Spanning-tree

mducharme
Member

Spanning-tree

Fri Apr 14, 2017 1:55 pm

Hello,

When we first started using Netonix, on firmware 1.4.2, we encountered a spanning tree issue, where when any Ubiquiti SU was rebooted, spanning tree would block the entire AP.

Since then we have had spanning tree disabled on all ports that connect to our APs. I would prefer to be able to leave it enabled, but first I wanted to find out if this issue was fixed at some point, and whether it is safe to enable spanning tree again. Please let me know.

Thanks.

mike99
Associate

Re: Spanning-tree

Fri Apr 14, 2017 5:41 pm

Spanning tree should be disabled on APs facing your customers and only enabled on backbone ports.

As for your issue, I never saw this. Is spanning-tree enabled on the Ubnt radios?

mducharme
Member

Re: Spanning-tree

Sat Apr 15, 2017 1:15 pm

Yes, we enable spanning tree on our UBNT radios. We had numerous cases where a customer connected a hub into their radio, and then plugged the hub into itself, which would bring down the entire VLAN of customers.

sirhc
Employee

Re: Spanning-tree

Sat Apr 15, 2017 1:57 pm

This is why we NEVER allow customers to have Layer 2 access to our network.

If residential customer, the CPE is always in router/NAT mode.

If commercial customer, the CPE is in Router mode and the customer default gateway is assigned to the Ethernet side of the CPE.

Allowing customers Layer 2 access to your network is dangerous.
Support is handled on the Forums not in Emails and PMs.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.

mducharme
Member

Re: Spanning-tree

Sat Apr 15, 2017 2:20 pm

I disagree - we use isolation going all the way back to the switch. Client isolation on all APs, switchport isolation on the Netonix, so that customers cannot contact each other directly through layer 2. Even though the customers are bridged, they are fully isolated from each other as though they were on separate VLANs - the only impact is a customer creating a loop with themselves.

We are not the same as your network - we use PPPoE and all customers get a public IP on their own router.

Or are you saying it is better to give all of our Ubiquiti radios public IPs? I think that would be worse, given the vulnerabilities that are going around. As it stands, our radios are on management VLANs etc with private addresses only so they are protected if some new vulnerability becomes known.

sirhc
Employee

Re: Spanning-tree

Sat Apr 15, 2017 2:53 pm

We use access lists on the CPE to prevent access to the CPE from all but our admin IP ranges on the outside wireless interface and we also use an access list on the inside Ethernet port to prevent the customer from being able to access the CPE from inside.

We do this by adding a secret secondary IP (what UBNT calls IP aliasing) on the inside interface that only our techs know.

The tech MUST have that one allowed IP on his laptop and can only talk to the CPE UI/CLI via this secondary IP on the CPE from the secret IP that is allowed to talk to the CPE. The secondary IP is in an invalid class B range, so even if the customer snoops it out he must also know the only IP in that range that is allowed to talk to it.

These access lists are scripted and take seconds for the tech to implement during installation.

So if the customer goes to the default gateway (the CPE), it rejects communications.

But hey, everyone runs their network differently, do what works best for you. But I never have to worry about customers creating loops, or ARP storms, or anything like that, as they never have Layer 2 access, only routed access to my network.

sirhc
Employee

Re: Spanning-tree

Sat Apr 15, 2017 3:00 pm

Every now and then (a couple times a month) we run port probes against our network from our Amazon cloud cluster, looking for any device that is accessible from the outside world.

The only thing that usually shows up is a commercial customer router or server that does not have Layer 2 access to our network anyway.

There have been a couple occasions where a tech forgot to run the script that installs the access list during installation which we quickly fix.

mducharme
Member

Re: Spanning-tree

Sat Apr 15, 2017 3:17 pm

We haven't had these hub loop problems in a few years, I think most customers have moved to switches, but we kept the STP on, just in case.

In any event, I wouldn't trust all my installers to set up the firewall correctly. I've had a few issues with devices getting misconfigured that makes me hesitant to rely so heavily on every SU getting configured in a completely correct way to ensure the security of the network.

Also, my point was that STP worked fine on our Cisco switches and our MikroTik devices where we use STP on the bridges - never had problems with them blocking a port when an SU was rebooted. That has only happened with Netonix.
Last edited by mducharme on Sun Apr 16, 2017 3:58 pm, edited 4 times in total.

sirhc
Employee

Re: Spanning-tree

Sat Apr 15, 2017 3:31 pm

Well as I said it is scripted but our NOC verifies the install when the installer is finishing up and loading his truck.

You keep saying STP and not RSTP. There is a difference between STP and RSTP; by default we are set to RSTP, not STP. Their behavior is different, you know?

If using RSTP you need to look at your RSTP settings to determine who is the active Root and what happens when the customer reboots their radio and RSTP is talking, deciding what to do next.

mducharme
Member

Re: Spanning-tree

Sat Apr 15, 2017 3:41 pm

sirhc wrote: Well as I said it is scripted but our NOC verifies the install when the installer is finishing up and loading his truck.

You keep saying STP and not RSTP. There is a difference between STP and RSTP; by default we are set to RSTP, not STP. Their behavior is different, you know?

If using RSTP you need to look at your RSTP settings to determine who is the active Root and what happens when the customer reboots their radio and RSTP is talking, deciding what to do next.


Our NOC guys have made mistakes before - I've had 'verified' configs that a NOC guy 'double checked' that were half wrong.

We have better guys now who are by and large more careful, but we manage so much equipment with so little staff - the simpler that we make things, the less that can go wrong.

For STP, Cisco uses per-VLAN-STP and MikroTik uses RSTP. Ubiquiti has a checkbox for STP but does not allow config of the priority or any other settings - I don't know whether it is regular STP or RSTP underneath. The MikroTik running RSTP was the active root. Also, I read that RSTP and STP are supposed to be compatible with one another, so if you have a device running regular STP, it should work fine with another device doing RSTP.
Last edited by mducharme on Sun Apr 16, 2017 3:56 pm, edited 1 time in total.
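The two posts above turn on who the active Root is and what a rebooting radio's BPDUs do to that election. The following is an added illustration, not code from the thread or from any of the vendors named: it runs the 802.1D/802.1w root election (lowest bridge ID, i.e. priority then MAC) over constructed bridge IDs to show that a CPE whose STP checkbox exposes no priority setting still competes at the default priority of 32768, and can win the election unless the intended root is given a lower priority. All names and MAC addresses are made up.

```python
# Added example (not from the forum thread): minimal STP/RSTP root-bridge
# election over constructed bridge IDs. It shows why a CPE with an
# unconfigurable default priority (32768) can take over as Root when it
# reboots and starts advertising itself, unless the core bridge is given
# a lower (better) priority.
from dataclasses import dataclass


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int  # 0..61440 in steps of 4096; 802.1D default is 32768
    mac: str       # tie-breaker when priorities are equal: lower MAC wins

    @property
    def bridge_id(self) -> tuple[int, int]:
        # Bridge ID orders by priority first, then by MAC address.
        return (self.priority, int(self.mac.replace(":", ""), 16))


def elect_root(bridges):
    """Root bridge is the one with the numerically lowest bridge ID."""
    return min(bridges, key=lambda b: b.bridge_id)


def bpdu_is_superior(advertised: Bridge, current_root: Bridge) -> bool:
    """A BPDU claiming `advertised` as root displaces `current_root` only if
    its bridge ID is lower; this is what every bridge evaluates when a
    rebooted radio sends its first BPDUs claiming itself as root."""
    return advertised.bridge_id < current_root.bridge_id


def root_changes_on_reboot(core: Bridge, cpe: Bridge) -> bool:
    """True if a rebooting CPE steals the Root role from the intended core."""
    return bpdu_is_superior(cpe, core)


# Constructed topology (hypothetical names and MACs): a MikroTik meant to be
# root, a Netonix tower switch, and a Ubiquiti SU whose STP checkbox gives
# no control over priority, so it runs at the 32768 default.
MIKROTIK_DEFAULT = Bridge("mikrotik-core", 32768, "d4:ca:6d:00:00:10")
NETONIX = Bridge("netonix-tower", 32768, "ec:13:b2:00:00:20")
UBNT_SU = Bridge("ubnt-su-customer", 32768, "04:18:d6:00:00:30")
# Same core bridge after lowering its priority so it always wins.
MIKROTIK_HARDENED = Bridge("mikrotik-core", 4096, "d4:ca:6d:00:00:10")

if __name__ == "__main__":
    for core in (MIKROTIK_DEFAULT, MIKROTIK_HARDENED):
        winner = elect_root([core, NETONIX, UBNT_SU])
        print(f"core priority {core.priority}: root is {winner.name}, "
              f"CPE reboot changes root: {root_changes_on_reboot(core, UBNT_SU)}")
```

With every bridge at the default priority the SU's lower MAC wins the election, so each reboot of that radio re-advertises a superior root and forces a topology recomputation; setting the core to a lower priority removes the CPE from contention entirely.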
