Benedictus, 2019-01-31 15:33:51
Computer networks

How to protect the switch from an L2 loop without disabling the redundant link?

There is the following switching scheme:
(switching diagram attached to the original post)
External platform: replaces the destination MAC address with the MAC address of the analytics server. The traffic analytics server transparently passes traffic through itself and sends it to Port 1, but in this case a loop appears between port 1 and port 2, and it is necessary that the L2 switch send the packets back to the external platform.
Tell me, is it possible to somehow disable the forwarding of packets between two ports within the L2 domain of one switch? Are there any protection mechanisms?


1 answer

athacker, 2019-01-31
@Benedictus

The whole system will have to be changed. Or rework the return of traffic to the "analyzer" (as I understand it, you are building an IPS?) through routing, i.e. move it to the L3 level. Or send a copy of the traffic to the analyzer via SPAN, and have the analyzer send spoofed TCP RST packets towards the client, pretending to be the server, if the connection is recognized as suspicious. Then the client will immediately close the connection.
But to answer the question as directly posed: you can protect the switch from disconnecting the redundant link by configuring, for example, a port-channel on these links (between switches). However, it is obvious that this is not your case, and this option will not help you. So the only thing left is to change the system.
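As an added illustration of the two defender-side options named in the answer (a port-channel for redundant inter-switch links, and a SPAN copy for the analyzer instead of an inline path), here is a Cisco IOS configuration fragment. It is example configuration, not from the thread; interface names, VLAN ids and the analyzer port are assumed, and the BPDU guard line goes slightly beyond the answer as the loop protection a practitioner would enable on edge ports.

```cisco
! Two redundant links to the neighbouring switch bundled into one LACP
! port-channel: the switch treats them as a single logical link, so STP
! has nothing to block and no L2 loop forms (interface names assumed).
interface range GigabitEthernet1/0/1 - 2
 description Redundant uplinks to neighbouring switch
 channel-group 1 mode active
!
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Send the analyzer a COPY of the bundle's traffic. A SPAN destination port
! never forwards frames back into the switch, so the analyzer cannot create
! the port 1 / port 2 loop described in the question (analyzer port assumed).
monitor session 1 source interface Port-channel1 both
monitor session 1 destination interface GigabitEthernet1/0/24
!
! Edge ports that unexpectedly receive BPDUs (a typical sign of an
! accidentally cabled loop) are shut down by BPDU guard.
spanning-tree portfast bpduguard default
```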
