Desktop switch kills routing

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Hello all,

I run a network where three different lan:s are used. Between the
buildings at every site the traffic flows through tagged ports in layer-2
switches.  (ASCII-art and switchmodels below)  When traffic need to go
somewhere outside that site a layer-3 switch routes it onto a carrier
network kept separated from the three other vlan:s.

Enabled spanning-tree on all switches to kill off nasty loops.

So far so good.

Then some student connected a simple desktop-switch and made a loop within
that little switch.  Somehow the spanning tree did not work correctly in
that situation. The entire student-vlan stopped dead. While searching for
what was going on, the administration people started complaining too; They
could reach the local servers, but remote servers and internet was

Set up lab to study things a little closer.

Found out that when one of the vlan:s was looping, the other vlan:s worked
within that site, but routing soon stopped in the layer-3 switch. The very
second i disconnected the offending desktop-switch everything went back to
normal again.

Any ideas how to stop this from happening and keep the routing going? The
admin-network Must Always Be Reachable, so I dont like the idea that some
lousy desktop-switch can wreak such havoc...



layer-2 switches are D-Link DES-3526
layer-3 switches are D-Link DES-3326S, DGS-3324SR, DGS-3312SR

vlan-10:  link-net that connect all sites togehter.
vlan-110: students
vlan-120: administration
vlan-130: public hotspots etc.

(carrier network)
   | vlan-10
|                    |
| switch-1 (layer 3) |
                 | tagged link with vlans-110,120,130
|                    |
| switch-2 (layer 2) |
  |     |     |    |
  |     |     |    |
 110   120   130   |
                   | tagged link with vlans-110,120,130

Site Timeline