Are there any easy ways to configure edge-safeguard mode with bpdu-restrict?

  • Question
  • Updated 2 years ago
  • Answered
Hello, everybody!

I have a task from a customer to configure ports on an Extreme stack to prevent users from attaching switches and to turn ports into forwarding mode immediately (dot1w).

So, does anybody know an easier way to get the analog of Cisco's "spanning-tree bpduguard enable" on Extremes than the one described here - https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-a-port-in-an-STP-domain-t...

I have done the things from the article many times, but it is too difficult in this case because there is an 8-slot stack where many VLANs exist and the VLAN ports don't go in a row like VLAN10 ports 1:1-48, but VLAN10 ports 1:1-4,1:6-10,1:18-21 etc.

Many thanks in advance,

Ilya
Ilya Semenov

Posted 2 years ago

Pala, Zdenek, Employee
I am using the following config. I believe it is quite simple and does what you need:
configure mstp region region1
configure stpd s0 mode mstp cist
configure stpd s0 priority 4096
# the above usually complains that vlan Default is already auto-bound => "disable stpd s0 auto-bind vlan Default", try it again and then auto-bind it again
enable stpd s0 auto-bind vlan VLAN-X
enable stpd s0 auto-bind vlan VLAN-Y ...
# you need to add every vlan to s0
configure stpd s0 ports link-type edge 1:1-48
configure stpd s0 ports edge-safeguard enable 1:1-48 recovery-timeout 60
configure stpd s0 ports bpdu-restrict enable 1:1-48 recovery-timeout 60 ...
# the above will do the job for ports 1-48 on unit 1. Be sure you do not configure it on your uplink :)
enable stpd s0
Probably there is also some nicer way...

Good luck
Ilya Semenov
Hello, Zdenek!

We all need "auto-bind" for untagged ports too...

Why, if I say "enable stpd VLAN-X auto-bind vlan VLAN-X", does it work for tagged ports only?

I have about 2000+ ports in 30 VLANs on 8 stacks, which are set in a random order.

It would be suicide for me to say to the customer: "Well, guys, now find out all untagged ports for all VLANs on that stack and set them, separated with commas, in "configure stpd VLAN-X ports edge-safeguard enable ....... recovery-timeout 60" and "configure stpd s0 ports bpdu-restrict enable ..........". For every VLAN!

But even if they do that, the human factor will lead to an inevitable mistake when correcting this configuration later...

Anyway, many thanks for your reply! For years I have been looking for a simple and straightforward way to turn on STP globally on Extremes, and now I have it!

Unfortunately, on Saturday I changed the STP config everywhere from MST to PVST+ with ELRP (dedicated VLAN) on the access switches.

The problems were: 
1) Ciscos didn't see Extremes as root in the case of MST. Is it expected behaviour?
2) It was not possible in 15.3 to set access ports in edge-safeguard mode in the case of MST
3) After the upgrade to EXOS 16.2, stack switches where an MST instance had been enabled started to turn off ports arbitrarily with no messages to syslog. So now I've reverted back to 15.3. If PVST+ works fine, I will try to upgrade the stacks again in several days.

So, now I have PVST+ STP on per VLAN basis.

My confs:

Core (X8):

create stpd VLAN-X
configure stpd VLAN-X default-encapsulation pvst-plus
configure stpd VLAN-X mode dot1w
configure stpd VLAN-X priority 4096
enable stpd VLAN-X auto-bind vlan VLAN-X
configure stpd VLAN-X tag X
enable stpd VLAN-X

The same config for about 30 vlans. Stacks have also the same config, but without "configure stpd VLAN-X  priority 4096" command.

As I said earlier, access ports don't go in order on the stacks (about 2000+ ports across 30 VLANs).

Do I understand right that without STPD configuration on the access ports I can't get functionality analogous to "spanning-tree bpduguard enable"?

Many thanks to you, Zdenek! 
Pala, Zdenek, Employee
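The pain point in the post above is that in PVST+ mode every per-VLAN STPD needs its own edge-safeguard and bpdu-restrict port list, and on an 8-slot stack those ports are scattered rather than contiguous. The following is an added example (not from the thread and not Extreme's own tooling) that generates those EXOS commands from a port-to-VLAN membership table. The membership dictionary, the VLAN/STPD names, the uplink set and the 60-second recovery timeout are constructed assumptions; the three commands it emits are the same ones used earlier in the thread, it collapses consecutive ports into slot:port ranges (1:1-4,1:6-10,...), and it skips the uplink ports so bpdu-restrict is never applied to them.

```python
# Added example: generate per-VLAN STPD edge-safeguard / bpdu-restrict commands
# for an EXOS stack from a port -> VLAN membership table. Not code from the thread.

# CONSTRUCTED sample: untagged membership on a stack, deliberately non-contiguous.
# In practice fill this from 'show vlan <name>' output for each VLAN.
SAMPLE_MEMBERSHIP = {
    "VLAN10": ["1:1", "1:2", "1:3", "1:4", "1:6", "1:7", "1:8", "1:9", "1:10",
               "1:18", "1:19", "1:20", "1:21", "2:5"],
    "VLAN20": ["1:5", "1:11", "1:12", "2:1", "2:2", "2:3", "8:48"],
}
# Assumed uplink ports: bpdu-restrict must never land on these (they carry real BPDUs).
UPLINKS = frozenset({"8:47", "8:48"})
RECOVERY_TIMEOUT = 60  # seconds before a shut port is re-enabled, as in the thread


def parse_port(port):
    """'1:48' -> (1, 48): stack slot and port number."""
    slot, num = port.split(":")
    return int(slot), int(num)


def compress_ports(ports):
    """Collapse ['1:1','1:2','1:3','1:6'] into the EXOS list form '1:1-3,1:6'.

    Ranges never cross a slot boundary, so '1:48' and '2:1' stay separate.
    """
    parsed = sorted({parse_port(p) for p in ports})
    ranges = []  # each entry: [slot, first, last]
    for slot, num in parsed:
        if ranges and ranges[-1][0] == slot and ranges[-1][2] == num - 1:
            ranges[-1][2] = num          # extend the current run
        else:
            ranges.append([slot, num, num])
    return ",".join(f"{s}:{a}" if a == b else f"{s}:{a}-{b}" for s, a, b in ranges)


def stpd_commands(membership, uplinks=frozenset(), recovery_timeout=RECOVERY_TIMEOUT):
    """Emit the three per-STPD commands for every VLAN, minus uplink ports.

    Assumes an STPD named after each VLAN already exists and has the VLAN
    auto-bound (the PVST+ core config shown in the thread).
    """
    cmds = []
    for vlan in sorted(membership):
        access_ports = [p for p in membership[vlan] if p not in uplinks]
        if not access_ports:
            continue
        plist = compress_ports(access_ports)
        cmds.append(f"configure stpd {vlan} ports link-type edge {plist}")
        cmds.append(f"configure stpd {vlan} ports edge-safeguard enable {plist} "
                    f"recovery-timeout {recovery_timeout}")
        cmds.append(f"configure stpd {vlan} ports bpdu-restrict enable {plist} "
                    f"recovery-timeout {recovery_timeout}")
    return cmds


if __name__ == "__main__":
    print("\n".join(stpd_commands(SAMPLE_MEMBERSHIP, UPLINKS)))
```

Rerunning the generator after every VLAN change and diffing its output against the running config is the cheap way to catch the "human factor" mistakes the post worries about: a port that moved VLAN shows up as a command in one STPD that is missing from the other.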
Hi Ilya.

the autobind works for untagged vlans/ports also
the autobind works for tagged vlans/ports also

there is also a very nice XOS application called ezSpanningtree = https://github.com/extremenetworks/EXOS_Apps/tree/master/EZ_SpanningTree

it will auto-bind a newly created vlan automatically = you do not have to remember it every time you create a new vlan...

here is my config, regardless of the port-to-vlan assignment. I do not care if you have 10 ports or 3000 ports :)

configure vlan untagged-ports auto-move inform
create vlan ONE tag 100
configure vlan "ONE" add ports 7-8 untagged
configure vlan "ONE" add ports 11-12 tagged

# Default is auto-bound to s0 out of the box; unbind it before changing the mode
disable stpd s0 auto-bind vlan "Default"
configure stpd s0 delete vlan "Default" ports all
configure mstp region region1
configure stpd s0 mode mstp cist
enable stpd s0 auto-bind vlan "Default"
enable stpd s0 auto-bind vlan "ONE"
# access ports only; keep uplinks out of this list
configure stpd s0 ports link-type edge 1-10 edge-safeguard enable recovery-timeout 60 bpdu-restrict
enable stpd s0

If I connect any port to any port it does work :)

Good luck :)

Z.

log example:
01/28/2017 09:02:28.54 <Info:vlan.dbg.info> Toggling AdminState on Port 7 with pif 0x5c3a40
01/28/2017 09:02:28.53 <Info:vlan.dbg.info> Toggling AdminState on Port 8 with pif 0x5c4b08
01/28/2017 09:02:28.53 <Warn:STP.EnblPortTimerExp> Port (7) is re-enabled as the disable time out has expired.
01/28/2017 09:02:28.53 <Warn:STP.EnblPortTimerExp> Port (8) is re-enabled as the disable time out has expired.
01/28/2017 09:01:28.56 <Info:vlan.msgs.portLinkStateDown> Port 7 link down
01/28/2017 09:01:28.54 <Info:vlan.msgs.portLinkStateDown> Port 8 link down
01/28/2017 09:01:28.52 <Info:vlan.dbg.info> Toggling AdminState on Port 7 with pif 0x5c3a40
01/28/2017 09:01:28.52 <Info:vlan.dbg.info> Toggling AdminState on Port 8 with pif 0x5c4b08
01/28/2017 09:01:28.52 <Warn:STP.DsblPortBrdgDtect> BPDU Restrict Port (7) has received a bpdu and will be shutdown.
01/28/2017 09:01:28.52 <Warn:STP.DsblPortBrdgDtect> BPDU Restrict Port (8) has received a bpdu and will be shutdown.
01/28/2017 09:01:26.89 <Info:vlan.msgs.portLinkStateUp> Port 8 link UP at speed 1 Gbps and full-duplex
01/28/2017 09:01:26.87 <Info:vlan.msgs.portLinkStateUp> Port 7 link UP at speed 1 Gbps and full-duplex
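The log excerpt above is the audit trail an operator actually watches: a bpdu-restrict shutdown (STP.DsblPortBrdgDtect) followed, one recovery-timeout later, by the re-enable (STP.EnblPortTimerExp). Here is an added example (not from the thread) of a small parser for such EXOS log lines: it tolerates the newest-first order that the log is printed in, rebuilds the per-port timeline, and flags ports that keep getting shut down, which is what repeatedly plugging a switch into an access port looks like. The sample consists of the lines from the post above plus one constructed later shutdown on port 7; the repeat-offender threshold is an assumption.

```python
# Added example: parse EXOS STP bpdu-restrict log events and report which
# access ports were disabled and which keep re-offending. Not code from the thread.
import re
from datetime import datetime

# Sample log: lines from the post above (newest first, as the switch prints them),
# plus one CONSTRUCTED later shutdown on port 7 to show a repeat offender.
SAMPLE_LOG = """\
01/28/2017 09:03:10.11 <Warn:STP.DsblPortBrdgDtect> BPDU Restrict Port (7) has received a bpdu and will be shutdown.
01/28/2017 09:02:28.53 <Warn:STP.EnblPortTimerExp> Port (7) is re-enabled as the disable time out has expired.
01/28/2017 09:02:28.53 <Warn:STP.EnblPortTimerExp> Port (8) is re-enabled as the disable time out has expired.
01/28/2017 09:01:28.56 <Info:vlan.msgs.portLinkStateDown> Port 7 link down
01/28/2017 09:01:28.52 <Warn:STP.DsblPortBrdgDtect> BPDU Restrict Port (7) has received a bpdu and will be shutdown.
01/28/2017 09:01:28.52 <Warn:STP.DsblPortBrdgDtect> BPDU Restrict Port (8) has received a bpdu and will be shutdown.
01/28/2017 09:01:26.89 <Info:vlan.msgs.portLinkStateUp> Port 8 link UP at speed 1 Gbps and full-duplex
"""

# "MM/DD/YYYY HH:MM:SS.hh <Severity:Component> message"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{2}) "
    r"<(?P<sev>\w+):(?P<comp>[\w.]+)> (?P<msg>.*)$"
)
# Port appears as "(7)" on a standalone switch or "(1:7)" on a stack.
PORT_RE = re.compile(r"Port \((?P<port>[\d:]+)\)")

SHUTDOWN = "STP.DsblPortBrdgDtect"   # bpdu-restrict disabled the port
REENABLE = "STP.EnblPortTimerExp"    # recovery-timeout expired, port back up


def parse_events(log_text):
    """Return [(timestamp, port, 'shutdown'|'re-enabled')], oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m["comp"] not in (SHUTDOWN, REENABLE):
            continue  # link up/down and AdminState noise are not needed here
        p = PORT_RE.search(m["msg"])
        if not p:
            continue
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f")
        kind = "shutdown" if m["comp"] == SHUTDOWN else "re-enabled"
        events.append((ts, p["port"], kind))
    events.sort()  # the switch prints newest first; replay oldest first
    return events


def port_report(events):
    """Per-port count of bpdu-restrict shutdowns, current state and last event time."""
    report = {}
    for ts, port, kind in events:
        entry = report.setdefault(port, {"shutdowns": 0, "state": "up", "last": None})
        if kind == "shutdown":
            entry["shutdowns"] += 1
            entry["state"] = "disabled"
        else:
            entry["state"] = "up"
        entry["last"] = ts
    return report


def repeat_offenders(report, threshold=2):
    """Ports shut down at least `threshold` times (threshold is an assumption)."""
    return sorted(p for p, e in report.items() if e["shutdowns"] >= threshold)


if __name__ == "__main__":
    rep = port_report(parse_events(SAMPLE_LOG))
    for port, e in sorted(rep.items()):
        print(f"port {port}: {e['shutdowns']} shutdown(s), now {e['state']}, last {e['last']}")
    print("repeat offenders:", repeat_offenders(rep))
```

With recovery-timeout set, a port that is shut down, recovers and is shut down again within minutes is almost certainly a switch left plugged in, not a transient; the count is what separates that from a one-off.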
Ilya Semenov
Hello, Zdenek!

Many thanks for your reply.

In what version of EXOS does auto-bind work for untagged ports? Enlighten me, please.

I believe that ezSpanningtree is a great application, but it requires EXOS 21.x. All my switches are G1, so I can't use it anyway.

MSTP is not the recommended STP protocol for Summit. You can use the search in this community to easily find out how tricky, dangerous and unstable Extreme's MSTP is. There are a lot of topics and related articles.

So, maybe auto-bind works for untagged in MSTP, but in PVST+ it doesn't. (Like bpdu-restrict, unfortunately)
Ilya Semenov
Anybody?

Do I understand right that without STPD configuration on the access ports I can't get functionality analogous to Cisco's "spanning-tree bpduguard enable" on Extremes?
Erik Auerswald, Embassador
Hi Ilya,

the exact functionality of Cisco IOS' "spanning-tree bpduguard enable" requires some spanning tree protocol on the port. Thus on EXOS you need to configure an stpd that includes the access port to exactly recreate the BPDU guard functionality.

You may be able to create similar functionality using ELRP to guard against loops, and perhaps something based on ACLs, log entries, and scripts triggered by logs to react to a BPDU.

Erik