Best way to prevent topology changes...?

  • Updated 6 months ago
Brief description of the environment:
K-12 School District
S4 Core
x460-G2 (40G uplink) distribution layer
x450-G2 (10G uplink) edge layer
Management, Control, Analytics 8.x

x460-G2+x450-G2 stacks (building mdf)
x450-G2 stacks (building idf)

x430 (1G uplink) "classroom layer" - connects Kramer VP-773A, Crestron MPC-M10, Epson Projector, HP PC, and spare ethernet for laptop in every classroom (200+ district-wide), a few (<5) have a Mitel phone plugged in

Interswitch edge devices of interest include:
3935i/3965i APs in lacp lags
Mitel 5304 (no PC port), 5320/5330/5360 (includes PC port) IP Phones

Access edge devices of interest include:
Avigilon IP Cameras
Windows/Mac Devices
IP Intercom Devices
IP Physical Access Control Devices
IP Building Management (BMS) Devices
Digital Signage Devices

My S4 STP config is very simple:
set spantree priority 0 0
set spantree adminedge ge.X.xx true (where access edge device)

My x430, x450-G2, x460-G2 STP config is:
configure mstp revision 3
configure stpd s0 mode mstp cist
enable stpd s0 auto-bind vlan 1-4094
configure stpd s0 ports link-type edge X:xx (where access edge device)
configure stpd s0 ports edge-safeguard enable X:xx (where access edge device)
configure stpd s0 ports bpdu-restrict enable X:xx (where access edge device)
enable stpd s0

Here is my question... What are my options to prevent excessive topology changes if someone plugs an access edge device into a port that was programmed for an interswitch edge device?

1. maclock seems heavy handed

2. This is interesting but feels like duct tape

3. Dedicated phone, camera, classroom switch is a possibility in some spots but someone could still accidentally plug in the wrong thing

Wired dot1x is not fully deployed. MAC auth is used to identify Mitel phones, Avigilon cameras, intercom, BMS, and digital signage devices. I am not finding a way to apply STP port rules via Policy.

Am I missing something?

Thanks in advance,
Jeff

Posted 6 months ago
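One way to catch the situation the question describes, as an added example that is not part of the thread and not Extreme's own tooling: rather than trying to make STP itself react, audit where end devices actually authenticated (MAC auth already classifies phones, cameras, intercoms, BMS and signage) against the per-port STP configuration, and flag any non-interswitch device sitting on a port that lacks the full edge set (link-type edge, edge-safeguard, bpdu-restrict). The config lines follow the EXOS commands quoted above; the port numbers, the MAC-auth table and the device-class names are constructed sample data, not output of any real switch or NAC product.

```python
"""Audit EXOS-style STP edge settings against MAC-auth results.

Goal: find end devices (phones without PC port, cameras, PCs, ...) that were
patched into ports programmed for interswitch devices (APs in LACP lags,
phones with a PC port) and therefore have no edge protection, which is what
lets each plug/unplug generate a topology change.

Added example; the config follows the commands quoted in the post, while the
port lists, device classes and MAC-auth table are constructed sample data.
"""
import re
from collections import defaultdict

# Constructed sample config for one x450-G2 stack, slot 1: 1:1-1:20 are access
# edge ports, 1:21-1:24 were programmed for interswitch devices (no edge set).
SAMPLE_CONFIG = """\
configure mstp revision 3
configure stpd s0 mode mstp cist
enable stpd s0 auto-bind vlan 1-4094
configure stpd s0 ports link-type edge 1:1-1:20
configure stpd s0 ports edge-safeguard enable 1:1-1:20
configure stpd s0 ports bpdu-restrict enable 1:1-1:20
enable stpd s0
"""

# Constructed view of what MAC auth learned on each port (port, device class).
SAMPLE_AUTH = [
    ("1:2", "mitel-phone"), ("1:7", "avigilon-camera"), ("1:15", "windows-pc"),
    ("1:21", "ap-3965i"),          # expected: AP on an interswitch port
    ("1:22", "avigilon-camera"),   # wrong: camera patched into an interswitch port
    ("1:24", "mitel-5304"),        # wrong: phone with no PC port on an interswitch port
]
# Device classes that legitimately belong on interswitch ports (constructed names).
INTERSWITCH_CLASSES = {"ap-3935i", "ap-3965i", "mitel-5320", "mitel-5330", "mitel-5360"}

PORT_RE = re.compile(r"(\d+):(\d+)")

# The three edge settings from the post, each with the port list as group 2.
EDGE_SETTINGS = {
    "link-type": re.compile(r"^configure stpd (\S+) ports link-type edge (\S+)"),
    "edge-safeguard": re.compile(r"^configure stpd (\S+) ports edge-safeguard enable (\S+)"),
    "bpdu-restrict": re.compile(r"^configure stpd (\S+) ports bpdu-restrict enable (\S+)"),
}


def expand_ports(spec):
    """Expand an EXOS port list such as '1:1-1:20,2:3' into a set of 'slot:port'."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = item.split("-", 1)
            slot, start = map(int, PORT_RE.fullmatch(lo).groups())
            slot_hi, end = map(int, PORT_RE.fullmatch(hi).groups())
            if slot != slot_hi:
                raise ValueError(f"port range spans slots: {item}")
            ports.update(f"{slot}:{p}" for p in range(start, end + 1))
        else:
            slot, port = map(int, PORT_RE.fullmatch(item).groups())
            ports.add(f"{slot}:{port}")
    return ports


def parse_stp_config(text):
    """Return {port: set of edge settings} for every port carrying at least one."""
    per_port = defaultdict(set)
    for line in text.splitlines():
        for name, rx in EDGE_SETTINGS.items():
            match = rx.match(line.strip())
            if match:
                for port in expand_ports(match.group(2)):
                    per_port[port].add(name)
    return per_port


def find_misplaced_end_devices(config_text, auth_table):
    """List (port, device class, missing settings) for non-interswitch devices
    that authenticated on a port without the full edge protection set."""
    per_port = parse_stp_config(config_text)
    required = set(EDGE_SETTINGS)
    findings = []
    for port, dev_class in auth_table:
        if dev_class in INTERSWITCH_CLASSES:
            continue
        missing = required - per_port.get(port, set())
        if missing:
            findings.append((port, dev_class, sorted(missing)))
    return findings


if __name__ == "__main__":
    for port, dev_class, missing in find_misplaced_end_devices(SAMPLE_CONFIG, SAMPLE_AUTH):
        print(f"{port}: {dev_class} on a port missing {', '.join(missing)}")
```

Run periodically against the exported switch config and the NAC's end-system table; each finding is a port that will keep generating topology changes until it is either re-patched or given the edge settings, so it doubles as a ticket list for the helpdesk rather than a change to STP behaviour itself.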

ar
Hi Jeff,
I have no experience with Extreme switches, but Enterasys has a feature called spanguard that will disable the port if an STP-sending device is connected.
That will not fix all your problems but perhaps some?
Kurtman, Emre, Employee
Hi Jeff,

The EXOS equivalent of spanguard is "edge safeguard". Please take a look at the link below. By configuring user ports as "edge ports", you will also prevent the topology changes initiated from end-devices such as PCs, phones, IP cams each time they plug-unplug to the network.
Jeff
Thank you for your comment. I am already using edge-safeguard on my EXOS switches. My question is not concerning edge ports, but interswitch ports where edge devices are inadvertently plugged in.
André Herkenrath, Employee

You can add a security profile to the RADIUS reply. This security profile triggers a UPM which can afterwards change the STP config.

Jeff

Can you elaborate on this? Is this documented somewhere? This seems like the best solution, but I am not seeing the way to it. I have policy fully deployed and identifying interswitch devices by mac. I am using Control, Manage, and Policy. Is it possible with these two products?