ELRP across multiple stacks

Hi,

Have a scenario where we are using ELRP, which works great for disabling ports on the same stack but we have a stack in the same room and want to protect across the two - is this possible?

My theory was that should an edge port see an ELRP PDU from the other stack, due to ELRP also being enabled on the other edge port it should disable?

Originally I didn't have port 1:52 on stacks (uplink to cores) included in any of the ELRP config, but added it in trying to get it to work across stacks.

##### Stack A ELRP config, port 1:52 is a lag to core hence it being excluded:

enable elrp-client
configure elrp-client periodic B20_23-L-GND-MGMT ports 1:45-48,1:52,2:45-48,3:45-48,4:45-48 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client periodic B20_23-L-GND-Data ports 1:1-40,1:52,2:1-40,3:1-40,4:1-40 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client periodic B20_23-L-GND-Voice ports 1:1-40,1:52,2:1-40,3:1-40,4:1-40 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client periodic B20_23-L-GND-Printers ports 1:41-44,1:52,2:41-44,3:41-44,4:41-44 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client disable-port exclude 1:52

##### Stack B ELRP config, port 1:52 is a lag to core hence it being excluded:

enable elrp-client
configure elrp-client periodic B20_23-GND-MGMT ports 1:45-48,1:52,2:45-48,3:45-48,4:45-48 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client periodic B20_23-GND-Data ports 1:1-40,1:52,2:1-40,3:1-40,4:1-40 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client periodic B20_23-GND-Voice ports 1:1-40,1:52,2:1-40,3:1-40,4:1-40 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client periodic B20_23-GND-Printers ports 1:41-44,1:52,2:41-44,3:41-44,4:41-44 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client disable-port exclude 1:52

##### Core A ELRP config. Originally I had no ELRP config on the core but added in trying to get to work. Ports 1 & 2 go to stacks:

enable elrp-client
configure elrp-client periodic B20_23-L-GND-Data ports 1 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client periodic B20_23-GND-Data ports 2 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client periodic B20_23-L-GND-Voice ports 1 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client periodic B20_23-GND-Voice ports 2 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client periodic B20_23-L-GND-Printers ports 1 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client periodic B20_23-GND-Printers ports 2 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client periodic B20_23-L-GND-MGMT ports 1 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client periodic B20_23-GND-MGMT ports 2 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client disable-port exclude 1
configure elrp-client disable-port exclude 2

##### Core A ELRP config. Originally I had no ELRP config on the core but added in trying to get to work: Ports 1 & 2 go to stacks:

enable elrp-client
configure elrp-client periodic B20_23-L-GND-Data ports 1 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client periodic B20_23-GND-Data ports 2 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client periodic B20_23-L-GND-Voice ports 1 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client periodic B20_23-GND-Voice ports 2 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client periodic B20_23-L-GND-Printers ports 1 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client periodic B20_23-GND-Printers ports 2 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client periodic B20_23-L-GND-MGMT ports 1 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client periodic B20_23-GND-MGMT ports 2 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client disable-port exclude 1
configure elrp-client disable-port exclude 2


Many thanks in advance

Martin Flammia


Posted 11 months ago


Grosjean, Stephane, Employee

Hi,

The ELRP PDU is a multicast frame, so it would flow through the uplink without you needing to configure it. If you create a loop between two stacks, that loop will be detected as the ELRP PDU will be seen back from the uplink. Then ELRP would disable one port, based on your config. You don't want the uplink to be disabled, of course, so exclude it.

Martin Flammia

Hi Stephane,

Thanks for posting.

The config above isn't working. Originally I didn't have any ELRP config on the core, I'm not sure I really need that anyway - just at the edge, so long as I include the uplinks on the edge stacks?

With it not working and essentially using multicast, would I perhaps need to enable ipmc forwarding for all the VLANs on both the cores to get it working - which obviously wouldn't be a good idea, but perhaps something along those lines?

https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Pass-Multicast-Traffic-on-an-Extrem...

Thanks

Grosjean, Stephane, Employee

Hi,

No, you don't need to configure anything else aside from ELRP for it to work. ELRP is sending PDU per VLAN and per port, there's no "routing" involved, it's pure L2.

I also don't think ELRP on the Core is necessary, but I do know some networks where it has been enabled there, but only for log info, no action, so that the admins have the info of a loop across the Core. That makes sense, and the overhead is not that bad, typically.

Assuming MLAG, my best-practise typical advice is to use LACP (prevents miscabling errors), shutdown unused Core ports and have ELRP at the edge. You obviously want to disable an edge port in case of a loop, but not the uplink, so you exclude the uplink.

It's easier in terms of global config to enable ELRP on every port of an edge (you just do "ports all" without worrying if this is a 24-port or a 48-port switch), exclude the uplink (there you have to worry about what ports are the uplinks) so that they are not disabled in case of a loop. It's good enough to prevent a loop across stacks.

You can optimize that using egress ELRP (EXOS 16.1 and above), where you would not send ELRP PDU to the core, unless a loop happens between stacks.
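
An added example, not part of the thread and not Extreme Networks code: a Python check for the rule given in the replies above, that an uplink covered by an ELRP client with `disable-port` must also be on the `disable-port exclude` list. The function names and the `uplinks` argument are assumptions of this example; the sample input is the Stack A config from the question.

```python
import re

# Command shapes as they appear in the configs posted in this thread.
PERIODIC = re.compile(r"configure elrp-client periodic (\S+) ports (\S+) interval \d+ \S+(.*)")
EXCLUDE = re.compile(r"configure elrp-client disable-port exclude (\S+)")

def expand_ports(spec):
    """Expand '1:45-48,1:52' or '2' into port names (ranges within one slot only)."""
    ports = set()
    for item in spec.split(","):
        slot, sep, rng = item.strip().rpartition(":")
        lo, _, hi = rng.partition("-")
        ports.update(f"{slot}{sep}{n}" for n in range(int(lo), int(hi or lo) + 1))
    return ports

def audit(config, uplinks):
    """Return one finding per VLAN whose ELRP client could disable an uplink."""
    enabled, excluded, clients = False, set(), []
    for line in map(str.strip, config.splitlines()):
        if line == "enable elrp-client":
            enabled = True
        elif m := EXCLUDE.match(line):
            excluded |= expand_ports(m.group(1))
        elif m := PERIODIC.match(line):
            # A client without "disable-port" only logs/traps and cannot shut a port.
            clients.append((m.group(1), expand_ports(m.group(2)), "disable-port" in m.group(3)))
    findings = [] if enabled else ["elrp-client is not enabled"]
    for vlan, ports, disables in clients:
        if disables:
            for port in sorted((ports & set(uplinks)) - excluded):
                findings.append(f"{vlan}: uplink {port} is not excluded from disable-port")
    return findings

# Stack A config as posted in the question; port 1:52 is the LAG to the core.
STACK_A = """\
enable elrp-client
configure elrp-client periodic B20_23-L-GND-MGMT ports 1:45-48,1:52,2:45-48,3:45-48,4:45-48 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client periodic B20_23-L-GND-Data ports 1:1-40,1:52,2:1-40,3:1-40,4:1-40 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client periodic B20_23-L-GND-Voice ports 1:1-40,1:52,2:1-40,3:1-40,4:1-40 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client periodic B20_23-L-GND-Printers ports 1:41-44,1:52,2:41-44,3:41-44,4:41-44 interval 1 log-and-trap disable-port ingress permanent
configure elrp-client disable-port exclude 1:52
"""

if __name__ == "__main__":
    for finding in audit(STACK_A, {"1:52"}) or ["no uplink can be disabled by ELRP"]:
        print(finding)
```
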

Martin Flammia

Hi Stephane,

Thanks for replying. Some really useful information there.

So the way I originally had ELRP was probably all I needed to do. I am using MLAG and LACP and have ELRP pretty much setup as you say.

Problem is I'm still not able to get ELRP to recognise there is a loop across stacks.... only when on the same stack, with the config you have mentioned or that I have detailed above.

This is the primary problem. Think you are saying it should work, so I wonder if this is actually more to do with my setup. 

I am running version 22.3.14 on all the switches, and also Netlogin currently for MAC auth (optional mode):

enable netlogin mac
enable netlogin ports 1:1-51,2:1-51,3:1-51 mac

configure netlogin port 1:1 authentication mode optional
configure netlogin port 1:2 authentication mode optional
configure netlogin port 1:3 authentication mode optional
configure netlogin port 1:4 authentication mode optional
configure netlogin port 1:5 authentication mode optional
configure netlogin port 1:6 authentication mode optional
.........

I believe ELRP and Netlogin has just been supported in version 22.2?

Do you think it could be anything to do with that, although I'm not sure why it would work on the same stack but not across two stacks?

Thanks

Grosjean, Stephane, Employee

Indeed, Netlogin + ELRP is recent. I never had the opportunity to test it myself, so I can't comment if there's an issue on that. Maybe someone from GTAC can comment.

As for the generic config on ELRP I described, I use it everywhere without issues (without netlogin).

Erik Auerswald, Embassador

Hi,

I have just tried to use ELRP in a network with OnePolicy based netlogin for dynamic VLAN assignment (NAC sends policy + RFC 3580 VLAN) via MAC authentication, using optional authentication and a default VLAN (not VLAN 1) with a deny all policy. ELRP was enabled in the default VLAN. The deny all policy allows just STP (via destination MAC address) and ELRP (via source MAC address). All traffic out and into the access ports is untagged. But it did not work.

Ports with dynamic VLAN assignment enabled blackhole incoming ELRP frames from other switches that should be flooded in the VLAN. I even tried to use NAC to accept the ELRP source MAC as an end-system (auth optional should suffice to allow the frames into the VLAN statically configured on the switch port), which did not help either.

The new ELRP with dynamic VLAN assignment seems to pertain to sending ELRP frames only, at least that was what I could get working. But that does not help against blackholed ELRP frames. Instead of dropping one incoming frame per second, two incoming frames per second are dropped when adding dynamic (untagged) ELRP to a port that already has statically configured (untagged) ELRP.

Just as with Martin's setup, ELRP should be used to detect loops between several switches. Since MLAG is in use, STP cannot be used to break accidental loops. Since ELRP does not work together with dynamic VLAN assignment in OnePolicy mode, it cannot be used either. As a last resort BUM limiters and central logging might enable the network operators to detect accidental loops and manually break them, but STP and even ELRP are intended to break (accidental) loops. It would be preferable if one or the other could be used.

As additional info, I have used X460-G2 switches with EXOS 22.3.1.4. Since it did not work, I briefly tried EXOS 22.4.1.4-patch1-3 and EXOS 22.5.1.7, but there the statically configured ELRP in the default VLAN did not send out any ELRP frames, although the counters for sent frames increased (tested via packet sniffer, which was used extensively to understand what happened). [According to the release notes EXOS 22.4.1.4-patch1-3 contains some fix for ELRP and OnePolicy, but it did not help.]

Thanks,
Erik