LoopProtect and MSTP

Hi,

I've been reading up on Spanning Tree and LoopProtect. In the 7100 v8.41 Configuration Guide on page 338 there is a note that says:

The Loop Protect enable/disable settings for an MSTI port should match those for the CIST port.
What exactly does this mean? What does this statement require us to be vigilant about in our configs?

Does it mean that if you "set spantree lp ge.1.2 enable sid 1" you should also "set spantree lp ge.1.2 enable" (sid 0) etc. for all other SIDs? Why?

Bye,

Marki

jeronimo


Posted 3 years ago


Allen George, Employee

Hello,

"The Loop Protect enable/disable settings for an MSTI port should match those for the CIST port."
Answer: The MSTI port is the port in which the MSTP instance is configured, but the CIST port in this case will be the underlying SID 0. So when you configure SID 1 and 2 and align VLANs 5,15 to SID 1 and then VLANs 10,20 to SID 2, you will then configure 'set spantree lp ge.x.x sid 1' on all ports that belong to that VLAN, and the same goes for SID 2 for any port that belongs to those correlating VLANs. But that is only configuring for the MSTI; to match the CIST port, you must also configure Loop Protect on SID 0 for all of these same ports to ensure proper operation in MSTP.

So in a way this does require you to be very specific about how you prepare and apply your configuration, or you may see unknown results if done improperly.

Please let me know if that answers your question.

Thank you and have a great day!

Regards,
Allen George
Technical Support Engineer, GTAC / Extreme Networks

jeronimo

Ok, so if I understand correctly, the "problem" arises through the fact that MSTP, contrary to e.g. PVST, does not send BPDUs per VLAN but on a port-basis. Thus, for LoopProtect to be effective and not create more trouble than it should prevent, you have to perform a manual and explicit accounting of what VLANs are present on what ISLs.

So generally speaking, if we'd like to use the LoopProtect feature, we have to perform the following with our ISLs:
1) Enable LoopProtect in SID0 for every ISL;
2) Enable LoopProtect in SIDx if any of the VLANs configured in SIDx are active on that ISL.

In our case where we
1) mainly chose to use MSTP to get the higher max. hopcount of 20 compared to RSTP (7)
2) are using only one MSTP instance in every MSTP region
then this boils down to simply activating LoopProtect on SID0 and SID1 on every ISL and we should be good.

Can you confirm that this reasoning is correct?
If so, why not share such details in the Configuration Guides for example :)

Thanks a lot for your insight.

Marki

PS. If all my reasoning is correct, and to prevent problems for people not aware of all this, then the switch could/should IMHO enable LoopProtect in SID0 automatically as soon as you activate it for any SID different than SID0...

Erik Auerswald, Embassador

Hello Marki,

Did you test and verify an RSTP hop limit of 7?

Erik

jeronimo

Nope, we did not. Are you saying that RSTP would work equally well as MSTP in case you don't need the individual instances that MSTP provides?

Erik Auerswald, Embassador

That is what I would expect, but I never actually tested this.

Once I had to use several MSTP regions of significant size each to overcome the hop count limit inside a region. But that has been the only time STP hop count has been a concern for me.

jeronimo

Hi again,

So, can someone confirm if what I thought I had understood from Allen's reply is correct or not? (See my reply above.)

Let me give you a simple and concrete example:



Q1) In that diagram, how should the different ports be configured for LoopProtect? I am proposing the following:
P1 LoopProtect SID0+SID1
P2 LoopProtect SID0+SID1
P3 LoopProtect SID0
P4 LoopProtect SID0+SID1
P5 LoopProtect SID0+SID1
P6 LoopProtect SID0+SID1
P7 LoopProtect SID0+SID1
P8 LoopProtect SID0
Q2) Oh and in that regard: Why is it that "show spantree debug active port x.y.z sid 1" shows an MSTI BPDU Rx Count and MSTI BPDU Tx Count when the port is a master port? By definition, there are no MSTI BPDUs between regions...?

Bye,

Marki

Allen George, Employee

Hello Marki,

A1) So that diagram and port/SID layout looks correct for how you would want it configured.

Q2) In regards to your second question, are you referring to a specific port in this diagram where you are seeing this? Keep in mind that the MSTI BPDUs are most likely still going to be sent regardless, but the remote device just won't process them as the SID/region doesn't exist (assuming I am understanding what you are trying to explain). The reason for this is that all ports belong in each SID in the background by design; the VLANs are just required to carry proper MSTP communication between switches, so it will functionally speak when required and be dropped when not needed/configured.

Regards,
Allen George
Technical Support Engineer, GTAC / Extreme Networks
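
A config audit for the rule worked out in this thread (Loop Protect on SID 0 for every ISL, plus each SID whose VLANs are active on that ISL), as an added example that is not part of the original posts and not Extreme's own tooling. It parses only the command form quoted in the question; the port names, per-port VLAN membership and config lines are constructed, and the VLAN-to-SID mapping reuses the one from the first answer.

```python
import re

# Command form as quoted in the thread; no "sid" argument means SID 0 (CIST).
LP_CMD = re.compile(r"^set spantree lp (\S+) enable(?: sid (\d+))?$")

def parse_lp_config(lines):
    """Return {port: set of SIDs with Loop Protect enabled}."""
    enabled = {}
    for line in lines:
        m = LP_CMD.match(line.strip())
        if m:
            enabled.setdefault(m.group(1), set()).add(int(m.group(2) or 0))
    return enabled

def audit_loop_protect(config_lines, isl_vlans, vlan_to_sid):
    """Report ISL ports missing a required Loop Protect SID.
    Required per ISL: SID 0, plus every SID with a VLAN active on the link.
    VLANs absent from vlan_to_sid are treated as CIST (SID 0) VLANs.
    """
    enabled = parse_lp_config(config_lines)
    findings = {}
    for port, vlans in isl_vlans.items():
        required = {0} | {vlan_to_sid.get(v, 0) for v in vlans}
        have = enabled.get(port, set())
        missing = sorted(required - have)
        if missing:
            # MSTI enabled while CIST is not: the mismatch the guide warns about.
            findings[port] = {"missing": missing,
                              "cist_mismatch": bool(have - {0}) and 0 not in have}
    return findings

def fix_commands(findings):
    """Emit the missing enable commands in the thread's syntax."""
    return [f"set spantree lp {port} enable" + (f" sid {sid}" if sid else "")
            for port, f in sorted(findings.items()) for sid in f["missing"]]

# Constructed sample data; the VLAN-to-SID mapping is the one from the answer.
VLAN_TO_SID = {5: 1, 15: 1, 10: 2, 20: 2}
ISL_VLANS = {"ge.1.1": {5, 10}, "ge.1.2": {5}, "ge.1.3": {1}, "ge.1.4": {20}}
CONFIG = """\
set spantree lp ge.1.1 enable
set spantree lp ge.1.1 enable sid 1
set spantree lp ge.1.1 enable sid 2
set spantree lp ge.1.2 enable sid 1
set spantree lp ge.1.3 enable
set spantree lp ge.1.4 enable
""".splitlines()

if __name__ == "__main__":
    print("\n".join(fix_commands(audit_loop_protect(CONFIG, ISL_VLANS, VLAN_TO_SID))))
```
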

jeronimo

Thanks a lot for the clarifications and approval concerning Q1.

You understood right concerning Q2 and I realize that I should have reflected more thoroughly on this before asking. For the people following this thread: indeed, if the hash transmitted in the MST BPDU differs between sender and recipient, they know that they are at a region boundary and will ignore the M-records. For the case where the remote side runs classic STP and not MSTP, it will ignore the MSTP part entirely as you said, as (R)STP and MSTP are designed to be interoperable. So, it is not an error or a problem that MSTI BPDUs are generated/sent/received as one can see with the debug commands.