Help to determine the most suitable STP type for my configuration


Userlevel 4
Hello, everybody!

I have a network where only Extreme switches exist.

The access layer is 8 stacks spread across the floors.

The distribution layer is a stack of two X670s.

The core layer is two BD8806s connected with MLAG. VRRP is also configured.

There is one EtherChannel between the core switches for MLAG, and one EtherChannel to the X670 stack.

The floor stacks are connected to the X670 with one EtherChannel link each.

I have 30 vlans total.

The schema is provided below.

Could you please help me to find the most suitable STP type/configuration?

At the moment I have configured EMISTP encapsulation with dot1w mode, but I don't like it.

Many thanks in advance,

Ilya

P.S. With this scheme I have strange alternating ping replies from 1 to 50 ms. Is there any connection with STPDs or VRRP in the core?

P.P.S. Could you give me a link to an article where the simplest STP configuration on Extremes is described? I am interested in a method of configuring STP for all VLANs with minimum effort, like on Cisco.


18 replies

Userlevel 4
Hi,

Where do you see potential for a loop? I don't see any need for STP in this network.
If you want loop prevention for access ports, I would recommend ELRP.

Regards
André
Userlevel 4
Hello, Andre!

Thank you for your reply.

First of all, at the access layer. Customers sometimes attach stupid switches.

Secondly, at the distribution layer. During the configuration process last weekend the technicians got the cables wrong and looped the X670 stack. (LLDP was my salvation!)

Anyway, there are many free ports on the X670. Both switches of this stack are located on different floors. The chance of a mistake is high.
Userlevel 7
Ilya Semenov wrote:

Hello, Andre!

Thank you for your reply.

First of all, at the access layer. Customers sometimes attach stupid switches.

Secondly, at the distribution layer. During the configuration process last weekend the technicians got the cables wrong and looped the X670 stack. (LLDP was my salvation!)

Anyway, there are many free ports on the X670. Both switches of this stack are located on different floors. The chance of a mistake is high.

Hi Ilya,

For the distribution switches, you can disable unused ports. Alternatively, you can remove every VLAN from the unused ports (e.g. "configure vlan Default delete ports all").

Br,
Erik
Userlevel 4
OK - I understood your issue.
Please look into ELRP - It makes life a lot easier than STP.

Regards
André
Userlevel 4
Thanks to you, Andre!

I've heard about this feature, but I still don't have a clear understanding of what it really does.

If it's enabled, what will happen in case of a loop?
Userlevel 4
You can decide what it does. Most customers disable the port for 60 seconds and send a notification.

Best Regards
André
Userlevel 4
So, your advice is to remove STP from the core and distribution layers and replace it with ELRP?

Is there any negative impact of STPDs on the network? On the switches?
Userlevel 4
In the core layer you already have MLAG. There you have to be very careful with another L2 protocol. And when it comes to "stupid patch prevention" I'd always prefer ELRP over STP.
In your network I see the most risk of stupid patching at the edge. In these areas ELRP is always a good choice.

Regards
André
ELRP is very simple to configure and works flawlessly from what I have seen.

Configure ELRP to run on a NoLoop VLAN tagged on every port, and exclude the uplinks.

Most of our customers run it with a permanent disable and simply enable the port after they clear the loop.

Thanks,
Userlevel 4
Hello, David!

What is the difference between uplinks and tagged ports? I think there isn't one...

Am I correct that you recommend I use ELRP for access ports and STP for uplinks? Something like "enable stpd VLAN5 auto-bind vlan VLAN5"...?

Thank you!
By uplinks I simply meant your inter-switch connections, which we obviously do not want to disable.

We still add the NoLoop VLAN to those ports so that a loop that spans two closets will be detected, but we exclude the uplink port so ELRP does not disable that port.

We do not need STP at all. In our configuration ELRP will tell you if there is a loop on an uplink port but not disable it. If you do not add the VLAN used by ELRP to the uplink ports, the loop in the drawing below could go undetected.

Userlevel 6
The uplinks are the connections between the switches. You want to configure those ports for ELRP but exclude them from any action. You don't want an uplink port disabled. He is referring to a simple VLAN present on the entire network where every port on every switch is tagged. Enabling ELRP on this VLAN on each switch will allow it to send out the necessary multicast traffic and perform an action if it receives it back.

I would not use both. ELRP will take care of everything you need. If you would like to use STP to prevent loops, you can simply configure edge-safeguard on all the ports except the uplinks and it will do the same thing.
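The procedure the two replies above describe (a dedicated VLAN tagged on every port, periodic ELRP probes on it, the uplinks excluded from the disable action, unused ports shut), written out as one EXOS configuration for a single access stack. This is an added example, not a configuration posted in the thread. It assumes a two-member stack of 48-port switches whose uplink LAG members are 1:49 and 2:49, that tag 4094 is free, and that 1:40-1:48 and 2:40-2:48 are currently unused; the exact keyword order of the "periodic" command varies by EXOS release, so check it with "configure elrp-client periodic ?" on your version before pasting.

```text
# Added example (not from the thread): ELRP loop protection on one access stack.
# Assumptions: 2-member stack, uplinks 1:49 and 2:49, VLAN tag 4094 unused,
# ports 1:40-1:48 and 2:40-2:48 free. Adjust names and port lists to your switches.

# 1. A dedicated L2 VLAN that carries only ELRP probes. "NoLoop" avoids the
#    reserved name "elrp" mentioned later in the thread. Give it no IP address.
create vlan NoLoop tag 4094
configure vlan NoLoop add ports all tagged

# 2. Enable the ELRP client and send periodic probes on NoLoop out of every port.
#    If a probe comes back in on a port, log it, send a trap, and disable that
#    port for 60 seconds (use "permanent" if you want a manual re-enable instead).
enable elrp-client
configure elrp-client periodic NoLoop ports all interval 1 log-and-trap disable-port duration 60

# 3. Never let ELRP take down the uplinks: probes still go out on them, so a loop
#    spanning two closets is detected and logged, but the port itself stays up.
configure elrp-client disable-ports exclude 1:49,2:49

# 4. Unused ports are shut, so a stray patch cable cannot form a loop at all.
disable ports 1:40-1:48,2:40-2:48

# Verification
show elrp
show elrp disabled-ports
```

After the physical loop has been cleared, "enable ports <port>" brings a permanently disabled port back; "show elrp" shows per-VLAN probe and detection counters so you can confirm the probes are actually being sent on every port, including the excluded uplinks.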
Userlevel 4
Guys... Did I get it right...? To protect access ports against loops, I have to add a special technical VLAN as tagged to all of them. Then turn on the mysterious ELRP. Associate it with the VLAN. In case of a loop, ELRP has to detect on a certain port BPDUs from the current switch (from itself) and block the port, yes? Permanently or for a period of time...

Would this conf be ok?

create vlan ELRP tag 4094
conf vlan ELRP add ports all tag
enable elrp-client
configure elrp-client disable-ports exclude 49,50 (these are uplinks)
configure elrp-client periodic "ELRP" ports all log disable-port duration 60

Why shouldn't I turn on the same feature at the distribution layer on the X670?

To be honest, I'm scratching my head over whether it is safe to completely remove STPDs from the core and distribution. Still thinking...

Many thanks to you!

P.S. Will you attend annual summit in Orlando?)
Userlevel 7
Ilya Semenov wrote:

Guys... Did I get it right...? To protect access ports against loops, I have to add a special technical VLAN as tagged to all of them. Then turn on the mysterious ELRP. Associate it with the VLAN. In case of a loop, ELRP has to detect on a certain port BPDUs from the current switch (from itself) and block the port, yes? Permanently or for a period of time...

Would this conf be ok?

create vlan ELRP tag 4094
conf vlan ELRP add ports all tag
enable elrp-client
configure elrp-client disable-ports exclude 49,50 (these are uplinks)
configure elrp-client periodic "ELRP" ports all log disable-port duration 60

Why shouldn't I turn on the same feature at the distribution layer on the X670?

To be honest, I'm scratching my head over whether it is safe to completely remove STPDs from the core and distribution. Still thinking...

Many thanks to you!

P.S. Will you attend annual summit in Orlando?)

I'll be there working at the Services booth - stop by and say hello!
Userlevel 4
Ilya Semenov wrote:

Guys... Did I get it right...? To protect access ports against loops, I have to add a special technical VLAN as tagged to all of them. Then turn on the mysterious ELRP. Associate it with the VLAN. In case of a loop, ELRP has to detect on a certain port BPDUs from the current switch (from itself) and block the port, yes? Permanently or for a period of time...

Would this conf be ok?

create vlan ELRP tag 4094
conf vlan ELRP add ports all tag
enable elrp-client
configure elrp-client disable-ports exclude 49,50 (these are uplinks)
configure elrp-client periodic "ELRP" ports all log disable-port duration 60

Why shouldn't I turn on the same feature at the distribution layer on the X670?

To be honest, I'm scratching my head over whether it is safe to completely remove STPDs from the core and distribution. Still thinking...

Many thanks to you!

P.S. Will you attend annual summit in Orlando?)

Surely, Drew! See you in Orlando!
I have not tested it, but I don't think you can name a VLAN "elrp"; I think it is "protected", which could be why we use "noloop".

You can turn ELRP on for the distribution layer; I think we were all just advising against letting it disable ports that would take down entire switches.

We don't use STP at all, but it's your network...

Orlando sounds fun, but my boss would have to send me. Wish me luck on that one.

Thanks,
Userlevel 4
David, I wish you luck!)

Thank you!
Userlevel 6
One other thing you can do that is also a great alarm generator and protection on edge access ports: enable rate shaping. You have three options: broadcast, multicast, and unknown MAC address packets per second. This is fully configurable. We only do broadcast and set it to 200 pps. If someone plugs in a dumb switch and loops it on their side, this simple configuration will limit the number of broadcast packets coming from them and send your monitoring system a nice trap. Good luck.
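The flood rate limit the post above describes, written out for one access stack so the three knobs (broadcast, multicast, unknown-destination MAC) and the uplink exception are visible side by side. This is an added example, not a configuration from the thread. It assumes a two-member stack with user ports 1:1-1:48 and 2:1-2:48 and uplink LAG members 1:49 and 2:49; the 200 pps broadcast figure is the one given in the post, the other two are left at no-limit because the right values depend on the applications behind each port.

```text
# Added example (not from the thread): per-port flood rate limiting on access ports.
# Assumptions: 2-member stack, user ports 1:1-1:48 and 2:1-2:48, uplinks 1:49 and 2:49.
# Limits are per port, in packets per second; excess packets are dropped on ingress.

# Broadcast: 200 pps as in the post above. A looped customer switch reflects
# broadcasts back at line rate, so this caps the storm at the first port it hits.
configure ports 1:1-1:48,2:1-2:48 rate-limit flood broadcast 200

# Multicast and unknown-destination-MAC flooding are the other two knobs.
# Left unlimited here; set a value only once you know the traffic on those ports.
configure ports 1:1-1:48,2:1-2:48 rate-limit flood multicast no-limit
configure ports 1:1-1:48,2:1-2:48 rate-limit flood unknown-destmac no-limit

# Uplinks carry legitimate flooding for all 30 VLANs: do not limit them,
# otherwise a storm on one closet would starve ARP and DHCP for the others.
configure ports 1:49,2:49 rate-limit flood broadcast no-limit

# Verification: configured limit and drop counters per port
show ports 1:1-1:48,2:1-2:48 rate-limit flood
```

Rate limiting complements rather than replaces ELRP: ELRP removes the looped port, while the flood limit bounds the damage in the seconds before detection and on ports where a loop forms downstream of an unmanaged switch that drops the ELRP probes.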
