topic RE: edge-safeguard enabled by default in ExtremeSwitching (EXOS/Switch Engine)

edge-safeguard enabled by default

julienb — Tue, 28 Feb 2017 01:32:00 GMT

Hi,

Is there a way to enable by default for every ports the STP mode edge-safeguard with bpdu-restrict ? Like the "spanning-tree portfast default" and "spanning-tree portfast bpduguard default" on Cisco switches.
I'd like to enable the edge-safeguard mode for every port, and add an exception on trunk/dot1q ports.
Is that possible ?

I've tried to enable it for every ports in each instance like that :
configure stpd s0 ports edge-safeguard enable 1-24 bpdu-restrict recovery-timeout 300
configure stpd s900 ports edge-safeguard enable 1-24 bpdu-restrict recovery-timeout 300
configure stpd s903 ports edge-safeguard enable 1-24 bpdu-restrict recovery-timeout 300
configure stpd s914 ports edge-safeguard enable 1-24 bpdu-restrict recovery-timeout 300

But since the ports are not in the instance yet (auto-bind enabled), it throws an error for all ports :
Error: Port 1 is not a member of STP domain s900
Error: Port 2 is not a member of STP domain s900
etc...

Here is the whole STP config (the goal is to be compatible with rapid-pvst+ on Cisco):
configure stpd s0 mode dot1w
configure stpd s0 default-encapsulation pvst-plus
create stpd s823
configure stpd s823 default-encapsulation pvst-plus
create stpd s900
configure stpd s900 default-encapsulation pvst-plus
create stpd s903
configure stpd s903 default-encapsulation pvst-plus
create stpd s914
configure stpd s914 default-encapsulation pvst-plus
create stpd s921
configure stpd s921 default-encapsulation pvst-plus
create stpd s923
configure stpd s923 default-encapsulation pvst-plus
enable stpd s823 auto-bind vlan 823
enable stpd s923 auto-bind vlan 923
enable stpd s903 auto-bind vlan 903
enable stpd s900 auto-bind vlan 900
enable stpd s921 auto-bind vlan 921
enable stpd s914 auto-bind vlan 914
enable stpd s0
configure stpd s823 tag 823
enable stpd s823
configure stpd s900 tag 900
enable stpd s900
configure stpd s903 tag 903
enable stpd s903
configure stpd s914 tag 914
enable stpd s914
configure stpd s921 tag 921
enable stpd s921
configure stpd s923 tag 923
enable stpd s923

Thanks for your help

RE: edge-safeguard enabled by default

Jeremy_Gibbs — Tue, 28 Feb 2017 02:53:00 GMT

This is a nice script I have used to get you going.

https://github.com/extremenetworks/EXOS_Apps/tree/master/EZ_SpanningTree

RE: edge-safeguard enabled by default

julienb — Tue, 28 Feb 2017 02:53:00 GMT

I don't get it. It says the script associates all vlans to instance s0 and configure it for MSTP. But in MSTP, you need one instance per VLAN right ? By the way, I need Rapid-PVST+, not MSTP.

RE: edge-safeguard enabled by default

Roy_Noh — Wed, 01 Mar 2017 13:45:00 GMT

Hello Julienb.

You can't make setting link type edge and enabling edge-safeguard by default.
Anyway, even with the auto bind options on STPDs, it will not automatically be bound to the STPD if you add a port to a vlan as untagged since default-encapsulations are PVST+ on every STPD.
So below two example lines are needed when you add a port to a vlan as untagged with edge-safeguard.

conf "v823" add ports 5 untagged "s823" dot1d
conf "s823" ports link-type edge 5 edge-safeguard enable bpdu-restrict recovery-timeout 300

RE: edge-safeguard enabled by default

julienb — Wed, 01 Mar 2017 13:45:00 GMT

Wow Extreme knows how to make life easy for network admins ! ahah
So each time you change a VLAN on a port, you also need to change the STP config ? What is auto-bind made for in that case?

RE: edge-safeguard enabled by default

Vincent_Boucher — Wed, 01 Mar 2017 13:45:00 GMT

I totally agree here, this is ridiculous. New to EXOS and I have to use PVST+ for interoperability.

RE: edge-safeguard enabled by default

EtherMAN — Fri, 17 Aug 2018 20:32:00 GMT

LOL .. getting my popcorn ready... who runs spanning tree now days... with so many other ways to build rings and redundancy and prevent broadcast loops  2000 plus switches and there has been no spanning tree in over at least ten years

RE: edge-safeguard enabled by default

Vincent_Boucher — Fri, 17 Aug 2018 20:32:00 GMT

Anyway, I need PVST+. To add a port to a STPd, you need the carrier vlan to be tagged on the port, even for an edge port or it won't join the STP domain.

If I use the tagged vlan on my edge port, I can add the port to the stpd. But now the traffic is tagged. This means I would have to create a separate vlan for each PVST+ domain. This is counter productive and probably the worst implementation of PVST+.

Using Cisco switches, you need 3 lines of configuration for this. With EXOS, I'm up to 104 lines of configuration and it only works for tagged traffic on trunk ports, it won't work for untagged ports.

What do you recommend instead of STP?

RE: edge-safeguard enabled by default

Vincent_Boucher — Fri, 17 Aug 2018 20:32:00 GMT

https://gtacknowledge.extremenetworks.com/articles/Q_A/Can-you-configure-an-STP-domain-using-PVST-en...

RE: edge-safeguard enabled by default

EtherMAN — Fri, 17 Aug 2018 21:30:00 GMT

Sorry but I could not resist.. We have a lot of legacy Cisco customers we transport across our network. Best thing for us is using a vman on our side ... protecting our rings with EAPS or ERPS, Untagging vman at the edges on the UNI ports. Dont have to know anything about the Cisco vlans that are being used and any of the PVST that they may want to extend across the network. They can even run CDP across if you configure the port to tunnel the L2PT traffic. I do understand your pain when you try to turn an Extreme switch into a Cisco switch. EAPS and ERPS rock and will outperform any STP or PVST+ on failover times. If you dont have an option to tunnel the Cisco stuff across and must actively participate and be part of their spanning tree domains then I am afraid your options are limited ....