Best way to prevent topology changes...?

New Contributor
Brief description of the environment:
K-12 School District
S4 Core
x460-G2 (40G uplink) distribution layer
x450-G2 (10G uplink) edge layer
Management, Control, Analytics 8.x

x460-G2+x450-G2 stacks (building mdf)
x450-G2 stacks (building idf)

x430 (1G uplink) "classroom layer" - connects Kramer VP-773A, Crestron MPC-M10, Epson Projector, HP PC, and spare ethernet for laptop in every classroom (200+ district-wide), a few (<5) have a Mitel phone plugged in

Interswitch edge devices of interest include:
3935i/3965i APs in lacp lags
Mitel 5304 (no PC port), 5320/5330/5360 (includes PC port) IP Phones

Access edge devices of interest include:
Avigilon IP Cameras
Windows/Mac Devices
IP Intercom Devices
IP Physical Access Control Devices
IP Building Management (BMS) Devices
Digital Signage Devices

My S4 STP config is very simple:
set spantree priority 0 0
set spantree adminedge ge.X.xx true (where access edge device)

My x430, x450-G2, x460-G2 STP config is:
configure mstp revision 3
configure stpd s0 mode mstp cist
enable s0 auto-bind vlan 1-4094
configure stpd s0 ports link-type edge X:xx (where access edge device)
configure stpd s0 ports edge-safeguard enable X:xx (where access edge device)
configure stpd s0 ports bpdu-restrict enable X:xx (where access edge device)
enable stpd s0

Here is my question... What are my options to prevent excessive topology changes if someone plugs an access edge device into a port that was programmed for an interswitch edge device?

1. maclock seems heavy handed

2. This is interesting but feels like duct tape

3. Dedicated phone, camera, classroom switch is a possibility in some spots but someone could still accidentally plug in the wrong thing

Wired dot1x is not fully deployed. MAC auth is used to identify Mitel phones, Avigilon cameras, intercom, BMS, and digital signage devices. I am not finding a way to apply STP port rules via Policy.

Am I missing something?

Thanks in advance,

New Contributor

Can you elaborate on this? Is this documented somewhere? This seems like the best solution, but I am not seeing the way to it. I have policy fully deployed and identifying interswitch devices by mac. I am using Control, Manage, and Policy. Is it possible with these two products?


Extreme Employee

You can add a security profile to the RADIUS reply. This security profile triggers a UPM which can afterwards change the STP config.


New Contributor
Thank you for your comment. I am already using edge-safeguard on my EXOS switches. My question is not concerning edge ports, but interswitch ports where edge devices are inadvertently plugged in.

Extreme Employee
Hi Jeff,

The EXOS equivalent of spanguard is "edge safeguard". Please take a look at the link below. By configuring user ports as "edge ports", you will also prevent the topology changes initiated from end-devices such as PCs, phones, IP cams each time they plug-unplug to the network.

Emre Kurtman Technical Marketing Engineer / Extreme Networks
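
The following is an added example, not part of the thread and not Extreme's own tooling: a Python audit that reads EXOS STP commands in the form quoted in the original post and reports ports set to link-type edge that lack edge-safeguard or bpdu-restrict. The sample config, its port numbers, the accepted port-list syntax (`1:1-1:3`, `1:1-3`, comma-separated) and the single STP domain are assumptions.

```python
import re

# Constructed sample using the three per-port commands from the thread.
# Port numbers are hypothetical: 1:5 lacks bpdu-restrict, 2:1-2:2 lack edge-safeguard.
SAMPLE_CONFIG = """\
configure stpd s0 ports link-type edge 1:1-1:5,2:1-2:2
configure stpd s0 ports edge-safeguard enable 1:1-1:5
configure stpd s0 ports bpdu-restrict enable 1:1-1:4,2:1-2:2
"""

PREFIX = r"^configure stpd \S+ ports "
SETTINGS = {
    "edge": re.compile(PREFIX + r"link-type edge (\S+)"),
    "edge-safeguard": re.compile(PREFIX + r"edge-safeguard enable (\S+)"),
    "bpdu-restrict": re.compile(PREFIX + r"bpdu-restrict enable (\S+)"),
}

def expand_ports(portlist):
    """Expand a slot:port list such as '1:1-1:3,2:5' or '1:1-3' (assumed syntax)."""
    ports = set()
    for item in portlist.split(","):
        start, _, end = item.partition("-")
        slot, first = start.split(":")
        last = first
        if end:
            end_slot, _, last = end.rpartition(":")
            if end_slot and end_slot != slot:
                raise ValueError(f"range spans slots: {item}")
        ports.update((int(slot), p) for p in range(int(first), int(last) + 1))
    return ports

def audit(config_text):
    """Return {(slot, port): [missing protections]} for every edge port."""
    seen = {name: set() for name in SETTINGS}
    for line in config_text.splitlines():
        for name, pattern in SETTINGS.items():
            match = pattern.match(line.strip())
            if match:
                seen[name] |= expand_ports(match.group(1))
    findings = {}
    for port in sorted(seen["edge"]):
        missing = [n for n in ("edge-safeguard", "bpdu-restrict") if port not in seen[n]]
        if missing:
            findings[port] = missing
    return findings

if __name__ == "__main__":
    for (slot, port), missing in audit(SAMPLE_CONFIG).items():
        print(f"{slot}:{port} is link-type edge but lacks: {', '.join(missing)}")
```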