This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (EOS)
- RE: Best way to prevent topology changes...?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Best way to prevent topology changes...?
Best way to prevent topology changes...?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
09-20-2017 11:49 PM
Brief description of the environment:
K-12 School District
S4 Core [08.62.04.001]
x460-G2 (40G uplink) distribution layer [21.1.1.4]
x450-G2 (10G uplink) edge layer [21.1.1.4]
Management, Control, Analytics 8.x
x460-G2+x450-G2 stacks (building mdf)
x450-G2 stacks (building idf)
x430 (1G uplink) "classroom layer" [16.2.3.5] - connects Kramer VP-773A, Crestron MPC-M10, Epson Projector, HP PC, and spare ethernet for laptop in every classroom (200+ district-wide), a few (<5) have a Mitel phone plugged in
Interswitch edge devices of interest include:
3935i/3965i APs in lacp lags
Mitel 5304 (no PC port), 5320/5330/5360 (includes PC port) IP Phones
Access edge devices of interest include:
Avigilon IP Cameras
Windows/Mac Devices
IP Intercom Devices
IP Physical Access Control Devices
IP Building Management (BMS) Devices
Digital Signage Devices
My S4 STP config is very simple:
set spantree priority 0 0
set spantree adminedge ge.X.xx true (where access edge device)
My x430, x450-G2, x460-G2 STP config is:
configure mstp revision 3
configure stpd s0 mode mstp cist
enable s0 auto-bind vlan 1-4094
configure stpd s0 ports link-type edge X:xx (where access edge device)
configure stpd s0 ports edge-safeguard enable X:xx (where access edge device)
configure stpd s0 ports bpdu-restrict enable X:xx (where access edge device)
enable stpd s0
Here is my question... What are my options to prevent excessive topology changes if someone plugs in an access edge device into a port that was programmed for a interswitch edge device?
1. maclock seems heavy handed
2. This is interesting but feels like duct tape
3. Dedicated phone, camera, classroom switch is a possibility in some spots but someone could still accidentally plug in the wrong thing
Wired dot1x is not fully deployed. MAC auth is used to identify Mitel phones, Avigilon cameras, intercom, BMS, and digital signage devices. I am not finding a way to apply STP port rules via Policy.
Am I missing something?
Thanks in advance,
Jeff
K-12 School District
S4 Core [08.62.04.001]
x460-G2 (40G uplink) distribution layer [21.1.1.4]
x450-G2 (10G uplink) edge layer [21.1.1.4]
Management, Control, Analytics 8.x
x460-G2+x450-G2 stacks (building mdf)
x450-G2 stacks (building idf)
x430 (1G uplink) "classroom layer" [16.2.3.5] - connects Kramer VP-773A, Crestron MPC-M10, Epson Projector, HP PC, and spare ethernet for laptop in every classroom (200+ district-wide), a few (<5) have a Mitel phone plugged in
Interswitch edge devices of interest include:
3935i/3965i APs in lacp lags
Mitel 5304 (no PC port), 5320/5330/5360 (includes PC port) IP Phones
Access edge devices of interest include:
Avigilon IP Cameras
Windows/Mac Devices
IP Intercom Devices
IP Physical Access Control Devices
IP Building Management (BMS) Devices
Digital Signage Devices
My S4 STP config is very simple:
set spantree priority 0 0
set spantree adminedge ge.X.xx true (where access edge device)
My x430, x450-G2, x460-G2 STP config is:
configure mstp revision 3
configure stpd s0 mode mstp cist
enable s0 auto-bind vlan 1-4094
configure stpd s0 ports link-type edge X:xx (where access edge device)
configure stpd s0 ports edge-safeguard enable X:xx (where access edge device)
configure stpd s0 ports bpdu-restrict enable X:xx (where access edge device)
enable stpd s0
Here is my question... What are my options to prevent excessive topology changes if someone plugs in an access edge device into a port that was programmed for a interswitch edge device?
1. maclock seems heavy handed
2. This is interesting but feels like duct tape
3. Dedicated phone, camera, classroom switch is a possibility in some spots but someone could still accidentally plug in the wrong thing
Wired dot1x is not fully deployed. MAC auth is used to identify Mitel phones, Avigilon cameras, intercom, BMS, and digital signage devices. I am not finding a way to apply STP port rules via Policy.
Am I missing something?
Thanks in advance,
Jeff
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
09-21-2017 05:22 AM
Andre,
Can you elaborate on this? Is this documented somewhere? This seems like the best solution, but I am not seeing the way to it. I have policy fully deployed and identifying interswitch devices by mac. I am using Control, Manage, and Policy. Is it possible with these two products?
Jeff
Can you elaborate on this? Is this documented somewhere? This seems like the best solution, but I am not seeing the way to it. I have policy fully deployed and identifying interswitch devices by mac. I am using Control, Manage, and Policy. Is it possible with these two products?
Jeff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
09-21-2017 05:22 AM
Hi,
you can add a security profile to the radius reply. This security profile triggers a UPM which can afterwards change the STP config.
Regards
André
you can add a security profile to the radius reply. This security profile triggers a UPM which can afterwards change the STP config.
Regards
André
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
09-21-2017 04:38 AM
Thank you for your comment. I am already using edge-safeguard on my EXOS switches. My question is not concerning edge ports, but interswitch ports where edge devices are inadvertently plugged in.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
09-21-2017 04:38 AM
Hi Jeff,
The EXOS equivalent of spanguard is "edge safeguard". Please take a look at the link below. By configuring user ports as "edge ports", you will also prevent the topology changes initiated from end-devices such as PCs, phones, IP cams each time they plug-unplug to the network.
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-a-port-in-an-STP-domain-t...
The EXOS equivalent of spanguard is "edge safeguard". Please take a look at the link below. By configuring user ports as "edge ports", you will also prevent the topology changes initiated from end-devices such as PCs, phones, IP cams each time they plug-unplug to the network.
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-a-port-in-an-STP-domain-t...
Emre Kurtman
Technical Marketing Engineer / Extreme Networks
