Best way to prevent topology changes...?

Jeff
New Contributor
Brief description of the environment:
K-12 School District
S4 Core [08.62.04.001]
x460-G2 (40G uplink) distribution layer [21.1.1.4]
x450-G2 (10G uplink) edge layer [21.1.1.4]
Management, Control, Analytics 8.x

x460-G2+x450-G2 stacks (building mdf)
x450-G2 stacks (building idf)

x430 (1G uplink) "classroom layer" [16.2.3.5] - connects Kramer VP-773A, Crestron MPC-M10, Epson Projector, HP PC, and spare ethernet for laptop in every classroom (200+ district-wide), a few (<5) have a Mitel phone plugged in

Interswitch edge devices of interest include:
3935i/3965i APs in lacp lags
Mitel 5304 (no PC port), 5320/5330/5360 (includes PC port) IP Phones

Access edge devices of interest include:
Avigilon IP Cameras
Windows/Mac Devices
IP Intercom Devices
IP Physical Access Control Devices
IP Building Management (BMS) Devices
Digital Signage Devices

My S4 STP config is very simple:
set spantree priority 0 0
set spantree adminedge ge.X.xx true (where access edge device)

My x430, x450-G2, x460-G2 STP config is:
configure mstp revision 3
configure stpd s0 mode mstp cist
enable s0 auto-bind vlan 1-4094
configure stpd s0 ports link-type edge X:xx (where access edge device)
configure stpd s0 ports edge-safeguard enable X:xx (where access edge device)
configure stpd s0 ports bpdu-restrict enable X:xx (where access edge device)
enable stpd s0

Here is my question... What are my options to prevent excessive topology changes if someone plugs an access edge device into a port that was programmed for an interswitch edge device?

1. maclock seems heavy handed

2. This is interesting but feels like duct tape

3. Dedicated phone, camera, classroom switch is a possibility in some spots but someone could still accidentally plug in the wrong thing

Wired dot1x is not fully deployed. MAC auth is used to identify Mitel phones, Avigilon cameras, intercom, BMS, and digital signage devices. I am not finding a way to apply STP port rules via Policy.

Am I missing something?

Thanks in advance,
Jeff
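The per-port STP lines in the post (link-type edge, edge-safeguard, bpdu-restrict) are easy to drift out of sync across 200+ switches, and a port that is declared edge but is missing one of the two protections is exactly where an unexpected BPDU turns into a topology change instead of a contained port error. The script below is an added example, not from the original post or from Extreme; it parses those three command forms out of an EXOS-style configuration and lists every edge port that lacks edge-safeguard or bpdu-restrict. The configuration text, switch and port numbers are constructed for the example, and port ranges are assumed to stay within one slot.

```python
"""Audit EXOS-style STP port configuration for unprotected edge ports.

Added example (not the forum poster's or Extreme's code). It parses the
three per-port STP commands shown in the thread:

    configure stpd s0 ports link-type edge <ports>
    configure stpd s0 ports edge-safeguard enable <ports>
    configure stpd s0 ports bpdu-restrict enable <ports>

and reports any port declared as an edge port that lacks edge-safeguard or
bpdu-restrict, i.e. a port on which an unexpected BPDU would not be contained.
"""
import re
from collections import defaultdict

# Constructed sample configuration (hypothetical switch, hypothetical ports).
SAMPLE_CONFIG = """\
configure mstp revision 3
configure stpd s0 mode mstp cist
enable stpd s0 auto-bind vlan 1-4094
configure stpd s0 ports link-type edge 1:1-4,1:7
configure stpd s0 ports edge-safeguard enable 1:1-4
configure stpd s0 ports bpdu-restrict enable 1:1-3
configure stpd s0 ports link-type point-to-point 1:48
enable stpd s0
"""

# Matches only the three per-port commands we audit; other lines are ignored.
PORT_CMD = re.compile(
    r"^configure stpd (?P<stpd>\S+) ports "
    r"(?P<feature>link-type edge|edge-safeguard enable|bpdu-restrict enable) "
    r"(?P<ports>[\d:,\-]+)$"
)


def expand_ports(spec):
    """Expand a port list such as '1:1-4,1:7' into ['1:1', '1:2', '1:3', '1:4', '1:7'].

    Assumption: a range never crosses a slot boundary (the prefix before ':'
    of the first port applies to the whole range). Unstacked ports like '5-7'
    are also handled.
    """
    ports = []
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            start, end = item.split("-", 1)
            prefix, _, first = start.rpartition(":")
            last = end.rpartition(":")[2]
            sep = ":" if prefix else ""
            ports.extend(f"{prefix}{sep}{n}" for n in range(int(first), int(last) + 1))
        else:
            ports.append(item)
    return ports


def port_key(port):
    """Sort key so that '1:2' comes before '1:10'."""
    return tuple(int(x) for x in port.split(":"))


def parse_stp_ports(config_text):
    """Return {feature: set(ports)} for the per-port STP commands in config_text."""
    features = defaultdict(set)
    for line in config_text.splitlines():
        m = PORT_CMD.match(line.strip())
        if m:
            features[m.group("feature")].update(expand_ports(m.group("ports")))
    return features


def find_unprotected_edge_ports(config_text):
    """Return a sorted list of (port, [missing protections]) for edge ports.

    A port declared 'link-type edge' is expected to also carry both
    'edge-safeguard enable' and 'bpdu-restrict enable'.
    """
    features = parse_stp_ports(config_text)
    findings = []
    for port in sorted(features["link-type edge"], key=port_key):
        missing = []
        if port not in features["edge-safeguard enable"]:
            missing.append("edge-safeguard")
        if port not in features["bpdu-restrict enable"]:
            missing.append("bpdu-restrict")
        if missing:
            findings.append((port, missing))
    return findings


if __name__ == "__main__":
    for port, missing in find_unprotected_edge_ports(SAMPLE_CONFIG):
        print(f"edge port {port} is missing: {', '.join(missing)}")
```

Run it against the text of `show configuration stpd` pulled from each switch (the sample above stands in for that) and treat any finding as a port to fix before someone plugs the wrong device into it; it does not catch a port that was never declared edge at all, which is the case the original question is about, so it complements rather than replaces MAC auth or physical port hygiene.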

ar1
Contributor
Hi Jeff,
I have no experience with Extreme Switches, but Enterasys has a feature called spanguard that will disable the port if an STP-sending device is connected.
That will not fix all your problems but perhaps some?
Regards,
Axel