Brief description of the environment:
K-12 School District
S4 Core [08.62.04.001]
x460-G2 (40G uplink) distribution layer [21.1.1.4]
x450-G2 (10G uplink) edge layer [21.1.1.4]
Management, Control, Analytics 8.x
x460-G2+x450-G2 stacks (building mdf)
x450-G2 stacks (building idf)
x430 (1G uplink) "classroom layer" [16.2.3.5] - connects Kramer VP-773A, Crestron MPC-M10, Epson Projector, HP PC, and spare ethernet for laptop in every classroom (200+ district-wide), a few (<5) have a Mitel phone plugged in
Interswitch edge devices of interest include:
3935i/3965i APs in lacp lags
Mitel 5304 (no PC port), 5320/5330/5360 (includes PC port) IP Phones
Access edge devices of interest include:
Avigilon IP Cameras
Windows/Mac Devices
IP Intercom Devices
IP Physical Access Control Devices
IP Building Management (BMS) Devices
Digital Signage Devices
My S4 STP config is very simple:
set spantree priority 0 0
set spantree adminedge ge.X.xx true (where access edge device)
My x430, x450-G2, x460-G2 STP config is:
configure mstp revision 3
configure stpd s0 mode mstp cist
enable s0 auto-bind vlan 1-4094
configure stpd s0 ports link-type edge X:xx (where access edge device)
configure stpd s0 ports edge-safeguard enable X:xx (where access edge device)
configure stpd s0 ports bpdu-restrict enable X:xx (where access edge device)
enable stpd s0
Here is my question... What are my options to prevent excessive topology changes if someone plugs in an access edge device into a port that was programmed for a interswitch edge device?
1. maclock seems heavy handed
2.
This is interesting but feels like duct tape
3. Dedicated phone, camera, classroom switch is a possibility in some spots but someone could still accidentally plug in the wrong thing
Wired dot1x is not fully deployed. MAC auth is used to identify Mitel phones, Avigilon cameras, intercom, BMS, and digital signage devices. I am not finding a way to apply STP port rules via Policy.
Am I missing something?
Thanks in advance,
Jeff
