Monday
Long story short, I have recently begun working at a university, and I come from a Cisco background. The university is purely Extreme in switching and wireless. They have been having a problem for years where, if someone accidentally causes a loop, a large portion of the campus shuts down. This has already happened a couple of times since I started working here and is, to me, of the utmost importance to fix.
The issue lies with the 3rd party that installed the switches. They implemented ELRP only at the core. Therefore, when a loop occurs, it disables the corresponding port on the core, which shuts off access to everything connecting off of it.
Anyway, I would like to implement STP for all of the switches. This summer, we plan to do a core upgrade. I have already set up the new core in an MLAG setup: two 7520s with the ISC LAG between them, MLAGging two 5520s. Below is the configuration I am thinking of for STP:
# carrier VLAN for the STP BPDUs, tagged on every port
create vlan stpd_bpdu tag 4064
configure vlan 4064 add ports all tagged
# RSTP with PVST+ encapsulation, bound to the carrier VLAN
configure stpd s0 mode dot1w
enable stpd s0 rapid-root-failover
configure stpd s0 default-encapsulation pvst-plus
enable stpd s0 auto-bind vlan 4064
configure stpd s0 tag 4064
# edge ports: forward immediately, shut on a received BPDU, recover after 120 s
configure stpd s0 ports link-type edge {edge_ports}
configure stpd s0 ports edge-safeguard enable {edge_ports}
configure stpd s0 ports bpdu-restrict enable {edge_ports} recovery-timeout 120
configure stpd s0 ports restricted-tcn on {edge_ports}
enable stpd s0
In addition, the core will get:
configure stpd s0 priority 4096  # make the core the root bridge
Since STP configuration is quite a bit different from Cisco, I was wondering if this looks about right? I'm planning on introducing this at the core and then slowly rolling it out towards the edge.
yesterday
Hi!
If you're interoperating with Cisco, this config with PVST+ seems OK, provided that the carrier VLAN is tagged on all relevant ports. There are restrictions on using PVST+ with an untagged native VLAN.
You do not need to add ports to STP and also auto-bind the VLAN; you can just auto-bind the VLAN to STP, which will also add all current and future ports in that VLAN to STP at the same time.
If you're doing all Extreme, keeping the MSTP mode and dot1d encapsulation defaults is probably easier.
In a very basic setup, the only configuration you'd need beyond the defaults is:
enable stpd s0 auto-bind vlan <Auto-Bind All VLANs to s0>
enable stpd s0  # enabled by default
# edge ports
configure stpd <STPD> ports link-type edge <Ports>
An edge port configured with bpdu-restrict is disabled if an STP BPDU is received on the port. Equivalent to Cisco BPDU guard.
An edge port configured with edge-safeguard immediately enters the forwarding state and transmits BPDUs. If a loop is detected, STP disables the port. By default, an edge port without edge-safeguard configured immediately enters the forwarding state but does not transmit BPDUs unless a BPDU is received on that edge port. Equivalent to Cisco spanning-tree portfast.
Both commands have an optional recovery-timeout, the duration for which the port is disabled in either event. If the recovery-timeout period is not specified, the port is disabled permanently until it is manually re-enabled or the switch is rebooted.
Hope that helps!
Tuesday
Hellloooo The 90's called, they want their technology back 🤣.
I spent 15 years as a Cisco engineer myself, so I know where you are coming from, but honestly, MSTP is a lot of work for very little gain, especially if you have MLAGs.
Why not roll ELRP out to the rest of the network? It's faster, safer and doesn't suffer from conversion times. You can set up ELRP exclusion ports, which will listen out for ELRP loops but not lock the port.
Tuesday
GBrown,
We prefer ELRP to STP due to the fact that ELRP mitigates loops with 3rd-party devices/dumb switches. We implement ELRP at nearly all levels except the core, just for that reason. Usually in the core there are no connections to edge devices. I think a better option may be to re-do the ELRP configuration so that your dedicated uplink ports are not part of ELRP, while all your edge ports are configured for ELRP. This will also cut down on the number of ELRP packets flowing across the network uselessly. We've found in our deployments that using ELRP to disable the offending port for 300 seconds (as someone else mentioned) is also a good practice.
Are you all using XMC/XIQ-SE? Using the custom alarm feature to get more information on when a loop occurs is very beneficial. The trap lacks the information to tell where the loop is, i.e. specific port numbers.
It may be worthwhile to reach out to your Extreme Partner (or a different one, if the partner caused this issue...) or your Extreme Engineer for additional information.
Thanks,
Bill
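As an added example, not posted by anyone in this thread, here is what Bill's ELRP layout (and GBrown's exclusion ports) looks like on one edge switch: periodic ELRP probes only on the edge ports, the offending edge port disabled for 300 seconds, and the uplinks excluded from the disable action so a loop never takes down the closet's path to the core. The port ranges and VLAN names are assumptions; the command syntax follows the ExtremeXOS command reference.

```text
# Constructed example: 48-port edge switch, hosts on 1-48, MLAG uplinks on 49-52
enable elrp-client

# Uplink ports still see ELRP probes coming back if a loop exists,
# but ELRP is never allowed to disable them
configure elrp-client disable-ports exclude 49-52

# Probe each user VLAN every second on the edge ports only; on a loop,
# log, send a trap, and disable the receiving edge port for 300 seconds
configure elrp-client periodic Staff ports 1-48 interval 1 log-and-trap disable-port duration 300
configure elrp-client periodic Students ports 1-48 interval 1 log-and-trap disable-port duration 300
```

Because the probes are sent only on edge ports, the uplinks and core no longer carry per-port ELRP traffic from every closet, which is the reduction Bill mentions.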
Tuesday
If you decide to go with STP, in the deployments I do, I leave spanning tree off the uplinks and keep all the topology changes to the switch(es) in the closet.
The only advantage I've found with STP over ELRP is bpdu-restrict, to keep other switches from being plugged into the network. If that isn't a concern, I'd go ELRP; it's a lot simpler config.