stp extreme

8/13/2019 Stp Extreme

http://slidepdf.com/reader/full/stp-extreme 1/25

Extreme Networks Application Note

© 2009 Extreme Networks, Inc. All rights reserved. Do not reproduce.

Rapid Spanning Tree Protocol (RSTP) Deployment

Guidelines for Converged Networks – Revision 01

Abstract: The following Application Note was written to help business partners and sys-

tems engineers with configuring Rapid Spanning Tree Protocol (RSTP) loop avoidance for

converged networks. This configuration can be generalized and applied to most converged

networks from various IP PBX vendors in order to provide loop avoidance and prevent

end-user cabling errors from taking down voice, video and data application services.




Table of Contents

1. Introduction

1.1. Loop Avoidance and Spanning Tree Protocol

2. Configuring RSTP

2.1. STP Domains and Modes

2.2. STP Domain Modes for Converged Networks

2.3. Encapsulation and Default-Encapsulation

2.4. STPD Default-Encapsulation for Converged Networks

2.5. Participating Ports and VLANs

2.6. Adding Ports and VLANs in Converged Networks

2.7. Link-Type and Converged Networks

2.8. Bridge-Priority

2.9. Auto-Bind

3. Sample RSTP Configurations

3.1 Single Core Switch Configuration

3.1.1. “NJCore1” Switch Configuration

3.1.2. “IDF1” Switch Configuration


3.2. Dual Aggregation Switch Configuration

3.2.1. “NJAgg1” Switch Configuration




4. Verification Steps for Sample Configurations

4.1. Single Core Switch Configuration

4.1.1. Verify “IDF1” Switch Configuration





5. Basic RSTP Deployment Checklist

6. Conclusion

6.1. Hardware and Software Versions Tested

7. Additional References

3

3

4

4

6

6

7

7

8

9

10

10

10

10

11

12

13

14

15

16

17

18

19

19

19

20

21

22

23

24

24

24

25



1. Introduction

Layer 2 loops can occur in converged network environments,

sometimes even with Spanning Tree Protocol (STP)

enabled. Most loops are accidental, but they can cripple

voice and data communication services across entire

segments. Spanning tree is disabled on all Extreme Networks®

switches by default. Operating a network without any typeof loop avoidance mechanism like STP or other alternative

technique can be problematic even in loop-free topologies.

These deployment guidelines explain how to enable Rapid

Spanning Tree Protocol (RSTP) in order to eliminate the

majority of Layer 2 loops in converged network environments.

The two sample configurations represent field proven cases

that provide loop-free operation at the network edge, closest

to end users.

Two sample configurations described in this Application Note:

1. Single Core, Two IDF Switches

2. Dual Aggregation with Virtual Router Redundancy

Protocol (VRRP), Two IDF Switches


© 2009 Extreme Networks, Inc. All rights reserved. RSTP Deployment Guidelines Application Note—

Figure 1: Usage Model

1.1. Loop Avoidance and SpanningTree Protocol

Converged networks require a loop avoidance mechanism to

protect against end-user cabling errors. The widespread

deployment of automatic polarity on edge ports exacerbates

the problem, because a simple straight CAT5e patch cable

can automatically establish a link and result in a broadcast

storm. Networks that are deployed without enabling STP

can leave customers vulnerable to three types of loops without

proper configuration. Figure 1 shows the three most common

loops found in Ethernet networks. The self loop occurs when

an end user loops a cable back within the same switch. A

switch-to-switch loop occurs when the end user connects a

third party switch into the network with dual connections.

Lastly, the IP telephone loop can happen when an end user

attaches both the Power+Data and Data only ports of an IP

telephone into the switch.

Network administrators must take appropriate steps to provide

loop-free operation by configuring and enabling RSTP or analternative loop avoidance mechanism. With RSTP, the network

can quickly and automatically detect the most common loops

and place one of the two ports into a BLOCKING state to

avoid a broadcast storm (See Figure 2).

Self Loop

LoopFormed

Switch-to-Switch Loop

LoopFormed IP TelephoneLoop

LoopFormed

5361-01

Figure 1: Types of Network Loops

Self Loop

LoopAvoided

Switch-to-Switch Loop

LoopAvoided

IP TelephoneLoop

LoopAvoided

5362-01

Blocking

Blocking

Blocking

Figure 2: Loop Avoidance Using RSTP





There is a fourth type of loop that occurs less frequently, but it can be just as troublesome. If a user attaches an adjacent device to

the network that has a loop the outcome can be catastrophic to voice, video and data communications. To help avoid the occurrence

of this possible loop, Extreme Networks introduced the edge-safeguard feature for edge ports. The edge-safeguard feature will

detect the presence of an adjacent looped device and software disable the port to avoid a network interruption. See Figure 3.

Looped Hub

LoopFormed

5363-01

Figure 3: Adjacent Looped Device2. Configuring RSTP

The following sections outline the fundamentals necessary to successfully configure and enable RSTP on Extreme Networks

ExtremeXOS® switch for a converged network environment.

2.1. STP Domains and Modes

An Extreme Networks spanning tree instance or database is called a Spanning Tree Protocol Domain (STPD). The STPD determines

the version of spanning tree protocol to use on the switch, the Bridge Protocol Data Unit (BPDU) encapsulation format and the

participating ports and VLANs to be protected by spanning tree. All switch platforms have STPD “s0” preconfigured in their

factory default configuration, but spanning tree has been disabled by default. See Example 1. You must properly configure and

enable spanning tree if you require a loop-free environment.

Example 1: Default Spanning Tree Protocol Domain “s0”

* NJCore1.5 # show stpd

MSTP Global Conguration:

MSTP Region Name : 00049635e5f9

MSTP Format Identier : 0

MSTP Revision Level : 3

Common and Internal Spanning Tree (CIST) : ----

Total Number of MST Instances (MSTI) : 0

Name Tag Flags Ports Bridge ID Designated Root Rt Port Rt Cost

s0 0000 D----- 0 800000049635e5f9 0000000000000000 ------- 0

Total number of STPDs: 1

Flags: (C) Topology Change, (D) Disable, (E) Enable, (R) Rapid Root Failover

(T) Topology Change Detected, (M) MSTP CIST, (I) MSTP MSTI

Figure 3: Adjacent Looped Device





The domain “s0” is preconfigured to automatically bind and protect all ports assigned to the untagged Default VLAN as show in

Example 2. You must enable domain “s0” if you want to use the preconfigured settings to implement spanning tree protection. Many

customers modify the untagged VLANs assigned to the switch ports, so Extreme Networks leaves “s0” disabled in the factory default

configuration. This also minimizes the impact of introducing an Extreme Networks switch into an environment that is already running a

version spanning tree.

Example 2: STPD s0 Default Configuration

NJCore1.10 # show stpd s0

Stpd: s0 Stp: DISABLED Number of Ports: 26

Rapid Root Failover: Disabled

Operational Mode: 802.1D Default Binding Mode: 802.1D

802.1Q Tag: (none)

Ports: 1,2,3,4,5,6,7,8,9,10,

11,12,13,14,15,16,17,18,19,20,

21,22,23,24,25,26

Participating Vlans: Default

Auto-bind Vlans: Default

Bridge Priority: 32768

BridgeID: 80:00:00:04:96:35:e5:f9

Designated root: 00:00:00:00:00:00:00:00

RootPathCost: 0 Root Port: ----

MaxAge: 0s HelloTime: 0s ForwardDelay: 0s

CfgBrMaxAge: 20s CfgBrHelloTime: 2s CfgBrForwardDelay: 15s

Topology Change Time: 35s Hold time: 1s

Topology Change Detected: FALSE Topology Change: FALSE

Number of Topology Changes: 0

Time Since Last Topology Change: 0s

You have the option of modifying domain “s0” to protect different combinations of ports and VLANs or you can create a new domain.

Example 3 shows how to create a new domain. User defined domain names have a maximum length of 32 characters.

Example 3: User Defined Spanning Tree Domain Configuration

* NJCore1.11 # create stpd s1

All Extreme Networks spanning tree domains, including domain “s0” and user defined domains use operational mode IEEE 802.1D by

default. Example 4 shows a user defined domain. Notice that the user defined domain is disabled with an operational mode of 802.1D.

Example 4: User Defined STPD s1 Default Configuration

* NJCore1.12 # show stpd s1



Operational Mode: 802.1D Default Binding Mode: EMISTP

802.1Q Tag: (none)

Ports: (none)

Participating Vlans: (none)

Auto-bind Vlans: (none)


BridgeID: 80:00:00:04:96:35:e5:f9

Designated root: 00:00:00:00:00:00:00:00






Number of Topology Changes: 0Time Since Last Topology Change: 0s





Each STPD instance has three possible modes of operation:

• IEEE 802.1D – Use the 802.1D (dot1d) operational mode for backward compatibility with previous STP versions and for

compatibility with third-party switches using IEEE standard 802.1D. When configured in this mode, all rapid configuration

mechanisms are disabled.

• IEEE 802.1w (Rapid Spanning Tree Protocol) – Use the 802.1w (dot1w) operational mode for compatibility with

RSTP. When configured in this mode, all rapid configuration mechanisms are enabled.

•

IEEE 802.1s (Multiple Instance Spanning Tree Protocol) – Use the MSTP (mstp) operational mode for compatibilitywith MSTP. MSTP is an extension of RSTP and offers the benefit of better scaling with fast convergence.

2.2. STP Domain Modes for Converged Networks

IP networks responsible for delivering real-time applications such as Voice-over-IP (VoIP) and video require fast convergence in

order to maintain quality audio and satisfactory picture quality. The legacy 802.1D mode of spanning tree takes about 30-60 seconds

to converge making it suboptimal for converged networks. If you are deploying spanning tree in a converged network environment

you should change your spanning tree domain to mode 802.1w (dot1w) or 802.1s (mstp) to ensure fast convergence when network

topology changes occur. Example 5 shows how to properly create and configure a user defined domain to operate in RSPT mode.

Example 5: User Defined RSTP Domain Configuration

* NJCore1.8 # create stpd s1* NJCore1.9 # cong stpd s1 mode dot1w

2.3. Encapsulation and Default-Encapsulation

The STPD encapsulation mode determines how the switch formats BPDU messages. The encapsulation mode and operational mode

for STPD are independent settings. The encapsulation may be modified on an individual port basis, or you can use the default-

encapsulation configured for the domain. The “s0” domain is preconfigured to use 802.1D as its default-encapsulation mode while

user defined domains automatically select Extreme Multiple Instance Spanning Tree Protocol (EMISTP) as their default-encapsulation

mode (See Example 6).

Example 6: Default-Encapsulation Modes for Spanning Tree Domains




Operational Mode: 802.1D Default Binding Mode: 802.1D




Operational Mode: 802.1W Default Binding Mode: EMISTP

Each port assigned to an STPD has three possible modes of BPDU encapsulation:

• IEEE 802.1D – Use the 802.1D (dot1d) encapsulation mode for backward compatibility with previous STP versions and

for compatibility with third-party switches using IEEE standard 802.1D. BPDUs are sent untagged in 802.1D mode. Thisencapsulation mode supports the following STPD modes of operation: 802.1D, 802.1w, and MSTP.

• Extreme Multiple Instance Spanning Tree Protocol (EMISTP) – Use the EMISTP (emistp) encapsulation mode

when connecting with Extreme Networks switches only. BPDUs for each STPD are sent with an 802.1Q tag in EMISTP

encapsulation mode. The STPDs running in this mode have a one-to-one relationship with VLANs and send and process

packets in EMISTP format. This encapsulation mode supports the following STPD modes of operation: 802.1D and

802.1w.

• Per VLAN Spanning Tree (PVST+) – Use the PVST+ (pvst-plus) encapsulation mode when connecting to third-party

switches running the PVST+ version of STP. BPDUs for each STPD are sent with an 802.1Q tag in PVST+ encapsulation mode.

The STPDs running in this mode have a one-to-one relationship with VLANs and send and process packets in PVST+ format.

This encapsulation mode supports the following STPD modes of operation: 802.1D and 802.1w.





You can manually specify how the BPDU should be formatted on a per port basis, but this requires that you append the encapsulation

mode at the end of the add VLAN and port command. Example 7 shows how a port can be added to the domain with a manually

specified BDPU encapsulation mode. Most administrators prefer to use the default-encapsulation to assign the BPDU format to a

switch port.

Example 7: Add VLAN and Port to Spanning Tree Domain with Encapsulation

* NJCore1.12 # cong stpd s1 add vlan data10 ports 1 dot1d

If most switch ports in a spanning tree domain are using the same port encapsulation mode it is easier to change the default-encapsulation

and assign the ports. Example 8 shows how a port can inherit the default-encapsulation mode configured for the spanning tree

domain by not appending the BPDU encapsulation at the end of an add VLAN and port command.

Example 8: Add VLAN and Port to Spanning Tree Domain with Default-Encapsulation

* NJCore1.14 # cong stpd s1 default-encapsulation dot1d

* NJCore1.15 # cong stpd s1 add vlan data10 ports 1

2.4. STPD Default-Encapsulation for Converged Networks

Most IP telephones have the ability to pass untagged BPDU messages across their internal switch fabrics. Unfortunately, manymanufacturers and models of IP telephones are also incapable of passing 802.1Q tagged BDPU messages across their internal switch

fabrics. This makes the EMISTP and PVST+ encapsulation modes suboptimal for converged network environments. If you are

deploying spanning tree in a converged network environment you should change your spanning tree domain default-encapsulation

mode to 802.1D (dot1d) so that the IEEE standard untagged BPDU message format is used. Example 9 shows how a user defined

spanning tree domain can be configured to properly support RSTP in a converged network. This configuration will allow the

Extreme Networks switch to detect and prevent loops across an IP telephone’s internal switch fabric. The STPD mode 802.1w

(dot1w) and default-encapsulation 802.1D (dot1d) are the preferred setting for interoperating with third-party IEEE bridges and

for preventing looped IP telephone scenarios.

Example 9: User Defined RSTP Domain with 802.1D Encapsulation Mode Configuration


* NJCore1.9 # cong stpd s1 mode dot1w


* NJCore1.20 # enable stpd s1

2.5. Participating Ports and VLANs

Once you have selected a STPD domain, operational mode and default-encapsulation mode for a converged network environment

you will need to add ports and VLANs that are to be protected. The ordering by which you add ports and VLANs is very important

when using 802.1D (dot1d) default-encapsulation.

Example 10: Adding Port and Untagged VLAN to RSTP Configuration

* NJCore1.5 # create vlan data10

* NJCore1.6 # cong vlan data10 tag 10

* NJCore1.7 # cong vlan data10 add ports 1


* NJCore1.9 # cong stpd s1 mode dot1w



* NJCore1.12 # cong stpd s1 add vlan data10 ports 1

Example 10 shows port 1 and untagged “data10” VLAN being added to spanning tree domain “s1”. Example 11 shows port 1 and

untagged “data10” VLAN are participating in the domain.





Example 11: Spanning Tree Domain with Port and Untagged Participating VLAN Added


Stpd: s1 Stp: ENABLED Number of Ports: 1


Operational Mode: 802.1W Default Binding Mode: 802.1D

802.1Q Tag: (none)

Ports: 1

Participating Vlans: data10



BridgeID: 80:00:00:04:96:35:e5:f9

Designated root: 80:00:00:04:96:35:e5:f9








If you attempt to add a port and tagged VLAN to the spanning tree domain before you have added the port and its untagged VLAN,

you will receive an error in the command prompt. The ports untagged VLAN must be added first, because the 802.1w domain requires

an untagged VLAN in order to transmit and receive BPDUs. If you attempt to bind a port and tagged VLAN before you have bound

the ports untagged VLAN, the domain will have no way of transmitting or receiving BPDU messages, which is why you see an error

condition in Example 12.

Example 12: Error Adding Port and Tagged VLAN Only to RSTP Configuration

* NJCore1.5 # create vlan voice11

* NJCore1.6 # cong vlan voice11 tag 11

* NJCore1.7 # cong vlan voice11 add ports 1 tagged

* NJCore1.8 # create stpd s1* NJCore1.9 # cong stpd s1 mode dot1w



* NJCore1.12 # cong stpd s1 add vlan voice11 ports 1

Error: Cannot add VLAN voice11 port 1 to STP domain s1

When you add untagged and tagged VLANs in the incorrect order, an error may occur and VLANs will fail to be added to the domain.

You must add ports and untagged VLANs to the domain first.

2.6. Adding Ports and VLANs in Converged Networks

In a converged network environment you want to avoid loops on both the data and voice VLANs, therefore, both must be added to

the RSTP domain for protection. As per the previous section, you must always add ports and untagged VLANs to the RSTP domain,before you add ports and its tagged VLANs. This is necessary because the dot1d encapsulation requires an untagged VLAN in order

transmit and receive untagged BPDU messages.

When adding ports to an RSTP domain, you must follow this approach:

• First, add each port and its untagged VLAN to the RSTP domain

• Second, add each port and its tagged VLANs to the RSTP domain

Example 13 shows the proper order for adding untagged and tagged VLANs to an RSTP domain in a converged network environment.

The data10 VLAN was previously added to port 1 as untagged and the voice11 VLAN was previously added to port 1 as tagged.





Example 13: Adding Untagged and Tagged VLANs to an STPD in a Converged Network

* NJCore1.12 # cong stpd s1 add vlan data10 ports 1 # must add untagged 1st

* NJCore1.13 # cong stpd s1 add vlan voice11 ports 1 # must add tagged 2nd

Note: If you remove the port and untagged VLAN from the RSTP domain and you are using dot1d encapsulation, the tagged VLANs

will also be removed from the domain.

Example 14: Port Data and Voice VLANs Participating in STP Domain s1

* X450a-24t.16 # show stpd s1

Stpd: s1 Stp: ENABLED Number of Ports: 1


Operational Mode: 802.1W Default Binding Mode: 802.1D

802.1Q Tag: (none)

Ports: 1

Participating Vlans: data10,voice11



BridgeID: 80:00:00:04:96:35:e5:f9

Designated root: 80:00:00:04:96:35:e5:f9








2.7. Link-Type and Converged Networks

The STPD port link-type is a very important parameter that should be configured in any converged network environment. The

link-type effects whether or not the port Forwarding Database (FDB) table will be flushed during a topology change. The link-type

also controls how quickly a port will transition to the forwarding state and it determines whether or not the port transmits and

receives BPDU messages to participate in the spanning tree topology. Failure to configure port link-types can result in undesired

behavior such as inadvertent FDB flushing and longer convergence times when a topology change occurs. In order to minimize FDB

flushing and speed up convergence there are two link-type combinations that should be applied in a converged network environment:

• Point-to-Point – Use link type point-to-point on all switch-to-switch links within the environment. If the switch-to-

switch connection is a Link Aggregation Group, configure the master port as link-type point-to-point.

• Edge with Edge-Safeguard – Use link type edge with edge-safeguard enable on any edge ports connected to hosts that

are participating in spanning tree, such as PC workstations, printers, IP telephones.

If you plan on implementing RSTP on application server and IP PBX ports you should use Edge with Edge-Safeguard. Most enterprises

leave RSTP disabled for ports connected to these services to avoid any effects of STP flapping. If you use auto-bind in the core the PBX

and application server ports will automatically be added to the domain so remember to configure your link-types properly in this type ofarrangement. Example 15 shows how to configure port link-types for a switch-to-switch port 24 and edge port 1.

Example 15: Port Link-Type Configuration for STP Domain s1

* NJCore1.14 # cong stpd s1 port link-type point-to-point 24

* NJCore1.15 # cong stpd s1 port link-type edge 1 edge-safeguard enable





2.8. Bridge Priority

The STPD bridge priority value determines whether or not the Extreme Networks switch will operate as a root bridge. The bridge

with the lowest priority is elected as the root bridge for the domain. Generally, you will only modify the priority on a switch that you

want to force to be the root bridge (typically a core switch) and you sometimes modify a second switch that you want to force to be

the backup root bridge (typically a backup core switch). The default STPD priority for all Extreme Networks switches is 32768. The

bridge priority can be modified in increments of 4096 from 0 to 61440. Assuming no tie conditions, the bridge with the lowest priority is

elected as the root bridge and the bridge with the second lowest bridge priority would act as the backup root bridge. When there is a

tie and two or more bridges have equal priority, the bridge with the lowest MAC address becomes the root bridge and the bridgewith the second lowest MAC address will essentially be the backup root bridge

Example 16: Bridge Priority Configuration for STP Domain s1

* NJCore1.27 # cong stpd s1 priority 4096

2.9. Auto-bind

The auto-bind feature allows the domain to automatically add and remove ports and VLANs to the STPD domain using the default-

encapsulation. You should only use auto-bind for VLANs that are to be protected by spanning tree. The auto-bind feature makes STP

modifications to the switch less error prone, because the switch will automatically adjust the STP bindings according to how the switch

VLANs and port are configured.

3. Sample RSTP Configurations


Figure 4 show a basic RSTP configuration. There is a single Summit® X450a-24t switch “CORE1” that is the Layer 3 switch and

Spanning Tree Root Bridge. There are two IDF closets. The “IDF1” closet has two stacked Summit X250e-24p switches that are link

aggregated back to the core. The “IDF2” closet has a single Summit X150-24p switch that is link aggregated back to the core. The

STP was intentionally disabled for all IP PBX and application server facing ports on “CORE1”. The untagged “data10” VLAN is used to

transmit and receive BPDUs and both the untagged “data10” and tagged “voice11” VLANs are protected by spanning tree.

5364-01

“IP PBX”10.1.1.10/24

“DHCPSVR”10.1.1.254/24

10/3

100-Full

“IDF1” “IDF2”1:25 2:25

“NJCore1”1

21 22 23

2526

24

2

AvayaG700

STPD “sO” mode “dot1w”Default Encapsulation “dot1d”Bridge Priority 4096Ports 21,23 P2PUntagged Participating VLAN “data10”Tagged Participating VLAN “voice11”

STPD “sO” mode “dot1w”Default Encapsulation “dot1d”Ports 1:1-1:24,2:1-2:24 type Edge w/Edge-SafeguardPorts 1:25 P2PUntagged Participating VLAN “data10”Tagged Participating VLAN “voice11”

STPD “sO” mode “dot1w”Default Encapsulation “dot1d”Ports 1-24 type Edge w/Edge-SafeguardPorts 25 type P2PUntagged Participating VLAN “data10”Tagged Participating VLAN “voice11”

L A GL A G

Figure 4: Single Core RSTP Configuration





3.1.1. “NJCore1” Switch Configuration

# Remove the default VLAN from all ports and name the switch

cong vlan default delete ports all

cong snmp sysname NJCore1

# Congure Link Aggregation Groups

enable sharing 21 grouping 21-22 lacp

enable sharing 23 grouping 23-24 lacp

# Dene VLANs, assign ports, IP addresses and enable forwarding

create vlan data10

cong vlan data10 tag 10

cong vlan data10 add ports 21,23 untagged

cong vlan data10 ipaddress 192.168.10.1/24

enable ipforwarding data10

create vlan voice11

cong vlan voice11 tag 11

cong vlan voice11 add ports 21,23 tagged

cong vlan voice11 ipaddress 192.168.11.1/24

enable ipforwarding voice11

create vlan server100

cong vlan server100 tag 100cong vlan server100 add ports 1-2 untagged

cong port 1 auto off speed 100 duplex full

cong vlan server100 ipaddress 10.1.1.1/24

enable ipforwarding server100

# Congure DHCP Relay function

cong bootprelay add 10.1.1.254

enable bootprelay

# Congure Layer 3 based Quality of Service for VoIP

create qosprole qp6

cong diffserv examination code-point 46 qp6

enable diffserv examination ports all

disable dot1p examination ports all

# Dene and enable a custom RSTP domain for the root bridge

create stpd s1

cong stpd s1 mode dot1w

cong stpd s1 default-encapsulation dot1d

cong stpd s1 priority 4096

enable stpd s1

# Manually add sports, untagged and tagged participant VLANs to spanning tree

cong stpd s1 add data10 ports 21,23

cong stpd s1 add voice11 ports 21,23

# Tune participant port link-types for fastest transition to forwarding

cong stpd s1 ports link-type point-to-point 21,23

# Turn on CPU DoS protection

enable dos-protect








cong snmp sysname IDF1


enable sharing 1:25 grouping 1:25,2:25 lacp


create vlan data10


cong vlan data10 add ports 1:1-25,2:1-24 untagged


create vlan voice11


cong vlan voice11 add ports 1:1-25,2:1-24 tagged

cong iproute add default 192.168.10.1


create qosprole qp6



disable dot1p examination ports all# Dene and enable a custom RSTP domain

create stpd s1



enable stpd s1

# Autobind the ports, untagged and tagged participant VLANs to spanning tree

enable stpd s1 auto-bind data10

enable stpd s1 auto-bind voice11

# Tune participant port link-types for fastest transition to forwarding state

cong stpd s1 ports link-type point-to-point 1:25

cong stpd s1 ports link-type edge 1:1-24,2:1-24 edge-safeguard enable

# Congure static LLDP-MED for phone provisioning on edge ports

enable lldp ports 1:1-24,2:1-24

cong lldp ports 1:1-24,2:1-24 advertise vendor-specic avaya-extreme call-server 10.1.1.10

cong lldp ports 1:1-24,2:1-24 advertise vendor-specic avaya-extreme le-server 10.1.1.254

cong lldp ports 1:1-24,2:1-24 advertise vendor-specic avaya-extreme dot1q-framing tagged

cong lldp ports 1:1-24,2:1-24 advertise vendor-specic dot1 vlan-name

# Disable EDP on edge ports

disable edp ports all

enable edp ports 1:25

# Congure ood rate limiting on edge ports. This control excessive ooding

# on the network edge, which can be harmful to host and IP Phone CPU processing

cong ports 1:1-24,2:1-24 rate-limit ood broadcast 500

cong ports 1:1-24,2:1-24 rate-limit ood multicast 500

cong ports 1:1-24,2:1-24 rate-limit ood unknown-destmac 500# Turn on CPU DoS protection

enable dos-protect










enable sharing 25 grouping 25,26 lacp


create vlan data10


cong vlan data10 add ports 1-25 untagged


create vlan voice11


cong vlan voice11 add ports 1-25 tagged



create qosprole qp6



disable dot1p examination ports all# Dene and enable a custom RSTP domain

create stpd s1



enable stpd s1





cong stpd s1 ports link-type point-to-point 25

cong stpd s1 ports link-type edge 1-24 edge-safeguard enable


enable lldp ports 1-24

cong lldp ports 1-24 advertise vendor-specic avaya-extreme call-server 10.1.1.10

cong lldp ports 1-24 advertise vendor-specic avaya-extreme le-server 10.1.1.254

cong lldp ports 1-24 advertise vendor-specic avaya-extreme dot1q-framing tagged

cong lldp ports 1-24 advertise vendor-specic dot1 vlan-name



enable edp ports 25



cong ports 1-24 rate-limit ood broadcast 500

cong ports 1-24 rate-limit ood multicast 500

cong ports 1-24 rate-limit ood unknown-destmac 500# Turn on CPU DoS protection

enable dos-protect





3.2. Dual Aggregation Switch

This is an advanced RSTP configuration (Figure 5). There are dual Summit X450a-24t switches at the core. The “NJAgg1” switch is

the VRRP Master that is providing the Layer 3 routing and Spanning Tree Root Bridge functions. The “NJAgg2” switch is the VRRP

Backup and backup Root Bridge. There are two IDF closets. The “IDF1” closet has two stacked Summit X250e-24p switches that

are single connected back to each core switch. The “IDF2” closet has a single Summit X150-24p switch that is single connected back

to each core switch. Spanning Tree Protocol was intentionally disabled for all IP PBX and application server facing ports on “NJAgg1”

and “NJAgg2”. The untagged “data10” VLAN is used to transmit and receive BPDUs. Both the “data10” and “voice11” VLANs have

been protected against loops.

5365-01

“NJAgg1”

1:25

23

2:26

24 23 24

2625

21 21

“IDF1”

STPD “sO” mode “dot1w”

Default Encapsulation “dot1d”

Bridge Priority 4096

Ports 21,23,24 type P2P

Untagged Participating VLAN “data10”

Tagged Participating VLAN “voice11”

VRRP “Master”

“NJAgg2”



Bridge Priority 8192

Ports 21,23,24 type P2P



VRRP “Backup”



Ports 1:1-1:24,2:1-2:24 type Edge with Safeguard

Ports 1:25,2:26 P2P



“IDF2”



Ports 1-24 type Edge with Safeguard

Ports 25,26 type P2P



Figure 5: Dual Aggregation Switch RSTP Configuration








disable stpd s0 auto-bind default

cong snmp sysname NJAgg1


create vlan data10


cong vlan data10 add ports 21,23,24 untagged


create vlan voice11


cong vlan voice11 add ports 21,23,24 tagged



cong vlan server100 tag 100

cong vlan server100 add ports 1-2 untagged



enable ipforwarding# Congure Virtual Router Redundancy Protocol – Master Switch

# You can use the same or different vrid’s for each VLAN

create vrrp data10 vrid 1

cong vrrp data10 vrid 1 priority 255

cong vrrp data10 vrid 1 add 192.168.10.1

create vrrp voice11 vrid 2

cong vrrp voice11 vrid 2 priority 255

cong vrrp voice11 vrid 2 add 192.168.11.1

create vrrp server100 vrid 3

cong vrrp server100 vrid 3 priority 255

cong vrrp server100 vrid 3 add 10.1.1.1

enable vrrp



enable bootprelay


create qosprole qp6




# Use domain s0 for the root bridge




enable stpd s0# Manually add ports, untagged and tagged participant VLANs to spanning tree

cong stpd s0 add data10 ports 21,23,24

cong stpd s0 add voice11 ports 21,23,24


cong stpd s0 ports link-type point-to-point 21,23,24


enable dos-protect









cong snmp sysname NJAgg2


create vlan data10


cong vlan data10 add ports 21,23,24 untagged


create vlan voice11


cong vlan voice11 add ports 21,23,24 tagged



cong vlan server100 tag 100

cong vlan server100 add ports 1-2 untagged



enable ipforwarding# Congure Virtual Router Redundancy Protocol – Master Switch

# You can use the same or different vrid’s for each VLAN

create vrrp data10 vrid 1

cong vrrp data10 vrid 1 priority 100

cong vrrp data10 vrid 1 add 192.168.10.1

create vrrp voice11 vrid 2

cong vrrp voice11 vrid 2 priority 100

cong vrrp voice11 vrid 2 add 192.168.11.1

create vrrp server100 vrid 3

cong vrrp server100 vrid 3 priority 100

cong vrrp server100 vrid 3 add 10.1.1.1

enable vrrp



enable bootprelay


create qosprole qp6




# Use domain s0 for the root bridge




enable stpd s0# Manually add ports, untagged and tagged participant VLANs to spanning tree

cong stpd s0 add data10 ports 21,23,24

cong stpd s0 add voice11 ports 21,23,24


cong stpd s0 ports link-type point-to-point 21,23,24


enable dos-protect











create vlan data10


cong vlan data10 add ports 1:1-25,2:1-24,2:26 untagged


create vlan voice11


cong vlan voice11 add ports 1:1-25,2:1-24,2:26 tagged



create qosprole qp6




# Congure and use domain s0 for RSTPcong stpd s0 mode dot1w


enable stpd s0





cong stpd s0 ports link-type point-to-point 1:25,2:26

cong stpd s0 ports link-type edge 1:1-24,2:1-24 edge-safeguard enable


enable lldp ports 1:1-24,2:1-24

cong lldp ports 1:1-24,2:1-24 advertise vendor-specic avaya-extreme call-server 10.1.1.10

cong lldp ports 1:1-24,2:1-24 advertise vendor-specic avaya-extreme le-server 10.1.1.254

cong lldp ports 1:1-24,2:1-24 advertise vendor-specic avaya-extreme dot1q-framing tagged

cong lldp ports 1:1-24,2:1-24 advertise vendor-specic dot1 vlan-name



enable edp ports 1:25,2:26



cong ports 1:1-24,2:1-24 rate-limit ood broadcast 500

cong ports 1:1-24,2:1-24 rate-limit ood multicast 500

cong ports 1:1-24,2:1-24 rate-limit ood unknown-destmac 500


enable dos-protect











create vlan data10


cong vlan data10 add ports 1-26 untagged


create vlan voice11


cong vlan voice11 add ports 1-26 tagged



create qosprole qp6




# Congure and use domain s0 for RSTPcong stpd s0 mode dot1w


enable stpd s0





cong stpd s0 ports link-type point-to-point 25,26

cong stpd s0 ports link-type edge 1-24 edge-safeguard enable


enable lldp ports 1-24

cong lldp ports 1-24 advertise vendor-specic avaya-extreme call-server 10.1.1.10

cong lldp ports 1-24 advertise vendor-specic avaya-extreme le-server 10.1.1.254

cong lldp ports 1-24 advertise vendor-specic avaya-extreme dot1q-framing tagged

cong lldp ports 1-24 advertise vendor-specic dot1 vlan-name



enable edp ports 25,26



cong ports 1-24 rate-limit ood broadcast 500

cong ports 1-24 rate-limit ood multicast 500

cong ports 1-24 rate-limit ood unknown-destmac 500


enable dos-protect





4. Verification Steps for Sample Configurations


Introduce all eight loop scenarios and verify that the Extreme Networks switch correctly enters the BLOCKING state on looped ports.

Also check that the ports go into the DISABLED state when an adjacent looped device is attached.

5366-01

“IPPBX”10.1.1.10/24

“DHCPSVR”10.1.1.254/24

10/3

100-Full

“NJCore1”1

21 22 23 24

2

AvayaG700

L A GL A G

1:251:3

Self

Loop #1

Self

Loop #2

2:26 2625“IDF1” “IDF2” 3 4

1:1 1:2 1:5

1

1:6 1:7

2

Data andPower

DataOnly

Data andPower

DataOnly

Adjacent LoopedDevice #1

Looped IPTelephone

#1

L2 Switch

Hub

1 2 5

1

6 7

2

Switch-to-SwitchLoop #2



Looped IPTelephone

#2

L2 Switch

Hub

Figure 6: Single Core Switch Configuration


Introduce several Layer 2 loops into the IDF1 configuration and verify Spanning Tree Protocol resolution. Connect IDF1 switch ports as

follows:

• Connect IP Telephone #1 Power+Data Port to IDF1 Port 1:1

• Connect IP Telephone #1 Data Port to IDF1 Port 1:2

• Connect between IDF1 Port 1:3 to IFD1 Port 1:4

• Connect IDF1 Port 1:5 to Netgear Switch Port 1


• Connect looped hub to IDF1 Port 1:7

Whenever a loop is introduced the lowest port number in the loop will remain in the FORWARDING state and the highest port number

in the loop will enter the BLOCKING state. If an adjacent looped device is attached the edge-safeguard feature will place the port in the

DISABLED state by software disabling it. The administrator must manually re-enable the downed port in software after the adjacent

looped device has been removed. Example 17 shows the results from the IDF1 switch. You should expect similar results in your own

configuration.





Example 17: IFD1 Switch with Loops Configured

Slot-1 IDF1.2 # show stpd s1 ports 1:1-3,1:5-7,2:3

Port Mode State Cost Flags Priority Port ID Designated Bridge

1:1 802.1D FORWARDING 200000 eDeepw-S-- 128 8001 80:00:02:04:96:34:4f:65

1:2 802.1D BLOCKING 200000 eBeeaw-S-- 128 8002 80:00:02:04:96:34:4f:65




1:7 802.1D DISABLED 200000 e?ee-w-S-- 128 8007 00:00:00:00:00:00:00:00


Total Ports: 7

------------------------- Flags: ----------------------------

1: e=Enable, d=Disable

2: (Port role) R=Root, D=Designated, A=Alternate, B=Backup, M=Master

3: (Cong type) b=broadcast, p=point-to-point, e=edge, a=auto

4: (Oper. type) b=broadcast, p=point-to-point, e=edge

5: p=proposing, a=agree

6: (partner mode) d = 802.1d, w = 802.1w, m = mstp

7: i = edgeport inconsistency

8: S = edgeport safe guard active

s = edgeport safe guard congured but inactive

9: B = Boundary, I = Internal

10: r = Restricted Role



follows:

• Connect IP Telephone #1 Power+Data Port to IDF2 Port 1

• Connect IP Telephone #1 Data Port to IDF2 Port 2

• Connect between IDF2 Port 3 to IFD2 Port 4

• Connect IDF2 Port 5 to Netgear Switch Port 1


• Connect looped hub to IDF2 Port 7

You should expect similar results in your own configuration.






IDF2.37 # show stpd s1 ports 1-7


1 802.1D FORWARDING 200000 eDeepw-S-- 128 8001 80:00:00:04:96:27:fd:1d

2 802.1D BLOCKING 200000 eBeeaw-S-- 128 8002 80:00:00:04:96:27:fd:1d





7 802.1D DISABLED 200000 e?ee-w-S-- 128 8007 00:00:00:00:00:00:00:00

Total Ports: 7

------------------------- Flags: ----------------------------













Introduce all eight loop scenarios and verify that the Extreme Networks switch correctly enters into the BLOCKING state on looped

ports. Also check that the ports go into the DISABLED state when an adjacent looped device is attached.

“NJAgg1”

23 24 23 24

21 21

“NJAgg2”

5367-01

1:251:3

Self Loop #1

Self Loop #2

2:26 2625“IDF1” “IDF2” 3 4

1:1 1:2 1:5

1

1:6 1:7

2



Looped IPTelephone

#1

L2 Switch

Hub

1 2 5

1

6 7

2



Looped IPTelephone

#2

L2 Switch

Hub

Figure 7: Dual Aggregation Switch Configuration







follows:

• Connect IP Telephone #1 Power+Data Port to IDF1 Port 1:1

• Connect IP Telephone #1 Data Port to IDF1 Port 1:2

• Connect between IDF1 Port 1:3 to IFD1 Port 1:4



• Connect looped hub to IDF1 Port 1:7

Whenever a loop is introduced the lowest port number in the loop will remain in the FORWARDING state and the highest port number

in the loop will enter the BLOCKING state. If an adjacent looped device is attached the edge-safeguard feature will place the port in the

DISABLED state by software disabling it. The administrator must manually re-enable the downed port-in-software after the adjacent

looped device has been removed. Example IDF shows the results from the IDF1 switch. You should expect similar results in your own

configuration.


* Slot-1 IDF1.31 # show stpd s0 ports 1:1-3,1:5-7,2:3,1:25,2:26




1:3 802.1D FORWARDING 200000 eDee-w-S-- 128 8003 80:00:02:04:96:34:4f:65



1:7 802.1D DISABLED 200000 e?ee-w-S-- 128 8007 00:00:00:00:00:00:00:00

1:25 802.1D FORWARDING 20000 eRppaw---- 128 8019 10:00:00:04:96:35:e5:f9


2:26 802.1D BLOCKING 20000 eAppaw---- 128 809a 20:00:00:04:96:27:c5:49

Total Ports: 9

------------------------- Flags: ----------------------------










9: B = Boundary, I = Internal10: r = Restricted Role







follows:

• Connect IP Telephone #1 Power+Data Port to IDF2 Port 1

• Connect IP Telephone #1 Data Port to IDF2 Port 2

• Connect between IDF2 Port 3 to IFD2 Port 4



• Connect looped hub to IDF2 Port 7

You should expect similar results in your own configuration.


* Slot-1 IDF1.32 # show stpd s0 ports 1-7,25,26


1 802.1D FORWARDING 200000 eDee-w-S-- 128 8001 80:00:00:04:96:27:fd:1d


3 802.1D FORWARDING 200000 eDee-w-S-- 128 8003 80:00:00:04:96:27:fd:1d




7 802.1D DISABLED 200000 e?ee-w-S-- 128 8007 00:00:00:00:00:00:00:00

25 802.1D FORWARDING 20000 eRppaw---- 128 8019 10:00:00:04:96:35:e5:f9

26 802.1D BLOCKING 20000 eAppaw---- 128 801a 20:00:00:04:96:27:c5:49

Total Ports: 9

------------------------- Flags: ----------------------------


2: (Port role) R=Root, D=Designated, A=Alternate, B=Backup, M=Master3: (Cong type) b=broadcast, p=point-to-point, e=edge, a=auto













5. Basic RSTP Deployment Checklist

P Select a STPD domain (Either use “s0” or create a new one, e.g. “s1”)

P Configure STPD mode dot1w

P Configure STPD default-encapsulation dot1d

P If the bridge is root, configure STPD priority to 4096

PIf the bridge is backup root, configure STPD priority to 8192 (VRRP arrangement)

P Enable the selected STPD domain

P (Optionally) Auto-bind VLANs to the STPD domain

P If no auto-bind, add ports and untagged VLANs to the STPD domain first

P If no auto-bind, add ports and tagged VLANs to the STPD domain second

P Configure STPD port link-type point-to-point on switch-to-switch links

P Configure STPD port link-type edge with edge-safeguard enabled on user facing ports

6. Conclusion

The sample configurations and recommendations described in this Application Note can be generalized for most customerconfigurations. The behavior of some features shown, such as edge-safeguard, will operate slightly different in pre-12.x software

releases. Layer 2 loops can occur in converged networks, even with STP enabled. By default, Extreme Networks switches have

spanning tree disabled. These deployment guidelines explain how to enable RSTP in order to eliminate the majority of Layer 2

loop conditions that end users may accidentally introduce. The three sample configurations represent field proven cases that can

be leveraged to help provide loop-free operation at the network edge, closest to end users.

6.1. Hardware and Software Versions Tested

The following hardware models and software versions were used to test all three RSTP loop avoidance configurations described in this

Application Note.

Qty. Models TestedLicenseLevels Software Versions

2 Summit X450a-24t Core 12.1.2.17-patch1-17

12.1.3.14

12.2.2.11

2 Summit X250e-24p Edge 12.1.2.17-patch1-17

12.1.3.14

12.2.2.11

1 Summit X150-24p L2-Edge 12.1.2.17-patch1-17

12.1.3.14

12.2.2.11

1 Avaya 4602SW+ IP Telephone N/A Release 2.9

Release 2.8.3

1 Avaya 4610SW+ IP Telephone N/A Release 2.9

Release 2.8.3

2 Avaya 9640 IP Telephone N/A Release 3.0

1 Avaya S8300B Media Ser ver N/A Release R014x.00.1.731.2

1 Avaya G250 Media Servers N/A Release 27.27

1 EPICenter® 7.0 SP1 Ser ver Bronze-20

Table 1:




www.extremenetworks.com

Corporate

and North America

Extreme Networks, Inc.

3585 Monroe Street

Santa Clara, CA 95051 USA

Phone +1 408 579 2800

Europe, Middle East, Africa

and South America

Phone +31 30 800 5100

Asia Pacific

Phone +852 2517 1123

Japan

Phone +81 3 5842 4011

7. Additional References

[1] ExtremeXOS Command Reference Guide, Software Version 12.2.2, Extreme Networks, March 2009,

http://www.extremenetworks.com/services/software-userguide.aspx

[2] ExtremeXOS Concepts Guide, Software Version 12.2.2, Extreme Networks, March 2009,

http://www.extremenetworks.com/services/software-userguide.aspx

[3] Newton’s Telecom Dictionary 21st Edition, Harry Newton, March 2005, CMP Books

stp extreme

Documents