Solved: Cisco and Extreme Connection

Dustin Flint · ‎08-01-2017

I have a question. I have a Cisco network that connects to an Extreme network. I don't own the Extreme network, just the Cisco side. They are connected by a simple trunk port allowing 3 vlans. For example a trunk port on cisco side allowing vlans 3,4,5 connections to a trunk port on the Extreme side.

Should I put something on the Cisco port for spanning tree, such as root guard or bpdu filter. My Cisco network is running in MST mode,and I have no clue if the Extreme side is running any type of stp or if its enabled.

Switchport config below:

Cisco Switch is Nexus 9K

interface Ethernet1/6
description reserved for Extreme
switchport mode trunk
switchport trunk allowed vlan 3-5
channel-group 3000 mode active

Kevin Rivest · ‎08-01-2017

It matters on what you are trying to do.

If your objective is only to ensure that the root bridge is elected in the Cisco portion of the network, and place to port into an err-disabled state if a switch in the Extreme portion tries to become root, than root guard is all that is required.

If your objective is to split the Cisco portion of the network and the Extreme portion of the network into separate STP domains, than you would use bpdu filter. If you do this both portions of the network will be completely independent from an STP perspective. In this scenario you must ensure there are no physical loops between the Cisco portion and Extreme portion of the network though as you are effectively turning off STP at the boundary.

Also, even though you can configure both root guard and bpdu filter on the port at the same time it makes little sense. If you enable bpdu filter you are effectively turning off STP and not processing any BPDUs on the port. If all BPDUs are dropped before processing, root guard will never see a BPDU to determine if it is superior enough to make the port become root.

View solution in original post

Dustin Flint · ‎08-01-2017

Sorry I forget this part, I do have it in a vpc because Nexus 9Ks are stacked. The port-channel does have root guard on. But do I need bpdu filter also?

interface port-channel3000
description Extreme
switchport mode trunk
switchport trunk allowed vlan 3-5
spanning-tree guard root
vpc 3000

Kevin Rivest · ‎08-01-2017

It matters on what you are trying to do.

If your objective is only to ensure that the root bridge is elected in the Cisco portion of the network, and place to port into an err-disabled state if a switch in the Extreme portion tries to become root, than root guard is all that is required.

If your objective is to split the Cisco portion of the network and the Extreme portion of the network into separate STP domains, than you would use bpdu filter. If you do this both portions of the network will be completely independent from an STP perspective. In this scenario you must ensure there are no physical loops between the Cisco portion and Extreme portion of the network though as you are effectively turning off STP at the boundary.

Also, even though you can configure both root guard and bpdu filter on the port at the same time it makes little sense. If you enable bpdu filter you are effectively turning off STP and not processing any BPDUs on the port. If all BPDUs are dropped before processing, root guard will never see a BPDU to determine if it is superior enough to make the port become root.

Dustin Flint · ‎08-01-2017

Thanks!

Makes sense. I will probably turn off root guard and on bpdu filter, as this is this VPC is the only connection between the networks.