Showing results for 
Search instead for 
Did you mean: 
Join Customer Connection to register!

Spanning-tree between Cisco 4507 and Extreme Switch

Hi Everyone,

We will be connecting Cisco 4507 with Extreme Switches. We ran into spanning-tree issues last time. Extreme does not understand spanning-tree. So what i am thinking it to prevent bpdu advertisement from 4507 to extreme switches and also prevent incoming bddu from extreme switch to 4507. I am thinking of using

spanning-tree bpdu filter

spanning-tree bpdu guard

spanning-tree root guard

on the interfaces. Please let me know if I should be adding any other feature. Any suggestions that you have will be highly appreciated.

Best Regards


Rising star

The problem is more likely STP isn't enabled on the Extreme switch(es) or its a different version - remember Cisco still use PVST+ by default which no other vendor does as far a I can remember. Do you need to extend layer-2 VLANs between the switches or can you route the traffic?  If you must extend VLANs then you need to make sure the topology is sound and STP is configured correctly.  Do you need to trunk multiple VLANs between the switches or is this just a single VLAN?  Will there be redundant links?

A picture would help showing the physical connectivity, as well as the layer-2 and layer-3 topology.


I ran into a similar issue

Extreme 7i------Cisco 3548XL

Spanning tree is disabled on the extreme side:

RTR-01.1 # sh stpd "s0" ports 24

Port   Mode   State      Cost  Flags     Priority Port ID Designated Bridge

Port 24 not in STP domain s0

0389-RTR-01.2 # sh stpd detail

Stpd: s0                Stp: DISABLED           Number of Ports: 16

Rapid Root Failover: Disabled

Operational Mode: 802.1D                        Default Binding Mode: 802.1D

802.1Q Tag: (none)

Ports: 2,3,6,7,8,9,10,11,12,19,


Participating Vlans: vlan111,vlan118,vlan123

Auto-bind Vlans: Default

Bridge Priority: 32768

Then in the config we have :

configure stpd s0 delete vlan default ports all
disable stpd s0 auto-bind vlan default
enable stpd s0 auto-bind vlan Default

Which also confused me because the enable comes after the disable.   Does this mean that say vlan111 is partcipating but the default vlan is not?

Whatever the case the Cisco sw would keep on disabling the port due to native vlan mismatch.  The only way I could get around it was to untag one vlan on the extreme side then add that vlan as the native vlan on the cisco side.  The standard config is to have all ports tagged with all vlans on the LAN rtr and on the cisco sw have sw mo tr, that for some reason that did not work, port disabled due to inconsistent bpdu.

I have not had the chance to go back out to site, want to span the port to see what stp on the cisco side was disabling the port.

If you are getting native VLAN mismatch then its because there is another connection to a Cisco switch.  You will only get Native VLAN mismatches logged because CDP is enabled and the Cisco switch is seeing the CDP messages from another switch (CDP is layer-2 multicast and will advertise the Native/Access VLAN, these will travel through the Extreme switch).

Grap the output from 'show port 24 info detail' on the extreme switch and post it here.  Still think we need a picture though.


Hi Andy,

Thank Andy thanks for your reply.

Topology is like this

Extreme Switch <<< access-port >>>4507-1  <<>> 4507-2

Extreme Switch will be connected to just one Cisco Switch 4507-1 and we are only allowing one vlan on this port but between the two 4507 switches, we have everything allowed.

Do you need to trunk multiple VLANs between the switches or is this just a single VLAN?

Azhar: Single

Will there be redundant links?

Azhar: Between Extreme and Cisco Switch , it is just one link and extreme switch will be connected to just one Cisco Switch and not both.

Best Regards


If that is really all there is then it should just work......  STP enabled or disabled on the Extreme switch it should just work. I suspect the Extreme is connected back into the network as this is where the CDP message will be coming from that is causing the Error Disable issue on the 4507.

If you are confident the topology is as you describe then disable CDP on the access port on 4507-1 that connects to the Extreme switch.  Make sure they are both just access ports with just a single untagged VLAN.


Hey Andrew,

I kind of high jacked this thread!  You have two diff posters.

For my post, you feedback does make perfect sense!  We do have multiple Cisco switches off of the Extreme Lan rtr....I look forward to trying your input!  Thank you.


Here was the requested info....again, only way I could get this sw to stay up was the untagged one vlan on the extreme side and then add that as the native vlan on the cisco side.

RTR-01.1 # sh port 24 info det
Port:   24(LAB-3548):
        Virtual-router: VR-Default
        Type:           SX
        Redundant Type: UTP
        Random Early drop:      Unsupported
        Admin state:    Enabled with  auto-speed sensing (1G Advertised), auto-duplex (full-duplex Advertised)
        Link State:     Active, 1Gbps, full-duplex
        Link Counter: Up        67 time(s)

        VLAN cfg:
                 Name: Manage, 802.1Q Tag = 11, MAC-limit = No-limit, Virtual router: VR-Default
                 Name: vlan111, 802.1Q Tag = 111, MAC-limit = No-limit, Virtual router: VR-Default
                 Name: vlan119, 802.1Q Tag = 119, MAC-limit = No-limit, Virtual router: VR-Default
                 Name: vlan19, Internal Tag = 19, MAC-limit = No-limit, Virtual router: VR-Default

        STP cfg:

                 Name: vlan19       Protocol: ANY      Match all protocols.
        Trunking:       Load sharing is not enabled.
        EDP:            Enabled
        ELSM:           Disabled
        Ethernet OAM:           Disabled
        Learning:       Enabled
        Unicast Flooding:       Enabled
        Multicast Flooding:     Enabled
        Broadcast Flooding:     Enabled
        Jumbo:          Disabled
        Flow Control:   Rx-Pause: Enabled       Tx-Pause: Disabled
        Link up/down SNMP trap filter setting:  Enabled
        Egress Port Rate:       No-limit
        Broadcast Rate:         No-limit
        Multicast Rate:         No-limit
        Unknown Dest Mac Rate:  No-limit
        QoS Profile:    None configured
        Ingress Rate Shaping :          Unsupported
        Ingress IPTOS Examination:      Enabled
        Ingress 802.1p Examination:     Enabled
        Ingress 802.1p Inner Exam:      Disabled
        Egress IPTOS Replacement:       Disabled
        Egress 802.1p Replacement:      Enabled
        NetLogin:                       Disabled
        NetLogin port mode:             Port based VLANs
        Smart redundancy:               Enabled
        Software redundant port:        Disabled
        Preferred medium:               Fiber

0389-RTR-01.2 #

Jimmsands73 - what does the topology of this look like?

The switchport config you describe on the Extreme switch should look like this on the Cisco side:

interface GigabitEthernet0/1

switchport trunk encapsulation dot1q

switchport trunk native vlan 19

switchport trunk allowed vlan 11,19,111,119

switchport mode trunk

switchport nonegotiate

Now this is where it gets a bit vague...  You are running a single instance of STP operating in 802.1D mode using VLAN 19 (untagged) as its carrier.  If the Cisco switch is operating in PVST+ or Rapid PVST+ then it will send BPDU's on each VLAN separately.  On the Native VLAN (19) it will send two BPDUs - a standard 802.1D BPDU (destination MAC 0180.C200.0000) to allow interoperability and one sent to the PVST+ destination MAC (0100.0ccc.cccd).  On the tagged VLANs the switch will send PVST+ BPDU's.  The PVST+ BPDU's should be handled as multicast frames by the connected (802.1D) switch and flooded.

For STP to operate correctly, observe certain rules when you connect PVST+ bridges to IEEE 802.1D or 802.1Q bridges. The main rule is that PVST+ bridges must connect to IEEE 802.1D or 802.1Q bridges through an IEEE 802.1Q trunk with a consistent Native VLAN on all bridges that connect to the cloud of IEEE 802.1Q or 802.1D bridges.

The PVST+ BPDU contains a VLAN number that allows PVST+ bridges to detect whether the previous rule is not respected. When a Catalyst switch detects a misconfiguration, the corresponding ports are put into a “PVID-inconsistent” or “type-inconsistent” state, which effectively blocks the traffic in the corresponding VLAN on a corresponding port. These states prevent forwarding loops that misconfigurations or miswiring cause.

HTH, Andy

OK.... I just put wireshark on and watched what happens when the Native VLAN is and isn't 1.

If the port is configured like this:

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 1,10,15

switchport mode trunk

switchport nonegotiate

With the Native VLAN as 1 by default and VLAN 1 allowed on the trunk then the switch will send out 4 BPDU's. Two PVST+ BPDU's that are tagged (10 & 15), a PVST+ BPDU on the Native VLAN and an 802.1D BPDU untagged.

If the Native VLAN is removed from the allowed list on the trunk but the Native VLAN is still 1 - i.e.

switchport trunk allowed vlan 10,15

Then only 2 PVST+ BPDU's are sent - both tagged (10 & 15).

If the Native VLAN is configured as one of the allowed VLANs (10):

switchport trunk allowed vlan 10,15

switchport trunk native vlan 10

Then again 2 PVST+ BPDU's are sent although this time one is tagged (15) and the other untagged.

If the Native VLAN is not 1 but VLAN 1 is allowed on the trunk:

switchport trunk allowed vlan 1,10,15

switchport trunk native vlan 10

Then the switch will send 4 BPDU's in total - 3 PVST+ BPDU's - one untagged coresponding to the Native VLAN (in my case 10), 2 tagged PVST+ BPDU's (VLAN 1 & 15) and an 802.1D BPDU untagged.

Hopefully this helps...


Thank you kindly for your indepth discussion and taking the time to lab it up!      

So if we wanted all ports tagged on the upink port (Extreme) then I would you use this scenario:

switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,15 plus any other vlans....
switchport mode trunk
switchport nonegotiate

Reson is standards dictate all ports tagged on the Extreme and also on the extreme the default vlan is

configure vlan default delete ports 1-26

On the Extreme side any you can have one VLAN untagged (the Native VLAN) and any number of VLANs tagged (I am sure there are limits but I am fairly sure they are large?).  You also get the option not to have an untagged VLAN.  HOw this complies with standards I am not sure?  On the Cisco side you must have a Native VLAN (and then any number of tagged VLANs obviously limits apply on different platforms).

This is all from a user traffic point of view - not from an STP perspective.  What I tested above was just what STP traffic is transmitted from a Cisco switchport with various trunk configurations.  What I didn't do was stick an Extreme switch on the other end of it and see what happens.

If you need to span VLANs between Cisco and Extreme switches and also maintain a consistent STP then in my opinion you need to get away from PVST+ or Rapid PVST+ and investigate MST.  Personally I try to design these elements out of the network and use Layer-3 instead.


I dont have that 'clout', work for a school district (enterprise) with 400+ plus sites easily. Most LAN routers are Extreme, some Cisco, and access layers sw are mostly extremes, mostly Ciscos and few other vendords.  I tested  your cdp theory, we have multple cisco sites with extremes as lan routers and ciscos as sw's hanging off with cdp enabled.   None are from a 3548xl though with a very old ios.

IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5.1)XW, MAINTENANCE INTERIM SOFTWARE

The port config I showed for the Extreme side is after I untagged vlan 19. I would like to have all vlans tagged on the Extreme, and just sw mo tr on the Extreme side. But when I do this (and take the native vlan statement off the Cisco) STP on the cisco side shuts the port down due to inconsistent port type. But I have not explicity said sw tr al vla 10, 19, 111 on it, will try that when giving the chance.

*Feb 28 16:04:30.982: %SPANTREE-2-BLOCK_PVID_PEER: Blocking GigabitEthernet0/1 on vlan 1.

Inconsistent peer vlan.

*Feb 28 16:04:31.000: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet0/1 on vlan 11.

Inconsistent local vlan

Thats the was so long ago and my notes arent what they should be I am forgetting what Cisco port confg gave me that, I beileve it was just sw mo tr, but I could be wrong.

This probably explains the behaviour better than I can...

Good luck


Great feedback and great link, thanks again.