ExtremeXOS (EXOS) Interoperability with Cisco Rapid-PVST+

Cisco developed the Per VLAN Spanning Tree Protocol as the obvious generalization of STP to VLAN-based Ethernet networks. Each VLAN (Virtual Local Area Network) needs to be loop-free. Using one STP instance per VLAN solves this problem in a simple, robust, and easy-to-use way. While the original PVST relied on Cisco's proprietary Inter-Switch Link (ISL) VLAN encapsulation, the plus in PVST+ signifies the change to 802.1Q VLAN tagging. Rapid-PVST+ replaces the classic STP algorithm with the algorithm of the newer rapid variant (known as 802.1w at the time).

The ExtremeXOS network operating system provides support for Cisco's Per VLAN Spanning Tree+ BPDU encapsulation. Because EXOS allows a lot of flexibility in configuring Spanning Tree Protocol (STP) variants with the ability to mix and match different algorithms and encapsulations on a per VLAN per port basis, the Rapid-PVST+ compatibility is not a simple enable command, but requires a combination of several Spanning Tree Protocol instances. This results in a stark contrast to Cisco's simple PVST(+) configuration.

While Cisco introduced compatibility with 802.1Q and standard Spanning Tree Protocol implementations in the PVST successor PVST+ by adding untagged BPDUs sent to the standard STP MAC address, the Extreme Networks implementation does not integrate this. EXOS rather requires the administrator to manually add a standard STP instance for the native VLAN.

The different behaviors of standard STP (one common spanning tree for the physical topology independent of VLANs) and PVST+ (each VLAN has its own spanning tree for its logical topology) result in a functioning network because PVST+ BPDUs sent to the PVST+ MAC address are transported as normal multicast frames across the standard-compliant Ethernet. The standard-compliant Ethernet between two Cisco switches is treated as a (virtual) cable between those switches by PVST+. Per VLAN blocking of logical links happens on the Cisco gear only, while basic Ethernet STP blocks on the port level without regard for VLANs.

Understanding Rapid-PVST+

The first step in building a Cisco Rapid-PVST+ compatible configuration on EXOS is to understand the behavior of a Cisco IOS based switch that uses Rapid-PVST+. Since the algorithm used to build a spanning tree is basically the same for all STP variants, only encapsulation needs to be considered. BPDU format compatibility can be taken care of by choosing the correct encapsulation and STP mode options. The BPDUs themselves are similar between different STP modes; the foremost difference is the destination MAC address used when sending BPDUs. Standard STP BPDUs use 01:80:c2:00:00:00 as destination MAC address, while Cisco (Rapid-)PVST+ BPDUs use 01:00:0c:cc:cc:cd as destination MAC address.

To gain an understanding of Cisco's Rapid-PVST+, packet captures have been taken for eight (8) different interface configurations of a Cisco IOS based switch:

  1. Access port in default VLAN
  2. Access port in non-default VLAN
  3. Access port in non-default VLAN with voice VLAN
  4. Trunk port with default VLAN as native VLAN
  5. Trunk port with non-default VLAN as native VLAN
  6. Trunk port with non-default VLAN as native VLAN excluding the default VLAN from the trunk
  7. Trunk port with default VLAN as native VLAN with tagged native VLAN
  8. Trunk port with non-default VLAN as native VLAN with tagged native VLAN

The Cisco documentation suggests that standard conforming (untagged) BPDUs are generated by PVST+ and Rapid-PVST+. The Extreme documentation suggests that PVST+ encapsulation can only generate tagged BPDUs, thus the standard conforming Common STP BPDUs needed for compatibility with Cisco's PVST+ need to be generated differently.

Test Setup

Rapid-PVST+ compatibility was tested using two switches, one EXOS based, the other IOS based. The EXOS switch was an ExtremeSwitching X460 with EXOS version 16.1.3.6-patch1-4, the IOS switch a Catalyst 3560 with IOS Version 15.0(2)SE1.

Four (4) VLANs were created:

Two (2) cables were used to connect the two switches, thus STP needed to block one of the links to prevent a layer 2 loop:

BPDU Observations on Cisco IOS

To find out what kind of BPDUs are sent by Cisco IOS Rapid-PVST+, a packet sniffer (Wireshark) was connected to an interface of the Catalyst switch. The eight (8) different interface configurations (see above) provided the following observations:

  1. Access port in default VLAN (ID 1):
  2. Access port in non-default DATA VLAN (ID 10):
  3. Access port in non-default DATA VLAN (ID 10) with VOICE VLAN (ID 100):
  4. Trunk port with default VLAN as native VLAN:
  5. Trunk port with non-default VLAN 1000 as native VLAN:
  6. Trunk port with non-default VLAN 1000 as native VLAN excluding the default VLAN from the trunk:
  7. Trunk port with default VLAN as native VLAN with tagged native VLAN:
  8. Trunk port with non-default VLAN 1000 as native VLAN with tagged native VLAN:

The above observations suggest that Cisco Rapid-PVST+ uses the Bridge System ID Extension to communicate the VLAN ID of the PVST+ instance. Additionally, when Cisco Rapid-PVST+ is used with a tagged native VLAN on IOS, Rapid-PVST+ is no longer compatible with standard conforming Spanning Tree Protocol implementations, because all BPDUs are sent as tagged frames. If the default VLAN is excluded from the trunk (test number six (6) above), no standard conforming BPDUs are generated at all.
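
The framing differences described above, as an added example (not part of the original article): a Python classifier that tells standard and PVST+ BPDUs apart by destination MAC, 802.1Q tag and LLC/SNAP header, and splits the first two bytes of the bridge ID into priority and System ID Extension. The LLC/SNAP header values come from the protocol definitions rather than from this page, and the sample frames are constructed with a made-up bridge MAC.

```python
import struct

STP_MAC = bytes.fromhex("0180c2000000")        # standard STP destination (from the text)
PVST_MAC = bytes.fromhex("01000ccccccd")       # (Rapid-)PVST+ destination (from the text)
LLC_STP = bytes.fromhex("424203")              # 802.2 LLC header of a standard BPDU
SNAP_PVST = bytes.fromhex("aaaa0300000c010b")  # LLC/SNAP header of a PVST+ BPDU

def classify_bpdu(frame):
    """Classify one Ethernet frame (without FCS) as a standard or PVST+ BPDU."""
    dst, off, tag = frame[:6], 12, None
    if frame[off:off + 2] == b"\x81\x00":          # 802.1Q tag present
        tag = struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF
        off += 4
    off += 2                                       # skip the 802.3 length field
    if dst == STP_MAC and frame[off:off + 3] == LLC_STP:
        kind, off = "standard", off + 3
    elif dst == PVST_MAC and frame[off:off + 8] == SNAP_PVST:
        kind, off = "pvst+", off + 8
    else:
        return {"kind": "not-a-bpdu"}
    bpdu = frame[off:]
    if len(bpdu) < 4 or bpdu[:2] != b"\x00\x00":   # protocol identifier must be 0
        return {"kind": "malformed"}
    info = {"kind": kind, "dot1q_vlan": tag, "version": bpdu[2]}
    if bpdu[3] in (0x00, 0x02) and len(bpdu) >= 25:  # configuration or RST BPDU
        field = struct.unpack("!H", bpdu[17:19])[0]  # first 2 bytes of the bridge ID
        info["priority"] = field & 0xF000            # upper 4 bits
        info["sys_id_ext"] = field & 0x0FFF          # lower 12 bits
    return info

def build_frame(dst, llc, prio_field, vlan_tag=None):
    """Build a constructed RST BPDU frame; the bridge MAC is made up."""
    mac = bytes.fromhex("020000000001")
    bridge_id = struct.pack("!H", prio_field) + mac
    bpdu = (b"\x00\x00\x02\x02\x3c" + bridge_id + b"\x00" * 4 + bridge_id
            + b"\x80\x01" + b"\x00\x00\x14\x00\x02\x00\x0f\x00" + b"\x00")
    payload = llc + bpdu
    tag = b"\x81\x00" + struct.pack("!H", vlan_tag) if vlan_tag is not None else b""
    return dst + mac + tag + struct.pack("!H", len(payload)) + payload

# Constructed samples; priority 24576 and VLANs 10/100 follow the article's example
SAMPLES = {
    "ios_native": build_frame(STP_MAC, LLC_STP, 32768 + 1),
    "ios_vlan10": build_frame(PVST_MAC, SNAP_PVST, 24576 + 10, vlan_tag=10),
    "exos_vlan100": build_frame(PVST_MAC, SNAP_PVST, 32768, vlan_tag=100),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, classify_bpdu(frame))
```

A `sys_id_ext` of 0 on a tagged PVST+ BPDU, as in the third sample, is what a sender that does not use the Bridge System ID Extension would produce.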

EXOS Configuration for Rapid-PVST+ Compatibility

While Cisco IOS sends both standard conforming and PVST+ encapsulated BPDUs for the untagged native VLAN on trunk ports, ExtremeXOS can send only the untagged standard compliant BPDUs, not untagged PVST+ BPDUs.

ExtremeXOS can generate additional untagged standard compliant BPDUs on a trunk port by creating a dedicated VLAN with associated STP instance to use as untagged (native) VLAN on trunks in addition to the VLANs used for data transport.

The easiest option is to use the default VLAN as native VLAN. On EXOS, the default VLAN is added to the default STP instance s0, which just needs to be enabled. Please note that this creates a security vulnerability by enabling VLAN hopping if the default VLAN is used on any access port, which is the default setting for both Cisco IOS and ExtremeXOS.
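
A check for the condition named above, as an added example (not part of the original article): it reads EXOS `configure vlan ... add ports` lines and reports every VLAN that is untagged on a trunk port and also untagged on access ports. It assumes all port memberships appear explicitly in the text, handles only simple port lists, and uses a hypothetical dedicated VLAN named NATIVE for the comparison case.

```python
import re
from collections import defaultdict

MEMBER = re.compile(r"configure vlan (\S+) add ports (\S+) (tagged|untagged)", re.I)

def expand(ports):
    """Expand a simple port list such as '1-4,15' (slot:port notation not handled)."""
    out = []
    for part in ports.split(","):
        lo, _, hi = part.partition("-")
        out.extend(range(int(lo), int(hi or lo) + 1))
    return out

def native_vlan_exposure(config):
    """Map each VLAN that is untagged on a trunk to the access ports that also use it."""
    tagged, untagged = defaultdict(set), defaultdict(set)   # port -> VLAN names
    for m in MEMBER.finditer(config):
        vlan, mode = m.group(1).strip('"'), m.group(3).lower()
        for port in expand(m.group(2)):
            (tagged if mode == "tagged" else untagged)[port].add(vlan)
    # A port carrying any tagged VLAN is treated as a trunk; its untagged VLAN is native
    natives = {v for port in tagged for v in untagged.get(port, ())}
    findings = {}
    for vlan in sorted(natives):
        access = sorted(p for p, vs in untagged.items() if vlan in vs and p not in tagged)
        if access:
            findings[vlan] = access
    return findings

# Trunk lines from the article's example plus constructed access ports 1-4
AS_IN_ARTICLE = """
configure vlan DATA add ports 15-16 tagged
configure vlan Default add ports 15-16 untagged
configure vlan VOICE add ports 15-16 tagged
configure vlan Default add ports 1-4 untagged
"""
# Constructed alternative: hypothetical dedicated VLAN "NATIVE" on trunks only
DEDICATED = AS_IN_ARTICLE.replace("Default add ports 15-16", "NATIVE add ports 15-16")

if __name__ == "__main__":
    print(native_vlan_exposure(AS_IN_ARTICLE))
    print(native_vlan_exposure(DEDICATED))
```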

General Approach

While Cisco IOS needs just a single configuration line to use Rapid-PVST+, on EXOS the following configuration steps are necessary (all inter-switch links are assumed to be trunks, never access ports):

Example Configuration

The following example configuration uses just the DATA and VOICE VLANs and uses the default VLAN 1 as native VLAN. Thus in this example VLAN 1 uses stpd s0.

EXOS

    create vlan "DATA"
    configure vlan DATA tag 10
    create vlan "VOICE"
    configure vlan VOICE tag 100
    configure vlan DATA add ports 15-16 tagged  
    configure vlan Default add ports 15-16 untagged  
    configure vlan VOICE add ports 15-16 tagged  
    #
    configure stpd s0 mode dot1w
    create stpd s10
    configure stpd s10 mode dot1w
    configure stpd s10 default-encapsulation pvst-plus
    create stpd s100
    configure stpd s100 mode dot1w
    configure stpd s100 default-encapsulation pvst-plus
    configure stpd s10 add vlan DATA ports 15 pvst-plus
    configure stpd s100 add vlan VOICE ports 15 pvst-plus
    configure stpd s10 add vlan DATA ports 16 pvst-plus
    configure stpd s100 add vlan VOICE ports 16 pvst-plus
    enable stpd s0
    configure stpd s10 tag 10
    enable stpd s10
    configure stpd s100 tag 100
    enable stpd s100
    

IOS

    vlan 10
     name DATA
    vlan 100
     name VOICE
    !
    spanning-tree mode rapid-pvst
    spanning-tree extend system-id
    spanning-tree vlan 10 priority 24576
    !
    interface FastEthernet0/7
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport nonegotiate
    !
    interface FastEthernet0/8
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport nonegotiate
    !
    

Test Result

Rapid-PVST+ Interoperability between Cisco IOS and ExtremeXOS was tested using the configurations given above.

Since EXOS does not use Bridge System ID Extension, the default bridge priority is better than that of a Cisco IOS switch. Thus the EXOS switch was root bridge for VLANs 1 and 100. Since the Cisco IOS switch had a manually configured better bridge priority in VLAN 10, it was the root bridge for that VLAN.

The STP processes on Cisco IOS and ExtremeXOS interoperate, both switches agreed on the same per VLAN root bridges and the correct ports were blocked.

Temporarily reducing the bridge priority for VLAN 1 on IOS resulted in the IOS switch as root bridge with the related changes in blocked ports. Reverting this configuration resulted in EXOS as root bridge for VLAN 1 and IOS blocking a port, not EXOS.

Conclusion

While it is possible to integrate EXOS-based switches into an existing Cisco IOS network running Rapid-PVST+, consider changing the Cisco IOS configuration to use the standard Multiple Spanning Tree Protocol instead of Rapid-PVST+. That allows interoperability with most vendors' switches without the need to manually create a more or less PVST+ compatible configuration on non-Cisco switches.

Links to References

A few articles on Extreme Networks' GTAC Knowledge site pertain to PVST+ on EXOS:

Some posts on the Extreme Networks community site The Hub regarding PVST+ on EXOS:

I have written a few notes on using EXOS switches together with Extreme EOS (formerly known as Enterasys) switches:

