Michael McNamara
https://blog.michaelfmcnamara.com
technology, networking, virtualization and IP telephony

Network is down! Please help!
https://blog.michaelfmcnamara.com/2014/01/network-is-down-please-help/
Mon, 06 Jan 2014 15:00:22 +0000

I get quite a few emails and private messages that contain the phrase above, “Network is down! Please help!”. In the vast majority of cases it usually turns out that the problem is self-inflicted. Here are a few simple steps that I strongly recommend you look at if it’s your responsibility to manage the network. These features will help mitigate some serious operational issues from spoiling your day.

Spanning Tree (FastStart / PortFast)

You can’t imagine how many times I’ve seen a patch cable patched from one port on a switch in an IDF back into the same switch. It’s usually a case of sloppy cabling, although I’ve met quite a few users who thought that both ends of the cable needed to be plugged into the wall plate. In order to prevent such scenarios from spoiling your day you should verify that you have Spanning Tree enabled on all edge ports (ports that face the users). You should also verify that you have FastStart or PortFast enabled to help eliminate the 30-second delay during STP learning (those of us that used to run IPX/SPX networks with Novell NetWare learned this a long time ago).

BPDU Guard (called BPDU Filtering by some vendors)

In addition to Spanning Tree you should also enable BPDU guard on all your edge ports. This will immediately disable the switchport if it receives a BPDU Spanning Tree frame. This can help mitigate topology loops and it can help prevent your users from plugging in their own switches in their offices or cubicles. There are some scenarios where connecting the PC port on the back of an Avaya IP phone could potentially put a loop into the network. BPDU guard (called BPDU filtering by Avaya) will detect the BPDU frame and disable the port, thereby protecting the network.

Rate Limiting (Broadcast / Multicast)

If you’re in the networking field long enough you’ll eventually see some really odd behavior from one or more devices. I’ve seen my fair share of oddities and eventually you’ll run across a few too. You should prepare for that eventuality today by configuring broadcast and multicast rate limiting on your edge ports. This helps prevent any single device from flooding too many broadcast or multicast packets into your network, which could impact either other devices connected to the network or the network itself.

You’re already doing each of the previously listed items? Well you could look at the following additional steps. You can find additional detail in a blog post titled, DHCP Snooping ARP Inspection IP Source Guard.

DHCP Snooping

Dynamic Host Configuration Protocol (DHCP) snooping provides security to the network by preventing DHCP spoofing. DHCP spoofing refers to an attacker’s ability to respond to DHCP requests with false IP information. DHCP snooping acts like a firewall between untrusted hosts and the DHCP servers, so that DHCP spoofing cannot occur. There are 2 types of ports in DHCP snooping, trusted and untrusted. The network only allows DHCP responses from trusted ports (usually uplinks) and does not allow DHCP responses from untrusted ports (usually edge switch ports).

DHCP Option 82 – With DHCP Option 82 the switch will append additional information to the DHCP request which can be stored and captured by your DHCP server (or your IP Address Management solution) to help identify the switch and port from which the request was initiated.

ARP Inspection

Dynamic Address Resolution Protocol Inspection (DAI) is a security feature that validates ARP packets in the network.

Without dynamic ARP inspection, a malicious user can attack hosts, switches, and routers connected to the Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet. Dynamic ARP inspection prevents this type of attack. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings.

The address binding table is dynamically built from information gathered in the DHCP request and reply when DHCP snooping is enabled. The MAC address from the DHCP request is paired with the IP address from the DHCP reply to create an entry in the DHCP binding table.

When you enable Dynamic ARP inspection, ARP packets on untrusted ports are filtered based on the source MAC and IP addresses stored in the DHCP snooping table. The switch forwards an ARP packet when the source MAC and IP address matches an entry in the DHCP snooping table. Otherwise, the ARP packet is dropped.

IP Source Guard

IP Source Guard provides security to the network by filtering clients with invalid or spoofed IP addresses. IP Source Guard is a Layer 2 (L2), port-to-port feature that works closely with information in the Dynamic Host Configuration Protocol (DHCP) snooping binding table. When you enable IP Source Guard on an untrusted port with DHCP snooping enabled, an IP filter entry is created or deleted for that port automatically, based on IP information stored in the corresponding DHCP binding table entry. When a connecting client receives a valid IP address from the DHCP server, a filter is installed on the port to allow traffic only from the assigned IP address. A maximum of 10 IP addresses are allowed on each IP Source Guard-enabled port. When this number is reached, no more filters are set up and traffic is dropped.

While Dynamic ARP Inspection blocks only ARP packets, IP Source Guard blocks all IP packets.
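
The following added example (not part of the original post, and not any vendor's implementation) models how DHCP snooping, Dynamic ARP Inspection and IP Source Guard all decide from the same binding table. The class name, port labels, MAC and IP addresses are constructed for illustration, and the model assumes a single VLAN with bindings keyed by client MAC.

```python
from dataclasses import dataclass, field

MAX_IPSG_FILTERS = 10  # per-port filter limit quoted in the text above


@dataclass
class EdgeSwitch:
    """Simplified model (assumption): one VLAN, bindings keyed by client MAC."""
    trusted_ports: set
    pending: dict = field(default_factory=dict)   # client MAC -> port the request arrived on
    bindings: dict = field(default_factory=dict)  # client MAC -> (assigned IP, port)

    def dhcp_request(self, port, mac):
        # Remember where the request came from so the reply can be paired with it.
        self.pending[mac] = port
        return "forward"

    def dhcp_reply(self, port, mac, ip):
        # DHCP snooping: server replies are only accepted on trusted ports.
        if port not in self.trusted_ports:
            return "drop"
        # MAC from the request + IP from the reply = one binding table entry.
        if mac in self.pending:
            self.bindings[mac] = (ip, self.pending.pop(mac))
        return "forward"

    def arp(self, port, src_mac, src_ip):
        # Dynamic ARP Inspection: source MAC/IP must match a binding on this port.
        if port in self.trusted_ports:
            return "forward"
        return "forward" if self.bindings.get(src_mac) == (src_ip, port) else "drop"

    def ip_packet(self, port, src_ip):
        # IP Source Guard: only the first MAX_IPSG_FILTERS bindings get a filter.
        if port in self.trusted_ports:
            return "forward"
        on_port = [ip for ip, p in self.bindings.values() if p == port]
        return "forward" if src_ip in on_port[:MAX_IPSG_FILTERS] else "drop"


def run_demo():
    """Replay a constructed sequence of frames and return each decision."""
    sw = EdgeSwitch(trusted_ports={"uplink"})
    client = "02:00:00:00:00:05"  # constructed MAC on edge port 5
    r = {}
    sw.dhcp_request(5, client)
    # A DHCP server answering from edge port 7 is untrusted and discarded.
    r["rogue_dhcp_reply"] = sw.dhcp_reply(7, client, "10.66.66.66")
    r["real_dhcp_reply"] = sw.dhcp_reply("uplink", client, "192.168.100.50")
    r["arp_valid"] = sw.arp(5, client, "192.168.100.50")
    r["arp_claims_gateway"] = sw.arp(5, client, "192.168.100.1")
    r["arp_wrong_port"] = sw.arp(7, client, "192.168.100.50")
    r["ip_valid"] = sw.ip_packet(5, "192.168.100.50")
    r["ip_spoofed"] = sw.ip_packet(5, "192.168.100.99")
    # Eleven DHCP clients behind one edge port: the eleventh gets no filter.
    for n in range(11):
        mac = f"02:00:00:00:09:{n:02x}"
        sw.dhcp_request(9, mac)
        sw.dhcp_reply("uplink", mac, f"192.168.100.{100 + n}")
    r["tenth_client"] = sw.ip_packet(9, "192.168.100.109")
    r["eleventh_client"] = sw.ip_packet(9, "192.168.100.110")
    return r


if __name__ == "__main__":
    for event, decision in run_demo().items():
        print(f"{event:20} {decision}")
```
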

Cheers!
Image Credit: The Lánchid Bridge in Budapest Hungary at nightfall by Abel Leemans

LACP Configuration Examples (Part 5)
https://blog.michaelfmcnamara.com/2013/11/lacp-configuration-examples-part-5/
Mon, 25 Nov 2013 23:07:06 +0000

Let’s keep going… let’s bring a Cisco 3750E into the topology and let’s talk about utilizing Spanning Tree. Let’s get this out of the way: Avaya does NOT recommend that you disable Spanning Tree. Avaya’s Split MultiLink Trunking (SMLT) is not compatible with the Spanning Tree Protocol, so you can’t run STP over SMLT links. You can still run STP on edge ports and even ports utilizing MultiLink Trunking (MLT) or LACP/802.3ad. This is in contrast to Cisco’s Virtual Port Channel (vPC), which is interoperable with Spanning Tree.

Let’s look at expanding the topology from our last post adding a Cisco 3750E;

[Image: AvayaJuniperCisco]

Again, that’s pretty straightforward and isn’t too exciting. Although if we leave every uplink/downlink as a member of VLAN 100 and VLAN 200 we’ll end up with a loop in our topology – not a Spanning Tree Loop. What if we add Multiple Spanning Tree Protocol (MSTP) to our configuration just to make it interesting? Our topology might look like this with 2 instances of MSTP running, one for each VLAN.

[Image: AvayaJuniperCisco-MSTP2]

We’ll make the Avaya switch the root bridge for CIST. We’ll make the Juniper switch the root bridge for MST 1, and we’ll make the Cisco switch the root bridge for MST 2.

That’s interesting… let’s see what we need to do in order to configure everything. I’m going to pick up the configuration as I had it set up in the previous post, LACP Configuration Examples (Part 4). We’ll need to add another LACP group/pair to our Avaya and Juniper switches as well as configure the Cisco switch. We’ll also need to enable MSTP on each switch, add the VLANs to the correct MSTP instances and set the correct bridge priority for each.

Juniper EX2200-C Switch

configure
set chassis aggregated-devices ethernet device-count 2

delete interfaces ge-0/0/4 unit 0
delete interfaces ge-0/0/5 unit 0

set interfaces ge-0/0/4 ether-options 802.3ad ae1
set interfaces ge-0/0/5 ether-options 802.3ad ae1
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic fast

set interfaces ae1 unit 0 family ethernet-switching
set interfaces ae1 unit 0 family ethernet-switching port-mode trunk
set interfaces ae1 unit 0 family ethernet-switching port-mode trunk vlan members VLAN-100 members VLAN-200

delete protocols rstp

set protocols mstp configuration-name AcmeNetworks
set protocols mstp revision-level 1
set protocols mstp msti 1 vlan 100
set protocols mstp msti 2 vlan 200

set protocols mstp msti 1 bridge-priority 16384
commit and-quit

Avaya Ethernet Routing Switch 5520

config t
spanning-tree mode mst
exit
boot

You’ll need to reboot the switch in order to enable MSTP, so go ahead and reboot before continuing the steps;

config t
vlan ports 25,26 tagging tagAll

interface fastEthernet 25,26
lacp key 25
lacp mode active
lacp timeout-time short
lacp aggregation enable
exit

spanning-tree mstp msti 1
spanning-tree mstp msti 1 add-vlan 100
spanning-tree mstp msti 2
spanning-tree mstp msti 2 add-vlan 200
spanning-tree mstp priority 4000

You’ll notice that the Avaya switch accepts a hexadecimal value for the priority, so 4000 in hex = 16384 in decimal.

spanning-tree mstp region region-name AcmeNetworks
spanning-tree mstp region region-version 1
exit

Cisco Catalyst 3750E Switch

config t
vlan 100
name "192-168-100-0/24"
exit
vlan 200
name "192-168-200-0/24"
exit

interface vlan 100
ip address 192.168.100.30 255.255.255.0
no shut
exit

interface vlan 200
ip address 192.168.200.30 255.255.255.0
no shut
exit

interface gig1/0/13
switchport trunk encapsulation dot1q
switchport mode trunk
channel-protocol lacp
channel-group 1 mode active

interface gig1/0/14
switchport trunk encapsulation dot1q
switchport mode trunk
channel-protocol lacp
channel-group 1 mode active

interface gig1/0/25
switchport trunk encapsulation dot1q
switchport mode trunk
channel-protocol lacp
channel-group 2 mode active

interface gig1/0/26
switchport trunk encapsulation dot1q
switchport mode trunk
channel-protocol lacp
channel-group 2 mode active

spanning-tree mode mst

spanning-tree mst configuration
name AcmeNetworks
revision 1
instance 1 vlan 100
instance 2 vlan 200
exit
spanning-tree mst 2 priority 16384
exit

Let’s have a look at our work and see what everything looks like from both a LACP and Spanning Tree perspective.

Cisco Catalyst 3750E Switch

Switch#show lacp neighbor
Flags: S - Device is requesting Slow LACPDUs
F - Device is requesting Fast LACPDUs
A - Device is in Active mode P - Device is in Passive mode

Channel group 1 neighbors

Partner's information:

LACP port Admin Oper Port Port
Port Flags Priority Dev ID Age key Key Number State
Gi1/0/13 FA 127 54e0.xxxx.d440 5s 0x0 0x2 0x3 0x3F
Gi1/0/14 FA 127 54e0.xxxx.d440 5s 0x0 0x2 0x4 0x3F

Channel group 2 neighbors

Partner's information:

LACP port Admin Oper Port Port
Port Flags Priority Dev ID Age key Key Number State
Gi1/0/25 FA 32768 3475.xxxx.a400 14s 0x0 0x3019 0x19 0x3F
Gi1/0/26 FA 32768 3475.xxxx.a400 16s 0x0 0x3019 0x1A 0x3F

Switch#show spanning-tree

MST0
Spanning tree enabled protocol mstp
Root ID Priority 16384
Address 3475.xxxx.a400
Cost 0
Port 496 (Port-channel2)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32768 (priority 32768 sys-id-ext 0)
Address 0064.xxxx.4d80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1 Desg FWD 10000 128.488 P2p
Po2 Root FWD 10000 128.496 P2p

MST1
Spanning tree enabled protocol mstp
Root ID Priority 16385
Address 54e0.322a.d441
Cost 10000
Port 488 (Port-channel1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0064.xxxx.4d80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1 Root FWD 10000 128.488 P2p
Po2 Desg FWD 10000 128.496 P2p

MST2
Spanning tree enabled protocol mstp
Root ID Priority 16386
Address 0064.xxxx.4d80
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 16386 (priority 16384 sys-id-ext 2)
Address 0064.xxxx.4d80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1 Desg FWD 10000 128.488 P2p
Po2 Desg FWD 10000 128.496 P2p

We can see that LACP is up and running to both the Avaya and Juniper switches. We can also see that the Cisco switch is the root bridge for MSTI 2 and the root port for MSTI 1 is Port-channel 1 (link to Juniper EX2200-C) while the root port for the CIST is Port-channel2 (link to Avaya ERS 5520). All ports are designated and forwarding traffic.

Juniper EX2200-C Switch

root> show lacp interfaces
Aggregated interface: ae0
LACP state: Role Exp Def Dist Col Syn Aggr Timeout Activity
ge-0/0/0 Actor No No Yes Yes Yes Yes Fast Active
ge-0/0/0 Partner No No Yes Yes Yes Yes Fast Active
ge-0/0/1 Actor No No Yes Yes Yes Yes Fast Active
ge-0/0/1 Partner No No Yes Yes Yes Yes Fast Active
LACP protocol: Receive State Transmit State Mux State
ge-0/0/0 Current Fast periodic Collecting distributing
ge-0/0/1 Current Fast periodic Collecting distributing

Aggregated interface: ae1
LACP state: Role Exp Def Dist Col Syn Aggr Timeout Activity
ge-0/0/4 Actor No No Yes Yes Yes Yes Fast Active
ge-0/0/4 Partner No No Yes Yes Yes Yes Slow Active
ge-0/0/5 Actor No No Yes Yes Yes Yes Fast Active
ge-0/0/5 Partner No No Yes Yes Yes Yes Slow Active
LACP protocol: Receive State Transmit State Mux State
ge-0/0/4 Current Slow periodic Collecting distributing
ge-0/0/5 Current Slow periodic Collecting distributing

root> show spanning-tree bridge

STP bridge parameters
Context ID : 0
Enabled protocol : MSTP

STP bridge parameters for CIST
Root ID : 16384.34:75:xx:xx:a4:00
Root cost : 0
Root port : ae0.0
CIST regional root : 16384.34:75:xx:xx:a4:00
CIST internal root cost : 10000
Hello time : 2 seconds
Maximum age : 20 seconds
Forward delay : 15 seconds
Hop count : 19
Message age : 0
Number of topology changes : 2
Time since last topology change : 14690 seconds
Topology change initiator : ae0.0
Topology change last recvd. from : 34:75:xx:xx:a4:01
Local parameters
Bridge ID : 32768.54:e0:xx:xx:d4:41
Extended system ID : 0
Internal instance ID : 0

STP bridge parameters for MSTI 1
MSTI regional root : 16385.54:e0:xx:xx:d4:41
Hello time : 2 seconds
Maximum age : 20 seconds
Forward delay : 15 seconds
Number of topology changes : 5
Topology change initiator : ae1.0
Topology change last recvd. from : 00:64:xx:xx:4d:8d
Local parameters
Bridge ID : 16385.54:e0:xx:xx:d4:41
Extended system ID : 0
Internal instance ID : 1

STP bridge parameters for MSTI 2
MSTI regional root : 16386.00:64:xx:xx:4d:80
Root cost : 10000
Root port : ae1.0
Hello time : 2 seconds
Maximum age : 20 seconds
Forward delay : 15 seconds
Hop count : 19
Number of topology changes : 6
Topology change initiator : ae1.0
Topology change last recvd. from : 00:64:xx:xx:4d:8d
Local parameters
Bridge ID : 32770.54:e0:xx:xx:d4:41
Extended system ID : 0
Internal instance ID : 2

Avaya Ethernet Routing Switch 5520

5520-48T-PWR#show lacp port 13-14,25-26
Admin Oper Trunk Partner
Port Priority Lacp A/I Timeout Key Key AggrId Id Port Status
---- -------- ------- --- ------- ----- ----- ------ ----- ------- ------
13 32768 Active A Short 1 12289 8224 32 1 Active
14 32768 Active A Short 1 12289 8224 32 2 Active
25 32768 Active A Short 25 12313 8223 31 282 Active
26 32768 Active A Short 25 12313 8223 31 283 Active

5520-48T-PWR#show spanning-tree mstp config
Maximum Mst Instance Number: 8
Number of Msti Supported: 2
Cist Bridge Priority (hex): 4000
Stp Version: Mstp Mode
Cist Bridge Max Age: 20 seconds
Cist Bridge Forward Delay: 15 seconds
Tx Hold Count: 3
Path Cost Default Type: 32-bit
Max Hop Count: 2000

VLAN members
------ ------ ------ ------ ------ ------ ------ ------ ------ ------
1

Msti Config Id Selector: 0
Msti Region Name: AcmeNetworks
Msti Region Version: 1
Msti Config Digest: 6D:A4:B5:0C:4F:D5:87:75:7E:EF:03:56:75:36:05:E1

5520-48T-PWR#show spanning-tree mstp msti config 1
Msti Bridge Regional Root:  40:00:54:E0:xx:xx:D4:41
Msti Bridge Priority (hex): F000
Msti Root Cost:             10000
Msti Root Port:             MLT 32
Msti State:                 Enabled

VLAN members
------ ------ ------ ------ ------ ------ ------ ------ ------ ------
100

5520-48T-PWR#show spanning-tree mstp msti config 2
Msti Bridge Regional Root:  40:00:00:64:xx:xx:4D:80
Msti Bridge Priority (hex): F000
Msti Root Cost:             10000
Msti Root Port:             MLT 31
Msti State:                 Enabled

VLAN members
------ ------ ------ ------ ------ ------ ------ ------ ------ ------
200

5520-48T-PWR#show spanning-tree mstp msti port role 1
Port Role State STP Status Oper Status
---- ---------- ---------- ---------- -----------
13 Root Forwarding Enabled Enabled
14 Root Forwarding Enabled Enabled
25 Alternate Discarding  Enabled Enabled
26 Alternate Discarding  Enabled Enabled

5520-48T-PWR#show spanning-tree mstp msti port role 2
Port Role State STP Status Oper Status
---- ---------- ---------- ---------- -----------
13 Alternate Discarding  Enabled Enabled
14 Alternate Discarding  Enabled Enabled
25 Root Forwarding Enabled Enabled
26 Root Forwarding Enabled Enabled

We can see from the output above that ports 13,14 are Alternate Discarding for MSTI 1 while ports 25,26 are Alternate Discarding for MSTI 2.

In the output we can see which port is the root bridge port for each switch. We can also see the MSTP config digest, which should match on every switch in the topology. In order for the configuration to be valid, the MST region name, version and config selector need to match, along with the correct VLAN IDs matched to the correct MST instance.
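
As an added example (not from the original post), the sketch below computes the MST configuration digest the way IEEE 802.1Q defines it, HMAC-MD5 with a fixed key over a 4096-entry VLAN-to-instance table, and flags switches whose region name, revision or digest differ from a reference switch. The host labels and the two "drift" entries are constructed; the three matching entries reuse the region name, revision and VLAN mapping configured above.

```python
import hashlib
import hmac

# Fixed signature key defined by IEEE 802.1Q for the MST Configuration Digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mst_config_digest(vlan_to_msti):
    """Return the 16-byte MST configuration digest as upper-case hex.

    The table holds 4096 two-byte big-endian MSTI numbers indexed by VLAN ID;
    entries 0 and 4095 stay zero, and unmapped VLANs belong to instance 0 (CIST).
    """
    table = bytearray(2 * 4096)
    for vid, msti in vlan_to_msti.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN ID out of range: {vid}")
        table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest().upper()


def region_identity(cfg):
    """The three values that must be identical for bridges to share a region."""
    return {
        "name": cfg["name"],          # compared byte for byte, so case matters
        "revision": cfg["revision"],
        "digest": mst_config_digest(cfg["vlans"]),
    }


def find_region_mismatches(switches, reference):
    """Map each switch that differs from the reference to the fields that differ."""
    ref = region_identity(switches[reference])
    report = {}
    for host, cfg in switches.items():
        ident = region_identity(cfg)
        diffs = [key for key in ref if ident[key] != ref[key]]
        if diffs:
            report[host] = diffs
    return report


# Host labels are hypothetical; the last two entries are constructed mistakes.
PAGE_CFG = {"name": "AcmeNetworks", "revision": 1, "vlans": {100: 1, 200: 2}}
SWITCHES = {
    "avaya-5520": PAGE_CFG,
    "juniper-ex2200": PAGE_CFG,
    "cisco-3750e": PAGE_CFG,
    # VLAN 200 never added to MSTI 2, so it silently stays in the CIST.
    "drift-missing-vlan": {"name": "AcmeNetworks", "revision": 1, "vlans": {100: 1}},
    # Same mapping, but the region name was typed in lower case.
    "drift-name-case": {"name": "acmenetworks", "revision": 1, "vlans": {100: 1, 200: 2}},
}

if __name__ == "__main__":
    print("reference digest:", mst_config_digest(PAGE_CFG["vlans"]))
    for host, fields in find_region_mismatches(SWITCHES, "avaya-5520").items():
        print(f"{host}: differs in {', '.join(fields)}")
```

A switch that differs in any of the three fields treats its neighbours as a separate MST region, so the per-instance root placement configured above would not apply across that boundary.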

Cheers!
Image Credit: New York City Brooklyn Bridge by Diogo Ferrari

Avaya’s MultiLink Trunk and Spanning Tree Protocol
https://blog.michaelfmcnamara.com/2011/06/avayas-multilink-trunk-and-spanning-tree-protocol/
Tue, 21 Jun 2011 21:02:14 +0000

There was a question recently on the discussion forums regarding the ability to run Spanning Tree Protocol (STP/RSTP/MSTP) over a MultiLink Trunk (MLT). You can most certainly run STP/RSTP/MSTP over an MLT interface. You can NOT run STP/RSTP/MSTP over an SMLT interface.

I thought I would run through a few quick commands to demonstrate how to enable Spanning Tree over an MLT interface. In the spirit of making things interesting I’ll utilize Multiple Spanning Tree Protocol (MSTP) rather than the default legacy Spanning Tree Protocol (STP) or the optional Rapid Spanning Tree Protocol (RSTP). I won’t try to explain Spanning Tree as there are plenty of resources available on the Internet.

For this example I have an Avaya Ethernet Routing Switch 5520 and an Avaya Ethernet Switch 460 (formerly Nortel BayStack 460). I’ll set up 2 MLT links between the two switches utilizing 4 ports in total. I’ll utilize VLANs 1, 100, 200 and Multiple Spanning Tree Instances (MSTI) 1 and 2 with CIST 0.

Ethernet Routing Switch 5520

By default only legacy STP is enabled so we need to enable MSTP and reload the switch;

config t
spanning-tree mode mst
copy config nvram
boot -y

Once the switch has restarted we can continue the configuration. Let’s make all 4 ports 802.1q tagged ports;

config t
vlan ports 11,12,17,18 tagging tagAll

Now we’ll create the MultiLink Trunk interfaces and add the port members. You might notice in the code below the command “mlt # bpdu all-ports”. By default Avaya/Nortel switches only send BPDU frames on a single port in an MLT. This is completely opposite of the behavior from Cisco and other network manufacturers, so as a best practice I enable this option. If we were connecting Avaya switches and didn’t enable this feature, we would need to ensure that the lowest-numbered ifIndex on one switch connected to the lowest-numbered ifIndex on the other switch. This is important because Nortel/Avaya switches only send BPDU frames on the lower ifIndex port in an MLT. For example, if we had ports 3 and 7 on switch A and ports 10 and 14 on switch B, we would need to connect 3(A) to 10(B) and 7(A) to 14(B) to ensure that the BPDU frames would be exchanged on matching ports between the switches.

mlt 1 name "Primary Group"
mlt 1 member 11,12
mlt 1 learning enable
mlt 1 bpdu all-ports
mlt 1 enable
mlt 2 name "Secondary Group"
mlt 2 member 17,18
mlt 2 learning enable
mlt 2 bpdu all-ports
mlt 2 enable

Now we’ll create the MSTI instances 1,2 along with VLANs 100,200 respectively. The priority values are entered in hex (8000 is 32768 in decimal);

spanning-tree mstp msti 1
spanning-tree mstp msti 1 enable
spanning-tree mstp msti 2
spanning-tree mstp msti 2 enable
spanning-tree mstp region region-name acme region-version 1
spanning-tree mstp priority 8000
spanning-tree mstp msti 1 priority 8000
spanning-tree mstp msti 2 priority 8000
vlan create 100 type port msti 1
vlan create 200 type port msti 2
vlan members add 100 11,12
vlan members add 200 17,18

As a best practice we’ll enable edge-port (FastStart) and BPDU filtering on the remaining ports;

inter fa 1-10,13-16,19-48
spanning-tree mstp edge-port true
spanning-tree bpdu-filtering enable

Ethernet Switch 460

By default only legacy STP is enabled so we need to enable MSTP and reload the switch;

config t
spanning-tree op-mode mstp
copy config nvram
boot -y

Once the switch has restarted we can continue the configuration. Let’s make all 4 ports 802.1q tagged ports;

config t
vlan ports 11,12,17,18 tagging tagAll

Now we’ll create the MultiLink Trunk interfaces and add the port members. Just as we did with the ERS 5520 we’ll enable “mlt # bpdu all-ports”.

mlt 1 name "Primary Trunk Group"
mlt 1 member 11,12
mlt 1 learning enable
mlt 1 bpdu all-ports
mlt 1 enable
mlt 2 name "Secondary Trunk Group"
mlt 2 member 17,18
mlt 2 learning enable
mlt 2 bpdu all-ports
mlt 2 enable

Now we’ll create the MSTI instances 1,2 along with VLANs 100,200 respectively. The priority values are entered in hex (f000 is 61440 in decimal);

spanning-tree mstp msti 1
spanning-tree mstp msti 1 enable
spanning-tree mstp msti 2
spanning-tree mstp msti 2 enable
spanning-tree mstp region region-name acme region-version 1
spanning-tree mstp priority f000
spanning-tree mstp msti 1 priority f000
spanning-tree mstp msti 2 priority f000
vlan create 100 type port msti 1
vlan create 200 type port msti 2
vlan members add 100 11,12
vlan members add 200 17,18

As a best practice we’ll enable edge-port (FastStart) and BPDU filtering on the remaining ports;

inter fa 1-10,13-16,19-24
spanning-tree mstp edge-port true
spanning-tree bpdu-filtering enable

Results

Let’s have a look at some of the show commands to see how things are running;

5520-48T-PWR#show autotopology nmm-table
LSlot                                                                     RSlot
LPort IP Addr          Seg ID  MAC Addr     Chassis Type     BT LS   CS   RPort
----- --------------- -------- ------------ ---------------- -- --- ----  -----
0/ 0 192.168.1.24    0x000000 001F0ACEBC01 5520-48T-PWR     12 Yes HTBT    NA
1/11 192.168.1.23    0x00010b 000FCDF59601 460-24T-PWR      12 Yes HTBT   1/11
1/12 192.168.1.23    0x00010c 000FCDF59601 460-24T-PWR      12 Yes HTBT   1/12

460-24T-PWR#show autotopology nmm-table
LSlot                                                                     RSlot
LPort IP Addr          Seg ID  MAC Addr     Chassis Type     BT LS   CS   RPort
----- --------------- -------- ------------ ---------------- -- --- ----  -----
0/ 0 192.168.1.23    0x000000 000FCDF59601 460-24T-PWR      12 Yes HTBT    NA
1/11 192.168.1.24    0x00010b 001F0ACEBC01 5520-48T-PWR     12 Yes HTBT   1/11
1/12 192.168.1.24    0x00010c 001F0ACEBC01 5520-48T-PWR     12 Yes HTBT   1/12

We can see that the SONMP table is exchanging packets across MLT 1 (11,12). That would lead me to guess that ports 17,18 are in discarding (blocking) mode. Let’s see if that’s the case;

5520-48T-PWR#show spanning-tree mstp port role 11,12,17,18
Port     Role       State     STP Status  Oper Status
----  ----------  ----------  ----------  -----------
11    Designated  Forwarding  Enabled     Enabled
12    Designated  Forwarding  Enabled     Enabled
17    Designated  Forwarding  Enabled     Enabled
18    Designated  Forwarding  Enabled     Enabled

460-24T-PWR#show spanning-tree mstp port role 11,12,17,18
Port     Role       State     STP Status  Oper Status
----  ----------  ----------  ----------  -----------
11    Root        Forwarding  Enabled     Enabled
12    Root        Forwarding  Enabled     Enabled
17    Alternate   Discarding  Enabled     Enabled
18    Alternate   Discarding  Enabled     Enabled

From the output above we can determine that the Ethernet Routing Switch 5520 is the root bridge and that MLT 2 (17,18) is an alternate path that’s currently discarding traffic on the Ethernet Switch 460. Let’s confirm which switch is the root bridge;

5520-48T-PWR#show spanning-tree mstp status
Bridge Address:          00:1F:0A:CE:BC:00
Cist Root:               80:00:00:1F:0A:CE:BC:00
Cist Regional Root:      80:00:00:1F:0A:CE:BC:00
Cist Root Port:          0
Cist Root Cost:          0
Cist Regional Root Cost: 0
Cist Max Age:            20 seconds
Cist Forward Delay:      15 seconds

460-24T-PWR#show spanning-tree mstp status
Bridge Address:          00:0F:CD:F5:96:00
Cist Root:               80:00:00:1F:0A:CE:BC:00
Cist Regional Root:      80:00:00:1F:0A:CE:BC:00
Cist Root Port:          MLT 1
Cist Root Cost:          0
Cist Regional Root Cost: 100000
Cist Max Age:            20 seconds
Cist Forward Delay:      15 seconds

The root bridge is definitely the ERS 5520 as it should be since we set the bridge priority in our configuration above.

Hopefully you’ll agree that was pretty easy. You could of course set path costs/priorities so that you can administratively choose which path is the designated and alternate and for which MST instance. In a future post I will demonstrate how you can connect a Cisco Catalyst 3750-E to an Avaya switch while supporting MSTP.

Cheers!
References;

Avaya Ethernet Routing Switch RSTP/MSTP Technical Configuration Guide
