Spanning Tree Protocol

The FortiSwitch unit supports the following:

• Spanning Tree Protocol, a link-management protocol that ensures a loop-free layer-2 network topology
• Multiple Spanning Tree Protocol (MSTP), which is defined in the IEEE 802.1Q standard
• Per-VLAN Rapid Spanning Tree Protocol (also known as Rapid PVST or RPVST); RSTP is defined in the IEEE 802.1w standard

This chapter covers the following topics:

• MSTP overview and terminology
• MSTP configuration
• Interactions outside of the MSTP region
• Viewing the MSTP configuration
• Support for interoperation with per-VLAN RSTP (rapid PVST+ or RPVST+)

MSTP overview and terminology

MSTP supports multiple spanning tree instances, where each instance carries traffic for one or more VLANs (the mapping of VLANs to instances is configurable).

MSTP is backward-compatible with STP and Rapid Spanning Tree Protocol (RSTP). A layer-2 network can contain switches that are running MSTP, STP, or RSTP.

MSTP is built on RSTP, so it provides fast recovery from network faults and fast convergence times.

Regions

A region is a set of interconnected switches that have the same multiple spanning tree (MST) configuration (region name, MST revision number, and VLAN-to-instance mapping). A network can have any number of regions. Regions are independent of each other because the VLAN-to-instance mapping is different in each region.

The FortiSwitch unit supports 15 MST instances in a region. Multiple VLANs can be mapped to each MST instance. Each switch in the region must have the identical mapping of VLANs to instances.

The MST region acts like a single bridge to adjacent MST regions and to non-MST STPs.

IST

Instance 0 is a special instance, called the internal spanning-tree instance (IST). IST is a spanning tree that connects all of the MST switches in a region. All VLANs are assigned to the IST.

IST is the only instance that exchanges bridge protocol data units (BPDUs). The MSTP BPDU contains information for each MSTP instance (captured in an M-record). The M-records are added to the end of a regular RSTP BPDU. This allows MSTP region to inter-operate with an RSTP switch.

CST

The common spanning tree (CST) interconnects the MST regions and all instances of STP or RSTP that are running in the network.

Hop count and message age

MST does not use the BPDU message age within a region. The message-age and maximum-age fields in the BPDU are propagated unchanged within the region.

Within the region, a hop-count mechanism is used to age out the BPDU. The IST root sends out BPDUs with the hop count set to the maximum number of hops. The hop count is decremented each time the BPDU is forwarded. If the hop count reaches zero, the switch discards the BPDU and ages out the information on the receiving port.

STP port roles

STP assigns a port role to each switch port. The role is based on configuration, topology, relative position of the port in the topology, and other considerations. Based on the port role, the port either sends or receives STP BPDUs and forwards or blocks the data traffic. Here is a brief summary of each STP port role:

• Designated—One designated port is elected per link (segment). The designated port is the port closest to the root bridge. This port sends BPDUs on the link (segment) and forwards traffic towards the root bridge. In an STP converged network, each designated port is in the STP forwarding state.
• Root—The bridge can have only one root port. The root port is the port that leads to the root bridge. In an STP converged network, the root port is in the STP forwarding state.
• Alternate—Alternate ports lead to the root bridge but are not root ports. The alternate ports maintain the STP blocking state.
• Backup—This is a special case when two or more ports of the same switch are connected together (either directly or through shared media). In this case, one port is designated, and the remaining ports are backup (in the STP blocking state).

STP loop protection

The STP loop-protection feature provides additional protection against layer-2 forwarding loops (STP loops). An STP loop is created when an STP blocking port in a redundant topology erroneously transitions to the forwarding state.

A port remains in blocking state only if it continues to receive BPDU messages. If it stops receiving BPDUs (for example, due to unidirectional link failure), the blocking port (alternate or backup port) becomes designated and transitions to a forwarding state. In a redundant topology, this situation may create a loop.

If the loop-protection feature is enabled on a port, that port is forced to remain in blocking state, even if the port stops receiving BPDU messages. It will not transition to forwarding state and does not forward any user traffic.

The loop-protection feature is enabled on a per-port basis. Fortinet recommends that you enable loop protection on all nondesignated ports (all root, alternate, and backup ports).

STP root guard

Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce the specified network topology.

STP BPDU guard

Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard is enabled on STP edge ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not forwarded, and the network edge is enforced.

MSTP configuration

MSTP configuration consists of the following steps:

1. Configure STP settings that are common to all MST instances.
2. Configure settings that are specific to each MST instance.
3. Configure loop-protection on all nondesignated ports.

Configuring STP settings

Some STP settings (region name and MST revision number) are common to all MST instances. Also, protocol timers are common to all instances because only the IST sends out BPDUs.

Using the GUI:

1. Go to Switch > STP > Settings.
   
   
   
2. Update the settings as described in the following table.
3. Select Update to save the settings.

Settings	Guidelines
Disabled	Disables MSTP for this switch.
Flood BPDU Packets	Select this checkbox if you want the STP packets arriving at any port to pass through the switch without being processed. If you do not select this checkbox, STP packets arriving at any port are blocked. This option is only available when MSTP is disabled.
Enabled	Enables MSTP for this switch.
Name	Region name. All switches in the MST region must have the identical name.
Revision	The MSTP revision number. All switches in the region must have the same revision number. The range of values is 0 to 65535. The default value is 0.
Hello Time (Seconds)	Hello time is how often (in seconds) that the switch sends out a BPDU. The range of values is 1 to 10. The default value is 2.
Forward Time (Seconds)	Forward time is how long (in seconds) a port will spend in the listening-and-learning state before transitioning to forwarding state. The range of values is 4 to 30. The default value is 15.
Max Age (Seconds)	The maximum age before the switch considers the received BPDU information on a port to be expired. Max-age is used when interworking with switches outside the region. The range of values is 6 to 40. The default value is 20.
Max Hops	Maximum hops is used inside the MST region. Hop count is decremented each time the BPDU is forwarded. If max-hops reaches zero, the switch discards the BPDU and ages out the information on the receiving port. The range of values is 1 to 40. The default value is 20.

Using the CLI:

config switch stp settings

set flood {enable | disable}

set forward-time <fseconds_int>

set hello-time <hseconds_int>

set max-age <age>

set max-hops <hops_int>

set mclag-stp-bpdu {both | single}

set name <name_str>

set revision <rev_int>

set status {enable | disable}

end

Configuring an MST instance

The STP topology is unique for each MST instance in the region. You can configure a different bridge priority and port parameters for each instance.

Using the GUI:

1. Go to Switch > STP > Instances.
   
   
   
2. Select Add Instance to create a new MST instance or select an existing instance and then select Edit.
3. Update the instance parameters as described in the following table.
4. Select Add or Update to save the settings.

Settings	Guidelines
ID	Instance identifier. The range is 0-32 for 5xx models and higher. For all other models, the range is 0 - 15.
Priority	Priority is a component of bridge ID. The switch with the lowest bridge ID becomes the root switch for this MST instance. Allowed values: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440. The default value is 32768.
VLAN Range	The VLANs that map to this MST instance. You can specify individual VLAN numbers or a range of numbers. NOTE: Do not assign any VLAN to more than one MST instance. Each VLAN number is in the range 1-4094.
Port Configuration
Name	Port that will participate in this MST instance.
Cost	The switch uses port cost to select designated ports. Port cost is added to the received BPDU root cost in any BPDU sent on this port. A lower value is preferred. The range of values is 1 to 200,000,000. The default value depends on the interface speed: - 10 Gigabit Ethernet: 2,000 - Gigabit Ethernet: 20,000 - Fast Ethernet: 200,000 - Ethernet: 2,000,000
Priority	The switch uses port priority to choose among ports of the same cost. The port with the lowest priority is put into forwarding state. The valid values are: 0, 32, 64, 96, 128, 160, 192, and 224. The default value is 128.

Using the CLI:

config switch stp instance

edit <instance number>

set priority <>

config stp-port

edit <port name>

set cost <>

set priority <>

next

set vlan-range <vlan range>

end

Example:

config switch stp instance

edit "1"

set priority 8192

config stp-port

edit "port18"

set cost 0

set priority 128

next

edit "port19"

set cost 0

set priority 128

next

end

set vlan-range 5 7 11-20

end

Configuring an STP edge port

You can use the edge-port setting when a device connected to a FortiSwitch port is not an STP bridge. When this setting is enabled, the FortiSwitch port immediately moves to a forwarding state rather than passing through listening and learning states.

By default, STP (and edge port) is enabled on all ports.

Using the GUI:

1. Go to Switch > Interface > Physical.
2. On the Physical Port Interfaces page, select a port and then select Edit.
3. Under Edge Port, select Enable.
4. Select OK to save the settings.

Using the CLI:

config switch interface

edit <port_name>

set edge-port <enabled | disabled>

next

end

Configuring STP loop protection

By default, STP loop protection is disabled on all ports.

Using the GUI:

1. Go to Switch > Interface > Physical.
2. On the Physical Port Interfaces page, select a port and then select Edit.
3. Under Loop Guard, select Enable.
4. Select OK to save the settings.

Using the CLI:

config switch interface

edit <port_name>

set stp-loop-protection <enabled | disabled>

next

end

Configuring STP root guard

Enable root guard on all ports that should not be root bridges. Do not enable root guard on the root port. You must have STP enabled to be able to use root guard.

Using the CLI:

config switch interface

edit <port_name>

set stp-root-guard <enable | disable>

next

end

For example, to enable root guard on port 20:

config switch interface

edit port20

set stp-state enabled

set stp-root-guard enable

next

end

Configuring STP BPDU guard

There are three prerequisites for using BPDU guard:

• You must define the port as an edge port with the set edge-port enabled command.
• You must enable STP on the switch interface with the set stp-state enabled command.
• You must enable STP on the global level with the set status enable command.

You can set how long the port will go down for when a BPDU is received for a maximum of 120 minutes. The default port timeout is 5 minutes. If you set the timeout value to 0, the port will not go down when a BPDU is received, but you will have manually reset the port.

Using the GUI:

1. Go to Switch > Interface > Physical.
2. On the Physical Port Interfaces page, select a port and then select Edit.
3. Under Edge Port, select Enable and BPDU Guard.
4. In the Timeout (Minutes) field, enter how many minutes the port will go down for when a BPDU is received.
5. Select OK to save the settings.

To check if BPDU guard has been triggered and on which ports, go to Switch > Monitor > BPDU Guard.

Using the CLI:

config switch interface

edit <port_name>

set stp-bpdu-guard <enabled | disabled>

set stp-bpdu-guard-timeout <0-120>

next

end

For example, to enable BPDU guard on port 30 with a timeout value of 1 hour:

config switch stp settings

set status enable

end

config switch interface

edit port30

set stp-state enabled

set edge-port enabled

set stp-bpdu-guard enabled

set stp-bpdu-guard-timeout 60

next

end

If you set the port timeout to 0, you will need to reset the port after it receives BPDUs and goes down. Use the following command to reset the port:

execute bpdu-guard reset <port_name>

To check if BPDU guard has been triggered and on which ports, use the following command:

diagnose bpdu-guard display status

Portname State Status Timeout(m) Count Last-Event

_________________ _______ _________ ___________ _____ __________________

port1 disabled - - - -

port2 disabled - - - -

port3 disabled - - - -

port4 disabled - - - -

port5 disabled - - - -

port6 disabled - - - -

port7 disabled - - - -

port8 disabled - - - -

port9 disabled - - - -

port10 disabled - - - -

port11 disabled - - - -

port12 disabled - - - -

port13 disabled - - - -

port14 disabled - - - -

port15 disabled - - - -

port16 disabled - - - -

port17 disabled - - - -

port18 disabled - - - -

port19 disabled - - - -

port20 disabled - - - -

port21 disabled - - - -

port22 disabled - - - -

port23 disabled - - - -

port25 disabled - - - -

port26 disabled - - - -

port27 disabled - - - -

port28 disabled - - - -

port29 disabled - - - -

port30 enabled - 60 0 -

__FoRtI1LiNk0__ disabled - - - -

You can also check BPDU guard by going to the Monitor > BPDU Guard page.

Interactions outside of the MSTP region

A boundary port on an MST switch is a port that receives an STP (version 0) BPDU, an RSTP (version 2) BPDU, or a BPDU from a different MST region.

If the port receives a version 0 BPDU, it will only send version 0 BPDUs on that port. Otherwise, it will send version 3 (MST) BPDUs because the RSTP switch will read this as an RSTP BPDU.

Viewing the MSTP configuration

To view the MSTP configuration details, use the following commands:

get switch stp instance

get switch stp settings

Use the following commands to display information about the MSTP instances in the network:

diagnose stp instance list

diagnose stp vlan list

diagnose stp mst-config list

Support for interoperation with per-VLAN RSTP (rapid PVST+ or RPVST+)

Starting in FortiSwitchOS 6.2.2, FortiSwitch units can now interoperate with a network that is running RPVST+. The existing networkʼs configuration can be maintained while adding FortiSwitch units as an extended region.

When an MSTP domain is connected with an RPVST+ domain, FortiSwitch interoperation with the RPVST+ domain works in two ways:

• If the root bridge for the CIST is within an MSTP region, the boundary FortiSwitch unit of the MSTP region duplicates instance 0 information, creates one BPDU for every VLAN, and sends the BPDUs to the RPVST+ domain.
  
  In this case, follow this rule: If the root bridge for the CIST is within an MSTP region, VLANs other than VLAN 1 defined in the RPVST+ domains must have their bridge priorities worse (numerically greater) than that of the CIST root bridge within MSTP region.
  
  

• If the root bridge for the CIST is within an RPVST+ domain, the boundary FortiSwitch unit processes only the VLAN 1 information received from the RPVST+ domain. The other BPDUs (VLANs 2 and above) sent from the connected RPVST+ domain are used only for consistency checks.
  
  In this case, follow this rule: If the root bridge for the CIST is within the RPVST+ domain, the root bridge priority of VLANs other than VLAN 1 within that domain must be better (numerically less) than that of VLAN 1.

Configuring rapid PVST or RPVST+ interoperation support

Using the CLI:

Enable the RPVST+ interoperation support on the appropriate switch port or trunk.

config switch interface

edit <interface_name>

set allowed-vlans <one or more VLANs> // The VLANs must be configured for RSTP.

set rpvst-port enabled

next

end

For example, to enable RPVST+ interoperation support on port 9:

config switch interface

edit "port9"

set allowed-vlans 10,20

set rpvst-port enabled

next

end

For example, to enable RPVST+ interoperation support on trunk 1:

config switch interface

edit "trunk1"

set allowed-vlans 10,20

set rpvst-port enabled

next

end

Note: A maximum of 16 VLANs is supported; the maximum number of VLANs includes native VLANs. You must configure the same VLANs as those used in the RPVST+ domain.

Viewing the configuration

Use one of the following commands to check your configuration and to diagnose any problems.

• diagnose stp instance list
  
  If either rule is violated, the RPVST port is flagged with “IC” in the command output, and the port is in the Discard state.
  
  If the VLANs used by the RPVST+ domain are not all within the VLAN range configured on the RPVST port, an “MV” flag is displayed in the command output. NOTE: Only the ports in instance 0 show this flag.
  
  

• diagnose stp rapid-pvst-port list
  
  This command shows the status of one port or all ports. If any of the ports is in the “IC” state, the command output gives the reason: VLAN priority inconsistent, VLAN configuration mismatch, or both.
  
  
• diagnose stp rapid-pvst-port clear
  
  This command clears all flags and timers on the RPVST+ port.