Fortinet Document Library


Administration Guide

MSTP configuration

MSTP configuration consists of the following steps:

  1. Configure STP settings that are common to all MST instances.
  2. Configure settings that are specific to each MST instance.
  3. Configure loop-protection on all nondesignated ports.

Configuring STP settings

Some STP settings (region name and MST revision number) are common to all MST instances. Also, protocol timers are common to all instances because only the IST sends out BPDUs.

Using the GUI:
  1. Go to Switch > STP > Settings.


  2. Update the settings as described in the following table.
  3. Select Update to save the settings.

Settings

Guidelines

Disabled

Disables MSTP for this switch.

Flood BPDU Packets

Select this checkbox if you want the STP packets arriving at any port to pass through the switch without being processed. If you do not select this checkbox, STP packets arriving at any port are blocked.

This option is only available when MSTP is disabled.

Enabled

Enables MSTP for this switch.

Name

Region name. All switches in the MST region must have the identical name.

Revision

The MSTP revision number. All switches in the region must have the same revision number.

The range of values is 0 to 65535.

The default value is 0.

Hello Time (Seconds)

Hello time is how often (in seconds) that the switch sends out a BPDU.

The range of values is 1 to 10.

The default value is 2.

Forward Time (Seconds)

Forward time is how long (in seconds) a port will spend in the listening-and-learning state before transitioning to forwarding state.

The range of values is 4 to 30.

The default value is 15.

Max Age (Seconds)

The maximum age before the switch considers the received BPDU information on a port to be expired. Max-age is used when interworking with switches outside the region.

The range of values is 6 to 40.

The default value is 20.

Max Hops

Maximum hops is used inside the MST region. Hop count is decremented each time the BPDU is forwarded. If max-hops reaches zero, the switch discards the BPDU and ages out the information on the receiving port.

The range of values is 1 to 40.

The default value is 20.

Using the CLI:

config switch stp settings

set flood {enable | disable}

set forward-time <fseconds_int>

set hello-time <hseconds_int>

set max-age <age>

set max-hops <hops_int>

set mclag-stp-bpdu {both | single}

set name <name_str>

set revision <rev_int>

set status {enable | disable}

end
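As an added example (not Fortinet code), the following Python script checks a set of global STP values against the ranges in the table above and renders the `config switch stp settings` block. It also flags fleet members whose region name or revision differ from the others, since such a switch forms a separate MST region (the VLAN-to-instance mapping must match as well, which this check does not cover). The IEEE 802.1D timer relationship it enforces, 2*(forward-1) >= max-age >= 2*(hello+1), is not stated on this page and is the example's own assumption, as are the class and function names.

```python
"""Validate and render FortiSwitch global STP settings.

Added example, not Fortinet code. The numeric ranges and the
"flood only when MSTP is disabled" rule come from the settings table on
this page. The timer relationship check is the IEEE 802.1D rule
    2*(forward_time - 1) >= max_age >= 2*(hello_time + 1)
which this page does not state, so treat it as this example's assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class StpSettings:
    name: str                 # MST region name; identical on every switch in the region
    revision: int = 0
    hello_time: int = 2
    forward_time: int = 15
    max_age: int = 20
    max_hops: int = 20
    status: bool = True       # True = MSTP enabled (set status enable)
    flood: bool = False       # only meaningful when status is False


# Ranges from the settings table on this page.
RANGES = {
    "revision": (0, 65535),
    "hello_time": (1, 10),
    "forward_time": (4, 30),
    "max_age": (6, 40),
    "max_hops": (1, 40),
}


def validate(s: StpSettings) -> list:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    if not s.name:
        problems.append("region name must not be empty")
    for field, (lo, hi) in RANGES.items():
        value = getattr(s, field)
        if not lo <= value <= hi:
            problems.append(f"{field}={value} is outside {lo}..{hi}")
    # IEEE 802.1D timer relationship (assumption, not stated on this page).
    if s.max_age < 2 * (s.hello_time + 1):
        problems.append(f"max_age={s.max_age} < 2*(hello_time+1)={2 * (s.hello_time + 1)}")
    if 2 * (s.forward_time - 1) < s.max_age:
        problems.append(f"2*(forward_time-1)={2 * (s.forward_time - 1)} < max_age={s.max_age}")
    # From the page: Flood BPDU Packets is only available when MSTP is disabled.
    if s.status and s.flood:
        problems.append("flood is only available when MSTP is disabled")
    return problems


def render(s: StpSettings) -> str:
    """Emit the `config switch stp settings` block using the page's CLI syntax."""
    problems = validate(s)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["config switch stp settings"]
    if not s.status:
        lines.append(f"    set flood {'enable' if s.flood else 'disable'}")
    lines += [
        f"    set forward-time {s.forward_time}",
        f"    set hello-time {s.hello_time}",
        f"    set max-age {s.max_age}",
        f"    set max-hops {s.max_hops}",
        f'    set name "{s.name}"',
        f"    set revision {s.revision}",
        f"    set status {'enable' if s.status else 'disable'}",
        "end",
    ]
    return "\n".join(lines)


def region_mismatches(fleet: dict) -> list:
    """Given {switch_hostname: StpSettings}, list switches whose region name or
    revision differs from the first switch; those would form a separate MST region."""
    hosts = list(fleet)
    if not hosts:
        return []
    ref = fleet[hosts[0]]
    return [h for h in hosts[1:]
            if (fleet[h].name, fleet[h].revision) != (ref.name, ref.revision)]


if __name__ == "__main__":
    core = StpSettings(name="campus", revision=3)
    print(render(core))
    # Constructed fleet: the third switch differs only in the case of the region name.
    fleet = {"sw-core": core,
             "sw-edge1": StpSettings(name="campus", revision=3),
             "sw-edge2": StpSettings(name="Campus", revision=3)}
    print("region mismatches:", region_mismatches(fleet))
```

Run the script as-is to see the rendered block and the mismatch report; a hello time of 10 with the default max age of 20 is within the table's ranges but fails the 802.1D relationship, which is the kind of error the per-field ranges alone do not catch.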

Configuring an MST instance

The STP topology is unique for each MST instance in the region. You can configure a different bridge priority and port parameters for each instance.

Using the GUI:
  1. Go to Switch > STP > Instances.


  2. Select Add Instance to create a new MST instance or select an existing instance and then select Edit.
  3. Update the instance parameters as described in the following table.
  4. Select Add or Update to save the settings.

 

Settings

Guidelines

ID

Instance identifier. The range is 0 to 32 for 5xx models and higher; for all other models, the range is 0 to 15.

Priority

Priority is a component of bridge ID. The switch with the lowest bridge ID becomes the root switch for this MST instance.

Allowed values: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440.

The default value is 32768.

VLAN Range

The VLANs that map to this MST instance. You can specify individual VLAN numbers or a range of numbers.

NOTE: Do not assign any VLAN to more than one MST instance.

Each VLAN number is in the range 1-4094.

Port Configuration

Name

Port that will participate in this MST instance.

Cost

The switch uses port cost to select designated ports. Port cost is added to the received BPDU root cost in any BPDU sent on this port.

A lower value is preferred. The range of values is 1 to 200,000,000.

The default value depends on the interface speed:

- 10 Gigabit Ethernet: 2,000

- Gigabit Ethernet: 20,000

- Fast Ethernet: 200,000

- Ethernet: 2,000,000

Priority

The switch uses port priority to choose among ports of the same cost. The port with the lowest priority is put into forwarding state. The valid values are: 0, 32, 64, 96, 128, 160, 192, and 224.

The default value is 128.

 

Using the CLI:

config switch stp instance

edit <instance_id>

set priority <bridge_priority>

config stp-port

edit <port_name>

set cost <cost_int>

set priority <port_priority>

next

end

set vlan-range <vlan_range>

end

 

Example:

config switch stp instance

edit "1"

set priority 8192

config stp-port

edit "port18"

set cost 0

set priority 128

next

edit "port19"

set cost 0

set priority 128

next

end

set vlan-range 5 7 11-20

end
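The example above maps VLANs 5, 7 and 11 through 20 to instance 1. As an added example (not Fortinet code), the following Python script turns a plan of several instances into that CLI block and enforces the rules from the table: instance ID within the model's range, bridge priority a multiple of 4096 up to 61440, port priority a multiple of 32 up to 224, cost within 1 to 200,000,000, and no VLAN in more than one instance. The plan layout, the `model_5xx_or_higher` flag and the function names are the example's own.

```python
"""Build and sanity-check FortiSwitch MST instance configuration.

Added example, not Fortinet code. The instance-ID limits, allowed
priority values, cost range and vlan-range syntax follow the instance
table on this page; the plan dictionary layout and function names are
this example's own.
"""
import re

BRIDGE_PRIORITIES = set(range(0, 61441, 4096))   # 0, 4096, ..., 61440
PORT_PRIORITIES = set(range(0, 225, 32))         # 0, 32, ..., 224
COST_RANGE = (1, 200_000_000)


def parse_vlan_range(spec: str) -> set:
    """Parse the page's vlan-range syntax, e.g. '5 7 11-20', into a set of VLAN IDs."""
    vlans = set()
    for token in spec.split():
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", token)
        if not m:
            raise ValueError(f"bad vlan-range token {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"vlan-range token {token!r} is outside 1-4094")
        vlans.update(range(lo, hi + 1))
    return vlans


def check_plan(plan: dict, model_5xx_or_higher: bool) -> list:
    """plan = {instance_id: {"priority": int, "vlans": "5 7 11-20",
                             "ports": {"port18": (cost_or_None, port_priority)}}}
    Returns a list of problems; an empty list means the plan is acceptable."""
    max_id = 32 if model_5xx_or_higher else 15
    problems = []
    owner = {}  # vlan -> instance that already claimed it
    for inst_id, inst in plan.items():
        if not 0 <= inst_id <= max_id:
            problems.append(f"instance {inst_id}: id outside 0-{max_id} for this model")
        if inst["priority"] not in BRIDGE_PRIORITIES:
            problems.append(f"instance {inst_id}: priority {inst['priority']} not in 0..61440 step 4096")
        for vlan in sorted(parse_vlan_range(inst["vlans"])):
            if vlan in owner:
                problems.append(f"vlan {vlan} is mapped to both instance {owner[vlan]} and {inst_id}")
            else:
                owner[vlan] = inst_id
        for port, (cost, prio) in inst.get("ports", {}).items():
            if cost is not None and not COST_RANGE[0] <= cost <= COST_RANGE[1]:
                problems.append(f"instance {inst_id} {port}: cost {cost} outside {COST_RANGE[0]}..{COST_RANGE[1]}")
            if prio not in PORT_PRIORITIES:
                problems.append(f"instance {inst_id} {port}: priority {prio} not in 0..224 step 32")
    return problems


def render(plan: dict) -> str:
    """Emit `config switch stp instance` with the nesting the page's example uses."""
    lines = ["config switch stp instance"]
    for inst_id in sorted(plan):
        inst = plan[inst_id]
        lines += [f'    edit "{inst_id}"', f"        set priority {inst['priority']}"]
        ports = inst.get("ports", {})
        if ports:
            lines.append("        config stp-port")
            for port, (cost, prio) in ports.items():
                lines.append(f'            edit "{port}"')
                if cost is not None:          # omit to keep the speed-based default cost
                    lines.append(f"                set cost {cost}")
                lines.append(f"                set priority {prio}")
                lines.append("            next")
            lines.append("        end")
        lines.append(f"        set vlan-range {inst['vlans']}")
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed plan: instance 1 carries user VLANs with this switch preferred as
    # root (8192); instance 2 carries server VLANs at the default priority.
    plan = {
        1: {"priority": 8192, "vlans": "5 7 11-20",
            "ports": {"port18": (None, 128), "port19": (20000, 64)}},
        2: {"priority": 32768, "vlans": "100-110", "ports": {}},
    }
    print("problems:", check_plan(plan, model_5xx_or_higher=True))
    print(render(plan))
```

Running `check_plan` before pushing a change catches the overlap case the table warns about (one VLAN in two instances) at plan time rather than on the switch.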

Configuring an STP edge port

You can use the edge-port setting when a device connected to a FortiSwitch port is not an STP bridge. When this setting is enabled, the FortiSwitch port immediately moves to a forwarding state rather than passing through listening and learning states.

By default, STP (and edge port) is enabled on all ports.

Using the GUI:
  1. Go to Switch > Interface > Physical.
  2. On the Physical Port Interfaces page, select a port and then select Edit.
  3. Under Edge Port, select Enable.
  4. Select OK to save the settings.
Using the CLI:

config switch interface

edit <port_name>

set edge-port <enabled | disabled>

next

end

Configuring STP loop protection

By default, STP loop protection is disabled on all ports.

Using the GUI:
  1. Go to Switch > Interface > Physical.
  2. On the Physical Port Interfaces page, select a port and then select Edit.
  3. Under Loop Guard, select Enable.
  4. Select OK to save the settings.
Using the CLI:

config switch interface

edit <port_name>

set stp-loop-protection <enabled | disabled>

next

end

Configuring STP root guard

Enable root guard on every designated port that faces a switch which must never become the root bridge, so that a superior BPDU arriving on that port cannot move the root elsewhere. Do not enable root guard on the root port (the port that faces the current root bridge). STP must be enabled for root guard to take effect.

Using the CLI:

config switch interface

edit <port_name>

set stp-root-guard <enable | disable>

next

end

 

For example, to enable root guard on port 20:

config switch interface

edit port20

set stp-state enabled

set stp-root-guard enable

next

end

Configuring STP BPDU guard

There are three prerequisites for using BPDU guard:

  • You must define the port as an edge port with the set edge-port enabled command.
  • You must enable STP on the switch interface with the set stp-state enabled command.
  • You must enable STP on the global level with the set status enable command.

You can set how long (in minutes, up to a maximum of 120) the port stays down after a BPDU is received. The default timeout is 5 minutes. If you set the timeout to 0, the port still goes down when a BPDU is received, but it does not come back up automatically; you must reset it manually.

Using the GUI:
  1. Go to Switch > Interface > Physical.
  2. On the Physical Port Interfaces page, select a port and then select Edit.
  3. Under Edge Port, select Enable and BPDU Guard.
  4. In the Timeout (Minutes) field, enter how many minutes the port will go down for when a BPDU is received.
  5. Select OK to save the settings.

 

To check if BPDU guard has been triggered and on which ports, go to Switch > Monitor > BPDU Guard.

Using the CLI:

config switch interface

edit <port_name>

set stp-bpdu-guard <enabled | disabled>

set stp-bpdu-guard-timeout <0-120>

next

end

 

For example, to enable BPDU guard on port 30 with a timeout value of 1 hour:

config switch stp settings

set status enable

end

config switch interface

edit port30

set stp-state enabled

set edge-port enabled

set stp-bpdu-guard enabled

set stp-bpdu-guard-timeout 60

next

end
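The guards on this page are applied per port role, and BPDU guard only works once its three prerequisites are in place. As an added example (not Fortinet code), the following Python script renders the per-port interface block from a role plan: access ports get edge-port plus BPDU guard with a timeout, designated ports toward other switches get root guard, and the nondesignated uplink toward the root gets loop protection and never root guard. It also emits the global `set status enable` that BPDU guard depends on and refuses a plan that puts root guard on the root port. The role names, plan layout and function names are the example's own; the keyword spellings (enable/disable versus enabled/disabled) are reproduced as this page shows them.

```python
"""Render per-port STP guard configuration from a port-role plan.

Added example, not Fortinet code. The CLI keywords mirror the blocks on
this page. The role names "access", "downlink" and "uplink", the plan
layout and the function names are this example's own.
"""

ROLE_SETTINGS = {
    # Hosts only: come up immediately, shut the port if a BPDU ever arrives.
    "access":   {"edge-port": "enabled",  "stp-bpdu-guard": "enabled",
                 "stp-loop-protection": "disabled", "stp-root-guard": "disable"},
    # Designated ports toward other switches that must never become root.
    "downlink": {"edge-port": "disabled", "stp-bpdu-guard": "disabled",
                 "stp-loop-protection": "disabled", "stp-root-guard": "enable"},
    # Nondesignated port toward the root bridge: loop protection, never root guard.
    "uplink":   {"edge-port": "disabled", "stp-bpdu-guard": "disabled",
                 "stp-loop-protection": "enabled",  "stp-root-guard": "disable"},
}


def check_plan(plan: dict, root_port: str) -> list:
    """plan = {port: {"role": "access"|"downlink"|"uplink", "bpdu_timeout": minutes}}.
    Enforces the page's rules: no root guard on the root port, timeout within 0-120."""
    problems = []
    for port, spec in plan.items():
        role = spec["role"]
        if role not in ROLE_SETTINGS:
            problems.append(f"{port}: unknown role {role!r}")
            continue
        if port == root_port and ROLE_SETTINGS[role]["stp-root-guard"] == "enable":
            problems.append(f"{port}: root guard must not be enabled on the root port")
        timeout = spec.get("bpdu_timeout", 5)
        if role == "access" and not 0 <= timeout <= 120:
            problems.append(f"{port}: bpdu guard timeout {timeout} outside 0-120 minutes")
    return problems


def render(plan: dict, root_port: str) -> str:
    """Emit the global enable (BPDU guard prerequisite) and one interface entry per port."""
    problems = check_plan(plan, root_port)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["config switch stp settings",
             "    set status enable",              # prerequisite: STP enabled globally
             "end",
             "config switch interface"]
    for port, spec in plan.items():
        s = ROLE_SETTINGS[spec["role"]]
        lines += [f"    edit {port}",
                  "        set stp-state enabled",  # prerequisite: STP enabled on the interface
                  f"        set edge-port {s['edge-port']}",
                  f"        set stp-bpdu-guard {s['stp-bpdu-guard']}"]
        if s["stp-bpdu-guard"] == "enabled":
            # 0 means the port stays down until `execute bpdu-guard reset <port>` is run
            lines.append(f"        set stp-bpdu-guard-timeout {spec.get('bpdu_timeout', 5)}")
        lines += [f"        set stp-loop-protection {s['stp-loop-protection']}",
                  f"        set stp-root-guard {s['stp-root-guard']}",
                  "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed plan: two host ports, one downstream switch, one uplink toward the root.
    plan = {"port1":  {"role": "access", "bpdu_timeout": 0},
            "port30": {"role": "access", "bpdu_timeout": 60},
            "port47": {"role": "downlink"},
            "port48": {"role": "uplink"}}
    print(render(plan, root_port="port48"))
```

Pass the port that faces the root bridge as `root_port`; the check rejects a plan that assigns it the downlink role, which is the mistake the root guard section warns against.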

 

If you set the port timeout to 0, you will need to reset the port after it receives BPDUs and goes down. Use the following command to reset the port:

execute bpdu-guard reset <port_name>

 

To check if BPDU guard has been triggered and on which ports, use the following command:

diagnose bpdu-guard display status

 

Portname             State      Status       Timeout(m)    Count    Last-Event
_________________   _______    _________    ___________    _____   __________________

port1              disabled     -              -             -            -
port2              disabled     -              -             -            -
port3              disabled     -              -             -            -
port4              disabled     -              -             -            -
port5              disabled     -              -             -            -
port6              disabled     -              -             -            -
port7              disabled     -              -             -            -
port8              disabled     -              -             -            -
port9              disabled     -              -             -            -
port10             disabled     -              -             -            -
port11             disabled     -              -             -            -
port12             disabled     -              -             -            -
port13             disabled     -              -             -            -
port14             disabled     -              -             -            -
port15             disabled     -              -             -            -
port16             disabled     -              -             -            -
port17             disabled     -              -             -            -
port18             disabled     -              -             -            -
port19             disabled     -              -             -            -
port20             disabled     -              -             -            -
port21             disabled     -              -             -            -
port22             disabled     -              -             -            -
port23             disabled     -              -             -            -
port25             disabled     -              -             -            -
port26             disabled     -              -             -            -
port27             disabled     -              -             -            -
port28             disabled     -              -             -            -
port29             disabled     -              -             -            -
port30             enabled      -              60            0            -
__FoRtI1LiNk0__    disabled     -              -             -            -

 

You can also check BPDU guard in the GUI by going to Switch > Monitor > BPDU Guard.
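As an added example (not Fortinet code), the following Python script parses the `diagnose bpdu-guard display status` output shown above so it can be fed to monitoring: it lists ports with the guard enabled, ports whose counter shows the guard has fired, access ports that are supposed to carry the guard but do not, and the `execute bpdu-guard reset` commands for fired ports configured with timeout 0. The sample is a constructed excerpt of the output above plus one constructed row (port7); the Status and Last-Event wording for a fired port is not shown on this page, so that row's values are an assumption, and the parser relies only on the State, Timeout and Count columns.

```python
"""Parse `diagnose bpdu-guard display status` and report guard coverage.

Added example, not Fortinet code. SAMPLE is a constructed excerpt of the
output shown on this page plus one constructed row (port7) standing in
for a port whose guard has fired; the Status and Last-Event text a real
unit prints for that case is not shown on this page, so those two values
are an assumption. Parsing keys off State, Timeout and Count only.
"""

SAMPLE = """\
Portname             State      Status       Timeout(m)    Count    Last-Event
_________________   _______    _________    ___________    _____   __________________

port1              disabled     -              -             -            -
port2              disabled     -              -             -            -
port7              enabled      triggered      0             1            (constructed)
port30             enabled      -              60            0            -
__FoRtI1LiNk0__    disabled     -              -             -            -
"""


def parse_status(text: str) -> list:
    """Return one dict per port row: port, enabled, status, timeout, count, last_event."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 5)          # Last-Event may contain spaces
        if not parts:
            continue
        first = parts[0]
        if first == "Portname" or set(first) == {"_"}:   # header and underline rows
            continue
        if len(parts) < 5:
            continue
        name, state, status, timeout, count = parts[:5]
        last_event = parts[5] if len(parts) > 5 else "-"
        rows.append({
            "port": name,
            "enabled": state == "enabled",
            "status": None if status == "-" else status,
            "timeout": None if timeout == "-" else int(timeout),
            "count": 0 if count == "-" else int(count),
            "last_event": None if last_event == "-" else last_event,
        })
    return rows


def guarded_ports(rows: list) -> list:
    """Ports on which BPDU guard is enabled."""
    return [r["port"] for r in rows if r["enabled"]]


def triggered_ports(rows: list) -> list:
    """Ports where the guard has fired at least once (Count > 0)."""
    return [r["port"] for r in rows if r["enabled"] and r["count"] > 0]


def unguarded(rows: list, intended_access_ports: list) -> list:
    """Access ports that should carry BPDU guard but do not (policy drift)."""
    enabled = set(guarded_ports(rows))
    return [p for p in intended_access_ports if p not in enabled]


def reset_commands(rows: list) -> list:
    """Fired ports with timeout 0 stay down; emit the page's manual reset command."""
    return [f"execute bpdu-guard reset {r['port']}"
            for r in rows if r["enabled"] and r["count"] > 0 and r["timeout"] == 0]


if __name__ == "__main__":
    rows = parse_status(SAMPLE)
    print("guarded:", guarded_ports(rows))
    print("triggered:", triggered_ports(rows))
    print("access ports missing guard:", unguarded(rows, ["port1", "port2", "port7", "port30"]))
    print("\n".join(reset_commands(rows)))
```

Feed the real command output into `parse_status` in place of SAMPLE; a nonzero Count on an access port means something sent a BPDU into a host-facing port, which is worth an alert on its own, and `unguarded` catches ports that were re-provisioned without the guard.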
