MSTP configuration

MSTP configuration consists of the following steps:

Configure STP settings that are common to all MST instances.
Configure settings that are specific to each MST instance.
Configure loop-protection on all nondesignated ports.

Configuring STP settings

Some STP settings (region name and MST revision number) are common to all MST instances. Also, protocol timers are common to all instances because only the IST sends out BPDUs.

Using the GUI:

Go to Switch > STP > Settings.
Update the settings as described in the following table.
Select Update to save the settings.

Settings	Guidelines
Disabled	Disables MSTP for this switch.
Flood BPDU Packets	Select this checkbox if you want the STP packets arriving at any port to pass through the switch without being processed. If you do not select this checkbox, STP packets arriving at any port are blocked. This option is only available when MSTP is disabled.
Enabled	Enables MSTP for this switch.
Name	Region name. All switches in the MST region must have the identical name.
Revision	The MSTP revision number. All switches in the region must have the same revision number. The range of values is 0 to 65535. The default value is 0.
Hello Time (Seconds)	Hello time is how often (in seconds) that the switch sends out a BPDU. The range of values is 1 to 10. The default value is 2.
Forward Time (Seconds)	Forward time is how long (in seconds) a port will spend in the listening-and-learning state before transitioning to forwarding state. The range of values is 4 to 30. The default value is 15.
Max Age (Seconds)	The maximum age before the switch considers the received BPDU information on a port to be expired. Max-age is used when interworking with switches outside the region. The range of values is 6 to 40. The default value is 20.
Max Hops	Maximum hops is used inside the MST region. Hop count is decremented each time the BPDU is forwarded. If max-hops reaches zero, the switch discards the BPDU and ages out the information on the receiving port. The range of values is 1 to 40. The default value is 20.

Using the CLI:

config switch stp settings

set flood {enable | disable}

set forward-time <fseconds_int>

set hello-time <hseconds_int>

set max-age <age>

set max-hops <hops_int>

set mclag-stp-bpdu {both | single}

set name <name_str>

set revision <rev_int>

set status {enable | disable}

end

Configuring an MST instance

The STP topology is unique for each MST instance in the region. You can configure a different bridge priority and port parameters for each instance.

Using the GUI:

Go to Switch > STP > Instances.
Select Add Instance to create a new MST instance or select an existing instance and then select Edit.
Update the instance parameters as described in the following table.
Select Add or Update to save the settings.

Settings	Guidelines
ID	Instance identifier. The range is 0-32 for 5xx models and higher. For all other models, the range is 0 - 15.
Priority	Priority is a component of bridge ID. The switch with the lowest bridge ID becomes the root switch for this MST instance. Allowed values: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440. The default value is 32768.
VLAN Range	The VLANs that map to this MST instance. You can specify individual VLAN numbers or a range of numbers. NOTE: Do not assign any VLAN to more than one MST instance. Each VLAN number is in the range 1-4094.
Port Configuration
Name	Port that will participate in this MST instance.
Cost	The switch uses port cost to select designated ports. Port cost is added to the received BPDU root cost in any BPDU sent on this port. A lower value is preferred. The range of values is 1 to 200,000,000. The default value depends on the interface speed: - 10 Gigabit Ethernet: 2,000 - Gigabit Ethernet: 20,000 - Fast Ethernet: 200,000 - Ethernet: 2,000,000
Priority	The switch uses port priority to choose among ports of the same cost. The port with the lowest priority is put into forwarding state. The valid values are: 0, 32, 64, 96, 128, 160, 192, and 224. The default value is 128.

Using the CLI:

config switch stp instance

edit <instance number>

set priority <>

config stp-port

edit <port name>

set cost <>

set priority <>

set vlan-range <vlan range>

end

Example:

config switch stp instance

edit "1"

set priority 8192

config stp-port

edit "port18"

set cost 0

set priority 128

edit "port19"

set cost 0

set priority 128

end

set vlan-range 5 7 11-20

end

Configuring an STP edge port

You can use the edge-port setting when a device connected to a FortiSwitch port is not an STP bridge. When this setting is enabled, the FortiSwitch port immediately moves to a forwarding state rather than passing through listening and learning states.

By default, STP (and edge port) is enabled on all ports.

Using the GUI:

Go to Switch > Interface > Physical.
On the Physical Port Interfaces page, select a port and then select Edit.
Under Edge Port, select Enable.
Select OK to save the settings.

Using the CLI:

config switch interface

edit <port_name>

set edge-port <enabled | disabled>

end

Configuring STP loop protection

By default, STP loop protection is disabled on all ports.

Using the GUI:

Go to Switch > Interface > Physical.
On the Physical Port Interfaces page, select a port and then select Edit.
Under Loop Guard, select Enable.
Select OK to save the settings.

Using the CLI:

config switch interface

edit <port_name>

set stp-loop-protection <enabled | disabled>

end

Configuring STP root guard

Enable root guard on all ports that should not be root bridges. Do not enable root guard on the root port. You must have STP enabled to be able to use root guard.

Using the CLI:

config switch interface

edit <port_name>

set stp-root-guard <enable | disable>

end

For example, to enable root guard on port 20:

config switch interface

edit port20

set stp-state enabled

set stp-root-guard enable

end

Configuring STP BPDU guard

There are three prerequisites for using BPDU guard:

You must define the port as an edge port with the set edge-port enabled command.
You must enable STP on the switch interface with the set stp-state enabled command.
You must enable STP on the global level with the set status enable command.

You can set how long the port will go down for when a BPDU is received for a maximum of 120 minutes. The default port timeout is 5 minutes. If you set the timeout value to 0, the port will not go down when a BPDU is received, but you will have manually reset the port.

Using the GUI:

Go to Switch > Interface > Physical.
On the Physical Port Interfaces page, select a port and then select Edit.
Under Edge Port, select Enable and BPDU Guard.
In the Timeout (Minutes) field, enter how many minutes the port will go down for when a BPDU is received.
Select OK to save the settings.

To check if BPDU guard has been triggered and on which ports, go to Switch > Monitor > BPDU Guard.

Using the CLI:

config switch interface

edit <port_name>

set stp-bpdu-guard <enabled | disabled>

set stp-bpdu-guard-timeout <0-120>

end

For example, to enable BPDU guard on port 30 with a timeout value of 1 hour:

config switch stp settings

set status enable

end

config switch interface

edit port30

set stp-state enabled

set edge-port enabled

set stp-bpdu-guard enabled

set stp-bpdu-guard-timeout 60

end

If you set the port timeout to 0, you will need to reset the port after it receives BPDUs and goes down. Use the following command to reset the port:

execute bpdu-guard reset <port_name>

To check if BPDU guard has been triggered and on which ports, use the following command:

diagnose bpdu-guard display status

Portname State Status Timeout(m) Count Last-Event

_________________ _______ _________ ___________ _____ __________________

port1 disabled - - - -

port2 disabled - - - -

port3 disabled - - - -

port4 disabled - - - -

port5 disabled - - - -

port6 disabled - - - -

port7 disabled - - - -

port8 disabled - - - -

port9 disabled - - - -

port10 disabled - - - -

port11 disabled - - - -

port12 disabled - - - -

port13 disabled - - - -

port14 disabled - - - -

port15 disabled - - - -

port16 disabled - - - -

port17 disabled - - - -

port18 disabled - - - -

port19 disabled - - - -

port20 disabled - - - -

port21 disabled - - - -

port22 disabled - - - -

port23 disabled - - - -

port25 disabled - - - -

port26 disabled - - - -

port27 disabled - - - -

port28 disabled - - - -

port29 disabled - - - -

port30 enabled - 60 0 -

__FoRtI1LiNk0__ disabled - - - -

You can also check BPDU guard by going to the Monitor > BPDU Guard page.

MSTP configuration

MSTP configuration consists of the following steps:

Configure STP settings that are common to all MST instances.
Configure settings that are specific to each MST instance.
Configure loop-protection on all nondesignated ports.

Configuring STP settings

Some STP settings (region name and MST revision number) are common to all MST instances. Also, protocol timers are common to all instances because only the IST sends out BPDUs.

Using the GUI:

Go to Switch > STP > Settings.
Update the settings as described in the following table.
Select Update to save the settings.

Settings	Guidelines
Disabled	Disables MSTP for this switch.
Flood BPDU Packets	Select this checkbox if you want the STP packets arriving at any port to pass through the switch without being processed. If you do not select this checkbox, STP packets arriving at any port are blocked. This option is only available when MSTP is disabled.
Enabled	Enables MSTP for this switch.
Name	Region name. All switches in the MST region must have the identical name.
Revision	The MSTP revision number. All switches in the region must have the same revision number. The range of values is 0 to 65535. The default value is 0.
Hello Time (Seconds)	Hello time is how often (in seconds) that the switch sends out a BPDU. The range of values is 1 to 10. The default value is 2.
Forward Time (Seconds)	Forward time is how long (in seconds) a port will spend in the listening-and-learning state before transitioning to forwarding state. The range of values is 4 to 30. The default value is 15.
Max Age (Seconds)	The maximum age before the switch considers the received BPDU information on a port to be expired. Max-age is used when interworking with switches outside the region. The range of values is 6 to 40. The default value is 20.
Max Hops	Maximum hops is used inside the MST region. Hop count is decremented each time the BPDU is forwarded. If max-hops reaches zero, the switch discards the BPDU and ages out the information on the receiving port. The range of values is 1 to 40. The default value is 20.

Using the CLI:

config switch stp settings

set flood {enable | disable}

set forward-time <fseconds_int>

set hello-time <hseconds_int>

set max-age <age>

set max-hops <hops_int>

set mclag-stp-bpdu {both | single}

set name <name_str>

set revision <rev_int>

set status {enable | disable}

end

Configuring an MST instance

The STP topology is unique for each MST instance in the region. You can configure a different bridge priority and port parameters for each instance.

Using the GUI:

Go to Switch > STP > Instances.
Select Add Instance to create a new MST instance or select an existing instance and then select Edit.
Update the instance parameters as described in the following table.
Select Add or Update to save the settings.

Settings	Guidelines
ID	Instance identifier. The range is 0-32 for 5xx models and higher. For all other models, the range is 0 - 15.
Priority	Priority is a component of bridge ID. The switch with the lowest bridge ID becomes the root switch for this MST instance. Allowed values: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440. The default value is 32768.
VLAN Range	The VLANs that map to this MST instance. You can specify individual VLAN numbers or a range of numbers. NOTE: Do not assign any VLAN to more than one MST instance. Each VLAN number is in the range 1-4094.
Port Configuration
Name	Port that will participate in this MST instance.
Cost	The switch uses port cost to select designated ports. Port cost is added to the received BPDU root cost in any BPDU sent on this port. A lower value is preferred. The range of values is 1 to 200,000,000. The default value depends on the interface speed: - 10 Gigabit Ethernet: 2,000 - Gigabit Ethernet: 20,000 - Fast Ethernet: 200,000 - Ethernet: 2,000,000
Priority	The switch uses port priority to choose among ports of the same cost. The port with the lowest priority is put into forwarding state. The valid values are: 0, 32, 64, 96, 128, 160, 192, and 224. The default value is 128.

Using the CLI:

config switch stp instance

edit <instance number>

set priority <>

config stp-port

edit <port name>

set cost <>

set priority <>

set vlan-range <vlan range>

end

Example:

config switch stp instance

edit "1"

set priority 8192

config stp-port

edit "port18"

set cost 0

set priority 128

edit "port19"

set cost 0

set priority 128

end

set vlan-range 5 7 11-20

end

Configuring an STP edge port

By default, STP (and edge port) is enabled on all ports.

Using the GUI:

Go to Switch > Interface > Physical.
On the Physical Port Interfaces page, select a port and then select Edit.
Under Edge Port, select Enable.
Select OK to save the settings.

Using the CLI:

config switch interface

edit <port_name>

set edge-port <enabled | disabled>

end

Configuring STP loop protection

By default, STP loop protection is disabled on all ports.

Using the GUI:

Go to Switch > Interface > Physical.
On the Physical Port Interfaces page, select a port and then select Edit.
Under Loop Guard, select Enable.
Select OK to save the settings.

Using the CLI:

config switch interface

edit <port_name>

set stp-loop-protection <enabled | disabled>

end

Configuring STP root guard

Enable root guard on all ports that should not be root bridges. Do not enable root guard on the root port. You must have STP enabled to be able to use root guard.

Using the CLI:

config switch interface

edit <port_name>

set stp-root-guard <enable | disable>

end

For example, to enable root guard on port 20:

config switch interface

edit port20

set stp-state enabled

set stp-root-guard enable

end

Configuring STP BPDU guard

There are three prerequisites for using BPDU guard:

You must define the port as an edge port with the set edge-port enabled command.
You must enable STP on the switch interface with the set stp-state enabled command.
You must enable STP on the global level with the set status enable command.

Using the GUI:

Go to Switch > Interface > Physical.
On the Physical Port Interfaces page, select a port and then select Edit.
Under Edge Port, select Enable and BPDU Guard.
In the Timeout (Minutes) field, enter how many minutes the port will go down for when a BPDU is received.
Select OK to save the settings.

To check if BPDU guard has been triggered and on which ports, go to Switch > Monitor > BPDU Guard.

Using the CLI:

config switch interface

edit <port_name>

set stp-bpdu-guard <enabled | disabled>

set stp-bpdu-guard-timeout <0-120>

end

For example, to enable BPDU guard on port 30 with a timeout value of 1 hour:

config switch stp settings

set status enable

end

config switch interface

edit port30

set stp-state enabled

set edge-port enabled

set stp-bpdu-guard enabled

set stp-bpdu-guard-timeout 60

end

If you set the port timeout to 0, you will need to reset the port after it receives BPDUs and goes down. Use the following command to reset the port:

execute bpdu-guard reset <port_name>

To check if BPDU guard has been triggered and on which ports, use the following command:

diagnose bpdu-guard display status

Portname State Status Timeout(m) Count Last-Event

_________________ _______ _________ ___________ _____ __________________

port1 disabled - - - -

port2 disabled - - - -

port3 disabled - - - -

port4 disabled - - - -

port5 disabled - - - -

port6 disabled - - - -

port7 disabled - - - -

port8 disabled - - - -

port9 disabled - - - -

port10 disabled - - - -

port11 disabled - - - -

port12 disabled - - - -

port13 disabled - - - -

port14 disabled - - - -

port15 disabled - - - -

port16 disabled - - - -

port17 disabled - - - -

port18 disabled - - - -

port19 disabled - - - -

port20 disabled - - - -

port21 disabled - - - -

port22 disabled - - - -

port23 disabled - - - -

port25 disabled - - - -

port26 disabled - - - -

port27 disabled - - - -

port28 disabled - - - -

port29 disabled - - - -

port30 enabled - 60 0 -

__FoRtI1LiNk0__ disabled - - - -

You can also check BPDU guard by going to the Monitor > BPDU Guard page.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

Administration Guide

MSTP configuration

MSTP configuration

Configuring STP settings

Using the GUI:

Using the CLI:

Configuring an MST instance

Using the GUI:

Using the CLI:

Configuring an STP edge port

Using the GUI:

Using the CLI:

Configuring STP loop protection

Using the GUI: