Fortinet white logo
Fortinet white logo

FortiLink Guide

Configuring STP settings

Configuring STP settings

The managed FortiSwitch unit supports Spanning Tree Protocol (a link-management protocol that ensures a loop-free layer-2 network topology) as well as Multiple Spanning Tree Protocol (MSTP), which is defined in the IEEE 802.1Q standard.

MSTP supports multiple spanning tree instances, where each instance carries traffic for one or more VLANs (the mapping of VLANs to instances is configurable). MSTP is backward-compatible with STP and Rapid Spanning Tree Protocol (RSTP). A layer-2 network can contain switches that are running MSTP, STP, or RSTP. MSTP is built on RSTP, so it provides fast recovery from network faults and fast convergence times.

This section covers the following topics:

To configure STP for all managed FortiSwitch units:

config switch-controller stp-settings

set name <name>

set revision <stp revision>

set hello-time <hello time>

set forward-time <forwarding delay>

set max-age <maximum aging time>

set max-hops <maximum number of hops>

end

To override the global STP settings for a specific FortiSwitch unit:

config switch-controller managed-switch

edit <switch-id>

config stp-settings

set local-override enable

end

To configure MSTP instances:

config switch-controller stp-instance

edit <id>

config vlan-range <list of VLAN names>

end

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config stp-instance

edit <id>

set priority <0 | 4096 | 8192 | 12288 | 16384 | 20480 | 24576 | 28672 | 32768 | 36864 | 40960 | 45056 | 49152 | 53248 | 57344 | 61440>

next

end

next

end

For example:

config switch-controller stp-instance

edit 1

config vlan-range vlan1 vlan2 vlan3

end

config switch-controller managed-switch

edit S524DF4K15000024

config stp-instance

edit 1

set priority 16384

next

end

next

end

Configuring STP on FortiSwitch ports

Starting with FortiSwitch Release 3.4.2, STP is enabled by default for the non-FortiLink ports on the managed FortiSwitch units. STP is a link-management protocol that ensures a loop-free layer-2 network topology.

NOTE: STP is not supported between a FortiGate unit and a FortiSwitch unit in FortiLink mode.

Use the following commands to enable or disable STP on FortiSwitch ports:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set stp-state {enabled | disabled}

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port1

set stp-state enabled

end

end

To check the STP configuration on a FortiSwitch, use the following command:

diagnose switch-controller switch-info stp <FortiSwitch_serial_number> <instance_number>

For example:

FG100D3G15817028 # diagnose switch-controller switch-info stp S524DF4K15000024 0
MST Instance Information, primary-Channel:
Instance ID :   0
Switch Priority : 24576
Root MAC Address :    085b0ef195e4
Root Priority:    24576
Root Pathcost:    0
Regional Root MAC Address :   085b0ef195e4
Regional Root Priority:   24576
Regional Root Path Cost:  0
Remaining Hops:       20
This Bridge MAC Address :    085b0ef195e4
This bridge is the root

Port               Speed   Cost       Priority   Role         State       Edge  STP-Status  Loop Protection
________________   ______  _________  _________  ___________  __________  ____  __________  ________

port1              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port2              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port3              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port4              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port5              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port6              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port7              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port8              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port9              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port10             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port11             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port12             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port13             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port14             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port15             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port16             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port17             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port18             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port19             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port20             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port21             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port22             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port23             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port25             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port26             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port27             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port28             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port29             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port30             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
internal           1G      20000      128        DESIGNATED   FORWARDING   YES    DISABLED       NO
__FoRtI1LiNk0__    1G      20000      128        DESIGNATED   FORWARDING   YES    DISABLED       NO

Configuring STP root guard

Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce the specified network topology.

Enable root guard on all ports that should not be root bridges. Do not enable root guard on the root port. You must have STP enabled to be able to use root guard.

Use the following commands to enable or disable STP root guard on FortiSwitch ports:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set stp-root-guard {enabled | disabled}

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port1

set stp-root-guard enabled

end

end

Configuring STP BPDU guard

Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard is enabled on STP edge ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not forwarded, and the network edge is enforced.

There are two prerequisites for using BPDU guard:

  • You must define the port as an edge port with the set edge-port enable command.
  • You must enable STP on the switch interface with the set stp-state enabled command.

You can set how long the port will go down when a BPDU is received for a maximum of 120 minutes. The default port timeout is 5 minutes. If you set the timeout value to 0, the port will not go down when a BPDU is received, but you will have manually reset the port.

Use the following commands to enable or disable STP BPDU guard on FortiSwitch ports:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set stp-bpdu-guard {enabled | disabled}

set stp-bpdu-guard-time <0-120>

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port1

set stp-bpdu-guard enabled

set stp-bpdu-guard-time 10

end

end

To check the configuration of STP BPDU guard on a FortiSwitch unit, use the following command:

diagnose switch-controller switch-info bpdu-guard-status <FortiSwitch_serial_number>

For example:

FG100D3G15817028 # diagnose switch-controller switch-info bpdu-guard-status S524DF4K15000024
Managed Switch : S524DF4K15000024 0

Portname             State      Status       Timeout(m)    Count    Last-Event
_________________   _______    _________    ___________    _____   _______________

port1              enabled      -              10            0            -
port2              disabled     -              -             -            -
port3              disabled     -              -             -            -
port4              disabled     -              -             -            -
port5              disabled     -              -             -            -
port6              disabled     -              -             -            -
port7              disabled     -              -             -            -
port8              disabled     -              -             -            -
port9              disabled     -              -             -            -
port10             disabled     -              -             -            -
port11             disabled     -              -             -            -
port12             disabled     -              -             -            -
port13             disabled     -              -             -            -
port14             disabled     -              -             -            -
port15             disabled     -              -             -            -
port16             disabled     -              -             -            -
port17             disabled     -              -             -            -
port18             disabled     -              -             -            -
port19             disabled     -              -             -            -
port20             disabled     -              -             -            -
port21             disabled     -              -             -            -
port22             disabled     -              -             -            -
port23             disabled     -              -             -            -
port25             disabled     -              -             -            -
port26             disabled     -              -             -            -
port27             disabled     -              -             -            -
port28             disabled     -              -             -            -
port29             disabled     -              -             -            -
port30             disabled     -              -             -            -
__FoRtI1LiNk0__    disabled     -              -             -            -

Configuring interoperation with per-VLAN RSTP

Starting in FortiOS 6.4.2, managed FortiSwitch units can now interoperate with a network that is running RPVST+. The existing networkʼs configuration can be maintained while adding managed FortiSwitch units as an extended region. By default, interoperation with RPVST+ is disabled.

When an MSTP domain is connected with an RPVST+ domain, FortiSwitch interoperation with the RPVST+ domain works in two ways:

  • If the root bridge for the CIST is within an MSTP region, the boundary FortiSwitch unit of the MSTP region duplicates instance 0 information, creates one BPDU for every VLAN, and sends the BPDUs to the RPVST+ domain.

    In this case, follow this rule: If the root bridge for the CIST is within an MSTP region, VLANs other than VLAN 1 defined in the RPVST+ domains must have their bridge priorities worse (numerically greater) than that of the CIST root bridge within MSTP region.

  • If the root bridge for the CIST is within an RPVST+ domain, the boundary FortiSwitch unit processes only the VLAN 1 information received from the RPVST+ domain. The other BPDUs (VLANs 2 and above) sent from the connected RPVST+ domain are used only for consistency checks.

    In this case, follow this rule: If the root bridge for the CIST is within the RPVST+ domain, the root bridge priority of VLANs other than VLAN 1 within that domain must be better (numerically less) than that of VLAN 1.
To configure interoperation with RPVST+:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set rpvst-port {enabled | disabled}

next

end

For example:

FGT-1 (testvdom) # config switch-controller managed-switch

FGT-1 (managed-switch) # edit FS3E32T419000006

FGT-1 (FS3E32T419000006) # config ports

FGT-1 (ports) # edit port5

FGT-1 (port5) # set rpvst-port enabled

FGT-1 (port5) # next

FGT-1 (ports) # end

Note

A maximum of 16 VLANs is supported; the maximum number of VLANs includes native VLANs. You must configure the same VLANs as those used in the RPVST+ domain.

To check your configuration and to diagnose any problems:

diagnose switch-controller switch-info rpvst <FortiSwitch_serial_number> <port_name>

For example:

diagnose switch-controller switch-info rpvst FS3E32T419000006 port5

Configuring STP settings

Configuring STP settings

The managed FortiSwitch unit supports Spanning Tree Protocol (a link-management protocol that ensures a loop-free layer-2 network topology) as well as Multiple Spanning Tree Protocol (MSTP), which is defined in the IEEE 802.1Q standard.

MSTP supports multiple spanning tree instances, where each instance carries traffic for one or more VLANs (the mapping of VLANs to instances is configurable). MSTP is backward-compatible with STP and Rapid Spanning Tree Protocol (RSTP). A layer-2 network can contain switches that are running MSTP, STP, or RSTP. MSTP is built on RSTP, so it provides fast recovery from network faults and fast convergence times.

This section covers the following topics:

To configure STP for all managed FortiSwitch units:

config switch-controller stp-settings

set name <name>

set revision <stp revision>

set hello-time <hello time>

set forward-time <forwarding delay>

set max-age <maximum aging time>

set max-hops <maximum number of hops>

end

To override the global STP settings for a specific FortiSwitch unit:

config switch-controller managed-switch

edit <switch-id>

config stp-settings

set local-override enable

end

To configure MSTP instances:

config switch-controller stp-instance

edit <id>

config vlan-range <list of VLAN names>

end

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config stp-instance

edit <id>

set priority <0 | 4096 | 8192 | 12288 | 16384 | 20480 | 24576 | 28672 | 32768 | 36864 | 40960 | 45056 | 49152 | 53248 | 57344 | 61440>

next

end

next

end

For example:

config switch-controller stp-instance

edit 1

config vlan-range vlan1 vlan2 vlan3

end

config switch-controller managed-switch

edit S524DF4K15000024

config stp-instance

edit 1

set priority 16384

next

end

next

end

Configuring STP on FortiSwitch ports

Starting with FortiSwitch Release 3.4.2, STP is enabled by default for the non-FortiLink ports on the managed FortiSwitch units. STP is a link-management protocol that ensures a loop-free layer-2 network topology.

NOTE: STP is not supported between a FortiGate unit and a FortiSwitch unit in FortiLink mode.

Use the following commands to enable or disable STP on FortiSwitch ports:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set stp-state {enabled | disabled}

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port1

set stp-state enabled

end

end

To check the STP configuration on a FortiSwitch, use the following command:

diagnose switch-controller switch-info stp <FortiSwitch_serial_number> <instance_number>

For example:

FG100D3G15817028 # diagnose switch-controller switch-info stp S524DF4K15000024 0
MST Instance Information, primary-Channel:
Instance ID :   0
Switch Priority : 24576
Root MAC Address :    085b0ef195e4
Root Priority:    24576
Root Pathcost:    0
Regional Root MAC Address :   085b0ef195e4
Regional Root Priority:   24576
Regional Root Path Cost:  0
Remaining Hops:       20
This Bridge MAC Address :    085b0ef195e4
This bridge is the root

Port               Speed   Cost       Priority   Role         State       Edge  STP-Status  Loop Protection
________________   ______  _________  _________  ___________  __________  ____  __________  ________

port1              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port2              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port3              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port4              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port5              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port6              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port7              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port8              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port9              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port10             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port11             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port12             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port13             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port14             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port15             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port16             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port17             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port18             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port19             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port20             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port21             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port22             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port23             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port25             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port26             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port27             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port28             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port29             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port30             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
internal           1G      20000      128        DESIGNATED   FORWARDING   YES    DISABLED       NO
__FoRtI1LiNk0__    1G      20000      128        DESIGNATED   FORWARDING   YES    DISABLED       NO

Configuring STP root guard

Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce the specified network topology.

Enable root guard on all ports that should not be root bridges. Do not enable root guard on the root port. You must have STP enabled to be able to use root guard.

Use the following commands to enable or disable STP root guard on FortiSwitch ports:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set stp-root-guard {enabled | disabled}

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port1

set stp-root-guard enabled

end

end

Configuring STP BPDU guard

Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard is enabled on STP edge ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not forwarded, and the network edge is enforced.

There are two prerequisites for using BPDU guard:

  • You must define the port as an edge port with the set edge-port enable command.
  • You must enable STP on the switch interface with the set stp-state enabled command.

You can set how long the port will go down when a BPDU is received for a maximum of 120 minutes. The default port timeout is 5 minutes. If you set the timeout value to 0, the port will not go down when a BPDU is received, but you will have manually reset the port.

Use the following commands to enable or disable STP BPDU guard on FortiSwitch ports:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set stp-bpdu-guard {enabled | disabled}

set stp-bpdu-guard-time <0-120>

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port1

set stp-bpdu-guard enabled

set stp-bpdu-guard-time 10

end

end

To check the configuration of STP BPDU guard on a FortiSwitch unit, use the following command:

diagnose switch-controller switch-info bpdu-guard-status <FortiSwitch_serial_number>

For example:

FG100D3G15817028 # diagnose switch-controller switch-info bpdu-guard-status S524DF4K15000024
Managed Switch : S524DF4K15000024 0

Portname             State      Status       Timeout(m)    Count    Last-Event
_________________   _______    _________    ___________    _____   _______________

port1              enabled      -              10            0            -
port2              disabled     -              -             -            -
port3              disabled     -              -             -            -
port4              disabled     -              -             -            -
port5              disabled     -              -             -            -
port6              disabled     -              -             -            -
port7              disabled     -              -             -            -
port8              disabled     -              -             -            -
port9              disabled     -              -             -            -
port10             disabled     -              -             -            -
port11             disabled     -              -             -            -
port12             disabled     -              -             -            -
port13             disabled     -              -             -            -
port14             disabled     -              -             -            -
port15             disabled     -              -             -            -
port16             disabled     -              -             -            -
port17             disabled     -              -             -            -
port18             disabled     -              -             -            -
port19             disabled     -              -             -            -
port20             disabled     -              -             -            -
port21             disabled     -              -             -            -
port22             disabled     -              -             -            -
port23             disabled     -              -             -            -
port25             disabled     -              -             -            -
port26             disabled     -              -             -            -
port27             disabled     -              -             -            -
port28             disabled     -              -             -            -
port29             disabled     -              -             -            -
port30             disabled     -              -             -            -
__FoRtI1LiNk0__    disabled     -              -             -            -

Configuring interoperation with per-VLAN RSTP

Starting in FortiOS 6.4.2, managed FortiSwitch units can now interoperate with a network that is running RPVST+. The existing networkʼs configuration can be maintained while adding managed FortiSwitch units as an extended region. By default, interoperation with RPVST+ is disabled.

When an MSTP domain is connected with an RPVST+ domain, FortiSwitch interoperation with the RPVST+ domain works in two ways:

  • If the root bridge for the CIST is within an MSTP region, the boundary FortiSwitch unit of the MSTP region duplicates instance 0 information, creates one BPDU for every VLAN, and sends the BPDUs to the RPVST+ domain.

    In this case, follow this rule: If the root bridge for the CIST is within an MSTP region, VLANs other than VLAN 1 defined in the RPVST+ domains must have their bridge priorities worse (numerically greater) than that of the CIST root bridge within MSTP region.

  • If the root bridge for the CIST is within an RPVST+ domain, the boundary FortiSwitch unit processes only the VLAN 1 information received from the RPVST+ domain. The other BPDUs (VLANs 2 and above) sent from the connected RPVST+ domain are used only for consistency checks.

    In this case, follow this rule: If the root bridge for the CIST is within the RPVST+ domain, the root bridge priority of VLANs other than VLAN 1 within that domain must be better (numerically less) than that of VLAN 1.
To configure interoperation with RPVST+:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set rpvst-port {enabled | disabled}

next

end

For example:

FGT-1 (testvdom) # config switch-controller managed-switch

FGT-1 (managed-switch) # edit FS3E32T419000006

FGT-1 (FS3E32T419000006) # config ports

FGT-1 (ports) # edit port5

FGT-1 (port5) # set rpvst-port enabled

FGT-1 (port5) # next

FGT-1 (ports) # end

Note

A maximum of 16 VLANs is supported; the maximum number of VLANs includes native VLANs. You must configure the same VLANs as those used in the RPVST+ domain.

To check your configuration and to diagnose any problems:

diagnose switch-controller switch-info rpvst <FortiSwitch_serial_number> <port_name>

For example:

diagnose switch-controller switch-info rpvst FS3E32T419000006 port5