Configuring STP settings
The managed FortiSwitch unit supports Spanning Tree Protocol (a link-management protocol that ensures a loop-free layer-2 network topology) as well as Multiple Spanning Tree Protocol (MSTP), which is defined in the IEEE 802.1Q standard.
MSTP supports multiple spanning tree instances, where each instance carries traffic for one or more VLANs (the mapping of VLANs to instances is configurable). MSTP is backward-compatible with STP and Rapid Spanning Tree Protocol (RSTP). A layer-2 network can contain switches that are running MSTP, STP, or RSTP. MSTP is built on RSTP, so it provides fast recovery from network faults and fast convergence times.
This section covers the following topics:
- Configuring STP on FortiSwitch ports
- Configuring STP root guard
- Configuring STP BPDU guard
- Configuring interoperation with per-VLAN RSTP
To configure STP for all managed FortiSwitch units:
config switch-controller stp-settings
set name <name>
set revision <stp revision>
set hello-time <hello time>
set forward-time <forwarding delay>
set max-age <maximum aging time>
set max-hops <maximum number of hops>
end
To override the global STP settings for a specific FortiSwitch unit:
config switch-controller managed-switch
edit <switch-id>
config stp-settings
set local-override enable
end
To configure MSTP instances:
config switch-controller stp-instance
edit <id>
config vlan-range <list of VLAN names>
end
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config stp-instance
edit <id>
set priority <0 | 4096 | 8192 | 12288 | 16384 | 20480 | 24576 | 28672 | 32768 | 36864 | 40960 | 45056 | 49152 | 53248 | 57344 | 61440>
next
end
next
end
For example:
config switch-controller stp-instance
edit 1
config vlan-range vlan1 vlan2 vlan3
end
config switch-controller managed-switch
edit S524DF4K15000024
config stp-instance
edit 1
set priority 16384
next
end
next
end
Configuring STP on FortiSwitch ports
Starting with FortiSwitch Release 3.4.2, STP is enabled by default for the non-FortiLink ports on the managed FortiSwitch units. STP is a link-management protocol that ensures a loop-free layer-2 network topology.
NOTE: STP is not supported between a FortiGate unit and a FortiSwitch unit in FortiLink mode.
Use the following commands to enable or disable STP on FortiSwitch ports:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set stp-state {enabled | disabled}
end
end
For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port1
set stp-state enabled
end
end
To check the STP configuration on a FortiSwitch, use the following command:
diagnose switch-controller switch-info stp <FortiSwitch_serial_number> <instance_number>
For example:
FG100D3G15817028 # diagnose switch-controller switch-info stp S524DF4K15000024 0 MST Instance Information, primary-Channel: Instance ID : 0 Switch Priority : 24576 Root MAC Address : 085b0ef195e4 Root Priority: 24576 Root Pathcost: 0 Regional Root MAC Address : 085b0ef195e4 Regional Root Priority: 24576 Regional Root Path Cost: 0 Remaining Hops: 20 This Bridge MAC Address : 085b0ef195e4 This bridge is the root Port Speed Cost Priority Role State Edge STP-Status Loop Protection ________________ ______ _________ _________ ___________ __________ ____ __________ ________ port1 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port2 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port3 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port4 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port5 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port6 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port7 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port8 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port9 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port10 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port11 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port12 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port13 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port14 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port15 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port16 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port17 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port18 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port19 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port20 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port21 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port22 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port23 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port25 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port26 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port27 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port28 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port29 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port30 - 200000000 128 DISABLED DISCARDING YES ENABLED NO internal 1G 20000 128 DESIGNATED FORWARDING YES DISABLED NO __FoRtI1LiNk0__ 1G 20000 128 DESIGNATED FORWARDING YES DISABLED NO
Configuring STP root guard
Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce the specified network topology.
Enable root guard on all ports that should not be root bridges. Do not enable root guard on the root port. You must have STP enabled to be able to use root guard.
Use the following commands to enable or disable STP root guard on FortiSwitch ports:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set stp-root-guard {enabled | disabled}
end
end
For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port1
set stp-root-guard enabled
end
end
Configuring STP BPDU guard
Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard is enabled on STP edge ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not forwarded, and the network edge is enforced.
There are two prerequisites for using BPDU guard:
- You must define the port as an edge port with the
set edge-port enable
command. - You must enable STP on the switch interface with the
set stp-state enabled
command.
You can set how long the port will go down when a BPDU is received for a maximum of 120 minutes. The default port timeout is 5 minutes. If you set the timeout value to 0, the port will not go down when a BPDU is received, but you will have manually reset the port.
Use the following commands to enable or disable STP BPDU guard on FortiSwitch ports:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set stp-bpdu-guard {enabled | disabled}
set stp-bpdu-guard-time <0-120>
end
end
For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port1
set stp-bpdu-guard enabled
set stp-bpdu-guard-time 10
end
end
To check the configuration of STP BPDU guard on a FortiSwitch unit, use the following command:
diagnose switch-controller switch-info bpdu-guard-status <FortiSwitch_serial_number>
For example:
FG100D3G15817028 # diagnose switch-controller switch-info bpdu-guard-status S524DF4K15000024 Managed Switch : S524DF4K15000024 0 Portname State Status Timeout(m) Count Last-Event _________________ _______ _________ ___________ _____ _______________ port1 enabled - 10 0 - port2 disabled - - - - port3 disabled - - - - port4 disabled - - - - port5 disabled - - - - port6 disabled - - - - port7 disabled - - - - port8 disabled - - - - port9 disabled - - - - port10 disabled - - - - port11 disabled - - - - port12 disabled - - - - port13 disabled - - - - port14 disabled - - - - port15 disabled - - - - port16 disabled - - - - port17 disabled - - - - port18 disabled - - - - port19 disabled - - - - port20 disabled - - - - port21 disabled - - - - port22 disabled - - - - port23 disabled - - - - port25 disabled - - - - port26 disabled - - - - port27 disabled - - - - port28 disabled - - - - port29 disabled - - - - port30 disabled - - - - __FoRtI1LiNk0__ disabled - - - -
Configuring interoperation with per-VLAN RSTP
Starting in FortiOS 6.4.2, managed FortiSwitch units can now interoperate with a network that is running RPVST+. The existing networkʼs configuration can be maintained while adding managed FortiSwitch units as an extended region. By default, interoperation with RPVST+ is disabled.
When an MSTP domain is connected with an RPVST+ domain, FortiSwitch interoperation with the RPVST+ domain works in two ways:
- If the root bridge for the CIST is within an MSTP region, the boundary FortiSwitch unit of the MSTP region duplicates instance 0 information, creates one BPDU for every VLAN, and sends the BPDUs to the RPVST+ domain.
In this case, follow this rule: If the root bridge for the CIST is within an MSTP region, VLANs other than VLAN 1 defined in the RPVST+ domains must have their bridge priorities worse (numerically greater) than that of the CIST root bridge within MSTP region.
- If the root bridge for the CIST is within an RPVST+ domain, the boundary FortiSwitch unit processes only the VLAN 1 information received from the RPVST+ domain. The other BPDUs (VLANs 2 and above) sent from the connected RPVST+ domain are used only for consistency checks.
In this case, follow this rule: If the root bridge for the CIST is within the RPVST+ domain, the root bridge priority of VLANs other than VLAN 1 within that domain must be better (numerically less) than that of VLAN 1.
To configure interoperation with RPVST+:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set rpvst-port {enabled | disabled}
next
end
For example:
FGT-1 (testvdom) # config switch-controller managed-switch
FGT-1 (managed-switch) # edit FS3E32T419000006
FGT-1 (FS3E32T419000006) # config ports
FGT-1 (ports) # edit port5
FGT-1 (port5) # set rpvst-port enabled
FGT-1 (port5) # next
FGT-1 (ports) # end
A maximum of 16 VLANs is supported; the maximum number of VLANs includes native VLANs. You must configure the same VLANs as those used in the RPVST+ domain. |
To check your configuration and to diagnose any problems:
diagnose switch-controller switch-info rpvst <FortiSwitch_serial_number> <port_name>
For example:
diagnose switch-controller switch-info rpvst FS3E32T419000006 port5