Use Case Explorer: Spanning Tree Interoperability between FortiSwitch (MST) and Cisco PVST/RPVST
- Matt Sherif

Ah Spanning Tree... whether you love it, or hate it, it's an important layer 2 technology we use to prevent loops in our networks. And while SPB and TRILL attempted to solve these challenges, they don't seem to be practical for the campus network.
I was working with a customer who was considering FortiSwitch for their campus network, a fine choice since they already use FortiGate for SD-WAN. There were some concerns about "compatibility," and while in most cases "SwItChInG iS sWiTcHiNg," there is one big difference in the default Spanning Tree Protocol mode (and, in the case of FortiSwitch, the only mode): Cisco by default uses its proprietary Per-VLAN Spanning Tree (based on 802.1D), whereas FortiSwitch ONLY supports Multiple Spanning Tree (MST).
The simple path would be to replace all PVST configuration with MST; however, due to some legacy systems being in place, this was not an option.
MST can interoperate with PVST, but there are some very specific rules that you MUST follow. These are NOT Fortinet rules; they are IEEE rules. The rules for interoperability are:
1. If the Root Bridge will be using MST, then the root bridge's VLAN 1 bridge priority must be higher (numerically lower) than ALL other VLANs in the Cisco PVST configuration.

Example Cisco Configuration - FortiSwitch as STP root:

Root Bridge:
spanning-tree vlan 1 priority 204480
spanning-tree vlan 2-10,100,200-300 priority 32768

Root FortiSwitch Configuration:
config switch stp instance
    edit 1
        set priority 4096
        config stp-port
            <..put whichever ports you want in this instance>
        end
    next
end

Designated Root FortiSwitch Configuration:
config switch stp instance
    edit 1
        set priority 8192
        config stp-port
            <..put whichever ports you want in this instance>
        end
    next
end

2. If the Root Bridge will be using PVST/RPVST, then the root bridge's VLAN 1 bridge priority must be lower (numerically higher) than ALL other VLANs in the Cisco PVST configuration.

Example Cisco Configuration - Cisco Catalyst as STP Root:

Root Bridge:
spanning-tree vlan 1 priority 12288
spanning-tree vlan 2-10,100,200-300 priority 4096

Designated Root Bridge (Backup RB):
spanning-tree vlan 1 priority 16384
spanning-tree vlan 2-10,100,200-300 priority 8192

FortiSwitch Configuration:
config switch stp instance
    edit 1
        set priority 32768
        config stp-port
            <..put whichever ports you want in this instance>
        end
    next
end

NOTE: All Production VLANs must be "tagged" using 802.1q, with the exception of VLAN 1, which can remain the native VLAN.
The FortiSwitch ports that connect to the PVST switch ports (in this case Cisco Catalyst) require the following configuration (this configuration assumes native-vlan 1):

config switch interface
    edit port1
        set allowed-vlans <insert your allowed vlans here>
        set rpvst-port enable
    next
end

The above information can be referenced in Cisco's documentation as well as Fortinet's documentation.
Helpful STP Commands:

diagnose stp instance list
This command is like Cisco's "show spanning-tree" but lists ALL MST instances if you have more than one.

diagnose stp rapid-pvst-port list
A consistent output should look like the following:

switch# diagnose stp rapid-pvst-port list
RPVST port1: STP priorities consistent on all VLANs

If there are any inconsistencies, they will be listed with "STP priorities inconsistent on the following VLANs". In the event you encounter this, double check your VLAN priorities.
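To make the two priority rules above concrete, here is an added example (not a Fortinet or Cisco tool, and not part of the original post) that parses the Cisco "spanning-tree vlan ... priority ..." lines, takes the FortiSwitch CIST (instance 0/1) priority as an integer, and reports consistency in the same wording as the diagnose command. It assumes unconfigured VLANs use the PVST default priority of 32768 and treats equal priorities as inconsistent, since a real tie is broken by bridge MAC and should not be relied on. The three sample configurations are constructed from the numbers used in this post.

```python
"""Check the MST <-> PVST/RPVST priority rules described in the post.

Added example: a pre-change sanity check, not the switch's own BPDU-based
PVST simulation check (which compares full bridge IDs, MAC included).
"""
import re
from typing import Dict, List, Tuple

PVST_DEFAULT_PRIORITY = 32768  # assumption: unlisted VLANs keep the default
_LINE_RE = re.compile(r"^spanning-tree vlan (\S+) priority (\d+)$")


def expand_vlans(spec: str) -> List[int]:
    """Expand a Cisco VLAN list such as '2-10,100,200-300' into integers."""
    vlans: List[int] = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.extend(range(lo, hi + 1))
        else:
            vlans.append(int(part))
    return vlans


def parse_cisco_priorities(config: str) -> Dict[int, int]:
    """Return {vlan: priority} from 'spanning-tree vlan ... priority ...' lines."""
    prios: Dict[int, int] = {}
    for line in config.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            for vlan in expand_vlans(m.group(1)):
                prios[vlan] = int(m.group(2))
    return prios


def check_pvst_simulation(fs_cist_priority: int,
                          cisco: Dict[int, int]) -> Tuple[str, List[int]]:
    """Apply the two interoperability rules.

    Returns (role, inconsistent_vlans) where role is 'mst-root', 'pvst-root'
    or 'tie'. An empty list means every VLAN satisfies the rule.
    """
    vlan1 = cisco.get(1, PVST_DEFAULT_PRIORITY)
    others = {v: p for v, p in cisco.items() if v != 1}
    if fs_cist_priority == vlan1:
        # Decided by bridge MAC in practice; flag VLAN 1 so it gets fixed.
        return "tie", [1]
    if fs_cist_priority < vlan1:
        # Rule 1: MST side is CIST root, so it must beat every PVST VLAN.
        bad = [v for v, p in others.items() if p <= fs_cist_priority]
        return "mst-root", sorted(bad)
    # Rule 2: PVST side is CIST root, so VLAN 1 must be the worst Cisco VLAN.
    bad = [v for v, p in others.items() if p >= vlan1]
    return "pvst-root", sorted(bad)


def format_report(port: str, result: Tuple[str, List[int]]) -> str:
    """Mirror the wording of 'diagnose stp rapid-pvst-port list'."""
    _, bad = result
    if not bad:
        return f"RPVST {port}: STP priorities consistent on all VLANs"
    vlans = ",".join(str(v) for v in bad)
    return f"RPVST {port}: STP priorities inconsistent on the following VLANs: {vlans}"


if __name__ == "__main__":
    # Constructed configs using the priorities from the post.
    cisco_when_fortiswitch_is_root = (
        "spanning-tree vlan 1 priority 204480\n"
        "spanning-tree vlan 2-10,100,200-300 priority 32768\n"
    )
    cisco_when_catalyst_is_root = (
        "spanning-tree vlan 1 priority 12288\n"
        "spanning-tree vlan 2-10,100,200-300 priority 4096\n"
    )
    # Constructed mistake: VLAN 100 is worse than VLAN 1 while Cisco is root.
    cisco_broken = (
        "spanning-tree vlan 1 priority 12288\n"
        "spanning-tree vlan 2-10 priority 4096\n"
        "spanning-tree vlan 100 priority 16384\n"
    )
    for fs_prio, cfg in ((4096, cisco_when_fortiswitch_is_root),
                         (32768, cisco_when_catalyst_is_root),
                         (32768, cisco_broken)):
        result = check_pvst_simulation(fs_prio, parse_cisco_priorities(cfg))
        print(result[0], "->", format_report("port1", result))
```

Run it against a copy of the Catalyst configuration before committing the FortiSwitch priority; the broken sample shows the shape of the failure you would otherwise only see on the switch after the fact.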
Conclusion
MST to STP/RSTP (PVST/RPVST) interoperability is fairly straightforward, but it does require some configuration on both ends because the IEEE standard requires it. If you can support an overall change to MST, that would be preferred; however, if you find yourself in a position like I was in, I hope you find this helpful.
-- Madman out