
How to Separate Two MST in single company

anitaleung2019
Level 1

Dear Expert,

 

I will connect two metro Ethernet circuits to link up two "very powerful" departments. They enable MST (STP) on all layer 2 Ethernet switches.

 

I would like to retain their STP in their office only. It means that both MSTs are separated and cannot communicate with each other. However, the PCs in each VLAN can communicate with each other.

 

I use bpdufilter to separate the two MSTs and am not sure of any potential issue / problem with it. I would appreciate it if you could give me any ideas on it (i.e. use another approach to separate the two MSTs and the demarcation point on the ME circuit). Thanks.

 

switch A
========

interface Port-channel1
 description connect Dept B on 15/F, building B
!
interface GigabitEthernet1/0/23
 description Dept B on 15/F, building B - ME circuit 1
 switchport mode trunk
 ! add this command on trunk port
 spanning-tree bpdufilter enable
 switchport trunk allowed vlan 1-100,300-399
 channel-group 1 mode active
!
interface GigabitEthernet1/0/24
 description Dept B on 15/F, building B - ME circuit 2
 switchport mode trunk
 spanning-tree bpdufilter enable
 switchport trunk allowed vlan 1-100,300-399
 channel-group 1 mode active

 

switch B
========

interface Port-channel1
 description connect Dept A on 10/F, building A
!
interface GigabitEthernet1/0/23
 description Dept A on 10/F, building A - ME circuit 1
 switchport mode trunk
 spanning-tree bpdufilter enable
 switchport trunk allowed vlan 1-100,300-399
 channel-group 1 mode active
!
interface GigabitEthernet1/0/24
 description Dept A on 10/F, building A - ME circuit 2
 switchport mode trunk
 spanning-tree bpdufilter enable
 switchport trunk allowed vlan 1-100,300-399
 channel-group 1 mode active

===

Best regards

 

 

Accepted Solutions

Giuseppe Larosa
Hall of Fame

Hello Anita,

First of all, it would be better to know what type of STP you are using in your own switches.

 

The second point is the following:

If the two departments have their own MST regions, they will treat each other as separate entities.

 

Let me explain:

In an MST region all switches have to agree on the following parameters:

a) the region name. It is an alphanumeric string.

b) the revision number. It is just a number.

c) the VLAN to MST instance mapping.

MST is more scalable than PVST / Rapid PVST in the sense that it uses only a few MST instances, called MSTIs, to build and manage the network. All possible VLANs 1-4094 are by default associated with instance 0, the IST.

Only the IST sends MST BPDUs with sections for additional MSTI if any.

Only an MD5 hash of the VLAN to MST instance mapping is sent in the BPDU to save space.

To be in the same region, the region name, revision number, and hash of the VLAN to MST instance mapping must match.

So, the chances that the two MST regions of the two departments can join are little, unlikely.

 

Your configuration using port-channels + BPDU filter can be a good fit to avoid some of the complexity of multiple MST regions.

This is especially true if you are using MST in your own network with your own parameters (region name, revision number and VLAN to MSTI instance mappings).

 

If you are using Rapid PVST or PVST, the scenario is different.

MST and Rapid PVST can interact on a link, but there are some design rules to respect.

Either all Rapid PVST root bridges are worse than the MST root bridge in IST instance 0 and all other MSTI root bridges, or the opposite.

A mixed scenario is not allowed, as there is no one-to-one correspondence between Rapid PVST and those few MST instances.

The port role on your side has to be the same for all instances (designated port or root port). If an inconsistency is detected, the port can have issues related to MST / PVST interaction. On the MST side they can be seen as PVST emulation errors.

 

So yes, for the sake of simplicity the use of spanning-tree bpdufilter can be the easiest way to connect without interacting with the two MST regions.

 

Hope to help

Giuseppe
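
The region-membership rule described in the answer above, as an added Python example (not part of the original thread and not Cisco's code): it builds the VLAN-to-instance table, computes the configuration digest the way IEEE 802.1Q defines it (HMAC-MD5 with a fixed key), and reports which of the three parameters keep two switches in separate regions. The region names, revision numbers and mappings are constructed sample values.

```python
import hashlib
import hmac

# Fixed signature key that IEEE 802.1Q specifies for the MST Configuration Digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

def parse_vlans(spec):
    """Expand an IOS-style VLAN list such as '1-100,300-399' into a set of VIDs."""
    vids = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids

def config_digest(instance_map):
    """HMAC-MD5 over the 4096-entry VID -> MSTID table; unmapped VLANs stay in 0."""
    table = [0] * 4096  # entries 0 and 4095 are always 0
    for msti, spec in instance_map.items():
        for vid in parse_vlans(spec):
            if not 1 <= vid <= 4094:
                raise ValueError(f"VLAN {vid} out of range")
            table[vid] = msti
    raw = b"".join(m.to_bytes(2, "big") for m in table)  # 2 bytes per VLAN
    return hmac.new(MST_DIGEST_KEY, raw, hashlib.md5).hexdigest().upper()

def same_region(a, b):
    """Return (joined, reasons): one region only if all three parameters match."""
    reasons = []
    if a["name"] != b["name"]:
        reasons.append("region name")
    if a["revision"] != b["revision"]:
        reasons.append("revision number")
    if config_digest(a["instances"]) != config_digest(b["instances"]):
        reasons.append("VLAN-to-instance digest")
    return (not reasons, reasons)

# Constructed sample regions (names, revisions and mappings are invented).
DEPT_A = {"name": "DEPT-A", "revision": 1, "instances": {1: "1-100", 2: "300-399"}}
DEPT_B = {"name": "DEPT-B", "revision": 1,
          "instances": {1: "1-50", 2: "51-100,300-399"}}
# Same mapping as DEPT_A written differently: the digest depends on the table only.
DEPT_A_COPY = {"name": "DEPT-A", "revision": 1,
               "instances": {2: "300-350,351-399", 1: "1-100"}}

if __name__ == "__main__":
    for other in (DEPT_B, DEPT_A_COPY):
        print(other["name"], same_region(DEPT_A, other))
```

On a switch, the same three values appear in `show spanning-tree mst configuration` (the `digest` keyword prints the hash on platforms that support it).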

 
