cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
41857
Views
65
Helpful
25
Replies

Problem in migration from PVST to MSTP

Majed Saeed
Level 1
Level 1

Dears

I'm facing a problem during spanning-tree migration on our network from PVST to MSTP . I get such below error . 

 

%SPANTREE-2-PVSTSIM_FAIL: Blocking root port Fa0/1: Inconsitent inferior PVST 
BPDU received on VLAN 2, claiming root 12290:0022.0dba.9d00
SW2#show spanning-tree
MST0
  Spanning tree enabled protocol mstp
  Root ID    Priority    8193
             Address     0022.0dba.9d00
             Cost        200000
             Port        3 (FastEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    12288  (priority 12288 sys-id-ext 0)
             Address     0022.916d.5380
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1               Root BKN*200000    128.3    P2p Bound(PVST) *PVST_Inc

Thanks in advance .

 

2 Accepted Solutions

Accepted Solutions

Hi,

You are facing a relatively common problem related to so-called PVST+ Simulation. This is a feature on Cisco switches whose purpose is to allow for interoperation of MST and PVST+ regions. However, there are certain requirements for this interoperation to successfully take place. Going into exact details would probably be too extensive at this point; suffice it to say that when interworking PVST+ and MST, only two representants of PVST+ and MST really speak to each other: the PVST+ instance for VLAN1 on the behalf of the entire PVST+ region, and MSTI 0 on the behalf of the entire MST region. These two instances must arrive at a conclusion (determining port roles and states) that will be adopted both by all other MST instances (this is given by MST design) and by all PVST+ instances (this is the purpose of the PVST+ Simulation). This can only be accomplished if one of the following two conditions is met:

  • The root switch for all VLANs in the PVST+ region is located itself in the MST region. This can be accomplished by setting the priority of the root bridge for the MSTI 0 in the MST region to a lower value than the bridge priorities of all switches in the PVST+ region in all VLANs. This is the recommended way of running a mixed MST/PVST+ network. As an example of accomplishing this, perform the following steps:
    • On a PVST+ switch, issue the show spanning-tree root command. In the "Root ID" column, note the lowest shown priority among all VLANs (check the entire output and choose the lowest displayed priority). Afterwards, make sure that the MST root switch for MSTI 0 is configured with a priority lower than the lowest priority displayed in the show command described previously.
  • Root switches for all VLANs in the PVST+ region are located in the PVST+ region. This can be accomplished by setting the priority of the root switch for VLAN1 in the PVST+ region to a lower value than the priority of any MST switch in the MSTI 0 instance, and in addition, setting the priority of root switches for VLANs other than VLAN 1 in the PVST+ region to a value even lower than the priority of the VLAN1 root switch. As an example of accomplishing this, perform the following steps:
    • Whatever priorities you configure on MST switches in MSTI 0, keep them at 24576 or above. In the PVST+ region, configure the root bridge for VLAN 1 with a priority of 8192, and configure root bridges for VLANs 2, 3, ... with a priority of 4096.

The situation you are experiencing currently is that the VLAN1 root switch in the PVST+ region has a lower priority than any of your MST switches in MSTI 0 - according to your output, it is 8192, and thus becomes the root switch for MSTI 0 as well. However, the root switch for VLAN 2 has a priority of 12288, which is not even less than 8192, and this causes the PVST+ Simulation to fail and block the port. Depending on what is your network requirement, you can solve this in two ways: either you configure one of your MST switches in MSTI0 with a priority of 0 or 4096 to become the root of the entire PVST+ region for all VLANs (recommended), or you decrease the priority of root switches in VLANs 2, 3, 4... to 4096 or 0.

Feel welcome to ask further!

Best regards,
Peter

View solution in original post

Hi Brian,

I believe I know what is happening but the explanation is quite involved so please follow me very carefully.

You did not post a topology diagram but from the outputs you have posted, it appears that both GH.TEA.ROOM and GH.BOOM.GATE are directly connected via a Port-channel link to the HP switch that is the root switch for MSTI 0.

There are two very important observations you will need to keep in mind. First, the HP switch does not support the PVST Simulation mechanism. It speaks MST only, reverting to non-VLAN-aware RSTP or STP on boundary ports, and that's it. Even if it receives PVST+ BPDUs, it will not start any specific PVST+ interoperability mechanism, as opposed to Cisco Catalyst switches. An important consequence is that when the HP switch running MST is connected to a Cisco switch running PVST+, the MSTI 0 instance on the HP will communicate with the VLAN 1 PVST+ instance but other PVST+ instances will not see the HP switch at all. This is because the HP switch does not originate PVST+ BPDUs to be able to speak to individual PVST+ instances on the Cisco switch, and instead, on a boundary port, it reverts to sending and receiving plain (R)STP BPDUs which are always processed in VLAN 1 PVST+ instance on a Cisco switch. You can see this very nicely in the show spanning-tree root command on the GH.BOOM.GATE switch - for VLAN 1, the switch recognizes the HP as the root switch. For other VLANs, it considers itself to be the root switch (as there is no root port identified in the output).

Second, to the HP switch, all PVST+ BPDUs are just multicast frames. It does not process them as BPDUs, rather, it only floods them in their respective VLANs. For PVST+ switches interconnected by the HP switch, the HP simply "isn't there". Again, this can be seen nicely on the show spanning-tree root command on the GH.TEA.ROOM switch - notice that this switch recognizes the HP as the root switch in VLAN 1, but in other VLANs, it considers the GH.BOOM.GATE switch to be the root switch, simply ignoring the HP switch that sits between these two Cisco switches.

Now, when you configure the GH.BOOM.GATE to run MST while leaving GH.TEA.ROOM run PVST+, GH.BOOM.GATE will consider its Po1 to be the root port in MSTI 0 because, obviously, it receives superior BPDUs sourced from the HP switch. So, the Po1 is the root port on GH.BOOM.GATE. However, because GH.TEA.ROOM still runs PVST+, its PVST+ BPDUs are simply flooded across the HP switch and arrive at the Po1 port on the GH.BOOM.GATE. So this root port on GH.BOOM.GATE also becomes a boundary port.

For an MST boundary port to be a consistent root port on Cisco switches, the consistency rule states: If an MST boundary port becomes a root port for MSTI 0 (obviously because it receives superior BPDUs, either MST BPDUs or VLAN 1 PVST+ BPDUs), it must guaranteedly be a root port towards all PVST+ instances out there. This is verified by looking at PVST+ BPDUs for VLANs 2 and higher, and making sure they are identical or even superior to the MST/VLAN1 BPDUs that caused the boundary port to become the root port for MSTI 0 in the first place.

However, note that this rule can never be met in your network! Because the HP switch does not perform PVST Simulation to speak to PVST+ switches in individual per-VLAN PVST+ instances, GH.TEA.ROOM can never learn about the HP as the root switch in VLANs 2 and higher. Because GH.BOOM.GATE considers its Po1 port as the root boundary port, it is not going to replicate the MSTI 0 data into per-VLAN PVST+ BPDUs (this would be only done on designated boundary ports, not on root boundary ports), and instead, it is just going to check for all received PVST+ BPDUs to meet the consistency check described earlier. So GH.TEA.ROOM effectively stops hearing any PVST+ BPDUs whatsoever, and will soon start considering itself as the root switch for VLAN 2 and higher and start sending its own PVST+ BPDUs. Obviously, these are inferior to the BPDUs originated by the HP switch that made GH.BOOM.GATE choose its Po1 port as the root port, but GH.TEA.ROOM has no way of knowing that. As a result, GH.BOOM.GATE is truly receiving PVST+ BPDUs that are inferior to the MSTI 0 BPDU received from the HP switch, failing the consistency check and causing the Po1 become blocked.

Interestingly, in your show logging output, the inferior BPDU reported by GH.BOOM.GATE actually advertises GH.BOOM.GATE itself as the root switch in VLAN 4. I tend to believe that this BPDU was probably a Topology Change BPDU during the time when GH.TEA.ROOM still considered GH.BOOM.GATE a root switch for non-VLAN1 PVST+ instances (were you running Rapid PVST+?). In any case, within 20 seconds at most, GH.TEA.ROOM should have proceeded to treat itself as the root switch in non-VLAN1 PVST+ instances and this inferior BPDU should have been reported on GH.BOOM.GATE.

There is no simple solution to this problem. One way of solving this problem would be to set the HP MSTI 0 priority to 4096, and before connecting a switch running PVST+, leave its VLAN 1 priority at 32,768 while setting the priority for all other VLANs to 0. This will make the PVST Simulation on Cisco switches happy while keeping the HP as the root switch for MSTI 0.

Another solution would be to configure the HP switch to entirely block the PVST+ BPDUs. A loop-free topology will still be maintained in the network thanks to the interoperation of VLAN 1 IEEE STP and MSTI 0 while preventing the PVST+ BPDUs to wreak havoc with the PVST Simulation. I do not know, however, if the HP switch is capable of filtering frames based on their destination multicast MAC address. If it is, filtering the frames destined to 01:00:0c:cc:cc:cd would do the trick.

I hope this helps but please feel welcome to ask further!

Best regards,
Peter

View solution in original post

25 Replies 25

Majed Saeed
Level 1
Level 1

Any help would be appreciated ...

Hi,

You are facing a relatively common problem related to so-called PVST+ Simulation. This is a feature on Cisco switches whose purpose is to allow for interoperation of MST and PVST+ regions. However, there are certain requirements for this interoperation to successfully take place. Going into exact details would probably be too extensive at this point; suffice it to say that when interworking PVST+ and MST, only two representants of PVST+ and MST really speak to each other: the PVST+ instance for VLAN1 on the behalf of the entire PVST+ region, and MSTI 0 on the behalf of the entire MST region. These two instances must arrive at a conclusion (determining port roles and states) that will be adopted both by all other MST instances (this is given by MST design) and by all PVST+ instances (this is the purpose of the PVST+ Simulation). This can only be accomplished if one of the following two conditions is met:

  • The root switch for all VLANs in the PVST+ region is located itself in the MST region. This can be accomplished by setting the priority of the root bridge for the MSTI 0 in the MST region to a lower value than the bridge priorities of all switches in the PVST+ region in all VLANs. This is the recommended way of running a mixed MST/PVST+ network. As an example of accomplishing this, perform the following steps:
    • On a PVST+ switch, issue the show spanning-tree root command. In the "Root ID" column, note the lowest shown priority among all VLANs (check the entire output and choose the lowest displayed priority). Afterwards, make sure that the MST root switch for MSTI 0 is configured with a priority lower than the lowest priority displayed in the show command described previously.
  • Root switches for all VLANs in the PVST+ region are located in the PVST+ region. This can be accomplished by setting the priority of the root switch for VLAN1 in the PVST+ region to a lower value than the priority of any MST switch in the MSTI 0 instance, and in addition, setting the priority of root switches for VLANs other than VLAN 1 in the PVST+ region to a value even lower than the priority of the VLAN1 root switch. As an example of accomplishing this, perform the following steps:
    • Whatever priorities you configure on MST switches in MSTI 0, keep them at 24576 or above. In the PVST+ region, configure the root bridge for VLAN 1 with a priority of 8192, and configure root bridges for VLANs 2, 3, ... with a priority of 4096.

The situation you are experiencing currently is that the VLAN1 root switch in the PVST+ region has a lower priority than any of your MST switches in MSTI 0 - according to your output, it is 8192, and thus becomes the root switch for MSTI 0 as well. However, the root switch for VLAN 2 has a priority of 12288, which is not even less than 8192, and this causes the PVST+ Simulation to fail and block the port. Depending on what is your network requirement, you can solve this in two ways: either you configure one of your MST switches in MSTI0 with a priority of 0 or 4096 to become the root of the entire PVST+ region for all VLANs (recommended), or you decrease the priority of root switches in VLANs 2, 3, 4... to 4096 or 0.

Feel welcome to ask further!

Best regards,
Peter

Wonderfull Explanation Peter! I am the true follower of you believe me :-)

 

Majed,

As peter explain we have also documented same on this by one of my collegue which has clear explanation with example how to achieve this. Please find the link below:

http://www.cisco.com/c/en/us/support/docs/lan-switching/multiple-instance-stp-mistp-8021s/116464-configure-pvst-00.html

 

HTH

Regards

Inayath

 

Hi Inayath,

I am the true follower of you believe me :-)

I do not really know what to say. I am honored beyond words. I am very sincere here.

Yes, Aninda Chatterjee authored the TAC document you have referenced. We have in fact been in contact regarding that document. It is a very good explanation indeed.

Best regards,
Peter

Hello

excellent post peter!

enjoyed the read!

 

res

paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

perfect explanation.

 

Regards.

 

Bruno.

Hi Peter, I have a similar but slightly different problem that I would like your thoughts on the matter. 

I am working on a network that is comprised mainly of HP Comware switches running MST instance 0 for all VLANs. 

I have approx 12 Cisco switches also running in MST spanning-tree instance 0 configuration for all VLANs. 

The Root bridge on the Cisco switches are the HP Core L3 switch, which is correct, as this has been configured as the Primary Root for all VLANs (Priority 0)

The problem I face, is that if a new Cisco switch configured with PVST connects to the network all my Cisco switches uplinks to the Core go offline. In the logs I see examples of the following:

SPANTREE-2-PVSTSIM_FAIL: Blocking root port Po1: Inconsistent Inferior PVST BPDU received on VLAN 4, claiming root 32772:mac address

If the MST tree already has a Root for instance 0; why would only the Cisco switches shutdown the interface when receiving an inferior PVST BPDU. Should it not ignore this packet and maintain its current Root?

Hi Brian,

What you say definitely makes sense: Once the MST contains the root bridge for the entire CIST (meaning its MSTI 0 priority is lower than any PVST+ switch' priority in any VLAN) then logically, all received PVST+ BPDUs on boundary port must be inferior. There is not point in blocking the port.

What the message above appears to say is that on Po1,

  • a PVST+ BPDU for VLAN 1 was received that actually advertised a better root bridge for VLAN 1 than the current MSTI 0 root bridge
  • at the same time, another PVST+ BPDU for VLAN 4 was received according that was inferior to the VLAN 1's PVST+ BPDU.

In other words, it would suggest that the attached Cisco switch was configured with a low VLAN 1 priority but left with priorities in all other VLANs intact. Would that actually be the case? Can that be possible?

By the way, to which switch does the MAC address in the SPANTREE-2-PVSTSIM_FAIL message belong? Is it the newly added switch?

Can you perhaps post the output of show spanning-tree root from any currently working Cisco Catalyst switch in your network?

Looking forward to hearing from you?

Best regards,
Peter

Hi Peter, apologies for the delay. Took me a while to get access to this. Here is the requested output.

 

Cisco Sw1

GH.TEA.ROOM#show spanning-tree root

                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001             0 3ce5.a6d7.07c0         3    2   20  15  Po1
VLAN0004         32772 4c00.82c1.6980         3    2   20  15  Po1
VLAN0008         32776 4c00.82c1.6980         3    2   20  15  Po1
VLAN0012         32780 4c00.82c1.6980         3    2   20  15  Po1
VLAN0016         32784 4c00.82c1.6980         3    2   20  15  Po1
VLAN0020         32788 4c00.82c1.6980         3    2   20  15  Po1
VLAN0024         32792 4c00.82c1.6980         3    2   20  15  Po1

Cisco Sw2

GH.BOOM.GATE#show spanning-tree root

                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001             0 3ce5.a6d7.07c0         3    2   20  15  Po1
VLAN0004         32772 4c00.82c1.6980         0    2   20  15
VLAN0008         32776 4c00.82c1.6980         0    2   20  15
VLAN0012         32780 4c00.82c1.6980         0    2   20  15
VLAN0016         32784 4c00.82c1.6980         0    2   20  15
VLAN0020         32788 4c00.82c1.6980         0    2   20  15
VLAN0024         32792 4c00.82c1.6980         0    2   20  15


We change cisco sw2 into mst. This means we have now have 1 Cisco switch in the network in PVST (cisco sw1). The output below shows what happens to Cisco SW2. 

*Mar  1 12:26:11: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar  1 12:26:11: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan24, changed state to down
*Mar  1 12:26:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
*Mar  1 12:26:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan24, changed state to up
*Mar  1 12:26:14: %SPANTREE-2-PVSTSIM_FAIL: Blocking root port Po1: Inconsitent inferior PVST BPDU received on VLAN 4, claiming root 32772:4c00.82c1.6980
*Mar  1 12:26:14: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar  1 12:26:14: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan24, changed state to down$ne protocol on Interface Vlan1, changed state to down
*Mar  1 12:26:11: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed^ state to down

GH.BOOM.GATE#show spanning-tree 

MST0
  Spanning tree enabled protocol mstp
  Root ID    Priority    0
             Address     3ce5.a6d7.07c0
             Cost        10000
             Port        64 (Port-channel1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32768  (priority 32768 sys-id-ext 0)
             Address     4c00.82c1.6980
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1                 Root BKN*10000     128.64   P2p Bound(RSTP) *PVST_Inc 

 

GH.BOOM.GATE#show span root 

                                        Root    Hello Max Fwd
MST Instance           Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
MST0                 0 3ce5.a6d7.07c0     10000    2   20  15  Po1         

Then go an change Cisco sw1 and put it in mst. (so now we dont have any PVST switches in the network) Below is output from Cisco sw2 as soon as SW1 is changed to MST (the same thing happens if SW1 is removed from the network.) 

terminal out of sw2

*Mar  1 12:29:45: %SPANTREE-2-PVSTSIM_OK: PVST Simulation inconsistency cleared on port Port-channel1.
*Mar  1 12:29:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
*Mar  1 12:29:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan24, changed state to up

terminal out for "show stp root"

GH.TEA.ROOM#show spanning-tree root

                                        Root    Hello Max Fwd
MST Instance           Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
MST0                 0 3ce5.a6d7.07c0     10000    2   20  15  Po1
GH.TEA.ROOM#

The mac address 3ce5.a6d7.07c0 is the HP Core which is correct. 
 

Hi Brian,

I believe I know what is happening but the explanation is quite involved so please follow me very carefully.

You did not post a topology diagram but from the outputs you have posted, it appears that both GH.TEA.ROOM and GH.BOOM.GATE are directly connected via a Port-channel link to the HP switch that is the root switch for MSTI 0.

There are two very important observations you will need to keep in mind. First, the HP switch does not support the PVST Simulation mechanism. It speaks MST only, reverting to non-VLAN-aware RSTP or STP on boundary ports, and that's it. Even if it receives PVST+ BPDUs, it will not start any specific PVST+ interoperability mechanism, as opposed to Cisco Catalyst switches. An important consequence is that when the HP switch running MST is connected to a Cisco switch running PVST+, the MSTI 0 instance on the HP will communicate with the VLAN 1 PVST+ instance but other PVST+ instances will not see the HP switch at all. This is because the HP switch does not originate PVST+ BPDUs to be able to speak to individual PVST+ instances on the Cisco switch, and instead, on a boundary port, it reverts to sending and receiving plain (R)STP BPDUs which are always processed in VLAN 1 PVST+ instance on a Cisco switch. You can see this very nicely in the show spanning-tree root command on the GH.BOOM.GATE switch - for VLAN 1, the switch recognizes the HP as the root switch. For other VLANs, it considers itself to be the root switch (as there is no root port identified in the output).

Second, to the HP switch, all PVST+ BPDUs are just multicast frames. It does not process them as BPDUs, rather, it only floods them in their respective VLANs. For PVST+ switches interconnected by the HP switch, the HP simply "isn't there". Again, this can be seen nicely on the show spanning-tree root command on the GH.TEA.ROOM switch - notice that this switch recognizes the HP as the root switch in VLAN 1, but in other VLANs, it considers the GH.BOOM.GATE switch to be the root switch, simply ignoring the HP switch that sits between these two Cisco switches.

Now, when you configure the GH.BOOM.GATE to run MST while leaving GH.TEA.ROOM run PVST+, GH.BOOM.GATE will consider its Po1 to be the root port in MSTI 0 because, obviously, it receives superior BPDUs sourced from the HP switch. So, the Po1 is the root port on GH.BOOM.GATE. However, because GH.TEA.ROOM still runs PVST+, its PVST+ BPDUs are simply flooded across the HP switch and arrive at the Po1 port on the GH.BOOM.GATE. So this root port on GH.BOOM.GATE also becomes a boundary port.

For an MST boundary port to be a consistent root port on Cisco switches, the consistency rule states: If an MST boundary port becomes a root port for MSTI 0 (obviously because it receives superior BPDUs, either MST BPDUs or VLAN 1 PVST+ BPDUs), it must guaranteedly be a root port towards all PVST+ instances out there. This is verified by looking at PVST+ BPDUs for VLANs 2 and higher, and making sure they are identical or even superior to the MST/VLAN1 BPDUs that caused the boundary port to become the root port for MSTI 0 in the first place.

However, note that this rule can never be met in your network! Because the HP switch does not perform PVST Simulation to speak to PVST+ switches in individual per-VLAN PVST+ instances, GH.TEA.ROOM can never learn about the HP as the root switch in VLANs 2 and higher. Because GH.BOOM.GATE considers its Po1 port as the root boundary port, it is not going to replicate the MSTI 0 data into per-VLAN PVST+ BPDUs (this would be only done on designated boundary ports, not on root boundary ports), and instead, it is just going to check for all received PVST+ BPDUs to meet the consistency check described earlier. So GH.TEA.ROOM effectively stops hearing any PVST+ BPDUs whatsoever, and will soon start considering itself as the root switch for VLAN 2 and higher and start sending its own PVST+ BPDUs. Obviously, these are inferior to the BPDUs originated by the HP switch that made GH.BOOM.GATE choose its Po1 port as the root port, but GH.TEA.ROOM has no way of knowing that. As a result, GH.BOOM.GATE is truly receiving PVST+ BPDUs that are inferior to the MSTI 0 BPDU received from the HP switch, failing the consistency check and causing the Po1 become blocked.

Interestingly, in your show logging output, the inferior BPDU reported by GH.BOOM.GATE actually advertises GH.BOOM.GATE itself as the root switch in VLAN 4. I tend to believe that this BPDU was probably a Topology Change BPDU during the time when GH.TEA.ROOM still considered GH.BOOM.GATE a root switch for non-VLAN1 PVST+ instances (were you running Rapid PVST+?). In any case, within 20 seconds at most, GH.TEA.ROOM should have proceeded to treat itself as the root switch in non-VLAN1 PVST+ instances and this inferior BPDU should have been reported on GH.BOOM.GATE.

There is no simple solution to this problem. One way of solving this problem would be to set the HP MSTI 0 priority to 4096, and before connecting a switch running PVST+, leave its VLAN 1 priority at 32,768 while setting the priority for all other VLANs to 0. This will make the PVST Simulation on Cisco switches happy while keeping the HP as the root switch for MSTI 0.

Another solution would be to configure the HP switch to entirely block the PVST+ BPDUs. A loop-free topology will still be maintained in the network thanks to the interoperation of VLAN 1 IEEE STP and MSTI 0 while preventing the PVST+ BPDUs to wreak havoc with the PVST Simulation. I do not know, however, if the HP switch is capable of filtering frames based on their destination multicast MAC address. If it is, filtering the frames destined to 01:00:0c:cc:cc:cd would do the trick.

I hope this helps but please feel welcome to ask further!

Best regards,
Peter

Thanks Peter, your analysis of this problem is spot on. I would like to thank you for looking into this and providing me your thoughts as it has had me baffled for sometime. 

Looking at your proposed suggestions to solve this; I can almost be certain that the HP switches would not be able to filter based on destination MAC; but I will look into it. 

Modifying any future switches that are being connected to this network to ensure this doesn't happen again - although manageable - is not a position I want to leave this network in. Essentially this creates a vulnerability whereby anyone with a default Cisco switch can power it up and connect it to the network and essentially bring down any Cisco MST configured switches. This is something that would keep me awake at night. 

The topology is simple, Hub-and-spoke. Each edge switch (HP or Cisco) are connected to the Core via port-channel. Probably the simplest topology one can think of. I need to look at something that will "permanently" solve this problem, to ensure it cannot happen again.

Is PVSTSIM something that can be turned off? I have looked but cant see anyway to do this - possibly a magical command Cisco TAC could provide me with.

I am even entertaining the idea of turning off STP on the uplink ports on the Cisco switches, just to avoid this from possibly happening. They are Port-Channel interfaces so theoretically the ports on the Core would have to have been provisioned accordingly, thus a loop on these ports should never exist. But the thought of doing this I suspect will also keep me awake all night. 

Do you have any other suggestions that I could look at or entertain that could potentially resolve this thing for the long term. If I could turn off/disable the PVSTSIM that would solve it permanently.  

Again I appreciate your assistance and value your feedback. 

 

Hi Brian,

You are welcome.

Regarding deactivating the PVST Simulation, I am sorry to say that I do not know of any way of truly accomplishing that. On selected platforms, such as Catalyst 6500, it is actually possible to use the no spanning-tree mst simulate pvst global to stop the switch perform the PVST Simulation (sending and processing PVST+ BPDUs on boundary ports receiving PVST+ BPDUs from other switches), but if such a switch still receives PVST+ BPDUs, the port gets blocked automatically without any consistency checks.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/stp_enha.html#wp1054786

The disadvantage is that on common access-level Catalysts (2960, 3560, 3750, ...), this feature is not available. There is no way of deactivating the PVST Simulation on these switches. Even if there was one, however, you have to note that this solution is analogous to the suggestion of cleverly modifying PVST+ STP priorities - you will have to configure at least something on a newly attached switch to be safe and sure that the problems do not happen. This is not really helpful.

What exact type of HP core switch are you using? I can have a look into its documentation to see if there is any tool we could use.

Theoretically, you could configure your existing Catalyst switches running MST to ignore PVST+ BPDUs on the Port-channel ports toward the HP switch using MAC ACLs - although tedious and not exactly by-the-book, it could at least prevent them from blocking their ports if a new, unconfigured Catalyst switch is connected to your network. Please be cautious that blocking STP is always a very dangerous thing to do, and I am suggesting this only because I know that all your current switches are running MST and are thereby prevented against loops regardless of PVST+ being run, and that your network is constructed in a hub-and-spoke fashion.

I am not happy to say this but I have to: The PVST Simulation mechanism is a well-meant mechanism but it ultimately proves to be much more troublesome than helpful.

Best regards,
Peter

Yes, it certainly seems that this "helpful" feature on the Cisco's is causing a serious issue/vulnerability. 

The HP core comprises of 2x HP 7506 switches in an IRF "virtual stack" configuration running Comware OS. 

I am surprised that I have stumbled across this issue. One would think that a simple hub-and-spoke with multi-vendor interop would have been done a million times over and this issue would have raised its head before, and a suitable fix be available. We must be on the bleeding edge here :)

I am thinking it would probably just be simpler to enable MST on all the existing Cisco switches int he network and if any further switches that go into the network also need to be configured with MST. This should avoid any PVST BPDU's being on the network and wreaking havoc. 

Again, although this solves the issue. There still remains a vulnerability that anyone can connect a default Cisco switch which will shutdown the rest of them. 

 

Hi Brian,

One would think that a simple hub-and-spoke with multi-vendor interop would have been done a million times

I would believe it was indeed done a million times - but in all those cases, all switches in a switched network already ran MST so the PVST Simulation was never triggered. Mixing different STP versions in a single network is always discouraged even though at least the vanilla IEEE versions are backward compatible.

I am thinking it would probably just be simpler to enable MST on all the existing Cisco switches int he network and if any further switches that go into the network also need to be configured with MST.

This is the proper way it should be done, and I am 100% in agreement here. All your switches shall be properly configured with MST before being plugged into network.

Allow me to be more philosophical than technical at this point: Notice that you are trying to make your network resilient to errors such as plugging in an unconfigured Cisco switch that causes mayhem with its PVST+. While that is a good intention, and if it was possible I would go for it, there is another point worth noticing: Are you actually allowing devices to be plugged into your network without properly inspecting their configuration beforehand? You see, the PVST+ is by far not the only problem you may be facing if you allow a switch to be connected to your network without having very strict procedures on validating its configuration beforehand. To put it plainly, I would impose some very strict rules on how a new switch should be configured and who is responsible for signing off that configuration before the switch can be plugged into the network. Having a network able to cope graciously with newly attached switches is definitely an advantage but first and foremost, the switches should not be attached to it like that - with no appropriate configuration applied.

Oh, by the way, it seems that your HP 7500 does support filtering the traffic based on MAC addresses! It should be something along:

system-view
acl number 4000
rule deny dest-mac 0100.0ccc.cccd 0000.0000.0000
rule permit

interface ...
packet-filter 4000 inbound

 

I am just blind-shooting this configuration here based on the configuration to your switch series but definitely, it seems that this kind of configuration should actually be supported. Would you mind giving it a try?

Best regards,
Peter

Review Cisco Networking for a $25 gift card