08-22-2014 04:38 PM - edited 03-07-2019 08:30 PM
Dears
I'm facing a problem during spanning-tree migration on our network from PVST to MSTP . I get such below error .
%SPANTREE-2-PVSTSIM_FAIL: Blocking root port Fa0/1: Inconsitent inferior PVST BPDU received on VLAN 2, claiming root 12290:0022.0dba.9d00
SW2#show spanning-tree MST0 Spanning tree enabled protocol mstp Root ID Priority 8193 Address 0022.0dba.9d00 Cost 200000 Port 3 (FastEthernet0/1) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 12288 (priority 12288 sys-id-ext 0) Address 0022.916d.5380 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Interface Role Sts Cost Prio.Nbr Type ------------------- ---- --- --------- -------- -------------------------------- Fa0/1 Root BKN*200000 128.3 P2p Bound(PVST) *PVST_Inc
Thanks in advance .
Solved! Go to Solution.
08-28-2014 03:53 PM
Hi,
You are facing a relatively common problem related to so-called PVST+ Simulation. This is a feature on Cisco switches whose purpose is to allow for interoperation of MST and PVST+ regions. However, there are certain requirements for this interoperation to successfully take place. Going into exact details would probably be too extensive at this point; suffice it to say that when interworking PVST+ and MST, only two representants of PVST+ and MST really speak to each other: the PVST+ instance for VLAN1 on the behalf of the entire PVST+ region, and MSTI 0 on the behalf of the entire MST region. These two instances must arrive at a conclusion (determining port roles and states) that will be adopted both by all other MST instances (this is given by MST design) and by all PVST+ instances (this is the purpose of the PVST+ Simulation). This can only be accomplished if one of the following two conditions is met:
The situation you are experiencing currently is that the VLAN1 root switch in the PVST+ region has a lower priority than any of your MST switches in MSTI 0 - according to your output, it is 8192, and thus becomes the root switch for MSTI 0 as well. However, the root switch for VLAN 2 has a priority of 12288, which is not even less than 8192, and this causes the PVST+ Simulation to fail and block the port. Depending on what is your network requirement, you can solve this in two ways: either you configure one of your MST switches in MSTI0 with a priority of 0 or 4096 to become the root of the entire PVST+ region for all VLANs (recommended), or you decrease the priority of root switches in VLANs 2, 3, 4... to 4096 or 0.
Feel welcome to ask further!
Best regards,
Peter
09-05-2014 05:44 PM
Hi Brian,
I believe I know what is happening but the explanation is quite involved so please follow me very carefully.
You did not post a topology diagram but from the outputs you have posted, it appears that both GH.TEA.ROOM and GH.BOOM.GATE are directly connected via a Port-channel link to the HP switch that is the root switch for MSTI 0.
There are two very important observations you will need to keep in mind. First, the HP switch does not support the PVST Simulation mechanism. It speaks MST only, reverting to non-VLAN-aware RSTP or STP on boundary ports, and that's it. Even if it receives PVST+ BPDUs, it will not start any specific PVST+ interoperability mechanism, as opposed to Cisco Catalyst switches. An important consequence is that when the HP switch running MST is connected to a Cisco switch running PVST+, the MSTI 0 instance on the HP will communicate with the VLAN 1 PVST+ instance but other PVST+ instances will not see the HP switch at all. This is because the HP switch does not originate PVST+ BPDUs to be able to speak to individual PVST+ instances on the Cisco switch, and instead, on a boundary port, it reverts to sending and receiving plain (R)STP BPDUs which are always processed in VLAN 1 PVST+ instance on a Cisco switch. You can see this very nicely in the show spanning-tree root command on the GH.BOOM.GATE switch - for VLAN 1, the switch recognizes the HP as the root switch. For other VLANs, it considers itself to be the root switch (as there is no root port identified in the output).
Second, to the HP switch, all PVST+ BPDUs are just multicast frames. It does not process them as BPDUs, rather, it only floods them in their respective VLANs. For PVST+ switches interconnected by the HP switch, the HP simply "isn't there". Again, this can be seen nicely on the show spanning-tree root command on the GH.TEA.ROOM switch - notice that this switch recognizes the HP as the root switch in VLAN 1, but in other VLANs, it considers the GH.BOOM.GATE switch to be the root switch, simply ignoring the HP switch that sits between these two Cisco switches.
Now, when you configure the GH.BOOM.GATE to run MST while leaving GH.TEA.ROOM run PVST+, GH.BOOM.GATE will consider its Po1 to be the root port in MSTI 0 because, obviously, it receives superior BPDUs sourced from the HP switch. So, the Po1 is the root port on GH.BOOM.GATE. However, because GH.TEA.ROOM still runs PVST+, its PVST+ BPDUs are simply flooded across the HP switch and arrive at the Po1 port on the GH.BOOM.GATE. So this root port on GH.BOOM.GATE also becomes a boundary port.
For an MST boundary port to be a consistent root port on Cisco switches, the consistency rule states: If an MST boundary port becomes a root port for MSTI 0 (obviously because it receives superior BPDUs, either MST BPDUs or VLAN 1 PVST+ BPDUs), it must guaranteedly be a root port towards all PVST+ instances out there. This is verified by looking at PVST+ BPDUs for VLANs 2 and higher, and making sure they are identical or even superior to the MST/VLAN1 BPDUs that caused the boundary port to become the root port for MSTI 0 in the first place.
However, note that this rule can never be met in your network! Because the HP switch does not perform PVST Simulation to speak to PVST+ switches in individual per-VLAN PVST+ instances, GH.TEA.ROOM can never learn about the HP as the root switch in VLANs 2 and higher. Because GH.BOOM.GATE considers its Po1 port as the root boundary port, it is not going to replicate the MSTI 0 data into per-VLAN PVST+ BPDUs (this would be only done on designated boundary ports, not on root boundary ports), and instead, it is just going to check for all received PVST+ BPDUs to meet the consistency check described earlier. So GH.TEA.ROOM effectively stops hearing any PVST+ BPDUs whatsoever, and will soon start considering itself as the root switch for VLAN 2 and higher and start sending its own PVST+ BPDUs. Obviously, these are inferior to the BPDUs originated by the HP switch that made GH.BOOM.GATE choose its Po1 port as the root port, but GH.TEA.ROOM has no way of knowing that. As a result, GH.BOOM.GATE is truly receiving PVST+ BPDUs that are inferior to the MSTI 0 BPDU received from the HP switch, failing the consistency check and causing the Po1 become blocked.
Interestingly, in your show logging output, the inferior BPDU reported by GH.BOOM.GATE actually advertises GH.BOOM.GATE itself as the root switch in VLAN 4. I tend to believe that this BPDU was probably a Topology Change BPDU during the time when GH.TEA.ROOM still considered GH.BOOM.GATE a root switch for non-VLAN1 PVST+ instances (were you running Rapid PVST+?). In any case, within 20 seconds at most, GH.TEA.ROOM should have proceeded to treat itself as the root switch in non-VLAN1 PVST+ instances and this inferior BPDU should have been reported on GH.BOOM.GATE.
There is no simple solution to this problem. One way of solving this problem would be to set the HP MSTI 0 priority to 4096, and before connecting a switch running PVST+, leave its VLAN 1 priority at 32,768 while setting the priority for all other VLANs to 0. This will make the PVST Simulation on Cisco switches happy while keeping the HP as the root switch for MSTI 0.
Another solution would be to configure the HP switch to entirely block the PVST+ BPDUs. A loop-free topology will still be maintained in the network thanks to the interoperation of VLAN 1 IEEE STP and MSTI 0 while preventing the PVST+ BPDUs to wreak havoc with the PVST Simulation. I do not know, however, if the HP switch is capable of filtering frames based on their destination multicast MAC address. If it is, filtering the frames destined to 01:00:0c:cc:cc:cd would do the trick.
I hope this helps but please feel welcome to ask further!
Best regards,
Peter
08-28-2014 02:47 PM
Any help would be appreciated ...
08-28-2014 03:53 PM
Hi,
You are facing a relatively common problem related to so-called PVST+ Simulation. This is a feature on Cisco switches whose purpose is to allow for interoperation of MST and PVST+ regions. However, there are certain requirements for this interoperation to successfully take place. Going into exact details would probably be too extensive at this point; suffice it to say that when interworking PVST+ and MST, only two representants of PVST+ and MST really speak to each other: the PVST+ instance for VLAN1 on the behalf of the entire PVST+ region, and MSTI 0 on the behalf of the entire MST region. These two instances must arrive at a conclusion (determining port roles and states) that will be adopted both by all other MST instances (this is given by MST design) and by all PVST+ instances (this is the purpose of the PVST+ Simulation). This can only be accomplished if one of the following two conditions is met:
The situation you are experiencing currently is that the VLAN1 root switch in the PVST+ region has a lower priority than any of your MST switches in MSTI 0 - according to your output, it is 8192, and thus becomes the root switch for MSTI 0 as well. However, the root switch for VLAN 2 has a priority of 12288, which is not even less than 8192, and this causes the PVST+ Simulation to fail and block the port. Depending on what is your network requirement, you can solve this in two ways: either you configure one of your MST switches in MSTI0 with a priority of 0 or 4096 to become the root of the entire PVST+ region for all VLANs (recommended), or you decrease the priority of root switches in VLANs 2, 3, 4... to 4096 or 0.
Feel welcome to ask further!
Best regards,
Peter
08-28-2014 08:00 PM
Wonderfull Explanation Peter! I am the true follower of you believe me :-)
Majed,
As peter explain we have also documented same on this by one of my collegue which has clear explanation with example how to achieve this. Please find the link below:
http://www.cisco.com/c/en/us/support/docs/lan-switching/multiple-instance-stp-mistp-8021s/116464-configure-pvst-00.html
HTH
Regards
Inayath
08-30-2014 07:11 AM
Hi Inayath,
I am the true follower of you believe me :-)
I do not really know what to say. I am honored beyond words. I am very sincere here.
Yes, Aninda Chatterjee authored the TAC document you have referenced. We have in fact been in contact regarding that document. It is a very good explanation indeed.
Best regards,
Peter
09-26-2014 05:27 PM
Hello
excellent post peter!
enjoyed the read!
res
paul
11-28-2018 08:06 AM
perfect explanation.
Regards.
Bruno.
09-02-2014 05:26 AM
Hi Peter, I have a similar but slightly different problem that I would like your thoughts on the matter.
I am working on a network that is comprised mainly of HP Comware switches running MST instance 0 for all VLANs.
I have approx 12 Cisco switches also running in MST spanning-tree instance 0 configuration for all VLANs.
The Root bridge on the Cisco switches are the HP Core L3 switch, which is correct, as this has been configured as the Primary Root for all VLANs (Priority 0)
The problem I face, is that if a new Cisco switch configured with PVST connects to the network all my Cisco switches uplinks to the Core go offline. In the logs I see examples of the following:
SPANTREE-2-PVSTSIM_FAIL: Blocking root port Po1: Inconsistent Inferior PVST BPDU received on VLAN 4, claiming root 32772:mac address
If the MST tree already has a Root for instance 0; why would only the Cisco switches shutdown the interface when receiving an inferior PVST BPDU. Should it not ignore this packet and maintain its current Root?
09-02-2014 06:40 AM
Hi Brian,
What you say definitely makes sense: Once the MST contains the root bridge for the entire CIST (meaning its MSTI 0 priority is lower than any PVST+ switch' priority in any VLAN) then logically, all received PVST+ BPDUs on boundary port must be inferior. There is not point in blocking the port.
What the message above appears to say is that on Po1,
In other words, it would suggest that the attached Cisco switch was configured with a low VLAN 1 priority but left with priorities in all other VLANs intact. Would that actually be the case? Can that be possible?
By the way, to which switch does the MAC address in the SPANTREE-2-PVSTSIM_FAIL message belong? Is it the newly added switch?
Can you perhaps post the output of show spanning-tree root from any currently working Cisco Catalyst switch in your network?
Looking forward to hearing from you?
Best regards,
Peter
09-04-2014 12:56 AM
Hi Peter, apologies for the delay. Took me a while to get access to this. Here is the requested output.
Cisco Sw1
GH.TEA.ROOM#show spanning-tree root
Root Hello Max Fwd
Vlan Root ID Cost Time Age Dly Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0001 0 3ce5.a6d7.07c0 3 2 20 15 Po1
VLAN0004 32772 4c00.82c1.6980 3 2 20 15 Po1
VLAN0008 32776 4c00.82c1.6980 3 2 20 15 Po1
VLAN0012 32780 4c00.82c1.6980 3 2 20 15 Po1
VLAN0016 32784 4c00.82c1.6980 3 2 20 15 Po1
VLAN0020 32788 4c00.82c1.6980 3 2 20 15 Po1
VLAN0024 32792 4c00.82c1.6980 3 2 20 15 Po1
Cisco Sw2
GH.BOOM.GATE#show spanning-tree root
Root Hello Max Fwd
Vlan Root ID Cost Time Age Dly Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0001 0 3ce5.a6d7.07c0 3 2 20 15 Po1
VLAN0004 32772 4c00.82c1.6980 0 2 20 15
VLAN0008 32776 4c00.82c1.6980 0 2 20 15
VLAN0012 32780 4c00.82c1.6980 0 2 20 15
VLAN0016 32784 4c00.82c1.6980 0 2 20 15
VLAN0020 32788 4c00.82c1.6980 0 2 20 15
VLAN0024 32792 4c00.82c1.6980 0 2 20 15
We change cisco sw2 into mst. This means we have now have 1 Cisco switch in the network in PVST (cisco sw1). The output below shows what happens to Cisco SW2.
*Mar 1 12:26:11: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar 1 12:26:11: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan24, changed state to down
*Mar 1 12:26:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
*Mar 1 12:26:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan24, changed state to up
*Mar 1 12:26:14: %SPANTREE-2-PVSTSIM_FAIL: Blocking root port Po1: Inconsitent inferior PVST BPDU received on VLAN 4, claiming root 32772:4c00.82c1.6980
*Mar 1 12:26:14: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar 1 12:26:14: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan24, changed state to down$ne protocol on Interface Vlan1, changed state to down
*Mar 1 12:26:11: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed^ state to down
GH.BOOM.GATE#show spanning-tree
MST0
Spanning tree enabled protocol mstp
Root ID Priority 0
Address 3ce5.a6d7.07c0
Cost 10000
Port 64 (Port-channel1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32768 (priority 32768 sys-id-ext 0)
Address 4c00.82c1.6980
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1 Root BKN*10000 128.64 P2p Bound(RSTP) *PVST_Inc
GH.BOOM.GATE#show span root
Root Hello Max Fwd
MST Instance Root ID Cost Time Age Dly Root Port
---------------- -------------------- --------- ----- --- --- ------------
MST0 0 3ce5.a6d7.07c0 10000 2 20 15 Po1
Then go an change Cisco sw1 and put it in mst. (so now we dont have any PVST switches in the network) Below is output from Cisco sw2 as soon as SW1 is changed to MST (the same thing happens if SW1 is removed from the network.)
terminal out of sw2
*Mar 1 12:29:45: %SPANTREE-2-PVSTSIM_OK: PVST Simulation inconsistency cleared on port Port-channel1.
*Mar 1 12:29:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
*Mar 1 12:29:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan24, changed state to up
terminal out for "show stp root"
GH.TEA.ROOM#show spanning-tree root
Root Hello Max Fwd
MST Instance Root ID Cost Time Age Dly Root Port
---------------- -------------------- --------- ----- --- --- ------------
MST0 0 3ce5.a6d7.07c0 10000 2 20 15 Po1
GH.TEA.ROOM#
The mac address 3ce5.a6d7.07c0 is the HP Core which is correct.
09-05-2014 05:44 PM
Hi Brian,
I believe I know what is happening but the explanation is quite involved so please follow me very carefully.
You did not post a topology diagram but from the outputs you have posted, it appears that both GH.TEA.ROOM and GH.BOOM.GATE are directly connected via a Port-channel link to the HP switch that is the root switch for MSTI 0.
There are two very important observations you will need to keep in mind. First, the HP switch does not support the PVST Simulation mechanism. It speaks MST only, reverting to non-VLAN-aware RSTP or STP on boundary ports, and that's it. Even if it receives PVST+ BPDUs, it will not start any specific PVST+ interoperability mechanism, as opposed to Cisco Catalyst switches. An important consequence is that when the HP switch running MST is connected to a Cisco switch running PVST+, the MSTI 0 instance on the HP will communicate with the VLAN 1 PVST+ instance but other PVST+ instances will not see the HP switch at all. This is because the HP switch does not originate PVST+ BPDUs to be able to speak to individual PVST+ instances on the Cisco switch, and instead, on a boundary port, it reverts to sending and receiving plain (R)STP BPDUs which are always processed in VLAN 1 PVST+ instance on a Cisco switch. You can see this very nicely in the show spanning-tree root command on the GH.BOOM.GATE switch - for VLAN 1, the switch recognizes the HP as the root switch. For other VLANs, it considers itself to be the root switch (as there is no root port identified in the output).
Second, to the HP switch, all PVST+ BPDUs are just multicast frames. It does not process them as BPDUs, rather, it only floods them in their respective VLANs. For PVST+ switches interconnected by the HP switch, the HP simply "isn't there". Again, this can be seen nicely on the show spanning-tree root command on the GH.TEA.ROOM switch - notice that this switch recognizes the HP as the root switch in VLAN 1, but in other VLANs, it considers the GH.BOOM.GATE switch to be the root switch, simply ignoring the HP switch that sits between these two Cisco switches.
Now, when you configure the GH.BOOM.GATE to run MST while leaving GH.TEA.ROOM run PVST+, GH.BOOM.GATE will consider its Po1 to be the root port in MSTI 0 because, obviously, it receives superior BPDUs sourced from the HP switch. So, the Po1 is the root port on GH.BOOM.GATE. However, because GH.TEA.ROOM still runs PVST+, its PVST+ BPDUs are simply flooded across the HP switch and arrive at the Po1 port on the GH.BOOM.GATE. So this root port on GH.BOOM.GATE also becomes a boundary port.
For an MST boundary port to be a consistent root port on Cisco switches, the consistency rule states: If an MST boundary port becomes a root port for MSTI 0 (obviously because it receives superior BPDUs, either MST BPDUs or VLAN 1 PVST+ BPDUs), it must guaranteedly be a root port towards all PVST+ instances out there. This is verified by looking at PVST+ BPDUs for VLANs 2 and higher, and making sure they are identical or even superior to the MST/VLAN1 BPDUs that caused the boundary port to become the root port for MSTI 0 in the first place.
However, note that this rule can never be met in your network! Because the HP switch does not perform PVST Simulation to speak to PVST+ switches in individual per-VLAN PVST+ instances, GH.TEA.ROOM can never learn about the HP as the root switch in VLANs 2 and higher. Because GH.BOOM.GATE considers its Po1 port as the root boundary port, it is not going to replicate the MSTI 0 data into per-VLAN PVST+ BPDUs (this would be only done on designated boundary ports, not on root boundary ports), and instead, it is just going to check for all received PVST+ BPDUs to meet the consistency check described earlier. So GH.TEA.ROOM effectively stops hearing any PVST+ BPDUs whatsoever, and will soon start considering itself as the root switch for VLAN 2 and higher and start sending its own PVST+ BPDUs. Obviously, these are inferior to the BPDUs originated by the HP switch that made GH.BOOM.GATE choose its Po1 port as the root port, but GH.TEA.ROOM has no way of knowing that. As a result, GH.BOOM.GATE is truly receiving PVST+ BPDUs that are inferior to the MSTI 0 BPDU received from the HP switch, failing the consistency check and causing the Po1 become blocked.
Interestingly, in your show logging output, the inferior BPDU reported by GH.BOOM.GATE actually advertises GH.BOOM.GATE itself as the root switch in VLAN 4. I tend to believe that this BPDU was probably a Topology Change BPDU during the time when GH.TEA.ROOM still considered GH.BOOM.GATE a root switch for non-VLAN1 PVST+ instances (were you running Rapid PVST+?). In any case, within 20 seconds at most, GH.TEA.ROOM should have proceeded to treat itself as the root switch in non-VLAN1 PVST+ instances and this inferior BPDU should have been reported on GH.BOOM.GATE.
There is no simple solution to this problem. One way of solving this problem would be to set the HP MSTI 0 priority to 4096, and before connecting a switch running PVST+, leave its VLAN 1 priority at 32,768 while setting the priority for all other VLANs to 0. This will make the PVST Simulation on Cisco switches happy while keeping the HP as the root switch for MSTI 0.
Another solution would be to configure the HP switch to entirely block the PVST+ BPDUs. A loop-free topology will still be maintained in the network thanks to the interoperation of VLAN 1 IEEE STP and MSTI 0 while preventing the PVST+ BPDUs to wreak havoc with the PVST Simulation. I do not know, however, if the HP switch is capable of filtering frames based on their destination multicast MAC address. If it is, filtering the frames destined to 01:00:0c:cc:cc:cd would do the trick.
I hope this helps but please feel welcome to ask further!
Best regards,
Peter
09-07-2014 02:03 AM
Thanks Peter, your analysis of this problem is spot on. I would like to thank you for looking into this and providing me your thoughts as it has had me baffled for sometime.
Looking at your proposed suggestions to solve this; I can almost be certain that the HP switches would not be able to filter based on destination MAC; but I will look into it.
Modifying any future switches that are being connected to this network to ensure this doesn't happen again - although manageable - is not a position I want to leave this network in. Essentially this creates a vulnerability whereby anyone with a default Cisco switch can power it up and connect it to the network and essentially bring down any Cisco MST configured switches. This is something that would keep me awake at night.
The topology is simple, Hub-and-spoke. Each edge switch (HP or Cisco) are connected to the Core via port-channel. Probably the simplest topology one can think of. I need to look at something that will "permanently" solve this problem, to ensure it cannot happen again.
Is PVSTSIM something that can be turned off? I have looked but cant see anyway to do this - possibly a magical command Cisco TAC could provide me with.
I am even entertaining the idea of turning off STP on the uplink ports on the Cisco switches, just to avoid this from possibly happening. They are Port-Channel interfaces so theoretically the ports on the Core would have to have been provisioned accordingly, thus a loop on these ports should never exist. But the thought of doing this I suspect will also keep me awake all night.
Do you have any other suggestions that I could look at or entertain that could potentially resolve this thing for the long term. If I could turn off/disable the PVSTSIM that would solve it permanently.
Again I appreciate your assistance and value your feedback.
09-07-2014 10:57 AM
Hi Brian,
You are welcome.
Regarding deactivating the PVST Simulation, I am sorry to say that I do not know of any way of truly accomplishing that. On selected platforms, such as Catalyst 6500, it is actually possible to use the no spanning-tree mst simulate pvst global to stop the switch perform the PVST Simulation (sending and processing PVST+ BPDUs on boundary ports receiving PVST+ BPDUs from other switches), but if such a switch still receives PVST+ BPDUs, the port gets blocked automatically without any consistency checks.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/stp_enha.html#wp1054786
The disadvantage is that on common access-level Catalysts (2960, 3560, 3750, ...), this feature is not available. There is no way of deactivating the PVST Simulation on these switches. Even if there was one, however, you have to note that this solution is analogous to the suggestion of cleverly modifying PVST+ STP priorities - you will have to configure at least something on a newly attached switch to be safe and sure that the problems do not happen. This is not really helpful.
What exact type of HP core switch are you using? I can have a look into its documentation to see if there is any tool we could use.
Theoretically, you could configure your existing Catalyst switches running MST to ignore PVST+ BPDUs on the Port-channel ports toward the HP switch using MAC ACLs - although tedious and not exactly by-the-book, it could at least prevent them from blocking their ports if a new, unconfigured Catalyst switch is connected to your network. Please be cautious that blocking STP is always a very dangerous thing to do, and I am suggesting this only because I know that all your current switches are running MST and are thereby prevented against loops regardless of PVST+ being run, and that your network is constructed in a hub-and-spoke fashion.
I am not happy to say this but I have to: The PVST Simulation mechanism is a well-meant mechanism but it ultimately proves to be much more troublesome than helpful.
Best regards,
Peter
09-07-2014 04:20 PM
Yes, it certainly seems that this "helpful" feature on the Cisco's is causing a serious issue/vulnerability.
The HP core comprises of 2x HP 7506 switches in an IRF "virtual stack" configuration running Comware OS.
I am surprised that I have stumbled across this issue. One would think that a simple hub-and-spoke with multi-vendor interop would have been done a million times over and this issue would have raised its head before, and a suitable fix be available. We must be on the bleeding edge here :)
I am thinking it would probably just be simpler to enable MST on all the existing Cisco switches int he network and if any further switches that go into the network also need to be configured with MST. This should avoid any PVST BPDU's being on the network and wreaking havoc.
Again, although this solves the issue. There still remains a vulnerability that anyone can connect a default Cisco switch which will shutdown the rest of them.
09-08-2014 07:37 AM
Hi Brian,
One would think that a simple hub-and-spoke with multi-vendor interop would have been done a million times
I would believe it was indeed done a million times - but in all those cases, all switches in a switched network already ran MST so the PVST Simulation was never triggered. Mixing different STP versions in a single network is always discouraged even though at least the vanilla IEEE versions are backward compatible.
I am thinking it would probably just be simpler to enable MST on all the existing Cisco switches int he network and if any further switches that go into the network also need to be configured with MST.
This is the proper way it should be done, and I am 100% in agreement here. All your switches shall be properly configured with MST before being plugged into network.
Allow me to be more philosophical than technical at this point: Notice that you are trying to make your network resilient to errors such as plugging in an unconfigured Cisco switch that causes mayhem with its PVST+. While that is a good intention, and if it was possible I would go for it, there is another point worth noticing: Are you actually allowing devices to be plugged into your network without properly inspecting their configuration beforehand? You see, the PVST+ is by far not the only problem you may be facing if you allow a switch to be connected to your network without having very strict procedures on validating its configuration beforehand. To put it plainly, I would impose some very strict rules on how a new switch should be configured and who is responsible for signing off that configuration before the switch can be plugged into the network. Having a network able to cope graciously with newly attached switches is definitely an advantage but first and foremost, the switches should not be attached to it like that - with no appropriate configuration applied.
Oh, by the way, it seems that your HP 7500 does support filtering the traffic based on MAC addresses! It should be something along:
I am just blind-shooting this configuration here based on the configuration to your switch series but definitely, it seems that this kind of configuration should actually be supported. Would you mind giving it a try?
Best regards,
Peter
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide