Spanning Tree MST situation

kralopafo
Level 1

Hello,

I need your help. I have run into a problem I can't get over.
I have got two separate companies under one roof which are using separate L3 subnets, but the same VoIP MPLS vlan-subnet,
which is just switched over each company's distribution switch directly to the IP-Phone interfaces. (attached MAP)
So each company has got its own distribution switch, which connects them to the up-link firewall.
Company 1 distribution switch: BB_INZING_01[PO1] <-> [Aggregate interface1]Firewall
Company 2 distribution switch: BB-PWRDS-01[PO1] <-> [Aggregate interface2]Firewall
They are not interconnected; the up-link Port-Channel on each distribution switch leads to the firewall, where all L3 gateways are situated, and from this point everything is routed via the default route to the internet.
And it's working well, as expected: each distribution switch has got its own MSTP region, completely separated, and they do not see each other.
Here is the MST config from both distribution switches:

----------------------------------------BB-PWRDS-01-----------------------------------------------
BB-PWRDS-01#show running-config | b spann
spanning-tree mode mst
spanning-tree priority 4096
spanning-tree mst configuration
instance 1 vlan 1-4094
name PPA_PWRDS
revision 1
exit
spanning-tree mst 1 priority 8192

BB-PWRDS-01#show spanning-tree mst-configuration
Current MST configuration
Name: PPA_PWRDS
Revision: 1
Digest: 0xE13A80F11ED0856ACD4EE3476941C73B

Instance Vlans Mapped State
-------- --------------------------------------- --------
0 enabled
1 1-4094 enabled
2 disabled
3 disabled
4 disabled
5 disabled
6 disabled
7 disabled
BB-PWRDS-01#


----------------------------------------BB_INZING_01-------------------------------------------------

BB_INZING_01#show running-config | b span
spanning-tree mode mst
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree mst configuration
name PPA_INZING
instance 1 vlan 1-4094
spanning-tree mst 0 priority 4096
spanning-tree mst 1 priority 8192
!


BB_INZING_01#show spanning-tree mst configuration
Name [PPA_INZING]
Revision 0 Instances configured 2
Instance Vlans mapped
-------- -----------------------------------------------
0 none
1 1-4094
----------------------------------------------------------
BB_INZING_01#

BB_INZING_01#show spanning-tree mst configuration digest
Name [PPA_INZING]
Revision 0 Instances configured 2
Digest 0xE13A80F11ED0856ACD4EE3476941C73B
Pre-std Digest 0x0B6DDEB17A89E5F1122D3BC0AB75384A
BB_INZING_01#
---------------------------------------------------------------

I have got the VoIP MPLS VLAN configured on the ISP router (Cisco 890).
The problem happens when I connect the same VoIP MPLS VLAN to both of those distribution switches.
They see each other via the VoIP-MPLS up-link interfaces (via this ISP Cisco 890 router) and one distribution switch (BB_INZING_01) is basically elected as CST Root.
And the other distribution switch (BB-PWRDS-01) is IST Master, and on the IST master I'm receiving BPDUs from the CST Root via the VoIP-MPLS port/VLAN.

I want to separate those two MSTP regions so I would not receive BPDUs from the other company's switch, and I'm curious whether it is a good solution to turn off spanning tree on interface Gi0/27 (in the map).
Or what is the best solution for this scenario, please?

Also, I'm not sure whether both of my MST regions have got the same Digest even though they have got a different name and revision number; only the VLAN-to-instance mapping is the same.

Thank you very much for all of your advice.

----------------------------------------BB-PWRDS-01-----------------------------------------------

BB-PWRDS-01#show spanning-tree
###### MST 0 Vlans Mapped:
CST Root ID Priority: 4096
Address: 00:1a:6d:da:4f:80
Path Cost: 20004
Root Port: gi27
Hello Time: 2 sec Max Age: 20 sec Forward Delay: 15 sec
Bridge ID Priority: 4096
Address: 90:e9:5e:ec:cb:02
This switch is the IST master
Hello Time: 2 sec Max Age: 20 sec Forward Delay: 15 sec
Max hops: 20

###### MST 1 Vlans Mapped: 1-2,4,10,20,30,40,50,60,500,777

Root ID Priority: 8192
Address: 90:e9:5e:ec:cb:02
This switch is the regional Root


----------------------------------------BB_INZING_01-------------------------------------------------

BB_INZING_01#show spanning-tree

MST0
Spanning tree enabled protocol mstp
Root ID Priority 4096
Address 001a.6dda.4f80
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 4096 (priority 4096 sys-id-ext 0)
Address 001a.6dda.4f80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

MST1
Spanning tree enabled protocol mstp
Root ID Priority 8193
Address 001a.6dda.4f80
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 8193 (priority 8192 sys-id-ext 1)
Address 001a.6dda.4f80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
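
On the digest question in the post above, as an added example that is not part of the original thread: IEEE 802.1Q defines the MST configuration digest as HMAC-MD5, with a fixed published key, over the VLAN-to-instance table only, so two regions with different names and revisions but the same mapping show the same digest. The Python sketch below recomputes the digest from the `instance 1 vlan 1-4094` mapping; the function and variable names are made up for this example.

```python
import hashlib
import hmac

# Configuration Digest Signature Key fixed by IEEE 802.1Q; identical on every bridge.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mst_digest(instance_vlans):
    """Return the MST configuration digest for a VLAN-to-instance mapping.

    instance_vlans: {mstid: [(first_vid, last_vid), ...]}; unmapped VIDs stay in the CIST (0).
    """
    # Table of 4096 two-octet entries; entry n holds the MSTID for VID n.
    # Entries 0 and 4095 are always zero because those VIDs are reserved.
    table = [0] * 4096
    for mstid, ranges in instance_vlans.items():
        for first, last in ranges:
            if not 1 <= first <= last <= 4094:
                raise ValueError(f"bad VLAN range {first}-{last}")
            for vid in range(first, last + 1):
                table[vid] = mstid
    blob = b"".join(m.to_bytes(2, "big") for m in table)
    return hmac.new(MST_DIGEST_KEY, blob, hashlib.md5).hexdigest().upper()


def same_region(a, b):
    """Bridges are in one MST region only if name, revision AND digest all match."""
    keys = ("name", "revision", "digest")
    return all(a[k] == b[k] for k in keys)


# Region identifiers as shown in the two switch outputs in the post.
MAPPING = {1: [(1, 4094)]}
PWRDS = {"name": "PPA_PWRDS", "revision": 1, "digest": mst_digest(MAPPING)}
INZING = {"name": "PPA_INZING", "revision": 0, "digest": mst_digest(MAPPING)}

if __name__ == "__main__":
    print("PWRDS digest :", PWRDS["digest"])
    print("INZING digest:", INZING["digest"])
    print("same region  :", same_region(PWRDS, INZING))
```

The name and revision never enter the hash, so an equal digest alone does not merge the two regions; the name and revision mismatch still keeps them apart.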

2 Replies

For the best solution, I don't know exactly.

But for separation you can use:

BPDU filter on both sites; this prevents the interface from sending BPDUs.

BPDU guard on both sites; this protects your network if the other site sends BPDUs.

But why is this not the best solution? This isolates the two sites, but if there is more than one link then for sure you will get an L2 loop.

kralopafo
Level 1

What do you think about another possibility: that I would reconfigure both sites for Rapid PVST?

I guess every VLAN would have its own STP tree, so for most of the VLANs the elected root bridge would be the site's distribution switch.

And only for the VoIP-MPLS VLAN would the root switch be the one which is currently CST Root?

Do you have any experience doing such a reconfiguration? Is it safe to do it remotely?
What should I be especially careful about?