Joining MST and PVST Domains

Multiple Spanning Tree Protocol (MST) allows network operators to map one or more VLANs to a Spanning Tree Protocol instance. For example, VLANs 1,2,3,4, and 5 can be mapped to STP instance 1 while VLANs 6,7,8,9 and 10 are mapped to STP instance 2. Consolidating multiple VLANs into a single STP instance requires less overhead and can be less of an administrative burden. As the name implies, Per VLAN Spanning Tree (PVST) runs a unique instance of STP for each VLAN. What happens and how does it work when a group of MST switches are connected to a group of PVST switches? This article hopes to explain this somewhat complex problem.

Demo Network

As is tradition on routingloop.net, I have a lab topology to go along with the article topic, this time utilizing CML. As stated, the 3 switches on the left are running PVST+ and the 4 switches on the right are running MST. 4 VLANs are defined and trunked between all switches.

MST Overview

As mentioned previously, MST allows mapping multiple VLANs to a single STP instance. By default, all VLANs are mapped to instance 0. Instance 0 is referred to as the Internal Spanning Tree (IST). In the output below, we can see that VLANs 43 and 55 are mapped to instance 1 and VLANs 87 and 99 are mapped to instance 2.

SW2#show spanning-tree mst configuration 
Name      [CCIE]
Revision  500   Instances configured 3

Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-42,44-54,56-86,88-98,100-4094
1         43,55
2         87,99

The output below allows us to see various information about STP instance 1. This is like “show spanning-tree vlan x” output, except that this is for an STP instance that may be working for multiple VLANS. MST uses long path cost by default.

SW2#show spanning-tree mst 1

##### MST1    vlans mapped:   43,55
Bridge        address 5254.000b.7db2  priority      32769 (32768 sysid 1)
Root          address 5254.000e.5ef6  priority      8193  (8192 sysid 1)
              port    Gi0/1           cost          20000     rem hops 19

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/0            Desg FWD 20000     128.1    P2p 
Gi0/1            Root FWD 20000     128.2    P2p 
Gi0/2            Desg FWD 20000     128.3    P2p

The PVST Domain

The 3 PVST switches are operating with default configurations other than having trunks and VLANs created. SW7 is using G0/0 as its root port for all trunked VLANs. At this stage, the root bridge is somewhere in the MST domain. Each VLAN gets its own STP instance.

SW7#show spanning-tree root

                                                   Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         32769 5254.001a.ef9d         0    2   20  15                  
VLAN0043          8192 5254.000b.7db2         8    2   20  15  Gi0/0           
VLAN0055          8192 5254.000b.7db2         8    2   20  15  Gi0/0           
VLAN0087          8192 5254.000b.7db2         8    2   20  15  Gi0/0           
VLAN0099          8192 5254.000b.7db2         8    2   20  15  Gi0/0  

The MST to PVST Boundary

Like always, when an STP bridge boots up and initializes spanning-tree, it assumes itself to be the root bridge and sends BPDUs out of all ports. A differentiator with the MST to PVST boundary is that when an MST switch hears a PVST BPDU come in, it takes notice and will no longer send MST BPDUs out of the port. Instead, the MST bridge will send instance 0 sourced (the Internal Spanning Tree) BPDUs out of the port toward the PVST domain. The MST is running what is called PVST Simulation on its port(s) connected to PVST switches. The IST sourced BPDUs being sent by PVST simulation ports are formatted like a standard PVST BPDU. They do not carry the MST extension data. The “Bound(PVST)” output below confirms that this is a boundary port.

SW1#show spanning-tree interface gigabitEthernet 0/2

Mst Instance        Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
MST0                Desg FWD 20000     128.3    P2p Bound(PVST) 
MST1                Desg FWD 20000     128.3    P2p Bound(PVST) 
MST2                Desg FWD 20000     128.3    P2p Bound(PVST) 

The snippet below is a BPDU being transmitted by SW1 to SW5. Notice that the priority is 32768 with an extended system ID of 0. This is an IST sourced BPDU. The PVST domain will have to use this single BPDU for all VLANs being trunked to the MST region.

By only sending IST BPDUs to the PVST domain, details about the MST domain are being abstracted. This essentially makes the MST region look like 1 big switch from the perspective of PVST. PVST will still send BPDUs for each VLAN toward the MST bridges. Take a moment to consider the root bridge placement implications this presents. If PVST is only receiving BPDU information for the MST IST, all root bridges either must be in the MST domain, or in the PVST domain.

The simplest solution to this problem is to manually configure the IST on an MST bridge to always win the root bridge election and leave the bridge priorities on the PVST bridges at their default setting. This ensures that PVST will see the MST “big switch” as the root bridge. In the example below, I set SW2 to be the root for the IST. Notice in the PCAP snippet that the root bridge priority being advertised to the PVST domain is now 8192.

SW2#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
SW2(config)#spanning-tree mst 0 priority 8192
SW2(config)#^Z
SW2#show spanning-tree mst 0
*Feb 16 20:44:07.076: %SYS-5-CONFIG_I: Configured from console by console

##### MST0    vlans mapped:   1-42,44-54,56-86,88-98,100-4094
Bridge        address 5254.000b.7db2  priority      8192  (8192 sysid 0)
Root          this switch for the CIST
Operational   hello time 2 , forward delay 15, max age 20, txholdcount 6 
Configured    hello time 2 , forward delay 15, max age 20, max hops    20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/0            Desg FWD 20000     128.1    P2p 
Gi0/1            Desg FWD 20000     128.2    P2p 
Gi0/2            Desg FWD 20000     128.3    P2p 
Gi0/3            Desg FWD 20000     128.4    P2p

This change is reflected in the PVST domain, confirmed below on SW7. Notice the root cost for all trunked VLANs (all expect VLAN 1). The root cost is 8 despite the shortest path from SW7 to SW2 being 3 Gigabit Ethernet links. This is part of the abstraction that makes the MST region appear as a single switch. The PVST domain only has enough information to calculate the root path cost to the MST boundary.

SW7#show spanning-tree root

                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         32769 5254.001a.ef9d         0    2   20  15                  
VLAN0043          8192 5254.000b.7db2         8    2   20  15  Gi0/0           
VLAN0055          8192 5254.000b.7db2         8    2   20  15  Gi0/0           
VLAN0087          8192 5254.000b.7db2         8    2   20  15  Gi0/0           
VLAN0099          8192 5254.000b.7db2         8    2   20  15  Gi0/0        

Placing the Root Bridges in the PVST Domain

If the root bridges need to be in the PVST domain, there are extra complexities. To make this work, the PVST region must send VLAN 1 BPDUs that are superior to the IST BPDUs AND all non VLAN 1 BPDUs being sent to the MST must be superior to the VLAN 1 BPDUs. Clear as mud?

I’ll start by allowing VLAN 1 on all PVST domain trunk interfaces.

SW5(config)#interface range g0/0-2 
SW5(config-if-range)#switchport trunk allowed vlan add 1
SW5(config-if-range)#^Z

Now that VLAN 1 BPDUs will propagate though the PVST and to the MST, I configured SW6 with VLAN 1 priority 0.

SW6(config)#spanning-tree vlan 1 priority 0
SW6(config)#end

This means that the MST region is receiving superior BPDUs for a single VLAN from the PVST region. The MST BPDUs are still superior for all other VLANs. This brings the potential for loops or traffic blackholing. SW3 quickly places its boundary port into a broken state for PVST inconsistency.

SW3#show spanning-tree interface gigabitEthernet 0/3

Mst Instance        Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
MST0                Root BKN*20000     128.4    P2p Bound(PVST) *PVST_Inc 
MST1                Mstr BKN*20000     128.4    P2p Bound(PVST) *PVST_Inc 
MST2                Mstr BKN*20000     128.4    P2p Bound(PVST) *PVST_Inc

I reverted the change on SW6 and the PVST simulation inconsistency state automatically cleared on SW3.

SW6(config)#no spanning-tree vlan 1 priority 0
SW6(config)#end

SW3#
*Feb 16 21:10:26.160: %SPANTREE-2-PVSTSIM_OK: PVST Simulation inconsistency cleared on port GigabitEthernet0/3.

How can we make this work? Recall that the current IST root bridge has priority 8192. If we configure PVST VLAN 1 with priority 4096 and all other PVST VLANs with priority 0, this should allow the root bridges for all VLANs to exist in PVST without PVST simulation issues. This should satisfy the requirement of having PVST VLAN 1 be superior to the IST while allowing our other VLANs to be superior to VLAN 1 and IST 0 BPDUs. This confusing requirement is to ensure that PVST and MST align in their forwarding and blocking decisions.

Changes applied on SW7 to move the root bridges to the PVST:

SW7(config)#spanning-tree vlan 2-4094 priority 0
SW7(config)#spanning-tree vlan 1 priority 4096

After making the SW7 priority changes, SW1 G0/2 became its root port for the IST.

SW1#show spanning-tree mst 0 interface gigabitEthernet 0/2

GigabitEthernet0/2 of MST0 is root forwarding 
Portfast : no             (default)        port guard : none        (default)
Link type: point-to-point (auto)           bpdu filter: disable     (default)
Boundary : boundary       (PVST)           bpdu guard : disable     (default)
PVST Sim : enable         (default)       
Bpdus sent 27011, received 2774

Instance Role Sts Cost      Prio.Nbr Vlans mapped
-------- ---- --- --------- -------- -------------------------------
0        Root FWD 20000     128.3    1-42,44-54,56-86,88-98,100-4094 

Because a loop would form otherwise, SW3 G0/3 toward the PVST region becomes an alternate (blocking) port.

SW3#show spanning-tree mst 0 interface g0/3

GigabitEthernet0/3 of MST0 is alternate blocking 
Portfast : no             (default)        port guard : none        (default)
Link type: point-to-point (auto)           bpdu filter: disable     (default)
Boundary : boundary       (PVST)           bpdu guard : disable     (default)
PVST Sim : enable         (default)       
Bpdus sent 26833, received 2506

Instance Role Sts Cost      Prio.Nbr Vlans mapped
-------- ---- --- --------- -------- -------------------------------
0        Altn BLK 20000     128.4    1-42,44-54,56-86,88-98,100-4094

SW7 is the root bridge for all VLANs. Notice the root path cost of 0. I added 4094 while writing but it caused no changes in the STP topology.

SW7#show spanning-tree root

                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001          4097 5254.001a.ef9d         0    2   20  15                  
VLAN0043            43 5254.001a.ef9d         0    2   20  15                  
VLAN0055            55 5254.001a.ef9d         0    2   20  15                  
VLAN0087            87 5254.001a.ef9d         0    2   20  15                  
VLAN0099            99 5254.001a.ef9d         0    2   20  15                  
VLAN4094          4094 5254.001a.ef9d         0    2   20  15