PAN-OS 7.1 Per VLAN Spanning-Tree (PVST+) BPDU rewrite

PAN-OS 7.1 Per VLAN Spanning-Tree (PVST+) BPDU rewrite

26319
Created On 09/25/18 17:15 PM - Last Modified 06/13/23 13:51 PM


Resolution


Prior to PAN-OS 7.1, deploying the firewall in Layer2 VLAN Bridge mode sometimes ran into spanning tree issues with PerVLAN Spanning Tree (PVST+) enabled on the surrounding L2 switches. Because the firewall didn't support VLAN rewrite for PVST+ BPDUs and flooded these between the VLANs, the receiving switch would detect a "PVID-inconsistent" error and break spanning tree loop detection.

 

With PAN-OS 7.1 and later, Per VLAN Spanning-Tree (PVST+)  BPDU rewrite is added; this feature will allow the firewall to rewrite the PVST+ BPDU's VLAN ID (PVID) when it's forwarded between the firewall's L2 bridged VLANs.

 

 

PVST+ Packet Flow

 

  1. When a PVST+ packet received on an interface, PAN-OS parses the packets, retrieves its 8021q tag (if any) and PVID.
  2. PVID should be within ‘1 – 4094,’ otherwise, it is dropped.
  3. If 802.1q tag exists, but does not match PVID, the packet is dropped and counter “pvid_inconsistent” is incremented.
  4. If 802.1q tag does not exist, PVID must match system native VLAN ID, otherwise, it is dropped and counter “pvid_inconsistent” is incremented.
  5. Using 802.1q and port to do interface lookup, if a logic interface is not found, the packet is dropped (current behavior).
  6. PAN-OS starts to flood PVST+ packets to all egress interfaces (except the ingress interface) inside the VLAN (current behavior).
  7. For each egress logic interface, if it is an untagged interface, replace PVID with the system's native VLAN ID, remove 802.1q tag if it exists. If it is a tagged sub-interface, replace PVID and replace/insert 802.1q tag with the tag defined in the sub-interface.

 

The feature can be controlled only through the CLI:

 

Enable or disable the feature

> set session rewrite-pvst-pvid yes|no

Set the systemwide PVST native VLAN ID

> set session pvst-native-vlan-id <vlan-id>

Enable or disable discarding of all STP BPDU packets

> set session drop-stp-packet yes|no

These settings will persist after reboot

 

The default settings:

  • pvst+ tag rewrite:         enabled
  • pvst+ native vlan id:     1
  • drop stp:                       disabled
> show vlan all 

pvst+ tag rewrite:                    enabled
pvst+ native vlan id:                 1
drop stp:                             disabled

 

Considerations:

  • This feature is supported only on L2 interfaces
  • Regular Ethernet interfaces and aggregate Ethernet interfaces are supported
  • This feature only handles PVST+ BPDU packets. The processing of all other L2 non PVST+ BPDUs remains unchanged.
  • All switches and Palo Alto Networks in a same L2 deployment should have same native vlan.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClE1CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language