Prior to PAN-OS 7.1, deploying the firewall in Layer 2 VLAN bridge mode sometimes ran into spanning tree issues when Per-VLAN Spanning Tree (PVST+) was enabled on the surrounding L2 switches. Because the firewall did not support VLAN rewrite for PVST+ BPDUs and flooded them unchanged between the bridged VLANs, the receiving switch detected a "PVID-inconsistent" error and spanning tree loop detection broke.
PAN-OS 7.1 and later add Per-VLAN Spanning Tree (PVST+) BPDU rewrite: the firewall rewrites the VLAN ID (PVID) carried in a PVST+ BPDU when the BPDU is forwarded between the firewall's L2 bridged VLANs.
PVST+ Packet Flow
- When a PVST+ packet is received on an interface, PAN-OS parses the packet and retrieves its 802.1q tag (if any) and PVID.
- The PVID must be within 1 – 4094; otherwise the packet is dropped.
- If an 802.1q tag exists but does not match the PVID, the packet is dropped and the counter "pvid_inconsistent" is incremented.
- If no 802.1q tag exists, the PVID must match the system native VLAN ID; otherwise the packet is dropped and the counter "pvid_inconsistent" is incremented.
- The 802.1q tag and the ingress port are used for the interface lookup; if no logical interface is found, the packet is dropped (current behavior).
- PAN-OS floods the PVST+ packet to all egress interfaces inside the VLAN except the ingress interface (current behavior).
- For each egress logical interface: if it is an untagged interface, the PVID is replaced with the system native VLAN ID and the 802.1q tag is removed if present. If it is a tagged sub-interface, the PVID is replaced and the 802.1q tag is replaced or inserted with the tag defined on the sub-interface.
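To make the decision steps above concrete, here is an added Python model of that packet flow (example code, not PAN-OS software). The BPDU is reduced to ingress port, 802.1q tag and PVID; the interface and VLAN names are constructed, and the "dropped_other" counter name is an assumption (only "pvid_inconsistent" is named in the flow).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Simplified model (not PAN-OS code): a PVST+ BPDU reduced to the fields the
# packet flow looks at. pvid is the VLAN ID carried in the BPDU's PVID TLV.
@dataclass(frozen=True)
class PvstBpdu:
    port: str            # physical ingress/egress port
    tag: Optional[int]   # 802.1q VLAN tag, None if untagged
    pvid: int

# Logical L2 interface: a port plus the 802.1q tag it is configured with
# (None for an untagged interface). Interfaces sharing a vlan name flood to each other.
@dataclass(frozen=True)
class L2Interface:
    name: str
    port: str
    tag: Optional[int]
    vlan: str

class PvstBridge:
    def __init__(self, interfaces: List[L2Interface], native_vlan_id: int = 1):
        self.native_vlan_id = native_vlan_id   # "set session pvst-native-vlan-id"
        self.lookup: Dict[Tuple[str, Optional[int]], L2Interface] = {
            (i.port, i.tag): i for i in interfaces}
        # "pvid_inconsistent" is the counter named on this page; "dropped_other"
        # is a constructed name covering the remaining drop cases.
        self.counters = {"pvid_inconsistent": 0, "dropped_other": 0}

    def forward(self, bpdu: PvstBpdu) -> List[Tuple[str, PvstBpdu]]:
        """Return (egress interface name, rewritten BPDU) pairs, or [] if dropped."""
        if not 1 <= bpdu.pvid <= 4094:                        # PVID range check
            self.counters["dropped_other"] += 1
            return []
        if bpdu.tag is not None and bpdu.tag != bpdu.pvid:    # tagged: tag must equal PVID
            self.counters["pvid_inconsistent"] += 1
            return []
        if bpdu.tag is None and bpdu.pvid != self.native_vlan_id:  # untagged: PVID = native
            self.counters["pvid_inconsistent"] += 1
            return []
        ingress = self.lookup.get((bpdu.port, bpdu.tag))      # (port, tag) interface lookup
        if ingress is None:
            self.counters["dropped_other"] += 1
            return []
        out: List[Tuple[str, PvstBpdu]] = []
        for egress in self.lookup.values():                   # flood inside the VLAN
            if egress is ingress or egress.vlan != ingress.vlan:
                continue
            if egress.tag is None:   # untagged egress: strip tag, PVID := native VLAN ID
                out.append((egress.name, PvstBpdu(egress.port, None, self.native_vlan_id)))
            else:                    # tagged sub-interface: tag and PVID := its VLAN tag
                out.append((egress.name, PvstBpdu(egress.port, egress.tag, egress.tag)))
        return out
```

Feeding it an untagged BPDU with PVID 1 on an untagged interface shows the tag/PVID being rewritten per egress sub-interface, while a tagged BPDU whose tag differs from its PVID is dropped and counted.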
The feature can be controlled only through the CLI:
Enable or disable the feature
> set session rewrite-pvst-pvid yes|no
Set the systemwide PVST native VLAN ID
> set session pvst-native-vlan-id <vlan-id>
Enable or disable discarding of all STP BPDU packets
> set session drop-stp-packet yes|no
These settings persist after a reboot.
The default settings are:
- pvst+ tag rewrite: enabled
- pvst+ native vlan id: 1
- drop stp: disabled
> show vlan all
pvst+ tag rewrite: enabled
pvst+ native vlan id: 1
drop stp: disabled
Considerations:
- This feature is supported only on L2 interfaces
- Regular Ethernet interfaces and aggregate Ethernet interfaces are supported
- This feature only handles PVST+ BPDU packets. The processing of all other L2 non-PVST+ BPDUs remains unchanged.
- All switches and Palo Alto Networks firewalls in the same L2 deployment should use the same native VLAN.