Multiple Spanning Tree (MST)

Submitted by rayc on Mon, 10/25/2021 - 09:16

MSTP, or 802.1s, is an industry-standard version of STP that combines RSTP timing with the ability to load balance VLANs across instances of spanning tree. If you recall, 802.1D runs a single instance of spanning tree for all VLANs within a network, called the Common Spanning Tree or CST. MST expands on this concept by allowing you to assign VLANs to an instance of spanning tree and to configure multiple instances, hence the name Multiple Spanning Tree. This also means that you can have a root switch for each instance of MST.

MST configuration requires that you map a VLAN or set of VLANs to an instance of MST. MST also uses what is referred to as an MST region to decide which switches are part of the same spanning-tree boundary. An MST region is a grouping of MST switches that are configured with the same variables. For a switch to be considered part of the same MST region, the following MST configuration variables need to match:

  • MST region name
  • MST revision number
  • MST VLAN to instance mapping

If all of the above configuration options match on two MST switches, they are considered to be in the same region. If the above configuration does not match, then the switches are MST boundary switches. An MST boundary switch will still talk RSTP to the other MST switches; however, if the other switch is running PVST+ or PVRSTP+, MST will use its compatibility features to ensure a loop-free topology.

With PVST and PVRST, a switch runs an instance of STP per VLAN. In a network with 5, 10 or even 20 VLANs that isn't too bad. It's relatively easy to load balance if required, and switches don't have to deal with too many BPDUs or TCN BPDU events (one per VLAN). However, in a network that has hundreds or thousands of VLANs, that can cause quite a lot of network traffic and switch processing every time a BPDU or TCN is received. MST alleviates these types of issues by only processing BPDUs for an instance. When an MST BPDU is sent, the entire instance to VLAN mapping is not transmitted in the BPDU; instead, the switch computes a hash based on the mappings and sends only the hash.
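The region check and the mapping hash described above can be reproduced offline to spot configuration drift between switches. This is an added example, not code from the original article; it goes slightly beyond the text by using the HMAC-MD5 configuration digest and fixed key defined in IEEE 802.1Q, and the switch names, the region name CAMPUS and the mappings are constructed.

```python
import hashlib
import hmac
import struct

# Fixed, publicly known signature key from IEEE 802.1Q (MST Configuration Digest).
# It is not a secret: the digest detects mismatched mappings, it does not
# authenticate the sender of a BPDU.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def config_digest(vlan_to_instance):
    """HMAC-MD5 over a 4096-entry table of 2-byte instance IDs, indexed by VLAN.

    VLANs missing from the mapping stay in instance 0; entries 0 and 4095 are 0.
    """
    table = [0] * 4096
    for vlan, instance in vlan_to_instance.items():
        if not 1 <= vlan <= 4094:
            raise ValueError(f"invalid VLAN {vlan}")
        table[vlan] = instance
    packed = struct.pack(">4096H", *table)
    return hmac.new(MST_DIGEST_KEY, packed, hashlib.md5).hexdigest()


def region_id(name, revision, vlan_to_instance):
    """The three values that must match for two switches to share a region."""
    return (name, revision, config_digest(vlan_to_instance))


def mismatches(a, b):
    """List which region variables differ between two region_id() tuples."""
    labels = ("region name", "revision number", "VLAN to instance mapping")
    return [label for label, x, y in zip(labels, a, b) if x != y]


# Constructed sample configurations (hypothetical switches SW1..SW3).
SW1 = region_id("CAMPUS", 1, {10: 1, 20: 2})
SW2 = region_id("CAMPUS", 1, {10: 1, 20: 2})
SW3 = region_id("CAMPUS", 1, {10: 1, 20: 1})  # VLAN 20 mapped differently

if __name__ == "__main__":
    print("SW1 vs SW2:", mismatches(SW1, SW2) or "same region")
    print("SW1 vs SW3:", mismatches(SW1, SW3) or "same region")
```

An empty list from mismatches() means the two switches would treat each other as members of the same region; any entry means the link between them becomes a region boundary.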

MST Instances

Cisco switches support the use of up to 16 MST instances, with the default instance or IST (Internal Spanning Tree) configured as IST0. IST0 cannot be deleted and is the instance that is used for all MST communication, meaning that MST does not send BPDUs on any instance other than the IST. When MST wants to send BPDUs about the other instances that are configured in the region, the information is added to the IST BPDU as M-Records. This means that only a single BPDU is sent for all instances that are configured.

MST instances are also only relevant within an MST region. If you have multiple MST regions, you are able to use the same instance numbers with the same or different VLAN mappings and it doesn't matter. The MST boundary switches that communicate between the two regions will only communicate the CST to each other. The same is true when MST is configured to run in compatibility mode with other STP protocols. MST acts like a single virtual switch inside the MST region to any outside STP switches. The image below helps show exactly what happens when you run MST in conjunction with PVST or PVRSTP.


Configuring MST

When configuring MST, you first need to enter into MST configuration mode using the command spanning-tree mst configuration. Once entered into MST configuration mode, you can configure the region name, the revision number and the VLAN to instance mappings. 

[Figure: Configuring MST]

When you enter MST configuration mode, the configuration does not apply until you exit out of MST configuration mode. If you are in the middle of configuring your MST region details and you make a mistake, you can abort the changes you made by simply entering the abort keyword from inside MST configuration mode.

[Figure: Aborting MST configuration]

Once you have completed your MST configuration for the region, you need to enable MST on the switch. To do this, use the command spanning-tree mode mst.

[Figure: Enabling MST on switch]

Tuning MST

As with other versions of STP, MST lets you manually select which switch will be the root for a given instance or for all instances. MST uses the same methods to select the Root Bridge, Root ports and Designated ports, and to decide which ports block and forward on redundant links. When configuring a specific switch as the root switch, you can change the MST instance priority for the selected instance using the command spanning-tree mst <instance> priority <num> or by using the command spanning-tree mst <instance> root {primary|secondary} [diameter <num>]. The primary and secondary keywords are the same as with PVST+/PVRST+: they run a macro that sets the priority value of the MST instance. When you use the root keyword, the switch will check what the priority of the current root is and set it to a value that is 4096 less. The secondary keyword runs a macro that changes the priority to a value of 28672. The reason that there is no check to see if there's a switch with a lower priority is that only the Root Bridge priority is known by all switches.

[Figure: Configuring MST priority using the root keyword]

If you choose to manually specify the root priority using the command spanning-tree mst <instance> priority <num>, as with all other iterations of STP on Cisco switches, the value must be a multiple of 4096.

The MST path cost and interface priority follow the same rules as RSTP when selecting a port to be Root, Designated and so on, but can be set on a per-instance basis. To change the MST path cost for an interface, use the interface configuration subcommand spanning-tree mst <instance> cost <cost>, and to change the interface port priority, use the interface configuration subcommand spanning-tree mst <instance> port-priority <priority>.

[Figure: Changing MST port cost and port-priority]

MST Verification

In order to verify your MST configuration, use the command show spanning-tree mst configuration. This command outputs a brief overview of the MST region details.

[Figure: show spanning-tree mst configuration]

Viewing the MSTP topology is the same as with any other version of STP. Use the command show spanning-tree to output the STP topology for all MST instances. You can also use the keyword mst <instance> to show a specific instance.

[Figure: show spanning-tree and show spanning-tree instance]

Notice that with the command show spanning-tree the VLAN to Instance mappings are not shown, however in the output of the show spanning-tree mst <instance> you can see the VLAN mappings for that specific instance. 

Common MST Misconfigurations

One common misconfiguration with MST is when you have VLANs assigned to the IST instance 0. This can result in a port being blocked and preventing traffic from reaching its destination. In order to understand this, you need to look at how MST exchanges BPDU information. As mentioned earlier, MST uses the IST0 to send BPDU information about the root bridge and the configured timers. If other instances are configured, this information is attached to the BPDU as an M-Record. There is 1 M-Record attached to the BPDU per instance. Using the topology below, we have two switches that are connected to each other via two links. One link is configured as an access port on VLAN 10, which is assigned to the IST0, and the other is an access port configured for VLAN 20, which is assigned to IST1.

[Figure: Example for VLANs assigned to IST]

This topology with VLAN 10 assigned to IST0 will result in the second link in IST1 being blocked. How, you ask? Well, IST runs on all ports whether they're trunks or access ports. In this instance SW2 will receive 2 BPDUs from SW1 on G1/0/1 and G1/0/2. Each BPDU will show as being from the IST even with the M-Record attached for IST1. SW2, seeing a BPDU from IST0, will determine that there is a loop in the network and block one of the interfaces.

[Figure: IST VLANs port blocked]

The way to avoid this situation is to ensure that no VLANs are associated with the instance 0.

Another common MST misconfiguration is when pruning VLANs on a trunk port. This isn't to say that you can't prune VLANs, you just need to be careful when you do. For example, looking at the switch topology below, we have our 3 switches connected and have 3 VLANs on each switch with all VLANs assigned to MSTI1. Our junior network engineer then decides that they want to prune some VLANs to load balance across the two links better and prunes VLAN 10 from SW3's G1/0/1 interface and VLAN 20 from the G1/0/2 interface.

[Figure: Example of VLAN pruning]

Pruning these VLANs results in hosts on VLAN 10 being unable to communicate, as the trunk that permits the VLAN is in an STP blocked state. Remember that MST works on instances, not per VLAN, and that VLANs 10 and 20 are both assigned to the same MSTI.

[Figure: VLAN pruning showing IST1 blocked port]

The way to avoid this scenario is to either not prune any VLANs or to ensure that your VLAN to instance mapping matches the VLANs that you prune. In the above example we could assign VLAN 10 to IST1 and VLAN 20 to IST2.
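Both misconfigurations in this section can be caught by auditing a configuration before it is deployed. The following is an added example, not part of the original article: it flags in-use VLANs left in instance 0 and trunks that carry only some of an instance's VLANs. The configuration text, the third VLAN (30) and the function names are constructed for illustration.

```python
import re


def parse_vlans(spec):
    """Expand an IOS-style VLAN list such as '10,20,30-32' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit(config, active_vlans):
    """Return findings for the two misconfigurations described above."""
    mapping = {}                    # VLAN -> MST instance; unmapped VLANs are in 0
    trunks, current = {}, None      # interface name -> allowed VLAN set
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"instance (\d+) vlan ([\d, -]+)$", line):
            mapping.update(dict.fromkeys(parse_vlans(m[2]), int(m[1])))
        elif m := re.match(r"interface (\S+)", line):
            current = m[1]
        elif m := re.match(r"switchport trunk allowed vlan ([\d,-]+)$", line):
            trunks[current] = parse_vlans(m[1])
    # Check 1: VLANs in use that were never moved out of instance 0.
    findings = [f"VLAN {v} is still mapped to instance 0"
                for v in sorted(active_vlans) if mapping.get(v, 0) == 0]
    # Check 2: a trunk that carries only some of an instance's VLANs.
    by_instance = {}
    for vlan in active_vlans:
        by_instance.setdefault(mapping.get(vlan, 0), set()).add(vlan)
    for port, allowed in sorted(trunks.items()):
        for inst, vlans in sorted(by_instance.items()):
            if vlans & allowed and not vlans <= allowed:
                missing = ",".join(map(str, sorted(vlans - allowed)))
                findings.append(f"{port}: instance {inst} is missing VLAN {missing}")
    return findings

# Constructed SW3 configuration modelled on the pruning scenario in the text.
SW3_CONFIG = """
spanning-tree mst configuration
 instance 1 vlan 10,20,30
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 20,30
interface GigabitEthernet1/0/2
 switchport trunk allowed vlan 10,30
"""

if __name__ == "__main__":
    print("\n".join(audit(SW3_CONFIG, {10, 20, 30})))
```

The audit only reads the literal "switchport trunk allowed vlan <list>" form; add/remove variants and VLANs pruned by other means are outside what this sketch covers.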