MSTP not work

cuong
cuong Posts: 9  Freshman Member
edited August 2022 in Switch
I have a network diagram as below


My configuration 
XGS4600-32 (SW1):

spanning-tree mode MSTP
mstp
mstp configuration-name GVL
mstp revision 2
mstp instance 0 vlan ""
mstp instance 2 vlan 1-4094
mstp instance 2 priority 4096
mstp instance 2 interface port-channel 25
mstp interface port-channel 25 rootguard


GS1920-48 (SW2):

spanning-tree mode MSTP
mstp
mstp configuration-name GVL
mstp revision 2
mstp instance 0 vlan ""
mstp instance 2 vlan 1-4094
mstp instance 2 interface port-channel 47
mstp instance 2 interface port-channel 48


GS1920-48 (SW3):

mstp
mstp configuration-name GVL
mstp revision 2
mstp instance 0 vlan ""
mstp instance 2 vlan 1-4094
mstp instance 2 interface port-channel 48

After configuring, I connected 1 port of SW1 with one cable to 1 port of SW3 and saw continuous fast LED activity. Please show me what I did wrong.

All Replies

  • Ace
    Ace Posts: 25  Freshman Member
    edited December 2018
    Your SW1 and SW3 only enable MSTP on one port, and those ports are connecting to SW2.

    If SW1 is connected to SW3, then those ports have to join MSTP as well.

    BTW, I'm not sure whether you forgot to capture the full configuration for SW3; it should be changed to MSTP mode too.
  • Zyxel_JonasTan
    Zyxel_JonasTan Posts: 94  Zyxel Employee
    Hi @cuong,

    Based on the description, kindly ensure that the "spanning-tree mode MSTP" on GS1920-48(SW3) is configured.
    Web GUI: [Advanced Application > Spanning Tree Protocol > Configuration]

    And configure the interface that you would like to connect the ring with.
    E.g. SW1 & SW3 interface 1 must be configured with MSTP also.

    Hope it helps.

    PS: Thanks @Ace for the answer =)

    Jonas
  • cuong
    cuong Posts: 9  Freshman Member
    edited December 2018
    Dear Jonas, Ace,

    Thanks for your support.
    For MSTP configuration, all interfaces on SW1, SW2 and SW3 must be configured with MSTP, right?

    Besides, please help me with how to configure DHCP snooping and ARP inspection on the network diagram above; the DHCP server is connected on interface 20 of SW1.
    My configuration:
    XGS4600-32(SW1)
    interface port-channel 25
      pvid 250
      dhcp snooping trust
    exit
    interface port-channel 20
      pvid 100
      dhcp snooping trust
    exit
    dhcp relay 10 helper-address 172.17.100.10
    dhcp relay 50 helper-address 172.17.100.10
    dhcp relay 100 helper-address 172.17.100.10
    dhcp relay 210 helper-address 172.17.100.10
    dhcp snooping
    dhcp snooping vlan 10,50,100,210

    GS1920-48(SW2):
    interface port-channel 47
      pvid 250
      dhcp snooping trust
    exit
    interface port-channel 48
      pvid 250
      dhcp snooping trust
    exit
    dhcp snooping
    dhcp snooping vlan 10,50,100,210

    GS1920-48(SW3):

    interface port-channel 48
      pvid 250
      dhcp snooping trust
    exit
    dhcp snooping
    dhcp snooping vlan 10,50,100,210



    Sorry, my English is not good.

    Thanks and best regards.
  • Ace
    Ace Posts: 25  Freshman Member
    @cuong

    No need to enable MSTP on all ports.
    Your SW2 configuration is correct, because MSTP is enabled on (port 47) SW1 and (port 48) SW3.
    Follow the same concept on SW1 and SW3. It should work.


    For DHCP snooping, enable "dhcp snooping trust" on a port if that port will receive DHCP server packets.

    SW1 needs "dhcp snooping trust" enabled on port 20 only, because only port 20 will receive DHCP server packets.
    SW2 port 47 and 48.
    SW3 port 48 and port connected to SW1.


    About ARP inspection, my experience is that enabling ARP inspection on the uplink and downlink ports works correctly.

    SW1 enables "ARP inspection trust" on the port which connects to the ZyWALL 1100 and on port 25.
    SW2 port 47 and 48.
    SW3 port 48 and port connected to SW1.

    BTW, you should enable DHCP snooping first so that the snooping table is created. After that you can enable ARP inspection.
    If you enable ARP inspection first, you may lose connection....


  • cuong
    cuong Posts: 9  Freshman Member
    Dear Ace said:
    @cuong

    No need to enable MSTP on all ports.
    Your SW2 configuration is correct, because MSTP is enabled on (port 47) SW1 and (port 48) SW3.
    Follow the same concept on SW1 and SW3. It should work.

    ===> The end user accidentally connects a network wire from SW1 to SW3, so it creates a network loop.

    How do I resolve this problem? I need to enable loop guard, right?

    For DHCP snooping, enable "dhcp snooping trust" on a port if that port will receive DHCP server packets.

    SW1 needs "dhcp snooping trust" enabled on port 20 only, because only port 20 will receive DHCP server packets.
    SW2 port 47 and 48.
    SW3 port 48 and port connected to SW1.

    ==> I configure DHCP snooping on the layer 3 switch only; no need to enable DHCP snooping on the layer 2 switches, right?

    About ARP inspection, my experience is that enabling ARP inspection on the uplink and downlink ports works correctly.

    SW1 enables "ARP inspection trust" on the port which connects to the ZyWALL 1100 and on port 25.
    SW2 port 47 and 48.
    SW3 port 48 and port connected to SW1.

    BTW, you should enable DHCP snooping first so that the snooping table is created. After that you can enable ARP inspection.
    If you enable ARP inspection first, you may lose connection....


    Thank you so much.
  • cuong
    cuong Posts: 9  Freshman Member
    Dear Ace,

    Thank you so much.
    My network doesn't have a ring topology.

    Thanks and best regards.
  • Zyxel_JonasTan
    Zyxel_JonasTan Posts: 94  Zyxel Employee
    Hi @cuong,

    Good day.
    If there is no ring topology, you just need to enable loop guard on all ports to avoid loops in your network environment.

    About the question below:
    SW1 needs "dhcp snooping trust" enabled on port 20 only, because only port 20 will receive DHCP server packets.
    SW2 port 47 and 48.
    SW3 port 48 and port connected to SW1.
    ==> I configure DHCP snooping on the layer 3 switch only; no need to enable DHCP snooping on the layer 2 switches, right?

    We suggest configuring DHCP snooping and ARP inspection on the layer 2 switches also, to prevent attackers from connecting a DHCP server, which may cause other users to get the wrong IP address, and to avoid ARP spoofing.


    And for the other inquiry, thanks to @Ace for sharing the answers and experience.

    Thanks for supporting Zyxel!

    Jonas
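
Added example, not part of the thread and not Zyxel code: a toy Python model of the two checks discussed in Ace's and Jonas's replies (DHCP snooping trust, and ARP inspection validated against the snooping table). It shows a DHCP server reply on an untrusted port being dropped, and a working host being cut off when ARP inspection is enabled before the table holds its binding. Port numbers, MAC and IP addresses, and all class and function names are constructed for illustration; real switches track more state (VLAN, lease time).

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}    # DHCP messages only a server sends

@dataclass
class Switch:
    trusted: set                         # ports marked trusted (uplink / server side)
    snooping: bool = False
    arp_inspection: bool = False
    bindings: dict = field(default_factory=dict)       # client MAC -> (IP, port)
    last_req_port: dict = field(default_factory=dict)  # client MAC -> requesting port

    def dhcp(self, port, msg, client_mac, ip=None):
        """Return True if the DHCP frame is forwarded."""
        if not self.snooping:
            return True
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                return False             # server reply arriving on an untrusted port
            if msg == "ACK" and client_mac in self.last_req_port:
                # learn the binding from the trusted server's ACK
                self.bindings[client_mac] = (ip, self.last_req_port[client_mac])
            return True
        self.last_req_port[client_mac] = port   # DISCOVER/REQUEST from a client
        return True

    def arp(self, port, sender_mac, sender_ip):
        """Return True if the ARP frame is forwarded."""
        if not self.arp_inspection or port in self.trusted:
            return True
        # untrusted port: sender MAC/IP/port must match a snooped binding
        return self.bindings.get(sender_mac) == (sender_ip, port)

def run_scenario(arp_first):
    sw = Switch(trusted={48})            # constructed: port 48 is the uplink
    host, host_ip = "aa:aa:aa:aa:aa:01", "172.17.10.20"   # constructed host
    out = {}
    if arp_first:
        # ARP inspection turned on while the binding table is still empty:
        # a host that already holds an address is dropped.
        sw.arp_inspection = True
        out["arp_before_table"] = sw.arp(5, host, host_ip)
    sw.snooping = True
    sw.dhcp(5, "REQUEST", host)
    out["rogue_offer"] = sw.dhcp(7, "OFFER", host, "192.168.66.5")
    out["server_ack"] = sw.dhcp(48, "ACK", host, host_ip)
    sw.arp_inspection = True
    out["legit_arp"] = sw.arp(5, host, host_ip)
    out["spoofed_arp"] = sw.arp(7, "bb:bb:bb:bb:bb:02", "172.17.10.1")
    return out
```
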