Created on 07-01-2020 02:55 AM Edited on 07-26-2023 05:30 AM By Jean-Philippe_P
Description
This article describes how to configure STP priority on managed switches using custom commands.
Related link:
FortiSwitch 6.2.
FortiSwitch admin guide (stp instance/changing priority): page 107 FortiSwitchOS Administration Guide - Standalone Mode.
FortiSwitch managed guide (custom command): page 133 FortiSwitch - Managed by FortiOS 6.4.
Scope
For versions 3.6, 6.0, 6.2 and 6.4.
Solution
A custom script can be executed on a managed FortiSwitch unit from the FortiGate.
The custom script contains generic FortiSwitch commands.
In the example below, a custom command is configured to change the STP priority to 4096 on a managed FortiSwitch.
By default, a managed FortiSwitch is configured with MSTP (backward compatible with STP and RSTP) and has 2 MSTP instances: Instance 0 and Instance 15.
Instance 0 is for all VLANs and contains all ports/trunks, i.e. data traffic.
Instance 15 is for VLAN 4094 and contains only FortiLink trunks, i.e. only control plane traffic (FortiLink/CAPWAP).
Example:
diagnose stp instance list
MST Instance Information, primary-Channel:
Instance ID 0 (CST)
Config Priority 20480
Bridge MAC 704ca5a19398, MD5 Digest 9999b43d77cc58bba8854f9991c4a487
Root MAC 704ca5a19398, Priority 20480, Path Cost 0, Remaining Hops 20 <----- This bridge is the root.
Regional Root MAC 704ca5a19398, Priority 20480, Path Cost 0 <----- This bridge is the regional root.
Active Times Forward Time 15, Max Age 20, Remaining Hops 20
TCN Events Triggered 5 (41d 16h 1m 52s ago), Received 6 (41d 16h 1m 32s ago)
Port Speed Cost Priority Role State HelloTime Flags
________________ ______ _________ _________ ___________ __________ _________ _______________
port1 - 200000000 128 DISABLED DISCARDING 2 ED
port3 - 200000000 128 DISABLED DISCARDING 2 ED
port4 - 200000000 128 DISABLED DISCARDING 2 ED
port5 - 200000000 128 DISABLED DISCARDING 2 ED
port6 - 200000000 128 DISABLED DISCARDING 2 ED
port7 - 200000000 128 DISABLED DISCARDING 2 ED
port8 - 200000000 128 DISABLED DISCARDING 2 ED
port9 - 200000000 128 DISABLED DISCARDING 2 ED
port10 - 200000000 128 DISABLED DISCARDING 2 ED
port11 - 200000000 128 DISABLED DISCARDING 2 ED
port12 - 200000000 128 DISABLED DISCARDING 2 ED
port13 - 200000000 128 DISABLED DISCARDING 2 ED
port14 - 200000000 128 DISABLED DISCARDING 2 ED
port15 - 200000000 128 DISABLED DISCARDING 2 ED
port16 - 200000000 128 DISABLED DISCARDING 2 ED
port17 - 200000000 128 DISABLED DISCARDING 2 ED
port18 - 200000000 128 DISABLED DISCARDING 2 ED
port19 - 200000000 128 DISABLED DISCARDING 2 ED
port20 - 200000000 128 DISABLED DISCARDING 2 ED
port21 - 200000000 128 DISABLED DISCARDING 2 ED
port22 - 200000000 128 DISABLED DISCARDING 2 ED
port24 - 200000000 128 DISABLED DISCARDING 2 ED
port26 - 200000000 128 DISABLED DISCARDING 2 ED
port27 - 200000000 128 DISABLED DISCARDING 2 ED
port28 - 200000000 128 DISABLED DISCARDING 2 ED
port29 - 200000000 128 DISABLED DISCARDING 2 ED
port30 - 200000000 128 DISABLED DISCARDING 2 ED
port31 - 200000000 128 DISABLED DISCARDING 2 ED
port32 - 200000000 128 DISABLED DISCARDING 2 ED
port33 - 200000000 128 DISABLED DISCARDING 2 ED
port34 - 200000000 128 DISABLED DISCARDING 2 ED
port35 - 200000000 128 DISABLED DISCARDING 2 ED
port36 - 200000000 128 DISABLED DISCARDING 2 ED
port37 - 200000000 128 DISABLED DISCARDING 2 ED
port38 - 200000000 128 DISABLED DISCARDING 2 ED
port39 - 200000000 128 DISABLED DISCARDING 2 ED
port40 - 200000000 128 DISABLED DISCARDING 2 ED
port41 - 200000000 128 DISABLED DISCARDING 2 ED
port42 - 200000000 128 DISABLED DISCARDING 2 ED
port43 - 200000000 128 DISABLED DISCARDING 2 ED
port44 - 200000000 128 DISABLED DISCARDING 2 ED
port45 - 200000000 128 DISABLED DISCARDING 2 ED
port46 - 200000000 128 DISABLED DISCARDING 2 ED
port47 - 200000000 128 DISABLED DISCARDING 2 ED
port49 - 200000000 128 DISABLED DISCARDING 2 ED
port50 - 200000000 128 DISABLED DISCARDING 2 ED
port51 - 200000000 128 DISABLED DISCARDING 2 ED
port52 - 200000000 128 DISABLED DISCARDING 2 ED
internal 1G 20000 128 DESIGNATED FORWARDING 2 ED
8EFTF18000001-0 1G 1 128 DESIGNATED FORWARDING 2 EN ED
8DF3X16002609-0 1G 1 128 DESIGNATED FORWARDING 2 EN
G200E4Q16900196 1G 20000 128 DESIGNATED FORWARDING 2 ED
test - 200000000 128 DISABLED DISCARDING 2 ED
Flags: EN(STP enable), ED(Edge), LP(Loop Protection Triggered)
RG(Root Guard Triggered), BG(BPDU Guard Triggered), IC(PVST Port Inconsistent)
MV(PVST Port Vlan Mismatch)
Instance ID 15
Config Priority 20480, VLANs 4094
Bridge MAC 704ca5a19398
Regional Root MAC 704ca5a19398, Priority 20480, Path Cost 0 <----- This bridge is the regional bridge.
TCN Events Triggered 5 (41d 16h 1m 53s ago), Received 3 (41d 16h 1m 32s ago)
Port Speed Cost Priority Role State Flags
________________ ______ _________ _________ ___________ __________ _______________
internal 1G 20000 128 DESIGNATED FORWARDING ED
8EFTF18000001-0 1G 1 128 DESIGNATED FORWARDING EN ED
8DF3X16002609-0 1G 1 128 DESIGNATED FORWARDING EN
G200E4Q169001-6 1G 20000 128 DESIGNATED FORWARDING ED
Flags: EN(STP enable), ED(Edge), LP(Loop Protection Triggered)
RG(Root Guard Triggered), BG(BPDU Guard Triggered), IC(PVST Port Inconsistent)
MV(PVST Port Vlan Mismatch)
Follow the steps below to change the STP priority to 4096 on both instances 0 and 15 using a custom command:
config switch-controller custom-command
(custom-command) edit stp
(stp) set command "config switch stp instance %0a edit 0 %0a set priority 4096 %0a next %0a edit 15 %0a set priority 4096 %0a end %0a"
(stp) end
Push the commands to the FortiSwitches (the name used in the edit command is the serial number of the FortiSwitch):
config switch-controller managed-switch
(managed-switch) # edit "S248EFTF18-----5"
(S248EFTF18-----5) # config custom-command
(custom-command) edit "1"
new entry '1' added
(1) set command-name "stp"
(1) end
(S248EFTF18-----5) # end
On the FortiSwitch, make sure to disable auto-stp-priority.
On FortiSwitch CLI:
config switch global
set auto-stp-priority disable
end
Verify that the change was pushed to the FortiSwitch:
SSH into the FortiSwitch from the FortiGate (execute ssh admin@<switchip>):
Switch# show full-configuration switch stp instance
Switch# diagnose stp instance list
Note: In the ‘set command’, %0a denotes a new line or return action.
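The verification step can be automated. The following Python script is an added example, not part of the original article or of Fortinet's tooling: it parses saved diagnose stp instance list output and reports any instance whose configured priority is not the intended value or whose root is another bridge. The sample output is constructed from the format shown above, and the function names and the assumption that this switch should be the root are illustrative.

```python
import re

# Constructed sample in the "diagnose stp instance list" format shown above
# (port tables omitted); instance 15 is left at the old priority on purpose.
SAMPLE = """\
Instance ID 0 (CST)
Config Priority 4096
Bridge MAC 704ca5a19398, MD5 Digest 9999b43d77cc58bba8854f9991c4a487
Root MAC 704ca5a19398, Priority 4096, Path Cost 0, Remaining Hops 20
Regional Root MAC 704ca5a19398, Priority 4096, Path Cost 0
Instance ID 15
Config Priority 20480, VLANs 4094
Bridge MAC 704ca5a19398
Regional Root MAC 704ca5a19398, Priority 20480, Path Cost 0
"""

def parse_instances(text):
    """Return {instance_id: fields} parsed from the diagnose output."""
    instances, cur = {}, {}  # cur starts as a scratch dict for header lines
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Instance ID (\d+)", line):
            cur = instances.setdefault(int(m.group(1)), {})
        elif m := re.match(r"Config Priority (\d+)", line):
            cur["config_priority"] = int(m.group(1))
        elif m := re.match(r"Bridge MAC ([0-9a-f]{12})", line):
            cur["bridge_mac"] = m.group(1)
        elif m := re.match(r"(Regional Root|Root) MAC ([0-9a-f]{12}), Priority (\d+)", line):
            cur[m.group(1).lower().replace(" ", "_")] = (m.group(2), int(m.group(3)))
    return instances

def check(text, expected_priority=4096, instance_ids=(0, 15)):
    """Return findings; an empty list means every instance is as intended."""
    found, problems = parse_instances(text), []
    for iid in instance_ids:
        inst = found.get(iid)
        if inst is None:
            problems.append(f"instance {iid}: missing from output")
            continue
        prio = inst.get("config_priority")
        if prio != expected_priority:
            problems.append(f"instance {iid}: config priority {prio}, expected {expected_priority}")
        # Assumption: this switch should be root (instance 15 has only a regional root).
        root_mac = (inst.get("root") or inst.get("regional_root") or (None, 0))[0]
        if root_mac != inst.get("bridge_mac"):
            problems.append(f"instance {iid}: root is {root_mac}, not this bridge")
    return problems

if __name__ == "__main__":
    print("\n".join(check(SAMPLE)) or "OK")
```

A priority that stays at the old value on one instance, as in the sample, suggests the custom command was not applied to that instance or that auto-stp-priority is still enabled on the switch.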