When an interface on the firewall is configured for a Layer 2 deployment, the firewall now rewrites the inbound Port VLAN ID (PVID) number in a Cisco per-VLAN spanning tree (PVST+) or Rapid PVST+ bridge protocol data unit (BPDU) to the proper outbound VLAN ID number and forwards the BPDU out. This default behavior beginning in PAN-OS 7.1 allows the firewall to correctly tag Cisco proprietary PVST+ and Rapid PVST+ frames between Cisco switches in VLANs on either side of the firewall so that spanning tree loop detection using Cisco PVST+ and Rapid PVST+ can function properly. The firewall is not participating in the Spanning Tree Protocol (STP) election process and there is no behavior change for other types of spanning tree.
The Cisco switch must have the loopguard disabled for the PVST+ or Rapid PVST+ BPDU rewrite to function properly on the firewall.
This feature is supported on Layer 2 Ethernet and Aggregated Ethernet (AE) interfaces only. The firewall supports a PVID range of 1-4,094 with a native VLAN ID of 1 to be compatible with the Cisco native VLAN implementation.
To support the PVST+ BPDU rewrite feature, PAN-OS now supports the concept of a PVST+ native VLAN. Frames sent to and received from a native VLAN are untagged with a PVID equal to the native VLAN. All switches and firewalls in the same Layer 2 deployment must have the same native VLAN for PVST+ to function properly. Although the Cisco native VLAN defaults to vlan1, the VLAN ID could be a number other than 1.
For example, the firewall is configured with a VLAN object (named VLAN_BRIDGE), which describes the interfaces and subinterfaces that belong to a switch or broadcast domain. In this example, the VLAN includes three subinterfaces: ethernet1/21.100 tagged with 100, ethernet1/22.1000 tagged with 1000, and ethernet1/23.1500 tagged with 1500.
The subinterfaces belonging to VLAN_BRIDGE look like this:
The sequence in which the firewall automatically rewrites the PVST+ BPDU is shown in the following topology illustration:
The Cisco switch port belonging to VLAN 100 sends a PVST+ BPDU—with the PVID and 802.1Q VLAN tag set to 100—to the firewall. The firewall interfaces and subinterfaces are configured as a Layer 2 interface type. The ingress subinterface on the firewall is tagged with VLAN 100, which matches the PVID and VLAN tag of the incoming BPDU so the firewall accepts the BPDU. The firewall floods the PVST+ BPDU to all other interfaces belonging to the same VLAN object (in this example, ethernet1/22.1000 and ethernet1/23.1500). If the VLAN tags did not match, the firewall would have, instead, dropped the BPDU. When the firewall floods the BPDU out through other interfaces (belonging to the same VLAN object), the firewall rewrites the PVID and any 802.1Q VLAN tags to match the VLAN tag of the egress interface. In this example, the firewall rewrites the BPDU PVID from 100 to 1000 for one subinterface and from 100 to 1500 for the second subinterface as the BPDU traverses the Layer 2 bridge on the firewall. Each Cisco switch receives the correct PVID and VLAN tag on the incoming BPDU and processes the PVST+ packet to detect possible loops in the network.
The following table describes different options you can use to manage PVST+ and Rapid PVST+ BPDUs.
Manage PVST+ and Rapid PVST+ BPDUs
The PVST+ and Rapid PVST+ BPDU rewrite of the PVID is enabled by default; you can globally disable and re-enable it. Use the following CLI operational command: set session rewrite-pvst-pvid yes|no
Set the native VLAN ID for the firewall (range is 1-4,094; default is 1). If the native VLAN ID on your switch is a value other than 1, you must set the native VLAN ID on the firewall to that same number; otherwise, the firewall will drop packets with that VLAN ID. This applies to trunked and non-trunked interfaces. Use the following CLI operational command: set session pvst-native-vlan-id <vid>
Drop all STP BPDU packets. Examples of why you might want to drop all STP BPDU packets: If there is only one switch on each side of the firewall and no other connections between the switches that can cause a loop, then STP is not required and can be disabled on the switch or blocked by the firewall. If there is a misbehaving STP switch inappropriately flooding BPDUs, you can drop the STP packets at the firewall to stop the BPDU flood. Use the following CLI operational command: set session drop-stp-packet yes|no
Verify whether PVST+ BPDU rewrite is enabled, view the PVST native VLAN ID, and determine whether the firewall is dropping all STP BPDU packets. Use the following CLI operational command: admin@pa-vm-30-20> show vlan all pvst+ tag rewrite: disabled pvst native vlan id: 5 drop stp: disabled total vlans shown: 1 name interface virtual interface -------------------------------------------------- bridge ethernet1/1 ethernet1/2 ethernet1/1.1 ethernet1/2.1 ethernet1/2.5 ethernet1/1.5
Troubleshoot PVST+ BPDU errors. Use the following CLI operational command: show counter global Look at the flow_pvid_inconsistent counter, which counts the number of times the 802.1Q Tag and PVID fields inside a PVST+ BPDU packet do not match.

Related Documentation