Example for Configuring MLAG with PVST (Root Guard)



Networking Requirements

As shown in Figure 1, MLAG is implemented on Switch A and Switch B. The downstream devices Switch C and Switch D each have dual access to the network through Switch A and Switch B.

PVST is deployed in the network to eliminate loops. Devices running PVST exchange PVST bridge protocol data units (BPDUs) to discover loops in the network and block some ports to prune the network into a loop-free tree network.

Figure 1. Example Topology of MLAG with PVST

Figure 1 shows the user topology of MLAG with PVST. Follow the configuration roadmap below to complete the configuration.

  •    Configure MLAG. Switch A, Switch B and the aggregated port ae1 connected to Switch C form one MLAG, MLAG Domain 1; Switch A, Switch B and the aggregated port ae2 connected to Switch D form another MLAG, MLAG Domain 2. The MLAG peer-link is implemented as a backup link aggregation group, ae3, between Switch A and Switch B to improve network reliability.
  •    Configure basic PVST functions to eliminate loops. PVST prevents infinite looping of packets to ensure packet processing capabilities of switches.
  •    Configure Root Guard to protect devices or links. For each MLAG peer device, configure root guard on ports connected to the public network. If a port is enabled with the root guard function, its port role on all instances can only be the designated port. Once the port that is enabled with root guard receives BPDUs with a higher priority, the port enters the Discarding state and does not forward packets. If the port does not receive any BPDUs with a higher priority for a long time, the port automatically returns to the Forwarding state.
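
The root guard behaviour described in the last item, as a simplified model. This is an added example, not PicOS code: it compares only the root bridge ID carried in a BPDU (a numerically lower priority value, then a lower MAC, is the "higher priority"), and the 6-second recovery time, the class and function names and the received BPDU values are assumptions made for illustration. The current root ID is the one shown for VLAN 15 in the verification output of this page.

```python
from dataclasses import dataclass

def bridge_id(text):
    """'32768.08:9e:01:39:1a:fe' -> (32768, '08:9e:01:39:1a:fe'); lower sorts as superior."""
    prio, mac = text.split(".", 1)
    return int(prio), mac.lower()

@dataclass
class RootGuardPort:
    name: str
    current_root: tuple
    recovery_s: float = 6.0      # assumed value; the page only says "a long time"
    state: str = "FORWARDING"
    last_superior: float = None

    def receive_bpdu(self, now, root_id_text):
        """A BPDU advertising a better root than the current one blocks the port."""
        if bridge_id(root_id_text) < self.current_root:
            self.state, self.last_superior = "DISCARDING", now
        return self.state

    def tick(self, now):
        """Recover once no superior BPDU has been seen for recovery_s seconds."""
        if self.state == "DISCARDING" and now - self.last_superior >= self.recovery_s:
            self.state = "FORWARDING"
        return self.state

def replay(events, root="32768.08:9e:01:39:1a:fe"):
    """Feed (time, root ID or None) events to a root-guard port; return its state after each."""
    port = RootGuardPort("te-1/1/3", bridge_id(root))
    out = []
    for now, bpdu in events:
        out.append((now, port.receive_bpdu(now, bpdu) if bpdu else port.tick(now)))
    return out

# Constructed timeline: (seconds, root ID in the received BPDU, or None for a timer tick).
EVENTS = [
    (0, "36864.cc:37:ab:00:00:01"),   # inferior: port keeps forwarding
    (2, "4096.cc:37:ab:00:00:02"),    # superior: port is blocked
    (4, None),                        # 2 s since the superior BPDU: still blocked
    (9, None),                        # 7 s without a superior BPDU: recovers
]

if __name__ == "__main__":
    for when, state in replay(EVENTS):
        print(f"t={when:>2}s  te-1/1/3  {state}")
```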

Procedure

Configure Switch A, Switch B, Switch C and Switch D according to the networking requirements described above.

Switch A

Step1         Configure the VLAN.

    a.       Configure an aggregation interface with LACP mode.

admin@SwitchA# set interface aggregate-ethernet ae1 aggregated-ether-options lacp enable true
admin@SwitchA# set interface aggregate-ethernet ae2 aggregated-ether-options lacp enable true
admin@SwitchA# set interface aggregate-ethernet ae3

    b.       Add member interfaces to the LAG.

admin@SwitchA# set interface gigabit-ethernet ge-1/1/1 ether-options 802.3ad ae1
admin@SwitchA# set interface gigabit-ethernet ge-1/1/2 ether-options 802.3ad ae2
admin@SwitchA# set interface gigabit-ethernet te-1/1/49 ether-options 802.3ad ae3
admin@SwitchA# set interface gigabit-ethernet te-1/1/50 ether-options 802.3ad ae3

    c.        Create VLANs.

admin@SwitchA# set vlans vlan-id 15
admin@SwitchA# set vlans vlan-id 16
admin@SwitchA# set vlans vlan-id 4094 l3-interface 4094
admin@SwitchA# set interface aggregate-ethernet ae1 family ethernet-switching port-mode trunk
admin@SwitchA# set interface aggregate-ethernet ae1 family ethernet-switching vlan members 15
admin@SwitchA# set interface aggregate-ethernet ae1 family ethernet-switching vlan members 16
admin@SwitchA# set interface aggregate-ethernet ae2 family ethernet-switching port-mode trunk
admin@SwitchA# set interface aggregate-ethernet ae2 family ethernet-switching vlan members 15
admin@SwitchA# set interface aggregate-ethernet ae2 family ethernet-switching vlan members 16
admin@SwitchA# set interface aggregate-ethernet ae3 family ethernet-switching port-mode trunk
admin@SwitchA# set interface aggregate-ethernet ae3 family ethernet-switching vlan members 4094
admin@SwitchA# set interface aggregate-ethernet ae3 family ethernet-switching vlan members 15
admin@SwitchA# set interface aggregate-ethernet ae3 family ethernet-switching vlan members 16
admin@SwitchA# set interface gigabit-ethernet te-1/1/3 family ethernet-switching port-mode trunk
admin@SwitchA# set interface gigabit-ethernet te-1/1/3 family ethernet-switching vlan members 15
admin@SwitchA# set interface gigabit-ethernet te-1/1/3 family ethernet-switching vlan members 16

    d.       Configure the IP address of the L3 interface.

admin@SwitchA# set vlan-interface interface 4094 vif 4094 address 10.10.0.1 prefix-length 24

Step2         Configure MLAG.

    a.       Enable MLAG on the LAG connected to the downstream device.

admin@SwitchA# set interface aggregate-ethernet ae1 aggregated-ether-options mlag disable false
admin@SwitchA# set interface aggregate-ethernet ae2 aggregated-ether-options mlag disable false

             By default, the MLAG function is enabled.

    b.       Configure MLAG domain ID.

admin@SwitchA# set interface aggregate-ethernet ae1 aggregated-ether-options mlag domain-id 1
admin@SwitchA# set interface aggregate-ethernet ae2 aggregated-ether-options mlag domain-id 2

    c.        Configure a global peer IP address and the peer-link for the MLAG peer.

admin@SwitchA# set interface mlag peer 10.10.0.2 peer-link ae3

    d.       Configure a static ARP entry for the peer-link interface.

admin@SwitchA# set interface gigabit-ethernet ae3 static-ethernet-switching mac-address A0:34:44:32:9C:23 vlan 4094
admin@SwitchA# set protocols arp interface 4094 address 10.10.0.2 mac-address A0:34:44:32:9C:23

NOTE:

PICA8 recommends configuring a static ARP entry for the peer-link interface to prevent the ARP entry of the peer-link interface from being modified by ARP attack packets.

    e.       Configure system ID for LACP negotiation.

admin@SwitchA# set interface aggregate-ethernet ae1 aggregated-ether-options mlag system id 0A:B0:BC:00:00:00
admin@SwitchA# set interface aggregate-ethernet ae2 aggregated-ether-options mlag system id 0B:B0:BC:00:00:00

             The system ID configured on the MLAG peer devices should be consistent within the same domain.

Step3         Configure PVST.

    a.       Enable spanning tree on Switch A.

admin@SwitchA# set protocols spanning-tree enable true

             By default, the spanning tree function is enabled.

    b.       Configure spanning tree mode in PVST.

admin@SwitchA# set protocols spanning-tree force-version 4

    c.        Enable PVST on VLAN instance.

admin@SwitchA# set protocols spanning-tree pvst vlan 15 enable true
admin@SwitchA# set protocols spanning-tree pvst vlan 16 enable true         

Step4         Configure root guard.

    a.       Enable root guard on port te-1/1/3.

admin@SwitchA# set protocols spanning-tree pvst interface te-1/1/3 root-guard true

    b.       Commit the configuration.

admin@SwitchA# commit

Switch B

Step1         Configure the VLAN.

    a.       Configure an aggregation interface with LACP mode.

admin@SwitchB# set interface aggregate-ethernet ae1 aggregated-ether-options lacp enable true
admin@SwitchB# set interface aggregate-ethernet ae2 aggregated-ether-options lacp enable true
admin@SwitchB# set interface aggregate-ethernet ae3

    b.       Add member interfaces to the LAG.

admin@SwitchB# set interface gigabit-ethernet ge-1/1/1 ether-options 802.3ad ae1
admin@SwitchB# set interface gigabit-ethernet ge-1/1/2 ether-options 802.3ad ae2
admin@SwitchB# set interface gigabit-ethernet te-1/1/49 ether-options 802.3ad ae3
admin@SwitchB# set interface gigabit-ethernet te-1/1/50 ether-options 802.3ad ae3

    c.        Create VLANs.

admin@SwitchB# set vlans vlan-id 15
admin@SwitchB# set vlans vlan-id 16
admin@SwitchB# set vlans vlan-id 4094 l3-interface 4094
admin@SwitchB# set interface aggregate-ethernet ae1 family ethernet-switching port-mode trunk
admin@SwitchB# set interface aggregate-ethernet ae1 family ethernet-switching vlan members 15
admin@SwitchB# set interface aggregate-ethernet ae1 family ethernet-switching vlan members 16
admin@SwitchB# set interface aggregate-ethernet ae2 family ethernet-switching port-mode trunk
admin@SwitchB# set interface aggregate-ethernet ae2 family ethernet-switching vlan members 15
admin@SwitchB# set interface aggregate-ethernet ae2 family ethernet-switching vlan members 16
admin@SwitchB# set interface aggregate-ethernet ae3 family ethernet-switching port-mode trunk
admin@SwitchB# set interface aggregate-ethernet ae3 family ethernet-switching vlan members 4094
admin@SwitchB# set interface aggregate-ethernet ae3 family ethernet-switching vlan members 15
admin@SwitchB# set interface aggregate-ethernet ae3 family ethernet-switching vlan members 16
admin@SwitchB# set interface gigabit-ethernet te-1/1/3 family ethernet-switching port-mode trunk
admin@SwitchB# set interface gigabit-ethernet te-1/1/3 family ethernet-switching vlan members 15
admin@SwitchB# set interface gigabit-ethernet te-1/1/3 family ethernet-switching vlan members 16

    d.       Configure the IP address of the L3 interface.

admin@SwitchB# set vlan-interface interface 4094 vif 4094 address 10.10.0.2 prefix-length 24

Step2         Configure MLAG.

    a.       Enable MLAG on the LAG connected to the downstream device.

admin@SwitchB# set interface aggregate-ethernet ae1 aggregated-ether-options mlag disable false
admin@SwitchB# set interface aggregate-ethernet ae2 aggregated-ether-options mlag disable false

             By default, the MLAG function is enabled.

    b.       Configure MLAG domain ID.

admin@SwitchB# set interface aggregate-ethernet ae1 aggregated-ether-options mlag domain-id 1
admin@SwitchB# set interface aggregate-ethernet ae2 aggregated-ether-options mlag domain-id 2

    c.        Configure a global peer IP address and the peer-link for the MLAG peer.

admin@SwitchB# set interface mlag peer 10.10.0.1 peer-link ae3

    d.       Configure a static ARP entry for the peer-link interface.

admin@SwitchB# set interface gigabit-ethernet ae3 static-ethernet-switching mac-address 00:18:23:30:E7:90 vlan 4094
admin@SwitchB# set protocols arp interface 4094 address 10.10.0.1 mac-address 00:18:23:30:E7:90

NOTE:

PICA8 recommends configuring a static ARP entry for the peer-link interface to prevent the ARP entry of the peer-link interface from being modified by ARP attack packets.

    e.       Configure system ID for LACP negotiation.

admin@SwitchB# set interface aggregate-ethernet ae1 aggregated-ether-options mlag system id 0A:B0:BC:00:00:00
admin@SwitchB# set interface aggregate-ethernet ae2 aggregated-ether-options mlag system id 0B:B0:BC:00:00:00

             The system ID configured on the MLAG peer devices should be consistent within the same domain.

Step3         Configure PVST.

    a.       Enable spanning tree on Switch B.

admin@SwitchB# set protocols spanning-tree enable true

             By default, the spanning tree function is enabled.

    b.       Configure spanning tree mode in PVST.

admin@SwitchB# set protocols spanning-tree force-version 4

    c.        Enable PVST on VLAN instance.

admin@SwitchB# set protocols spanning-tree pvst vlan 15 enable true
admin@SwitchB# set protocols spanning-tree pvst vlan 16 enable true      

Step4         Configure root guard.

    a.       Enable root guard on port te-1/1/3.

admin@SwitchB# set protocols spanning-tree pvst interface te-1/1/3 root-guard true

    b.       Commit the configuration.

admin@SwitchB# commit

Switch C

Step1         Enable aggregation interface with LACP mode.

admin@SwitchC# set interface aggregate-ethernet ae1 aggregated-ether-options lacp enable true

Step2         Add member interfaces to a LAG.

admin@SwitchC# set interface gigabit-ethernet ge-1/1/1 ether-options 802.3ad ae1
admin@SwitchC# set interface gigabit-ethernet ge-1/1/2 ether-options 802.3ad ae1

Step3         Configure VLANs.

admin@SwitchC# set vlans vlan-id 15
admin@SwitchC# set vlans vlan-id 16
admin@SwitchC# set interface aggregate-ethernet ae1 family ethernet-switching port-mode trunk
admin@SwitchC# set interface aggregate-ethernet ae1 family ethernet-switching vlan members 15
admin@SwitchC# set interface aggregate-ethernet ae1 family ethernet-switching vlan members 16

Step4         Configure PVST.

    a.       Enable spanning tree on Switch C.

admin@SwitchC# set protocols spanning-tree enable true

             By default, the spanning tree function is enabled.

    b.       Configure spanning tree mode in PVST.

admin@SwitchC# set protocols spanning-tree force-version 4

    c.        Enable PVST on VLAN instance.

admin@SwitchC# set protocols spanning-tree pvst vlan 15 enable true
admin@SwitchC# set protocols spanning-tree pvst vlan 16 enable true

Step5         Commit the configuration.

admin@SwitchC# commit


Switch D

Step1         Enable aggregation interface with LACP mode.

admin@SwitchD# set interface aggregate-ethernet ae2 aggregated-ether-options lacp enable true

Step2         Add member interfaces to a LAG.

admin@SwitchD# set interface gigabit-ethernet ge-1/1/1 ether-options 802.3ad ae2
admin@SwitchD# set interface gigabit-ethernet ge-1/1/2 ether-options 802.3ad ae2

Step3         Configure VLANs.

admin@SwitchD# set vlans vlan-id 15
admin@SwitchD# set vlans vlan-id 16
admin@SwitchD# set interface aggregate-ethernet ae2 family ethernet-switching port-mode trunk
admin@SwitchD# set interface aggregate-ethernet ae2 family ethernet-switching vlan members 15
admin@SwitchD# set interface aggregate-ethernet ae2 family ethernet-switching vlan members 16

Step4         Configure PVST.

    a.       Enable spanning tree on Switch D.

admin@SwitchD# set protocols spanning-tree enable true

             By default, the spanning tree function is enabled.

    b.       Configure spanning tree mode in PVST.

admin@SwitchD# set protocols spanning-tree force-version 4

    c.        Enable PVST on VLAN instance.

admin@SwitchD# set protocols spanning-tree pvst vlan 15 enable true
admin@SwitchD# set protocols spanning-tree pvst vlan 16 enable true

Step5         Commit the configuration.

admin@SwitchD# commit
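
The consistency rules stated in the procedure for the two MLAG peers (the same system ID within a domain, each switch's MLAG peer address being the other switch's L3 address, a static ARP entry for that peer, root guard on te-1/1/3) can be checked offline before the commit. The following Python is an added example, not Pica8 tooling: parse(), audit() and the templated sample are hypothetical names, and the sample configuration is constructed from a subset of the set commands shown above.

```python
import re

# Constructed sample: a subset of the page's set commands, templated per switch.
TEMPLATE = """\
set interface aggregate-ethernet ae1 aggregated-ether-options mlag domain-id 1
set interface aggregate-ethernet ae1 aggregated-ether-options mlag system id {sysid}
set interface mlag peer {peer} peer-link ae3
set vlan-interface interface 4094 vif 4094 address {local} prefix-length 24
set protocols arp interface 4094 address {peer} mac-address {peer_mac}
set protocols spanning-tree pvst interface te-1/1/3 root-guard true
"""
SWITCH_A = TEMPLATE.format(sysid="0A:B0:BC:00:00:00", local="10.10.0.1",
                           peer="10.10.0.2", peer_mac="A0:34:44:32:9C:23")
SWITCH_B = TEMPLATE.format(sysid="0A:B0:BC:00:00:00", local="10.10.0.2",
                           peer="10.10.0.1", peer_mac="00:18:23:30:E7:90")

def parse(cfg):
    """Extract the facts the audit needs from a block of set commands."""
    dom, sysid = {}, {}
    f = {"peer": None, "local": None, "arp": set(), "root_guard": set()}
    for line in cfg.splitlines():
        if m := re.search(r"aggregate-ethernet (\S+) .*mlag domain-id (\d+)", line):
            dom[m[1]] = m[2]
        elif m := re.search(r"aggregate-ethernet (\S+) .*mlag system id (\S+)", line):
            sysid[m[1]] = m[2].upper()
        elif m := re.search(r"interface mlag peer (\S+) peer-link", line):
            f["peer"] = m[1]
        elif m := re.search(r"vlan-interface interface \S+ vif \S+ address (\S+)", line):
            f["local"] = m[1]
        elif m := re.search(r"protocols arp interface \S+ address (\S+) mac-address", line):
            f["arp"].add(m[1])
        elif m := re.search(r"pvst interface (\S+) root-guard true", line):
            f["root_guard"].add(m[1])
    # Key system IDs by MLAG domain rather than by local LAG name.
    f["sysid"] = {dom[lag]: sid for lag, sid in sysid.items() if lag in dom}
    return f

def audit(cfg_a, cfg_b, uplinks=("te-1/1/3",)):
    """Return findings for an MLAG peer pair; an empty list means all checks pass."""
    a, b = parse(cfg_a), parse(cfg_b)
    out = []
    for d in sorted(set(a["sysid"]) | set(b["sysid"])):
        if a["sysid"].get(d) != b["sysid"].get(d):
            out.append(f"domain {d}: system ID differs between peers")
    for name, me, other in (("A", a, b), ("B", b, a)):
        if me["peer"] != other["local"]:
            out.append(f"{name}: mlag peer {me['peer']} is not the other switch's address")
        if me["peer"] not in me["arp"]:
            out.append(f"{name}: no static ARP entry for peer {me['peer']}")
        out += [f"{name}: root guard not enabled on {p}" for p in uplinks
                if p not in me["root_guard"]]
    return out
```

An empty list from `audit(SWITCH_A, SWITCH_B)` means the pair satisfies all four checks; each string in a non-empty result names the switch or domain that needs correcting.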

Verify the Configuration

  •    You can use the run show mlag configuration command to check the configuration information of MLAG.

       # Check MLAG information on Switch A.

admin@SwitchA# run show mlag configuration
Domain-id  Local-LAG  System-id          Prio  Source  Peer       Peer-link  Hello-interval  Reload-delay
---------------------------------------------------------------------------------------------------------
1          ae1        0A:B0:BC:00:00:00  0     N/A     10.10.0.2  ae3        4               0
2          ae2        0B:B0:BC:00:00:00  0     N/A     10.10.0.2  ae3        4               0

       # Check MLAG information on Switch B.

admin@SwitchB# run show mlag configuration
Domain-id  Local-LAG  System-id          Prio  Source  Peer       Peer-link  Hello-interval  Reload-delay
---------------------------------------------------------------------------------------------------------
1          ae1        0A:B0:BC:00:00:00  0     N/A     10.10.0.1  ae3        4               0
2          ae2        0B:B0:BC:00:00:00  0     N/A     10.10.0.1  ae3        4               0

  •    You can use the run show mlag peer <domain-id> command to view the status of MLAG peer device in an MLAG domain.

       # Check the MLAG peer status on Switch A.

admin@SwitchA# run show mlag peer 1
Domain-id  Peer       System-id          State  Link-status
-----------------------------------------------------------
1          10.10.0.2  0A:B0:BC:00:00:00  FULL   UP

admin@SwitchA# run show mlag peer 2
Domain-id  Peer       System-id          State  Link-status
-----------------------------------------------------------
2          10.10.0.2  0B:B0:BC:00:00:00  FULL   UP

       # Check the MLAG peer status on Switch B.

admin@SwitchB# run show mlag peer 1
Domain-id  Peer       System-id          State  Link-status
-----------------------------------------------------------
1          10.10.0.1  0A:B0:BC:00:00:00  FULL   UP

admin@SwitchB# run show mlag peer 2
Domain-id  Peer       System-id          State  Link-status
-----------------------------------------------------------
2          10.10.0.1  0B:B0:BC:00:00:00  FULL   UP

  •    You can use the run show mlag internal command to view the local MLAG interface state.

       # Check the local MLAG interface state on Switch A.

admin@SwitchA# run show mlag internal
Domain-id  Local-LAG  Flood  MAC-sync  State  Config-Match  Role
------------------------------------------------------------------
1          ae1        false  false     UP     Yes           MASTER
2          ae2        false  false     UP     Yes           MASTER

       # Check the local MLAG interface state on Switch B.

admin@SwitchB# run show mlag internal
Domain-id  Local-LAG  Flood  MAC-sync  State  Config-Match  Role
------------------------------------------------------------------
1          ae1        false  false     UP     Yes           SLAVE
2          ae2        false  false     UP     Yes           SLAVE

  •    You can use the run show spanning-tree pvst bridge command to view the bridge information of PVST.

admin@SwitchA# run show spanning-tree pvst bridge vlan 15
PVST Bridge Parameters for VLAN 15
Root Bridge: 32768.08:9e:01:39:1a:fe
Root Cost: 0
Root Port:
Hello Time: 2
Max Age: 20
Forward Delay: 15
Time Since Last Topology Change: 0 days 00:02:55
Local Parameters
Bridge ID: 4098.08:9e:01:61:65:71
Hello Time: 2
Maximum Age: 20
Forward Delay: 15 


  •    You can use the run show spanning-tree pvst interface command to view the interface information of PVST.

admin@SwitchA# run show spanning-tree pvst interface vlan 15
Rapid PVST+ Spanning Tree Interface Status for VLAN 15
Interface   Port ID    Designated  Designated Bridge        Path Cost  State       Role
                       Port ID     ID
----------  ---------  ----------  -----------------------  ---------  ----------  ---------------
ae1         128.31     128.31      32778.cc:37:ab:4f:b1:c1  20000      FORWARDING  EDGE
ae2         128.33     128.33      32778.cc:37:ab:4f:b1:c1  20000      FORWARDING  EDGE
ae3         128.35     128.35      32778.cc:37:ab:4f:b1:c1  20000      FORWARDING  EDGE


        

Copyright © 2025 Pica8 Inc. All Rights Reserved.