How to Improve and Harden Spanning-tree Configuration Configuration Note Dec 08 A4

An HP ProCurve Networking Configuration Note

How to improve and harden spanning-tree configuration on ProCurve switches

Contents

1. Introduction (page 2)
2. Network diagram (page 2)
3. Auto-Edge and Admin-Edge (page 4)
4. BPDU Protection and BPDU Filtering (page 6)
5. Spanning-tree Root Guard (page 8)
6. Loop protection (page 10)
7. Firmware versions (page 11)
8. Reference documents (page 12)


1. Introduction

This application note presents the commands that simplify and speed up the convergence of the spanning-tree protocol on a ProCurve network, while protecting against loops and unwanted topology changes.

2. Network diagram

The platform used in this document to detail the different steps of the configuration consists of:

Two Distribution switches:

- 2 x ProCurve 8212zl switches, named “Distrib-1” and “Distrib-2”, are set as Distribution switches. They aggregate multiple Edge switches redundantly.

- The Distribution switches act as redundant default gateways for the user VLANs / IP subnets defined between the Edge and Distribution switches. For details on this configuration refer to AN-I1 and AN-I2.

Two Core switches:

- The 2 Cores, “Core-1” and “Core-2”, are connected to each of the 2 Distribution switches via Gigabit uplinks. Each link is defined as a unique VLAN and IP subnet (“Routed Link”).

A Router:

- A ProCurve Secure Router 7102dl is redundantly connected to the 2 Core switches.

This hardware configuration is detailed in Figure 1 below.

Figure 1. 3-Layer topology with spanning-tree and routed network interconnection

This platform represents a typical enterprise network topology, with Edge, Distribution and Core layers. MSTP with 2 instances is implemented on the Edge and Distribution switches. Now, in order to protect the network against unwanted loops or topology changes, we are going to implement several security features on the Distribution and Edge switches.

3. Auto-Edge and Admin-Edge

Preamble: in MSTP and RSTP, ports that connect to end nodes (PCs, printers, routers, firewalls…) should be set as “Edge ports”, and inter-switch links should be set as “non-Edge ports”.

With the auto-edge-port feature, the identification of edge ports is automatic. Auto-edge-port is enabled by default on ports. The port listens for BPDUs for 3 seconds; if none arrive, it begins forwarding packets and is set as Edge; if BPDUs arrive, it is set as non-Edge. As an admin, if you do not care about the 3-second delay, auto-edge-port is an easy and recommended setup.

For a manual setup of Edge ports, enable admin-edge-port on ports connected to end nodes. During spanning-tree establishment, ports with admin-edge-port enabled transition immediately to the forwarding state. If a bridge or switch is detected on the segment, the port automatically operates as non-edge. Admin-edge-port is disabled by default.

Note: if admin-edge-port is enabled for a port, the auto-edge-port setting is ignored whether set to Yes or No. If admin-edge-port is set to No and auto-edge-port has not been disabled (set to No), then the auto-edge-port setting controls the behavior of the port.

Then, for the non-Edge ports: disable admin-edge (default value = disabled) and disable auto-edge-port (default = enabled).

Synthesis: the auto-edge feature results in the correct setting of ports (Edge or non-Edge) but introduces a delay of 3 seconds. To bypass this delay, set your Edge ports as “Admin-Edge”. For the non-Edge ports, disable admin-edge (default value) and disable auto-edge-port.

In our platform, the following ports/modules are configured as “admin edge”:

- Ports A1-B24 on switches Distrib-1, Distrib-2 and Edge-2, and ports 1-24 on switch Edge-1 (3500yl)

The following ports/modules are configured as “no auto edge”:

- C1-C4 on switches Distrib-1, Distrib-2 and Edge-2, and A1-A4 on switch Edge-1 (3500yl)

Configuration example on Distrib-1:

! User ports A1-B24 are defined as admin-edge
Distrib-1(config)# spanning-tree A1-A24, B1-B24 admin-edge-port

! Auto-edge is disabled on uplink ports
Distrib-1(config)# no spanning-tree C1-C4 auto-edge-port

To view the edge configuration and status of all switch ports, use the command “show spanning-tree config”:

Distrib-1# show spanning-tree config

 Multiple Spanning Tree (MST) Configuration Information

  STP Enabled [No] : Yes
  Force Version [MSTP-operation] : MSTP-operation
  Default Path Costs [802.1t] : 802.1t
  MST Configuration Name : B10
  MST Configuration Revision : 1
  Switch Priority : 0
  Forward Delay [15] : 15
  Hello Time [2] : 2
  Max Age [20] : 20
  Max Hops [20] : 20

                  | Path      Prio  Admin Auto  Admin Hello  Root   TCN    BPDU
  Port  Type      | Cost      rity  Edge  Edge  PtP   Time   Guard  Guard  Flt
  ----- --------- + --------- ----- ----- ----- ----- ------ ------ ------ ----
  A1    100/1000T | Auto      128   No    No    True  Global No     No     Yes
  A2    100/1000T | Auto      128   No    No    True  Global No     No     Yes
  ...
  B23   100/1000T | Auto      128   Yes   Yes   True  Global No     No     No
  B24   100/1000T | Auto      128   Yes   Yes   True  Global No     No     No
  C1    10GbE-SR  | Auto      128   No    No    True  Global No     No     No
  C2    10GbE-SR  | Auto      128   No    No    True  Global No     No     No
  C3    10GbE-SR  | Auto      128   No    No    True  Global No     No     No
  C4              | Auto      128   Yes   Yes   True  Global No     No     No

4. BPDU Protection and BPDU Filtering

The switch should never receive spanning-tree BPDUs on “user” ports. If it happens, it means that somebody connected a switch on a port where it should not be connected. The danger of connecting an unwanted switch to the network is that it can cause the spanning-tree algorithm to recalculate, completely change the topology and forward traffic over the “wrong” links.

To protect the network against such behavior, 2 security features exist: BPDU filtering and BPDU protection.

BPDU filtering allows control of spanning-tree participation on a per-port basis. When enabled on a port, it excludes the port from any spanning-tree participation: the port ignores spanning-tree BPDUs and stays locked in the “forwarding” state.

BPDU protection prevents unwanted BPDUs from entering the spanning-tree domain. It is usually used on ports connected to devices that do not support spanning tree. When enabled on a port, BPDU protection disables the port for a given period (configurable timeout) if a BPDU is received. In our case a 300 s timeout will be used for port deactivation.

Basically, ports connected to identified devices that do not support spanning tree should be configured with BPDU filtering. Ports not connected to anything yet should be configured with BPDU protection, which disables the port in case of a spoofed-BPDU attack.

In our configuration examples, ports connected to routed links are configured with BPDU filtering:

- Ports A1-A2 on Distrib-1 and Distrib-2

Other edge ports are configured with BPDU protection:

- Ports A3-A24 and B1-B24 on Distrib-1 and Distrib-2
- Ports A1-A24 and B1-B24 on Edge-2
- Ports 1-24 on Edge-1

Example on Distrib-1:

! BPDU filtering configuration:
Distrib-1(config)# spanning-tree A1-A2 bpdu-filter

! Timeout configuration:
Distrib-1(config)# spanning-tree bpdu-protection-timeout 300

! BPDU protection configuration:
Distrib-1(config)# spanning-tree A1-A24, B1-B24 bpdu-protection

To view the status of these features, use the commands show spanning-tree config, show spanning-tree bpdu-protection and show run | include bpdu-protection:

Distrib-1# show spanning-tree Config

                  | Path      Prio  Admin Auto  Admin Hello  Root   TCN    BPDU
  Port  Type      | Cost      rity  Edge  Edge  PtP   Time   Guard  Guard  Flt
  ----- --------- + --------- ----- ----- ----- ----- ------ ------ ------ ----
  A1    100/1000T | Auto      128   No    No    True  Global No     No     Yes
  A2    100/1000T | Auto      128   No    No    True  Global No     No     Yes

Distrib-1# show spanning-tree bpdu-protection

 Status and Counters - STP Port(s) BPDU Protection Information

  BPDU Protection Timeout (sec) : 300
  BPDU Protected Ports : A3-A24,B3-B24

Distrib-1# show run | include bpdu-protection

spanning-tree A21 bpdu-protection
...
spanning-tree A24 bpdu-protection
spanning-tree B1 bpdu-protection
...
spanning-tree B24 bpdu-protection
spanning-tree bpdu-protection-timeout 300 priority 0

5. Spanning-tree Root Guard

When a port is enabled as root-guard, it cannot be selected as the root port even if it receives superior STP BPDUs. The port is assigned an “alternate” port role and enters a blocking state if it receives superior STP BPDUs. A superior BPDU contains “better” information on the root bridge and/or path cost to the root bridge, which would normally replace the current root bridge selection. Superior BPDUs received on a port enabled as root-guard are ignored. All other BPDUs are accepted, and the external devices may belong to the spanning tree as long as they do not claim to be the Root device.

Use this command on MSTP Distribution switch ports that are connected to Edge switches that may come with a “wrong” configuration, or to devices located in other administrative network domains, to:

• Ensure the stability of the core MSTP network topology so that undesired or damaging influences external to the network do not enter.

• Protect the configuration of the CIST root bridge that serves as the common root for the entire network.

Default: the root-guard setting is disabled.

In our example, we will enable Root Guard on the Distribution switch ports that connect to Edge switches.

Root Guard configuration on Distrib-1 and Distrib-2:

Distrib-1# / Distrib-2# spanning-tree A1,C1,C2 root-guard

Configuration example on Distrib-1:

! Root Guard configuration:
Distrib-1(config)# spanning-tree C2-C3 root-guard

To view the status of root guard protection:

Distrib-1# show spanning-tree config

                  | Path      Prio  Admin Auto  Admin Hello  Root   TCN    BPDU
  Port  Type      | Cost      rity  Edge  Edge  PtP   Time   Guard  Guard  Flt
  ----- --------- + --------- ----- ----- ----- ----- ------ ------ ------ ----
  A1    100/1000T | Auto      128   No    No    True  Global No     No     Yes
  A2    100/1000T | Auto      128   No    No    True  Global No     No     Yes
  ...
  B23   100/1000T | Auto      128   Yes   Yes   True  Global No     No     No
  B24   100/1000T | Auto      128   Yes   Yes   True  Global No     No     No
  C1    10GbE-SR  | Auto      128   No    No    True  Global No     No     No
  C2    10GbE-SR  | Auto      128   No    No    True  Global Yes    No     No
  C3    10GbE-SR  | Auto      128   No    No    True  Global Yes    No     No
  C4              | Auto      128   Yes   Yes   True  Global No     No     No
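Sections 3 to 5 together define a per-port policy (user ports admin-edge and BPDU-protected, routed links BPDU-filtered, uplinks towards Edge switches non-edge with root-guard, unconnected ports BPDU-protected), and the “show” output above is the only place to verify it. The following Python script is an added example, not part of this note or of HP's tooling: it parses the port table of “show spanning-tree config” and the port list of “show spanning-tree bpdu-protection” and reports every port that deviates from that policy. The output embedded in it is constructed in the layout of the K.13 commands (it is not captured from Distrib-1), and the PORT_ROLES map is an assumption modelled on Distrib-1, with two ports deliberately left non-compliant so the audit has something to report.

```python
import re
from dataclasses import dataclass

# Constructed sample output (not captured from the note's switches), in the
# layout of 'show spanning-tree config' and 'show spanning-tree bpdu-protection'.
SHOW_STP_CONFIG = """\
                  | Path      Prio  Admin Auto  Admin Hello  Root   TCN    BPDU
  Port  Type      | Cost      rity  Edge  Edge  PtP   Time   Guard  Guard  Flt
  ----- --------- + --------- ----- ----- ----- ----- ------ ------ ------ ----
  A1    100/1000T | Auto      128   Yes   No    True  Global No     No     Yes
  A2    100/1000T | Auto      128   Yes   No    True  Global No     No     Yes
  A3    100/1000T | Auto      128   Yes   Yes   True  Global No     No     No
  B24   100/1000T | Auto      128   No    Yes   True  Global No     No     No
  C1    10GbE-SR  | Auto      128   No    Yes   True  Global No     No     No
  C2    10GbE-SR  | Auto      128   No    No    True  Global Yes    No     No
  C3    10GbE-SR  | Auto      128   No    No    True  Global Yes    No     No
  C4              | Auto      128   No    No    True  Global No     No     No
"""
SHOW_BPDU_PROTECTION = """\
 Status and Counters - STP Port(s) BPDU Protection Information

  BPDU Protection Timeout (sec) : 300
  BPDU Protected Ports : A3-A24,B1-B23
"""
# Assumed port roles, modelled on Distrib-1: routed links to the Core, user
# ports, uplinks to Edge switches, and a port with nothing connected yet.
PORT_ROLES = {"routed": "A1-A2", "user": "A3-A24,B1-B24", "uplink": "C1-C3", "unused": "C4"}


@dataclass
class StpPort:
    port: str
    admin_edge: bool
    auto_edge: bool
    root_guard: bool
    bpdu_filter: bool


# One data row: port, optional type, '|', cost, priority, then the Yes/No flags.
ROW_RE = re.compile(
    r"^\s*(?P<port>\S+)\s*(?P<type>\S*)\s*\|\s*\S+\s+\d+\s+"
    r"(?P<admin_edge>Yes|No)\s+(?P<auto_edge>Yes|No)\s+\S+\s+\S+\s+"
    r"(?P<root_guard>Yes|No)\s+(?:Yes|No)\s+(?P<bpdu_flt>Yes|No)\s*$"
)
PORT_RE = re.compile(r"^([A-Za-z]*)(\d+)$")


def expand_ports(spec: str) -> set[str]:
    """Expand a ProCurve port list such as 'A3-A24,B1-B23,C4' into single ports."""
    ports: set[str] = set()
    for item in filter(None, spec.replace(" ", "").split(",")):
        lo, _, hi = item.partition("-")
        m_lo, m_hi = PORT_RE.match(lo), PORT_RE.match(hi or lo)
        if not (m_lo and m_hi) or m_lo.group(1) != m_hi.group(1):
            raise ValueError(f"unsupported port range: {item!r}")
        slot = m_lo.group(1)
        ports.update(f"{slot}{n}" for n in range(int(m_lo.group(2)), int(m_hi.group(2)) + 1))
    return ports


def parse_stp_config(output: str) -> list[StpPort]:
    """Pull the per-port rows out of 'show spanning-tree config'; header lines never match."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(StpPort(m["port"], m["admin_edge"] == "Yes", m["auto_edge"] == "Yes",
                                m["root_guard"] == "Yes", m["bpdu_flt"] == "Yes"))
    return rows


def parse_bpdu_protected(output: str) -> set[str]:
    """Port set from the 'BPDU Protected Ports :' line of 'show spanning-tree bpdu-protection'."""
    m = re.search(r"BPDU Protected Ports\s*:\s*(\S*)", output)
    return expand_ports(m.group(1)) if m and m.group(1) else set()


def audit(stp_output: str, bpdu_output: str, roles: dict[str, str]) -> list[tuple[str, str]]:
    """Return (port, problem) pairs for every port that deviates from the note's policy."""
    role_of = {p: role for role, spec in roles.items() for p in expand_ports(spec)}
    protected = parse_bpdu_protected(bpdu_output)
    findings = []
    for p in parse_stp_config(stp_output):
        role, guarded = role_of.get(p.port), p.port in protected
        if role is None:
            findings.append((p.port, "no role assigned; classify it before trusting its settings"))
        elif role == "user":
            if not p.admin_edge:
                findings.append((p.port, "user port is not admin-edge (3 s auto-edge delay)"))
            if not guarded:
                findings.append((p.port, "user port lacks bpdu-protection"))
            if p.bpdu_filter:
                findings.append((p.port, "user port filters BPDUs; a rogue switch would go unnoticed"))
        elif role == "routed":
            if not p.bpdu_filter:
                findings.append((p.port, "routed link should be bpdu-filter"))
        elif role == "uplink":
            if p.admin_edge or p.auto_edge:
                findings.append((p.port, "uplink must be non-edge: clear admin-edge and auto-edge"))
            if not p.root_guard:
                findings.append((p.port, "uplink to an Edge switch lacks root-guard"))
            if guarded or p.bpdu_filter:
                findings.append((p.port, "uplink must exchange BPDUs: no bpdu-protection or bpdu-filter"))
        elif role == "unused" and not guarded:
            findings.append((p.port, "unused port lacks bpdu-protection"))
    return findings


if __name__ == "__main__":
    for port, problem in audit(SHOW_STP_CONFIG, SHOW_BPDU_PROTECTION, PORT_ROLES):
        print(f"{port}: {problem}")
```

Running it against the constructed output flags B24 (a user port left non-edge and outside the protected range), C1 (an uplink still auto-edge and without root-guard) and C4 (an unused port without BPDU protection). To use it on a real switch, paste the two command outputs into the two strings and adjust PORT_ROLES to the switch's cabling; a port that appears in the table without a role is reported on purpose, since an unclassified port is exactly the one a rogue switch ends up on.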

6. Loop protection

The loop protection mechanism is used to prevent accidental loops that can occur when an unmanaged device that is not spanning-tree capable is connected and drops spanning-tree packets. When loop protection is enabled on a port, the port sends out a loop-protocol packet; if it then receives that same packet back, it disables the port for a configurable time (disable-timer). Loop protection should be activated on all ports.

Loop protect configuration example on Distrib-1:

! Disable timer configuration:
Distrib-1(config)# loop-protect disable-timer 300

! Loop-protection activation:
Distrib-1(config)# loop-protect A1-A24, B1-B24, C1-C4

Loop protection port status check:

Distrib-1(config)# show loop-protect

 Status and Counters - Loop Protection Information

  Transmit Interval (sec) : 5
  Port Disable Timer (sec) : 300
  Loop Detected Trap : Disabled

  Port  Loop         Loop      Loop   Time Since        Rx            Port
        Protection   Detected  Count  Last Loop         Action        Status
  ----  -----------  --------  -----  ----------------  ------------  --------
  A1    Yes          No        0                        send-disable  Up
  A2    Yes          No        0                        send-disable  Down
  ...
  B23   Yes          No        0                        send-disable  Down
  B24   Yes          No        0                        send-disable  Up
  C1    Yes          No        0                        send-disable  Up
  C2    Yes          No        0                        send-disable  Up
  C3    Yes          No        0                        send-disable  Down
  C4    Yes          No        0                        send-disable  Down
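The “show loop-protect” table is what an operator reads when a port goes down unexpectedly, so a check that turns it into findings is useful. The following Python script is an added example (not part of this note or of HP's tooling): it parses the global settings and the port rows and reports two things, ports where loop protection is not enabled (the note wants it on every port) and ports that a detected loop has disabled, including the disable-timer after which the switch re-enables them. The output embedded in it is constructed in the layout of the K.13 command (not captured from Distrib-1); the “Time Since Last Loop” value is an assumed format, and the trap check is a recommendation added here, not one the note makes.

```python
import re

# Constructed sample (not from the note): B24 lacks loop-protect, C3 has tripped it.
SHOW_LOOP_PROTECT = """\
 Status and Counters - Loop Protection Information

  Transmit Interval (sec) : 5
  Port Disable Timer (sec) : 300
  Loop Detected Trap : Disabled

  Port  Loop         Loop      Loop   Time Since        Rx            Port
        Protection   Detected  Count  Last Loop         Action        Status
  ----  -----------  --------  -----  ----------------  ------------  --------
  A1    Yes          No        0                        send-disable  Up
  A2    Yes          No        0                        send-disable  Down
  B24   No           No        0                        send-disable  Up
  C3    Yes          Yes       1      0d 0h 2m 10s      send-disable  Down
"""

# One port row; 'since' is empty until a loop has been seen, so it is matched lazily.
ROW_RE = re.compile(
    r"^\s*(?P<port>\S+)\s+(?P<prot>Yes|No)\s+(?P<det>Yes|No)\s+(?P<count>\d+)\s+"
    r"(?P<since>.*?)\s*(?P<action>send-disable|no-disable)\s+(?P<status>Up|Down)\s*$"
)


def parse_loop_protect(output: str) -> tuple[dict[str, str], list[dict]]:
    """Return the 'key : value' global settings and one dict per port row."""
    settings, rows = {}, []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({**m.groupdict(), "count": int(m["count"])})
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip():
            settings[key.strip()] = value.strip()
    return settings, rows


def loop_findings(output: str) -> list[tuple[str, str]]:
    """(port, message) pairs: missing protection, and ports disabled by a detected loop."""
    settings, rows = parse_loop_protect(output)
    timer = settings.get("Port Disable Timer (sec)", "?")
    findings = []
    if settings.get("Loop Detected Trap") == "Disabled":
        # Added recommendation (not in the note): without the trap, a loop only
        # shows up as a port that went down.
        findings.append(("(global)", "loop-detected SNMP trap is disabled"))
    for r in rows:
        if r["prot"] != "Yes":
            findings.append((r["port"], "loop protection not enabled"))
        if r["count"] > 0:
            disabled = r["status"] == "Down" and r["action"] == "send-disable"
            msg = f"loop detected {r['count']}x, last {r['since']} ago, port "
            msg += f"disabled (re-enables after {timer} s)" if disabled else "still up"
            findings.append((r["port"], msg))
    return findings


if __name__ == "__main__":
    for port, msg in loop_findings(SHOW_LOOP_PROTECT):
        print(f"{port}: {msg}")
```

On the constructed sample this reports the disabled trap, B24 without loop protection, and C3 disabled by a loop detected 2 minutes ago with the 300 s disable-timer noted. A2 is Down but reports nothing: with a loop count of 0 that is simply a link without a peer, not a loop event.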

7. Firmware versions

The switch firmware versions used in this application note are:

- ProCurve switches 3500yl, 5406zl and 8212zl: K.13.25

8. Reference documents

This concludes the procedure for hardening MSTP on ProCurve switches. For further information about how to configure MSTP security features on ProCurve switches 3500yl, 5400zl and 8212zl, please refer to the following links:

- ProCurve Advanced Traffic Management Guide for the ProCurve Series 3500yl/6200yl/5400zl/8212zl Switches, Chapter 4, Multiple Instance Spanning-Tree Operation: http://cdn.procurve.com/training/Manuals/3500-5400-6200-8200-ATG-Jan08-4-MSTP.pdf

- Command Line Reference Guide: http://cdn.procurve.com/training/Manuals/8200-6200-5400-3500-CLI-K13-Mar2008.pdf

For further information, please visit www.procurve.eu

© 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

4AA2-3657EEE, December 2008

