
An HP ProCurve Networking Configuration Note

How to improve and harden spanning-tree configuration on ProCurve switches

Contents
1. Introduction
2. Network diagram
3. Auto-Edge and Admin-Edge
4. BPDU Protection and BPDU Filtering
5. Spanning-tree Root Guard
6. Loop protection
7. Firmware versions
8. Reference documents


1. Introduction
This application note presents the commands that ease and speed up the convergence of the spanning-tree protocol on a ProCurve network, while protecting against loops and unwanted topology changes.

2. Network diagram
The platform used in this document to detail the different configuration steps consists of:

Two Distribution switches:
- 2 x ProCurve 8212zl switches, named Distrib-1 and Distrib-2, act as Distribution switches. They aggregate multiple Edge switches redundantly.
- The Distribution switches act as redundant default gateways for the user VLANs/IP subnets defined between the Edge and Distribution switches. For details on this configuration refer to AN-I1 and AN-I2.

Two Core switches:
- The two Cores, Core-1 and Core-2, are connected to each of the two Distribution switches via Gigabit uplinks. Each link is defined as a unique VLAN and IP subnet (routed link).

A Router:
- A ProCurve Secure Router 7102dl is redundantly connected to the two Core switches.

This hardware configuration is detailed in Figure-1 below.



Figure 1. 3-Layer topology with spanning-tree and routed network interconnection

This platform represents a typical enterprise network topology, with Edge, Distribution and Core layers. Multiple Spanning Tree (MSTP) with two instances is implemented on the Edge and Distribution switches. In order to protect the network against unwanted loops or topology changes, we are now going to implement several security features on the Distribution and Edge switches.


3. Auto-Edge and Admin-Edge

Preamble: in MSTP and RSTP, ports that connect to end nodes (PCs, printers, routers, firewalls) should be set as Edge ports, and inter-switch links should be set as non-Edge ports.

With the auto-edge-port feature, the identification of Edge ports is automatic. Auto-edge-port is enabled by default on all ports. The port listens for BPDUs for 3 seconds; if none arrive, it begins forwarding packets and is set as Edge; if BPDUs are received, it is set as non-Edge. As an admin, if you do not mind the 3 s delay, auto-edge-port is an easy and recommended setup.

For a manual setup of Edge ports, enable admin-edge-port on ports connected to end nodes. During spanning-tree establishment, ports with admin-edge-port enabled transition immediately to the forwarding state. If a bridge or switch is detected on the segment, the port automatically operates as non-Edge. Admin-edge-port is disabled by default.

Note: if admin-edge-port is enabled for a port, the auto-edge-port setting is ignored, whether set to Yes or No. If admin-edge-port is set to No and auto-edge-port has not been disabled (set to No), then the auto-edge-port setting controls the behaviour of the port. For non-Edge ports, therefore, leave admin-edge-port disabled (default = disabled) and disable auto-edge-port (default = enabled).

Synthesis: the auto-edge feature results in the correct setting of ports (Edge or non-Edge) but introduces a delay of 3 seconds. To bypass this delay, set your Edge ports as Admin-Edge. For non-Edge ports, disable admin-edge (default value) and disable auto-edge-port.

In our platform, the following ports/modules are configured as admin-edge:
- Ports A1-B24 on switches Distrib-1, Distrib-2 and Edge-2, and ports 1-24 on switch Edge-1 (3500yl)

The following ports/modules are configured as no auto-edge:
- Ports C1-C4 on switches Distrib-1, Distrib-2 and Edge-2, and ports A1-A4 on switch Edge-1 (3500yl)


Configuration example on Distrib-1:

! User ports A1-B24 are defined as admin-edge
Distrib-1(config)# spanning-tree A1-A24,B1-B24 admin-edge-port

! Auto-edge is disabled on uplink ports
Distrib-1(config)# no spanning-tree C1-C4 auto-edge-port

To view the edge configuration and status of all switch ports, use the command show spanning-tree config:

Distrib-1# show spanning-tree config

 Multiple Spanning Tree (MST) Configuration Information

  STP Enabled [No] : Yes
  Force Version [MSTP-operation] : MSTP-operation
  Default Path Costs [802.1t] : 802.1t
  MST Configuration Name : B10
  MST Configuration Revision : 1
  Switch Priority : 0
  Forward Delay [15] : 15
  Hello Time [2] : 2
  Max Age [20] : 20
  Max Hops [20] : 20

  Port  Type      | Path  Prio  Admin  Auto  Admin  Hello   Root   TCN    BPDU
                  | Cost  rity  Edge   Edge  PtP    Time    Guard  Guard  Flt
  ----- --------- + ----- ----- ------ ----- ------ ------- ------ ------ ----
  A1    100/1000T | Auto  128   No     No    True   Global  No     No     Yes
  A2    100/1000T | Auto  128   No     No    True   Global  No     No     Yes
  ...
  B23   100/1000T | Auto  128   Yes    Yes   True   Global  No     No     No
  B24   100/1000T | Auto  128   Yes    Yes   True   Global  No     No     No
  C1    10GbE-SR  | Auto  128   No     No    True   Global  No     No     No
  C2    10GbE-SR  | Auto  128   No     No    True   Global  No     No     No
  C3    10GbE-SR  | Auto  128   No     No    True   Global  No     No     No
  C4              | Auto  128   Yes    Yes   True   Global  No     No     No


4. BPDU Protection and BPDU Filtering

The switch should never receive spanning-tree BPDUs on user ports. If it does, it means that somebody connected a switch to a port where no switch should be connected. The danger of an unwanted switch joining the network is that it can force the spanning-tree algorithm to recalculate, completely changing the topology and forwarding traffic over the wrong links.

To protect the network against this behaviour, two security features exist: BPDU filtering and BPDU protection.

BPDU filtering allows control of spanning-tree participation on a per-port basis. When enabled on a port, it excludes the port from any spanning-tree participation: the port ignores spanning-tree BPDUs and stays locked in the forwarding state.

BPDU protection prevents unwanted BPDUs from entering the spanning-tree domain. It is usually used on ports connected to devices that do not support spanning-tree. When enabled on a port, BPDU protection disables the port for a given period (configurable timeout) if a BPDU is received. In our case, a 300 s timeout is used for port deactivation.

Basically, ports connected to identified devices that do not support spanning-tree should be configured with BPDU filtering. Ports not connected to anything yet should be configured with BPDU protection, which disables the port in case of a spoofed-BPDU attack.

In our configuration examples, ports connected to routed links are configured with BPDU filtering:
- Ports A1-A2 on Distrib-1 and Distrib-2

Other Edge ports are configured with BPDU protection:
- Ports A3-A24 and B1-B24 on Distrib-1 and Distrib-2
- Ports A1-A24 and B1-B24 on Edge-2
- Ports 1-24 on Edge-1


Example on Distrib-1:

! BPDU filtering configuration (routed links):
Distrib-1(config)# spanning-tree A1-A2 bpdu-filter

! Timeout configuration:
Distrib-1(config)# spanning-tree bpdu-protection-timeout 300

! BPDU protection configuration (A1-A2 are excluded: they carry the filtered routed links)
Distrib-1(config)# spanning-tree A3-A24,B1-B24 bpdu-protection


To view the status of these features, use the commands show spanning-tree config, show spanning-tree bpdu-protection and show run | include bpdu-protection:

Distrib-1# show spanning-tree config

  Port  Type      | Path  Prio  Admin  Auto  Admin  Hello   Root   TCN    BPDU
                  | Cost  rity  Edge   Edge  PtP    Time    Guard  Guard  Flt
  ----- --------- + ----- ----- ------ ----- ------ ------- ------ ------ ----
  A1    100/1000T | Auto  128   No     No    True   Global  No     No     Yes
  A2    100/1000T | Auto  128   No     No    True   Global  No     No     Yes

Distrib-1# show spanning-tree bpdu-protection

 Status and Counters - STP Port(s) BPDU Protection Information

  BPDU Protection Timeout (sec) : 300
  BPDU Protected Ports          : A3-A24,B3-B24

Distrib-1# show run | include bpdu-protection

spanning-tree A21 bpdu-protection
...
spanning-tree A24 bpdu-protection
spanning-tree B1 bpdu-protection
...
spanning-tree B24 bpdu-protection
spanning-tree bpdu-protection-timeout 300
spanning-tree priority 0

5. Spanning-tree Root Guard

When a port is enabled as root-guard, it cannot be selected as the root port even if it receives superior STP BPDUs. Instead, the port is assigned the alternate port role and enters a blocking state when it receives superior STP BPDUs. A superior BPDU contains better information on the root bridge and/or the path cost to the root bridge, which would normally replace the current root bridge selection. Superior BPDUs received on a root-guard port are ignored. All other BPDUs are accepted, so external devices may belong to the spanning tree as long as they do not claim to be the root device.

Use this command on MSTP Distribution switch ports that connect to Edge switches that may arrive with a wrong configuration, or to devices located in other administrative network domains, in order to:
- Ensure the stability of the core MSTP network topology, so that undesired or damaging influences external to the network do not enter.
- Protect the configuration of the CIST root bridge that serves as the common root for the entire network.

Default: the root-guard setting is disabled.


In our example, we'll enable Root Guard on the ports of the Distribution switches that connect to Edge switches.

Root Guard configuration on Distrib-1 and Distrib-2:
Distrib-1# / Distrib-2# spanning-tree A1,C1,C2 root-guard

Configuration example on Distrib-1:

! Root Guard configuration:
Distrib-1(config)# spanning-tree C2-C3 root-guard


To view the status of root guard protection:

Distrib-1# show spanning-tree config

  Port  Type      | Path  Prio  Admin  Auto  Admin  Hello   Root   TCN    BPDU
                  | Cost  rity  Edge   Edge  PtP    Time    Guard  Guard  Flt
  ----- --------- + ----- ----- ------ ----- ------ ------- ------ ------ ----
  A1    100/1000T | Auto  128   No     No    True   Global  No     No     Yes
  A2    100/1000T | Auto  128   No     No    True   Global  No     No     Yes
  ...
  B23   100/1000T | Auto  128   Yes    Yes   True   Global  No     No     No
  B24   100/1000T | Auto  128   Yes    Yes   True   Global  No     No     No
  C1    10GbE-SR  | Auto  128   No     No    True   Global  No     No     No
  C2    10GbE-SR  | Auto  128   No     No    True   Global  Yes    No     No
  C3    10GbE-SR  | Auto  128   No     No    True   Global  Yes    No     No
  C4              | Auto  128   Yes    Yes   True   Global  No     No     No
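Sections 3 to 5 all end with the same check: reading show spanning-tree config and show spanning-tree bpdu-protection to confirm that user ports are admin-edge and BPDU-protected, routed links are BPDU-filtered, and uplinks are non-edge with root-guard. The following Python script is an added example, not part of this HP note or of any ProCurve tooling: it parses a constructed sample of that table, expands the ProCurve port list, and reports ports that deviate from the recommended settings. The port-role mapping for Distrib-1, the sample rows and the policy rules are assumptions written for this example.

```python
import re

# Constructed sample, laid out like the 'show spanning-tree config' table in this note.
STP_CONFIG = """\
  Port  Type      | Path     Prio  Admin Auto  Admin Hello   Root  TCN   BPDU
  A1    100/1000T | Auto     128   No    No    True  Global  No    No    Yes
  A3    100/1000T | Auto     128   No    Yes   True  Global  No    No    No
  C1    10GbE-SR  | Auto     128   No    No    True  Global  No    No    No
  C2    10GbE-SR  | Auto     128   No    No    True  Global  Yes   No    No
  C4    10GbE-SR  | Auto     128   Yes   Yes   True  Global  No    No    No
"""
BPDU_PROTECTED = "A3-A24,B3-B24"  # as listed by 'show spanning-tree bpdu-protection'
# Port roles on Distrib-1 as laid out in the note (assumed for this audit).
ROLES = {"A1": "routed", "A3": "user", "C1": "uplink", "C2": "uplink", "C4": "uplink"}
COLS = ("path_cost", "prio", "admin_edge", "auto_edge", "admin_ptp",
        "hello", "root_guard", "tcn_guard", "bpdu_flt")
ROW = re.compile(r"^\s*([A-Z]?\d+)\s+(\S*)\s*\|\s*(.*)$")

def parse_stp_config(text):
    """Return {port: {column: value}} for every data row of the table."""
    rows = (ROW.match(line) for line in text.splitlines())
    return {m.group(1): dict(zip(COLS, m.group(3).split())) for m in rows if m}

def expand_ports(port_list):
    """Expand a ProCurve port list such as 'A3-A24,B3-B24' into a set."""
    ports = set()
    for item in port_list.split(","):
        lo, _, hi = item.partition("-")
        slot, start = re.match(r"([A-Z]*)(\d+)", lo).groups()
        end = int(hi.lstrip(slot)) if hi else int(start)
        ports.update(f"{slot}{n}" for n in range(int(start), end + 1))
    return ports

def audit(stp_text, protected_list, roles):
    protected, findings = expand_ports(protected_list), []
    for port, cfg in parse_stp_config(stp_text).items():
        role = roles.get(port)
        if role == "user":        # end nodes: admin-edge plus bpdu-protection
            if cfg["admin_edge"] != "Yes":
                findings.append(f"{port}: user port without admin-edge")
            if port not in protected:
                findings.append(f"{port}: user port without bpdu-protection")
        elif role == "routed":    # L3 neighbour: bpdu-filter keeps it out of STP
            if cfg["bpdu_flt"] != "Yes":
                findings.append(f"{port}: routed link without bpdu-filter")
        elif role == "uplink":    # inter-switch link: non-edge plus root-guard
            if "Yes" in (cfg["admin_edge"], cfg["auto_edge"]):
                findings.append(f"{port}: uplink still treated as edge port")
            if cfg["root_guard"] != "Yes":
                findings.append(f"{port}: uplink without root-guard")
    return findings
```

Paste the real command output into STP_CONFIG and BPDU_PROTECTED, adjust ROLES to the switch being checked, and audit() returns one line per deviation (an empty list means the port settings match the policy).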

6. Loop protection
The loop protection mechanism is used to prevent accidental loops that can occur when unmanaged, non-spanning-tree-capable equipment is connected and drops spanning-tree packets. When loop protection is enabled on a port, the port sends out a loop-protocol packet; if it then receives that same packet back, it disables the port for a configurable time (disable-timer). Loop protection should be activated on all ports.


Loop protect configuration example on Distrib-1:

! Disable timer configuration:
Distrib-1(config)# loop-protect disable-timer 300

! Loop-protection activation:
Distrib-1(config)# loop-protect A1-A24,B1-B24,C1-C4

Loop protection ports status check:

Distrib-1(config)# show loop-protect

 Status and Counters - Loop Protection Information

  Transmit Interval (sec)  : 5
  Port Disable Timer (sec) : 300
  Loop Detected Trap       : Disabled

        Loop        Loop      Loop   Time Since  Rx            Port
  Port  Protection  Detected  Count  Last Loop   Action        Status
  ----  ----------  --------  -----  ----------  ------------  ------
  A1    Yes         No        0                  send-disable  Up
  A2    Yes         No        0                  send-disable  Down
  ...
  B23   Yes         No        0                  send-disable  Down
  B24   Yes         No        0                  send-disable  Up
  C1    Yes         No        0                  send-disable  Up
  C2    Yes         No        0                  send-disable  Up
  C3    Yes         No        0                  send-disable  Down
  C4    Yes         No        0                  send-disable  Down

7. Firmware versions
The switch firmware version used in this application note is K.13.25 for the ProCurve 3500yl, 5406zl and 8212zl switches.


8. Reference documents
This concludes the procedure for hardening MSTP on ProCurve switches. For further information about how to configure MSTP security features on ProCurve 3500yl, 5400zl and 8212zl switches, please refer to the following documents:
- ProCurve Advanced Traffic Management Guide for the ProCurve Series 3500yl/6200yl/5400zl/8212zl Switches, Chapter 4 - Multiple Instance Spanning-Tree Operation: http://cdn.procurve.com/training/Manuals/3500-5400-62008200-ATG-Jan08-4-MSTP.pdf
- Command Line Reference Guide: http://cdn.procurve.com/training/Manuals/8200-6200-5400-3500-CLI-K13Mar2008.pdf

For further information, please visit www.procurve.eu


2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

4AA2-3657EEE, December 2008
