How To Improve and Harden Spanning-Tree Configuration Configuration Note Dec 08 A4
Contents
1. Introduction (page 2)
2. Network diagram (page 2)
3. Auto-Edge and Admin-Edge (page 4)
4. BPDU Protection and BPDU Filtering (page 6)
5. Spanning-tree Root Guard (page 8)
6. Loop protection (page 10)
7. Firmware versions (page 11)
8. Reference documents (page 12)
1. Introduction
This application note presents commands that simplify and speed up spanning-tree convergence on a ProCurve network, while protecting the network against loops and unwanted topology changes.
2. Network diagram
The platform used in this document to detail the configuration steps consists of:

Two Distribution switches:
- 2 x ProCurve 8212zl switches, named Distrib-1 and Distrib-2, are set as Distribution switches. They aggregate multiple Edge switches redundantly.
- The Distribution switches act as redundant default gateways for the user VLANs / IP subnets defined between the Edge and Distribution switches. For details on this configuration, refer to AN-I1 and AN-I2.

Two Core switches:
- The two Cores, Core-1 and Core-2, are connected to each of the two Distribution switches via Gigabit uplinks. Each link is defined as a unique VLAN and IP subnet (routed link).

A Router:
- A ProCurve Secure Router 7102dl is redundantly connected to the two Core switches.
HP ProCurve Networking
This platform represents a typical enterprise network topology with Edge, Distribution and Core layers. Multiple Spanning Tree (MSTP) with two instances is implemented on the Edge and Distribution switches. To protect the network against unwanted loops or topology changes, we are going to implement several security features on the Distribution and Edge switches.
3. Auto-Edge and Admin-Edge
! User ports A1-B24 are defined as admin-edge
Distrib-1(config)# spanning-tree A1-A24, B1-B24 admin-edge-port
To view the edge configuration and status of all switch ports, use the command show spanning-tree config:
Force Version [MSTP-operation] : MSTP-operation
Default Path Costs [802.1t] : 802.1t
MST Configuration Name : B10
MST Configuration Revision : 1
Switch Priority : 0
Forward Delay [15] : 15
Hello Time [2] : 2
Max Age [20] : 20
Max Hops [20] : 20

Port  Type      | Path Cost  Priority                       Root Guard  TCN Guard  BPDU Flt
----- --------- + ---------  --------  --  --  ----  ------  ----------  ---------  --------
A1    100/1000T | Auto       128       No  No  True  Global  No          No         Yes
A2    100/1000T | Auto       128       No  No  True  Global  No          No         Yes

Port  Root Guard  TCN Guard  BPDU Flt
B23   No          No         No
B24   No          No         No
C1    No          No         No
C2    No          No         No
C3    No          No         No
C4    No          No         No
4. BPDU Protection and BPDU Filtering
Basically, ports connected to identified devices that do not support spanning-tree should be configured with BPDU filtering. Ports not yet connected to anything should be configured with BPDU protection, which disables the port if it receives a BPDU, for example during a spoofed-BPDU attack. In our configuration examples, ports connected to routed links are configured with BPDU filtering:
- Ports A1-A2 on Distrib-1 and Distrib-2

Other edge ports are configured with BPDU protection:
- Ports A3-A24 and B1-B24 on Distrib-1 and Distrib-2
- Ports A1-A24 and B1-B24 on Edge-2
- Ports 1-24 on Edge-1
Example on Distrib-1:
To view the status of these features, use the commands show spanning-tree config, show spanning-tree bpdu-protection and show run | include bpdu-protection:
Port  Type      | Path Cost  Priority                       Root Guard  TCN Guard  BPDU Flt
----- --------- + ---------  --------  --  --  ----  ------  ----------  ---------  --------
A1    100/1000T | Auto       128       No  No  True  Global  No          No         Yes
A2    100/1000T | Auto       128       No  No  True  Global  No          No         Yes

A21 bpdu-protection
A24 bpdu-protection
B1 bpdu-protection
B24 bpdu-protection
bpdu-protection-timeout 300
priority 0
5. Spanning-tree Root Guard
In our example, we'll enable Root Guard on the ports of the Distribution switches that connect to Edge switches. Root Guard configuration:
Distrib-1# / Distrib-2# spanning-tree A1,C1,C2 root-guard
Port  Type      | Path Cost  Priority                       Root Guard  TCN Guard  BPDU Flt
----- --------- + ---------  --------  --  --  ----  ------  ----------  ---------  --------
A1    100/1000T | Auto       128       No  No  True  Global  No          No         Yes
A2    100/1000T | Auto       128       No  No  True  Global  No          No         Yes

Port  Root Guard  TCN Guard  BPDU Flt
B23   No          No         No
B24   No          No         No
C1    No          No         No
C2    Yes         No         No
C3    Yes         No         No
C4    No          No         No
6. Loop protection
The loop protection mechanism prevents accidental loops that can occur when unmanaged, non-spanning-tree-capable equipment is connected and drops spanning-tree packets. When loop protection is enabled on a port, the port sends out a loop-protocol packet; if the switch then receives that same packet back, it disables the port for a configurable time (disable-timer). Loop protection should be activated on all ports.
Status and Counters - Loop
  Transmit Interval (sec) :
  Port Disable Timer (sec) :
  Loop Detected Trap :

Port  Loop Protection  Loop Detected  Loop Count  Rx Action     Port Status
----  ---------------  -------------  ----------  ------------  -----------
A1    Yes              No             0           send-disable  Up
A2    Yes              No             0           send-disable  Down
...
B23   Yes              No             0           send-disable  Down
B24   Yes              No             0           send-disable  Up
C1    Yes              No             0           send-disable  Up
C2    Yes              No             0           send-disable  Up
C3    Yes              No             0           send-disable  Down
C4    Yes              No             0           send-disable  Down
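As a consolidated example (added here, not part of the original note), the Distrib-1 hardening of sections 3 to 6 entered as a single configuration session. Port ranges follow the network diagram above; the loop-protect timer values and the trap line are assumptions, not values taken from the note.

```text
! Added example, not taken from the original note: the Distrib-1 hardening from
! sections 3 to 6 as one configuration session. Port ranges follow the network
! diagram. The loop-protect timer values and trap line are assumed, not the note's.
Distrib-1# configure
! Section 3: user ports go straight to forwarding (no listening/learning).
Distrib-1(config)# spanning-tree A1-A24,B1-B24 admin-edge-port
! Section 4: the routed links to the Core never exchange BPDUs, so drop them.
Distrib-1(config)# spanning-tree A1-A2 bpdu-filter
! Every other edge port: a received BPDU disables the port for 300 s.
Distrib-1(config)# spanning-tree A3-A24,B1-B24 bpdu-protection
Distrib-1(config)# spanning-tree bpdu-protection-timeout 300
! Section 5: downlinks to the Edge switches must never elect a new root.
! Only C1 and C2 are used here; the note also lists A1, but it describes A1
! as a BPDU-filtered routed link, and a filtered port never sees a superior BPDU.
Distrib-1(config)# spanning-tree C1,C2 root-guard
! Section 6: loop protection on every port, including the BPDU-filtered ones,
! since a loop behind a non-STP device is invisible to spanning-tree.
Distrib-1(config)# loop-protect A1-A24,B1-B24,C1-C4
! Assumed timers (seconds): re-enable a looped port after 60 s, probe every 5 s.
Distrib-1(config)# loop-protect disable-timer 60
Distrib-1(config)# loop-protect transmit-interval 5
Distrib-1(config)# loop-protect trap loop-detected
! Check the result with the show commands used in the note.
Distrib-1(config)# show spanning-tree config
Distrib-1(config)# show spanning-tree bpdu-protection
Distrib-1(config)# show loop-protect
Distrib-1(config)# write memory
```

Ports disabled by BPDU protection come back after the 300 s timeout, and ports disabled by loop protection after the disable-timer, so a recurring loop or rogue BPDU source shows up as the same port cycling between Down and Up in these outputs.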
7. Firmware versions
Switch firmware versions used in this application note are:
- ProCurve switches 3500yl, 5406zl and 8212zl: K.13.25
8. Reference documents
This concludes the procedure for hardening MSTP on ProCurve switches. For further information about how to configure MSTP security features on ProCurve 3500yl, 5400zl and 8212zl switches, please refer to the following link:
- ProCurve Advanced Traffic Management Guide for the ProCurve Series 3500yl/6200yl/5400zl/8212zl Switches, Chapter 4 - Multiple Instance Spanning-Tree Operation: http://cdn.procurve.com/training/Manuals/3500-5400-62008200-ATG-Jan08-4-MSTP.pdf