protecting STP on Huawei switches


As a continuation of the STP Root Protection post, I want to describe additional STP protection functions and show where each of them should be implemented in a typical campus LAN environment.

The BPDU Protection feature protects switches against STP BPDU attacks. It should be implemented on every switch that has ports directly connected to end-user workstations, because we do not expect to receive STP BPDUs from user workstations. When STP BPDUs are received on an edge port, an STP topology recalculation occurs, causing the network to flap. If the port is configured with BPDU Protection and the switch receives an STP BPDU on it, the port is placed into the shutdown state, protecting the STP topology from recalculation. By default the BPDU Protection feature is disabled on Huawei switches. To enable it:

<labnario_sw>system-view 
[labnario_sw]interface Ethernet 0/0/1
[labnario_sw-Ethernet0/0/1]stp edged-port enable 
[labnario_sw-Ethernet0/0/1]quit
[labnario_sw]stp bpdu-protection

When a switch port is configured as an STP edged port and an STP BPDU is received on it, the port is placed into the shutdown state:

May 13 2013 20:17:00-08:00 labnario_sw%%01MSTP/4/BPDU_PROTECTION(l)[4]:This edged-port Ethernet0/0/1 that enabled BPDU-Protection will be shutdown, because it received BPDU packet!
[labnario_sw-Ethernet0/0/1]dis cur int e0/0/1
#
interface Ethernet0/0/1
 shutdown
 stp edged-port enable

[labnario_sw-Ethernet0/0/1]dis int eth0/0/1
Ethernet0/0/1 current state : Administratively DOWN
Line protocol current state : DOWN

To bring the port back to the UP state, manual port reconfiguration is required, or the auto recovery feature should be enabled on the switch.
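As an added example that is not part of the original post, a small Python parser that turns the BPDU Protection log line above, and the LOOP_GUARD message shown later in the Loop Protection section, into structured events a monitoring system can alert on. The third sample line is constructed noise, and the regular expression assumes the Huawei VRP log layout seen in those two lines.

```python
import re

# Two log lines quoted from this page, plus one constructed non-STP line as noise.
SAMPLE_LOG = """\
May 13 2013 20:17:00-08:00 labnario_sw%%01MSTP/4/BPDU_PROTECTION(l)[4]:This edged-port Ethernet0/0/1 that enabled BPDU-Protection will be shutdown, because it received BPDU packet!
May 14 2013 13:50:06-08:00 Huawei %%01MSTP/4/LOOP_GUARD(l)[2]:MSTP process 0 Instance0's LOOP-Protection port GigabitEthernet0/0/1 did not receive message in prescriptive time!
May 14 2013 13:51:00-08:00 Huawei %%01SHELL/5/LOGIN(l)[3]:User admin logged in (constructed)
"""

# Huawei VRP log header as seen above: "<timestamp> <host>%%01<module>/<severity>/<event>(l)[n]:<message>".
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}) "
    r"(?P<host>[^%\s]+)\s*%%01(?P<module>\w+)/(?P<sev>\d)/(?P<event>\w+)\(\w\)\[\d+\]:(?P<msg>.*)$"
)
IFACE_RE = re.compile(r"\b((?:XGigabit|Gigabit)?Ethernet\d+(?:/\d+)+)\b")

# Operational meaning of each event, per the post: BPDU Protection shuts the port down,
# Loop Protection only moves it to DISCARDING and clears itself when BPDUs return.
EVENT_MEANING = {
    "BPDU_PROTECTION": ("shutdown", "edge port received a BPDU; needs manual re-enable or auto-recovery"),
    "LOOP_GUARD": ("discarding", "root/alternate port stopped receiving BPDUs; recovers when they resume"),
}

def parse_stp_events(log_text):
    """Return one dict per MSTP protection event found in the log text."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["module"] != "MSTP" or m["event"] not in EVENT_MEANING:
            continue
        iface = IFACE_RE.search(m["msg"])
        state, note = EVENT_MEANING[m["event"]]
        events.append({
            "time": m["ts"], "host": m["host"], "event": m["event"],
            "port": iface.group(1) if iface else None,
            "port_state": state, "note": note,
        })
    return events

if __name__ == "__main__":
    for ev in parse_stp_events(SAMPLE_LOG):
        print(f"{ev['time']} {ev['host']} {ev['event']} {ev['port']} -> {ev['port_state']} ({ev['note']})")
```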

The TC Protection feature (TC stands for Topology Change) is used to suppress TC BPDUs (BPDU frames advertising an STP topology change). When a switch receives a large number of TC BPDUs in a short period, it has to process MAC and ARP table entries frequently, which can exhaust its CPU resources. To prevent this, TC Protection can be configured so that the switch processes TC BPDUs only a given number of times within a specified period. To enable TC Protection and change its default settings:

[labnario_sw]stp tc-protection
[labnario_sw]stp tc-protection threshold ?
  INTEGER  The threshold of TC-BPDU protection, default is 1

[labnario_sw]stp tc-protection threshold 3

The default threshold is 1. The period is given by the STP Hello timer, which is 2 seconds by default and can easily be changed with the following command:

[labnario_sw]stp timer hello ?
  INTEGER  Hello time in centiseconds, in steps of 100, the default value is 200

When the number of TC BPDUs received by the switch exceeds the specified threshold within the period, the switch processes the excess TC BPDUs only after the period expires. The TC Protection feature should be enabled on every switch in the LAN.

The Loop Protection feature provides additional protection against L2 forwarding loops. STP relies on continuous reception or transmission of BPDUs depending on the port role: the designated port transmits BPDUs and the non-designated ports (ROOT, ALTERNATE) receive them. An STP loop is created when one of the ports in a physically redundant topology no longer receives STP BPDUs. This usually happens when an ALTERNATE port in the DISCARDING state stops receiving STP BPDUs and, as a result, moves to the Designated role and the FORWARDING state. There is then no longer a blocking port in the redundant physical topology, and a loop is created. With the Loop Protection feature enabled on the interface, the port is instead moved to the Designated role and the DISCARDING state when no STP BPDUs are received within the prescribed time. The Loop Protection feature should be enabled on ROOT and ALTERNATE ports for every possible STP topology, including failover scenarios.

Look at the following example to see the Loop Protection feature in action:

[labnario_sw]dis cur | beg t0/0/1
#
interface GigabitEthernet0/0/1
 stp loop-protection
#
interface GigabitEthernet0/0/2
 stp loop-protection
#
[labnario_sw]dis stp brie
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        ALTE  DISCARDING      LOOP
   0    GigabitEthernet0/0/2        ROOT  FORWARDING      LOOP
[labnario_sw]
May 14 2013 13:50:06-08:00 Huawei %%01MSTP/4/LOOP_GUARD(l)[2]:MSTP process 0 Instance0's LOOP-Protection port GigabitEthernet0/0/1 did not receive message in prescriptive time!
[labnario_sw]dis stp brie
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        DESI  DISCARDING      LOOP
   0    GigabitEthernet0/0/2        ROOT  FORWARDING      LOOP

Recovery is automatic once the port starts receiving STP BPDUs again; no additional administrative intervention is required. By default the Loop Protection feature is disabled on Huawei switches.
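As an added example that is not the post's own code, the following Python audit checks a switch's "display current-configuration" and "display stp brief" output against the three recommendations above: BPDU Protection enabled globally wherever edged ports exist, TC Protection on every switch, and Loop Protection on the ports currently in the ROOT or ALTERNATE role. Both inputs are constructed samples in the layout shown on this page.

```python
import re
# Constructed sample in the layout of Huawei "display current-configuration" output.
SAMPLE_CONFIG = """\
stp tc-protection
#
interface Ethernet0/0/1
 stp edged-port enable
#
interface GigabitEthernet0/0/1
 stp loop-protection
#
interface GigabitEthernet0/0/2
"""
# Constructed sample of "display stp brief" output (current port roles only).
SAMPLE_STP_BRIEF = """\
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        ALTE  DISCARDING      LOOP
   0    GigabitEthernet0/0/2        ROOT  FORWARDING      NONE
"""

def parse_config(text):
    """Global commands and per-interface command sets; a "#" line ends an interface block."""
    global_cmds, interfaces, current = set(), {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif line.startswith(" ") and current is not None:
            interfaces[current].add(line.strip())
        else:
            current = None
            if line.strip() and line.strip() != "#":
                global_cmds.add(line.strip())
    return global_cmds, interfaces

def audit_stp_protection(config_text, stp_brief_text):
    """Return findings; an empty list means the three recommendations above hold."""
    global_cmds, interfaces = parse_config(config_text)
    findings = []
    edged = [i for i, c in interfaces.items() if "stp edged-port enable" in c]
    if edged and "stp bpdu-protection" not in global_cmds:
        findings.append(f"edged ports {edged} but global 'stp bpdu-protection' is missing")
    if "stp tc-protection" not in global_cmds:
        findings.append("global 'stp tc-protection' is missing")
    # Only the current topology's roles are visible; failover roles need a manual review.
    for m in re.finditer(r"^\s*\d+\s+(\S+)\s+(ROOT|ALTE)\b", stp_brief_text, re.M):
        port, role = m.groups()
        if "stp loop-protection" not in interfaces.get(port, set()):
            findings.append(f"{port} is {role} but has no 'stp loop-protection'")
    return findings
```

Feed it the captured output of the two display commands; every returned string is one deviation from the recommendations in this post.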

(Figure: protecting STP on Huawei switches topology)


3 thoughts on “protecting STP on Huawei switches”

  1. pereest

    Hi,

    Nice blog you have. We recently also bought Huawei 6700 to use as core. In each datacenter, under those Huawei we’re running 4 Catalyst 4507 switches which are running PVST+ for the moment.
    Do you have any experience with this? And if so, which spanning-tree protocol would be the best choice?
    I’m thinking of Rapid PVST+ or MST. Or is Rapid PVST falling back to normal STP?
    Any advice is more than welcome.
    Thanks
