As a continuation of the STP Root Protection feature I want to describe additional STP protection functions and show you, where these functions should be implemented, in a typical campus LAN environment.
BPDU Protection feature can be used to protect switches against STP BPDU attacks. It should be implemented on every switch, which has ports directly connected to end-user workstations. This is because we do not expect receiving STP BPDU from user workstations. When STP BPDUs are received on the edge port, STP topology recalculation occurs, causing network flapping. If the port is configured with BPDU Protection and the switching device receives STP BPDUs, then the port is placed into shutdown state, protecting STP topology from recalculation. By default BPDU Protection feature is disabled on Huawei switches. To enable it:
<labnario_sw>system-view [labnario_sw]interface Ethernet 0/0/1 [labnario_sw-Ethernet0/0/1]stp edged-port enable [labnario_sw-Ethernet0/0/1]quit [labnario_sw]stp bpdu-protection
When a switch port is configured as a STP Edged and STP BPDU is received, the port is placed into shutdown state:
May 13 2013 20:17:00-08:00 labnario_sw%%01MSTP/4/BPDU_PROTECTION(l):This edged-port Ethernet0/0/1 that enabled BPDU-Protection will be shutdown, because it received BPDU packet!
[labnario_sw-Ethernet0/0/1]dis cur int e0/0/1 # interface Ethernet0/0/1 shutdown stp edged-port enable [labnario_sw-Ethernet0/0/1]dis int eth0/0/1 Ethernet0/0/1 current state : Administratively DOWN Line protocol current state : DOWN
To bring the port back to UP state, manual port reconfiguration is required or auto recovery feature should be enabled on the switch.
TC Protection (TC – Topology Change) feature is used to suppress TC BPDUs (BPDU frames advertising STP topology change). When a switch receives a large number of TC BPDUs in a short time period, it has to frequently process MAC and ARP table entries, which can lead to CPU resources exhausting. To prevent this from happening, TC Protection can be configured, so that the switch will process TC BPDUs only with the given number of times within a specified time period. To enable TC Protection and change its default settings:
[labnario_sw]stp tc-protection [labnario_sw]stp tc-protection threshold ? INTEGER The threshold of TC-BPDU protection, default is 1 [labnario_sw]stp tc-protection threshold 3
The default threshold is 1, the time is specified by the STP Hello timer, which equals to 2 seconds, and can be easy changed using command:
[labnario_sw]stp timer hello ? INTEGER Hello time in centiseconds, in steps of 100, the default value is 200
When the number of TC BPDUs, received by the switch, exceeds the specified threshold in a given time period, switch processes the excess TC BPDUs, after the specified time period expires. TC Protection feature should be enabled on every switch in a LAN environment.
Loop Protection feature provides additional protection against L2 forwarding loops. STP relies on a continuous reception or transmission of BPDUs based on the port role. The designated port transmits BPDUs and the non-designated port (ROOT, ALTERNATE) receives BPDUs. An STP loop is created, when one of the ports, of a physically redundant topology, no longer receives STP BPDUs. This usually happens, when ALTERNATE port in DISCARDING state stops receiving STP PBDUs, and as a result, moves to a Designated role and FORWARDING state. It means that there is no longer blocking port in redundant physical topology and loop is created. Loop protection feature, enabled on the interface, moves this port into Designated role and DISCARDING state, when no STP BPDUs are received in a prescriptive time. Loop Protection feature should be enabled on ROOT and ALTERNATE ports for every possible STP topology including failover scenarios.
Look at the following example to see Loop Protection feature in action:
[labnario_sw]dis cur | beg t0/0/1 # interface GigabitEthernet0/0/1 stp loop-protection # interface GigabitEthernet0/0/2 stp loop-protection # [labnario_sw]dis stp brie MSTID Port Role STP State Protection 0 GigabitEthernet0/0/1 ALTE DISCARDING LOOP 0 GigabitEthernet0/0/2 ROOT FORWARDING LOOP
[labnario_sw] May 14 2013 13:50:06-08:00 Huawei %%01MSTP/4/LOOP_GUARD(l):MSTP process 0 Instance0's LOOP-Protection port GigabitEthernet0/0/1 did not receive message in prescriptive time!
[labnario_sw]dis stp brie MSTID Port Role STP State Protection 0 GigabitEthernet0/0/1 DESI DISCARDING LOOP 0 GigabitEthernet0/0/2 ROOT FORWARDING LOOP
Recovery is automatic when port starts receiving STP BPDUs, no additional administrative intervention is required. By default Loop Protection feature is disabled on Huawei switches.