An HP ProCurve Networking Configuration Note
How to improve and harden spanning-tree configuration on ProCurve switches
Contents
1. Introduction
2. Network diagram
3. Auto-Edge and Admin-Edge
4. BPDU Protection and BPDU Filtering
5. Spanning-tree Root Guard
6. Loop protection
7. Firmware versions
8. Reference documents
1. Introduction
This application note presents the commands that simplify and speed up the convergence of the spanning-tree protocol on a ProCurve network, while protecting the network against loops and unwanted topology changes.
2. Network diagram
The platform used in this document to detail the different configuration steps consists of:

Two Distribution switches:
- 2 x ProCurve 8212zl switches, named Distrib-1 and Distrib-2, are set up as Distribution switches. They aggregate multiple Edge switches redundantly.
- The Distribution switches act as redundant default gateway for the user VLANs / IP subnets defined between the Edge and Distribution switches. For details on this configuration refer to AN-I1 and AN-I2.

Two Core switches:
- The two Cores, Core-1 and Core-2, are connected to each of the two Distribution switches via Gigabit uplinks. Each link is defined as a unique VLAN and IP subnet (routed link).

A Router:
- A ProCurve Secure Router 7102dl is redundantly connected to the two Core switches.
This hardware configuration is detailed in Figure-1 below.
Figure 1. 3-Layer topology with spanning-tree and routed network interconnection
This platform represents a typical enterprise network topology, with Edge, Distribution and Core layers. MSTP with two instances is implemented on the Edge and Distribution switches. In order to protect the network against unwanted loops or topology changes, we are going to implement several security features on the Distribution and Edge switches.
3. Auto-Edge and Admin-Edge
Preamble: in MSTP and RSTP, ports that connect to end nodes (PCs, printers, routers, firewalls) should be set as Edge ports, and inter-switch links should be set as non-Edge ports.

With the auto-edge-port feature, the identification of Edge ports is automatic. Auto-edge-port is enabled by default on all ports. The port listens for BPDUs for 3 seconds; if none arrive, it begins forwarding packets and is set as Edge; if BPDUs arrive, the port is set as non-Edge. As an admin, if the 3-second delay does not matter to you, auto-edge-port is an easy and recommended setup.

For a manual setup of Edge ports, enable admin-edge-port on the ports connected to end nodes. During spanning-tree establishment, ports with admin-edge-port enabled transition immediately to the forwarding state. If a bridge or switch is detected on the segment, the port automatically operates as non-Edge. Admin-edge-port is disabled by default.

Note: if admin-edge-port is enabled for a port, the auto-edge-port setting is ignored whether set to Yes or No. If admin-edge-port is set to No and auto-edge-port has not been disabled (set to No), then the auto-edge-port setting controls the behavior of the port. So for the non-Edge ports: disable admin-edge-port (default value = disabled) and disable auto-edge-port (default = enabled).

Synthesis: the auto-edge feature results in the correct setting of ports (Edge or non-Edge) but introduces a delay of 3 seconds. To bypass this delay, set your Edge ports as admin-edge. For the non-Edge ports, disable admin-edge (the default value) and disable auto-edge-port.

In our platform, the following ports/modules are configured as admin-edge:
- Ports A1-B24 on switches Distrib-1, Distrib-2 and Edge-2, and ports 1-24 on switch Edge-1 (3500yl)

The following ports/modules are configured as no auto-edge:
- Ports C1-C4 on switches Distrib-1, Distrib-2 and Edge-2, and ports A1-A4 on switch Edge-1 (3500yl)
Configuration example on Distrib-1:
! User ports A1-B24 are defined as admin-edge
Distrib-1(config)# spanning-tree A1-A24, B1-B24 admin-edge-port

! Auto-edge is disabled on uplink ports
Distrib-1(config)# no spanning-tree C1-C4 auto-edge-port
To view the edge configuration and status of all switch ports, use the command show spanning-tree config:
Distrib-1# show spanning-tree config

 Multiple Spanning Tree (MST) Configuration Information

  STP Enabled [No] : Yes
  Force Version [MSTP-operation] : MSTP-operation
  Default Path Costs [802.1t] : 802.1t
  MST Configuration Name : B10
  MST Configuration Revision : 1
  Switch Priority : 0
  Forward Delay [15] : 15
  Hello Time [2] : 2
  Max Age [20] : 20
  Max Hops [20] : 20

  Port  Type      | Path Cost Priority Admin Edge Auto Edge Admin PtP Hello Time Root Guard TCN Guard BPDU Flt
  ----- --------- + --------- -------- ---------- --------- --------- ---------- ---------- --------- --------
  A1    100/1000T | Auto      128      No         No        True      Global     No         No        Yes
  A2    100/1000T | Auto      128      No         No        True      Global     No         No        Yes
  ...
  B23   100/1000T | Auto      128      Yes        Yes       True      Global     No         No        No
  B24   100/1000T | Auto      128      Yes        Yes       True      Global     No         No        No
  C1    10GbE-SR  | Auto      128      No         No        True      Global     No         No        No
  C2    10GbE-SR  | Auto      128      No         No        True      Global     No         No        No
  C3    10GbE-SR  | Auto      128      No         No        True      Global     No         No        No
  C4              | Auto      128      Yes        Yes       True      Global     No         No        No
4. BPDU Protection and BPDU Filtering
The switch should never receive spanning-tree BPDUs on user ports. If it happens, it means that somebody connected a switch on a port where it should not be connected. The danger of connecting an unwanted switch to the network is that it can cause the spanning-tree algorithm to be recalculated, completely change the topology and forward traffic on the wrong links. To protect the network against such behavior, two security features exist: BPDU filtering and BPDU protection.

BPDU filtering allows control of spanning-tree participation on a per-port basis. When enabled on a port, it excludes this port from any spanning-tree participation: the port ignores spanning-tree BPDUs and stays locked in the forwarding state.

BPDU protection prevents unwanted BPDUs from entering the spanning-tree domain. It is usually used on ports connected to devices that do not support spanning-tree. When enabled on a port, BPDU protection disables the port for a given period (configurable timeout) if a BPDU is received. In our case a 300 s timeout is used for port deactivation.

Basically, ports connected to identified devices that do not support spanning-tree should be configured with BPDU filtering. Ports not connected to anything yet should be configured with BPDU protection, which disables the port in case of a spoofed-BPDU attack.

In our configuration examples, ports connected to routed links are configured with BPDU filtering:
- Ports A1-A2 on Distrib-1 and Distrib-2

Other edge ports are configured with BPDU protection:
- Ports A3-A24 and B1-B24 on Distrib-1, Distrib-2
- Ports A1-A24 and B1-B24 on Edge-2
- Ports 1-24 on Edge-1
Example on Distrib-1:
! BPDU filtering configuration:
Distrib-1(config)# spanning-tree A1-A2 bpdu-filter

! Timeout configuration:
Distrib-1(config)# spanning-tree bpdu-protection-timeout 300

! BPDU protection configuration:
Distrib-1(config)# spanning-tree A1-A24, B1-B24 bpdu-protection
To view the status of these features, use the commands show spanning-tree config, show spanning-tree bpdu-protection and show run | include bpdu-protection:
Distrib-1# show spanning-tree Config

  Port  Type      | Path Cost Priority Admin Edge Auto Edge Admin PtP Hello Time Root Guard TCN Guard BPDU Flt
  ----- --------- + --------- -------- ---------- --------- --------- ---------- ---------- --------- --------
  A1    100/1000T | Auto      128      No         No        True      Global     No         No        Yes
  A2    100/1000T | Auto      128      No         No        True      Global     No         No        Yes
Distrib-1# show spanning-tree bpdu-protection

 Status and Counters - STP Port(s) BPDU Protection Information

  BPDU Protection Timeout (sec) : 300
  BPDU Protected Ports : A3-A24,B3-B24

Distrib-1# show run | include bpdu-protection
spanning-tree A21 bpdu-protection
...
spanning-tree A24 bpdu-protection
spanning-tree B1 bpdu-protection
...
spanning-tree B24 bpdu-protection
spanning-tree bpdu-protection-timeout 300
spanning-tree priority 0
5. Spanning-tree Root Guard
When a port is enabled as root-guard, it cannot be selected as the root port even if it receives superior STP BPDUs. The port is assigned an alternate port role and enters a blocking state if it receives superior STP BPDUs. A superior BPDU contains better information on the root bridge and/or the path cost to the root bridge, which would normally replace the current root bridge selection. Superior BPDUs received on a port enabled as root-guard are ignored. All other BPDUs are accepted, and the external devices may belong to the spanning tree as long as they do not claim to be the root device.

Use this command on MSTP Distribution switch ports that are connected to Edge switches that may come with a wrong configuration, or to devices located in other administrative network domains, in order to:
- Ensure the stability of the core MSTP network topology so that undesired or damaging influences external to the network do not enter.
- Protect the configuration of the CIST root bridge that serves as the common root for the entire network.

Default: the root-guard setting is disabled.
In our example, we'll enable Root Guard on the ports of the Distribution switches that connect to Edge switches.

Root Guard configuration:
Distrib-1# / Distrib-2# spanning-tree A1,C1,C2 root-guard
Configuration example on Distrib-1:
! Root Guard configuration:
Distrib-1(config)# spanning-tree C2-C3 root-guard
To view the status of root guard protection:
Distrib-1# show spanning-tree config

  Port  Type      | Path Cost Priority Admin Edge Auto Edge Admin PtP Hello Time Root Guard TCN Guard BPDU Flt
  ----- --------- + --------- -------- ---------- --------- --------- ---------- ---------- --------- --------
  A1    100/1000T | Auto      128      No         No        True      Global     No         No        Yes
  A2    100/1000T | Auto      128      No         No        True      Global     No         No        Yes
  ...
  B23   100/1000T | Auto      128      Yes        Yes       True      Global     No         No        No
  B24   100/1000T | Auto      128      Yes        Yes       True      Global     No         No        No
  C1    10GbE-SR  | Auto      128      No         No        True      Global     No         No        No
  C2    10GbE-SR  | Auto      128      No         No        True      Global     Yes        No        No
  C3    10GbE-SR  | Auto      128      No         No        True      Global     Yes        No        No
  C4              | Auto      128      Yes        Yes       True      Global     No         No        No
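As an added example (not part of this note and not HP code), the following Python script audits the output of show spanning-tree config and show spanning-tree bpdu-protection against the rules of sections 3, 4 and 5: edge ports must carry BPDU protection or BPDU filtering, non-edge ports must have auto-edge-port disabled, and Distribution downlinks to Edge switches must carry root-guard. The sample output and the downlink set {C2, C3} are constructed; the regular expression assumes the column layout shown in this note.

```python
import re

# Constructed sample output modelled on the show commands in this note (not a real capture).
SHOW_CONFIG = """\
  Port  Type      | Path Cost Priority Admin Edge Auto Edge Admin PtP Hello Time Root Guard TCN Guard BPDU Flt
  ----- --------- + --------- -------- ---------- --------- --------- ---------- ---------- --------- --------
  A1    100/1000T | Auto      128      No         No        True      Global     No         No        Yes
  A3    100/1000T | Auto      128      Yes        Yes       True      Global     No         No        No
  B1    100/1000T | Auto      128      Yes        Yes       True      Global     No         No        No
  C2    10GbE-SR  | Auto      128      No         No        True      Global     Yes        No        No
  C3    10GbE-SR  | Auto      128      No         No        True      Global     No         No        No
  C4    10GbE-SR  | Auto      128      No         Yes       True      Global     No         No        No
"""
SHOW_BPDU = """\
  BPDU Protection Timeout (sec) : 300
  BPDU Protected Ports : A3-A24,B3-B24
"""

# One data row of 'show spanning-tree config'; header and separator lines do not match.
ROW = re.compile(
    r"^\s*(?P<port>[A-Z]?\d+)\s+(?P<type>\S+)\s+\|\s+\S+\s+\d+\s+"
    r"(?P<admin_edge>Yes|No)\s+(?P<auto_edge>Yes|No)\s+\S+\s+\S+\s+"
    r"(?P<root_guard>Yes|No)\s+(?P<tcn_guard>Yes|No)\s+(?P<bpdu_filter>Yes|No)\s*$"
)

def expand_ports(spec):
    """Expand a ProCurve port list such as 'A3-A24,B3-B24' or '1-24' into a set of names."""
    ports = set()
    for item in spec.replace(" ", "").split(","):
        lo, _, hi = item.partition("-")
        mod, start = re.fullmatch(r"([A-Z]?)(\d+)", lo).groups()
        end = re.fullmatch(r"[A-Z]?(\d+)", hi).group(1) if hi else start
        ports.update(f"{mod}{n}" for n in range(int(start), int(end) + 1))
    return ports

def parse_config(text):
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]

def audit(config_text, bpdu_text, downlinks):
    """(port, problem) pairs for ports that deviate from the rules of sections 3 to 5."""
    protected = expand_ports(re.search(r"Protected Ports\s*:\s*(\S+)", bpdu_text).group(1))
    findings = []
    for row in parse_config(config_text):
        port, edge = row["port"], row["admin_edge"] == "Yes"
        if edge and port not in protected and row["bpdu_filter"] != "Yes":
            findings.append((port, "edge port without BPDU protection or filtering"))
        if not edge and row["auto_edge"] == "Yes":
            findings.append((port, "non-edge port still has auto-edge-port enabled"))
        if not edge and port in downlinks and row["root_guard"] != "Yes":
            findings.append((port, "downlink to edge switch without root-guard"))
    return findings
```

Running audit(SHOW_CONFIG, SHOW_BPDU, {"C2", "C3"}) on the sample flags B1 (edge port outside the protected range), C3 (downlink without root-guard) and C4 (uplink with auto-edge still on).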
6. Loop protection
The loop protection mechanism is used to prevent accidental loops that can occur when unmanaged, non-spanning-tree-capable equipment is connected and drops spanning-tree packets. When loop protection is enabled on a port, the port sends out a loop-protocol packet; if it then receives that same packet back, it disables the port for a configurable time (disable-timer). Loop protection should be activated on all ports.
Loop protect configuration example on Distrib-1:
! Disable timer configuration:
Distrib-1(config)# loop-protect disable-timer 300

! Loop-protection activation:
Distrib-1(config)# loop-protect A1-A24, B1-B24, C1-C4
Loop protection ports status check:
Distrib-1(config)# show loop-protect

 Status and Counters - Loop Protection Information

  Transmit Interval (sec) : 5
  Port Disable Timer (sec) : 300
  Loop Detected Trap : Disabled

  Port  Loop Protection  Loop Detected  Loop Count  Time Since Last Loop  Rx Action     Port Status
  ----  ---------------  -------------  ----------  --------------------  ------------  -----------
  A1    Yes              No             0                                 send-disable  Up
  A2    Yes              No             0                                 send-disable  Down
  ...
  B23   Yes              No             0                                 send-disable  Down
  B24   Yes              No             0                                 send-disable  Up
  C1    Yes              No             0                                 send-disable  Up
  C2    Yes              No             0                                 send-disable  Up
  C3    Yes              No             0                                 send-disable  Down
  C4    Yes              No             0                                 send-disable  Down
7. Firmware versions
The switch firmware versions used in this application note are:
For ProCurve switches 3500yl, 5406zl and 8212zl: K.13.25
8. Reference documents
This concludes the procedure for hardening MSTP on ProCurve switches. For further information about how to configure MSTP security features on ProCurve switches 3500yl-5400zl-8212zl, please refer to the following links:
- ProCurve Advanced Traffic Management Guide for the ProCurve Series 3500yl/6200yl/5400zl/8212zl Switches, Chapter 4, Multiple Instance Spanning-tree operation: http://cdn.procurve.com/training/Manuals/3500-5400-62008200-ATG-Jan08-4-MSTP.pdf
- Command Line Reference Guide: http://cdn.procurve.com/training/Manuals/8200-6200-5400-3500-CLI-K13Mar2008.pdf
For further information, please visit www.procurve.eu
2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
4AA2-3657EEE, December 2008