An HP ProCurve Networking Configuration Note

How to improve and harden spanning-tree

configuration on ProCurve switches

Contents
1. Introduction .............................................................................................................................................................. 2 
2. Network diagram ...................................................................................................................................................... 2 
3. Auto-Edge and Admin-Edge .................................................................................................................................... 4 
4. BPDU Protection and BPDU Filtering ..................................................................................................................... 6 
5. Spanning-tree Root Guard ...................................................................................................................................... 8 
6. Loop protection ...................................................................................................................................................... 10 
7. Firmware versions ................................................................................................................................................. 11 
8. Reference documents ............................................................................................................................................ 12 
How to improve and harden spanning-tree configuration on ProCurve switches

1. Introduction
This application note presents different commands that ease and fasten the convergence of spanning-tree protocol on
a ProCurve network, while protecting against loops and unwanted topology changes.

2. Network diagram
The platform which will be used in this document to detail the different steps of the configuration consists of:

Two Distribution switches:

- 2 x ProCurve switches 8212zl, named “Distrib-1” and “Distrib-2” are set as Distribution switches. They
aggregate multiple Edge switches redundantly.
- Distribution switches act as redundant default gateway for the user VLANS/ IP subnets define between
Edge and Distribution switch. For details on this configuration refer to AN-I1 and AN-I2.

Two Core switches:

- The 2 Cores “Core-1” and “Core-2” are connected to each of the 2 Distribution switches via Gigabit
uplinks. Each link is defined as a unique VLAN and IP Subnet (“Routed Link”)

A Router:

- A ProCurve Secure Router 7102dl is redundantly connected to the 2 Core switches:

This hardware configuration is detailed in Figure-1 below.

HP ProCurve Networking 2
How to improve and harden spanning-tree configuration on ProCurve switches

Figure 1. 3-Layer topology with spanning-tree and routed network interconnection

This platform represents a typical enterprise network topology, with Edge, Distribution and Core layers. Multiple
spanning-tree with 2 instances is implemented on the Edge and Distribution switches. Now, in order to protect the
network against unwanted loops or topology changes, we are going to implement several security features on the
Distribution and Edge switches
How to improve and harden spanning-tree configuration on ProCurve switches

3. Auto-Edge and Admin-Edge

Preamble: in MSTP and RSTP, ports that connect to End nodes (PCs, Printers, Routers, Firewall…) should be set as
“Edge port” and Inter-Switch link should be set as “non-Edge ports”
With the auto-edge-port feature, the identification of edge ports is automatic. Auto-edge-port- feature is enabled by
default on ports. The port will look for BPDUs for 3 seconds; if there are none it begins forwarding packets and port is
set as Edge, if there are BPDUs, it sets the port as non-Edge.
As an admin, if you do not care about the 3 sec delay, auto-edge-port is an easy end recommended setup.

For a manual setup of Edge ports, enable admin-edge-port on ports connected to end nodes. During spanning tree
establishment, ports with admin-edge-port enabled transition immediately to the forwarding state. If a bridge or switch
is detected on the segment, the port automatically operates as non-edge. Admin-edge-port is disabled by default.

Note: If admin-edge-port is enabled for a port, the setting for auto-edge-port is ignored whether set to yes or no. If
admin-edge-port is set to No, and auto-edge-port has not been disabled (set to No), then the auto-edge-port setting
controls the behavior of the port.

Then for the non Edge-Ports: disable admin-Edge (default value=disabled) and disable auto-edge-port
(Default=Enabled)

Synthesis:
Auto-edge feature results on correct setting of ports (Edge or non-Edge) but introduce a delay of 3 seconds.
To bypass this delay set your Edge ports as “Admin-Edge”.
For the non Edge-Ports: disable admin-Edge (default value) and disable auto-edge-port.

In our platform, following ports/modules are configured as “admin edge”:

- Ports A1-B24 on switches Distrib-1, Distrib-2, Edge-2 and 1-24 on switch Edge-1 (3500yl)
Following ports/modules are configured as “no auto edge”:
- C1-C4 on switches Distrib-1, Distrib-2, Edge-2 and A1-A4 on switch Edge-1 (3500yl)
How to improve and harden spanning-tree configuration on ProCurve switches

Configuration example on Distrib-1:

! User ports A1-B24 are defined as admin-edge

Distrib-1(config)# spanning-tree A1-A24, B1-B24 admin-edge-port

! Auto-edge is disabled on uplink ports

Distrib-1(config)# no spanning-tree C1-C4 auto-edge-port

To view the edge configuration and status of all switch ports, use the command “show spanning-tree config”:

Distrib-1# show spanning-tree config

Multiple Spanning Tree (MST) Configuration Information

STP Enabled [No] : Yes

Force Version [MSTP-operation] : MSTP-operation

Default Path Costs [802.1t] : 802.1t
MST Configuration Name : B10
MST Configuration Revision : 1 Switch Priority : 0
Forward Delay [15] : 15 Hello Time [2] : 2
Max Age [20] : 20 Max Hops [20] : 20

| Path Prio Admin Auto Admin Hello Root TCN BPDU

Port Type | Cost rity Edge Edge PtP Time Guard Guard Flt

----- --------- + --------- ----- ----- ----- ----- ------ ------ ------ ----
A1 100/1000T | Auto 128 No No True Global No No Yes
A2 100/1000T | Auto 128 No No True Global No No Yes

...
B23 100/1000T | Auto 128 Yes Yes True Global No No No
B24 100/1000T | Auto 128 Yes Yes True Global No No No
C1 10GbE-SR | Auto 128 No No True Global No No No
C2 10GbE-SR | Auto 128 No No True Global No No No
C3 10GbE-SR | Auto 128 No No True Global No No No
C4 | Auto 128 Yes Yes True Global No No No

HP ProCurve Networking 5
How to improve and harden spanning-tree configuration on ProCurve switches

4. BPDU Protection and BPDU Filtering

The switch should never receive spanning tree BPDUs on “user” ports. If it happens, it means that somebody
connected a switch on a port where it should not be connected. And the danger of connecting an unwanted switch to
the network is that it can cause the spanning-tree algorithm to be recalculated and to completely change its topology
and forward the traffic on the “wrong” links.

In order to protect the network against such behavior, 2 security features exist: BPDU filtering and BPDU protection.

BPDU filtering allows control of spanning-tree participation on a per-port basis. When enabled on a port, it excludes
this port from any spanning-tree participation: the port will ignore spanning-tree BPDUs and stay locked in “forwarding”
state.

BPDU protection prevents unwanted BPDUs to enter the spanning-tree domain. It is usually used on ports connected
to devices that do not support spanning-tree. When enabled on a port, BPDU protection will disable the port for a
given period (configurable timeout) if a BPDU is received. In our case the 300s timeout will be used for port
deactivation.

Basically, ports connected to identified devices that do not support spanning-tree should be configured with BPDU
filtering. Ports not connected to anything yet should be configured with BPDU protection, which will disable a port in
case of spoofed BPDU attack.

In our configuration examples, ports connected to routed links are configured with BPDU filtering:
- Ports A1-A2 on Distrib-1 and Distrib-2

Other edge-ports are configured with BPDU protection:

- Ports A3-A24 and B1-B24 on Distrib-1, Distrib-2
- Ports A1-A24 and B1-B24 on Edge-2
- Ports 1-24 on Edge-1

HP ProCurve Networking 6
How to improve and harden spanning-tree configuration on ProCurve switches

Example on Distrib-1:

! BPDU filtering configuration:

Distrib-1(config)# spanning-tree A1-A2 bpdu-filter

! Timeout configuration:
Distrib-1(config)# spanning-tree bpdu-protection-timeout 300

! BPDU protection configuration:

Distrib-1(config)# spanning-tree A1-A24, B1-B24 bpdu-protection
How to improve and harden spanning-tree configuration on ProCurve switches

To view the status of these features, use the commands show spanning-tree config , show spanning-tree bpdu-
protection and show run | include bpdu-protection

Distrib-1# show spanning-tree Config

| Path Prio Admin Auto Admin Hello Root TCN BPDU

Port Type | Cost rity Edge Edge PtP Time Guard Guard Flt

----- --------- + --------- ----- ----- ----- ----- ------ ------ ------ ----
A1 100/1000T | Auto 128 No No True Global No No Yes
A2 100/1000T | Auto 128 No No True Global No No Yes

Distrib-1# show spanning-tree bpdu-protection

Status and Counters - STP Port(s) BPDU Protection Information

BPDU Protection Timeout (sec) : 300

BPDU Protected Ports : A3-A24,B3-B24

Distrib-1# show run | include bpdu-protection

spanning-tree A21 bpdu-protection

...
spanning-tree A24 bpdu-protection
spanning-tree B1 bpdu-protection
...
spanning-tree B24 bpdu-protection
spanning-tree bpdu-protection-timeout 300 priority 0

5. Spanning-tree Root Guard

When a port is enabled as root-guard, it cannot be selected as the root port even if it receives superior STP
BPDUs. The port is assigned an “alternate” port role and enters a blocking state if it receives superior STP BPDUs.
A superior BPDU contains “better” information on the root bridge and/or path cost to the root bridge, which would
normally replace the current root bridge selection.
The superior BPDUs received on a port enabled as rootguard are ignored. All other BPDUs are accepted and the
external devices may belong to the spanning tree as long as they do not claim to be the Root device.
Use this command on MSTP Distribution switch ports that are connected to Edge switch that may come with “wrong”
configuration or to devices located in other administrative network domains to:
• Ensure the stability of the core MSTP network topology so that undesired or damaging influences external to
the network do not enter.
• Protect the configuration of the CIST root bridge that serves as the common root for the entire network.
• Default: The root-guard setting is disabled.

HP ProCurve Networking 8
How to improve and harden spanning-tree configuration on ProCurve switches

In our example, we’ll enable Root Guard on ports of Distribution switches that connect to Edge switches.

Root Guard configuration:

Distrib-1# / Distrib-2#
spanning-tree A1,C1,C2 root-guard

Configuration example on Distrib-1:

! Root Guard configuration:

Distrib-1(config)# spanning-tree C2-C3 root-guard
How to improve and harden spanning-tree configuration on ProCurve switches

To view the status of root guard protection:

Distrib-1# show spanning-tree config

| Path Prio Admin Auto Admin Hello Root TCN BPDU

Port Type | Cost rity Edge Edge PtP Time Guard Guard Flt

----- --------- + --------- ----- ----- ----- ----- ------ ------ ------ ----
A1 100/1000T | Auto 128 No No True Global No No Yes
A2 100/1000T | Auto 128 No No True Global No No Yes

...
B23 100/1000T | Auto 128 Yes Yes True Global No No No
B24 100/1000T | Auto 128 Yes Yes True Global No No No
C1 10GbE-SR | Auto 128 No No True Global No No No
C2 10GbE-SR | Auto 128 No No True Global Yes No No
C3 10GbE-SR | Auto 128 No No True Global Yes No No
C4 | Auto 128 Yes Yes True Global No No No

6. Loop protection
Loop protection mechanism is used to prevent accidental loops that can occur when an unmanaged non-spanning-
tree-capable equipment is connected and drops spanning-tree packets.
When loop protection is enabled on a port, it sends out a loop protocol packet; if it then receives the same packet, it
disables the port for a time that can be configured (disable-timer).

Loop protection should be activated on all ports.

How to improve and harden spanning-tree configuration on ProCurve switches

Loop protect configuration example on Distrib-1:

! Disable timer configuration:

Distrib-1(config)# loop-protect disable-timer 300

! Loop-protection activation:
Distrib-1(config)# loop-protect A1-A24, B1-B24, C1-C4

Loop protection ports status check:

Distrib-1(config)# show loop-protect

Status and Counters - Loop Protection Information

Transmit Interval (sec) : 5
Port Disable Timer (sec) : 300
Loop Detected Trap : Disabled

Loop Loop Loop Time Rx Port

Port Protection Detected Count Since Last Loop Action Status

---- ----------- --------- ---------- ---------------- ------------ --------

A1 Yes No 0 send-disable Up
A2 Yes No 0 send-disable Down
...
B23 Yes No 0 send-disable Down
B24 Yes No 0 send-disable Up
C1 Yes No 0 send-disable Up
C2 Yes No 0 send-disable Up
C3 Yes No 0 send-disable Down
C4 Yes No 0 send-disable Down

7. Firmware versions
Switches firmware versions used in this application note are:

For ProCurve switches 3500yl, 5406zl and 8212zl: K.13.25

HP ProCurve Networking 11
 How to improve and harden spanning-tree configuration on ProCurve switches

8. Reference documents
This concludes the procedure for hardening MSTP on ProCurve switches.

For further information about how to configure MSTP security features on ProCurve switches 3500yl-5400zl-8212zl,
please refer to the following links:

- ProCurve Advanced Traffic Management Guide for the ProCurve Series 3500yl/6200yl/5400zl/8212zl Switches
Chapter 4- Multiple Instance Spanning-tree operation: http://cdn.procurve.com/training/Manuals/3500-5400-6200-
8200-ATG-Jan08-4-MSTP.pdf

- Command Line Reference Guide: http://cdn.procurve.com/training/Manuals/8200-6200-5400-3500-CLI-K13-

Mar2008.pdf

For further information, please visit www.procurve.eu

© 2008 Hewlett-Packard Development Company, L.P. The information

contained herein is subject to change without notice. The only warranties
for HP products and services are set forth in the express warranty
statements accompanying such products and services. Nothing herein
should be construed as constituting an additional warranty. HP shall not
be liable for technical or editorial errors or omissions contained herein.

4AA2-3657EEE, December 2008