NE20E-S2 V800R010C10SPC500 Configuration Guide - LAN Access and MAN Access 01

Configuring RSTP Protection Functions

Rapid Spanning Tree Protocol (RSTP) protection functions are as follows, and you can configure one or more functions as required.

Applicable Environment

RSTP provides the following protection functions, as listed in Table 13-5.

Table 13-5 RSTP Protection Function

Protection function: BPDU protection

Scenario: An edge port becomes a non-edge port after receiving a BPDU, which triggers spanning tree recalculation. If an attacker keeps sending bogus BPDUs to a switching device, network flapping occurs.

Configuration impact: After BPDU protection is enabled on the switching device, the switching device shuts down the edge port if the edge port receives an RST BPDU, and notifies the NMS of the shutdown event. The attributes of the edge port are not changed.

Protection function: TC protection

Scenario: Generally, after receiving TC BPDUs (packets for advertising network topology changes), a switching device needs to delete MAC entries and ARP entries. Frequent deletion operations will exhaust CPU resources.

Configuration impact: TC protection is used to suppress TC BPDUs. The number of times that a switching device processes TC BPDUs within a given time period is configurable. If the number of TC BPDUs received within that period exceeds the configured threshold, the switching device processes only the configured number of them; the excess TC BPDUs are processed together, once, after the timer (that is, the configured time period) expires. This prevents the switching device from frequently deleting MAC entries and ARP entries and thus from being overloaded.

Protection function: Root protection

Scenario: Due to incorrect configurations or malicious attacks on the network, a root bridge may receive BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to serve as the root bridge, and the network topology is illegitimately changed, triggering spanning tree recalculation. This may transfer traffic from high-speed links to low-speed links, causing traffic congestion.

Configuration impact: If a designated port is enabled with the root protection function, the role of the port cannot be changed. Once a designated port that is enabled with root protection receives RST BPDUs with a higher priority, the port enters the Discarding state and does not forward packets. If the port does not receive any RST BPDUs with a higher priority before a period (generally two Forward Delay periods) expires, the port automatically enters the Forwarding state.

Protection function: Loop protection

Scenario: A root port or an alternate port ages out if link congestion or a unidirectional link failure occurs. After the root port ages out, the switching device may re-select a root port incorrectly; after the alternate port ages out, the port enters the Forwarding state. Loops may occur in either case.

Configuration impact: After loop protection is configured, if the root port or alternate port does not receive RST BPDUs from the upstream switching device for a long time, the switching device notifies the NMS that the port enters the Discarding state. The blocked port remains in the Blocked state and no longer forwards packets. This prevents loops on the network. The root port restores the Forwarding state after receiving new BPDUs.

Protection function: Abnormal packet filtering

Scenario: On a network running STP, RSTP, or MSTP, a device may receive unexpected STP, RSTP, or MSTP packets due to incorrect configurations or malicious network attacks. If these unexpected packets are transparently transmitted on the network, spanning tree calculation may be affected, causing network flapping.

Configuration impact: After the function to filter abnormal packets is enabled, the device discards the packets carrying a specified source MAC address or VLAN ID. In this manner, unexpected packets are not transparently transmitted on the network, preventing network flapping.

Pre-configuration Tasks

Before configuring basic RSTP functions, complete the following task:

Configuration Procedures

You can choose one or more configuration tasks (excluding "Checking the Configuration") as required.

Configuring BPDU Protection on a Switching Device

After Bridge Protocol Data Unit (BPDU) protection is enabled on a switching device, the switching device shuts down an edge port if the edge port receives a BPDU, and notifies the NMS of the shutdown event.

Context

Edge ports are directly connected to user terminals and normally do not receive Bridge Protocol Data Units (BPDUs). An attacker may send bogus BPDUs to attack the switching device. If an edge port receives BPDUs, the switching device automatically configures the edge port as a non-edge port and triggers a new spanning tree calculation, and network flapping occurs. BPDU protection protects switching devices against such attacks.

NOTE:

Do as follows on a switching device having an edge port:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run stp bpdu-protection

    BPDU protection is enabled on the switching device.

  3. Run commit

    The configuration is committed.

Follow-up Procedure

To allow an edge port that has been shut down to go Up again automatically, run the error-down auto-recovery cause cause-item interval interval-value command to configure the auto recovery function and set the recovery delay on the port. After the delay expires, the port automatically goes Up. interval interval-value ranges from 30 to 86400, in seconds. Note the following when setting this parameter:
  • There is no default value for the recovery time. Therefore, you must specify a delay when configuring this command.
  • The smaller the interval-value is, the shorter it takes for the edge port to go Up, and the more frequently the edge port alternates between Up and Down.
  • The larger the interval-value is, the longer it takes for the edge port to go Up, and the longer the service interruption lasts.

Configuring TC Protection on a Switching Device

After Topology Change (TC) protection is enabled, you can set the number of times for a switching device to process TC Bridge Protocol Data Units (BPDUs) within a specified time. TC protection avoids frequent deletion of MAC address entries and ARP entries, thereby protecting switching devices.

Context

An attacker may send pseudo TC BPDUs to attack switching devices. Switching devices receive a large number of TC BPDUs in a short time and delete entries frequently, which burdens system processing and degrades network stability.

TC protection is used to suppress TC BPDUs. The number of times that a switching device processes TC BPDUs within a specified time is configurable. If the number of TC BPDUs received within the specified time exceeds the configured threshold, the switching device processes only the configured number of them; the excess TC BPDUs are processed together, once, after the specified time period expires. This prevents the switching device from frequently deleting MAC entries and ARP entries and thus from being overloaded.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run stp tc-protection

    TC protection is enabled for a switching device.

  3. Run either or both of the following commands to configure TC protection parameters.

    • To set the time for a device to process the maximum number of TC BPDUs, run the stp tc-protection interval interval-value command.
    • To set the maximum number of TC BPDUs that a device processes within a specified period, run the stp tc-protection threshold threshold command.
    NOTE:
    • There are two TC protection parameters: time needed to process the maximum number of TC BPDUs and the maximum number of TC BPDUs processed within a specified period. For example, if the time is set to 10 seconds and the maximum number is set to 5, when a device receives TC BPDUs, the device processes only the first 5 TC BPDUs within 10 seconds and processes the other TC BPDUs after the time expires.

    • The device processes only the maximum number of TC BPDUs specified in the stp tc-protection threshold command within the time specified in the stp tc-protection interval command. The processing of other TC BPDUs is delayed, which may slow down spanning tree convergence.

  4. Run commit

    The configuration is committed.
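The following Python model, added here as an illustration and not part of the Huawei documentation or product code, shows the suppression behaviour described in this section: the threshold and interval from the note above (5 TC BPDUs per 10 seconds), immediate processing up to the threshold, and one batched processing of the excess when the timer expires. The class and method names, the abstract clock, and the constructed storm of 50 TC BPDUs are assumptions of the model.

```python
"""TC-protection rate limiter modelled on the behaviour described above.

Added illustration, not Huawei code.  At most `threshold` TC BPDUs are
processed within one `interval`; the excess is handled once, as a single
batch, when the interval timer expires.  The class and method names are
this model's own.  Times are seconds on an abstract clock.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class TcProtection:
    interval: float = 10.0          # stp tc-protection interval (page example: 10 s)
    threshold: int = 5              # stp tc-protection threshold (page example: 5)
    window_start: Optional[float] = None   # None while no interval timer is running
    processed_in_window: int = 0
    pending: int = 0                # excess TC BPDUs deferred until the timer expires
    flush_log: List[Dict] = field(default_factory=list)  # each MAC/ARP flush the model performs

    def _flush(self, when: float, bpdus: int, reason: str) -> None:
        self.flush_log.append({"t": when, "reason": reason, "bpdus": bpdus})

    def _expire_if_due(self, now: float) -> None:
        if self.window_start is not None and now - self.window_start >= self.interval:
            # Timer expired: the deferred BPDUs cause one flush, not one each.
            if self.pending:
                self._flush(self.window_start + self.interval, self.pending, "batched")
            self.window_start, self.processed_in_window, self.pending = None, 0, 0

    def receive(self, now: float) -> str:
        """Handle one TC BPDU arriving at time `now`; returns what was done with it."""
        self._expire_if_due(now)
        if self.window_start is None:
            self.window_start = now          # the first BPDU starts the interval timer
        if self.processed_in_window < self.threshold:
            self.processed_in_window += 1
            self._flush(now, 1, "immediate")
            return "processed"
        self.pending += 1
        return "deferred"

    def tick(self, now: float) -> None:
        """Advance the clock with no BPDU, so a running timer can expire."""
        self._expire_if_due(now)


def flushes_for_storm(arrivals: List[float], protection: Optional[TcProtection]) -> int:
    """Count MAC/ARP flushes caused by TC BPDUs arriving at the given times.

    With `protection=None` every TC BPDU is processed as it arrives, which is
    the unprotected behaviour the page warns about.
    """
    if protection is None:
        return len(arrivals)
    for t in arrivals:
        protection.receive(t)
    protection.tick(arrivals[-1] + protection.interval)   # let the last timer expire
    return len(protection.flush_log)


if __name__ == "__main__":
    # Constructed storm: 50 bogus TC BPDUs, 100 ms apart (not a capture).
    storm = [0.1 * i for i in range(50)]
    print("flushes without TC protection:", flushes_for_storm(storm, None))
    print("flushes with 5 per 10 s      :", flushes_for_storm(storm, TcProtection()))
```

The trade-off in the note above is visible in the log: the 45 deferred BPDUs are honoured, but only when the 10-second timer expires, which is the delayed convergence the page mentions.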

Configuring Root Protection on a Port

The root protection function on a switching device protects a root bridge by preserving the role of a designated port.

Context

Due to incorrect configurations or malicious attacks on the network, a root bridge may receive Bridge Protocol Data Units (BPDUs) with a higher priority. Consequently, the legitimate root bridge is no longer able to serve as the root bridge, and the network topology is incorrectly changed, triggering spanning tree recalculation. This also may cause the traffic that should be transmitted over high-speed links to be transmitted over low-speed links, leading to network congestion. The root protection function on a switching device is used to protect the root bridge by preserving the role of the designated port.

NOTE:

Root protection is configured on a designated port. Root protection takes effect only on a designated port.

Do as follows on the root bridge.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The view of the Ethernet interface participating in STP calculation is displayed.

    NOTE:
    The following configuration can be performed on both a Layer 2 interface and a Layer 3 interface.

  3. Run stp root-protection

    Root protection is configured on the switching device.

  4. Run commit

    The configuration is committed.

Configuring Loop Protection on a Port

The loop protection function suppresses the loops caused by link congestion.

Context

On a network running Rapid Spanning Tree Protocol (RSTP), a switching device maintains the root port status and status of blocked ports by receiving Bridge Protocol Data Units (BPDUs) from an upstream switching device. If the switching device cannot receive BPDUs from the upstream because of link congestion or unidirectional-link failure, the switching device re-selects a root port. The original root port becomes a designated port and the original blocked ports change to the Forwarding state. This may cause network loops. To address such a problem, configure loop protection.

After loop protection is configured, if the root port or alternate port does not receive BPDUs from the upstream switching device, the root port is blocked and the switching device notifies the NMS that the port enters the Discarding state. The blocked port remains in the Blocked state and no longer forwards packets. This prevents loops on the network. The root port restores the Forwarding state after receiving new BPDUs.

NOTE:
An alternate port is a backup port of a root port. If a switching device has an alternate port, you need to configure loop protection on both the root port and the alternate port.

Do as follows on a root port and an alternate port on a switching device.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The view of the Ethernet interface participating in STP calculation is displayed.

    NOTE:
    The following configuration can be performed on both a Layer 2 interface and a Layer 3 interface.

  3. Run stp loop-protection

    Loop protection for the root port or the alternate port is configured on the switching device.

  4. Run commit

    The configuration is committed.
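The following Python model, added as an illustration (not Huawei code), covers both this section and the preceding root protection section: a designated port with root protection goes Discarding on a superior BPDU and returns to Forwarding after two Forward Delay periods without another one; a root or alternate port with loop protection is blocked when upstream BPDUs stop and released when they resume, contrasted with an unprotected port that ages out into Forwarding. The timer values (Forward Delay 15 s, Max Age 20 s) match the display stp output in the verification section; using Max Age as the loop protection timeout, and all class and method names, are the model's own assumptions.

```python
"""Port-level model of root protection and loop protection.

Added illustration, not Huawei code.  Root protection: a designated port that
receives a BPDU advertising a better root keeps its role but goes Discarding,
and returns to Forwarding only after two Forward Delay periods pass with no
further superior BPDU.  Loop protection: a root or alternate port that stops
hearing BPDUs from upstream is blocked (Discarding, NMS notified) instead of
aging out, and is released when a BPDU arrives again.  Using Max Age as the
"no BPDUs for a long time" threshold, and the class and method names, are this
model's own assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

FORWARD_DELAY = 15.0   # FwDly 15s in the display stp output
MAX_AGE = 20.0         # MaxAge 20s in the display stp output


@dataclass(frozen=True)
class BridgeId:
    priority: int
    mac: str              # Huawei style xxxx-xxxx-xxxx

    def better_than(self, other: "BridgeId") -> bool:
        # Lower priority wins; the lower MAC address breaks ties.
        return (self.priority, self.mac) < (other.priority, other.mac)


@dataclass
class RootGuardedPort:
    """Designated port with `stp root-protection`."""
    current_root: BridgeId
    state: str = "Forwarding"
    blocked_until: Optional[float] = None
    events: List[Tuple[float, str]] = field(default_factory=list)

    def receive_bpdu(self, now: float, advertised_root: BridgeId) -> str:
        self.tick(now)
        if advertised_root.better_than(self.current_root):
            # Superior BPDU: the role is preserved, forwarding stops, the timer (re)starts.
            self.blocked_until = now + 2 * FORWARD_DELAY
            if self.state != "Discarding":
                self.state = "Discarding"
                self.events.append((now, "Discarding: superior BPDU on root-protected port"))
        return self.state

    def tick(self, now: float) -> str:
        if self.blocked_until is not None and now >= self.blocked_until:
            self.state, self.blocked_until = "Forwarding", None
            self.events.append((now, "Forwarding: 2 x Forward Delay without superior BPDU"))
        return self.state


@dataclass
class UpstreamPort:
    """Root or alternate port, with or without `stp loop-protection`."""
    role: str                       # "root" or "alternate"
    loop_protection: bool = True
    last_bpdu: float = 0.0
    timed_out: bool = False
    events: List[Tuple[float, str]] = field(default_factory=list)

    @property
    def state(self) -> str:
        if self.timed_out:
            # Unprotected: the port ages out and forwards (the loop the text warns about).
            return "Discarding" if self.loop_protection else "Forwarding"
        return "Forwarding" if self.role == "root" else "Discarding"

    def receive_bpdu(self, now: float) -> str:
        self.last_bpdu = now
        if self.timed_out:
            self.timed_out = False
            self.events.append((now, f"{self.role} port restored after BPDU"))
        return self.state

    def tick(self, now: float) -> str:
        if not self.timed_out and now - self.last_bpdu > MAX_AGE:
            self.timed_out = True
            what = ("blocked by loop protection, NMS notified" if self.loop_protection
                    else "aged out, now Forwarding (loop risk)")
            self.events.append((now, f"{self.role} port {what}"))
        return self.state


if __name__ == "__main__":
    guard = RootGuardedPort(current_root=BridgeId(0, "00e0-e70a-4d00"))
    guard.receive_bpdu(1.0, BridgeId(0, "0000-0000-0001"))   # constructed rogue bridge id
    guard.tick(31.0)
    alt = UpstreamPort(role="alternate")
    alt.tick(21.0)
    for t, event in guard.events + alt.events:
        print(f"t={t:5.1f}s  {event}")
```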

Configuring Abnormal Packet Filtering

You can configure the router to process or discard specified packets in order to filter unexpected packets.

Context

On a network running STP, RSTP, or MSTP, a device may receive unexpected STP, RSTP, or MSTP packets due to incorrect configurations or malicious network attacks. If these unexpected packets are transparently transmitted on the network, spanning tree calculation may be affected, causing network flapping. To address this problem, enable the function to filter abnormal packets.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Perform either of the following operations:

    • To enter the view of the interface participating in spanning tree calculation, run the interface interface-type interface-number command.
    • To enter the VSI-LDP-PW view, run the pw pw-name command.

    NOTE:
    The following configuration can be performed on both a Layer 2 interface and a Layer 3 interface.

  3. Run either or both of the following commands to configure abnormal packet filtering:

    • Run the stp permit packet source-mac source-mac source-mac-mask command to enable the interface to process STP, RSTP, and MSTP packets carrying a specified source MAC address.
    • Run the stp deny packet { vlan vlan-id1 [ to vlan-id2 ] } &<1-10> command to enable the interface to discard STP, RSTP, and MSTP packets carrying a specified VLAN ID.
    NOTE:
    • If this operation is incorrectly performed, a broadcast storm may occur.
    • If both of the preceding commands are configured in the same interface view or VSI-LDP-PW view, the device preferentially executes the stp deny packet { vlan vlan-id1 [ to vlan-id2 ] } &<1-10> command.
    • A maximum of 16 source MAC addresses or VLAN IDs can be configured in the same interface view or VSI-LDP-PW view.

  4. Run commit

    The configuration is committed.
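As an added illustration (not Huawei code) of the two filtering commands and the precedence note above, the following Python model decides whether an STP, RSTP, or MSTP frame is processed or discarded. It takes from the page that the VLAN deny rule is executed preferentially and that a view holds at most 16 entries; treating source-mac-mask as a bitwise mask, discarding frames from unlisted sources once a permit entry exists, counting each VLAN ID of a range as one entry, and the MAC addresses used in the demo are assumptions.

```python
"""Decision model for the abnormal packet filtering configured above.

Added illustration, not Huawei code.  It applies the rules the page states:
`stp deny packet vlan` is evaluated before `stp permit packet source-mac`,
and a view holds at most 16 source MAC addresses or VLAN IDs.  Treating
source-mac-mask as a bitwise mask (a frame matches when frame_mac & mask ==
permit_mac & mask), discarding STP frames from unlisted sources once any
permit entry exists, and counting each VLAN ID in a range as one entry are
this model's assumptions; the class and method names are its own.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

MAX_ENTRIES = 16   # per interface view or VSI-LDP-PW view


def mac_to_int(mac: str) -> int:
    """Parse Huawei-style xxxx-xxxx-xxxx (colon form is accepted too)."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(digits, 16)


@dataclass
class StpPacketFilter:
    permit_macs: List[Tuple[int, int]] = field(default_factory=list)  # (masked MAC, mask)
    deny_vlans: Set[int] = field(default_factory=set)

    def _reserve(self, count: int) -> None:
        if len(self.permit_macs) + len(self.deny_vlans) + count > MAX_ENTRIES:
            raise ValueError(f"at most {MAX_ENTRIES} source MAC addresses or VLAN IDs per view")

    def permit_source_mac(self, mac: str, mask: str = "ffff-ffff-ffff") -> None:
        """stp permit packet source-mac <mac> <mask>"""
        self._reserve(1)
        m = mac_to_int(mask)
        self.permit_macs.append((mac_to_int(mac) & m, m))

    def deny_vlan(self, first: int, last: Optional[int] = None) -> None:
        """stp deny packet vlan <first> [to <last>]"""
        last = first if last is None else last
        if not 1 <= first <= last <= 4094:
            raise ValueError("VLAN IDs must satisfy 1 <= first <= last <= 4094")
        new_ids = set(range(first, last + 1)) - self.deny_vlans
        self._reserve(len(new_ids))
        self.deny_vlans |= new_ids

    def decide(self, src_mac: str, vlan_id: Optional[int]) -> str:
        """Return 'discard' or 'process' for an STP/RSTP/MSTP frame."""
        # The deny-by-VLAN command is executed preferentially (page note).
        if vlan_id is not None and vlan_id in self.deny_vlans:
            return "discard"
        # With permit entries present, only listed sources are processed (model assumption).
        if self.permit_macs:
            src = mac_to_int(src_mac)
            if not any(src & mask == masked for masked, mask in self.permit_macs):
                return "discard"
        return "process"


if __name__ == "__main__":
    f = StpPacketFilter()
    f.permit_source_mac("00e0-e70a-4d00")                       # constructed: known root bridge
    f.permit_source_mac("00e0-6606-0000", "ffff-ffff-0000")     # constructed: one address block
    f.deny_vlan(100, 102)
    for mac, vlan in [("00e0-e70a-4d00", 10), ("0011-2233-4455", 10), ("00e0-e70a-4d00", 101)]:
        print(mac, vlan, "->", f.decide(mac, vlan))
```

The last demo line shows the precedence rule: a source that is explicitly permitted is still discarded when its VLAN is denied.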

Verifying the RSTP Protection Function Configuration

After Rapid Spanning Tree Protocol (RSTP) protection functions are configured, verify the configuration.

Prerequisites

All configurations of RSTP protection functions are complete.

Procedure

  • Run the display stp [ interface interface-type interface-number ] [ brief ] command to view the status of a spanning tree, including the status of protection functions on a switching device.

Example

Run the display stp command to view the working mode of a spanning tree, the status of Bridge Protocol Data Unit (BPDU) protection on a switching device, and the status of root protection on a specified port. For example:
<HUAWEI> display stp
-------[CIST Global Info][Mode RSTP]-------
CIST Bridge         :32768.00e0-4e1f-b200
Bridge Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC      :0    .00e0-e70a-4d00 / 20
CIST RegRoot/IRPC   :32768.00e0-4e1f-b200 / 0
CIST RootPortId     :128.1
BPDU-Protection     :enabled
TC or TCN received  :0
TC count per hello  :0
STP Converge Mode   :Normal
Time since last TC  :0 days 0h:26m:16s
----[Port1(GigabitEthernet0/1/1)][FORWARDING]----
 Port Protocol       :enabled
 Port Role           :Designated Port
 Port Priority       :128
 Port Cost(Legacy)   :Config=auto / Active=20
 Desg. Bridge/Port   :0.00e0-e70a-4d00 / 128.5
 Port Edged          :Config=default / Active=disabled
 Point-to-point      :Config=auto / Active=true
 Transit Limit       :147 packets/hello-time
 Protection Type     :Root
 Port Stp Mode       :RSTP
 Port Protocol Type  :Config=auto / Active=dot1s
 BPDU Encapsulation  :Config=stp / Active=stp
 PortTimes           :Hello 2s MaxAge 20s FwDly 15s RemHop 0
 TC or TCN send      :1
 TC or TCN received  :0
 BPDU Sent           :4
          TCN: 0, Config: 0, RST: 4, MST: 0
 BPDU Received       :22
          TCN: 0, Config: 0, RST: 22, MST: 0
----[Port2(GigabitEthernet0/1/3)][FORWARDING]----
 Port Protocol       :enabled
 Port Role           :Designated Port
 Port Priority       :160
 Port Cost(Legacy)   :Config=auto / Active=20
 Desg. Bridge/Port   :4096.00e0-6606-be00 / 128.1
 Port Edged          :Config=default / Active=disabled
 Point-to-point      :Config=auto / Active=true
 Transit Limit       :147 packets/hello-time
 Protection Type     :Root
 Port STP Mode       :RSTP
 Port Protocol Type  :Config=auto / Active=dot1s
 BPDU Encapsulation  :Config=stp / Active=stp
 PortTimes           :Hello 2s MaxAge 14s FwDly 10s RemHop 0
 TC or TCN send      :1
 TC or TCN received  :0
 BPDU Sent           :2
          TCN: 0, Config: 0, RST: 2, MST: 0
 BPDU Received       :22
          TCN: 0, Config: 0, RST: 22, MST: 0  
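The following Python parser and check, added as an illustration rather than taken from Huawei, reads display stp output like the example above into the global and per-port fields and flags ports whose protection does not match a simple policy (BPDU protection enabled globally, root protection on designated ports, loop protection on root and alternate ports). The policy is the example's own; the first sample is the page's output trimmed to the lines the check uses, the second is a constructed weak configuration.

```python
"""Parser and protection check for `display stp` output.

Added illustration, not Huawei code.  It parses the global block and the
per-port blocks into dictionaries and reports ports whose protection does
not match this example's own policy.  SAMPLE_PAGE is the page's output
trimmed to the relevant lines; SAMPLE_WEAK is constructed.
"""
import re
from typing import Dict, List

GLOBAL_HDR = re.compile(r"^-+\[CIST Global Info\]\[Mode (\w+)\]-+\s*$")
PORT_HDR = re.compile(r"^-+\[Port(\d+)\(([^)]+)\)\]\[(\w+)\]-+\s*$")
KEY_VALUE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")

SAMPLE_PAGE = """\
<HUAWEI> display stp
-------[CIST Global Info][Mode RSTP]-------
CIST Bridge         :32768.00e0-4e1f-b200
CIST RootPortId     :128.1
BPDU-Protection     :enabled
Time since last TC  :0 days 0h:26m:16s
----[Port1(GigabitEthernet0/1/1)][FORWARDING]----
 Port Protocol       :enabled
 Port Role           :Designated Port
 Port Edged          :Config=default / Active=disabled
 Protection Type     :Root
 BPDU Sent           :4
          TCN: 0, Config: 0, RST: 4, MST: 0
----[Port2(GigabitEthernet0/1/3)][FORWARDING]----
 Port Protocol       :enabled
 Port Role           :Designated Port
 Protection Type     :Root
"""

SAMPLE_WEAK = """\
-------[CIST Global Info][Mode RSTP]-------
BPDU-Protection     :disabled
----[Port1(GigabitEthernet0/1/1)][FORWARDING]----
 Port Role           :Root Port
 Protection Type     :None
----[Port2(GigabitEthernet0/1/3)][DISCARDING]----
 Port Role           :Alternate Port
 Protection Type     :Loop
"""


def parse_display_stp(text: str) -> Dict:
    """Return {"global": {...}, "ports": [{"index", "name", "state", <fields>...}]}."""
    parsed: Dict = {"global": {}, "ports": []}
    section = None
    for line in text.splitlines():
        if (m := GLOBAL_HDR.match(line)):
            section = parsed["global"]
            section["Mode"] = m.group(1)
        elif (m := PORT_HDR.match(line)):
            section = {"index": int(m.group(1)), "name": m.group(2), "state": m.group(3)}
            parsed["ports"].append(section)
        elif section is not None and not line.lstrip().startswith("TCN:"):
            # The indented "TCN: n, Config: n, ..." breakdown lines are skipped.
            if (m := KEY_VALUE.match(line)):
                section[m.group(1)] = m.group(2)
    return parsed


def check_protection(parsed: Dict) -> List[str]:
    """Findings against this example's policy; an empty list means compliant."""
    findings: List[str] = []
    if parsed["global"].get("BPDU-Protection") != "enabled":
        findings.append("global: BPDU-Protection is not enabled")
    for port in parsed["ports"]:
        role = port.get("Port Role", "")
        prot = port.get("Protection Type", "None")
        if role == "Designated Port" and prot != "Root":
            findings.append(f"{port['name']}: designated port, Protection Type={prot}, expected Root")
        if role in ("Root Port", "Alternate Port") and prot != "Loop":
            findings.append(f"{port['name']}: {role.lower()}, Protection Type={prot}, expected Loop")
    return findings


if __name__ == "__main__":
    for label, sample in (("page output", SAMPLE_PAGE), ("constructed", SAMPLE_WEAK)):
        print(label, "->", check_protection(parse_display_stp(sample)) or "compliant")
```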
Updated: 2019-01-02

Document ID: EDOC1100055378