Introduction to Ethernet STP, RSTP and MSTP Basic Configuration, and the Spanning Tree Safeguard Commands

2.13.0 Ethernet STP, RSTP and MSTP configuration, spanning tree safeguard operations

Main reference: Huawei S2750, S5700, S6700 V200R005 (C00&C01&C02&C03) product documentation "Command Manual"


STP configuration

# Enable spanning tree
[LSW1]stp enable 

# Use STP mode
[LSW1]stp mode stp 

# Configure the bridge priority (0 to 61440 in steps of 4096; a lower value is a higher priority)
[LSW1]stp priority 0~61440

# Force this device to become the root bridge
[LSW1]stp root primary 

# Force this device to become the backup root bridge
[LSW1]stp root secondary 

RSTP configuration

# Enable spanning tree
[LSW1]stp enable 

# Use RSTP mode
[LSW1]stp mode rstp 

MSTP configuration

# Enable spanning tree
[LSW1]stp enable 

# Use MSTP mode
[LSW1]stp mode mstp 

# Create the MSTP instances (the same region configuration must be entered on every switch running MSTP)
[LSW1]stp region-configuration 			\\ Enter the spanning tree region configuration view
[LSW1-mst-region]region-name huawei		\\ Name the region
[LSW1-mst-region]instance 1 vlan 10 20	\\ Create instance 1 and map VLANs 10 and 20 to it
[LSW1-mst-region]instance 2 vlan 30 40	\\ Create instance 2 and map VLANs 30 and 40 to it
[LSW1-mst-region]active region-configuration \\ Activate the region configuration
[LSW1-mst-region]q

# Set this device's priority in instance 1 of the region (0 to 61440 in steps of 4096)
[LSW1]stp instance 1 priority 0~61440

# Make this device the root bridge of instance 1 in the region
[LSW1]stp instance 1 root primary 

Spanning Tree Safeguard Operations

(1) Root bridge protection

1. By default, as soon as a device with a better bridge priority (for example priority 0, the numerically lowest and therefore highest priority) appears anywhere in the STP switching network, it wins the root election: the root bridge changes, the whole topology reconverges, and the network flaps.


2. To keep the network stable, the root protection function can be configured on the designated ports of the root bridge that face user access areas, and on unused ports, so that even if a switch connected there is reconfigured with a better priority it cannot affect the root bridge election of the current network.

  • [LSW1-GigabitEthernet0/0/1]stp root-protection
  • Once a designated port with root protection enabled receives a BPDU with a higher priority (a superior BPDU), the port enters the Discarding state and stops forwarding traffic; its role stays designated.
  • After a period of time (usually twice the Forward Delay, i.e. 30 s with the default 15 s) without receiving another superior BPDU, the port automatically returns to the normal Forwarding state.

3. Root protection takes effect only on designated ports, which in practice means the ports of the root bridge (all of its ports are designated ports). If stp root-protection is configured on a root port, alternate port or backup port, it has no effect.
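To make the election rule and the root-protection behaviour concrete, the following is an added example (not code from the original post, and not Huawei's implementation) that decodes an IEEE 802.1D Configuration BPDU and applies the rule described above to it. The MAC addresses, priorities and frame bytes are constructed for the demonstration; the `root_protection_decision` function is a simplified model of the port behaviour, not a full 802.1D state machine.

```python
"""Decode an 802.1D Configuration BPDU and apply the root-protection rule.

Added example, not from the original post or Huawei's code.  MACs, priorities
and frames are constructed; the decision function is a simplified model."""
import struct

LLC_STP = b"\x42\x42\x03"   # DSAP/SSAP 0x42, UI control field: STP over 802.2 LLC
# Configuration BPDU body: proto(2) ver(1) type(1) flags(1) root-ID(8)
# root-path-cost(4) bridge-ID(8) port-ID(2) msg-age(2) max-age(2) hello(2) fwd-delay(2)
BPDU_FMT = "!HBBB8sI8sHHHHH"
BPDU_LEN = struct.calcsize(BPDU_FMT)   # 35 bytes


def bridge_id(priority, mac):
    """8-byte bridge ID: 16-bit priority field followed by the 6-byte bridge MAC.
    Only the upper 4 bits carry the configured priority (multiples of 4096)."""
    return struct.pack("!H", priority) + bytes.fromhex(mac.replace(":", ""))


def build_config_bpdu(root_prio, root_mac, root_cost, bridge_prio, bridge_mac, port_id):
    """Construct an LLC-encapsulated Configuration BPDU (timer fields in 1/256 s)."""
    body = struct.pack(BPDU_FMT, 0x0000, 0x00, 0x00, 0x00,
                       bridge_id(root_prio, root_mac), root_cost,
                       bridge_id(bridge_prio, bridge_mac), port_id,
                       0, 20 * 256, 2 * 256, 15 * 256)
    return LLC_STP + body


def parse_bpdu(frame):
    """Parse an LLC+BPDU frame into a dict; ValueError for anything else."""
    if frame[:3] != LLC_STP:
        raise ValueError("not an STP LLC frame")
    body = frame[3:]
    if len(body) < BPDU_LEN:
        raise ValueError("truncated BPDU")
    (proto, version, btype, flags, root, cost, bridge, port,
     msg_age, max_age, hello, fwd_delay) = struct.unpack(BPDU_FMT, body[:BPDU_LEN])
    if proto != 0 or btype != 0x00:
        raise ValueError("not a Configuration BPDU")
    return {
        "version": version, "flags": flags,
        "root_id": root, "root_priority": struct.unpack("!H", root[:2])[0] & 0xF000,
        "root_mac": root[2:].hex(":"), "root_cost": cost,
        "bridge_id": bridge, "port_id": port,
        "max_age": max_age / 256, "hello": hello / 256, "fwd_delay": fwd_delay / 256,
    }


def priority_vector(b):
    """802.1D message priority vector; the lexicographically smaller one wins."""
    return (b["root_id"], b["root_cost"], b["bridge_id"], b["port_id"])


def is_superior(received, own):
    """True when `received` would win the election against what the port advertises."""
    return priority_vector(received) < priority_vector(own)


def root_protection_decision(port_role, root_protection, received, own):
    """Simplified model of a port receiving `received` while advertising `own`.
    Returns (port_state, port_role).  Root protection only acts on designated ports."""
    if not is_superior(received, own):
        return ("forwarding", port_role)       # inferior/equal BPDU: nothing changes
    if port_role == "designated" and root_protection:
        return ("discarding", "designated")    # role kept, port blocked until BPDUs stop
    return ("forwarding", "root")              # re-election: the neighbour becomes the root


# Constructed scenario: LSW1 is the intended root (stp priority 4096) and advertises
# this BPDU on GE0/0/1, a designated port facing an access switch.
OWN = parse_bpdu(build_config_bpdu(4096, "4c:1f:cc:00:00:01", 0,
                                   4096, "4c:1f:cc:00:00:01", 0x8001))
# A rogue device plugged in behind GE0/0/1 claims to be the root with priority 0.
ROGUE = parse_bpdu(build_config_bpdu(0, "00:11:22:33:44:55", 0,
                                     0, "00:11:22:33:44:55", 0x8001))


def demo():
    """The same rogue BPDU arriving at GE0/0/1 with and without root protection."""
    return {
        "unprotected": root_protection_decision("designated", False, ROGUE, OWN),
        "protected": root_protection_decision("designated", True, ROGUE, OWN),
    }


if __name__ == "__main__":
    print("rogue BPDU is superior:", is_superior(ROGUE, OWN))
    for name, (state, role) in demo().items():
        print(f"{name:12s} -> state={state}, role={role}")
```

The comparison is the whole point: a bridge ID is compared as a big-endian integer, so priority 0 with any MAC beats priority 4096 with any MAC, which is why the page recommends pinning the root with stp root primary and guarding its designated ports rather than relying on MAC addresses. The same parser can be pointed at frames captured on an access port to confirm that no BPDUs at all should be arriving there.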


(2) Edge ports, BPDU protection and BPDU filtering

1. Why edge ports are configured

  • By default, a switch running a spanning tree protocol periodically sends BPDUs out of every port. For ports connected to hosts this is both unnecessary and undesirable.

  • It is unnecessary because a host does not process BPDUs. It is undesirable because an attacker on such a port can learn about the switching devices from the BPDUs and use that knowledge to influence the spanning tree topology: once the attacker knows BPDUs are present on the port, replacing the host with a switch (or software that sends BPDUs) advertising a better priority can change the topology of the entire spanning tree and cause network failures.

2. What an edge port does

  • Enable on a single port: [LSW1-Ethernet0/0/1]stp edged-port enable

  • Enable on all ports by default: [LSW1]stp edged-port default

  • When an edge port comes up it goes straight to the Forwarding state instead of waiting through the Listening/Learning (or Discarding/Learning) transitions.

  • An edge port does not take part in spanning tree calculation, and its going up or down does not trigger a topology change, so it avoids unnecessary topology recomputation. Note that an edge port by itself still sends BPDUs; stopping that is what BPDU filtering (point 4 below) is for.

  • However, an edge port has one important property: as soon as it receives a BPDU it reverts to a normal non-edge port and takes part in spanning tree calculation again, sending and receiving BPDUs like any other port.

  • Configuring a port as an edge port with stp edged-port enable therefore removes it from the spanning tree calculation, which speeds up topology convergence and improves network stability.

3. BPDU protection (global)

  • [LSW1]stp bpdu-protection

  • [LSW1]error-down auto-recovery cause bpdu-protection interval 30~86400

  • When an edge port receives a BPDU it loses its edge attribute. To stop an attacker from forging BPDUs and turning edge ports into non-edge ports (and so pulling them into the spanning tree calculation), run stp bpdu-protection to enable BPDU protection on the switching device.

  • With BPDU protection enabled, an edge port that receives a BPDU is shut down (error-down), and its edge attribute is kept.

  • A port shut down by BPDU protection is not restored automatically by default. An administrator has to run shutdown and then undo shutdown on the interface, or run restart in the interface view, to bring it back.

  • To let the port recover on its own, run error-down auto-recovery cause bpdu-protection interval recovery-time in the system view; the port comes back up after that delay (30 to 86400 seconds). Choose the delay with care: too short and a rogue device that is still attached simply shuts the port again, too long and a legitimate user stays offline.

4. BPDU filtering

  • Enable on a single port: [LSW1-Ethernet0/0/1]stp bpdu-filter enable

  • Enable on all ports by default: [LSW1]stp bpdu-filter default

  • An edge port can still receive BPDUs, and it becomes a non-edge port when it does, which causes network flapping.

  • Besides BPDU protection, this can be addressed by running stp bpdu-filter enable on the port to filter BPDUs, so that the edge port neither processes received BPDUs nor sends any. Such a port is a BPDU filter port.

  • The difference from BPDU protection is that this function only filters BPDUs; it does not shut the interface down the way BPDU protection does. The flip side is that a BPDU filter port is invisible to spanning tree: if a switch is ever connected to it, no BPDU can block the resulting loop, so use it only on ports that are guaranteed to face hosts, and prefer BPDU protection where the port might be re-cabled.
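The three configurations in points 2 to 4 react differently to the same event, a BPDU arriving on an access port. The following is an added example (not from the original post or Huawei's code) that models that reaction for a plain edge port, BPDU protection with and without error-down auto-recovery, and BPDU filtering. Timestamps are in seconds, the 30 s recovery interval and the two BPDU arrival times are assumed values chosen for the demonstration, and the state names are simplified labels rather than VRP's own.

```python
"""Model of an access port under the edge-port safeguards discussed above.

Added example, not from the original post or Huawei's code.  Times are in
seconds; the recovery interval and BPDU arrival times are constructed."""


class EdgePort:
    """One access port.  `state` is one of:
    forwarding  - edge port passing traffic
    stp         - edge attribute lost, port back in spanning tree calculation
    error-down  - shut by BPDU protection"""

    def __init__(self, bpdu_protection=False, bpdu_filter=False, auto_recovery=None):
        self.bpdu_protection = bpdu_protection
        self.bpdu_filter = bpdu_filter
        self.auto_recovery = auto_recovery   # seconds; None = shutdown/undo shutdown only
        self.edge = True
        self.state = "forwarding"
        self.down_since = None
        self.events = []

    def receive_bpdu(self, now):
        """A BPDU arrives at time `now` (e.g. from a rogue switch on this port)."""
        self.tick(now)
        if self.state == "error-down":
            return                                      # port is down, frame never arrives
        if self.bpdu_filter:
            self.events.append((now, "bpdu dropped"))   # not processed, edge attribute kept
        elif self.bpdu_protection:
            self.state, self.down_since = "error-down", now
            self.events.append((now, "error-down"))     # port shut, edge attribute kept
        else:
            self.edge, self.state = False, "stp"
            self.events.append((now, "edge attribute lost"))  # port re-enters STP: flapping

    def tick(self, now):
        """Apply error-down auto-recovery once the configured delay has passed."""
        if (self.state == "error-down" and self.auto_recovery is not None
                and now - self.down_since >= self.auto_recovery):
            self.state, self.down_since = "forwarding", None
            self.events.append((now, "auto-recovered"))


def simulate(bpdu_times, check_time, **cfg):
    """Deliver BPDUs at `bpdu_times`, then report (edge, state, events) at `check_time`."""
    port = EdgePort(**cfg)
    for t in bpdu_times:
        port.receive_bpdu(t)
    port.tick(check_time)
    return port.edge, port.state, port.events


SCENARIO = [0, 5]   # constructed: an attacker's BPDU at t=0 and again at t=5

if __name__ == "__main__":
    configs = {
        "plain edge port": {},
        "bpdu-protection, manual recovery": {"bpdu_protection": True},
        "bpdu-protection, auto-recovery 30s": {"bpdu_protection": True, "auto_recovery": 30},
        "bpdu-filter": {"bpdu_filter": True},
    }
    for name, cfg in configs.items():
        edge, state, events = simulate(SCENARIO, 60, **cfg)
        print(f"{name:36s} edge={edge!s:5} state={state:10} events={events}")
```

Run at t=60 the four rows read: the plain edge port has lost its edge attribute and is back in the spanning tree calculation, the manually recovered port is still error-down, the auto-recovered port is forwarding again (and would be shut once more if the rogue BPDUs resumed), and the filter port has simply dropped both BPDUs and never reacted, which is the case that hides a cabling mistake.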

(3) Protection against TC BPDU attacks (global)

  • [LSW1] stp tc-protection

1. In a Layer 2 network running a spanning tree protocol, a device that receives a topology change (TC) BPDU deletes its MAC address entries and ARP entries. If TC BPDUs arrive frequently, whether from a genuinely unstable topology or from an attacker flooding forged TC BPDUs, the repeated flushes load the CPU heavily and drive CPU usage up.

2. TC protection is enabled by default. The stp tc-protection interval time command sets the timer interval, and stp tc-protection threshold count sets the maximum number of TC BPDUs the device processes within that interval. TC BPDUs beyond the threshold are not processed immediately; the device handles them once, together, after the timer expires. This avoids repeatedly deleting MAC address entries and ARP entries and so protects the device.
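To show what the threshold and interval actually do to a burst of TC BPDUs, the following is an added example (not from the original post or Huawei's code) that models the limiter: at most `threshold` TC BPDUs are acted on per interval, and any excess collapses into a single deferred flush when the timer expires. The default of one TC per 2 s interval is an assumed value, timestamps are integer milliseconds, and the burst of TC BPDUs is constructed.

```python
"""Model of the stp tc-protection rate limiter.

Added example, not from the original post or Huawei's code.  The defaults
(threshold 1, interval 2 s) are assumed; times are integer milliseconds."""


class TcProtection:
    def __init__(self, threshold=1, interval_ms=2000, enabled=True):
        self.threshold = threshold
        self.interval = interval_ms
        self.enabled = enabled
        self.window_start = None    # start of the running interval timer (None = idle)
        self.processed = 0          # TC BPDUs acted on in the current interval
        self.deferred = False       # excess TCs collapse into one deferred flush
        self.flushes = []           # times at which MAC/ARP entries were flushed

    def _expire(self, now):
        """Roll the timer forward to `now`; a deferred flush is done once on expiry."""
        while self.window_start is not None and now >= self.window_start + self.interval:
            self.window_start += self.interval
            self.processed = 0
            if self.deferred:
                self.flushes.append(self.window_start)   # the one deferred flush
                self.deferred = False
                self.processed = 1                       # counts against the new interval
            else:
                self.window_start = None                 # nothing pending: timer stops

    def on_tc_bpdu(self, now):
        """A TC BPDU arrives; returns 'flushed' or 'deferred'."""
        if not self.enabled:
            self.flushes.append(now)                     # unprotected: flush every time
            return "flushed"
        self._expire(now)
        if self.window_start is None:
            self.window_start = now                      # first TC starts the timer
        if self.processed < self.threshold:
            self.processed += 1
            self.flushes.append(now)
            return "flushed"
        self.deferred = True
        return "deferred"

    def finish(self, now):
        """Advance to the end of the trace so a pending deferred flush is counted."""
        self._expire(now)
        return self.flushes


def run(tc_times, end_ms, **cfg):
    """Feed a list of TC arrival times through the limiter; return the flush times."""
    tp = TcProtection(**cfg)
    for t in tc_times:
        tp.on_tc_bpdu(t)
    return tp.finish(end_ms)


# Constructed attack trace: 20 TC BPDUs at 100 ms spacing (a 2 s flood), then one more at 5 s.
BURST = [i * 100 for i in range(20)] + [5000]

if __name__ == "__main__":
    print("unprotected flushes:", len(run(BURST, 10000, enabled=False)))
    print("tc-protection (1 per 2 s):", run(BURST, 10000))
    print("tc-protection threshold 3:", run(BURST, 10000, threshold=3))
```

With protection disabled the 21 TC BPDUs cause 21 MAC and ARP flushes; with the assumed defaults the same trace causes three (the first TC, one deferred flush when the timer expires at 2 s, and the isolated TC at 5 s), which is the CPU relief the page describes. The threshold/interval pair is a trade-off: a very high threshold gives no protection, a very long interval delays convergence after a real topology change.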

(4) Loop protection

  • [LSW1-GigabitEthernet0/0/1] stp loop-protection

1. In a network running a spanning tree protocol, the root port and the blocked (alternate) ports keep their state only because they keep receiving BPDUs from the upstream device.

  • When these ports stop receiving BPDUs from upstream because of link congestion or a unidirectional link failure, the switching device re-elects its root port.
  • The original root port becomes a designated port, and the originally blocked port transitions to the Forwarding state, which can create a loop in the network.

2. Loop protection is deployed to prevent this.

  • With loop protection enabled, if a root port or alternate port does not receive BPDUs from the upstream device for a long time, the device sends a notification to the network management system.
  • The root port then enters the Discarding state and its role changes to designated port; the alternate port stays blocked (its role also changes to designated port). Neither forwards traffic, so no loop can form.
  • Once the link is no longer congested or the unidirectional failure is repaired and the port receives BPDUs again, it renegotiates and returns to the role and state it had before the failure.
  • Configure loop protection on root ports and alternate ports (the downstream side of a link), not on the designated ports where root protection belongs.


Origin: blog.csdn.net/qq_45443704/article/details/128320940