
protecting STP on Huawei switches

As a continuation of the STP Root Protection post, I want to describe additional STP protection
functions and show where these functions should be implemented in a typical campus LAN
environment.

BPDU Protection protects a switch against STP BPDU attacks. It should be enabled on every switch
that has ports directly connected to end-user workstations, because we do not expect to receive STP
BPDUs from user workstations: a BPDU arriving on such a port comes either from a misconfigured or
unauthorized device (a rogue switch, a hypervisor bridge, a host running a bridging tool) or from an
attacker trying to become root bridge or to force repeated topology recalculations. Without
protection, a BPDU received on an edge port makes the port lose its edge status and triggers an STP
topology recalculation, causing network flapping. If BPDU Protection is enabled and the switch
receives an STP BPDU on an edge port, the port is placed into shutdown state, protecting the STP
topology from recalculation. By default BPDU Protection is disabled on Huawei switches. To enable it,
mark the port as an edge port in interface view and enable BPDU Protection globally in system view:

<labnario_sw>system-view
[labnario_sw]interface Ethernet 0/0/1
[labnario_sw-Ethernet0/0/1]stp edged-port enable
[labnario_sw-Ethernet0/0/1]quit
[labnario_sw]stp bpdu-protection

When a port is configured as an STP edge port and an STP BPDU is received on it, the port is placed
into shutdown state and the switch logs the event:

[labnario_sw]
May 13 2013 20:17:00-08:00 labnario_sw%%01MSTP/4/BPDU_PROTECTION(l)[4]:This edged-port Ethernet0/0/1 that enabled BPDU-Protection will be shutdown, because it received BPDU packet!

[labnario_sw-Ethernet0/0/1]dis cur int e0/0/1
#
interface Ethernet0/0/1
shutdown
stp edged-port enable

[labnario_sw-Ethernet0/0/1]dis int eth0/0/1
Ethernet0/0/1 current state : Administratively DOWN
Line protocol current state : DOWN

To bring the port back to UP state, the port has to be reconfigured manually (undo shutdown in
interface view, after checking what is connected to it) or the error-down auto recovery feature has to
be enabled on the switch (on current S-series software: error-down auto-recovery cause
bpdu-protection interval <seconds> in system view; check the command reference for your version).
Auto recovery is convenient, but a device that keeps sending BPDUs will simply shut the port down
again after every recovery, so keep the interval long and make sure the BPDU_PROTECTION log
message above is forwarded to your syslog or SIEM and alerted on: it is the signal that someone has
plugged a switch, or something pretending to be one, into a user port.
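To show why a BPDU on an access port is never harmless, here is an added example (my own code, not from the labnario post or from Huawei) that builds and parses an IEEE 802.1D Configuration BPDU and runs the root-election comparison a bridge applies to every BPDU it receives. The MAC addresses and bridge priorities are constructed for the illustration; only the BPDU body is built, not the Ethernet/LLC encapsulation. It goes slightly beyond the text by showing the comparison order (root ID, root path cost, sender bridge ID, port ID) that lets a device claiming priority 0 take over the root role without any authentication.

```python
"""Added example (not from the labnario post): build and parse an IEEE 802.1D
Configuration BPDU and apply the root-election comparison a bridge runs on every
BPDU it receives. MAC addresses and priorities below are constructed."""
import struct

# Configuration BPDU body (IEEE 802.1D-1998, 9.3.1), 35 bytes after the LLC header:
# protocol id(2) version(1) type(1) flags(1) root id(8) root path cost(4)
# bridge id(8) port id(2) message age(2) max age(2) hello time(2) forward delay(2)
BPDU_FMT = "!HBBB8sI8sHHHHH"
BPDU_LEN = struct.calcsize(BPDU_FMT)  # 35
TYPE_CONFIG = 0x00
FLAG_TC = 0x01   # topology change
FLAG_TCA = 0x80  # topology change acknowledgement


def bridge_id(priority: int, mac: str) -> bytes:
    """8-byte bridge ID: 2-byte priority (with system ID extension) then the MAC."""
    mac_bytes = bytes.fromhex(mac.replace(":", ""))
    if len(mac_bytes) != 6 or not 0 <= priority <= 0xFFFF:
        raise ValueError("bad bridge ID")
    return struct.pack("!H6s", priority, mac_bytes)


def build_config_bpdu(root: bytes, cost: int, bridge: bytes, port_id: int,
                      flags: int = 0, msg_age: int = 0, max_age: int = 20,
                      hello: int = 2, fwd_delay: int = 15) -> bytes:
    """Timers are carried on the wire in units of 1/256 second."""
    return struct.pack(BPDU_FMT, 0x0000, 0x00, TYPE_CONFIG, flags, root, cost,
                       bridge, port_id, msg_age * 256, max_age * 256,
                       hello * 256, fwd_delay * 256)


def parse_config_bpdu(data: bytes) -> dict:
    if len(data) < BPDU_LEN:
        raise ValueError("truncated BPDU")
    (proto, ver, btype, flags, root, cost, bridge, port_id,
     msg_age, max_age, hello, fwd) = struct.unpack(BPDU_FMT, data[:BPDU_LEN])
    if proto != 0x0000 or btype != TYPE_CONFIG:
        raise ValueError("not a Configuration BPDU")
    return {"version": ver, "flags": flags, "root": root, "cost": cost,
            "bridge": bridge, "port_id": port_id, "msg_age": msg_age / 256,
            "max_age": max_age / 256, "hello": hello / 256, "fwd_delay": fwd / 256}


def priority_vector(b: dict) -> tuple:
    # A bridge compares root ID, then root path cost, then sender bridge ID,
    # then port ID; numerically lower wins, so priority 0 beats every real root.
    # Bridge IDs are big-endian bytes, so byte-wise comparison is numeric order.
    return (b["root"], b["cost"], b["bridge"], b["port_id"])


def is_superior(received: dict, current: dict) -> bool:
    """True if `received` would replace the port's current best BPDU and so
    trigger a topology recalculation. Nothing in the frame is authenticated."""
    return priority_vector(received) < priority_vector(current)


def rogue_bpdu_demo() -> dict:
    """Constructed scenario: the campus root runs at priority 4096; a device on
    an access port sends a BPDU claiming priority 0 with default timers."""
    campus_root = bridge_id(4096, "00:e0:fc:11:22:33")   # assumed legitimate root
    rogue = bridge_id(0, "00:0c:29:aa:bb:cc")            # assumed rogue bridge
    peer = bridge_id(32768, "00:e0:fc:44:55:66")         # assumed ordinary switch
    current = parse_config_bpdu(build_config_bpdu(campus_root, 0, campus_root, 0x8001))
    from_rogue = parse_config_bpdu(build_config_bpdu(rogue, 0, rogue, 0x8001))
    from_peer = parse_config_bpdu(build_config_bpdu(campus_root, 20000, peer, 0x8002))
    return {"rogue_superior": is_superior(from_rogue, current),
            "peer_same_root_superior": is_superior(from_peer, current)}


if __name__ == "__main__":
    print(rogue_bpdu_demo())
```

The rogue BPDU wins on the very first field of the comparison, which is why the defence has to be positional (no BPDUs accepted on edge ports at all) rather than based on the BPDU contents.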

TC Protection (TC stands for Topology Change) suppresses the effect of TC BPDUs, i.e. BPDU frames
advertising an STP topology change. Every TC BPDU makes the switch delete and relearn MAC and ARP
table entries, so when a switch receives a large number of TC BPDUs in a short time (a flapping link,
or a host deliberately flooding TCN BPDUs), the repeated flushing can exhaust its CPU resources. To
prevent this, TC Protection limits the number of TC BPDUs the switch processes within a specified
time period. To enable TC Protection and change its default threshold:

[labnario_sw]stp tc-protection
[labnario_sw]stp tc-protection threshold ?
INTEGER The threshold of TC-BPDU protection, default is 1

[labnario_sw]stp tc-protection threshold 3

The default threshold is 1, and the time period is the STP Hello time, which defaults to 2 seconds and
can be changed using the command:

[labnario_sw]stp timer hello ?
INTEGER Hello time in centiseconds, in steps of 100, the default value is 200

When the number of TC BPDUs received by the switch within the period exceeds the threshold, the
switch processes only the threshold number of them immediately and processes the excess after the
period expires. The topology change is therefore still applied, but the rate of MAC and ARP flushing
is bounded regardless of how fast the TC BPDUs arrive. TC Protection should be enabled on every
switch in the LAN environment.
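The following is an added example (my own model, not code from the labnario post or from Huawei) of the rate limiting described above: at most `threshold` TC BPDUs are processed per Hello period and the excess is handled once the period expires, modelled here as one coalesced MAC/ARP flush at the end of the period (how exactly a given VRP version coalesces the excess is an assumption of the model). The burst sizes and timestamps are constructed; it shows the difference in the number of flushes between no protection, the default threshold of 1, and a threshold of 3.

```python
"""Added example (not from the labnario post): a model of TC Protection. At most
`threshold` TC BPDUs are processed per Hello period; the excess is not dropped
but handled together once the period expires (modelled as one coalesced flush).
Burst timing and sizes are constructed."""
from dataclasses import dataclass, field


@dataclass
class TcProtection:
    enabled: bool = True
    threshold: int = 1        # stp tc-protection threshold (default 1)
    hello_cs: int = 200       # stp timer hello in centiseconds (default 200 = 2 s)
    window_start: float = 0.0
    processed_in_window: int = 0
    deferred: int = 0
    flushes: list = field(default_factory=list)   # (time, kind) per MAC/ARP flush

    @property
    def hello_s(self) -> float:
        return self.hello_cs / 100

    def _roll_window(self, now: float) -> None:
        """Advance to the Hello period containing `now`. Deferred TC BPDUs are
        processed as a single flush at the end of the period they arrived in
        (model assumption: the switch coalesces the excess)."""
        while now >= self.window_start + self.hello_s:
            if self.deferred:
                self.flushes.append((self.window_start + self.hello_s, "deferred"))
                self.deferred = 0
            self.window_start += self.hello_s
            self.processed_in_window = 0

    def receive_tc(self, now: float) -> str:
        """Return 'processed' or 'deferred' for a TC BPDU received at `now`."""
        if not self.enabled:
            self.flushes.append((now, "immediate"))   # every TC BPDU costs a flush
            return "processed"
        self._roll_window(now)
        if self.processed_in_window < self.threshold:
            self.processed_in_window += 1
            self.flushes.append((now, "immediate"))
            return "processed"
        self.deferred += 1
        return "deferred"

    def tick(self, now: float) -> None:
        """Let time pass without a new TC BPDU (periodic timer)."""
        if self.enabled:
            self._roll_window(now)


def simulate_burst(enabled: bool, threshold: int = 1, count: int = 50,
                   spacing: float = 0.02) -> dict:
    """Constructed burst: `count` TC BPDUs `spacing` seconds apart (50 in under
    one second, as a flapping link or a TCN flood would produce), then 2.5 s pass."""
    tc = TcProtection(enabled=enabled, threshold=threshold)
    results = [tc.receive_tc(i * spacing) for i in range(count)]
    tc.tick(2.5)   # past the end of the first 2 s Hello period
    return {"processed": results.count("processed"),
            "deferred": results.count("deferred"),
            "flushes": len(tc.flushes)}


if __name__ == "__main__":
    print("no protection:", simulate_burst(enabled=False))
    print("threshold 1  :", simulate_burst(enabled=True, threshold=1))
    print("threshold 3  :", simulate_burst(enabled=True, threshold=3))
```

With the model, a flood of any size costs the switch at most threshold + 1 flushes per Hello period, which is the property the feature is there to guarantee; raising the threshold trades CPU headroom for faster convergence on genuine topology changes.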

Loop Protection provides additional protection against Layer 2 forwarding loops. STP relies on the
continuous reception or transmission of BPDUs according to the port role: the designated port
transmits BPDUs and the non-designated ports (ROOT, ALTERNATE) receive them. A loop is created
when one of the ports in a physically redundant topology stops receiving STP BPDUs although the link
is still up, for example because of a unidirectional link failure or a peer whose CPU is too busy to
send BPDUs. This usually happens when an ALTERNATE port in DISCARDING state stops receiving STP
BPDUs: it assumes the upstream bridge is gone, moves to the Designated role and FORWARDING state,
there is no longer a blocking port in the redundant physical topology, and a loop is created. With
Loop Protection enabled on the interface, the port still moves to the Designated role when no STP
BPDUs are received within the prescribed time, but it stays in DISCARDING state. Loop Protection
should be enabled on ROOT and ALTERNATE ports for every possible STP topology, including failover
scenarios (a port that is designated today may become an alternate port after a link failure).

Look at the following example to see Loop Protection feature in action:

[labnario_sw]dis cur | beg t0/0/1
#
interface GigabitEthernet0/0/1
stp loop-protection
#
interface GigabitEthernet0/0/2
stp loop-protection
#
[labnario_sw]dis stp brie
MSTID  Port                  Role  STP State   Protection
0      GigabitEthernet0/0/1  ALTE  DISCARDING  LOOP
0      GigabitEthernet0/0/2  ROOT  FORWARDING  LOOP

[labnario_sw]
May 14 2013 13:50:06-08:00 Huawei %%01MSTP/4/LOOP_GUARD(l)[2]:MSTP process 0 Instance0's LOOP-Protection port GigabitEthernet0/0/1 did not receive message in prescriptive time!

[labnario_sw]dis stp brie
MSTID  Port                  Role  STP State   Protection
0      GigabitEthernet0/0/1  DESI  DISCARDING  LOOP
0      GigabitEthernet0/0/2  ROOT  FORWARDING  LOOP

Recovery is automatic: when the port starts receiving STP BPDUs again it returns to its normal role
and state, and no administrative intervention is required. By default Loop Protection is disabled on
Huawei switches.
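To make the role and state transitions above concrete, here is an added example (my own model, not code from the labnario post or from Huawei) of what a ROOT or ALTERNATE port does when BPDUs stop arriving, with and without loop protection, reproducing the two `display stp brief` snapshots from the post. Port names and timings are constructed, and the BPDU timeout is modelled as three missed Hellos (the RSTP rule; classic 802.1D would wait for Max Age instead), so it is a model of the behaviour, not of a particular VRP implementation.

```python
"""Added example (not from the labnario post): a minimal model of what a ROOT or
ALTERNATE port does when BPDUs stop arriving, with and without loop protection.
Port names and timings are constructed; the BPDU timeout is modelled as 3 x Hello."""
from dataclasses import dataclass, field

ROOT, ALTE, DESI = "ROOT", "ALTE", "DESI"
FORWARDING, DISCARDING = "FORWARDING", "DISCARDING"


@dataclass
class StpPort:
    name: str
    role: str                       # ROOT / ALTE / DESI
    state: str                      # FORWARDING / DISCARDING
    loop_protection: bool = False   # stp loop-protection on the interface
    hello_s: float = 2.0
    last_bpdu: float = 0.0
    normal_role: str = field(init=False, default="")
    normal_state: str = field(init=False, default="")
    events: list = field(default_factory=list)

    def __post_init__(self):
        self.normal_role, self.normal_state = self.role, self.state

    def receive_bpdu(self, now: float) -> None:
        self.last_bpdu = now
        if self.role != self.normal_role:
            # The peer's superior BPDU wins the segment again: automatic recovery,
            # no administrative action needed (for a loop-protected port this is
            # the DESI DISCARDING -> ALTE DISCARDING transition).
            self.role, self.state = self.normal_role, self.normal_state
            self.events.append(f"{self.name}: BPDUs received again, {self.role} {self.state}")

    def expire_timers(self, now: float) -> None:
        """Run from a periodic timer: a non-designated port that missed three
        Hellos assumes the upstream bridge is gone and takes the designated role."""
        if self.role not in (ROOT, ALTE) or now - self.last_bpdu <= 3 * self.hello_s:
            return
        self.role = DESI
        if self.loop_protection:
            # Loop protection keeps the port DISCARDING until BPDUs come back.
            self.state = DISCARDING
            self.events.append(f"{self.name}: no BPDU in prescriptive time, DESI DISCARDING")
        else:
            # Without it the port transitions to forwarding and the redundant
            # path is unblocked: a Layer 2 loop.
            self.state = FORWARDING
            self.events.append(f"{self.name}: no BPDU in prescriptive time, DESI FORWARDING")


def brief(ports: list) -> list:
    """Rows in the shape of 'display stp brief': (port, role, state, protection)."""
    return [(p.name, p.role, p.state, "LOOP" if p.loop_protection else "NONE")
            for p in ports]


def redundant_links_forwarding(ports: list) -> bool:
    """Both uplinks into the same redundant Layer 2 topology forwarding means
    the blocking port is gone, i.e. a loop."""
    return all(p.state == FORWARDING for p in ports)


def scenario(loop_protection: bool) -> dict:
    """Constructed: Gi0/0/1 (ALTE) and Gi0/0/2 (ROOT) as in the post; the peer on
    Gi0/0/1 stops sending BPDUs after t=4 s (e.g. a unidirectional link) and
    resumes at t=14 s."""
    alt = StpPort("GigabitEthernet0/0/1", ALTE, DISCARDING, loop_protection)
    root = StpPort("GigabitEthernet0/0/2", ROOT, FORWARDING, loop_protection)
    ports = [alt, root]
    for t in (0.0, 2.0, 4.0):          # normal operation, BPDUs on both uplinks
        for p in ports:
            p.receive_bpdu(t)
    for t in (6.0, 8.0, 10.0, 12.0):   # Gi0/0/1 receives nothing
        root.receive_bpdu(t)
        for p in ports:
            p.expire_timers(t)
    after_silence = brief(ports)
    loop = redundant_links_forwarding(ports)
    alt.receive_bpdu(14.0)             # BPDUs return on Gi0/0/1
    return {"after_silence": after_silence, "loop": loop,
            "after_recovery": brief(ports), "events": alt.events}


if __name__ == "__main__":
    for lp in (False, True):
        print(f"loop-protection={lp}:", scenario(lp))
```

The point the model makes is that loop protection changes only one thing, the forwarding state reached on BPDU timeout, and that both variants recover on their own once BPDUs return; the damage in the unprotected case is done during the silence, which is why the feature belongs on every port that can be ROOT or ALTERNATE in any failover scenario.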
