Spanning Tree Hp Switch



To enable Spanning Tree Protocol (STP) on an IOS based switch, use the 'spanning-tree vlan vlannumber' command from global configuration mode as shown below.

    omnisecu.com.switch01>
    omnisecu.com.switch01>enable
    omnisecu.com.switch01#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.

The Spanning Tree Protocol (STP) is a network protocol that ensures a loop-free topology for any bridged Ethernet local area network. STP was invented by Dr. Radia Perlman, distinguished engineer at Sun Microsystems.

Switch configuration excerpt:

    spanning-tree
    spanning-tree force-version RSTP-operation

    Switch2:
    hostname switch2
    module 1 type J8702A
    module 2 type J8702A
    vlan 1
       name 'DEFAULTVLAN'
       untagged A1-A24,B1-B24
       ip address dhcp-bootp
       exit
    vlan 2
       name 'VLAN2'
       ip address 192.168.2.253 255.255.255.0
       tagged A1-A2
       exit
    spanning-tree
    spanning-tree force-version RSTP-operation

Hello, Need help with configuring spanning tree on my two aruba 2530 switches. Two switches connected with LACP. What is the best practice configuration for spanning tree?

BPDU protection is a security feature designed to protect the active STP topology by preventing spoofed BPDU packets from entering the STP domain. In a typical implementation, BPDU protection is applied to edge ports connected to end-user devices that do not run STP. If STP BPDU packets are received on a protected port, the feature disables that port and alerts the network manager via an SNMP trap, as shown in the figure BPDU protection enabled at the network edge.

BPDU protection enabled at the network edge

The following commands allow you to configure BPDU protection on VLANs for which the port is a member.

Syntax:

[no] spanning-tree <port-list> bpdu-protection

Enables/disables the BPDU protection feature on a port.

Default: Disabled.

Syntax:

[no] spanning-tree <port-list> bpdu-protection-timeout <timeout>

Configures how long protected ports that have received unauthorized BPDUs remain disabled. The default value of 0 (zero) sets an infinite timeout (that is, ports that are disabled by bpdu-protection are not, by default, re-enabled automatically).

Default: 0

Range: 0 - 65535 seconds

For an example of using this command, see Re-enabling a port blocked by BPDU protection.

Syntax:

Enables/disables the sending of errant BPDU traps.

CAUTION: This command should only be used to guard edge ports that are not expected to participate in STP operations. Once BPDU protection is enabled, it will disable the port as soon as any BPDU packet is received on that interface.

Syntax:

show spanning-tree bpdu-protection <port-list>

Displays a summary listing of ports with BPDU protection enabled. To display detailed per-port status information, enter the specific port number(s). BPDU protected ports are displayed as separate entries of the spanning tree category within the configuration file.

Displaying BPDU protection status for specific ports


Ports disabled by BPDU protection remain disabled unless BPDU protection is removed from the switch or a nonzero BPDU protection timeout is configured. For example, to re-enable protected ports 60 seconds after a BPDU is received, you would configure spanning-tree bpdu-protection-timeout with a value of 60.

The STP BPDU filter feature allows control of spanning tree participation on a per-port basis. It can be used to exclude specific ports from becoming part of spanning tree operations. A port with the BPDU filter enabled will ignore incoming BPDU packets and stay locked in the spanning tree forwarding state. All other ports will maintain their role.


Syntax:

[no] spanning-tree [<port-list> | all] bpdu-filter

Enables or disables the BPDU filter feature on specified port(s). This forces a port to always stay in the forwarding state and be excluded from standard STP operation.

Sample scenarios in which this feature may be used are:

  • To run STP operations on selected ports of the switch rather than on every port of the switch.

  • To prevent the spread of errant BPDU frames.

  • To eliminate the need for a topology change when a port's link status changes. For example, ports that connect to servers and workstations can be configured to remain outside of spanning tree operations.

  • To protect the network from denial-of-service attacks that use spoofed BPDUs, by dropping incoming BPDU frames. For this scenario, BPDU protection offers a more secure alternative: it shuts the port down and raises a detection alert when errant BPDU frames are received.

CAUTION: Ports configured with the BPDU filter mode remain active (learning and forwarding frames); however, spanning tree cannot receive or transmit BPDUs on the port. The port remains in a forwarding state, permitting all broadcast traffic. This can create a network storm if there are any loops (that is, trunks or redundant links) using these ports. If you suddenly see a high load, disconnect the link and disable the bpdu-filter (using the no form of the command).

Configuring BPDU filtering

To configure BPDU filtering on port a9, enter:

Syntax:

spanning-tree show port configuration

Viewing BPDU filter status using the show spanning tree command

Viewing BPDU filters using the show configuration command

BPDU filters per port are displayed as separate entries of the spanning tree category within the configuration file.

Syntax:

[no] spanning-tree <port-list> bpdu-protection

Enables or disables BPDU protection on specified port(s).

Syntax:

[no] spanning-tree <port-list> bpdu-protection-timeout <timeout>

Configures how long, in seconds, protected ports that have received unauthorized BPDUs remain disabled. The default value of 0 (zero) sets an infinite timeout (that is, ports that are disabled by bpdu-protection are not, by default, re-enabled automatically).

Range: 0-65535 seconds

Default: 0

Syntax:

Enables or disables the sending of errant BPDU traps.

CAUTION: This command should only be used to guard edge ports that are not expected to participate in STP operations. Once BPDU protection is enabled, it will disable the port as soon as any BPDU packet is received on that interface.

Configuring BPDU protection

To configure BPDU protection on ports 1 to 10 with SNMP traps enabled, enter:

The following steps will then be set in progress:

  1. When an STP BPDU packet is received on ports 1-10, STP treats it as an unauthorized transmission attempt and shuts down the port that the BPDU came in on.

  2. An event message is logged and an SNMP notification trap is generated.

  3. The port remains disabled until re-enabled manually by a network administrator using the interface <port-list> enable command.

NOTE: To re-enable the BPDU-protected ports automatically, configure a timeout period using the spanning-tree bpdu-protection-timeout command.
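The caution on BPDU filtering (a filtered port stays forwarding even across a trunk or redundant link) and the protection procedure above (timeout 0 means a tripped port stays down until an administrator re-enables it) are both conditions that can be checked from a saved running-config. The following audit script is an added example written for this page; it is not HP/Aruba code. The config excerpt it parses is constructed for the example and uses the page's spanning-tree command forms; the trunk ... lacp line is an assumed ProVision trunk definition used only to identify LACP member ports, and treating VLAN member ports that are neither trunk members nor covered by either feature as "candidate edge ports" is a heuristic of this script, not a rule from the page.

```python
import re

# Constructed running-config excerpt for this example (not from the page).
# The spanning-tree lines follow the page's syntax; the 'trunk ... lacp'
# line is an assumed trunk definition used to mark LACP member ports.
SAMPLE_CONFIG = """\
hostname switch2
trunk A1-A2 trk1 lacp
vlan 1
   name 'DEFAULT_VLAN'
   untagged A1-A24,B1-B24
   exit
spanning-tree
spanning-tree A3-A10 bpdu-protection
spanning-tree A1,A11 bpdu-filter
spanning-tree bpdu-protection-timeout 0
"""

PORT_RE = re.compile(r"([A-Za-z]*)(\d+)(?:-([A-Za-z]*)(\d+))?")


def expand_ports(spec):
    """Expand a port list such as 'A1-A3,B24' into ['A1', 'A2', 'A3', 'B24']."""
    ports = []
    for item in spec.split(","):
        m = PORT_RE.fullmatch(item.strip())
        if not m:
            raise ValueError(f"unrecognised port spec: {item!r}")
        prefix, start, end_prefix, end = m.groups()
        if end is None:
            ports.append(f"{prefix}{start}")
        elif end_prefix and end_prefix != prefix:
            raise ValueError(f"range crosses modules: {item!r}")
        else:
            ports.extend(f"{prefix}{n}" for n in range(int(start), int(end) + 1))
    return ports


def port_key(port):
    """Sort key so that A2 sorts before A10."""
    m = PORT_RE.fullmatch(port)
    return (m.group(1), int(m.group(2)))


def parse_config(text):
    """Collect trunk members, protected/filtered ports, VLAN member ports and the timeout."""
    s = {"trunk": set(), "protected": set(), "filtered": set(), "members": set(), "timeout": 0}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"trunk (\S+) trk\d+ \S+", line):
            s["trunk"].update(expand_ports(m.group(1)))
        elif m := re.fullmatch(r"(?:untagged|tagged) (\S+)", line):
            s["members"].update(expand_ports(m.group(1)))
        elif m := re.fullmatch(r"spanning-tree bpdu-protection-timeout (\d+)", line):
            s["timeout"] = int(m.group(1))
        elif m := re.fullmatch(r"spanning-tree (\S+) bpdu-(protection|filter)", line):
            key = "protected" if m.group(2) == "protection" else "filtered"
            s[key].update(expand_ports(m.group(1)))
    return s


def audit(text):
    """Return (severity, message) findings for the BPDU-related settings in a config."""
    s = parse_config(text)
    findings = []
    # Page caution: a bpdu-filter port stays forwarding and ignores BPDUs, so a
    # loop through a trunk or redundant link on it can turn into a storm.
    for p in sorted(s["filtered"] & s["trunk"], key=port_key):
        findings.append(("HIGH", f"{p}: bpdu-filter on an LACP trunk member; a loop here is invisible to STP"))
    # Page note: timeout 0 means ports shut by bpdu-protection stay down until
    # an administrator runs 'interface <port-list> enable'.
    if s["protected"] and s["timeout"] == 0:
        findings.append(("INFO", "bpdu-protection-timeout is 0: protected ports that trip need manual re-enable"))
    # Heuristic (this script's, not the page's): VLAN member ports that are neither
    # trunk members nor covered by either feature are candidate edge ports still
    # accepting BPDUs.
    uncovered = s["members"] - s["trunk"] - s["protected"] - s["filtered"]
    if uncovered:
        shown = ", ".join(sorted(uncovered, key=port_key)[:5])
        findings.append(("MEDIUM", f"{len(uncovered)} VLAN member ports have no bpdu-protection or bpdu-filter (e.g. {shown})"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```

Run against the constructed excerpt, the script flags A1 (filtered and an LACP member), notes the infinite timeout, and counts 37 VLAN member ports with neither feature applied. Feed it the output of the switch's running configuration to check a real device.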

Syntax:

show spanning-tree bpdu-protection

Displays a summary listing of ports with BPDU protection enabled. To display detailed per-port status information, enter the specific port numbers, as shown here.

Viewing BPDU protection status

BPDU protected ports are displayed as separate entries of the spanning tree category within the configuration file.

Viewing BPDU filters using the show configuration command

When an STP-enabled HP switch is hit by an MSTP BPDU storm, CPU usage rises and the manageability of the switch degrades. In a BYOD deployment, the HP switch is connected to a hub that contains a loop. The HP switch generates a single MSTP BPDU, which circulates through the loop in the hub and eventually results in a BPDU storm. Since all STP packets are sent to the CPU for processing, CPU usage goes high and the switch's response slows down; the switch can become unmanageable as a result of this BPDU storm. BPDU throttling handles BPDU storms automatically via rate-limiting.

MSTP BPDU path

BPDU throttling is enabled when the spanning-tree in MSTP mode is enabled. When spanning tree is enabled, all modules and members are assigned corresponding throttle values from the configuration. The default throttle value is 256.

An option is also provided to enable or disable BPDU throttling. This option is enabled by default if the switch does not support “V1 modules”. Spanning tree is enabled in MSTP mode by default.

The CLI allows you to configure MSTP BPDU throttling.

Syntax

[no] spanning-tree bpdu-throttle [<throttle-value>]


Configures BPDU throttling on a device. BPDU throttling limits the number of BPDUs that are sent to the switch's CPU, which prevents high CPU utilization on the switch when the network undergoes a broadcast storm or loop. The BPDU throttle value is in packets per second (pps). The valid BPDU throttle values are 64, 128, and 256 pps. The default throttle value is 256 pps.

The CLI allows you to show MSTP BPDU throttling configurations.

Syntax

show spanning-tree bpdu-throttle

Displays the configured throttle value.

Example

Syntax

show running configuration

show running configuration displays one of the following lines, depending on the configuration.

no spanning-tree bpdu throttle
spanning-tree bpdu throttle 128
spanning-tree bpdu throttle 64

Event log

Event: When the hardware meter exceeds the configured bandwidth, the system generates a log message.
Message: stp: BPDU Throttling triggered for STP BPDUs on portGroup 1-24.

Event: On a 5400 series switch, when allow-v1-modules is enabled, BPDU throttling is disabled and the system generates a log message.
Message: stp: BPDU Throttling is disabled, because allow-v1-module is enabled.

Event: When QinQ is enabled, BPDU throttling is disabled and the system generates a log message.
Message: stp: BPDU Throttling is disabled, because QinQ is enabled.

Event: When meshing is enabled, BPDU throttling is disabled and the system generates a log message.
Message: stp: BPDU Throttling is disabled, because Meshing is enabled.
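The event-log messages above are what a collector sees when throttling engages (a likely loop or BPDU storm on that port group) or when it is switched off by a conflicting feature (the switch is once again exposed to unthrottled BPDUs). The following detection script is an added example written for this page, not HP/Aruba code. The stp: message texts are the ones quoted above; the log lines themselves are constructed, and the severity letter and timestamp prefix are an assumed event-log layout. The one-minute window and threshold of three triggers are arbitrary choices for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines for this example (not captured from a real switch).
# The 'stp:' message texts are quoted from the page; the severity letter and
# timestamp prefix are an assumed event-log layout.
SAMPLE_LOG = """\
I 05/14/24 10:00:01 stp: BPDU Throttling triggered for STP BPDUs on portGroup 1-24.
I 05/14/24 10:00:03 ports: port A5 is now on-line
I 05/14/24 10:00:09 stp: BPDU Throttling triggered for STP BPDUs on portGroup 1-24.
I 05/14/24 10:00:20 stp: BPDU Throttling triggered for STP BPDUs on portGroup 1-24.
I 05/14/24 10:03:15 stp: BPDU Throttling is disabled, because QinQ is enabled.
I 05/14/24 10:09:40 stp: BPDU Throttling triggered for STP BPDUs on portGroup 25-48.
"""

LINE_RE = re.compile(r"^(?P<sev>[A-Z]) (?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (?P<msg>.*)$")
TRIGGER_RE = re.compile(r"stp: BPDU Throttling triggered for STP BPDUs on portGroup (\S+?)\.?$")
DISABLED_RE = re.compile(r"stp: BPDU Throttling is disabled, because (.+?) is enabled\.?$")


def parse_line(line):
    """Split one event-log line into (timestamp, message); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m/%d/%y %H:%M:%S")
    return ts, m.group("msg")


def analyse(log_text, window=timedelta(minutes=1), threshold=3):
    """Classify throttling events; escalate repeated triggers on one port group inside `window`."""
    findings = []
    recent = defaultdict(list)  # port group -> timestamps of recent triggers
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        if m := TRIGGER_RE.search(msg):
            group = m.group(1)
            hits = [t for t in recent[group] if ts - t <= window] + [ts]
            if len(hits) >= threshold:
                findings.append(("HIGH", ts, f"portGroup {group}: {len(hits)} throttling triggers within {window}; likely BPDU storm or loop"))
                recent[group] = []  # one storm produces one escalation
            else:
                recent[group] = hits
                findings.append(("INFO", ts, f"portGroup {group}: BPDU throttling engaged (CPU limiter active)"))
        elif m := DISABLED_RE.search(msg):
            findings.append(("WARN", ts, f"BPDU throttling disabled because {m.group(1)} is enabled; BPDU storms now reach the CPU unthrottled"))
    return findings


if __name__ == "__main__":
    for sev, ts, msg in analyse(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} [{sev}] {msg}")
```

On the constructed sample this yields two INFO entries, a HIGH escalation for portGroup 1-24 at 10:00:20, a WARN when QinQ disables throttling, and an INFO for portGroup 25-48; the unrelated port on-line message is ignored.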


Validation rules

Validation: Throttle value not within the range of 64 to 256.
Error/Warning/Prompt: The BPDU throttle value is invalid. The valid values are 64, 128 and 256.

Validation: Configuring lower throttle value (64).
Error/Warning/Prompt: Configuring lower throttle value may cause legitimate BPDU’s to be dropped.

Validation: Enabling QinQ when BPDU throttling is configured.
Error/Warning/Prompt: Q-in-Q cannot be enabled when BPDU throttling is configured.

Validation: Configuring BPDU throttling when QinQ is enabled.
Error/Warning/Prompt: BPDU throttling cannot be configured when Q-in-Q is enabled.

Validation: Configuring BPDU throttling when meshing is configured.
Error/Warning/Prompt: BPDU throttling cannot be configured when meshing is configured.

Validation: Configuring meshing when BPDU throttling is configured.
Error/Warning/Prompt: Meshing cannot be configured when BPDU throttling is configured.

NOTE: This feature applies exclusively to MSTP BPDUs and not to any other IEEE BPDUs such as LLDP, slow protocols, and so on.




