HP 5500 Ei 5500 Si Switch Series Configuration Guide
3. Configure the mode that the port uses to recognize/send MSTP packets.
   Command: stp compliance { auto | dot1s | legacy }
   Remarks: auto by default.

Enabling outputting port state transition information

In a large-scale spanning tree network, you can enable devices to output the port state transition information of all MSTIs or the specified MSTI in order to monitor the port states in real time.

To enable outputting port state transition information:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable outputting port state transition information.
   Command:
   • In STP/RSTP mode: stp port-log instance 0
   • In PVST mode: stp port-log vlan vlan-list
   • In MSTP mode: stp port-log instance { instance-id | all }
   Remarks: Use one of the commands. Enabled by default.

Enabling the spanning tree feature

You must enable the spanning tree feature for the device before any other spanning tree related configurations can take effect.

Configuration restrictions and guidelines

• To globally enable or disable the spanning tree feature (not for VLANs), use the stp enable command or undo stp enable command in system view. To enable or disable the spanning tree feature for specific VLANs, use the stp vlan enable command or undo stp vlan enable command.
• You can disable the spanning tree feature for certain ports with the undo stp enable command to exclude them from spanning tree calculation and save CPU resources of the device.
• In PVST mode, when you globally enable the spanning tree feature, the device automatically enables the spanning tree feature for the first n (which is the number of PVST instances that the switch supports and is 128 for the 5500 EI switch and 32 for the 5500 SI switch) of the existing VLANs by default. To enable the spanning tree feature for other VLANs, you must first disable the spanning tree feature for certain VLANs. This guideline does not apply if the number of existing VLANs on the switch does not exceed n.

Enabling the spanning tree feature (in STP/RSTP/MSTP mode)

In STP/RSTP/MSTP mode, make sure that the spanning tree feature is enabled globally and on the desired ports.

To enable the spanning tree feature in STP/RSTP/MSTP mode:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable the spanning tree feature globally.
   Command: stp enable
   Remarks: By default, the spanning tree feature is disabled globally.
3. Enter interface view or port group view.
   Command:
   • Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks: Use either command.
4. Enable the spanning tree feature for the port or group of ports.
   Command: stp enable
   Remarks: Optional. By default, the spanning tree feature is enabled for all ports.

Enabling the spanning tree feature (in PVST mode)

In PVST mode, make sure that the spanning tree feature is enabled globally and on the desired VLANs and ports.

To enable the spanning tree feature in PVST mode:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Globally enable the spanning tree feature.
   Command: stp enable
   Remarks: By default, the spanning tree feature is disabled globally.
3. Enable the spanning tree feature on specific VLANs.
   Command: stp vlan vlan-list enable
   Remarks: By default, the spanning tree feature is enabled on VLANs.
4. Enter interface view or port group view.
   Command:
   • Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks: Use either command.
5. Enable the spanning tree feature for the port or group of ports.
   Command: stp enable
   Remarks: Optional. By default, the spanning tree feature is enabled on all ports.

Performing mCheck

If a port on a device that is running MSTP, RSTP, or PVST connects to an STP device, this port automatically transitions to the STP-compatible mode. However, it cannot automatically transition back to the original mode under the following circumstances:

• The STP device is shut down or removed.
• The STP device transitions to the MSTP, RSTP, or PVST mode.

Suppose Device A running STP, Device B with no spanning tree feature enabled, and Device C running RSTP or MSTP are connected in order. Device B will transparently transmit the STP BPDUs, and the port on Device C that connects to Device B will transition to the STP mode. After you enable the spanning tree feature on Device B, to run RSTP or MSTP between Device B and Device C, you must perform an mCheck operation on the ports interconnecting Device B and Device C, in addition to configuring the spanning tree to operate in RSTP or MSTP mode on Device B.

To forcibly transition the port to operate in the original mode, you can perform an mCheck operation. The following methods for performing mCheck produce the same result.

Performing mCheck globally

1. Enter system view.
   Command: system-view
2. Perform mCheck.
   Command: stp mcheck

Performing mCheck in interface view

1. Enter system view.
   Command: system-view
2. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.
   Command: interface interface-type interface-number
3. Perform mCheck.
   Command: stp mcheck

NOTE: An mCheck operation takes effect on a device that operates in MSTP, RSTP, or PVST mode.

Configuring Digest Snooping

As defined in IEEE 802.1s, connected devices are in the same region only when their MST region-related configurations (region name, revision level, and VLAN-to-instance mappings) are identical.

A spanning tree device identifies devices in the same MST region by checking the configuration ID in BPDU packets. The configuration ID includes the region name, revision level, and configuration digest, which is 16 bytes long and is calculated with the HMAC-MD5 algorithm from the VLAN-to-instance mappings.

Spanning tree implementations vary with vendors, and the configuration digests calculated using private keys are different, so devices of different vendors in the same MST region cannot communicate with each other.
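
The digest comparison described above, as an added example that is not part of the HP guide: the signature key and the 4096-entry table layout are the ones published in IEEE 802.1Q, and `VENDOR_KEY` and the sample mappings are hypothetical. It shows why a device that keys the HMAC differently never matches, and what the region check stops catching once the digest is ignored.

```python
import hashlib
import hmac

# Configuration Digest Signature Key from IEEE 802.1Q (not given on this page).
IEEE_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
# Hypothetical stand-in for a vendor's private key (assumption for illustration).
VENDOR_KEY = b"vendor-private-k"

def mapping_table(vlan_to_instance):
    """Build the MST configuration table: 4096 two-byte big-endian MSTIDs,
    indexed by VLAN ID. VID 0, VID 4095 and unmapped VLANs stay at 0 (CIST)."""
    table = bytearray(4096 * 2)
    for vid, mstid in vlan_to_instance.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"invalid VLAN ID {vid}")
        if not 0 <= mstid <= 4094:
            raise ValueError(f"invalid MST instance {mstid}")
        table[2 * vid:2 * vid + 2] = mstid.to_bytes(2, "big")
    return bytes(table)

def config_digest(vlan_to_instance, key=IEEE_KEY):
    """16-byte HMAC-MD5 configuration digest over the mapping table."""
    return hmac.new(key, mapping_table(vlan_to_instance), hashlib.md5).digest()

def config_id(name, revision, vlan_to_instance, key=IEEE_KEY):
    """Configuration ID as carried in BPDUs: name, revision level, digest."""
    return {"name": name, "revision": revision,
            "digest": config_digest(vlan_to_instance, key)}

def same_region(a, b, digest_snooping=False):
    """Region check; with Digest Snooping the digest comparison is skipped."""
    if (a["name"], a["revision"]) != (b["name"], b["revision"]):
        return False
    return digest_snooping or hmac.compare_digest(a["digest"], b["digest"])

def mapping_diff(map_a, map_b):
    """VLANs whose instance differs: the manual check Digest Snooping leaves to you."""
    vids = set(map_a) | set(map_b)
    return sorted(v for v in vids if map_a.get(v, 0) != map_b.get(v, 0))

if __name__ == "__main__":
    hp_map = {10: 1, 20: 1, 30: 2}        # constructed sample mappings
    other_map = {10: 1, 20: 2, 30: 2}     # VLAN 20 mapped differently
    hp = config_id("region1", 0, hp_map)
    peer = config_id("region1", 0, hp_map, VENDOR_KEY)
    drifted = config_id("region1", 0, other_map, VENDOR_KEY)
    print("same mapping, private key, no snooping:", same_region(hp, peer))
    print("same mapping, snooping on:", same_region(hp, peer, True))
    print("different mapping, snooping on:", same_region(hp, drifted, True))
    print("VLANs to fix by hand:", mapping_diff(hp_map, other_map))
```
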

To enable communication between an HP device and a third-party device, enable the Digest Snooping feature on the port that connects the HP device to the third-party device in the same MST region.

Configuration restrictions and guidelines

• Before you enable Digest Snooping, make sure that associated devices of different vendors are connected and run spanning tree protocols.
• With Digest Snooping enabled, in-the-same-region verification does not require comparison of the configuration digest, so the VLAN-to-instance mappings must be the same on associated ports.
• With global Digest Snooping enabled, modification of VLAN-to-instance mappings and removal of the current region configuration via the undo stp region-configuration command are not allowed. You can modify only the region name and revision level.
• To make Digest Snooping take effect, you must enable it both globally and on associated ports. To make the configuration effective on all configured ports while reducing the impact on the network, enable Digest Snooping on all associated ports first and then globally.
• To prevent loops, do not enable Digest Snooping on MST region edge ports.
• HP recommends that you enable Digest Snooping first and then the spanning tree feature. To avoid causing traffic interruption, do not configure Digest Snooping when the network is already working well.

Configuration procedure

You can enable Digest Snooping only on the HP device that is connected to a third-party device that uses its private key to calculate the configuration digest.

To configure Digest Snooping:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view or port group view.
   Command:
   • Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks: Use either command.
3. Enable Digest Snooping on the interface or port group.
   Command: stp config-digest-snooping
   Remarks: Disabled by default.
4. Return to system view.
   Command: quit
   Remarks: N/A
5. Enable global Digest Snooping.
   Command: stp config-digest-snooping
   Remarks: Disabled by default.

Digest Snooping configuration example

Network requirements

As shown in Figure 23, Device A and Device B connect to Device C, which is a third-party device.
All these devices are in the same region. Enable Digest Snooping on the ports of Device A and Device B that connect to Device C, so that the three devices can communicate with one another.

Figure 23 Digest Snooping configuration

Configuration procedure

# Enable Digest Snooping on GigabitEthernet 1/0/1 of Device A and enable global Digest Snooping on Device A.

<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] stp config-digest-snooping
[DeviceA-GigabitEthernet1/0/1] quit
[DeviceA] stp config-digest-snooping

# Enable Digest Snooping on GigabitEthernet 1/0/1 of Device B and enable global Digest Snooping on Device B.

<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] stp config-digest-snooping
[DeviceB-GigabitEthernet1/0/1] quit
[DeviceB] stp config-digest-snooping

Configuring No Agreement Check

In RSTP and MSTP, the following types of messages are used for rapid state transition on designated ports:

• Proposal—Sent by designated ports to request rapid transition
• Agreement—Used to acknowledge rapid transition requests

Both RSTP and MSTP devices can perform rapid transition on a designated port only when the port receives an agreement packet from the downstream device. RSTP and MSTP devices have the following differences:

• For MSTP, the root port of the downstream device sends an agreement packet only after it receives an agreement packet from the upstream device.
• For RSTP, the downstream device sends an agreement packet regardless of whether an agreement packet from the upstream device is received.

Figure 24 Rapid state transition of an MSTP designated port

Figure 25 Rapid state transition of an RSTP designated port

If the upstream device is a third-party device, the rapid state transition implementation might be limited. For example, when the upstream device uses a rapid transition mechanism similar to that of RSTP, and the downstream device adopts MSTP and does not operate in RSTP mode, the root port on the downstream device receives no agreement packet from the upstream device and sends no agreement packets to the upstream device. As a result, the designated port of the upstream device fails to transition rapidly, and can only change to the forwarding state after a period twice the Forward Delay.

You can enable the No Agreement Check feature on the downstream device's port to enable the designated port of the upstream device to transition its state rapidly.

Configuration prerequisites

Before you configure the No Agreement Check function, complete the following tasks:

• Connect a device to a third-party upstream device that supports spanning tree protocols via a point-to-point link.
• Configure the same region name, revision level and VLAN-to-instance mappings on the two devices, assigning them to the same region.

Configuration procedure

To make the No Agreement Check feature take effect, enable it on the root port.

To configure No Agreement Check:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view or port group view.
   Command:
   • Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks: Use either command.
3. Enable No Agreement Check.
   Command: stp no-agreement-check
   Remarks: Disabled by default.

No Agreement Check configuration example

Network requirements

As shown in Figure 26:

• Device A connects to a third-party device that has a different spanning tree implementation. Both devices are in the same region.
• The third-party device (Device B) is the regional root bridge, and Device A is the downstream device.

Figure 26 Network diagram

Configuration procedure

# Enable No Agreement Check on GigabitEthernet 1/0/1 of Device A.

<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] stp no-agreement-check

Configuring TC snooping

Figure 27 shows a topology change (TC) snooping application scenario. Device A and Device B form an IRF fabric and do not have the spanning tree feature enabled. The IRF fabric connects to two user networks, in which all devices are enabled with the spanning tree feature. The user networks are dual-uplinked to the IRF fabric for high availability. The IRF fabric transparently transmits BPDUs in every user network.

Figure 27 TC snooping application scenario

In the network, the IRF fabric transparently transmits the received BPDUs and does not participate in spanning tree calculations. When a topology change occurs to the IRF fabric or user networks, the IRF fabric may need a long time to learn the correct MAC address table entries and ARP entries, resulting in long network disruption. To avoid the network disruption, you can enable TC snooping on the IRF fabric.

With TC snooping enabled, a device actively updates the MAC address table entries and ARP entries upon receiving TC-BPDUs, so that the device can normally forward the user traffic.

For more information about MAC address table entries, see Configuring the MAC address table. For more information about ARP, see Layer 3—IP Services Configuration Guide.

Configuration restrictions and guidelines

• TC snooping and STP are mutually exclusive. You must globally disable the spanning tree feature before you enable TC snooping.
• TC snooping does not take effect on the ports on which BPDU tunneling is enabled for spanning tree protocols. For more information about BPDU tunneling, see Configuring BPDU tunneling.
• TC snooping does not support PVST TC-BPDUs. As a result, TC snooping does not take effect in a PVST network.

Configuration procedure

To configure TC snooping:

1. Enter system view.
   Command: system-view
   Description: N/A
2. Globally disable the spanning tree feature.
   Command: undo stp enable
   Description: By default, the spanning tree feature is disabled globally.
3. Enable TC snooping.
   Command: stp tc-snooping
   Description: Disabled by default.
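
The Digest Snooping and TC snooping guidelines above can be checked mechanically on a saved or templated configuration before it is deployed. This is an added example, not HP tooling: it assumes the usual layout of a `display current-configuration` dump (`#` separators, view headers at column 0, commands indented by one space), and the sample configurations and rule names are constructed.

```python
import re

DS = "stp config-digest-snooping"

def parse_config(text):
    """Return (global commands, {interface name: [commands]})."""
    glob, ports, view = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            view = None                      # '#' closes the current view
        elif not raw[0].isspace():           # column-0 line opens a view
            m = re.match(r"interface (\S+)$", line)
            view = ports.setdefault(m.group(1), []) if m else []
        elif view is None:
            glob.append(line)                # indented line outside any view
        else:
            view.append(line)
    return glob, ports

def audit(text):
    """Check the guide's rules; returns a list of (rule, ports) findings."""
    glob, ports = parse_config(text)
    findings = []
    ds_ports = sorted(p for p, cmds in ports.items() if DS in cmds)
    # Digest Snooping takes effect only when set globally AND on the ports.
    if ds_ports and DS not in glob:
        findings.append(("digest-snooping-not-global", ds_ports))
    if DS in glob and not ds_ports:
        findings.append(("digest-snooping-no-ports", []))
    # TC snooping and STP are mutually exclusive.
    if "stp tc-snooping" in glob and "stp enable" in glob:
        findings.append(("tc-snooping-with-stp", []))
    # Active Digest Snooping skips the digest check on these ports, so the
    # VLAN-to-instance mappings must be compared by hand.
    if DS in glob and ds_ports:
        findings.append(("verify-mappings-manually", ds_ports))
    return findings

# Constructed sample configurations (not taken from a real device).
SAMPLE_BAD = """
#
 sysname DeviceA
#
 stp enable
 stp tc-snooping
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 stp config-digest-snooping
#
interface GigabitEthernet1/0/2
 port link-mode bridge
#
"""
SAMPLE_OK = SAMPLE_BAD.replace(" stp tc-snooping", " " + DS)

if __name__ == "__main__":
    for name, cfg in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)):
        print(name, audit(cfg))
```
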

Configuring protection functions

A spanning tree device supports the following protection functions:

• BPDU guard
• Root guard
• Loop guard
• TC-BPDU guard
• BPDU drop

Configuration prerequisites

The spanning tree feature has been correctly configured on the device.

Enabling BPDU guard

For access layer devices, the access ports can directly connect to the user terminals (such as PCs) or file servers. The access ports are configured as edge ports to allow rapid transition. When these ports receive configuration BPDUs, the system automatically sets the ports as non-edge ports and starts a new spanning tree calculation process. This causes a change of network topology. Under normal conditions, these ports should not receive configuration BPDUs. However, if someone forges configuration BPDUs maliciously to attack the devices, the network will become unstable.

The spanning tree protocol provides the BPDU guard function to protect the system against such attacks. With the BPDU guard function enabled on the devices, when edge ports receive configuration BPDUs, the system closes these ports and notifies the NMS that these ports have been closed by the spanning tree protocol. The device will reactivate the closed ports after a detection interval. For more information about this detection interval, see Fundamentals Configuration Guide.

Configure BPDU guard on a device with edge ports configured.

To enable BPDU guard:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable the BPDU guard function for the device.
   Command: stp bpdu-protection
   Remarks: Disabled by default.

NOTE: BPDU guard does not take effect on loopback-testing-enabled ports. For more information about loopback testing, see Configuring Ethernet interfaces.

Enabling root guard

The root bridge and secondary root bridge of a spanning tree should be located in the same MST region. Especially for the CIST, the root bridge and secondary root bridge are put in a high-bandwidth core region during network design.
However, due to possible configuration errors or malicious attacks in the network, the legal root bridge might receive a configuration BPDU with a higher priority. Another device will supersede the current legal root bridge, causing an undesired change of the network topology. The
traffic that should go over high-speed links is switched to low-speed links, resulting in network congestion.

To prevent this situation, MSTP provides the root guard function. If the root guard function is enabled on a port of a root bridge, this port plays the role of designated port on all MSTIs. After this port receives a configuration BPDU with a higher priority from an MSTI, it immediately sets that port to the listening state in the MSTI, without forwarding the packet. This is equivalent to disconnecting the link connected with this port in the MSTI. If the port receives no BPDUs with a higher priority within twice the forwarding delay, it reverts to its original state.

Configure root guard on a designated port.

To enable root guard:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view or port group view.
   Command:
   • Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks: Use either command.
3. Enable the root guard function for the port(s).
   Command: stp root-protection
   Remarks: Disabled by default.

NOTE: You cannot configure root guard and loop guard on a port at the same time.

Enabling loop guard

A device that keeps receiving BPDUs from the upstream device can maintain the state of the root port and blocked ports. However, link congestion or unidirectional link failures might cause these ports to fail to receive BPDUs from the upstream devices. The device will reselect the port roles: Those ports in forwarding state that failed to receive upstream BPDUs will become designated ports, and the blocked ports will transition to the forwarding state, resulting in loops in the switched network. The loop guard function can suppress the occurrence of such loops.

The initial state of a loop guard-enabled port is discarding in every MSTI. When the port receives BPDUs, its state transitions normally.
Otherwise, it stays in the discarding state to prevent temporary loops.

Configure loop guard on the root port and alternate ports of a device.

To enable loop guard:

1. Enter system view.
   Command: system-view
   Remarks: N/A