H3C S3100-52P Ethernet Switch Operation Manual-Release 1500(V1.02)

12-MSTP Operation

Table of Contents

Chapter 1 MSTP Configuration

1.1 MSTP Overview

1.1.1 MSTP Protocol Data Unit

1.1.2 Basic MSTP Terminologies

1.1.3 Principle of MSTP

1.1.4 MSTP Implementation on Switches

1.2 Configuring Root Bridge

1.2.1 Configuration Prerequisites

1.2.2 Configuring the MST region

1.2.3 Specifying the Current Switch as a Root Bridge/Secondary Root Bridge

1.2.4 Configuring the Bridge Priority of the Current Switch

1.2.5 Configuring the MSTP Packet Format

1.2.6 Configuring the MSTP Operation Mode

1.2.7 Configuring the Maximum Hops of MST Region

1.2.8 Configuring the Network Diameter of the Switched Network

1.2.9 Configuring the MSTP Time-related Parameters

1.2.10 Configuring the Timeout Time Factor

1.2.11 Configuring the Maximum Transmitting Speed on the Current Port

1.2.12 Configuring the Current Port as an Edge Port

1.2.13 Specifying Whether the Link Connected to a Port Is Point-to-point Link

1.2.14 Enabling the MSTP Feature

1.3 Configuring Leaf Nodes

1.3.1 Configuration Prerequisites

1.3.2 Configuring the MST Region

1.3.3 Configuring the MSTP Operation Mode

1.3.4 Configuring the Timeout Time Factor

1.3.5 Configuring the Maximum Transmitting Speed

1.3.6 Configuring a Port as an Edge

1.3.7 Configuring the Path Cost for a Port

1.3.8 Configuring Port Priority

1.3.9 Specifying Whether the Link Connected to a Port Is a Point-to-point Link

1.3.10 Enabling the MSTP Feature

1.4 Performing mCheck

1.4.1 Configuration Prerequisites

1.4.2 Configuration Procedure

1.4.3 Configuration Example

1.5 Configuring Protection Function

1.5.1 Introduction

1.5.2 Configuration Prerequisites

1.5.3 Configuring BPDU Protection

1.5.4 Configuring Root Protection

1.5.5 Configuring Loop Prevention

1.5.6 Configuring TC-BPDU Attack Prevention

1.5.7 Configuring the Function of Dropping BPDU Packets

1.6 Configuring Digest Snooping

1.6.1 Introduction

1.6.2 Configuring Digest Snooping

1.7 Configuring Rapid Transition

1.7.1 Introduction

1.7.2 Configuring Rapid Transition

1.8 Configuring BPDU Tunnel

1.8.1 Introduction

1.8.2 Configuring BPDU Tunnel

1.9 Displaying and Maintaining MSTP

1.10 MSTP Configuration Example

1.11 BPDU Tunnel Configuration Example

 


Chapter 1  MSTP Configuration

1.1  MSTP Overview

Spanning tree protocol (STP) does not allow Ethernet ports to change state rapidly. A port takes twice the forward delay to enter the forwarding state, even if it is on a point-to-point link or is an edge port.

Rapid spanning tree protocol (RSTP) enables the spanning tree to converge rapidly, but it suffers from the same drawback as STP: all bridges in a LAN share one spanning tree; packets of all VLANs are forwarded along the same spanning tree, and therefore redundant links cannot be blocked based on VLANs.

Like the two protocols above, multiple spanning tree protocol (MSTP) prunes a ring network into a loop-free tree topology to prevent packets from being duplicated and forwarded endlessly in the ring. In addition, MSTP provides multiple redundant paths for packet forwarding to implement VLAN-based load balancing.

MSTP is compatible with both STP and RSTP. It overcomes the drawback of STP and RSTP. It not only enables spanning trees to converge rapidly, but also enables packets of different VLANs to be forwarded along their respective paths to provide a better load balancing mechanism for redundant links.

1.1.1  MSTP Protocol Data Unit

Bridge protocol data unit (BPDU), which is also called configuration message, is the protocol data unit (PDU) that STP and RSTP use.

The switches in a network exchange BPDUs to determine the topology of the network. BPDUs carry the information needed for spanning tree calculation.

BPDUs used in STP fall into the following two categories:

- Configuration BPDUs: BPDUs of this type are used to maintain the spanning tree topology.
- Topology change notification BPDUs (TCN BPDUs): BPDUs of this type are used to notify the switches of network changes.

Like STP and RSTP, MSTP uses BPDUs for spanning tree calculation. In addition, the BPDUs of MSTP carry the MSTP configuration information of the switches.

1.1.2  Basic MSTP Terminologies

Figure 1-1 illustrates basic MSTP terms (assuming that MSTP is enabled on each switch in this figure).

Figure 1-1 Basic MSTP terminologies

I. MST region

A multiple spanning tree region (MST region) comprises multiple physically-interconnected MSTP-enabled switches and the corresponding network segments connected to these switches. These switches have the same region name, the same VLAN-to-MSTI mapping configuration and the same MSTP revision level.

A switched network can contain multiple MST regions. You can group multiple switches into one MST region by using the corresponding MSTP configuration commands. For example, all switches in region A0 shown in Figure 1-1 have the same MST region configuration: the same region name, the same VLAN-to-MSTI mappings (that is, VLAN 1 is mapped to spanning tree instance 1, VLAN 2 is mapped to spanning tree instance 2, and other VLANs are mapped to CIST), and the same MSTP revision level (not shown in Figure 1-1).

II. MSTI

A multiple spanning tree instance (MSTI) refers to a spanning tree in an MST region.

Multiple spanning trees can be established in one MST region. These spanning trees are independent of each other. For example, each region in Figure 1-1 contains multiple spanning trees known as MSTIs. Each of these spanning trees corresponds to a VLAN.

III. VLAN mapping table

A VLAN mapping table is a property of an MST region. It contains information about how VLANs are mapped to MSTIs. For example, in Figure 1-1, the VLAN mapping table of region A0 is: VLAN 1 is mapped to MSTI 1; VLAN 2 is mapped to MSTI 2; and other VLANs are mapped to CIST. In an MST region, load balancing is implemented according to the VLAN mapping table.

IV. IST

An internal spanning tree (IST) is a spanning tree in an MST region.

ISTs together with the common spanning tree (CST) form the common and internal spanning tree (CIST) of the entire switched network. An IST is a special MSTI; it is a branch of CIST in the MST region. In Figure 1-1, each MST region has an IST, which is a branch of the CIST.

V. CST

A CST is a single spanning tree in a switched network that connects all MST regions in the network. If you regard each MST region in the network as a switch, then the CST is the spanning tree generated by STP or RSTP running on the "switches". In Figure 1-1, the lines in red depict the CST.

VI. CIST

A CIST is the spanning tree in a switched network that connects all switches in the network. It comprises the ISTs and the CST. In Figure 1-1, the ISTs in the MST regions and the CST connecting the MST regions form the CIST.

VII. Region root

A region root is the root of the IST or an MSTI in an MST region. Different spanning trees in an MST region may have different topologies and thus have different region roots. In region D0 shown in Figure 1-1, the region root of MSTI 1 is switch B, and the region root of MSTI 2 is switch C.

VIII. Common root bridge

The common root bridge is the root of the CIST. The common root bridge of the network shown in Figure 1-1 is a switch in region A0.

IX. Port role

During MSTP calculation, the following port roles exist: root port, designated port, master port, region edge port, alternate port, and backup port.

- A root port is used to forward packets to the root.
- A designated port is used to forward packets to a downstream network segment or switch.
- A master port connects an MST region to the common root. The path from the master port to the common root is the shortest path between the MST region and the common root.
- A region edge port is located on the edge of an MST region and is used to connect one MST region to another MST region, an STP-enabled region or an RSTP-enabled region.
- An alternate port is a backup port of a master port. It becomes the master port if the existing master port is blocked.
- A loop occurs when two ports of a switch are connected to each other. In this case, the switch blocks one of the two ports. The blocked port is a backup port.

In Figure 1-2, switch A, switch B, switch C, and switch D form an MST region. Port 1 and port 2 on switch A connect upstream to the common root. Port 5 and port 6 on switch C form a loop. Port 3 and port 4 on switch D connect downstream to other MST regions. This figure shows the roles these ports play.

 

Note:

- A port can play different roles in different MSTIs.
- The role a region edge port plays is consistent with the role it plays in the CIST. For example, port 1 on switch A in Figure 1-2 is a region edge port, and it is a master port in the CIST. So it is a master port in all MSTIs in the region.

 

Figure 1-2 Port roles

X. Port state

Ports can be in one of the following three states:

- Forwarding state: Ports in this state can forward user packets and receive/send BPDU packets.
- Learning state: Ports in this state can receive/send BPDU packets.
- Discarding state: Ports in this state can only receive BPDU packets.

Port roles and port states are not mutually dependent. Table 1-1 lists possible combinations of port states and port roles.

Table 1-1 Combinations of port states and port roles

Port roles (columns): Root port/Master port, Designated port, Region edge port, Alternate port, Backup port

Port states (rows): Forwarding, Learning, Discarding

 

1.1.3  Principle of MSTP

MSTP divides a Layer 2 network into multiple MST regions. The CSTs are generated between these MST regions, and multiple spanning trees (also called MSTIs) can be generated in each MST region. Like RSTP, MSTP uses configuration BPDUs for spanning tree calculation. The only difference is that the configuration BPDUs for MSTP carry the MSTP configuration information on the switches.

I. Calculate the CIST

Through comparing configuration BPDUs, the switch of the highest priority in the network is selected as the root of the CIST. In each MST region, an IST is calculated by MSTP. At the same time, MSTP regards each MST region as a switch to calculate the CSTs of the network. The CSTs, together with the ISTs, form the CIST of the network.

II. Calculate an MSTI

In an MST region, different MSTIs are generated for different VLANs based on the VLAN-to-MSTI mappings. Each spanning tree is calculated independently, in the same way as how STP/RSTP is calculated.

III. Implement STP algorithm

In the beginning, each switch regards itself as the root, and generates a configuration BPDU for each port on it as a root, with the root path cost being 0, the ID of the designated bridge being that of the switch, and the designated port being itself.

1) Each switch sends out its configuration BPDUs and operates in the following way when receiving a configuration BPDU on one of its ports from another switch:

- If the priority of the received configuration BPDU is lower than that of the configuration BPDU of the port itself, the switch discards the BPDU and does not change the configuration BPDU of the port.
- If the priority of the received configuration BPDU is higher than that of the configuration BPDU of the port itself, the switch replaces the configuration BPDU of the port with the received one and compares it with those of other ports on the switch to obtain the one with the highest priority.

2) Configuration BPDUs are compared as follows:

- The smaller the root ID of the configuration BPDU is, the higher the priority of the configuration BPDU is.
- For configuration BPDUs with the same root ID, the path costs are compared. Suppose S is the sum of the root path cost and the corresponding path cost of the port. The smaller the S value is, the higher the priority of the configuration BPDU is.
- For configuration BPDUs with both the same root ID and the same root path cost, the designated bridge ID, the designated port ID, and the ID of the receiving port are compared in turn.

3) A spanning tree is calculated as follows:

- Determining the root bridge

  Root bridges are selected by comparing configuration BPDUs. The switch with the smallest root ID is chosen as the root bridge.

- Determining the root port

  For each switch in a network, the port on which the configuration BPDU with the highest priority is received is chosen as the root port of the switch.

- Determining the designated port

  First, the switch calculates a designated port configuration BPDU for each of its ports using the root port configuration BPDU and the root port path cost, with the root ID being replaced with that of the root port configuration BPDU, root path cost being replaced with the sum of the root path cost of the root port configuration BPDU and the path cost of the root port, the ID of the designated bridge being replaced with that of the switch, and the ID of the designated port being replaced with that of the port.

  The switch then compares the calculated configuration BPDU with the original configuration BPDU received from the corresponding port on another switch. If the latter takes precedence over the former, the switch blocks the local port and keeps the port's configuration BPDU unchanged, so that the port can only receive configuration messages and cannot forward packets. Otherwise, the switch sets the local port to the designated port, replaces the original configuration BPDU of the port with the calculated one and advertises it regularly.
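The comparison and election steps above can be traced in code, which helps when predicting which switch becomes root and which port is blocked before a priority change is deployed. The following Python simulation is an added example, not H3C's implementation; the switch names, port numbers, MAC addresses and path costs are constructed, and it models one spanning tree on a topology without link failures.

```python
from dataclasses import dataclass, field


def bridge_id(priority, mac):
    # Bridge ID = (priority, MAC). Tuples compare field by field and the
    # smaller value wins. MACs share one fixed hex format, so string order works.
    return (priority, mac.lower())


@dataclass
class Switch:
    name: str
    bid: tuple
    ports: dict = field(default_factory=dict)     # port -> (peer, peer_port, path_cost)
    received: dict = field(default_factory=dict)  # port -> best BPDU heard on the port
    root_id: tuple = None
    root_cost: int = 0
    root_port: int = None

    def __post_init__(self):
        self.root_id = self.bid  # initially every switch regards itself as the root

    def bpdu(self, port):
        # (root ID, root path cost, designated bridge ID, designated port ID)
        return (self.root_id, self.root_cost, self.bid, port)

    def recompute(self):
        # Step 2: rank by root ID, then S = root path cost + receiving port's
        # path cost, then designated bridge, designated port, receiving port.
        ranked = [(b[0], b[1] + self.ports[p][2], b[2], b[3], p)
                  for p, b in self.received.items()]
        best = min(ranked, default=None)
        state = (self.bid, 0, None)
        if best is not None and best[0] < self.bid:
            state = (best[0], best[1], best[4])
        changed = state != (self.root_id, self.root_cost, self.root_port)
        self.root_id, self.root_cost, self.root_port = state
        return changed


def elect(bridges, links):
    """bridges: {name: (priority, mac)}; links: [(a, a_port, b, b_port, path_cost)].
    Returns (root bridge name, {(switch, port): role})."""
    sw = {name: Switch(name, bridge_id(*b)) for name, b in bridges.items()}
    for a, ap, b, bp, cost in links:
        sw[a].ports[ap] = (b, bp, cost)
        sw[b].ports[bp] = (a, ap, cost)
    changed = True
    while changed:
        # Step 1: everyone sends; a port keeps a received BPDU only if it has
        # higher priority (compares smaller) than the one already stored.
        sent = [(s.ports[p][0], s.ports[p][1], s.bpdu(p))
                for s in sw.values() for p in s.ports]
        for peer, peer_port, b in sent:
            stored = sw[peer].received
            if peer_port not in stored or b < stored[peer_port]:
                stored[peer_port] = b
        changed = any([s.recompute() for s in sw.values()])
    roles = {}
    for s in sw.values():
        for p in s.ports:
            if p == s.root_port:
                roles[(s.name, p)] = "root"
            elif p in s.received and s.received[p] < s.bpdu(p):
                roles[(s.name, p)] = "blocked"   # the peer's BPDU takes precedence
            else:
                roles[(s.name, p)] = "designated"
    root = next(s.name for s in sw.values() if s.root_id == s.bid)
    return root, roles


# Constructed sample: three switches in a triangle, equal path costs.
TRIANGLE = [("A", 1, "B", 1, 10), ("A", 2, "C", 1, 10), ("B", 2, "C", 2, 10)]
BY_PRIORITY = {"A": (4096, "00e0-fc00-0003"),
               "B": (32768, "00e0-fc00-0001"),
               "C": (32768, "00e0-fc00-0002")}
SAME_PRIORITY = {name: (32768, mac) for name, (_, mac) in BY_PRIORITY.items()}

if __name__ == "__main__":
    for label, bridges in (("priority 4096 on A", BY_PRIORITY),
                           ("all 32768", SAME_PRIORITY)):
        root, roles = elect(bridges, TRIANGLE)
        print(label, "-> root", root, roles)
```

With priority 4096 on switch A, A becomes the root and the loop is broken at port 2 of switch C; with equal priorities the switch with the smallest MAC address (B) becomes the root and the blocked port moves to port 2 of switch A.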

1.1.4  MSTP Implementation on Switches

MSTP is compatible with both STP and RSTP. That is, MSTP-enabled switches can recognize the protocol packets of STP and RSTP and use them for spanning tree calculation. In addition to the basic MSTP functions, H3C series switches also provide the following functions for the convenience of users to manage their switches:

- Root bridge hold
- Root bridge backup
- Root protection
- BPDU protection
- Loop prevention

1.2  Configuring Root Bridge

Table 1-2 lists MSTP-related configurations about root bridges.

Table 1-2 Configure root bridge

| Operation | Description | Related section |
| --- | --- | --- |
| Enable the MSTP feature | Required. To prevent network topology jitter caused by other related configurations, you are recommended to enable the MSTP feature after other related configurations are performed. | Section 1.2.14  Enabling the MSTP Feature |
| Configure the MST region | Required | Section 1.2.2  Configuring the MST region |
| Specify the current switch as a root bridge/secondary root bridge | Required | Section 1.2.3  Specifying the Current Switch as a Root Bridge/Secondary Root Bridge |
| Configure the bridge priority of the current switch | Optional. The priority of a switch cannot be changed after the switch is specified as the root bridge or a secondary root bridge. | Section 1.2.4  Configuring the Bridge Priority of the Current Switch |
| Configure the MSTP packet format | Optional | Section 1.2.5  Configuring the MSTP Packet Format |
| Configure the MSTP operation mode | Optional | Section 1.2.6  Configuring the MSTP Operation Mode |
| Configure the maximum hops of MST region | Optional | Section 1.2.7  Configuring the Maximum Hops of MST Region |
| Configure the network diameter of the switched network | Optional. The default value is recommended. | Section 1.2.8  Configuring the Network Diameter of the Switched Network |
| Configure the MSTP time-related parameters | Optional. The default values are recommended. | Section 1.2.9  Configuring the MSTP Time-related Parameters |
| Configure the timeout time factor | Optional | Section 1.2.10  Configuring the Timeout Time Factor |
| Configure the maximum transmitting speed on the current port | Optional. The default value is recommended. | Section 1.2.11  Configuring the Maximum Transmitting Speed on the Current Port |
| Configure the current port as an edge port | Optional | Section 1.2.12  Configuring the Current Port as an Edge Port |
| Specify whether the link connected to a port is a point-to-point link | Optional | Section 1.2.13  Specifying Whether the Link Connected to a Port Is Point-to-point Link |

 

Note:

In a network containing switches with both GVRP and MSTP enabled, GVRP packets are forwarded along the CIST. If you want to advertise packets of a specific VLAN through GVRP, be sure to map the VLAN to the CIST when configuring the MSTP VLAN mapping table (the CIST of a network is spanning tree instance 0).

 

1.2.1  Configuration Prerequisites

The role (root, branch, or leaf) of each switch in each spanning tree instance is determined.

1.2.2  Configuring the MST region

I. Configuration procedure

Table 1-3 Configure an MST region

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | |
| Enter MST region view | stp region-configuration | |
| Configure the name of the MST region | region-name name | Required. The default MST region name of a switch is its MAC address. |
| Configure the VLAN mapping table for the MST region | instance instance-id vlan vlan-list | Required. Both commands can be used to configure VLAN mapping tables. By default, all VLANs in an MST region are mapped to spanning tree instance 0. |
| | vlan-mapping modulo modulo | |
| Configure the MSTP revision level for the MST region | revision-level level | Required. The default revision level of an MST region is level 0. |
| Activate the configuration of the MST region manually | active region-configuration | Required |
| Display the configuration of the current MST region | check region-configuration | Optional |
| Display the currently valid configuration of the MST region | display stp region-configuration | You can execute this command in any view. |

 

Configuring MST region-related parameters (especially the VLAN mapping table) results in spanning tree recalculation and network topology jitter. To reduce the jitter, MSTP does not recalculate spanning trees immediately after the configuration; the configuration takes effect only after you perform one of the following operations:

- Activate the new MST region-related settings by using the active region-configuration command
- Enable MSTP by using the stp enable command

 

Note:

Switches belong to the same MST region only when they have the same MST region name, VLAN mapping table, and MSTP revision level.

 

II. Configuration example

# Configure an MST region, with the name being “info”, the MSTP revision level being level 1, VLAN 2 through VLAN 10 being mapped to spanning tree instance 1, and VLAN 20 through VLAN 30 being mapped to spanning tree instance 2.

```
<H3C> system-view
[H3C] stp region-configuration
[H3C-mst-region] region-name info
[H3C-mst-region] instance 1 vlan 2 to 10
[H3C-mst-region] instance 2 vlan 20 to 30
[H3C-mst-region] revision-level 1
[H3C-mst-region] active region-configuration
```

# Verify the above configuration.

```
[H3C-mst-region] check region-configuration
Admin configuration
   Format selector    :0
   Region name        :info
   Revision level     :1

   Instance   Vlans Mapped
      0       1, 11 to 19, 31 to 4094
      1       2 to 10
      2       20 to 30
```
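Because switches share an MST region only when the region name, VLAN mapping table and revision level all match, comparing those three attributes across switches is a useful check before activating a region configuration. The following Python is an added example, not part of the H3C manual or software: it parses text in the layout of the check region-configuration output above and reports which attributes differ; both sample outputs are constructed.

```python
import re

ALL_VLANS = set(range(1, 4095))  # VLAN 1 through VLAN 4094


def expand_vlans(spec):
    """Expand '1, 11 to 19, 31 to 4094' into a set of VLAN IDs."""
    vlans = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        m = re.fullmatch(r"(\d+)(?:\s+to\s+(\d+))?", part)
        if not m:
            raise ValueError(f"unrecognized VLAN range: {part!r}")
        low = int(m.group(1))
        high = int(m.group(2) or low)
        vlans.update(range(low, high + 1))
    return vlans


def parse_region(text):
    """Parse output in the 'check region-configuration' layout into a dict."""
    cfg = {"name": None, "revision": None, "vlan_to_instance": {}, "duplicates": set()}
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = line.lower()
        if key.startswith("region name"):
            cfg["name"] = line.split(":", 1)[1].strip()
        elif key.startswith("revision level"):
            cfg["revision"] = int(line.split(":", 1)[1])
        elif key.startswith("instance"):
            in_table = True  # header row of the mapping table
        elif in_table:
            instance, spec = line.split(None, 1)
            for vlan in expand_vlans(spec):
                if vlan in cfg["vlan_to_instance"]:
                    cfg["duplicates"].add(vlan)  # VLAN listed under two instances
                cfg["vlan_to_instance"][vlan] = int(instance)
    cfg["unmapped"] = ALL_VLANS - set(cfg["vlan_to_instance"])
    return cfg


def region_mismatches(a, b):
    """Return the region attributes that differ between two parsed configs."""
    diff = {}
    if a["name"] != b["name"]:
        diff["name"] = (a["name"], b["name"])
    if a["revision"] != b["revision"]:
        diff["revision"] = (a["revision"], b["revision"])
    vlans = sorted(v for v in ALL_VLANS
                   if a["vlan_to_instance"].get(v) != b["vlan_to_instance"].get(v))
    if vlans:
        diff["vlans"] = vlans  # VLANs mapped to different instances
    return diff


# Constructed sample outputs for two switches meant to share region "info".
SW1 = """
Admin configuration
   Format selector    :0
   Region name        :info
   Revision level     :1

   Instance   Vlans Mapped
      0       1, 11 to 19, 31 to 4094
      1       2 to 10
      2       20 to 30
"""
SW2 = """
Admin configuration
   Format selector    :0
   Region name        :info
   Revision level     :0

   Instance   Vlans Mapped
      0       1, 10 to 19, 31 to 4094
      1       2 to 9
      2       20 to 30
"""

if __name__ == "__main__":
    first, second = parse_region(SW1), parse_region(SW2)
    print(region_mismatches(first, second) or "same MST region")
```

Here the second switch would form its own region: its revision level is 0 instead of 1 and it maps VLAN 10 to instance 0 instead of instance 1.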

1.2.3  Specifying the Current Switch as a Root Bridge/Secondary Root Bridge

MSTP can automatically choose a switch as a root bridge through calculation. You can also manually specify the current switch as a root bridge by using the corresponding commands.

I. Specify the current switch as the root bridge of a specified spanning tree

Table 1-4 Specify the current switch as the root bridge of a specified spanning tree

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | |
| Specify the current switch as the root bridge of a specified spanning tree | stp [ instance instance-id ] root primary [ bridge-diameter bridgenumber ] [ hello-time centi-seconds ] | Required |

 

II. Specify the current switch as the secondary root bridge of a specified spanning tree

Table 1-5 Specify the current switch as the secondary root bridge of a specified spanning tree

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | |
| Specify the current switch as the secondary root bridge of a specified spanning tree | stp [ instance instance-id ] root secondary [ bridge-diameter bridgenumber ] [ hello-time centi-seconds ] | Required |

 

Using the stp root primary/stp root secondary command, you can specify the current switch as the root bridge or the secondary root bridge of the spanning tree instance identified by the instance-id argument. If the value of the instance-id argument is set to 0, the stp root primary/stp root secondary command specifies the current switch as the root bridge or the secondary root bridge of the CIST.

A switch can play different roles in different spanning tree instances. That is, it can be the root bridge in one spanning tree instance and a secondary root bridge in another spanning tree instance at the same time. But in the same spanning tree instance, a switch cannot be the root bridge and the secondary root bridge simultaneously.

When the root bridge fails or is turned off, the secondary root bridge becomes the root bridge if no new root bridge is configured. If you configure multiple secondary root bridges for a spanning tree instance, the one with the smallest MAC address replaces the root bridge when the latter fails.

You can specify the network diameter and the hello time parameters while configuring a root bridge/secondary root bridge. Refer to sections “1.2.8  Configuring the Network Diameter of the Switched Network” and “1.2.9  Configuring the MSTP Time-related Parameters” for information about the network diameter parameter and the hello time parameter.

 

Note:

- You can configure a switch as the root bridges of multiple spanning tree instances. But you cannot configure two or more root bridges for one spanning tree instance. So, do not configure root bridges for the same spanning tree instance on two or more switches using the stp root primary command.
- You can configure multiple secondary root bridges for one spanning tree instance. That is, you can configure secondary root bridges for the same spanning tree instance on two or more switches using the stp root secondary command.
- You can also configure the current switch as the root bridge by setting the priority of the switch to 0. Note that once a switch is configured as the root bridge or a secondary root bridge, its priority cannot be modified.

 

III. Configuration example

# Configure the current switch as the root bridge of spanning tree instance 1 and a secondary root bridge of spanning tree instance 2.

```
<H3C> system-view
[H3C] stp instance 1 root primary
[H3C] stp instance 2 root secondary
```

1.2.4  Configuring the Bridge Priority of the Current Switch

Root bridges are selected according to the bridge priorities of switches. You can make a specific switch be selected as a root bridge by setting a lower bridge priority for the switch. An MSTP-enabled switch can have different bridge priorities in different spanning tree instances.

I. Configuration procedure

Table 1-6 Configure the bridge priority of the current switch

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | |
| Set the bridge priority for the current switch | stp [ instance instance-id ] priority priority | Required. The default bridge priority of a switch is 32,768. |

 

Caution:

- Once you specify a switch as the root bridge or a secondary root bridge by using the stp root primary or stp root secondary command, the bridge priority of the switch cannot be configured any more.
- During the selection of the root bridge, if multiple switches have the same bridge priority, the one with the smallest MAC address becomes the root bridge.

 

II. Configuration example

# Set the bridge priority of the current switch to 4,096 in spanning tree instance 1.

```
<H3C> system-view
[H3C] stp instance 1 priority 4096
```

1.2.5  Configuring the MSTP Packet Format

You can set the MSTP packet format of a port to one of the following three formats: auto, legacy, and dot1s (802.1s).

- With the MSTP packet format set to auto, the port automatically determines the format of the received MSTP packets (legacy or dot1s) and then decides the format of packets to be transmitted, thus implementing communication with the peer device. If the format of the received packets from the peer device changes repeatedly, MSTP will shut down the corresponding port to prevent network storm. A port shut down in this way can only be enabled again by the network administrator after login.
- With the MSTP packet format set to legacy, the port processes and transmits only MSTP packets in legacy format, thus implementing communication with the peer device sending packets in legacy format. If packets in dot1s format are received, the corresponding ports are set to the discarding state to prevent network storm.
- With the MSTP packet format set to dot1s, the port processes and transmits only MSTP packets in dot1s format, thus implementing communication with the peer device sending packets in dot1s format. If packets in legacy format are received, the corresponding ports are set to the discarding state to prevent network storm.
- All the ports in an aggregation group use the same MSTP packet format.

I. Configuration procedure

Table 1-7 Configure MSTP packet format for the port

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | |
| Enter Ethernet port view | interface interface-type interface-number | |
| Configure MSTP packet format for the port | stp compliance { auto \| dot1s \| legacy } | Required. By default, an MSTP packet is in legacy format. |

 

II. Configuration Example

# Configure the MSTP packet format as dot1s (802.1s).

```
<H3C> system-view
[H3C] interface Ethernet1/0/1
[H3C-Ethernet1/0/1] stp compliance dot1s
```

# Restore the MSTP packet format to the default value.

```
[H3C-Ethernet1/0/1] undo stp compliance
```

1.2.6  Configuring the MSTP Operation Mode

An MSTP-enabled switch can operate in one of the following operation modes:

- STP-compatible mode: In this mode, all ports of the switch send STP packets. If the switched network contains STP-enabled switches, you can configure the current MSTP-enabled switch to operate in this mode by using the stp mode stp command.
- RSTP-compatible mode: In this mode, all ports of the switch send RSTP packets. If the switched network contains RSTP-enabled switches, you can configure the current MSTP-enabled switch to operate in this mode by using the stp mode rstp command.
- MSTP mode: In this mode, all the ports of the switch send MSTP packets or STP packets (if the port is connected to an STP-enabled switch). In this case, the multiple spanning tree function is enabled as well.

I. Configuration procedure

Table 1-8 Configure the MSTP operation mode

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | |
| Configure the MSTP operation mode | stp mode { stp \| rstp \| mstp } | Required. An MSTP-enabled switch operates in the MSTP mode by default. |

 

II. Configuration example

# Configure the current MSTP-enabled switch to operate in the STP-compatible mode.

```
<H3C> system-view
[H3C] stp mode stp
```

1.2.7  Configuring the Maximum Hops of MST Region

The maximum hops configured on the region root is also the maximum hops of an MST region. The value of the maximum hops limits the size of the MST region.

A configuration BPDU contains a field that maintains the remaining hops of the configuration BPDU, and a switch discards the configuration BPDUs whose remaining hops are 0. After a configuration BPDU reaches a root bridge of a spanning tree in an MST region, the value of the remaining hops field in the configuration BPDU is decreased by 1 every time the configuration BPDU passes one switch. This mechanism prevents the switches that are beyond the maximum hops from participating in spanning tree calculation, and thus limits the size of an MST region.

With such a mechanism, the maximum hops configured on the switch operating as the root bridge of the CIST or an MSTI in an MST region becomes the network diameter of the spanning tree, which limits the size of the spanning tree in the current MST region. The switches that are not root bridges in the MST region adopt the maximum hop settings of their root bridges.

I. Configuration procedure

Table 1-9 Configure the maximum hops for an MST region

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | |
| Configure the maximum hops of the MST region | stp max-hops hops | Required. By default, the maximum hops of an MST region are 20. |

 

The bigger the maximum hops are in an MST region, the larger the MST region is. Note that only the maximum hop settings on the switch operating as a region root can limit the size of the MST region.

II. Configuration example

# Configure the maximum hops of the MST region to be 30.

```
<H3C> system-view
[H3C] stp max-hops 30
```

1.2.8  Configuring the Network Diameter of the Switched Network

In a switched network, any two switches can communicate with each other through a specific path made up of multiple switches. The network diameter of a network is measured by the number of switches; it equals the number of the switches on the longest path (that is, the path containing the maximum number of switches).

I. Configuration procedure

Table 1-10 Configure the network diameter of the switched network

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | |
| Configure the network diameter of the switched network | stp bridge-diameter bridgenumber | Required. The default network diameter of a network is 7. |

 

The network diameter parameter indicates the size of a network. The bigger the network diameter is, the larger the network size is.

After you configure the network diameter of a switched network, an MSTP-enabled switch adjusts its hello time, forward delay, and max age settings to values appropriate for that diameter.

The network diameter setting applies only to the CIST; it is invalid for MSTIs.

II. Configuration example

# Configure the network diameter of the switched network to 6.

```
<H3C> system-view
[H3C] stp bridge-diameter 6
```

1.2.9  Configuring the MSTP Time-related Parameters

You can configure three MSTP time-related parameters for a switch: forward delay, hello time, and max age.

- The forward delay parameter sets the delay of state transition.

  Link failures in a network result in spanning tree recalculation and spanning tree structure change. As the newly calculated configuration BPDUs cannot be advertised across the entire network immediately when the new spanning trees are calculated, temporary loops may occur if the new root ports and designated ports begin to forward packets immediately.

  This problem can be solved by adopting a state transition mechanism. With this mechanism, newly selected root ports and designated ports undergo an intermediate state before they begin to forward packets. That is, these ports take a period (specified by the forward delay parameter) to turn to the forwarding state. In the period, the newly calculated configuration BPDUs are advertised across the entire network.

- The hello time parameter is used for testing link failures.

  A switch regularly sends hello packets to other switches at the interval specified by the hello time parameter to test whether the links fail.

- The max age parameter is used to judge whether or not a configuration BPDU times out. Configuration BPDUs that time out are discarded.

I. Configuration procedure

Table 1-11 Configure MSTP time-related parameters

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Configure the forward delay parameter | stp timer forward-delay centiseconds | Required. The forward delay parameter defaults to 1,500 centiseconds (namely, 15 seconds). |
| Configure the hello time parameter | stp timer hello centiseconds | Required. The hello time parameter defaults to 200 centiseconds (namely, 2 seconds). |
| Configure the max age parameter | stp timer max-age centiseconds | Required. The max age parameter defaults to 2,000 centiseconds (namely, 20 seconds). |

All switches in a switched network adopt the three time-related parameters configured on the CIST root bridge.

Caution:

- The forward delay parameter and the network diameter are correlated. Normally, a large network diameter corresponds to a large forward delay. A forward delay that is too small may result in temporary redundant paths. A forward delay that is too large may leave the network unable to resume the normal state in time after the network changes. The default value is recommended.

- An adequate hello time parameter enables a switch to detect link failures in time without occupying too many network resources. A hello time that is too small may result in duplicated configuration BPDUs being sent frequently, which increases the workload of the switches and wastes network resources. The default value is recommended.

- As for the max age parameter, if it is too small, network congestion may be falsely regarded as link failure, which results in frequent spanning tree recalculation. If it is too large, link problems may not be detected in time, which prevents spanning trees from being recalculated in time and makes the network less adaptive. The default value is recommended.

 

As for the configuration of the three time-related parameters (that is, the hello time, forward delay, and max age parameters), the following formulas must be met to prevent frequent network jitter.

2 x (forward delay – 1 second) >= max age

Max age >= 2 x (hello time + 1 second)

You are recommended to specify the network diameter of the switched network and the hello time by using the stp root primary or stp root secondary command. After that, the three proper time-related parameters are determined automatically.

II. Configuration example

# Configure the forward delay parameter to be 1,600 centiseconds, the hello time parameter to be 300 centiseconds, and the max age parameter to be 2,100 centiseconds (assuming that the current switch operates as the CIST root bridge).

<H3C> system-view

[H3C] stp timer forward-delay 1600

[H3C] stp timer hello 300

[H3C] stp timer max-age 2100
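The following Python script is an added example, not part of the H3C manual: it reads `stp timer` commands as they appear in this section, fills in the defaults from Table 1-11, and checks the result against the two formulas above. The function names and the second, constructed input are assumptions made for illustration.

```python
import re

# Defaults from Table 1-11, in centiseconds (1 second = 100 centiseconds).
DEFAULTS = {"forward-delay": 1500, "hello": 200, "max-age": 2000}

# Matches "stp timer <name> <centiseconds>", with or without a "[H3C]" prompt.
TIMER_RE = re.compile(
    r"^(?:\[[^\]]*\]\s*)?stp\s+timer\s+(forward-delay|hello|max-age)\s+(\d+)$"
)

# The configuration example from this section.
PAGE_EXAMPLE = """\
<H3C> system-view
[H3C] stp timer forward-delay 1600
[H3C] stp timer hello 300
[H3C] stp timer max-age 2100
"""

# Constructed input: only the forward delay is lowered, the rest stay at default.
CONSTRUCTED_BAD = "[H3C] stp timer forward-delay 1000\n"


def parse_timers(text):
    """Return the effective timers in centiseconds; a later command overrides an earlier one."""
    timers = dict(DEFAULTS)
    for raw in text.splitlines():
        match = TIMER_RE.match(raw.strip())
        if match:
            timers[match.group(1)] = int(match.group(2))
    return timers


def max_age_bounds(forward_delay, hello):
    """Return the (lowest, highest) max age allowed by the two formulas."""
    lowest = 2 * (hello + 100)            # max age >= 2 x (hello time + 1 second)
    highest = 2 * (forward_delay - 100)   # 2 x (forward delay - 1 second) >= max age
    return lowest, highest


def check_timers(timers):
    """Return one message per violated formula; an empty list means the set is consistent."""
    max_age = timers["max-age"]
    lowest, highest = max_age_bounds(timers["forward-delay"], timers["hello"])
    problems = []
    if max_age > highest:
        problems.append(
            f"2 x (forward delay - 1 s) = {highest} cs is below max age {max_age} cs"
        )
    if max_age < lowest:
        problems.append(
            f"max age {max_age} cs is below 2 x (hello time + 1 s) = {lowest} cs"
        )
    return problems


if __name__ == "__main__":
    for label, text in (("page example", PAGE_EXAMPLE), ("constructed", CONSTRUCTED_BAD)):
        timers = parse_timers(text)
        problems = check_timers(timers)
        print(label, timers, "OK" if not problems else problems)
```

Because unset timers keep their defaults, changing a single parameter can break a formula even though the command itself is accepted by the parser, which is what the constructed input shows.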

1.2.10  Configuring the Timeout Time Factor

A switch regularly sends protocol packets to its neighboring devices at the interval specified by the hello time parameter to test for link failures. Normally, a switch regards its upstream switch as faulty if it does not receive any protocol packets from the upstream switch within a period of three times the hello time, and then initiates the spanning tree recalculation process.

Spanning trees may be recalculated even in a steady network if an upstream switch continues to be busy. You can configure the timeout time factor to a larger number to avoid such cases. Normally, the timeout time can be four or more times the hello time. For a steady network, the timeout time can be five to seven times the hello time.

I. Configuration procedure

Table 1-12 Configure the timeout time factor

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Configure the timeout time factor for the switch | stp timer-factor number | Required. The timeout time factor defaults to 3. |

For a steady network, the timeout time can be five to seven times the hello time.

II. Configuration example

# Configure the timeout time factor to be 6.

<H3C> system-view

[H3C] stp timer-factor 6

1.2.11  Configuring the Maximum Transmitting Speed on the Current Port

The maximum transmitting speed of a port specifies the maximum number of configuration BPDUs a port can transmit in a period specified by the hello time parameter. It depends on the physical state of the port and network structure. You can configure this parameter according to the network.

I. Configure the maximum transmitting speed for specified ports in system view

Table 1-13 Configure the maximum transmitting speed for specified ports in system view

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Configure the maximum transmitting speed for specified ports | stp interface interface-list transmit-limit packetnum | Required. The maximum transmitting speed of all Ethernet ports on a switch defaults to 10. |

II. Configure the maximum transmitting speed in Ethernet port view

Table 1-14 Configure the maximum transmitting speed in Ethernet port view

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Enter Ethernet port view | interface interface-type interface-number | - |
| Configure the maximum transmitting speed | stp transmit-limit packetnum | Required. The maximum transmitting speed of all Ethernet ports on a switch defaults to 10. |

As the maximum transmitting speed parameter determines the number of the configuration BPDUs transmitted in each hello time, set it to a proper value to prevent MSTP from occupying too many network resources. The default value is recommended.

III. Configuration example

# Set the maximum transmitting speed of Ethernet1/0/1 to 15.

1) Configure the maximum transmitting speed in system view.

<H3C> system-view

[H3C] stp interface ethernet1/0/1 transmit-limit 15

2) Configure the maximum transmitting speed in Ethernet port view.

<H3C> system-view

[H3C] interface ethernet1/0/1

[H3C-Ethernet1/0/1] stp transmit-limit 15

1.2.12  Configuring the Current Port as an Edge Port

Edge ports are ports that connect to other switches neither directly nor indirectly through network segments. After a port is configured as an edge port, the rapid transition mechanism is applicable to the port. That is, when the port changes from the blocking state to the forwarding state, it does not have to wait for a delay.

You can configure a port as an edge port in one of the following two ways.

I. Configure a port as an edge port in system view

Table 1-15 Configure a port as an edge port in system view

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Configure the specified ports as edge ports | stp interface interface-list edged-port enable | Required. By default, all the Ethernet ports of a switch are non-edge ports. |

II. Configure a port as an edge port in Ethernet port view

Table 1-16 Configure a port as an edge port in Ethernet port view

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Enter Ethernet port view | interface interface-type interface-number | - |
| Configure the port as an edge port | stp edged-port enable | Required. By default, all the Ethernet ports of a switch are non-edge ports. |

On a switch with BPDU protection disabled, an edge port becomes a non-edge port again once it receives a BPDU from another port.

 

Note:

You are recommended to configure the Ethernet ports connected directly to terminals as edge ports and enable the BPDU protection function at the same time. This not only enables these ports to turn to the forwarding state rapidly but also secures your network.

 

III. Configuration example

# Configure Ethernet1/0/1 as an edge port.

1) Configure Ethernet1/0/1 as an edge port in system view.

<H3C> system-view

[H3C] stp interface ethernet1/0/1 edged-port enable

2) Configure Ethernet1/0/1 as an edge port in Ethernet port view.

<H3C> system-view

[H3C] interface ethernet1/0/1

[H3C-Ethernet1/0/1] stp edged-port enable

1.2.13  Specifying Whether the Link Connected to a Port Is Point-to-point Link

A point-to-point link directly connects two switches. If the roles of the two ports at the two ends of a point-to-point link meet certain criteria, the two ports can turn to the forwarding state rapidly by exchanging synchronization packets, thus reducing the forward delay.

You can determine whether or not the link connected to a port is a point-to-point link in one of the following two ways.

I. Specify whether the link connected to a port is point-to-point link in system view

Table 1-17 Specify whether the link connected to a port is point-to-point link in system view

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Specify whether the link connected to a port is point-to-point link | stp interface interface-list point-to-point { force-true \| force-false \| auto } | Required. The auto keyword is adopted by default. The force-true keyword specifies that the links connected to the specified ports are point-to-point links. The force-false keyword specifies that the links connected to the specified ports are not point-to-point links. The auto keyword specifies to automatically determine whether or not the links connected to the specified ports are point-to-point links. |

II. Specify whether the link connected to a port is point-to-point link in Ethernet port view

Table 1-18 Specify whether the link connected to a port is point-to-point link in Ethernet port view

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Enter Ethernet port view | interface interface-type interface-number | - |
| Specify whether the link connected to a port is a point-to-point link | stp point-to-point { force-true \| force-false \| auto } | Required. The auto keyword is adopted by default. The force-true keyword specifies that the link connected to the port is a point-to-point link. The force-false keyword specifies that the link connected to the port is not a point-to-point link. The auto keyword specifies to automatically determine whether or not the link connected to the port is a point-to-point link. |

Note:

- Among aggregated ports, you can only configure the links of master ports as point-to-point links.

- If an auto-negotiating port operates in full duplex mode after negotiation, you can configure the link of the port as a point-to-point link.

 

After you configure the link of a port as a point-to-point link, the configuration applies to all spanning tree instances. If the actual physical link of a port is not a point-to-point link and you forcibly configure the link as a point-to-point link, temporary loops may occur.

III. Configuration example

# Configure the link connected to Ethernet1/0/1 as a point-to-point link.

1) Perform this configuration in system view.

<H3C> system-view

[H3C] stp interface ethernet1/0/1 point-to-point force-true

2) Perform this configuration in Ethernet port view.

<H3C> system-view

[H3C] interface ethernet1/0/1

[H3C-Ethernet1/0/1] stp point-to-point force-true

1.2.14  Enabling the MSTP Feature

I. Configuration procedure

Table 1-19 Enable the MSTP feature in system view

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Enable the MSTP feature | stp enable | Required. MSTP is disabled by default. |
| Disable the MSTP feature on specified ports | stp interface interface-list disable | Optional. By default, the MSTP feature is enabled on all ports after you enable the MSTP feature in system view. To enable a switch to operate more flexibly, you can disable MSTP on specific ports. As MSTP-disabled ports do not participate in spanning tree calculation, this operation saves CPU resources of the switch. |

Table 1-20 Enable the MSTP feature in Ethernet port view

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Enable the MSTP feature | stp enable | Required. MSTP is disabled by default. |
| Enter Ethernet port view | interface interface-type interface-number | - |
| Disable the MSTP feature on the port | stp disable | Optional. By default, MSTP is enabled on all ports after you enable MSTP in system view. To enable a switch to operate more flexibly, you can disable MSTP on specific ports. As MSTP-disabled ports do not participate in spanning tree calculation, this operation saves CPU resources of the switch. |

Other MSTP-related settings can take effect only after MSTP is enabled on the switch.

II. Configuration example

# Enable MSTP on the switch and disable MSTP on Ethernet1/0/1.

1) Perform this configuration in system view.

<H3C> system-view

[H3C] stp enable

[H3C] stp interface ethernet1/0/1 disable

2) Perform this configuration in Ethernet port view.

<H3C> system-view

[H3C] stp enable

[H3C] interface ethernet1/0/1

[H3C-Ethernet1/0/1] stp disable

1.3  Configuring Leaf Nodes

Table 1-21 lists MSTP-related configurations about leaf nodes.

Table 1-21 Configure leaf nodes

| Operation | Description | Related section |
| --- | --- | --- |
| Enable the MSTP feature | Required. To prevent network topology jitter caused by other related configurations, you are recommended to enable MSTP after performing other configurations. | Section 1.2.14 Enabling the MSTP Feature |
| Configure the MST region | Required | Section 1.2.2 Configuring the MST region |
| Configure the MSTP operation mode | Optional | Section 1.2.5 Configuring the MSTP Packet Format |
| Configure the timeout time factor | Optional | Section 1.2.10 Configuring the Timeout Time Factor |
| Configure the maximum transmitting speed on the current port | Optional. The default value is recommended. | Section 1.2.11 Configuring the Maximum Transmitting Speed on the Current Port |
| Configure the current port as an edge port | Optional | Section 1.2.12 Configuring the Current Port as an Edge Port |
| Configure the path cost for a port | Optional | Section 1.3.7 Configuring the Path Cost for a Port |
| Configure the port priority | Optional | Section 1.3.8 Configuring Port Priority |
| Specify whether the link connected to a port is point-to-point link | Optional | Section 1.2.13 Specifying Whether the Link Connected to a Port Is Point-to-point Link |

Note:

In a network containing switches with both GVRP and MSTP enabled, GVRP packets are forwarded along the CIST. In this case, if you want to broadcast packets of a specific VLAN through GVRP, be sure to map the VLAN to the CIST when configuring the MSTP VLAN mapping table (the CIST of a network is spanning tree instance 0).

 

1.3.1  Configuration Prerequisites

The role (root, branch, or leaf) of each switch in each spanning tree instance is determined.

1.3.2  Configuring the MST Region

Refer to section 1.2.2 “Configuring the MST region”.

1.3.3  Configuring the MSTP Operation Mode

Refer to section 1.2.6 “Configuring the MSTP Operation Mode”.

1.3.4  Configuring the Timeout Time Factor

Refer to section 1.2.10 “Configuring the Timeout Time Factor”.

1.3.5  Configuring the Maximum Transmitting Speed

Refer to section 1.2.11 “Configuring the Maximum Transmitting Speed on the Current Port”.

1.3.6  Configuring a Port as an Edge

Refer to section 1.2.12 “Configuring the Current Port as an Edge Port”.

1.3.7  Configuring the Path Cost for a Port

The path cost parameter reflects the rate of the link connected to the port. For a port on an MSTP-enabled switch, the path cost may be different in different spanning tree instances. You can enable flows of different VLANs to travel along different physical links by configuring appropriate path costs on ports, so that VLAN-based load balancing can be implemented.

Path cost of a port can be determined by the switch or through manual configuration.

I. Standards for calculating path costs of ports

Currently, a switch can calculate the path costs of ports based on one of the following standards:

- dot1d-1998: Adopts the IEEE 802.1D-1998 standard to calculate the default path costs of ports.

- dot1t: Adopts the IEEE 802.1t standard to calculate the default path costs of ports.

- legacy: Adopts the proprietary standard to calculate the default path costs of ports.

Table 1-22 Specify the standard for calculating path costs

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Specify the standard for calculating the default path costs of the links connected to the ports of the switch | stp pathcost-standard { dot1d-1998 \| dot1t \| legacy } | Optional. By default, the IEEE 802.1t standard is used to calculate the default path costs of ports. |

Table 1-23 Transmission speeds and the corresponding path costs

| Transmission speed | Operation mode (half-/full-duplex) | 802.1D-1998 | IEEE 802.1t | Proprietary standard |
| --- | --- | --- | --- | --- |
| 0 | - | 65,535 | 200,000,000 | 200,000 |
| 10 Mbps | Half-duplex/Full-duplex | 100 | 200,000 | 2,000 |
| 10 Mbps | Aggregated link 2 ports | 95 | 1,000,000 | 1,800 |
| 10 Mbps | Aggregated link 3 ports | 95 | 666,666 | 1,600 |
| 10 Mbps | Aggregated link 4 ports | 95 | 500,000 | 1,400 |
| 100 Mbps | Half-duplex/Full-duplex | 19 | 200,000 | 200 |
| 100 Mbps | Aggregated link 2 ports | 15 | 100,000 | 180 |
| 100 Mbps | Aggregated link 3 ports | 15 | 66,666 | 160 |
| 100 Mbps | Aggregated link 4 ports | 15 | 50,000 | 140 |
| 1,000 Mbps | Full-duplex | 4 | 200,000 | 20 |
| 1,000 Mbps | Aggregated link 2 ports | 3 | 10,000 | 18 |
| 1,000 Mbps | Aggregated link 3 ports | 3 | 6,666 | 16 |
| 1,000 Mbps | Aggregated link 4 ports | 3 | 5,000 | 14 |
| 10 Gbps | Full-duplex | 2 | 200,000 | 2 |
| 10 Gbps | Aggregated link 2 ports | 1 | 1,000 | 1 |
| 10 Gbps | Aggregated link 3 ports | 1 | 666 | 1 |
| 10 Gbps | Aggregated link 4 ports | 1 | 500 | 1 |

Normally, the path cost of a port operating in full-duplex mode is slightly less than that of the port operating in half-duplex mode.

When calculating the path cost of an aggregated link, the 802.1D-1998 standard does not take the number of ports on the aggregated link into account, whereas the 802.1t standard does. The following formula is used to calculate the path cost of an aggregated link:

Path cost = 200,000 / link transmission speed

In this formula, the link transmission speed is the sum of the speeds of all the unblocked ports on the aggregated link, measured in units of 100 Kbps.

II. Configure the path costs of ports

Table 1-24 Configure the path cost for specified ports in system view

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Configure the path cost for specified ports | stp interface interface-list [ instance instance-id ] cost cost | Required. An MSTP-enabled switch can calculate path costs for all its ports automatically. |

Table 1-25 Configure the path cost for a port in Ethernet port view

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Enter Ethernet port view | interface interface-type interface-number | - |
| Configure the path cost for the port | stp [ instance instance-id ] cost cost | Required. An MSTP-enabled switch can calculate path costs for all its ports automatically. |

Changing the path cost of a port may change the role of the port and put it in state transition. Executing the stp cost command with the instance-id argument being 0 sets the path cost on the CIST for the port.

III. Configuration example (A)

# Configure the path cost of Ethernet1/0/1 in spanning tree instance 1 to be 2,000.

1) Perform this configuration in system view.

<H3C> system-view

[H3C] stp interface ethernet1/0/1 instance 1 cost 2000

2) Perform this configuration in Ethernet port view.

<H3C> system-view

[H3C] interface ethernet1/0/1

[H3C-Ethernet1/0/1] stp instance 1 cost 2000

IV. Configuration example (B)

# Configure the path cost of Ethernet1/0/1 in spanning tree instance 1 to be calculated by the MSTP-enabled switch according to the IEEE 802.1D-1998 standard.

1) Perform this configuration in system view.

<H3C> system-view

[H3C] undo stp interface ethernet1/0/1 instance 1 cost

[H3C] stp pathcost-standard dot1d-1998

2) Perform this configuration in Ethernet port view.

<H3C> system-view

[H3C] interface ethernet1/0/1

[H3C-Ethernet1/0/1] undo stp instance 1 cost

[H3C-Ethernet1/0/1] quit

[H3C] stp pathcost-standard dot1d-1998

1.3.8  Configuring Port Priority

Port priority is an important criterion in determining the root port. Other conditions being equal, the port with the smallest port priority value becomes the root port.

A port on an MSTP-enabled switch can have different port priorities and play different roles in different spanning tree instances. This enables packets of different VLANs to be forwarded along different physical paths, so that VLAN-based load balancing can be implemented.

You can configure port priority in one of the following two ways.

I. Configure port priority in system view

Table 1-26 Configure port priority in system view

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Configure port priority for specified ports | stp interface interface-list instance instance-id port priority priority | Required. The default port priority is 128. |

II. Configure port priority in Ethernet port view

Table 1-27 Configure port priority in Ethernet port view

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Enter Ethernet port view | interface interface-type interface-number | - |
| Configure port priority for the port | stp [ instance instance-id ] port priority priority | Required. The default port priority is 128. |

Changing port priority of a port may change the role of the port and put the port into state transition.

A smaller port priority value indicates a higher possibility for the port to become the root port. If all the ports of a switch have the same port priority value, the port priorities are determined by the port indexes. Changing the priority of a port will cause spanning tree recalculation.

You can configure port priorities according to actual networking requirements.

III. Configuration example

# Configure the port priority of Ethernet1/0/1 in spanning tree instance 1 to be 16.

1) Perform this configuration in system view.

<H3C> system-view

[H3C] stp interface ethernet1/0/1 instance 1 port priority 16

2) Perform this configuration in Ethernet port view.

<H3C> system-view

[H3C] interface ethernet1/0/1

[H3C-Ethernet1/0/1] stp instance 1 port priority 16

1.3.9  Specifying Whether the Link Connected to a Port Is a Point-to-point Link

Refer to section 1.2.13 “Specifying Whether the Link Connected to a Port Is Point-to-point Link”.

1.3.10  Enabling the MSTP Feature

Refer to section 1.2.14 “Enabling the MSTP Feature”.

1.4  Performing mCheck

Ports on an MSTP-enabled switch can operate in three modes: STP-compatible, RSTP-compatible, and MSTP.

A port on an MSTP-enabled switch operating as an upstream switch transits to the STP-compatible mode when it has an STP-enabled switch connected to it. When the STP-enabled downstream switch is then replaced by an MSTP-enabled switch, the port cannot automatically transit to the MSTP mode. It remains in the STP-compatible mode. In this case, you can force the port to transit to the MSTP mode by performing the mCheck operation on the port.

Similarly, a port on an RSTP-enabled switch operating as an upstream switch turns to the STP-compatible mode when it has an STP-enabled switch connected to it. When the STP-enabled downstream switch is then replaced by an MSTP-enabled switch, the port cannot automatically transit to the MSTP-compatible mode. It remains in the STP-compatible mode. In this case, you can force the port to transit to the MSTP-compatible mode by performing the mCheck operation on the port.

1.4.1  Configuration Prerequisites

MSTP runs normally on the switch.

1.4.2  Configuration Procedure

You can perform the mCheck operation in one of the following two ways.

I. Perform the mCheck operation in system view

Table 1-28 Perform the mCheck operation in system view

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Perform the mCheck operation | stp [ interface interface-list ] mcheck | Required |

II. Perform the mCheck operation in Ethernet port view

Table 1-29 Perform the mCheck operation in Ethernet port view

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Enter Ethernet port view | interface interface-type interface-number | - |
| Perform the mCheck operation | stp mcheck | Required |

1.4.3  Configuration Example

# Perform the mCheck operation on Ethernet1/0/1.

1) Perform this configuration in system view.

<H3C> system-view

[H3C] stp interface ethernet1/0/1 mcheck

2) Perform this configuration in Ethernet port view.

<H3C> system-view

[H3C] interface ethernet1/0/1

[H3C-Ethernet1/0/1] stp mcheck

1.5  Configuring Protection Function

1.5.1  Introduction

The following protection functions are available on an MSTP-enabled switch: BPDU protection, root protection, loop prevention, and TC-BPDU attack prevention.

I. BPDU protection

Normally, the access ports of the devices operating on the access layer are directly connected to terminals (such as PCs) or file servers. These ports are usually configured as edge ports to achieve rapid transition. But they revert to non-edge ports automatically upon receiving configuration BPDUs, which causes spanning tree recalculation and network topology jitter.

Normally, no configuration BPDU will reach edge ports. But malicious users can attack a network by deliberately sending configuration BPDUs to edge ports to cause network jitter. You can prevent this type of attack by using the BPDU protection function. With this function enabled on a switch, the switch shuts down the edge ports that receive configuration BPDUs and then reports these cases to the administrator. If a port is shut down, only the administrator can restore it.

II. Root protection

A root bridge and its secondary root bridges must reside in the same region. The root bridge of the CIST and its secondary root bridges are usually located in the high-bandwidth core region. Configuration errors or attacks may result in configuration BPDUs with their priorities higher than that of a root bridge, which causes a new root bridge to be elected and network topology jitter to occur. In this case, flows that should travel along high-speed links may be led to low-speed links, and network congestion may occur.

You can avoid this problem by utilizing the root protection function. Ports with this function enabled can only be kept as designated ports in all spanning tree instances. When a port of this type receives configuration BPDUs with higher priorities, it turns to the discarding state (rather than become a non-designated port) and stops forwarding packets (as if it is disconnected from the link). It resumes the normal state if it does not receive any configuration BPDUs with higher priorities for a specified period.

III. Loop prevention

A switch maintains the states of the root port and other blocked ports by receiving and processing BPDUs from the upstream switch. These BPDUs may get lost because of network congestion or unidirectional link failures. If a switch does not receive BPDUs from the upstream switch for a certain period, the switch selects a new root port, the original root port becomes a designated port, and the blocked ports turn to the forwarding state. This may cause loops in the network.

The loop prevention function suppresses loops. With this function enabled, if link congestions or unidirectional link failures occur, both the root port and the blocked ports become designated ports and turn to the discarding state. In this case, they stop forwarding packets, and thereby loops can be prevented.

IV. TC-BPDU attack prevention

A switch removes MAC address entries and ARP entries upon receiving TC-BPDUs. If a malicious user sends a large number of TC-BPDUs to a switch in a short period, the switch may be kept busy removing MAC address entries and ARP entries, which may decrease the performance of the switch and affect the stability of the network.

With the TC-BPDU prevention function enabled, the switch performs only one removing operation in a specified period (10 seconds by default) after it receives a TC-BPDU. The switch also checks whether other TC-BPDUs arrive in this period and performs another removing operation in the next period if a TC-BPDU is received. This mechanism prevents a switch from being kept busy with removing operations.

Caution:

Among the loop prevention function, the root protection function, and the edge port setting, only one can be valid on a port at one time.

 

V. BPDU packet drop

In an STP-enabled network, some users may send BPDU packets to the switch continuously in order to destroy the network. When a switch receives the BPDU packets, it will forward them to other switches. As a result, STP calculation is performed continuously, which may occupy too much CPU of the switches or cause errors in the protocol state of the BPDU packets.

In order to avoid this problem, you can enable the function of dropping BPDU packets on the Ethernet ports. Once the function is enabled on a port, the port will not receive and forward any BPDU packets. In this way, the switch is protected against the BPDU packet attack so that the STP calculation is assured to be right.

1.5.2  Configuration Prerequisites

MSTP runs normally on the switch.

1.5.3  Configuring BPDU Protection

I. Configuration procedure

Table 1-30 Configure BPDU protection

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Enable the BPDU protection function | stp bpdu-protection | Required. The BPDU protection function is disabled by default. |

II. Configuration example

# Enable the BPDU protection function.

<H3C> system-view

[H3C] stp bpdu-protection

Caution:

As Gigabit ports of an S3100-52P Ethernet switch cannot be shut down, the BPDU protection function is not applicable to these ports even if you enable the BPDU protection function and specify these ports to be MSTP edge ports.

 

1.5.4  Configuring Root Protection

I. Configuration procedure

Table 1-31 Configure the root protection function in system view

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Enable the root protection function on specified ports | stp interface interface-list root-protection | Required. The root protection function is disabled by default. |

Table 1-32 Enable the root protection function in Ethernet port view

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Enter Ethernet port view | interface interface-type interface-number | - |
| Enable the root protection function on the current port | stp root-protection | Required. The root protection function is disabled by default. |

II. Configuration example

# Enable the root protection function on Ethernet1/0/1.

1) Perform this configuration in system view.

<H3C> system-view

[H3C] stp interface ethernet1/0/1 root-protection

2) Perform this configuration in Ethernet port view.

<H3C> system-view

[H3C] interface ethernet1/0/1

[H3C-Ethernet1/0/1] stp root-protection

1.5.5  Configuring Loop Prevention

I. Configuration procedure

Table 1-33 Configure loop prevention

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Enter Ethernet port view | interface interface-type interface-number | - |
| Enable the loop prevention function on the current port | stp loop-protection | Required. The loop prevention function is disabled by default. |

II. Configuration example

# Enable the loop prevention function on Ethernet1/0/1.

<H3C> system-view

[H3C] interface ethernet1/0/1

[H3C-Ethernet1/0/1] stp loop-protection

1.5.6  Configuring TC-BPDU Attack Prevention

I. Configuration procedure

Table 1-34 Configure the TC-BPDU attack prevention function

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Enable the TC-BPDU attack prevention function | stp tc-protection enable | Required. The TC-BPDU attack prevention function is disabled by default. |

II. Configuration example

# Enable the TC-BPDU attack prevention function.

<H3C> system-view

[H3C] stp tc-protection enable

1.5.7  Configuring the Function of Dropping BPDU Packets

Table 1-35 Configure the function of dropping BPDU packets

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enter Ethernet port view | interface interface-name | - |
| Enable the function of dropping BPDU packets in Ethernet port view | bpdu-drop any | Required |

# Enable the function of dropping BPDU packets on Ethernet1/0/1.

<H3C> system-view

[H3C] interface Ethernet 1/0/1

[H3C-Ethernet1/0/1] bpdu-drop any

1.6  Configuring Digest Snooping

1.6.1  Introduction

According to IEEE 802.1s, two interconnected switches can interwork with each other through MSTIs in an MST region only when the two switches have the same MST region-related configuration. Interconnected MSTP-enabled switches determine whether or not they are in the same MST region by checking the configuration IDs of the BPDUs between them. (A configuration ID contains information such as region ID and configuration digest.)

As some other manufacturers' switches adopt proprietary spanning tree protocols, they cannot interwork with the other switches in an MST region even if they are configured with the same MST region-related settings as the other switches in the MST region.

This problem can be overcome by implementing the digest snooping feature. If a port on an S3100-52P Ethernet switch is connected to another manufacturer's switch that has the same MST region-related configuration as its own but adopts a proprietary spanning tree protocol, you can enable digest snooping on the port. The S3100-52P Ethernet switch then regards the other manufacturer's switch as being in the same region; it records the configuration digests carried in the BPDUs received from that switch and puts them in the BPDUs it sends back to that switch. In this way, the S3100-52P Ethernet switch can interwork with another manufacturer’s switches in the same MST region.

1.6.2  Configuring Digest Snooping

Configure the digest snooping feature on a switch to enable it to interwork, through MSTIs in the same MST region, with other switches that use proprietary protocols to calculate configuration digests.

I. Configuration prerequisites

The switch to be configured is connected to another manufacturer's switch adopting a proprietary spanning tree protocol. MSTP and the network operate normally.

II. Configuration procedure

Table 1-36 Configure digest snooping

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enter Ethernet port view | interface interface-type interface-number | - |
| Enable the digest snooping feature | stp config-digest-snooping | Required. The digest snooping feature is disabled on the port by default. |
| Return to system view | quit | - |
| Enable the digest snooping feature globally | stp config-digest-snooping | Required. The digest snooping feature is disabled globally by default. |
| Display the configuration | display current-configuration | You can execute this command in any view. |

Note:

- When the digest snooping feature is enabled on a port, the port enters the discarding state. That is, the port will not send BPDU packets. The port is not involved in the STP calculation until it receives BPDU packets from the peer port.
- The digest snooping feature is needed only when your switch is connected to another manufacturer’s switches adopting proprietary spanning tree protocols.
- To enable the digest snooping feature successfully, you must first enable it on all the ports of your switch that are connected to another manufacturer’s switches adopting proprietary spanning tree protocols and then enable it globally.
- To enable the digest snooping feature, the interconnected switches and another manufacturer’s switch adopting proprietary spanning tree protocols must be configured with exactly the same MST region-related configurations (including region name, revision level, and VLAN-to-MSTI mapping).
- The digest snooping feature must be enabled on all the ports of your S3100-52P Ethernet switches connected to another manufacturer's switches adopting proprietary spanning tree protocols in the same MST region.
- When the digest snooping feature is enabled globally, the VLAN-to-MSTI mapping table cannot be modified.
- The digest snooping feature is not applicable to edge ports in an MST region.
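A port with digest snooping enabled reuses the digest it receives, so the requirement that both sides carry exactly the same region settings has to be checked by the operator. The following is an added example, not H3C code: it computes the standard IEEE 802.1s configuration digest (HMAC-MD5 with the fixed key from the standard) for the region settings used in this manual's MSTP configuration example and reports which field differs from a peer; the peer settings and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Fixed HMAC key that IEEE 802.1s defines for the MST configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def config_digest(vlan_to_msti):
    """HMAC-MD5 over the 4096-entry VLAN-to-MSTI table (2 bytes per VLAN ID)."""
    table = [0] * 4096          # unmapped VLANs stay in instance 0 (the CIST)
    for vlan, msti in vlan_to_msti.items():
        if not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN {vlan} is outside 1-4094")
        if not 0 <= msti <= 4094:
            raise ValueError(f"instance {msti} is outside 0-4094")
        table[vlan] = msti
    packed = struct.pack(">4096H", *table)   # big-endian, entries 0 and 4095 are 0
    return hmac.new(MST_DIGEST_KEY, packed, hashlib.md5).digest()


def config_id(region_name, revision, vlan_to_msti):
    """51-byte configuration ID: format selector, name, revision level, digest."""
    name = region_name.encode("ascii")
    if len(name) > 32:
        raise ValueError("region name is longer than 32 bytes")
    return (b"\x00" + name.ljust(32, b"\x00")
            + struct.pack(">H", revision) + config_digest(vlan_to_msti))


def region_mismatch(local, peer):
    """Return the region fields that differ between two (name, revision, mapping)."""
    diffs = []
    if local[0] != peer[0]:
        diffs.append("region name")
    if local[1] != peer[1]:
        diffs.append("revision level")
    if config_digest(local[2]) != config_digest(peer[2]):
        diffs.append("VLAN-to-MSTI mapping")
    return diffs


# Region settings from this manual's MSTP configuration example.
LOCAL = ("example", 0, {10: 1, 30: 3, 40: 4})
# Constructed peer settings: VLAN 40 was mapped to instance 3 by mistake.
PEER = ("example", 0, {10: 1, 30: 3, 40: 3})

if __name__ == "__main__":
    print("local digest:", config_digest(LOCAL[2]).hex())
    print("peer digest: ", config_digest(PEER[2]).hex())
    print("mismatch:", region_mismatch(LOCAL, PEER) or "none")
```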

 

1.7  Configuring Rapid Transition

1.7.1  Introduction

Designated ports of RSTP-enabled or MSTP-enabled switches use the following two types of packets to implement rapid transition:

- Proposal packets: Packets sent by designated ports to request rapid transition
- Agreement packets: Packets used to acknowledge rapid transition requests

Both RSTP and MSTP specify that the upstream switch can perform rapid transition operation on the designated port only when the port receives an agreement packet from the downstream switch. The differences between RSTP and MSTP are:

- For MSTP, the upstream switch sends agreement packets to the downstream switch; and the downstream switch sends agreement packets to the upstream switch only after it receives agreement packets from the upstream switch.
- For RSTP, the upstream switch does not send agreement packets to the downstream switch.

Figure 1-3 and Figure 1-4 illustrate the rapid transition mechanisms on designated ports in RSTP and MSTP.

Figure 1-3 The RSTP rapid transition mechanism

Figure 1-4 The MSTP rapid transition mechanism

The cooperation between MSTP and RSTP is limited in the process of rapid transition. For example, when the upstream switch adopts RSTP, the downstream switch adopts MSTP and the downstream switch does not support RSTP-compatible mode, the root port on the downstream switch receives no agreement packet from the upstream switch and thus sends no agreement packets to the upstream switch. As a result, the designated port of the upstream switch fails to transition rapidly and can only turn to the forwarding state after a period twice the forward delay.

Some other manufacturers' switches adopt proprietary spanning tree protocols that are similar to RSTP in the way they implement rapid transition on designated ports. When a switch of this kind operating as the upstream switch connects with an H3C series switch running MSTP, the upstream designated port fails to change its state rapidly.

The rapid transition feature is developed to resolve this problem. When an H3C series switch running MSTP is connected in the upstream direction to another manufacturer's switch running proprietary spanning tree protocols, you can enable the rapid transition feature on the ports of the H3C series switch operating as the downstream switch. Among these ports, those operating as the root ports will then send agreement packets to their upstream ports after they receive proposal packets from the upstream designated ports, instead of waiting for agreement packets from the upstream switch. This enables designated ports of the upstream switch to change their states rapidly.
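The exchange described above, modelled as an added example that is not H3C code: two ports pass proposal and agreement packets until no more are sent, and the result shows whether the upstream designated port transitions rapidly or waits twice the forward delay. The class and function names are hypothetical, Port 1 and Port 2 follow Figure 1-5, and the 15-second forward delay is an assumed value.

```python
from collections import deque


class Port:
    """One end of the link: designated (upstream) or root (downstream)."""

    def __init__(self, name, role, proto, no_agreement_check=False):
        self.name, self.role, self.proto = name, role, proto
        self.no_agreement_check = no_agreement_check
        self.proposed = self.peer_agreed = self.replied = False
        self.forwarding = False

    def start(self):
        """Packets a designated port sends to open the handshake."""
        if self.role != "designated":
            return []
        # Per the text: an MSTP upstream port also sends an agreement,
        # an RSTP upstream port sends only the proposal.
        return ["proposal", "agreement"] if self.proto == "MSTP" else ["proposal"]

    def receive(self, msg):
        """Process one packet and return the packets sent in reply."""
        if self.role == "designated":
            if msg == "agreement":
                self.forwarding = True       # rapid transition succeeds
            return []
        self.proposed |= msg == "proposal"
        self.peer_agreed |= msg == "agreement"
        # An MSTP root port waits for the upstream agreement unless the
        # rapid transition feature (no-agreement-check) is enabled on it.
        may_agree = (self.proto == "RSTP" or self.peer_agreed
                     or self.no_agreement_check)
        if self.proposed and may_agree and not self.replied:
            self.replied = True
            return ["agreement"]
        return []


def handshake(up_proto, down_proto, no_agreement_check=False, forward_delay=15):
    """Return (packet trace, seconds until the designated port forwards)."""
    up = Port("Port 1", "designated", up_proto)
    down = Port("Port 2", "root", down_proto, no_agreement_check)
    queue = deque((up, msg) for msg in up.start())
    trace = []
    while queue:
        sender, msg = queue.popleft()
        trace.append((sender.name, msg))
        receiver = down if sender is up else up
        queue.extend((receiver, reply) for reply in receiver.receive(msg))
    # Without an agreement the designated port falls back to the timers;
    # 0 stands for an immediate (rapid) transition.
    return trace, 0 if up.forwarding else 2 * forward_delay


if __name__ == "__main__":
    for args in (("MSTP", "MSTP"), ("RSTP", "MSTP"), ("RSTP", "MSTP", True)):
        print(args, handshake(*args))
```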

1.7.2  Configuring Rapid Transition

I. Configuration prerequisites

As shown in Figure 1-5, an H3C series switch is connected to another manufacturer's switch. The former operates as the downstream switch, and the latter operates as the upstream switch. The network operates normally.

The upstream switch is running a proprietary spanning tree protocol that is similar to RSTP in the way to implement rapid transition on designated ports. Port 1 is the designated port.

The downstream switch is running MSTP. Port 2 is the root port.

Figure 1-5 Network diagram for rapid transition configuration

II. Configuration procedure

1) Configure the rapid transition feature in system view

Table 1-37 Configure the rapid transition feature in system view

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enable the rapid transition feature | stp interface interface-type interface-number no-agreement-check | Required. By default, the rapid transition feature is disabled on a port. |

2) Configure the rapid transition feature in Ethernet port view

Table 1-38 Configure the rapid transition feature in Ethernet port view

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enter Ethernet port view | interface interface-type interface-number | - |
| Enable the rapid transition feature | stp no-agreement-check | Required. By default, the rapid transition feature is disabled on a port. |

Note:

- The rapid transition feature can be enabled only on root ports or alternate ports.
- If you configure the rapid transition feature on a designated port, the feature does not take effect on the port.

1.8  Configuring BPDU Tunnel

1.8.1  Introduction

The BPDU Tunnel function enables BPDUs to be transmitted transparently between geographically dispersed user networks through specified VLAN VPNs in the operator’s network, so that spanning trees can be generated across these user networks independently of the spanning trees of the operator’s network.

As shown in Figure 1-6, the upper part is the operator’s network, and the lower part is the user’s network. The operator’s network comprises packet ingress/egress devices, and the user’s network has networks A and B. On the operator’s network, configure the arriving BPDU packets at the ingress to have MAC addresses in a special format, and reconvert them back to their original formats at the egress. This is how transparent transmission is implemented over the operator’s network.

Figure 1-6 BPDU Tunnel network hierarchy

1.8.2  Configuring BPDU Tunnel

Table 1-39 Configure BPDU Tunnel

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enable MSTP globally | stp enable | - |
| Enable the BPDU Tunnel function globally | vlan-vpn tunnel | Required |
| Enter Ethernet port view | interface interface-type interface-number | Make sure that you enter the Ethernet port view of the port for which you want to enable the BPDU Tunnel function. |
| Disable MSTP for the port | stp disable | - |
| Enable the VLAN VPN function for the Ethernet port | vlan-vpn enable | Required. By default, the VLAN VPN function is disabled on all ports. |

Note:

- The BPDU Tunnel function can be enabled only on STP-enabled devices.
- The BPDU Tunnel function can only be enabled on access ports.
- To enable the BPDU Tunnel function, make sure the links between operator’s networks are trunk links.
- The VLAN VPN function cannot be enabled on the ports where 802.1x, GVRP, GMRP, STP, or NTDP is enabled.

1.9  Displaying and Maintaining MSTP

You can verify the above configurations by executing the display commands in any view.

Execute the reset command in user view to clear statistics about MSTP.

Table 1-40 Display and maintain MSTP

| Operation | Command |
|---|---|
| Display the state and statistics information about spanning trees of the current device | display stp [ instance instance-id ] [ interface interface-list \| slot slot-number ] [ brief ] |
| Display region configuration | display stp region-configuration |
| Clear statistics about MSTP | reset stp [ interface interface-list ] |

1.10  MSTP Configuration Example

I. Network requirements

Implement MSTP in the network shown in Figure 1-7 to enable packets of different VLANs to be forwarded along different spanning tree instances. The detailed configurations are as follows:

- All switches in the network belong to the same MST region.
- Packets of VLAN 10, VLAN 30, VLAN 40, and VLAN 20 are forwarded along spanning tree instance 1, instance 3, instance 4, and instance 0 respectively.

In this network, Switch A and Switch B operate on the convergence layer; Switch C and Switch D operate on the access layer. VLAN 10 and VLAN 30 are limited in the convergence layer and VLAN 40 is limited in the access layer. Switch A and Switch B are configured as the root bridges of spanning tree instance 1 and spanning tree instance 3 respectively. Switch C is configured as the root bridge of spanning tree instance 4.

II. Network diagram

Figure 1-7 Network diagram for MSTP configuration

 

Note:

The word “permit” shown in Figure 1-7 means the corresponding link permits packets of specific VLANs.

III. Configuration procedure

1) Configure Switch A

# Enter MST region view.

<H3C> system-view

[H3C] stp region-configuration

# Configure the MST region.

[H3C-mst-region] region-name example

[H3C-mst-region] instance 1 vlan 10

[H3C-mst-region] instance 3 vlan 30

[H3C-mst-region] instance 4 vlan 40

[H3C-mst-region] revision-level 0

# Activate the settings of the MST region manually.

[H3C-mst-region] active region-configuration

[H3C-mst-region] quit

# Specify Switch A as the root bridge of spanning tree instance 1.

[H3C] stp instance 1 root primary

2) Configure Switch B

# Enter MST region view.

<H3C> system-view

[H3C] stp region-configuration

# Configure the MST region.

[H3C-mst-region] region-name example

[H3C-mst-region] instance 1 vlan 10

[H3C-mst-region] instance 3 vlan 30

[H3C-mst-region] instance 4 vlan 40

[H3C-mst-region] revision-level 0

# Activate the settings of the MST region manually.

[H3C-mst-region] active region-configuration

[H3C-mst-region] quit

# Specify Switch B as the root bridge of spanning tree instance 3.

[H3C] stp instance 3 root primary

3) Configure Switch C

# Enter MST region view.

<H3C> system-view

[H3C] stp region-configuration

# Configure the MST region.

[H3C-mst-region] region-name example

[H3C-mst-region] instance 1 vlan 10

[H3C-mst-region] instance 3 vlan 30

[H3C-mst-region] instance 4 vlan 40

[H3C-mst-region] revision-level 0

# Activate the settings of the MST region manually.

[H3C-mst-region] active region-configuration

[H3C-mst-region] quit

# Specify Switch C as the root bridge of spanning tree instance 4.

[H3C] stp instance 4 root primary

4) Configure Switch D

# Enter MST region view.

<H3C> system-view

[H3C] stp region-configuration

# Configure the MST region.

[H3C-mst-region] region-name example

[H3C-mst-region] instance 1 vlan 10

[H3C-mst-region] instance 3 vlan 30

[H3C-mst-region] instance 4 vlan 40

[H3C-mst-region] revision-level 0

# Activate the settings of the MST region manually.

[H3C-mst-region] active region-configuration

1.11  BPDU Tunnel Configuration Example

I. Network requirements

- S3100-52P Ethernet switches operate as the access devices of the operator’s network, that is, Switch C and Switch D in the network diagram.
- S2000 series switches operate as the access devices of the user’s network, that is, Switch A and Switch B in the network diagram.
- Switch C and Switch D are connected to each other through the configured trunk ports of the switches. The BPDU Tunnel function is enabled in system view, thus implementing transparent transmission between the user’s network and the operator’s network.

II. Network diagram

Figure 1-8 Network diagram for BPDU Tunnel configuration

III. Configuration procedure

1) Configure Switch A

# Enable RSTP.

<H3C> system-view

[H3C] stp enable

# Add Ethernet 0/1 to VLAN 10.

[H3C] vlan 10

[H3C-Vlan10] port Ethernet 0/1

2) Configure Switch B

# Enable RSTP.

<H3C> system-view

[H3C] stp enable

# Add Ethernet 0/1 to VLAN 10.

[H3C] vlan 10

[H3C-Vlan10] port Ethernet 0/1

3) Configure Switch C

# Enable MSTP.

<H3C> system-view

[H3C] stp enable

# Enable the BPDU Tunnel function.

[H3C] vlan-vpn tunnel

# Add Ethernet1/0/1 to VLAN 10.

[H3C] vlan 10

[H3C-Vlan10] port Ethernet 1/0/1

[H3C-Vlan10] quit

# Disable the STP feature on Ethernet1/0/1 and then enable the VLAN VPN function on it.

[H3C] interface Ethernet 1/0/1

[H3C-Ethernet1/0/1] port access vlan 10

[H3C-Ethernet1/0/1] stp disable

[H3C-Ethernet1/0/1] vlan-vpn enable

[H3C-Ethernet1/0/1] quit

# Configure Ethernet1/0/2 as a trunk port.

[H3C] interface Ethernet 1/0/2

[H3C-Ethernet1/0/2] port link-type trunk

# Add the trunk port to all VLANs.

[H3C-Ethernet1/0/2] port trunk permit vlan all

4) Configure Switch D

# Enable MSTP.

<H3C> system-view

[H3C] stp enable

# Enable the BPDU Tunnel function.

[H3C] vlan-vpn tunnel

# Add Ethernet1/0/2 to VLAN 10.

[H3C] vlan 10

[H3C-Vlan10] port Ethernet 1/0/2

[H3C-Vlan10] quit

# Disable STP on Ethernet1/0/2 and then enable the VLAN VPN function on it.

[H3C] interface Ethernet 1/0/2

[H3C-Ethernet1/0/2] port access vlan 10

[H3C-Ethernet1/0/2] stp disable

[H3C-Ethernet1/0/2] vlan-vpn enable

[H3C-Ethernet1/0/2] quit

# Configure Ethernet1/0/1 as a trunk port.

[H3C] interface Ethernet 1/0/1

[H3C-Ethernet1/0/1] port link-type trunk

# Add the trunk port to all VLANs.

[H3C-Ethernet1/0/1] port trunk permit vlan all
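Ports used for the BPDU Tunnel run with STP disabled, so it is worth reviewing a configuration against the notes in section 1.8.2 before applying it. The following is an added example, not H3C code: it checks the constraints whose commands appear on this page (global stp enable and vlan-vpn tunnel, per-port stp disable, access ports only). The sample text is constructed, its layout is an assumption modelled on display current-configuration output, and the function names are hypothetical.

```python
import re

# Constructed sample, laid out like `display current-configuration` output
# (assumed layout; not captured from a device).
SAMPLE_CONFIG = """\
#
 stp enable
 vlan-vpn tunnel
#
interface Ethernet1/0/1
 port access vlan 10
 stp disable
 vlan-vpn enable
#
interface Ethernet1/0/3
 port link-type trunk
 vlan-vpn enable
#
"""


def parse(config):
    """Return (global commands, {interface name: [commands]})."""
    global_cmds, ports, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":          # "#" closes the current section
            current = None
            continue
        match = re.match(r"interface\s+(.+)$", line)
        if match:
            current = ports.setdefault(match.group(1).replace(" ", ""), [])
        elif current is not None:
            current.append(line)
        else:
            global_cmds.append(line)
    return global_cmds, ports


def audit_bpdu_tunnel(config):
    """List (scope, problem) pairs that violate the BPDU Tunnel notes."""
    global_cmds, ports = parse(config)
    tunnel_ports = [p for p, cmds in ports.items() if "vlan-vpn enable" in cmds]
    findings = []
    if tunnel_ports and "vlan-vpn tunnel" not in global_cmds:
        findings.append(("global", "vlan-vpn tunnel is not enabled"))
    if tunnel_ports and "stp enable" not in global_cmds:
        findings.append(("global", "stp enable is missing"))
    for port in tunnel_ports:
        cmds = ports[port]
        if "stp disable" not in cmds:
            findings.append((port, "STP still enabled on a VLAN VPN port"))
        if any(c.startswith("port link-type ") and c != "port link-type access"
               for c in cmds):
            findings.append((port, "VLAN VPN port is not an access port"))
    return findings


if __name__ == "__main__":
    for scope, problem in audit_bpdu_tunnel(SAMPLE_CONFIG):
        print(f"{scope}: {problem}")
```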