If you have a strong Cisco background, then you immediately think of Spanning Tree Protocol when you think of Layer 2 loop protection. Or if you’re keeping abreast of the newest developments, you think of TRILL and SPB. But there are other mechanisms for helping detect loops at layer 2. Here’s one I came across while studying for HP Master ASE: HP Procurve Loop-Protection. In the cisco world RPVSTP (Rapid Per Vlan Spanning Tree Protocol) would probably be the recommended protocol but my understanding is that it is a cisco proprietary protocol. (it is according to the spanning tree wikipedia entry) The fact that it is in the hp configuration would suggest that HP has tried to either duplicate the functionality or at least provide a feature to interract with other RPVSTP switches. Spanning Tree configuration on HP Comware switches part 1Tree config.
The STP BPDU filter feature allows control of spanning tree participation on a per-port basis. It can be used to exclude specific ports from becoming part of spanning tree operations. A port with the BPDU filter enabled will ignore incoming BPDU packets and stay locked in the spanning tree forwarding state. All other ports will maintain their role.
Enables or disables the BPDU filter feature on specified port(s). This forces a port to always stay in the forwarding state and be excluded from standard STP operation.
Sample scenarios in which this feature may be used are:
To have STP operations running on selected ports of the switch rather than every port of the switch at a time.
To prevent the spread of errant BPDU frames.
To eliminate the need for a topology change when a port's link status changes. For example, ports that connect to servers and workstations can be configured to remain outside of spanning tree operations.
To protect the network from denial of service attacks that use spoofing BPDUs by dropping incoming BPDU frames. For this scenario, BPDU protection offers a more secure alternative, implementing port shut down and a detection alert when errant BPDU frames are received.
CAUTION: Ports configured with the BPDU filter mode remain active (learning and forward frames); however, spanning tree cannot receive or transmit BPDUs on the port. The port remains in a forwarding state, permitting all broadcast traffic. This can create a network storm if there are any loops (that is, trunks or redundant links) using these ports. If you suddenly have a high load, disconnect the link and disable the bpdu-filter (using the
Configuring BPDU filtering
To configure BPDU filtering on port a9, enter:
Viewing BPDU filter status using the
show spanning tree command
Viewing BPDU filters using the
show configuration command
BPDU filters per port are displayed as separate entries of the spanning tree category within the configuration file.
Enables or disables BPDU protection on specified port(s).
Configures the duration in seconds when protected ports receiving unauthorized BPDUs will remain disabled. The default value of 0 (zero) sets an infinite timeout (that is, ports that are disabled by
bpdu-protection are not, by default, re-enabled automatically).
Range: 0-65535 seconds
Enables or disables the sending of errant BPDU traps.
CAUTION: This command should only be used to guard edge ports that are not expected to participate in STP operations. Once BPDU protection is enabled, it will disable the port as soon as any BPDU packet is received on that interface.
Configuring BPDU protection
To configure BPDU protection on ports 1 to 10 with SNMP traps enabled, enter:
The following steps will then be set in progress:
When an STP BPDU packet is received on ports 1-10, STP treats it as an unauthorized transmission attempt and shuts down the port that the BPDU came in on.
An event message is logged and an SNMP notification trap is generated.
The port remains disabled until re-enabled manually by a network administrator using the
NOTE: To re-enable the BPDU-protected ports automatically, configure a timeout period using the
show spanning-tree bpdu-protection
Displays a summary listing of ports with BPDU protection enabled. To display detailed per port status information, enter the specific port numbers as shown here.
Viewing BPDU protection status
BPDU protected ports are displayed as separate entries of the spanning tree category within the configuration file.
Viewing BPDU filters using the
show configuration command
When a STP enabled HP Switch is hit by a MSTP BPDU storm, the CPU usage rises and the manageability of the switch goes down. In BYOD solution , the HP Switch is connected to a HUB where there is a loop. The HP Switch generates a single MSTP BPDU, which goes through the loop in the HUB and results in a BPDU storm eventually. Since all STP packets are taken to the CPU for processing, CPU usage goes high and the switch response slows down. The switch can become unmanageable as a result of this BPDU storm. BPDU throttling will take care of BPDU storms automatically via rate-limiting.
MSTP BPDU path
BPDU throttling is enabled when the spanning-tree in MSTP mode is enabled. When spanning tree is enabled, all modules and members are assigned corresponding throttle values from the configuration. The default throttle value is 256.
An option is also provided to enabling/disabling BPDU throttling. This option is enabled by default if the switch does not support “V1 modules”. The spanning-tree is enabled in MSTP mode by default.
The CLI allows you to configure MSTP BPDU throttling.
spanning-tree bpdu-throttle [
Configures BPDU throttling on a device. BPDU throttling limits the number of BPDUs that are sent to the switch’s CPU. The result prevents high CPU utilization on the switch when the network undergoes a broadcast storm or loop. The BPDU throttle value is in packets per second (pps). The valid BPDU throttle values are 64, 128, and 256 pps. The default throttle value is 256 pps.
The CLI allows you to show MSTP BPDU throttling configurations.
show spanning-tree bpdu-throttle
Displays the configured throttle value.
show running configuration
Show running configuration will display any one of the following line based on the configuration.
When the HW meter goes over the bandwidth, system generates a log message.
stp: BPDU Throttling triggered for STP BPDUs on portGroup 1-24.
On a 5400 series switch, when
stp: BPDU Throttling is disabled, because allow-v1-module is enabled.
When QinQ is enabled, BPDU throttling is disabled and the system generates a log message.
stp: BPDU Throttling is disabled, because QinQ is enabled.
When meshing is enabled, BPDU throttling is disabled and the system generates a log message.
stp: BPDU Throttling is disabled, because Meshing is enabled. Iso dreamcast download.
Throttle value not within the range of 64 to 256.
The BPDU throttle value is invalid. The valid values are 64, 128 and 256.
Configuring lower throttle value (64).
Configuring lower throttle value may cause legitimate BPDU’s to be dropped.
Enabling QinQ when BPDU throttling is configured.
Q-in-Q cannot be enabled when BPDU throttling is configured.
Configuring BPDU throttling when QinQ is enabled.
BPDU throttling cannot be configured when Q-in-Q is enabled.
Configuring BPDU throttling when meshing is configured.
BPDU throttling cannot be configured when meshing is configured.
Configuring meshing when BPDU throttling is configured.
Meshing cannot be configured when BPDU throttling is configured.
NOTE: This feature is exclusively for MSTP BPDUs and not applicable for any other IEEE BPDUs such as LLDP, slow protocols etc.
The switch automatically negotiates trunked links between LACP-configured ports on separate devices, and offers one dynamic trunk option: LACP. To configure the switch to initiate a dynamic LACP trunk with another device, use the
interface command in the CLI to set the default LACP option to
active on the ports you want to use for the trunk. For example, the following command sets ports C1 to C4 to
The preceding Example: works if the ports are not already operating in a trunk. To change the LACP option on ports already operating as a trunk, you must first remove them from the trunk. For example, if ports C1 to C4 are LACP-active and operating in a trunk with another device, you would do the following to change them to LACP-passive:
Removes the ports from the trunk.
Configures LACP passive.
lacp key option provides the ability to control dynamic trunk configuration. Ports with the same key will be aggregated as a single trunk.
There are two types of keys associated with each port, the Admin key and the Operational key. The Operational key is the key currently in use. The Admin key is used internally to modify the value of the Operational key. The Admin and Operational key are usually the same, but using static LACP can alter the Operational key during runtime, in which case the keys would differ.
lacp key command configures both the Admin and Operational keys when using dynamic LACP trunks. It only configures the Admin key if the trunk is a static LACP trunk. It is executed in the interface context.
Sets the LACP key. During dynamic link aggregation using LACP, ports with the same key are aggregated as a single trunk.
Enabling LACP and configuring an LACP key
The switch uses the links you configure with the Port/Trunk Settings screen in the menu interface or the
trunk command in the CLI to create a static port trunk. The switch offers two types of static trunks: LACP and Trunk.
Trunk types used in static and dynamic trunk groups
Trunk configuration protocols describes the trunking options for LACP and Trunk protocols.
Trunk configuration protocols
Provides dynamic and static LACP trunking options.
For more information, see Trunk group operation using LACP.
Provides manually configured, static-only trunking to:
Use the Trunk option when:
See Trunk group operation using the 'trunk' option.
General operating rules for port trunks
For proper trunk operation, all ports on both ends of a trunk group must have the same media type and mode (speed and duplex). (For the switches, HP Switch recommends leaving the port Mode setting at
The default port configuration is
All of the following operate on a per-port basis, regardless of trunk membership:
LACP is a full-duplex protocol. See Trunk group operation using LACP.
All ports in the same trunk group must be the same trunk type (LACP or trunk). All LACP ports in the same trunk group must be either all static LACP or all dynamic LACP.
A trunk appears as a single port labeled
For spanning-tree or VLAN operation, configuration for all ports in a trunk is done at the trunk level. (You cannot separately configure individual ports within a trunk for spanning-tree or VLAN operation.)
All of the switch trunk protocols use the SA/DA (source address/destination address) method of distributing traffic across the trunked links. See Outbound traffic distribution across trunked links.
802.1D (STP) and 802.1w (RSTP) Spanning Tree operate as a global setting on the switch (with one instance of Spanning Tree per switch). 802.1s (MSTP) Spanning Tree operates on a per-instance basis (with multiple instances allowed per switch). For each Spanning Tree instance, you can adjust Spanning Tree parameters on a per-port basis.
A static trunk of any type appears in the Spanning Tree configuration display, and you can configure Spanning Tree parameters for a static trunk in the same way that you would configure Spanning Tree parameters on a non-trunked port. (Note that the switch lists the trunk by name—such as Trk1—and does not list the individual ports in the trunk.) For example, if ports C1 and C2 are configured as a static trunk named Trk1, they are listed in the Spanning Tree display as Trk1 and do not appear as individual ports in the Spanning Tree displays. See A port trunk in a Spanning Tree listing.
When Spanning Tree forwards on a trunk, all ports in the trunk will be forwarding. Conversely, when Spanning Tree blocks a trunk, all ports in the trunk are blocked.
If you remove a port from a static trunk, the port retains the same Spanning Tree settings that were configured for the trunk.
In the below Example:, ports C1 and C2 are members of TRK1 and do not appear as individual ports in the port configuration part of the listing.
A port trunk in a Spanning Tree listing
|IP multicast protocol (IGMP):|
A static trunk of any type appears in the IGMP configuration display, and you can configure IGMP for a static trunk in the same way that you would configure IGMP on a non-trunked port. (Note that the switch lists the trunk by name—such as Trk1—and does not list the individual ports in the trunk.) Also, creating a new trunk automatically places the trunk in IGMP Auto status if IGMP is enabled for the default VLAN.
A dynamic LACP trunk operates only with the default IGMP settings and does not appear in the IGMP configuration display or
Creating a new trunk automatically places the trunk in the DEFAULT_VLAN, regardless of whether the ports in the trunk were in another VLAN. Similarly, removing a port from a trunk group automatically places the port in the default VLAN. You can configure a static trunk in the same way that you configure a port for membership in any VLAN.
Trunk groups (and their individual ports) cannot be configured for port security, and the switch excludes trunked ports from the