Friday , February 28 2025

error-down auto-recovery on Huawei switches

Some of you may know Cisco’s err-disable recovery feature, which automatically brings a port from the err-disabled state back to UP. Huawei switches have similar functionality, called error-down auto-recovery.

A port can enter the error-down state for one of the following reasons:

  • BPDU protection
  • EFM threshold
  • EFM remote failure
  • Auto defend
  • Link flapping
  • MAC address flapping

Let’s take a look at how this feature works in a network running STP, when BPDU protection is the reason a port goes into the DOWN state. If you are not familiar with the BPDU protection feature, read my previous article “Protecting STP on Huawei switches”.

I have configured STP BPDU protection on the Ethernet 0/0/1 interface of labnarioSW1 switch as follows:

[labnarioSW1]int e0/0/1
[labnarioSW1-Ethernet0/0/1]stp edged-port enable
[labnarioSW1-Ethernet0/0/1]quit
[labnarioSW1]stp bpdu-protection

The error-down auto-recovery feature has been enabled on the switch with the command:

[labnarioSW1]error-down auto-recovery cause bpdu-protection interval 30

The “interval” option specifies how long (in seconds) the interface stays in the DOWN state before it is brought back UP. Any integer from 30 to 86400 can be chosen. Keep in mind that auto-recovery only restores the port; if the device that sent the BPDU is still attached, the port is shut down again as soon as it comes up, so a port that keeps cycling through error-down in the logs is a sign that the cause has not been removed.

The labnarioSW2 switch is connected to the other end of this Ethernet link to simulate an STP attack. STP is temporarily disabled on the Ethernet 0/0/1 port of labnarioSW2, so that the Ethernet 0/0/1 port of labnarioSW1 does not transition to the DOWN state before we are ready.

The only role of labnarioSW2 is to generate BPDU frames; any other device that can send STP BPDUs could be connected instead. So let’s start sending STP BPDUs:

[labnarioSW2-Ethernet0/0/1]stp enable

Please see the log messages generated by the BPDU protection and error-down auto-recovery features on labnarioSW1:

[labnarioSW1]
May 23 2013 21:30:34-08:00 labnarioSW1 %%01MSTP/4/BPDU_PROTECTION(l)[62]:This edged-port Ethernet0/0/1 that enabled BPDU-Protection will be shutdown, because it received BPDU packet!
May 23 2013 21:30:34-08:00 labnarioSW1 %%01ERRDOWN/4/ERRDOWN_DOWNNOTIFY(l)[63]:Notify interface to change status to error-down. (InterfaceName=Ethernet0/0/1, Cause=bpdu-protection)
May 23 2013 21:30:34-08:00 labnarioSW1 ERRDOWN/4/ErrordownOccur:OID 1.3.6.1.4.1.2011.5.25.257.2.1 Error-down occured. (Ifindex=6, Ifname=Ethernet0/0/1, Cause=bpdu-protection)
May 23 2013 21:30:34-08:00 labnarioSW1 %%01PHY/1/PHY(l)[64]: Ethernet0/0/1: change status to down

To display the status of error-down auto-recovery, use the command:

[labnarioSW1]display error-down recovery int e0/0/1
  interface                      error-down cause          recovery   remainder time(sec) 
  ------------------------------------------------------------------------------
  Ethernet0/0/1                  bpdu-protection           30         17        

[labnarioSW1]display error-down recovery int e0/0/1
  interface                      error-down cause          recovery   remainder time(sec) 
  ------------------------------------------------------------------------------
  Ethernet0/0/1                  bpdu-protection           30         8         

[labnarioSW1]display error-down recovery int e0/0/1
  interface                      error-down cause          recovery   remainder time(sec)
  ------------------------------------------------------------------------------
  Ethernet0/0/1                  bpdu-protection           30         3

After 30 seconds, the error-down auto-recovery feature transitions the port back to the UP state:

May 23 2013 21:31:03-08:00 labnarioSW1 %%01ERRDOWN/4/ERRDOWN_DOWNRECOVER(l)[67]:Notify interface to recover state from error-down. (InterfaceName=Ethernet0/0/1)
May 23 2013 21:31:03-08:00 labnarioSW1 ERRDOWN/4/ErrordownRecover:OID 1.3.6.1.4.1.2011.5.25.257.2.2 Error-down recovered. (Ifindex=6, Ifname=Ethernet0/0/1, Cause=bpdu-protection, RecoverType=auto recovery)
May 23 2013 21:31:05-08:00 labnarioSW1 %%01PHY/1/PHY(l)[68]: Ethernet0/0/1: change status to up
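Because auto-recovery brings the port up without removing the device that triggered it, the thing worth watching is a port that goes error-down again and again. The following script is an added example, not part of the original article: it parses the ERRDOWN_DOWNNOTIFY and ERRDOWN_DOWNRECOVER messages in the format shown above, pairs them into down/up cycles per interface, and flags interfaces that re-enter error-down more than an allowed number of times within a sliding window. The first two ERRDOWN lines of the sample log are copied from this article; the second cycle (lines tagged [69] and [70]) is constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Lines [63] and [67] and the trap line are quoted
# from the article; lines [69] and [70] are an assumed second cycle on the
# same port, added to show what a repeatedly re-triggered port looks like.
SAMPLE_LOG = """\
May 23 2013 21:30:34-08:00 labnarioSW1 %%01ERRDOWN/4/ERRDOWN_DOWNNOTIFY(l)[63]:Notify interface to change status to error-down. (InterfaceName=Ethernet0/0/1, Cause=bpdu-protection)
May 23 2013 21:30:34-08:00 labnarioSW1 ERRDOWN/4/ErrordownOccur:OID 1.3.6.1.4.1.2011.5.25.257.2.1 Error-down occured. (Ifindex=6, Ifname=Ethernet0/0/1, Cause=bpdu-protection)
May 23 2013 21:31:03-08:00 labnarioSW1 %%01ERRDOWN/4/ERRDOWN_DOWNRECOVER(l)[67]:Notify interface to recover state from error-down. (InterfaceName=Ethernet0/0/1)
May 23 2013 21:31:06-08:00 labnarioSW1 %%01ERRDOWN/4/ERRDOWN_DOWNNOTIFY(l)[69]:Notify interface to change status to error-down. (InterfaceName=Ethernet0/0/1, Cause=bpdu-protection)
May 23 2013 21:31:36-08:00 labnarioSW1 %%01ERRDOWN/4/ERRDOWN_DOWNRECOVER(l)[70]:Notify interface to recover state from error-down. (InterfaceName=Ethernet0/0/1)
"""

# Matches the ERRDOWN notify/recover messages in the format shown on this page.
# The SNMP trap lines (ERRDOWN/4/ErrordownOccur, ...) use a different format and are skipped.
ERRDOWN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})[-+]\d{2}:\d{2} "
    r"(?P<host>\S+) %%01ERRDOWN/4/(?P<event>ERRDOWN_DOWNNOTIFY|ERRDOWN_DOWNRECOVER)"
    r"\(l\)\[\d+\]:.*\(InterfaceName=(?P<ifname>[^,)]+)(?:, Cause=(?P<cause>[^)]+))?\)"
)


def parse_errdown_events(text):
    """Return a list of dicts (time, host, event, ifname, cause) for every matching line."""
    events = []
    for line in text.splitlines():
        m = ERRDOWN_RE.match(line)
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "host": m["host"],
            "event": m["event"],
            "ifname": m["ifname"],
            "cause": m["cause"],  # None on recover messages
        })
    return events


def errdown_cycles(events):
    """Pair each DOWNNOTIFY with the next DOWNRECOVER on the same host/interface.

    Returns [(ifname, cause, down_at, up_at, seconds_down), ...] in down-time order.
    A port still down at the end of the log yields up_at=None, seconds_down=None.
    """
    pending = {}
    cycles = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["host"], ev["ifname"])
        if ev["event"] == "ERRDOWN_DOWNNOTIFY":
            pending[key] = ev
        elif ev["event"] == "ERRDOWN_DOWNRECOVER" and key in pending:
            down = pending.pop(key)
            secs = int((ev["time"] - down["time"]).total_seconds())
            cycles.append((ev["ifname"], down["cause"], down["time"], ev["time"], secs))
    for (_, ifname), down in pending.items():
        cycles.append((ifname, down["cause"], down["time"], None, None))
    return cycles


def repeatedly_triggered(cycles, window, max_cycles):
    """Interfaces that entered error-down more than `max_cycles` times within any
    `window` seconds. Auto-recovery restores the port, but nothing stops the same
    device from sending another BPDU right away; this sliding-window count exposes it.
    """
    per_port = defaultdict(list)
    for ifname, _, down_at, _, _ in cycles:
        per_port[ifname].append(down_at)
    flagged = set()
    for ifname, times in per_port.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > timedelta(seconds=window):
                start += 1
            if end - start + 1 > max_cycles:
                flagged.add(ifname)
                break
    return flagged


if __name__ == "__main__":
    cycles = errdown_cycles(parse_errdown_events(SAMPLE_LOG))
    for ifname, cause, down_at, up_at, secs in cycles:
        print(f"{ifname}: {cause} down at {down_at:%H:%M:%S}, up at {up_at:%H:%M:%S}, {secs}s")
    print("repeatedly triggered:", repeatedly_triggered(cycles, window=300, max_cycles=1))
```

The 29-second first cycle matches the article (down at 21:30:34, recovered at 21:31:03 with a 30-second interval); the threshold in `repeatedly_triggered` is the policy knob, and one re-trigger within five minutes is already enough to justify looking at what is plugged into the port.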


ISIS DIS election

Let’s check today how a Designated Intermediate System (DIS) is elected in broadcast network.

Unlike OSPF, in ISIS all routers of the same level on a network segment set up adjacencies with each other, including the non-DIS routers. The DIS additionally generates pseudonode LSPs, which describe the routers available on the segment. A pseudonode is identified by the system ID of the DIS plus a 1-byte circuit ID, which is never 0 (a circuit ID of 0 denotes the router’s own, non-pseudonode LSP). The main task of the DIS is to reduce the number of LSPs needed to describe the segment. Even though all routers set up adjacencies on an ISIS broadcast network, LSDB synchronization is driven by the DIS, which periodically sends CSNPs.

A router can be the DIS for Level-1, Level-2 or both, depending on the DIS priority configured; a different DIS priority can be configured for each level. The router with the highest priority is elected as DIS. If all routers have the same DIS priority, the one with the highest MAC address (SNPA) is chosen. The default DIS priority is 64 and can be changed manually. Unlike the OSPF DR election, a router with priority 0 still takes part in the DIS election. The election is pre-emptive: each time a new router with a higher DIS priority is connected, it becomes the new DIS, which triggers LSP flooding. This also means that any device able to form an adjacency on the segment can take over the DIS role, which is one reason to authenticate ISIS hellos on shared segments.

Let’s leave theory and carry out a test of DIS election in ISIS broadcast network.

Based on the topology below, configure IP addresses for the physical and loopback interfaces (omitted here).

Configure the ISIS protocol on all routers. How to do this? Go to ISIS on Huawei routers.

You can add an ISIS name for each router to simplify maintenance and troubleshooting (AR1 as an example):

[AR1]isis	
[AR1-isis-1]is-name AR1

Check the ARP table of AR1 to find out which router has the highest MAC address:

[AR1]dis arp int eth 4/0/0
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE 
                                          VLAN/CEVLAN PVC                      
------------------------------------------------------------------------------
10.10.10.1      00e0-fc0d-7860            I -         Eth4/0/0
10.10.10.3      00e0-fc0d-e793  19        D-0         Eth4/0/0
10.10.10.4      00e0-fc06-db85  19        D-0         Eth4/0/0
10.10.10.2      00e0-fc0d-27df  19        D-0         Eth4/0/0
------------------------------------------------------------------------------
Total:4         Dynamic:3       Static:0     Interface:1

As we can see from the output, AR3’s MAC address 00e0-fc0d-e793 is the highest, so AR3 will be elected as DIS. Why? Because the DIS priority of all routers is the default 64, and the tie is broken by the highest MAC address. Let’s check it:

[AR1]display isis peer

                          Peer information for ISIS(1)

  System Id     Interface          Circuit Id       State HoldTime Type     PRI
-------------------------------------------------------------------------------
AR3             Eth4/0/0           AR3.01            Up   7s       L1(L1L2) 64 
AR4             Eth4/0/0           AR3.01            Up   28s      L1(L1L2) 64 
AR2             Eth4/0/0           AR3.01            Up   29s      L1(L1L2) 64 
AR3             Eth4/0/0           AR3.01            Up   8s       L2(L1L2) 64 
AR4             Eth4/0/0           AR3.01            Up   23s      L2(L1L2) 64 
AR2             Eth4/0/0           AR3.01            Up   28s      L2(L1L2) 64 

Total Peer(s): 6

[AR1]display isis interface 

                       Interface information for ISIS(1)
                       ---------------------------------
 Interface       Id      IPV4.State          IPV6.State      MTU  Type  DIS   
 Loop0           001         Up                 Down         1500 L1/L2 -- 
 Eth4/0/0        001         Up                 Down         1497 L1/L2 No/No 

[AR2]display isis interface 

                       Interface information for ISIS(1)
                       ---------------------------------
 Interface       Id      IPV4.State          IPV6.State      MTU  Type  DIS   
 Loop0           001         Up                 Down         1500 L1/L2 -- 
 Eth4/0/0        001         Up                 Down         1497 L1/L2 No/No 

[AR3]display isis interface 

                       Interface information for ISIS(1)
                       ---------------------------------
 Interface       Id      IPV4.State          IPV6.State      MTU  Type  DIS   
 Loop0           001         Up                 Down         1500 L1/L2 -- 
 Eth4/0/0        001         Up                 Down         1497 L1/L2 Yes/Yes

[AR4]display isis interface 

                       Interface information for ISIS(1)
                       ---------------------------------
 Interface       Id      IPV4.State          IPV6.State      MTU  Type  DIS   
 Loop0           001         Up                 Down         1500 L1/L2 -- 
 Eth2/0/0        001         Up                 Down         1497 L1/L2 No/No

AR3.01 is the pseudonode. As mentioned earlier, a pseudonode is identified by the system ID of the DIS (shown here as the name AR3, thanks to is-name) and a 1-byte circuit ID, which is never 0.

Now change the DIS priority of AR1 to 100:

[AR1]int Ethernet 4/0/0
[AR1-Ethernet4/0/0]isis dis-priority 100 (Level-1-2 by default)

Let’s check what has happened:

[AR1]dis isis interface 

                       Interface information for ISIS(1)
                       ---------------------------------
 Interface       Id      IPV4.State          IPV6.State      MTU  Type  DIS   
 Loop0           001         Up                 Down         1500 L1/L2 -- 
 Eth4/0/0        001         Up                 Down         1497 L1/L2 Yes/Yes

Now AR1 has been elected as DIS, pre-empting AR3 even though AR3 was already the DIS. As you can see, it is the DIS for both levels, because all routers in our topology are Level-1-2 routers and the priority was set for both levels. You can test the same in a hierarchical topology by changing the circuit-type of some routers to Level-1 or Level-2, and by changing the DIS priority for Level-1 or Level-2 only.
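The election rule above is simple enough to reproduce, and doing so makes the tie-break and the pre-emption explicit. The script below is an added example, not part of the original article: it implements the DIS election (highest priority per level, ties broken by highest MAC, priority 0 still eligible) and runs it over the four routers of this lab. The MAC addresses come from the article’s ARP table; the mapping of AR1..AR4 to 10.10.10.1..10.10.10.4 is an assumption consistent with the text, and the split Level-1/Level-2 scenario at the end is assumed, not something the article configured.

```python
DEFAULT_DIS_PRIORITY = 64  # Huawei default, as stated in the article


def mac_to_int(mac):
    """Convert a Huawei-style MAC 'xxxx-xxxx-xxxx' (or colon/dot separated) to an integer."""
    hexdigits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return int(hexdigits, 16)


def elect_dis(routers, level):
    """Return the name of the DIS for `level` (1 or 2), or None if nobody runs that level.

    routers: list of dicts {name, mac, priority: {level: value}, levels: set of levels}.
    Rule: highest priority for the level wins; ties are broken by the highest MAC (SNPA).
    Unlike OSPF, priority 0 does not exclude a router from the election.
    """
    candidates = [r for r in routers if level in r["levels"]]
    if not candidates:
        return None
    best = max(
        candidates,
        key=lambda r: (r["priority"].get(level, DEFAULT_DIS_PRIORITY), mac_to_int(r["mac"])),
    )
    return best["name"]


def pseudonode_id(dis_name, circuit_id):
    """Pseudonode ID as shown by 'display isis peer': <DIS system ID>.<circuit ID>, never 0."""
    if circuit_id == 0:
        raise ValueError("pseudonode circuit ID must be non-zero")
    return f"{dis_name}.{circuit_id:02d}"


def make_lab():
    """The four routers of the article; MACs from its ARP table, AR<n> = 10.10.10.<n> assumed."""
    return [
        {"name": "AR1", "mac": "00e0-fc0d-7860", "priority": {}, "levels": {1, 2}},
        {"name": "AR2", "mac": "00e0-fc0d-27df", "priority": {}, "levels": {1, 2}},
        {"name": "AR3", "mac": "00e0-fc0d-e793", "priority": {}, "levels": {1, 2}},
        {"name": "AR4", "mac": "00e0-fc06-db85", "priority": {}, "levels": {1, 2}},
    ]


def run_scenarios():
    """Default priorities, then 'isis dis-priority 100' on AR1, then all at 0, then split levels."""
    lab = make_lab()
    before = (elect_dis(lab, 1), elect_dis(lab, 2))
    lab[0]["priority"] = {1: 100, 2: 100}          # [AR1-Ethernet4/0/0]isis dis-priority 100
    after = (elect_dis(lab, 1), elect_dis(lab, 2))  # AR1 pre-empts AR3
    for r in lab:                                   # priority 0 still takes part
        r["priority"] = {1: 0, 2: 0}
    all_zero = elect_dis(lab, 1)
    lab = make_lab()                                # assumed hierarchical variant
    lab[0]["levels"] = {1}; lab[0]["priority"] = {1: 100}   # AR1 Level-1 only
    lab[1]["levels"] = {2}; lab[1]["priority"] = {2: 100}   # AR2 Level-2 only
    split = (elect_dis(lab, 1), elect_dis(lab, 2))
    return before, after, all_zero, split


if __name__ == "__main__":
    before, after, all_zero, split = run_scenarios()
    print("default priorities (L1, L2):", before, "pseudonode", pseudonode_id(before[1], 1))
    print("AR1 priority 100 (L1, L2): ", after)
    print("everyone priority 0 (L1):  ", all_zero)
    print("AR1 L1-only, AR2 L2-only:  ", split)
```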


protecting STP on Huawei switches

As a continuation of the STP Root Protection article, I want to describe additional STP protection functions and show where they should be implemented in a typical campus LAN environment.

BPDU Protection can be used to protect switches against STP BPDU attacks. It should be implemented on every switch that has ports directly connected to end-user workstations, because we do not expect to receive STP BPDUs from user workstations. When STP BPDUs are received on an edge port, an STP topology recalculation occurs, causing network flapping. If the port is configured with BPDU Protection and the switch receives STP BPDUs on it, the port is placed into the shutdown state, protecting the STP topology from recalculation. By default, BPDU Protection is disabled on Huawei switches. To enable it:

<labnario_sw>system-view 
[labnario_sw]interface Ethernet 0/0/1
[labnario_sw-Ethernet0/0/1]stp edged-port enable 
[labnario_sw-Ethernet0/0/1]quit
[labnario_sw]stp bpdu-protection

When a switch port is configured as an STP edged port and an STP BPDU is received on it, the port is placed into the shutdown state:

May 13 2013 20:17:00-08:00 labnario_sw%%01MSTP/4/BPDU_PROTECTION(l)[4]:This edged-port Ethernet0/0/1 that enabled BPDU-Protection will be shutdown, because it received BPDU packet!
[labnario_sw-Ethernet0/0/1]dis cur int e0/0/1
#
interface Ethernet0/0/1
 shutdown
 stp edged-port enable

[labnario_sw-Ethernet0/0/1]dis int eth0/0/1
Ethernet0/0/1 current state : Administratively DOWN
Line protocol current state : DOWN

To bring the port back to the UP state, manual reconfiguration is required (undo shutdown on the interface), or the error-down auto-recovery feature should be enabled on the switch.

TC Protection (TC – Topology Change) is used to suppress TC BPDUs (BPDUs advertising an STP topology change). When a switch receives a large number of TC BPDUs in a short time, it has to flush and relearn MAC and ARP table entries repeatedly, which can exhaust CPU resources. To prevent this, TC Protection can be configured so that the switch processes only a given number of TC BPDUs within a specified time period. To enable TC Protection and change its default settings:

[labnario_sw]stp tc-protection
[labnario_sw]stp tc-protection threshold ?
  INTEGER  The threshold of TC-BPDU protection, default is 1

[labnario_sw]stp tc-protection threshold 3

The default threshold is 1; the time period is the STP Hello timer, which equals 2 seconds by default and can easily be changed with:

[labnario_sw]stp timer hello ?
  INTEGER  Hello time in centiseconds, in steps of 100, the default value is 200

When the number of TC BPDUs received by the switch exceeds the threshold within the period, the switch processes the excess TC BPDUs only after the period expires (they are deferred, not discarded), so a burst of TC BPDUs is spread over several hello intervals instead of being handled at once. TC Protection should be enabled on every switch in a LAN environment.
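To see what the threshold and the Hello timer actually buy you, the model below is useful. It is an added example, not code from the article or from Huawei: it reproduces the behaviour described above (at most `threshold` TC BPDUs processed per hello interval, the surplus carried into later intervals rather than dropped) and reports how a burst of TC BPDUs is spread out. The arrival times are constructed; the exact scheduling inside VRP is not documented on this page, so the model is only as precise as the description above.

```python
def tc_protection_schedule(arrivals, threshold=1, hello_seconds=2.0):
    """Model of STP TC Protection as described above.

    arrivals: TC BPDU arrival times in seconds. At most `threshold` BPDUs are
    processed per hello interval; the surplus is processed when a later interval
    starts. Returns [(arrival, processed_at), ...] in arrival order.
    """
    if threshold < 1 or hello_seconds <= 0:
        raise ValueError("threshold must be >= 1 and hello_seconds > 0")
    arrivals = sorted(arrivals)
    if not arrivals:
        return []
    origin = arrivals[0]      # the first TC BPDU opens the first period
    used = {}                 # period index -> BPDUs already processed in it
    schedule = []
    for t in arrivals:
        period = int((t - origin) // hello_seconds)
        while used.get(period, 0) >= threshold:   # this period is full: defer
            period += 1
        used[period] = used.get(period, 0) + 1
        schedule.append((t, max(t, origin + period * hello_seconds)))
    return schedule


def max_processed_per_period(schedule, hello_seconds):
    """Peak number of TC BPDUs processed in any one hello interval, i.e. the
    worst-case MAC/ARP flush rate the switch is exposed to."""
    if not schedule:
        return 0
    origin = schedule[0][0]
    counts = {}
    for _, processed_at in schedule:
        period = int((processed_at - origin) // hello_seconds)
        counts[period] = counts.get(period, 0) + 1
    return max(counts.values())


def drain_time(schedule):
    """Seconds from the first arrival until the last TC BPDU has been processed."""
    if not schedule:
        return 0.0
    return max(p for _, p in schedule) - schedule[0][0]


if __name__ == "__main__":
    # Constructed burst: 20 TC BPDUs within 0.2 s, as an attacker or a flapping
    # link would produce them.
    burst = [i / 100 for i in range(20)]
    for threshold in (1, 3, 20):
        s = tc_protection_schedule(burst, threshold=threshold, hello_seconds=2.0)
        print(f"threshold={threshold:2d}: peak {max_processed_per_period(s, 2.0):2d} per hello, "
              f"drained in {drain_time(s):.2f}s")
```

With the default threshold of 1 and the default 2-second Hello timer, the 20-BPDU burst is spread over 38 seconds with a single flush per interval; with the threshold effectively disabled (20) all of them are processed within the 0.2-second burst.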

Loop Protection provides additional protection against L2 forwarding loops. STP relies on the continuous transmission or reception of BPDUs according to the port role: a designated port transmits BPDUs and a non-designated port (ROOT, ALTERNATE) receives them. An STP loop is created when a port in a physically redundant topology stops receiving STP BPDUs, for example because of a unidirectional link. Typically an ALTERNATE port in the DISCARDING state stops receiving BPDUs and, as a result, moves to the Designated role and the FORWARDING state; there is then no longer a blocking port in the redundant physical topology and a loop is created. With Loop Protection enabled on the interface, a port that receives no STP BPDUs within the prescribed time is moved to the Designated role but kept in the DISCARDING state. Loop Protection should be enabled on ROOT and ALTERNATE ports for every possible STP topology, including failover scenarios.

Look at the following example to see Loop Protection feature in action:

[labnario_sw]dis cur | beg t0/0/1
#
interface GigabitEthernet0/0/1
 stp loop-protection
#
interface GigabitEthernet0/0/2
 stp loop-protection
#
[labnario_sw]dis stp brie
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        ALTE  DISCARDING      LOOP
   0    GigabitEthernet0/0/2        ROOT  FORWARDING      LOOP
May 14 2013 13:50:06-08:00 Huawei %%01MSTP/4/LOOP_GUARD(l)[2]:MSTP process 0 Instance0's LOOP-Protection port GigabitEthernet0/0/1 did not receive message in prescriptive time!
[labnario_sw]dis stp brie
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        DESI  DISCARDING      LOOP
   0    GigabitEthernet0/0/2        ROOT  FORWARDING      LOOP

Recovery is automatic when the port starts receiving STP BPDUs again; no administrative intervention is required. By default, Loop Protection is disabled on Huawei switches.


Huawei eNSP – news

Based on the release notes of eNSP:

New features:

  • supports TAB key switch when filling IP address of SimPC
  • provides one key register function of AR_Base.

Modified features:

  • improves the stability when starting AR
  • reduces memory usage of AR
  • fixes distribution service for AR
  • fixes the dysfunction of MPLS L3VPN.

A new Huawei Enterprise Network Simulation Platform has been released.

Download, test and enjoy!


ISIS route aggregation

Let’s keep going and try to configure ISIS route aggregation based on the following topology:


If you want to recall how to configure ISIS adjacency on Huawei routers, just go to ‘ISIS on Huawei routers‘.

To avoid DIS election, configure all physical interfaces as ISIS point-to-point (p2p) links (Router 1 as an example):

[1-Ethernet0/0/8]isis circuit-type p2p

[1]dis isis interface 

                       Interface information for ISIS(1)
                       ---------------------------------
 Interface       Id      IPV4.State          IPV6.State      MTU  Type  DIS   
 Eth0/0/8        003         Up                 Down         1497 L1/L2 -- 
 Loop0           001         Up                 Down         1500 L1/L2 -- 
 Loop100         002         Up                 Down         1500 L1/L2 -- 

[1]dis isis interface Ethernet 0/0/8 verbose 

                       Interface information for ISIS(1)
                       ---------------------------------
 Interface       Id      IPV4.State          IPV6.State      MTU  Type  DIS   
 Eth0/0/8        003         Up                 Down         1497 L1/L2 -- 
  Circuit MT State            : Standard 
  Circuit Parameters          : p2p 
  Description                 : HUAWEI, AR Series, Ethernet0/0/8 Interface
  SNPA Address                : 00e0-fc03-993e
  IP Address                  : 10.0.1.1
  IPV6 Link Local Address     :
  IPV6 Global Address(es)     :
  Csnp Timer Value            :  L12   10
  Hello Timer Value           :        10
  DIS Hello Timer Value       :
  Hello Multiplier Value      :         3
  Cost                        :  L1    10  L2    10
  Ipv6 Cost                   :  L1    10  L2    10
  Retransmit Timer Value      :  L12    5
  LSP-Throttle Timer          :  L12   50
  Bandwidth-Value             :  Low  100000000  High          0
  Static Bfd                  :  NO
  Dynamic Bfd                 :  NO
  Fast-Sense Rpr              :  NO
  Extended-Circuit-Id Value   :  0000000003

What we want to do today:

  • Configure the Loopback100 interface on Router 1 and assign the 10.0.100.1/32 IP address to it
  • Enable the ISIS protocol on Loopback100
  • Configure three static routes on Router 1: 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24
  • Import the static routes into ISIS
  • Aggregate these networks on the Level-1-2 router (Router 2).

Let’s do it. Configure Loopback100 and enable ISIS on it:

[1]interface LoopBack 100
[1-LoopBack100]ip address 10.0.100.1 32
[1-LoopBack100]isis enable

Configure static routes on Router 1 to simulate networks that should be aggregated:

[1]ip route-static 10.0.2.0 255.255.255.0 NULL0
[1]ip route-static 10.0.3.0 255.255.255.0 NULL0
[1]ip route-static 10.0.4.0 255.255.255.0 NULL0

Import these three routes into ISIS:

[1]isis
[1-isis-1]import-route static level-1

Check the routing table of Router 1:

[1]dis ip rout
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 16       Routes : 16       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   ISIS-L1 15   10          D   10.0.1.2        Ethernet0/0/8
        1.1.1.1/32  Direct  0    0           D   127.0.0.1       LoopBack0
        2.2.2.2/32  ISIS-L1 15   10          D   10.0.1.2        Ethernet0/0/8
       10.0.1.0/30  Direct  0    0           D   10.0.1.1        Ethernet0/0/8
       10.0.1.1/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/8
       10.0.1.3/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/8
       10.0.2.0/24  Static  60   0           D   0.0.0.0         NULL0
       10.0.3.0/24  Static  60   0           D   0.0.0.0         NULL0
       10.0.4.0/24  Static  60   0           D   0.0.0.0         NULL0
     10.0.100.1/32  Direct  0    0           D   127.0.0.1       LoopBack100
       20.0.0.0/30  ISIS-L1 15   20          D   10.0.1.2        Ethernet0/0/8
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

Check the routing table of Router 5 to find how our networks have been advertised:

[5]dis ip routing-table 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 17       Routes : 17       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.1/32  ISIS-L2 15   30          D   40.0.0.1        Ethernet0/0/8
        2.2.2.2/32  ISIS-L2 15   20          D   40.0.0.1        Ethernet0/0/8
        4.4.4.4/32  ISIS-L2 15   10          D   40.0.0.1        Ethernet0/0/8
        5.5.5.5/32  Direct  0    0           D   127.0.0.1       LoopBack0
       10.0.1.0/30  ISIS-L2 15   30          D   40.0.0.1        Ethernet0/0/8
       10.0.2.0/24  ISIS-L2 15   94          D   40.0.0.1        Ethernet0/0/8
       10.0.3.0/24  ISIS-L2 15   94          D   40.0.0.1        Ethernet0/0/8
       10.0.4.0/24  ISIS-L2 15   94          D   40.0.0.1        Ethernet0/0/8
     10.0.100.1/32  ISIS-L2 15   30          D   40.0.0.1        Ethernet0/0/8
       20.0.0.0/30  ISIS-L2 15   20          D   40.0.0.1        Ethernet0/0/8
       40.0.0.0/30  Direct  0    0           D   40.0.0.2        Ethernet0/0/8
       40.0.0.2/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/8
       40.0.0.3/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/8
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

The three static routes configured on Router 1 are imported into ISIS, and we can find them in the routing table of Router 5. Note that ISIS has no separate class of external routes, unlike OSPF: the imported routes still show up as ISIS routes with preference 15. As you can see, the IP address of Loopback100 of Router 1 is also present in the routing table of Router 5.

Let’s finally configure route aggregation. Based on the topology and the networks configured, we can aggregate the following networks on Router 2:

  • 10.0.1.0/30
  • 10.0.2.0/24
  • 10.0.3.0/24
  • 10.0.4.0/24
  • 10.0.100.1/32

[2]isis
[2-isis-1]summary 10.0.0.0 255.255.0.0 (Level-2 by default)

Verify the IP routing table of Router 5 once again:

[5]dis ip routing-table 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 13       Routes : 13       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.1/32  ISIS-L2 15   30          D   40.0.0.1        Ethernet0/0/8
        2.2.2.2/32  ISIS-L2 15   20          D   40.0.0.1        Ethernet0/0/8
        4.4.4.4/32  ISIS-L2 15   10          D   40.0.0.1        Ethernet0/0/8
        5.5.5.5/32  Direct  0    0           D   127.0.0.1       LoopBack0
       10.0.0.0/16  ISIS-L2 15   30          D   40.0.0.1        Ethernet0/0/8
       20.0.0.0/30  ISIS-L2 15   20          D   40.0.0.1        Ethernet0/0/8
       40.0.0.0/30  Direct  0    0           D   40.0.0.2        Ethernet0/0/8
       40.0.0.2/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/8
       40.0.0.3/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/8
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

Thus the routing table has been reduced: the five more specific prefixes have been replaced by a single 10.0.0.0/16 entry. Keep in mind that the summary also attracts traffic for every address in the /16 that has no component route behind it, so choose the summary no wider than the address space you actually own.
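Choosing the summary and understanding what it hides is worth doing by hand once. The script below is an added example, not part of the original article: using only the standard `ipaddress` module, it computes the smallest single prefix that covers the five component networks from this lab (which turns out to be 10.0.0.0/17, one bit longer than the 10.0.0.0/16 the article configures) and lists the parts of a chosen summary that no component route covers, i.e. the address space the summary advertises without a more specific route behind it.

```python
import ipaddress

# The component networks aggregated on Router 2 in this article.
COMPONENTS = ["10.0.1.0/30", "10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24", "10.0.100.1/32"]


def minimal_summary(prefixes):
    """Smallest single prefix covering all `prefixes`."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    plen = min(n.prefixlen for n in nets)
    # Shorten the prefix until one network contains both the lowest and the highest address.
    while plen > 0:
        candidate = ipaddress.ip_network(f"{lo}/{plen}", strict=False)
        if hi in candidate:
            return candidate
        plen -= 1
    return ipaddress.ip_network(f"{lo}/0", strict=False)


def uncovered_space(summary, prefixes):
    """Sub-networks of `summary` that no component route covers.

    Traffic for these addresses is attracted by the summary route but, on the
    summarizing router, has no more specific route to follow.
    """
    remaining = [ipaddress.ip_network(str(summary))]
    for p in prefixes:
        comp = ipaddress.ip_network(p)
        kept = []
        for r in remaining:
            if comp.subnet_of(r):
                kept.extend(r.address_exclude(comp))  # carve the component out (yields nothing if equal)
            elif r.subnet_of(comp):
                continue                               # fully covered by the component
            else:
                kept.append(r)
        remaining = kept
    return sorted(remaining)


def coverage_report(summary, prefixes):
    """Address counts: how much of the summary is backed by component routes."""
    summary_net = ipaddress.ip_network(str(summary))
    gaps = uncovered_space(summary_net, prefixes)
    uncovered = sum(g.num_addresses for g in gaps)
    return {
        "summary": str(summary_net),
        "total": summary_net.num_addresses,
        "covered": summary_net.num_addresses - uncovered,
        "uncovered": uncovered,
        "gaps": [str(g) for g in gaps],
    }


if __name__ == "__main__":
    print("minimal summary:", minimal_summary(COMPONENTS))
    report = coverage_report("10.0.0.0/16", COMPONENTS)   # the article's choice
    print(f"{report['summary']}: {report['covered']} of {report['total']} addresses covered")
    print("largest uncovered blocks:", sorted(report["gaps"], key=lambda g: -ipaddress.ip_network(g).num_addresses)[:3])
```

For the article’s 10.0.0.0/16 only 773 of 65536 addresses are backed by a component route; a packet to 10.0.50.1 from Router 5 follows the summary to Router 2 and is then handled by whatever Router 2 has for it, which is why a summary should match the address block the site actually owns.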
