
ProCurve networking by HP

Playing with STP Protection

Published 22 January 2008, 07:16 AM

Most of you will know that the Spanning Tree Protocol is a Layer 2 protocol that was never designed with maximum security in mind. Over the years, this has resulted in various security configuration options that make sure end-user edge ports can only perform edge roles and functions and can no longer control the entire STP topology.

The key security commands are "bpdu-protection" on the edge switches and "root-guard" on the distribution layer switches. Both result in the port being disabled (optionally only temporarily, with the bpdu-protection-timeout command) and an SNMP trap being generated.

To facilitate the test process, this small script (written by Peter Debruyne) can help you demonstrate the advantage of the bpdu-protection and root-guard features. The script can be run from a standard Windows box: just install WinPcap and follow the readme.txt.

The script sends STP BPDU packets announcing a new root bridge for about 12 seconds, so the current (non-protected) network undergoes an STP topology change. It then sleeps for 21 seconds to allow the network to detect the loss of that root and undergo another STP topology change back to the original root. This procedure is repeated in a loop.

On the ProCurve switches, you can easily follow this situation by running the "show span" command and then using the "repeat 1" command to re-run it automatically. Next, run the fakeroot script and watch the root port flap from the original root port to the new one. You may also run a ping -t to watch the network hiccup every 10-15 seconds.

Then configure your ProCurve switch with bpdu-protection on all ports except the uplinks, e.g. with the "span 1-46 bpdu-protection" command for ports 1-46, set the timeout to e.g. 60 seconds with "span bpdu-protection-timeout 60", and retry the test. You will notice that the port of your test box is disabled for 60 seconds and then comes back online (if you have stopped the script; otherwise it will of course go down again). This also leaves room for the "standard" end-user issues, where end-users connect e.g. a cable from one wall outlet to another (with or without an intermediate switch or hub) and cause a loop. Thanks to the bpdu-protection, the port will be disabled and retried after 60 seconds. So if the end-user notices that the network doesn't work, he just needs to remove one cable and after a minute the system will be operational again.
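To make the two trigger conditions concrete, here is an added Python example (not the fakeroot script and not ProCurve code) that parses an 802.1D configuration BPDU from a raw Ethernet frame and reports which feature would disable the receiving port: bpdu-protection on any BPDU seen on an edge port, root-guard on a BPDU that announces a better root than the one currently known. The bridge IDs, port names and sample frames are constructed for the example.

```python
import struct
from collections import namedtuple

STP_MCAST = b"\x01\x80\xc2\x00\x00\x00"  # 802.1D bridge group address
LLC_STP = b"\x42\x42\x03"                 # LLC DSAP/SSAP 0x42, UI control field
BPDU_OFFSET = 14 + 3                       # Ethernet header + LLC header
# 802.1D configuration BPDU: protocol id, version, type, flags, root id (2-byte
# priority + MAC, lower wins), root path cost, bridge id, port id, four timers
BPDU_FMT = "!HBBB8sI8sHHHHH"
Bpdu = namedtuple("Bpdu", "root_id bridge_id root_path_cost")

def parse_bpdu(frame: bytes):
    """Return the configuration BPDU carried by an 802.1D frame, else None."""
    if len(frame) < BPDU_OFFSET + struct.calcsize(BPDU_FMT):
        return None
    if frame[:6] != STP_MCAST or frame[14:17] != LLC_STP:
        return None
    proto, _ver, btype, _flags, root, cost, bridge, *_ = struct.unpack_from(
        BPDU_FMT, frame, BPDU_OFFSET)
    if proto != 0 or btype != 0:         # configuration BPDUs only (TCN is 0x80)
        return None
    return Bpdu(root, bridge, cost)

def check_port(port: str, frame: bytes, edge_ports: set, root_guard_ports: set,
               current_root: bytes):
    """Name the feature that would disable `port` on receiving `frame`, or None."""
    bpdu = parse_bpdu(frame)
    if bpdu is None:
        return None
    if port in edge_ports:                # bpdu-protection: any BPDU on an edge port
        return "bpdu-protection"
    if port in root_guard_ports and bpdu.root_id < current_root:
        return "root-guard"                # a better root announced on a downlink
    return None

def make_frame(root_id: bytes, bridge_id: bytes, cost: int = 0) -> bytes:
    """Constructed sample frame for offline testing; addresses are hypothetical."""
    bpdu = struct.pack(BPDU_FMT, 0, 0, 0, 0, root_id, cost, bridge_id,
                       0x8001, 0, 20 << 8, 2 << 8, 15 << 8)
    return (STP_MCAST + b"\x00\x11\x22\x33\x44\x55"
            + struct.pack("!H", len(LLC_STP) + len(bpdu)) + LLC_STP + bpdu)

# Hypothetical topology: real root has priority 0x1000, the test box claims 0x0000.
REAL_ROOT = b"\x10\x00\x00\x1b\x3f\x00\x00\x01"
FAKE_ROOT = b"\x00\x00\x00\x11\x22\x33\x44\x55"
EDGE_PORTS = {str(n) for n in range(1, 47)}   # "span 1-46 bpdu-protection"
ROOT_GUARD_PORTS = {"D1", "D2"}               # distribution downlinks (hypothetical)
```

Feeding the same frame to an edge port and to a root-guard port shows why the article puts bpdu-protection on the edge switches and root-guard on the distribution layer: the first blocks every BPDU, the second only a superior root claim.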

Please run this test only in a controlled test environment! Don't say you haven't been warned. Good luck with the testing and feel free to send any comments.

At the moment it's possible to add files to the posts. If you are interested in this script please leave your email in a comment or send me an email.

Hewlett Packard, HP, ProCurve, Network, Networking, Tools, Tips, Spanning Tree, BPDU Protection, Root Guard, STP, Test, Script

Posted by Dobias van Ingen
