R3166-R3206-HP High-End Firewalls Network Management Configuration Guide-6PW101
80
NOTE:
• With the Digest Snooping feature enabled, comparison of configuration digest is not needed for
in-the-same-region check, so the VLAN-to-instance mappings must be the same on associated ports.
• With global Digest Snooping enabled, modification of VLAN-to-instance mappings and removing of
the current region configuration using the undo stp region-configuration command are not allowed.
You can only modify the region name and revision level.
• To make Digest Snooping take effect, you must enable it both globally and on associated ports. To make
the configuration effective on all configured ports and while reducing impact on the network, enable
Digest Snooping on all associated ports first and then globally.
• To prevent loops, do not enable Digest Snooping on MST region edge ports.
• HP recommends you to enable Digest Snooping first and then the spanning tree feature. To avoid traffic
interruption, do not configure Digest Snooping when the network is already working well.
2. Digest Snooping configuration example
a. Network requirements
As shown in Figure 35:
• F
irewall A and Firewall B connect to Device, which is a third-party device. All these devices are in
the same region.
• Enable Digest Snooping on Firewalle A’s and Firewall B’s ports that connect to Device C, so that the
three devices can communicate with one another.
Figure 35 Digest Snooping configuration
b. Configuration procedure
# Enable Digest Snooping on GigabitEthernet 0/1 of Device A and enable global Digest Snooping on
Firewall A.
<FirewallA> system-view
[FirewallA] interface GigabitEthernet 0/1
[FirewallA-GigabitEthernet0/1] stp config-digest-snooping
[FirewallA-GigabitEthernet0/1] quit
[FirewallA] stp config-digest-snooping