3Com Switch 7750 Configuration Guide

Configure in system view.
<SW7750> system-view
[SW7750] stp interface ethernet1/0/1 mcheck
Configure in Ethernet port view.
<SW7750> system-view
[SW7750] interface ethernet1/0/1
[SW7750-Ethernet1/0/1] stp mcheck
Protection Function Configuration
Introduction
The following protection functions are available on an MSTP-enabled switch:
BPDU protection, root protection, loop guard, and topology change BPDU
(TC-BPDU) attack guard.
BPDU protection
Normally, the access ports of the devices operating on the access layer directly
connect to terminals (such as PCs) or file servers. These ports are usually
configured as edge ports to achieve rapid transition. However, they automatically
revert to non-edge ports upon receiving configuration BPDUs, which causes spanning
tree regeneration and network topology jitter.
Normally, no configuration BPDU reaches an edge port. However, malicious users can
attack a network by deliberately sending configuration BPDUs to edge ports to
cause network jitter. You can prevent this type of attack by using the BPDU
protection function. With this function enabled on a switch, the switch shuts
down the edge ports that receive configuration BPDUs and then reports these
cases to the administrator. If a port is shut down, only the administrator can
restore it.
Root protection
A root bridge and its secondary root bridges must reside in the same region. A
CIST and its secondary root bridges are usually located in the high-bandwidth core
region. Configuration errors or attacks may result in configuration BPDUs with
priorities higher than that of the root bridge, which causes a new root bridge to
be elected and network topology jitter to occur. In this case, flows that should
travel along high-speed links may be led to low-speed links, and network
congestion may occur.
You can avoid this by using the root protection function. Ports with this function
enabled can only be kept as designated ports in all spanning tree instances. When
a port of this type receives configuration BPDUs with higher priorities, it changes
to the discarding state (rather than becoming a non-designated port) and stops
forwarding packets (as if it were disconnected from the link). It resumes the normal
state if it does not receive any configuration BPDUs with higher priorities for a
specified period.
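The following Python sketch is an added example, not part of the 3Com guide or the switch software. It models how a port reacts to a configuration BPDU with and without BPDU protection and root protection as described above; the class, field and parameter names, the bridge IDs and the 4-second recovery period are assumptions made for illustration.

```python
# Toy model of the BPDU protection and root protection behaviour described above.
# All class, field and parameter names are hypothetical; this is not a 3Com API.
from dataclasses import dataclass, field

@dataclass
class Port:
    name: str
    edge: bool = False               # configured as an edge port
    root_protection: bool = False
    state: str = "forwarding"        # forwarding | discarding | shutdown
    last_superior: float = 0.0       # time the last higher-priority BPDU arrived

@dataclass
class Switch:
    root_id: tuple                   # (priority, MAC); the lower value wins
    bpdu_protection: bool = False
    recover_after: float = 4.0       # assumed length of the "specified period"
    events: list = field(default_factory=list)

    def receive_config_bpdu(self, port, bpdu_root, now):
        if port.state == "shutdown":
            return                   # stays down until the administrator acts
        if port.edge:
            if self.bpdu_protection:
                port.state = "shutdown"
                self.events.append(f"{port.name}: shut down, administrator notified")
                return
            port.edge = False        # unprotected edge port reverts to non-edge
            self.events.append(f"{port.name}: non-edge, spanning tree recalculated")
        if bpdu_root < self.root_id: # BPDU has higher priority than the current root
            if port.root_protection:
                port.state, port.last_superior = "discarding", now
                self.events.append(f"{port.name}: discarding, superior BPDU ignored")
            else:
                self.root_id = bpdu_root
                self.events.append(f"{port.name}: new root bridge elected")

    def tick(self, port, now):       # resume after a quiet period, no superior BPDU
        if port.state == "discarding" and now - port.last_superior >= self.recover_after:
            port.state = "forwarding"

    def admin_restore(self, port):
        if port.state == "shutdown":
            port.state = "forwarding"

if __name__ == "__main__":
    sw, p = Switch((32768, "00:00:00:00:00:0a"), bpdu_protection=True), Port("Ethernet1/0/1", edge=True)
    sw.receive_config_bpdu(p, (0, "00:00:00:00:00:01"), now=0.0)  # constructed bridge IDs
    print(p.state, sw.events)
```

With `bpdu_protection=False` the same BPDU makes the port non-edge and replaces `root_id`, which is the topology change the two protection functions are meant to prevent.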
Loop guard
A switch maintains the states of the root port and other blocked ports by receiving
and processing BPDUs from the upstream switch. These BPDUs may get lost