3Com Switch 7750 Configuration Guide

248 CHAPTER 29: MSTP CONFIGURATION
because of network congestion or link failures. If a switch does not receive
BPDUs from the upstream switch for a certain period, it selects a new root
port; the original root port becomes a designated port, and the blocked ports
transition to the forwarding state. This may cause loops in the network.
The loop guard function suppresses such loops. With this function enabled, if link
congestion or link failures occur, both the root port and the blocked ports
become designated ports and enter the discarding state. In this state they
stop forwarding packets, so loops are prevented.
TC-BPDU attack guard
Generally, upon receiving a TC-BPDU, a switch removes its local MAC address
table and then updates the ARP table on a per-STP-instance basis according to
the updated MAC address table. If a malicious user forges TC-BPDUs to attack a
switch, the switch receives a large number of TC-BPDUs in a short period, which
keeps it busy removing its MAC address table and updating its ARP table. This
disturbs STP calculation, consumes a large amount of network bandwidth, and
keeps the CPU utilization of the switch high.
With the TC-BPDU guard function enabled, the switch removes its local MAC
address table once when it receives a TC-BPDU and at the same time starts a
timer that expires after 10 seconds. Before the timer expires, the switch
performs the MAC address removal operation at most six times. This mechanism
prevents the switch from removing its MAC address table too frequently and
protects STP calculation and network stability from the resulting disturbance.
You can use the stp tc-protection threshold command to set a threshold for the
number of times the switch may remove its MAC address table in one period. If the
number of TC-BPDUs received in the period is below the threshold, the switch
removes its MAC address table each time it receives a TC-BPDU. If the number of
TC-BPDUs received exceeds the threshold, the switch removes its MAC address table
only as many times as the threshold allows. For example, if you set the threshold
to 100 for the period and the switch receives 200 TC-BPDUs in that period, the
switch removes its MAC address table only 100 times within the period.
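As an added illustration (not from the 3Com guide), the following Python model shows how the TC-BPDU guard bounds MAC-table flushes: a 10-second timer starts on the first TC-BPDU and, while it runs, at most `threshold` flushes are performed (the guide's default of six, or the value set with stp tc-protection threshold). The timer restarting on the next TC-BPDU after expiry, and the evenly spaced burst used as input, are assumptions made for this model.

```python
from dataclasses import dataclass, field
from typing import List, Optional

WINDOW_SECONDS = 10.0    # timer length stated in the guide
DEFAULT_THRESHOLD = 6    # default flushes allowed per window, stated in the guide


@dataclass
class TcBpduGuard:
    """Counts MAC-table flushes caused by TC-BPDUs, capped per 10 s window."""
    threshold: int = DEFAULT_THRESHOLD
    window: float = WINDOW_SECONDS
    window_start: Optional[float] = None   # None: no timer running
    flushes_in_window: int = 0
    flush_times: List[float] = field(default_factory=list)
    suppressed: int = 0                    # TC-BPDUs that caused no flush

    def receive_tc_bpdu(self, t: float) -> bool:
        """Handle a TC-BPDU arriving at time t (seconds); True if the MAC table is flushed."""
        if self.window_start is None or t - self.window_start >= self.window:
            # No timer running, or it has expired: start a fresh window.
            # (Assumption: the timer restarts on the next TC-BPDU after expiry.)
            self.window_start = t
            self.flushes_in_window = 0
        if self.flushes_in_window < self.threshold:
            self.flushes_in_window += 1
            self.flush_times.append(t)
            return True
        self.suppressed += 1
        return False


def simulate(arrivals: List[float], threshold: int = DEFAULT_THRESHOLD):
    """Return (flushes performed, TC-BPDUs suppressed) for a list of arrival times."""
    guard = TcBpduGuard(threshold=threshold)
    for t in arrivals:
        guard.receive_tc_bpdu(t)
    return len(guard.flush_times), guard.suppressed


def burst(count: int, duration: float) -> List[float]:
    """Constructed input: `count` TC-BPDUs evenly spaced over `duration` seconds."""
    return [i * duration / count for i in range(count)]


if __name__ == "__main__":
    # The guide's example: threshold 100, 200 TC-BPDUs in one period -> 100 flushes.
    print(simulate(burst(200, 10.0), threshold=100))
    # The same storm against the default of six flushes per window.
    print(simulate(burst(200, 10.0)))
```

Genuine topology changes arriving well apart (for example 30 seconds) are never suppressed, while a storm of 200 forged TC-BPDUs in one window causes only `threshold` flushes.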
CAUTION: Among the loop guard function, the root protection function, and the
edge port setting, only one can be valid on a port at a time.
BPDU Protection Configuration
Configuration prerequisites
MSTP is enabled on the current switch.
Configuration procedure
Table 181 Enable the BPDU guard function
Operation                        Command               Description
Enter system view                system-view           -
Enable the BPDU guard function   stp bpdu-protection   Required. The BPDU guard function is disabled by default.