3Com Switch 7750 Configuration Guide
Protection Function Configuration 265
Normally, no configuration BPDU will reach edge ports. But malicious users can
attack a network by sending configuration BPDUs deliberately to edge ports to
cause network jitter. You can prevent this type of attacks by utilizing the BPDU
protection function. With this function enabled on a switch, the switch shuts
down the edge ports that receive configuration BPDUs and then reports these
cases to the administrator. If a port is shut down, only the administrator can
restore it.
Root protection
A root bridge and its secondary root bridges must reside in the same region. A
CIST and its secondary root bridges are usually located in the high-bandwidth core
region. Configuration errors or attacks may result in configuration BPDUs with
their priorities higher than that of a root bridge, which causes new root bridge to
be elected and network topology jitter to occur. In this case, flows that should
travel along high-speed links may be led to low-speed links, and network
congestion may occur.
You can avoid this by utilizing the root protection function. Ports with this function
enabled can only be kept as designated ports in all spanning tree instances. When
a port of this type receives configuration BPDUs with higher priorities, it changes
to discarding state (rather than becomes a non-designated port) and stops
forwarding packets (as if it is disconnected from the link). It resumes the normal
state if it does not receive any configuration BPDUs with higher priorities for a
specified period.
Loop guard
A switch maintains the states of the root port and other blocked ports by receiving
and processing BPDUs from the upstream switch. These BPDUs may get lost
because of network congestions and link failures. If a switch does not receive
BPDUs from the upstream switch for certain period, the switch selects a new root
port; the original root port becomes a designated port; and the blocked ports
transit to forwarding state. This may cause loops in the network.
The loop guard function suppresses loops. With this function enabled, if link
congestions or link failures occur, both the root port and the blocked ports
become designated ports and change to be in the discarding state. In this case,
they stop forwarding packets, and thereby loops can be prevented.
TC-BPDU attack guard
Generally, upon receiving a TC-BPDU, a switch removes its local MAC address
table and then updates the ARP address table based on STP instances according to
the updated MAC address table. If a malicious user forges TC-BPDUs to attack a
switch, the switch will receive a large amount of TC-BPDUs in a short period,
causing the switch busy in removing local MAC address tables and updating ARP
address tables, which will affect STP calculation and occupy a large amount of
network bandwidth. As a result, the CPU utilization stays high for the switch.
With the TC-BPDU guard function enabled, the switch performs the operation of
removing its local MAC address table once after it receives a TC-BPDU, and
triggers a timer at the same time, which expires after 10 seconds. Before the timer
expires, the switch can only perform the operation of removing MAC address
entries for up to six times. Such a mechanism prevents the switch from removing