3Com Switch 8800 Advanced Software V5 Configuration Guide

Configuring Protection Functions 131
Note: Among loop guard, root guard and the edge port setting, only one function can take
effect on the same port at the same time.
These protection functions work as follows:
BPDU guard
For access layer devices, the access ports generally have user terminals (such as
PCs) or file servers directly connected to them. These ports are usually configured
as edge ports to allow rapid transition. However, an edge port becomes a non-edge
port as soon as it receives a configuration BPDU, which triggers a new round of
spanning tree calculation and changes the network topology. Under normal
conditions, these ports are not supposed to receive configuration BPDUs at all.
If someone deliberately forges configuration BPDUs to attack the devices, the
network may therefore become unstable.
MSTP provides the BPDU guard function to protect the system against such
attacks. With BPDU guard enabled on a device, an edge port that receives a
configuration BPDU is shut down and the NMS is notified. A port shut down in this
way can be restored only by a network administrator.
Root guard
The root bridge and its secondary root bridges of a spanning tree must reside in
the same MST region. For the CIST in particular, the root bridge and its secondary
root bridges are generally placed in a high-bandwidth core region during network
design. However, because of configuration errors or attacks in the network, the
root bridge may receive a configuration BPDU with a higher priority. In this case,
the current, legitimate root bridge is superseded by another device, causing an
undesired change of the network topology. As a result of this illegitimate
topology change, traffic that should travel over high-speed links may be diverted
to low-speed links, resulting in network congestion.
To prevent this, MSTP provides the root guard function to protect the root
bridge. Ports with root guard enabled can only be designated ports in all MST
instances. Once such a port receives a configuration BPDU with a higher priority
in an MST instance, it turns to the listening state in that MST instance and stops
forwarding packets (as if it were disconnected from the link). If the port receives
no BPDU with a higher priority within twice the forward delay, it reverts to its
original state.
Loop guard
A device maintains the states of its root port and blocked ports by receiving
and processing BPDUs from the upstream device. However, because of link
congestion or a unidirectional link failure, these ports may stop receiving BPDUs
from the upstream device. In that case the downstream device reselects the port
roles (for example, a port that no longer receives upstream BPDUs becomes a
designated port and the blocked ports transition to the forwarding state),
resulting in loops in the switched network. The loop guard function suppresses
such loops.
Note: A loop guard-enabled port that fails to receive BPDUs from the upstream device
remains in the discarding state in all MST instances during spanning tree
calculation, regardless of the role it plays.
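The three protection functions described above, as an added worked example that is not code from this guide or from the switch software: a small Python model of a port under BPDU guard, root guard and loop guard, driven by constructed BPDUs. The 15 s forward delay and 20 s max age are the IEEE 802.1D defaults; the port names, bridge priorities, the "attacker" BPDU and the use of max age as the BPDU-loss timeout for loop guard are assumptions made for illustration, and the timer handling is a simplification of the real protocol state machine.

```python
# Added example, not code from the 3Com guide: a small model of the three MSTP
# protection functions described above, driven by constructed BPDU events. The
# 15 s forward delay and 20 s max age are the IEEE 802.1D defaults; port names,
# priorities and the "attacker" BPDU are made up, and the timers are simplified.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

FORWARD_DELAY = 15   # seconds (802.1D default)
MAX_AGE = 20         # seconds (802.1D default); assumed BPDU-loss timeout for loop guard


@dataclass
class Bpdu:
    root_priority: int   # the advertised root; lower value wins, as in STP/MSTP
    root_id: str


@dataclass
class Port:
    name: str
    bridge_root_priority: int        # priority of the root this bridge currently accepts
    role: str = "designated"         # "designated", "root" or "alternate"
    edge: bool = False
    bpdu_guard: bool = False
    root_guard: bool = False
    loop_guard: bool = False
    state: str = "forwarding"        # "forwarding", "discarding" or "shutdown"
    last_bpdu_at: Optional[float] = None
    root_guard_until: Optional[float] = None
    alarms: List[str] = field(default_factory=list)   # messages sent to the NMS

    def __post_init__(self) -> None:
        if self.role == "alternate":   # a blocked port starts out discarding
            self.state = "discarding"

    def receive_bpdu(self, bpdu: Bpdu, now: float) -> str:
        """Process one configuration BPDU and report what the port did with it."""
        if self.state == "shutdown":
            return "ignored: port shut down until an administrator restores it"
        if self.edge:
            if self.bpdu_guard:
                # BPDU guard: an edge port must never see a BPDU; shut it down and alarm.
                self.state = "shutdown"
                self.alarms.append(f"{self.name}: BPDU on edge port, port shut down")
                return "bpdu-guard: port shut down"
            self.edge = False   # no guard: edge status lost, recalculation starts
            return "edge status lost: spanning tree recalculation triggered"
        self.last_bpdu_at = now
        if self.root_guard and bpdu.root_priority < self.bridge_root_priority:
            # Root guard: a superior root claim on a designated port is never accepted;
            # the port stops forwarding for twice the forward delay instead.
            self.state = "discarding"
            self.root_guard_until = now + 2 * FORWARD_DELAY
            return f"root-guard: superior root {bpdu.root_id} rejected, port discarding"
        return "accepted"

    def tick(self, now: float) -> str:
        """Run the timers: root guard recovery and loss of upstream BPDUs."""
        if self.state == "shutdown":
            return "shutdown"
        if self.root_guard_until is not None:
            if now < self.root_guard_until:
                return "discarding (root guard)"
            self.root_guard_until = None   # 2 x forward delay without a superior BPDU
            self.state = "forwarding"
        if (self.role in ("root", "alternate") and self.last_bpdu_at is not None
                and now - self.last_bpdu_at > MAX_AGE):
            if self.loop_guard:
                # Loop guard: keep discarding rather than assume the upstream link is gone.
                self.state = "discarding"
                return "discarding (loop guard: upstream BPDUs missing)"
            # Without loop guard the bridge promotes the port and forwards: the loop case.
            self.role, self.state = "designated", "forwarding"
            return "forwarding (no loop guard: port promoted to designated)"
        return self.state


def demo() -> Dict[str, str]:
    """Walk the three scenarios from the text with constructed BPDUs."""
    forged = Bpdu(root_priority=0, root_id="attacker")   # beats any real root
    normal = Bpdu(root_priority=32768, root_id="core-1")
    out: Dict[str, str] = {}
    # 1. BPDU guard on an access port that faces a PC.
    access = Port("GE1/0/1", bridge_root_priority=32768, edge=True, bpdu_guard=True)
    out["bpdu_guard"] = access.receive_bpdu(forged, now=0)
    out["bpdu_guard_again"] = access.receive_bpdu(normal, now=2)
    # 2. Root guard on a designated port of the core root bridge (priority 4096).
    core = Port("GE2/0/1", bridge_root_priority=4096, root_guard=True)
    out["root_guard"] = core.receive_bpdu(forged, now=0)
    out["root_guard_t10"] = core.tick(10)   # still inside 2 x forward delay
    out["root_guard_t40"] = core.tick(40)   # 30 s without a superior BPDU: reverts
    # 3. Loop guard on a blocked port whose upstream neighbour goes silent.
    guarded = Port("GE3/0/1", bridge_root_priority=4096, role="alternate", loop_guard=True)
    unguarded = Port("GE3/0/2", bridge_root_priority=4096, role="alternate")
    guarded.receive_bpdu(normal, now=0)
    unguarded.receive_bpdu(normal, now=0)
    out["loop_guard"] = guarded.tick(25)     # > MAX_AGE since the last BPDU
    out["no_loop_guard"] = unguarded.tick(25)
    return out
```

Calling demo() runs the three cases side by side: the guarded edge port is shut down on the first forged BPDU and stays down, the root guard port discards while the superior claim persists and reverts once twice the forward delay has passed without one, and the blocked port with loop guard stays discarding where the unguarded port would promote itself to designated and start forwarding into a loop.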