174 CHAPTER 14: MSTP CONFIGURATION
Root guard
A root bridge and its secondary root bridges must reside in the same region. The
root bridge of the CIST and its secondary root bridges are usually located in the
high-bandwidth core region. A configuration error or a deliberate attack may inject
configuration BPDUs that carry a root identifier with a higher priority than that of
the current root bridge. This causes a new root bridge to be elected and the
topology to change. Traffic that should travel over high-speed links may then be
diverted onto low-speed links, and network congestion may occur.
You can avoid this problem with the root guard function. A port with root guard
enabled can only keep the designated port role in all spanning tree instances. When
such a port receives configuration BPDUs with a higher priority, it enters the
discarding state (rather than becoming a non-designated port) and stops forwarding
packets, as if it were disconnected from the link. It returns to the normal state
if it receives no higher-priority configuration BPDUs for a specified period.
Loop guard
A switch maintains the states of its root port and other blocked ports by receiving
and processing BPDUs from the upstream switch. These BPDUs may be lost because of
network congestion or unidirectional link failures. If a switch receives no BPDUs
from the upstream switch for a certain period, it selects a new root port, the
original root port becomes a designated port, and the blocked ports transition to
the forwarding state. This may create loops in the network.
The loop guard function suppresses such loops. With this function enabled, if link
congestion or a unidirectional link failure occurs, both the root port and the
blocked ports become designated ports and enter the discarding state. They stop
forwarding packets, and loops are thereby prevented.
CAUTION: Loop guard is mutually exclusive with both the root guard function and
the edge port configuration: a port with loop guard enabled cannot have either of
them configured at the same time.
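The root guard and loop guard behaviour described in the two sections above, as an added Python simulation (not the switch's code and not part of this manual). The BPDU layout is the IEEE 802.1D one and the 20-second max age is the standard default; the root guard recovery period, which the text leaves unspecified, is assumed to be 20 seconds. The GuardedPort class, its role and state names, and the bridge MAC addresses are constructed for the illustration.

```python
"""Simulation of root guard and loop guard as the text describes them.
Constructed model, not the switch's implementation. The 8-byte root
identifier sits at the same offset in configuration BPDUs (type 0x00)
and RST/MST BPDUs (type 0x02)."""
import struct

MAX_AGE = 20.0              # s; standard default before BPDU information ages out
ROOT_GUARD_RECOVERY = 20.0  # s; assumed value for the "specified period" in the text


def build_config_bpdu(root_priority, root_mac, bridge_priority, bridge_mac,
                      root_path_cost=0):
    """Return a 35-byte IEEE 802.1D configuration BPDU (constructed test input)."""
    return struct.pack(
        "!HBBBH6sIH6sHHHHH",
        0x0000, 0x00, 0x00, 0x00,        # protocol ID, version 0, type=config, flags
        root_priority, root_mac,         # root identifier: 2-byte priority + MAC
        root_path_cost,
        bridge_priority, bridge_mac,     # sender's bridge identifier
        0x8001,                          # port identifier
        0, 20 * 256, 2 * 256, 15 * 256,  # msg age, max age, hello, fwd delay (1/256 s)
    )


def parse_root_id(bpdu):
    """Extract the root identifier as an integer; a lower value is a superior root."""
    if len(bpdu) < 35 or bpdu[0:2] != b"\x00\x00" or bpdu[3] not in (0x00, 0x02):
        raise ValueError("not a configuration/RST BPDU")
    return int.from_bytes(bpdu[5:13], "big")


class GuardedPort:
    """One spanning-tree port, optionally protected by root guard or loop guard."""

    def __init__(self, current_root, role, now, root_guard=False, loop_guard=False):
        if root_guard and loop_guard:
            raise ValueError("root guard and loop guard are mutually exclusive")
        self.current_root = current_root   # best root ID known so far, as an integer
        self.role = role                   # "designated", "root" or "alternate"
        self.state = "forwarding" if role in ("designated", "root") else "discarding"
        self.root_guard, self.loop_guard = root_guard, loop_guard
        self.last_bpdu = now               # when the last upstream BPDU arrived
        self.superior_seen = None          # when a superior BPDU was last seen

    def receive_bpdu(self, bpdu, now):
        """Process an incoming BPDU; returns (role, state) after the event."""
        self.last_bpdu = now
        root_id = parse_root_id(bpdu)
        if root_id < self.current_root:    # the sender claims a better root
            if self.root_guard:
                # Root guard: keep the designated role but discard traffic
                # while superior BPDUs keep arriving.
                self.state = "discarding"
                self.superior_seen = now
            else:
                # Unguarded: accept the new root; this port is re-elected as the
                # root port (a non-designated role) and the topology changes.
                self.current_root = root_id
                self.role, self.state = "root", "forwarding"
        return self.role, self.state

    def tick(self, now):
        """Run the timers; returns (role, state) after recovery and aging."""
        if (self.root_guard and self.state == "discarding"
                and self.superior_seen is not None
                and now - self.superior_seen >= ROOT_GUARD_RECOVERY):
            self.state, self.superior_seen = "forwarding", None  # superior BPDUs gone
        if self.role in ("root", "alternate") and now - self.last_bpdu > MAX_AGE:
            # Upstream BPDUs stopped (congestion or unidirectional failure).
            # Without loop guard the port starts forwarding: a potential loop.
            # With loop guard it becomes designated but stays discarding.
            self.role = "designated"
            self.state = "discarding" if self.loop_guard else "forwarding"
        return self.role, self.state


def demo():
    """Constructed scenario: core root with priority 4096, rogue claiming priority 0."""
    core_mac, rogue_mac = bytes.fromhex("00005e000001"), bytes.fromhex("00005e0000ff")
    core_root = build_config_bpdu(0x1000, core_mac, 0x1000, core_mac)
    rogue = build_config_bpdu(0x0000, rogue_mac, 0x0000, rogue_mac)
    current_root = parse_root_id(core_root)

    guarded = GuardedPort(current_root, "designated", now=0.0, root_guard=True)
    unguarded = GuardedPort(current_root, "designated", now=0.0)
    results = {
        "root_guard": guarded.receive_bpdu(rogue, now=1.0),        # ('designated', 'discarding')
        "no_root_guard": unguarded.receive_bpdu(rogue, now=1.0),   # ('root', 'forwarding')
        "root_guard_recovered": guarded.tick(now=1.0 + ROOT_GUARD_RECOVERY),
    }
    # Blocked (alternate) ports whose upstream BPDUs stop arriving after t=0.
    with_guard = GuardedPort(current_root, "alternate", now=0.0, loop_guard=True)
    without_guard = GuardedPort(current_root, "alternate", now=0.0)
    results["loop_guard"] = with_guard.tick(now=MAX_AGE + 1)        # ('designated', 'discarding')
    results["no_loop_guard"] = without_guard.tick(now=MAX_AGE + 1)  # ('designated', 'forwarding')
    return results
```

The comparison in receive_bpdu is the whole of root guard: the root identifier is compared as one 8-byte value, so a rogue bridge only needs a lower priority field (or the same priority and a lower MAC) to win an unguarded election. In tick, loop guard changes only the state the aged-out port lands in; the role change to designated happens either way, which is exactly what the text describes.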
TC-BPDU attack guard
Normally, a switch flushes its MAC address table and ARP entries upon receiving a
TC-BPDU. If a malicious user sends a large number of TC-BPDUs to a switch in a
short period, the switch may be kept busy flushing its MAC address table and ARP
entries, which may affect spanning tree calculation, consume a large amount of
bandwidth (every flushed address has to be relearned through flooding) and
increase switch CPU utilization.
With the TC-BPDU attack guard function enabled, a switch performs a flush upon
receiving a TC-BPDU and starts a timer (10 seconds by default) at the same time.
Before the timer expires, the switch performs the flush only a limited number of
times (up to six by default), regardless of how many TC-BPDUs it receives. This
mechanism prevents a switch from being kept busy flushing its MAC address table
and ARP entries.
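The flush rate-limiting described above, as an added Python model that is not the switch's implementation and not part of this manual. It uses the defaults the text gives (a 10-second timer and at most six flushes per timer period); the TcProtection class, the flood helper and the burst of TC-BPDUs fed in are constructed for the illustration.

```python
"""Model of the TC-BPDU attack guard described in the text.
Constructed example, not the switch's implementation."""


class TcProtection:
    """Rate-limit address-table flushes triggered by topology change BPDUs."""

    def __init__(self, threshold=6, window=10.0):
        self.threshold = threshold   # maximum flushes per period (the command's value)
        self.window = window         # timer started by the first TC-BPDU, in seconds
        self.window_start = None     # None means the timer is not running
        self.flushes_in_window = 0
        self.total_flushes = 0
        self.suppressed = 0          # TC-BPDUs that did not trigger a flush

    def receive_tc_bpdu(self, now):
        """Handle one TC-BPDU arriving at time `now`; returns True if a flush ran."""
        if self.window_start is None or now - self.window_start >= self.window:
            self.window_start = now        # timer expired or never ran: (re)start it
            self.flushes_in_window = 0
        if self.flushes_in_window < self.threshold:
            self.flushes_in_window += 1
            self.total_flushes += 1
            self.flush_tables()
            return True
        self.suppressed += 1               # over the limit: ignore until the timer expires
        return False

    def flush_tables(self):
        """Stand-in for clearing the MAC address table and ARP entries."""
        pass

    def attack_suspected(self):
        """Suppressed TC-BPDUs are the signal worth logging or alerting on."""
        return self.suppressed > 0


def flood(guard, count, interval, start=0.0):
    """Deliver `count` TC-BPDUs spaced `interval` seconds apart; returns flushes done."""
    return sum(guard.receive_tc_bpdu(start + i * interval) for i in range(count))


def demo():
    """Constructed burst: 1000 TC-BPDUs in 5 s, then one more after the timer expires."""
    unprotected = TcProtection(threshold=float("inf"))   # guard disabled
    protected = TcProtection()                            # defaults: 6 flushes per 10 s
    strict = TcProtection(threshold=1)                    # a lower configured threshold
    results = {
        "flushes_without_guard": flood(unprotected, 1000, 0.005),  # 1000
        "flushes_with_guard": flood(protected, 1000, 0.005),       # 6
        "flushes_with_threshold_1": flood(strict, 1000, 0.005),    # 1
        "suppressed": protected.suppressed,                        # 994
        "attack_suspected": protected.attack_suspected(),          # True
    }
    # Once the timer has expired, a legitimate topology change is flushed again.
    results["flush_after_timer"] = protected.receive_tc_bpdu(now=10.5)  # True
    return results
```

The window is only restarted by a TC-BPDU that arrives after it has expired, so a sustained flood still costs at most `threshold` flushes every `window` seconds. The suppressed counter is the operational hook: on a stable network it should stay at zero, and a non-zero value is worth an alert because it means someone is sending topology change notifications faster than the topology can plausibly change.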
You can use the stp tc-protection threshold command to set the maximum number of
times the switch may flush its MAC address table and ARP entries within a period.
While the number of TC-BPDUs received within the period is below this maximum, the
switch performs a flush upon each TC-BPDU it receives. Once the number of TC-BPDUs
received reaches the maximum, the switch stops flushing for the rest of the
period. For example, if you set