Operation Manual – MSTP
H3C S3600 Series Ethernet Switches-Release 1510 Chapter 1
MSTP Configuration
2) Perform this configuration in Ethernet port view.
<H3C> system-view
[H3C] interface Ethernet1/0/1
[H3C-Ethernet1/0/1] stp mcheck
1.5 Configuring Protection Function
1.5.1 Introduction
The following protection functions are available on an MSTP-enabled switch: BPDU
protection, root protection, loop prevention, and TC-BPDU attack prevention.
I. BPDU protection
Normally, the access ports of the devices operating on the access layer are directly connected to terminals (such as PCs) or file servers. These ports are usually configured as edge ports to achieve rapid transition. But they automatically revert to non-edge ports upon receiving configuration BPDUs, which causes spanning tree recalculation and network topology jitter.
Normally, no configuration BPDU will reach an edge port. But malicious users can attack a network by deliberately sending configuration BPDUs to edge ports to cause network jitter. You can prevent this type of attack by utilizing the BPDU protection function. With this function enabled on a switch, the switch shuts down any edge port that receives a configuration BPDU and then reports the event to the administrator. Once a port is shut down, only the administrator can restore it.
II. Root protection
A root bridge and its secondary root bridges must reside in the same region. The root
bridge of the CIST and its secondary root bridges are usually located in the
high-bandwidth core region. Configuration errors or attacks may result in configuration
BPDUs with their priorities higher than that of a root bridge, which causes a new root
bridge to be elected and network topology jitter to occur. In this case, flows that should
travel along high-speed links may be led to low-speed links, and network congestion
may occur.
You can avoid this problem by utilizing the root protection function. Ports with this function enabled are kept as designated ports in all spanning tree instances. When a port of this type receives configuration BPDUs with higher priorities, it turns to the discarding state (rather than becoming a non-designated port) and stops forwarding packets (as if it were disconnected from the link). It resumes the normal state if it does not receive any configuration BPDUs with higher priorities for a specified period.
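The two protection functions described above (BPDU protection on edge ports and root protection on designated ports) can be summarised as a small per-port state machine. The following Python model is an added illustration, not H3C code and not part of this manual: it replays a constructed scenario in which an edge port with and without BPDU protection, and a designated port with root protection, each receive a configuration BPDU advertising a "better" root. The 30-second hold time for root protection is an assumption, since the manual only says "a specified period"; port names and bridge identifiers are likewise constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class PortState(Enum):
    FORWARDING = "forwarding"
    DISCARDING = "discarding"  # root protection: link behaves as if disconnected
    SHUTDOWN = "shutdown"      # BPDU protection: only the administrator can restore


@dataclass(order=True)
class BridgeId:
    priority: int  # lower numeric value wins the root election (802.1 convention)
    mac: str


@dataclass
class Port:
    name: str
    edge: bool = False
    bpdu_protection: bool = False
    root_protection: bool = False
    designated: bool = True
    state: PortState = PortState.FORWARDING
    recalculations: int = 0  # spanning tree recalculations this port triggered
    block_timer: int = 0     # seconds left in the root-protection discarding state
    events: list = field(default_factory=list)


# Assumed hold time for root protection; the manual gives no value.
ROOT_PROTECT_HOLD = 30


def receive_config_bpdu(port: Port, advertised_root: BridgeId, current_root: BridgeId) -> None:
    """Apply the manual's rules when a configuration BPDU arrives on a port."""
    if port.state is PortState.SHUTDOWN:
        port.events.append(f"{port.name}: BPDU ignored, port is shut down")
        return
    if port.edge:
        if port.bpdu_protection:
            port.state = PortState.SHUTDOWN
            port.events.append(f"{port.name}: BPDU on edge port, shut down, administrator notified")
            return
        port.edge = False
        port.recalculations += 1
        port.events.append(f"{port.name}: reverted to non-edge port, spanning tree recalculated")
    if advertised_root < current_root:  # BPDU carries higher-priority root information
        if port.root_protection:
            port.state = PortState.DISCARDING
            port.block_timer = ROOT_PROTECT_HOLD  # every superior BPDU restarts the hold
            port.events.append(f"{port.name}: superior BPDU, discarding, stays designated")
        else:
            port.designated = False
            port.recalculations += 1
            port.events.append(f"{port.name}: superior BPDU accepted, new root elected")


def tick(port: Port, seconds: int) -> None:
    """Advance time; a root-protected port resumes once the hold expires."""
    if port.state is PortState.DISCARDING and port.block_timer > 0:
        port.block_timer = max(0, port.block_timer - seconds)
        if port.block_timer == 0:
            port.state = PortState.FORWARDING
            port.events.append(f"{port.name}: no superior BPDU for {ROOT_PROTECT_HOLD}s, forwarding")


def administrator_restore(port: Port) -> bool:
    """Only an administrator brings a BPDU-protected port back."""
    if port.state is not PortState.SHUTDOWN:
        return False
    port.state = PortState.FORWARDING
    port.edge = True
    return True


def run_scenarios() -> dict:
    # Constructed bridge identifiers: the rogue advertises priority 0, better than the real root.
    current_root = BridgeId(priority=4096, mac="0000-0000-0001")
    rogue_root = BridgeId(priority=0, mac="0000-0000-00ff")

    plain_edge = Port("Ethernet1/0/1", edge=True)  # edge port, no protection
    receive_config_bpdu(plain_edge, rogue_root, current_root)

    guarded_edge = Port("Ethernet1/0/2", edge=True, bpdu_protection=True)
    receive_config_bpdu(guarded_edge, rogue_root, current_root)
    receive_config_bpdu(guarded_edge, rogue_root, current_root)  # second BPDU has no effect

    guarded_root = Port("Ethernet1/0/24", root_protection=True)  # uplink, designated
    receive_config_bpdu(guarded_root, rogue_root, current_root)
    tick(guarded_root, 10)
    receive_config_bpdu(guarded_root, rogue_root, current_root)  # restarts the hold timer
    tick(guarded_root, 29)  # one second left, still discarding
    tick(guarded_root, 1)   # hold expired, back to forwarding

    return {"plain_edge": plain_edge, "guarded_edge": guarded_edge, "guarded_root": guarded_root}


if __name__ == "__main__":
    for port in run_scenarios().values():
        print("\n".join(port.events))
```

The unprotected edge port both loses its edge status and yields to the rogue root, so it triggers two recalculations; the BPDU-protected port triggers none and simply goes down until `administrator_restore` is called; the root-protected uplink never gives up its designated role and comes back on its own once superior BPDUs stop arriving.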