Operation Manual – MSTP
Quidway S5600 Series Ethernet Switches-Release 1510 Chapter 1
MSTP Configuration
Huawei Technologies Proprietary
1-33
II. Root protection
A root bridge and its secondary root bridges must reside in the same region. A CIST
and its secondary root bridges are usually located in the high-bandwidth core region.
Configuration errors or attacks may result in configuration BPDUs with their priorities
higher than that of a root bridge, which causes new root bridge to be elected and
network topology jitter to occur. In this case, flows that should travel along high-speed
links may be led to low-speed links, and network congestion may occur.
You can avoid this by utilizing the root protection function. Ports with this function
enabled can only be kept as designated ports in all spanning tree instances. When a
port of this type receives configuration BPDUs with higher priorities, it changes to
discarding state (rather than becomes a non-designated port) and stops forwarding
packets (as if it is disconnected from the link). It resumes the normal state if it does not
receive any configuration BPDUs with higher priorities for a specified period.
III. Loop prevention
A switch maintains the states of the root port and other blocked ports by receiving and
processing BPDUs from the upstream switch. These BPDUs may get lost because of
network congestions and link failures. If a switch does not receive BPDUs from the
upstream switch for certain period, the switch selects a new root port; the original root
port becomes a designated port; and the blocked ports transit to forwarding state. This
may cause loops in the network.
The loop prevention function suppresses loops. With this function enabled, if link
congestions or link failures occur, both the root port and the blocked ports become
designated ports and change to be in the discarding state. In this case, they stop
forwarding packets, and thereby loops can be prevented.
IV. TC-BPDU attack prevention
A switch removes MAC address entries and ARP entries upon receiving TC-BPDUs. If
a malicious user sends a large amount of TC-BPDUs to a switch in a short period, the
switch may busy itself in removing MAC address entries and ARP entries, which may
decreases the performance and stability of the switch.
With the TC-BPDU prevention function enabled, the switch performs only one
removing operation in a specified period (it is 10 seconds by default) after it receives a
TC-BPDU. The switch also checks to see if other TC-BPDUs arrive in this period and
performs another removing operation in the next period if a TC-BPDU is received. Such
a mechanism prevents a switch from busying itself in performing removing operations.
To Next Page
Loading...
