Loading ...
Loading ...
Loading ...
Loop Protect
In a stable network, a switch maintains the states of ports by receiving and processing BPDU
packets from the upstream switch. However, when link congestions or link failures occurred to
the network, a down stream switch does not receive BPDU packets for certain period, which
results in spanning trees being regenerated and roles of ports being reselected, and causes
the blocked ports to transit to forwarding state. Therefore, loops may be incurred in the
network.
The loop protect function can suppresses loops. With this function enabled, a port, regardless
of the role it plays in instances, is always set to blocking state, when the port does not receive
BPDU packets from the upstream switch and spanning trees are regenerated, and thereby
loops can be prevented.
Root Protect
A CIST and its secondary root bridges are usually located in the high-bandwidth core region.
Wrong configuration or malicious attacks may result in configuration BPDU packets with higher
priorities being received by the legal root bridge, which causes the current legal root bridge to
lose its position and network topology jitter to occur. In this case, flows that should travel along
high-speed links may lead to low-speed links, and network congestion may occur.
To avoid this, MSTP provides root protect function. Ports with this function enabled can only be
set as designated ports in all spanning tree instances. When a port of this type receives BDPU
packets with higher priority, it transits its state to blocking state and stops forwarding packets
(as if it is disconnected from the link). The port resumes the normal state if it does not receive
any configuration BPDU packets with higher priorities for a period of two times of forward
delay.
TC Protect
A switch removes MAC address entries upon receiving TC-BPDU packets. If a user maliciously
sends a large amount of TC-BPDU packets to a switch in a short period, the switch will be busy
with removing MAC address entries, which may decrease the performance and stability of the
network.
To prevent the switch from frequently removing MAC address entries, you can enable the TC
protect function on the switch. With TC protect function enabled, if the account number of the
received TC-BPDUs exceeds the maximum number you set in the TC threshold field, the switch
will not performs the removing operation in the TC protect cycle. Such a mechanism prevents
the switch from frequently removing MAC address entries.
BPDU Protect
Ports of the switch directly connected to PCs or servers are configured as edge ports to
rapidly transit their states. When these ports receive BPDUs, the system automatically
configures these ports as non-edge ports and regenerates spanning trees, which may cause
network topology jitter. Normally these ports do not receive BPDUs, but if a user maliciously
attacks the switch by sending BPDUs, network topology jitter occurs.
To prevent this attack, MSTP provides BPDU protect function. With this function enabled on the
switch, the switch shuts down the edge ports that receive BPDUs and reports these cases to
the administrator. If a port is shut down, only the administrator can restore it.
84
Loading ...
Loading ...
Loading ...