3com 5500-SI User Manual

186 CHAPTER 13: MSTP CONFIGURATION
automatically shut it down and notifies the network administrator of the situation. 
Only the administrator can restore edge ports that are shut down.
Root protection
A root bridge and its secondary root bridges must reside in the same region. In 
particular, the root bridge of a CIST and its secondary root bridges are usually located 
in the core region, which is equipped with high bandwidth. But configuration errors or 
malicious attacks may cause a legitimate root bridge to receive BPDUs of higher 
priority and give up its role as root bridge, which makes the network topology jitter. 
In this case, flows that should travel along high-speed links may be led onto 
low-speed links, and network congestion may occur.
You can avoid this problem by using the root protection function. Ports with this 
function enabled retain their roles in all spanning tree instances. When such a port 
receives a BPDU of higher priority, its state is set to discarding and it stops 
forwarding any packets, as if the connected link were down. Only when it has received 
no BPDUs of higher priority for a specified period does it resume its normal state.
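The following is an added illustration of the root protection behaviour described above; it is a simulation written for this page, not code from the 5500-SI or its documentation. The bridge IDs, the port roles and the recovery timer value are assumptions, and the model shows the same port with and without root protection so the difference in role handling is visible.

```python
"""Model of one MSTP port with root protection, as described in the section
above. Added illustration, not the switch's firmware; bridge IDs, the recovery
timer value and the port roles are assumed. Times are simulated seconds.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Bridge IDs compare numerically: a lower value wins the root election, so a
# BPDU carrying a root ID lower than the one we already hold is a
# "BPDU of higher priority" in the manual's wording.
OWN_ROOT_ID = 0x8000_0000          # constructed: the legitimate root's bridge ID
ROGUE_ROOT_ID = 0x1000_0000        # constructed: a superior root ID from another switch
RECOVERY_PERIOD = 30.0             # assumed: seconds without superior BPDUs before recovery


@dataclass
class Port:
    root_protection: bool
    current_root_id: int = OWN_ROOT_ID
    role: str = "designated"
    state: str = "forwarding"
    last_superior_at: Optional[float] = None
    events: List[Tuple[float, str]] = field(default_factory=list)

    def receive_bpdu(self, advertised_root_id: int, now: float) -> None:
        if advertised_root_id >= self.current_root_id:
            return                       # inferior or equal: nothing changes
        if not self.root_protection:
            # Ordinary STP behaviour: accept the better root; the port facing
            # it becomes the root port and this bridge stops being root.
            self.current_root_id = advertised_root_id
            self.role = "root"
            self.events.append((now, "accepted superior root, role changed to root"))
            return
        # Root protection: keep the role, block the port as if the link were down.
        self.last_superior_at = now
        if self.state != "discarding":
            self.state = "discarding"
            self.events.append((now, "superior BPDU received, port set to discarding"))

    def tick(self, now: float) -> str:
        """Advance time; recover once no superior BPDU has arrived for the period."""
        if (self.root_protection and self.state == "discarding"
                and self.last_superior_at is not None
                and now - self.last_superior_at >= RECOVERY_PERIOD):
            self.state = "forwarding"
            self.last_superior_at = None
            self.events.append((now, "no superior BPDU for recovery period, port resumed"))
        return self.state


def run_scenario(root_protection: bool) -> Port:
    """Superior BPDUs at t=0 and t=20, then silence; returns the port for inspection."""
    port = Port(root_protection=root_protection)
    port.receive_bpdu(ROGUE_ROOT_ID, now=0.0)
    port.tick(10.0)
    port.receive_bpdu(ROGUE_ROOT_ID, now=20.0)
    port.tick(40.0)   # only 20 s since the last superior BPDU: still discarding
    port.tick(50.0)   # 30 s of silence: port resumes forwarding
    return port


if __name__ == "__main__":
    for protected in (False, True):
        p = run_scenario(protected)
        print(f"root_protection={protected}: role={p.role}, state={p.state}, "
              f"root={p.current_root_id:#x}")
        for t, msg in p.events:
            print(f"  t={t:>4}: {msg}")
```

Run the script to see both traces: without root protection the port accepts the superior root and the bridge loses its root role; with root protection the role and the recognised root ID never change, the port is discarding while superior BPDUs keep arriving, and it returns to forwarding only after the assumed recovery period of silence.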
Loop prevention
A switch maintains the states of its root port and blocked ports by receiving and 
processing BPDUs from the upstream switch. However, the switch may fail to receive 
these BPDUs because of network congestion or a unidirectional link failure. In this 
case, the switch re-elects a root port, sets the original root port to a designated port, 
and moves the blocked ports into the forwarding state, all of which may cause loops in 
the network.
The loop prevention function suppresses loops of this type. With this function 
enabled, the root port does not give up its role and the blocked ports remain in the 
discarding state, eliminating the possibility of such loops in the network.
TC-BPDU attack prevention
A switch removes its MAC address entries and ARP entries upon receiving a TC-BPDU. If a 
malicious user sends a large number of TC-BPDUs to a switch in a short period, the 
switch may be kept busy removing MAC address entries and ARP entries, which degrades 
the performance of the switch and introduces potential stability risks.
With the TC-BPDU attack prevention function enabled, a switch performs the removal 
operation only once in a specified period (10 seconds by default) after it receives a 
TC-BPDU. The switch also checks whether further TC-BPDUs arrive during that period and, 
if so, performs one more removal operation in the next period. This mechanism prevents 
a switch from being kept busy removing MAC address entries and ARP entries.
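The timer behaviour just described, as an added simulation that is not part of the manual or the switch software. It models the table flush as at most one per period, with TC-BPDUs that arrive inside a running period coalesced into a single further flush at the start of the next period, and compares a sustained burst against what an unprotected switch would do. The 10 second period is the manual's default; the arrival times are constructed.

```python
"""Model of the MSTP TC-BPDU attack prevention timer described above.

Added illustration, not the switch's own code. The switch is modelled as
flushing its MAC address and ARP tables at most once per period; TC-BPDUs
that arrive while a period is running are remembered and cause exactly one
more flush when the period ends. Times are simulated seconds.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class TcBpduGuard:
    period: float = 10.0                     # manual default: 10 seconds
    window_start: Optional[float] = None     # start of the running period, if any
    pending: bool = False                    # a TC-BPDU arrived during the period
    flush_times: List[float] = field(default_factory=list)

    def _flush(self, when: float) -> None:
        # Stand-in for removing MAC address and ARP entries; also opens a new period.
        self.flush_times.append(when)
        self.window_start = when
        self.pending = False

    def _period_running(self, now: float) -> bool:
        return self.window_start is not None and now - self.window_start < self.period

    def advance(self, now: float) -> None:
        """Let time pass. An expired period with a deferred TC-BPDU yields one
        flush at the moment the period ended (which starts the next period)."""
        while self.window_start is not None and not self._period_running(now):
            if self.pending:
                self._flush(self.window_start + self.period)
            else:
                self.window_start = None

    def receive_tc_bpdu(self, now: float) -> bool:
        """Return True if this TC-BPDU triggered an immediate flush."""
        self.advance(now)
        if self._period_running(now):
            self.pending = True          # coalesced into the next period's flush
            return False
        self._flush(now)
        return True


def simulate(arrivals: List[float], period: float = 10.0) -> List[float]:
    """Feed TC-BPDU arrival times through the guard and return the flush times."""
    guard = TcBpduGuard(period=period)
    for t in arrivals:
        guard.receive_tc_bpdu(t)
    guard.advance(arrivals[-1] + 2 * period)   # let the last period expire
    return guard.flush_times


if __name__ == "__main__":
    burst = [float(t) for t in range(31)]      # constructed: one TC-BPDU per second for 30 s
    flushes = simulate(burst)
    print(f"{len(burst)} TC-BPDUs -> {len(flushes)} table flushes at {flushes}")
    print(f"without the guard every TC-BPDU would flush: {len(burst)} flushes")
```

With the constructed one-per-second burst the guard reduces 31 flushes to 5, one at the start of each period, while two TC-BPDUs that arrive more than a period apart are each honoured immediately, so a genuine topology change is still propagated without delay.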
Only one of the loop prevention, root protection, and edge port functions can be in 
effect at a time.
Prerequisites
Configure MSTP on the switch properly.