3Com 3.01.01 User Manual

Chapter 8: STP Operation
The command can be used only if the switch runs MSTP. The command does not 
make any sense when the switch runs in STP-compatible mode. 
Configuring the Switch Security Function
An MSTP switch provides BPDU protection, Root protection, and loop-protection 
functions. 
On an access device, an access port is usually connected directly to a user 
terminal or a file server, and is set as an edge port to implement fast 
transition. When such a port receives a BPDU packet, the system automatically 
sets it as a non-edge port and recalculates the spanning tree, which causes the 
network topology to flap. Normally, these ports do not receive STP BPDUs. If 
someone forges BPDUs to attack the switch, the network will flap. The BPDU 
protection function guards against such network attacks. 
The primary and secondary root switches of the spanning tree, especially those of 
the CIST, must be located in the same region. This is because, in network design, 
the primary and secondary roots of the CIST are generally placed in the core 
region, which has high bandwidth. In case of a configuration error or a malicious 
attack, the legal primary root may receive a BPDU with a higher priority and then 
lose its place, which causes an erroneous change of network topology. Because of 
this illegal change, traffic that is supposed to travel over the high-speed link 
may be pulled to the low-speed link, and congestion will occur on the network. 
The root protection function guards against this problem.
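The following Python sketch is an added example, not code from the 3Com manual: it parses a constructed configuration BPDU and models how an edge port and an ordinary port react to it with and without BPDU protection and root protection. The Port class, the sample_bpdu helper, the MAC addresses and the action strings (including the enforcement actions taken when a protection is enabled) are assumptions made for illustration.

```python
import struct
from dataclasses import dataclass

@dataclass
class Port:
    name: str
    edge: bool = False             # access port set as an edge port
    bpdu_protection: bool = False  # effect of `stp bpdu-protection`
    root_protection: bool = False  # effect of `stp root-protection`

def sample_bpdu(root_prio: int, root_mac: bytes) -> bytes:
    """Constructed 802.1D configuration BPDU (LLC header + 35-byte body)."""
    bridge_id = struct.pack("!H6s", root_prio, root_mac)  # sender claims to be root
    return (b"\x42\x42\x03"                     # LLC: DSAP, SSAP, control
            + struct.pack("!HBBB", 0, 0, 0, 0)  # protocol id, version, type, flags
            + bridge_id                         # root identifier
            + struct.pack("!I", 0)              # root path cost
            + bridge_id                         # sender bridge identifier
            # port id, message age, max age, hello time, forward delay
            + struct.pack("!HHHHH", 0x8001, 0, 20 << 8, 2 << 8, 15 << 8))

def parse_root_id(frame: bytes) -> tuple:
    """Return (priority, mac) of the root identifier; a lower tuple is better."""
    if len(frame) < 38 or frame[:3] != b"\x42\x42\x03":
        raise ValueError("not an LLC-encapsulated STP BPDU")
    proto, _version, bpdu_type = struct.unpack_from("!HBB", frame, 3)
    if proto != 0 or bpdu_type not in (0x00, 0x02):  # config or RST/MST BPDU
        raise ValueError("not a configuration BPDU")
    return struct.unpack_from("!H6s", frame, 8)

def decide(port: Port, frame: bytes, current_root: tuple) -> str:
    """Simplified model of what the switch does with a BPDU received on port."""
    claimed_root = parse_root_id(frame)
    if port.edge:
        # Edge ports should never receive BPDUs.
        if port.bpdu_protection:
            return "shut-down-port"               # assumed enforcement action
        return "become-non-edge-and-recalculate"  # the flapping described above
    if claimed_root < current_root:               # BPDU with a higher priority
        if port.root_protection:
            return "discard-on-port-keep-root"    # assumed enforcement action
        return "root-replaced"
    return "accept"
```
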
The root port and other blocked ports maintain their state according to the BPDUs 
sent by an uplink switch. Once the link is blocked or has trouble, the ports cannot 
receive BPDUs and the switch selects a root port again. In this case, the former 
root port turns into a designated port, the former blocked ports enter the 
forwarding state, and a link loop is created. 
The loop-protection function can control the generation of such loops. After it is 
enabled, the root port cannot be changed, and a blocked port remains in the 
discarding state and does not forward packets.
You can use the following commands to configure the security functions of the 
switch. 
Perform the following configuration in the corresponding configuration modes. 
Table 22   Configure the Switch Security Function

| Operation | Command |
|---|---|
| Configure switch BPDU protection (from system view) | stp bpdu-protection |
| Restore the default (disabled) BPDU protection state (from system view) | undo stp bpdu-protection |
| Configure switch Root protection (from system view) | stp interface interface-list root-protection |
| Restore the default (disabled) Root protection state (from system view) | undo stp interface interface-list root-protection |
| Configure switch Root protection (from Ethernet port view) | stp root-protection |
| Restore the default (disabled) Root protection state (from Ethernet port view) | undo stp root-protection |