
Configure the Spanning Tree Protection Function

Configuration Condition

None

Configure BPDU Guard Function

On an access layer device, an access port is usually connected directly to a user terminal or file server. Such a port is configured as an edge port so that it can transition quickly between port states. When an edge port receives BPDU packets, it automatically becomes a non-edge port, which triggers recalculation of the spanning tree. Normally an edge port does not receive BPDU packets; if an attacker sends forged BPDU packets to the device, however, the resulting recalculation can cause network flapping. The BPDU Guard function prevents such attacks: if an edge port on which BPDU Guard is enabled receives a BPDU packet, the port is shut down.

Table 9-23 Configuring the BPDU Guard Function

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode. | configure terminal | - |
| Enter the L2 Ethernet interface configuration mode. | interface interface-name | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port. |
| Enter the aggregation group configuration mode. | interface link-aggregation link-aggregation-id | Either. After entering the aggregation group configuration mode, the subsequent configuration takes effect only on the aggregation group. |
| Configure the BPDU Guard function. | spanning-tree bpdu guard | Mandatory. By default, the BPDU Guard function is disabled on the port. |

Configure BPDU Filter Function

After the BPDU Filter function is enabled on an edge port, the port does not send or receive BPDU packets.

Table 9-24 Configuring the BPDU Filter Function

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode. | configure terminal | - |
| Enter the L2 Ethernet interface configuration mode. | interface interface-name | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port. |
| Enter the aggregation group configuration mode. | interface link-aggregation link-aggregation-id | Either. After entering the aggregation group configuration mode, the subsequent configuration takes effect only on the aggregation group. |
| Configure the BPDU Filter function. | spanning-tree bpdu filter | Mandatory. By default, the BPDU Filter function is disabled. |

Configure the Flap Guard Function

In a stable topology, the root port usually does not change. However, if the links in the network are unstable or the network is attacked with external BPDU packets, root ports may switch over frequently, which eventually causes network flapping.

The Flap Guard function prevents frequent switchover of root ports. After Flap Guard is enabled, if the root port role of a spanning tree instance changes more often than the configured threshold, the root port of that instance enters the Flap Guard status: it is held in the Discarding status and resumes normal spanning tree calculation only after the recovery time expires.

Table 9-25 Configuring the Flap Guard Function

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode. | configure terminal | - |
| Enable the Flap Guard function. | spanning-tree flap-guard enable | Mandatory. By default, the Flap Guard function is disabled. |
| Configure the maximum number of root port changes that are allowed within a detection period. | spanning-tree flap-guard max-flaps max-flaps-number time seconds | Optional. By default, after the Flap Guard function is enabled, if five root port role changes occur for an instance within 10 seconds, the port enters the Flap Guard status. |
| Configure the Flap Guard recovery time. | spanning-tree flap-guard recovery-time seconds | Optional. By default, the Flap Guard recovery time is 30 seconds. |
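The following Python model is an added example, not the vendor's code, and is written to make the Flap Guard thresholds above concrete: role changes are counted per instance inside a sliding detection window (`max-flaps` within `time`), and reaching the maximum holds the root port Discarding for `recovery-time`. The exact comparison (reaching versus exceeding the maximum) and the sliding-window interpretation of the detection period are assumptions; the defaults (5 changes in 10 seconds, 30-second recovery) are the ones stated in Table 9-25, and the timestamps in `simulate_flaps` are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class FlapGuard:
    """Model of the Flap Guard behaviour described in the text (assumed
    semantics, not the vendor's implementation). Root-port role changes are
    counted per spanning tree instance inside a detection window; when the
    count reaches max_flaps, the instance's root port is held in the
    Discarding status until recovery_time has elapsed."""

    max_flaps: int = 5           # default max-flaps from Table 9-25
    window: float = 10.0         # default detection period, seconds
    recovery_time: float = 30.0  # default recovery time, seconds
    _changes: dict = field(default_factory=dict)     # instance -> change timestamps
    _held_until: dict = field(default_factory=dict)  # instance -> end of Flap Guard status

    def in_flap_guard(self, instance: int, now: float) -> bool:
        """True while the instance's root port is in the Flap Guard status."""
        return now < self._held_until.get(instance, float("-inf"))

    def root_port_changed(self, instance: int, now: float) -> str:
        """Record a root-port role change at time `now` and return the port
        status: 'normal', 'flap-guard' (status entered by this change) or
        'held' (change ignored because the port is still Discarding)."""
        if self.in_flap_guard(instance, now):
            return "held"
        history = self._changes.setdefault(instance, [])
        history.append(now)
        # keep only the changes that fall inside the detection window
        history[:] = [t for t in history if now - t <= self.window]
        if len(history) >= self.max_flaps:
            self._held_until[instance] = now + self.recovery_time
            history.clear()
            return "flap-guard"
        return "normal"


def simulate_flaps(timestamps, instance=0, **settings):
    """Feed a list of role-change times (constructed sample data) to a FlapGuard
    and return the status reported for each change."""
    guard = FlapGuard(**settings)
    return [guard.root_port_changed(instance, t) for t in timestamps]


if __name__ == "__main__":
    # five changes in five seconds trip the guard; the change at t=10 is ignored
    # while the port is held; by t=35 the recovery time has expired
    print(simulate_flaps([0, 1, 2, 3, 4, 10, 35]))
    # five changes spread over 12 seconds never have five inside one 10 s window
    print(simulate_flaps([0, 3, 6, 9, 12]))
```

The second call shows why the detection period matters: the same number of changes spread out over a longer time does not trigger the guard, so lowering `time` or raising `max-flaps` trades detection speed against tolerance of legitimate reconvergence.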

Configure the Loop Guard Function

The local device maintains the status of its root port and other blocked ports according to the BPDU packets sent periodically by the upstream device. In the case of link congestion or a unidirectional link failure, these ports stop receiving BPDU packets from the upstream device and the spanning tree information held on the port times out.

The downstream device then re-elects port roles: the ports that no longer receive BPDU packets become designated ports, and previously blocked ports migrate to the Forwarding status, which creates loops in the switched network.

The Loop Guard function suppresses such loops. After Loop Guard is enabled on a port, if the port's spanning tree information times out because no BPDU packets arrive from the upstream device, the port is set to the Discarding status during role recalculation and does not participate in spanning tree calculation. Once an instance on the port receives BPDU packets again, the port participates in spanning tree calculation again.

Table 9-26 Configuring the Loop Guard Function

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode. | configure terminal | - |
| Enter the L2 Ethernet interface configuration mode. | interface interface-name | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port. |
| Enter the aggregation group configuration mode. | interface link-aggregation link-aggregation-id | Either. After entering the aggregation group configuration mode, the subsequent configuration takes effect only on the aggregation group. |
| Configure the Loop Guard function. | spanning-tree guard { loop \| root \| none } | Mandatory. By default, the Loop Guard function is disabled on the port. |

Note:

  • On a port, either the Root Guard function or the Loop Guard function can be enabled at a time.

Configure the Root Guard Function

The root bridge and backup root bridge of a spanning tree must be in the same region; this applies in particular to the CIST root bridge and its backup. In network design, the CIST root bridge and its backup are usually placed in the high-bandwidth core region. However, owing to incorrect configuration or malicious attacks in the network, the legitimate root bridge may receive a BPDU packet with a higher priority, lose its role as the root bridge, and cause an improper change of the network topology. Such a change may divert traffic that should traverse a high-speed link onto a low-speed link, causing network congestion.

The Root Guard function prevents this. If Root Guard is enabled on a port, the port can act only as the designated port in all instances. If the port receives a superior BPDU configuration message, it is set to the Discarding status; if it receives no superior BPDU configuration message for a period of time, the port resumes its previous status. It is recommended that you enable the Root Guard function on the specified port.

Table 9-27 Configuring the Root Guard Function

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode. | configure terminal | - |
| Enter the L2 Ethernet interface configuration mode. | interface interface-name | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port. |
| Enter the aggregation group configuration mode. | interface link-aggregation link-aggregation-id | Either. After entering the aggregation group configuration mode, the subsequent configuration takes effect only on the aggregation group. |
| Configure the Root Guard function. | spanning-tree guard { loop \| root \| none } | Mandatory. By default, the Root Guard function is disabled on the port. |

Note:

  • On a port, either the Root Guard function or the Loop Guard function can be enabled at a time.
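The Loop Guard and Root Guard descriptions above differ in what the guard refuses to let the port do: Loop Guard stops a root or alternate port from becoming a designated port when upstream BPDUs stop arriving, and Root Guard stops a designated port from becoming a root port when a superior BPDU arrives. The following Python model is an added example, not the vendor's implementation, and contrasts an unguarded port with a guarded one for both cases. The `bpdu_timeout` value, the `superior` flag on a BPDU, and the "resume when no superior BPDU arrives for `bpdu_timeout`" rule are simplifying assumptions; the `{ loop | root | none }` mutual exclusion mirrors the command in the tables.

```python
class StpPort:
    """Minimal model of one spanning tree port with the Loop Guard and Root
    Guard behaviour described in the text (assumed semantics, not the vendor's
    implementation). Only one guard can be active on a port, matching
    `spanning-tree guard { loop | root | none }`."""

    def __init__(self, role: str, guard: str = "none", bpdu_timeout: float = 6.0):
        if guard not in ("loop", "root", "none"):
            raise ValueError("guard must be loop, root or none")
        self.guard = guard
        self.role = role                   # 'root', 'alternate' or 'designated'
        self.status = "discarding" if role == "alternate" else "forwarding"
        self.bpdu_timeout = bpdu_timeout   # assumed: seconds until stored BPDU info times out
        self.last_bpdu = 0.0               # time of the last BPDU from the neighbour
        self.last_superior = None          # time of the last superior BPDU (Root Guard)
        self.saved = None                  # (role, status) saved while a guard holds the port

    def state(self) -> str:
        return f"{self.role}/{self.status}"

    def _hold(self):
        """Put the port into the guard's Discarding status, remembering what to restore."""
        if self.saved is None:
            self.saved = (self.role, self.status)
        self.status = "discarding"

    def _release(self):
        """Leave the guard status and resume the saved role and status."""
        if self.saved is not None:
            self.role, self.status = self.saved
            self.saved = None

    def receive_bpdu(self, now: float, superior: bool = False) -> str:
        """Handle a BPDU from the neighbour; `superior` means it advertises a better root."""
        self.last_bpdu = now
        if self.guard == "loop":
            self._release()          # upstream BPDUs are back: resume spanning tree calculation
        if superior:
            self.last_superior = now
            if self.guard == "root":
                self._hold()         # Root Guard: the port must remain a designated port
            else:
                self.role, self.status = "root", "forwarding"  # unguarded: superior BPDU wins
        return self.state()

    def tick(self, now: float) -> str:
        """Advance the clock; detects expired BPDU information."""
        if self.role in ("root", "alternate") and now - self.last_bpdu > self.bpdu_timeout:
            if self.guard == "loop":
                self._hold()         # Loop Guard: held Discarding instead of becoming designated
            else:
                # unguarded: the port assumes the upstream is gone and goes designated/Forwarding,
                # which is exactly the loop the text warns about
                self.role, self.status = "designated", "forwarding"
        if (self.guard == "root" and self.saved is not None
                and now - self.last_superior > self.bpdu_timeout):
            self._release()          # no superior BPDU for a while: resume previous status
        return self.state()


if __name__ == "__main__":
    # constructed scenario 1: upstream BPDUs stop on an alternate port
    unguarded = StpPort("alternate")
    guarded = StpPort("alternate", guard="loop")
    for p in (unguarded, guarded):
        p.receive_bpdu(0.0)
    print("loop case:", unguarded.tick(10.0), "vs", guarded.tick(10.0))
    # constructed scenario 2: a superior BPDU arrives on a designated port
    unguarded = StpPort("designated")
    guarded = StpPort("designated", guard="root")
    print("root case:", unguarded.receive_bpdu(0.0, superior=True),
          "vs", guarded.receive_bpdu(0.0, superior=True), "->", guarded.tick(7.0))
```

In both scenarios the guarded port ends up Discarding where the unguarded port would have changed role, which is the property each guard is meant to provide; the model also shows why the two guards are mutually exclusive on a port, since they protect opposite role transitions.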

Configure TC Guard Function

When a device detects a change of the network topology, it generates TC packets to inform the other devices in the network of the change. A device that receives a TC packet refreshes its address table. When the topology is unstable, or when an attacker constructs TC packets artificially, TC packets are generated frequently in the network; as a result, devices refresh their address tables repeatedly, which affects spanning tree calculation and leads to high CPU occupation.

TC Guard prevents this. After TC Guard is configured on a port, when the device receives a TC packet on that port it neither processes the TC flag nor propagates the TC any further, so that TC packets can no longer be used to attack the network effectively.

Table 9-28 Configuring the TC Guard Function

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode. | configure terminal | - |
| Enter the L2 Ethernet interface configuration mode. | interface interface-name | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port. |
| Enter the aggregation group configuration mode. | interface link-aggregation link-aggregation-id | Either. After entering the aggregation group configuration mode, the subsequent configuration takes effect only on the aggregation group. |
| Configure the TC Guard function. | spanning-tree tc-guard enable | Mandatory. By default, the TC Guard function is disabled on the port. |

Configure the TC Protection Function

When the network topology changes, devices handling TC packets refresh their MAC address tables so that service data is still forwarded normally during the change. Attacks with forged TC packets may cause devices to refresh MAC addresses frequently, which affects spanning tree calculation and leads to high CPU occupancy.

The TC protection function prevents this. After TC protection is enabled, each TC packet received within the TC protection interval increments the TC counter by one. When the counter is equal to or larger than the threshold, the device enters a suppressed status and does not refresh MAC addresses when handling subsequent TC packets. After the TC protection interval expires, the suppressed status returns to normal and the TC counter is cleared and restarted.

Table 9-29 Configuring the TC Protection Function

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode. | configure terminal | - |
| Enable the TC protection function. | spanning-tree tc-protection enable | Optional. By default, the TC protection function is disabled. |
| Configure a TC protection interval. | spanning-tree tc-protection interval seconds | Mandatory. By default, the TC protection interval is 2 seconds. |
| Configure the TC protection threshold. | spanning-tree tc-protection threshold threshold-value | Mandatory. By default, the TC protection threshold is 3. |
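To make the interval/threshold interaction above concrete, the following Python model is an added example, not the vendor's code. It counts TC packets inside one protection interval, enters the suppressed status when the counter reaches the threshold, and returns to normal with a cleared counter when the interval expires. It assumes that an interval starts with the first TC packet received after the previous one expired, and that the packet which reaches the threshold is itself still handled normally (the text says later packets are suppressed); the defaults of 2 seconds and 3 packets are those in Table 9-29, and the timestamps in `simulate_tc` are constructed sample data.

```python
class TcProtection:
    """Model of the TC protection mechanism described in the text (assumed
    semantics, not the vendor's implementation). TC packets received inside one
    protection interval are counted; once the counter reaches the threshold the
    device enters a suppressed status and stops refreshing MAC addresses for
    later TC packets. When the interval expires the status returns to normal
    and the counter restarts."""

    def __init__(self, interval: float = 2.0, threshold: int = 3):
        self.interval = interval      # default tc-protection interval, seconds
        self.threshold = threshold    # default tc-protection threshold
        self.counter = 0
        self.suppressed = False
        self.interval_start = None    # assumption: interval begins with the first TC packet

    def receive_tc(self, now: float) -> bool:
        """Handle a TC packet received at time `now`. Returns True if the device
        refreshes its MAC address table, False if the refresh is suppressed."""
        if self.interval_start is None or now - self.interval_start >= self.interval:
            # previous interval expired: back to normal status, counter cleared
            self.interval_start = now
            self.counter = 0
            self.suppressed = False
        self.counter += 1
        if self.suppressed:
            return False
        if self.counter >= self.threshold:
            # threshold reached: this packet is still handled, later ones are suppressed
            self.suppressed = True
        return True


def simulate_tc(timestamps, **settings):
    """Feed constructed TC packet arrival times to one TcProtection instance and
    return, per packet, whether the MAC address table was refreshed."""
    guard = TcProtection(**settings)
    return [guard.receive_tc(t) for t in timestamps]


if __name__ == "__main__":
    # a burst of 20 TC packets 0.1 s apart all fall inside one 2 s interval:
    # only the first 3 cause a MAC address refresh
    burst = [i * 0.1 for i in range(20)]
    print(sum(simulate_tc(burst)), "refreshes out of", len(burst))
    # packets at 2.5 s and later start a fresh interval and are handled again
    print(simulate_tc([0.0, 0.5, 1.0, 1.5, 1.9, 2.5, 2.6]))
```

The burst case is the attack scenario the text describes: with the defaults, a flood of TC packets costs at most `threshold` MAC-table refreshes per `interval`, which bounds the CPU impact regardless of the packet rate.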