Configure the Spanning Tree Protection Function

Configuration Condition

None

Configure BPDU Guard Function

For an access layer device, the access port is usually directly connected to the user terminal or file server. At this time, the port is set to the edge port to realize fast migration of port statuses. When an edge port receives BPDU packets, it automatically changes to a non-edge port to cause re-generation of the spanning tree. Normally, an edge port does not receive BPDU packets. However, if someone sends faked BPDU packets to attack the device in a malicious manner, network flapping may be caused. The BPDU Guard function is used to prevent such attacks. If an edge port on which the BPDU Guard function is enabled receives BPDU packets, the port is closed.

Table 9-23 Configuring the BPDU Guard Function

Configure BPDU Filter Function

After the BPDU Filter function is enabled on an edge port, the port does not send or receive BPDU packets.

Table 9-24 Configuring the BPDU Filter Function

Configure the Flap Guard Function

In a stable topology environment, the root port is usually not changed. However, if the links in the network are not stable or the network experiences attacks with external BPDU packets, frequent switchover of root ports may be caused, and finally network flapping is caused.

The Flap Guard function prevent frequent switchover of root ports. After the Flap Guard function is enabled, if the root port role change frequency of a spanning tree instance exceeds the specified threshold, the root port of the instance enters the Flap Guard status. In this case, the root port is always in the Discarding status, and it starts normal spanning tree calculation only after the recovery time times out.

Table 9-25 Configuring the Flap Guard Function

Configure the Loop Guard Function

The local device maintains the statuses of the root port and other blocked ports according to the BPDU packets that are periodically sent by the upstream device. In the case of link congestion or unidirectional link failure, the ports fail to receive BPDU packets from the upstream device, the spanning tree message on the port times out.

Then, the downstream devices re-elect port roles. The downstream device ports that fail to receive BPDU packets change to designated port, while blocked ports migrate to the Forwarding status, resulting in loops in the switching network.

The Loop Guard function can restrain generation of such loops. After the Loop Guard function is enabled on a port, if the port times out owing to the failure to receive BPDU packets from the upstream device, in re-calculating the port role, the port is set to the Discarding status, and the port does not participate in spanning tree calculation. If an instance on the port receives BPDU packets again, the port participates in spanning tree calculation again.

Table 9-26 Configuring the Loop Guard Function

• ---

  On a port, either the Root Guard function or the Loop Guard function can be enabled at a time.

  ---

   

Configure the Root Guard Function

The root bridge and backup root bridge of a spanning tree must be in the same region, especially the CIST root bridge and its backup bridge. In network design, usually the CIST root bridge and its backup bridge are placed in the core region with high bandwidth. However, owning to incorrect configuration or malicious attacks in the network, the legal root bridge in the network may receive a BPDU packet with a higher priority. In this way, the current legal bridge may lose its role as the root bridge, and improper change of the network topology is caused. The illegal change may lead the traffic that should be transmitted through a high-speed link to a low-speed link, causing network congestion.

The Root Guard function prevents occurrence of such case. If the Root Guard function is enabled on a port, the port can only act as the designated port in all instances. If the port receives a better BPDU configuration message, the port is set to the Discarding status. If it does not receive better BPDU configuration message in a period of time, the port resumes its previous status. It is recommended that you enable the Root Guard function on the specified port.

Table 9-27 Configuring the Root Guard Function

• ---

  On a port, either the Root Guard function or the Loop Guard function can be enabled at a time.

  ---

   

Configure TC Guard Function

When the device detects the network topology change, generate the TC packet and inform the other devices in the environment that the network topology changes. After the device receives the TC packet, refresh the address. When the topology is not stable or constructing the TC packets artificially to attack, generate TC frequently in the network and as a result, the device refreshes the address repeatedly, affecting the spanning tree calculation and resulting in the high CPU occupation.

TC GUARD can prevent the case. After configuring TC GUARD on the current port and the device receives the TC packet, do not process the TC flag or spread TC any more, so as to prevent the TC packets from attacking the network efficiently.

Table 9-28 Configure TC Guard function

Configure the TC Protection Function

If the network topology changes, to ensure normal forwarding of service data during the topology change process, when devices handle TC packets, they will refresh the MAC addresses. Attacks with faked TC packets may cause the devices to refresh MAC addresses frequently. This affects calculation of the spanning tree and leads to a high CPU occupancy.

The TC protection function prevents occurrence of such case. After the TC protection function is enabled, once a TC packet is received within the TC protection interval, the TC counter counts one. If the TC counter is equal to or larger than the threshold, it enters a suppressed status. Then, the devices do not refresh MAC addresses in handling later TC packets. After the TC protection interval, the suppressed status is changed to the normal status, and the TC counter is cleared and started again.

Table 9-29 Configuring the TC Protection Function