Loop guard

A device maintains the states of its root port and other blocked ports by receiving and processing BPDUs from the upstream device. These BPDUs may be lost because of network congestion or unidirectional link failures. If a device does not receive BPDUs from the upstream device for a certain period, it selects a new root port; the original root port becomes a designated port, and the blocked ports transition to the forwarding state. This may cause loops in the network.

The loop guard function suppresses such loops. With this function enabled, if link congestion or unidirectional link failures occur, both the root port and the blocked ports become designated ports and transition to the discarding state. In this state they stop forwarding packets, so loops are prevented.

The loop guard function, the root guard function, and the edge port configuration are mutually exclusive: loop guard cannot be enabled together with either of the other two.

TC-BPDU attack guard

Normally, a device removes its MAC address table and ARP entries upon receiving a TC-BPDU. If a malicious user sends a large number of TC-BPDUs to a device in a short period, the device may be kept busy removing the MAC address table and ARP entries, which can affect spanning tree calculation, consume a large amount of bandwidth, and increase device CPU utilization.

With the TC-BPDU attack guard function enabled, a device performs the removing operation upon receiving a TC-BPDU and starts a timer (10 seconds by default) at the same time. Before the timer expires, the device performs the removing operation only a limited number of times (up to six times by default), regardless of the number of TC-BPDUs it receives. This mechanism prevents a device from being kept busy removing the MAC address table and ARP entries.

You can use the stp tc-protection threshold command to set the maximum number of times a device removes the MAC address table and ARP entries in a given period. While the number of TC-BPDUs received within the period is less than this maximum, the device performs a removing operation upon receiving each TC-BPDU. Once the number of TC-BPDUs received reaches the maximum, the device stops performing the removing operation until the period ends. For example, if you set the maximum to 100 and the device receives 200 TC-BPDUs in the period, the device removes the MAC address table and ARP entries only 100 times within that period.
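As an added example (not code from the 3Com manual), the following Python simulation models the TC-BPDU attack guard timer and threshold described above, including the manual's 100-of-200 case; the class and function names are the example's own, and the arrival times are constructed.

```python
from typing import List, Optional, Tuple


class TcGuard:
    """Rate-limit the MAC-table/ARP flush that a TC-BPDU normally triggers.

    Defaults mirror the manual: a 10-second timer and at most six flushes
    per period (the value set with 'stp tc-protection threshold')."""

    def __init__(self, window: float = 10.0, threshold: int = 6, enabled: bool = True):
        self.window = window
        self.threshold = threshold
        self.enabled = enabled
        self.timer_start: Optional[float] = None  # None = timer not running
        self.in_window = 0       # flushes performed in the current period
        self.flushes = 0         # total flushes performed
        self.suppressed = 0      # TC-BPDUs received without a flush

    def on_tc_bpdu(self, now: float) -> bool:
        """Handle one TC-BPDU received at time `now` (seconds).
        Returns True if the MAC/ARP flush is performed, False if suppressed."""
        if not self.enabled:
            self.flushes += 1          # unprotected: every TC-BPDU flushes
            return True
        if self.timer_start is None or now - self.timer_start >= self.window:
            self.timer_start = now     # first TC-BPDU of a period starts the timer
            self.in_window = 0
        if self.in_window < self.threshold:
            self.in_window += 1
            self.flushes += 1
            return True
        self.suppressed += 1           # threshold reached: ignore until timer expires
        return False


def replay(arrivals: List[float], **guard_opts) -> Tuple[int, int]:
    """Feed TC-BPDU arrival times through a guard; return (flushes, suppressed)."""
    guard = TcGuard(**guard_opts)
    for t in arrivals:
        guard.on_tc_bpdu(t)
    return guard.flushes, guard.suppressed


# Constructed flood: 200 TC-BPDUs arriving 10 ms apart (2 seconds in total).
FLOOD = [i * 0.01 for i in range(200)]

if __name__ == "__main__":
    print("guard off    :", replay(FLOOD, enabled=False))   # (200, 0)
    print("default      :", replay(FLOOD))                  # (6, 194)
    print("threshold 100:", replay(FLOOD, threshold=100))   # (100, 100)
```

Comparing the three runs shows what a flood costs an unprotected device versus one with the default or a custom threshold.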

BPDU dropping

In an STP-enabled network, some users may send BPDU packets to the device continuously in order to disrupt the network. When a device receives these BPDU packets, it forwards them to other devices. As a result, STP calculation is performed repeatedly, which may consume too much CPU on the devices or cause errors in the protocol state of the BPDU packets.

To avoid this problem, you can enable BPDU dropping on Ethernet ports. Once the function is enabled on a port, the port neither receives nor forwards any BPDU packets. In this way the device is protected against BPDU packet attacks and the STP calculation remains correct.

3Com WX3000 operation manual Loop guard, TC-BPDU attack guard, Bpdu dropping