Protection Function Configuration
Root protection
A root bridge and its secondary root bridges must reside in the same region. A CIST
root and its secondary root bridges are usually located in the high-bandwidth core region.
Configuration errors or attacks may produce configuration BPDUs whose priorities are
higher than that of the root bridge, which causes a new root bridge to be elected and
the network topology to change repeatedly. In this case, flows that should travel along
high-speed links may be diverted to low-speed links, and network congestion may occur.
You can avoid this by using the root protection function. Ports with this function
enabled remain designated ports in all spanning tree instances. When such a port
receives configuration BPDUs with higher priorities, it changes to the discarding state
(rather than becoming a non-designated port) and stops forwarding packets, as if it
were disconnected from the link. It resumes the normal state if it does not receive
any configuration BPDUs with higher priorities for a specified period.
Loop prevention
A switch maintains the states of its root port and other blocked ports by receiving
and processing BPDUs from the upstream switch. These BPDUs may be lost because of
network congestion or link failures. If a switch does not receive BPDUs from the
upstream switch for a certain period, it selects a new root port, the original root
port becomes a designated port, and the blocked ports transit to the forwarding
state. This may cause loops in the network.
The loop prevention function suppresses such loops. With this function enabled, a root
port does not give up its position and blocked ports remain in the discarding state (they
do not forward packets), so loops are prevented.
TC-BPDU attack prevention
A switch removes MAC address entries and ARP entries upon receiving TC-BPDUs. If a
malicious user sends a large number of TC-BPDUs to a switch in a short period, the
switch may be kept busy removing MAC address entries and ARP entries, which may
decrease the performance and stability of the switch.
With the TC-BPDU attack prevention function enabled, the switch performs only one
removal operation in a specified period (10 seconds by default) after it receives a
TC-BPDU. The switch also checks whether other TC-BPDUs arrive in this period and, if
so, performs one more removal operation in the next period. This mechanism prevents
the switch from being kept busy performing removal operations.
CAUTION:
Only one of the loop prevention function, the root protection function, and the edge
port setting can be enabled on a given port.
Prerequisites
MSTP runs normally on the switch.