Operation Manual - STP
Quidway S3500 Series Ethernet Switches
Chapter 1 MSTP Region-configuration
Huawei Technologies Proprietary
Note that the command can be used only if the switch runs MSTP. The command does
not make any sense when the switch runs in STP-compatible mode.
1.2.14 Configure the Switch Security Function
An MSTP switch provides four security functions: BPDU protection, root protection, loop protection and TC protection.
I. BPDU protection
On an access device, an access port is usually connected directly to a user terminal (such as a PC) or a file server, and is configured as an edge port so that it transitions to the forwarding state quickly. When such a port receives a BPDU, the system automatically reconfigures it as a non-edge port and recalculates the spanning tree, which causes the network topology to flap. Normally these ports never receive STP BPDUs; if someone forges BPDUs to attack the switch, the network flaps. The BPDU protection function defends against this kind of attack.
II. Root protection
The primary and secondary root bridges of a spanning tree, especially those of the CIST, should be located in the same region, because in network design the primary and secondary roots of the CIST are generally placed in the core region, which has high bandwidth. If, through a configuration error or a malicious attack, the legitimate primary root receives a BPDU with a higher priority, it loses its root role and the network topology changes incorrectly. Because of this illegitimate change, traffic that should travel over high-speed links may be pulled onto low-speed links, and congestion occurs on the network. The root protection function guards against this problem.
III. Loop protection
A root port and the other blocked ports maintain their state according to the BPDUs sent by the upstream switch. Once the link is blocked or fails, these ports no longer receive BPDUs and the switch reselects its root port. The former root port then becomes a designated port and the former blocked ports enter the forwarding state; as a result, a loop is created.
The loop protection function prevents such loops. After it is enabled, the root port cannot change and the blocked ports remain in the Discarding state, not forwarding packets, so no loop forms.
IV. TC-protection
As a general rule, a switch deletes the corresponding entries in its MAC address table and ARP table when it receives a TC-BPDU. Under a malicious TC-BPDU attack, the switch receives a large number of TC-BPDUs in a very short period; the resulting frequent delete operations consume a great deal of switch resources and seriously threaten network stability.
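The following Python simulation is added here as an example; it is not part of the Huawei manual or the switch software. It models the four protection functions of sections I to IV on a simplified port and switch, running each one with protection disabled (showing the failure the manual describes) and enabled. The class and field names, the "error-down" state used for BPDU protection, and the per-period flush limit used for TC protection are assumptions made for illustration.

```python
"""Simulated MSTP port protection (added example, not Huawei's code).
Assumed model: the error-down state for BPDU protection and the per-period
flush limit for TC protection are illustration choices, not documented behaviour."""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    ROOT = "root"
    DESIGNATED = "designated"
    ALTERNATE = "alternate"        # a blocked port


class State(Enum):
    FORWARDING = "forwarding"
    DISCARDING = "discarding"
    ERROR_DOWN = "error-down"      # assumed: port shut down by BPDU protection


@dataclass
class Bpdu:
    root_priority: int             # lower value = better root
    topology_change: bool = False  # TC flag set -> this is a TC-BPDU


@dataclass
class Port:
    name: str
    role: Role
    edge: bool = False
    state: State = State.FORWARDING
    bpdu_protection: bool = False
    root_protection: bool = False
    loop_protection: bool = False


@dataclass
class Switch:
    root_priority: int             # priority of the root bridge currently known
    tc_protection: bool = False
    tc_flush_limit: int = 1        # assumed: table flushes allowed per hello period
    flushes_this_period: int = 0
    recalculations: int = 0        # spanning-tree recalculations triggered so far
    events: list = field(default_factory=list)

    def receive_bpdu(self, port: Port, bpdu: Bpdu) -> None:
        # I. BPDU protection: an edge port should never receive a BPDU.
        if port.edge:
            if port.bpdu_protection:
                port.state = State.ERROR_DOWN
                self.events.append(f"{port.name}: BPDU on protected edge port, port shut down")
                return
            port.edge = False           # unprotected: edge status lost ...
            self.recalculations += 1    # ... and the tree is recalculated (flapping)
            self.events.append(f"{port.name}: edge port demoted, tree recalculated")
        # II. Root protection: a designated port receives a BPDU claiming a better root.
        if port.role is Role.DESIGNATED and bpdu.root_priority < self.root_priority:
            if port.root_protection:
                port.state = State.DISCARDING
                self.events.append(f"{port.name}: superior BPDU ignored, port discarding")
                return
            self.root_priority = bpdu.root_priority   # unprotected: root usurped
            port.role = Role.ROOT
            self.recalculations += 1
            self.events.append(f"{port.name}: root bridge usurped, tree recalculated")
        # IV. TC protection: bound how often TC-BPDUs may flush the MAC/ARP tables.
        if bpdu.topology_change:
            if self.tc_protection and self.flushes_this_period >= self.tc_flush_limit:
                self.events.append("TC-BPDU flush suppressed: limit reached this period")
            else:
                self.flushes_this_period += 1
                self.events.append("MAC/ARP tables flushed")

    def new_hello_period(self) -> None:
        self.flushes_this_period = 0   # the flush budget is per hello period

    def bpdu_timeout(self, port: Port) -> None:
        # III. Loop protection: a root or blocked port stops receiving BPDUs.
        if port.role not in (Role.ROOT, Role.ALTERNATE):
            return
        if port.loop_protection:
            port.state = State.DISCARDING   # held in Discarding until BPDUs return
            self.events.append(f"{port.name}: BPDU loss, held in Discarding")
        else:
            port.role = Role.DESIGNATED     # unprotected: becomes designated and
            port.state = State.FORWARDING   # forwards, which can close a loop
            self.events.append(f"{port.name}: BPDU loss, now forwarding (loop risk)")


def demo() -> list:
    """Constructed scenario: forged BPDUs and a TC-BPDU burst against protected ports."""
    sw = Switch(root_priority=4096, tc_protection=True, tc_flush_limit=2)
    sw.receive_bpdu(Port("GE1/0/1", Role.DESIGNATED, edge=True, bpdu_protection=True), Bpdu(8192))
    sw.receive_bpdu(Port("GE1/0/2", Role.DESIGNATED, root_protection=True), Bpdu(0))
    sw.bpdu_timeout(Port("GE1/0/3", Role.ROOT, loop_protection=True))
    for _ in range(3):   # three TC-BPDUs in one hello period; only two flushes allowed
        sw.receive_bpdu(Port("GE1/0/3", Role.ROOT), Bpdu(4096, topology_change=True))
    return sw.events


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running the module prints one event per scenario; the same objects can be driven with the protection flags set to False to reproduce the demotion, root usurpation, loop and repeated-flush behaviour that each section above warns about.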