3Com Switch 8800 Configuration Guide
Chapter 38 MSTP Region-configuration
38-30
You can configure mCheck variable on a port with either of the earlier-mentioned
measures. Note that the command can be used only if the switch runs MSTP. The
command does not make any sense when the switch runs in STP-compatible mode.
38.2.16 Configuring the Switch Protection Function
An MSTP switch provides BPDU protection, Root protection functions, loop protection
and TC-protection.
I. BPDU protection
For an access device, the access port is generally directly connected to the user
terminal (for example, PC) or a file server, and the access port is set to an edge port to
implement fast transition. When such a port receives BPDU packet, the system will
automatically set it as a non-edge port and recalculate the spanning tree, which causes
the network topology flapping. In normal cases, these ports will not receive STP BPDU.
If someone forges BPDU to attack the switch, the network will flap. BPDU protection
function is used against such network attacks.
II. Root protection
The primary and secondary root bridges of the spanning tree, especially those of ICST,
shall be located in the same region. It is because the primary and secondary roots of
CIST are generally placed in the core region with a high bandwidth in network design.
In case of configuration error or malicious attack, the legal primary root may receive the
BPDU with a higher priority and then loose its place, which causes network topology
change errors. Due to the illegal change, the traffic supposed to travel over the
high-speed link may be pulled to the low-speed link and congestion will occur on the
network. Root protection function is used against such problems.
III. Loop protection
The root port and other blocked ports maintain their states according to the BPDUs
send by uplink switch. Once the link is blocked or has trouble, then the ports cannot
receive BPDUs and the switch will select root port again. In this case, the former root
port will turn into specified port and the former blocked ports will enter forwarding state,
as a result, a link loop will be generated.
After the loop protection is enabled, for the root port, its role will not change, but its state
will change. For the blocked port, its role will change, but its state will maintain in
discarding. The blocked port does not forward packets, thus avoiding link loop.