
Operation Manual – MSTP
H3C S3100-52P Ethernet Switch

Chapter 1 MSTP Configuration


The loop prevention function suppresses loops caused by lost BPDUs. Normally, a root port or a blocked port that stops receiving BPDUs (for example, because of link congestion or a unidirectional link failure) would assume the upstream switch is gone, become a designated port and start forwarding, which can create a loop. With this function enabled, such a port still becomes a designated port but is held in the discarding state, so it does not forward packets and the loop is prevented.

IV. TC-BPDU attack prevention

A switch flushes its MAC address entries and ARP entries whenever it receives a TC-BPDU (topology change BPDU). If a malicious user sends a large number of TC-BPDUs to a switch in a short period, the switch may spend most of its time flushing these tables, which degrades its performance and destabilizes the network, since every flush forces traffic to be flooded until the tables are relearned.

With the TC-BPDU attack prevention function enabled, the switch performs only one flush in a specified period (10 seconds by default) after receiving a TC-BPDU. It also notes whether further TC-BPDUs arrive during this period and, if so, performs one more flush at the end of the period rather than one per TC-BPDU. This bounds the flush rate to one operation per period regardless of how many TC-BPDUs arrive, so a flood of TC-BPDUs can no longer keep the switch busy flushing.
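The following is an added example, not code from the H3C manual or firmware: a Python model of the flush-throttling behaviour described above, so that the effect of the protection on a TC-BPDU flood can be seen concretely. The `TcProtection` class, the guard-period bookkeeping and the 500-packet flood are all constructed for this illustration; the only value taken from the manual is the 10-second default period.

```python
"""Model of TC-BPDU attack prevention (added example, not H3C code).

Behaviour modelled, following the manual's description:
  * without protection, every TC-BPDU triggers a MAC/ARP table flush;
  * with protection, the first TC-BPDU triggers a flush and starts a guard
    period (10 s by default); TC-BPDUs arriving inside the period are only
    noted, and at most one further flush is performed when the period ends.
Event times are simulated seconds; no real switch or socket is involved.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class TcProtection:
    period: float = 10.0          # guard period in seconds (manual: 10 s default)
    enabled: bool = True          # False models a switch without the protection
    period_end: float = -1.0      # end of the running guard period; < 0 = none
    pending: bool = False         # a TC-BPDU arrived during the running period
    flushes: List[float] = field(default_factory=list)  # times of table flushes

    def _flush(self, now: float) -> None:
        """Flush MAC/ARP tables (recorded only) and start a new guard period."""
        self.flushes.append(now)
        self.period_end = now + self.period
        self.pending = False

    def expire(self, now: float) -> None:
        """Settle guard periods that ended at or before `now`.

        If a TC-BPDU arrived during a period that has ended, perform the
        single deferred flush at the period boundary (which starts the next
        period). The loop stops as soon as a period ends with nothing pending.
        """
        while 0 <= self.period_end <= now and self.pending:
            self._flush(self.period_end)

    def on_tc_bpdu(self, now: float) -> None:
        """Handle one received TC-BPDU at simulated time `now`."""
        self.expire(now)
        if not self.enabled or not (self.period_end > now):
            self._flush(now)          # no guard period running: flush at once
        else:
            self.pending = True       # inside a guard period: defer to its end


def simulate(period: float = 10.0) -> Tuple[int, List[float]]:
    """Run a constructed TC-BPDU flood against a protected and an unprotected switch.

    Returns (number of flushes without protection, flush times with protection).
    """
    # Constructed input: 500 TC-BPDUs, one every 20 ms, during the first 10 s
    # (a flood), followed by one legitimate topology change at t = 35 s.
    flood = [round(i * 0.02, 2) for i in range(500)]
    events = flood + [35.0]

    unprotected = TcProtection(period=period, enabled=False)
    protected = TcProtection(period=period)
    for t in events:
        unprotected.on_tc_bpdu(t)
        protected.on_tc_bpdu(t)
    # Let the last guard period run out so any deferred flush is recorded.
    for switch in (unprotected, protected):
        switch.expire(events[-1] + period)
    return len(unprotected.flushes), protected.flushes


if __name__ == "__main__":
    without, with_protection = simulate()
    print(f"flushes without protection: {without}")          # one per TC-BPDU
    print(f"flush times with protection: {with_protection}") # one at t=0, one at
    # the end of the period (t=10) for the 499 deferred TC-BPDUs, one at t=35
```

The flood of 500 TC-BPDUs costs the unprotected switch 500 flushes (plus one for the legitimate change), while the protected switch flushes only at 0 s, once more at 10 s because TC-BPDUs kept arriving inside the period, and again at 35 s for the later, legitimate topology change. The caveat this makes visible is that the protection delays, rather than drops, the reaction to a real topology change that happens during a guard period: stale MAC entries can persist until the period ends.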

Caution:

Only one of the loop prevention function, the root protection function and the edge port setting can be in effect on a port at a time.

V. BPDU packet drop

In an STP-enabled network, an attacker may send BPDU packets to the switch continuously in order to disrupt the network. A switch that receives such BPDUs processes them and forwards them to other switches, so STP recalculates continuously. This can consume excessive CPU on the switches or leave the protocol in an incorrect state.

To avoid this, you can enable BPDU packet dropping on Ethernet ports, typically on access ports that face end hosts and should never receive BPDUs. Once the function is enabled on a port, the port neither accepts nor forwards any BPDU packets. This protects the switch against BPDU attacks from that port and keeps STP calculation correct. Note that a port with BPDU dropping enabled also ignores legitimate BPDUs, so do not enable it on ports that connect to other switches.

1.5.2 Configuration Prerequisites

MSTP is running normally on the switch.