ME60 V800R010C10SPC500 Configuration Guide - LAN Access and MAN Access 01

Configuring MSTP Protection Functions

The Multiple Spanning Tree Protocol (MSTP) provides several protection functions. You can configure one or more of them as required.

Applicable Environment

MSTP provides the following protection functions, as listed in Table 14-2.

Table 14-2 MSTP protection

| MSTP Protection | Scenario | Configuration Impact |
| --- | --- | --- |
| BPDU protection | An edge port becomes a non-edge port after receiving a BPDU, which triggers spanning tree recalculation. If an attacker keeps sending bogus BPDUs to a switching device, network flapping occurs. | After BPDU protection is enabled on the switching device, the device shuts down an edge port if that port receives an RST BPDU, and notifies the NMS of the shutdown event. The attributes of the edge port are not changed. |
| TC protection | Generally, after receiving TC BPDUs (packets that advertise network topology changes), a switching device needs to delete MAC entries and ARP entries. Frequent deletion operations exhaust CPU resources. | TC protection suppresses TC-BPDUs. The number of times that a switching device processes TC-BPDUs within a given time period is configurable. If the number of TC-BPDUs that the switching device receives within the given time exceeds the specified threshold, the switching device handles TC-BPDUs only the specified number of times. The excess TC-BPDUs are processed together, once, after the timeout period expires. This keeps the switching device from frequently deleting MAC entries and ARP entries and so avoids overloading it. |
| Root protection | Because of incorrect configurations or malicious attacks on the network, a root bridge may receive BPDUs with a higher priority. The legitimate root bridge then can no longer serve as the root bridge, and the network topology is illegitimately changed, triggering spanning tree recalculation. This may move traffic from high-speed links to low-speed links, causing traffic congestion. | Root protection protects the root bridge by preserving the role of the designated port. With this function, when the designated port receives RST BPDUs with a higher priority, the port enters the Discarding state and does not forward the BPDUs. If the port does not receive any RST BPDUs with a higher priority for a certain period (double the Forward Delay), the port transitions to the Forwarding state. |
| Loop protection | A root port or an alternate port ages if link congestion or a one-way link failure occurs. After the root port ages, a switching device may re-select a root port incorrectly; after the alternate port ages, the port enters the Forwarding state. Loops may occur in such a situation. | Loop protection prevents such network loops. If the root port or alternate port cannot receive RST BPDUs from the upstream switching device, the root port is blocked and the switching device notifies the NMS that the port enters the Discarding state. The blocked port remains in the Blocked state and no longer forwards packets. This prevents loops on the network. The root port restores the Forwarding state after new RST BPDUs are received. |
| Share-link protection | When a switching device is dual-homed to a network and the share link of multiple processes fails, loops may occur. | Share-link protection addresses this problem. It forcibly changes the working mode of the local switching device to RSTP. Share-link protection needs to be used together with root protection to avoid network loops. |
| Abnormal packet filtering | On a network running STP, RSTP, or MSTP, a device may receive unexpected STP, RSTP, or MSTP packets because of incorrect configurations or malicious network attacks. If these unexpected packets are transparently transmitted on the network, spanning tree calculation may be affected, causing network flapping. | After abnormal packet filtering is enabled, the device discards packets carrying a specified source MAC address or VLAN ID. Unexpected packets are therefore not transparently transmitted on the network, which prevents network flapping. |

NOTE:
  • After a device normally starts, there is a default MSTP process with the ID 0. MSTP configurations in the system view and interface view both belong to this process.

  • For more information about MSTP multi-process configuration, see Configuring MSTP Multi-process.
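
The TC protection and root protection rows of Table 14-2 describe timing rules. The following added example (not Huawei code or ME60 output) models both in Python so the effect of a BPDU flood can be checked on paper. The function names, the window that opens at the first TC-BPDU, and the sample timestamps are assumptions made for illustration.

```python
# Constructed model of two timing rules from Table 14-2 (not Huawei code).

def tc_protection_flushes(tc_times, threshold, interval):
    """Times at which MAC/ARP entries are flushed under TC protection.

    Assumption: a window of `interval` seconds opens at the first TC-BPDU
    seen after the previous window expired.
    """
    flushes, window_start, handled, pending = [], None, 0, False
    for t in sorted(tc_times):
        if window_start is not None and t >= window_start + interval:
            if pending:  # excess TC-BPDUs are handled once, at expiry
                flushes.append(window_start + interval)
            window_start, handled, pending = None, 0, False
        if window_start is None:
            window_start = t
        if handled < threshold:
            handled += 1
            flushes.append(t)  # processed immediately
        else:
            pending = True  # suppressed until the window expires
    if pending:
        flushes.append(window_start + interval)
    return flushes


def root_protection_transitions(superior_times, forward_delay):
    """(time, state) changes of a designated port with root protection."""
    hold = 2 * forward_delay  # "double the Forward Delay"
    transitions, release = [(0, "Forwarding")], None
    for t in sorted(superior_times):
        if release is not None and t >= release:
            transitions.append((release, "Forwarding"))
            release = None
        if release is None:
            transitions.append((t, "Discarding"))
        release = t + hold  # every higher-priority BPDU restarts the timer
    if release is not None:
        transitions.append((release, "Forwarding"))
    return transitions


if __name__ == "__main__":
    # Constructed input: a TC-BPDU every second for 10 s, then one at t=12.
    print(tc_protection_flushes(list(range(10)) + [12], threshold=3, interval=10))
    # Constructed input: higher-priority BPDUs at t=10, 15 and 100 seconds.
    print(root_protection_transitions([10, 15, 100], forward_delay=15))
```

With a threshold of 3 per 10-second window, ten TC-BPDUs cause four table flushes instead of ten, which is the CPU saving the table describes.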

Pre-configuration Tasks

Before configuring MSTP protection functions on a switching device, complete the following task:

  • Configuring basic MSTP functions

    NOTE:
    Configure an edge port on the switching device before configuring BPDU protection.

Configuration Procedures

You can choose one or more configuration tasks (excluding "Checking the Configuration") as required.

Updated: 2019-01-04

Document ID: EDOC1100059440
