Root Protection of Rapid Spanning Tree Protocol
Introduction
This document describes RSTP root protection and how to configure root protection. This function enhances switched network reliability, manageability, and security.
Understanding RSTP Root Protection
The root bridge on a network may receive superior RST BPDUs because of incorrect configurations or malicious attacks. When this occurs, the current root bridge loses its role and the network topology changes incorrectly. As a result, traffic may be switched from high-speed links to low-speed links, leading to network congestion.
In Figure 1, DeviceA and DeviceB are deployed at the core layer of the network. The bandwidth of the link between these two devices is 1000 Mbit/s. DeviceA is the root bridge on the network. DeviceC is deployed at the access layer. The bandwidth of the links between DeviceC and DeviceA and between DeviceC and DeviceB is 100 Mbit/s. Normally, the link between DeviceB and DeviceC is blocked.
When a new device, DeviceD, is deployed and connected to DeviceC, DeviceD is elected as the new root bridge because its bridge priority is higher than DeviceA's (that is, its priority value is smaller). The 1000 Mbit/s link between the core switches DeviceA and DeviceB is then blocked, and VLAN traffic is forwarded over the two 100 Mbit/s links. As a result, network congestion and traffic loss may occur.
In this case, root protection can be configured on the DeviceC port that connects to DeviceD. After root protection is enabled on a designated port, the port role cannot be changed. When the designated port receives a superior RST BPDU, it enters the Discarding state and stops forwarding traffic. If it receives no further superior RST BPDUs within a specified period (two Forward Delay intervals by default), it automatically returns to the Forwarding state.
- Root protection takes effect only on designated ports.
- Loop protection and root protection cannot be configured on the same port simultaneously.
- Root protection in MSTP and VBST works in the same way as in RSTP. The difference is that in RSTP all VLANs share one spanning tree, so traffic of all VLANs follows the same path, whereas MSTP and VBST can forward traffic of different VLANs along different paths.
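The following Python model shows what "superior RST BPDU" means for a root-protected designated port and how the Discarding/Forwarding transitions described above play out over time. It is an added example, not code from the original page or from Huawei's implementation. It parses the 36-byte RST BPDU body (IEEE 802.1w layout), builds the 802.1D priority vector (root ID, root path cost, sender bridge ID, sender port ID) and compares it with the vector the port itself advertises; this is a simplification of the full RSTP port-role state machine. The device MACs, priorities and path costs are assumptions chosen to match the Figure 1 scenario, and the BPDU frames are constructed inline.

```python
"""Model of how a root-protected designated port treats incoming RST BPDUs.

Added example, not from the original page or Huawei's implementation. A received
BPDU whose 802.1D priority vector is lower (better) than the vector this port
advertises is "superior": it pins the port in Discarding for 2 x Forward Delay
measured from the most recent superior BPDU. Names, MACs and costs are assumed.
"""
import struct
from dataclasses import dataclass

# Protocol ID, version, BPDU type, flags, Root ID, Root Path Cost, Bridge ID,
# Port ID, Message Age, Max Age, Hello Time, Forward Delay, Version 1 Length.
RST_BPDU = struct.Struct("!HBBBQIQHHHHHB")   # 36 bytes, network byte order


@dataclass(frozen=True, order=True)
class PriorityVector:
    """802.1D priority vector; field order is the comparison order, lower wins."""
    root_id: int
    root_path_cost: int
    bridge_id: int
    port_id: int


def bridge_id(priority: int, mac: str) -> int:
    """Bridge ID is the 16-bit priority field followed by the 48-bit MAC."""
    return (priority << 48) | int(mac.replace(":", ""), 16)


def build_rst_bpdu(root_id: int, cost: int, sender_id: int, port_id: int,
                   forward_delay: int = 15) -> bytes:
    """Constructed RST BPDU. Flags 0x3C = designated role + learning + forwarding.
    Timer fields are carried in units of 1/256 second."""
    return RST_BPDU.pack(0x0000, 2, 0x02, 0x3C, root_id, cost, sender_id, port_id,
                         0, 20 * 256, 2 * 256, forward_delay * 256, 0)


def parse_rst_bpdu(frame: bytes) -> PriorityVector:
    """Extract the priority vector; reject anything that is not an RST BPDU."""
    fields = RST_BPDU.unpack(frame[:RST_BPDU.size])
    protocol_id, version, bpdu_type = fields[:3]
    if protocol_id != 0 or version != 2 or bpdu_type != 0x02:
        raise ValueError("not an RST BPDU")
    root_id, cost, sender_id, port_id = fields[4:8]
    return PriorityVector(root_id, cost, sender_id, port_id)


class RootProtectedPort:
    """Designated port with 'stp root-protection'; its role stays designated."""

    def __init__(self, advertised: PriorityVector, forward_delay: int = 15):
        self.advertised = advertised          # vector this port sends in its own BPDUs
        self.forward_delay = forward_delay
        self.discarding_until = None          # None means Forwarding

    def receive(self, frame: bytes, now: float) -> str:
        received = parse_rst_bpdu(frame)
        if received < self.advertised:        # superior: claims a better root or path
            # Hold Discarding for two Forward Delay intervals from this BPDU.
            self.discarding_until = now + 2 * self.forward_delay
        return self.state(now)

    def state(self, now: float) -> str:
        if self.discarding_until is not None and now < self.discarding_until:
            return "DISCARDING"
        self.discarding_until = None
        return "FORWARDING"


def demo() -> list[str]:
    """Figure 1 scenario: DeviceC's root-protected port facing DeviceD (assumed values)."""
    root_a = bridge_id(4096, "00:e0:fc:00:00:0a")      # DeviceA, the legitimate root
    dev_c = bridge_id(32768, "00:e0:fc:00:00:0c")
    dev_d = bridge_id(0, "00:e0:fc:00:00:0d")          # DeviceD, better (lower) priority
    port = RootProtectedPort(PriorityVector(root_a, 200000, dev_c, 0x8001))

    # Constructed frames: a downstream switch that agrees DeviceA is root but with
    # a higher cost (inferior), and DeviceD announcing itself as root at cost 0.
    downstream = build_rst_bpdu(root_a, 400000,
                                bridge_id(32768, "00:e0:fc:00:00:0e"), 0x8001)
    rogue = build_rst_bpdu(dev_d, 0, dev_d, 0x8001)

    return [
        port.receive(downstream, now=0.0),   # inferior BPDU: stays FORWARDING
        port.receive(rogue, now=1.0),        # superior BPDU: DISCARDING until t=31
        port.state(now=20.0),                # still DISCARDING
        port.state(now=31.5),                # 2 x Forward Delay elapsed: FORWARDING
    ]


if __name__ == "__main__":
    print(demo())
```

Running the block prints the four port states for the scenario. Note that the comparison is on the whole priority vector, so a BPDU that agrees on the root but advertises a lower path cost through the protected port would also count as superior.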
Configuring Root Protection
- Run the system-view command to enter the system view.
- Run the interface interface-type interface-number command to enter the view of the port that participates in STP calculation.
- Run the stp root-protection command to enable root protection on the port.
By default, root protection is disabled on a port. Root protection takes effect only on designated ports. Root protection and loop protection cannot be configured on the same port.
The following example shows how to configure root protection on GigabitEthernet0/0/1 and check whether the configuration is successful.
<HUAWEI> system-view
[HUAWEI] interface GigabitEthernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] stp root-protection
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] display stp brief
 MSTID  Port                        Role  STP State    Protection
   0    GigabitEthernet0/0/1        DESI  FORWARDING   ROOT
   0    GigabitEthernet0/0/2        DESI  FORWARDING   NONE
   0    GigabitEthernet0/0/4        ROOT  FORWARDING   NONE
According to the preceding information, the Protection field of GigabitEthernet0/0/1 is displayed as ROOT, indicating that root protection has been enabled on the port.
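Checking one port by eye is fine for a lab; on a real access switch a practitioner wants every designated edge port verified. The following Python script is an added example, not part of the original page or Huawei's software. It parses the display stp brief output shown above (the sample text is constructed from that output), reports designated ports whose Protection field is not ROOT, and emits the configuration commands from this page to fix them. Splitting rows on whitespace rather than on fixed column offsets is an assumption about the output layout, and the uplinks parameter is a hypothetical allowlist for ports on which a superior BPDU from another core switch is legitimate.

```python
"""Audit 'display stp brief' output for designated ports without root protection.

Added example, not part of the original page or Huawei's software. The sample
below is constructed from the page's example output. Root protection takes
effect only on designated (DESI) ports, so ROOT or alternate ports are not
reported even though their Protection column also reads NONE.
"""

# Constructed sample, matching the page's 'display stp brief' example.
SAMPLE_STP_BRIEF = """\
 MSTID  Port                        Role  STP State    Protection
   0    GigabitEthernet0/0/1        DESI  FORWARDING   ROOT
   0    GigabitEthernet0/0/2        DESI  FORWARDING   NONE
   0    GigabitEthernet0/0/4        ROOT  FORWARDING   NONE
"""


def parse_stp_brief(text: str) -> list[dict]:
    """Return one dict per port row; the header row and blank lines are skipped.

    Assumes whitespace-separated columns (the header has six tokens because of
    'STP State', so it fails the five-field check and is dropped as well).
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "MSTID":
            continue
        mstid, port, role, state, protection = fields
        rows.append({"mstid": int(mstid), "port": port, "role": role,
                     "state": state, "protection": protection})
    return rows


def find_unprotected_designated(text: str,
                                uplinks: frozenset = frozenset()) -> list[str]:
    """Designated ports whose Protection is not ROOT, excluding known uplinks.

    'uplinks' is a hypothetical allowlist: ports facing other core switches,
    where a superior BPDU can be legitimate and root protection does not belong.
    """
    return sorted({
        row["port"] for row in parse_stp_brief(text)
        if row["role"] == "DESI"
        and row["protection"] != "ROOT"
        and row["port"] not in uplinks
    })


def remediation_commands(ports: list[str]) -> list[str]:
    """CLI lines (the commands shown on this page) to enable root protection."""
    lines = ["system-view"]
    for port in ports:
        lines += [f"interface {port}", "stp root-protection", "quit"]
    return lines


if __name__ == "__main__":
    flagged = find_unprotected_designated(SAMPLE_STP_BRIEF)
    print("designated ports without root protection:", flagged)
    print("\n".join(remediation_commands(flagged)))
```

On the sample output the script flags GigabitEthernet0/0/2 only: GigabitEthernet0/0/1 already shows ROOT, and GigabitEthernet0/0/4 is the root port, where root protection cannot take effect. Whether a flagged designated port should actually get root protection still depends on what is attached to it; that is what the uplinks allowlist is for.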