3Com 4200G 12-Port Configuration Manual page 151

Protection Function Configuration 137
Root protection
A root bridge and its secondary root bridges must reside in the same region. A CIST
and its secondary root bridges are usually located in the high-bandwidth core region.
Configuration errors or attacks may result in configuration BPDUs with their priorities
higher than that of a root bridge, which causes new root bridge to be elected and
network topology jitter to occur. In this case, flows that should travel along
high-speed links may be led to low-speed links, and network congestion may occur.
You can avoid this by utilizing the root protection function. Ports with this function
enabled can only be kept as designated ports in all spanning tree instances. When a
port of this type receives configuration BPDUs with higher priorities, it changes to
discarding state (rather than becomes a non-designated port) and stops forwarding
packets (as if it is disconnected from the link). It resumes the normal state if it does
not receive any configuration BPDUs with higher priorities for a specified period.
Loop prevention
A switch maintains the states of the root port and other blocked ports by receiving
and processing BPDUs from the upstream switch. These BPDUs may get lost because
of network congestions and link failures. If a switch does not receive BPDUs from the
upstream switch for certain period, the switch selects a new root port; the original
root port becomes a designated port; and the blocked ports transit to forwarding
state. This may cause loops in the network.
The loop prevention function suppresses loops. With this function enabled, a root
port does not gives up its position and blocked ports remain in discarding state (do
not forward packets), and thereby loops can be prevented.
TC-BPDU attack prevention
A switch removes MAC address entries and ARP entries upon receiving TC-BPDUs. If a
malicious user sends a large amount of TC-BPDUs to a switch in a short period, the
switch may busy itself in removing MAC address entries and ARP entries, which may
decreases the performance and stability of the switch.
With the TC-BPDU prevention function enabled, the switch performs only one
removing operation in a specified period (it is 10 seconds by default) after it receives a
TC-BPDU. The switch also checks to see if other TC-BPDUs arrive in this period and
performs another removing operation in the next period if a TC-BPDU is received.
Such a mechanism prevents a switch from busying itself in performing removing
operations.
CAUTION: Among loop prevention function, root protection function, and edge port
setting, only one can be valid on the same port.
Prerequisites MSTP runs normally on the switch.