H3C S5600 SERIES Operation Manual page 259

Root guard
A root bridge and its secondary root bridges must reside in the same region. The root bridge of the CIST
and its secondary root bridges are usually located in the high-bandwidth core region. Configuration
errors or attacks may result in configuration BPDUs whose priorities are higher than that of the root bridge,
which causes a new root bridge to be elected and the network topology to change. In this case, flows that
should travel along high-speed links may be diverted to low-speed links, and network congestion may occur.
You can avoid this problem by using the root guard function. A port with this function enabled can only
be kept as a designated port in all MSTIs. When such a port receives configuration BPDUs with
higher priorities, it enters the discarding state (rather than becoming a non-designated port) and stops
forwarding packets (as if it were disconnected from the link). It resumes the normal state if it does not
receive any configuration BPDUs with higher priorities for a specified period.
Loop guard
A switch maintains the states of the root port and other blocked ports by receiving and processing
BPDUs from the upstream switch. These BPDUs may get lost because of network congestion or
unidirectional link failures. If a switch does not receive BPDUs from the upstream switch for a certain
period, the switch selects a new root port; the original root port becomes a designated port; and the
blocked ports turn to the forwarding state. This may cause loops in the network.
The loop guard function suppresses such loops. With this function enabled, if link congestion or
unidirectional link failures occur, both the root port and the blocked ports become designated ports and
turn to the discarding state. In this case, they stop forwarding packets, and loops are thereby
prevented.
With the loop guard function enabled, the root guard function and the edge port configuration are
mutually exclusive.
TC-BPDU attack guard
Normally, a switch clears its MAC address table and ARP entries upon receiving a TC-BPDU. If a
malicious user sends a large number of TC-BPDUs to a switch in a short period, the switch may be kept busy
clearing the MAC address table and ARP entries, which may affect spanning tree calculation,
occupy a large amount of bandwidth, and increase switch CPU utilization.
With the TC-BPDU attack guard function enabled, a switch performs a clearing operation upon
receiving a TC-BPDU and starts a timer (set to 10 seconds by default) at the same time. Before the
timer expires, the switch performs the clearing operation only a limited number of times (up to six times by
default) regardless of the number of TC-BPDUs it receives. This mechanism prevents a switch
from being kept busy clearing the MAC address table and ARP entries.
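The throttling described above, modelled as an added example (a constructed simulation, not H3C code). It assumes that the first clearing operation in a cycle starts the timer and counts toward the limit, and that a new cycle begins with the first TC-BPDU received after the timer expires.

```python
"""Constructed simulation of TC-BPDU attack guard throttling (not H3C's code).

Assumptions: the first flush of a cycle starts the timer and counts toward the
threshold; a new cycle starts with the first TC-BPDU after the timer expires.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TcGuard:
    threshold: int = 6            # max flushes per timer window (default 6)
    window: float = 10.0          # timer length in seconds (default 10 s)
    timer_expiry: Optional[float] = None
    flushes_in_window: int = 0
    suppressed: int = 0           # TC-BPDUs that did NOT trigger a flush

    def receive_tc_bpdu(self, now: float) -> bool:
        """Return True if this TC-BPDU causes a MAC/ARP table flush."""
        if self.timer_expiry is None or now >= self.timer_expiry:
            # Timer not running or expired: flush and start a new timer.
            self.timer_expiry = now + self.window
            self.flushes_in_window = 1
            return True
        if self.flushes_in_window < self.threshold:
            # Still under the per-window limit: flush again.
            self.flushes_in_window += 1
            return True
        # Limit reached: ignore until the timer expires (useful to count/log).
        self.suppressed += 1
        return False


def simulate(arrivals: List[float], threshold: int = 6,
             window: float = 10.0) -> Tuple[List[bool], int]:
    """Replay timestamped TC-BPDU arrivals; return per-BPDU flush decisions
    and the number of suppressed flushes."""
    guard = TcGuard(threshold=threshold, window=window)
    flushed = [guard.receive_tc_bpdu(t) for t in arrivals]
    return flushed, guard.suppressed


if __name__ == "__main__":
    # Constructed burst: 20 TC-BPDUs in 10 s, then three more spaced 1 s apart.
    burst = [i * 0.5 for i in range(20)] + [11.0, 12.0, 13.0]
    decisions, dropped = simulate(burst)
    print(f"flushes: {sum(decisions)}, suppressed: {dropped}")
```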
You can use the stp tc-protection threshold command to set the maximum number of times a switch may
clear the MAC address table and ARP entries within a given period. While the number of
TC-BPDUs received within the period is less than this maximum, the switch performs a clearing
operation upon receiving each TC-BPDU. After the number of TC-BPDUs received reaches the
maximum times, the switch stops performing the removing operation. For example, if you set the
1-36