3Com WX3000 Series Operation Manual page 206

Unified switches switching engine

Loop guard
A device maintains the states of the root port and other blocked ports by receiving and processing
BPDUs from the upstream device. These BPDUs may get lost because of network congestion or
unidirectional link failures. If a device does not receive BPDUs from the upstream device for a certain
period, the device selects a new root port; the original root port becomes a designated port; and the
blocked ports turn to the forwarding state. This may cause loops in the network.
The loop guard function suppresses loops. With this function enabled, if link congestion or
unidirectional link failures occur, both the root port and the blocked ports become designated ports and
turn to the discarding state. In this state they stop forwarding packets, which prevents loops.
With the loop guard function enabled, the root guard function and the edge port configuration are
mutually exclusive.
TC-BPDU attack guard
Normally, a device removes its MAC address table and ARP entries upon receiving TC-BPDUs. If a
malicious user sends a large number of TC-BPDUs to a device in a short period, the device may be
kept busy removing the MAC address table and ARP entries, which may affect spanning tree calculation,
occupy a large amount of bandwidth and increase device CPU utilization.
With the TC-BPDU attack guard function enabled, a device performs a removing operation upon
receiving a TC-BPDU and triggers a timer (set to 10 seconds by default) at the same time. Before the
timer expires, the device performs the removing operation only a limited number of times (up to six
times by default) regardless of the number of TC-BPDUs it receives. This mechanism prevents a device
from being kept busy removing the MAC address table and ARP entries.
You can use the stp tc-protection threshold command to set the maximum number of times a device
removes the MAC address table and ARP entries in a specific period. When the number of
TC-BPDUs received within a period is less than the maximum, the device performs a removing
operation upon receiving each TC-BPDU. After the number of TC-BPDUs received reaches the
maximum, the device stops performing the removing operation. For example, if you set the
maximum number of times for a device to remove the MAC address table and ARP entries to 100 and
the device receives 200 TC-BPDUs in the period, the device removes the MAC address table and ARP
entries only 100 times within the period.
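The following is an added example, not taken from the manual or from device firmware: a small Python model of the counter behaviour described above, replayed over constructed TC-BPDU arrival times. The class and function names are hypothetical, and it assumes a new timer starts with the first TC-BPDU that arrives after the previous timer has expired.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class TcGuard:
    """Model of the TC-BPDU attack guard counter (assumed semantics)."""
    threshold: int = 6       # max removing operations per period (manual default)
    period: float = 10.0     # timer length in seconds (manual default)
    window_start: Optional[float] = None
    flushes_in_window: int = 0
    total_flushes: int = 0
    suppressed: int = 0

    def on_tc_bpdu(self, now: float) -> bool:
        """Return True if the MAC/ARP entries are removed for this TC-BPDU."""
        # Assumption: the first TC-BPDU after timer expiry starts a new timer.
        if self.window_start is None or now - self.window_start >= self.period:
            self.window_start = now
            self.flushes_in_window = 0
        if self.flushes_in_window < self.threshold:
            self.flushes_in_window += 1
            self.total_flushes += 1
            return True
        # Over the threshold: the TC-BPDU is counted but triggers no removal.
        self.suppressed += 1
        return False


def replay(timestamps, threshold=6, period=10.0):
    """Feed arrival times through the guard; return (flushes, suppressed)."""
    guard = TcGuard(threshold=threshold, period=period)
    for t in sorted(timestamps):
        guard.on_tc_bpdu(t)
    return guard.total_flushes, guard.suppressed


# Constructed input: 200 TC-BPDUs within 5 seconds (a flood).
FLOOD = [i * 0.025 for i in range(200)]
# Constructed input: one topology change every 30 seconds (normal churn).
NORMAL = [i * 30.0 for i in range(5)]

if __name__ == "__main__":
    print("flood, defaults:     ", replay(FLOOD))
    print("flood, threshold=100:", replay(FLOOD, threshold=100))
    print("normal, defaults:    ", replay(NORMAL))
```

A persistently high suppressed count on a port is a useful signal that the port is receiving far more TC-BPDUs than ordinary topology changes would produce.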
BPDU dropping
In an STP-enabled network, some users may send BPDU packets to the device continuously in order to
disrupt the network. When a device receives the BPDU packets, it forwards them to other devices.
As a result, STP calculation is performed repeatedly, which may consume too much of the devices' CPU
or cause errors in the protocol state of the BPDU packets.
To avoid this problem, you can enable BPDU dropping on Ethernet ports. Once the function is
enabled on a port, the port does not receive or forward any BPDU packets. In this way, the device is
protected against BPDU packet attacks and the STP calculation remains correct.

This manual is also suitable for:

Wx3024, Wx3010, Wx3008
