Tp-Link TL-SG3216 Инструкция по эксплуатации онлайн [94/236] 38897

A CIST and its secondary root bridges are usually located in the high-bandwidth core region.

Wrong configuration or malicious attacks may result in configuration BPDU packets with higher

priorities being received by the legal root bridge, which causes the current legal root bridge to lose

its position and network topology jitter to occur. In this case, flows that should travel along

high-speed links may lead to low-speed links, and network congestion may occur.

To avoid this, MSTP provides root protect function. Ports with this function enabled can only be set

as designated ports in all spanning tree instances. When a port of this type receives BDPU

packets with higher priority, it transits its state to blocking state and stops forwarding packets (as if

it is disconnected from the link). The port resumes the normal state if it does not receive any

configuration BPDU packets with higher priorities for a period of two times of forward delay.

¾ TC Protect

A switch removes MAC address entries upon receiving TC-BPDU packets. If a user maliciously

sends a large amount of TC-BPDU packets to a switch in a short period, the switch will be busy

with removing MAC address entries, which may decrease the performance and stability of the

network.

To prevent the switch from frequently removing MAC address entries, you can enable the TC

protect function on the switch. With TC protect function enabled, if the account number of the

received TC-BPDUs exceeds the maximum number you set in the TC threshold field, the switch

will not performs the removing operation in the TC protect cycle. Such a mechanism prevents the

switch from frequently removing MAC address entries.

¾ BPDU Protect

Ports of the switch directly connected to PCs or servers are configured as edge ports to rapidly

transit their states. When these ports receive BPDUs, the system automatically configures these

ports as non-edge ports and regenerates spanning trees, which may cause network topology jitter.

Normally these ports do not receive BPDUs, but if a user maliciously attact the switch by sending

BPDUs, network topology jitter occurs.

To prevent this attack, MSTP provides BPDU protect function. With this function enabled on the

switch, the switch shuts down the edge ports that receive BPDUs and reports these cases to the

administrator. If a port is shut down, only the administrator can restore it.

¾ BPDU Filter

BPDU filter function is to prevent BPDUs flood in the STP network. If a switch receives malicious

BPDUs, it forwards these BPDUs to the other switched in the network, which may result in

spanning trees being continuously regenerated. In this case, the switch occupying too much CPU

or the protocol status of BPDUs is wrong.

With BPDU filter function enabled, a port does not receive or forward BPDUs, but it sends out its

own BPDUs. Such a mechanism prevents the switch from being attacked by BPDUs so as to

guarantee generation the spanning trees correct.

Choose the menu Spanning Tree→STP Security→Port Protect to load the following page.