Chinese
English
-
MSTP can only keep its port role as a designated port for a designated port with root protection enabled. Once the designated port with root protection enabled receives an RST BPDU with higher priority, the port state will enter the Discarding state and no longer forwards the message. After a period of time (usually twice the Forward Delay), if the port never receives another RST BPDU with higher priority, the port will automatically return to the normal Forwarding state.
-
BPDU protection
After BPDU protection is activated on the router, if an edge port receives an RST BPDU, the edge port will be shutdown, but the attributes of the edge port will remain unchanged, and the network management system will be notified at the same time.
-
TC protection
After enabling the anti TC-BPDU message attack function, the number of times the router processes topology change messages per unit time is configurable. If the number of topology change messages received by the router per unit time is greater than the configured threshold, then the router will only process the number of times specified by the threshold. For other topology change messages that exceed the threshold, the router processes them only once in unison after the timer expires. This avoids frequent deletion of MAC address table entries and ARP table entries, thus achieving the purpose of protecting the device.
-
Loop protection
After the loop protection function is activated, if the root port or alternate port does not receive RST BPDUs from the upstream for a long time, it will send a notification message to the network administrator (or enter the Discarding state if it is the root port). The blocking port, on the other hand, will remain in the blocking state and will not forward the message, thus not forming a loop in the network. The port state does not return to normal to the Forwarding state until the root port receives the RST BPDU.
Attack Method Introduction
-
Root bridge change attack
Due to misconfiguration by maintenance personnel or malicious attacks in the network, the root bridge receives BPDUs with higher priority and loses its status as the root bridge, redoing spanning tree calculations, and due to topology changes, it may cause high-speed traffic to migrate to low-speed links, causing network congestion.
-
BPDU attack
After an edge port receives a BPDU, the port status will change to non-edge port, which will result in the recalculation of spanning tree, and if an attacker forges a configuration message to maliciously attack a router, it will cause a network shock.
-
TC protection
The router will delete MAC address table entries and ARP table entries after receiving topology change messages, which will cause a great impact on the CPU if operated frequently.
-
Loop protection
When there is link congestion or unidirectional link failure, the root and alternate ports will age. Aging of the Root port will cause the system to reselect the Root port (which may be incorrect), and aging of the Alternate port will migrate to the Forwarding state, which will create a loop.
The technical information in this chapter and the related SDH equipment troubleshooting procedures are provided by Shenzhen Optical Transmission Network Technology Co. Huawei SDH optical transmission equipment, SDH transmission equipment sales phone: 13430988088 Welcome to call!
