Loop guard

A device maintains the states of the root port and other blocked ports by receiving and processing BPDUs from the upstream device. These BPDUs may get lost because of network congestion or unidirectional link failures. If a device does not receive BPDUs from the upstream device for a certain period, the device selects a new root port; the original root port becomes a designated port; and the blocked ports turn to the forwarding state. This may cause loops in the network.

The loop guard function suppresses loops. With this function enabled, if link congestion or unidirectional link failures occur, both the root port and the blocked ports become designated ports and turn to the discarding state. In this case, they stop forwarding packets, and loops are thereby prevented.

With the loop guard function enabled, the root guard function and the edge port configuration are mutually exclusive.

TC-BPDU attack guard

Normally, a device removes its MAC address table and ARP entries upon receiving TC-BPDUs. If a malicious user sends a large number of TC-BPDUs to a device in a short period, the device may be busy removing the MAC address table and ARP entries, which may affect spanning tree calculation, occupy a large amount of bandwidth and increase device CPU utilization.

With the TC-BPDU attack guard function enabled, a device performs a removing operation upon receiving a TC-BPDU and triggers a timer (set to 10 seconds by default) at the same time. Before the timer expires, the device performs the removing operation only a limited number of times (up to six times by default) regardless of the number of TC-BPDUs it receives. This mechanism prevents a device from being busy removing the MAC address table and ARP entries.

You can use the stp tc-protection threshold command to set the maximum number of times a device removes the MAC address table and ARP entries in a specific period. When the number of TC-BPDUs received within a period is less than the maximum, the device performs a removing operation upon receiving each TC-BPDU. After the number of TC-BPDUs received reaches the maximum, the device stops performing the removing operation. For example, if you set the maximum number of times for a device to remove the MAC address table and ARP entries to 100 and the device receives 200 TC-BPDUs in the period, the device removes the MAC address table and ARP entries only 100 times within the period.

BPDU dropping

In an STP-enabled network, some users may send BPDU packets to the device continuously in order to destroy the network. When a device receives the BPDU packets, it forwards them to other devices. As a result, STP calculation is performed repeatedly, which may occupy too much CPU of the devices or cause errors in the protocol state of the BPDU packets.

To avoid this problem, you can enable BPDU dropping on Ethernet ports. Once the function is enabled on a port, the port does not receive or forward any BPDU packets. In this way, the device is protected against BPDU packet attacks, so that STP calculation remains correct.
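The flush limit described under TC-BPDU attack guard can be modelled in a few lines. This is an added example, not code from the device or its vendor: the class and function names are hypothetical, and it assumes that the flush that starts the timer counts toward the threshold and that the first TC-BPDU after the timer expires starts a new period.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TcProtection:
    """Model of the TC-BPDU attack guard (times in seconds)."""
    threshold: int = 6       # max flushes per timer period (default from the text)
    period: float = 10.0     # timer length (default from the text)
    enabled: bool = True
    _start: Optional[float] = field(default=None, init=False, repr=False)
    _flushes: int = field(default=0, init=False, repr=False)

    def on_tc_bpdu(self, now: float) -> bool:
        """Return True if this TC-BPDU causes a MAC/ARP table flush."""
        if not self.enabled:
            return True  # guard off: every TC-BPDU triggers a flush
        # Assumption: a TC-BPDU arriving after the timer expired opens a new period.
        if self._start is None or now - self._start >= self.period:
            self._start = now
            self._flushes = 0
        if self._flushes < self.threshold:
            self._flushes += 1
            return True
        return False  # threshold reached: no flush until the timer expires


def count_flushes(guard: TcProtection, arrival_times) -> int:
    """Number of table flushes the device performs for the given arrivals."""
    return sum(guard.on_tc_bpdu(t) for t in arrival_times)


# Constructed input: 200 TC-BPDUs arriving inside one 10-second period.
FLOOD = [i * 0.04 for i in range(200)]


def flood_results() -> dict:
    """Flush counts for the same flood under three configurations."""
    return {
        "guard_disabled": count_flushes(TcProtection(enabled=False), FLOOD),
        "default_threshold": count_flushes(TcProtection(), FLOOD),
        "threshold_100": count_flushes(TcProtection(threshold=100), FLOOD),
    }


if __name__ == "__main__":
    for name, flushes in flood_results().items():
        print(f"{name}: {flushes} flushes for {len(FLOOD)} TC-BPDUs")
```

The threshold_100 case reproduces the 200-received, 100-flushed example in the text; the default case shows the same flood bounded to six flushes.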