[Sysname] interface Ethernet 1/0/1 
[Sysname-Ethernet1/0/1] stp mcheck 
Configuring Guard Functions 
The following guard functions are available on an MSTP-enabled switch: BPDU guard, root guard, loop 
guard, TC-BPDU attack guard, and BPDU drop. 
Configuring BPDU Guard 
Normally, the access ports of devices operating at the access layer are directly connected to
terminals (such as PCs) or file servers. These ports are usually configured as edge ports to achieve
rapid transition. However, they automatically revert to non-edge ports upon receiving configuration
BPDUs, which causes spanning tree recalculation and network topology jitter.
Normally, no configuration BPDU reaches an edge port. However, malicious users can attack a network
by deliberately sending configuration BPDUs to edge ports to cause network jitter. You can prevent
this type of attack by using the BPDU guard function. With this function enabled, the switch shuts
down any edge port that receives a configuration BPDU and reports the event to the administrator.
Ports shut down in this way can be restored only by the administrator.

We recommend enabling BPDU guard on devices that have edge ports configured.
 
Configuration Prerequisites 
MSTP runs normally on the switch. 
Configuration procedure 
Follow these steps to configure BPDU guard: 
To do...                          Use the command...     Remarks
Enter system view                 system-view            —
Enable the BPDU guard function    stp bpdu-protection    Required. The BPDU guard function is disabled by default.
 
Configuration example 
# Enable the BPDU guard function. 
<Sysname> system-view 
[Sysname] stp bpdu-protection
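
One way to audit the recommendation above across saved switch configurations (an added example, not part of the original manual). It assumes the saved configuration separates views with `#` lines and marks edge ports with `stp edged-port enable`; the function name and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample of saved-configuration text (not from a real device).
SAMPLE_CONFIG = """\
#
 sysname Sysname
#
interface Ethernet1/0/1
 stp edged-port enable
#
interface Ethernet1/0/2
 stp edged-port enable
#
interface Ethernet1/0/24
 port link-type trunk
#
"""

def audit_bpdu_guard(config_text):
    """Check that BPDU guard is on whenever edge ports are configured."""
    guard_enabled = False
    edge_ports = []
    current_if = None                  # None means we are in system view
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":                # assumed view separator
            current_if = None
            continue
        if not line:
            continue
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current_if = m.group(1)
        elif current_if is None and line == "stp bpdu-protection":
            guard_enabled = True       # global command shown on this page
        elif current_if and re.fullmatch(r"stp edged-port( enable)?", line):
            edge_ports.append(current_if)   # assumed edge-port syntax
    if not edge_ports:
        status = "N/A"                 # nothing for BPDU guard to protect
    elif guard_enabled:
        status = "PASS"
    else:
        status = "FAIL"                # edge ports exposed to injected BPDUs
    return {"status": status, "guard": guard_enabled, "edge_ports": edge_ports}

if __name__ == "__main__":
    print(audit_bpdu_guard(SAMPLE_CONFIG))
```

A `FAIL` result lists the edge ports that would revert to non-edge ports on receiving a configuration BPDU instead of being shut down.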