Configuring Protection Functions 233
Configuring
Protection Functions
An MSTP-compliant device supports the following protection functions:
■ BPDU guard
■ Root guard
■ Loop guard
■ TC-BPDU attack guard
n
■ The the Switch 4800G support the BPDU guard, root guard and loop guard
functions.
■ Among loop guard, root guard and edge port setting, only one function can
take effect on the same port at the same time.
Configuration
prerequisites
MSTP has been correctly configured on the device.
Enabling BPDU Guard For access layer devices, the access ports generally connect directly with user
terminals (such as PCs) or file servers. In this case, the access ports are configured
as edge ports to allow rapid transition of these ports. When these ports receive
configuration BPDUs, the system will automatically set these ports as non-edge
ports and start a new spanning tree calculation process. This will cause a change
of network topology. Under normal conditions, these ports should not receive
configuration BPDUs. However, if someone forges configuration BPDUs
maliciously to attack the devices, network instability will occur.
MSTP provides the BPDU guard function to protect the system against such
attacks. With the BPDU guard function enabled on the devices, when edge ports
receive configuration BPDUs, MSTP will close these ports and notify the NMS that
these ports have been closed by MSTP. Those ports closed thereby can be restored
only by the network administers.
n
It is recommended that you enable the BPDU guard on your device.
Follow these steps to enable BPDU guard:
Enabling Root Guard The root bridge and secondary root bridge of a panning tree should be located in
the same MST region. Especially for the CIST, the root bridge and secondary root
bridge are generally put in a high-bandwidth core region during network design.
However, due to possible configuration errors or malicious attacks in the network,
the legal root bridge may receive a configuration BPDU with a higher priority. In
this case, the current, legal root bridge will be superseded by another device,
causing undesired change of the network topology. As a result of this kind of
illegal topology change, the traffic that should go over high-speed links is drawn
to low-speed links, resulting in network congestion.
To do… Use the command… Remarks
Enter system view system-view -
Enable the BPDU guard function on the device stp bpdu-protection Required
Disabled by default
To Next Page
Loading...
