Understanding and Configuring SpanGuard
15-30 Configuring Spanning Tree
How Does It Operate?
SpanGuard helps protect against Spanning Tree Denial of Service (DoS) attacks as well as
unintentional or unauthorized connected bridges, by intercepting received BPDUs on
configured ports and locking these ports so they do not process any received packets.
When enabled, reception of a BPDU on a port that is administratively configured as a Spanning
Tree edge port (adminedge = True) will cause the port to become locked and the state set to
blocking. When this condition is met, packets received on that port will not be processed for a
specified timeout period. The port will become unlocked when:
• the timeout expires,
• the port is manually unlocked,
• the port is no longer administratively configured as adminedge = True, or
• the SpanGuard function is disabled.
The port will become locked again if it receives another offending BPDU after the timeout expires
or it is manually unlocked.
In the event of a DoS attack with SpanGuard enabled and configured, no Spanning Tree topology
changes or topology reconfigurations will be seen in your network. The state of your Spanning
Tree will be completely unaffected by the reception of any spoofed BPDUs, regardless of the
BPDU type, rate received or duration of the attack.
By default, when SNMP and SpanGuard are enabled, a trap message will be generated when
SpanGuard detects that an unauthorized port has tried to join a Spanning Tree.
Configuring SpanGuard
Use the following commands to configure device ports for SpanGuard, to enable the SpanGuard
function, and to review SpanGuard status on the device.
Reviewing and Setting Edge Port Status
Review and set edge port status as follows:
1. Use the show commands described in “Defining Edge Port Status” on page 15-24 to determine
edge port administrative status on the device.
2. Set edge port administrative status to false on all known ISLs.
3. Set edge port administrative status to true on any remaining ports where SpanGuard
protection is desired. This indicates to SpanGuard that these ports are not expecting to receive
any BPDUs. If these ports do receive BPDUs, they will become locked.
Enabling and Adjusting SpanGuard
Use this command to enable SpanGuard on the device:
set spantree spanguard enable
Use this command to adjust the SpanGuard timeout value. This sets the length of time that a
SpanGuard-affected port will remain locked:
set spantree spanguardtimeout timeout
Note: To use the SpanGuard function, you must know which ports are connected between
switching devices as ISLs (inter-switch links). Also, you must configure edge port status
(adminedge = true or false) on the entire switch, as described in “Defining Edge Port Status” on
page 15-24, before SpanGuard will work properly.
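The lock and unlock rules described under “How Does It Operate?” and the edge-port procedure above can be checked as a small model. The following is an added example, not Enterasys code: it models a SpanGuard-enabled device whose ISL has adminedge = false and whose host-facing port has adminedge = true, then feeds it a constructed sequence of BPDUs, data packets and timer ticks. The port names, the 300-second default timeout, the event names and the trap record text are assumptions of the model.

```python
"""Toy model of SpanGuard port locking (added example, not Enterasys code).

Rules taken from the text: a BPDU on an adminedge=True port locks the port and
sets it to blocking; a locked port processes nothing; the port unlocks when the
timeout expires, it is manually unlocked, adminedge is set to False, or
SpanGuard is disabled; a later offending BPDU locks it again; an SNMP trap is
generated on each lock.  Port names, default timeout and trap text are assumed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    name: str
    adminedge: bool              # True: port is not expected to receive BPDUs
    locked: bool = False
    state: str = "forwarding"    # simplified spanning tree port state
    locked_at: Optional[float] = None


@dataclass
class SpanGuard:
    enabled: bool = False
    timeout: float = 300.0       # seconds a locked port stays locked (assumed default)
    snmp_enabled: bool = True
    ports: dict = field(default_factory=dict)
    traps: list = field(default_factory=list)

    def add_port(self, name, adminedge):
        self.ports[name] = Port(name, adminedge)

    def _unlock(self, port):
        port.locked = False
        port.locked_at = None
        port.state = "forwarding"

    def receive_bpdu(self, name, now):
        """Apply the locking rule to a BPDU arriving on port `name` at time `now`."""
        port = self.ports[name]
        if port.locked:
            return "dropped"               # a locked port processes no received packets
        if not self.enabled or not port.adminedge:
            return "processed"             # normal spanning tree handling (ISL or SpanGuard off)
        port.locked, port.state, port.locked_at = True, "blocking", now
        if self.snmp_enabled:
            self.traps.append(f"spanGuardTrap port={name} t={now}")   # constructed trap text
        return "locked"

    def receive_packet(self, name):
        """Non-BPDU traffic: processed unless the port is locked."""
        return "dropped" if self.ports[name].locked else "processed"

    def tick(self, now):
        """Release ports whose lock timeout has expired; returns the names released."""
        released = []
        for port in self.ports.values():
            if port.locked and now - port.locked_at >= self.timeout:
                self._unlock(port)
                released.append(port.name)
        return released

    def unlock(self, name):
        """Manual unlock of a single port."""
        self._unlock(self.ports[name])

    def set_adminedge(self, name, value):
        """Changing a port to adminedge=False releases any SpanGuard lock on it."""
        port = self.ports[name]
        port.adminedge = value
        if not value:
            self._unlock(port)

    def disable(self):
        """Disabling SpanGuard releases every locked port."""
        self.enabled = False
        for port in self.ports.values():
            self._unlock(port)


def demo():
    """Walk a constructed event sequence through the model and return the trace."""
    sg = SpanGuard(enabled=True, timeout=60)         # set spantree spanguard enable / spanguardtimeout 60
    sg.add_port("ge.1.1", adminedge=False)           # known ISL (assumed port name)
    sg.add_port("ge.1.2", adminedge=True)            # host-facing port (assumed port name)
    trace = []
    trace.append(("isl bpdu", sg.receive_bpdu("ge.1.1", now=0)))              # processed
    trace.append(("edge bpdu", sg.receive_bpdu("ge.1.2", now=0)))             # locked
    trace.append(("edge data", sg.receive_packet("ge.1.2")))                  # dropped
    trace.append(("edge bpdu again", sg.receive_bpdu("ge.1.2", now=30)))      # dropped
    trace.append(("tick 30", sg.tick(30)))                                    # []
    trace.append(("tick 60", sg.tick(60)))                                    # ["ge.1.2"]
    trace.append(("edge bpdu after timeout", sg.receive_bpdu("ge.1.2", now=61)))  # locked
    sg.unlock("ge.1.2")
    trace.append(("state after manual unlock", sg.ports["ge.1.2"].state))     # forwarding
    trace.append(("traps", len(sg.traps)))                                    # 2
    return trace


if __name__ == "__main__":
    for event, result in demo():
        print(f"{event}: {result}")
```

The trace shows the two points that matter operationally: a BPDU on the ISL is still processed normally (so the real topology keeps converging), while the host port is locked on the first spoofed BPDU and stays locked through the timeout, with one trap per lock event rather than one per received BPDU.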