48
• Enabling root guard
• Enabling loop guard
• Configuring port role restriction
• Configuring TC-BPDU transmission restriction
• Enabling TC-BPDU guard
• Enabling BPDU drop
• Enabling PVST BPDU guard
• Disabling dispute guard
Configuring BPDU guard
About BPDU guard
For access layer devices, the access ports can directly connect to the user terminals (such as PCs)
or file servers. The access ports are configured as edge ports to allow rapid transition. When these
ports receive configuration BPDUs, the system automatically sets the ports as non-edge ports and
starts a new spanning tree calculation process. This causes a change of network topology. Under
normal conditions, these ports should not receive configuration BPDUs. However, if someone uses
configuration BPDUs maliciously to attack the devices, the network will become unstable.
The spanning tree protocol provides the BPDU guard feature to protect the system against such
attacks. When edge ports receive configuration BPDUs on a device with BPDU guard enabled, the
device performs the following operations:
• Shuts down these ports.
• Notifies the NMS that these ports have been shut down by the spanning tree protocol.
The device reactivates the ports that have been shut down when the port status detection timer
expires. You can set this timer by using the
shutdown-interval command. For more information
about this command, see device management commands in Fundamentals Command Reference.
Restrictions and guidelines
You can configure the BPDU guard feature in system view or on a per-edge port basis. An edge port
preferentially uses the port-specific BPDU guard setting. If the port-specific BPDU guard setting is
not available, the edge port uses the global BPDU guard setting.
Configure BPDU guard on edge ports which directly connect to a user terminal rather than other
device or shared LAN segment.
BPDU guard does not take effect on loopback-testing-enabled ports. For more information about
loopback testing, see Ethernet interface configuration in Interface Configuration Guide.
Enabling BPDU guard in system view
1. Enter system view.
system-view
2. Enable BPDU guard globally.
stp bpdu-protection
By default, BPDU guard is globally disabled.
Configuring BPDU guard in interface view
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
To Next Page
Loading...
