HP 5820X Series

Configuring protection functions
An MSTP-enabled device supports the following protection functions:
BPDU guard
Root guard
Loop guard
TC-BPDU guard
BPDU drop
Configuration prerequisites
MSTP has been correctly configured on the device.
Enabling BPDU guard
For access layer devices, the access ports can directly connect to the user terminals (such as PCs) or file
servers. The access ports are configured as edge ports to allow rapid transition. When these ports receive
configuration BPDUs, the system will set these ports automatically as non-edge ports and start a new
spanning tree calculation process. This will cause a change of network topology. Under normal
conditions, these ports should not receive configuration BPDUs. However, if someone forges configuration
BPDUs maliciously to attack the devices, the network will become unstable.
MSTP provides the BPDU guard function to protect the system against such attacks. With the BPDU guard
function enabled on the devices, when edge ports receive configuration BPDUs, MSTP will close these
ports and notify the NMS that these ports have been closed by MSTP. The closed ports will be
reactivated by the device after a detection interval. For more information about this detection interval, see
the Fundamentals Configuration Guide.
Make this configuration on a device with edge ports configured.
To enable BPDU guard:
To do...                                            Use the command...     Remarks
1. Enter system view                                system-view
2. Enable the BPDU guard function for the device    stp bpdu-protection    Required; disabled by default
BPDU guard does not take effect on loopback test-enabled ports. For more information about loopback
testing, see the chapter “Ethernet interface configuration.”
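A configuration audit for the requirement above, as an added example that is not part of the HP manual: it parses saved-configuration text and lists edge ports left without the global stp bpdu-protection setting. The sample configuration is constructed, and the edge-port line "stp edged-port enable" is an assumption about the configuration syntax, since this page does not show it.

```python
import re

# Assumption: edge ports appear in the saved configuration as this interface-level
# line; the command is not shown on this page, adjust it to your software release.
EDGE_PORT_CMD = "stp edged-port enable"
BPDU_GUARD_CMD = "stp bpdu-protection"   # system-view command from this section

# Constructed sample configuration (hypothetical device and interface names).
SAMPLE_CONFIG = """\
#
 sysname access-sw1
#
 stp enable
#
interface GigabitEthernet1/0/1
 port access vlan 10
 stp edged-port enable
#
interface GigabitEthernet1/0/2
 port access vlan 10
 stp edged-port enable
#
interface Ten-GigabitEthernet1/0/25
 port link-type trunk
#
"""

def audit_bpdu_guard(config_text):
    """Return a dict: guard enabled?, edge ports found, unprotected edge ports."""
    section = None              # interface being parsed; None means system view
    guard_enabled = False
    edge_ports = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":         # "#" closes the current section
            section = None
            continue
        match = re.fullmatch(r"interface\s+(\S+)", line)
        if match and not raw[0].isspace():
            section = match.group(1)
        elif section is None and line == BPDU_GUARD_CMD:
            guard_enabled = True        # only counts when set in system view
        elif section is not None and line == EDGE_PORT_CMD:
            edge_ports.append(section)
    unprotected = [] if guard_enabled else list(edge_ports)
    return {"bpdu_guard": guard_enabled, "edge_ports": edge_ports,
            "unprotected": unprotected}
```

Calling audit_bpdu_guard(SAMPLE_CONFIG) reports both GigabitEthernet access ports as unprotected; once "stp bpdu-protection" appears in the system-view part of the configuration, the unprotected list is empty.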
Enabling root guard
The root bridge and secondary root bridge of a spanning tree should be located in the same MST region.
Especially for the CIST, the root bridge and secondary root bridge are put in a high-bandwidth core
region during network design. However, because of possible configuration errors or malicious attacks in
the network, the legal root bridge may receive a configuration BPDU with a higher priority. The current
legal root bridge will be superseded by another device, causing an undesired change of the network
topology. As a result, the traffic that should go over high-speed links is switched to low-speed links,
resulting in network congestion.
To prevent this situation from happening, MSTP provides the root guard function. If the root guard function
is enabled on a port of a root bridge, this port will keep playing the role of designated port on all MSTIs.
Once this port receives a configuration BPDU with a higher priority from an MSTI, it immediately sets that
port to the listening state in the MSTI, without forwarding the packet (this is equivalent to disconnecting
