86
Enabling BPDU guard
For access layer devices, the access ports can directly connect to the user terminals (such as PCs) or file
servers. The access ports are configured as edge ports to allow rapid transition. When these ports receive
configuration BPDUs, the system automatically sets these ports as non-edge ports and starts a new
spanning tree calculation process. This causes a change of network topology. Under normal conditions,
these ports should not receive configuration BPDUs. However, if someone forges configuration BPDUs
maliciously to attack the devices, the network will become unstable.
MSTP provides the BPDU guard function to protect the system against such attacks. With the BPDU guard
function enabled on the devices, when edge ports receive configuration BPDUs, MSTP closes these ports
and notifies the NMS that these ports have been closed by MSTP. The device will reactivate the closed
ports after a detection interval. For more information about this detection interval, see the Fundamentals
Configuration Guide.
Make this configuration on a device with edge ports configured.
Follow these steps to enable BPDU guard:
Enable the BPDU guard function
for the device
Required
Disabled by default.
NOTE:
BPDU guard does not take effect on loopback testing-enabled ports. For more information about
loopback testing, see the chapter ―Ethernet interface configuration.‖
Enabling root guard
The root bridge and secondary root bridge of a spanning tree should be located in the same MST region.
Especially for the CIST, the root bridge and secondary root bridge are put in a high-bandwidth core
region during network design. However, because of possible configuration errors or malicious attacks in
the network, the legal root bridge might receive a configuration BPDU with a higher priority. Another
device will supersede the current legal root bridge, causing an undesired change of the network
topology. The traffic that should go over high-speed links is switched to low-speed links, resulting in
network congestion.
To prevent this situation, MSTP provides the root guard function. If the root guard function is enabled on a
port of a root bridge, this port will keep playing the role of designated port on all MSTIs. After this port
receives a configuration BPDU with a higher priority from an MSTI, it immediately sets that port to the
listening state in the MSTI, without forwarding the packet. This is equivalent to disconnecting the link
connected to this port in the MSTI. If the port receives no BPDUs with a higher priority within twice the
forwarding delay, it reverts to its original state.
Make this configuration on a designated port.
Follow these steps to enable root guard:
Enter interface
view or port
group view
Enter Ethernet interface
view or Layer 2 aggregate
interface view
interface interface-type
interface-number
Required
Use either command.
To Next Page
Loading...
Need help?
General
