126 
Configuring protection features 
A spanning tree device supports the following protection features: 
•  BPDU guard 
•  Root guard 
•  Loop guard 
•  Port role restriction 
•  TC-BPDU transmission restriction 
•  TC-BPDU guard 
•  BPDU drop 
•  PVST BPDU guard 
•  Dispute gurad 
Configuring BPDU guard 
For access layer devices, the access ports can directly connect to the user terminals (such as PCs) 
or file servers. The access ports are configured as edge ports to allow rapid transition. When these 
ports receive configuration BPDUs, the system automatically sets the ports as non-edge ports and 
starts a new spanning tree calculation process. This causes a change of network topology. Under 
normal conditions, these ports should not receive configuration BPDUs. However, if someone uses 
configuration BPDUs maliciously to attack the devices, the network will become unstable. 
The spanning tree protocol provides the BPDU guard feature to protect the system against such 
attacks. When edge ports receive configuration BPDUs on a device with BPDU guard enabled, the 
device performs the following operations:  
•  Shuts down these ports. 
•  Notifies the NMS that these ports have been shut down by the spanning tree protocol. 
The device reactivates the shutdown ports after a detection interval. For more information about this 
detection interval, see Fundamentals Configuration Guide. 
You can configure the BPDU guard feature globally or on a per-edge port basis. 
BPDU guard does not take effect on loopback-testing-enabled ports. For more information about 
loopback testing, see Interface Configuration Guide.  
Enabling BPDU guard globally 
The global BPDU guard setting takes effect on all edge ports that are not configured by using the stp 
port bpdu-protection command. 
To enable BPDU guard globally: 
 
Step Command Remarks 
1.  Enter system view. 
system-view 
N/A 
2.  Enable BPDU guard globally. 
stp bpdu-protection 
By default, BPDU guard is globally 
disabled. 
 
Configuring BPDU guard on an interface 
An edge port preferentially uses the port-specific BPDU guard setting. If the port-specific BPDU 
guard setting is not available, the edge port uses the global BPDU guard setting. 
To configure BPDU guard on an interface: