Configuration Guide MSTP Configuration
port, this port will enter the error-disabled status, indicating the configuration
error. At the same time, the port will be closed to show that some illegal users
may add a network device to the network, which change the network topology.
You can also use the spanning-tree bpduguard enable command to enable
BPDU guard on individual interface in the interface configuration mode (it is not
related to whether it is AutoEdge port or not ). Under this situation, it will enter
the error-disabled status if this interface receives the BPDU message.
Understanding BPDU Filter
The BPDU filter can be enabled globally or on individual interface. There are
some slightly difference between these two ways.
You can use the spanning-tree portfast bpdufilter default command to
enable the BPDU filter globally in the privileged mode. In this status, the BPDU
messages can not be received or sent through a Port Fast-enabled port or a
AutoEdge port, leading to no BPDU messages received by the host directly
connecting the port. The BPDU filter will be disabled when the Port Fast is
disabled for the AutoEdge port receives the BPDU message.
You can also use the spanning-tree bpdufilter enable command to enable the
BPDU filter on individual interface in the interface configuration mode (it is not
related to whether it is AutoEdge port or not). In this situation, this interface will
not receive or transmit the BPDU message, but execute the forwarding directly.
Understanding TC-protection
TC-BPDU messages are BPDU messages carrying with TC flag. When the L2
switch receives these messages, the network topology will change and the
MAC address table will be deleted. And for L3 switch, the route table will be
deleted and the port state in the ARP entry will change. To prevent the switch
from processing abovementioned operations when pseudo TC-BPDU
messages attack maliciously, too-heavy burden and network turbulance, the
TC-protection function comes into being.
Tc-protection can only be enabled or disabled globally. It is enabled by default.
Once Tc-protection is enabled, the switch will delete the message within a
certain period of time (usually 4 seconds) after receiving the TC-BPDU
message while monitoring the TC-BPDU message. If it receives the TC-BPDU
message during this period, it will perform the delete operation again after this
period expires. This eliminates the need of frequently deleting MAC address
entries and ARP entries.
To Next Page
Loading...
