Configuration Guide MSTP Configuration
Understanding BPDU Source MAC Check
The gobal of the BPDU source MAC check funciton is to prevent malicious
attack on the switch by sending the BPDU message manually and thus cause
the MSTP protocol work abnormally. When the peer switch connected to a port
in the point-to-point mode is determined, enabling the BPDU source MAC check
function can receive only the BPDU message from the remote switch and
discard all other BPDU messages to protect against malicious attacks. You can
configure the corresponding MAC addresses for the BPDU source MAC check
fucntion on a specific port in the interface mode. Only one MAC address is
configured for one port. BPDU source MAC check can be disabled by using the
no bpdu src-mac-check command. In this case, any BPDU message is
received on the port.
Understanding Invalid Length Filtering for BPDU
When the Ethernet length field of the BPDU message exceeds 1500 bits, this
BPDU message is discarded in order to avoid receiving invalid BPDU
messages.
Understanding ROOT Guard
In network design, root bridge and backup root bridge are always divided in the
same region. Due to error configuration of accendant and malicious attack in
the network, it is possible that root bridge receives configuration message of
higher priority and loses the current root bridge position, leading to error
turbulance of network topology, which Root Guard function can prevent from
occuring.
When enabling Root Guard, it enforces the port role of all the instances as
specified port. Once the port receives configuration message of higher priority,
Root Guard will set the interface as root-inconsistent (blocked). If there is no
configuration message of higher priority during the time long enough, the port
will be restored to be the original normal status.
You shall disable ROOT Guard function if this function results in the blocked
status for interfaces and it needs manual configuration to restore to the normal
status. You can use the command spanning-tree guard none in the interface
configuration mode to disable Root Guard function.
To Next Page
Loading...
