Configuration Guide     342
Configuring Spanning Tree STP Security Configurations
Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list}
Enter interface configuration mode.
Step 3 spanning-tree guard loop
(Optional) Enable Loop Protect. It is recommended to enable this function on root ports and 
alternate ports.
When there is link congestion or a link failure in the network, the switch will not receive 
BPDUs from the upstream device in time. Loop Protect is used to avoid loops caused by the 
recalculation in this situation. With the Loop Protect function enabled, the port will temporarily 
transition to the blocking state if it does not receive BPDUs in time.
Step 4 spanning-tree guard root
(Optional) Enable Root Protect. It is recommended to enable this function on the designated 
ports of the root bridge.
Switches with faulty configurations may produce higher-priority BPDUs than the root 
bridge's, and this situation will cause recalculation of the spanning tree. Root Protect is used 
to ensure that the desired root bridge will not lose its position in the scenario above. With Root 
Protect enabled, the port will temporarily transition to the blocking state when it receives 
higher-priority BPDUs. After two forward delays, if the port does not receive any other 
higher-priority BPDUs, it will return to its normal state.
Step 5 spanning-tree guard tc
(Optional) Enable the TC Guard function. It is recommended to enable this function on the 
ports of non-root switches.
The TC Guard function is used to prevent the switch from frequently changing the MAC address 
table. With the TC Guard function enabled, when the switch receives TC-BPDUs, it will not process 
them immediately. After receiving the first TC-BPDU, the switch will wait for a fixed time and 
then process the TC-BPDUs together, after which it will restart timing.
Step 6 spanning-tree bpduguard
(Optional) Enable the BPDU Protect function. It is recommended to enable this function on 
edge ports.
Edge ports in a spanning tree are used to connect to end devices and do not receive 
BPDUs in normal situations. If edge ports receive BPDUs, it may be an attack. BPDU Protect 
is used to protect the switch from the attack described above. With the BPDU Protect function 
enabled, the edge ports will be shut down when they receive BPDUs, and will report these 
cases to the administrator. Only the administrator can restore the state of the ports.
Step 7 spanning-tree bpdufilter
(Optional) Enable or disable BPDU Filter. It is recommended to enable this function on edge 
ports.
With the BPDU Filter function enabled, the port does not receive or forward BPDUs, but it sends out 
its own BPDUs. Like BPDU Protect, BPDU Filter can prevent the switch from being attacked.
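
The conditions that Root Protect, TC Guard and BPDU Protect react to can be seen in the BPDU itself. The following is an added example, not part of this guide or the switch firmware: it parses an IEEE 802.1D configuration BPDU and names the matching condition. The function names, the expected root bridge ID and the sample frames are constructed for illustration.

```python
import struct

# IEEE 802.1D configuration BPDU after the 3-byte LLC header (42 42 03);
# the four trailing timer fields are in units of 1/256 s.
BPDU_FMT = ">HBBB8sI8sHHHHH"
LLC_STP = b"\x42\x42\x03"
TC_FLAG = 0x01  # Topology Change bit of the flags octet


def bridge_id(raw):
    """Split an 8-byte bridge ID into (priority, MAC). The lower tuple wins."""
    return struct.unpack(">H", raw[:2])[0], raw[2:].hex(":")


def parse_config_bpdu(payload):
    """Parse LLC + configuration BPDU; return None for anything else."""
    size = struct.calcsize(BPDU_FMT)  # 35 bytes
    if not payload.startswith(LLC_STP) or len(payload) < 3 + size:
        return None
    proto, _ver, btype, flags, root, cost, sender, _port, *_timers = \
        struct.unpack(BPDU_FMT, payload[3:3 + size])
    if proto != 0 or btype != 0x00:  # type 0x00 = configuration BPDU
        return None
    return {"root": bridge_id(root), "sender": bridge_id(sender),
            "cost": cost, "tc": bool(flags & TC_FLAG)}


def classify(payload, expected_root, edge_port):
    """Name the condition from the steps above that this frame matches."""
    bpdu = parse_config_bpdu(payload)
    if bpdu is None:
        return "not-a-config-bpdu"
    if edge_port:
        return "bpdu-on-edge-port"    # what BPDU Protect reacts to
    if bpdu["root"] < expected_root:
        return "superior-root-claim"  # what Root Protect reacts to
    return "topology-change" if bpdu["tc"] else "normal"  # TC Guard input


def build_sample(priority, mac, flags=0):
    """Build a constructed frame (not a capture) whose sender claims root."""
    bid = struct.pack(">H", priority) + bytes.fromhex(mac.replace(":", ""))
    return LLC_STP + struct.pack(BPDU_FMT, 0, 0, 0, flags, bid, 0, bid,
                                 0x8001, 0, 20 * 256, 2 * 256, 15 * 256)


if __name__ == "__main__":
    root = (4096, "02:00:00:00:00:01")  # constructed expected root bridge
    print(classify(build_sample(0, "02:00:00:00:00:99"), root, False))
```

A numerically lower bridge ID is the "higher-priority" BPDU the Root Protect step refers to, which is why the comparison uses `<`.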