beautypg.com

Configuring protection functions, Enabling bpdu guard, Enabling root guard – H3C Technologies H3C S12500 Series Switches User Manual

Page 107

background image

94

Configuring protection functions

A spanning tree device supports the following protection functions:

BPDU guard

Root guard

Loop guard

TC-BPDU guard

Enabling BPDU guard

IMPORTANT:

BPDU guard does not take effect on loopback-testing-enabled ports. For more information about
loopback testing, see

Interface Configuration Guide.

For access layer devices, the access ports can directly connect to the user terminals (such as PCs) or file

servers. The access ports are configured as edge ports to allow rapid transition. When these ports

receive configuration BPDUs, the system automatically sets the ports as non-edge ports and starts a new
spanning tree calculation process. This causes a change of network topology. Under normal conditions,

these ports should not receive configuration BPDUs. However, if someone forges configuration BPDUs

maliciously to attack the devices, the network will become instable.
The spanning tree protocol provides the BPDU guard function to protect the system against such attacks.
With the BPDU guard function enabled on the devices, when edge ports receive configuration BPDUs,

the system will close these ports and notify the NMS that these ports have been closed by the spanning

tree protocol. Ports disabled in this way will be re-activated by the device after a detection interval. For

more information about this detection interval, see Fundamentals Configuration Guide.
Configure BPDU guard on a device with edge ports configured.
To enable BPDU guard:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Enable the BPDU guard

function for the switch.

stp bpdu-protection

By default, BPDU guard is
disabled.

Enabling root guard

IMPORTANT:

On a port, the root guard function and the loop guard function are mutually exclusive.

The root bridge and secondary root bridge of a spanning tree should be located in the same MST region.

Especially for the CIST, the root bridge and secondary root bridge are put in a high-bandwidth core

region during network design. However, due to possible configuration errors or malicious attacks in the

network, the legal root bridge might receive a configuration BPDU with a higher priority. The current
legal root bridge will be superseded by another device, causing an undesired change of the network

This manual is related to the following products:
See also other documents in the category H3C Technologies Routers: