Configuration prerequisites, Configuration procedure, Configuration example – H3C Technologies H3C S3600 Series Switches User Manual
Page 288: Configuring root guard
Normally, no configuration BPDUs reach edge ports. However, malicious users can attack a network by
deliberately sending configuration BPDUs to edge ports, causing network jitter. You can prevent this
type of attack with the BPDU guard function. With this function enabled, the switch shuts down any
edge port that receives a configuration BPDU and reports the event to the administrator. Ports shut
down in this way can be restored only by the administrator.
Enabling BPDU guard is recommended on devices that have edge ports configured.
Configuration Prerequisites
MSTP runs normally on the switch.
Configuration procedure
Follow these steps to configure BPDU guard:
To do...                          Use the command...     Remarks
Enter system view                 system-view            —
Enable the BPDU guard function    stp bpdu-protection    Required. The BPDU guard function is disabled by default.
Configuration example
# Enable the BPDU guard function.
[Sysname] stp bpdu-protection
Because the Gigabit ports of an S3600 Ethernet switch cannot be shut down, the BPDU guard function
does not apply to these ports, even if you enable BPDU guard and configure these ports as
MSTP edge ports.
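The following Python script is an added example, not part of the H3C manual. It audits a saved switch configuration for the two conditions described above: edge ports configured without `stp bpdu-protection`, and Gigabit edge ports that BPDU guard cannot shut down. The per-port `stp edged-port enable` line, the interface names and the sample configuration text are assumptions constructed for illustration.

```python
import re

# Constructed sample in the style of saved configuration output; interface
# names and the per-port "stp edged-port enable" line are assumptions.
SAMPLE_CONFIG = """\
#
 sysname Sysname
#
 stp bpdu-protection
#
interface Ethernet1/0/1
 stp edged-port enable
#
interface Ethernet1/0/2
 port link-type trunk
#
interface GigabitEthernet1/1/1
 stp edged-port enable
#
"""

def audit_bpdu_guard(config_text):
    """Return (guard_enabled, edge_ports, findings) for one switch config."""
    guard_enabled = False
    edge_ports = []
    current_if = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current_if = m.group(1)
        elif line == "#":
            current_if = None          # '#' closes the current section
        elif current_if is None and line == "stp bpdu-protection":
            guard_enabled = True       # global (system view) command
        elif current_if and line == "stp edged-port enable":
            edge_ports.append(current_if)
    findings = []
    if edge_ports and not guard_enabled:
        findings.append("edge ports configured but 'stp bpdu-protection' is missing")
    for port in edge_ports:
        # Per the manual page, BPDU guard is not applicable to Gigabit ports.
        if port.startswith("GigabitEthernet"):
            findings.append(f"{port}: edge port not covered by BPDU guard")
    return guard_enabled, edge_ports, findings

if __name__ == "__main__":
    for finding in audit_bpdu_guard(SAMPLE_CONFIG)[2]:
        print("FINDING:", finding)
```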
Configuring Root Guard
A root bridge and its secondary root bridges must reside in the same region. The root bridge of the CIST
and its secondary root bridges are usually located in the high-bandwidth core region. Configuration
errors or attacks may result in configuration BPDUs with a higher priority than that of the root bridge,
which causes a new root bridge to be elected and the network topology to jitter. In this case, traffic that
should travel along high-speed links may be diverted to low-speed links, and network congestion may occur.