Configuring bpdu dropping, Configuration prerequisites, Configuration procedure – H3C Technologies H3C S3600 Series Switches User Manual
Configuring BPDU Dropping
In an STP-enabled network, some users may send BPDU packets to the switch continuously in order to
disrupt the network. When a switch receives the BPDU packets, it forwards them to other switches.
As a result, STP calculation is performed repeatedly, which may consume excessive CPU resources on
the switches or cause errors in the protocol state of the BPDU packets.
To avoid this problem, you can enable BPDU dropping on Ethernet ports. Once the function is
enabled on a port, the port neither receives nor forwards any BPDU packets. The switch is thus
protected against BPDU packet attacks, and the STP calculation remains correct.
Configuration prerequisites
MSTP runs normally on the switch.
Configuration procedure
Follow these steps to configure BPDU dropping:
To do...                    Use the command...          Remarks
Enter system view           system-view                 -
Enter Ethernet port view    interface interface-name    -
Enable BPDU dropping        bpdu-drop any               Required
                                                        BPDU dropping is disabled by default.
Configuration example
# Enable BPDU dropping on Ethernet 1/0/1.
<Sysname> system-view
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] bpdu-drop any
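The following Python example is added here and is not part of the H3C manual. It identifies spanning tree BPDUs by their 802.3/LLC framing and counts those arriving on user-facing ports, which are the ports where BPDU dropping is a candidate. The frames, the helper make_frame and the port names other than Ethernet 1/0/1 are constructed sample values.

```python
import struct
from collections import Counter

STP_DST = bytes.fromhex("0180c2000000")  # IEEE bridge group address used by STP/RSTP/MSTP
LLC_STP = bytes.fromhex("424203")        # LLC header: DSAP 0x42, SSAP 0x42, UI control
BPDU_TYPES = {0x00: "config", 0x80: "tcn", 0x02: "rst/mst"}

def classify_bpdu(frame: bytes):
    """Return the BPDU type name, or None if the frame is not a spanning tree BPDU."""
    if len(frame) < 21 or frame[:6] != STP_DST:
        return None
    (length,) = struct.unpack("!H", frame[12:14])
    if length > 1500 or frame[14:17] != LLC_STP:  # BPDUs use 802.3 length + LLC, not an EtherType
        return None
    proto_id, _version, bpdu_type = struct.unpack("!HBB", frame[17:21])
    if proto_id != 0:
        return None
    return BPDU_TYPES.get(bpdu_type, "unknown")

def audit_user_ports(captures, user_ports):
    """Count BPDUs per type seen on ports that should only face end users."""
    findings = {}
    for port, frame in captures:
        kind = classify_bpdu(frame)
        if kind and port in user_ports:
            findings.setdefault(port, Counter())[kind] += 1
    return findings

def make_frame(dst, payload, ethertype=None):
    """Build a constructed test frame (hypothetical helper, sample data only)."""
    src = bytes.fromhex("020000000001")  # constructed locally administered MAC
    if ethertype is not None:
        return dst + src + struct.pack("!H", ethertype) + payload
    llc = LLC_STP + payload
    return dst + src + struct.pack("!H", len(llc)) + llc

# Constructed captures: (ingress port, raw frame). Port names are sample values.
TCN = bytes([0, 0, 0, 0x80])                 # protocol id 0, version 0, type TCN
CONFIG = bytes([0, 0, 0, 0x00]) + bytes(31)  # 35-byte configuration BPDU, zeroed fields
SAMPLE = (
    [("Ethernet1/0/1", make_frame(STP_DST, TCN))] * 3
    + [("Ethernet1/0/1", make_frame(STP_DST, CONFIG))]
    + [("Ethernet1/0/2", make_frame(bytes.fromhex("ffffffffffff"), bytes(46), 0x0800))]
    + [("GigabitEthernet1/1/1", make_frame(STP_DST, CONFIG))]  # uplink, not audited
)

if __name__ == "__main__":
    for port, counts in audit_user_ports(SAMPLE, {"Ethernet1/0/1", "Ethernet1/0/2"}).items():
        print(port, dict(counts))
```

A user-facing port that shows up in the result is receiving BPDUs it has no reason to receive; the uplink is deliberately left out of the audited set because it carries BPDUs in normal operation.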
Configuring Digest Snooping
Introduction
According to IEEE 802.1s, two interconnected switches can communicate with each other through
MSTIs in an MST region only when the two switches have the same MST region-related configuration.
Interconnected MSTP-enabled switches determine whether or not they are in the same MST region by
checking the configuration IDs of the BPDUs exchanged between them. (A configuration ID contains
information such as region ID and configuration digest.)
As some other manufacturers' switches adopt proprietary spanning tree protocols, they cannot
communicate with the other switches in an MST region even if they are configured with the same MST
region-related settings as the other switches in the MST region.
This problem can be overcome by implementing the digest snooping feature. If a port on an S3600
Ethernet switch is connected to another manufacturer's switch that has the same MST region-related
configuration as its own but adopts a proprietary spanning tree protocol, you can enable digest
snooping on the port. The S3600 Ethernet switch then regards the other manufacturer's switch as
being in the same region; it records the configuration digests carried in the BPDUs received from
the other manufacturer's switch, and puts them in the BPDUs to be sent to that switch. In