F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Network Management Configuration Guide-6PW100
99
Ste
p
Command
Remarks
178. Enter system view. system-view N/A
179. Enter Ethernet interface view or Layer 2
aggregate interface view.
interface interface-type
interface-number
N/A
180. Enable No Agreement Check.
stp no-agreement-check
By default, No Agreement
Check is disabled.
1155BNo Agreement Check configuration example
1. Network requirements
As shown in
2308HFigure 57:
{ Firewall A connects to a third-party firewall (Firewall B) that has a different spanning tree
implementation. Both firewalls are in the same region.
{ The third-party device (Firewall B) is the regional root bridge, and Firewall A is the downstream
device.
Figure 57 Network diagram
2. Configuration procedure
# Enable No Agreement Check on GigabitEthernet 0/1 of Firewall A.
<DeviceA> system-view
[DeviceA] interface gigabitethernet 0/1
[DeviceA-GigabitEthernet0/1] stp no-agreement-check
444BConfiguring protection functions
A spanning tree device supports the following protection functions:
• BPDU guard
• Root guard
• Loop guard
• TC-BPDU guard
1156BEnabling BPDU guard
For access layer devices, access ports can directly connect to user terminals (such as PCs) or file servers.
Access ports are configured as edge ports to allow rapid transition. When these ports receive
configuration BPDUs, the system automatically sets the ports as non-edge ports and starts a new
spanning tree calculation process. This causes a change of network topology. Under normal conditions,
these ports should not receive configuration BPDUs. However, if someone forges configuration BPDUs
maliciously to attack the devices, the network will become unstable.
The spanning tree protocol provides the BPDU guard function to protect the system against such attacks.
With the BPDU guard function enabled on devices, when edge ports receive configuration BPDUs, the
GE0/1
Firewall A Firewall B
GE0/1
Root port Designated port
Root bridge