R3166-R3206-HP High-End Firewalls Network Management Configuration Guide-6PW101
83
[Firewall-GigabitEthernet0/1] stp no-agreement-check
Configuring protection functions
A spanning tree device supports the following protection functions:
• BPDU guard
• Root guard
• Loop guard
• TC-BPDU guard
1. Configuration prerequisites
The spanning tree feature has been correctly configured on the device.
2. Enabling BPDU guard
For access layer devices, the access ports can directly connect to the user terminals (such as PCs) or file
servers. The access ports are configured as edge ports to allow rapid transition. When these ports
receive configuration BPDUs, the system automatically sets the ports as non-edge ports and starts a new
spanning tree calculation process. This causes a change of network topology. Under normal conditions,
these ports should not receive configuration BPDUs. However, if someone forges configuration BPDUs
maliciously to attack the devices, the network will become instable.
The spanning tree protocol provides the BPDU guard function to protect the system against such attacks.
With the BPDU guard function enabled on the devices, when edge ports receive configuration BPDUs,
the system will close these ports and notify the NMS that these ports have been closed by the spanning
tree protocol. Ports disabled in this way will be re-activated by the device after a detection interval. For
more information about this detection interval.
Configure BPDU guard on a device with edge ports configured.
Follow these steps to enable BPDU guard:
To do... Use the command...
Remarks
Enter system view system-view —
Enable the BPDU guard
function for the device
stp bpdu-protection
Required
Disabled by default.
NOTE:
BPDU guard does not take effect on loopback-testing-enabled ports. For more information about
loopback testing, see
Network Management Configuration Guide
.
3. Enabling root guard
The root bridge and secondary root bridge of a spanning tree should be located in the same MST region.
Especially for the CIST, the root bridge and secondary root bridge are put in a high-bandwidth core
region during network design. However, due to possible configuration errors or malicious attacks in the
network, the legal root bridge may receive a configuration BPDU with a higher priority. The current legal
root bridge will be superseded by another device, causing an undesired change of the network topology.
As a result, the traffic that should go over high-speed links is switched to low-speed links, resulting in
network congestion.
To prevent this situation, MSTP provides the root guard function. If the root guard function is enabled on
a port of a root bridge, this port plays the role of designated port on all MSTIs. Once this port receives
a configuration BPDU with a higher priority from an MSTI, it immediately sets that port to the listening
state in the MSTI, without forwarding the packet (this is equivalent to disconnecting the link connected