Manualshelf

R21xx-HP FlexFabric 11900 Layer 2 LAN Switching Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP FlexFabric 11000 Switch Products
919293949596979899100
88
Configuring protection functions
A spanning tree device supports the following protection functions:
BPDU guard
Root guard
Loop guard
Port role restriction
TC-BPDU transmission restriction
TC-BPDU guard
Enabling BPDU guard
For access layer devices, the access ports can directly connect to the user terminals (such as PCs) or file
servers. The access ports are configured as edge ports to allow rapid transition. When these ports
receive configuration BPDUs, the system automatically sets the ports as non-edge ports and starts a new
spanning tree calculation process. This causes a change of network topology. Under normal conditions,
these ports should not receive configuration BPDUs. However, if someone forges configuration BPDUs
maliciously to attack the devices, the network will become unstable.
The spanning tree protocol provides the BPDU guard function to protect the system against such attacks.
With the BPDU guard function enabled on the devices, when edge ports receive configuration BPDUs,
the system closes these ports and notifies the NMS that these ports have been closed by the spanning tree
protocol. The device reactivates the closed ports after a detection interval. For more information about
this detection interval, see Fundamentals Configuration Guide.
BPDU guard does not take effect on loopback-testing-enabled ports. For more information about
loopback testing, see "Configuring Ethernet interfaces."
C
onfigure BPDU guard on a device with edge ports configured.
To enable BPDU guard:
Step Command Remarks
1. Enter system view.
system-view N/A
2. Enable the BPDU guard
function for the device.
stp bpdu-protection
By default, BPDU guard is
disabled.
Enabling root guard
The root bridge and secondary root bridge of a spanning tree should be located in the same MST region.
Especially for the CIST, the root bridge and secondary root bridge are put in a high-bandwidth core
region during network design. However, due to possible configuration errors or malicious attacks in the
network, the legal root bridge might receive a configuration BPDU with a higher priority. Another device
supersedes the current legal root bridge, causing an undesired change of the network topology. The
traffic that should go over high-speed links is switched to low-speed links, resulting in network congestion.
To prevent this situation, MSTP provides the root guard function. If the root guard function is enabled on
a port of a root bridge, this port plays the role of designated port on all MSTIs. After this port receives a
configuration BPDU with a higher priority from an MSTI, it immediately sets that port to the listening state
in the MSTI, without forwarding the packet. This is equivalent to disconnecting the link connected with