H3C S7500E Series Ethernet Switches Operation Manual
Operation Manual – MSTP
H3C S7500E Series Ethernet Switches Chapter 1 MSTP Configuration
1.8.2 Enabling BPDU Guard
For access layer devices, the access ports generally connect directly with user
terminals (such as PCs) or file servers. In this case, the access ports are configured as
edge ports to allow rapid transition of these ports. When these ports receive
configuration BPDUs, the system will automatically set these ports as non-edge ports
and start a new spanning tree calculation process. This will cause a change of network
topology. Under normal conditions, these ports should not receive configuration BPDUs.
However, if someone forges configuration BPDUs maliciously to attack the devices,
network instability will occur.
MSTP provides the BPDU guard function to protect the system against such attacks.
With the BPDU guard function enabled on the devices, when edge ports receive
configuration BPDUs, MSTP will close these ports and notify the NMS that these ports
have been closed by MSTP. Ports closed in this way can be restored only by the
network administrator.
Note:
It is recommended that you enable the BPDU guard on your device.
Follow these steps to enable BPDU guard:
| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enable the BPDU guard function on the device | stp bpdu-protection | Required. Disabled by default |
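The edge-port behaviour described in this section, as an added Python model (not H3C code and not part of the original manual): it recognises configuration BPDUs in raw frames and applies the rules with and without stp bpdu-protection. The class name, port names, MAC addresses and sample frames are constructed for the example.

```python
import struct

STP_DST_MAC = bytes.fromhex("0180c2000000")  # IEEE bridge group address
LLC_STP = b"\x42\x42\x03"                    # DSAP/SSAP 0x42, UI control
CONFIG_TYPES = {0x00: "STP config", 0x02: "RSTP/MSTP"}  # 0x80 (TCN) is excluded

# Constructed sample frames (not captured traffic).
SAMPLE_BPDU = bytes.fromhex(
    "0180c2000000 020000000099 0026 424203 "   # dst, src, length, LLC
    "0000 00 00 00 8000020000000099 "          # proto id, version, type, flags, root id
    "00000000 8000020000000099 8001 "          # path cost, bridge id, port id
    "0000 1400 0200 0f00")                     # message age, max age, hello, fwd delay
SAMPLE_DATA = bytes.fromhex("ffffffffffff 020000000011 0806") + bytes(28)

def parse_bpdu(frame):
    """Return sender and root fields of a configuration BPDU, or None."""
    if len(frame) < 30 or frame[0:6] != STP_DST_MAC or frame[14:17] != LLC_STP:
        return None
    proto_id, _version, bpdu_type = struct.unpack("!HBB", frame[17:21])
    if proto_id != 0 or bpdu_type not in CONFIG_TYPES:
        return None
    (root_prio,) = struct.unpack("!H", frame[22:24])
    return {"kind": CONFIG_TYPES[bpdu_type], "src": frame[6:12].hex(":"),
            "root_priority": root_prio & 0xF000, "root_mac": frame[24:30].hex(":")}

class EdgePortGuard:
    """Model of the edge-port rules in this section (hypothetical class)."""
    def __init__(self, edge_ports, bpdu_protection=True):
        self.edge, self.enabled = set(edge_ports), bpdu_protection
        self.down, self.events = set(), []

    def receive(self, port, frame):
        if port in self.down:
            return "dropped"        # closed until an administrator restores it
        bpdu = parse_bpdu(frame)
        if bpdu is None:
            return "forward"        # ordinary user traffic
        if port not in self.edge:
            return "process"        # normal spanning tree handling
        if self.enabled:            # stp bpdu-protection: close port, notify NMS
            self.down.add(port)
            self.events.append(f"{port} closed by BPDU guard (sender {bpdu['src']})")
            return "shutdown"
        self.edge.discard(port)     # default: port becomes non-edge, tree recalculates
        self.events.append(f"{port} set to non-edge, recalculation started")
        return "recalculate"

    def restore(self, port):
        self.down.discard(port)     # administrator action
```

The events list stands in for the NMS notification; each entry records the port and the sender address an operator would look at before restoring the port.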
1.8.3 Enabling Root Guard
The root bridge and secondary root bridge of a spanning tree should be located in the
same MST region. Especially for the CIST, the root bridge and secondary root bridge
are generally put in a high-bandwidth core region during network design. However, due
to possible configuration errors or malicious attacks in the network, the legal root bridge
may receive a configuration BPDU with a higher priority. In this case, the current, legal
root bridge will be superseded by another device, causing an undesired change of the
network topology. As a result of this kind of illegal topology change, the traffic that
should go over high-speed links is drawn to low-speed links, resulting in network
congestion.
To prevent this situation from happening, MSTP provides the root guard function to
protect the root bridge. If the root guard function is enabled on a port, this port will keep