RSTP BPDU Guard – Allied Telesis AT-S63 User Manual

AT-S63 Management Software Features Guide

Section V: Spanning Tree Protocols

RSTP BPDU Guard

This feature monitors RSTP edge ports on stand-alone switches or
AT-9400Ts stacks and disables the ports if they receive BPDU packets.
The benefit of this feature is that it prevents the use of edge ports by RSTP
devices and so reduces the possibility of unwanted changes to a network
topology.

When RSTP detects a loop in a network topology, it performs a process
called convergence in which the RSTP devices identify the ports to be
blocked to prevent the loop. The length of time the process requires
depends on a number of factors, including the number of RSTP devices
and ports in the domain. Long convergence processes can affect network
performance because areas of a network may be isolated while the
devices check for loops and enable or disable ports.

You can shorten the convergence process by
designating edge ports on the switches. These ports are connected to
devices that are at the edge of a network, such as workstations and
printers. The advantages of edge ports are that they typically do not
participate in the convergence process and that they immediately
transition to the forwarding state, skipping the intermediate listening and
learning states.

Edge ports, however, can leave a spanning tree domain vulnerable to
unwanted topology changes. This can happen if someone connects an
RSTP device to an edge port, causing the other RSTP devices in the
domain to perform the convergence process to integrate the new device
into the spanning tree domain. If the new device assumes the role of root
bridge, the new topology might be undesirable. In the worst-case scenario,
someone could use an edge port to introduce false BPDUs into a network
to deliberately initiate a change.

The BPDU guard feature lets you protect your network from unnecessary
convergences by preventing the use of edge ports by RSTP devices.
When this feature is active on the switch, any edge port that receives
BPDU packets is automatically disabled, preventing the initiation of the
convergence process. You are notified of the event with an SNMP trap. An
edge port remains disabled until you enable it again with the management
software, such as with the ENABLE SWITCH PORT command in the
command line.

Here are the guidelines for this feature:

BPDU guard is set at the switch level and has only two possible
settings: enabled or disabled. When this feature is enabled, those
ports that have been designated as edge ports automatically have the
feature. The default setting is disabled.
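
The following added example (not from the Allied Telesis manual and not AT-S63 code) models the behavior described above: one switch-level BPDU guard setting, edge ports that are disabled when a BPDU arrives, a trap notification, and manual re-enabling. The `Switch` class, its method names, the return strings, and the sample frame are assumptions made for illustration.

```python
import struct

STP_MAC = bytes.fromhex("0180c2000000")   # IEEE 802.1D bridge group address
LLC_STP = b"\x42\x42\x03"                 # DSAP, SSAP, control for spanning tree

def is_bpdu(frame: bytes) -> bool:
    """True if an untagged Ethernet frame carries an STP/RSTP BPDU."""
    if len(frame) < 19 or frame[0:6] != STP_MAC:
        return False
    (length,) = struct.unpack("!H", frame[12:14])
    # 802.3 length field (not an EtherType), LLC header, then protocol ID 0
    return length <= 1500 and frame[14:17] == LLC_STP and frame[17:19] == b"\x00\x00"

class Switch:
    """Hypothetical model of the described behavior, not the switch firmware."""
    def __init__(self, edge_ports, bpdu_guard=False):   # default setting: disabled
        self.edge_ports = set(edge_ports)
        self.bpdu_guard = bpdu_guard     # single switch-level setting
        self.disabled = set()
        self.traps = []                  # stands in for SNMP trap notifications

    def receive(self, port: int, frame: bytes) -> str:
        if port in self.disabled:
            return "dropped"             # port stays down until re-enabled
        if is_bpdu(frame):
            if self.bpdu_guard and port in self.edge_ports:
                self.disabled.add(port)
                self.traps.append(f"BPDU guard disabled port {port}")
                return "port-disabled"
            return "bpdu-processed"      # normal RSTP handling, may reconverge
        return "forwarded"

    def enable_port(self, port: int) -> None:
        """Manual re-enable by the administrator."""
        self.disabled.discard(port)

def make_rst_bpdu(src_mac: bytes) -> bytes:
    """Constructed sample: unpadded RST BPDU (version 2, type 0x02), zeroed body."""
    body = b"\x00\x00\x02\x02" + bytes(32)   # protocol ID, version, type, rest
    llc = LLC_STP + body
    return STP_MAC + src_mac + struct.pack("!H", len(llc)) + llc
```
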
