Configuring guard functions, Configuring bpdu guard, Configuration prerequisites – H3C Technologies H3C S3100 Series Switches User Manual

Page 254: Configuration procedure, Configuration example


[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] stp mcheck

Configuring Guard Functions

The following guard functions are available on an MSTP-enabled switch: BPDU guard, root guard, loop
guard, TC-BPDU attack guard, and BPDU drop.

Configuring BPDU Guard

Normally, the access ports of devices operating at the access layer are directly connected to
terminals (such as PCs) or file servers. These ports are usually configured as edge ports so that
they transition rapidly to the forwarding state. However, an edge port automatically reverts to a
non-edge port when it receives a configuration BPDU, which causes spanning tree recalculation and
network topology jitter.

Normally, no configuration BPDUs reach edge ports. However, malicious users can attack a network by
deliberately sending configuration BPDUs to edge ports to cause network jitter. You can prevent this
type of attack with the BPDU guard function. With this function enabled, the switch shuts down any
edge port that receives a configuration BPDU and reports the event to the administrator. Ports shut
down in this way can be restored only by the administrator.

It is recommended that you enable BPDU guard on devices that have edge ports configured.

Configuration Prerequisites

MSTP runs normally on the switch.

Configuration procedure

Follow these steps to configure BPDU guard:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enable the BPDU guard function | stp bpdu-protection | Required. The BPDU guard function is disabled by default. |

Configuration example

# Enable the BPDU guard function.

<Sysname> system-view

[Sysname] stp bpdu-protection
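
One way to check the recommendation above across saved switch configurations, as an added example that is not part of the H3C manual: the script reports edge ports on a device where stp bpdu-protection is absent. The sample configuration is constructed, and the port-view command stp edged-port enable and the "#"-separated section layout are assumptions not shown on this page.

```python
import re

# Constructed sample in the style of a saved configuration (not real device output).
# Assumption: edge ports are marked with "stp edged-port enable" in port view and
# configuration sections are separated by lines containing only "#".
SAMPLE_UNPROTECTED = """\
#
 sysname Sysname
#
interface Ethernet1/0/1
 stp edged-port enable
#
interface Ethernet1/0/2
 port link-type trunk
#
interface Ethernet1/0/3
 stp edged-port enable
#
"""
# Same device with BPDU guard enabled globally (system view).
SAMPLE_PROTECTED = " stp bpdu-protection\n" + SAMPLE_UNPROTECTED


def audit_bpdu_guard(config_text):
    """Report whether BPDU guard is on and which edge ports lack its protection."""
    guard = False
    edge_ports = []
    current = None  # interface whose section is being read; None = system view
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":
            current = None  # section separator ends the interface block
        elif (m := re.match(r"interface\s+(.+)$", line)):
            current = m.group(1).replace(" ", "")
        elif line == "stp bpdu-protection" and current is None:
            guard = True
        elif line == "stp edged-port enable" and current is not None:
            edge_ports.append(current)
    at_risk = [] if guard else list(edge_ports)
    return {"bpdu_guard": guard, "edge_ports": edge_ports, "at_risk": at_risk}


if __name__ == "__main__":
    for name, cfg in (("unprotected", SAMPLE_UNPROTECTED),
                      ("protected", SAMPLE_PROTECTED)):
        result = audit_bpdu_guard(cfg)
        status = "OK" if not result["at_risk"] else "edge ports without BPDU guard"
        print(f"{name}: {status} {result['at_risk']}")
```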
