Configuring root guard, Configuration prerequisites, Configuration procedure – H3C Technologies H3C S3100 Series Switches User Manual
Page 255
1-36
Configuring Root Guard
A root bridge and its secondary root bridges must reside in the same region. The root bridge of the CIST
and its secondary root bridges are usually located in the high-bandwidth core region. Configuration
errors or attacks may result in configuration BPDUs with their priorities higher than that of a root bridge,
which causes a new root bridge to be elected and network topology jitter to occur. In this case, flows that
should travel along high-speed links may be led to low-speed links, and network congestion may occur.
You can avoid this problem by utilizing the root guard function. Ports with this function enabled can only
be kept as designated ports in all MSTIs. When a port of this type receives configuration BPDUs with
higher priorities, it turns to the discarding state (rather than become a non-designated port) and stops
forwarding packets (as if it is disconnected from the link). It resumes the normal state if it does not
receive any configuration BPDUs with higher priorities for a specified period.
z
You are recommended to enable root guard on the designated ports of a root bridge.
z
Loop guard, root guard, and edge port settings are mutually exclusive. With one of these functions
enabled on a port, any of the other two functions cannot take effect even if you have configured it
on the port.
Configuration Prerequisites
MSTP runs normally on the switch.
Configuration procedure
Follow these steps to configure the root guard function in system view:
To do...
Use the command...
Remarks
Enter system view
system-view
—
Enable the root guard function
on specified ports
stp interface
interface-list
root-protection
Required
The root guard function is
disabled by default.
Follow these steps to enable the root guard function in Ethernet port view:
To do...
Use the command...
Remarks
Enter system view
system-view
—
Enter Ethernet port view
Interface
interface-type
interface-number
—
Enable the root guard function
on the current port
stp root-protection
Required
The root guard function is
disabled by default.