Configure The Switch Security Function - Huawei Quidway S3000 Series Operation Manual


Operation Manual - STP
Quidway S3000 Series Ethernet Switches
Chapter 1 RSTP Configuration

Table 1-15 Set mCheck of the specified port

| Operation | Command |
| --- | --- |
| Set mCheck of the specified port | stp mcheck |

This command can be used when the bridge runs RSTP in RSTP mode, but it cannot
be used when the bridge runs RSTP in STP-compatible mode.

1.2.16 Configure the Switch Security Function

An RSTP switch provides BPDU protection and Root protection functions.

For an access device, the access port is generally connected directly to a user
terminal (e.g., a PC) or a file server, and the access port is set as an edge port to
implement fast transition. When such a port receives a BPDU packet, the system
automatically sets it as a non-edge port and recalculates the spanning tree, which causes
the network topology to flap. Normally, these ports do not receive STP BPDUs. If someone
forges BPDUs to attack the switch, the network will flap. The BPDU protection function is
used against this kind of network attack.

In case of a configuration error or malicious attack, the primary root may receive a
BPDU with a higher priority and then lose its place, which causes erroneous network
topology changes. Because of the erroneous change, traffic that is supposed to travel over
the high-speed link may be pulled onto the low-speed link, and congestion will occur on the
network. The Root protection function is used against this problem.

The root port and other blocked ports maintain their state according to the BPDUs sent
by the uplink switch. Once the link is blocked or encounters a fault, the ports
cannot receive BPDUs and the switch selects the root port again. In this case, the former
root port turns into a designated port and the former blocked ports enter the
forwarding state; as a result, a link loop is generated.

The security functions can control the generation of loops. After they are enabled, the
root port cannot be changed and the blocked port remains in the "Discarding" state and
does not forward packets, which avoids the link loop.

You can use the following commands to configure the security functions of the switch.
Perform the following configuration in the corresponding views.

Table 1-16 Configure the switch security function

| Operation | Command |
| --- | --- |
| Configure switch BPDU protection (from system view) | stp bpdu-protection |
| Restore the default state, in which BPDU protection is disabled (from system view) | undo stp bpdu-protection |
| Configure switch Root protection (from Ethernet port view) | stp root-protection |
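
An added example, not part of the manual or Huawei's own code: a Python check that a saved configuration actually carries the BPDU protection and Root protection commands above. The configuration text is constructed, and the `interface`/`#` block layout, the `stp edged-port enable` line, and the `parse`, `audit` and `expect_root_protection` names are assumptions made for illustration.

```python
import re

# Constructed sample of a saved configuration (not taken from the manual).
# Assumptions: "interface <name>" opens a port view, "#" closes it, and
# "stp edged-port enable" is how an edge port appears in the saved text.
SAMPLE_CONFIG = """\
#
sysname access-sw-1
#
interface Ethernet0/1
 stp edged-port enable
#
interface Ethernet0/23
 stp root-protection
#
interface Ethernet0/24
#
"""

def parse(config):
    """Return (system-view lines, {port name: [port-view lines]})."""
    system, ports, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None  # separator: back to system view
            continue
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = ports.setdefault(m.group(1), [])
        elif current is not None:
            current.append(line)
        else:
            system.append(line)
    return system, ports

def audit(config, expect_root_protection=()):
    """List ports left without BPDU protection or Root protection."""
    system, ports = parse(config)
    # BPDU protection is global: the last system-view command decides its state.
    state = [l for l in system if l in ("stp bpdu-protection", "undo stp bpdu-protection")]
    bpdu_on = bool(state) and state[-1] == "stp bpdu-protection"
    findings = [f"{name}: edge port without stp bpdu-protection"
                for name, lines in ports.items()
                if "stp edged-port enable" in lines and not bpdu_on]
    for name in expect_root_protection:  # ports the operator wants protected
        if "stp root-protection" not in ports.get(name, []):
            findings.append(f"{name}: missing stp root-protection")
    return findings
```

Calling `audit(SAMPLE_CONFIG, expect_root_protection=("Ethernet0/23", "Ethernet0/24"))` reports the unprotected edge port and the port that lacks Root protection.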
