Guard Function Configuration - H3C S7500 Series Operation Manual

Operation Manual – MSTP
H3C S7500 Series Ethernet Switches
<H3C> system-view
[H3C] interface ethernet2/0/1
[H3C-Ethernet2/0/1] stp mcheck

1.5 Guard Function Configuration

1.5.1 Introduction
The following guard functions are available on an MSTP-enabled switch: BPDU guard,
root guard, loop guard, and TC-BPDU attack guard.
I. BPDU guard
Normally, the access ports of the devices operating on the access layer directly connect
to terminals (such as PCs) or file servers. These ports are usually configured as edge
ports to achieve rapid transition. But they automatically revert to non-edge ports upon
receiving configuration BPDUs, which causes spanning tree regeneration and network
topology jitter.
Normally, no configuration BPDU will reach edge ports. But malicious users can attack
a network by deliberately sending configuration BPDUs to edge ports to cause network
jitter. You can prevent this type of attack by utilizing the BPDU guard function. With this
function enabled on a switch, the switch shuts down the edge ports that receive
configuration BPDUs and then reports these cases to the administrator. If a port is shut
down, only the administrator can restore it.
II. Root guard
A root bridge and its secondary root bridges must reside in the same region. A CIST
and its secondary root bridges are usually located in the high-bandwidth core region.
Configuration errors or attacks may result in configuration BPDUs with their priorities
higher than that of a root bridge, which causes a new root bridge to be elected and
network topology jitter to occur. In this case, flows that should travel along high-speed
links may be led to low-speed links, and network congestion may occur.
You can avoid this problem by utilizing the root guard function. Ports with this function
enabled can only be kept as designated ports in all MSTIs. When a port of this type
receives configuration BPDUs with higher priorities, it changes to the discarding state
(rather than becoming a non-designated port) and stops forwarding packets (as if it
were disconnected from the link). It resumes the normal state if it does not receive any
configuration BPDUs with higher priorities for a specified period.
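The BPDU guard and root guard behaviours described above, as an added Python illustration that is not part of the H3C manual: it parses a constructed configuration BPDU and applies each guard's decision to a port. The Port fields, the sample bridge IDs and the action names are assumptions for the illustration, not S7500 commands or output.

```python
import struct
from dataclasses import dataclass

# Layout of a configuration BPDU after the LLC header (DSAP/SSAP 0x42, ctrl 0x03):
# protocol ID, version, type, flags, root ID, root path cost, bridge ID, port ID, 4 timers
BPDU_FMT = ">HBBBQIQHHHHH"

def bridge_id(priority: int, mac: str) -> int:
    """8-byte bridge ID: 2-byte priority + 6-byte MAC. Lower numeric value = higher priority."""
    return (priority << 48) | int(mac.replace(":", ""), 16)

# Constructed sample IDs: the legitimate root and a rogue claiming priority 0.
LEGIT_ROOT = bridge_id(32768, "00:11:22:33:44:55")
ROGUE_ROOT = bridge_id(0, "00:aa:bb:cc:dd:ee")

def build_config_bpdu(root: int, cost: int, sender: int, port_id: int = 0x8001) -> bytes:
    # Timers in 1/256 s: message age 0, max age 20, hello 2, forward delay 15
    return struct.pack(BPDU_FMT, 0, 0, 0, 0, root, cost, sender, port_id,
                       0, 20 * 256, 2 * 256, 15 * 256)

@dataclass
class ConfigBPDU:
    root_id: int
    root_path_cost: int
    bridge_id: int
    port_id: int

def parse_config_bpdu(payload: bytes) -> ConfigBPDU:
    proto, _ver, bpdu_type, _flags, root, cost, sender, port_id, *_t = struct.unpack(BPDU_FMT, payload[:35])
    if proto != 0 or bpdu_type not in (0x00, 0x02):   # 0x00 = config BPDU, 0x02 = RST BPDU
        raise ValueError("not a configuration BPDU")
    return ConfigBPDU(root, cost, sender, port_id)

@dataclass
class Port:
    name: str
    edge: bool = False        # assumed port attributes, not switch configuration syntax
    bpdu_guard: bool = False
    root_guard: bool = False

def guard_decision(port: Port, bpdu: ConfigBPDU, current_root: int) -> str:
    """Action taken when `bpdu` arrives on `port` while `current_root` is the elected root."""
    if port.edge and port.bpdu_guard:
        return "shutdown"      # BPDU guard: any BPDU on an edge port shuts it down; admin restores
    if port.root_guard and bpdu.root_id < current_root:
        return "discarding"    # root guard: superior root ID seen, port stops forwarding
    return "accept"            # normal spanning tree processing
```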
III. Loop guard
A switch maintains the states of the root port and other blocked ports by receiving and
processing BPDUs from the upstream switch. These BPDUs may get lost because of
network congestion and link failures. If a switch does not receive BPDUs from the
1-31
Chapter 1 MSTP Configuration