Configuring Guard Functions; Configuring Bpdu Guard - 3Com 4210 9-Port Configuration Manual

[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp mcheck

Configuring Guard Functions

The following guard functions are available on an MSTP-enabled switch: BPDU guard, root guard, loop
guard, TC-BPDU attack guard, and BPDU drop.

Configuring BPDU Guard

Normally, the access ports of the devices operating on the access layer are directly connected to
terminals (such as PCs) or file servers. These ports are usually configured as edge ports to achieve
rapid transition. But they resume non-edge ports automatically upon receiving configuration BPDUs,
which causes spanning tree recalculation and network topology jitter.
Normally, no configuration BPDU will reach edge ports. But malicious users can attack a network by
sending configuration BPDUs deliberately to edge ports to cause network jitter. You can prevent this
type of attacks by utilizing the BPDU guard function. With this function enabled on a switch, the switch
shuts down the edge ports that receive configuration BPDUs and then reports these cases to the
administrator. Ports shut down in this way can only be restored by the administrator.
You are recommended to enable BPDU guard for devices with edge ports configured.
Configuration Prerequisites
MSTP runs normally on the switch.
Configuration procedure
Follow these steps to configure BPDU guard:
To do...
Enter system view
Enable the BPDU guard
function
Configuration example
# Enable the BPDU guard function.
<Sysname> system-view
[Sysname] stp bpdu-protection
Use the command...
system-view
stp bpdu-protection
1-35
Remarks
—
Required
The BPDU guard function is
disabled by default.