Operation Manual – MSTPH3C S3100 Series Ethernet Switches Chapter 1 MSTP Configuration1-43Operation Command DescriptionEnter Ethernet port view interface interface-typeinterface-number —Perform the mCheck operation stp mcheck Required1.5.3 Configuration Example# Perform the mCheck operation on Ethernet 1/0/1.1) Perform this configuration in system view system-view[Sysname] stp interface Ethernet1/0/1 mcheck2) Perform this configuration in Ethernet port view system-view[Sysname] interface Ethernet1/0/1[Sysname-Ethernet1/0/1] stp mcheck1.6 Configuring Guard Functions1.6.1 IntroductionThe following guard functions are available on an MSTP-enabled switch: BPDU guard,root guard, loop guard, TC-BPDU attack guard, and BPDU drop.I. BPDU guardNormally, the access ports of the devices operating on the access layer are directlyconnected to terminals (such as PCs) or file servers. These ports are usuallyconfigured as edge ports to achieve rapid transition. But they resume non-edge portsautomatically upon receiving configuration BPDUs, which causes spanning treerecalculation and network topology jitter.Normally, no configuration BPDU will reach edge ports. But malicious users can attacka network by sending configuration BPDUs deliberately to edge ports to cause networkjitter. You can prevent this type of attacks by utilizing the BPDU guard function. With thisfunction enabled on a switch, the switch shuts down the edge ports that receiveconfiguration BPDUs and then reports these cases to the administrator. Ports shutdown in this way can only be restored by the administrator.II. Root guardA root bridge and its secondary root bridges must reside in the same region. The rootbridge of the CIST and its secondary root bridges are usually located in thehigh-bandwidth core region. Configuration errors or attacks may result in configurationBPDUs with their priorities higher than that of a root bridge, which causes a new root
