Normally, no configuration BPDU will reach edge ports. But malicious users can attack a network by sending configuration BPDUs deliberately to edge ports to cause network jitter. You can prevent this type of attack by utilizing the BPDU guard function. With this function enabled on a switch, the switch shuts down the edge ports that receive configuration BPDUs and then reports these cases to the administrator. Ports shut down in this way can only be restored by the administrator.

You are recommended to enable BPDU guard on devices with edge ports configured.

Configuration Prerequisites

MSTP runs normally on the switch.

Configuration procedure

Follow these steps to configure BPDU guard:

To do...                          Use the command...      Remarks
Enter system view                 system-view             —
Enable the BPDU guard function    stp bpdu-protection     Required. The BPDU guard function is disabled by default.

Configuration example

# Enable the BPDU guard function.
<Sysname> system-view
[Sysname] stp bpdu-protection

Configuring Root Guard

A root bridge and its secondary root bridges must reside in the same region. The root bridge of the CIST and its secondary root bridges are usually located in the high-bandwidth core region. Configuration errors or attacks may result in configuration BPDUs with priorities higher than that of the root bridge, which causes a new root bridge to be elected and network topology jitter to occur. In this case, flows that should travel along high-speed links may be led to low-speed links, and network congestion may occur.

You can avoid this problem by utilizing the root guard function. Ports with this function enabled can only be kept as designated ports in all MSTIs. When a port of this type receives configuration BPDUs with higher priorities, it turns to the discarding state (rather than becoming a non-designated port) and stops forwarding packets (as if it were disconnected from the link). It resumes the normal state if it does not receive any configuration BPDUs with higher priorities for a specified period.
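The recommendation above, that BPDU guard be enabled on every device with edge ports configured, can be checked offline against a saved running configuration. The following audit script is an added example, not code from the manual: it takes the global `stp bpdu-protection` command from the page, and assumes that edge ports are marked at interface level with `stp edged-port enable` (an assumption about the CLI, not something the page states). The sample configuration is constructed.

```python
# Added example, not the manual's own code. 'stp bpdu-protection' is the page's
# global command; the edge-port command 'stp edged-port enable' is assumed.

# Constructed sample configuration: two edge ports, BPDU guard not enabled.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet1/0/1
 stp edged-port enable
#
interface GigabitEthernet1/0/2
 stp edged-port enable
#
interface GigabitEthernet1/0/24
 port link-type trunk
#
"""

def parse_config(config: str):
    """Split a config into (system-view commands, {interface: [commands]}).
    A line starting with '#' closes the current interface block."""
    global_cmds, interfaces, current = [], {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("#"):
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line and current is None:
            global_cmds.append(line)
        elif line:
            interfaces[current].append(line)
    return global_cmds, interfaces

def edge_ports(config: str) -> list:
    """Interfaces configured as edge ports (assumed command, see above)."""
    _, interfaces = parse_config(config)
    return sorted(n for n, c in interfaces.items() if "stp edged-port enable" in c)

def bpdu_guard_enabled(config: str) -> bool:
    """True when 'stp bpdu-protection' is present in system view."""
    return "stp bpdu-protection" in parse_config(config)[0]

def audit(config: str) -> dict:
    """List edge ports that a stray configuration BPDU would reach unguarded."""
    edges, guarded = edge_ports(config), bpdu_guard_enabled(config)
    return {"edge_ports": edges, "bpdu_guard": guarded,
            "unprotected_edge_ports": [] if guarded else edges}
```

Run `audit()` over each device's configuration; any non-empty `unprotected_edge_ports` list is a device where the BPDU guard step above is still missing.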