Configuring Protection Functions

An MSTP-compliant device supports the following protection functions:
■ BPDU guard
■ Root guard
■ Loop guard
■ TC-BPDU attack guard

Note:
■ The Switch 4800G supports the BPDU guard, root guard and loop guard functions.
■ Among loop guard, root guard and edge port setting, only one function can take effect on the same port at the same time.

Configuration prerequisites

MSTP has been correctly configured on the device.

Enabling BPDU Guard

For access layer devices, the access ports generally connect directly with user terminals (such as PCs) or file servers. In this case, the access ports are configured as edge ports to allow rapid transition of these ports. When these ports receive configuration BPDUs, the system will automatically set these ports as non-edge ports and start a new spanning tree calculation process. This will cause a change of network topology. Under normal conditions, these ports should not receive configuration BPDUs. However, if someone forges configuration BPDUs maliciously to attack the devices, network instability will occur.

MSTP provides the BPDU guard function to protect the system against such attacks. With the BPDU guard function enabled on the devices, when edge ports receive configuration BPDUs, MSTP will close these ports and notify the NMS that these ports have been closed by MSTP. Ports closed in this way can be restored only by the network administrators.

Note: It is recommended that you enable the BPDU guard on your device.

Follow these steps to enable BPDU guard:

To do…                                          Use the command…       Remarks
Enter system view                               system-view            -
Enable the BPDU guard function on the device    stp bpdu-protection    Required. Disabled by default

Enabling Root Guard

The root bridge and secondary root bridge of a spanning tree should be located in the same MST region. Especially for the CIST, the root bridge and secondary root bridge are generally put in a high-bandwidth core region during network design. However, due to possible configuration errors or malicious attacks in the network, the legitimate root bridge may receive a configuration BPDU with a higher priority. In this case, the current, legitimate root bridge will be superseded by another device, causing an undesired change of the network topology. As a result of this kind of illegal topology change, the traffic that should go over high-speed links is drawn to low-speed links, resulting in network congestion.
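The edge-port behaviour described under Enabling BPDU Guard can be modelled in a few lines. The following Python sketch is an added example, not code from the switch or from this manual: it recognises a configuration BPDU in an untagged frame and applies the two outcomes the text describes (guard enabled: port closed and the NMS notified; guard disabled: port becomes non-edge and a recalculation starts). The port name, the MAC address, the sample frame and the function and class names are all constructed for illustration.

```python
import struct

STP_MAC = bytes.fromhex("0180c2000000")  # IEEE 802.1D bridge group address
LLC_STP = b"\x42\x42\x03"                # LLC header used by spanning tree

# Constructed sample: untagged 802.3 frame carrying a configuration BPDU that
# advertises root priority 0 from a made-up MAC address.
SAMPLE = bytes.fromhex(
    "0180c2000000" "020000000001" "0026" "424203"   # dst, src, length, LLC
    "0000" "00" "00" "00"                           # protocol, version, type, flags
    "0000020000000001" "00000000"                   # root ID, root path cost
    "0000020000000001" "8001"                       # bridge ID, port ID
    "0000" "1400" "0200" "0f00")                    # age, max age, hello, fwd delay

def parse_bpdu(frame):
    """Return BPDU fields for an untagged spanning tree frame, else None."""
    if len(frame) < 21 or frame[:6] != STP_MAC or frame[14:17] != LLC_STP:
        return None
    proto, version, btype = struct.unpack("!HBB", frame[17:21])
    if proto != 0:
        return None
    # 0x00 = STP configuration BPDU, 0x02 = RST/MST BPDU, 0x80 = TCN
    info = {"version": version, "is_config": btype in (0x00, 0x02)}
    if info["is_config"] and len(frame) >= 30:
        prio, mac = struct.unpack("!H6s", frame[22:30])  # root ID follows flags
        info.update(root_priority=prio, root_mac=mac.hex(":"))
    return info

class Port:
    def __init__(self, name, edge=True):
        self.name, self.edge, self.closed = name, edge, False

def receive(port, frame, bpdu_guard, notify):
    """Model what the text says an edge port does with one received frame."""
    if port.closed:
        return "dropped"
    bpdu = parse_bpdu(frame)
    if not (bpdu and bpdu["is_config"] and port.edge):
        return "no-action"   # not a configuration BPDU, or not an edge port
    if bpdu_guard:
        port.closed = True   # stays closed until an administrator restores it
        notify(f"{port.name} closed by MSTP: configuration BPDU on edge port")
        return "closed"
    port.edge = False        # guard off: port becomes non-edge and a new
    return "recalculate"     # spanning tree calculation starts

if __name__ == "__main__":
    alerts = []
    print(receive(Port("GE1/0/1"), SAMPLE, True, alerts.append), alerts)
```

The parsed root priority and MAC are the fields a monitoring tool would compare against the known root bridge when looking for the unexpected higher-priority BPDU described under Enabling Root Guard.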