| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Perform the mCheck operation | stp mcheck | Required |

Configuration Example

# Perform the mCheck operation on GigabitEthernet 1/0/1.

1) Perform this configuration in system view

    system-view
    [device] stp interface GigabitEthernet1/0/1 mcheck

2) Perform this configuration in Ethernet port view

    system-view
    [device] interface GigabitEthernet1/0/1
    [device-GigabitEthernet1/0/1] stp mcheck

Configuring Guard Functions

Introduction

The following guard functions are available on an MSTP-enabled device: BPDU guard, root guard, loop guard, TC-BPDU attack guard, and BPDU drop.

BPDU guard

Normally, the access ports of the devices operating on the access layer are directly connected to terminals (such as PCs) or file servers. These ports are usually configured as edge ports to achieve rapid transition. However, they revert to non-edge ports automatically upon receiving configuration BPDUs, which causes spanning tree recalculation and network topology jitter.

Normally, no configuration BPDU will reach edge ports. However, malicious users can attack a network by deliberately sending configuration BPDUs to edge ports to cause network jitter. You can prevent this type of attack by using the BPDU guard function. With this function enabled on a device, the device shuts down the edge ports that receive configuration BPDUs and then reports these cases to the administrator. Ports shut down in this way can only be restored by the administrator.

Root guard

A root bridge and its secondary root bridges must reside in the same region. The root bridge of the CIST and its secondary root bridges are usually located in the high-bandwidth core region. Configuration errors or attacks may result in configuration BPDUs whose priority is higher than that of the root bridge, which causes a new root bridge to be elected and network topology jitter to occur.
In this case, flows that should travel along high-speed links may be led to low-speed links, and network congestion may occur. You can avoid this problem by using the root guard function. Ports with this function enabled can only be kept as designated ports in all spanning tree instances. When a port of this type receives configuration BPDUs with higher priorities, it turns to the discarding state (rather than becoming a non-designated port) and stops forwarding packets (as if it were disconnected from the link). It resumes the normal state if it does not receive any configuration BPDUs with higher priorities for a specified period.
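
The BPDU guard and root guard behaviours described above, modelled as a small port state machine. This is an added example, not code from the manual or the device; the class, state names, sample bridge IDs and the 30-second recovery period are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

FORWARDING, DISCARDING, SHUTDOWN = "forwarding", "discarding", "shutdown"

@dataclass
class GuardedPort:
    """Constructed model of one port; names and timer value are assumptions."""
    name: str
    edge: bool = False         # access port configured as an edge port
    bpdu_guard: bool = False   # BPDU guard enabled on the device
    root_guard: bool = False   # root guard enabled on this port
    state: str = FORWARDING
    last_superior: Optional[float] = None
    events: list = field(default_factory=list)

    def receive_bpdu(self, bpdu_root, current_root, now):
        """Bridge IDs are (priority, MAC) tuples; the lower tuple has higher priority."""
        if self.state == SHUTDOWN:
            return self.state                      # a shut-down port receives nothing
        if self.edge and self.bpdu_guard:
            self.state = SHUTDOWN                  # only admin_restore() brings it back
            self.events.append(f"{self.name}: BPDU on edge port, shut down, admin notified")
        elif self.edge:
            self.edge = False                      # unguarded: reverts to non-edge port
            self.events.append(f"{self.name}: edge port lost, spanning tree recalculated")
        elif self.root_guard and bpdu_root < current_root:
            self.state = DISCARDING                # refuses to stop being designated
            self.last_superior = now
            self.events.append(f"{self.name}: superior BPDU, discarding")
        return self.state

    def tick(self, now, recovery_seconds=30.0):
        """Root guard recovery once no superior BPDU has arrived for the period."""
        if self.state == DISCARDING and now - self.last_superior >= recovery_seconds:
            self.state = FORWARDING
        return self.state

    def admin_restore(self):
        if self.state == SHUTDOWN:
            self.state = FORWARDING
        return self.state

# Constructed sample bridge IDs: the current root and a BPDU advertising a better one.
ROOT = (4096, "00:e0:fc:00:00:01")
SUPERIOR = (0, "00:e0:fc:00:00:99")
```

The model shows the operational difference between the two functions: a BPDU-guarded edge port stays down until an administrator restores it, while a root-guarded port recovers on its own once superior BPDUs stop arriving.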