Operation Manual – MSTPH3C S5500-EI Series Ethernet Switches Chapter 1 MSTP Configuration1-48Follow these steps to enable BPDU guard:To do... Use the command... RemarksEnter system view system-view —Enable the BPDU guardfunction on the device stp bpdu-protection RequiredDisabled by default1.8.3 Enabling Root GuardThe root bridge and secondary root bridge of a panning tree should be located in thesame MST region. Especially for the CIST, the root bridge and secondary root bridgeare generally put in a high-bandwidth core region during network design. However, dueto possible configuration errors or malicious attacks in the network, the legal root bridgemay receive a configuration BPDU with a higher priority. In this case, the current, legalroot bridge will be superseded by another device, causing undesired change of thenetwork topology. As a result of this kind of illegal topology change, the traffic thatshould go over high-speed links is drawn to low-speed links, resulting in networkcongestion.To prevent this situation from happening, MSTP provides the root guard function toprotect the root bridge. If the root guard function is enabled on a port, this port will keepplaying the role of designated port on all MST instances. Once this port receives aconfiguration BPDU with a higher priority from an MST instance, it immediately setsthat instance port to the listening state, without forwarding the packet (this is equivalentto disconnecting the link connected with this port). If the port receives no BPDUs with ahigher priority within twice the forwarding delay, the port will revert to its original state.Note:It is recommended that you enable the root guard feature on your device.Follow these steps to enable root guard: