Operation Manual – MSTP
H3C S7500 Series Ethernet Switches
Chapter 1 MSTP Configuration

<H3C> system-view
[H3C] interface ethernet2/0/1
[H3C-Ethernet2/0/1] stp mcheck

1.5 Guard Function Configuration

1.5.1 Introduction

The following guard functions are available on an MSTP-enabled switch: BPDU guard, root guard, loop guard, and TC-BPDU attack guard.

I. BPDU guard

Normally, the access ports of the devices operating on the access layer directly connect to terminals (such as PCs) or file servers. These ports are usually configured as edge ports to achieve rapid transition. But they automatically revert to non-edge ports upon receiving configuration BPDUs, which causes spanning tree regeneration and network topology jitter.

Normally, no configuration BPDU will reach edge ports. But malicious users can attack a network by deliberately sending configuration BPDUs to edge ports to cause network jitter. You can prevent this type of attack by using the BPDU guard function. With this function enabled on a switch, the switch shuts down the edge ports that receive configuration BPDUs and then reports these cases to the administrator. If a port is shut down, only the administrator can restore it.

II. Root guard

A root bridge and its secondary root bridges must reside in the same region. A CIST and its secondary root bridges are usually located in the high-bandwidth core region. Configuration errors or attacks may result in configuration BPDUs with priorities higher than that of a root bridge, which causes a new root bridge to be elected and network topology jitter to occur. In this case, flows that should travel along high-speed links may be led to low-speed links, and network congestion may occur.

You can avoid this problem by using the root guard function. Ports with this function enabled can only be kept as designated ports in all MSTIs. When a port of this type receives configuration BPDUs with higher priorities, it changes to the discarding state (rather than becoming a non-designated port) and stops forwarding packets (as if it were disconnected from the link). It resumes the normal state if it does not receive any configuration BPDUs with higher priorities for a specified period.

III. Loop guard

A switch maintains the states of the root port and other blocked ports by receiving and processing BPDUs from the upstream switch. These BPDUs may get lost because of network congestion and link failures. If a switch does not receive BPDUs from the