As a continuation of the STP Root Protection feature, I want to describe additional STP protection functions and show where they should be implemented in a typical campus LAN environment.
The BPDU Protection feature can be used to protect switches against STP BPDU attacks. It should be implemented on every switch that has ports directly connected to end-user workstations, because we do not expect to receive STP BPDUs from user workstations. When STP BPDUs are received on an edge port, an STP topology recalculation occurs, causing network flapping. If the port is configured with BPDU Protection and the switch receives STP BPDUs on it, the port is placed into the shutdown state, protecting the STP topology from recalculation. By default the BPDU Protection feature is disabled on Huawei switches. To enable it:
<labnario_sw>system-view
[labnario_sw]interface Ethernet 0/0/1
[labnario_sw-Ethernet0/0/1]stp edged-port enable
[labnario_sw-Ethernet0/0/1]quit
[labnario_sw]stp bpdu-protection
When a switch port is configured as an STP edged port and an STP BPDU is received, the port is placed into the shutdown state:
May 13 2013 20:17:00-08:00 labnario_sw%%01MSTP/4/BPDU_PROTECTION(l):This edged-port Ethernet0/0/1 that enabled BPDU-Protection will be shutdown, because it received BPDU packet!
[labnario_sw-Ethernet0/0/1]dis cur int e0/0/1
#
interface Ethernet0/0/1
 shutdown
 stp edged-port enable
[labnario_sw-Ethernet0/0/1]dis int eth0/0/1
Ethernet0/0/1 current state : Administratively DOWN
Line protocol current state : DOWN
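Because a port shut down by BPDU Protection stays administratively down until an operator intervenes, it is worth picking these events out of the switch syslog feed. The following is an added example (not from the original post or from Huawei) that parses log lines in the layout of the BPDU_PROTECTION message shown above and counts shutdowns per port; the field layout is assumed from that single line, and the sample log below is constructed.

```python
import re
from collections import Counter
from typing import Optional

# Assumed record layout, derived from the one BPDU_PROTECTION line on this page:
# "<Mon DD YYYY HH:MM:SS+ZZ:ZZ> <host>%%01<module>/<severity>/<brief>(l):<text>"
HUAWEI_LOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}) "
    r"(?P<host>[^%\s]+)%%01(?P<module>[A-Z0-9]+)/(?P<sev>\d)/(?P<brief>[A-Z_]+)\(l\):(?P<text>.*)$"
)
# The affected interface is only present inside the free text of the message.
EDGED_PORT = re.compile(r"edged-port (?P<iface>\S+) that enabled BPDU-Protection")


def parse_huawei_log(line: str) -> Optional[dict]:
    """Split one Huawei syslog line into its fields; None if it does not match."""
    m = HUAWEI_LOG.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    return rec


def bpdu_protection_events(lines):
    """Return (timestamp, host, interface) for every edged port shut down by BPDU Protection."""
    events = []
    for line in lines:
        rec = parse_huawei_log(line)
        if rec is None or rec["module"] != "MSTP" or rec["brief"] != "BPDU_PROTECTION":
            continue
        port = EDGED_PORT.search(rec["text"])
        if port:  # skip malformed text rather than attributing the event to the wrong port
            events.append((rec["ts"], rec["host"], port.group("iface")))
    return events


def ports_needing_attention(lines):
    """Shutdowns per (host, interface); repeated hits on one port point to a persistent BPDU source."""
    return Counter((host, iface) for _, host, iface in bpdu_protection_events(lines))


# Constructed sample log: the line from the page plus three made-up lines (one unrelated link event).
SAMPLE_LOG = [
    "May 13 2013 20:17:00-08:00 labnario_sw%%01MSTP/4/BPDU_PROTECTION(l):This edged-port Ethernet0/0/1 that enabled BPDU-Protection will be shutdown, because it received BPDU packet!",
    "May 13 2013 20:17:01-08:00 labnario_sw%%01IFNET/4/LINK_STATE(l):The line protocol on the interface Ethernet0/0/1 has entered the DOWN state.",
    "May 13 2013 20:25:02-08:00 labnario_sw%%01MSTP/4/BPDU_PROTECTION(l):This edged-port Ethernet0/0/1 that enabled BPDU-Protection will be shutdown, because it received BPDU packet!",
    "May 13 2013 21:02:45-08:00 labnario_sw%%01MSTP/4/BPDU_PROTECTION(l):This edged-port Ethernet0/0/5 that enabled BPDU-Protection will be shutdown, because it received BPDU packet!",
]

if __name__ == "__main__":
    for (host, iface), n in ports_needing_attention(SAMPLE_LOG).items():
        print(f"{host} {iface}: shut down by BPDU Protection {n} time(s)")
```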