No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


BPDU Protection

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
BPDU Protection

BPDU Protection


This document explains the BPDU protection function and how to configure BPDU protection. BPDU protection is one of the enhanced STP functions, which improves the reliability, manageability, and security of networks.

BPDU Protection

Edge ports

In RSTP, a designated port on the network edge is called an edge port. An edge port directly connects to a terminal and does not connect to any other switches.

An edge port does not participate in RSTP calculation. This port can transition from Disable to Forwarding state without a delay. An edge port becomes a common STP port once it is connected to a switch and receives a configuration BPDU. The spanning tree needs to be recalculated, causing network flapping.

BPDU protection

On a switch, ports directly connected to a user terminal (such as a PC) or file server are edge ports. In Figure 1-1, S3 sets the port connected to a PC as an edge port. Typically, no RST BPDUs are sent to edge ports. However, if an edge port receives forged RST BPDUs, the switch automatically sets the edge port as a non-edge port and recalculates the spanning tree. If the bridge priority in the forged RST BPDUs is higher than the priority of the root bridge on the network, the network topology changes, which may interrupt service traffic. Forging RST BPDUs is a simple type of Denial of Service (DoS) attacks.

Figure 1-1 BPDU protection

BPDU protection enables a switch to set the state of an edge port to Error-Down if the edge port receives an RST BPDU. In this case, the port remains the edge port, and the switch sends a notification to the NMS. In addition, the following log is generated on the switch:

MSTP/4/BPDU_PROTECTION:This edged-port [port-name] that enabled BPDU-Protection will be shutdown, because it received BPDU packet!

Configuring BPDU Protection

# Enable the BPDU protection on the switch.

<HUAWEI> system-view
[HUAWEI] stp bpdu-protection

After the configuration is complete, you can run the display stp active command in any view to check whether BPDU protection is enabled based on the value in BPDU-Protection field.

<HUAWEI> display stp active
-------[CIST Global Info][Mode MSTP]-------
CIST Bridge         :61440.781d-ba56-f06c
Config Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
Active Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC      :61440.781d-ba56-f06c / 0 (This bridge is the root)
CIST RegRoot/IRPC   :61440.781d-ba56-f06c / 0 (This bridge is the root)
CIST RootPortId     :0.0
BPDU-Protection     :Disabled
Updated: 2019-06-29

Document ID: EDOC1100090433

Views: 572

Downloads: 16

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next