
MSTP Security

Attack Behavior

  • Root bridge change attack

    If an attacker injects a BPDU with a higher priority than that of the valid root switch, the root switch loses its role, causing an incorrect change of the network topology.

  • BPDU attack

    Edge ports are directly connected to terminals and will not receive BPDUs in normal cases. If an attacker forges BPDUs to attack a switch, the switch automatically changes the edge port receiving the BPDUs to a non-edge port and recalculates the spanning tree, resulting in network flapping.

Security Policy

To defend against the preceding attacks, configure the following security policies on a switch:

  • Root protection

    Enable root protection on the switch to protect its root switch role: a designated port with root protection enabled retains its designated role even if it receives a BPDU with a higher priority.

  • BPDU protection

    Configure BPDU protection on the switch to prevent BPDU attacks.
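The two attacks above come down to two checks on a received BPDU: does it arrive on a port configured as an edge port at all, and does the root identifier it carries beat the root the switch currently knows. The following script is an added example (not from this page or from Huawei's software) that parses the fixed header common to STP, RSTP and MSTP configuration BPDUs and classifies a frame accordingly; the sample BPDU bytes, the current root identifier and the port role are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Constructed sample: an RSTP (version 2) RST BPDU claiming a root bridge with
# priority 0 and MAC 00:11:22:33:44:55. All values are invented for this example.
SAMPLE_BPDU = bytes.fromhex(
    "0000"              # protocol identifier (always 0 for spanning tree)
    "02"                # protocol version: 2 = RSTP (3 = MSTP)
    "02"                # BPDU type: 0x02 = RST/MST BPDU (0x00 = STP config)
    "7c"                # flags: agreement, forwarding, learning, designated role
    "0000001122334455"  # root identifier: 2-byte priority (0) + root MAC
    "00000000"          # root path cost
    "0000001122334455"  # bridge identifier of the sender
    "8001"              # port identifier
    "0000"              # message age (units of 1/256 s)
    "1400"              # max age: 20 s
    "0200"              # hello time: 2 s
    "0f00"              # forward delay: 15 s
    "00"                # version 1 length (present in RST/MST BPDUs)
)


@dataclass
class Bpdu:
    version: int
    bpdu_type: int
    root_id: bytes      # 8 bytes: 2-byte priority + 6-byte MAC
    root_path_cost: int
    bridge_id: bytes
    port_id: int

    @property
    def root_priority(self) -> int:
        return int.from_bytes(self.root_id[:2], "big")


def parse_bpdu(data: bytes) -> Bpdu:
    """Parse the 35-byte fixed header shared by STP, RSTP and MSTP config BPDUs.

    A TCN BPDU (type 0x80) is only 4 bytes and carries no root information,
    so it is rejected here rather than misparsed.
    """
    if len(data) >= 4 and data[3] == 0x80:
        raise ValueError("TCN BPDU carries no root identifier")
    if len(data) < 35:
        raise ValueError("truncated BPDU")
    (proto, version, bpdu_type, _flags, root_id, cost, bridge_id,
     port_id, _age, _max_age, _hello, _fwd) = struct.unpack("!HBBB8sI8sHHHHH", data[:35])
    if proto != 0:
        raise ValueError("not a spanning-tree BPDU")
    return Bpdu(version, bpdu_type, root_id, cost, bridge_id, port_id)


def is_superior_root(claimed: bytes, current: bytes) -> bool:
    """Bridge IDs compare as unsigned 64-bit integers; the lower value wins the root election."""
    return int.from_bytes(claimed, "big") < int.from_bytes(current, "big")


def classify(data: bytes, port_is_edge: bool, current_root_id: bytes) -> str:
    """Map a received BPDU to the attack categories described on this page.

    Returns "edge-port-bpdu" (any BPDU on an edge port is abnormal, since edge
    ports face terminals), "superior-root" (the BPDU would displace the current
    root switch), or "normal".
    """
    bpdu = parse_bpdu(data)
    if port_is_edge:
        return "edge-port-bpdu"
    if is_superior_root(bpdu.root_id, current_root_id):
        return "superior-root"
    return "normal"


if __name__ == "__main__":
    # Constructed current root: default priority 32768 (0x8000) and an invented MAC.
    current_root = bytes.fromhex("8000" "00aabbccddee")
    print(classify(SAMPLE_BPDU, port_is_edge=False, current_root_id=current_root))
```

The two outcomes other than "normal" correspond one-to-one with the policies in this section: "edge-port-bpdu" is what BPDU protection acts on, and "superior-root" on a designated port is what root protection blocks.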

Configuration Method

  • Configure root protection.

    Configure root protection for the GE1/0/1 interface.

    <HUAWEI> system-view
    [HUAWEI] interface gigabitethernet 1/0/1
    [HUAWEI-GigabitEthernet1/0/1] stp root-protection

  • Configure BPDU protection.

    Configure BPDU protection on the switch.

    <HUAWEI> system-view
    [HUAWEI] stp bpdu-protection
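Once the two commands above are in place, the thing to verify over time is that they stay in place on every switch. The script below is an added example, not Huawei's own tooling: it audits a saved configuration for the two gaps this procedure closes (BPDU protection not enabled while edge ports exist, and root protection missing on ports that should have it). The configuration excerpt is constructed in the style of "display current-configuration" output; that format, the interface names and the set of ports expected to carry root protection are assumptions for the example.

```python
import re

# Constructed excerpt in the style of Huawei "display current-configuration"
# output. Interface names and settings are invented for this example.
SAMPLE_CONFIG = """\
#
 stp mode mstp
#
interface GigabitEthernet1/0/1
 port link-type trunk
 stp root-protection
#
interface GigabitEthernet1/0/2
 port link-type trunk
#
interface GigabitEthernet1/0/3
 port link-type access
 stp edged-port enable
#
"""


def parse_vrp_config(text: str):
    """Split a '#'-delimited configuration into global lines and per-interface lines."""
    global_lines, interfaces = [], {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#" or not line:
            current = None          # '#' closes the current view
            continue
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current:
            interfaces[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit_stp(text: str, root_protected_ports: set) -> list:
    """Return findings for the two protections this page configures.

    root_protected_ports: the designated ports that should carry root
    protection. Which ports those are comes from the network design
    (assumed input here), not from the configuration itself.
    """
    global_lines, interfaces = parse_vrp_config(text)
    findings = []
    edge_ports = [name for name, lines in interfaces.items()
                  if "stp edged-port enable" in lines]
    # BPDU protection is global on Huawei switches (stp bpdu-protection in
    # system view); it only matters once at least one edge port exists.
    if edge_ports and "stp bpdu-protection" not in global_lines:
        findings.append("BPDU protection not enabled; unprotected edge ports: "
                        + ", ".join(sorted(edge_ports)))
    for name in sorted(root_protected_ports):
        if "stp root-protection" not in interfaces.get(name, []):
            findings.append(f"root protection missing on {name}")
    return findings


if __name__ == "__main__":
    for finding in audit_stp(SAMPLE_CONFIG, {"GigabitEthernet1/0/1", "GigabitEthernet1/0/2"}):
        print(finding)
```

Run against the sample, the audit reports that BPDU protection is absent (GigabitEthernet1/0/3 is an edge port) and that GigabitEthernet1/0/2 lacks root protection; adding "stp bpdu-protection" to system view and "stp root-protection" on the second port clears both findings.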
Copyright © Huawei Technologies Co., Ltd.