User`s guide

ManualsBrandsEnterasys ManualsComputer equipmentEnterasys Matrix DFE-Gold Series

Configuring Spanguard

5-16 Configuring Spanning Trees

Configuring Spanguard

ThissectionprovidesinformationaboutthefollowingSpanguardtasks:

• OverviewoftheSpanguardFunction

• EnablingandAdjustingSpanguard

Overview of the Spanguard Function

EnterasysNetworks’SpanguardfunctionprovidestheabilityforEnterasysswitchestodetect

unauthorizedbridgesinthenetwork.ItprotectsagainstSpanningTreeDenialofService(DoS)

attacksaswellasunintentional/unauthorizedconnectedbridges.Thisisdonebyintercepting

receivedBPDUsonconfiguredportsandlockingtheseportssotheydonot

processanyreceived

packets—thusprotectingtheintegrityoftheSpanningTreetopology.

Bydefault,Spanguardisgloballydisabled.Whenenabled,receptionofaBPDUonaportthatis

administrativelyconfiguredasaspanningtreeedgeport(adminedge=True)willcausetheport

tobecomelockedandthestate

settoblocking.Whenthisconditionismet,packetsreceivedon

thatportwillnotbeprocessedforaspecifiedtimeou tperiod.Theportwillbecomeunlocked

wheneither:

•Thetimeoutexpires

•Theportismanuallyunlocked

•Theportisnolongeradministrativelyconfiguredasadminedge=True

•TheS pangua rdfunction isdisabled

TheportwillbecomelockedagainshouldanotheroffendingBPDUbereceivedonthatportafter

expirationofthetimeoutormanualunlockingofthatportoccurs.

IntheeventofaDoSattackwithSpanguardenabledandconfigured,nospanningtreetopology

changesortopologyreconfigurationswillbeseen.The

stateofthespanningtreewillbe

completelyunaffectedbythereceptionofanyspoofedBPDUsregardlessoftheBPDUtype,rate

receivedordurationoftheattack.

Bydefault,whenSNMPandSpanguardareenabled,atrapmessagewillbegeneratedwhen

Spanguarddetectsthatanunauthorizedporthastried

tojoinaSp anningTree.

Display the mapping of one or more filtering

database IDs (FIDs) to spanning trees. Since VLANs

are mapped to FIDs, this shows to which SID a

VLAN is mapped.

show spantree mstmap [fid fid]

Display the spanning tree ID(s) assigned to one or

more VLANs.

show spantree vlanlist [vlan-list]

Display MST configuration identifier elements,

including format selector, configuration name,

revision level, and configuration digest.

show spantree mstcfgid

Display protocol-specific MSTP counter information. show spantree debug [port port-string]

[sid sid] [active]

Table 5-4 Commands for Monitoring MSTP (continued)

Task Command