Specifications

ManualsBrandsEnterasys ManualsComputer equipmentN Standalone (NSA) Series

331

332

333

334

335

336

337

338

339

340

Understanding and Configuring SpanGuard

March 14, 2011 Page 20 of 29

Understanding and Configuring SpanGuard

ThissectionprovidesinformationaboutthefollowingSpanGuardtopicsandtasks:

• WhatIsSpanGuard?(page20)

• HowDoesItOperate?(page20)

• ConfiguringSpanGuard(page21)

What Is SpanGuard?

AsdescribedpreviouslyintheoverviewofSpanGuardonpage5,thisfeatureenablesEnterasys

switchingdevicestodetectunauthorizedbridgesinyournetwork,resolvingthethreatofrepeated

topologychangenotificationsornewrootbridgeannouncementscausingaDenialofService

(DoS)condition.ItpreventsSpanningTreerespansthatcan

occurwhenBPDUsarereceivedon

userportsandnotifiesyou(networkmanagement)theywereattempted.

IfaSpanGuardenabledportreceivesaBPDU,itbecomeslockedandtransitionstotheblocking

state.Itwillonlytransitionoutoftheblockingstateafteragloballyspecifiedtimeorwhenitis



manuallyunlocked.

Bydefault,SpanGuardisgloballydisabledonN‐Series,S‐Series,stackable,and standaloneswitch

devicesandmustbegloballyenabledtooperateonalluserports.Forconfigurationinformation,

referto“ConfiguringSpanGuard”onpage 21.

How Does It Operate?

SpanGuardhelpsprotectagainstSpanningTreeDenialofService(DoS)SpanGuardattacksas

wellasunintentional/unauthorizedconnectedbridgesbyinterceptingreceivedBPDUson

configuredportsandlockingtheseportssotheydonotprocessanyreceivedpackets.

Whenenabled,receptionofaBPDUonaportthatisadministrativelyconfiguredas

aSpanning

Treeedgeport(adminedge=True)willcausetheporttobecomelockedandthestatesetto

blocking.Whenthisconditionismet,packetsreceivedonthatportwillnotbeprocessedfora

specifiedtimeoutperiod.Theportwillbecomeunlockedwheneither:

Display a list of MSTIs configured on the device. show spantree mstilist

Display the mapping of one or more filtering

database IDs (FIDs) to Spanning Trees. Since

VLANs are mapped to FIDs, this shows to which SID

a VLAN is mapped.

show spantree mstmap [fid fid]

Display the Spanning Tree ID(s) assigned to one or

more VLANs.

show spantree vlanlist [vlan-list]

Display MST configuration identifier elements,

including format selector, configuration name,

revision level, and configuration digest.

show spantree mstcfgid

Display protocol-specific MSTP counter information. show spantree debug [port port-string]

[sid sid] [active]

Table 6 Commands for Monitoring MSTP (continued)

Task Command