Specifications

ManualsBrandsEnterasys ManualsComputer equipmentN Standalone (NSA) Series

331

332

333

334

335

336

337

338

339

340

Understanding and Configuring SpanGuard

March 14, 2011 Page 21 of 29

•thetimeoutexpires,

•theportismanuallyunlocked,

•theportisnolongeradministrativelyconfiguredasadminedge=True,or

•theSpanGuardfunctionisdisabled.

TheportwillbecomelockedagainifitreceivesanotheroffendingBPDUafterthetimeoutexpires

oritismanuallyunlocked.

IntheeventofaDoSattack

withSpanGuardenabledandconfigured,noSpanningTreetopology

changesortopologyreconfigurationswillbeseeninyournetwork.ThestateofyourSpanning

TreewillbecompletelyunaffectedbythereceptionofanyspoofedBPDUs,regardlessofthe

BPDUtype,ratereceivedordurationoftheattack.

Bydefault,when

SNMPandSpanGuard areenabled,atrapmessagewillbegeneratedwhen

SpanGuarddetectsthatanunauthorizedporthastriedtojoinaSpanningTree.

Configuring SpanGuard

UsethefollowingcommandstoconfiguredeviceportsforSpanGuard,toenabletheSpanGuard

function,andtoreviewSpanGuardstatusonthedevice.

Reviewing and Setting Edge Port Status

Reviewandsetedgeportstatusasfollows:

1. Usetheshowcommandsdescribedin“DefiningEdgePortStatus”onpage17todetermine

edgeportadministrativestatusonthedevice.

2. SetedgeportadministrativestatustofalseonallknownISLs.

3. Setedgeportadministrativestatustotrueonanyremainingports

whereSpanGuard

protectionisdesired.ThisindicatestoSpanGuardthattheseportsarenotexpectingtoreceive

anyBPDUs.IftheseportsdoreceiveBPDUs,theywillbecomelocked.

Enabling and Adjusting SpanGuard

UsethiscommandtoenableSpanGuardonthedevice:

set spantree spanguard enable

UsethiscommandtoadjusttheSpanGuardtimeoutvalue.Thissetsthelengthoftimethata

SpanGuard‐affectedportwillremainlocked:

set spantree spanguardtimeout timeout

Validvaluesare0–65535seconds.Defaultis300seconds.Settingthevalueto0willsetthe

timeouttoforever.

UsethiscommandtomanuallyunlockaportthatwaslockedbytheSpanGuardfunction.This

overridesthespecified timeoutvariable:

set spantree spanguardlock port-string

Note: In order to utilize the SpanGuard function, you must know which ports are connected

between switching devices as ISLs (inter-switch links). Also, you must configure edge port status

(adminedge = true or false) on the entire switch, as described in “Defining Edge Port Status” on

page 17, before SpanGuard will work properly.