====== Configuration example for UserPort security ====== Through the function "UserPorts" you can filter certain control protocols on your access ports that you normally wouldn't expect nor want to receive from users. This feature is often called "BPDUShutdown" while it is not the BPDU that imposes an issue but often an undetected network loop that you want to avoid (e.g. by unmanaged SOHO switch with a hairpin cable). UserPort security will generate a Fake-BPDU on ports that are configured and on reception of this frame on another or same port, will shut down the port for a certain period of time (or until link-down, link-up event). Through that mechanism you can easily avoid network loops at the edge. This configuration would be a good starting point: qos user-port filter bgp ospf rip vrrp dhcp-server pim dvmrp dns-reply user-port shutdown bpdu policy port group UserPorts 1/3-48 qos apply It is extremely important that you exclude the UPLINK ports from the UserPorts port range, as you normally expect BPDUs on that port! The example above filters packets that impose an attack to dynamic routing protocols and prevents DHCP- and DNS-spoofing (as the filter allows only client-side type of protocol operations). "BPDU" needs to stay as "shutdown" as it is not the BPDU but more the looped network traffic that puts your network at risk. In networks where you come across more intelligent "SOHO switches", it is a good practice to enable Loopback-Detection (LBD). [[english:deploy-loopback-detection-lbd|Additional UserPort security by deploying Loopback-Detection]]