Enabling tc-bpdu guard, Enabling bpdu drop – H3C Technologies H3C S5560 Series Switches User Manual
Step | Command | Remarks
3. Enable TC-BPDU transmission restriction. | stp tc-restriction | By default, TC-BPDU transmission restriction is disabled.
Enabling TC-BPDU guard
When a device receives topology change (TC) BPDUs (the BPDUs that notify devices of topology changes), it flushes its forwarding address entries. If someone uses TC-BPDUs to attack the device, the device will receive a large number of TC-BPDUs within a short time and be busy with forwarding address entry flushing. This affects network stability.

TC-BPDU guard allows you to set the maximum number of immediate forwarding address entry flushes performed within 10 seconds after the device receives the first TC-BPDU. For TC-BPDUs received in excess of the limit, the device performs a single forwarding address entry flush when the time period expires. This prevents frequent flushing of forwarding address entries. H3C recommends that you enable TC-BPDU guard.
To enable TC-BPDU guard:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable the TC-BPDU guard function. | stp tc-protection | By default, TC-BPDU guard is enabled. H3C recommends not disabling this feature.
3. (Optional.) Configure the maximum number of forwarding address entry flushes that the device can perform every 10 seconds. | stp tc-protection threshold number | The default setting is 6.
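The following Python model is an added illustration of the TC-BPDU guard behaviour described above; it is not H3C's implementation and is not part of this manual. It follows the rule stated in the text: up to the configured threshold of immediate flushes in the 10-second window that starts with the first TC-BPDU, and one deferred flush for any excess when the window expires. The class name, the helper function and the 40-message burst of arrival timestamps are all constructed for the example.

```python
"""Model of TC-BPDU guard rate limiting (constructed example, not H3C code)."""
from dataclasses import dataclass, field
from typing import List, Optional

WINDOW_SECONDS = 10.0  # the 10-second period named in the manual


@dataclass
class TcBpduGuard:
    """Limits forwarding-address-entry flushes triggered by TC-BPDUs.

    threshold corresponds to `stp tc-protection threshold number`;
    the manual's default is 6.
    """
    threshold: int = 6
    window_start: Optional[float] = None
    immediate_flushes: int = 0
    deferred_pending: bool = False
    flush_log: List[float] = field(default_factory=list)  # timestamps of flushes

    def _expire_window(self, now: float) -> None:
        """Close the window once 10 s have passed; perform the deferred flush if any."""
        if self.window_start is not None and now >= self.window_start + WINDOW_SECONDS:
            if self.deferred_pending:
                # Excess TC-BPDUs collapse into one flush at window expiry.
                self.flush_log.append(self.window_start + WINDOW_SECONDS)
            self.window_start = None
            self.immediate_flushes = 0
            self.deferred_pending = False

    def receive_tc_bpdu(self, now: float) -> bool:
        """Handle a TC-BPDU at time `now` (s); return True if it flushed immediately."""
        self._expire_window(now)
        if self.window_start is None:
            self.window_start = now  # first TC-BPDU opens the window
        if self.immediate_flushes < self.threshold:
            self.immediate_flushes += 1
            self.flush_log.append(now)
            return True
        self.deferred_pending = True  # over the limit: defer to window expiry
        return False

    def advance_clock(self, now: float) -> None:
        """Let time pass without traffic so an expiring window can issue its flush."""
        self._expire_window(now)


def count_flushes(arrivals, threshold=6, guard_enabled=True, end_time=None):
    """Number of flushes caused by a list of TC-BPDU arrival timestamps."""
    if not guard_enabled:
        return len(arrivals)  # without guard every TC-BPDU flushes
    guard = TcBpduGuard(threshold=threshold)
    for t in sorted(arrivals):
        guard.receive_tc_bpdu(t)
    if end_time is not None:
        guard.advance_clock(end_time)
    return len(guard.flush_log)


# Constructed sample: 40 TC-BPDUs in the first 2 seconds (a flood of the kind
# the text warns about), then one legitimate topology change at t = 25 s.
BURST = [i * 0.05 for i in range(40)] + [25.0]

if __name__ == "__main__":
    print("guard disabled:", count_flushes(BURST, guard_enabled=False, end_time=40))
    print("guard enabled :", count_flushes(BURST, end_time=40))
```

With the guard disabled the sample burst causes 41 flushes; with the default threshold of 6 it causes 8 (six immediate flushes, one deferred flush at the 10-second mark, and one for the later legitimate change). Lowering the threshold reduces the immediate flushes but never suppresses the single deferred flush, so a real topology change within the window is still learned when the window expires.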
Enabling BPDU drop
In a spanning tree network, every BPDU arriving at the device triggers an STP calculation process and is then forwarded to other devices in the network. Malicious attackers might use this behaviour to attack the network by forging BPDUs. By continuously sending forged BPDUs, they can make all devices in the network continue performing STP calculations. As a result, problems such as CPU overload and BPDU protocol status errors occur.

To avoid this problem, you can enable BPDU drop on ports. A BPDU drop-enabled port does not receive any BPDUs and is invulnerable to forged BPDU attacks.
To enable BPDU drop on an Ethernet interface:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | N/A