Configuring tc-bpdu attack guard, Configuration prerequisites, Configuration procedure – H3C Technologies H3C S3600 Series Switches User Manual
Configuring TC-BPDU Attack Guard
Normally, a switch removes its MAC address table and ARP entries upon receiving Topology Change BPDUs (TC-BPDUs). If a malicious user sends a large number of TC-BPDUs to a switch in a short period, the switch may be kept busy removing the MAC address table and ARP entries, which may affect spanning tree calculation, occupy a large amount of bandwidth, and increase switch CPU utilization.
With the TC-BPDU attack guard function enabled, a switch performs a removing operation upon receiving a TC-BPDU and starts a timer (set to 10 seconds by default) at the same time. Before the timer expires, the switch performs the removing operation only a limited number of times (up to six times by default), regardless of the number of TC-BPDUs it receives. This mechanism prevents a switch from being kept busy removing the MAC address table and ARP entries.
You can use the stp tc-protection threshold command to set the maximum number of times a switch removes the MAC address table and ARP entries in a specific period. While the number of TC-BPDUs received within the period is less than this maximum, the switch performs a removing operation upon receiving each TC-BPDU. Once the number of TC-BPDUs received reaches the maximum, the switch stops performing the removing operation for the rest of the period. For example, if you set the maximum number of removals to 100 and the switch receives 200 TC-BPDUs in the period, the switch removes the MAC address table and ARP entries only 100 times within that period.
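The guard described above amounts to a per-window rate limit on MAC/ARP flushes. The following Python model is an added illustration, not H3C code: it feeds a list of TC-BPDU arrival times through the limiter and counts how many flushes are actually performed versus suppressed. It assumes that a TC-BPDU arriving after the timer has expired performs a flush and starts a fresh 10-second window, and that the default limit is six flushes per window, as the text states.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

TC_PROTECTION_WINDOW_S = 10.0   # timer started by a TC-BPDU (10 seconds by default)
DEFAULT_THRESHOLD = 6           # flushes allowed per window (default of stp tc-protection threshold)


@dataclass
class TcProtectionGuard:
    """Model of the TC-BPDU attack guard: MAC/ARP flushes are capped per timer window."""
    threshold: int = DEFAULT_THRESHOLD
    window_s: float = TC_PROTECTION_WINDOW_S
    flushes: int = field(default=0, init=False)      # total removing operations performed
    suppressed: int = field(default=0, init=False)   # TC-BPDUs received but not acted on
    _window_start: Optional[float] = field(default=None, init=False)
    _flushes_in_window: int = field(default=0, init=False)

    def on_tc_bpdu(self, now: float) -> bool:
        """Handle one received TC-BPDU at time `now` (seconds). Returns True if a flush ran."""
        # Assumption: no timer running (or timer expired) -> this TC-BPDU opens a new window.
        if self._window_start is None or now - self._window_start >= self.window_s:
            self._window_start = now
            self._flushes_in_window = 0
        if self._flushes_in_window < self.threshold:
            self._flushes_in_window += 1
            self.flushes += 1
            return True
        # Limit reached for this window: the TC-BPDU is received but no flush is performed.
        self.suppressed += 1
        return False


def simulate(arrivals: List[float], threshold: int = DEFAULT_THRESHOLD) -> Tuple[int, int]:
    """Run TC-BPDU arrival times through the guard; return (flushes performed, flushes suppressed)."""
    guard = TcProtectionGuard(threshold=threshold)
    for t in sorted(arrivals):
        guard.on_tc_bpdu(t)
    return guard.flushes, guard.suppressed


if __name__ == "__main__":
    # Constructed burst: 200 TC-BPDUs inside two seconds, threshold 100 (the manual's example figures).
    burst = [i * 0.01 for i in range(200)]
    print(simulate(burst, threshold=100))   # (100, 100)
    # Constructed steady stream: one TC-BPDU per second for 30 s with the default threshold.
    print(simulate([float(s) for s in range(30)]))   # (18, 12)
```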
Configuration prerequisites
MSTP runs normally on the switch.
Configuration procedure
Follow these steps to configure the TC-BPDU attack guard function:
1. Enter system view: system-view
2. Enable the TC-BPDU attack guard function: stp tc-protection enable (Required. The TC-BPDU attack guard function is disabled by default.)
3. Set the maximum times that a switch can remove the MAC address table and ARP entries within each 10 seconds: stp tc-protection threshold number (Optional)
Configuration example
# Enable the TC-BPDU attack guard function.
[Sysname] stp tc-protection enable
# Set the maximum times for the switch to remove the MAC address table and ARP entries within 10 seconds to 5.
[Sysname] stp tc-protection threshold 5