Enabling bpdu drop, Displaying and maintaining the spanning tree – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

device will receive a large number of TC-BPDUs within a short time and be busy with forwarding address entry flushing. This affects network stability.

With the TC-BPDU guard function, you can set the maximum number of immediate forwarding address entry flushes that the device can perform within a given period of time. For TC-BPDUs received in excess of the limit, the device performs a forwarding address entry flush when the time period expires. This prevents frequent flushing of forwarding address entries.

Follow these steps to enable TC-BPDU guard:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enable the TC-BPDU guard function | stp tc-protection enable | Optional. Enabled by default. |
| Set the maximum number of immediate forwarding address entry flushes that the device can perform within a given period of time | stp tc-protection threshold number | Optional. 6 by default. |

NOTE: H3C recommends that you do not disable this feature.
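
The rate limit described in this section can be modelled in a few lines. The following Python sketch is an added illustration, not H3C code: the 10-second period and the fixed windows starting at t=0 are assumptions (the manual only says "a certain period of time"), and the arrival times are constructed sample data.

```python
"""Model of TC-BPDU guard: cap immediate flushes per period, defer the rest."""


def flush_timeline(arrivals, threshold=6, period_s=10.0, guard=True):
    """Return sorted (time, kind) flush events for TC-BPDU arrival times in seconds.

    threshold matches the documented default of 6. period_s and the fixed,
    t=0-aligned windows are assumptions of this model, not documented values.
    """
    if threshold < 1 or period_s <= 0:
        raise ValueError("threshold must be >= 1 and period_s must be > 0")
    if not guard:
        # Without the guard, every TC-BPDU flushes the forwarding address entries.
        return [(t, "immediate") for t in sorted(arrivals)]
    events, seen = [], {}
    for t in sorted(arrivals):
        window = int(t // period_s)
        seen[window] = seen.get(window, 0) + 1
        if seen[window] <= threshold:
            events.append((t, "immediate"))
        elif seen[window] == threshold + 1:
            # The first TC-BPDU over the limit schedules one flush at period
            # expiry; later ones in the same period add nothing further.
            events.append(((window + 1) * period_s, "deferred"))
    return sorted(events)


def summarize(events):
    """Count flush events by kind."""
    counts = {"immediate": 0, "deferred": 0}
    for _, kind in events:
        counts[kind] += 1
    return counts


# Constructed inputs: a burst of 500 TC-BPDUs in 2 seconds, and three
# isolated topology changes.
FLOOD = [i * 0.004 for i in range(500)]
NORMAL = [1.0, 15.0, 40.0]

if __name__ == "__main__":
    print("flood, guard off:", summarize(flush_timeline(FLOOD, guard=False)))
    print("flood, guard on: ", summarize(flush_timeline(FLOOD)))
    print("normal, guard on:", summarize(flush_timeline(NORMAL)))
```

Under the flood the guarded device performs seven flushes instead of 500, while isolated topology changes are still flushed immediately.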

Enabling BPDU drop

In a spanning tree network, after receiving BPDUs, the device performs STP calculation according to the received BPDUs and forwards them to other devices in the network. Attackers can exploit this by forging BPDUs: by continuously sending forged BPDUs, they can make all the devices in the network perform STP calculations all the time. As a result, problems such as CPU overload and BPDU protocol status errors occur.

To avoid this problem, you can enable BPDU drop on ports. A BPDU drop-enabled port does not receive any BPDUs, legitimate or forged, and is invulnerable to forged BPDU attacks.

Follow these steps to enable BPDU drop on an Ethernet interface:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter Ethernet interface view | interface interface-type interface-number | |
| Enable BPDU drop on the current interface | bpdu-drop any | Required. Disabled by default. |

Displaying and maintaining the spanning tree

| To do... | Use the command... | Remarks |
|---|---|---|
| Display information about ports blocked by spanning tree protection functions | display stp abnormal-port [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |