Enabling Bpdu Dropping - H3C S5500-SI Series Operation Manual

With the TC-BPDU guard function, you can set the maximum number of immediate forwarding address
entry flushes that the switch can perform within a certain period of time after receiving the first TC-BPDU.
For TC-BPDUs received in excess of the limit, the switch performs forwarding address entry flush only
when the time period expires. This prevents frequent flushing of forwarding address entries.
Follow these steps to enable TC-BPDU guard:
To do...
Enter system view
Enable the TC-BPDU guard
function
Configure the maximum
number of forwarding address
entry flushes that the device
can perform within a specific
time period after it receives the
first TC-BPDU
We recommend that you keep this feature enabled.

Enabling BPDU Dropping

In a STP-enabled network, some users may send BPDU packets to the switch continuously in order to
destroy the network. When a switch receives the BPDU packets, it will forward them to other switches.
As a result, STP calculation is performed repeatedly, which may occupy too much CPU of the switches
or cause errors in the protocol state of the BPDU packets.
In order to avoid this problem, you can enable BPDU dropping on Ethernet ports. Once the function is
enabled on a port, the port will not receive or forward any BPDU packets. In this way, the switch is
protected against the BPDU packet attacks so that the STP calculation is assured to be right.
Follow these steps to enable BPDU dropping:
To do...
Enter system view
Enter
interface view
or port group
view
Enable BPDU dropping for the
port(s)
Use the command...
system-view
stp tc-protection enable
stp tc-protection threshold
number
Use the command...
system-view
Enter Ethernet
interface view,
interface interface-type
or Layer 2
interface-number
aggregate
interface view
Enter port
port-group manual
group view
port-group-name
bpdu-drop any
1-37
Remarks
—
Optional
Enabled by default
Optional
6 by default
Remarks
—
Required
Use either command
Required
Disabled by default