Download Print this page

HP A3100-8 v2 SI Configuration Manual Page 88

A3100 v2 switch series layer 2 - lan switching.
Hide thumbs

Advertisement

NOTE:
Do not enable loop guard on a port that connects user terminals. Otherwise, the port will stay in the
discarding state in all MSTIs because it cannot receive BPDUs.
Among loop guard, root guard and edge port settings, only one function (whichever is configured the
earliest) can at a time take effect on a port.
Enabling TC-BPDU guard
When a switch receives topology change (TC) BPDUs (the BPDUs that notify devices of topology
changes), the switch flushes its forwarding address entries. If someone forges TC-BPDUs to attack the
switch, the switch will receive a large number of TC-BPDUs within a short time and be busy with
forwarding address entry flushing. This affects network stability.
With the TC-BPDU guard function, you can set the maximum number of immediate forwarding address
entry flushes that the switch can perform within a specified period of time after it receives the first
TC-BPDU. For TC-BPDUs received in excess of the limit, the switch performs forwarding address entry flush
only when the time period expires. This prevents frequent flushing of forwarding address entries.
Follow these steps to enable TC-BPDU guard:
To do...
Enter system view
Enable the TC-BPDU guard function
Configure the maximum number of
forwarding address entry flushes that the
device can perform within a specific time
period after it receives the first TC-BPDU
NOTE:
HP does not recommend you to disable this feature.
Enabling BPDU drop
In an STP-enabled network, after receiving BPDUs, a device performs STP calculation according to the
received BPDUs and forwards received BPDUs to other devices in the network. This allows malicious
attackers to attack the network by forging BPDUs. By continuously sending forged BPDUs, they can make
all the devices in the network perform STP calculations all the time. As a result, problems such as CPU
overload and BPDU protocol status errors occur.
To avoid this problem, you can enable BPDU drop on ports. A BPDU drop-enabled port does not receive
any BPDUs and is invulnerable to forged BPDU attacks.
Follow these steps to enable BPDU drop on an Ethernet interface:
To do...
Enter system view
Enter Ethernet interface view
Enable BPDU drop on the current
interface
Use the command...
system-view
stp tc-protection enable
stp tc-protection threshold
number
Use the command...
system-view
interface interface-type
interface-number
bpdu-drop any
81
Remarks
Optional
Enabled by default.
Optional
6 by default.
Remarks
Required
Disabled by default.

Advertisement

Comments to this Manuals

Symbols: 0
Latest comments: