HP 5820X series Configuration Manual page 98

Hide thumbs Also See for 5820X series:

Configuration manual (200 pages)

Configuration manual (294 pages)

Command reference manual (396 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

page of 244

/ 244
Contents
Table of Contents
Bookmarks

Table of Contents

Enabling TC-BPDU guard

When receiving TC BPDUs (the BPDUs used to notify topology changes), a switch flushes its forwarding

address entries. If someone forges TC-BPDUs to attack the switch, the switch will receive a large number of

TC-BPDUs within a short time and be busy with forwarding address entry flushing. This affects network

stability.

With the TC-BPDU guard function, you can set the maximum number of immediate forwarding address

entry flushes that the switch can perform within a certain period of time after receiving the first TC-BPDU.

For TC-BPDUs received in excess of the limit, the switch performs forwarding address entry flush only

when the time period expires. This prevents frequent flushing of forwarding address entries.

To enable TC-BPDU guard:

To do...

Enter system view

Enable the TC-BPDU guard function

Configure the maximum number of

forwarding address entry flushes that the

device can perform within a specific time

period after it receives the first TC-BPDU

NOTE:

HP does not recommend you to disable this feature.

Enabling BPDU drop

In an STP-enabled network, after receiving BPDUs, a device performs STP calculation according to the

received BPDUs and forwards received BPDUs to other devices in the network. This allows malicious

attackers to forge BPDUs to attack the network: By continuously sending forged BPDUs, they can make all

devices in the network perform STP calculations all the time. As a result, problems such as CPU overload

and BPDU protocol status errors occur.

To avoid this problem, you can enable BPDU drop on ports. A BPDU drop-enabled port does not receive

any BPDUs and is invulnerable to forged BPDU attacks.

To enable BPDU drop on an Ethernet interface:

To do...

Enter system view

Enter Ethernet interface view

Enable BPDU drop on the

current interface

Use the command...

system-view

stp tc-protection enable

stp tc-protection threshold

number

Use the command...

system-view

interface interface-type interface-

number

bpdu-drop any

Remarks

—

Optional

Enabled by default

Optional

6 by default

Remarks

—

Required

Disabled by default.

Table of Contents

Show Quick Links

Quick Links:
Management Ethernet Interface
Configuring Basic Settings of an Ethernet...

Hide quick links:

Table of Contents

This manual is also suitable for:

5800 series

HP 5820X series Configuration Manual page 98

Hide quick links:

Related Manuals for HP 5820X series

Related Products for HP 5820X series

This manual is also suitable for:

Table of Contents