Enabling TC-BPDU Attack Guard - H3C LS-3100-52P-OVS-H3 Operation Manual

S5500-EI Series Ethernet Switches
By continuously receiving BPDUs from the upstream device, a device can maintain the state of its root port and blocked ports. However, because of link congestion or unidirectional link failures, these ports may fail to receive BPDUs from the upstream device. In this case, the downstream device reselects the port roles: ports in the forwarding state that failed to receive upstream BPDUs become designated ports, and the blocked ports transition to the forwarding state, resulting in loops in the switched network. The loop guard function suppresses such loops.
If a loop guard-enabled port fails to receive BPDUs from the upstream device, and the port took part in STP calculation, all the instances on the port, whatever role the port plays, are set to, and stay in, the Discarding state.
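The port behaviour described above, as an added example (not H3C code and not part of the manual): a minimal model of a port that stops receiving upstream BPDUs, once without and once with loop guard. The timer value, role and state names, and the API are assumptions made for this illustration; only the outcome (reselection to designated/forwarding without loop guard, Discarding with loop guard) follows the text.

```python
# Added example (not H3C code): how a port that stops receiving upstream
# BPDUs behaves with and without loop guard. Timer values, role names and
# the API are assumptions made for this illustration.
from dataclasses import dataclass

MAX_AGE_S = 20  # assumed BPDU max-age timer in seconds


@dataclass
class StpPort:
    name: str
    role: str                 # "root", "alternate" (blocked) or "designated"
    state: str                # "forwarding" or "discarding"
    loop_guard: bool = False  # stp loop-protection configured on this port
    last_bpdu_s: int = 0      # time the last upstream BPDU was received

    def receive_bpdu(self, now_s: int) -> None:
        """An upstream BPDU arrived: refresh the timer."""
        self.last_bpdu_s = now_s

    def age_check(self, now_s: int) -> str:
        """Run when the timer fires. Returns a label for what happened."""
        if self.role == "designated":
            return "unchanged"  # a designated port sends BPDUs; it does not age out
        if now_s - self.last_bpdu_s <= MAX_AGE_S:
            return "unchanged"  # upstream BPDUs are still arriving in time
        if self.loop_guard:
            # Loop guard: the port is set to Discarding instead of assuming
            # it has become designated, whatever role it held.
            self.state = "discarding"
            return "loop-guard-discarding"
        # Without loop guard the missing BPDUs are treated as "no upstream
        # bridge": the port reselects itself as designated and forwards,
        # which on a previously blocked port opens a loop.
        self.role = "designated"
        self.state = "forwarding"
        return "reselected-designated"


def simulate_bpdu_loss(role: str, state: str, loop_guard: bool) -> tuple:
    """Constructed scenario: BPDUs arrive every 2 s until t=10 s, then stop;
    the timer is checked at t=40 s. Returns (event, role, state)."""
    port = StpPort("GigabitEthernet1/0/1", role, state, loop_guard)  # port name is illustrative
    for t in range(0, 11, 2):
        port.receive_bpdu(t)
    event = port.age_check(40)
    return event, port.role, port.state


if __name__ == "__main__":
    for lg in (False, True):
        print("alternate port, loop guard", lg, "->",
              simulate_bpdu_loss("alternate", "discarding", lg))
        print("root port, loop guard", lg, "->",
              simulate_bpdu_loss("root", "forwarding", lg))
```

Running the block prints the two scenarios side by side: without loop guard the blocked (alternate) port silently becomes a forwarding designated port, which is exactly the loop the text warns about; with loop guard both the alternate and the root port end in Discarding.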
Follow these steps to enable loop guard:

To do... | Use the command... | Remarks
Enter system view | system-view |
Enter interface view or port group view: enter Ethernet interface view or Layer-2 aggregate interface view | interface interface-type interface-number | Required. Use either command. Configurations made in interface view take effect on the current port only; configurations made in port group view take effect on all ports in the port group.
Enter interface view or port group view: enter port group view | port-group manual port-group-name | (see above)
Enable the loop guard function for the port(s) | stp loop-protection | Required. Disabled by default

Enabling TC-BPDU Attack Guard

When it receives a TC-BPDU (a BPDU used to notify a topology change), the device refreshes its forwarding address entries. If someone forges TC-BPDUs to attack the device, the device receives a large number of TC-BPDUs within a short time, and the frequent refresh operations place a heavy burden on the device and endanger network stability.
With the TC-BPDU guard function enabled, the device limits the number of times it immediately refreshes forwarding address entries within 10 seconds after receiving the first TC-BPDU to the value set with the stp tc-protection threshold command (call this value X). At the same time, the system monitors whether the number of TC-BPDUs received within that period is larger than X. If so, the device performs one more refresh operation after that period elapses. This prevents frequent refreshing of forwarding address entries.
Follow these steps to enable TC-BPDU attack guard:

To do... | Use the command... | Remarks
Enter system view | system-view |
Enable the TC-BPDU attack guard function | stp tc-protection enable | Optional. Enabled by default
Configure the maximum number of times the device refreshes forwarding address entries within a certain period of time immediately after it receives the first TC-BPDU | stp tc-protection threshold number | Optional. 6 by default
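The TC-BPDU guard mechanism described in this section, as an added example (not H3C code and not part of the manual): a model of the 10-second window with threshold X, run over a constructed flood of TC-BPDUs to show how many address-table refreshes result with the guard disabled versus enabled. The class, method names and the refresh log are assumptions made for this illustration; the 10-second period, the threshold and the "one more refresh after the period elapses" rule come from the text.

```python
# Added example (not H3C code): a model of the TC-BPDU guard behaviour.
# Class and method names are assumptions; the 10 s window, threshold X
# (default 6) and the single deferred refresh follow the manual's description.
WINDOW_MS = 10_000  # the manual's 10-second monitoring period


class TcBpduGuard:
    def __init__(self, enabled: bool = True, threshold: int = 6):
        self.enabled = enabled        # stp tc-protection enable (enabled by default)
        self.threshold = threshold    # stp tc-protection threshold X (6 by default)
        self.window_start_ms = None   # set when the first TC-BPDU of a window arrives
        self.received = 0             # TC-BPDUs seen in the current window
        self.immediate = 0            # immediate refreshes done in the current window
        self.refreshes = []           # (timestamp_ms, reason) of every refresh

    def _refresh(self, at_ms: int, reason: str) -> None:
        # Stands in for flushing the forwarding address (MAC) table.
        self.refreshes.append((at_ms, reason))

    def tick(self, now_ms: int) -> None:
        """Expire the window once 10 s have elapsed; if more than X TC-BPDUs
        arrived during the window, perform the one deferred refresh."""
        if self.window_start_ms is None:
            return
        if now_ms - self.window_start_ms >= WINDOW_MS:
            if self.received > self.threshold:
                self._refresh(self.window_start_ms + WINDOW_MS, "deferred")
            self.window_start_ms = None

    def receive_tc_bpdu(self, now_ms: int) -> None:
        self.tick(now_ms)
        if not self.enabled:
            self._refresh(now_ms, "immediate")   # unguarded: every TC-BPDU refreshes
            return
        if self.window_start_ms is None:
            self.window_start_ms = now_ms        # first TC-BPDU opens a 10 s window
            self.received = 0
            self.immediate = 0
        self.received += 1
        if self.immediate < self.threshold:
            self.immediate += 1                  # up to X immediate refreshes per window
            self._refresh(now_ms, "immediate")
        # beyond X the BPDU is only counted; at most one more refresh follows
        # when the window ends (see tick)


def simulate_flood(count: int, spacing_ms: int, enabled: bool = True,
                   threshold: int = 6) -> int:
    """Constructed input: `count` TC-BPDUs spaced `spacing_ms` apart, starting
    at t=0. Returns how many forwarding-table refreshes resulted."""
    guard = TcBpduGuard(enabled, threshold)
    last = 0
    for i in range(count):
        last = i * spacing_ms
        guard.receive_tc_bpdu(last)
    guard.tick(last + WINDOW_MS + 1)   # let the final window expire
    return len(guard.refreshes)


if __name__ == "__main__":
    print("50 forged TC-BPDUs in 5 s, guard disabled:", simulate_flood(50, 100, enabled=False))
    print("50 forged TC-BPDUs in 5 s, guard enabled (X=6):", simulate_flood(50, 100))
    print("3 legitimate TC-BPDUs, guard enabled:", simulate_flood(3, 100))
```

With the guard disabled, 50 forged TC-BPDUs in five seconds cause 50 refreshes; with it enabled and X at its default of 6, the same flood costs 6 immediate refreshes plus one deferred refresh when the window closes, while a few genuine topology changes are still applied immediately. A flood that outlasts one window simply opens a new window, so the cost stays bounded at X+1 refreshes per 10 seconds.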
