Configuring Tc-Bpdu Attack Guard - H3C S3100 Series Operation Manual
H3c s3100 series ethernet switches operation manual
Hide thumbs
Also See for S3100 Series:
- Command manual (1244 pages) ,
- Installation manual (94 pages) ,
- Operation manual (32 pages)
Table of Contents
Advertisement
Configuration example
# Enable the loop guard function on Ethernet 1/0/1.
<Sysname> system-view
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp loop-protection
Configuring TC-BPDU Attack Guard
Normally, a switch removes its MAC address table and ARP entries upon receiving Topology Change
BPDUs (TC-BPDUs). If a malicious user sends a large amount of TC-BPDUs to a switch in a short
period, the switch may be busy in removing the MAC address table and ARP entries, which may affect
spanning tree calculation, occupy large amount of bandwidth and increase switch CPU utilization.
With the TC-BPDU attack guard function enabled, a switch performs a removing operation upon
receiving a TC-BPDU and triggers a timer (set to 10 seconds by default) at the same time. Before the
timer expires, the switch only performs the removing operation for limited times (up to six times by
default) regardless of the number of the TC-BPDUs it receives. Such a mechanism prevents a switch
from being busy in removing the MAC address table and ARP entries.
You can use the stp tc-protection threshold command to set the maximum times for a switch to
remove the MAC address table and ARP entries in a specific period. When the number of the
TC-BPDUs received within a period is less than the maximum times, the switch performs a removing
operation upon receiving a TC-BPDU. After the number of the TC-BPDUs received reaches the
maximum times, the switch stops performing the removing operation. For example, if you set the
maximum times for a switch to remove the MAC address table and ARP entries to 100 and the switch
receives 200 TC-BPDUs in the period, the switch removes the MAC address table and ARP entries for
only 100 times within the period.
Configuration prerequisites
MSTP runs normally on the switch.
Configuration procedure
Follow these steps to configure the TC-BPDU attack guard function:
To do...
Enter system view
Enable the TC-BPDU attack
guard function
Set the maximum times that a
switch can remove the MAC
address table and ARP entries
within each 10 seconds
Configuration example
# Enable the TC-BPDU attack guard function
<Sysname> system-view
[Sysname] stp tc-protection enable
Use the command...
system-view
stp tc-protection enable
stp tc-protection threshold
number
1-38
Remarks
—
Required
The TC-BPDU attack guard
function is disabled by default.
Optional
Advertisement
Chapters
Table of Contents
Troubleshooting
