Configuring Bpdu Dropping - H3C S5600 Series Operation Manual

receives 200 TC-BPDUs in the period, the switch removes the MAC address table and ARP entries for
only 100 times within the period.
Configuration prerequisites
MSTP runs normally on the switch.
Configuration procedure
Follow these steps to configure the TC-BPDU attack guard function:
To do...
Enter system view
Enable the TC-BPDU attack guard
function
Set the maximum times that a
switch can remove the MAC
address table and ARP entries
within each 10 seconds
Configuration example
# Enable the TC-BPDU attack guard function
<Sysname> system-view
[Sysname] stp tc-protection enable
# Set the maximum times for the switch to remove the MAC address table and ARP entries within 10
seconds to 5.
<Sysname> system-view
[Sysname] stp tc-protection threshold 5

Configuring BPDU Dropping

In a STP-enabled network, some users may send BPDU packets to the switch continuously in order to
destroy the network. When a switch receives the BPDU packets, it will forward them to other switches.
As a result, STP calculation is performed repeatedly, which may occupy too much CPU of the switches
or cause errors in the protocol state of the BPDU packets.
In order to avoid this problem, you can enable BPDU dropping on Ethernet ports. Once the function is
enabled on a port, the port will not receive or forward any BPDU packets. In this way, the switch is
protected against the BPDU packet attacks so that the STP calculation is assured to be right.
Configuration Prerequisites
MSTP runs normally on the switch.
Configuration procedure
Follow these steps to configure BPDU dropping:
To do...
Enter system view
Enter Ethernet port view
Enable BPDU dropping
Use the command...
system-view
stp tc-protection enable
stp tc-protection threshold
number
Use the command...
system-view
interface interface-name
bpdu-drop any
1-37
Remarks
—
Required
The TC-BPDU attack guard
function is disabled by default.
Optional
Remarks
—
—
Required
BPDU dropping is disabled by default.