BPDU Guard Configuration - H3C S7500 Series Operation Manual

Operation Manual – MSTP
H3C S7500 Series Ethernet Switches
upstream switch for a certain period, the switch selects a new root port; the original root
port becomes a designated port; and the blocked ports transition to the forwarding state. This
may cause loops in the network.
The loop guard function suppresses loops. With this function enabled, if link
congestion or unidirectional link failures occur, both the root port and the blocked
ports become designated ports and change to the discarding state. In this case, they stop
forwarding packets, so loops are prevented.
IV. TC-BPDU attack guard
A switch removes MAC address entries and ARP entries upon receiving TC-BPDUs. If
a malicious user sends a large number of TC-BPDUs to a switch in a short period, the
switch may be kept busy removing MAC address entries and ARP entries, which may
decrease the performance and stability of the switch.
With the TC-BPDU guard function enabled, the switch performs only one removal
operation in a specified period (10 seconds by default) after it receives a TC-BPDU.
The switch also checks whether other TC-BPDUs arrive in this period and performs
another removal operation in the next period if a TC-BPDU is received. This
mechanism prevents the switch from being kept busy performing removal operations.
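The rate limit described above, modelled as an added example (not H3C code and not part of the original manual). The exact moment of the deferred removal is an assumption drawn from the paragraph's wording; flush_times and constructed_flood are hypothetical names, and the arrival times are constructed.

```python
# Added model of the TC-BPDU guard period; timing details are assumptions.
def flush_times(arrivals, period=10.0, guard=True):
    """Return the times at which MAC/ARP entries are removed.

    arrivals: TC-BPDU receive times in seconds (constructed test data).
    period:   guard period; 10 seconds is the default stated in the manual.
    guard:    False models a switch that removes entries on every TC-BPDU.
    """
    arrivals = sorted(arrivals)
    if not guard:
        return list(arrivals)

    flushes = []
    window_end = None   # end of the current guard period, None when idle
    pending = False     # a TC-BPDU arrived inside the current period

    for t in arrivals:
        # Close every guard period that ended before this TC-BPDU arrived.
        while window_end is not None and t >= window_end:
            if pending:
                # Deferred removal, performed as the next period starts.
                flushes.append(window_end)
                window_end += period
                pending = False
            else:
                window_end = None
        if window_end is None:
            flushes.append(t)          # first TC-BPDU: remove at once
            window_end = t + period
        else:
            pending = True             # absorbed until the period ends
    if pending:
        flushes.append(window_end)     # last deferred removal
    return flushes


def constructed_flood(rate_per_s=100, duration_s=30):
    """Constructed sample: evenly spaced TC-BPDUs, not captured traffic."""
    return [i / rate_per_s for i in range(rate_per_s * duration_s)]


if __name__ == "__main__":
    flood = constructed_flood()
    print("TC-BPDUs received:   ", len(flood))
    print("removals, guard off: ", len(flush_times(flood, guard=False)))
    print("removals, guard on:  ", flush_times(flood))
```

In this model the number of removal operations depends on the guard period and the length of the burst, not on how many TC-BPDUs the sender transmits.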
Caution:
Among the loop guard function, the root guard function, and the edge port setting, only one can be
in effect on a port at a time.
1.5.2 Configuration Prerequisites
MSTP runs normally on the switch.

1.5.3 BPDU Guard Configuration

I. Configuration procedure
Follow these steps to enable the BPDU guard function:
| To do ... | Use the command ... | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enable the BPDU guard function | stp bpdu-protection | Required. The BPDU guard function is disabled by default. |

Chapter 1 MSTP Configuration
