Configuring Bpdu Dropping - 3Com 4210 9-Port Configuration Manual

# Set the maximum times for the switch to remove the MAC address table and ARP entries within 10
seconds to 5.
<Sysname> system-view
[Sysname] stp tc-protection threshold 5

Configuring BPDU Dropping

In a STP-enabled network, attackers may send BPDUs to switches continuously in order to destroy the
network. When a switch receives BPDUs, it will forward them to other switches. As a result, STP
calculation is performed repeatedly, which may occupy too much CPU of the switches or cause errors in
the protocol state of the BPDUs.
To address this threat, you can enable BPDU dropping on Ethernet ports of the switches. With BPDU
dropping enabled, a port will not receive or forward any BPDUs. In this way, switches are protected
against forged BPDU attacks, thus ensuring correct STP calculation.
You can enable BPDU dropping on ports that need not receive or forward BPDUs, for example, edge
ports.
Configuration Prerequisites
MSTP runs normally on the switch.
Configuration procedure
Follow these steps to configure BPDU dropping:
To do...
Enter system view
Enter Ethernet port view
Enable BPDU dropping
Configuration example
# Enable BPDU dropping on Ethernet 1/0/1.
<Sysname>system-view
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] bpdu-drop any
Use the command...
system-view
interface interface-name
bpdu-drop any
1-39
Remarks
—
—
Required
BPDU dropping is disabled by
default.