Operation Manual – MSTP
H3C S3100-52P Ethernet Switch
Chapter 1 MSTP Configuration
1-44
IV. TC-BPDU attack guard
Normally, a switch removes its MAC address table and ARP entries upon receiving a
TC-BPDU. If a malicious user sends a large number of TC-BPDUs to a switch in a
short period, the switch may be kept busy removing the MAC address table and ARP
entries, which may affect spanning tree calculation, occupy a large amount of
bandwidth and increase switch CPU utilization.
With the TC-BPDU attack guard function enabled, a switch performs a removing
operation upon receiving a TC-BPDU and starts a timer (set to 10 seconds by default)
at the same time. Before the timer expires, the switch performs the removing
operation only a limited number of times (up to six times by default), regardless of
the number of TC-BPDUs it receives. This mechanism prevents a switch from being
kept busy removing the MAC address table and ARP entries.
You can use the stp tc-protection threshold command to set the maximum number of
times a switch removes the MAC address table and ARP entries in a specific period.
While the number of TC-BPDUs received within the period is less than this maximum,
the switch performs a removing operation upon receiving each TC-BPDU. Once the
number of TC-BPDUs received reaches the maximum, the switch stops performing the
removing operation for the rest of the period. For example, if you set the maximum
number of times a switch removes the MAC address table and ARP entries to 100 and
the switch receives 200 TC-BPDUs in the period, the switch removes the MAC address
table and ARP entries only 100 times within that period.
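The guard behaviour described above, modelled as an added example (this is a constructed simulation, not the switch's own code): the first TC-BPDU flushes the tables and starts a timer, and until the timer expires at most the configured number of flushes is performed however many TC-BPDUs arrive. The 10-second period, the default of six flushes, and the 200-BPDU flood are taken from the text; the class and function names are assumptions.

```python
"""Simulation of the MSTP TC-BPDU attack guard (added example, not switch code)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class TcProtectionGuard:
    """Constructed model of the TC-BPDU guard; not the switch's real implementation."""
    threshold: int = 6      # max table flushes per period (stp tc-protection threshold)
    period: float = 10.0    # guard timer in seconds (10 s by default per the manual)
    enabled: bool = True    # False models a switch without the guard
    _window_start: Optional[float] = field(default=None, repr=False)
    _flushes_in_window: int = field(default=0, repr=False)

    def receive_tc_bpdu(self, now: float) -> bool:
        """Return True if this TC-BPDU causes the MAC/ARP tables to be removed."""
        if not self.enabled:
            return True  # no guard: every TC-BPDU flushes the tables
        # The first TC-BPDU (or the first after the timer expired) starts the timer.
        if self._window_start is None or now - self._window_start >= self.period:
            self._window_start = now
            self._flushes_in_window = 0
        if self._flushes_in_window < self.threshold:
            self._flushes_in_window += 1
            return True
        return False  # threshold reached: the TC-BPDU no longer triggers a removal


def count_flushes(arrivals: List[float], threshold: int = 6,
                  period: float = 10.0, enabled: bool = True) -> int:
    """Number of table removals caused by TC-BPDUs arriving at the given times."""
    guard = TcProtectionGuard(threshold=threshold, period=period, enabled=enabled)
    return sum(guard.receive_tc_bpdu(t) for t in sorted(arrivals))


# Constructed flood: 200 TC-BPDUs spread evenly over one 10-second period.
FLOOD = [i * 0.05 for i in range(200)]

if __name__ == "__main__":
    print("no guard      :", count_flushes(FLOOD, enabled=False))    # 200
    print("threshold 6   :", count_flushes(FLOOD))                   # 6
    print("threshold 100 :", count_flushes(FLOOD, threshold=100))    # 100
```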
V. BPDU dropping
In an STP-enabled network, some users may send BPDU packets to the switch
continuously in order to disrupt the network. When a switch receives these BPDU
packets, it forwards them to other switches. As a result, STP calculation is performed
repeatedly, which may consume too much CPU on the switches or cause errors in the
protocol state of the BPDU packets.
To avoid this problem, you can enable BPDU dropping on Ethernet ports. Once the
function is enabled on a port, the port neither receives nor forwards any BPDU packets.
In this way, the switch is protected against BPDU packet attacks and the STP
calculation is assured to be correct.
1.6.2 Configuration Prerequisites
MSTP runs normally on the switch.
1.6.3 Configuring BPDU Guard
I. Configuration procedure
Follow these steps to configure BPDU guard: