Configuration example, Configuring tc-bpdu attack guard, Configuration prerequisites – H3C Technologies H3C S3100 Series Switches User Manual

Page 257: Configuration procedure


Configuration example

# Enable the loop guard function on Ethernet 1/0/1.

<Sysname> system-view

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] stp loop-protection

Configuring TC-BPDU Attack Guard

Normally, a switch clears its MAC address table and ARP entries whenever it receives a Topology Change
BPDU (TC-BPDU). If a malicious user sends a large number of TC-BPDUs to a switch in a short
period, the switch may be kept busy clearing its MAC address table and ARP entries, which can disrupt
spanning tree calculation, consume a large amount of bandwidth and raise switch CPU utilization.

With the TC-BPDU attack guard function enabled, a switch performs the clearing operation upon
receiving a TC-BPDU and starts a timer (10 seconds by default) at the same time. Before the
timer expires, the switch performs the clearing operation only a limited number of times (up to six by
default), regardless of how many TC-BPDUs it receives. This mechanism prevents the switch
from being kept busy clearing the MAC address table and ARP entries.

You can use the stp tc-protection threshold command to set the maximum number of times the switch
clears the MAC address table and ARP entries within a period. While the number of TC-BPDUs
received in the period is below this maximum, the switch performs a clearing operation for each
TC-BPDU it receives. Once the number of TC-BPDUs received reaches the maximum, the switch stops
clearing for the remainder of the period. For example, if you set the maximum number of times the
switch clears the MAC address table and ARP entries to 100 and the switch receives 200 TC-BPDUs in
the period, the switch clears the MAC address table and ARP entries only 100 times within that period.
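The rate-limiting behaviour described above, as an added simulation that is not part of the H3C manual: a constructed burst of 200 TC-BPDUs inside one 10-second window, followed by one legitimate TC-BPDU later, is replayed against the guard with it disabled, at the default threshold of 6, and at a threshold of 100. The restart-on-expiry timer model and the `TcGuard`/`simulate` names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TcGuard:
    """Model of the TC-BPDU attack guard: at most `threshold` table clears per window."""
    enabled: bool = True
    threshold: int = 6        # stp tc-protection threshold (default 6)
    window: float = 10.0      # guard timer in seconds (default 10)
    window_start: Optional[float] = None
    clears_in_window: int = 0
    total_clears: int = 0
    suppressed: int = 0

    def on_tc_bpdu(self, now: float) -> bool:
        """Return True if this TC-BPDU triggers a MAC/ARP clear, False if it is suppressed."""
        if not self.enabled:
            self.total_clears += 1          # unprotected switch clears on every TC-BPDU
            return True
        # Assumption: the timer is (re)started by the first TC-BPDU seen after it expires.
        if self.window_start is None or now - self.window_start >= self.window:
            self.window_start = now
            self.clears_in_window = 0
        if self.clears_in_window < self.threshold:
            self.clears_in_window += 1
            self.total_clears += 1
            return True
        self.suppressed += 1                # threshold reached: ignore until the timer expires
        return False


def simulate(timestamps: List[float], enabled: bool = True, threshold: int = 6) -> Tuple[int, int]:
    """Replay TC-BPDU arrival times; return (clears performed, TC-BPDUs suppressed)."""
    guard = TcGuard(enabled=enabled, threshold=threshold)
    for t in timestamps:
        guard.on_tc_bpdu(t)
    return guard.total_clears, guard.suppressed


# Constructed input: 200 TC-BPDUs 50 ms apart (all within 10 s), then one genuine change at t=25 s.
BURST = [i * 0.05 for i in range(200)] + [25.0]

if __name__ == "__main__":
    print("guard disabled   :", simulate(BURST, enabled=False))   # every TC-BPDU clears the tables
    print("threshold 6      :", simulate(BURST, threshold=6))     # 6 clears in the burst + 1 later
    print("threshold 100    :", simulate(BURST, threshold=100))   # the manual's 200-in, 100-cleared case
```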

Configuration prerequisites

MSTP runs normally on the switch.

Configuration procedure

Follow these steps to configure the TC-BPDU attack guard function:

To do... | Use the command... | Remarks
--- | --- | ---
Enter system view | system-view | -
Enable the TC-BPDU attack guard function | stp tc-protection enable | Required. The TC-BPDU attack guard function is disabled by default.
Set the maximum number of times that a switch can clear the MAC address table and ARP entries within each 10 seconds | stp tc-protection threshold number | Optional

Configuration example

# Enable the TC-BPDU attack guard function

<Sysname> system-view

[Sysname] stp tc-protection enable
