Enabling bpdu drop, Displaying and maintaining spanning tree protocols – H3C Technologies H3C WX5500E Series Access Controllers User Manual

Step | Command | Remarks
--- | --- | ---
3. Configure the maximum number of forwarding address entry flushes that the device can perform every 10 seconds. | stp tc-protection threshold number | Optional. The default setting is 6.

Enabling BPDU drop

In a spanning tree network, after receiving BPDUs, the device performs STP calculations according to the received BPDUs and forwards received BPDUs to other devices in the network. This allows malicious attackers to attack the network by forging BPDUs. By continuously sending forged BPDUs, an attacker could make all devices in the network perform STP calculations all the time. As a result, the CPU becomes overloaded and BPDU protocol status errors occur.

To avoid this problem, you can enable BPDU drop on ports. A BPDU drop-enabled port does not receive any BPDUs and is invulnerable to forged BPDU attacks.

A port with BPDU drop enabled also drops 802.1X packets. Therefore, do not enable both BPDU drop and 802.1X on the same port. For more information about 802.1X, see Security Configuration Guide.

To enable BPDU drop on an Ethernet interface:

Step | Command | Remarks
--- | --- | ---
1. Enter system view. | system-view | N/A
2. Enter Ethernet interface view. | interface interface-type interface-number | N/A
3. Enable BPDU drop on the current interface. | bpdu-drop any | By default, BPDU drop is disabled.
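The restriction above (a BPDU drop-enabled port also discards 802.1X packets) is easy to violate when ports are reconfigured later. As an added example that is not part of this manual, the following Python script audits a Comware-style configuration text and reports interfaces that carry both `bpdu-drop any` and per-port 802.1X; the sample configuration is constructed, and the interface block layout and the `dot1x` interface keyword are assumptions about the device syntax.

```python
import re

# Constructed sample of a Comware-style running configuration, not taken from
# the manual. "bpdu-drop any" is documented there; the per-port "dot1x" keyword
# and the block layout are assumptions about the device syntax.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet1/0/1
 port link-type access
 bpdu-drop any
#
interface GigabitEthernet1/0/2
 port link-type access
 dot1x
 bpdu-drop any
#
interface GigabitEthernet1/0/3
 dot1x
#
"""

def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for each interface block."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None  # a lone "#" closes a block in Comware output
            continue
        match = re.match(r"^interface\s+(\S+)$", line)
        if match:
            current = match.group(1)
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks

def find_bpdu_drop_conflicts(config):
    """Ports combining 'bpdu-drop any' with 802.1X (BPDU drop also discards 802.1X)."""
    conflicts = []
    for name, lines in parse_interfaces(config).items():
        has_drop = "bpdu-drop any" in lines
        has_dot1x = any(l == "dot1x" or l.startswith("dot1x ") for l in lines)
        if has_drop and has_dot1x:
            conflicts.append(name)
    return conflicts

print(find_bpdu_drop_conflicts(SAMPLE_CONFIG))  # ['GigabitEthernet1/0/2']
```

Run it against a saved `display current-configuration` text instead of SAMPLE_CONFIG to check a real device; any reported port will fail 802.1X authentication until one of the two features is removed.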

Displaying and maintaining spanning tree protocols

Task | Command | Remarks
--- | --- | ---
Display information about ports blocked by spanning tree protection functions. | display stp abnormal-port [ \| { begin \| exclude \| include } regular-expression ] | Available in any view.
Display BPDU statistics on ports. | display stp bpdu-statistics [ interface interface-type interface-number [ instance instance-id ] ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view.
Display information about ports shut down by spanning tree protection functions. | display stp down-port [ \| { begin \| exclude \| include } regular-expression ] | Available in any view.
Display the historical information of port role calculation for the specified MSTI or all MSTIs. | display stp [ instance instance-id \| vlan vlan-id ] history [ \| { begin \| exclude \| include } regular-expression ] | Available in any view.
