Tc-bpdu attack guard, Bpdu dropping, Configuration prerequisites – H3C Technologies H3C WX3000 Series Unified Switches User Manual


With the loop guard function enabled, the root guard function and the edge port configuration are
mutually exclusive.

TC-BPDU attack guard

Normally, a device flushes its MAC address table and ARP entries each time it receives a TC-BPDU. If a
malicious user sends a large number of TC-BPDUs to a device in a short period, the device may be kept
busy flushing the MAC address table and ARP entries, which can disturb spanning tree calculation,
consume a large amount of bandwidth (traffic to flushed addresses is flooded until the entries are
relearned) and raise device CPU utilization.

With the TC-BPDU attack guard function enabled, the device performs the flush upon receiving a
TC-BPDU and starts a timer (10 seconds by default) at the same time. Until the timer expires, the
device performs the flush only a limited number of times (up to six by default), regardless of how
many TC-BPDUs it receives. This mechanism keeps the device from being kept busy flushing the MAC
address table and ARP entries.

Use the stp tc-protection threshold command to set the maximum number of times the device flushes
the MAC address table and ARP entries within one period. As long as the number of TC-BPDUs received
in the period is below this maximum, each TC-BPDU triggers a flush; once the count reaches the
maximum, the device stops flushing for the rest of the period. For example, if the maximum is set to
100 and the device receives 200 TC-BPDUs in one period, the device flushes the MAC address table and
ARP entries only 100 times in that period.
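The following model of the TC-BPDU attack guard is an added example, not H3C code: it shows which BPDUs count as topology-change BPDUs (a TCN BPDU, or a Configuration/RST BPDU with the TC flag set, per IEEE 802.1D/802.1w) and how the 10-second timer and the flush threshold limit the number of MAC/ARP flushes. The class and function names, the simulated timestamps and the sample BPDU bytes are all constructed for the illustration; the actual switch implementation is not described in this detail on the page.

```python
"""Simulation of TC-BPDU attack guard (added example; not the vendor's code).

1. is_tc_bpdu(): does a received STP/RSTP/MSTP BPDU payload signal a topology
   change? Payload layout follows IEEE 802.1D/802.1w (bytes after the LLC header
   0x42 0x42 0x03): Protocol ID (2), Version (1), BPDU Type (1), Flags (1), ...
2. TcGuard: the flush rate limiter. The first TC-BPDU starts a window timer
   (10 s by default); within the window at most `threshold` flushes happen
   (6 by default), however many TC-BPDUs arrive. Names/timestamps are assumed.
"""
from dataclasses import dataclass
from typing import Optional

BPDU_TYPE_CONFIG = 0x00   # 802.1D Configuration BPDU
BPDU_TYPE_RST = 0x02      # RSTP and MSTP BPDUs share this type code
BPDU_TYPE_TCN = 0x80      # Topology Change Notification BPDU
FLAG_TC = 0x01            # bit 0 of the Flags byte: Topology Change


def is_tc_bpdu(payload: bytes) -> bool:
    """Return True if this BPDU would trigger a MAC/ARP flush on receipt."""
    if len(payload) < 4 or payload[0:2] != b"\x00\x00":
        return False  # Protocol ID must be 0x0000 for spanning tree
    bpdu_type = payload[3]
    if bpdu_type == BPDU_TYPE_TCN:
        return True   # a TCN BPDU is a topology change by definition
    if bpdu_type in (BPDU_TYPE_CONFIG, BPDU_TYPE_RST) and len(payload) >= 5:
        return bool(payload[4] & FLAG_TC)
    return False


@dataclass
class TcGuard:
    threshold: int = 6                   # like "stp tc-protection threshold"
    window: float = 10.0                 # guard timer length in seconds
    flushes_done: int = 0                # flushes in the current window
    window_start: Optional[float] = None  # None while no timer is running
    total_flushes: int = 0
    suppressed: int = 0                  # TC-BPDUs that did not cause a flush

    def receive(self, payload: bytes, now: float) -> bool:
        """Process one received BPDU at time `now`; True if a flush was done."""
        if not is_tc_bpdu(payload):
            return False
        if self.window_start is None or now - self.window_start >= self.window:
            # timer not running or expired: open a new window, reset counter
            self.window_start = now
            self.flushes_done = 0
        if self.flushes_done < self.threshold:
            self.flushes_done += 1
            self.total_flushes += 1
            return True
        # limit reached: STP still processes the BPDU, but no flush happens
        self.suppressed += 1
        return False


# Constructed sample BPDU payloads (not captured traffic).
TCN_BPDU = bytes([0x00, 0x00, 0x00, BPDU_TYPE_TCN])
CONFIG_BPDU_TC = bytes([0x00, 0x00, 0x00, BPDU_TYPE_CONFIG, FLAG_TC]) + bytes(30)
CONFIG_BPDU_PLAIN = bytes([0x00, 0x00, 0x00, BPDU_TYPE_CONFIG, 0x00]) + bytes(30)


def simulate_burst(threshold: int, count: int, duration: float) -> int:
    """Send `count` TCN BPDUs spread evenly over `duration` seconds.

    Returns the number of MAC/ARP flushes the guarded device performs.
    """
    guard = TcGuard(threshold=threshold)
    for i in range(count):
        guard.receive(TCN_BPDU, now=i * duration / count)
    return guard.total_flushes


if __name__ == "__main__":
    # The page's own example: threshold 100, 200 TC-BPDUs in one period.
    print("threshold 100, 200 TC-BPDUs in 1 s ->", simulate_burst(100, 200, 1.0), "flushes")
    print("default threshold 6, same burst    ->", simulate_burst(6, 200, 1.0), "flushes")
    print("default threshold, burst over 20 s ->", simulate_burst(6, 200, 20.0), "flushes")
```

Running the script reproduces the page's figure (100 flushes for 200 TC-BPDUs in one period) and shows the default behaviour: six flushes per 10-second window, so a 20-second flood yields twelve. The third call also illustrates why the threshold only bounds the damage per window rather than stopping it: a patient attacker still gets one burst of flushes every time the timer restarts.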

BPDU dropping

In an STP-enabled network, an attacker may send BPDUs to the device continuously in order to disrupt the
network. When the device receives these BPDUs, it forwards them to other devices, so STP calculation is
repeated over and over, which may consume too much CPU on the devices or put the protocol into an
erroneous state.

To avoid this problem, you can enable BPDU dropping on Ethernet ports. Once the function is enabled on
a port, the port neither accepts nor forwards any BPDUs, so the device is protected against BPDU attacks
and the STP calculation stays correct. Because such a port ignores BPDUs entirely, enable the function
only on ports that connect to hosts, not on links to other switches, where it would prevent STP from
detecting a loop through that link.

Configuration Prerequisites

MSTP is running normally on the device.

Configuring BPDU Guard

Configuration procedure

Follow these steps to configure BPDU guard:

To do…               Use the command…    Remarks
Enter system view    system-view
