# Set the maximum number of times the switch can remove MAC address table entries and ARP entries 
within 10 seconds to 5. 
<Sysname> system-view 
[Sysname] stp tc-protection threshold 5 
Configuring BPDU Dropping 
In an STP-enabled network, attackers may send BPDUs to switches continuously in order to disrupt the 
network. When a switch receives BPDUs, it forwards them to other switches. As a result, STP 
calculation is performed repeatedly, which may consume excessive CPU resources on the switches or 
cause errors in the protocol state of the BPDUs.  
To address this threat, you can enable BPDU dropping on Ethernet ports of the switches. With BPDU 
dropping enabled, a port will not receive or forward any BPDUs. In this way, switches are protected 
against forged BPDU attacks, thus ensuring correct STP calculation.  
 
 
You can enable BPDU dropping on ports that need not receive or forward BPDUs, for example, edge 
ports. 
 
Configuration Prerequisites 
MSTP runs normally on the switch. 
Configuration procedure 
Follow these steps to configure BPDU dropping: 
To do...                   Use the command...         Remarks
Enter system view          system-view                —
Enter Ethernet port view   interface interface-name   —
Enable BPDU dropping       bpdu-drop any              Required
                                                      BPDU dropping is disabled by default.
 
Configuration example 
# Enable BPDU dropping on Ethernet 1/0/1.  
<Sysname> system-view 
[Sysname] interface Ethernet 1/0/1 
[Sysname-Ethernet1/0/1] bpdu-drop any
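
The following Python check is an added example, not part of the original manual: it reads a saved switch configuration and lists the edge ports that do not have bpdu-drop any configured. The stanza layout of the constructed sample and the stp edged-port enable line used to recognise edge ports are assumptions; adjust both to match the output of your device.

```python
# Constructed sample in the style of a saved configuration. The stanza layout
# and the "stp edged-port enable" line are assumptions, not text from this page.
SAMPLE_CONFIG = """\
#
interface Ethernet1/0/1
 stp edged-port enable
 bpdu-drop any
#
interface Ethernet1/0/2
 stp edged-port enable
#
interface Ethernet1/0/3
 port link-type trunk
#
"""

EDGE_MARKER = "stp edged-port enable"   # assumed marker for an edge port
DROP_COMMAND = "bpdu-drop any"          # command documented on this page


def parse_interfaces(config_text):
    """Return {interface name: [stripped config lines]} for each interface stanza."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        indented = raw[:1] in (" ", "\t")
        line = raw.strip()
        if not indented and line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif indented and current is not None:
            stanzas[current].append(line)
        else:
            current = None  # "#" separator or another top-level line ends the stanza
    return stanzas


def edge_ports_without_bpdu_drop(config_text):
    """List edge ports whose stanza has no exact 'bpdu-drop any' line."""
    return [name for name, lines in parse_interfaces(config_text).items()
            if EDGE_MARKER in lines and DROP_COMMAND not in lines]


if __name__ == "__main__":
    for port in edge_ports_without_bpdu_drop(SAMPLE_CONFIG):
        print(f"{port}: edge port without BPDU dropping")
```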