| To do… | Use the command… | Remarks |
|---|---|---|
| Enter Ethernet interface view or port group view | Enter Ethernet interface view: interface interface-type interface-number; enter port group view: port-group { manual port-group-name \| aggregation agg-id } | Required. Use either command. Configurations made in Ethernet interface view will take effect on the current port only; configurations made in port group view will take effect on all ports in the port group. |
| Enable the loop guard function for the port(s) | stp loop-protection | Required. Disabled by default |

Enabling TC-BPDU Attack Guard

When the device receives a TC-BPDU (a PDU used as notification of topology change), it deletes the corresponding forwarding address entries. If someone forges TC-BPDUs to attack the device, the device receives a large number of TC-BPDUs within a short time, and the frequent deletion operations place a heavy burden on the device and endanger network stability.

With the TC-BPDU guard function enabled, the device limits the number of times it immediately deletes forwarding address entries within 10 seconds after it receives TC-BPDUs to the value set with the stp tc-protection threshold command (assume the value is X). At the same time, the system monitors whether the number of TC-BPDUs received within that period is larger than X. If so, the device performs one more deletion operation after that period elapses. This prevents frequent deletion of forwarding address entries.

Follow these steps to enable TC-BPDU attack guard:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enable the TC-BPDU attack guard function | stp tc-protection enable | Optional. Enabled by default |
| Configure the maximum number of times the device deletes forwarding address entries within a certain period of time immediately after it receives TC-BPDUs | stp tc-protection threshold number | Optional. 6 by default |

Note: We recommend that you keep this feature enabled.

Displaying and Maintaining MSTP
| To do… | Use the command… | Remarks |
|---|---|---|
| View the information about abnormally blocked ports | display stp abnormal-port | Available in any view |
| View the information about ports blocked by STP protection actions | display stp down-port | Available in any view |
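
The TC-BPDU attack guard rule described under Enabling TC-BPDU Attack Guard can be modelled to see how it bounds forwarding-entry deletions during a flood. This Python model is an added example, not vendor code; the function names, the constructed arrival times and the way the 10-second period is anchored are assumptions.

```python
WINDOW = 10.0  # seconds: the period named in the text above

def flush_times(arrivals, threshold=6, guard=True):
    """Return the times at which forwarding address entries are deleted.

    arrivals: sorted TC-BPDU receive times in seconds.
    threshold: X, the value set with stp tc-protection threshold (6 by default).
    Assumption: a 10-second period starts at the first TC-BPDU received while
    no period is running; the text does not say how the period is anchored.
    """
    if not guard:
        return list(arrivals)  # unguarded: every TC-BPDU deletes entries
    flushes, start, received = [], None, 0

    def close_period():
        # More than X TC-BPDUs in the period: one deferred deletion at its end.
        if received > threshold:
            flushes.append(start + WINDOW)

    for t in arrivals:
        if start is not None and t >= start + WINDOW:
            close_period()
            start = None
        if start is None:
            start, received = t, 0
        received += 1
        if received <= threshold:
            flushes.append(t)  # immediate deletion, allowed up to X times
    if start is not None:
        close_period()
    return flushes

def summarize(arrivals, threshold=6):
    """Compare deletion counts with the guard off and on."""
    return {
        "tc_bpdus": len(arrivals),
        "deletions_unguarded": len(flush_times(arrivals, threshold, guard=False)),
        "deletions_guarded": len(flush_times(arrivals, threshold)),
    }

# Constructed input: 1000 forged TC-BPDUs per second for 30 seconds.
FLOOD = [i / 1000 for i in range(30_000)]
# Constructed input: three genuine topology changes, well spaced.
NORMAL = [5.0, 80.0, 200.0]

if __name__ == "__main__":
    print("flood :", summarize(FLOOD))
    print("normal:", summarize(NORMAL))
```

Under this model the guard caps deletions at X + 1 per 10-second period regardless of the TC-BPDU rate, while well-spaced genuine topology changes are still handled immediately.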