Enabling TC-BPDU guard
When receiving TC BPDUs (the BPDUs used to notify topology changes), a switch flushes its forwarding
address entries. If someone forges TC-BPDUs to attack the switch, the switch will receive a large number of
TC-BPDUs within a short time and be busy with forwarding address entry flushing. This affects network
stability.
With the TC-BPDU guard function, you can set the maximum number of immediate forwarding address
entry flushes that the switch can perform within a certain period of time after receiving the first TC-BPDU.
For TC-BPDUs received in excess of the limit, the switch performs forwarding address entry flush only
when the time period expires. This prevents frequent flushing of forwarding address entries.
To enable TC-BPDU guard:
| To do... | Use the command... | Remarks |
|---|---|---|
| 1. Enter system view | system-view | — |
| 2. Enable the TC-BPDU guard function | stp tc-protection enable | Optional. Enabled by default. |
| 3. Configure the maximum number of forwarding address entry flushes that the device can perform within a specific time period after it receives the first TC-BPDU | stp tc-protection threshold number | Optional. 6 by default. |
NOTE:
HP recommends that you do not disable this feature.
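The flush limiting described in this section, modelled as an added Python example (it is not HP's code and not part of the original guide). The 10-second window, the choice to count the first TC-BPDU toward the limit, and the name tc_guard_flushes are assumptions; the guide says only "a certain period of time".

```python
def tc_guard_flushes(arrivals_ms, threshold=6, window_ms=10_000):
    """Return the times (ms) at which forwarding address entries are flushed.

    arrivals_ms: sorted receive times of TC-BPDUs, in milliseconds.
    threshold:   immediate flushes allowed per window (6 is the guide's default).
    window_ms:   ASSUMED period length; the guide does not give a value.
    Modelling assumption: the first TC-BPDU opens the window and counts
    toward the threshold; all excess TC-BPDUs share one flush at expiry.
    """
    flushes = []
    window_start = None   # receive time of the first TC-BPDU in the window
    immediate = 0         # immediate flushes done in the current window
    deferred = False      # excess TC-BPDUs are waiting for the window to expire

    for t in arrivals_ms:
        if window_start is not None and t >= window_start + window_ms:
            if deferred:  # window expired: one flush covers all excess BPDUs
                flushes.append(window_start + window_ms)
            window_start = None
        if window_start is None:
            window_start, immediate, deferred = t, 0, False
        if immediate < threshold:
            flushes.append(t)
            immediate += 1
        else:
            deferred = True

    if window_start is not None and deferred:
        flushes.append(window_start + window_ms)
    return flushes


# Constructed inputs (not captured traffic).
FLOOD = list(range(1000))        # 1000 forged TC-BPDUs, one per millisecond
NORMAL = [0, 50, 120]            # a few TC-BPDUs from one real topology change

if __name__ == "__main__":
    print("unguarded flushes during flood:", len(FLOOD))
    print("guarded flushes during flood:  ", tc_guard_flushes(FLOOD))
    print("guarded flushes, normal case:  ", tc_guard_flushes(NORMAL))
```

Under these assumptions the flood causes 7 flushes instead of 1000, while the normal case is flushed immediately each time.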
Enabling BPDU drop
In an STP-enabled network, after receiving BPDUs, a device performs STP calculation according to the
received BPDUs and forwards received BPDUs to other devices in the network. This allows malicious
attackers to forge BPDUs to attack the network: By continuously sending forged BPDUs, they can make all
devices in the network perform STP calculations all the time. As a result, problems such as CPU overload
and BPDU protocol status errors occur.
To avoid this problem, you can enable BPDU drop on ports. A BPDU drop-enabled port does not receive
any BPDUs and is invulnerable to forged BPDU attacks.
To enable BPDU drop on an Ethernet interface:
| To do... | Use the command... | Remarks |
|---|---|---|
| 1. Enter system view | system-view | — |
| 2. Enter Ethernet interface view | interface interface-type interface-number | — |
| 3. Enable BPDU drop on the current interface | bpdu-drop any | Required. Disabled by default. |