H3C S7500E Series Ethernet Switches Operation Manual

Operation Manual – MSTP
Chapter 1 MSTP Configuration
Note:
It is recommended that you enable the loop guard feature on your device.
Follow these steps to enable loop guard:
| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | `system-view` | |
| Enter Ethernet interface view or port group view: enter Ethernet interface view | `interface interface-type interface-number` | Required. Use either command. Configurations made in Ethernet interface view will take effect on the current port only; configurations made in port group view will take effect on all ports in the port group. |
| Enter Ethernet interface view or port group view: enter port group view | `port-group { manual port-group-name \| aggregation agg-id }` | (same as above) |
| Enable the loop guard function for the port(s) | `stp loop-protection` | Required. Disabled by default. |
1.8.5 Enabling TC-BPDU Attack Guard
When the device receives a TC-BPDU (a PDU used to notify of a topology change), it
deletes the corresponding forwarding address entries. If someone forges TC-BPDUs to
attack the device, the device receives a large number of TC-BPDUs within a short
time, and the frequent deletion operations place a heavy burden on the device and
endanger network stability.
With the TC-BPDU guard function enabled, the device limits the number of times it
immediately deletes forwarding address entries within 10 seconds after it receives
TC-BPDUs to the value set with the stp tc-protection threshold command (assume the
value is X). At the same time, the system monitors whether the number of TC-BPDUs
received within that period is larger than X. If so, the device performs one more
deletion operation after that period elapses. This prevents frequent deletion of
forwarding address entries.
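The throttling described above can be modelled in a few lines. The following Python sketch is an added illustration, not H3C code; it assumes the 10-second period opens at the first TC-BPDU received while no period is open, and the threshold and arrival times are constructed sample values.

```python
# Added illustration: a model of the TC-BPDU guard behaviour described above.
# Not H3C code. Arrival times and the threshold are constructed sample values.

WINDOW = 10.0  # seconds, the period stated in the manual


def flush_times(tc_times, threshold):
    """Return the times at which forwarding address entries are deleted.

    tc_times  -- sorted arrival times (seconds) of received TC-BPDUs
    threshold -- X, the value set with `stp tc-protection threshold`
    Assumption: a period opens at the first TC-BPDU seen while none is open.
    """
    flushes = []
    start = None   # start time of the open period, if any
    received = 0   # TC-BPDUs counted in the open period

    def close_period():
        # More than X TC-BPDUs in the period: one deferred deletion at its end.
        if received > threshold:
            flushes.append(start + WINDOW)

    for t in tc_times:
        if start is not None and t >= start + WINDOW:
            close_period()
            start = None
        if start is None:
            start, received = t, 0
        received += 1
        if received <= threshold:
            flushes.append(t)  # immediate deletion, at most X per period
    if start is not None:
        close_period()
    return flushes


if __name__ == "__main__":
    flood = [i / 100 for i in range(3000)]   # constructed: 100 TC-BPDUs/s for 30 s
    print("unguarded deletions:", len(flood))
    print("guarded deletions:  ", len(flush_times(flood, threshold=6)))
```

Under this model a sustained flood costs at most X + 1 deletions per 10-second period, while a topology change that produces no more than X TC-BPDUs is handled without delay.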
Follow these steps to enable TC-BPDU attack guard:
| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | `system-view` | |
| Enable the TC-BPDU attack guard function | `stp tc-protection enable` | Optional. Enabled by default. |