3Com Switch 8800 Advanced Software V5 Configuration Guide
132 CHAPTER 11: MSTP CONFIGURATION
■ TC-BPDU attack guard
A device removes the corresponding forwarding entries upon receiving a TC-BPDU
(a PDU notifying of a topology change). If a malicious user forges a large number
of TC-BPDUs and sends them to a device in a short period, the device may be kept
busy removing forwarding entries, which degrades the performance of the switch
and introduces potential stability risks.
The TC-BPDU attack guard function protects a switch against this. With this
function enabled, the device removes the forwarding address entries only once
within a specific period (10 seconds) after it receives a TC-BPDU. During that
period, the system monitors whether other TC-BPDUs are received. If so, the
device performs another removal operation after the period elapses. This
prevents forwarding address entries from being removed frequently.
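The guard timing described above can be modelled as follows. This is an added illustration in Python, not code from this guide or from the switch software; the function names and the sample burst are constructed, and it assumes that the deferred removal at the end of a period starts a new 10-second period, which the guide does not state.

```python
GUARD_PERIOD = 10.0  # seconds, the period stated in the guide


def flushes_without_guard(tc_times):
    """Without the guard, every TC-BPDU triggers a forwarding-entry removal."""
    return sorted(tc_times)


def flushes_with_guard(tc_times, period=GUARD_PERIOD):
    """Return the times at which forwarding entries are removed.

    The first TC-BPDU outside any guard period flushes immediately and
    opens a period. TC-BPDUs arriving inside the period are only noted;
    if any were noted, one more flush happens when the period elapses.
    Assumption (not stated in the guide): that deferred flush opens a
    new period, so later TC-BPDUs keep being coalesced.
    """
    flushes = []
    window_end = None   # end of the current guard period, if any
    pending = False     # was a TC-BPDU seen inside the current period?
    for t in sorted(tc_times):
        # Close every period that ended before this TC-BPDU arrived.
        while window_end is not None and t >= window_end:
            if pending:
                flushes.append(window_end)   # deferred flush at expiry
                window_end += period         # assumed new period
                pending = False
            else:
                window_end = None            # guard goes idle
        if window_end is None:
            flushes.append(t)                # immediate flush
            window_end = t + period
        else:
            pending = True                   # coalesce into deferred flush
    if pending:
        flushes.append(window_end)           # final deferred flush
    return flushes


def constructed_burst(count=400, start=0.0, spacing=0.0625):
    """Constructed sample: `count` TC-BPDUs arriving `spacing` seconds apart."""
    return [start + i * spacing for i in range(count)]
```

For the constructed 25-second burst of 400 TC-BPDUs, the unguarded model performs 400 removals while the guarded model performs 4.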
Configuration Prerequisites
MSTP has been correctly configured on the device.
Enabling the BPDU Guard Function
Note: We recommend that you enable the BPDU guard function.
Configuration procedure
Follow these steps to enable the BPDU guard function:
To do...                                       Use the command...    Remarks
Enter system view                              system-view           -
Enable the BPDU guard function for the device  stp bpdu-protection   Required. Disabled by default.
Configuration example
# Enable the BPDU guard function.
<Sysname> system-view
[Sysname] stp bpdu-protection
Enabling the Root Guard Function
Note: We recommend that you enable the root guard function.
Configuration procedure
Follow these steps to enable the root guard function:
To do...                                       Use the command...    Remarks
Enter system view                              system-view           -