3com 5500-ei pwr Instruccion De Instalación
1-38
period, the switch may be busy in removing the MAC address table and ARP entries, which may affect
spanning tree calculation, occupy large amount of bandwidth and increase switch CPU utilization.
spanning tree calculation, occupy large amount of bandwidth and increase switch CPU utilization.
With the TC-BPDU attack guard function enabled, a switch performs a removing operation upon
receiving a TC-BPDU and triggers a timer (set to 10 seconds by default) at the same time. Before the
timer expires, the switch only performs the removing operation for limited times (up to six times by
default) regardless of the number of the TC-BPDUs it receives. Such a mechanism prevents a switch
from being busy in removing the MAC address table and ARP entries.
receiving a TC-BPDU and triggers a timer (set to 10 seconds by default) at the same time. Before the
timer expires, the switch only performs the removing operation for limited times (up to six times by
default) regardless of the number of the TC-BPDUs it receives. Such a mechanism prevents a switch
from being busy in removing the MAC address table and ARP entries.
You can use the stp tc-protection threshold command to set the maximum times for a switch to
remove the MAC address table and ARP entries in a specific period. When the number of the
TC-BPDUs received within a period is less than the maximum times, the switch performs a removing
operation upon receiving a TC-BPDU. After the number of the TC-BPDUs received reaches the
maximum times, the switch stops performing the removing operation. For example, if you set the
maximum times for a switch to remove the MAC address table and ARP entries to 100 and the switch
receives 200 TC-BPDUs in the period, the switch removes the MAC address table and ARP entries for
only 100 times within the period.
remove the MAC address table and ARP entries in a specific period. When the number of the
TC-BPDUs received within a period is less than the maximum times, the switch performs a removing
operation upon receiving a TC-BPDU. After the number of the TC-BPDUs received reaches the
maximum times, the switch stops performing the removing operation. For example, if you set the
maximum times for a switch to remove the MAC address table and ARP entries to 100 and the switch
receives 200 TC-BPDUs in the period, the switch removes the MAC address table and ARP entries for
only 100 times within the period.
Configuration prerequisites
MSTP runs normally on the switch.
Configuration procedure
Follow these steps to configure the TC-BPDU attack guard function:
To do...
Use the command...
Remarks
Enter system view
system-view
—
Enable the TC-BPDU attack
guard function
guard function
stp tc-protection enable
Required
The TC-BPDU attack guard
function is disabled by default.
The TC-BPDU attack guard
function is disabled by default.
Set the maximum times that a
switch can remove the MAC
address table and ARP entries
within each 10 seconds
switch can remove the MAC
address table and ARP entries
within each 10 seconds
stp tc-protection threshold
number
number
Optional
Configuration example
# Enable the TC-BPDU attack guard function
<Sysname> system-view
[Sysname] stp tc-protection enable
# Set the maximum times for the switch to remove the MAC address table and ARP entries within 10
seconds to 5.
seconds to 5.
<Sysname> system-view
[Sysname] stp tc-protection threshold 5
Configuring BPDU Dropping
In a STP-enabled network, some users may send BPDU packets to the switch continuously in order to
destroy the network. When a switch receives the BPDU packets, it will forward them to other switches.
destroy the network. When a switch receives the BPDU packets, it will forward them to other switches.