H3C LS-3100-52P-OVS-H3 Operation Manual - page 275
A device maintains the state of its root port and blocked ports by continuously receiving BPDUs from the upstream device. If link congestion or a unidirectional link failure stops those BPDUs from arriving, the downstream device reselects its port roles: ports in the forwarding state that no longer receive upstream BPDUs become designated ports, and the blocked ports transition to the forwarding state, creating loops in the switched network. The loop guard function suppresses such loops.
If a loop guard-enabled port that took part in STP calculation stops receiving BPDUs from the upstream device, all the instances on the port, regardless of the role the port plays, are set to the Discarding state and stay there.
Follow these steps to enable loop guard:
1. Enter system view.
   Command: system-view
2. Enter Ethernet interface view or Layer-2 aggregate interface view, or enter port group view.
   Command: interface interface-type interface-number
   or: port-group manual port-group-name
   Remarks: Required. Use either command. Configurations made in interface view take effect on the current port only; configurations made in port group view take effect on all ports in the port group.
3. Enable the loop guard function for the port(s).
   Command: stp loop-protection
   Remarks: Required. Disabled by default.
Enabling TC-BPDU Attack Guard
When it receives a TC-BPDU (a BPDU used as notification of a topology change), the device refreshes its forwarding address entries. If an attacker forges TC-BPDUs, the device receives a large number of TC-BPDUs within a short time, and the resulting frequent refresh operations place a heavy burden on the device and jeopardize network stability.
With the TC-BPDU guard function enabled, the device limits the number of times it immediately refreshes forwarding address entries within 10 seconds after receiving the first TC-BPDU to the value set with the stp tc-protection threshold command (call this value X). At the same time, the device monitors whether the number of TC-BPDUs received within that period exceeds X. If it does, the device performs one more refresh operation after the period elapses, so the excess TC-BPDUs are handled by a single refresh rather than one refresh each. This prevents frequent refreshing of forwarding address entries.
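To make the throttle concrete, the following Python model (added here as an illustration; it is not H3C code and does not reproduce the switch's internal implementation) replays bursts of TC-BPDUs against the rule stated above: at most X immediate refreshes within 10 seconds of the first TC-BPDU, then one deferred refresh after the window closes if more than X arrived in it. The class and function names, the sample arrival times and the settle_at parameter are constructed for the example.

```python
"""Model of the TC-BPDU attack guard throttle described in this section.

Hypothetical simulation for illustration only; it is not H3C code. It
follows only the behaviour the text states: at most X immediate refreshes
in the 10 seconds after the first TC-BPDU, plus one deferred refresh after
the window closes if more than X TC-BPDUs arrived in it.
"""
from dataclasses import dataclass, field
from typing import List, Optional

WINDOW_SECONDS = 10.0  # fixed monitoring period stated in the text
DEFAULT_THRESHOLD = 6  # default of 'stp tc-protection threshold'


@dataclass
class TcGuardModel:
    """Tracks forwarding-entry refreshes triggered by received TC-BPDUs."""

    enabled: bool = True
    threshold: int = DEFAULT_THRESHOLD
    _window_start: Optional[float] = None
    _tc_in_window: int = 0
    refresh_times: List[float] = field(default_factory=list)

    def receive_tc_bpdu(self, now: float) -> None:
        """Process one TC-BPDU arriving at time `now` (seconds)."""
        if not self.enabled:
            # Guard disabled: every TC-BPDU triggers an immediate refresh,
            # which is exactly what a forged-TC-BPDU flood exploits.
            self.refresh_times.append(now)
            return
        self.advance_clock(now)
        if self._window_start is None:
            # The first TC-BPDU opens a new 10 s monitoring window.
            self._window_start = now
            self._tc_in_window = 0
        self._tc_in_window += 1
        if self._tc_in_window <= self.threshold:
            # Within the quota X: refresh immediately.
            self.refresh_times.append(now)
        # Beyond the quota: the BPDU is counted but causes no refresh now.

    def advance_clock(self, now: float) -> None:
        """Move the clock to `now`; closes the window once it has expired."""
        if self._window_start is None:
            return
        window_end = self._window_start + WINDOW_SECONDS
        if now >= window_end:
            if self._tc_in_window > self.threshold:
                # Excess TC-BPDUs collapse into one refresh after the window.
                self.refresh_times.append(window_end)
            self._window_start = None
            self._tc_in_window = 0


def refreshes_for_burst(count: int, spacing: float, enabled: bool = True,
                        threshold: int = DEFAULT_THRESHOLD,
                        settle_at: float = 2 * WINDOW_SECONDS) -> int:
    """Return how many refreshes `count` TC-BPDUs `spacing` seconds apart cause.

    The clock is advanced to `settle_at` (constructed parameter) afterwards so
    that any deferred refresh owed for an overfull window is counted.
    """
    model = TcGuardModel(enabled=enabled, threshold=threshold)
    for i in range(count):
        model.receive_tc_bpdu(i * spacing)
    model.advance_clock(settle_at)
    return len(model.refresh_times)


if __name__ == "__main__":
    # Constructed scenarios: a forged-TC-BPDU flood (100 BPDUs in 5 s)
    # versus three genuine topology changes one second apart.
    print("flood, guard off   :", refreshes_for_burst(100, 0.05, enabled=False))
    print("flood, guard on    :", refreshes_for_burst(100, 0.05))
    print("flood, threshold 10:", refreshes_for_burst(100, 0.05, threshold=10))
    print("3 genuine TCs      :", refreshes_for_burst(3, 1.0))
```

Running it shows 100 forged TC-BPDUs in five seconds costing 100 refreshes with the guard disabled but only 7 (6 immediate plus 1 deferred) with the default threshold, while three genuine topology changes a second apart still cause three immediate refreshes, so the guard does not delay normal convergence. A flood that outlasts the window simply repeats the pattern per window.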
Follow these steps to enable TC-BPDU attack guard:
1. Enter system view.
   Command: system-view
2. Enable the TC-BPDU attack guard function.
   Command: stp tc-protection enable
   Remarks: Optional. Enabled by default.
3. Configure the maximum number of times the device refreshes forwarding address entries within a certain period of time (10 seconds) immediately after it receives the first TC-BPDU.
   Command: stp tc-protection threshold number
   Remarks: Optional. 6 by default.