Configuring TC Protection on a Switch

Context

If an attacker forges TC BPDUs, the switch receives a large number of TC BPDUs within a short period. Frequent deletion of MAC address entries and ARP entries places a heavy load on the switch and puts the network at risk.

TC protection is used to suppress TC BPDUs. The number of TC BPDUs processed by a switch within a given period is configurable. If the number of TC BPDUs received by a switch exceeds the specified threshold within a given period, the switch handles only the specified number of TC BPDUs. The processing of excess TC BPDUs is delayed until after the specified period expires. This prevents the switch from being overburdened by frequent deletion of MAC address entries and ARP entries.

Procedure

  1. Run system-view

    The system view is displayed.

  2. (Optional) Run stp process process-id

    The MSTP process view is displayed.

    Skip this step if you are configuring MSTP process 0.

  3. Run stp tc-protection interval interval-value

    The period within which the device processes the maximum number of TC BPDUs is set.

    By default, the device processes the maximum number of TC BPDUs at an interval of the Hello time.

  4. Run stp tc-protection threshold threshold

    The maximum number of times the MSTP process handles received TC BPDUs and updates forwarding entries within the given period is set.

    Within the time specified by stp tc-protection interval, the switch processes the number of TC BPDUs specified by stp tc-protection threshold. TC BPDUs that exceed this threshold are delayed, so spanning tree convergence may be affected. For example, if the period is set to 10s and the threshold is set to 5, the device processes five TC BPDUs within 10s. After 10s, the device processes subsequent TC BPDUs.
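
The following model of the interval and threshold behavior is an added example, not Huawei code. It assumes fixed windows starting at t=0 and that excess TC BPDUs are handled when the window expires; the function names and the sample arrival times are constructed for illustration.

```python
from collections import Counter

def tc_protection_schedule(arrivals, interval, threshold):
    """Return (arrival, handled_at) in seconds for each TC BPDU.

    Simplified model (assumption, not device code): windows are fixed,
    start at t=0 and last `interval` seconds. The first `threshold`
    TC BPDUs in a window are handled on arrival; the rest are held
    until that window expires.
    """
    seen = Counter()  # TC BPDUs counted so far, per window index
    schedule = []
    for t in sorted(arrivals):
        window = int(t // interval)
        seen[window] += 1
        if seen[window] <= threshold:
            schedule.append((t, t))                        # handled now
        else:
            schedule.append((t, (window + 1) * interval))  # delayed
    return schedule

# Constructed input: 50 forged TC BPDUs, one every 0.2 s from t=0,
# plus one genuine topology change at t=6.5 s during the flood.
FLOOD = [round(i * 0.2, 1) for i in range(50)]
GENUINE_TC = 6.5

def summarize(interval=10, threshold=5):
    sched = tc_protection_schedule(FLOOD + [GENUINE_TC], interval, threshold)
    delayed = [(a, h) for a, h in sched if h > a]
    return {
        "received": len(sched),
        "handled_on_arrival": len(sched) - len(delayed),
        "delayed": len(delayed),
        # Distinct instants at which MAC/ARP entries would be flushed
        "flush_instants": sorted({h for _, h in sched}),
        "worst_delay": max((h - a for a, h in delayed), default=0),
        "genuine_tc_delay": dict(sched)[GENUINE_TC] - GENUINE_TC,
    }

if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

With the interval of 10s and threshold of 5 from step 4, the flood triggers five updates on arrival and the rest at 10s, while the genuine topology change waits 3.5s. That wait is the convergence cost to weigh when choosing the two values.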

Copyright © Huawei Technologies Co., Ltd.