
Configuring TC Protection on the Switch

Context

When attackers send bogus TC BPDUs to attack the switch, the switch receives a large number of TC BPDUs within a short time. The switch then deletes MAC address entries and ARP entries frequently, which burdens it heavily and puts the network at risk.

TC protection is used to suppress TC BPDUs. You can set the number of times the switch processes TC BPDUs within a given time period. If the number of TC BPDUs that the switch receives within that period exceeds the specified threshold, the switch processes TC BPDUs only the specified number of times. After the threshold is reached, the switch processes the excess TC BPDUs together, one time only. For example, the period is set to 10s and the threshold is set to 5. The switch processes the first five TC BPDUs it receives within 10s. After the 10s have elapsed, the switch processes the subsequent TC BPDUs. In this way, the switch does not need to frequently delete MAC entries and ARP entries.
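The following is an added example, not part of the original page and not Huawei's implementation: a simplified Python model of the behavior described above, using the page's values (10s period, threshold 5). It assumes the timer is a fixed window that starts at the first TC BPDU received after the previous window ended; the function names and the flood input are constructed for illustration.

```python
# Simplified model of TC protection (added example, not vendor code).
# Assumption: the timer is a fixed window starting at the first TC BPDU seen
# after the previous window ended; excess TC BPDUs in a window are coalesced
# into a single MAC/ARP flush when that window expires.

def flushes_without_protection(arrivals):
    """Without protection, every TC BPDU triggers a MAC/ARP flush."""
    return sorted(arrivals)

def flushes_with_protection(arrivals, interval=10.0, threshold=5):
    """Return the times at which the modelled switch flushes MAC/ARP entries."""
    flushes = []
    window_start = None
    handled = 0        # TC BPDUs processed immediately in the current window
    deferred = False   # True once an excess TC BPDU is waiting for expiry
    for t in sorted(arrivals):
        # Close the current window if this arrival falls past its end.
        if window_start is not None and t >= window_start + interval:
            if deferred:
                flushes.append(window_start + interval)  # one coalesced flush
            window_start = None
        if window_start is None:
            window_start, handled, deferred = t, 0, False
        if handled < threshold:
            handled += 1
            flushes.append(t)      # processed immediately
        else:
            deferred = True        # suppressed until the window expires
    if window_start is not None and deferred:
        flushes.append(window_start + interval)
    return flushes

# Constructed input: 200 bogus TC BPDUs, one every 50 ms, starting at t = 0.
FLOOD = [i * 0.05 for i in range(200)]

if __name__ == "__main__":
    print(len(flushes_without_protection(FLOOD)), "flushes without protection")
    print(flushes_with_protection(FLOOD), "flush times with protection")
```

In this model the flood causes 200 flushes without protection and 6 with it: five immediate ones and one coalesced flush when the 10s window expires.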

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure either or both of the following parameters.

    • Run stp tc-protection interval interval-value

      The time taken by the switch to process the maximum number of TC BPDUs is 10s.

      By default, the time is the Hello timer length.

    • Run stp tc-protection threshold threshold

      The maximum number of TC BPDUs processed by the switch in a given time is set.

      By default, the switch handles TC BPDUs and updates forwarding entries 1 time within a unit time.

    Within the time specified by stp tc-protection interval, the switch processes the number of TC BPDUs specified by stp tc-protection threshold. Other packets are delayed, so convergence may be affected.

Copyright © Huawei Technologies Co., Ltd.