Configuring TC Protection on a Device

After Topology Change (TC) protection is enabled, you can set the number of times for a Multiple Spanning Tree Protocol (MSTP) process to process TC-BPDUs within a specified time. TC protection avoids frequent deletion of MAC address entries and ARP entries, thereby protecting devices.

Context

An attacker may send pseudo TC-BPDUs to attack devices. Devices receive a large number of TC BPDUs in a short time and delete entries frequently, which burdens system processing and degrades network stability.

TC protection is used to suppress TC-BPDUs. The number of times that TC-BPDUs are processed by a device within a specified time is configurable. If the number of TC-BPDUs that the device receives within a specified time exceeds the specified threshold, the device handles TC-BPDUs only for the specified number of times. Excessive TC-BPDUs are processed by the device as a whole for once after the timer (that is, the specified time period) expires. This protects the device from frequently deleting MAC entries and ARP entries, thus avoiding over-burdened.

Procedure

  1. Run system-view

    The system view is displayed.

  2. (Optional) Run stp process process-id

    The MSTP process view is displayed.

    This step is needed only when you perform configurations in an MSTP process with a non-zero ID. If you perform configurations in the MSTP process 0, skip is step.

  3. Run stp tc-protection

    TC protection is enabled for the MSTP process.

  4. Run either or both of the following commands to configure TC protection parameters.

    • To set the time for a device to process the maximum number of TC BPDUs, run the stp tc-protection interval interval-value command.
    • To set the maximum number of TC BPDUs that a device processes within a specified period, run the stp tc-protection threshold threshold command.

    • There are two TC protection parameters: time needed to process the maximum number of TC BPDUs and the maximum number of TC BPDUs processed within a specified period. For example, if the time is set to 10 seconds and the maximum number is set to 5, when a device receives TC BPDUs, the device processes only the first 5 TC BPDUs within 10 seconds and processes the other TC BPDUs after the time expires.

    • The device processes only the maximum number of TC BPDUs specified in the stp tc-protection threshold command within the time specified in the stp tc-protection interval command. The processing of other TC BPDUs is delayed, which may slow down spanning tree convergence.

  5. Run commit

    The configuration is committed.

Parent Topic: Configuring MSTP Protection Functions
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >