Configuring TC Protection on a Switching Device
Context
If an attacker sends a large number of malicious TC BPDUs to a switching device within a short period, the device will constantly delete MAC address entries and ARP entries. This wastes resources on the device and threatens network stability.
To suppress TC BPDUs, enable TC protection on a switching device and set the maximum number of TC BPDUs that the device can process within a given time period. If the number of TC BPDUs that the switching device receives within that time period exceeds the specified threshold, the switching device processes only the specified number of TC BPDUs. After the time period expires, the switching device processes all the excess TC BPDUs together. This function prevents the switching device from frequently deleting MAC entries and ARP entries.
Procedure
- Run:
system-view
The system view is displayed.
- Run:
stp tc-protection interval interval-value
The time period during which the device processes the maximum number of TC BPDUs is set.
By default, the time period is the same as the Hello timer interval.
- Run:
stp tc-protection threshold threshold
The maximum number of TC BPDUs the switching device can process within a specified time period is set.
By default, the device processes only one TC BPDU within a specified time period.
The switch processes TC BPDUs only up to the maximum specified by the stp tc-protection threshold command within the time period specified by the stp tc-protection interval command. Other TC BPDUs are processed after a delay, so spanning tree convergence is slower. For example, if the time period is set to 10 seconds and the maximum number of TC BPDUs is set to 5, the switch processes only the first five TC BPDUs within 10 seconds. Subsequent TC BPDUs are processed together after a 10 second delay.
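The rate-limiting behaviour described above, modelled in Python as an added example (not vendor code), so that the effect of the interval and threshold settings on the number of MAC/ARP flushes can be checked against a burst of TC BPDU arrivals. It assumes that the time period opens when the first TC BPDU arrives and that the deferred BPDUs are handled once, when that period expires.

```python
def simulate_tc_protection(arrivals, interval=2.0, threshold=1):
    """Model of STP TC protection (assumption-based, not vendor code).

    arrivals:  arrival times in seconds of TC BPDUs received by the switch.
    interval:  stp tc-protection interval (default mirrors the Hello timer, 2 s).
    threshold: stp tc-protection threshold (default: one TC BPDU per period).
    Returns a list of (time, bpdus_handled) events; each event is one point at
    which the switch acts on TC BPDUs, i.e. one MAC/ARP table flush.
    """
    events = []
    window_start = None   # start of the current time period (opens on first BPDU)
    processed = 0         # TC BPDUs already processed in this period
    deferred = 0          # TC BPDUs over the threshold, waiting for the period to end

    def close_window():
        nonlocal window_start, processed, deferred
        if deferred:
            # The excess BPDUs are processed together when the period expires.
            events.append((window_start + interval, deferred))
        window_start, processed, deferred = None, 0, 0

    for t in sorted(arrivals):
        if window_start is not None and t >= window_start + interval:
            close_window()
        if window_start is None:
            window_start = t
        if processed < threshold:
            processed += 1
            events.append((t, 1))   # within the limit: handled immediately
        else:
            deferred += 1           # over the limit: postponed
    if window_start is not None:
        close_window()
    return events


def flush_count(events):
    """Number of MAC/ARP flushes caused by the arrivals. Without TC protection
    this would equal the number of TC BPDUs received."""
    return len(events)


if __name__ == "__main__":
    # Constructed burst: 100 TC BPDUs in one second, compared with the defaults
    # and with the documented example settings (interval 10 s, threshold 5).
    burst = [i * 0.01 for i in range(100)]
    print("no protection :", len(burst), "flushes")
    print("defaults      :", flush_count(simulate_tc_protection(burst)), "flushes")
    print("10 s / 5      :", flush_count(simulate_tc_protection(burst, 10.0, 5)), "flushes")
```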