Enabling TC-BPDU guard

When a switch receives topology change (TC) BPDUs (the BPDUs that notify devices of topology changes), the switch flushes its forwarding address entries. If someone forges TC-BPDUs to attack the switch, the switch will receive a large number of TC-BPDUs within a short time and be busy with forwarding address entry flushing. This affects network stability.

With the TC-BPDU guard function, you can set the maximum number of immediate forwarding address entry flushes that the device can perform within a specified period of time (10 seconds). For TC-BPDUs received in excess of the limit, the device performs a forwarding address entry flush when the time period expires. This prevents frequent flushing of forwarding address entries.

To enable TC-BPDU guard:

| Step | Command | Remarks |
|------|---------|---------|
| 1. Enter system view. | system-view | N/A |
| 2. Enable the TC-BPDU guard function. | stp tc-protection enable | Optional. Enabled by default. |
| 3. Configure the maximum number of forwarding address entry flushes that the device can perform every 10 seconds. | stp tc-protection threshold number | Optional. 6 by default. |

NOTE:
H3C does not recommend disabling this feature.

Enabling BPDU drop

In a spanning tree network, after receiving BPDUs, the device performs STP calculation according to the received BPDUs and forwards received BPDUs to other devices in the network. This allows malicious attackers to attack the network by forging BPDUs. By continuously sending forged BPDUs, they can make all the devices in the network perform STP calculations all the time. As a result, problems such as CPU overload and BPDU protocol status errors occur.

To avoid this problem, you can enable BPDU drop on ports. A BPDU drop-enabled port does not receive any BPDUs and is invulnerable to forged BPDU attacks.

To enable BPDU drop on an Ethernet interface:

| Step | Command | Remarks |
|------|---------|---------|
| 1. Enter system view. | system-view | N/A |
| 2. Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | N/A |
| 3. Enable BPDU drop on the current interface. | bpdu-drop any | Disabled by default. |

NOTE:
Because a port with BPDU drop enabled also drops the received 802.1X packets, do not enable BPDU drop and 802.1X on a port at the same time. For more information about 802.1X, see Security Configuration Guide.
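
The TC-BPDU guard limit described under "Enabling TC-BPDU guard" can be modelled to see how much flushing it removes. This is an added example, not H3C code: the fixed windows counted from t=0, the function name `flush_times` and the sample arrival times are assumptions made for illustration.

```python
# Added illustration: model of the TC-BPDU guard rate limit.
# Assumptions (not stated on the page): windows are fixed 10-second
# intervals counted from t=0, and the deferred flush at window expiry
# does not count against the next window's limit.
from collections import Counter

WINDOW = 10      # seconds, the period given on the page
THRESHOLD = 6    # default value of "stp tc-protection threshold"


def flush_times(tc_arrivals, threshold=THRESHOLD, guard=True):
    """Return the sorted times at which forwarding entries are flushed.

    tc_arrivals: arrival times, in seconds, of TC-BPDUs on the switch.
    """
    if not guard:
        # Without the guard every TC-BPDU causes a flush.
        return sorted(tc_arrivals)
    flushes = []
    seen = Counter()    # TC-BPDUs counted per window
    deferred = set()    # windows that owe one flush at expiry
    for t in sorted(tc_arrivals):
        w = int(t // WINDOW)
        seen[w] += 1
        if seen[w] <= threshold:
            flushes.append(t)      # within the limit: flush immediately
        else:
            deferred.add(w)        # over the limit: one flush at expiry
    flushes.extend((w + 1) * WINDOW for w in deferred)
    return sorted(flushes)


# Constructed sample: 50 TC-BPDUs per second for 30 seconds.
FLOOD = [i / 50 for i in range(1500)]
# Constructed sample: one genuine topology change, three TC-BPDUs.
NORMAL = [2.0, 2.1, 2.3]

if __name__ == "__main__":
    print("flushes without guard:", len(flush_times(FLOOD, guard=False)))
    print("flushes with guard:   ", len(flush_times(FLOOD)))
    print("normal change:        ", flush_times(NORMAL))
```

With the default threshold, each 10-second window costs at most seven flushes (six immediate plus one at expiry), while a genuine topology change below the threshold is handled without delay.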