Enabling Loop Guard

We recommend that you enable loop guard on your device.

By continuing to receive BPDUs from the upstream device, a device can maintain the state of the root port and blocked ports. However, due to link congestion or unidirectional link failures, these ports may fail to receive BPDUs from the upstream devices. In this case, the downstream device will reselect the port roles: those ports in forwarding state that failed to receive upstream BPDUs will become designated ports, and the blocked ports will transition to the forwarding state, resulting in loops in the switched network. The loop guard function can suppress the occurrence of such loops.

If a loop guard–enabled port fails to receive BPDUs from the upstream device, and if the port took part in STP calculation, all the instances on the port, no matter what roles the port plays, will be set to, and stay in, the Discarding state.

Follow these steps to enable loop guard:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter interface view or port group view: enter Ethernet interface view, or Layer-2 aggregate interface view | interface interface-type interface-number | Required. Use either command. Configurations made in interface view will take effect on the current port only; configurations made in port group view will take effect on all ports in the port group. |
| Enter interface view or port group view: enter port group view | port-group manual port-group-name | Required. Use either command. Configurations made in interface view will take effect on the current port only; configurations made in port group view will take effect on all ports in the port group. |
| Enable the loop guard function for the port(s) | stp loop-protection | Required. Disabled by default. |

Enabling TC-BPDU Attack Guard

When receiving topology change (TC) BPDUs (the BPDUs used to notify topology changes), a switch flushes its forwarding address entries. If someone forges TC-BPDUs to attack the switch, the switch will receive a large number of TC-BPDUs within a short time and be busy with forwarding address entry flushing. This affects network stability.

With the TC-BPDU guard function, you can set the maximum number of immediate forwarding address entry flushes that the switch can perform within 10 seconds after receiving the first TC-BPDU. For TC-BPDUs received in excess of the limit, the switch performs forwarding address entry flush only when the 10-second timer expires. This prevents frequent flushing of forwarding address entries.

Follow these steps to enable TC-BPDU attack guard:
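
The flush-limiting behaviour described in the TC-BPDU guard paragraph above, modelled in Python as an added example (it is not part of the manual and is not the switch's implementation). It assumes that the first TC-BPDU counts toward the limit, that all excess TC-BPDUs in a window collapse into a single flush at expiry, and that the next TC-BPDU after expiry starts a new window; the class, function and threshold values are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

WINDOW_SECONDS = 10.0  # fixed timer length stated in the manual


@dataclass
class TcBpduGuard:
    """Toy model of the flush limiter (names and structure are assumptions)."""
    threshold: int                          # max immediate flushes per window
    window_start: Optional[float] = None    # arrival time of the first TC-BPDU
    immediate: int = 0                      # immediate flushes in this window
    deferred: bool = False                  # excess TC-BPDU seen in this window
    flushes: list = field(default_factory=list)  # (time, kind) records

    def _expire(self, now):
        """Close the current window if its 10-second timer has run out."""
        if self.window_start is None:
            return
        expiry = self.window_start + WINDOW_SECONDS
        if now >= expiry:
            if self.deferred:
                # Assumption: excess TC-BPDUs collapse into one flush at expiry.
                self.flushes.append((expiry, "deferred"))
            self.window_start, self.immediate, self.deferred = None, 0, False

    def on_tc_bpdu(self, now):
        """Process one TC-BPDU received at time `now` (seconds)."""
        self._expire(now)
        if self.window_start is None:
            self.window_start = now         # first TC-BPDU starts the timer
        if self.immediate < self.threshold:
            self.immediate += 1
            self.flushes.append((now, "immediate"))
        else:
            self.deferred = True            # over the limit: wait for the timer

    def finish(self):
        """Let the last window's timer expire and return every flush."""
        self._expire(float("inf"))
        return self.flushes


def simulate(arrivals, threshold):
    """Return the (time, kind) flushes caused by TC-BPDU arrival times."""
    guard = TcBpduGuard(threshold)
    for t in sorted(arrivals):
        guard.on_tc_bpdu(t)
    return guard.finish()


# Constructed input: 50 TC-BPDUs arriving 0.1 s apart, as in a forged burst.
BURST = [i * 0.1 for i in range(50)]
```

Without the guard, the constructed burst would cause 50 flushes; with a limit of 6 the model performs 6 immediate flushes and one more when the timer expires at 10 seconds.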