maximum times for a switch to remove the MAC address table and ARP entries to 100 and the switch
receives 200 TC-BPDUs in the period, the switch removes the MAC address table and ARP entries for
only 100 times within the period.
Configuration prerequisites
MSTP runs normally on the switch.
Configuration procedure
Follow these steps to configure the TC-BPDU attack guard function:
To do...                         Use the command...                   Remarks
Enter system view                system-view
Enable the TC-BPDU attack        stp tc-protection enable             Required
guard function                                                        The TC-BPDU attack guard
                                                                      function is disabled by default.
Set the maximum times that a     stp tc-protection threshold number   Optional
switch can remove the MAC
address table and ARP entries
within each 10 seconds
Configuration example
# Enable the TC-BPDU attack guard function
<Sysname> system-view
[Sysname] stp tc-protection enable
# Set the maximum times for the switch to remove the MAC address table and ARP entries within 10
seconds to 5.
<Sysname> system-view
[Sysname] stp tc-protection threshold 5
Configuring Digest Snooping
Introduction
According to IEEE 802.1s, two interconnected switches can communicate with each other through
MSTIs in an MST region only when the two switches have the same MST region-related configuration.
Interconnected MSTP-enabled switches determine whether or not they are in the same MST region by
checking the configuration IDs carried in the BPDUs exchanged between them. A configuration ID
contains information such as region ID and configuration digest.
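
The digest comparison described above, as an added example that is not taken from the 3Com manual: the configuration digest defined by the standard is an HMAC-MD5 over the VLAN-to-instance mapping table, so two switches with the same region name and revision still fail the check if a single VLAN is mapped differently. The function names, dict layout and sample mappings are assumptions made for illustration; the example goes beyond the text by showing how the digest itself is derived.

```python
import hashlib
import hmac
import struct

# Fixed signature key the MSTP standard defines for the configuration digest.
DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def config_digest(vlan_to_instance):
    """Return the 16-octet configuration digest as upper-case hex.

    The digest is HMAC-MD5 over a table of 4096 big-endian 16-bit entries:
    entry N holds the MST instance ID for VLAN N, entries 0 and 4095 are 0.
    VLANs missing from the mapping belong to instance 0 (the CIST).
    """
    table = [0] * 4096
    for vid, instance in vlan_to_instance.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN ID out of range: {vid}")
        if not 0 <= instance <= 4094:
            raise ValueError(f"instance ID out of range: {instance}")
        table[vid] = instance
    packed = struct.pack(">4096H", *table)
    return hmac.new(DIGEST_KEY, packed, hashlib.md5).hexdigest().upper()


def config_id(region_name, revision, vlan_to_instance):
    """Build the fields two switches compare (hypothetical dict layout)."""
    return {"region_name": region_name, "revision": revision,
            "digest": config_digest(vlan_to_instance)}


def mismatched_fields(local, peer):
    """List the configuration ID fields that differ; empty means same region."""
    return [field for field in local if local[field] != peer[field]]


# Constructed sample: two switches meant to share region "campus", revision 1.
# The peer is missing the VLAN 30 mapping, so only the digest differs.
SW_A = config_id("campus", 1, {10: 1, 20: 1, 30: 2})
SW_B = config_id("campus", 1, {10: 1, 20: 1})

if __name__ == "__main__":
    print("default digest:", config_digest({}))
    print("SW_A digest:   ", SW_A["digest"])
    print("SW_B digest:   ", SW_B["digest"])
    print("fields that differ:", mismatched_fields(SW_A, SW_B))
```
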
As some other manufacturers' switches adopt proprietary spanning tree protocols, they cannot
communicate with the other switches in an MST region even if they are configured with the same MST
region-related settings as the other switches in the MST region.
This problem can be overcome by implementing the digest snooping feature. If a port on a 3Com Switch
4500 is connected to another manufacturer's switch that has the same MST region-related
configuration as its own but adopts a proprietary spanning tree protocol, you can enable digest
snooping on the port. The Switch 4500 then regards the other manufacturer's switch as being in the same
region; it records the configuration digests carried in the BPDUs received from another manufacturer's