Enabling TC-BPDU guard
When a device receives topology change (TC) BPDUs (the BPDUs that notify devices of topology changes), it flushes its forwarding address entries. If an attacker sends TC-BPDUs to the device, the device receives a large number of TC-BPDUs within a short time and is kept busy flushing forwarding address entries. This affects network stability.
TC-BPDU guard allows you to set the maximum number of immediate forwarding address entry flushes performed within 10 seconds after the device receives the first TC-BPDU. For TC-BPDUs received in excess of the limit, the device performs a forwarding address entry flush when the time period expires. This prevents frequent flushing of forwarding address entries. As a best practice, enable TC-BPDU guard.
To enable TC-BPDU guard:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable the TC-BPDU guard function. | stp tc-protection | By default, TC-BPDU guard is enabled. As a best practice, do not disable this feature. |
3. (Optional.) Configure the maximum number of forwarding address entry flushes that the device can perform every 10 seconds. | stp tc-protection threshold number | The default setting is 6. |
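
The following Python model is an added illustration, not vendor code and not part of the original document. It compares the number of flushes with and without TC-BPDU guard during a burst of TC-BPDUs, following the behaviour described above. It assumes a new 10-second window opens with the first TC-BPDU received after the previous window expires; `simulate_flushes` and its parameters are hypothetical names.

```python
WINDOW_MS = 10_000  # 10-second window from the text, in milliseconds


def simulate_flushes(arrivals_ms, threshold=6, guard=True):
    """Return the times (ms) at which forwarding entries are flushed.

    arrivals_ms: ascending receive times of TC-BPDUs.
    threshold:   immediate flushes allowed per window (device default: 6).
    """
    if not guard:
        return list(arrivals_ms)  # unguarded: one flush per TC-BPDU

    flushes = []
    window_start = None  # no window open until the first TC-BPDU arrives
    immediate = 0
    deferred = False

    def close_window():
        # Excess TC-BPDUs collapse into a single flush at window expiry.
        if deferred:
            flushes.append(window_start + WINDOW_MS)

    for t in arrivals_ms:
        if window_start is not None and t >= window_start + WINDOW_MS:
            close_window()
            window_start = None
        if window_start is None:  # assumption: this TC-BPDU opens a new window
            window_start, immediate, deferred = t, 0, False
        if immediate < threshold:
            immediate += 1
            flushes.append(t)
        else:
            deferred = True
    if window_start is not None:
        close_window()
    return flushes


if __name__ == "__main__":
    flood = list(range(0, 10_000, 10))  # constructed: 1000 TC-BPDUs in 10 s
    print("unguarded flushes:", len(simulate_flushes(flood, guard=False)))
    print("guarded flushes:  ", len(simulate_flushes(flood)))
```

With the default threshold of 6, the constructed burst of 1000 TC-BPDUs causes 7 flushes (6 immediate plus 1 at window expiry) instead of 1000, while TC-BPDUs arriving at a rate below the threshold are still acted on immediately.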