From 172db956a36f8bd7de04275768a60150bf9aa6e8 Mon Sep 17 00:00:00 2001 From: shango-wk Date: Thu, 28 May 2026 01:25:20 +0200 Subject: [PATCH] add BPDU Guard & BPDU Filter --- 21. BPDU Guard & BPDU Filter (STP Toolkit).md | 157 +++++++++++++++++- 1 file changed, 153 insertions(+), 4 deletions(-) diff --git a/21. BPDU Guard & BPDU Filter (STP Toolkit).md b/21. BPDU Guard & BPDU Filter (STP Toolkit).md index 3a5a254..75df67b 100644 --- a/21. BPDU Guard & BPDU Filter (STP Toolkit).md +++ b/21. BPDU Guard & BPDU Filter (STP Toolkit).md 
@@ -7,12 +7,161 @@ tags: [] # BPDU Guard & BPDU Filter (STP Toolkit) +PortFast makes a port start in the Forwarding state when it is connected, but it doesn't disable STP +on the port. +- The port will continue to send BPDUs every 2 seconds. + +Because end hosts don't run STP and send BPDUs, a PortFast enabled port shouldn't receive BPDUs +- But what if it does? + +If a PortFast-enabled port receives an STP BPDU, it will revert to acting like a regular STP port +(without PortFast) + +## BPDU Guard + +### The problem + +PortFast should only be enabled on ports connected to non-switch devices (end osts, routers). +- A PortFast-enabled port still sends BPDUs and will operate like a regular STP port if it +receives VPDUs from a neighbor. +- If an end user carelessly connects a switch to a port meant for end hosts,, it could affect the +STP topology. +- *BPDU Guard* acts as a safeguard against this. + +### The Solution + +BPDU Guard protects the network from unauthorized switches being connected to ports intended for end hosts. +It can be configured separately from [[PortFast]] but both features are usually used together. +They both enhance STP's functionality on ports inteded for end hosts. + +A BPDU Guard-enabled port contibues to send BPDUs, but if it receives a BPDU it enters the error-disabled state. +- In effect, this disbales the port. + +### Configuration + +Like PorFast, BPDU Guard can be configured in two ways: + +per-port: +```Cisco +SW3(config-if)# spanning-tree bpduguard enable +``` + +default +```Cisco +SW3(config)# spanning-tree portfast bpduguard default +``` + +When enabled by default *BPDU Guard* is activated on **All Portfast-enabled ports**. + +disableing it +```Cisco +SW3(config)# spanning-tree bpduguard disable +``` + +### Errdisable + +ErrDiable is a [[Cisco]] switch feature that disables a port under certain conditions, such as BPDU +Guard violation. 
+More examples are +- Power Policing violations +- Port Security violations +- DAI (Dynamic ARP inspection) violations + +to re-enable an err-disabled port, *first solve the underlying issue* +- if you re0enable the port without fixing the issue, it will just be err-disabled again. + +You can re-enable an err-disabled port in two ways: +1. Manual: use *shutdown* and *no shutdown* to reset the disabled port. +2. Automatic: *ErrDisable Recovery* + +#### ErrDisable Recovery + +ErrDisable Recovery is a feature that automatically re-enables err disabled ports after a certain period of time + +ErrDisable Recovery is disabled by default + +to view it status use + +```Cisco +SW1# show errdisable recovery +``` + +The default recovery timer is 300 seconds (5minutes). +- err-disabled interfaces will be automatically re-enabled after 5 minutes + +command to modify the interval is +```Cisco +SW1# errdisable recovery interval *seconds* +``` + +to enable ErrDisable Recovery for ports disabled by a particular cause use +```Cisco +SW1(config)# errdisble recovery cause *cause* +``` + +## BPDU Filter + +### The Problem + +A switch port connected to an end host contnues sending BPDUs every 2 seconds. +- regardless of whether PortFast and/or BPDU GUard are enabled +If the port doeen't connect to a switch, sending BPDUs is unnecessary and undesirable for a +coupe of reasons +1. Sendig BPDUs uses some bandwidth and processing power on the witch (althrough it's minimal). +2. BPDUs contain information about the LAN's STP topology + - If maximum security is a concern, you should avoid sending this info to user devices. 
+ +Bpdu Filter solves this by preventing a port from sending BPDUs + +### The Solution + +BPDU FIlter stops a port fro sending BPDUs +- Unlike BPDU Guard, it does not disable the port if it receives a BPDU +BPDU filter can be enabled in two ways: + +per-port: +```Cisco +SW3(config-if)# spanning-tree bpdufilter enable +``` +The port will not send BPDUs +The port will ignore any BPDUs it receives. +In effect this disables [[STP]] on the port. *Use with caution!* + +default +```Cisco +SW3(config)# spanning-tree portfast bpdufilter default +``` +BPDU Filter will be activated on all *PortFast-enabled ports*. + You can use spanning-tree bpdufilter disable to disable it on specific ports. +The port will not send BPDUs +If the port receives a BPDU, PortFast and BPDU Filter are disabled, and it operates as a normal STP Port. + +## Recommandation + +Enable PortFast and BPDU Guard however you prefer (per-port or by default) +- Only enable BPDU Filter by default (global config mode). +- Unless you have a very good reason to enable it per-port + +*BPDU Guard* and *BPDU Filter* can be enabled on the same port at the same time: + +--- + +If BPDU Filter is enabled in global-confg mode and the port receives a BPDU: +1. BPDU Filter will be disabled +2. BPDU Guard will be triggered (and err-disable the interface) + +--- + +If BPDU Fileter is enabled in interface config mode and the port receives a BPDU: +- The BPDU will be ignored +- BPDU Guard will *not* be triggered + ## Review ### BPDU Guard - -Automatically disab +Automatically disables a port if it receives a BPDU, protecting the STP topology by preventing +unauthorized devices from becoming part of the network -BPDU Fileter - +### BPDU Filter +Stops a port from sending BPDUs or processing received BPDUs
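Review bot: Three of the command examples in this hunk show the wrong mode or a misspelled keyword, which matters most for a configuration note whose value is copy-paste accuracy. `SW3(config)# spanning-tree bpduguard disable` is an interface-level command on Cisco IOS and should carry the `(config-if)#` prompt (the global counterpart is `no spanning-tree portfast bpduguard default`); `SW1# errdisable recovery interval *seconds*` is a global configuration command and should read `SW1(config)# errdisable recovery interval <seconds>`; and `errdisble recovery cause *cause*` is missing the "a" in `errdisable`. Using angle brackets for placeholders rather than asterisks would also stop the Markdown renderer from turning them into italics inside the fences. The same point about the per-port BPDU Filter block ("In effect this disables STP on the port. Use with caution!") deserves one more sentence on why: with BPDUs neither sent nor processed, a second link to another switch on that port is not detected, so a Layer 2 loop is possible, which is exactly the risk the BPDU Guard interaction in the "Recommandation" section is meant to avoid. Finally, please run a spell check before merging: "osts", "VPDUs", "hosts,,", "inteded", "contibues", "disbales", "PorFast", "disableing", "ErrDiable", "re0enable", "contnues", "GUard", "doeen't", "coupe", "Sendig", "witch", "althrough", "FIlter", "fro", "Recommandation", "global-confg" and "Fileter" are all in the added text.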