add BPDU Guard & BPDU Filter
@@ -7,12 +7,161 @@ tags: []
# BPDU Guard & BPDU Filter (STP Toolkit)
PortFast makes a port start in the Forwarding state when it is connected, but it doesn't disable STP
on the port.
- The port will continue to send BPDUs every 2 seconds.
Because end hosts don't run STP and send BPDUs, a PortFast enabled port shouldn't receive BPDUs
- But what if it does?
If a PortFast-enabled port receives an STP BPDU, it will revert to acting like a regular STP port
(without PortFast)
## BPDU Guard
### The problem
PortFast should only be enabled on ports connected to non-switch devices (end osts, routers).
- A PortFast-enabled port still sends BPDUs and will operate like a regular STP port if it
receives VPDUs from a neighbor.
- If an end user carelessly connects a switch to a port meant for end hosts,, it could affect the
STP topology.
- *BPDU Guard* acts as a safeguard against this.
### The Solution
BPDU Guard protects the network from unauthorized switches being connected to ports intended for end hosts.
It can be configured separately from [[PortFast]] but both features are usually used together.
They both enhance STP's functionality on ports inteded for end hosts.
A BPDU Guard-enabled port contibues to send BPDUs, but if it receives a BPDU it enters the error-disabled state.
- In effect, this disbales the port.
### Configuration
Like PorFast, BPDU Guard can be configured in two ways:
per-port:
```Cisco
SW3(config-if)# spanning-tree bpduguard enable
```
default
```Cisco
SW3(config)# spanning-tree portfast bpduguard default
```
When enabled by default *BPDU Guard* is activated on **All Portfast-enabled ports**.
disableing it
```Cisco
SW3(config)# spanning-tree bpduguard disable
```
### Errdisable
ErrDiable is a [[Cisco]] switch feature that disables a port under certain conditions, such as BPDU
Guard violation.
More examples are
- Power Policing violations
- Port Security violations
- DAI (Dynamic ARP inspection) violations
to re-enable an err-disabled port, *first solve the underlying issue*
- if you re0enable the port without fixing the issue, it will just be err-disabled again.
You can re-enable an err-disabled port in two ways:
1. Manual: use *shutdown* and *no shutdown* to reset the disabled port.
2. Automatic: *ErrDisable Recovery*
#### ErrDisable Recovery
ErrDisable Recovery is a feature that automatically re-enables err disabled ports after a certain period of time
ErrDisable Recovery is disabled by default
to view it status use
```Cisco
SW1# show errdisable recovery
```
The default recovery timer is 300 seconds (5minutes).
- err-disabled interfaces will be automatically re-enabled after 5 minutes
command to modify the interval is
```Cisco
SW1# errdisable recovery interval *seconds*
```
to enable ErrDisable Recovery for ports disabled by a particular cause use
```Cisco
SW1(config)# errdisble recovery cause *cause*
```
## BPDU Filter
### The Problem
A switch port connected to an end host contnues sending BPDUs every 2 seconds.
- regardless of whether PortFast and/or BPDU GUard are enabled
If the port doeen't connect to a switch, sending BPDUs is unnecessary and undesirable for a
coupe of reasons
1. Sendig BPDUs uses some bandwidth and processing power on the witch (althrough it's minimal).
2. BPDUs contain information about the LAN's STP topology
- If maximum security is a concern, you should avoid sending this info to user devices.
Bpdu Filter solves this by preventing a port from sending BPDUs
### The Solution
BPDU FIlter stops a port fro sending BPDUs
- Unlike BPDU Guard, it does not disable the port if it receives a BPDU
BPDU filter can be enabled in two ways:
per-port:
```Cisco
SW3(config-if)# spanning-tree bpdufilter enable
```
The port will not send BPDUs
The port will ignore any BPDUs it receives.
In effect this disables [[STP]] on the port. *Use with caution!*
default
```Cisco
SW3(config)# spanning-tree portfast bpdufilter default
```
BPDU Filter will be activated on all *PortFast-enabled ports*.
You can use spanning-tree bpdufilter disable to disable it on specific ports.
The port will not send BPDUs
If the port receives a BPDU, PortFast and BPDU Filter are disabled, and it operates as a normal STP Port.
## Recommandation
Enable PortFast and BPDU Guard however you prefer (per-port or by default)
- Only enable BPDU Filter by default (global config mode).
- Unless you have a very good reason to enable it per-port
*BPDU Guard* and *BPDU Filter* can be enabled on the same port at the same time:
---
If BPDU Filter is enabled in global-confg mode and the port receives a BPDU:
1. BPDU Filter will be disabled
2. BPDU Guard will be triggered (and err-disable the interface)
---
If BPDU Fileter is enabled in interface config mode and the port receives a BPDU:
- The BPDU will be ignored
- BPDU Guard will *not* be triggered
## Review
### BPDU Guard
Automatically disab
Automatically disables a port if it receives a BPDU, protecting the STP topology by preventing
unauthorized devices from becoming part of the network
BPDU Fileter
### BPDU Filter
Stops a port from sending BPDUs or processing received BPDUs
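Review bot: two of the configuration examples in this hunk are shown at the wrong prompt, and a reader copying them will get a CLI error. `SW1# errdisable recovery interval *seconds*` is a global configuration command and belongs at `SW1(config)#`, consistent with the `errdisable recovery cause` example two blocks below it; and `SW3(config)# spanning-tree bpduguard disable`, presented under "disableing it", is the per-interface override of the global default and belongs at `SW3(config-if)#`, consistent with the per-port `spanning-tree bpduguard enable` example above it. The `errdisble recovery cause` example also misspells the keyword inside the command itself, so it would not be accepted as written. In the Review section, "Automatically disab" and the stray "BPDU Fileter" line before the "### BPDU Filter" heading look like leftover drafts and should be dropped. The prose needs a spelling pass before merge: "end osts", "VPDUs", "hosts,,", "inteded", "contibues", "disbales", "PorFast", "ErrDiable", "re0enable", "contnues", "GUard", "doeen't", "coupe", "Sendig", "witch", "althrough", "FIlter", "fro", "Recommandation", "global-confg", "Fileter".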