add BPDU Guard & BPDU Filter
@@ -7,12 +7,161 @@ tags: []

# BPDU Guard & BPDU Filter (STP Toolkit)

PortFast makes a port go straight to the Forwarding state when it comes up, but it does not disable STP on the port.

- The port still sends BPDUs every 2 seconds (the default Hello timer).

Because end hosts do not run STP and do not send BPDUs, a PortFast-enabled port should never receive one.

- But what if it does?

If a PortFast-enabled port receives an STP BPDU, it reverts to behaving like a regular STP port (without PortFast).

## BPDU Guard

### The problem

PortFast should only be enabled on ports connected to non-switch devices (end hosts, routers).

- A PortFast-enabled port still sends BPDUs and will operate like a regular STP port if it receives BPDUs from a neighbor.
- If an end user carelessly (or deliberately) connects a switch to a port meant for end hosts, it could affect the STP topology, for example by claiming the root bridge role with a lower bridge ID.
- *BPDU Guard* acts as a safeguard against this.

### The Solution

BPDU Guard protects the network from unauthorized switches being connected to ports intended for end hosts. It can be configured separately from [[PortFast]], but the two features are usually used together; both enhance STP's behaviour on ports intended for end hosts.

A BPDU Guard-enabled port continues to send BPDUs, but if it receives a BPDU it enters the error-disabled (err-disabled) state.

- In effect, this shuts the port down until it is recovered (see Errdisable below).

### Configuration

Like PortFast, BPDU Guard can be configured in two ways:

per-port:

```Cisco
SW3(config-if)# spanning-tree bpduguard enable
```

default (global config mode):

```Cisco
SW3(config)# spanning-tree portfast bpduguard default
```

When enabled by default, *BPDU Guard* is activated on **all PortFast-enabled ports**.

Disabling it on a specific port (an interface-level setting that overrides the global default):

```Cisco
SW3(config-if)# spanning-tree bpduguard disable
```

### Errdisable

ErrDisable is a [[Cisco]] switch feature that disables a port under certain conditions, such as a BPDU Guard violation. Other examples are:

- Power Policing violations
- Port Security violations
- DAI (Dynamic ARP Inspection) violations

To re-enable an err-disabled port, *first solve the underlying issue*.

- If you re-enable the port without fixing the issue, it will just be err-disabled again.

You can re-enable an err-disabled port in two ways:

1. Manual: use *shutdown* and then *no shutdown* on the interface to reset it.
2. Automatic: *ErrDisable Recovery*

#### ErrDisable Recovery

ErrDisable Recovery is a feature that automatically re-enables err-disabled ports after a certain period of time.

ErrDisable Recovery is disabled by default (for every cause).

To view its status use:

```Cisco
SW1# show errdisable recovery
```

The default recovery timer is 300 seconds (5 minutes).

- Err-disabled interfaces will be automatically re-enabled after 5 minutes, provided recovery is enabled for the cause that disabled them.

The command to modify the interval is (global config mode):

```Cisco
SW1(config)# errdisable recovery interval *seconds*
```

To enable ErrDisable Recovery for ports disabled by a particular cause use:

```Cisco
SW1(config)# errdisable recovery cause *cause*
```

- For BPDU Guard the cause keyword is `bpduguard`, i.e. `errdisable recovery cause bpduguard`.
- Caveat: if the rogue switch is still connected, the recovered port receives another BPDU and is err-disabled again. Recovery turns a permanent outage into a periodic one; it does not remove the need to find the device.

## BPDU Filter

### The Problem

A switch port connected to an end host continues sending BPDUs every 2 seconds.

- regardless of whether PortFast and/or BPDU Guard are enabled

If the port doesn't connect to a switch, sending BPDUs is unnecessary and undesirable for a couple of reasons:

1. Sending BPDUs uses some bandwidth and processing power on the switch (although it's minimal).
2. BPDUs contain information about the LAN's STP topology (root bridge ID, the sending switch's bridge ID, root path cost and timers).
   - If maximum security is a concern, you should avoid sending this info to user devices.

BPDU Filter solves this by preventing a port from sending BPDUs.

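To make the second point concrete, here is an added example (not part of the original note) that decodes a constructed 802.1D Configuration BPDU, the frame a non-filtered port hands to whatever is plugged into it, and lists the topology facts it exposes. The sample bytes, MAC addresses and function names are made up for the example.

```python
"""Decode an 802.1D Configuration BPDU to see what a port that still sends BPDUs
reveals to the device connected to it."""
import struct

# Constructed sample: the 35-byte STP Configuration BPDU body that follows the
# 802.2 LLC header (42 42 03). MACs and costs are invented for the example.
SAMPLE_CONFIG_BPDU = bytes.fromhex(
    "0000"              # Protocol Identifier (0 = Spanning Tree)
    "00"                # Protocol Version (0 = 802.1D STP)
    "00"                # BPDU Type (0x00 = Configuration, 0x80 = TCN)
    "00"                # Flags (bit 0 = Topology Change, bit 7 = TC Ack)
    "8001001122334455"  # Root Identifier: priority/extension 0x8001 + MAC
    "00000004"          # Root Path Cost
    "800100aabbccddee"  # Bridge Identifier of the sending switch
    "8003"              # Port Identifier (priority 0x80, port number 3)
    "0100"              # Message Age   (units of 1/256 s -> 1 s)
    "1400"              # Max Age       (20 s)
    "0200"              # Hello Time    (2 s, the interval mentioned above)
    "0f00"              # Forward Delay (15 s)
)

LLC_STP = b"\x42\x42\x03"
_CONFIG_FMT = ">HBBB8sI8sHHHHH"  # 35 bytes, network byte order


def decode_bridge_id(raw):
    """Split an 8-byte Bridge ID into 802.1t priority, system-ID extension and MAC."""
    prio_ext = int.from_bytes(raw[:2], "big")
    return {
        "priority": prio_ext & 0xF000,  # configured priority, multiples of 4096
        "ext": prio_ext & 0x0FFF,       # system-ID extension (the VLAN in PVST+)
        "mac": ":".join(f"{b:02x}" for b in raw[2:]),
    }


def parse_bpdu(data):
    """Parse a Configuration or TCN BPDU, with or without the LLC header in front."""
    if data.startswith(LLC_STP):
        data = data[len(LLC_STP):]
    if len(data) < 4:
        raise ValueError("too short to be a BPDU")
    proto, version, bpdu_type = struct.unpack(">HBB", data[:4])
    if proto != 0:
        raise ValueError(f"unknown protocol identifier {proto:#06x}")
    if bpdu_type == 0x80:
        return {"type": "TCN", "version": version}
    if bpdu_type != 0x00:
        raise ValueError(f"unsupported BPDU type {bpdu_type:#04x}")
    if len(data) < struct.calcsize(_CONFIG_FMT):
        raise ValueError("truncated Configuration BPDU")
    (_, _, _, flags, root, cost, bridge, port_id,
     msg_age, max_age, hello, fwd_delay) = struct.unpack(_CONFIG_FMT, data[:35])
    return {
        "type": "Configuration",
        "version": version,
        "topology_change": bool(flags & 0x01),
        "topology_change_ack": bool(flags & 0x80),
        "root_id": decode_bridge_id(root),
        "root_path_cost": cost,
        "bridge_id": decode_bridge_id(bridge),
        "port_id": port_id,
        "message_age": msg_age / 256,
        "max_age": max_age / 256,
        "hello_time": hello / 256,
        "forward_delay": fwd_delay / 256,
    }


def leaked_topology_facts(bpdu):
    """What a host on a non-filtered port learns from a single Configuration BPDU."""
    r, b = bpdu["root_id"], bpdu["bridge_id"]
    return [
        f"root bridge: priority {r['priority']} (ext {r['ext']}) MAC {r['mac']}",
        f"attached switch: priority {b['priority']} MAC {b['mac']}, "
        f"root path cost {bpdu['root_path_cost']}",
        f"timers: hello {bpdu['hello_time']:g}s, max age {bpdu['max_age']:g}s, "
        f"forward delay {bpdu['forward_delay']:g}s",
    ]


if __name__ == "__main__":
    for fact in leaked_topology_facts(parse_bpdu(LLC_STP + SAMPLE_CONFIG_BPDU)):
        print(fact)
```

Run as a script it prints the three facts; the root bridge's priority and MAC are exactly what an attacker needs to know in order to outbid it, which is why a port facing untrusted hosts should not be sending this at all.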
### The Solution

BPDU Filter stops a port from sending BPDUs.

- Unlike BPDU Guard, it does not disable the port if it receives a BPDU.

BPDU Filter can be enabled in two ways:

per-port:

```Cisco
SW3(config-if)# spanning-tree bpdufilter enable
```

- The port will not send BPDUs.
- The port will ignore any BPDUs it receives.
- In effect this disables [[STP]] on the port. *Use with caution!* A second link through such a port can form a loop that STP cannot break.

default (global config mode):

```Cisco
SW3(config)# spanning-tree portfast bpdufilter default
```

- BPDU Filter will be activated on all *PortFast-enabled ports*.
- You can use `spanning-tree bpdufilter disable` in interface config mode to turn it off on specific ports.
- The port will not send BPDUs.
- If the port receives a BPDU, PortFast and BPDU Filter are disabled on it, and it operates as a normal STP port.

## Recommendation

Enable PortFast and BPDU Guard however you prefer (per-port or by default).

- Only enable BPDU Filter by default (global config mode).
- Unless you have a very good reason to enable it per-port.

*BPDU Guard* and *BPDU Filter* can be enabled on the same port at the same time:

---

If BPDU Filter is enabled in global config mode and the port receives a BPDU:

1. BPDU Filter will be disabled on that port
2. BPDU Guard will be triggered (and err-disable the interface)

---

If BPDU Filter is enabled in interface config mode and the port receives a BPDU:

- The BPDU will be ignored
- BPDU Guard will *not* be triggered

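Added example (not from the original note): a small Python audit that applies the recommendation above to a constructed running-config, flagging PortFast ports whose effective BPDU Guard state is off and ports with per-port BPDU Filter (where, as described above, BPDU Guard can never fire). It understands only the commands on this page, so it assumes PortFast is set per interface with `spanning-tree portfast` and ignores the global `spanning-tree portfast default`; the config text and interface names are invented.

```python
"""Audit a Cisco IOS running-config for PortFast ports without BPDU Guard and for
per-port BPDU Filter, which silently switches STP off on the port."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
!
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/24
 switchport mode trunk
!
"""


@dataclass
class Port:
    name: str
    portfast: bool = False
    bpduguard: Optional[str] = None   # "enable" / "disable" / None = inherit global default
    bpdufilter: Optional[str] = None  # "enable" / "disable" / None = inherit global default


@dataclass
class Config:
    guard_default: bool = False       # spanning-tree portfast bpduguard default
    filter_default: bool = False      # spanning-tree portfast bpdufilter default
    ports: Dict[str, Port] = field(default_factory=dict)


def parse_config(text: str) -> Config:
    """Minimal IOS parser: global commands are unindented, interface sub-commands indented."""
    cfg = Config()
    current: Optional[Port] = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = None
            m = re.match(r"interface (\S+)$", line)
            if m:
                current = cfg.ports.setdefault(m.group(1), Port(m.group(1)))
            elif line == "spanning-tree portfast bpduguard default":
                cfg.guard_default = True
            elif line == "spanning-tree portfast bpdufilter default":
                cfg.filter_default = True
            continue
        if current is None:
            continue
        words = line.split()
        if words[:2] == ["spanning-tree", "portfast"] and words[2:3] != ["disable"]:
            current.portfast = True
        elif words[:2] == ["spanning-tree", "bpduguard"] and len(words) == 3:
            current.bpduguard = words[2]
        elif words[:2] == ["spanning-tree", "bpdufilter"] and len(words) == 3:
            current.bpdufilter = words[2]
    return cfg


def effective_state(cfg: Config, port: Port) -> Tuple[bool, Optional[str]]:
    """Precedence as described on this page: an explicit per-port setting wins; the global
    'portfast ... default' forms apply only to PortFast-enabled ports."""
    if port.bpduguard is not None:
        guard = port.bpduguard == "enable"
    else:
        guard = cfg.guard_default and port.portfast
    if port.bpdufilter == "enable":
        filt = "per-port"  # received BPDUs ignored; STP effectively off on the port
    elif port.bpdufilter is None and cfg.filter_default and port.portfast:
        filt = "default"   # stops sending; a received BPDU makes it a normal STP port again
    else:
        filt = None
    return guard, filt


def audit(text: str) -> Dict[str, List[str]]:
    """Return a list of findings per interface (empty list = nothing to report)."""
    cfg = parse_config(text)
    findings: Dict[str, List[str]] = {}
    for port in cfg.ports.values():
        guard, filt = effective_state(cfg, port)
        issues: List[str] = []
        if port.portfast and not guard:
            issues.append("PortFast without BPDU Guard: a switch plugged in here joins the STP topology")
        if filt == "per-port":
            issues.append("per-port BPDU Filter: received BPDUs are ignored and BPDU Guard can never trigger")
        findings[port.name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_CONFIG).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

On the sample config, Gi0/1 inherits BPDU Guard from the global default and is clean, Gi0/2 has explicitly disabled it and is flagged, Gi0/3 is flagged for per-port BPDU Filter even though BPDU Guard is nominally on, and the trunk port Gi0/24 has no PortFast and is left alone.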
## Review

### BPDU Guard

Automatically disables a port if it receives a BPDU, protecting the STP topology by preventing unauthorized devices from becoming part of the network.

### BPDU Filter

Stops a port from sending BPDUs or processing received BPDUs.