| id | aliases | tags |
|---|---|---|
| 1779916771-SNCX | | |
BPDU Guard & BPDU Filter (STP Toolkit)
PortFast makes a port start in the Forwarding state when it is connected, but it doesn't disable STP on the port.
- The port will continue to send BPDUs every 2 seconds.
Because end hosts don't run STP and don't send BPDUs, a PortFast-enabled port shouldn't receive BPDUs.
- But what if it does?
If a PortFast-enabled port receives an STP BPDU, it reverts to acting like a regular STP port (without PortFast).
BPDU Guard
The problem
PortFast should only be enabled on ports connected to non-switch devices (end hosts, routers).
- A PortFast-enabled port still sends BPDUs and will operate like a regular STP port if it receives BPDUs from a neighbor.
- If an end user carelessly connects a switch to a port meant for end hosts, it could affect the STP topology.
- BPDU Guard acts as a safeguard against this.
The Solution
BPDU Guard protects the network from unauthorized switches being connected to ports intended for end hosts. It can be configured separately from PortFast, but the two features are usually used together. They both enhance STP's functionality on ports intended for end hosts.
A BPDU Guard-enabled port continues to send BPDUs, but if it receives a BPDU it enters the error-disabled state.
- In effect, this disables the port.
Configuration
Like PortFast, BPDU Guard can be configured in two ways:
per-port:
SW3(config-if)# spanning-tree bpduguard enable
default:
SW3(config)# spanning-tree portfast bpduguard default
When enabled by default, BPDU Guard is activated on all PortFast-enabled ports.
disabling it on a specific port (even when it is enabled by default):
SW3(config-if)# spanning-tree bpduguard disable
Errdisable
ErrDisable is a Cisco switch feature that disables a port under certain conditions, such as a BPDU Guard violation. More examples are:
- Power Policing violations
- Port Security violations
- DAI (Dynamic ARP Inspection) violations
To re-enable an err-disabled port, first solve the underlying issue.
- If you re-enable the port without fixing the issue, it will just be err-disabled again.
You can re-enable an err-disabled port in two ways:
- Manual: use shutdown and no shutdown to reset the disabled port.
- Automatic: ErrDisable Recovery
ErrDisable Recovery
ErrDisable Recovery is a feature that automatically re-enables err-disabled ports after a certain period of time.
ErrDisable Recovery is disabled by default.
To view its status, use:
SW1# show errdisable recovery
The default recovery timer is 300 seconds (5 minutes).
- err-disabled interfaces will be automatically re-enabled after 5 minutes
The command to modify the interval is (global config mode):
SW1(config)# errdisable recovery interval *seconds*
To enable ErrDisable Recovery for ports disabled by a particular cause, use:
SW1(config)# errdisable recovery cause *cause*
BPDU Filter
The Problem
A switch port connected to an end host continues sending BPDUs every 2 seconds.
- regardless of whether PortFast and/or BPDU Guard are enabled
If the port doesn't connect to a switch, sending BPDUs is unnecessary and undesirable for a couple of reasons:
- Sending BPDUs uses some bandwidth and processing power on the switch (although it's minimal).
- BPDUs contain information about the LAN's STP topology.
- If maximum security is a concern, you should avoid sending this info to user devices.
BPDU Filter solves this by preventing a port from sending BPDUs.
The Solution
BPDU Filter stops a port from sending BPDUs.
- Unlike BPDU Guard, it does not disable the port if it receives a BPDU.
BPDU Filter can be enabled in two ways:
per-port:
SW3(config-if)# spanning-tree bpdufilter enable
- The port will not send BPDUs.
- The port will ignore any BPDUs it receives.
- In effect, this disables STP on the port. Use with caution!
default:
SW3(config)# spanning-tree portfast bpdufilter default
- BPDU Filter will be activated on all PortFast-enabled ports. You can use spanning-tree bpdufilter disable to disable it on specific ports.
- The port will not send BPDUs.
- If the port receives a BPDU, PortFast and BPDU Filter are disabled, and it operates as a normal STP port.
Recommendation
Enable PortFast and BPDU Guard however you prefer (per-port or by default).
- Only enable BPDU Filter by default (global config mode).
- Unless you have a very good reason to enable it per-port.
BPDU Guard and BPDU Filter can be enabled on the same port at the same time:
If BPDU Filter is enabled in global config mode and the port receives a BPDU:
- BPDU Filter will be disabled
- BPDU Guard will be triggered (and err-disable the interface)
If BPDU Filter is enabled in interface config mode and the port receives a BPDU:
- The BPDU will be ignored
- BPDU Guard will not be triggered
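As an added example (not part of the original note), the recommendation above applied to one user-facing access port: PortFast and BPDU Guard per-port, BPDU Filter only by default, and ErrDisable Recovery for the bpduguard cause. The hostname SW3, interface GigabitEthernet0/1 and the 120-second recovery interval are assumed values.

```cisco
! --- global configuration (assumed hostname SW3) ---
! BPDU Guard on every PortFast-enabled port
SW3(config)# spanning-tree portfast bpduguard default
! BPDU Filter only by default: a received BPDU cancels PortFast and BPDU Filter
! on that port, so BPDU Guard still triggers and err-disables it
SW3(config)# spanning-tree portfast bpdufilter default
! recover bpduguard err-disabled ports automatically (assumed 120 s, default is 300 s)
SW3(config)# errdisable recovery cause bpduguard
SW3(config)# errdisable recovery interval 120
!
! --- user-facing access port (assumed GigabitEthernet0/1) ---
SW3(config)# interface GigabitEthernet0/1
SW3(config-if)# switchport mode access
SW3(config-if)# spanning-tree portfast
SW3(config-if)# spanning-tree bpduguard enable
! do NOT add 'spanning-tree bpdufilter enable' here: per-port BPDU Filter
! ignores received BPDUs, so BPDU Guard would never trigger on this port
SW3(config-if)# end
!
! --- verification ---
! PortFast / BPDU Guard / BPDU Filter default status
SW3# show spanning-tree summary
! recovery causes and timer
SW3# show errdisable recovery
! ports currently err-disabled and why
SW3# show interfaces status err-disabled
```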
Review
BPDU Guard
Automatically disables a port if it receives a BPDU, protecting the STP topology by preventing unauthorized devices from becoming part of the network
BPDU Filter
Stops a port from sending BPDUs or processing received BPDUs