Buy or Renew
Buy or Renew
Cisco + Splunk: Itā€™s a new day for your data. Learn more.
Ā 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
1309
Views
0
Helpful
1
Replies

About BPDU sending and receiving

Go to solution
from88
Level 4
Level 4

ā€Ž10-14-2011 01:30 AM - edited ā€Ž03-07-2019 02:48 AM

Hello,

Im reading a LAN SWITCH Security book and i have a question regarding this sentence from the book:

"a root port should typically be sending many more BPDUs than  it is receiving. The opposite is taking place here, indicating suspicious activity."

But the root port in stable topology doesn't forward (send) and BPDU's at all. It just receives on it's port and forwards to desiganted ports on that switch.

Here is example from my network topology:

gigabitEthernet 0/12 is root port in vlan 80:

show spanning-tree vlan 80 interface gigabitEthernet 0/12 detail

Port 12 (GigabitEthernet0/12) of VLAN0080 is forwarding

   Port path cost 4, Port priority 128, Port Identifier 128.12.

   Designated root has priority 32848, address 0055.9331.d880

   Designated bridge has priority 32848, address 0055.9331.d880

   Designated port id is 128.26, designated path cost 0

   Timers: message age 1, forward delay 0, hold 0

   Number of transitions to forwarding state: 1

   Link type is point-to-point by default

   BPDU: sent 54, received 29995327

is this a mistake in a book?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
nkarpysh
Cisco Employee
Cisco Employee

ā€Ž10-14-2011 02:34 AM

This is mistake indeed. They should have written non-root port.

What they described in that article is that they sent malicious BPDU to generic non-root port 8/1 and made it root. So that became root port and started to receive more BPDUs when it sent. Whish is normal for root port.

Same for your network - root port - receiving more than sending.

Nik,

HTH,
Niko

View solution in original post

0 Helpful
1 Reply 1

Go to solution
nkarpysh
Cisco Employee
Cisco Employee

ā€Ž10-14-2011 02:34 AM

This is mistake indeed. They should have written non-root port.

What they described in that article is that they sent malicious BPDU to generic non-root port 8/1 and made it root. So that became root port and started to receive more BPDUs when it sent. Whish is normal for root port.

Same for your network - root port - receiving more than sending.

Nik,

HTH,
Niko
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card