03-31-2016 08:13 AM - edited 03-08-2019 05:10 AM
Hi this is a really silly question, but please advise me as I am confused.
I know BPDU is used for spanning-tree, which is layer2.
What happens when I connect a router to a BPDUguard-enabled interface of a switch?
Will it err-disable the port or can I just use it with no problem?
As far as I know, a router doesn't participate in spanning-tree or send any BPDUs, so switches will not consider it a malicious device.
If my assumption is correct, what technology on layer 2 other than port security can prevent a layer-3 device from connecting to it, and vice versa?
I would really appreciate any comment.
Thanks.
03-31-2016 08:40 AM
Hi!
No, the router will not trigger the BPDUguard feature in your switch since Routers do NOT send BPDUs.
To avoid layer 3 connections to your switch and prevent attacks or other undesirable network behaviors on your access ports, you can use DAI (Dynamic ARP Inspection), which validates ARP replies by comparing them with a local trusted internal database, so a host will not answer ARPs with MAC addresses other than those specified in the internal database.
Please refer to the next link for configuration and detailed explanation of DAI:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dynarp.html
Hope it helps, best regards!
JC
03-31-2016 08:44 AM
Hi,
You are correct.
Just make sure that the router is not running bridging like BVI and does not have an Ethernet switch card connecting back to your switch network, etc.
If it is, you will need to make adjustments like loop guard instead, etc.
Regards
Alex
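The two answers above (BPDU guard on the access port, with DAI as the layer 3 control) can be put together in one Catalyst IOS configuration. The following is an added example, not a configuration posted in this thread; the interface names, VLAN 10, the router's address 10.10.10.1 and its MAC 0000.0c12.3456 are assumed for illustration. The point worth checking in practice: a router with a static address never appears in the DHCP snooping binding table, so with DAI enabled its ARP replies are dropped unless you either trust its port or permit it through an ARP ACL, as done here. The errdisable recovery lines cover the case Alex mentions, where a router that does bridge (BVI or switch module) sends a BPDU and the port is shut down.

```cisco
! DAI builds on the DHCP snooping binding table, so enable snooping first
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! Static host (the router) is not in the snooping table: permit it explicitly.
! The "static" keyword on the filter means no fallback to the binding table
! for this VLAN, so only the entries in the ACL are accepted as valid.
arp access-list ROUTER-STATIC
 permit ip host 10.10.10.1 mac host 0000.0c12.3456
ip arp inspection filter ROUTER-STATIC vlan 10 static
!
! Let a BPDU-guard err-disabled port recover on its own after 5 minutes
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
interface GigabitEthernet1/0/1
 description Router (assumed hypothetical host)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip arp inspection limit rate 15
!
interface GigabitEthernet1/0/24
 description Uplink to distribution (assumed hypothetical uplink)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
```

After applying it, `show ip arp inspection vlan 10` shows whether the VLAN is active and which ACL is attached, and `show ip arp inspection interfaces` confirms which ports are trusted. If the router's port is ever err-disabled, `show interfaces status err-disabled` names the cause (bpduguard), which means the router did send a BPDU and is bridging as Alex describes.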