How BPDU Filtering provides security?

veddotcom
Level 1
Level 1

1. I know the port on which BPDU Filtering operates disables the incoming and outgoing of BPDUs, which prevents looping and hence provides security.

2. However, it also states that if any of the portfast ports (on which BPDU Filtering is already operating) receives a BPDU, the BPDU filter will take that port out of the portfast state and force that port to be part of the STP topology again.

My question is,

First of all, when BPDU filtering is enabled, in which case will the port encounter a BPDU, for which the second statement is...

[I am assuming somehow the port will receive a BPDU even after enabling BPDU Filter]

If a new switch is plugged into the portfast port on which BPDU filter is enabled, the new switch will send BPDUs, and then according to the rule, the portfast port will now allow BPDU transmission in both directions, resulting in the new switch possibly becoming the root switch. Isn't it?

Kindly clear my confusion, guys. Where am I wrong?

Thanks & Regards


Matthew Blanshard
Cisco Employee
Cisco Employee

To accomplish what you desire you will need to use the spanning-tree portfast bpdufilter default command.  There are two distinct behaviors of bpdufilter explained below:

1) "Spanning-tree bpdufilter enable" on the interface. This disables the sending and receiving of BPDUs on the port. All BPDUs incoming on the port are discarded. This effectively removes the port from ever participating in spanning tree.

2) "Spanning-tree portfast bpdufilter default" in global configuration. What this configuration will do is: any port which is in portfast mode will not send out BPDUs but will receive BPDUs, and when it does it will revert the port back to a normal spanning-tree port, and it loses its portfast state.

So in this instance you will need to use option #2 to solve this problem. 

HTH,

-Matt

Thanks Matt for your valuable reply and for making BPDU filter clearer; however, I'm still confused about the security part of BPDU filtering.

I mean, what's the point of re-enabling the portfast port for STP again? Doesn't it sound like a security vulnerability? For example, as I gave above:

If a new switch is plugged into the portfast port on which BPDU filter is enabled, the new switch will send BPDUs, and then according to the rule, the portfast port will now allow BPDU transmission in both directions, resulting in the new switch possibly becoming the root switch. Isn't it?

That is correct. When the portfast port that has been enabled with bpdufilter receives the BPDU, it will revert out of the portfast state and move through the standard spanning-tree states. The new switch can be the root, but you can use the spanning-tree root guard feature to prevent this from happening. From a security point of view, they make sure that if a switch is plugged in, it is taking part in the spanning-tree topology. I wouldn't want anyone plugging switches in that shouldn't be there, so I would use the bpduguard feature myself.
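As an added example (not from the thread above), here is a Cisco IOS configuration that places the interface-level BPDU filter from Matt's option 1 beside the global portfast default from option 2, combined with the BPDU guard and root guard features mentioned in the last reply. Interface numbers and the recovery interval are assumptions.

```cisco
! Added example, not from the original thread. Interface names are assumed.
!
! --- Weak: interface-level BPDU filter (option 1) ---
! The port neither sends nor receives BPDUs, so a switch or a cable
! loop plugged in here is invisible to spanning tree.
interface GigabitEthernet1/0/10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
! --- Hardened: global portfast defaults plus BPDU guard ---
! Portfast ports stop sending BPDUs (option 2) but still listen. With
! bpduguard default, a received BPDU err-disables the port instead of
! letting the unknown switch join the topology and contend for root.
spanning-tree portfast default
spanning-tree portfast bpdufilter default
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
interface GigabitEthernet1/0/10
 switchport mode access
 no spanning-tree bpdufilter
!
! --- Authorised downstream switch: root guard rather than BPDU guard ---
! BPDUs are accepted so the link participates in STP, but a superior
! BPDU puts the port into root-inconsistent state, so the downstream
! switch can never become root.
interface GigabitEthernet1/0/48
 switchport mode trunk
 spanning-tree guard root
!
! Verification:
!  show spanning-tree summary                   (global Portfast / BPDU Guard / BPDU Filter defaults)
!  show spanning-tree interface Gi1/0/10 detail (per-port guard and filter state)
!  show spanning-tree inconsistentports         (ports blocked by root guard)
!  show interfaces status err-disabled          (ports shut by BPDU guard)
```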
