Making switch invisible to upstream switches across multiple VLANs

furriousfox
Level 1
I've got a rather unorthodox configuration I need help with.
SIDE A:
On the end that is configurable sits a 2960 with IOS 12.2. The ideal configuration for us, as a temporary measure, is to split this switch into 3 segments, one for each of the 3 uplink ports going to the other switches.
SIDE B:
On the other side of the uplink ports to the wall are 3 switches that have static configurations we can't touch. Assume they have bpduguard (and probably more security and spanning tree features). Violations cause a port shutdown with no reset timer. Even without causing a loop, the ports shut down immediately.

Port 1 = access port vlan 10 and uplink to other switch
Ports 2-16 = access port vlan 10

Port 17 = access port vlan 20 and uplink to other switch
Ports 18-32 = access port vlan 20

Port 33 = access port vlan 30 and uplink to other switch
Ports 34-42 = access port vlan 30

The ports being plugged into on SIDE B are each access ports on 3 different switches. Each switch is a different VLAN / network, e.g. 10, 20, 30.
On the SINGLE switch on SIDE A, which I am trying to make transparent and loop-free, I want to try the following configuration:
! Global configuration. "vtp mode" and "spanning-tree portfast bpdufilter default"
! are global commands on IOS 12.2 and are rejected if entered under an interface.
! ("vtp mode off" needs a 12.2 release that supports it; older releases only
! offer "vtp mode transparent".)
vtp mode off
!
! Uplink to the SIDE B switch for VLAN 10
int gi0/1
	no cdp enable
	switchport mode access
	switchport access vlan 10
	switchport nonegotiate
	switchport protected
	! interface-level equivalent of the global "portfast bpdufilter default":
	! stops sending and receiving BPDUs on this port, which takes it out of STP
	spanning-tree bpdufilter enable

int range gi0/2-16
	switchport mode access
	switchport access vlan 10

! Uplink to the SIDE B switch for VLAN 20
int gi0/17
	no cdp enable
	switchport mode access
	switchport access vlan 20
	switchport nonegotiate
	switchport protected
	spanning-tree bpdufilter enable

int range gi0/18-32
	switchport mode access
	switchport access vlan 20

! Uplink to the SIDE B switch for VLAN 30
int gi0/33
	no cdp enable
	switchport mode access
	switchport access vlan 30
	switchport nonegotiate
	switchport protected
	spanning-tree bpdufilter enable

int range gi0/34-42
	switchport mode access
	switchport access vlan 30

So, with this port configuration, is there anything that would cause the switch to generate traffic that would cause a shutdown on the newer Cisco switches on side B? Including BPDUs, loops, etc.
Please let me know if I am missing anything or if you see any problems.
Our biggest worry would be to have the ports shut down again or to cause a loop between VLANs.
Thanks
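An added example (not from the thread or from Cisco) that lints a proposed segment config for the three things worth checking before plugging into a bpduguard-protected port: global commands misplaced under an interface, bpdufilter on an uplink, and two uplinks landing in the same VLAN (which would bridge two side-B switches together). The sample config, the port names and the `lint`/`parse`/`expand` helpers are constructed for this example.

```python
import re

# Constructed sample of the poster's layout: one VLAN segment with the commands
# as posted (misplaced global commands included), plus a second uplink that was
# put into the same VLAN by mistake.
SAMPLE = """\
int gi0/1
 vtp mode off
 switchport access vlan 10
 spanning-tree portfast bpdufilter default
int range gi0/2-16
 switchport access vlan 10
int gi0/17
 switchport access vlan 10
 spanning-tree bpdufilter enable
"""
# Global-configuration commands that IOS 12.2 rejects under an interface.
GLOBAL_ONLY = ("vtp mode", "spanning-tree portfast bpdufilter default")

def expand(spec):
    """'gi0/2-16' -> ['gi0/2', ..., 'gi0/16']; a single port name passes through."""
    m = re.fullmatch(r"(\S+?/)(\d+)-(\d+)", spec)
    if not m:
        return [spec]
    return [f"{m.group(1)}{n}" for n in range(int(m.group(2)), int(m.group(3)) + 1)]

def parse(text):
    """Map each port to its commands from a flat 'int ...' / 'int range ...' listing."""
    ports, current = {}, []
    for line in (ln.strip() for ln in text.splitlines()):
        m = re.match(r"int(?:erface)?(?:\s+range)?\s+(\S+)$", line)
        if m:
            current = expand(m.group(1))
            for p in current:
                ports.setdefault(p, [])
        elif line and current:
            for p in current:
                ports[p].append(line)
    return ports

def lint(text, uplinks):
    """Return sorted (port, finding) pairs for the risks raised in the thread."""
    out, uplink_vlans = [], {}
    for port, cmds in parse(text).items():
        vlan = next((c.split()[-1] for c in cmds if c.startswith("switchport access vlan")), "1")
        out += [(port, f"global-only command under interface: {c}") for c in cmds if c.startswith(GLOBAL_ONLY)]
        if port in uplinks:
            if any("bpdufilter" in c for c in cmds):
                out.append((port, "bpdufilter on a switch-to-switch link: STP cannot stop a loop here"))
            uplink_vlans.setdefault(vlan, []).append(port)
    for vlan, ups in uplink_vlans.items():
        if len(ups) > 1:  # two uplinks in one VLAN bridge two side-B switches together
            out.append((",".join(ups), f"two uplinks in vlan {vlan}: bridges two side-B switches"))
    return sorted(out)
```

Run `lint(SAMPLE, ("gi0/1", "gi0/17", "gi0/33"))` against the posted config to get the findings; a clean segment config returns an empty list.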
8 Replies

Mark Malone
VIP Alumni

Hi

You could run into issues there turning off STP. It's never a good idea to use bpdufilter on a switch connected to a switch; you're disabling your loop prevention mechanism between the switches, so if a loop does occur nothing is going to stop it.

If it's not redundant you're probably OK, but if there are links coming back another way you could easily have an issue.

its never a good idea to use bpdufilter on a switch connected to a switch

I've heard mixed information on this. I've heard the bpdufilter / guard should be on ANY device outside of your core switches. Including if that device is another switch. I really could see either being right depending on the circumstance. Honestly I believe it's a matter of ownership / politics at that point isn't it?

Thanks for your response as well. We decided the safest thing to do is to place a firewall between each switch VLAN and wall port to ensure that BPDU, CDP, etc. do not cause an automatic shutdown.

Yes, I do agree with that. There are circumstances where you could use bpdufilter, maybe with a hub in the network, but from the whole layer 2 aspect, having devices in it that have STP turned off or are not using it, I have seen it lead to problems when there is an actual issue locally and STP goes into a spin. I would never use it on a normal switch, only bpduguard and portfast; always avoid filter as it removes the interface/device from STP. A router or firewall is a good idea as it will break the broadcast domain, so it logically separates the networks at layer 2.

I've heard the bpdufilter / guard should be on ANY device outside of your core switches

That is not true. BPDUFilter stops the switch sending BPDUs, and although there are rare occasions where you may need it, it's not something to be used often.

Honestly I believe it's a matter of ownership / politics at that point isn't it?

No, it's about configuring what is best for you whilst trying to protect your network from any issues.

We decided the safest thing to do is to place a firewall between each switch vlan and wall port to ensure that bpdu, cdp, etc do not cause an automatic shutdown.

That depends, would it be a Layer 3 Firewall or a transparent one?

devils_advocate
Level 7

Hang on, you are plugging in your switch to three other switches and you have no idea on their configuration?

Assuming they do have BPDUguard enabled then the far end (i.e. their side) would be shutting down which means you must be speaking to somebody who manages their switches?

The proper way forward is to get whomever manages the far end switches to turn off BPDUGuard on the up/down link ports towards your 2960. 

The bodge and not recommended way is to enable BPDUFilter on your end, which will prevent your side from sending BPDUs.

The reality is, though, that without knowing the configuration on their side, you have no idea of the STP topology, and disabling BPDUs could open you up to a loop.

I know the STP topology. Each switch is its own VLAN. Single links, no LACP, etc.

I understand ideally the best thing to do is work with the group responsible for the switches. However due to logistical and / or political reasons, this is not always possible. In this particular case, the switches at the other end cannot be changed from their configuration.

I do know that port sec is turned off on each of the ports coming to me, but I am certain BPDUGuard is on as last time a factory default switch was plugged in it caused an immediate shutdown.

There's no greater chance of causing a loop on my side than if someone accidentally plugged one port on the wall directly into another.

I'm essentially wanting to take each of the ports on the wall and convert them into separate invisible switching hubs.

I believe this configuration will do that, as I turned off cdp, stp, dst, and BPDUs.

I also made each port protected so they are completely isolated from each other.

Mainly asking if the config I posted will accomplish this without causing a shutdown or loop at the other end.

The only way I could think to cause a loop would be to take a single cable and plug port gi0/2 into gi0/35 for instance. But this could happen as easily at the wall outlet.

I know the STP topology

In that case, you know which switch is the root bridge for each of those VLANs then, yes?

Which I believe this configuration will do as I turned off cdp, stp, dst, and bpdu's.

What could go wrong..

At the end of the day, what you are doing is bodging it and hoping for the best. My suggestion would be to do it properly with help from whomever manages the upstream switches. 

The root bridge is one step upstream from the switches on side B. It's a core switch controlling the vlan routing.

What could go wrong..

Can you tell me, outside of bad practices (and please believe that this is not the way I want to do things, which is why I am trying to identify and mitigate anything), what the increase in risk is with this configuration vs., let's say, plugging 3 dumb switching hubs into each port and using them separately.

Is there a better way to not trigger bpduguard on side B without turning on bpdufilter or disabling stp on the crosslinks? For example, would setting VTP to transparent help? Or tunneling some of the protocols, e.g. l2protocol-tunnel vtp.

what you are doing is bodging it and hoping for the best.

Unfortunately, you're 100% correct on this. But we have very few other options. And I seriously do appreciate you taking the time to provide input.

Like I said before though, now this is more of a thought experiment as we are adding a separate firewall between each vlan and switch to avoid any issue at all.
