Network security, spanning tree and BPDU guard

netmask127
Level 1

Hi All,

So recently I've been working on a project configuring a network, and the issue of BPDU guard came up during security discussions. The network I'm configuring is layer-3 based and spanning tree is not running at all. There are a few layer-2 switches, but they only connect to layer-3 switches and never to another layer-2 switch. Does enabling BPDU guard on the ports (on the layer-3 and layer-2 switches) provide any security benefit? My initial thought is that it doesn't, since I'm not running spanning tree, but my superior disagrees...

I'm still fairly new to networking so just wanted to open a discussion here to get more view points and learn something. Comments welcome.

6 Replies

Mark Malone
VIP Alumni

Hi, I actually kind of agree with your superior, just my opinion. You may not be running STP in a full-on layer-2 topology, but it's still running on the single switch as a process and feature on every port unless you specifically disabled it using STP filter, which isn't a good idea. STP is there to protect, and PortFast and BPDU guard as best practice should still be applied to a single switch where possible; someone could easily come along and cross-patch a cable back into the same switch by mistake.

I had no idea STP was still running unless it's disabled! Thanks.

I guess this is a defensive measure that's good to have.

So I should enable BPDU guard on all ports that are non-trunk? Even the ones on the layer-3 switches?

There is not much point enabling BPDU guard if the link is pure layer 2. As soon as you start using SVIs on your layer-3 switches, that could be a different story.

I would personally put BPDU guard on access ports only, i.e. places where you would normally never expect something to connect that generates BPDUs, i.e. that will take part in STP.


It's best practice to use it on access ports where you would use PortFast; use the two commands together. Using bpduguard without portfast will do nothing, it's conditional, so you can enable it per port or just enable it globally and it will only apply itself to ports that have portfast enabled. You would only use filter if you were connecting to a switch that did not understand BPDUs.

Global:

spanning-tree portfast bpduguard default

ok. So for access ports I enable this feature.

What about routed ports? When the configuration is "no switchport", what would happen if someone patched the wrong cable in from another switch?

Is it correct to assume any layer-2 BPDUs are just going to get dropped and nothing can route via the port (unless the connected switch has the correct IP address and layer-3 routing protocol)?

Routed ports don't participate in STP, so it won't cause any loop at layer 2 if connected. Once no switchport is used, all layer-2 services/features are switched off at the port, so it won't understand BPDUs or acknowledge them.
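The two answers above (the global `spanning-tree portfast bpduguard default` only covering PortFast ports, and routed `no switchport` ports running no STP at all) are exactly the kind of thing that is easy to get wrong when reviewing a config by eye. The following is an added example, not code from this thread or from Cisco: a small Python audit that reads an IOS-style running-config and reports, per interface, whether BPDU guard would actually be in effect. The sample config embedded in it is constructed for illustration. It also encodes one fact not stated in the thread but documented IOS behaviour: the per-interface `spanning-tree bpduguard enable` form protects the port whether or not PortFast is configured on it.

```python
"""Audit an IOS-style config for which ports actually get BPDU guard.

Rules encoded:
  * `spanning-tree portfast bpduguard default` (global) only protects ports
    that have PortFast enabled.
  * `spanning-tree bpduguard enable` (per-interface) protects the port
    regardless of PortFast (documented IOS behaviour, not from the thread).
  * `no switchport` makes a routed port: no layer-2 STP process, so BPDU
    guard is not applicable and a stray BPDU is just an unparsed frame.
"""
from dataclasses import dataclass


@dataclass
class Interface:
    name: str
    routed: bool = False              # `no switchport`
    trunk: bool = False               # `switchport mode trunk`
    portfast: bool = False            # `spanning-tree portfast` (edge port)
    bpduguard_local: bool = False     # `spanning-tree bpduguard enable`
    bpduguard_disabled: bool = False  # `spanning-tree bpduguard disable`


def parse_config(text):
    """Return (global_bpduguard_default, {name: Interface}).

    Minimal parser: top-level lines start at column 0, interface
    sub-commands are indented with one space as in `show running-config`.
    """
    global_default = False
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            current = None  # any top-level line closes the interface block
            if line.startswith("interface "):
                current = Interface(line.split(None, 1)[1])
                interfaces[current.name] = current
            elif line == "spanning-tree portfast bpduguard default":
                global_default = True
            continue
        if current is None:
            continue
        cmd = line.strip()
        if cmd == "no switchport":
            current.routed = True
        elif cmd == "switchport mode trunk":
            current.trunk = True
        elif cmd.startswith("spanning-tree portfast"):
            # `spanning-tree portfast`, `... portfast edge`, `... portfast disable`
            current.portfast = not cmd.startswith("spanning-tree portfast disable")
        elif cmd == "spanning-tree bpduguard enable":
            current.bpduguard_local = True
        elif cmd == "spanning-tree bpduguard disable":
            current.bpduguard_disabled = True
    return global_default, interfaces


def bpduguard_status(iface, global_default):
    """Return (status, reason); status is 'protected', 'unprotected' or 'n/a'."""
    if iface.routed:
        return "n/a", "routed port: no layer-2 STP process, BPDU guard does not apply"
    if iface.bpduguard_disabled:
        return "unprotected", "spanning-tree bpduguard disable on the port"
    if iface.bpduguard_local:
        return "protected", "per-port spanning-tree bpduguard enable (independent of PortFast)"
    if global_default and iface.portfast:
        return "protected", "global portfast bpduguard default applies because PortFast is on"
    if iface.trunk:
        return "unprotected", "trunk: BPDUs from the peer switch are expected here"
    if global_default:
        return "unprotected", "global default present but PortFast is off, so it does not apply"
    return "unprotected", "no BPDU guard configured"


def audit(config_text):
    global_default, interfaces = parse_config(config_text)
    return {n: bpduguard_status(i, global_default) for n, i in interfaces.items()}


def unguarded_access_ports(config_text):
    """Access (non-routed, non-trunk) ports a stray switch could talk STP to."""
    global_default, interfaces = parse_config(config_text)
    return [n for n, i in interfaces.items()
            if not i.routed and not i.trunk
            and bpduguard_status(i, global_default)[0] == "unprotected"]


# Constructed sample config (not from a real device).
SAMPLE_CONFIG = """\
hostname L3-SW1
!
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 description routed uplink to core
 no switchport
 ip address 10.0.1.1 255.255.255.252
!
interface GigabitEthernet1/0/2
 description user port with PortFast
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description user port without PortFast
 switchport mode access
!
interface GigabitEthernet1/0/4
 description user port, per-port bpduguard, no PortFast
 switchport mode access
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/5
 description trunk to L2 access switch
 switchport mode trunk
!
"""

if __name__ == "__main__":
    for name, (status, reason) in audit(SAMPLE_CONFIG).items():
        print(f"{name:24} {status:12} {reason}")
    print("Access ports lacking BPDU guard:", unguarded_access_ports(SAMPLE_CONFIG))
```

Running it against the sample flags only GigabitEthernet1/0/3: it sits under the global default but has no PortFast, so the global command silently does nothing for it, which is the trap the thread warns about. The routed uplink is reported as not applicable rather than unprotected, matching the point that a `no switchport` port neither parses nor acts on BPDUs.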
