11-01-2016 11:00 PM - edited 03-08-2019 08:00 AM
Hi All,
So recently I'm working on a project configuring the network and the issue of BPDU guard came up during security discussions. The network I'm configuring is layer 3 based and spanning tree is not running at all. There are a few layer 2 switches but they only connect to layer 3 switches and never another layer 2 switch. Does enabling BPDU guard on the ports (layer 3 and layer 2 switches) provide any security benefits? My initial thoughts are it doesn't since I'm not running spanning tree, but my superior disagrees...
I'm still fairly new to networking so just wanted to open a discussion here to get more view points and learn something. Comments welcome.
11-02-2016 01:39 AM
Hi, I actually kind of agree with your superior, just my opinion. You may not be running STP in a full-on layer 2 topology, but it's still running on the single switch as a process and feature on every port unless you specifically disabled it using STP filter, which isn't a good idea. STP is there to protect, and PortFast and BPDU guard as best practice should still be applied to a single switch where possible; someone could easily come up and cross-patch a cable back by mistake to the same switch.
11-02-2016 07:05 PM
I had no idea STP was still running unless it's disabled! Thanks.
I guess this is a defensive measure that's good to have.
So I should enable BPDU guard on all ports that are non-trunk? Even the ones on the layer 3 switches?
11-02-2016 09:21 PM
There is not much point enabling BPDU guard if the link is pure layer 2. As soon as you start using SVIs on your layer 3 switches, that could be a different story.
I would personally put BPDU guard on access ports only, i.e. places where you would normally never expect something to connect that generates BPDUs, i.e. will take part in STP.
11-03-2016 01:15 AM
It's best practice to use it on access ports where you would use PortFast. Use the 2 commands together; using bpduguard without portfast will do nothing, it's conditional. So you can enable it per port or just enable it globally and it will only apply itself to ports that have portfast enabled. You would only use filter if you were connecting to a switch that did not understand BPDUs.
global
spanning-tree portfast bpduguard default
11-03-2016 05:45 PM
OK. So for access ports I enable this feature.
What about routing port? When the configuration is "no switchport", what would happen if someone patched the wrong cable in from another switch?
Is it correct to assume any layer 2 BPDUs are just going to get dropped and nothing can route via the port (unless the connected switch has the correct IP address and layer 3 routing protocol)?
11-04-2016 01:35 AM
Routed ports don't participate in STP, so it won't cause any loop at layer 2 if connected. Once no switchport is used, all layer 2 services/features are switched off at the port, so it won't understand BPDUs or acknowledge them.
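The advice in the 11-03 and 11-04 replies, pulled together as an added Cisco IOS configuration example (this is not configuration posted by anyone in the thread). The interface names, VLAN 10, the 300-second recovery timer and the 10.0.0.0/30 addressing are assumptions chosen for illustration; the commands themselves are standard IOS syntax. It shows BPDU guard enabled per port and globally (where it only takes effect on PortFast ports), an uplink trunk deliberately left without it, and a routed port with no switchport that does not process BPDUs at all.

```cisco
! Added example, not from the original thread. Interface names, VLAN 10,
! the recovery interval and the addressing below are assumptions.

! --- Access ports: PortFast + BPDU guard applied per port ---
interface GigabitEthernet1/0/1
 description Access port - end host only, never another switch
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Or enable it globally: the guard only takes effect on ports
!     where PortFast is active, so trunks/uplinks are not affected ---
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! A guarded port that receives a BPDU (e.g. a switch patched in by
! mistake) goes err-disabled. Optional: bring it back automatically
! after 300 seconds instead of a manual shutdown / no shutdown.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! --- Uplink to the layer 3 switch: a normal trunk, no PortFast,
!     so no BPDU guard is applied to it ---
interface GigabitEthernet1/0/48
 description Uplink to layer 3 switch
 switchport mode trunk
!
! --- Routed port on the layer 3 switch: "no switchport" removes all
!     layer 2 features, so STP and BPDU guard do not apply here ---
interface GigabitEthernet1/0/24
 description Routed link (assumed addressing)
 no switchport
 ip address 10.0.0.1 255.255.255.252
!
! Verification (read-only show commands):
!   show spanning-tree summary                    - global BPDU guard default state
!   show spanning-tree interface Gi1/0/1 detail   - per-port PortFast / BPDU guard
!   show interfaces status err-disabled           - ports shut down by BPDU guard
!   show interfaces Gi1/0/24 switchport           - confirms the port is not a switchport
```

When testing this, patching a second switch into Gi1/0/1 should err-disable that port within seconds and log a BPDU guard message, while the same cable into Gi1/0/24 should produce no spanning-tree reaction at all, because the routed port neither sends nor interprets BPDUs.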