02-16-2011 07:54 AM - edited 03-06-2019 03:35 PM
Hi,
We have Cisco proprietary features like Root Guard, BPDU Guard, Loop Guard to protect from unauthorised access to network by connecting switches to our network, enhancing security.
What are the open standard features like Root Guard or BPDU Guard or BPDU Filtering etc.?
Thanks,
Ajay
02-16-2011 09:38 AM
Ajay,
There is, in my opinion, nothing proprietary about the Root Guard, BPDU Guard, BPDU Filter, or the Loop Guard. All these features are merely added logic about receiving/sending BPDUs but they do not modify the STP behavior or the BPDU format in any way, and they are all perfectly interoperable with pure 802.1D/802.1Q STP/RSTP/MSTP implementations. While it is possible that different vendors may call these functions by different names, there is, I guess, nothing preventing them from implementing similar functionality in their products. However, I do not think there are any open RFCs, Internet Drafts or standards that describe functions similar to these additional STP features.
I am not sure if I have answered your question... please feel free to ask further!
Best regards,
Peter
02-17-2011 07:20 AM
Thanks Peter for your reply. I understand what you are saying, but in my opinion, if we take EtherChannels there is open standard LACP; if we take Portfast or Uplinkfast and Backbonefast of Cisco, we have a replacement RSTP for those. In that way, there should be something for Root Guard and BPDU Guard for IEEE.
Commands may be somewhat different for different vendors, but there should be one standard for all.
Thanks,
Ajay.
02-16-2011 01:49 PM
Hello Ajay,
all the features that you have mentioned are not negotiated with the neighbors, but are ways to put constraints to STP behaviour so that some topology changes are not permitted.
As a result of this, each vendor has implemented most of them with similar naming.
I may be wrong, but the standards cover what is exchanged between devices, so 802.1s and underlying 802.1W are documented, and MST is the best way to implement STP in modern multi-vendor networks.
Hope to help
Giuseppe
02-19-2011 06:36 AM
So if we use MST in a multivendor network, there will not be any problem related to switch security even if an intruder connects his own switch to an access layer switch. MST can protect from topology changes like Root Guard. Right? Is it
Thanks,
Ajay
02-19-2011 11:40 AM
Hi Ajay,
So if we use MST in a multivendor network, there will not be any problem related to switch security even if an intruder connects his own switch to an access layer switch. MST can protect from topology changes like Root Guard. Right?
No, that's not correct. The MST has no added security features. With respect to security enhancements, there are none, and the MSTP is just as (in)secure as RSTP or STP.
The Root Guard, Loop Guard, BPDU Guard and BPDU Filter are, as you have yourself described them, proprietary extensions to the STP made by Cisco. Whether they are proprietary can be a matter of debate (with respect to their intellectual ownership, sure, they are Cisco's; however, their principle of operation is so trivial that anybody can implement them) but still, they are not part of the official STP/RSTP/MSTP standard, and I do not know of any other standard, recommendation or RFC that describes similar features.
The bottom line is - if you need similar functions to be supported in a different vendor's products, you have to ask that vendor to implement them. If you find the standardization effort lacking in this area then perhaps nobody needs these functionalities to be actually covered by a standard or a recommendation, but then again, I believe that at least submitting an Internet Draft should be actually possible even to us.
Best regards,
Peter
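The replies above describe BPDU Guard and Root Guard as purely local receive-side checks that leave the BPDU format untouched. The sketch below is an added example, not part of the thread and not any vendor's code, and it models those two checks against a standard 802.1D configuration BPDU. The names `Port` and `receive_bpdu`, the bridge IDs and the BPDUs are constructed for illustration; the state names follow Cisco's terminology.

```python
import struct
from dataclasses import dataclass

# 802.1D configuration BPDU body (after the LLC header): 35 bytes.
FMT = "!HBBB8sI8sHHHHH"

def bridge_id(priority, mac_hex):
    return struct.pack("!H", priority) + bytes.fromhex(mac_hex)

def build_bpdu(root, cost, bridge, port_id):
    # Timers are in 1/256 s: message age 0, max age 20 s, hello 2 s, forward delay 15 s.
    return struct.pack(FMT, 0, 0, 0, 0, root, cost, bridge, port_id, 0, 5120, 512, 3840)

def parse_bpdu(raw):
    """Return the priority vector (root id, path cost, bridge id, port id)."""
    if len(raw) < struct.calcsize(FMT):
        raise ValueError("truncated BPDU")
    proto, _ver, btype, _flags, root, cost, bridge, port, *_timers = struct.unpack_from(FMT, raw)
    if proto != 0 or btype not in (0x00, 0x02):   # config or RST BPDU
        raise ValueError("not a configuration BPDU")
    return (root, cost, bridge, port)

@dataclass
class Port:
    own_vector: tuple            # what this port advertises as a designated port
    bpdu_guard: bool = False
    root_guard: bool = False
    state: str = "forwarding"

def receive_bpdu(port, raw):
    """Local guard checks made before the BPDU reaches the normal STP logic."""
    if port.bpdu_guard:                      # any BPDU at all disables the port
        port.state = "err-disabled"
    elif port.root_guard and parse_bpdu(raw) < port.own_vector:
        port.state = "root-inconsistent"     # superior BPDU: block, do not re-elect
    return port.state

# Constructed sample values (not from the thread).
ROOT = bridge_id(4096, "000000000001")
OWN = (ROOT, 4, bridge_id(32768, "00000000000a"), 0x8001)
SUPERIOR = build_bpdu(bridge_id(0, "0000000000ff"), 0, bridge_id(0, "0000000000ff"), 0x8001)
INFERIOR = build_bpdu(ROOT, 8, bridge_id(32768, "00000000000b"), 0x8001)

if __name__ == "__main__":
    for label, bpdu in (("superior", SUPERIOR), ("inferior", INFERIOR)):
        for guards in ({}, {"root_guard": True}, {"bpdu_guard": True}):
            print(label, guards or "no guard", "->", receive_bpdu(Port(OWN, **guards), bpdu))
```

A port with neither guard stays forwarding and hands the superior BPDU to ordinary STP/RSTP/MSTP processing, which is why the protocol version alone gives no protection here.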