Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
6163
Views
0
Helpful
6
Replies

Prevent Spanning tree from advertising outbound packets

Go to solution
jandtci27
Level 1
Level 1

ā€Ž02-18-2014 07:20 AM - edited ā€Ž03-07-2019 06:16 PM

Hi,

I have a 2960 switch with a connected workstation.

The switchport is configured for portfast and the BPDUguard is enable on the switch by default

When I wireshark the information on the connected pc then i see a lot of STP Packets coming in from the switch.

I would like to disable these messages because the information that is in the capture packets can be misused by an attacker who has access to this workstation, to obtain information of the spanning-tree configuration of the company.

Is it possible to disable the spanning-tree information that is sent from the switch ?

regards

Jan

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
John Blakley
VIP Alumni
VIP Alumni

ā€Ž02-18-2014 07:31 AM

You should be able to configure bpdufilter to stop it. The only issue is that you effectively stop stp on that port which could be dangerous.

Understanding How PortFast BPDU Filtering Works

BPDU filtering allows you to avoid transmitting  BPDUs on PortFast-enabled ports that are connected to an end system.  When you enable PortFast on the switch, spanning tree places ports in  the forwarding state immediately, instead of going through the  listening, learning, and forwarding states.

By default, spanning tree sends BPDUs from all  ports regardless of whether PortFast is enabled. BDPU filtering is on a  per-switch basis; after you enable BPDU filtering, it applies to all  PortFast-enabled ports on the switch.

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***

View solution in original post

0 Helpful

Go to solution
JohnTylerPearce
Level 7
Level 7
In response to jandtci27

ā€Ž02-19-2014 02:22 AM

Jandtci27l,

If you configure 'spanning-tree portfast bpdufilter default' in global configuration mode, then it will be applied "conditionally" based on ports that are configured with portfast.

This will prevent a port connected to an end device, from transmitting BPDUs to the end device.

If you configure 'spanning-tree bpdufilter enable' directly on a port, it is applied "unconditionally" and will always prevent BPDUs from being sent and or received.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
John Blakley
VIP Alumni
VIP Alumni

ā€Ž02-18-2014 07:31 AM

You should be able to configure bpdufilter to stop it. The only issue is that you effectively stop stp on that port which could be dangerous.

Understanding How PortFast BPDU Filtering Works

BPDU filtering allows you to avoid transmitting  BPDUs on PortFast-enabled ports that are connected to an end system.  When you enable PortFast on the switch, spanning tree places ports in  the forwarding state immediately, instead of going through the  listening, learning, and forwarding states.

By default, spanning tree sends BPDUs from all  ports regardless of whether PortFast is enabled. BDPU filtering is on a  per-switch basis; after you enable BPDU filtering, it applies to all  PortFast-enabled ports on the switch.

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
0 Helpful

Go to solution
jandtci27
Level 1
Level 1
In response to John Blakley

ā€Ž02-18-2014 11:59 PM

Hi John,

Thanks for your reply

I'm configuring it at this moment on a C3560 switch with IOS Version 12.2(53)SE, but the command is not existing (set spantree ....). Is it possible that it is only available on a more recent IOS version ?

The command will be globally applied on the switch on all ports configured in 'spanning-tree portfast'. Will it also be active on ports configured with 'spanning-tree portfast trunk' ?

global spanning-tree commands on the switch are :

  spanning-tree mode rapid-pvst

  spanning-tree loopguard default

  spanning-tree portfast bpduguard default

  no spanning-tree optimize bpdu transmission


Regards

Jan

0 Helpful

Go to solution
JohnTylerPearce
Level 7
Level 7
In response to jandtci27

ā€Ž02-19-2014 02:22 AM

Jandtci27l,

If you configure 'spanning-tree portfast bpdufilter default' in global configuration mode, then it will be applied "conditionally" based on ports that are configured with portfast.

This will prevent a port connected to an end device, from transmitting BPDUs to the end device.

If you configure 'spanning-tree bpdufilter enable' directly on a port, it is applied "unconditionally" and will always prevent BPDUs from being sent and or received.

0 Helpful

Go to solution
jandtci27
Level 1
Level 1
In response to JohnTylerPearce

ā€Ž02-19-2014 07:36 AM

Hi John,

thanks, this has solved the issue.

thank you both for answering and helping

regards

Jan

0 Helpful

Go to solution
jandtci27
Level 1
Level 1
In response to jandtci27

ā€Ž02-21-2014 12:30 AM

Hi all,

maybe still a small question : what will be the impact of the global command 'spanning-tree portfast bpdufilter default' on ports that are configured with 'spanning-tree portfast trunk' ?

will they also stop transmitting BPDU packets ? I suppose they will keep on transmitting because it is conditional. (But if they should stop, isn't this dangerous for the correct working of the spanning-tree protocol ?)

regards

Jan

0 Helpful

Go to solution
JohnTylerPearce
Level 7
Level 7
In response to jandtci27

ā€Ž02-21-2014 02:51 AM

Jandtci27,

When you enable 'spanning-tree portfast bpdufilter default', it will "conditionally" enable this on all access ports configured with portfast.

I would assume this would not configure bpduguard for a port configured with 'spanning-tree portfast trunk".

You could always, either test this, OR enable it, and check to amke sure its not configured with bpdufilter, and if it is, you can disable it with an interface level command.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card