Prevent Spanning tree from advertising outbound packets

jandtci27
Level 1

Hi,

I have a 2960 switch with a connected workstation.

The switchport is configured for PortFast, and BPDU Guard is enabled on the switch by default.

When I run Wireshark on the connected PC, I see a lot of STP packets coming in from the switch.

I would like to disable these messages, because the information in the captured packets can be misused by an attacker who has access to this workstation to obtain information about the company's spanning-tree configuration.

Is it possible to disable the spanning-tree information that is sent from the switch?

regards

Jan


6 Replies

John Blakley
VIP Alumni

You should be able to configure bpdufilter to stop it. The only issue is that you effectively stop STP on that port, which could be dangerous.

Understanding How PortFast BPDU Filtering Works

BPDU filtering allows you to avoid transmitting BPDUs on PortFast-enabled ports that are connected to an end system. When you enable PortFast on the switch, spanning tree places ports in the forwarding state immediately, instead of going through the listening, learning, and forwarding states.

By default, spanning tree sends BPDUs from all ports regardless of whether PortFast is enabled. BPDU filtering is on a per-switch basis; after you enable BPDU filtering, it applies to all PortFast-enabled ports on the switch.

HTH,
John

*** Please rate all useful posts ***

Hi John,

Thanks for your reply

I'm configuring it at this moment on a C3560 switch with IOS version 12.2(53)SE, but the command does not exist (set spantree ....). Is it possible that it is only available in a more recent IOS version?

The command will be applied globally on the switch to all ports configured with 'spanning-tree portfast'. Will it also be active on ports configured with 'spanning-tree portfast trunk'?

The global spanning-tree commands on the switch are:

  spanning-tree mode rapid-pvst
  spanning-tree loopguard default
  spanning-tree portfast bpduguard default
  no spanning-tree optimize bpdu transmission


Regards

Jan

Jandtci27,

If you configure 'spanning-tree portfast bpdufilter default' in global configuration mode, then it will be applied "conditionally", based on which ports are configured with portfast.

This will prevent a port connected to an end device from transmitting BPDUs to the end device.

If you configure 'spanning-tree bpdufilter enable' directly on a port, it is applied "unconditionally" and will always prevent BPDUs from being sent or received.

Hi John,

Thanks, this has solved the issue.

Thank you both for answering and helping.

regards

Jan

Hi all,

Maybe still a small question: what will be the impact of the global command 'spanning-tree portfast bpdufilter default' on ports that are configured with 'spanning-tree portfast trunk'?

Will they also stop transmitting BPDU packets? I suppose they will keep on transmitting, because it is conditional. (But if they should stop, isn't this dangerous for the correct working of the spanning-tree protocol?)

regards

Jan

Jandtci27,

When you enable 'spanning-tree portfast bpdufilter default', it will "conditionally" enable this on all access ports configured with portfast.

I would assume this would not configure bpduguard for a port configured with 'spanning-tree portfast trunk'.

You could always either test this, or enable it and check to make sure it's not configured with bpdufilter, and if it is, you can disable it with an interface-level command.
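Pulling the two accepted answers and the last reply together, the configuration below is an added example (not configuration posted in this thread, and not Cisco's own documentation) for a 2960/3560-class IOS switch. The four global lines other than `spanning-tree portfast bpdufilter default` come from Jan's posted config; the interface names, descriptions and VLAN number are chosen for illustration.

```cisco
! Global defaults. Only the bpdufilter line is new; the rest is the
! thread's existing config.
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
no spanning-tree optimize bpdu transmission
!
! Workstation port (assumed name): a PortFast edge port, so the
! conditional global filter applies and the port stops sending BPDUs.
! If a BPDU ever arrives, the port loses its PortFast status and with
! it the filter, so a switch plugged in here is still detected.
interface GigabitEthernet0/1
 description workstation
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Uplink to another switch (assumed name). Pinning the filter off at
! interface level overrides the global default, whatever portfast or
! portfast trunk setting later ends up on the port.
interface GigabitEthernet0/24
 description uplink
 switchport mode trunk
 spanning-tree bpdufilter disable
!
! The unconditional form from the second accepted answer. Keep it for
! ports you have verified lead nowhere: the port neither sends nor
! acts on BPDUs, so a loop through it is never detected.
! interface GigabitEthernet0/2
!  spanning-tree bpdufilter enable
```

Verify rather than assume: `show spanning-tree summary` has a `Portfast BPDU Filter Default` line that confirms the global setting, and `show spanning-tree interface GigabitEthernet0/1 detail` reports per port whether the filter is operational; run the latter for the uplink and for any `spanning-tree portfast trunk` port to settle the question raised above on your own IOS release. Note also that the conditional form still lets a port send a few BPDUs right after link-up before the filter takes effect, so a capture started before the cable is plugged in will show some frames; the steady-state stream is what disappears.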
