03-13-2007 12:50 AM - edited 03-05-2019 02:52 PM
Hi.
What will happen if the switch receives a rogue BPDU (superior BPDU packets) on a VLAN which is not taking part in STP? And it isn't in portfast mode.
As I understand it, there should be nothing related to unauthorized activity, as the switch doesn't have any STP instance for that VLAN. Am I right?
03-13-2007 09:28 AM
Your question includes a lot of different concerns. Let me answer with a list of statements that, hopefully, covers what you are looking for.
-1- forget about portfast. Portfast does not disable STP and will do nothing to prevent bpdus from being received.
-2- in PVST modes, if stp is disabled on a vlan, the bpdu is flooded in this vlan
-3- in PVST modes, if a bpdu is received on a vlan that is not configured on a trunk, it is dropped.
-4- generally speaking, you can only trust completely a port or not at all. If there is a possibility that an un-cooperative device is connected on a port, you don't want to accept any bpdus from this port. The simplest protection is to configure rootguard, that will just prevent better information to be injected on the port. Else you can use bpduguard, that will shut down the port as soon as it receives a bpdu. Eventually, you can configure some kind of port security, because someone can still generate a layer 2 loop between two access ports while never relaying bpdus.
Regards,
Francois
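The four statements above can be read as a decision procedure a switch port runs on every BPDU it receives. The following Python model, added here as an illustration and not code from the thread or from Cisco, parses an 802.1D configuration BPDU (LLC header plus the 35-byte body), compares bridge IDs the way STP does (lower priority, then lower MAC, wins), and applies the per-port checks from the answer: drop when the VLAN is not allowed on the trunk, flood when STP is disabled for the VLAN, err-disable under BPDU guard, and block a superior root under root guard. The BPDU bytes, port names and bridge IDs are constructed, and the order in which the checks are applied is an assumption of this model rather than a statement about any particular IOS release.

```python
"""Model of what a switch port does with a received configuration BPDU.

Added illustration (constructed data, simplified behaviour). Check order in
handle_bpdu() is an assumption of this model, not documented IOS behaviour.
"""
import struct
from dataclasses import dataclass

LLC_STP = b"\x42\x42\x03"   # DSAP/SSAP 0x42, control 0x03 (UI): STP LLC header
BPDU_CONFIG = 0x00          # BPDU type field value for a configuration BPDU
BPDU_CONFIG_LEN = 35        # fixed length of the 802.1D configuration BPDU body


@dataclass(frozen=True)
class BridgeId:
    priority: int   # 16-bit priority field; lower is better
    mac: bytes      # 6-byte bridge MAC; breaks priority ties, lower is better

    def is_superior_to(self, other: "BridgeId") -> bool:
        """STP elects the numerically lowest bridge ID as root."""
        return (self.priority, self.mac) < (other.priority, other.mac)


@dataclass
class ConfigBpdu:
    flags: int
    root: BridgeId
    root_path_cost: int
    sender: BridgeId
    port_id: int
    message_age: int
    max_age: int
    hello_time: int
    forward_delay: int


def build_config_bpdu(root: BridgeId, cost: int, sender: BridgeId,
                      port_id: int = 0x8001) -> bytes:
    """Serialise a configuration BPDU with 802.1D default timers (1/256 s units)."""
    body = struct.pack("!HBBB", 0x0000, 0x00, BPDU_CONFIG, 0x00)   # proto, version, type, flags
    body += struct.pack("!H6s", root.priority, root.mac) + struct.pack("!I", cost)
    body += struct.pack("!H6s", sender.priority, sender.mac)
    body += struct.pack("!HHHHH", port_id, 0, 20 * 256, 2 * 256, 15 * 256)
    return LLC_STP + body


def parse_config_bpdu(frame: bytes) -> ConfigBpdu:
    """Parse LLC header + configuration BPDU; reject anything that is not one."""
    if not frame.startswith(LLC_STP):
        raise ValueError("not an STP LLC frame")
    body = frame[len(LLC_STP):]
    if len(body) < BPDU_CONFIG_LEN:
        raise ValueError("truncated BPDU")
    proto, _version, btype, flags = struct.unpack("!HBBB", body[:5])
    if proto != 0 or btype != BPDU_CONFIG:
        raise ValueError("not a configuration BPDU")
    rp, rmac = struct.unpack("!H6s", body[5:13])
    (cost,) = struct.unpack("!I", body[13:17])
    sp, smac = struct.unpack("!H6s", body[17:25])
    port_id, msg_age, max_age, hello, fwd = struct.unpack("!HHHHH", body[25:35])
    return ConfigBpdu(flags, BridgeId(rp, rmac), cost, BridgeId(sp, smac),
                      port_id, msg_age, max_age, hello, fwd)


@dataclass
class Port:
    name: str
    trunk: bool = False
    allowed_vlans: frozenset = frozenset()   # only meaningful for trunks
    bpdu_guard: bool = False
    root_guard: bool = False


def handle_bpdu(port: Port, vlan: int, frame: bytes, stp_vlans: set,
                current_root: BridgeId) -> str:
    """Return the action this model switch takes for a BPDU received on (port, vlan)."""
    # statement -3-: a BPDU for a VLAN the trunk does not carry is dropped
    if port.trunk and vlan not in port.allowed_vlans:
        return "drop: vlan not allowed on trunk"
    bpdu = parse_config_bpdu(frame)
    # statement -4-: BPDU guard err-disables the port on any BPDU at all
    if port.bpdu_guard:
        return "errdisable: bpduguard"
    # statement -2-: no STP instance for this VLAN, so the BPDU is flooded in it
    if vlan not in stp_vlans:
        return "flood: stp disabled on vlan"
    # statement -4-: root guard refuses a root better than the one we know
    if port.root_guard and bpdu.root.is_superior_to(current_root):
        return "block: rootguard (root-inconsistent)"
    return "accept"


# Constructed bridge IDs: our root, a rogue claiming a lower (better) priority,
# and a legitimate neighbour that agrees on the root.
OUR_ROOT = BridgeId(32768, bytes.fromhex("0000000000aa"))
ROGUE = BridgeId(4096, bytes.fromhex("00000000ffff"))
PEER = BridgeId(32768, bytes.fromhex("0000000000bb"))


def demo() -> dict:
    """Run the five scenarios from the thread and return port -> action."""
    rogue = build_config_bpdu(ROGUE, 0, ROGUE)
    normal = build_config_bpdu(OUR_ROOT, 4, PEER)
    stp_vlans = {10, 20}
    trunk = Port("Gi0/1", trunk=True, allowed_vlans=frozenset({10, 20}), root_guard=True)
    edge = Port("Fa0/5", bpdu_guard=True)
    plain = Port("Fa0/7")
    return {
        "trunk-vlan30": handle_bpdu(trunk, 30, rogue, stp_vlans, OUR_ROOT),
        "edge-guard": handle_bpdu(edge, 10, rogue, stp_vlans, OUR_ROOT),
        "plain-stpoff": handle_bpdu(plain, 50, rogue, stp_vlans, OUR_ROOT),
        "trunk-superior": handle_bpdu(trunk, 10, rogue, stp_vlans, OUR_ROOT),
        "trunk-normal": handle_bpdu(trunk, 10, normal, stp_vlans, OUR_ROOT),
    }


if __name__ == "__main__":
    for scenario, action in demo().items():
        print(f"{scenario:15s} -> {action}")
```

The `plain-stpoff` case is the original question: with no STP instance for the VLAN and no guard on the port, the model floods the rogue BPDU rather than acting on it, which is why the answer recommends deciding per port whether to trust BPDUs at all instead of relying on the VLAN having STP disabled.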
03-13-2007 01:48 AM
Leo, if you don't have STP enabled for a VLAN on the switch, then neither of the switches will send a BPDU for that VLAN on the link. No BPDU will be seen for that VLAN on the switch. A loop will happen if you connect redundant links between the switches on the same VLAN.
HTH,
-amit singh