12-02-2024 10:33 PM - edited 12-02-2024 10:40 PM
12-03-2024 01:47 AM
Hello
The ports the "Hacker" switch is connecting to - did you manually configure that port to be a TRUNK? Otherwise it is recommended that all edge ports in production should be in an administrative mode of access; if you do that, then your "hacker" switch should be negated from attaching.
int x/x
switchport mode access
Note:
bpduguard = will errdisable/shutdown the port as/when a bpdu is received.
interface bpdufilter = will filter bpdus even without portfast enabled on the interface
global bpdufilter will trigger the port to stop using portfast (so go through the normal STP process) ONLY if portfast is also enabled. So if no BPDUs are seen on enablement of the port, then after a very short time the port transitions straight into a forwarding state; however, if BPDUs are seen then they are filtered from that port, which in effect disables spanning-tree on that port.
Now bpduguard/filter work slightly different when enabled together.
Interface bpduguard/filter - Filter will ALWAYS take precedence over guard, so if BPDUs are received then the filtering will occur and no blocking will happen.
Global bpduguard/filter = If it's deemed both features are required then this is the recommended approach, as when both are enabled globally FILTER will negate the port from sending any BPDUs, and if they are received the GUARD will errdisable/shutdown the interface, as/when those ports are specified as edge ports as I mentioned above.
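As an added example (not configuration posted by anyone in this thread), a Cisco IOS configuration that applies the access-mode edge-port recommendation above with per-interface portfast and bpduguard, keeps bpdufilter off the switch-to-switch uplink, and shows how to verify the result. Interface numbers and VLAN 10 are assumed.

```cisco
! Added example, not a poster's configuration. Interface names and VLAN 10 are assumed.
!
! --- Edge (user-facing) ports: administrative access mode, no DTP negotiation,
!     so an attached switch cannot bring the port up as a trunk; any received
!     BPDU err-disables the port instead of being processed.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Global alternative to the two per-interface spanning-tree lines above
! (applies only to ports that are operationally portfast, i.e. non-trunk):
!   spanning-tree portfast default
!   spanning-tree portfast bpduguard default
!
! --- Uplink to the distribution switch: STP stays fully active here.
!     Do NOT add "spanning-tree bpdufilter enable" on a switch-to-switch link;
!     that removes STP's loop detection on the link, which is the failure
!     mode described in this thread.
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport nonegotiate
!
! --- On the distribution switch, the port facing this access switch:
!     root guard rejects a superior BPDU from the access side. Never apply it
!     on the link toward the real root bridge, or that port goes
!     root-inconsistent.
interface GigabitEthernet1/0/24
 spanning-tree guard root
!
! --- Recover bpduguard-err-disabled edge ports automatically after 5 minutes
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! --- Verification
show spanning-tree summary
show spanning-tree interface GigabitEthernet1/0/1 detail
show interfaces status err-disabled
show running-config | include bpdufilter
```

The last `show` line is a quick audit for any bpdufilter left on an uplink; `show spanning-tree interface ... detail` reports whether BPDU guard or BPDU filter is active on a given port.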
12-02-2024 10:38 PM - edited 12-02-2024 10:48 PM
Am I right that this is a good way for a proper STP configuration?
Globally activate spanning-tree portfast default
and on the edge interfaces configure these commands:
spanning-tree bpdufilter enable
spanning-tree guard root
If someone has any other option, please add. Thanks in advance.
12-02-2024 11:12 PM
Below is what is recommended for where you configure each STP feature.
Regarding using bpdufilter, I don't recommend it at all.
MHM
12-02-2024 11:31 PM
For portfast and bpduguard in global vs per interface:
In global I see many issues running it globally; you can use it but with restrictions.
I prefer per interface.
MHM
12-03-2024 01:23 AM - edited 12-03-2024 01:24 AM
Second question: if I enable bpdufilter on an interface on the edge switch, is that OK?
int et0/0
des ISP
spanning-tree bpdufilter enable
12-03-2024 09:44 AM
This I will answer you in PM
MHM
12-03-2024 01:49 AM
Hello
@MHM Cisco World wrote:
In global I see many issues running it globally; you can use it but with restrictions.
Can you elaborate ?
12-03-2024 12:39 AM - edited 12-03-2024 12:40 AM
Permissible combinations on a switch port:
Loop guard and UDLD
Root guard and UDLD
Not permissible on a switch port:
Root guard and Loop guard
Root guard and BPDU guard
Am I right here? Do you mean at the same time or in general?
12-03-2024 09:43 AM
This question I don't get.
Can you elaborate more?
MHM
12-03-2024 01:03 AM - edited 12-03-2024 01:07 AM
Regarding using bpdufilter, I don't recommend it at all. Why?
bpdufilter - Stops a port from sending BPDUs or processing received BPDUs; is this the only reason, or is there another reason?
Share any link; with all due respect, please share this book/document.
12-03-2024 09:42 AM
I know bpdufilter will stop BPDUs, but the SW uses BPDUs to detect loops, and hence if by mistake one adds the filter under an interface connected to a SW, a loop will happen and the whole network will go down, flooded with multicast and broadcast.
I will send you some use cases as a PM.
MHM
12-03-2024 02:27 AM
The ports the "Hacker" switch is connecting to - did you manually configure that port to be a TRUNK?
Yes, manually.
interface bpdufilter = will filter bpdus even without portfast enabled on the interface
I want to understand what this BPDU filter does and what the profit is on an interface; if it just filters BPDUs, as mentioned above by Mr. MHM Cisco World, we don't need to use bpdufilter on the interface.
12-03-2024 03:40 AM - edited 12-03-2024 06:13 AM
Hello
@Mlex1 wrote:
The ports the "Hacker" switch is connecting to - did you manually configure that port to be a TRUNK?
Yes, manually.
interface bpdufilter = will filter bpdus even without portfast enabled on the interface
I want to understand what this BPDU filter does and what the profit is on an interface; if it just filters BPDUs, as mentioned above by Mr. MHM Cisco World, we don't need to use bpdufilter on the interface.
So why would you manually open up a port to be a trunk for anyone to just attach to it? You wouldn't; the whole idea is to negate unauthorised access, hence all edge ports should be defined as edge ports - if you manually set the port to be a trunk, then bpduguard/filtering/portfast is negated.
@Mlex1 wrote: interface bpdufilter = will filter bpdus even without portfast enabled on the interface
I want to understand what this BPDU filter does and what the profit is on an interface; if it just filters BPDUs, as mentioned above by Mr. MHM Cisco World, we don't need to use bpdufilter on the interface.
I have stated what BPDU filter/guard does: it either filters or blocks the receiving/sending of BPDUs on a port; as such it will negate a "hacker" switch (using your terminology) from attaching to the network and claiming itself to become root, plus it has varying effects based on how it is applied - globally/interface.
As for @MHM Cisco World's comments, I guess we need some elaboration on what they mean.
12-03-2024 10:03 AM
Interface bpduguard/filter - Filter will ALWAYS take precedence over guard so if bpdus are received then the filtering will occur and no blocking with happen
This statement is not correct.
Bpdufilter prevents the SW from sending BPDUs.
Bpduguard makes the SW detect received BPDUs.
So both are not related.
MHM