
STP

Mlex1 (Spotlight)
Hello, I want to understand how I use these STP commands; for me the two options are clear.

Option 1

spanning-tree portfast edge default
spanning-tree portfast edge bpduguard default
spanning-tree portfast edge bpdufilter default

And I tested bpduguard/bpdufilter on EVE-NG with both commands active globally; I didn't see any result. When I connect the hacker switch, the hacker SW became root
(the priority on the hacker SW is 0, it's just for a test).

Here I have some confusion about bpdufilter. As I understand it, bpdufilter filters BPDUs?

Option 2

Activate both commands on interface GigabitEthernet0/2 of SW3

interface GigabitEthernet0/2
spanning-tree bpdufilter enable
spanning-tree bpduguard enable

In this case SW1 and the hacker both became root.

SW1#show span

VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 500c.0001.0000
This bridge is the root

Atacker(config-if)#do show span

VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 1
Address 500c.0004.0000
This bridge is the root

Option 3

On interface Gi0/2 of SW3 I configured bpdufilter and root guard;
in this case also SW1 and the hacker's SW both became root.
How do I choose the correct STP configuration for the network?
Wish all the best
Accepted Solution

Hello
The ports the "Hacker" switch is connecting to - did you manually configure that port to be a TRUNK? Otherwise it is recommended that all edge ports in production should be in an administrative mode of access; if you do that then your "hacker" switch should be negated from attaching.

int x/x
switchport mode access

Note:
bpduguard = will errdisable/shutdown the port as/when a BPDU is received.
interface bpdufilter =
will filter BPDUs even without portfast enabled on the interface.

global bpdufilter =
will trigger the port to stop using portfast (so go through the normal STP process) ONLY if portfast is also enabled. So if no BPDUs are seen on enablement of the port, then after a very short time the port transitions straight into a forwarding state; however, if BPDUs are seen then they are filtered from that port, which in effect disables spanning-tree on that port.


Now bpduguard/filter work slightly differently when enabled together.
Interface bpduguard/filter - Filter will ALWAYS take precedence over guard, so if BPDUs are received then the filtering will occur and no blocking will happen.

Global bpduguard/filter = If it's deemed both features are required then this is the recommended approach, as when both are enabled globally FILTER will negate the port from sending any BPDUs, and if they are received the GUARD will errdisable/shutdown the interface, as/when those ports are specified as edge ports as I mention above.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
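To make the accepted answer concrete, here is an added example (not configuration from the original post) showing the option-2 style port from the question beside the hardened edge-port configuration the answer recommends; the interface description, VLAN number and recovery interval are assumed.

```cisco
! --- Weak (option 2 in the question): SW3 Gi0/2, manually a trunk ---
! Because the port is a trunk, the global "portfast edge ... default"
! commands never apply to it. On the interface, bpdufilter takes
! precedence over bpduguard: received BPDUs are dropped, the port never
! err-disables, and the rogue switch simply runs its own STP domain
! (both SW1 and the rogue show "This bridge is the root", as in the
! question's output).
interface GigabitEthernet0/2
 switchport mode trunk
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
! --- Hardened (what the accepted answer recommends) ---
! Global defaults apply to every non-trunking (access) port.
spanning-tree portfast edge default
spanning-tree portfast edge bpduguard default
! Optional: bring an err-disabled port back after 5 minutes (assumed
! value) instead of requiring a manual shut/no shut once the rogue
! device has been removed.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
interface GigabitEthernet0/2
 description user edge port (assumed)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast edge
 spanning-tree bpduguard enable
 ! explicitly off so a global bpdufilter default can never mask guard
 spanning-tree bpdufilter disable
!
! --- Verify ---
! Confirms Gi0/2 is an edge port with BPDU guard, then shows whether it
! was err-disabled after the rogue switch sent a BPDU.
! show spanning-tree interface GigabitEthernet0/2 portfast
! show spanning-tree summary
! show interfaces status err-disabled
```

With the hardened port, the rogue switch's first BPDU puts Gi0/2 into err-disabled, so SW1 stays the only root and the event is visible in the switch log.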


Replies

Mlex1 (Spotlight)

Am I right that the proper STP configuration, the good way, is this one?

Globally activate spanning-tree portfast default

and on the edge interfaces configure these commands:

spanning-tree bpdufilter enable
spanning-tree guard root


If someone has any other option please add. Thanks in advance.

Wish all the best

Below is the recommendation for where you configure each STP feature:

[image: ccnp-switch-faq-protecting-spanning-tree-protocol-topology.jpg]

Regarding using bpdufilter, I don't recommend it at all.

MHM

For portfast and bpduguard in global vs per interface:

In global I see many issues with running it in global; you can use it, but with restrictions.

I prefer per interface.

MHM

Second question: if I enable bpdufilter on an interface on the edge switch, is it OK?

int et0/0
des ISP
spanning-tree bpdufilter enable

Wish all the best

This I will answer you in a PM.

MHM

Hello


@MHM Cisco World wrote:
In global I see many issues with running it in global; you can use it, but with restrictions.

Can you elaborate?



Kind Regards
Paul

Permissible combinations on a switch port:
- loop guard and UDLD
- root guard and UDLD

Not permissible on a switch port:
- root guard and loop guard
- root guard and BPDU guard

Am I right here? Do you mean at the same time or in general?

Wish all the best

This question I don't get.

Can you elaborate more?

MHM

"Regarding using bpdufilter, I don't recommend it at all." Why?

bpdufilter - stops a port from sending BPDUs or processing received BPDUs. Is this the only reason, or is there another reason?

Share any link; with all due respect, please share this book/document.


Wish all the best

I know bpdufilter will stop BPDUs, but the SW uses BPDUs to detect loops, and hence if by one mistake you add the filter under an interface connected to a SW, a loop will happen and the whole network will be down, flooded by multicast and broadcast.

I will send you some use cases in a PM.

MHM


"The ports the "Hacker" switch is connecting to - did you manually configure that port to be a TRUNK?"
Yes, manually.

"interface bpdufilter = will filter BPDUs even without portfast enabled on the interface"
I want to understand what this BPDU does and what the benefit is on the interface; if it just filters BPDUs, as mentioned above by Mr. MHM Cisco World, we don't need to use bpdufilter on the interface.

Wish all the best

Hello


@Mlex1 wrote:

"The ports the "Hacker" switch is connecting to - did you manually configure that port to be a TRUNK?"
Yes, manually.

"interface bpdufilter = will filter BPDUs even without portfast enabled on the interface"
I want to understand what this BPDU does and what the benefit is on the interface; if it just filters BPDUs, as mentioned above by Mr. MHM Cisco World, we don't need to use bpdufilter on the interface.


So why would you manually open up a port to be a trunk for anyone to just attach to it? You wouldn't; the whole idea is to negate unauthorised access, hence all edge ports should be defined as edge ports. If you manually set the port to be a trunk, as such bpduguard/filtering/portfast is negated.



@Mlex1 wrote:

"interface bpdufilter = will filter BPDUs even without portfast enabled on the interface"
I want to understand what this BPDU does and what the benefit is on the interface; if it just filters BPDUs, as mentioned above by Mr. MHM Cisco World, we don't need to use bpdufilter on the interface.


I have stated what BPDU filter/guard does: it either filters or blocks the receiving/sending of BPDUs on a port, and as such it will negate a "hacker" switch (using your terminology) from attaching to the network and claiming itself to become root; plus it has varying effects based on how it is applied - globally/interface.

As for @MHM Cisco World's comments, I guess we need some elaboration on what they mean.




Kind Regards
Paul

"Interface bpduguard/filter - Filter will ALWAYS take precedence over guard, so if BPDUs are received then the filtering will occur and no blocking will happen."

This statement is not correct.

Bpdufilter prevents the SW from sending BPDUs.

Bpduguard makes the SW detect received BPDUs.

So the two are not related.

MHM
