Question about Spanning-tree

Answered Question
Mar 13th, 2007

Hi.

What will happen if the switch receives a rogue BPDU (a superior BPDU) on a VLAN which is not taking part in STP? And the port isn't in portfast mode.

As I understand it, there should be nothing related to unauthorized activity, as the switch doesn't have any STP instance for that VLAN. Am I right?



Amit Singh (Cisco Employee), Tue, 03/13/2007 - 01:48

Leo, if you don't have STP enabled for a VLAN on the switch, then neither of the switches will send a BPDU for that VLAN on the link. No BPDU will be seen for that VLAN on the switch. A loop will happen if you connect redundant links between the switches on the same VLAN.


HTH,

-amit singh



Correct Answer
Francois Tallet (Gold, 750 points or more), Tue, 03/13/2007 - 09:28

Your question includes a lot of different concerns. Let me answer with a list of statements that, hopefully, covers what you are looking for.

-1- Forget about portfast. Portfast does not disable STP and will do nothing to prevent BPDUs from being received.

-2- In PVST modes, if STP is disabled on a VLAN, the BPDU is flooded in this VLAN.

-3- In PVST modes, if a BPDU is received on a VLAN that is not configured on a trunk, it is dropped.

-4- Generally speaking, you can only trust a port completely or not at all. If there is a possibility that an un-cooperative device is connected on a port, you don't want to accept any BPDUs from this port. The simplest protection is to configure root guard, which will just prevent better information from being injected on the port. Otherwise you can use BPDU guard, which will shut down the port as soon as it receives a BPDU. Finally, you can configure some kind of port security, because someone can still generate a layer 2 loop between two access ports while never relaying BPDUs.

Regards,

Francois
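The four statements above can be read as a decision procedure for a port that receives a configuration BPDU: is the VLAN carried on the port at all (-3-), does BPDU guard fire (-4-), is there a PVST instance for the VLAN (-2-), and if so, is the received priority vector better than the port's own so that root guard blocks it (-4-), with portfast playing no part (-1-). The Python below models that procedure and parses a real 802.1D configuration BPDU to decide "superior". It is an added example written for this thread, not Cisco code: the `Port`/`Switch` structures, the order of the checks (in particular treating BPDU guard as a port-level check that runs before the per-VLAN instance lookup), the sample bridge IDs and the rogue BPDU are all constructed assumptions of the model.

```python
"""
Decision model for a PVST-mode switch port receiving a configuration BPDU.
Added example for this thread; not Cisco code. The data structures, the
order of the checks and every sample value are this model's own assumptions.
"""
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# IEEE 802.1D configuration BPDU, network byte order (35 bytes, LLC header excluded):
#   proto(2) ver(1) type(1) flags(1) root_id(8) root_cost(4) bridge_id(8)
#   port_id(2) msg_age(2) max_age(2) hello(2) fwd_delay(2)
CONFIG_BPDU = struct.Struct("!HBBBQIQHHHHH")
CONFIG_BPDU_TYPE = 0x00


def make_bridge_id(priority: int, vlan: int, mac: int) -> int:
    """Bridge ID with extended system ID: the priority (multiple of 4096) is
    OR-ed with the 12-bit VLAN number in the upper 16 bits, then the 48-bit MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    return ((priority | vlan) << 48) | mac


def build_config_bpdu(root_id: int, root_cost: int, bridge_id: int, port_id: int) -> bytes:
    """Encode a config BPDU; timers fixed at the 802.1D defaults (units of 1/256 s)."""
    return CONFIG_BPDU.pack(0x0000, 0x00, CONFIG_BPDU_TYPE, 0x00,
                            root_id, root_cost, bridge_id, port_id,
                            0, 20 * 256, 2 * 256, 15 * 256)


def parse_config_bpdu(raw: bytes) -> Tuple[int, int, int, int]:
    """Return the priority vector (root_id, root_cost, bridge_id, port_id); lower wins."""
    if len(raw) < CONFIG_BPDU.size:
        raise ValueError("truncated BPDU")
    proto, _ver, btype, _flags, root, cost, bridge, port, *_ = CONFIG_BPDU.unpack_from(raw)
    if proto != 0 or btype != CONFIG_BPDU_TYPE:
        raise ValueError("not an 802.1D configuration BPDU")
    return root, cost, bridge, port


@dataclass(frozen=True)
class Port:
    name: str
    access_vlan: Optional[int] = None             # set for an access port
    trunk_vlans: Optional[FrozenSet[int]] = None  # allowed VLANs for a trunk port
    root_guard: bool = False
    bpdu_guard: bool = False
    portfast: bool = False  # kept only to show it plays no part in the decision (-1-)


@dataclass(frozen=True)
class Switch:
    bridge_id: int
    stp_vlans: FrozenSet[int]  # VLANs that have a PVST instance on this switch
    root_info: dict            # vlan -> (current root_id, this switch's root path cost)

    def own_vector(self, vlan: int, port_id: int) -> Tuple[int, int, int, int]:
        root_id, cost = self.root_info[vlan]
        return root_id, cost, self.bridge_id, port_id


def handle_bpdu(sw: Switch, port: Port, vlan: int, raw: bytes, port_id: int = 0x8001) -> str:
    # -3- a BPDU for a VLAN the port does not carry is dropped.
    carried = port.trunk_vlans if port.trunk_vlans is not None else {port.access_vlan}
    if vlan not in carried:
        return "drop"
    # -4- BPDU guard acts on receipt of any BPDU (modelled as a port-level check).
    if port.bpdu_guard:
        return "errdisable"
    # -2- no STP instance for this VLAN: the frame is flooded like ordinary data
    #     and its contents are never inspected by this switch.
    if vlan not in sw.stp_vlans:
        return "flood"
    received = parse_config_bpdu(raw)
    # -4- root guard: a superior vector (lexicographically lower) is blocked.
    if port.root_guard and received < sw.own_vector(vlan, port_id):
        return "root-inconsistent"
    return "process"  # handed to the STP instance, whatever portfast says (-1-)


# Constructed sample topology (illustrative values, not from any real network).
LEGIT_ROOT = make_bridge_id(24576, 10, 0x0000AABBCCDD)
SWITCH = Switch(bridge_id=make_bridge_id(32768, 10, 0x001122334455),
                stp_vlans=frozenset({10}),
                root_info={10: (LEGIT_ROOT, 4)})
# Rogue bridge with priority 0 in VLAN 10, announcing itself as root at cost 0.
ROGUE_ID = make_bridge_id(0, 10, 0xDEADBEEF0001)
ROGUE_BPDU = build_config_bpdu(ROGUE_ID, 0, ROGUE_ID, 0x8001)

ACCESS10 = Port("Gi1/0/1", access_vlan=10, portfast=True)
GUARDED10 = Port("Gi1/0/2", access_vlan=10, root_guard=True)
BPDUGUARD10 = Port("Gi1/0/3", access_vlan=10, bpdu_guard=True)
ACCESS20 = Port("Gi1/0/4", access_vlan=20)
TRUNK = Port("Gi1/0/24", trunk_vlans=frozenset({10, 20}))

if __name__ == "__main__":
    for p, v in [(ACCESS10, 10), (GUARDED10, 10), (BPDUGUARD10, 10), (ACCESS20, 20), (TRUNK, 30)]:
        print(f"{p.name:9s} vlan {v:2d}: {handle_bpdu(SWITCH, p, v, ROGUE_BPDU)}")
```

Two things the model makes visible. First, "flood" is not a safe outcome: the local switch ignores the rogue BPDU only because it has no instance for VLAN 20, and the frame still reaches every other switch on that VLAN, which may well be running STP for it. Second, the plain access port with portfast hands the superior BPDU to STP and loses the root election; the equivalent IOS interface commands for the guarded ports are `spanning-tree guard root` and `spanning-tree bpduguard enable` (or `spanning-tree portfast bpduguard default` globally), with `switchport port-security` covering the BPDU-free loop case from statement -4-.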
