Apply BPDU Guard to Server Farm Switch

Unanswered Question
May 18th, 2008

Hi NetPro,

is that necessary to apply BPDU Guard to Server Farm Switch ? or compulsory must implement BPDU Guard to Server Farm Switch ?

your reply will be highly appreciated.

thanks.

Regards

Jack

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3.7 (12 ratings)
Loading.
graemeporter Sun, 05/18/2008 - 23:10

Hi Jack,

Your server farm switch is generally going to be isolated from your user environment; the only people who could connect a switch to the server farm switch are going to have access to your computer room anyway.

BPDU Guard just prevents rogue switches from being connected to user ports; it's a method for keeping your LAN safe from users who might accidentally cause spanning-tree recalculations or damage to your VLAN configurations by connecting a mis-configured switch to the network. The difference between your server farm switches and your user access switches is that the users have direct access to the switchports on the user access switches.

So long as your server support guys know not to connect any switches to the server farm switches, then BPDU Guard shouldn't be necessary.

Hope this helps!

Kind regards,

Graeme

ney25 Mon, 05/19/2008 - 02:21

Hi Graeme,

thanks for your informations, your replied was extremely helpful for me. thanks :)

regards,

Jack

I would. It's not going to cost you anything and after all, no one should be plugging switches into your server access ports right? While an admin is inheritantly more trustworthy then a user they can make mistakes. You don't want a tired admin accidentally looping up your network. I would take a look at the cisco-desktop SmartPort macro and modify it to suit your env.

graemeporter Mon, 05/19/2008 - 14:43

Hi,

I would disagree - BPDU Guard is, after all, another process to run on your switches. Disabling the process frees up resources on your switch, as it removes the need to check each packet to see if it is a BPDU.

Fair enough, it is possible for admins to make mistakes too (I do, frequently - my piece de resistance being accidentally tripping out a UPS that was powering one of our two core 6509s, resulting in a massive spanning tree recalc on all our campus VLANs, temporary loss of connectivity for all our users, and an interruption of service for our IP phones - over 1000 of them) - but I think it's better to minimize your use of resources.

BPDU Guard should definitely be on your user access level switches, but if you can get away without it on your server switches, then you probably should.

Kind regards,

Graeme

I've not seen any documentation stating that there's a performance penalty for implementing BPDU Guard. Do you have evidence to the contrary? The switch, rather spanning tree, is going to send, receive and subsequently process BPDUs regardless of whether the feature is enabled. All BPDU guard does is tell the switch what to do in the event spanning tree hears a bpdu on an interface that it shouldn't.

Plan for the worst, hope for the best.

Francois Tallet Mon, 05/19/2008 - 16:33

Yep, BPDU guard is just a test executed on the receive path of the BPDU. Whether you enable the feature or not, you're going to do this test, so there is no performance benefit in not enabling BPDU guard.

Regards,

Francois

graemeporter Tue, 05/20/2008 - 05:39

Sorry, I stand corrected - I had assumed BPDU Guard was an extra process for the switch to run.

Thanks for the info!

Kind regards,

Graeme

ney25 Tue, 05/20/2008 - 17:21

Hi Francois.

so, which means in the server farm switch not necessary to implement BPDU Guard ? is that what u mean ?

thanks .

regards,

Jack

Francois Tallet Wed, 05/21/2008 - 09:04

I see BPDU guard as a feature enforcing a security policy rather than a loop prevention measure.

You enable BPDU guard on a edge port, where you don't expect a bridge to be connected. If you receive BPDUs on this port, there is an inconsistency in your network. You have several options:

-1- you are not too concerned about this and let STP run on this port. Just do nothing: STP prevents loops. Peering with an unknown switch can be risky however, as it may impact the topology of your network.

-2- you want to privilege connectivity and are ready to let STP run on this port as long as it's not messing up with the topology of your core: enabled root guard.

-3- you are rather conservative and you prefer to bring this port down: enable bpdu guard.

Note that it's not because you have enable bpdu guard that you are protected against loop. STP does that. If the device that is connected to this port is hostile, it can introduce a loop without sending bpdus anyway.

However, in term of security, bpduguard is currently the only feature that protects your switch against a denial of service attack. Bpdus are sent to the processor, and a port receiving a high rate of bpdus will have an impact on the CPU. Bpdu guard protects against that by bringing this particular link down.

So I would really recommend enabling bpdu guard (and probably some form of port security) on an edge port accessible to end users. In a confined and secured data center environment (where you expect errors and not attacks), it's probably not that critical and depends on your security strategy...

Regards,

Francois

lamav Tue, 05/20/2008 - 05:59

John, that was nice, dude. Good judgement call and good info to support it.

Im jazzing you up with 5 points... :-)

Victor

Actions

This Discussion