BDDU Filter & BPDUGuard & SWITCHPORT PORT-SECURITY VIOLATION SHUTDOWN

aqusingh7
Level 1

What does BPDUFilter actually do? Does it stop BPDUs coming and going? Or does it convert PortFast to the STP topology again?

BPDUGuard puts a port into error disabled state if it receives a BPDU but what does "SWITCHPORT PORT-SECURITY VIOLATION SHUTDOWN" do?

Which are the access layer configurations and which are not?

8 Replies

zubair-shaikh
Level 1

Dear aqusingh7

Here I tried to give you possible answers to your questions. Please let me know if you have any further queries.

Q.What does BPDUFilter actually do

if you enable PortFast on a port, by default that port still generates configuration BPDUs. Any connected device receives and might process configuration BPDUs unnecessarily. You can configure a feature called BPDU Filter, which prevents a PortFast-enabled port from sending configuration BPDUs. If configuration BPDUs are received on the PortFast-enabled port, the port either loses its PortFast status (or is manually shut down if BPDU guard is configured), or it ignores the BPDUs, depending on how you configure BPDU Filter.

Configuring BPDU Filter so that all configuration BPDUs received on a port are dropped can be useful for service provider environments, where a service provider provides Layer 2 Ethernet access for customers.

Q.Does it stop BPDUs coming and going

PortFast BPDU filtering allows the administrator to prevent the system from sending or even receiving BPDUs on specified ports.

Q.Does it convert Portfast to STP Topology again?

Ports do not convert to a topology; they change their state depending on the STP topology, i.e. on changes in the network.

Q.what does "SWITCHPORT PORT-SECURITY VIOLATION SHUTDOWN" do?

In the event of a security violation, you can configure the port to go into shutdown mode or restrictive mode. The shutdown mode is further configurable by specifying whether the port will be permanently disabled or disabled for only a specified time. The default behavior during a security violation is for the port to shut down permanently. The restrictive mode allows you to configure the port to remain enabled during a security violation and drop only packets that are coming in from insecure hosts.

When a security violation occurs, the Link LED for that port turns orange, and a link-down trap is sent to the Simple Network Management Protocol (SNMP) manager. An SNMP trap will not be sent if you have configured the port for restrictive violation mode. A trap is sent only if you configure the port to shut down during a security violation.

Edison Ortiz
Hall of Fame

Taken from the documentation:

Understanding BPDU Filtering

The BPDU filtering feature can be globally enabled on the switch or can be enabled per interface, but the feature operates with some differences.

At the global level, you can enable BPDU filtering on Port Fast-enabled interfaces by using the spanning-tree portfast bpdufilter default global configuration command. This command prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.

At the interface level, you can enable BPDU filtering on any interface by using the spanning-tree bpdufilter enable interface configuration command without also enabling the Port Fast feature. This command prevents the interface from sending or receiving BPDUs.

Caution Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops.

You can enable the BPDU filtering feature for the entire switch or for an interface.

_______________________

SWITCHPORT PORT-SECURITY VIOLATION SHUTDOWN works in conjunction with port-security which is another feature in Cisco switches. BPDUGuard is more inline with BPDU features.

____________________

Access Layer configuration is when you set the port to access mode (switchport mode access). There are other modes the port can be set to: trunk, and if the switch is a Layer 3 switch, it can also be set to routed mode.

HTH,

__

Edison.

Giuseppe Larosa
Hall of Fame

Hello Baljit,

BPDU filter does not allow BPDUs to be sent out

this command is useful for service providers that want to isolate their switches from customer switches in some L2 services scenario.

It is not recommended at the access layer; it is not a protection mechanism.

On access ports with PortFast, enable BPDU guard: if a BPDU is heard, the port will be disabled.

This is the right feature for access-layer.

switchport port-security violation shutdown refers to port security.

Port-security can be used to protect switches from some L2 attacks like MAC flooding.

Port-security is concerned with the MAC addresses that are heard as source MAC on the port not with STP.

You can :

define what mac address is a legitimate user of the port

OR

you can declare that the port has to accept the first N MAC addresses and reject all the others.

When a violation of port-security occurs the command says to shutdown the port

Port-security can be deployed at the access layer, but it is a different matter than STP.

Hope to help

Giuseppe
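Giuseppe's post above pairs BPDU guard (for STP) with port-security (for source MACs) at the access layer. As an added example that is not part of any reply in this thread, here is an IOS access-port template that puts both in place; the interface name, VLAN, the MAC limit of 2 and the 300-second recovery interval are assumptions:

```cisco
! Added example, not from any poster in this thread. Interface name, VLAN,
! MAC limit and recovery interval are assumptions.
!
! --- Global defaults: PortFast + BPDU guard on every access (non-trunk) port ---
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! --- Let err-disabled ports come back by themselves after 5 minutes ---
! (without this, an err-disabled port stays down until shutdown / no shutdown)
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! --- Per port: one access port toward an end station ---
interface GigabitEthernet0/1
 description user access port
 switchport mode access
 switchport access vlan 10
 ! Already on from the global defaults; repeating them per interface makes
 ! the intent visible in the running config.
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Port security: the first two source MACs heard are learned and kept
 ! (sticky); a third source MAC is a violation and err-disables the port.
 ! shutdown is the default violation mode; restrict/protect would drop
 ! the offending frames instead and keep the port up.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! --- Verification ---
! show spanning-tree summary                               (PortFast / BPDU Guard defaults)
! show spanning-tree interface GigabitEthernet0/1 detail   ("Bpdu guard is enabled")
! show port-security interface GigabitEthernet0/1          (status, violation mode, count)
! show interfaces status err-disabled
! show errdisable recovery
```

Note that BPDU guard reacts to a received BPDU and port-security reacts to an unexpected source MAC; both end in the same err-disable state, so `show interfaces status err-disabled` is the first place to look whichever one fired.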

Hi Guiseppe,

Does BPDU guard force a switch into err-disable if a hub is applied, or only another switch?

It would seem a hub doesn't send BPDUs (although I guess it could recycle the original ones).

Jimmyc

satish_zanjurne
Level 4

1.BPDU Filter

By default, spanning tree sends BPDUs from all ports regardless of whether PortFast is enabled.

BPDU filtering allows you to avoid transmitting BPDUs on PortFast-enabled ports that are connected to an end system

So here it is avoiding sending BPDU's from portfast ports.

BPDU filtering is on a per-switch basis; after you enable BPDU filtering, it applies to all PortFast-enabled ports on the switch.

2.BPDU Guard

Because PortFast can be enabled on nontrunking ports connecting two switches, spanning tree loops can occur because BPDUs are still being transmitted and received on those ports.

The PortFast BPDU guard feature prevents loops by moving a nontrunking port into an errdisable state when a BPDU is received on that port. When the BPDU guard feature is enabled on the switch, spanning tree shuts down PortFast-configured interfaces that receive BPDUs, instead of putting them into the spanning tree blocking state. In a valid configuration, PortFast-configured interfaces do not receive BPDUs. If a PortFast-configured interface receives a BPDU, an invalid configuration exists, such as connection of an unauthorized device. The BPDU guard feature provides a secure response to invalid configurations because the administrator must manually put the interface back in service.

3.Port Security

SWITCHPORT PORT-SECURITY VIOLATION SHUTDOWN

The above command is not related to STP; it is port security. You can define the max. number of MAC addresses that can be learned, or you can bind a MAC with a port; if the number of MAC addresses learned on a port reaches the max., then you can define whether to protect the port, shut it down, or restrict the MACs.

For details on port security, follow the link below:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/configuration/guide/swtrafc.html#wp1038501

HTH. Rate if helpful.

arnichol
Cisco Employee

BPDU Filter stops sending BPDUs. But it cannot stop BPDUs coming from the neighbor. If it receives BPDU packets from a BPDU-enabled port, it receives, processes and drops them.

From the security point of view, BPDU guard is more secure because it err-disables the port as soon as a BPDU is received, but BPDU Filter still processes BPDUs and drops them, so a large number of BPDUs from a BPDU-enabled port might still bring up CPU utilization.

switchport port-security violation shutdown brings down the secured port if it violates the configured values.

hi,

Should you configure bpdufilter enable and bpduguard enable on the same interface? I know what their functions are, but I don't know what would happen if they are both configured on a switchport. Which one would get precedence?

thanks.

Based on the discussion we just had in the newer thread here, unless you are an ISP connecting to a peer or customer over an L2 link you are very confident will not be touched by end users, never use the per-interface command "spanning-tree bpdufilter enable" whether or not the port is in portfast.

If you are an ISP or trying something really fancy, this command is useful to separate your spanning tree from someone else's when you know there can be no loops. An ISP would not want to use bpduguard because it would down the link.

If you use the bpduguard without bpdufilter, anyone who creates a loop from one port of one of your switches to another, or anyone who plugs in a switch that is more intelligent than something they bought at Circuit City, or anyone who tries to send malicious BPDUs will be shut down. If you use errdisable recovery cause bpdufilter, you can let them back on automatically after a few minutes.

If you use the two commands together, then it is as if you used spanning tree bpdufilter enable alone. Which is bad.

If you remove spanning tree bpdufilter enable and spanning tree bpduguard enable from your interfaces, and you globally issue the command spanning tree portfast bpdufilter default, then you get an entirely different behavior: the port will come up fast, but if it sees a BPDU it will go back and do it right and come up slower and use the BPDUs to prevent loops. This will protect you against loops, but not malicious BPDUs.

After looking this all over, I think bpduguard is the best bet for a port that is facing an end station. For a router, the global spanning tree portfast bpdufilter enable command would be safest, and in the worst case it means that if your router starts sending BPDUs for some reason, you will lose portfast, but everything will still run otherwise. The only reason to worry about portfast is if you have boot-time traffic like DHCP that will not wait 45 seconds for the link to come up.

So unless you have a foolproof way to make sure your manager doesn't walk into the network room late at night and accidentally move your router link into a switch port, don't bother with spanning tree bpdufilter enable, it is not worth it.
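The reply above contrasts three placements of BPDU filtering: the per-interface filter, the per-interface filter combined with BPDU guard, and the global PortFast filter. As an added example, not code from any poster, here are those three placements as IOS configuration side by side, with the check that tells you which one is actually in effect on a port; interface names and descriptions are assumptions:

```cisco
! Added example, not from any poster in this thread. Interface names and
! descriptions are assumptions.
!
! (a) Per-interface filter: STP is effectively switched off on this port.
!     Only for a provider-to-customer L2 handoff where a loop is ruled out
!     by design; the other side's BPDUs are dropped, not acted on.
interface GigabitEthernet0/24
 description L2 handoff to customer switch (provider use only)
 switchport mode access
 spanning-tree bpdufilter enable
!
! (b) Same port with BPDU guard added on top: the filter discards BPDUs
!     before guard ever sees one, so guard never err-disables the port.
!     Behaves like (a) alone. Shown so it can be recognised, not copied.
interface GigabitEthernet0/23
 description do NOT configure this way
 switchport mode access
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
! (c) Global PortFast filter instead of the per-interface one: the port
!     comes up fast and sends no BPDUs toward the host, but if a BPDU does
!     arrive the port leaves the PortFast state, filtering stops and normal
!     STP runs. Loop-safe; not a guard against a rogue switch.
spanning-tree portfast default
spanning-tree portfast bpdufilter default
interface GigabitEthernet0/2
 description router uplink (no BPDUs expected)
 switchport mode access
 ! remove any per-interface override so the global defaults apply
 no spanning-tree bpdufilter
 no spanning-tree bpduguard
!
! Which behaviour is live on a given port:
! show spanning-tree interface GigabitEthernet0/2 detail
!   look for "Bpdu filter is enabled", "Bpdu guard is enabled" and
!   "The port is in the portfast mode"
! show spanning-tree summary
!   shows the PortFast / BPDU Filter / BPDU Guard global defaults
```

For an end-station port the template in the earlier example (PortFast plus `spanning-tree bpduguard enable`, no filter) is the one to use; (a) and (b) belong only on a provider handoff, and (c) is the compromise for a port that must come up fast but where a rogue BPDU should still be honoured rather than ignored.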
