STP and some L2 security

Dec 31st, 2008
Hello,

I have a few questions regarding STP and L2 security in general.

1)

I read in books that STP sends its BPDU packets via VLAN 1 untagged, but when I used the Ethereal sniffer I found out that BPDU packets are tagged with the VLAN for which they carry information (PVST+), i.e. for VLAN 10 the BPDUs are tagged with VLAN 10, etc. So when does STP use VLAN 1?

2)

I need two L2 redundant links between two locations. If the ISP gives me two L2 access ports in order to connect those two locations, would STP work and block one of the links (suppose that I use VLAN 100 on my side and the ISP uses VLAN 200 in its core)? I tested this scenario in the lab and it works, but I don't know why it is so theoretically. I thought that switches would ignore BPDUs that come from a different VLAN.

3)

UDLD is used if one direction on optical fiber (Rx or Tx) is broken. But if I disconnect one of the links from the port, i.e. I pull out the Rx link and Tx stays in, the ports on both sides of the cable go down. I tested that on new switches, but isn't the UDLD feature then superfluous? It seems that ports always go down if only one direction is disconnected, so STP can't make a loop.

Were my test and conclusion regular?

Thanks in advance,

regards,

A

Giuseppe Larosa Wed, 12/31/2008 - 07:31

Hello Antonio,

Happy new year !


1) the question is what STP type:

old STP 802.1D is mono-instance and sends out its BPDUs untagged

PVST+ tunnels its BPDUs for all instances using the right vlan-id and putting a vlan-id field inside that gives a consistency check (if the external vlan-id is different from the internal one, something strange is going on and the port is disabled, but only if it is a trunk)

MST sends BPDUs only on the IST with fields for all instances

2) as said above, if the ports are access ports (non-trunks) legacy 802.1D BPDUs are used and no consistency check is performed, so you can connect a port in vlan 100 with one in vlan 200.

Or the provider is doing 802.1Q tunneling with L2 tunneling

3) you may provide more details, however UDLD also triggers on a congested link, for example.

UDLD is too slow for Rapid STP, both RPVST and MST.


Hope to help

Giuseppe
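The PVST+ consistency check described in point 1, as an added example that is not part of this thread or of any Cisco code: it builds a constructed 802.1Q-tagged PVST+ config BPDU carrying the Originating VLAN (PVID) TLV and compares the outer tag with the VLAN inside the BPDU, the way a sniffer-side monitor could flag the mismatch that puts a trunk port into inconsistent state. The framing (destination 01:00:0c:cc:cc:cd, SNAP PID 0x010b, TLV type 0 / length 2 after the 35-byte config BPDU) is assumed to match what Wireshark decodes for PVST+; the source MAC and bridge values are constructed.

```python
import struct

# Constructed PVST+ framing (assumed to match what Wireshark decodes):
# dst 01:00:0c:cc:cc:cd, LLC/SNAP with Cisco OUI 00:00:0c and PID 0x010b,
# a 35-byte 802.1D config BPDU, then the PVID TLV (type 0, length 2, VLAN id).
PVST_DST = bytes.fromhex("01000ccccccd")
SNAP_PVST = bytes.fromhex("aaaa0300000c010b")
CONFIG_BPDU_LEN = 35

def build_pvst_bpdu(outer_vlan, pvid_vlan, bridge_prio=32768):
    """Constructed 802.1Q-tagged PVST+ config BPDU. outer_vlan is the 802.1Q tag,
    pvid_vlan is the VLAN carried in the PVID TLV; a real switch sets both equal."""
    src = bytes.fromhex("020000000001")            # locally administered MAC, constructed
    eth = PVST_DST + src + struct.pack("!HH", 0x8100, outer_vlan & 0x0FFF)
    bridge_id = struct.pack("!H6s", bridge_prio + pvid_vlan, src)  # prio + VLAN (sys-id-ext)
    bpdu = struct.pack("!HBBB8sI8sHHHHH",
                       0, 0, 0, 0,                 # protocol id, version, type (config), flags
                       bridge_id, 0,               # root id, root path cost (claims to be root)
                       bridge_id, 0x8001,          # bridge id, port id
                       0, 20 << 8, 2 << 8, 15 << 8)  # age, max age, hello, fwd delay (1/256 s)
    tlv = struct.pack("!HHH", 0x0000, 2, pvid_vlan)
    payload = SNAP_PVST + bpdu + tlv
    return eth + struct.pack("!H", len(payload)) + payload   # 802.3 length precedes LLC

def check_pvst_consistency(frame):
    """Return (outer_vlan, pvid_vlan, ok). ok is False only for a tagged BPDU whose
    802.1Q tag differs from its PVID TLV; an untagged frame cannot be checked this way."""
    if frame[:6] != PVST_DST:
        raise ValueError("not a PVST+ BPDU (wrong destination MAC)")
    off, outer = 12, None
    if frame[off:off + 2] == b"\x81\x00":
        outer = struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF
        off += 4
    off += 2                                        # skip the 802.3 length field
    if frame[off:off + 8] != SNAP_PVST:
        raise ValueError("not a PVST+ SNAP header")
    off += 8 + CONFIG_BPDU_LEN                      # skip SNAP header and config BPDU
    tlv_type, tlv_len, pvid = struct.unpack("!HHH", frame[off:off + 6])
    if tlv_type != 0 or tlv_len != 2:
        raise ValueError("PVID TLV missing")
    return outer, pvid, outer is None or outer == pvid

if __name__ == "__main__":
    for outer, pvid in ((10, 10), (100, 200)):
        print(check_pvst_consistency(build_pvst_bpdu(outer, pvid)))
```

The second sample reproduces the thread's scenario of VLAN 100 on one side and VLAN 200 on the other; on an access port no tag is present, so no mismatch can be detected, which is why the lab test in the question still converged.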


Antonio_1_2 Wed, 12/31/2008 - 08:53
And just one more question: do 802.1D STP and MST use VLAN 1 for communication via BPDU? Or do they use the native VLAN, which can be defined via the switchport trunk native vlan command?


regards,

A

Giuseppe Larosa Wed, 12/31/2008 - 09:13

Hello Antonio,


MST will use one vlan associated to the IST


802.1D STP should use the native vlan on trunk


Hope to help

Giuseppe


Antonio_1_2 Fri, 01/02/2009 - 00:39
I ask that because I wanted to know whether STP would work if that VLAN (used for BPDUs) was removed from the trunk that connects two switches.


regards,

A

Giuseppe Larosa Fri, 01/02/2009 - 04:30

Hello Antonio,


a very useful document that collects very useful data about L2 protocols:

http://www.cisco.com/en/US/products/hw/switches/ps700/products_white_paper09186a00801b49a4.shtml#pre4

if the port is a trunk it should detect a VLAN mismatch as I described in previous posts, or have you configured 802.1Q tunneling?


Hope to help

Giuseppe

