07-24-2014 07:28 AM - edited 03-07-2019 08:10 PM
Hi,
We all know about preventing outgoing BPDUs in users ports using the BPDU filter command and, we also know how this command disables STP in those port where applied, leaving this ports unsecured against STP attacks. So, how can we restrict these outgoing BPDUs without disabling STP and compromising the border network?
Regards.
Solved!
07-24-2014 01:35 PM
Hi,
Just as devils_advocate mentioned, you could configure the BPDU Filter on the global level using the spanning-tree portfast bpdufilter default command. In this configuration, BPDU Filter applies only to PortFast-enabled ports and causes them to send out 11 BPDUs and then stop doing that until a BPDU is received on the port. This way of activating BPDU Filter does not conflict with the BPDU Guard and can be used simultaneously - in that case, if a port receives a BPDU, BPDU Guard will err-disable it.
It should be mentioned that the information that "leaks" from BPDUs is, in my opinion, insignificant. What you can learn is the base MAC address of the root switch and its priority, the base MAC address of the nearest switch and its priority, perhaps the VLAN you're in - and that's about it. Do you personally see any ways of misusing that information?
Best regards,
Peter
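The configuration below is an added example, not posted by anyone in the thread, showing the arrangement the accepted answer describes: BPDU Guard and BPDU Filter both enabled as global PortFast defaults, so the filter only touches PortFast edge ports and Guard still err-disables a port that receives a BPDU. Interface names, VLAN numbers and the recovery timer are assumed values for illustration.

```cisco
! Added example (not from the thread). Interface names, VLAN numbers and the
! errdisable recovery interval are assumptions chosen for illustration.
!
spanning-tree mode rapid-pvst
!
! Global PortFast defaults: every PortFast-enabled port inherits both features.
! Filter stops BPDUs leaving the edge port after link-up (the global variant
! still listens), Guard err-disables the port if a BPDU ever arrives.
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
!
! Optional: bring a Guard-disabled port back automatically after the timer
! expires instead of requiring a manual shut/no shut.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! End-host access ports: PortFast here is what makes the two defaults apply.
interface range GigabitEthernet1/0/1 - 24
 description End-host access port
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Uplink to the next switch: no PortFast, so neither default applies and STP
! exchanges BPDUs normally on this link.
interface GigabitEthernet1/0/48
 description Uplink to distribution switch
 switchport mode trunk
!
! Weak variant to avoid on edge ports (shown commented out): the per-interface
! filter disables STP on the port and overrides BPDU Guard, which is exactly
! the conflict the original question describes.
!interface GigabitEthernet1/0/1
! spanning-tree bpdufilter enable
```

The distinction that matters is the level at which the filter is applied: the global PortFast default keeps Guard effective, while the per-interface `spanning-tree bpdufilter enable` does not, and the uplink is deliberately left without PortFast so the filter never touches a switch-to-switch link.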
07-24-2014 07:38 AM
Hi,
I am afraid that disabling outgoing BPDUs would not make sense because of the following reasons:
Why would you want to disable outgoing BPDUs, anyway? The BPDU Filter feature has a different purpose - stopping sending BPDUs on PortFast-enabled ports where only end hosts are intended to be connected because in the majority of cases, sending BPDUs on such ports is a waste of effort, or effectively disabling STP on a per-port basis, allowing the network to be partitioned into independent STP domains (the loop-free interconnection of these domains falls on the responsibility of the network administrator as STP won't be able to save him here).
Best regards,
Peter
07-24-2014 07:49 AM
Hi Peter,
My goal is to protect STP using BPDU Guard for incoming BPDUs and, at the same time, to avoid leaking STP information on the end host ports by blocking outgoing BPDUs. Since applying both commands does not take effect, because BPDU Filter disables BPDU Guard, I was wondering which is the valid solution for this.
Cheers.
07-24-2014 08:17 AM
If you want to not leak STP information from each host connected edge port then use BPDUFilter.
It will still error disable the port if it receives a BPDU but will not send any out the port either.
Bear in mind that using BPDUFilter increases the risk of an STP loop.
Personally I would rather send BPDUs out a port and 'leak STP information' than risk an STP loop.
07-25-2014 12:39 AM
Thanks Peter,
This is what I was looking for. I will test it.
Cheers.
10-17-2018 12:53 AM
The best way to do it is using BPDU Filter on the interface level instead of the global level.
It will ignore incoming BPDU frames as well as stop outbound BPDUs. By this way, you can prevent STP leaks.
07-24-2014 08:14 AM
What sort of 'STP attacks' are you referring to?
BPDUFilter will stop the port sending BPDUs and will disable the port if it receives a BPDU.
BPDUGuard will still send BPDUs but will disable the port if it receives a BPDU.
Most people use a combination of Portfast and BPDUGuard on their host connected edge ports.
You could also go a step further and implement some other security features such as DHCP Snooping, ARP Inspection and IP Source Guard.