Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Preventing outgoing BPDUs without BPDU filter

Hi,

We all know about preventing outgoing BPDUs in users ports using the BPDU filter command and, we also know how this command disables STP in those port where applied, leaving this ports unsecured against STP attacks. So, how can we restrict these outgoing BPDUs without disabling STP and compromising the border network?

 

Regards.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Hi,Just as devils_advocate

Hi,

Just as devils_advocate mentioned, you could configure the BPDU Filter on the global level using the spanning-tree portfast bpdufilter default command. In this configuration, BPDU Filter applies only to PortFast-enabled ports and causes them to send out 11 BPDUs and then stop doing that until a BPDU is received on the port. This way of activating BPDU Filter does not conflict with the BPDU Guard and can be used simultaneously - in that case, if a port received a BPDU, BPDU Guard will err-disable it.

It should be mentioned that the information that "leaks" from BPDUs is, in my opinion, insignificant. What you can learn is the base MAC address of the root switch and its priority, the base MAC address of the nearest switch and its priority, perhaps the VLAN you're in - and that's about it. Do you personally see any ways of misusing that information?

Best regards,
Peter

 

6 REPLIES
Cisco Employee

Hi,I am afraid that disabling

Hi,

I am afraid that disabling outgoing BPDUs would not make sense because of the following reasons:

  • If the outgoing BPDUs are inferior to the incoming ones, the port will automatically cease sending BPDUs. This is normal STP behavior - a port receiving BPDUs superior to its own will stop sending its own BPDUs because nobody is interested in them.
  • If the outgoing BPDUs are superior to the incoming ones then stopping the outgoing BPDUs would cause the neighboring switch to make a wrong assumption that it is the only switch on the link and make its port Designated Forwarding, thereby possibly creating a loop. Note that it would not be sufficient to send a couple of superior BPDUs and then stop because the neighboring switch would have these BPDUs expires after a while, and would do the same wrong decision as just described.

Why would you want to disable outgoing BPDUs, anyway? The BPDU Filter feature has a different purpose - stopping sending BPDUs on PortFast-enabled ports where only end hosts are intended to be connected because in the majority of cases, sending BPDUs on such ports is a wase of effort, or effectively disabling STP on a per-port basis, allowing the network to be partitioned into independent STP domains (the loop-free interconnection of these domains falls on the responsibility of the network administrator as STP won't be able to save him here).

Best regards,
Peter

 

Community Member

Hi Peter,My goal is to

Hi Peter,

My goal is to protect STP using BPDU Guard for incoming BPDUs and, at the same time, to avoid leaking STP information in the end host ports by blocking outgoing BPDUs. Since applying both commands do not take effect, because BPDU Filter disables BPDU guard, I was wondering which is the valid solution for this.

 

Cheers.

If you want to not leak STP

If you want to not leak STP information from each host connected edge port then use BPDUFilter.

It will still error disable the port if it receives a BPDU but will not send any out the port either.

Bear in mind that using BPDUFilter increases the risk of an STP loop.

Personally I would rather send BPDUs out a port and 'leak STP information' than risk an STP loop.

Cisco Employee

Hi,Just as devils_advocate

Hi,

Just as devils_advocate mentioned, you could configure the BPDU Filter on the global level using the spanning-tree portfast bpdufilter default command. In this configuration, BPDU Filter applies only to PortFast-enabled ports and causes them to send out 11 BPDUs and then stop doing that until a BPDU is received on the port. This way of activating BPDU Filter does not conflict with the BPDU Guard and can be used simultaneously - in that case, if a port received a BPDU, BPDU Guard will err-disable it.

It should be mentioned that the information that "leaks" from BPDUs is, in my opinion, insignificant. What you can learn is the base MAC address of the root switch and its priority, the base MAC address of the nearest switch and its priority, perhaps the VLAN you're in - and that's about it. Do you personally see any ways of misusing that information?

Best regards,
Peter

 

Community Member

Thanks Peter,This is what I

Thanks Peter,

This is what I was looking for. I will test it.

Cheers.

What sort of 'STP attacks'

What sort of 'STP attacks' are you referring to.

BPDUFilter will stop the port sending BPDU's and will disable the port if it receives a BPDU.

BPDUGuard will still send BPDU's but will disable the port is if receives a BPDU.

Most people use a combination of Portfast and BPDUGuard on their host connected edge ports.

You could also go a step further and implement some other security features such as DHCP Snooping, ARP Inspection and IP Source Guard.

885
Views
0
Helpful
6
Replies
CreatePlease to create content