Question about Spanning-tree

Leo_Stobbe
Level 1

Hi.

What will happen if the switch receives rogue, superior BPDU packets on a VLAN which is not taking part in STP? And it isn't in portfast mode.

As I understand it, there should be nothing related to unauthorized activity, as the switch doesn't have any STP instance for that VLAN. Am I right?

Accepted Solution

Francois Tallet
Level 7

Your question includes a lot of different concerns. Let me answer with a list of statements that, hopefully, covers what you are looking for.

-1- Forget about portfast. Portfast does not disable STP and will do nothing to prevent BPDUs from being received.

-2- In PVST modes, if STP is disabled on a VLAN, the BPDU is flooded in this VLAN.

-3- In PVST modes, if a BPDU is received on a VLAN that is not configured on a trunk, it is dropped.

-4- Generally speaking, you can only trust a port completely or not at all. If there is a possibility that an uncooperative device is connected on a port, you don't want to accept any BPDUs from this port. The simplest protection is to configure rootguard, which will just prevent better information from being injected on the port. Else you can use bpduguard, which will shut down the port as soon as it receives a BPDU. Eventually, you can configure some kind of port security, because someone can still generate a layer 2 loop between two access ports while never relaying BPDUs.

Regards,

Francois

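The four cases in the accepted answer (BPDU on a VLAN the port does not carry, BPDU on a VLAN with no STP instance, rootguard, bpduguard) can be modelled as a small decision function over a parsed 802.1D configuration BPDU. The following is an added example for this thread, not code from the original post or from Cisco; it parses the plain 802.1D BPDU body (PVST+ wraps that body in a SNAP encapsulation with a VLAN TLV, which is not modelled; the VLAN is passed in separately, as if read from the 802.1Q tag), and the order in which the checks are applied is this model's assumption rather than a description of IOS internals. The bridge IDs, MAC addresses and VLAN number are constructed sample values.

```python
"""Model how a switch port treats an incoming 802.1D configuration BPDU.

Added example, not code from the original post or from Cisco.  Check ordering
is this model's assumption, not a description of IOS internals.
"""
import struct
from dataclasses import dataclass
from enum import Enum

# Plain 802.1D configuration BPDU body, 35 bytes big-endian.  PVST+ adds a SNAP
# header and a VLAN TLV around this body; that wrapping is not modelled here.
BPDU_STRUCT = struct.Struct("!HBBB8sI8sHHHHH")
BPDU_TYPE_CONFIG = 0x00


@dataclass(frozen=True)
class ConfigBpdu:
    flags: int
    root_id: bytes        # 2-byte priority field (priority + VLAN as system-ID ext.) + 6-byte MAC
    root_path_cost: int
    bridge_id: bytes
    port_id: int
    message_age: int      # all timers are carried in 1/256 s units on the wire
    max_age: int
    hello_time: int
    forward_delay: int


def parse_config_bpdu(payload: bytes) -> ConfigBpdu:
    """Parse the BPDU body; reject anything that is not a configuration BPDU."""
    if len(payload) < BPDU_STRUCT.size:
        raise ValueError("BPDU too short")
    proto, _version, bpdu_type, *rest = BPDU_STRUCT.unpack_from(payload)
    if proto != 0 or bpdu_type != BPDU_TYPE_CONFIG:
        raise ValueError("not an 802.1D configuration BPDU")
    return ConfigBpdu(*rest)


def bridge_id(priority_field: int, mac: str) -> bytes:
    """Bridge ID = 2-byte priority field + 6-byte MAC; the lower value wins."""
    return struct.pack("!H", priority_field) + bytes.fromhex(mac.replace(":", ""))


def build_config_bpdu(root: bytes, cost: int, sender: bytes, port_id: int = 0x8001) -> bytes:
    """Build a constructed sample BPDU (not a capture) with default 802.1D timers."""
    return BPDU_STRUCT.pack(0, 0, BPDU_TYPE_CONFIG, 0, root, cost, sender,
                            port_id, 0, 20 * 256, 2 * 256, 15 * 256)


class Action(Enum):
    DROP = "dropped: VLAN not carried on this port"
    FLOOD = "flooded in the VLAN: no STP instance for it"
    ACCEPT = "accepted: STP processes it normally"
    ROOT_INCONSISTENT = "root guard: port blocked (root-inconsistent)"
    ERRDISABLE = "BPDU guard: port err-disabled"


@dataclass
class PortState:
    allowed_vlans: frozenset     # access VLAN, or the trunk's allowed list
    stp_vlans: frozenset         # VLANs for which this switch runs a PVST instance
    current_root_id: bytes       # root bridge ID the switch currently believes in
    bpdu_guard: bool = False
    root_guard: bool = False


def is_superior_root(received: ConfigBpdu, current_root_id: bytes) -> bool:
    """A lower root bridge ID (priority field first, then MAC) would win the election."""
    return received.root_id < current_root_id


def handle_bpdu(payload: bytes, vlan: int, port: PortState) -> Action:
    """Decide what the port does with a BPDU received for `vlan`."""
    if port.bpdu_guard:                  # fires on any BPDU, superior or not
        return Action.ERRDISABLE
    if vlan not in port.allowed_vlans:   # statement -3 in the answer
        return Action.DROP
    if vlan not in port.stp_vlans:       # statement -2 in the answer
        return Action.FLOOD
    bpdu = parse_config_bpdu(payload)
    if port.root_guard and is_superior_root(bpdu, port.current_root_id):
        return Action.ROOT_INCONSISTENT  # statement -4, rootguard
    return Action.ACCEPT


# Constructed sample values (not from the thread): VLAN 10, legitimate root at
# priority 4096, a rogue root claiming priority 0.  Priority field = priority + VLAN.
VLAN = 10
CURRENT_ROOT = bridge_id(4096 + VLAN, "00:11:22:33:44:55")
ROGUE_ROOT = bridge_id(0 + VLAN, "00:de:ad:be:ef:01")
ROGUE_BPDU = build_config_bpdu(ROGUE_ROOT, 0, ROGUE_ROOT)
NORMAL_BPDU = build_config_bpdu(CURRENT_ROOT, 4, bridge_id(32768 + VLAN, "00:aa:bb:cc:dd:ee"))

if __name__ == "__main__":
    for name, guard in (("plain", {}), ("root guard", {"root_guard": True}),
                        ("bpdu guard", {"bpdu_guard": True})):
        port = PortState(frozenset({10, 20}), frozenset({10}), CURRENT_ROOT, **guard)
        print(f"{name:10s} rogue BPDU -> {handle_bpdu(ROGUE_BPDU, VLAN, port).value}")
```

Running the block prints what each port configuration does with the rogue BPDU on VLAN 10: an unguarded port accepts it and would re-elect the root, rootguard blocks the port only because the advertised root ID is lower than the current one, and bpduguard err-disables the port without looking at the contents at all. Passing VLAN 20 (carried on the port, no STP instance) returns the flood case from statement -2, and VLAN 30 (not carried) returns the drop case from statement -3.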

2 Replies

Amit Singh
Cisco Employee

Leo, if you don't have STP enabled for a VLAN on the switch, then neither of the switches will send a BPDU for that VLAN on the link. No BPDU will be seen for that VLAN on the switch. A loop will happen if you connect redundant links between the switches on the same VLAN.

HTH,

-amit singh

