Question about Spanning-tree

Hi.

What will happen if the switch receives rogue BPDUs (superior BPDU packets) on a VLAN which is not taking part in STP? And it isn't in portfast mode.

As I understand it, there should be nothing related to unauthorized activity, as the switch doesn't have any STP instance for that VLAN. Am I right?

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Question about Spanning-tree

Your question includes a lot of different concerns. Let me answer with a list of statements that, hopefully, cover what you are looking for.

-1- Forget about portfast. Portfast does not disable STP and will do nothing to prevent BPDUs from being received.

-2- In PVST modes, if STP is disabled on a VLAN, the BPDU is flooded in this VLAN.

-3- In PVST modes, if a BPDU is received on a VLAN that is not configured on a trunk, it is dropped.

-4- Generally speaking, you can only trust a port completely or not at all. If there is a possibility that an uncooperative device is connected to a port, you don't want to accept any BPDUs from this port. The simplest protection is to configure root guard, which will just prevent better information from being injected on the port. Else you can use BPDU guard, which will shut down the port as soon as it receives a BPDU. Eventually, you can configure some kind of port security, because someone can still generate a layer 2 loop between two access ports while never relaying BPDUs.

Regards,

Francois
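Points -1- through -4- above expressed as IOS switch configuration, as an added example that is not part of Francois's reply or of any Cisco document: an untrusted access port shown first with portfast only, then hardened with BPDU guard and port security, and an uplink protected by root guard. The interface names, VLAN 10 and the 300-second recovery interval are assumed values, not from the thread.

```cisco
! Added example (not from the original post). Interface names, VLAN 10
! and the 300-second recovery interval are assumed values.
!
! --- Weak: portfast alone. The port still processes BPDUs (point -1-),
! so a rogue superior BPDU received here can still reshape the topology.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! --- Hardened access port: never accept a BPDU here (point -4-).
! BPDU guard err-disables the port on the first BPDU received; port
! security limits learned MACs, so a loop between two access ports that
! relays no BPDUs but floods many source MACs onto the port trips a
! violation instead of going unnoticed.
interface GigabitEthernet1/0/10
 description untrusted access port
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
! --- Uplink that may exchange BPDUs but must never become root:
! root guard holds the port in root-inconsistent (blocking) state while
! superior BPDUs arrive and releases it once they stop.
interface GigabitEthernet1/0/24
 description uplink toward distribution, root stays upstream
 switchport mode trunk
 spanning-tree guard root
!
! Global defaults: BPDU guard on every portfast port, and automatic
! recovery of err-disabled ports after the timer expires.
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verification (exec mode):
!   show spanning-tree inconsistentports   (ports held by root guard)
!   show interfaces status err-disabled    (ports shut by BPDU guard)
!   show spanning-tree vlan 10 detail      (BPDU sent/received counters)
```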

2 REPLIES
Cisco Employee

Re: Question about Spanning-tree

Leo, if you don't have STP enabled for a VLAN on the switch then neither of the switches will send a BPDU for that VLAN on the link. No BPDU will be seen for that VLAN on the switch. A loop will happen if you connect redundant links between the switches on the same VLAN.

HTH,

-amit singh
