Stop unneeded Spanning-Tree messages

Kevin Melton
Level 2

One of my customers has a 3550 switch installed in their DMZ.

I was running Ethereal with a Monitor Session plugged into the switch today. I noticed some odd "STP" messages showing up in the capture; specifically one that shows "LOOP". What is weird about this is that the source and destination MAC of the LOOP message are the same (they are VLAN 1's MAC).

I tried turning off two different global STP settings to see if they would curtail the STP messages picked up by Ethereal (one was GLOBAL spanning-tree mode pvst; the other was spanning-tree extend system-id), but it seems as if these cannot be shut off.

I cannot get the messages to stop being generated by the switch.

Does anyone know how to disable Spanning-Tree on a 3550?

thanks


8 Replies

lgijssel
Level 9

This is likely not STP. Instead, these messages are loopback packets used to verify the network connection.

You should be able to switch them off using the interface command: no keepalive

Be aware of the drawbacks that this will have, i.e. the interface not detecting a cable problem or a link-state change.

Regards,

Leo
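
The identification Leo makes above rests on two things visible in a capture: the frame's type field and the fact that source and destination MAC are identical. The following is an added example, not code from this thread or from Cisco: it builds constructed sample frames (all MAC addresses are made up) in the standard formats and classifies them the way a packet dissector would, separating an Ethernet loopback frame (Ethertype 0x9000, which Ethereal/Wireshark labels "LOOP" and which a Cisco interface sends to its own MAC as a keepalive) from a real BPDU (802.3 length field followed by LLC 42/42/03 to the IEEE bridge address, or SNAP with the Cisco OUI to the PVST+ multicast). The keepalive payload layout (skip count, function code, padding) is an assumption about the loopback test protocol and is only there to make the sample frame realistic.

```python
import struct

# Well-known destinations and types (standard values); sample MACs below are constructed
IEEE_STP_MCAST = bytes.fromhex("0180c2000000")        # 802.1D bridge group address
PVST_MCAST = bytes.fromhex("01000ccccccd")             # Cisco PVST+ (SSTP) multicast
ETHERTYPE_LOOP = 0x9000                                # Ethernet loopback, shown as "LOOP" by Ethereal/Wireshark
SNAP_PVST = bytes.fromhex("aaaa03" "00000c" "010b")   # SNAP header, Cisco OUI, PVST+ protocol id
LLC_STP = b"\x42\x42\x03"                              # DSAP/SSAP 0x42, UI control field


def classify_frame(frame: bytes) -> str:
    """Label a raw Ethernet frame as a Cisco keepalive, an STP BPDU, or something else."""
    if len(frame) < 14:
        return "runt"
    dst, src = frame[0:6], frame[6:12]
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    if type_or_len == ETHERTYPE_LOOP:
        # A Cisco interface keepalive is a loopback frame the interface addresses to itself,
        # so source and destination MAC are the same address (what the original poster saw).
        return "LOOP keepalive (src == dst)" if dst == src else "LOOP (loopback test frame)"
    if type_or_len <= 1500:
        # 802.3 length field, so an LLC header follows instead of an IP-style Ethertype
        if dst == IEEE_STP_MCAST and frame[14:17] == LLC_STP:
            return "STP BPDU (IEEE 802.1D/RSTP/MST)"
        if dst == PVST_MCAST and frame[14:22] == SNAP_PVST:
            return "STP BPDU (Cisco PVST+)"
    return "other"


def build_keepalive(iface_mac: bytes) -> bytes:
    """Constructed keepalive: loopback Reply (function code 1), sent from and to the same MAC."""
    payload = struct.pack("!HH", 0, 1) + bytes(40)     # skip count, function code, padding (assumed layout)
    return iface_mac + iface_mac + struct.pack("!H", ETHERTYPE_LOOP) + payload


def build_config_bpdu(src_mac: bytes, root_id: bytes, bridge_id: bytes, pvst: bool = False) -> bytes:
    """Constructed 802.1D configuration BPDU; timers are in 1/256 s (hello 2 s, max age 20 s, fwd delay 15 s)."""
    body = (struct.pack("!HBBB", 0, 0, 0, 0)           # protocol id 0, version 0, type 0 (config), flags
            + root_id + struct.pack("!I", 4)            # root bridge ID, root path cost
            + bridge_id                                 # sending bridge ID
            + struct.pack("!HHHHH", 0x8001, 0, 20 * 256, 2 * 256, 15 * 256))
    if pvst:
        dst, header = PVST_MCAST, SNAP_PVST             # real PVST+ frames also carry a VLAN TLV after the BPDU
    else:
        dst, header = IEEE_STP_MCAST, LLC_STP
    return dst + src_mac + struct.pack("!H", len(header) + len(body)) + header + body


# Constructed sample frames (MAC addresses are made up)
SWITCH_MAC = bytes.fromhex("000ab7112233")
ROOT_ID = struct.pack("!H", 0x8000) + bytes.fromhex("000ab7000001")   # priority 32768 + root MAC
BRIDGE_ID = struct.pack("!H", 0x8001) + SWITCH_MAC                     # 32768 + VLAN 1 (extended system ID)

KEEPALIVE = build_keepalive(SWITCH_MAC)
IEEE_BPDU = build_config_bpdu(SWITCH_MAC, ROOT_ID, BRIDGE_ID)
PVST_BPDU = build_config_bpdu(SWITCH_MAC, ROOT_ID, BRIDGE_ID, pvst=True)

if __name__ == "__main__":
    for name, frame in [("keepalive", KEEPALIVE), ("ieee-bpdu", IEEE_BPDU), ("pvst-bpdu", PVST_BPDU)]:
        print(f"{name:10s} {classify_frame(frame)}")
```

The check that matters for the question in this thread is the first branch: a frame with Ethertype 0x9000 and identical source and destination MAC is the interface talking to itself, and no STP setting will make it go away, which is why `no keepalive` on the interface is the right knob.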

This was a good answer for the "LOOP" packets. I looked at the associated MAC, then went to the interface and entered " no keepalive" as instructed. The loopback messages stopped.

Now that I know what they are, we can document them and won't freak out and think they are STP messages.

Thanks for your answer.

glen.grant
VIP Alumni

Do not ever turn off spanning tree, this is your main protection against getting layer 2 loops in your network.

Hi,

The following config mode command will turn off spanning tree completely in the switch.

no spanning-tree vlan 1-1005

Exercise caution when using this command. Remember, you have no protections against layer 2 loops when you have disabled spanning tree. Use this command only if there is no potential for a layer 2 loop in your network. Even if there is a single redundant connection, the whole LAN would go into a giant loop.

HTH

Sundar

Well aware of what spanning-tree does. We have ZERO redundant connections on this clients network. I do not see the need to run STP.

Hi,

Just one remark. Given you turn off STP, anyone implementing a loop unintentionally with a cross cable, or any mislabeling on your patch panels, can immediately bring down your network.

So I would seriously consider leaving spanning tree activated. Of course you should evaluate security related threats and exploits. But then there are additional features like port security, root guard and bpdu filtering, which should be considered when defining the security policy.

From another point of view:

What is more likely: that a hacker uses STP to gain information about your network or bring down your network, or that someone unintentionally creates a loop?

Hope this helps!

Regards, Martin

Accepted Solution

You can switch to MST mode to generate only a single BPDU per port and per hello-time. You can configure global bpdufilter in order to avoid sending BPDUs on access ports (configured for portfast) while not risking introducing loops.

If you pay a little attention to your STP configuration, STP will not take bandwidth on the link (if this is of any concern to you), while still providing some backup mechanism in terms of mis-wiring.

There is not much useful information a user can get from looking into BPDUs. Bpduguard or rootguard can help prevent intrusions in your STP domain. So overall, I don't think enabling STP puts the network in danger. I would rather say that accidental connections are more likely than a hostile attack in an enterprise environment. And it's probably even easier to attack an L2 network with no STP.

So even if STP is not needed because there is no physical redundancy, I think it's wise to keep it.
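
Two claims in the accepted solution are worth seeing in concrete terms: what a BPDU actually discloses to someone sniffing it, and what root guard compares when it blocks an intruder from taking over the STP domain. The following is an added example, not code from this thread or from Cisco. It decodes a constructed 802.1D configuration BPDU (the 35 bytes after the LLC header; MAC addresses are made up) to list the fields a listener learns, and applies the comparison that root guard is built on: bridge IDs are 2-byte priority plus 6-byte MAC and compare as 8-byte unsigned integers, so a received BPDU whose root ID is numerically lower than the root the switch already knows is "superior" and would be blocked on a root-guarded port. The rogue BPDU below is constructed to claim priority 0.

```python
import struct


def parse_bpdu(bpdu: bytes) -> dict:
    """Decode an 802.1D configuration BPDU and return what a passive listener learns from it."""
    if len(bpdu) < 35:
        raise ValueError("too short for a configuration BPDU")
    proto, version, bpdu_type, flags = struct.unpack("!HBBB", bpdu[:5])
    if proto != 0:
        raise ValueError("protocol identifier is not 0; not an STP BPDU")
    root_id = bpdu[5:13]
    (root_path_cost,) = struct.unpack("!I", bpdu[13:17])
    bridge_id = bpdu[17:25]
    port_id, msg_age, max_age, hello, fwd_delay = struct.unpack("!HHHHH", bpdu[25:35])
    return {
        "version": version,                       # 0 = STP, 2 = RSTP, 3 = MST
        "type": bpdu_type,                        # 0x00 config, 0x80 TCN, 0x02 RST/MST
        "topology_change": bool(flags & 0x01),
        "root_priority": struct.unpack("!H", root_id[:2])[0],
        "root_mac": root_id[2:].hex(":"),         # the root bridge's base MAC, in the clear
        "root_path_cost": root_path_cost,         # how far the sender is from the root
        "bridge_priority": struct.unpack("!H", bridge_id[:2])[0],
        "bridge_mac": bridge_id[2:].hex(":"),
        "port_id": port_id,
        "message_age_s": msg_age / 256,           # timers are carried in 1/256 s units
        "max_age_s": max_age / 256,
        "hello_s": hello / 256,
        "forward_delay_s": fwd_delay / 256,
    }


def root_guard_violation(bpdu: bytes, current_root_id: bytes) -> bool:
    """True if the BPDU advertises a root ID better (numerically lower) than the root we already know.

    Bridge IDs are big-endian, so a byte-wise comparison is the same as comparing 64-bit integers.
    This is the superiority test behind root guard: such a BPDU on a designated port puts the
    port into the root-inconsistent state instead of letting the sender become root.
    """
    return bpdu[5:13] < current_root_id


# Constructed sample BPDUs (MAC addresses are made up).
# Legitimate root: priority 32768, sent by a bridge with priority 32769 (32768 + VLAN 1).
LEGIT_BPDU = bytes.fromhex(
    "0000" "00" "00" "00"          # protocol id, version, type (config), flags
    "8000" "000ab7000001"          # root ID: priority 0x8000, root MAC
    "00000004"                     # root path cost
    "8001" "000ab7112234"          # sending bridge ID
    "8001"                         # port ID
    "0100" "1400" "0200" "0f00"    # message age 1 s, max age 20 s, hello 2 s, forward delay 15 s
)
# Rogue bridge claiming priority 0 and naming itself as root: a superior BPDU.
ROGUE_BPDU = bytes.fromhex(
    "0000" "00" "00" "00"
    "0000" "001122334455"
    "00000000"
    "0000" "001122334455"
    "8001"
    "0000" "1400" "0200" "0f00"
)

CURRENT_ROOT_ID = LEGIT_BPDU[5:13]   # the root ID this switch currently believes in

if __name__ == "__main__":
    for name, bpdu in [("legit", LEGIT_BPDU), ("rogue", ROGUE_BPDU)]:
        fields = parse_bpdu(bpdu)
        print(f"{name}: root {fields['root_priority']}/{fields['root_mac']}, "
              f"from {fields['bridge_priority']}/{fields['bridge_mac']}, "
              f"superior={root_guard_violation(bpdu, CURRENT_ROOT_ID)}")
```

What the decode shows is the whole of the disclosure: the root bridge's priority and MAC, the sender's priority and MAC, its distance from the root, and the timers. That is enough to know which box to target, which is why the same post pairs "not much information" with rootguard and bpduguard; the rogue frame above is exactly the case root guard exists for.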

Thanks for all of your insight. I am going to leave STP on. It does not seem to consume bandwidth at all. All of the explanations provided made sense. This one was the most concise.

Good Day!
