cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
338
Views
10
Helpful
7
Replies

STP and some L2 security

Antonio_1_2
Level 1
Level 1

Hello,

I have a few questions regarding STP and L2 security in general.

1)

I read in books that STP sends its BPDU packets via VLAN 1 untagged, but when I used Ethereal sniffer I

found out that BPDU packets are tagged with VLAN for which it sends information about (PVST+).

(i.e for vlan 10 BPDU are tagged with VLAN 10..etc). So when does STP use VLAN 1?

2)

I need two L2 redundant links between two locations. If ISP give me two L2 access port in order to connect

those two loacations would STP work and block one of the links (suppose that I use VLAN 100

on my side and ISP uses VLAN 200 in its core). I tested this scenario in LAB and it works but

I don't know why is it so theoreticaly. I thought that swiches would ignore BPDU-s that come from different VLAN.

3)

UDLD is used if one direction on optical fiber (Rx or Tx) is broken. But if I disconnect from port one of the links, i.e I pull

out RX link and Tx stays in, the ports on both sides of the cable go down. I tested that on new swtiches, but isn't then UDLD feature

sufficient. It seems that ports always go down if only one direction is disconnected so STP can't make a loop.

Were my test an cocnlusion regular?

Thanks in advance,

regards,

A

7 Replies 7

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Antonio,

Happy new year !

1) the question is what STP type:

old STP 802.1D is mono instance and sends out its BPDUs untagged

PVST+ tunnels its BPDUs for all instances using the right vlan-id and putting a vlan-id field inside that gives a consistency check (if external vlan-id is is different then internal something strange and the port is disabled but only if it is a trunk)

MST sends BPDUs only on the IST with fields for all instances

2) as said above if the ports are access ports (non trunks) legacy BPDUs 802.1D are used and no consistency check is performed so you can connect a port in vlan100 with one in vlan 200.

Or the provider is doing 802.1Q tunneling with L2 tunneling

3) you may provide more details however UDLD triggers also on a congested link for example.

UDLD is too slow for Rapid STP both RPVST and MST.

Hope to help

Giuseppe

Thank you Giuseppe

Happy new year.

A

And just one more question: 802.1D STP and MST uses VLAN 1 for coummunication via BPDU? Or it uses native VLAN which can be defined via switchport trunk native vlan command?

regards,

A

Hello Antonio,

MST will use one vlan associated to the IST

802.1D STP should use the native vlan on trunk

Hope to help

Giuseppe

I ask that because I wanted to know would STP work if that VLAN (used for BPDU) was removed from the trunk that connects two switches.

regards,

A

Hello Antonio,

a very useful document that collects very useful data about L2 protocols

http://www.cisco.com/en/US/products/hw/switches/ps700/products_white_paper09186a00801b49a4.shtml#pre4

if the port is a trunk it should detect a Vlan mismatch as I described in previous posts or you have configured 802.1Q tunneling ?

Hope to help

Giuseppe

Thanks Giuseppe.

A

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco