Enhancing STP and Configuring STP Protection Functions part 2

30 0 0 0

BPDU Protection

2.1 Context
 

http://image.hw3static.com/hi/showimage-15712497-432623-4103cdb858bda4f8bd0995e30f6ced09.jpg


Edge ports are directly connected to user terminals and generally do not receive BPDUs. If a switch is attacked by forged BPDUs, edge ports will receive the forged BPDUs. The switch automatically configures the edge ports as non-edge ports and triggers a new spanning tree calculation, resulting in a network flapping.
BPDU protection can be used to protect switches against attacks by sending forged BPDUs.

2.2 Basic Concepts
 

http://image.hw3static.com/hi/showimage-15712507-432623-df5516296e9f4fa68b5636d3907f2188.jpg


After BPDU protection is enabled on a switch, the switch shuts down the edge port that receives BPDUs and informs the NMS simultaneously. By default, BPDU protection is disabled on a switch.

3. Configuration and Implementation

http://image.hw3static.com/hi/showimage-15712513-432623-dd0ef2c0629f17e8aa6392af5c6e3c0c.jpg

 

On SW3, configure GE0/0/1 as an edge port and enable BPDU protection.
When GE0/0/1 on SW3 receives BPDUs, SW3 generates the following information and shuts down GE0/0/1:

[code lang="Console"]
Apr  3 2014 11:09:41 SW3 %MSTP/4/BPDU_PROTECTION(l)[6]:This edged-port GigabitEthernet0/0/1 that enabled BPDU-Protection will be shutdown, because it received BPDU packet!
Apr  3 2014 11:09:41 S9300-1 %IFPDT/4/IF_STATE(l)[7]:Interface GigabitEthernet6/0/1 has turned into DOWN state.
[/code]



[SW3] display stp interface GigabitEthernet 0/0/1

----[Port26(GigabitEthernet0/0/1)] [DOWN]----
 Port Protocol            :Enabled
 Port Role                 :Disabled Port
 Port Priority             :128
 Port Cost(Dot1T )     :Config=auto / Active=200000000
 Designated Bridge/Port   :0.0025-9ef8-9e7d / 128.3
 Port Edged              :Config=enabled / Active=enabled
 BPDU-Protection      :Enabled
 Point-to-point          :Config=auto / Active=false
 Transit Limit           :147 packets/s
 Protection Type       :None
 Port STP Mode        :MSTP 
 Port Protocol Type     :Config=auto / Active=dot1s
 BPDU Encapsulation   :Config=stp / Active=stp
 PortTimes                 :Hello 2s MaxAge 20s FwDly 15s RemHop 20
… …


To enable GE0/0/1, run the undo shutdown command or configure port auto recovery.

Run the error-down auto-recovery cause cause-item interval interval-value command in the system view to enable ports to automatically go Up and set the auto recovery delay. The value of interval interval-value is an integer that ranges from 30 to 86400, in seconds. Note the following points when setting this parameter:
A smaller value indicates a shorter delay for a port to go Up automatically and a higher frequency at which a port alternates between Up and Down.
A larger value indicates a longer delay for a port to go Up automatically and longer traffic interruption.

To learn more: 


Enhancing STP and Configuring STP Protection Functions part 1

  • x
  • convention:

Reply

Reply
You need to log in to reply to the post Login | Register

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."
If the attachment button is not available, update the Adobe Flash Player to the latest version!

Login and enjoy all the member benefits

Login
Fast reply Scroll to top