BPDU Protection
2.1 Context
Edge ports are directly connected to user terminals and generally do not receive BPDUs. If a switch is attacked with forged BPDUs, its edge ports receive them. The switch then automatically reconfigures those edge ports as non-edge ports and triggers a new spanning tree calculation, resulting in network flapping.
BPDU protection can be used to protect switches against attacks that send forged BPDUs.
2.2 Basic Concepts
After BPDU protection is enabled on a switch, the switch shuts down any edge port that receives BPDUs and at the same time notifies the NMS. By default, BPDU protection is disabled on a switch.
3. Configuration and Implementation
On SW3, configure GE0/0/1 as an edge port and enable BPDU protection.
When GE0/0/1 on SW3 receives BPDUs, SW3 generates the following log messages and shuts down GE0/0/1:
[code lang="Console"]
Apr 3 2014 11:09:41 SW3 %MSTP/4/BPDU_PROTECTION(l)[6]:This edged-port GigabitEthernet0/0/1 that enabled BPDU-Protection will be shutdown, because it received BPDU packet!
Apr 3 2014 11:09:41 S9300-1 %IFPDT/4/IF_STATE(l)[7]:Interface GigabitEthernet6/0/1 has turned into DOWN state.
[/code]
[code lang="Console"]
[SW3] display stp interface GigabitEthernet 0/0/1
----[Port26(GigabitEthernet0/0/1)][DOWN]----
Port Protocol          :Enabled
Port Role              :Disabled Port
Port Priority          :128
Port Cost(Dot1T )      :Config=auto / Active=200000000
Designated Bridge/Port :0.0025-9ef8-9e7d / 128.3
Port Edged             :Config=enabled / Active=enabled
BPDU-Protection        :Enabled
Point-to-point         :Config=auto / Active=false
Transit Limit          :147 packets/s
Protection Type        :None
Port STP Mode          :MSTP
Port Protocol Type     :Config=auto / Active=dot1s
BPDU Encapsulation     :Config=stp / Active=stp
PortTimes              :Hello 2s MaxAge 20s FwDly 15s RemHop 20
… …
[/code]
To bring GE0/0/1 Up again, run the undo shutdown command on the interface or configure port auto recovery.
Run the error-down auto-recovery cause cause-item interval interval-value command in the system view to enable error-down ports to go Up automatically and to set the auto recovery delay. The value of interval interval-value is an integer from 30 to 86400, in seconds. Note the following points when setting this parameter:
A smaller value means a shorter delay before a port goes Up automatically, but a higher frequency at which the port alternates between Up and Down while forged BPDUs keep arriving.
A larger value means a longer delay before a port goes Up automatically and therefore a longer traffic interruption.
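An added example, not part of the original page, showing how a monitoring script can pick the BPDU_PROTECTION log line shown above out of a syslog feed and flag a port that is repeatedly shut down: once auto recovery is configured, a port that error-downs again shortly after every recovery is the signature of a forged-BPDU source that is still connected. The sample log lines are constructed from the page's message format, and the regular expression assumes that exact message text.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the VRP-style BPDU protection shutdown message shown on the page.
BPDU_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"%MSTP/4/BPDU_PROTECTION\(l\)\[\d+\]:This edged-port (?P<port>\S+) that enabled "
    r"BPDU-Protection will be shutdown, because it received BPDU packet!"
)

# Constructed sample: the page's event, then repeats every 30 s (error-down
# auto-recovery interval 30 assumed), plus one unrelated line and one other port.
SAMPLE_LOG = [
    "Apr 3 2014 11:09:41 SW3 %MSTP/4/BPDU_PROTECTION(l)[6]:This edged-port GigabitEthernet0/0/1 that enabled BPDU-Protection will be shutdown, because it received BPDU packet!",
    "Apr 3 2014 11:09:41 SW3 %IFPDT/4/IF_STATE(l)[7]:Interface GigabitEthernet0/0/1 has turned into DOWN state.",
    "Apr 3 2014 11:10:12 SW3 %MSTP/4/BPDU_PROTECTION(l)[8]:This edged-port GigabitEthernet0/0/1 that enabled BPDU-Protection will be shutdown, because it received BPDU packet!",
    "Apr 3 2014 11:10:43 SW3 %MSTP/4/BPDU_PROTECTION(l)[9]:This edged-port GigabitEthernet0/0/1 that enabled BPDU-Protection will be shutdown, because it received BPDU packet!",
    "Apr 3 2014 11:11:14 SW3 %MSTP/4/BPDU_PROTECTION(l)[10]:This edged-port GigabitEthernet0/0/1 that enabled BPDU-Protection will be shutdown, because it received BPDU packet!",
    "Apr 3 2014 11:30:00 SW3 %MSTP/4/BPDU_PROTECTION(l)[11]:This edged-port GigabitEthernet0/0/2 that enabled BPDU-Protection will be shutdown, because it received BPDU packet!",
]


def parse_bpdu_events(lines):
    """Return (timestamp, host, port) for every BPDU protection shutdown line."""
    events = []
    for line in lines:
        m = BPDU_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
            events.append((ts, m.group("host"), m.group("port")))
    return events


def flapping_ports(lines, window_s, threshold):
    """Map (host, port) -> max number of shutdowns seen inside any window_s-second
    span, for ports reaching threshold. Repeated shutdowns at roughly the
    auto-recovery interval mean the forged-BPDU source is still attached."""
    by_port = defaultdict(list)
    for ts, host, port in parse_bpdu_events(lines):
        by_port[(host, port)].append(ts)
    flagged = {}
    for key, stamps in by_port.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):          # sliding window over sorted times
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged
```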