Enhancing STP and Configuring STP Protection Functions part 2

BPDU Protection

2.1 Context
 

Edge ports are directly connected to user terminals and generally do not receive BPDUs. If a switch is attacked by forged BPDUs, edge ports will receive the forged BPDUs. The switch automatically configures the edge ports as non-edge ports and triggers a new spanning tree calculation, resulting in a network flapping.
BPDU protection can be used to protect switches against attacks by sending forged BPDUs.

2.2 Basic Concepts
 

After BPDU protection is enabled on a switch, the switch shuts down the edge port that receives BPDUs and informs the NMS simultaneously. By default, BPDU protection is disabled on a switch.

3. Configuration and Implementation

 

On SW3, configure GE0/0/1 as an edge port and enable BPDU protection.
When GE0/0/1 on SW3 receives BPDUs, SW3 generates the following information and shuts down GE0/0/1:

[code lang="Console"]
Apr  3 2014 11:09:41 SW3 %MSTP/4/BPDU_PROTECTION(l)[6]:This edged-port GigabitEthernet0/0/1 that enabled BPDU-Protection will be shutdown, because it received BPDU packet!
Apr  3 2014 11:09:41 S9300-1 %IFPDT/4/IF_STATE(l)[7]:Interface GigabitEthernet6/0/1 has turned into DOWN state.
[/code]

[SW3] display stp interface GigabitEthernet 0/0/1
----[Port26(GigabitEthernet0/0/1)] [DOWN]----
 Port Protocol            :Enabled
 Port Role                 :Disabled Port
 Port Priority             :128
 Port Cost(Dot1T )     :Config=auto / Active=200000000
 Designated Bridge/Port   :0.0025-9ef8-9e7d / 128.3
 Port Edged              :Config=enabled / Active=enabled
 BPDU-Protection      :Enabled
 Point-to-point          :Config=auto / Active=false
 Transit Limit           :147 packets/s
 Protection Type       :None
 Port STP Mode        :MSTP 
 Port Protocol Type     :Config=auto / Active=dot1s
 BPDU Encapsulation   :Config=stp / Active=stp
 PortTimes                 :Hello 2s MaxAge 20s FwDly 15s RemHop 20
… …

To enable GE0/0/1, run the undo shutdown command or configure port auto recovery.

Run the error-down auto-recovery cause cause-item interval interval-value command in the system view to enable ports to automatically go Up and set the auto recovery delay. The value of interval interval-value is an integer that ranges from 30 to 86400, in seconds. Note the following points when setting this parameter:
A smaller value indicates a shorter delay for a port to go Up automatically and a higher frequency at which a port alternates between Up and Down.
A larger value indicates a longer delay for a port to go Up automatically and longer traffic interruption.

To learn more: