Thursday, February 13, 2014

Advanced STP BPDU Filter


Lessons Learned:

BPDU Filter:

Filters BPDUs in and out: the filter drops BPDUs as they arrive on the interface and stops the switch sending any out of it.

The command can be configured per interface or globally, and the two forms behave differently. On an interface it simply disables spanning-tree on that port. Globally it only applies to ports running PortFast, and it is conditional (see below): the port stops sending BPDUs but still listens for them.

Typically used at the access layer on ports that face end hosts. Dropping inbound BPDUs on such a port means a device plugged in there cannot inject BPDUs to influence the topology (the usual starting point for an L2 man-in-the-middle or STP denial-of-service attack), and dropping outbound BPDUs means we don't hand out information such as who the root bridge is, bridge IDs and timers. The trade-off is that a port with no STP at all will never detect a loop either, so the interface-level form belongs only on ports where a switch can never legitimately appear.

Configure feature:

(config)#interface Gi0/1
(config-if)#spanning-tree bpdufilter enable

Verify at the interface level.

The detail output shows whether the filter is active on the port and carries the BPDU counters, so you can see whether the interface is still sending or receiving BPDUs:

#sh spanning-tree int gi0/1 detail | in BPDU

Note that include is case-sensitive: the counter line reads "BPDU: sent X, received Y", while the filter status line reads "Bpdu filter is enabled", so check both lines (or read the full detail output) rather than relying on the counters alone.

You can also run BPDU filter globally, in conjunction with PortFast. First enable PortFast by default:

#spanning-tree portfast default

This puts every port that is not trunking into PortFast; trunk links are left alone.

Verify:
#sh spanning-tree int gi0/1 portfast

(shows whether PortFast is enabled or disabled on the port)

Then enable the filter globally as well:

#spanning-tree portfast bpdufilter default

This means that any interface operating in PortFast mode stops sending BPDUs out (it still sends a handful at link-up before going quiet, so a small sent counter on such a port is normal).

If configured at the link level, BPDUs are dropped in both directions, unconditionally.

If configured globally, only outbound BPDUs are filtered, and only on PortFast ports; inbound BPDUs are still processed.

That last point is what makes the global form safe to automate. If the device on the other side starts sending BPDUs, the port receives them, loses its PortFast status and with it the global filter, and becomes a normal spanning-tree port. So if you combine portfast default with portfast bpdufilter default, the switch works out for itself which ports are edge ports: every non-trunk port starts as a PortFast port that receives no BPDUs and therefore sends none, and any port on which BPDUs do arrive is taken out of PortFast and runs spanning-tree normally. That is how the switch decides whether it should or should not be running spanning-tree on a particular port.

Basically this automates which interfaces should or should not run PortFast.

This automatic fallback is the potential security issue. A port that drops back into normal spanning-tree negotiates with whatever sent the BPDUs, so an attacker who plugs in a switch (or a host that speaks STP) is not kept out: with a low enough bridge priority they can make themselves root and pull traffic through their own device, which is the classic L2 man-in-the-middle. BPDU filter hides the topology from hosts and stops PortFast ports talking STP; it is not the feature that locks a port down. Where a BPDU on an access port should never happen, have the port shut down on receipt (BPDU guard) instead of quietly joining the tree.
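As an added example, not taken from the original post, here is a small Python audit that encodes the distinction above. It reads a constructed running-config excerpt and constructed `show spanning-tree interface ... detail` output, works out for each port whether the configuration filters BPDUs in both directions (interface-level), outbound only (global default on a PortFast port) or not at all, and flags the two conditions a practitioner would want to catch: the interface-level filter, where STP is silently off, and a global-mode edge port that has received BPDUs and fallen back into normal spanning-tree. The interface names, counters and the trimmed output lines are assumptions made up for the example.

```python
import re

# Constructed running-config excerpt (not from the post), three port styles:
# Gi0/1 interface-level filter, Gi0/2 global defaults only, Gi0/3 a trunk.
RUNNING_CONFIG = """\
spanning-tree portfast default
spanning-tree portfast bpdufilter default
!
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/3
 switchport mode trunk
"""

# Constructed 'show spanning-tree interface <x> detail' output, trimmed to the
# lines the audit reads. Gi0/2 has received BPDUs, so its "portfast mode" and
# "Bpdu filter" lines are gone: it has fallen back to normal STP.
SHOW_STP_DETAIL = """\
 Port 1 (GigabitEthernet0/1) of VLAN0010 is designated forwarding
   The port is in the portfast mode
   Bpdu filter is enabled
   BPDU: sent 0, received 0
 Port 2 (GigabitEthernet0/2) of VLAN0010 is root forwarding
   BPDU: sent 11, received 412
 Port 3 (GigabitEthernet0/3) of VLAN0010 is designated forwarding
   BPDU: sent 5120, received 1
"""


def parse_config(text):
    """Global portfast/bpdufilter defaults plus the per-port STP lines."""
    cfg = {"portfast_default": False, "bpdufilter_default": False, "interfaces": {}}
    current = None
    for line in text.splitlines():
        if not line.startswith(" "):                    # global config line
            m = re.match(r"interface (\S+)$", line)
            current = m.group(1) if m else None
            if m:
                cfg["interfaces"][current] = {
                    "trunk": False, "portfast": None, "bpdufilter": None}
            elif line == "spanning-tree portfast default":
                cfg["portfast_default"] = True
            elif line == "spanning-tree portfast bpdufilter default":
                cfg["bpdufilter_default"] = True
        elif current:
            port, words = cfg["interfaces"][current], line.split()
            if words == ["switchport", "mode", "trunk"]:
                port["trunk"] = True
            elif words[:2] == ["spanning-tree", "portfast"]:
                port["portfast"] = "disable" not in words    # explicit on/off
            elif words[:2] == ["spanning-tree", "bpdufilter"]:
                port["bpdufilter"] = words[2]               # 'enable'/'disable'
    return cfg


def parse_stp_detail(text):
    """Operational portfast/filter state and BPDU counters per port."""
    state, port = {}, {}
    for line in text.splitlines():
        head = re.match(r"\s*Port \d+ \((\S+)\) of \S+ is ", line)
        counters = re.search(r"BPDU: sent (\d+), received (\d+)", line)
        if head:
            state[head.group(1)] = port = {"portfast_oper": False,
                                           "filter_oper": False,
                                           "sent": 0, "received": 0}
        elif "The port is in the portfast" in line:
            port["portfast_oper"] = True
        elif "Bpdu filter is enabled" in line:
            port["filter_oper"] = True
        elif counters:
            port["sent"], port["received"] = map(int, counters.groups())
    return state


def filter_scope(cfg, name):
    """'in-and-out' (interface-level, STP off), 'out-only' (global default on
    a PortFast port, inbound BPDUs still honoured) or 'none'."""
    port = cfg["interfaces"][name]
    if port["bpdufilter"] is not None:
        return "in-and-out" if port["bpdufilter"] == "enable" else "none"
    edge = port["portfast"]
    if edge is None:                       # no explicit setting: global default
        edge = cfg["portfast_default"] and not port["trunk"]
    return "out-only" if edge and cfg["bpdufilter_default"] else "none"


def audit(config_text, detail_text):
    """Return (interface, severity, message) for ports worth a second look."""
    cfg, state = parse_config(config_text), parse_stp_detail(detail_text)
    findings = []
    for name in cfg["interfaces"]:
        scope, oper = filter_scope(cfg, name), state.get(name, {})
        if scope == "in-and-out":
            findings.append((name, "HIGH", "interface-level bpdufilter: BPDUs "
                "dropped both ways, STP is off, a loop or switch here is never seen"))
        elif (scope == "out-only" and oper.get("received", 0) > 0
              and not oper.get("portfast_oper")):
            findings.append((name, "MEDIUM", "edge port received BPDUs and fell "
                "back to normal STP; confirm a switch belongs on this port"))
    return findings
```

To use it on a real switch, replace the two constants with text captured from the running-config and from the detail command; `audit()` returns a list of (interface, severity, message) tuples, which for the sample data flags Gi0/1 as HIGH (STP silently off) and Gi0/2 as MEDIUM (edge port now talking STP with its neighbour) and leaves the trunk alone. The parser only depends on the `Port N (name) of VLANx is ...`, `The port is in the portfast ...`, `Bpdu filter is enabled` and `BPDU: sent N, received N` lines.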
