STP Security Features Notes

STP Security Features

BPDU Guard

 – Checks for any incoming BPDUs

 – Will block any port that receives a BPDU

     -> The port is err-disabled

 – Global configuration

     -> Only affects ports configured for portfast

SW1(config)# spanning-tree portfast bpduguard default

 – Interface configuration

     -> Portfast not required

     -> The “no” form of the command is used to disable BPDU Guard on the interface when it is configured globally

SW1(config)# int fa0/1

SW1(config-if)# spanning-tree bpduguard enable

BPDU Filter

 – Global configuration

     -> Stops sending BPDUs out all interfaces configured for portfast

     -> If a BPDU is received

          -> Disables portfast

          -> Starts listening / learning procedure

SW1(config)# spanning-tree portfast bpdufilter default

 – Interface configuration

     -> Stops sending BPDUs on the interface

     -> Ignores received BPDUs

SW1(config)# int fa0/1

SW1(config-if)# spanning-tree bpdufilter enable

If BPDU Guard and BPDU Filter are configured on the same interface

 – Stops sending BPDUs out the interface

 – The interface is err-disabled if a BPDU is received

Root Guard

 – Interface configuration

     -> Examines incoming BPDUs

     -> If a superior BPDU is received, the port is err-disabled

     -> Root inconsistent mode

     -> Recommended for edge switches

          -> Can be configured on the root switch

SW1(config)# int fa0/1

SW1(config-if)# spanning-tree guard root

Loop Guard

 – On a non-designated port (blocking)

     -> If BPDUs are no longer received, the port is err-disabled

Unidirectional Link Detection (UDLD)

 – Can be configured on any link between two ports

 – Has a hello mechanism to check tx & rx

     -> Sent every 15 seconds

     -> If 3 consecutive hellos are missed, an action is taken

          -> udld mode normal

               -> Syslog message

               -> SNMP trap sent (if configured)

          -> udld mode aggressive

               -> Starts sending hellos every second for 8 seconds

               -> If no hellos are received, the port is err-disabled

 – Global configuration

SW1(config)# udld mode { aggressive | normal }

 – Interface configuration

SW1(config)# int fa0/1

SW1(config-if)# udld mode { aggressive | normal }
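The features above are usually deployed together rather than one at a time. The following is an added example, not part of the original notes: a baseline hardening template for a Catalyst access switch that places each feature on the port role it protects and adds automatic err-disable recovery plus the show commands used to verify the result. It assumes Catalyst IOS syntax; the interface names, descriptions and the 300-second recovery interval are illustrative placeholders. BPDU Filter is deliberately left out of the template, because filtering BPDUs on a port also removes the signal that BPDU Guard, Root Guard and Loop Guard depend on.

```cisco
! Added example (not from the original notes), Catalyst IOS syntax assumed.
! Interface names and the recovery interval are placeholders.
!
! --- Global: every PortFast (host-facing) port gets BPDU Guard ---
spanning-tree portfast default
spanning-tree portfast bpduguard default
! Loop Guard on all non-designated ports: a lost BPDU stream cannot open a loop
spanning-tree loopguard default
! Recover err-disabled ports automatically after 300 s instead of a manual shut / no shut
errdisable recovery cause bpduguard
errdisable recovery cause udld
errdisable recovery interval 300
!
! --- Host-facing access port: PortFast, BPDU Guard inherited from the global default ---
interface FastEthernet0/1
 description HOST-FACING
 switchport mode access
 spanning-tree portfast
!
! --- Downlink toward an edge switch: Root Guard so the edge switch can never become root ---
interface GigabitEthernet0/1
 description DOWNLINK-TO-EDGE
 switchport mode trunk
 spanning-tree guard root
!
! --- Uplink toward the core: Loop Guard plus aggressive UDLD on the fibre link ---
interface GigabitEthernet0/2
 description UPLINK-TO-CORE
 switchport mode trunk
 spanning-tree guard loop
 udld port aggressive
!
! --- Verification (exec mode) ---
! show spanning-tree summary             -> which guards are enabled globally
! show spanning-tree inconsistentports   -> root- and loop-inconsistent ports
! show interfaces status err-disabled    -> ports taken down by BPDU Guard or UDLD
! show errdisable recovery               -> recovery causes and timer
! show udld neighbors                    -> UDLD peers seen in both directions
```

Root Guard and Loop Guard are mutually exclusive on a single interface, which is why the template puts Root Guard on the downlink (where a superior BPDU would be an attack or a misconfiguration) and Loop Guard on the uplink (where a lost BPDU stream would otherwise unblock the port). The interface-level `udld port aggressive` is the Catalyst IOS form of the aggressive mode described in the notes.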

