{"id":827,"date":"2021-08-20T03:08:57","date_gmt":"2021-08-20T03:08:57","guid":{"rendered":"http:\/\/feralpacket.org\/?p=827"},"modified":"2021-08-20T03:08:57","modified_gmt":"2021-08-20T03:08:57","slug":"stp-security-features-notes","status":"publish","type":"post","link":"https:\/\/feralpacket.org\/?p=827","title":{"rendered":"STP Security Features Notes"},"content":{"rendered":"

STP Security Features<\/span><\/p>\n

BPDU Guard<\/span><\/p>\n

 – Checks for any incoming BPDUs<\/p>\n

 – Will block any port that receives a BPDU<\/p>\n

     -> The port is err-disabled<\/p>\n

 – Global configuration<\/p>\n

     -> Only affects ports configured for portfast<\/p>\n

SW1(config)# spanning-tree portfast bpduguard default<\/span><\/p>\n

 – Interface configuration<\/p>\n

     -> Portfast not required<\/p>\n

     -> \u201cno\u201d command used to disable BPDU Guard on the interface if it is configured globally<\/p>\n

SW1(config)# int fa0\/1<\/span><\/p>\n

 spanning-tree bpduguard enable<\/span><\/p>\n

BPDU Filter<\/span><\/p>\n

  – Global configuration<\/p>\n

     -> Stops sending BPDUs out all interfaces configured for portfast<\/p>\n

     -> If BPDU is received<\/p>\n

          -> Disables portfast<\/p>\n

          -> Starts listening \/ learning procedure<\/p>\n

SW1(config)# spanning-tree portfast bpdufilter default<\/span><\/p>\n

 – Interface configuration<\/p>\n

     -> Stops sending BPDUs on the interface<\/p>\n

     -> Ignores received BPDUs<\/p>\n

SW1(config)# int fa0\/1<\/span><\/p>\n

 spanning-tree bpdufilter enable<\/span><\/p>\n

If BPDU Guard and BPDU Filter are configured on the same interface<\/p>\n

 – Stops sending BPDUs out the interface<\/p>\n

 – The interface is err-disabled if a BPDU is received<\/p>\n

Root Guard<\/span><\/p>\n

 – Interface configuration<\/p>\n

     -> Exams incoming BPDUs<\/p>\n

     -> If a superior BPDU is received, the port is err-disabled<\/p>\n

     -> Root inconsistant mode<\/p>\n

     -> Recommended for edge switches<\/p>\n

          -> Can be configured on the root switch<\/p>\n

SW1(config)# int fa0\/1<\/span><\/p>\n

 spanning-tree guard root<\/span><\/p>\n

Loop Guard<\/span><\/p>\n

 – On a non-designated port (blocking)<\/p>\n

     -> If BPDUs are no longer received, the port is err-disabled<\/p>\n

Unidirectional Link Detection (UDLD)<\/span><\/p>\n

 – Can be configured on any link between two ports<\/p>\n

 – Has hello mechanism to check tx & rx<\/p>\n

     -> Sent every 15 seconds<\/p>\n

     -> If 3 consecutive hellos are missed, an action is taken<\/p>\n

          -> udld mode normal<\/p>\n

               -> Syslog message<\/p>\n

               -> SNMP trap sent (if configured)<\/p>\n

          -> udld mode aggressive<\/p>\n

               -> Starts sending hellos every second for 8 seconds<\/p>\n

               -> If no hellos are received, the port is err-disabled<\/p>\n

 – Global configuration<\/p>\n

SW1(config)# udld mode { aggressive | normal }<\/span><\/p>\n

 – Interface configuration<\/p>\n

SW1(config)#  int fa0\/1<\/span><\/p>\n

 udld mode { aggressive | normal }<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

STP Security Features<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[31,61,15],"class_list":["post-827","post","type-post","status-publish","format-standard","hentry","category-ccie","tag-published","tag-spanning-tree","tag-stp"],"_links":{"self":[{"href":"https:\/\/feralpacket.org\/index.php?rest_route=\/wp\/v2\/posts\/827","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/feralpacket.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/feralpacket.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/feralpacket.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/feralpacket.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=827"}],"version-history":[{"count":1,"href":"https:\/\/feralpacket.org\/index.php?rest_route=\/wp\/v2\/posts\/827\/revisions"}],"predecessor-version":[{"id":972,"href":"https:\/\/feralpacket.org\/index.php?rest_route=\/wp\/v2\/posts\/827\/revisions\/972"}],"wp:attachment":[{"href":"https:\/\/feralpacket.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=827"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/feralpacket.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=827"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/feralpacket.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=827"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}