BPDU Filter Lab Tips

  • BPDU Filter at the Interface Level will stop BPDU from being received on that interface and sent out on that interface.
  • BPDU Filter at the Global Level will stop BDPUs from being sent out on all portfast enabled interfaces (it will send a few initially though to detect if the other device is running spanning tree). It should also be noted that it does not filter BPDU it if it is received on the interface, this is because if it is received the port will lose it’s portfast status anyways.
  • spanning-tree portfast default & spanning-tree bpdufilter default at the Global Level will allow the switch to automatically figure which interfaces should be edge ports by looking at interfaces where BPDUs are not coming in, which in turn means we will not send BPDUs out (BPDU filter). If we do recieve BPDU inbound, we will take this port out of portfast and disable the bpdufilter. Overall we figure out which interfaces should run portfast and which ones should not and then for the ones that are running portfast, we will kick in bdpufilter so that we do not send spanning tree information down the link (as there should be no reason too as these should be hosts etc and not switches on the other end of the link). running these two features together leaves you open to a layer 2 man-in-the-middle attack whereby the attacker becomes the root so that traffic is transit and can be sniffed.
The below URL is a link to an excellent video from INE describing the above.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: