BPDU Filter Lab Tips

  • BPDU Filter at the Interface Level will stop BPDUs from being received on that interface and from being sent out of that interface.
  • BPDU Filter at the Global Level will stop BPDUs from being sent out on all portfast-enabled interfaces (it will send a few initially to detect whether the other device is running spanning tree). It should also be noted that it does not filter a BPDU if one is received on the interface; this is because if one is received the port loses its portfast status anyway.
  • spanning-tree portfast default & spanning-tree bpdufilter default at the Global Level will allow the switch to automatically figure out which interfaces should be edge ports by looking at the interfaces where BPDUs are not coming in, which in turn means we will not send BPDUs out (BPDU filter). If we do receive a BPDU inbound, we take this port out of portfast and disable the bpdufilter. Overall we figure out which interfaces should run portfast and which ones should not, and then for the ones that are running portfast we kick in bpdufilter so that we do not send spanning tree information down the link (as there should be no reason to, since these should be hosts etc. and not switches on the other end of the link). Running these two features together leaves you open to a layer 2 man-in-the-middle attack whereby the attacker becomes the root so that traffic is transit and can be sniffed.
The below URL is a link to an excellent video from INE describing the above.

STP Crib Notes

These are my ‘crib notes’ that I’ve made to serve as a last minute refresher. Please forgive the grammar / spelling as I did not develop these notes with publishing in mind.

STP

*** Theory ***

  • BPDU – Sent every 2 sec to the well-known multicast address 01-80-c2-00-00-00. 2 types of BPDU:
    • Topology change notification (TCN-BPDU) – Sent by any switch when one of its ports goes into forwarding, or goes from forwarding or learning mode to blocking mode. The switch sends the TCN towards the root bridge and each switch on the way acknowledges it. Portfast ports can’t generate TCNs.
    • Configuration – used for the actual STP calculation. Sent only by the root bridge and forwarded by the other bridges. The BPDU also carries the root bridge election. The root bridge is the boss of the STP timers & values.
  • BID – Bridge ID – made from the priority value and the MAC address. The MAC breaks the tie if all priorities are at the default value of 32768. The priority can be set manually. Lowest BID wins.
  • Root bridge – will always have all its ports in the designated forwarding state.
  • Non-root bridge – will have one port in blocking. The root port is the port used to get to the root bridge.
  • Root port – used by a non-root bridge to reach the root bridge. Selected by port cost (speed). The BPDU carries the root path cost; the port cost itself is locally significant.
    • Selection: Lowest BID > Lowest root path cost > Lowest sender BID > Lowest sender port ID
    • Port cost – E=100, FE=19, GE=4, 10GE=2. Can be changed in interface config mode for specific spanning-tree VLANs.
  • Port States
    • Disabled (Dis) – Administratively down
    • Blocking – Can only accept BPDUs
    • Listening – Can accept and send BPDUs only
    • Learning – Learning MAC addresses
    • Forwarding – Sends / receives BPDUs, frames etc.
  • Timers
    • Hello – Root bridge sends a configuration BPDU, 2 seconds by default
    • Forwarding delay – 15 seconds, listening + learning
    • Maximum age – 20 seconds, how long it holds a superior BPDU before discarding it
  • Load sharing – Can have VLANs 1-5 go over one port and 6-10 over another. Do this by manipulating port priority under the spanning tree configuration.
  • Port Fast – Used for host ports. Allows the port to go straight from blocking to forwarding.
  • Uplink Fast – Works on a group of ports: if one goes down, a new port goes straight to forwarding (for switch-to-switch links etc.). Use on access layer switches only! Takes 1 – 3 seconds. Can’t be configured on the root switch. Can’t be run on a per-VLAN basis.
  • Backbonefast – If SW1 is the primary root bridge and SW2 the secondary root bridge and both connect to SW3, and the link between SW1 and SW2 fails, SW3 gets BPDUs from both SW1 and SW2 claiming to be the root. SW3 compares priorities and ignores the higher-priority (inferior) BPDU. Once the max age on SW3’s port towards SW2 reaches 0, SW3 tells SW2 that SW1 is still the true root. Backbonefast skips the MaxAge stage, so the delay is cut from 50 to 30 sec. It uses a Root Link Query (RLQ) to check who the root bridge is for the local switch (used only in Backbonefast). Backbonefast needs to be enabled on all switches.
  • Root Guard – Configured at the port level and disqualifies downstream switches from becoming the root. If it receives a superior BPDU, it ignores it and puts the port into the root-inconsistent state.
  • BPDU Guard – Prevents another switch from connecting. Places the port in err-disable. Have to do a no shutdown manually once it is done. Runs with portfast only.
  • BPDU Filtering – Globally, it disables portfast when a BPDU is received. At the interface level, BPDUs are quietly ignored/dropped.
  • UDLD – Used to detect unidirectional links, e.g. on fibre. Two modes, one of which is aggressive. Sends eight ‘pings’ in 8 seconds; if there is no response it closes the port. It waits for the first received frame and then starts the 8 second timer.
  • Half duplex – Uses CSMA/CD rules (listens to the segment and sends frames)
  • Loop Guard – Prevents a port from going from blocking to forwarding, e.g. if the link between two switches goes unidirectional.
  • BPDU Skew Detection – BPDUs need to propagate fast. If they are too slow, this sends a notification.
  • RSTP (802.1W)
    • Transition
      • STP: disabled > blocking > listening > learning > forwarding. The root bridge sends a BPDU every 2 seconds; non-root switches forward it.
      • RSTP: discarding > learning > forwarding. All switches generate BPDUs, so every switch expects to see a BPDU from its neighbour; if 3 are missed the link is considered down. The switch then ages the information out, which cuts detection from 20 seconds in STP to 6 seconds in RSTP.
    • Port states / roles
      • Alternate – same as an STP blocked port
      • Backup – redundant path
      • Edge port – connects to a single host / like portfast
      • P2P port – connected to another switch in full duplex
  • PVST – Cisco proprietary. Runs STP per VLAN
  • PVST+ – PVST does not work well with common spanning-tree. This one works with .1Q instead of ISL
  • MST – Multiple Spanning-Tree: Up to 16 instances in a region (0-15). Instance 0 is the IST, which sends the MST BPDUs.
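As an added illustration (not from the original notes), the following Python decodes the 802.1D configuration BPDU fields listed above (BID = priority + MAC, root path cost, sender port ID, timers), applies the four-step selection order from the Root port bullet, and uses it to make the Root Guard decision on a rogue BPDU of the kind the BPDU Filter Lab Tips warn about. All MAC addresses, priorities and the sample BPDUs are constructed for the example.

```python
import struct
from dataclasses import dataclass

# 802.1D configuration BPDU body (35 bytes, big-endian): protocol ID, version, type,
# flags, root BID, root path cost, sender BID, port ID, message age, max age,
# hello time, forward delay. BIDs are 2-byte priority + 6-byte MAC, timers are
# carried in 1/256-second units.
BPDU_FMT = ">HBBB8sI8sHHHHH"

@dataclass(frozen=True)
class ConfigBPDU:
    root_id: bytes        # priority(2) + MAC(6) of the claimed root
    root_path_cost: int
    bridge_id: bytes      # priority(2) + MAC(6) of the sender
    port_id: int          # sender's port priority + port number
    max_age: int          # seconds
    hello: int
    fwd_delay: int

def bid(priority: int, mac: str) -> bytes:
    return struct.pack(">H", priority) + bytes.fromhex(mac.replace(":", ""))

def make_bpdu(root: bytes, cost: int, sender: bytes, port_id: int) -> bytes:
    # Constructed sample using the default timers from the notes (20 / 2 / 15 s).
    return struct.pack(BPDU_FMT, 0, 0, 0, 0, root, cost, sender, port_id,
                       0, 20 * 256, 2 * 256, 15 * 256)

def parse_config_bpdu(payload: bytes) -> ConfigBPDU:
    (proto, _ver, btype, _flags, root, cost, sender, port_id, _msg_age,
     max_age, hello, fwd_delay) = struct.unpack(BPDU_FMT, payload[:35])
    if proto != 0 or btype != 0:          # type 0x80 would be a TCN BPDU
        raise ValueError("not a configuration BPDU")
    return ConfigBPDU(root, cost, sender, port_id,
                      max_age // 256, hello // 256, fwd_delay // 256)

def priority_vector(b: ConfigBPDU) -> tuple:
    # Selection order from the notes: lowest root BID > lowest root path cost
    # > lowest sender BID > lowest sender port ID. Comparing the raw BID bytes
    # gives "lower priority wins, MAC breaks the tie" for free.
    return (b.root_id, b.root_path_cost, b.bridge_id, b.port_id)

def is_superior(new: ConfigBPDU, current: ConfigBPDU) -> bool:
    return priority_vector(new) < priority_vector(current)

def root_guard_decision(received: ConfigBPDU, best: ConfigBPDU) -> str:
    # Root Guard semantics: a superior BPDU on a guarded downstream port is
    # ignored and the port goes root-inconsistent; inferior BPDUs are harmless.
    return "root-inconsistent" if is_superior(received, best) else "ok"
```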

*** Commands ***

  • show spanning-tree interface: shows the STP port state per interface; handy for seeing the different port states for different VLANs