BPDU Guard

If you work in networking, you place the highest importance on protecting your network from risks such as switching loops, or any other problem in your switching architecture, and ultimately on keeping spanning tree running without interruption. In Spanning Tree Protocol the most important cog in the mechanism is the root bridge. Even a small change in the position of the root bridge causes service disruption on the network, with data and voice sessions timing out while the topology reconverges, and the usual cause of such an unplanned change is the injection of a superior BPDU.

Network attackers can launch different types of attack on Spanning Tree Protocol (STP). One type of STP attack is to inject superior BPDUs into the Layer 2 network. A superior BPDU is one that advertises a lower bridge ID (bridge priority followed by MAC address) than the current root bridge. In a stable network, BPDUs originate from the root bridge, which advertises its own bridge ID as the root, and every other switch relays them. If any other device sends a BPDU with a lower bridge ID, STP recalculation takes place and the device that sent it becomes the new root bridge; an attacker with nothing more than a cheap switch or a tool that crafts BPDUs can therefore force reconvergence and reshape the Layer 2 topology at will.

With STP active on a port, a newly connected port passes through the listening and learning states before it forwards traffic, so convergence can take a long time: 30 seconds for a port coming up (15 seconds listening plus 15 seconds learning), and up to about 50 seconds when the 20-second max-age timer also has to expire first. This is very high in networking terms, and in most cases it is a critical issue, especially for important network services such as VoIP and servers. If you know for certain that only a PC or server will ever be plugged into a particular port, you can activate PortFast. PortFast is the solution to the delay client computers see when they connect to a switch: a PortFast port skips listening and learning and goes straight to forwarding. Note that PortFast does not switch STP off on the port. The port still sends BPDUs and still processes any BPDU it receives, and on Cisco switches a PortFast port that receives a BPDU loses its PortFast status and falls back into the normal STP states. That is why PortFast alone does not protect you from someone plugging a switch into an access port.

BPDU Guard

BPDU Guard is designed to protect your switching network. A port configured with PortFast is meant to be connected to a device from which BPDUs are never expected: an end-user PC, a server or an access point. BPDU Guard puts such a port into the err-disabled (down) state if ANY type of BPDU is received on it. When enabled globally it applies only to ports that are operating with PortFast, which is why it is usually described as a PortFast feature; enabled on an individual interface it takes effect whether or not PortFast is configured there. When an unexpected BPDU arrives (for example, an end user plugs a switch into the jack in his cubicle) the port shuts down and enters the err-disabled state, and it stays there until an administrator bounces it or err-disable recovery has been configured for the BPDU Guard cause.

When enabled globally, this is a fantastic way to protect PortFast ports on access switches where you do not expect a switch to be plugged in.
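The configuration below is an added example and is not from the original post. It shows, for a Cisco IOS access switch, PortFast with BPDU Guard enabled globally for every PortFast port, BPDU Guard enabled explicitly on one access port, an uplink deliberately excluded, optional err-disable recovery, and the show commands used to confirm the result. The interface names, VLAN number and recovery interval are assumptions; the syslog lines quoted in the comments are representative of what the switch logs when the guard trips.

```cisco
! --- Added example (not from the original post); interface names, VLAN and timers are assumptions ---
! Global: treat every non-trunking port as an edge port and
! err-disable any PortFast port that receives a BPDU.
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Optional: bring err-disabled ports back after 5 minutes.
! Leave this out if you want a person to look at every trip first.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Per-interface form: the guard is tied to this port itself and keeps
! working even if PortFast is later removed from it.
interface GigabitEthernet1/0/10
 description User cubicle - single PC expected
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplinks must hear BPDUs, so PortFast and BPDU Guard stay off here
! even though both are enabled globally.
interface GigabitEthernet1/0/49
 description Uplink to distribution
 switchport mode trunk
 spanning-tree portfast disable
 spanning-tree bpduguard disable
!
! Verification from exec mode:
!   show spanning-tree summary                     -> "Portfast Default" and
!                                                     "PortFast BPDU Guard Default" are enabled
!   show spanning-tree interface gi1/0/10 detail   -> look for the "Bpdu guard" line
!   show interfaces status err-disabled            -> ports that have been tripped
!   show errdisable recovery                       -> bpduguard listed with the timer
!
! Representative syslog when a switch is plugged into Gi1/0/10:
!   %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/10
!       with BPDU Guard enabled. Disabling port.
!   %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/10, putting
!       Gi1/0/10 in err-disable state
```

Newer IOS and IOS-XE releases name the edge-port commands `spanning-tree portfast edge` and `spanning-tree portfast edge default`; the guard commands are unchanged. If you enable automatic recovery, feed the syslog messages above into your monitoring, because a port that trips repeatedly every five minutes is either a misconnected switch or someone testing what they can get away with.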

BPDU Filter

BPDU filter is a feature that stops a switch port from sending or receiving BPDUs. It can be configured globally or at the interface level, and the two forms behave differently. Configured globally it is a PortFast feature: it applies only to ports operating with PortFast, suppresses the BPDUs those ports would otherwise keep sending towards end hosts, and if a BPDU is ever received the port drops out of PortFast and BPDU filter and runs STP normally. Configured on an interface it is not tied to PortFast at all: it stops ALL BPDUs from being sent or processed on that port, which amounts to disabling STP there. That is useful where you are certain no Layer 2 device will ever be connected and you do not want to leak topology information to an untrusted host, but it also means a switch plugged into that port can create a loop that STP never sees. For access ports BPDU Guard is the safer default, and be aware that BPDU filter on an interface overrides BPDU Guard on the same interface, because filtered BPDUs are never seen by the guard.
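The configuration below is an added example and is not from the original post. It places the global (PortFast-only) form of BPDU filter beside the interface form so the difference is visible in the running configuration; the interface names are assumptions.

```cisco
! --- Added example (not from the original post); interface names are assumptions ---
! Global form: applies only to ports operating with PortFast. Such a port
! sends a few BPDUs at link-up and then goes quiet. If it ever RECEIVES a
! BPDU it loses PortFast and BPDU filter and behaves as a normal STP port,
! so this form is safe to combine with a global BPDU Guard.
spanning-tree portfast default
spanning-tree portfast bpdufilter default
spanning-tree portfast bpduguard default
!
! Interface form: not PortFast-specific. The port neither sends nor
! processes BPDUs, which is the same as switching STP off on that port.
! A switch plugged in here can form a loop that nothing detects, and any
! bpduguard configured on this port is ignored because the BPDUs never
! reach it. Use only where that risk has been accepted.
interface GigabitEthernet1/0/20
 description Isolated lab host - no Layer 2 device permitted
 switchport mode access
 spanning-tree bpdufilter enable
!
! Verify which form a port is running under:
!   show spanning-tree interface gi1/0/20 detail   -> "Bpdu filter is enabled"
!   show spanning-tree summary                     -> "PortFast BPDU Filter Default"
```

If you find `spanning-tree bpdufilter enable` on an interface that also carries `spanning-tree bpduguard enable`, the guard is doing nothing; remove the filter or accept that the port is unprotected.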

SuperTechman – Network Security – Best Practices
