BPDU Guard and BPDU Filter

If you work in networking, you place the highest importance on protecting your network from risks such as switching loops, or any other problem in your switching architecture, and on ensuring that spanning tree keeps running without interruption. Within Spanning Tree Protocol the most important cog in the mechanism is the root bridge. The slightest change in the position of the root bridge causes service disruption on the network, with data and voice sessions timing out, and the only thing that can cause this disruption is the injection of a superior BPDU.

Network attackers can launch different types of attacks on Spanning Tree Protocol (STP). One type of STP attack is to inject superior BPDUs into the Layer 2 network. A superior BPDU is a BPDU that carries a lower Bridge ID than the current root bridge. In a normal network, superior BPDUs are generated only by the root bridge. If any other switch generates a superior BPDU, an STP recalculation takes place and the switch that generated the superior BPDU becomes the new root bridge.

When STP is active on a network, the listening and monitoring for BPDUs on a port can result in a long convergence time (nearly 50 seconds). That is very high in networking terms and in most cases a critical issue, especially for important network services such as VoIP and servers. If you know with confidence that only a PC or a server will ever be plugged into a particular port, you can activate PortFast. PortFast is the solution to this delay when client computers connect to switches: with PortFast enabled on a port, you effectively tell spanning tree not to run STP on that port and not to listen for BPDUs, since the attached device is not a Layer 2 device.

BPDU Guard

BPDU Guard is designed to protect your switching network. A port configured with PortFast is meant to connect to a device from which BPDUs are not expected. BPDU Guard is a PortFast configuration and only affects ports configured with PortFast; the reason is that the purpose of BPDU Guard is to put a port into err-disable (down) if ANY type of BPDU is received on it. The expected device could be an end-user workstation, a server or an access point. When an unexpected BPDU is detected (an end user plugs a switch in at his cubicle, say), the port shuts down and enters the err-disable state.

Enabled globally, this is a fantastic way to protect PortFast ports on access switches where you don't expect a switch to be plugged in.

BPDU Filter

BPDU Filter is a feature that filters the sending or receiving of BPDUs on a switchport. It is also a PortFast-only command, configurable at the interface level or globally, and its purpose is to stop ALL BPDUs from being sent or received on PortFast-enabled interfaces. It is extremely useful on ports configured as PortFast ports, since there is no need to send or receive any BPDU messages on them.
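The following Cisco IOS configuration is an added example, not part of the original post, putting the BPDU Guard and BPDU Filter sections above into commands: a PortFast port with no protection, the same port hardened with BPDU Guard and automatic err-disable recovery, and the global versus interface forms of BPDU Filter. Interface names and the recovery interval are assumptions.

```cisco
! Added example (not from the original post). Interface names are assumed.

! --- Weak: PortFast alone on an access port ---
! A switch plugged in here can send a superior BPDU (lower Bridge ID)
! and take over as root bridge; nothing on the port stops it.
interface GigabitEthernet1/0/10
 switchport mode access
 spanning-tree portfast

! --- Hardened: BPDU Guard on every PortFast port, with auto-recovery ---
! PortFast on all non-trunking ports, and err-disable any PortFast port
! that receives ANY BPDU.
spanning-tree portfast default
spanning-tree portfast bpduguard default
! Without recovery the port stays down until an admin shut/no shut.
! Assumed 300 s interval (the IOS default).
errdisable recovery cause bpduguard
errdisable recovery interval 300

! Per-interface form for a port not covered by the global default.
interface GigabitEthernet1/0/11
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable

! --- BPDU Filter: global and interface forms behave differently ---
! Global: PortFast ports stop sending BPDUs; if a BPDU arrives, the port
! loses PortFast and the filter and returns to normal STP operation.
spanning-tree portfast bpdufilter default
! Interface: the port neither sends nor receives BPDUs at all, so STP
! cannot detect a loop through it. Use only where a loop is impossible.
interface GigabitEthernet1/0/12
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable

! --- Verification ---
show spanning-tree summary
show interfaces status err-disabled
show errdisable recovery
```

`show spanning-tree summary` confirms whether PortFast, BPDU Guard and BPDU Filter are enabled globally, and `show interfaces status err-disabled` lists any port that BPDU Guard has shut down.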
