0:00:13
Next we have the BPDU guard feature, which is similar to the BPDU filter

0:00:20
in which case we're trying to perform some sort of action once BPDUs come in.

0:00:25
The difference is that instead of reverting ourselves out of the PortFast state, or instead of stopping filtering BPDUs out,

0:00:34
we're essentially just going to shut the port down. We're going to send it into the error disabled state.

0:00:39
This would be the more secure implementation of filtering with spanning tree,

0:00:45
where we have a security policy implemented that says at the access layer

0:00:49
there should be no reason whatsoever that any access port is sending spanning tree packets into us.

0:00:56
Because we know that our phones, our printers, our end hosts: that stuff is not supposed to be running spanning tree.

0:01:02
If the links do start to run spanning tree, it means one of two things.

0:01:08
Either someone plugged the cables in wrong or they're purposely trying to do some sort of malicious attack.

0:01:15
But BPDU guard would protect against either of these cases: some sort of Layer 1 misconfiguration of the cabling,

0:01:21
or someone trying to do a Layer 2 man-in-the-middle attack.

0:01:28
Just like the BPDU filter feature, we could do this at the interface level and in global config.

0:01:34
In global config it would be in conjunction with PortFast; at the interface level it's going to be on its own.

0:01:40
In either case, just like BPDU filter, the interface level is going to override the global config.

0:01:47
So at the interface level we could say no spanning tree BPDU filter or no spanning tree BPDU guard,

0:01:54
and that would override the global configuration that we have with PortFast.

0:02:01
So let's look at this now on

0:02:06
one of the other switches. Let's say on switch four. So switch four has two different links.

0:02:13
One of them is going to router four; one of them is going to router six.

0:02:26
On the link to router four, this is an access port that is in VLAN 20.

0:02:32
The link type is dynamic desirable, which means we are running DTP,

0:02:37
but since the router's not running DTP we should see it automatically

0:02:41
fall back to access mode. So if we do show interface FastEthernet four switchport,

0:02:48
we can see that the operational mode is access. It's not a trunk port.

0:02:54
Now at the link level here, on the port to router four, we'll configure spanning tree

0:03:02
BPDU guard as opposed to BPDU filter: BPDU guard enable.

0:03:12
Now the switch is going to be looking for any spanning tree packets to come in.

0:03:16
If we look at show spanning tree interface FastEthernet four detail and look just for the BPDUs,

0:03:26
we would see that we are sending them outbound but we have not received anything inbound.

0:03:35
If router four starts the spanning tree process,

0:03:43
we should see that once the switch receives the BPDUs, it says: BPDU guard is on, I received a BPDU, that means I have to disable the port.

0:03:54
So now the link is going to go into the error disabled state, either until we shut the link down and bring it back up

0:04:02
or the error disable recovery timer expires.

0:04:09
So on switch four now, when we look at the spanning tree detail, it's not going to show us anything because the link is disabled.

0:04:17
If we do show interface status,

0:04:22
we see FastEthernet four is in the error disabled state,

0:04:26
which means that we cannot send traffic out the link and we cannot receive traffic in.

0:04:31
So it's essentially the equivalent of just shutting the port down.

0:04:37
Now, depending on the individual platform and version you're working with,

0:04:41
some versions have the recovery timer on by default, but not all of them.

0:04:47
If we look at switch four and say show error disable recovery... just show error disable recovery,

0:04:58
in this case, for BPDU guard, the timer is disabled.

0:05:06
What this means is that some administrator would then have to log in to the switch, shut the port down manually,

0:05:14
and say no shutdown in order to get it out of the error disabled state.

0:05:21
The key point about this is that if the error disabled state was just temporary because of some sort of misconfiguration,

0:05:28
then you'd still have to log in to the switch, shut the port down, and bring it back up.

0:05:33
So potentially someone could do some sort of Layer 1 denial of service attack

0:05:37
by plugging their host into every single port,

0:05:42
sending BPDUs, and then all the ports would be disabled, so anyone else who comes onto the link later is not going to be able to use it.

0:05:49
Okay, normally what you would want to do, well, it really depends on the security policy, but what you can do at least

0:05:56
is turn this recovery timer on. We could say that the error disable recovery timer,

0:06:04
or the recovery interval as it's called, let's say it's 30 seconds, and if we do show error disable...

0:06:19
What was it? Recovery...

0:06:24
Okay, the timer, we configured it, but that particular method is still disabled.

0:06:31
So what we would need to say is not only what the interval is but what the cause is that you would try to recover from.

0:06:42
So in this particular case, the cause is BPDU guard.

0:06:49
So we'll see other cases later when we get to 802.1X authentication, port security,

0:06:57
the MAC address limit feature; this type of stuff can also be controlled by the error disable recovery timer.

0:07:07
But unless we actually turn it on and set the timer, the link is never going to be used.

0:07:15
So we should see at this point, 30 seconds after I enabled the feature, we try to take the interface out of error disabled mode. So now it comes up,

0:07:25
but we see we're still receiving spanning tree packets, so we're going to shut it down again.

0:07:30
Only once router four stops running bridging

0:07:37
will the switch say that this is a valid port to be used. So the next time we come out of the error disabled state, the link should stay in the up state.

0:08:01
So now we can see the link is up and we should be able to use this for forwarding, so on router four we should now be able to ping router three, which is in the same VLAN.

0:08:16
But of course now, since the port changed its status to up, this sent a topology change notification,

0:08:26
so now we have to wait for spanning tree to reconverge. So router four is actually not going to have reachability for at least 30 seconds, which we can see now it does.

0:08:38
Now the other case I mentioned to run this would be to do it globally in conjunction with PortFast. So if we say spanning tree portfast default

0:08:48
and spanning tree BPDU guard default, this now again means that PortFast is on every interface that is not a trunk.

0:08:59
We are listening for BPDUs to come in, but in this case,

0:09:04
instead of reverting the interface out of the PortFast state, if the link starts to run bridging,

0:09:17
then we're going to send it into error disable.

0:09:21
So this would be the more secure implementation of automating PortFast, where you're saying for every link,

0:09:29
I'm going to assume it's an edge port if it is not a trunk. So if I say show spanning tree VLAN 10, VLAN 20, and VLAN 30,

0:09:45
we can see one of the edge ports in VLAN 30, which is the link that connects to router six,

0:09:54
that was automatically configured with PortFast. If router four stops bridging, so if the bridge group is disabled,

0:10:05
once the 30-second timer expires, then we should be able to see, if we look at the show...

0:10:13
show spanning tree interface FastEthernet four portfast,

0:10:26
we see now that PortFast is enabled.

0:10:33
So it's similar functionality between these two, BPDU filter and BPDU guard. The difference is the action that you take.

0:10:40
With BPDU filter, you stop filtering the updates when you learn that someone is running spanning tree. With BPDU guard, you just shut the port down.

0:10:52
So in both cases you're essentially disabling spanning tree, but the second one, using BPDU guard, is more secure.