
CCIE Security V4 Technology Labs, Section 2: Threat Identification and Mitigation

Preventing STP Reconnaissance Attacks Using BPDU Filter
Last updated: May 3, 2013

Task
Configure SW1 so that if a traffic capture is performed on its ports connecting to R1 or R2, no STP
topology information will be exposed.
If a BPDU is received inbound on Fa0/1 or Fa0/2, only Fa0/2 should start negotiating the STP port
state.
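To make concrete what "STP topology information" a capture on an unfiltered port exposes, here is an added example (not part of the INE lab) that decodes an IEEE 802.1D Configuration BPDU the way a capture tool would. The frame is constructed with hypothetical bridge MAC addresses; the field layout is the standard 802.1D one, and the priority/VLAN split follows how IOS prints per-VLAN bridge IDs.

```python
"""Decode an IEEE 802.1D Configuration BPDU as seen in a packet capture.

Added example, not part of the INE lab: it shows what STP reconnaissance on an
unfiltered port actually yields. The frame below is constructed (hypothetical
bridge MACs); the field layout is the standard 802.1D one.
"""
import struct

# Constructed 802.1D Configuration BPDU as carried in an 802.3 frame,
# starting at the LLC header (the 14-byte MAC header is omitted).
SAMPLE_BPDU = bytes.fromhex(
    "424203"            # LLC: DSAP 0x42, SSAP 0x42, control 0x03 (UI)
    "0000"              # Protocol identifier 0 = Spanning Tree
    "00"                # Protocol version 0 = 802.1D
    "00"                # BPDU type 0x00 = Configuration
    "00"                # Flags (bit 0 TC, bit 7 TCA)
    "800d001122334455"  # Root ID: priority 0x800d = 32768 + VLAN 13, MAC 0011.2233.4455
    "00000013"          # Root path cost 19 (one 100 Mbit/s hop)
    "800daabbccddeeff"  # Sender bridge ID: priority 32781, MAC aabb.ccdd.eeff
    "8003"              # Port ID 128.3
    "0100"              # Message age 1 s   (timers are in 1/256 s units)
    "1400"              # Max age 20 s
    "0200"              # Hello time 2 s
    "0f00"              # Forward delay 15 s
)

_BPDU_FMT = "!HBBBQIQHHHHH"   # the 35 bytes that follow the LLC header
_BPDU_LEN = struct.calcsize(_BPDU_FMT)


def _bridge_id(raw):
    """Split a 64-bit bridge ID into priority, system-ID extension and MAC."""
    prio16 = raw >> 48
    mac = raw & 0xFFFFFFFFFFFF
    return {
        "priority": prio16,                 # as IOS prints it, e.g. 32781
        "base_priority": prio16 & 0xF000,   # configured priority, multiple of 4096
        "system_id_ext": prio16 & 0x0FFF,   # per-VLAN spanning tree: the VLAN number
        "mac": ":".join(f"{(mac >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6))),
    }


def decode_bpdu(frame):
    """Return the topology facts a Configuration BPDU discloses, or raise ValueError."""
    if frame[:3] != b"\x42\x42\x03":
        raise ValueError("not an STP LLC frame")
    body = frame[3:]
    if len(body) < _BPDU_LEN:
        raise ValueError("truncated BPDU")
    (proto, version, bpdu_type, flags, root_raw, root_cost, bridge_raw,
     port_raw, msg_age, max_age, hello, fwd_delay) = struct.unpack(_BPDU_FMT, body[:_BPDU_LEN])
    if proto != 0 or bpdu_type != 0x00:
        raise ValueError(f"unsupported protocol/type {proto}/{bpdu_type:#04x}")
    root, bridge = _bridge_id(root_raw), _bridge_id(bridge_raw)
    return {
        "version": version,
        "topology_change": bool(flags & 0x01),
        "root": root,
        "root_path_cost": root_cost,
        "bridge": bridge,
        "port_priority": (port_raw >> 12) << 4,   # IOS shows 802.1t port IDs as prio.number
        "port_number": port_raw & 0x0FFF,
        "is_root_bridge": root_raw == bridge_raw,
        "timers_s": {"message_age": msg_age / 256, "max_age": max_age / 256,
                     "hello": hello / 256, "forward_delay": fwd_delay / 256},
    }


def recon_summary(frame):
    """One-line description of what a capture on this port leaks."""
    d = decode_bpdu(frame)
    return (f"VLAN {d['root']['system_id_ext']}: root bridge {d['root']['mac']} "
            f"(priority {d['root']['base_priority']}), sender {d['bridge']['mac']} "
            f"port {d['port_priority']}.{d['port_number']} at cost {d['root_path_cost']}")


if __name__ == "__main__":
    print(recon_summary(SAMPLE_BPDU))
```

A single BPDU is enough to learn the VLAN, the root bridge's MAC and priority, the sending switch's MAC and port, and the STP timers in use; that is the information the task asks to keep off the R1 and R2 links.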

Overview
The BPDU Filter feature, like BPDU Guard, is used to terminate the STP domain at a port, and it too can be enabled at the interface level or globally. Its behavior depends on where it is enabled. Configured at the interface level, BPDU Filter unconditionally drops all inbound BPDUs and sends no BPDUs out the interface. Configured globally, it applies only to portfast-enabled interfaces: at link-up the switch sends out 11 BPDUs and, if none is received, stops sending them; but if a BPDU is received inbound, it is accepted, the port loses its portfast status and STP port state negotiation starts, so the filter no longer applies to that port. Unlike BPDU Guard, the interface is not placed in err-disabled state when a BPDU arrives. In either mode, other user traffic continues to be forwarded inbound and outbound.

Keep in mind that an interface-level filter also stops the switch from reacting to BPDUs, which removes STP loop detection on that link. Apply it only where the neighbor is known not to bridge frames back into the network.

BPDU Filter can be enabled at the port level using the command
spanning-tree bpdufilter enable; in this case it is applied unconditionally to the port. BPDU
Filter can be enabled globally using the command
spanning-tree portfast bpdufilter default; in this case it is applied only to portfast-enabled ports (portfast access or portfast trunk), also called edge ports. Note that a portfast port that receives a BPDU leaves the portfast state, so the global form of the feature is conditional.

BPDU Filter is typically used in ISP scenarios, in which the ISP and the customer share a Layer 2 connection but do not want a common STP domain; BPDU Filter is then applied at the port level on the boundary interface.

Based on the task requirements, we must enable BPDU Filter at the interface level on Fa0/1 and at the global level for Fa0/2. Note that portfast is already enabled on Fa0/2 in the initial configuration, which is what makes the global filter apply to it.

Remember that BPDU Filter behaves differently depending on how it was enabled, and this also decides how it interacts with BPDU Guard. If BPDU Guard and interface-level BPDU Filter are both enabled on the same interface, BPDU Filter takes precedence: the inbound BPDU is filtered before BPDU Guard can act on it, so the port never reaches the err-disabled state. With BPDU Filter enabled only globally, the first received BPDU takes the port out of portfast and the filter stops applying, so BPDU Guard then err-disables the port as usual.

Configuration
SW1:

interface FastEthernet0/1
spanning-tree bpdufilter enable
!
spanning-tree portfast bpdufilter default

Verification
Verify that BPDU Filter is enabled on both ports, and notice the difference in output: "enabled" indicates an interface-level configuration, while "enabled by default" indicates that the port inherits the global portfast default.

Rack1SW1#show spanning-tree vlan 13 interface fastEthernet 0/1 detail | i filter
Bpdu filter is enabled

Rack1SW1#show spanning-tree vlan 23 interface fastEthernet 0/2 detail | i filter
Bpdu filter is enabled by default

You can also verify whether the BPDU Filter is enabled at global level by using the following
command.

Rack1SW1#show spanning-tree summary | i Filter
Portfast BPDU Filter Default is enabled
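On a larger switch you would not check these strings port by port. The following added example (not part of the INE lab) audits the full-detail output of the verification command for every port and classifies each one by how BPDU Filter was applied, distinguishing the two strings above. The show output is constructed (hypothetical ports, MACs and counters) but follows the IOS line formats; it goes beyond the lab by adding a third, unfiltered port so the audit also reports where a capture would still see BPDUs.

```python
"""Audit BPDU Filter / BPDU Guard state from 'show spanning-tree ... interface ... detail'.

Added example, not part of the INE lab. The show output below is constructed
(hypothetical ports, MACs and counters) but follows the IOS line formats,
including the two strings the verification step relies on:
'Bpdu filter is enabled' (interface level) versus
'Bpdu filter is enabled by default' (inherited from the global portfast default).
"""
import re

SHOW_OUTPUT = """\
 Port 3 (FastEthernet0/1) of VLAN0013 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.3.
   Designated root has priority 32781, address 0011.2233.4455
   Designated bridge has priority 32781, address 0011.2233.4455
   Link type is point-to-point by default
   Bpdu filter is enabled
   BPDU: sent 0, received 0

 Port 4 (FastEthernet0/2) of VLAN0023 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.4.
   Designated root has priority 32791, address 0011.2233.4455
   Designated bridge has priority 32791, address 0011.2233.4455
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled
   Bpdu filter is enabled by default
   BPDU: sent 11, received 0

 Port 5 (FastEthernet0/3) of VLAN0001 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.5.
   Designated root has priority 32769, address 0011.2233.4455
   Designated bridge has priority 32769, address 0011.2233.4455
   Link type is point-to-point by default
   BPDU: sent 842, received 0
"""

_PORT_HDR = re.compile(r"^\s*Port \d+ \((\S+)\) of (VLAN\d+) is (\w+)", re.M)
_COUNTERS = re.compile(r"BPDU: sent (\d+), received (\d+)")


def parse_ports(text):
    """Split the show output into one record per port, classifying the filter mode."""
    ports = {}
    heads = list(_PORT_HDR.finditer(text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        block = text[m.end():end]
        # Test the longer string first: "enabled by default" contains "enabled".
        if "Bpdu filter is enabled by default" in block:
            mode = "global"
        elif "Bpdu filter is enabled" in block:
            mode = "interface"
        else:
            mode = None
        sent, recv = (int(x) for x in _COUNTERS.search(block).groups())
        ports[m.group(1)] = {
            "vlan": int(m.group(2)[4:]),
            "state": m.group(3),
            "filter": mode,
            "guard": "Bpdu guard is enabled" in block,
            "portfast": "The port is in the portfast mode" in block,
            "bpdu_sent": sent,
            "bpdu_received": recv,
        }
    return ports


def finding(port):
    """Operational meaning of each combination, as described in the lab text."""
    if port["filter"] == "interface":
        note = "unconditional filter: no BPDUs in or out, loop detection off on this link"
        if port["guard"]:
            note += "; BPDU Guard here can never trigger (filter drops the BPDU first)"
        return note
    if port["filter"] == "global":
        tail = "; BPDU Guard would then err-disable it" if port["guard"] else ""
        return "conditional filter: a received BPDU restores normal STP negotiation" + tail
    return "no filter: BPDUs are transmitted, STP topology visible to a capture"


def exposed_ports(text):
    """Ports on which a capture would still see the switch's own BPDUs."""
    return sorted(name for name, p in parse_ports(text).items() if p["filter"] is None)


if __name__ == "__main__":
    for name, p in parse_ports(SHOW_OUTPUT).items():
        print(f"{name:16} VLAN {p['vlan']:<4} filter={str(p['filter']):9} "
              f"guard={str(p['guard']):5} -> {finding(p)}")
```

Run against real output captured with "show spanning-tree interface <port> detail" for each port, or the per-VLAN form used in the lab; the same port appears once per VLAN under PVST, so key the results by port and VLAN if you extend this to a whole switch.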
