This document discusses mechanisms for minimizing service loss and data theft in a campus network, specifically the STP protection features BPDU guard, BPDU filtering, and root guard. BPDU guard and BPDU filtering protect ports configured for rapid transitioning (PortFast) and help prevent switches from being added on those ports. Root guard prevents a port from becoming a root port, blocking the port instead. The document provides the configuration commands and the commands used to verify these security mechanisms.
Minimizing Service Loss and Data Theft in a Campus Network
Describing STP Security Mechanisms
Protecting the Operation of STP
Protection against switches being added on PortFast ports:
• BPDU guard shuts a port down when a BPDU arrives on it.
• BPDU filter specifies the action to be taken when BPDUs are received.

Enabling and Verifying BPDU Guard
Switch(config)#spanning-tree portfast bpduguard
• Enables BPDU guard
Switch#show spanning-tree summary totals
• Displays BPDU guard configuration information

Switch#show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
Etherchannel misconfiguration guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Default pathcost method used is short

Name                 Blocking Listening Learning Forwarding STP Active
Verifying BPDU Filtering

Switch#show spanning-tree summary totals
• Displays BPDU filtering configuration information

Switch#show spanning-tree summary totals
Root bridge for: VLAN0010
EtherChannel misconfiguration guard is enabled
Extended system ID is disabled
Portfast is enabled by default
PortFast BPDU Guard is disabled by default
Portfast BPDU Filter is enabled by default
Loopguard is disabled by default
UplinkFast is disabled
BackboneFast is disabled
Pathcost method used is long

Name                 Blocking Listening Learning Forwarding STP Active
Verifying Root Guard

Switch#show running-config interface fastethernet 5/8
Building configuration...
Current configuration: 67 bytes
!
interface FastEthernet5/8
 switchport mode access
 spanning-tree guard root

Switch#show spanning-tree inconsistentports
• Displays information about ports in inconsistent states

Name                 Interface              Inconsistency
-------------------- ---------------------- ------------------
VLAN0001             FastEthernet3/1        Port Type Inconsistent
VLAN0001             FastEthernet3/2        Port Type Inconsistent
VLAN1002             FastEthernet3/1        Port Type Inconsistent

Number of inconsistent ports (segments) in the system :3
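As an added example (not part of the original slides), a small Python audit that parses the two verification outputs shown above: it checks that PortFast BPDU guard is reported as enabled in "show spanning-tree summary totals" and lists every port that "show spanning-tree inconsistentports" reports as quarantined, cross-checking the trailer count so a truncated capture is noticed. The sample outputs are constructed, modelled on the listings above.

```python
import re

# Constructed sample output modelled on the listings above, not captured from a real switch.
SUMMARY_TOTALS = """\
Root bridge for: none.
PortFast BPDU Guard is enabled
Etherchannel misconfiguration guard is enabled
Default pathcost method used is short
"""
INCONSISTENT_PORTS = """\
Name                 Interface              Inconsistency
-------------------- ---------------------- ------------------
VLAN0001             FastEthernet3/1        Port Type Inconsistent
VLAN0001             FastEthernet3/2        Port Type Inconsistent
VLAN1002             FastEthernet3/1        Port Type Inconsistent

Number of inconsistent ports (segments) in the system :3
"""

def feature_state(summary, feature):
    """'enabled' / 'disabled' / None for a line like 'PortFast BPDU Guard is enabled',
    tolerating a trailing 'by default' and the Portfast/PortFast capitalisation."""
    m = re.search(rf"{re.escape(feature)} is (enabled|disabled)", summary, re.IGNORECASE)
    return m.group(1).lower() if m else None

def parse_inconsistent_ports(output):
    """Table body rows as (vlan, interface, inconsistency); header and ruler are skipped."""
    pat = re.compile(r"^(VLAN\d+)\s+(\S+)\s+(.+?)\s*$")
    return [m.groups() for m in map(pat.match, output.splitlines()) if m]

def reported_count(output):
    """The switch's own trailer count, used to detect a truncated capture."""
    m = re.search(r"Number of inconsistent ports.*?:\s*(\d+)", output)
    return int(m.group(1)) if m else None

def audit(summary, inconsistent):
    """Findings: global BPDU guard not enabled, row/count mismatch, and each quarantined port."""
    findings = []
    if feature_state(summary, "PortFast BPDU Guard") != "enabled":
        findings.append("BPDU guard is not enabled globally on PortFast ports")
    rows = parse_inconsistent_ports(inconsistent)
    count = reported_count(inconsistent)
    if count is not None and count != len(rows):
        findings.append(f"parsed {len(rows)} inconsistent ports, switch reports {count}")
    findings += [f"{intf} in {vlan}: {why}" for vlan, intf, why in rows]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SUMMARY_TOTALS, INCONSISTENT_PORTS)))
```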
Summary
• BPDU guard and BPDU filtering protect the operation of STP on PortFast-configured ports.
• When BPDU guard is configured globally, it affects all PortFast-configured ports.
• BPDU guard can be configured per port, even on those ports not configured with PortFast.
• BPDU filtering can be configured globally or per port.
• The root switch cannot be elected via BPDUs received on a root-guard-configured port.
• Root guard can be configured and verified using various commands.