Minimizing Service Loss and Data Theft in a Campus Network Describing STP Security Mechanisms

Upload: rosalind-lawrence

Posted on 18-Jan-2016

Page 1: Minimizing Service Loss and Data Theft in a Campus Network Describing STP Security Mechanisms

Minimizing Service Loss and Data Theft in a Campus Network

Describing STP Security Mechanisms

Page 2

Protecting the Operation of STP

Protection against switches being added on PortFast ports.

• BPDU guard shuts ports down.

• BPDU filter specifies action to be taken when BPDUs are received.

Page 3

Protecting the Operation of STP

The function of BPDU Guard is to put a port into the Error-Disabled state as soon as it receives any BPDU. This further protects PortFast ports and so prevents bridging loops. Note: once BPDU Guard is configured, the port only sends BPDUs and does not accept them; the moment a BPDU is received, the port is placed in the err-disable state!

The BPDU Filtering feature is similar to BPDU Guard. With BPDU Filtering, the switch can be prevented from sending BPDUs to hosts on ports that have the PortFast feature enabled. There is no need to configure both; one of the two is enough.

Page 4

Enabling and Verifying BPDU Guard

Switch#show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
Etherchannel misconfiguration guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Default pathcost method used is short

Name                 Blocking Listening Learning Forwarding STP Active
-------------------- -------- --------- -------- ---------- ----------
34 VLANs             0        0         0        36         36

Switch(config)#spanning-tree portfast bpduguard default

• Enables BPDU guard

Switch(config-if)# no xxxx enable

Switch#show spanning-tree summary totals

• Displays BPDU guard configuration information

Page 5

Describing BPDU Filtering

Switch#show spanning-tree summary totals
Root bridge for: VLAN0010
EtherChannel misconfiguration guard is enabled
Extended system ID is disabled
Portfast is enabled by default
PortFast BPDU Guard is disabled by default
Portfast BPDU Filter is enabled by default
Loopguard is disabled by default
UplinkFast is disabled
BackboneFast is disabled
Pathcost method used is long

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
2 vlans                0        0         0        3          3

Switch(config)#spanning-tree portfast bpdufilter default

• Enables BPDU filtering

Switch#show spanning-tree summary totals

• Displays BPDU filtering configuration information

Page 6

Describing Root Guard

Page 7

Describing Root Guard Configuration Commands

Switch(config-if)#spanning-tree guard root

• Configures root guard

Switch#show running-config interface fa 0/1
Switch#show spanning-tree inconsistentports

• Verifies root guard

• Configure root guard on the ports that should never lead toward the root bridge. The port only sends BPDUs and does not accept them, so it can never become a root port!

Page 8

Verifying Root Guard

Switch#show running-config interface fastethernet 5/8
Building configuration...
Current configuration: 67 bytes
!
interface FastEthernet5/8
 switchport mode access
 spanning-tree guard root

Switch#show spanning-tree inconsistentports
Name                 Interface              Inconsistency
-------------------- ---------------------- ------------------
VLAN0001             FastEthernet3/1        Port Type Inconsistent
VLAN0001             FastEthernet3/2        Port Type Inconsistent
VLAN1002             FastEthernet3/1        Port Type Inconsistent

Number of inconsistent ports (segments) in the system :3

Switch#show running-config interface interface mod/port

• Displays interface configuration information

Switch#show spanning-tree inconsistentports

• Displays information about ports in inconsistent states
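The verification commands on pages 4, 5 and 8 are only useful if someone reads their output, and on a large campus that means a script. The following Python audit helper is an added example and is not part of the slides: it parses the body of "show spanning-tree summary totals" and "show spanning-tree inconsistentports" as the slides show them, flags a switch whose PortFast ports do not have BPDU guard enabled by default, notes when both BPDU guard and BPDU filter are enabled (the slides point out that one of the two is sufficient), lists every port the switch is holding in an inconsistent state, and cross-checks the parsed rows against the count the switch prints. The sample output embedded in the block is constructed for the example, modelled on the slide screenshots; the function names and regular expressions are the example's own.

```python
"""Added example (not from the slides): audit the STP hardening state a Cisco
switch reports, from the text of the two verification commands the slides use.
Sample output below is constructed for this example.
"""
import re

# Constructed sample output (body of "show spanning-tree summary totals").
SUMMARY_OUTPUT = """\
Root bridge for: none.
PortFast BPDU Guard is enabled
Etherchannel misconfiguration guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Default pathcost method used is short
"""

# Constructed sample output (body of "show spanning-tree inconsistentports").
INCONSISTENT_OUTPUT = """\
Name                 Interface              Inconsistency
-------------------- ---------------------- ------------------
VLAN0001             FastEthernet3/1        Port Type Inconsistent
VLAN0001             FastEthernet3/2        Port Type Inconsistent
VLAN1002             FastEthernet3/1        Port Type Inconsistent

Number of inconsistent ports (segments) in the system :3
"""

# "<feature> is enabled|disabled[ by default]" lines of the summary.
FEATURE_RE = re.compile(
    r"^(?P<feature>.+?) is (?P<state>enabled|disabled)(?: by default)?$", re.I)
# One table row of the inconsistent-ports report.
PORT_RE = re.compile(r"^(?P<vlan>VLAN\d+)\s+(?P<iface>\S+)\s+(?P<reason>.+?)$")
# Trailer line carrying the switch's own count.
COUNT_RE = re.compile(r"Number of inconsistent ports.*?:\s*(\d+)")


def parse_summary(text):
    """Map lower-cased feature names to True (enabled) / False (disabled)."""
    features = {}
    for line in text.splitlines():
        m = FEATURE_RE.match(line.strip())
        if m:
            features[m.group("feature").strip().lower()] = (
                m.group("state").lower() == "enabled")
    return features


def parse_inconsistent_ports(text):
    """Return (vlan, interface, inconsistency) for each table row."""
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            rows.append((m.group("vlan"), m.group("iface"), m.group("reason")))
    return rows


def reported_inconsistent_count(text):
    """The count the switch prints in the trailer, or None if it is absent."""
    m = COUNT_RE.search(text)
    return int(m.group(1)) if m else None


def audit(summary_text, inconsistent_text):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    features = parse_summary(summary_text)
    guard = features.get("portfast bpdu guard")
    bpdu_filter = features.get("portfast bpdu filter")
    if guard is None:
        findings.append("summary does not report the PortFast BPDU Guard state")
    elif not guard:
        findings.append("PortFast BPDU Guard is disabled by default: a switch "
                        "plugged into a PortFast port can take part in STP")
    if guard and bpdu_filter:
        findings.append("PortFast BPDU Guard and BPDU Filter are both enabled; "
                        "one of the two is sufficient on PortFast ports")
    rows = parse_inconsistent_ports(inconsistent_text)
    for vlan, iface, reason in rows:
        findings.append(f"{iface} in {vlan} is held in state '{reason}': "
                        f"check what is attached to that port")
    count = reported_inconsistent_count(inconsistent_text)
    if count is not None and count != len(rows):
        findings.append(f"parsed {len(rows)} inconsistent ports but the switch "
                        f"reports {count}; output may be truncated")
    return findings


if __name__ == "__main__":
    for finding in audit(SUMMARY_OUTPUT, INCONSISTENT_OUTPUT):
        print("-", finding)
```

Feed it the captured output of the two show commands from each access switch; a switch that produces no findings has BPDU guard on by default and no port currently held inconsistent, which is the end state pages 4 and 8 are verifying.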

Page 9

Summary

• BPDU guard and BPDU filtering protect the operation of STP on PortFast-configured ports.

• When BPDU guard is configured globally, it affects all PortFast configured ports.

• BPDU guard can be configured per port, even on those ports not configured with PortFast.

• BPDU filtering can be configured globally or per port.

• The root switch cannot be elected via BPDUs received on a root-guard-configured port.

• Root guard can be configured and verified using various commands.

Page 10