- STP (Spanning Tree Protocol)
- RSTP (Rapid Spanning Tree Protocol)
- MSTP (Multiple Spanning Tree Protocol)
- PVSTP+ (Per-VLAN Spanning Tree Plus)
I assume the reader is familiar with the various spanning tree protocols and the general difference between BPDU Guard and BPDU Filter. Here is just a quick recap of the relevant terminology:
- BPDU Guard and BPDU Filtering are Spanning Tree Protocol security mechanisms.
- BPDU Guard is typically configured on a particular switch edge port. It detects BPDU frames and, because BPDU frames are not expected on an edge port, it disables the port temporarily or permanently.
- BPDU Filter is also typically configured on a switch edge port and detects BPDU frames; however, it does not disable the switch port but instead filters these BPDU frames to mitigate their impact on the spanning tree protocol, because BPDU frames can initiate a topology change and the selection of the STP root.
Use Case 1/ Datacenter interconnect (aka DCI) where you are absolutely sure there cannot be a loop, you want to have two independent spanning tree regions, and you really want to filter BPDUs
- It is also Cisco's best practice, described in this white paper: http://www.cisco.com/c/en/us/products/collateral/data-center-virtualization/data-center-interconnect/white_paper_c11_493718.html
- A rogue VM can send BPDUs into the network, therefore some protection is needed, especially in non-trusted environments like IaaS cloud providers, so you have to choose between BPDU Guard and BPDU Filter + Broadcast Storm Control
- BPDU Guard can cause a DoS when you don't have control over the ESXi configuration. See http://blog.igics.com/2015/01/bpdu-filter-and-forged-transmit-on.html for further details
- BPDU Filter can help to mitigate topology changes when a rogue VM periodically tries to become and then stop being the STP root switch, initiating unwanted network topology changes
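As an added example (not from the original post), here is a small Python decoder for the frames that BPDU Guard and BPDU Filter act on: it parses an 802.1D configuration BPDU as the switch CPU would see it and checks whether the advertised root ID would win the root election against the current root, which is exactly why an unfiltered BPDU from a VM can force topology changes. The sample frame, its MAC addresses and the current root ID are constructed values.

```python
"""Decode an 802.1D configuration BPDU and check whether it would win the
STP root election. Example code, not from the original post."""
import struct

# Constructed sample: LLC header (DSAP/SSAP 0x42, UI control 0x03) followed by
# a 35-byte config BPDU whose root priority is 0, the lowest value possible.
ROGUE_BPDU = bytes.fromhex(
    "424203"                      # LLC: DSAP=0x42 SSAP=0x42 CTRL=0x03
    "0000" "00" "00"              # protocol id 0, version 0 (STP), type 0x00 (config)
    "01"                          # flags: Topology Change (TC) bit set
    "0000" "0a0b0c0d0e0f"         # root id: priority 0 + constructed MAC
    "00000000"                    # root path cost 0: sender claims to be the root
    "0000" "0a0b0c0d0e0f"         # bridge id (same as root id)
    "8001"                        # port id
    "0000" "1400" "0200" "0f00"   # msg age 0, max age 20 s, hello 2 s, fwd delay 15 s
)

# Assumed current root of the production tree: priority 4096 (0x1000) + constructed MAC.
CURRENT_ROOT_ID = bytes.fromhex("1000" "00112233445566")

CONFIG_BPDU = struct.Struct("!HBBB8sI8sHHHHH")  # 35 bytes following the LLC header


def parse_config_bpdu(frame: bytes) -> dict:
    """Parse LLC + 802.1D config BPDU into a dict. Timer fields are in 1/256 s units."""
    if frame[:3] != b"\x42\x42\x03":
        raise ValueError("not an STP LLC frame")
    (proto, version, bpdu_type, flags, root_id, path_cost, bridge_id,
     port_id, msg_age, max_age, hello, fwd_delay) = CONFIG_BPDU.unpack_from(frame, 3)
    if proto != 0 or bpdu_type != 0x00:
        raise ValueError(f"unsupported BPDU type 0x{bpdu_type:02x}")
    return {
        "version": version,
        "topology_change": bool(flags & 0x01),
        "root_priority": struct.unpack("!H", root_id[:2])[0],
        "root_mac": root_id[2:].hex(":"),
        "root_id": root_id,
        "path_cost": path_cost,
        "bridge_id": bridge_id,
        "port_id": port_id,
        "max_age_s": max_age / 256,
        "hello_s": hello / 256,
    }


def would_take_root(bpdu: dict, current_root_id: bytes) -> bool:
    """STP elects the numerically lowest bridge ID (priority first, then MAC),
    so a received root ID lower than the current one wins the election."""
    return int.from_bytes(bpdu["root_id"], "big") < int.from_bytes(current_root_id, "big")
```

Running `would_take_root(parse_config_bpdu(ROGUE_BPDU), CURRENT_ROOT_ID)` returns True: a priority-0 BPDU that reaches the CPU of a switch without BPDU Guard or BPDU Filter on the port displaces the existing root.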
Force10 BPDU Guard
- Software-based implementation - BPDUs are received on an interface and passed to the CPU for analysis/action (logs will reflect dropped BPDUs)
  - Occurs when interfaces are configured for portfast/edge-port with bpduguard and a BPDU is received
- Hardware-based implementation - BPDUs are dropped on ingress to the interface
  - CPU does not receive the BPDU, leaving CPU resources available for other tasks
  - Logs will not reflect dropped BPDUs because logging is possible only when BPDUs are sent to the CPU
  - Occurs when STP is disabled globally or per-interface
conf
interface gigabitethernet 0/1
spanning-tree rstp edge-port

conf
interface gigabitethernet 0/1
spanning-tree rstp edge-port bpduguard

conf
interface gigabitethernet 0/1
spanning-tree rstp edge-port bpduguard shutdown-on-violation
interface gigabitethernet 0/1