
STP Filters (BPDUfilter+BPDUguard+rootguard)

STP Convergence Optimization:

- Portfast
- Uplinkfast
- Backbonefast

STP Filters:

- BPDU Filter
- BPDU Guard
- Root Guard

STP Loop Prevention:

- Loop Guard
- UDLD

[Figure: router R (F0/0) connected to switch SW1 (E0/0)]

STP filters deal with the case where a switch unexpectedly receives BPDU messages.

The following scenario simulates this situation. Here is the explanation.

The switch has received a BPDU message, and it is assumed that it is not allowed to receive that message. So what is the solution?

In the drawing above, assume that the router connected to the switch is an end device.

Assume that in this scenario the router works as an end device (this is only an assumption and not real) and that a BPDU message was sent to switch 1. What is expected to happen?

Hint

An end device is the last device at the access layer. A router is used here to keep the explanation clear, and because we will convert the router into a switch in the following steps.

Fares Mostafa
First

Let us ask ourselves whether port E0/0 receives BPDU messages or not.

The answer: no, because it is connected to an end device.

But we will assume that it received a BPDU message in.

1- BPDU Filter

2- BPDU Guard

BPDU Filter

[Figure: the two ways BPDU Filter can be applied, per interface and globally]

Explanation of the two modes and their effect:

- Per interface: doesn't send BPDU and doesn't process BPDU

- Globally: doesn't send BPDU and processes BPDU

Effect when it is enabled per interface

The result is as if you had disabled the Spanning Tree Protocol.

Down

In this case there is no problem. The problem arises when the device connected to the switch is not an end device.

The question is when the problem mentioned earlier arises: when the connection is between two switches, or between a router and a switch.

In this case, the first switch will send a BPDU message, especially if the connection is built with redundancy.

Conclusion

Switch 1 sends a BPDU message to switch 2, and switch 2 drops the message.

Why is the message dropped?

Because I activated BPDU Filter at the per-interface level.

Here two BPDU messages will be sent and a loop will occur.

It is highly recommended not to activate it at the interface level.

But if you need to implement BPDU Filter, it is recommended to activate it at the global level.

BPDU Guard: when applied to the switch, both cases have the same effect (error disable).

To solve an error-disable problem, shut down the port and then bring it back up with no shutdown.
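
The recommendations above can be checked against a switch configuration. The following Python script is an added example, not part of the original document: it scans IOS-style configuration text and flags ports with per-interface BPDU Filter and PortFast ports that have no BPDU Guard. The sample configuration is constructed, and the Cisco IOS command strings it matches are assumptions, since the original shows its commands only in pictures.

```python
import re

# Constructed sample config (not from the original document). The command
# strings are standard Cisco IOS syntax, assumed here; the page shows none.
SAMPLE_CONFIG = """\
spanning-tree portfast bpdufilter default
!
interface Ethernet0/0
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface Ethernet0/1
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface Ethernet0/2
 spanning-tree portfast
!
"""

PORTFAST = {"spanning-tree portfast", "spanning-tree portfast edge"}

def audit_stp(config):
    """Return (global_settings, findings) for IOS-style configuration text."""
    glob = {"bpdufilter": False, "bpduguard": False}
    ports, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:                                   # start of an interface block
            current = ports.setdefault(m.group(1), set())
        elif line.startswith(" ") and current is not None:
            current.add(line.strip())           # command inside the block
        else:                                   # global line ends the block
            current = None
            g = re.match(r"spanning-tree portfast (?:edge )?"
                         r"(bpdufilter|bpduguard) default", line)
            if g:
                glob[g.group(1)] = True
    findings = []
    for name, cmds in ports.items():
        if "spanning-tree bpdufilter enable" in cmds:
            # The mode the text warns about: BPDUs neither sent nor processed.
            findings.append((name, "per-interface BPDU Filter"))
        elif cmds & PORTFAST and not (
                glob["bpduguard"] or "spanning-tree bpduguard enable" in cmds):
            findings.append((name, "PortFast without BPDU Guard"))
    return glob, findings

if __name__ == "__main__":
    print(audit_stp(SAMPLE_CONFIG))
```
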

Practical application in GNS3

In the previous lab, BPDU messages are sent, but none is received by the switch; it ignores them, as shown in the pictures.

We will activate the Spanning Tree Protocol on the router and observe the changes.

Hint

The router here will play the root role because its priority value = 0.

Per interface: doesn't send BPDU and doesn't process BPDU

Globally: doesn't send BPDU and processes BPDU

Back to the default of 300 seconds

When the default value has been changed

Hint

It is recommended to change the interval value before the cause, so that the old default time is not used.

Hint

What are the types of error disable?

It is mandatory to enable (BPDUfilter+BPDUguard) on access layer switches only

Root Guard

[Figure: hierarchical topology with Core, Distribution and Access layers. Labels: ROOT, Superior BPDU, Inconsistent port, Man in the middle attack]

Practical application

[Screenshots of the router and the switches]
