HPE Community
Aruba & ProVision-based
1753604 Members
6311 Online
108797 Solutions
New Discussion юеВ

Re: enable spanning-tree without add bpdu protection

 
fredoxmm
Occasional Contributor

тАО02-09-2017 05:04 AM

тАО02-09-2017 05:04 AM

enable spanning-tree without add bpdu protection

Hi.

I've just enable spanning-tree on my switches, and add this parameter : bpdu-protection-timeout 60 & I enable RSTP version.

This is just what I did.

So if I'm not mistaken, automatically, the switch detect if it needs to enable edge or not to a port (If there is an switch connected to a port, the edge is not enable).

So my question is do I need to manually enable on each port "bpdu-protection" and "admin-edge-port" on those where I have computers connected..?

As I understand these 2 options is to secure at a better level the setup and alert the network admin if someone plug an swich (stp) on an edge port, right?

If I only enable Spanning-tree, does it prevent against loop ?

regards

0 Kudos
3 REPLIES 3
Vince-Whirlwind
Honored Contributor

тАО02-09-2017 03:33 PM

тАО02-09-2017 03:33 PM

Re: enable spanning-tree without add bpdu protection

Some people are content simply enabling STP.

admin-edge-port on your access ports is a good idea, the port will come up more quickly - not so important for PCs, but definitely a very good idea for IP phones.

BPDU protection is good on all access ports, or you could enable BPDU filtering instead

You should also configure loop-protect on all access ports, to guard against loops that are occurring outside your spanning-tree, eg somebody creates a loop on an unmanaged switch that they've connected to one of your access ports.

0 Kudos
fredoxmm
Occasional Contributor

тАО02-10-2017 12:33 AM

тАО02-10-2017 12:33 AM

Re: enable spanning-tree without add bpdu protection

Can you confirm please this :

By default If I only enable STP, the switch makes the ports automatically in Edge or not.
But, doest it protect my network against loop or not?

If Not, I will have to edit my ports & enable more options like bpdu etc..

0 Kudos
Vince-Whirlwind
Honored Contributor

тАО02-12-2017 04:51 PM

тАО02-12-2017 04:51 PM

Re: enable spanning-tree without add bpdu protection

Yes, turning on STP will protect you from any loops that occur locally on any of your switches.

Switchports that don't see any BPDUs for 3 seconds will put themselves in auto-edge mode.
You can manually set all your access switchports to admin-edge-port so they don't wait 3 seconds before coming up.

BPDU protection/filtering are useful to protect your STP topology from being changed by unauthorised devices.
Loop-protection is useful to protect your network from loops that are created on devices outside your STP topology.

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.