Switches, Hubs, and Modems
Re: STP recommendations to configure end-user ports

Andrew95
Occasional Contributor

STP recommendations to configure end-user ports

Hello,

I'm configuring LAN for a big office with 2510-24 switches at access level.
What is your opinion regarding STP configuration for end-user ports ?

Is the admin-edge-port parameter enough? Or is root-guard or even bpdu-protection necessary?
6 REPLIES
Mohammed Faiz
Honored Contributor

Re: STP recommendations to configure end-user ports

Hi,

I've never had an issue with just the admin-edge-port value set, although that's mostly on 2610/2650/2810 switches (I haven't used a 2510 series yet).
I've only used BPDU filter on ports to other switches that I *definitely* don't want spanning tree running on.
Andrew95
Occasional Contributor

Re: STP recommendations to configure end-user ports

I'm thinking about a malicious user who brings some STP-capable device or software and does something bad to my network.

I'm also worried about unicast floods (packets to unknown MAC addresses) which can be generated by a user.
Mohammed Faiz
Honored Contributor

Re: STP recommendations to configure end-user ports

> I'm thinking about a malicious user who brings some STP-capable device or software and does something bad to my network.

Hmm, well the possibilities I see are:

- A user adds a device that drops/ignores BPDU packets to an edge port and creates a loop on that device.

There, you want to enable to loop-protect feature.

- A user adds a device that sends BPDU packets out, interfering with your MSTP config.

I'm not sure how much an issue this can be if you're using MSTP as the other device would have to match the config-name and config-revision parameters but I might be missing something.
Michael_Breuer
Esteemed Contributor

Re: STP recommendations to configure end-user ports

Hello Andrew,

my recommendation to tune/secure edge ports:

1) STP Admin Edge port: will save you ~3 seconds when bringing a port online, but will not protect your port.
2) BPDU Protection: will protect against a rogue switch being connected.
3) Loop Protection: will cover some loop scenarios which cannot be covered by STP.


Cheers,

Michael
Ingentive Networks GmbH

Re: STP recommendations to configure end-user ports

With bpdu protection remember to set a timeout, else the port will just stay down until it's administratively disabled or the switch is rebooted.

Issuing the command:

spanning-tree bpdu-protection-timeout 60

Will mean the switch re-enables the port after 60 seconds.

Re: STP recommendations to configure end-user ports

* administratively enabled
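Putting the replies together, here is an added example of what the recommended edge-port settings look like as ProCurve CLI configuration. This is not configuration posted by anyone in the thread; the port range 1-20, the 60-second timers and the `;` annotation lines (the format ProCurve uses in saved configs) are assumptions, and you should confirm that your 2510 firmware offers loop-protect before relying on it.

```text
; Added example, not from the thread. Hardening end-user ports 1-20
; (port range and timer values are assumptions).

; Enable spanning tree globally (MSTP on ProCurve switches).
spanning-tree

; 1) Admin edge port: skips listening/learning, fast link-up for end stations.
;    Gives no protection on its own.
spanning-tree 1-20 admin-edge-port

; 2) BPDU protection: a BPDU received on any of these ports disables the port.
;    Without the timeout the port stays down until administratively re-enabled.
spanning-tree 1-20 bpdu-protection
spanning-tree bpdu-protection-timeout 60

; 3) Loop protection: catches loops through devices that drop BPDUs
;    (unmanaged switches, hubs, dumb media converters), which STP never sees.
;    disable-timer re-enables the port automatically after 60 seconds.
loop-protect 1-20
loop-protect disable-timer 60

; Verification after a rogue switch or loop has been plugged in:
show spanning-tree bpdu-protection
show loop-protect 1-20
```

The two timers are the point Ingentive Networks raised: with bpdu-protection-timeout and loop-protect disable-timer set, a port that was shut down by a rogue BPDU or a detected loop comes back on its own, so a user cannot take a desk port out of service permanently. The show commands list which ports are currently disabled by each feature, which is the first thing to check when a user reports a dead port.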