Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

STP recommendations to configure end-user ports

Andrew95
Occasional Contributor

STP recommendations to configure end-user ports

Hello,

I'm configuring LAN for a big office with 2510-24 switches at access level.
What is your opinion regarding STP configuration for end-user ports ?

Is admin-edge-port parameter enough ? Or root-guard or even bpdu-protection is necessary ?
6 REPLIES
Mohammed Faiz
Honored Contributor

Re: STP recommendations to configure end-user ports

Hi,

I've never had an issue with just the admin-edge port value set, although that's mostly on 2610/2650/2810 switches (I've haven't used a 2510 series yet).
I've only used BPDU filter on ports to other switches that I *definitely* don't want spanning tree running too.
Andrew95
Occasional Contributor

Re: STP recommendations to configure end-user ports

I'm thinking about malicious user which bring some STP capable device or software and is doing something bad to my network.

I'm also worry about unicast floods (packets to unknown MAC addresses) which can be run by user.
Mohammed Faiz
Honored Contributor

Re: STP recommendations to configure end-user ports

I'm thinking about malicious user which bring some STP capable device or software and is doing something bad to my network.

Hmm, well the possibilities I see are:

- A user adds a device that drops/ignores BPDU packets to an edge port and creates a loop on that device.

There, you want to enable to loop-protect feature.

- A user adds a device that sends BPDU packets out intefering with your MSTP config

I'm not sure how much an issue this can be if you're using MSTP as the other device would have to match the config-name and config-revision parameters but I might be missing something.
Michael_Breuer
Esteemed Contributor

Re: STP recommendations to configure end-user ports

Hello Andrew,

my recommendation to tune/secure edge ports:

1) STP Admin Edge port: will save you ~3 seconds when bringing a port online, but will not protect your port.
2) BPDU Protection: Will protect that a rogue switch will be connected
3) Loop Protection: Will cover some loop scenarious which cannot be covered by STP.


Cheers,

Michael
www.ingentive.net
Ingentive Networks GmbH

Re: STP recommendations to configure end-user ports

With bpdu protection remember to set a timeout, else the port'll just stay down until it's administratively disabled or the switch is rebooted.

Issuing the command:

spanning-tree bpdu-protection-timeout 60

Will mean the switch re-enables the port after 60 seconds.

Re: STP recommendations to configure end-user ports

* administratively enabled