BPDU Guard is one of multiple security mechanisms available in spanning tree to protect your spanning tree network. This could be something as simple as a user connecting a cheap consumer switch to your network that doesn't support spanning tree and hence causing a loop, or something malicious such as an attacker plugging in a switch and making that switch the root of the spanning tree so that the attacker can analyze your network traffic that traverses that switch, or it could be an attacker simply connecting a switch to your topology, lowering the priority and degrading the performance of your network considerably by forcing the network traffic to go through a low-performance switch.

So one of the options you have to stop this is BPDU Guard, which will disable a port if any BPDU is received on that port. This is useful on ports that are going to be used as access ports and that should never be connected to another switch. In other words, ports that are gonna be configured as portfast ports.

There are two ways to configure BPDU Guard. You can either do it on a per-interface basis or configure it globally on a switch. On a per-port basis you would type spanning-tree portfast and then spanning-tree bpduguard enable, or globally on the switch you can use the command spanning-tree portfast default.

So in this topology, let's assume that this hub shouldn't be connected to the network, and we'll enable BPDU Guard on switch 2 and switch 3 because we shouldn't be receiving BPDUs on any of these ports; these ports should be connected to user PCs rather than a hub.

So conf t, spanning-tree portfast edge bpduguard. We have globally enabled BPDU Guard on switch 2. At the moment port gigabit 0/1 is not enabled for portfast, and we can see that by using the command show spanning-tree interface gigabit 0/1 portfast. So it's disabled, but now on gigabit 0/1 let's type spanning-tree portfast.

Notice very quickly BPDU Guard warns us that a BPDU was received on this port and the port has been disabled. So: BPDU Guard error detected on this port, port is placed in the error-disabled state, port has gone down. So show interface gigabit 0/1: the interface is down, line protocol is down, because the port was error-disabled.

Show spanning-tree: notice the port is not shown in the output here. If we look at gigabit 0/1 portfast we can see that no spanning tree information is available on this port because the port has been error-disabled. Show spanning-tree inconsistentports. Show spanning-tree summary: we can see that the switch is using Rapid PVST and we can see that portfast edge BPDU Guard default is enabled.

So I'll shut that port down and then no shut it, and let's see what happens again. So no shut it; notice immediately the port is error-disabled. So do show run interface gigabit 0/1: we need to remove this portfast command. So no spanning-tree portfast, and do show run interface gigabit 0/1. We've now removed portfast. So shut the port down and no shut it.

Notice the port has come up. Show spanning-tree blockedports: gigabit 0/1 is now being blocked because that port is an alternate port. On this segment the designated port is gigabit 0/1 on switch 3, and we can see that by typing show spanning-tree; notice gigabit 0/1 is the designated port on the segment. This is a hub, please note. So this is the designated port for this segment. This port, gigabit 0/1, is blocking on switch 2.

So these ports should have been connected to PCs, but if a user connected a hub, or someone is trying to do something malicious, BPDU Guard blocks the ports immediately. Now we can configure this on a per-port basis. So let's do that on gigabit 0/2: spanning-tree bpduguard enable. Notice immediately a BPDU was received on the port; the port goes to the disabled mode.

So if you enable it on an interface, the port doesn't even need to be configured as a portfast port. When a BPDU is received on the port it immediately error-disables. So do show interface gigabit 0/2; notice the port is down. It's error-disabled.