{"id":13,"date":"2017-05-17T17:27:00","date_gmt":"2017-05-17T17:27:00","guid":{"rendered":"https:\/\/jay-miah.co.uk\/?p=13"},"modified":"2024-11-17T17:35:46","modified_gmt":"2024-11-17T17:35:46","slug":"bpdu-filter-and-its-potential-to-cause-a-network-loop","status":"publish","type":"post","link":"https:\/\/jay-miah.co.uk\/index.php\/bpdu-filter-and-its-potential-to-cause-a-network-loop\/","title":{"rendered":"BPDU Filter and its Potential to Cause a Network Loop"},"content":{"rendered":"\n

BPDU Guard, BPDU Filter, Root Guard and Loop Guard are all considered spanning tree security features, they all have different characteristics as to what they protect and how they work. Spanning tree attacks can harm the data-plane at Layer 2 therefore using spanning tree security we can mitigate \u201cMan in the Middle\u201d type attacks, protect against changes in the spanning tree topology, protect the \u201cRoot Bridge\u201d and prevent overall network loops.<\/p>\n\n\n\n

Spanning-tree \u201cBPDU Filter\u201d works similar to \u201cBPDU Guard\u201d, as it allows you to block BPDU\u2019s. The major difference is that \u201cBPDU Guard\u201d will place an interface that receives the BPDU into an \u201cerr-disabled\u201d state pretty much protecting the violating port while \u201cBPDU Filter\u201d just \u201cfilters\u201d it leaving the port to stay up. If a user connects a switch on these ports, potentially this will cause a network loop. You must be careful if you are using BPDU filter and this should only be configured on interfaces in \u201cAccess Mode\u201d which connect back to a \u201cHost\u201d device. This should never be configured on interfaces that connect to other switches.<\/p>\n\n\n\n

BPDU Filter can be configured globally or on a port by port basis, and there is a difference between the two<\/p>\n\n\n\n

Global<\/strong> \u2013 If BPDU filter is enabled globally, then any interface with \u201cPortfast\u201d configured will not send or receive any BPDU\u2019s. However, when the port does receive a BPDU then it will lose its \u201cPortfast\u201d status, disable BPDU Filtering and act as a normal port.<\/p>\n\n\n\n

Port by Port<\/strong> \u2013 If BPDU Filter is enabled on a port by port basis, the port will ignore incoming BPDU\u2019s and it will also not send out any BPDU\u2019s. This is the same as disabling spanning tree.<\/p>\n\n\n\n

Network Loop example <\/strong><\/p>\n\n\n\n

Warning: do not carry out anything outlined in this guide on a live network, and always ensure you have the relevant permissions if you are testing this out for yourself, this should only be done in a lab environment or test network. This document is for the purpose of understanding how the technology works.<\/strong><\/p>\n\n\n\n

In the example below we will configure \u201cBPDU Filter\u201d on the switch interfaces individually, then we will connect these ports back to switches. The example will demonstrate a broadcast storm and how the technology is capable of taking down a network if it is used incorrectly. The below has been setup in GNS3, however the same applies to physical kit. Basic network connectivity has been configured and RSTP is blocking \u201cE0\/1\u201d on \u201cSW-2\u201d<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Lets Begin\u2026<\/p>\n\n\n\n

Step 1:<\/strong> lets take a look at the Spanning-tree topology as it looks before we enable BPDU Filter<\/p>\n\n\n\n

SW-1<\/strong><\/p>\n\n\n\n

show spanning-tree<\/code><\/pre>\n\n\n\n
From the output below we can see that the switch is running RSTP, \u201cSW-1\u201d is the root bridge and all the ports on the root are forwarding.<\/p>\n\n\n\n
<\/p>\n\n\n\n
SW-2<\/strong><\/p>\n\n\n\n
show spanning-tree<\/code><\/pre>\n\n\n\n
On \u201cSW-2\u201d we can see that it is also running RSTP, the MAC address of the root bridge is \u201caabb.cc00.0300\u201d which is the MAC of \u201cSW-1\u201d. Interface \u201cE0\/0\u201d is the root port and \u201cE0\/1\u201d is being blocked to prevent the loop.<\/p>\n\n\n\n
<\/p>\n\n\n\n
Step 2:<\/strong> Lets take a look at the CPU usage of both switches<\/p>\n\n\n\n
SW-1<\/strong><\/p>\n\n\n\n
show process cpu<\/code><\/pre>\n\n\n\n
We can see that they utilization is very low, as we would expect to see.<\/p>\n\n\n\n
\"C:\\Users\\acitjxm\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Word\\3.jpg\"<\/figure>\n\n\n\n
SW-2<\/strong><\/p>\n\n\n\n
show process cpu<\/code><\/pre>\n\n\n\n
\u201cSW-2 CPU\u201d utilization is also low<\/p>\n\n\n\n

As these devices are running of a VM in GNS 3 let\u2019s take a look at the CPU usage of the GNS3 VM.<\/p>\n\n\n\n
We can that it is operating normally with a low utilization<\/p>\n\n\n\n
\"C:\\Users\\acitjxm\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Word\\3.jpg\"<\/figure>\n\n\n\n
Step 3:<\/strong> Configure BPDU Filter on both switch interfaces.<\/p>\n\n\n\n
SW-1<\/strong><\/p>\n\n\n\n
conf t\nint e0\/1\nswitchport mode access\nswitchport access vlan 1\nspanning-tree bpdufilter enable\nspanning-tree portfast  (Not required to make BPDU Filter work)<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
SW-2<\/strong><\/p>\n\n\n\n
conf t\nint e0\/1\nswitchport mode access\nswitchport access vlan 1\nspanning-tree bpdufilter enable\nspanning-tree portfast (Not required to make BPDU Filter work)<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
Step 4:<\/strong> Lets take a look at the Spanning-tree topology,<\/p>\n\n\n\n
SW-1<\/strong><\/p>\n\n\n\n
show spanning-tree<\/code><\/pre>\n\n\n\n
As \u201cSW-1\u201d was the root bridge initially, nothing has changed on this switch, all ports are still forwarding.<\/p>\n\n\n\n
<\/p>\n\n\n\n
SW-2<\/strong><\/p>\n\n\n\n
show spanning-tree<\/code><\/pre>\n\n\n\n
On \u201cSW-2\u201d we can see that the Spanning-tree topology has changed, as we are no longer sending and receiving BPDU\u2019s on \u201cE0\/1\u201d the port has transitioned from a blocking state and into a forwarding state. This now means that the port is no longer blocking traffic and there is a loop between the switches. If a broadcast enters the network, it will keep going round and round without any end. On a production network this will mean a network death as thousands of broadcast frames keep looping continuously.<\/p>\n\n\n\n
<\/p>\n\n\n\n
Step 5:<\/strong> Generate some broadcast on the network, from \u201cSW-1\u201d ping \u201cSW-2\u201d<\/p>\n\n\n\n
ping 192.168.1.2<\/code><\/pre>\n\n\n\n
The first response is lost due to ARP, which is the broadcast. The network is now going to keep looping this broadcast, and if enough broadcast enters the loop the switches will become unresponsive and experience a high CPU utilisation.<\/p>\n\n\n\n

From \u201cSW-2\u201d generate more broadcast traffic<\/p>\n\n\n\n
ping 192.168.1.1<\/code><\/pre>\n\n\n\n
ping 192.168.10.1<\/code><\/pre>\n\n\n\n
\"C:\\Users\\acitjxm\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Word\\11.jpg\"<\/figure>\n\n\n\n
Both \u201cSW-1\u201d and \u201cSW-2\u201d have become unresponsive, as they are not responding we can\u2019t check the CPU utilization, my expectation is that they will be at 100%, if this was physical kit we might have been able to check.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"C:\\Users\\acitjxm\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Word\\13.jpg\"<\/figure>\n\n\n\n
Looking at the GNS3 VM the CPU has spiked to 100%<\/p>\n\n\n\n

Also on physical kit, at this point the lights would flash continuously really fast.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Global Configuration Example <\/strong><\/p>\n\n\n\n
Step 1. <\/strong>Configure BPDU Filter globally<\/p>\n\n\n\n
spanning-tree portfast bpdufilter default (GNS3 CMD \u2013 spanning-tree portfast edge bpdufilter default)<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
Step 2.<\/strong> Allow ports to participate in BPDU Filter<\/p>\n\n\n\n
int e0\/0\nspanning-tree portfast<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n","protected":false},"excerpt":{"rendered":"
BPDU Guard, BPDU Filter, Root Guard and Loop Guard are all considered spanning tree security features, they all have different characteristics as to what they<\/p>\n","protected":false},"author":1,"featured_media":129,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,6,9],"tags":[19,14,15,20,21,22,16,23,13],"class_list":["post-13","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-network","category-security","category-switching","tag-arp","tag-bpdu","tag-bpdu-filter","tag-broadcast","tag-loop","tag-rstp","tag-spanning-tree","tag-stp","tag-switching"],"_links":{"self":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/13","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=13"}],"version-history":[{"count":11,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/13\/revisions"}],"predecessor-version":[{"id":605,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/13\/revisions\/605"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media\/129"}],"wp:attachment":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=13"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=13"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=13"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}