SWITCHING BASICS.
The STP topology of a switched network is very susceptible to attack by various means. In most cases, an intruder introduces a rogue switch into an already running STP domain and wipes out the entire STP database. In order to protect the STP topology in such cases, the following STP features were introduced.
1. PORT FAST
2. BPDU GUARD
3. BPDU FILTER
4. ROOT GUARD
5. LOOP GUARD
1. PORT FAST
Generally, according to spanning tree protocol rules, every port has to go through different port states in order to reach forwarding mode: blocked ---> listening ---> learning ---> forwarding. This means a port has to spend 15 sec in listening and another 15 sec in learning, and these 30 seconds are a delay in the network before the port is ready to send actual data packets. In some network environments, time- and delay-sensitive services like VoIP and video streaming need good care taken of these delays. Hence, in order to overcome this delay, we can put the ports connecting such delay-sensitive servers into port fast; those ports then no longer need to spend 30 sec to come into forwarding mode. I.e. once a cable is connected on those ports, the port goes into forwarding state and is ready to send and receive data packets. Simply put, you can enable the port fast feature on all ports connecting workstations and servers. Remember! If any BPDU packets are received on a port fast enabled port, the port loses its port fast feature and comes back into the normal port state, because port fast does not actually disable STP on the port, it merely accelerates the STP convergence process. Hence if any BPDU is received on a port fast enabled port, it transitions through the normal STP port states.
2. BPDU GUARD
BPDU guard is a technique where you forcefully guard against receiving and processing BPDU messages on the switch ports where it is enabled. Normally every switch port has to go through the STP rules, spending 15 sec in listening and 15 sec in learning mode before it is available to send data packets; for a total of 30 sec the switch port is not ready to send or receive actual data packets. This 30 sec delay is not acceptable in some situations, such as delay-sensitive services like VoIP. In order to overcome this 30 sec delay we configure those ports as port fast, so that they don't have to wait 30 sec and STP puts them into forwarding state directly. Somehow this is not yet mission accomplished. If a bad guy connects another switch with a better priority on that port, what will happen? The rogue switch will be elected as root switch in your STP domain, advertise better BPDU messages, and your whole existing STP domain will be overwritten and reconverged. This is a huge pain. In order to avoid these situations, we can configure BPDU guard globally on the switch or on a per-port basis. If we configure BPDU guard globally, it is applied automatically on those ports which are configured as port fast. Once a BPDU is received on such a port, BPDU guard puts the port into the err-disabled state and does not process BPDU messages any more, which saves your STP domain from reconverging. In short, BPDU guard is a switch feature you apply on ports where you are not expecting BPDU messages at all.
3. BPDU FILTER
This is the type of method where BPDUs are filtered at the switch interface level. Once the BPDU filter command is configured under a switch port, that port stops sending or receiving BPDUs to and from other switches. The issue arises when this command is mistakenly configured under a switch port where filtering BPDUs is not actually intended. Once the switch interface stops receiving BPDUs, STP thinks there must be an issue at the upstream switch or its port, because it is no longer receiving or sending BPDUs. So STP acts and puts the blocked port into forwarding mode, and this causes huge L2 loops; L2 frames don't have any TTL value set, and hence they circulate indefinitely.
If you don't use this command cautiously in the switching network, you are going to lose your job sooner or later.
I suggest using this filter command as little as possible, because using it without properly understanding the network topology or STP domain silently creates huge switch loops.
4. ROOT GUARD
Root guard is a specific feature provided by all STP types that helps network engineers fix the exact root bridge location or position in a complicated STP network. They can assure the root bridge by making non-root switches ineligible for root bridge election, by applying the root guard command to all their ports. After root guard is configured on those non-root switches, if a superior BPDU is received on one of them, the switch port which received the superior BPDU goes into the root-inconsistent state (error) and avoids advertising that BPDU further to other switches, or stops itself from root bridge election.
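The port fast, BPDU guard and root guard protections described above as one Cisco IOS configuration, added here as an example and not taken from the original post. Interface numbers, the root priority value and the err-disable recovery timer are assumptions; root guard is placed on the root bridge's ports facing the downstream switches, i.e. the ports that must never become root ports.

```cisco
! Added example (not from the original post); Cisco IOS syntax, interface names assumed.
!
! --- Access switch ---
! Ports toward workstations/servers: PortFast skips the 30 sec listening/learning
! delay, and BPDU guard err-disables the port if any BPDU ever arrives on it,
! so a rogue switch plugged in here can never advertise itself into the domain.
spanning-tree portfast bpduguard default
!
interface range GigabitEthernet1/0/1 - 24
 description End hosts only (never a switch)
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Optional: bring a tripped port back after 5 minutes instead of a manual
! shut / no shut (interval value is an assumption).
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Uplink toward the real root bridge: no PortFast, no BPDU filter, normal STP.
interface GigabitEthernet1/0/25
 description Uplink to core (root bridge)
 switchport mode trunk
!
! --- Core / root switch ---
! Low priority makes this switch the root; root guard on the downlinks puts a
! port into root-inconsistent state if a superior BPDU shows up from below,
! so the real root is never displaced and no reconvergence happens.
spanning-tree vlan 1-4094 priority 4096
!
interface range GigabitEthernet1/0/1 - 2
 description Downlinks to access switches
 switchport mode trunk
 spanning-tree guard root
!
! BPDU filter is deliberately not applied anywhere (see the caveat above).
!
! Verification:
!   show spanning-tree summary            -> PortFast / BPDU guard defaults
!   show spanning-tree inconsistentports  -> ports held in root-inconsistent state
!   show interfaces status err-disabled   -> ports tripped by BPDU guard
```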