Wired Intelligent Edge

Spanning tree recommended configuration

  • 1.  Spanning tree recommended configuration

    Posted Nov 14, 2018 04:20 PM

    I have MDF1 connected to 2 IDF switches, IDF1 and IDF2. IDF1 and IDF2 have the firewall IP address, which is directly connected to MDF1, as their default gateway. IDF1/2 are connected to each other as well. I have configured spanning tree as below and made MDF1 the root switch:

    MDF1

    spanning-tree enable
    spanning-tree priority 1

    IDF1/2

    spanning-tree enable
    spanning-tree priority 5

    What is the recommended configuration for bpdu guard or bpdu protection or root guard or bpdu-filter or pvst-filter? What is the best-practice way to configure all of this alongside the existing spanning tree configuration? Is it configured on individual ports, and where is it needed?



  • 2.  RE: Spanning tree recommended configuration

    Posted Aug 08, 2019 06:13 PM

    Hi Nick,

    Apologies for resurrecting this thread, but I am wondering if you ever came to an answer/conclusion on this?

    Thanks!



  • 3.  RE: Spanning tree recommended configuration

    Posted Mar 12, 2020 03:43 PM

    I understand that the use of these options (bpdu guard, root guard, bpdu filter, pvst filter) is strongly related to how much control you have over the attachment of unauthorized / unknown devices to your network.

    If you have full confidence that this will never occur, then you can just ignore these options, set up your switches and be happy. But if you don't have this level of control, or if you're connecting to devices in different administrative domains, you may use those resources, taking into account which behaviour is desired for each situation.



  • 4.  RE: Spanning tree recommended configuration

    Posted Mar 13, 2020 06:34 AM

     


    @JQueiroz wrote: If you have full confidence that this will never occur, then you can just ignore these options, set up your switches and be happy.

    The OP should not have such a level of confidence, in any case (I mean: no matter what level of confidence they believe they have, or the contrary).

     

    If I were the OP I would act at two levels:

     

    • at Core level (Where STP Root should be placed)
    • at Distribution/Access levels

    At Core level: at least enforce the planned STP Topology by protecting the STP Root position through root-guard feature applied on each port used as downlink to any downstream Distribution/Access Switches.

     

    The purpose is nicely summarized here:

     

    "Spanning Tree Protocol (STP) does not provide any means for the network administrator to securely enforce the topology of the switched network. Any switch can be the root bridge in a network. However, a more optimal forwarding topology places the root bridge at a specific predetermined location. With the standard STP, any bridge in the network with a lower bridge ID takes the role of the root bridge. The administrator cannot enforce the position of the root bridge but can set the root bridge priority to 0 in an effort to secure the root bridge position. The root guard feature provides a way to enforce the root bridge placement in the network. If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state and no traffic can be forwarded across this port while it is in this state. To enforce the position of the root bridge it is imperative that root guard is enabled on all ports where the root bridge should never appear."

     

    At Distribution/Access levels (where edge devices are, or will be, connected): some STP-related features such as bpdu-protection, admin-edge-port, point-to-point-mac and loop-protect can be used as protection mechanisms based on switch port type and purpose (for example, interfaces used as uplinks to the Core would be set with point-to-point-mac true, whereas loop-protect, bpdu-protection and admin-edge-port would be enabled on every port that has an end device connected).

    Edit: what is reported above refers to (HP ProVision or ProCurve line) ArubaOS-Switch based switches.
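    Added illustration (editor's example, not taken from any post in this thread): the two-level hardening described in reply 4, written out in ArubaOS-Switch CLI syntax for the OP's MDF1/IDF1/IDF2 layout. The port numbers, the 300-second timers and the `;` comment lines are assumptions; check them against your own port map before applying.

```text
; MDF1 (core, intended STP root). Assumed: ports 1-2 are the downlinks to IDF1 and IDF2.
spanning-tree
spanning-tree priority 1
; A superior BPDU arriving from an IDF puts the port in a root-inconsistent state
; instead of letting that IDF take over the root role.
spanning-tree 1-2 root-guard
spanning-tree 1-2 point-to-point-mac true

; IDF1 and IDF2 (access). Assumed: ports 1-48 edge devices, 49 uplink to MDF1,
; 50 the direct link to the other IDF.
spanning-tree
spanning-tree priority 5
; Switch-to-switch links: declare full-duplex point-to-point so RSTP/MSTP can
; transition quickly rather than waiting out the forward-delay timers.
spanning-tree 49-50 point-to-point-mac true
; Edge ports: go straight to forwarding, and disable the port if any BPDU is
; received there (an unexpected switch, or a hub feeding the segment back).
spanning-tree 1-48 admin-edge-port
spanning-tree 1-48 bpdu-protection
; Bring a bpdu-protection-disabled port back after 5 minutes; 0 keeps it down
; until an operator clears it, which is preferable where the cabling is controlled.
spanning-tree bpdu-protection-timeout 300
; loop-protect detects loops through devices that drop BPDUs entirely, which STP
; alone never sees; same disable/recover logic as above.
loop-protect 1-48
loop-protect disable-timer 300

; Checks after applying, on each switch:
;   show spanning-tree                  (confirm the root bridge ID is MDF1's)
;   show spanning-tree bpdu-protection  (which ports, if any, were disabled by a BPDU)
;   show loop-protect                   (per-port loop detection status and counts)
```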