Topology:
1. BPDU protection
An edge port connects directly to a user terminal, so under normal conditions it never receives BPDUs. If an attacker forges BPDUs to attack the switch, the moment the edge port receives a BPDU the switch automatically reverts it to a non-edge port and recomputes the spanning tree, causing the network to flap. Enabling BPDU protection defends against such forged-BPDU attacks.
Note: apply the following configuration on the switch that owns the edge ports.
SW4:
interface GigabitEthernet0/0/23
port link-type access
port default vlan 10
stp edged-port enable //enable the edge-port attribute on this interface
stp bpdu-protection //enable BPDU protection globally (system view); edge ports then get BPDU protection automatically
[SW4]dis stp b
MSTID  Port                   Role  STP State   Protection
0      GigabitEthernet0/0/1   ALTE  DISCARDING  NONE
0      GigabitEthernet0/0/2   ROOT  FORWARDING  NONE
0      GigabitEthernet0/0/24  DESI  FORWARDING  BPDU
[SW4]dis stp int g0/0/24
-------[CIST Global Info][Mode RSTP]-------
CIST Bridge :32768.4c1f-cccc-5bbd
Config Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
Active Times :Hello 1s MaxAge 10s FwDly 12s MaxHop 20
CIST Root/ERPC :0 .4c1f-ccdc-1bae / 20000
CIST RegRoot/IRPC :32768.4c1f-cccc-5bbd / 0
CIST RootPortId :128.2
BPDU-Protection :Enabled
TC or TCN received :35
TC count per hello :0
STP Converge Mode :Normal
Time since last TC :0 days 0h:7m:42s
Number of TC :11
Last TC occurred :GigabitEthernet0/0/23
----[Port24(GigabitEthernet0/0/24)][FORWARDING]----
Port Protocol :Enabled
Port Role :Designated Port
Port Priority :128
Port Cost(Dot1T ) :Config=auto / Active=20000
Designated Bridge/Port :32768.4c1f-cccc-5bbd / 128.24
Port Edged :Config=enabled / Active=enabled
BPDU-Protection :Enabled
Now, when edge port G0/0/23 receives a BPDU, the interface is shut down:
[SW4]
Jan 19 2019 21:56:45-08:00 SW4 %%01PHY/1/PHY(l)[2]: GigabitEthernet0/0/23: change status to up
Jan 19 2019 21:56:46-08:00 SW4 %%01MSTP/4/BPDU_PROTECTION(l)[3]:This edged-port GigabitEthernet0/0/23 that enabled BPDU-Protection will be shutdown, because it received BPDU packet!
Jan 19 2019 21:56:46-08:00 SW4 %%01PHY/1/PHY(l)[4]: GigabitEthernet0/0/23: change status to down
2. BPDU filter
In a network running a spanning tree protocol, once a port is configured as an edge port with stp edged-port enable it no longer takes part in spanning tree calculation, which speeds up topology convergence and improves network stability. The port still sends BPDUs, however, and these may reach other networks and cause them to flap.
Configuring stp bpdu-filter enable on an interface of a network edge device makes the edge port neither process nor send BPDUs; such a port is called a BPDU filter port. A BPDU filter port cannot negotiate STP state with the directly connected port on the peer device, so use this with care and configure it only on edge ports. Never configure bpdu-filter on ports that connect switches to each other.
Note: after stp bpdu-filter default and stp edged-port default are configured, no port on the device sends BPDUs or negotiates with the directly connected port on the peer device, and every port is in the forwarding state. This can create a loop and cause a broadcast storm, so use it with care.
SW4:
stp bpdu-protection
interface GigabitEthernet0/0/23
port link-type access
port default vlan 10
stp bpdu-filter enable
stp edged-port enable
Now, when the interface receives a BPDU it neither processes it nor sends BPDUs of its own, and the interface is not put into the shutdown state.
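The two sections above describe three settings that interact: an edge port without global BPDU protection reverts on a received BPDU, bpdu-filter on an inter-switch port leaves it forwarding with no STP negotiation, and bpdu-filter on a protected edge port means the shutdown never fires. The following audit script is an added example, not part of the original post and not Huawei code. It assumes the configuration is in the textual form shown on this page (global commands, then `interface <name>` blocks ended by the next `interface` line or a `#` separator, with optional `//` trailing comments), and the sample configuration embedded in it is constructed from the page's SW4 snippets.

```python
"""Audit a Huawei VRP configuration excerpt for the STP edge-port risks
described above: bpdu-filter on non-edge ports, filter + protection on the
same port, edge ports without global bpdu-protection, and the two global
"default" commands. Added example; assumptions are noted in comments.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, based on the SW4 snippets on the page. Note that
# stp bpdu-protection is a system-view command, so it sits above the
# interface blocks here rather than indented under one.
SAMPLE_CONFIG = """\
stp bpdu-protection
#
interface GigabitEthernet0/0/2
 stp bpdu-filter enable
#
interface GigabitEthernet0/0/23
 port link-type access
 port default vlan 10
 stp bpdu-filter enable
 stp edged-port enable
#
interface GigabitEthernet0/0/24
 port link-type access
 port default vlan 10
 stp edged-port enable //edge port, protected by the global command
"""


@dataclass
class Interface:
    name: str
    edged: bool = False        # stp edged-port enable present
    bpdu_filter: bool = False  # stp bpdu-filter enable present
    commands: list = field(default_factory=list)


def parse_config(text):
    """Split a VRP config excerpt into (global_commands, {name: Interface})."""
    global_cmds = []
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()   # drop trailing // comments
        if line == "#":                         # block separator leaves the interface view
            current = None
            continue
        if not line:
            continue
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = Interface(m.group(1))
            interfaces[current.name] = current
            continue
        if current is None:
            global_cmds.append(line)
            continue
        current.commands.append(line)
        if line == "stp edged-port enable":
            current.edged = True
        elif line == "stp bpdu-filter enable":
            current.bpdu_filter = True
    return global_cmds, interfaces


def audit(text):
    """Return findings as (severity, scope, message) tuples in config order."""
    global_cmds, interfaces = parse_config(text)
    findings = []
    filter_default = "stp bpdu-filter default" in global_cmds
    edged_default = "stp edged-port default" in global_cmds
    protection = "stp bpdu-protection" in global_cmds
    if filter_default and edged_default:
        findings.append(("high", "global",
                         "stp bpdu-filter default + stp edged-port default: no port sends "
                         "or negotiates BPDUs, every port forwards, loops go undetected"))
    elif filter_default:
        findings.append(("medium", "global", "stp bpdu-filter default filters BPDUs on all ports"))
    elif edged_default:
        findings.append(("medium", "global", "stp edged-port default treats every port as an edge port"))
    for itf in interfaces.values():
        if itf.bpdu_filter and not itf.edged:
            findings.append(("high", itf.name,
                             "bpdu-filter on a non-edge port: no STP negotiation with the "
                             "neighbour, the port stays forwarding and can close a loop"))
        elif itf.bpdu_filter and itf.edged:
            findings.append(("info", itf.name,
                             "bpdu-filter on an edge port: received BPDUs are ignored, so "
                             "bpdu-protection will never shut this port down"))
        if itf.edged and not itf.bpdu_filter and not protection:
            findings.append(("medium", itf.name,
                             "edge port without global stp bpdu-protection: a received BPDU "
                             "reverts it to a normal port and triggers recomputation"))
    return findings


if __name__ == "__main__":
    for severity, scope, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {scope}: {message}")
```

Run against the sample, the script flags GigabitEthernet0/0/2 as high (the exact misconfiguration that produces the loop in the next section) and GigabitEthernet0/0/23 as informational, while GigabitEthernet0/0/24 is clean because the global stp bpdu-protection covers it.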
[SW4]dis stp int g0/0/23
-------[CIST Global Info][Mode RSTP]-------
CIST Bridge :32768.4c1f-cccc-5bbd
Config Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
Active Times :Hello 1s MaxAge 10s FwDly 12s MaxHop 20
CIST Root/ERPC :0 .4c1f-ccdc-1bae / 20000
CIST RegRoot/IRPC :32768.4c1f-cccc-5bbd / 0
CIST RootPortId :128.2
BPDU-Protection :Enabled
TC or TCN received :35
TC count per hello :0
STP Converge Mode :Normal
Time since last TC :0 days 0h:29m:46s
Number of TC :11
Last TC occurred :GigabitEthernet0/0/23
----[Port23(GigabitEthernet0/0/23)][FORWARDING]----
Port Protocol :Enabled
Port Role :Designated Port
Port Priority :128
Port Cost(Dot1T ) :Config=auto / Active=20000
Designated Bridge/Port :32768.4c1f-cccc-5bbd / 128.23
Port Edged :Config=enabled / Active=disabled
BPDU-Protection :Enabled
Point-to-point :Config=auto / Active=true
Transit Limit :147 packets/hello-time
Protection Type :None
Port STP Mode :RSTP
Port Protocol Type :Config=auto / Active=dot1s
BPDU Encapsulation :Config=stp / Active=stp
PortTimes :Hello 1s MaxAge 10s FwDly 12s RemHop 20
TC or TCN send :0
TC or TCN received :0
BPDU Sent :0
TCN: 0, Config: 0, RST: 0, MST: 0
BPDU Received :0
TCN: 0, Config: 0, RST: 0, MST: 0
[SW4]
Loop problem:
At this point PC1 can ping 10.1.1.2 successfully.
If stp bpdu-filter is enabled on SW4's GigabitEthernet0/0/2, that port's STP state changes to forwarding; when PC1 then accesses PC2, a broadcast storm and MAC address flapping occur:
interface GigabitEthernet0/0/2
stp bpdu-filter enable
[SW4]dis stp brief
MSTID  Port                   Role  STP State   Protection
0      GigabitEthernet0/0/2   DESI  FORWARDING  NONE
0      GigabitEthernet0/0/3   ROOT  FORWARDING  NONE
0      GigabitEthernet0/0/23  DESI  FORWARDING  BPDU
0      GigabitEthernet0/0/24  DESI  FORWARDING  BPDU
PC1 can now no longer reach PC2.
[SW4]
Jan 19 2019 22:26:11-08:00 SW4 L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 MAC move detected, VlanId = 10, MacAddress = 5489-987a-5cb5, Original-Port = GE0/0/2, Flapping port = GE0/0/3. Please check the network accessed to flapping port.
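Both failure modes on this page announce themselves in the switch log: the BPDU_PROTECTION message followed by the PHY link-down event in the first section, and the MFLPVLANALARM MAC-move alarm here. The parser below is an added example, not part of the original post and not Huawei code. It assumes the VRP log line layout visible above (timestamp, hostname, MODULE/severity/MNEMONIC, message) and reuses the page's four log lines as its sample input; the alert types it emits are names chosen for this example.

```python
"""Parse VRP log lines for BPDU-protection shutdowns and MAC flapping alarms,
and turn them into structured alerts. Added example; the regexes are written
against the log lines shown on this page.
"""
import re

# Sample input: the four log lines quoted on the page, in time order.
SAMPLE_LOG = [
    "Jan 19 2019 21:56:45-08:00 SW4 %%01PHY/1/PHY(l)[2]: GigabitEthernet0/0/23: change status to up",
    "Jan 19 2019 21:56:46-08:00 SW4 %%01MSTP/4/BPDU_PROTECTION(l)[3]:This edged-port "
    "GigabitEthernet0/0/23 that enabled BPDU-Protection will be shutdown, because it received BPDU packet!",
    "Jan 19 2019 21:56:46-08:00 SW4 %%01PHY/1/PHY(l)[4]: GigabitEthernet0/0/23: change status to down",
    "Jan 19 2019 22:26:11-08:00 SW4 L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 "
    "MAC move detected, VlanId = 10, MacAddress = 5489-987a-5cb5, Original-Port = GE0/0/2, "
    "Flapping port = GE0/0/3. Please check the network accessed to flapping port.",
]

# Common header: "<Mon> <d> <yyyy> <hh:mm:ss><tz> <host> [%%01]MODULE/sev/MNEMONIC[(l)][[n]]:msg"
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}) "
    r"(?P<host>\S+) (?:%%01)?(?P<module>[A-Z0-9]+)/(?P<sev>\d)/(?P<mnemonic>[A-Z_]+)"
    r"(?:\(l\))?(?:\[\d+\])?:\s*(?P<msg>.*)$"
)
BPDU_PORT = re.compile(r"edged-port (\S+) ")
MAC_MOVE = re.compile(
    r"VlanId = (\d+), MacAddress = ([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}), "
    r"Original-Port = (\S+?), Flapping port = (\S+?)\."
)
PHY_STATUS = re.compile(r"^(\S+): change status to (up|down)$")


def parse_line(line):
    """Return a dict of fields for a recognised log line, or None."""
    m = HEADER.match(line)
    if not m:
        return None
    ev = {k: m.group(k) for k in ("ts", "host", "module", "mnemonic", "msg")}
    ev["severity"] = int(m.group("sev"))
    msg = ev["msg"]
    if ev["mnemonic"] == "BPDU_PROTECTION":
        p = BPDU_PORT.search(msg)
        ev["port"] = p.group(1) if p else None
    elif ev["mnemonic"] == "MFLPVLANALARM":
        p = MAC_MOVE.search(msg)
        if p:
            ev.update(vlan=int(p.group(1)), mac=p.group(2),
                      original_port=p.group(3), flapping_port=p.group(4))
    elif ev["mnemonic"] == "PHY":
        p = PHY_STATUS.match(msg)
        if p:
            ev.update(port=p.group(1), status=p.group(2))
    return ev


def triage(lines):
    """Build alerts: a BPDU-guard shutdown is marked confirmed when a later
    PHY down event names the same port; a MAC move becomes a flapping alert."""
    events = [ev for ev in map(parse_line, lines) if ev]
    alerts = []
    for i, ev in enumerate(events):
        if ev["mnemonic"] == "BPDU_PROTECTION":
            link_down = any(e["mnemonic"] == "PHY" and e.get("port") == ev["port"]
                            and e.get("status") == "down" for e in events[i + 1:])
            alerts.append({"type": "bpdu-guard-shutdown", "host": ev["host"],
                           "port": ev["port"], "link_down_seen": link_down})
        elif ev["mnemonic"] == "MFLPVLANALARM" and "mac" in ev:
            alerts.append({"type": "mac-flapping", "host": ev["host"], "vlan": ev["vlan"],
                           "mac": ev["mac"], "ports": (ev["original_port"], ev["flapping_port"])})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

On the sample, the first alert reports GigabitEthernet0/0/23 shut down by BPDU protection with the link-down confirmed, and the second reports MAC 5489-987a-5cb5 in VLAN 10 moving between GE0/0/2 and GE0/0/3, which is the signature of the loop created by the bpdu-filter misconfiguration above.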
A packet capture on PC1's E0/1 shows the broadcast storm, as follows: