Topology:
1. bpdu protection
Edge ports connect directly to user terminals, so under normal conditions an edge port never receives BPDUs. If an attacker forges BPDUs to attack the switch, then as soon as the edge port receives a BPDU the switch automatically turns it into a non-edge port and recomputes the spanning tree, causing network flapping. Enabling BPDU protection prevents this kind of forged-BPDU attack.
Note: perform the following configuration on the switch that has the edge ports.
SW4:
stp bpdu-protection //globally enable STP BPDU protection (system view); edge ports then automatically enable BPDU protection
interface GigabitEthernet0/0/23
port link-type access
port default vlan 10
stp edged-port enable //enable the edge-port attribute on this port
[SW4]dis stp b
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 ALTE DISCARDING NONE
0 GigabitEthernet0/0/2 ROOT FORWARDING NONE
0 GigabitEthernet0/0/24 DESI FORWARDING BPDU
[SW4]dis stp int g0/0/24
-------[CIST Global Info][Mode RSTP]-------
CIST Bridge :32768.4c1f-cccc-5bbd
Config Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
Active Times :Hello 1s MaxAge 10s FwDly 12s MaxHop 20
CIST Root/ERPC :0 .4c1f-ccdc-1bae / 20000
CIST RegRoot/IRPC :32768.4c1f-cccc-5bbd / 0
CIST RootPortId :128.2
BPDU-Protection :Enabled
TC or TCN received :35
TC count per hello :0
STP Converge Mode :Normal
Time since last TC :0 days 0h:7m:42s
Number of TC :11
Last TC occurred :GigabitEthernet0/0/23
----[Port24(GigabitEthernet0/0/24)][FORWARDING]----
Port Protocol :Enabled
Port Role :Designated Port
Port Priority :128
Port Cost(Dot1T ) :Config=auto / Active=20000
Designated Bridge/Port :32768.4c1f-cccc-5bbd / 128.24
Port Edged :Config=enabled / Active=enabled
BPDU-Protection :Enabled
Now, when edge port G0/0/23 receives a BPDU, the interface is shut down:
[SW4]
Jan 19 2019 21:56:45-08:00 SW4 %%01PHY/1/PHY(l)[2]: GigabitEthernet0/0/23: change status to up
Jan 19 2019 21:56:46-08:00 SW4 %%01MSTP/4/BPDU_PROTECTION(l)[3]:This edged-port GigabitEthernet0/0/23 that enabled BPDU-Protection will be shutdown, because it received BPDU packet!
Jan 19 2019 21:56:46-08:00 SW4 %%01PHY/1/PHY(l)[4]: GigabitEthernet0/0/23: change status to down
2. bpdu filter
On a network running a spanning tree protocol, once a port is configured as an edge port with stp edged-port enable, it no longer takes part in spanning tree calculation, which speeds up topology convergence and improves network stability. The port still sends BPDUs, however, and those BPDUs may reach other networks and cause flapping there.
Configuring stp bpdu-filter enable on an interface of a network edge device makes the edge port neither process nor send BPDUs; such a port is a BPDU filter port. Because it can no longer negotiate STP state with the directly connected port on the peer device, use it with care and only on edge ports. Do not configure bpdu-filter on ports between switches.
Note: after stp bpdu-filter default and stp edged-port default, none of the ports on the device send BPDUs or negotiate with the directly connected peer ports, and all ports are in the forwarding state. This may create a loop and cause a broadcast storm; use with caution.
SW4:
stp bpdu-protection
interface GigabitEthernet0/0/23
port link-type access
port default vlan 10
stp bpdu-filter enable
stp edged-port enable
Now, when the interface receives a BPDU it neither processes it nor sends BPDUs of its own, and the interface is not placed in the shutdown state.
[SW4]dis stp int g0/0/23
-------[CIST Global Info][Mode RSTP]-------
CIST Bridge :32768.4c1f-cccc-5bbd
Config Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
Active Times :Hello 1s MaxAge 10s FwDly 12s MaxHop 20
CIST Root/ERPC :0 .4c1f-ccdc-1bae / 20000
CIST RegRoot/IRPC :32768.4c1f-cccc-5bbd / 0
CIST RootPortId :128.2
BPDU-Protection :Enabled
TC or TCN received :35
TC count per hello :0
STP Converge Mode :Normal
Time since last TC :0 days 0h:29m:46s
Number of TC :11
Last TC occurred :GigabitEthernet0/0/23
----[Port23(GigabitEthernet0/0/23)][FORWARDING]----
Port Protocol :Enabled
Port Role :Designated Port
Port Priority :128
Port Cost(Dot1T ) :Config=auto / Active=20000
Designated Bridge/Port :32768.4c1f-cccc-5bbd / 128.23
Port Edged :Config=enabled / Active=disabled
BPDU-Protection :Enabled
Point-to-point :Config=auto / Active=true
Transit Limit :147 packets/hello-time
Protection Type :None
Port STP Mode :RSTP
Port Protocol Type :Config=auto / Active=dot1s
BPDU Encapsulation :Config=stp / Active=stp
PortTimes :Hello 1s MaxAge 10s FwDly 12s RemHop 20
TC or TCN send :0
TC or TCN received :0
BPDU Sent :0
TCN: 0, Config: 0, RST: 0, MST: 0
BPDU Received :0
TCN: 0, Config: 0, RST: 0, MST: 0
[SW4]
Loop problem:
Currently PC1 can ping 10.1.1.2.
If stp bpdu-filter is enabled on SW4's GigabitEthernet0/0/2 interface, the interface's STP state changes to forwarding, and when PC1 accesses PC2 a broadcast storm and MAC address flapping occur:
interface GigabitEthernet0/0/2
stp bpdu-filter enable
[SW4]dis stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/2 DESI FORWARDING NONE
0 GigabitEthernet0/0/3 ROOT FORWARDING NONE
0 GigabitEthernet0/0/23 DESI FORWARDING BPDU
0 GigabitEthernet0/0/24 DESI FORWARDING BPDU
Now PC1 cannot reach PC2.
[SW4]
Jan 19 2019 22:26:11-08:00 SW4 L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 MAC move detected, VlanId = 10, MacAddress = 5489-987a-5cb5, Original-Port = GE0/0/2, Flapping port = GE0/0/3. Please check the network accessed to flapping port.
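To catch both conditions this note demonstrates before a configuration is pushed, here is an added Python audit script (not part of this note and not a Huawei tool) that parses a VRP-style configuration and flags bpdu-filter on non-edge ports and edge ports configured without global bpdu-protection. The sample configuration is constructed from the snippets above.

```python
# Constructed sample of a Huawei VRP configuration, modelled on the snippets in this note:
# bpdu-filter on the inter-switch port G0/0/2 is the misconfiguration that caused the loop.
SAMPLE_CONFIG = """\
stp bpdu-protection
#
interface GigabitEthernet0/0/2
 stp bpdu-filter enable
#
interface GigabitEthernet0/0/23
 port link-type access
 port default vlan 10
 stp bpdu-filter enable
 stp edged-port enable
#
interface GigabitEthernet0/0/24
 port link-type access
 port default vlan 10
 stp edged-port enable
"""


def parse_stp_config(config):
    """Return (global_bpdu_protection, {interface: set of its stp lines})."""
    global_protection = False
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":                 # VRP section separator: leave interface view
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces.setdefault(current, set())
        elif line == "stp bpdu-protection" and current is None:
            global_protection = True    # system-view command, not per-interface
        elif current is not None and line.startswith("stp "):
            ifaces[current].add(line)
    return global_protection, ifaces


def audit_stp_config(config):
    """Return a sorted list of (interface, issue) for the two risky conditions."""
    global_protection, ifaces = parse_stp_config(config)
    findings = []
    for name, lines in sorted(ifaces.items()):
        edged = "stp edged-port enable" in lines
        filtered = "stp bpdu-filter enable" in lines
        if filtered and not edged:
            # Port stops negotiating STP and stays forwarding: loop / broadcast storm risk
            findings.append((name, "bpdu-filter on non-edge port"))
        if edged and not global_protection:
            # A forged BPDU would turn the port non-edge and trigger a recalculation
            findings.append((name, "edge port without bpdu-protection"))
    return findings
```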
Capturing packets on PC1's E0/1 shows the broadcast storm, as follows: