17 Oct

When your ISP sends you BPDU frames…

As an end-user, you should never receive STP BPDU frames from your ISP. Workstations in enterprise networks should not receive them either. It is always the result of misconfiguration or of a lack of knowledge among network engineers about the basics of network security. BPDUs can reveal information about your network that can later be used to compromise it. In the worst case, an attacker can impact your systems by changing the spanning-tree topology and performing a man-in-the-middle attack.

I noticed that my ISP is sending me BPDU frames. Let’s see, using this real-life scenario, what we can tell about its network.


09 May

Detecting Unidirectional Link Failure on STP

UDLD is a nice mechanism for detecting unidirectional transmission over a fiber or copper link, but it tests only the physical layer. Therefore, if there is a problem with transmitting BPDUs over the link, UDLD won’t detect it, which may cause loops in the network.

The IEEE 802.1D-2004 Rapid STP standard defines a dispute mechanism that works similarly to UDLD but at layer 2 of the OSI model. The root bridge sends superior BPDUs over its links and waits for replies from its neighbors. If an adjacent switch responds in a way suggesting it didn’t receive the superior BPDU, the root bridge blocks its port, thus preventing a bridging loop.

The dispute mechanism works only for RSTP and MST BPDUs, because only those include the role and state of the sending port.

Dispute is available on the Catalyst 6500 with IOS 12.2(33)SXI and above, on the Catalyst 4500 and 4900 since the 12.2(52)SG release, as well as on Nexus switches.
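The two posts above share one underlying object, the RST BPDU, so here is a single added example (my own code, not from the blog or any Cisco implementation) that serves both: a parser for the 802.1D-2004 BPDU payload, a `summarize()` function showing what a host on an edge port learns from one stray BPDU (the first post's point), and an `is_disputed()` check that applies the dispute rule from the second post: an inferior RST BPDU arriving on our Designated port from a neighbour that still claims the Designated role with the Learning flag set means the neighbour is not hearing our superior BPDUs, so the port is held in Discarding. Field offsets and flag bits follow 802.1D-2004; the sample frames, MAC addresses and `OUR_VECTOR` are constructed for the demo.

```python
import struct
from dataclasses import dataclass

RST_BPDU_TYPE = 0x02
ROLE_NAMES = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}
VERSION_NAMES = {0: "STP (802.1D)", 2: "RSTP (802.1w)", 3: "MSTP (802.1s)"}


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass
class Bpdu:
    version: int
    bpdu_type: int
    flags: int
    root_id: bytes        # 8 bytes: 2-byte priority/system-ID-ext + 6-byte MAC
    root_path_cost: int
    bridge_id: bytes      # 8 bytes, the sending bridge
    port_id: int
    message_age: float    # seconds (wire units are 1/256 s)
    max_age: float
    hello_time: float
    forward_delay: float

    @property
    def port_role(self) -> str:
        return ROLE_NAMES[(self.flags >> 2) & 0x3]   # flag bits 2-3

    @property
    def learning(self) -> bool:
        return bool(self.flags & 0x10)               # flag bit 4

    def priority_vector(self):
        # Message priority vector; lower compares as better (802.1D-2004 17.6)
        return (self.root_id, self.root_path_cost, self.bridge_id, self.port_id)


def parse_bpdu(payload: bytes) -> Bpdu:
    """Parse the STP payload that follows the LLC header (DSAP/SSAP 0x42)."""
    if len(payload) < 35:
        raise ValueError("too short for a Configuration/RST BPDU")
    proto, version, btype, flags = struct.unpack("!HBBB", payload[:5])
    if proto != 0:
        raise ValueError("protocol identifier is not 0x0000: not an STP BPDU")
    root_id, bridge_id = payload[5:13], payload[17:25]
    (cost,) = struct.unpack("!I", payload[13:17])
    port_id, msg_age, max_age, hello, fwd = struct.unpack("!HHHHH", payload[25:35])
    return Bpdu(version, btype, flags, root_id, cost, bridge_id, port_id,
                msg_age / 256, max_age / 256, hello / 256, fwd / 256)


def summarize(b: Bpdu) -> dict:
    """What a host on an edge port learns from a single stray BPDU."""
    prio_field = struct.unpack("!H", b.root_id[:2])[0]
    return {
        "stp_version": VERSION_NAMES.get(b.version, f"unknown({b.version})"),
        "root_priority": prio_field & 0xF000,       # 4-bit priority, multiples of 4096
        "root_system_id_ext": prio_field & 0x0FFF,  # VLAN ID in per-VLAN STP flavours
        "root_mac": fmt_mac(b.root_id[2:]),         # vendor OUI of the root bridge
        "sender_mac": fmt_mac(b.bridge_id[2:]),
        "sender_is_root": b.root_id == b.bridge_id,
        "root_path_cost": b.root_path_cost,
        "sender_port_role": b.port_role,
        "hello_time": b.hello_time,
        "max_age": b.max_age,
    }


def is_disputed(received: Bpdu, our_vector) -> bool:
    """Dispute check for a Designated port (assumption: we are the designated
    bridge on this link). Inferior RST BPDU + neighbour claims Designated +
    Learning set => neighbour is not receiving our BPDUs; hold port Discarding."""
    if received.bpdu_type != RST_BPDU_TYPE:
        return False  # legacy Configuration BPDUs carry no role/state flags
    inferior = received.priority_vector() > our_vector
    return inferior and received.port_role == "designated" and received.learning


# ---- constructed sample frames (not captured traffic) ----
def build_rst_bpdu(flags, root_id, cost, bridge_id, port_id,
                   msg_age=0, max_age=20, hello=2, fwd=15) -> bytes:
    return (struct.pack("!HBBB", 0, 2, RST_BPDU_TYPE, flags) + root_id
            + struct.pack("!I", cost) + bridge_id
            + struct.pack("!HHHHH", port_id, msg_age * 256, max_age * 256,
                          hello * 256, fwd * 256)
            + b"\x00")  # Version 1 Length


OUR_ID = bytes.fromhex("8000" "001122334455")       # priority 32768, ext 0, our MAC
NEIGHBOR_ID = bytes.fromhex("8000" "00aabbccddee")  # numerically worse bridge ID
OUR_VECTOR = (OUR_ID, 0, OUR_ID, 0x8001)            # we are root; port 1, prio 128

# Neighbour still believes it is root and designated, Learning+Forwarding set:
# flags = designated role (3<<2) | learning (0x10) | forwarding (0x20)
DISPUTE_FRAME = build_rst_bpdu(0x3C, NEIGHBOR_ID, 0, NEIGHBOR_ID, 0x8001)
# Healthy neighbour: accepted us as root, replies from its Root port with Agreement
# flags = root role (2<<2) | forwarding (0x20) | agreement (0x40)
AGREED_FRAME = build_rst_bpdu(0x68, OUR_ID, 4, NEIGHBOR_ID, 0x8001)

if __name__ == "__main__":
    for name, frame in (("dispute", DISPUTE_FRAME), ("agreed", AGREED_FRAME)):
        b = parse_bpdu(frame)
        print(name, summarize(b), "disputed:", is_disputed(b, OUR_VECTOR))
```

Running it prints the root bridge priority, system-ID extension and MAC for each frame, which is exactly the kind of detail an edge port should never leak to a customer or workstation, and reports `disputed: True` only for the frame whose sender is evidently not hearing the root's superior BPDUs. On an access port the right response to any parsed BPDU is BPDU guard (err-disable the port), not further analysis.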