Hi
Can anyone tell me how to add filters to an uplink port for my internet provider, in order to block spanning tree BPDUs and the LLDP protocol?
For example, on Cisco switches, I already use the commands below:
    no lldp transmit
    spanning-tree portfast
    spanning-tree bpdufilter enable
Add filters to an uplink port for internet provider
Last edited by Reginaldo on 04 Dec 2024 17:01, edited 1 time in total.
Re: Add filters to an uplink port for internet provider
Hi,
I'm new here but I now know some of these as I had to learn them for our customers. The Network Configuration Guide describes all this in great detail.
You can mark a port into a predefined group and then tell the switch what to do if 'something' comes into this group. This 'something' can be:
bgp bpdu dhcp-server dns-reply dvmrp isis ospf pim rip spoof vrrp
So if you want to filter ospf traffic and shut down the port for bpdu traffic:
    policy port group UserPorts 1/1/1
    qos user-port filter ospf user-port shutdown bpdu
    qos apply
If shutting down the port, you'll also need this if you want unlimited auto-recoveries:
    violation recovery-time 60
    violation recovery-maximum infinite
By default the switch sends and receives LLDP packets. You can choose to only process received packets or disable them altogether:
    lldp port 1/1/1 lldpdu rx
    lldp port 1/1/1 lldpdu disable
Alcatel switches don't support CDP. Maybe you can create a policy to drop that specific type of packets (?). You'll have to investigate the options there.
Some of the more experienced guys will probably add a few bits and pieces to this.
Re: Add filters to an uplink port for internet provider
Hi Reginaldo,
do you wish to filter the outgoing or the incoming packets at your switch?
For the incoming you can use the userport feature - but I would in this case prefer to use all with filter (no shutdown). LLDP will not work for this. There you need your own policy with condition for destination mac of lldp and action deny.
For outgoing you can disable STP and LLDP at the port.
BR Silvio
Re: Add filters to an uplink port for internet provider
Hi Silvio.
I believe that only for outgoing should solve the problem, because my concern is that the internet provider's equipment is not elected as a root bridge in spanning tree, so stopping sending BPDUs on this port should solve the problem.
As for LLDP, it also prevents third parties from identifying my equipment.
In the case of LLDP, I believe that using the command below should solve the problem:
    lldp port 1/1/X lldpdu RX or Disable
But regarding spanning tree, is there an option to disable it per port on the 6560?
Thanks.
Re: Add filters to an uplink port for internet provider
When I posted my examples, they were just a baseline for you to adapt. As per Silvio, shutting down an ISP port is not really a good idea.
You may or may not want to filter dhcp and/or bpdus from your ISP:
    policy port group UserPorts 1/1/1
    qos user-port filter bpdu dhcp
    qos apply
Personally, I don't think disabling STP on that port is a good idea. Instead, you can prevent them from becoming the root bridge:
    spantree cist port 1/1/1 root-guard enable
But if you really want to disable it altogether:
    spantree cist port 1/1/1 disable
And if you want to be extra careful:
    loopback-detection enable
    loopback-detection port 1/1/1 enable
And you already know how to disable LLDP.
But I can't help but notice that you seem to be focusing on Layer 2. Could you turn that port into an L3 port instead? Obviously you haven't given enough details so I'm just wondering!
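To check that the uplink filters discussed in this thread actually take effect, here is an added example (not from the thread, not Alcatel-Lucent code) in Python: it classifies Ethernet frames seen on the uplink as LLDP, STP BPDU or other, and pulls the advertised root bridge out of a config/RSTP BPDU so a claim that would beat your own bridge priority, the root-bridge case Reginaldo is worried about, is reported. The sample frames, the ISP MAC and the default own priority of 32768 are constructed assumptions.

```python
import struct

# IEEE reserved multicast destinations (the same addresses the LLDP/BPDU filters match on)
STP_BPDU_MAC = bytes.fromhex("0180c2000000")   # 802.1D bridge group address
LLDP_MAC = bytes.fromhex("0180c200000e")       # 802.1AB LLDP multicast
LLDP_ETHERTYPE = 0x88CC

def classify_frame(frame: bytes) -> dict:
    """Identify LLDP and STP BPDU frames; for a config/RSTP BPDU also extract the advertised root."""
    dst, src = frame[:6], frame[6:12]
    etype_or_len = struct.unpack("!H", frame[12:14])[0]
    info = {"src": src.hex(":"), "proto": "other"}
    if dst == LLDP_MAC and etype_or_len == LLDP_ETHERTYPE:
        info["proto"] = "lldp"
    elif dst == STP_BPDU_MAC and etype_or_len <= 1500 and frame[14:16] == b"\x42\x42":
        # 802.3 length field, then 802.2 LLC (DSAP/SSAP 0x42, control 0x03), then the BPDU
        bpdu = frame[17:]
        _proto_id, _version, bpdu_type = struct.unpack("!HBB", bpdu[:4])
        info["proto"] = "stp_bpdu"
        if bpdu_type in (0x00, 0x02):  # 0x00 = config BPDU, 0x02 = RSTP/MSTP BPDU
            root_id = bpdu[5:13]  # root identifier follows the 1-byte flags field
            # Root identifier = 2-byte priority field (upper 4 bits) + 6-byte bridge MAC
            info["root_priority"] = struct.unpack("!H", root_id[:2])[0] & 0xF000
            info["root_mac"] = root_id[2:].hex(":")
    return info

def audit_uplink(frames, own_root_priority=32768) -> dict:
    """Count what the uplink still receives. Any LLDP or BPDU means the filters are not in
    effect yet; a BPDU with a root priority at or below ours is the case root guard exists for."""
    report = {"lldp": 0, "stp_bpdu": 0, "other": 0, "foreign_root_claims": []}
    for frame in frames:
        info = classify_frame(frame)
        report[info["proto"]] += 1
        if info["proto"] == "stp_bpdu" and info.get("root_priority", 0xFFFF) <= own_root_priority:
            report["foreign_root_claims"].append((info["root_mac"], info["root_priority"]))
    return report

# Constructed sample frames (not captured traffic): an ISP-side RSTP BPDU claiming priority 4096,
# an LLDP frame with a chassis-ID TLV, and an ordinary IPv4 frame that must pass untouched.
ISP_MAC = bytes.fromhex("00aabbccddee")
BPDU_BODY = (b"\x00\x00\x02\x02\x00" + b"\x10\x00" + ISP_MAC + b"\x00" * 4 + b"\x10\x00" + ISP_MAC
             + b"\x80\x01\x00\x00\x14\x00\x02\x00\x0f\x00\x00")
BPDU_FRAME = STP_BPDU_MAC + ISP_MAC + struct.pack("!H", len(BPDU_BODY) + 3) + b"\x42\x42\x03" + BPDU_BODY
LLDP_FRAME = LLDP_MAC + ISP_MAC + b"\x88\xcc" + b"\x02\x07\x04" + ISP_MAC + b"\x00\x00"
IPV4_FRAME = bytes.fromhex("001122334455") + ISP_MAC + b"\x08\x00" + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    print(audit_uplink([BPDU_FRAME, LLDP_FRAME, IPV4_FRAME]))
```

Feed it raw frames from a mirror of the uplink port before and after applying the filters; after the filters the lldp and stp_bpdu counters should stay at zero.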
Re: Add filters to an uplink port for internet provider
Hi Cristek
Thank you for your help!