I tend to agree
Cheers, Donald Robb Productive Networks / Network Consultant ______________________________________________________________ CCIE Written, CCIP, CCSP, CCDP, CCNP, CCNA: Voice, JNCIP, SCP, MCSA 2003, Security+, CCSE.R65, PACE Experts-Exchange: Guru - R&S From: Pedram Zadeh [mailto:[email protected]] Sent: January-12-12 10:30 PM To: Donald Robb Cc: CCIE KID; CCIE OSL; Cisco certification Subject: Re: [OSL | CCIE_RS] OT: Authentication in STP I would say "STP Authentication mechanism" would be exactly similar to BPDU guard! I cannot see any difference in results. On Fri, Jan 13, 2012 at 4:26 PM, Donald Robb <[email protected]> wrote: In that case you could try 802.1x authentication across the ports as a solution. Also some NMS's can watch the mac tables. I would imagine they never bothered with a secure STP because it would kill compatibility with dumb switches etc. Cheers, Donald Robb Productive Networks / Network Consultant ______________________________________________________________ CCIE Written, CCIP, CCSP, CCDP, CCNP, CCNA: Voice, JNCIP, SCP, MCSA 2003, Security+, CCSE.R65, PACE Experts-Exchange: Guru - R&S From: CCIE KID [mailto:[email protected]] Sent: January-12-12 10:18 PM To: Donald Robb Cc: Pedram Zadeh; CCIE OSL; Cisco certification Subject: Re: [OSL | CCIE_RS] OT: Authentication in STP Hi Donald, I dont want to err-disable the port. Just do a authentication based on MAC address or else BPDU generated from the switch. So i would like to talk about STP AUTHENTICATION which can be done to authenticate the switch. Why people didnt invent any STP Authentication mechanism? Is there anything whihc is not pushing them to write a RFC on STP Authentication. On Fri, Jan 13, 2012 at 10:39 AM, Donald Robb <[email protected]> wrote: The protocols are Cisco proprietary but that doesn't mean that other vendors don't have similar features, Juniper switches call bpduguard BPDU-Protect for example. Anyway the basic functionality is the same across vendors if the switch detects a BPDU from any device it will disable the port etc. Cheers, Donald Robb Productive Networks / Network Consultant ______________________________________________________________ CCIE Written, CCIP, CCSP, CCDP, CCNP, CCNA: Voice, JNCIP, SCP, MCSA 2003, Security+, CCSE.R65, PACE Experts-Exchange: Guru - R&S -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of CCIE KID Sent: January-12-12 9:40 PM To: Pedram Zadeh Cc: CCIE OSL; Cisco certification Subject: Re: [OSL | CCIE_RS] OT: Authentication in STP Hi Pedram, All the protocols which u guys say is CISCO PROPRIETARY .. Is there any open standard ptotocol which does this job. If i connect a Alcatel Lucent switch or else a Juniper Switch , how will a Cisco Switch react.. So thats what the whole point here? On Fri, Jan 13, 2012 at 10:03 AM, Pedram Zadeh <[email protected]>wrote: > For this goal, you should configure *all* access ports as portfast and > also configure spanning-tree portfast bpduguard default. If any rogue > switch get connected and start to participate in STP process, the port > will be put in err-disable mode and they should get administrator to resolve it! > syslog and snmp trap also can be configured to notify admin as well. > > On Fri, Jan 13, 2012 at 2:18 PM, CCIE KID <[email protected]> wrote: > >> Hi buddy, >> >> We are using VTP in Transparent mode. So it is literally turning off VTP. >> It is not all about VTP password. Customer wants to check a >> particular switch when connected to the network should be a >> legitimate switch and it should be checked against a database to >> authenticate whether it is a legitimate switch or a rogue switch. >> >> Thats what i am looking for some authentication with respect to STP. >> >> >> >> >> >> >> On Fri, Jan 13, 2012 at 4:44 AM, WaLeEd AlShErIf >> <[email protected] >> >wrote: >> >> > I agree with David , you need to use VTP password , here is a link >> > for >> it >> > >> > >> > >> http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note091 >> 86a0080094c52.shtml >> > >> > Yours, >> > Waleed >> > >> > *From:* David Sudjiman <[email protected]> >> > *To:* CCIE KID <[email protected]> >> > *Cc:* CCIE OSL <[email protected]>; Cisco certification < >> > [email protected]> >> > *Sent:* Thursday, January 12, 2012 11:56 PM >> > *Subject:* Re: [OSL | CCIE_RS] OT: Authentication in STP >> >> > >> > Your customer didn't mistakenly read about VTP password? >> > >> > Regards, >> > David Sudjiman >> > (Sent from Mobile) >> > >> > On 13/01/2012, at 5:22 AM, CCIE KID <[email protected]> wrote: >> > >> > > Hi fellas, >> > > >> > > My customer is asking for any authentication in STP. Can someone >> > > tell >> me >> > > that if there is any Authentication mechanism in STP to validate >> > > to >> > correct >> > > birdges with some hash value and try to avoid rogue bridges with >> this. I >> > > searched in RFC's and i guess there is no Authentication >> > > mechanism in >> > STP . >> > > So is there any other IEEE standard for STP Authentication. >> > > I found Cisco Proprietary Root Guards which basically tells avoid >> > > any superior BPDUs and avoid that port as Root port. >> > > >> > > I know Root Guard doesnt do any authentication . But is there any >> other >> > > mechnaism where can do authenticating the bridges in STP logic >> > > >> > > I believe Radia Perlman is still kicking for this :) >> > > >> > > >> > > -- >> > > With Warmest Regards, >> > > >> > > CCIE KID >> > > CCIE#29992 (Security) >> > > _______________________________________________ >> > > For more information regarding industry leading CCIE Lab >> > > training, >> > please visit www.ipexpert.com >> > > >> > > Are you a CCNP or CCIE and looking for a job? Check out >> > www.PlatinumPlacement.com <http://www.platinumplacement.com/> >> >> > > >> > > http://onlinestudylist.com/mailman/listinfo/ccie_rs >> > _______________________________________________ >> > For more information regarding industry leading CCIE Lab training, >> please >> > visit www.ipexpert.com >> > >> > Are you a CCNP or CCIE and looking for a job? Check out >> > www.PlatinumPlacement.com >> > >> > http://onlinestudylist.com/mailman/listinfo/ccie_rs >> > >> > >> > >> >> >> -- >> With Warmest Regards, >> >> CCIE KID >> CCIE#29992 (Security) >> _______________________________________________ >> For more information regarding industry leading CCIE Lab training, >> please visit www.ipexpert.com >> >> Are you a CCNP or CCIE and looking for a job? Check out >> www.PlatinumPlacement.com >> >> http://onlinestudylist.com/mailman/listinfo/ccie_rs >> > > -- With Warmest Regards, CCIE KID CCIE#29992 (Security) _______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com http://onlinestudylist.com/mailman/listinfo/ccie_rs -- With Warmest Regards, CCIE KID CCIE#29992 (Security) _______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com http://onlinestudylist.com/mailman/listinfo/ccie_rs
