Yes, it is called BPDU Protect. It is configured like so:

    drobb@Backbone# set ethernet-switching-options bpdu-block interface ge-0/0/1

Cheers,

Donald Robb
Productive Networks / Network Consultant
______________________________________________________________
CCIE Written, CCIP, CCSP, CCDP, CCNP, CCNA: Voice, JNCIP, SCP, MCSA 2003, Security+, CCSE.R65, PACE
Experts-Exchange: Guru - R&S

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Pedram Zadeh
Sent: January-12-12 10:06 PM
To: CCIE KID
Cc: CCIE OSL; Cisco certification
Subject: Re: [OSL | CCIE_RS] OT: Authentication in STP

It seems that Juniper also supports the BPDU guard feature! At least they refer to it in their document:
http://www.juniper.net/us/en/local/pdf/implementation-guides/8010002-en.pdf

On Fri, Jan 13, 2012 at 3:58 PM, CCIE KID <[email protected]> wrote:

> No, I am talking about having Juniper switches on distribution and
> access layer switches as Cisco.
> So probably when you connect a Cisco switch towards the distribution switch.
>
> 802.1x is the port based authentication. So probably my customer is
> focussed more on Devices rather than the ports it is connected to.
> So probably one idea is to use MAC based authentication or else inside
> BPDUs we will use a Hash value which we can create something and
> validate.
>
> On Fri, Jan 13, 2012 at 10:23 AM, Pedram Zadeh <[email protected]> wrote:
>
>> And, besides, if you have Cisco switch on one side, that solution
>> still works because you implement it on your Cisco switch. STP BPDU
>> is not Cisco proprietary, so Juniper switch also will send BPDU.
>>
>> On Fri, Jan 13, 2012 at 3:40 PM, CCIE KID <[email protected]> wrote:
>>
>>> Hi Pedram,
>>>
>>> All the protocols which you guys say is CISCO PROPRIETARY. Is there
>>> any open standard protocol which does this job? If I connect an
>>> Alcatel Lucent switch or else a Juniper Switch, how will a Cisco Switch react?
>>>
>>> So that's what the whole point here?
>>>
>>> On Fri, Jan 13, 2012 at 10:03 AM, Pedram Zadeh <[email protected]> wrote:
>>>
>>>> For this goal, you should configure *all* access ports as portfast
>>>> and also configure spanning-tree portfast bpduguard default. If any
>>>> rogue switch gets connected and starts to participate in STP process,
>>>> the port will be put in err-disable mode and they should get the administrator to resolve it!
>>>> Syslog and SNMP trap also can be configured to notify admin as well.
>>>>
>>>> On Fri, Jan 13, 2012 at 2:18 PM, CCIE KID <[email protected]> wrote:
>>>>
>>>>> Hi buddy,
>>>>>
>>>>> We are using VTP in Transparent mode. So it is literally turning
>>>>> off VTP.
>>>>> It is not all about VTP password. Customer wants to check a
>>>>> particular switch when connected to the network should be a
>>>>> legitimate switch and it should be checked against a database to
>>>>> authenticate whether it is a legitimate switch or a rogue switch.
>>>>>
>>>>> That's what I am looking for: some authentication with respect to STP.
>>>>>
>>>>> On Fri, Jan 13, 2012 at 4:44 AM, WaLeEd AlShErIf <[email protected]> wrote:
>>>>>
>>>>> > I agree with David, you need to use VTP password, here is a link for it
>>>>> >
>>>>> > http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml
>>>>> >
>>>>> > Yours,
>>>>> > Waleed
>>>>> >
>>>>> > *From:* David Sudjiman <[email protected]>
>>>>> > *To:* CCIE KID <[email protected]>
>>>>> > *Cc:* CCIE OSL <[email protected]>; Cisco certification <[email protected]>
>>>>> > *Sent:* Thursday, January 12, 2012 11:56 PM
>>>>> > *Subject:* Re: [OSL | CCIE_RS] OT: Authentication in STP
>>>>> >
>>>>> > Your customer didn't mistakenly read about VTP password?
>>>>> >
>>>>> > Regards,
>>>>> > David Sudjiman
>>>>> > (Sent from Mobile)
>>>>> >
>>>>> > On 13/01/2012, at 5:22 AM, CCIE KID <[email protected]> wrote:
>>>>> >
>>>>> > > Hi fellas,
>>>>> > >
>>>>> > > My customer is asking for any authentication in STP. Can someone tell me
>>>>> > > if there is any Authentication mechanism in STP to validate to correct
>>>>> > > bridges with some hash value and try to avoid rogue bridges with this. I
>>>>> > > searched in RFCs and I guess there is no Authentication mechanism in STP.
>>>>> > > So is there any other IEEE standard for STP Authentication?
>>>>> > > I found Cisco Proprietary Root Guards which basically tells avoid any
>>>>> > > superior BPDUs and avoid that port as Root port.
>>>>> > >
>>>>> > > I know Root Guard doesn't do any authentication. But is there any other
>>>>> > > mechanism where can do authenticating the bridges in STP logic?
>>>>> > >
>>>>> > > I believe Radia Perlman is still kicking for this :)
>>>>> > >
>>>>> > > --
>>>>> > > With Warmest Regards,
>>>>> > >
>>>>> > > CCIE KID
>>>>> > > CCIE#29992 (Security)
>>>>> > > _______________________________________________
>>>>> > > For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>>>> > >
>>>>> > > Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com <http://www.platinumplacement.com/>
>>>>> > >
>>>>> > > http://onlinestudylist.com/mailman/listinfo/ccie_rs
>>>>>
>>>>> --
>>>>> With Warmest Regards,
>>>>>
>>>>> CCIE KID
>>>>> CCIE#29992 (Security)
>>>
>>> --
>>> With Warmest Regards,
>>>
>>> CCIE KID
>>> CCIE#29992 (Security)
>
> --
> With Warmest Regards,
>
> CCIE KID
> CCIE#29992 (Security)
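
An added example, not part of the original thread and not any poster's code: a small Python audit of the advice quoted above to put *all* access ports in portfast with `spanning-tree portfast bpduguard default`. The running-config text and interface names are constructed and the function name `audit_bpduguard` is hypothetical; it flags access ports where BPDU guard is not in effect, since the global default only covers ports that are in portfast.

```python
# Constructed sample running-config ('!' separators omitted); not from the thread.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet0/2
 switchport mode access
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
interface GigabitEthernet0/4
 switchport mode access
 spanning-tree bpduguard enable
interface GigabitEthernet0/24
 switchport mode trunk
"""

def audit_bpduguard(config):
    """Hypothetical helper: map each unprotected access port to the reason."""
    global_cmds, ports, current = set(), {}, None
    for raw in config.splitlines():
        # Newer IOS releases spell the keyword "portfast edge"; treat both alike.
        line = raw.strip().replace("portfast edge", "portfast")
        if not line or line == "!":
            continue
        if raw.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], set())
        elif raw[0].isspace() and current is not None:
            current.add(line)          # indented line: belongs to the interface
        else:
            current = None
            global_cmds.add(line)      # anything else is a global command
    guard_default = "spanning-tree portfast bpduguard default" in global_cmds
    portfast_default = "spanning-tree portfast default" in global_cmds
    findings = {}
    for name, cmds in ports.items():
        if ("switchport mode access" not in cmds
                or "spanning-tree bpduguard enable" in cmds):
            continue                   # not an access port, or guarded per port
        portfast = ("spanning-tree portfast disable" not in cmds and
                    ("spanning-tree portfast" in cmds or portfast_default))
        if "spanning-tree bpduguard disable" in cmds:
            findings[name] = "bpduguard explicitly disabled on the port"
        elif not guard_default:
            findings[name] = "no global bpduguard default and no per-port bpduguard"
        elif not portfast:
            findings[name] = "global default skips this port: portfast is not enabled"
    return findings
```

On the constructed sample, `audit_bpduguard(SAMPLE_CONFIG)` reports GigabitEthernet0/2 (access port without portfast) and GigabitEthernet0/3 (per-port override), the two gaps the global command alone leaves open.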
