Protecting Against STP Layer 2 Attack

There are two main protection mechanism against attack on STP process, Protecting with Root Guard and Layer 2 Protecting with BPDU Guard. Let’s see how is that working…

Layer 2 Protecting with Root Guard

The Root Guard can be enabled on all switch ports that should not become root ports. So that means on every port that is not a root port. Just to remind you, root port on each switch is the port considered to be closest to the root bridge switch. If a port configured for Root Guard receives a superior BPDU, he will not believe the BPDU, and then instead of becoming the new root port the port goes into a root-inconsistent state. While a port is in the root-inconsistent state he is completely blocked for user data, no user data is sent across it. However, there is some hope for him, after the superior BPDUs stop, the port returns to the forwarding state.

Switch1(config)# interface gigabitethernet 0/1
Switch1(config-if)# spanning-tree guard root

Layer 2 Protecting with BPDU Guard

The BPDU Guard must be enabled on all ports that have the Cisco PortFast feature configured. The PortFast feature is enabled on ports that connect to host devices, such as end-user PCs. It makes possible to skip almost all waiting time required for the port to go into forwarding state after being connected.

Remember that classic STP convergence process is to slow for todays networks. Before the port moves into forwarding state STP puts the port in the blocking state for 20 seconds, listening state for 15 seconds, learning state for other 15 seconds and then finally makes it go into forwarding state. All this because STP must be sure that this port will not make a layer 2 loop when enters the forwarding state.

The logic of PortFast is that a port that connects to an end-user device does not have the potential to create a topology loop. For this reason the port can go active sooner by skipping STP’s listening and learning states. Because these PortFast ports are connected to end-user devices, they should never receive a BPDU (BPDU is sent only by switches). Therefore, if a port enabled for BPDU Guard receives a BPDU, the port is disabled and the violation of that policy is reported and stopped in that way.

Configuring BPDU Guard:

Cat3550(config)# interface gigabitethernet 0/2
Cat3550(config-if)# spanning-tree port fast bpduguard

Leave a Reply