Spanning Tree Protocol Security
Today I will discuss Spanning Tree Protocol security issues. Spanning Tree Protocol (STP), also known as IEEE 802.1D, is a Layer 2 protocol designed to prevent loops within switched networks. Typically, a port goes through a number of STP states (blocking, listening, learning, and forwarding) before it is able to pass user traffic.
A vulnerability associated with STP is that any system within the network can actively modify the STP topology, because there is no authentication of BPDUs that would prevent such an action. The bridge ID, a combination of a two-byte priority and a six-byte MAC address, determines the root bridge within a network: the bridge advertising the lowest bridge ID becomes the root.
1. STP Portfast Bridge Protocol Data Unit (BPDU) Guard
The STP Portfast BPDU Guard allows network administrators to enforce the STP topology on ports enabled with Portfast. Systems attached to ports with the Portfast BPDU Guard enabled are not allowed to modify the STP topology: upon receipt of any BPDU, the port is placed in the error-disabled state and stops passing all network traffic.
This feature can be enabled either globally or per interface on ports configured with Portfast. By default, STP BPDU Guard is disabled. The following command globally enables the feature on a Cisco 3550 series switch.
Switch(config)# spanning-tree portfast bpduguard default
Use the following command to verify the configuration.
Switch> show spanning-tree summary totals
To enable this feature at the interface level on a Cisco 3550 series switch, use the following command.
Switch(config-if)# spanning-tree bpduguard enable
When STP BPDU Guard disables a switch port, the port can either be configured to recover automatically or be manually re-enabled by a network administrator. The following commands configure ports to recover automatically from the error-disabled state; in this example, a port placed in the error-disabled state by BPDU Guard recovers after 400 seconds.
Switch(config)# errdisable recovery cause bpduguard
Switch(config)# errdisable recovery interval 400
2. STP Root Guard
The STP Root Guard feature is another mechanism used to protect the STP topology. Unlike BPDU Guard, STP Root Guard allows the attached system to participate in STP as long as it does not attempt to become the root. If Root Guard is triggered, the port recovers automatically once it stops receiving the superior BPDUs that would make the attached system the root. Root Guard can be applied to one or more ports on edge switches and on internal switches in a network. In general, apply this feature to those ports on each switch that should never lead toward the root.
The following command is used within the interface configuration mode to enable STP Root Guard on the Cisco 3550 series switch.
Switch(config-if)# spanning-tree guard root
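To make the bridge ID structure and the two guard decisions concrete, here is an added Python example that is not part of the original article and not Cisco code. It decodes the 35-byte body of an 802.1D Configuration BPDU (priority and MAC in the root and bridge IDs, timers carried in 1/256-second units), applies the election rule (lowest bridge ID wins) to decide whether an advertised root is superior, and mirrors what BPDU Guard and Root Guard do with the frame on a given port. The two sample BPDUs, the port names (Fa0/1, Fa0/23, Fa0/24) and the expected root bridge ID are constructed for the demonstration; nothing here sends traffic.

```python
import struct
from dataclasses import dataclass

# Layout of an 802.1D Configuration BPDU body (the 35 bytes after the LLC
# header): protocol id, version, type, flags, root id, root path cost,
# bridge id, port id, message age, max age, hello time, forward delay.
BPDU_FMT = ">HBBB8sI8sHHHHH"
BPDU_LEN = struct.calcsize(BPDU_FMT)  # 35 bytes


@dataclass(frozen=True)
class BridgeId:
    """Bridge ID: a two-byte priority followed by a six-byte MAC address."""
    priority: int
    mac: bytes

    @classmethod
    def from_bytes(cls, raw: bytes) -> "BridgeId":
        return cls(struct.unpack(">H", raw[:2])[0], raw[2:8])

    def key(self) -> tuple:
        # STP election: the numerically lowest (priority, MAC) pair wins.
        return (self.priority, self.mac)

    def __str__(self) -> str:
        return f"{self.priority}.{self.mac.hex(':')}"


@dataclass(frozen=True)
class ConfigBpdu:
    flags: int
    root: BridgeId
    root_path_cost: int
    bridge: BridgeId
    port_id: int
    message_age: float   # all timers converted to seconds
    max_age: float
    hello_time: float
    forward_delay: float


def parse_config_bpdu(data: bytes) -> ConfigBpdu:
    """Decode a Configuration BPDU; raise ValueError for anything else."""
    if len(data) < BPDU_LEN:
        raise ValueError(f"BPDU too short: {len(data)} bytes")
    (proto, version, bpdu_type, flags, root, cost, bridge, port,
     age, max_age, hello, fwd) = struct.unpack(BPDU_FMT, data[:BPDU_LEN])
    if proto != 0 or version != 0 or bpdu_type != 0x00:
        raise ValueError("not an 802.1D Configuration BPDU")
    # Timer fields are carried on the wire in units of 1/256 second.
    return ConfigBpdu(flags, BridgeId.from_bytes(root), cost,
                      BridgeId.from_bytes(bridge), port,
                      age / 256, max_age / 256, hello / 256, fwd / 256)


def is_superior(claimed_root: BridgeId, current_root: BridgeId) -> bool:
    """True when the advertised root would win the election."""
    return claimed_root.key() < current_root.key()


def guard_decision(port: str, bpdu: ConfigBpdu, expected_root: BridgeId,
                   portfast_bpduguard: set, root_guard: set) -> str:
    """Mirror the two IOS features: BPDU Guard err-disables a Portfast port
    on any BPDU; Root Guard blocks only a BPDU that would move the root."""
    if port in portfast_bpduguard:
        return "err-disabled (BPDU Guard)"
    if port in root_guard and is_superior(bpdu.root, expected_root):
        return "root-inconsistent (Root Guard)"
    return "accepted"


# Constructed sample BPDU bodies (hex), not captured traffic.
# 1) From the legitimate root: priority 32768 (0x8000), MAC 00:11:22:33:44:55,
#    max age 20 s, hello 2 s, forward delay 15 s.
ROOT_BPDU = bytes.fromhex(
    "0000" "00" "00" "00" "8000" "001122334455" "00000000"
    "8000" "001122334455" "8001" "0000" "1400" "0200" "0f00")
# 2) Advertising a root with priority 0 and MAC 00:aa:bb:cc:dd:ee, which
#    would win the election against the legitimate root.
SUPERIOR_BPDU = bytes.fromhex(
    "0000" "00" "00" "00" "0000" "00aabbccddee" "00000000"
    "0000" "00aabbccddee" "8001" "0000" "1400" "0200" "0f00")

EXPECTED_ROOT = BridgeId(32768, bytes.fromhex("001122334455"))


def demo() -> dict:
    """Run the samples through the guard logic; returns port -> decision."""
    portfast_ports = {"Fa0/1"}      # hypothetical access port with BPDU Guard
    root_guard_ports = {"Fa0/24"}   # hypothetical port that must not lead to root
    results = {}
    for port, raw in [("Fa0/1", ROOT_BPDU), ("Fa0/24", SUPERIOR_BPDU),
                      ("Fa0/23", SUPERIOR_BPDU)]:
        bpdu = parse_config_bpdu(raw)
        results[port] = guard_decision(port, bpdu, EXPECTED_ROOT,
                                       portfast_ports, root_guard_ports)
    return results


if __name__ == "__main__":
    for port, decision in demo().items():
        print(f"{port}: {decision}")
```

The unguarded port Fa0/23 in the demo accepts the superior BPDU, which is exactly the exposure the article describes: without BPDU Guard or Root Guard on a port, any attached system that advertises a lower bridge ID is allowed to take over the root role.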