Spanning Tree Protocol Security
Today I will discuss about Spanning Tree Protocol Security issue. Spanning Tree Protocol (STP), also known as 802.1d, is a Layer 2 protocol designed to prevent loops within switched networks. Typically, STP goes through a number of states (e.g., block, listen, learn, and forward) before a port is able to pass user traffic. [boxads]
A vulnerability associated with STP is that a system within the network can actively modify the STP topology. There is no authentication that would prevent such an action. The bridge ID, a combination of a two-byte priority and a six-byte MAC address, determines the root bridge within a network.
- 1. STP Portfast Bridge Protocol Data Unit (BPDU) Guard
The STP Portfast BPDU Guard allows network administrators to enforce the STP topology on ports enabled with Portfast. Systems attached to ports with the Portfast BPDU Guard enabled will not be allowed to modify the STP topology. Upon reception of a BPDU message, the port is disabled and stops passing all network traffic.
This feature can be enabled both globally and individually for ports configured with Portfast. By default, STP BPDU guard is disabled. The following Spanning Tree Protocol Security command is used to globally enable this feature on a Cisco 3550 series switch.
Switch(config)# spanning-tree portfast bpduguard default
Use the following command to verify the configuration.
Switch> show spanning-tree summary totals
To enable this feature at the interface level on a Cisco 3550 series switch, use the following command.
Switch(config-if)# spanning-tree bpduguard enable
Read more