STP (Spanning Tree Protocol) maintains a loop-free topology in a redundant Layer 2 network.
BPDU (Bridge Protocol Data Unit) messages are frames that switches exchange among themselves. Switches elect the Root Bridge and choose Designated and Root ports based on the information carried in BPDUs.
STP Attack:
The attacker sends BPDU messages announcing himself as the new Root bridge (by giving himself the lowest priority value). If the two switches to which the attacker connects are also linked directly, STP will block the link between them, and they will only be able to communicate through the attacker, which is a textbook example of the Man-in-the-Middle attack.
STP Attack Countermeasures:
BPDU guard is an addition to STP, introduced to protect ports to which end users connect. BPDU messages are exchanged only between switches, so they are not expected to be received on access ports. If a BPDU guard-enabled port receives a BPDU, that port is automatically disabled: it goes into the “errdisable” state.
BPDU guard can be configured globally on a switch, in which case it is enabled on all PortFast ports:
S(config)# spanning-tree portfast bpduguard default
BPDU guard configuration per-port:
S(config-if)# spanning-tree bpduguard enable
S(config-if)# spanning-tree bpduguard disable
WARNING: A BPDU guard-enabled port will not take part in STP!
Root guard is another STP addition, similar to BPDU guard – but intended to protect ports on root switches, not access switches.
Root guard-enabled ports can still receive and send BPDU messages, but will block those neighbors that try to become a Root bridge.
S(config-if)#spanning-tree guard root
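To make the attack and the Root guard check concrete, here is an added Python example (not part of the original page or its Packet Tracer lab) that builds and decodes a constructed IEEE 802.1D configuration BPDU and applies the root comparison that STP and Root guard perform: a claimed root ID is "superior" when it is numerically lower, so a rogue bridge only needs a priority value below the legitimate root's. The MAC addresses and frames are constructed sample values; the priority arithmetic also explains why the lab's `root primary` switch shows "priority 24577" on VLAN 1.

```python
import struct

# Layout of an IEEE 802.1D configuration BPDU (35 bytes) that follows the
# 3-byte LLC header (DSAP 0x42, SSAP 0x42, control 0x03) on the wire.
LLC_STP = b"\x42\x42\x03"
BPDU_FMT = "!HBBB8sI8sHHHHH"  # proto, version, type, flags, root id, root cost,
                              # bridge id, port id, msg age, max age, hello, fwd delay
CONFIG_BPDU = 0x00


def make_bridge_id(priority: int, vlan: int, mac: str) -> bytes:
    """Bridge ID = 4-bit priority (multiple of 4096) | 12-bit extended system ID (VLAN) | MAC.
    This is why 'root primary' on VLAN 1 is displayed as priority 24577 (24576 + 1)."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    return struct.pack("!H", priority | vlan) + bytes.fromhex(mac.replace(":", ""))


def build_config_bpdu(priority: int, vlan: int, mac: str) -> bytes:
    """Constructed sample frame: a bridge advertising itself as root (root id == bridge id)."""
    bid = make_bridge_id(priority, vlan, mac)
    # Timers are in 1/256 s units: message age 0, max age 20, hello 2, forward delay 15.
    return LLC_STP + struct.pack(BPDU_FMT, 0, 0, CONFIG_BPDU, 0, bid, 0, bid, 0x8001,
                                 0, 20 * 256, 2 * 256, 15 * 256)


def parse_bpdu(frame: bytes) -> dict:
    """Decode a configuration BPDU and split the advertised root bridge ID into its parts."""
    if frame[:3] != LLC_STP:
        raise ValueError("not an STP LLC frame")
    proto, _ver, kind, _flags, root_id, cost, bridge_id, port_id, *_timers = struct.unpack(
        BPDU_FMT, frame[3:3 + struct.calcsize(BPDU_FMT)])
    if proto != 0 or kind != CONFIG_BPDU:
        raise ValueError("not a configuration BPDU")
    prio_field = struct.unpack("!H", root_id[:2])[0]
    return {"root_id": root_id, "root_priority": prio_field & 0xF000,
            "root_vlan": prio_field & 0x0FFF, "root_mac": root_id[2:].hex(":"),
            "root_cost": cost, "sender_id": bridge_id, "port_id": port_id}


def is_superior_root_claim(frame: bytes, expected_root_id: bytes) -> bool:
    """Root guard decision: does this BPDU claim a better root than the one we expect?
    Bridge IDs compare as unsigned big-endian numbers, so a numerically lower priority
    field wins before the MAC address is even considered."""
    return parse_bpdu(frame)["root_id"] < expected_root_id
```

A switch with Root guard on a port keeps the expected root ID and puts the port into the root-inconsistent (blocked) state whenever `is_superior_root_claim` would return true for a BPDU received there.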
For practice, download the Packet Tracer file.
Lab practical:
Goal: use the provided Packet Tracer file and follow the steps below. IP addresses are already configured on the endpoints.
1. RSTP
Set on all switches:
SW(config)#spanning-tree mode rapid-pvst
2. Access + Portfast + BPDU guard
On SW3, SW4 and SW5, configure the port to which the PC is connected as follows:
SW(config)#interface GigabitEthernet 0/0
SW(config-if)#spanning-tree portfast
SW(config-if)#spanning-tree bpduguard enable
In this exercise, we only have VLAN 1 – which is the default VLAN – so no need for additional configuration.
3. Trunk
Configure all the inter-switch links as a Trunk Port:
SW(config)#interface GigabitEthernet 0/0
SW(config-if)#switchport mode trunk
4. Root bridge
Configure SW1 to be Root bridge:
SW(config)#spanning-tree vlan 1 root primary
5. Root guard
Configure Root guard on SW1 and SW2:
SW(config)#interface range GigabitEthernet 0/1-2
SW(config-if-range)#spanning-tree guard root
6. Test
To see the active interfaces and their roles, use the following command:
SW#show spanning-tree active
Checking the BPDU guard configuration:
1. Add a new switch to the existing topology.
2. Connect the new switch to SW3, port GigabitEthernet 0/0 (in place of WinPC1).
3. Notice that the link gets blocked.
4. Enter the following command on SW3 to check the interface:
SW#show interfaces GigabitEthernet 0/0
5. In the output, notice “err-disabled” in the first line.
6. Return to the previous setup – connect WinPC1 back to SW3.
7. The link stays inactive because the port has been switched off (err-disabled), so it does not react to the cable change.
To enable the port again, use the following commands on that interface:
SW(config-if)#shutdown
SW(config-if)#no shutdown
Root guard test:
1. Configure SW3 to become Root bridge – use the following command to check the current Root bridge priority:
SW#show spanning-tree detail
2. We are interested in the information printed in the 4th row: “Current root has priority 24577”.
3. Now that we know what the current Root bridge priority is, we can set a lower priority on SW3:
SW(config)#spanning-tree vlan 1 priority 20480
4. If we open SW1’s CLI we will see the following message:
“%SPANTREE-2-ROOTGUARDBLOCK: Port 0/2 tried to become non-designated in VLAN 1.”
5. The output of the following command shows that SW1 remains Root even though SW3 now has a better (numerically lower) priority value:
SW#show spanning-tree active
6. In the output of that command, we can also see that GigabitEthernet 0/2 is in the BLK (blocked) state.