STP Security & Protection Features
Part 3 of 4 in the Complete STP Guide Series
Series Navigation: Part 1: STP Fundamentals | Part 2: STP Variants | Part 3: STP Security | Part 4: Troubleshooting
Why STP Security Matters
STP is vulnerable to attack for two primary reasons:
- STP builds topology by accepting BPDUs from neighboring switches
- Root Bridge is determined by the lowest Bridge ID
A malicious switch with low priority can be connected to the network and elected as Root Bridge, causing STP reconvergence and potential network instability or suboptimal topology.
Common STP Attack Scenarios
- Rogue Root Bridge Attack - Attacker connects switch with priority 0
- BPDU Flooding Attack - Overwhelming network with malformed BPDUs
- Accidental Misconfiguration - User connects unauthorized switch to PortFast port
- Topology Manipulation - Forcing suboptimal paths through malicious BPDUs
Root Guard - Preventing Unauthorized Root Bridges
Root Guard prevents an unauthorized switch from advertising itself as Root Bridge.
How Root Guard Works:
- If a BPDU superior to the current Root Bridge's (that is, advertising a lower Bridge ID) is received on a Root Guard-enabled port
- The port is placed in the root-inconsistent state
- The port behaves like a blocking port: no frame forwarding
- The port continues listening for BPDUs
- Recovery is automatic: when the superior BPDUs stop arriving, the port transitions through the normal STP states
Root Guard Configuration:
! Enable Root Guard on interface (typically distribution layer ports)
Switch(config)# interface gi1/14
Switch(config-if)# spanning-tree guard root
! Verify Root Guard status
Switch# show spanning-tree inconsistentports
Name                 Interface             Inconsistency
-------------------- --------------------- ------------------
VLAN100              GigabitEthernet1/14   Root Inconsistent
Root Guard Deployment Guidelines:
- Enable on distribution layer ports connecting to access switches
- Do NOT enable on uplinks to legitimate root bridges
- Monitor inconsistentports for security violations
- Document all Root Guard interfaces for troubleshooting
BPDU Guard - Protecting PortFast Interfaces
BPDU Guard protects PortFast-enabled interfaces: a BPDU arriving on such a port indicates an unauthorized switch connection, so the port is shut down rather than allowed to join the topology.
BPDU Guard Operation:
- PortFast interfaces should never receive BPDUs (host-only connections)
- If BPDU received, port immediately goes to err-disable state
- Prevents accidental switch connection from disrupting STP topology
- Requires manual recovery (shutdown/no shutdown)
BPDU Guard Configuration:
! Per-interface BPDU Guard
Switch(config)# interface gi1/14
Switch(config-if)# spanning-tree portfast
Switch(config-if)# spanning-tree bpduguard enable
! Global BPDU Guard (applies to all PortFast interfaces)
Switch(config)# spanning-tree portfast bpduguard default
! Manual recovery from err-disable
Switch(config)# interface gi1/14
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
BPDU Guard Attack Prevention Lab
Scenario: Attacker connects malicious switch to access port
Lab Setup:
- Configure Switch2 as legitimate root bridge (priority 8192)
- Configure access port Gi0/3 with PortFast and BPDU Guard
- Attacker connects switch with priority 0 to Gi0/3
! Step 1: Configure legitimate root bridge
Switch2(config)# spanning-tree vlan 1 priority 8192
! Step 2: Configure protected access port
Switch2(config)# interface gi0/3
Switch2(config-if)# switchport mode access
Switch2(config-if)# spanning-tree portfast
Switch2(config-if)# spanning-tree bpduguard enable
! Step 3: Verify before attack
Switch2# show spanning-tree summary
Root bridge for: VLAN0001
PortFast BPDU Guard Default is disabled
Attack Results WITHOUT BPDU Guard:
! Attacker becomes root bridge
Switch2# show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 1
Address 0001.1234.5678 ← ATTACKER!
Cost 19
Port 3 (GigabitEthernet0/3) ← Root port now points to attacker
Attack Results WITH BPDU Guard:
! Port immediately err-disabled
%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi0/3 with BPDU Guard enabled. Disabling port.
Switch2# show interfaces gi0/3 status
Port Name Status Vlan Duplex Speed Type
Gi0/3 err-disabled 1 auto auto 10/100/1000BaseTX
! Spanning tree remains intact
Switch2# show spanning-tree
Root ID Priority 8193
Address 0002.ABCD.EFGH ← Legitimate root maintained
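To show why "Priority 1" beats "Priority 8193" in the output above, and what Root Guard's "superior BPDU" test actually compares, here is a small Python model of the PVST+ Bridge ID and the election; this is an added example, not code from the original post. The priorities, VLAN and attacker MAC are taken from the lab; the legitimate root's MAC is a constructed placeholder.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BridgeId:
    """PVST+ Bridge ID as compared during root election.

    priority_field = configured priority (multiple of 4096) + VLAN number
    (the 12-bit system ID extension). This is the value 'show spanning-tree'
    prints: priority 0 in VLAN 1 shows as 1, priority 8192 shows as 8193.
    Dataclass ordering compares priority_field first, then the MAC: lowest wins.
    """
    priority_field: int
    mac: int

    @classmethod
    def build(cls, priority: int, vlan: int, mac: str) -> "BridgeId":
        if priority % 4096 or not 0 <= priority <= 61440:
            raise ValueError("priority must be a multiple of 4096 in 0..61440")
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN out of range")
        return cls(priority + vlan, int(re.sub(r"[.:-]", "", mac), 16))


def elect_root(bridges):
    """The election winner is simply the numerically lowest Bridge ID."""
    return min(bridges)


def root_guard_decision(current_root: BridgeId, advertised_root: BridgeId) -> str:
    """State Root Guard imposes on a guarded port after a BPDU advertising
    advertised_root arrives. A superior (lower) root ID is refused."""
    return "root-inconsistent" if advertised_root < current_root else "forwarding"


# Lab values; the legitimate root's MAC is a constructed placeholder.
LEGIT_ROOT = BridgeId.build(8192, 1, "0002.abcd.ef01")
ATTACKER = BridgeId.build(0, 1, "0001.1234.5678")

if __name__ == "__main__":
    print("legit priority field:", LEGIT_ROOT.priority_field)       # 8193
    print("attacker priority field:", ATTACKER.priority_field)      # 1
    print("unprotected election picks attacker:", elect_root([LEGIT_ROOT, ATTACKER]) == ATTACKER)
    print("root guard port state:", root_guard_decision(LEGIT_ROOT, ATTACKER))  # root-inconsistent
```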
BPDU Filter - Alternative Protection Method
BPDU Filter provides different behavior than BPDU Guard:
BPDU Filter vs BPDU Guard:
| Feature | BPDU Guard | BPDU Filter |
|---|---|---|
| Action on BPDU | Err-disable port | Ignore/filter BPDUs |
| Security Level | High (immediate protection) | Medium (potential loop risk) |
| Recovery | Manual intervention required | Automatic |
| Use Case | Access ports (recommended) | Special scenarios only |
BPDU Filter Configuration:
! Global BPDU Filter (applies to PortFast ports only)
Switch(config)# spanning-tree portfast bpdufilter default
! Per-interface BPDU Filter (use with extreme caution)
Switch(config)# interface gi1/15
Switch(config-if)# spanning-tree bpdufilter enable
⚠️ BPDU Filter Warning:
Per-interface BPDU Filter essentially disables STP on that port. Use with extreme caution as it creates loop potential.
Loop Guard - Preventing Unidirectional Link Failures
Loop Guard provides protection when a blocking port stops receiving BPDUs because of a unidirectional failure. Without it, the port's stored BPDU information ages out, the port transitions to forwarding, and a bridging loop forms; Loop Guard keeps the port blocked instead.
Loop Guard Scenarios:
- Fiber cable failures - TX works but RX fails
- High CPU utilization - Switch can't process BPDUs
- Software bugs - BPDU processing failures
- Hardware issues - Port receive problems
Loop Guard Operation:
- Monitors non-designated ports for BPDU reception
- If BPDUs stop arriving, port moves to loop-inconsistent state
- Port cannot forward traffic (prevents loops)
- Automatic recovery when BPDUs resume
Loop Guard Configuration:
! Global Loop Guard
Switch(config)# spanning-tree loopguard default
! Per-interface Loop Guard
Switch(config)# interface gi2/23
Switch(config-if)# spanning-tree guard loop
! Verify Loop Guard status
Switch# show spanning-tree inconsistentports
Loop Guard Best Practices:
- Enable on trunk ports connecting to other switches
- Do NOT enable on access ports (they shouldn't receive BPDUs)
- Combine with UDLD for comprehensive unidirectional failure detection
- Monitor loop-inconsistent ports for network issues
UDLD - Unidirectional Link Detection
UDLD complements Loop Guard by detecting unidirectional links at the physical layer.
UDLD Operation:
- Sends UDLD ID frames every 15 seconds (configurable)
- Expects echo response from remote switch
- If no response received, assumes unidirectional failure
- Two modes: Normal (flag only) and Aggressive (err-disable)
UDLD Configuration:
! Global UDLD (enables UDLD on fiber ports only); the message timer is a separate command
Switch(config)# udld enable
Switch(config)# udld message time 20
! Global aggressive mode (err-disables the port instead of only flagging it)
Switch(config)# udld aggressive
! Per-interface UDLD
Switch(config-if)# udld enable
Switch(config-if)# udld aggressive
Switch(config-if)# udld disable
! Verify and reset UDLD
Switch# show udld
Switch# udld reset
STP Security Feature Deployment Matrix
| Port Type | PortFast | BPDU Guard | Root Guard | Loop Guard | UDLD |
|---|---|---|---|---|---|
| Access (Host) | ✅ Enable | ✅ Enable | ❌ No | ❌ No | ❌ No |
| Distribution Downlink | ❌ No | ❌ No | ✅ Enable | ✅ Enable | ✅ If fiber |
| Core Uplink | ❌ No | ❌ No | ❌ No | ✅ Enable | ✅ If fiber |
| Trunk (Access) | ❌ No | ❌ No | ✅ Enable | ✅ Enable | ✅ If fiber |
Comprehensive STP Security Configuration
Complete Access Switch Configuration:
! Global STP security settings
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree loopguard default
! Access port template (hosts)
interface range gi1/1 - 24
 description *** HOST ACCESS PORT ***
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
! Uplink to distribution (fiber)
! Loop Guard rather than Root Guard here: this uplink leads toward the
! legitimate root, and Root Guard on it would refuse the root's own BPDUs
interface gi1/25
 description *** UPLINK TO DISTRIBUTION ***
 switchport mode trunk
 spanning-tree guard loop
 udld aggressive
! Management/monitoring
logging host 192.168.1.100
snmp-server enable traps spanning-tree
Distribution Switch Configuration:
! Distribution layer STP settings
spanning-tree mode rapid-pvst
! Root for these VLANs
spanning-tree vlan 10,30,50 priority 24576
! Secondary for these VLANs
spanning-tree vlan 20,40 priority 28672
! Downlinks to access switches
! "spanning-tree guard" accepts one keyword per interface (root, loop or none),
! so Root Guard and Loop Guard cannot both be set here; Root Guard is the one
! that matters on these designated downlinks
interface range gi1/1 - 12
 description *** ACCESS SWITCH DOWNLINK ***
 switchport mode trunk
 spanning-tree guard root
 udld aggressive
! Core uplinks
interface range gi1/13 - 14
 description *** CORE UPLINK ***
 switchport mode trunk
 spanning-tree guard loop
 udld aggressive
Security Monitoring and Troubleshooting
Essential Monitoring Commands:
! Check for security violations
show spanning-tree inconsistentports
show interfaces status err-disabled
show udld neighbors
! Monitor STP changes (the guard messages are logged under the SPANTREE facility)
show log | include SPANTREE
show spanning-tree summary totals
show spanning-tree root detail
! Verify security configurations
show running-config | section spanning-tree
show spanning-tree interface gi1/1 detail
show udld gi1/1
Common Security Alerts:
%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi0/3 with BPDU Guard enabled
%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Gi1/14 on VLAN0001
%UDLD-4-UDLD_PORT_DISABLED: UDLD disabled interface Gi1/25
%SPANTREE-7-LOOPGUARD_BLOCK: Loop guard blocking port Gi2/1 on VLAN0001
Incident Response Procedures
- BPDU Guard Violation:
  - Identify the connecting device
  - Verify whether it is an authorized switch
  - If unauthorized, investigate as a security breach
  - If authorized, reconfigure the port as a trunk
- Root Guard Violation:
  - Check for a rogue switch with a lower priority
  - Verify the legitimate root bridge configuration
  - Investigate recent network changes
- Loop Guard Activation:
  - Check physical connectivity
  - Verify UDLD status
  - Test cable integrity
  - Check remote switch health
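The alerts and response procedures above can be tied together in a small triage script; this is an added example, not code from the original post. The regexes follow the message text listed under "Common Security Alerts" (severity digits are wildcarded), and the sample log lines, timestamps and the unrelated %SYS line are constructed for the example.

```python
import re

# Patterns for the four guard alerts; named groups pull out the interface and VLAN.
ALERT_PATTERNS = {
    "bpduguard": re.compile(r"%SPANTREE-\d-BLOCK_BPDUGUARD: Received BPDU on port (?P<intf>[\w/]+)"),
    "rootguard": re.compile(r"%SPANTREE-\d-ROOTGUARD_BLOCK: Root guard blocking port (?P<intf>[\w/]+) on (?P<vlan>VLAN\d+)"),
    "loopguard": re.compile(r"%SPANTREE-\d-LOOPGUARD_BLOCK: Loop guard blocking port (?P<intf>[\w/]+) on (?P<vlan>VLAN\d+)"),
    "udld": re.compile(r"%UDLD-\d-UDLD_PORT_DISABLED: UDLD disabled interface (?P<intf>[\w/]+)"),
}

# First action per alert, taken from the incident response procedures above.
FIRST_STEP = {
    "bpduguard": "identify the connecting device and verify whether it is an authorized switch",
    "rootguard": "check for a rogue switch with a lower priority",
    "loopguard": "check physical connectivity and verify UDLD status",
    "udld": "check physical connectivity and test cable integrity",
}


def classify(line):
    """Parse one syslog line; return kind, interface, VLAN and first step, or None."""
    for kind, pat in ALERT_PATTERNS.items():
        m = pat.search(line)
        if m:
            return {"kind": kind, "intf": m.group("intf"),
                    "vlan": m.groupdict().get("vlan"), "first_step": FIRST_STEP[kind]}
    return None


def triage(lines):
    """Group alerts per interface so a flapping port becomes one incident, not many."""
    incidents = {}
    for line in lines:
        alert = classify(line)
        if alert is None:
            continue
        rec = incidents.setdefault(alert["intf"], {"kinds": set(), "count": 0, "first_step": alert["first_step"]})
        rec["kinds"].add(alert["kind"])
        rec["count"] += 1
    return incidents


# Constructed sample log for the example.
SAMPLE_LOG = [
    "Nov 12 10:01:02: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi0/3 with BPDU Guard enabled. Disabling port.",
    "Nov 12 10:01:40: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Gi1/14 on VLAN0001.",
    "Nov 12 10:02:15: %UDLD-4-UDLD_PORT_DISABLED: UDLD disabled interface Gi1/25, unidirectional link detected",
    "Nov 12 10:02:16: %SPANTREE-7-LOOPGUARD_BLOCK: Loop guard blocking port Gi1/25 on VLAN0001.",
    "Nov 12 10:05:00: %SYS-5-CONFIG_I: Configured from console by admin",
]

if __name__ == "__main__":
    for intf, rec in triage(SAMPLE_LOG).items():
        print(f"{intf}: {rec['count']} alert(s) {sorted(rec['kinds'])} -> {rec['first_step']}")
```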
Conclusion
STP security features are essential for protecting network integrity. BPDU Guard prevents unauthorized switches on access ports, Root Guard stops rogue root bridge elections, Loop Guard protects against unidirectional failures, and UDLD provides comprehensive link monitoring. Deploy these features systematically based on port roles and network requirements.
Continue to: Part 4: STP Troubleshooting & Real-World Labs
Part 3 of 4 in the Complete STP Guide Series - November 2025