STP (Spanning Tree Protocol) Attack

STP attacks aim to change the root bridge of a Layer 2 network by injecting falsified BPDU information. This allows the attacker's switch to become the root bridge and see all traffic. Cisco switches can mitigate STP attacks using BPDU Guard and Root Guard. BPDU Guard disables ports receiving BPDUs when PortFast is enabled. Root Guard blocks traffic on non-root ports that receive superior BPDUs.

Uploaded by sethkartikeya08

STP (Spanning Tree Protocol) Attack:

In Layer 2 networks with redundant connections, the Spanning-Tree Protocol (STP) is used to stop loops by setting ports or interfaces to either a forwarding or blocking state. This subject will not be explored in detail because STP is a fundamental element and requirement of the CCNA certification. Rather, the security mechanisms that can be activated to protect switched networks that use the Spanning-Tree Protocol will be the focus of this section.

STP attacks typically center on changing the root bridge of the Layer 2 network by injecting falsified Bridge Protocol Data Unit (BPDU) information, which causes Spanning-Tree Protocol recalculations and effectively allows the attacker's switch to become the root bridge of the Layer 2 network. When this happens, traffic is transmitted across the attacker's switch, allowing him or her to view all data by using simple tools such as packet captures.

Cisco IOS Catalyst switches can be configured to allow administrators to enforce the placement of the root bridge in the Layer 2 network, prevent rogue switch network extensions, and ultimately mitigate STP attacks using the following two features:
- BPDU Guard
- Root Guard
BPDU Guard:
The BPDU Guard feature is designed to keep the STP active topology predictable and to enhance network reliability by enforcing the STP domain borders. This feature can be enabled either globally (i.e., for the entire switch) or on a per-interface basis. In a valid switch configuration, ports configured for PortFast, which is implemented on access ports and transitions an interface immediately to the forwarding state, do not receive BPDUs.

Receiving a BPDU on a PortFast-enabled interface suggests that there may be a security issue or that an unauthorized device is connected. The BPDU Guard feature puts any PortFast-enabled port that receives a BPDU into an error-disabled state. The administrator must manually re-enable the interface after it has been put into an error-disabled state. This adds another level of protection and ensures a safe reaction to potentially dangerous security situations or incorrect configurations.

At the global level, BPDU Guard is enabled by issuing the spanning-tree portfast bpduguard default global configuration command; at the interface level, BPDU Guard is enabled by issuing the spanning-tree bpduguard enable interface configuration command. These two configuration options are illustrated in the following output:
Sw1(config)#spanning-tree portfast bpduguard default
Sw1(config)#int fast0/1
Sw1(config-if)#spanning-tree bpduguard enable
Sw1(config-if)#exit

Once enabled, BPDU Guard can be validated by issuing the show spanning-tree summary command. The information printed by this command is illustrated in the following output:

Sw1#show spanning-tree summary
Switch is in pvst mode
Root bridge for: VLAN0002
EtherChannel misconfiguration guard is enabled
Extended system ID is enabled
Portfast is disabled by default
PortFast BPDU Guard is enabled by default
Portfast BPDU Filter is disabled by default
Loopguard is disabled by default
UplinkFast is disabled
BackboneFast is disabled
Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0002                      0         0        0          1          1
---------------------- -------- --------- -------- ---------- ----------
1 vlan                        0         0        0          1          1
To verify BPDU Guard on a per-interface basis, the show spanning-tree interface [name] detail command can be used, as illustrated in the following output:

Sw1#show spanning-tree interface fastethernet 0/1 detail
Port 1 (FastEthernet0/1) of VLAN0002 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.1.
Designated root has priority 32770, address 000d.bd06.4100
Designated bridge has priority 32770, address 000d.bd06.4100
Designated port id is 128.1, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
Bpdu guard is enabled
BPDU: sent 43, received 0

Root Guard:
Root Guard is a Cisco Catalyst switch feature that allows administrators to enforce the correct placement of the root switch in a Layer 2 network. The Root Guard feature is configured on all interfaces that are non-root ports. A root port, in a Spanning-Tree Protocol implementation, is the port on a switch that is closest to the root bridge of the Spanning-Tree-switched domain. The following diagram illustrates how the Root Guard feature would be implemented to prevent a device behind a non-root port from becoming the root switch:

The diagram above illustrates a Layer 2-switched network consisting of five switches: Switch A through Switch E. To establish a predictable STP network, the network administrators have designated Switch A as the STP root bridge and given each configured VLAN a priority value of 4096. For redundancy, the network administrators have configured Switch B with an STP priority value of 8192. Switches C, D, and E keep the default STP priority value of 32768.

In this topology, there is no reason that Switch E should ever become the root bridge of the STP network. Therefore, the Root Guard feature can be enabled on the Switch C and Switch D interfaces that are connected to Switch E. This keeps those interfaces as designated ports: if any device behind those ports attempts to become the root bridge, perhaps through an incorrect configuration that results in superior BPDUs or via an STP attack, the interface is placed into a root-inconsistent state. While the port is in this state, the switch blocks all traffic on it. The port remains in this state until superior BPDUs are no longer received on it.

In contrast to the BPDU Guard feature, which can be enabled globally for the entire switch or on an interface-by-interface basis, the Root Guard feature can only be enabled per interface, using the spanning-tree guard root interface configuration command. The Root Guard feature is configured on an interface as shown in the following example configuration:
Sw1(config)#int fas 0/1
Sw1(config-if)#spanning-tree guard root
Sw1(config-if)#exit

Once configured, administrators can use the show spanning-tree interface [name] detail command to view Root Guard status on a per-interface basis, as follows:

Sw1#show spanning-tree interface fastethernet 0/1 detail
Port 1 (FastEthernet0/1) of VLAN0002 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.1.
Designated root has priority 32770, address 000d.bd06.4100
Designated bridge has priority 32770, address 000d.bd06.4100
Designated port id is 128.1, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
Bpdu guard is enabled
Root guard is enabled on the port
BPDU: sent 4860, received 0

Lastly, inconsistent Spanning-Tree Protocol ports can be viewed by using the show spanning-tree inconsistentports command, as shown in the output below:

Sw1#show spanning-tree inconsistentports
Name                 Interface            Inconsistency
-------------------- -------------------- ------------------
VLAN1                FastEthernet0/1      Root Inconsistent

Number of inconsistent ports (segments) in the system :1

It is crucial to understand the distinctions between BPDU Guard and Root Guard and their respective functions, as they are two of the most commonly misinterpreted subjects. The BPDU Guard and Root Guard features, along with the types of STP attacks they counter, are outlined in the following table:

STP Attack Type: Attacker attempts to connect an unauthorized network device, such as another switch, to an access port to gain access to the Layer 2-switched network
STP Mitigation Technique: BPDU Guard, which is enabled globally or on a per-interface basis for all interfaces with PortFast enabled
STP Mitigation Operation: BPDU Guard will error-disable an interface configured for PortFast that receives a BPDU

STP Attack Type: Attacker attempts to manipulate the STP root bridge so that all traffic is forwarded to his or her switch
STP Mitigation Technique: Root Guard, which is enabled on a per-interface basis for all non-root ports on the switch
STP Mitigation Operation: Root Guard will block all forwarding of packets on an interface that has this feature enabled and receives superior BPDUs
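To make the difference between the two guards concrete, the following Python simulation is an added example (not from the original document or from Cisco): it packs and parses 802.1D Configuration BPDUs, compares the advertised root bridge ID the way the STP election does (lower priority wins, then lower MAC), and applies the BPDU Guard and Root Guard behaviour described above to a port. The sample BPDU contents, the port names, and the simplified Root Guard recovery (on the next non-superior BPDU rather than after the max-age timer) are assumptions made for the example.

```python
import struct
from dataclasses import dataclass

# 802.1D Configuration BPDU: protocol ID, version, type, flags, root ID,
# root path cost, bridge ID, port ID, message age, max age, hello, forward delay
BPDU_FMT = "!HBBBQIQHHHHH"  # 35 bytes, big-endian, no padding

def bridge_id(priority: int, mac: str) -> int:
    """64-bit bridge ID: 16-bit priority (with extended system ID the low 12 bits
    carry the VLAN, e.g. 32768 + 2 = 32770) followed by the 48-bit MAC address."""
    return (priority << 48) | int(mac.replace(".", "").replace(":", ""), 16)

def build_bpdu(root_prio: int, root_mac: str, br_prio: int, br_mac: str,
               cost: int = 0, port_id: int = 0x8001) -> bytes:
    """Constructed sample BPDU; timers are the 802.1D defaults in 1/256 s units."""
    return struct.pack(BPDU_FMT, 0, 0, 0, 0, bridge_id(root_prio, root_mac), cost,
                       bridge_id(br_prio, br_mac), port_id, 0, 20 * 256, 2 * 256, 15 * 256)

def parse_root_id(bpdu: bytes) -> int:
    """Return the root bridge ID advertised by a Configuration BPDU."""
    fields = struct.unpack(BPDU_FMT, bpdu[:struct.calcsize(BPDU_FMT)])
    if fields[2] != 0:  # type 0x80 is a TCN BPDU, which carries no root ID
        raise ValueError("not a Configuration BPDU")
    return fields[4]

@dataclass
class Port:
    name: str
    portfast: bool = False     # edge port that goes straight to forwarding
    bpdu_guard: bool = False   # spanning-tree bpduguard enable (or the global default)
    root_guard: bool = False   # spanning-tree guard root
    state: str = "forwarding"

def receive_bpdu(port: Port, bpdu: bytes, current_root: int) -> str:
    """Apply BPDU Guard and Root Guard to one received BPDU; return the port state."""
    if port.state == "err-disabled":
        return port.state                     # only an administrator re-enables it
    if port.portfast and port.bpdu_guard:
        port.state = "err-disabled"           # any BPDU on a PortFast port
        return port.state
    superior = parse_root_id(bpdu) < current_root   # lower ID beats the known root
    if port.root_guard and superior:
        port.state = "root-inconsistent"      # traffic blocked, no admin action needed
    elif port.root_guard and port.state == "root-inconsistent":
        port.state = "forwarding"             # assumption: recovers on next non-superior BPDU
    return port.state
```

The known root (priority 32770, address 000d.bd06.4100) matches the show spanning-tree output above; a BPDU advertising priority 4098 from a misconfigured switch is superior and trips Root Guard, while the same PortFast port with BPDU Guard goes error-disabled on any BPDU at all.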
