Spanning-Tree Protocol (STP) Attacks
The Spanning-Tree Protocol (STP) is used in redundantly connected Layer 2 networks to prevent loops by placing interfaces or ports in either a blocking or a forwarding state. Because STP itself is a core component and requirement of the CCNA certification, the protocol will not be covered in detail here. Instead, this section focuses on the security features that can be enabled to secure switched networks running the Spanning-Tree Protocol.
STP attacks typically center on changing the root bridge of the Layer 2 network by injecting falsified Bridge Protocol Data Unit (BPDU) information, which causes Spanning-Tree Protocol recalculations and effectively allows the attacker's switch to become the root bridge of the Layer 2 network. When this happens, traffic is transmitted across the attacker's switch, allowing him or her to view any and all data using simple tools such as packet captures.
Cisco IOS Catalyst switches can be configured to allow administrators to enforce the placement of the root bridge in the Layer 2 network, prevent rogue switch network extensions, and ultimately mitigate STP attacks using the following two features:
- BPDU Guard
- Root Guard
BPDU Guard
The BPDU Guard feature is designed to keep the STP active topology predictable and to enhance network reliability by enforcing the STP domain borders. The feature can be enabled either globally (i.e. for the entire switch) or on a per-interface basis. In a valid switch configuration, ports configured for PortFast (which immediately transitions an interface to the forwarding state and is implemented on access ports) do not receive BPDUs.
Receiving a BPDU on a PortFast-enabled interface therefore indicates an invalid configuration or a possible security condition, such as the connection of an unauthorized device. BPDU Guard places any PortFast-enabled port that receives a BPDU into the error-disabled state. Once an interface has been error-disabled, it must be re-enabled manually by the administrator, which provides an additional layer of security as well as a secure response to invalid configurations or possible security conditions.
At the global level, BPDU Guard is enabled by issuing the spanning-tree portfast bpduguard default global configuration command; and at the interface level, BPDU Guard is enabled by issuing the spanning-tree bpduguard enable interface configuration command. These two configuration options are illustrated in the following output:
Sw1(config)#spanning-tree portfast bpduguard default
Sw1(config)#int fast0/1
Sw1(config-if)#spanning-tree bpduguard enable
Sw1(config-if)#exit
Once enabled, BPDU Guard can be verified by issuing the show spanning-tree summary command. The information printed by this command is illustrated in the following output:
Sw1#show spanning-tree summary
Switch is in pvst mode
Root bridge for: VLAN0002
EtherChannel misconfiguration guard is enabled
Extended system ID is enabled
Portfast is disabled by default
PortFast BPDU Guard is enabled by default
Portfast BPDU Filter is disabled by default
Loopguard is disabled by default
UplinkFast is disabled
BackboneFast is disabled
Pathcost method used is short

Name                 Blocking Listening Learning Forwarding STP Active
-------------------- -------- --------- -------- ---------- ----------
VLAN0002                    0         0        0          1          1
-------------------- -------- --------- -------- ---------- ----------
1 vlan                      0         0        0          1          1
To verify BPDU Guard on a per-interface basis, the show spanning-tree interface [name] detail command can be used, as illustrated in the following output:
Sw1#show spanning-tree interface fastethernet 0/1 detail
Port 1 (FastEthernet0/1) of VLAN0002 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 32770, address 000d.bd06.4100
   Designated bridge has priority 32770, address 000d.bd06.4100
   Designated port id is 128.1, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   Bpdu guard is enabled
   BPDU: sent 43, received 0
Root Guard
Root Guard is a Cisco Catalyst switch feature that allows administrators to enforce the correct placement of the root switch in a Layer 2 network. The Root Guard feature is configured on all interfaces that are not root ports. A root port, in a Spanning-Tree Protocol implementation, is the port on a switch that is closest to the root bridge of the Spanning-Tree-switched domain. The following diagram illustrates how the Root Guard feature would be implemented to prevent a switch attached to a non-root port from becoming the root bridge:
The diagram above illustrates a Layer 2-switched network consisting of five switches: Switch A through Switch E. The network administrators have decided to implement a predictable STP network and have configured Switch A as the STP root bridge by assigning a priority value of 4096 for all configured VLANs. For redundancy, the network administrators have configured Switch B with an STP priority value of 8192. Switches C, D, and E are all using default STP priority values of 32,768.
In this topology, there is no reason that Switch E should ever become the root bridge of the STP network. Therefore, the Root Guard feature can be enabled on the Switch C and Switch D interfaces that are connected to Switch E. This keeps those interfaces as designated ports; if any device reached through those ports attempts to become the root bridge, whether through an incorrect configuration that results in superior BPDUs or through an STP attack, the interface is placed into the root-inconsistent state. While the port is in this state, the switch blocks all traffic on it. The port remains in this state until superior BPDUs are no longer received on it.
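The election and Root Guard behaviour described above, modelled in a short added example (not code from the original article): switch names, priorities and the VLAN follow the text; the MAC addresses and the rogue bridge ID are constructed. It also shows where the "priority 32770" in the show output comes from (32768 plus the extended system ID, VLAN 2).

```python
# Added example: PVST+ root election and the Root Guard decision for the
# five-switch topology in the text. MAC addresses are constructed values.
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeId:
    name: str
    priority: int  # configured priority (multiple of 4096)
    vlan: int      # extended system ID: 32768 + VLAN 2 is the "priority 32770" in show output
    mac: str       # constructed, not a real device

    def key(self):
        # Switches compare (priority + VLAN, MAC); the lowest tuple wins the election
        return (self.priority + self.vlan, int(self.mac.replace(".", ""), 16))


def elect_root(bridges):
    """Return the name of the bridge all switches would agree on as root."""
    return min(bridges, key=BridgeId.key).name


def root_guard(current_root, received_bpdu, guard_enabled):
    """Port state after a designated port receives a BPDU claiming `received_bpdu` as root.
    With Root Guard, a superior (lower) bridge ID puts the port into the root-inconsistent
    state instead of letting the switch accept a new root; it recovers once such BPDUs stop."""
    if guard_enabled and received_bpdu.key() < current_root.key():
        return "root-inconsistent"
    return "forwarding"


VLAN = 2
SWITCHES = [  # A is root (4096), B backup (8192), C/D/E default (32768), as in the text
    BridgeId("A", 4096, VLAN, "0000.0000.00aa"),
    BridgeId("B", 8192, VLAN, "0000.0000.00bb"),
    BridgeId("C", 32768, VLAN, "0000.0000.00cc"),
    BridgeId("D", 32768, VLAN, "0000.0000.00dd"),
    BridgeId("E", 32768, VLAN, "0000.0000.00ee"),
]
ROOT = SWITCHES[0]
# Constructed rogue bridge ID advertised from behind Switch E (the scenario the text describes)
ROGUE = BridgeId("rogue", 0, VLAN, "0000.0000.0001")


def without_root_guard():
    """Election result if Switch C/D simply accepted the rogue BPDU."""
    return elect_root(SWITCHES + [ROGUE])


def with_root_guard():
    """State of the C/D interfaces toward E with `spanning-tree guard root` applied."""
    return root_guard(ROOT, ROGUE, guard_enabled=True)
```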
Unlike the BPDU Guard feature, which can be enabled globally for the entire switch or on a per-interface basis, the Root Guard feature can only be enabled on a per-interface basis. This is performed via the spanning-tree guard root interface configuration command. The following configuration example illustrates how to configure the Root Guard feature on an interface:
Sw1(config)#int fas 0/1
Sw1(config-if)#spanning-tree guard root
Sw1(config-if)#exit
Once configured, administrators can use the show spanning-tree interface [name] detail command to view Root Guard status on a per-interface basis, as follows:
Sw1#show spanning-tree interface fastethernet 0/1 detail
Port 1 (FastEthernet0/1) of VLAN0002 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 32770, address 000d.bd06.4100
   Designated bridge has priority 32770, address 000d.bd06.4100
   Designated port id is 128.1, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   Bpdu guard is enabled
   Root guard is enabled on the port
   BPDU: sent 4860, received 0
Finally, the show spanning-tree inconsistentports command can be used to view inconsistent Spanning-Tree Protocol ports, as illustrated in the following output:
Sw1#show spanning-tree inconsistentports
Name                 Interface              Inconsistency
-------------------- ---------------------- ------------------
VLAN1                FastEthernet0/1        Root Inconsistent

Number of inconsistent ports (segments) in the system :1
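The verification commands shown above lend themselves to automated checking. The following added example (not from the original article) parses constructed samples of the show spanning-tree interface detail and show spanning-tree inconsistentports output and flags ports with no guard, ports receiving BPDUs without BPDU Guard, and ports already held root-inconsistent.

```python
# Added example: audit the IOS verification output shown above. Samples are constructed
# to match the command output format in the text; they are not real captures.
import re

IFACE_DETAIL = {
    "FastEthernet0/1": """Port 1 (FastEthernet0/1) of VLAN0002 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Link type is point-to-point by default
   Bpdu guard is enabled
   Root guard is enabled on the port
   BPDU: sent 4860, received 0""",
    "FastEthernet0/2": """Port 2 (FastEthernet0/2) of VLAN0002 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.2.
   Link type is point-to-point by default
   BPDU: sent 12, received 3""",
}

INCONSISTENT = """Name                 Interface              Inconsistency
-------------------- ---------------------- ------------------
VLAN0002             FastEthernet0/3        Root Inconsistent

Number of inconsistent ports (segments) in the system :1"""


def parse_interface_detail(text):
    """Guard status and BPDU count from 'show spanning-tree interface <name> detail'."""
    return {
        "bpdu_guard": "Bpdu guard is enabled" in text,
        "root_guard": "Root guard is enabled on the port" in text,
        "bpdus_received": int(re.search(r"received (\d+)", text).group(1)),
    }


def parse_inconsistent_ports(text):
    """{interface: inconsistency} from 'show spanning-tree inconsistentports'."""
    rows = re.findall(r"^(VLAN\S+)\s+(\S+)\s+(\w+ Inconsistent)\s*$", text, re.M)
    return {iface: kind for _vlan, iface, kind in rows}


def audit(detail_by_iface, inconsistent_text):
    """One finding per port that deserves an operator's attention."""
    findings = []
    for iface, text in detail_by_iface.items():
        info = parse_interface_detail(text)
        if not info["bpdu_guard"] and not info["root_guard"]:
            findings.append(f"{iface}: no BPDU Guard or Root Guard configured")
        if info["bpdus_received"] and not info["bpdu_guard"]:
            # A PortFast access port should never see BPDUs; a count here means a
            # switch or other BPDU source is attached without BPDU Guard to stop it
            findings.append(f"{iface}: {info['bpdus_received']} BPDUs received without BPDU Guard")
    for iface, kind in parse_inconsistent_ports(inconsistent_text).items():
        findings.append(f"{iface}: {kind} (superior BPDU blocked by Root Guard)")
    return findings
```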
Because BPDU Guard and Root Guard are among the most misunderstood topics, it is important to ensure that you have a solid understanding of the differences between these two features and of what their purposes are. The following table summarizes the BPDU Guard and Root Guard feature and what kind of STP attacks they are used to mitigate:
STP Attack Type | STP Mitigation Technique | STP Mitigation Operation
--- | --- | ---
Attacker attempts to connect an unauthorized network device, such as another switch, to an access port to gain access to the Layer 2-switched network | BPDU Guard, enabled globally or on a per-interface basis for all interfaces with PortFast enabled | BPDU Guard error-disables a PortFast-enabled interface that receives a BPDU
Attacker attempts to manipulate the STP root bridge so that all traffic is forwarded to his or her switch | Root Guard, enabled on a per-interface basis for all non-root ports on the switch | Root Guard blocks all packet forwarding on a Root Guard-enabled interface that receives superior BPDUs