Mitigating STP attacks
PortFast and BPDU Guard
A network attacker can also manipulate the Spanning Tree Protocol (STP) by spoofing the root bridge and changing the entire topology of the network, for example by configuring their own computer to act as the root bridge.
To mitigate STP attacks, we can use PortFast and BPDU Guard (Bridge Protocol Data Unit Guard):
| PortFast | When PortFast is enabled on an interface, the interface is brought immediately to the "forwarding" state, whether it is configured as an access or a trunk port, bypassing the "listening" and "learning" states. It can be applied to all end-user ports, and should only be configured on ports attached to end devices. |
| BPDU Guard | BPDU Guard immediately error-disables a port that receives a BPDU. It should also be configured only on interfaces attached to end devices. |
PortFast and BPDU Guard Implementation
Configuring PortFast
PortFast bypasses the STP "listening" and "learning" states to reduce the time access ports must wait for STP to converge. When enabled on a port that is connected to another switch, PortFast poses a risk of creating a spanning-tree loop.
Configuring PortFast on an interface
S1(config)# interface [interface]
S1(config-if)# switchport mode access
S1(config-if)# spanning-tree portfast
Configuring PortFast on an interface range Complete Configuration Example
S1> enable
S1# configure terminal
S1(config)# interface range fa0/3 - fa0/22
S1(config-if-range)# switchport mode access
S1(config-if-range)# spanning-tree portfast
%Portfast has been configured on FastEthernet0/1 but will only have effect when the interface is in a non-trunking mode.
%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION
PortFast can also be configured globally on all access ports.
Configuring PortFast Globally on all access ports
S1(config)# spanning-tree portfast default
Configuring PortFast Globally on all access ports Complete Configuration Example
S1> enable
S1# configure terminal
S1(config)# spanning-tree portfast default
%Warning: this command enables portfast by default on all interfaces. You should now disable portfast explicitly on switched ports leading to hubs, switches and bridges as they may create temporary bridging loops.
S1(config)# exit
S1#
Configuring BPDU Guard
Although PortFast is enabled, the interface still listens for BPDUs. An unexpected BPDU may be accidental, or it may come from someone adding an unauthorized switch to the network.
If a BPDU Guard enabled interface receives any BPDU, the port is put into the error-disabled state and shut down. The port must then be manually re-enabled.
Configuring BPDU Guard on an interface
S1(config-if)# spanning-tree bpduguard enable
Configuring BPDU Guard on an interface range Complete Configuration Example
S1> enable
S1# configure terminal
S1(config)# interface range fa0/3 - fa0/22
S1(config-if-range)# spanning-tree bpduguard enable
S1(config-if-range)# exit
S1(config)#
BPDU Guard can also be configured globally on all PortFast-enabled access ports.
Configuring BPDU Guard Globally on all PortFast enabled access ports
S1(config)# spanning-tree portfast bpduguard default
Configuring BPDU Guard Globally on all PortFast enabled access ports Complete Configuration Example
S1> enable
S1# configure terminal
S1(config)# spanning-tree portfast bpduguard default
S1(config)# exit
S1#
[NOTE] Always enable BPDU Guard on all PortFast-enabled ports.
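As an added example (not part of the original notes), a small Python audit that reads a saved running-config and lists ports where PortFast is in effect but BPDU Guard is not, taking the global default commands above into account. The configuration text is constructed, and the script assumes the global PortFast default only applies to ports explicitly set to access mode.

```python
# Constructed 'show running-config' excerpt (not from a real switch).
SAMPLE_CONFIG = """\
spanning-tree portfast default
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
interface FastEthernet0/3
 switchport mode access
 spanning-tree bpduguard disable
interface FastEthernet0/4
 switchport mode access
 spanning-tree portfast disable
"""

def parse_config(text):
    """Split running-config text into global commands and per-interface commands."""
    global_cmds, ifaces, current = set(), {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:  # any other top-level line ends the interface stanza
            current = None
            global_cmds.add(line.strip())
    return global_cmds, ifaces

def portfast_without_bpduguard(text):
    """Interfaces where PortFast is in effect but BPDU Guard is not, honouring global defaults."""
    global_cmds, ifaces = parse_config(text)
    pf_default = "spanning-tree portfast default" in global_cmds
    bg_default = "spanning-tree portfast bpduguard default" in global_cmds
    findings = []
    for name, cmds in ifaces.items():
        # Assumption: the global PortFast default is applied only to explicit access ports,
        # and a per-interface 'disable' always wins over the matching global default.
        portfast = ("spanning-tree portfast disable" not in cmds and
                    ("spanning-tree portfast" in cmds
                     or (pf_default and "switchport mode access" in cmds)))
        guard = ("spanning-tree bpduguard disable" not in cmds and
                 ("spanning-tree bpduguard enable" in cmds or (bg_default and portfast)))
        if portfast and not guard:
            findings.append(name)
    return findings
```

Running it against the sample flags FastEthernet0/2 (explicit PortFast, no guard) and FastEthernet0/3 (PortFast via the global default, guard explicitly disabled).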