7.5 Mitigate STP Attacks
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential   46
Mitigate STP Attacks
PortFast and BPDU Guard
Recall that network attackers can manipulate the Spanning Tree Protocol (STP) to
conduct an attack by spoofing the root bridge and changing the topology of a network.
To mitigate STP attacks, use PortFast and Bridge Protocol Data Unit (BPDU) Guard:

PortFast
• PortFast immediately brings a port to the forwarding state from a blocking state,
  bypassing the listening and learning states.
• Apply to all end-user access ports.

BPDU Guard
• BPDU Guard immediately error-disables a port that receives a BPDU.
• Like PortFast, BPDU Guard should only be configured on interfaces attached to end
  devices.
Mitigate STP Attacks
Configure PortFast
PortFast bypasses the STP listening and learning states to minimize the time that access
ports must wait for STP to converge.
• Only enable PortFast on access ports.
• PortFast on inter-switch links can create a spanning-tree loop.

PortFast can be enabled:
• On an interface – Use the spanning-tree portfast interface configuration command.
• Globally – Use the spanning-tree portfast default global configuration command to
  enable PortFast on all access ports.
Mitigate STP Attacks
Configure PortFast (Cont.)
To verify whether PortFast is enabled globally, use either of the following:
• the show running-config | begin span command
• the show spanning-tree summary command

To verify whether PortFast is enabled on an interface, use the show running-config interface type/number
command.
The show spanning-tree interface type/number detail command can also be used for verification.
Mitigate STP Attacks
Configure BPDU Guard
An access port could receive unexpected BPDUs accidentally or because a user connected an
unauthorized switch to the access port.
• If a BPDU is received on a BPDU Guard enabled access port, the port is put into the error-disabled
  state.
• This means the port is shut down and must be manually re-enabled or automatically recovered
  through the errdisable recovery cause psecure_violation global command.
BPDU Guard can be enabled:
• On an interface – Use the spanning-tree bpduguard enable interface configuration command.
• Globally – Use the spanning-tree portfast bpduguard default global configuration command to
  enable BPDU Guard on all access ports.
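The following script is an added example, not Cisco code and not part of the original course material. It ties together the configuration commands above (interface-level spanning-tree portfast and spanning-tree bpduguard enable, and the global spanning-tree portfast default and spanning-tree portfast bpduguard default) with the verification step: it reads the text of show running-config, resolves what each port actually ends up with (an interface command overrides the global default; the global PortFast default covers access ports only, and the global BPDU Guard default follows PortFast-enabled ports), and reports access ports left without BPDU Guard as well as inter-switch links that have PortFast. It also checks for the bpduguard errdisable recovery cause, which is the cause name that automatically recovers ports error-disabled by BPDU Guard. The sample running-config is constructed for the example, not captured from a real switch; the parser assumes standard IOS indentation (interface sub-commands indented by one space).

```python
# Added example (not Cisco code): audit a running-config for PortFast / BPDU Guard
# coverage, resolving interface-level commands against the global defaults.

# Constructed sample of `show running-config` output (not a capture from a real
# switch): one trunk, two access ports, one misconfigured trunk.
SAMPLE_CONFIG = """\
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
!
interface GigabitEthernet0/1
 description uplink to distribution switch
 switchport mode trunk
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode trunk
 spanning-tree portfast
!
end
"""


def parse_config(text):
    """Return (global settings, {interface: settings}) from running-config text."""
    glob = {"portfast_default": False, "bpduguard_default": False,
            "errdisable_recovery_bpduguard": False}
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            # None = not set on the interface, so the global default decides
            interfaces[current] = {"mode": "dynamic", "portfast": None, "bpduguard": None}
            continue
        if not line.startswith(" "):
            current = None  # any non-indented line ends the interface block
            if line == "spanning-tree portfast default":
                glob["portfast_default"] = True
            elif line == "spanning-tree portfast bpduguard default":
                glob["bpduguard_default"] = True
            elif line == "errdisable recovery cause bpduguard":
                glob["errdisable_recovery_bpduguard"] = True
            continue
        if current is None:
            continue
        cmd = line.strip()
        if cmd.startswith("switchport mode "):
            interfaces[current]["mode"] = cmd.split()[-1]
        elif cmd.startswith("spanning-tree portfast"):
            # "spanning-tree portfast [trunk]" enables; "... disable" disables
            interfaces[current]["portfast"] = not cmd.endswith("disable")
        elif cmd.startswith("spanning-tree bpduguard "):
            interfaces[current]["bpduguard"] = cmd.endswith("enable")
    return glob, interfaces


def effective_state(iface, glob):
    """Resolve (portfast, bpduguard): an interface command overrides the global default."""
    is_trunk = iface["mode"] == "trunk"
    if iface["portfast"] is None:
        portfast = glob["portfast_default"] and not is_trunk  # default covers access ports only
    else:
        portfast = iface["portfast"]
    if iface["bpduguard"] is None:
        bpduguard = glob["bpduguard_default"] and portfast  # default follows PortFast ports
    else:
        bpduguard = iface["bpduguard"]
    return portfast, bpduguard


def audit(text):
    """Return (interface, finding) tuples for ports whose STP protection is wrong or missing."""
    glob, interfaces = parse_config(text)
    findings = []
    for name, iface in interfaces.items():
        portfast, bpduguard = effective_state(iface, glob)
        if iface["mode"] == "trunk":
            if portfast:
                findings.append((name, "PortFast on an inter-switch link: spanning-tree loop risk"))
            continue
        if not portfast:
            findings.append((name, "access port without PortFast"))
        if not bpduguard:
            findings.append((name, "access port without BPDU Guard: an unauthorized switch could send BPDUs"))
    guarded = [n for n, i in interfaces.items() if effective_state(i, glob)[1]]
    if guarded and not glob["errdisable_recovery_bpduguard"]:
        findings.append(("global", "no 'errdisable recovery cause bpduguard': guarded ports stay "
                                   "error-disabled until re-enabled by hand"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

Run against the sample, the audit flags FastEthernet0/2 (access port covered by the global PortFast default but with no BPDU Guard) and FastEthernet0/3 (a trunk with PortFast, the loop case the slides warn about). Adding the global spanning-tree portfast bpduguard default line clears the FastEthernet0/2 finding without touching each interface, which is why the global form is the easier one to keep consistent across many access ports.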