Network Geeks
Spanning Tree Protections
The mechanisms available to protect STP are as follows:
Root Guard
Loop Guard
BPDU Guard
BPDU Filter
UDLD
1. Root Guard
Root Guard is a mechanism that protects the position of the root bridge. An attacker connects a switch with a lower priority (or, at equal priority, a lower MAC address) to the network so that it is elected root bridge, which changes the port roles and port states throughout the topology.
Before the attack on the root bridge, traffic from PC1 to PC2 follows the path PC1 - SW2 - SW1 - PC2.
After the attack on the root bridge, it follows the path PC1 - SW2 - SW3 - SW1 - PC2.
The attacker connects to SW3 and generates a superior BPDU, which changes the port roles: the ALT port of SW3 becomes a DP and takes 30 seconds to reach the forwarding state. Once PC1 is sending its traffic via SW3, after 30 seconds the attacker shuts down its switch. Re-election of the root bridge takes place; this is how the user is left unable to send traffic.
Contact: - [email protected]
YouTube: - http://www.youtube.com/@networkinggeeks6266
To protect the STP topology from such an attack, enable Root Guard on the DP ports. A DP port with Root Guard enabled that receives a superior BPDU goes into the "Root Inconsistent" state. A port in the Root Inconsistent state recovers automatically after 20 seconds when the attacker removes
Command to enable Root Guard
SW1(config)# interface range e0/0, e0/1
SW1(config-if)# spanning-tree guard root
2. Loop Guard
Because of a fault in the link, SW1 stops sending BPDUs. After 20 seconds (the Max Age timer) SW3 discards the superior BPDU stored on e1, makes e1 a DP and starts sending out of it the BPDU it receives on e0; the ALT port e0 becomes the RP. There is now no ALT (blocking) port left in the topology, so a loop occurs.
NOTE: a port on which BPDUs are no longer received starts sending BPDUs itself. To prevent this, Loop Guard is enabled on RP ports.
An RP port with Loop Guard enabled that would otherwise start transmitting BPDUs is put into the "Loop Inconsistent" state instead. Once the cable is replaced and BPDUs sent from e0 of SW1 are again received on the RP port of SW3, the port immediately recovers from the inconsistent state.
Loop Guard was designed mainly for fibre-optic links between switches. A fibre link has two strands, one for sending and one for receiving; if one of them stops working, the line protocol still stays up.
Command to enable Loop Guard
SW3(config)# interface e1
SW3(config-if)# spanning-tree guard loop
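The two guards above come down to how a port reacts to a BPDU, or to the absence of one, so a small model makes the difference concrete. The following Python is an added example, not code from these notes or from Cisco IOS: it models a single port, compares BPDUs the 802.1D way (priority, then MAC, then cost), and runs the two scenarios described in the Root Guard and Loop Guard sections with and without the guard. The timer values are the 802.1D defaults the notes quote (Max Age 20 s, Forward Delay 15 s); the class names, port names and bridge IDs are constructed for illustration.

```python
"""Model of how Root Guard and Loop Guard change a port's reaction to BPDUs.

Added example, not code from the Network Geeks notes or from Cisco IOS. It uses
the 802.1D defaults the notes quote (Max Age 20 s, Forward Delay 15 s); the
classes, port names and bridge IDs are constructed for illustration.
"""
from dataclasses import dataclass

MAX_AGE = 20        # seconds a port keeps a stored BPDU without hearing a new one
FORWARD_DELAY = 15  # listening and learning each last this long (2 x 15 = 30 s)


@dataclass(frozen=True, order=True)
class BridgeID:
    """802.1D bridge ID: compared by priority first, then MAC; lower is better."""
    priority: int
    mac: str


@dataclass(frozen=True)
class BPDU:
    root: BridgeID   # bridge the sender believes is the root
    cost: int        # sender's path cost to that root
    sender: BridgeID


def is_superior(new, current):
    """Better root, or same root at lower cost, or same root/cost from a better sender."""
    return (new.root, new.cost, new.sender) < (current.root, current.cost, current.sender)


class Port:
    def __init__(self, name, role, root_guard=False, loop_guard=False):
        self.name, self.role = name, role            # role: "DP", "RP" or "ALT"
        self.root_guard, self.loop_guard = root_guard, loop_guard
        self.inconsistent = None                     # None, "root" or "loop"
        self.last_bpdu_time = None

    def receive(self, bpdu, now, best_known):
        """A BPDU arrives at time `now`; `best_known` is the switch's current view of the root."""
        self.last_bpdu_time = now
        if self.role == "DP" and is_superior(bpdu, best_known):
            if self.root_guard:
                self.inconsistent = "root"           # refuse to become the path to a new root
                return "root-inconsistent"
            self.role = "RP"                         # unprotected: the topology re-converges via this port
            return "role changed to RP"
        if self.inconsistent == "loop":
            self.inconsistent = None                 # BPDUs are back: Loop Guard recovers at once
            return "recovered"
        return "ok"

    def tick(self, now):
        """Periodic timer check: Max Age expiry and root-inconsistent recovery."""
        silent = self.last_bpdu_time is not None and now - self.last_bpdu_time >= MAX_AGE
        if self.inconsistent == "root":
            if silent:                               # the superior BPDUs stopped for a full Max Age
                self.inconsistent = None
                return "recovered"
            return "root-inconsistent"
        if self.role in ("RP", "ALT") and silent:
            if self.loop_guard:
                self.inconsistent = "loop"           # never go designated/forwarding without BPDUs
                return "loop-inconsistent"
            self.role = "DP"                         # unprotected: forwards after 2 x FORWARD_DELAY
            return "role changed to DP"
        return "ok"


LEGIT_ROOT = BridgeID(32768, "0000.0000.0001")   # constructed: SW1, the intended root
ROGUE = BridgeID(0, "0000.0000.00ff")            # constructed: the attacker's switch
BEST = BPDU(LEGIT_ROOT, 0, LEGIT_ROOT)


def root_guard_scenario(guard_enabled):
    """SW3's DP hears a superior BPDU, then nothing for Max Age (attacker shut down)."""
    port = Port("e0/1", "DP", root_guard=guard_enabled)
    first = port.receive(BPDU(ROGUE, 0, ROGUE), now=0, best_known=BEST)
    later = port.tick(now=MAX_AGE)
    return first, later, port.role


def loop_guard_scenario(guard_enabled):
    """SW3's RP (e1) stops hearing SW1 for Max Age; with Loop Guard, the cable is then replaced."""
    port = Port("e1", "RP", loop_guard=guard_enabled)
    port.receive(BEST, now=0, best_known=BEST)
    outcome = port.tick(now=MAX_AGE)
    repaired = port.receive(BEST, now=MAX_AGE + 2, best_known=BEST) if port.inconsistent else None
    return outcome, repaired, port.role


if __name__ == "__main__":
    for guard in (False, True):
        print("root guard enabled:", guard, root_guard_scenario(guard))
        print("loop guard enabled:", guard, loop_guard_scenario(guard))
```

Running it shows the two outcomes side by side: without Root Guard the designated port flips to RP on the rogue BPDU and later ages out to DP again (the re-election the notes describe), while with Root Guard it stays DP, sits in the root-inconsistent state and clears itself 20 seconds after the superior BPDUs stop. For the root port, silence for Max Age turns it into a DP when unprotected, but into a loop-inconsistent port when Loop Guard is on, and the first BPDU heard after the cable is replaced recovers it immediately.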
3. BPDU Guard
BPDU Guard is enabled on access ports to protect against attackers. When a BPDU is received on a port where BPDU Guard is enabled, the port goes into the err-disabled state, and no data-plane or control-plane traffic is allowed on that port. To recover from the err-disabled state, manually shut and no shut the interface, or enable err-disable recovery for that cause.
Command to enable BPDU guard
SW2(config)# interface e2
SW2(config-if)# spanning-tree bpduguard enable
Command to check which interfaces are in the err-disabled state
SW# show interfaces status err-disabled
Commands to recover from the err-disabled state automatically
SW(config)# errdisable recovery cause bpduguard
SW(config)# errdisable recovery interval <seconds>
4. BPDU Filter
BPDU Filter is applied on access ports. A port where BPDU Filter is applied does not send BPDUs, and simply discards any BPDU it receives.
Command to enable BPDU Filter
SW(config)# spanning-tree portfast default
(all access ports become PortFast)
SW(config)# spanning-tree portfast bpdufilter default
NOTE: with this global form, a PortFast port that does receive a BPDU loses its PortFast and BPDU Filter status and runs STP normally; only the per-interface form (spanning-tree bpdufilter enable) discards BPDUs unconditionally.
5. UDLD (Unidirectional Link Detection)
It is used to detect a unidirectional link.
It is a Cisco proprietary protocol.
It is a Layer 2 protocol.
UDLD messages are sent at regular intervals, as long as the link is active. You can configure the
message interval UDLD uses. (The default is 15 seconds.) The objective behind UDLD is to detect a
unidirectional link condition before STP has time to move a blocked port into the Forwarding state.
To do this, the target time must be less than the Max Age timer plus two intervals of the Forward
Delay timer, or 50 seconds. UDLD can detect a unidirectional link after about three times the UDLD
message interval (45 seconds total, using the default).
UDLD is enabled on the ports at both ends of the link. If the link becomes unidirectional, the switch reports it.
UDLD has two modes of operation:
■ Normal mode: When a unidirectional link condition is detected, the port is allowed to continue its
operation. UDLD merely marks the port as having an undetermined state and generates a syslog
message.
■ Aggressive mode: When a unidirectional link condition is detected, the switch takes action to
reestablish the link. UDLD messages are sent out once a second for 8 seconds. If none of those
messages is echoed back, the port is placed in the error disable state so that it cannot be used.
In this mode, if the link becomes unidirectional, the switch generates a log message and keeps the port in the err-disabled state.
NOTE: UDLD can be used on copper Ethernet cable as well.
Command to enable UDLD
SW(config)# udld enable
SW(config)# interface e0
SW(config-if)# udld port aggressive
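Every mechanism on this page announces itself in syslog when it fires, and with err-disable recovery enabled a port can be brought back up and knocked down again in a loop without anyone noticing. The following Python is an added example, not code from these notes or from Cisco: it parses IOS-style syslog lines for BPDU Guard, Root Guard, Loop Guard and UDLD events, records which ports were err-disabled or recovered and for which cause, and flags ports where the same guard keeps triggering. The log lines in SAMPLE_LOG are constructed for this example in the general shape of IOS messages; the exact mnemonic text should be checked against your own platform's output before the patterns are used in monitoring.

```python
"""Pick STP-protection events out of Cisco IOS syslog and flag ports that keep re-triggering.

Added example, not code from the Network Geeks notes or from Cisco. The log
lines in SAMPLE_LOG are constructed for this example in the general shape of IOS
messages; check the exact mnemonics against your own platform's output before
relying on these patterns.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Jan 10 10:01:02 SW2 1234: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Et2 with BPDU Guard enabled. Disabling port.
Jan 10 10:01:02 SW2 1235: %PM-4-ERR_DISABLE: bpduguard error detected on Et2, putting Et2 in err-disable state
Jan 10 10:05:30 SW1 0451: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Et0/1 on VLAN0001.
Jan 10 10:06:10 SW3 0077: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port Et1 on VLAN0001.
Jan 10 10:07:00 SW3 0080: %UDLD-4-UDLD_PORT_DISABLED: UDLD disabled interface Et0, unidirectional link detected
Jan 10 10:07:05 SW3 0081: %PM-4-ERR_DISABLE: udld error detected on Et0, putting Et0 in err-disable state
Jan 10 10:08:00 SW2 1240: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Et2
Jan 10 10:08:01 SW2 1241: %LINK-3-UPDOWN: Interface Ethernet2, changed state to up
Jan 10 10:08:05 SW2 1242: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Et2 with BPDU Guard enabled. Disabling port.
Jan 10 10:08:05 SW2 1243: %PM-4-ERR_DISABLE: bpduguard error detected on Et2, putting Et2 in err-disable state
"""

# "<timestamp> <host> <seq>: %FACILITY-SEVERITY-MNEMONIC: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) \d+: "
    r"%(?P<facility>[A-Z_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$"
)
PORT_RE = re.compile(r"\b((?:Et|Gi|Fa|Te|Ethernet|GigabitEthernet)\d[\d/]*)")
CAUSE_RE = re.compile(r"(\w+) (?:error detected|err-disable)")   # "bpduguard error detected ..."

# syslog mnemonic -> which protection fired
GUARD_MNEMONICS = {
    "BLOCK_BPDUGUARD": "bpduguard",
    "ROOTGUARD_BLOCK": "rootguard",
    "LOOPGUARD_BLOCK": "loopguard",
    "UDLD_PORT_DISABLED": "udld",
}


def parse_events(log_text):
    """Return one dict per protection-related line: host, port, guard, action."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mnemonic = m.group("mnemonic")
        port_m = PORT_RE.search(m.group("msg"))
        port = port_m.group(1) if port_m else None
        if mnemonic in GUARD_MNEMONICS:
            events.append({"host": m.group("host"), "port": port,
                           "guard": GUARD_MNEMONICS[mnemonic], "action": "triggered"})
        elif mnemonic in ("ERR_DISABLE", "ERR_RECOVER"):
            cause_m = CAUSE_RE.search(m.group("msg"))
            events.append({"host": m.group("host"), "port": port,
                           "guard": cause_m.group(1) if cause_m else "unknown",
                           "action": "err-disabled" if mnemonic == "ERR_DISABLE" else "recovering"})
    return events


def repeat_triggers(events, threshold=2):
    """(host, port, guard) tuples that fired at least `threshold` times.

    With errdisable recovery enabled, a port that is re-enabled and immediately
    triggers again means whatever caused it (a device sending BPDUs on an access
    port, a one-way link) is still attached and needs a physical check.
    """
    counts = Counter((e["host"], e["port"], e["guard"])
                     for e in events if e["action"] == "triggered")
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = parse_events(SAMPLE_LOG)
    for e in found:
        print(f'{e["host"]:4} {str(e["port"]):6} {e["guard"]:10} {e["action"]}')
    print("repeat triggers:", repeat_triggers(found))
```

On the constructed log the script reports nine events and flags SW2 Et2 as a repeat BPDU Guard trigger: the port was recovered by the errdisable recovery timer and went straight back into err-disable, which is exactly the pattern you want an alert on rather than a quiet retry loop. The same counter works for UDLD and Loop Guard ports, where a repeat means the unidirectional link has not been fixed.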