
Root Guard, BPDU Guard and BPDU Filter

Network attackers can launch different types of attacks against Spanning Tree Protocol (STP). One type of STP attack is to inject superior BPDUs into the Layer 2 network. A superior BPDU is a BPDU carrying a lower Bridge ID. In a normal network, superior BPDUs are generated only by the Root Bridge. If any other switch generates a superior BPDU, an STP recalculation takes place and the switch that generated the superior BPDU becomes the new Root Bridge.

By injecting superior BPDUs into the Layer 2 network, an attacker can trigger STP recalculations and ultimately force re-convergence of the STP topology. Attackers can carry out STP attacks by adding a rogue switch configured with a lower Bridge ID, or by using software that is freely available for download.

When a new rogue Root Bridge is introduced into the STP topology, traffic from the other switches starts flowing via the rogue Root Bridge. The attacker can then capture the network traffic and look for sensitive data.

Cisco switches have several features for protection against STP attacks. Root Guard, BPDU Guard and BPDU Filter are some of the features available for protection against STP-related attacks.

Root Guard, BPDU Guard and BPDU Filter

Root Guard: Root Guard protects the STP topology against the attack of replacing the original Root Bridge with a rogue root switch. When a switch port with Root Guard enabled receives a superior BPDU from a rogue switch, the port is moved into the root-inconsistent state, thus enforcing the position of the original Root Bridge. While the port is in the root-inconsistent state (similar to the STP listening state), no user data is sent via that port.

Visit the following link to learn more about Root Guard and how to configure Root Guard on Cisco switches.

BPDU Guard: BPDU Guard is typically implemented on an access port configured with PortFast. When a BPDU Guard enabled port receives a BPDU from the connected device, BPDU Guard disables the port and the port state is changed to errdisable.

Visit the following link to learn more about BPDU Guard and how to configure BPDU Guard on Cisco switches.

BPDU Filter: BPDU Filter is also typically implemented on an access port configured with PortFast. BPDU Filter allows you to stop the switch from generating BPDUs on an access port configured with PortFast.

Visit the following link to learn more about BPDU Filter and how to configure BPDU Filter on Cisco switches.
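The following is an added illustration, not code from this tutorial or from Cisco: a small Python model of how the three features react to a BPDU arriving on a port. The Bridge ID comparison (lower priority, then lower MAC, wins) is real STP behaviour; the class names, port names and Bridge ID values are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BridgeId:
    """STP Bridge ID: the numerically lower value is superior.
    Priority is compared first, the MAC address breaks ties."""
    priority: int   # 0-61440 in steps of 4096 (plus extended system ID)
    mac: str        # dotted-hex MAC, e.g. "0000.0c00.0001"


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId   # Root Bridge the sender is advertising


@dataclass
class Port:
    name: str
    root_guard: bool = False
    bpdu_guard: bool = False
    bpdu_filter: bool = False
    state: str = "forwarding"


class Switch:
    """Constructed model of one switch that already knows its Root Bridge."""

    def __init__(self, bridge_id: BridgeId, root_id: BridgeId):
        self.bridge_id = bridge_id
        self.root_id = root_id
        self.ports: dict[str, Port] = {}

    def add_port(self, port: Port) -> None:
        self.ports[port.name] = port

    def receive(self, port_name: str, bpdu: Bpdu) -> str:
        """Apply the protection features to an incoming BPDU; return the outcome."""
        port = self.ports[port_name]
        if port.bpdu_guard:                 # any BPDU on a BPDU Guard port -> errdisable
            port.state = "err-disabled"
            return port.state
        if bpdu.root_id < self.root_id:     # superior BPDU: claims a better root
            if port.root_guard:             # Root Guard: block port, keep current root
                port.state = "root-inconsistent"
                return port.state
            self.root_id = bpdu.root_id     # unprotected port: the rogue becomes root
            return "new-root"
        return port.state                   # inferior/equal BPDU: nothing changes

    def sends_bpdu(self, port_name: str) -> bool:
        """BPDU Filter stops the switch from generating BPDUs on that port."""
        return not self.ports[port_name].bpdu_filter
```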
