STP different protection mechanism, a complete explaination

_ February 19, 2022_ Zindagi Technologies

In the last blog, we discussed STP and how it works, types of topology change, and their effect on the network. In this, we will explain what different mechanisms are to protect STP.

Types of mechanisms to protect STP are as follows: –

Root Guard
Loop Guard
BPDU Guard
BPDU Filter
UDLD

Root Guard

It is a mechanism to protect the root bridge from attack. Attacker connects its switch with lower mac address and priority in the network to become the root bridge, it changes the port role and port state in the topology.

Before the attack on the Root Bridge, communication takes place from PC1 – SW2- SW1-PC2.

After the attack on the Root Bridge, communication takes place from PC1-SW2-SW3-SW1-PC2.

The attacker connects to SW3 to generate a superior BPDU, which changes port role. ALT port of SW3 changes to RP and takes 30 sec to come to the forwarding state. As the PC1 sends traffic via SW3 after 30 seconds attacker shut down its switch. Re-election of root bridge takes place; this is how the user will be unable to send traffic.

To protect the STP topology from such attack, enable Root Guard on the trunk DP port. Trunk DP port where Root Guard is enabled when receive a superior BPDU goes in the “Root Inconsistent state”. Root Inconsistent state port will be recovered automatically after 20 seconds when attacker remove

Command to enable Root Guard

SW1# interface range e0/0, e0/1

SW1# spanning-tree guard root

Loop Guard

Due to IOS bug SW1 stop sending BPDU. SW3 after 20 second remove the superior BPDU stored at e1 and make it as DP and start sending BPDU received at e0. Alt port e0 is made as RP. There will be no Alt blocking port in the topology. Hence loop occurred.

NOTE- Port where BPDU is not received, BPDU is sent through it. To prevent this loop guard is enabled on RP trunk port.

Trunk RP in which loop guard is enabled if try to transmit BPDU will become “Loop Inconsistent State”. As the IOS bug is removed and BPDU is sent from E0 of SW1 and received at RP port Of SW3, it will immediately recover from an inconsistent state.

Loop guard was basically made if fiber optic cable is used between switches. Fiber optic has two wires, one for sending and other for receiving. If one of them is not working still line protocol will be up.

Command to enable Loop Guard

SW3# interface e1

SW3# spanning-tree guard loop

BPDU Guard

In the access port, we will enable BPDU Guard to protect from attackers. Port where BPDU Guard is enabled and when BPDU is sent to it. It will go in an err-disable state, no data plane and control plane traffic are allowed on that port. To recover from err-disabled state manually shut and no shut the interface.

Command to enable BPDU guard

SW2# interface e2

SW2# spanning-tree bpduguard enable

Command to check which interface is in err-disable state

SW# show interface status err-disabled

Command to recover err-disable state automatically

SW# err-disable recovery cause bpduguard

SW# err-disable recovery interval <time>

BPDU Filter

BPDU Filter is applied on the access port. Port, where BPDU Filter is applied, will not send BPDU through it and when received it will simply discard.

Command to enable BPDU Filter

SW# spanning tree portfast default

(All-access ports will be port fast)

SW# spanning tree portfast bpdufilter default

UDLD (Unidirectional Link Detection)

It is used to detect unidirectional link.
It is cisco proprietary protocol.
It is layer 2 protocol.

We enable UDLD on both port of the switch. If the link gets unidirectional, switch will inform.

UDLD has two modes: –

Normal

In this mode, if the link gets unidirectional, switch will generate log message.

Aggressive

In this mode, if the link gets unidirectional, switch will generate log message and keep the port in err-disable state.

NOTE: – UDLD can be used for the ethernet cable

Command to enable UDLD

SW# udld enable

SW# interface e0

SW# udld port aggressive

Zindagi Technologies is an IT consulting company having engineers with decades of experience in planning, designing, and implementing Data Centers along with Managed IT Services, cybersecurity, cloud services. If you want to secure your network, we are just a call away. Please ping us on +91-9773973971 or drop us a mail at out and we can get in touch with us.

Author
Jainul Khan
Associate Consultant

Post Views: 3,213

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Our Clients

Contacts

What are the different mechanisms to protect Spanning Tree Protocol (STP)?

Leave a comment Cancel reply

Delhi NCR

Bangalore

Chennai

About Us

Quick Links

Contact Us

Subscribe to our latest updates!