Networking Technologies by Johnny Bandin
Networking Knowledge
Networking KnowledgeAnsible
Networking Knowledge
Networking KnowledgeAnsible
  • Cisco Networking Fundamentals
  • VLANs Knowledge
    • Creating and Assigning VLANs
    • Creating Trunks
    • Creating SVIs
  • etherchannel overview
    • Etherchannel Layer 2 LACP Configuration
    • Etherchannel Layer 3 LACP Configuration
  • DHCP Overview
    • DHCP Configuration
  • Layer 2 Security
    • Blackhole VLAN Configuration
    • Port Security
    • BPDUGuard and Root Guard
    • DHCP Snooping Configuration
    • Dynamic ARP Inspection
  • Key Chains
  • ACLs
    • Standard ACLs
    • Extended and Named ACLs
  • EIGRP
    • EIGRP Named Mode
    • EIGRP Authentication, Passive-Interface, Summarization
    • EIGRP Stub Routing, Leak-Maps
Powered by GitBook
On this page
  1. Layer 2 Security

BPDUGuard and Root Guard

PreviousPort SecurityNextDHCP Snooping Configuration

Last updated 2 years ago

- The spanning-tree protocol is a Layer 2 Control plane protocol that prevents switching loops by electing a root bridge and placing switchport into a Forwarding or blocking state. Cisco switches will send Bridge Protocol Datagram Units per VLAN to elect a root switch, which all other switches will forward traffic too.

- STP is also vulnerable to Layer 2 attacks like Superior BDPU's, and malicious users creating a broadcast storm by flooding the switched architecture with BPDU's.

- Rootguard will prevent the manipulation of root bridge elections by placing protecting the root bridge from receiving superior BPDU's.

For this How To we will configure rootguard on the root switches trunk ports.

SW3(config)#interface range eth0/1 - 2 # This command brings you into the sub-configuration mode for a range of interfaces.

SW3(config-if-range)#spanning-tree guard root # This command will place a designated port on the root bridge into a "blocking" state

Verification. Now lets see what happens to our topology once we apply rootguard and attempt to send a superior BPDU to SW3

As you can see here SW3 is the root bridge for VLAN. We have already configured rootguard. Now lets go to SW2 and try to make it the root bridge and check what happens on SW3

- As you can see now the two interfaces facing the other switches are in a blocking state. This is because SW2 tried to send a "superior BPDU" to SW3 from SW1 and from itself.

BPDUGuard

BPDUGuard is a feature we apply to our access ports to prevent the interfaces facing our users from processing BPDUs. This protects our switched architecture from BPDUs being flooded into the network.

SW2(config)#interface range eth0/1, eth0/3 # This command brings you into the sub-configuration mode for a range of interfaces.

SW2(config-if-range)#spanning-tree bpduguard enable # This command will place a port into an "err-disabled" state if the port receives a BPDU

The full configuration is shown below

Verification. Now let's attach a switch to the access ports and see how they respond. As we can see below with a switch connected and sending BPDU's the access port goes into a "err-disabled" state.

Layer 2 Network Security Diagram
show spanning-tree vlan 10 command and output
spanning-tree vlan 10 priority command
show spanning-tree vlan command and output
spanning-tree bpduguard enable command/configuration
Quick Clip of the devices we are configuring
show interface ethernet command that shows the "err-disabled" state
show interface status using REGEX to only see the "err-disabled" interfaces
Page cover image