To mitigate Spanning-Tree Protocol manipulation, use the root guard and the
BPDU guard features to enforce the placement of the root bridge in the network
as well as enforce the Spanning-Tree Protocol domain borders. The root guard
feature is designed to provide a way to enforce the root-bridge placement in
the network. The Spanning-Tree Protocol BPDU guard is designed to allow network
administrators to keep the active network topology predictable. While BPDU
guard may seem unnecessary given that the administrator can set the bridge
priority to zero, there is still no guarantee that it will be elected as the
root bridge because there might be a bridge with priority zero and a lower
bridge ID. BPDU guard is best deployed towards user-facing ports to prevent
rogue switch network extensions by an attacker.
Spanning-Tree Protocol Guard
Use the spanning-tree guard interface configuration command to enable root
guard or loop guard on all the VLANs associated with the selected interface.
Root guard restricts which interface is allowed to be the Spanning-Tree root
port or the path to the root for the switch. Loop guard prevents alternate or
root ports from becoming designated ports when a failure creates a
unidirectional link. Use the no form of this command to return to the default
setting. The syntax for the spanning-tree guard command is shown in Figure.
Spanning-Tree Protocol BPDU Guard
Use the spanning-tree portfast global configuration command to globally enable
BPDU filtering on Port Fast-enabled ports, the BPDU guard feature on Port
Fast-enabled ports, or the Port Fast feature on all nontrunking ports. The BPDU
filtering feature prevents the switch port from sending or receiving BPDUs. The
BPDU guard feature puts Port Fast-enabled ports that receive BPDUs in an
error-disabled state. Use the no form of this command to return to the default
setting. The syntax for the spanning-tree portfast command is shown in Figure.
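The following Cisco IOS configuration is an added example covering both the spanning-tree guard and the spanning-tree portfast commands described above; it is not taken from the original guide, and the interface names, VLAN number and the 300-second err-disable recovery interval are assumed values. It shows the weak access-layer configuration next to the hardened one, with root guard on the downstream trunk and BPDU guard on every Port Fast port, followed by the show commands used to verify that both guards are active.

```cisco
! Added example configuration (not from the original guide). Interface names,
! VLAN 10 and the recovery interval of 300 seconds are assumed values.
!
! --- Weak: Port Fast on the access ports with no BPDU guard, and no root guard
! --- on the trunk facing the access layer. A switch plugged into any access
! --- port can send BPDUs and change the active topology.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet1/0/25
 switchport mode trunk
!
! --- Hardened: BPDU guard on every Port Fast-enabled port (global default),
! --- root guard on the trunk that must never become the path to the root,
! --- loop guard as the global default for unidirectional-link failures.
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 ! per-interface form; explicit even though the global default already applies
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/25
 description Downlink to access switch; root must never be learned here
 switchport mode trunk
 ! root guard applies to all VLANs carried on this trunk
 spanning-tree guard root
!
! Recover BPDU-guard err-disabled ports automatically instead of by hand
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! --- Verification
! Global status of Port Fast, BPDU guard, BPDU filter and loop guard defaults
show spanning-tree summary
! Ports that root guard has placed in the root-inconsistent (blocking) state
show spanning-tree inconsistentports
! Ports that BPDU guard has shut down
show interfaces status err-disabled
```

A port listed by show spanning-tree inconsistentports means a superior BPDU arrived on a root-guarded port; it recovers on its own once those BPDUs stop, whereas a BPDU-guard err-disabled port stays down until the recovery timer fires or the port is bounced.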