Section 4.9: Spanning Tree Protocol Security Features

Cisco added two STP features to help guard against the unexpected. These are:

• The Root Guard Feature, and
• The BPDU Guard Feature.

4.9.1: Root Guard Feature

The root guard feature was introduced to control where candidate Root Bridges can be connected and located on a network.

Switch ports are allocated with the following roles:

• Root Port role is assigned to the port on the switch that is the nearest to the Root Bridge.

• The Designated Port role is assigned to a port on a LAN segment nearest to the Root. The port transmits BPDUs.

• The Blocking role is assigned to ports that are not a Root Port or a Designated Port.

• Forwarding roles are allocated to ports that have no STP activity and are normal end user links.

• The Alternate Port role is allocated to a port in a blocking condition that can become a Root Port.

The Root Port and the Alternate Port are the ports closest to the Root Bridge. A switch learns the current Root Bridge's Bridge ID from the BPDUs it receives. Should another switch be introduced into the network with a higher Bridge ID, or a better BPDU, on a port where root guard is enabled, the new switch will not become the root. The port remains in the root-inconsistent STP state for as long as it receives superior BPDUs, and no data is transmitted or received while the port is in that state. In this manner, a port that is not expected to receive superior BPDUs never becomes a root port. The port returns to its normal STP state once superior BPDUs are no longer received.

The option is disabled by default on switch ports. The following command enables the option:

Switch(config-if)# spanning-tree guard root

4.9.2: BPDU Guard Feature

The BPDU Guard feature was introduced to provide more security and integrity for switch ports that have STP PortFast enabled. When BPDU Guard is enabled, a port goes into the errdisable state as soon as it receives any BPDU. The port shuts down and stays down until it is re-enabled manually or recovered automatically (errdisable recovery). In this manner, an unauthorised switch is prevented from being attached to the port.

The option is disabled by default on switch ports. The following command enables the option:

Switch(config-if)# spanning-tree bpduguard enable
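A combined configuration that places both features where they belong on a Catalyst access-layer switch, added here as an illustration and not taken from the original section: BPDU Guard on the PortFast end-user ports, Root Guard on the port facing a downstream switch, and the automatic errdisable recovery referred to above. The interface names, VLAN number and recovery interval are assumed values.

```cisco
! Access ports facing end hosts: PortFast plus BPDU Guard.
! Any BPDU received on these ports puts the port into errdisable.
interface range GigabitEthernet1/0/1 - 24
 description End-user access port (assumed interface range)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Alternative: enable BPDU Guard globally on every PortFast port,
! so a newly configured access port cannot be left unprotected.
spanning-tree portfast bpduguard default
!
! Port towards a downstream switch that must never become root:
! Root Guard holds the port root-inconsistent while superior BPDUs arrive,
! and releases it once they stop.
interface GigabitEthernet1/0/48
 description Downlink to access switch (assumed interface)
 switchport mode trunk
 spanning-tree guard root
!
! Optional automatic recovery from the errdisable state caused by BPDU Guard.
! Without it the port stays down until "shutdown" / "no shutdown" is entered.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verification (exec mode):
!   show spanning-tree inconsistentports   -> ports held in root-inconsistent state
!   show interfaces status err-disabled    -> ports shut down by BPDU Guard
!   show errdisable recovery               -> enabled causes and recovery timer
```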