STP Portfast, BPDU Guard, Root Guard Configs | STP Attacks Prevention - joye-max/Networking-Labs GitHub Wiki

STP Portfast, BPDU Guard, Root Guard Configs, STP Attacks Prevention

STP ATTACK PREVENTION

STP PORTFAST

PortFast lets a port move straight from the blocking state to the forwarding state by bypassing the listening and learning states. PortFast is recommended only on non-trunking access ports, such as edge ports, because those ports typically do not send or receive BPDUs.

BPDU Guard

Because PortFast can be enabled on non-trunking ports that connect two switches, spanning-tree loops can occur on such ports, since Bridge Protocol Data Units (BPDUs) are still transmitted and received on them.

Therefore, PortFast BPDU Guard prevents such a loop by moving a non-trunking switch port into the errdisable state when a BPDU is received on that port.

ROOT Guard

Root Guard is an STP feature that is enabled on a port-by-port basis; it prevents a configured port from becoming a root port. Root Guard prevents a downstream switch (often misconfigured or rogue) from becoming the root bridge of the topology. Root Guard works by placing a port in the errDisabled state if a superior BPDU is received on a configured port. This prevents the configured designated port (DP) with Root Guard from becoming a root port (RP).
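The hardening rules above, as a configuration audit added here (example code, not from the Networking-Labs wiki): it parses a constructed IOS-style config and flags access ports that lack BPDU Guard and trunk ports that run PortFast. It assumes the standard IOS commands (`spanning-tree portfast`, `spanning-tree bpduguard enable`, `spanning-tree guard root`) and honours the global `spanning-tree portfast bpduguard default`.

```python
# Added example (not from the Networking-Labs wiki): audit an IOS-style config
# for the PortFast / BPDU Guard hardening described above (standard IOS syntax).
# Constructed sample: Gi0/1 has PortFast but no BPDU guard, Gi0/2 is hardened,
# Gi0/3 wrongly runs PortFast on a trunk, Gi0/4 is guarded by root guard.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
interface GigabitEthernet0/3
 switchport mode trunk
 spanning-tree portfast
interface GigabitEthernet0/4
 switchport mode trunk
 spanning-tree guard root
"""

def parse_config(config):
    """Split an IOS config into global commands and per-interface command sets."""
    global_cmds, interfaces, current = set(), {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif line.startswith(" ") and current is not None:
            interfaces[current].add(line.strip())
        else:  # '!' or a global command ends the interface stanza
            current = None
            if line and line != "!":
                global_cmds.add(line.strip())
    return global_cmds, interfaces

def audit(config):
    """Return sorted (interface, finding) pairs for STP edge-port weaknesses."""
    global_cmds, interfaces = parse_config(config)
    guard_default = "spanning-tree portfast bpduguard default" in global_cmds
    findings = []
    for name, cmds in interfaces.items():
        portfast = "spanning-tree portfast" in cmds
        # BPDU guard counts if set on the port, or globally for PortFast ports
        bpduguard = "spanning-tree bpduguard enable" in cmds or (portfast and guard_default)
        if portfast and "switchport mode trunk" in cmds:
            findings.append((name, "portfast on trunk port"))
        if "switchport mode access" in cmds and not bpduguard:
            findings.append((name, "access port without bpduguard"))
    return sorted(findings)
```

Run `audit(SAMPLE_CONFIG)` to list the two weak ports; prepending the global `spanning-tree portfast bpduguard default` line clears the Gi0/1 finding but still reports PortFast on the trunk.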

STP (Spanning Tree Protocol) is a networking protocol used in switches to prevent problems caused by loops in a network.

What is a Loop in Networking?

A loop happens when there are multiple paths for data to travel between devices. This can confuse the network, leading to:

• Endless data circulation (broadcast storms).

• Network slowdowns or crashes.

Why is STP Used?

  1. Stops Loops: STP automatically detects loops in the network and blocks extra paths to stop them from causing problems.

  2. Provides Backup: If the main connection fails, STP activates a backup path to keep the network running.

  3. Keeps the Network Stable: By managing paths, STP prevents unnecessary data traffic and makes the network more reliable.