OL-11615-01
A newer version of STP, called Rapid-STP (RSTP), is defined in IEEE 802.1w. RSTP works similarly
to STP, but provides better convergence after a failure of a switch, switch port, or a LAN. RSTP
significantly reduces the time to reconfigure the active topology of the network when changes to the
physical topology or its configuration parameters occur. RSTP supersedes STP specified in 802.1D, but
remains compatible with STP.
STP is a useful protocol, but unfortunately both versions of the protocol were conceived with no security
in mind and, as a result, they are vulnerable to several types of attacks. STP does not implement any
authentication or encryption to protect the exchange of BPDUs. Because of the lack of authentication,
anyone can speak to an STP-enabled device. An attacker could very easily inject bogus BPDUs,
triggering a topology recalculation. A forced change to the STP topology could lead to a DoS
condition, or leave the attacker as a man-in-the-middle. In addition, because BPDUs are not encrypted,
it is fairly simple to intercept BPDUs in transit, revealing important topology information.
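The following Python example is added here and is not part of the Cisco document. It decodes an IEEE 802.1D/802.1w Configuration BPDU to show how much topology information a plaintext, unauthenticated BPDU carries (root bridge priority, VLAN, MAC address, path cost, sender, timers), and then applies the 802.1D priority-vector comparison to show why a BPDU advertising a lower bridge ID is accepted as the new root, which is exactly the condition root guard is meant to block. The two frames, MAC addresses, VLAN and priorities are constructed for the example; only the IEEE multicast/LLC encapsulation is handled (Cisco PVST+ BPDUs for non-native VLANs use a different SNAP encapsulation, not parsed here).

```python
"""Decode 802.1D/802.1w Configuration BPDUs and rank them by the STP priority vector.

Added example, not from the Cisco document. Frames below are constructed.
"""
import struct

STP_MULTICAST = bytes.fromhex("0180c2000000")  # destination MAC of every IEEE BPDU
LLC_STP = b"\x42\x42\x03"                        # DSAP 0x42, SSAP 0x42, UI control
CONFIG_BPDU_LEN = 35                             # length of an 802.1D Configuration BPDU


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """802.1t bridge ID: 4-bit priority, 12-bit system ID extension (VLAN on PVST+), MAC."""
    if priority % 4096 or not 0 <= priority <= 61440 or not 0 <= vlan <= 4095:
        raise ValueError("priority must be a multiple of 4096 in 0..61440, vlan 0..4095")
    return ((priority | vlan) << 48) | int(mac.replace(":", ""), 16)


def describe_bridge(bid: int) -> dict:
    """Split a 64-bit bridge ID back into priority, system ID extension and MAC."""
    hi, mac = bid >> 48, bid & 0xFFFFFFFFFFFF
    return {"priority": hi & 0xF000, "vlan": hi & 0x0FFF,
            "mac": ":".join("%02x" % b for b in mac.to_bytes(6, "big"))}


def build_config_bpdu(root, cost, sender, port_id,
                      msg_age=0, max_age=20, hello=2, fwd_delay=15) -> bytes:
    """Constructed 802.3/LLC frame carrying a Configuration BPDU (timers given in seconds)."""
    # protocol id 0, version 0 (STP), type 0x00 (Configuration), flags 0
    body = struct.pack("!HBBBQIQHHHHH", 0, 0, 0x00, 0, root, cost, sender, port_id,
                       msg_age * 256, max_age * 256, hello * 256, fwd_delay * 256)
    src = (sender & 0xFFFFFFFFFFFF).to_bytes(6, "big")
    return STP_MULTICAST + src + struct.pack("!H", len(LLC_STP) + len(body)) + LLC_STP + body


def parse_bpdu(frame: bytes) -> dict:
    """Parse a Configuration (0x00) or RST (0x02) BPDU; everything is in the clear."""
    if frame[0:6] != STP_MULTICAST or frame[14:17] != LLC_STP:
        raise ValueError("not an IEEE STP BPDU")
    body = frame[17:]
    proto, version, bpdu_type = struct.unpack("!HBB", body[:4])
    if proto != 0 or bpdu_type not in (0x00, 0x02):
        raise ValueError("unsupported protocol/BPDU type 0x%02x" % bpdu_type)
    (flags, root, cost, sender, port_id, msg_age, max_age,
     hello, fwd_delay) = struct.unpack("!BQIQHHHHH", body[4:CONFIG_BPDU_LEN])
    return {
        "version": "RSTP" if version == 2 else "STP",
        "flags": flags,
        "root": describe_bridge(root),
        "root_path_cost": cost,
        "sender": describe_bridge(sender),
        "port_id": port_id,
        # timers are carried on the wire in units of 1/256 second
        "timers": {"message_age": msg_age / 256, "max_age": max_age / 256,
                   "hello": hello / 256, "forward_delay": fwd_delay / 256},
        "_key": (root, cost, sender, port_id),
    }


def is_superior(candidate: dict, current: dict) -> bool:
    """802.1D priority vector: lower root ID, then root path cost, then sender ID, then port ID wins."""
    return candidate["_key"] < current["_key"]


# Constructed sample: the legitimate root (priority 24576 on VLAN 10) as relayed by a
# downstream switch, and a bogus BPDU from an edge port claiming priority 0.
LEGIT = build_config_bpdu(
    root=bridge_id(24576, 10, "00:1a:a1:00:00:01"), cost=4,
    sender=bridge_id(32768, 10, "00:1a:a1:00:00:02"), port_id=0x8001)
FORGED = build_config_bpdu(
    root=bridge_id(0, 10, "de:ad:be:ef:00:01"), cost=0,
    sender=bridge_id(0, 10, "de:ad:be:ef:00:01"), port_id=0x8001)


def main():
    current, rogue = parse_bpdu(LEGIT), parse_bpdu(FORGED)
    print("current root :", current["root"], "via cost", current["root_path_cost"])
    print("rogue claims :", rogue["root"])
    print("rogue BPDU would win the root election:", is_superior(rogue, current))


if __name__ == "__main__":
    main()
```

Nothing in the parsed fields is protected: a receiving switch has no way to tell the forged frame from the legitimate one, which is why the page relies on port-level controls (BPDU guard on user ports, root guard on ports where the root must never appear) rather than on the protocol itself.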
Fortunately, Catalyst 6500 and 4500 Series switches support a set of features that help protect bridged
networks using STP, and these are covered in this section (with exceptions noted). The following are the
recommended best practices:
• Disable VLAN auto-negotiated trunking on user ports.
• Disable unused ports and put them into an unused VLAN (as covered in the previous section).
• Use Per-VLAN Spanning Tree (PVST).
• Implement port security (refer to Port Security, page 27).
• Enable traffic storm control (refer to Traffic Storm Control, page 32).
• Configure BPDU guard.
• Configure STP root guard.
Note: Catalyst 6500 and 4500 Series switches provide other Layer 2 services that are not directly related to
infrastructure protection but that help secure the network. Refer to Other Security Services, page 109, to
learn more about these security services.
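The following Python script is added here and is not part of the Cisco document. It audits a running-config against the user-port items in the list above (auto-negotiated trunking disabled, unused ports shut down and parked in an unused VLAN, port security, traffic storm control, BPDU guard) so that the checks can be run across many switches rather than eyeballed. It assumes Cisco IOS configuration syntax (the command shown later in this section is Catalyst OS syntax; the IOS equivalent of set trunk off is switchport mode access with switchport nonegotiate), that Layer 2 ports carry an explicit switchport line, and that VLAN 999 is the parking VLAN for unused ports; the sample configuration is constructed for the example.

```python
"""Audit Cisco IOS interface stanzas against the STP/Layer 2 user-port best practices.

Added example, not from the Cisco document. SAMPLE_CONFIG is constructed; the
parking VLAN number is an assumption for the example.
"""

UNUSED_VLAN = 999  # assumed "parking" VLAN for disabled, unused ports

# command prefix expected on every active user port -> finding if it is absent
USER_PORT_CHECKS = {
    "switchport mode access": "DTP: port not forced to access mode, a trunk could be negotiated",
    "switchport nonegotiate": "DTP: auto-negotiated trunking not disabled (DTP frames still sent)",
    "switchport port-security": "port security not enabled",
    "storm-control": "traffic storm control not enabled",
    "spanning-tree bpduguard enable": "BPDU guard not enabled",
}

# Constructed sample running-config: one hardened port, one at factory defaults,
# one unused port that was shut down but left in VLAN 1, and one trunk uplink.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 description user port, hardened
 switchport
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 storm-control broadcast level 1.00
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/2
 description user port, factory defaults
 switchport
 switchport access vlan 20
!
interface GigabitEthernet1/3
 description unused
 switchport
 shutdown
!
interface GigabitEthernet1/4
 description uplink to distribution
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
"""


def parse_interfaces(config: str) -> dict:
    """Split an IOS running-config into {interface name: [indented config lines]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces


def audit_interface(lines: list) -> list:
    """Return the list of best-practice findings for one interface stanza."""
    findings = []
    if "switchport" not in lines:
        return findings  # routed or SVI interface: outside the scope of these checks
    if any(l.startswith("switchport mode trunk") for l in lines):
        return findings  # deliberate trunk (uplink): handled by the trunk/root guard guidance
    if "shutdown" in lines:
        vlan = next((int(l.split()[-1]) for l in lines
                     if l.startswith("switchport access vlan ")), 1)  # IOS default is VLAN 1
        if vlan != UNUSED_VLAN:
            findings.append(f"unused port is in VLAN {vlan}, not parking VLAN {UNUSED_VLAN}")
        return findings
    for prefix, message in USER_PORT_CHECKS.items():
        if not any(l.startswith(prefix) for l in lines):
            findings.append(message)
    return findings


def audit_config(config: str) -> dict:
    """Audit every interface; interfaces with an empty list are compliant or out of scope."""
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

Feed it the output of show running-config from each switch; ports on which the list of findings is empty either meet the list above or are trunks and routed ports, which the script deliberately leaves to the trunk-side guidance (root guard) rather than misreporting.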
Disabling Auto-Negotiated Trunking
By default, all Ethernet ports on Catalyst switches are set to auto-negotiated trunking mode.
Auto-negotiated trunking allows switches to automatically negotiate ISL and 802.1Q trunks. The
negotiation is managed by the Dynamic Trunking Protocol (DTP). Setting a port to auto-negotiated
trunking mode makes the port willing to convert the link into a trunk link, and the port becomes a trunk
port if the neighboring port is set as a trunk, or configured in desirable mode. At the same time, a port
configured in desirable mode becomes a trunk if the neighboring port is set to trunk, desirable, or auto
mode.
While the auto-negotiation of trunks facilitates the deployment of switches, anyone can take advantage
of this feature and easily set up an illegitimate trunk. For this reason, auto-negotiated trunking should
be disabled on all ports connecting to end users.
In Catalyst OS, auto-negotiated trunking can be disabled on a port using the set trunk off command. By
default, auto-negotiated trunking is set to auto, which causes the port to become a trunk port if the
neighboring port tries to negotiate a trunk link. Using the off keyword forces the port to become a
nontrunk port and persuades the neighboring port to become a nontrunk port:
Console> (enable) set trunk mod/ports {on | off | desirable | auto | nonegotiate} [vlans | none] [isl | dot1q | dot10 | lane | negotiate]