Mitigating STP Attacks
An STP attack is a network attack that targets the Spanning Tree Protocol (STP), which switches run to keep Layer 2 topologies loop-free. The attacker sends forged Bridge Protocol Data Units (BPDUs), the messages that switches exchange to learn the topology and elect a root bridge.
Specifically, the attacker sends superior BPDUs that advertise a bridge ID lower than that of the current root bridge. Because STP elects the bridge with the lowest bridge ID (priority followed by MAC address) as the root, the other switches accept the attacker's device as the new root bridge. Any port that processes BPDUs, including an ordinary access port, can be used for this. Once the attacker holds the root role, the other switches recompute their port roles around it, so the attacker controls the topology and can steer frames between segments through its own device.
As the image above shows, SW1 is initially the root bridge, but this changes once the attacker starts sending superior BPDUs. The attacker becomes the root bridge, and after the STP recalculation different ports are blocked, so traffic between the legitimate switches now crosses the attacker's links. This gives the attacker an easily established man-in-the-middle position.
To protect against this attack, enable the root guard feature on the interfaces that should never lead toward the root bridge: the designated ports of the legitimate root and any downstream-facing port on which a superior BPDU would be unexpected. Root guard prevents unauthorized changes to the STP topology by refusing to let an interface on which it is enabled become a root port when a superior BPDU arrives there. Do not enable it on the uplinks of non-root switches that legitimately receive BPDUs from the real root, since those ports would then be blocked as well.
When a superior BPDU arrives on a root-guard-enabled interface, the switch places that interface in the root-inconsistent state, in which it stops forwarding (effectively a listening state), and keeps it there for as long as the superior BPDUs continue to arrive. Once they stop, the interface recovers on its own after the max age timer expires; no manual intervention is required.
As the image above shows, with root guard enabled SW1 continues to operate as the root bridge regardless of the superior BPDUs it receives. To enable the feature, configure the spanning-tree guard root command in interface configuration mode on each interface you want to protect. The switch logs a %SPANTREE-2-ROOTGUARD_BLOCK message when it blocks a port, and the show spanning-tree inconsistentports command lists the interfaces currently held in the root-inconsistent state, which is the quickest way to confirm the feature is working and to spot an attack in progress.
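As an added example, not part of the original article, the Python below parses IEEE 802.1D configuration BPDUs, ranks them the way STP does (root ID first, then root path cost, sender bridge ID and port ID, lowest wins), and models how a designated port on SW1 reacts to a forged superior BPDU with and without root guard. The bridge MACs, priorities, interface names and the forged frame are constructed for the demonstration, and recovery is simplified to the default 20-second max age.

```python
"""Parse 802.1D configuration BPDUs, rank them the way STP does, and model the
root guard reaction of a designated port on the legitimate root bridge (SW1)."""
import struct
from dataclasses import dataclass

# Configuration BPDU layout (802.1D, 35 bytes, following the 0x42 0x42 0x03 LLC header):
# protocol ID, version, BPDU type, flags, root ID, root path cost, bridge ID,
# port ID, message age, max age, hello time, forward delay (times in 1/256 s).
BPDU_FMT = ">HBBB8sI8sHHHHH"
BPDU_LEN = struct.calcsize(BPDU_FMT)  # 35
MAX_AGE_SECONDS = 20  # default STP max age; a root-inconsistent port recovers after it


@dataclass(frozen=True)
class BridgeId:
    priority: int  # 16 bits: 4-bit priority (multiples of 4096) + 12-bit system ID extension (VLAN)
    mac: bytes     # 6-byte bridge MAC address

    @classmethod
    def from_bytes(cls, raw):
        return cls(struct.unpack(">H", raw[:2])[0], bytes(raw[2:8]))

    def to_bytes(self):
        return struct.pack(">H", self.priority) + self.mac

    def key(self):
        # STP compares the full 64-bit bridge ID as an unsigned number: lowest wins,
        # so a forged priority 0 (or the same priority with a lower MAC) beats SW1.
        return int.from_bytes(self.to_bytes(), "big")

    def __str__(self):
        return f"{self.priority}.{self.mac.hex(':')}"


@dataclass(frozen=True)
class ConfigBpdu:
    root_id: BridgeId
    root_path_cost: int
    bridge_id: BridgeId
    port_id: int

    @classmethod
    def parse(cls, payload):
        if len(payload) < BPDU_LEN:
            raise ValueError("truncated BPDU")
        proto, _ver, kind, _flags, root, cost, bridge, port, *_timers = struct.unpack(
            BPDU_FMT, payload[:BPDU_LEN])
        if proto != 0 or kind != 0x00:
            raise ValueError("not an 802.1D configuration BPDU")
        return cls(BridgeId.from_bytes(root), cost, BridgeId.from_bytes(bridge), port)

    def priority_vector(self):
        # 802.1D ranks BPDUs by (root ID, root path cost, sender bridge ID, sender port ID).
        return (self.root_id.key(), self.root_path_cost, self.bridge_id.key(), self.port_id)

    def is_superior_to(self, other):
        return self.priority_vector() < other.priority_vector()


def build_config_bpdu(root, cost, bridge, port_id, max_age=MAX_AGE_SECONDS):
    """Encode a configuration BPDU; used here to construct the forged frame."""
    return struct.pack(BPDU_FMT, 0, 0, 0x00, 0x00, root.to_bytes(), cost,
                       bridge.to_bytes(), port_id, 0, max_age * 256, 2 * 256, 15 * 256)


class DesignatedPort:
    """A designated port on SW1. SW1 believes it is root and advertises `own`."""

    def __init__(self, name, own, root_guard):
        self.name = name
        self.own = own                 # the BPDU SW1 sends out of this port
        self.root_guard = root_guard
        self.state = "forwarding"
        self.since_superior = None     # seconds since the last superior BPDU

    def receive(self, payload):
        bpdu = ConfigBpdu.parse(payload)
        if not bpdu.is_superior_to(self.own):
            return f"{self.name}: inferior BPDU ignored"
        if self.root_guard:
            # Root guard: SW1 stays root; the port is held in the root-inconsistent (blocked) state.
            self.state = "root-inconsistent"
            self.since_superior = 0
            return f"{self.name}: root guard blocking port, superior root {bpdu.root_id}"
        # Plain STP accepts the claim: this port now points toward the attacker as root.
        self.state = "root-port"
        return f"{self.name}: accepted {bpdu.root_id} as root bridge"

    def tick(self, seconds):
        """Advance time; recovery happens once max age passes with no superior BPDU."""
        if self.state != "root-inconsistent":
            return
        self.since_superior += seconds
        if self.since_superior >= MAX_AGE_SECONDS:
            self.state = "listening"   # resumes normal STP transitions, no manual intervention
            self.since_superior = None


def demo():
    """Constructed scenario: SW1 (priority 4096) versus an attacker claiming priority 0."""
    sw1 = BridgeId(4096, bytes.fromhex("0000aa000001"))        # constructed MAC
    attacker = BridgeId(0, bytes.fromhex("0000bb000002"))      # constructed MAC
    sw1_bpdu = ConfigBpdu(sw1, 0, sw1, 0x8001)                 # SW1 is root: cost 0, own ID as root
    forged = build_config_bpdu(attacker, 0, attacker, 0x8001)  # attacker claims to be root
    guarded = DesignatedPort("Gi0/2", sw1_bpdu, root_guard=True)
    unguarded = DesignatedPort("Gi0/3", sw1_bpdu, root_guard=False)
    log = [guarded.receive(forged), unguarded.receive(forged)]
    during = (guarded.state, unguarded.state)
    guarded.tick(MAX_AGE_SECONDS)   # the attacker goes quiet; the port recovers by itself
    return {"superior": ConfigBpdu.parse(forged).is_superior_to(sw1_bpdu),
            "log": log, "during": during, "after": guarded.state}


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

Running the file prints one line per port: the guarded port reports that root guard is blocking it while the unguarded port accepts the attacker as root, which is exactly the difference between the two images the article describes. The same parse-and-compare logic, fed BPDUs captured from a monitoring port, is a simple way to alert on any BPDU that claims a root ID lower than the one you configured.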