OL-11615-01
occurs in one VLAN, the effects are contained in that VLAN, shielding the rest of the network. The
Catalyst switches implement several versions of PVST (such as PVST+ and Rapid-PVST+). It should be
noted that some of these versions are Cisco proprietary, and they should not be used in multi-vendor
environments.
Another good practice is to enable BPDU guard on all ports connecting to non-switching devices, such
as workstations and servers. Non-switching devices are not supposed to participate in STP. Therefore,
they should not send any BPDUs. When enabled on a port, BPDU guard shuts down the port as soon as
a BPDU is received on that port. In this way, BPDU guard helps prevent unauthorized access and the
illegal injection of forged BPDUs. It should be noted that BPDU guard requires STP PortFast to first be
configured on the port.
Because all topology calculations in STP are based on the location of the root bridge, another good
security practice is to enforce the placement of the root bridge. To that end, an administrator can set the
root bridge priority to 0. But unfortunately, nothing can prevent another switch from being configured
with a priority of 0 and a lower MAC address. Fortunately, STP root guard provides an effective way to
enforce the placement of the root bridge. When enabled on selected ports, STP root guard prevents the
surrounding switches from becoming the root bridge.
STP root guard should be configured on all ports connecting to non-root candidate switches (switches
that should never become the root bridge). In a typical environment, you can always identify ports where
the root bridge should not appear. For example, as shown in Figure 6, Switch A is the root bridge and
Switch D is not expected to become root. Hence, to prevent Switch D from negotiating a root role, STP
root guard should be enabled on the Switch C port that connects to Switch D.
Figure 6 STP Root Guard
Note Loop Guard cannot be enabled if root guard is enabled.
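The following Catalyst IOS configuration is an added example, not taken from this Cisco document; it shows the two STP protections described above applied on Switch C from Figure 6. The hostname, interface numbers, VLAN range and recovery interval are assumptions chosen for illustration.

```cisco
! Added example (not from the original document). Hostname, interface
! numbers, VLAN range and timers are assumed values.
hostname SwitchC
!
! Root bridge placement is done on Switch A, not here; for reference,
! the command used there would be:
!   spanning-tree vlan 1-100 priority 0
!
! Access ports toward workstations and servers: PortFast must be enabled
! before BPDU guard takes effect on the port.
interface range GigabitEthernet1/0/1 - 24
 description Access ports to non-switching devices
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Equivalent global form: BPDU guard on every PortFast-enabled port.
spanning-tree portfast bpduguard default
!
! Port facing Switch D, a non-root candidate: root guard drops the port
! into root-inconsistent state if a superior BPDU arrives from Switch D.
interface GigabitEthernet1/0/48
 description Uplink to Switch D (never root)
 spanning-tree guard root
!
! Optional: bring BPDU-guard err-disabled ports back after 300 seconds
! instead of requiring a manual shutdown / no shutdown.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verification (exec mode):
!   show spanning-tree summary
!   show spanning-tree interface GigabitEthernet1/0/48 detail
!   show spanning-tree inconsistentports
```

A port that BPDU guard err-disables stays down until it is reset or the errdisable recovery timer expires; a root-guard port recovers on its own once superior BPDUs stop arriving. Monitoring syslog for SPANTREE err-disable and root-guard block events on these ports gives early warning of an unexpected switch or forged BPDUs on an access segment.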
Deploying Routing Protocol Security
This section provides the deployment guidelines for the tools and best practices used to protect the
dynamic exchange of routing updates, as described in Routing Protocol Security, page 24.
Implementing neighbor authentication is a recommended security practice. Protocols such as BGP,
EIGRP, OSPF, and IS-IS support various forms of neighbor authentication, including plain text and MD5
authentication. Plain text authentication sends the authenticating key itself over the wire, which is not
secure. Plain text authentication only helps avoid accidental changes to the routing updates. Whenever
[Figure 6 diagram: switches A, B, C and D; Switch A labeled Root; Root Guard marked on the Switch C port toward Switch D]