Spanning Tree Attacks Question

Kenjin Member Posts: 20
I have a question regarding spanning tree attacks.

Just reading about enabling BPDU guard to stop spanning tree attacks. OK, I understand the concept of that, but... if we put all the spare ports on our network into another VLAN, wouldn't that stop the attack and achieve the same thing? Because the attacker's switch would not be a part of any of our VLANs?

Comments

  • networker050184 Mod Posts: 11,962 Mod
    All unused ports should be shutdown and placed in an unused VLAN.

    You would still need BPDU guard if the attack was launched from an authorized users port. You should also hard code the access ports so that they can not negotiate a trunk and wreak havoc on your whole switched network.
    An expert is a man who has made all the mistakes which can be made.
  • Kenjin Member Posts: 20
    Like I said, if all unused ports were in an unused VLAN, my question is: how could an attack happen on an unauthorized port, if all the unused ports were in the unused VLAN? That's my question. Oh, and of course all ports were changed from the default state of dynamic desirable.
  • networker050184 Mod Posts: 11,962 Mod
    It won't happen on an unused access port that is assigned to an unused VLAN unless it negotiates a trunk.

    You need BPDU Guard to stop an attack on an authorized access port on a used VLAN.
    An expert is a man who has made all the mistakes which can be made.
  • Kenjin Member Posts: 20
    Thanks for clarifying that for me.
  • networker050184 Mod Posts: 11,962 Mod
    Also ensure that unused VLAN is not allowed on any of your trunks.
    An expert is a man who has made all the mistakes which can be made.
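As an added example (not from the thread or any vendor tool), the script below audits a Cisco IOS style running-config for the hardening steps networker050184 lists: unused ports shut down and parked in an unused VLAN, access ports hard-coded so DTP cannot negotiate a trunk, BPDU guard on live access ports, and the unused VLAN pruned from every trunk. The unused VLAN number (999), the interface names and the sample config are constructed assumptions.

```python
# Constructed example, not vendor tooling: audit a Cisco IOS style running-config for
# the thread's steps (ports parked shut in an unused VLAN, hard-coded access, BPDU guard).
UNUSED_VLAN = "999"  # assumption: the VLAN reserved for parked ports
# Constructed sample: Gi0/1 hardened user port, Gi0/2 parked port done right,
# Gi0/3 live port left at defaults, Gi0/24 trunk still carrying the unused VLAN.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree bpduguard enable
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 999
 shutdown
interface GigabitEthernet0/3
 switchport access vlan 10
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20,999
"""

def parse_interfaces(config):
    """Map each interface name to the set of commands configured under it."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = set()
        elif current and line.startswith(" "):
            ifaces[current].add(line.strip())
    return ifaces

def setting(lines, prefix):  # last word (the VLAN or VLAN list) of a command, or None
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), None)

def audit(config):
    """Return sorted (interface, finding) tuples; an empty list means compliant."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" in lines:
            allowed = setting(lines, "switchport trunk allowed vlan")
            if allowed is None or UNUSED_VLAN in allowed.split(","):  # None = all VLANs
                findings.append((name, "trunk carries the unused VLAN"))
            continue
        if "switchport mode access" not in lines:
            findings.append((name, "not hard-coded access; default DTP can negotiate a trunk"))
        if setting(lines, "switchport access vlan") == UNUSED_VLAN:
            if "shutdown" not in lines:
                findings.append((name, "parked port not shut down"))
        elif "spanning-tree bpduguard enable" not in lines:
            findings.append((name, "live access port without BPDU guard"))
    return sorted(findings)
```

Run `audit(SAMPLE_CONFIG)` to see the two defaults left on Gi0/3 and the trunk on Gi0/24 flagged while the hardened and parked ports pass; VLAN ranges such as `10-20` in the allowed list are not expanded by this simple checker.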