Spanning Tree Attacks Question
Kenjin
Member Posts: 20 ■□□□□□□□□□
I have a question regarding spanning tree attacks.
Just reading about enabling BPDU guard to stop spanning tree attacks. OK, I understand the concept of that, but... if we put all the spare ports on our network into another VLAN, wouldn't that stop the attack and achieve the same thing? Because the attacker's switch would not be a part of any of our VLANs?
Comments
networker050184 Mod Posts: 11,962 Mod
All unused ports should be shut down and placed in an unused VLAN.
You would still need BPDU guard if the attack was launched from an authorized user's port. You should also hard code the access ports so that they cannot negotiate a trunk and wreak havoc on your whole switched network.
An expert is a man who has made all the mistakes which can be made.
Kenjin Member Posts: 20 ■□□□□□□□□□
Like I said, if all unused ports were in an unused VLAN, so my question is, how could an attack happen on an unauthorized port, if all the unused ports were in the unused VLAN? That's my question. Oh, and of course all ports were changed from the default state of dynamic desirable.
networker050184 Mod Posts: 11,962 Mod
It won't happen on an unused access port that is assigned to an unused VLAN unless it negotiates a trunk.
You need BPDU Guard to stop an attack on an authorized access port on a used VLAN.
networker050184 Mod Posts: 11,962 Mod
Also ensure that unused VLAN is not allowed on any of your trunks.
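An added example, not part of the thread or any poster's code: a small Python audit of a Cisco IOS-style running-config for the settings recommended above (spare ports shut down and parked in an unused VLAN, access mode hard-coded, BPDU guard on in-use access ports, unused VLAN kept off trunks). The sample config, VLAN 999 and the function names are constructed for illustration, and only per-interface commands are checked.

```python
import re

# Constructed sample running-config (not from the thread); VLAN 999 is an assumed unused VLAN.
SAMPLE = """\
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree bpduguard enable
interface GigabitEthernet0/2
 switchport access vlan 10
interface GigabitEthernet0/3
 switchport access vlan 999
 switchport mode access
 shutdown
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20,999
"""

def parse_interfaces(config):
    # Map each interface name to the config lines indented under it.
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
    return interfaces

def vlan_in_list(vlan, spec):
    # Handles only the plain list/range form, e.g. "10,20-30,999".
    ranges = (part.partition("-") for part in spec.split(","))
    return any(int(lo) <= vlan <= int(hi or lo) for lo, _, hi in ranges)

def audit(config, unused_vlan=999):
    # Per-interface commands only; global defaults are not considered.
    findings, prefix = [], "switchport trunk allowed vlan "
    for name, lines in parse_interfaces(config).items():
        parked = "shutdown" in lines and f"switchport access vlan {unused_vlan}" in lines
        if "switchport mode trunk" in lines:
            allowed = next((l[len(prefix):] for l in lines if l.startswith(prefix)), None)
            if allowed is None or vlan_in_list(unused_vlan, allowed):  # no list = all VLANs
                findings.append((name, "unused VLAN allowed on trunk"))
        elif not parked:  # in-use access port (or spare port not properly parked)
            if "switchport mode access" not in lines:
                findings.append((name, "access mode not hard-coded"))
            if "spanning-tree bpduguard enable" not in lines:
                findings.append((name, "BPDU guard missing"))
    return findings
```

Calling `audit(SAMPLE)` returns a list of `(interface, finding)` pairs; an empty list means every port in the config matches the thread's recommendations.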