How to use the spanning tree BPDU guard to prevent switching loop/attacks on your network
As we all know, the spanning tree protocol is used to prevent switching loops, but because of the 30-second delay before a port starts forwarding, you can run the rapid spanning tree protocol with PortFast on interfaces connecting to end devices to eliminate this delay. When that is the case, ports transition quickly to the forwarding state. To make sure that end users do not connect switches, or run applications on their computers that negotiate a trunk with the switch and subsequently take over as the root bridge, spanning tree BPDU guard must be configured on those ports.
A user can launch a man-in-the-middle attack by plugging a switch with a lower priority number into the network. When this happens, the switch (provided it is in the same VTP domain as the rest of the switches on the network) becomes the root bridge. As the root bridge, all user traffic is sent via that switch to the gateway. The man in the middle can then use an app like Wireshark to sniff and analyze user packets.
One of the ways to guard against the situation explained above is to enable spanning tree BPDU guard on ports that are not connected to switches (access ports). When this is done, BPDU guard shuts such a port down (puts it into the err-disabled state) as soon as a BPDU is received on it. The configuration commands below show how to enable BPDU guard on a switch port.
sw(config)#spanning-tree portfast bpduguard default
! Example interface name (assumed); repeat for every access port facing end devices
sw(config)#interface GigabitEthernet0/1
sw(config-if)#spanning-tree portfast
sw(config-if)#spanning-tree bpduguard enable
sw(config-if)#exit
! errdisable recovery is a global-config command; "bpduguard" is the full cause keyword
sw(config)#errdisable recovery cause bpduguard
sw(config)#errdisable recovery interval 30
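As an added example that is not part of the original post, the following Python script audits a saved show running-config and lists the non-trunk ports on which a received BPDU would not trip BPDU guard, taking the global "bpduguard default" line and any per-port "bpduguard disable" into account. The sample config text and the interface names in it are constructed.

```python
# Constructed sample running-config excerpt (not taken from the page). The
# global "spanning-tree portfast bpduguard default" line is deliberately absent,
# so only the per-interface settings decide which ports are protected.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 spanning-tree portfast
!
interface GigabitEthernet0/3
 switchport mode trunk
!
interface GigabitEthernet0/4
 spanning-tree portfast
 spanning-tree bpduguard disable
!
"""

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Return {interface name: [indented config lines]} from running-config text."""
    stanzas: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return stanzas

def unguarded_ports(config: str) -> list[str]:
    """Non-trunk ports where a received BPDU would NOT trigger BPDU guard.
    Global "portfast bpduguard default" covers every portfast port unless it
    says "bpduguard disable"; otherwise a port needs "bpduguard enable" itself.
    """
    global_default = "spanning-tree portfast bpduguard default" in config.splitlines()
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" in lines or "spanning-tree bpduguard enable" in lines:
            continue  # trunks to other switches are expected to exchange BPDUs
        if global_default and "spanning-tree portfast" in lines \
                and "spanning-tree bpduguard disable" not in lines:
            continue
        findings.append(name)
    return findings
```

Ports with no switchport mode at all are reported too, since a port left in dynamic negotiation can still end up trunking.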