STP (Spanning Tree Protocol) is designed to prevent loops in layer 2 networks. To achieve this, switches exchange Bridge Protocol Data Unit (BPDU) messages, which every STP-capable layer 2 device sends and receives; the information in those BPDUs decides which switch is the root and which ports forward or block.

In normal circumstances, when STP is running on a switch, a newly connected port passes through the listening and learning states before it reaches the Forwarding state. This takes approximately 30 to 50 seconds, during which no user data is transmitted. PortFast skips those states and moves the port straight to Forwarding. It is configured only on access mode ports connected to end hosts (PCs, routers, servers), never on ports that lead to another switch, because a PortFast port forwards before STP has had a chance to detect a loop through it. Note that PortFast on its own does not stop the port from sending or accepting BPDUs; that is what the two guard features below are for.

BPDU Guard is used on access ports that should never receive BPDUs, typically the PortFast ports facing end hosts. If a BPDU arrives on such a port, the switch places the port in the err-disabled state, so an attacker who connects a switch (or a host running an STP implementation) to an access port cannot inject BPDUs and take part in the spanning tree, for example to claim the root role and pull traffic through their device. An err-disabled port stays down until an administrator bounces it or errdisable recovery is configured. BPDU Guard is enabled per interface, or globally for every PortFast port.

Root Guard is employed to prevent an unauthorized switch from becoming the Root Switch by spoofing or replacing it. Root selection in STP is based on the Bridge ID. The Bridge ID combines a priority (32768 by default on Cisco switches, plus the VLAN ID as the extended system ID) with the switch's MAC address. The switch with the lowest Bridge ID is elected Root Bridge (Root Switch); because the priority field is compared first, the lowest priority value wins, and ties are broken by the lowest MAC address. An attacker who sends BPDUs with a lower priority, for example 0, can therefore take over the root role. Any such change triggers a new root election and topology recalculation, during which traffic does not pass through the affected ports, and afterwards traffic is steered through the attacker's switch. Root Guard is configured on ports that should never lead toward the root (designated ports facing the edge or other access switches). If a superior BPDU arrives on a Root Guard port, the port enters the root-inconsistent state and stops forwarding until the superior BPDUs stop; unlike BPDU Guard, it recovers automatically once they do. It must not be placed on a non-root switch's own root port, since that port is expected to receive the root's superior BPDUs.
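The following Cisco IOS configuration is an added example that illustrates the BPDU Guard and Root Guard sections above (together with PortFast); it is not taken from the original article. Interface names, VLAN numbers, descriptions and the priority value are assumptions, and the root-priority lines belong on the switch that is meant to be the root, not on the access switch.

```cisco
! Added example, not from the original article. Interface names, VLANs and
! priority values are assumptions; adapt them to the real topology.

! --- Edge (host-facing) ports on the access switch: PortFast + BPDU Guard ---
! PortFast skips listening/learning; BPDU Guard err-disables the port if any
! BPDU arrives, so a rogue switch or an STP-speaking host cannot join the tree.
interface range GigabitEthernet1/0/1 - 20
 description User ports
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Alternative: enable both globally on every PortFast access port, so a port
! that was forgotten in the interface configuration is still protected.
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Optional: let an err-disabled port recover by itself after 5 minutes.
! Without this it stays down until an admin does shutdown / no shutdown.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! --- Port toward another access-layer switch that must never become root ---
! Root Guard keeps this port designated: a superior BPDU puts it into the
! root-inconsistent state instead of handing that neighbour the root role.
! Do NOT apply this to the access switch's own uplink (its root port).
interface GigabitEthernet1/0/24
 description Downlink to second-floor access switch
 switchport mode trunk
 spanning-tree guard root
!
! --- On the intended root (distribution/core) switch ---
! Bridge ID = priority + MAC, lowest wins, priority compared first; give the
! legitimate root a value well below the 32768 default.
spanning-tree vlan 1-4094 priority 4096
!
! --- Verification ---
! show spanning-tree root                       -> which Bridge ID is root
! show spanning-tree inconsistentports          -> ports held by Root Guard
! show interfaces status err-disabled           -> ports shut by BPDU Guard
! show spanning-tree interface Gi1/0/24 detail  -> shows "root guard" on the port
```

After applying it, plugging a switch into one of the user ports should show that port in the err-disabled list, and sending a superior BPDU into Gi1/0/24 should list it as root-inconsistent rather than changing the output of show spanning-tree root.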
