Hello,
Absolutely love the show so far. It's nice to see Mr. Don Pezet come in as a guest instructor. I was watching Common Mitigation Techniques, Part 2 N10-007. There Mr. Don talks about Spanning Tree Protocol, BPDU Guard, Root Guard & loops. I actually couldn't get that part and am unable to connect the links between them. @wes-bryan, Sir, can you please explain it in detail if it's relevant for the exam?
Thanks.
-
Doubt in Common Mitigation Techniques
-
@Atharva-Bet, good questions:
-
A loop in any network is when the same data gets sent across different links simultaneously. They will typically amplify themselves to the point that network performance is dramatically affected.
-
Layer 3 loops are routing loops that occur at the Network layer of the OSI model with packets.
-
Layer 2 loops are switching loops that occur at the Data-link Layer of the OSI model with frames. This is where technologies like Spanning Tree Protocol (STP), Bridge Protocol Data Units (BPDUs), BPDU Guard and Root Guard operate.
-
Spanning Tree Protocol is a switching technology that helps to prevent switching loops in networks that have multiple switches. When the protocol is enabled, all switches will go through an election process to determine which switch will be the root. Once the election is done, certain ports on the switches will be shut down and others will be in a forwarding state, connected back to the root. The goal is to stop switching loops by controlling which ports forward and which are blocked. The BPDU is a message that sends information about the ports (MAC address, priority, cost) that switches use to determine the network topology. If this can be manipulated, then an attacker could influence the flow of traffic on the network or change the topology. This is where BPDU Guard comes in, as it will detect unauthorized BPDUs (rogue switch or misconfiguration) and shut down the port on the switch on which it was received.
-
Next up is Root Guard. Remember that the switches participating in Spanning Tree Protocol will go through an election process prior to forwarding traffic. This is done to elect a "root" bridge (older switching terminology), and this root will have all ports in a forwarding state. This essentially forms the top of a logical tree topology with the root at the top. If an attacker can forward traffic as a "root", then the traffic will not be blocked. Root Guard, configured on a port, prevents a switch on that port from becoming the root.
I hope this helps. Keep those questions coming!
Best Regards,
Wes Bryan
Knowledge is a road to be traveled upon, not a destination to be reached~~
-
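To make the link between the election, BPDUs and the two guards concrete, here is a small simulation. It is an added example, not code from Wes Bryan's answer or from ITProTV, and it simplifies real STP: a bridge ID is just (priority, MAC) with no extended system ID, and path cost and timers are ignored. The switch names, MAC addresses, port names and priorities are constructed for the scenario. It models the three things the answer describes: the lowest bridge ID wins the root election; BPDU Guard shuts any port that receives a BPDU at all; Root Guard blocks a port only when the BPDU it receives is "superior" (would make that port's neighbour the new root).

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Bpdu:
    """The configuration-BPDU fields that drive the root election."""
    root_priority: int  # priority of the bridge the sender believes is root
    root_mac: str       # MAC address of that bridge
    root_cost: int      # sender's path cost to that root (carried, not used here)

    @property
    def root_id(self):
        # A bridge ID is compared priority first, then MAC; the lowest wins.
        return (self.root_priority, self.root_mac.lower())


@dataclass
class Switch:
    name: str
    mac: str
    priority: int = 32768                                # IEEE default
    guards: dict = field(default_factory=dict)           # port -> "bpduguard" | "rootguard"
    errdisabled: set = field(default_factory=set)        # ports shut by BPDU Guard
    root_inconsistent: set = field(default_factory=set)  # ports blocked by Root Guard

    @property
    def bridge_id(self):
        return (self.priority, self.mac.lower())


def elect_root(switches):
    """Every switch initially claims to be root; the lowest bridge ID wins."""
    return min(switches, key=lambda s: s.bridge_id)


def receive_bpdu(sw, port, bpdu, current_root_id):
    """Decide what `sw` does with a BPDU that arrives on `port`.

    Returns one of:
      "errdisable"        BPDU Guard: any BPDU on an edge/PortFast port shuts the port
      "root-inconsistent" Root Guard: a superior BPDU (one that would change the
                          root) puts the port into the blocking root-inconsistent state
      "accept-new-root"   no guard: the superior BPDU is accepted, the topology changes
      "accept"            an ordinary BPDU that does not change the root
    """
    guard = sw.guards.get(port)
    if guard == "bpduguard":
        sw.errdisabled.add(port)
        return "errdisable"
    superior = bpdu.root_id < current_root_id
    if guard == "rootguard":
        if superior:
            sw.root_inconsistent.add(port)
            return "root-inconsistent"
        return "accept"
    return "accept-new-root" if superior else "accept"


def demo():
    """Constructed scenario (made-up names/MACs): a core switch deliberately given a
    low priority so it wins the election, an access switch with BPDU Guard on a user
    port and Root Guard on a downstream uplink, and a rogue device that sends a BPDU
    claiming priority 0, the lowest possible value."""
    core = Switch("core", "00:00:0c:00:00:01", priority=4096)
    access = Switch("access1", "00:00:0c:00:00:02",
                    guards={"Gi1/0/5": "bpduguard", "Gi1/0/24": "rootguard"})
    root = elect_root([core, access])
    rogue = Bpdu(root_priority=0, root_mac="de:ad:be:ef:00:01", root_cost=0)
    return {
        "root": root.name,
        "user_port": receive_bpdu(access, "Gi1/0/5", rogue, root.bridge_id),
        "rootguard_port": receive_bpdu(access, "Gi1/0/24", rogue, root.bridge_id),
        "unguarded_port": receive_bpdu(access, "Gi1/0/1", rogue, root.bridge_id),
        "errdisabled": sorted(access.errdisabled),
        "root_inconsistent": sorted(access.root_inconsistent),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unguarded port is the interesting line: without either guard, the rogue's priority-0 BPDU simply wins and the attacker becomes root of the whole Layer 2 domain. On Cisco IOS the same protections are `spanning-tree bpduguard enable` (or `spanning-tree portfast bpduguard default` globally) on edge ports, `spanning-tree guard root` on ports that should never face the root, and `show spanning-tree inconsistentports` plus `show interfaces status err-disabled` to see which ports a guard has acted on.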