Lately I’ve been revisiting Ethernet switching and Spanning Tree related topics in much more depth than before. While working through a lab I stumbled upon something I found interesting. I didn’t plan on writing tonight, so I’ll try to make this brief.
The focus is the link from SW1 G0/2 to SW2 G0/3. SW1 is the VLAN 20 root bridge with priority 4096. SW1 G0/2 is an access port in VLAN 20 with Portfast and BPDU Guard enabled. SW2 G0/3 is an access port in VLAN 1 with no extra features. My primary goal was to refresh myself on Portfast, BPDU Guard, and Error Disable Recovery.
What I found interesting is that SW2 is accepting VLAN 20 BPDUs from SW1 on G0/3 and reacting to them as if they are VLAN 1 BPDUs. Notice the root bridge priority in the output below. 4096 (SW1’s VLAN 20 priority) + extended system ID 20 = 4116.
SW2#show spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    4116
             Address     5254.0007.1092
             Cost        9
             Port        4 (GigabitEthernet0/3)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     5254.001d.e09b
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/3               Root FWD 4         128.4    P2p
Why this is happening
Because these are access ports, SW1 is sending standard IEEE BPDUs rather than PVST+ BPDUs. The “+” in PVST+ indicates that STP is operating over 802.1Q trunks. To support PVST, 12 bits were borrowed from the bridge priority field to represent the VLAN. SW2 is accepting the BPDU and operating by the rules of Common Spanning Tree. In CST there is no extended system ID to represent the VLAN number; all 16 bits are treated as bridge priority, which is why the 4116 carried in SW1’s VLAN 20 BPDU shows up unchanged as the VLAN 1 root priority on SW2.
Non-PVST+ BPDU being received by SW2; notice the SAP value 0x42.
A PVST+ BPDU uses SNAP PID 0x010b:
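To make the two readings of the same 16-bit field concrete, here is an added example (not from the original post) that builds an 802.1D Configuration BPDU with SW1’s numbers, wraps it either in plain LLC (SAP 0x42) or in the PVST+ SNAP header, and decodes the root ID both as a CST receiver would and as an 802.1t/PVST+ receiver would. The BPDU layout follows IEEE 802.1D; the MAC addresses and port ID are constructed sample values, and the Cisco OUI 00:00:0c used in the SNAP header is an assumption not stated on the page.

```python
import struct

# Constructed sample values (not captures from the post). SW1's bridge ID uses the
# page's numbers: priority 4096 with sys-id-ext 20 -> 4116 in the 16-bit field.
CISCO_OUI = b"\x00\x00\x0c"   # assumed OUI in the PVST+ SNAP header
PVST_PLUS_PID = 0x010B        # SNAP PID quoted on the page
STP_SAP = 0x42                # DSAP/SSAP of a plain IEEE STP BPDU

def build_config_bpdu(root_prio16, root_mac, cost, bridge_prio16, bridge_mac, port_id):
    """Encode an IEEE 802.1D Configuration BPDU (35 bytes, timers in 1/256 s units)."""
    root_id = struct.pack("!H6s", root_prio16, bytes.fromhex(root_mac))
    bridge_id = struct.pack("!H6s", bridge_prio16, bytes.fromhex(bridge_mac))
    # protocol id=0, version=0, type=0 (config), flags=0, then ids/cost/port/timers
    return (struct.pack("!HBBB", 0, 0, 0, 0) + root_id + struct.pack("!I", cost)
            + bridge_id + struct.pack("!HHHHH", port_id, 0, 20 * 256, 2 * 256, 15 * 256))

def decode_bridge_id(raw8):
    """Read one 8-byte bridge ID under CST rules and under 802.1t/PVST+ rules."""
    field, mac = struct.unpack("!H6s", raw8)
    h = mac.hex()
    return {"cst_priority": field,             # CST: all 16 bits are priority
            "pvst_priority": field & 0xF000,   # 802.1t: top 4 bits are priority
            "sys_id_ext": field & 0x0FFF,      # low 12 bits carry the VLAN id
            "mac": f"{h[:4]}.{h[4:8]}.{h[8:]}"}

def classify_bpdu(llc_payload):
    """('ieee', bpdu) for DSAP/SSAP 0x42, ('pvst+', bpdu) for SNAP with PID 0x010b."""
    dsap, ssap = llc_payload[0], llc_payload[1]
    if dsap == STP_SAP and ssap == STP_SAP:
        return "ieee", llc_payload[3:]
    if dsap == 0xAA and ssap == 0xAA:
        oui, pid = llc_payload[3:6], struct.unpack("!H", llc_payload[6:8])[0]
        if oui == CISCO_OUI and pid == PVST_PLUS_PID:
            return "pvst+", llc_payload[8:]
    return "unknown", b""

def root_seen_by_cst(llc_payload):
    """What a CST-only receiver (SW2 G0/3 in VLAN 1) concludes about the root bridge."""
    kind, bpdu = classify_bpdu(llc_payload)
    if kind != "ieee":
        return None  # a SNAP-wrapped PVST+ frame is not a CST BPDU
    return decode_bridge_id(bpdu[5:13])  # root ID starts after the 5-byte header

# SW1 on an access port: plain LLC 42 42 03 followed by the config BPDU
IEEE_FRAME = bytes([STP_SAP, STP_SAP, 0x03]) + build_config_bpdu(
    4096 | 20, "525400071092", 0, 4096 | 20, "525400071092", 0x8002)
# The same BPDU as it would appear SNAP-wrapped as PVST+ on a trunk
PVST_FRAME = (bytes([0xAA, 0xAA, 0x03]) + CISCO_OUI
              + struct.pack("!H", PVST_PLUS_PID) + IEEE_FRAME[3:])
```

Decoding IEEE_FRAME as CST yields the 4116 root priority from the show output, while the 802.1t view of the same bytes separates it into 4096 and sys-id-ext 20.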
More information about the bridge priority and extended system ID field is available here: https://routingloop.net/stp-bridge-priority-4096/
Further testing confirms that this technique can be used to connect a rogue switch to an access port and hijack the root bridge role. Configuring a rogue bridge with VLAN 1 priority 0 will cause the STP domain to accept the rogue bridge as the new root with priority 1 (0 + sys-id-ext 1). The rogue bridge does not need to be participating in the same VLAN number as the VLAN being attacked. In this lab it works only because SW2 G0/3 has none of the protections SW1 G0/2 has: with BPDU Guard on the access port, the first BPDU received would have error-disabled it instead of being accepted.