VLAN Mismatches and STP

Lately I’ve been revisiting Ethernet switching and Spanning Tree related topics in much more depth than before. While working through a lab I stumbled upon something I found interesting. I didn’t plan on writing tonight, so I’ll try to make this brief.

The focus is the link from SW1 G0/2 to SW2 G0/3. SW1 is the VLAN 20 root bridge with priority 4096. SW1 G0/2 is an access port in VLAN 20 with Portfast and BPDU Guard enabled. SW2 G0/3 is an access port in VLAN 1 with no extra features. My primary goal was to refresh myself on Portfast, BPDU Guard, and Error Disable Recovery.

What I found interesting is that SW2 is accepting VLAN 20 BPDUs from SW1 on G0/3 and reacting to them as if they were VLAN 1 BPDUs. Notice the root bridge priority in the output below: 4096 (SW1’s VLAN 20 priority) + extended system ID 20 = 4116.

SW2#show spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    4116
             Address     5254.0007.1092
             Cost        9
             Port        4 (GigabitEthernet0/3)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     5254.001d.e09b
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/3               Root FWD 4         128.4    P2p 

Why this is happening

Because these are access ports, SW1 is not sending PVST+ BPDUs. The “+” in PVST+ indicates that STP is operating over 802.1Q trunks. To support PVST, 12 bits were borrowed from the bridge priority field to represent the VLAN. SW2 is accepting the BPDU and operating by the rules of Common Spanning Tree (CST). In CST there is no extended system ID to represent the VLAN number; all 16 bits are used for the bridge priority.

A non-PVST+ BPDU being received by SW2. Notice the SAP value 0x42.

A PVST+ BPDU uses SNAP PID 0x010b:

More information about the bridge priority and extended system ID field is available here: https://routingloop.net/stp-bridge-priority-4096/
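To make the two readings of the same Root ID bytes concrete, here is an added Python example (not from the original post) that builds a constructed VLAN 20 config BPDU from SW1 framed both ways, plain IEEE (SAP 0x42) and PVST+ SNAP (PID 0x010b), and decodes it the way the receiving bridge would. The timers, the port ID and using SW1’s MAC as the source address are assumed values; the same parser can be pointed at frames captured on an access port to spot BPDUs that should not be arriving there.

```python
import struct

IEEE_STP_DST = bytes.fromhex("0180c2000000")    # 802.1D STP group address
PVST_DST = bytes.fromhex("01000ccccccd")        # Cisco PVST+ (SSTP) group address
CISCO_OUI, PVST_PID = b"\x00\x00\x0c", 0x010B    # SNAP header of a PVST+ BPDU
SW1_MAC = bytes.fromhex("525400071092")         # SW1's bridge MAC from the output
SW1_VLAN20_ROOT = 4096 | 20                     # 0x1014 = 4116 as sent on the wire

def decode_bridge_id(raw16: int, pvst: bool) -> dict:
    """PVST+ (802.1t): top 4 bits = priority (steps of 4096), low 12 bits = VLAN.
    CST: all 16 bits are the priority; there is no VLAN field at all."""
    if pvst:
        return {"priority": raw16 & 0xF000, "vlan": raw16 & 0x0FFF}
    return {"priority": raw16, "vlan": None}

def build_bpdu(root_raw: int, root_mac: bytes, pvst: bool) -> bytes:
    """Constructed 802.3 config BPDU (not a capture); timers are 20/2/15 s (assumed)."""
    body = struct.pack("!HBBB", 0, 0, 0, 0)                    # proto, version, type, flags
    body += struct.pack("!H6sI", root_raw, root_mac, 0)        # Root ID, root path cost
    body += struct.pack("!H6sH", root_raw, root_mac, 0x8002)   # Bridge ID, Port ID 128.2
    body += struct.pack("!HHHH", 0, 20 << 8, 2 << 8, 15 << 8)  # age, max, hello, fwd (1/256 s)
    if pvst:
        llc, dst = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", PVST_PID), PVST_DST
    else:
        llc, dst = b"\x42\x42\x03", IEEE_STP_DST
    return dst + root_mac + struct.pack("!H", len(llc) + len(body)) + llc + body

def parse_bpdu(frame: bytes) -> dict:
    """Classify the frame by its LLC/SNAP header and decode the Root ID the
    way the receiving bridge does: PVST+ splits the field, CST does not."""
    dsap, ssap = frame[14], frame[15]            # LLC header follows the 802.3 length
    if dsap == ssap == 0x42:                     # IEEE BPDU, SAP 0x42
        pvst, body = False, frame[17:]
    elif dsap == ssap == 0xAA:                   # SNAP: must be Cisco OUI + PID 0x010b
        oui, pid = frame[17:20], struct.unpack("!H", frame[20:22])[0]
        if oui != CISCO_OUI or pid != PVST_PID:
            raise ValueError("SNAP frame is not a PVST+ BPDU")
        pvst, body = True, frame[22:]
    else:
        raise ValueError("not an STP BPDU")
    root_raw, root_mac = struct.unpack("!H6s", body[5:13])
    root = decode_bridge_id(root_raw, pvst)
    root["mac"] = root_mac.hex(".", 2)           # Cisco-style 5254.0007.1092
    return {"kind": "pvst+" if pvst else "ieee", "root": root,
            "path_cost": struct.unpack("!I", body[13:17])[0]}

if __name__ == "__main__":
    for pvst in (True, False):   # same Root ID bytes, two readings
        print(parse_bpdu(build_bpdu(SW1_VLAN20_ROOT, SW1_MAC, pvst)))
```

The IEEE framing yields root priority 4116 with no VLAN, which is exactly what SW2 reports for VLAN0001 above; the PVST+ framing of the identical bytes yields priority 4096 in VLAN 20.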

Further testing confirms that this technique can be used to connect a rogue switch to an access port and hijack the root bridge role. Configuring a rogue bridge with VLAN 1 priority 0 will cause the STP domain to accept the rogue bridge as the new root with priority 1. The rogue bridge does not need to be participating in the same VLAN number as the VLAN being attacked.