Jann Horn <jannhorn@xxxxxxxxxxxxxx> wrote on 04/28/2010 12:20:55 PM: > From: > > Jann Horn <jannhorn@xxxxxxxxxxxxxx> > ... > If you had a WLAN-link, you could simplify that a lot - as far as I > understand, you are able to make the switches redirect the traffic to > your machines. > Anyway, this attack sounds like something a good switch can easily > prevent by having a list of "STP trusted ports" or something like that. > Doesn't that exist? Best practice is to implement layer 2 security mechanisms which would identify these ports as "access" ports and shut them down if any STP traffic was received through these interfaces. On Cisco equipment, this is known as BPDU guard. http://www.cisco.com/en/US/customer/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml