Spanning-tree security

Spanning-tree security

by Cyrus Lok on Friday, January 8, 2010 at 12:42am

Spanning tree protocol is a protocol that’s created to eliminate redundant links of a switch in order to prevent broadcast storm.

Having redundant links for switch is good because if one link goes down the other link can be a backup however it also creates problem of broadcast storm, your switches will receive multiple duplicated copies of mac addresses and the broadcast storm will cause your switch cpu resources to go up as well as causing serious high latency to your internal network.

Spanning tree basic (I am doing keepalive, damn… I am losing this knowledge gradually…-_-“)
How spanning tree protocol works:
1. elect a root bridge, a root bridge will have its interface turn on (forwarding state aka designated ports)
2. after root bridge is elected, those non-root bridge must elect a designated port and a root port.
3. root port is a port that is nearest to the root bridge
4. designated port is the port is a forwarding port
5. anything that’s neither a root port nor a designated port will be blocked.

The original 802.1d spanning tree protocol will take 50s for switch port to change from blocking state to a forwarding state.
the newer version 802.1w hastens this process by introducing 3 states: blocking, listening and forwarding. This save up to 20s of convergence time of a spanning tree network.

A root bridge is elected on the following condition:
1. low bridge priority, for cisco catalyst switch the default value is 32768, setting your bridge priority to 0 makes your switch to be unbeatable, the priority is an increment of 4096.
2. assume all switches have the same bridge priority, spanning tree protocol will look for a switch that has a lower mac address.

From a switch how do you know which switch is the root bridge?
use this command in user EXEC mode: show spanning-tree summary

S0#show spanning-tree summary
Switch is in pvst mode
Root bridge for: default
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is disabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short

Name Blocking Listening Learning Forwarding STP Active
———————- ——– ——— ——– ———- ———-
VLAN0001 0 0 0 3 3

———————- ——– ——— ——– ———- ———-
1 vlans 0 0 0 3 3

Root bridge for: default, tells you that this switch is the root.

the other command is show spanning-tree
S0#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 4097
Address 0090.2BAA.1456
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 4097 (priority 4096 sys-id-ext 1)
Address 0090.2BAA.1456
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20

Interface Role Sts Cost Prio.Nbr Type
—————- —- — ——— ——– ——————————–
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/2 Desg FWD 19 128.2 P2p
Fa0/3 Desg FWD 19 128.3 P2p

Only a root bridge has all its interface being in forwarding state i.e. designated port. A root bridge has no root port or port that’s in blocking state.
Look at this:
Bridge ID Priority 4097 (priority 4096 sys-id-ext 1)
The default should be 32768, this was originally not the root bridge I made it to be the root because it is the switch that’s connecting a trunk link to my router (Oh yes election is kelong…lol)

Let’s look at another switch which used to be a root bridge, but I made it lost the election (evil smile*)

S1#sh spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 4097
Address 0090.2BAA.1456
Cost 19
Port 1(FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0010.11CB.4A45
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20

Interface Role Sts Cost Prio.Nbr Type
—————- —- — ——— ——– ——————————–
Fa0/3 Desg FWD 19 128.3 P2p
Fa0/1 Root FWD 19 128.1 P2p

A non-root bridge will have designated port or a blocked port and a root port.
Look at this:
Root ID Priority 4097
and this:
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
this tells you that this is a non-root bridge, the root bridge has a lower priority than this switch.

Look at the third switch now:

S2#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 4097
Address 0090.2BAA.1456
Cost 19
Port 2(FastEthernet0/2)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 00E0.B09A.8027
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20

Interface Role Sts Cost Prio.Nbr Type
—————- —- — ——— ——– ——————————–
Fa0/2 Root FWD 19 128.2 P2p
Fa0/3 Altn BLK 19 128.3 P2p

This non-root switch has a root port and a blocked port, the interface must be blocked as this is redundant, the root port shows that this interface is nearest to the root bridge.

Spanning tree security is a security implemented to prevent “man-in-the-middle-attack”, if you switch has no security implemented and the hacker has the key to your datacentre… hehehehe…. he can bring a switch or a laptop and attached to your switch port and do “black magic”…-_-”

Some catalyst switches have all the ports configured as this switchport mode dynamic… what this means is if I connect a switch to this port it will become switchport mode trunk, if i connect a host (computer, ip phone, printer) it will be switchport mode access. So the hacker brings a switch and connect to this dynamically configured port… lol…. the port becomes a trunk, and he can configure his switch to be a root bridge and he can use wireshark to sniff all packets going to his own switch.. great… he/she sees all…-_-”

To prevent this use the following commands to help you guard your switch.

1. configure your switch port that connects to your router and/or switch as trunk
S0(config-if)#switchport mode trunk
S0(config-if)#switchport port-security maximum 1
S0(config-if)#switchport port-security mac-address sticky
S0(config-if)#switchport port-security violation shutdown

This means, interface is a trunk, only one mac address is allowed, and the first mac address that’s connected to the switch port is the only mac address that’s allowed, if other than the first mac address is connected to this port shutdown the port.

Configure the switch port that connects a host to switchport mode access.

for my Root bridge
fa0/1 and fa0/2 are a designated port connect to another switch, I shall set these to trunk mode and apply the rest of the port-security commands as above, in order to prevent other unauthorized switch from becoming a root bridge I shall set spanning-tree guards to protect my interface
I shall go to my fa0/1 and fa0/2 and configure root guard:
S0(config-if)#spanning-tree guard root

For other ports that are configured as access port I shall turn off spanning tree and apply bpdu guard.
For this root bridge, fa0/1 and fa0/2 are connected to a switch; fa0/3 is connected to router, hence fa0/4 to fa0/24 I shall configure them as access port and apply port fast and bpdu guard on them.
S0(config)#interface range fa0/4 – 24
S0(config-if-range)#spanning-tree portfast
S0(config-if-range)#spanning-tree bpduguard enable

bpdu stands for Bridge packet data unit, it is a “love” message sent throughout switches to inform which is the root and what’s the port role, a host is not a switch and hence should not be sending bpdu to corrupt my spanning-tree data. Portfast is a feature to turn off spanning tree, so that during spanning tree convergence my pcs can still be accessing resources from the servers, while converging all ports are in blocking mode (that’s why I need to turn off spanning tree on all access ports because hosts are not taking part on root bridge election). bpdu guard prevents bpdu from sending out from the port.

There’s another way to make the above process easier, that is from global configuration mode, apply this command:
S0(config)#spanning-tree portfast bpduguard default
this means whenever I apply port fast on an interface bpdu guard will also be enabled

Advertisements
This entry was posted in Security. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s