Notes: Switching: STP and basic Switch Security.
Where Switches are:
Network   <- Routers / Packets / IP addresses
Data Link <- Switches, Bridges / Frames / MAC addresses
Physical  <- Hubs, Repeaters / Bits / Ethernet
STP, IEEE 802.1d or Spanning Tree Protocol is used on switches to prevent switching loops. Switching loops occur when frames are constantly “looped” through redundant links that connect switches to one another.
When you look at Figure1, you’ll notice a triangle topology where all the switches are connected to each other.
Well, let’s say that there was no STP running on these switches. Host 192.168.10.11 sends out a broadcast frame (ffff.ffff.ffff). Maybe it was sending out a DHCP request. Well, what happens with broadcast frames? They are flooded, of course. This means the switch will send a copy of that frame out every port. This means the broadcast would also be sent out the trunk ports of SW5 to SW3 and SW4. Well, SW3 and SW4 will see that this is a broadcast frame.
What will those switches do? They will flood this frame as well. Its destination is ffff.ffff.ffff, so it is sent out every port. The rule of switching is that a switch will never send a frame back out the same port it received it on. This means SW3 won’t send the broadcast back to SW5; instead, it will send it to SW4. The same goes for SW4: it won’t send the broadcast back to SW5; instead, it will be sent to SW3. This is where the problem becomes more noticeable: the broadcast that originated at SW5 has gone to SW4 and SW3, and those switches are sending each other those broadcasts. Those switches will then take the broadcast they just received from each other, and guess what? They’re broadcast frames! They’re going to keep flooding them out, and now SW5 is going to get that broadcast back! What is SW5 going to do with the broadcast it just received from SW3 and SW4? Hey, it’s a broadcast! Gotta send these broadcasts out! They’re destined for ffff.ffff.ffff! (Remember, a group of switches (a layer 2 network) is still a broadcast domain.)
This is where the insanity starts, and it all happens in about a second. And it will keep happening until either the redundant links are disconnected, or worse… the switches crash. Then office pandemonium ensues.
This is the reason STP was invented, and why it runs on switches by default: to close redundant links and keep switching loops from occurring. The broadcast that 192.168.10.11 sent out won’t be able to cross the link from SW5 to SW4, so the loop is stopped from occurring. Notice in the switch topology in Figure1 that there are green dots and an orange dot. That orange dot indicates the link that STP has closed off. When redundant links are closed by STP, it means they have been placed into “blocking mode”.
This is SW4’s output of ‘show spanning-tree’:
SW4#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    1
             Address     0002.4A11.C0A3
             Cost        4
             Port        25(GigabitEthernet1/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8193  (priority 8192 sys-id-ext 1)
             Address     0006.2A99.5DA7
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi1/1            Root FWD 4         128.25   P2p
Gi1/2            Altn BLK 4         128.26   P2p

You will notice here that for Gi1/2 the ‘Sts’ (Status) column reads ‘BLK’ (Blocking). This is the redundant link that STP decided to close off.
STP also calculates the best path through the switched network based on how fast the links are. You could have a switched network with 5 switches, and you could have a path that a frame would have to traverse of 2 links (path1), and a path of 3 links (path2). But based on whether a port is 10mbps, 100mbps, or 1000mbps (even 10gb), STP will always choose the fastest. Path1 could be 2 links of 100mbps, but path2 could be 3 links of 1000mbps. Well, it would prefer path2 over path1 because those three gigabit hops actually provide a faster data throughput than the two 100mbps hops. (Once I get to my CCNA portion, there will be a lot more about STP mechanics: how it determines cost, the costs of links, what it does while it is busy converging, root bridges, election, etc. What you’re seeing here is only the CCENT (ICND1) portion.)
- STP is a mechanism on switches to prevent switching loops
- STP stops switching loops by closing off redundant links
- It determines the optimal path to a destination based on cost
- STP, Spanning-Tree Protocol, 802.1d
- Runs on switches by default.
- Switching loops are bad mmmkay?
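As an added example (not code from the original notes), here is the cost comparison from the path1/path2 discussion carried out in Python. The per-link costs are the classic IEEE 802.1D short-format values that Cisco IOS uses by default (10 Mbps = 100, 100 Mbps = 19, 1 Gbps = 4, 10 Gbps = 2); the ‘Cost 4’ on the GigabitEthernet root port in the show spanning-tree output above comes from that table. Root path cost is just the sum of the link costs along the path, so two 100 Mbps hops (38) lose to three gigabit hops (12). Tie-breaking on bridge ID and port ID, which real STP does when costs are equal, is left out here.

```python
# Added example: IEEE 802.1D short-format port costs and root path cost comparison.
# Not from the original notes; the path names and speeds below are constructed.

PORT_COST = {
    10: 100,      # 10 Mbps
    100: 19,      # 100 Mbps
    1_000: 4,     # 1 Gbps
    10_000: 2,    # 10 Gbps
}


def link_cost(speed_mbps: int) -> int:
    """Return the 802.1D short-format cost for a link of the given speed."""
    try:
        return PORT_COST[speed_mbps]
    except KeyError:
        raise ValueError(f"no 802.1D cost defined for {speed_mbps} Mbps") from None


def path_cost(link_speeds_mbps) -> int:
    """Root path cost is the sum of the costs of every link the frame traverses."""
    return sum(link_cost(speed) for speed in link_speeds_mbps)


def best_path(candidates: dict):
    """Pick the candidate with the lowest root path cost.

    candidates maps a path name to the list of link speeds (Mbps) along it.
    Equal costs fall back to the first candidate listed; real STP would break
    the tie on sender bridge ID and then port ID, which is out of scope here.
    """
    costs = {name: path_cost(speeds) for name, speeds in candidates.items()}
    winner = min(costs, key=costs.get)
    return winner, costs


if __name__ == "__main__":
    # The two paths from the text: 2 x 100 Mbps versus 3 x 1 Gbps.
    paths = {"path1": [100, 100], "path2": [1_000, 1_000, 1_000]}
    winner, costs = best_path(paths)
    print(costs, "->", winner)   # {'path1': 38, 'path2': 12} -> path2
```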
Basic Switch Security
There are plenty of reasons you need to take your switch security seriously. Actually, you should take every bit of network security seriously. Never underestimate the importance of security, because if you do, you’re going to have a hell of a time dealing with security problems. Security isn’t just there to keep intruders out; it’s also there to keep someone who has no idea what they are doing from messing up your configurations.
Lock up your switches, routers, or any networking hardware. You definitely don’t want someone walking in on your network and thinking “hmm what does this mode button do?” Oh look, the lights are flashing in a neat pattern now. Seriously, you need to keep networking hardware safe. Keep it in a locked room. Keep faceplates over your network racks. Lock your network/server cabinets. This is common sense. Would you go park your car in a parking lot downtown and just leave the keys in your car with all your windows rolled down?
There are many well known defaults on switches that need to be addressed upon completion of configuration. These are things that people look for when they intend to break into your network. There are tons of security parameters on switches, but basically, these are what you need to know for the CCENT.
- By default, switch ports are turned on (on routers they aren’t). When you are finished configuring a switch, you should shut down all your unused ports using the ‘shutdown’ command at the specified interface:
SW5#conf t
SW5(config)#interface fastEthernet 0/5
SW5(config-if)#shutdown
%LINK-5-CHANGED: Interface FastEthernet0/5, changed state to administratively down
SW5(config-if)#
- Another default posing a security risk is that all ports are set to ‘dynamic’, meaning they will actively negotiate either to trunk, or to become an access port to an end device. This means someone can plug in one of their own switches and gain access this way. Some attackers also know how to get the NIC on a PC to try and trunk with a switch, which can cause lots of problems as well. Set the mode explicitly:
SW5(config)#interface fastEthernet 0/5
SW5(config-if)#switchport mode ?
  access   Set trunking mode to ACCESS unconditionally
  dynamic  Set trunking mode to dynamically negotiate access or trunk mode
  trunk    Set trunking mode to TRUNK unconditionally
SW5(config-if)#switchport mode access
- By default, all ports are part of a well-known VLAN: VLAN 1. This can also pose a security risk. Unused ports should be moved to a dummy VLAN that leads nowhere:
SW5(config-if)#switchport access ?
  vlan  Set VLAN when interface is in access mode
SW5(config-if)#switchport access vlan ?
  <1-1005>  VLAN ID of the VLAN when this port is in access mode
SW5(config-if)#switchport access vlan 321
MAC Addresses: There are a few ways to tighten a switch’s security by managing the MAC addresses that are allowed on the switch. Doing this allows you to configure each port on a switch to only allow one MAC address, from one host, to be plugged into that port. This keeps people from plugging other devices into, let’s say, their cubicle’s ethernet port. It will also stop people with malicious intent from plugging in other switches. This is done through ‘switchport port-security’ at the interface level on switches.
SW5#
SW5#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW5(config)#interface fastethernet 0/5
SW5(config-if)#switchport port-security ?
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>
Now, before you can even use this feature, you need to go in and switch the port’s mode from ‘dynamic’ to ‘access’. This tells the switch there will be an end device on this port and not another switch. Then you need to enable the feature on the port itself; both commands are entered at the interface level.
SW5(config-if)#interface fastEthernet 0/5
SW5(config-if)#switchport ?
  access         Set access mode characteristics of the interface
  mode           Set trunking mode of the interface
  native         Set trunking native characteristics when interface is in trunking mode
  nonegotiate    Device will not engage in negotiation protocol on this interface
  port-security  Security related command
  priority       Set appliance 802.1p priority
  trunk          Set trunking characteristics of the interface
  voice          Voice appliance attributes
SW5(config-if)#switchport mode access
SW5(config-if)#switchport port-security
Simply by entering ‘switchport port-security’, you’ll enable the option on this switch to use this feature on the specified port.
Here I will be talking about the options.
- mac-address – This parameter is where you specify the MAC address of the end device or host allowed on the port, either by typing it in manually or by letting the switch learn it (sticky).
SW5(config-if)#switchport port-security mac-address ?
  H.H.H   48 bit mac address
  sticky  Configure dynamic secure addresses as sticky
- H.H.H is where you would type in the host’s MAC address. Now, of course, if you were working IT in a large company this would be a bit of a pain, because you would have to go to each individual interface, grab the MAC address and input them yourself. But the threat of an enormous workload is taken away with ‘sticky’. This keyword tells the switch to use the MAC address that is currently connected to the port; it will automatically add it for you.
I would really only use this feature if you know your company has a strict policy for end users to not fiddle with their workstations or plug anything else in.
- maximum – This parameter is used to specify the quantity of allowed mac addresses on a given interface. This means you could say a port can only be allowed to have a maximum of 2 devices on it because maybe the end user also brings, say, a laptop from home and they want to plug it in. This could also be because the end user also has an IP Phone in their office as well, and the PC has to connect to the IP phone to get connectivity to the switch.
SW5(config-if)#switchport port-security maximum ?
  <1-132>  Maximum addresses
- violation – This parameter specifies what the switch must do if it detects an unauthorized MAC address on a port. This is a rather powerful part of switchport security.
SW5(config-if)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode
As you can see, there are three options for this command: ‘protect’, ‘restrict’, and ‘shutdown’.
Shutdown – This is the default for ‘switchport port-security’. When an unauthorized MAC address is detected on that port, the switch shuts the port down and adds an entry to the log stating that it shut that port down. When you go to check on the status of that port, it won’t say ‘administratively down’; rather it will say ‘err-disabled’. If the port goes into ‘err-disabled’ mode, you have to log into the switch and manually turn the port back on.
Protect – This tells the switch to drop the frames coming in from the unauthorized address on that port. Nothing more: none of the traffic from the unauthorized MAC address is allowed to traverse the switch, and nothing is logged.
Restrict – This tells the switch to drop the frames coming in from the unauthorized address on that port. None of the traffic from the unauthorized MAC address is allowed to traverse the switch. Additionally, the switch will add an entry to the log stating that there has been an unauthorized MAC address on that port.
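The following is an added example, not code from the original notes: a small Python model of a port-security enabled port that shows how ‘maximum’, ‘sticky’ learning and the three violation modes interact when frames arrive. The MAC addresses fed to it are constructed sample values (two of them reuse addresses that appear in the show output later in these notes), the log text is made up rather than the switch’s real syslog wording, and the counter behaviour follows Cisco’s documented rule that ‘protect’ drops silently without incrementing the violation counter while ‘restrict’ and ‘shutdown’ do increment it.

```python
# Added example (not from the original notes): model of one port-security port.
# MAC addresses and log wording are constructed; counter semantics follow Cisco's
# documentation for the protect / restrict / shutdown violation modes.
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1              # 'switchport port-security maximum'
    violation: str = "shutdown"   # 'protect', 'restrict' or 'shutdown' (the default)
    sticky: bool = True           # learn the first MAC(s) seen, like 'mac-address sticky'
    secure_macs: set = field(default_factory=set)  # static or sticky-learned addresses
    status: str = "Secure-up"
    violation_count: int = 0
    last_source: str = ""
    log: list = field(default_factory=list)

    def receive(self, src_mac: str) -> bool:
        """Process one ingress frame from src_mac; return True if it is forwarded."""
        src_mac = src_mac.lower()
        if self.status == "Secure-shutdown":
            return False  # an err-disabled port forwards nothing until 'no shutdown'
        self.last_source = src_mac
        if src_mac in self.secure_macs:
            return True   # known secure address
        if self.sticky and len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)  # sticky learning fills the table up to 'maximum'
            return True
        # Anything else is an unauthorized source address on this port.
        if self.violation == "protect":
            return False  # dropped silently; no log entry and no counter increment
        self.violation_count += 1
        if self.violation == "restrict":
            self.log.append(f"{self.name}: dropped frame from unauthorized {src_mac}")
            return False
        # shutdown mode: the port goes err-disabled and stays that way
        self.status = "Secure-shutdown"
        self.log.append(f"{self.name}: err-disabled after unauthorized {src_mac}")
        return False

    def no_shutdown(self) -> None:
        """Administrator recovery: bring an err-disabled port back up."""
        self.status = "Secure-up"

    def summary(self) -> dict:
        """The fields an operator would check in 'show port-security interface'."""
        return {
            "Port Status": self.status,
            "Violation Mode": self.violation.capitalize(),
            "Maximum MAC Addresses": self.maximum,
            "Total MAC Addresses": len(self.secure_macs),
            "Last Source Address": self.last_source,
            "Security Violation Count": self.violation_count,
        }


if __name__ == "__main__":
    port = SecurePort("Fa0/5")                 # maximum 1, sticky, shutdown mode
    port.receive("0060.47BA.7250")             # first host is learned and forwarded
    port.receive("0007.EC6D.C364")             # second device trips the violation
    print(port.summary())
    print(port.log)
```

Running the script walks through exactly the scenario the notes describe next: the first MAC is learned, the second one is refused, the port goes to Secure-shutdown and the violation count goes from 0 to 1.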
Checking The Parameters:
So you’ve gone through and set all these options, and you need to make sure you have configured everything correctly. Well, there is a nice, quick and simple way to make sure you’ve set everything.
The output below is ‘show port-security interface fastEthernet 0/5’ after configuring a maximum of one allowed MAC address, shutdown as the violation mode, and sticky learning so that the first and only MAC address it learns on fastethernet 0/5 is authorized. If you look at Figure1, you can see that host 192.168.10.11 is on that port:
SW5#show port-security interface fastEthernet 0/5
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0060.47BA.7250:10
Security Violation Count   : 0
Let’s say that the switch does actually detect an unauthorized MAC address on that port. Say, for instance, that user 192.168.10.11 (yeah, I know, I’m not being really creative with names at the moment) tries to plug a different device into the ethernet port in his cubicle. Maybe it’s his laptop. Well, from the output shown above, ‘Maximum MAC Addresses : 1’ means there is one and only one MAC address allowed, and it is currently authorized on that port. And the violation mode is to shut that port down. So what will the switch show if it actually happens?
Well, first you would see in the log:
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
Then, when we check on the port-security status:
SW5#show port-security interface fastEthernet 0/5
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0007.EC6D.C364:10
Security Violation Count   : 1
Notice that in the field ‘Security Violation Count’ the value has changed from 0 to 1. The ‘Last Source Address’ has changed as well. Port security has been triggered on this port, and the port is now shut down.
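Checking one port by eye is fine, but on a switch with dozens of ports you want something that reads the ‘show port-security interface’ text for you and points out the conditions just described. The following is an added example, not code from the original notes: it parses the ‘Field : Value’ lines of that output (the sample text is the output shown above, one field per line) and returns findings an administrator would act on: port security not enabled, a port sitting in Secure-shutdown, a non-zero violation count with the offending source address, and a port left in ‘protect’ mode where violations are never logged.

```python
# Added example (not from the original notes): parse 'show port-security interface'
# output and report the conditions an administrator should look at.
# SAMPLE_OUTPUT reproduces the show output from the notes, one field per line.
SAMPLE_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0007.EC6D.C364:10
Security Violation Count   : 1
"""


def parse_port_security(output: str) -> dict:
    """Turn 'Field : Value' lines into a dict.

    Only the first ' : ' (with surrounding spaces) separates key from value, so
    the key 'Last Source Address:Vlan' keeps its embedded colon intact.
    """
    fields = {}
    for line in output.splitlines():
        if " : " not in line:
            continue  # prompt line, blank line or output we do not understand
        key, value = line.split(" : ", 1)
        fields[key.strip()] = value.strip()
    return fields


def audit(fields: dict) -> list:
    """Return human-readable findings for one port; an empty list means all clear."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port security is not enabled on this interface")
        return findings  # nothing else in the output is meaningful without it
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append("port is err-disabled by port security; "
                        "investigate, then recover with 'no shutdown'")
    count = int(fields.get("Security Violation Count", "0"))
    if count > 0:
        source = fields.get("Last Source Address:Vlan", "unknown")
        findings.append(f"{count} violation(s) recorded; last offending source:vlan {source}")
    if fields.get("Violation Mode") == "Protect":
        findings.append("violation mode 'protect' drops silently; violations are never logged")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_port_security(SAMPLE_OUTPUT)):
        print("-", finding)
```

In practice you would feed this the output collected from each interface (for example from ‘show port-security interface’ run per port over your management channel) and only look at ports that come back with findings.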
This is the output of ‘show interfaces fastEthernet 0/5’:
FastEthernet0/5 is down, line protocol is down (err-disabled)
  Hardware is Lance, address is 00d0.9740.9e01 (bia 00d0.9740.9e01)
  BW 100000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
------------OUTPUT OMITTED------------
Here you can see the port is now down, and next to ‘line protocol’ you see ‘(err-disabled)’, which means the switch brought this port down on its own because of a certain error. There are several conditions on Cisco switches that can cause a port to be shut down because of errors; a port-security violation is one of them.
Again, once a port is shutdown because of an error, an administrator has to go in and manually turn the port back on with ‘no shutdown’ on the interface level.