Skip to main content

L2 security – Spanning Tree Protocol features.

a) BPDU Guard – it’s a feature that prevents access ports from participating in the spanning tree process. You can enable the feature globally or on an interface:

ASW1(config)#spanning-tree portfast bpduguard default

Below we can see what happens when we enable the interface and then we plug switch to this port:
 
*Mar  3 16:16:44.459: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
*Mar  3 16:16:44.853: %LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to up
*Mar  3 16:16:44.904: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/24 with BPDU Guard enabled. Disabling port.
*Mar  3 16:16:44.904: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/24, putting Fa0/24 in err-disable state
*Mar  3 16:16:44.912: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar  3 16:16:46.909: %LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to down

To avoid shutting down the port, we can enable the same action only for offending Vlan:
 
ASW1(config)#errdisable detect cause bpduguard shutdown vlan

Mar  3 16:24:21.663: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
*Mar  3 16:24:22.032: %SPANTREE-2-BLOCK_BPDUGUARD_VP: Received BPDU on port Fa0/24, vlan 1 with BPDU Guard enabled. Disabling vlan.
*Mar  3 16:24:22.032: %PM-4-ERR_DISABLE_VP: bpduguard error detected on Fa0/24, vlan 1.  Putting in err-disable state.
*Mar  3 16:24:22.041: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar  3 16:24:22.041: %LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to up
*Mar  3 16:24:23.047: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up

And we see that only the Vlan1 is down, the physical port is up:
 
ASW1#sh ip int b | i Vlan1|FastEthernet0/24
Vlan1                  172.16.1.101    YES NVRAM  up                    down    
FastEthernet0/24       unassigned      YES unset  up                    up      
ASW1#

We can also enable the feature per an interface and it works exactly the same:
 
!
interface FastEthernet0/24
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
end

b) BPDU Filter - We can enable the feature globally:
 
ASW1(config)# spanning-tree portfast bpdufilter default

And then we can check if the feature is enabled:
 
ASW1#sh spanning-tree summary 
Switch is in pvst mode
Root bridge for: none
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is enabled
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     0         0        0          1          1
---------------------- -------- --------- -------- ---------- ----------
1 vlan                       0         0        0          1          1
ASW1#

But when any port receives BPDU the portfast state is disabled:
 
ASW1#sh spanning-tree interface fastEthernet 0/24 portfast 
VLAN0001            enabled

[we plug switch to the port Fa0/24 now]

ASW1#sh spanning-tree interface fastEthernet 0/24 portfast 
VLAN0001            disabled

And then port accepts BPDU from neighbors:
 
ASW1#sh spanning-tree interface fastEthernet 0/24 detail 
 Port 24 (FastEthernet0/24) of VLAN0001 is root forwarding 
   Port path cost 19, Port priority 128, Port Identifier 128.24.
   Designated root has priority 32769, address 44e4.d96a.3880
   Designated bridge has priority 32769, address 44e4.d96a.3880
   Designated port id is 128.24, designated path cost 0
   Timers: message age 1, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 0, received 13
ASW1#sh spanning-tree interface fastEthernet 0/24 detail 
 Port 24 (FastEthernet0/24) of VLAN0001 is root forwarding 
   Port path cost 19, Port priority 128, Port Identifier 128.24.
   Designated root has priority 32769, address 44e4.d96a.3880
   Designated bridge has priority 32769, address 44e4.d96a.3880
   Designated port id is 128.24, designated path cost 0
   Timers: message age 2, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 0, received 15
ASW1#

BPDU Filter can be enabled also on the interface but you have to remember that it prevents from sending and receiving BPDU packets unconditionally:

ASW1#sh run int fa0/24
Building configuration...

Current configuration : 115 bytes
!
interface FastEthernet0/24
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
end

c) Root guard
The STP feature prevents port, on which you enable the feature, from becoming the root port. It means the switch connected to that interface can’t be the root switch in this network segment: ASW1, DS21 and DSW2. ASW2 STP messages are blocked because the port has status: ‘root inconsistent’, which means there is no STP communication between them and they started a new root switch election.

   _____  RP     _____
  |ASW1 |/______|ASW2 |___ root switch     
  |_____|       |_____|
     |    \   /    | 
     |     \ /     |
     |      \      | 
     |     / \     | RP 
     |    /   \    |/
   _____ /-RP  \ _____
  |DSW1 |_______|DSW2 |    
  |_____|       |_____|

Let’s configure the feature on all RPs (root ports):

DSW2(config)#int Port-channel 1
DSW2(config-if)#spanning-tree guard root 
DSW2(config-if)#
*Mar  3 19:42:05.847: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Port-channel1.
*Mar  3 19:42:06.594: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Port-channel1 on VLAN0001.

You can see now the port is in the root-inconsistent state:

DSW2#sh spanning-tree 
*Mar  3 19:42:48.604: %SYS-5-CONFIG_I: Configured from console by console

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     88f0.7715.0800
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     88f0.7715.0800
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15  sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa1/0/5             Desg FWD 19        128.7    P2p 
Fa1/0/6             Desg FWD 19        128.8    P2p 
Fa1/0/24            Desg FWD 19        128.26   P2p 
Po1                 Desg BKN*12        128.512  P2p *ROOT_Inc 
Po2                 Desg FWD 12        128.520  P2p

d) Loop guard
The feature prevents an interface to become a designate port. Imagine a failure where ASW2 (root switch) can’t receive any BPDU from DSW1 but DSW1 is not aware of it. Let’s see what happens:

   _____  RP     _____
  |ASW1 |/______|ASW2 |___ root switch     
  |_____|       |_____|
     |    \   /    | 
     |     \ /     |
     |      \      | 
     |     / \     | RP 
     |    /   \    |/
   _____ /-RP  \ _____
  |DSW1 |_______|DSW2 |    
  |_____|       |_____|

This is the current port status table where Fa0/3 on DSW1 is the Root Port.

DSW1#sh spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     44e4.d96a.3880
             Cost        19
             Port        5 (FastEthernet0/3)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     e8ba.705a.b600
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1               Altn BLK 19        128.3    P2p 
Fa0/2               Altn BLK 19        128.4    P2p 
Fa0/3               Root FWD 19        128.5    P2p 
Fa0/5               Altn BLK 19        128.7    P2p 
Fa0/6               Altn BLK 19        128.8    P2p

Now, enable BPDU filter on ASW2 to simulate a link error:

ASW2(config)#int Fa0/11
ASW2(config-if)#spanning-tree bpdufilter enable

Let’s see what happens on DSW1:

*Apr 25 05:44:21.560: STP: VLAN0001 new root port Fa0/5, cost 31
*Apr 25 05:44:21.560: STP: VLAN0001 Fa0/5 -> listening
DSW1# STP: VLAN1000 new root port Fa0/5, cost 31
*Apr 25 05:44:22.005: STP: VLAN1000 Fa0/5 -> listening

DSW1#sh spanning-tree 

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     44e4.d96a.3880
             Cost        31
             Port        7 (FastEthernet0/5)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     e8ba.705a.b600
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1               Altn BLK 19        128.3    P2p 
Fa0/2               Altn BLK 19        128.4    P2p 
Fa0/3               Desg FWD 19        128.5    P2p 
Fa0/5               Root LIS 19        128.7    P2p 
Fa0/6               Altn BLK 19        128.8    P2p 

DSW1#sh spanning-tree 

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     44e4.d96a.3880
             Cost        31
             Port        7 (FastEthernet0/5)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     e8ba.705a.b600
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1               Altn BLK 19        128.3    P2p 
Fa0/2               Altn BLK 19        128.4    P2p 
Fa0/3               Desg FWD 19        128.5    P2p 
Fa0/5               Root LRN 19        128.7    P2p 
Fa0/6               Altn BLK 19        128.8    P2p 


 --More-- 
*Apr 25 05:44:36.567: STP: VLAN0001 Fa0/5 -> learning
*Apr 25 05:44:51.575: STP[1]: Generating TC trap for port FastEthernet0/5
*Apr 25 05:44:51.575: STP: VLAN0001 sent Topology Change Notice on Fa0/5
*Apr 25 05:44:51.575: STP: VLAN0001 Fa0/5 -> forwarding

As we see the port Fa0/3 (that one which doesn’t receive BPDU) was elected as the designated port what causes problems like we can see here:

*Apr 25 05:45:07.739: %SW_MATM-4-MACFLAP_NOTIF: Host 88f0.7715.0840 in vlan 1 is flapping between port Fa0/3 and port Fa0/5
*Apr 25 05:45:19.022: %SW_MATM-4-MACFLAP_NOTIF: Host 88f0.7715.0840 in vlan 1 is flapping between port Fa0/5 and port Fa0/3
*Apr 25 05:45:27.058: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5684.2b55 in vlan 1 is flapping between port Fa0/3 and port Fa0/5
*Apr 25 05:45:34.105: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5684.2b55 in vlan 1 is flapping between port Fa0/5 and port Fa0/3
*Apr 25 05:45:34.105: %SW_MATM-4-MACFLAP_NOTIF: Host 88f0.7715.0840 in vlan 1 is flapping between port Fa0/5 and port Fa0/3
*Apr 25 05:45:49.229: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5684.2b55 in vlan 1 is flapping between port Fa0/5 and port Fa0/3
*Apr 25 05:45:49.330: %SW_MATM-4-MACFLAP_NOTIF: Host 88f0.7715.0840 in vlan 1 is flapping between port Fa0/3 and port Fa0/5
*Apr 25 05:46:04.337: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5684.2b55 in vlan 1 is flapping between port Fa0/5 and port Fa0/3
*Apr 25 05:46:04.404: %SW_MATM-4-MACFLAP_NOTIF: Host 88f0.7715.0840 in vlan 1 is flapping between port Fa0/3 and port Fa0/5
*Apr 25 05:46:19.504: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5684.2b55 in vlan 1 is flapping between port Fa0/5 and port Fa0/3
*Apr 25 05:46:19.504: %SW_MATM-4-MACFLAP_NOTIF: Host 88f0.7715.0840 in vlan 1 is flapping between port Fa0/3 and port Fa0/5
*Apr 25 05:46:34.603: %SW_MATM-4-MACFLAP_NOTIF: Host 88f0.7715.0840 in vlan 1 is flapping between port Fa0/3 and port Fa0/5
*Apr 25 05:46:34.603: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5684.2b55 in vlan 1 is flapping between port Fa0/5 and port Fa0/3
*Apr 25 05:46:49.703: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5684.2b55 in vlan 1 is flapping between port Fa0/5 and port Fa0/3
*Apr 25 05:46:49.703: %SW_MATM-4-MACFLAP_NOTIF: Host 88f0.7715.0840 in vlan 1 is flapping between port Fa0/3 and port Fa0/5
*Apr 25 05:47:04.811: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5684.2b55 in vlan 1 is flapping between port Fa0/3 and port Fa0/5
*Apr 25 05:47:04.811: %SW_MATM-4-MACFLAP_NOTIF: Host 88f0.7715.0840 in vlan 1 is flapping between port Fa0/5 and port Fa0/3
*Apr 25 05:47:19.902: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5684.2b55 in vlan 1 is flapping between port Fa0/3 and port Fa0/5
*Apr 25 05:47:19.902: %SW_MATM-4-MACFLAP_NOTIF: Host 88f0.7715.0840 in vlan 1 is flapping between port Fa0/5 and port Fa0/3
*Apr 25 05:47:35.010: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5684.2b55 in vlan 1 is flapping between port Fa0/3 and port Fa0/5
*Apr 25 05:47:35.010: %SW_MATM-4-MACFLAP_NOTIF: Host 88f0.7715.0840 in vlan 1 is flapping between port Fa0/5 and port Fa0/3
*Apr 25 05:47:50.109: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5684.2b55 in vlan 1 is flapping between port Fa0/5 and port Fa0/3
*Apr 25 05:47:50.109: %SW_MATM-4-MACFLAP_NOTIF: Host 88f0.7715.0840 in vlan 1 is flapping between port Fa0/3 and port Fa0/5

DSW1#sh spanning-tree 

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     44e4.d96a.3880
             Cost        31
             Port        7 (FastEthernet0/5)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     e8ba.705a.b600
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1               Altn BLK 19        128.3    P2p 
Fa0/2               Altn BLK 19        128.4    P2p 
Fa0/3               Desg FWD 19        128.5    P2p 
Fa0/5               Root FWD 19        128.7    P2p 
Fa0/6               Altn BLK 19        128.8    P2p

As we see, despite the problem with the interface, Fa0/3 was elected as the ‘Desg’ port.
Let’s do the same test with ‘Loop Guard’ feature enabled:

DSW1(config)#spanning-tree loopguard default

On ASW2 I enable BPDU filtering once again:

ASW2(config-if)#spanning-tree bpdufilter enable

DSW1#
*Apr 25 06:07:26.284: %SYS-5-CONFIG_I: Configured from console by consolesh sp
DSW1#sh spanning-tree 

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     44e4.d96a.3880
             Cost        19
             Port        5 (FastEthernet0/3)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     e8ba.705a.b600
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1               Altn BLK 19        128.3    P2p 
Fa0/2               Altn BLK 19        128.4    P2p 
Fa0/3               Root FWD 19        128.5    P2p 
Fa0/5               Altn BLK 19        128.7    P2p 
Fa0/6               Altn BLK 19        128.8    P2p 



DSW1#debug spanning-tree events 
Spanning Tree event debugging is on
DSW1#
*Apr 25 06:08:23.772: STP: VLAN0001 sent Topology Change Notice on Fa0/3
*Apr 25 06:08:23.772: STP[1]: Generating TC trap for port FastEthernet0/3
*Apr 25 06:08:23.772: STP: VLAN0001 Fa0/3 -> blocking
*Apr 25 06:08:23.772: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port FastEthernet0/3 on VLAN0001.
*Apr 25 06:08:23.772: STP: VLAN0001 new root port Fa0/5, cost 31
*Apr 25 06:08:23.772: STP: VLAN0001 Fa0/5 -> listening
*Apr 25 06:08:23.780: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Apr 25 06:08:25.776: STP: VLAN0001 sent Topology Change Notice on Fa0/5
*Apr 25 06:08:38.779: STP: VLAN0001 Fa0/5 -> learning

DSW1#sh spanning-tree 

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     44e4.d96a.3880
             Cost        31
             Port        7 (FastEthernet0/5)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     e8ba.705a.b600
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15  sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1               Altn BLK 19        128.3    P2p 
Fa0/2               Altn BLK 19        128.4    P2p 
Fa0/3               Desg BKN*19        128.5    P2p *LOOP_Inc 
Fa0/5               Root LRN 19        128.7    P2p 
Fa0/6               Altn BLK 19        128.8    P2p 


 --More-- 
*Apr 25 06:08:53.786: STP[1]: Generating TC trap for port FastEthernet0/5
*Apr 25 06:08:53.786: STP: VLAN0001 sent Topology Change Notice on Fa0/5
*Apr 25 06:08:53.786: STP: VLAN0001 Fa0/5 -> forwarding
*Apr 25 06:08:53.794: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up

Now, we see the port’s status is ‘Loop inconsistent’ what means all traffic is restricted.
Labels:

Comments

Post a Comment

Popular posts from this blog

What should you know about HA 'override enabled' setting on Fortigate?

High availability is mandatory in most of today's network designs. Only very small companies or branches can run their business without redundancy. When you have Fortigate firewall in your network you have many options to increase network availability. You can use Fortigate Clustering Protocol ( FGCP ) or Virtual Router Redundancy Protocol ( VRRP ). FGCP has two modes: 'override' disabled (default) and 'override' enabled . I'm not going to explain how to set up HA as you can find many resources on Fortinet websites: https://cookbook.fortinet.com/high-availability-two-fortigates-56/ https://cookbook.fortinet.com/high-availability-with-fgcp-56/ Let's recap what is the main difference between them. The default HA setting is 'override' disabled and this is an order of selection an active unit: 1) number of monitored interfaces - when both units have the same number of working (up) interfaces check next parameter 2) HA uptime - an
8 comments
Read more

MAC Authentication Bypass

One of the method to control your network is using MAB feature. It is helpful in case you have devices without dot1x functionality. Today I will try to implement basic configuration and analyze log messages. There is only one switch SW1 and one device attached to port Fa1/0/2.   ! aaa new - model aaa authentication dot1x default group radius ! ! int Fas1 / 0 / 2 authentication host - mode single - host authentication port - control auto mab ! I haven’t configured ACS yet but let’s see what error message I receive:   SW1 ( config - if ) # mab - ev ( Fa1 / 0 / 2 ): Received MAB context create from AuthMgr mab - ev ( Fa1 / 0 / 2 ): Created MAB client context 0x1100000F mab : initial state mab_initialize has enter mab - ev ( Fa1 / 0 / 2 ): Sending create new context event to EAP from MAB for 0x1100000F ( 0000.0000 . 0000 ) mab - sm ( Fa1 / 0 / 2 ): Received event 'MAB_START' on handle 0x1100000F mab : during state mab_initia
Post a Comment
Read more

Inpection of asymmetric sessions on FortiGate

There is one feature available on FortiGate, and I think you should know it, as it modifies a bit what we know about stateful firewalls. In past every packet was treated individually and you had to create policies in both directions. With stateful firewalls we can track connections, and by checking couple of attributes, we can treat them as part of the same session. For example when you initiate connection from a host1 to host2, the returning connection from host2 to host1 will be treated as part of the same connection (session). They have to have the same source/destination and destination/source IPs, port numbers and interfaces.There is an exception from this rule and FortiGate in some specific cases can accept connections on port which was not used in the initial connection. Let me explain how it works on the below example:      The host1 has a default gateway on R1 (10.0.1.2), but you may notice that it is not the optimal path to host2 subnet. When we analyze the packet flo
1 comment
Read more