L2 security – Spanning Tree Protocol features.
a) BPDU Guard – a feature that err-disables an access (PortFast) port as soon as a BPDU arrives on it, so the port cannot take part in the spanning tree process. You can enable the feature globally or on an interface:
ASW1(config)#spanning-tree portfast bpduguard default
Below we can see what happens when we enable the feature and then plug a switch into this port:
*Mar 3 16:16:44.459: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
*Mar 3 16:16:44.853: %LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to up
*Mar 3 16:16:44.904: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/24 with BPDU Guard enabled. Disabling port.
*Mar 3 16:16:44.904: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/24, putting Fa0/24 in err-disable state
*Mar 3 16:16:44.912: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar 3 16:16:46.909: %LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to down
To avoid shutting down the whole port, we can have the same action applied only to the offending VLAN:
ASW1(config)#errdisable detect cause bpduguard shutdown vlan
Mar 3 16:24:21.663: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
*Mar 3 16:24:22.032: %SPANTREE-2-BLOCK_BPDUGUARD_VP: Received BPDU on port Fa0/24, vlan 1 with BPDU Guard enabled. Disabling vlan.
*Mar 3 16:24:22.032: %PM-4-ERR_DISABLE_VP: bpduguard error detected on Fa0/24, vlan 1. Putting in err-disable state.
*Mar 3 16:24:22.041: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar 3 16:24:22.041: %LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to up
*Mar 3 16:24:23.047: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up
And we see that only Vlan1 is down; the physical port stays up:
ASW1#sh ip int b | i Vlan1|FastEthernet0/24
Vlan1 172.16.1.101 YES NVRAM up down
FastEthernet0/24 unassigned YES unset up up
ASW1#
We can also enable the feature per interface, and it works exactly the same:
!
interface FastEthernet0/24
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
end
b) BPDU Filter
We can enable the feature globally:
ASW1(config)# spanning-tree portfast bpdufilter default
And then we can check whether the feature is enabled:
ASW1#sh spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is enabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short
Name Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001 0 0 0 1 1
---------------------- -------- --------- -------- ---------- ----------
1 vlan 0 0 0 1 1
ASW1#
But when a port receives a BPDU, its PortFast state is disabled:
ASW1#sh spanning-tree interface fastEthernet 0/24 portfast
VLAN0001 enabled
[we now plug a switch into port Fa0/24]
ASW1#sh spanning-tree interface fastEthernet 0/24 portfast
VLAN0001 disabled
And then the port accepts BPDUs from neighbors:
ASW1#sh spanning-tree interface fastEthernet 0/24 detail
Port 24 (FastEthernet0/24) of VLAN0001 is root forwarding
Port path cost 19, Port priority 128, Port Identifier 128.24.
Designated root has priority 32769, address 44e4.d96a.3880
Designated bridge has priority 32769, address 44e4.d96a.3880
Designated port id is 128.24, designated path cost 0
Timers: message age 1, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
BPDU: sent 0, received 13
ASW1#sh spanning-tree interface fastEthernet 0/24 detail
Port 24 (FastEthernet0/24) of VLAN0001 is root forwarding
Port path cost 19, Port priority 128, Port Identifier 128.24.
Designated root has priority 32769, address 44e4.d96a.3880
Designated bridge has priority 32769, address 44e4.d96a.3880
Designated port id is 128.24, designated path cost 0
Timers: message age 2, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
BPDU: sent 0, received 15
ASW1#
BPDU Filter can also be enabled on the interface, but you have to remember that it then prevents the port from sending and receiving BPDU packets unconditionally:
ASW1#sh run int fa0/24
Building configuration...
Current configuration : 115 bytes
!
interface FastEthernet0/24
switchport mode access
spanning-tree portfast
spanning-tree bpdufilter enable
end
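The interface stanzas above (BPDU Guard on an access port, and BPDU Filter applied per interface) are worth auditing across a running-config. The following is an added Python example, not from the original post: it splits an IOS running-config into interface stanzas and flags PortFast ports without BPDU Guard (interface or global default) and ports with unconditional interface-level BPDU Filter. The sample config is constructed; Fa0/23 and Gi0/1 are hypothetical.

```python
from typing import Dict, List

# Constructed sample running-config: Fa0/24 mirrors the stanza on this page,
# Fa0/23 (PortFast, no guard) and Gi0/1 (trunk) are hypothetical additions.
SAMPLE_CONFIG = """\
spanning-tree mode pvst
!
interface FastEthernet0/23
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/24
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [its indented config lines]} from an IOS running-config."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # "!" or a global line ends the stanza
    return stanzas

def audit_stp_guards(config: str) -> List[str]:
    """Flag unconditional BPDU Filter ports and PortFast ports that lack BPDU Guard."""
    global_guard = "spanning-tree portfast bpduguard default" in config.splitlines()
    findings = []
    for name, lines in parse_interfaces(config).items():
        portfast = "spanning-tree portfast" in lines
        guard = "spanning-tree bpduguard enable" in lines
        if "spanning-tree bpdufilter enable" in lines:
            findings.append(f"{name}: interface-level BPDU Filter drops all BPDUs "
                            "unconditionally, a loop behind this port cannot be detected")
        elif portfast and not (guard or global_guard):
            findings.append(f"{name}: PortFast without BPDU Guard (no interface or global default)")
    return findings
```

Trunk ports are deliberately ignored; the audit targets the access-port case shown on this page.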
c) Root guard
Root Guard prevents the port on which it is enabled from becoming a root port. This means the switch connected to that interface can't become the root switch for this network segment (ASW1, DSW1 and DSW2). ASW2's STP messages are blocked because the port goes into the 'root inconsistent' state, which means there is no STP communication between them, and the remaining switches start a new root switch election.
 _____     RP     _____
|ASW1 |/________|ASW2 |___ root switch
|_____|         |_____|
   |    \     /    |
   |     \   /     |
   |      \ /      |
   |      / \      | RP
   |     /   \     |/
 _____ /-RP   \  _____
|DSW1 |_________|DSW2 |
|_____|         |_____|
Let’s configure the feature on all RPs (root ports):
DSW2(config)#int Port-channel 1
DSW2(config-if)#spanning-tree guard root
DSW2(config-if)#
*Mar 3 19:42:05.847: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Port-channel1.
*Mar 3 19:42:06.594: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Port-channel1 on VLAN0001.
Now you can see that the port is in the root-inconsistent state:
DSW2#sh spanning-tree
*Mar 3 19:42:48.604: %SYS-5-CONFIG_I: Configured from console by console
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 88f0.7715.0800
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 88f0.7715.0800
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa1/0/5 Desg FWD 19 128.7 P2p
Fa1/0/6 Desg FWD 19 128.8 P2p
Fa1/0/24 Desg FWD 19 128.26 P2p
Po1 Desg BKN*12 128.512 P2p *ROOT_Inc
Po2 Desg FWD 12 128.520 P2p
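The BKN* status and the trailing *ROOT_Inc marker in the table above are what an operator should watch for. Here is an added Python example, not from the original post, that parses the interface table of `sh spanning-tree` and returns every port a guard is holding in an inconsistent state; it handles the *LOOP_Inc marker from the Loop Guard section of this page the same way. The sample output is constructed from the tables on this page, with a second VLAN block added to show per-VLAN attribution.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the "sh spanning-tree" output on this page;
# VLAN0010 is added so the parser must attribute rows to the right VLAN block.
SAMPLE_SHOW = """\
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             This bridge is the root

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa1/0/5             Desg FWD 19        128.7    P2p
Po1                 Desg BKN*12        128.512  P2p *ROOT_Inc
Po2                 Desg FWD 12        128.520  P2p

VLAN0010
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/3               Desg BKN*19        128.5    P2p *LOOP_Inc
Fa0/5               Root LRN 19        128.7    P2p
"""

# One row of the interface table: BKN* marks a port held in an inconsistent
# state and the trailing *REASON names the guard that is holding it.
ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<role>\S+)\s+(?P<sts>[A-Z]{3})(?P<flag>\*?)\s*(?P<cost>\d+)"
    r"\s+(?P<prio>[\d.]+)\s+(?P<type>\S+)(?:\s+\*(?P<reason>\S+))?")

def parse_stp_table(output: str) -> List[Dict[str, str]]:
    """Return one dict per interface row, tagged with the VLAN block it belongs to."""
    rows, vlan, in_table = [], None, False
    for line in output.splitlines():
        if line.startswith("VLAN"):
            vlan, in_table = line.strip(), False
        elif line.startswith("---"):
            in_table = True          # rows start after the dashed separator
        elif in_table and (m := ROW.match(line)):
            rows.append({"vlan": vlan, **m.groupdict()})
        elif not line.strip():
            in_table = False         # blank line ends the table
    return rows

def inconsistent_ports(output: str) -> List[Dict[str, str]]:
    """Ports that a guard has placed in a *_Inc state (ROOT_Inc, LOOP_Inc, ...)."""
    return [{"vlan": r["vlan"], "interface": r["intf"], "reason": r["reason"]}
            for r in parse_stp_table(output) if r["flag"] == "*" or r["reason"]]
```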
d) Loop guard
Loop Guard prevents a blocking or root port from becoming a designated port when it stops receiving BPDUs. Imagine a failure where the link between ASW2 (the root switch) and DSW1 stops carrying BPDUs, but DSW1 is not aware of it. Let's see what happens:
 _____     RP     _____
|ASW1 |/________|ASW2 |___ root switch
|_____|         |_____|
   |    \     /    |
   |     \   /     |
   |      \ /      |
   |      / \      | RP
   |     /   \     |/
 _____ /-RP   \  _____
|DSW1 |_________|DSW2 |
|_____|         |_____|
This is the current port status table, where Fa0/3 on DSW1 is the root port.
DSW1#sh spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 44e4.d96a.3880
Cost 19
Port 5 (FastEthernet0/3)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address e8ba.705a.b600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1 Altn BLK 19 128.3 P2p
Fa0/2 Altn BLK 19 128.4 P2p
Fa0/3 Root FWD 19 128.5 P2p
Fa0/5 Altn BLK 19 128.7 P2p
Fa0/6 Altn BLK 19 128.8 P2p
Now we enable BPDU Filter on ASW2 to simulate a link error:
ASW2(config)#int Fa0/11
ASW2(config-if)#spanning-tree bpdufilter enable
Let’s see what happens on DSW1:
*Apr 25 05:44:21.560: STP: VLAN0001 new root port Fa0/5, cost 31
*Apr 25 05:44:21.560: STP: VLAN0001 Fa0/5 -> listening
DSW1# STP: VLAN1000 new root port Fa0/5, cost 31
*Apr 25 05:44:22.005: STP: VLAN1000 Fa0/5 -> listening
DSW1#sh spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 44e4.d96a.3880
Cost 31
Port 7 (FastEthernet0/5)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address e8ba.705a.b600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1 Altn BLK 19 128.3 P2p
Fa0/2 Altn BLK 19 128.4 P2p
Fa0/3 Desg FWD 19 128.5 P2p
Fa0/5 Root LIS 19 128.7 P2p
Fa0/6 Altn BLK 19 128.8 P2p
DSW1#sh spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 44e4.d96a.3880
Cost 31
Port 7 (FastEthernet0/5)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address e8ba.705a.b600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1 Altn BLK 19 128.3 P2p
Fa0/2 Altn BLK 19 128.4 P2p
Fa0/3 Desg FWD 19 128.5 P2p
Fa0/5 Root LRN 19 128.7 P2p
Fa0/6 Altn BLK 19 128.8 P2p
--More--
*Apr 25 05:44:36.567: STP: VLAN0001 Fa0/5 -> learning
*Apr 25 05:44:51.575: STP[1]: Generating TC trap for port FastEthernet0/5
*Apr 25 05:44:51.575: STP: VLAN0001 sent Topology Change Notice on Fa0/5
*Apr 25 05:44:51.575: STP: VLAN0001 Fa0/5 -> forwarding
As we see, the port Fa0/3 (the one that no longer receives BPDUs) was elected as a designated port, which causes problems like the ones we can see here:
*Apr 25 05:45:07.739: %SW_MATM-4-MACFLAP_NOTIF: Host 88f0.7715.0840 in vlan 1 is flapping between port Fa0/3 and port Fa0/5
*Apr 25 05:45:19.022: %SW_MATM-4-MACFLAP_NOTIF: Host 88f0.7715.0840 in vlan 1 is flapping between port Fa0/5 and port Fa0/3
*Apr 25 05:45:27.058: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5684.2b55 in vlan 1 is flapping between port Fa0/3 and port Fa0/5
*Apr 25 05:45:34.105: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5684.2b55 in vlan 1 is flapping between port Fa0/5 and port Fa0/3
*Apr 25 05:45:34.105: %SW_MATM-4-MACFLAP_NOTIF: Host 88f0.7715.0840 in vlan 1 is flapping between port Fa0/5 and port Fa0/3
*Apr 25 05:45:49.229: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5684.2b55 in vlan 1 is flapping between port Fa0/5 and port Fa0/3
*Apr 25 05:45:49.330: %SW_MATM-4-MACFLAP_NOTIF: Host 88f0.7715.0840 in vlan 1 is flapping between port Fa0/3 and port Fa0/5
*Apr 25 05:46:04.337: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5684.2b55 in vlan 1 is flapping between port Fa0/5 and port Fa0/3
*Apr 25 05:46:04.404: %SW_MATM-4-MACFLAP_NOTIF: Host 88f0.7715.0840 in vlan 1 is flapping between port Fa0/3 and port Fa0/5
*Apr 25 05:46:19.504: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5684.2b55 in vlan 1 is flapping between port Fa0/5 and port Fa0/3
*Apr 25 05:46:19.504: %SW_MATM-4-MACFLAP_NOTIF: Host 88f0.7715.0840 in vlan 1 is flapping between port Fa0/3 and port Fa0/5
*Apr 25 05:46:34.603: %SW_MATM-4-MACFLAP_NOTIF: Host 88f0.7715.0840 in vlan 1 is flapping between port Fa0/3 and port Fa0/5
*Apr 25 05:46:34.603: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5684.2b55 in vlan 1 is flapping between port Fa0/5 and port Fa0/3
*Apr 25 05:46:49.703: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5684.2b55 in vlan 1 is flapping between port Fa0/5 and port Fa0/3
*Apr 25 05:46:49.703: %SW_MATM-4-MACFLAP_NOTIF: Host 88f0.7715.0840 in vlan 1 is flapping between port Fa0/3 and port Fa0/5
*Apr 25 05:47:04.811: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5684.2b55 in vlan 1 is flapping between port Fa0/3 and port Fa0/5
*Apr 25 05:47:04.811: %SW_MATM-4-MACFLAP_NOTIF: Host 88f0.7715.0840 in vlan 1 is flapping between port Fa0/5 and port Fa0/3
*Apr 25 05:47:19.902: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5684.2b55 in vlan 1 is flapping between port Fa0/3 and port Fa0/5
*Apr 25 05:47:19.902: %SW_MATM-4-MACFLAP_NOTIF: Host 88f0.7715.0840 in vlan 1 is flapping between port Fa0/5 and port Fa0/3
*Apr 25 05:47:35.010: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5684.2b55 in vlan 1 is flapping between port Fa0/3 and port Fa0/5
*Apr 25 05:47:35.010: %SW_MATM-4-MACFLAP_NOTIF: Host 88f0.7715.0840 in vlan 1 is flapping between port Fa0/5 and port Fa0/3
*Apr 25 05:47:50.109: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5684.2b55 in vlan 1 is flapping between port Fa0/5 and port Fa0/3
*Apr 25 05:47:50.109: %SW_MATM-4-MACFLAP_NOTIF: Host 88f0.7715.0840 in vlan 1 is flapping between port Fa0/3 and port Fa0/5
DSW1#sh spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 44e4.d96a.3880
Cost 31
Port 7 (FastEthernet0/5)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address e8ba.705a.b600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1 Altn BLK 19 128.3 P2p
Fa0/2 Altn BLK 19 128.4 P2p
Fa0/3 Desg FWD 19 128.5 P2p
Fa0/5 Root FWD 19 128.7 P2p
Fa0/6 Altn BLK 19 128.8 P2p
As we see, despite the problem with the interface, Fa0/3 was elected as the ‘Desg’ port.
Let's do the same test with the 'Loop Guard' feature enabled:
DSW1(config)#spanning-tree loopguard default
On ASW2 I enable BPDU filtering once again:
ASW2(config-if)#spanning-tree bpdufilter enable
DSW1#
*Apr 25 06:07:26.284: %SYS-5-CONFIG_I: Configured from console by consolesh sp
DSW1#sh spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 44e4.d96a.3880
Cost 19
Port 5 (FastEthernet0/3)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address e8ba.705a.b600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1 Altn BLK 19 128.3 P2p
Fa0/2 Altn BLK 19 128.4 P2p
Fa0/3 Root FWD 19 128.5 P2p
Fa0/5 Altn BLK 19 128.7 P2p
Fa0/6 Altn BLK 19 128.8 P2p
DSW1#debug spanning-tree events
Spanning Tree event debugging is on
DSW1#
*Apr 25 06:08:23.772: STP: VLAN0001 sent Topology Change Notice on Fa0/3
*Apr 25 06:08:23.772: STP[1]: Generating TC trap for port FastEthernet0/3
*Apr 25 06:08:23.772: STP: VLAN0001 Fa0/3 -> blocking
*Apr 25 06:08:23.772: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port FastEthernet0/3 on VLAN0001.
*Apr 25 06:08:23.772: STP: VLAN0001 new root port Fa0/5, cost 31
*Apr 25 06:08:23.772: STP: VLAN0001 Fa0/5 -> listening
*Apr 25 06:08:23.780: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Apr 25 06:08:25.776: STP: VLAN0001 sent Topology Change Notice on Fa0/5
*Apr 25 06:08:38.779: STP: VLAN0001 Fa0/5 -> learning
DSW1#sh spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 44e4.d96a.3880
Cost 31
Port 7 (FastEthernet0/5)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address e8ba.705a.b600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1 Altn BLK 19 128.3 P2p
Fa0/2 Altn BLK 19 128.4 P2p
Fa0/3 Desg BKN*19 128.5 P2p *LOOP_Inc
Fa0/5 Root LRN 19 128.7 P2p
Fa0/6 Altn BLK 19 128.8 P2p
--More--
*Apr 25 06:08:53.786: STP[1]: Generating TC trap for port FastEthernet0/5
*Apr 25 06:08:53.786: STP: VLAN0001 sent Topology Change Notice on Fa0/5
*Apr 25 06:08:53.786: STP: VLAN0001 Fa0/5 -> forwarding
*Apr 25 06:08:53.794: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
Now we see the port's status is 'Loop inconsistent', which means all traffic on that port is blocked.
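Every guard on this page announces itself with a syslog mnemonic (BLOCK_BPDUGUARD, BLOCK_BPDUGUARD_VP, ROOTGUARD_BLOCK, LOOPGUARD_BLOCK), while the Loop Guard failure case without the guard shows up only as MACFLAP_NOTIF noise. The following is an added Python example, not from the original post, that classifies those lines: each guard event becomes an alert naming the port, and MAC flaps are counted per host and port pair so a repeating flap is raised as a probable loop. The sample lines are a constructed subset of the console output on this page.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed subset of the syslog lines shown on this page (one per guard
# mnemonic, plus four MAC-flap notices from the Loop Guard test).
SAMPLE_LOG = """\
*Mar 3 16:16:44.904: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/24 with BPDU Guard enabled. Disabling port.
*Mar 3 16:24:22.032: %SPANTREE-2-BLOCK_BPDUGUARD_VP: Received BPDU on port Fa0/24, vlan 1 with BPDU Guard enabled. Disabling vlan.
*Mar 3 19:42:06.594: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Port-channel1 on VLAN0001.
*Apr 25 06:08:23.772: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port FastEthernet0/3 on VLAN0001.
*Apr 25 05:45:07.739: %SW_MATM-4-MACFLAP_NOTIF: Host 88f0.7715.0840 in vlan 1 is flapping between port Fa0/3 and port Fa0/5
*Apr 25 05:45:19.022: %SW_MATM-4-MACFLAP_NOTIF: Host 88f0.7715.0840 in vlan 1 is flapping between port Fa0/5 and port Fa0/3
*Apr 25 05:45:27.058: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5684.2b55 in vlan 1 is flapping between port Fa0/3 and port Fa0/5
*Apr 25 05:45:34.105: %SW_MATM-4-MACFLAP_NOTIF: Host 88f0.7715.0840 in vlan 1 is flapping between port Fa0/5 and port Fa0/3
"""

MNEMONIC = re.compile(r"%(?P<mnemonic>[A-Z_]+-\d-[A-Z_]+): (?P<msg>.*)$")
PORT = re.compile(r"port (?P<port>[A-Za-z\-]+\d[\d/]*)")  # FastEthernet0/24, Fa0/24, Port-channel1
FLAP = re.compile(r"Host (?P<mac>[0-9a-f.]+) in vlan (?P<vlan>\d+) is flapping between port (?P<a>\S+) and port (?P<b>\S+)")

# Guard mnemonics on this page: the guard did its job, so the question for the
# operator is what was plugged into, or what happened on, that port.
GUARD_EVENTS = {
    "SPANTREE-2-BLOCK_BPDUGUARD": "bpduguard err-disabled whole port",
    "SPANTREE-2-BLOCK_BPDUGUARD_VP": "bpduguard err-disabled single VLAN",
    "SPANTREE-2-ROOTGUARD_BLOCK": "rootguard held port root-inconsistent",
    "SPANTREE-2-LOOPGUARD_BLOCK": "loopguard held port loop-inconsistent",
}

def classify(log: str, flap_threshold: int = 3) -> List[Dict[str, str]]:
    """Return guard alerts, then one loop alert per MAC that flapped >= flap_threshold times."""
    alerts, flaps = [], Counter()
    for line in log.splitlines():
        m = MNEMONIC.search(line)
        if not m:
            continue
        name, msg = m.group("mnemonic"), m.group("msg")
        if name in GUARD_EVENTS:
            p = PORT.search(msg)
            alerts.append({"kind": "guard", "port": p.group("port") if p else "?", "detail": GUARD_EVENTS[name]})
        elif name == "SW_MATM-4-MACFLAP_NOTIF" and (f := FLAP.search(msg)):
            ports = tuple(sorted((f.group("a"), f.group("b"))))  # Fa0/3<->Fa0/5 == Fa0/5<->Fa0/3
            flaps[(f.group("mac"), f.group("vlan"), ports)] += 1
    for (mac, vlan, ports), n in flaps.items():
        if n >= flap_threshold:
            alerts.append({"kind": "loop", "port": "<->".join(ports), "detail": f"{mac} vlan {vlan} flapped {n} times, suspect missing loop/bpdu guard"})
    return alerts
```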