0:00:13
Now the next case would be if we want to prevent against these types of attacks in the spanning tree for the Layer 2 man-in-the-middle attack

0:00:21
but we still want to allow some devices to run spanning tree.

0:00:26
This is where the root guard feature is going to come in.

0:00:31
From a design point of view, when we look at the layered Layer 2 network

0:00:38
if we were to have the core switches

0:00:44
that are then connected down to distribution

0:00:50
and from distribution we go down to access. Typically the Layer 2 spanning tree root bridge would be somewhere in the core.

0:01:06
Okay, we'll say maybe this is root for VLANs A. This other one is root for VLANs B.

0:01:12
So we want to make sure that if you want to send traffic between the access layers you have to go to the core of the network first

0:01:20
instead of going through some of the distribution layers.

0:01:23
Okay, the way we control this is just by setting the spanning tree root to be in the core, so then if A1 wants to get to A2

0:01:32
the traffic is going to have to go up to the core, over, and down. Okay? Even if there's some sort of diverse link connectivity where maybe these two

0:01:40
distribution switches are connected, or even if someone connects the access layer switches together, we wouldn't be able to use those links for transit

0:01:49
because we have to go up to the root bridge first.

0:01:53
Now in this type of design what we would want to prevent against is someone in the access layer or someone in the distribution layer

0:02:03
either accidentally electing the wrong root bridge or someone purposely advertising themselves as root for the purpose of doing the Layer 2 man-in-the-middle attack.

0:02:15
This is where the root guard feature comes in. So on the core of the network, on the downstream-facing interfaces,

0:02:24
and on the distribution level facing downstream, we would enable the root guard.

0:02:31
This feature says check the BPDUs as they come in.

0:02:37
I'm going to allow spanning tree updates to come in, but in the case where a superior

0:02:46
BPDU comes in, which is a better cost to the root bridge, then we're going to disable that link

0:02:53
or more specifically we'll disable that instance of spanning tree. So it's on a per-VLAN basis

0:03:00
or in the case of multiple spanning tree it would be on a per user-defined instance where we would disable the link.

0:03:09
So typically this would be in the Layer 2 core facing downstream and then the Layer 2 distribution facing downstream.

0:03:20
So let's look at this within the case of our topology. Okay, we have again switch four that is connected to router four and router six.

0:03:32
Previously I had the BPDU guard feature configured so that when any of these devices sent any spanning tree packets in

0:03:40
the links were disabled. In this case we'll look at it with root guard, where it should only care about the superior BPDUs, or the advertisement which is a better cost to the root bridge.

0:04:02
So first on switch four let's remove the previous configuration we had. If we show run include spanning tree

0:04:11
I want to remove the port fast default and remove the BPDU guard default.

0:04:23
Okay, also we saw we had this at the interface level on one of these

0:04:30
so I'm going to remove this on router four's port.

0:04:35
Instead at these interfaces we are going to run the spanning tree guard root

0:04:43
on both router four and six's interfaces.

0:04:51
Now on four and six we're going to configure bridging. So on router four we'll say bridge

0:05:00
ten protocol IEEE, but the bridge ten priority is going to be the highest numerical value.

0:05:11
So we could see there it tells us a lower priority is more likely to be the root bridge. I'm setting my priority to be the maximum so I'm the least likely to be elected root.

0:05:22
Then at the link level we'll enable the bridge group, bridge group ten.

0:05:28
Likewise, router six is going to do the same thing. Bridge ten protocol IEEE.

0:05:40
Bridge ten priority is 65535 and then at the link level bridge ten...or bridge group ten.

0:05:55
If we look at our topology diagram router four is configured in VLAN 20, router six is configured in VLAN 30.

0:06:05
So I now want to know who are the root bridges for VLANs 20 and 30.

0:06:16
So next I'm going to go to switch one and configure switch one to be the root for those. We'll say spanning tree VLAN 20 root primary,

0:06:28
spanning tree VLAN 30 root primary. So I don't care what the priority value is, I just want mine to be lower than what the current root is.

0:06:38
If we show spanning tree root, we see that for VLANs 20 and 30 our root cost is zero.

0:06:53
This means that we are the root bridge for these particular instances, which is what we expect because we issued the root primary command.

0:07:02
Okay, we can see what our MAC address is there. It's 9B80. If we were to look at router four and six

0:07:12
and show spanning tree ten, where ten is the bridge group number I created,

0:07:20
we see that the current root has that particular address 9B80.

0:07:29
This effectively means that the BPDUs coming from switch one

0:07:38
are going from switch one to switch three, switch three to switch four, and switch four out to router four and likewise out to router six.

0:07:49
These are going to be two different instances of spanning tree because switch four has separate VLAN numbers assigned to the links. We have VLANs 20 and 30.

0:07:58
Likewise, if we look on router six and show spanning tree VLAN 10

0:08:08
or show spanning tree ten, not VLAN ten,

0:08:15
we see that same value 9B80 and then the priority number that reflects that this is VLAN 30.

0:08:27
So if we were to look at the actual priority number that is on switch one

0:08:34
it is for this particular VLAN 24606. That's what router six sees here - 24606.

0:08:47
Okay, so this is at least telling us up to this point that those two routers are participating in the spanning tree domain.

0:08:54
Switch four has not disabled either of those links because the guard feature that we're running is listening just for the superior BPDUs.

0:09:04
If we look at the show spanning tree interface FastEthernet four detail

0:09:17
we see that we are the designated bridge, so this is our priority, this is our MAC address. We are sending and receiving BPDUs and root guard is enabled.

0:09:31
The link is not disabled though. Forwarding is going to be fine. If we now were to go to router four and change the bridge priority to be lower,

0:09:40
so if we say the priority is zero, once switch four starts to receive these advertisements, now the root guard feature is going to kick in.

0:09:53
If we look at the show spanning tree interface FastEthernet four detail it says that the...it says VLAN 20 is broken.

0:10:06
VLAN 20 is broken because we have a root inconsistent state. So this is talking about the root guard.

0:10:15
So at this point router four would no longer be able to send any traffic into the network.

0:10:23
Switch four will continue to monitor the link and once router four stops sending

0:10:30
these superior BPDUs, then switch four should be able to enable the link. If we look at the show interface status

0:10:42
it says that FastEthernet four is connected, which can be a little bit confusing because the link is not actually being used;

0:10:50
we would have to look at the show spanning tree on the interface to see if it is actually blocking or not.

0:10:57
Okay, but now at this point, since router four is no longer advertising superior BPDUs, then we could allow this link to be used.

0:11:09
So again, configuration-wise this is at the port level, spanning tree guard root, and in a normal design we would want to use this at the access or distribution layers

0:11:22
or excuse me, the core or distribution layers, pointing downstream towards the access.

0:11:29
You could technically do it on the access layer as well, but normally you would run either BPDU filter or BPDU guard down there to begin with.