
CCNP Switch Lab 6-2 Securing Spanning Tree Protocol

February 13, 2020 by Marques Brownlee


Topology

[Figure: lab topology diagram]

Objectives

  • Secure the Layer 2 spanning-tree topology with BPDU guard.
  • Protect the primary and secondary root bridge with root guard.
  • Protect switch ports from unidirectional links with UDLD.

Background

This lab is a continuation of Lab 6-1 and uses the network configuration set up in that lab. In this lab, you will secure the network against possible spanning-tree disruptions, such as rogue access point additions and the loss of stability to the root bridge by the addition of switches to the network. The improper addition of switches to the network can be either malicious or accidental. In either case, the network can be secured against such a disruption.

Note: This lab uses Cisco WS-C2960-24TT-L switches with the Cisco IOS image c2960-lanbasek9-mz.122-46.SE.bin, and Catalyst 3560-24PS switches with the Cisco IOS image c3560-advipservicesk9-mz.122-46.SE.bin. You can use other switches (such as 2950 or 3550) and Cisco IOS Software versions if they have comparable capabilities and features. Depending on the switch model and Cisco IOS Software version, the commands available and output produced might vary from what is shown in this lab.

Required Resources

  • 2 switches (Cisco 2960 with the Cisco IOS Release 12.2(46)SE C2960-LANBASEK9-M image or comparable)
  • 2 switches (Cisco 3560 with the Cisco IOS Release 12.2(46)SE C3560-ADVIPSERVICESK9-mz image or comparable)
  • Ethernet and console cables

Note: Be sure to save your final device configurations to use with the next lab.

Step 1: Load or verify the configurations from Lab 6-1.

a. Verify that the configurations from Lab 6-1 are loaded on the devices by issuing the show vtp status command. The output should show that the current VTP domain is SWPOD, and VLANs 100 and 200 should be represented in the number of existing VLANs. The output from switch ALS2 is shown as an example. If the switches are not configured properly, erase the startup config, delete the vlan.dat file, and load the configurations saved at the end of Lab 6-1.

Note: If you are loading the configurations from Lab 6-1, they do not include VLAN and VTP commands. You must first configure ALS1 and ALS2 as VTP clients and then create VLANs 100 (staff) and 200 (student) and the VTP domain name on DLS1. Refer to Lab 6-1 for assistance.

ALS1# show vtp status
VTP Version : running VTP2
Configuration Revision : 4
Maximum VLANs supported locally : 255
Number of existing VLANs : 7
VTP Operating Mode : Client
VTP Domain Name : SWPOD
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x18 0x59 0xE2 0xE0 0x28 0xF3 0xE7 0xD1
Configuration last modified by 172.16.1.3 at 3-12-93 19:46:16

How many VLANs exist in the network? How many of these are defaults?
There are seven VLANs in the network; five of these are built in.

b. Issue the show vlan brief command on DLS1. The student and staff VLANs should be listed in the output of this command.

[Screenshot: show vlan brief output on DLS1]

Which ports are not listed for VLAN 1? Why is this?
Ports Fa0/7 through Fa0/12 are not listed because they were configured as trunk ports.

c. Issue the show interfaces trunk command on DLS2. If trunking was configured properly in Lab 6-1, interfaces Fast Ethernet 0/7–0/12 should be in trunking mode on all switches.
[Screenshot: show interfaces trunk output on DLS2]

Are any VLANs being pruned from these trunks? How can you tell?
Yes. All the VLANs that are not being used and, therefore, do not need to be trunked, are pruned. The last section of the output of the show interfaces trunk command shows the VLANs that are not pruned.

d. Issue the show spanning-tree vlan 1 command on DLS2. The results from this command might vary, and DLS2 might not be the root in your topology. In the following output, this bridge is currently the root of the spanning tree.

[Screenshot: show spanning-tree vlan 1 output on DLS2]

Where is the spanning-tree root in your lab network? Is this root bridge optimal for your network?
In the example shown, the root is DLS2. It would be optimal for the distribution layer switches to be root switches.

What is the priority of the current root bridge?
The priority is 32769.

Step 2: Configure the primary and secondary root bridges for the VLANs.

In most cases, you must manually configure the spanning-tree root to ensure optimized paths throughout the Layer 2 network. This topic is covered in Module 3. For this scenario, DLS1 acts as the root for VLANs 1 and 100 and performs the secondary function for VLAN 200. In addition, DLS2 is the primary root bridge for VLAN 200 and secondary bridge for VLANs 1 and 100.

a. Configure STP priority for the primary and secondary roots using the spanning-tree vlan vlan-id root {primary | secondary} command.

DLS1(config)# spanning-tree vlan 1,100 root primary
DLS1(config)# spanning-tree vlan 200 root secondary
DLS2(config)# spanning-tree vlan 1,100 root secondary
DLS2(config)# spanning-tree vlan 200 root primary

b. Verify the configuration on both DLS1 and DLS2 using the show spanning-tree command.
[Screenshots: show spanning-tree output on DLS1 and DLS2]

According to the output, what is the root for VLAN 100? For VLAN 200?
The root bridge for VLAN 100 is DLS1. The root bridge for VLAN 200 is DLS2.

Step 3: Configure root guard.

To maintain an efficient STP topology, the root bridge must remain predictable. If a foreign or rogue switch is maliciously or accidentally added to the network, the STP topology could be changed if the new switch has a lower BID than the current root bridge. Root guard helps prevent this by putting a port that hears these BPDUs in the root-inconsistent state. Data cannot be sent or received over the port while it is in this state, but the switch can listen to BPDUs received on the port to detect a new root advertising itself. Root guard is enabled on a per-port basis with the spanning-tree guard root command. You should use root guard on switch ports where you would never expect to find the root bridge for a VLAN.

a. In the topology diagram, Fast Ethernet ports 0/13 and 0/14 on each switch are not being used as trunk or access ports. It is possible that a switch could be accidentally or maliciously added to those ports. Configure root guard on these ports to ensure that if a switch is added, it is not allowed to take over as root.

DLS1(config)# interface range fastEthernet 0/13 - 14
DLS1(config-if-range)# spanning-tree guard root

b. Configure root guard on the same ports for DLS2, ALS1, and ALS2.

What will happen if a switch is connected to Fa0/13 via a crossover cable?
The port could go into an inconsistent state if the new switch tries to become the root bridge.
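The answer above says the port "could" go root-inconsistent, and the decision depends on whether the received BPDU is superior to what the switch itself advertises on that port. The following Python model is an added example, not part of the original lab; the MAC addresses, the priority 4096 switch and the assumption that ALS2 Fa0/9 faces the root directly are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int  # configured priority + VLAN ID (extended system ID)
    mac: str       # constructed MACs in one format, so string order = numeric order

@dataclass(frozen=True, order=True)
class Bpdu:
    root: BridgeId    # bridge the sender believes is root
    cost: int         # sender's path cost to that root
    sender: BridgeId  # sender's own bridge ID

def on_receive(port_info: Bpdu, received: Bpdu, root_guard: bool) -> str:
    """Decide what a port does with a received BPDU.

    port_info is what this switch itself advertises on the port. A received
    BPDU is superior when its (root, cost, sender) vector compares lower.
    """
    if received >= port_info:
        return "designated, forwarding"      # inferior BPDU: nothing changes
    if root_guard:
        return "root-inconsistent, blocked"  # superior BPDU refused by root guard
    return "superior BPDU accepted, topology recalculated"

def claims_root(bridge: BridgeId) -> Bpdu:
    """BPDU sent by a freshly connected switch: it announces itself as root."""
    return Bpdu(root=bridge, cost=0, sender=bridge)

VLAN = 1
FA_COST = 19  # short-mode STP path cost of a 100 Mb/s link
DLS1 = BridgeId(24576 + VLAN, "0000.0000.0d01")         # root primary for VLAN 1 (Step 2)
ALS2 = BridgeId(32768 + VLAN, "0000.0000.0a02")         # default priority, 32769
NEW_DEFAULT = BridgeId(32768 + VLAN, "0000.0000.0f03")  # added switch, default priority
NEW_LOW = BridgeId(4096 + VLAN, "0000.0000.0f03")       # added switch, priority 4096

def scenarios() -> dict:
    dls1_fa13 = Bpdu(root=DLS1, cost=0, sender=DLS1)       # DLS1 is the root
    als2_fa9 = Bpdu(root=DLS1, cost=FA_COST, sender=ALS2)  # ALS2 is one hop from the root
    return {
        # Step 3: a default-priority switch on Fa0/13 cannot beat the root
        "default_switch_guarded": on_receive(dls1_fa13, claims_root(NEW_DEFAULT), True),
        # Step 3: a lower-priority switch on Fa0/13 is refused by root guard
        "low_priority_guarded": on_receive(dls1_fa13, claims_root(NEW_LOW), True),
        # Same BPDU on an unguarded port: the root would change
        "low_priority_unguarded": on_receive(dls1_fa13, claims_root(NEW_LOW), False),
        # Step 4: root guard on ALS2's root port blocks the real root's BPDU
        "root_port_guarded": on_receive(als2_fa9, claims_root(DLS1), True),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The last scenario is the case Step 4 demonstrates: the BPDU from the legitimate root is superior to anything ALS2 advertises, so root guard on a root port blocks it.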

Step 4: Demonstrate root guard functionality.

Verify your configuration to make sure that root guard was not accidentally configured on a port that should hear root advertisements, such as a port on ALS2 that is connected to the root bridge.

a. Use the show spanning-tree vlan 1 command on ALS2 to look for a root port. In the following example,
[Screenshots: show spanning-tree vlan 1 output on ALS2]

b. Configure root guard on the root port that you found. Note that this configuration is for teaching purposes only. This would not be done in a production network.

ALS2(config)# interface FastEthernet 0/9
ALS2(config-if)# spanning-tree guard root

Notice that as soon as you issue this command, you receive a message that root guard has been enabled and that the port is now in the blocking state for the specific VLANs configured. This port has been transitioned to this state because it receives a BPDU that claims to be the root.

1w4d: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/9.
1w4d: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/9 on VLAN0001.

c. Verify which ports are in this inconsistent state with the show spanning-tree inconsistentports command.

 ALS2# show spanning-tree inconsistentports
 Name Interface Inconsistency
 -------------------- ---------------------- ------------------
 VLAN0001 FastEthernet0/9 Root Inconsistent
 VLAN0100 FastEthernet0/9 Root Inconsistent
 VLAN0200 FastEthernet0/9 Root Inconsistent
 Number of inconsistent ports (segments) in the system : 3

d. Because this configuration is not intended for normal operation, remove it using the no spanning-tree guard root command.

ALS2(config)# interface FastEthernet 0/9
 ALS2(config-if)# no spanning-tree guard root

When the configuration is removed, a message indicates that the port is being unblocked.

1w4d: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard disabled on port FastEthernet0/9.
1w4d: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/9 on VLAN0001.
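On a monitored network, the ROOTGUARD_BLOCK and ROOTGUARD_UNBLOCK messages shown in this step are the signal that a superior BPDU arrived on a guarded port. The following Python sketch is an added example, not part of the original lab: it replays syslog lines and rebuilds the same view that show spanning-tree inconsistentports gives. The sample lines are constructed from the message formats above, with the VLAN0100 and VLAN0200 lines assumed.

```python
import re
from collections import Counter

# Matches the two state-changing root guard messages shown in this step.
EVENT = re.compile(
    r"%SPANTREE-2-ROOTGUARD_(?P<kind>BLOCK|UNBLOCK): Root guard "
    r"(?:un)?blocking port (?P<port>\S+) on (?P<vlan>VLAN\d+)"
)

def track_root_guard(lines):
    """Replay syslog lines.

    Returns (rows, block_count): rows lists the (VLAN, port, state) entries
    that are still root-inconsistent after the last line; block_count is the
    number of BLOCK events seen per port, useful for spotting a port that
    keeps receiving superior BPDUs.
    """
    blocked = set()
    block_count = Counter()
    for line in lines:
        m = EVENT.search(line)
        if m is None:
            continue  # CONFIG_CHANGE and unrelated messages carry no per-VLAN state
        key = (m["vlan"], m["port"])
        if m["kind"] == "BLOCK":
            blocked.add(key)
            block_count[m["port"]] += 1
        else:
            blocked.discard(key)
    rows = [(vlan, port, "Root Inconsistent") for vlan, port in sorted(blocked)]
    return rows, dict(block_count)

# Constructed sample log in the format of the messages shown in this lab.
SAMPLE_LOG = [
    "1w4d: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/9.",
    "1w4d: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/9 on VLAN0001.",
    "1w4d: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/9 on VLAN0100.",
    "1w4d: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/9 on VLAN0200.",
    "1w4d: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard disabled on port FastEthernet0/9.",
    "1w4d: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/9 on VLAN0001.",
    "1w4d: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/9 on VLAN0100.",
    "1w4d: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/9 on VLAN0200.",
]

if __name__ == "__main__":
    rows, counts = track_root_guard(SAMPLE_LOG[:4])  # state after root guard was enabled
    for vlan, port, state in rows:
        print(f"{vlan:<10} {port:<18} {state}")
    print("block events per port:", counts)
```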

Step 5: Configure BPDU guard.

Because PortFast is enabled on all user access ports on ALS1 and ALS2, BPDUs are not expected to be heard on these ports. Any BPDUs that are heard could result in a disruption of the STP topology, so you should protect these ports from any type of accidental or malicious behavior which leads to BPDUs arriving at the port. If a rogue access point or switch is placed on these ports, BPDUs would most likely be heard. BPDU guard protects ports from this type of situation by placing the interface in the error-disable state. The BPDU guard feature provides a secure response to invalid configurations because the network administrator must manually put the interface back in service.

a. To enable BPDU guard on PortFast-enabled ports, use the spanning-tree portfast bpduguard default global configuration command.

ALS1(config)# spanning-tree portfast bpduguard default
ALS2(config)# spanning-tree portfast bpduguard default

b. Verify your configuration using the show spanning-tree summary command.

[Screenshot: show spanning-tree summary output]

Which action will be taken if a wireless access point sending BPDUs is connected to Fa0/15 on ALS1?
If the port was configured as an access port, it should go into an error-disabled state. If the port was configured as a trunk port, BPDU guard should not take effect.

Step 6: Enable broadcast storm control on trunk ports.

If a basic unmanaged switch is connected to an access port, a broadcast storm can result, which can lead to network failure. Implementing broadcast storm protection on trunk interfaces can help prevent this.

a. Enable storm control for broadcasts on Fast Ethernet ports 0/7 and 0/8 on ALS1 with a 50 percent rising suppression level using the storm-control broadcast command. ALS1 trunk ports Fa0/7 and Fa0/8 are shown here as an example.

ALS1(config)# interface FastEthernet 0/7
ALS1(config-if)# storm-control broadcast level 50
ALS1(config-if)# interface FastEthernet 0/8
ALS1(config-if)# storm-control broadcast level 50

b. Verify the configuration of interface Fa0/7 with the show running-config command.

ALS1# show running-config interface fastEthernet 0/7
 Building configuration...
 Current configuration : 155 bytes
 !
 interface FastEthernet0/7
 switchport mode trunk
 storm-control broadcast level 50.00
 ip dhcp snooping trust
 end

Step 7: Configure UDLD.

A unidirectional link occurs when traffic is transmitted between neighbors in one direction only. Unidirectional links can cause spanning-tree topology loops. UDLD allows devices to detect when a unidirectional link exists and shut down the affected interface.

You can configure UDLD on a per-port basis or globally for all fiber-optic gigabit interfaces. The aggressive keyword places the port in the error-disable state when a violation occurs on the port.

DLS1(config)# udld ?
  aggressive  Enable UDLD protocol in aggressive mode on fiber ports except where locally configured
  enable      Enable UDLD protocol on fiber ports except where locally configured

a. Enable UDLD protection on Fast Ethernet ports 1–24 on all switches using the udld port aggressive command. Configure UDLD globally for all fiber-optic gigabit interfaces for future use using the udld enable command.

Note: This lab assumes the existence of fiber-optic gigabit ports, although this might not be the case with your lab equipment.

DLS1(config)# interface range FastEthernet 0/1 - 24
DLS1(config-if-range)# udld port aggressive
DLS1(config-if-range)# exit
DLS1(config)# udld enable

DLS2(config)# interface range FastEthernet 0/1 - 24
DLS2(config-if-range)# udld port aggressive
DLS2(config-if-range)# exit
DLS2(config)# udld enable

ALS1(config)# interface range FastEthernet 0/1 - 24
ALS1(config-if-range)# udld port aggressive
ALS1(config-if-range)# exit
ALS1(config)# udld enable

ALS2(config)# interface range FastEthernet 0/1 - 24
ALS2(config-if-range)# udld port aggressive
ALS2(config-if-range)# exit
ALS2(config)# udld enable

b. Verify your configuration using the show udld interface-id command.

ALS2# show udld Fa0/15
 Interface Fa0/15
 ---
 Port enable administrative configuration setting: Enabled / in aggressive
 mode
 Port enable operational state: Enabled / in aggressive mode
 Current bidirectional state: Unknown
 Current operational state: Link down
 Message interval: 7
 Time out interval: 5
 No neighbor cache information stored

What is the operation state of this interface?
The operational state of this interface is link down.

Note: Although not configured in this lab, loop guard can be configured as an alternative or in addition to UDLD. The functionality of the two features overlaps in part, in the sense that both protect against STP failures caused by unidirectional links. Based on your design considerations, you can choose UDLD, loop guard, or both. With regard to STP, the most noticeable difference between the two features is that UDLD offers no protection against STP failures caused by software problems, where the designated switch stops sending BPDUs. However, this type of failure is (by an order of magnitude) rarer than failures caused by unidirectional links. In return, UDLD might be more flexible in the case of unidirectional links on an EtherChannel. In this case, UDLD disables only the failed links, and the channel should remain functional with the links that remain. In such a failure, loop guard puts the channel into the loop-inconsistent state, which blocks the whole channel.

Note: Save your final device configurations for use with the next lab.
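Before saving the configurations, the protections from Steps 5 through 7 can be checked mechanically against a running-config. The following Python audit is an added example, not part of the original lab. It assumes each interface block ends at a "!" line, as in the listings below, and the sample config is a constructed excerpt in the style of ALS1 with one deliberately changed port (Fa0/16 without PortFast).

```python
import re

def parse_config(text):
    """Split an IOS config into global lines and per-interface command lists.
    Assumes every interface block is terminated by a '!' line."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        m = re.fullmatch(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif current is not None:
            current.append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces

def audit(text):
    """Return {interface: [findings]} for physical ports with a gap."""
    global_lines, interfaces = parse_config(text)
    global_guard = "spanning-tree portfast bpduguard default" in global_lines
    findings = {}
    for name, cmds in interfaces.items():
        if name.lower().startswith("vlan"):
            continue  # SVIs carry none of these features
        issues = []
        portfast = "spanning-tree portfast" in cmds
        # The global default only protects ports that run PortFast.
        guarded = "spanning-tree bpduguard enable" in cmds or (global_guard and portfast)
        if "switchport mode access" in cmds and not guarded:
            why = ("no PortFast, so the global default does not apply"
                   if global_guard else "no global default and no per-port setting")
            issues.append(f"access port without BPDU guard ({why})")
        if "switchport mode trunk" in cmds and not any(
                c.startswith("storm-control broadcast") for c in cmds):
            issues.append("trunk without broadcast storm control")
        if not any(c.startswith("udld port") for c in cmds):
            issues.append("no per-port UDLD")
        if issues:
            findings[name] = issues
    return findings

def root_guard_ports(text):
    """List interfaces that carry 'spanning-tree guard root'."""
    _, interfaces = parse_config(text)
    return [n for n, cmds in interfaces.items() if "spanning-tree guard root" in cmds]

# Constructed sample: ALS1-style excerpt; Fa0/16 lacks PortFast on purpose.
SAMPLE_CONFIG = """\
hostname ALS1
!
spanning-tree portfast bpduguard default
!
interface FastEthernet0/7
switchport mode trunk
udld port aggressive
storm-control broadcast level 50.00
!
interface FastEthernet0/9
switchport mode trunk
udld port aggressive
!
interface FastEthernet0/13
udld port aggressive
spanning-tree guard root
!
interface FastEthernet0/15
switchport mode access
udld port aggressive
spanning-tree portfast
!
interface FastEthernet0/16
switchport mode access
udld port aggressive
!
end
"""

if __name__ == "__main__":
    for port, issues in audit(SAMPLE_CONFIG).items():
        print(port, "->", "; ".join(issues))
```

Fa0/9 is reported because the lab applies storm control only to Fa0/7 and Fa0/8 on ALS1, and Fa0/16 because the global BPDU guard default covers only PortFast-enabled ports.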

Device Configurations (Instructor version)

Switch DLS1

hostname DLS1
 !
 enable secret class
 !
 ip routing
 !
 ip dhcp relay information trust-all
 !
 udld enable
 !
 spanning-tree vlan 1,100 priority 24576
 spanning-tree vlan 200 priority 28672
 !
 interface FastEthernet0/1
 udld port aggressive
 !
 interface FastEthernet0/2
 udld port aggressive
 !
 interface FastEthernet0/3
 udld port aggressive
 !
 interface FastEthernet0/4
 udld port aggressive
 !
 interface FastEthernet0/5
 udld port aggressive
 !
 interface FastEthernet0/6
 udld port aggressive
 !
 interface FastEthernet0/7
 switchport trunk encapsulation dot1q
 switchport mode trunk
 udld port aggressive
 !
 interface FastEthernet0/8
 switchport trunk encapsulation dot1q
 switchport mode trunk
 udld port aggressive
 !
 interface FastEthernet0/9
 switchport trunk encapsulation dot1q
 switchport mode trunk
 udld port aggressive
 !
 interface FastEthernet0/10
 switchport trunk encapsulation dot1q
 switchport mode trunk
 udld port aggressive
 !
 interface FastEthernet0/11
 switchport trunk encapsulation dot1q
 switchport mode trunk
 udld port aggressive
 !
 interface FastEthernet0/12
 switchport trunk encapsulation dot1q
 switchport mode trunk
 udld port aggressive
 !
 interface FastEthernet0/13
 udld port aggressive
 spanning-tree guard root
 !
 interface FastEthernet0/14
 udld port aggressive
 spanning-tree guard root
 !
 interface FastEthernet0/15
 udld port aggressive
 !
 interface FastEthernet0/16
 udld port aggressive
 !
 interface FastEthernet0/17
 udld port aggressive
 !
 interface FastEthernet0/18
 udld port aggressive
 !
 interface FastEthernet0/19
 udld port aggressive
 !
 interface FastEthernet0/20
 udld port aggressive
 !
 interface FastEthernet0/21
 udld port aggressive
 !
 interface FastEthernet0/22
 udld port aggressive
 !
 interface FastEthernet0/23
 udld port aggressive
 !
 interface FastEthernet0/24
 udld port aggressive
 !
 interface Vlan1
 ip address 172.16.1.3 255.255.255.0
 standby 1 ip 172.16.1.1
 standby 1 priority 150
 standby 1 preempt
 no shutdown
 !
 interface Vlan100
 ip address 172.16.100.3 255.255.255.0
 standby 1 ip 172.16.100.1
 standby 1 priority 150
 standby 1 preempt
 !
 interface Vlan200
 ip address 172.16.200.3 255.255.255.0
 standby 1 ip 172.16.200.1
 standby 1 preempt
 !
 line vty 0 4
 password cisco
 login
 line vty 5 15
 password cisco
 login
 !
 end

Switch DLS2

hostname DLS2
 !
 enable secret class
 !
 ip routing
 !
 ip dhcp relay information trust-all
 !
 udld enable
 !
 spanning-tree vlan 1,100 priority 28672
 spanning-tree vlan 200 priority 24576
 !
 interface FastEthernet0/1
 udld port aggressive
 !
 interface FastEthernet0/2
 udld port aggressive
 !
 interface FastEthernet0/3
 udld port aggressive
 !
 interface FastEthernet0/4
 udld port aggressive
 !
 interface FastEthernet0/5
 udld port aggressive
 !
 interface FastEthernet0/6
 udld port aggressive
 !
 interface FastEthernet0/7
 switchport trunk encapsulation dot1q
 switchport mode trunk
 udld port aggressive
 !
 interface FastEthernet0/8
 switchport trunk encapsulation dot1q
 switchport mode trunk
 udld port aggressive
 !
 interface FastEthernet0/9
 switchport trunk encapsulation dot1q
 switchport mode trunk
 udld port aggressive
 !
 interface FastEthernet0/10
 switchport trunk encapsulation dot1q
 switchport mode trunk
 udld port aggressive
 !
 interface FastEthernet0/11
 switchport trunk encapsulation dot1q
 switchport mode trunk
 udld port aggressive
 !
 interface FastEthernet0/12
 switchport trunk encapsulation dot1q
 switchport mode trunk
 udld port aggressive
 !
 interface FastEthernet0/13
 udld port aggressive
 spanning-tree guard root
 !
 interface FastEthernet0/14
 udld port aggressive
 spanning-tree guard root
 !
 interface FastEthernet0/15
 udld port aggressive
 !
 interface FastEthernet0/16
 udld port aggressive
 !
 interface FastEthernet0/17
 udld port aggressive
 !
 interface FastEthernet0/18
 udld port aggressive
 !
 interface FastEthernet0/19
 udld port aggressive
 !
 interface FastEthernet0/20
 udld port aggressive
 !
 interface FastEthernet0/21
 udld port aggressive
 !
 interface FastEthernet0/22
 udld port aggressive
 !
 interface FastEthernet0/23
 udld port aggressive
 !
 interface FastEthernet0/24
 udld port aggressive
 !
 interface Vlan1
 ip address 172.16.1.4 255.255.255.0
 standby 1 ip 172.16.1.1
 standby 1 preempt
 no shutdown
 !
 interface Vlan100
 ip address 172.16.100.4 255.255.255.0
 standby 1 ip 172.16.100.1
 standby 1 preempt
 !
 interface Vlan200
 ip address 172.16.200.4 255.255.255.0
 standby 1 ip 172.16.200.1
 standby 1 priority 150
 standby 1 preempt
 !
 line vty 0 4
 password cisco
 login
 line vty 5 15
 password cisco
 login
 !
 end
 

Switch ALS1

hostname ALS1
!
enable secret class
!
username janedoe password 0 cisco
username johndoe password 0 cisco
username joesmith password 0 cisco
aaa new-model
aaa authentication dot1x default local
!
udld enable
! 
ip dhcp snooping vlan 100,200
ip dhcp snooping
!
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
udld port aggressive
!
interface FastEthernet0/2
udld port aggressive
!
interface FastEthernet0/3
udld port aggressive
!
interface FastEthernet0/4
udld port aggressive
!
interface FastEthernet0/5
udld port aggressive
!
interface FastEthernet0/6
udld port aggressive
!
interface FastEthernet0/7
switchport mode trunk
udld port aggressive
storm-control broadcast level 50.00
ip dhcp snooping trust
!
interface FastEthernet0/8
switchport mode trunk
udld port aggressive
storm-control broadcast level 50.00
ip dhcp snooping trust
!
interface FastEthernet0/9
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/10
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/11
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/12
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/13
udld port aggressive
spanning-tree guard root
!
interface FastEthernet0/14
udld port aggressive
spanning-tree guard root
!
interface FastEthernet0/15
switchport access vlan 100
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
udld port aggressive
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/16
switchport access vlan 100
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
udld port aggressive
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/17
switchport access vlan 100
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
udld port aggressive
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/18
switchport access vlan 100
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
udld port aggressive
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/19
switchport access vlan 100
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
udld port aggressive
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/20
switchport access vlan 100
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
udld port aggressive
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/21
switchport access vlan 100
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
udld port aggressive
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/22
switchport access vlan 100
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
udld port aggressive
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/23
switchport access vlan 100
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
udld port aggressive
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/24
switchport access vlan 100
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
udld port aggressive
dot1x port-control auto
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface Vlan1
ip address 172.16.1.101 255.255.255.0
no shutdown
!
ip default-gateway 172.16.1.1
!
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
end

Switch ALS2

hostname ALS2
!
enable secret class
!
udld enable
!
ip dhcp snooping vlan 100,200
ip dhcp snooping
!
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
udld port aggressive
!
interface FastEthernet0/2
udld port aggressive
!
interface FastEthernet0/3
udld port aggressive
!
interface FastEthernet0/4
udld port aggressive
!
interface FastEthernet0/5
udld port aggressive
!
interface FastEthernet0/6
udld port aggressive
!
interface FastEthernet0/7
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/8
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/9
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/10
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/11
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/12
switchport mode trunk
udld port aggressive
ip dhcp snooping trust
!
interface FastEthernet0/13
udld port aggressive
spanning-tree guard root
!
interface FastEthernet0/14
udld port aggressive
spanning-tree guard root
!
interface FastEthernet0/15
switchport access vlan 200
switchport mode access
switchport port-security
udld port aggressive
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/16
switchport access vlan 200
switchport mode access
switchport port-security
udld port aggressive
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/17
switchport access vlan 200
switchport mode access
switchport port-security
udld port aggressive
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/18
switchport access vlan 200
switchport mode access
switchport port-security
udld port aggressive
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/19
switchport access vlan 200
switchport mode access
switchport port-security
udld port aggressive
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/20
switchport access vlan 200
switchport mode access
switchport port-security
udld port aggressive
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/21
switchport access vlan 200
switchport port-security
switchport mode access
udld port aggressive
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/22
switchport access vlan 200
switchport mode access
switchport port-security
udld port aggressive
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/23
switchport access vlan 200
switchport mode access
switchport port-security
udld port aggressive
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface FastEthernet0/24
switchport access vlan 200
switchport mode access
switchport port-security
udld port aggressive
spanning-tree portfast
ip dhcp snooping limit rate 20
!
interface Vlan1
ip address 172.16.1.102 255.255.255.0
no shutdown
!
ip default-gateway 172.16.1.1
!
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
end
