Wednesday, 31 August 2016

STP - Spanning Tree Protocol Explained With Examples


In this tutorial I will explain Spanning Tree Protocol (STP) with examples. For backup purpose we usually create redundant links. Redundant links are extremely useful in preventing entire network down situation that is triggered from single link failure. With all of its advantages, redundant link is a double edged sword. It creates network loops that flood down frames. STP removes loops as well as other evils of redundant link.

Layer 2 loop example



Above figure illustrates a simple layer 2 loop. In this network, LAN segment has two links to server.

Ø  Primary / Main Link (S1, S2, S3, S6)

Ø  Redundant / Backup Link (S1, S4, S5, S6)

Multiple layer 2 connections between LAN segment and server create following problems

ü  Broadcast Storms

ü  Duplicate Frame copies

ü  Unstable MAC Table

Before we dig these problems in more detail remember that a switch always floods three kinds of frames: unknown unicast, broadcast and multicast. 

Broadcast Storms

Assume that PC0 perform an ARP request to find the MAC address of Server. ARP (Address Resolution Protocol) uses broadcast method to locate the MAC address of device.

In this circumstance PC0 will generate single broadcast frame. Switch S1 will receive it from PC0. Switch S1 will flood this broadcast frame from all remaining ports except the incoming port.

Without any loop removing mechanism, switches will flood broadcasts endlessly throughout the network. This is known as broadcast storm. Next figure illustrates how a broadcast frame is continually being flooded throughout the network.



Endless Cycle One

PC0 => S1 => S2 => S3 => S6 => (Server and) S5 => S4 => S1 => (PC0 and) S2 => S3 …………..

Endless Cycle Two

PC0 => S1 => S4 => S5 => S6 => (Server and) S3 => S2 => S1 => (PC0 and) S4 => S5 …………..

Duplicate frame copies

In looped network, a device could receive duplicate copies of same frame from different switches. Assume that PC0 sends a unicast frame to Server. Switch floods unknown unicast from all of its ports, except the incoming port. Above figure demonstrates how the Server will receive duplicate copies of unicast frame simultaneously. Duplicate frame copies create additional overhead on the network.

Unstable MAC Table

When switch receives a frame, it checks source MAC address in frame and associate that interface with finding MAC address. Next time when switch receives a frame for this MAC address, it will forward that frame from this interface. These entries are stored in MAC Address Table. Switch uses MAC Address Table to forward the frame.  Looped network can make MAC Address Table unstable. For example, assume that PC0 sends a unicast frame to Server. Switch S6 receives this frame from two interfaces (interface connected to S3 and interface connected to S5). When it receives frame from S3, it associate PC0 MAC address with the interface that is connected with S3. Again when it receives same frame from S5, it think that location of PC0 has been changed and it would update the entry in MAC address table.

Same thing will happen again when it receives frame from switch S3 again. MAC address table would be totally confused about the PC0 location because the switch S6 is receiving the PC0’s frame from more than one link. Situation becomes bad to worse when switch stuck in constantly updating the MAC Address Table with source locations and fail to forward the frame. This is known as thrashing the MAC Table. 

STP is the answer of all issues explained above. STP was developed to solve each problem that is trigged due to layer two loops. Before we explain how the STP works, you need to be familiar with some basic terms of STP and their function within STP.

BPDU

BPDU (Bridge Protocol Data Unit) is a multicast frame that is used to share information about switch and its interface connections. Switches use BPDU to learn the network topology; other switches connections and any existing loops. BPDU frames are sent out as multicast in every two seconds.

Root Bridge

All decisions in STP are made from the perspective of Root Bridge. Switch with the lowest switch ID is selected as Root Bridge.  BPDU contains Switch ID. Switch ID is made from priority of the switch and MAC address of switch itself. Default priority is set to 32768. Switch with the lowest MAC address will be selected as the root switch, if you don’t change the default priority value.  You can override root selection process by changing the priority value. If you want one switch to be Root Bridge, change its priority value to less than 32768.

Selection process of Root Bridge runs each time a network change occurs like as adding new switch in topology, removing existing switch or Root Bridge failure. If other switches in network do not receive BPDUs from Root Bridge within 20 seconds, they assume that Root Bridge has failed and will begin a new election process to choose a new Root Bridge.

Non-Root Bridge

All other switches in network except Root Bridge are the non-root bridges. Non-root Bridge receives update from Root Bridge and updates its STP database.

Port Costs

STP assigns each port a cost, called port cost. Port cost is used to choose the best path when multiple links are available between two switches. Cost of port is determined by the bandwidth of connected media link. Switch always use lower port cost to forward the frames. Two set of port costs exist.





Bandwidth
Old Cost Value
New Cost Value
10  Gbps
1
2
1 Gbps
1
4
100 Mbps
10
19
10  Mbps
100
100



Some old series switches like Catalyst 1900 uses old cost value. Cisco already discontinued these old series switches. New series switches like 2960 uses new cost value. Lower cost value is always preferred over higher cost value while selecting link.



Path Costs

Path cost is an accumulated value of port costs from Root Bridge to other switches in network. It is always calculated from Root Bridge. Default path cost at Root Bridge is 0. BPDU contains path cost information. When Root Bridge advertises BPDU out from its interface, it set path costs to 0. When connected switch receives this BPDU, it increments path cost by adding the port cost value of its incoming port. For example if switch receives this BPDU on Gigabit interface then path cost would be 0 (Value it receive from Root Bridge) + 4 (port cost value, see above table) equal to 4. Now this switch will set path cost value to 4 in BPDU frame and forward it. Assume that next switch is connected with this switch and receives updated BPDU on fast Ethernet port. Path cost for new switch would be 23. Path costs value received in BPDU + Port cost (4+ 19 = 23).



Root Port

Root port is a port that is directly connected with the Root Bridge, or has the shortest path to the Root Bridge. Shortest path is path that has lowest path cost value. Remember that switch can go through many other switches to get the root. So it’s not always the shortest path but it is the fastest path that will be used.



Designated Port

Designated port is the port that is selected as having the lowest port cost. Designated port would be marked as forwarding port.



Non-Designated Port

Non-designated port is the port that is selected as having the higher port cost than the designated port. Non-designated port would be marked as blocking port.



Forwarding Port

Forwarding port is used to forward the frames.



Blocking Port

Blocking port remains disable to remove loops.



STP port states

Ports on switch running STP go through the five different states. During STP convergence, switches will move their root and designated ports through the various states: blocking, listening, learning, and forwarding, whereas any other ports will remain in a blocked state.

Blocking :- In blocking state, switch only listen and process BPDUs on its ports. Any other frames except BPDUs are dropped. In this state, switch try to find out which port would be root port, which ports would be designated ports and which ports would  remains in blocking state to remove loops. A port will remain in this state for twenty seconds. By default all ports are in blocking state, when we powered on the switch. Only root port and designated ports will move into next state. All remaining ports will remain in this state.



Listening :-  After twenty seconds, root port and designated ports will move into listening state. In this state ports still listen and process only BPDUs. All other frames except BPDUs are dropped. In this state switch will double check the layer 2 topology to make sure that no loops occur on the network before processing data frames. Ports remain in this state for fifteen seconds.



Learning :- Root port and designated ports enter in learning state from listening state. In this state ports still listen and process BPDUs. However, in this state ports start processing user frames. Switch examines source address in the frames and updates its MAC Address Table. Switch will not forward user frames to destination ports in this state. Ports stay in this state for fifteen seconds.



Forwarding :- In forwarding state, ports will listen and process BPDUs. In this state ports will also process user frames, update MAC Address Table and forward user traffic through the ports.



Disable :- Disable ports are manually shut down or removed from STP by an administrator. All unplugged ports also remain in disable state. Disable ports do not participate in STP.



Convergence

Convergence is a state where all ports on switch have transitioned to either forwarding or blocking modes. During the STP converging, all user data frames would be dropped.  No user data frame will be forwarded until convergence is complete.  Usually convergence takes place in fifty seconds (20 seconds of blocking state + 15 seconds of listing state + 15 seconds of learning state).



STP Operations



First thing a STP enable network do, is the election of Root Bridge.  Switches share BPDUs with each other to select the Root Bridge. Switch that has lowest priority will become root.  Default priority is set to 32768. If priority value is same then switch with lowest MAC address would be selected as root. In our network switch S3 has lowest MAC address. Since we did not change priority value, switch S3 would be chosen as Root Bridge.



ü  Every switch selects single port (that has shortest path cost) from all its ports and marked it as root port.

ü  If two switches have multiple connections, only single connection that has shortest path cost would be marked as designated port.

ü  Any port that is not either a root port or designated port would be blocked.  



Next figure show, how STP changes a physically looped topology in virtually looped free topology.



 show spanning-tree command



show spanning-tree command provides useful information about STP operation. This information could be divided in three subsets. First set contains information about Root Bridge. Second set contains information about switch itself. Third set lists active interfaces status those are participating in STP operation.



On Root Bridge first and second subset information would be same.



On non-root bridge first subset shows information about Root Bridge while second subset shows information about switch itself.

Priority value is a sum of default priority value and VLAN ID.





That’s all for this article. In next article I will explain another CCNA topic in detail with examples.




Switchport Port Security Explained With Examples


Port security features add additional layer of security in LAN network. It is used to secure the switch port. In this article we will explain port security with examples. We will illustrate how a switch locks down the ports based on MAC address to prevent unauthorized access. For demonstration purpose we will use packet tracer network simulator software. 

Port Security

Anyone can access unsecure network resources by simply plugging his host into one of our available switch ports. A user can also change his physical location in LAN network without telling the admin. You can secure layer two accesses as well as keep users in their tracks by using port security. Thus port security feature enhances the LAN security.

Create a simple topology as illustrate in following figure



Click PC0 and Click Desktop and Click IP Configuration and select Static from radio options and assign the IP address (10.0.0.10) and subnet mask (255.0.0.0)



Follow same process to assign IP address (10.0.0.20) and subnet mask (255.0.0.0) to PC1.



Click Server0 and click Desktop and click IP Configuration and select Static from radio options and assign IP address (10.0.0.100) and subnet mask (255.0.0.0)



That’s all initial configuration we need to demonstrate the port security.

How to configure port security

To configure port security we need to access the command prompt of switch. Click Switch and click CLI and press Enter Key.


Port can be secure from interface mode. Use enable command to move in Privilege Exec mode. From Privilege Exec mode use configure terminal command to enter in Global Configuration mode. From global configuration mode enter in specific interface.



Port security feature will not work on three types of ports.

1.      Trunk ports

2.      Ether channel ports

3.      Switch port analyzer ports

Port security will work on host port. In order to configure port security we need to set it as host port. It could be done easily by switchport mode access command. You can secure trunk connections with port security but that is beyond the scope of this article. I will cover them in CCNP section.

Following figure illustrates available commands for port security.



How to enable switchport port-security

Port security is disabled by default. switchport port-security command enables it.

switchport port-security limit maximum number of hosts

According to our requirements we can limit hosts that can be associated with an interface. We can set this limit anywhere from 1 to 132. Maximum number of devices that can be associated with the interface is 132. By default it is set to 1. switchport port-security maximum value command will set the maximum number of hosts.

switchport port-security mac address

We have two options static and dynamic to associate mac address with interface.

In static method we have to manually define exact host mac address with switchport port-security mac-address MAC_address command. This is the most secure method but it needs a lot of manual works. We need to enter all mac addresses manually that is too much tedious job.

In dynamic mode we use sticky feature that allows interface to learn mac address automatically. Interface will learn mac addresses until it reaches maximum number of allowed hosts. 

switchport port-security violation

We need to specify what action; it should take in security violation. Three possible modes are available:

Protect: - This mode will only work with sticky option. In this mode frames from non-allowed address would be dropped. It will not make log entry for dropped frames. Interface will learn address until it reach maximum allowed number. Any additionally learned addresses would be dropped while keeping interface operational.



Restrict: - In restrict mode frames from non-allowed address would be dropped. But in this mode, switch will make a log entry and generate a security violation alert.



Shutdown: - In this mode switch will generate the violation alert and disable the port. Only way to re-enable the port is to manually enter no shutdown command. This is the default violation mode.



switchport port security example

In our topology PC0 is connected with F0/1 port of switch. Enter following commands to secure F0/1 port.




Switchport port security explained



Command
Description

Switch>enable

Move in privilege exec mode
Switch#configure terminal

Move in global configuration mode
Switch(config)#interface fastethernet 0/1

Move in interface mode
Switch(config-if)#switchport mode access

Assign port as host port
Switch(config-if)#switchport port-security

Enable port security feature on this port
Switch(config-if)#switchport port-security maximum 1

Set limit for hosts that can be associated with interface. Default value is 1. Skip this command to use default value.

Switch(config-if)#switchport port-security violation shutdown

Set security violation mode. Default mode is shutdown. Skip this command to use default mode.
Switch(config-if)#switchport port-security mac-address sticky

Enable sticky feature.



We have successfully secured F0/1 port of switch. We used dynamic address learning feature of interface. Switch will associate first learned mac address (on interface F0/1) with this port. You can check MAC Address table for currently associated address.






So far no mac address is associated with F0/1 port. Switch learns mac address from incoming frames. Check our following article to learn, how a switch learn mac address or how it build MAC address table.



We need to generate frame from PC0 that would be receive on F0/1 port of switch. ping command is used to test the connectivity between two hosts. In our scenario we have connectivity between server and pc. We can use this utility to generate frames from PC0.




To access command prompt of PC0 click PC0 and click Desktop menu item and click Command Prompt. Use ping command to generate frames.

 

Now check again the MAC Address table on switch.



One interesting thing that you may notice here is the type. Switch learns this address dynamically but it is showing as STATIC. This is the magic of sticky option, which we used with port security command. Sticky option automatically converts dynamically learned address in static address.



Switchport port security testing

 


In our topology we have one additional PC. Assume that, this is the cracker’s PC. To gain unauthorized access in network he unplugged the Ethernet cable from pc (PC0) and plugged in his pc (PC1).


Click red x button on the right hand partition of packet tracer window and place the X over the connection between Switch and PC0. This will remove the connection.



Click lightning bolt button on the bottom left-handed corner and click copper straight –through connection.



Click PC1 and select FastEthernet port. Next click Switch and select the same F0/1 port.

From the command prompt of PC1 try to ping the Server IP.





What happened this time? Why ping command did not get response from server? Because switch detected the mac address change and shutdown the port.



Verify port security



We have three commands to verify the port security



show port-security



This command displays port security information about all the interfaces on switch.



show port-security address



Display statically defined or dynamically learned address with port security.



show port-security interface interface



Display port security information about the specific interface.




 How to reset an interface that is disabled due to violation of port security



When an interface is down due to port security violation, we have two options to bring it back. First is following global configuration mode command



Switch(config)# errdisable recovery cause psecure-violation



This command neither includes in CCNA exam nor available in packet tracer.

Second option is manually restart the interface. Unplugged cable from unauthorized pc and plugged back it to authorized pc.

 



Run following commands on switch and test connectivity from pc