5.4 Spanning Tree


There is a flaw in the design of the access to the core network we are building: the access switches all have two connections to the core switches. If the network devices were talking Layer 3, this would be no problem, but of course, the switches are speaking Layer 2. This means that they cannot use dynamic routing protocols to determine the best path. Why is this a problem?

Figure 5.6 shows a typical network scenario in which a user at a workstation needs to reach a departmental server connected to a different switch. Because redundancy has been implemented in the core of the network, the access switch has two paths to the core switches, so a packet bound for the server can go through Core 1 or Core 2, either of which can forward it to the destination switch. When the workstation sends a packet to the server, both Core 1 and Core 2 receive it and forward it on to the server's switch. Each core switch then sees the packet arriving from the other core switch and concludes that the workstation is directly attached to that other core. When the response comes back from the server's switch, Core 1 and Core 2 will each attempt to forward it to the other core switch, creating a routing loop. Some packets will manage to travel from workstation to server, but most will not.

Figure 5.6. A redundant switched network can cause problems if not properly configured


In a large network, this type of routing loop can cause a broadcast storm, which is capable of making the network unavailable.

The Spanning Tree Protocol (STP) helps remove these types of routing loops on redundant Layer 2 networks. STP, a standard defined by the IEEE as 802.1D, creates a series of active and inactive ports on the switches. Traffic is forwarded only through the active ports, while the inactive ports listen for a failure so they can take over.

STP determines which ports will be active and which will be inactive by using the spanning tree algorithm (STA). The STA selects a base of operations, called the root bridge, and calculates all of the paths on the network relative to that root bridge. From this, STP is able to determine the best way for data to travel throughout the network.

When a switch is first added to the network, it assumes it is the root bridge and sets its identification, called the bridge ID, equal to the root bridge ID. The bridge ID is a combination of two numbers: the 16-bit priority, which is configured by default to be 32768 on most switches (Cisco, Foundry, Nortel, Bay Networks, Extreme, etc.), and the 48-bit MAC address. The switch sends this information to the rest of the switches in the network using a message format called the bridge protocol data unit (BPDU). The switch with the lowest bridge ID becomes the root bridge in the network: the priority is compared first, and the MAC address breaks ties between switches with the same priority.

Once a root bridge has been selected, all switches participating in STP listen on all ports for BPDU messages. If the switch receives BPDU messages on multiple ports, it will choose the port with the lowest cost to the root bridge to be the active port; the other ports will go into standby mode. If multiple ports have the same cost to the root bridge, then the port with the lowest port ID will be chosen as the active port.
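The election and root-port selection just described can be worked through on a small topology. The following Python is an added example, not code from the book; it models a dual-homed access layer like Figure 5.6 with constructed bridge priorities, MAC addresses, port numbers and link costs (the costs use the 802.1D defaults of 19 for 100 Mb/s and 4 for 1 Gb/s links), elects the root from the (priority, MAC) bridge ID, computes each switch's lowest cost to the root, and picks the root port, breaking equal-cost ties on the lowest port ID.

```python
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int  # 16-bit bridge priority, 32768 by default on most switches
    mac: str       # 48-bit MAC address as colon-separated hex

    @property
    def bridge_id(self):
        # The bridge ID compares as (priority, MAC): priority is the high-order
        # part, so the MAC only decides ties between equal priorities.
        return (self.priority, int(self.mac.replace(":", ""), 16))


def elect_root(bridges):
    """The bridge with the numerically lowest bridge ID becomes the root."""
    return min(bridges, key=lambda b: b.bridge_id)


def build_adjacency(links):
    """links: (bridge_a, port_a, bridge_b, port_b, cost); both ends are recorded."""
    adj = {}
    for a, pa, b, pb, cost in links:
        adj.setdefault(a, []).append((pa, b, cost))
        adj.setdefault(b, []).append((pb, a, cost))
    return adj


def root_path_costs(adj, root_name):
    """Lowest total path cost from every bridge to the root (Dijkstra)."""
    dist = {root_name: 0}
    heap = [(0, root_name)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for _port, nbr, cost in adj.get(node, []):
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                heapq.heappush(heap, (nd, nbr))
    return dist


def root_port(bridge_name, adj, dist):
    """Port with the lowest cost to the root; equal costs are broken by the
    lowest port ID. Returns (port, cost), or None for the root bridge itself."""
    if dist.get(bridge_name) == 0:
        return None
    candidates = [(cost + dist[nbr], port)
                  for port, nbr, cost in adj[bridge_name] if nbr in dist]
    cost, port = min(candidates)
    return port, cost


# Constructed sample topology modelled on Figure 5.6: two core switches, each
# access switch dual-homed. Names, MACs, ports and priorities are invented.
SAMPLE_BRIDGES = [
    Bridge("Core1", 4096, "00:1b:2c:aa:bb:01"),
    Bridge("Core2", 8192, "00:1b:2c:aa:bb:02"),
    Bridge("Access1", 32768, "00:1b:2c:00:00:a1"),
    Bridge("Access2", 32768, "00:1b:2c:00:00:a2"),
    Bridge("Access3", 32768, "00:1b:2c:00:00:a3"),
]
SAMPLE_LINKS = [
    ("Core1", 1, "Core2", 1, 4),
    ("Access1", 1, "Core1", 10, 19),
    ("Access1", 2, "Core2", 10, 19),
    ("Access2", 1, "Core1", 11, 19),
    ("Access2", 2, "Core2", 11, 19),
    ("Access3", 1, "Core1", 12, 19),  # two parallel links to the same core:
    ("Access3", 2, "Core1", 13, 19),  # equal cost, so the port ID decides
]


def compute_topology(bridges=SAMPLE_BRIDGES, links=SAMPLE_LINKS):
    """Returns (root bridge name, {bridge name: (root port, cost) or None})."""
    root = elect_root(bridges)
    adj = build_adjacency(links)
    dist = root_path_costs(adj, root.name)
    return root.name, {b.name: root_port(b.name, adj, dist) for b in bridges}


if __name__ == "__main__":
    root, ports = compute_topology()
    print("root bridge:", root)
    for name, rp in ports.items():
        print(f"  {name}: root port {rp}")
```

Running it elects Core1 (priority 4096), gives Core2 root port 1 at cost 4, and gives every access switch port 1 at cost 19; Access3's two equal-cost links are resolved to port 1 purely by port ID. Lowering one bridge's priority in SAMPLE_BRIDGES and rerunning shows how completely a single priority value decides the election, which is the property section 5.4.1 is concerned with.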

5.4.1 Spanning Tree Security

One problem is that there is no inherent security in STP. An attacker who is able to gain physical access to a network could plug a switch into the network, configure it to join an STP group, and force it to be the root bridge, thus controlling the flow of traffic on the network and being able to sniff all traffic that comes into the interloping switch.

STP is also an all or nothing protocol. It has to be enabled for all ports or none. This only serves to make it easier for the attacker described in the previous example to take over a switched network. The attacker does not even have to guess which ports are activated for STP (unlike VLANs, which are configured on a per-port basis), because they all are.

The lack of any security precautions inherent in STP has forced vendors to develop their own security enhancements to STP. While it is good that vendors are taking a proactive response, it also means that one vendor's version of STP may not be implemented the same way as other vendors'.

For example, Cisco Root Guard prevents other switches in the network from becoming the root bridge, unless the designated root bridge fails. Root Guard allows a network administrator to keep the network intact while still providing failover. Root Guard is built into all Cisco switches that support STP. Root Guard configuration is relatively simple: decide which port should be the bridge root, and declare it to be guarded. You can even select a port that is not currently the root bridge. To make this configuration on a Cisco switch running CatOS, use the following command:

    core1> (enable) set spantree guard root 1/24
    Rootguard on port 1/24 is enabled.
    Warning!! Enabling rootguard may result in a topology change.
    core1> (enable)

If the switch is running Cisco IOS, the commands are:

    Core1(config)#interface fastEthernet 0/12
    Core1(config-if)#spanning-tree rootguard
    Core1(config-if)#^Z
    *Mar 15 20:15:16: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Rootguard enabled on port FastEthernet0/12 VLAN 1.
    Core1#

There are a number of vendor-specific enhancements that will make STP safer to run on switched networks. As long as a network is homogeneous, it is a good idea to refer to vendor documentation to determine what type of STP security you can apply to the access and core layers.
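To show what Root Guard actually decides when a BPDU arrives, here is an added example in Python; it is not code from the book or from Cisco. It packs and parses the 35-byte 802.1D configuration BPDU (protocol ID, version, type, flags, root ID, root path cost, sender bridge ID, port ID and the four timers, with each 8-byte ID being the 2-byte priority plus 6-byte MAC described in section 5.4), then applies the rule Root Guard enforces: a guarded port that hears a BPDU claiming a better root than the known one is held root-inconsistent instead of accepting the new root. The bridge IDs, port names and the "unknown switch with priority 0" BPDU are constructed sample data.

```python
import struct

# 802.1D configuration BPDU (the 35 bytes after the LLC header), big-endian:
# protocol ID, version, BPDU type, flags, root ID, root path cost, sender
# bridge ID, port ID, message age, max age, hello time, forward delay.
BPDU_FMT = ">HBBB8sI8sHHHHH"
BPDU_LEN = struct.calcsize(BPDU_FMT)  # 35
CONFIG_BPDU = 0x00


def pack_bridge_id(priority, mac):
    """8-byte bridge ID: 2-byte priority followed by the 6-byte MAC."""
    return struct.pack(">H", priority) + bytes.fromhex(mac.replace(":", ""))


def unpack_bridge_id(raw8):
    priority = struct.unpack(">H", raw8[:2])[0]
    return priority, raw8[2:].hex(":")


def bid_key(bridge_id):
    """Ordering STP uses: lower priority wins, then lower MAC."""
    priority, mac = bridge_id
    return priority, int(mac.replace(":", ""), 16)


def build_config_bpdu(root, root_path_cost, sender, port_id):
    """Constructed BPDU; timers are the 802.1D defaults (20 s max age,
    2 s hello, 15 s forward delay) in 1/256-second units."""
    return struct.pack(BPDU_FMT, 0x0000, 0x00, CONFIG_BPDU, 0x00,
                       pack_bridge_id(*root), root_path_cost,
                       pack_bridge_id(*sender), port_id,
                       0, 20 * 256, 2 * 256, 15 * 256)


def parse_config_bpdu(raw):
    if len(raw) < BPDU_LEN:
        raise ValueError("truncated BPDU")
    (proto, _version, btype, flags, root_id, cost, bridge_id, port_id,
     _age, max_age, _hello, _fwd_delay) = struct.unpack(BPDU_FMT, raw[:BPDU_LEN])
    if proto != 0 or btype != CONFIG_BPDU:
        raise ValueError("not an 802.1D configuration BPDU")
    return {
        "root": unpack_bridge_id(root_id),
        "root_path_cost": cost,
        "sender": unpack_bridge_id(bridge_id),
        "port_id": port_id,
        "flags": flags,
        "max_age_s": max_age / 256,
    }


def root_guard_decision(current_root, raw_bpdu, guarded):
    """Root Guard rule: on a guarded port, a BPDU advertising a better (lower)
    root than the one we know is not accepted. Returns 'forward' when the
    BPDU is consistent with the current root, or 'root-inconsistent' when the
    port must be held out of forwarding until the superior BPDUs stop."""
    bpdu = parse_config_bpdu(raw_bpdu)
    superior = bid_key(bpdu["root"]) < bid_key(current_root)
    if guarded and superior:
        return "root-inconsistent"
    return "forward"


# Constructed sample: the legitimate root and an unknown switch that announces
# itself as root with priority 0 (the lowest possible bridge ID prefix).
KNOWN_ROOT = (4096, "00:1b:2c:aa:bb:01")
LEGIT_BPDU = build_config_bpdu(KNOWN_ROOT, 0, KNOWN_ROOT, 0x8001)
UNKNOWN_ROOT = (0, "00:00:00:00:00:01")
UNKNOWN_BPDU = build_config_bpdu(UNKNOWN_ROOT, 0, UNKNOWN_ROOT, 0x8001)


def audit_port(port_name, raw_bpdu, guarded, current_root=KNOWN_ROOT):
    """One log-style line per received BPDU, for the monitoring side."""
    bpdu = parse_config_bpdu(raw_bpdu)
    decision = root_guard_decision(current_root, raw_bpdu, guarded)
    return (f"{port_name}: BPDU from {bpdu['sender'][1]} claims root "
            f"{bpdu['root'][0]}/{bpdu['root'][1]} -> {decision}")


if __name__ == "__main__":
    print(audit_port("Fa0/12 (guarded)", LEGIT_BPDU, guarded=True))
    print(audit_port("Fa0/12 (guarded)", UNKNOWN_BPDU, guarded=True))
    print(audit_port("Fa0/13 (unguarded)", UNKNOWN_BPDU, guarded=False))
```

The third line of output is the point of the chapter's warning: without the guard, the same BPDU is simply accepted and the unknown switch becomes root. Because the rule looks only at the root ID carried in the BPDU, the example also shows why the guard belongs on every port where a root should never appear, which matches the all-or-nothing nature of STP noted above.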



The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Authors: Allan Liska
