I have been preparing for the Cisco CCNA Security Exam, and wanted to see if it is actually possible to make a poorly configured switch create a switching loop even if BPDU Guard was enabled on the access switch. If the rogue switch filters all the BPDU packets.
I’ll pretend the 48 port Cisco 2960g is an access layer switch, with ports 0 – 44 configured as access ports, with usual security practises for access ports. First I’ll enable DHCP Snooping, then I’ll put them in access mode (no trunking), and enable portfast and bpduguard:
enable configure terminal ip dhcp snooping interface range g0/1 - 44 ip dhcp snooping limit rate 20 spanning-tree portfast spanning-tree bpduguard enable switchport mode access switchport access vlan 25 no shut
Then you will also need to make the port where the DHCP server is connected a trusted port:
enable configure terminal interface Port-channel 1 ip dhcp snooping trust
Also make sure the DHCP server is on the same VLAN as the access port is set to use, or use DHCP forwarding on a router to allow those devices to get addresses on that VLAN.
That takes care of a few basic security settings. Portfast will skip the listening and learning states. This is usually beneficial for clients using DHCP, because they can discover their address right away. BPDUGuard will prevent a switch from disrupting the spanning-tree protocol, by becoming a new root bridge. This would cause all the links between switches to be down for up to 30s (15s per listening, and blocking modes by default), unless rapid STP was enabled (with spanning-tree mode rapid-pvst), which would reduce that a bit. Now we need to goto the rogue switch, and tell it to drop not send out any BPDU packets (if it did, the access switch would disable the port).
I have ports G0/1, and F0/8 connected from the rogue switch to the access switch.
enable configure terminal no spanning-tree vlan 1 interface g0/1 switchport mode access switchport access vlan 1 spanning-tree bpdufilter enable exit interface f0/8 switchport mode access switchport access vlan 1 spanning-tree bpdufilter enable exit
Then send out a broadcast ping, and you will find a broadcast storm actually occurs. While trying this, I didn’t have the bpdufilter enabled at first, and the access switch quickly disabled the port. To stop the loop/storm, just disable one of the ports, or pull one of the cables to break the loop. This brings up another useful security feature on the Cisco switches, Storm Control. I’ll go back to the access switch, and enable that feature:
enable configure terminal interface range g0/1-44 storm-control broadcast level 20
I typed that command in during a broadcast storm caused by the switching loop, and as soon as I hit enter, the storm ended. The command will drop all broadcast traffic if the broadcast traffic reaches a level of 20% of the traffic on the port. It could also be set in packets per second, or bits per second. There you have it, you can accidentally/intentionally create a switching loop. By using storm-control you can stop the issue from escalating too much. Just remember to use BPDU filter carefully.
Since I’m studying for an exam, I’ll touch on three more features, two utilize the DHCP snooping database to prevent attackers from wreaking havoc on a network. First there is DAI – Dynamic ARP Inspection, which compares incoming ARP packets against the DHCP snooping database, to verify that the IP address and MAC Address match. This feature would stop someone from overflowing the CAM table (and so would port security). It also allows the administrator to specify a maximum rate of ARP packets to allow in. Second there is IP Source Guard, which is very similar to DAI, except it looks at all of the packets source MAC addresses, where as DAI only watches ARP Packets. Thirdly there is Port Security. Port security in many cases would prevent a rogue switch from causing a broadcast storm, in addition to CAM table overflow attacks. During a broadcast storm caused by a rogue switch, all of the broadcast packets should be looping through that switch, and chances are there will eventually be more than one source mac address in that loop, which port-security would notice, and shutdown the port. I’m only going to enable IP Source Guard, (not both IP Source Guard and DAI), and port security. To do this type:
enable configure terminal interface range g0/1 - 44 switchport port-security violation protect switchport port-security maximum 3 switchport port-security mac-address sticky ip verify source port-security
A few notes on some options for the above. The switchport port-security violation command has 4 options: protect Drops the packets from the unlisted source address, and allows the rest of the traffic through restrict Drops the packets from the unlisted source address, and allows the rest of the traffic through, plus generates log messages shutdown Shuts the port down
Since I had these switches up and running, the other thing I wanted to try, is link aggregation between a Netgear M4100, and a Cisco 2960g. It turns out that is ridiculously easy. In this example, I have ports 25 and 26 on the Netgear switch wired to ports 45 and 46 on the 2960g. On the cisco IOS console, type:
enable configure terminal interface range g0/45 - 46 channel-group 1 mode active exit exit
That puts ports 45 and 46 into channel group 1. The word active sets the interfaces to negotiate the link aggregation protocol using LACP which is standardized, as opposed to PAgP, which is a Cisco proprietary protocol. The on the Netgear Switch, it is very similar:
configure interface 0/25-0/26 addport lag 1
That’s it, now you can unplug one of the cables, and the link will stay up, and it will do some load-balancing.
While I have these switches, I thought I would take some photos of the inside. The 2960g access layer switch
The 2960PD, which is pretty cool, it has no power supply, and runs on power supplied via POE. Unfortunately it does not have POE pass through like the Ubiquiti Nano Switch, but it is managed.