CCN-Lab 7


FATIMA JINNAH WOMEN UNIVERSITY

Department Of Software Engineering

LAB 7
Summary:
Items                Description
Course Title         Computer Communication and Networks
Lab Title            Switching (Switch Port Security & Spanning Tree Protocol)
Duration             3 Hours
Operating System     Windows 7
Tool/Language        Cisco Packet Tracer Software
Objective            Switchport Security

Port Security
By default, all interfaces on a Cisco switch are turned on. That means an attacker could connect to
your network through a wall socket and potentially threaten it. If you know which devices will be
connected to which ports, you can use the Cisco security feature called port security. With port
security, a network administrator associates specific MAC addresses with an interface, which prevents
an attacker from connecting his own device. This way you can restrict access to an interface so that
only authorized devices can use it. If an unauthorized device is connected, you can decide what action
the switch will take, for example discarding the traffic and shutting down the port.

To configure port security, three steps are required:

1. Define the interface as an access interface by using the switchport mode access interface
   subcommand.
2. Enable port security by using the switchport port-security interface subcommand.
3. Define which MAC addresses are allowed to send frames through this interface, either by using
   the switchport port-security mac-address MAC_ADDRESS interface subcommand or by using
   the switchport port-security mac-address sticky interface subcommand to dynamically learn the
   MAC address of the currently connected host.

Two steps are optional:

1. Define what action the switch will take when receiving a frame from an unauthorized device by
   using the switchport port-security violation {protect | restrict | shutdown} interface subcommand.
   All three options discard the traffic from the unauthorized device. The restrict and shutdown
   options also send a log message when a violation occurs, and shutdown mode additionally shuts
   down the port.
2. Define the maximum number of MAC addresses that can be used on the port by using
   the switchport port-security maximum NUMBER interface subcommand.

switchport port-security mac-address

There are two options, static and dynamic, for associating a MAC address with an interface.

In the static method we have to manually define the exact host MAC address with the switchport
port-security mac-address MAC_address command. This is the most secure method, but it needs a lot of
manual work: every MAC address has to be entered by hand, which is a tedious job.
In dynamic mode we use the sticky feature, which allows the interface to learn MAC addresses
automatically. The interface will learn MAC addresses until it reaches the maximum number of allowed hosts.
switchport port-security violation
We need to specify what action the switch should take on a security violation. Three possible modes are
available:
Protect: - This mode will only work with the sticky option. In this mode frames from a non-allowed
address are dropped. It does not make a log entry for dropped frames. The interface will learn addresses
until it reaches the maximum allowed number; frames from any additional addresses are dropped while the
interface stays operational.
Restrict: - In restrict mode frames from a non-allowed address are dropped, but in this mode the switch
also makes a log entry and generates a security violation alert.
Shutdown: - In this mode the switch generates the violation alert and disables the port. The only way to
re-enable the port is to manually enter the no shutdown command. This is the default violation mode.
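As an added example (not part of the lab manual), here is a small Python model of the behaviour just described: sticky learning up to the configured maximum, then the protect, restrict and shutdown violation modes. The MAC addresses and the log line formats are constructed for the example.

```python
class SecurePort:
    """Model of one access port with port security (added example, not IOS code).
    Log lines are constructed approximations of the IOS syslog messages."""

    def __init__(self, name, maximum=1, violation="shutdown", sticky=True):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation must be protect, restrict or shutdown")
        self.name, self.maximum, self.violation, self.sticky = name, maximum, violation, sticky
        self.secure_macs = set()    # static entries plus sticky-learned entries
        self.err_disabled = False   # True after a violation in shutdown mode
        self.violation_count = 0    # 'Security Violation Count' in show port-security
        self.log = []

    def add_static_mac(self, mac):
        """switchport port-security mac-address MAC"""
        if len(self.secure_macs) >= self.maximum:
            raise ValueError(f"{self.name}: maximum of {self.maximum} secure addresses reached")
        self.secure_macs.add(mac.lower())

    def receive(self, src_mac):
        """Handle one inbound frame; return True if forwarded, False if dropped."""
        mac = src_mac.lower()
        if self.err_disabled:           # port stays down until 'no shutdown'
            return False
        if mac in self.secure_macs:
            return True
        if self.sticky and len(self.secure_macs) < self.maximum:
            self.secure_macs.add(mac)   # sticky: learned and kept in running-config
            return True
        # Unknown source beyond the maximum: every mode drops the frame
        if self.violation == "protect":
            return False                # silent drop, no log, counter untouched
        self.violation_count += 1
        self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: {mac} on {self.name}")
        if self.violation == "shutdown":
            self.err_disabled = True    # err-disabled: even the secure host is cut off
            self.log.append(f"%PM-4-ERR_DISABLE: psecure-violation on {self.name}")
        return False

    def no_shutdown(self):
        """Administrator re-enables an err-disabled port."""
        self.err_disabled = False


def lab_scenario(violation):
    """PC1 is sticky-learned on Fa0/1, then a second host shows up on the same port."""
    port = SecurePort("Fa0/1", maximum=1, violation=violation)
    seen = [port.receive("0001.4242.AAAA"),   # PC1 (constructed MAC): learned, forwarded
            port.receive("0001.9999.BBBB"),   # second host: dropped in every mode
            port.receive("0001.4242.AAAA")]   # PC1 again: fails only if the port was shut
    return port, seen
```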

Addressing Table:

Device   Interface   IP address    Subnet Mask
S1       VLAN 1      NIL
PC 1     FA0/1       10.10.10.10   255.255.255.0
PC 2     FA0/2       10.10.10.11   255.255.255.0
BSE      FA0/3       10.10.10.12   255.255.255.0

Lab Task: Implement switchport security for different workstations based on the above study.

Part 1: Configure Port Security

a. Access the command line for S1 and enable port security on FA0/1 and FA0/2.
b. Set the maximum so that only 1 device can access these ports.
c. Secure the ports so that the MAC address of a device is dynamically learned and added to the
   running configuration.
d. Set the violation mode so that the Fast Ethernet ports 0/1 and 0/2 are not disabled when a violation
   occurs, but packets from the unknown source are dropped.
e. Disable the running unused ports. Hint: use the range keyword to apply this configuration to all
   the ports simultaneously.

Part 2: Verify Port Security

a. From PC1, ping PC2.
b. Verify that port security is enabled and that the MAC addresses of PC1 and PC2 were added to the
   running configuration.
c. Attach the BSE laptop to any unused switch port and notice that the link lights are red.
d. Enable this port by using the no shutdown command and ping PC1 from the BSE laptop.

Switch>enable
Switch#configure terminal
Switch(config)#interface range fastEthernet 0/1-2
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport port-security ?
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
<cr>
Switch(config-if-range)#switchport port-security
Switch(config-if-range)#switchport port-security maximum 1
Switch(config-if-range)#switchport port-security mac-address sticky
Switch(config-if-range)#switchport port-security violation restrict
Switch(config-if-range)#end

Switch#configure terminal
Switch(config)#interface range fastEthernet 0/3-24
Switch(config-if-range)#shutdown
Switch(config-if-range)#end

Switch#show running-config

Switch#show port-security

Switch#show port-security interface fa0/1

1- PORT SECURITY VIOLATION (shutdown)

Switch#configure terminal
Switch(config)#interface fastEthernet 0/1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#end
Switch#show port-security interface fa0/1

2- PORT SECURITY VIOLATION (restrict)

Switch#configure terminal
Switch(config)#interface fastEthernet 0/1
Switch(config-if)#switchport port-security violation restrict
Switch(config-if)#end
Switch#show port-security interface fa0/1

3- PORT SECURITY VIOLATION (protect)

Switch#configure terminal
Switch(config)#interface fastEthernet 0/1
Switch(config-if)#switchport port-security violation protect
Switch(config-if)#end
Switch#show port-security interface fa0/1

STP - Spanning Tree Protocol

Learn STP features (BPDU, Root Bridge, Port Costs and Path Costs), STP ports and states (Designated,
Non-Designated, Blocking, Listening, Learning, Forwarding, Disabled and Convergence) and STP functions
(removing layer 2 loops, duplicate frames and broadcast storms) in detail with examples.

For backup purposes we usually create redundant links. Redundant links are extremely useful in
preventing a situation where the entire network goes down because of a single link failure. With all of
its advantages, a redundant link is a double-edged sword: it creates network loops that flood the network
with frames. STP removes loops as well as the other evils of redundant links.

Layer 2 loop example

The above figure illustrates a simple layer 2 loop. In this network, the LAN segment has two links to the
server:

1. Primary / Main Link (S1, S2, S3, S6)
2. Redundant / Backup Link (S1, S4, S5, S6)

Multiple layer 2 connections between the LAN segment and the server create the following problems:

- Broadcast storms
- Duplicate frame copies
- Unstable MAC table

Before we dig into these problems in more detail, remember that a switch always floods three kinds of
frames: unknown unicast, broadcast and multicast.

Broadcast Storms

Assume that PC0 performs an ARP request to find the MAC address of the Server. ARP (Address Resolution
Protocol) uses broadcast to locate the MAC address of a device.

In this case PC0 generates a single broadcast frame. Switch S1 receives it from PC0 and floods this
broadcast frame out of all remaining ports except the incoming port.

Without any loop removal mechanism, the switches will flood broadcasts endlessly throughout the
network. This is known as a broadcast storm. The next figure illustrates how a broadcast frame is
continually flooded throughout the network.

Endless Cycle One

PC0 => S1 => S2 => S3 => S6 => (Server and) S5 => S4 => S1 => (PC0 and) S2 => S3 .......

Endless Cycle Two

PC0 => S1 => S4 => S5 => S6 => (Server and) S3 => S2 => S1 => (PC0 and) S4 => S5 .......

Duplicate frame copies

In a looped network, a device can receive duplicate copies of the same frame from different switches.
Assume that PC0 sends a unicast frame to the Server. A switch floods an unknown unicast out of all of its
ports except the incoming port. The above figure demonstrates how the Server receives duplicate copies
of the unicast frame simultaneously. Duplicate frame copies create additional overhead on the network.

Unstable MAC Table

When a switch receives a frame, it checks the source MAC address in the frame and associates that MAC
address with the interface on which the frame arrived. The next time the switch receives a frame destined
for this MAC address, it forwards the frame out of this interface. These entries are stored in the MAC
Address Table, which the switch uses to forward frames. A looped network can make the MAC Address Table
unstable. For example, assume that PC0 sends a unicast frame to the Server. Switch S6 receives this frame
on two interfaces (the interface connected to S3 and the interface connected to S5). When it receives the
frame from S3, it associates PC0's MAC address with the interface connected to S3. When it then receives
the same frame from S5, it thinks that the location of PC0 has changed and updates the entry in the MAC
Address Table.

The same thing happens again when it receives the frame from switch S3 once more. The MAC Address Table
becomes totally confused about PC0's location because switch S6 is receiving PC0's frames over more than
one link. The situation goes from bad to worse when the switch gets stuck constantly updating the MAC
Address Table with source locations and fails to forward the frame. This is known as thrashing the MAC
Table.

STP is the answer to all the issues explained above. STP was developed to solve each problem that is
triggered by layer two loops. Before we explain how STP works, you need to be familiar with some basic
STP terms and their function within STP.

BPDU

A BPDU (Bridge Protocol Data Unit) is a multicast frame that is used to share information about a switch
and its interface connections. Switches use BPDUs to learn the network topology, the connections of other
switches and any existing loops. BPDU frames are sent out as multicast every two seconds.

Root Bridge

All decisions in STP are made from the perspective of the Root Bridge. The switch with the lowest switch
ID is selected as the Root Bridge. The BPDU contains the switch ID, which is made from the priority of the
switch and the MAC address of the switch itself. The default priority is 32768. If you don't change the
default priority value, the switch with the lowest MAC address will be selected as the root switch. You
can override the root selection process by changing the priority value: if you want a particular switch
to be the Root Bridge, change its priority to less than 32768.

The Root Bridge selection process runs each time a network change occurs, such as adding a new switch to
the topology, removing an existing switch, or a Root Bridge failure. If the other switches in the network
do not receive BPDUs from the Root Bridge within 20 seconds, they assume that the Root Bridge has failed
and begin a new election to choose a new Root Bridge.

Non-Root Bridge

All switches in the network other than the Root Bridge are non-Root Bridges. A non-Root Bridge receives
updates from the Root Bridge and updates its STP database.

Port Costs

STP assigns each port a cost, called the port cost. The port cost is used to choose the best path when
multiple links are available between two switches. The cost of a port is determined by the bandwidth of
the connected media link; the switch always uses the lower port cost to forward frames. Two sets of port
costs exist:

Bandwidth   Old Cost Value   New Cost Value
10 Gbps     1                2
1 Gbps      1                4
100 Mbps    10               19
10 Mbps     100              100

Some old series switches like the Catalyst 1900 use the old cost values. Cisco has already discontinued
these old series switches. New series switches like the 2960 use the new cost values. A lower cost value
is always preferred over a higher cost value when selecting a link.

Path Costs

Path cost is an accumulated value of port costs from the Root Bridge to the other switches in the network.
It is always calculated from the Root Bridge, and the default path cost at the Root Bridge is 0. The BPDU
contains the path cost information. When the Root Bridge advertises a BPDU out of its interface, it sets
the path cost to 0. When the connected switch receives this BPDU, it increments the path cost by adding
the port cost value of its incoming port. For example, if a switch receives this BPDU on a Gigabit
interface, the path cost is 0 (the value received from the Root Bridge) + 4 (the port cost value, see the
table above) = 4. This switch now sets the path cost value to 4 in the BPDU frame and forwards it. Assume
that the next switch is connected to this switch and receives the updated BPDU on a Fast Ethernet port.
The path cost for the new switch is 23: the path cost value received in the BPDU + the port cost
(4 + 19 = 23).

Root Port

The root port is the port that is directly connected to the Root Bridge, or that has the shortest path to
the Root Bridge. The shortest path is the path with the lowest path cost value. Remember that a switch can
go through many other switches to get to the root, so it is not always the shortest path in hops but the
fastest (lowest-cost) path that is used.

Designated Port

The designated port is the port that is selected as having the lowest port cost. A designated port is
marked as a forwarding port.

Non-Designated Port

The non-designated port is the port that is selected as having a higher port cost than the designated
port. A non-designated port is marked as a blocking port.

Forwarding Port

A forwarding port is used to forward frames.

Blocking Port

A blocking port remains disabled in order to remove loops.

STP port states

Ports on a switch running STP go through five different states. During STP convergence, switches move
their root and designated ports through the states blocking, listening, learning and forwarding, whereas
all other ports remain in the blocking state.

Blocking

In the blocking state, the switch only listens to and processes BPDUs on its ports. All frames other than
BPDUs are dropped. In this state the switch tries to find out which port will be the root port, which
ports will be designated ports, and which ports will remain in the blocking state to remove loops. A port
remains in this state for twenty seconds. By default, all ports are in the blocking state when the switch
is powered on. Only the root port and designated ports move into the next state; all remaining ports stay
in this state.

Listening

After twenty seconds, the root port and designated ports move into the listening state. In this state the
ports still listen to and process only BPDUs, and all other frames are dropped. In this state the switch
double-checks the layer 2 topology to make sure that no loops occur on the network before processing
data frames. Ports remain in this state for fifteen seconds.

Learning

The root port and designated ports enter the learning state from the listening state. In this state the
ports still listen to and process BPDUs; however, they also start processing user frames. The switch
examines the source address in the frames and updates its MAC Address Table, but it does not yet forward
user frames to destination ports. Ports stay in this state for fifteen seconds.

Forwarding

In the forwarding state, ports listen to and process BPDUs. In this state the ports also process user
frames, update the MAC Address Table and forward user traffic.

Disabled

Disabled ports have been manually shut down or removed from STP by an administrator. All unplugged
ports also remain in the disabled state. Disabled ports do not participate in STP.

Convergence

Convergence is the state in which all ports on the switch have transitioned to either forwarding or
blocking mode. While STP is converging, all user data frames are dropped; no user data frame is
forwarded until convergence is complete. Convergence usually takes fifty seconds (20 seconds of
blocking state + 15 seconds of listening state + 15 seconds of learning state).

STP Operations

The first thing an STP-enabled network does is elect the Root Bridge. Switches share BPDUs with each
other to select the Root Bridge. The switch that has the lowest priority becomes the root; the default
priority is 32768. If the priority values are the same, the switch with the lowest MAC address is
selected as the root. In our network switch S3 has the lowest MAC address. Since we did not change the
priority value, switch S3 is chosen as the Root Bridge.

- Every switch selects a single port (the one with the shortest path cost) from all its ports and marks
  it as the root port.
- If two switches have multiple connections between them, only the single connection that has the
  shortest path cost is marked as a designated port.
- Any port that is neither a root port nor a designated port is blocked.

The next figure shows how STP turns a physically looped topology into a virtually loop-free topology.
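As an added example (not part of the lab manual), the following Python works through the root election, the per-switch path costs and the port roles for the six-switch ring from the figures above (S1-S2-S3-S6 primary, S1-S4-S5-S6 backup), using the new cost values from the table. The MAC addresses and link speeds are constructed: S3 is given the lowest MAC so it wins, as in the text, and the S6-S5 and S5-S4 links are assumed to be Fast Ethernet so that the 4 + 19 = 23 path cost from the Path Costs section shows up at S5.

```python
import heapq

PORT_COST = {10000: 2, 1000: 4, 100: 19, 10: 100}   # new cost values from the table (Mbps -> cost)
# Constructed switches: default priority 32768 everywhere, S3 given the lowest MAC
SWITCHES = {"S1": (32768, "0000.0c11.1111"), "S2": (32768, "0000.0c22.2222"),
            "S3": (32768, "0000.0c00.0003"), "S4": (32768, "0000.0c44.4444"),
            "S5": (32768, "0000.0c55.5555"), "S6": (32768, "0000.0c66.6666")}
LINKS = [("S1", "S2", 1000), ("S2", "S3", 1000), ("S3", "S6", 1000),   # primary path
         ("S6", "S5", 100), ("S5", "S4", 100), ("S4", "S1", 100)]      # backup path

def bridge_id(priority, mac, vlan=1):
    """Switch ID as STP compares it: (priority + VLAN ID, MAC); lower wins."""
    return (priority + vlan, mac.lower())
def elect_root(switches):
    """Lowest switch ID wins: lowest priority first, then lowest MAC."""
    return min(switches, key=lambda s: bridge_id(*switches[s]))

def path_costs(root, links, switches):
    """Return {switch: (path cost, upstream neighbour)}. The root advertises 0 and each
    receiver adds the cost of its incoming port; ties go to the lower advertising switch ID."""
    adj = {}
    for a, b, speed in links:
        adj.setdefault(a, []).append((b, PORT_COST[speed]))
        adj.setdefault(b, []).append((a, PORT_COST[speed]))
    best, heap = {root: (0, None)}, [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue
        for nbr, pc in adj[node]:
            if nbr == root:
                continue
            cand = (cost + pc, bridge_id(*switches[node]))
            cur = best.get(nbr)
            if cur is None or cand < (cur[0], bridge_id(*switches[cur[1]])):
                best[nbr] = (cand[0], node)   # this switch's root port faces 'node'
                heapq.heappush(heap, (cand[0], nbr))
    return best

def link_roles(links, costs, switches):
    """Per link: the end with the lower path cost (lower switch ID on a tie) is designated;
    the other end is the root port if it leads to the root, otherwise it is blocked."""
    rank = lambda s: (costs[s][0], bridge_id(*switches[s]))
    roles = {}
    for a, b, _ in links:
        des, other = (a, b) if rank(a) <= rank(b) else (b, a)
        roles[(a, b)] = {des: "designated",
                         other: "root" if costs[other][1] == des else "blocked"}
    return roles

def run():
    root = elect_root(SWITCHES)
    costs = path_costs(root, LINKS, SWITCHES)
    return root, costs, link_roles(LINKS, costs, SWITCHES)
```

With these assumptions exactly one port in the ring ends up blocked (S4's port towards S5), which is what breaks the loop.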

show spanning-tree command

The show spanning-tree command provides useful information about STP operation. This information can
be divided into three subsets. The first set contains information about the Root Bridge. The second set
contains information about the switch itself. The third set lists the status of the active interfaces
that are participating in STP operation.

On the Root Bridge the first and second subsets contain the same information.

On a non-Root Bridge the first subset shows information about the Root Bridge, while the second subset
shows information about the switch itself.

The priority value shown is the sum of the default priority value and the VLAN ID.
