Understanding Cisco VTP


The previous section briefly alluded to another LAN protocol called VTP. VTP reduces administration overhead in a switched network. With VTP, when you configure a new VLAN on a switch designated as a VTP server, information regarding that VLAN is


distributed to all switches in the VTP domain, thereby removing the need to manually configure each switch one by one. You can configure a switch to operate in one of four different VTP modes:

• Server. Here, you can create, modify, and delete VLANs and specify other configuration parameters, such as VTP version and VTP pruning, for the entire VTP domain. VTP servers advertise their VLAN configuration to other switches in the same VTP domain and synchronize their VLAN configuration with other switches based on advertisements received over trunk links. VTP server is the default mode.

• Client. VTP clients behave the same way as VTP servers, but you cannot create, change, or delete VLANs on a VTP client.

• Transparent. VTP transparent switches do not participate in VTP. A VTP transparent switch does not advertise its VLAN configuration, and it does not synchronize its VLAN configuration based on received advertisements; however, in VTP version 2, transparent switches forward VTP advertisements that they receive out of their trunk ports. They act like a transparent wire with regards to VTP messages: They forward them without processing them.

• Off. In the three previous modes, VTP advertisements are received and sent as soon as the switch enters the management domain state. In VTP Off mode, switches behave the same as in VTP Transparent mode, except that VTP advertisements are not forwarded, but dropped.

A VTP domain comprises switches that share a common VTP domain name. VTP reduces the need to manually configure the same VLAN everywhere. VTP is a Cisco-proprietary protocol that is available on most Cisco Catalyst series products. Three versions of the protocol exist: VTP v1, v2, and v3. Versions 1 and 2 are nearly identical. (Version 2 simply introduced support for Token Ring VLANs.) Version 3 represents a major overhaul of the protocol that was motivated in part by certain security considerations.

VTP Vulnerabilities

Over the past few years, both vulnerabilities6,7 and specific VTP attacks that can force a switch into accepting VLAN database updates have surfaced. Those problems are discussed in Chapter 11, “Information Leaks with Cisco Ancillary Protocols.”

NOTE A detailed overview of VTP, including packet-level traces, is available in reference 5 in the section, “References.” Users interested in configuration details are strongly encouraged to visit this URL.

82 Chapter 4: Are VLANS Safe?

Summary

Partial understanding of VLAN tagging and common LAN protocols such as Cisco DTP and VTP, coupled with outdated tools still easily available on the Internet,4 frequently contributes to the quick dismissal of VLANs as a viable complement to a secure network design. Are VLANs unsafe? VLANs must be taken for what they are: On a properly configured switch, they provide Layer 2 traffic isolation. Layer 2 isolation guarantees that traffic entering a switch port in VLAN X remains confined to VLAN X, unless a router is involved. This is the only security guarantee that a VLAN provides. Configuration techniques, such as the proper tagging of frames on trunks and disabling VTP/DTP toward end-user ports, keep VLAN hopping attacks at bay.

References

1 http://standards.ieee.org/getieee802/download/802.1Q-2005.pdf
2 http://yersinia.sourceforge.net
3 http://www.ciscopress.com/articles/article.asp?p=29803&seqNum=3&
4 http://www.sans.org/resources/idfaq/vlan.php
5 http://www.cisco.com/warp/public/473/21.html
6 http://www.securityfocus.com/archive/1/445896/30/0/threaded
7 http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml

Understanding Cisco Dynamic Trunking Protocol

To improve the user experience, many modern LAN switches come with a number of mechanisms and protocols that automate network-configuration chores. Cisco Dynamic Trunking Protocol (DTP) falls into that category.

Crafting a DTP Attack

DTP is a Cisco-proprietary protocol. Its purpose is to determine whether two switches that are connected want to create a trunk. In the event that both switches seem to agree, a trunk is automatically brought up with a set of mutually acceptable parameters, such as encapsulation and the VLAN range.

NOTE Ample DTP literature3 is available in other publications, and it’s beyond this book’s scope to cover all configuration aspects or enumerate matrices of possible DTP combinations. As a quick reference, here is a description of the several different DTP port states:

• Auto. The port listens for DTP frames from the neighboring switch. If the neighboring switch says it wants to be a trunk, or is a trunk, the auto state creates the trunk with the neighboring switch. Auto does not convey any intent to become a trunk; it solely depends on the neighboring switch to make the trunking decision.

• Desirable. DTP is spoken to the neighboring switch. Desirable communicates to the neighboring switch that it is capable of being a trunk and wants the neighboring switch to also be a trunk.

• On. DTP is spoken to the neighboring switch. The On state automatically enables trunking on the port, regardless of the state of its neighboring switch. It remains a trunk unless it receives a DTP packet that explicitly disables the trunk.


• Nonegotiate. DTP is not spoken to the neighboring switch. Nonegotiate automatically and unconditionally enables trunking on its port, regardless of the state of its neighboring switch. This is a common setting toward end stations that can understand trunking (such as VMWare virtual machines).

• Off. Trunking is not allowed on this port regardless of the DTP mode configured on the other switch.

The fact that DTP is a protocol immediately rings a bell to a hacker. Something along the lines of, “Let’s see whether I can fool this switch port into becoming a trunk by sending it a manually crafted DTP frame!,” is a natural thought for a LAN hacker. If a switch port has been configured to send and/or listen to DTP advertisements, a hacker can easily coerce the port into becoming a trunk (see Example 4-3).

The dynamic port-level configuration indicates to the switch that it should automatically try to figure out what to do with the port. Although DTP eases the configuration of trunks, it is potentially dangerous when enabled on user-facing ports.

If you think setting up a DTP attack takes a skilled hacker who’s intimately familiar with packet-building libraries, remember this: There is always Yersinia.

Figure 4-7 shows that, once again, when it comes to hacking LAN protocols, Yersinia is up for the challenge. It comes packaged with a DTP frame-injection module that allows a hacker to send any arbitrary DTP frame to the switch. Also, a prebuilt DTP frame attack can turn an unsuspecting switch port into a trunk. If a hacker succeeds and transforms a port into a trunk, hopping VLANs is trivial.

Example 4-3 Configuring a Port to Send and Receive DTP Packets

CiscoSwitch(config-if)#interface g7/8
CiscoSwitch(config-if)#switchport mode ?
  access        Set trunking mode to ACCESS unconditionally
  dot1q-tunnel  set trunking mode to TUNNEL unconditionally
  dynamic       Set trunking mode to dynamically negotiate access or trunk mode
  private-vlan  Set the mode to private-vlan host or promiscuous
  trunk         Set trunking mode to TRUNK unconditionally
CiscoSwitch(config-if)#switchport mode dynamic ?
  auto       Set trunking mode dynamic negotiation parameter to AUTO
  desirable  Set trunking mode dynamic negotiation parameter to DESIRABLE


Figure 4-7 Yersinia’s DTP Module

Example 4-4 shows the initial port configuration of an actual DTP attack.

Example 4-4 Initial Port Configuration for DTP Exploit

CiscoSwitch#show running-config interface f5/14
Building configuration...

Current configuration : 249 bytes
!
interface FastEthernet5/14
 description SERVER_ETH1
 switchport mode dynamic desirable
 switchport access vlan 100
 no ip address
 logging event link-status
 logging event spanning-tree status
 logging event trunk-status
 spanning-tree portfast
end

CiscoSwitch#show interface f5/14 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa5/14      desirable    negotiate      not-trunking  1


The port is in dynamic desirable mode and is currently not trunking. Things are about to change as you fire up Yersinia:

[root@server sample]# yersinia dtp -v 1 -i eth1 -smac 00:ca:fe:be:ef:00 -dmac
01:00:0C:CC:CC:CC -neighbor 00:00:0c:11:22:33 -domain CISCO -attack 0
Ouch!! Invalid attack!! Valid yersinia ATTACK types are:
1: NONDOS attack sending DTP packet
2: NONDOS attack enabling trunking
MOTD: Do you have a Lexicon CX-7? Share it!! ;)

A typo was purposely introduced in the previous command to get Yersinia to list the range of DTP attacks it can perform. Two are listed: a plain-vanilla DTP packet injector, and a prebuilt frame attack that forces the neighboring switch port to become a trunk. Does the switch fall for the second attack? Here’s the verification:

[root@server sample]# yersinia dtp -v 1 -i eth1 -smac 00:ca:fe:be:ef:00 -dmac
01:00:0C:CC:CC:CC -neighbor 00:00:0c:11:22:33 -domain CISCO -attack 2
<*> Starting NONDOS attack enabling trunking...
<*> Press any key to stop the attack <*>

Two parameters matter in the previous Yersinia command: the destination MAC address (01:00:0C:CC:CC:CC) and the VLAN Trunking Protocol (VTP) domain name. The MAC address is a Cisco-specific multicast MAC address used by several LAN protocols, such as CDP and VTP. DTP uses the Subnetwork Access Protocol (SNAP) encapsulation, along with protocol ID 0x2004, to identify itself because the MAC address is not sufficient. The VTP domain must match the domain currently configured on the switch. Some interesting logs appear on the switch immediately after the attack:

.Jan 25 04:24:45.065: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet5/14, changed state to down
Jan 25 04:24:45.054: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface FastEthernet5/14, changed state to down
.Jan 25 04:24:48.078: %SVCLC-5-FWTRUNK: Firewalled VLANs configured on trunks
.Jan 25 04:24:48.122: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet5/14, changed state to up
Jan 25 04:24:48.107: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface FastEthernet5/14, changed state to up
Jan 25 04:24:48.551: %DTP-SP-5-TRUNKPORTON: Port Fa5/14 has become dot1q trunk

Example 4-4 Initial Port Configuration for DTP Exploit (Continued)

Port        Vlans allowed on trunk
Fa5/14      100

Port        Vlans allowed and active in management domain
Fa5/14      100

Port        Vlans in spanning tree forwarding state and not pruned
Fa5/14      100
CiscoSwitch#


According to the last log message, the port has become a trunk! It’s time to double-check, as Example 4-5 shows.

Sure enough, it worked! With one simple packet, a hacker gets instant access to a whopping range of 4000+ VLANs. This is impressive, considering the minimal amount of effort involved.

Countermeasures to DTP Attacks

Fortunately, the antidote to DTP attacks is simple and efficient: Do not leave user-facing ports in dynamic negotiation mode. Hard-code them as access ports instead and place them in a static VLAN. This silently drops DTP frames at the port level with no performance impact. With DTP frames dropped, attempts to force the port into becoming a trunk fail.

Example 4-5 Verification of the Port’s New Status

6K-3-S720#show interface f5/14 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa5/14      desirable    n-802.1q       trunking      1

Port        Vlans allowed on trunk
Fa5/14      1-4094

Port        Vlans allowed and active in management domain
Fa5/14      1-3,8-13,15,17-22,39,44-46,48-52,55-71,75-76,80-81,85-90,95,100-102,
            104,111-112,120-121,130,150-151,161-162,200-204,210,250-251,265,300-301,304,
            350-351,400-407,440-445,448,500-503,550,555,600,665-667,701,720,730,740,750,770,
            780,800-802,822-823,839,888,900-904,906,921,997-999,1001,1100-1102,1121,1200-
            1300,1448,1500-1501,1800-1801,1822,2000-2001,2500,2800,3120-3121,3500,3850-3851,
            3900-3901,4000-4003,4094

Port        Vlans in spanning tree forwarding state and not pruned
Fa5/14      none
6K-3-S720#

Attack of the 802.1Q Tag Stack


Nothing in the 802.1Q specification forbids multiple successive tags from being chained, thereby achieving an 802.1Q tag stack. Figure 4-3 represents a two-level 802.1Q tag stack.

Figure 4-3 Multiple 802.1Q Tags

There are common use cases for stacking multiple 802.1Q tags. One of them is Cisco QinQ, where up to 4096 VLANs can be multiplexed inside a single VLAN ID. The first tag from left to right (outer tag) remains the same, while the second tag (inner tag) takes any value ranging from 1 to 4096.

QinQ offers a way to scale well past the 12 bits allotted to VLAN IDs by offering up to 4096 * 4096 possible combinations. As it turns out, this interesting tag-stacking property lays the groundwork for an often talked-about VLAN hopping attack called the double-nested VLAN attack. Figure 4-4 shows the principle in action behind the attack.

[Figure 4-3: Ethernet Frame with Two 802.1Q Tags (Not to scale). Destination MAC | Source MAC | first 802.1Q tag: 0x8100 Pri CFI VID#1 (4 bytes) | second 802.1Q tag: 0x8100 Pri CFI VID#2 (4 bytes) | EtherType | Data]

Figure 4-4 Nested VLAN Hopping Attack

The premises of this attack are

• The attacker’s port is in VLAN 5.

• The native VLAN of the trunk is VLAN 5.

Generally speaking, for the attack to succeed, a trunk on the switch must have the same native VLAN as a VLAN assigned to an access port. With this exploit, what an attacker tries to achieve is to inject traffic from VLAN X into VLAN Y with no router involved. The fact that no router is involved implies that the attack is unidirectional: The victim won’t be able to respond to the attacker’s packet. In this case, this is no concern to the attacker because, chances are, you are dealing with a denial-of-service (DoS) attack (where a “killer packet” might be sent to the victim, for example).

Here is how the attacker proceeds:

1 The attacker crafts a frame with two 802.1Q tags: 5 and 96.

2 The first (outer) tag matches the attacker’s access port’s VLAN (5).

3 The second (inner) tag matches the victim’s access port’s VLAN (96).

4 The attacker sends the frame (which probably contains a killer packet).

5 The frame enters switch 1; here, it gets classified into VLAN 5.

6 The frame is destined to a MAC address located off the trunk.

7 Because the native VLAN of the trunk to switch 2 is 5, the first tag is stripped off. (Remember that frames on the native VLAN travel untagged.)

[Figure 4-4: Nested VLAN Hopping Attack. Attacker port in VLAN 5 sends a frame with a 1st tag (8100 5) and a 2nd tag (8100 96); switch 1 strips off the 1st tag on the trunk, so the frame crosses to switch 2 as Destination MAC | Source MAC | 8100 96 | 0800 | Data and is delivered to the victim in VLAN 96. Note: only works if the trunk has the same native VLAN as the attacker’s port.]

8 The frame carries a second tag (96) followed by data. This is how it leaves the trunk on switch 1.

9 The frame arrives on switch 2 with tag 96. As such, it is classified by switch 2 as belonging to VLAN 96.

10 The frame is delivered to the victim in VLAN 96. VLAN hopping just happened!

The attack might seem convoluted. After all, it involves manually crafting an Ethernet frame so that it contains two tags and some data. This is difficult to pull off—definitely not something in the realm of a script kiddie. That statement might have been true a few years ago—before Yersinia2 entered the scene.

NOTE The Yersinia Layer 2 attack tool was introduced in Chapter 3, “Attacking the Spanning Tree Protocol.” If you are not familiar with this tool, see Chapter 3 for a summary of this Layer 2 hacker’s Swiss-army knife.

Yersinia makes it possible to inject double-tagged frames into the network, as Figure 4-5 and Figure 4-6 show.

Figure 4-5 Yersinia’s 802.1Q Attack Screen


Figure 4-6 Yersinia’s Nested VLAN Attack Screen

The attack is entirely menu-driven. Using Yersinia, it is possible to modify the frame’s contents and specify its outer and inner 802.1Q tags, as the lower portion of Figure 4-6 shows. After the frame is constructed, a simple mouse click sends it out on the port. It doesn’t get much easier than that.

This attack is particularly difficult to trace. From a protocol’s standpoint, no foul play occurs—chaining 802.1Q headers is not illegal, and the switch won’t complain when it sees such frames. You can thwart this attack in three ways:

• Ensure that the native VLAN is not assigned to any access port.

• Clear the native VLAN from the trunk (not recommended).

• Force all traffic on the trunk to always carry a tag (preferred).

Option 1 is available on switches from all vendors. It is just a matter of configuring the switch in a way that ensures access ports aren’t placed in a VLAN that is used as the native VLAN of a trunk on the same switch. For example, if you have a trunk whose native VLAN is 10, make sure that no access port is a member of VLAN 10.


On the other hand, options 2 and 3 might not be available on all LAN switches. Option 2 consists of manually clearing (or pruning) the native VLAN off the trunk. For example, to achieve this, the Cisco IOS configuration would look like what’s shown in Example 4-1.

Example 4-1 removes VLAN 10 from the trunk, thereby clearing the native VLAN. Various reasons exist for why you should not opt for this choice. Several “system” protocols rely on the presence of the native VLAN to function properly, and protocol-level compatibility between switches might no longer be guaranteed with the native VLAN gone. Option 3 is the preferred method. Its operation is straightforward: It ensures that all traffic leaving a trunk always carries a tag. In a way, it gets rid of the native VLAN concept, but it does not disrupt traffic sent to or from the native VLAN. It just tags it.

WARNING Be careful when interoperating with a switch that does not support this option; it breaks communication on the native VLAN.

Within the family of Cisco switches, certain discrepancies exist regarding the specifics of the feature. For example, with the option enabled, a Catalyst 6500 switch ensures that both outgoing and incoming frames are always tagged. Frames arriving on a trunk without a tag are dropped. On the other hand, the Catalyst 3750 tags all outgoing traffic, but it is lenient toward incoming traffic that arrives untagged.

NOTE Regardless of platform-specific idiosyncrasies, the option to tag all trunk traffic is available on most Cisco switches.

Depending on the software version, the command is available either globally or on a per-port basis. Example 4-2 lists the global and per-port configurations:

Example 4-1 Cisco IOS Trunk Port Configuration to Clear Native VLAN

CiscoSwitch(config)#interface GigabitEthernet2/1
CiscoSwitch(config-if)#switchport
CiscoSwitch(config-if)#switchport trunk encapsulation dot1q
CiscoSwitch(config-if)#switchport trunk native vlan 10
CiscoSwitch(config-if)#switchport trunk allowed vlan 1-500
CiscoSwitch(config-if)#switchport trunk allowed vlan remove 10
CiscoSwitch(config-if)#


dot1q tag native prevents double-encapsulation/nested VLAN attacks by never stripping off the outer tag in the presence of a double-tagged frame. That way, both tags remain intact throughout the transit of the frame across the trunk, leaving the attacker empty-handed in terms of VLAN hopping.

Example 4-2 Cisco IOS Configuration for Unconditional Tagging of Frames

CiscoSwitch(config)#vlan dot1q tag native

or

CiscoSwitch(config)#interface GigabitEthernet2/1
CiscoSwitch(config-if)#switchport trunk native vlan tag
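The countermeasures discussed in this section and in “Countermeasures to DTP Attacks” are all visible in a switch’s running configuration, so they can be audited mechanically. The following Python example is added here; it is not from the book or from Cisco. It parses the interface stanzas of an IOS-style configuration (a constructed sample is embedded: the interface names and VLAN numbers echo this chapter’s examples, but the configuration as a whole is made up) and reports three things: ports that can still negotiate with DTP (a switchport mode dynamic line, or no switchport mode line at all), trunks whose native VLAN travels untagged (neither the global vlan dot1q tag native nor the per-port switchport trunk native vlan tag is present), and trunks whose native VLAN is also the access VLAN of some port on the same switch, which is the precondition for the nested VLAN attack. VLAN 1 is assumed wherever no VLAN is configured.

```python
from typing import Dict, List

# Constructed sample: interface names and VLAN numbers echo this chapter's examples,
# but the configuration as a whole is made up for the audit to run against.
SAMPLE_CONFIG = """\
!
interface FastEthernet5/14
 description SERVER_ETH1
 switchport mode dynamic desirable
 switchport access vlan 100
 spanning-tree portfast
!
interface FastEthernet5/3
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
interface GigabitEthernet2/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport mode trunk
!
interface GigabitEthernet2/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk native vlan tag
 switchport mode trunk
!
end
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface <name>' stanza to its indented command lines (stripped)."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!', 'end' or a global command closes the stanza
    return stanzas


def _vlan_after(lines: List[str], prefix: str, default: int) -> int:
    """Numeric argument of the first line starting with prefix, e.g. 'switchport access vlan 100'."""
    for line in lines:
        if line.startswith(prefix):
            rest = line[len(prefix):].strip()
            if rest.isdigit():
                return int(rest)
    return default


def audit_config(config: str) -> List[str]:
    """Return one finding per weakness discussed in the text; an empty list means clean."""
    findings: List[str] = []
    stanzas = parse_interfaces(config)
    global_tag_native = any(l.strip() == "vlan dot1q tag native" for l in config.splitlines())
    access_vlan_of: Dict[str, int] = {}   # non-trunk ports and the VLAN they sit in
    trunk_native_of: Dict[str, int] = {}  # trunk ports and their native VLAN

    for name, lines in stanzas.items():
        mode = next((l for l in lines if l.startswith("switchport mode ")), None)
        if mode is None or mode.startswith("switchport mode dynamic"):
            findings.append(f"{name}: port can negotiate a trunk via DTP "
                            f"({mode or 'no explicit switchport mode'}); hard-code 'switchport mode access'")
        if mode == "switchport mode trunk":
            native = _vlan_after(lines, "switchport trunk native vlan ", default=1)
            trunk_native_of[name] = native
            if not global_tag_native and "switchport trunk native vlan tag" not in lines:
                findings.append(f"{name}: native VLAN {native} travels untagged on this trunk; "
                                f"enable 'vlan dot1q tag native' or 'switchport trunk native vlan tag'")
        else:
            access_vlan_of[name] = _vlan_after(lines, "switchport access vlan ", default=1)

    # Option 1 from the text: the native VLAN of a trunk must not be an access VLAN on the same switch.
    for trunk, native in trunk_native_of.items():
        for port, vlan in access_vlan_of.items():
            if vlan == native:
                findings.append(f"{trunk}: native VLAN {native} is also the access VLAN of {port} "
                                f"(precondition for the nested VLAN attack)")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the audit flags FastEthernet5/14 (dynamic desirable), GigabitEthernet2/1 (untagged native VLAN 100, which is also FastEthernet5/14’s access VLAN) and nothing else; FastEthernet5/3 is hard-coded as an access port and GigabitEthernet2/2 tags its native VLAN per port. Feed it the output of show running-config to audit a real switch.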

Go Native


Readers somewhat familiar with IEEE specifications probably know that it is often a concern of the Institute’s specifications to remain backward-compatible with previous iterations of various IEEE texts. The 802.1Q specification is no different. As such, it includes a provision for trunk ports to carry both tagged and untagged frames. Frames


riding on a trunk port without any 802.1Q tags are said to be part of the native VLAN. A protocol that uses the native VLAN is 802.1D. This ensures compatibility with switches that do not run a per-VLAN spanning tree (PVST). Bridge Protocol Data Units (BPDU) exchanged over the native VLAN serve as the basis for a lowest common denominator loop-free topology. Another typical application includes Cisco IP phones where the data originating from a device attached to the phone is untagged in a given data VLAN while voice traffic arrives tagged on the switch port.

Figure 4-2 illustrates a small LAN comprised of two switches and four hosts. Hosts A and C are in VLAN 10, while hosts B and D are in VLAN 20. The switches interconnect by an 802.1Q trunk, which carries frames for VLANs 10 and 20.

Figure 4-2 Native VLAN Concept

When a frame from host B to host D enters switch 1, it is internally flagged as belonging to VLAN 20. That VLAN 20 tag is maintained over the trunk until the frame is delivered to its final destination. Switch 2 strips off the 802.1Q tag just before it delivers the frame to host D. The process slightly differs when communication between hosts A and C is involved. The native VLAN for the trunk is VLAN 10. This means that traffic from VLAN 10 is sent untagged on that trunk. When traffic from host A enters switch 1, it is internally marked as a VLAN 10 frame. However, this marking is not preserved across the trunk. Switch 1 sends out the frame with no 802.1Q header. When the frame arrives on switch 2, it is automatically classified into the native VLAN of the trunk and delivered to host C.

This process is critical to understand, because it leads to the first potential security issue. Imagine a misconfiguration on switch 2 where the native VLANs on both ends of the trunk that links switches 1 and 2 are mismatched. Frames sent by switch 1 on the native VLAN arrive on switch 2; here, they are classified into switch 2’s native VLAN to only be sent out into that VLAN. If switch 1’s native VLAN is 10 while switch 2’s native VLAN happens to be 20, you are faced with a VLAN hopping problem! Traffic leaving switch 1

[Figure 4-2: Native VLAN Concept. Switch 1 and switch 2 are joined by an 802.1Q trunk with native VLAN = 10. Host A to host C (VLAN 10): no 802.1Q tag on the trunk. Host B to host D (VLAN 20): 802.1Q tag’s VID = VLAN 20.]

on VLAN 10 enters switch 2 and gets classified in VLAN 20. This is not desirable behavior, obviously. Fortunately, Cisco Discovery Protocol (CDP) comes to the rescue. CDP can help pinpoint native VLAN mismatch issues. Here is an example of the syslog message produced when CDP comes across the problem:

.Jan 24 05:14:49.679: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet7/8 (23), with 6K-2-S2.cisco.com GigabitEthernet1/16 (12).

In this code snippet, the native VLAN is 23 on one side and 12 on the other end.

Assuming no native VLAN mismatch configuration error, is it still possible for traffic to hop from one VLAN to another? Read on….
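Both the CDP message above and the %DTP-SP-5-TRUNKPORTON message shown in “Crafting a DTP Attack” are syslog events a defender can alert on: a native VLAN mismatch is a latent hopping path, and a trunk coming up on a port that is supposed to be an access port is what the Yersinia run in that section looks like from the switch’s side. The following Python example is added here; it is not from the book or from Cisco. It parses those two message formats out of syslog lines (the three lines quoted in this chapter are embedded as sample input) and returns findings; the set of ports inventoried as access ports is supplied by the operator. Interface names are normalised because IOS writes the same port as FastEthernet5/14 in one message and Fa5/14 in another.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Sample input: the three syslog lines quoted in this chapter.
SAMPLE_LOGS = [
    ".Jan 24 05:14:49.679: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered "
    "on GigabitEthernet7/8 (23), with 6K-2-S2.cisco.com GigabitEthernet1/16 (12).",
    "Jan 25 04:24:48.107: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface "
    "FastEthernet5/14, changed state to up",
    "Jan 25 04:24:48.551: %DTP-SP-5-TRUNKPORTON: Port Fa5/14 has become dot1q trunk",
]

# Groups: local interface, local native VLAN, neighbor name, neighbor interface, neighbor native VLAN.
NATIVE_MISMATCH_RE = re.compile(
    r"%CDP-4-NATIVE_VLAN_MISMATCH: .*? on (\S+) \((\d+)\), with (\S+) (\S+) \((\d+)\)")
# Groups: port, encapsulation. The '-SP-' infix appears when the message comes from the switch processor.
TRUNK_ON_RE = re.compile(r"%DTP(?:-SP)?-5-TRUNKPORTON: Port (\S+) has become (\S+) trunk")

_PREFIXES = {"FastEthernet": "Fa", "GigabitEthernet": "Gi", "TenGigabitEthernet": "Te"}


@dataclass
class Finding:
    kind: str    # "native_vlan_mismatch" or "unexpected_trunk"
    port: str    # local interface exactly as written in the log line
    detail: str


def short_name(iface: str) -> str:
    """Normalise 'FastEthernet5/14' to 'Fa5/14' so log and inventory names compare equal."""
    for long, short in _PREFIXES.items():
        if iface.startswith(long):
            return short + iface[len(long):]
    return iface


def analyze_logs(lines: Iterable[str], expected_access_ports: Set[str]) -> List[Finding]:
    """Scan syslog lines for the two VLAN-hopping-relevant events discussed in the text."""
    access = {short_name(p) for p in expected_access_ports}
    findings: List[Finding] = []
    for line in lines:
        m = NATIVE_MISMATCH_RE.search(line)
        if m:
            local_if, local_vlan, neighbor, remote_if, remote_vlan = m.groups()
            findings.append(Finding(
                "native_vlan_mismatch", local_if,
                f"local native VLAN {local_vlan}, neighbor {neighbor} {remote_if} native VLAN {remote_vlan}"))
            continue
        m = TRUNK_ON_RE.search(line)
        if m:
            port, encapsulation = m.groups()
            if short_name(port) in access:  # a trunk on an inventoried access port is the DTP attack's footprint
                findings.append(Finding(
                    "unexpected_trunk", port,
                    f"{encapsulation} trunk came up on a port inventoried as an access port"))
    return findings


if __name__ == "__main__":
    for f in analyze_logs(SAMPLE_LOGS, {"FastEthernet5/14"}):
        print(f.kind, f.port, f.detail)
```

The LINEPROTO up/down messages are deliberately ignored: they fire on every cable bump, whereas TRUNKPORTON on an access port and NATIVE_VLAN_MISMATCH are both specific enough to page on.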

Frame Classification


Virtually every LAN switch provides the capability to configure a physical port as an access port or trunk port. An access port belongs to one—and only one—VLAN, while a trunk port can multiplex several VLANs (up to 4096) on one physical link.


Access and Trunk Port Terminology

Not all vendors agree on a common port-naming convention. As a matter of fact, the 802.1Q specification itself doesn’t refer to access or trunk ports. It is, therefore, possible that your particular switch doesn’t use the access and trunk terminology. Nevertheless, you are almost always likely to come across ports that send and receive untagged traffic (what this book calls an access port) and ports that carry tagged frames through the IEEE 802.1Q encapsulation (what this book calls a trunk port).

End users are almost always assigned access ports whose VLAN membership is statically encoded in the switch’s configuration file. For example, a typical configuration could specify that interface FastEthernet5/3 is assigned to VLAN 20. Frames sent out on access ports toward end stations do not carry 802.1Q tags, because most end stations either have no need to be part of multiple VLANs or simply have no clue how to interpret the extra 4 bytes of information. If you run a LAN analyzer on your PC, you are unlikely to come across tagged traffic. Although it’s possible to create a trunk between a switch and a host, as a rule of thumb, it is safe to say trunks are typically found only between LAN switches.

Although there exists a common exception to this, in the form of ports providing connectivity to Cisco IP phones, if you think of the IP phone as a miniature LAN switch (which it actually is), the rule still holds true.

When traffic enters a LAN switch on an access port, an internal mechanism ensures that the traffic remains confined to that access port’s VLAN. This is accomplished through various means, depending on the switch’s vendor. On Cisco high-end LAN switches (Catalyst 6500 and 7600), this input classification is performed by means of slapping an internal header onto the packet. That internal header remains local to the switch; it doesn’t appear on the wire. This ensures VLANs provide a way to isolate traffic at Layer 2.

You might wonder what happens when an access port receives tagged traffic. The answer depends on the switch, the version it runs, and the type of port ASIC that is employed. Generally, Cisco switches accept 802.1Q-tagged traffic if—and only if—the tag matches the VLAN configured on the access port. If the access port is a member of VLAN 20, it accepts 802.1Q frames if the VLAN ID corresponds to 20. Other tagged traffic is silently dropped at the port level. This property entails significant ramifications, which you learn about in the section, “Attack of the 802.1Q Tag Stack.”

IEEE 802.1Q Overview


What is a VLAN? The answer is simple: It is a broadcast domain. In other words, a VLAN defines how far a broadcast packet can propagate. Assuming no routing is involved, traffic entering a physical LAN switch port configured to be part of a given VLAN is constrained to other ports that are also members of that VLAN. VLANs offer a practical and easy way to implement network segmentation at Layer 2 of the Open Systems Interconnection (OSI) model.

A VLAN is primarily identified by a user-defined number, which usually ranges from 1 to 4096. Physical links can carry multiple VLANs, in which case, they are known as trunk ports. Packets traveling on trunk ports are identified as belonging to a certain VLAN by means of a data link layer tag. Two protocols are used for that purpose:

• Cisco Inter-Switch Link (ISL)

• IEEE 802.1Q

ISL completely encapsulates the original Ethernet frame by effectively wrapping it inside another frame comprised of a new source and destination MAC address, a new Ethertype, and a new frame check sequence (FCS). For all practical purposes, consider that the more “recent” 802.1Q tag replaced ISL. (The word “recent” is in quotation marks because the IEEE 802.1Q specification was ratified as a standard in February 1998.1) Figure 4-1 shows the structure of an 802.1Q tag.


Figure 4-1 802.1Q Tag

A complete 802.1Q tag is comprised of two parts that are each 2 bytes long. The first part is the Ethertype, which is found in every 802.3/DIX-format Ethernet frame. It identifies the protocol carried in the frame. In the case of 802.1Q, the Ethertype value is always 0x8100. The presence of this value instructs the switch to interpret the 2 bytes following the Ethertype as an 802.1Q tag. The tag itself is made up of three fields:

• Three bits of priority

• One bit for the canonical format indicator

• Twelve bits for the actual VLAN number

The first three bits are roughly equivalent to the IP precedence bits found in the type of service (ToS) byte. At Layer 2, they provide different levels of service in case of congestion. The next bit is used for compatibility between Ethernet and Token Ring environments. For Ethernet, it is set to 0. The last 12 bits identify the VLAN ID, which is where the 4096 figure comes from. (2^12 yields 4096 possible values.) Technically speaking, the 802.1Q tag is 2 bytes long. However, because it doesn’t exist without an Ethertype that announces its presence, literature frequently lists it as 4 bytes long in total. The bottom part of Figure 4-1 represents an 802.1Q-tagged 802.3 Ethernet frame. For example, in the case of a frame carrying an IP datagram, a second Ethertype (0x0800 for IP) immediately follows the 2-byte 802.1Q tag, followed by the IP header and the rest of the frame.

[Figure 4-1: Ethernet frame with 802.1Q tag (not to scale). Destination MAC | Source MAC | 802.1Q tag, 4 bytes in total (EtherType 0x8100, 2 bytes; then Pri 3 bits, CFI 1 bit, VID 12 bits, 2 bytes) | EtherType | Data]
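As an added example (not part of the original text), the following Python builds and decodes the 4-byte tag just described: the 0x8100 Ethertype announcing the tag, a 16-bit tag control field holding 3 priority bits, the CFI bit and the 12-bit VLAN ID, and then the original Ethertype. The MAC addresses and payload bytes are constructed for the demonstration. The decoder also walks over stacked tags, which goes slightly beyond the single tag shown in Figure 4-1.

```python
"""Build and decode the 802.1Q tag of Figure 4-1: Ethertype 0x8100 followed by
a 16-bit tag control field (3 priority bits, 1 CFI bit, 12-bit VLAN ID)."""
import struct

TPID_8021Q = 0x8100    # Ethertype value that announces the 2-byte tag following it
ETHERTYPE_IP = 0x0800  # inner Ethertype of a tagged frame carrying IPv4


def build_tag(pcp, cfi, vid):
    """Pack the 4-byte tag. Ranges follow the field widths: 3, 1 and 12 bits."""
    if not (0 <= pcp < 8 and cfi in (0, 1) and 0 <= vid < 4096):
        raise ValueError("802.1Q field out of range")
    tci = (pcp << 13) | (cfi << 12) | vid
    return struct.pack(">HH", TPID_8021Q, tci)


def push_tag(frame, vid, pcp=0):
    """Insert a tag right after the source MAC, in front of whatever Ethertype
    (or existing tag) sits there. Calling it twice stacks two tags."""
    return frame[:12] + build_tag(pcp, 0, vid) + frame[12:]


def parse_frame(frame):
    """Return MACs, the list of (pcp, cfi, vid) tags, inner Ethertype and payload."""
    off, tags = 12, []
    while off + 4 <= len(frame) and struct.unpack(">H", frame[off:off + 2])[0] == TPID_8021Q:
        tci = struct.unpack(">H", frame[off + 2:off + 4])[0]
        tags.append((tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    ethertype = struct.unpack(">H", frame[off:off + 2])[0]
    return {"dst": frame[:6], "src": frame[6:12], "tags": tags,
            "ethertype": ethertype, "payload": frame[off + 2:]}


# Constructed sample: an untagged frame with a placeholder IPv4-looking payload
# (not a valid datagram; only the framing matters here).
DST = bytes.fromhex("0011223344aa")
SRC = bytes.fromhex("0011223344bb")
PAYLOAD = bytes.fromhex("4500001c000100004011") + bytes(18)
UNTAGGED = DST + SRC + struct.pack(">H", ETHERTYPE_IP) + PAYLOAD


def demo():
    """Tag the sample frame for VLAN 1448 with priority 5 and decode it back."""
    tagged = push_tag(UNTAGGED, vid=1448, pcp=5)
    return tagged, parse_frame(tagged)


if __name__ == "__main__":
    frame, parsed = demo()
    print(len(frame), parsed["tags"], hex(parsed["ethertype"]))
```

Running `demo()` shows the frame growing by exactly 4 bytes, with the second Ethertype (0x0800) now sitting behind the tag, exactly as the paragraph above describes.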

Are VLANS Safe?

Perform a Google search on “VLAN hopping,” and you are presented with about 12,000 hits. This clearly indicates that VLAN security has been, and continues to be, at the center of many discussions and debates in LAN security circles. With the amount of information publicly available on the subject coming in varying quality, it can be difficult to separate truth from myth. This chapter settles the debate by providing accurate technical details about the protocols involved and their associated attacks, as well as countermeasures.

Attack 4: Simulating a Dual-Homed Switch

Yersinia can take advantage of computers equipped with two Ethernet cards to masquerade as a dual-homed switch. This capability introduces an interesting traffic-redirection attack, as Figure 3-7 shows.

Chapter 3: Attacking the Spanning Tree Protocol

Figure 3-7 Simulating a Dual-Homed Switch

In Figure 3-7, a hacker connects to switches 1 and 4. It then takes root ownership, creating a new topology that forces all traffic to cross it. The intruder could even force switches 1 and 4 to negotiate the creation of a trunk port and intercept traffic for more than one VLAN. Again, BPDU-guard stands out as the most useful solution to defeat the attack.

Attack 3: DoS Using a Flood of TCN BPDUs

Closely resembling the previous attack, this attack continuously generates TCN BPDUs, forcing the root bridge to acknowledge them. What's more, all bridges down the tree see the TC bit set and accordingly adjust their forwarding table's timers; this results in a wider impact to the switched network. When the TC bit is set in BPDUs, switches adjust their bridging table's aging timer to forward_delay seconds. The defense is the same as before: BPDU-guard or filtering.

Attack 2: DoS Using a Flood of Config BPDUs

Attack number 2 in Yersinia (sending conf BPDUs) is extremely potent. With the cursors GUI enabled, Yersinia generated roughly 25,000 BPDUs per second on our test machine (Intel Pentium 4 machine running Linux 2.4–20.8). This relatively low number is more than sufficient to bring a Catalyst 6500 Supervisor Engine 720 running 12.2(18)SXF down to its knees, with 99 percent CPU utilization on the switch processor:

6K-3-S720#remote command switch show proc cpu | incl second
CPU utilization for five seconds: 99%/86%; one minute: 99%; five minutes: 76%

At that point, serious side effects start to happen. HSRP suffered from constant flapping during the attack:

6K-3-S720#
Dec 30 18:59:21.820: %STANDBY-6-STATECHANGE: Vlan448 Group 48 state Standby -> Active
6K-3-S720#

The attack's purpose is fulfilled: The switch is quickly DoS'd. Unless BPDU-guard is enabled, detecting this attack is not easy. Although it could, as the 802.1w specification suggests,6 the STP does not complain about handling thousands of incoming BPDUs. It just tries to process as many as it can until its processing power is exhausted. High CPU utilization and an extremely high and quickly increasing count of received BPDUs off a given port indicate a BPDU flooding attack, as Example 3-6 shows.

Frequent transitions of a port from blocking to forwarding in a short interval confirm suspicions (use the Cisco IOS command logging-event spanning-tree status under the interface, if available):

5w2d: %SPANTREE-SP-6-PORT_STATE: Port Fa5/14 instance 1448 moving from blocking to blocking
5w2d: %SPANTREE-SP-6-PORT_STATE: Port Fa5/14 instance 1448 moving from blocking to forwarding

Three countermeasures exist for this attack. Two are available to most switches, and one has hardware dependencies:

• BPDU-guard

• BPDU filtering

• Layer 2 PDU rate limiter

Example 3-6 Port Receiving Too Many BPDUs Too Quickly

6K-3-S720#show spanning-tree vlan 123 interface f8/1 detail
 Port 897 (FastEthernet8/1) of VLAN0123 is root forwarding
   Port path cost 19, Port priority 240, Port Identifier 240.897.
   Designated root has priority 0, address 9838.9a38.3cf0
   Designated bridge has priority 52067, address 9838.9a38.3cf0
   Designated port id is 0.0, designated path cost 0
   Timers: message age 20, forward delay 0, hold 0
   Number of transitions to forwarding state: 4
   Link type is point-to-point by default, Peer is STP
   BPDU: sent 1191, received 7227590
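The two indicators named above, a received BPDU counter that dwarfs the sent counter and frequent port state changes within a few seconds, lend themselves to a small detection script. The following Python is an added example, not code from the original text or from Cisco. It parses the show spanning-tree detail output reproduced from Examples 3-2 and 3-6, and counts %SPANTREE PORT_STATE messages per port inside a sliding time window. The log lines are constructed for the example and carry datetime timestamps (what service timestamps log datetime msec produces) instead of the uptime stamps shown above; the flood thresholds are this example's own choices, not values from the text.

```python
"""Spot a BPDU flood from the two symptoms the text names: a received BPDU
counter that dwarfs the sent counter on a port, and a port that changes STP
state many times within a few seconds."""
import re
from datetime import datetime, timedelta

PORT_RE = re.compile(r"Port \d+ \((?P<port>\S+)\) of (?P<vlan>VLAN\d+) is (?P<role>.+)")
BPDU_RE = re.compile(r"BPDU: sent (?P<sent>\d+), received (?P<recv>\d+)")
TRANS_RE = re.compile(r"Number of transitions to forwarding state: (?P<n>\d+)")
# %SPANTREE-SP-6-PORT_STATE lines as printed with 'service timestamps log datetime msec'
STATE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}): %SPANTREE(?:-SP)?-6-PORT_STATE: "
    r"Port (?P<port>\S+) instance (?P<inst>\d+) moving from (?P<old>\w+) to (?P<new>\w+)")


def parse_stp_detail(text):
    """Extract port, VLAN, role, transition and BPDU counters from
    'show spanning-tree vlan N interface X detail' output."""
    info = {"port": None, "vlan": None, "role": None,
            "sent": 0, "received": 0, "transitions": 0}
    for line in text.splitlines():
        if m := PORT_RE.search(line):
            info.update(port=m["port"], vlan=m["vlan"], role=m["role"].strip())
        elif m := BPDU_RE.search(line):
            info.update(sent=int(m["sent"]), received=int(m["recv"]))
        elif m := TRANS_RE.search(line):
            info["transitions"] = int(m["n"])
    return info


def flood_suspected(info, ratio=1000, floor=10000):
    """A port that received `ratio` times more BPDUs than it sent, and more than
    `floor` in total, is almost certainly being flooded. Thresholds are this
    example's own choice, not values from the text."""
    return info["received"] >= floor and info["received"] > ratio * max(info["sent"], 1)


def rapid_transitions(log_lines, window=timedelta(seconds=10), threshold=3):
    """Return (port, instance) pairs with at least `threshold` PORT_STATE
    messages inside any `window`; the text calls this the confirming sign."""
    stamps = {}
    for line in log_lines:
        if m := STATE_RE.match(line):
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")
            stamps.setdefault((m["port"], m["inst"]), []).append(ts)
    flagged = []
    for key, times in stamps.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                flagged.append(key)
                break
    return flagged


# Counter lines reproduced from Example 3-6 and Example 3-2 of the text.
EXAMPLE_3_6 = """\
Port 897 (FastEthernet8/1) of VLAN0123 is root forwarding
Port path cost 19, Port priority 240, Port Identifier 240.897.
Number of transitions to forwarding state: 4
BPDU: sent 1191, received 7227590
"""
EXAMPLE_3_2 = """\
Port 897 (FastEthernet8/1) of VLAN0123 is root forwarding
Number of transitions to forwarding state: 2
BPDU: sent 29, received 219
"""
# Constructed syslog sample; only Fa5/14 flaps repeatedly within ten seconds.
SAMPLE_LOG = [
    "Dec 30 18:59:01.110: %SPANTREE-SP-6-PORT_STATE: Port Fa5/14 instance 1448 moving from forwarding to blocking",
    "Dec 30 18:59:03.420: %SPANTREE-SP-6-PORT_STATE: Port Fa5/14 instance 1448 moving from blocking to forwarding",
    "Dec 30 18:59:05.870: %SPANTREE-SP-6-PORT_STATE: Port Fa5/14 instance 1448 moving from forwarding to blocking",
    "Dec 30 18:59:08.005: %SPANTREE-SP-6-PORT_STATE: Port Fa5/14 instance 1448 moving from blocking to forwarding",
    "Dec 30 18:59:21.820: %STANDBY-6-STATECHANGE: Vlan448 Group 48 state Standby -> Active",
    "Dec 30 19:40:00.000: %SPANTREE-SP-6-PORT_STATE: Port Fa8/45 instance 123 moving from blocking to forwarding",
]

if __name__ == "__main__":
    for sample in (EXAMPLE_3_6, EXAMPLE_3_2):
        stats = parse_stp_detail(sample)
        print(stats["port"], stats["received"], "flood" if flood_suspected(stats) else "ok")
    print("flapping:", rapid_transitions(SAMPLE_LOG))
```

The counter check only tells you that something is wrong on the port; the transition check tells you the attack is actively reshaping the topology. Polling the counters twice and comparing the delta is how you would turn the first test into a rate rather than a lifetime total.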


BPDU-Guard

BPDU-guard was introduced in the previous section. Because it completely prevents BPDUs from entering the switch on the port on which it is enabled, the setting can help fend off this type of attack.

BPDU Filtering

There is actually another method to discard incoming and outgoing BPDUs on a given port: BPDU filtering. This feature silently discards both incoming and outgoing BPDUs. Although extremely effective against a brute-force DoS attack, BPDU filtering offers an immense potential to shoot yourself in the foot. Enable this feature on the incorrect port, and any loop condition goes undetected forever, which causes immediate network downtime. On the other hand, not sending out BPDUs is actually a good thing when faced with a hacker using Yersinia. Yersinia listens for BPDUs in order to craft its own packets based on information contained in genuine BPDUs. If the tool isn't fed any data to start with, it slightly complicates the hacker's job; I say it only “slightly complicates” because Yersinia is a powerful tool when it comes to exploiting STP: It comes with a prefabricated BPDU ready to be sent on the wire! Because of its danger potential, use BPDU filtering with extreme caution and only after you fully understand its potential negative effects.

Suppose, for example, that a user accidentally connects two ports of the same switch. STP would normally take care of this loop condition. With BPDU filtering enabled, it is not taken care of, and packets loop forever! Only enable it toward end-station ports. It is enabled on a port basis using the spanning-tree bpdufilter enable command, as Example 3-7 shows.

As soon as either BPDU-guard or BPDU filtering is enabled, the CPU utilization returns to normal.

Example 3-7 How to Enable BPDU Filtering on a Port

6K-3-S720(config)#interface f5/14
6K-3-S720(config-if)#spanning-tree bpdufilter enable
6K-3-S720(config-if)#^Z
6K-3-S720#
*Dec 30 19:26:37.066: %SYS-5-CONFIG_I: Configured from console by vty0 (10.48.82.102)
6K-3-S720#sh spanning-tree vlan 1448 int f5/14 detail | include filter
   Bpdu filter is enabled
6K-3-S720#


Layer 2 PDU Rate Limiter

Available only on certain switches, such as the Supervisor Engine 720 for the Catalyst 6500, a third option to stop the DoS from causing damage exists. It takes the form of a hardware-based Layer 2 PDU rate limiter. It limits the number of Layer 2 PDUs (BPDUs, DTP, Port Aggregation Protocol [PAgP], CDP, VTP frames) destined for the supervisor engine's processor. The feature works only on Catalyst 6500/7600 that are not operating in truncated mode. The switch uses truncated mode for traffic between fabric-enabled modules when both fabric-enabled and nonfabric-enabled modules are installed. In this mode, the router sends a truncated version of the traffic (the first 64 bytes of the frame) over the switching fabric. (For more information about the various modes of operation of the Catalyst 6500 switch, see the third entry in the section, “References.”) The Layer 2 PDU rate limiter is configured as follows:

Router(config)# mls rate-limit layer2 pdu 200 20
(200 L2 PDUs per second, burst of 20 packets)

Fine-tuning the rate limiter can be time consuming and error prone, because it is global to the switch and applicable to traffic received across all VLANs for various Layer 2 protocols. However, it can be safely enabled with a fairly high threshold. As a rough guideline, 2000 PDUs per second is a high watermark value for an enterprise class switch. (The rate limiter prevents only a DoS attack. It does not stop the other attacks described in this chapter [root hostile takeover, and so on].)

Attack 1: Taking Over the Root Bridge

Taking over a root bridge is probably one of the most disruptive attacks. By default, a LAN switch takes any BPDU sent from Yersinia at face value. Keep in mind that STP is trustful, stateless, and does not provide a solid authentication mechanism. The default STP bridge priority is 32768. Once in root attack mode, Yersinia sends a BPDU every 2 sec with the same priority as the current root bridge, but with a slightly numerically lower MAC address, which ensures it a victory in the root-bridge election process. Figure 3-6 shows Yersinia's STP attack screen, followed by a show command capture on the LAN switch under attack.


Figure 3-6 Yersinia's STP Attacks

Example 3-2 shows the result of the attack on the switch. (The hacker running Yersinia is connected to port F8/1.)

Example 3-2 Cisco IOS Command to Display Port-Level STP Details

6K-2-S2#show spanning-tree vlan 123 interface f8/1 detail
 Port 897 (FastEthernet8/1) of VLAN0123 is root forwarding
   Port path cost 19, Port priority 240, Port Identifier 240.897.
   Designated root has priority 32891, address 0050.3e04.9c00
   Designated bridge has priority 32891, address 0050.3e04.9c00
   Designated port id is 240.897, designated path cost 0
   Timers: message age 15, forward delay 0, hold 0
   Number of transitions to forwarding state: 2
   Link type is point-to-point by default
   Loop guard is enabled by default on the port
   BPDU: sent 29, received 219
6K-2-S2#

! The previous command shows the status of the port for a given VLAN, and
! the number of BPDU received on the port. Here, something abnormal is
! happening: a port facing an end station (as Fa8/1 does here) should
! normally be sending many more BPDUs than it is receiving. The opposite is
! taking place here, indicating suspicious activity.
6K-2-S2#sh spanning-tree bridge address | inc VLAN0123
VLAN0123         0050.3e05.9c00
6K-2-S2#
6K-2-S2#sh spanning-tree vlan 123 root
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0123         32891 0050.3e04.9c00        19    2   20  15  Fa8/1
6K-2-S2#

Notice this bridge's MAC address versus the MAC generated by Yersinia (0050.3e05.9c00 vs 0050.3e04.9c00). Yersinia wins (04 < 05), and the switch now believes the root bridge is located off port 8/1.

Forging Artificially Low Bridge Priorities

It is no problem for an attack tool to generate a BPDU with both the priority and the bridge ID set to 0, as Example 3-3 shows.

Example 3-3 Cisco IOS Command to Verify Root Bridge Status

6K-2-S2#show spanning-tree vlan 123 root
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0123             0 0000.0000.0000        19    2   20  15  Fa8/1
6K-2-S2#

Such a BPDU is absolutely impossible to beat, because no switch would ever generate an all-0 bridge ID.

Two other minor variations of the taking root ownership theme exist:

• Root ownership attack: alternative 1. Another disruptive attack alternative could consist in first taking over the root bridge, and then never setting the TC-ACK bit in BPDUs after receiving a TCN BPDU. The result is a continuous premature aging of the entries in the switches' forwarding tables, possibly resulting in unnecessary flooding.


• Root ownership attack: alternative 2. For an even more negative effect, a sequence where the attack tool generates a superior BPDU claiming to be the root followed by a retraction of that information seconds later (see Yersinia's “claiming other role” function) could be used. This is guaranteed to cause lots of protocol churn because of constant state machine transitions, with high CPU utilization as a result and a potential DoS.

Fortunately, the antidote to a root takeover attack is simple and straightforward. Two features help thwart a root takeover attack:

• Root guard

• BPDU-guard

Root Guard

The root guard feature ensures that the port on which root guard is enabled is the designated port. Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected. If the bridge receives superior BPDUs on a root guard–enabled port, root guard moves this port to a root-inconsistent state. This root-inconsistent state is effectively equal to a listening state. No traffic is forwarded across this port. In this way, root guard enforces the position of the root bridge. See the first entry in the section, “References,” for more details.

BPDU-Guard

The BPDU-guard feature allows network designers to enforce the STP domain borders and keep the active topology predictable. Devices behind ports with BPDU-guard enabled are unable to influence the STP topology. Such devices include hosts running Yersinia, for example. At the reception of a BPDU, BPDU-guard disables the port. BPDU-guard transitions the port into the errdisable state, and a message is generated. See the second entry in the section, “References,” for more details.

Example 3-4 shows root guard blocking a port receiving a superior BPDU.

Example 3-4 Root Guard in Action

6K-2-S2# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
6K-2-S2(config)# interface fastethernet 8/1
6K-2-S2(config-if)# spanning-tree rootguard
6K-2-S2(config-if)# ^Z
*Dec 30 18:25:16: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Rootguard enabled on port FastEthernet8/1 VLAN 123.
Dec 30 18:33:41.677: %SPANTREE-SP-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet8/1 on VLAN0123.

6K-2-S2#sh spanning-tree vlan 123 ac

VLAN0123
  Spanning tree enabled protocol rstp
  Root ID    Priority    32891
             Address     0050.3e05.9c00
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32891  (pri
ority 32768 sys-id-ext 123)
             Address     0050.3e05.9c00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa8/1            Desg BKN*19        240.897  P2p *ROOT_Inc
Fa8/45           Desg FWD 19        128.941  P2p
Gi9/14           Desg FWD 4         128.1038 P2p
Gi9/15           Desg FWD 4         128.1039 Edge P2p
! “Desg” means designated port role; BKN means status blocking;
! FWD means forwarding. Notice the “ROOT Inc” status for port Fa8/1.

If the attack stops, or if it was accidental, the port swiftly moves back to forwarding. This can take as little as three times the hello interval (6 sec, by default) if only a single superior BPDU was received.

Unless explicitly configured to bridge—which is a rare occurrence—end stations, such as PCs running any sort of operating system (OS), IP phones, printers, and so on, should never generate BPDUs, let alone superior BPDUs. Therefore, BPDU-guard is, and should be, usually preferred to root guard on access ports. BPDU-guard is much less forgiving than root guard: It instructs STP to error-disable a port in case any BPDU arrives on it. After a port is placed in the error-disabled state, there are two ways to recover from the condition: either through a manual action (shut down, then no shut down the port) or through an automatic recovery timer whose minimum value is 30 sec. Example 3-5 shows how to configure this using Cisco IOS on a Catalyst 6500. (As usual, consult your switch's documentation for the exact syntax and availability of the feature.)

Example 3-5 How to Configure BPDU-Guard

6K-2-S2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
6K-2-S2(config)#int f8/1
6K-2-S2(config-if)#spanning-tree bpduguard enable
6K-2-S2(config-if)#exit
6K-2-S2(config)#exit
6K-2-S2#
6K-2-S2(config)#errdisable recovery cause bpduguard
6K-2-S2(config)#errdisable recovery ?
  cause     Enable error disable recovery for application
  interval  Error disable recovery timer value
6K-2-S2(config)#errdisable recovery inter
6K-2-S2(config)#errdisable recovery interval ?
  <30-86400>  timer-interval(sec)
6K-2-S2(config)#errdisable recovery interval 30

Immediately after a BPDU is received on the port, these messages are printed:

Dec 30 18:23:58.685: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet8/1, changed state to down
Dec 30 18:23:58.683: %SPANTREE-SP-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet8/1 with BPDU Guard enabled. Disabling port.
Dec 30 18:23:58.683: %PM-SP-4-ERR_DISABLE: bpduguard error detected on Fa8/1, putting Fa8/1 in err-disable state

If this BPDU was the result of an accident, the port is recovered 30 sec later:

Dec 30 18:24:28.535: %PM-SP-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa8/1

By using the following command, it is possible to globally enable BPDU-guard on all portfast-enabled ports:

6K-2-S2(config)#spanning-tree portfast bpduguard ?
  default  Enable bdpu guard by default on all portfast ports

Portfast

Portfast is a port-based setting that instructs the port on which it is enabled to bypass the listening and learning phases of STP. The result is that the port immediately moves to forwarding, accepting, and sending traffic. The setting is typically applied to ports where end devices are attached, such as laptops, printers, servers, and so on.

Unlike root guard, BPDU-guard is not limited only to root takeover attempts. Any incoming BPDU disables the port—period. On many Cisco IOS versions, BPDU-guard no longer requires a port to be portfast-enabled.

Let the Games Begin!

Unfortunately, you are likely to come across LAN hackers that are intimately familiar with STP's inner workings. They also know that little or no attention is paid to STP security. They understand how gullible—for lack of a better term—the protocol really is. STP attacks moved from the theoretical field to reality fairly recently. Black Hat Europe 2005 proposed a session that discussed various ways to exploit STP3. Packet-building libraries, such as libnet4, have been shipping C-source code to help craft homemade BPDUs for some time now, but putting together an attack tool required some programming skills—a fact that probably discouraged most script kiddies. It was only a matter of time before someone built a frontend to a libnet-based LAN protocol's packet-building engine. Probably the most successful result of that effort is a tool called Yersinia. Example 3-1 shows Yersinia's manual page.

Example 3-1 Yersinia Manual Page

YERSINIA(8)

NAME
       Yersinia - A FrameWork for layer 2 attacks

SYNOPSIS
       yersinia [-hVID] [-l logfile] [-c conffile] protocol [-M] [protocol_options]

DESCRIPTION
       yersinia is a framework for performing layer 2 attacks. The following
       protocols have been implemented in Yersinia current version: Spanning Tree
       Protocol (STP), Virtual Trunking Protocol (VTP), Hot Standby Router Protocol
       (HSRP), Dynamic Trunking Protocol (DTP), IEEE 802.1Q, Cisco Discovery Protocol
       (CDP) and finally, the Dynamic Host Configuration Protocol (DHCP).

       Some of the attacks implemented will cause a DoS in a network, other will
       help to perform any other more advanced attack, or both. In addition, some of
       them will be first released to the public since there isn't any public
       implementation.

The tool basically covers all the most common LAN protocols deployed in today's networks: STP, VLAN Trunk Protocol (VTP), Hot Standby Router Protocol (HSRP), Dynamic Trunking Protocol (DTP), Cisco Discovery Protocol (CDP), DHCP—they are all in there. Even worse, it comes with a GUI! According to Yersinia's home page,5 it proposes these STP attacks:

• Sending RAW Configuration BPDU

• Sending RAW TCN BPDU

• Denial of Service (DoS) sending RAW Configuration BPDU

• DoS Sending RAW TCN BPDU

• Claiming Root Role

• Claiming Other Role

• Claiming Root Role Dual-Home (MITM)

Basically, Yersinia has everything that anyone interested in messing around with STP would ever need. The GUI is based on the ncurses library (for character-cell terminals, such as VT100). Figure 3-5 shows Yersinia's protocols.

Yersinia continuously listens for STP BPDUs and provides instant decoded information, including current root bridge and timers it is propagating—all this for 802.1D, 802.1w, and Cisco BPDUs. The following sections review the major STP attacks and offer appropriate countermeasures.


Figure 3-5 Yersinia's Protocols

STP Operation: More Details

To understand the attacks that a hacker is likely to carry out against STP, network administrators must gain a solid understanding of STP's inner workings. The protocol builds a loop-free topology that looks like a tree. At the base of the tree is a root bridge—an election process takes place to determine which bridge becomes the root. The switch with the lowest bridge ID (a concatenation of a 16-bit user-assigned priority and the switch's MAC address) wins. The root-bridge election process begins by having every switch in the domain believe it is the root and claiming it throughout the network by means of Bridge Protocol Data Units (BPDU). BPDUs are Layer 2 frames multicast to a well-known MAC address in case of IEEE STP (01-80-C2-00-00-00) or vendor-assigned addresses, in other cases. Upon receiving a BPDU from a neighbor, a bridge compares the sender's bridge ID with its own to determine which switch has the lowest ID. Only the one with the lowest ID keeps on generating BPDUs, and the process continues until a single switch wins the designated root-bridge election. STP assigns roles and functions to network ports. Every nonroot bridge has one root port: It is the port that leads to the root bridge.

STP uses a path cost–based method to build its loop-free tree. Every port is configured with a port cost—most switches are capable of autoassigning costs based on link speed. A port's cost is inversely proportional to its bandwidth. Each time a port receives a BPDU, the port's path cost is added to the path cost contained in the BPDU. The root sends BPDUs with the path cost equal to 0, and the cost keeps increasing as the network diameter increases. When two BPDUs are received on a switch because of redundant links in the network, the one with the higher cost is logically disabled—it is put in blocked mode. The bridge that is responsible for forwarding packets on a given link is called the designated bridge. After a while, ranging from less than a second to just under a minute depending on the STP flavor, the network converges and a single-rooted loop-free tree is built. Before a port transitions to forwarding, it goes through several states:

• Disabled. The port is electrically inactive and does not send or receive any traffic. Once enabled, the port transitions to the next state (blocking).

• Blocking. Discards all data frames except BPDUs.

• Listening. Switches listen to BPDUs to build the loop-free tree. Data packets are not forwarded (15 sec by default with 802.1D timers).

• Learning. Forwarding tables are built using the source MAC addresses of data frames; data frames are not forwarded.

• Forwarding. Data traffic. At this point, the port is fully operational.

NOTE Although this chapter paints a detailed picture of STP's inner workings, we recommend that you look at the reference material available online2 if you are interested in a more detailed overview.

After the network converges, STP network-wide timers maintain its stability. (A network can be a VLAN.)

Network-Wide Timers

Several STP timers exist:

Hello. Time between each BPDU that is sent on a port. By default, this time is equal to 2 sec, but you can tune the time to be between 1 and 10 sec.

Forward delay. Time spent in the listening and learning state. By default, this time is equal to 15 sec, but you can tune the time to be between 4 and 30 sec.

Max age. Controls the maximum length of time that passes before a bridge port saves its configuration BPDU information. By default, this time is 20 sec, but you can tune the time to be between 6 and 40 sec.

Each configuration BPDU contains these three parameters. In addition, each configuration BPDU contains another time-related parameter, known as the message age. The message age is not a fixed value. The message age contains the length of time that has passed since the root bridge initially originated the BPDU. The root bridge sends all its BPDUs with a message age value of 0, and all subsequent switches add 1 to this value. Effectively, this value contains the information on how far you are from the root bridge when you receive a BPDU.

Introducing Spanning Tree Protocol

In 802.1D, bridges really have no idea whether their BPDUs are heard by neighboring switches. For example, the root bridge is not sure that everybody acknowledges its presence—the protocol contains no provision to ensure this. The protocol simply relies on the timers (as just explained) to assume BPDUs are properly delivered to every bridge in the network. Table 3-1 represents an 802.1D BPDU.

Table 3-1 802.1D BPDU Frame Format

Field                               Value                     Explanation
Destination MAC                     01 80 c2 00 00 00         IEEE reserved BPDU MAC
Source MAC                          00 00 0c a0 01 96         Port's MAC address
LENGTH                              00 26
LLC HEADER
  Destination Service Access Point  42
  Source Service Access Point       42
  Unnumbered Information            03
PROTOCOL                            00 00
PROTOCOL VERSION                    00
BPDU TYPE                           00
BPDU FLAGS                          00
ROOT ID                             20 00 00 d0 00 f6 ba 04
PATH COST                           00 00 00 00
BRIDGE ID                           20 00 00 d0 00 f6 ba 04
PORT                                81 14
MESSAGE AGE                         00 00
MAXIMUM AGE                         14 00
HELLO TIME                          02 00
FORWARD DELAY                       0f 00

In a converged network, the root bridge sends a BPDU out each port every hello interval (2 sec, by default). Every BPDU contains an age field that represents how long it has been in transit. It starts from 0 at the root and increases as the BPDU makes its way through the switched network. A maximum allowed age is defined for the network (max_age parameter—20 sec, by default). When a BPDU is received on a port, the switch extracts the age contained in the BPDU and starts running a port clock initialized with that value. For example, if the BPDU is 6 sec old, the clock starts counting from 6. Normally, the next BPDU is supposed to arrive 2 sec later, but because of various conditions (packet loss, unreliable software, excessive CPU utilization, unidirectional links, and so on), BPDUs are known to sometimes fail to show on time. Meanwhile, the port clock runs until it reaches max_age. If it reaches max_age, the bridge starts the election process again, claiming to be the root! Ports go back to blocking/listening/learning before finally forwarding, potentially causing massive traffic blackouts.

Another property of the STP is its ability to influence the forwarding table's aging time by using a particular bit in the BPDU. Figure 3-3 shows the Flags field found in every BPDU.

Figure 3-3 BPDU Packet Capture—TC Bit

In 802.1D, only two bits of the Flags field are defined: the high-order bit (1000 0000, the TC-ACK bit) and the low-order bit (0000 0001, the TC bit). The TC bit, when set in a configuration BPDU, announces a topology change to every bridge that receives it. A separate, lightweight BPDU, the topology-change notification (TCN) BPDU, exists to inform the upstream switches all the way to the root bridge that a connectivity event occurred on this switch. A switch sends a TCN BPDU whenever a link or port transitions up or down. Bridges located between the originator of the TCN BPDU and the root immediately acknowledge the reception of the TCN BPDU by setting the TC-ACK bit in the next configuration BPDU they send on that port, without being certain that the root still exists. When the TCN BPDU finally reaches the root bridge, the root sets the TC bit in the configuration BPDUs it generates. This notifies every bridge to reduce its forwarding table's aging time to forward_delay sec (15, by default). The TC bit is set for a certain period of time (max_age + forward_delay sec, or 35 sec with timers using default values). Figure 3-4 shows a scenario where this mechanism plays a crucial role in restoring network connectivity faster.

Figure 3-4 TC Bit Plays a Crucial Role

Suppose traffic flows between PC A and PC B through switches 1, 2, 3, and 4, and all forwarding tables are correctly populated, with switch 1 pointing to switch 2 to reach B. Now, the link between switches 2 and 3 fails. As a result, switch 4 removes the link to switch 1 from its blocked mode and puts it in forwarding. Traffic from A arrives on switch 1, only to be sent to switch 2. Indeed, nobody told switch 1 that it should use switch 4 to reach B. Naturally, this creates a temporary traffic “black hole.” In this particular case, relying on the standard forwarding-table aging time alone is not sufficient. Thanks to the TCN/TC-ACK bits, however, switch 1's forwarding table can age out faster and soon point to the correct switch 1-to-4 link to reach B.

NOTE The rapid STP defined in 802.1w in 1999 introduces a proposal/agreement mechanism between switches, thereby significantly reducing the timer-based dependency. It also discards the information contained in the forwarding table altogether when a topology change occurs. Albeit faster than its 802.1D predecessor, 802.1w was designed with no concern for security. BPDUs are not signed or authenticated, the protocol is stateless, and an 802.1w implementation must be capable of understanding 802.1D BPDUs. Therefore, any attack launched against the 802.1D STP works on switches running 802.1w.

Many vendors accept aggrandized the aboriginal 802.1D and 802.1w specs to accommodate a per-

VLAN 802.1D or 802.1w for bigger adaptability in arrangement design. Cisco’s own proprietary

B A B

Blocking

Link Failure

A

?

1 1 4

3 2 3

4

2

52 Affiliate 3: Attacking the Spanning Timberline Protocol

version of 802.1D and 802.1w is alleged per-VLAN (rapid) spanning-tree additional (PVST+).

Other than a Cisco-specific destination MAC abode and a Subnetwork Access Protocol

(SNAP) anatomy header, the BPDU burden contains absolutely the aforementioned advice as a

regular 802.1D or 802.1w BPDU, as Table 3-2 shows.

Table 3-2 Cisco PVST+ BPDU in VLAN 10

Field                         Value                      Explanation
DMAC                          01 00 0c cc cc cd          Cisco SSTP BPDU MAC
SMAC                          00 02 fc 90 08 38          Port MAC
PROTOCOL TYPE IDENTIFIER      81 00                      802.1Q Ethertype
TAG CONTROL INFO              00 0a                      COS and VLAN ID (VLAN 10)
LENGTH                        00 32
802.2 LOGICAL LINK CONTROL HEADER
  DSAP                        aa                         Indicates SNAP encap
  SSAP                        aa
  UI                          03
SNAP HEADER
  VENDOR ID                   00 00 0c                   Cisco Systems
  TYPE                        01 0b                      SSTP
PROTOCOL                      00 00
PROTOCOL VERSION              00
BPDU TYPE                     00
BPDU FLAGS                    00
ROOT ID                       20 00 00 d0 00 66 2c 0a
PATH COST                     00 00 00 00
BRIDGE ID                     20 00 00 d0 00 66 2c 0a    Bridge ID in VLAN 10
PORT                          81 41
MESSAGE AGE                   00 00
MAXIMUM AGE                   14 00
ROOT HELLO TIME               02 00
ROOT FORWARD DELAY            0f 00
VLAN ID TYPE LENGTH VALUE
  PAD                         34
  TYPE                        00 00
  LENGTH                      00 02
  VLAN ID                     00 0a                      VLAN 10
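As an added example (not code from the book), the following Python decodes the Table 3-2 frame field by field, including the TC and TC-ACK flag bits discussed above and the trailing PVID TLV, and applies a few consistency checks a monitoring tool would run before trusting a BPDU; the byte string is assembled from the table's values, and the timer relationship checked is the one 802.1D prescribes.

```python
import struct

# Constructed byte string reproducing the Cisco PVST+ BPDU listed in Table 3-2
# (VLAN 10). It is assembled here from the table, not captured from a switch.
PVST_BPDU_VLAN10 = bytes.fromhex(
    "01000ccccccd"                # DMAC: Cisco SSTP multicast address
    "0002fc900838"                # SMAC: port MAC
    "8100" "000a"                 # 802.1Q TPID and TCI (CoS 0, VLAN 10)
    "0032"                        # 802.3 length: 50 bytes follow
    "aaaa03"                      # LLC: DSAP 0xAA, SSAP 0xAA, UI
    "00000c" "010b"               # SNAP: Cisco OUI, type 0x010b (SSTP)
    "0000" "00" "00" "00"         # protocol id, version, BPDU type (config), flags
    "200000d000662c0a"            # root ID: priority 0x2000 + MAC
    "00000000"                    # root path cost
    "200000d000662c0a"            # bridge ID
    "8141"                        # port ID
    "0000" "1400" "0200" "0f00"   # message age, max age, hello, forward delay (1/256 s)
    "34"                          # pad
    "0000" "0002" "000a"          # PVID TLV: type 0, length 2, VLAN 10
)

CISCO_SSTP_DMAC = bytes.fromhex("01000ccccccd")
CISCO_OUI = bytes.fromhex("00000c")
SSTP_SNAP_TYPE = 0x010B
FLAG_TC, FLAG_TCA = 0x01, 0x80    # 802.1D flag bits: topology change / TC acknowledgement


def _mac(raw):
    return ":".join(f"{x:02x}" for x in raw)


def parse_pvst_bpdu(frame):
    """Decode a tagged Cisco PVST+ configuration BPDU; raise ValueError if malformed."""
    if len(frame) < 68:
        raise ValueError("frame too short for a tagged PVST+ BPDU")
    if frame[0:6] != CISCO_SSTP_DMAC:
        raise ValueError("destination is not the Cisco SSTP multicast address")
    tpid, tci, length = struct.unpack("!HHH", frame[12:18])
    if tpid != 0x8100:
        raise ValueError("expected an 802.1Q tag")
    if length != len(frame) - 18:
        raise ValueError("802.3 length field disagrees with the frame size")
    if frame[18:21] != b"\xaa\xaa\x03":
        raise ValueError("expected LLC/SNAP encapsulation")
    snap_type = struct.unpack("!H", frame[24:26])[0]
    if frame[21:24] != CISCO_OUI or snap_type != SSTP_SNAP_TYPE:
        raise ValueError("SNAP header is not Cisco SSTP")
    (proto, version, bpdu_type, flags, root_prio, root_mac, path_cost,
     br_prio, br_mac, port_id, msg_age, max_age, hello, fwd_delay) = struct.unpack(
        "!HBBBH6sIH6sHHHHH", frame[26:61])
    tlv_type, tlv_len = struct.unpack("!HH", frame[62:66])   # byte 61 is the pad
    if tlv_type != 0 or tlv_len != 2:
        raise ValueError("unexpected PVID TLV")
    pvid = struct.unpack("!H", frame[66:68])[0] & 0x0FFF
    return {
        "tag_vlan": tci & 0x0FFF, "pvid": pvid,
        "protocol_id": proto, "version": version, "bpdu_type": bpdu_type,
        "tc": bool(flags & FLAG_TC), "tc_ack": bool(flags & FLAG_TCA),
        "root_priority": root_prio, "root_mac": _mac(root_mac),
        "root_path_cost": path_cost,
        "bridge_priority": br_prio, "bridge_mac": _mac(br_mac),
        "port_id": port_id,
        # timers are carried in units of 1/256 second
        "message_age_s": msg_age / 256, "max_age_s": max_age / 256,
        "hello_time_s": hello / 256, "forward_delay_s": fwd_delay / 256,
    }


def sanity_warnings(b):
    """Checks a BPDU monitor could raise before acting on a decoded BPDU."""
    warnings = []
    if b["pvid"] != b["tag_vlan"]:
        warnings.append("PVID TLV VLAN differs from the 802.1Q tag VLAN")
    if b["root_mac"] == b["bridge_mac"] and b["root_path_cost"] != 0:
        warnings.append("sender claims to be root but advertises a non-zero path cost")
    # 802.1D requires 2*(FwdDelay-1) >= MaxAge >= 2*(Hello+1); defaults 28 >= 20 >= 6
    if not (2 * (b["forward_delay_s"] - 1) >= b["max_age_s"] >= 2 * (b["hello_time_s"] + 1)):
        warnings.append("timers violate the 802.1D relationship between FwdDelay, MaxAge and Hello")
    return warnings


if __name__ == "__main__":
    decoded = parse_pvst_bpdu(PVST_BPDU_VLAN10)
    for k, v in decoded.items():
        print(f"{k:18} {v}")
    print("warnings:", sanity_warnings(decoded))
```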

NOTE The actual destination MAC address may vary depending on the flavor of STP you are running. For example, the address reserved by the IEEE is 01:80:C2:00:00:00. Cisco uses a MAC address of its own for its per-VLAN rapid spanning-tree implementation, because the standard itself does not define a per-VLAN specification.

Types of STP

Today, various flavors of STP exist, either as IEEE specs (802.1Q Common STP, 802.1w Rapid STP, 802.1s Multiple STP) or as proprietary vendor extensions. All of them function in similar fashions; they are mostly differentiated only by the time they need to recalculate an alternate topology in case of a link failure. Proper STP operation is critical, yet it is so fragile, as this chapter is about to demonstrate.

Understanding 802.1D and 802.1Q Common STP

Originally defined in 1993, the IEEE 802.1D document specifies an algorithm and a protocol to create a loop-free topology in a Layer 2 network. (At that time, there was no concept of VLAN.) The algorithm also ensures automatic reconfiguration after a link or device failure. The protocol converges slowly by today’s standards: up to 50 seconds (sec) with the default protocol timers. The 802.1Q specification later augmented the 802.1D by defining VLANs, but it stopped short of recommending a way to run an individual spanning-tree instance per VLAN—something many switch vendors naturally implemented using proprietary extensions to the 802.1D/Q standards.

Understanding 802.1w Rapid STP

Incorporated in the 2004 revision of the 802.1D standard, the 802.1w (Rapid Reconfiguration of Spanning Tree) introduced significant changes, primarily in terms of convergence speeds. According to the IEEE, motivations behind 802.1w include the following:

• The desire to develop an improved mode of bridge operation that, while retaining the plug-and-play benefits of spanning tree, discards some of the less desirable aspects of the existing STP (in particular, the significant time it takes to reconfigure and restore service on link failure/restoration).

• The realization that, although small improvements in spanning-tree performance are possible by manipulating the existing default parameter values, it is necessary to introduce significant changes to the way the spanning-tree algorithm operates to achieve major improvements.

• The realization that it is possible to develop improvements to spanning tree’s operation that take advantage of the increasing prevalence of structured wiring approaches, while still retaining compatibility with equipment based on the original spanning-tree algorithm.

The bottom line is that 802.1w usually converges in less than a second. All Cisco switches running recent software versions make 802.1w the default STP.

Understanding 802.1s Multiple STP

The 802.1s supplement to IEEE 802.1Q adds the ability for bridges to use multiple spanning trees, providing for traffic belonging to different VLANs to flow over potentially different paths within the virtual bridged LAN. The primary driver behind the development of 802.1s is the increased scalability it provides in large bridged networks. Indeed, an arbitrary number of VLANs can be mapped to a spanning-tree instance, rather than running a single spanning-tree instance per VLAN. The loop-breaking algorithm now runs at the instance level instead of at the individual VLAN level. With 802.1s, you can, for example, map a thousand VLANs to a single spanning-tree instance. This means that all these VLANs follow a single logical topology (a blocked port blocks for all those VLANs), but the reduction in terms of CPU cycles is significant.

Attacking the Spanning Tree Protocol

Radia Perlman, a distinguished engineer at Sun Microsystems, named as one of the 20 most influential people in the industry in the 25th anniversary issue of Data Communications magazine and the original designer of the 802.1D spanning-tree specification, recently had a few words to say about the protocol: “It’s time to redesign (one of the Internet’s most widely used technologies) in a way that is more robust and gives more efficient paths.”1

Introducing Spanning Tree Protocol

Chapter 2, “Defeating a Learning Bridge’s Forwarding Process,” explained how Ethernet switches build their forwarding tables by learning source MAC addresses from data traffic. When an Ethernet frame arrives on a switch port in VLAN X with a destination MAC address for which there is no entry in the forwarding table, the switch floods the frame. That is, it sends a copy of the frame to every single port in VLAN X (except the port that originally received the frame). Although this is perfectly fine in a single-switch environment, interesting side effects are observed in multiswitch topologies, as Figure 3-1 shows. The figure represents a simple network composed of two LAN switches interconnected by two Ethernet links.

44 Chapter 3: Attacking the Spanning Tree Protocol

Figure 3-1 Basic Network Setup

(Figure 3-1 shows PC A, MAC address 0000.0000.000A, on port 0/1 of Switch 1 and PC B, MAC address 0000.0000.000B, on port 0/2 of Switch 2; the two switches are interconnected by Link X and Link Y, and all interfaces are in VLAN 5.)

In the following steps, MAC addresses are conveniently reduced to a single-letter format for clarity. A standard Ethernet MAC address is actually made up of 6 bytes. The following sequence of events occurs when an application on the top PC (MAC address A) communicates with the bottom PC (MAC address B):

1 The top PC sends a frame to the bottom PC (destination MAC address B).

2 Switch 1 learns that MAC address A is off port 0/1.

3 Switch 1 looks up MAC address B; no match is found.

4 Switch 1 sends out the frame on links X and Y (a process known as flooding).

5 Switch 2 receives the frame from A to B on link X and updates its forwarding table. (A is on link X.)

An instant later, switch 2 receives the exact same frame on link Y; this time, it causes a new update to the forwarding table. This is known as a race condition—whichever MAC address arrives first wins the race and gets installed in the forwarding table.

6 Switch 2 looks up MAC address B; no match is found. (B hasn’t talked yet.)

7 Switch 2 sends out the frame on port 0/2 and link Y (or X, depending on the outcome of the race condition described in Step 5).

8 Switch 1 and PC B both receive the frame; however, this frame causes switch 1 to again update its forwarding table. (MAC address A is now off link Y or X.)

9 Return to Step 3 and loop forever. Even if B talks, nothing changes because both switches constantly update their forwarding tables with incorrect information (because of the endless packet loop).

There is no such thing as a Time to Live (TTL) field in Ethernet headers. No routing protocol distributes information related to MAC addresses and their whereabouts. Simply put, short of a power or link failure, nothing can stop the packets from looping endlessly between switch 1 and 2. There’s no need for a broadcast or multicast frame; a simple unicast frame does fine.

The problem is hardly new. After Radia Perlman’s work in the early 1990s, the IEEE ratified her protocol work into a standard known as 802.1D. 802.1D defines the original Spanning Tree Protocol (STP), whose job is to disable redundant paths from one end of the Layer 2 network to another, thereby achieving two goals: no packet duplication or loops while still providing automatic traffic rerouting in case of failure. If switch 1 or switch 2 (or both) were running the STP, the topology represented in Figure 3-1 would logically appear as what’s shown in Figure 3-2.

Figure 3-2 Loop-Free Topology Calculated by STP

With link Y disabled by the spanning-tree algorithm running on switch 2, packets from the top PC to the bottom PC can no longer loop forever.

(Figure 3-2 shows the same topology as Figure 3-1, with Link Y marked as blocking on Switch 2 and Link X carrying the traffic between MAC address A on port 0/1 and MAC address B on port 0/2.)

STP is an extremely common protocol; it keeps virtually every single existing Ethernet-based LAN network loop free.
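The nine-step loop above and the Figure 3-2 fix, as an added simulation that is not part of the book: two toy learning bridges joined by links X and Y forward a single unicast frame from A to B, once with no STP and once with switch 2 blocking link Y. Port and link names follow Figure 3-1; the hop cap that stops the endless case is an assumption of the model.

```python
from collections import deque


class LearningBridge:
    """Toy learning bridge for one VLAN: learns source MACs, floods unknown destinations."""

    def __init__(self, name, ports):
        self.name = name
        self.ports = list(ports)     # e.g. ["0/1", "X", "Y"]
        self.blocked = set()         # ports put in blocking by (simulated) STP
        self.table = {}              # MAC -> port it was last seen on
        self.table_updates = 0

    def receive(self, in_port, frame):
        """Process one frame; return the (out_port, frame) copies to transmit."""
        src, dst = frame
        if in_port in self.blocked:          # a blocking port discards data frames
            return []
        if self.table.get(src) != in_port:   # learn or relearn the source (steps 2, 5, 8)
            self.table[src] = in_port
            self.table_updates += 1
        if dst in self.table:
            outs = [self.table[dst]]
        else:                                # unknown unicast: flood (steps 4, 7)
            outs = [p for p in self.ports if p != in_port]
        return [(p, frame) for p in outs if p not in self.blocked]


def build_figure_3_1(stp_blocks_link_y):
    """Two switches, hosts A and B, parallel links X and Y, one VLAN (Figure 3-1)."""
    sw1 = LearningBridge("Switch 1", ["0/1", "X", "Y"])
    sw2 = LearningBridge("Switch 2", ["0/2", "X", "Y"])
    if stp_blocks_link_y:
        sw2.blocked.add("Y")                 # Figure 3-2: switch 2 blocks link Y
    links = {(sw1, "X"): (sw2, "X"), (sw2, "X"): (sw1, "X"),
             (sw1, "Y"): (sw2, "Y"), (sw2, "Y"): (sw1, "Y")}
    hosts = {(sw1, "0/1"): "A", (sw2, "0/2"): "B"}
    return sw1, sw2, links, hosts


def simulate(stp_blocks_link_y, max_hops=200):
    """Inject one unicast frame A->B and count what happens until the network is quiet."""
    sw1, sw2, links, hosts = build_figure_3_1(stp_blocks_link_y)
    queue = deque([(sw1, "0/1", ("A", "B"))])   # step 1: PC A sends one frame to B
    hops = copies_to_b = 0
    while queue and hops < max_hops:
        sw, in_port, frame = queue.popleft()
        hops += 1
        for out_port, copy in sw.receive(in_port, frame):
            if (sw, out_port) in hosts:
                if hosts[(sw, out_port)] == copy[1]:
                    copies_to_b += 1            # B received (yet another) copy
            else:
                queue.append(links[(sw, out_port)] + (copy,))
    return {
        "hops": hops,
        "frames_in_flight": len(queue),         # > 0 means the loop never died out
        "copies_to_B": copies_to_b,
        "sw1_port_for_A": sw1.table.get("A"),   # should stay 0/1
        "sw1_updates": sw1.table_updates,
        "sw2_updates": sw2.table_updates,
    }


if __name__ == "__main__":
    print("no STP:  ", simulate(stp_blocks_link_y=False))
    print("with STP:", simulate(stp_blocks_link_y=True))
```

Without STP the two copies of the frame circulate until the hop cap, and switch 1's entry for A keeps flipping between X and Y; with link Y blocked, the frame reaches B exactly once and the tables settle after three hops.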

MAC flooding and spoofing attacks combine two deadly elements: They are extremely
simple to carry out and yet so potent. They can help an attacker collect valuable
information, such as usernames and passwords, or simply impact the proper operation of
the targeted LAN. Although they date back several years, these attacks are still popular,
thanks to the widespread availability of simple tools that help perpetrate them. Fortunately,
countermeasures are almost as simple as the attacks and are widely available, such as
• Port security
• MAC address activity notification
• Unknown unicast flooding protection
Port security can impose a limit on the number of frames dynamically learned off a LAN
port. MAC notification gives clear and almost instantaneous visibility into potentially
suspicious activity on the network triggered by MAC addresses moving from one port to
another. Unknown unicast flooding protection allows users to set granular control over the
amount of unicast floods a given host off a port can generate. All three features are useful
against bridge-table DoS attacks.
Always consult your equipment’s documentation to stay up to date on the latest
developments regarding port security and to verify how your platform handles a specific
port-security feature.
References

1. International standard ISO/IEC 7498-1:1994; http://www.iso.ch.
2. http://www.monkey.org/~dugsong/dsniff/.
3. http://www.ettercap.sourceforge.net/.
4. http://yersinia.sourceforge.net/.
5. http://www.the.org/releases.php?q=parasite.
6. IEEE Std 802.3-2002, Section One.

Cisco Catalyst 6500 switch documentation. http://www.cisco.com/en/US/products/hw/switches/ps708/.
Cisco Catalyst 4500 switch documentation. http://www.cisco.com/en/US/products/hw/switches/ps4324/index.html.
Cisco Catalyst 3750 switch documentation. http://www.cisco.com/en/US/products/hw/switches/ps5023/index.html.
IEEE 802.3 standard. http://standards.ieee.org/getieee802/802.3.html.
IANA Ethertype numbers. http://www.iana.org/assignments/ethernet-numbers.
Song, Dug. Macof (part of the dsniff package) tool. http://www.monkey.org/~dugsong/dsniff/faq.html.

Unknown Unicast Flooding Protection

Some switches ship with a mechanism that can protect an entire VLAN from unicast flooding’s negative effects. This mechanism is known as unicast flood protection. As already shown, when no entry corresponds to a frame’s destination MAC address in the incoming VLAN, the frame is sent to all forwarding ports within the corresponding VLAN, which causes flooding. Limited flooding is part of the normal switching process, but continuous flooding causes adverse performance effects on the network.

The unicast flood protection feature can send an alert when a user-defined rate limit has been exceeded. It can also filter the traffic or shut down the port generating the floods when it detects unknown unicast floods beyond a certain threshold. Example 2-14 shows a typical configuration taken from a Cisco Catalyst 6500 switch.

Example 2-14 Configuring and Monitoring Unicast Flood Protection

Router(config)# mac-address-table unicast-flood limit 3 vlan 100 filter 5
Router # show mac-address-table unicast-flood
Unicast Flood Protection status: enabled
Configuration:
vlan Kfps action timeout
------+----------+-----------------+----------
100 3 filter 5
Mac filters:
No. vlan source mac addr. installed on time left (mm:ss)
-----+------+-----------------+------------------------------+------------------

You can modify the configuration as follows:

• The limit keyword specifies the unicast floods on a per source MAC address and per VLAN basis; valid values are from 1 to 4000 floods per second (fps).

• The filter keyword specifies how long to filter unicast flood traffic; valid values are from 1 to 34,560 minutes.

The alert (or shutdown) keyword (not shown here) configures the system to send an alert message when the number of unicast floods exceeds the flood rate limit. Another option consists in using the shutdown keyword to tell the system to shut down the ingress port generating the floods when frames of unicast floods exceed the flood rate.

Port Security

To stop an attacker in his tracks, a mechanism called port security comes to the rescue. In its most basic form, port security ties a given MAC address to a port by not allowing any other MAC address than the preconfigured one to show up on a secured port. When port security initially shipped, users had to manually configure a valid MAC address—a cumbersome and error-prone task.

Today, port security is more flexible and can listen for one or more MAC addresses before locking down access to only that or those dynamically learned MAC addresses. Dynamic and static configurations are also permitted. A violation occurs when the source MAC address of a frame differs from the list of secure addresses. At that point, three actions are possible:

• The port error-disables for a specified duration. (It can be unlimited, but if not, automatic recovery can be performed.) A Simple Network Management Protocol (SNMP) trap is generated.

• The port drops frames from unknown addresses (protect mode).

• The port drops frames from unknown addresses and increments a violation counter. SNMP trap generation is possible on some releases/Cisco switches (restrict mode).

On certain switches, port security can also be configured to stop unknown unicast floods from being propagated off a port.

When a secure link goes down, MAC addresses that were associated with the port normally disappear. However, some switches (Catalyst 6500 running a recent IOS release, for example) support sticky MAC addresses—when the port goes down, the MAC addresses that have been learned remain associated with that port. They can be saved in the configuration file.

The most common and recommended port-security setting is dynamic mode with one MAC address for ports where a single device is supposed to connect, with a drop action on violation (restrict action).

NOTE For IP Telephony configurations where a Cisco IP phone connects to the port and a PC connects to the IP phone, three MAC addresses should be allowed per secure port. The phone itself uses one MAC address, and so does the PC. This makes two addresses. Where does the third one come from?

The IP phone actually contains a processor connected to an internal switch. That processor uses a MAC address when it sends traffic. Shortly after booting, the IP phone attempts to discover (through the Cisco Discovery Protocol [CDP]) the voice and data VLAN mappings. To do so, the phone generates frames using its MAC in the data VLAN, which is, at this point, the only VLAN of which the phone is aware. Therefore, the switch temporarily sees three MAC addresses on the port.
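An added model of the port-security behaviour described in this section (an illustration, not Cisco's implementation): a secured port with a maximum address count, the three violation actions, and sticky learning across link down. The MAC addresses in the usage section are taken from this page's examples; the sequential flood addresses are constructed.

```python
from enum import Enum


class Violation(Enum):
    """The three violation actions described in the text."""
    SHUTDOWN = "shutdown"   # error-disable the port and send an SNMP trap
    PROTECT = "protect"     # drop frames from unknown addresses, no counting
    RESTRICT = "restrict"   # drop frames from unknown addresses and count (trap optional)


class SecurePort:
    """Model of a port-security secured port; an illustration, not Cisco's code."""

    def __init__(self, name, maximum=1, violation=Violation.RESTRICT, sticky=False):
        self.name = name
        self.maximum = maximum          # secure addresses allowed (3 for phone + PC)
        self.violation = violation
        self.sticky = sticky            # keep learned addresses across link down
        self.secure = []                # dynamically learned secure addresses
        self.violation_count = 0
        self.err_disabled = False
        self.traps = []                 # SNMP traps that would be generated

    def ingress(self, src_mac):
        """Return True if a frame from src_mac is accepted, False if it is dropped."""
        if self.err_disabled:
            return False
        if src_mac in self.secure:
            return True
        if len(self.secure) < self.maximum:
            self.secure.append(src_mac)  # learned addresses become the secure list
            return True
        # The source differs from the list of secure addresses: a violation.
        if self.violation is Violation.SHUTDOWN:
            self.err_disabled = True
            self.traps.append(("err-disable", self.name, src_mac))
        elif self.violation is Violation.RESTRICT:
            self.violation_count += 1
            self.traps.append(("violation", self.name, src_mac))
        return False                     # protect mode drops silently

    def link_down(self):
        """Secure addresses disappear on link down unless sticky learning is on."""
        if not self.sticky:
            self.secure.clear()

    def recover(self):
        """Automatic (or manual) recovery from the error-disabled state."""
        self.err_disabled = False


def flood(port, count):
    """Feed `count` distinct constructed source MACs; return (accepted, dropped)."""
    accepted = 0
    for i in range(count):
        mac = f"0200.{i >> 16:04x}.{i & 0xFFFF:04x}"   # constructed, locally administered
        accepted += port.ingress(mac)
    return accepted, count - accepted


if __name__ == "__main__":
    # Same shape as Example 2-10: three secure addresses, restrict on violation.
    fa8_4 = SecurePort("Fa8/4", maximum=3, violation=Violation.RESTRICT)
    for mac in ("b88c.0f06.6cb4", "a2e2.ba2b.6c18", "f492.f751.fab6"):
        fa8_4.ingress(mac)
    print(flood(fa8_4, 1000), fa8_4.secure, fa8_4.violation_count)
```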

38 Chapter 2: Defeating a Learning Bridge’s Forwarding Process

Example 2-10 shows a sample configuration and what can be expected from it if an attack occurs.

Example 2-10 Port-Security Settings (Catalyst 6500)

6K-2-S2# show port-security interface f8/4
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Maximum MAC Addresses : 3
Total MAC Addresses : 3
Configured MAC Addresses : 0
Last Source Address : 4428.6d15.b219
Security Violation Count : 9

Three dynamic addresses are permitted, and three have been secured (through addresses that were gleaned from incoming traffic). If you look at the bridging table for interface F8/4 in Example 2-11, however, you notice something probably unexpected if you are unfamiliar with port security.

Example 2-11 Displaying Addresses Learned from a Port

6K-2-S2# show mac-address-table interface f8/4
Legend: * - primary entry
vlan mac address type learn ports
------+----------------+--------+-----+--------------------------
* 20 b88c.0f06.6cb4 static Yes Fa8/4
* 20 7235.1b19.d3e6 dynamic Yes Fa8/4
* 20 f492.f751.fab6 static Yes Fa8/4
* 20 52dd.c278.1203 dynamic Yes Fa8/4
* 20 9ef8.3070.8e9e dynamic Yes Fa8/4
* 20 a2e2.ba2b.6c18 static Yes Fa8/4
* 20 68dc.ce6e.be5d dynamic Yes Fa8/4

There are more than three addresses off that port! How can this be? Note that the switch marks only three addresses as static. Those are the secure addresses that port security learned dynamically. Traffic from any other address is simply discarded—a special bit is used internally for that purpose; the show mac-address command unfortunately does not display it. The show port-security address command verifies that the static addresses match those registered by port security, as shown in Example 2-12.

Example 2-12 Displaying Secured Addresses Only

6K-2-S2# show port-security address
Secure Mac Address Table
-------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age (mins)
---- ----------- ---- ----- -------------
20 a2e2.ba2b.6c18 SecureDynamic Fa8/4 -
20 b88c.0f06.6cb4 SecureDynamic Fa8/4 -
20 f492.f751.fab6 SecureDynamic Fa8/4 -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 2
Max Addresses limit in System (excluding one mac per port) : 1024
6K-2-S2#

Not all hardware platforms respond similarly when handling a MAC flooding attack using port security. For example, during a heavy attack and with the action on violation set to restrict or protect (no shutdown of the port), a Catalyst 6500 equipped with a Supervisor Engine 1 or 2 might become sluggish when commands related to the bridging table are executed (show mac-address dynamic and so on). A quick look at the supervisor engine shows the results in Example 2-13.

Example 2-13 CPU Utilization Because of Port Security

6K-2-S2-sp# show proc cpu | incl Port-S
119 169420 275628 614 15.01% 11.21% 5.81% 0 Port-Security
6K-2-S2-sp#

The high CPU utilization condition is caused by port security being faced with a massive flow of incoming frames using random source MAC addresses. Learning and filtering traffic from those random MAC addresses is performed by a software task running on the control plane, and as such, it uses CPU cycles. A Catalyst 6500 fitted with a Supervisor Engine 720 does not display this symptom because it ships with a built-in hardware-based rate limiter that prevents more than a few thousand packets per second from hitting the control plane.

Preventing MAC Flooding and Spoofing Attacks

Fortunately, there are several ways to thwart MAC flooding and spoofing attacks. In this section, you will learn about detecting MAC activity, port security, and unknown unicast flooding protection.

Detecting MAC Activity

To start with, many switches can be configured to inform the administrator about frequent MAC address moves. Example 2-8 shows the Cisco IOS configuration to enable this. Although it is not going to stop an attack from occurring, MAC notification provides a pointer to a potentially suspicious activity. For example, in Example 2-9, the activity on a Linux host triggers this MAC notification alert.


Example 2-8 Enabling MAC Address Moves Alarms on Cisco Switches

6K-1-720(config)# mac-address-table notification ?
mac-move Enable Mac Move Notification
6K-1-720(config)#mac-address-table notification mac-move ?

Example 2-9 MAC Spoofing Detected by MAC Notification

[root@client root]# ifdown eth1
[root@client root]# macchanger --mac 00:00:09:03:00:02 eth1
Current MAC: 00:00:00:20:00:00 (Xerox Corporation)
Faked MAC: 00:00:09:03:00:02 (Xerox Corporation)
[root@client root]# ifup eth1

Dec 23 22:08:19.108: %MAC_MOVE-SP-4-NOTIF: Host 0000.0903.0002 in vlan 20 is flapping between port Fa3/25 and port Gi1/15
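Added detection logic, not from the book: a parser for the %MAC_MOVE-SP-4-NOTIF message shown in Example 2-9 that counts moves per host and VLAN and flags hosts that keep flapping, so the notification becomes an alert rather than a line in a log. The sample log is constructed around the page's own line, and the threshold of three moves is an assumption.

```python
import re
from collections import Counter, defaultdict

# Matches the %MAC_MOVE-SP-4-NOTIF message of Example 2-9; the "SP" token is
# matched loosely since the facility string varies by platform (assumption).
MAC_MOVE_RE = re.compile(
    r"%MAC_MOVE-\w+-4-NOTIF: Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)

# Constructed syslog sample: the line from Example 2-9 plus invented follow-ups and noise.
SAMPLE_LOG = """\
Dec 23 22:08:19.108: %MAC_MOVE-SP-4-NOTIF: Host 0000.0903.0002 in vlan 20 is flapping between port Fa3/25 and port Gi1/15
Dec 23 22:08:20.002: %SYS-5-CONFIG_I: Configured from console by vty0
Dec 23 22:08:34.511: %MAC_MOVE-SP-4-NOTIF: Host 0000.0903.0002 in vlan 20 is flapping between port Gi1/15 and port Fa3/25
Dec 23 22:09:01.240: %MAC_MOVE-SP-4-NOTIF: Host 00d0.0066.2c0a in vlan 30 is flapping between port Gi2/1 and port Gi2/2
Dec 23 22:09:12.777: %MAC_MOVE-SP-4-NOTIF: Host 0000.0903.0002 in vlan 20 is flapping between port Fa3/25 and port Gi1/15
"""


def parse_mac_move(line):
    """Return (vlan, mac, {port1, port2}) for a MAC-move notification, else None."""
    m = MAC_MOVE_RE.search(line)
    if not m:
        return None
    return int(m["vlan"]), m["mac"], {m["p1"], m["p2"]}


def flapping_hosts(log_text, threshold=3):
    """Count moves per (vlan, mac); flag hosts that moved at least `threshold` times.

    Returns (counts, flagged) where flagged maps (vlan, mac) to the sorted set of
    ports the host has been seen flapping between.
    """
    counts = Counter()
    ports = defaultdict(set)
    for line in log_text.splitlines():
        event = parse_mac_move(line)
        if event is None:
            continue                     # unrelated syslog line
        vlan, mac, pair = event
        counts[(vlan, mac)] += 1
        ports[(vlan, mac)] |= pair
    flagged = {key: sorted(ports[key]) for key, n in counts.items() if n >= threshold}
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = flapping_hosts(SAMPLE_LOG)
    for (vlan, mac), n in sorted(counts.items()):
        print(f"vlan {vlan} host {mac}: {n} move(s)")
    for (vlan, mac), port_list in flagged.items():
        print(f"ALERT: {mac} in vlan {vlan} flapping between {', '.join(port_list)}")
```

A single move is normal when a device is re-patched or a phone boots; the same host bouncing between an access port and an uplink repeatedly, as in the flagged entry, is the pattern worth investigating.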

MAC Flooding Alternative: MAC Spoofing Attacks

All MAC flooding tools force a switch to “fail open” to later perform selective MAC spoofing attacks. A MAC spoofing attack consists of generating a frame from a malicious host borrowing a legitimate source MAC address already in use on the VLAN. This causes the switch to forward frames out the incorrect port, as Figure 2-6 shows.

Figure 2-6 Spoofing a MAC Address

Although they’re extremely easy to carry out (most Ethernet adapters permit their MAC address to be modified), MAC spoofing attacks come with a significant drawback: Unlike MAC flooding attacks, they have the potential to cause an immediate denial of service (DoS) to the spoofed host. In Figure 2-6, as soon as the attacker on host C masquerades as host B, host B completely stops receiving traffic. That is because a given source MAC address cannot appear simultaneously on different ports inside a given VLAN. The switch updates its table based on the most recently seen frame. Traffic to host B can resume if—and only if—the genuine host B sources a frame, thereby again updating the switch’s bridging table.

(Figure 2-6 shows a switch in VLAN 5 with MAC 0000.CAFE.0000 on Fa0/1, host B on Fa0/2 and host C on Fa0/3; after C sources frames as B, the bridging-table entry for B moves from Fa0/2 to Fa0/3, and C sees the traffic destined to B.)

Not Just Theory

Consider Example 2-6. A switch (6K-4-S2) has just been MAC attacked. Its bridging table is full. The switch has a routed interface in VLAN 20. Pings to 10.20.20.1 (a remote router) are successful. The Address Resolution Protocol (ARP) table reveals that the MAC address associated to 10.20.20.1 is 0000.0020.0000. However, no entry for that address exists in the bridging table! This means that all traffic destined to 0000.0020.0000 is flooded to all ports that are members of VLAN 20.

If the host who started the MAC flooding attack now runs a packet analyzer, the contents of a conversation between 6K-4-S2 (10.20.20.2) and a remote host (10.20.20.1) can be intercepted as shown in Example 2-7.

Example 2-6 Revealing the Effects of a MAC Spoofing Attack

6K-4-S2# show mac-address-table count
MAC Entries for all vlans :
Dynamic Address Count: 131028
Static Address (User-defined) Count: 27
Total MAC Addresses In Use: 131055
Total MAC Addresses Available: 131072
6K-4-S2# ping 10.20.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
6K-4-S2# show ip arp 10.20.20.1
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.20.20.1 4 0000.0020.0000 ARPA Vlan20
6K-4-S2# show mac-add address 0000.0020.0000
Legend: * - primary entry
vlan mac address type learn ports
------+----------------+--------+-----+--------------------------
No entries present.
6K-4-S2#

Example 2-7 Intercepting a Remote Conversation

[root@linux-p4-linksys root]# ifconfig eth1 | grep inet
inet addr:10.21.21.100 Bcast:10.21.21.255 Mask:255.255.255.0
inet6 addr: fe80::200:caff:fefe:0/64 Scope:Link
[root@linux-p4-linksys root]# tcpdump -i eth1 tcp port 23 -vne
tcpdump: listening on eth1
21:17:03.056077 0:0:65:4:0:0 0:0:0:20:0:0 ip 60: 10.20.20.2.48643 > 10.20.20.1.telnet: S [tcp sum ok] 3116159553:3116159553(0) win 4128 [tos 0xc0] (ttl 255, id 0, len 44)
21:17:03.057055 0:0:65:4:0:0 0:0:0:20:0:0 ip 60: 10.20.20.2.48643 > 10.20.20.1.telnet: . [tcp sum ok] ack 321387993 win 4128 [tos 0xc0] (ttl 255, id 1, len 40)
21:17:03.057232 0:0:65:4:0:0 0:0:0:20:0:0 ip 72: 10.20.20.2.48643 > 10.20.20.1.telnet: P [tcp sum ok] 0:18(18) ack 1 win 4128 [telnet DO SUPPRESS GO AHEAD, WILL TERMINAL TYPE, WILL SEND LOCATION, WILL TSPEED, WILL NAWS, WILL LFLOW] [tos 0xc0] (ttl 255, id 2, len 58)
[etc.]

Even though the host has nothing to do with 10.20.20.x, it can see all traffic between 10.20.20.1 and .2 thanks to the MAC flooding attack.

Exploiting the Bridging Table: MAC Flooding Attacks

Virtually all LAN switches on the market come with a finite-size bridging table. Because each entry occupies a certain amount of memory, it is virtually impossible to design a switch with infinite capacity. This information is crucial to a LAN hacker. High-end LAN switches can store hundreds of thousands of entries, while entry-level products peak at a few hundred. Table 2-1 recaps the actual table sizes for various Cisco LAN switches.

Table 2-1 Cisco Switches’ Bridging Table Capacities

Switch Model                       Number of Bridge-Table Entries
Cisco Catalyst Express 500         8000
Cisco Catalyst 2948G               16,000
Cisco Catalyst 2940/50/55/60/70    Up to 8000
Cisco Catalyst 3500XL              8192
Cisco Catalyst 3550/60             Up to 12,000 (depending on the model)
Cisco Catalyst 3750/3750M          12,000
Cisco Catalyst 4500                32,768
Cisco Catalyst 4948                55,000
Cisco Catalyst 6500/7600           Up to 131,072 (more if distributed feature cards are installed)

(Figure residue, uncaptioned on this page: a switch with MAC 0000.CAFE.0000 on Fa0/1, host B on Fa0/2 and host C on Fa0/3 in VLAN 5; with the bridging table populated, unicast traffic CAFE->B is delivered only to Fa0/2, and host C does not see traffic to B.)

Forcing an Excessive Flooding Condition

If a switch does not have an entry pointing to a destination MAC address, it floods the frame. What happens when a switch does not have room to store a new MAC address? And what happens if an entry that was there 2 seconds ago was just overwritten by another entry? These questions are probably what Ian Vitek must have asked himself back in 1999 when he wrote a little tool called macof (later ported to C by Dug Song).2 How switches behave when their bridging table is full depends on the vendor.

Most Cisco switches do not overwrite an existing entry in favor of a more recent one; however, after an existing entry ages out, a new one replaces it. Other switches operate in a circular-buffer fashion when approaching full bridging-table capacity. This means that a new entry (MAC address Z, for example) simply overwrites an existing older entry (MAC address B, for example). Traffic destined to MAC address B now gets flooded out by all the ports that are members of the sender’s VLAN. If a hacker constantly maintains a full bridging table, he can effectively transform the switch into a hub, which makes it possible for anyone off any port to collect all traffic exchanged in the port’s VLAN, including one-to-one unicast conversations, as Figures 2-4 and 2-5 show.

Figure 2-4 Existing Entries Are Overwritten

Figure 2-4 shows a hypothetical LAN switch with room to store two MAC addresses in its bridging table. Although this switch certainly fits into the “ridiculously under-engineered piece of equipment” category, it serves our illustration purposes well.

(Figure 2-4 shows the two-entry bridging table, initially holding 0000.CAFE.0000 on Fa0/1 and B on Fa0/2 in VLAN 5; host C on Fa0/3 runs macof, and both entries are overwritten by X and Y, each learned on Fa0/3.)

Host C starts running macof. The tool sends Ethernet frames to random destinations, each time modifying the source MAC address. When the first frame with source MAC address X arrives on port Fa0/3, it overwrites the 00:00:CAFE:00:00 entry. When the second frame arrives (source MAC Y), it overwrites the entry pointing to B. At this point in time, all communication between 00:00:CAFE:00:00 and B becomes visible to host C because of the flooding condition that macof created. Figure 2-5 illustrates this situation.
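The two replacement policies just described, replayed against the two-entry switch of Figure 2-4, as an added example (this is illustrative code, not code from the book or from macof; the class and function names, the port list and the 300-second aging time are its own assumptions):

```python
"""Replay Figure 2-4 against two bridging-table replacement policies.

Added example; it is not code from the book, from Cisco or from macof.
It models a learning bridge whose table has room for just two entries and
drives it with the frame sequence of Figure 2-4: 0000.CAFE.0000 (Fa0/1)
and B (Fa0/2) are learned first, then the macof host on Fa0/3 sends frames
with source MACs X and Y. Two policies from the text are compared: "hold",
where a full table refuses new entries until an old one ages out (the
behaviour the text attributes to most Cisco switches), and "circular",
where the newest source MAC evicts the oldest entry. Class, function and
port names are this example's own; the aging time is an assumption.
"""
from collections import OrderedDict

PORTS = ["Fa0/1", "Fa0/2", "Fa0/3"]   # all members of VLAN 5 in the figure


class BridgeTable:
    def __init__(self, capacity, policy, ports, aging_time=300):
        self.capacity = capacity
        self.policy = policy            # "hold" or "circular"
        self.ports = ports
        self.aging_time = aging_time    # seconds; 300 is assumed here
        self.entries = OrderedDict()    # mac -> (port, last_seen), oldest entry first

    def _expire(self, now):
        stale = [mac for mac, (_, seen) in self.entries.items() if now - seen > self.aging_time]
        for mac in stale:
            del self.entries[mac]

    def learn(self, mac, port, now):
        """Learn a source MAC; return True if it ended up in the table."""
        self._expire(now)
        if mac in self.entries:                 # refresh an existing entry
            self.entries[mac] = (port, now)
            self.entries.move_to_end(mac)
            return True
        if len(self.entries) >= self.capacity:
            if self.policy == "hold":
                return False                    # table full: keep what we have until it ages out
            self.entries.popitem(last=False)    # circular buffer: evict the oldest entry
        self.entries[mac] = (port, now)
        return True

    def forward(self, dst, ingress, now):
        """Ports a frame to dst leaves on: one port if known, else flooded within the VLAN."""
        self._expire(now)
        if dst in self.entries:
            return [self.entries[dst][0]]
        return [p for p in self.ports if p != ingress]   # unknown unicast: flood


def run_figure_2_4(policy):
    """Learn CAFE and B, let macof inject X and Y from Fa0/3, then send CAFE -> B."""
    table = BridgeTable(capacity=2, policy=policy, ports=PORTS)
    table.learn("0000.CAFE.0000", "Fa0/1", now=0)
    table.learn("B", "Fa0/2", now=0)
    injected = [table.learn(mac, "Fa0/3", now=1) for mac in ("X", "Y")]
    return {
        "macof_entries_accepted": injected,
        "table": {mac: port for mac, (port, _) in table.entries.items()},
        "CAFE->B": table.forward("B", ingress="Fa0/1", now=2),
    }


def hold_policy_after_aging():
    """Even a 'hold' table gives in once the genuine entries age out without being refreshed."""
    table = BridgeTable(capacity=2, policy="hold", ports=PORTS)
    table.learn("0000.CAFE.0000", "Fa0/1", now=0)
    table.learn("B", "Fa0/2", now=0)
    refused = table.learn("X", "Fa0/3", now=1)      # table full, entry refused
    accepted = table.learn("X", "Fa0/3", now=400)   # CAFE and B have aged out
    return refused, accepted


if __name__ == "__main__":
    for policy in ("hold", "circular"):
        print(policy, run_figure_2_4(policy))
    print("hold after aging:", hold_policy_after_aging())
```

Under the "hold" policy the CAFE -> B frame still leaves only on Fa0/2; under the circular policy the table ends up holding just X and Y and the same frame is flooded to Fa0/2 and Fa0/3, which is exactly what Figure 2-5 shows. The last function is the caveat for the "hold" policy: it protects the genuine entries only until they age out.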

Figure 2-5 Forced Flooding

If a hacker continues to generate forged frames using those source addresses (or any other addresses), he will create a permanent bridge-table-full condition that forces the switch to flood all traffic. This is where things get nasty. Switches generally don't build virtualized bridging tables. A given switch can store N thousand MAC addresses in total. If a single port off a single VLAN learns N thousand addresses, flooding occurs for all VLANs! Traffic in VLAN 5 won't magically hop into VLAN 6, but all communication taking place in VLAN 6 will be visible to any eavesdropper connected to any port in VLAN 6.

What Is a Virtualized Bridging Table?

Because almost everything in engineering is a trade-off, manufacturers cannot build switches with extremely high bridging-table capacities while maintaining affordable prices. So, when a switch's bridging table claims it can store up to 32,000 entries, that number is valid for the entire switch, not on a per-VLAN basis. Therefore, if a single malicious host inside a VLAN manages to completely fill up the table, innocent bystanders in other VLANs are affected: the switch cannot store their source MAC addresses, and traffic to them is flooded within their own VLAN.

Figure 2-5 (diagram): the same switch after the attack. The bridging table now holds only X (VLAN 5, Fa0/3) and Y (VLAN 5, Fa0/3). A frame CAFE->B entering on Fa0/1 finds no entry for B and is flooded to every other port in the VLAN, so host C on Fa0/3 sees the traffic to B.

30 Chapter 2: Defeating a Learning Bridge's Forwarding Process

Introducing the macof Tool

Today, various tools can perform MAC flooding attacks. These tools include Ettercap3, Yersinia4, THC Parasite5, and macof. Macof is powerful and extremely simple to use. Example 2-1 presents its manual page.

Example 2-1 Macof Manual Page

MACOF(8)                                                   MACOF(8)

NAME
       macof - flood a switched LAN with random MAC addresses

SYNOPSIS
       macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport]
             [-y dport] [-n times]

DESCRIPTION
       macof floods the local network with random MAC addresses
       (causing some switches to fail open in repeating mode,
       facilitating sniffing). A straight C port of the original
       Perl Net::RawIP macof program by Ian Vitek.

OPTIONS
       -i interface
              Specify the interface to send on.

       -s src Specify source IP address.

       -d dst Specify destination IP address.

       -e tha Specify target hardware address.

       -x sport
              Specify TCP source port.

       -y dport
              Specify TCP destination port.

       -n times
              Specify the number of packets to send.

       Values for any options left unspecified will be generated
       randomly.

SEE ALSO
       dsniff(8)

AUTHOR
       Dug Song


Example 2-2 presents a snapshot of a Catalyst 6500's bridging table before invoking macof. Only one entry is off port Gi1/15. Let's now start macof from the workstation connected to port Gi1/15, as shown in Example 2-3.

Example 2-4 shows the bridging table afterwards.

Only three entries appear, even though macof was asked to generate five entries. What happened? If you look at the MAC addresses that the switch learned, you see CE:56:EE:19:85:1A and 3A:50:DB:3F:E9:C2. They were indeed generated by macof. However, the

Example 2-2 Catalyst 6500 Bridging Table Before Macof Operation

6K-1-720# sh mac-address-table dynamic vlan 20
Legend: * - primary entry
        age - seconds since last seen
        n/a - not available

  vlan   mac address     type    learn     age              ports
------+----------------+--------+-----+----------+--------------------------
*   20  00ff.01ff.01ff   dynamic  Yes         45   Gi1/15
6K-1-720#

Example 2-3 Using the Macof Tool

[root@client root]# macof -i eth1 -n 5
3a:50:db:3f:e9:c2 75:83:21:6a:ca:f 0.0.0.0.30571 > 0.0.0.0.19886: S 212769628:212769628(0) win 512
db:ad:aa:2d:ac:e9 f6:fe:a7:25:4b:9a 0.0.0.0.4842 > 0.0.0.0.13175: S 1354722674:1354722674(0) win 512
2b:e:b:46:a8:50 d9:9e:bf:1f:8f:9f 0.0.0.0.32533 > 0.0.0.0.29366: S 1283833321:1283833321(0) win 512
ce:56:ee:19:85:1a 39:56:a8:38:52:de 0.0.0.0.26508 > 0.0.0.0.8634: S 886470327:886470327(0) win 512
89:63:d:a:13:87 55:9b:ef:5d:34:92 0.0.0.0.54679 > 0.0.0.0.46152: S 1851212987:1851212987(0) win 512
[root@client root]#

Example 2-4 Catalyst 6500 Bridging Table After Macof Operation

6K-1-720# sh mac-address-table dynamic vlan 20
Legend: * - primary entry
        age - seconds since last seen
        n/a - not available

  vlan   mac address     type    learn     age              ports
------+----------------+--------+-----+----------+--------------------------
*   20  ce56.ee19.851a   dynamic  Yes         70   Gi1/15
*   20  00ff.01ff.01ff   dynamic  Yes         70   Gi1/15
*   20  3a50.db3f.e9c2   dynamic  Yes         70   Gi1/15
6K-1-720#


tool also generated traffic from MAC addresses 2b:e:b:46:a8:50 (that is, 2B:0E:0B:46:A8:50; macof prints octets without leading zeros), DB:AD:AA:2D:AC:E9, and 89:63:d:a:13:87 (89:63:0D:0A:13:87). Actually, it is no accident that the switch did not learn those addresses. They all have something in common. Table 2-2 shows their far-left octets.

Look at the low-order (far-right) bit of that first octet in each address. It is set to 1. This is the group (I/G) bit, and an address with it set is a group address, which is normally used only as a destination by multicast traffic (broadcast, FF:FF:FF:FF:FF:FF, is the special case with every bit set). The two addresses the switch did learn, starting with CE (1100 1110) and 3A (0011 1010), have that bit clear.
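Checking the group bit over macof's own output, as an added example that is not part of the book, of Cisco's software or of macof (the five lines printed in Example 2-3 are the sample input; the function names are the example's own):

```python
"""Which of macof's source MACs should a standards-conforming switch learn?

Added example; not code from the book, from Cisco or from macof. The five
lines macof printed in Example 2-3 are embedded below as sample input. For
each frame the source MAC is parsed, the group (I/G) bit, the low-order bit
of the first octet, is tested, and the address is predicted as learnable or
not; IEEE 802.3 says a station address shall not have that bit set. The
prediction is then compared with the entries the Catalyst 6500 actually
learned in Example 2-4. Function names are this example's own.
"""

# Output of "macof -i eth1 -n 5" from Example 2-3 (the source MAC is the first field).
MACOF_OUTPUT = """\
3a:50:db:3f:e9:c2 75:83:21:6a:ca:f 0.0.0.0.30571 > 0.0.0.0.19886: S 212769628:212769628(0) win 512
db:ad:aa:2d:ac:e9 f6:fe:a7:25:4b:9a 0.0.0.0.4842 > 0.0.0.0.13175: S 1354722674:1354722674(0) win 512
2b:e:b:46:a8:50 d9:9e:bf:1f:8f:9f 0.0.0.0.32533 > 0.0.0.0.29366: S 1283833321:1283833321(0) win 512
ce:56:ee:19:85:1a 39:56:a8:38:52:de 0.0.0.0.26508 > 0.0.0.0.8634: S 886470327:886470327(0) win 512
89:63:d:a:13:87 55:9b:ef:5d:34:92 0.0.0.0.54679 > 0.0.0.0.46152: S 1851212987:1851212987(0) win 512
"""

# New entries in "show mac-address-table dynamic vlan 20" after the run (Example 2-4).
LEARNED_BY_CATALYST = {"ce56.ee19.851a", "3a50.db3f.e9c2"}


def parse_mac(text):
    """Accept 'a:bb:c:...' as macof prints it (no zero padding) or Cisco 'aabb.ccdd.eeff'."""
    if "." in text:
        digits = text.replace(".", "")
        if len(digits) != 12:
            raise ValueError(f"not a MAC address: {text!r}")
        return bytes.fromhex(digits)
    octets = text.split(":")
    if len(octets) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(o, 16) for o in octets)


def cisco_format(mac):
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def classify(mac):
    first = mac[0]
    return {
        "first_octet_bits": f"{first:08b}",   # the column Table 2-2 shows
        "group": bool(first & 0x01),          # I/G bit: legal in destinations only
        "local": bool(first & 0x02),          # U/L bit: locally administered address
    }


def should_learn_as_source(mac):
    """A conforming bridge ignores source MACs with the group bit set, and the null address."""
    return not (mac[0] & 0x01) and mac != bytes(6)


def analyze_macof_run(output=MACOF_OUTPUT):
    verdicts = {}
    for line in output.splitlines():
        mac = parse_mac(line.split()[0])
        verdicts[cisco_format(mac)] = {**classify(mac), "learnable": should_learn_as_source(mac)}
    return verdicts


def predicted_learned(output=MACOF_OUTPUT):
    return {mac for mac, info in analyze_macof_run(output).items() if info["learnable"]}


if __name__ == "__main__":
    for mac, info in analyze_macof_run().items():
        print(mac, info)
    print("matches Example 2-4:", predicted_learned() == LEARNED_BY_CATALYST)
```

The prediction reproduces Example 2-4 exactly: only the two addresses whose first octet has the group bit clear are learnable. The same check is what you would run against a packet capture from a port under attack to tell whether your own switch is one of those that learns group addresses as sources.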

What Is Multicast?

Multicast is a technique used for one-to-many or many-to-many communication. By using multicast, a source can reach an arbitrary number of interested recipients, who subscribe to the group (a special Class D IP address) it is sending to. The beauty of multicast is that, from the source's perspective, it sends only a single frame. The network replicates that single frame into as many copies as necessary, at the points where the path toward the recipients branches, depending on the number of recipients. On Ethernet, multicast frames are identified by a special group bit being set to 1. It is the low-order bit of the high-order byte of the destination address, the first byte sent on the wire.

Switches should not learn source addresses whose group bit is set. The group bit is expected only in a destination MAC address. The IEEE 802.3-2002 specification is clear on this topic:

“5.2.2.1.29 aReadWriteMACAddress

ATTRIBUTE

APPROPRIATE SYNTAX:

MACAddress

BEHAVIOUR DEFINED AS:

Read the MAC station address or change the MAC station address to the one supplied (RecognizeAddress function). Note that the supplied station address shall not have the group bit set and shall not be the null address.”6

If your LAN switch learns such frames, consider having a conversation with the switch's vendor. That being said, macof is basically a brute-force tool and, as such, it does not embarrass itself by following official IEEE standards. It generates both legitimate and illegitimate

Table 2-2 High-Order Octets of Source MAC Addresses

Far-Left/High-Order Octet   Value in Binary
2B                          0010 1011
DB                          1101 1011
89                          1000 1001


source MAC addresses. As a matter of fact, some switches are known to learn such addresses! Regardless, a hacker is probably not going to start macof to generate just five MAC addresses. The strength of the tool is the sheer speed at which it can produce an impressive number of random addresses and source traffic from them, as Example 2-5 shows.

In a matter of seconds (between 7 and 8, in this case), more than 50,000 MAC addresses are injected on a port using a regular Intel Pentium 4-based PC running Linux. The command used is macof -i eth1. In less than 10 seconds, the entire bridging table is exhausted, and flooding becomes inevitable. When targeting a Catalyst 6500 equipped with a Supervisor Engine 720 running Cisco IOS Software Release 12.2(18)SXF1, the following syslog message appears when the table is full:

Dec 23 21:04:56.141: %MCAST-SP-6-L2_HASH_BUCKET_COLLISION: Failure installing
(G,C)->index: (0100.5e77.3b74,20)->0xEC6 Protocol :0 Error:3

The message indicates that there just isn't any room left in the table to insert a single MAC address; here the entry that could not be installed was a multicast group entry for VLAN 20, which shares the same Layer 2 table. Naturally, a hacker does not need to see that message to determine whether the attack succeeded.

Example 2-5 Filling Up the Bridging Table During a Macof Attack

6K-1-720# clear mac-address dynamic
MAC entries cleared.
6K-1-720# show mac-address count
MAC Entries for all vlans :
Dynamic Address Count: 37
Static Address (User-defined) Count: 494
Total MAC Addresses In Use: 531
Total MAC Addresses Available: 65536
6K-1-720# show clock
21:59:12.121 CST Fri Dec 23 2006
6K-1-720# show mac-address-table count
MAC Entries for all vlans :
Dynamic Address Count: 58224
Static Address (User-defined) Count: 503
Total MAC Addresses In Use: 58727
Total MAC Addresses Available: 65536
6K-1-720# show clock
21:59:20.025 CST Fri Dec 23 2006
6K-1-720#
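Turning the two snapshots of Example 2-5 and the syslog line quoted above into a detection check, as an added example (this is not code from the book, from Cisco or from macof; the learning-rate and utilisation thresholds are assumptions, the function names are the example's own, and the regular expressions are written against the exact output formats shown on the page):

```python
"""Spot a MAC flooding attack from two MAC-count snapshots and syslog.

Added example; not code from the book, from Cisco or from macof. The two
"show mac-address-table count" / "show clock" snapshots from Example 2-5
and the L2_HASH_BUCKET_COLLISION syslog line quoted in the text are embedded
as sample input. From the snapshots it derives the dynamic-MAC learning rate
and table utilisation; the syslog line is matched as a table-full signal.
The RATE_ALERT and UTIL_ALERT thresholds and the function names are this
example's own; the regexes follow the exact output formats shown on the page.
"""
import re
from datetime import datetime

SNAPSHOT_BEFORE = """\
6K-1-720# show mac-address count
MAC Entries for all vlans :
Dynamic Address Count: 37
Static Address (User-defined) Count: 494
Total MAC Addresses In Use: 531
Total MAC Addresses Available: 65536
6K-1-720# show clock
21:59:12.121 CST Fri Dec 23 2006
"""

SNAPSHOT_AFTER = """\
6K-1-720# show mac-address-table count
MAC Entries for all vlans :
Dynamic Address Count: 58224
Static Address (User-defined) Count: 503
Total MAC Addresses In Use: 58727
Total MAC Addresses Available: 65536
6K-1-720# show clock
21:59:20.025 CST Fri Dec 23 2006
"""

SYSLOG_LINE = ("Dec 23 21:04:56.141: %MCAST-SP-6-L2_HASH_BUCKET_COLLISION: Failure installing "
               "(G,C)->index: (0100.5e77.3b74,20)->0xEC6 Protocol :0 Error:3")

COUNT_RE = re.compile(
    r"^(Dynamic Address Count|Total MAC Addresses In Use|Total MAC Addresses Available):\s*(\d+)",
    re.MULTILINE)
CLOCK_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{3}) \S+ \w{3} (\w{3} \d{1,2} \d{4})$", re.MULTILINE)
COLLISION_RE = re.compile(
    r"%MCAST-SP-\d-L2_HASH_BUCKET_COLLISION: Failure installing \(G,C\)->index: "
    r"\(([0-9a-f.]+),(\d+)\)->0x[0-9A-Fa-f]+")

RATE_ALERT = 500.0      # new dynamic MACs per second; an assumed threshold for this example
UTIL_ALERT = 0.9        # fraction of the table in use; also an assumption


def parse_snapshot(text):
    """Pull the counters and the 'show clock' timestamp out of one CLI snapshot."""
    counts = {name: int(value) for name, value in COUNT_RE.findall(text)}
    clock = CLOCK_RE.search(text)
    when = datetime.strptime(f"{clock.group(2)} {clock.group(1)}", "%b %d %Y %H:%M:%S.%f")
    return {"dynamic": counts["Dynamic Address Count"],
            "in_use": counts["Total MAC Addresses In Use"],
            "capacity": counts["Total MAC Addresses Available"],
            "time": when}


def learning_rate(before, after):
    """Dynamic entries gained per second between the two snapshots."""
    elapsed = (after["time"] - before["time"]).total_seconds()
    return (after["dynamic"] - before["dynamic"]) / elapsed


def table_full_events(syslog_lines):
    """(group, vlan) pairs from L2_HASH_BUCKET_COLLISION messages, the symptom the text quotes."""
    found = []
    for line in syslog_lines:
        m = COLLISION_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def assess(before_text, after_text, syslog_lines=()):
    before, after = parse_snapshot(before_text), parse_snapshot(after_text)
    rate = learning_rate(before, after)
    utilisation = after["in_use"] / after["capacity"]
    events = table_full_events(syslog_lines)
    return {"rate_per_s": round(rate, 1),
            "utilisation": round(utilisation, 3),
            "table_full_events": events,
            "flooding_suspected": rate > RATE_ALERT or utilisation > UTIL_ALERT or bool(events)}


if __name__ == "__main__":
    print(assess(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, [SYSLOG_LINE]))
```

On the page's own numbers the switch learned 58,187 dynamic entries in 7.904 seconds, roughly 7,360 new MAC addresses per second, and ended at about 90 percent of its 65,536-entry capacity; any one of the three signals is enough to flag the port, and the learning rate alone fires long before the table is actually full.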


NOTE Smart hackers are unlikely to carry out MAC flooding attacks for extended periods of time, usually just long enough to gather a list of genuine IP/MAC addresses on a given VLAN or a few clear-text login credentials. However, not all switches react the same way to MAC flooding attacks, particularly when faced with high-volume attacks. Indeed, some switches perform MAC learning using specific hardware, while others delegate this task to a software process. The latter are more likely to suffer from the attack: the learning process competes for the switch's CPU, so a high-volume flood can degrade the switch itself, not just its bridging table.