STP Operation: More Details

To understand the attacks that a hacker is likely to carry out against STP, network administrators must gain a solid understanding of STP's inner workings. The protocol builds a loop-free topology that looks like a tree. At the base of the tree is a root bridge; an election process takes place to determine which bridge becomes the root. The switch with the lowest bridge ID (a concatenation of a 16-bit user-assigned priority and the switch's MAC address) wins. The root-bridge election process begins by having every switch in the domain believe it is the root and claim it throughout the network by means of Bridge Protocol Data Units (BPDU). BPDUs are Layer 2 frames multicast to a well-known MAC address in the case of IEEE STP (01-80-C2-00-00-00) or to vendor-assigned addresses in other cases. Upon receiving a BPDU from a neighbor, a bridge compares the sender's bridge ID with its own to determine which switch has the lowest ID. Only the one with the lowest ID keeps on generating BPDUs, and the process continues until a single switch wins the root-bridge election. STP assigns roles and functions to network ports. Every nonroot bridge has one root port: it is the port that leads to the root bridge.

STP uses a path cost–based method to build its loop-free tree. Every port is configured with a port cost; most switches are capable of autoassigning costs based on link speed. A port's cost is inversely proportional to its bandwidth. Each time a port receives a BPDU, the port's path cost is added to the path cost contained in the BPDU. The root sends BPDUs with the path cost equal to 0, and the cost keeps increasing as the network diameter increases. When two BPDUs are received on a switch because of redundant links in the network, the one with the higher cost is logically disabled: it is put in blocked mode. The bridge that is responsible for forwarding packets on a given link is called the designated bridge. After a while, ranging from less than a second to just under a minute depending on the STP flavor, the network converges and a single-rooted loop-free tree is built.

Chapter 3: Attacking the Spanning Tree Protocol

Before a port transitions to forwarding, it goes through several states:

• Disabled. The port is electrically inactive and does not send or receive any traffic. Once enabled, the port transitions to the next state (blocking).

• Blocking. Discards all data frames except BPDUs.

• Listening. Switches listen to BPDUs to build the loop-free tree. Data packets are not forwarded (15 sec by default with 802.1D timers).

• Learning. Forwarding tables are built using the source MAC addresses of data frames; data frames are not forwarded.

• Forwarding. Data traffic. At this point, the port is fully operational.
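As an added example (not code from the book), the election and port-role logic just described, in Python. The bridge IDs are constructed values (MACs borrowed from Tables 3-1 and 3-2), the port costs are the 802.1D-1998 defaults, and the designated/blocked decision on a nonroot port generalizes the "higher cost is blocked" rule above with the bridge-ID tie-break.

```python
# Constructed values: MACs borrowed from Tables 3-1 and 3-2; port costs are the 802.1D-1998 defaults.
PORT_COST_BY_MBPS = {10: 100, 100: 19, 1000: 4, 10000: 2}   # cost falls as link bandwidth rises
ROOT = (8192, "00:d0:00:f6:ba:04")     # root ID of Table 3-1: priority 0x2000 + MAC
ME = (32768, "00:00:0c:a0:01:96")
OTHER = (32768, "00:d0:00:66:2c:0a")

def bridge_id_key(bid):
    """Bridge ID = 16-bit priority concatenated with the MAC; the lowest value wins."""
    prio, mac = bid
    return (prio << 48) | int(mac.replace(":", ""), 16)

def elect_root(bridge_ids):
    """Every switch starts by claiming to be root; only the lowest bridge ID keeps sending BPDUs."""
    return min(bridge_ids, key=bridge_id_key)

def port_roles(my_id, ports):
    """ports: {name: (speed_mbps, bpdu_or_None)}, a BPDU being {root_id, path_cost, bridge_id}.
    Returns (this bridge's cost to the root, {name: 'root' | 'designated' | 'blocked'})."""
    me = bridge_id_key(my_id)
    # BPDUs naming a root that is not better than this bridge are ignored: we would still claim root
    heard = {n: PORT_COST_BY_MBPS[spd] + b["path_cost"]
             for n, (spd, b) in ports.items() if b and bridge_id_key(b["root_id"]) < me}
    if not heard:
        return 0, {n: "designated" for n in ports}      # this bridge is the root: cost 0 everywhere
    root_port = min(heard, key=lambda n: (heard[n], n))  # lowest port cost + BPDU cost wins
    root_cost, roles = heard[root_port], {root_port: "root"}
    for name, (_spd, bpdu) in ports.items():
        if name == root_port:
            continue
        if bpdu is None:                                 # nobody else claims the link: we forward on it
            roles[name] = "designated"
            continue
        # Designated bridge of the link = lower advertised cost (tie: lower bridge ID);
        # the other side's port is logically disabled (blocked).
        neighbor = (bpdu["path_cost"], bridge_id_key(bpdu["bridge_id"]))
        roles[name] = "blocked" if neighbor < (root_cost, me) else "designated"
    return root_cost, roles

def demo():
    ports = {
        "Fa0/1": (100, {"root_id": ROOT, "path_cost": 0, "bridge_id": ROOT}),   # directly attached to the root
        "Fa0/2": (100, {"root_id": ROOT, "path_cost": 4, "bridge_id": OTHER}),  # OTHER has a gigabit uplink to the root
        "Fa0/3": (100, None),                                                   # host port, no BPDU heard
    }
    return elect_root([ME, OTHER, ROOT]), port_roles(ME, ports)
```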

NOTE Although this chapter paints a detailed picture of STP's inner workings, we recommend that you look at the reference material available online (note 2) if you are interested in a more detailed overview.

After the network converges, STP network-wide timers maintain its stability. (A network can be a VLAN.)

Network-Wide Timers

Several STP timers exist:

Hello. Time between each BPDU that is sent on a port. By default, this time is equal to 2 sec, but you can tune the time to be between 1 and 10 sec.

Forward delay. Time spent in the listening and learning states. By default, this time is equal to 15 sec, but you can tune the time to be between 4 and 30 sec.

Max age. Controls the maximum length of time that passes before a bridge port saves its configuration BPDU information. By default, this time is 20 sec, but you can tune the time to be between 6 and 40 sec.

Each configuration BPDU contains these three parameters. In addition, each configuration BPDU contains another time-related parameter, known as the message age. The message age is not a fixed value. The message age contains the length of time that has passed since the root bridge initially originated the BPDU. The root bridge sends all its BPDUs with a message age value of 0, and all subsequent switches add 1 to this value. Effectively, this value tells you how far you are from the root bridge when you receive a BPDU.

In 802.1D, bridges really have no idea whether their BPDUs are heard by neighboring switches. For example, the root bridge is not sure that everyone acknowledges its presence; the protocol contains no provision to ensure this. The protocol simply relies on the timers (as just explained) to assume that BPDUs are properly delivered to every bridge in the network. Table 3-1 represents an 802.1D BPDU.

In a converged network, the root bridge sends a BPDU out each port every hello interval (2 sec, by default). Every BPDU contains an age field that represents how long it has been in transit. It starts from 0 at the root and increases as the BPDU makes its way through the switched network. A maximum allowed age is defined for the network (max_age parameter, 20 sec by default). When a BPDU is received on a port, the switch extracts the age contained in the BPDU and starts running a port timer initialized with that value. For example, if the BPDU is 6 sec old, the timer starts counting from 6. Normally, the next BPDU is supposed to arrive 2 sec later, but because of various conditions (packet loss, unreliable software, excessive CPU utilization, unidirectional links, and so on), BPDUs are known to sometimes fail to show up on time. Meanwhile, the port timer runs until it reaches max_age. If it reaches max_age, the bridge starts the election process again, claiming to be the root! Ports go back to blocking/listening/learning before finally forwarding, potentially causing massive traffic blackouts.

Table 3-1 802.1D BPDU Frame Format

Field                               Value                       Explanation
Destination MAC                     01 80 c2 00 00 00           IEEE reserved BPDU MAC
Source MAC                          00 00 0c a0 01 96           Port's MAC address
LENGTH                              00 26
LLC HEADER
  Destination Service Access Point  42
  Source Service Access Point       42
  Unnumbered Information            03
PROTOCOL                            00 00
PROTOCOL VERSION                    00
BPDU TYPE                           00
BPDU FLAGS                          00
ROOT ID                             20 00 00 d0 00 f6 ba 04
PATH COST                           00 00 00 00
BRIDGE ID                           20 00 00 d0 00 f6 ba 04
PORT                                81 14
MESSAGE AGE                         00 00
MAXIMUM AGE                         14 00
HELLO TIME                          02 00
FORWARD DELAY                       0f 00

Another feature of STP is its ability to reduce the forwarding table's aging time by using a particular bit in the BPDU. Figure 3-3 shows the Flags field found in every BPDU.

Figure 3-3 BPDU Packet Capture: TC Bit

In 802.1D, the Flags field can take two values: 1000 0000 or 0000 0001. When the low-order bit is set, it indicates that the BPDU is actually a topology-change notification (TCN) BPDU. It is a lightweight BPDU whose purpose is to inform the upstream switches, all the way to the root bridge, that a connectivity event occurred on this switch. A switch sends a TCN BPDU whenever a link or port transitions up or down. Bridges located between the originator of the TCN BPDU and the root immediately acknowledge the receipt of the TCN BPDU, without being certain that the root still exists. When the TCN BPDU finally reaches the root bridge, it acknowledges this by setting the high-order bit of the Flags field (TC-ACK bit) in the BPDUs it generates. This notifies every bridge to reduce its forwarding table's aging time to forward_delay sec (15, by default). The TC bit is set for a certain period of time (max_age + forward_delay sec, or 35 sec with timers using default values). Figure 3-4 shows a scenario where this mechanism plays a crucial role in restoring network connectivity faster.

Figure 3-4 TC Bit Plays a Crucial Role

Suppose traffic flows between PC A and PC B through switches 1, 2, 3, and 4, and all forwarding tables are correctly populated, with switch 1 pointing to switch 2 to reach B. Now, the link between switches 2 and 3 fails. As a result, switch 4 takes the link to switch 1 out of blocked mode and puts it in forwarding. Traffic from A arrives on switch 1, only to be sent to switch 2. Indeed, nobody told switch 1 that it should use switch 4 to reach B. Naturally, this creates a temporary traffic "black hole." In this particular case, relying on the normal forwarding-table aging time alone is not sufficient. Thanks to the TCN/TC-ACK bits, however, switch 1's forwarding table can age out faster and soon point to the correct switch 1-to-4 link to reach B.

NOTE The rapid STP defined in 802.1w in 1999 introduces a proposal/agreement mechanism between switches, thereby significantly reducing the timer-based dependency. It also discards the information contained in the forwarding table altogether when a topology change occurs. Albeit faster than its 802.1D predecessor, 802.1w was designed with no concern for security. BPDUs are not signed or authenticated, the protocol is stateless, and an 802.1w implementation must be capable of understanding 802.1D BPDUs. Therefore, any attack launched against the 802.1D STP works on switches running 802.1w.

[Figure 3-4 diagram: two drawings of PC A and PC B connected through switches 1, 2, 3, and 4; the labels Blocking, Link Failure, and "?" mark the blocked switch 1-to-4 link, the failed link between switches 2 and 3, and switch 1's stale forwarding entry.]

Many vendors have augmented the original 802.1D and 802.1w specs to provide a per-VLAN 802.1D or 802.1w for better flexibility in network design. Cisco's own proprietary version of 802.1D and 802.1w is called per-VLAN (rapid) spanning-tree plus (PVST+). Other than a Cisco-specific destination MAC address and a Subnetwork Access Protocol (SNAP) frame header, the BPDU payload contains exactly the same information as a regular 802.1D or 802.1w BPDU, as Table 3-2 shows.

Table 3-2 Cisco PVST+ BPDU in VLAN 10

Field                             Value                       Explanation
DMAC                              01 00 0c cc cc cd           Cisco SSTP BPDU MAC
SMAC                              00 02 fc 90 08 38           Port MAC
PROTOCOL TYPE IDENTIFIER          81 00                       802.1Q Ethertype
TAG CONTROL INFO                  00 0a                       COS and VLAN ID (VLAN 10)
LENGTH                            00 32
802.2 Logical Link Control HEADER
  DSAP                            aa                          Indicates SNAP encap
  SSAP                            aa
  UI                              03
SNAP HEADER
  VENDOR ID                       00 00 0c                    Cisco Systems
  TYPE                            01 0b                       SSTP
PROTOCOL                          00 00
PROTOCOL VERSION                  00
BPDU TYPE                         00
BPDU FLAGS                        00
ROOT ID                           20 00 00 d0 00 66 2c 0a
PATH COST                         00 00 00 00
BRIDGE ID                         20 00 00 d0 00 66 2c 0a     Bridge ID in VLAN 10
PORT                              81 41
MESSAGE AGE                       00 00
MAXIMUM AGE                       14 00
ROOT HELLO TIME                   02 00
ROOT FORWARD DELAY                0f 00
VLAN ID Type Length Value
  PAD                             34
  TYPE                            00 00
  LENGTH                          00 02
  VLAN ID                         00 0a                       VLAN 10

NOTE The actual destination MAC address may vary depending on the flavor of STP you are running. For example, the address reserved by the IEEE is 01:80:C2:00:00:00. Cisco uses a MAC address of its choosing for its per-VLAN rapid spanning-tree implementation, because the standard itself does not define a per-VLAN specification.
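As an added example (not code from the book), a parser that decodes both frame layouts of Tables 3-1 and 3-2, splits the bridge IDs into priority and MAC, reads the TC/TC-ACK Flags bits, and converts the timer fields, which 802.1D carries in units of 1/256 second. The frame bytes are constructed from the table rows; the check that the 802.1Q tag and the trailing VLAN ID TLV name the same VLAN is this example's own addition.

```python
import struct

# Frames constructed byte for byte from the rows of Table 3-1 (IEEE) and Table 3-2 (PVST+, VLAN 10).
IEEE_FRAME = bytes.fromhex(
    "0180c2000000 00000ca00196 0026 424203"
    " 0000 00 00 00 200000d000f6ba04 00000000 200000d000f6ba04 8114 0000 1400 0200 0f00")
PVST_FRAME = bytes.fromhex(
    "01000ccccccd 0002fc900838 8100 000a 0032 aaaa03 00000c010b"
    " 0000 00 00 00 200000d000662c0a 00000000 200000d000662c0a 8141 0000 1400 0200 0f00"
    " 34 0000 0002 000a")
BPDU_BODY = "!HBBBH6sIH6sHHHHH"   # the 35 bytes from PROTOCOL through FORWARD DELAY

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_bpdu(frame):
    """Decode an 802.1D (LLC) or Cisco PVST+ (802.1Q + SNAP) configuration BPDU."""
    off, vlan = 12, None
    if frame[off:off + 2] == b"\x81\x00":                 # 802.1Q tag carries the PVST+ VLAN
        vlan = struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF
        off += 4
    off += 2                                              # skip LENGTH
    dsap, off = frame[off], off + 3                       # DSAP, SSAP, control byte
    if dsap == 0xAA:                                      # SNAP: must be Cisco OUI + SSTP type
        if frame[off:off + 5] != bytes.fromhex("00000c010b"):
            raise ValueError("SNAP header is not Cisco SSTP")
        off += 5
    elif dsap != 0x42:
        raise ValueError(f"unexpected LLC DSAP 0x{dsap:02x}")
    (proto, ver, btype, flags, rprio, rmac, cost, bprio, bmac,
     port, age, max_age, hello, fwd) = struct.unpack(BPDU_BODY, frame[off:off + 35])
    if proto != 0 or btype != 0:
        raise ValueError("not a configuration BPDU")
    info = {"dst": mac_str(frame[:6]), "vlan_tag": vlan, "version": ver,
            "tc": bool(flags & 0x01), "tc_ack": bool(flags & 0x80),   # low- and high-order Flags bits
            "root_id": (rprio, mac_str(rmac)), "path_cost": cost,
            "bridge_id": (bprio, mac_str(bmac)), "port_id": port,
            # timer fields are 16-bit values in units of 1/256 second
            "message_age": age / 256, "max_age": max_age / 256,
            "hello": hello / 256, "forward_delay": fwd / 256}
    if dsap == 0xAA:                                      # PVST+ trailer: PAD, TLV type, length, VLAN ID
        off += 36
        ttype, tlen = struct.unpack("!HH", frame[off:off + 4])
        info["vlan_tlv"] = int.from_bytes(frame[off + 4:off + 4 + tlen], "big")
    return info

def vlan_consistent(info):
    """PVST+ only: the 802.1Q tag and the VLAN ID TLV must name the same VLAN."""
    return info.get("vlan_tag") == info.get("vlan_tlv")
```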