Whispers & Screams
And Other Things

Rapid Spanning Tree Protocol

The IEEE 802.1D Spanning Tree Protocol was designed to keep a switched or bridged network loop free, with adjustments made to the network topology dynamically. A topology change typically takes 30 seconds, with a port moving from the Blocking state to the Forwarding state after two intervals of the Forward Delay Timer. As technology has improved, 30 seconds has become an unbearable length of time to wait for a production network to fail over or "heal" itself during a problem.

The IEEE 802.1w standard was developed to used 802.1D's principal concepts and make the resulting convergence much faster. This is also known as the Rapid Spanning Tree Protocol (RSTP), which defines how switches must interact with each other to keep the network topology loop free, in a very efficient manner.

As with 802.1D, RSTP's basic functionality can be applied as a single instance or multiple instances. This can be done by using RSTP as the underlying mechanism for the Cisco-proprietary Per-VLAN Spanning Tree Protocol (PVST+). The resulting combination is called Rapid PVST+ (RPVST+). RSTP is also used as part of the IEEE 802.1s Multiple Spanning Tree (MST) operation. RSTP operates consistently in each, but replicating RSTP as multiple instances requires different approaches.

RSTP Port Behaviour
In 802.1D,each switch port is assigned a role and a state at any given time. Depending on the ports proximity to the Root Bridge, it takes on one of the following roles:

    • Root Port


    • Designated Port


    • Blocking Port (neither root nor designated)

Tge Cisco proprietary UplinkFast feature also reserved a hidden alternate port role for ports that offered parallel paths to the root but were in the Blocking state.

Each switch port is also assigned one of five possible states:

    • Disabled


    • Blocking


    • Listening


    • Learning


    • Forwarding

Only the forwarding state allows data to be sent and received. A ports state is somewhat tied to its role. For example, a blocking port cannot be a root port or a designated port.

RSTP achieves its rapid nature by letting each switch interact with its neighbours through each port. This interaction is performed based on a ports role, not strictly on the BPDU's that are relayed from the Root Bridge. After the role is determined, each port can be given a state that determines what it does with incoming data.

The Root Bridge in a network using RSTP is elected just as with 802.1D- by the lowest Bridge ID. After all switches agree on the identity of the root, the following port roles are determined.

    • Root Port - The one switch port on each switch that has the best root path cost to the root. This is identical to 802.1D. (By definition the root bridge has no root ports.)


    • Designated Port - The switch port on a network segment that has the best root path cost to the root.


    • Alternate Port - A port that has an alternative path to the root, different than the path the root port takes. This path is less desirable than that of the root port. (An example of this is an access-layer switch with two uplink ports; one becomes the root port, and the other is an alternate port.)


    • Backup port - A port that provides a redundant (but less desirable) connection to a segment where another switch port already connects. If that common segment is lost, the switch might or might not have a path back to the root.

RSTP defines port states only according to what the port does with incoming frames. (Naturally, if incoming frames are ignored or dropped, so are outgoing frames.) Any port role can have any of these port states:

    • Discarding - Incoming frames are simply dropped; no MAC addresses are learned. (This state combines the 802.1D Disabled, Blocking and Listening states because all three did not effectively forward anything. The Listening state is not needed because RSTP can quickly negotiate a state change without listening for BPDUs first.


    • Learning - Incoming frames are dropped but MAC addresses are learned.


    • Forwarding - Incoming frames are forwarded according to MAC addresses that have been (and are being) learned.


Continue reading
391 Hits

An examination of DHCP Snooping with option 82 on Cisco.

DHCP snooping is a DHCP feature that provides security by filtering untrusted DHCP messages from hosts or other devices on the network. DHCP snooping accomplishes this level of security by building and maintaining a DHCP snooping binding table.

An untrusted DHCP message is a DHCP message that the switch receives from outside the network or firewall or from an unauthorised DHCP server that can cause security attacks within a network. DHCP snooping is used along with the interface tracking feature, which inserts option 82 in the DHCP messages by the switch. Option 82 is the Relay Agent Information Option as described in RFC 3046.

The use of DHCP snooping extends existing security capabilities, including the capability to trust a port as a DHCP server and prevent unauthorised DHCP server responses from untrusted access ports. Another DHCP snooping supported feature is per-port DHCP message rate limiting, which is configurable in packets per second (pps) and is used to prevent DoS attacks. The DHCP snooping feature is useful in ISP networks, university campuses and Long Range Ethernet (LRE) network scenarios to prevent misconfigured or malicious DHCP servers from causing user-connectivity problems (such as giving out bogus DHCP addresses).

DHCP snooping builds a DHCP binding table that contains client IP addresses, MAC addresses, ports, VLAN numbers, leases and binding types. Switches support the enabling of the DHCP snooping feature on a per VLAN basis. With this feature the switch intercepts all DHCP messages within the layer 2 VLAN domain. With option 82 enabled, the Supervisor Engine adds the ingress module, port, VLAN and switch MAC address to the packet before forwarding the DHCP request to the DHCP server. The DHCP server can track the IP address that it assigns from the DHCP pool.

With this feature the switch restricts end-user ports (untrusted ports) to sending only DHCP requests, while all other types of DHCP traffic, such as DHCP offer responses, are dropped by the switch. DHCP snooping trusted ports are the ones connected to the known DHCP servers or uplink ports to the distribution switch that provide the path to the DHCP server. Trusted ports can send and receive any DHCP message . In this manner the switch allows only trusted DHCP serves to give out DHCP addresses via DHCP responses. Therefore this feature prevents users from setting up their own DHCP servers and providing unauthorised addresses.

In summary, DHCP snooping with option 82 provides an excellent mechanism to prevent DHCP DoS attacks or misconfigured clients from causing anomalous behaviour in the network.

Continue reading
387 Hits