Topic: Spanning Tree Protocol

Academic year: 2021


2018-2019


What you will learn

How Spanning Tree Protocol (STP) works

A glance at Rapid Spanning Tree Protocol (RSTP)

1/28

GC

2018-2019

Spanning Tree Protocol

Defined in the IEEE 802.1D standard

To prevent looping frames in bridged (switched) LANs with redundant links, STP blocks some ports from forwarding and receiving (data) frames

Only one active path exists between any pair of LAN segments

Drawbacks:

• The network does not take advantage of some links
• Some traffic travels a longer path, because a shorter path is blocked


What STP does

STP places each bridge/switch port in either a forwarding state or a blocking state

Switches can forward frames out of ports, and receive frames on ports, that are in forwarding state

Switches do not forward frames out of ports, or receive frames on ports, that are in blocking state

A port can also be in disabled state (the port is not included in the active STP topology):

• Operational state forced by the network manager
• The port has failed
• The port is connected to no device


What STP does (cont.)

If the link between SW1 and SW3 fails, STP converges so that SW3 no longer blocks its 0/27 interface

[Figure: the switched LAN with hosts H1, H2 and H3]


How STP works

STP creates a spanning tree in three phases:

Election of the root bridge

• The STP elects a single bridge, among all the bridges, to be the root of the spanning tree

• All ports of the root bridge are put in forwarding state

Selection of the root port

• Each non-root bridge selects the port (known as the root port) that gives the best path from itself to the root bridge

• The root port is put in forwarding state

Selection of the designated port

• For each LAN segment, from among the bridges attached to the segment, STP elects the one closest to the root bridge as the designated bridge

• The designated bridge’s interface attached to that segment is called the designated port and is put in forwarding state

• All the ports of the root bridge are designated ports

All other ports are placed in blocking state


Bridge Protocol Data Units (BPDUs)

Bridges exchange protocol frames, called BPDUs

BPDUs are sent to the multicast address 01-80-C2-00-00-00

Frame layout (IEEE 802.3 frame carrying an LLC PDU):

Dest. Addr.: multicast 01-80-C2-00-00-00
Source Addr.: unicast ("singlecast") address of the transmitting bridge
Length (XY in the figure)
LLC PDU: DSAP 0x42, SSAP 0x42, Control 0x03, followed by the BPDU (Configuration BPDU or Topology Change Notification BPDU)
FCS

BPDU: Bridge Protocol Data Unit; DSAP: Destination Service Access Point; SSAP: Source Service Access Point


Types and format of BPDUs

(a) Configuration BPDU (also called hello message): used to define the loop-free topology

(b) Topology Change Notification (TCN) BPDU: used by a bridge to notify the root bridge about a detected topology change

[Figure: format of the Configuration BPDU, with the fields whose values are dictated by the root bridge marked]


Types of BPDUs (cont.)

Root Bridge ID: the identifier of the bridge assumed to be the root bridge

Root Path cost: cost of the least-cost path to the root bridge from the bridge transmitting this configuration BPDU

Bridge ID: identifier of the bridge transmitting this configuration BPDU

Port ID: identifies the port from which the configuration BPDU is sent

Hello Time: the time that elapses between consecutive configuration BPDUs, generated by the root (or by a bridge that assumes itself to be the root); the default value is 2 seconds.

Maximum age: how long a bridge should wait, after beginning not to hear hellos, before trying to change the topology; the default value is 20 seconds.

Forward Delay: used to defer the transition to the forwarding state of a port that was in blocking state; the default value is 15 seconds.


Bridge identifier and port identifier

(Original) bridge priority (16 bits)

Default: 32768

Recommendation: to be modified with increments or decrements at steps of 4096 units

Bridge Identifier (or Root Bridge Identifier) = Bridge Priority | Bridge MAC Address

Port Identifier = Port priority | Port number

Port priority (1 byte)

Default: 128

Recommendation: to be modified with increments or decrements at steps of 16 units

Normally, a Port ID is written in hexadecimal. For example, 0x8015 is equivalent to 128.21 (in binary 1000000000010101), where the first byte is the port priority and the second byte is the port number
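As an added example (not part of the original slides), the Python below builds a constructed frame with the encapsulation shown on the BPDU slides (STP multicast destination, LLC DSAP/SSAP 0x42 and Control 0x03) and decodes a Configuration BPDU into the fields listed above, splitting the Bridge ID into priority and MAC address and the Port ID into priority.number exactly as in the 0x8015 = 128.21 case. The MAC addresses are constructed, and the byte layout (35-byte Configuration BPDU, timers in units of 1/256 s, TC and TCA as the low and high bit of the flags octet) is taken from IEEE 802.1D rather than from the slides.

```python
import struct

STP_MULTICAST = bytes.fromhex("0180c2000000")   # destination of every BPDU
LLC_HEADER = bytes.fromhex("424203")           # DSAP 0x42, SSAP 0x42, Control 0x03

def encode_bridge_id(priority, mac_hex):
    """Bridge ID = 2-byte priority followed by the 6-byte MAC address."""
    return struct.pack("!H6s", priority, bytes.fromhex(mac_hex))

def decode_bridge_id(raw):
    prio, mac = struct.unpack("!H6s", raw)
    return prio, ":".join(f"{b:02x}" for b in mac)

def decode_port_id(value):
    """0x8015 -> (128, 21): high byte is the port priority, low byte the port number."""
    return value >> 8, value & 0xFF

# Constructed sample (not from the slides): a Configuration BPDU sent from port 0x8015 by a
# bridge that still assumes itself to be the root, carrying the default timers. The field
# layout is the IEEE 802.1D one (35-byte Configuration BPDU, timers in 1/256 s units).
BPDU = (struct.pack("!HBBB", 0, 0, 0, 0)                          # protocol ID, version, type, flags
        + encode_bridge_id(32768, "00000c112233") + struct.pack("!I", 0)      # root ID, root path cost
        + encode_bridge_id(32768, "00000c112233") + struct.pack("!H", 0x8015)  # bridge ID, port ID
        + struct.pack("!HHHH", 0, 20 * 256, 2 * 256, 15 * 256))   # msg age, max age, hello, fwd delay
SAMPLE_FRAME = (STP_MULTICAST + bytes.fromhex("00000c112233")     # dest, source (bridge MAC)
                + struct.pack("!H", len(LLC_HEADER) + len(BPDU)) + LLC_HEADER + BPDU)

def parse_bpdu_frame(frame):
    """Check the 802.3/LLC encapsulation and decode the BPDU it carries into a dict."""
    if frame[:6] != STP_MULTICAST:
        raise ValueError("destination is not the STP multicast address")
    if frame[14:17] != LLC_HEADER:
        raise ValueError("LLC header is not DSAP/SSAP 0x42, Control 0x03")
    length = struct.unpack("!H", frame[12:14])[0]     # covers the LLC header plus the BPDU
    bpdu = frame[17:14 + length]
    _proto, _version, bpdu_type = struct.unpack("!HBB", bpdu[:4])
    if bpdu_type == 0x80:                              # TCN BPDU: only these four bytes
        return {"type": "TCN"}
    flags = bpdu[4]
    root, cost, bridge, port, msg_age, max_age, hello, fwd = struct.unpack("!8sI8sHHHHH", bpdu[5:35])
    return {"type": "Configuration",
            "tc": bool(flags & 0x01), "tca": bool(flags & 0x80),   # Topology Change / TC Ack flags
            "root": decode_bridge_id(root), "root_path_cost": cost,
            "bridge": decode_bridge_id(bridge), "port": decode_port_id(port),
            "message_age": msg_age / 256, "max_age": max_age / 256,
            "hello_time": hello / 256, "forward_delay": fwd / 256}
```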


Port cost

A cost is associated with each port of a bridge

Port costs can be configured

IEEE recommended the following values:

[Table: the original STP cost-bandwidth table]


Port cost (cont.)

The revised 802.1D has increased the path cost to a 32-bit value, providing more granularity:

[Table: the revised 802.1D cost-bandwidth table]

The port cost is added to the root path cost in a hello message received on “this” port in order to determine the cost of the path to the root through “this” port


Election of the root bridge

At the beginning of the root-election process, each bridge assumes itself to be the root and so transmits hello messages on each of its ports with its ID as root and as transmitting bridge and zero as cost

A bridge compares the root ID field in the received configuration messages with its own bridge ID

A bridge with a lower numeric value for the bridge ID is a better candidate

If a tie occurs based on priority, the MAC address is compared

If a bridge hears of a better candidate, it stops advertising itself as root and starts forwarding the hellos sent by the better bridge


Election of the root bridge (cont.)

Eventually, the root bridge will be the bridge with the lowest numeric value for the bridge ID

Only the root bridge will be generating hello messages

Before forwarding a hello message, a bridge:

• adds the cost of the port on which the hello was received to the root path cost (in the hello)
• puts its own bridge ID in the homonymous field
• puts the identifier of the port from which the hello will be forwarded in the homonymous field

The bridge priority allows the network manager to influence the choice of root bridge


Election of the root bridge (cont.)

The root election process in action:

SW1 and SW3 are advertising themselves as root

SW2 believes that SW1 is a better root candidate

SW1 will be the winner

• a tie occurs based on priority, but SW1’s MAC address is lower than SW3’s MAC address

[Figure: SW1, SW2 and SW3, with each link shown at Cost = 100]


Selection of the root port

• SW2’s best cost is seen in the hello entering its port 0/26
• SW3’s best cost is seen in the hello entering its 0/26 port

[Figure: SW1, SW2 and SW3, with each link shown at Cost = 100]

If there are alternative paths to the root, each non-root bridge receives hellos on more ports

The bridge selects its root port based on the conditions below (in the order 1-2-3-4, if a tie occurs)

(1) The port is that from which it has a minimal cost to the root bridge
(2) The BPDU received has the smallest bridge ID
(3) The BPDU received has the smallest port ID
(4) The port has the smallest port ID


Selection of the root port (cont.)

A case of ties on the conditions (1) and (2) at SW2

[Figure: SW1 (root bridge) and SW2 joined by two links, each with Cost = 100]


Selection of the designated port

For each LAN segment, the designated bridge (and, thus, the designated port) is that advertising the lowest cost hello onto the LAN segment

In case a tie occurs, the priority order above (see the conditions for the selection of the root port) is considered

When STP stabilizes, only the designated bridge advertises hellos on a LAN segment

[Figure legend: root port, designated port, port in blocking state, root bridge; symbology defined in IEEE 802.1w (see the Rapid Spanning Tree Protocol slides)]
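The three phases of the How STP works slide, with the root-port tie-break conditions (1)-(4) and the designated-port rule above, as an added worked example in Python (not from the slides). The topology is constructed: SW1, SW2 and SW3 in a triangle with port costs of 100, port numbers 26 and 27 as on the figures, and made-up MAC addresses; it computes the converged tree directly instead of exchanging hellos, and the second test below removes the SW1-SW3 link to reproduce SW3 unblocking its port 27.

```python
import heapq

# Constructed topology (not from the slides): SW1, SW2 and SW3 in a triangle, every link a
# LAN segment entered through a port of cost 100, all bridges at the default priority 32768
# (so the MAC address decides the root). Port priority is the default 128 everywhere, so the
# port number alone orders the port IDs.
BRIDGES = {"SW1": (32768, "00:00:0c:00:00:01"),   # bridge ID = (priority, MAC address)
           "SW2": (32768, "00:00:0c:00:00:02"),
           "SW3": (32768, "00:00:0c:00:00:03")}
PORTS = [("SW1", 26, "SW1-SW2", 100), ("SW2", 26, "SW1-SW2", 100),   # (bridge, port, segment, cost)
         ("SW1", 27, "SW1-SW3", 100), ("SW3", 26, "SW1-SW3", 100),
         ("SW2", 27, "SW2-SW3", 100), ("SW3", 27, "SW2-SW3", 100)]

def compute_stp(bridges, ports):
    """Return (root, {bridge: root path cost}, {(bridge, port): 'root'|'designated'|'blocking'})."""
    root = min(bridges, key=bridges.get)               # phase 1: lowest (priority, MAC) wins
    on_seg, my_ports = {}, {br: [] for br in bridges}
    for br, pno, seg, cost in ports:
        on_seg.setdefault(seg, []).append((br, pno, cost))
        my_ports[br].append((pno, seg, cost))
    # Root path cost: a hello's cost grows by the cost of the port it is received on, so the
    # least-cost path to the root is a shortest path over bridges, stepping through segments
    rpc = {br: float("inf") for br in bridges}
    rpc[root], heap = 0, [(0, root)]
    while heap:
        d, br = heapq.heappop(heap)
        if d > rpc[br]:
            continue
        for _, seg, _ in my_ports[br]:
            for nb, _, cost in on_seg[seg]:
                if nb != br and d + cost < rpc[nb]:
                    rpc[nb] = d + cost
                    heapq.heappush(heap, (d + cost, nb))
    # Phase 3: on each segment the designated port is the one advertising the lowest
    # (root path cost, bridge ID, port ID); every other port on the segment starts as blocking
    designated = {seg: min(lst, key=lambda p: (rpc[p[0]], bridges[p[0]], p[1]))
                  for seg, lst in on_seg.items()}
    states = {(br, pno): "blocking" for br, pno, _, _ in ports}
    for br, pno, _ in designated.values():
        states[(br, pno)] = "designated"
    # Phase 2: a non-root bridge's root port is the one receiving the best hello: lowest cost
    # to the root, then sender bridge ID, then sender port ID, then its own port ID (1-2-3-4)
    for br in (b for b in bridges if b != root):
        best = min(((rpc[db] + cost, bridges[db], dp, pno)
                    for pno, seg, cost in my_ports[br]
                    for db, dp, _ in [designated[seg]] if db != br), default=None)
        if best is not None:                            # None only if the bridge is disconnected
            states[(br, best[3])] = "root"
    return root, rpc, states
```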

Reacting to changes in the network

Each bridge uses the repetitive (every hello time) hearing of hellos from the root as a way to know that its path to the root is still working

The root bridge dictates the Hello time, the Max age, and the Forward delay

• All the bridges in the bridged LAN use the same values

If a bridge does not receive a hello for Max age seconds, something has failed or, in general, changed

It injects TCNs into the network in order to start the process of changing the spanning tree

• It advertises itself as root again or believes the next best claim of who should be the root

In order to avoid loops, a port that has to move from blocking state to forwarding state enters the interim listening state first

After the Forward Delay amount of time, the port state is changed to learning state

After another Forward Delay amount of time, the interface is (finally!) placed in forwarding state


Spanning Tree Intermediate States

The listening state allows each device to wait to make sure that there are no new, better hellos with a new, better root

The learning state allows the bridge to learn the new location of MAC addresses without allowing forwarding and possibly causing loops

Using the default (that is, the recommended) timers, 50 seconds (20 + 15 + 15) are required before a port can switch from blocking state to forwarding state


Topology Change Notifications

1. When a bridge notices that the topology has changed, it must inform the root

2. The bridge periodically transmits a Topology Change Notification (TCN) BPDU on its root port

It continues to do this until the parent bridge acknowledges by setting the TCA flag in its configuration BPDU

3. A bridge that receives a TCN on a designated port does two things

It performs step 2 (that is, it informs its parent …)

It sets the TCA flag in the next configuration message it transmits on the LAN from which the TCN was received

4. The root bridge, as soon as it receives a TCN message, sends a configuration message with the TC flag set.

5. A bridge that is receiving configuration messages with the TC flag set sets its ageing time to the Forward Delay value carried within them, until it starts receiving configuration messages without the TC flag set

• Bridges are forced to quickly remove invalid entries from their filtering database
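Steps 1-5 above as an added simulation in Python (not from the slides): a constructed tree of bridges is set up, a TCN climbs from the bridge that noticed the change to the root, each parent acknowledges with the TCA flag, and the TC flag in the root's configuration BPDUs shortens every bridge's filtering-database ageing time to Forward Delay until the root clears it. The bridge names and the 300-second default ageing time are assumptions; the TC-flagged BPDUs are shown as one delivery per bridge rather than hop by hop.

```python
DEFAULT_AGEING, FORWARD_DELAY = 300, 15   # seconds; 15 s is the default Forward Delay

# Constructed spanning tree (not from the slides): SW1 is the root and every other bridge is
# mapped to its parent, the bridge on the far side of its root port.
ROOT = "SW1"
PARENT = {"SW2": "SW1", "SW3": "SW2", "SW4": "SW2"}

class Bridge:
    def __init__(self, name):
        self.name = name
        self.ageing = DEFAULT_AGEING          # filtering-database ageing time in use
        self.tcn_pending = False              # still repeating a TCN, waiting for the TCA

    def receive_config(self, tc, tca):
        """Process the TC and TCA flags of a received configuration BPDU."""
        if tca:                               # parent acknowledged our TCN: stop repeating it
            self.tcn_pending = False
        # step 5: while TC is set, entries age out after Forward Delay instead of the default
        self.ageing = FORWARD_DELAY if tc else DEFAULT_AGEING

def topology_change(origin, bridges, trace):
    """Steps 1-4: carry a change noticed at `origin` up to the root, recording each message."""
    br = origin
    while br != ROOT:
        parent = PARENT[br]
        bridges[br].tcn_pending = True
        trace.append((br, parent, "TCN"))                 # step 2: TCN out of the root port
        trace.append((parent, br, "Config TCA=1"))        # step 3: parent acknowledges ...
        bridges[br].receive_config(tc=False, tca=True)
        br = parent                                       # ... and repeats step 2 upward
    for name, b in bridges.items():                       # step 4: the root sets TC in its
        if name != ROOT:                                  # configuration BPDUs, which the
            trace.append((ROOT, name, "Config TC=1"))     # designated ports relay down the tree
            b.receive_config(tc=True, tca=False)

def simulate(origin):
    """Run one topology change; return the trace, the ageing times while TC is set, the
    ageing times after the root stops setting TC, and the bridges still awaiting a TCA."""
    bridges = {n: Bridge(n) for n in [ROOT, *PARENT]}
    trace = []
    topology_change(origin, bridges, trace)
    during = {n: b.ageing for n, b in bridges.items() if n != ROOT}
    for n, b in bridges.items():
        if n != ROOT:
            b.receive_config(tc=False, tca=False)
    after = {n: b.ageing for n, b in bridges.items() if n != ROOT}
    pending = [n for n, b in bridges.items() if b.tcn_pending]
    return trace, during, after, pending
```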


How to avoid STP convergence time

The best way to lower STP’s default 50-second convergence time is to avoid convergence altogether

The IEEE 802.1AX standard allows several parallel Ethernet links to be combined, bundled in a single logical link (more network bandwidth and more availability)

Link Aggregation Control Protocol (LACP)

STP treats the aggregated links as a single link

• If at least one of the links is UP, STP convergence does not have to occur

Only full-duplex point-to-point links, operating at the same data rate, can be bundled

[Figure: two Ethernet stations joined by a bundle of parallel links]

Rapid Spanning Tree Protocol

RSTP (IEEE 802.1w) works just like STP in several ways:

It elects the root switch using the same parameters and tiebreakers

It elects the root port on non-root switches with the same rules

It elects a designated switch on each LAN segment with the same rules

It places each port in either forwarding or blocking state (RSTP calls the blocking state “discarding” instead of “blocking”)


Rapid Spanning Tree (cont.)

Discarding means that the port does not forward frames, process received frames, or learn MAC addresses, but it listens for BPDUs

• it acts just like the STP blocking state

RSTP uses an interim learning state, which works just like the STP learning state, but for only a short time

Some mechanisms aiming at reducing convergence time have been defined. For example,

RSTP designates ports that receive suboptimal BPDUs as alternate ports

• If a non-root switch (e.g., SW3 in the figure) stops getting hellos from the root switch, RSTP on that switch chooses the best alternate port as the new root port

RSTP immediately places the ports related to edges in forwarding state when the links are active

[Figure: root switch, SW3 and the edge links]

Rapid Spanning Tree (cont.)

RSTP has been defined to reduce network convergence times (typically, less than 10 seconds, in some cases, as low as 1 to 2 seconds) in networks like that in the left side (case a) of the figure below, but not in networks like that on the right (case b)

[Figure: case (a) on the left, case (b) on the right]


Some STP security considerations

STP has no provisions for authentication of the BPDUs

In order to change the spanning tree, an attacker could send out hello messages with a bridge priority of zero from his PC

[Figure: root bridge, distribution-layer switches A and B, access-layer switches C and D, and a rogue switch (PC with bridging) sending a hello; legend: root port, designated port, blocking port]

Some STP security considerations (cont.)

The new spanning tree

[Figure: the new spanning tree after the rogue switch’s hellos; same legend as above]

The network manager could set the root bridge priority to zero in an effort to secure the root bridge position, but there is no

[Figure: root bridge, distribution-layer switches A and B, access-layer switches C and D, and a rogue switch (PC with bridging) sending hellos over two links; legend: root port, designated port, blocking port]

Some STP security considerations (cont.)

In the figure, the attacker has established two links to two different access switches

The attacker tries to change the spanning tree by sending out BPDUs with a bridge priority of zero from his PC


Some STP security considerations (cont.)

Consider the new spanning tree in the figure: all traffic between the access switches C and D flows through the attacker’s PC

The attacker can sniff traffic, act as a man-in-the-middle, or create a DoS condition (making his links much slower than the other links)

Attack mitigation

Disabling STP in all cases in which there are no loops

(Better!) Filtering which ports are allowed to participate in the STP process. For example, on Cisco devices two principal options are available:

• BPDU Guard disables any port configured with the “PortFast” option that receives a BPDU

The PortFast option causes a switch port (generally, a user port) to enter the forwarding state immediately, bypassing the listening and learning states

• Root Guard disables a port that would become an STP root port
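An added example (not from the slides) of the two options above as a port-by-port check in Python: BPDU Guard err-disables a PortFast port that receives any BPDU, Root Guard blocks a port on which a superior root claim arrives, and the plain (priority, MAC) comparison of the root election shows why setting the legitimate root's priority to zero only ties with a priority-zero claim, leaving the MAC address to decide. The port names, MAC addresses, action labels and the sample of received BPDUs are constructed.

```python
# Constructed port configuration and bridge IDs (not from the slides); port names illustrative.
OUR_ROOT = (32768, "00:00:0c:00:00:01")   # bridge ID (priority, MAC) of the intended root bridge
PORT_CONFIG = {
    "Fa0/1":  {"portfast": True,  "bpdu_guard": True,  "root_guard": False},  # user port
    "Gi0/2":  {"portfast": False, "bpdu_guard": False, "root_guard": True},   # toward an access switch
    "Gi0/24": {"portfast": False, "bpdu_guard": False, "root_guard": False},  # uplink toward the root
}

def root_claim_wins(claimed_root, current_root):
    """Root election compares bridge IDs numerically: priority first, then the MAC address
    (lower-case, colon-separated strings of equal length compare the same way as the bytes)."""
    return claimed_root < current_root

def check_bpdu(port, claimed_root, config=PORT_CONFIG, current_root=OUR_ROOT):
    """What the switch does with a configuration BPDU received on `port`."""
    cfg = config[port]
    if cfg["portfast"] and cfg["bpdu_guard"]:
        return "err-disable"           # BPDU Guard: no BPDU is ever expected on a PortFast port
    if cfg["root_guard"] and root_claim_wins(claimed_root, current_root):
        return "root-inconsistent"     # Root Guard: this port would otherwise become the root port
    if root_claim_wins(claimed_root, current_root):
        return "new-root-accepted"     # no guard on this port: the spanning tree would change
    return "accept"

# Constructed sample of received BPDUs: (port, advertised root priority, advertised root MAC)
RECEIVED = [("Fa0/1", 0, "00:11:22:33:44:55"),       # priority-0 claim from a PC on a user port
            ("Gi0/2", 0, "00:11:22:33:44:55"),       # the same claim relayed by an access switch
            ("Gi0/24", 32768, "00:00:0c:00:00:01"),  # the real root's hello on the uplink
            ("Gi0/24", 0, "00:11:22:33:44:55")]      # the claim reaching the unguarded uplink

def audit(received):
    """List every received BPDU that tripped a guard or would have moved the root."""
    results = [(port, check_bpdu(port, (prio, mac))) for port, prio, mac in received]
    return [r for r in results if r[1] != "accept"]
```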
