Security, networking and system integration: VTP domain Enterprise Client/Server

Vlan domain design (STP, VTP, GUARD) security

Here we have a typical (single point of failure) Enterprise Campus network design spread across two sites. We have a distribution layer missing, I think because of the budget cuts, so this design implements a Core and Access layers to the users. The hierarchy deploys Core/Access topology with following elements:

Two buildings, two sites
Two Core swtiches, Layer 3 capable
Two PBX servers (not configured , only IP address assigned for simulation)
Several access Layer 2 swithches and
User workstations and VOIP terminals

This case scenario setup has been designed to comply with a cross site VTP domain. All the switches L3 and L2 are joined in a single domain. The two layer 3 core swithces play the role of a VTP server, as the other C2960 are configured as a VTP clients. I am using Packet tracer to simulate this.

Now lets look at some configuration scripts to elaborate on them further.

Core switch allocated in SITE 2:

hostname L3SW1
ip dhcp excluded-address 172.16.1.1
ip dhcp excluded-address 192.168.100.1
!
ip dhcp pool VOICE_1
network 172.16.1.0 255.255.255.0
default-router 172.16.1.1
option 150 ip 172.16.1.1
ip dhcp pool DATA_VLAN_1
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
ip routing
!
spanning-tree mode rapid-pvst
spanning-tree vlan 100,200-201,300-301,500,999 priority 24576
spanning-tree vlan 1,101,202,350 priority 28672
!
interface Loopback0
ip address 10.0.0.1 255.255.255.255
!
interface FastEthernet0/1
switchport trunk native vlan 200
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/2
switchport trunk native vlan 200
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree guard root
!
interface FastEthernet0/3
switchport trunk native vlan 200
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree guard root
!
interface Vlan1
no ip address
shutdown
!
interface Vlan100
description VOICE_VLAN_1
ip address 172.16.1.1 255.255.255.0
!
interface Vlan200
no ip address
!
interface Vlan201
description DATA_VLAN_1
ip address 192.168.100.1 255.255.255.0
!
interface Vlan300
ip address 100.100.100.1 255.255.255.0
!
interface Vlan301
ip address 200.200.200.1 255.255.255.0
!
interface Vlan500
description MGMT_VLAN
ip address 10.10.10.1 255.255.255.0
!
router eigrp 10
network 10.10.10.0 0.0.0.255
network 172.16.1.0 0.0.0.255
network 192.168.100.0

no auto-summary

Core switch allocated in SITE 1:

hostname L3SW2

ip dhcp pool VOICE_2

network 17.19.1.0 255.255.255.0

default-router 17.19.1.1

option 150 ip 17.19.1.1

ip dhcp pool DATA_VL_2

network 192.168.200.0 255.255.255.0

default-router 192.168.200.1

ip routing

spanning-tree mode rapid-pvst

spanning-tree vlan 1,101,202,350 priority 24576

spanning-tree vlan 201 priority 28672

interface Loopback0

ip address 10.0.0.2 255.255.255.255

interface FastEthernet0/1

switchport trunk native vlan 200

switchport trunk encapsulation dot1q

switchport mode trunk

interface FastEthernet0/2

switchport trunk native vlan 200

switchport trunk encapsulation dot1q

switchport mode trunk

spanning-tree guard root

interface FastEthernet0/3

switchport trunk native vlan 200

switchport trunk encapsulation dot1q

switchport mode trunk

spanning-tree guard root

interface FastEthernet0/4

switchport trunk native vlan 200

switchport trunk encapsulation dot1q

switchport mode trunk

interface Vlan1

no ip address

shutdown

interface Vlan101

description VOICE_VLAN_2

ip address 17.19.1.1 255.255.255.0

interface Vlan202

description DATA_VLAN_2

ip address 192.168.200.1 255.255.255.0

interface Vlan350

description MARK_VL1_###

ip address 201.200.201.1 255.255.255.0

interface Vlan500

description MGMT_VLAN

ip address 10.10.10.2 255.255.255.0

router eigrp 10

network 10.10.10.0 0.0.0.255

network 192.168.200.0

network 17.19.1.0 0.0.0.255

network 201.200.201.0

no auto-summary

On the current working config scripts we can see that I have chosen the Cisco propriearity EIGRP routing protocol to advertise subnets between the SITES. The links between the core and access switches are configured as trunks with Native VLAN capability. Vlan 200 is chosen for this option.

On both sides configured on the VTP server switches we have voice and data VLANs. VLANs that are numbered 100 and 201 are used on the site 2 access switches and on the Site 1 we have VLANs 101 and 202 for voice and telephony network traffic. VLAN 500 is configured for managament purposes of the equipment. I have implemented the Rapid Per Vlan spanning tree protocol for a faster recovery and better convergence time. A show output will elaborate on how many VLANs are configured.

L3SW1#sh spanning-tree summary

Switch is in rapid-pvst mode

Root bridge for: VOICE_1 DATA_1 DATA_VLAN_1 SRV_VL_1 MARK_VL_1 MGMT VLAN0999

Extended system ID is enabled

Portfast Default is disabled

PortFast BPDU Guard Default is disabled

Portfast BPDU Filter Default is disabled

Loopguard Default is disabled

EtherChannel misconfig guard is disabled

UplinkFast is disabled

BackboneFast is disabled

Configured Pathcost method used is short

Name Blocking Listening Learning Forwarding STP Active

---------------------- -------- --------- -------- ---------- ----------

VLAN0001 0 0 0 3 3

VLAN0100 0 0 0 3 3

VLAN0101 0 0 0 3 3

VLAN0200 0 0 0 3 3

VLAN0201 0 0 0 3 3

VLAN0202 0 0 0 3 3

VLAN0300 0 0 0 3 3

VLAN0301 0 0 0 3 3

VLAN0350 0 0 0 3 3

VLAN0500 0 0 0 3 3

VLAN0999 0 0 0 3 3

---------------------- -------- --------- -------- ---------- ----------

11 vlans 0 0 0 33 33

On the current output we can see the L3 switch on the site 1 is the root bridge for the VLANs that I have chosen to be. This is done using the following command: L3SW1(config)#spanning-tree vlan 999 root primary. The idea is to keep the VLANs on the site 1 to have a root server as corresponding Layer 3 switch in the current site. This way we can stop from flooding the STP packets and unnecessary BPDUs over the trunk link between the core switches.

The DHCP pools are configured for data and voice vlan. So we can see the bindings of the end stations and the DCHP database that is residing on the L3 switch in SITE 2.

L3SW1#sh ip dhcp binding

IP address Client-ID/ Lease expiration Type

Hardware address

172.16.1.2 000A.F393.9CA5 -- Automatic

192.168.100.2 0050.0F92.BBD2 -- Automatic

192.168.100.3 0001.C794.E920 -- Automatic

The users attached to a Layer 2 swtiches are getting proper IP address from the coresponding VLAN that they have been assigned to. Now we can see on the Layer 2 , switch 2 the status of a current VLAN and the config scripts (L2 switch number 2 - site 2).

hostname L2SW1

spanning-tree mode rapid-pvst

interface FastEthernet0/1

switchport trunk native vlan 200

switchport mode trunk

interface FastEthernet0/2

switchport access vlan 201

switchport mode access

switchport voice vlan 101

interface Vlan1

no ip address

shutdown

interface Vlan500

ip address 10.10.10.51 255.255.255.0

A very simple config allows the trunking to happen with L3 switch. The FastEthernet0/2 interface is configured as an access switch. This allows the PBX server to communicate via the data VLAN in our case this is VLAN 201. To see that the root bridge server for a data vlan in this output will tell us that we are using L3 switch MAC address.

L2SW1#sh spanning-tree vlan 201

VLAN0201

Spanning tree enabled protocol rstp

Root ID Priority 24777

Address 0009.7C51.A730

Cost 19

Port 1(FastEthernet0/1)

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32969 (priority 32768 sys-id-ext 201)

Address 0004.9A34.59C3

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Aging Time 20

Interface Role Sts Cost Prio.Nbr Type

---------------- ---- --- --------- -------- --------------------------------

Fa0/1 Root FWD 19 128.1 P2p

Fa0/2 Desg FWD 19 128.2 P2p

One more feature that I thaught that is missing, was a s security protection of the Root bridge. Every trunk interface of the Layer 3 switch connected to the access switch is configured with the Root Guard enhancement - spanning-tree guard root. This feature listens on the interface for superior BPDUs from the access swithces and denies the L2 switches to become the root bridge for a VLAN, as this is a task for a Layer 3 core switch. This seems a bit of harsh, but when you have 5000 clients on a single VLAN, if the root bridge is compromised by an attacker, he can bring the STP mechanism and the network down in seconds.

We can see this feature in action when I create a new VLAN on the Core switch called 555. The debug output on the core swtich tells us the he has gotten superior BPDUs from the Fa0/3 interface, that is connected to the Layer 2 switch.

L3SW1#

%SPANTREE-2-ROOTGUARDBLOCK: Port 0/3 tried to become non-designated in VLAN 555.

Moved to root-inconsistent state

An we can see the output of the L2 switch that it assumes that he is elected the root bridge for the VLAN 555:

L2SW2# sh spanning-tree vlan 555

VLAN0555

Spanning tree enabled protocol rstp

Root ID Priority 33323

Address 0001.9759.D62E

This bridge is the root

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 33323 (priority 32768 sys-id-ext 555)

Address 0001.9759.D62E

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Aging Time 20

Interface Role Sts Cost Prio.Nbr Type

---------------- ---- --- --------- -------- --------------------------------

Fa0/1 Desg FWD 19 128.1 P2p

To remedy this we will tell the L3 switch to be the root bridge for the Vlan 555.

L3SW1(config)#spanning-tree vlan 500 root primary

With this in hand we can see after a couple of moments and, or in some simulation cases reloading the L2 switch , the root bridge is the L3 switch as supposed to.

L2SW2#sh spanning-tree vlan 555

VLAN0555

Spanning tree enabled protocol rstp

Root ID Priority 25131

Address 0009.7C51.A730

Cost 19

Port 1(FastEthernet0/1)

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 33323 (priority 32768 sys-id-ext 555)

Address 0001.9759.D62E

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Aging Time 20

Interface Role Sts Cost Prio.Nbr Type

---------------- ---- --- --------- -------- --------------------------------

Fa0/1 Root FWD 19 128.1 P2p

For the final test we will ping the PBX server from the Site 2 from a PC workstation allocated in Site 1.

From the current output we can see that the ping was successful. After doing a traceroute we can see that the PC as the first hop is using the DG of the VLAN202 that it resides on. The second hop is the MGMT vlan IP address of the L3 switch in the Site 2 , that knows how to get to the DG of the Data VLAN in the Site 2. With this seen we can comply that everything is working fine.

Now what is missing???

This scenario has many single point of failures. First thing that comes on my mind is another two core switches with the HSRP technology for redudancy.

Fell free to comment on any more features you would add.

Thanks.

Security, networking and system integration

Monday, August 26, 2013

VTP domain Enterprise Client/Server

Vlan domain design (STP, VTP, GUARD) security

No comments:

Post a Comment

Total Pageviews

Visitors