Monday, August 26, 2013

VTP domain Enterprise Client/Server

Vlan domain design (STP, VTP, GUARD) security

Here we have a typical (single point of failure) Enterprise Campus network design spread across two sites. The distribution layer is missing, presumably because of budget cuts, so this design collapses into Core and Access layers serving the users. The Core/Access topology consists of the following elements:
  • Two buildings, two sites
  • Two Core switches, Layer 3 capable
  • Two PBX servers (not configured, only an IP address assigned for the simulation)
  • Several Layer 2 access switches
  • User workstations and VoIP terminals
This scenario has been designed around a VTP domain that spans both sites. All the Layer 3 and Layer 2 switches are joined in a single domain: the two Layer 3 core switches play the role of VTP servers, while the other C2960 switches are configured as VTP clients. I am using Packet Tracer to simulate this.
Now let's look at some of the configuration scripts to elaborate on them further.

Core switch allocated in SITE 2:

hostname L3SW1
ip dhcp excluded-address 172.16.1.1
ip dhcp excluded-address 192.168.100.1
!
ip dhcp pool VOICE_1
 network 172.16.1.0 255.255.255.0
 default-router 172.16.1.1
 option 150 ip 172.16.1.1
ip dhcp pool DATA_VLAN_1
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.1
ip routing
!
spanning-tree mode rapid-pvst
spanning-tree vlan 100,200-201,300-301,500,999 priority 24576
spanning-tree vlan 1,101,202,350 priority 28672
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface FastEthernet0/1
 switchport trunk native vlan 200
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/2
 switchport trunk native vlan 200
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree guard root
!
interface FastEthernet0/3
 switchport trunk native vlan 200
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree guard root
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 description VOICE_VLAN_1
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan200
 no ip address
!
interface Vlan201
 description DATA_VLAN_1
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan300
 ip address 100.100.100.1 255.255.255.0
!
interface Vlan301
 ip address 200.200.200.1 255.255.255.0
!
interface Vlan500
 description MGMT_VLAN
 ip address 10.10.10.1 255.255.255.0
!
router eigrp 10
 network 10.10.10.0 0.0.0.255
 network 172.16.1.0 0.0.0.255
 network 192.168.100.0
 no auto-summary

Core switch allocated in SITE 1:

hostname L3SW2
!
ip dhcp pool VOICE_2
 network 17.19.1.0 255.255.255.0
 default-router 17.19.1.1
 option 150 ip 17.19.1.1
ip dhcp pool DATA_VL_2
 network 192.168.200.0 255.255.255.0
 default-router 192.168.200.1
ip routing
!
spanning-tree mode rapid-pvst
spanning-tree vlan 1,101,202,350 priority 24576
spanning-tree vlan 201 priority 28672
!
interface Loopback0
 ip address 10.0.0.2 255.255.255.255
!
interface FastEthernet0/1
 switchport trunk native vlan 200
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/2
 switchport trunk native vlan 200
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree guard root
!
interface FastEthernet0/3
 switchport trunk native vlan 200
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree guard root
!
interface FastEthernet0/4
 switchport trunk native vlan 200
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan101
 description VOICE_VLAN_2
 ip address 17.19.1.1 255.255.255.0
!
interface Vlan202
 description DATA_VLAN_2
 ip address 192.168.200.1 255.255.255.0
!
interface Vlan350
 description MARK_VL1_###
 ip address 201.200.201.1 255.255.255.0
!
interface Vlan500
 description MGMT_VLAN
 ip address 10.10.10.2 255.255.255.0
!
router eigrp 10
 network 10.10.10.0 0.0.0.255
 network 192.168.200.0
 network 17.19.1.0 0.0.0.255
 network 201.200.201.0
 no auto-summary

In the working config scripts above we can see that I have chosen the Cisco-proprietary EIGRP routing protocol to advertise subnets between the sites. The links between the core and access switches are configured as 802.1Q trunks with a dedicated native VLAN; VLAN 200 is chosen for this purpose.
On both VTP server switches we have voice and data VLANs configured. VLANs 100 and 201 are used on the site 2 access switches, and on site 1 VLANs 101 and 202 carry the voice and data traffic. VLAN 500 is configured for management of the equipment. I have implemented Rapid Per-VLAN Spanning Tree (rapid-pvst) for faster recovery and better convergence time. A show output will elaborate on how many VLANs are configured.

L3SW1#sh spanning-tree summary 
Switch is in rapid-pvst mode
Root bridge for: VOICE_1 DATA_1 DATA_VLAN_1 SRV_VL_1 MARK_VL_1 MGMT VLAN0999
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
EtherChannel misconfig guard is disabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     0         0        0          3          3
VLAN0100                     0         0        0          3          3
VLAN0101                     0         0        0          3          3
VLAN0200                     0         0        0          3          3
VLAN0201                     0         0        0          3          3
VLAN0202                     0         0        0          3          3
VLAN0300                     0         0        0          3          3
VLAN0301                     0         0        0          3          3
VLAN0350                     0         0        0          3          3
VLAN0500                     0         0        0          3          3
VLAN0999                     0         0        0          3          3

---------------------- -------- --------- -------- ---------- ----------
11 vlans                     0         0        0         33         33

From this output we can see that the L3 switch L3SW1 is the root bridge for the VLANs I have chosen. This is done with the following command: L3SW1(config)#spanning-tree vlan 999 root primary. The idea is for the VLANs of a site to have as their root bridge the Layer 3 switch in that same site. This way we avoid flooding unnecessary STP BPDUs over the trunk link between the core switches.
The DHCP pools are configured for the data and voice VLANs, so we can see the bindings of the end stations in the DHCP database residing on the L3 switch in SITE 2.

L3SW1#sh ip dhcp binding 
IP address       Client-ID/              Lease expiration        Type
                 Hardware address
172.16.1.2       000A.F393.9CA5           --                     Automatic
192.168.100.2    0050.0F92.BBD2           --                     Automatic
192.168.100.3    0001.C794.E920           --                     Automatic

The users attached to the Layer 2 switches are getting the proper IP address from the corresponding VLAN they have been assigned to. Now we can look at the status of a VLAN and the config script on Layer 2 switch 2 (L2 switch number 2, site 2).

hostname L2SW1
!
spanning-tree mode rapid-pvst
!
interface FastEthernet0/1
 switchport trunk native vlan 200
 switchport mode trunk
!
interface FastEthernet0/2
 switchport access vlan 201
 switchport mode access
 switchport voice vlan 101
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan500
 ip address 10.10.10.51 255.255.255.0

A very simple config allows trunking with the L3 switch. The FastEthernet0/2 interface is configured as an access port, which allows the PBX server to communicate via the data VLAN, in our case VLAN 201. The output below for this data VLAN shows that the root bridge is the L3 switch, identified by its MAC address.

L2SW1#sh spanning-tree vlan 201
VLAN0201
  Spanning tree enabled protocol rstp
  Root ID    Priority    24777
             Address     0009.7C51.A730
             Cost        19
             Port        1(FastEthernet0/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32969  (priority 32768 sys-id-ext 201)
             Address     0004.9A34.59C3
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Root FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p

One more feature that I thought was missing was security protection of the root bridge. Every trunk interface of the Layer 3 switch connected to an access switch is configured with the Root Guard enhancement: spanning-tree guard root. This feature listens on the interface for superior BPDUs from the access switches and prevents the L2 switches from becoming the root bridge for a VLAN, as this is a task for the Layer 3 core switch. This may seem a bit harsh, but when you have 5000 clients on a single VLAN, if the root bridge role is taken over by an attacker, he can bring the STP mechanism and the network down in seconds.
We can see this feature in action when I create a new VLAN called 555 on the core switch. The log output on the core switch tells us that it has received superior BPDUs on the Fa0/3 interface, which is connected to the Layer 2 switch.
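The hardening choices made in this design (trunks with a dedicated native VLAN instead of VLAN 1, an explicit STP priority for every VLAN, root guard on the trunks facing access switches, and the VLAN 1 SVI shut down) can be checked mechanically against a saved config. The script below is an added example and is not part of the original post. It parses a trimmed copy of the L3SW1 config shown above plus a constructed variant in which a VLAN 555 and a fourth trunk were added without those protections; the set of access-facing ports and the expected native VLAN are assumptions the caller passes in.

```python
import re
from typing import Dict, List, Set

# Constructed sample: trimmed copy of the L3SW1 config shown in the post.
L3SW1_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree vlan 100,200-201,300-301,500,999 priority 24576
spanning-tree vlan 1,101,202,350 priority 28672
!
interface FastEthernet0/1
 switchport trunk native vlan 200
 switchport mode trunk
!
interface FastEthernet0/2
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree guard root
!
interface FastEthernet0/3
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree guard root
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan200
 no ip address
!
"""

# Constructed variant (assumption, not from the post): VLAN 555 added without a
# priority, and a new access-facing trunk left with native VLAN 1 and no root guard.
L3SW1_WITH_VLAN555 = L3SW1_CONFIG + """\
interface FastEthernet0/4
 switchport mode trunk
!
interface Vlan555
 ip address 10.55.55.1 255.255.255.0
!
"""


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '100,200-201,500' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its list of stripped sub-commands."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any top-level command ends the stanza
    return interfaces


def parse_stp_priorities(config: str) -> Dict[int, int]:
    """Collect explicit 'spanning-tree vlan <list> priority <n>' settings per VLAN."""
    priorities: Dict[int, int] = {}
    for m in re.finditer(r"^spanning-tree vlan (\S+) priority (\d+)\s*$", config, re.M):
        for vlan in expand_vlan_list(m.group(1)):
            priorities[vlan] = int(m.group(2))
    return priorities


def audit_core(config: str, access_facing: Set[str], native_vlan: int) -> List[str]:
    """Return one finding per deviation from the STP hardening used in this design."""
    findings: List[str] = []
    priorities = parse_stp_priorities(config)
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode trunk" in cmds:
            native_cmd = next((c for c in cmds if c.startswith("switchport trunk native vlan ")), None)
            native = int(native_cmd.rsplit(" ", 1)[1]) if native_cmd else 1  # IOS default is VLAN 1
            if native != native_vlan:
                findings.append(f"{name}: native VLAN is {native}, expected unused VLAN {native_vlan}")
            # Trunks toward access switches must refuse superior BPDUs (root guard).
            if name in access_facing and "spanning-tree guard root" not in cmds:
                findings.append(f"{name}: access-facing trunk without 'spanning-tree guard root'")
        elif name.startswith("Vlan"):
            vlan = int(name[4:])
            if vlan == 1 and "shutdown" not in cmds:
                findings.append("Vlan1: default VLAN SVI should be shut down")
            if vlan == native_vlan and any(c.startswith("ip address ") for c in cmds):
                findings.append(f"{name}: native VLAN SVI should carry no IP address")
            # A VLAN with no explicit priority leaves the root election to the default 32768.
            if vlan not in priorities:
                findings.append(f"{name}: no explicit STP priority, root election left to default")
    return findings


if __name__ == "__main__":
    access_ports = {"FastEthernet0/2", "FastEthernet0/3", "FastEthernet0/4"}
    for label, cfg in (("as posted", L3SW1_CONFIG), ("after VLAN 555", L3SW1_WITH_VLAN555)):
        print(label, audit_core(cfg, access_ports, 200) or ["no findings"])
```

The posted config produces no findings; the variant reports the missing root guard and default native VLAN on the new trunk and the missing priority for VLAN 555, which is exactly the condition that lets an access switch win the root election in the scenario that follows.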

L3SW1# 

%SPANTREE-2-ROOTGUARDBLOCK: Port 0/3 tried to become non-designated in VLAN 555.
Moved to root-inconsistent state

And we can see in the output of the L2 switch that it assumes it has been elected the root bridge for VLAN 555:

L2SW2# sh spanning-tree vlan 555
VLAN0555
  Spanning tree enabled protocol rstp
  Root ID    Priority    33323
             Address     0001.9759.D62E
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33323  (priority 32768 sys-id-ext 555)
             Address     0001.9759.D62E
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p

To remedy this we tell the L3 switch to be the root bridge for VLAN 555.

L3SW1(config)#spanning-tree vlan 555 root primary

With this in hand, after a couple of moments (or, in some simulation cases, after reloading the L2 switch) we can see that the root bridge is the L3 switch, as intended.

L2SW2#sh spanning-tree vlan 555
VLAN0555
  Spanning tree enabled protocol rstp
  Root ID    Priority    25131
             Address     0009.7C51.A730
             Cost        19
             Port        1(FastEthernet0/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33323  (priority 32768 sys-id-ext 555)
             Address     0001.9759.D62E
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Root FWD 19        128.1    P2p
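The two L2SW2 outputs above show what an operator should look for when validating the root bridge of a VLAN: the Root ID address must be the core switch, the access switch must not report "This bridge is the root", and the priority must decode to the 24576 base that root primary sets plus the VLAN ID as sys-id-ext (25131 = 24576 + 555, versus the default 33323 = 32768 + 555). The script below is an added example and not part of the original post; it parses both outputs as they appear above and treats the core MAC 0009.7C51.A730 from those outputs as the intended root.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Samples copied from the L2SW2 outputs in the post, before and after the core
# switch was made 'root primary' for VLAN 555 (trimmed to the Root ID / Bridge ID part).
BEFORE = """\
VLAN0555
  Spanning tree enabled protocol rstp
  Root ID    Priority    33323
             Address     0001.9759.D62E
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33323  (priority 32768 sys-id-ext 555)
             Address     0001.9759.D62E
"""

AFTER = """\
VLAN0555
  Spanning tree enabled protocol rstp
  Root ID    Priority    25131
             Address     0009.7C51.A730
             Cost        19
             Port        1(FastEthernet0/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33323  (priority 32768 sys-id-ext 555)
             Address     0001.9759.D62E
"""

# Core switch MAC taken from the post's outputs; assumed here to be the intended root.
CORE_MAC = "0009.7C51.A730"


@dataclass
class StpView:
    vlan: int
    root_priority: int
    root_address: str
    bridge_address: str
    claims_root: bool


def split_priority(priority: int) -> Tuple[int, int]:
    """Split a bridge priority into the configurable base (multiple of 4096) and the 12-bit sys-id-ext."""
    return priority & 0xF000, priority & 0x0FFF


def root_primary_priority(vlan: int) -> int:
    """Priority that 'spanning-tree vlan N root primary' yields when no lower root exists: 24576 + N."""
    return 24576 + vlan


def parse_show_stp(output: str) -> StpView:
    """Extract the fields needed for a root check from 'show spanning-tree vlan N' output."""
    vlan = int(re.search(r"^VLAN(\d+)", output, re.M).group(1))
    root_pri = int(re.search(r"Root ID\s+Priority\s+(\d+)", output).group(1))
    addrs = re.findall(r"Address\s+([0-9A-Fa-f.]+)", output)  # first is Root ID, second is Bridge ID
    return StpView(vlan, root_pri, addrs[0].lower(), addrs[1].lower(),
                   "This bridge is the root" in output)


def check_root(view: StpView, expected_root_mac: str) -> List[str]:
    """Findings when an access switch's view of the root deviates from the design."""
    problems: List[str] = []
    base, ext = split_priority(view.root_priority)
    if ext != view.vlan:
        problems.append(f"VLAN {view.vlan}: sys-id-ext {ext} does not match the VLAN")
    if view.claims_root:
        problems.append(f"VLAN {view.vlan}: this access switch believes it is the root")
    if view.root_address != expected_root_mac.lower():
        problems.append(f"VLAN {view.vlan}: root is {view.root_address}, expected core {expected_root_mac.lower()}")
    if base == 32768:
        problems.append(f"VLAN {view.vlan}: root priority base is the default 32768, no 'root primary' applied")
    return problems


if __name__ == "__main__":
    for label, output in (("before", BEFORE), ("after", AFTER)):
        view = parse_show_stp(output)
        print(label, split_priority(view.root_priority), check_root(view, CORE_MAC) or ["root as designed"])
```

Running it reports three problems for the first output (the access switch claims root, the root MAC is not the core, and the priority base is the default) and none for the second, where the root priority decodes to (24576, 555).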

For the final test we will ping the PBX server in Site 2 from a PC workstation allocated in Site 1.


From the ping output we can see that the ping was successful. After doing a traceroute we can see that the PC uses as its first hop the default gateway of VLAN 202, in which it resides. The second hop is the MGMT VLAN IP address of the L3 switch in Site 2, which knows how to reach the default gateway of the data VLAN in Site 2. With this we can confirm that everything is working fine.

Now, what is missing?
This scenario has many single points of failure. The first thing that comes to my mind is another two core switches with HSRP for redundancy.

Feel free to comment on any more features you would add.

Thanks.
