Vlan domain design (STP, VTP, GUARD) security
Here we have a typical (single point of failure) Enterprise Campus network design spread across two sites. The distribution layer is missing, presumably because of budget cuts, so this design collapses to Core and Access layers serving the users. The hierarchy uses a Core/Access topology with the following elements:
- Two buildings, two sites
- Two core switches, Layer 3 capable
- Two PBX servers (not configured, only an IP address assigned for simulation)
- Several Layer 2 access switches
- User workstations and VoIP terminals
This scenario is designed around a single cross-site VTP domain: all Layer 3 and Layer 2 switches are joined to it. The two Layer 3 core switches act as VTP servers, while the other C2960 switches are configured as VTP clients. I am using Packet Tracer to simulate this.
Now let's look at the configuration scripts in more detail.
Core switch allocated in SITE 2:
hostname L3SW1
ip dhcp excluded-address 172.16.1.1
ip dhcp excluded-address 192.168.100.1
!
ip dhcp pool VOICE_1
network 172.16.1.0 255.255.255.0
default-router 172.16.1.1
option 150 ip 172.16.1.1
ip dhcp pool DATA_VLAN_1
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
ip routing
!
spanning-tree mode rapid-pvst
spanning-tree vlan 100,200-201,300-301,500,999 priority 24576
spanning-tree vlan 1,101,202,350 priority 28672
!
interface Loopback0
ip address 10.0.0.1 255.255.255.255
!
interface FastEthernet0/1
switchport trunk native vlan 200
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/2
switchport trunk native vlan 200
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree guard root
!
interface FastEthernet0/3
switchport trunk native vlan 200
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree guard root
!
interface Vlan1
no ip address
shutdown
!
interface Vlan100
description VOICE_VLAN_1
ip address 172.16.1.1 255.255.255.0
!
interface Vlan200
no ip address
!
interface Vlan201
description DATA_VLAN_1
ip address 192.168.100.1 255.255.255.0
!
interface Vlan300
ip address 100.100.100.1 255.255.255.0
!
interface Vlan301
ip address 200.200.200.1 255.255.255.0
!
interface Vlan500
description MGMT_VLAN
ip address 10.10.10.1 255.255.255.0
!
router eigrp 10
network 10.10.10.0 0.0.0.255
network 172.16.1.0 0.0.0.255
network 192.168.100.0
no auto-summary
Core switch allocated in SITE 1:
hostname L3SW2
!
ip dhcp pool VOICE_2
network 17.19.1.0 255.255.255.0
default-router 17.19.1.1
option 150 ip 17.19.1.1
ip dhcp pool DATA_VL_2
network 192.168.200.0 255.255.255.0
default-router 192.168.200.1
ip routing
!
spanning-tree mode rapid-pvst
spanning-tree vlan 1,101,202,350 priority 24576
spanning-tree vlan 201 priority 28672
!
interface Loopback0
ip address 10.0.0.2 255.255.255.255
!
interface FastEthernet0/1
switchport trunk native vlan 200
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/2
switchport trunk native vlan 200
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree guard root
!
interface FastEthernet0/3
switchport trunk native vlan 200
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree guard root
!
interface FastEthernet0/4
switchport trunk native vlan 200
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan1
no ip address
shutdown
!
interface Vlan101
description VOICE_VLAN_2
ip address 17.19.1.1 255.255.255.0
!
interface Vlan202
description DATA_VLAN_2
ip address 192.168.200.1 255.255.255.0
!
interface Vlan350
description MARK_VL1_###
ip address 201.200.201.1 255.255.255.0
!
interface Vlan500
description MGMT_VLAN
ip address 10.10.10.2 255.255.255.0
!
router eigrp 10
network 10.10.10.0 0.0.0.255
network 192.168.200.0
network 17.19.1.0 0.0.0.255
network 201.200.201.0
no auto-summary
In the working configurations above we can see that I have chosen the Cisco proprietary EIGRP routing protocol to advertise subnets between the sites. The links between the core and access switches are configured as 802.1Q trunks; VLAN 200 is chosen as the native VLAN.
Both VTP server switches carry voice and data VLANs. VLANs 100 and 201 are used on the Site 2 access switches, and Site 1 uses VLANs 101 and 202 for voice and data traffic respectively. VLAN 500 is the management VLAN for the equipment. I have implemented Rapid Per-VLAN Spanning Tree (Rapid PVST+) for faster recovery and better convergence time. The following show output lists how many VLANs are configured.
L3SW1#sh spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VOICE_1 DATA_1 DATA_VLAN_1 SRV_VL_1 MARK_VL_1 MGMT VLAN0999
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is disabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short
Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                      0         0        0          3          3
VLAN0100                      0         0        0          3          3
VLAN0101                      0         0        0          3          3
VLAN0200                      0         0        0          3          3
VLAN0201                      0         0        0          3          3
VLAN0202                      0         0        0          3          3
VLAN0300                      0         0        0          3          3
VLAN0301                      0         0        0          3          3
VLAN0350                      0         0        0          3          3
VLAN0500                      0         0        0          3          3
VLAN0999                      0         0        0          3          3
---------------------- -------- --------- -------- ---------- ----------
11 vlans                      0         0        0         33         33
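As an added check, not part of the original post: a small Python audit that parses an IOS running-config into interface stanzas and reports trunks without spanning-tree guard root or still on native VLAN 1, and flags the global defaults visible in the summary above (PortFast BPDU Guard and Loop Guard disabled). The config and summary text inside it are constructed samples modelled on the outputs on this page, not captures from the lab. The exempt parameter is an assumption for the core-to-core trunk, where the peer core legitimately is root for its own VLANs and root guard would wrongly block it.

```python
"""Audit an IOS running-config for the STP hardening discussed above.

Added example, not code from the original post. It checks the three things
the text relies on: every 802.1Q trunk carries 'spanning-tree guard root',
no trunk still uses the default native VLAN 1, and the global protections
printed by 'show spanning-tree summary' (BPDU Guard, Loop Guard) are enabled.
"""
import re
from collections.abc import Iterable

# Constructed sample (not a lab capture): Fa0/1 is a trunk without root
# guard, Fa0/4 is a trunk left on native VLAN 1, Fa0/5 is an access port.
SAMPLE_CONFIG = """\
hostname L3SW1
!
spanning-tree mode rapid-pvst
!
interface FastEthernet0/1
 switchport trunk native vlan 200
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/2
 switchport trunk native vlan 200
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree guard root
!
interface FastEthernet0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree guard root
!
interface FastEthernet0/5
 switchport access vlan 201
 switchport mode access
!
"""

# Constructed sample of the global lines from 'show spanning-tree summary'.
SAMPLE_SUMMARY = """\
Switch is in rapid-pvst mode
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
"""


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Split an IOS config into {interface name: [sub-commands]}.
    IOS indents sub-commands by one space, but pasted configs (like the ones
    above) often lose that, so a stanza is closed by a '!' line or by the
    next 'interface' line rather than by indentation."""
    interfaces: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def audit_trunks(config: str, exempt: Iterable[str] = ()) -> list[str]:
    """One finding per trunk that lacks root guard or uses native VLAN 1.
    Interfaces in `exempt` (assumed: the trunk towards the other core switch,
    which may legitimately be root) are not checked for root guard."""
    exempt = set(exempt)
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode trunk" not in cmds:
            continue  # access ports are out of scope for root guard
        if name not in exempt and "spanning-tree guard root" not in cmds:
            findings.append(f"{name}: trunk without 'spanning-tree guard root'")
        native = [c for c in cmds if c.startswith("switchport trunk native vlan ")]
        native_vlan = int(native[-1].rsplit(None, 1)[1]) if native else 1
        if native_vlan == 1:
            findings.append(f"{name}: trunk uses native VLAN 1 (default)")
    return findings


def audit_summary(summary: str) -> list[str]:
    """Flag global STP protections still at their disabled default."""
    wanted = ("PortFast BPDU Guard Default", "Loopguard Default")
    findings = []
    for line in summary.splitlines():
        m = re.match(r"(.+?) is (enabled|disabled)$", line.strip())
        if m and m.group(1) in wanted and m.group(2) == "disabled":
            findings.append(f"{m.group(1)} is disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_trunks(SAMPLE_CONFIG) + audit_summary(SAMPLE_SUMMARY):
        print("FINDING:", finding)
```

Feed it a saved show running-config and the text of show spanning-tree summary; on the sample it reports Fa0/1 (no root guard) and Fa0/4 (native VLAN 1) plus the two disabled global defaults, and passing exempt={"FastEthernet0/1"} silences the finding for the inter-core trunk.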
In this output we can see that the Layer 3 switch in Site 1 is the root bridge for the VLANs I chose. This is done with the following command: L3SW1(config)#spanning-tree vlan 999 root primary. The idea is that the VLANs of a site have their root bridge on that site's Layer 3 switch. This way we avoid flooding STP packets and unnecessary BPDUs over the trunk link between the core switches.
DHCP pools are configured for the data and voice VLANs, so we can see the bindings of the end stations in the DHCP database residing on the L3 switch in SITE 2.
L3SW1#sh ip dhcp binding
IP address       Client-ID/              Lease expiration        Type
                 Hardware address
172.16.1.2       000A.F393.9CA5          --                      Automatic
192.168.100.2    0050.0F92.BBD2          --                      Automatic
192.168.100.3    0001.C794.E920          --                      Automatic
Users attached to the Layer 2 switches get the correct IP address for the VLAN they have been assigned to. Next we look at the current VLAN status and the configuration of the Layer 2 switch (L2 switch number 2, Site 2).
hostname L2SW1
!
spanning-tree mode rapid-pvst
!
interface FastEthernet0/1
switchport trunk native vlan 200
switchport mode trunk
!
interface FastEthernet0/2
switchport access vlan 201
switchport mode access
switchport voice vlan 101
!
interface Vlan1
no ip address
shutdown
!
interface Vlan500
ip address 10.10.10.51 255.255.255.0
A very simple configuration enables trunking with the L3 switch. The FastEthernet0/2 interface is configured as an access port, which lets the PBX server communicate over the data VLAN, in our case VLAN 201. The following output shows that the root bridge for the data VLAN is the L3 switch, identified by its MAC address.
L2SW1#sh spanning-tree vlan 201
VLAN0201
Spanning tree enabled protocol rstp
Root ID Priority 24777
Address 0009.7C51.A730
Cost 19
Port 1(FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32969 (priority 32768 sys-id-ext 201)
Address 0004.9A34.59C3
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Root FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
One more feature I thought was missing was protection of the root bridge. Every trunk interface of the Layer 3 switch that connects to an access switch is configured with the Root Guard enhancement (spanning-tree guard root). This feature listens on the interface for superior BPDUs from the access switches and prevents the L2 switches from becoming the root bridge for a VLAN, as that is the job of a Layer 3 core switch. This may seem a bit harsh, but when you have 5000 clients on a single VLAN and an attacker takes over the root bridge role, they can bring the STP mechanism and the network down in seconds.
We can see this feature in action when I create a new VLAN, 555, on the core switch. The log output on the core switch tells us it has received superior BPDUs on the Fa0/3 interface, which is connected to the Layer 2 switch.
L3SW1#
%SPANTREE-2-ROOTGUARDBLOCK: Port 0/3 tried to become non-designated in VLAN 555. Moved to root-inconsistent state
And in the output of the L2 switch we can see that it believes it has been elected the root bridge for VLAN 555:
L2SW2# sh spanning-tree vlan 555
VLAN0555
Spanning tree enabled protocol rstp
Root ID Priority 33323
Address 0001.9759.D62E
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 33323 (priority 32768 sys-id-ext 555)
Address 0001.9759.D62E
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
To remedy this we tell the L3 switch to become the root bridge for VLAN 555.
L3SW1(config)#spanning-tree vlan 555 root primary
After a few moments (or, in some simulation cases, after reloading the L2 switch), the root bridge is the L3 switch as intended.
L2SW2#sh spanning-tree vlan 555
VLAN0555
Spanning tree enabled protocol rstp
Root ID Priority 25131
Address 0009.7C51.A730
Cost 19
Port 1(FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 33323 (priority 32768 sys-id-ext 555)
Address 0001.9759.D62E
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Root FWD 19        128.1    P2p
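To make the priority numbers in these outputs concrete, here is an added Python model, not code from the original post, of how Rapid PVST+ forms the bridge ID and elects the root. The 16-bit priority field is the configured priority (a multiple of 4096) plus the VLAN number as extended system ID, so 32768 + 555 = 33323 and 24576 + 555 = 25131, and the lowest (priority, MAC address) pair wins. It replays the VLAN 555 case above: with all three switches at the default 32768, L2SW2 wins on its lower MAC address and a root-guard port on L3SW1 goes root-inconsistent; after root primary lowers L3SW1 to 24576 it wins regardless of MAC. The three-switch topology and the root-guard decision rule are simplified assumptions; the MAC addresses are the ones shown in the outputs.

```python
"""Model of Rapid PVST+ bridge-ID arithmetic, root election and root guard.

Added illustration, not code from the original post. It uses the priority
values visible in the show spanning-tree outputs above (24777, 32969,
25131, 33323) and a constructed three-switch topology.
"""
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768       # IOS default bridge priority
ROOT_PRIMARY_PRIORITY = 24576  # what 'spanning-tree vlan X root primary' sets
                               # while every other bridge is still at 32768
                               # (otherwise it goes 4096 below the current root)


def bridge_priority(base: int, vlan: int) -> int:
    """Extended system ID: the priority field is the configured priority,
    a multiple of 4096, plus the VLAN number. 32768 + 201 = 32969."""
    if base % 4096 != 0 or not 0 <= base <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be in 1..4094")
    return base + vlan


def split_priority(priority: int) -> tuple[int, int]:
    """Inverse of bridge_priority: (configured priority, sys-id-ext)."""
    return priority - priority % 4096, priority % 4096


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str            # as IOS prints it, e.g. "0009.7C51.A730"
    base_priority: int  # configured priority for the VLAN under test

    def bridge_id(self, vlan: int) -> tuple[int, int]:
        """Comparable bridge ID: (priority field, MAC as integer). Lower wins."""
        return bridge_priority(self.base_priority, vlan), int(self.mac.replace(".", ""), 16)


def elect_root(bridges: list[Bridge], vlan: int) -> Bridge:
    """Root election as every bridge derives it from received BPDUs:
    lowest priority field wins, the MAC address breaks ties."""
    return min(bridges, key=lambda b: b.bridge_id(vlan))


def root_guard_action(local: Bridge, received_from: Bridge, vlan: int) -> str:
    """What a root-guard port on `local` does with a BPDU from `received_from`.
    Simplified assumption: the guarded bridge expects to be root, so a BPDU
    with a lower bridge ID than its own is superior; root guard then moves the
    port to root-inconsistent instead of letting it become non-designated."""
    if received_from.bridge_id(vlan) < local.bridge_id(vlan):
        return "root-inconsistent"
    return "forwarding"


# Constructed topology using the MAC addresses shown in the outputs above.
L3SW1 = Bridge("L3SW1", "0009.7C51.A730", DEFAULT_PRIORITY)
L2SW1 = Bridge("L2SW1", "0004.9A34.59C3", DEFAULT_PRIORITY)
L2SW2 = Bridge("L2SW2", "0001.9759.D62E", DEFAULT_PRIORITY)


def demo(vlan: int = 555) -> tuple[str, str, str, str]:
    """VLAN 555 before and after 'spanning-tree vlan 555 root primary' on L3SW1:
    (root before, root-guard state before, root after, root-guard state after)."""
    before = elect_root([L3SW1, L2SW1, L2SW2], vlan)
    guard_before = root_guard_action(L3SW1, before, vlan)
    fixed = Bridge(L3SW1.name, L3SW1.mac, ROOT_PRIMARY_PRIORITY)
    after = elect_root([fixed, L2SW1, L2SW2], vlan)
    guard_after = root_guard_action(fixed, L2SW2, vlan)
    return before.name, guard_before, after.name, guard_after


if __name__ == "__main__":
    print(split_priority(33323), split_priority(25131))
    print(demo())
```

The point the model makes is that with every switch at the default priority the root is decided purely by the lowest MAC address, which is why a newly created VLAN lands on an access switch and why the core switches need an explicit lower priority (or root primary) for every VLAN they are meant to own, with root guard as the backstop on the access-facing trunks.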
For the final test we ping the PBX server in Site 2 from a PC workstation located in Site 1.
From the output we can see that the ping was successful. A traceroute shows that the PC's first hop is the default gateway of VLAN 202, where it resides. The second hop is the management VLAN IP address of the L3 switch in Site 2, which knows how to reach the default gateway of the data VLAN in Site 2. With this we can confirm that everything is working.
Now, what is missing?
This scenario has many single points of failure. The first thing that comes to my mind is adding another two core switches with HSRP for redundancy.
Feel free to comment on any other features you would add.
Thanks.