BPDU Guard, Root Guard + Port Security

layer2

I’m still using the topology above. I am going to setup the following security measures BPDU Guard, Root Guard and Port Security and use the Kali Linux box in my topology to launch attacks FUN TIMES!

BPDU Guard

So BPDU Guard is used to protect the switch from an attacker that connects into the network via a switch port. Host port (Access port) shouldn’t send in BPDU messages into the switch. Once you enable BPDU Guard on an access port and a BPDU message is received on that port the switch will disable the port. This could prevent manipulation of your current STP topology.

bpduguardconf

The port was already configured as an access port on VLAN 10. I have R1 acting as a DHCP Server handing out IP addresses in the 10.1.10.0/24 range so the Kali Linux machine got the IP address of 10.1.10.2.

To enable BPDU it is straight forward using the command #spanning-tree bpduguard enable

Now that BPDU Guard is enabled it is time to send in BPDU messages on the access port Gi1/1.

On the Kali Linux machine I’m using an attack tool called Yersinia. I used the interactive option which is:

root@kali:~# yersinia -I

bpduattack

I know I’m not showing much in the screen above but the second line in the output is the BPDU packet getting sent into the access port of the switch which results in the port getting shutdown.

bpduerrport

Before I sent the BPDU packet in on Access port Gi1/1 I checked the status of the interface and you can see that it is connected meaning it’s up and on VLAN 10.

Next, the BPDU is sent on Gi1/1 from the Kali Linux machine causing the port to go err-disabled and it was shutdown automatically by the switch as you can see from the second interface status command.

To get the port back up you have to bring it back up manually (there is a way to do it automatically which I will show later). You need to go into the interface do a shutdown followed by a no shutdown, doing just a no shutdown will NOT bring it back up.

bpduportup

So as you can see I just did a no shutdown first and the port didn’t come back up, but after doing a shutdown followed by a no shutdown the port came back up.

As I mentioned above you can have the switch automatically bring the port back up after a period of time with no BPDU violations.

Enter the commands below in global configuration to enable errdisable recovery for BPDU Guard.

errdisablebpduconfig

I’ll launch another attack on that port and let us see the port go down and back up automatically.

bpduautorecov

As you can see (just about) that the port went down at 20:35:01 due to a BPDU Guard violation and 30 seconds later the port came back up at 20:35:31.

Root Guard

I have removed BPDU Guard from interface Gi1/1 and now I’m going to configure Root Guard. Root Guard is useful if you have your switch connected to another switch you do not manage or have no control over, to prevent it claiming root for STP and causing problems with your STP topology or you may have a less powerful switch in your topology and you never want that less powerful switch becoming the root switch.

rootguard

Go into the interface that is connected to the other switch in my case I am configuring it on the port that is connected to the Kali Linux machine so I can run an attack to try and claim that I am the root switch. Once I run the attack you can see that the switch puts the port in blocking mode.

rootblocking

The port is now in blocking mode. The port will unblock once the attack or the switch stops trying to claim that it’s the root switch.

Port Security

How many MAC addresses should a switch port have? One for the host that is connected to it? What about if that same user has an IP Phone? We might see two MAC addresses on that port. However, you do not want hundreds of MAC addresses on any given switch port and the main reason for that is the switch can only hold so many MAC addresses in its CAM table. If a switch is overloaded with too many MAC addresses than what it can’t hold in its CAM Table memory will be broadcast to all ports in the switch because it can’t add the MAC port mapping to its CAM table anymore.

This is where port security comes into play. We can use port security to restrict the number of MAC addresses allowed on a switch port. For example, if you set the limit to 2 MAC addresses and a 3rd MAC address showed up on that port the switch could shut the port down in doing so it is protecting itself from an attack such as the CAM table overflow attack where an attacker floods the switch with spoofed MAC addresses and filling up the CAM tables memory.

Before putting on port security on my access port I’m going to run a CAM table overflow attack using my Kali Linux machine and a tool called macof. This will send in thousands of spoofed MAC addresses and cause the CAM table to fill up.

mactable

At the moment I don’t have a lot of MAC addresses in my MAC table. Running the #show mac address-table count command shows me that I have one MAC addresses in VLAN 1 and another in VLAN 10.

I’ll now log into the Kali Linux machine and run the macof attack.

kalimacof

This is a screenshot of the macof attack in progress sending thousands of spoofed MAC addresses into the switch. My switch started to complain straight away about CPU load which isn’t surprising since I am running all of the nodes in VM as it is.

mactablefull

As you can see the number of MAC addresses on VLAN 10 is now at 11983 and I only ran the command for a few seconds as my switch wasn’t responding due to high CPU. This just shows how easy it is to cause damage to a network running a simple attack.

I’m going to configure port security on port Gi1/1 so it will shut the port down after it receives more than 5 MAC addresses. Again just like BPDU Guard you can configure the switch to automatically bring the port back up after a period of time, 30 seconds is the default and minimum time you can set the errdisable recovery command to.

portsec2

Above shows how to configure port-security and setting the max allowed mac addresses to 5. Also, I set the port to shutdown if a violation happens. You can set a violation to take different actions depending on how you configure it. They are: Protect, Restrict or Shutdown.

Also included in the printout above is the current state of the ports with port-security configured on them. There is a mac address on each port and both of the max allowed set to 5 and there are no violations at the moment and lastly what action should be taken if a violation is triggered and that is to shutdown the port.

Time to run macof again and see what happens!

portsecdown

As you can see that port-security detected the attack and shutdown the port!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s