
Configurations with STP

stp


#1 netsurfer802

netsurfer802

    Neowinian

  • Joined: 27-September 10

Posted 03 November 2013 - 22:38

I am studying computer security and have tried to Google what the terms in the following content mean, but was not able to get a clear explanation of what "BPDU Guard", "Root Guard" and "Loop Guard" mean in the following context. Thanks in advance for an explanation.


  • Enable features such as portfast, BPDU Guard, Root Guard, and Loop Guard to mitigate spanning tree attacks. These features prevent an attacker from injecting malicious STP traffic on a protected port or detect potential loops.



#2 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 101
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 04 November 2013 - 00:47

Problem is, to understand what for example root guard is, you need to understand what a root switch is and how it's set or elected, etc. Without understanding the concepts of spanning tree, it's very difficult to understand how to secure the protocol ;)

More than happy to go into these with you - but it seems we will have to start with the very basics of spanning tree. Because if you understood STP, then you would know what portfast and root are, what a loop is, and how BPDUs come into play in the root bridge election, for example.

To be honest, if you're having to look up these terms, then it's kind of pointless to try and study how to secure STP if you don't even understand what it is.

Wouldn't basic networking be a prerequisite before taking computer security class? Did you skip some classes?

#3 OP netsurfer802

netsurfer802

    Neowinian

  • Joined: 27-September 10

Posted 05 November 2013 - 00:02

No, actually I'm Network+ certified, and even if I did have to look up these terms earlier, if not it doesn't seem like I would be getting much of anywhere.



#4 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 101
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 05 November 2013 - 00:54

So you're Network+ and don't understand what a root switch or root bridge is? And don't know what a BPDU is?

I looked up the objectives of this exam - clearly spanning tree is part of it

[attachment: objectives.png]

And they talk about troubleshooting spanning loops - but you don't know what a root switch or root bridge is and what a bridge protocol data unit is??

2.5
Given a scenario, troubleshoot common router and switch problems
Switching loop

So I am confused here.. Where do we start? ;)

#5 fusi0n

fusi0n

    Don't call it a come back

  • Tech Issues Solved: 3
  • Joined: 08-July 04
  • OS: OSX 10.9\Windows 10\Ubuntu
  • Phone: LG G3

Posted 05 November 2013 - 01:15

> So you're Network+ and don't understand what a root switch or root bridge is? And don't know what a BPDU is?
>
> I looked up the objectives of this exam - clearly spanning tree is part of it
>
> [attachment: objectives.png]
>
> And they talk about troubleshooting spanning loops - but you don't know what a root switch or root bridge is and what a bridge protocol data unit is??
>
> 2.5
> Given a scenario, troubleshoot common router and switch problems
> Switching loop
>
> So I am confused here.. Where do we start? ;)

/me bows down

Sent from my GT-I9505G using Tapatalk



#6 +theblazingangel

theblazingangel

    Software Engineer

  • Tech Issues Solved: 6
  • Joined: 25-March 04
  • Location: England, UK

Posted 05 November 2013 - 01:27

Do you understand spanning tree (STP) or not? As BudMan said, you really need to understand STP first if you're to properly understand these features.

All of these features help protect the integrity of the network.
  • BPDU Guard: BPDUs are used by switches to communicate STP information between each other. On ports where BPDU communication is never expected to take place, such as those connecting directly to hosts, portfast might be enabled. With portfast enabled, STP is still running on the port, but the switch rushes the port through the states to bring it up faster. If another switch were accidentally or maliciously connected to such a port, there's a good chance that, due to portfast, STP would fail to detect a bridging loop. BPDU guard is a feature for protecting the integrity of the network in such a scenario: if it detects an incoming BPDU communication, it blocks it and shuts down the port.
  • Root Guard: This feature helps provide control over which switches can become the root switch in STP. A port with root guard enabled will send/forward BPDUs to a switch connected to it but block any incoming ones, and therefore block root status from being assigned to a switch connected via that port.
  • Loop Guard: An STP topology's integrity relies upon a regular flow of BPDUs from the root. If for some reason these stop being received, ports in the blocking state (to break a bridging loop) may be cycled into a designated state, which, if the lack of BPDUs is a mistake, results in that loop being recreated. Loop guard keeps track of BPDU activity on non-designated ports, and should BPDUs stop being received, instead of allowing the ports to cycle to designated status, it holds them in a loop-inconsistent status until BPDUs start being received again.
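A small model of the three guard decisions described in the post above, added here as an illustration and not code from the thread or from any vendor. The Port/Bridge classes, the (priority, MAC) bridge-ID tuples and the sample IDs are constructed; the IOS commands in the comments are the real interface-level commands these features are enabled with.

```python
from dataclasses import dataclass, field

# Bridge ID modelled as (priority, MAC); in STP the lowest value wins the root election.
BridgeID = tuple


@dataclass
class BPDU:
    root_id: BridgeID     # root bridge the sender believes in
    sender_id: BridgeID   # bridge ID of the switch that sent this BPDU


@dataclass
class Port:
    name: str
    role: str = "designated"      # "designated" or "non-designated" (root/alternate port)
    state: str = "forwarding"
    bpdu_guard: bool = False      # IOS: spanning-tree bpduguard enable (for portfast edge ports)
    root_guard: bool = False      # IOS: spanning-tree guard root
    loop_guard: bool = False      # IOS: spanning-tree guard loop


@dataclass
class Bridge:
    current_root: BridgeID
    ports: dict = field(default_factory=dict)


def receive_bpdu(bridge: Bridge, port: Port, bpdu: BPDU) -> str:
    """Apply the guard features to one incoming BPDU and return the port's resulting state."""
    if port.bpdu_guard:
        # No BPDU is ever expected on an edge port: one arriving means another switch
        # appeared (by accident or on purpose), so the port is err-disabled outright.
        port.state = "err-disabled"
        return port.state
    if port.root_guard:
        if bpdu.root_id < bridge.current_root:
            # A superior BPDU would move the root onto this port; refuse it instead.
            port.state = "root-inconsistent"
            return port.state
        if port.state == "root-inconsistent":
            port.state = "forwarding"   # superior BPDUs have stopped: port recovers on its own
    if port.loop_guard and port.state == "loop-inconsistent":
        # BPDUs are flowing again, so loop guard releases the port back to its normal state.
        port.state = "blocking" if port.role == "non-designated" else "forwarding"
    return port.state


def max_age_expired(port: Port) -> str:
    """No BPDU arrived on this port within max-age: decide what the port does next."""
    if port.role != "non-designated":
        return port.state
    # Plain STP would move the silent blocking port to designated/forwarding (possible loop);
    # loop guard holds it in loop-inconsistent until BPDUs resume.
    port.state = "loop-inconsistent" if port.loop_guard else "forwarding"
    return port.state
```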


#7 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 101
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 05 November 2013 - 11:41

^ exactly!!! I could see that, if you don't really understand STP, the very clear and concise explanations blazingangel posted would be gibberish. Which is my point..

Which is why it's pointless to try and study the methods of security in STP if you don't first understand STP.

So do we start with the basics of stp and move forward, or what? I would prob start here

http://www.cisco.com...tocol_home.html