
Selecting Switching and Routing Protocols


Switching and the OSI Layers
• A switch refers to a device that operates at Layers 1 and 2 of the OSI
reference model.
• In general, a Layer 3 switch, routing switch, or switching router is a device
that can handle both Layer 2 and Layer 3 switching of data.
• A Layer 3 switch is a high-speed router that can include interfaces that
make a forwarding decision based solely on Layer 2 information.
Transparent Bridging
• A transparent bridge connects one or more LAN segments so that end
systems on different end segments can communicate with each other
transparently. An end system sends a frame to a destination without
knowing whether the destination is local or on the other side of a
transparent bridge. Transparent bridges are so named because their
presence is transparent to end systems.
• The switching table also sometimes goes by the names
bridging table, MAC address table, or Content Addressable Memory
(CAM) table.
• To avoid excessive broadcast traffic, bridged and switched networks
should be segmented with routers or divided into VLANs.
• A bridge is a store-and-forward device. Store and forward means that
the bridge receives a complete frame, verifies its cyclic redundancy
check (CRC) and discards it if the check fails, determines which outgoing
port to use, prepares the frame for the outgoing port, and transmits the
frame when the medium is free on the outgoing port.
Selecting Spanning Tree Protocol Enhancements
• PortFast
• IEEE 802.1D-2004 (which incorporated the 802.1w Rapid Spanning Tree
Protocol, RSTP) supports the concept of a switch edge port. An edge port
corresponds to the Cisco PortFast feature.
• Edge ports transition directly to the forwarding state. If RSTP receives
a BPDU on a port configured as an edge port, the port loses its edge status
and behaves as an ordinary spanning tree port.
• With IP networks, the most serious problem with switch port startup delay
is that a client might timeout while waiting to receive an IP address from a
DHCP server.
• With some implementations, if this happens, the client uses an address
from the link-local (Automatic Private IP Addressing, APIPA) range
169.254.0.0/16 rather than an address assigned by a DHCP server, and
cannot reach anything outside its own segment.
• PortFast is meant to be used only on ports that do not connect
another switch; however, sometimes this is unpredictable, especially
as users and junior network administrators become more networking
savvy and decide to install their own equipment.
• To protect a network that uses PortFast, Cisco supports a feature
called BPDU Guard that shuts down a PortFast-enabled port if a
bridge protocol data unit (BPDU) from another switch is received.
UplinkFast
• UplinkFast is a Cisco feature that can be configured on access layer
switches. UplinkFast improves the convergence time of STP if a failure
of a redundant uplink from an access layer switch occurs. An uplink is
a connection from an access layer switch to a higher-end
switch in the distribution layer of a hierarchical network design.
• With the default STP parameters, the recovery takes between 30 and
50 seconds. With UplinkFast, the recovery takes about 1 second.
• UplinkFast should be configured only on access layer switches at the
edge of your network and not on distribution or core layer switches.
BackboneFast
• Cisco also supports a feature called BackboneFast, which can save a
switch up to 20 seconds (Maximum Age) when recovering from an
indirect link failure that occurs on a nonlocal port.
• BackboneFast speeds convergence after a failure by taking advantage of
the fact that a switch involved in a nonlocal failure might be able to
move into the listening state immediately, instead of first waiting for
the Maximum Age timer to expire.
Unidirectional Link Detection
• Sometimes hardware fails in such a way that connectivity between two
switches works in only one direction. This is called a unidirectional link:
Switch A can hear Switch B, but Switch B can’t hear Switch A.
• The cause is typically a failed component, such as a repeater or cable,
being unable to transmit or receive.
• A unidirectional link can cause a loop in a switched network.
• If a switch port can’t send data, it can’t send BPDUs, and its partner
might be unaware of its existence; the partner may then move a port that
should be blocking into the forwarding state.
• Vendors recognized the potential for a problem and offered fixes. Cisco
provides the UniDirectional Link Detection (UDLD) protocol on high-end
switches.
• UDLD allows devices connected through fiber-optic or copper
Ethernet cables to monitor the physical configuration of the cables
and detect when a unidirectional link exists. When a unidirectional link
is detected, UDLD shuts down the affected port and alerts the user.
LoopGuard
• Cisco also supports a feature called LoopGuard that is intended to
provide additional protection against loops.
• Such a loop usually happens because one of the ports of a physically
redundant topology stops receiving BPDUs, perhaps because of a
unidirectional link problem, and STP then moves that port from blocking
to forwarding. LoopGuard instead places the port in a loop-inconsistent
(blocking) state until BPDUs are received on it again.
• You can choose either UDLD or STP LoopGuard, or both, which is
recommended. UDLD works better than LoopGuard on EtherChannel:
UDLD disables only the failed interface, so the channel remains
functional with the remaining interfaces, whereas STP LoopGuard blocks
the entire channel in such a failure.
STP Manipulation Attack
• Spanning tree protocol operates by electing a root bridge. In the example
topology the legitimate root bridge has priority 8192 and MAC address
0000.00C0.1234; every other switch port is either forwarding (F) or
blocking (B) relative to that root.
• STP builds a tree topology outward from the root.
• STP manipulation changes the topology of a network: the attacking
host appears to be the root bridge, so traffic between switches is
re-routed through links the attacker can see.
• The attacking host broadcasts out STP configuration and topology change
BPDUs. This is an attempt to force spanning tree recalculations.
BPDU Guard
• In the example, BPDU Guard is enabled on the access port facing the
attacker. The STP BPDU the attacker sends causes that port to be shut
down rather than processed, so the root bridge and the existing
forwarding/blocking state are unaffected.
Switch(config)#
spanning-tree portfast bpduguard default
• Globally enables BPDU guard on all ports with PortFast
enabled
Root Guard
• In the example, the legitimate root bridge has priority 0 and MAC address
0000.0c45.1a5d. The attacker sends an STP BPDU claiming priority 0 with
MAC address 0000.0c45.1234; because the priority ties and the attacker’s
MAC address is lower, that BPDU would otherwise win the root election.
With Root Guard enabled on the port facing the attacker, the superior
BPDU puts the port into the root-inconsistent (blocking) state instead,
and the port recovers only after the superior BPDUs stop.
Switch(config-if)#
spanning-tree guard root
• Enables root guard on a per-interface basis
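The root election and the two guards described above, as an added example that is not part of the slides. It constructs an IEEE 802.1D configuration BPDU from an attacker claiming priority 0 (the bridge IDs are the ones in the figures), parses it back from raw frame bytes, applies the "lowest bridge ID wins" comparison the attack abuses, and reports what a port with no protection, with Root Guard, or with PortFast plus BPDU Guard would do with it. The `port_action` state names are the assumed labels for the Cisco behaviours (err-disabled, root-inconsistent); the frame bytes are constructed here.

```python
import struct
from dataclasses import dataclass

# Destination of every 802.1D BPDU: the "all bridges" link-local multicast group.
STP_MULTICAST = bytes.fromhex("0180c2000000")
LLC_STP = b"\x42\x42\x03"        # DSAP 0x42, SSAP 0x42, UI control field
BPDU_CONFIG = 0x00               # BPDU type byte for a configuration BPDU


@dataclass(frozen=True)
class BridgeID:
    """16-bit priority field plus 6-byte MAC; the lower (priority, mac) tuple wins."""
    priority: int
    mac: bytes

    def key(self):
        return (self.priority, self.mac)


@dataclass(frozen=True)
class ConfigBPDU:
    root_id: BridgeID
    root_path_cost: int
    bridge_id: BridgeID
    port_id: int
    max_age: float        # seconds (wire format is 1/256-second units)
    hello_time: float
    forward_delay: float


def build_config_bpdu(root, bridge, src_mac, cost=0, port_id=0x8001,
                      max_age=20, hello=2, forward_delay=15):
    """Construct an Ethernet/LLC-encapsulated configuration BPDU (35-byte body)."""
    body = struct.pack("!HBBB", 0, 0, BPDU_CONFIG, 0)          # proto ID, version, type, flags
    body += struct.pack("!H6sI", root.priority, root.mac, cost)
    body += struct.pack("!H6sH", bridge.priority, bridge.mac, port_id)
    body += struct.pack("!HHHH", 0, max_age * 256, hello * 256, forward_delay * 256)
    payload = LLC_STP + body
    return STP_MULTICAST + src_mac + struct.pack("!H", len(payload)) + payload


def parse_bpdu(frame):
    """Parse a configuration BPDU out of a raw Ethernet frame; ValueError otherwise."""
    if frame[:6] != STP_MULTICAST or frame[14:17] != LLC_STP:
        raise ValueError("not an 802.1D BPDU frame")
    length = struct.unpack("!H", frame[12:14])[0]
    body = frame[17:14 + length]
    proto, _version, btype, _flags = struct.unpack("!HBBB", body[:5])
    if proto != 0 or btype != BPDU_CONFIG:
        raise ValueError("unsupported BPDU type 0x%02x" % btype)
    (rprio, rmac, cost, bprio, bmac, pid,
     _msg_age, max_age, hello, fwd) = struct.unpack("!H6sIH6sHHHHH", body[5:35])
    return ConfigBPDU(BridgeID(rprio, rmac), cost, BridgeID(bprio, bmac), pid,
                      max_age / 256, hello / 256, fwd / 256)


def is_superior(bpdu, current_root):
    """The election rule an STP manipulation attack abuses: lowest root ID wins."""
    return bpdu.root_id.key() < current_root.key()


def port_action(bpdu, current_root, *, portfast=False, bpdu_guard=False, root_guard=False):
    """What a switch does with this BPDU on a port with the given protections.
    Returns 'err-disabled', 'root-inconsistent', 'root-changed' or 'ignored'."""
    if portfast and bpdu_guard:
        return "err-disabled"          # BPDU Guard: any BPDU on a PortFast port shuts it down
    if is_superior(bpdu, current_root):
        return "root-inconsistent" if root_guard else "root-changed"
    return "ignored"                   # inferior BPDU; the current root is unaffected


# Constructed sample: bridge IDs taken from the slides' figures.
LEGIT_ROOT = BridgeID(8192, bytes.fromhex("000000c01234"))
ATTACKER = BridgeID(0, bytes.fromhex("00000c451234"))
ATTACK_FRAME = build_config_bpdu(ATTACKER, ATTACKER, src_mac=ATTACKER.mac)

if __name__ == "__main__":
    bpdu = parse_bpdu(ATTACK_FRAME)
    for guards in ({}, {"root_guard": True}, {"portfast": True, "bpdu_guard": True}):
        print(guards or "no protection", "->", port_action(bpdu, LEGIT_ROOT, **guards))
```

The comparison in `is_superior` is deliberately only the root ID; a real bridge also compares path cost, sender bridge ID and port ID when root IDs tie, which is irrelevant here because the attacker's priority-0 claim already beats any legitimately configured root.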
Virtual LANs
• A campus network should be designed using small bandwidth domains and
small broadcast domains.
• A bandwidth domain is also called a collision domain.
• A broadcast domain is a set of devices that can all hear each other’s
broadcast frames. The campus access layer should use switches, which
divide collision domains but not broadcast domains, so providing
broadcast control at the access layer requires virtual LANs.
LAN Storm Attack
• (Figure: one broadcast frame being replicated out of every port of the switch.)
• Broadcast, multicast, or unicast packets are flooded on all ports in the
same VLAN.
• These storms can increase the CPU utilization on a switch to 100%,
reducing the performance of the network.
VLAN Attacks
• VLANs provide:
▪ Segmentation
▪ Flexibility
▪ Security
• VLAN = Broadcast Domain = Logical Network (Subnet)
VLAN Hopping Attack
• (Figure: an attacker on VLAN 10 and servers on VLAN 20 attached to the
same switch, with an 802.1Q trunk between the switches; the attacker sees
traffic destined for the servers.)
• A VLAN hopping attack can be launched by spoofing DTP messages from the
attacking host to cause the switch to enter trunking mode. Once the port
is a trunk, the attacker can tag frames for any VLAN the trunk carries and
receive traffic from those VLANs.
Port Security Overview
• (Figure: port 0/1 allows MAC A, port 0/2 allows MAC B, port 0/3 allows
MAC C. Attacker 1 uses MAC A and Attacker 2 uses MAC F on ports where
those addresses are not permitted, so their frames are not accepted.)
• Port security allows an administrator to statically specify MAC
addresses for a port or to permit the switch to dynamically learn a
limited number of MAC addresses.
CLI Commands
Switch(config-if)#
switchport mode access
• Sets the interface mode as access
Switch(config-if)#
switchport port-security
• Enables port security on the interface
Switch(config-if)#
switchport port-security maximum value
• Sets the maximum number of secure MAC addresses for
the interface (optional)
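The transparent learning bridge from the earlier section and the port-security behaviour configured above, combined in one added example that is not from the slides. A minimal switch learns source MACs into a bounded CAM table and floods unknown unicasts, exactly as a transparent bridge does; an attacker on port 0/3 then floods random source MACs. Without port security the table fills and, once the legitimate entries age out, traffic between hosts A and B is flooded to the attacker's port; with `switchport port-security` (maximum 1, the default, with a static MAC) the first spoofed source err-disables port 0/3 and the table never grows. The CAM capacity, the port names and the MAC addresses are constructed values for the demonstration; the violation mode names (shutdown, restrict, protect) are the Cisco IOS ones.

```python
import random


class Port:
    """An access port; port security limits which source MACs it accepts."""

    def __init__(self, name, secure=False, maximum=1, static=(), violation="shutdown"):
        self.name = name
        self.secure = secure              # switchport port-security
        self.maximum = maximum            # switchport port-security maximum <n>
        self.secure_macs = set(static)    # static entries plus dynamically learned ones
        self.violation = violation        # shutdown | restrict | protect
        self.err_disabled = False
        self.violations = 0

    def admit(self, src):
        """Port-security check on a frame's source MAC; True if the frame may enter."""
        if not self.secure or src in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src)     # dynamic learning up to the configured maximum
            return True
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True      # IOS err-disables the port; needs manual recovery
        return False                      # restrict and protect both drop the frame


class Switch:
    """Transparent learning bridge with a bounded MAC (CAM) table."""
    BROADCAST = "ff:ff:ff:ff:ff:ff"

    def __init__(self, ports, cam_capacity):
        self.ports = {p.name: p for p in ports}
        self.cam = {}                     # mac -> ingress port
        self.cam_capacity = cam_capacity

    def receive(self, port_name, src, dst):
        """Process one frame; returns the list of egress ports it is sent out of."""
        port = self.ports[port_name]
        if port.err_disabled or not port.admit(src):
            return []
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = port_name     # learn/refresh the source; a full table learns nothing
        if dst != self.BROADCAST and dst in self.cam:
            out = self.cam[dst]
            return [] if out == port_name else [out]
        # Unknown unicast or broadcast: flood out every other live port.
        return [n for n, p in self.ports.items() if n != port_name and not p.err_disabled]

    def age_out(self):
        """Simulate the MAC aging timer expiring (300 s by default on Catalyst switches)."""
        self.cam.clear()


def mac_flood_scenario(port_security, cam_capacity=64, flood_frames=500, seed=1):
    """Attacker on port 0/3 floods random source MACs, then host A sends to host B
    after the table has aged out. Returns (CAM size after flood, egress ports, 0/3 state)."""
    rng = random.Random(seed)
    host_a, host_b, host_c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    ports = [Port("0/1", port_security, static={host_a}),
             Port("0/2", port_security, static={host_b}),
             Port("0/3", port_security, static={host_c})]
    sw = Switch(ports, cam_capacity)
    sw.receive("0/2", host_b, Switch.BROADCAST)          # host B announces itself
    for _ in range(flood_frames):                        # constructed attacker traffic
        fake = "02:" + ":".join("%02x" % rng.randrange(256) for _ in range(5))
        sw.receive("0/3", fake, Switch.BROADCAST)
    cam_after_flood = len(sw.cam)
    sw.age_out()
    egress = sw.receive("0/1", host_a, host_b)
    state = "err-disabled" if sw.ports["0/3"].err_disabled else "up"
    return cam_after_flood, egress, state


if __name__ == "__main__":
    for enabled in (False, True):
        print("port security", "on " if enabled else "off", mac_flood_scenario(enabled))
```

The flood step models why a full CAM table is the attacker's goal: a transparent bridge has no choice but to flood a frame whose destination it has not learned, and with the table full of junk it cannot learn the legitimate hosts again, so unicast traffic keeps reaching the attacker's port.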
Mitigating VLAN Attacks
• (Figure: the trunk between the switches, with native VLAN = 10.)
1. Disable trunking on all access ports.
2. Disable auto trunking and manually enable trunking on the ports that
need it.
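A check for the two mitigations above, and for the DTP spoofing they defend against in the VLAN hopping section, as an added example that is not from the slides: a small audit that parses a Cisco IOS-style running configuration and flags every switchport where DTP could still negotiate a trunk. It reports ports left in `switchport mode dynamic auto|desirable`, ports with no `switchport mode` at all (assumed here to fall back to the platform default, which on many Catalyst switches is dynamic auto), and manually configured trunks without `switchport nonegotiate`, which still send DTP frames. The configuration text is constructed for the example.

```python
# Constructed running-config excerpt used as sample input (not from the slides).
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 10
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet0/1
 switchport trunk native vlan 10
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport nonegotiate
!
"""


def parse_interfaces(config_text):
    """Return {interface name: [indented config lines]} for every interface block."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None            # '!' or a top-level command ends the block
    return blocks


def audit_switchports(config_text):
    """Flag interfaces where DTP could still negotiate a trunk.
    Returns {interface: [finding, ...]}; interfaces with no finding are omitted."""
    findings = {}
    for name, lines in parse_interfaces(config_text).items():
        if "no switchport" in lines:
            continue                  # routed port: DTP does not apply
        mode = next((l.split("switchport mode ", 1)[1]
                     for l in lines if l.startswith("switchport mode ")), None)
        issues = []
        if mode is None:
            # Assumption: the platform default is dynamic auto, so the port negotiates.
            issues.append("no 'switchport mode' configured: port negotiates with DTP under the "
                          "platform default (assumed dynamic auto); set 'switchport mode access'")
        elif mode.startswith("dynamic"):
            issues.append(f"'switchport mode {mode}' lets an attacker's DTP frames negotiate a "
                          "trunk; set 'switchport mode access' on user ports")
        elif mode == "trunk" and "switchport nonegotiate" not in lines:
            issues.append("manually configured trunk still sends DTP; add 'switchport nonegotiate'")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for interface, issues in audit_switchports(SAMPLE_CONFIG).items():
        for issue in issues:
            print(f"{interface}: {issue}")
```

Run it against `show running-config` output saved to a file; an empty result means every switchport is either an explicit access port or a trunk that does not negotiate, which is the end state the two steps above describe.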
