Root guard prevents the wrong switch from becoming the spanning tree root. If a port with root guard enabled receives a superior BPDU (one advertising a better root bridge ID than the root the switch currently knows, which would otherwise turn that port into a root port), the port is put into the "root-inconsistent" state: it keeps its designated role but is blocked and passes no traffic. When the superior BPDUs stop arriving and the last one ages out, the port recovers on its own and returns to forwarding; no errdisable recovery or manual intervention is needed.
In short, root guard is a relative of BPDU guard, but the two answer different questions. BPDU guard goes on edge (PortFast) ports and err-disables the port on any BPDU, because no switch belongs there. Root guard goes on designated ports that face other switches, reacts only to superior BPDUs, and prevents a designated port from becoming a root port, which enforces the root bridge placement you chose.
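To make "superior" concrete, here is an added Python example (not from the original post) that parses 802.1D configuration BPDUs, compares them the way the election does, and models a root-guard port going root-inconsistent and recovering once the offending BPDUs stop. The bridge IDs 24577/0c92.011b.0000 and 24577/0c92.011a.0000 are the ones that appear in the show spanning-tree outputs later in this post; the BPDU bytes, the DOWNSTREAM neighbour and the timestamps are constructed here.

```python
"""Added example (not from the original post): parse 802.1D configuration
BPDUs, decide which of two is superior, and model what a root-guard port does
when a superior BPDU arrives and when it stops. Bridge IDs are taken from the
post's show spanning-tree output; the BPDU bytes are constructed here."""
import struct
from dataclasses import dataclass

LLC_STP = b"\x42\x42\x03"  # DSAP/SSAP/control bytes that precede every STP BPDU


@dataclass(frozen=True)
class BridgeId:
    priority: int  # 16 bits: 4-bit priority step + 12-bit sys-id-ext (the VLAN)
    mac: bytes

    @classmethod
    def parse(cls, raw: bytes) -> "BridgeId":
        return cls(struct.unpack("!H", raw[:2])[0], bytes(raw[2:8]))

    def key(self) -> tuple:
        # Election order: lower priority wins, lower MAC breaks a tie.
        return (self.priority, self.mac)

    def __str__(self) -> str:
        return f"{self.priority} {self.mac.hex('.', 2)}"


@dataclass(frozen=True)
class ConfigBpdu:
    root: BridgeId
    root_path_cost: int
    bridge: BridgeId
    port_id: int
    max_age: float  # seconds

    @classmethod
    def parse(cls, frame: bytes) -> "ConfigBpdu":
        if frame[:3] != LLC_STP:
            raise ValueError("not an STP frame")
        proto, version, kind = struct.unpack("!HBB", frame[3:7])
        if (proto, version, kind) != (0, 0, 0):
            raise ValueError("not an 802.1D configuration BPDU")
        # byte 7 holds the TC/TCA flags; they play no part in the election
        root = BridgeId.parse(frame[8:16])
        cost = struct.unpack("!I", frame[16:20])[0]
        bridge = BridgeId.parse(frame[20:28])
        port_id, _msg_age, max_age, _hello, _fwd = struct.unpack("!HHHHH", frame[28:38])
        return cls(root, cost, bridge, port_id, max_age / 256)  # timers are in 1/256 s

    def vector(self) -> tuple:
        # 802.1D priority vector; the lower tuple is the superior BPDU.
        return (self.root.key(), self.root_path_cost, self.bridge.key(), self.port_id)


def build_config_bpdu(root: BridgeId, cost: int, bridge: BridgeId,
                      port_id: int = 0x8001, max_age: int = 20) -> bytes:
    """Construct a config BPDU (test data built here, not captured traffic)."""
    return (LLC_STP + struct.pack("!HBBB", 0, 0, 0, 0)
            + struct.pack("!H6s", root.priority, root.mac)
            + struct.pack("!I", cost)
            + struct.pack("!H6s", bridge.priority, bridge.mac)
            + struct.pack("!HHHHH", port_id, 0, max_age * 256, 2 * 256, 15 * 256))


class RootGuardPort:
    """A designated port with spanning-tree guard root applied."""

    def __init__(self, own_root: BridgeId):
        self.own_root = own_root
        self.last_superior = None  # time the last superior BPDU was seen
        self.max_age = 20.0

    def receive(self, bpdu: ConfigBpdu, now: float) -> str:
        if bpdu.root.key() < self.own_root.key():  # superior: claims a better root
            self.last_superior, self.max_age = now, bpdu.max_age
        return self.state(now)

    def state(self, now: float) -> str:
        # Stays root-inconsistent while superior BPDUs keep arriving; once they
        # stop and the last one has aged out, the port recovers on its own.
        if self.last_superior is not None and now - self.last_superior < self.max_age:
            return "root-inconsistent"
        return "forwarding"


# Values from the post: Switch-4 (priority 24576 + sys-id-ext 1) and the root
# ID that appeared after the attack, same priority but a lower MAC.
SWITCH4 = BridgeId(24577, bytes.fromhex("0c92011b0000"))
ATTACKER = BridgeId(24577, bytes.fromhex("0c92011a0000"))
DOWNSTREAM = BridgeId(32769, bytes.fromhex("0c92011c0000"))  # assumed default-priority neighbour


def demo() -> dict:
    attack = ConfigBpdu.parse(build_config_bpdu(ATTACKER, 0, ATTACKER))
    normal = ConfigBpdu.parse(build_config_bpdu(SWITCH4, 4, DOWNSTREAM))
    port = RootGuardPort(SWITCH4)
    return {
        "attacker_superior": attack.vector() < normal.vector(),
        "normal_bpdu": port.receive(normal, 0.0),
        "attack_bpdu": port.receive(attack, 2.0),
        "still_attacking": port.state(10.0),
        "after_max_age": port.state(2.0 + attack.max_age + 1),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The comparison in key() is the whole story of the attack shown later: at equal priority the lower MAC address wins, so an attacker only has to advertise the current root's priority with a smaller MAC. The RootGuardPort model is deliberately simple (it tracks only the root ID, not the full priority vector), which is enough to show why a blocked port unblocks by itself once the superior BPDUs stop.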
Let's see the configuration:
Topology:
- configure the topology as per the diagram.
- assign the IP addresses to their respective ports
- configure trunking between the switches
- configure Switch-4 as the root bridge for VLAN 1
- configure the Kali machine to act as a switch and try to become the root bridge for VLAN 1 (the attack)
- make sure the attacker cannot become the root bridge: configure root guard on Switch-4 so that it does not accept superior BPDUs on the port where they arrive and puts that port into the root-inconsistent state instead
(Starting with the IP addresses on the PCs)
PC1> show ip all
NAME IP/MASK GATEWAY MAC DNS
PC1 10.1.1.10/8 10.1.1.1 00:50:79:66:68:00
PC2> show ip all
NAME IP/MASK GATEWAY MAC DNS
PC2 10.1.1.11/8 10.1.1.1 00:50:79:66:68:01
PC3> show ip all
NAME IP/MASK GATEWAY MAC DNS
PC3 10.1.1.13/8 10.1.1.1 00:50:79:66:68:02
PC4> show ip all
NAME IP/MASK GATEWAY MAC DNS
PC4 10.1.1.14/8 255.0.0.0 00:50:79:66:68:03
PC5> show ip all
NAME IP/MASK GATEWAY MAC DNS
PC5 10.1.1.15/8 255.0.0.0 00:50:79:66:68:04
PC6> show ip all
NAME IP/MASK GATEWAY MAC DNS
PC6 10.1.1.16/8 255.0.0.0 00:50:79:66:68:05
PC7> show ip all
NAME IP/MASK GATEWAY MAC DNS
PC7 10.1.1.17/8 255.0.0.0 00:50:79:66:68:06
PC8> show ip all
NAME IP/MASK GATEWAY MAC DNS
PC8 10.1.1.18/8 255.0.0.0 00:50:79:66:68:07
PC9> show ip all
NAME IP/MASK GATEWAY MAC DNS
PC9 10.1.1.19/8 255.0.0.0 00:50:79:66:68:08
PC10> show ip all
NAME IP/MASK GATEWAY MAC DNS
PC10 10.1.1.20/8 255.0.0.0 00:50:79:66:68:09
(Now assign the IP address 10.1.1.2 to the Kali machine: click the settings icon on the Kali node and enter the address there)
(Configure trunking between switches)
Switch-1(config)#interface gigabitEthernet 0/0
Switch-1(config-if)#switchport trunk encapsulation dot1q
Switch-1(config-if)#switchport mode trunk
Switch-1(config-if)#switchport trunk allowed vlan all
Switch-1(config-if)#exit
Switch-1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi0/0 on 802.1q trunking 1
Port Vlans allowed on trunk
Gi0/0 1-4094
Switch-2(config)#interface range gigabitEthernet 0/0-1
Switch-2(config-if-range)#switchport trunk encapsulation dot1q
Switch-2(config-if-range)#switchport mode trunk
Switch-2(config-if-range)#switchport trunk allowed vlan all
Switch-2(config-if-range)#exit
Switch-2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi0/0 on 802.1q trunking 1
Gi0/1 on 802.1q trunking 1
Port Vlans allowed on trunk
Gi0/0 1-4094
Gi0/1 1-4094
Port Vlans allowed and active in management domain
Gi0/0 1,100,200,300
Gi0/1 1,100,200,300
Switch-3(config)#interface range gigabitEthernet 0/0-1
Switch-3(config-if-range)#switchport trunk encapsulation dot1q
Switch-3(config-if-range)#switchport mode trunk
Switch-3(config-if-range)#switchport trunk allowed vlan all
Switch-3(config-if-range)#exit
Switch-3(config)#end
Switch-3#show interface trunk
Port Mode Encapsulation Status Native vlan
Gi0/0 on 802.1q trunking 1
Gi0/1 on 802.1q trunking 1
Port Vlans allowed on trunk
Gi0/0 1-4094
Gi0/1 1-4094
Port Vlans allowed and active in management domain
Gi0/0 1,100,200,300
Gi0/1 1,100,200,300
Switch-4(config)#interface range gigabitEthernet 0/0-1
Switch-4(config-if-range)#switchport trunk encapsulation dot1q
Switch-4(config-if-range)#switchport trunk allowed vlan all
Switch-4(config-if-range)#exit
Switch-4(config)#exit
Switch-4#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi0/0 desirable 802.1q trunking 1
Gi0/1 desirable 802.1q trunking 1
Port Vlans allowed on trunk
Gi0/0 1-4094
Gi0/1 1-4094
Port Vlans allowed and active in management domain
Gi0/0 1,100,200,300
Gi0/1 1,100,200,300
Switch-5(config)#interface gigabitEthernet 0/1
Switch-5(config-if)#switchport trunk encapsulation dot1q
Switch-5(config-if)#switchport mode trunk
Switch-5(config-if)#switchport trunk allowed vlan all
Switch-5(config-if)#exit
Switch-5(config)#exit
Switch-5#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi0/1 on 802.1q trunking 1
Port Vlans allowed on trunk
Gi0/1 1-4094
Port Vlans allowed and active in management domain
Gi0/1 1,100,200,300
(Note the Mode column in the Switch-4 output above: Gi0/0 and Gi0/1 show "desirable" rather than "on" because switchport mode trunk was never entered on Switch-4, so those links only trunk because DTP negotiation with the neighbour succeeded. On a production switch set the mode explicitly with switchport mode trunk and disable DTP with switchport nonegotiate, so that trunking does not depend on what the far end offers.)
(Configure Switch-4 as the root bridge for VLAN 1)
Switch-4(config)#spanning-tree vlan 1 root primary
Switch-4(config)#end
Switch-4#show spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address 0c92.011b.0000
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24577 (priority 24576 sys-id-ext 1)
Address 0c92.011b.0000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0 Desg FWD 4 128.1 Shr
Gi0/1 Desg FWD 4 128.2 Shr
Gi0/2 Desg FWD 4 128.3 Shr
Gi0/3 Desg FWD 4 128.4 Shr
Gi1/0 Desg FWD 4 128.5 Shr
Gi1/1 Desg FWD 4 128.6 Shr
Gi1/2 Desg FWD 4 128.7 Shr
Gi1/3 Desg FWD 4 128.8 Shr
Gi2/0 Desg FWD 4 128.9 Shr
Gi2/1 Desg FWD 4 128.10 Shr
Gi2/2 Desg FWD 4 128.11 Shr
Gi2/3 Desg FWD 4 128.12 Shr
Gi3/0 Desg FWD 4 128.13 Shr
Gi3/1 Desg FWD 4 128.14 Shr
Gi3/2 Desg FWD 4 128.15 Shr
Gi3/3 Desg FWD 4 128.16 Shr
(Now let's ping to verify connectivity)
PC1> ping 10.1.1.2
84 bytes from 10.1.1.2 icmp_seq=1 ttl=64 time=21.895 ms
84 bytes from 10.1.1.2 icmp_seq=2 ttl=64 time=38.968 ms
84 bytes from 10.1.1.2 icmp_seq=3 ttl=64 time=49.215 ms
84 bytes from 10.1.1.2 icmp_seq=4 ttl=64 time=51.478 ms
84 bytes from 10.1.1.2 icmp_seq=5 ttl=64 time=36.524 ms
PC1> ping 10.1.1.12
84 bytes from 10.1.1.12 icmp_seq=1 ttl=64 time=19.803 ms
84 bytes from 10.1.1.12 icmp_seq=2 ttl=64 time=9.089 ms
84 bytes from 10.1.1.12 icmp_seq=3 ttl=64 time=34.237 ms
84 bytes from 10.1.1.12 icmp_seq=4 ttl=64 time=23.287 ms
84 bytes from 10.1.1.12 icmp_seq=5 ttl=64 time=10.744 ms
PC1> ping 10.1.1.15
84 bytes from 10.1.1.15 icmp_seq=1 ttl=64 time=52.330 ms
84 bytes from 10.1.1.15 icmp_seq=2 ttl=64 time=50.599 ms
84 bytes from 10.1.1.15 icmp_seq=3 ttl=64 time=50.814 ms
84 bytes from 10.1.1.15 icmp_seq=4 ttl=64 time=44.130 ms
84 bytes from 10.1.1.15 icmp_seq=5 ttl=64 time=81.414 ms
PC1> ping 10.1.1.19
84 bytes from 10.1.1.19 icmp_seq=1 ttl=64 time=78.078 ms
84 bytes from 10.1.1.19 icmp_seq=2 ttl=64 time=116.942 ms
84 bytes from 10.1.1.19 icmp_seq=3 ttl=64 time=126.684 ms
84 bytes from 10.1.1.19 icmp_seq=4 ttl=64 time=57.858 ms
84 bytes from 10.1.1.19 icmp_seq=5 ttl=64 time=70.056 ms
PC1>
(Configure the Kali machine to act as a switch and try to become the root bridge for VLAN 1)
(Install the yersinia tool, and remember that the purpose of this blog is to educate, not to harm)
(Check on Switch-4 whether the attacker has become the root bridge)
Switch-4#show spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address 0c92.011a.0000
Cost 12
Port 1 (GigabitEthernet0/0)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24577 (priority 24576 sys-id-ext 1)
Address 0c92.011b.0000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0 Root FWD 4 128.1 Shr
Gi0/1 Desg FWD 4 128.2 Shr
Gi0/2 Desg FWD 4 128.3 Shr
Gi0/3 Desg FWD 4 128.4 Shr
Gi1/0 Desg FWD 4 128.5 Shr
Gi1/1 Desg FWD 4 128.6 Shr
Gi1/2 Desg FWD 4 128.7 Shr
(As you can see, Switch-4 is unfortunately no longer the root. The Root ID now shows priority 24577 with address 0c92.011a.0000: the same priority as Switch-4's own 0c92.011b.0000, so the election was decided by the lower MAC address, and Gi0/0 has turned from a designated port into the root port with a root path cost of 12. The attacker machine has become the root for our network.)
To prevent this attack, configure root guard on Gi0/0, the port on which the superior BPDUs arrive, so that Switch-4 does not accept them and puts the port into the root-inconsistent state instead:
Switch-4(config)#interface gigabitEthernet 0/0
Switch-4(config-if)#spanning-tree guard root
Switch-4(config-if)#exit
*Jul 5 05:36:36.974: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port GigabitEthernet0/0.
*Jul 5 05:36:36.980: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/0 on VLAN0100.
(As the log shows, Switch-4 blocked Gi0/0. The ROOTGUARD_BLOCK message is logged per VLAN, and root guard is a per-port setting that covers every VLAN on the trunk, so the VLAN0100 line is just the first VLAN for which a superior BPDU was seen; VLAN 1 is blocked in the same way, as the next output shows)
Switch-4#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address 0c92.011b.0000
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24577 (priority 24576 sys-id-ext 1)
Address 0c92.011b.0000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0 Desg BKN*4 128.1 Shr *ROOT_Inc
Gi0/1 Desg FWD 4 128.2 Shr
Gi0/2 Desg FWD 4 128.3 Shr
Gi0/3 Desg FWD 4 128.4 Shr
Gi1/0 Desg FWD 4 128.5 Shr
Gi1/1 Desg FWD 4 128.6 Shr
Gi1/2 Desg FWD 4 128.7 Shr
Gi1/3 Desg FWD 4 128.8 Shr
(Switch-4 is the root for VLAN 1 again, but look at what that costs: Gi0/0 is in the BKN (broken) state marked *ROOT_Inc, so while the attacker keeps sending superior BPDUs no traffic passes through Gi0/0 at all. Root guard protects where the root sits; it does not stop the attacker from taking that link down, and it only protects the switch it is configured on, so any switch between Switch-4 and the attacker that lacks it still accepts the bogus root. Enable it on every designated port that must never face the root, put BPDU guard on the access ports, and use show spanning-tree inconsistentports to list the ports currently held in this state. The port recovers on its own once the superior BPDUs stop.)
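Blocking the port is only useful if someone notices. As an added example (not from the original post), the Python below reads IOS syslog lines in the format shown above and reports which ports root guard is still holding in the root-inconsistent state, so the event can be forwarded to a SIEM or ticketed. The log lines are constructed here from the post's two messages; the ROOTGUARD_UNBLOCK message format is assumed from the IOS system message guide and does not appear in the post.

```python
"""Added example (not from the original post): a small monitor that reads
Cisco IOS syslog lines like the ROOTGUARD_BLOCK line shown above and reports
the ports root guard is currently holding in the root-inconsistent state.
The log lines are constructed here; the UNBLOCK message format is assumed
from the IOS message guide, not taken from the post."""
import re
from collections import defaultdict

# Constructed sample: the two lines from the post plus assumed follow-ups.
SAMPLE_LOG = """\
*Jul 5 05:36:36.974: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port GigabitEthernet0/0.
*Jul 5 05:36:36.980: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/0 on VLAN0100.
*Jul 5 05:36:37.012: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/0 on VLAN0001.
*Jul 5 05:36:37.020: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/0 on VLAN0200.
*Jul 5 05:39:01.451: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port GigabitEthernet0/0 on VLAN0100.
*Jul 5 05:40:15.000: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/1 on VLAN0001.
"""

# Matches BLOCK and UNBLOCK only; the CONFIG_CHANGE line is deliberately ignored.
EVENT = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+\s+[\d:.]+): %SPANTREE-2-ROOTGUARD_(?P<kind>BLOCK|UNBLOCK): "
    r"Root guard (?:un)?blocking port (?P<port>\S+) on (?P<vlan>VLAN\d+)\.$"
)


def parse_events(log: str) -> list:
    """Return (timestamp, kind, port, vlan) tuples for root-guard block/unblock lines."""
    events = []
    for line in log.splitlines():
        m = EVENT.match(line.strip())
        if m:
            events.append((m["ts"], m["kind"], m["port"], m["vlan"]))
    return events


def inconsistent_ports(log: str) -> dict:
    """Map each port to the VLANs on which it is still root-inconsistent.

    Events are replayed in log order, so an UNBLOCK clears only the VLAN it
    names; a port stays listed while any VLAN on it is still blocked."""
    blocked = defaultdict(set)
    for _ts, kind, port, vlan in parse_events(log):
        if kind == "BLOCK":
            blocked[port].add(vlan)
        else:
            blocked[port].discard(vlan)
    return {port: sorted(vlans) for port, vlans in blocked.items() if vlans}


def alerts(log: str) -> list:
    """One alert per port that is still blocked: something beyond that port is
    advertising a root bridge better than ours and has not stopped."""
    return [f"{port}: superior BPDUs still arriving, blocked on {', '.join(v)}"
            for port, v in sorted(inconsistent_ports(log).items())]


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(a)
```

Feed it the output of show logging, or the syslog stream the switches send to a collector; a port that stays in the list for more than a max-age interval is not a transient misconfiguration but a device that keeps claiming the root, which is exactly the case worth walking the cable to find.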
I hope you liked this blog; please visit our YouTube channel: https://youtu.be/F5MG1qNwp9c