L2 and STP security on switches

We were talking about six L2 attacks in the topic about DHCP snooping. There are also attacks against other switching technologies. One of the main L2 technologies is VLAN.

VLAN hopping
1) Switch spoofing
The attacker connects to an access port and negotiates it into a trunk (via DTP).
Mitigation is very simple: disable DTP negotiation on trunk interfaces.
Switch(config-if)# switchport nonegotiate
And force access ports into access mode:
Switch(config-if)# switchport mode access

2) Double tagging
When the attacker sits on access VLAN 5, his frames arrive at the switch untagged from the PC. If the native VLAN is carried untagged on the trunks, the attacker can put two 802.1Q tags on his frame. The switch strips the first tag and sends the frame onto the trunk as untagged native-VLAN traffic, so the second tag is still there. If two switches share an untagged native VLAN on the trunk, these crafted frames are delivered to the second switch and can be forwarded into its VLANs.

Don't use VLAN 1 for access ports:
Switch(config-if)# switchport access vlan 2
Change the native VLAN on all trunk ports to an unused VLAN ID:
Switch(config-if)# switchport trunk native vlan 901
Tag the native VLAN explicitly on all trunk ports:
Switch(config)# vlan dot1q tag native

STP attacks
In an L2 topology where more than two switches are connected to each other, Spanning Tree Protocol is used to build a loop-free design. It can be Per-VLAN Spanning Tree (PVST), Rapid PVST or Multiple Spanning Tree (MST). All three have similar threats: an attacker spoofs the root bridge in the topology. He can carry out these types of attack:

  • Send raw configuration BPDUs and DoS the topology with them
  • Send raw TCN BPDUs and DoS the topology with them
  • Claim to be the root bridge or another role

    STP security toolkit

    Root guard
    Configure it on every port where a root (superior) BPDU should never arrive. The switch listens on those ports and, if it receives a root BPDU on a guarded port, the port is blocked and marked root-inconsistent. The second command lists such ports.
    Switch(config-if)# spanning-tree guard root
    Switch(config-if)# do show spanning-tree inconsistentports

    PortFast
    STP has timers that delay a port from becoming operational after a cable is plugged in. If we are 100% sure that only a PC or a similar end-user device will be connected to the port, we can enable PortFast on it. The port then skips the STP listening and learning delay and is activated immediately after the cable is plugged in.
    Switch(config-if)# spanning-tree portfast

    BPDU guard
    BPDU guard is meant for PortFast ports.
    What happens if we connect another switch to a PortFast port? A loop can occur if the switches have a second link between them or if a triangle topology is created. To prevent such loops, and to prevent a rogue switch from being connected to an access port, the BPDU guard feature exists.
    It shuts the port down (err-disabled state) as soon as a BPDU is received on it.
    Switch(config-if)# spanning-tree bpduguard enable
    Or we can enable BPDU guard on all PortFast interfaces with one command:
    Switch(config)# spanning-tree portfast bpduguard default

    Loop guard
    Sometimes a unidirectional failure occurs on the media, so one STP neighbor stops receiving BPDUs on that link. If the other switch was the root, this switch thinks the root is down: it elects another root (or becomes root itself), blocks its root port and unblocks the alternate port. This can create a loop inside the network. To prevent it we can enable loop guard on the trunks between switches. Loop guard checks that BPDUs are still being received from the neighbor; if they stop, it puts the port into the loop-inconsistent state.

    Switch(config-if)# spanning-tree guard loop
    And globally:
    Switch(config)# spanning-tree loopguard default

    Unidirectional Link Detection (UDLD)
    The technology and its purpose are very similar to loop guard. The difference is that UDLD operates on the physical layer, so STP software issues are not caught by it. In practice STP software issues are rare and physical unidirectional failures are more common. The benefit of UDLD is its behaviour on EtherChannels: when one physical interface of an EtherChannel has a problem, UDLD blocks only that particular physical interface, whereas loop guard blocks the whole channel. Loop guard also cannot be combined with root guard; UDLD can. Conclusion: use loop guard in simple setups and on access switches, and UDLD on EtherChannels and more important links. If you want to be 100% sure, use both.

    Switch(config-if)# udld port [aggressive]
    or globally:
    Switch(config)# udld enable

    Here are the best-practice steps for L2 security:

    • Don't carry user traffic in the native VLAN on trunks
    • Don't use VLAN 1 as the switch management VLAN
    • Disable Dynamic Trunking Protocol
    • Disable VTP on trunk ports (the VTP attack is very simple)
    • Use port-security on access ports
    • Set all user ports to non-trunk by default
    • Disable all unused ports
    • Use the STP security toolkit
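    As an added defender-side example (not part of the original post), here is a small Python audit that parses an IOS-style running-config and reports which interfaces miss the items from this checklist: DTP disabled, native VLAN moved off VLAN 1, loop guard or UDLD on trunks, access mode forced and BPDU guard active (directly or via the global PortFast default) on access ports. The sample config and the finding texts are constructed; the command strings are the ones used on this page.

```python
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
interface GigabitEthernet1/0/23
 switchport mode trunk
"""  # constructed sample running-config, not from a real switch

def parse_interfaces(config):
    """Map each 'interface X' block to its indented commands ('!' or a global line ends it)."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return blocks

def configured_vlan(lines, prefix):  # IOS defaults to VLAN 1 when the command is absent
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), "1")

def audit(config):
    """Return {interface: [findings]}; an empty list means the port passes the checklist."""
    global_bpduguard = "spanning-tree portfast bpduguard default" in config
    report = {}
    for name, lines in parse_interfaces(config).items():
        cmds, issues = set(lines), []
        if "switchport mode trunk" in cmds:
            if configured_vlan(lines, "switchport trunk native vlan") == "1":
                issues.append("native VLAN is 1 (double-tagging exposure)")
            if "switchport nonegotiate" not in cmds:
                issues.append("DTP negotiation not disabled")
            if not any(l.startswith(("spanning-tree guard", "udld port")) for l in lines):
                issues.append("no loop guard or UDLD")
        else:
            if "switchport mode access" not in cmds:
                issues.append("not forced to access mode (DTP could negotiate a trunk)")
            if configured_vlan(lines, "switchport access vlan") == "1":
                issues.append("access VLAN is 1")
            if "spanning-tree bpduguard enable" not in cmds and not (
                    global_bpduguard and "spanning-tree portfast" in cmds):
                issues.append("BPDU guard not active")
        report[name] = issues
    return report
```

Run `audit(open("running-config.txt").read())` against a saved `show running-config` to get a per-port list of gaps; a bare `switchport mode trunk` with no native VLAN command is reported as native VLAN 1 because that is the IOS default.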