Topic: Spanning Tree Protocol - Unisalento

Date post: 25-Apr-2023

24/05/2021
GC 2020-2021

Topic: Spanning Tree Protocol

What you will learn

• How Spanning Tree Protocol (STP) works
• A glance at Rapid Spanning Tree Protocol (RSTP)

Spanning Tree Protocol

• Defined in the IEEE 802.1d standard
• To prevent looping frames in bridged (switched) LANs with redundant links, STP blocks some ports from forwarding and receiving (data) frames
• Only one active path exists between any pair of LAN segments
• Drawbacks:
  • The network does not take advantage of some links
  • Some traffic travels a longer path, because a shorter path is blocked

What STP does

• STP places each bridge/switch port in either a forwarding state or a blocking state
• Switches forward frames out of ports, and receive frames on ports, that are in forwarding state
• Switches neither forward frames out of ports, nor receive frames on ports, that are in blocking state
• A port can be in disabled state (the port is not included in the active STP topology)
  • Operational state forced by the network manager
  • The port has failed
  • The port is connected to no device

[Figure: three switches with hosts H1, H2 and H3 attached]

What STP does (cont.)

• If the link between SW1 and SW3 fails, STP converges so that SW3 no longer blocks its 0/27 interface

[Figure: the same topology after the SW1-SW3 link failure, with hosts H1, H2 and H3]

How STP works

• STP creates a spanning tree in three phases:
  • Election of the root bridge
    • STP elects a single bridge, among all the bridges, to be the root of the spanning tree
    • All ports of the root bridge are put in forwarding state
  • Selection of the root port
    • Each non-root bridge selects the port (known as the root port) that gives the best path from itself to the root bridge
    • The root port is put in forwarding state
  • Selection of the designated port
    • For each LAN segment, from among the bridges attached to the segment, STP elects the one closest to the root bridge as the designated bridge
    • The designated bridge's interface attached to that segment is called the designated port and is put in forwarding state
    • All the ports of the root bridge are designated ports
• All other ports are placed in blocking state

Bridge Protocol Data Units (BPDUs)

• Bridges exchange protocol frames, called BPDUs
• BPDUs are sent to the multicast address 01-80-C2-00-00-00

[Figure: a BPDU carried in an IEEE 802.3/LLC frame]

  Field         Value
  Dest. Addr.   Multicast 01-80-C2-00-00-00
  Source Addr.  Singlecast (unicast) bridge address
  Length        length of the LLC PDU
  DSAP          0x42
  SSAP          0x42
  Control       0x03
  BPDU          Configuration BPDU or Topology Change Notification BPDU
  FCS           frame check sequence

DSAP, SSAP, Control and the BPDU together form the LLC PDU.
BPDU: Bridge Protocol Data Unit; DSAP: Destination Service Access Point; SSAP: Source Service Access Point

Types and format of BPDUs

• (a) Configuration BPDU (also called hello message): used to define the loop-free topology
• (b) Topology Change Notification (TCN) BPDU: used by a bridge to notify the root bridge about a detected topology change

[Figure: formats of the two BPDU types; the timer values carried in a configuration BPDU are dictated by the root bridge]

Types of BPDUs (cont.)

• Root Bridge ID: the identifier of the bridge assumed to be the root bridge
• Root Path Cost: cost of the least-cost path to the root bridge from the bridge transmitting this configuration BPDU
• Bridge ID: identifier of the bridge transmitting this configuration BPDU
• Port ID: identifies the port from which the configuration BPDU is sent
• Hello Time: the time that elapses between consecutive configuration BPDUs generated by the root bridge (or by a bridge that assumes itself to be the root bridge); the default value is 2 seconds
• Maximum Age: how long a bridge should wait, after it stops hearing hellos, before trying to change the topology; the default value is 20 seconds
• Forward Delay: used to defer the transition to the forwarding state of a port that was in blocking state; the default value is 15 seconds

Bridge identifier and port identifier

• Bridge Identifier (or Root Bridge Identifier) = Bridge Priority followed by Bridge MAC Address
  • (Original) bridge priority (16 bits)
  • Default: 32768
  • Recommendation: to be modified with increments or decrements at steps of 4096 units
• Port Identifier = Port priority followed by Port number
  • Port priority (1 byte)
  • Default: 128
  • Recommendation: to be modified with increments or decrements at steps of 16 units
• Normally, a Port ID is denoted in hexadecimal. For example, 0x8015 is equivalent to 128.21 (in binary 1000000000010101), where the first part is the Port priority and the second part is the Port number
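As an added example, not code from the slides, the following Python script builds a configuration BPDU inside the IEEE 802.3/LLC frame described above (DSAP and SSAP 0x42, Control 0x03, destination 01-80-C2-00-00-00), parses it back, and decodes the Bridge ID into priority and MAC address and the Port ID into priority and port number (0x8015 = 128.21). The 35-byte configuration BPDU layout and the 1/256-second timer units are taken from IEEE 802.1D; the MAC addresses and field values are constructed sample data, and the parser rejects frames whose length field or LLC header does not match.

```python
# Added example (not from the slides): build and parse an STP configuration BPDU
# carried in an IEEE 802.3/LLC frame, then decode the Bridge ID and Port ID fields.
# Field layout follows IEEE 802.1D; all sample values below are constructed.
import struct

STP_MULTICAST = bytes.fromhex("0180c2000000")  # 01-80-C2-00-00-00
LLC_HEADER = bytes([0x42, 0x42, 0x03])          # DSAP, SSAP, Control
CONFIG_BPDU = 0x00
TCN_BPDU = 0x80
# protocol ID, version, type, flags, root ID (8), root path cost (4), bridge ID (8),
# port ID (2), message age, max age, hello time, forward delay (2 bytes each, 1/256 s)
CONFIG_FMT = ">HBBB8sI8sHHHHH"
CONFIG_LEN = struct.calcsize(CONFIG_FMT)        # 35 bytes

def bridge_id(priority: int, mac: str) -> bytes:
    """Encode a 16-bit bridge priority followed by the 48-bit bridge MAC address."""
    return struct.pack(">H", priority) + bytes.fromhex(mac.replace(":", "").replace("-", ""))

def decode_bridge_id(raw: bytes):
    """Split an 8-byte bridge ID into (priority, 'xx:xx:xx:xx:xx:xx')."""
    return struct.unpack(">H", raw[:2])[0], ":".join(f"{b:02x}" for b in raw[2:])

def decode_port_id(port_id: int):
    """Port ID = 8-bit port priority . 8-bit port number, e.g. 0x8015 -> (128, 21)."""
    return port_id >> 8, port_id & 0xFF

def _frame(src_mac: str, bpdu: bytes) -> bytes:
    """Wrap a BPDU in the 802.3 header (without FCS) and the LLC header."""
    llc_pdu = LLC_HEADER + bpdu
    src = bytes.fromhex(src_mac.replace(":", ""))
    return STP_MULTICAST + src + struct.pack(">H", len(llc_pdu)) + llc_pdu

def build_config_bpdu_frame(src_mac, root, root_cost, bridge, port_id,
                            hello=2, max_age=20, fwd_delay=15, msg_age=0):
    """Configuration BPDU with the slides' default timers (2 s, 20 s, 15 s)."""
    bpdu = struct.pack(CONFIG_FMT, 0x0000, 0x00, CONFIG_BPDU, 0x00,
                       root, root_cost, bridge, port_id,
                       msg_age * 256, max_age * 256, hello * 256, fwd_delay * 256)
    return _frame(src_mac, bpdu)

def build_tcn_bpdu_frame(src_mac):
    """A TCN BPDU carries only protocol ID, version and type."""
    return _frame(src_mac, struct.pack(">HBB", 0x0000, 0x00, TCN_BPDU))

def parse_bpdu_frame(frame: bytes) -> dict:
    """Parse 802.3 header, LLC header and BPDU; raise ValueError on malformed input."""
    if len(frame) < 17:
        raise ValueError("frame too short for 802.3 + LLC headers")
    dst, src = frame[:6], frame[6:12]
    length = struct.unpack(">H", frame[12:14])[0]
    if dst != STP_MULTICAST:
        raise ValueError("not addressed to the STP multicast address")
    llc_pdu = frame[14:14 + length]
    if len(llc_pdu) != length or llc_pdu[:3] != LLC_HEADER:
        raise ValueError("bad length field or LLC header")
    bpdu = llc_pdu[3:]
    if len(bpdu) < 4:
        raise ValueError("truncated BPDU")
    proto, version, bpdu_type = struct.unpack(">HBB", bpdu[:4])
    if proto != 0:
        raise ValueError("unknown protocol identifier")
    info = {"src": ":".join(f"{b:02x}" for b in src), "version": version, "type": bpdu_type}
    if bpdu_type == TCN_BPDU:
        return info
    if bpdu_type != CONFIG_BPDU or len(bpdu) < CONFIG_LEN:
        raise ValueError("unknown BPDU type or truncated configuration BPDU")
    (_, _, _, flags, root, cost, bridge, port_id,
     msg_age, max_age, hello, fwd_delay) = struct.unpack(CONFIG_FMT, bpdu[:CONFIG_LEN])
    info.update({"flags": flags, "root_id": decode_bridge_id(root), "root_path_cost": cost,
                 "bridge_id": decode_bridge_id(bridge), "port_id": decode_port_id(port_id),
                 "message_age": msg_age / 256, "max_age": max_age / 256,
                 "hello_time": hello / 256, "forward_delay": fwd_delay / 256})
    return info

# Constructed sample: a bridge with the default priority 32768 advertising itself
# as root (cost 0) out of port ID 0x8015, i.e. port priority 128, port number 21.
SAMPLE_MAC = "00:11:22:33:44:01"
SAMPLE_FRAME = build_config_bpdu_frame(
    SAMPLE_MAC, root=bridge_id(32768, SAMPLE_MAC), root_cost=0,
    bridge=bridge_id(32768, SAMPLE_MAC), port_id=0x8015)

if __name__ == "__main__":
    for key, value in parse_bpdu_frame(SAMPLE_FRAME).items():
        print(f"{key:16} {value}")
```

The parser checks the length field against the bytes actually present before unpacking, so a truncated or padded frame raises instead of producing garbage field values; the timer fields are returned in seconds to match the defaults listed on the previous slide.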

Port cost

• A cost is associated with each port of a bridge
• Port costs can be configured
• IEEE recommended the following values

[Table: the original STP Cost-Bandwidth table]

Port cost (cont.)

• The revised 802.1D has increased the path cost to a 32-bit value, providing more granularity:

[Table: the revised 802.1D cost values]

• The port cost is added to the root path cost in a hello message received on "this" port in order to determine the cost of the path to the root through "this" port

Election of the root bridge

• At the beginning of the root-election process, each bridge assumes itself to be the root and so transmits hello messages on each of its ports with its own ID as both root bridge and transmitting bridge, and zero as cost
• A bridge compares the root ID field in the received configuration messages with its own bridge ID
• A bridge with a lower numeric value for the bridge ID is a better candidate
  • If a tie occurs based on priority, the MAC address is compared
• If a bridge hears of a better candidate, it stops advertising itself as root and starts forwarding the hellos sent by the better bridge

Election of the root bridge (cont.)

• Eventually, the root bridge will be the bridge with the lowest numeric value for the bridge ID
• Only the root bridge will be generating hello messages
• Before forwarding a hello message, a bridge
  • adds the cost of the port on which the hello was received to the root path cost (in the hello)
  • puts its own bridge ID in the Bridge ID field
  • puts the identifier of the port from which the hello will be forwarded in the Port ID field
• The bridge priority allows the network manager to influence the choice of root bridge

Election of the root bridge (cont.)

• The root election process in action:
  • SW1 and SW3 are advertising themselves as root
  • SW2 believes that SW1 is a better root candidate
  • SW1 will be the winner
    • a tie occurs based on priority, but SW1's MAC address is lower than SW3's MAC address

[Figure: SW1, SW2 and SW3 exchanging hellos; each link has Cost = 100]

Selection of the root port

• If there are alternative paths to the root, each non-root bridge receives hellos on more than one port
• The bridge selects its root port based on the conditions below (in the order 1-2-3-4, if a tie occurs)
  (1) The port is the one through which the bridge has the minimal cost to the root bridge
  (2) The hello received has the smallest bridge ID
  (3) The hello received has the smallest port ID
  (4) The port has the smallest port ID

[Figure: root port selection on the same topology, links with Cost = 100]
  • SW2's best cost is seen in the hello entering its port 0/26
  • SW3's best cost is seen in the hello entering its port 0/26

Selection of the designated port

• For each LAN segment, the designated bridge (and, thus, the designated port) is the one advertising the lowest-cost hello onto the LAN segment
• In case a tie occurs, the priority order above (see the conditions in the 15th slide) is considered
• When STP stabilizes, only the designated bridge advertises hellos on a LAN segment
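The three phases described on the last slides, root election, root port selection and designated port selection, as an added example that is not code from the slides: a synchronous simulation in which every bridge repeatedly hears the best hello offered on each of its segments and re-evaluates its root, its root port and its designated ports using the 1-2-3-4 tie-break order. The switch names, MAC addresses, port numbers (0/25 to 0/27) and the uniform link cost of 100 are assumptions chosen to mirror the figures; the simulation also shows the reconvergence after the SW1-SW3 link fails.

```python
# Added example (not from the slides): simulate STP's root election, root port
# selection and designated port selection on a constructed three-switch topology.
# Bridge IDs are (priority, MAC) tuples and port IDs (port priority, port number)
# tuples, so Python's tuple comparison reproduces "lower numeric value wins".

class Port:
    def __init__(self, bridge, number, cost, priority=128):
        self.bridge, self.cost = bridge, cost
        self.pid = (priority, number)   # port ID = port priority . port number
        self.received = None            # best BPDU heard from the other bridges on the segment
        self.role = None                # "root", "designated" or "blocking"

class Bridge:
    def __init__(self, name, priority, mac):
        self.name, self.bid, self.ports = name, (priority, mac), []
        # every bridge starts out believing it is the root, at cost 0
        self.root, self.root_cost, self.root_port = self.bid, 0, None

    def bpdu_on(self, port):
        """Configuration BPDU (root ID, root path cost, bridge ID, port ID) sent out of `port`."""
        return (self.root, self.root_cost, self.bid, port.pid)

    def update(self):
        """Re-evaluate the root and the root port; return True if anything changed."""
        own = (self.bid, 0, self.bid, (0, 0), (0, 0))
        best, best_port = own, None
        for p in self.ports:
            if p.received is None:
                continue
            root, cost, sender, sender_pid = p.received
            # tie-break order from the slides: (1) cost to the root, (2) sender bridge ID,
            # (3) sender port ID, (4) own port ID; the tuple order encodes it
            cand = (root, cost + p.cost, sender, sender_pid, p.pid)
            if cand < best:
                best, best_port = cand, p
        changed = (best[0], best[1], best_port) != (self.root, self.root_cost, self.root_port)
        self.root, self.root_cost, self.root_port = best[0], best[1], best_port
        return changed

def build_topology(bridge_specs, links):
    """bridge_specs: name -> (priority, mac); links: segment -> ((bridge, port), (bridge, port), cost)."""
    bridges = {n: Bridge(n, prio, mac) for n, (prio, mac) in bridge_specs.items()}
    segments = {}
    for seg, (end_a, end_b, cost) in links.items():
        ports = [Port(bridges[b], num, cost) for b, num in (end_a, end_b)]
        for p in ports:
            p.bridge.ports.append(p)
        segments[seg] = ports
    return list(bridges.values()), segments

def run_stp(bridge_specs, links):
    """Exchange hellos until no bridge changes its mind; return root, port roles and costs."""
    bridges, segments = build_topology(bridge_specs, links)
    for _ in range(10 * len(bridges)):
        # each port hears the best BPDU offered by the other bridges on its segment
        for ports in segments.values():
            for p in ports:
                others = [q.bridge.bpdu_on(q) for q in ports if q is not p]
                p.received = min(others) if others else None
        if not any([b.update() for b in bridges]):   # list, so every bridge updates
            break
    roles = {}
    for b in bridges:
        for p in b.ports:
            if p is b.root_port:
                p.role = "root"
            elif p.received is None or b.bpdu_on(p) < p.received:
                p.role = "designated"   # our hello beats the best one heard on the segment
            else:
                p.role = "blocking"
            roles[(b.name, p.pid[1])] = p.role
    root = next(b.name for b in bridges if b.root_port is None)
    return {"root": root, "roles": roles, "root_cost": {b.name: b.root_cost for b in bridges}}

# Constructed topology: three switches with the default priority, SW1 holding the
# lowest MAC address, all links at cost 100, port numbers modelled on the figures.
SWITCHES = {"SW1": (32768, "00:00:00:00:00:01"),
            "SW2": (32768, "00:00:00:00:00:02"),
            "SW3": (32768, "00:00:00:00:00:03")}
LINKS = {"SW1-SW2": (("SW1", 25), ("SW2", 26), 100),
         "SW1-SW3": (("SW1", 26), ("SW3", 26), 100),
         "SW2-SW3": (("SW2", 27), ("SW3", 27), 100)}

if __name__ == "__main__":
    result = run_stp(SWITCHES, LINKS)
    print("root:", result["root"])
    for (name, num), role in sorted(result["roles"].items()):
        print(f"{name} port 0/{num}: {role}")
    # the SW1-SW3 link fails: SW3's port 0/27 stops blocking and becomes its root port
    after = run_stp(SWITCHES, {k: v for k, v in LINKS.items() if k != "SW1-SW3"})
    print("after the failure, SW3 port 0/27 is", after["roles"][("SW3", 27)])
```

With the constructed values SW1 wins the election on its lower MAC address, SW2 and SW3 each pick their port 0/26 as root port at cost 100, and on the SW2-SW3 segment SW2 becomes the designated bridge because its bridge ID is lower, which leaves SW3's port 0/27 blocking. Removing the SW1-SW3 link makes that same port SW3's root port at cost 200. Running the simulation with an extra bridge of priority 0 attached anywhere shows it taking the root role regardless of where it sits, which is the property the security slides later build on.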

[Figure: the resulting spanning tree. Legend: root bridge, root port, designated port, port in blocking state; symbology defined in IEEE 802.1w (see slide 21)]

Reacting to changes in the network

• Each bridge uses the repetitive (every Hello time) hearing of hellos from the root as a way to know that its path to the root is still working
• The root bridge dictates the Hello time, the Max age and the Forward delay
  • All the bridges in the bridged LAN use the same values
• If a bridge does not receive a hello for Max age seconds, something has failed or, in general, changed
  • It injects TCNs into the network in order to start the process of changing the spanning tree
  • It advertises itself as root again, or believes the next best claim of who should be the root
• In order to avoid loops, a port that has to move from blocking state to forwarding state enters the interim listening state first
• After the Forward Delay amount of time, the port state is changed to learning state
• After another Forward Delay amount of time, the interface is (finally!) placed in forwarding state

Spanning Tree Intermediate States

• The listening state allows each device to wait to make sure that there are no new, better hellos with a new, better root
• The learning state allows the bridge to learn the new location of MAC addresses without allowing forwarding and possibly causing loops
• Using the default (that is, recommended) timers, 50 seconds (20 + 15 + 15) are required before a port can switch from blocking state to forwarding state

How to avoid STP convergence time

• The best way to lower STP's default 50-second convergence time is to avoid convergence altogether
• The IEEE 802.1AX standard allows several parallel Ethernet links to be combined, bundled into a single logical link (more network bandwidth and more availability)
  • Link Aggregation Control Protocol (LACP)
• STP treats the aggregated links as a single link
  • If at least one of the links is UP, STP convergence does not have to occur
• Only full-duplex point-to-point links, operating at the same data rate, can be bundled

[Figure: two Ethernet stations connected by a bundle of parallel links]

Rapid Spanning Tree Protocol

• RSTP (IEEE 802.1w, merged into 802.1D-2004) works just like STP in several ways:
  • It elects the root switch using the same parameters and tiebreakers
  • It elects the root port on non-root switches with the same rules
  • It elects a designated switch on each LAN segment with the same rules
  • It places each port in either forwarding or blocking state (RSTP calls the blocking state "discarding" instead of "blocking")

Rapid Spanning Tree (cont.)

• Discarding means that the port does not forward frames, process received frames, or learn MAC addresses, but it listens for BPDUs
  • it acts just like the STP blocking state
• RSTP uses an interim learning state, which works just like the STP learning state, but for only a short time
• Some mechanisms aiming at reducing convergence time have been defined. For example:
  • RSTP designates ports that receive suboptimal BPDUs as alternate ports
    • If a non-root switch (e.g., SW3 in the figure) stops getting hellos from the root switch, RSTP on that switch chooses the best alternate port as the new root port
  • RSTP immediately places the ports connected to edges in forwarding state when the links are active

[Figure: root switch, edge links and an alternate port on SW3]

Rapid Spanning Tree (cont.)

• RSTP has been defined to reduce network convergence times (typically less than 10 seconds, in some cases as low as 1 to 2 seconds) in networks like that on the left side (case a) of the figure below, but not in networks like that on the right (case b)

[Figure: (a) a topology where RSTP converges quickly; (b) a topology where it does not]

Some STP security considerations

• STP has no provisions for authentication of the BPDUs
  • In order to change the spanning tree, an attacker could send out hello messages with a bridge priority of zero from his PC

[Figure: distribution layer switches A and B (one of them Root), access layer switches C and D, and a rogue switch (PC with bridging) attached to an access switch sending Hello. Legend: root port, designated port, blocking port]

Some STP security considerations (cont.)

• The network manager could set the root bridge priority to zero in an effort to secure the root bridge position, but there is no guarantee against a bridge with a priority of zero and a lower MAC address

[Figure: the new spanning tree after the rogue switch (PC with bridging) is accepted; distribution layer switches A and B, access layer switches C and D, Root. Legend: root port, designated port, blocking port]

Some STP security considerations (cont.)

• In the figure below, the attacker has established two links to two different access switches
  • The attacker tries to change the spanning tree by sending out BPDUs with a bridge priority of zero from his PC

[Figure: the rogue switch (PC with bridging) with links to both access switches C and D, sending Hello on each; distribution layer switches A and B, Root. Legend: root port, designated port, blocking port]

Some STP security considerations (cont.)

• Consider the new spanning tree in the figure: all traffic between the access switches C and D flows through the attacker's PC
• The attacker can sniff traffic, act as a man-in-the-middle, or create a DoS condition (making his links much slower than the other links)
• Attack mitigation
  • Disabling STP in all cases in which there are no loops
  • (Better!) Filtering which ports are allowed to participate in the STP process. For example, on Cisco devices two principal options are available:
    • BPDU Guard disables any port configured with the "PortFast" option that receives a BPDU
      • The PortFast option causes a switch port (generally, a user port) to enter the Forwarding state immediately, bypassing the Listening and Learning states
    • Root Guard disables a port that would become an STP root port
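The two port-filtering mitigations just listed, modelled as an added example that is neither code from the slides nor Cisco's implementation: a switch object that applies BPDU Guard to PortFast user ports (any BPDU err-disables the port) and Root Guard to ports that must never become root ports (a BPDU claiming a better root than the one currently known is ignored and the port is held blocked until such claims stop). The port names, the bridge IDs and the sequence of received BPDUs are constructed; one user port is deliberately left unguarded so the run shows the plain-STP behaviour the guards exist to prevent.

```python
# Added example (not from the slides, not Cisco's implementation): a minimal model
# of BPDU Guard on PortFast ports and Root Guard on ports that must never become
# the root port. Port names, bridge IDs and the event sequence are constructed.

BPDU_GUARD = "bpdu-guard"   # set on PortFast user ports: no BPDU is ever expected
ROOT_GUARD = "root-guard"   # set on ports that may be designated but never root

class GuardedSwitch:
    def __init__(self, current_root, port_config):
        self.current_root = current_root     # (priority, mac) of the root known so far
        self.port_config = port_config       # port name -> set of guard features
        self.err_disabled = set()            # ports shut down by BPDU Guard
        self.root_inconsistent = set()       # ports blocked by Root Guard
        self.log = []

    def receive_bpdu(self, port, root_id):
        """Process one received configuration BPDU and return the action taken."""
        if port in self.err_disabled:
            return "dropped"                 # the port is already shut down
        features = self.port_config.get(port, set())
        if BPDU_GUARD in features:
            # a PortFast user port must never see a BPDU: err-disable it
            self.err_disabled.add(port)
            self.log.append(f"{port}: BPDU (root {root_id[1]}) on PortFast port, "
                            "err-disabled by BPDU Guard")
            return "err-disable"
        if ROOT_GUARD in features:
            if root_id < self.current_root:
                # a superior claim would make this the root port: block it instead
                self.root_inconsistent.add(port)
                self.log.append(f"{port}: superior root {root_id[1]} ignored, "
                                "root-inconsistent by Root Guard")
                return "root-inconsistent"
            # the superior claims have stopped: the port recovers by itself
            self.root_inconsistent.discard(port)
        if root_id < self.current_root:
            # no guard on this port: the switch believes the better claim, as plain STP does
            self.log.append(f"{port}: accepted new root {root_id[1]}")
            self.current_root = root_id
        return "accept"

# Constructed scenario: Gi0/1 is the uplink toward the legitimate root, Gi0/2 a link
# to another access switch, Fa0/10 and Fa0/11 user ports (Fa0/11 left unguarded).
LEGIT_ROOT = (32768, "00:00:00:00:00:01")
ROGUE = (0, "00:00:00:00:00:ff")
PORTS = {"Gi0/1": set(), "Gi0/2": {ROOT_GUARD}, "Fa0/10": {BPDU_GUARD}, "Fa0/11": set()}
EVENTS = [("Gi0/1", LEGIT_ROOT),   # normal hello from the real root
          ("Fa0/10", ROGUE),       # priority-0 claim on a guarded user port
          ("Gi0/2", ROGUE),        # the same claim arriving via the other access switch
          ("Gi0/2", LEGIT_ROOT),   # claims stop, normal hellos resume
          ("Fa0/10", ROGUE),       # port is already err-disabled
          ("Fa0/11", ROGUE)]       # unguarded user port: the claim is believed

def run_scenario(events=EVENTS):
    sw = GuardedSwitch(LEGIT_ROOT, PORTS)
    actions = [sw.receive_bpdu(port, root) for port, root in events]
    return sw, actions

if __name__ == "__main__":
    sw, actions = run_scenario()
    for line in sw.log:
        print(line)
    print("actions:", actions)
    print("err-disabled:", sorted(sw.err_disabled), "| root now:", sw.current_root)
```

The last event is the one to look at: with neither guard configured, the switch adopts the priority-0 claim exactly as the election rules require, so the protection comes from the port configuration, not from the root bridge's own priority.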

[Figure: the protected tree; distribution layer switches A and B (Root), access layer switches C and D, rogue switch]