Archive for May 2009

BCMSN Notes — STP States

I’ve decided to take on the CCNP certification, so I’m going to wind up with a few posts that will be more my own notes than anything.  :)

A switch port on a 2960 comes up with a default configuration on VLAN 1.  What happens from the perspective of spanning-tree?

  • First, the port comes up in blocking mode.  This makes sure that loops aren’t created before the port has listened to the network to see what’s going on.
  • Next, if the port may become a root or designated port, it is moved to the listening state.  In this state, the port can send and receive BPDUs only.  It can’t send traffic, but it can discover the other switches participating in STP.
  • After the forwarding delay, the port goes into the learning state.  In this state, the port still sends and receives BPDUs as in listening, but it can now receive traffic.  It can’t yet send any.
  • After the forwarding delay again, the port goes into the forwarding state.  The port can now send and receive data.

If the port is configured with spanning-tree portfast, the port goes from blocking directly to forwarding without going through these steps.  Obviously you don’t want a switch plugged into a port configured for portfast, since you may wind up with a loop.

Here’s the debug spanning-tree events output from one of my labs.  F0/3 is configured for portfast.  I shut/no shut it to see what happens.

*Mar  8 18:09:51.163: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
sw01#
*Mar  8 18:09:51.747: set portid: VLAN0007 Fa0/3: new port id 8003
*Mar  8 18:09:51.747: STP: VLAN0007 Fa0/3 ->jump to forwarding from blocking
sw01#
*Mar  8 18:09:53.739: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
*Mar  8 18:09:54.739: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up

Notice the “jump to forwarding from blocking”.

Here’s the same output when the port is not in portfast mode.  Notice the timestamps.  It takes about 30 seconds (2 x the default forward delay of 15 seconds) to go from blocking to listening to learning to forwarding.

*Mar  8 18:13:05.313: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
sw01#
*Mar  8 18:13:06.013: set portid: VLAN0007 Fa0/3: new port id 8003
*Mar  8 18:13:06.013: STP: VLAN0007 Fa0/3 -> listening
sw01#
*Mar  8 18:13:06.381: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
*Mar  8 18:13:07.381: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up
sw01#
*Mar  8 18:13:21.013: STP: VLAN0007 Fa0/3 -> learning
sw01#
*Mar  8 18:13:36.013: STP: VLAN0007 Fa0/3 -> forwarding
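Here is a small parser, added as an example and not part of the original post, that reads debug spanning-tree events output like the two captures above and reports, per port, which states it passed through, how long it sat in each, and whether it used portfast.  The two log strings are the post’s captures trimmed to the relevant lines; summarize_port and check_forward_delay are names I made up, and the 15 second forward delay is assumed to be the IOS default.

```python
import re

# Constructed samples: the post's two 'debug spanning-tree events' captures, trimmed
# to the relevant lines (assumed: same 2960, port Fa0/3 in VLAN 7, default timers).
PORTFAST_LOG = """\
*Mar  8 18:09:51.747: set portid: VLAN0007 Fa0/3: new port id 8003
*Mar  8 18:09:51.747: STP: VLAN0007 Fa0/3 ->jump to forwarding from blocking
"""
NORMAL_LOG = """\
*Mar  8 18:13:06.013: STP: VLAN0007 Fa0/3 -> listening
*Mar  8 18:13:07.381: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up
*Mar  8 18:13:21.013: STP: VLAN0007 Fa0/3 -> learning
*Mar  8 18:13:36.013: STP: VLAN0007 Fa0/3 -> forwarding
"""
# Only 'STP:' state-change lines count; LINK/LINEPROTO and 'set portid' lines are skipped.
STP_LINE = re.compile(r"^\*\w{3}\s+\d+ (?P<time>\d\d:\d\d:\d\d\.\d+): STP: "
                      r"(?P<vlan>VLAN\d+) (?P<port>\S+) ->\s*(?P<event>.+)$")

def parse_transitions(log):
    """Return [(seconds_since_midnight, vlan, port, event), ...] in log order."""
    out = []
    for line in log.splitlines():
        m = STP_LINE.match(line)
        if m:
            h, mi, s = m.group("time").split(":")
            secs = int(h) * 3600 + int(mi) * 60 + float(s)
            out.append((secs, m.group("vlan"), m.group("port"), m.group("event").strip()))
    return out

def summarize_port(log, port="Fa0/3"):
    """States the port passed through, seconds spent in each, and whether it used
    portfast (IOS logs that as 'jump to forwarding from blocking')."""
    events = [e for e in parse_transitions(log) if e[2] == port]
    if not events:
        return None
    states = [e[3] for e in events]
    dwell = {}  # state -> seconds until the next transition; forwarding has no 'next'
    for (t0, _, _, state), (t1, _, _, _) in zip(events, events[1:]):
        dwell[state] = round(t1 - t0, 3)
    return {"port": port, "states": states, "dwell_seconds": dwell,
            "portfast": any(s.startswith("jump to forwarding") for s in states),
            "time_to_forwarding": round(events[-1][0] - events[0][0], 3)}

def check_forward_delay(summary, forward_delay=15.0, tolerance=1.0):
    """True when every timed state lasted about one forward delay (IOS default 15 s),
    i.e. the 2 x forward-delay wait the post describes for a non-portfast port."""
    return all(abs(d - forward_delay) <= tolerance
               for d in summary["dwell_seconds"].values())
```

Running summarize_port over a longer debug capture makes it easy to spot ports that jumped straight to forwarding, which is the list you would want to compare against the ports where portfast is actually supposed to be configured.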

Send any obvious corrections and questions my way.

How Do You Know?

I’ve got a non-technical one for you today.  If you’re paying attention to stuff around you, you’ll probably end up with a little paranoia after reading this.

We’re having another circuit installed, and the LEC came out to do their end-to-end testing.  The tech, Dan, called me on the phone and told me who he was and what he needed to do; I agreed to meet him in the lobby and escort him on his way.  Now, I’ve never met Dan and can’t really vouch for him.  He had the polo shirt and khakis that we’ve all come to expect.  He had a pile of generic-looking badges on his belt with his picture and name on them.  He had a satchel full of tools and equipment.  He looked the part, but how hard is it to get a shirt, print up & laminate a few badges, and put some tools in a bag?  Was Dan really who he said he was?  Should I really have let Dan into the telco room?

In this case, I would say Dan was legitimate; he called the right phone number and mentioned the correct circuit we were installing, but I cannot say beyond a shadow of a doubt that he was supposed to be messing with that equipment.

My wife’s in retail, and I asked her if she has any similar stories.  She had quite a few, actually, usually involving the building’s security.  Her store has security guards come in and out from time to time, and it’s always a different person.  They never identify themselves to anyone in the store, but they’re decked out in the shirt we’ve all come to expect.  Around here, it’s illegal to identify yourself as the police if you’re not, and that includes patches and badges.  You can, however, go to the local store and buy security patches and maybe even a badge — now the outfit is complete.  How can employees in the store be sure that the guy with the security patches is really who he says he is?  Will people even question his being there?

People are known to be trusting.  That’s just how people are, and there’s nothing you can do about it.  We assume that people who say they are an authority are that authority, which is a bad thing if you’re trying to be secure.  A coworker on the security side loves to tell the story of the KFC in Manchester, New Hampshire, where a highly-skilled social engineer phoned in, told the employees that he was with the corporate office, and had them doing all sorts of things.  Let’s just say it ended with them all naked in the snow in the parking lot, urinating on each other, and lighting their clothes on fire — all just because someone on the phone told them to do so.  What would people do if you actually showed up looking the part?

The next time a vendor shows up, I think I’ll ask him to prove who he is just to see how he or she reacts.