This video is part of my complete practical CCNA course, where I'm not showing you things using simulations but demonstrating them with real equipment: Cisco switches, Linux (in this case Kali Linux, which I'll use to attack this network), Windows devices and a Mac. I've also got great news: Cisco is sponsoring this video and making labs available so that you can practice what I'm doing here yourself. Use the links below to access Cisco U so that you can practice this yourself. In the CCNA 200-301 v1.1 exam, they tell us that we need to know root guard, loop guard, BPDU filter and BPDU guard. In this video I'm specifically going to show you and demonstrate root guard, as well as BPDU guard, but rather than just using a simulation I'm going to attack these physical devices using Kali Linux and a Python script that I've written. You don't have to study the Python script for the CCNA exam (even though I highly recommend that you learn Python); what you need to know is how to use root guard and BPDU guard to protect a spanning tree network. I'm going to show you those two in this video, and in the next video I'll show you loop guard and BPDU filtering.
Did you know that you can join Cisco U for free and get access to a whole bunch of content? There is both paid and free content available on Cisco U. The paid tier has a huge amount of content: networking training, security training, cloud training and a whole bunch of other training. It's not just Cisco training; you also get access to third-party training as part of Cisco U. If you can't afford the price of Cisco U, there is a whole bunch of free training available, and you can get access to various tutorials created on Cisco U. Once again, you can practice what I'm showing you in this video on Cisco U for free. I really want to thank Cisco for sponsoring this video and for creating labs that go with this training, so use the link below to sign up to Cisco U, show the love, register for a free account, get access to the free content there and follow along with this video. Now back to me showing you how you can use Python to attack networks, after which I'll show you how to protect your networks from fake BPDUs sent into a spanning tree network using very basic Python scripts.
So let's start with root guard. What is root guard? It protects your spanning tree topology against unauthorized switches attempting to become the root bridge; in other words, switches that send superior BPDUs (Bridge Protocol Data Units) rather than inferior ones. A superior BPDU advertises a better bridge ID, for example a lower priority or, at equal priority, a lower MAC address, and would therefore win the election and become the root. We want to block that, so root guard blocks the port until superior BPDUs stop being received. This protects your network against attackers, which I'm going to demonstrate in this video, and against switches introduced into the topology with a lower priority or lower MAC address that would otherwise be elected root bridge.

In a spanning tree environment like this one, this switch could be the root and this one the backup root. We do not want other switches telling us that they are the root bridge or root switch. (The term "bridge" comes from the bridges that existed years ago when spanning tree was designed, so we usually say root bridge rather than root switch.) Here's an example: a rogue switch is introduced into the environment and sends superior BPDUs. Say our switch has a priority of 4096 and is the root bridge in the topology; the rogue switch sends BPDUs saying "I am the root bridge, my priority is 0", and it would therefore become the root. We want to stop that and make sure our switch remains the root bridge. In the same way, we don't want an access switch like this one telling the network that it's the root bridge. With root guard, a port on which superior BPDUs are received is put into the root-inconsistent (blocking) state for that VLAN. Note that this is not the err-disabled state; err-disabling a port when a BPDU arrives is what BPDU guard does, which I'll cover later in this video.

There's no better way to show this than a demonstration. In this example I'm using Kali Linux, running in a virtual machine on this laptop, and I'm going to send BPDUs from Kali using a Python script. At the moment the 9200CX switch in the middle is the root switch, but we're going to claim that we are the root by sending superior BPDUs. In our topology we have the 9200 here, a Cisco Catalyst 1000 switch (switch1) here and another Catalyst 1000 switch here, so three Cisco switches. The 9200 has a Mac connected to it and the 1000 series switches have Windows devices connected to them, but the important part of the network is what's going to happen on port Gi1/0/2 of the 9200.

On the 9200 I go to enable mode and type show spanning-tree. Notice that for VLAN 1 the root ID and the bridge ID are the same; the priority for both is 4097. That's because this switch (show run | include span shows it) has its priority set to 4096 (priorities are configured in increments of 4096), and for VLAN 1 the displayed priority is 4096 + 1 = 4097 because this switch uses extended system IDs, where the VLAN ID is added to the priority. So this bridge is the root; in other words the switch in the middle is the root switch, all of its ports are designated ports and all are forwarding, which is exactly what we expect of the root bridge. Again, show spanning-tree: the local switch is the root, the root and bridge priorities are the same and the MAC addresses are the same.

Kali Linux is connected to Gi1/0/2 on the 9200, and from there we're going to send BPDUs. ls on Kali shows the script stp_root_hack.py. I'll run the script so you can see what happens and then talk a bit about it; again, you don't have to learn the details of the script for the exam. It uses Scapy to create packets and inject them into the network: sudo python3 (I'm using Python 3) stp_root_hack.py. Before I run it, show spanning-tree once more: port Gi1/0/2 is a designated port, it's forwarding and the local switch is the root switch. Now I run the script and enter my sudo password. Packets are now being sent into the network. Previously Gi1/0/2 was a designated port; show spanning-tree now shows Gi1/0/2 as the root port. It's forwarding, but notice that the root switch has a MAC address of all zeros and a one. I don't know about you, but I think that's a little suspicious: which device has a MAC address of all zeros and a one? And notice the priority is 0. In other words, Kali Linux has become the root switch in the topology, and Gi1/0/2 is the root port of the 9200, pointing at Kali. Running a simple Python script has made Kali the root switch of our topology: the 9200 is no longer the root, and the root has a priority of 0 and that MAC address.

Now I stop the script on Kali. On the switch, show spanning-tree still shows a root port; give it a bit of time (the stored BPDU information has to age out) and, as you can see, Gi1/0/2 has become a designated port again and the switch is the root once more. If I run the script again, the switch immediately stops being the root and Kali Linux is the root. So with a simple Python script I'm able to change the root switch in a spanning tree topology.

This is what the script looks like, and again you don't need to know its details; I'm showing it for interest's sake. You can get the script from my GitHub using this link, or just search for David Bombal GitHub and you'll find my Scapy scripts. I import Scapy, which lets you create or forge packets of any kind: you can put layer three above layer
four, as an example; you can mix your layers up and do all kinds of interesting things with Scapy, including creating packets that shouldn't be allowed on a network. In this example I import Scapy and then capture a spanning tree frame: this is the destination MAC address used by spanning tree (01:80:c2:00:00:00), so rather than building a frame from scratch I capture a frame with that destination address off the network and then change some values in it. I change the source MAC address to this, so when the frame is sent we can see at layer two that the destination MAC is the spanning tree multicast address and the source has become a bunch of zeros and a one. The LLC header keeps the values that haven't been changed, which is the advantage of capturing a frame and then manipulating it: you don't have to build all the layers yourself. But notice the root MAC address and the bridge MAC address: in the packet I set both to this, and I set the root ID and the bridge ID to this. So I'm changing all the fields needed to ensure that my Kali Linux machine becomes the root: root ID, bridge ID and the MAC addresses set to a bunch of zeros and a one. The port ID, message age, max age and the other timers I've left at their defaults. Again, one of the advantages of grabbing a frame off the wire and just changing it is that what you send is a legitimate frame with a few values changed, rather than something you had to recreate entirely. You don't need to know this for the exam, but there is my simple Python script: I show the frame and then loop, sending 50 frames into the network with a one-second wait between them. So every second it sends a BPDU into the network saying "I am the root switch".

The net result, once again: show spanning-tree on the 9200 shows this port as a designated port and the switch as the root, but as soon as I launch the script it captures a frame off the wire, manipulates it and sends frames into the network, and the 9200 is no longer the spanning tree root; the root becomes Kali. You're going to want to stop this kind of nonsense, and the way to do that is root guard. I'll show you how to set up root guard first and then demo 2, where a switch with a lower priority becomes the root switch.

Root guard is enabled per port. Go into global configuration mode and then, on each interface (Gi1/0/1 as an example, or Gi1/0/2 for this specific demonstration), enable it with the command spanning-tree guard root. As simple as that. If you type show run and look at an interface such as Gi1/0/1, you'll see that command under the interface. Before continuing with the slides, let's do it so we can see what happens practically. On the switch: conf t, interface gigabitEthernet 1/0/2, then spanning-tree ?, guard ?, root ? and enter. That's all it takes; root guard is now enabled on that interface. In my topology I also have interfaces to the two other switches, so I could enable root guard on those ports as well. Let's do that while we're here: up arrow twice, interface gigabitEthernet 1/0/3, spanning-tree guard root, then interface gigabitEthernet 1/0/4 and spanning-tree guard root. That may not be so clear, so show run | begin gig, and you can see in the running configuration that this interface, this interface and this interface have spanning-tree guard root configured.

So let's see what happens when Kali Linux sends BPDUs into the network. I clear the screen and run the command again: sudo python3 stp_root_hack.py. Packets are being sent into the network and straight away the switch logs a root guard message: root guard blocking port Gi1/0/2 on VLAN 1. show spanning-tree now shows Gi1/0/2 as blocking for VLAN 1 with the status root inconsistent. This is done per VLAN: for VLAN 1 that port is blocked. A moment later the switch logs that root guard is unblocking the port on VLAN 1, because BPDUs are no longer being received; the port moves to the learning state, becomes a designated port again and transitions to forwarding after a period of time, which it has now done. No BPDUs are being received because Kali only sends 50 frames and then stops, but if I run the script again the port is blocking again: show spanning-tree marks it root inconsistent.

So what triggers root guard to block a port? The trigger is a superior BPDU received on that port. The port is then put into the broken state for that VLAN; I said blocking, but the port state is actually shown as broken (BKN*) with the status root inconsistent, and all traffic on it is discarded. The port is restored automatically once superior BPDUs are no longer received, which is what we saw: root guard unblocking port Gi1/0/2 on VLAN 1 because no superior BPDUs are arriving any more. You can use show spanning-tree inconsistentports to see which ports are in an inconsistent state, so at the
moment show spanning-tree looks good and show spanning-tree inconsistentports shows no inconsistent ports. Let's change that by running the script again so that root guard blocks the port: show spanning-tree inconsistentports now lists Gi1/0/2 on VLAN 1 as root inconsistent, and the number of inconsistent ports in the system is 1. If we look at the specific interface with show spanning-tree interface gigabitEthernet 1/0/2, we see that this interface, unlike Gi1/0/1, is broken, with root inconsistent as its current state. Once no BPDUs are being received, running the command again shows it back as a point-to-point link, role designated, status learning; that takes a bit of time and then it goes to forwarding, as you can see there. Send BPDUs into the network again and the port blocks: show spanning-tree shows status broken, type root inconsistent. I think I've covered that enough.

The last root guard demonstration is simply to turn one of the existing switches into a root switch. Rather than introducing another switch into the topology, I'll make switch1 claim to be the root. On the 9200, show spanning-tree: at the moment it is the root switch and all ports are designated and forwarding. On the 1000 series switch switch1, the switch at the top, I type spanning-tree vlan 1 priority 0. The reason for 0 is that show run | include span tells me the 9200 has a priority of 4096, so I need to give the 1000 series switch a lower priority. Straight away the 9200 logs root guard blocking on Gi1/0/3, and show spanning-tree shows this port as broken, root inconsistent. On switch1, show spanning-tree says that it is the root switch and all ports are designated; looking again, for VLAN 1 its priority is 1 (0 plus the extended system ID), so it thinks it's the root switch, but on the other side the 9200 is blocking the port towards the 1000 series switch. So I remove that command. show spanning-tree on switch1: it still thinks it's the root for a moment, then learns that it's no longer the root; the switch with priority 4096 and this MAC address, in other words the 9200, is the root. The local switch now has a numerically higher priority and MAC address, so it has a root port forwarding towards the root switch, and on the 9200 the port is no longer blocking because no superior BPDUs are being received. I think that's enough: I have shown you how to enable root guard with this simple command. You do that on ports where you don't want to receive superior BPDUs, and if one is received, the port is blocked for that VLAN.

Now let's talk about BPDU guard and how you can use it to protect a spanning tree network. On ports such as these two, connected to PCs, you may enable PortFast so that spanning tree doesn't go through the blocking, listening and learning stages and the port goes to forwarding immediately. The problem is what happens if BPDUs are received from a client. In that case we want BPDU guard enabled, so that the port is err-disabled if a BPDU is received. A user with a PC may be connected directly to a switch but may decide to plug in their own switch so that two PCs can connect to the network. That switch may send BPDUs and could become the root bridge; remember, the lowest priority and then the lowest MAC address wins, which means that an old switch could potentially become the root bridge of your topology. Another thing a user may do is connect two of their ports to the switch, which causes a loop if PortFast is enabled on your edge switch. The moral of the story: don't trust your users. Enable BPDU guard on PortFast ports so that users can't, by mistake or on purpose, cause spanning tree loops or otherwise disrupt your topology.

For this demonstration I've changed the topology slightly.
I've made switch1 the root bridge, so this little 1000 series switch is now the root, and I've changed the cabling so that the 9200 in the middle is connected to the bottom switch, c1002, on port Gi1/0/4, and c1002 is connected to the top switch. So from the 9200's point of view, to get to the root bridge it has to go via c1002, the bottom switch; show spanning-tree on the 9200 shows that its root port is Gi1/0/4. Kali Linux is now going to send BPDUs claiming that it has a better path to the root bridge, so we're telling the 9200 to use the port towards Kali to reach the root, which means the switch should block its real uplink because it believes it has a better path. That will cause problems in the network: if this Mac sends traffic to this PC or that PC, the traffic won't get through because the real uplink is now blocking. So we're going to make this switch believe that its root port is the port to the Kali Linux machine, and when the Mac tries to send traffic through the network it won't work. We're essentially going to break this network.

On the MacBook at the top I have a continuous ping running to both PCs. On the Mac, ifconfig | grep 192 shows that its IP address is 192.168.1.2; it's pinging 192.168.1.1, this Windows computer, and 192.168.1.3, the Windows computer at the top. Let's break the network with a simple Python script once again; it looks like this. Essentially we sniff a spanning tree frame (the destination MAC address is the spanning tree multicast address), manipulate it so that the root path cost is zero, and send 50 frames into the network. ls on Kali, then cat stp_block.py shows the script; again, you don't need to know this Python script for the exam, I simply want to show you a practical example. sudo python3 stp_block.py, but before I hit enter, notice once again that on the 9200 the root port is Gi1/0/4, and Gi1/0/2, where the laptop running Kali is connected, is a forwarding designated port. Press enter and put in my password, then go back to the switch: the root port has become Gi1/0/2, and Gi1/0/4, which was the root port, is now an alternate port in the blocking state. It was forwarding and is now blocking because the switch believes the best path to the root is via the attacking machine, which obviously it isn't. What you'll notice is that the pings on the MacBook are failing: the Mac is no longer able to ping 192.168.1.1, this Windows computer, or 192.168.1.
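As an added example (my own code, not the script from the video or from David Bombal's GitHub), here is a small pure-Python model of what both scripts manipulate and what root guard reacts to. It encodes and decodes an 802.1D Configuration BPDU with the standard library only, applies the 802.1D comparison (root ID, then root path cost, then sender bridge ID, then sender port ID) to decide whether a received BPDU is superior, and replays the two attacks from this video, the priority-0 root claim and the path-cost-0 "block" attack, against a root-guarded port. The MAC addresses and the root path cost of 8 are constructed values; the priorities follow the video.

```python
"""Minimal 802.1D Configuration BPDU encoder/decoder plus the comparison rule
that makes a received BPDU "superior", which is the event Root Guard acts on.
Standard library only: no Scapy, no network access. (Added example.)"""
import struct

STP_DST_MAC = "01:80:c2:00:00:00"          # 802.1D BPDU multicast destination
LLC_HEADER = b"\x42\x42\x03"               # DSAP 0x42, SSAP 0x42, UI control
BPDU = struct.Struct("!HBBB8sI8sHHHHH")    # 35-byte Configuration BPDU body

# Constructed lab values: priorities match the video, the MACs are made up.
SW9200_MAC = "00:11:22:33:44:55"
SW1_MAC = "00:aa:bb:cc:dd:ee"
KALI_MAC = "00:00:00:00:00:01"


def bridge_id(priority: int, vlan: int, mac: str) -> bytes:
    """8-byte Bridge ID with extended system ID: 4-bit priority (multiple of
    4096), 12-bit VLAN, 6-byte MAC. Priority 4096 in VLAN 1 displays as 4097."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("vlan out of range")
    return struct.pack("!H", priority | vlan) + bytes.fromhex(mac.replace(":", ""))


def build_bpdu(root: bytes, root_cost: int, sender: bytes, port_id: int = 0x8001,
               msg_age: int = 0, max_age: int = 20, hello: int = 2,
               fwd_delay: int = 15) -> bytes:
    """Encode LLC + Configuration BPDU. Timers are seconds here, 1/256 s on the wire."""
    body = BPDU.pack(0x0000, 0x00, 0x00, 0x00, root, root_cost, sender, port_id,
                     msg_age * 256, max_age * 256, hello * 256, fwd_delay * 256)
    return LLC_HEADER + body


def parse_bpdu(payload: bytes) -> dict:
    """Decode the LLC+BPDU payload of a frame addressed to STP_DST_MAC."""
    if payload[:3] != LLC_HEADER:
        raise ValueError("not an STP LLC payload")
    (proto, _ver, btype, flags, root, cost, sender, port_id,
     _age, max_age, hello, fwd) = BPDU.unpack(payload[3:3 + BPDU.size])
    if proto != 0 or btype != 0:
        raise ValueError("not a Configuration BPDU")
    return {
        "root_priority": struct.unpack("!H", root[:2])[0],
        "root_mac": root[2:].hex(":"),
        "root_cost": cost,
        "sender_priority": struct.unpack("!H", sender[:2])[0],
        "sender_mac": sender[2:].hex(":"),
        "port_id": port_id,
        "flags": flags,
        "max_age": max_age // 256,
        "hello": hello // 256,
        "fwd_delay": fwd // 256,
        # 802.1D comparison order; Python compares the tuple field by field.
        "_vector": (root, cost, sender, port_id),
    }


def is_superior(received: bytes, own: bytes) -> bool:
    """Lower root ID wins, then lower root path cost, then lower sender bridge
    ID, then lower sender port ID. `own` is the BPDU the switch itself would
    send on the receiving port."""
    return parse_bpdu(received)["_vector"] < parse_bpdu(own)["_vector"]


def root_guard(received: bytes, own: bytes) -> str:
    """Root Guard: a superior BPDU on a guarded port puts that port into the
    root-inconsistent (BKN*) state for the VLAN; anything else is left to STP."""
    return "root-inconsistent" if is_superior(received, own) else "unaffected"


def demo_root_attack() -> dict:
    """Demo 1: the 9200 (priority 4096) is root; Kali advertises priority 0."""
    me = bridge_id(4096, 1, SW9200_MAC)
    own = build_bpdu(me, 0, me)                     # what the 9200 sends on Gi1/0/2
    kali_id = bridge_id(0, 1, KALI_MAC)
    kali = build_bpdu(kali_id, 0, kali_id)
    return {"root_priority_seen": parse_bpdu(kali)["root_priority"],
            "superior": is_superior(kali, own), "guard": root_guard(kali, own)}


def demo_block_attack(real_cost: int = 8) -> dict:
    """Demo 3: switch1 (priority 0) is root; the 9200 reaches it through c1002
    on Gi1/0/4 at real_cost (two Gigabit hops at the short-method cost of 4).
    Kali repeats the real root ID but claims root path cost 0, so its BPDU wins
    on cost alone and Gi1/0/2 would become the root port; Root Guard on Gi1/0/2
    blocks it instead."""
    root = bridge_id(0, 1, SW1_MAC)
    own = build_bpdu(root, real_cost, bridge_id(4096, 1, SW9200_MAC))
    kali = build_bpdu(root, 0, bridge_id(0, 1, KALI_MAC))
    return {"same_root": parse_bpdu(kali)["root_mac"] == parse_bpdu(own)["root_mac"],
            "superior": is_superior(kali, own), "guard": root_guard(kali, own)}


if __name__ == "__main__":
    print("root attack :", demo_root_attack())
    print("block attack:", demo_block_attack())
```

Two things worth taking from this: the block attack never needs a better bridge ID, it only repeats the real root ID with a lower cost, so a BPDU that "looks like ours" is still superior; and root guard catches both cases because it acts on the comparison result, not on who claims to be root. On the switch the matching commands are spanning-tree guard root on the switch-facing ports, as configured above, and, for the PortFast edge ports, spanning-tree bpduguard enable per interface (or spanning-tree portfast bpduguard default globally), optionally with errdisable recovery cause bpduguard so an err-disabled port recovers on its own.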