Cisco CCNA ICND2 640-816

General Switching: Troubleshooting and Security Best Practices

by Jeremy Cioara


00:00:00 - So you're sitting at your desk on a cheery Friday morning and
00:00:05 - your phone rings, you pick it up and answer, hello. The person
00:00:09 - on the other end says hey, this is John over in the sales department,
00:00:12 - how are you doing and you'll say good and he'll say I'm having problems. My computer
00:00:16 - I can't do anything, the email doesn't work, the internet
00:00:20 - doesn't work, you know, I don't know what
00:00:24 - to do, but I do know that in the lower right-hand corner, you know by
00:00:27 - the clock in Windows it has this little picture of the computer
00:00:31 - with an X over it. I think that means something's, something's
00:00:35 - bad. So stop right there, pause on a Friday; what goes through
00:00:39 - your mind as somebody describes to you that in Windows there's a
00:00:43 - little computer with an X over it in the lower right
00:00:45 - hand corner by the clock. Well you may be thinking oh it must be network
00:00:50 - disconnected; it could be a port shut down; it could be a bad
00:00:54 - network card; there's a lot of things that should immediately
00:00:57 - shoot through your mind as you get more and more experience in the
00:00:59 - Cisco world and that's what I hope to give you as you walk
00:01:03 - through this video, is just a switch troubleshooting thought
00:01:06 - process; how to think through problems as they come up.
00:01:10 - I will then show you from my experience some common troubleshooting areas for
00:01:13 - the switched network that you may run across. Finally,
00:01:18 - the layer two world, the data link layer switches, are one of
00:01:22 - the softest squishiest areas for security in the network world
00:01:26 - today. Now that is changing because there's been so much focus
00:01:29 - on firewalls and internet security, that a lot of people have
00:01:34 - left switches behind. As I mentioned that is changing and I want to show
00:01:37 - you some of the best practices from Cisco security recommendations
00:01:41 - for your switch network.
00:01:44 - When troubleshooting a switched network, the number one thing
00:01:48 - that can help you is to be familiar with that network and
00:01:51 - you can partner that with number two on the screen, absolutely
00:01:55 - have an accurate network diagram. Those two things combined
00:01:59 - together will give you 90% of your troubleshooting.
00:02:03 - For example, you've seen just going through this series,
00:02:06 - the network diagram we've been using has evolved, it's a living
00:02:10 - diagram. As we add trunks to the network, we show lines connecting,
00:02:14 - we label them trunks, we add VLANs to the network, we show what
00:02:17 - ports are in the VLANs, we show WAN links, we show IP
00:02:20 - addresses. In a Cisco admin's life, the network diagram is the
00:02:25 - lifeline of the network. If you let that go then troubleshooting
00:02:30 - becomes just a nightmare no matter what. So troubleshooting
00:02:34 - switch networks thankfully
00:02:37 - with those two things in place, with familiarity, that's
00:02:42 - a tough one to say, and an accurate network diagram, it should
00:02:46 - not be too bad. There's not too much that can go wrong at layer
00:02:49 - two. Now
00:02:51 - don't take that to say that there's nothing bad that can happen
00:02:54 - at layer two, there's all kinds of crazy stuff that can go on, but if you
00:02:57 - are familiar and have an accurate network diagram, you're 90%
00:03:00 - of the way there. Once those two pieces are in place whenever
00:03:04 - an issue comes up you need to, I guess, learn to work logically.
00:03:09 - This is the best way I can say it, is this is something that only
00:03:12 - comes with experience. I know we're talking at the CCNA
00:03:16 - level, but as you sit in network environments and you
00:03:20 - will get experience as you get your CCNA, as you move into a
00:03:24 - more network realms, you'll have experience with just common
00:03:28 - things that come up. And you'll be able to work logically from
00:03:31 - the bottom up and what I mean by that is with the OSI model. Now
00:03:36 - the reason I hesitate to say, use the OSI model for troubleshooting,
00:03:40 - is because sometimes it just doesn't make sense. For example
00:03:45 - somebody is saying, hey I can get to these
00:03:49 - websites, but I can't access the server, I don't know, can you help me
00:03:52 - out? I mean step one of that isn't to go, well let's think is your
00:03:57 - network cable connected? Is there a break in the line?
00:04:00 - You know insert professional voice man there, I don't know
00:04:04 - where that came from. So you don't, you think okay they're
00:04:08 - surfing the net, they're not able to get to that server, okay,
00:04:12 - maybe there's some routing issues between the VLANs, maybe other
00:04:15 - security between the VLANs that's blocking that person
00:04:18 - from the server. So when you're working logically, you need
00:04:22 - to take the problem that's being described and then apply
00:04:25 - what you know about the network to be true. Meaning if they're
00:04:28 - able to surf the internet that means they are physically connected;
00:04:31 - they're getting out of the network; NAT is working properly.
00:04:34 - All those kinds of things instantly come into your mind, but
00:04:38 - that's not to say that nothing really happens at the physical
00:04:42 - layer. There are times where I'll be troubleshooting a problem
00:04:45 - for an hour and then come to find out, oh
00:04:49 - it's a button on the laptop that turned off the network card or
00:04:53 - something like that. You know it's just one of those kinds
00:04:55 - of issues. So working logically from the bottom up, combining
00:04:59 - the experience in the familiarity with your network is the
00:05:02 - best troubleshooting process for any network.
00:05:05 - I'm glad I talked about that thought process first, because I was just
00:05:08 - thinking, I am going to give you some common troubleshooting issues that
00:05:12 - you may run into and some of the solutions. This is not one
00:05:15 - of those lists to memorize and say, okay if that happens I do
00:05:18 - this. It needs to blend into that logic and that train of thought
00:05:22 - to think, oh I've heard of something like that before,
00:05:25 - let me check these general areas. So here are some of the common
00:05:28 - issues. First off on the port, these are with the physical ports themselves.
00:05:32 - Number one cabling issues, never hurts to just verify that things
00:05:36 - are connected right. Second, verify that speed and duplex
00:05:40 - are auto negotiating correctly.
00:05:43 - As I mentioned in some of the previous videos, speed and duplex
00:05:46 - is set to auto by default and it's got, you know, 90-95%
00:05:50 - success rate, so it's pretty good, but that means that you will
00:05:54 - occasionally have a duplex mis-negotiation, if that's the word,
00:05:59 - but it's never the speed, the speed always works out okay. It's the
00:06:03 - duplex, one side will be set to half, the other side will be full. What
00:06:07 - will happen is you will get very poor performance from that device, because
00:06:11 - you're dropping tons of packets. Now on some of the switches in
00:06:15 - some, I guess,
00:06:17 - devices that access the network a lot, high traffic devices, it will
00:06:21 - send so many errors to the switch, the switch will shut down the port
00:06:24 - or technically put it into an error-disabled state. So if it does
00:06:29 - that, that's the better in my opinion, because their port
00:06:32 - goes out and they'll call you right away and you can go and go,
00:06:35 - oh I see you've got a ton of errors, let's figure this out.
00:06:38 - So hard coding the speed and duplex on those ports is the best
00:06:41 - bet. Finally check that the assigned VLAN has not been deleted.
00:06:46 - So here's the scenario, you've got a PC that's plugged
00:06:51 - into a switch and it's assigned to VLAN 10, but VLAN 10
00:06:56 - has been de-commissioned, meaning the company is no
00:06:59 - longer going to be using VLAN 10 for their network. Well
00:07:02 - you may think you've moved all the devices out and then remove
00:07:06 - VLAN 10 and what will happen to this port is it becomes kind of a nothing
00:07:11 - port, it becomes lost literally. The light on the front of the
00:07:15 - port is your best indicator because it will immediately turn
00:07:18 - amber, there will be an orange color, so you can just look at the
00:07:21 - port and go oh there's a problem, do some show commands.
00:07:25 - If a computer is assigned to a port or I should say a port is
00:07:30 - assigned to a VLAN and that VLAN no longer exists, the
00:07:34 - port goes into this limbo state, where it just can't access anything.
00:07:39 - It's not like it goes back to the default VLAN or anything. So you'll
00:07:42 - know if the VLAN has gone, because the device that's attached cannot
00:07:46 - access anything.
00:07:49 - Now we move into the spanning tree issues. Spanning tree issues
00:07:52 - if you have an issue will be a major one. With spanning, well I shouldn't say
00:07:57 - always, but most of the time it's going to be like network down,
00:08:01 - fire in the hole, people screaming and all that kind of stuff. It's
00:08:03 - a major issue. I guess the thing
00:08:08 - that I can tell you that you'll be able to see if there's a
00:08:11 - spanning tree issue, is if you walk into the IT room and look
00:08:15 - at the switches, they'll all be just blinking like mad.
00:08:20 - If you've worked in a network for while, you'll get the general
00:08:23 - feel for just how things look when you walk into the IT room.
00:08:26 - You know you'll see some lights blinking here and there. You know
00:08:29 - some lights are going to be green and solid and so on, but when
00:08:32 - you go into a spanning network where there's a spanning tree
00:08:35 - issue and I should say more specifically a loop has occurred,
00:08:38 - where there's, there's looping packets. You'll know it because
00:08:41 - you'll walk into that IT room and it just looks like
00:08:45 - a Bon Jovi light show, it's just wow, you know everything is
00:08:49 - going crazy and that should immediately trigger in your mind something
00:08:53 - is very wrong, as in you know probably a spanning tree issue.
00:08:57 - What's happening is all of your switches will be pegged, you know
00:09:01 - 90 to 100% processor utilization. All the PCs
00:09:05 - and networks will probably be down, although some may get
00:09:08 - some access but very slowly because everything is so saturated.
00:09:12 - So to solve the immediate issue, grab your network diagram, remember
00:09:16 - that familiarity and disconnect your redundant links. If a loop
00:09:20 - has occurred that means spanning tree is broken down somewhere
00:09:23 - in the network, find the redundancy and start disconnecting it.
00:09:27 - That will eliminate the immediate issue and at least
00:09:31 - get the network back and operational. Sure redundancy isn't in
00:09:34 - place, but that's a side note. We don't need redundancy
00:09:37 - if the networks are down. So from there, ensure all links are
00:09:42 - reflected on a network diagram. There are plenty of times, it has
00:09:47 - happened to me, where people just start daisy chaining hubs to another
00:09:50 - hub to another hub and so on. Now we don't get too deep into spanning
00:09:54 - tree in the CCNA level,
00:09:57 - but spanning tree has an effective radius, meaning distance
00:10:03 - of about five devices. So when you have a switch in your network,
00:10:07 - if you plug another switch into it and daisy chain another switch
00:10:10 - and daisy chain another switch, you know what I mean, this daisy chaining effect.
00:10:13 - Well you can get about five away before spanning tree just starts breaking
00:10:16 - down. So somewhere around here if you accidentally connect
00:10:20 - something like that, spanning tree won't be able to detect a
00:10:23 - loop then chaos breaks out. There's actually, I read this; ah I
00:10:27 - wish I could remember what it was. There's this great White
00:10:30 - paper about a hospital. It's literally a Cisco hero story where
00:10:36 - there's this hospital where this exact situation occurred. Where they just,
00:10:40 - you know the network kept growing and somebody, just not even
00:10:43 - thinking, plugged this switch and plugged in another computer and the
00:10:46 - entire hospital network went down. Now when you're talking hospitals,
00:10:51 - you're talking life support systems; you're talking doctor
00:10:55 - notification systems, I mean that's a network right there
00:10:58 - where people are depending literally and lives depend
00:11:02 - on the network and Cisco got the call that the whole hospital had
00:11:05 - gone down. This White paper, I've got to find it for you, hang on, hang on;
00:11:11 - I've got to write this down. I am opening a little notepad document over here,
00:11:16 - find hospital
00:11:19 - White paper. It's a great read, I'm telling you, because I'll give you
00:11:25 - the climax of the story. Cisco literally throws a bunch
00:11:29 - of CCIEs on a plane from San Jose, flies them
00:11:33 - out to this hospital. Within, it's some goofy amount of time,
00:11:37 - like five hours, they completely gut out the entire hospital
00:11:41 - network and put in all new Cisco equipment.
00:11:44 - They're not even troubleshooting the problem, they're just
00:11:47 - gutting the thing and putting new Cisco gear in to bring the
00:11:50 - network back online, because you know lives are dependent
00:11:53 - on this. So, anyway it ends up being that the whole story
00:11:57 - is that it was a spanning tree issue that took the hospital
00:12:00 - down. So
00:12:02 - what was I talking about, here we go; so links are reflected
00:12:06 - on the network diagram. Make sure the root, oh that's
00:12:10 - how I got on that story. There's a lot of times where
00:12:13 - people will start daisy chaining things and network diagrams never
00:12:16 - get updated, that's my point in telling you that. A lot
00:12:19 - of times employees say, oh let me hook you up here Fred, they
00:12:22 - just daisy chain a switch, not knowing of the ramifications. So again port
00:12:27 - security is big on that one, we'll talk about that later time. Alright, ensure
00:12:31 - root bridge selection is appropriate. Meaning, find the core switch
00:12:35 - of your network and elect that as your root bridge. Make sure all switches
00:12:40 - are running rapid spanning tree protocol if possible. Meaning,
00:12:44 - if you have a fairly modern network where all the switches
00:12:47 - are newer so rapid spanning tree will recover much faster.
00:12:51 - Alright enough on spanning tree. VLAN and trunking issues. VLAN
00:12:55 - issues, number one watch out for native VLAN mismatch. Now
00:12:59 - again the native VLAN is what a trunk port is assigned to
00:13:04 - if it's not trunking. It was for, if you had a hub in
00:13:08 - the middle of two switches. So if this is a trunk port the native
00:13:11 - VLAN on each of these should be the same; by default on
00:13:15 - Cisco switches the native VLAN is one. If you have a native VLAN
00:13:19 - mismatch, the switch will start reporting it on the screen. It will
00:13:23 - say hey, native VLAN mismatch detected and that would be maybe this
00:13:27 - one is VLAN 10 and this is VLAN 1.
00:13:30 - What happens if you have a native VLAN mismatch, is that the
00:13:34 - VLANs will bleed together, meaning traffic from VLAN 1 and broadcasts
00:13:39 - in VLAN 1 will bleed into VLAN 10 and VLAN 10
00:13:42 - broadcasts will bleed into VLAN 1. You can have issues like
00:13:46 - IP addresses from the wrong subnet being assigned, because
00:13:49 - DHCP requests end up flying to the wrong VLAN. So
00:13:53 - just make sure that on your trunk ports, the native VLAN is set
00:13:57 - to be the same. If you need more info on the native VLAN,
00:13:59 - it's back in the VLAN Nuggets. That's where
00:14:03 - we talked about that originally, so I don't want to rehash that
00:14:06 - whole thing here. Hard code trunk ports to on, you might remember
00:14:10 - that by default every port of a Cisco switch is set to
00:14:15 - dynamically negotiate. Meaning if a computer plugs in,
00:14:19 - it becomes an access port, if another switch is detected, it becomes
00:14:22 - a trunk port. That's not good for security and just management
00:14:26 - purposes so just hard code things. Hard code all your
00:14:30 - trunk ports to on, on the ones you want to be trunks. Verify IP address
00:14:34 - assignments in a VLAN. Make sure that the VLAN subnet
00:14:37 - is the same subnet that all the PCs are ending up with and use
00:14:41 - ping and trace route to diagnose routing issues. Those are your
00:14:44 - best friends when trying to figure out what's wrong with maybe
00:14:47 - your router on a stick that gets you off the VLAN.
00:14:50 - Lastly VTP issues; VLAN trunking protocol. Number
00:14:55 - one, verify your trunks. VTP is the VLAN trunking protocol,
00:15:00 - it's used to replicate VLANs and I mentioned it when we were talking about
00:15:04 - it before, VTP is not a trunking protocol even though it's
00:15:07 - in the name, it just replicates. But the reason it got that name is because
00:15:12 - VTP only works over trunk links. So verify that you
00:15:15 - have trunks. Second, verify all the VTP info. Make sure
00:15:19 - the domain name, the password, the version numbers and
00:15:22 - VTP modes; you might remember server, client, or transparent mode
00:15:26 - for VTP. Verify that all those things line up and last
00:15:31 - but not least, you don't find this in much Cisco documentation,
00:15:34 - but to completely flush all VLAN information off a switch,
00:15:40 - you want to go into privileged mode and type in
00:15:45 - delete flash:vlan.dat. All the VLAN information
00:15:51 - is stored in that file. You'll never see VLAN information
00:15:55 - in the running config. If you do a show run, you won't see any VTP,
00:15:59 - nothing, it's all stored in vlan.dat, it's kept separate.
00:16:02 - So if you want to truly flush a switch, just, again, delete
00:16:06 - that file and reboot, that will clear out all the VLAN information.
00:16:12 - Now let's take a turn and look at switch security. Actually
00:16:15 - before we do I want to bring up that hospital White paper I promised
00:16:19 - I would find. I sort of found it, I can't find the original paper itself.
00:16:24 - There was a PDF and if you find that, that would be awesome if you could
00:16:27 - email me. But right on here on Google, I want you to go to Google
00:16:31 - and type in Cisco hospital white paper spanning tree. It's a
00:16:36 - strange string, but that will find it. These first two links are the
00:16:39 - same article. It's a shorter version of the original full article
00:16:43 - which is called All systems down. Actually it's very well
00:16:47 - written, it's almost like a suspense novel.
00:16:51 - It essentially walks through how the hospital
00:16:54 - network failed and the four days that it took to get it up
00:16:58 - and running. Actually, as I read through the article again,
00:17:01 - I couldn't stop myself. There was one thing I just
00:17:05 - misspoke on the previous slide, the distance that spanning tree
00:17:08 - can go is seven switches not five. I said five, so they actually
00:17:13 - went beyond seven switches at this network in multiple links.
00:17:16 - So it blew everybody's mind. Alright, with that let's turn back to switch
00:17:20 - security. Most of the focus in networks today and I think I
00:17:24 - mentioned this at the beginning of this video, is on the
00:17:27 - network perimeter. Just about every article and magazine is
00:17:31 - all talking about internet security and how you need to protect
00:17:34 - your internal network from the internet. So everybody focuses
00:17:38 - their eyes right here on this boundary, between the internet
00:17:44 - and the internal switched world. Now
00:17:48 - the problem with that is, first off it's not a problem, you definitely
00:17:52 - need internet security, but it leaves the inside of your network
00:17:56 - like a squishy oreo center. If somebody gets in, then they just
00:18:00 - have fluff to cut through, there's no security there
00:18:03 - to stop them.
00:18:05 - Now thankfully wireless has actually added a lot of eyes to the internal
00:18:08 - network, because wireless broadcasts your internal network to the
00:18:12 - rest of the world, so we've had to increase the security. So
00:18:17 - here is the security checklist that Cisco recommends you go
00:18:20 - through. Number one is physical security. If somebody can get to
00:18:25 - your switch physically they can do a lot of damage very quickly.
00:18:30 - As a matter of fact, I am not too sure how many of you know this,
00:18:32 - but on a Cisco stackable switch, and when I say stackable, I mean just
00:18:36 - the normal small switches you buy for networks, not the big
00:18:40 - chassis ones like the 6500 series, but just a normal switch.
00:18:43 - If you hold the button on the front of the switch, it's
00:18:47 - the little mode button for 10 seconds or more, the switch will
00:18:52 - automatically erase all its configuration and go back to the
00:18:55 - factory default. Now you can turn that feature off, but most people
00:18:59 - don't even know that feature exists so just about every
00:19:02 - switch that I've seen leaves it on. So if somebody busts
00:19:05 - into the IT room or just gets to the switch; well, let's not make it
00:19:08 - so dramatic and holds one of those buttons for 10 seconds,
00:19:11 - they can completely nuke the config. So physical security is a
00:19:14 - must. Second, is set passwords and logon banners. We talked about
00:19:19 - that already on console ports, on VTY lines, enable
00:19:22 - secret. A third is disable the web server.
00:19:27 - On older IOS versions, the web server feature is enabled
00:19:31 - by default and even on some of the newer versions. To disable
00:19:35 - it go into global config mode and type in no ip http server.
00:19:40 - That shuts it off. You can also type in no ip http
00:19:45 - secure-server.
00:19:47 - This one doesn't have it, there's actually on other IOS
00:19:50 - versions the secure server, which is the HTTPS version. That
00:19:55 - one is not on by default, but if you want to shut down both web
00:19:58 - servers that's how you do it. The web interface is most of the
00:20:03 - time not useful anyway. Now some of the newer switches have
00:20:06 - a full-blown graphic interface that show the switch and you
00:20:09 - can actually point and click, it's very pretty, but most
00:20:12 - of the older ones don't have that. When I say older
00:20:15 - I mean a year or two old. So they'll just have a text window
00:20:19 - where you can start executing commands and there are some vulnerabilities
00:20:22 - that have been found in that web server. So just turning it
00:20:25 - off is the best bet.
00:20:27 - Limit remote access subnets and we'll talk about access
00:20:30 - lists in a moment, but what that means is don't let people telnet
00:20:34 - into the switch or SSH into the switch that don't belong
00:20:37 - there. If somebody can telnet to the IP address of the
00:20:40 - switch they can just randomly begin trying passwords to break
00:20:44 - in. By using an access list,
00:20:47 - you can say only this IP address or only this subnet of addresses
00:20:53 - is allowed to telnet to the switch or SSH to the
00:20:56 - switch. So when possible, block it down that way. Next use SSH
00:21:01 - rather than telnet. I will fully admit to you that
00:21:04 - SSH is more inconvenient, not only because it's
00:21:09 - a pain to set up, but also because telnet is just about
00:21:14 - embedded in every operating system. You go to Windows and open
00:21:17 - a command prompt and you've got telnet. You don't have to download
00:21:20 - PuTTY or Tera Term in order to get SSH capabilities.
00:21:24 - So telnet is a little bit more inconvenient, but SSH is far more
00:21:29 - secure. Next configure logging. Most people will just leave
00:21:35 - logging at default. Which is on the console. What that means is
00:21:39 - you see right there, I'm connected to the console port,
00:21:42 - every time you do something it will report something to the
00:21:45 - screen or any time an interface goes up or shuts down, it will
00:21:48 - report to you this interface is up or down. All the reporting
00:21:52 - is sent to the console port. Now the best bet to track
00:21:59 - that, is to go into global config mode and type in logging. I'll show you
00:22:05 - the simplest way; logging buffered
00:22:09 - and then type in a memory level. So we'll just say 64,000.
00:22:14 - What that does is allocate 64,000 bytes
00:22:18 - which is a decent amount it's not a huge amount, I'd say it will
00:22:21 - hold maybe
00:22:23 - depending on the type of network, but maybe three, four, five
00:22:26 - days of logging information on what's happening on a switch
00:22:30 - to the memory. So you can then go back and type in show log
00:22:36 - and it will show you all of, well, see; you can see right there 64,000
00:22:39 - bytes. No messages have been generated yet. Here, let me do this.
00:22:44 - Let's generate some messages.
00:22:47 - I'll do a shut down, no shut down. There we go, it's back up, interface 0/24
00:22:55 - shut down, no shut down, just you know get some messages
00:22:59 - going on here, there we go. Now I'm going to go back and do a show log.
00:23:05 - Full command is show logging and you can see all of the stuff
00:23:08 - that happened is saved in that memory buffer. So I can go
00:23:12 - back and see what's going on. Now of course there's going to
00:23:14 - be more interesting stuff than interfaces going up and going down
00:23:18 - on a full production switch, but that is setting up logging.
00:23:21 - The other way that you can log, is you can type in logging from
00:23:25 - global config mode and type in the IP address of a remote
00:23:29 - host. Now that remote host could be just a PC running, I'll show you a handy program
00:23:36 - of the day. It is, let's see if I can remember, let me open a new window
00:23:41 - here. It's
00:23:44 - Kiwi Syslog;
00:23:52 - right there, Kiwi Syslog. Now if you go here you'll see
00:23:56 - right here a freewee, I can't even say it,
00:23:58 - a freewee, a Freeware Syslog Daemon and when you
00:24:03 - click on that you can download this for your PC. It is just
00:24:07 - a pretty nice logging system that will receive these messages
00:24:11 - and you can put them in a table format; you can search through them;
00:24:14 - you can find them; they're in a buffer and all that
00:24:17 - kind of stuff. So you install that and run on a PC and then
00:24:21 - you go to your command line and point your switch to the PC
00:24:26 - running the Kiwi Syslog and that will configure logging.
00:24:29 - Now down at the bottom we will see limit CDP reach when possible, limit
00:24:34 - where CDP is running. Now there's two ways to do that. Go
00:24:38 - into global config mode and type in no cdp followed by run, which
00:24:45 - turns off CDP on the switch as a whole, thus the global
00:24:49 - config mode. That will disable CDP everywhere and you will no longer
00:24:54 - be able to see the switch using the CISCO discovery protocol.
00:24:57 - You can also go under each interface if you'd rather do it
00:25:00 - on an interface by interface basis and type in no cdp enable.
00:25:05 - Now the reason that is a good security practice, is because
00:25:10 - CDP is something being originated by the switch. Meaning the
00:25:14 - switch is going to send out CDP broadcasts once every 60
00:25:19 - seconds out of every single port that it's connected to. Somebody
00:25:23 - can just open up a packet sniffer on their computer and receive
00:25:26 - the CDP information, which tells them the name of the switch; the IP
00:25:30 - address of the switch; the IOS version it's running; you know
00:25:33 - all the CDP information we talked about; was that in this
00:25:37 - series, maybe even the previous series, that you can see on
00:25:40 - all the different devices just in case it was the previous series.
00:25:43 - Let me just make sure. I'll do a show cdp neighbors, that should help refresh your
00:25:48 - memory, show cdp neighbors detail. Seeing what is connected
00:25:52 - to this device via CDP. So a lot of times it's good to turn
00:25:56 - that off. Now you notice I have, when possible, that's because
00:26:00 - a lot of the new Cisco equipment like their IP phones need
00:26:05 - CDP to operate correctly or to operate efficiently I should
00:26:08 - say. So it may not be possible to turn off CDP.
00:26:12 - Last but not least,
00:26:14 - use BPDU guard on PortFast ports. Now you might remember PortFast
00:26:20 - was the utility that essentially disabled spanning tree.
00:26:24 - So if you plug in a PC, it immediately goes online rather than
00:26:28 - waiting for the 30 seconds that spanning tree takes to
00:26:31 - make the port go active. Now it's always best to couple that with
00:26:35 - BPDU guard. Let me first show you the syntax, then I'll explain
00:26:40 - what that is.
00:26:41 - You go under your interface that is enabled for PortFast, you
00:26:46 - type in spanning-tree followed by bpduguard. What it says
00:26:50 - is don't accept BPDUs on this interface. Now if you think back,
00:26:55 - if you're thinking BPDUs, that sounds familiar, it's from
00:26:58 - the spanning tree videos earlier in the series. Spanning tree
00:27:02 - uses BPDUs to announce itself. So what BPDU guard does is if you have
00:27:07 - a switch enabled for PortFast and you connect
00:27:12 - another switch, well that violates the PortFast agreement.
00:27:17 - PortFast is only for PCs. So if a BPDU comes into that port,
00:27:22 - the switch realizes that another switch has been attached to
00:27:25 - that port and it will immediately shut down this interface. BPDU guard
00:27:29 - will take it down. So that's very handy to help prevent
00:27:34 - a lot of loops. It also helps prevent this kind of scenario.
00:27:37 - Somebody plugs in a hub under their cubicle and daisy chains
00:27:41 - to another port in another cubicle which links back to the
00:27:44 - switch. Well the switch will send out a BPDU out this port,
00:27:48 - go through the hub, through another hub and it will come back
00:27:51 - into itself. BPDU guard detects
00:27:56 - that and will shut down both of those interfaces because it
00:27:59 - detects a loop in process. So that is a great one. I want
00:28:03 - to make sure you don't confuse that with BPDU filter.
00:28:07 - BPDU filter is a dangerous one. It says don't accept or I
00:28:12 - should say don't send or receive BPDUs on this interface.
00:28:16 - The reason that's dangerous is it will ignore BPDUs
00:28:21 - coming on that port, it doesn't shut the port down. So somebody
00:28:24 - could set something like this up with BPDU filter turned
00:28:27 - on and the switch would never detect the loop and that's what
00:28:30 - would cause one of those hospital incidents that take the network
00:28:33 - down. That wraps up the troubleshooting and security practices
00:28:39 - for our switch network and that wraps up switches for this entire
00:28:44 - video series. We are not going to talk about switches anymore. It's going to
00:28:47 - be all router concepts from here on out. So let's recap. We saw
00:28:51 - the switch general troubleshooting process looking at the OSI
00:28:55 - model as a guide, using a familiarization with your network
00:29:00 - and a logical network diagram to help you out. We then saw a lot of the common
00:29:04 - troubleshooting areas for our switch networks; things like the
00:29:06 - port issues and spanning tree issues. And we saw securing the
00:29:10 - switch network, the best practices that Cisco recommends to lock
00:29:13 - down the inside of your network a little tighter than leaving
00:29:17 - it as is, which is wide open. I hope this has been informative
00:29:21 - for you and I'd like to thank you for viewing.

Jeremy Cioara

CBT Nuggets Trainer

Cisco CCNA, CCDA, CCNA Security, CCNA Voice, CCNP, CCSP, CCVP, CCDP, CCIE R&S; Amazon Web Services CSA; Microsoft MCP, MCSE, Novell CNA, CNE; CompTIA A+, Network+, iNet+

Area Of Expertise:
Cisco network administration and development. Author or coauthor of numerous books, including: CCNA Voice 640-461 Official Cert Guide; CCNA Voice Official Exam Certification Guide (640-460 IIUC); CCENT Exam Prep (Exam 640-822); CCNA Exam Cram (Exam 640-802) 3rd Edition; and CCNA Voice 640-461 Official Cert Guide.
