Cisco CCNP SWITCH 642-813

Campus Security: STP Attacks and Other Security Considerations

by Jeremy Cioara



00:00:00 - All right. It's time to wrap up the campus security section,
00:00:04 - and actually the whole BCMSN series with a video talking about
00:00:08 - spanning tree protocol attacks and how an intruder can manipulate
00:00:12 - spanning tree to, well, bury your network in a couple of commands.
00:00:17 - Then we'll just wrap things up by looking at switch security
00:00:20 - best practices. Just kind of a bullet list of when you get a
00:00:23 - new switch or you're setting up your existing switch equipment,
00:00:26 - what are some Cisco recommended best practices to deploy them
00:00:29 - in the most secure possible way. I remember when I first started
00:00:34 - teaching in the Cisco arena. I started off with the CCNA class
00:00:37 - because I was only a CCNA. And I was having a great time teaching
00:00:41 - it and was getting to a section on spanning tree and was talking
00:00:45 - about spanning tree and describing what the root bridge is and
00:00:49 - how the root is elected and things like that and how key that
00:00:51 - is. Big part of the network is who is the root bridge and emphasizing
00:00:55 - that to the students. And a student raises their hand and says,
00:00:59 - yeah, Jim, I can't remember his name, and Jim said: Well, if
00:01:05 - the root bridge is so critical, and that's kind of the core of
00:01:09 - the network, right. I said, oh, yeah, core of the network. He
00:01:11 - said what's to keep somebody from bringing in their own switch
00:01:15 - and like setting their priority really low so they become the
00:01:17 - root bridge. And I said: Ah, I don't know. That's a good question.
00:01:24 - And I scratched my head. And I've been teaching for 11 years.
00:01:28 - And that's happened many times. And so that night I'm at home
00:01:31 - looking at books. What's to keep somebody from doing that. And
00:01:35 - the answer is nothing. There is nothing that's keeping somebody
00:01:40 - from bringing a switch into the network and becoming the root
00:01:43 - bridge. Likewise, you could also have somebody maliciously bringing
00:01:48 - in a switch into the network to attach dual cables like this
00:01:53 - to PortFast-enabled ports, which PortFast disables spanning tree on.
00:01:58 - So by an intruder running one cable to his cubicle jack and then
00:02:02 - running to the neighboring cubicle jack or just the spare jack
00:02:05 - somewhere, he could potentially start a small loop in the network,
00:02:09 - because PortFast won't detect the looping packets right away.
00:02:12 - So spanning tree manipulation. How do we stop it? Well, there
00:02:17 - are two major features that are in Cisco switches that will really
00:02:21 - help out. Number one, excuse me, on those PortFast ports, any
00:02:27 - port enabled for PortFast should also have a feature called
00:02:31 - BPDU guard. Guard, phonetic spelling. G u a r d. BPDU guard.
00:02:34 - What that is is a sensor that if it detects a BPDU immediately
00:02:40 - shuts down the port. Think back to spanning tree. Spanning tree,
00:02:43 - its language that it speaks is BPDU. When somebody is communicating
00:02:50 - to spanning tree, they'll be using BPDUs. So BPDU guard, whenever
00:02:55 - a BPDU is detected
00:02:58 - on any port, it will shut it down. The minute this intruder plugs
00:03:05 - in their switch, chunk, chunk, that port is disabled. It's very
00:03:11 - immediate. As a matter of fact, let me bring up my switch and
00:03:15 - show this to you. I'm plugged into a Catalyst 3550.
00:03:21 - And I'm going to get under, let's use interface
00:03:25 - fast ethernet 0/1, and the command, it's very simple to turn
00:03:29 - it on. Spanning tree. You just type in BPDU guard, enter. Wait
00:03:35 - a second. Enable. There we go. Enable. And that turns it on on
00:03:39 - the interface. Now, at that point anytime let me show you. I've
00:03:43 - got a cable dangling from this switch on fast Ethernet 0/1. I'm
00:03:46 - going to reach under my desk here, connect it to another switch.
00:03:50 - Watching on the screen. Watch this. Click. Light just went on
00:03:55 - and wham, the port just went down. Did you see how fast that
00:03:57 - was? Because remember one of the first things that happens in
00:04:00 - a rapid spanning tree environment, which is what we're running
00:04:03 - here, is immediately as soon as the electric signal is sent,
00:04:06 - a BPDU is sent out to detect any loops. So right away, receive
00:04:10 - BPDU with BPDU guard enabled, disabling port. I'll type in show
00:04:15 - interface fast Ethernet 0/1
00:04:19 - and you can see that the port has now entered an error disabled
00:04:23 - state. That's also what happens if you violate MAC address security.
00:04:27 - So what we can do is just do a shut and a no shut to power that
00:04:32 - port back on. And let me just do a do command. There we go and
00:04:36 - we've got the not connect now. So we are back in the not connected
00:04:41 - state. So that is the BPDU guard, which, to answer my CCNA
00:04:45 - student's question, I could have said, yeah, BPDU guard will
00:04:48 - do that. But Cisco also created a system for even the good ports.
00:04:53 - I mean, ports that are uplinked to other switches and so on to
00:04:57 - prevent maybe a misconfigured switch from becoming the root.
00:05:02 - Now, let's say instead of this being an intruder switch down
00:05:06 - here, let me just cross that out, we'll just say this is some
00:05:09 - closet switch. It's an access layer switch. I'll put AL switch.
00:05:13 - Now, if we've got our network and we've got the corporate network,
00:05:17 - maybe these are our two core switches. This is the root bridge,
00:05:21 - and this is the back up root, if the primary root bridge goes
00:05:25 - down. Now, we don't ever want this switch to become the root
00:05:30 - bridge, because it's in a closet, and if both core switches are
00:05:35 - down, I would say we've got bigger problems than determining
00:05:37 - who the root bridge is. So what we can do is enable a second
00:05:43 - feature on our Cisco switches. It's called root guard. What it
00:05:47 - does I'll say it again root guard because I think I severed root
00:05:51 - guard. It protects
00:05:53 - what ports valid roots are detected on. That was a horrible way
00:05:59 - of saying that. Let me explain it a little better. This core
00:06:02 - switch is our root. Why is it our root? Because we set it to
00:06:06 - become the root. Now, by default every other port that is connected
00:06:10 - to another switch has the potential to be elected as the root.
00:06:15 - This became the root because we set the priority lower. But if
00:06:18 - the priority on this one went lower, then this one would become
00:06:21 - the root. But what I can do is on my root bridge, the one that
00:06:25 - is currently elected the root, I can set root guard on any port
00:06:30 - connected to a switch that is not supposed to become the root.
00:06:35 - Now, obviously this port would not be one that I want to enable
00:06:38 - root guard on, because if this switch went down in some way,
00:06:41 - I would want this one to take over and become the root. So that's
00:06:45 - a valid place to not have root guard. However, this port right
00:06:49 - here and this port right here are two places where I would want
00:06:53 - the root guard feature to be on. Now, this feature is somewhat
00:07:00 - timing-based, I guess; this is the best way I can say it. Meaning
00:07:04 - you need to set it up after you have the root elected. For example,
00:07:08 - if I've got a new switch in my network, we'll say this guy my
00:07:15 - access layer switch that I'm installing, and for whatever reason
00:07:18 - I turn on root guard on this port and then connect it to the
00:07:21 - network, well, this switch being powered on thinks it's the root.
00:07:25 - Because until it communicates with the rest of the network it's
00:07:27 - going to say, well, I'm the root of the network. And no one because
00:07:32 - I don't see anyone else. But as soon as I plug these cables in
00:07:35 - right here, if I've turned on root guard on this switch, it's
00:07:39 - going to say whoa, there's another switch that's trying to become
00:07:42 - the root. Dangerous, let's go ahead and shut down that port.
00:07:44 - Oh, another switch is trying to become the root. Dangerous, let's
00:07:46 - shut down that port. You can see root guard is one of those things
00:07:50 - you only turn on on the root switch itself. And perhaps the back
00:07:54 - up root if you have a network big enough to become one. So let
00:07:58 - me show you how to do that. I'll bring it back up here. It's
00:08:01 - one command. We don't need to set up a full topology to explain
00:08:04 - it. I'm going to type in spanning tree, guard, root,
00:08:10 - enter. Kind of reverse English. Spanning tree guard root. At
00:08:14 - that point fast Ethernet 0/1 is enabled for root guard, which
00:08:19 - means there will never be a switch that connects to fast Ethernet
00:08:24 - 0/1 that can become the root because this switch I'm on right
00:08:28 - now is the root and it will not be preempted by any switch connecting
00:08:32 - to fast Ethernet 0/1. Now, one term you should know. I'm not going
00:08:37 - to set up the full topology, because it's just so simple of an
00:08:40 - explanation, but when,
00:08:44 - if this port comes in and tries to become the root. We just enabled
00:08:49 - this one for root guard, and this one says, hey, I want to be
00:08:51 - the root, it will disable this port but instead of putting it
00:08:55 - into an error-disabled state it will actually label it as an inconsistent
00:09:01 - port. So that's just a term to know off the top of your head.
00:09:04 - If you see inconsistent ports, it is because it is a port that
00:09:08 - you turned on root guard for and said we cannot have a root on
00:09:11 - here and someone came in and said I want to be the root. So root
00:09:14 - guard says that's inconsistent. Let's disable the port. Well,
00:09:18 - let's wrap things up by looking at the Cisco best practices for
00:09:23 - Cisco switches. Just rules of thumb that you should keep in mind
00:09:26 - on any new switch you deploy. Number one is to disable CDP wherever
00:09:31 - possible. Now, that used to be something where I could easily
00:09:35 - say, oh, yeah, just turn off CDP on any new device. However,
00:09:39 - there are becoming more and more things that use CDP as a viable
00:09:44 - function rather than just discovering other devices. For example,
00:09:47 - IP phones need CDP for quality of service, and VLAN assignment.
00:09:52 - So it's no longer just possible to disable CDP on an entire switch.
00:09:57 - But you can turn off CDP on a port by port basis on ports that
00:10:01 - aren't going to use it. Every packet that CDP sends is in clear
00:10:06 - text. And it contains pretty essential information about the
00:10:09 - switch, like what port they're coming into. IOS image. The IP
00:10:13 - address of the switch, and anybody with a packet sniffer can
00:10:15 - get it. So on a switch you can either from global config mode
00:10:20 - type in no cdp run. That turns it off everywhere. But as I mentioned
00:10:24 - it's not possible to do that in many cases. So we could go under
00:10:28 - an interface and just type in no cdp enable, and that turns it
00:10:31 - off on a port by port basis.
00:10:34 - Now, second one is to lock down spanning tree. Just like I was
00:10:38 - mentioning on the previous slide, putting BPDU guard on every
00:10:42 - port you have PortFast on, it can be very handy to do that. I
00:10:47 - don't know if I showed you this. I think I showed you this. But
00:10:51 - under an interface you can type in switchport. Oh, what is it?
00:10:56 - Mode? Oh. No. Right there. Switchport host. Did I tell you about
00:11:02 - that one? Switchport host automatically turns it on to an access
00:11:08 - port. Sets the access port. Turns on PortFast and disables any
00:11:13 - EtherChannel capabilities for the port all in one scoop.
00:11:17 - So that is a handy command to do all of those things. But at
00:11:21 - the same time you still need to add BPDU guard to it. I don't
00:11:24 - know why that just popped into my head. That's just my handy
00:11:26 - command for the day, I think. Third, disable trunk negotiation
00:11:31 - on access ports. Under every single port, either type in switchport
00:11:34 - host or switchport mode access to make sure it's hard-coded
00:11:39 - as an access port and it will not become a trunk. That causes
00:11:42 - VLAN hopping. Physical security is key. That almost goes without
00:11:47 - saying, but I know a lot of the IDFs and wiring closets that
00:11:51 - I've seen have sometimes been left out in the open, just found
00:11:54 - a free corner. And sometimes that's all you can do because of
00:11:58 - the building that you're in; but if you can get these switches
00:12:02 - behind locked doors, that really helps increase your security
00:12:06 - in a big way. If somebody can just touch the switch, there's a huge
00:12:08 - security vulnerability.
00:12:11 - Fifth, place unused ports in a black hole VLAN. A black hole
00:12:17 - is actually a name I came up with because whenever I create this
00:12:20 - VLAN on a switch, I name it black hole. Just any unused port.
00:12:24 - Something that doesn't have anything plugged into it at the time
00:12:28 - I put into this VLAN. Now, there's no routing for that VLAN.
00:12:32 - There's no DHCP server, there's no VLAN interface for it. It's
00:12:36 - just an empty VLAN. So if somebody does plug into an unused port,
00:12:40 - they'll get connectivity, meaning their jack will light up as
00:12:45 - if there's an electric signal there, but nothing more. A
00:12:48 - self-assigned IP address is about all they'll get, and they're in the
00:12:51 - black hole. So that helps minimize who is using unused ports
00:12:56 - in your network. Easy enough by the way, it's easy enough to
00:12:58 - do that. All you have to do is just do a show ip interface brief
00:13:02 - and document every port that is down during a typical business
00:13:07 - day, minus the sick people, and you'll be able to quickly tell which
00:13:10 - ports are in use and are not in use. Finally, last one is six,
00:13:16 - use SSH whenever possible. Just about every Cisco switch with
00:13:20 - a modern image can support
00:13:24 - SSH. Actually, I think this one
00:13:27 - does not. Let me do a transport input question mark. Now, see
00:13:31 - that's why I said whenever possible. This switch right here only
00:13:35 - supports telnet, but I'm almost positive that my other
00:13:41 - key switch here, let me bring that into the picture,
00:13:45 - line vty 0 4, transport input. There it is. SSH. Every image that
00:13:52 - Cisco ships nowadays is running SSH. You don't have to get a
00:13:56 - security image anymore to get SSH. Because telnet is, as you
00:14:01 - can imagine, very vulnerable. Everything is in clear text. So
00:14:04 - use SSH to manage your devices.
00:14:08 - Well, let's wrap things up for the last time. We have talked
00:14:12 - about spanning tree protocol attacks and ways to prevent them
00:14:15 - or just a misconfiguration in your network and ways to keep it
00:14:18 - from destroying it by using BPDU guard and root guard. Finally,
00:14:24 - we just talked about Cisco's best practices for every switch
00:14:27 - across your organization.
00:14:29 - At this point in the series, we're at the end, and I know you
00:14:34 - are feeling much more confident with your switching capability
00:14:37 - than you did before you started this series. And I hope that
00:14:41 - this information will be valuable to you whether you're using
00:14:44 - it to study for a certification exam and get your CCNP or whether
00:14:48 - you're using it for practical application and going back to the
00:14:51 - office and actually implementing a bunch of the stuff that we
00:14:54 - talked about. But whatever the application, I wish you well,
00:14:58 - and I hope to see you again soon. And, of course, last but not
00:15:02 - least, I hope this has been informative for you, and I'd like
00:15:06 - to thank you for viewing.
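The commands the video walks through one at a time (BPDU guard, root guard, switchport host, per-port CDP, the black-hole VLAN and SSH on the vty lines), collected here as one added Cisco IOS configuration example. This is not configuration from the video or from CBT Nuggets; the hostnames, interface numbers, VLAN 10 and VLAN 999, the domain name and the priority values are assumptions chosen for the illustration.

```cisco
! ===== Part 1: the elected root bridge (core switch) =====
! Assumed: Gi0/1 and Gi0/2 go to access-layer switches, Gi0/3 to the backup root.
hostname CORE-ROOT
!
! Win the root election deliberately (backup root would use 8192, not shown).
spanning-tree vlan 1-100 priority 4096
!
! Root guard on links to switches that must never become the root.
! A switch behind these ports that sends superior BPDUs lands in the
! root-inconsistent state instead of err-disabled.
interface range GigabitEthernet0/1 - 2
 description Uplink to access-layer switch
 switchport mode trunk
 spanning-tree guard root
!
! Link to the backup root: deliberately NO root guard, so it can take over
! if this switch fails.
interface GigabitEthernet0/3
 description Link to backup root
 switchport mode trunk
!
! ===== Part 2: an access-layer switch =====
hostname AL-SWITCH-1
!
! User ports: switchport host = access mode + PortFast + no EtherChannel.
! Hard-coded access mode stops trunk negotiation (VLAN hopping);
! BPDU guard err-disables the port the moment a switch is plugged in;
! CDP off per port (no cdp run globally would break IP phones).
interface range FastEthernet0/1 - 20
 switchport access vlan 10
 switchport host
 spanning-tree bpduguard enable
 no cdp enable
!
! Unused ports: black-hole VLAN (no SVI, no routing, no DHCP) and shut down.
vlan 999
 name BLACKHOLE
interface range FastEthernet0/21 - 24
 switchport access vlan 999
 switchport host
 spanning-tree bpduguard enable
 shutdown
!
! Optional: let BPDU-guard err-disabled ports recover on their own after
! 5 minutes instead of needing a manual shut / no shut.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Management over SSH instead of telnet (image must support crypto).
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
username admin privilege 15 secret <set-a-strong-secret>
line vty 0 4
 transport input ssh
 login local
!
! Verification:
!   show spanning-tree root                  - confirm CORE-ROOT won
!   show spanning-tree inconsistentports     - root-guard hits
!   show interfaces status err-disabled      - BPDU-guard hits
!   show cdp neighbors                       - should list no user ports
```

Two points the video makes are worth checking against this configuration. Root guard is applied only on the root bridge's downstream ports, never on the link to the backup root, otherwise the backup can never take over. BPDU guard is applied only to host ports (the ones with PortFast), because a BPDU arriving on a real uplink is normal and would err-disable a link you depend on.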
