00:00:00 - All right. It's time to wrap up the campus security section,
00:00:04 - and actually the whole BCMSN series with a video talking about
00:00:08 - spanning tree protocol attacks and how an intruder can manipulate
00:00:12 - spanning tree to, well, bury your network in a couple of commands.
00:00:17 - Then we'll just wrap things up by looking at switch security
00:00:20 - best practices. Just kind of a bullet list of when you get a
00:00:23 - new switch or you're setting up your existing switch equipment,
00:00:26 - what are some Cisco recommended best practices to deploy them
00:00:29 - in the most secure possible way. I remember when I first started
00:00:34 - teaching in the Cisco arena. I started off with the CCNA class
00:00:37 - because I was only a CCNA. And I was having a great time teaching
00:00:41 - it and was getting to a section on spanning tree and was talking
00:00:45 - about spanning tree and describing what the root bridge is and
00:00:49 - how the root is elected and things like that and how key that
00:00:51 - is. Big part of the network is who is the root bridge and emphasizing
00:00:55 - that to the students. And a student raises their hand and says,
00:00:59 - yeah, Jim, I can't remember his name, and Jim said: Well, if
00:01:05 - the root bridge is so critical, and that's kind of the core of
00:01:09 - the network, right. I said, oh, yeah, core of the network. He
00:01:11 - said what's to keep somebody from bringing in their own switch
00:01:15 - and like setting their priority really low so they become the
00:01:17 - root bridge. And I said: Ah, I don't know. That's a good question.
00:01:24 - And I scratched my head. And I've been teaching for 11 years.
00:01:28 - And that's happened many times. And so that night I'm at home
00:01:31 - looking at books. What's to keep somebody from doing that. And
00:01:35 - the answer is nothing. There is nothing that's keeping somebody
00:01:40 - from bringing a switch into the network and becoming the root
00:01:43 - bridge. Likewise, you could also have somebody maliciously bringing
00:01:48 - in a switch into the network to attach dual cables like this
00:01:53 - to PortFast-enabled ports, where PortFast disables spanning tree.
00:01:58 - So by an intruder running one cable to his cubicle jack and then
00:02:02 - running to the neighboring cubicle jack or just the spare jack
00:02:05 - somewhere, he could potentially start a small loop in the network,
00:02:09 - because port fast won't detect the looping packets right away.
00:02:12 - So spanning tree manipulation. How do we stop it? Well, there
00:02:17 - are two major features that are in Cisco switches that will really
00:02:21 - help out. Number one, excuse me, on those port fast ports, any
00:02:27 - port enabled for port fast should also have a feature called
00:02:31 - BPDU guard. Guard, phonetic spelling. G u a r d. BPDU guard.
00:02:34 - What that is is a sensor that if it detects a BPDU immediately
00:02:40 - shuts down the port. Think back to spanning tree. Spanning tree,
00:02:43 - its language that it speaks is BPDU. When somebody is communicating
00:02:50 - to spanning tree, they'll be using BPDUs. So BPDU guard, whenever
00:02:55 - a BPDU is detected
00:02:58 - on any port, it will shut it down. The minute this intruder plugs
00:03:05 - in their switch, chunk, chunk, that port is disabled. It's very
00:03:11 - immediate. As a matter of fact, let me bring up my switch and
00:03:15 - show this to you. I'm plugged into a CAT 3550.
00:03:21 - And I'm going to get under, let's use interface
00:03:25 - fast ethernet 0/1, and the command, it's very simple to turn
00:03:29 - it on. Spanning tree. You just type in BPDU guard, enter. Wait
00:03:35 - a second. Enable. There we go. Enable. And that turns it on on
00:03:39 - the interface. Now, at that point anytime let me show you. I've
00:03:43 - got a cable dangling from this switch on fast Ethernet 0/1. I'm
00:03:46 - going to reach under my desk here, connect it to another switch.
00:03:50 - Watching on the screen. Watch this. Click. Light just went on
00:03:55 - and wham, the port just went down. Did you see how fast that
00:03:57 - was? Because remember one of the first things that happens in
00:04:00 - a rapid spanning tree environment, which is what we're running
00:04:03 - here, is immediately as soon as the electric signal is sent,
00:04:06 - a BPDU is sent out to detect any loops. So right away, receive
00:04:10 - BPDU with BPDU guard enabled, disabling port. I'll type in show
00:04:15 - interface fast Ethernet 0/1
00:04:19 - and you can see that the port has now entered an error disabled
00:04:23 - state. That's also what happens if you violate MAC address security.
00:04:27 - So what we can do is just do a shut and a no shut to power that
00:04:32 - port back on. And let me just do a do command. There we go and
00:04:36 - we've got the not connect now. So we are back in the not connected
00:04:41 - state. So that is the BPDU guard, which, to answer my CCNA
00:04:45 - student's question, I could have said, yeah, BPDU guard will
00:04:48 - do that. But Cisco also created a system for even the good ports.
00:04:53 - I mean, ports that are uplinked to other switches and so on to
00:04:57 - prevent maybe a misconfigured switch from becoming the root.
00:05:02 - Now, let's say instead of this being an intruder switch down
00:05:06 - here, let me just cross that out, we'll just say this is some
00:05:09 - closet switch. It's an access layer switch. I'll put AL switch.
00:05:13 - Now, if we've got our network and we've got the corporate network,
00:05:17 - maybe these are our two core switches. This is the root bridge,
00:04:21 - and this is the backup root, if the primary root bridge goes
00:05:25 - down. Now, we don't ever want this switch to become the root
00:05:30 - bridge, because it's in a closet, and if both core switches are
00:05:35 - down, I would say we've got bigger problems than determining
00:05:37 - who the root bridge is. So what we can do is enable a second
00:05:43 - feature on our Cisco switches. It's called root guard. What it
00:05:47 - does I'll say it again root guard because I think I severed root
00:05:51 - guard. It protects
00:05:53 - what ports valid roots are detected on. That was a horrible way
00:05:59 - of saying that. Let me explain it a little better. This core
00:06:02 - switch is our root. Why is it our root? Because we set it to
00:06:06 - become the root. Now, by default every other port that is connected
00:06:10 - to another switch has the potential to be elected as the root.
00:06:15 - This became the root because we set the priority lower. But if
00:06:18 - the priority on this one went lower, then this one would become
00:06:21 - the root. But what I can do is on my root bridge, the one that
00:06:25 - is currently elected the root, I can set root guard on any port
00:06:30 - connected to a switch that is not supposed to become the root.
00:06:35 - Now, obviously this port would not be one that I want to enable
00:06:38 - root guard on, because if this switch went down in some way,
00:06:41 - I would want this one to take over and become the root. So that's
00:06:45 - a valid place to not have root guard. However, this port right
00:06:49 - here and this port right here are two places where I would want
00:06:53 - the root guard feature to be on. Now, this feature is somewhat
00:07:00 - timing based I guess this is the best way I can say it. Meaning
00:07:04 - you need to set it up after you have the root elected. For example,
00:07:08 - if I've got a new switch in my network, we'll say this guy my
00:07:15 - access layer switch that I'm installing, and for whatever reason
00:07:18 - I turn on root guard on this port and then connect it to the
00:07:21 - network, well, this switch being powered on thinks it's the root.
00:07:25 - Because until it communicates with the rest of the network it's
00:07:27 - going to say, well, I'm the root of the network. And no one because
00:07:32 - I don't see anyone else. But as soon as I plug these cables in
00:07:35 - right here, if I've turned on root guard on this switch, it's
00:07:39 - going to say whoa, there's another switch that's trying to become
00:07:42 - the root. Dangerous, let's go ahead and shut down that port.
00:07:44 - Oh, another switch is trying to become the root. Dangerous, let's
00:07:46 - shut down that port. You can see root guard is one of those things
00:07:50 - you only turn on on the root switch itself. And perhaps the backup
00:07:54 - root if you have a network big enough to have one. So let
00:07:58 - me show you how to do that. I'll bring it back up here. It's
00:08:01 - one command. We don't need to set up a full topology to explain
00:08:04 - it. I'm going to type in spanning tree, guard, root,
00:08:10 - enter. Kind of reverse English. Spanning tree guard root. At
00:08:14 - that point fast Ethernet 0/1 is enabled for root guard, which
00:08:19 - means there will never be a switch that connects to fast Ethernet
00:08:24 - 0/1 that can become the root because this switch I'm on right
00:08:28 - now is the root and it will not be preempted by any switch connecting
00:08:32 - to fast Ethernet 0/1. Now, one term you should know I'm not going
00:08:37 - to set up the full topology because it's just so simple of an
00:08:40 - explanation but when
00:08:44 - if this port comes in and tries to become the root. We just enabled
00:08:49 - this one for root guard, and this one says, hey, I want to be
00:08:51 - the root, it will disable this port but instead of putting it
00:08:55 - into an error disable state it will actually label it as an inconsistent
00:09:01 - port. So that's just a term to know off the top of your head.
00:09:04 - If you see inconsistent ports, it is because it is a port that
00:09:08 - you turned on root guard for and said we cannot have a root on
00:09:11 - here and someone came in and said I want to be the root. So root
00:09:14 - guard says that's inconsistent. Let's disable the port. Well,
00:09:18 - let's wrap things up by looking at the Cisco best practices for
00:09:23 - Cisco switches. Just rules of thumb that you should keep in mind
00:09:26 - on any new switch you deploy. Number one is to disable CDP wherever
00:09:31 - possible. Now, that used to be something where I could easily
00:09:35 - say, oh, yeah, just turn off CDP on any new device. However,
00:09:39 - there are becoming more and more things that use CDP as a viable
00:09:44 - function rather than just discovering other devices. For example,
00:09:47 - IP phones need CDP for quality of service, and VLAN assignment.
00:09:52 - So it's no longer just possible to disable CDP on an entire switch.
00:09:57 - But you can turn off CDP on a port by port basis on ports that
00:10:01 - aren't going to use it. Every packet that CDP sends is in clear
00:10:06 - text. And it contains pretty essential information about the
00:10:09 - switch, like what port they're coming into. IOS image. The IP
00:10:13 - address of the switch, and anybody with a packet sniffer can
00:10:15 - get it. So on a switch you can either from global config mode
00:10:20 - type in no CDP run. That turns it off everywhere. But as I mentioned
00:10:24 - it's not possible to do that in many cases. So we could go under
00:10:28 - an interface and just type in no CDP enable, and that turns it
00:10:31 - off on a port by port basis.
00:10:34 - Now, second one is to lock down spanning tree. Just like I was
00:10:38 - mentioning on the previous slide, putting BPDU guard on every
00:10:42 - port you have port fast on it can be very handy to do that. I
00:10:47 - don't know if I showed you this. I think I showed you this. But
00:10:51 - under an interface you can type in switch port. Oh, what is it?
00:10:56 - Mode? Oh. No. Right there. Switch port host. Did I tell you about
00:11:02 - that one? Switch port host automatically turns it on to an access
00:11:08 - port. Sets the access port. Turns on PortFast and disables any
00:11:13 - EtherChannel capabilities for the port all in one scoop.
00:11:17 - So that is a handy command to do all of those things. But at
00:11:21 - the same time you still need to add BPDU guard to it. I don't
00:11:24 - know why that just popped into my head. That's just my handy
00:11:26 - command for the day, I think. Third, disable trunk negotiation
00:11:31 - on access ports. Under every single port, either type in switchport
00:11:34 - host or switchport mode access to make sure it's hard coded
00:11:39 - as an access port and it will not become a trunk. That causes
00:11:42 - VLAN hopping. Physical security is key. That almost goes without
00:11:47 - saying, but I know a lot of the IDFs and wiring closets that
00:11:51 - I've seen have sometimes been left out in the open, just found
00:11:54 - a free corner. And sometimes that's all you can do because of
00:11:58 - the building that you're in; but if you can get these switches
00:12:02 - behind locked doors, that really helps increase your security
00:12:06 - in a big way. Somebody can just touch the switch. There's a huge
00:12:08 - security vulnerability.
00:12:11 - Fifth, place unused ports in a black hole VLAN. A black hole
00:12:17 - is actually a name I came up with because whenever I create this
00:12:20 - VLAN on a switch, I name it black hole. Just any unused port.
00:12:24 - Something that doesn't have anything plugged into it at the time
00:12:28 - I put into this VLAN. Now, there's no routing for that VLAN.
00:12:32 - There's no DHCP server, there's no VLAN interface for it. It's
00:12:36 - just an empty VLAN. So if somebody does plug into an unused port,
00:12:40 - they'll get connectivity, meaning their jack will light up as
00:12:45 - if there's an electric signal there, but nothing more. A self-assigned
00:12:48 - IP address is about all they'll get and they're in the
00:12:51 - black hole. So that helps minimize who is using unused ports
00:12:56 - in your network. Easy enough by the way, it's easy enough to
00:12:58 - do that. All you have to do is just do a show IP interface brief
00:13:02 - and document every port that is down during a typical business
00:13:07 - day minus the SIG people you'll be able to quickly tell which
00:13:10 - ports are in use and are not in use. Finally, last one is six,
00:13:16 - use SSH whenever possible. Just about every Cisco switch with
00:13:20 - a modern image can support
00:13:24 - SSH. Actually, I think this one
00:13:27 - does not. Let me do a transport input question mark. Now, see
00:13:31 - that's why I said whenever possible. This switch right here only
00:13:35 - supports telnet, but I'm almost positive that my other
00:13:41 - key switch here let me bring that into the picture,
00:13:45 - line vty 0 4, transport input. There it is. SSH. Every image that
00:13:52 - Cisco ships nowadays is running SSH. You don't have to get a
00:13:56 - security image anymore to get SSH. Because telnet is, as you
00:14:01 - can imagine, very vulnerable. Everything is in clear text. So
00:14:04 - use SSH to manage your devices.
00:14:08 - Well, let's wrap things up for the last time. We have talked
00:14:12 - about spanning tree protocol attacks and ways to prevent them
00:14:15 - or just a misconfiguration in your network and ways to keep it
00:14:18 - from destroying it by using BPDU guard and root guard. Finally,
00:14:24 - we just talked about Cisco's best practices for every switch
00:14:27 - across your organization.
00:14:29 - At this point in the series, we're at the end, and I know you
00:14:34 - are feeling much more confident with your switching capability
00:14:37 - than you did before you started this series. And I hope that
00:14:41 - this information will be valuable to you whether you're using
00:14:44 - it to study for a certification exam and get your CCNP or whether
00:14:48 - you're using it for practical application and going back to the
00:14:51 - office and actually implementing a bunch of the stuff that we
00:14:54 - talked about. But whatever the application, I wish you well,
00:14:58 - and I hope to see you again soon. And, of course, last but not
00:15:02 - least, I hope this has been informative for you, and I'd like
00:15:06 - to thank you for viewing.