
Employers know that CCNP-certified job applicants have a real-world knowledge of networking. They also know that Cisco awards big discounts to companies that hire Cisco-certified staff.

After watching Jeremy Cioara's new CCNP 642-813 SWITCH training, you'll be a master-level consultant on Cisco switched networks. You'll also have brighter career prospects and be an important step closer to CCNP certification.

Jeremy covers everything you ever wanted to know about switching in this update to his existing BCMSN course. In no time, you'll be designing your network for maximum uptime and preparing it for advanced services like WiFi, VoIP and Video over IP.

Jeremy's training maps to Cisco CCNP certification exam 642-813.
1. Welcome to Cisco Switch: Watch Me First! (17 min)
2. The Switches Domain: Core Concepts and Design (42 min)
3. VLANs: Configuration and Verification (13 min)
4. VLANs: In-Depth Trunking (35 min)
5. VLANs: VLAN Trunking Protocol (33 min)
6. STP: Foundation Per-VLAN Spanning Tree Concepts, Part 1 (23 min)
7. STP: Foundation Per-VLAN Spanning Tree Concepts, Part 2 (34 min)
8. STP: Rapid Spanning Tree Concepts and Configuration (24 min)
9. EtherChannel: Aggregating Redundant Links (24 min)
10. L3 Switching: InterVLAN Routing Extraordinaire (28 min)
11. L3 Switching: Understanding CEF Optimization (16 min)
12. Redundancy in the Campus: HSRP, VRRP, and GLBP Part 1 (43 min)
13. Redundancy in the Campus: HSRP, VRRP, and GLBP Part 2 (23 min)
14. Campus Security: Basic Port Security and 802.1x (32 min)
15. Campus Security: VLAN and Spoofing Attacks (31 min)
16. Campus Security: STP Attacks and Other Security Considerations (15 min)
17. Campus VoIP: Overview, Considerations, and AutoQoS (44 min)
18. Wireless LAN: Foundation Concepts and Design Part 1 (26 min)
19. Wireless LAN: Foundation Concepts and Design Part 2 (22 min)
20. Wireless LAN: Frequencies and 802.11 Standards (34 min)
21. Wireless LAN: Understanding the Hardware (30 min)
22. The Switches Domain: Additional Life-Saving Technology (22 min)
23. Monitoring: Your Pulse on the Network (45 min)
24. Campus Security: VACLs (14 min)

Campus Security: STP Attacks and Other Security Considerations

00:00:00

All right. It's time to wrap up the campus security section, and actually the whole BCMSN series with a video talking about spanning tree protocol attacks and how an intruder can manipulate spanning tree to, well, bury your network in a couple of commands.

00:00:17

Then we'll just wrap things up by looking at switch security best practices. Just kind of a bullet list of when you get a new switch or you're setting up your existing switch equipment, what are some Cisco recommended best practices to deploy them in the most secure possible way. I remember when I first started

00:00:34

teaching in the Cisco arena. I started off with the CCNA class because I was only a CCNA. And I was having a great time teaching it and was getting to a section on spanning tree and was talking about spanning tree and describing what the root bridge is and how the root is elected and things like that and how key that is. Big part of the network is who is the root bridge and emphasizing

00:00:55

that to the students. And a student raises their hand and says, yeah, Jim, I can't remember his name, and Jim said: Well, if the root bridge is so critical, and that's kind of the core of the network, right. I said, oh, yeah, core of the network. He said what's to keep somebody from bringing in their own switch and like setting their priority really low so they become the root bridge. And I said: Ah, I don't know. That's a good question.

00:01:24

And I scratched my head. And I've been teaching for 11 years. And that's happened many times. And so that night I'm at home looking at books. What's to keep somebody from doing that. And the answer is nothing. There is nothing that's keeping somebody from bringing a switch into the network and becoming the root bridge. Likewise, you could also have somebody maliciously bringing

00:01:48

in a switch into the network to attach dual cables like this to port fast enabled ports, on which port fast disables spanning tree. So by an intruder running one cable to his cubicle jack and then running to the neighboring cubicle jack or just the spare jack somewhere, he could potentially start a small loop in the network, because port fast won't detect the looping packets right away.

00:02:12

So spanning tree manipulation. How do we stop it? Well, there are two major features that are in Cisco switches that will really help out. Number one, excuse me, on those port fast ports, any port enabled for port fast should also have a feature called BPDU guard. Guard, phonetic spelling. G u a r d. BPDU guard.

00:02:34

What that is is a sensor that if it detects a BPDU immediately shuts down the port. Think back to spanning tree. Spanning tree, its language that it speaks is BPDU. When somebody is communicating to spanning tree, they'll be using BPDUs. So BPDU guard, whenever

00:02:55

a BPDU is detected on any port, it will shut it down. The minute this intruder plugs in their switch, chunk, chunk, that port is disabled. It's very immediate. As a matter of fact, let me bring up my switch and show this to you. I'm plugged into a Catalyst 3550. And I'm going to get under, let's use interface FastEthernet 0/1, and the command, it's very simple to turn it on. Spanning tree. You just type in BPDU guard, enter. Wait

00:03:35

a second. Enable. There we go. Enable. And that turns it on on the interface. Now, at that point anytime let me show you. I've got a cable dangling from this switch on fast Ethernet 0/1. I'm going to reach under my desk here, connect it to another switch.

00:03:50

Watching on the screen. Watch this. Click. Light just went on and wham, the port just went down. Did you see how fast that was? Because remember one of the first things that happens in a rapid spanning tree environment, which is what we're running here, is immediately as soon as the electric signal is sent, a BPDU is sent out to detect any loops. So right away, receive

00:04:10

BPDU with BPDU guard enabled, disabling port. I'll type in show interface fast Ethernet 0/1 and you can see that the port has now entered an error disabled state. That's also what happens if you violate MAC address security. So what we can do is just do a shut and a no shut to power that port back on. And let me just do a do command. There we go and

00:04:36

we've got the not connect now. So we are back in the not connected state. So that is the BPDU guard, which, to answer my CCNA student's question, I could have said, yeah, BPDU guard will do that. But Cisco also created a system for even the good ports.

00:04:53

I mean, ports that are uplinked to other switches and so on to prevent maybe a misconfigured switch from becoming the root. Now, let's say instead of this being an intruder switch down here, let me just cross that out, we'll just say this is some closet switch. It's an access layer switch. I'll put AL switch.

00:05:13

Now, if we've got our network and we've got the corporate network, maybe these are our two core switches. This is the root bridge, and this is the back up root, if the primary root bridge goes down. Now, we don't ever want this switch to become the root

00:05:30

bridge, because it's in a closet, and if both core switches are down, I would say we've got bigger problems than determining who the root bridge is. So what we can do is enable a second feature on our Cisco switches. It's called root guard. What it does I'll say it again root guard because I think I severed root guard. It protects

00:05:53

what ports valid roots are detected on. That was a horrible way of saying that. Let me explain it a little better. This core switch is our root. Why is it our root? Because we set it to become the root. Now, by default every other port that is connected

00:06:10

to another switch has the potential to be elected as the root. This became the root because we set the priority lower. But if the priority on this one went lower, then this one would become the root. But what I can do is on my root bridge, the one that is currently elected the root, I can set root guard on any port connected to a switch that is not supposed to become the root.

00:06:35

Now, obviously this port would not be one that I want to enable root guard on, because if this switch went down in some way, I would want this one to take over and become the root. So that's a valid place to not have root guard. However, this port right

00:06:49

here and this port right here are two places where I would want the root guard feature to be on. Now, this feature is somewhat timing based I guess this is the best way I can say it. Meaning you need to set it up after you have the root elected. For example,

00:07:08

if I've got a new switch in my network, we'll say this guy my access layer switch that I'm installing, and for whatever reason I turn on root guard on this port and then connect it to the network, well, this switch being powered on thinks it's the root.

00:07:25

Because until it communicates with the rest of the network it's going to say, well, I'm the root of the network. And no one because I don't see anyone else. But as soon as I plug these cables in right here, if I've turned on root guard on this switch, it's going to say whoa, there's another switch that's trying to become the root. Dangerous, let's go ahead and shut down that port.

00:07:44

Oh, another switch is trying to become the root. Dangerous, let's shut down that port. You can see root guard is one of those things you only turn on on the root switch itself. And perhaps the back up root if you have a network big enough to become one. So let

00:07:58

me show you how to do that. I'll bring it back up here. It's one command. We don't need to set up a full topology to explain it. I'm going to type in spanning tree, guard, root, enter. Kind of reverse English. Spanning tree guard root. At that point FastEthernet 0/1 is enabled for root guard, which means there will never be a switch that connects to FastEthernet 0/1 that can become the root, because this switch I'm on right now is the root and it will not be preempted by any switch connecting to FastEthernet 0/1. Now, one term you should know. I'm not going to set up the full topology, because it's just so simple an explanation, but if this port comes in and tries to become the root. We just enabled

00:08:49

this one for root guard, and this one says, hey, I want to be the root, it will disable this port but instead of putting it into an error disable state it will actually label it as an inconsistent port. So that's just a term to know off the top of your head.

00:09:04

If you see inconsistent ports, it is because it is a port that you turned on root guard for and said we cannot have a root on here and someone came in and said I want to be the root. So root guard says that's inconsistent. Let's disable the port. Well, let's wrap things up by looking at the Cisco best practices for Cisco switches. Just rules of thumb that you should keep in mind

00:09:26

on any new switch you deploy. Number one is to disable CDP wherever possible. Now, that used to be something where I could easily say, oh, yeah, just turn off CDP on any new device. However, there are becoming more and more things that use CDP as a viable function rather than just discovering other devices. For example,

00:09:47

IP phones need CDP for quality of service, and VLAN assignment. So it's no longer just possible to disable CDP on an entire switch. But you can turn off CDP on a port by port basis on ports that aren't going to use it. Every packet that CDP sends is in clear

00:10:06

text. And it contains pretty essential information about the switch, like what port they're coming into, IOS image, the IP address of the switch, and anybody with a packet sniffer can get it. So on a switch you can either, from global config mode, type in no cdp run. That turns it off everywhere. But as I mentioned

00:10:24

it's not possible to do that in many cases. So we could go under an interface and just type in no cdp enable, and that turns it off on a port by port basis. Now, second one is to lock down spanning tree. Just like I was mentioning on the previous slide, putting BPDU guard on every port you have port fast on can be very handy to do that. I

00:10:47

don't know if I showed you this. I think I showed you this. But under an interface you can type in switchport. Oh, what is it? Mode? Oh. No. Right there. Switchport host. Did I tell you about that one? Switchport host automatically turns it on to an access port. Sets the access port. Turns on port fast and disables any

00:11:13

EtherChannel capabilities for the port all in one scoop. So that is a handy command to do all of those things. But at the same time you still need to add BPDU guard to it. I don't know why that just popped into my head. That's just my handy command for the day, I think. Third, disable trunk negotiation

00:11:31

on access ports. Under every single port, either type in switchport host or switchport mode access to make sure it's hard coded as an access port and it will not become a trunk. That causes VLAN hopping. Physical security is key. That almost goes without

00:11:47

saying, but I know a lot of the IDFs and wiring closets that I've seen have sometimes been left out in the open, just found a free corner. And sometimes that's all you can do because of the building that you're in; but if you can get these switches behind locked doors, that really helps increase your security in a big way. Somebody can just touch the switch. There's a huge

00:12:08

security vulnerability. Fifth, place unused ports in a black hole VLAN. A black hole is actually a name I came up with because whenever I create this VLAN on a switch, I name it black hole. Just any unused port. Something that doesn't have anything plugged into it at the time I put into this VLAN. Now, there's no routing for that VLAN.

00:12:32

There's no DHCP server, there's no VLAN interface for it. It's just an empty VLAN. So if somebody does plug into an unused port, they'll get connectivity, meaning their jack will light up as if there's an electric signal there, but nothing more. A self-assigned IP address is about all they'll get, and they're in the black hole. So that helps minimize who is using unused ports

00:12:56

in your network. By the way, it's easy enough to do that. All you have to do is just do a show ip interface brief and document every port that is down during a typical business day, minus the SIG people, and you'll be able to quickly tell which ports are in use and are not in use. Finally, last one is six,

00:13:16

use SSH whenever possible. Just about every Cisco switch with a modern image can support SSH. Actually, I think this one does not. Let me do a transport input question mark. Now, see, that's why I said whenever possible. This switch right here only supports telnet, but I'm almost positive that my other key switch here, let me bring that into the picture, line vty 0 4, transport input. There it is. SSH. Every image that Cisco ships nowadays is running SSH. You don't have to get a

00:13:56

security image anymore to get SSH. Because telnet is, as you can imagine, very vulnerable. Everything is in clear text. So use SSH to manage your devices. Well, let's wrap things up for the last time. We have talked about spanning tree protocol attacks and ways to prevent them, or just a misconfiguration in your network and ways to keep it from destroying it, by using BPDU guard and root guard. Finally,

00:14:24

we just talked about Cisco's best practices for every switch across your organization. At this point in the series, we're at the end, and I know you are feeling much more confident with your switching capability than you did before you started this series. And I hope that

00:14:41

this information will be valuable to you whether you're using it to study for a certification exam and get your CCNP or whether you're using it for practical application and going back to the office and actually implementing a bunch of the stuff that we talked about. But whatever the application, I wish you well,
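As an added example, not part of the course or its transcript, the Python script below audits a Cisco IOS running-config against the checklist from this video: BPDU guard on every PortFast port, root guard on the root bridge's switch-facing ports (except the link to the backup root), trunk negotiation disabled and CDP off on access ports, documented-down ports parked in the black hole VLAN, and SSH-only VTY lines. The sample config, the interface names, VLAN 999 and the down-port list are constructed assumptions for illustration.

```python
# Constructed sample running-config, not from a real device; names, VLANs and the down-port list are assumed.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 no cdp enable
interface FastEthernet0/2
 spanning-tree portfast
interface FastEthernet0/3
 switchport access vlan 10
interface GigabitEthernet0/1
 switchport mode trunk
 spanning-tree guard root
interface GigabitEthernet0/2
 switchport mode trunk
!
line vty 0 4
 transport input telnet ssh
"""
BLACKHOLE_VLAN = 999                        # assumed number of the "black hole" VLAN
DOWN_PORTS = {"FastEthernet0/3"}            # assumed: down in 'show ip interface brief'
BACKUP_ROOT_PORTS = {"GigabitEthernet0/2"}  # assumed: link to backup root; no root guard here

def parse_blocks(config):
    # Map each 'interface X' / 'line ...' header to its indented sub-commands.
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            current = line.strip()
            blocks[current] = []
        else:
            current = None  # '!' or a global command ends the current block
    return blocks

def audit(config, down_ports=DOWN_PORTS, backup_root_ports=BACKUP_ROOT_PORTS):
    # One finding string per violated checklist item, sorted for stable output.
    findings = []
    for name, lines in parse_blocks(config).items():
        if name.startswith("line vty"):          # 6: SSH only, never telnet
            findings += [f"{name}: use 'transport input ssh' (found '{c}')" for c in lines
                         if c.startswith("transport input") and c != "transport input ssh"]
        if not name.startswith("interface "):
            continue
        port = name.split(" ", 1)[1]
        trunk = "switchport mode trunk" in lines
        if "spanning-tree portfast" in lines and "spanning-tree bpduguard enable" not in lines:
            findings.append(f"{port}: portfast without BPDU guard")            # 2
        if not trunk and "switchport mode access" not in lines:
            findings.append(f"{port}: trunk negotiation not disabled")         # 3
        if not trunk and "no cdp enable" not in lines:
            findings.append(f"{port}: CDP still enabled on access port")       # 1
        if trunk and port not in backup_root_ports and "spanning-tree guard root" not in lines:
            findings.append(f"{port}: switch-facing port without root guard")  # 2
        if port in down_ports and f"switchport access vlan {BLACKHOLE_VLAN}" not in lines:
            findings.append(f"{port}: unused port not in black hole VLAN {BLACKHOLE_VLAN}")  # 5
    return sorted(findings)
```

Run `audit(open("running-config.txt").read())` against a saved `show running-config` to list which ports still miss a checklist item; the audit is config-only, so link state for the black hole rule has to be supplied from `show ip interface brief`.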


Intermediate 11 hrs 24 videos
Jeremy Cioara
Nugget trainer since 2003