Switch Port Protection

One of the interesting things about teaching a certification is that even though
CompTIA is vendor neutral, there are certain situations where particular vendors
start to show their heads.

And this particular episode, switch port protection, is a great example of that.

We're going to be talking about switch ports. Now, "switch port" is a coined term.

Basically you have two types of ports in this world.

There are ports that connect to switches.

Now these are not going to have IP addresses or anything like that.

We have ports that connect to network cards, so a network card could, for example,
be one of the ports in a router.

Routers have IP addresses; they are individual systems with IP addresses.

My little camera, when I plug it in with its RJ-45, has an IP address, but switch
ports don't have IP addresses; they don't work at Layer 3 directly. (A managed
switch has a management IP address for you to log into, but the individual ports
you plug things into do not.)

So to differentiate a regular port from a port that's in one of our switches,
Cisco coined the term switch port.

So with that in mind I want to talk a little bit about how we can protect all of
these little ports on our switches.

The situation is like this: if I'm going to be connecting switches together, what I
don't want to create is a connection between them that would make what we call a
bridging loop.

And these are bad things.

Now there is a protocol called the Spanning Tree Protocol (STP), which is built into
pretty much all managed switches, that will detect these types of things happening.

And if a loop is detected, it will automatically put one of the ports somewhere into
a blocking state to get the loop to stop.

And if you look at this diagram I could unplug any one of these ports and I would
still have a good connection on all the switches I just can't have a loop now.

STP's been around for a long time, it works pretty much automatically, and it works
great.

However over the last few years there have been security issues that have come up
that have required us to kick up our protection when it comes to our switch ports.

Now when you're setting up STP, and by the way you don't set up anything, this is
all done automatically.

This is an eraser.

It actually bothers me to even have that loop drawn there; I'm going to get rid of
that and make this pretty again.

There we go.

Now I'm happy.

So when you start plugging switches together, they will automatically, using STP,
begin to negotiate certain things that are very important.

And one of those is which switch is going to become the root bridge. "But Mike,
it's a switch."

Yeah, I know; a switch is really a multi-port bridge.

The term we use is root bridge. If you want to call it the root switch in your own
head, go for it.

But we use the term root bridge.

And what will happen is these guys will then begin to negotiate how far away they
are from the root and it's great it's a beautiful part of the protocol.

However some evil person got clever and came up with a way where they could just
plug in their own switch and then all of a sudden say oh I'm the root.

And it would cause havoc.

To counter this we came up with the concept of root guard.

Root guard is pretty simple.

You turn it on for every port that should never lead toward the root bridge, and if
a superior BPDU ever shows up on one of those ports from somebody claiming to be a
better root, the switch puts that port into a root-inconsistent (blocking) state,
cutting off the bad guy until those BPDUs stop.

That works great.

But then there's other issues that come into play.

For example, most of the ports on our switches are designed to connect individual
computers; only a few of our ports connect to other switches.

However, it's relatively easy for someone, often not evil, just not thinking, to
unplug an individual system and plug in a switch.

This can be a potential security disaster.

So what Cisco invented is something called BPDU Guard.

All this means is that when this port is initially configured, we turn it on to
say, look, the only thing you're ever going to connect to is a computer.

So the moment we try to plug in a switch, that switch is going to start sending out
what are known as BPDUs (bridge protocol data units), which are basically the
negotiation messages of STP.

And the moment that happens, this port right here completely disables itself (on
Cisco gear it goes into the err-disabled state).

I mean it disables itself so much that the only way to turn this port back on is
for an administrator to manually go into the switch configuration and turn it back
on (unless errdisable recovery has been configured, in which case the switch
re-enables it after a timeout).

They do this on purpose, because there should never be a switch plugged into this
port; only a computer should be plugged in.

And because of that, BPDU Guard, which Cisco invented, is a methodology that is
actually quite popular.

The last one I want to talk about goes way beyond STP but does a great job of
protecting our switch ports: DHCP snooping. DHCP snooping is pretty
straightforward.

We should only have one DHCP server in any broadcast domain, and that's fantastic.

However, it's easy enough to accidentally or on purpose plug in another DHCP
server. In fact, let's put DHCP up here so there's no question mark.

DHCP snooping is a very simple process where you configure the switch to say "this
port is directly connected to a DHCP server"; Cisco calls that a trusted port, and
every other port is untrusted.

So I will go into the switch and I will say port seven, in this particular case (I
can read it, you can't), is directly connected to a DHCP server.

That way, if somebody were to come along and try to plug another DHCP server in
over here, the switch automatically knows that any DHCP server reply arriving on an
untrusted port is from a rogue DHCP server and drops it before it ever reaches a
client.

That's a pretty powerful tool and a really great way to get around rogue DHCP
servers.

So remember, when it comes to Spanning Tree Protocol we've gone way beyond the
basics; things like root guard, BPDU Guard and DHCP snooping are standard
equipment on any good switch today.
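Here is what those three features look like typed into a Cisco IOS switch, as an added example that is not part of the original lecture. The interface names and roles are assumptions: GigabitEthernet0/2 is a downlink to another switch that must never become the root, FastEthernet0/1 through 0/24 are access ports for end stations, FastEthernet0/7 is the port the authorized DHCP server hangs off, and the clients live in VLAN 1.

```cisco
! Added example, not from the lecture. Assumed port roles:
!   Gi0/2      - downlink to a neighbouring switch that must never become root
!   Fa0/1-24   - access ports for PCs, printers, cameras
!   Fa0/7      - the only port with an authorized DHCP server behind it
configure terminal

! --- Root guard: put it on ports that should never lead toward the root.
! If a superior BPDU arrives here, the port goes root-inconsistent (blocking)
! and recovers by itself once the superior BPDUs stop. Do NOT put this on
! the real uplink toward the root bridge, or you block your own root port.
interface GigabitEthernet0/2
 spanning-tree guard root
exit

! --- BPDU guard: host-facing ports only. PortFast marks them as edge ports;
! bpduguard err-disables a port the instant any BPDU shows up on it.
! (The global form "spanning-tree portfast bpduguard default" does the same
! for every PortFast port at once.)
interface range FastEthernet0/1 - 24
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
exit

! Optional: without these two lines an err-disabled port stays down until an
! admin does "shutdown" / "no shutdown" on it; with them it retries after 300 s.
errdisable recovery cause bpduguard
errdisable recovery interval 300

! --- DHCP snooping: enable globally, then per VLAN, then trust ONLY the port
! toward the real server. DHCP OFFER/ACK/NAK arriving on any untrusted port
! is dropped. Option 82 insertion is turned off because many DHCP servers
! reject requests that carry it unexpectedly.
ip dhcp snooping
ip dhcp snooping vlan 1
no ip dhcp snooping information option
interface FastEthernet0/7
 ip dhcp snooping trust
exit
end

! --- Verification
show spanning-tree summary            ! confirms root guard / bpduguard counts
show spanning-tree inconsistentports  ! ports currently blocked by root guard
show interfaces status err-disabled   ! ports killed by BPDU guard
show ip dhcp snooping                 ! trusted ports and snooped VLANs
show ip dhcp snooping binding         ! MAC/IP leases the switch has seen
```

Note the difference in recovery: a root-guard violation clears on its own when the superior BPDUs go away, while a BPDU-guard violation err-disables the port and stays that way unless errdisable recovery is on. If the DHCP server is reached through an uplink rather than a local port, that uplink is the one to mark trusted.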

Switch ports do not use IP addresses or work with Layer 3

Switch interconnections use STP to detect loops, blocking a port if necessary

BPDU guard is a Cisco method allowing only non-switch devices to connect to the
switch

Port Bonding

I've got two switches here that are trunked together through one single trunk line,
and, well, I've got a problem.

I have so many devices working on these two switches (well, they're not plugged in
right now, but normally they are) that my trunk line is getting overwhelmed, and I
need to come up with some way to increase the bandwidth of my trunk line.

Now I guess I could buy new switches that were higher speed but I'd like to keep
using what I have.
So what we're going to do is we're going to do something called port bonding.

Now port bonding has about a bazillion names.

It's called link aggregation, channel bonding, port trunking, NIC trunking, NIC
teaming.

There are a million different names for this, but CompTIA concentrates on the term
port bonding, and that's what I want us to concentrate on.

So what we're going to be doing here is going through a process of taking two ports
on each one of these devices (and by the way, this is not limited to two; you can
do it with more than two if you'd like).

And they're going to work together as a team, and in essence they will act as one
single higher-speed port.

So right now here's my setup I've got this one trunk right here and I'm going to
set up two more ports and I'm going to make two ports on each one of these switches
work together and make all this happen.

So to do that we're going to have to go in.

And this is also an opportunity for us to take a look at some Cisco IOS commands
while we're at it.

So what I'm going to do is, you can see I'm already connected right now to one of
the switches and I know its IP address.

So I'm just going to fire up PuTTY and I'm going to connect to it and show you how
this all happens.

All right.

So here I am; I've got PuTTY running.

Let me do the password.

Type in the right password.

There we go.

I need to warn you: Network+ is not going to test you on IOS.

However, if you're doing a lot of stuff with switches, you're going to be working
with a lot of Cisco stuff.

Most of the heavy lifting we do is in the command line interface, which is IOS, so
get used to this stuff.

I figured this would be one great example to show you.

All right.

So what I'm going to do here is I'm going to go into each switch and I'm going to
take Ports 23 and 24 of each switch.

And I'm going to make them into a group now in the Cisco IOS world the first thing
we do is we make a group and then we go in and we assign the individual switch
ports to that group.

So follow the bouncing ball as I type in these commands.

So I have to type in configure terminal to get things started.

Now the first thing we're going to do is interface port-channel 1.

So basically we've just told the switch to create a group, and they call it a port
channel, for us to connect these two physical ports together. OK.

Now what I'm going to do is assign each of these to it.

So we'll go in.

We're going to make sure it's a trunk, and then we go into the switch port itself,
and I'm going to start with 23.

All right.

And now I'm going to assign it to that group.

OK.

Now you see I've typed in channel-group 1 mode.

Now the protocol we're going to be using is called LACP.

There were earlier protocols (Cisco's own PAgP, for one), but LACP is the IEEE
standard, so I can connect switches from different brands and everybody can make
this work.

So what we need to do is say whether this port is going to be active or passive,
whatever type of port we want.

I'm going to say active.

That basically means "if I connect you to something, look for another port that's
ready to do some port bonding." So I'm going to just go ahead and set it as active.
OK, that's done.

So what I need to do now is basically repeat the process, so this time I'm going to
go to the other port, 24.

All right.

So I've now set up both of these ports to be part of that group.

What I'm going to do now is go ahead and get the other ones set up and then we're
going to come back and actually see how all this works.

OK.

Well, if I've done it all correctly, I'm going to go ahead and plug in another
crossover cable.

And let's see what happens.

So I did it for 23 and 24 on both sides.

And if I'm doing it right we should see some lights begin to kick on, and we now
have port bonded ports 23 and 24 on each one of these guys. So it should be
working; the best way to find out is to fire up PuTTY and take a look.

OK, so I've got PuTTY here and it's already logged in.

So I'm going to type a very specific command, show interface, and I want to see
port-channel number one.

All right.

There's a lot of gobbledygook here.

But the important thing I want you to take a look at is right here.

You see where it says BW 200000 Kbit.

What that's telling us is that the port channel is now running two 100-megabit
connections together, so we have a total bandwidth of 200 megabits. So it's
working, yay, fantastic, and life is better now.

There's a couple of things need to be careful with here.

If you remember, we set the port up as active.

So you have a choice with LACP: you can turn it on as active or as passive.

When you set it up as active, that means "I don't care what's happening, I'm
sending out LACP traffic."

If you set it up as passive, that means "I will wait till I hear from a port that is
sending me stuff, and then I'll start talking."

Cisco says set them all up as active, so you can do it the Cisco way; however, for
the scope of the exam, as long as you set one as active and one as passive (it
doesn't matter which one) or both as active, it will work.

If you set them both as passive, it's not going to work.

So make sure you know that. The last thing I want to touch on is that when you've
got these up and running, it's a very, very bad idea to go into your configuration
and take one of the ports out of the bundle without first pulling out your cable.

If you don't do that you're going to create a loop and a broadcast storm, and there
are lots and lots of famous stories on the Internet of very large networks being
taken down through one very, very careless miscalculation, so be careful.

Port bonding links switch ports to increase bandwidth

Use LACP as the link aggregation protocol

Set ports to active
Port Mirroring

I've got a little problem with my old Cisco 3550 switch here.

Well you see the problem's not really with the switch.

The problem is one of the devices that I have plugged into it it's giving me a lot
of weird information it's running hard.

I'm nervous that things are coming in and out of that device that I don't want to
see.

Now I could go to that device and do all kinds of things.

But it's a busy computer so what I want to be able to do is monitor all the IP
traffic coming in and out of this device and I want to do it remotely.

Now, normally with a switch you can't do that.

I mean, the beauty of a switch is that it only forwards a frame to the port where
the destination lives.

So I can't sniff the traffic going in or out of one port from a different port.

Well, with a good managed switch you can, and we call this port mirroring (Cisco's
name for it is SPAN, Switched Port Analyzer). What we're going to do here is
configure this switch to say, listen, I want you to listen in on the port that that
bad computer's plugged into.

And I want you to take all the traffic in and out.

That's coming from that bad computer.

And I want you to send a copy over to my system.

So let's go ahead and do that, and we're going to be doing that using IOS.

OK.

So I've already got PuTTY running.

So let's go ahead and just go through the process of setting this up.

It's actually pretty easy, so I'm going to run configure terminal, and now what I'm
going to have to do first is say, look, I want to create a session, a sniffing
session kind of thing, and we're going to give it a number.

In this case I don't have any, so let's call it number one.

And then I'm going to say what the source of my sniffing is, so let's run that
command first.

So what we did here is we said, listen, let's create a first sniffing session,
we're going to call it session 1, and I want the source to be my FastEthernet port
22.

So that's all I've done up to this point.

What we now have to do is say, well, where do you want to send all this data? So
wherever I'm going to plug my sniffing device in is where I need to say my
destination is going to be.

So let's go ahead and run that command.

So it's monitor session 1 again, except this time I'm going to say destination.

And in this case I'm going to pick the particular interface that I'm going to be
plugging into, which just happens to be number 23, and voilà.

It's done.

So setting up port mirroring is actually fairly simple with Cisco devices using
IOS. Some SOHO devices also have port mirroring; it's usually in a graphical
interface and you just say "turn on port mirroring and send it to port three",
that kind of stuff.

The important thing that we need to appreciate here is that port mirroring gives
us the ability to remotely monitor the data that's going in and out of a particular
source.

Now here I'm just using one actual switch port.

But if I wanted to, I could set it up for an entire VLAN, and say I want to see all
the data coming out of VLAN 2 and send it all to my system. Yes, it can make a huge
mess (a single 100-megabit destination port can't carry copies of a whole VLAN's
traffic, so expect dropped frames), but it absolutely does work.

So when you absolutely, positively have to know what's happening way over there,
use port mirroring.

Port mirroring enables the traffic flowing through one port to be monitored on
another port

This feature enables administrators to remotely inspect traffic from a suspicious
machine

Port mirroring is configured on a switch by providing a source port and a
destination port
