Here are a couple of extra security measures that we can take with our switches.
The first one is called DHCP snooping, and this is a feature that you can turn on on some switches.
It's based on the idea that the DHCP protocol is inherently insecure.
There really is no sort of authentication to make sure that the IP addresses being assigned are from a legitimate DHCP server.
Just like so many of our protocols, DHCP was designed for function but not secure function, so we can add on security at the switch level and have the switch analyze the network for DHCP requests, specifically DHCP offers, and hopefully narrow down the offers that come from unauthorized DHCP servers.
We've also got flood guards, and our switches can look for specific types of traffic that are in excess of what's normal.
We talked a lot about denial of service attacks or ping floods; on switches, you can have MAC floods.
There are all sorts of floods: UDP floods, TCP floods, SYN floods. So ultimately, looking for an inordinate amount of traffic of a specific type would be what a flood guard is going to do for you.
The next two are root guard and BPDU guard. Both have to do with Spanning Tree Protocol.
We talked about Spanning Tree Protocol briefly, but the whole idea is that spanning tree is designed to mitigate the problem with switching loops.
What spanning tree does is create a logical structure of an inverted tree where there is a root, which is sort of the basis of the inverted tree, and all the other switches ultimately connect through a pathway up to the root, and then any other redundant links are disabled.
Ultimately, everything is coming up through the root.
We want to make sure that our particular root is one that is capable of handling a solid amount of switching traffic, because it's going to be very busy.
We also want to make sure that it is guarded and that we don't have the capability of another switch modifying or impersonating the root. That's where the root guard feature comes in.
Then we have BPDU guard. BPDU stands for bridge protocol data unit, and this is communication that should only go across trunking ports, when one switch is connecting to another switch or is connecting to a router.
We have access ports and trunk ports. Trunking is switch-to-switch; access ports are where your client devices plug in. We want to make sure that we don't have BPDUs coming in on client or access ports, because that would indicate some sort of reconfiguring in our network environment.
So we turn BPDU guard on with our access ports.
Also, with port security, we can set configuration options like only allowing certain MAC addresses, or a certain number of MAC addresses, to connect to a certain port. That's not really high security, because MAC addresses can be spoofed just like most addresses. However, that does give us one more layer of defense.
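The measures just described (DHCP snooping, flood limiting, root guard, BPDU guard and port security), shown together in one switch configuration as an added example that is not from the lecture, which names no vendor. Cisco IOS-style syntax is assumed; VLAN 10, the interface numbers and the thresholds are placeholders for illustration.

```cisco
! --- DHCP snooping: the switch inspects DHCP traffic on VLAN 10 and drops
!     OFFER/ACK messages that arrive on any port not marked as trusted ---
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface GigabitEthernet0/1
 description Uplink toward the legitimate DHCP server and the STP root
 switchport mode trunk
 ip dhcp snooping trust          ! only this port may deliver DHCP offers
!
interface GigabitEthernet0/2
 description Trunk to a downstream switch that must never become root
 switchport mode trunk
 spanning-tree guard root        ! superior BPDUs here put the port in root-inconsistent state
!
interface range GigabitEthernet0/3 - 24
 description Client access ports (end hosts only)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable  ! any BPDU on an access port err-disables it
 ip dhcp snooping limit rate 15  ! cap DHCP packets/sec per port to blunt starvation floods
 storm-control broadcast level 5.00   ! flood guard: drop broadcast above 5% of link bandwidth
 storm-control unicast level 20.00
 storm-control action trap
 switchport port-security
 switchport port-security maximum 2        ! at most two MACs per port
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! --- auto-recover err-disabled ports after 5 minutes so a stray BPDU is not a permanent outage ---
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! --- verification commands an operator would run afterwards ---
! show ip dhcp snooping
! show ip dhcp snooping binding
! show spanning-tree inconsistentports
! show port-security interface GigabitEthernet0/3
```

The `show ip dhcp snooping binding` table is also what the switch later uses to tie each client MAC to its leased IP, so an empty or unexpected binding on a port is a useful thing to alert on.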
Our key takeaways
We spent this chapter looking at switches more deeply, and we talked about the way switches operate as well as some of the security concerns with switches.
We continue to focus on the fact that switches use MAC addresses, and we have to make sure that the table in which they store those MAC addresses is protected. Remember, that table is called the CAM table, and we're concerned with things like MAC flooding.
Another concern with switches is switching loops that lead to what are referred to as broadcast storms. That's when all data is going out all ports on a switch because it's gotten confused as to where specific hosts are.
When a switch doesn't know where to send traffic, it kind of goes back to operating like a hub, and all data goes out all ports all the time.
That can be caused by a MAC flood, but we can also see that as a result of redundant links that are set up to have additional fault tolerance. If they're not configured properly with spanning tree, it can cause a lot of confusion, making spanning tree very helpful.
We also talked about needing to monitor security through our switches, but because of how switches operate, we need to enable port SPAN or port mirroring on a specific port on the switch so that we can view all traffic.
We also discussed VLAN tagging or trunking, which essentially is how we're going to enable VLANs to span multiple switches, and can also tag for layer 2 switches that still want to have VLANs and allow that inter-VLAN communication.