CompTIA Security+ SY0-601 – 3.3 Implement secure network designs. Part 2

  1. VLANs and Port Security

In this video, I’m going to be talking about VLANs and securing switches, also known as port security. We’ll take a look at some ways to configure a switch. Now, in this video I’m going to be doing some hands-on with you guys: I’m going to show you how to configure VLANs on a Cisco switch using the command line. This is not going to replace a CCNA class; I’m just going to give you an introduction to it. If you like what you’re seeing, you like how I’m configuring it, and you’re interested in learning more about this, get your CCNA. It’s a great follow-up to this certification. In particular, as soon as you’re finished with this, I would suggest moving on to that. Remember something: you can’t secure what you don’t understand. I have a great security background, but I’m also a super technical person.

I personally have over four different Cisco certifications, such as CCNA, CCNP, and so on. Okay, so I’m going to talk to you guys today about VLANs, and then we’ll see how to configure a switch. Now, I did include a video about installing Packet Tracer, so if you want to follow along with the lab, you can. Don’t forget to check out that video. Packet Tracer is where we can emulate setting up switches and configuring them. Okay, so let’s talk about VLANs. What exactly are VLANs? Virtual LANs. A VLAN is a logical segmentation of your network. VLANs are a normal thing in corporate America today, because in corporate networks around the world you want to segment your network: maybe you have sales, you have finance, you have marketing, you have management.

You don’t want the traffic from these different networks coming into each other. So I’m going to show you guys what I mean in one of my famous diagrams here. Let’s say you’ve got a big switch, and the switch has ports on it. On this port, what you can do is connect another switch to it, and all of the computers that are connected to that one, maybe you could make that marketing. Then on this one, you can connect another switch to it, and maybe you can make that sales. Maybe on this one you connect another switch to its ports, their computers, and we’ll say accounting. So what we’re doing is segmenting the network so that traffic from marketing cannot come to sales, traffic from sales can’t get to accounting, and so on.

So you’re really segmenting the traffic by the departments within the organization. Then on one of these ports here, you can connect a router, and the router will connect to the Internet. So we’ll draw a big router there, and that way, if anybody in marketing, sales, or accounting needs the Internet, they can go through the router, and it’s all done with switching. So remember, what switches do is segment your network. Now, you’ve got to have a specialized switch for this. Not every switch that you go and buy is going to have the ability to do this; you actually have to purchase what’s called a managed switch. So I’m going to show you guys how to set this up with a Cisco switch, and I’ve installed Packet Tracer on one of my computers.

We’re going to log into it, we’re going to configure it, and then when we’re done, we’re going to talk about port security and some things we should be familiar with in port security. So let’s go and set up a switch here. Where is my Packet Tracer? Okay, so I’ve installed Packet Tracer, I’ve started it up, and I have a blank workspace here. We’re going to put some devices on it. The first thing I want to do is add a switch. I’m going to go here, click on Switch, and add this 2960 switch. We’re doing some basic configs, so this is fine. I’m going to add two workstations. It doesn’t really matter which; I just need to show you guys how to configure it so you can visually see how VLANs are configured on switches. Again, this does not substitute for a CCNA class.

This is not meant for that, okay? So I’m going to add a computer, and I’m going to add another computer. We’re going to connect the two computers to two different VLANs in here. All right? So we’re going to add a connection. Let’s do a straight-through cable. We’re going to take it from this computer’s FastEthernet 0 to the switch port. Note that this says FastEthernet 0/1, so that’s the interface we’re connecting it to. We’ll take a cable from this one’s FastEthernet 0 and put it on FastEthernet 0/2. So we have one connected to interface FastEthernet 0/1 and one to 0/2. You’ve got to remember those interfaces. Now if I double-click on the switch here and go to its command line configuration, I can see the switch when it boots up. This is the switch booting up here.

Now remember, Packet Tracer doesn’t fully emulate these switches, but it basically gives you an almost fully functional version of them, and it’s really good for studying for your Cisco certifications. So it’s telling me it’s booted up, and it’s telling me that, since I just connected them, interface FastEthernet 0/1 changed its state to up and FastEthernet 0/2 changed its state to up. So now we have two in there. What I’m going to do is configure the switch. Here’s what we’re going to do. We’re going to make two VLANs. One of the VLANs, VLAN 2, we’ll call Sales, and we’ll put FastEthernet 0/1 into it. Then we’ll make VLAN 3, call it Marketing, and put the other one in there. All right, let’s see how to do this. So we’re going to go in here and type enable so we can get into the switch’s configuration.

We’ll type config t, which is configure terminal. This brings me into global configuration. Now I can really start configuring the switch. The switch comes with VLAN 1, and everything is assigned to VLAN 1 by default. What I want to do is make some new VLANs. I’m going to type vlan 2. That’s all I have to do, and I’m going to name this one Sales. That’s it. I’m just going to type exit. Then let’s create another VLAN: vlan 3. We’ll name this one Marketing, and that’s it. Basically, we now have three VLANs in there. We’ll type exit. Now what I want to do is go into the switch’s interfaces and configure port one to be in VLAN 2 and port two to be in VLAN 3.

If you remember, let’s do interface. By the way, if you don’t know how to configure Cisco devices, you don’t have to type out the full command. If you press Tab, it completes it for you, or you can just type the abbreviation, since we only have one of them. So we’ll say f0/1, the first interface, FastEthernet 0/1, and that brings up this interface. What we want to do is tell the switch, hey, you can start using this port to send and receive data. So let’s say switchport mode access. Okay, so now it’s ready to actually start receiving data. Then we’ll say switchport access vlan 2 to put this one in VLAN 2. Okay, so that’s it: FastEthernet 0/1 is now in VLAN 2. We’ll type exit. Here we go back to it.

We’ll say f0/2. We’re going to enable that. We’re going to say switchport mode access, because we want it to be an access port, and then we want to do the VLAN. We’ll put this one in VLAN 3, so just retype the command with vlan 3. Okay, so what we did there is we took a switch and configured it to have the first port in VLAN 2 and the second port in VLAN 3. That’s all we did so far. So if you want to see what I mean, hold on, let me get my switch diagram here. Here we go. What I’m trying to say is this: let’s say this was that Cisco switch. We took that first port, this port, and put it into VLAN 2, and then we put this one into VLAN 3.

So technically, if we have another switch connected, even one that is not a Cisco switch, right? If we have data coming into this port, that data will never go into this other port, because we just separated them completely. They are two different VLANs. That’s really what we just did there. Okay, so the next thing we’re doing is I want to talk about what’s known as port security. Port security is what we can do to help secure our switch. Now, the first thing I want to mention is loop prevention. When switches connect to other switches, what people do is make redundant connections. So here you have switches: switch one, switch two, switch three, and notice how these things have redundant connections; sometimes people put two lines between them.

But these redundant connections can start to cause loops in the devices. So the way we’re going to help with this, and note this term for your exam, is with STP, the Spanning Tree Protocol. The Spanning Tree Protocol is basically what’s going to prevent your switching loops; that’s your loop prevention on a switch. Remember that for your exam. The next thing I want to talk about is broadcast storm prevention and Bridge Protocol Data Unit guard. There is something really important to know that really affects and brings down an entire network: something called a broadcast storm. A broadcast storm occurs when there are so many frames going through the network that basically there’s some kind of loop with these frames going around the network, and what this does is that it will definitely bring the network down.

I mean, all the connections look good, but all the lights start flickering. It starts going crazy on the switches. Generally, a switch light blinks as data comes in and out, but when there’s a broadcast storm, it goes almost solid. So you can actually do broadcast storm control on your switches, on the interface, and set a threshold level of how much of this you’re willing to accept. I’ll show you guys that right now. We’re going to go back in here and stay on this interface. What we’re going to do is configure this broadcast storm control. For this one, we’re going to type storm-control broadcast level, and we’re just going to say 50. That basically does it; it helps to reduce broadcast storms a lot. The other one that is mentioned on our exam is something called Bridge Protocol Data Unit guard.

Bridge Protocol Data Unit guard, or BPDU guard. So what happens is that when STP is running, it uses Bridge Protocol Data Units to keep the switching network updated. Now, not every port needs them, and sometimes hackers can connect computers into your switching network and start to inject wrong information about STP. What eventually happens is they can take control of your switching network by becoming what’s known as the root bridge. If that doesn’t make a lot of sense, don’t worry about it; this is more of a Cisco topic. I’m not sure what it’s doing on this exam, but it’s here. What we want to do is prevent this from happening, and we actually have a command in our switch for that. So let’s take a look at that: Bridge Protocol Data Unit guard.

We want to enable that on our switch interface, and this is done under spanning-tree. So we’re going to type spanning... oh, you know what, I’ve got to do this in the next mode. All right. So we’ll do spanning-tree bpduguard. No, this doesn’t want to work here. Actually, you know what, I think I have to do this under the interface. You see, guys, I haven’t done this in so long. Interface f0/1 first. So we’ll do spanning-tree bpduguard enable, and that basically enables it. That was it. If you just put that in there, that enables it. That’s all this command does. All right, some problems typing in some commands there, problems with the command line. Guys, welcome to the world of the command line.

That’s why you want to make sure you don’t try to do this out of your head all the time; you should write these commands out. Okay? So this basically enabled BPDU guard on the port, so hackers just can’t connect to the port and inject STP information. Now, you’ve got to go to every port and do it port by port. Okay? The next thing we’re going to talk about is something called DHCP snooping. So what does DHCP snooping prevent? You guys should know this term; it’s a famous concept for your exam. Hackers can come into your network and connect rogue DHCP servers to it. So what you want to do is enable the command to be able to detect these rogue DHCP servers and not have them on. It’s a very simple thing to do. DHCP snooping: for this one I have to go back to global configuration. We’re going to type in ip dhcp snooping.

That is it. It enabled it in global configuration for the whole switch, and that’s as hard as it gets, okay? So remember, DHCP snooping is to detect and get rid of malicious, or we should say rogue, DHCP servers in your network. Now the other thing we’re talking about here is MAC address filtering, or MAC filtering. What this is going to do is basically prevent certain computers from connecting to your switch. This is good security to have. Let’s say you take a switch, and what you do is bind the ports on the switch to only accept certain MAC addresses. That way, if a rogue device comes and plugs in, the switch is like, oh, what’s your MAC address? And then it’s like, oh, that’s not the MAC address I have configured here, so I’m not allowing you in.

So it’s basically saying, hey, you can’t just plug in. Right now, with this unmanaged switch, you can plug in any device and it’ll take it. But if we enable port security on the Cisco switch, then it won’t take just any computer; it’ll take only the devices we configure. This can be a pain to set up, because now you’ve got to go get all the MAC addresses of all the devices and set them up. This, of course, could be difficult. Let’s take a look here at how to do this. Okay, so for this one I know I’ve got to be in an interface, because this generally applies to an interface: interface f0/1. We’ll just do it on that interface. We’ll type switchport port-security. We’re just going to enable that. So I just enabled it, because you’ve got to enable port security first.

Now what I’ve got to do is tell it, you know what, I want to accept only certain MAC addresses, and I’m going to go in here and put in a made-up MAC address. So we’ve got to put that in, and I’m just making this up right now, so you can just get a MAC address in there. Okay, that’s it. So this port on this switch will only accept that MAC address, and you could add in some additional ones. Okay, so this is how you would configure port security. Remember for your exam that port security is the ability to lock out certain MAC addresses from joining your network. This is good security to have. That way, if your switch is in a physical area and people come up to it and want to plug into it, they can’t; they’ve got to have a certain MAC address in here. And as long as they don’t have the ability to log into your switch and configure it, they really can’t get in.
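Putting the whole walkthrough together (the VLAN and access port steps, plus storm control, BPDU guard, DHCP snooping and port security) as one clean configuration listing. This is an added example, not the video’s own session or Cisco’s documentation; the uplink port Fa0/24, the per-VLAN DHCP snooping lines and the MAC addresses are assumptions or placeholders.

```cisco
! Constructed lab config, not the video's own commands: a 2960 switch in Packet Tracer,
! PC1 on Fa0/1 (Sales), PC2 on Fa0/2 (Marketing); the router uplink on Fa0/24 is an assumption.
enable
configure terminal
!
! VLANs from the walkthrough; VLAN 1 stays as the default VLAN
vlan 2
 name Sales
exit
vlan 3
 name Marketing
exit
!
! DHCP snooping: "ip dhcp snooping" alone only turns the feature on; it also has to be
! enabled per VLAN, and the port facing the real DHCP server must be trusted (see Fa0/24)
ip dhcp snooping
ip dhcp snooping vlan 2,3
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 2
 ! drop broadcast frames once they exceed 50% of the port's bandwidth
 storm-control broadcast level 50
 ! err-disable the port if an STP BPDU ever arrives from the PC side
 spanning-tree bpduguard enable
 ! only one configured MAC may use this port; 0000.1111.2222 is a placeholder
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.1111.2222
 switchport port-security violation shutdown
exit
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 3
 storm-control broadcast level 50
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.3333.4444
 switchport port-security violation shutdown
exit
!
! assumed uplink to the router/DHCP server: trusted for DHCP snooping, no port security
interface FastEthernet0/24
 ip dhcp snooping trust
exit
end
write memory
```

Check the result with show vlan brief, show ip dhcp snooping and show port-security interface FastEthernet0/1; a port that err-disables after a violation shows up in show interfaces status.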

I mean, they could spoof the MAC address. All right, so hopefully you guys enjoyed this stuff. Once again, this lab I was a little reluctant to do because this is more of a Cisco-based thing. I personally haven’t touched Cisco stuff in the last, I would say, five years or so. I haven’t taught a Cisco class, and it took me a couple of minutes to remember how to configure all these devices. You forget these commands relatively quickly. If you’re interested in this and you like seeing what I do, this is basically how to configure a Cisco device if you’ve never seen it before. Or maybe you’ve done this before and you know exactly what I was doing. Hey, that’s a great thing, but consider moving on to a CCNA when you finish here. All right, so we just talked about VLANs and VLAN segmentation, and we talked about port security in this section.