WEBVTT

00:00.000 --> 00:00.990
>> Now that we've looked at

00:00.990 --> 00:02.834
network connectivity devices

00:02.834 --> 00:04.695
and we know the
difference between a hub,

00:04.695 --> 00:07.005
a switch, a router, and a VLAN,

00:07.005 --> 00:08.850
what we'll do in the
next couple of sections

00:08.850 --> 00:10.290
is look at them more in-depth.

00:10.290 --> 00:12.270
In this section,
we are going to take

00:12.270 --> 00:13.770
>> a look at switches and VLANs

00:13.770 --> 00:16.930
>> and configuring them
in a secure environment.

00:17.389 --> 00:19.470
>> One of the first things we'll

00:19.470 --> 00:21.315
talk about is port mirroring.

00:21.315 --> 00:23.130
We've talked about
how a switch learns

00:23.130 --> 00:25.020
the network over time and

00:25.020 --> 00:26.640
the switch learns which
MAC address is

00:26.640 --> 00:29.490
attached to each port
and then follows ports.

00:29.490 --> 00:32.265
The first thing we want to
look at is port mirroring.

00:32.265 --> 00:34.130
With port mirroring,
this comes into

00:34.130 --> 00:36.050
play when we have a
device like a sniffer

00:36.050 --> 00:37.895
or an intrusion detection system

00:37.895 --> 00:39.830
that we want to bring
on the network.

00:39.830 --> 00:41.060
We've already said that switches

00:41.060 --> 00:42.350
really learn the network and

00:42.350 --> 00:45.200
forward traffic out only
the appropriate port.

00:45.200 --> 00:48.230
But when I have an intrusion
detection system or if

00:48.230 --> 00:49.460
I have a sniffer and I want to

00:49.460 --> 00:51.275
evaluate the traffic
on my network,

00:51.275 --> 00:53.615
when I plug into a
single port on a switch,

00:53.615 --> 00:55.280
there really shouldn't
be traffic coming

00:55.280 --> 00:56.780
out the port because
nobody is

00:56.780 --> 00:58.400
directing traffic
specifically to

00:58.400 --> 01:00.935
my sniffer or to my IDS.

01:00.935 --> 01:04.955
What we want to do is enable
a mode called port SPAN.

01:04.955 --> 01:08.280
As you know, everything
stands for something.

01:08.980 --> 01:13.595
The SPAN stands for
Switched Port Analyzer.

01:13.595 --> 01:16.100
Essentially, that's an
administrative mode,

01:16.100 --> 01:17.660
which is just going to allow

01:17.660 --> 01:20.555
the network packets to come
out of a particular port.

01:20.555 --> 01:23.645
That particular port on
which I've enabled SPAN.

01:23.645 --> 01:25.700
This is one of the ways
we're going to be able to

01:25.700 --> 01:27.910
monitor traffic on
a switch network.

01:27.910 --> 01:31.590
Like we said, switches
are Layer 2 devices.

01:31.590 --> 01:34.175
They use MAC addresses
to learn the network.

01:34.175 --> 01:35.840
They store that MAC address in

01:35.840 --> 01:37.410
a table called the CAM table

01:37.410 --> 01:39.200
and that's where
the MAC addresses

01:39.200 --> 01:41.065
are mapped to specific ports.

01:41.065 --> 01:42.740
We want to consider things like

01:42.740 --> 01:45.210
MAC flooding as a threat
and what happens with

01:45.210 --> 01:47.690
MAC flooding is the
legitimate entries in

01:47.690 --> 01:49.460
the CAM table are
overwritten with

01:49.460 --> 01:51.545
bogus entries and ultimately,

01:51.545 --> 01:53.630
what it winds up doing
is causing the switch to

01:53.630 --> 01:56.365
forget all the ports that
it has learned over time.

01:56.365 --> 01:58.140
When a switch doesn't know which

01:58.140 --> 01:59.840
port to forward traffic out of,

01:59.840 --> 02:00.900
it acts just like a hub

02:00.900 --> 02:03.660
>> and sends all
data out all ports

02:03.660 --> 02:05.030
>> until it learns
the network again,

02:05.030 --> 02:07.570
>> so MAC flooding is a concern.

02:07.570 --> 02:10.020
When considering MAC addresses,

02:10.020 --> 02:12.410
we want to perhaps add
the security of requiring

02:12.410 --> 02:15.620
a specific MAC address to
connect to a specific port.

02:15.620 --> 02:18.050
Sometimes there are flood
guards you can enable

02:18.050 --> 02:20.365
on a switch to look for
things like MAC flooding.

02:20.365 --> 02:21.800
We just want to
make sure that the

02:21.800 --> 02:23.060
>> CAM table is protected

02:23.060 --> 02:25.880
>> because like I said, when
the CAM table is overwritten,

02:25.880 --> 02:28.250
the device turns back
into being a hub,

02:28.250 --> 02:31.775
which from the standpoint
of security is very weak.

02:31.775 --> 02:35.300
Spanning Tree Protocol is
a technique that's used to

02:35.300 --> 02:36.860
eliminate the
problem or at least

02:36.860 --> 02:39.535
mitigate the problem
of switching loops.

02:39.535 --> 02:41.540
Many times we have switches

02:41.540 --> 02:43.550
connected together
with redundant links,

02:43.550 --> 02:45.200
because if one link goes down,

02:45.200 --> 02:46.820
we still want connectivity.

02:46.820 --> 02:48.560
The problem with
that is that we can

02:48.560 --> 02:50.150
have a problem where
the switches learn

02:50.150 --> 02:53.420
the same destination IP
address on multiple ports,

02:53.420 --> 02:55.220
and that causes
confusion because

02:55.220 --> 02:56.420
the broadcast will send out

02:56.420 --> 02:58.340
that information to
the other switches,

02:58.340 --> 03:00.650
you wind up having something
called switching loop,

03:00.650 --> 03:02.960
which can cause lots of
problems and can cause

03:02.960 --> 03:04.520
MAC table to be overwritten

03:04.520 --> 03:06.535
and cause some conflicts there.

03:06.535 --> 03:09.980
What Spanning Tree Protocol
does is very basic.

03:09.980 --> 03:11.495
When you have redundant links,

03:11.495 --> 03:12.950
you configure those links so

03:12.950 --> 03:14.525
that one is in a
state of listening,

03:14.525 --> 03:16.385
the other is in forwarding mode.

03:16.385 --> 03:19.220
The port that's in forwarding
is sending traffic,

03:19.220 --> 03:21.110
while the other is
sitting there waiting

03:21.110 --> 03:23.665
till the main port or
forwarding port fails.

03:23.665 --> 03:25.830
In that state, the
listening ports

03:25.830 --> 03:27.715
become active forwarding ports.

03:27.715 --> 03:29.390
It's a way of prioritizing

03:29.390 --> 03:31.100
one link while telling
the other links to

03:31.100 --> 03:32.300
stand down until there's

03:32.300 --> 03:35.580
a failure and need for
redundancy arises.

03:35.810 --> 03:40.520
With VLANs, we have VLAN
tagging or VLAN trunking.

03:40.520 --> 03:43.355
This is what allows VLANs
or inter-VLAN traffic

03:43.355 --> 03:44.800
to happen on a switch.

03:44.800 --> 03:47.270
Ultimately, if we're
connecting a switch to

03:47.270 --> 03:50.090
a router and we've got
multiple VLANs on a switch,

03:50.090 --> 03:51.980
there has to be a way
for that router to

03:51.980 --> 03:53.900
differentiate for the switch

03:53.900 --> 03:56.625
which VLAN to send traffic to.

03:56.625 --> 03:58.945
If you can see in
this illustration,

03:58.945 --> 04:00.595
there are a couple
of different VLANs.

04:00.595 --> 04:02.350
Remember, we're assuming

04:02.350 --> 04:04.000
this is a Layer 2
switch based on

04:04.000 --> 04:05.800
this diagram and
a Layer 2 switch

04:05.800 --> 04:08.405
can't allow inter-VLAN
communication.

04:08.405 --> 04:10.875
What they've done in this
illustration, rather

04:10.875 --> 04:12.625
than using a Layer 3 switch,

04:12.625 --> 04:14.500
is they've connected
that Layer 2 switch

04:14.500 --> 04:16.405
to a router, and that works.

04:16.405 --> 04:18.270
The traffic goes
out to the router,

04:18.270 --> 04:19.410
the router adds a tag,

04:19.410 --> 04:21.854
>> and sends our packet
back to the switch.

04:21.854 --> 04:24.209
>> If it has traffic,
in this illustration

04:24.209 --> 04:27.100
for the 172.16.20 network,

04:27.100 --> 04:29.475
it gives a tag
that says VLAN 10.

04:29.475 --> 04:32.665
If it's for the
172.16.10 network,

04:32.665 --> 04:34.990
it gives a tag called VLAN 20,

04:34.990 --> 04:36.505
so that a Layer 2 switch can

04:36.505 --> 04:38.335
understand where
to send traffic.

04:38.335 --> 04:42.225
Remember, Layer 2 switches
only use MAC addresses.

04:42.225 --> 04:45.235
We have VLANs that need to
communicate with each other.

04:45.235 --> 04:47.120
They are separate IP addresses

04:47.120 --> 04:49.325
and we have to have
a Layer 3 device.

04:49.325 --> 04:52.130
If we didn't have a Layer
3 device or a router,

04:52.130 --> 04:54.800
then we could have
used a Layer 3 switch.

