1
00:00:00,780 --> 00:00:07,530
BPDU Guard is one of multiple security mechanisms available in spanning tree to protect your spanning tree

2
00:00:07,530 --> 00:00:08,730
network.

3
00:00:08,730 --> 00:00:16,050
This could be something as simple as a user connecting a cheap consumer switch to a network that doesn't

4
00:00:16,050 --> 00:00:22,050
support spanning tree and hence causing a loop, or something malicious such as an attacker plugging in

5
00:00:22,050 --> 00:00:24,210
a switch and making that switch

6
00:00:24,210 --> 00:00:32,070
the root of the spanning tree so that the attacker can analyze your network traffic that traverses that

7
00:00:32,070 --> 00:00:38,730
switch, or it could be an attacker simply connecting a switch to your topology,

8
00:00:38,810 --> 00:00:46,870
lowering the priority and degrading the performance of your network considerably by forcing the network

9
00:00:46,870 --> 00:00:51,710
traffic to go through a low-performance switch.

10
00:00:51,730 --> 00:00:58,570
So one of the options you have to stop this is BPDU Guard, which will disable a port if any BPDU is received

11
00:00:58,570 --> 00:00:59,860
on that port.

12
00:00:59,880 --> 00:01:06,100
This is useful on ports that are going to be used as access ports and that should never be connected

13
00:01:06,100 --> 00:01:07,570
to another switch.

14
00:01:07,570 --> 00:01:12,240
In other words, ports that are going to be configured as PortFast ports.

15
00:01:12,420 --> 00:01:15,100
There are two ways to configure BPDU Guard.

16
00:01:15,360 --> 00:01:22,040
You can either do it on a per-interface basis or configure it globally on a switch. On a per-port basis

17
00:01:22,050 --> 00:01:28,900
you would type spanning-tree portfast and then spanning-tree bpduguard enable. Globally on the switch

18
00:01:28,900 --> 00:01:36,290
you can use the command spanning-tree portfast bpduguard default. In the topology, let's assume that this hub shouldn't

19
00:01:36,290 --> 00:01:37,850
be connected to the network.

20
00:01:38,690 --> 00:01:47,330
And we'll enable BPDU Guard on switch 2 and switch 3 because we shouldn't be receiving BPDUs on any of these

21
00:01:47,330 --> 00:01:52,580
ports. These ports should be connected to users' PCs rather than a hub.

22
00:01:55,280 --> 00:02:01,840
So conf t, spanning-tree portfast edge bpduguard

23
00:02:04,560 --> 00:02:13,940
default. We have globally enabled BPDU Guard on switch 2. At the moment port gigabit

24
00:02:13,950 --> 00:02:22,100
0/1 is not enabled for PortFast, and we can see that by using the command show spanning-tree interface

25
00:02:22,370 --> 00:02:32,760
gigabit 0/1 portfast. So it's disabled, but on gigabit 0/1 let's type spanning-tree port

26
00:02:32,760 --> 00:02:33,210
fast.

27
00:02:36,750 --> 00:02:44,160
Notice very quickly BPDU Guard warns us that a BPDU is received on the port and the port has been

28
00:02:44,160 --> 00:02:52,290
disabled. So, bpduguard error detected on this port, port is placed in the disabled state, port has gone

29
00:02:52,290 --> 00:02:56,600
down. So show interface

30
00:02:56,650 --> 00:03:04,880
gigabit 0/1: interface is down, line protocol is down because the port was err-disabled.

31
00:03:06,110 --> 00:03:08,330
Show spanning-tree.

32
00:03:08,450 --> 00:03:10,960
Notice the port is not shown in the output here.

33
00:03:12,010 --> 00:03:17,530
If we look at gigabit 0/1 portfast we can see that no spanning tree information is available on this

34
00:03:17,530 --> 00:03:23,740
port because the port has been disabled. Show spanning-tree inconsistentports.

35
00:03:26,560 --> 00:03:35,820
Show spanning-tree summary: we can see that the switch is using Rapid PVST and we can see that

36
00:03:35,820 --> 00:03:39,010
PortFast edge BPDU Guard default is enabled.

37
00:03:39,970 --> 00:03:46,510
So shut that port down and then no shut it.

38
00:03:46,610 --> 00:03:54,830
And let's see what happens again. So no shut it. Notice immediately

39
00:03:54,830 --> 00:03:59,020
the port is disabled. So do show run interface

40
00:03:59,240 --> 00:04:04,250
gigabit 0/1. We need to remove this portfast command.

41
00:04:04,250 --> 00:04:08,000
So no spanning-tree portfast

42
00:04:11,690 --> 00:04:15,340
and do show run interface gigabit 0/1.

43
00:04:15,590 --> 00:04:19,230
We've now removed PortFast, so shut the port down.

44
00:04:20,380 --> 00:04:21,640
And no shut it.

45
00:04:23,870 --> 00:04:34,500
Notice the port comes up. Show spanning-tree blockedports: gigabit 0/1 is now being blocked because

46
00:04:36,430 --> 00:04:43,120
that port is an alternate port on this segment. The designated port is gigabit 0/1 on switch

47
00:04:43,150 --> 00:04:50,620
3, and we can see that by typing show spanning-tree. Notice gigabit 0/1 is the designated port

48
00:04:50,620 --> 00:04:51,340
on the segment.

49
00:04:51,340 --> 00:04:52,270
This is a hub.

50
00:04:52,330 --> 00:04:53,360
Please note.

51
00:04:53,560 --> 00:04:56,820
So this is the designated port for this segment.

52
00:04:57,600 --> 00:05:03,890
This port gigabit 0/1 is blocking on switch 2.

53
00:05:04,290 --> 00:05:11,250
So these ports should have been connected to PCs, but if a user connected a hub or someone was trying to

54
00:05:11,250 --> 00:05:15,930
do something malicious, BPDU Guard blocks the ports immediately.

55
00:05:15,930 --> 00:05:19,090
Now we can configure this on a per-port basis.

56
00:05:19,380 --> 00:05:20,960
So let's do that on gigabit

57
00:05:20,970 --> 00:05:27,530
0/2: spanning-tree bpdu

58
00:05:27,570 --> 00:05:30,380
guard enable.

59
00:05:34,030 --> 00:05:39,100
Notice immediately a BPDU was received on the port; the port goes to the disabled mode.

60
00:05:39,190 --> 00:05:45,340
So if you enable it on an interface, the port doesn't even need to be configured as a PortFast port;

61
00:05:46,030 --> 00:05:47,790
when a BPDU is received on the port,

62
00:05:47,800 --> 00:05:51,140
it immediately disables.

63
00:05:51,270 --> 00:05:52,920
So do show interface

64
00:05:52,920 --> 00:05:57,220
gigabit 0/2. Notice the port is down.

65
00:05:57,550 --> 00:05:58,540
It's err-disabled.
