Cisco CCNP SWITCH 642-813

Campus Security: VLAN and Spoofing Attacks

by Jeremy Cioara



00:00:00 - Sometimes when I'm putting slides together, I find pictures that
00:00:04 - are, uh, they're good, they're just more of kind of amusing,
00:00:08 - keeps the slide a little lighter and so on. And sometimes I found
00:00:11 - pictures that are just priceless. And that would be one of them.
00:00:15 - That picture
00:00:18 - perfectly explains Campus Security, or, I should say, Layer 2
00:00:23 - Security. It reminds me when I saw that I, I, you know, thought
00:00:29 - many things when I saw that picture. But it reminded me of when
00:00:32 - I was a kid. My dad actually took me aside and he said "Jer,
00:00:37 - if you ever get in a fight with a bully at school, the key is
00:00:41 - to go for the nose" he said, because if you hit them in the nose,
00:00:45 - you know it just hurts so bad it doesn't matter how big that
00:00:48 - bully is, they're going to fall over. Thankfully I never had
00:00:53 - the opportunity to apply his advice because I found out later
00:00:56 - that you can actually kill somebody by hitting them in the nose
00:00:59 - at just the right angle anyway. But the point of all this story
00:01:03 - is that you're essentially, if you're ignoring Layer 2 security,
00:01:08 - you've got your nose exposed to the network. Meaning it doesn't
00:01:11 - matter what kind of access list you have set up, it doesn't matter
00:01:15 - the strength of your firewall, your firewall redundancy, none
00:01:18 - of that matters because your nose is right there exposed for
00:01:23 - somebody to hit. And if they hit it, your whole network goes
00:01:26 - down with it. So that's why this Campus Security is so essential.
00:01:30 - And we're going to transition that into now VLAN and spoofing
00:01:34 - attacks. We are gonna start off by talking about what VLAN hopping
00:01:38 - attacks are and how it's, how easy it is to prevent them. But
00:01:42 - a lot of people forget. Also, we'll move into a fairly new concept
00:01:47 - called private VLANs which are amazing. I love them, but if you
00:01:51 - don't understand what VLANs are, then, boy, this will
00:01:54 - push you over the edge. Then we'll look at finally mitigating
00:01:59 - spoofing. We'll talk about what spoofing is all about and we
00:02:02 - mitigate spoofing with snooping, two equally odd terms to combat
00:02:08 - each other and using a feature called IP Source Guard. The
00:02:12 - first kind of attack is called a VLAN Hopping attack. What this
00:02:17 - is is where a hacker or an intruder negotiates a trunk connection
00:02:21 - with the switch. And once that happens, you can move between
00:02:25 - VLANs seamlessly. All of the VLAN accesses, they have the things
00:02:29 - preventing people from moving between VLANs and protecting your
00:02:32 - servers are gone. If you're running voice over IP, the hacker
00:02:36 - could move their switch or their computer onto the voice over
00:02:41 - IP VLAN and then start tapping people's conversations and recording
00:02:44 - them into wav files. So that's a pretty serious attack. Now you
00:02:50 - notice the second bullet says it's simple yet easily forgotten
00:02:54 - prevention to keep this from happening. The reason why is you
00:02:58 - know life happens. Businesses get busy and you know you're sitting
00:03:01 - there and you run out of switch ports and they're like, ah, get
00:03:04 - another Cisco switch on order. You know, next day you get the
00:03:07 - switch in. Next day unbox it, you're like, oh, this is just
00:03:10 - going in a wiring closet. You put it in there. Create the VLANs
00:03:13 - and assign the ports to the right VLAN, and you're good to go.
00:03:16 - But what you don't realize a lot of times, and I forget a ton
00:03:21 - of times, I mean there's so much stuff to remember. That's why
00:03:23 - you need like a list of best practices that you run down every
00:03:28 - time you get a new device in the network. Let me just, this is
00:03:30 - a base config switch, just has a name, and I think a couple VLANs
00:03:34 - on there. I'll do a show running-config and I want you to notice
00:03:39 - every single port on a switch by default has switchport mode
00:03:46 - dynamic desirable.
00:03:49 - Now let's go under the interface. I'll just go under, let's do
00:03:53 - this, interface range fast Ethernet 0/1 to 24 and I'll do a switchport
00:03:59 - mode ?. You can see that we have access, dot1q-tunnel,
00:04:06 - dynamic and trunk. Now access mode means it is a hard coded VLAN
00:04:11 - and it never changes. Trunk means it's a trunk and it's uplinked
00:04:14 - to another switch. Dynamic means it's both meaning if the switch
00:04:21 - sees another switch and it negotiates with the other switch.
00:04:25 - And we talked about this earlier in the series using the dynamic
00:04:27 - trunking protocol. It's gonna negotiate a trunk and become a
00:04:31 - trunk and that's the default mode for everything. Now from an
00:04:35 - easy to use perspective, sure, that's great because we can just
00:04:38 - plug switches together. They automatically negotiate trunks
00:04:41 - or access ports. But from that intruder's perspective, that's
00:04:45 - not good. Well, I guess for them it's good because all they
00:04:49 - have to do is simulate some DTP packets (Dynamic Trunking Protocol)
00:04:54 - or even simpler just bring in a managed switch, another Cisco switch
00:04:58 - or some other vendor, plug it in there and it negotiates a trunk
00:05:02 - and now they can assign whatever ports they want to VLANs that
00:05:07 - they shouldn't belong in. Now that's the point of that second
00:05:12 - bullet. It's simple yet easily forgotten prevention. What do
00:05:14 - you think the prevention is?
00:05:17 - Well, we're under the mode right here, switchport mode
00:05:22 - access, that's it. That's all you gotta do. And now when I go
00:05:25 - back and do a show run, you can see all the ports have switchport
00:05:28 - mode access. They are hard coded to a specific VLAN. As
00:05:32 - of right now they are all on VLAN1 and that will now prevent
00:05:35 - the hacker from negotiating any kind of trunk connection with
00:05:38 - the switch. Now
00:05:40 - let's move into what I would consider the killer concept of the
00:05:43 - day. It's private VLANs. I call it that because when I first
00:05:48 - saw em I was thinking, wow, that's amazing. It's VLANs within
00:05:53 - VLANs. But before we get into the technical reality behind them,
00:05:57 - let's talk about why we need them. When cable modems first came
00:06:01 - out I was one of the first subscribers to em and this was probably
00:06:06 - a good decade ago now. It was out here in Arizona. We had Cox
00:06:11 - Communications who partnered up with the At Home Network. And
00:06:14 - to give you an idea of how early I was on the cable modem system,
00:06:18 - I actually got the email address. It was the best email address
00:06:24 - I've ever had. I would give it to people and they'd be "really
00:06:26 - seriously, that's your email?" and that was it Jeremy@home but
00:06:29 - then At Home went out of business and I lost it, cursed At Home
00:06:33 - Network. Anyway, when I first got on the cable modem
00:06:38 - network it was funny, I mean, we had Windows 95 or maybe even
00:06:42 - 3.1 but it was early on, Windows I think it was Windows 95 and
00:06:47 - we were connected to the cable modem network. And I was thinking,
00:06:50 - wow, this is amazing. You know really high speed internet. I
00:06:53 - loved it and all that. And then I double clicked on Network Neighborhood,
00:06:57 - you remember that little icon in Windows 95 that kind of let
00:07:01 - you use, browse the network just via NetBEUI or something like
00:07:04 - that. Well, I actually saw in the Network Neighborhood here's
00:07:08 - my house, Jerry's house, and I saw my neighbor's house and I
00:07:14 - saw their neighbor's house and all the other people who were
00:07:18 - on the cable modem network and you know back then I didn't really
00:07:21 - have much, as much of a network mindset as I did now, ah, that's
00:07:25 - interesting, and I double clicked on it and I actually saw, you
00:07:29 - know, their printers and file shares and stuff like that. I mean
00:07:32 - back then
00:07:34 - network browsing wasn't really secure with Windows 95. And just
00:07:39 - to be funny I actually printed a few things to, ah, I don't even
00:07:43 - know if it was my neighbor. I just saw their computer name but
00:07:46 - I printed a few things to their printer just to make myself smile
00:07:50 - and probably freak somebody out. But anyway, the point of that
00:07:53 - is it was a wide open network on the cable modem world. I could
00:07:57 - see everybody that was on the same subnet as me. So they needed
00:08:01 - a system that somehow we could all be on the same subnet because
00:08:05 - you don't want to create a zillion subnets for all these people.
00:08:08 - Because, remember, every single time you subnet, you waste IP
00:08:11 - addresses because you have the network and broadcast ID, so you
00:08:14 - can't do that. So we need a system to where somehow all these
00:08:18 - people can be on the same subnet and yet within that subnet can
00:08:23 - not access each other. I know it sounds like an easy solution
00:08:28 - at first. But when you really think of it and you're like, well,
00:08:31 - no it's not really an easy solution because we've got people
00:08:34 - coming into switch ports right here that I mean they need to
00:08:38 - get to this router which is on their same subnet but can't get
00:08:41 - over here and there's no real access list that you can, you know,
00:08:45 - start applying. And if there was, it just would be a nightmare
00:08:48 - because all these addresses are DHCP assigned, huh, you see the
00:08:52 - issue? That's where private VLANs come in. What private VLANs
00:08:57 - can do is create VLANs within VLANs.
00:09:03 - Here's how it works. Private VLANs are really just sub VLANs
00:09:08 - of a big VLAN. Hehe, let me draw it up because that's a little
00:09:12 - easier. When we create private VLANs, we'll create something
00:09:16 - known as a primary VLAN. And we'll say that VLAN 5 and that'll
00:09:21 - be our primary. That's the one that defines what subnet everybody's
00:09:25 - in. It's a VLAN as we've all come to know VLANs. Now within VLAN
00:09:30 - 5 I can go ahead and add different sub VLANs. Looks like a chocolate
00:09:35 - chip cookie. Or we have these different sub VLANs inside of here
00:09:38 - that, you know, maybe this one is VLAN sub VLAN 20, this one
00:09:43 - over here is sub VLAN 30 and so on. And these VLANs can then
00:09:47 - be isolated from each other. Oh, actually there are three different
00:09:51 - kinds of sub VLANs that you can create and three different types
00:09:55 - of port assignments that you can have. You can have promiscuous
00:09:58 - ports, isolated ports, and community ports. Here's how it works.
00:10:04 - Let's say that this segment over here on the left represents
00:10:08 - the DMZ and I have three servers attached to that DMZ, maybe
00:10:12 - a web server,
00:10:15 - a SQL database. And over here is an FTP server. Now the web server
00:10:22 - and the SQL database go hand in hand because the web servers,
00:10:25 - one of those dynamic websites that pulls all of its, it's a database
00:10:29 - driven website. It pulls all its data from the SQL server. So
00:10:32 - those have to be able to speak. The FTP server, however, is just
00:10:36 - its own thing. It's used to dump files here and there. And I
00:10:39 - want to make sure that it's as secure as possible. Well, what I
00:10:42 - can do is create the FTP server or add the FTP server as an isolated
00:10:48 - port. What that is is a port that is in the VLAN. We'll say this
00:10:55 - on the chocolate chip cookie over here is an isolated port. It's
00:10:58 - a port that is in the VLAN but cannot speak to anybody else in the
00:11:02 - VLAN. It's isolated on its own. Now that poses a problem because
00:11:08 - how does it reach the default gateway and get out to the internet
00:11:11 - so that people can drag and drop files? Well, this port I'll
00:11:15 - configure as a promiscuous port. I'll just put prom right next
00:11:19 - to that. Promiscuous ports can be reached by anything within
00:11:25 - the private VLAN. So, for instance, I've got, you know, sub VLAN
00:11:28 - 20, sub VLAN 30, the isolated port over here, another isolated
00:11:32 - port over here, all of those can reach the promiscuous port.
00:11:36 - Now there's only one other type of port and that is the community.
00:11:40 - That's what these two will be in. The web server and the SQL
00:11:45 - server end up inside of a community port which is truly the sub
00:11:49 - VLAN which we'll go ahead and say that's community 30 or sub
00:11:52 - VLAN 30. The community port can reach other things within their
00:11:56 - community so they'll be able to talk just fine and they'll be
00:11:59 - able to reach the promiscuous port so they'll be able to get
00:12:03 - out to the internet. So at that point we now have community ports
00:12:07 - and isolated ports, now this group over here just represents
00:12:10 - a set of hosts in the network and I'll put them in their own
00:12:14 - community port. We'll say community 50, which allows them to
00:12:18 - get to the promiscuous port, reach each other, but I can then
00:12:22 - ban them from reaching community 30 and they're definitely not
00:12:25 - gonna be able to reach the isolated port nor will the isolated
00:12:28 - port reach them. That's great because the FTP server, if it gets
00:12:34 - compromised, meaning somebody sends a file that's a malicious
00:12:38 - trojan and they take over and gain control of the FTP server,
00:12:42 - well, at that point they can only get to the FTP server. They're
00:12:46 - completely isolated from reaching other things in my DMZ and
00:12:50 - definitely, excuse me, isolated from reaching the community of
00:12:54 - hosts down here. So that's how private VLANs function. So
00:12:59 - going back to my cable company home scenario, all we would have
00:13:03 - to do to solve this situation is use private VLANs and set up
00:13:07 - each house or each port going to the house as an isolated port
00:13:12 - to where the isolated port will only be able to reach the promiscuous
00:13:16 - port which is their default gateway that allows them out to the
00:13:19 - Internet. So private VLANs are pretty powerful for
00:13:23 - providing isolation and segmentation within one VLAN. I
00:13:28 - think seeing private VLANs configured will help explain a lot
00:13:32 - of the questions you might be having, cause one config speaks
00:13:35 - a thousand words. What I have is a diagram reflecting essentially
00:13:39 - what we saw in the previous slide with the DMZ servers. Over
00:13:43 - on the left I've got my World Wide Web server. In the middle
00:13:47 - I've got my SQL database, and on the right hand side I have my
00:13:51 - FTP server.
00:13:53 - Now what I want to do is set this up in a similar fashion to
00:13:56 - where FTP is an isolated port, SQL and www are a community port
00:14:02 - that will be in the, excuse me, the same sub VLAN and this router
00:14:06 - up here will be a promiscuous port that all of these can access
00:14:09 - and yet the FTP server will be isolated from the web and
00:14:14 - SQL Server and vice versa. So when we start configuring this,
00:14:19 - the first thing we need to make sure is in place is our VLAN
00:14:22 - numbers. When you configure private VLANs, you have to have one
00:14:26 - parent VLAN or what's officially called the primary VLAN. This
00:14:31 - is the real VLAN that encompasses all of the sub VLANs or private
00:14:36 - VLANs inside of it, and we'll say the primary VLAN is 200 and
00:14:40 - that will define the subnet, you remember VLAN equals a subnet,
00:14:43 - and that will be the subnet everybody's on. Now the sub VLANs
00:14:47 - or the private VLANs are not going to be separate subnets. They're
00:14:49 - all part of the primary. So we'll make the community VLAN 205,
00:14:55 - we'll make the isolated VLAN 210.
00:14:58 - Now you can only have one isolated VLAN per primary, but you
00:15:02 - can have many ports in that isolated VLAN and every single, for
00:15:06 - instance, if I had five servers assigned to the isolated VLAN
00:15:09 - 210 it's not like those five servers can talk, they're all isolated
00:15:12 - from each other, even though they're in the same VLAN 210. Now
00:15:16 - when we start configuring this, uh, first thing I want to make
00:15:19 - sure of is that you notice the port numbers, you see fast Ethernet
00:15:22 - module 4, port 24, this is not my 3550; I'm actually using one
00:15:27 - of my client's 6500 switches because the 3550 does not support
00:15:32 - this and don't worry no production networks will be harmed in
00:15:36 - the shooting of this film, and I'm saying that more to reassure
00:15:40 - myself than to reassure you. But
00:15:43 - first things first, let's get on that 6500. And I'm going to
00:15:47 - get into global config mode, and first thing I want to mention
00:15:50 - is the telnet session's gonna be a little slower. This is a high
00:15:53 - traffic network. And it's half way around the world. So first
00:15:58 - thing we have to do is set this into VTP transparent mode. So
00:16:03 - I'm gonna type vtp mode transparent. Private VLANs can only be
00:16:08 - configured on a transparent mode switch. If it's one of the others,
00:16:11 - server or client, it's gonna say, sorry, rejected, you can't
00:16:14 - do it. And the reason for that is you don't want your private VLANs
00:16:17 - being propagated via VTP to the rest of the network. So we're in
00:16:21 - transparent mode. Now let's create our primary VLAN first. I'll
00:16:25 - type in vlan 200. It's just like creating a new VLAN. And I'm
00:16:30 - going to add the syntax private-vlan followed by, and there
00:16:34 - are three different options, primary,
00:16:38 - isolated, and community. Now promiscuous is going to be configured
00:16:43 - on the port level. We'll do that in a moment. And association,
00:16:46 - I'm gonna talk about, well, in just a moment. So this one is
00:16:50 - the primary. It's the parent of all of them. So I'm going to
00:16:53 - type in primary, hit enter. We've started our private VLAN config.
00:16:57 - I'm gonna exit back out, and I just want to show you something.
00:17:00 - I'm gonna type in vtp mode server and right away it's gonna give
00:17:04 - me an error saying, sorry, you can't do that cause there's private
00:17:07 - VLANs configured on this device, just to verify that you can,
00:17:11 - you have to be in transparent mode. So I'm gonna type in vlan.
00:17:14 - Let's create
00:17:16 - the community one, do vlan 205,
00:17:20 - and then I will type in private-vlan. And this is gonna be a
00:17:24 - community, exit out, vlan 210, wait for my prompt to catch up,
00:17:29 - private-vlan, and this will be isolated.
00:17:33 - Enter. So now I've got my three private VLANs created and they're
00:17:37 - good to go. The last thing I have to do on the VLAN
00:17:42 - itself is to associate these two sub VLANs with the primary because
00:17:49 - I could have many sets of private VLANs configured on my switch,
00:17:52 - you know one for the DMZ, one for some clients, and so on. I
00:17:56 - need to associate these sub VLANs with the primary. So I'm going
00:18:00 - to go back into vlan 200. And, by the way, some people say you
00:18:03 - should create the primary last because of this, but the order
00:18:06 - doesn't really matter. You just have to go back in. And I'm gonna
00:18:09 - type in private-vlan. Now we're gonna follow this up with the
00:18:12 - association. Now you see what that keyword is for. It associates
00:18:16 - the primary VLAN with these two private VLANs. So I'm gonna type
00:18:22 - in association, hit the question mark and you can see you type
00:18:25 - in a list, you just add some, remove some or however you want
00:18:28 - to do, I'll go ahead and put, uh, I want to associate
00:18:32 - 205 and 210. Those are my two private
00:18:38 - VLANs. Might be comma 210,
00:18:40 - okay, there we go. No space. Sometimes the spacing counts. So
00:18:46 - we've got the private VLAN now associated, the primary associated
00:18:50 - with the two sub VLANs 205 and 210. The
00:18:54 - last piece of setting this up is associating the ports. But before
00:18:58 - we do that, I want to verify that everything is looking okay.
00:19:02 - I'll do a control Z, back out to privilege mode,
00:19:07 - and type in the command show vlan private-vlan type.
00:19:14 - And right there we see our three private VLANs that we've created.
00:19:17 - 200 is the primary type. That is the parent. 205 is the community
00:19:22 - VLAN. And 210 is the isolated VLAN. So let's set up the ports.
00:19:26 - We do this from each individual interface. And let's go back
00:19:29 - here. I'm gonna set up my two community ports, first 4/24 and
00:19:33 - 4/25. So I'm gonna go into global config, interface
00:19:38 - 4/24, and I'm gonna type in switchport mode private-vlan and
00:19:49 - follow that up with the type that it is. We either have the host
00:19:54 - or the promiscuous and you can already see the first command
00:19:56 - we'll use on the promiscuous port. Uh, in this case the community
00:20:00 - ports are considered hosts. These are part of the hosts that are
00:20:04 - connecting to the network. We'll then type in what VLAN it belongs
00:20:08 - to. I'm gonna type in switchport private-vlan and then you type
00:20:12 - in host-association. And this is where it can get complex, if
00:20:16 - you're not prepared for this. You have to type in the primary
00:20:19 - VLAN followed by the secondary VLAN or the sub VLAN. So in our
00:20:24 - example the primary VLAN is gonna be 200 and then the sub VLAN
00:20:28 - will be the community one 205. So let's jump back in there. I'm
00:20:32 - gonna say host-association and it's coming up and saying what
00:20:35 - is the primary, normal or extended range. We're gonna use the normal
00:20:39 - range, it's 200, now it's coming up and saying what is your secondary.
00:20:42 - The secondary is 205.
00:20:46 - Good. That port fast Ethernet 024 is now associated with that
00:20:51 - private VLAN. I'll get under fast Ethernet 4/25
00:20:56 - and do the same thing because let me just make sure on my diagram
00:20:59 - 4/25, uh, just hit the up arrow a couple of times, private-vlan.
00:21:05 - This is a host port and then it is part of private-vlan host-association
00:21:08 - 200 and 205. Now we'll do the isolated port, no different
00:21:14 - because the VLAN is what really defines its function. So I'm
00:21:17 - gonna go under fast Ethernet 0/26
00:21:21 - or I keep saying 0. I'm so used to it. 4/26. I'll do private-vlan
00:21:25 - host. But this time the host-association is going to be
00:21:29 - 200 and 210. And just by associating with that VLAN that's configured
00:21:36 - as an isolated VLAN, we're good to go. Now let's do the final
00:21:40 - one which is the promiscuous port fast Ethernet 4/27.
00:21:45 - Under this port I'm gonna do the same command, but instead of
00:21:48 - typing private-vlan host, we're gonna use private-vlan promiscuous
00:21:52 - to let it know this is my promiscuous port that everybody can
00:21:55 - access. But remember this switch can have multiple private VLAN
00:21:59 - domains configured, meaning I can have different primary private
00:22:02 - VLAN numbers, different secondary, and so on. So what I'll do
00:22:07 - is set up my mappings of what private VLANs can reach this promiscuous
00:22:14 - port. I'm gonna type in switchport private-vlan
00:22:19 - and I'm gonna do the mapping command and it's gonna come up and
00:22:22 - say what is your primary that this promiscuous port applies to.
00:22:26 - It's gonna be 200. Then what is your list of secondary VLAN IDs
00:22:31 - from the primary that can access this promiscuous port. In that
00:22:35 - case it's 205 and 210.
00:22:38 - Does that make sense? That's really all there is to
00:22:42 - private VLANs; it's almost like an archaic
00:22:46 - access list, if you will, that you're saying these ports are
00:22:49 - accessible by these ones and this is promiscuous it can reach
00:22:52 - these ones. You really have full control of what devices and
00:22:56 - what hosts can access what ports. That is an end to end private
00:23:00 - VLAN configuration. So
00:23:03 - the last thing we'll do, just trying to think, we've got the
00:23:08 - private VLAN set up.
00:23:11 - It thinks that it, hehe, let me just do some show commands and
00:23:14 - verify everything is working. show vlan private-vlan,
00:23:20 - do a question mark. I mean right there is where we can verify
00:23:24 - everything that we're looking at and everything we've configured.
00:23:27 - We've got the primary of 200, primary 200, and you can notice
00:23:31 - under both the isolated and community we have the promiscuous
00:23:35 - port that's been listed and then the specific ports that I've
00:23:38 - assigned. Another common annoyance we have in our networks are
00:23:42 - these man in the middle attacks which are getting easier and
00:23:46 - easier to pull off. Again, what the hacker does in this case
00:23:49 - is they attach their PC to just a normal switch port and watch
00:23:53 - the ARP messages. For example, let's say that this computer over
00:23:57 - on the left is wanting to communicate some information to the
00:24:00 - accounting server on the right. If it's the first time they spoke
00:24:04 - it will send out an ARP message saying who is
00:24:10 - It wants to know the MAC address for the server. Now this intruder
00:24:13 - here hears that and answers that request quickly with their
00:24:18 - own version of what the MAC address is for that server. So they
00:24:22 - come in and say oh well my MAC address is blelelele, whichever
00:24:26 - MAC address this intruder's PC has. So from there on out, until
00:24:30 - that ARP entry times out, this person sends all their messages
00:24:35 - to the intruder's MAC address who has a way of forwarding off
00:24:39 - to the server's real MAC address because they know the server's
00:24:43 - MAC address and that executes a man in the middle attack allowing
00:24:46 - them to receive whatever information is being sent over to that
00:24:52 - server. Now you can even do a two way man in the middle attack
00:24:55 - where you can see the responses from the server to the client.
00:24:58 - Either way these things can be very annoying to say the least
00:25:02 - in our network. Encrypted VPN connections are of course one
00:25:05 - way to stop em but not many people have the technology to employ
00:25:09 - VPNs across the local area network. So Cisco modified one of
00:25:14 - their favorite features called DHCP Snooping to also block man
00:25:19 - in the middle attacks. Now DHCP Snooping, and I know I've mentioned
00:25:23 - it before in one of the previous videos, allows you to keep rogue
00:25:27 - DHCP servers from getting into the network. So I'm gonna bring
00:25:31 - up my switch right here. To turn on DHCP Snooping all I have
00:25:34 - to do is type in ip dhcp snooping
00:25:39 - from global config mode and, wham, the feature's on. It will
00:25:42 - now stop DHCP replies from any
00:25:47 - non trusted port. So I need to go under my port, that is, oops,
00:25:51 - connected to my DHCP server and say ip dhcp snooping trust,
00:25:58 - haha, and it's trusted, and that allows this port to be trusted.
00:26:03 - Now I'm preventing rogue DHCP servers from getting into my network.
00:26:07 - So somebody brings in one of those Netgear or Linksys routers
00:26:10 - from home and tries to hand out invalid IP addresses, they're
00:26:13 - gonna get their port shut down. That's the feature of DHCP Snooping.
00:26:18 - But here's the side benefit.
00:26:22 - Your switch, after you turn on DHCP Snooping, also turns on this
00:26:28 - side feature which allows it to track all of the bindings of
00:26:34 - IP addresses in your entire network. Here's the scoop. The switch
00:26:39 - begins watching the trusted port, meaning it will see the DHCP
00:26:43 - requests and the DHCP replies, and it will build a MAC
00:26:50 - address to IP address mapping table, let me show it to you. I'll
00:26:53 - type in show ip dhcp snooping binding.
00:26:59 - Check this out. This is from my network here in my home office.
00:27:02 - You can see it's got all of these different IP addresses that
00:27:05 - it's learned about and it binded them, bound them to the correct
00:27:11 - MAC address for them over on the left hand side. This is awesome,
00:27:16 - because as soon as it sees somebody trying to pull off this sort
00:27:20 - of thing where it comes in and says, hey, ARP, who is this server
00:27:24 - and this guy replies and says, oh, I am the server, with a different
00:27:28 - MAC address than is in this table right here. Immediately
00:27:33 - we can have our switch shut down their port. That's awesome.
00:27:36 - Not only do we prevent the man in the middle attack, but we immediately
00:27:40 - know which port it came from. And if we are fast enough, we can run
00:27:44 - over to that user's PC and find out who is trying to execute
00:27:49 - a man in the middle attack and, well, you know what comes after
00:27:52 - that. So that's the scoop. We've taken a feature that's initially
00:27:57 - used to prevent rogue DHCP servers and used it to prevent man
00:28:01 - in the middle attacks.
00:28:04 - In some of their high end switches Cisco took it a step further,
00:28:08 - and when I say high end, I mean 3750,
00:28:12 - 4500, 6500,
00:28:15 - those kind of switches that have beefier processors. They introduced
00:28:17 - this feature called IP Source Guard. Now we saw DHCP Snooping
00:28:21 - says I will build a table. And if somebody comes in and ARPs,
00:28:25 - or I should say replies to an ARP with a MAC address, that
00:28:29 - does not match my mapping, then I'm gonna shut their port down.
00:28:33 - Well, Source Guard takes it even further. It watches the DHCP
00:28:37 - reply. Let's say our DHCP server is right here and that's our
00:28:42 - trusted port, the request goes out and says, hey, I need an IP
00:28:46 - address, the DHCP server gets that and replies and says, oh,
00:28:49 - your IP address will be
00:28:53 - and I've associated with that MAC address below. Source Guard
00:28:58 - steps it up and dynamically creates a behind the scene access
00:29:02 - list for that port, an access list on the port that denies every
00:29:07 - other IP address except this and denies every other MAC address
00:29:10 - except that coming on that port. Oh, that's amazing. The only
00:29:16 - problem with Source Guard is if you have an extremely large network
00:29:21 - with a lot of clients, your router can run out, your switch can
00:29:26 - run out of hardware resources for the access list that it's creating
00:29:29 - and switch over to a software switching mode which is a big slowdown
00:29:35 - compared to hardware switching. You use your wireline support.
00:29:39 - So Source Guard I would only use, if you have a switch, you know
00:29:42 - that can really scale to the number of clients that you have
00:29:45 - supporting it. The command that you use to enable Source Guard
00:29:50 - is you just go under the interface and you type in IP verify.
00:29:55 - I don't have a switch that can do it. And I was a bit nervous
00:29:59 - to use my client's 6500 for this one. IP verify source
00:30:06 - VLAN DHCP Snooping,
00:30:12 - I should have written this up before, it's a long command, DHCP
00:30:16 - Snooping, then you type in port
00:30:20 - security right after that.
00:30:25 - Once you do that you've enabled IP Source Guard on the port and
00:30:29 - you can do that with an interface range command and it will lock
00:30:31 - down once DHCP replies are received who can even get into that
00:30:36 - port. Good stuff. You gotta protect the nose of your network
00:30:40 - from getting taken out. We've seen some good tactics to prevent
00:30:45 - VLAN attacks and spoofing attacks. First off, making sure that
00:30:50 - we hard code every single port as an access port that goes to
00:30:53 - an end user workstation, otherwise people can start VLAN hopping.
00:30:57 - We also saw the concept of private VLANs which are VLANs within
00:31:02 - VLANs and went through the configuration of that. And then we
00:31:05 - looked at mitigating spoofing with DHCP Snooping and IP Source
00:31:10 - Guard. I hope this has been informative for you and I'd like
00:31:12 - to thank you for viewing.
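The two mechanisms the video ties to the DHCP snooping binding table are easier to reason about as a small model: the switch learns IP-to-MAC-to-port bindings only from DHCP replies that arrive on a trusted port, the ARP-reply check (Cisco ships this as Dynamic ARP Inspection, which reads the same snooping table) err-disables a port whose ARP reply contradicts the binding, and IP Source Guard turns the binding into a per-port filter that permits only the bound source IP and MAC. The following Python is an added example written for this transcript; it is not Cisco code and not from the course. Port names, VLAN number, addresses and MACs are constructed, and the model deliberately ignores the hardware-resource (TCAM) limit the video warns about.

```python
"""Model of a DHCP snooping binding table and the two features that consume it:
the ARP-reply check (Dynamic ARP Inspection) and IP Source Guard.
All frames below are constructed for the example; nothing is a capture."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass
class Switch:
    trusted_ports: set                       # ports facing the real DHCP server
    source_guard_ports: set = field(default_factory=set)
    bindings: dict = field(default_factory=dict)   # (vlan, ip) -> Binding
    errdisabled: set = field(default_factory=set)

    def dhcp_reply(self, server_port, vlan, client_mac, client_ip, client_port):
        """DHCP snooping: a DHCP offer/ack is only honoured (and recorded) if
        it arrives on a trusted port; replies from untrusted ports are dropped."""
        if server_port not in self.trusted_ports:
            return "dropped rogue DHCP reply on untrusted port %s" % server_port
        self.bindings[(vlan, client_ip)] = Binding(client_ip, client_mac, vlan, client_port)
        return "bound %s -> %s on %s" % (client_ip, client_mac, client_port)

    def arp_reply(self, port, vlan, sender_ip, sender_mac):
        """ARP inspection: on an untrusted port, the sender IP/MAC in an ARP
        reply must match the binding learned for that IP on that very port.
        A mismatch (someone claiming the server's IP) err-disables the port."""
        if port in self.trusted_ports:
            return "permit"
        b = self.bindings.get((vlan, sender_ip))
        if b is None or b.mac.lower() != sender_mac.lower() or b.port != port:
            self.errdisabled.add(port)
            return "invalid ARP reply: port %s err-disabled" % port
        return "permit"

    def ip_packet(self, port, vlan, src_ip, src_mac):
        """IP Source Guard (with the port-security option): a per-port filter
        that permits only the IP and MAC the snooping table bound to this port."""
        if port not in self.source_guard_ports or port in self.trusted_ports:
            return "permit"
        b = self.bindings.get((vlan, src_ip))
        if b is None or b.port != port or b.mac.lower() != src_mac.lower():
            return "deny"
        return "permit"


def demo():
    """Walk through the scenario from the video: a legitimate server, a client
    that tries to answer ARP for the server's address, and a rogue DHCP reply."""
    sw = Switch(trusted_ports={"Gi1/0/24"}, source_guard_ports={"Gi1/0/1", "Gi1/0/2"})
    # The trusted DHCP server assigns .10 to the server host and .20 to a client.
    sw.dhcp_reply("Gi1/0/24", 10, "00:11:22:33:44:55", "10.0.0.10", "Gi1/0/1")
    sw.dhcp_reply("Gi1/0/24", 10, "00:aa:bb:cc:dd:ee", "10.0.0.20", "Gi1/0/2")
    r = {}
    # A DHCP reply coming from a client port is never trusted, so no binding is added.
    r["rogue_dhcp"] = sw.dhcp_reply("Gi1/0/2", 10, "00:aa:bb:cc:dd:ee", "10.0.0.99", "Gi1/0/3")
    r["binding_count"] = len(sw.bindings)
    # The real server answering ARP for its own address is fine.
    r["legit_arp"] = sw.arp_reply("Gi1/0/1", 10, "10.0.0.10", "00:11:22:33:44:55")
    # The client on Gi1/0/2 claims to be 10.0.0.10 with its own MAC: mismatch.
    r["spoofed_arp"] = sw.arp_reply("Gi1/0/2", 10, "10.0.0.10", "00:aa:bb:cc:dd:ee")
    r["errdisabled"] = sorted(sw.errdisabled)
    # Source Guard: the bound IP/MAC passes, a borrowed source IP is dropped.
    r["sg_legit"] = sw.ip_packet("Gi1/0/1", 10, "10.0.0.10", "00:11:22:33:44:55")
    r["sg_spoofed_ip"] = sw.ip_packet("Gi1/0/2", 10, "10.0.0.10", "00:aa:bb:cc:dd:ee")
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-14s %s" % (name, value))
```

On a real Catalyst the equivalent pieces are `ip dhcp snooping` plus `ip dhcp snooping vlan <n>` globally, `ip dhcp snooping trust` on the server-facing interface, `ip arp inspection vlan <n>` for the ARP-reply check, and `ip verify source port-security` under each access interface for Source Guard (the 4500 syntax is the longer `ip verify source vlan dhcp-snooping port-security` form Jeremy reads out). The model keys bindings on (VLAN, IP) and also checks the ingress port, which is what makes the spoofed reply from Gi1/0/2 fail even though the IP itself is a known one.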

© 2015 CBT Nuggets. All rights reserved.