Employers know that CCNP-certified job applicants have a real-world knowledge of networking.  They also know that Cisco awards big discounts to companies that hire Cisco-certified staff. 

After watching Jeremy Cioara's new CCNP 642-813 SWITCH training, you'll be a master-level consultant on Cisco switched networks. You'll also have brighter career prospects and be an important step closer to CCNP certification.

Jeremy covers everything you ever wanted to know about switching in this update to his existing BCMSN course.  In no time, you'll be designing your network for maximum uptime and preparing it for advanced services like WiFi, VoIP and Video over IP. 

Jeremy's training maps to Cisco CCNP certification exam 642-813.

1. Welcome to Cisco Switch: Watch Me First! (17 min)
2. The Switches Domain: Core Concepts and Design (42 min)
3. VLANs: Configuration and Verification (13 min)
4. VLANs: In-Depth Trunking (35 min)
5. VLANs: VLAN Trunking Protocol (33 min)
6. STP: Foundation Per-VLAN Spanning Tree Concepts, Part 1 (23 min)
7. STP: Foundation Per-VLAN Spanning Tree Concepts, Part 2 (34 min)
8. STP: Rapid Spanning Tree Concepts and Configuration (24 min)
9. EtherChannel: Aggregating Redundant Links (24 min)
10. L3 Switching: InterVLAN Routing Extraordinaire (28 min)
11. L3 Switching: Understanding CEF Optimization (16 min)
12. Redundancy in the Campus: HSRP, VRRP, and GLBP Part 1 (43 min)
13. Redundancy in the Campus: HSRP, VRRP, and GLBP Part 2 (23 min)
14. Campus Security: Basic Port Security and 802.1x (32 min)
15. Campus Security: VLAN and Spoofing Attacks (31 min)
16. Campus Security: STP Attacks and Other Security Considerations (15 min)
17. Campus VoIP: Overview, Considerations, and AutoQoS (44 min)
18. Wireless LAN: Foundation Concepts and Design Part 1 (26 min)
19. Wireless LAN: Foundation Concepts and Design Part 2 (22 min)
20. Wireless LAN: Frequencies and 802.11 Standards (34 min)
21. Wireless LAN: Understanding the Hardware (30 min)
22. The Switches Domain: Additional Life-Saving Technology (22 min)
23. Monitoring: Your Pulse on the Network (45 min)
24. Campus Security: VACLs (14 min)

Campus Security: VLAN and Spoofing Attacks

00:00:00

Sometimes when I'm putting slides together, I find pictures that are, uh, they're good, they're just more of kind of amusing, keeps the slide a little lighter and so on. And sometimes I found pictures that are just priceless. And that would be one of them.

00:00:15

That picture perfectly explains Campus Security, or, I should say, Layer 2 Security. It reminds me when I saw that I, I, you know, thought many things when I saw that picture. But it reminded me of when I was a kid. My dad actually took me aside and he said "Jer,

00:00:37

if you ever get in a fight with a bully at school, the key is to go for the nose" he said, because if you hit them in the nose, you know it just hurts so bad it doesn't matter how big that bully is, they're going to fall over. Thankfully I never had the opportunity to apply his advice because I found out later that you can actually kill somebody by hitting them in the nose at just the right angle anyway. But the point of all this story

00:01:03

is that you're essentially, if you're ignoring Layer 2 security, you've got your nose exposed to the network. Meaning it doesn't matter what kind of access list you have set up, it doesn't matter the strength of your firewall, your firewall redundancy, none of that matters because your nose is right there exposed for somebody to hit. And if they hit it, your whole network goes

00:01:26

down with it. So that's why this Campus Security is so essential. And we're going to transition that into now VLAN and spoofing attacks. We are gonna start off by talking about what VLAN hopping attacks are and how it's, how easy it is to prevent them. But

00:01:42

a lot of people forget. Also, we'll move into a fairly new concept called private VLANs which are amazing. I love them, but if you don't understand what VLANs are, then, boy, this will push you over the edge. Then we'll look at finally mitigating

00:01:59

spoofing. We'll talk about what spoofing is all about and we mitigate spoofing with snooping, two equally odd terms to combat each other and using a feature called IP Source Guard. The first kind of attack is called a VLAN Hopping attack. What this is is where a hacker or an intruder negotiates a trunk connection with the switch. And once that happens, you can move between

00:02:25

VLANs seamlessly. All of the VLAN access controls, the things preventing people from moving between VLANs and protecting your servers, are gone. If you're running voice over IP, the hacker could move their switch or their computer onto the voice over IP VLAN and then start tapping people's conversations and recording them into wav files. So that's a pretty serious attack. Now you

00:02:50

notice the second bullet says it's simple yet easily forgotten prevention to keep this from happening. The reason why is you know life happens. Businesses get busy and you know you're sitting there and you run out of switch ports and they're like, ah, get another Cisco switch on order. You know, next day you get the

00:03:07

switch in. Next day unbox it, you're like, oh, this is just going in a wiring closet. You put it in there. Create the VLANs and assign the ports to the right VLAN, and you're good to go. But what you don't realize a lot of times, and I forget a ton of times, I mean there's so much stuff to remember. That's why

00:03:23

you need like a list of best practices that you run down every time you get a new device in the network. Let me just, this is a base config switch, just has a name, and I think a couple VLANs on there. I'll do a show running-config and I want you to notice

00:03:39

every single port on a switch by default has switchport mode dynamic desirable. Now let's go under the interface. I'll just go under, let's do this, interface range fast ethernet 0/1 to 24, and I'll do a switchport mode ?. You can see that we have access, dot1q-tunnel, dynamic and trunk. Now access mode means it is a hard coded VLAN

00:04:11

and it never changes. Trunk means it's a trunk and it's uplinked to another switch. Dynamic means it's both meaning if the switch sees another switch and it negotiates with the other switch. And we talked about this earlier in the series using the dynamic trunking protocol. It's gonna negotiate a trunk and become a

00:04:31

trunk and that's the default mode for everything. Now from an easy to use perspective, sure, that's great because we can just plug switches together. They automatically negotiate trunks or access ports. But from that intruder's perspective, that's not good. Well, I guess for them it's good because all they

00:04:49

have to do is simulate some DTP packets (Dynamic Trunking Protocol) or even simpler just bring in a managed switch, another Cisco switch or some other vendor's, plug it in there and it negotiates a trunk and now they can assign whatever ports they want to VLANs that they shouldn't belong in. Now that's the point of that second

00:05:12

bullet. It's simple yet easily forgotten prevention. What do you think the prevention is? Well, we're under the mode right here, switchport mode access, that's it. That's all you gotta do. And now when I go back and do a show run. You can see all the ports have switchport

00:05:28

mode access. They are hard coded to a specific VLAN. As of right now they are all on VLAN 1 and that will now prevent the hacker from negotiating any kind of trunk connection with the switch. Now let's move into what I would consider the killer concept of the day. It's private VLANs. I call it that because when I first

00:05:48

saw 'em I was thinking, wow, that's amazing. It's VLANs within VLANs. But before we get into the technical reality behind them, let's talk about why we need them. When cable modems first came out I was one of the first subscribers to 'em and this was probably a good decade ago now. It was out here in Arizona. We had Cox

00:06:11

Communications who partnered up with the At Home Network. And to give you an idea of how early I was on the cable modem system, I actually got the email address. It was the best email address I've ever had. I would give it to people and they'd be "really

00:06:26

seriously, that's your email?" and that was it Jeremy@home but then At Home went out of business and I lost it, cursed At Home Network. Anyway, when I first got on the cable modem network it was funny, I mean, we had Windows 95 or maybe even 3.1 but it was early on, Windows I think it was Windows 95 and we were connected to the cable modem network. And I was thinking,

00:06:50

wow, this is amazing. You know really high speed internet. I loved it and all that. And then I double clicked on Network Neighborhood, you remember that little icon in Windows 95 that kind of let you use, browse the network just via NetBIOS or something like that. Well, I actually saw in the Network Neighborhood here's

00:07:08

my house, Jerry's house, and I saw my neighbor's house and I saw their neighbor's house and all the other people who were on the cable modem network and you know back then I didn't really have as much of a network mindset as I do now, ah, that's interesting, and I double clicked on it and I actually saw, you know, their printers and file shares and stuff like that. I mean

00:07:32

back then network browsing wasn't really secure with Windows 95. And just to be funny I actually printed a few things to, ah, I don't even know if it was my neighbor. I just saw their computer name but I printed a few things to their printer just to make myself smile and probably freak somebody out. But anyway, the point of that

00:07:53

is it was a wide open network on the cable modem world. I could see everybody that was on the same subnet as me. So they needed a system that somehow we could all be on the same subnet because you don't want to create a zillion subnets for all these people.

00:08:08

Because, remember, every single time you subnet, you waste IP addresses because you have the network and broadcast ID, so you can't do that. So we need a system to where somehow all these people can be on the same subnet and yet within that subnet can not access each other. I know it sounds like an easy solution

00:08:28

at first. But when you really think of it and you're like, well, no it's not really an easy solution because we've got people coming into switch ports right here that I mean they need to get to this router which is on their same subnet but can't get over here and there's no real access list that you can, you know, start applying. And if there was, it just would be a nightmare

00:08:48

because all these addresses are DHCP assigned, huh, you see the issue? That's where private VLANs come in. What private VLANs can do is create VLANs within VLANs. Here's how it works. Private VLANs are really just sub VLANs of a big VLAN. Hehe, let me draw it up because that's a little

00:09:12

easier. When we create private VLANs, we'll create something known as a primary VLAN. And we'll say that VLAN 5 and that'll be our primary. That's the one that defines what subnet everybody's in. It's a VLAN as we've all come to know VLANs. Now within VLAN

00:09:30

5 I can go ahead and add different sub VLANs. Looks like a chocolate chip cookie. Or we have these different sub VLANs inside of here that, you know, maybe this one is VLAN sub VLAN 20, this one over here is sub VLAN 30 and so on. And these VLANs can then be isolated from each other. Oh, actually there are three different

00:09:51

kinds of sub VLANs that you can create and three different types of port assignments that you can have. You can have promiscuous ports, isolated ports, and community ports. Here's how it works. Let's say that this segment over here on the left represents the DMZ and I have three servers attached to that DMZ, maybe a web server, a SQL database. And over here is an FTP server. Now the web server

00:10:22

and the SQL database go hand in hand because the web server is one of those dynamic websites that pulls all of its, it's a database-driven website. It pulls all its data from the SQL server. So those have to be able to speak. The FTP server, however, is just

00:10:36

its own thing. It's used to dump files here and there. And I want to make sure that it's as secure as possible. Well, what I can do is create the FTP server or add the FTP server as an isolated port. What that is is a port that is in the VLAN. We'll say this

00:10:55

on the chocolate chip cookie over here is an isolated port. It's a port that is in the VLAN but cannot speak to anybody else in the VLAN. It's isolated on its own. Now that poses a problem because how does it reach the default gateway and get out to the internet so that people can drag and drop files? Well, this port I'll configure as a promiscuous port. I'll just put prom right next

00:11:19

to that. Promiscuous ports can be reached by anything within the private VLAN. So, for instance, I've got, you know, sub VLAN 20, sub VLAN 30, the isolated port over here, another isolated port over here, all of those can reach the promiscuous port. Now there's only one other type of port and that is the community.

00:11:40

That's what these two will be in. The web server and the SQL server end up inside of a community port which is truly the sub VLAN which we'll go ahead and say that's community 30 or sub VLAN 30. The community port can reach other things within their community so they'll be able to talk just fine and they'll be able to reach the promiscuous port so they'll be able to get out to the internet. So at that point we now have community ports

00:12:07

and isolated ports, now this group over here just represents a set of hosts in the network and I'll put them in their own community port. We'll say community 50, which allows them to get to the promiscuous port, reach each other, but I can then ban them from reaching community 30 and they're definitely not gonna be able to reach the isolated port nor will the isolated port reach them. That's great because the FTP server, if it gets

00:12:34

compromised, meaning somebody sends a file that's a malicious trojan and they take over and gain control of the FTP server, well, at that point they can only get to the FTP server. They're completely isolated from reaching other things in my DMZ and definitely, excuse me, isolated from reaching the community of hosts down here. So that's how private VLANs function. So

00:12:59

going back to my cable company home scenario, all we would have to do to solve this situation is use private VLANs and set up each house or each port going to the house as an isolated port to where the isolated port will only be able to reach the promiscuous port which is their default gateway that allows them out to the Internet. So private VLANs are pretty powerful, providing

00:13:23

isolation and segmentation within one VLAN. I think seeing private VLANs configured will help explain a lot of the questions you might be having, 'cause one config speaks a thousand words. What I have is a diagram reflecting essentially what we saw in the previous slide with the DMZ servers. Over

00:13:43

on the left I've got my World Wide Web server. In the middle I've got my SQL database, and on the right hand side I have my FTP server. Now what I want to do is set this up in a similar fashion to where FTP is an isolated port, SQL and www are a community port that will be in the, excuse me, the same sub VLAN and this router up here will be a promiscuous port that all of these can access and yet the FTP server will be isolated from the web and SQL Server and vice versa. So when we start configuring this,

00:14:19

the first thing we need to make sure is in place is our VLAN numbers. When you configure private VLANs, you have to have one parent VLAN or what's officially called the primary VLAN. This is the real VLAN that encompasses all of the sub VLANs or private VLANs inside of it, and we'll say the primary VLAN is 200 and that will define the subnet, you remember VLAN equals a subnet, and that will be the subnet everybody's on. Now the sub VLANs

00:14:47

or the private VLANs are not going to be separate subnets. They're all part of the primary. So we'll make the community VLAN 205, we'll make the isolated VLAN 210. Now you can only have one isolated VLAN per primary, but you can have many ports in that isolated VLAN and every single, for instance, if I had five servers assigned to the isolated VLAN 210 it's not like those five servers can talk, they're all isolated from each other, even though they're in the same VLAN 210. Now when we start configuring this, uh, first thing I want to make sure of is that you notice the port numbers, you see fast Ethernet module 4, port 24, this is not my 3550 I'm actually using one of my client's 6500 switches because the 3550 does not support this and don't worry no production networks will be harmed in the shooting of this film, and I'm saying that more to reassure myself than to reassure you. But

00:15:43

first things first, let's get on that 6500. And I'm going to get into global config mode, and first thing I want to mention is the telnet session's gonna be a little slower. This is a high traffic network. And it's half way around the world. So first thing we have to do is set this into VTP transparent mode. So

00:16:03

I'm gonna type vtp mode transparent. Private VLANs can only be configured on a transparent mode switch. If it's one of the others, server or client, it's gonna say, sorry, rejected, you can't do it. And the reason for that, you don't want your private VLANs

00:16:17

being propagated via VTP to the rest of the network. So we're transparent mode. Now let's create our primary VLAN first. I'll type in vlan 200. It's just like creating a new VLAN. And I'm going to add the syntax private-vlan followed by, and there are three different options, primary, isolated, and community. Now promiscuous is going to be configured

00:16:43

on the port level. We'll do that in a moment. And association, I'm gonna talk about, well, in just a moment. So this one is the primary. It's the parent of all of them. So I'm going to type in primary, hit enter. We've started our private VLAN config. I'm gonna exit back out, and I just want to show you something.

00:17:00

I'm gonna type in VTP mode server and right away it's gonna give me an error saying, sorry, you can't do that cause there's private VLANs configured on this device, just to verify that you can, you have to be in transparent mode. So I'm gonna type in VLAN.

00:17:14

Let's create the community, one, do VLAN 205, and then I will type in private VLAN. And this is gonna be a community, exit out, VLAN 210, wait for my prompt to catch up, private VLAN, and this will be isolated. Enter. So now I've got my three private VLANs created and they're

00:17:37

good to go. The last thing I have to do on the VLAN itself is to associate these two sub VLANs with the primary because I could have many sets of private VLANs configured on my switch, you know one for the DMZ, one for some clients, and so on. I need to associate these sub VLANs with the primary. So I'm going

00:18:00

to go back into VLAN 200. And, by the way, some people say you should create the primary last because of this, but the order doesn't really matter. You just have to go back in. And I'm gonna type in private-vlan. Now we're gonna follow this up with the association. Now you see what that keyword is for. It associates

00:18:16

the primary VLAN with these two private VLANs. So I'm gonna type in association, hit the question mark and you can see you type in a list, you just add some, remove some or however you want to do, I'll go ahead and put, uh, I want to associate 205 and 210. Those are my two private VLANs. Might be comma 210, okay, there we go. No space. Sometimes the spacing counts. So

00:18:46

we've got the private VLAN now associated, the primary associated with the two sub VLANs 205 and 210. The last piece of setting this up is associating the ports. But before we do that, I want to verify that everything is looking okay. I'll do a control Z, back out to privilege mode, and type in the command show vlan private-vlan type.

00:19:14

And right there we see our three private VLANs that we've created. 200 is the primary type. That is the parent. 205 is the community VLAN. And 210 is the isolated VLAN. So let's set up the ports. We do this from each individual interface. And let's go back

00:19:29

here. I'm gonna set up my two community ports, first 4/24 and 4/25. So I'm gonna go into global config, 4/24, and I'm gonna type in switchport mode private-vlan and follow that up with the type that it is. We either have the host or the promiscuous and you can already see the first command we'll use on the promiscuous port. Uh, in this case the community

00:20:00

ports are considered hosts. This is part of the hosts that are connecting to the network. We'll then type in what VLAN it belongs to. I'm gonna type in switchport private-vlan and then you type in host-association. And this is where it can get complex, if

00:20:16

you're not prepared for this. You have to type in the primary VLAN followed by the secondary VLAN or the sub VLAN. So in our example the primary VLAN is gonna be 200 and then the sub VLAN will be the community one, 205. So let's jump back in there. I'm gonna say host-association and it's coming up and saying what is the primary, normal or extended range. We're gonna use the normal

00:20:39

range, it's 200, now it's coming up and saying what is your secondary. The secondary is 205. Good. That port fast Ethernet 0/24 is now associated with that private VLAN. I'll get under fast Ethernet 4/25 and do the same thing because, let me just make sure on my diagram, 4/25, uh, just hit the up arrow a couple of times, private-vlan. This is a host port and then it is part of private-vlan host-association 200 and 205. Now we'll do the isolated port, no different because the VLAN is what really defines its function. So I'm

00:21:17

gonna go under fast Ethernet 0/26, or I keep saying 0. I'm so used to it. 4/26. I'll do private-vlan host. But this time the host-association is going to be 200 and 210. And just by associating with that VLAN that's configured as an isolated VLAN, we're good to go. Now let's do the final

00:21:40

one which is the promiscuous port fast Ethernet 4/27. Under this port I'm gonna do the same command, but instead of typing private-vlan host, we're gonna use the private-vlan promiscuous to let it know this is my promiscuous port that everybody can access. But remember this switch can have multiple private VLAN

00:21:59

domains configured, meaning I can have different primary private VLAN numbers, different secondary, and so on. So what I'll do is set up my mappings of what private VLANs can reach this promiscuous port. I'm gonna type in switchport private-vlan and I'm gonna do the mapping command and it's gonna come up and say what is your primary that this promiscuous port applies to.

00:22:26

It's gonna be 200. Then what is your list of secondary VLAN IDs from the primary that can access this promiscuous port. In that case it's 205 and 210. Does that make sense? That's really all there is to the private VLANs, is you're just, it's almost like an archaic access list, if you will, that you're saying these ports are accessible by these ones and this is promiscuous, it can reach these ones. You really have full control of what devices and

00:22:56

what hosts can access what ports. That is an end to end private VLAN configuration. So the last thing we'll do, just trying to think, we've got the private VLAN set up. It thinks that it, hehe, let me just do some show commands and verify everything is working. show vlan private-vlan,

00:23:20

do a question mark. I mean right there is where we can verify everything that we're looking at and everything we've configured. We've got the primary of 200, primary 200, and you can notice under both the isolated and community we have the promiscuous port that's been listed and then the specific ports that I've assigned. Another common annoyance we have in our networks are

00:23:42

these man in the middle attacks which are getting easier and easier to pull off. Again, what the hacker does in this case is they attach their PC to just a normal switch port and watch the ARP messages. For example, let's say that this computer over on the left is wanting to communicate some information to the accounting server on the right. If it's the first time they spoke

00:24:04

it will send out an ARP message saying who is 10.1.1.10. It wants to know the MAC address for the server. Now this intruder here hears that and answers that request quickly with their own version of what the MAC address is for that server. So they come in and say oh well my MAC address is blelelele, whichever MAC address this intruder's PC has. So from there on out, until

00:24:30

that ARP entry times out, this person sends all their messages to the intruder's MAC address who has a way of forwarding off to the server's real MAC address because they know the server's MAC address and that executes a man in the middle attack allowing them to receive whatever information is being sent over to that server. Now you can even do a two way man in the middle attack

00:24:55

where you can see the responses from the server to the client. Either way these things can be very annoying to say the least in our network. Encrypted VPN connections are of course one way to stop 'em but not many people have the technology to employ VPNs across the local area network. So Cisco modified one of

00:25:14

their favorite features called DHCP Snooping to also block man in the middle attacks. Now DHCP Snooping, and I know I've mentioned it before in one of the previous videos, allows you to keep rogue DHCP servers from getting into the network. So I'm gonna bring

00:25:31

up my switch right here. To turn on DHCP Snooping all I have to do is type in ip dhcp snooping from global config mode and, wham, the feature's on. It will now stop DHCP replies from any non trusted port. So I need to go under my port, that is, oops, connected to my DHCP server and say ip dhcp snooping trust, haha, and it's trusted, and that allows this port to be trusted.

00:26:03

Now I'm preventing rogue DHCP servers from getting into my network. So somebody brings in one of those Netgear or Linksys routers from home and tries to hand out invalid IP addresses, they're gonna get their port shut down. That's the feature of DHCP Snooping.

00:26:18

But here's the side benefit. Your switch, after you turn on DHCP Snooping, also turns on this side feature which allows it to track all of the bindings of IP addresses in your entire network. Here's the scoop. The switch begins watching the trusted port, meaning it will see the DHCP requests and it will, the DHCP replies, and it will build a MAC address to IP address mapping table, let me show it to you. I'll

00:26:53

type in show ip dhcp snooping binding. Check this out. This is from my network here in my home office. You can see it's got all of these different IP addresses that it's learned about and it binded them, bound them, to the correct MAC address for them over on the left hand side. This is awesome,

00:27:16

because as soon as it sees somebody trying to pull off this sort of thing where it comes in and says, hey, ARP, who is this server and this guy replies and say, oh, I am the server with a different MAC address, then it is in this table right here. Immediately

00:27:33

we can have our switch shut down their port. That's awesome. Not only do we prevent the man in the middle attack, but we immediately know which port it came from. And if we are fast enough, we can run over to that user's PC and find out who is trying to execute a man in the middle attack and, well, you know what comes after that. So that's the scoop. We've taken a feature that's initially

00:27:57

used to prevent rogue DHCP servers and used it to prevent man in the middle attacks. In some of their high end switches Cisco took it a step further, and when I say high end, I mean 3750, 4500, 6500, those kind of switches that have beefier processors. They introduced

00:28:17

this feature called IP Source Guard. Now we saw DHCP Snooping says I will build a table. And if somebody comes in and ARPs, or I should say replies to an ARP with a MAC address that does not match my mapping, then I'm gonna shut their port down. Well, Source Guard takes it even further. It watches the DHCP

00:28:37

reply. Let's say our DHCP server is right here and that's our trusted port, the request goes out and says, hey, I need an IP address, the DHCP server gets that and replies and says, oh, your IP address will be 10.1.1.50 and I've associated with that MAC address below. Source Guard

00:28:58

steps it up and dynamically creates a behind the scenes access list for that port, an access list on the port that denies every other IP address except this and denies every other MAC address except that coming in on that port. Oh, that's amazing. The only problem with Source Guard is if you have an extremely large network with a lot of clients, your router can run out, your switch can run out of hardware resources for the access list that it's creating and switch over to a software switching mode which is a big slowdown compared to hardware switching. You lose your wire-speed support.

00:29:39

So Source Guard I would only use, if you have a switch, you know, that can really scale to the number of clients that you have supporting it. The command that you use to enable Source Guard is you just go under the interface and you type in ip verify. I don't have a switch that can do it. And I was a bit nervous

00:29:59

to use my client's 6500 for this one. ip verify source vlan dhcp-snooping, I should have written this up before, it's a long command, dhcp-snooping, then you type in port-security right after that. Once you do that you've enabled IP Source Guard on the port and you can do that with an interface range command and it will lock down, once DHCP replies are received, who can even get into that port. Good stuff. You gotta protect the nose of your network

00:30:40

from getting taken out. We've seen some good tactics to prevent VLAN attacks and spoofing attacks. First off, making sure that we hard code every single port that goes to an end-user workstation as an access port, otherwise people can start VLAN hopping.

00:30:57

We also saw the concept of private VLANs which are VLANs within VLANs and went through the configuration of that. And then we looked at mitigating spoofing with DHCP Snooping and IP Source Guard. I hope this has been informative for you and I'd like to thank you for viewing.
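The configuration this video walks through, pulled together in one place as an added example. It is not the video's own config or anything published by CBT Nuggets. VLANs 200, 205 and 210 and ports FastEthernet4/24 to 4/27 are the numbers from the private VLAN demo; user VLAN 10, VLAN 999 and the interface names FastEthernet0/1-24, GigabitEthernet0/1 and GigabitEthernet0/2 are assumed. Two platform notes for anyone typing this on real gear: on Cisco IOS the check of ARP replies against the DHCP snooping binding table is a separate feature, Dynamic ARP Inspection, enabled with `ip arp inspection vlan`, so the example turns it on alongside snooping; and the IP Source Guard command is `ip verify source port-security` on Catalyst 3560/3750-class switches, while the longer `ip verify source vlan dhcp-snooping port-security` form typed in the video is the 6500 syntax.

```cisco
! Added example (not from the video): one Catalyst IOS configuration covering
! the three controls in this lesson. VLAN 10, VLAN 999 and the Fa0/x, Gi0/x
! interface names are assumed; VLANs 200/205/210 and Fa4/24-27 are the
! numbers the video uses for its private VLAN demo.
!
! ---- private VLANs: only accepted in VTP transparent mode ----
vtp mode transparent
!
vlan 200
 private-vlan primary
vlan 205
 private-vlan community
vlan 210
 private-vlan isolated
! the association goes on the primary once both secondaries exist
vlan 200
 private-vlan association 205,210
!
vlan 999
 name NATIVE-UNUSED
!
! ---- DHCP snooping builds the IP/MAC/port binding table and drops DHCP
! server replies on untrusted ports; Dynamic ARP Inspection is the feature
! that drops ARP replies the binding table does not agree with ----
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! ---- user-facing ports: no trunk negotiation, IP Source Guard ----
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
! access mode stops a trunk from forming; nonegotiate also stops the port
! from sending DTP frames at all
 switchport nonegotiate
! IPSG: once the host's lease is in the binding table, only that IP (and,
! with port-security, that MAC) may source frames on the port; the
! port-security half needs DHCP option 82 enabled (the default) and a
! DHCP server that tolerates it
 switchport port-security
 ip verify source port-security
!
! ---- trunk uplink. Beyond the video: the double-tagged form of VLAN
! hopping rides the trunk's native VLAN, so move native off VLAN 1 ----
interface GigabitEthernet0/1
 description uplink to distribution
! encapsulation line is required on platforms that also support ISL
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
! ---- port to the DHCP server: the one place server replies are allowed ----
interface GigabitEthernet0/2
 description DHCP server
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping trust
 ip arp inspection trust
!
! ---- private VLAN ports (6500 port numbers from the video) ----
interface range FastEthernet4/24 - 25
 description www and SQL, community 205
 switchport mode private-vlan host
 switchport private-vlan host-association 200 205
!
interface FastEthernet4/26
 description FTP, isolated 210
 switchport mode private-vlan host
 switchport private-vlan host-association 200 210
!
interface FastEthernet4/27
 description router, promiscuous for 205 and 210
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 205,210
!
! ---- verification ----
! show interfaces FastEthernet0/1 switchport   (Negotiation of Trunking: Off)
! show vlan private-vlan type
! show vlan private-vlan
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip verify source
! show interfaces status err-disabled
```

Paste it top to bottom: the `private-vlan association` is entered on the primary after both secondaries exist, and the private VLAN commands are rejected on a switch still in VTP server or client mode. `show vlan private-vlan` should list 205 and 210 each with Fa4/27 plus their own ports, and `show ip dhcp snooping binding` fills in as hosts renew their leases. A host with a static address never appears in that table, so it needs an `arp access-list` applied with `ip arp inspection filter`, or DAI drops its ARP traffic.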

Intermediate 11 hrs 24 videos

Jeremy Cioara
Nugget trainer since 2003