www.paktraining.com
maybeccie.paktraining.com
mateenamc@gmail.com
Lecture#2
Introduction to Security Device Manager
The following commands have to be applied before the router can be
accessed through Security Device Manager (SDM):
config t
ip http server
ip http secure-server
username idrees password Raaziqg10
username idrees privilege 15
ip http authentication local
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
no shutdown

Lecture#3
AAA (Authentication Authorization & Accounting)
Authentication:
Authentication decides who can get in and who can't.
Note:
The most common use of AAA authentication is login authentication,
but it can also be used for the enable password itself (#enable view)
or to authenticate PPP connections.
Authorization:
Authorization decides what users can do once they are authenticated.
Accounting:
Accounting tracks the resources used by the authorized user. This
tracking can be used for security purposes (detecting users doing
things they shouldn't be doing), or for tracking network usage in
order to bill other departments in your company.
Here's a brief look at each accounting category and what information
can be recorded.

Commands: Information regarding EXEC mode commands issued by a user.
Connection: Information regarding all outbound connections made from
the network access server. Includes Telnet and rlogin.
EXEC: Information about user EXEC terminal sessions.
Network: Information regarding all PPP, ARAP, and SLIP sessions.
Resource: Information regarding start and stop records for calls
passing authentication, and stop records for calls that fail
authentication.
System: Non-user-related system-level events are recorded.

Practical Labs:

Accessing a router through Telnet without entering a password:

(config)#aaa new-model
(config)#aaa authentication login default none
(config)#line vty 0 4
(config-line)#login authentication default

Accessing a router through Telnet by entering local credentials:

(config)#username idrees password Raaziqg10
(config)#aaa new-model
(config)#aaa authentication login AAA_LIST local
(config)#line vty 0 4
(config-line)#login authentication AAA_LIST
How to create a privilege level 5 user:
(config)#username idrees privilege 5 password Raaziqg10

To check the current privilege level:

#show privilege

Creating an enable password for privilege level 5 users:

(config)#enable secret level 5 Raaziqg10
Note: This enable password will be asked for when a privilege level 4
or lower user wants to apply the following command.
#enable 5

How to allow only users at privilege level 5 and above to use the
config t (configure terminal) command, while all users below privilege
level 5 cannot use it:
(config)#privilege exec level 5 configure terminal

The methods in a method list are tried in order. If the first option
times out or returns an error, the second option is used. If the first
option returns an authentication failure, the second option is not used.

(config)#aaa new-model
(config)#tacacs-server host 172.13.13.3 key CCNP
(config)#radius-server host 172.13.13.2 key CCNP
(config)#aaa authentication login default group
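As an added illustration (not part of the original notes), the following Python model of an AAA method list shows the fallback rule stated above: an unreachable server (error or timeout) moves the evaluation on to the next method, while an explicit authentication failure ends it, so a user who types a wrong TACACS+ password is not given a second try against the local database. The server behaviours, the user databases and the `login` helper are constructed stand-ins for a `group tacacs+ local` method list, not real TACACS+ or RADIUS clients.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method accepted the credentials
    FAIL = "fail"    # method answered and rejected the credentials
    ERROR = "error"  # method could not answer (server unreachable / timed out)


def aaa_authenticate(method_list, username, password):
    """Walk an AAA method list in order, the way a login method list is
    evaluated: ERROR falls through to the next method, PASS or FAIL is final.
    Returns (result, name_of_method_that_decided)."""
    for name, method in method_list:
        result = method(username, password)
        if result is Result.ERROR:
            continue          # server down or timed out: try the next method
        return result, name   # an explicit pass/fail ends the evaluation
    # Every method errored; nothing could vouch for the user, so deny.
    return Result.ERROR, None


def make_server(user_db, reachable=True):
    """Constructed stand-in for a TACACS+/RADIUS group or the local database."""
    def method(username, password):
        if not reachable:
            return Result.ERROR
        return Result.PASS if user_db.get(username) == password else Result.FAIL
    return method


# Constructed sample credentials: the AAA server and the local database
# deliberately hold different passwords so the fallback rule is visible.
TACACS_USERS = {"idrees": "Raaziqg10"}
LOCAL_USERS = {"idrees": "localonly"}


def login(username, password, tacacs_reachable=True):
    """Method list equivalent to 'aaa authentication login default group tacacs+ local'."""
    method_list = [
        ("tacacs+", make_server(TACACS_USERS, reachable=tacacs_reachable)),
        ("local", make_server(LOCAL_USERS)),
    ]
    return aaa_authenticate(method_list, username, password)


if __name__ == "__main__":
    print(login("idrees", "Raaziqg10"))                          # server answers: PASS
    print(login("idrees", "localonly"))                          # server rejects: FAIL, local never consulted
    print(login("idrees", "localonly", tacacs_reachable=False))  # server down: local decides
```

The second call is the case that surprises people in practice: the local password is correct, but because TACACS+ answered with a failure rather than an error, the local method is never reached.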

Lecture#4
Layer 2 Security
All passwords appear in the configuration in clear text by default
except the enable secret. The command service password-encryption
will encrypt the remaining passwords.
Cisco switches have more VTY lines than routers. Routers allow up to
five simultaneous Telnet sessions, and obviously switches allow more!
The default behavior is the same, however.
Any user who telnets in to the switch will be placed into user exec
mode, and will then be prompted for the proper enable mode password.
If neither the enable secret nor the enable password has been set, the
user will not be able to enter enable mode.
(config)#line vty 0 15
(config-line)#password valentine
(config)#service password-encryption

How to create a privilege level 15 user, and a user with only a password:

(config)#username idrees privilege 15 password CCIE
(config)#username idrees password CCIE

Port security commands:

o Port security cannot be applied on the following port types:
  A. Trunk ports
  B. Ports placed in an EtherChannel
  C. Destination SPAN port
  D. 802.1x ports

(config-if)#switchport port-security violation protect
o In this mode, on a violation packets are only dropped. No
  err-disable and no SNMP trap message. When you enable the feature,
  by default it will allow only one MAC address.
(config-if)#switchport port-security violation restrict
o In this mode, on a violation packets are dropped and an SNMP trap
  message is generated. No err-disable. When you enable the feature,
  by default it will allow only one MAC address.

(config-if)#switchport port-security
OR
(config-if)#switchport port-security violation shutdown
o Shutdown is the default violation mode. On a violation the switch
  puts the interface in err-disable state and generates an SNMP trap.
  We can see this through the show command below. When you enable the
  feature, by default it will allow only one MAC address.

Show commands for seeing err-disable and other details:

#show port-security interface f0/0
OR
#show port-security
(config-if)#switchport port-security maximum 3
o A maximum of 3 MAC addresses will be allowed on this specific
  interface.
(config-if)#switchport port-security mac-address abc.abc.abc
o It will be added in the running-config as a trusted (secure) MAC
  address for this specific interface.

(config-if)#switchport port-security aging-time 3

o By default, aging of dynamically learned MAC addresses is disabled.
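To make the three violation modes concrete, here is an added Python model (not from the original notes) of one port-security interface: a cap on secure MAC addresses, dynamic learning up to that cap, and the protect/restrict/shutdown behaviour on the first frame that exceeds it. The MAC addresses fed in by `run_traffic` are constructed sample values; sticky learning and err-disable recovery are not modelled.

```python
class PortSecurity:
    """Constructed model of switchport port-security on one interface:
    a cap on secure MAC addresses plus one of the three violation modes."""

    MODES = ("protect", "restrict", "shutdown")

    def __init__(self, maximum=1, violation="shutdown", static_macs=()):
        if violation not in self.MODES:
            raise ValueError(f"unknown violation mode {violation!r}")
        self.maximum = maximum               # switchport port-security maximum N
        self.violation = violation           # switchport port-security violation ...
        self.secure = set(static_macs)       # statically configured secure MACs
        self.err_disabled = False
        self.violation_count = 0
        self.traps = []                      # SNMP traps the switch would send

    def ingress(self, src_mac):
        """Return 'forward' or 'drop' for a frame arriving with src_mac."""
        if self.err_disabled:
            return "drop"                    # port stays down until recovered
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure.add(src_mac)         # dynamically learned secure MAC
            return "forward"
        # Too many MACs: this is a violation. What happens depends on the mode.
        self.violation_count += 1
        if self.violation == "restrict":
            self.traps.append(f"port-security violation: {src_mac}")
        elif self.violation == "shutdown":
            self.traps.append(f"port-security violation: {src_mac}")
            self.err_disabled = True         # the default mode err-disables the port
        # 'protect' silently drops: no trap, no err-disable
        return "drop"


def run_traffic(mode, maximum=1, macs=("0000.0000.0001", "0000.0000.0002")):
    """Feed a constructed sequence of source MACs through one port and
    return (decisions, port) so the resulting state can be inspected."""
    port = PortSecurity(maximum=maximum, violation=mode)
    decisions = [port.ingress(mac) for mac in macs]
    return decisions, port


if __name__ == "__main__":
    for mode in PortSecurity.MODES:
        decisions, port = run_traffic(mode)
        print(mode, decisions, "traps:", len(port.traps), "err-disabled:", port.err_disabled)
```

Note the shutdown case: once the port is err-disabled, even the first, legitimately learned MAC can no longer send, which is why shutdown is the mode that turns a violation into an outage and restrict is the one that keeps the port up while still generating the trap.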

Configuring MAC-table SNMP trap messages:

By using the following command an SNMP trap message will be generated
when a MAC entry is added to or removed from the table.
(config-if)#snmp trap mac-notification {added | removed}

Dot1x port-based authentication:

It provides better Layer 2 security than the port-security feature.
The name refers to IEEE 802.1x, the standard upon which this feature
is based. The Cisco authentication server must be RADIUS; you can't
use TACACS or TACACS+.
One major difference between dot1x port-based authentication and port
security is that in dot1x you have to configure the host and the
switch ports with 802.1X Extensible Authentication Protocol over LANs
(EAPOL).
A dot1x deployment consists of:
A. The dot1x-enabled PC, called the supplicant.
B. The dot1x-enabled switch, called the authenticator.
C. A RADIUS server acting as the authentication server.

Dot1x divides the physical port into 2 logical ports; dot1x creates
these 2 logical ports automatically, we don't have to create them.
A. Controlled port:
It cannot transmit user data until authentication has taken place.
B. Uncontrolled port:
It can transmit only the following protocols:
a. Extensible Authentication Protocol over LANs (EAPOL)
b. Spanning Tree (STP)
c. Cisco Discovery Protocol (CDP)
Once authentication takes place, the controlled port opens and user
data is transmitted.

To configure dot1x, AAA must be enabled first.

(config)#aaa new-model
(config)#aaa authentication dot1x default group radius local
(config)#dot1x system-auth-control
Enables or disables system auth control (dot1x globally on the switch).
(config)#int f0/7
(config-if)#dot1x port-control {auto | force-authorized | force-unauthorized}

Force-authorized: It forces the port to authorize any host attempting
to use the port, but authentication is not required. Basically, there
is no authentication on this port type.
Force-unauthorized: In this state the port is unable to authorize any
client, even clients who could otherwise successfully authenticate.
Auto: The auto setting enables dot1x on the port, which begins in the
unauthorized state. Only the necessary EAPOL (Extensible Authentication
Protocol over LANs) frames will be sent and received while the port is
unauthorized. Once authentication is complete, normal transmission and
receiving can begin.
EAP is more of a framework than a specific protocol; there are over 40
different types (methods) of EAP. Some of them are the following:
A. Cisco LEAP (Lightweight Extensible Authentication Protocol):
LEAP is Cisco-proprietary, but 3rd-party vendors can support it via
the Cisco Compatible Extensions program. The RADIUS server will
authenticate the client, then the client will authenticate the
RADIUS server, resulting in strong 2-way authentication.
B. EAP-FAST (Extensible Authentication Protocol-Flexible
Authentication via Secure Tunneling):
It builds a tunnel through which the mutual authentication will take
place, whereas LEAP is really wide open to attack and compromise.
FAST makes a secure tunnel without the bother of using secure
certificates, although you do have the option of configuring
certificates with EAP-FAST. EAP-FAST is a 3-phase process.
1. The first phase is officially named phase zero. In this phase an
encrypted tunnel is created in order to get a protected access
credential (PAC) onto the client. It's an optional phase, since the
PAC can be manually configured on the client, but generally the PAC
will be dynamically assigned.
If the PAC is dynamically assigned, it could be intercepted en route
to the client. If you are concerned about this, you can do one of the
following 2 things:
A. Configure the PAC manually on the client.
B. Introduce secure certificates to the EAP-FAST process.
2. In phase 1, the PAC is used to establish the secure tunnel.
3. In phase 2, credentials are exchanged and mutual authentication is
performed inside that tunnel.
C. Protected EAP (PEAP):
It is a strong open-standard security scheme (Microsoft and RSA
Security made it). It has the following 2 different versions:
1. PEAPv0/EAP-MSCHAPv2
2. PEAPv1/EAP-GTC (Generic Token Card)
With either flavor, there is a secure digital certificate involved.
The clients will not have a certificate, but the authentication server
will.
D. EAP-TLS (Extensible Authentication Protocol-Transport Layer
Security):
EAP-TLS is an open-standard protocol. It's also a bit controversial
because it requires the clients to have a secure certificate as well
as the authentication server.

SPAN (Switch Port Analyzer) operation and configuration:

We've secured the ports, but there will also come a time when we want
to connect a network analyzer to a switch port. A common situation is
illustrated below, where we want to analyze traffic sourced from the
three PCs. To properly analyze the traffic, the network analyzer needs
a copy of every frame the hosts are sending - but how are we going to
get it there?
SPAN allows the switch to mirror the traffic from the source port(s)
to the destination port to which the network analyzer is attached. (In
some Cisco documentation, the destination port is referred to as the
monitor port.)
It's the location of the source ports that determines the SPAN version
that needs to run on the switch. The sessions are totally separate
operations, but the number of simultaneous sessions you can run differs
from one switch platform to another. More powerful switches can run as
many as 64 sessions at once. SPAN has 3 types:
1. Local SPAN:
The destination (where the network analyzer is attached) and the
source ports are all on the same switch.
A. Configuration of Local SPAN:
(config)#monitor session 1 source interface f 1/0/1 - 9
(config)#monitor session 1 destination interface f 1/0/10
#show monitor
2. Remote SPAN (RSPAN):
What if the traffic to be monitored is on one switch, but the only
vacant port available is on another switch? RSPAN is the solution.
Both switches will need to be configured for RSPAN, since the switch
connected to the PCs will need to send mirrored frames across the
trunk. A separate VLAN will be created that will carry only the
mirrored frames. There are some factors you need to consider when
configuring RSPAN, which are as follows:
o If there were intermediate switches between the two, they would all
  need to be RSPAN-capable.
o VTP treats the RSPAN VLAN like any other VLAN. It will be propagated
  throughout the VTP domain if configured on a VTP server. Otherwise,
  it's got to be manually configured on every switch along the
  intermediate path.
o VTP pruning will also prune the RSPAN VLAN under the same
  circumstances that it would prune a "normal" VLAN.
o MAC address learning is disabled for the RSPAN VLAN.
o The source and destination must be defined on both the switch with
  the source port and the switch connected to the network analyzer,
  but the commands are not the same on each.

3. VLAN-based SPAN (VSPAN):

If the source was a VLAN rather than a collection of physical ports,
VLAN-based SPAN (VSPAN) would be in effect.
B. Configuration of RSPAN:
Create the VLAN first, and identify it as the RSPAN VLAN with the
remote-span command.
SW1(config)#vlan 30
SW1(config-vlan)#remote-span
o SW1 is the source switch, and the traffic from ports 0/1 - 0/5 will
  be monitored and the frames mirrored to SW2 via RSPAN VLAN 30.
SW1(config)#monitor session 1 source interface fast 0/1 - 5
SW1(config)#monitor session 1 destination remote vlan 30 reflector-port fast 0/12
o The reflector port is a port that will be copying the SPAN traffic
  onto the VLAN.
o SW2 will receive the mirrored traffic and will send it to a network
  analyzer on port 0/10.
SW2(config)#monitor session 1 source remote vlan 30
SW2(config)#monitor session 1 destination interface fast 0/10

#show monitor

Source port:
o Can participate in multiple simultaneous SPAN sessions.
o Can be part of an EtherChannel.
o Can be any port type - Ethernet, FastEthernet, etc.
o Cannot be a destination port.

Destination port:
o Can participate in only one SPAN session.
o Cannot be part of an EtherChannel.
o Can be any port type.
o Cannot be a source port.
o Doesn't participate in STP, CDP, VTP, PAgP, LACP, or DTP.

Trunk ports can be configured as source and/or destination SPAN ports;
the default behavior will result in the monitoring of all active VLANs
on the trunk.

Filtering intra-VLAN traffic:

An ACL can filter traffic traveling between VLANs, but it can't do
anything about traffic from one host in a VLAN to another host in the
same VLAN. Why not? It relates to how ACLs are applied on a multilayer
switch. You know that the CAM (Content Addressable Memory) table holds
the MAC addresses that the switch has learned, but the TCAM - Ternary
Content Addressable Memory - cuts down on the number of lookups
required to compare a packet against an ACL.
This filtering of packets by the switch hardware speeds up the process,
but it limits ACL capability. An ACL can be used to filter inter-VLAN
traffic, but not intra-VLAN traffic. To filter traffic between hosts in
the same VLAN, we've got to use a VLAN Access List (VACL).
Even though a VACL will do the actual filtering, an ACL has to be
written as well. The ACL will be used as the match criterion within the
VACL. For example, let's say we have the subnet 172.10.10.0/24's
addresses configured on hosts in VLAN 100. The hosts 172.10.10.1 - 3
are not to be allowed to communicate with any other hosts on the VLAN,
including each other. An ACL will be written to identify these hosts.
(config)#ip access-list extended NO_123_CONTACT
(config-ext-nacl)#permit ip 172.10.10.0 0.0.0.3 172.10.10.0 0.0.0.255

Notice that even though the three source addresses named in the ACL
are the ones that will not be allowed to communicate with other hosts
in the VLAN, the ACL statement is permit, not deny. The deny part is
coming!
Now the VLAN access-map will be written, with any traffic matching the
ACL to be dropped and all other traffic to be forwarded. Note that the
second access-map clause has no match clause, meaning that any traffic
that isn't affected by clause 10 will be forwarded. That is the VACL
equivalent of ending an ACL with "permit any".
If you configure a VACL without a final "action forward" clause, all
traffic that does not match a specific clause in the VACL will be
dropped.
(config)# vlan access-map NO_123 10
(config-access-map)# match ip address NO_123_CONTACT
(config-access-map)# action drop
(config-access-map)# vlan access-map NO_123 20
(config-access-map)# action forward
Finally, we have to apply the VACL in global configuration mode. The
VLAN to be filtered is specified at the end of the command with the
vlan-list option.

(config)# vlan filter NO_123 vlan-list 100
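The following Python evaluator is an added example (not part of the original notes) of how the VACL above decides a packet's fate: the ACL acts purely as a match criterion (a permit entry means "this clause matches"), the access-map clauses are walked in sequence order, and a VACL with no final match-less forward clause drops everything that no clause matched. The wildcard-mask matcher, the data structures and the sample addresses are constructed for this illustration; the ACL and access-map contents are the ones from the notes.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask test: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)


# The extended ACL from the notes, as (action, src, src-wildcard, dst, dst-wildcard).
ACLS = {
    "NO_123_CONTACT": [
        ("permit", "172.10.10.0", "0.0.0.3", "172.10.10.0", "0.0.0.255"),
    ],
}


def acl_matches(acl, src, dst):
    """When an ACL is used as a VACL match criterion, hitting a permit entry
    means the packet matches the clause; a deny entry or the implicit deny
    at the end means it does not."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


# The access-map from the notes: (sequence, ACL name or None, action).
# Clause 20 has no match clause, so it matches everything left over.
NO_123 = [(10, "NO_123_CONTACT", "drop"), (20, None, "forward")]


def vacl_action(access_map, src, dst, acls=ACLS):
    """Evaluate clauses in sequence order; the first clause whose match
    criterion is satisfied decides. If no clause matches, the VACL's
    implicit deny drops the packet."""
    for _, acl_name, action in sorted(access_map, key=lambda clause: clause[0]):
        if acl_name is None or acl_matches(acls[acl_name], src, dst):
            return action
    return "drop"   # implicit deny at the end of every VACL


if __name__ == "__main__":
    for src, dst in (("172.10.10.1", "172.10.10.50"), ("172.10.10.50", "172.10.10.60")):
        print(src, "->", dst, vacl_action(NO_123, src, dst))
    # Same map without clause 20: everything that clause 10 does not catch is dropped.
    print("172.10.10.50 -> 172.10.10.60 without clause 20:",
          vacl_action([(10, "NO_123_CONTACT", "drop")], "172.10.10.50", "172.10.10.60"))
```

One thing the evaluator makes visible about the notes' configuration: the ACL only names 172.10.10.1-3 as sources, so frames sent towards those hosts by others (for example 172.10.10.50 to 172.10.10.1) still fall through to clause 20 and are forwarded; only the replies from .1-.3 are dropped.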


Some additional notes and tips regarding VACLs:
o Bridged traffic, as well as non-IP and non-IPX traffic, should be
  filtered with VACLs.
o VACLs run from top to bottom, and run until a match occurs.
o VACLs have an implicit deny at the end. The VACL equivalent of
  "permit all" is an "action forward" clause with no match criterion,
  as shown in the previous example. If traffic is not expressly
  forwarded, it's implicitly dropped!
o Only one VACL can be applied to a VLAN.
o The sequence numbers allow you to go back and add lines without
  rewriting the entire VACL. They are still active while being edited.
o A routing ACL can be applied to an SVI to filter inbound and/or
  outbound traffic just as you would apply one to a physical interface,
  but VACLs are not applied in that way - they're applied in global
  configuration mode.
o On L3 switches, you may run into a situation where there's a VACL
  configured, and a "normal" ACL affecting incoming traffic that is
  applied to a routed port that belongs to that same VLAN. In this
  case, packets entering that VLAN will be matched against the VACL
  first; if the traffic is allowed to proceed, it will then be matched
  against the inbound ACL on that port.

Private VLAN:

This may well be the ultimate in filtering VLAN traffic! Hosts can be
placed into a secondary VLAN, which is going to have one of two
results:
o The host will be able to communicate with other hosts in the
  secondary VLAN and with the primary VLAN, but not with hosts in other
  secondary VLANs - this is a community private VLAN.
o The host can communicate with the primary VLAN, but with no other
  hosts, including other hosts in its own secondary VLAN - this is an
  isolated private VLAN.
In the following example, the router is located off a switch port that
has been configured as a private VLAN port. There are options here as
well:
o The device connected to the private VLAN port can communicate with
  any device connected to any primary or secondary VLAN - this is
  promiscuous mode. This is the recommended mode for ports connected to
  gateway devices, such as the router seen below.
o The host connected to the port is on either type of private VLAN
  (isolated or community), and can communicate with devices found off
  other promiscuous ports. If the host is configured as part of a
  community private VLAN, the host can also communicate with other
  hosts in that private VLAN.

DHCP Snooping:

The potential for trouble starts when a host sends out a DHCP Discover
packet: it listens for DHCPOffer packets - and as we know, the host
will accept the first Offer it gets!

Part of that DHCPOffer is the address to which the host should set its
default gateway. In this network, there's no problem, because there's
only one DHCP server. The host will receive the DHCPOffer and set its
default gateway accordingly. What if a DHCP server that does not belong
on our network - a rogue DHCP server - is placed on that subnet?
Now we've got a real problem, because that host is going to use the
information in the first DHCPOffer packet it receives - and if the host
uses the Offer from the rogue DHCP server, the host will actually set
its default gateway to the rogue server's IP address! The rogue server
could also have the host set its DNS server address to the rogue
server's address as well. This opens the host and the network to
several nasty kinds of attacks.
DHCP Snooping allows the switch to serve as a firewall between hosts
and untrusted DHCP servers. DHCP Snooping classifies interfaces on the
switch into one of two categories - trusted and untrusted. DHCP
messages received on trusted interfaces will be allowed to pass through
the switch. Not only will DHCP messages received on untrusted
interfaces be dropped by the switch, the interface itself will be
placed into err-disabled state.
Now, you're probably asking "How does the switch determine which ports
are trusted and which ports are untrusted?" By default, the switch
considers all ports untrusted - which means we had better remember to
configure the switch to trust some ports when we enable DHCP Snooping!
First, we need to enable DHCP Snooping on the entire switch:
(config)#ip dhcp snooping
o It must be enabled first.
(config)#ip dhcp snooping vlan 4
o It adds VLAN 4 to the DHCP-snooping VLANs.
(config)#no ip dhcp snooping vlan 1
o We can remove VLAN 1, which by default has been added to the
  DHCP-snooping VLANs when we enable DHCP snooping.
(config)#ip dhcp snooping information option
o It enables option 82.
(config)#int f1/0/1
(config-if)#ip dhcp snooping trust
#show ip dhcp snooping
Note the "rate limit" for the untrusted port is set to "unlimited".
That rate limit refers to the number of DHCP packets the interface can
accept in one second (packets per second).
To change that value and protect the interface against a concentrated
stream of spoofed DHCP messages, use the ip dhcp snooping limit rate
command.
SW1(config-if)#ip dhcp snooping limit rate 5
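As an added example (not part of the original notes), the Python model below puts the trusted/untrusted classification, the err-disable reaction and the per-port rate limit from this section into one simulated switch. It is slightly more precise than the prose: what it drops on an untrusted port is the server side of the protocol (OFFER, ACK, NAK), because a client on an untrusted port must still be able to send DISCOVER and REQUEST to obtain a lease. It also records the binding that a trusted server's ACK creates, since that binding table is what DAI and IP Source Guard consume later. Port names, MAC addresses and the lease address are constructed sample values.

```python
from collections import defaultdict, deque

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}            # only a server sends these
CLIENT_MESSAGES = {"DHCPDISCOVER", "DHCPREQUEST", "DHCPRELEASE", "DHCPDECLINE"}


class DhcpSnooping:
    """Constructed model of DHCP snooping on one switch: trusted/untrusted
    ports, err-disable on server messages from untrusted ports, a per-port
    rate limit in packets per second, and the binding table it builds."""

    def __init__(self, trusted_ports=(), rate_limits=None):
        self.trusted = set(trusted_ports)           # ip dhcp snooping trust
        self.rate_limits = dict(rate_limits or {})  # port -> ip dhcp snooping limit rate N
        self.err_disabled = set()
        self.bindings = {}                          # client MAC -> (ip, vlan, port)
        self._client_port = {}                      # client MAC -> port it last spoke on
        self._recent = defaultdict(deque)           # port -> arrival times within last second

    def process(self, port, vlan, msg_type, client_mac, t, yiaddr=None):
        """Return 'forward', 'drop' or 'drop:err-disable' for one DHCP message
        arriving on `port` at time `t` (seconds)."""
        if port in self.err_disabled:
            return "drop"
        if port not in self.trusted:
            if msg_type in SERVER_MESSAGES:
                self.err_disabled.add(port)         # a server answering on an untrusted port
                return "drop:err-disable"
            limit = self.rate_limits.get(port)
            if limit is not None:
                window = self._recent[port]
                while window and t - window[0] >= 1.0:
                    window.popleft()                # slide the one-second window
                window.append(t)
                if len(window) > limit:
                    self.err_disabled.add(port)     # flood of client messages
                    return "drop:err-disable"
        if msg_type in CLIENT_MESSAGES:
            self._client_port[client_mac] = port
        elif msg_type == "DHCPACK" and yiaddr is not None:
            # A lease confirmed by a trusted server becomes a binding for the
            # port on which the client was last seen.
            self.bindings[client_mac] = (yiaddr, vlan, self._client_port.get(client_mac))
        return "forward"


if __name__ == "__main__":
    sw = DhcpSnooping(trusted_ports={"f1/0/1"}, rate_limits={"f1/0/5": 5})
    print(sw.process("f1/0/5", 4, "DHCPDISCOVER", "aaaa.aaaa.0001", 0.0))
    print(sw.process("f1/0/1", 4, "DHCPACK", "aaaa.aaaa.0001", 0.3, yiaddr="10.0.4.20"))
    print(sw.bindings)
    print(sw.process("f1/0/6", 4, "DHCPOFFER", "aaaa.aaaa.0002", 1.0))   # rogue server
```

The rate limit is the defence the section ends on: a spoofed flood of client messages through one untrusted port trips the limit and err-disables that port rather than exhausting the legitimate server.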

DAI (Dynamic ARP Inspection):

It uses the DHCP Snooping database, so DHCP snooping must be enabled
before configuring DAI.

o How ARP works:

When a system wants to send data to another computer, it prepares an IP
packet with the appropriate destination IP. This packet is passed down
to the link layer (usually Ethernet). This layer needs to encapsulate
the IP packet in an Ethernet frame before it can be sent.
An Ethernet frame must be addressed to a destination hardware address
(MAC address). But which MAC address corresponds with the destination
IP address? This is looked up in the ARP cache. The ARP cache contains
mappings of the form (IP -> MAC).

o Source and destination hosts on the same local network:

The sending host will first look up the destination IP address in its
routing table. If the destination IP is on the same physical network
(subnet) then there are no routers between the host and the
destination, only hubs or switches. The following image illustrates
this:

o ARP resolution steps:

1. Host A (1.1.1.1) wants to transmit a packet to Host B (2.2.2.2).
Host A tries to look up the hardware address for IP 2.2.2.2 in its ARP
cache, but determines that it is not present. It must find the MAC
address and add the mapping.
2. An ARP request is broadcast by Host A using the destination MAC
address FF-FF-FF-FF-FF-FF. The request basically says: Who has the MAC
address for 2.2.2.2? Tell 1.1.1.1!
3. Each host on the network receives the ARP request sent by Host A,
which contains the source IP and MAC of Host A. Host B determines that
the requested IP matches its own IP, and that it should process the
request. The information in the request is used to add a mapping
(1.1.1.1 -> MAC of Host A) to Host B's ARP cache.
4. Host B sends an ARP reply containing its MAC address and IP directly
to Host A.
5. Host A receives the ARP reply, and adds the mapping to its ARP
cache: (2.2.2.2 -> MAC of Host B).
From this point, Host A uses the mapping stored in its ARP cache for
sending packets to Host B.

o Source and destination hosts on different networks:

If the routing table determines that the packet needs to travel through
a gateway to reach the destination host, a different scenario occurs.

o ARP resolution steps:

1. Host A (1.1.1.1) wants to transmit a packet to Host B (2.2.2.2).
Host A determines that it must send the packet through its default
gateway, of which it knows the IP: 1.1.2.3. Host A tries to look up the
hardware address for IP 1.1.2.3 in its ARP cache, but determines that
it is not present. It must find the MAC address and add the mapping.
2. An ARP request is broadcast by Host A using the destination MAC
address FF-FF-FF-FF-FF-FF. The request basically says: Who has 1.1.2.3?
Tell 1.1.1.1!
3. Each host on the network receives the ARP request sent by Host A,
which contains the source IP and MAC of Host A. The router determines
that the requested IP matches its own IP, and that it should process
the request. The information in the request is used to add a mapping
(1.1.1.1 -> MAC of Host A) to the router's ARP cache.
4. The router sends an ARP reply containing its MAC address and IP
directly to Host A.
5. Host A receives the ARP reply, and adds the mapping to its ARP
cache: (1.1.2.3 -> MAC of Router).
Now Host A can send the IP packet to the router, which forwards the
packet to Host B. If Host B is connected directly to the router, the
same ARP process is used for communication between them. Alternatively,
there can be one or more routers between the router and Host B, so the
packet will first travel through those devices. But the key point to
remember is that communication on the same physical network (between
hosts on local networks, between routers, etc.) always requires the
sender to know the hardware address of the receiver, and thus requires
ARP.

Host A is to send data to Host B. How will Router1 handle the data
frame received from Host A?

While transferring data through many different networks, the source and
destination IP addresses are not changed. Only the source and
destination MAC addresses are changed. So in this case, Host A will use
the IP address of Host B and the MAC address of the router's Fa0/0
interface to send the data. When the router receives this data, it
replaces the source MAC address with its own Fa0/2 interface's MAC
address and replaces the destination MAC address with Host B's MAC
address before sending it to Host B.
A. Router1 will strip off the source MAC address and replace it with
the MAC address on the forwarding FastEthernet interface.
C. Router1 will strip off the destination MAC address and replace it
with the MAC address of
F. Router1 will forward the data frame out interface FastEthernet0/2.

Packet as sent by Host A:

Src-IP      Src-MAC          Dest-IP     Dest-MAC
Host A IP   Host A MAC       Host B IP   Router f0/0 MAC

Packet after forwarding by the router:

Src-IP      Src-MAC          Dest-IP     Dest-MAC
Host A IP   Router f0/2 MAC  Host B IP   Host B MAC

Just as we must protect against rogue DHCP servers, we have to be wary
of rogue ARP users as well. A rogue device can overhear part of the ARP
process in action and make itself look like a legitimate part of the
network. This happens through ARP cache poisoning. (This is also known
as ARP spoofing - be aware of both names for your exam.)
Enabling Dynamic ARP Inspection (DAI) prevents this behavior by
building a database of trusted MAC-IP address mappings. This database
is the same database that is built by the DHCP Snooping process, and
static ARP configurations can be used by DAI as well.
DAI uses the concept of trusted and untrusted ports, just as DHCP
Snooping does. However, untrusted ports in DAI do not automatically
drop ARP Requests and Replies.
Once the IP-MAC address database is built, every single ARP Request and
ARP Reply received on an untrusted interface is examined. If the ARP
message has an approved MAC-IP address mapping, the message is
forwarded appropriately; if not, the ARP message is dropped.
If the interface has been configured as trusted, DAI allows the ARP
message to pass through without checking the database of trusted
mappings. DAI is performed as ARP messages are received, not
transmitted.
Since DAI uses entries in the DHCP Snooping database to do its job,
DHCP Snooping must be enabled before beginning to configure DAI. After
that, the first step in configuring DAI is to name the VLAN(s) that
will be using DAI.
SW-1(config)#ip arp inspection vlan 4
SW-1(config)#int fa1/0/3
SW-1(config-if)#ip arp inspection trust
SW-1(config)#ip arp inspection validate ip ?
allow      Specify exceptions to IP address validation
dst-mac    Validate destination MAC address
src-mac    Validate source MAC address
You can actually specify validation of more than one of those
addresses. Here's what happens with each:
o "src-mac" compares the source MAC address in the Ethernet header and
  the MAC address of the source of the ARP message.
o "dst-mac" compares the destination MAC address in the Ethernet header
  and the MAC destination address of the ARP message.
o "ip" compares the IP address of the sender of the ARP Request against
  the destination address of the ARP Reply.

If you run DAI in your network, most likely you'll run it on all of
your switches. Cisco's recommended trusted/untrusted port configuration
is to have all ports connected to hosts run as untrusted and all ports
connected to switches as trusted. Since DAI runs only on ingress ports,
this configuration scheme ensures that every ARP packet is checked
once, but no more than that.
The DHCP snooping feature dynamically builds a DHCP binding table,
which contains the MAC addresses associated with specific IP addresses.
Additionally, this feature supports static MAC address to IP address
mappings, which might be appropriate for network devices, such as
routers. This DHCP binding table can be used by the Dynamic ARP
Inspection (DAI) feature to help prevent Address Resolution Protocol
(ARP) spoofing attacks.
Recall the purpose of ARP requests. When a network device needs to
determine the MAC address that corresponds to an IP address, the device
can send an ARP request. The target device replies to the requesting
device with an ARP reply. The ARP reply contains the requested MAC
address.
Attackers can attempt to launch an attack by sending gratuitous ARP
(GARP) replies. These GARP messages can tell network devices that the
attacker's MAC address corresponds to specific IP addresses.
Extra:

Gratuitous ARP:
o A gratuitous ARP request is an ARP request where the source and
  destination IP addresses are both set to the IP of the machine
  issuing the packet and the destination MAC is ff:ff:ff:ff:ff:ff
  (broadcast address); no reply would occur for this.
o A gratuitous ARP reply is a reply to which no request has been made.

Gratuitous ARP is useful for the following reasons:
o It can help in detecting IP conflicts. When a machine receives an ARP
  request containing a source IP that matches its own IP, then it knows
  there is an IP conflict.
o It informs the switch of the MAC address of the machine on a given
  switch port.
o It assists in the updating of other machines' ARP tables.

For example, the attacker might be able to convince a PC that the
attacker's MAC address is the MAC address of the PC's default gateway.
As a result, the PC starts sending traffic to the attacker. The
attacker captures the traffic and then forwards the traffic to the
appropriate default gateway.
To illustrate, consider the figure below. PC1 is configured with a
default gateway of 192.168.0.1. However, the attacker sends GARP
messages to PC1, telling PC1 that the MAC address corresponding to
192.168.0.1 is BBBB.BBBB.BBBB, which is the attacker's MAC address.
Similarly, the attacker sends GARP messages to the default gateway,
claiming that the MAC address corresponding to PC1's IP address of
192.168.0.2 is BBBB.BBBB.BBBB. This ARP cache poisoning causes PC1 and
Router1 to exchange traffic via the attacker's PC.
Therefore, this type of ARP spoofing attack is considered to be a
man-in-the-middle attack.

Networks can be protected from ARP spoofing attacks using the DAI
feature. DAI works similarly to DHCP snooping by using trusted and
untrusted ports. ARP replies are allowed into the switch on trusted
ports. However, if an ARP reply enters the switch on an untrusted port,
the contents of the ARP reply are compared to the DHCP binding table to
verify its accuracy. If the ARP reply is inconsistent with the DHCP
binding table, the ARP reply is dropped, and the port is disabled.
The first step in configuring DAI is to enable DAI for one or more
VLANs. For example, to enable DAI for VLAN 100, enter the following
global configuration mode command:
SW3550(config)# ip arp inspection vlan 100
By default, the DAI feature considers all switch ports to be untrusted
ports. Therefore, trusted ports must be explicitly configured. These
trusted ports are the ports on which ARP replies are expected. For
example, to configure port Gigabit 0/6 to be a DAI trusted port, use
the following syntax:
SW3550(config)# interface gigabitethernet 0/6
SW3550(config-if)# ip arp inspection trust

o If a host uses static IP assignment (so it never appears in the
  DHCP snooping binding table), permit it explicitly with an ARP
  ACL and apply that ACL to the VLAN:

SW3550(config)# arp access-list static-arp
SW3550(config-arp-nacl)# permit ip host 10.10.10.163 mac host aabb.ccdd.0011
SW3550(config-arp-nacl)# exit
SW3550(config)# ip arp inspection filter static-arp vlan 101

  ARP packets that the ACL neither permits nor denies are still
  checked against the DHCP snooping bindings, unless the filter is
  applied with the static keyword, in which case the ACL's implicit
  deny is final.

IP Source Guard

IP Source Guard (IPSG) prevents a host on the network from using
another host's IP address. It works in tandem with DHCP snooping and
uses the DHCP snooping binding database to do so; as with DAI, DHCP
snooping must therefore be enabled before IPSG is configured.

IPSG is enabled on untrusted Layer 2 ports (access or trunk ports;
it is not supported on Layer 3 ports) and restricts the IP traffic
that the switch accepts from the host on that port, based on the
DHCP snooping binding database or on manually configured static IP
source bindings. Each entry in the IP source binding table contains
the IP address and the associated MAC address, VLAN and port. When a
host first comes online on such a port, the only traffic the switch
accepts from it is DHCP. Once the client successfully acquires an IP
address from the DHCP server, the switch records the binding and from
then on permits traffic from that IP address (and, optionally, that
MAC address) only. Any IP traffic arriving on the port with a source
IP address other than the one assigned (via DHCP or a static binding)
is dropped. This defeats IP spoofing attacks in which a host tries to
use the IP address of another host.

Configuration example:
interface gigabitEthernet 1/0/1
ip verify source port-security

Plain "ip verify source" filters on the source IP address only. The
port-security keyword adds source MAC address filtering as well, and
requires port security (switchport port-security) to be enabled on the
same interface.
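The following model shows, in code, the decisions the DAI and IP Source Guard sections above describe: an ARP packet on an untrusted port is checked against the DHCP snooping binding table or an ARP ACL, a trusted port bypasses inspection, an ARP storm trips the rate limit, and IPSG admits only traffic whose source matches the port's binding. It is an added example written for this page, not Cisco IOS code; the binding table, port names, VLANs and MAC addresses are constructed, and the attacker's GARP is the one from the PC1/Router1 scenario above.

```python
"""Model of how Dynamic ARP Inspection and IP Source Guard consult the DHCP
snooping binding table. Added example, not Cisco IOS code: the bindings,
ports, VLANs and MAC addresses below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: which MAC holds which IP, on which VLAN/port."""
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass
class Switch:
    # DHCP snooping binding table keyed by (vlan, ip); filled when a DHCP ACK
    # is snooped, or by hand with "ip source binding ..." for static hosts.
    bindings: dict = field(default_factory=dict)
    # "arp access-list" permit entries, keyed by (ip, mac).
    arp_acl: set = field(default_factory=set)
    # "ip arp inspection trust" ports (uplinks): ARP is not inspected there.
    trusted_ports: set = field(default_factory=set)
    # "ip arp inspection limit rate": 15 ARP packets/second on untrusted ports.
    arp_rate_limit: int = 15
    arp_counts: dict = field(default_factory=lambda: defaultdict(int))
    errdisabled: set = field(default_factory=set)
    # IPSG ports: "ip" (ip verify source) or "port-security" (IP + MAC check).
    ipsg_ports: dict = field(default_factory=dict)

    def add_binding(self, b: Binding):
        self.bindings[(b.vlan, b.ip)] = b

    def inspect_arp(self, port, vlan, sender_ip, sender_mac):
        """DAI decision for one ARP request/reply entering `port`."""
        if port in self.errdisabled:
            return "drop: port err-disabled"
        if port in self.trusted_ports:
            return "permit"                        # trusted: no inspection
        self.arp_counts[port] += 1                 # one second's worth of ARP
        if self.arp_counts[port] > self.arp_rate_limit:
            self.errdisabled.add(port)
            return "drop: rate limit exceeded, port err-disabled"
        if (sender_ip, sender_mac) in self.arp_acl:
            return "permit"                        # statically addressed host
        b = self.bindings.get((vlan, sender_ip))
        if b and b.mac == sender_mac and b.port == port:
            return "permit"
        return "drop: no matching DHCP binding"

    def verify_source(self, port, vlan, src_ip, src_mac, is_dhcp=False):
        """IPSG decision for one IP frame from the host on `port`."""
        mode = self.ipsg_ports.get(port)
        if mode is None or is_dhcp:
            return True                # no IPSG here, or DHCP is always allowed
        b = self.bindings.get((vlan, src_ip))
        if not b or b.port != port:
            return False               # spoofed, or no address assigned yet
        return mode != "port-security" or src_mac == b.mac


def demo():
    """Replays the GARP attack from the text against a switch running DAI/IPSG."""
    sw = Switch(trusted_ports={"Gi0/6"})          # Gi0/6 is the uplink to Router1
    sw.ipsg_ports["Gi0/2"] = "port-security"
    sw.add_binding(Binding("192.168.0.2", "aaaa.aaaa.aaaa", 100, "Gi0/1"))  # PC1
    sw.add_binding(Binding("192.168.0.3", "bbbb.bbbb.bbbb", 100, "Gi0/2"))  # attacker
    sw.arp_acl.add(("10.10.10.163", "aabb.ccdd.0011"))  # the static host in VLAN 101
    out = {
        # attacker's GARP claiming the gateway's IP 192.168.0.1 for its own MAC
        "garp": sw.inspect_arp("Gi0/2", 100, "192.168.0.1", "bbbb.bbbb.bbbb"),
        # PC1 answering an ARP request for its own address
        "pc1": sw.inspect_arp("Gi0/1", 100, "192.168.0.2", "aaaa.aaaa.aaaa"),
        # Router1's ARP arriving on the trusted uplink (no binding needed)
        "uplink": sw.inspect_arp("Gi0/6", 100, "192.168.0.1", "cccc.cccc.cccc"),
        # static host permitted by the ARP ACL, no DHCP binding involved
        "static_host": sw.inspect_arp("Gi0/4", 101, "10.10.10.163", "aabb.ccdd.0011"),
        # IPSG: attacker sending IP packets with PC1's address, then with its own
        "ipsg_spoof": sw.verify_source("Gi0/2", 100, "192.168.0.2", "bbbb.bbbb.bbbb"),
        "ipsg_own": sw.verify_source("Gi0/2", 100, "192.168.0.3", "bbbb.bbbb.bbbb"),
        # IPSG: DHCP from a host that has no binding yet is always let through
        "ipsg_dhcp": sw.verify_source("Gi0/2", 100, "0.0.0.0", "dddd.dddd.dddd", is_dhcp=True),
    }
    # ARP storm on an untrusted port: dropped for bad bindings, then err-disabled
    for _ in range(20):
        sw.inspect_arp("Gi0/3", 100, "192.168.0.9", "dddd.dddd.dddd")
    out["storm_errdisabled"] = "Gi0/3" in sw.errdisabled
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v}")
```

Running the block prints one line per case. The point to notice is that the attacker's binding is perfectly valid for its own address (192.168.0.3), and the switch still drops its GARP for the gateway and its spoofed IP packets, because DAI and IPSG check the claimed address against the binding learned for that port, not whether the host has a binding at all.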

MAC Address Flooding Attacks:

A MAC address flooding attack is an attempt by a network intruder to
overwhelm the switch memory reserved for maintenance of the MAC
address table (the CAM table). The intruder generates a large number
of frames with different, bogus source MAC addresses. As the
switch's MAC address table capacity is exhausted, valid entries
cannot be made (or are aged out and replaced), and frames for those
valid destinations are flooded out of every port in the VLAN, as
unknown unicast, instead of being sent to the one correct port.
This has three side effects, all unpleasant:
o The MAC address table fills to capacity, preventing
  legitimate entries from being made.
o The large number of unnecessary flooded frames quickly consumes
  bandwidth as well as overall switch resources.
o The intruder can easily intercept packets with a packet sniffer,
  since the unnecessarily flooded frames are sent out every
  port on the switch, including the port the intruder is using.

o How to prevent MAC Flooding

I think the "switchport block unicast" command is exactly what is
being looked for here. When a MAC address table becomes full, it
flushes old entries, so real MAC addresses can get lost from the
MAC address table. When this happens, flooding of many legitimate
unicast frames will likely occur. So an attacker can send a lot of
frames with spoofed source MAC addresses to a port in order to fill
the CAM table. As long as the table is full of bogus MAC addresses,
flooding of unicast will be "needed".
By default, a switch forwards based on the destination MAC address
and floods a frame whose destination is not in the table out of
every port in the VLAN. The command "switchport block unicast",
applied to a port, stops such unknown unicast frames from being
sent out of that port: for that port the traffic is simply dropped
as opposed to flooded.
A related claim sometimes made is that "switchport block unicast"
is really "switchport block broadcast". The other item worth
mentioning is that I didn't think you could do a "switchport block
broadcast". Broadcast, by definition, should be flooded. Therefore,
I would be very careful and understand the consequences if you can
and do block broadcasts. The address FF:FF:FF:FF:FF:FF will not be
learned by the MAC address table and is therefore always flooded.
There is no concept of learning this address, since nothing should
be sourced from this address. There is, however, a "switchport
block multicast" command, which stops unknown multicast frames from
being flooded out of that port; frames for multicast groups the
switch knows about are still forwarded to the appropriate port(s)
as opposed to being flooded to the entire VLAN.
If we added the command "switchport block unicast" to the
attacker's port, the switch would not forward unicast frames out of
that port unless it knew that the destination lived there. So an
initial frame destined for 0200.2222.2222, if the switch didn't yet
have that address in the MAC address table, would be dropped for
that port rather than flooded out of it. If the switch does know
that the MAC address lives on some other port, based on having
learned the source address, it would not forward the frame to any
other ports anyway. I believe this would defeat the attack.
So as opposed to only preventing flooding, there is also a need to
protect the MAC address table itself. Since this is a type of
forged source MAC address attack, we can use port security to
restrict a port to a number (possibly one) of source MAC addresses.
Once this number is exceeded, the switch can discard the incoming
frames (protect mode), discard them and raise a log message, SNMP
trap and counter (restrict mode), or shut the port down into the
err-disabled state (shutdown mode, the default). I just wanted to
point this out in case a similar question arises.
Through 802.1X (dot1x) port authentication we can also protect our
MAC table from rogue entries, since frames from a host that has not
authenticated are not forwarded or learned.
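The following model replays the attack described above against a small MAC address table and then applies the two mitigations discussed: "switchport block unicast" on the attacker's port, and port security with a maximum of one MAC address. It is an added example written for this page, not Cisco IOS code; the table size (four entries), port names and MAC addresses are constructed so the eviction is visible after a handful of frames.

```python
"""Model of a switch MAC address (CAM) table under a MAC flooding attack, and
of the two mitigations discussed above: "switchport block unicast" and port
security. Added example, not Cisco IOS code; the table size, port names and
MAC addresses are constructed for illustration."""
from collections import OrderedDict


class Switch:
    def __init__(self, cam_size, ports):
        self.cam_size = cam_size
        self.ports = set(ports)
        self.cam = OrderedDict()          # mac -> port, oldest entry first
        self.learned_on = {p: set() for p in ports}
        self.max_macs = {}                # port -> "switchport port-security maximum"
        self.block_unicast = set()        # ports with "switchport block unicast"
        self.errdisabled = set()

    def port_security(self, port, maximum=1):
        self.max_macs[port] = maximum

    def learn(self, port, src_mac):
        """Learn src_mac on port. Returns False on a port-security violation
        (modelled in the default 'shutdown' mode: the port is err-disabled)."""
        limit = self.max_macs.get(port)
        if (limit is not None and src_mac not in self.learned_on[port]
                and len(self.learned_on[port]) >= limit):
            self.errdisabled.add(port)
            return False
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)
        else:
            if len(self.cam) >= self.cam_size:      # table full: evict the oldest
                old_mac, old_port = self.cam.popitem(last=False)
                self.learned_on[old_port].discard(old_mac)
            self.cam[src_mac] = port
        self.learned_on[port].add(src_mac)
        return True

    def forward(self, in_port, src_mac, dst_mac):
        """Return the set of ports a frame is sent out of."""
        if in_port in self.errdisabled or not self.learn(in_port, src_mac):
            return set()
        if dst_mac in self.cam:                     # known unicast
            out = self.cam[dst_mac]
            return set() if out == in_port else {out}
        # Unknown unicast: flood the VLAN, except out of ports that block it.
        return self.ports - {in_port} - self.block_unicast


PC1, PC2, ATTACKER = "Fa0/1", "Fa0/2", "Fa0/3"
MAC1, MAC2 = "0200.1111.1111", "0200.2222.2222"


def fresh_switch():
    """Small CAM table; PC1 and PC2 exchange a frame each so both are learned."""
    sw = Switch(cam_size=4, ports=[PC1, PC2, ATTACKER])
    sw.forward(PC1, MAC1, MAC2)
    sw.forward(PC2, MAC2, MAC1)
    return sw


def flood(sw, count=10):
    """Attacker sends frames from many bogus source MACs, as described above."""
    for i in range(count):
        sw.forward(ATTACKER, "0200.bad0.%04x" % i, "0200.ffff.0001")


def demo():
    out = {}
    sw = fresh_switch()
    flood(sw)
    # PC2's entry was evicted, so PC1's frame is flooded, attacker port included.
    out["unprotected"] = sorted(sw.forward(PC1, MAC1, MAC2))

    sw = fresh_switch()
    sw.block_unicast.add(ATTACKER)
    flood(sw)
    # Still flooded (the entry is still lost), but never out of the attacker's port.
    out["block_unicast"] = sorted(sw.forward(PC1, MAC1, MAC2))
    out["block_unicast_pc2_known"] = MAC2 in sw.cam

    sw = fresh_switch()
    sw.port_security(ATTACKER, maximum=1)
    flood(sw)
    # The second bogus MAC violates the limit: port err-disabled, table intact.
    out["port_security"] = sorted(sw.forward(PC1, MAC1, MAC2))
    out["port_security_pc2_known"] = MAC2 in sw.cam
    out["attacker_errdisabled"] = ATTACKER in sw.errdisabled
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24} {v}")
```

The two mitigations end with the same egress set for PC1's frame (only Fa0/2), but for different reasons: with "switchport block unicast" the table is still polluted and the frame is still flooded, it just no longer leaves through the attacker's port; with port security the table was never polluted and the frame is a normal known unicast.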

Extra Points about VLAN:

o Access Mode :
Access mode is for client devices, like normal desktops, printers, etc. An access mode
port only sends and accepts untagged frames. An access mode port in VLAN 5 belongs to
VLAN 5 and no other VLAN. It will only send and receive traffic on VLAN 5.

o Trunk Mode :
A trunk port carries traffic for many VLANs over one link: frames of every VLAN except
the native VLAN are sent with an 802.1Q tag, and native VLAN frames are sent untagged.
The fact that it uses 802.1Q tagged frames implies that it is connected to a device which
is capable of dealing with 802.1Q frames. But very often Ethernet cards in server machines
can be configured for 802.1Q as well, i.e. you can run a trunk mode port to a server,
connecting it directly into multiple VLANs.
The "tag" contains the number of the VLAN to which this particular frame belongs. Due to
that, the receiving side is able to assign each received frame to the correct VLAN. If the
switch sends a VLAN 5 tagged frame through a trunk port, the receiving side knows that
this frame belongs to VLAN 5 and thus can forward it correctly to the next hop,
maintaining the separation of VLANs.
Trunking is generally related to switches, but routers, firewalls, and all manner of devices
can connect with trunks as well.
o ip default-gateway (when IP routing is disabled, i.e. the switch is a pure Layer 2 device
  with a management address). When your switch is configured to route with IP, it does not
  need to have a default gateway set; use one of the following instead:
o ip default-network (when IP routing is enabled)
o ip route 0.0.0.0 0.0.0.0 <next-hop> (when IP routing is enabled)

VLAN Hopping :
VLAN hopping can be accomplished by switch spoofing or double
tagging.

o Double Tagging (pushing traffic from one VLAN into another VLAN)

One form of VLAN hopping is double tagging, so named because the
intruder transmits frames that are "double tagged" with two
separate 802.1Q VLAN IDs. As you'll see in our example, certain
circumstances must exist for a double tagging attack to be
successful:
o The intruder's host device must be attached to an access
  port.
o The VLAN used by that access port must be the native VLAN of
  the trunk the frame will cross.
o The term "native VLAN" tips us off to the third requirement:
  802.1Q (dot1q) must be the trunking protocol in use, since ISL
  doesn't use a native VLAN.
Note that the attack is one-way: the attacker can inject frames
into the victim's VLAN, but the victim's replies are switched
normally inside that VLAN and never come back to the attacker.

o Double-Tagging Diagrammatic Explanation:

o In this attack, the attacking computer generates frames with two 802.1Q tags. The
outer tag matches the native VLAN of the trunk port (VLAN 10 in this case), and
the inner tag matches the VLAN of the host it wants to attack (VLAN 20).
o When the frame from the attacker reaches Switch A, Switch A only looks at the
outer tag. It says VLAN 10, which matches the native VLAN, and native VLAN frames
are sent untagged over an 802.1Q trunk, so this tag is removed and Switch A forwards
the frame across the trunk. The inner VLAN 20 tag is now the first tag on the wire.
Switch B receives the frame with a tag of VLAN 20, so it removes this tag and forwards
the frame out to the victim computer in VLAN 20, a VLAN the attacker was never a
member of.
o Switch Spoofing (gaining access to all VLANs):
Switch spoofing is another variation of VLAN hopping that is even
worse than double tagging, because this version allows the rogue
host to become a member of *all* VLANs in your network. Many Cisco
switch ports ship in a dynamic DTP mode by default (dynamic
desirable on older platforms, dynamic auto on newer ones), which
means that a port will negotiate, or at least accept, a Dynamic
Trunking Protocol (DTP) request to form a trunk. A potential
problem exists, since the switch doesn't really know what kind of
device is sending or receiving the DTP frames.
There are two defenses for VLAN hopping attacks; the one you
choose depends on the port type:
o Every port on your switch that does not lead to another
  known switch should be placed into access mode. That
  disables the port's ability to create a trunk, and in turn
  disables the rogue host's ability to spoof being a switch.
o Trunking ports should be placed into unconditional
  trunking mode and then DTP frame transmission should
  be disabled.

o Switch spoofing diagrammatic Explanation :

The attacker can connect an unauthorized Cisco switch to a company switch port. The
unauthorized switch can send DTP frames and form a trunk with the company switch. If
the attacker can establish a trunk link to the company switch, it receives traffic for all
VLANs through the trunk, because all VLANs are allowed on a trunk by default. (Instead
of using a Cisco switch, the attacker can use software to craft and send DTP frames.)
To mitigate VLAN hopping, the following things should be done:
1) If no trunking is required, configure the port as an access port; this also disables
trunking on that interface, so it can no longer negotiate into a trunk (an access port
may still send DTP frames announcing itself; add switchport nonegotiate as well if you
want it to stop sending DTP entirely):
Switch(config-if)# switchport mode access
2) If trunking is required, configure the port as an unconditional trunk and set it to
nonegotiate to prevent DTP frames from being sent:
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate
3) Set the native VLAN to an unused VLAN and don't use this VLAN for any other
purpose. No access port is then ever in the native VLAN, which removes the second
requirement of the double tagging attack:
Switch(config-if)# switchport trunk native vlan VLAN-ID
4) Force the switch to tag the native VLAN on all its 802.1Q trunks, so the outer tag of
a double-tagged frame is never stripped. Both ends of every trunk must have this
setting, because untagged frames arriving on a trunk are then dropped:
Switch(config)# vlan dot1q tag native
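The following model puts the double-tagging explanation and mitigations 3 and 4 above into bytes: it builds an 802.1Q double-tagged frame, passes it through an access port on Switch A, over the trunk, and into Switch B, and reports which VLAN the frame is finally delivered in. It is an added example written for this page, not Cisco IOS code; the MAC addresses, VLAN numbers and payload are constructed, and the access-port behaviour (a frame tagged with the port's own VLAN is accepted, other tags are dropped) is the one the explanation above relies on.

```python
"""Byte-level model of the 802.1Q double-tagging attack described above and of
the two trunk-side mitigations (an unused native VLAN, "vlan dot1q tag
native"). Added example, not Cisco IOS code; the MAC addresses, VLAN numbers
and payload are constructed for illustration."""
import struct

TPID_8021Q = 0x8100


def mac(s):
    return bytes.fromhex(s.replace(".", "").replace(":", ""))


def build_frame(dst, src, vlans, ethertype=0x0800, payload=b""):
    """Ethernet frame carrying one 802.1Q tag per VLAN in `vlans` (outermost first)."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, v & 0x0FFF) for v in vlans)
    return mac(dst) + mac(src) + tags + struct.pack("!H", ethertype) + payload


def tag_stack(frame):
    """List the VLAN IDs of all 802.1Q tags at the front of the frame."""
    vlans, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vlans.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vlans


def pop_tag(frame):
    """If the frame is tagged, return (vlan, frame without that outer tag)."""
    if struct.unpack_from("!H", frame, 12)[0] != TPID_8021Q:
        return None, frame
    tci = struct.unpack_from("!H", frame, 14)[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


def push_tag(frame, vlan):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan) + frame[12:]


def access_port_ingress(frame, access_vlan):
    """Switch A, access port: untagged, or tagged with the port's own VLAN, is
    accepted into that VLAN (outer tag removed); any other tag is dropped."""
    vlan, inner = pop_tag(frame)
    if vlan is None:
        return access_vlan, frame
    if vlan != access_vlan:
        return None, None
    return access_vlan, inner


def trunk_egress(vlan, frame, native_vlan, tag_native=False):
    """Switch A, trunk port: native VLAN frames leave untagged unless
    'vlan dot1q tag native' is configured; all others are tagged."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan, tag_native=False):
    """Switch B, trunk port: tagged frames belong to the tagged VLAN; untagged
    ones belong to the native VLAN, or are dropped when native tagging is on."""
    vlan, inner = pop_tag(frame)
    if vlan is None:
        return (None if tag_native else native_vlan), frame
    return vlan, inner


def deliver(frame, access_vlan, native_vlan, tag_native=False):
    """VLAN in which Switch B delivers the attacker's frame (None = dropped)."""
    vlan, f = access_port_ingress(frame, access_vlan)
    if vlan is None:
        return None
    on_wire = trunk_egress(vlan, f, native_vlan, tag_native)
    final_vlan, _ = trunk_ingress(on_wire, native_vlan, tag_native)
    return final_vlan


def demo():
    victim, attacker = "0200.0000.0020", "0200.0000.0bad"
    attack = build_frame(victim, attacker, [10, 20], payload=b"hop")
    single = build_frame(victim, attacker, [20], payload=b"hop")
    return {
        "tags": tag_stack(attack),
        # requirements met: access VLAN 10 == native VLAN 10, outer tag stripped
        "vulnerable": deliver(attack, access_vlan=10, native_vlan=10),
        # a single VLAN 20 tag from an access port in VLAN 10 is dropped at Switch A
        "wrong_tag": deliver(single, access_vlan=10, native_vlan=10),
        # mitigation 3: native VLAN is an unused VLAN, so VLAN 10 frames stay tagged
        "unused_native": deliver(attack, access_vlan=10, native_vlan=999),
        # mitigation 4: vlan dot1q tag native keeps the outer tag on the trunk
        "tag_native": deliver(attack, access_vlan=10, native_vlan=10, tag_native=True),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:14} {v}")
```

In the vulnerable case the frame that reaches Switch B starts with the inner 0x8100/VLAN 20 tag, which is why Switch B treats it as ordinary VLAN 20 traffic. Under either mitigation the frame is still a VLAN 10 frame when it arrives, with the attacker's second tag buried in the payload where nothing interprets it.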


Preventing a Rogue Switch from becoming the Root Switch :

We have two powerful tools at our disposal to make sure that even
if a rogue switch makes its way into our network, we can prevent
it from becoming the root: Root Guard and BPDU Guard. These
tools work in totally different manners, so let's take a detailed
look at how each of them operates and how each is configured.

A. Root Guard :
If a switch that is not under your administrative control, a rogue
switch, becomes the root switch of your network, it can lead to
all kinds of trouble. Remember our discussion of SPAN (Switched
Port Analyzer) earlier in this section? If an intruder managed to
introduce a rogue switch into your network and make it the root,
he could simply configure SPAN on that switch to obtain a copy of
all data crossing it.
STP has no default behavior to prevent this from happening; the
spanning-tree vlan <id> root primary/secondary command helps you
determine which switches become the root and secondary root by
lowering their priority, but does nothing to disqualify another
switch from becoming the root if it advertises an even lower
bridge ID.
We will take the following example (see figure):

To prevent SW4 from becoming the root or secondary root, SW3's
port that will receive BPDUs from SW4 should be configured with
Root Guard. When a BPDU comes in from SW4, SW3 will recognize
this as a superior BPDU, one that would result in a new root
switch being elected. Root Guard will block that superior BPDU,
discard it, and put the port into the root-inconsistent state.
Here's the console message we receive as a result on SW3:
00:26:46: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port
FastEthernet0/24 on VLAN0023.
When those superior BPDUs stop coming, SW3 will allow that port
to transition normally through the STP port states again.

o Configuration :
(config)#int f0/1
(config-if)#spanning-tree guard root

B. BPDU Guard :
There is a chance, just a chance, that someone is going to
manage to connect a switch to a port running PortFast. That could
lead to two major problems:
A. The first is the formation of a switching loop. Remember, the
   reason we have the listening and learning states is to help
   prevent switching loops, and PortFast skips them.
B. The possibility of switching loops actually pales next to
   the other possibility: there could be a new root bridge
   elected, and it could be a switch that isn't even in your
   network!

Configuration:

Port based :
(config-if)#spanning-tree bpduguard enable

OR

Globally, enabling it on all PortFast ports:
(config)#spanning-tree portfast bpduguard default

BPDU Filtering vs BPDU Guard ?

o PortFast :
The purpose of PortFast is to minimize the time that access ports
must wait for STP to converge; it should only be used on access
(edge) ports connected to a single workstation or server, to
allow those devices to connect to the network immediately,
instead of waiting for STP to converge. There is no difference
between edge ports and PortFast ports. If you enable PortFast on
a port connected to a switch (a network port), you might create a
temporary bridging loop.
PortFast does not cancel STP in any way. STP still fully runs on
PortFast ports: it still sends and receives BPDUs on that port,
just like on any other port. A PortFast port differs from a normal
port in two ways: first, it goes to Forwarding immediately after
coming up, bypassing the listening and learning states; and
second, connecting or disconnecting a station on a PortFast port
does not generate topology change notifications in STP.
Interfaces connected to a single workstation or server should not
receive bridge protocol data units (BPDUs). Because a PortFast
enabled port still runs spanning tree, it can immediately
transition to the blocking state if necessary (this could happen
on receipt of a superior BPDU). PortFast can also be enabled on
trunk ports, with spanning-tree portfast trunk, for example on the
port towards a router doing router-on-a-stick: if the link flaps,
it goes into forwarding immediately, rather than going through the
full listening/learning stages.

o BPDU Guard :
BPDU Filtering and BPDU Guard both provide protection against
spanning-tree loops being created on ports where PortFast has
been enabled. A device attached to a PortFast interface is not
supposed to send BPDUs, but should this happen, BPDU Filtering and
BPDU Guard provide protection.
If any BPDU (superior to the current root or not) is received
on a port configured with BPDU Guard, that port is put immediately
into the err-disabled state.
BPDU Guard should be configured on all switch ports where STP
PortFast is enabled. This prevents any possibility that a switch
will be added to the port, either intentionally or by mistake.
BPDU Guard and BPDU Filtering can be configured in two different
ways, from global configuration mode or in interface
configuration mode. In global configuration mode the feature
(either BPDU Guard or BPDU Filtering) takes effect on all
PortFast-enabled ports only. If configured in interface
configuration mode it is enabled on that specific port regardless
of PortFast.

o BPDU Filtering :
A port with BPDU Filtering enabled stops sending and receiving
BPDUs. The two ways of enabling it behave differently, however.
Enabled globally (spanning-tree portfast bpdufilter default), it
applies to PortFast ports: the port stops sending BPDUs, but as
soon as a BPDU is received the port loses its PortFast status and
BPDU Filtering is disabled on it. The port is then taken back to
normal STP operation and sends/receives BPDUs.
Enabled on the interface, the port neither sends nor processes
BPDUs at all, which effectively switches STP off on that port.

Port Level Command : spanning-tree bpdufilter enable (in interface
configuration mode)

Note:

If you enable BPDU Guard on the same interface as BPDU Filtering,
BPDU Guard has no effect, because BPDU Filtering takes precedence
over BPDU Guard. The reason: a BPDU Filter configured on a port
prevents this port from sending and receiving BPDUs completely.
BPDU Guard on the same port is therefore useless, because received
BPDUs are dropped before they can hit the Guard.

Configuration of BPDU Filtering is not a recommended configuration,
as it can result in bridging loops.
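The following model ties together the Root Guard, BPDU Guard, PortFast and BPDU Filtering behaviour described in the sections above: a bridge receives one BPDU on a port and the outcome depends on which features are enabled, including the SW3/SW4 superior-BPDU case and the note that an interface-level BPDU Filter takes precedence over BPDU Guard. It is an added example written for this page, not Cisco IOS code; the bridge IDs, port names and the order in which features are evaluated are modelling assumptions, only the outcomes follow the text.

```python
"""State-machine model of how a port with PortFast, Root Guard, BPDU Guard or
BPDU Filter reacts to a received BPDU, following the descriptions above.
Added example, not Cisco IOS code; bridge IDs and port names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BridgeId:
    """STP bridge ID: the lower (priority, MAC) pair wins the root election."""
    priority: int
    mac: str


@dataclass
class Port:
    name: str
    portfast: bool = False      # spanning-tree portfast
    root_guard: bool = False    # spanning-tree guard root
    bpdu_guard: bool = False    # spanning-tree bpduguard enable
    bpdu_filter: bool = False   # spanning-tree bpdufilter enable (interface level)
    state: str = "forwarding"


class Bridge:
    def __init__(self, own_id, root_id, global_bpduguard=False, global_bpdufilter=False):
        self.own_id = own_id
        self.root_id = root_id                      # root this bridge currently believes in
        self.global_bpduguard = global_bpduguard    # spanning-tree portfast bpduguard default
        self.global_bpdufilter = global_bpdufilter  # spanning-tree portfast bpdufilter default

    def receive_bpdu(self, port, advertised_root):
        """Process one BPDU arriving on `port`; returns what happened."""
        if port.state == "err-disabled":
            return "ignored: port err-disabled"
        # Interface-level BPDU Filter drops the BPDU before any guard sees it,
        # which is why BPDU Guard on the same port has no effect.
        if port.bpdu_filter:
            return "dropped: bpdufilter"
        if port.bpdu_guard or (self.global_bpduguard and port.portfast):
            port.state = "err-disabled"             # any BPDU, superior or not
            return "err-disabled: bpduguard"
        # Global BPDU Filter only affects PortFast ports: on a received BPDU the
        # port loses PortFast (and the filter) and returns to normal STP.
        if self.global_bpdufilter and port.portfast:
            port.portfast = False
            return "portfast disabled: normal STP resumes"
        if advertised_root < self.root_id:          # superior BPDU
            if port.root_guard:
                port.state = "root-inconsistent"
                return "blocked: root guard"
            self.root_id = advertised_root
            return "accepted: new root elected"
        return "accepted: inferior BPDU"

    def superior_bpdus_stopped(self, port):
        """Root Guard recovers on its own once the superior BPDUs stop."""
        if port.state == "root-inconsistent":
            port.state = "forwarding"               # via listening and learning
        return port.state


def demo():
    sw3 = BridgeId(32768, "0000.0000.0003")
    root = BridgeId(24576, "0000.0000.0001")       # legitimate root (priority lowered)
    rogue = BridgeId(0, "0000.0000.00ee")          # SW4 advertising priority 0
    host = BridgeId(61440, "0000.0000.00ff")       # inferior BPDU from a mis-plugged switch
    out = {}

    b = Bridge(sw3, root)
    p = Port("Fa0/24", root_guard=True)
    out["root_guard"] = b.receive_bpdu(p, rogue)
    out["root_guard_state"], out["root_kept"] = p.state, b.root_id == root
    out["root_guard_recovered"] = b.superior_bpdus_stopped(p)

    b = Bridge(sw3, root)
    out["no_guard"] = b.receive_bpdu(Port("Fa0/1"), rogue)
    out["no_guard_root_is_rogue"] = b.root_id == rogue

    b = Bridge(sw3, root, global_bpduguard=True)
    p = Port("Fa0/2", portfast=True)
    out["bpdu_guard"] = b.receive_bpdu(p, host)
    out["bpdu_guard_state"] = p.state

    b = Bridge(sw3, root)
    p = Port("Fa0/3", bpdu_guard=True, bpdu_filter=True)
    out["filter_over_guard"] = b.receive_bpdu(p, rogue)
    out["filter_state"] = p.state

    b = Bridge(sw3, root, global_bpdufilter=True)
    p = Port("Fa0/4", portfast=True)
    out["global_filter"] = b.receive_bpdu(p, host)
    out["portfast_lost"] = not p.portfast
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24} {v}")
```

The cases worth comparing are Fa0/24 and Fa0/1: the same rogue BPDU either leaves the port root-inconsistent with the root unchanged, or silently makes SW4 the root. Fa0/3 shows the note above in action: with the interface-level filter present, BPDU Guard never fires and the port stays forwarding, which is exactly why that combination is not recommended.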

Lecture#8
Site To Site VPN
R1(config)#int f0/0
R1(config-if)#ip add 10.10.10.1 255.255.255.0
R1(config-if)#int f1/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#router eigrp 100
R1(config-router)#network 10.10.10.0 0.0.0.255
R1(config-router)#network 192.168.1.0 0.0.0.255
R1(config-router)#no auto-summary

Note: the ISAKMP policy below (3DES, MD5, Diffie-Hellman group 2) and
the pre-shared key "cisco" are lab values only. 3DES and MD5 are
deprecated and a 1024-bit DH group is too weak for new deployments;
on a production tunnel use AES (encryption aes 256), SHA-2 (hash
sha256), DH group 14 or higher, and a long random pre-shared key or
certificates. Likewise, the crypto ACL here matches only ICMP, so only
pings between the sites are encrypted; a real crypto ACL permits the
traffic between the two private subnets, and the ACLs on the two
peers must mirror each other.

********* Site to Site VPN Configurations On R1 *************
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#group 2
R1(config-isakmp)#hash md5
R1(config-isakmp)#lifetime 86400
R1(config)#crypto isakmp key 0 cisco address 192.168.1.2
R1(config)#crypto ipsec transform-set TRANS esp-3des esp-sha-hmac
R1(config)#access-list 100 permit icmp any any
R1(config)#crypto map MYMAP 10 ipsec-isakmp
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#set peer 192.168.1.2
R1(config-crypto-map)#set pfs group2
R1(config-crypto-map)#set transform-set TRANS
R1(config-crypto-map)#set security-association lifetime seconds 86400
R1(config)#int fastEthernet 1/0
R1(config-if)#crypto map MYMAP

********* Site to Site VPN Configurations On R2 *************
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#group 2
R2(config-isakmp)#hash md5
R2(config-isakmp)#lifetime 86400
R2(config)#crypto isakmp key 0 cisco address 192.168.1.1
R2(config)#crypto ipsec transform-set TRANS esp-3des esp-sha-hmac
R2(config)#access-list 100 permit icmp any any
R2(config)#crypto map MYMAP 10 ipsec-isakmp
R2(config-crypto-map)#set peer 192.168.1.1
R2(config-crypto-map)#match address 100
R2(config-crypto-map)#set pfs group2
R2(config-crypto-map)#set transform-set TRANS
R2(config-crypto-map)#set security-association lifetime seconds 86400
R2(config-crypto-map)#int f1/0
R2(config-if)#crypto map MYMAP

The ISAKMP policy (encryption, hash, DH group, authentication) and the
transform set must match on both peers, and each peer's pre-shared key
must be bound to the other's address, as above; a mismatch in any of
these is the most common reason the tunnel never reaches QM_IDLE.
