CCNP-SWITCHING 300-115 Mohamed Samir YouTube

CCNP-SWITCHING 300-115
Mohamed Samir YouTube channel
Double CCIEs #27042(R/S&SP)
Mohamed Samir
© 2015 Mohamed Samir YouTube channel
All rights reserved.
www.mohamedsamir.com
Part VII: Securing Switched Networks
Preventing Spoofing Attacks
Preventing Spoofing Attacks
• Malicious users sometimes can send spoofed information to trick switches or other hosts into using a rogue machine as a gateway.
• The attacker's goal is to become the man in the middle.
• This section describes three Cisco Catalyst features that counter this:
1- DHCP snooping
2- IP Source Guard
3- Dynamic ARP Inspection
DHCP Snooping
• Switch ports are categorized as trusted or untrusted
• Legitimate DHCP servers can be found on trusted ports, others behind untrusted ports
• Any DHCP replies coming from an untrusted port are discarded
• In addition, the port automatically is shut down in the errdisable state
DHCP Snooping
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 104
Switch(config)# interface range gigabitethernet 1/0/35 - 36
Switch(config-if-range)# ip dhcp snooping limit rate 3
Switch(config-if-range)# interface gigabitethernet 1/1/1
Switch(config-if)# ip dhcp snooping trust
IP Source Guard
• IP Source Guard checks the source address of packets arriving on untrusted ports by making use of the DHCP snooping database and static IP source binding entries
• If DHCP snooping is configured and enabled, the switch learns the MAC and IP addresses of hosts that use DHCP
• The source IP address must be identical to the IP address learned by DHCP snooping or a static entry
• For static IPs:
Switch(config)# ip source binding mac-address vlan vlan-id ip-address interface gig 1/1
Switch(config)# interface gig 1/1
Switch(config-if)# ip verify source [port-security]
Switch# show ip verify source [interface gig 1/1]
Switch# show ip source binding [ip-address] [mac-address] [dhcp-snooping | static] [interface gig 1/1] [vlan vlan-id]
Dynamic ARP Inspection (DAI)
• The attack it prevents is known as ARP poisoning or ARP spoofing (man in the middle)
• All switch ports are classified as trusted or untrusted
• If an ARP reply contains invalid information or values that conflict with entries in the trusted database, it is dropped and a log message is generated.
Switch(config)# ip arp inspection vlan 104
Switch(config)# arp access-list StaticARP
Switch(config-arp-nacl)# permit ip host 192.168.1.10 mac host 0006.5b02.a841
Switch(config-arp-nacl)# exit
Switch(config)# ip arp inspection filter StaticARP vlan 104
Switch(config)# interface gigabitethernet 1/0/49
Switch(config-if)# ip arp inspection trust
Switch# show ip arp inspection
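As an added illustration (not from the slides and not Cisco code), the following Python model shows how one DHCP snooping binding table drives both the IP Source Guard and the DAI decisions on untrusted ports, and why replies on trusted ports bypass the check; port names, addresses and binding entries are constructed.

```python
"""Model of a Catalyst switch using the DHCP snooping binding table to
validate traffic for IP Source Guard (IPSG) and Dynamic ARP Inspection (DAI).
Added illustration; all ports, VLANs and addresses below are constructed."""
from dataclasses import dataclass

# Constructed binding table: (port, vlan) -> (mac, ip), as learned by DHCP
# snooping or entered with 'ip source binding' / an ARP access-list.
BINDINGS = {
    ("Gi1/0/35", 104): ("0006.5b02.a841", "192.168.1.10"),  # learned via DHCP
    ("Gi1/0/36", 104): ("0011.2233.4455", "192.168.1.20"),  # static entry
}
# Uplinks configured with 'ip dhcp snooping trust' / 'ip arp inspection trust'.
TRUSTED_PORTS = {"Gi1/1/1", "Gi1/0/49"}


@dataclass
class Packet:
    port: str
    vlan: int
    src_mac: str
    src_ip: str
    kind: str  # "ip", "arp-reply" or "dhcp-offer"


def validate(pkt: Packet) -> tuple[bool, str]:
    """Return (forward, reason) the way DHCP snooping, IPSG and DAI decide."""
    if pkt.port in TRUSTED_PORTS:
        return True, "trusted port: not inspected"
    if pkt.kind == "dhcp-offer":
        # A DHCP server reply on an untrusted port is a rogue server.
        return False, "DHCP snooping: server reply on untrusted port dropped"
    binding = BINDINGS.get((pkt.port, pkt.vlan))
    if binding is None:
        return False, "no binding for this port/VLAN: dropped"
    mac, ip = binding
    if pkt.kind == "arp-reply":
        # DAI: the sender IP/MAC pair must match the binding table exactly.
        if (pkt.src_mac, pkt.src_ip) != (mac, ip):
            return False, f"DAI: ARP reply {pkt.src_ip}/{pkt.src_mac} conflicts with binding, dropped and logged"
        return True, "DAI: ARP reply matches binding"
    # IPSG: source IP must match the binding; with the port-security keyword the
    # MAC is checked as well, which is what this model does.
    if pkt.src_ip != ip or pkt.src_mac != mac:
        return False, "IPSG: source address does not match binding, dropped"
    return True, "IPSG: source matches binding"
```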
Any questions?
Thank you for your time!
Thank you
May God reward you with good