SWITCHING ESSENTIALS

Verify Port Security Explanation

Command displays port security settings for the switch
show port-security displays details for a specific interface.
show port-security interface verify that MAC addresses are “sticking” to the
show run configuration
display all secure MAC addresses that are manually
show port-security address configured or dynamically learned on all switch
interfaces

Mitigate VLAN Attacks

VLAN Attack Review

VLAN Attack Review can be launched in one of three ways:

i. Spoofing DTP messages from the attacking host to cause the switch to enter trunking
mode.

ii. Introducing a rogue switch and enabling trunking
iii. Double-tagging (or double-encapsulated) attack

Steps to Mitigate VLAN Hopping Attacks

Step 1 Disable DTP (auto trunking) negotiations on non-trunking ports by using
the switchport mode access interface configuration command.
Step 2  Disable unused ports and put them in an unused VLAN.
Step 3  Manually enable the trunk link on a trunking port by using the switchport mode
trunk command
Step 4 Disable DTP (auto trunking) negotiations on trunking ports by using the switchport
nonegotiate command.
Step 5 Set the native VLAN to a VLAN other than VLAN 1 by using the switchport trunk
native vlan vlan_number command

For example, assume the following:

 FastEthernet ports 0/1 through fa0/14 are active access ports
 FastEthernet ports 0/15 through 0/19 are not currently in use
 FastEthernet ports 0/20 through 0/24 are trunk ports

Page | 80

SW1 #configure terminal
SW1(config)# interface range fastEthernet 0/1 - 14
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# exit
SW1(config) # interface range fastEthernet 0/15 - 19
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 100
SW1(config-if-range)# exit
SW1(config) # interface range fastEthernet 0/20 - 24
SW1(config-if-range)# switchport mode trunk
SW1(config-if-range)# switchport nonegotiate
SW1(config-if-range)# switchport trunk native vlan 88
SW1(config-if-range)# end

Mitigate DHCP Attacks

DHCP Snooping

DHCP snooping filters DHCP messages and rate-limits DHCP traffic on untrusted ports
 Devices under administrative control (e.g., switches, routers, and servers) are trusted
sources.
 Trusted interfaces (e.g., trunk links, server ports) must be explicitly configured as
trusted
 Devices outside the network and all access ports are generally treated as untrusted
sources

DHCP table is built that includes the source MAC address of a device on an untrusted port and
the IP address assigned by the DHCP server to that device. This table is called the DHCP
snooping binding table.

Steps to Implement DHCP Snooping
Step 1 Enable DHCP snooping by using the ip dhcp snooping global configuration command
Step 2  On trusted ports, use the ip dhcp snooping trust interface configuration command
Step 3  On untrusted interfaces, limit the number of DHCP discovery messages that can be received
using the ip dhcp snooping limit rate packets-per-second interface configuration command.
Step 4  Enable DHCP snooping by VLAN, or by a range of VLANs, by using the ip dhcp
snooping vlan global configuration command

Page | 81

The following is an example of how to configure DHCP snooping on SW1:
• DHCP snooping is first enabled on SW1.
• The upstream interface to the DHCP server is explicitly trusted.
• F0/5 to F0/24 are untrusted and are, therefore, rate limited to six packets per second.
• Finally, DHCP snooping is enabled on VLANS 5, 10, 50, 51, and 52.

SW1 #configure terminal
SW1(config)# interface fastEthernet 0/1
SW1(config-if)# ip dhcp snooping trust
SW1(config-if)# exit
SW1(config)# interface range fastEthernet 0/5 - 24
SW1(config-if-range)# ip dhcp snooping limit rate 6
SW1(config-if)# exit
SW1(config)# ip dhcp snooping vlan 5,10,50-52
SW1(config)# end

Mitigate ARP Attacks

Dynamic ARP Inspection

Dynamic ARP inspection (DAI) requires DHCP snooping and helps prevent ARP attacks by:

I. Not relaying invalid or gratuitous ARP Replies out to other ports in the same VLAN.
II. Intercepting all ARP Requests and Replies on untrusted ports
III. Verifying each intercepted packet for a valid IP-to-MAC binding.
IV. Dropping and logging ARP Replies coming from invalid to prevent ARP poisoning.
V. Error-disabling the interface if the configured DAI number of ARP packets is exceeded.

DAI Implementation Guidelines

To mitigate the chances of ARP spoofing and ARP poisoning, follow these DAI implementation
guidelines

DAI IMPLEMENTATION • Enable DHCP snooping globally.
• Enable DHCP snooping on selected VLANs.
• Enable DAI on selected VLANs.
• Configure trusted interfaces for DHCP

snooping and ARP inspection.

Page | 82

DAI Configuration
DAI will be configured to mitigate against ARP spoofing and ARP poisoning attacks
DHCP snooping is enabled because DAI requires the DHCP snooping binding table to
operate
Next, DHCP snooping and ARP inspection are enabled for the PCs on VLAN
The uplink port to the router is trusted, and therefore, is configured as trusted for
DHCP snooping and ARP inspection

SW1 #configure terminal
SW1(config)# ip dhcp snooping
SW1(config)# interface range g0/1 - 2
SW1(config-if-range)# ip dhcp snooping trust
SW1(config-if-range)# ip arp inspection trust
SW1(config-if-range)# exit
SW1(config)# ip dhcp snooping vlan 10,20,30-49
SW1(config)# ip arp inspection vlan 10,20,30-49

Page | 83

Mitigate STP Attacks

PortFast and BPDU Guards

To mitigate STP attacks, use PortFast and Bridge Protocol Data Unit (BPDU) Guard

Port Fast BPDU Guards

 Immediately brings a port to the  Immediately error disables a port that
forwarding state from a blocking state, receives a BPDU.

bypassing the listening and learning  BPDU guard should only be configured

states on interfaces attached to end devices.

 Apply to all end-user access ports

Configure Port Fast

PortFast bypasses the STP listening and learning states to minimize the time that access ports
must wait for STP to converge.

 Only enable PortFast on access ports.
 PortFast on inter switch links can create a spanning-tree loop.

PortFast can be enabled:

 On an interface – Use the spanning-tree portfast interface configuration command.
 Globally – Use the spanning-tree portfast default global configuration command to

enable PortFast on all access ports.

To verify whether PortFast is enabled globally you can use either the:

 show running-config | begin span command
 show spanning-tree summary command

SW1 #configure terminal
SW1(config)# interface fa0/1
SW1(config-if)# switchport mode access
SW1(config-if)# spanning-tree portfast
SW1(config-if)# exit
SW1(config)# spanning-tree portfast default

Configure BPDU Guard

An access port could receive an unexpected BPDUs accidentally or because a user connected
an unauthorized switch to the access port.

 If a BPDU is received on a BPDU Guard enabled access port, the port is put into error-
disabled state

 This means the port is shut down and must be manually re-enabled or automatically
recovered through the errdisable recovery cause psecure_violation global command

Page | 84

BPDU Guard can be enabled
 On an interface – Use the spanning-tree bpduguard enable interface configuration
command.
SW1 #configure terminal
SW1(config)# interface fa0/1
SW1(config-if)# spanning-tree bpduguard enable
SW1(config-if)# exit
SW1(config)# spanning-tree portfast bpduguard default
 Globally – Use the spanning-tree portfast bpduguard default global configuration
command to enable PortFast on all access ports.

Page | 85

Configuration Example: Switch Security Configuration

Topology

Addressing Table Interface IP Address Subnet Mask
Device G0/0/1 192.168.10.1 255.255.255.0
R1 255.255.255.0
R1 Loopback 0 10.10.1.1 255.255.255.0
SW1 VLAN 10 192.168.10.201 255.255.255.0
SW2 VLAN 10 192.168.10.202 255.255.255.0
PC-1 NIC 255.255.255.0
PC-2 NIC DHCP
DHCP

Page | 86

Configuration on R1:

Basic Configuration
Router(config)#hostname R1
R1(config)#enable secret secPwd
R1(config)#line console 0
R1(config-line) #password consPwd
R1(config-line) #login
R1(config)#line vty 0 15
R1(config-line) #password vtyPwd
R1(config-line) #login
R1(config)#banner motd #Authorized User Only! #
R1(config)#no ip domain-lookup
R1(config)#service password-encryption

Configure DHCP setting
R1(config)# ip dhcp excluded-address 192.168.10.1 192.168.10.9
R1(config)# ip dhcp excluded-address 192.168.10.201 192.168.10.202
R1(config)#ip dhcp pool Staff
R1(dhcp-config)# network 192.168.10.0 255.255.255.0
R1(dhcp-config)# default-router 192.168.10.1
R1(dhcp-config)# domain-name JTMK.com
R1(dhcp-config)# exit
R1(config)#interface loopback0
R1(config-if)#ip address 10.10.1.1 255.255.255.0
R1(config-if)#exit
R1(config)#interface GigaEthernet 0/0/1
R1(config-if)# ip address 192.168.10.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)#exit
R1(config)# line con 0
R1(config)# logging synchronous
R1(config)# exec-timeout 0 0

Configuration on SW1:

Basic Configuration
Switch(config)#hostname SW1
SW1(config)#enable secret secPwd
SW1(config)#line console 0
SW1(config-line) #password consPwd
SW1(config-line) #login
SW1(config)#line vty 0 15
SW1(config-line) #password vtyPwd
SW1(config-line) #login
SW1(config)#banner motd #Authorized User Only! #
SW1(config)#no ip domain-lookup
SW1(config)#service password-encryption

Configure interface description for the ports that use in SW1
SW1(config)# interface fastEthernet 0/1
SW1(config-if)# description Link to SW2
SW1(config-if)# interface fastEthernet 0/5
SW1(config-if)# description Link to R1
SW1(config-if)# interface FastEthernet 0/6
SW1(config-if)# description Link to PC-A

Page | 87

Set the default-gateway for Management VLAN
SW1(config)# ip default-gateway 192.168.10.1

Configure VLAN 10
SW1(config)# vlan 10
SW1(config-vlan)# name Managemant
Configure SVI for VLAN 10
SW1(config)# interface vlan 10
SW1(config-if)# ip address 192.168.10.201 255.255.255.0
SW1(config-if)# description Management SVI
SW1(config-if)#no shutdown
Configure VLAN 333 with the name Native on SW1
SW1(config)# vlan 333
SW1(config-vlan)# name native
Configure VLAN 999 with name JTMKStaff on SW1
SW1(config-vlan)# vlan 999
SW1(config-vlan)# vlan JTMKStaff
Implement 802.1Q trunking
SW1(config)interface f0/1
SW1(config-if)#switchport mode trunk
SW1(config-if)# switchport trunk native vlan 333
Disable DTP negotiation on F0/1 on SW1
SW1(config)interface f0/1
SW1(config-if)# switchport nonegotiate
Configure access port
SW1(config)interface range f0/5 – 6
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 10
Secure and disable unused switchport
SW1(config)#interface range f0/2-4, f0/7-24, g0/1-2
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 999
SW1(config-if-range)# shutdown
Enable port security on f0/6 with the setting
SW1(config)# interface f0/6
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security maximum 3
SW1(config-if)# switchport port-security violation restrict
SW1(config-if)# switchport port-security aging time 60
SW1(config-if)# switchport port-security aging type inactivity
Implement PortFast on all access port
SW1(config)# interface f0/5 -6
SW1(config-if)# spanning-tree portfast
Enable BPDU guard on SW1 VLAN 10 access ports connected on PC-A
SW1(config)# interface f0/6
SW1(config-if)# spanning-tree bpduguard enable

Page | 88

Configuration on SW2:

Basic Configuration
Switch(config)#hostname SW2
SW2(config)#enable secret secPwd
SW2(config)#line console 0
SW2(config-line) #password consPwd
SW2(config-line) #login
SW2(config)#line vty 0 15
SW2(config-line) #password vtyPwd
SW2(config-line) #login
SW2(config)#banner motd #Authorized User Only! #
SW2(config)#no ip domain-lookup
SW2(config)#service password-encryption

Configure interface description for the ports that use in SW1
SW2(config)# interface fastEthernet 0/1
SW2(config-if)# description Link to SW1
SW2(config-if)# interface fastEthernet 0/18
SW2(config-if)# description Link to PC-B

Set the default-gateway for Management VLAN
SW2(config)# ip default-gateway 192.168.10.1

Add VLAN 10 to SW2 and name the VLAN Management
SW2(config)# interface vlan 10
SW2(config-if)# ip address 192.168.10.202 255.255.255.0
SW2(config-if)# description Management SVI
SW2(config-if)# no shutdown

Configure VLAN 333 with the name Native on SW2
SW2(config-if)# vlan 333
SW2(config-vlan)# name native

Implement 802.1Q trunking
SW2(config)# interface f0/1
SW2(config-if)# switchport mode trunk
SW2(config-if)# switchport trunk native vlan 333

Disable DTP negotiation on F0/1 on SW2
SW2(config)# interface f0/1
SW2(config-if)# switchport nonegotiate

Configure access ports
SW2(config)# interface f0/18
SW2(config-if)# switchport mode access
SW2(config-if)# switchport access vlan 10

Secure and disable unused switchports
SW2(config)# interface range f0/2-17 , f0/19-24, g0/1-2
SW2(config-if-range)# switchport mode access
SW2(config-if-range)# switchport access vlan 999
SW2(config-if-range)# shutdown

Configure port to add MAC address learned port automatically
SW2(config)# interface f0/18
SW2(config-if)# switchport port-security
SW2(config-if)# switchport port-security mac-address sticky

Configure port security with the setting on F0/18
SW2(config)# interface f0/18
SW2(config-if)# switchport port-security aging time 60

Page | 89

SW2(config-if)# switchport port-security maximum 2
SW2(config-if)# switchport port-security violation protect
Enable DHCP snooping and configure DHCP snooping on VLAN 10
SW2(config)# ip dhcp snooping
SW2(config)# ip dhcp snooping vlan 10
Configure trunk port on SW2 as trusted port
SW2(config)# interface f0/1
SW2(config-if)# ip dhcp snooping trust
Limit the untrusted port, F18 on SW2 to five DHCP packets per second
SW2(config)# interface f0/18
SW2(config-if)# ip dhcp snooping limit rate 5
Configure PortFast on all the access port
SW2(config)# interface range f0/18
SW2(config-if)# spanning-tree portfast
Enable BPDU guard on SW2 VLAn 10 access ports connected to PC-B
SW2(config)# interface range f0/18
SW2(config-if)# spanning-tree bpduguard enable

Page | 90

Identify the protocol that will allow the router to successfully
communicate with the AAA server in a server-based AAA
implementation

A. SSH
B. 802.1x
C. RADIUS
D. TACACS

Choose w hgiec
thtiLnagyve r 2 att ack will resu l t in legitimate
users n ot a lid IP addresses

A. ARP spoofing

B. DHCP starvation

C. IP address spoofing

D. MAC address flooding

Select the mitigation plan that is best for t h w a r
t i n g a DoS attack that
is creating a MAC address table overflow

​ A. Enable port security.
B. Disable DTP.
C. Disable STP.
D. Place unused ports in an unused VLAN.

4. Select the OSI Layer that is considered to be the weakest
link in a network system when security is a concern

A. Layer 4

B. Layer 7

C. Layer 2

D. Layer 3

Identify which Cisco solution helps prevent MAC and IP address
spoofing attacks

A. Dynamic ARP Inspection

B. IP Source Guard
C. Port Security
D. DHCP Snooping

Choose the best way to prevent a VLAN hopping attack

A. Use ISL encapsulation on all trunk links.
B. Disable STP on all nontrunk ports.
C. Use VLAN 1 as the native VLAN on trunk ports.
D. Disable trunk negotiation for trunk ports and statically set

nontrunk ports as access ports

Identify which procedure is recommended to mitigate
the chances of AR
P spoofing
A. Enable port security globally.
B. Enable DHCP snooping on selected VLANs.
C. Enable IP Source Guard on trusted ports.
D. Enable DAI on the management VLAN.

Select one type of switch ports that are used on Cisco switches
as part of the defense against DHCP spoofing att
acks
A. Unknown port
B. Trusted DHCP port
C. Unauthorized port
D. Established DHCP port

A network administ
rator is configuring DAI on a switch. Choose
the command that should be used on the uplink interface that
connects to a router
A. ip arp inspection trust
B. ip dhcp snooping
C. ip arp inspection vlan
D. spanning-tree portfast

A network administrator is configuring DAI on a switch with the
command ip arp inspection validate dst-mac. Select the purpose
of this configuration command.


A. To check the destination MAC address in the Ethernet header against

the MAC address table

B. To check the destination MAC address in the Ethernet header against

the source MAC address in the ARP body

C. To check the destination MAC address in the Ethernet header against

the user-configured ARP ACLs

D. To check the destination MAC address in the Ethernet header against

the target MAC address in the ARP body

references

1.Cisco Networking Academy (2020) Switching, Routing and
Wireless Essential v7.0 (SRWE) Companion Guide. Indianapolis,
US: Cisco Press.

2.Cisco Networking Academy (2020). Introduction to Networks
Companion Guide (CCNAv7). Indianapolis, US: Cisco Press.

3. Cisco Networking Academy (2020). CCNA 2 v7 Course Booklet.
Indianapolis, US: Cisco Press.

4.Cisco Networking Academy (2020). CCNA 2 v7 Labs & Study
Guide. Indianapolis, US: Cisco Press.

5.Cisco Networking Academy (2020). Introduction To Network
Course Booklet (CCNAv7). Indianapolis, US: Cisco Press.

6. Cisco Networking Academy (2020). CCNA 1 v7 Labs & Study
Guide. Indianapolis, US: Cisco Press.

7.CCNAv7 Introduction to Networks (ITN) (n.d.). Cisco Netacad
http://netacad.com

8.CCNAv7 Switching, Routing and Wireless Essentials (SRWE)
(n.d.). Cisco Netacad http://netacad.com

SWITCHING ESSENTIALS YOUR LOGO

SWITCHING ESSENTIALS is introduces Azizah Md.Aziz
students to the equipment, applications, and

protocols in a switched networks. The
chapter in this book are written based on the
syllabus of Switching Essentials for student

in Networking System Track, Diploma in
Digital Technology. The book provides
knowledge on Inter-VLAN routing, Variable
Length Subnet Mask (VLSM), Virtual Local
Area Networks (VLANs), Switch Security,
Spanning Tree Protocol and Link Aggregation
concepts through the introduction of

EtherChannel.

Syahrul Iyzani
Salehin

Aminah Hidayah
Mohamad Ariff