Category Archives: Cisco Switching

Using Cisco Smart Licensing and Deploying a Satellite Device On-Prem

Cisco is slowly moving away from the traditional method of manual license management and activation; newer devices use a feature called Smart Licensing to help manage, register and activate Cisco network devices. This is ultimately achieved by allowing the network device to communicate with the Cisco cloud and “Call Home”. Smart Licensing is linked to…

BPDU Filter and its Potential to Cause a Network Loop

Spanning-tree “BPDU Filter” works similarly to “BPDU Guard”, in that it allows you to block BPDUs. The major difference is that “BPDU Guard” places an interface that receives a BPDU into an “err-disabled” state, effectively shutting down the violating port, while “BPDU Filter” just “filters” the BPDU and leaves the port up. If a user…

BPDU Guard Concept, STP Attack and Mitigation

BPDU Guard, BPDU Filter, Root Guard and Loop Guard are all considered spanning-tree security features; each differs in what it protects and how it works. Spanning-tree attacks can harm the data plane at Layer 2, so by using spanning-tree security we can mitigate “Man in the Middle” type attacks, protect…

Dynamic ARP Inspection (DAI) Concept/Attack Example and Implementation

Dynamic ARP Inspection is a security feature that rejects invalid and malicious ARP packets; by using DAI we can prevent ARP poisoning/spoofing attacks. The Address Resolution Protocol works as follows: “192.168.0.1” wants to communicate with “192.168.0.50”, but the switch does not know how to reach the Layer 3 address, as switches only understand L2…

Private VLAN Concept/Implementation

Private VLANs are essentially VLANs within a VLAN: they partition a regular VLAN domain into sub-domains. A sub-domain is represented by a “Primary” VLAN and a “Secondary” VLAN; this is called a “VLAN pair”. You can have multiple VLAN pairs, for example one VLAN pair for each sub-domain. All VLAN pairs share the same primary VLAN. The secondary VLAN…

DHCP Snooping Concept/Implementation

DHCP Snooping is a Layer 2 security technology built into the IOS of a switch. The switch drops DHCP server messages in order to prevent unauthorized/rogue DHCP servers from offering IP addresses to DHCP clients. This is a very valuable security measure that helps protect the network from attacks. DHCP…