Category Archives: Switching

BPDU Filter and its Potential to Cause a Network Loop

Spanning-tree “BPDU Filter” works similarly to “BPDU Guard”, in that both let you block BPDUs on a port. The major difference is that “BPDU Guard” places an interface that receives a BPDU into the “err-disabled” state, effectively taking the violating port out of service, while “BPDU Filter” simply discards the BPDUs and leaves the port up. If a user… Read More »

BPDU Guard Concept, STP Attack and Mitigation

BPDU Guard, BPDU Filter, Root Guard and Loop Guard are all considered spanning-tree security features, but each differs in what it protects and how it works. Spanning-tree attacks can harm the data plane at Layer 2, so by using these features we can mitigate “Man in the Middle” type attacks, protect… Read More »
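The two posts above describe BPDU Guard versus BPDU Filter and the other spanning-tree guards. The configuration below is an added example for this archive page, not taken from either post: a Cisco IOS Catalyst access switch that err-disables edge ports on a received BPDU, shows why the interface-level BPDU Filter form can let a loop through, and applies Root Guard and Loop Guard on the infrastructure-facing side. Interface numbers, the access VLAN and the err-disable recovery timer are assumptions for illustration.

```cisco
! Added example (not from the original posts). Interface names, VLAN 10
! and the recovery interval are assumed values.

! --- Edge (user-facing) ports ---------------------------------------
! PortFast + BPDU Guard: a BPDU arriving here (rogue switch, a tool
! trying to become STP root) err-disables the port instead of letting
! the attacker join the topology.
interface range GigabitEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Optional: bring err-disabled ports back after 5 minutes so a one-off
! event does not need a manual "shutdown / no shutdown".
errdisable recovery cause bpduguard
errdisable recovery interval 300

! --- Why interface-level BPDU Filter is dangerous ------------------
! "spanning-tree bpdufilter enable" on an interface makes the port
! neither send nor process BPDUs, so STP is effectively off on it.
! If a user connects that port back into the network (or an unmanaged
! switch closes a path through it), nothing blocks the loop.
! Shown for contrast only; do not do this on a port you cannot trust.
interface GigabitEthernet0/20
 spanning-tree portfast
 spanning-tree bpdufilter enable      ! AVOID: unconditional, port stays up
!
! The global form only applies to PortFast ports and, if such a port
! receives a BPDU, PortFast and the filter are removed and the port
! runs normal STP again, so a loop is still detected.
spanning-tree portfast bpdufilter default

! --- Infrastructure-facing ports ------------------------------------
! Root Guard: a superior BPDU on this port puts it into the
! root-inconsistent (blocked) state rather than letting a downstream
! device become root.
interface GigabitEthernet0/24
 description downlink to access-switch-2
 spanning-tree guard root
!
! Loop Guard: if BPDUs stop arriving on a blocked port (for example a
! unidirectional link), keep it blocked instead of moving it to
! forwarding and creating a loop. Does not apply to PortFast ports.
spanning-tree loopguard default

! --- Verification ---------------------------------------------------
! show spanning-tree interface GigabitEthernet0/1 detail
! show spanning-tree inconsistentports
! show interfaces status err-disabled
! show errdisable recovery
```

The practical check after rolling this out is `show spanning-tree inconsistentports` and `show interfaces status err-disabled`: a port that turns up there is either a misconfigured uplink or somebody plugging a switch into a user port, and both deserve a look before the recovery timer quietly re-enables it.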

Dynamic ARP Inspection (DAI) Concept/Attack Example and Implementation

Dynamic ARP Inspection is a security feature that rejects invalid and malicious ARP packets; by using DAI we can prevent ARP Poisoning/Spoofing attacks. The Address Resolution Protocol works the following way: “192.168.0.1” wants to communicate with “192.168.0.50”; however, the Layer 3 address alone is not enough to deliver the frame, as switches only understand L2… Read More »

Private VLAN Concept/Implementation

Private VLANs are basically VLANs within a VLAN: they partition a regular VLAN domain into sub-domains. A sub-domain is represented by a “Primary” VLAN and a “Secondary” VLAN; this is called a “VLAN pair”. You can have multiple VLAN pairs, for example one VLAN pair for each sub-domain. All VLAN pairs share the same primary VLAN. The secondary VLAN… Read More »
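As an added example for this page (not configuration from the post itself), the following builds one Private VLAN domain on a Catalyst switch: primary VLAN 100 paired with an isolated secondary (101) and a community secondary (102), host ports in each pair, and a promiscuous port for the gateway. VLAN numbers, interface names, the SVI address and the port roles are all assumptions.

```cisco
! Added example (not from the original post). All VLAN numbers, port
! assignments and the SVI address are assumed.

! PVLANs require VTP transparent mode; VTP versions 1 and 2 do not
! carry private-VLAN information.
vtp mode transparent
!
vlan 100
 name SERVERS-PRIMARY
 private-vlan primary
!
vlan 101
 name ISOLATED
 private-vlan isolated        ! isolated hosts reach only promiscuous ports
!
vlan 102
 name WEB-COMMUNITY
 private-vlan community       ! community hosts reach each other + promiscuous ports
!
! Associate both secondary VLANs with the primary: these are the
! "VLAN pairs" 100/101 and 100/102, sharing primary 100.
vlan 100
 private-vlan association 101,102
!
! Host ports: each belongs to exactly one primary/secondary pair.
interface GigabitEthernet0/1
 description isolated-host-1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet0/2
 description isolated-host-2 (cannot reach Gi0/1 despite same pair)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet0/3
 description web-1 (community: can reach Gi0/4)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
interface GigabitEthernet0/4
 description web-2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Promiscuous port: the default gateway / firewall. It can talk to every
! secondary VLAN mapped here, and every host can reach it.
interface GigabitEthernet0/24
 description uplink to gateway
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! If the switch itself is the gateway for the primary VLAN, the SVI
! needs the same mapping or the secondary VLANs cannot reach it.
interface Vlan100
 ip address 10.100.0.1 255.255.255.0
 private-vlan mapping 101,102

! Verification:
! show vlan private-vlan
! show vlan private-vlan type
! show interfaces GigabitEthernet0/1 switchport
```

Note that isolation is enforced only on this switch and on trunks that carry the secondary VLANs to other PVLAN-aware switches; a gateway that proxy-ARPs or routes between hosts in the same subnet will happily relay isolated-to-isolated traffic at Layer 3, so the gateway's own policy has to match.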

DHCP Snooping Concept/Implementation

DHCP Snooping is a Layer 2 security technology built into the IOS of a switch. The switch drops DHCP server messages arriving on untrusted ports in order to prevent unauthorized/rogue DHCP servers from offering IP addresses to DHCP clients. This is a very valuable security measure that helps protect the network from attacks. DHCP… Read More »
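DHCP Snooping and Dynamic ARP Inspection (the post two entries up) belong together: DAI validates ARP against the binding table that DHCP Snooping builds. The configuration below is an added example for this page and not from either post; it shows both features on one Catalyst switch for VLAN 10, with a single trusted uplink, rate limits on untrusted ports, and an ARP ACL for a host that has a static address and therefore no DHCP binding. The interface numbers, the uplink, the flash filename and the static host's IP/MAC are assumptions.

```cisco
! Added example (not from the original posts). Ports, the uplink,
! the database filename and the static host entry are assumed values.

! --- DHCP Snooping --------------------------------------------------
ip dhcp snooping
ip dhcp snooping vlan 10
! Do not insert Option 82 unless your relay/server expects it; an
! upstream relay that is not configured for it will drop the requests.
no ip dhcp snooping information option
!
! Only the uplink towards the real DHCP server is trusted. Server
! messages (OFFER, ACK, NAK) received on any untrusted port in VLAN 10
! are dropped; that is what stops a rogue DHCP server on a user port.
interface GigabitEthernet0/24
 description uplink to distribution / DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
! Untrusted access ports: cap DHCP packets per second. Exceeding the
! limit err-disables the port (a DHCP starvation tool trips this).
interface range GigabitEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
! Persist the binding table so a reload does not leave DAI with an
! empty table and every existing host failing inspection.
ip dhcp snooping database flash:dhcp-snooping.db

! --- Dynamic ARP Inspection ----------------------------------------
! Every ARP packet on an untrusted port is checked against the DHCP
! snooping bindings (IP <-> MAC <-> VLAN <-> port). A reply claiming
! 192.168.0.1 from a port whose binding says otherwise is dropped and
! logged, which is the ARP poisoning case.
ip arp inspection vlan 10
! Extra sanity checks: Ethernet source/destination MAC must match the
! ARP body, and the IP addresses must be sane (no 0.0.0.0, multicast...).
ip arp inspection validate src-mac dst-mac ip
!
! A statically addressed host has no DHCP binding, so permit it with an
! ARP ACL. Packets not matched by the ACL still fall through to the
! binding table because the "static" keyword is not used.
arp access-list STATIC-HOSTS
 permit ip host 192.168.0.50 mac host 0011.2233.4455
!
ip arp inspection filter STATIC-HOSTS vlan 10
!
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection

! --- Verification ---------------------------------------------------
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
! show ip arp inspection interfaces
```

Two caveats worth checking before enabling DAI in production: every switch-to-switch trunk that carries VLAN 10 must be trusted (otherwise legitimate ARP from hosts behind the neighbouring switch is dropped), and `show ip dhcp snooping binding` should already list the hosts you expect, since DAI only trusts what snooping has seen or what the ARP ACL permits.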

Cisco Port-Security Concept/Implementation

Cisco port security is a Layer 2 traffic control feature used to protect the network from unknown devices that may be plugged into the network, either via a network point in a publicly accessible space or by a malicious user who has physical access to a network point. Port security works by first setting a… Read More »
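An added example for this page, not configuration from the post: two port-security profiles on a Catalyst access switch, a desk port that tolerates a phone plus a PC and only drops offending frames, and a public-area port pinned to a single known MAC that shuts down on any other device. Interface numbers, VLANs, the printer's MAC address and the recovery timer are assumptions.

```cisco
! Added example (not from the original post). Ports, VLANs, the
! printer MAC and the recovery interval are assumed values.

! --- Desk port: IP phone with a PC behind it --------------------------
interface GigabitEthernet0/5
 description user-desk-5 (IP phone + PC)
 switchport mode access          ! port-security needs a static access/trunk mode
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 ! One phone + one PC; a third MAC is a violation.
 switchport port-security maximum 2
 ! Learn the first two MACs dynamically and write them into the running
 ! config, so the learned policy survives a reload after "write memory".
 switchport port-security mac-address sticky
 ! restrict: drop frames from unknown MACs, count the violation and
 ! send a syslog/SNMP trap, but keep the port (and the phone) up.
 switchport port-security violation restrict
!
! --- Public-area port: one pinned device, strict ---------------------
interface GigabitEthernet0/6
 description lobby-printer
 switchport mode access
 switchport access vlan 30
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 ! shutdown: any other device err-disables the port.
 switchport port-security violation shutdown
!
! Auto-recover err-disabled ports after 10 minutes. Leave this out if
! you want the port to stay down until someone has looked at it.
errdisable recovery cause psecure-violation
errdisable recovery interval 600

! Verification:
! show port-security
! show port-security interface GigabitEthernet0/5
! show port-security address
! show interfaces status err-disabled
```

Port security matches on source MAC only, so it raises the bar against a casual unknown device rather than against someone who clones the printer's MAC; for the latter the DHCP Snooping and Dynamic ARP Inspection features covered elsewhere in this category are the complementary controls.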

Configure RADIUS Authentication on Server 2012 R2 for Cisco Devices

In this step-by-step guide we will set up NPS as a RADIUS server to authenticate users for our Cisco 3560X switch; this process will work on most Cisco switches and routers. In this example we will be using two AD security groups to define level 15 and level 1 user access. This is a good practice, for… Read More »
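The guide above covers the NPS side. As an added example that is not part of the guide, the following is the switch-side IOS AAA configuration that pairs with an NPS server returning privilege levels, including a local fallback so an unreachable NPS does not lock you out. The NPS address, the shared secret, the source SVI and the break-glass account are assumptions; the Cisco-AV-Pair values in the comments are the standard attribute NPS must return for the two AD groups.

```cisco
! Added example (not from the original guide). The NPS IP, shared
! secret, source interface and local account are assumed values.

aaa new-model
!
! Local fallback account, used ONLY when no RADIUS server answers.
! Configure it before the AAA lines below, or you can lock yourself out.
username breakglass privilege 15 secret <strong-local-password>
!
radius server NPS01
 address ipv4 192.168.1.10 auth-port 1812 acct-port 1813
 key <shared-secret-matching-the-NPS-RADIUS-client-entry>
!
aaa group server radius NPS
 server name NPS01
!
! Send RADIUS from a fixed SVI so NPS sees one, predictable client IP.
ip radius source-interface Vlan1
!
! Login: ask NPS first; fall back to local only if RADIUS is unreachable.
! A RADIUS Access-Reject is final and does NOT fall through to local.
aaa authentication login default group NPS local
!
! EXEC authorization: the privilege level comes from the RADIUS reply.
! NPS must return the Cisco vendor-specific attribute
!   Cisco-AV-Pair = "shell:priv-lvl=15"   (level 15 AD group policy)
!   Cisco-AV-Pair = "shell:priv-lvl=1"    (level 1 AD group policy)
! with Service-Type = Login in the matching network policy.
aaa authorization exec default group NPS local if-authenticated
! Apply EXEC authorization to the console line as well.
aaa authorization console
!
! Record EXEC sessions on NPS for an audit trail.
aaa accounting exec default start-stop group NPS
!
line vty 0 15
 transport input ssh
 login authentication default

! Verification (run from a second session before closing the one you
! configured from):
! test aaa group NPS <ad-username> <password> new-code
! show aaa servers
! debug radius authentication
```

Keep a second management session open while testing: if the shared secret or the NPS client entry is wrong you will see an Access-Reject or a timeout in `debug radius authentication`, and the open session is what lets you correct it without relying on the fallback account.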