# Delete Startup Configuration
delete nvram:startup-config
# Delete VLAN database
delete flash:vlan.dat
# Show MAC address of a client on fa0/24
show mac address-table int fa0/24
# Manual source binding
ip source binding aaaa.bbbb.cccc vlan 131 10.123.3.123 interface gi1/0/22
# View source guard configuration (not source guard binding table)
show ip verify source
show ip verify source | e vlan
# View Source guard binding table
show ip source binding
# Configure IP Source Guard
int range gi1/0/1-24
ip verify source
*You cannot configure IP source guard on a layer 3 routed interface!*
*DHCP snooping is enabled on those VLANs*
*IP source guard does not block DHCP messages*
Layer 2 protection: DAI (Dynamic ARP Inspection)
Layer 3 protection: DHCP snooping & IP source guard
To prevent gratuitous ARP, set up DAI
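How DHCP snooping, DAI and IP source guard fit together on one access switch, as an added example that is not part of the original notes. VLAN 131, the access port range and the static binding come from the commands above; the uplink gi1/0/48 towards the DHCP server is an assumption.

```cisco
! Added example. Assumed: VLAN 131 is the client VLAN and
! gi1/0/48 is the uplink towards the DHCP server.
!
! 1. DHCP snooping learns MAC/IP/port bindings from DHCP exchanges.
ip dhcp snooping
ip dhcp snooping vlan 131
!
! 2. DAI checks ARP packets on VLAN 131 against those bindings.
ip arp inspection vlan 131
!
! 3. Uplink (assumed): trusted, so DHCP server replies and ARP from
!    upstream are not dropped. All other ports stay untrusted.
interface gi1/0/48
 ip dhcp snooping trust
 ip arp inspection trust
!
! 4. Access ports: filter IP traffic by source address per binding.
interface range gi1/0/1-24
 ip verify source
 exit
!
! 5. A host with a fixed address never sends DHCP, so IP source
!    guard needs a manual binding for it.
ip source binding aaaa.bbbb.cccc vlan 131 10.123.3.123 interface gi1/0/22
!
! Verification (exec mode):
!   show ip dhcp snooping binding
!   show ip source binding
!   show ip verify source
!   show ip arp inspection vlan 131
```

Enabling step 2 or step 4 before the binding table is populated drops traffic from clients that already hold a lease, so check `show ip dhcp snooping binding` first.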
When DAI is configured and a man-in-the-middle attack happens, denial of service occurs. To recover from the DoS, we need to turn off some of the security features to confirm.
# Disable DHCP snooping
no ip dhcp snoop
# Send 1000 pings
ping 10.123.9.11 repeat 1000
# Check interfaces summary for Receive bits/sec (RXBS)
show interfaces summary
# Enable storm control on an interface
storm-control broadcast level 10
storm-control action shutdown
# Show storm control
show storm-control broadcast
# Allow auto recovery (after 30 sec)
errdisable recovery cause storm-control
errdisable recovery interval 30