Study for 350-401

# Delete Startup Configuration
delete nvram:startup-config

# Delete VLAN database
delete flash:vlan.dat

# Show mac address of a client on fa0/24
show mac address-table int fa0/24

# Manual source binding
ip source binding aaaa.bbbb.cccc vlan 131 10.123.3.123 interface gi1/0/22

# View source guard configuration (not source guard binding table)
show ip verify source
show ip verify source | e vlan

# View Source guard binding table
show ip source binding

# Configure IP Source Guard
int range gi1/0/1-24
ip verify source

*You cannot configure IP source guard on a layer 3 routed interface!*
*DHCP snooping is enabled on those VLANs*
*IP source guard does not block DHCP messages*
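
An added example (not part of the original notes): a Python check that reads a candidate switch configuration and flags ports where `ip verify source` conflicts with the notes above, that is, a layer 3 routed interface or an access VLAN without DHCP snooping. The sample configuration, the function names and the restriction to access ports are assumptions made for illustration.

```python
import re

# Constructed candidate config for illustration (not from the original notes).
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 131,140-142
interface GigabitEthernet1/0/1
 switchport access vlan 131
 ip verify source
interface GigabitEthernet1/0/2
 switchport access vlan 200
 ip verify source
interface GigabitEthernet1/0/3
 no switchport
 ip verify source
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '131,140-142' into a set of ints."""
    bounds = (part.partition("-") for part in spec.split(","))
    return {v for lo, _, hi in bounds for v in range(int(lo), int(hi or lo) + 1)}

def audit_ipsg(config):
    """Map ports where 'ip verify source' cannot work to the reason (access ports default to VLAN 1)."""
    snooping_on, snooped, ports, port = False, set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        port = port if raw.startswith(" ") else None  # unindented line ends interface sub-mode
        if line == "ip dhcp snooping":
            snooping_on = True
        elif m := re.fullmatch(r"ip dhcp snooping vlan (\S+)", line):
            snooped |= expand_vlans(m.group(1))
        elif m := re.fullmatch(r"interface (\S+)", line):
            port = ports.setdefault(m.group(1), {"vlan": 1, "routed": False, "ipsg": False})
        elif port is not None and line == "no switchport":
            port["routed"] = True
        elif port is not None and (m := re.fullmatch(r"switchport access vlan (\d+)", line)):
            port["vlan"] = int(m.group(1))
        elif port is not None and line.startswith("ip verify source"):
            port["ipsg"] = True
    findings = {}
    for name, p in ports.items():
        if p["ipsg"] and p["routed"]:
            findings[name] = "routed (layer 3) interface"
        elif p["ipsg"] and not (snooping_on and p["vlan"] in snooped):
            findings[name] = f"DHCP snooping not enabled on VLAN {p['vlan']}"
    return findings

if __name__ == "__main__":
    print(audit_ipsg(SAMPLE_CONFIG))
```
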

Layer 2 protection
DAI (Dynamic ARP inspection)

Layer 3 protection
DHCP snooping & IP source guard

To prevent gratuitous ARP, set up DAI

When DAI is configured and a man-in-the-middle attack happens, denial of service occurs. In order to recover from the DoS, we need to turn off some of the security features to confirm.

# Disable DHCP snooping
no ip dhcp snoop

# Send 1000 ping
ping 10.123.9.11 repeat 1000

# Check interfaces summary for Receive bits/sec (RXBS)
show interfaces summary

# Enable storm control on an interface
storm-control broadcast level 10
storm-control action shutdown

# Show storm control
show storm-control broadcast 

# Allow auto recovery (after 30 sec)
errdisable recovery cause storm-control 
errdisable recovery interval 30
