WEBVTT

0
00:01.790 --> 00:09.380
OK, I've just shown you how a script kiddie could destroy your multi-thousand-dollar Cisco Enterprise

1
00:09.380 --> 00:10.400
class Switch.

2
00:10.790 --> 00:14.100
But what can you do to protect your network?

3
00:14.120 --> 00:22.470
One way to avoid the dreaded CDP flood attack is to disable CDP on the entire switch. Let’s do it!

4
00:24.670 --> 00:36.480
This is the console connection to the switch: config t
and then no cdp run. CDP was disabled

5
00:36.630 --> 00:41.350
globally: do show cdp traffic

6
00:45.010 --> 00:48.380
And you notice that CDP is not enabled.

7
00:49.770 --> 00:55.050
However, sometimes you don't want to disable CDP entirely.

8
00:55.050 --> 01:07.560
Another way is to pick specific interfaces and disable CDP on those interfaces only: do show ip interface

9
01:07.590 --> 01:08.040
brief.

10
01:08.070 --> 01:12.690
Let's see the interfaces! Okay!

11
01:12.960 --> 01:17.910
And I want to disable CDP on FastEthernet0

12
01:17.940 --> 01:32.820
/1: int FastEthernet 0/1, no cdp enable. I've just disabled CDP on

13
01:32.850 --> 01:38.800
that interface only. But what if you don't want to disable CDP at all?

14
01:38.880 --> 01:47.580
In fact it's a useful protocol; that's why it exists and is enabled by default on Cisco devices.

15
01:47.700 --> 01:52.820
Another more viable option is to enable port security on the switch.

16
01:52.860 --> 02:00.690
This will protect the switch by limiting and identifying MAC addresses that are allowed to access a

17
02:00.690 --> 02:08.790
port. If a port is configured as a secure port and the maximum number of secure MAC addresses is reached

18
02:09.060 --> 02:12.560
when a new MAC address is attempting to access the port,

19
02:12.570 --> 02:20.480
a security violation occurs, and by default that security violation means shutting down the port.

20
02:20.610 --> 02:28.140
You will not only protect the switch against this attack and many others but you will also find out

21
02:28.140 --> 02:30.480
where the attack was launched from.

22
02:30.600 --> 02:35.160
And of course the switch continues to work as expected.

23
02:35.160 --> 02:41.910
We could have an entire discussion on port security but it's not the topic of this lecture.

24
02:46.020 --> 02:51.560
Okay, let's launch the CDP DoS attack again!

25
02:51.760 --> 02:56.040
I'm going back to Yersinia: launch attack,

26
02:56.460 --> 02:59.260
flooding CDP table and

27
02:59.400 --> 02:59.820
Okay!

28
03:04.740 --> 03:07.910
The attack is running! Let's

29
03:07.920 --> 03:11.120
check the switch CPU utilization again.

30
03:14.990 --> 03:19.480
I'm executing the same show process cpu command

31
03:24.770 --> 03:36.410
and the CPU utilization for 5s is only 5%; when CDP was running it was 99%, so it's

32
03:36.410 --> 03:37.870
a big difference.

33
03:38.740 --> 03:45.400
Congratulations you've just learned how to protect your Cisco devices against CDP attacks!