Course info
Apr 5, 2016
2h 24m

Learning how to properly secure the network infrastructure on your Cisco device can be overwhelming, but it doesn't have to be. This course, Infrastructure Security for CCNP Routing & Switching 300-115 SWITCH, will teach you the ins and outs in no time--it's also the final course on the CCNP SWITCH (300-115) exam. First, you'll cover SWITCH security features such as DHCP snooping and IP source guard and how they work together to protect your network from hackers. Next, you'll learn about how to use dynamic ARP inspection (DAI), port security, and storm control to keep hackers at bay. Finally, you'll learn about centralized authentication using RADIUS and TACACS+ and how to configure each of them, and end with a module that will help you prepare to succeed on your CCNP SWITCH exam. By the end of this course, you'll be able to secure your infrastructure, and you'll be one step closer to getting a great score on your 300-115 exam.

About the author

Ben Piper is an IT consultant and author of the "AWS Certified Solutions Architect Study Guide: Associate SAA-C01 Exam", "AWS Certified Cloud Practitioner Study Guide: CLF-C01 Exam", and "Learn Cisco Network Administration in a Month of Lunches". You can contact Ben by visiting his website,

Section Introduction Transcripts

Course Introduction
Welcome to Pluralsight. I'm Ben Piper, and this is Infrastructure Security for CCNP Routing & Switching 300-115 SWITCH. This is the fourth and final portion of the series covering the CCNP SWITCH exam. If you have not watched the other three courses in the series, I strongly encourage you to do so before continuing on with this one. This being the last course in the series, it builds upon the knowledge and skills you learned in all of the previous courses. This course corresponds to the following CCNP SWITCH exam topics: 2.1 Configure and verify switch security features, and 2.2 Describe device security using Cisco IOS AAA with TACACS+ and RADIUS. That's a mouthful. Now, that may not sound like a lot, but these two topics make up a full 20% of the exam. That's right, 20%. And when you drill down into the sub-topics, you'll see why. I'm going to list the sub-topics in the order that I present them in this course, which is not necessarily the order in which Cisco lists them on the exam blueprint. You're going to start by learning DHCP snooping and IP source guard in the next module. After that, you'll learn Dynamic ARP inspection, followed by port-based traffic control using Port Security and Storm Control. And then, AAA with TACACS+ and RADIUS with local privilege authorization fallback. To top it all off, I've got an entire module dedicated to helping you prepare for the SWITCH exam. So, as you can see, we've got a lot to cover, so I'm going to move through this course quicker than the previous courses. Remember, you'll have only two hours to take the SWITCH exam, so you won't have any time to waste. I want you to think of this final course as a test to see how well you can keep up. If you find yourself struggling at any point, take that to heart as a sign that you may need to go back and review one or more of the earlier courses before taking the exam.

DHCP Snooping and IP Source Guard
In this module, you're going to learn all about DHCP snooping and IP Source Guard. As I mentioned in the last module, DHCP snooping is designed to prevent unauthorized, or rogue, DHCP servers from handing out IP addresses, and IP Source Guard checks to make sure that each device on the network uses only the IP address that the authorized DHCP server assigned to it. DHCP snooping and IP Source Guard are two separate technologies, but they're often configured together because they complement each other really, really well. To put it in simple terms, DHCP snooping prevents unauthorized DHCP servers from handing out IP addresses on the network, while IP Source Guard prevents a device from using an IP address that it's not supposed to be using. Now, I realize that's kind of vague, but it will become a lot clearer after we look at DHCP snooping. For now, notice the theme here. We're trying to protect the network at layer three, the network layer, by controlling how IP addresses get allocated and who's allowed to use them. In this module, we're going to start out by looking at some DHCP-based attacks and how DHCP snooping mitigates them. We'll then configure DHCP snooping to stop those attacks, and after we do that, we'll configure IP Source Guard and see how it works together with DHCP snooping. This may not sound like a lot, but, as you're going to see, there's a lot of complexity behind these technologies, and that makes them really good fodder for the CCNP SWITCH exam.