Term
What command disables HTTP server access on a switch using IOS? Using CatOS?
|
|
Definition
IOS: no ip http server CatOS: set ip http server disable
|
|
|
Term
What is the difference between a static and perminent MAC address filter?
|
|
Definition
Catalyst switches retain permanent filters until the administrator manually clears the configuration, unlike the static filters, which are cleared after a reset.
|
|
|
Term
What are the different options available for AAA authorization?
|
|
Definition
- Auth-proxy - Auth-proxy applies security policies on a per-user basis. With the use of auth-proxy, each user brings up a web browser to authenticate to a TACACS+ or RADIUS server before accessing the network. - Commands - Command authorization applies authorization to all EXEC commands, including configuration commands associated with a specific privilege level - EXEC - EXEC refers to the attributes associated with a user EXEC terminal session. - Network - Network autorization applies to the types of network connections. - Reverse access - Reverse access refers to reverse sessions commonly used on console servers for access to different lines. |
|
|
Term
What are the different authorization methods supported by AAA?
|
|
Definition
- TACACS+ - The AAA authorization daemon on the Cisco switch communicates with the TACACS+ server to determine correct authorization for different options - RADIUS - Similar to TACACS+, it stores authorization creditials about a specific user - If-authenticated - Allows a user to access any requested function as long as the AAA daemon previously and successfully authenticated the user. - None - Disables authorization for the respective interface - Local - Uses a databse of usernames and passwords configured on the switch. |
|
|
Term
What are the different accounting types supported by AAA accounting?
|
|
Definition
- Networking accounting - Provides information for all PPP, SLIP, or ARAP sessions, including packet and byte counts - Connection accounting - Provides information about all outbound connections made from the network, such as Telnet and rlogin - EXEC accounting - Provides information about user EXEC terminal sessions on the network access server. - System accounting - Provides information about all system-level events - Command accounting - Provides information about the EXEC shell commands for a specified privilege level that are being executed on a network access server - Resource accounting - Provides start and stop record support for calls that have passed user auhentication. |
|
|
Term
What command enables AAA globally?
|
|
Definition
|
|
Term
What command specifies the IP address of the TACACS+ server to use for AAA?
|
|
Definition
| tacacs-server host ip-address |
|
|
Term
What command specifes the key to use against a TACACS server for AAA?
|
|
Definition
|
|
Term
What command configures the maximum number of MAC address allowed per port using IOS? Using CatOS? |
|
Definition
IOS: switchport port-security maximum {max-number} CatOS: set port security {mod/port} {max-number}
|
|
|
Term
What command configures a MAC address manually on an interface using IOS? Using CatOS?
|
|
Definition
IOS: switchport port-security mac-address CatOS: set port security {mod/port} {mac-address}
|
|
|
Term
What command configures the max age of a dynamically learned MAC address using IOS? Using CatOS?
|
|
Definition
IOS: switchport security aging time {time} CatOS: set port security {mod/port} age {time}
|
|
|
Term
What are the different ways that violations in port security can occur?
|
|
Definition
1. A frame with an unauthorized source MAC address is received on a secure port 2. A port receives a new frame when it has already learned the maximum number of MAC addresses allowed on that port |
|
|
Term
What can a switch do after detecting a security violation on a port?
|
|
Definition
- Shutdown - Err-disable the port permanently or for a specific period of time - Restrict -Continue to operate by drop frames from unauthorized hosts. - Protect (IOS only) - Continue to operate, but drop frames from newer hosts when the maximum number of learned addresses has been exceeded |
|
|
Term
What command sets the port violation action on a switch to err-disable using IOS? CatOS?
|
|
Definition
IOS: err-disable recovery cause secure-violation CatOS: set err-disable-timeout enable reason_for_err-disable
|
|
|
Term
What command configures the time that a port will stay in err-disable before clearing again Using IOS? Using CatOS
|
|
Definition
IOS: err-disable recovery interval {time-interval} CatOS: set err-disable timeout interval time-interval
|
|
|
Term
What command will convert all dynamic port security-learned MAC addresses to sticky secure MAC addresses?
|
|
Definition
| switchport port-security mac-address sticky |
|
|
Term
What is the difference between configuring a MAC address filter on a switch using IOS versus one using CatOS?
|
|
Definition
The Cisco ISO does not have an equivalent to the static filters present in CatOS. So all filters using IOS are considered permanent.
|
|
|
Term
What command sets a MAC address filter on a switch using IOS? Using CatOS?
|
|
Definition
IOS: mac-address-table static mac-address vlan vlan-id drop CatOS: set cam [static | permanent] filter mac-address
|
|
|
Term
What command enables or disables unicast floods on a switch with CatOS? Or on an interface using IOS?
|
|
Definition
CatOS:set port unicast-flood {mod/port} {enable | diable} IOS: switchport block {unicast | broadcast}
|
|
|
Term
What kind of traffic is allows on a switch port before the device can authenticate the client using an 802.1X authentication server?
|
|
Definition
Until the authentication server authenitcates the workstation, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the workstation connects.
|
|
|
Term
What are the 3 defined devices using with 802.1X port-based authentication?
|
|
Definition
- Client - The workstation that is requesting authentication to the network using 802.1X - Authentication server - Responsible for validating the requests from the client forwarded by the switch. Currently, the authentication servers are RADUIS server with Extensible Authentication Protocol (EAP) - Switch - The switch is responsible for forwarding the 802.1X request from the clients to the autneitcation server and granting access to the network based on successful authentication.
|
|
|
Term
What are the different options that a port can be configured using 802.1X?
|
|
Definition
- Forced-authorized - Disables 802.1X and causes the port to transition to the autorized state without requiring an authentication exchange. This is the default setting. - Forced-unauthorized - Causes the port in the unauthorized state,ignoring all attempts by the client to authenticate. - Auto - Enables 802.1X authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. |
|
|
Term
What series of commands globally enables 802.1X on a switch using IOS? What command enables it on a switch using CatOS?
|
|
Definition
IOS: aaa new-model aaa authentication dot1x {default} method1 dot1x system-auth-control CatOS: set dot1x system-auth-control enable |
|
|
Term
What command configured 802.1X on an interface using IOS? Using CatOS?
|
|
Definition
IOS: dot1x port-control auto CatOS: set port dot1x mod/port port-control auto
|
|
|
Term
How many ACL per-packet lookups are supported on a Catalyst switch?
|
|
Definition
Most Catalyst switches support only 4 ACL lookups per packet: an input and output security ACL, and an input and output QoS ACL.
|
|
|
Term
Cisco L3 MLS recognize what types of ACLs?
|
|
Definition
- Router ACL (RACL) - Standard Cisco IOS-configured ACL applied to routed interfaces - VLAN ACL - Known as access-maps, apply to all traffic in a VLAN. They support filtering based on Ethertype and MAC addresses - QoS ACL - Define packets that are to be applied to QoS classification, marking, policing and scheduling. - Port ACL (PACL) - ACLs applied on a L2 port to control traffic entering or leaving the port. |
|
|
Term
What are the different methods of performing an ACL merge on a Catalyst switch?
|
|
Definition
- Order independent - Switches transform ACLs from a series of order-dependent actions to a set of order-independent masks and patterns. The resulting ACL is generally large, and processor and memory intensive - Order depedent - ACLs in TCAM retain their order-dependent aspects. The computation is much faster and less processor-intensive.
|
|
|
Term
What are the different types of VACL actions supported by Catalyst 6500 switches?
|
|
Definition
- Forward (Permit) - Forwards the frame as normal. Furthermore, the permit action with the capture option is essentially a switch port analyzer option. - Drop (Deny) - When a flow matches a drop (deny) ACL entry, it will be checked agaist the next ACL in the same sequence or next sequence. If the flow does not match an ACL entry, the packet is denied. -Redirect - The VACL redirect action is ureful for redirecting specific traffic for monitoring, security, or switching purposes. |
|
|
Term
What command creates and sequences a VLAN access map?
|
|
Definition
| vlan access-map map-name [seq#] |
|
|
Term
What command attaches a VLAN access map to a VLAN?
|
|
Definition
| vlan filter map-name vlan-list list |
|
|
Term
What command specifies the maximum number of allowed MAC addresses for an interface?
|
|
Definition
| switchport port-security maximum <number> |
|
|
Term
What command specifies the violation action for the interface port security?
|
|
Definition
switchport port-security violation {restrict | shutdown}
|
|
|
Term
What command configures the virtual terminal for allowable protocols?
|
|
Definition
|
|
Term
What command configures or modifies a VLAN map entry for a VLAN packet filter?
|
|
Definition
| vlan access-map name [number] |
|
|
Term
What command assigns a VLAN access-map to a VLAN or a range of VLANs?
|
|
Definition
| vlan filter mapname vlan-list list |
|
|
