Where are port ACLs (PACL) applied?

PACLs are applied to a L2 switch port, trunk port, or EtherChannel port. The PACL feature is available only on IOS-based Catalyst switches. The PACLs apply to all traffic on the port, including all VLANs on a trunk port.

What does a FWSM use as interfaces since there are no physical interfaces on the module?

A FWSM uses internal VLAN interfaces. You assign these VLANs to the FWSM to the physical switch ports, and hosts connect to those ports.

What are a few of the features provided by DHCP Snooping?

It includes the capability to trust a port as a DHCP server and prevent unauthorized DHCP server responses from untrusted access ports. Another feature is per-port DHCP message rate limiting, which is configuable in pps and is used to prevent DoS attacks.

What kind of information is stored on a switch when using DHCP snooping?

DHCP snooping builds a DHCP binding table that contains the client IP addresses, MAC addresses, ports, VLAN numbers, leases, and binding types. The Supervisor Engine adds the ingress module, port, VLAN, and switch MAC address to the packet before forwarding the request to the DHCP server.

What command enables DHCP snooping on a particular VLAN?

What command enables rate limited DHCP snooping on a particular interface?

What command displays the DHCP snooping setting on a switch?

Describe the general concept of the IP Source Guard  (IPSG) feature.

IPSG derives the valid source port information with the help of the DHCP snooping binding table or static source binding. With IPSG configured, on link up, the only packets allowed are the DHCP packets. Once the DHCP server assigns the IP address, the DHCP snooping binding is updated. IPSG then automatically installs a per-port VLAN ACL (PVACL) for the interface. Any IP traffic form the host port with a source IP address other than that in the IP source binding will be filtered out.

What are the 2 different levels of IP traffic security filtering provided by IPSG?

- Source IP address filter - IP traffic is filtered based on its source IP address. Only IP traffic with the IP address that matches the IP source binding entry is permitted.

 

- Source IP and MAC address filter - IP traffic is filtered based on its source IP address as well as its MAC address. Only IP traffic with source IP and MAC addresses matchingthe IP source binding entry are permitted 

What is the default setting on a port when using IPSG?

By default, if the IP filter is enabled without any IP source binding on the port, the default PVACL that denies all IP traffic is installed on the port. Similarly, when the IP filter is disabled, any IP source filter PVACL will be removed from the interface.

What interface-level command enables IPSG with source MAC and IP filtering?

What command configures a static IP source binding on a Catalyst switch?

What does the dynamic ARP inspection feature use to verify that a source MAC address is originating from the correct port?

The switch is able to determine the correct port by manual configuration or dynamically using the DHCP snooping binding table. In addtion, the violator port is err-disabled.

What command allows you to apply ARP throttling on an interface?

What command specifies one or more AAA methods for use on interfaces running IEEE 802.1X?

What command configures a switch's AAA authentication list?

What command initiates configuration of RSA keys for SSH access?

What command configures an interface for authorization state of 802.1X?

What command enables 802.1X globally on a switch?

What command applies the AAA authentication list to a line or set of lines?

What command enables DAI trust for an interface?

What command enables DAI for a speicific VLAN?

What command enables DHCP snooping?

What command enables/disables DHCP snooping trust for the interface?

What command enables DHCP snooping for a specific VLAN?

What command enables IPSG for a specified interface ans uses DHCP snooping information?

What command configures MAC address filtering for the specified MAC address in the specified VLAN?

What command enables/disables DHCP option 82 tagging by a switch?

What command displays configuration and statistics for DAI?

What command displays DHCP snooping configuration and statistics?

What command displays DHCP snooping bindings?

What command displays the IP Source Guard bindings?

What command displays the IPSG status for the configured interfaces?

What command configures unicast or multicast flooding blocking feature?

What command specifies the port security aging options?