Term
| Can port security be enabled globally? |
|
Definition
| No, it is enabled on a per-port basis. |
|
|
Term
| In regard to port security, what are 'Sticky MAC addresses'? |
|
Definition
| MACs that are learned dynamically from incoming traffic on the port. |
|
|
Term
| By default, will Sticky MACs time-out of the MAC address table for port security? |
|
Definition
| Nope... by default no aging occurs. |
|
|
Term
| What are the three types of violations on port-security? |
|
Definition
-Shutdown, puts the port into the errdiabled state.
-Restrict, Port stays up, but traffic from the violating MAC addresses are dropped. (counters, SNMP traps, syslog, etc)
-Protect, port stays up, violating MACs are dropped, but no record is kept. |
|
|
Term
| how can you flush the port-security table? |
|
Definition
| 'clear port-security dynamic' |
|
|
Term
|
Definition
| Port based Authentication. |
|
|
Term
| What type of server is needed for Port-Based Authentication? |
|
Definition
|
|
Term
| What is the command to enable 802.1x port-based security on a switchport, and what are the three states it can be configured for? |
|
Definition
'dot1x port-control'
-Force-authorized, connects any client without authentication (the Default!)
-Force-unauthorized, Never authorizes anyone, effectively disabled the port.
-Auto, Authorizes upon successful authentication, and requires client software. |
|
|
Term
|
Definition
| A rouge DHCP server exists on a subnet, and replies to all requests with its own addresses. This is a basic man-in-the-middle attack. |
|
|
Term
| How does DHCP snooping work on Cisco devices? What is the default behavior? |
|
Definition
Ports can be trusted or untrusted. DHCP replies from untrusted ports will be discarded, and that port will be placed in the errdisabled state.
-Default behavior is that all ports are UNtrusted. |
|
|
Term
| What type of attack is IP Source Guard designed to protect against? |
|
Definition
|
|
Term
| How does IP source guard work? |
|
Definition
| It checks the DHCP Snooping table to build a custom ACL for the port to filter rouge IPs, and it uses port security to filter out rouge MACs from those IPs. |
|
|
Term
| What two features must be enabled to get the most out of IP Source Guard? |
|
Definition
| DHCP snooping and port security. |
|
|
Term
| What command enables IP source guard on an interface? |
|
Definition
| 'ip verify source [port-security]' |
|
|
Term
| What type of attack is Dynamic ARP Inspection designed to mitigate? |
|
Definition
| ARP Poisoning or ARP spoofing. |
|
|
Term
| How does Dynamic ARP Inspection work? |
|
Definition
| Ports are either trusted or UNtrusted (default!). When ARP replies are received on UNtrusted ports, it either compares the reply information to its static information or to the DHCP snooping database. If ARP replies are invalid they are dropped and a log entry is made. |
|
|
Term
| Where on a switch is Dynamic ARP Inspection enabled? |
|
Definition
|
|
Term
| What ports should be trusted in Dynamic ARP Inspection? |
|
Definition
| ports connected to other switches. |
|
|
Term
| What is the command to enable Dynamic ARP Inspection Validation, and what are the three options for it? |
|
Definition
(config)
'ip arp inspection validate'
-src-mac, Checks the source MAC in the header against the sender MAC in the ARP reply.
-dst-mac, Checks the destination MAC in the header against the target MAC in the ARP reply.
-IP, Checks the senders IP address against the target IP in all ARP replies. |
|
|
Term
| Access Lists that can filter within a VLAN are know as what? |
|
Definition
|
|
Term
| How to VACLs differ from ACLs? |
|
Definition
| VACLs can permit, deny, or redirect, and they are configured in a 'route map' fashion. They also do not get applies 'in' or 'out', they just 'are'. |
|
|
Term
| What command enables an access map for a VACL? |
|
Definition
|
|
Term
| What command applies a VACL to a VLAN? |
|
Definition
(global)
'vlan filter NAME vlan-list LIST' |
|
|
Term
What is a primary VLAN?
What is a secondary VLAN? |
|
Definition
-Primary VLANs are logically assigned to normal VLANs.
-Secondary VLANs can communicate with primary VLANs, but not with another secondary VLAN. |
|
|
Term
| What are the two types of secondary VLANs? |
|
Definition
-Isolated, can only communicate with the Primary VLAN.
-Community, Can communicate with the primary VLAN, and others in the same secondary VLAN. |
|
|
Term
| All secondary VLANs must be associated with one _____? |
|
Definition
|
|
Term
| Are private VLANs globally or locally significant? |
|
Definition
| Locally Significant, as VTP doesn't transmit any private VLAN information. |
|
|
Term
| What are the two modes that physical switchports can be configured as for Private VLANs? |
|
Definition
-Promiscuous, Can communicate with primary or secondary VLANs (this should be on primary ports).
-Host, communicates only with promiscuous ports, or ports on the same community VLAN. |
|
|
Term
| What is switch spoofing? How do you fight it? |
|
Definition
Where a malicious user exploits the autonegotiating nature of DTP to negotiate a trunk port with a switch.
-Fight it by assigning every port to a static DTP mode (switchport mode access/trunk) |
|
|
Term
| What is VLAN Hopping? How do you fight it? |
|
Definition
When a malicious user double-tags a frame with two VLAN IDs, to get his traffic onto another VLAN.
-Fight it by setting the native VLAN of the trunk to a bogus, or unused, VLAN. And pruning the Actual Network Native VLAN off both ends of the trunk. OR you can force the trunk to tag the native VLAN. |
|
|
