11.1_Implement Port Security Flashcards
___ are considered to be the weakest link in a company’s security infrastructure.
Layer 2 devices
A simple method that many administrators use to help secure the network from unauthorized access is to _____
disable all unused ports on a switch
to disable a port
shutdown
to enable a port
no shutdown
to configure a range of ports
interface range TYPE MODULE/FIRST-NUMBER - LAST-NUMBER
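The three commands above combined into one session, added here as an example (it is not from the original flashcards). The hostname S1, a 24-port access switch, and the assumption that FastEthernet0/5 through 0/24 are the unused ports are illustrative:

```cisco
! Assumed: S1 is a 24-port access switch and Fa0/5-24 have nothing connected.
! Hostname and port numbers are illustrative.
S1# configure terminal
S1(config)# interface range FastEthernet0/5 - 24
S1(config-if-range)# description UNUSED - administratively disabled
S1(config-if-range)# shutdown
S1(config-if-range)# end
! Check: administratively shut ports show "disabled" in the Status column
S1# show interfaces status | include disabled
! When a device is later installed on Fa0/5, bring only that port back up
S1# configure terminal
S1(config)# interface FastEthernet0/5
S1(config-if)# no shutdown
S1(config-if)# end
```

The description line is not required, but it records why the port is down so the next administrator does not simply re-enable it.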
The simplest and most effective method to prevent MAC address table overflow attacks is to enable ___.
port security
When a port configured with port security receives a frame, the source MAC address of the frame is compared to the list of secure source MAC addresses that were manually configured or dynamically learned on the port.
Port security limits the number of ___ allowed on a port.
valid MAC addresses
To set the maximum number of MAC addresses allowed on a port, use the command __
switchport port-security maximum VALUE
The default port security value is___
1
TRUE OR FALSE
The maximum number of secure MAC addresses that can be configured is fixed.
FALSE
It depends on the switch model and the IOS version.
3 WAYS FOR MAC LEARNING
1. ____
The administrator manually configures one or more static MAC addresses, entering the following command once for each secure MAC address on the port:____
Manually Configured
switchport port-security mac-address MAC-ADDRESS
3 WAYS FOR MAC LEARNING
2. ____
When the ___ command is entered, the current source MAC for the device connected to the port is automatically secured but is not added to the startup configuration. If the switch is rebooted, the port will have to re-learn the device’s MAC address.
Dynamically Learned
switchport port-security
3 WAYS FOR MAC LEARNING
3. ____
The administrator can enable the switch to dynamically learn MAC addresses and “stick” them to the running configuration by using the following command:____
Dynamically Learned – Sticky
switchport port-security mac-address sticky
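Enabling port security, setting the maximum, and all three learning methods as they are typed on one switch, added here as an example (not from the original flashcards). The hostname S1, the port numbers and the MAC address 0050.56be.1234 are assumed. One caveat worth knowing before the first command: port security can only be enabled on a port in static access (or trunk) mode, so `switchport mode access` comes first; on a port left in the default dynamic (DTP) mode the `switchport port-security` command is rejected.

```cisco
! Assumed: S1 is the switch; Fa0/1 connects a printer with a known MAC,
! Fa0/2 a user PC, Fa0/3 a shared desk. Addresses and ports are illustrative.
S1# configure terminal
! 1. Manually configured: the printer's MAC is typed in by hand (max stays at 1)
S1(config)# interface FastEthernet0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security mac-address 0050.56be.1234
S1(config-if)# exit
! 2. Dynamically learned: the first source MAC seen is secured in the MAC
!    table only; it is lost on reload and re-learned from whatever is plugged in
S1(config)# interface FastEthernet0/3
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# exit
! 3. Dynamically learned - sticky: allow two devices and copy each learned
!    address into the running-config as a "mac-address sticky <mac>" line
S1(config)# interface FastEthernet0/2
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security maximum 2
S1(config-if)# switchport port-security mac-address sticky
S1(config-if)# switchport port-security
S1(config-if)# end
! Check which addresses are secured, their type (SecureConfigured,
! SecureDynamic, SecureSticky), VLAN and port
S1# show port-security address
! Per-port detail: maximum, configured/sticky counts, violation mode, status
S1# show port-security interface FastEthernet0/2
```

The `maximum` value must be set before the port has learned more addresses than the new limit allows; lowering it below the number of addresses already secured is rejected until some are removed.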
The output of the ___ command lists the secure MAC addresses on each port (in the course example, the two addresses learned on the port) together with their type, VLAN and port.
show port-security address
____ can be used to set the aging time for static and dynamic secure addresses on a port.
Port security aging
Two types of aging are supported per port:
____: The secure addresses on the port are deleted after the specified aging time.
Absolute
Two types of aging are supported per port:
__: The secure addresses on the port are deleted only if they are inactive for the specified aging time.
Inactivity
Use ___ to have stale secure MAC addresses removed from a secure port automatically, without manually deleting the existing secure MAC addresses.
aging
Use the ____ command to enable or disable static aging for the secure port, or to set the aging time or type.
switchport port-security aging
PARAMETERS FOR switchport port-security aging { static | time time | type {absolute | inactivity}}
Enable aging for statically configured secure addresses on this port.
static
PARAMETERS FOR switchport port-security aging { static | time time | type {absolute | inactivity}}
Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.
time TIME
PARAMETERS FOR switchport port-security aging { static | time time | type {absolute | inactivity}}
Set the absolute aging time. All the secure addresses on this port age out exactly after the time (in minutes) specified and are removed from the secure address list.
type absolute
PARAMETERS FOR switchport port-security aging { static | time time | type {absolute | inactivity}}
Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.
type inactivity
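The aging parameters applied to a realistic port, added here as an example (not from the original flashcards). A hot-desk port FastEthernet0/4 on switch S1 is assumed: a desk phone with a known MAC (0050.56be.aaaa, constructed) stays permanently, while visitor laptops are learned dynamically and must free their slot when they leave.

```cisco
! Assumed: S1 switch, Fa0/4 hot-desk port, phone MAC 0050.56be.aaaa.
! Hostname, port, MAC and times are illustrative.
S1# configure terminal
S1(config)# interface FastEthernet0/4
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security maximum 2
! Permanent entry for the desk phone
S1(config-if)# switchport port-security mac-address 0050.56be.aaaa
S1(config-if)# switchport port-security
! Inactivity aging: a laptop that stops sending traffic is removed after
! 30 minutes, so the next visitor does not cause a violation. Because
! "switchport port-security aging static" is NOT configured, the phone's
! static entry is never aged; only the dynamically learned laptop is.
S1(config-if)# switchport port-security aging type inactivity
S1(config-if)# switchport port-security aging time 30
S1(config-if)# end
! Check: the "Aging Time" and "Aging Type" lines reflect 30 mins / Inactivity
S1# show port-security interface FastEthernet0/4
! Alternatives for the same port, for comparison:
!   switchport port-security aging type absolute  -> laptop removed 30 min
!                                                    after learning, even if
!                                                    it is still sending
!   switchport port-security aging time 0         -> aging disabled
!   switchport port-security aging static         -> phone entry ages too
```

Absolute aging on a port that carries a device you expect to stay connected causes a removal, re-learn and, under sticky, a running-config change every interval, which is why inactivity is the usual choice for dynamically learned addresses.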
If the MAC address of a device attached to the port differs from the list of secure addresses, then a port violation occurs. By default, the port enters the ____ state.
error-disabled
To set the port security violation mode, use the following command:
switchport port-security violation { protect | restrict | shutdown}
Security Violation Mode Descriptions
switchport port-security violation { protect | restrict | shutdown}
The port transitions to the error-disabled state immediately, turns off the port LED, and sends a syslog message. It increments the violation counter. When a secure port is in the error-disabled state, an administrator must re-enable it by entering the shutdown and then the no shutdown interface commands.
shutdown
Security Violation Mode Descriptions
switchport port-security violation { protect | restrict | shutdown}
The port drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the maximum value. This mode causes the Security Violation counter to increment and generates a syslog message.
restrict
Security Violation Mode Descriptions
switchport port-security violation { protect | restrict | shutdown}
This is the least secure of the security violation modes. The port drops packets with unknown MAC source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the maximum value. No syslog message is sent.
protect
Security Violation Mode Comparison
Violation Mode| Discards Offending Traffic| Sends Syslog Message| Increase Violation Counter| Shuts Down Port
YES-NO-NO-NO
Protect
Security Violation Mode Comparison
Violation Mode| Discards Offending Traffic| Sends Syslog Message| Increase Violation Counter| Shuts Down Port
YES-YES-YES-NO
restrict
Security Violation Mode Comparison
Violation Mode| Discards Offending Traffic| Sends Syslog Message| Increase Violation Counter| Shuts Down Port
YES-YES-YES-YES
shutdown
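Setting a violation mode and recovering a port that the default shutdown mode has error-disabled, added here as an example (not from the original flashcards). Switch S1 and ports FastEthernet0/2 and FastEthernet0/3 are assumed. The automatic errdisable recovery at the end goes beyond the card, which only covers the manual shutdown / no shutdown method; both are standard IOS commands.

```cisco
! Assumed: S1 switch; Fa0/2 and Fa0/3 are user ports with port security
! already enabled. Hostname, ports and the 300-second interval are illustrative.
S1# configure terminal
! restrict: drop the offending frames, log and count them, keep the port up
S1(config)# interface FastEthernet0/2
S1(config-if)# switchport port-security violation restrict
S1(config-if)# exit
! shutdown is the default; stating it explicitly documents the intent
S1(config)# interface FastEthernet0/3
S1(config-if)# switchport port-security violation shutdown
S1(config-if)# end
! After a violation on Fa0/3 the log carries a message of the form
!   %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/3,
!   putting Fa0/3 in err-disable state
! and the port reports err-disabled:
S1# show interfaces FastEthernet0/3 status
! "Port Status : Secure-shutdown", the violation count and the last
! offending source address are shown here; record the MAC before recovering
S1# show port-security interface FastEthernet0/3
! Manual recovery (the method on the card): bounce the port
S1# configure terminal
S1(config)# interface FastEthernet0/3
S1(config-if)# shutdown
S1(config-if)# no shutdown
S1(config-if)# exit
! Optional automatic recovery: re-enable ports err-disabled by a
! port-security violation after 300 seconds. If the offending device is
! still attached the port is simply err-disabled again, so this does not
! weaken the control; it only removes the need for a manual bounce
S1(config)# errdisable recovery cause psecure-violation
S1(config)# errdisable recovery interval 300
S1(config)# end
! Check: psecure-violation is listed as Enabled with the interval
S1# show errdisable recovery
```

Choose restrict where an outage on the port is worse than an unlogged... rather, where a logged-and-counted drop is enough (a port feeding a shared printer, for instance); keep shutdown where a violation should stop traffic until someone looks at it.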
To verify that MAC addresses are “sticking” to the configuration, use the ___ command, as in the course example for FastEthernet 0/19.
show run INTERFACE (i.e. show running-config interface TYPE MODULE/NUMBER)
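The verification step together with the save that the card does not mention, added here as an example (not from the original flashcards). It assumes sticky learning was enabled on FastEthernet0/19 of switch S1 and that one host has since sent traffic; the address 0050.56be.3a21 in the comment is constructed.

```cisco
! Assumed: sticky learning enabled on Fa0/19 of S1; one host has sent traffic.
! Hostname, port and MAC are illustrative.
S1# show running-config interface FastEthernet0/19
! The learned address appears directly under the interface as a line such as
!   switchport port-security mac-address sticky 0050.56be.3a21   (constructed)
! It exists only in the running-config: a reload without saving discards it,
! and the port then re-learns and re-sticks whatever is connected at that
! moment, which may not be the host you intended.
S1# show port-security address
! Summary per port: MaxSecureAddr, CurrentAddr, SecurityViolation, SecurityAction
S1# show port-security
! Persist the sticky addresses so they survive a reload
S1# copy running-config startup-config
! Check: the sticky lines are now in the saved configuration
S1# show startup-config | include sticky
```

Save only after confirming with `show port-security address` that every sticky entry belongs to an expected device; saving immediately after enabling sticky on a port you have not inspected makes whatever was plugged in at the time the permanent allowed host.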