CCNA 5.0 - Security Fundamentals Flashcards
True or false: TACACS+ is Cisco-proprietary.
True
What port/protocol does TACACS+ use?
TCP 49
What port/protocol does RADIUS use?
UDP 1812 and 1813
What global command hides passwords in the config?
service password-encryption
If neither an enable password nor an enable secret is configured, what will console users experience?
They’ll be able to go straight from user exec to privileged exec without having to put in a password.
If neither an enable password nor an enable secret is configured, what will telnet/SSH users experience?
Their session requests will be rejected.
What is the default hashing method on a Cisco device?
Message Digest 5 (MD5)
What does the 7 indicate in “enable secret 7…”?
The password has been encrypted, not hashed, and can be retrieved with special tools. (Vigenère cipher)
What does the 8 indicate in “enable secret 8…”?
SHA-256 was used to hash the password
What does the 9 indicate in “enable secret 9…”?
The password was hashed with Scrypt
What global command allows you to choose the hashing method for enable secret?
enable algorithm-type (type) secret (password)
Port security can handle a maximum of how many MAC addresses?
132
What are the three port security violation modes?
Protect, Restrict, Shutdown
In port security, what does Protect mode do?
Drops all traffic that doesn’t match the security configuration.
In port security, what does Restrict mode do?
Drops all traffic that doesn’t match the security configuration, and sends log/SNMP messages.
In port security, what does Shutdown mode do?
Drops all traffic, sends log/SNMP, and err-disables the port.
Which is the default port security violation mode?
Shutdown
If one or more ports are shut down due to port security, what global config command can be used to automatically recover?
errdisable recovery
True or false: port security Protect mode will increment the violation counter even though the port remains up.
False - the violation counter will not increment in Protect mode; the port will simply drop offending traffic.
What two global commands are required to enable DHCP Snooping?
1) ip dhcp snooping
2) ip dhcp snooping vlan (number)
If a switch is not configured as a DHCP relay agent, what command is also necessary?
no ip dhcp snooping information option
What interface command should be used if a DoS attack against DHCP snooping is suspected?
ip dhcp snooping limit rate (seconds)
What global commands are used in conjunction with DHCP snooping limit rate commands?
1) errdisable recovery cause dhcp-rate-limit
2) errdisable recovery interval (seconds)
True or false: when DHCP snooping is enabled globally, all ports are considered untrusted.
True - interfaces must be manually configured to be trusted
Which happens first, DHCP or ARP?
DHCP
Dynamic ARP Inspection relies on what other security technology running on a switch?
DHCP Snooping
Do DHCP Snooping and DAI work in the interface ASIC or the switch CPU?
The switch CPU, making both features a vulnerability
What global command configures DAI on a VLAN?
ip arp inspection vlan (number)
What interface command configures a trusted DAI port?
ip arp inspection trust
What is the difference between IPsec tunnel mode and transport mode?
Tunnel mode is used for site-to-site encryption, in which the entire IP packet including header is encrypted then encapsulated.
Transport mode is for user-level remote access, and only the data is encrypted. The original IP header is used.