CCNP switch slides 18 Flashcards

1
Q

source

A

http://www.coursehero.com/flashcards/430748/CCNP-SWITCH-642-813-Campus-Network-Security/

2
Q

What is VLAN Hopping? How do you fight it?

A

When a malicious user double-tags a frame with two VLAN IDs to get his traffic onto another VLAN. Fight it by setting the native VLAN of the trunk to a bogus, or unused, VLAN and pruning the actual network native VLAN off both ends of the trunk, OR you can force the trunk to tag the native VLAN.

3
Q

Are private VLANs globally or locally significant?

A

Locally Significant, as VTP doesn’t transmit any private VLAN information.

4
Q

What is switch spoofing? How do you fight it?

A

Where a malicious user exploits the autonegotiating nature of DTP to negotiate a trunk port with a switch. Fight it by assigning every port a static mode (switchport mode access/trunk) so DTP negotiation is not used.

5
Q

What is a primary VLAN? What is a secondary VLAN?

A

- Primary VLANs are logically assigned to normal VLANs.
- Secondary VLANs can communicate with primary VLANs, but not with another secondary VLAN.

6
Q

What type of attack is IP Source Guard designed to protect against?

A

IP Spoofing.

7
Q

All secondary VLANs must be associated with one _____?

A

Primary VLAN.

8
Q

Access lists that can filter within a VLAN are known as what?

A

VLAN Access Lists (VACL)

9
Q

Can port security be enabled globally?

A

No, it is enabled on a per-port basis.

10
Q

What ports should be trusted in Dynamic ARP Inspection?

A

Ports connected to other switches.

11
Q

How does DHCP snooping work on Cisco devices? What is the default behavior?

A

Ports can be trusted or untrusted. DHCP replies from untrusted ports will be discarded, and that port will be placed in the errdisabled state. Default behavior is that all ports are UNtrusted.

12
Q

How does IP source guard work?

A

It checks the DHCP snooping table to build a custom ACL for the port to filter rogue IPs, and it uses port security to filter out rogue MACs from those IPs.

13
Q

What two features must be enabled to get the most out of IP Source Guard?

A

DHCP snooping and port security.

14
Q

What type of server is needed for Port-Based Authentication?

A

A RADIUS server.

15
Q

What is 802.1x used for?

A

Port-based authentication.

16
Q

What are the three types of violations on port-security?

A

- Shutdown: puts the port into the errdisabled state.
- Restrict: port stays up, but traffic from the violating MAC addresses is dropped and a record is kept (counters, SNMP traps, syslog, etc.).
- Protect: port stays up, violating MACs are dropped, but no record is kept.

17
Q

Explain DHCP snooping.

A

A rogue DHCP server exists on a subnet, and replies to all requests with its own addresses. This is a basic man-in-the-middle attack.

18
Q

In regard to port security, what are ‘Sticky MAC addresses’?

A

MACs that are learned dynamically from incoming traffic on the port.

19
Q

What command enables an access map for a VACL?

A

‘vlan access-map NAME’

20
Q

What command enables IP source guard on an interface?

A

‘ip verify source [port-security]’

21
Q

How does Dynamic ARP Inspection work?

A

Ports are either trusted or UNtrusted (the default!). When ARP replies are received on UNtrusted ports, the switch compares the reply information either to its static entries or to the DHCP snooping database. If ARP replies are invalid they are dropped and a log entry is made.

22
Q

What is the command to enable Dynamic ARP Inspection Validation, and what are the three options for it?

A

(config) ‘ip arp inspection validate’
- src-mac: checks the source MAC in the Ethernet header against the sender MAC in the ARP reply.
- dst-mac: checks the destination MAC in the Ethernet header against the target MAC in the ARP reply.
- ip: checks the sender’s IP address against the target IP in all ARP replies.

23
Q

Where on a switch is Dynamic ARP Inspection enabled?

A

On a per-VLAN basis.

24
Q

What is the command to enable 802.1x port-based security on a switchport, and what are the three states it can be configured for?

A

‘dot1x port-control’
- force-authorized: connects any client without authentication (the default!).
- force-unauthorized: never authorizes anyone, effectively disabling the port.
- auto: authorizes upon successful authentication, and requires client software.

25
Q

What are the two modes that physical switchports can be configured as for Private VLANs?

A

- Promiscuous: can communicate with primary or secondary VLANs (this should be on primary ports).
- Host: communicates only with promiscuous ports, or ports on the same community VLAN.

26
Q

What type of attack is Dynamic ARP Inspection designed to mitigate?

A

ARP Poisoning or ARP spoofing.

27
Q

By default, will Sticky MACs time-out of the MAC address table for port security?

A

Nope… by default no aging occurs.

28
Q

What are the two types of secondary VLANs?

A

- Isolated: can only communicate with the primary VLAN.
- Community: can communicate with the primary VLAN, and with others in the same secondary VLAN.

29
Q

What command applies a VACL to a VLAN?

A

(global) ‘vlan filter NAME vlan-list LIST’

30
Q

How can you flush the port-security table?

A

‘clear port-security dynamic’

31
Q

How do VACLs differ from ACLs?

A

VACLs can permit, deny, or redirect, and they are configured in a ‘route map’ fashion. They also do not get applied ‘in’ or ‘out’; they just ‘are’.