CCNP switch slides 7 Flashcards

1
Q

source

A

http://quizlet.com/3373218/ccnp-switch-deck-7-flash-cards/

2
Q

On what basis is port security turned on?

A

Port basis

3
Q

What is the configurable range of remembered MAC addresses?

A

1-1024

4
Q

How do sticky mac addresses work?

A

When port security is turned on, by default, mac addresses are sticky and no aging occurs

5
Q

What does port-security shutdown do?

A

Puts port into errdisable state. Must be manually re-enabled or errdisable recovered

6
Q

What does port-security restrict do?

A

Port stays up, but packets from violating MACs are dropped. Switch logs violating packets

7
Q

What does port-security protect do?

A

Port stays up, packets from violating MACs dropped, no logging

8
Q

What must be supported for port-based security to occur?

A

802.1x with EAP over LAN (EAPOL)

9
Q

At what layer does EAPOL run?

A

L2

10
Q

How is 802.1x configured for port security?

A

RADIUS

11
Q

What are the 6 steps to configure 802.1x for port security?

A

1-enable AAA on switch, 2-define RADIUS servers, 3-define authentication method, 4-enable 802.1x on switch, 5-conf. 802.1x ports, 6-allow hosts

12
Q

What is 802.1x force-authorized?

A

the port is forced to always authorize any connected client with no authentication necessary (default)

13
Q

What is 802.1x force-unauthorized?

A

port is forced to never authorize any connected client

14
Q

What is 802.1x auto?

A

The port uses the 802.1x exchange to move from unauthorized to authorized. Requires an application on the client

15
Q

What scope is 802.1x enabled?

A

globally

16
Q

What categories can ports be in with dhcp snooping enabled?

A

trusted or untrusted

17
Q

What is an untrusted port under dhcp snooping?

A

any dhcp reply coming from an untrusted port is discarded and the offending port is put in errdisable

18
Q

What data does DHCP snooping track?

A

completed dhcp bindings, mac addresses, IP addresses, etc.

19
Q

How is DHCP snooping enabled (scope)?

A

globally

20
Q

When DHCP snooping is turned on, by default, it considers all ports ______

A

untrusted

21
Q

How does adding option-82 to DHCP snooping affect things?

A

The switch adds its MAC to the option 82 field so that the DHCP reply echoes back the switch’s own information

22
Q

what is dhcp snooping rate limiting?

A

Limits the number of DHCP requests on a port

23
Q

What are spoofed addresses?

A

They disguise the origin of an attack

24
Q

What does IP source guard do?

A

makes use of the DHCP snooping database and static IP source binding entries. If enabled, the switch will test addresses

25
Q

What 2 conditions does IP source guard check for?

A

source IP and MAC must match those addresses learned by DHCP snooping or a static entry

26
Q

What is step 1 of enabling IP source guard?

A

configure and enable DHCP snooping

27
Q

If you want IP source guard to detect spoofed MAC addresses, what must you do?

A

turn on port security

28
Q

How do you configure IP source guard for hosts that don’t use DHCP?

A

by creating a static IP binding

29
Q

What is DAI?

A

Dynamic arp inspection

30
Q

How does DAI work?

A

all ARP packets that arrive on untrusted ports are inspected.

31
Q

What happens when an ARP reply is received on an untrusted port?

A

The switch checks the MAC and IP reported in the reply against trusted values. If they don’t match, it is dropped and logged

32
Q

How does a DAI enabled switch gather trusted ARP info?

A

from the DHCP snooping database or from static entries

33
Q

On what scope is DAI enabled?

A

per VLAN

34
Q

Which ports should you consider trusted for DAI?

A

those that connect to other switches

35
Q

How do you configure DAI for statically configured IP addresses?

A

by an ARP access list that defines the permitted bindings

36
Q

what does the static keyword do when applying an arp ACL?

A

prevents the dhcp binding DB from being checked.

37
Q

Can ARP replies be checked?

A

yes

38
Q

what does the src-mac option do when checking ARP replies?

A

checks the source MAC in the header against the sender MAC in the ARP reply

39
Q

what does the dst-mac option do when checking ARP replies?

A

checks the destination MAC in the header against the target MAC in the ARP reply

40
Q

what does the ip option do when checking ARP replies?

A

checks the sender's IP in all ARP requests and checks the sender's IP against the target IP in all replies

41
Q

what does the switchport host macro do?

A

sets the switchport mode to access, enables portfast, and turns off channel grouping for the port

42
Q

When should CDP be enabled?

A

only for trusted Cisco gear, especially phones

43
Q

How are VACLs configured?

A

as a VLAN access map

44
Q

How are VACLs applied?

A

to a VLAN and not to a VLAN interface (SVI)

45
Q

what is a PVLAN?

A

a private VLAN can be logically associated with a special secondary vlan

46
Q

what is a secondary VLAN?

A

hosts associated with a secondary VLAN can communicate with ports on the primary but not with another secondary VLAN

47
Q

what are the 2 types of secondary VLAN?

A

isolated and community

48
Q

what is an isolated secondary VLAN?

A

any ports associated with an isolated VLAN can reach the primary, but not any other secondary. Hosts within an isolated VLAN can't reach each other

49
Q

What is a community secondary VLAN?

A

hosts within a secondary can communicate with each other and with the primary, but not with another secondary vlan

50
Q

Does VTP pass private VLAN configuration?

A

no

51
Q

Of what significance are private VLANs?

A

local only

52
Q

What are the two private vlan association modes?

A

promiscuous and host

53
Q

What is the PVLAN promiscuous mode?

A

connects to a router, firewall, or gateway. Can communicate with anything else connected to the primary or any secondary. Ignores pvlan config

54
Q

What is the PVLAN host mode?

A

connects to a host on an isolated or community vlan. Communicates only with promiscuous port or ports on same community vlan

55
Q

How do you prevent switch spoofing?

A

by configuring every switch port to have an expected and controlled behavior

56
Q

How do you prevent VLAN hopping?

A

set the native VLAN of a trunk to a bogus or unused VLAN ID then prune the native VLAN off both ends of the trunk