CCNP switch slides 7 Flashcards
source
http://quizlet.com/3373218/ccnp-switch-deck-7-flash-cards/
On what basis is port security turned on?
Port basis
What is the configurable range of remembered MAC addresses?
1-1024
How do sticky mac addresses work?
When port security is turned on, by default, mac addresses are sticky and no aging occurs
What does port-security shutdown do?
Puts port into errdisable state. Must be manually re-enabled or errdisable recovered
What does port-security restrict do?
Port stays up, but packets from violating MACs are dropped. Switch logs violating packets
What does port-security protect do?
Port stays up, packets from violating MACs dropped, no logging
What must be supported for port-based security to occur?
802.1x with EAP over LAN (EAPOL)
At what layer does EAPOL run?
L2
How is 802.1x configured for port security?
RADIUS
What are the 6 steps to configure 802.1x for port security?
1-enable AAA on switch, 2-define RADIUS servers, 3-define authentication method, 4-enable 802.1x on switch, 5-conf. 802.1x ports, 6-allow hosts
What is 802.1x force-authorized?
the port is forced to always authorize any connected client with no authentication necessary (default)
What is 802.1x force-unauthorized?
port is forced to never authorize any connected client
What is 802.1x auto?
The port uses 802.1x exchange to move from unauthorized to authorized. Requires app on client
What scope is 802.1x enabled?
globally
What categories can ports be in with dhcp snooping enabled?
trusted or untrusted
What is an untrusted port under dhcp snooping?
any dhcp reply coming from an untrusted port is discarded and the offending port is put in errdisable
What data does DHCP snooping track?
completed dhcp bindings, mac addresses, IP addresses, etc.
How is DHCP snooping enabled (scope)?
globally
When DHCP snooping is turned on, by default, it considers all ports ______
untrusted
How does adding option-82 to DHCP snooping affect things?
The switch adds its MAC to the option 82 field so that the DHCP reply echoes back the switch’s own information
what is dhcp snooping rate limiting?
Limits the number of DHCP requests on a port
What are spoofed addresses?
They disguise the origin of an attack
What does IP source guard do?
makes use of the DHCP snooping database and static ip source binding entries. If enabled, switch will test addresses
What 2 conditions does IP source guard check for?
source IP and MAC must match those addresses learned by DHCP snooping or a static entry
What is step 1 of enabling IP source guard?
configure and enable DHCP snooping
If you want IP source guard to detect spoofed MAC addresses, what must you do?
turn on port security
How do you configure IP source guard for hosts that don’t use DHCP?
by creating a static IP binding
What is DAI?
Dynamic arp inspection
How does DAI work?
all ARP packets that arrive on untrusted ports are inspected.
What happens when an ARP reply is received on an untrusted port?
The switch checks the MAC and IP reported in the reply against trusted values. If they don’t match, it is dropped and logged
How does a DAI enabled switch gather trusted ARP info?
from the DHCP snooping database or from static entries
On what scope is DAI enabled?
per VLAN
Which ports should you consider trusted for DAI?
those that connect to other switches
How do you configure DAI for statically configured IP addresses?
by an ARP access list that defines the permitted bindings
what does the static keyword do when applying an arp ACL?
prevents the dhcp binding DB from being checked.
Can ARP replies be checked?
yes
what does the src-mac option do when checking ARP replies
checks the source MAC in the header against the sender MAC in the ARP reply
what does the dst-mac option do when checking ARP replies
checks the destination MAC in the header against the target MAC in the ARP reply
what does the ip option do when checking ARP replies
checks the sender’s ip in all arp requests and checks the sender’s IP against target IP in all replies
what does the switchport host macro do?
sets the switchport mode to access, enables portfast, and turns off channel grouping for the port
When should CDP be enabled?
only for trusted Cisco gear, especially phones
How are VACLs configured?
as a VLAN access map
How are VACLs applied?
to a VLAN and not to a VLAN interface (SVI)
what is a PVLAN?
a private VLAN can be logically associated with a special secondary vlan
what is a secondary VLAN?
hosts associated with a secondary VLAN can communicate with ports on the primary but not with another secondary VLAN
what are the 2 types of secondary VLAN?
isolated and community
what is an isolated secondary VLAN?
any ports associated with an isolated vlan can reach the primary, but not any other secondary. Hosts within an isolated vlan can’t reach each other
What is a community secondary VLAN?
hosts within a secondary can communicate with each other and with the primary, but not with another secondary vlan
Does VTP pass private VLAN configuration?
no
Of what significance are private VLANs?
local only
What are the two private vlan association modes?
promiscuous and host
What is the PVLAN promiscuous mode?
connects to a router, firewall, or gateway. Can communicate with anything else connected to the primary or any secondary. Ignores pvlan config
What is the PVLAN host mode?
connects to a host on an isolated or community vlan. Communicates only with promiscuous port or ports on same community vlan
How do you prevent switch spoofing?
by configuring every switch port to have an expected and controlled behavior
How do you prevent VLAN hopping?
set the native VLAN of a trunk to a bogus or unused VLAN ID then prune the native VLAN off both ends of the trunk