CH 6 & 7 Flashcards
Feature where, if BPDUs show up where they should not, the switch protects itself.
BPDU Guard
Controls which ports are not allowed to become root ports to remote root switches
root guard
Limits the number of MAC addresses to be learned on an access switch port
port security
Prevents rogue DHCP servers from impacting the network.
DHCP snooping
Prevents spoofing of Layer 2 information by hosts.
dynamic arp inspection
Prevents spoofing of Layer 3 information by hosts
IP Source Guard
You can authenticate users before allowing their data frames into the network
802.1x
Limits the amount of broadcast or multicast traffic flowing through the switch
storm control
Used for traffic control and to enforce policy
ACLs
A security feature that acts like a firewall between untrusted hosts and trusted DHCP servers
DHCP snooping
Intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings
DAI (dynamic arp inspection)
Breaking the infrastructure down into smaller components and then systematically focusing on how to secure each of those components
Network Foundation Protection (NFP)
What two features can be used to protect the control plane?
CoPP and CPPr
Uses UDP port 123, and it allows network devices to synchronize their time
NTP
This feature maintains a secure working copy of the router IOS image and the startup configuration files at all times. Once the feature is enabled, the administrator cannot disable it remotely (but can if connected directly on the console)
Secure Bootset
IPv6 link local addresses begin with what?
FE80
How many bits are in an IPv6 address?
128
What characters are added to the 48-bit MAC address to arrive at a 64-bit host ID in a link-local IPv6 address?
FFFE
::1 is what type of IPv6 address?
Link local (same as 127.0.0.1 in IPv4)
The IPv6 multicast group that all IPv6 devices join is?
FF02::1
In addition to the multicast group address of FF02::1 that is joined by all devices configured for IPv6, routers that have had routing enabled for IPv6 also join which multicast group?
FF02::2
Global IPv6 unicast addresses have the first four characters in the range of?
2000 - 3FFF
What are the two types of process-switched traffic?
Receive adjacency traffic, data plane traffic requiring special processing by the CPU
List the types of data plane traffic that require special processing by the CPU
ACLs, URPF, IP options, Fragmentations, TTL expired, ICMP unreachable, Traffic requiring ARP request, Non-IP Traffic
When creating an ACL for use with a CoPP policy, what does a deny rule in the ACL do?
Packets that match a deny rule are excluded from that class and cascade to the next class (if one exists) for classification.
CPPr can restrict traffic with finer granularity by dividing the aggregate control plane into three separate control plane categories known as sub-interfaces. What are the three sub-interfaces?
■ Host sub-interface
■ Transit sub-interface
■ CEF-Exception sub-interface
List some shortcomings of legacy IPS.
■ They often need to be operated in conjunction with other products or tools (firewalls, analytics, and correlation tools).
■ They are sometimes not very effective and may be ignored.
■ Their operation costs and the operating resources they need are high.
■ They can leave infrastructures imperfectly covered against attackers.
List some of the newer capabilities of NGIPS.
Application awareness and control, content awareness, contextual awareness, host and user awareness, automated tuning and recommendations, impact and vulnerability assessment of the events taking place
Originally created by Sourcefire, this is an open source IPS tool that is widely used in the industry
Snort
A collection of one or more inline, passive, switched, or routed interfaces (or ASA interfaces) that you can use to manage and classify traffic in different policies.
security zone
A solution that allows you to manage your firewalls from the cloud. You can write a policy once and enforce it consistently across multiple Cisco ASA and Cisco FTD devices
Cisco Defense Orchestrator (CDO)
A stateful firewall used in Cisco IOS devices
Zone Based Firewall (ZBFW)
What type of firewall can also be implemented in an SD-WAN solution?
ZBFW
What type of traffic can transparent firewalls inspect that routed firewalls can't?
Traffic on the same LAN segment
Cisco ASA acts as a secured bridge that switches traffic from one interface to another.
single mode transparent firewall
In a multimode transparent firewall (MMTF), Cisco ASA acts in a similar fashion to how it performs in single mode, with two major exceptions:
1) An interface can't be shared between two contexts in this mode
2) You must configure an IP address on the bridge virtual interface (BVI) in each context for administration and management purposes
For failover configuration, which device can't do active/active: ASA or FTD?
FTD
Which models of FTD can be configured as a cluster?
9300 and 4100
When you deploy a cluster, the FTD devices create a cluster control link. By default, what port-channel number is assigned?
port-channel 48
FTD 9300s are capable of intra-chassis clustering, which utilizes the backplane for cluster communications. When deploying inter-chassis clustering, what is required for cluster communication?
Physical interfaces in an EtherChannel configuration.
How should the cluster control link be sized?
The cluster control link should be sized to match the throughput of each cluster participant because both data and control traffic are forwarded over the cluster control link.
An ACL is a collection of security rules or policies that allows or denies packets after looking at the packet headers and other attributes. Each permit or deny statement in the ACL is referred to as an?
Access Control Entry (ACE)
List the five tuples of an ACL.
Source port
Source Address
Destination port
Destination Address
Protocol
The Cisco ASA supports four different types of ACLs to provide a flexible and scalable solution to filter unauthorized packets into the network. What are they?
Standard
Extended
Ether-type
Web-type
Standard ACLs are used to identify packets based on their destination IP addresses. These ACLs can be used in which scenarios?
Split-tunnel ACL
Route redistribution in route-maps
An EtherType ACL can be configured only if?
ASA is in transparent mode
A Webtype ACL allows Cisco ASA administrators to restrict traffic coming through?
SSL VPN Tunnels
What can be added to the end of an access-group command to specify an ACL as a management access rule?
control-plane
True or False: Management-specific protocols provide their own control-plane protection and have higher precedence than a to-the-box traffic-filtering ACL.
True
If you deploy interface ACLs to block all ICMP traffic, the security appliance, by default, does not restrict the ICMP traffic that is destined to its own interface. How can you filter ICMP traffic to the ASA's interfaces?
ICMP policy or control-plane ACLs
Cisco ASA supports which 4 methods for translating an address?
■ Static NAT/PAT
■ Dynamic NAT/PAT
■ Policy NAT/PAT
■ Identity NAT
Examines decoded packets for attacks based on patterns and can block or alter malicious traffic
intrusion policy
Attempts to make the streams of packets as much as possible like the reassembled packets that will be seen by the endpoints receiving them
preprocessor
List a few examples of preprocessors that FTD has.
DNS, HTTP, SIP, FTP & Telnet, SSH, SMTP, POP & IMAP, Network preprocessors, Threat preprocessors
Provides next-generation security services that go beyond point-in-time detection. It provides continuous analysis and tracking of files and also retrospective security alerts so that a security administrator can take action during and after an attack
Cisco AMP for Networks