Chapter 35 - Implementing Switch Port Security Flashcards

1
Q

What is Port Security?

A
  • Cisco feature
  • A security feature used on switches which ensures that only predetermined devices can actually use certain switch ports for data transmission, based on their MAC address.
2
Q

What functions does Port Security perform?

A
  • Sets a limit on how many unique source MAC addresses can come in a single interface.
  • Keeps a list and counter of all source MAC addresses entering an interface.
  • Monitors newly learned MAC addresses and received frames to determine if they cause any Port Security violations.
  • Takes action to discard traffic that violates Port Security, dependent on the configured violation mode.
3
Q

How can you define what MAC addresses are allowed on an interface in port-security?

A
  • Statically define a list of MAC addresses that are allowed on an interface
  • Dynamically learning the first of a defined amount of MAC addresses and only allowing those to pass in future
  • Dynamically learning some MAC addresses and statically defining others
4
Q

What is a Sticky Secure MAC Address?

A
  • Allows dynamically learned MAC addresses to be added to the running-config of the switch. Each learned MAC address will have a line showing as ‘switchport port-security mac-address sticky <mac>’
  • They will never age out
5
Q

True or False. Port security runs on trunks and access ports.

A

True.

6
Q

True or False. Port security runs on switchports that have dynamically learnt their state via DTP.

A

False. Access or trunk has to be statically set on the interface. It also must be the Administrative Mode not the Operational Mode.

7
Q

What command do you use to enable port security on an interface? What other commands add onto this?

A
  • From interface configuration mode
  • To enable Port Security:
    ‘switchport port-security’
  • To determine the maximum number of MAC addresses allowed on an interface (default of 1):
    ‘switchport port-security maximum <number>’
  • To define how the switchport reacts to a violation (default is shutdown):
    ‘switchport port-security violation <protect/restrict/shutdown>’
  • To define an allowed source MAC on an interface (perform once for each MAC address):
    ‘switchport port-security mac-address <MAC>’
  • To tell Port Security to save current and future dynamically learned MAC addresses into the running-config:
    ‘switchport port-security mac-address sticky’
8
Q

True or False. Interfaces will still perform MAC learning when they have reached their maximum MAC address limit.

A

False, MAC addresses will not be added to the MAC address table. However, the last MAC that was allowed on the interface will still show up in ‘show switchport port-security int’.

9
Q

True or False. The switch automatically saves any MAC addresses learned by Port Security that uses sticky mode.

A

False. You will need to manually save the switch config.

10
Q

True or False. Port security can be implemented on Etherchannels.

A

True. It should be performed on the Etherchannel interface rather than the physical interfaces participating in the Etherchannel.

11
Q

What command can you use to find information on port-security? What information does it show?

A

‘show port-security interface <Interface>’

This can show:
- Port Security enabled/disabled
- The interface mode that port-security has entered it into
- The violation mode of the interface
- The maximum MAC addresses (including sticky) learned on the interface
- The last source address learned
- The number of security violations that have occurred

You can also use ‘show port-security’, which shows a brief summary of this information.

12
Q

What does the port-security violation mode do?

A
  • Defines how an interface should react when a violation occurs
13
Q

What are examples of a port-security violation?

A
  • When the number of MAC addresses entering an interface exceeds the maximum number of MAC addresses allowed to be learned on that interface, as defined by port-security
  • Where allowed MAC addresses are defined statically in port-security, any MAC address entering the interface that is not defined there will be considered a violation
14
Q

List whether port-security violation modes discard offending traffic

A
  • Protect - Yes
  • Restrict - Yes
  • Shutdown - Yes
15
Q

List whether port-security violation modes send log and SNMP messages

A
  • Protect - No
  • Restrict - Yes
  • Shutdown - Yes
16
Q

List whether port-security violation modes disable an interface by putting it in an err-disabled state

A
  • Protect - No
  • Restrict - No
  • Shutdown - Yes
17
Q

What happens to an interface when Shutdown port-security mode is set and a violation occurs?

A
  • The interface is put into an err-disabled state
  • The port-security status for the interface moves to secure-shutdown
  • No longer sends or receives traffic over this interface
18
Q

True or False. An interface can automatically recover from being put into an err-disabled state.

A

False by default. Unless one of the commands below is configured, you need to shutdown and no shutdown the interface:

  • ‘errdisable recovery cause psecure-violation’ - A global command used to allow interfaces to recover from err-disabled when they have been put in this state specifically by port-security. This runs every 5 minutes
  • ‘errdisable recovery interval <time>’ - A global command used to set the time that an interface has to wait to recover.
19
Q

What is the main difference between violation mode Shutdown and modes Protect and Restrict?

A
  • Shutdown will disable the interface (secure-shutdown) and block all traffic. Protect and Restrict will keep the interface up (secure-up) and will continue to process good traffic but discard violating traffic.
20
Q

What is the main difference between violation mode Protect and violation mode Restrict?

A
  • Protect and Restrict both only disallow violating traffic, however, Protect will not increment its violation counter for violating traffic or produce log messages. Restrict will do both of these things.
21
Q

When you first enable port-security, how does a switch determine what MAC addresses to allow?

A
  • If the MAC address is not statically configured, the interface will allow only the first MAC address it receives. Any other MAC address after this will cause a violation.
22
Q

List whether port-security violation modes increment their violation counter

A
  • Protect - No
  • Restrict - Yes
  • Shutdown - Yes
23
Q

What is the default port-security violation mode?

A

Shutdown

24
Q

What is Secure MAC Aging?

A
  • The process by which the secure MAC address(es) in port-security are aged out, after which they need to be either re-added statically or relearned dynamically.
  • Default Aging Timer is 0 mins (will not age out)
  • Default Aging Type is Absolute
  • Configured with ‘switchport port-security aging time <time>’
25
Q

What are the different MAC Aging Types in port-security?

A
  • Absolute - Will age out the secure MAC address(es) after the aging timer reaches 0 even if frames are still being received from that MAC address.
  • Inactivity - The aging timer counts down as with Absolute, however, it is reset anytime a frame is received from the current secure MAC address.
  • Configured with ‘switchport port-security aging type <absolute/inactivity>’
26
Q

True or False. Static secure MAC aging is disabled by default.

A

True.

27
Q

What command can you use to enable MAC aging for static secure MAC addresses?

A

‘switchport port-security aging static’

28
Q

What is the difference between dynamically learned secure MACs and sticky secure MACs?

A
  • Sticky secure MACs are saved to the running-config. Provided these are saved to the startup-config, the switch doesn’t need to dynamically relearn these MACs, whereas dynamic MACs are not saved and therefore will need to be relearned if the switch reboots.
29
Q

What are Sticky MAC addresses listed as in the mac-address table?

A

STATIC