Chapter 8 - Configuring Ethernet Switching

Question 1

What command moves you into global configuration mode?

Answer 1

configure terminal

Question 2

What command enables a password when a user tries to enable mode?

Answer 2

enable secret {password}

Question 3

What commands enable a login and password for console 0?

Answer 3

#configure terminal
#line console 0
#password {password}
#login

Question 4

What commands enable a login and password?

Answer 4

username {username} password {password}

Interface sub-command login local

Question 5

What’s another way to authenticate users other than using the local username and passwords on a switch?

Answer 5

Using a AAA server - authentication, authorization, and accounting

Question 6

What protocols are normally used between a Cisco device and a AAA server to secure the traffic?

Answer 6

RADIUS or TACACS+

Question 7

What are the 4 steps to enabling SSH on a switch?

Answer 7

Step 1.) Configure the vty lines to use usernames (using login local command) or a AAA server
Step 2.) If using local logins, configure the usernames and passwords
Step 3.) Configure the switch to use a matched public and private key pair to use for encryption.
Step 4.) Optional - Enable SSH v2

Question 8

What two commands configure the switch to use a matched public and private key pair for encryption?

Answer 8

#ip domain-name {name}
#crypto key generate rsa

Question 9

What global command enables SSH v2?

Answer 9

ip ssh version 2

Question 10

What 2 commands give some information about the status of SSH on the switch?

Answer 10

#show ip ssh
#show ssh

Question 11

What command lists information about each SSH client currently connected into the switch?

Answer 11

show ssh

Question 12

Which command enables or disables SSH or telnet on the vty lines?

Answer 12

transport input vty subcommand

Valid commands are transport input {all | none | telnet | ssh}

Question 13

What global configuration command will encrypt the passwords in the running configuration file?

Answer 13

service password-encryption

Question 14

Once the service password-encryption command is entered and then if the no service password-encryption is entered, how does it treat the passwords in the config file?

Answer 14

Once the no service password-encryption file is entered, the current passwords in the file are unchanged. However, any new changes will show the passwords in clear text.

Question 15

Switches can protect the enable mode requiring that a user enter a password. What is the old and new command for enabling this password?

Answer 15

The older one is:
#enable password {password}
The newer one is:
#enable secret {password}

Question 16

If both enable commands are configured, which one does the switch use or prefer?

Answer 16

enable secret command

Question 17

If only one enable command is configured, what password does the switch require?

Answer 17

The password used in the enable command that was configured.

Question 18

If neither enable command was used, what password is required?

Answer 18

Console users are allowed into enable mode without a password prompt while others are rejected.

Question 19

How is the encryption that the enable secret command uses different than the service password-encryption command?

Answer 19

The enable secret command uses MD5 or Message Digest 5 hash versus the weaker encryption that the enable secret command uses.

Question 20

What command is preferred to hide the password for a username?

Answer 20

username secret {password}

Question 21

What type of encryption does the username secret command use?

Answer 21

SHA-256 (type 4)

Question 22

What are 3 types of banner messages that can be set up using the banner command?

Answer 22

Message of the day (MOTD), Login, and Exec

Question 23

What command lists the commands currently held in the history buffer?

Answer 23

show history

Question 24

Which command from console or vty line config mode, sets the default number of commands saved in the history buffer for the user(s) of the console or vty lines?

Answer 24

history size {x}

Question 25

From Exec mode, this command allows a single user to set, just for this one login session, the size of his history buffer.

Answer 25

terminal history size {x}

Question 26

Which command can disable syslog messages that show up at the console?

Answer 26

no logging console

Question 27

Which command pretty much tells the switch to only display syslog messages at more convenient times such as at the end of a show command?

Answer 27

logging synchronous

Question 28

Which vty subcommand lets you set the length of the inactivity timer?

Answer 28

exec-timeout {minutes seconds}

Question 29

By default, the switch automatically disconnects connected users on the vty lines after how much time?

Answer 29

5 minutes of inactivity

Question 30

An switched virtual interface (SVI) is also known as what?

Answer 30

VLAN interface

Question 31

Enabling an IP address on a switch vlan allows for what?

Answer 31

Remote access in order to manage the switch.

Question 32

What are the steps to set up an IP address on VLAN 1 of a switch?

Answer 32

#configure terminal
#interface vlan 1
#ip address {ip-address mask}
#no shutdown
#ip default-gateway {ip-address}
Optional #ip name-server {ip-address 1 ip-address 2}

Question 33

How would you configure vlan 1 for dhcp instead of assigning an address statically?

Answer 33

#configure terminal
#interface vlan 1
#ip address dhcp

Question 34

What are 2 different commands you can use to verify the IPv4 configuration of a switch?

Answer 34

show running-config

show interface vlan {x}

Question 35

What command shows temporarily leased IP address and other parameters if using dhcp?

Answer 35

show dhcp lease

Question 36

If you’ve just configured the duplex and speed settings of ports, what’s a command you can use to verify these settings?

Answer 36

show interfaces status

Question 37

What command would you use if you wanted to configure multiple fast ethernet ports at the same time?

Answer 37

interface range FastEthernet {x/x-x}

Question 38

What could an engineer enable on a switch to allow only certain devices to connect through a port?

Answer 38

port security

Question 39

What are 3 variations or rules of port security?

Answer 39

1) Define a maximum # of source MAC addresses allowed for all frames coming in the interface.
2) Watch all incoming frames, and keep a list of all source MAC addresses, plus a counter of the # of different source MAC addresses.
3) When adding a new source MAC address to the list, if the number of MAC addresses pushes past the configured maximum, a port security violation has occurred. The switch takes action (the default action is to shutdown the interface).

Question 40

What is the first configuration step in enabling port security?

Answer 40

Make the switch interface either a static access or trunk interface using switchport mode access or switchport mode trunk.

Question 41

After enabling the switchport mode access or trunk command, what’s the next step in enabling port security?

Answer 41

Use the switchport port-security interface subcommand.

Question 42

What command would you use to override the default maximum number (1) of allowed MAC addresses associated with the interface?

Answer 42

switchport port-security maximum {number}

Question 43

What command would you use to override the default action to take upon a security violation (shutdown)?

Answer 43

switchport port-security violation {protect | restrict | shutdown}

Question 44

What command would you use to predefine any allowed source MAC address(es) for this interface?

Answer 44

switchport port-security mac-address {mac-address}

Question 45

What command would you use to tell the switch to “sticky learn” dynamically learned MAC addresses?

Answer 45

switchport port-security mac-address sticky

Question 46

What command would you use to verify port security?

Answer 46

show port-security interface

Question 47

What are 3 actions that a switch can take when a port security violation occurs?

Answer 47

1) Discards offending traffic
2) Sends log and SNMP messages
3) Disables the interface, discarding all traffic

Question 48

Of the 3 options of the switchport port-security violation command (protect, restrict, and shutdown), which discards offending traffic?

Answer 48

protect, restrict, and shutdown

Question 49

Of the 3 options of the switchport port-security violation command (protect, restrict, and shutdown), which sends log and SNMP messages?

Answer 49

restrict and shutdown

Question 50

Of the 3 options of the switchport port-security violation command (protect, restrict, and shutdown), which disables the interface, discarding all traffic?

Answer 50

shutdown

Question 51

What are 4 things an engineer can do to secure unused ports?

Answer 51

1) Use the shutdown command to completely shut the interface down
2) Prevent VLAN trunking by using the switchport mode access command.
3) Assign the port to an unused VLAN using switchport access vlan {#} command
4) Set the native VLAN to not be VLAN 1, but to instead be an unused VLAN using the switchport trunk native vlan {vlan-id} command