Chapter 8 - Securing Layer 2 Technologies

Question 1

How long does it take for a default configuration on a Cisco switch to check for loops?

Answer 1

30 seconds total.

15 seconds will be spent listening - no traffic forwarding, only waiting for BPDU’s.

15 more seconds will be spent learning, putting mac’s in the CAM table, but still waiting for a BPDU to avoid loops before forwarding packet traffic.

Question 2

What is the IEEE standard for “Tradional” Spanning Tree Protcol (STP)

Answer 2

802.1D

Question 3

What is the IEEE standard for Rapid Spanning Tree Protocol (RSTP)

Answer 3

802.1W

Question 4

What command will show you which ports are configured as trunks on a switch

Answer 4

show interfaces trunk

Question 5

What command will show you which ports are root ports, which are blocking, or forwarding, in addition to the bridge priority?

Answer 5

show spanning-tree

show spanning-tree vlan 100 (for per-vlan STP)

Question 6

How to you enable portfast on all interfaces of a switch globally?

Answer 6

(config)# spanning-tree portfast default

Question 7

What command is used to assign a native VLAN to a switch port?

Answer 7

(config-if)# switchport trunk native vlan 100

(100 is the number of the VLAN, it can be anything)

I assume you can use the if range command to set all ports on a switch to a certain native VLAN

Question 8

What is BPDU Guard used for?

Answer 8

When enabled on a switch port, BPDU guard will disable a switchport automatically when it sees a BPDU packet inbound.

A user on an access port should never be sending BPDU packets.This would only occur if a switch was introduced on this port.

Question 9

What command turns on BPDU Guard on a switchport?

Answer 9

(config-if)# spanning-tree bpduguard enable

• A port that has been disabled because of a violation shows a status of err-disabled
• To re-enable a port that has been shutdown due to a violation, use shudown and no shutdown

Question 10

How do you let a switch manage bringing a BPDU guarded port back up on its own?

Answer 10

(config) # errdisable recovery cause bpduguard
(config) # err disable recovery interval 30
* This will bring the port back online after 30 seconds if no more BPDU’s are received on the port in violation

Question 11

What does the CAM in CAM table stand for?

Answer 11

Content Addressable Memory

Question 12

How do you completely disable auto trunking on a switchport?

Answer 12

To disable dynamic trunking completely (DTP = dynamic trunking protocol) you can issue the switchport nonnegotiate command.

Question 13

What is PVLAN Edge used for?

Answer 13

Private VLAN Edge is enforced using the **switchport proteted” **command.

It prevents 2 devices that are on the same switch, in the same VLAN and same subnet, from talking to each other.

A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port.

Switch(config)# interface range fa0/5-6
Switch(config-range)# switchport protected
Switch(config-range)# switchport mode access
Switch(config-range)# switchport access vlan 20

Even though these 2 ports are in the same VLAN, devices connected to these 2 ports won’t be able to communicate with each other.

Question 14

What is the default bridge priority on a Cisco switch?

Answer 14

32768

Remember, if all switches are using the default priority of 32768, then the switch with the lowest MAC address becomes the root bridge.

Question 15

What is IP Source guard used for?

Answer 15

IP source guard provides source IP address filtering on a Layer 2 (switch) port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host’s IP address.

More info:

Uses a combination of dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted layer 2 access ports.