L2 Security Features Flashcards
Port security allows you to:
Control which source MAC addresses are allowed to enter a switchport
If an unauthorized source MAC address enters a port, the default action is:
Put the interface in an ‘err-disabled’ state
With default settings, when port security is enabled, how many MAC addresses are allowed per port?
1
T/F: With default settings, when port security is enabled, the switch will allow the first source MAC address that enters the interface
T
T/F: With default settings, when port security is enabled, the switch will allow the most recently seen source MAC address that enters the interface
F
The first source MAC seen will be allowed by default
T/F: You can change the maximum number of MAC addresses allowed by port security
T
T/F: VoIP phone MACs do not count toward the number of source MAC addresses considered by port security
F
T/F: VoIP phone MACs do count toward the number of source MAC addresses considered by port security
T
T/F: The port security allowed source MAC has to be manually configured on the switch
F
By default, the MAC is dynamically learned from the first seen source MAC
Explain why port security is useful
Controlling which devices are allowed to access the network.
Explain which feature set of port security is more useful, specifying allowed MACs, or limiting the number of allowed MACs
Limiting the number of allowed MACs
MAC address spoofing is easy, but limiting the number of source MACs per interface helps mitigate DHCP starvation and other similar attacks that rely on flooding a port with many spoofed source MACs
What is the command to enable port security on an interface
switchport port-security
T/F: Port security can be enabled on access and trunk ports, but they must first be statically configured as either trunk or access ports
T
T/F: Port security can only be enabled on dynamic or access ports
F
Port security can only be enabled on static trunks or static access ports
T/F: Port security can only be enabled on DTP dynamic auto or DTP dynamic desirable ports
F
Port security can’t be enabled on any DTP dynamic port, regardless of whether it is dynamic auto or dynamic desirable
T/F: Port security can only be enabled on access ports
F
Port security can be enabled on both access and trunk ports, so long as they are statically configured as such
What must first be configured on an interface before the command switchport port-security will be accepted
Statically configuring the port as either a trunk or access port using switchport mode {access | trunk}
T/F: By default, learned allowed source MACs do not age out
T
T/F: By default, learned allowed source MACs age out
F
Instead of having to shut-no-shut an ErrDisabled switchport, you can use:
errdisable recovery
T/F: By default, ErrDisable recovery is disabled for all ErrDisable reasons
T
T/F: By default, ErrDisable recovery is enabled for all ErrDisable reasons
F
Explain the default settings for ErrDisable recovery
Every 5 minutes (the default timer), all err-disabled interfaces will be re-enabled if and only if ErrDisable recovery has been enabled for the cause of the interface’s disablement
What is the command to enable ErrDisable recovery for a specific ErrDisable cause
errdisable recovery cause err-disable-reason
What is the command to view all ErrDisable causes
sh errdisable recovery
What is the command to change the ErrDisable recovery timer
errdisable recovery interval seconds
What is the command to view which ErrDisable recovery causes are enabled or disabled
sh errdisable recovery
ErrDisable recovery is useless if:
You don’t remove the device that caused the interface to enter the err-disabled state
T/F: If the previous allowed MAC address was dynamically learned, it is cleared when the port is disabled
T
T/F: If the previous allowed MAC address was dynamically learned, it is cleared when the port is disabled. If you enable ErrDisable recovery for port security, then the switch may re-learn the unauthorized MAC address as the allowed one when the port is re-enabled
T
T/F: If the previous allowed MAC address was statically configured, it is cleared when the port is disabled. If you enable ErrDisable recovery for port security, then the switch may re-learn the unauthorized MAC address as the allowed one when the port is re-enabled
F
The MAC will not be cleared if it was manually configured
T/F: If the previous allowed MAC address was dynamically learned, it isn’t cleared when the port is disabled. If you enable ErrDisable recovery for port security, then the switch has no chance of potentially re-learning the unauthorized MAC address as the allowed one when the port is re-enabled
F
The allowed MAC will be cleared if it was dynamically learned. There is a risk the unauthorized MAC could be re-learned as the allowed one
List the port security violation modes
- Shutdown
- Restrict
- Protect
Explain the port security shutdown violation mode
Places port in err-disabled state. Generates one syslog and/or SNMP message when the port is disabled. Violation counter is set to 1 when the interface is disabled.
Explain the port security restrict violation mode
Switch discards traffic from unauthorized MAC addresses. Interface is not disabled. Generates a syslog and/or SNMP message each time an unauthorized MAC is detected. Violation counter incremented by 1 for each unauthorized frame.
Explain the port security protect violation mode
Switch discards traffic from unauthorized MAC addresses. Interface is not disabled. Doesn’t generate any syslog/SNMP messages, doesn’t increment violation counter
What is the command to configure a secure MAC aging time on a switchport
switchport port-security aging time minutes
T/F: The default aging type of a secure MAC is absolute
T
Explain what absolute aging of a secure MAC means
After the secure MAC is learned, the aging timer starts and is not refreshed by traffic from that source MAC.
Explain what inactivity aging of a secure MAC means
After the secure MAC is learned, the aging timer starts but is reset every time a frame from that source MAC is received on the interface
What is the command to configure the aging type of a switchport
switchport port-security aging type {absolute | inactivity}
T/F: By default, only dynamically learned secure MACs will age out
T
T/F: Aging of secure static MACs is disabled by default
T
What is the command to enable secure static MAC aging
switchport port-security aging static
What is the command to enable sticky secure MAC address learning
switchport port-security mac-address sticky
Define a sticky secure MAC address:
A secure MAC address that will never age out (needs to be saved to the startup config to make it truly permanent)