L2 Security Features Flashcards
Port security allows you to:
Control which source MAC addresses are allowed to enter a switchport
If an unauthorized source MAC address enters a port, the default action is:
Put the interface in an ‘err-disabled’ state
With default settings, when port security is enabled, how many MAC addresses are allowed per port?
1
T/F: With default settings, when port security is enabled, the switch will allow the first source MAC address that enters the interface
T
T/F: With default settings, when port security is enabled, the switch will allow the most recently seen source MAC address that enters the interface
F
The first source MAC seen will be allowed by default
T/F: You can change the maximum number of MAC addresses allowed by port security
T
T/F: VoIP phone MACs do not count toward the number of source MAC addresses considered by port security
F
T/F: VoIP phone MACs do count toward the number of source MAC addresses considered by port security
T
T/F: The port security allowed source MAC has to be manually configured on the switch
F
By default, the MAC is dynamically learned from the first seen source MAC
Explain why port security is useful
Controlling which devices are allowed to access the network.
Explain which feature set of port security is more useful, specifying allowed MACs, or limiting the number of allowed MACs
Limiting the number of allowed MACs
MAC address spoofing is easy, but limiting the number of source MACs per interface means we can help mitigate the threat of DHCP starvation and other similar attacks
What is the command to enable port security on an interface
switchport port-security
T/F: Port security can be enabled on access and trunk ports, but they must first be statically configured as either trunks or access
T
T/F: Port security can only be enabled on dynamic or access ports
F
Port security can only be enabled on static trunks or static access ports
T/F: Port security can only be enabled on DTP dynamic auto or DTP dynamic desirable ports
F
Port security can’t be enabled on any DTP dynamic ports, regardless of whether they are dynamic auto or dynamic desirable
T/F: Port security can only be enabled on access ports
F
Port security can be enabled on both access and trunk ports, so long as they are statically configured as such
What must first be configured on an interface before the command switchport port-security will be accepted
Statically configuring the port as either a trunk or access port using switchport mode {access | trunk}
T/F: By default, learned allowed source MACs do not age out
T
T/F: By default, learned allowed source MACs age out
F
Instead of having to shut-no-shut an ErrDisabled switchport, you can use:
errdisable recovery
T/F: By default, ErrDisable recovery is disabled for all ErrDisable reasons
T
T/F: By default, ErrDisable recovery is enabled for all ErrDisable reasons
F
Explain the default settings for ErrDisable recovery
Every 5 minutes (by default timer), all err-disabled interfaces will be re-enabled if and only if err-disable recovery has been enabled for the cause of the interface’s disablement
What is the command to enable ErrDisable recovery for a specific ErrDisable cause
errdisable recovery cause err-disable-reason
What is the command to view all ErrDisable causes
sh errdisable recovery
What is the command to change the ErrDisable recovery timer
errdisable recovery interval seconds
What is the command to view all ErrDisable recovery enablings/disablings
sh errdisable recovery
ErrDisable recovery is useless if:
You don’t remove the device that caused the interface to enter the err-disabled state
T/F: If the previous allowed MAC address was dynamically learned, it is cleared when the port is disabled
T
T/F: If the previous allowed MAC address was dynamically learned, it is cleared when the port is disabled. If you enable ErrDisable recovery for port security, then the switch may re-learn the unauthorized MAC address as the allowed one when the port is re-enabled
T
T/F: If the previous allowed MAC address was statically configured, it is cleared when the port is disabled. If you enable ErrDisable recovery for port security, then the switch may re-learn the unauthorized MAC address as the allowed one when the port is re-enabled
F
The MAC will not be cleared if it was manually configured
T/F: If the previous allowed MAC address was dynamically learned, it isn’t cleared when the port is disabled. If you enable ErrDisable recovery for port security, then the switch has no chance of potentially re-learning the unauthorized MAC address as the allowed one when the port is re-enabled
F
The allowed MAC will be cleared if it was dynamically learned. There is a risk the unauthorized MAC could be re-learned as the allowed one
List the port security violation modes
- Shutdown
- Restrict
- Protect
Explain the port security shutdown violation mode
Places port in err-disabled state. Generates one syslog and/or SNMP message when the port is disabled. Violation counter is set to 1 when the interface is disabled.
Explain the port security restrict violation mode
Switch discards traffic from unauthorized MAC addresses. Interface is not disabled. Generates a syslog and/or SNMP message each time an unauthorized MAC is detected. Violation counter incremented by 1 for each unauthorized frame.
Explain the port security protect violation mode
Switch discards traffic from unauthorized MAC addresses. Interface is not disabled. Doesn’t generate any syslog/SNMP messages, doesn’t increment violation counter
What is the command to configure a secure MAC aging time on a switchport
switchport port-security aging time minutes
T/F: The default aging type of a secure MAC is absolute
T
Explain what absolute aging of a secure MAC means
After the secure MAC is learned, the aging timer starts and is not refreshed by traffic from that source MAC.
Explain what inactivity aging of a secure MAC means
After the secure MAC is learned, the aging timer starts but is reset every time a frame from that source MAC is received on the interface
What is the command to configure the aging type of a switchport
switchport port-security aging type {absolute | inactivity}
T/F: By default, only dynamically learned secure MACs will age out
T
T/F: By default, secure static MAC aging is disabled
T
What is the command to enable secure static MAC aging
switchport port-security aging static
What is the command to enable sticky secure MAC address learning
switchport port-security mac-address sticky
Define a sticky secure MAC address:
A secure MAC address that will never age out (needs to be saved to the startup config to make it truly permanent)
T/F: Issuing switchport port-security mac-address sticky converts all current dynamically-learned secure MAC addresses to sticky secure MAC addresses
T
T/F: Issuing switchport port-security mac-address sticky converts only the most recent dynamically-learned secure MAC, as well as future dynamically learned secure MACs
F
This command converts all current dynamically-learned secure MACs
T/F: Issuing no switchport port-security mac-address sticky converts all current sticky secure MAC addresses to regular dynamically-learned secure MAC addresses
T
T/F: Issuing no switchport port-security mac-address sticky converts only the most recently learned sticky secure MAC to a regular dynamically-learned secure MAC
F
Converts all sticky secure MACs
What is the command to view all secure MAC addresses on a switch
sh mac address-table secure
Define DHCP snooping:
A security feature that is used to filter DHCP messages received on untrusted ports
T/F: DHCP snooping only filters DHCP messages
T
T/F: All switchports are untrusted by default
T
T/F: All switchports are trusted by default
F
In regard to DHCP snooping: Best practice is for uplink ports to be _____ and downlink ports to be ______
trusted, untrusted
In regard to DHCP snooping: Uplink ports point toward ______, downlink ports point toward ______
Core network infrastructure, clients
What are two types of attacks that DHCP snooping can mitigate?
DHCP starvation, DHCP poisoning
DHCP poisoning can be used for a _____ attack
Man in the middle
A ______ DHCP server is malicious and attempts to hijack legitimate DHCP server functionalities
Spurious DHCP server
DHCP server messages received on an untrusted port are always:
Discarded
T/F: DHCP server messages received on an untrusted port are always forwarded
F
DHCP server messages received on an untrusted port are always discarded
What happens when a DHCP message is received on a trusted port?
It is forwarded as normal without inspection
What happens when a DHCP message is received on an untrusted port?
It is inspected and the appropriate action is taken
If a DHCP server message is received on an untrusted port, what happens?
The frame is immediately discarded
If a DHCP server message is received on a trusted port, what happens?
The frame is forwarded as normal
If a DHCP client message is received on an untrusted port, what happens?
For DISCOVER/REQUEST messages:
- Check if the frame’s source MAC and the DHCP CHADDR fields match
- Match == forward
- Mismatch == discard
For RELEASE/DECLINE messages:
- Check if the packet’s source IP address and the receiving interface match the entry in the DHCP snooping binding table
- Match == forward
- Mismatch == discard
How is a DHCP snooping binding table populated
When a client successfully leases an IP address from a server, an entry is made
A DHCP snooping binding table contains what information?
MAC address, IP address, lease time, binding type, VLAN number, and interface that corresponds to the local untrusted interfaces of a switch
What is the command to enable DHCP snooping globally?
ip dhcp snooping
What is the command to enable DHCP snooping on a VLAN?
ip dhcp snooping vlan vlan-id
What is the command to make an interface DHCP snooping trusted
ip dhcp snooping trust
What is the command to view the DHCP snooping binding table
sh ip dhcp snooping binding
How are DHCP RELEASE and DECLINE messages checked when they enter an untrusted interface?
The IP address and interface ID are checked against the DHCP snooping binding table to ensure they match. The packet is dropped if there is a mismatch, and processed normally if they match
What is the command to configure DHCP rate limiting on an interface?
ip dhcp snooping rate limit packets-per-second
Recommended to set at 100 packets/sec
If an interface crosses the configured DHCP snooping rate limit, what is the result?
The interface is err-disabled
The interface can be re-enabled either manually or automatically with errdisable recovery
What is the command to enable errdisable recovery for DHCP snooping rate limiting
errdisable recovery cause dhcp-rate-limit
What is a feature of DHCP snooping that is useful in preventing DHCP exhaustion attacks?
DHCP snooping rate limiting
Describe the function of DHCP option 82
Provides additional information about which DHCP relay agent received the client’s message, on which interface, in which VLAN, etc.
DHCP relay agents can add option 82 to messages they forward to the remote DHCP server
T/F: With DHCP snooping enabled, by default Cisco switches will add Option 82 to DHCP messages they receive from clients, even if the switch isn’t acting as a DHCP relay agent
T
T/F: With DHCP snooping enabled, by default Cisco switches do not add Option 82 to DHCP messages they receive from clients
F
A DHCP message with Option 82 is received on a DHCP snooping untrusted port. What action is taken?
The switch immediately drops the DHCP message
What is the command to stop a switch from adding Option 82 information to DHCP DISCOVER messages
no ip dhcp snooping information option
Which of the following DHCP message types will always be discarded if received on a DHCP snooping untrusted interface? (pick multiple)
a) DISCOVER
b) REQUEST
c) NAK
d) OFFER
e) DECLINE
f) RELEASE
g) ACK
C, D, G
These message types are all DHCP server messages so are always discarded on untrusted interfaces
Which of the following is not stored in the DHCP snooping binding database?
a) IP Address
b) Interface
c) VLAN
d) Default gateway
e) MAC address
D
Default gateway is not in the binding database
Which of the following are functions of DHCP snooping (pick multiple)?
a) Limiting the rate of DHCP messages
b) Filtering DHCP messages on trusted ports
c) Filtering DHCP messages on untrusted ports
d) Filtering all DHCP messages
A and C
- Limiting the rate of DHCP messages
- Filtering DHCP messages on untrusted ports
When DHCP snooping inspects a DHCP DISCOVER message that arrives on an untrusted interface, what does it check? (pick multiple)
a) Source MAC address
b) CHADDR
c) IP address
d) Interface
A and B
For DHCP DISCOVER messages, the source MAC of the frame and the Client Hardware Address fields are checked to ensure they match
DHCP snooping rate-limiting is configured on SW1’s g0/1 interface. What happens if DHCP messages are received on g0/1 at a rate faster than the configured limit?
a) The messages that cross the limit will be dropped
b) The interface will be disabled
c) All DHCP messages on the interface will be dropped
d) A warning syslog message will be created
B
The interface will be placed in an err-disabled state
Which of the following L2 attacks uses the MAC address of another known host on the network in order to bypass port security measures?
a) ARP poisoning
b) VLAN hopping
c) MAC flooding
d) DHCP spoofing
e) MAC spoofing
E
What is a Gratuitous ARP message
An ARP reply that is sent without receiving an ARP request. Sent to broadcast MAC address, allowing other devices to learn the MAC address of the sending device without having to send an ARP request
In regard to Dynamic ARP inspection, what trust state are all ports in by default?
Untrusted
A frame containing an encapsulated IP packet is received on an interface. What actions are taken by dynamic ARP inspection?
Normal operation occurs. Dynamic ARP inspection only filters ARP messages
In regard to dynamic ARP inspection: trusted ports should be between ______, and untrusted ports should be between _______
Trusted: network device to network device
Untrusted: network device to end host
Describe an ARP poisoning attack:
A man-in-the-middle attack performed by manipulating a target’s ARP table so that traffic is sent to the attacker instead of the correct machine. This can be done by the attacker sending gratuitous ARP messages using another device’s IP address
On untrusted ports, what does dynamic ARP inspection check?
The sender MAC address and sender IP address have a corresponding match in the DHCP snooping binding table
On trusted ports, what does dynamic ARP inspection check?
Nothing. Dynamic ARP inspection does not perform any checks on ARP messages on trusted ports
An ARP message is received on an untrusted interface. Dynamic ARP inspection is enabled. What happens next?
Dynamic ARP inspection checks if the sender’s IP and sender’s MAC address have a corresponding entry in the DHCP snooping binding table.
Match = forward normally
No match = discard message
Since not all hosts use DHCP, what approach can be used to service hosts that have static IP addresses?
ARP ACLs can be used
What happens to traffic from hosts that aren’t using DHCP when their traffic is received on an untrusted port?
All ARP messages sent from the static host will be dropped. Non-ARP traffic will still be forwarded
What is the command to enable dynamic ARP inspection on a vlan?
ip arp inspection vlan vlan-id
What is the command to configure a switchport as trusted by dynamic ARP inspection
ip arp inspection trust
Do you have to enable dynamic ARP inspection globally, as well as per-VLAN, like DHCP snooping?
No
Is dynamic ARP inspection rate limiting enabled by default?
Yes, on untrusted ports
At 15 packets per second
Disabled on trusted ports
Dynamic ARP inspection has a burst interval, explain what it does
Allows you to configure rate limiting by saying:
limit to X packets per Y seconds
What is the command to configure dynamic ARP inspection rate limiting on an interface
ip arp inspection limit rate packets burst interval time-in-seconds
This configures a limit of packets per time-in-seconds
If burst interval is unspecified, the default rate is per 1 second
What is the command to enable errdisable recovery for dynamic ARP inspection
errdisable recovery cause arp-inspection
What are the three optional checks that can be configured for dynamic ARP inspection
- destination MAC address
- IP addresses
- source MAC address
What is the command to enable optional checks of dynamic ARP inspection
ip arp inspection validate [dst-mac] [ip] [src-mac] (one or more options, all in a single command)
What is the command to view dynamic ARP inspection configurations
sh ip arp inspection
You issue the ip arp inspection vlan 1 command on SW1. Which of the following statements is true about SW1 after issuing the command?
a) All interfaces in VLAN 1 are untrusted
b) DAI isn’t fully enabled until globally enabled with ip arp inspection
c) Only ARP messages from hosts with a static IP address will be permitted
d) DHCP snooping is enabled
A
All other statements are false
The following commands are configured on SW1. Which of the following statements is true after the commands have been issued?
~~~
SW1(config)# ip arp inspection validate ip
SW1(config)# ip arp inspection validate src-mac
SW1(config)# ip arp inspection validate dst-mac
~~~
a) DAI validation is only enabled for IP addresses
b) DAI validation is only enabled for source MAC addresses
c) DAI validation is only enabled for destination MAC addresses
d) DAI validation is enabled for all three causes
C
Each command overwrote the previous. All 3 options need to be included in the same command for all 3 to take effect
Which of the following is true about DAI rate limiting? (pick more than one)
a) It is enabled on trusted and untrusted ports by default
b) It is enabled on untrusted ports by default
c) It is enabled at a rate of 10 packets per second by default
d) It is enabled at a rate of 15 packets per second by default
B and D
DAI inspects the sender IP and MAC addresses to determine whether an ARP packet should be forwarded or dropped. Which of the following does it check the sender IP and MAC against? (pick more than one)
a) MAC address table
b) DHCP snooping binding table
c) ARP table
d) ARP ACLs
B and D
Which of the following commands limit ARP messages to a maximum average of 15 per second? (pick two)
a) ip arp inspection limit rate 15
b) ip arp inspection limit rate 30 burst interval 3
c) ip arp inspection limit rate 45 burst interval 3
d) ip arp inspection limit rate 30 burst interval 1
A and C
You issue the following commands on Switch1:
~~~
Switch1(config)# ip arp inspection vlan 11,14,18
Switch1(config)# interface f0/1
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport access vlan 14
Switch1(config-if)# ip arp inspection trust
Switch1(config-if)# interface range f0/2 - 4
Switch1(config-if-range)# switchport access vlan 14
Switch1(config-if-range)# switchport mode access
~~~
Which of the following statements are true (pick 2)?
a) All ports in VLAN 14 are trusted ports
b) The f0/1 port in VLAN 14 is a trusted port
c) Ports in every VLAN except VLAN 14 are trusted ports
d) Every port in VLANs 11, 14, and 18 is an untrusted port
e) Every port except the f0/1 port in VLAN 14 is an untrusted port
B, E