L2 Security Features Flashcards

1
Q

Port security allows you to:

A

Control which source MAC addresses are allowed to enter a switchport

2
Q

If an unauthorized source MAC address enters a port, the default action is:

A

Put the interface in an ‘err-disabled’ state

3
Q

With default settings, when port security is enabled, how many MAC addresses are allowed per port?

A

1

4
Q

T/F: With default settings, when port security is enabled, the switch will allow the first source MAC address that enters the interface

A

T

5
Q

T/F: With default settings, when port security is enabled, the switch will allow the most recently seen source MAC address that enters the interface

A

F

The first source MAC seen will be allowed by default

6
Q

T/F: You can change the maximum number of MAC addresses allowed by port security

A

T

7
Q

T/F: VoIP phone MACs do not count toward the number of source MAC addresses considered by port security

A

F

8
Q

T/F: VoIP phone MACs do count toward the number of source MAC addresses considered by port security

A

T

9
Q

T/F: The port security allowed source MAC has to be manually configured on the switch

A

F

By default, the MAC is dynamically learned from the first seen source MAC

10
Q

Explain why port security is useful

A

Controlling which devices are allowed to access the network.

11
Q

Explain which feature set of port security is more useful, specifying allowed MACs, or limiting the number of allowed MACs

A

Limiting the number of allowed MACs

MAC address spoofing is easy, but limiting the number of source MACs per interface means we can help mitigate the threat of DHCP starvation and other similar attacks

12
Q

What is the command to enable port security on an interface

A

switchport port-security

13
Q

T/F: Port security can be enabled on access and trunk ports, but they must first be statically configured as either trunks or access

A

T

14
Q

T/F: Port security can only be enabled on dynamic or access ports

A

F

Port security can only be enabled on static trunks or static access ports

15
Q

T/F: Port security can only be enabled on DTP dynamic auto or DTP dynamic desirable ports

A

F

Port security can’t be enabled on any DTP dynamic port, regardless of whether it is dynamic auto or dynamic desirable

16
Q

T/F: Port security can only be enabled on access ports

A

F

Port security can be enabled on both access and trunk ports, so long as they are statically configured as such

17
Q

What must first be configured on an interface before the command switchport port-security will be accepted

A

Statically configuring the port as either a trunk or access port using switchport mode {access | trunk}

18
Q

T/F: By default, learned allowed source MACs do not age out

A

T

19
Q

T/F: By default, learned allowed source MACs age out

A

F

20
Q

Instead of having to shut-no-shut an ErrDisabled switchport, you can use:

A

errdisable recovery

21
Q

T/F: By default, ErrDisable recovery is disabled for all ErrDisable reasons

A

T

22
Q

T/F: By default, ErrDisable recovery is enabled for all ErrDisable reasons

A

F

23
Q

Explain the default settings for ErrDisable recovery

A

Every 5 minutes (the default timer), all err-disabled interfaces are re-enabled, but only if errdisable recovery has been enabled for the cause of the interface’s disablement

24
Q

What is the command to enable ErrDisable recovery for a specific ErrDisable cause

A

errdisable recovery cause err-disable-reason

25
Q

What is the command to view all ErrDisable causes

A

sh errdisable recovery

26
Q

What is the command to change the ErrDisable recovery timer

A

errdisable recovery interval seconds

27
Q

What is the command to view all ErrDisable recovery enablings/disablings

A

sh errdisable recovery

28
Q

ErrDisable recovery is useless if:

A

You don’t remove the device that caused the interface to enter the err-disabled state

29
Q

T/F: If the previous allowed MAC address was dynamically learned, it is cleared when the port is disabled

A

T

30
Q

T/F: If the previous allowed MAC address was dynamically learned, it is cleared when the port is disabled. If you enable ErrDisable recovery for port security, then the switch may re-learn the unauthorized MAC address as the allowed when the port is re-enabled

A

T

31
Q

T/F: If the previous allowed MAC address was statically configured, it is cleared when the port is disabled. If you enable ErrDisable recovery for port security, then the switch may re-learn the unauthorized MAC address as the allowed when the port is re-enabled

A

F

The MAC will not be cleared if it was manually configured

32
Q

T/F: If the previous allowed MAC address was dynamically learned, it isn’t cleared when the port is disabled. If you enable ErrDisable recovery for port security, then the switch has no chance of potentially re-learning the unauthorized MAC address as the allowed one when the port is re-enabled

A

F

The allowed MAC will be cleared if it was dynamically learned. There is a risk the unauthorized MAC could be re-learned as the allowed

33
Q

List the port security violation modes

A
  • Shutdown
  • Restrict
  • Protect

34
Q

Explain the port security shutdown violation mode

A

Places port in err-disabled state. Generates one syslog and/or SNMP message when the port is disabled. Violation counter is set to 1 when the interface is disabled.

35
Q

Explain the port security restrict violation mode

A

Switch discards traffic from unauthorized MAC addresses. Interface is not disabled. Generates a syslog and/or SNMP message each time an unauthorized MAC is detected. Violation counter incremented by 1 for each unauthorized frame.

36
Q

Explain the port security protect violation mode

A

Switch discards traffic from unauthorized MAC addresses. Interface is not disabled. Doesn’t generate any syslog/SNMP messages, doesn’t increment violation counter

37
Q

What is the command to configure a secure mac aging time on a switchport

A

switchport port-security aging time minutes

38
Q

T/F: The default aging type of a secure MAC is absolute

A

T

39
Q

Explain what absolute aging of a secure MAC means

A

After the secure MAC is learned, the aging timer starts and is not refreshed by traffic from that source MAC.

40
Q

Explain what inactivity aging of a secure MAC means

A

After the secure MAC is learned, the aging timer starts but is reset every time a frame from that source MAC is received on the interface

41
Q

What is the command to configure the aging type of a switchport

A

switchport port-security aging type {absolute | inactivity}

42
Q

T/F: By default, only dynamically learned secure MACs will age out

A

T

43
Q

T/F: By default, secure static MAC aging is disabled

A

T

44
Q

What is the command to enable secure static MAC aging

A

switchport port-security aging static

45
Q

What is the command to enable sticky secure MAC address learning

A

switchport port-security mac-address sticky

46
Q

Define a sticky secure MAC address:

A

A secure MAC address that will never age out (needs to be saved to start config to make truly permanent)

47
Q

T/F: Issuing switchport port-security mac-address sticky converts all current dynamically-learned secure MAC addresses to sticky secure MAC addresses

A

T

48
Q

T/F: Issuing switchport port-security mac-address sticky converts only the most recent dynamically-learned secure MAC, as well as future dynamically learned secure MACs

A

F

This command converts all current dynamically-learned secure MACs

49
Q

T/F: Issuing no switchport port-security mac-address sticky converts all current sticky secure MAC addresses to regular dynamically-learned secure MAC addresses

A

T

50
Q

T/F: Issuing no switchport port-security mac-address sticky converts only the most recently learned sticky secure MAC to a regular dynamically-learned secure MAC

A

F

Converts all sticky secure MACs

51
Q

What is the command to view all secure MAC addresses on a switch

A

sh mac address-table secure

52
Q

Define DHCP snooping:

A

A security feature that is used to filter DHCP messages received on untrusted ports

53
Q

T/F: DHCP snooping only filters DHCP messages

A

T

54
Q

T/F: All switchports are untrusted by default

A

T

55
Q

T/F: All switchports are trusted by default

A

F

56
Q

In regard to DHCP snooping: Best practice is for uplink ports to be _____ and downlink ports to be ______

A

trusted, untrusted

57
Q

In regard to DHCP snooping: Uplink ports point toward ______, downlink ports point toward ______

A

Core network infrastructure, clients

58
Q

What are two types of attacks that DHCP snooping can mitigate?

A

DHCP starvation, DHCP poisoning

59
Q

DHCP poisoning can be used for a _____ attack

A

Man in the middle

60
Q

A ______ DHCP server is malicious and attempts to hijack legitimate DHCP server functionalities

A

Spurious DHCP server

61
Q

DHCP server messages received on an untrusted port are always:

A

Discarded

62
Q

T/F: DHCP server messages received on an untrusted port are always forwarded

A

F

DHCP server messages received on an untrusted port are always discarded

63
Q

What happens when a DHCP message is received on a trusted port?

A

It is forwarded as normal without inspection

64
Q

What happens when a DHCP message is received on an untrusted port?

A

It is inspected and the appropriate action is taken

65
Q

If a DHCP server message is received on an untrusted port, what happens?

A

The frame is immediately discarded

66
Q

If a DHCP server message is received on a trusted port, what happens?

A

The frame is forwarded as normal

67
Q

If a DHCP client message is received on an untrusted port, what happens?

A

For DISCOVER/REQUEST messages:
- Check if the frame’s source MAC and the DHCP CHADDR fields match
- Match == forward
- Mismatch == discard

For RELEASE/DECLINE messages:
- Check if the packet’s source IP address and the receiving interface match the entry in the DHCP snooping binding table
- Match == forward
- Mismatch == discard

68
Q

How is a DHCP snooping binding table populated

A

When a client successfully leases an IP address from a server, an entry is made

69
Q

A DHCP snooping binding table contains what information?

A

MAC address, IP address, lease time, binding type, VLAN number, and interface that corresponds to the local untrusted interfaces of a switch

70
Q

What is the command to enable DHCP snooping globally?

A

ip dhcp snooping

71
Q

What is the command to enable DHCP snooping on a VLAN?

A

ip dhcp snooping vlan vlan-id

72
Q

What is the command to make an interface DHCP snooping trusted

A

ip dhcp snooping trust

73
Q

What is the command to view the DHCP snooping binding table

A

sh ip dhcp snooping binding

74
Q

How are DHCP RELEASE and DECLINE messages checked when they enter an untrusted interface?

A

The IP address and interface ID are checked against the DHCP snooping binding table to ensure they match. The packet is dropped if there is a mismatch, and processed normally if they match

75
Q

What is the command to configure DHCP rate limiting on an interface?

A

ip dhcp snooping rate limit packets-per-second

Recommended to set at 100 packets/sec

75
Q

If an interface crosses the configured DHCP snooping rate limit, what is the result?

A

The interface is err-disabled

The interface can be re-enabled either manually or automatically with errdisable recovery

76
Q

What is the command to enable errdisable recovery for DHCP snooping rate limiting

A

errdisable recovery cause dhcp-rate-limit

77
Q

What is a feature of DHCP snooping that is useful in preventing DHCP exhaustion attacks?

A

DHCP snooping rate limiting

78
Q

Describe the function of DHCP option 82

A

Provides additional information about which DHCP relay agent received the client’s message, on which interface, in which VLAN, etc.

DHCP relay agents can add option 82 to messages they forward to the remote DHCP server

79
Q

T/F: With DHCP snooping enabled, by default Cisco switches will add Option 82 to DHCP messages they receive from clients, even if the switch isn’t acting as a DHCP relay agent

A

T

80
Q

T/F: With DHCP snooping enabled, by default Cisco switches do not add Option 82 to DHCP messages they receive from clients

A

F

81
Q

A DHCP message with Option 82 is received on a DHCP snooping untrusted port. What action is taken?

A

The switch immediately drops the DHCP message

82
Q

What is the command to stop a switch from adding Option 82 information to DHCP DISCOVER messages

A

no ip dhcp snooping information option

83
Q

Which of the following DHCP message types will always be discarded if received on a DHCP snooping untrusted interface? (pick multiple)

a) DISCOVER
b) REQUEST
c) NAK
d) OFFER
e) DECLINE
f) RELEASE
g) ACK

A

C, D, G

These message types are all DHCP server messages so are always discarded on untrusted interfaces

84
Q

Which of the following is not stored in the DHCP snooping binding database?

a) IP Address
b) Interface
c) VLAN
d) Default gateway
e) MAC address

A

D

Default gateway is not in the binding database

85
Q

Which of the following are functions of DHCP snooping (pick multiple)?

a) Limiting the rate of DHCP messages
b) Filtering DHCP messages on trusted ports
c) Filtering DHCP messages on untrusted ports
d) Filtering all DHCP messages

A

A and C

  • Limiting the rate of DHCP messages
  • Filtering DHCP messages on untrusted ports

86
Q

When DHCP snooping inspects a DHCP DISCOVER message that arrives on an untrusted interface, what does it check? (pick multiple)

a) Source MAC address
b) CHADDR
c) IP address
d) Interface

A

A and B

For DHCP DISCOVER messages, the source MAC of the frame and the Client Hardware Address fields are checked to ensure they match

87
Q

DHCP snooping rate-limiting is configured on SW1’s g0/1 interface. What happens if DHCP messages are received on g0/1 at a rate faster than the configured limit?

a) The messages that cross the limit will be dropped
b) The interface will be disabled
c) All DHCP messages on the interface will be dropped
d) A warning syslog message will be created

A

B

The interface will be placed in an err-disabled state

88
Q

Which of the following L2 attacks uses the MAC address of another known host on the network in order to bypass port security measures?

a) ARP poisoning
b) VLAN hopping
c) MAC flooding
d) DHCP spoofing
e) MAC spoofing

A

E

89
Q

What is a Gratuitous ARP message

A

An ARP reply that is sent without receiving an ARP request. Sent to broadcast MAC address, allowing other devices to learn the MAC address of the sending device without having to send an ARP request

90
Q

In regard to Dynamic ARP inspection, what trust state are all ports in by default?

A

Untrusted

91
Q

A frame containing an encapsulated IP packet is received on an interface. What actions are taken by dynamic ARP inspection?

A

Normal operation occurs. Dynamic ARP inspection only filters ARP messages

92
Q

In regard to dynamic ARP inspection: trusted ports should be between ______, and untrusted ports should be between _______

A

Trusted: network device to network device
Untrusted: network device to end host

93
Q

Describe an ARP poisoning attack:

A

A man in the middle attack done by the following:

Manipulating a target’s ARP table so that traffic is sent to the attacker instead of the correct machine. This can be done by the attacker sending gratuitous ARP messages using another device’s IP address

94
Q

On untrusted ports, what does dynamic ARP inspection check?

A

The sender MAC address and sender IP address have a corresponding match in the DHCP snooping binding table

95
Q

On trusted ports, what does dynamic ARP inspection check?

A

Nothing. Dynamic ARP inspection does not perform any checks on ARP messages on trusted ports

96
Q

An ARP message is received on an untrusted interface. Dynamic ARP inspection is enabled. What happens next?

A

Dynamic ARP inspection checks if the sender’s IP and sender’s MAC address have a corresponding entry in the DHCP snooping binding table.

Match = forward normally
No match = discard message

97
Q

Since not all hosts use DHCP, what approach can be used to service hosts that have static IP addresses?

A

ARP ACLs can be used

98
Q

What happens to traffic from hosts that aren’t using DHCP when their traffic is received on an untrusted port?

A

All ARP messages sent from the static host will be dropped. Non-ARP traffic will still be forwarded

99
Q

What is the command to enable dynamic ARP inspection on a vlan?

A

ip arp inspection vlan vlan-id

100
Q

What is the command to configure a switchport as trusted by dynamic ARP inspection

A

ip arp inspection trust

101
Q

Do you have to enable dynamic ARP inspection globally, as well as per-VLAN, like DHCP snooping?

A

No

102
Q

Is dynamic ARP inspection rate limiting enabled by default?

A

Yes, on untrusted ports

At 15 packets per second

Disabled on trusted ports

103
Q

Dynamic ARP inspection has a burst interval, explain what it does

A

Allows you to configure rate limiting by saying:

limit to X packets per Y seconds

104
Q

What is the command to configure dynamic ARP inspection rate limiting on an interface

A

ip arp inspection limit rate packets burst interval time-in-seconds

This configures a limit of packets per time-in-seconds

If burst interval is unspecified, the default rate is per 1 second

105
Q

What is the command to enable errdisable recovery for dynamic ARP inspection

A

errdisable recovery cause arp-inspection

106
Q

What are the three optional checks that can be configured for dynamic ARP inspection

A
  • destination MAC address
  • IP addresses
  • source MAC address

107
Q

What is the command to enable optional checks of dynamic ARP inspection

A

ip arp inspection validate {dst-mac | ip | src-mac} (one or more of the three, all in the same command)

108
Q

What is the command to view dynamic ARP inspection configurations

A

sh ip arp inspection

109
Q

You issue the ip arp inspection vlan 1 command on SW1. Which of the following statements is true about SW1 after issuing the command?

a) All interfaces in VLAN 1 are untrusted
b) DAI isn’t fully enabled until globally enabled with ip arp inspection
c) Only ARP messages from hosts with a static IP address will be permitted
d) DHCP snooping is enabled

A

A

All other statements are false

110
Q

The following commands are configured on SW1. Which of the following statements is true after the commands have been issued?

SW1(config)# ip arp inspection validate ip
SW1(config)# ip arp inspection validate src-mac
SW1(config)# ip arp inspection validate dst-mac

a) DAI validation is only enabled for IP addresses
b) DAI validation is only enabled for source MAC addresses
c) DAI validation is only enabled for destination MAC addresses
d) DAI validation is enabled for all three causes

A

C

Each command overwrote the previous. All 3 options need to be included in the same command for all 3 to take effect

111
Q

Which of the following is true about DAI rate limiting? (pick more than one)

a) It is enabled on trusted and untrusted ports by default
b) It is enabled on untrusted ports by default
c) It is enabled at a rate of 10 packets per second by default
d) It is enabled at a rate of 15 packets per second by default

A

B and D

112
Q

DAI inspects the sender IP and MAC addresses to determine whether an ARP packet should be forwarded or dropped. Which of the following does it check the sender IP and MAC against? (pick more than one)

a) MAC address table
b) DHCP snooping binding table
c) ARP table
d) ARP ACLs

A

B and D

113
Q

Which of the following commands limit ARP messages to a maximum average of 15 per second? (pick two)

a) ip arp inspection limit rate 15
b) ip arp inspection limit rate 30 burst interval 3
c) ip arp inspection limit rate 45 burst interval 3
d) ip arp inspection limit rate 30 burst interval 1

A

A and C

114
Q

You issue the following commands on Switch1:
~~~
Switch1(config)# ip arp inspection vlan 11,14,18
Switch1(config)# interface f0/1
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport access vlan 14
Switch1(config-if)# ip arp inspection trust
Switch1(config-if)# interface range f0/2 - 4
Switch1(config-if-range)# switchport access vlan 14
Switch1(config-if-range)# switchport mode access
~~~

Which of the following statements are true (pick 2)?

a) All ports in VLAN 14 are trusted ports
b) The f0/1 port in VLAN 14 is a trusted port
c) Ports in every VLAN except VLAN 14 are trusted ports
d) Every port in VLANs 11, 14, and 18 is an untrusted port
e) Every port except the f0/1 port in VLAN 14 is an untrusted port

A

B, E
