Module 11 Flashcards
What command is used to verify if PortFast is enabled globally?
show spanning-tree summary
Alternatively, you can use show running-config | begin span.
What are the three ways a VLAN hopping attack can be launched?
- Spoofing DTP messages to cause trunking mode
- Introducing a rogue switch enabling trunking
- Performing a double-tagging attack
What is the first step to mitigate VLAN hopping attacks?
Disable DTP negotiations on non-trunking ports using the switchport mode access command.
What command is used to display all secure MAC addresses?
show port-security address
This command shows both manually configured and dynamically learned MAC addresses.
What does DHCP snooping do?
Filters DHCP messages and rate-limits DHCP traffic on untrusted ports.
What is the goal of a DHCP starvation attack?
To create a Denial of Service (DoS) for connecting clients.
How can DHCP spoofing attacks be mitigated?
By using DHCP snooping on trusted ports.
What command is used to enable DHCP snooping?
ip dhcp snooping
What happens when a port is in the error-disabled state?
No traffic is sent or received on that port.
What command is used to re-enable a port in the error-disabled state?
shutdown followed by no shutdown.
What is the function of Dynamic ARP Inspection (DAI)?
Prevents ARP spoofing and ARP poisoning by verifying IP-to-MAC bindings.
What command is used to configure DAI to drop invalid ARP packets?
ip arp inspection validate {src-mac | dst-mac | ip}
What does BPDU Guard do?
Immediately error disables a port that receives a BPDU.
How can BPDU Guard be enabled globally?
spanning-tree portfast bpduguard default
What command is used to verify port security settings for a specific interface?
show port-security interface
Fill in the blank: To manually enable the trunk link on a trunking port, use the _______ command.
switchport mode trunk
What are the three port security violation modes?
- shutdown
- restrict
- protect
What does the ‘restrict’ mode do in port security?
Drops packets with unknown source addresses and increments the violation counter.
True or False: PortFast can be enabled on inter-switch links.
False
PortFast should only be enabled on access ports.
What is the purpose of the DHCP snooping binding table?
It binds the source MAC address to the IP address assigned by the DHCP server.
What command is used to view the clients that have received DHCP information?
show ip dhcp snooping binding
What should be configured as trusted interfaces for DHCP snooping and ARP inspection?
Uplink ports connected to other switches.
What is the default mode for port security violations?
shutdown
What command is used to limit the number of DHCP discovery messages on untrusted interfaces?
ip dhcp snooping limit rate packets-per-second
What must be done if an unauthorized device is connected to a secure port?
Eliminate the security threat before re-enabling the port.
What should be done to all switch ports before deployment for production use?
All switch ports should be secured.
This includes configuring port security and disabling unused ports.
What is the default setting for Layer 2 switch ports?
Dynamic auto (trunking on).
This means they can automatically negotiate trunking.
What is the simplest method to prevent MAC address table overflow attacks?
Enable port security.
This limits the number of valid MAC addresses allowed on a port.
How can a switch learn about MAC addresses on a secure port?
In one of three ways:
* Manually configured
* Dynamically learned
* Dynamically learned – sticky
What occurs when a port violation happens due to a differing MAC address?
The port enters the error-disabled state.
In this state, no traffic is sent or received on that port.
How can VLAN hopping attacks be mitigated?
By:
* Disabling DTP negotiations
* Disabling unused ports
* Manually setting trunking
* Using a native VLAN other than VLAN 1
What does DHCP snooping do?
It determines whether DHCP messages are from a trusted or untrusted source and filters them.
It also rate-limits DHCP traffic from untrusted sources.
What is required for Dynamic ARP Inspection (DAI) to function?
DHCP snooping.
What is the purpose of implementing Dynamic ARP Inspection?
To mitigate ARP spoofing and ARP poisoning.
How can Spanning Tree Protocol (STP) manipulation attacks be mitigated?
By using PortFast and Bridge Protocol Data Unit (BPDU) Guard.
What command is used to enable port security on an interface?
switchport port-security.
What does the command ‘switchport port-security maximum’ do?
Sets the maximum number of MAC addresses allowed on a port.
What are the two types of aging supported by port security?
- Absolute
- Inactivity
What command is used to verify port security configurations?
show port-security interface and show port-security address.
What is the default port security value for the maximum number of MAC addresses allowed on a port?
1.
Fill in the blank: The command to manually configure a static MAC address on a secure port is ‘switchport port-security mac-address _______’.
[mac-address]
True or False: Port security can be configured on dynamic access ports.
False.
Port security can only be configured on manually configured access or trunk ports.
What happens if a port configured with port security has more than one device connected to it?
The port will transition to the error-disabled state.
What command is used to disable an unused port on a switch?
shutdown.
What command is used to reactivate a previously disabled port?
no shutdown.
What is the command to set the aging type for secure MAC addresses?
switchport port-security aging.
