Port Security Flashcards
What does port security use to authenticate frames?
The source MAC address.
Port security can only be configured on what kind of ports?
Access ports.
List the four options available when configuring an interface for port security.
Maximum, aging, MAC-address and violation.
What does the “Maximum” option configure?
The total number of secure MAC addresses allowed on a port.
What does the “Aging” option configure?
How long it takes for a secure MAC to age out, and when the aging starts (absolute or inactive).
What does the “MAC-Address” option configure?
The static MAC addresses, or enable sticky addresses.
What are the three violation options and their functions?
Shutdown (default) which err-disables the port, protect which discards offending frames, and restrict which discards offending frames and generates an SNMP trap/log.
What is the default port security interface config?
1 MAC allowed, dynamically learned, shutdown violation.
What are sticky addresses?
Dynamically-learned addresses that are saved to their interface in the running config.
Refer to the exhibit. Based on the running configuration that is shown for interface FastEthernet0/2, what two conclusions can be deduced? (Choose two)
!
interface FastEthernet0/2
switchport mode access
switchport port-security
switchport port-security maximum 6
switchport port-security aging time 5
switchport port-security aging static
switchport port-security mac-address sticky
switchport port-security mac-address 0000.0000.000b
switchport port-security mac-address sticky 0000.0000.4141
switchport port-security mac-address sticky 0000.0000.5050
no ip address
A. Connecting a host with MAC address 0000.0000.4147 will move interface FastEthernet0/2 into error disabled state.
B. The host with address 0000.0000.4141 is removed from the secure address list after 5 seconds of inactivity.
C. The sticky secure MAC addresses are treated as static secure MAC addresses after the running configuration is saved to the startup configuration and the switch is restarted.
D. Interface FastEthernet0/2 is a voice VLAN port.
E. The host with address 0000.0000.000b is removed from the secure address list after 300 seconds.
Answer: C E
Explanation
In this case the “switchport port-security aging time 5” command sets the aging time to 5 minutes and the “switchport port-security aging static” command enables aging for statically configured MAC addresses -> the MAC 0000.0000.000b will be aged out after 5 minutes (300 seconds).
Note: Cisco switches do not support port security aging of sticky secure MAC addresses -> the sticky secure MAC addresses are not aged out.
Refer to the exhibit. What will happen when one more user is connected to interface FastEthernet 5/1?
[Exhibit: output of show port-security interface fastethernet 5/1]
A. The first address learned on the port will be removed from the secure address list and be replaced with the new address.
B. All secure addresses will age out and be removed from the secure address list. This will cause the security violation counter to increment.
C. The packets with the new source addresses will be dropped until a sufficient number of secure MAC addresses are removed from the secure address list.
D. The interface will be placed into the error-disabled state immediately, and an SNMP trap notification will be sent.
Answer: D
Explanation
There are three violation modes of port security:
+ Protect: drop packets (port is not shut down)
+ Restrict: drop packets and increase the violation counter, send an SNMP trap notification (port is not shut down)
+ Shutdown (default mode): put the port into error-disabled state (same as shutdown state), send an SNMP trap notification
Refer to the exhibit. What type of attack would be mitigated by this configuration?
[Exhibit: output of show port-security]
A. ARP spoofing
B. MAC spoofing
C. VLAN hopping
D. CDP manipulation
E. MAC flood attack
F. spanning tree compromises
Answer: E
Explanation
The maximum number of hosts allowed is 5, so an attacker cannot flood the switch with many source MAC addresses -> this configuration is effective against a MAC flooding attack.
Refer to the exhibit. Port security has been configured on port Fa0/5. What would happen if another device is connected to the Fa0/5 port after the maximum number of devices has been reached, even if one or more of the original MAC addresses are inactive?
[Exhibit: running configuration of port Fa0/5 with port security]
A. The port will permit the new MAC address because one or more of the original MAC addresses are inactive.
B. The port will permit the new MAC address because one or more of the original MAC addresses will age out.
C. Because the new MAC address is not configured on the port, the port will not permit the new MAC address.
D. Although one or more of the original MAC addresses are inactive, the port will not permit the new MAC address.
Answer: D
Explanation
The port-security aging time is set to 0, so aging is disabled for this port -> even if the original MAC addresses are inactive, the port will not permit the new MAC address.
When you enable port security on an interface that is also configured with a voice VLAN, what is the maximum number of secure MAC addresses that should be set on the port?
A. No more than one secure MAC address should be set.
B. The default will be set.
C. The IP phone should use a dedicated port, therefore only one MAC address is needed per port.
D. No value is needed if the switchport priority extend command is configured.
E. No more than two secure MAC addresses should be set.
Answer: E
Explanation
Usually, an IP Phone needs two MAC addresses, one for the voice VLAN and one for the access VLAN. If you don’t want other devices to access this port, then you should not set more than two secure MAC addresses.
Below is an example for this configuration:
Switch(config)# interface fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security maximum 1 vlan voice
Switch(config-if)# switchport port-security maximum 1 vlan access
! Configure static MAC addresses for these VLANs
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0002 vlan voice
(For more information about this, please read http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/port_sec.html)
Refer to the exhibit. Which interface or interfaces on switch SW_A can have the port security feature enabled?
A. Ports 0/1 and 0/2
B. The trunk port 0/22 and the EtherChannel ports
C. Ports 0/1, 0/2 and 0/3
D. Ports 0/1, 0/2, 0/3, the trunk port 0/22 and the EtherChannel ports
E. Port 0/1
F. Ports 0/1, 0/2, 0/3 and the trunk port 0/22
Answer: C
Explanation
Port security can only be configured on static access ports or static trunk ports (DTP disabled). In this case we don’t know whether the ports of the trunk link have DTP disabled or not -> only Fa0/1, Fa0/2 and Fa0/3 can have port security configured.
(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_6_ea2c/configuration/guide/swgports.html)
Which of the following should you enable to prevent a switch from forwarding packets with source addresses that are outside an administratively defined group? (Select the best answer)
A. DAI
B. STP
C. PVLAN
D. port security
Answer: D
Explanation
When you assign secure MAC addresses to a secure port, the port does not forward ingress traffic that has source addresses outside the group of defined addresses.
The example below configures secure MAC address 0000.1234.5678. Only traffic from this MAC is forwarded.
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address 0000.1234.5678
(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.html)
You need to configure port security on switch R1. Which two statements are true about this technology? (Choose two)
A. Port security can be configured for ports supporting VoIP.
B. With port security configured, four MAC addresses are allowed by default.
C. The network administrator must manually enter the MAC address for each device in order for the switch to allow connectivity.
D. With port security configured, only one MAC address is allowed by default.
E. Port security cannot be configured for ports supporting VoIP.
Answer: A D
Explanation
Port security can be set on ports supporting VoIP. This example shows how to designate a maximum of one MAC address for a voice VLAN (for a Cisco IP Phone) and one MAC address for the data VLAN (for a PC) on Fast Ethernet interface 5/1 and to verify the configuration:
Switch(config)# interface fa5/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security maximum 1 vlan voice
Switch(config-if)# switchport port-security maximum 1 vlan access
-> A is correct.
By default, only one MAC address is allowed, but we can use the “switchport port-security maximum number” command to set the maximum number of MAC addresses allowed -> D is correct.
(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/port_sec.html)
When configuring port security on a Cisco Catalyst switch port, what is the default action taken by the switch if a violation occurs?
A. protect (drop packets with unknown source addresses)
B. restrict (increment SecurityViolation counter)
C. shutdown (access or trunk port)
D. transition (the access port to a trunking port)
Answer: C
Explanation
There are three port security violation modes:
+ protect - Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.
+ restrict - Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value and causes the SecurityViolation counter to increment.
+ shutdown - Puts the interface into the error-disabled state immediately and sends an SNMP trap notification.
The default behavior for a security violation is to shut down that port (error-disabled) until an administrator re-enables it.
(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.html)
You are responsible for increasing the security within the Company LAN. Of the following choices listed below, which is true regarding layer 2 security and mitigation techniques?
A. Enable root guard to mitigate ARP address spoofing attacks.
B. Configure DHCP spoofing to mitigate ARP address spoofing attacks.
C. Configure PVLANs to mitigate MAC address flooding attacks.
D. Enable root guard to mitigate DHCP spoofing attacks.
E. Configure dynamic ARP inspection (DAI) to mitigate IP address spoofing on DHCP untrusted ports.
F. Configure port security to mitigate MAC address flooding.
Answer: F
Explanation
Root guard is used to mitigate Spanning-tree compromises, not ARP address spoofing -> A and D are not correct.
DHCP spoofing is mitigated by DHCP snooping -> B is not correct.
PVLANs are often used to protect devices on a common VLAN, giving them more separation even though they are on the same VLAN. They are not used to mitigate MAC address flooding attacks -> C is not correct.
DAI should be used to mitigate ARP spoofing attacks, in which the attacker answers ARP requests with its own MAC address so that it receives traffic intended for a valid destination -> E is not correct.
A MAC flooding attack is a technique in which the attacker floods the switch with frames, each containing a different source MAC address. This makes the switch learn MAC addresses until its MAC address table is full. The switch then acts like a hub, in which all incoming frames are flooded out of all ports instead of just to the correct destination port as in normal operation. The attacker can listen to these flooded frames and capture sensitive data.
To protect against this type of attack, the port security feature can be used to limit the number of MAC addresses on a port and to allow only specific MACs to access it -> F is correct. (A VLAN access map with a “mac access list” can also be used to filter MACs.)
Refer to the exhibit. From the configuration shown, what can be determined?
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport access vlan 21
Switch(config-if)# switchport mode access
Switch(config-if)# switchport voice vlan 22
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 20
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0002
Switch(config-if)# switchport port-security mac-address 0000.0000.0003
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 vlan voice
Switch(config-if)# switchport port-security mac-address 0000.0000.0004 vlan voice
Switch(config-if)# switchport port-security maximum 10 vlan access
Switch(config-if)# switchport port-security maximum 10 vlan voice
A. The sticky addresses will only be those manually configured MAC addresses enabled with the sticky keyword.
B. The remaining secure MAC addresses will be dynamically learned, converted to sticky secure MAC addresses, and added to the running configuration.
C. Since a voice VLAN is configured in this example, port security should be set for a maximum of 2.
D. A security violation will restrict the number of addresses to a maximum of 10 addresses per access VLAN and voice VLAN. The port will be shut down if more than 10 devices per VLAN attempt to access the port.
Answer: B
Explanation
The “sticky” keyword in the switchport port-security mac-address sticky command converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses and adds them to the running configuration.
(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swtrafc.html)