Switch Security Flashcards
The switch maintains a ________________, which records the association between the MAC address of a device and the IP address it has been assigned by an authorized DHCP server. This table helps the switch identify legitimate DHCP responses.
DHCP Snooping Binding Table
What is DHCP Snooping?
DHCP Snooping is a security feature available on Cisco switches. It works by inspecting DHCP messages exchanged between DHCP clients and DHCP servers and comparing them to the DHCP Snooping Binding Table to make sure that the association between the MAC Address of the device and its IP address is valid. If it is not, the switch drops the packet.
How would you enable DHCP Snooping on a switch?
ip dhcp snooping
ip dhcp snooping vlan {vlan-id} (You want to make sure you do this for all VLANs)
int {int}
ip dhcp snooping trust (You want to enable this on upstream ports pointing to the valid DHCP server)
When you enable ip dhcp snooping trust on an interface, what does that command do?
It makes that interface a trusted interface, so it is allowed to receive valid DHCP traffic
What happens if DHCP traffic arrives on a port that is not trusted?
The switch will drop that DHCP traffic
What protocol would you use to stop a Man-in-the-Middle attack?
DAI - Dynamic ARP Inspection
True or False: DAI (Dynamic ARP Inspection) can work without DHCP Snooping being turned on
False. DHCP Snooping has to be turned on for DAI to work, because DHCP Snooping is the protocol that actually builds the DHCP Snooping Binding Table that DAI uses to inspect traffic.
Briefly explain DAI
DAI is a security feature that works by inspecting ARP packets as they traverse the network and validating the mapping between IP addresses and MAC addresses against the DHCP Snooping Binding Table
How does DAI know about the mappings between the IP Address and MAC Address?
The DHCP Snooping Binding Table
How would you configure DAI?
int {int}
ip arp inspection trust
(Do this for all non-DHCP hosts on the switch such as servers, routers, etc. They have to be trusted)
ip arp inspection vlan {vlan-id}
(This is for all your PCs that get their IP Address from DHCP; they should not be trusted ports, so they need DAI enabled on them)
At what layer is DAI enabled?
Layer 2 (VLAN Layer) and Layer 3.
Context: While DAI primarily operates at Layer 2, its purpose is to protect the integrity of ARP data used at Layer 3. It verifies that the ARP information provided by devices matches the information in the DHCP binding table. This helps ensure that the IP-to-MAC address mappings used at Layer 3 are accurate and haven’t been tampered with by malicious devices.
How would you configure port security at the interface level?
int {int}
switchport port-security
If you configure Port Security with no additional parameters then how many MAC Addresses are allowed to transmit on that port?
1
True or False: The port security command should only be enabled on the ports that have something plugged into them
False. It should be enabled on every port on the switch, because it controls the number of MAC Addresses that a port will accept traffic from
Describe a scenario where Port Security would be a good thing.
If someone unplugged a PC from a wall port, put a Wi-Fi access point in its place and connected multiple devices to it. At that point the switch would be receiving traffic from multiple MAC Addresses, and if Port Security was configured it would only accept traffic from 1 MAC Address and drop all other packets.
How does Port Security know which device is allowed?
The one currently in the MAC Address table for that port.
Are you able to switch out devices with Port Security enabled and have it learn another MAC Address?
Yes, the port is not locked down to a particular MAC Address. It is just the number of MAC Addresses the port will accept traffic from
How would you verify an interface's port security settings?
show port-security int {int}
What are the three Security Violation Actions for Port Security?
Shutdown (default)
Protect
Restrict
What Violation Action is this: The interface is placed into the error-disabled state, blocking all traffic
Shutdown
What violation action is this: Traffic from unauthorized addresses is dropped. Traffic from allowed addresses is forwarded. Traffic from the learned MAC Address will still be able to transmit. All other hosts’ traffic will be dropped
Protect
What Security Violation Action is this: Traffic from unauthorized addresses is dropped, logged and the violation counter incremented. Traffic from allowed addresses is forwarded
Restrict
How would you change the violation actions manually?
int {int}
switchport port-security violation protect (or restrict)
(Remember that shutdown is the default)
What command would you use to auto recover from a port being disabled by a port security violation?
errdisable recovery cause psecure-violation
errdisable recovery interval 600
By default how many MAC Addresses are allowed when generic Port Security is enabled?
1
What commands would you use to allow multiple MAC Addresses with Port Security?
int {int}
switchport port-security maximum 2 (or greater)
What commands would you use to lock down an access port to one static MAC Address?
int {int}
switchport port-security
switchport port-security mac-address {mac-address}
switchport port-security maximum 1
If you didn’t want to have to find every MAC Address and add it to an access port for Port Security, how could you tell the access port to just use the MAC Address already in place?
int {int}
switchport port-security
switchport port-security mac-address sticky
What command would verify port security addresses?
show port-security address
If you wanted to see how many ports had been shut down because of a violation, what command would you use?
show port-security
When viewing the output of show port-security address, what do Dynamic Configured and SecureConfigured mean?
Dynamic Configured = Dynamically learned MAC Address
SecureConfigured = Manually configured at the access port level