5.7 Layer 2 Security Features Flashcards
Configure and verify Layer 2 security features (DHCP snooping, dynamic ARP inspection, and port security). (26 cards)
Define:
Layer 2 security features
Security mechanisms that protect against threats at the Data Link layer.
Layer 2 security features include DHCP snooping, Dynamic ARP Inspection (DAI), and Port Security, all designed to protect the network from unauthorized access, ARP spoofing, and rogue DHCP servers.
Define:
DHCP snooping
A security feature that prevents rogue DHCP servers from assigning IP addresses.
DHCP snooping inspects DHCP messages on the VLANs where it is enabled, drops server-side messages (DHCPOFFER, DHCPACK, DHCPNAK) that arrive on untrusted ports, and records every completed client lease in a binding table. A rogue server on a client port therefore cannot hand out a malicious IP configuration (for example a default gateway or DNS server under the attacker's control).
How does DHCP snooping enhance network security?
It allows DHCP server responses to enter the switch only on trusted ports.
By forwarding client requests but discarding any DHCP server message received on an untrusted port, DHCP snooping prevents a rogue server from answering clients faster than the legitimate one and injecting attacker-controlled gateway or DNS settings. The binding table it builds is also the data other Layer 2 features, such as Dynamic ARP Inspection, rely on.
How do trusted and untrusted ports differ in DHCP snooping?
- Trusted ports: Permit DHCP server messages.
- Untrusted ports: Used for client devices.
Every port is untrusted by default. Trusted ports are the uplinks toward authorized DHCP servers (or toward other switches that lead to them) and are allowed to carry DHCP server messages. Untrusted ports connect client devices: the switch forwards their DHCP requests but drops any DHCP offer, ACK or NAK received on them, so a client port can never act as a DHCP server.
What command enables DHCP snooping on a Cisco switch?
ip dhcp snooping
This command is required to enable DHCP snooping globally, and additional configurations are needed to define trusted ports and specify VLANs to monitor.
What are the steps to configure DHCP snooping?
- Enable DHCP snooping globally with ip dhcp snooping.
- Enable it on the VLANs to protect with ip dhcp snooping vlan [vlan_id]; it is inactive on any VLAN not listed.
- Mark the uplinks toward the DHCP server as trusted with ip dhcp snooping trust on the interface; all other ports stay untrusted by default.
- Optionally rate-limit DHCP packets on untrusted ports with ip dhcp snooping limit rate [pps] so a host cannot flood the snooping process.
- Verify with show ip dhcp snooping (trusted interfaces and enabled VLANs) and show ip dhcp snooping binding.
DHCP snooping helps secure the network by ensuring that only authorized DHCP servers can assign IP addresses, and its binding table becomes the reference that Dynamic ARP Inspection uses later.
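The steps above as one complete IOS configuration, added here as an example and not part of the original card set. The interface names, VLAN IDs, rate limit and the option 82 setting are assumptions for illustration.

```cisco
! Added example (not from the card set); interface names and VLANs are assumed.
! 1. Enable DHCP snooping globally, then on the access VLANs it should protect.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Option 82 insertion is on by default. It is turned off here on the
! assumption that the DHCP server rejects option 82 coming from a switch
! that is not the relay agent; leave it on if the server accepts it.
no ip dhcp snooping information option

! 2. Every port is untrusted by default. Trust only the uplink toward the DHCP server.
interface GigabitEthernet1/0/24
 description Uplink toward DHCP server
 ip dhcp snooping trust

! 3. Access ports stay untrusted. Rate-limit their DHCP packets so a single
!    host cannot flood the snooping process (10 packets per second assumed).
interface range GigabitEthernet1/0/1 - 23
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10

! A port that exceeds its rate limit is err-disabled; recover it automatically
! after 300 seconds instead of waiting for a manual shutdown / no shutdown.
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
```

Check the result with show ip dhcp snooping, which must list VLANs 10 and 20 as enabled and GigabitEthernet1/0/24 as trusted, and with show ip dhcp snooping binding once a client has obtained a lease. If the binding table stays empty while clients get addresses, the usual cause is that the VLAN was not added with ip dhcp snooping vlan or the server's replies are arriving on a port that was never trusted.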
True or False:
DHCP snooping only works with IP addresses.
False
DHCP snooping records a full binding for each client lease: MAC address, IP address, lease time, VLAN and the interface the client sits behind. Besides filtering DHCP server messages, this table is the data source Dynamic ARP Inspection (DAI) uses to detect ARP spoofing.
What does DHCP snooping prevent in a network?
Unauthorized DHCP servers from assigning IP addresses.
By monitoring and controlling DHCP messages, DHCP snooping ensures only legitimate DHCP servers can assign IP addresses to clients, preventing network disruption.
Fill in the blank:
Dynamic ARP Inspection (DAI) helps protect against ______ ______.
ARP spoofing
DAI validates ARP messages to ensure that they are not malicious, preventing attackers from sending false ARP replies to hijack network traffic.
What does the show ip dhcp snooping binding command display?
The IP-to-MAC address bindings learned via DHCP snooping: one entry per completed lease with the MAC address, IP address, remaining lease time, binding type, VLAN and interface.
This table is what Dynamic ARP Inspection (DAI) consults to validate ARP messages and prevent ARP spoofing attacks; an entry disappears when its lease expires or the client releases the address.
What is the primary function of Dynamic ARP Inspection (DAI)?
It prevents ARP spoofing
DAI checks ARP requests and responses against the DHCP snooping database, ensuring the IP-MAC bindings are correct to prevent attackers from sending falsified ARP responses.
How does Dynamic ARP Inspection (DAI) protect against ARP spoofing?
It validates ARP packets against the DHCP snooping binding database.
DAI ensures that ARP messages contain valid IP-to-MAC mappings, preventing attackers from sending false ARP responses to hijack traffic.
What command enables Dynamic ARP Inspection (DAI) on a Cisco switch for a VLAN?
ip arp inspection vlan [vlan_id]
This command enables DAI for the listed VLANs. The switch then intercepts ARP requests and replies arriving on untrusted ports in those VLANs, checks the sender IP-to-MAC pair against the DHCP snooping bindings, and drops packets that do not match. Uplinks toward other DAI-protected switches are marked with ip arp inspection trust so traffic already inspected at the access edge is not re-inspected and dropped.
True or False:
Dynamic ARP Inspection (DAI) works without DHCP snooping.
False
DAI validates ARP packets against the IP-to-MAC bindings learned by DHCP snooping, so DHCP snooping must be running on the same VLANs for DAI to protect DHCP-addressed hosts.
The only other source of valid bindings is a manually maintained ARP ACL, which covers hosts with static addresses but does not scale as the sole source. The dependency is one-way: DHCP snooping works fine without DAI.
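A DAI configuration matching the two cards above, added here as an example and not part of the original card set. It assumes DHCP snooping is already active on the same VLANs; the VLAN IDs, interface names and the static host address are assumptions for illustration.

```cisco
! Added example (not from the card set); VLANs, interfaces and addresses are assumed.
! DAI reads the DHCP snooping binding table, so ip dhcp snooping and
! ip dhcp snooping vlan 10,20 must already be configured.
ip arp inspection vlan 10,20
! Optional extra checks on top of the binding lookup: source MAC must match
! the ARP sender MAC, destination MAC must match the ARP target MAC on
! replies, and IP addresses must not be 0.0.0.0, 255.255.255.255 or multicast.
ip arp inspection validate src-mac dst-mac ip

! A statically addressed host never gets a DHCP snooping entry. An ARP ACL
! supplies its binding (host 10.1.10.50 / 0011.2233.4455 is assumed).
! Without the "static" keyword, packets that match no ACL line fall through
! to the DHCP snooping bindings instead of being dropped.
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10

! Uplinks toward other DAI-enabled switches are trusted: their ARP traffic
! was already inspected at the access edge, and re-inspecting it would drop
! legitimate replies for hosts whose leases live on the other switch.
interface GigabitEthernet1/0/24
 ip arp inspection trust

! Access ports stay untrusted. 15 ARP packets per second is the IOS default
! limit for untrusted ports; exceeding it err-disables the port.
interface range GigabitEthernet1/0/1 - 23
 ip arp inspection limit rate 15

errdisable recovery cause arp-inspection
```

Verify with show ip arp inspection vlan 10 (operation state and which validations are on), show ip arp inspection interfaces (trust state and rate limit per port) and show ip arp inspection statistics, whose Dropped counter rising on an access port points at a host sending ARP replies for an address it does not hold.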
Define:
Port Security
A feature that limits access to a switch port based on the MAC address.
Port Security ensures that only authorized devices, identified by their MAC addresses, can communicate on the port, preventing unauthorized devices from accessing the network.
Describe how Port Security works with the “restrict” mode.
It drops frames from unauthorized MAC addresses, logs each violation and keeps the port up.
In restrict mode the port keeps forwarding traffic from the allowed MAC addresses, silently drops frames from any other source address, increments the violation counter and generates a syslog message and SNMP trap for each violation. The port is not disabled, so the legitimate device keeps working while the administrator gets visibility into the attempt.
What happens if a Port Security violation occurs in shutdown mode?
The port is placed in the err-disabled state and stops forwarding all traffic.
In shutdown mode the switch err-disables the port on the first violation, which also drops the legitimate device's traffic. An administrator restores it with shutdown followed by no shutdown, or the switch can recover it automatically after a timer if errdisable recovery cause psecure-violation is configured.
Define:
sticky MAC addresses
MAC addresses dynamically learned on a port and written into the running configuration as secure addresses.
Sticky MAC addresses are learned like normal dynamic entries but converted into switchport port-security mac-address sticky [mac] lines in the running config, so they survive a link flap and, once the running config is saved to startup-config, a reload as well. This removes the need to type each allowed address by hand.
What are the three Port Security violation modes?
- Protect
- Restrict
- Shutdown
Protect – Drops frames from unauthorized MAC addresses silently: no log message, no SNMP trap and no violation counter increment, so the attempt is invisible to the operator.
Restrict – Drops the frames, increments the violation counter and sends a syslog message and SNMP trap; the port stays up.
Shutdown – Puts the port in the err-disabled state, which requires manual intervention (shutdown / no shutdown) or errdisable recovery to bring it back. This is the default mode.
Why would you configure Port Security with a limit on MAC addresses?
To prevent unauthorized devices from accessing the network.
Limiting the number of MAC addresses per port ensures that only the expected number of devices can connect, for example one PC, or a PC behind an IP phone. It also blocks MAC flooding (CAM table overflow) attacks, which depend on a single port sourcing thousands of addresses to force the switch to flood unicast traffic.
What is the default behavior of Port Security when a violation occurs?
The default violation mode is shutdown, and the default maximum is one MAC address.
With only switchport port-security configured, the first frame from a second source MAC address puts the port into the err-disabled state, dropping all traffic on it until an administrator runs shutdown / no shutdown or an errdisable recovery timer expires.
How does Port Security handle dynamically learned MAC addresses?
By learning source MAC addresses from incoming frames and binding them to the port as secure addresses, up to the configured maximum.
Dynamically learned secure addresses are either non-sticky, which are kept only in the address table and lost when the link goes down or the switch reloads, or sticky, which are also written into the running configuration. Non-sticky learning suits ports where devices change often; sticky learning suits fixed devices whose addresses should be locked in.
What command enables Port Security on a switch?
switchport port-security
This interface command enables Port Security on a port that is already set to static access (switchport mode access) or trunk mode; it is rejected on a port in the default dynamic auto mode. Further settings such as switchport port-security maximum, mac-address sticky and violation mode are then applied on the same interface.
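A Port Security configuration that brings together the violation modes, sticky learning and the defaults described in the cards above, added here as an example and not part of the original card set. The interface name, VLAN and the maximum of two addresses are assumptions for illustration.

```cisco
! Added example (not from the card set); interface, VLAN and limits are assumed.
interface GigabitEthernet1/0/5
 description Desk port, two devices expected (assumed)
 ! Port Security is refused on a dynamic auto port; set a static mode first.
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! Default maximum is 1; two devices are expected on this port.
 switchport port-security maximum 2
 ! Learn the first two source MACs and write them into the running config
 ! as secure addresses so they survive a link flap (and a reload once saved).
 switchport port-security mac-address sticky
 ! Default violation mode is shutdown (err-disable on the first extra MAC).
 ! Restrict keeps the port up for the learned devices, drops frames from any
 ! other MAC, and logs and counts each violation, so the event is visible.
 switchport port-security violation restrict

! Ports left in the default shutdown mode elsewhere on the switch recover
! automatically after 300 seconds instead of requiring shutdown / no shutdown.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

Check the state with show port-security interface GigabitEthernet1/0/5, which reports the violation mode, the maximum and current address count, the number of violations and the sticky addresses, and with show port-security address for the whole switch. Save with copy running-config startup-config, otherwise the sticky entries are lost at the next reload and the port re-learns whatever plugs in first.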