CCNP switch slides 18

Question 1

source

Answer 1

http://www.coursehero.com/flashcards/430748/CCNP-SWITCH-642-813-Campus-Network-Security/

Question 2

What is VLAN Hopping? How do you fight it?

Answer 2

When a malicious user double-tags a frame with two VLAN IDs, to get his traffic onto another VLAN. -Fight it by setting the native VLAN of the trunk to a bogus, or unused, VLAN. And pruning the Actual Network Native VLAN off both ends of the trunk. OR you can force the trunk to tag the native VLAN.

Question 3

Are private VLANs globally or locally significant?

Answer 3

Locally Significant, as VTP doesn’t transmit any private VLAN information.

Question 4

What is switch spoofing? How do you fight it?

Answer 4

Where a malicious user exploits the autonegotiating nature of DTP to negotiate a trunk port with a switch. -Fight it by assigning every port to a static DTP mode (switchport mode access/trunk)

Question 5

What is a primary VLAN?What is a secondary VLAN?

Answer 5

-Primary VLANs are logically assigned to normal VLANs. -Secondary VLANs can communicate with primary VLANs, but not with another secondary VLAN.

Question 6

What type of attack is IP Source Guard designed to protect against?

Answer 6

IP Spoofing.

Question 7

All secondary VLANs must be associated with one _____?

Answer 7

Primary VLAN.

Question 8

Access Lists that can filter within a VLAN are know as what?

Answer 8

VLAN Access Lists (VACL)

Question 9

Can port security be enabled globally?

Answer 9

No, it is enabled on a per-port basis.

Question 10

What ports should be trusted in Dynamic ARP Inspection?

Answer 10

ports connected to other switches.

Question 11

How does DHCP snooping work on Cisco devices? What is the default behavior?

Answer 11

Ports can be trusted or untrusted. DHCP replies from untrusted ports will be discarded, and that port will be placed in the errdisabled state. -Default behavior is that all ports are UNtrusted.

Question 12

How does IP source guard work?

Answer 12

It checks the DHCP Snooping table to build a custom ACL for the port to filter rouge IPs, and it uses port security to filter out rouge MACs from those IPs.

Question 13

What two features must be enabled to get the most out of IP Source Guard?

Answer 13

DHCP snooping and port security.

Question 14

What type of server is needed for Port-Based Authentication?

Answer 14

a RADIUS server.

Question 15

What is 802.1x used for?

Answer 15

Port based Authentication.

Question 16

What are the three types of violations on port-security?

Answer 16

-Shutdown, puts the port into the errdiabled state. -Restrict, Port stays up, but traffic from the violating MAC addresses are dropped. (counters, SNMP traps, syslog, etc)-Protect, port stays up, violating MACs are dropped, but no record is kept.

Question 17

Explain DHCP snooping.

Answer 17

A rouge DHCP server exists on a subnet, and replies to all requests with its own addresses. This is a basic man-in-the-middle attack.

Question 18

In regard to port security, what are ‘Sticky MAC addresses’?

Answer 18

MACs that are learned dynamically from incoming traffic on the port.

Question 19

What command enables an access map for a VACL?

Answer 19

‘vlan access-map NAME’

Question 20

What command enables IP source guard on an interface?

Answer 20

‘ip verify source [port-security]’

Question 21

How does Dynamic ARP Inspection work?

Answer 21

Ports are either trusted or UNtrusted (default!). When ARP replies are received on UNtrusted ports, it either compares the reply information to its static information or to the DHCP snooping database. If ARP replies are invalid they are dropped and a log entry is made.

Question 22

What is the command to enable Dynamic ARP Inspection Validation, and what are the three options for it?

Answer 22

(config)’ip arp inspection validate’-src-mac, Checks the source MAC in the header against the sender MAC in the ARP reply.-dst-mac, Checks the destination MAC in the header against the target MAC in the ARP reply.-IP, Checks the senders IP address against the target IP in all ARP replies.

Question 23

Where on a switch is Dynamic ARP Inspection enabled?

Answer 23

On a per-VLAN basis.

Question 24

What is the command to enable 802.1x port-based security on a switchport, and what are the three states it can be configured for?

Answer 24

‘dot1x port-control’-Force-authorized, connects any client without authentication (the Default!)-Force-unauthorized, Never authorizes anyone, effectively disabled the port.-Auto, Authorizes upon successful authentication, and requires client software.

Question 25

What are the two modes that physical switchports can be configured as for Private VLANs?

Answer 25

-Promiscuous, Can communicate with primary or secondary VLANs (this should be on primary ports).-Host, communicates only with promiscuous ports, or ports on the same community VLAN.

Question 26

What type of attack is Dynamic ARP Inspection designed to mitigate?

Answer 26

ARP Poisoning or ARP spoofing.

Question 27

By default, will Sticky MACs time-out of the MAC address table for port security?

Answer 27

Nope… by default no aging occurs.

Question 28

What are the two types of secondary VLANs?

Answer 28

-Isolated, can only communicate with the Primary VLAN. -Community, Can communicate with the primary VLAN, and others in the same secondary VLAN.

Question 29

What command applies a VACL to a VLAN?

Answer 29

(global)’vlan filter NAME vlan-list LIST’

Question 30

how can you flush the port-security table?

Answer 30

‘clear port-security dynamic’

Question 31

How to VACLs differ from ACLs?

Answer 31

VACLs can permit, deny, or redirect, and they are configured in a ‘route map’ fashion. They also do not get applies ‘in’ or ‘out’, they just ‘are’.