CCNA2 - Chapter 11 Flashcards

(24 cards)

1
Q

– easiest for hackers to deploy

A

Layer 2 attacks

2
Q

prevents MAC address table overflow attacks
- PS limits the no. of valid MAC addresses allowed on a port (admin manually configures MAC addresses, or they are dynamically learned)
- By permitting only the allowed MAC addresses, PS controls unauthorized access to the network

A

Enabling port security

3
Q

command to enable port security

A

S1(config-if)# sw port-security
o If the port is set to dynamic auto (trunking on), the command above will be rejected

4
Q

4 types of port security

A
  • aging
  • mac-address
  • maximum
  • violation
5
Q

limit & learn MAC add

A
  • default = 1
  • max = depends on sw and IOS
6
Q

3 ways learn MAC ADDRESS

A
  1. Manually configured
    S1(config-if)# sw port-security mac-address [ma]
  2. Dynamically learned: the current source MAC connected to the port is auto secured (not added to the run config). Rebooted – port re-learns the device’s MAC add
  3. Dynamically learned – sticky: admin enables the switch to learn dynamically (as in 2) and stick the addresses to the run config
    S1(config-if)# sw port-security mac-address sticky
    * Save

Sh port-security int and sh port-security add – verify configurations

7
Q

2 types of aging

A
  1. Absolute – secure addresses on the port are deleted after the specified aging time
  2. Inactivity – secure addresses on the port are deleted if they are inactive for a specified time

S1(config-if)# sw port-security aging {static | time time | type {absolute | inactivity}}

8
Q

Port security violation modes

A
  1. Shutdown (default) – port goes into the error-disabled state immediately, LED turns off, syslog message is sent
  2. Restrict – port drops packets with unknown source addresses (violation counter increments and a syslog message is generated)
  3. Protect – least secure (packets with unknown source addresses are dropped, but no syslog message is sent)
9
Q

ports in error-disabled state

A

Sh int – identifies the port status as err-disabled
Sh port-security int – identifies the port status as secure-shutdown

10
Q

Verify port security

A

Sh port-security – display port-security settings for all switches
Sh port-security interface – view port-security settings for a specific interface
Sh run | begin int f0/19 – verify that MAC addresses are ‘sticking’ to the configuration
Sh port-security address – display all secure MAC addresses

11
Q

is launched in one of three ways:
- Spoofing DTP messages from the attacking host (sw -> trunking mode)
o Attacker sends traffic tagged w/ the target vlan
- Introducing a rogue switch & enabling a trunk
o Attacker can access ALL vlans on the victim switch
- Double-tagging (double-encapsulated) attack
o Takes advantage of the way hardware on most switches operates

A

VLAN hopping attack

12
Q

Steps to Mitigate VLAN Hopping Attacks

A
  1. Disable DTP (auto trunking) negotiation on non-trunking ports (sw mode)
  2. Disable unused ports & put them in an unused vlan
  3. Manually enable the trunk link on trunking ports (sw mode trunk)
  4. Disable DTP negotiation on trunking ports (sw nonegotiate)
  5. Set the native vlan to a vlan other than VLAN 1 (sw trunk native vlan vlan_no)
13
Q

– uses attack tools such as Gobbler to create a Denial of Service (DoS) for connecting clients
- Can be effectively mitigated using port security. Gobbler = unique source MAC address for each DHCP request sent
- Gobbler – can be configured to use the actual int MAC add as the source ethernet add

A

DHCP starvation attack

14
Q

– requires more protection
- Can be mitigated using DHCP snooping on trusted ports

A

DHCP spoofing attacks

15
Q

filters DHCP messages and rate-limits DHCP traffic on untrusted ports
* Trusted sources
o Devices under admin control (switches, routers, servers)
o Trusted int (trunk links, server ports)
* Untrusted sources
o Devices outside the network & all access ports

A

DHCP snooping

16
Q

– includes the source MAC add of a device on an untrusted port & the IP add assigned to it
- MAC & IP add are bound together
- Aka _________________________________

A

DHCP table
DHCP snooping binding table

17
Q

Steps to Implement DHCP Snooping

A
  1. Enable DHCP snooping globally (S1(config)# ip dhcp snooping)
  2. Trust the trusted ports (S1(config-if)# ip dhcp snooping trust)
  3. Rate-limit the untrusted int (S1(config-if)# ip dhcp snooping limit rate packets-per-second)
  4. Enable DHCP snooping by VLAN (S1(config)# ip dhcp snooping vlan)

S1# sh ip dhcp snooping – verify DHCP snooping settings
S1# sh ip dhcp snooping binding – view the clients that have received DHCP information

18
Q

– requires DHCP snooping and helps prevent ARP attacks by
- Not relaying invalid ARP replies to other ports
- Verifying each intercepted packet for a valid IP-to-MAC binding
- Dropping & logging ARP replies coming from invalid bindings
- Error-disabling the int if the configured DAI no. of ARP packets is exceeded

A

Dynamic ARP Inspection (DAI)

19
Q

DAI Implementation Guidelines

A
  • Enable DHCP snooping globally
  • Enable DHCP snooping on selected VLANs
  • Enable DAI on selected VLANs
  • Configure trusted int for DHCP snooping & ARP inspection
    o Trusted (uplink ports that connect to other switches)
    o Untrusted (all access ports)
20
Q

Destination, source & IP add

A

Destination MAC – checks the destination MAC add in the Ethernet header against the target MAC add in the ARP body
Source MAC – checks the source MAC add in the Ethernet header against the sender MAC add in the ARP body
IP address – checks the ARP body for invalid and unexpected IP addresses, including 0.0.0.0, 255.255.255.255, and all IP multicast addresses

21
Q

PortFast and BPDU Guard

A

PortFast
- Immediately brings a port to the forwarding state from a blocking state, bypassing the listening and learning states
- Apply to all end-user access ports
BPDU Guard
- immediately error disables a port that receives a BPDU
- Like PortFast, BPDU guard should only be configured on interfaces attached to end devices

22
Q

Configure PortFast

A
  • Only enable PortFast on access ports
  • PortFast on an inter-switch link = spanning-tree loop

On int – S1(config-if)# spanning-tree portfast
Globally - S1(config)# spanning-tree portfast default

23
Q

Verify PortFast

A

Verify PortFast is enabled GLOBALLY
- Sh run | begin span
- Sh spanning-tree summary
Verify PortFast is enabled on an INTERFACE
- Sh run int type/number
- Sh run int type/number detail

24
Q

Configure BPDU Guard

A
  • If a BPDU is received on a BPDU Guard enabled access port, the port is put into error-disabled state
  • This means the port is shut down and must be manually re-enabled or automatically recovered through the errdisable recovery cause secure_violation global command

On interface – S1(config-if)# spanning-tree bpduguard enable
Globally – S1(config)# spanning-tree bpduguard default