CCNP switch slides 7

Question 1

source

Answer 1

http://quizlet.com/3373218/ccnp-switch-deck-7-flash-cards/

Question 2

On what basis is port security turned on?

Answer 2

Port basis

Question 3

What is the configurable range of remembered MAC addresses?

Answer 3

1-1024

Question 4

How do sticky mac addresses work?

Answer 4

When port security is turned on, by default, mac addresses are sticky and no aging occurs

Question 5

What does port-security shutdown do?

Answer 5

Puts port into errdisable state. Must be manually re-enabled or errdisable recovered

Question 6

What does port-security restrict do?

Answer 6

Port stays up, but packets from violating MACs are dropped. Switch logs violating packets

Question 7

What does port-security protect do?

Answer 7

Port stays up, packets from violating MACs dropped, no logging

Question 8

What must be supported for port-based security to occur?

Answer 8

802.1x with EAP over LAN (EAPOL)

Question 9

At what layer does EAPOL run?

Answer 9

L2

Question 10

How is 802.1x configured for port security?

Answer 10

RADIUS

Question 11

What are the 6 steps to configure 802.1x for port security?

Answer 11

1-enable AAA on switch, 2-define RADIUS servers, 3-define authentication method, 4-enable 802.1x on switch, 5-conf. 802.1x ports, 6-allow hosts

Question 12

What is 802.1x force-authorized?

Answer 12

the port is forced to always authorize any connected client with no authentication necessary (default)

Question 13

What is 802.1x force-unauthorized?

Answer 13

port is forced to never authorize any connected client

Question 14

What is 802.1x auto?

Answer 14

The port uses 802.1x exchange to move from unauthorized to authorized. Requires app on client

Question 15

What scope is 802.1x enabled?

Answer 15

globally

Question 16

What categories can ports be in with dhcp snooping enabled?

Answer 16

trusted or untrusted

Question 17

What is an untrusted port under dhcp snooping?

Answer 17

any dhcp reply coming from an untrusted port is discarded and the offending port is put in errdisable

Question 18

What data does DHCP snooping track?

Answer 18

completed dhcp bindings, mac addresses, IP addresses, etc.

Question 19

How is DHCP snooping enabled (scope)?

Answer 19

globally

Question 20

When DHCP snooping is turned on, by default, it considers all ports ______

Answer 20

untrusted

Question 21

How does adding option-82 to DHCP snooping affect things?

Answer 21

The switch adds its MAC to the option 82 field so that the DHCP reply echoes back the switch’s own information

Question 22

what is dhcp snooping rate limiting?

Answer 22

Limits the number if dhcp requests on a port\

Question 23

What are spoofed addresses?

Answer 23

They disguise the origin of an attack

Question 24

What does IP source guard do?

Answer 24

makes use of the DHCP snooping database and static ip source binding entries. If enabled, switch will test addresses

Question 25

What 2 conditions does IP source guard check for?

Answer 25

source IP and MAC must match those addresses learned by DHCP snooping or a static entry

Question 26

What is step 1 of enabling IP source guard?

Answer 26

configure and enable DHCP snooping

Question 27

If you want IP source guard to detect spoofed MAC addresses, what must you do?

Answer 27

turn on port security

Question 28

How do you configure IP source guard for hosts that don't use DHCP?

Answer 28

by creating a static IP binding

Question 29

What is DAI?

Answer 29

Dynamic arp inspection

Question 30

How does DAI work?

Answer 30

all ARP packets that arrive on untrusted ports are inspected.

Question 31

What happens when an ARP reply is received on an untrusted port?

Answer 31

The switch checks the MAC and IP reported in the reply against trusted values. If they don't match, it is dropped and logged

Question 32

How does a DAI enabled switch gather trusted ARP info?

Answer 32

from the DHCP snooping database or from static entries

Question 33

On what scope is DAI enabled?

Answer 33

per VLAN

Question 34

Which ports should you consider trusted for DAI?

Answer 34

those that connect to other switches

Question 35

How do you configure DAI for statically configured IP addresses?

Answer 35

by an ARP access list that defines the permitted bindings

Question 36

what does the static keyword do when applying an arp ACL?

Answer 36

prevents the dhcp binding DB from being checked.

Question 37

Can ARP replies be checked

Answer 37

yes

Question 38

what does the src-mac option do when checking ARP replies

Answer 38

checks the source MAC in the header against the sender MAC in the ARP reply

Question 39

what does the dst-mac option do when checking ARP replies

Answer 39

checks the destination MAC in the header against the target MAC in the ARP reply

Question 40

what does the ip option do when checking ARP replies

Answer 40

checks the sender's ip in all arp requests and checks the sender's IP against target IP in all replies

Question 41

what does the switchport host macro do?

Answer 41

sets the switchport mode to access, enables portfast, and turns off channel grouping for the port

Question 42

When should CDP be enabled?

Answer 42

only for trusted Cisco gear, especially phones

Question 43

How are VACLs configured?

Answer 43

as a VLAN access map

Question 44

How are VACLs applied

Answer 44

to a VLAN and not to a VLAN interface (SVI)

Question 45

what is a PVLAN?

Answer 45

a private VLAN can be logically associated with a special secondary vlan

Question 46

what if a secondary VLAN?

Answer 46

hosts associated with a secondary VLAN can communicate with ports on the primary but not with another secondary VLAN

Question 47

what are the 2 types of secondary VLAN?

Answer 47

isolated and community

Question 48

what is an isolated secondary VLAN?

Answer 48

any ports associated with an isolated vlan can reach the primary, but not any other secondary. Hosts withn an isolated vlan can't reach each other

Question 49

What is a community secondary VLAN?

Answer 49

hosts within a secondary can communicate with each other and with the primary, but not with another secondary vlan

Question 50

Does VTP pass private VLAN configuration?

Answer 50

no

Question 51

Of what significance are private VLANs

Answer 51

local only

Question 52

What are the two private vlan association modes?

Answer 52

promiscuous and host

Question 53

What is the PVLAN promiscuous mode?

Answer 53

connects to a router, firewall, or gateway. Can communicate with anything else connected to the primary or any secondary. Ignores pvlan config

Question 54

What is the PVLAN host mode?

Answer 54

connects to a host on an isolated or community vlan. Communicates only with promiscuous port or ports on same community vlan

Question 55

How do you prevent switch spoofing?

Answer 55

by configuring every switch port to have an expected and controlled behavior

Question 56

How do you prevent VLAN hopping?

Answer 56

set the native VLAN of a trunk to a bogus or unused VLAN ID then prune the native VLAN off both ends of the trunk