L2 Security Features Flashcards

1
Q

Port security allows you to:

A

Control which source MAC addresses are allowed to enter a switchport

2
Q

If an unauthorized source MAC address enters a port, the default action is:

A

Put the interface in an ‘err-disabled’ state

3
Q

With default settings, when port security is enabled, how many MAC addresses are allowed per port?

A

1

4
Q

T/F: With default settings, when port security is enabled, the switch will allow the first source MAC address that enters the interface

A

T

5
Q

T/F: With default settings, when port security is enabled, the switch will allow the most recently seen source MAC address that enters the interface

A

F

The first source MAC seen will be allowed by default

6
Q

T/F: You can change the maximum number of MAC addresses allowed by port security

A

T

7
Q

T/F: VoIP phone MACs do not count toward the number of source MAC addresses considered by port security

A

F

8
Q

T/F: VoIP phone MACs do count toward the number of source MAC addresses considered by port security

A

T

9
Q

T/F: The port security allowed source MAC has to be manually configured on the switch

A

F

By default, the MAC is dynamically learned from the first seen source MAC

10
Q

Explain why port security is useful

A

Controlling which devices are allowed to access the network.

11
Q

Explain which port security feature is more useful: specifying the allowed MACs, or limiting the number of allowed MACs

A

Limiting the number of allowed MACs

MAC address spoofing is easy, but limiting the number of source MACs per interface helps mitigate DHCP starvation and other similar attacks

12
Q

What is the command to enable port security on an interface

A

**switchport port-security**

13
Q

T/F: Port security can be enabled on access and trunk ports, but they must first be statically configured as either trunk or access ports

A

T

14
Q

T/F: Port security can only be enabled on dynamic or access ports

A

F

Port security can only be enabled on static trunks or static access ports

15
Q

T/F: Port security can only be enabled on DTP dynamic auto or DTP dynamic desirable ports

A

F

Port security can’t be enabled on any DTP dynamic port, regardless of whether it is dynamic auto or dynamic desirable

16
Q

T/F: Port security can only be enabled on access ports

A

F

Port security can be enabled on both access and trunk ports, so long as they are statically configured as such

17
Q

What must first be configured on an interface before the command **switchport port-security** will be accepted

A

Statically configuring the port as either a trunk or access port using **switchport mode** *mode*

18
Q

T/F: By default, learned allowed source MACs do not age out

A

T

19
Q

T/F: By default, learned allowed source MACs age out

A

F

20
Q

Instead of having to shut-no-shut an ErrDisabled switchport, you can use:

A

**errdisable recovery**

21
Q

T/F: By default, ErrDisable recovery is disabled for all ErrDisable reasons

A

T

22
Q

T/F: By default, ErrDisable recovery is enabled for all ErrDisable reasons

A

F

23
Q

Explain the default settings for ErrDisable recovery

A

Every 5 minutes (the default timer), all err-disabled interfaces are re-enabled, but only if err-disable recovery has been enabled for the cause of the interface’s disablement

24
Q

What is the command to enable ErrDisable recovery for a specific ErrDisable cause

A

**errdisable recovery cause** *err-disable-reason*

25
What is the command to view all ErrDisable causes
**sh errdisable recovery**
26
What is the command to change the ErrDisable recovery timer
**errdisable recovery interval** *seconds*
27
What is the command to view all ErrDisable recovery enablings/disablings
**sh errdisable recovery**
28
ErrDisable recovery is useless if:
You don't remove the device that caused the interface to enter the err-disabled state
29
T/F: If the previous allowed MAC address was dynamically learned, it is cleared when the port is disabled
T
30
T/F: If the previous allowed MAC address was dynamically learned, it is cleared when the port is disabled. If you enable ErrDisable recovery for port security, then the switch may re-learn the unauthorized MAC address as the allowed when the port is re-enabled
T
31
T/F: If the previous allowed MAC address was statically configured, it is cleared when the port is disabled. If you enable ErrDisable recovery for port security, then the switch may re-learn the unauthorized MAC address as the allowed when the port is re-enabled
F. The MAC will not be cleared if it was manually configured.
32
T/F: If the previous allowed MAC address was dynamically learned, it isn't cleared when the port is disabled. If you enable ErrDisable recovery for port security, then the switch has no chance of potentially re-learning the unauthorized MAC address as the allowed one when the port is re-enabled
F. The allowed MAC will be cleared if it was dynamically learned, so there is a risk that the unauthorized MAC could be re-learned as the allowed one.
33
List the port security violation modes
- Shutdown
- Restrict
- Protect
34
Explain the port security shutdown violation mode
Places port in err-disabled state. Generates one syslog and/or SNMP message when the port is disabled. Violation counter is set to 1 when the interface is disabled.
35
Explain the port security restrict violation mode
Switch discards traffic from unauthorized MAC addresses. Interface is not disabled. Generates a syslog and/or SNMP message each time an unauthorized MAC is detected. Violation counter incremented by 1 for each unauthorized frame.
36
Explain the port security protect violation mode
Switch discards traffic from unauthorized MAC addresses. Interface is not disabled. Doesn't generate any syslog/SNMP messages, doesn't increment violation counter
37
What is the command to configure a secure mac aging time on a switchport
**switchport port-security aging time** *minutes*
38
T/F: The default aging type of a secure MAC is absolute
T
39
Explain what absolute aging of a secure MAC means
After the secure MAC is learned, the aging timer starts and is not refreshed by traffic from that source MAC.
40
Explain what inactivity aging of a secure MAC means
After the secure MAC is learned, the aging timer starts but is reset every time a frame from that source MAC is received on the interface
41
What is the command to configure the aging type of a switchport
**switchport port-security aging type {absolute | inactivity}**
42
T/F: By default, only dynamically learned secure MACs will age out
T
43
T/F: By default, secure static MAC aging is disabled
T
44
What is the command to enable secure static MAC aging
**switchport port-security aging static**
45
What is the command to enable sticky secure MAC address learning
**switchport port-security mac-address sticky**
46
Define a sticky secure MAC address:
A secure MAC address that will never age out (the configuration must be saved to the startup-config to make it truly permanent)
47
T/F: Issuing **switchport port-security mac-address sticky** converts all current dynamically-learned secure MAC addresses to sticky secure MAC addresses
T
48
T/F: Issuing **switchport port-security mac-address sticky** converts only the most recent dynamically-learned secure MAC, as well as future dynamically learned secure MACs
F. This command converts all current dynamically-learned secure MACs.
49
T/F: Issuing **no switchport port-security mac-address sticky** converts all current sticky secure MAC addresses to regular dynamically-learned secure MAC addresses
T
50
T/F: Issuing **no switchport port-security mac-address sticky** converts only the most recently learned sticky secure MAC to a regular dynamically-learned secure MAC
F. It converts all sticky secure MACs.
51
What is the command to view all secure MAC addresses on a switch
**sh mac address-table secure**
52
Define DHCP snooping:
A security feature that is used to filter DHCP messages received on untrusted ports
53
T/F: DHCP snooping only filters DHCP messages
T
54
T/F: All switchports are untrusted by default
T
55
T/F: All switchports are trusted by default
F
56
In regard to DHCP snooping: Best practice is for uplink ports to be _____ and downlink ports to be ______
trusted, untrusted
57
In regard to DHCP snooping: Uplink ports point toward ______, downlink ports point toward ______
Core network infrastructure, clients
58
What are two types of attacks that DHCP snooping can mitigate?
DHCP starvation, DHCP poisoning
59
DHCP poisoning can be used for a _____ attack
Man in the middle
60
A ______ DHCP server is malicious and attempts to hijack legitimate DHCP server functionalities
Spurious DHCP server
61
DHCP server messages received on an untrusted port are always:
Discarded
62
T/F: DHCP server messages received on an untrusted port are always forwarded
F. DHCP server messages received on an untrusted port are always discarded.
63
What happens when a DHCP message is received on a trusted port?
It is forwarded as normal without inspection
64
What happens when a DHCP message is received on an untrusted port?
It is inspected and the appropriate action is taken
65
If a DHCP server message is received on an untrusted port, what happens?
The frame is immediately discarded
66
If a DHCP server message is received on a trusted port, what happens?
The frame is forwarded as normal
67
If a DHCP client message is received on an untrusted port, what happens?
For DISCOVER/REQUEST messages:
- Check whether the frame's source MAC and the DHCP CHADDR field match
- Match: forward
- Mismatch: discard
For RELEASE/DECLINE messages:
- Check whether the packet's source IP address and the receiving interface match the entry in the DHCP snooping binding table
- Match: forward
- Mismatch: discard
68
How is a DHCP snooping binding table populated
When a client successfully leases an IP address from a server, an entry is made
69
A DHCP snooping binding table contains what information?
MAC address, IP address, lease time, binding type, VLAN number, and interface that corresponds to the local untrusted interfaces of a switch
70
What is the command to enable DHCP snooping globally?
**ip dhcp snooping**
71
What is the command to enable DHCP snooping on a VLAN?
**ip dhcp snooping vlan** *vlan-id*
72
What is the command to make an interface DHCP snooping trusted
**ip dhcp snooping trust**
73
What is the command to view the DHCP snooping binding table
**sh ip dhcp snooping binding**
74
How are DHCP RELEASE and DECLINE messages checked when they enter an untrusted interface?
The IP address and interface ID are checked against the DHCP snooping binding table to ensure they match. The packet is dropped if there is a mismatch, and processed normally if they match
75
What is the command to configure DHCP rate limiting on an interface?
**ip dhcp snooping rate limit** *packets-per-second*
Recommended setting: 100 packets/sec
75
If an interface crosses the configured DHCP snooping rate limit, what is the result?
The interface is err-disabled. It can be re-enabled either manually or automatically with errdisable recovery.
76
What is the command to enable errdisable recovery for DHCP snooping rate limiting
**errdisable recovery cause dhcp-rate-limit**
77
What is a feature of DHCP snooping that is useful in preventing DHCP exhaustion attacks?
DHCP snooping rate limiting
78
Describe the function of DHCP option 82
Provides additional information about which DHCP relay agent received the client's message, on which interface, in which VLAN, etc. DHCP relay agents can add option 82 to messages they forward to the remote DHCP server
79
T/F: With DHCP snooping enabled, by default Cisco switches will add Option 82 to DHCP messages they receive from clients, even if the switch isn't acting as a DHCP relay agent
T
80
T/F: With DHCP snooping enabled, by default Cisco switches do not add Option 82 to DHCP messages they receive from clients
F
81
A DHCP message with Option 82 is received on a DHCP snooping untrusted port. What action is taken?
The switch immediately drops the DHCP message
82
What is the command to stop a switch from adding Option 82 information to DHCP DISCOVER messages
**no ip dhcp snooping information option**
83
Which of the following DHCP message types will always be discarded if received on a DHCP snooping untrusted interface? (pick multiple)
a) DISCOVER
b) REQUEST
c) NAK
d) OFFER
e) DECLINE
f) RELEASE
g) ACK
C, D, G. These message types are all DHCP server messages, so they are always discarded on untrusted interfaces.
84
Which of the following is not stored in the DHCP snooping binding database?
a) IP Address
b) Interface
c) VLAN
d) Default gateway
e) MAC address
D. The default gateway is not in the binding database.
85
Which of the following are functions of DHCP snooping (pick multiple)?
a) Limiting the rate of DHCP messages
b) Filtering DHCP messages on trusted ports
c) Filtering DHCP messages on untrusted ports
d) Filtering all DHCP messages
A and C:
- Limiting the rate of DHCP messages
- Filtering DHCP messages on untrusted ports
86
When DHCP snooping inspects a DHCP DISCOVER message that arrives on an untrusted interface, what does it check? (pick multiple)
a) Source MAC address
b) CHADDR
c) IP address
d) Interface
A and B. For DHCP DISCOVER messages, the source MAC of the frame and the Client Hardware Address (CHADDR) field are checked to ensure they match.
87
DHCP snooping rate-limiting is configured on SW1's g0/1 interface. What happens if DHCP messages are received on g0/1 at a rate faster than the configured limit?
a) The messages that cross the limit will be dropped
b) The interface will be disabled
c) All DHCP messages on the interface will be dropped
d) A warning syslog message will be created
B. The interface will be placed in an err-disabled state.
88
Which of the following L2 attacks uses the MAC address of another known host on the network in order to bypass port security measures?
a) ARP poisoning
b) VLAN hopping
c) MAC flooding
d) DHCP spoofing
e) MAC spoofing
E
89
What is a Gratuitous ARP message
An ARP reply that is sent without a preceding ARP request. It is sent to the broadcast MAC address, allowing other devices to learn the MAC address of the sending device without having to send an ARP request
90
In regard to Dynamic ARP inspection, what trust state are all ports in by default?
Untrusted
91
A frame containing an encapsulated IP packet is received on an interface. What actions are taken by dynamic ARP inspection?
Normal operation occurs. Dynamic ARP inspection only filters ARP messages
92
In regard to dynamic ARP inspection: trusted ports should be between ______, and untrusted ports should be between _______
Trusted: network device to network device
Untrusted: network device to end host
93
Describe an ARP poisoning attack:
A man-in-the-middle attack carried out by manipulating a target's ARP table so that traffic is sent to the attacker instead of the correct machine. The attacker does this by sending gratuitous ARP messages using another device's IP address
94
On untrusted ports, what does dynamic ARP inspection check?
The sender MAC address and sender IP address have a corresponding match in the DHCP snooping binding table
95
On trusted ports, what does dynamic ARP inspection check?
Nothing. Dynamic ARP inspection does not perform any checks on ARP messages on trusted ports
96
An ARP message is received on an untrusted interface. Dynamic ARP inspection is enabled. What happens next?
Dynamic ARP inspection checks whether the sender IP and sender MAC address have a corresponding entry in the DHCP snooping binding table.
- Match: forward normally
- No match: discard the message
97
Since not all hosts use DHCP, what approach can be used to service hosts that have static IP addresses?
ARP ACLs can be used
98
What happens to traffic from hosts that aren't using DHCP when their traffic is received on an untrusted port?
All ARP messages sent from the static host will be dropped. Non-ARP traffic will still be forwarded
99
What is the command to enable dynamic ARP inspection on a vlan?
**ip arp inspection vlan** *vlan-id*
100
What is the command to configure a switchport as trusted by dynamic ARP inspection
**ip arp inspection trust**
101
Do you have to enable dynamic ARP inspection globally, as well as per-VLAN, like DHCP snooping?
No
102
Is dynamic ARP inspection rate limiting enabled by default?
Yes, on untrusted ports, at 15 packets per second. It is disabled on trusted ports.
103
Dynamic ARP inspection has a burst interval, explain what it does
Allows you to configure rate limiting by saying: limit to X packets per Y seconds
104
What is the command to configure dynamic ARP inspection rate limiting on an interface
**ip arp inspection limit rate** *packets* **burst interval** *time-in-seconds*
This configures a limit of *packets* per *time-in-seconds*. If the burst interval is unspecified, the default is per 1 second.
105
What is the command to enable errdisable recovery for dynamic ARP inspection
**errdisable recovery cause arp-inspection**
106
What are the three optional checks that can be configured for dynamic ARP inspection
- Destination MAC address
- IP addresses
- Source MAC address
107
What is the command to enable optional checks of dynamic ARP inspection
**ip arp inspection validate** {[dst-mac] [ip] [src-mac]} (one or more of the three, in a single command)
108
What is the command to view dynamic ARP inspection configurations
**sh ip arp inspection**
109
You issue the **ip arp inspection vlan 1** command on SW1. Which of the following statements is true about SW1 after issuing the command?
a) All interfaces in VLAN 1 are untrusted
b) DAI isn't fully enabled until globally enabled with **ip arp inspection**
c) Only ARP messages from hosts with a static IP address will be permitted
d) DHCP snooping is enabled
A. All other statements are false.
110
The following commands are configured on SW1. Which of the following statements is true after the commands have been issued?
```
SW1(config)# ip arp inspection validate ip
SW1(config)# ip arp inspection validate src-mac
SW1(config)# ip arp inspection validate dst-mac
```
a) DAI validation is only enabled for IP addresses
b) DAI validation is only enabled for source MAC addresses
c) DAI validation is only enabled for destination MAC addresses
d) DAI validation is enabled for all three causes
C. Each command overwrote the previous one; all three options need to be included in the same command for all three to take effect.
111
Which of the following is true about DAI rate limiting? (pick more than one)
a) It is enabled on trusted and untrusted ports by default
b) It is enabled on untrusted ports by default
c) It is enabled at a rate of 10 packets per second by default
d) It is enabled at a rate of 15 packets per second by default
B and D
112
DAI inspects the sender IP and MAC addresses to determine whether an ARP packet should be forwarded or dropped. Which of the following does it check the sender IP and MAC against? (pick more than one)
a) MAC address table
b) DHCP snooping binding table
c) ARP table
d) ARP ACLs
B and D
113
Which of the following commands limit ARP messages to a maximum average of 15 per second? (pick two)
a) ip arp inspection limit rate 15
b) ip arp inspection limit rate 30 burst interval 3
c) ip arp inspection limit rate 45 burst interval 3
d) ip arp inspection limit rate 30 burst interval 1
A and C
114
You issue the following commands on Switch1:
```
Switch1(config)# ip arp inspection vlan 11,14,18
Switch1(config)# interface f0/1
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport mode access vlan 14
Switch1(config-if)# ip arp inspection trust
Switch1(config-if)# interface range f0/2 - 4
Switch1(config-if-range)# switchport access vlan 14
Switch1(config-if-range)# switchport mode access
```
Which of the following statements are true (pick 2)?
a) All ports in VLAN 14 are trusted ports
b) The f0/1 port in VLAN 14 is a trusted port
c) Ports in every VLAN except VLAN 14 are trusted ports
d) Every port in VLANs 11, 14, and 18 is an untrusted port
e) Every port except the f0/1 port in VLAN 14 is an untrusted port
B, E