Port Security

Question 1

What is Port Security in Cisco switches?

Answer 1

A Layer 2 security feature that restricts input to an interface by limiting and identifying MAC addresses

Question 2

What command enables Port Security on a switchport?

Answer 2

switchport port-security

Question 3

What are the three violation modes in Port Security?

Answer 3

Protect; Restrict; Shutdown

Question 4

What does the Protect violation mode do?

Answer 4

Drops packets with unknown source MAC addresses

Question 5

What does the Restrict violation mode do?

Answer 5

Drops packets and increments the security violation counter

Question 6

What does the Shutdown violation mode do?

Answer 6

Err-disables the port upon a violation

Question 7

How do you enable a port as an access port?

Answer 7

switchport mode access

Question 8

What command sets the maximum number of MAC addresses on a port?

Answer 8

switchport port-security maximum [number]

Question 9

What command sets a specific MAC address for port security?

Answer 9

switchport port-security mac-address [mac-address]

Question 10

What command allows dynamically learned MAC addresses to be saved?

Answer 10

switchport port-security mac-address sticky

Question 11

What is DHCP Snooping?

Answer 11

A security feature that acts like a firewall between untrusted hosts and trusted DHCP servers

Question 12

What does DHCP Snooping prevent?

Answer 12

Rogue DHCP servers from assigning IP addresses

Question 13

What is a trusted port in DHCP Snooping?

Answer 13

A port that allows DHCP server responses

Question 14

What is an untrusted port in DHCP Snooping?

Answer 14

A port that should only receive DHCP requests from clients

Question 15

What table does DHCP Snooping build?

Answer 15

The DHCP Snooping Binding Table

Question 16

What command enables DHCP Snooping globally?

Answer 16

ip dhcp snooping

Question 17

What command enables DHCP Snooping for a VLAN?

Answer 17

ip dhcp snooping vlan <vlan-id></vlan-id>

Question 18

What command marks an interface as trusted for DHCP Snooping?

Answer 18

ip dhcp snooping trust

Question 19

What command limits DHCP messages on a port?

Answer 19

ip dhcp snooping limit rate <rate></rate>

Question 20

What is Dynamic ARP Inspection (DAI)?

Answer 20

A security feature that validates ARP packets in a network

Question 21

What attack does DAI prevent?

Answer 21

ARP Spoofing/Poisoning

Question 22

What does DAI use to validate ARP packets?

Answer 22

The DHCP Snooping Binding Table

Question 23

Which ports are trusted in DAI?

Answer 23

Ports where ARP replies are not validated (usually connected to other switches or DHCP servers)

Question 24

Which ports are untrusted in DAI?

Answer 24

Ports that must have ARP replies validated (usually connected to clients)

Question 25

What command enables DAI globally?

Answer 25

ip arp inspection vlan

Question 26

What command marks a port as trusted for DAI?

Answer 26

ip arp inspection trust

Question 27

What happens if an invalid ARP packet is detected by DAI?

Answer 27

The switch drops the packet and can log the violation