Switch Access Layer Security

Question 1

What is DHCP Snooping?

Answer 1

Switch Security feature that drops DHCP Server responces if they do not come in on a trusted port.

Config won’t be tested but it is enabled by:
SW1(config)# ip dhcp snooping
SW1(config)# ip dhcp snooping vlan 10
SW1(config)# interface fast 0/24
SW1(config-if)# ip dhcp snooping trust

Question 2

What is Dynamic ARP Inspection?

Answer 2

Switch watches DHCP traffic and keeps track of which IPs were assigned to which MAC addresses. Invalid ARP traffic is then dropped.

*Requires DHCP snooping to be enabled on the switch.

Config won’t be tested but it is enabled by:
SW1(config)# ip arp inspection vlan 10
SW1(config)# interface fast 0/24
SW1(config-if)# ip arp inspection trust <- must trust ports that dont have DHCP clients on them.

Question 3

What is 802.1X?

Answer 3

A form of Port Authentication.

Must be configured on the end device and on the access switch. When first plugged in, they can only communicate with the external authentication server.

Question 4

What are the 3 options for port security?

Answer 4

1. Protect - Port is not shutdown - offending traffic is dropped
2. Restrict - Port is not shutdown - offending traffic is dropped - logs are written
3. Shutdown - Port is shutdown

Question 5

Command to view port security settings on a port

Answer 5

SW1# show port-security interface f0/1

Question 6

Command to auto restore port disabled by port security?

Answer 6

SW1(config)# errdisable recovery cause psecure-violation
SW1(config)# errdisable recovery interval 600

Question 7

Command to show mac addresses learned via port security?

Answer 7

SW1# show port-security address