Topic 6 - Infrastructure Security Flashcards

Flashcards in Topic 6 - Infrastructure Security Deck (27)

What type of port is port security applied to?

Access port


Can port security be applied to a trunk port?

No. It can be applied only to access ports.


What happens to the port when a violation occurs?

The interface will shut down (err-disabled).


What command is used to stop the interface from shutting down when a violation occurs?

Switch(config-if)#switchport port-security violation protect


Explain what the modes below do:
1 - Port security PROTECT
2 - Port security RESTRICT
3 - Port security SHUTDOWN

PROTECT: Drops all packets from insecure hosts at the port-security process level but does not increment the security-violation counter.

RESTRICT: Drops all packets from insecure hosts at the port-security process level and increments the security-violation counter.

SHUTDOWN: Shuts down the port (err-disabled) when a security violation occurs.


Static port security
Dynamic port security

Static: set the MAC addresses that are allowed to use the port. If fewer than the maximum are configured statically, the remaining addresses are learned dynamically.

Switch(config-if)#switchport port-security mac-address [mac-address]


Sticky port security

Enable sticky learning on the interface (dynamically learned MAC addresses are written into the running configuration)

Switch(config-if)#switchport port-security mac-address sticky


Maximum MAC addresses per port

Set the number of MAC addresses allowed to use this port

Switch(config-if)#switchport port-security maximum (1-3072)


Port security violation actions

Set the action to be taken when port security is violated

Switch(config-if)#switchport port-security violation {protect | restrict | shutdown}

Protect - Least secure. Frames from unsecured MACs are not forwarded.

Restrict - Medium security. Frames from unsecured MACs are not forwarded + syslog message + SNMP trap (message to the monitoring tool) + violation counter incremented.

Shutdown - Default action. The port is shut down (err-disabled).


Error-disabled recovery

Once port security is violated on an interface, the interface goes to the err-disabled state. To return it to normal, do the following:

Switch#show interfaces status err-disabled

Switch#config t
Switch(config)#interface f0/1
Switch(config-if)#shutdown
Switch(config-if)#no shutdown


After the port is err-disabled, what command do we use to bring it back automatically?

To automatically recover an interface from the err-disabled state after a port-security violation:

Switch(config)#errdisable recovery cause psecure-violation


Explain DHCP snooping

DHCP snooping (a good thing) is a security feature, typically on a switch, that acts like a firewall between untrusted hosts and trusted DHCP servers.
DHCP snooping is enabled on a per-VLAN basis and is inactive by default.


Explain 802.1X

- A client-server-based access control and authentication protocol that prevents unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated

- The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN

- After authentication is successful, normal traffic can pass through the port


Explain the nondefault native VLAN

- The default native VLAN is VLAN 1

- A nondefault native VLAN means you changed the native VLAN to be something other than VLAN 1

- A lot of things default to VLAN 1, which means a lot of bad things can happen either accidentally or by way of purposeful exploits

- VLAN hopping by way of double tagging is one such exploit. It can be easily averted by using a nondefault native VLAN


Types of access lists?

Standard, Extended and Named


Explain access lists

Access lists are used to permit or deny traffic based on the filtering criteria specified in the list

Access lists are evaluated top down, from the first entry to the last entry; the first matching entry wins

Access lists are applied to interfaces



• Standard ACLs are numbered from 1 to 99

• Permit or deny traffic using subnet and wildcard mask

• Cannot permit or deny based on ports

• Implicit deny is automatically added to the end of each access-list

• Place Standard ACLs close to the destination



• Extended ACLs are numbered from 100-199

• Permit or deny traffic from specific source IPs or ranges to specific destination IPs or ranges

• Can also permit or deny based on specific ports or port ranges

• Implicit deny is automatically added to the end of each access-list

• Place extended ACLs close to the source



Standard ACL configuration ([source] and [wildcard-mask] are placeholders):

Router#config t
Router(config)#access-list 10 permit [source] [wildcard-mask]
Router(config)#interface f0/1
Router(config-if)#ip access-group 10 in



Extended ACL configuration (the extended syntax requires both a source and a destination; "any any" matches all sources and destinations):

Router#config t
Router(config)#access-list 100 permit udp any any eq 53
Router(config)#access-list 100 permit tcp any any eq 80
Router(config)#interface f0/1
Router(config-if)#ip access-group 100 in



Application Policy Infrastructure Controller - Enterprise Module (APIC-EM)



- TACACS: Terminal Access Controller Access Control System
- AAA: Authentication, Authorization, and Accounting
- RADIUS: Remote Access Dial-In User Service


Explain TACACS+

• TACACS+: Terminal Access Controller Access Control Service Plus
• TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server
• TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation
• You must have access to and must configure a TACACS+ server before the configured TACACS+ features on your network access server are available
• TACACS+ provides separate and modular authentication, authorization, and accounting facilities
• TACACS+ allows a single access control server (the TACACS+ daemon) to provide each service—authentication, authorization, and accounting—independently



• The primary functional difference between RADIUS and TACACS+ is that TACACS+ separates out the authorization functionality, whereas RADIUS combines authentication and authorization

• When a RADIUS authentication request is sent to the AAA server, the AAA client expects to receive a reply that also contains the authorization result


Explain local authentication

• Authentication is a way of identifying a user before permitting access to the network and network services

• Local authentication on a device references usernames and passwords configured locally on the device

• Local authentication restricts access to the User EXEC command mode to the accounts configured on the device

• To configure local authentication:

Router(config)#username [username] password [password]
Router(config)#aaa new-model
Router(config)#aaa authentication login default local


Explain secure passwords (in terms of device hardening)

• An enable password protects access to the Privileged EXEC command mode

• The enable password stores the password in plain text in the configuration

Router(config)#enable password [password]

• The enable secret creates an MD5 hash of the plain-text password that is entered and stores only the hash in the configuration

• It is recommended to use enable secret instead of enable password

Router(config)#enable secret [password]


Explain the login banner

• A login banner appears just before the Username: prompt when user authentication is required to log in to a device, e.g. warning messages, ACT notices, etc.

• A delimiting character is required to mark the beginning and end of the login banner text

Router1(config)#banner login ?
LINE c banner-text c, where 'c' is a delimiting character
Router1(config)#banner login %this is the login banner%