Details

Title: CCNP SWITCH 642-813 - Campus Network Security
Description: Campus Network Security
Total cards: 30
Subject: Computer Networking
Level: Professional
Created: 07/07/2010

Cards

Term
Can port security be enabled globally?
Definition
No, it is enabled on a per-port basis with 'switchport port-security' under the interface. The port must be a static access or trunk port first; the command is rejected on a dynamic (DTP-negotiating) port.
Term
In regard to port security, what are 'Sticky MAC addresses'?
Definition
MACs that are learned dynamically from incoming traffic on the port and then converted into sticky secure entries, which are written into the running configuration (and survive a reload once the configuration is saved), so the port keeps its learned addresses without anyone typing static entries.
Term
By default, will Sticky MACs time-out of the MAC address table for port security?
Definition
No. By default sticky (and static) secure addresses never age out. Aging applies only to dynamically learned secure addresses, and only when 'switchport port-security aging' is configured on the port.
Term
What are the three types of violations on port-security?
Definition
-Shutdown (the default): puts the port into the err-disabled state and logs a syslog message/SNMP trap. The port stays down until someone does a shutdown/no shutdown, or until 'errdisable recovery cause psecure-violation' brings it back automatically.
-Restrict: the port stays up, traffic from the violating MAC addresses is dropped, and the violation is recorded (violation counter, SNMP trap, syslog).
-Protect: the port stays up and traffic from violating MACs is dropped silently; no record is kept, so nobody is told it is happening.
Term
how can you flush the port-security table?
Definition
'clear port-security dynamic' (add 'interface X' to clear one port). Sticky entries need 'clear port-security sticky', and 'clear port-security all' removes everything learned or sticky on the switch.
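Added example, not part of the original flashcard set: a Cisco IOS port-security configuration that puts the cards above together (sticky learning, a restrict violation mode, aging for non-sticky entries, and automatic err-disable recovery). The interface names, VLAN number, and timers are assumptions.

```cisco
! Global: a port err-disabled for a port-security violation recovers on its
! own after 300 seconds instead of waiting for a manual shutdown/no shutdown.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Port security is per interface and needs a static access (or trunk) port,
! never a dynamic/DTP port. Interface and VLAN are hypothetical.
interface FastEthernet0/1
 description user desk (hypothetical)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ! Optional: age out dynamically learned (non-sticky) secure addresses
 ! after 10 minutes of inactivity. Sticky addresses are never aged.
 switchport port-security aging time 10
 switchport port-security aging type inactivity
!
! Verification and maintenance (exec mode):
!   show port-security interface FastEthernet0/1
!   show port-security address
!   clear port-security dynamic interface FastEthernet0/1
!   clear port-security sticky interface FastEthernet0/1
```

'restrict' rather than the default 'shutdown' is used here so a third device on the port (a phone plus a PC plus a rogue hub, say) generates a trap and a counter increment without taking the legitimate devices offline; the 'errdisable recovery' lines only matter if you switch the violation mode back to 'shutdown'.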
Term
What is 802.1x used for?
Definition
Port-based authentication. The switch (the authenticator) keeps a port unauthorized, passing only EAPOL frames, until the attached client (the supplicant) authenticates with EAP; the switch relays that exchange to an authentication server and opens the port only on success.
Term
What type of server is needed for Port-Based Authentication?
Definition
A RADIUS server. The switch encapsulates the client's EAP messages in RADIUS and authorizes the port only after the server returns an Access-Accept.
Term
What is the command to enable 802.1x port-based security on a switchport, and what are the three states it can be configured for?
Definition
'dot1x port-control {force-authorized | force-unauthorized | auto}' on the interface. 802.1X must also be switched on globally first with 'dot1x system-auth-control', otherwise the interface command has no effect.
-Force-authorized: forwards any client's traffic without authentication (the default!).
-Force-unauthorized: never authorizes any client, effectively disabling the port.
-Auto: the port stays unauthorized and passes only EAPOL until the client authenticates successfully; this requires 802.1X supplicant software on the client.
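Added example, not from the original flashcard set: the global AAA/RADIUS plumbing and the three port-control states from the cards above, as Cisco IOS configuration. The RADIUS address, shared secret, interface names, and VLAN are assumptions.

```cisco
! Global AAA. The switch is the 802.1X authenticator and relays the client's
! EAP exchange to RADIUS (server address and key are hypothetical).
aaa new-model
radius-server host 10.1.1.5 auth-port 1812 acct-port 1813 key RadiusSharedSecret
aaa authentication dot1x default group radius
! Without this global switch, 'dot1x port-control' on an interface does nothing.
dot1x system-auth-control
!
! Typical user port: unauthorized (only EAPOL passes) until the supplicant
! authenticates. A PC with no supplicant software stays dark on an 'auto' port.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
!
! A port that must never carry traffic no matter who plugs in:
interface FastEthernet0/2
 switchport mode access
 dot1x port-control force-unauthorized
!
! Uplinks to other switches are left at the default, force-authorized:
! there is no supplicant on the far end, and 802.1X is not run on trunks.
!
! Verify (exec mode):
!   show dot1x all summary
!   show dot1x interface FastEthernet0/1 details
```

The order matters operationally: configure and test the RADIUS reachability ('aaa new-model' alone can lock you out of the console if no login method is defined) before turning on 'dot1x system-auth-control', because the moment it is on every 'auto' port without a working supplicant/server path stops passing traffic.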
Term
Explain DHCP snooping.
Definition
DHCP snooping defends against a rogue DHCP server on the subnet. The rogue server answers client requests with its own addresses, typically handing out an attacker-controlled default gateway or DNS server, which is a basic man-in-the-middle attack. The switch inspects DHCP messages, allows server replies only from ports designated as trusted, and records the client leases it sees in a DHCP snooping binding table that other features (IP Source Guard, Dynamic ARP Inspection) reuse.
Term
How does DHCP snooping work on Cisco devices? What is the default behavior?
Definition
Ports are either trusted or untrusted. DHCP server messages (OFFER, ACK, NAK) arriving on untrusted ports are discarded, so a rogue server on an access port never reaches clients; client requests are allowed through and the resulting IP-to-MAC-to-port bindings are recorded. If an untrusted port has a rate limit ('ip dhcp snooping limit rate') and exceeds it, the port is placed in the err-disabled state.
-Default behavior is that all ports are UNtrusted, so the uplinks toward the real DHCP server must be marked with 'ip dhcp snooping trust' or legitimate leases are dropped too.
Term
What type of attack is IP Source Guard designed to protect against?
Definition
IP spoofing: a host sending packets with a source IP address other than the one it was legitimately assigned, whether to impersonate another host or to dodge filters and logging.
Term
How does IP source guard work?
Definition
It consults the DHCP snooping binding table (plus any static 'ip source binding' entries) for the port and installs a per-port filter that permits only the source IP address(es) bound to that port; any other source IP from the host is dropped. With the 'port-security' keyword it also checks the source MAC against the binding, which is why port security has to be enabled on the port to get MAC filtering as well.
Term
What two features must be enabled to get the most out of IP Source Guard?
Definition
DHCP snooping and port security.
Term
What command enables IP source guard on an interface?
Definition
'ip verify source [port-security]' (interface mode). Without the keyword only the source IP is checked; with 'port-security' the source MAC is checked too. Hosts with static addresses that never use DHCP need an explicit 'ip source binding MAC vlan VLAN IP interface INT' entry, or IP Source Guard will cut them off.
Term
What type of attack is Dynamic ARP Inspection designed to mitigate?
Definition
ARP Poisoning or ARP spoofing.
Term
How does Dynamic ARP Inspection work?
Definition
Ports are either trusted or UNtrusted (default!). DAI intercepts every ARP packet, requests as well as replies, that arrives on an untrusted port and compares the sender IP/MAC pair in the ARP body against static entries (an 'arp access-list' applied with 'ip arp inspection filter') or against the DHCP snooping binding database. ARP packets that don't match a valid binding are dropped and a log entry is made; ARP on trusted ports is forwarded without inspection. Untrusted ports are also rate-limited (15 ARP packets per second by default) and go err-disabled when they exceed it.
Term
Where on a switch is Dynamic ARP Inspection enabled?
Definition
On a per-VLAN basis, with 'ip arp inspection vlan LIST' in global configuration; trust is then set per interface.
Term
What ports should be trusted in Dynamic ARP Inspection?
Definition
Ports connected to other switches (uplinks and inter-switch trunks), since the hosts behind them are already inspected by that switch. Host-facing access ports stay untrusted.
Term
What is the command to enable Dynamic ARP Inspection Validation, and what are the three options for it?
Definition
(config)
'ip arp inspection validate {src-mac | dst-mac | ip}', with any combination given on one line; a later 'validate' command replaces the earlier one rather than adding to it.
-src-mac: checks the source MAC in the Ethernet header against the sender MAC in the ARP body, for both ARP requests and replies.
-dst-mac: checks the destination MAC in the Ethernet header against the target MAC in the ARP body, for ARP replies.
-ip: checks the ARP body for invalid or unexpected IP addresses (0.0.0.0, 255.255.255.255, multicast). The sender IP is checked in all ARP packets; the target IP only in ARP replies.
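Added example, not part of the original flashcard set, covering the DHCP snooping, IP Source Guard, and Dynamic ARP Inspection cards together, since all three hang off the same DHCP snooping binding table. VLAN numbers, interface names, MAC and IP addresses are assumptions; the static host is included to show what a non-DHCP device needs so the two filters don't cut it off.

```cisco
! 1. DHCP snooping builds the binding table that IPSG and DAI rely on.
ip dhcp snooping
ip dhcp snooping vlan 10
! Persist bindings across reloads, otherwise every host is dropped by
! IPSG/DAI after a reboot until it renews its lease.
ip dhcp snooping database flash:dhcp-snooping.db
!
! 2. DAI is per VLAN; validate the extra header/body consistency checks too.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! A host with a static IP never appears in the binding table, so it gets
! a static ARP ACL entry and a static source binding (values hypothetical).
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.250 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
ip source binding 0011.2233.4455 vlan 10 10.1.10.250 interface FastEthernet0/24
!
! Uplink toward the distribution layer and the real DHCP server: trusted
! for both features, so legitimate OFFER/ACK and already-inspected ARP
! from the rest of the network pass without inspection.
interface GigabitEthernet0/1
 description uplink to distribution (hypothetical)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports stay untrusted (the default). Rate limits keep one host from
! flooding the CPU; a port that exceeds them goes err-disabled.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
 switchport port-security
 ! 3. IP Source Guard: only the IP (and, with port-security, the MAC) bound
 !    to this port may be used as a source; everything else is dropped.
 ip verify source port-security
!
! Verify (exec mode):
!   show ip dhcp snooping binding
!   show ip arp inspection vlan 10
!   show ip arp inspection statistics vlan 10
!   show ip verify source
```

If you enable 'ip verify source' on a port before the host has obtained a lease (or before the snooping database is restored after a reload), the host is silently blackholed; 'show ip verify source' showing a port with no binding is the first thing to check when "the network is down" after turning this on.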
Term
Access Lists that can filter within a VLAN are know as what?
Definition
VLAN Access Lists (VACL)
Term
How do VACLs differ from ACLs?
Definition
VACLs filter traffic that is bridged within a VLAN (as well as traffic routed into or out of it), not just traffic crossing a routed interface. They are built in a 'route map' fashion as a sequence of 'vlan access-map' entries, each matching an IP or MAC ACL and applying an action: forward, drop, or (on some platforms) redirect to another interface. The ACL's permit lines only select traffic; the map entry's action decides what happens to it. A VACL is not applied 'in' or 'out' on an interface; it is applied to a VLAN list with 'vlan filter' and acts on all traffic in the VLAN, and anything matching no entry is dropped.
Term
What command enables an access map for a VACL?
Definition
'vlan access-map NAME [SEQ]' (global). Inside the map entry, 'match ip address ACL' (or 'match mac address ACL') selects traffic and 'action {forward | drop}' decides its fate; further entries use higher sequence numbers.
Term
What command applies a VACL to a VLAN?
Definition
(global)
'vlan filter NAME vlan-list LIST'
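Added example, not from the original flashcard set: a complete VACL in Cisco IOS that stops hosts in one VLAN from reaching each other's Telnet and SSH while leaving all other intra-VLAN traffic alone. The VLAN number, subnet, and names are assumptions.

```cisco
! Traffic to select: management protocols between hosts in the same VLAN.
! 'permit' here means "this is the traffic the map entry acts on", not
! "allow it"; the action comes from the access-map entry.
ip access-list extended INTRA-VLAN-MGMT
 permit tcp 10.1.10.0 0.0.0.255 10.1.10.0 0.0.0.255 eq 23
 permit tcp 10.1.10.0 0.0.0.255 10.1.10.0 0.0.0.255 eq 22
!
! Route-map style: numbered entries, each with a match and an action.
vlan access-map BLOCK-INTRA-MGMT 10
 match ip address INTRA-VLAN-MGMT
 action drop
! Catch-all. A VLAN map ends with an implicit drop, so without this entry
! every other packet in VLAN 10 disappears as well.
vlan access-map BLOCK-INTRA-MGMT 20
 action forward
!
! Applied to the VLAN itself; there is no in/out direction.
vlan filter BLOCK-INTRA-MGMT vlan-list 10
!
! Verify (exec mode):
!   show vlan access-map
!   show vlan filter
```

The catch-all entry is the line people forget; since a VLAN map applies to everything bridged in the VLAN, including ARP and DHCP, omitting it takes the whole VLAN down rather than just the matched flows.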
Term
What is a primary VLAN?
What is a secondary VLAN?
Definition
-A primary VLAN is the normal VLAN that the rest of the network sees. It carries traffic downstream from promiscuous ports (usually the gateway) to the hosts, and all of the private VLAN's secondary VLANs are associated with it.
-Secondary VLANs are sub-VLANs inside a primary; they carry traffic upstream from host ports. A host in a secondary VLAN can communicate with promiscuous ports on the primary VLAN, but not with hosts in a different secondary VLAN; whether it can reach hosts in its own secondary VLAN depends on the secondary VLAN type.
Term
What are the two types of secondary VLANs?
Definition
-Isolated: hosts can communicate only with promiscuous ports on the primary VLAN, not even with each other.
-Community: hosts can communicate with promiscuous ports on the primary VLAN and with other hosts in the same community VLAN.
Term
All secondary VLANs must be associated with one _____?
Definition
Primary VLAN.
Term
Are private VLANs globally or locally significant?
Definition
Locally significant: VTP versions 1 and 2 don't carry private VLAN information, so each switch has to be configured by hand and must be in VTP transparent mode (VTP version 3 can propagate private VLANs).
Term
What are the two modes that physical switchports can be configured as for Private VLANs?
Definition
-Promiscuous: can communicate with every host in the secondary VLANs mapped to its primary VLAN. This mode belongs on the port toward the default gateway, firewall, or shared server.
-Host: assigned to one primary/secondary pair; communicates only with promiscuous ports, or, if its secondary VLAN is a community VLAN, also with other host ports in the same community.
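Added example, not part of the original flashcard set: a full private VLAN build on a Cisco Catalyst, with one isolated and one community secondary VLAN, a promiscuous port toward the gateway, and host ports of both kinds. VLAN numbers, interface names, and the SVI address are assumptions.

```cisco
! VTP v1/v2 cannot carry private VLANs, so the switch must be transparent.
vtp mode transparent
!
vlan 100
 name PVLAN-PRIMARY
 private-vlan primary
vlan 101
 name PVLAN-ISOLATED
 private-vlan isolated
vlan 102
 name PVLAN-COMMUNITY-WEB
 private-vlan community
! Every secondary VLAN must be associated with exactly one primary.
vlan 100
 private-vlan association 101,102
!
! Promiscuous port toward the gateway/firewall: talks to all hosts in the
! secondary VLANs mapped here (interface is hypothetical).
interface GigabitEthernet0/1
 description to firewall (hypothetical)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Isolated host: reaches only the promiscuous port.
interface FastEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community hosts: reach the promiscuous port and each other.
interface range FastEthernet0/2 - 3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! If the switch itself routes for the primary VLAN, its SVI must be mapped
! to the secondary VLANs too, or it cannot answer hosts in them.
interface Vlan100
 ip address 10.1.100.1 255.255.255.0
 private-vlan mapping 101,102
!
! Verify (exec mode):
!   show vlan private-vlan
!   show interfaces FastEthernet0/1 switchport
```

Hosts in the isolated VLAN still share the primary VLAN's IP subnet, so they can reach each other at layer 3 through the gateway unless the gateway also blocks hairpinned traffic; private VLANs isolate at layer 2 only.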
Term
What is switch spoofing? How do you fight it?
Definition
Where a malicious user exploits the auto-negotiating nature of DTP by sending DTP frames from a host, so the switch negotiates a trunk with it; the attacker then has access to every VLAN allowed on that trunk. Switch ports default to 'dynamic auto' (or 'dynamic desirable' on older platforms), both of which will agree to trunk.
-Fight it by assigning every port a static mode ('switchport mode access' for hosts, 'switchport mode trunk' for real uplinks) and disabling DTP frames entirely with 'switchport nonegotiate'.
Term
What is VLAN Hopping? How do you fight it?
Definition
When a malicious user on a port in the trunk's native VLAN sends a frame with two 802.1Q tags. The outer tag is the native VLAN, so the first switch strips it and forwards the frame untagged over the trunk; the next switch sees the inner tag and delivers the frame into that VLAN. The attack is one-way (no replies come back), but it lets the attacker inject traffic into a VLAN he is not a member of.
-Fight it by setting the native VLAN of every trunk to a bogus, unused VLAN that no access port belongs to, and pruning that native VLAN from the trunk's allowed list on both ends. OR you can force the trunk to tag the native VLAN ('vlan dot1q tag native'), so the outer tag is never stripped.
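Added example, not from the original flashcard set, covering both the switch-spoofing and VLAN-hopping cards: the trunk and access-port hardening on a Cisco Catalyst. Interface ranges, VLAN numbers, and names are assumptions; 'switchport trunk encapsulation dot1q' is needed on platforms that support ISL as well (3560/3750) and is rejected on dot1q-only switches (2960), so drop it there.

```cisco
! Reserve an unused VLAN to be the native VLAN on every trunk, and a
! separate dead VLAN for unused ports (numbers hypothetical).
vlan 999
 name NATIVE-UNUSED
vlan 666
 name PARKING-UNUSED-PORTS
!
! Real uplink: static trunk, DTP off, bogus native VLAN, and only the VLANs
! that belong on it allowed (so 999 carries nothing real, with no untagged
! traffic mapping to a production VLAN).
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! Belt and braces: tag frames on the native VLAN too, so a double-tagged
! frame's outer tag is never silently stripped on any trunk.
vlan dot1q tag native
!
! User-facing ports: static access, no DTP frames, and never in VLAN 999
! (double tagging only works from a port in the trunk's native VLAN).
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Unused ports: static access in the dead VLAN and shut down, so nobody
! can plug in and start negotiating anything.
interface range FastEthernet0/25 - 48
 switchport mode access
 switchport access vlan 666
 switchport nonegotiate
 shutdown
!
! Verify (exec mode):
!   show interfaces trunk
!   show dtp interface GigabitEthernet0/1
```

'show interfaces trunk' is the audit command: any port listed whose mode is 'auto' or 'desirable' rather than 'on' is still negotiating with DTP, and any trunk whose native VLAN is 1 (the default) is a double-tagging target as soon as an access port in VLAN 1 exists.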