54 Cards in this Set

  • Front
  • Back
  • 3rd side (hint)
What are the four different categories of attack toward a switch at layer 2?
MAC address-based attacks, VLAN attacks, spoofing attacks, and attacks on switch devices
These are the four main categories of attack against a switch: MAC address-based attacks (for example CAM table overflow), VLAN attacks (such as VLAN hopping), spoofing attacks (DHCP and ARP spoofing), and attacks on the switch itself and its management and discovery protocols.
What is the intention behind a CAM table attack?
To fill all of the available rows in the CAM table
Once the CAM (MAC address) table is full, the switch can no longer learn new source addresses, so frames destined for any MAC address that is not in the table must be flooded out every port in the VLAN instead of being forwarded to a single port. This does two things: it generates a large amount of unnecessary traffic, and it turns the switch into a hub for that traffic, so a sniffer on any port in the VLAN can capture frames that would normally never reach it.
What is the purpose of the "Sticky Learning" feature on a Cisco switch?
To provide the functionality of both dynamic and static MAC port-security in one command
With sticky learning (switchport port-security mac-address sticky), the switch dynamically learns the source MAC addresses seen on the port, up to the configured maximum, and converts them into sticky secure entries that appear in the running configuration as switchport port-security mac-address sticky <mac-address>. Unlike ordinary dynamic entries they survive a link flap, but they are lost on reload unless the configuration is saved to startup-config.
What Cisco IOS command enables port security on an interface?
switch(config-if)#switchport port-security
This command enables port security on the interface; the other switchport port-security options have no effect until it is present. The interface must be a static access or trunk port: on a port left in dynamic (DTP) mode the command is rejected.
Which Cisco IOS command is used to set the maximum number of MAC addresses that are allowed on a switchport?
switch(config-if)#switchport port-security maximum max-value
This command sets the maximum number of secure MAC addresses (static, sticky and dynamic combined) allowed on the port. The default is 1. A frame from an additional source MAC address beyond this limit is a violation.
Which Cisco IOS command is used to change the port security violation behavior?
switch(config-if)#switchport port-security violation violation
This command changes the action taken when a violation occurs. The default is shutdown, which places the interface in the err-disabled state.
Which Cisco IOS command is used to specify a MAC address to be allowed on a switchport?
switch(config-if)#switchport port-security mac-address mac-address
This command statically adds a secure MAC address on the port. The address counts against the configured maximum, so with the default maximum of 1 it is the only address allowed to send and receive traffic on that port.
What are the three available port security violation actions?
Shutdown, restrict, and protect
Shutdown, the default, puts the interface into the err-disabled state so that no traffic passes at all; an administrator must issue shutdown followed by no shutdown, or errdisable recovery must be configured, before the port comes back. Restrict drops frames from offending source MAC addresses, increments the violation counter and generates a syslog message and SNMP trap. Protect also drops the offending frames but does so silently, with no counter increment and no notification, which makes it the weakest choice for detection.
Which Cisco IOS command is used to display the status of port security?
switch#show port-security
This command lists every interface with port security enabled together with its maximum and current secure address counts, the violation action and the violation counter. show port-security interface <interface> gives the detail for one port, including the last offending source MAC address, and show port-security address lists the secure MAC addresses themselves.
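The port security commands from the cards above, assembled into a working configuration for two access ports. This is an added example, not part of the original card set; the interface names, VLAN 10 and the printer MAC address 0200.0000.0001 are assumptions. It also shows the errdisable recovery commands a practitioner pairs with the default shutdown action, which the cards do not cover.

```cisco
! Added example (not from the card set). Interface names, VLAN and the MAC
! address are assumptions.
!
! Ports err-disabled by a violation recover on their own after five minutes
! instead of waiting for an administrator to bounce them.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
interface GigabitEthernet1/0/5
 description Workstation port (assumed)
 ! Port security is rejected on a dynamic (DTP) port, so fix the mode first.
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! A PC plus a small desk switch: two addresses instead of the default of 1.
 switchport port-security maximum 2
 ! restrict keeps the port up, drops offending frames and logs them; the
 ! default shutdown would err-disable the whole port on the first stray MAC.
 switchport port-security violation restrict
 ! Learn the first two source MACs and write them into the running config.
 switchport port-security mac-address sticky
!
interface GigabitEthernet1/0/6
 description Printer with a known MAC (assumed)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! Explicit static entry; the default maximum of 1 means nothing else may
 ! talk on this port, and the default violation action (shutdown) applies.
 switchport port-security mac-address 0200.0000.0001
end
!
! Sticky addresses live in running-config only; save them or they vanish
! on reload.
copy running-config startup-config
!
! Verification (privileged EXEC): summary, per-port detail, the secure
! address table, and any ports currently err-disabled.
show port-security
show port-security interface GigabitEthernet1/0/5
show port-security address
show interfaces status err-disabled
```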
What do the three As in AAA stand for?
Authentication, Authorization, and Accounting
Authentication verifies the identity of a user or device. Authorization determines what an authenticated identity is permitted to do. Accounting records what was done and when.
What are the two AAA protocols commonly used on Cisco devices?
TACACS+ and RADIUS
Both are used for AAA but differ in design. TACACS+ is Cisco-proprietary, separates authentication, authorization and accounting into independent functions, runs over TCP port 49 and encrypts the entire packet body. RADIUS is an open standard, combines authentication and authorization in one exchange, runs over UDP (ports 1812/1813, or the legacy 1645/1646) and encrypts only the user password field.
What standard was created as a port-based access control and authentication protocol?
802.1X
IEEE 802.1X provides port-based network access control: a switchport passes only authentication traffic until the attached device has been authenticated. Authentication uses EAP, carried in EAPOL frames between the client and the switch and in RADIUS between the switch and the authentication server.
What are the 802.1X devices?
Client, authentication server, and authenticator
The client (supplicant) is the device requesting access and must run 802.1X-capable software. The authentication server, normally a RADIUS server, performs the actual authentication. The authenticator (the switch) sits between them, relays the EAP exchange, and opens or blocks the port based on the result.
What is the initial status of a port that is configured with 802.1X?
Unauthorized
In the unauthorized state the port blocks all ingress and egress traffic except 802.1X (EAPOL) frames; Cisco switches also pass CDP and STP. Once the client authenticates, the port moves to the authorized state and forwards traffic normally.
Which Cisco IOS command is used to enable AAA?
switch(config)#aaa new-model
This command enables the AAA framework on the device and is a prerequisite for the aaa authentication commands. It also changes login behavior: once enabled, the vty lines authenticate with the default AAA login list (local usernames) instead of the line password, so create a local user before issuing it on a remote session or you can lock yourself out.
Which Cisco IOS command is used to change the default AAA 802.1X authentication behavior?
switch(config)#aaa authentication dot1x default method1 method2
This command configures the default method list that 802.1X uses to authenticate supplicants. Although other keywords appear in the CLI help, group radius is the only method supported for dot1x, so a RADIUS server must be defined on the switch.
Which Cisco IOS command is used to globally enable 802.1X authentication?
switch(config)#dot1x system-auth-control
This command enables 802.1X port-based authentication globally on the device. Without it the per-interface authentication port-control settings have no effect.
Which Cisco IOS command is used to enable 802.1X authentication on a specific port or interface?
switch(config-if)#authentication port-control control-method
This command sets the 802.1X port-control mode on a specific interface. The control-method is auto, force-authorized or force-unauthorized. On current IOS releases the interface must also be configured with dot1x pae authenticator; older releases use dot1x port-control instead of authentication port-control.
What are the available methods of 802.1X port control on a device?
Auto, force authorized, and force unauthorized
In auto mode the port allows only 802.1X authentication traffic until the client is authenticated, then allows normal traffic. In force-authorized mode the port behaves as if 802.1X were not configured and passes normal traffic without authentication. In force-unauthorized mode the port refuses all traffic and ignores any authentication attempt. The default for every port is force-authorized.
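The AAA and 802.1X commands from the cards above, assembled into a complete configuration for one authenticated user port, one port that bypasses 802.1X and one port that is hard-blocked. This is an added example, not part of the original card set; the RADIUS server name and address, the shared key placeholder, the local username and the interface names are assumptions.

```cisco
! Added example (not from the card set). Server address, key, username and
! interface names are assumptions; replace the <...> placeholders.
!
! Create a local user BEFORE aaa new-model: once AAA is on, the vty lines
! use the default login list, and with no local user you are locked out.
username admin privilege 15 secret <strong-password>
aaa new-model
aaa authentication login default local
!
! The RADIUS server that acts as the 802.1X authentication server.
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
! group radius is the only supported dot1x method.
aaa authentication dot1x default group radius
! Global enable; without it the per-port settings below do nothing.
dot1x system-auth-control
!
interface GigabitEthernet1/0/7
 description User port, supplicant must authenticate (assumed)
 switchport mode access
 switchport access vlan 10
 ! auto: only EAPOL passes until RADIUS returns Access-Accept.
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/8
 description Device that cannot run a supplicant (assumed)
 switchport mode access
 switchport access vlan 10
 ! force-authorized is the default; shown explicitly because it disables
 ! 802.1X on this port and should be a conscious exception.
 authentication port-control force-authorized
!
interface GigabitEthernet1/0/9
 description Unused port, hard-blocked
 switchport mode access
 authentication port-control force-unauthorized
end
!
! Verification (privileged EXEC): global and per-port 802.1X state, and the
! session table showing which MAC authenticated on which port.
show dot1x all
show authentication sessions interface GigabitEthernet1/0/7
```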
What are the three different types of access lists supported by a Cisco multilayer switch?
Router access control lists, port access control lists, and VLAN access control lists
A router ACL (RACL) is the ordinary ACL applied to a routed interface or SVI and filters routed traffic. A port ACL (PACL) is applied to a layer 2 switchport, trunk port or port channel, inbound only, and filters traffic entering that port. A VLAN ACL (VACL) is applied to a VLAN through a VLAN access map and filters all traffic bridged within the VLAN or routed into or out of it, regardless of direction.
Which Cisco IOS command is used to create a VLAN access map (access list)?
switch(config)#vlan access-map name [sequence-number]
This command creates the VLAN access map if it does not already exist and enters VLAN access-map configuration mode, where match and action clauses are entered. The optional sequence-number (0 through 65535) orders the clauses of a multi-clause map. Traffic that matches no clause is dropped, so a map intended to drop only some traffic needs a final clause with action forward.
Which Cisco IOS command applies a VLAN access map to specific VLANs?
switch(config)#vlan filter map-name vlan-list vlan_list
This command applies the named access map to the listed VLANs. The VACL then acts on all traffic in those VLANs; it is not bound to an interface or a direction.
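The two VACL commands from the cards above, combined with the match and action clauses they need, as a configuration that quarantines one host inside VLAN 10 while leaving all other traffic in the VLAN untouched. This is an added example, not part of the original card set; the host address 198.51.100.50, the ACL and map names, and VLAN 10 are assumptions.

```cisco
! Added example (not from the card set). Addresses, names and VLAN are
! assumptions.
!
! The ACL selects the traffic the access map acts on: "permit" here means
! "this is a match", not "allow".
ip access-list extended QUARANTINE-HOST
 permit ip host 198.51.100.50 any
!
vlan access-map VLAN10-FILTER 10
 match ip address QUARANTINE-HOST
 action drop
!
! Anything not matched by an earlier clause is dropped by default, so this
! catch-all forward clause is required or the whole VLAN goes dark.
vlan access-map VLAN10-FILTER 20
 action forward
!
vlan filter VLAN10-FILTER vlan-list 10
end
!
! Verification (privileged EXEC): the clauses of the map and where it is
! applied.
show vlan access-map VLAN10-FILTER
show vlan filter
```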
What Cisco feature is a per-port security mechanism used to differentiate an untrusted switchport connected to a DHCP client from a trusted switchport, which is connected to a DHCP server?
DHCP snooping
DHCP snooping drops DHCP server messages (OFFER, ACK, NAK) that arrive on untrusted ports, so a rogue DHCP server on an access port cannot hand out a malicious default gateway or DNS server. It also builds a binding table of IP address, MAC address, lease, VLAN and port for clients on untrusted ports, which Dynamic ARP Inspection and IP Source Guard reuse.
Which Cisco IOS command is used to enable DHCP snooping globally on a switch?
switch(config)#ip dhcp snooping
This command enables DHCP snooping globally. By itself it does nothing until at least one VLAN is enabled with ip dhcp snooping vlan. All ports are untrusted by default.
Which Cisco IOS command is used to enable DHCP snooping on specific VLANs on a switch?
switch(config)#ip dhcp snooping vlan vlan-list
This command enables DHCP snooping on the listed VLANs (a single VLAN, a comma-separated list or a range). All ports in those VLANs are untrusted until explicitly marked trusted.
Which Cisco IOS command is used to configure a switchport as trusted by the DHCP snooping feature?
switch(config-if)#ip dhcp snooping trust
Configure this on every port through which legitimate DHCP server traffic arrives: the port facing the DHCP server or relay, and the uplinks or trunks toward it. Leaving an uplink untrusted blocks all DHCP for the clients behind it.
Which Cisco IOS command is used to display the status of DHCP snooping on a switch?
switch#show ip dhcp snooping
This command displays the DHCP snooping configuration: the VLANs on which it is enabled, whether option 82 insertion is on, and each configured interface with its trust state and rate limit. show ip dhcp snooping binding lists the learned bindings.
Which Cisco feature uses DHCP snooping as a mechanism for finding valid ARP entries?
Dynamic ARP inspection
DAI prevents ARP spoofing (ARP cache poisoning). It intercepts every ARP request and reply received on untrusted ports in the enabled VLANs and checks the sender IP and MAC pair against the DHCP snooping binding table (or a configured ARP ACL for hosts with static addresses). Packets that do not match a binding are dropped and logged. Untrusted ports are also rate-limited, 15 ARP packets per second by default, and err-disabled if they exceed the limit.
Which Cisco IOS command is used to enable Dynamic ARP inspection on a VLAN list?
switch(config)#ip arp inspection vlan vlan-list
This command enables DAI on the listed VLANs; the vlan-list can be a single VLAN, a comma-separated list or a range. DHCP snooping must already be populating bindings for those VLANs or every ARP packet from a client will be dropped.
Which Cisco IOS command is used to enable a port as trusted by Dynamic ARP inspection?
switch(config-if)#ip arp inspection trust
This command marks the interface as trusted, which exempts ARP packets received on it from inspection. It does not enable DAI, which is enabled per VLAN. Trust is normally set only on uplinks and inter-switch links, never on ports facing end hosts.
Which Cisco IOS command is used to enable additional validation using the body of the ARP frame?
switch(config)#ip arp inspection validate [src-mac] [dst-mac] [ip]
This command enables additional checks on the ARP frame body beyond the binding lookup. With src-mac, the source MAC address in the Ethernet header is compared against the sender MAC address in the ARP body, for both requests and replies. With dst-mac, the destination MAC address in the Ethernet header is compared against the target MAC address in the ARP body, for replies. With ip, the ARP body is checked for invalid or unexpected addresses such as 0.0.0.0, 255.255.255.255 and multicast addresses; the sender IP is checked in all packets and the target IP in replies. Each ip arp inspection validate command replaces the previous validation settings rather than adding to them, so all desired keywords must be given on one line.
Which Cisco IOS command is used to enable IP source guard and filter based on the IP address binding?
switch(config-if)#ip verify source vlan dhcp-snooping
This is the Catalyst 6500 syntax; on Catalyst 2960/3560/3750-class switches the equivalent is ip verify source. Once applied, the port forwards only IP traffic whose source IP address matches a DHCP snooping binding (or a static ip source binding) for that port and VLAN. Until a binding exists, only DHCP traffic is allowed so the client can obtain an address; non-IP traffic is not affected.
Which Cisco IOS command is used to enable IP source guard and filter based on the IP and MAC address binding?
switch(config-if)#ip verify source vlan dhcp-snooping port-security
This variant adds source MAC filtering: traffic is permitted only when both the source IP address and the source MAC address match the binding learned when the lease was granted. It requires port security (switchport port-security) to be enabled on the interface. On Catalyst 2960/3560/3750-class switches the equivalent is ip verify source port-security.
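The DHCP snooping, Dynamic ARP Inspection and IP Source Guard commands from the cards above, layered on one access VLAN with a trusted uplink and an untrusted client port. This is an added example, not part of the original card set; it uses Catalyst 2960/3560/3750-style syntax rather than the 6500 syntax shown on the IP Source Guard cards, and the interface names, VLAN 10 and the binding database file name are assumptions. It also includes the option 82, rate-limit and errdisable recovery settings a practitioner adds alongside these features, which the cards do not cover.

```cisco
! Added example (not from the card set). Interface names, VLAN and file name
! are assumptions; syntax is Catalyst 2960/3560/3750-style.
!
ip dhcp snooping
ip dhcp snooping vlan 10
! Many non-Cisco DHCP servers and relays drop requests carrying option 82,
! so do not insert it unless the relay is configured to accept it.
no ip dhcp snooping information option
! Persist bindings across a reload; otherwise DAI and IPSG block every
! client until its lease renews.
ip dhcp snooping database flash:dhcp-snooping.db
!
ip arp inspection vlan 10
! One command sets all validation options; a later command replaces them.
ip arp inspection validate src-mac dst-mac ip
! Bring back ports that DAI err-disabled for exceeding the ARP rate limit.
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
interface GigabitEthernet1/0/24
 description Uplink toward the DHCP server (assumed)
 switchport mode trunk
 ! Trusted for both features: server replies and upstream ARP pass
 ! without inspection.
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet1/0/5
 description Client access port (assumed)
 switchport mode access
 switchport access vlan 10
 ! Untrusted by default for DHCP snooping and DAI. Cap DHCP and ARP rates so
 ! one misbehaving host cannot exhaust the switch CPU.
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
 ! IP Source Guard with MAC checking requires port security on the port.
 switchport port-security
 switchport port-security maximum 1
 ip verify source port-security
end
!
! Verification (privileged EXEC): trust states, learned bindings, DAI status
! and drop counters, and the per-port IPSG filter, which should list the
! client's IP and MAC once it has a lease.
show ip dhcp snooping
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip arp inspection statistics vlan 10
show ip verify source
```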
Which Cisco IOS command is used to disable the Cisco Discovery Protocol globally on a switch?
switch(config)#no cdp run
This command disables CDP on every interface. CDP advertises the device model, IOS version, management IP address and VLAN information in cleartext to whatever is attached to the link, so disabling it removes a reconnaissance source; it also breaks features that depend on it, such as voice VLAN discovery by IP phones and neighbor-based troubleshooting. A common compromise is to leave CDP running globally and disable it per interface with no cdp enable on ports facing untrusted devices.