37 Cards in this Set

  • Front
  • Back
To enable the port security feature on a switch port. By default the switch dynamically learns MACs (called sticky MACs). It can learn up to the maximum number of addresses secured on the port.
switch(config-if)# switchport port-security
To specify the maximum number of MACs that will be allowed access on the interface that uses port security. Default is 1.
switch(config-if)# switchport port-security maximum [1 - 1024]
To statically define one or more MACs on an interface. If the number of static addresses configured is less than the maximum number of addresses secured on the port, the remaining addresses are learned dynamically.
switch(config-if)# switchport port-security mac-address [MACs in : format]
To define how the port reacts to a MAC violation (e.g. the maximum number of MACs has been learnt, or an unknown MAC appears on the port). Shutdown = port is put in err-disable; Restrict = port stays up but packets from violating MACs are dropped and a log entry is kept; Protect = same as restrict but no record of the violation is kept.
switch(config-if)# switchport port-security violation [shutdown | restrict | protect]
To convert all dynamic port security learned MACs to sticky secure MAC addresses.
switch(config-if)# switchport port-security mac-address sticky
To clear the complete port cache of learned MACs.
switch# clear port-security dynamic [address [MAC] | interface [type] [mod/num]]
To display port security information for that interface. Also shows status, violation mode, last source address, violation count and the number of max MACs, total MACs, sticky MACs and configured MACs.
switch# show port-security interface [type] [mod/num]
To display the MAC address table security information. A summary showing the number of max MACs, configured MACs, security violations and security actions.
switch# show port-security
To see a quick summary of the port in err-disable along with the reason for err-disable.
switch# show interfaces status err-disabled
To enable authentication, authorization and accounting (AAA) on the switch, by default disabled.
switch(config)# aaa new-model
To define the external RADIUS server with its shared secret, which provides a key for encrypting the authentication session. The command can be repeated to define additional RADIUS servers.
switch(config)# radius-server host [hostname | IP address] key [string]
To define the authentication method for 802.1x. This command causes all RADIUS servers defined on the switch to be used.
switch(config)# aaa authentication dot1x default group radius
To globally enable 802.1x port-based authentication on the switch.
switch(config)# dot1x system-auth-control
To configure each switchport that will use 802.1x. Force-authorized (default) = disables 802.1x authentication, so the port is authorized without authentication; force-unauthorized = never authorizes, so the port can't pass traffic; auto = uses 802.1x to move the port from the unauthorized to the authorized state.
switch(config-if)# dot1x port-control [force-authorized | force-unauthorized | auto]
To verify the 802.1x operation on each switch port that’s configured to use port-based authentication.
switch# show dot1x all
To configure DHCP snooping, enable it globally. The switch intercepts all DHCP replies from trusted ports and floods them throughout the network. If a DHCP reply comes from an untrusted port it is dropped and the port is put in the err-disable state.
switch(config)# ip dhcp snooping
To identify the VLAN where DHCP snooping should be implemented. Either a single VLAN, or a start and end VLAN.
switch(config)# ip dhcp snooping vlan [vlan-id]
To identify trusted ports. By default all ports are untrusted. Only trusted ports are allowed to send DHCP replies.
switch(config-if)# ip dhcp snooping trust
To rate limit DHCP traffic on untrusted ports. By default an unlimited rate of DHCP requests per second is accepted.
switch(config-if)# ip dhcp snooping limit rate [1 - 2048]
To enable/disable DHCP option 82 (enabled by default). On untrusted ports the switch adds its own MAC and the switch port identifier in the option 82 field of the request. It can then double-check this when a DHCP reply is received.
switch(config)# [no] ip dhcp snooping information option
To display DHCP snooping configuration and status. Use binding to show all the known DHCP bindings that have been overheard. The switch maintains these in its own DHCP snooping binding database.
switch# show ip dhcp snooping [binding]
To display the status of the insertion and removal of the DHCP option 82 field on all interfaces.
switch# show running-config
To configure a static IP source binding, where the host's MAC is bound to a specific VLAN and IP and is expected on a specific interface. Use this if you aren't using DHCP snooping. If you want IP Source Guard to detect spoofed MACs you will also need to configure and enable port security.
switch(config)# ip source binding [mac] vlan [vlan-id] [ip-add] interface [type] [mod/num]
To enable IP Source Guard on an interface. Only inspects the source IP; add port-security to inspect the source MAC as well.
switch(config-if)# ip verify source [port-security]
To verify the IP Source Guard status.
switch# show ip verify source [interface [type] [mod/num]]
To verify the information contained in the IP source binding database, either learned or statically configured.
switch# show ip dhcp snooping binding [ip-add] [mac] [dhcp snooping |static] [interface [type] [mod/num]] [vlan [vlan-id]]
To enable DAI on one VLAN or a range of VLANs. The switch can gather trusted ARP information from statically configured entries or from dynamic entries in the DHCP snooping database.
switch(config)# ip arp inspection vlan [vlan-id]
To configure a trusted DAI port. By default all ports are untrusted. You should identify trusted ports as those connected to other switches.
switch(config-if)# ip arp inspection trust
To configure an ARP access list that defines the static MAC-IP address bindings that are permitted. Use this for hosts with static IPs, since there will be no DHCP messages for them.
switch(config)# arp access-list [acl-name]
switch(config-acl)# permit ip host [sender IP] mac host [sender-mac]
switch(config-acl)# exit
To apply the ARP ACL. When ARP entries are intercepted their contents are first matched against the ACL; if there is no match, the DHCP snooping database is checked. Using "static" stops the DHCP binding database from being checked.
switch(config)# ip arp inspection filter [acl-name] vlan [vlan-range] [static]
To enable DAI validation. By default only the MAC and IP contained in the ARP reply are validated; this also validates the actual MAC contained in the Ethernet header of the ARP reply. src-mac = checks the source MAC in the Ethernet header against the sender MAC in the ARP reply; dst-mac = checks the destination MAC in the Ethernet header against the target MAC in the ARP reply; ip = checks the IP address in all ARP requests and the sender's IP against the target IP in all ARP replies.
switch(config)# ip arp inspection validate [src-mac | dst-mac | ip]
To display DAI status information.
switch# show ip arp inspection
To automatically encrypt password strings that are stored in the switch configuration. Although the encryption isn't strong, it can stop casual observers from seeing passwords over your shoulder.
switch(config)# service password-encryption
At what layer does 802.1x operate?
It is a Layer 2 protocol. When enabled, a switch port will not pass any traffic until a user has authenticated with the switch. Port-based authentication can be handled by one or more external RADIUS servers. The authentication server authenticates each host connected to a switch port before making available any services offered by the switch or LAN.
What's DHCP snooping?
Uses trusted and untrusted ports to stop someone spoofing the DHCP server and sending crafted DHCP replies with bogus information (e.g. a wrong default gateway). It also keeps track of the completed DHCP bindings and leases as clients receive legitimate DHCP replies.
What's IP Source Guard?
It is a feature that detects and suppresses address spoofing attacks (changing the source IP of a packet that is sent), even if they occur within the same subnet. IP Source Guard does this by making use of the DHCP snooping database, as well as static IP source binding entries. It uses dynamic ACLs to check the source IP and port security to check the source MAC. If the address is something other than the one learned or statically configured, the switch will drop the packet.
What is Dynamic ARP Inspection?
It protects against ARP poisoning or ARP spoofing, where an attacker sends its own crafted ARP reply when it hears an ARP request. It works like DHCP snooping, with trusted and untrusted ports, and the switch intercepting and inspecting all ARP packets that arrive on an untrusted port.