shutdown
Navigate to each unused port and issue the Cisco IOS ______ command.
show port-security address
To display all secure MAC addresses that are manually configured or dynamically learned on all switch interfaces, use the ________________.
interface range
To configure a range of ports, use the ____________ command.
show port-security interface
Use the _____________ command to display the current port security settings.
switchport port-security maximum value
To set the maximum number of MAC addresses allowed on a port.
1
The default port security value is ___.
switchport port-security
When ___________ is entered, the current source MAC address of the device connected to the port is automatically secured but is not added to the startup configuration. If the switch is rebooted, the port will have to re-learn the device’s MAC address.
switchport port-security mac-address sticky
The administrator can enable the switch to dynamically learn MAC addresses and “stick” them to the running configuration by using the following command:
show port-security interface module and show port-security address
Use the ___________ commands to verify the configuration.
Absolute
The secure addresses on the port are deleted after the specified aging time.
Inactivity
The secure addresses on the port are deleted only if they are inactive for the specified aging time.
switchport port-security aging
Use the ______________ command to enable or disable static aging for the secure port, or to set the aging time or type.
switchport port-security aging static
Enable aging for statically configured secure addresses on this port.
switchport port-security aging time time
Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.
switchport port-security aging type absolute
Set the absolute aging time. All the secure addresses on this port age out exactly after the time (in minutes) specified and are removed from the secure address list.
switchport port-security aging type inactivity
Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.
aging
Use ____________ to remove secure MAC addresses on a secure port without manually deleting the existing secure MAC addresses.
violation
If the MAC address of a device attached to the port differs from the list of secure addresses, then a port ________ occurs. By default, the port enters the error-disabled state.
switchport port-security violation shutdown
The port transitions to the error-disabled state immediately, turns off the port LED, and sends a syslog message. It increments the violation counter. When a secure port is in the error-disabled state, an administrator must re-enable it by entering the __________ and __________ commands.
switchport port-security violation restrict
The port drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the maximum value. This mode causes the Security Violation counter to increment and generates a syslog message.
switchport port-security violation protect
This is the least secure of the security violation modes. The port drops packets with unknown MAC source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the maximum value. No syslog message is sent.
err-disabled
The show interface command identifies the port status as __________.
secure-shutdown
The output of the show port-security interface command now shows the port status as ____________.
show run
To verify that MAC addresses are “sticking” to the configuration, use the ___________ command.
switchport mode access
Disable DTP (auto trunking) negotiations on non-trunking ports by using the _______________ interface configuration command.
switchport mode trunk
Manually enable the trunk link on a trunking port by using the _________ command.
switchport nonegotiate
Disable DTP (auto trunking) negotiations on trunking ports by using the switchport nonegotiate command.
switchport trunk native vlan vlan_number
Set the native VLAN to a VLAN other than VLAN 1 by using the _________________ command.
Spoofing DTP messages
Introducing a rogue switch and enabling trunking
double-tagging (or double-encapsulated) attack
A VLAN hopping attack can be launched in one of three ways:
Double-Tagging Attack
This attack takes advantage of the way hardware on most switches operates.
DHCP starvation attack
The goal of a _________ is to create a Denial of Service (DoS) for connecting clients.
Gobbler
DHCP starvation attacks require an attack tool such as _______.
port security
Recall that DHCP starvation attacks can be effectively mitigated by using _______________________.
DHCP snooping
determines whether DHCP messages are from an administratively configured trusted or untrusted source.
ip dhcp snooping
Enable DHCP snooping by using the _________ global configuration command.
ip dhcp snooping trust
On trusted ports, use the ____________ interface configuration command.
ip dhcp snooping vlan
Enable DHCP snooping by VLAN, or by a range of VLANs, by using the __________________ global configuration command.
ARP Attack
a threat actor can send unsolicited ARP replies to other hosts on the subnet with the MAC address of the threat actor and the IP address of the default gateway.
show ip dhcp snooping
Use the _____________ privileged EXEC command to verify DHCP snooping.
show ip dhcp snooping binding
to view the clients that have received DHCP information.
Dynamic ARP Inspection (DAI)
requires DHCP snooping and helps prevent ARP attacks.
ip arp inspection validate {[src-mac] [dst-mac] [ip]}
global configuration command used to configure DAI to drop ARP packets when the IP addresses are invalid. It can be used when the MAC addresses in the body of the ARP packets do not match the addresses that are specified in the Ethernet header.
PortFast
immediately brings an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states. Apply to all end-user ports.
BPDU Guard
immediately error-disables a port that receives a BPDU.
spanning-tree portfast
PortFast can be enabled on an interface by using the _____________________ interface configuration command.
spanning-tree portfast default
Portfast can be configured globally on all access ports by using the ______________ global configuration command.
show spanning-tree summary
To verify whether PortFast is enabled globally, you can use the ____________________ command.
show running-config interface type/number
To verify if PortFast is enabled on an interface, use the __________ command.
errdisable recovery cause psecure_violation
If any BPDUs are received on a BPDU Guard enabled port, that port is put into error-disabled state. This means the port is shut down and must be manually re-enabled or automatically recovered through the _________________ global command.
spanning-tree bpduguard enable
BPDU Guard can be enabled on a port by using the ________________ interface configuration command.
spanning-tree portfast bpduguard default
Use the _______________ global configuration command to globally enable BPDU guard on all PortFast-enabled ports.
show spanning-tree summary
To display information about the state of spanning tree, use the _____________ command.
ip dhcp snooping limit rate
Limit the number of DHCP discovery messages that can be received per second on untrusted ports by using the _____________ interface configuration command.