Layer 2
Considered the weakest link in the OSI model: if Layer 2 is compromised, all the layers above it are affected as well.
shutdown
Command to use to disable unused ports
port security
The simplest and most effective method to prevent MAC address table overflow attacks is to enable _____ ________.
_____ ________ limits the number of valid MAC addresses allowed on a port.
By limiting the number of permitted MAC addresses on a port to one, _____ ________ can be used to control unauthorized access to the network.
S1(config)# interface f0/1
S1(config-if)# switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
Command to enable port security (rejected on a port in dynamic DTP mode; the port must first be set to access mode, as shown)
port-security interface
Use the show ____________ _______ command to display the current port security settings
switchport port-security
If an active port is configured with the _________ _______________ command and more than one device is connected to that port, the port will transition to the error-disabled state, because the defaults are a maximum of one secure address and the shutdown violation mode.
switchport port-security maximum value
To set the maximum number of MAC addresses allowed on a port, use the following command:
1. Manually Configured
2. Dynamically Learned
3. Dynamically Learned – Sticky
The switch can be configured to learn about MAC addresses on a secure port in one of three ways:
Manually Configured
The administrator manually configures one or more static MAC addresses by using the switchport port-security mac-address mac-address interface command once for each secure MAC address on the port.
Dynamically Learned
When the switchport port-security command is entered, the current source MAC for the device connected to the port is automatically secured in the MAC address table, but it is not added to the running or startup configuration. If the switch is rebooted, the port will have to re-learn the device's MAC address.
Dynamically Learned – Sticky
The administrator can enable the switch to dynamically learn MAC addresses and "stick" them to the running configuration by using the switchport port-security mac-address sticky interface command. The learned addresses survive a reboot only if the running configuration is then saved to the startup configuration.
show port-security interface
show port-security address
Commands used to verify port security on an interface and to list the secure MAC addresses
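The complete port security procedure from the cards above, written out as an added example (this is not a configuration from the original card set). The hostname S1, interface FastEthernet0/1, VLAN 10 and the MAC address 0050.56be.1234 are assumed values.

```cisco
! Added example, not from the original cards: a complete port security
! setup for one access port on switch S1. The hostname, interface f0/1,
! VLAN 10 and the MAC address 0050.56be.1234 are assumed values.
!
! Paste into configure terminal. Port security is rejected on a port in
! dynamic (DTP) mode, so the port is set to access mode first.
interface FastEthernet0/1
 description Workstation port
 switchport mode access
 switchport access vlan 10
!
! Enabling port security with no further options gives the defaults:
! maximum of 1 address, violation mode shutdown, no aging.
 switchport port-security
!
! Allow two devices (e.g. an IP phone and the PC behind it): one address
! configured manually, the other learned dynamically and kept in the
! running configuration as a sticky entry.
 switchport port-security maximum 2
 switchport port-security mac-address 0050.56be.1234
 switchport port-security mac-address sticky
 exit
!
! Verification (the "do" prefix runs EXEC commands from config mode).
! show port-security interface: check that Port Status is Secure-up,
! Maximum MAC Addresses is 2 and Security Violation Count is 0.
do show port-security interface FastEthernet0/1
! show port-security address: one SecureConfigured entry and, once the
! second device has sent a frame, one SecureSticky entry for VLAN 10.
do show port-security address
! The sticky address exists only in the running configuration until saved.
do copy running-config startup-config
```

The order matters: "switchport mode access" before "switchport port-security", and "maximum 2" before the second address is learned, otherwise the second device triggers a violation under the default maximum of one.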
Port Security Aging
______ __________ _______ can be used to set the aging time for static and dynamic secure addresses on a port. Two types of aging are supported per port:
Absolute - The secure addresses on the port are deleted after the specified aging time.
Inactivity - The secure addresses on the port are deleted only if they are inactive for the specified aging time.
aging
Use ______ to remove secure MAC addresses on a secure port without manually deleting the existing secure MAC addresses.
switchport port-security aging
Use the ________________________ command to enable or disable static aging for the secure port, or to set the aging time or type.
static - enable aging for the statically configured secure addresses on the port (by default only dynamically learned addresses age)
time - aging time in minutes; 0 disables aging
type absolute - all secure addresses on the port are removed when the timer expires
type inactivity - a secure address is removed only if no traffic from it is seen for the aging time
switchport port-security aging parameters:
port violation
If the MAC address of a device attached to the port differs from the list of secure addresses, or the maximum number of secure addresses has already been reached when a new one appears, then a ____ ________ occurs. An address secured on one port that shows up on another secure port in the same VLAN also counts as a violation. By default, the port enters the error-disabled state.
switchport port-security violation { protect | restrict | shutdown }
To set the port security violation mode, use the following command:
shutdown
restrict
protect
Security Violation Modes (3)
What is the violation mode used? (Protect, Restrict or Shutdown)

Mode     | Discards offending traffic? | Sends syslog message? | Increases violation counter? | Shuts down port?
Protect  | Yes                         | No                    | No                           | No
Restrict | Yes                         | Yes                   | Yes                          | No
Shutdown | Yes                         | Yes                   | Yes                          | Yes

Shutdown is the default mode. Protect is the only mode that leaves no trace of a violation (no log message, no counter), so restrict or shutdown is preferred wherever violations must be detected.
turned off
In shutdown violation mode the port is placed in the error-disabled state: the port protocol and link status are changed to down and the port LED is ________ ___.
show run
To verify that MAC addresses are “sticking” to the configuration, use the _____ ___ command
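An added example (not from the original cards) covering the rest of the port security material above: the restrict and shutdown violation modes, inactivity aging, and automatic recovery of an error-disabled port. Interface numbers, VLAN 10, the MAC address 0050.56be.aaaa and the timer values are assumed.

```cisco
! Added example, not from the original cards: violation modes, aging and
! automatic recovery on switch S1. Interface numbers, VLAN 10, the MAC
! address 0050.56be.aaaa and the timers are assumed values.
!
! Shared hot-desk port: one dynamically learned address at a time. Frames
! from an extra device are dropped, logged and counted (restrict), but the
! port stays up for the legitimate user.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
! Inactivity aging releases the learned address 10 minutes after the
! device goes quiet, so the next user is learned without clearing the port.
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 exit
!
! Printer port: a single manually configured address and the default
! violation mode (shutdown), so the port is error-disabled if anything
! else appears. No aging here; "switchport port-security aging static"
! would be needed only if the configured entry should age as well.
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security mac-address 0050.56be.aaaa
 exit
!
! Without this, a port shut down by a violation stays error-disabled until
! someone issues shutdown / no shutdown on it. Recovery after 300 seconds;
! the port is disabled again if the violation repeats.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification: Violation Mode and Aging Type/Time per port, the remaining
! age of each secure address, and the recovery timer.
do show port-security interface FastEthernet0/2
do show port-security address
do show errdisable recovery
```

Restrict is the right choice where an outage on the port is worse than the intrusion attempt (shared desks); shutdown is the right choice where any second device is a red flag (a printer or a server). In both cases the syslog message and the violation counter are what the SOC should be watching.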
VLAN Hopping Attacks
These steps are used to mitigate what?
Step 1: Disable DTP (auto trunking) negotiations on non-trunking ports by using the switchport mode access interface configuration command.
Step 2: Disable unused ports and put them in an unused VLAN.
Step 3: Manually enable the trunk link on a trunking port by using the switchport mode trunk command.
Step 4: Disable DTP (auto trunking) negotiations on trunking ports by using the switchport nonegotiate command.
Step 5: Set the native VLAN to a VLAN other than VLAN 1 by using the switchport trunk native vlan vlan_number command.
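The five steps above as one configuration, added here as an example (it is not from the original cards). The interface ranges, user VLAN 10, parking VLAN 999 and native VLAN 99 are assumed values.

```cisco
! Added example, not from the original cards: the five VLAN hopping
! mitigation steps applied to switch S1. Interface ranges, user VLAN 10,
! parking VLAN 999 and native VLAN 99 are assumed values.
!
! Step 1: user ports are fixed access ports. DTP frames from a host are
! ignored, so a spoofed DTP negotiation cannot turn the port into a trunk.
interface range FastEthernet0/1 - 20
 switchport mode access
 switchport access vlan 10
 exit
!
! Step 2: unused ports are shut down and parked in a VLAN that carries no
! traffic, so a patched-in rogue switch gets nothing even if someone
! re-enables the port.
vlan 999
 name PARKING
 exit
interface range FastEthernet0/21 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
 exit
!
! Steps 3 to 5: the uplink is an explicit trunk with DTP turned off, and
! its native VLAN is a dedicated VLAN with no access ports, so no host sits
! on the native VLAN and a double-tagged frame has nowhere to originate.
vlan 99
 name NATIVE
 exit
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,99
 exit
!
! On platforms that also support ISL, "switchport trunk encapsulation dot1q"
! must be entered before "switchport mode trunk" on the uplink.
!
! Verification: Gi0/1 shows "Negotiation of Trunking: Off" and native
! VLAN 99; the access ports show "Administrative Mode: static access".
do show interfaces GigabitEthernet0/1 switchport
do show interfaces trunk
do show dtp interface FastEthernet0/1
```

The allowed-VLAN list on the trunk is not one of the five steps but belongs with them: a trunk that carries only the VLANs it needs limits what a successful hop could reach.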
Spoofing DTP messages
This is a way VLAN hopping attacks are initiated:
___________ ___ ____________ from the attacking host to cause the switch to enter trunking mode. From here, the attacker can send traffic tagged with the target VLAN, and the switch then delivers the packets to the destination.
rogue switch
This is a way VLAN hopping attacks are initiated:
Introducing a _______ _______ and enabling trunking. The attacker can then access all the VLANs on the victim switch using this method.
Double tagging (or double-encapsulated)
This is a way VLAN hopping attacks are initiated:
_________ _________ attack. This attack takes advantage of the way hardware on most switches operates: an attacker on the native VLAN of a trunk sends a frame carrying two 802.1Q tags, the outer one for the native VLAN and the inner one for the target VLAN. The first switch strips the outer tag (native VLAN traffic is sent untagged on the trunk) and forwards the frame, still carrying the inner tag, across the trunk; the next switch reads that inner tag and delivers the frame into the target VLAN. The attack is one-way and only works when the attacker's access VLAN is the trunk's native VLAN, which is why the native VLAN is moved off VLAN 1 and kept free of access ports.
Denial of Service (DoS)
The goal of a DHCP starvation attack is to create a __________ ___ ___________ for connecting clients.
Gobbler
DHCP starvation attacks require an attack tool such as?
port security
DHCP starvation attacks can be effectively mitigated by using ____ __________ because Gobbler uses a unique source MAC address for each DHCP request sent.
Ethernet address
Mitigating DHCP spoofing attacks requires more protection. Gobbler could be configured to use the actual interface MAC address as the source ________ _______, but specify a different Ethernet address in the DHCP payload (the client hardware address field). Port security would then see only legitimate source MAC addresses and be ineffective against the starvation.
DHCP snooping
DHCP spoofing attacks can be mitigated by using ______ ___________, which allows DHCP server messages only on ports that have been explicitly configured as trusted.
Source MAC Addresses
DHCP snooping does not rely on ______ ___ ________. Instead, DHCP snooping determines whether DHCP messages are from an administratively configured trusted or untrusted source. It then filters DHCP messages and rate-limits DHCP traffic from untrusted sources.
trusted sources, untrusted source
Devices under your administrative control, such as switches, routers, and servers, are _______ _____. Any device beyond the firewall or outside your network is an _______ _____.
untrusted port
A rogue DHCP server would be on an _______ ____ after enabling DHCP snooping. All interfaces are treated as untrusted by default. Trusted interfaces are typically trunk links and ports directly connected to a legitimate DHCP server. These interfaces must be explicitly configured as trusted.
DHCP snooping binding table
A DHCP table is built that includes the source MAC address of a device on an untrusted port and the IP address assigned by the DHCP server to that device. The MAC address and IP address are bound together, along with the lease time, binding type, VLAN and interface. Therefore, this table is called the _____ _________ __________ ______.
DHCP Attacks
These steps are used to mitigate what?
Step 1. Enable DHCP snooping by using the ip dhcp snooping global configuration command.
Step 2. On trusted ports, use the ip dhcp snooping trust interface configuration command.
Step 3. Limit the number of DHCP messages that can be received per second on untrusted ports by using the ip dhcp snooping limit rate interface configuration command (a port that exceeds the limit is error-disabled).
Step 4. Enable DHCP snooping by VLAN, or by a range of VLANs, by using the ip dhcp snooping vlan global configuration command.
show ip dhcp snooping, show ip dhcp snooping binding
Use the _____ __ ____ _______ privileged EXEC command to verify DHCP snooping and ______ __ _____ ________ ________ to view the clients that have received DHCP information
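The four DHCP snooping steps above as one configuration, added here as an example (not from the original cards). VLANs 10 and 20, uplink GigabitEthernet0/1 toward the legitimate DHCP server, and the rate limit of 6 packets per second are assumed values.

```cisco
! Added example, not from the original cards: DHCP snooping on access
! switch S1 following the four steps above. VLANs 10 and 20, uplink Gi0/1
! (toward the legitimate DHCP server) and the rate limit are assumed values.
!
! Step 1: enable snooping globally. Every port is now untrusted, meaning
! DHCP server messages (OFFER, ACK, NAK) arriving on it are dropped.
ip dhcp snooping
!
! Step 4 from the card: snooping does nothing until the VLANs are listed.
ip dhcp snooping vlan 10,20
!
! Step 2: only the uplink may deliver server messages. Ports to other
! switches and to the DHCP server itself get this; client ports never do.
interface GigabitEthernet0/1
 ip dhcp snooping trust
 exit
!
! Step 3: cap DHCP traffic from clients. A starvation tool sends bursts of
! DISCOVERs; a port that exceeds the limit is error-disabled.
interface range FastEthernet0/1 - 24
 ip dhcp snooping limit rate 6
 exit
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Caveat: with snooping on, the switch inserts DHCP option 82 into client
! requests. If the upstream relay or server discards packets carrying
! option 82 (a common cause of "clients stopped getting addresses" right
! after snooping was enabled), disable the insertion.
no ip dhcp snooping information option
!
! Verification: trusted ports and rate limits, then one binding (MAC, IP,
! lease, type, VLAN, interface) per client that completed DHCP.
do show ip dhcp snooping
do show ip dhcp snooping binding
```

The rate limit only needs to be high enough for legitimate renewals and boots; a single client rarely sends more than a handful of DHCP packets per second.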
Dynamic ARP Inspection (DAI)
DHCP snooping is also required by _______ ____ ________
unsolicited ARP Replies
In a typical ARP attack, a threat actor sends _________ ___ _______ (gratuitous ARP) to other hosts on the subnet with the MAC address of the threat actor and the IP address of the default gateway, so those hosts update their ARP caches and send gateway-bound traffic to the attacker.
ARP Requests, Replies
To prevent ARP spoofing and the resulting ARP poisoning, a switch must ensure that only valid ____ ________ and _______ are relayed.
DHCP snooping
Dynamic ARP inspection (DAI) requires ____ ________ and helps prevent ARP attacks by:
Not relaying invalid or gratuitous ARP Replies out to other ports in the same VLAN.
Intercepting all ARP Requests and Replies on untrusted ports.
Verifying each intercepted packet for a valid IP-to-MAC binding.
Dropping and logging ARP packets (Requests and Replies) coming from invalid sources to prevent ARP poisoning.
Error-disabling the interface if the configured DAI number of ARP packets is exceeded.
ARP Attacks
These guidelines are used by DAI to mitigate what?
Enable DHCP snooping globally.
Enable DHCP snooping on selected VLANs.
Enable DAI on selected VLANs.
Configure trusted interfaces for DHCP snooping and ARP inspection.
access
It is generally advisable to configure all _______ switch ports as untrusted and to configure all uplink ports that are connected to other switches as trusted.
Destination MAC
This can be used by DAI to check the destination MAC address in the Ethernet header against the target MAC address in ARP body.
Source MAC
This can be used by DAI to check the source MAC address in the Ethernet header against the sender MAC address in the ARP body.
IP address
This can be used by DAI to check the ARP body for invalid and unexpected IP addresses including addresses 0.0.0.0, 255.255.255.255, and all IP multicast addresses.
ip arp inspection validate {[src-mac] [dst-mac] [ip]}
A global configuration command used to make DAI drop ARP packets whose IP addresses are invalid, or whose MAC addresses in the ARP body do not match the addresses in the Ethernet header. Each ip arp inspection validate command replaces the previous one, so all required checks must be given in a single command.
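The DAI guidelines and validation options above as one configuration, added here as an example (not from the original cards). VLAN 10, uplink GigabitEthernet0/1, a statically addressed server on FastEthernet0/24 (10.1.10.5, 0050.56be.aaaa) and the rate limit are assumed values.

```cisco
! Added example, not from the original cards: Dynamic ARP Inspection on
! switch S1, following the guidelines above. VLAN 10, uplink Gi0/1, the
! static server on Fa0/24 (10.1.10.5, 0050.56be.aaaa) and the rate limit
! are assumed values.
!
! DAI validates ARP against the DHCP snooping binding table, so snooping
! must be enabled first (the two lines below are the minimum).
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Enable DAI for the VLAN. All ports start untrusted: every ARP request
! and reply received on them is checked for a valid IP-to-MAC binding.
ip arp inspection vlan 10
!
! Extra header checks. Each "ip arp inspection validate" command replaces
! the previous one, so all wanted options go on a single line.
ip arp inspection validate src-mac dst-mac ip
!
! Uplink to the other switch: trusted for both features, otherwise ARP
! from hosts behind that switch (which have no binding here) is dropped.
interface GigabitEthernet0/1
 ip dhcp snooping trust
 ip arp inspection trust
 exit
!
! A server with a static IP has no DHCP binding. Rather than trusting its
! port (which would let it poison the VLAN), whitelist its exact IP/MAC
! pair with an ARP ACL; packets the ACL does not match still go through
! the binding-table check.
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.5 mac host 0050.56be.aaaa
 exit
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Access ports: untrusted (default). The default limit on untrusted ports
! is 15 ARP packets per second; exceeding it error-disables the port,
! which is what stops an ARP flood.
interface range FastEthernet0/1 - 23
 ip arp inspection limit rate 15
 exit
errdisable recovery cause arp-inspection
!
! Verification: DAI and validation state per VLAN, trust state and rate
! limit per port, and forwarded/dropped counters (DHCP Drops rise when a
! host lies about its IP; ACL Permits when the static server talks).
do show ip arp inspection vlan 10
do show ip arp inspection interfaces
do show ip arp inspection statistics vlan 10
```

Trusting a port is the blunt instrument: it disables every check for that port. For the few hosts that cannot use DHCP, an ARP ACL entry per host keeps the inspection in force everywhere else.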
Spanning Tree Protocol (STP)
Network attackers can manipulate the ________ ___ _______ to conduct an attack by spoofing the root bridge and changing the topology of a network
STP Attacks
PortFast and BPDU guard are used to mitigate what?
PortFast
this immediately brings an interface configured as an access port to the forwarding state from a blocking state, bypassing the listening and learning states. Apply to all end-user ports. It should only be configured on ports attached to end devices.
BPDU guard
this immediately error disables a port that receives a BPDU. It should only be configured on interfaces attached to end devices.
Portfast
_______ bypasses the STP listening and learning states to minimize the time that access ports must wait for STP to converge
spanning-tree loop
If PortFast is enabled on a port connecting to another switch, there is a risk of creating a _____________ _____.
spanning-tree portfast
this is an interface configuration command used to enable portfast
spanning-tree portfast default
Portfast can be configured globally on all access ports by using this global configuration command.
show running-config | begin span, show spanning-tree summary command
To verify whether PortFast is enabled globally you can use either the ______________________________ command or the ______________________________
show running-config interface type/number
To verify if PortFast is enabled on an interface, use this command _____________________________
BPDUs
Even though PortFast is enabled, the interface will still listen for ________
BPDU Guard
If any BPDUs are received on a ______ _______ enabled port, that port is put into error-disabled state
errdisable recovery cause bpduguard
When a port has been error-disabled by BPDU guard, it must be re-enabled manually (shutdown followed by no shutdown on the interface) or recovered automatically through the _______________________________ global command; errdisable recovery interval sets how long the switch waits before re-enabling it.
spanning-tree bpduguard enable
spanning-tree portfast bpduguard default
BPDU Guard can be enabled on a port by using the _______________________________ interface configuration command, otherwise use the ______________________________ global configuration command to globally enable BPDU guard on all PortFast-enabled ports.
show spanning-tree summary
To display information about the state of spanning tree, use the __________________________ command
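The PortFast and BPDU guard material above as one configuration, added here as an example (not from the original cards). Interface numbers and the 60-second recovery interval are assumed values.

```cisco
! Added example, not from the original cards: PortFast and BPDU Guard on
! access switch S1. Interface numbers and the recovery interval are
! assumed values.
!
! Global form: PortFast on every non-trunking port, and BPDU Guard on
! every PortFast port. Trunks are excluded automatically, so the uplink
! keeps normal STP behaviour.
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Per-interface form for a port that must stay protected even if the
! global defaults are removed later. Access mode first: PortFast is for
! end-device ports only.
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 exit
!
! Never put PortFast toward another switch. Explicitly opt the uplink out
! so a later "switchport mode access" mistake cannot create a loop.
interface GigabitEthernet0/1
 switchport mode trunk
 spanning-tree portfast disable
 exit
!
! A guarded port that receives a BPDU is error-disabled. Automatic
! recovery after 60 s; if the rogue switch is still attached, the next
! BPDU disables it again, so the syslog messages keep pointing at the
! offending port.
errdisable recovery cause bpduguard
errdisable recovery interval 60
!
! Verification: the global defaults, then the interface-level state (look
! for the portfast mode and "Bpdu guard is enabled" in the detail output).
do show spanning-tree summary
do show running-config interface FastEthernet0/1
do show spanning-tree interface FastEthernet0/1 detail
do show errdisable recovery
```

The global and per-interface forms are complementary: the global default covers ports that are added later, and the explicit interface commands document intent on ports where a misconfiguration would be costly.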