Switch Security Configuration

Flashcards covering switch security configuration topics.

33 Terms

1

Port Security

Limits the number of valid MAC addresses allowed on a port and can control unauthorized network access.

2

switchport port-security

Interface configuration command to enable port security. Can only be configured on manually configured access ports or manually configured trunk ports.

3

show port-security interface

Command to display the current port security settings for a specific interface.

4

switchport port-security maximum value

Command to set the maximum number of MAC addresses allowed on a port.

5

Manually Configured MAC address

Administrator configures a static MAC address using the 'switchport port-security mac-address mac-address' command.

6

Dynamically Learned MAC address

The switch automatically secures the current source MAC address of the device connected to the port, but the address is not added to the running configuration; the port will have to re-learn the device’s MAC address after a reboot.

7

Dynamically Learned – Sticky MAC Address

The administrator can enable the switch to dynamically learn MAC addresses and “stick” them to the running configuration by using the command: Switch(config-if)# switchport port-security mac-address sticky

8

Port Security Aging

Used to set the aging time for static and dynamic secure addresses on a port.

9

switchport port-security aging {static | time time | type {absolute | inactivity}}

Command to enable or disable static aging for the secure port, or to set the aging time or type.

10

Port Security Violation Modes

Action taken when the MAC address of a device attached to a port differs from the list of secure addresses.

11

switchport port-security violation {shutdown | restrict | protect}

Command to set the port security violation mode.

12

err-disabled

Port status when a port has been shut down and no traffic is sent or received.

13

show port-security

Command to display port security settings for the switch.

14

show port-security address

Command to display all secure MAC addresses that are manually configured or dynamically learned on all switch interfaces.

15

VLAN Hopping Attack

Attack launched by spoofing DTP messages, introducing a rogue switch, or using a double-tagging attack.

16

Steps to Mitigate VLAN Hopping Attacks

Disable DTP, disable unused ports, manually enable trunk links, disable DTP on trunking ports, and set the native VLAN to a VLAN other than VLAN 1.

17

DHCP Starvation Attack

The goal is to create a Denial of Service (DoS) for connecting clients.

18

DHCP Spoofing Attack

Attack mitigated by using DHCP snooping on trusted ports.

19

DHCP Snooping

Filters DHCP messages and rate-limits DHCP traffic on untrusted ports.

20

ip dhcp snooping

Global configuration command to enable DHCP snooping.

21

ip dhcp snooping trust

Interface configuration command to designate trusted ports.

22

ip dhcp snooping limit rate

Interface configuration command to limit the number of DHCP discovery messages on untrusted interfaces.

23

ip dhcp snooping vlan

Global configuration command to enable DHCP snooping by VLAN.

24

show ip dhcp snooping

Privileged EXEC command to verify DHCP snooping settings.

25

show ip dhcp snooping binding

Command to view the clients that have received DHCP information.

26

Dynamic ARP Inspection (DAI)

Requires DHCP snooping and helps prevent ARP attacks.

27

DAI Implementation Guidelines

Enable DHCP snooping globally, enable DHCP snooping on selected VLANs, enable DAI on selected VLANs, and configure trusted interfaces.

28

PortFast

Immediately brings a port to the forwarding state from a blocking state, bypassing the listening and learning states. Apply to all end-user access ports.

29

BPDU Guard

Immediately error-disables a port that receives a BPDU. Should only be configured on interfaces attached to end devices.

30

spanning-tree portfast

Interface configuration command to enable PortFast on an interface.

31

spanning-tree portfast default

Global configuration command to enable PortFast on all access ports.

32

spanning-tree bpduguard enable

Interface configuration command to enable BPDU Guard on an interface.

33

spanning-tree portfast bpduguard default

Global configuration command to enable BPDU Guard on all access ports.