Last Updated on June 20, 2021 by Admin 2
300-420 : Designing Cisco Enterprise Networks (ENSLD) : Part 07
Which protocol is used to maintain the contents of the Cisco Express Forwarding (CEF) adjacency table?
- ARP
- RARP
- PING
- INARP
Explanation:
The CEF adjacency table is maintained as each adjacent node is discovered. Link header entries are created and stored in the adjacency table as the information is learned through the ARP protocol.
Cisco Express Forwarding (CEF) is a Layer 3 switching technology based on information contained in the Forwarding Information Base (FIB) and the adjacency table.
The FIB is conceptually equivalent to a routing table in that it contains information used in the packet forwarding decision. The adjacency table contains information about the adjacent route processors. The adjacency table contains the MAC information for the next-hop addresses for all FIB entries. A device is considered adjacent if it is reachable over a single Layer 2 connection. It is stored in DRAM.
The Layer 3 processor engine builds the FIB and adjacency tables in software. That information is distributed from the control-plane hardware to the data-plane hardware Application Specific Integrated Circuits (ASICs) at the port or line card. This enhances the Layer 3 forwarding operation by moving it from the software-based engine to the ASICs. Of course, there are exception packets that are still software-processed, such as non-conforming protocols and datalink encapsulations.
Reverse ARP (RARP) is an obsolete networking protocol used by a host computer to obtain its Internet Protocol (IPv4) address when it knows only its link-layer address, such as an Ethernet address. It has been replaced by DHCP. It is not used to maintain the contents of the Cisco Express Forwarding (CEF) adjacency table.
Inverse ARP (INARP) is used on Frame Relay connections to dynamically learn the DLCI associated with a connection. It is not used to maintain the contents of the Cisco Express Forwarding (CEF) adjacency table.
PING is a diagnostic tool used to test connectivity. It is not used to maintain the contents of the Cisco Express Forwarding (CEF) adjacency table.
Objective:
Layer 2 Technologies
Sub-Objective:
Configure and verify switch administration -
You have executed the following commands on switch A:
[Exhibit: 300-420 Part 07 Q02 050]
What is the result of executing the given commands? (Choose two.)
- Only the listed RADIUS server is used for authentication
- 802.1X authentication is enabled on the Fa0/1 interface only
- The key for the RADIUS server is firstKey111
- AAA is not enabled on the switch
Explanation:
A default list is used for the RADIUS server for authentication and the key for the RADIUS server is firstKey111. A RADIUS server combines the authentication and authorization processes. Before you configure the RADIUS server, you should enable AAA by using the aaa new-model command in the global configuration mode. Then, you can specify the location of the RADIUS server and the key using the radius-server host command. In this case, the RADIUS server is located at the IP address 192.168.105.67 and requires the key firstKey111 as the encryption key. This key must be mutually agreed upon by the server and the clients.
The aaa authentication dot1x default group radius command creates a method list for 802.1X authentication. The default group radius keywords specify that the default method will be to use all listed RADIUS servers to authenticate clients. Since only one is listed, it will be the only one used.
It is incorrect to state that 802.1X authentication is enabled on the Fa0/1 interface only. The interface range Fa 0/1 – 11 and the dot1x port-control auto commands specify that 802.1X authentication is enabled on the interfaces Fa0/1 to Fa0/11.
It is incorrect to state that AAA is not enabled on the switch. The aaa new-model command enables AAA globally on the switch.
Objective:
Infrastructure Security
Sub-Objective:
Describe device security using Cisco IOS AAA with TACACS+ and RADIUS -
DRAG DROP
Match the name of the Layer 2 network attack on the left with the description on the right.
[Exhibit: 300-420 Part 07 Q03 051 Question]
[Exhibit: 300-420 Part 07 Q03 051 Answer]
Explanation:
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify switch security features -
You want to configure your Catalyst 6500 switch to redirect certain IP traffic from VLANs 22 through 33 to the Gigabit Ethernet interface that resides at slot 4, port 1. The IP traffic to be redirected must match an ACL named tn1. Which of the following sets of commands should you issue?
- vlan access-map 22-33
  match ip address tn1
  action redirect gigabitethernet 4/1
  vlan filter tn1
- vlan access-map ge1
  match ip address tn1
  action redirect gigabitethernet 4/1
  vlan filter ge1 vlan-list 22-33
- vlan access-map tn1
  match ip address ge1
  action redirect gigabitethernet 4/1
  vlan filter tn1 vlan-list 22 33
- vlan access-map ge1
  match ip address tn1
  action redirect gigabitethernet 4/1
  vlan filter ge1 vlan-list 22 33
Explanation:
To appropriately configure your Catalyst 6500 switch in this scenario, you should issue the following commands:
Switch(config)# vlan access-map ge1
Switch(config-access-map)# match ip address tn1
Switch(config-access-map)# action redirect gigabitethernet 4/1
Switch(config-access-map)# exit
Switch(config)# vlan filter ge1 vlan-list 22-33
VLAN access control lists (VACLs) are used to control how packets are switched within a virtual local area network (VLAN). To configure a VACL, you should perform the following actions:
- Define the VLAN access map by issuing the vlan access-map command.
- Define the configured ACL that traffic must match for an action to be triggered by issuing the match command; any traffic that does not match the conditions specified by the configured ACL or ACLs is dropped.
- Define the action that will be triggered when traffic matches the configured ACL by issuing the action command.
- Apply the VACL to one or more VLANs by issuing the vlan filter command.
The syntax for the vlan access-map command is vlan access-map map-name [sequence-number], where map-name is the name assigned to the VLAN access map. The optional sequence-number parameter defines the order in which the access map statements are checked. Therefore, the command vlan access-map ge1 creates a VLAN access map named ge1 with no sequence number.
The match command can filter traffic based on IP address, IPX address or Media Access Control (MAC) address. The syntax for the match command is match {ip address {acl-number | acl-name} | ipx address {acl-number | acl-name} | mac address acl-name}, where acl-number and acl-name are the number and name of the access list, respectively. Therefore, the command match ip address tn1 specifies that only traffic that matches ACL tn1 will trigger the action specified in the action command.
The action command configures the VACL to drop, forward, or redirect traffic that matches the access list specified in the match command. The syntax for the action command is action {drop | forward | redirect interface slot/port}. Therefore, the command action redirect gigabitethernet 4/1 will redirect traffic that matches the access list to Gigabit Ethernet interface 4/1.
The syntax for the vlan filter command is vlan filter map-name {vlan-list vlan-list}, where map-name is the name of the VLAN access map and vlan-list is the VLAN or VLANs that should be filtered by the VACL. Therefore, the command vlan filter ge1 vlan-list 22-33 applies the VLAN access map named ge1 to VLANs 22 through 33.
The following command set incorrectly specifies the VLAN access map and filter:
Switch(config)# vlan access-map 22-33
Switch(config-access-map)# match ip address tn1
Switch(config-access-map)# action redirect gigabitethernet 4/1
Switch(config-access-map)# exit
Switch(config)# vlan filter tn1
The following command set incorrectly specifies the VLAN access map and the match statement. This command set is also missing the required hyphen in the list of VLANs specified after the vlan-list keyword:
Switch(config)# vlan access-map tn1
Switch(config-access-map)# match ip address ge1
Switch(config-access-map)# action redirect gigabitethernet 4/1
Switch(config-access-map)# exit
Switch(config)# vlan filter tn1 vlan-list 22 33
The following command set is missing the required hyphen in the list of VLANs specified after the vlan-list keyword:
Switch(config)# vlan access-map ge1
Switch(config-access-map)# match ip address tn1
Switch(config-access-map)# action redirect gigabitethernet 4/1
Switch(config-access-map)# exit
Switch(config)# vlan filter ge1 vlan-list 22 33
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify switch security features -
Which PVLAN port type can only send frames to promiscuous ports?
- private
- promiscuous
- isolated
- community
- public
Explanation:
There are three types of ports in a private VLAN (PVLAN): promiscuous, isolated, and community. A PVLAN isolated port type can only send frames to promiscuous ports.
Consider the following graphic:
[Exhibit: 300-420 Part 07 Q05 052]
Host B is attached to a promiscuous mode port. In this mode, Host B can send and receive frames with other promiscuous, isolated, or community ports assigned to the same private VLAN. Therefore, frames can be exchanged with Hosts A or C. Hosts A and C are attached to isolated ports. Isolated ports are able to send frames to promiscuous ports but not to each other.
Isolated and promiscuous ports can be combined to achieve a desired level of separation between particular machines while still allowing required access to services. As another example, suppose that security policy dictated that Host A and Host C cannot communicate with one another, but both computers needed to access a database on Host B. The isolated ports keep them from communicating with one another, while the use of a promiscuous port to Host B allows them to access the database. Any other resources in the network that either machine needs access to should therefore be connected with a promiscuous port.
The third type of port is a community port. A community port can communicate with other community ports of the same private VLAN or promiscuous ports.
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify switch security features -
Which IOS interface configuration command is required to configure a switch port to be a promiscuous PVLAN access port?
- switchport mode promiscuous
- switchport mode promiscuous-vlan
- switchport mode private-vlan host
- switchport mode private-vlan promiscuous
Explanation:
A promiscuous port type can send frames to all other ports in the same private VLAN (PVLAN). The switchport mode private-vlan promiscuous command configures a port to be a promiscuous port. The syntax is as follows:
switch(config-if)# switchport mode private-vlan promiscuous
There are three types of ports in a private VLAN (PVLAN): promiscuous, isolated, and community. A promiscuous port can send and receive frames with other promiscuous, isolated, or community ports assigned to the same private VLAN. Isolated ports are able to send frames to promiscuous ports, but not to each other. A community port can communicate with other community ports of the same private VLAN or with promiscuous ports.
Private VLANs are supported on switches that allow the configuration of primary and secondary VLANs. A primary VLAN carries the traffic between the promiscuous port and the isolated and community ports assigned to the same primary VLAN. There are two types of secondary VLANs, isolated and community. Isolated VLANs carry traffic from isolated ports to promiscuous ports. Community VLANs carry traffic between community ports and to the promiscuous port. Therefore, on a promiscuous port, you would use the following command syntax to configure its primary and secondary VLANs:
switch(config-if)# private-vlan mapping primary_vlan_id secondary_vlan_id
PVLANs are created using the following special VLAN configuration commands:
switch(config)# vlan vlan_id
switch(config-vlan)# private-vlan [primary | isolated | community]
switch(config-vlan)# private-vlan association secondary_vlan_list
Host ports are defined using the following special PVLAN configuration command:
switch(config-if)# switchport mode private-vlan host
The command used for isolated and community ports is as follows:
switch(config-if)# switchport mode private-vlan host-association primary_vlan_id secondary_vlan_id
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify switch security features -
As the network administrator, you have enabled port security on the Fa0/1 port of a switch. Fa0/1 is not a trunk port. You have configured the port security so that the MAC addresses 1111.1111.1111 and 2222.2222.2222 are allowed to connect to the switch port. Which of the following commands were required to configure the port security so that only the MAC addresses 1111.1111.1111 and 2222.2222.2222 are allowed to connect to the switch port? (Choose all that apply.)
- switchport mode trunk
- switchport port-security
- switchport mode access
- switchport port-security maximum 2
- switchport port-security maximum 3
Explanation:
The following commands were executed on the switch port:
switchport mode access
switchport port-security
switchport port-security maximum 2
The switchport mode access command configures the switch port as an access port. The switchport port-security command enables port security on the switch port. The switchport port-security maximum 2 command specifies that at most two MAC addresses can be connected to the switch port.
The complete set of commands that were executed on the Fa0/1 port of the switch is as follows:
[Exhibit: 300-420 Part 07 Q07 053]
It is not required that the switchport port-security aging command be executed. This command can be used to specify the duration for which all addresses are secured.
The switchport port-security maximum 3 command was not executed on the switch port. This command specifies that three MAC addresses can be allowed on that switch port, instead of only two secure MAC addresses.
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify switch security features -
Which type of network attack takes advantage of the Dynamic Trunking Protocol (DTP)?
- VLAN hopping
- MAC flooding
- DHCP spoofing
- Rogue access points
Explanation:
VLAN hopping is an attack designed to gain unauthorized access to a VLAN by using DTP to negotiate a trunk link with another switch. If a switch port configured as DTP auto were to receive a fake DTP packet, it might become a trunk port and begin accepting traffic destined for any VLAN. Therefore, a malicious user could start communicating with other VLANs through that compromised port.
A MAC flooding attack does not use DTP as a part of its operation. This attack floods the switch with fake MAC addresses until the MAC table is full. When this happens, the switch starts sending all frames out all ports, allowing the hacker to capture data from all ports.
DHCP snooping does not use DTP as a part of its operation. It is not an attack but a security measure. DHCP snooping filters untrusted DHCP messages using a DHCP snooping binding database. A DHCP snooping binding database is also referred to as a DHCP snooping binding table. This can be used to prevent a rogue DHCP server from assigning configuration information to clients.
Rogue access points do not use DTP as a part of their operation. These are unauthorized access points connected to an open switch port or wall outlet for the purpose of gaining access to the wired network wirelessly.
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify switch security features -
What command should be used to view the private VLANs configured on ports and the private VLAN mappings?
- show vlan brief
- show pvlan
- show interfaces switchport
- show mac-address-table
Explanation:
The command show interfaces switchport is used to verify private VLANs configured on ports and the private VLAN mappings. The following is a sample of the output:
[Exhibit: 300-420 Part 07 Q09 054]
This output reveals that Fa3/1 is a promiscuous port in private VLAN (PVLAN) 20. PVLAN 20 is a member of the primary VLAN 200. Since this is a promiscuous port, it is able to exchange information with all other PVLANs associated with VLAN 200.
The show vlan brief command is only used to view the VLANs that exist and the ports that are members of them. No information about PVLANs and member association is included.
The show mac-address-table command is used to view the MAC addresses stored in the switch's memory and the port and VLAN they are members of. No information about PVLANs is included in this output.
The command show pvlan is incorrect due to invalid syntax.
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify switch security features -
What is accomplished by the command switchport port-security violation protect?
- The switch will generate a log message but will not block any packets
- The switch will drop packets that are in violation and generate a log message
- The switch will drop packets that are in violation, but not generate a log message
- The switch will shut down the interface when packets in violation are detected
Explanation:
The command switchport port-security violation protect will cause the switch to drop packets that are in violation, but does not generate a log message. The complete syntax of the command is:
switch(config-if)# switchport port-security violation protect
The port-security command is used to lock a port to specific MAC addresses. Port security can be used to limit access to a port by MAC address. It can be applied to:
- access ports
- VoIP ports
- ports where multiple MAC addresses are expected, such as a port connecting to a hub
It cannot be applied to trunk ports or to ports that are part of an EtherChannel.
Three keywords can be used with this command: protect, restrict and shutdown. The restrict keyword tells the port to drop packets and generate a log message for packets that are in violation. The protect keyword tells the port to drop packets without generating a log message for packets that are in violation. The shutdown keyword causes the port to be placed into the errdisable state if a violation is detected.
The following configuration, generated from a partial output of the show run command, would apply port security to the Fa0/1 interface. It would allow five addresses to access the interface at a time. This count includes addresses that have been seen by the port but are currently inactive. Therefore, if five addresses have been seen and three are inactive, then a sixth address would not be allowed. If the port security maximum command has not been issued, the default behavior will only allow one address on the port.
The aging command can be used to force inactive addresses to be dropped from the list of addresses seen, thereby allowing active addresses access to the port.
[Exhibit: 300-420 Part 07 Q10 055]
The above configuration also includes a static entry for the MAC address 0006.0006.0006. This means that this address is always in the list, and so in effect, this configuration leaves only four other dynamic MAC addresses that can connect at a time.
There is no option to generate a log message but not block any packets.
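As an added illustration that is not part of the original explanation and not Cisco code, the following Python model applies the counting and violation rules described above: a maximum of five with one static entry leaves four dynamic slots, inactive addresses keep counting until aging removes them, and protect drops silently while restrict logs and shutdown err-disables the port. MAC addresses and timings are constructed sample values.

```python
"""Model of Cisco port-security address counting and violation handling.

Added illustration, not Cisco code. It follows the behaviour the explanation
above describes: a maximum number of secure addresses, a static entry that
permanently occupies one slot, dynamic addresses that keep counting while
inactive until aging removes them, and the protect / restrict / shutdown
violation actions. MAC addresses and timings are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class SecurePort:
    maximum: int = 1                  # port-security maximum; IOS default is 1
    violation: str = "shutdown"       # protect | restrict | shutdown (IOS default)
    aging_time: Optional[int] = None  # minutes of inactivity before a dynamic entry ages out
    static: Set[str] = field(default_factory=set)          # statically configured secure MACs
    dynamic: Dict[str, int] = field(default_factory=dict)  # learned MAC -> last-seen minute
    err_disabled: bool = False
    violations: int = 0
    syslog: List[str] = field(default_factory=list)

    def secure_count(self) -> int:
        """Static and dynamic entries both consume slots of the configured maximum."""
        return len(self.static) + len(self.dynamic)

    def age(self, now: int) -> None:
        """Remove dynamic entries idle for at least aging_time minutes (no-op without aging)."""
        if self.aging_time is None:
            return
        for mac, last_seen in list(self.dynamic.items()):
            if now - last_seen >= self.aging_time:
                del self.dynamic[mac]

    def frame(self, src_mac: str, now: int) -> str:
        """Handle an ingress frame; returns 'forward', 'drop' or 'err-disabled'."""
        if self.err_disabled:
            return "err-disabled"        # shutdown mode already tripped: port stays down
        self.age(now)
        if src_mac in self.static:
            return "forward"
        if src_mac in self.dynamic:
            self.dynamic[src_mac] = now  # refresh activity for aging purposes
            return "forward"
        if self.secure_count() < self.maximum:
            self.dynamic[src_mac] = now  # free slot: learn it as a dynamic secure address
            return "forward"
        # No free slot and the address is not secured: this is a violation.
        self.violations += 1
        if self.violation == "protect":
            return "drop"                # dropped silently, nothing logged
        if self.violation == "restrict":
            self.syslog.append(f"PORT_SECURITY: violation from {src_mac}")
            return "drop"
        self.err_disabled = True         # shutdown: interface goes to errdisable
        self.syslog.append(f"PORT_SECURITY: port err-disabled after {src_mac}")
        return "err-disabled"


def protect_scenario() -> dict:
    """Maximum 5 with one static entry: only four dynamic addresses fit, as explained above."""
    port = SecurePort(maximum=5, violation="protect", aging_time=10, static={"0006.0006.0006"})
    hosts = ["0001.0001.0001", "0002.0002.0002", "0003.0003.0003", "0004.0004.0004"]
    learned = [port.frame(mac, now=0) for mac in hosts]
    fifth_at_t1 = port.frame("0005.0005.0005", now=1)    # all five slots used: violation
    fifth_at_t5 = port.frame("0005.0005.0005", now=5)    # inactive entries still count
    fifth_at_t10 = port.frame("0005.0005.0005", now=10)  # aging freed the idle slots
    return {
        "learned": learned,
        "fifth_at_t1": fifth_at_t1,
        "fifth_at_t5": fifth_at_t5,
        "fifth_at_t10": fifth_at_t10,
        "violations": port.violations,
        "syslog": port.syslog,
    }
```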
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify switch security features -
What Cisco Catalyst switch feature can be used to define ports as trusted for DHCP server connections?
- DHCP snooping
- port security
- 802.1x
- private VLANs
Explanation:
DHCP snooping is used to define ports as trusted for DHCP server connections. The purpose of DHCP snooping is to mitigate DHCP spoofing attacks. DHCP spoofing is an attack that can be used to force user traffic through an attacking device. This is accomplished by an attacker responding to DHCP queries from users. Eliminating the response from the correct DHCP server would make this more effective, but if the attacker’s response gets to the client first, the client will accept it.
The DHCP response from the attacker will include a different gateway or DNS server address. If they define a different gateway, the user traffic will be forced to travel through a device controlled by the attacker. This will allow the attacker to capture traffic and gain company information. If the attacker changes the DNS server in the response, they can use their own DNS server to force traffic to selected hosts to go to a device they control. Again, this would allow the attacker to capture traffic and gain information.
DHCP snooping can be used to determine what ports are able to send DHCP server packets, such as DHCPOFFER, DHCPACK, and DHCPNAK, from the company DHCP server. DHCP snooping can also cache the MAC address to IP address mapping for clients receiving DHCP addresses from a valid DHCP server.
The three required steps to implement DHCP snooping are:
1. Enable DHCP snooping globally with the ip dhcp snooping command:
switch(config)# ip dhcp snooping
2. Enable DHCP snooping for a VLAN with the vlan parameter:
switch(config)# ip dhcp snooping vlan vlan_id (for example, ip dhcp snooping vlan 10 12 specifies snooping on VLANs 10 and 12)
3. Define an interface as a trusted DHCP port with the trust parameter:
switch(config-if)# ip dhcp snooping trust
When specifying trusted ports, access ports on edge switches should be configured as untrusted, with the exception of any ports that may have company DHCP servers connected. Only ports where DHCP traffic is expected should be trusted. Most certainly, ports in any area of the network where attacks have been detected should be configured as untrusted.
Some additional parameters that can be used with the ip dhcp snooping command are:
switch(config)# ip dhcp snooping verify mac-address – this command enables DHCP MAC address verification.
switch(config)# ip dhcp snooping information option allow-untrusted – this command enables untrusted ports to accept incoming DHCP packets with option 82 information. DHCP option 82 is used to identify the location of a DHCP relay agent operating on a subnet remote to the DHCP server. When DHCP snooping is enabled, no other relay agent-related commands are available. The disabled commands include:
- ip dhcp relay information check global configuration command
- ip dhcp relay information policy global configuration command
- ip dhcp relay information trust-all global configuration command
- ip dhcp relay information option global configuration command
- ip dhcp relay information trusted interface configuration command
DHCP Authorized ARP can also be used to mitigate DHCP spoofing. When implemented, the server assigns an IP address to a client and then creates a static mapping. The DHCP server then sends periodic ARPs to clients to make sure that the clients are still active. Clients respond with an ARP reply. Unauthorized clients cannot respond to these periodic ARPs. The unauthorized ARP responses are blocked at the DHCP server.
Private VLANs are a method of protecting or isolating different devices on the same port and VLAN. A VLAN can be divided into private VLANs, where some devices are able to access other devices and some are completely isolated from others. This was designed so service providers could keep customers on the same port isolated from each other, even if the customers had the same Layer 3 networks.
Port security is a method of only permitting specified MAC addresses access to a switch port. This can be used to define what computer or device can be connected to a port, but not to limit which ports can have DHCP servers connected to them.
802.1x is a method of determining authentication before permitting access to a switch port. This is useful in restricting who can connect to the switch, but it cannot control which ports are permitted to have a DHCP server attached to it.
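As an added illustration that is not part of the original explanation and not Cisco code, the following Python model applies the DHCP snooping rules described above (server messages accepted only on trusted ports, the binding table filled from DHCPACKs, optional MAC verification) and then uses that binding table for the ARP check that Dynamic ARP Inspection performs, as covered in the last question on this page. Ports, MACs and addresses are constructed sample values.

```python
"""Model of DHCP snooping filtering, binding-table population and DAI checks.

Added illustration, not Cisco code. It applies the rules described in the
explanation above: server messages (DHCPOFFER/DHCPACK/DHCPNAK) are accepted
only on trusted ports, a DHCPACK arriving through a trusted port records a
MAC-to-IP binding for the client's port, and optional MAC verification drops
client messages whose frame source does not match the DHCP client hardware
address (chaddr). The arp() check consults the binding table the way Dynamic
ARP Inspection does. All ports, MACs and addresses are constructed values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}
CLIENT_MESSAGES = {"DHCPDISCOVER", "DHCPREQUEST"}


@dataclass
class SnoopingSwitch:
    snooping_vlans: Set[int]          # VLANs enabled with ip dhcp snooping vlan ...
    trusted_ports: Set[str]           # ports configured with ip dhcp snooping trust
    verify_mac: bool = False          # ip dhcp snooping verify mac-address
    # binding table: (vlan, ip) -> (client mac, client port)
    bindings: Dict[Tuple[int, str], Tuple[str, str]] = field(default_factory=dict)
    client_ports: Dict[str, str] = field(default_factory=dict)  # chaddr -> requesting port
    dropped: List[str] = field(default_factory=list)

    def dhcp(self, msg: str, vlan: int, port: str, src_mac: str,
             chaddr: str, yiaddr: Optional[str] = None) -> bool:
        """Return True if the DHCP message is forwarded, False if snooping drops it."""
        if vlan not in self.snooping_vlans:
            return True  # snooping not enabled on this VLAN: nothing is inspected
        trusted = port in self.trusted_ports
        if msg in SERVER_MESSAGES and not trusted:
            self.dropped.append(f"{msg} from untrusted {port} (rogue server)")
            return False
        if msg in CLIENT_MESSAGES and not trusted:
            if self.verify_mac and src_mac != chaddr:
                self.dropped.append(f"{msg} on {port}: source {src_mac} != chaddr {chaddr}")
                return False
            self.client_ports[chaddr] = port  # remember which port the client is on
        if msg == "DHCPACK" and yiaddr and chaddr in self.client_ports:
            self.bindings[(vlan, yiaddr)] = (chaddr, self.client_ports[chaddr])
        return True

    def arp(self, vlan: int, port: str, sender_mac: str, sender_ip: str) -> bool:
        """DAI decision: trusted ports bypass; untrusted senders must match a binding."""
        if port in self.trusted_ports:
            return True
        binding = self.bindings.get((vlan, sender_ip))
        if binding == (sender_mac, port):
            return True
        self.dropped.append(f"ARP on {port}: {sender_mac}/{sender_ip} has no valid binding")
        return False


def demo() -> dict:
    """Walk one client through DHCP, then test legitimate and spoofed ARP."""
    sw = SnoopingSwitch(snooping_vlans={10, 12}, trusted_ports={"Gi1/0/24"}, verify_mac=True)
    client = "aaaa.aaaa.0001"
    results = {
        "discover": sw.dhcp("DHCPDISCOVER", 10, "Fa0/1", client, client),
        "rogue_offer": sw.dhcp("DHCPOFFER", 10, "Fa0/2", "bbbb.bbbb.0002", client, "10.0.10.9"),
        "real_offer": sw.dhcp("DHCPOFFER", 10, "Gi1/0/24", "cccc.cccc.0003", client, "10.0.10.50"),
        "request": sw.dhcp("DHCPREQUEST", 10, "Fa0/1", client, client),
        "ack": sw.dhcp("DHCPACK", 10, "Gi1/0/24", "cccc.cccc.0003", client, "10.0.10.50"),
        "forged_chaddr": sw.dhcp("DHCPDISCOVER", 10, "Fa0/3", "dddd.dddd.0004", "eeee.eeee.0005"),
        "unsnooped_vlan": sw.dhcp("DHCPOFFER", 20, "Fa0/5", "bbbb.bbbb.0002", client, "10.0.20.9"),
    }
    results["arp_ok"] = sw.arp(10, "Fa0/1", client, "10.0.10.50")
    results["arp_spoof"] = sw.arp(10, "Fa0/2", "bbbb.bbbb.0002", "10.0.10.50")
    results["arp_trusted"] = sw.arp(10, "Gi1/0/24", "cccc.cccc.0003", "10.0.10.1")
    results["binding"] = sw.bindings.get((10, "10.0.10.50"))
    results["dropped"] = len(sw.dropped)
    return results
```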
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify switch security features -
Which IOS configuration command is required to configure a VLAN as a private VLAN?
- switch(config-vlan)# private-vlan common
- switch(config-vlan)# private-vlan private
- switch(config-vlan)# private-vlan primary
- switch(config-vlan)# private-vlan transparent
Explanation:
Private VLANs (PVLANs) are created using the following special VLAN configuration commands:
switch(config)# vlan vlan_id
switch(config-vlan)# private-vlan [primary | isolated | community]
switch(config-vlan)# private-vlan association secondary_vlan_list
There are three types of ports in a PVLAN: promiscuous, isolated, and community. A promiscuous port can send and receive frames with other promiscuous, isolated, or community ports assigned to the same private VLAN. The interface on the switch that is the default gateway for the segment should be a promiscuous port. Isolated ports are able to send frames to promiscuous ports, but not to each other. A community port can communicate with other community ports of the same private VLAN or with promiscuous ports.
Private VLANs are supported on switches that allow the configuration of primary and secondary VLANs. A primary VLAN carries the traffic between the promiscuous port and the isolated and community ports assigned to the same primary VLAN. There are two types of secondary VLANs: isolated and community. Isolated VLANs carry traffic from isolated ports to promiscuous ports. Community VLANs carry traffic between community ports and to the promiscuous port.
Ports are defined using the following special PVLAN configuration command:
switch(config-if)# switchport mode private-vlan [promiscuous | host]
The command used for isolated and community ports is as follows:
switch(config-if)# switchport mode private-vlan host-association primary_vlan_id secondary_vlan_id
The following command syntax is used to configure a promiscuous port’s primary and secondary VLANs:
switch(config-if)# private-vlan mapping primary_vlan_id secondary_vlan_id
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify switch security features -
What command should be used to view the private VLANs configured on ports and the private VLAN mappings?
- show vlan brief
- show pvlan
- show interfaces switchport
- show mac-address-table
Explanation:
The command show interfaces switchport is used to verify private VLANs configured on ports and the private VLAN mappings. The following is a sample of the output:
[Exhibit: 300-420 Part 07 Q13 056]
This output reveals that Fa3/1 is a promiscuous port in private VLAN (PVLAN) 20. PVLAN 20 is a member of the primary VLAN 200. Since this is a promiscuous port, it is able to exchange information with all other PVLANs associated with VLAN 200.
The show vlan brief command is only used to view the VLANs that exist and the ports that are members of them. No information about PVLANs and member association is included.
The show mac-address-table command is used to view the MAC addresses stored in the switch's memory and the port and VLAN they are members of. No information about PVLANs is included in this output.
The command show pvlan is incorrect due to invalid syntax.
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify switch security features -
Which PVLAN port types can send frames through a switch to community and promiscuous ports? (Choose two.)
- public
- private
- isolated
- community
- promiscuous
Explanation:
Community ports and promiscuous ports can send frames to other community ports and promiscuous ports in the same private VLAN.
There are three types of ports in a private VLAN (PVLAN): promiscuous, isolated, and community. A PVLAN community port (a port in the same VLAN) and promiscuous ports (a port that can forward to all interfaces, including the isolated and community ports within a PVLAN) can send traffic to other community or promiscuous ports.
Isolated ports are able to send frames to promiscuous ports, but not to other isolated ports.
A community port can communicate with other community ports in the same private VLAN or with promiscuous ports.
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify switch security features -
What command produced the output in the exhibit?
[Exhibit: 300-420 Part 07 Q15 057]
- show port-security interface
- show vlan private-vlan type
- show port-security
- show ip dhcp snooping
Explanation:
The exhibit displays the output of the show port-security command. This command is useful in verifying the reaction set for packets in violation. In the exhibit, Fa5/1 is configured to shut down if a violating packet is received. Port Fa5/5 is configured to drop violating packets, and port Fa5/11 is configured to drop packets and generate a log message.
The output also indicates the number of secure MAC addresses permitted on each interface, the number of secure MAC addresses currently in use on the port, and how many security violations have already occurred.
The show port-security interface command shows the port security configuration on the specified interface. Below is an example of that command output:
[Exhibit: 300-420 Part 07 Q15 058]
In the above example, seven MAC addresses are allowed on this interface. It can be seen that seven are now connected. Therefore, if one more user connects to the hub or switch that is connected to this port, the port will be placed into the err-disabled state and an SNMP trap message will be sent.
The show vlan private-vlan type command displays the private VLANs on the switch and whether they are primary, isolated, or community VLANs. An example of the command output is below:
[Exhibit: 300-420 Part 07 Q15 059]
In the output, VLAN 202 carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN. VLAN 303 carries traffic from isolated ports to a promiscuous port.
The show ip dhcp snooping command displays whether DHCP snooping is enabled, what VLANs it is configured for, and what ports are trusted DHCP ports. An example output is below.
[Exhibit: 300-420 Part 07 Q15 060]
The show ip dhcp snooping command output indicates that:
- The switch is defending against a DHCP spoofing attack (indicated by lines 2 and 3)
- Two ports are trusted and one is not (shown in the bottom table)
- Option 82 (relay agent information) is only allowed on trusted ports (indicated by lines 4 and 5)
- ARP spoofing is being monitored (indicated by line 6)
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify switch security features -
What attack technique uses double VLAN tagging to access network devices that might not otherwise be accessible?
- VLAN hopping
- DHCP spoofing
- Rogue devices
- MAC flooding
Explanation:
Double VLAN tagging is used by a VLAN hopping attack. An attacker can create a packet with two VLAN headers on it and send it to a switch. The switch port will strip off the first header and leave the second. The second header will be seen as the originating VLAN, allowing the attacker access to a VLAN they are not connected to. This becomes a security concern because this hopping can be accomplished without passing through a router and its security access lists. For this reason, private VLANs and VACLs should be used to secure access between VLANs.
DHCP spoofing is an attack that can be used to force user traffic through an attacking device. This is accomplished by an attacker responding to DHCP queries from users. Eliminating the response from the correct DHCP server would make this more effective, but if the attacker’s response gets to the client first, the client will accept it. The DHCP response from the attacker will include a different gateway or DNS server address. If they define a different gateway, the user traffic will be forced to travel through a device controlled by the attacker. This will allow the attacker to capture traffic and gain company information. If the attacker changes the DNS server in the response, they can use their own DNS server to force traffic to selected hosts to go to a device they control. Again, this would allow the attacker to capture traffic and gain information.
MAC flooding is an attack technique that attempts to fill a switch’s MAC address table so the attacker can capture flooded traffic sent from the switch. The concept of this attack is to use the CAM table limit to the attacker’s advantage. The attacker would send packets addressed from a large number of MAC addresses to the switch. The switch adds the source MAC address to the MAC address table. Eventually no more MAC addresses can be added because the table is full. When this occurs, any packets destined for a MAC address not in the table will be flooded to all other ports. This would allow the attacker to see the flooded traffic and capture information. The switch would be essentially functioning as a hub in this case.
A rogue device is a device attached to the network that is not under the control of the organization. This term is normally used to mean a wireless device, perhaps an access point that is not operating as a part of the company’s infrastructure. Employees may bring their own access points and connect them to the network so they can use their computer wirelessly. This creates a security gap since the device is probably not secured to protect the traffic. An attacker could connect a rogue access point to a company’s network and capture traffic from outside the company’s premises.
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify switch security features -
What Cisco switch features are designed to work together to mitigate ARP spoofing attacks? (Choose two.)
- DHCP snooping
- port security
- 802.1x
- DAI
Explanation:
Dynamic ARP inspection (DAI) and DHCP snooping are Cisco features designed to work together to mitigate ARP spoofing attacks. DAI validates ARP packets in a network. DAI determines the validity of an ARP packet based on the valid MAC address-to-IP-address bindings stored in the DHCP snooping database. This capability protects the network from some man-in-the-middle attacks. The following global configuration command instructs the switch to intercept, log, and discard packets with invalid IP-to-MAC address bindings for the specified VLANs.
switch(config)# ip arp inspection vlan 10-12,15
When configuring DAI, ports are configured as either trusted or untrusted. DAI forwards all packets received on a trusted interface without checks but intercepts all packets on an untrusted port.
DHCP snooping creates an IP address to MAC address database that DAI uses to validate ARP packets. It compares the MAC address and IP address in ARP packets and only permits the traffic if the addresses match. This eliminates attackers spoofing MAC addresses. The following command enables DHCP MAC address verification:
router(config)# ip dhcp snooping verify mac-address
DHCP Authorized ARP can also be used to mitigate ARP spoofing. When implemented, the server assigns an IP address to a client and then creates a static mapping. The DHCP server then sends periodic ARPs to clients to make sure that the clients are still active. Clients respond with an ARP reply. Unauthorized clients cannot respond to these periodic ARPs. The unauthorized ARP responses are blocked at the DHCP server.
DHCP snooping also is used to define ports as trusted for DHCP server connections. The purpose of DHCP snooping is to mitigate DHCP spoofing attacks. DHCP snooping can be used to determine what ports are able to send DHCP server packets such as DHCPOFFER, DHCPACK, and DHCPNAK. DHCP snooping can also cache the MAC address to IP address mapping for clients receiving DHCP addresses from a valid DHCP server.
Port security is a method of only permitting specified MAC addresses access to a switch port. This can be used to define what computer or device can be connected to a port, but not eliminate ARP spoofing.
802.1x is a method of determining authentication before permitting access to a switch port. This is useful in restricting who can connect to the switch; it does not inspect ARP packets.
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify switch security features -
What command would be used to verify trusted DHCP ports?
- show mls qos
- show ip dhcp snooping
- show ip trust
- show ip arp trust
Explanation:
The command show ip dhcp snooping is used to verify trusted DHCP ports. This command is used to verify which ports are intended to have DHCP servers connected to them. DHCP snooping creates an IP address to MAC address database that Dynamic ARP Inspection (DAI) uses to validate ARP packets. It compares the MAC address and IP address in ARP packets and only permits the traffic if the addresses match. This eliminates attackers that are spoofing MAC addresses.
DHCP snooping is used to define ports as trusted for DHCP server connections. The purpose of DHCP snooping is to mitigate DHCP spoofing attacks. DHCP snooping can be used to determine what ports are able to send DHCP server packets, such as DHCPOFFER, DHCPACK, and DHCPNAK. DHCP snooping can also cache the MAC address to IP address mapping for clients receiving DHCP addresses from a valid DHCP server.
MLS QOS has no bearing on DHCP services, so show mls qos is not correct.
The other commands are incorrect because of invalid syntax.
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify switch security features -
What switch security configuration requires AAA to be configured on the switch?
- VACL
- 802.1x
- Private VLAN
- port security
Explanation:
802.1x requires AAA to be configured on the switch. 802.1x uses AAA authentication to control access to the port.
The overall steps required to configure a switch for 802.1x are:
Enable AAA on the switch.
Define the external RADIUS server(s) and the key to be used for encryption.
Define the authentication method.
Enable 802.1x on the switch.
Configure each switch port that will use 802.1x.
Optionally allow multiple hosts on the switch port.
Objective:
Infrastructure Security
Sub-Objective:
Describe device security using Cisco IOS AAA with TACACS+ and RADIUS -
Which protocol provides port-based access control and authentication?
- 802.1X
- 802.1W
- 802.1P
- 802.1Q
Explanation:
IEEE 802.1X provides port-based access control and authentication.
IEEE 802.1X is a client-server based access control model. If IEEE 802.1X is enabled on a switch interface, the interface is in an unauthorized state until it is authenticated. Until the station is authenticated, the only protocols allowed through switch ports are:
CDP
STP
EAP-over-LAN (EAPOL is the only type of traffic accepted from a station)
The supplicant PAE sends EAPOL packets that indicate its request for access through the switch to the LAN. The switch performs the authenticator role by processing the EAPOL packets from the port-attached supplicant PAE and forwarding an authentication request to the authentication server. The only supported authentication server is a Remote Authentication Dial-In User Service (RADIUS) server with EAP extensions. The authentication server checks the identity of the client (the supplicant PAE) and will either accept or reject the request. If the server accepts the request, the port is authorized and the switch will send and receive all frames. If it fails, only EAPOL packets will continue to be processed. Once the client is finished with the connection, an EAPOL logoff is issued, and the switch port once again becomes unauthorized.
Below is a sample configuration to enable 802.1X authentication and enable it on an interface:
switch(config)# aaa new-model
switch(config)# aaa authentication dot1x default group radius
switch(config)# dot1x system-auth-control
switch(config-if)# dot1x port-control auto
802.1w is the standard for Rapid Spanning Tree Protocol (RSTP). It is not related to port-based access control and authentication.
802.1P is a method for assigning priority to packets traversing a network. It is not related to port-based access control and authentication.
802.1Q describes VLAN tagging. It is not related to port-based access control and authentication.
Objective:
Infrastructure Security
Sub-Objective:
Describe device security using Cisco IOS AAA with TACACS+ and RADIUS -
What command produces the output in the exhibit?
[Exhibit: 300-420 Part 07 Q21 061]
- show port-security interface
- show vlan private-vlan type
- show port-security
- show ip dhcp snooping
Explanation:
The exhibit displays the output of the show port-security command. This command is useful in verifying the reaction set for packets in violation. In the exhibit, Fa5/1 is configured to shut down if a violating packet is received. Port Fa5/5 is configured to drop violating packets and port Fa5/11 is configured to drop packets and generate a log message.
The output also indicates the number of secure MAC addresses permitted on each interface, the number of secure MAC addresses currently in use on the port, and how many security violations there have been.
The show port-security interface command shows the port security configuration on the specified interface. Below is an example of the command and its output:
[Exhibit: 300-420 Part 07 Q21 062]
In the example, seven MAC addresses are allowed on this interface. It can be seen that seven are now connected. Therefore, if one more user connects to the hub or switch connected to this port, the port will be placed into the err-disabled state and an SNMP trap message will be sent.
The show vlan private-vlan type command displays the private VLANs on the switch and indicates whether they are primary, isolated, or community VLANs. An example of the output is below:
[Exhibit: 300-420 Part 07 Q21 063]
In the output, VLAN 202 carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN. VLAN 303 carries traffic from isolated ports to a promiscuous port.
The show ip dhcp snooping command displays whether DHCP snooping is enabled, what VLANs it is configured for, and what ports are trusted DHCP ports. An example of the output is below:
[Exhibit: 300-420 Part 07 Q21 064]
The output indicates that:
The switch is defending against a DHCP spoofing attack (indicated by lines 2 and 3)
Two ports are trusted and one is not (shown in bottom table)
Option 82 (relay agent information) is only allowed on trusted ports (indicated by lines 4 and 5)
ARP spoofing is being monitored (indicated by line 6)
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify switch security features -
What Cisco Catalyst switch feature is designed to inspect ARP packets and mitigate ARP spoofing attacks?
- DHCP snooping
- port security
- 802.1x
- DAI
Explanation:
ARP spoofing attacks are attempts to redirect traffic to an attacking host by sending an ARP message with a forged identity to a transmitting host. Dynamic ARP inspection (DAI) is a Cisco feature designed to inspect ARP packets and mitigate spoofing attacks. It works in combination with DHCP snooping. DHCP snooping creates an IP address to MAC address database that DAI uses to validate ARP packets. It compares the MAC address and IP address in ARP packets and only permits the traffic if the addresses match. This eliminates attackers from spoofing MAC addresses. Characteristics of DAI include:
DAI can only be performed on ingress ports
DAI is supported on access ports, trunk ports, Etherchannel ports, and private VLAN ports
DAI should be configured on all access switch ports as untrusted, and on all switch ports connected to other switches as trusted
An interface can be configured as trusted by using the ip arp inspection trust command. Consider the configuration shown below. If an ARP spoof attack arrives on interface Fa0/2, it will not be inspected because the port is set as trusted, and the spoof packets will be allowed.
<output omitted>
ip arp inspection vlan 5
interface fastethernet 0/2
 switchport mode trunk
 switchport trunk encapsulation dot1q
 ip arp inspection trust
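The interplay between DHCP snooping and DAI, as described in the "work together to mitigate ARP spoofing" question earlier and in the trusted/untrusted discussion just above, as an added Python model that is not Cisco code and not part of the original question set. It shows the three checks the text names: server messages (DHCPOFFER/DHCPACK/DHCPNAK) accepted only from trusted ports, the `ip dhcp snooping verify mac-address` comparison of a client packet's chaddr against the frame's source MAC, and DAI validating ARP sender bindings on untrusted ports while passing trusted ports uninspected. Port names, VLAN numbers, MAC and IP addresses are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class SnoopingSwitch:
    """Constructed model of DHCP snooping plus DAI on one switch (not Cisco code)."""
    trusted_ports: set = field(default_factory=set)
    dai_vlans: set = field(default_factory=set)          # VLANs under 'ip arp inspection vlan'
    verify_mac: bool = True                              # 'ip dhcp snooping verify mac-address'
    bindings: dict = field(default_factory=dict)         # (vlan, ip) -> client MAC
    log: list = field(default_factory=list)

    SERVER_MSGS = frozenset({"DHCPOFFER", "DHCPACK", "DHCPNAK"})

    def dhcp_packet(self, port, vlan, msg_type, frame_src_mac, chaddr, yiaddr=None):
        """Return True if DHCP snooping forwards the packet, False if it drops it."""
        trusted = port in self.trusted_ports
        if msg_type in self.SERVER_MSGS:
            if not trusted:
                # a DHCP server answering from an untrusted port is a rogue server
                self.log.append(f"{port}: dropped {msg_type} from untrusted port")
                return False
            if msg_type == "DHCPACK":
                # a completed lease becomes an IP-to-MAC binding DAI can consult
                self.bindings[(vlan, yiaddr)] = chaddr.lower()
            return True
        # client messages (DISCOVER/REQUEST/RELEASE): optional chaddr check on untrusted ports
        if not trusted and self.verify_mac and frame_src_mac.lower() != chaddr.lower():
            self.log.append(f"{port}: dropped {msg_type}, chaddr {chaddr} != source MAC {frame_src_mac}")
            return False
        return True

    def arp_packet(self, port, vlan, sender_mac, sender_ip):
        """DAI: trusted ports and non-inspected VLANs pass; untrusted ports need a matching binding."""
        if vlan not in self.dai_vlans or port in self.trusted_ports:
            return True
        if self.bindings.get((vlan, sender_ip)) != sender_mac.lower():
            self.log.append(f"{port}: DAI dropped ARP claiming {sender_ip} is at {sender_mac}")
            return False
        return True


def demo_dai():
    """Constructed scenario: DHCP server on trusted Gi0/1, clients on untrusted Fa0/2 and Fa0/3."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"}, dai_vlans={5})
    client, server, other = "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:03"
    r = {}
    r["discover"] = sw.dhcp_packet("Fa0/2", 5, "DHCPDISCOVER", client, client)
    r["ack"] = sw.dhcp_packet("Gi0/1", 5, "DHCPACK", server, client, yiaddr="10.0.5.20")
    r["rogue_offer"] = sw.dhcp_packet("Fa0/3", 5, "DHCPOFFER", other, client, yiaddr="10.0.5.20")
    r["bad_chaddr"] = sw.dhcp_packet("Fa0/3", 5, "DHCPDISCOVER", other, "aa:bb:cc:00:00:99")
    r["arp_ok"] = sw.arp_packet("Fa0/2", 5, client, "10.0.5.20")       # matches the binding
    r["arp_spoof"] = sw.arp_packet("Fa0/3", 5, other, "10.0.5.20")     # claims the client's IP
    r["arp_trusted"] = sw.arp_packet("Gi0/1", 5, other, "10.0.5.20")   # trusted: not inspected
    r["arp_other_vlan"] = sw.arp_packet("Fa0/3", 7, other, "10.0.5.20")  # VLAN 7 not under DAI
    return r, sw.log
```

The `arp_trusted` case is the point the configuration above makes: the same forged binding that DAI drops on Fa0/3 is forwarded unchanged when it arrives on a trusted port, so trust should be given only to ports facing other switches or the DHCP server.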
DHCP snooping is used to define ports as trusted for DHCP server connections. The purpose of DHCP snooping is to mitigate DHCP spoofing attacks. DHCP snooping can be used to determine what ports are able to send DHCP server packets, such as DHCPOFFER, DHCPACK, and DHCPNAK. DHCP snooping can also cache the MAC address to IP address mapping for clients receiving DHCP addresses from a valid DHCP server.
Port security is a method of only permitting specified MAC addresses access to a switch port. This can be used to define what computer or device can be connected to a port, but not eliminate ARP spoofing.
802.1x is a method of determining authentication before permitting access to a switch port. This is useful in restricting who can connect to the switch; it does not inspect ARP packets.
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify switch security features -
What is accomplished by the command switchport port-security violation restrict?
- The switch will generate a log message but will not block any packets.
- The switch will drop packets that are in violation and generate a log message.
- The switch will drop packets that are in violation, but not generate a log message.
- The switch will shut down the interface when packets in violation are detected.
Explanation:
The command switchport port-security violation restrict drops packets that are in violation and generates a log message. The complete syntax of the command is:
switch(config-if)# switchport port-security violation restrict
The port security command is used to lock a port down to specific MAC addresses. The three keywords that can be used with this command are protect, restrict, and shutdown. The protect keyword tells the port to drop packets that are in violation without generating a log message. The restrict keyword tells the port to drop packets that are in violation and generate a log message. The shutdown keyword causes the port to be disabled if a violation is detected.
There is no option to generate a log message but not block any packets.
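The three violation modes side by side, as an added Python model that is not Cisco code and not part of the original question set. It learns MAC addresses up to the configured maximum, then applies the mode to the first frame from an address outside that set; it also tracks the violation counter, which Cisco increments for restrict and shutdown but not for protect. Interface names, MAC addresses and the log text are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Constructed model of port-security violation handling (not Cisco code)."""
    name: str
    maximum: int = 1                     # switchport port-security maximum
    violation: str = "shutdown"          # protect | restrict | shutdown
    secure_macs: set = field(default_factory=set)
    violation_count: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def ingress(self, src_mac):
        """Return True if a frame from src_mac is forwarded, False if it is dropped."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return False                 # an err-disabled port forwards nothing
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)  # dynamic learning until the maximum is reached
            return True
        # table is full and this MAC is not secure: a violation
        if self.violation == "protect":
            return False                 # silent drop; no log, counter untouched
        if self.violation == "restrict":
            self.violation_count += 1
            self.log.append(f"{self.name}: security violation by {src_mac}")  # constructed log line
            return False
        if self.violation == "shutdown":
            self.violation_count += 1
            self.err_disabled = True
            self.log.append(f"{self.name}: err-disabled after violation by {src_mac}")
            return False
        raise ValueError(f"unknown violation mode {self.violation!r}")


def demo_port_security():
    """Same frame sequence against each mode: two allowed MACs, one intruder, then a known MAC again."""
    sequence = ["00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03", "00:00:5e:00:53:01"]
    out = {}
    for mode in ("protect", "restrict", "shutdown"):
        port = SecurePort(f"Fa5/{mode}", maximum=2, violation=mode)
        forwarded = [port.ingress(mac) for mac in sequence]
        out[mode] = (forwarded, port.violation_count, port.err_disabled, len(port.log))
    return out
```

The last frame in the sequence is the difference that matters operationally: under protect and restrict the legitimate host keeps working after an intruder is dropped, while under shutdown the whole port, legitimate hosts included, stays down until it is recovered from err-disable.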
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify switch security features