Last Updated on August 1, 2021 by Admin 2
What command produces the output in the exhibit?
- show port-security interface
- show vlan private-vlan type
- show port-security
- show ip dhcp snooping
The exhibit displays the output of the show port-security command. This command is useful for verifying the violation action configured on each secure port. In the exhibit, Fa5/1 is configured to shut down if a violating packet is received. Port Fa5/5 is configured to drop violating packets, and port Fa5/11 is configured to drop packets and generate a log message.
The output also indicates the number of secure MAC addresses permitted on each interface, the number of secure MAC addresses currently in use on the port, and how many security violations there have been.
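The following is an added example, not part of the original page: a short Python audit of the show port-security summary table that flags ports with recorded violations, ports already at their MAC limit, and ports whose action drops traffic without logging. The sample table is constructed (the actions follow the exhibit as described above, the counts are made up), and the function names are hypothetical.

```python
import re

# Constructed sample in the column layout of `show port-security`; the
# actions match the exhibit as described, the counts are made up.
SAMPLE = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa5/1        11            11              0          Shutdown
      Fa5/5        15             5              0          Protect
      Fa5/11        5             4              3          Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 17
Max Addresses limit in System (excluding one mac per port) : 1024
"""

# One table row: port name, three counters, then the violation action.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Shutdown|Restrict|Protect)\s*$")

def parse_port_security(text):
    """Return one dict per secure-port row; headers and totals are skipped."""
    ports = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, max_addr, cur, viol, action = m.groups()
            ports.append({"port": name, "max": int(max_addr), "current": int(cur),
                          "violations": int(viol), "action": action})
    return ports

def audit(ports):
    """Return (port, finding) pairs worth a reviewer's attention."""
    findings = []
    for p in ports:
        if p["violations"] > 0:
            findings.append((p["port"], f"{p['violations']} violation(s), action {p['action']}"))
        if p["current"] >= p["max"]:
            findings.append((p["port"], "at MAC limit; next new address is a violation"))
        if p["action"] == "Protect":
            findings.append((p["port"], "Protect drops silently: no log message"))
    return findings

if __name__ == "__main__":
    for port, finding in audit(parse_port_security(SAMPLE)):
        print(f"{port}: {finding}")
```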
The show port-security interface command shows the port security configuration on the specified interface. Below is an example of the command and its output:
In the example, seven MAC addresses are allowed on this interface, and seven are currently connected. Therefore, if one more user connects to the hub or switch connected to this port, the port will be placed into the err-disabled state and an SNMP trap message will be sent.
The show vlan private-vlan type command displays the private VLANs on the switch and indicates whether they are primary, isolated, or community VLANs. An example of the output is below:
In the output, VLAN 202 carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN. VLAN 303 carries traffic from isolated ports to a promiscuous port.
The show ip dhcp snooping command displays whether DHCP snooping is enabled, what VLANs it is configured for, and what ports are trusted DHCP ports. An example of the output is below:
The output indicates that:
- The switch is defending against a DHCP spoofing attack (indicated by lines 2 and 3)
- Two ports are trusted and one is not (shown in bottom table)
- Option 82 (relay agent information) is only allowed on trusted ports (indicated by lines 4 and 5)
- ARP spoofing is being monitored (indicated by line 6)
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify switch security features