CCNA FAQ : Implementing Switch Security

Q1. What is the significance of securing physical access to a switch?

Answer: An attacker can maliciously cause physical damage to the switch and/or the cables connected to the switch and ultimately bring down your network. If the attacker wants to covertly attack the network or gain unauthorized access to other devices or networks, he or she can also gain console access to the switch and perform password recovery to reconfigure the switch or discover other devices. For these reasons, it is imperative to ensure that the physical equipment and cables are secured from unauthorized users.

Q2. How can you harden (make secure) the Cisco IOS?

Answer: The first step in hardening Cisco IOS is to secure every point of terminal entry: assign a password (or a username/password pair) to the console, aux, and vty lines. If a line is not used, disable EXEC access on it. For remote access, use SSH rather than Telnet wherever possible and allow only SSH on the vty lines. After terminal access is secured, make sure every password is stored encrypted in the configuration, disable CDP on interfaces that do not need it, and shorten the time an EXEC session can sit idle before it is closed.
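The script below is an added example written for this page, not code from the original FAQ or from Cisco. It audits a running-config against the checklist in this answer: a login on every line that still has EXEC access, a shortened exec-timeout, vty lines restricted to SSH and to an access-class, enable secret and service password-encryption present, and CDP disabled where it is not needed. The two configs it checks are constructed for the example (the access-list number and the secret hashes are placeholders), and the checks encode this FAQ's list rather than any official Cisco baseline.

```python
"""Audit a Cisco IOS running-config for the terminal-hardening items above.
Added example, not part of the original FAQ. Both configs are constructed."""

# Constructed "before" config: Telnet still open, no timeouts, weak secrets.
WEAK_CONFIG = """\
enable password cisco
!
interface FastEthernet0/1
 switchport mode access
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
 transport input all
"""

# Constructed "after" config (hashes and ACL number are placeholders).
HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$abcd$placeholderhash
username admin secret 5 $1$abcd$placeholderhash
ip domain-name example.test
ip ssh version 2
no cdp run
!
interface FastEthernet0/1
 switchport mode access
!
line con 0
 exec-timeout 5 0
 login local
line aux 0
 no exec
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login local
 transport input ssh
"""


def sections(config):
    """Split a config into (header, [indented body lines]) per top-level stanza."""
    result, header, body = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            body.append(raw.strip())
            continue
        if header is not None:
            result.append((header, body))
        header, body = raw.strip(), []
    if header is not None:
        result.append((header, body))
    return result


def audit_config(config):
    """Return a list of findings; an empty list means every check passed."""
    secs = sections(config)
    top = [h for h, _ in secs]
    has = lambda cmd: any(h == cmd or h.startswith(cmd + " ") for h in top)
    findings = []
    if not has("service password-encryption"):
        findings.append("global: service password-encryption is not enabled")
    if has("enable password"):
        findings.append("global: enable password used instead of enable secret")
    if not has("enable secret"):
        findings.append("global: no enable secret configured")
    if not has("ip ssh version 2"):
        findings.append("global: SSH version 2 is not forced (ip ssh version 2)")
    for header, body in secs:
        if header.startswith("interface ") and not has("no cdp run"):
            if "no cdp enable" not in body:
                findings.append(f"{header}: CDP still enabled on this interface")
        if not header.startswith("line ") or "no exec" in body:
            continue  # only terminal lines that still offer EXEC are checked
        login = next((b for b in body if b.split()[0] == "login"), None)
        if login is None:
            findings.append(f"{header}: no login configured (unauthenticated EXEC)")
        elif login == "login" and not any(b.startswith("password ") for b in body):
            findings.append(f"{header}: 'login' without a line password")
        timeout = next((b for b in body if b.startswith("exec-timeout ")), None)
        if timeout is None:
            findings.append(f"{header}: exec-timeout left at the default (10 minutes)")
        elif timeout.split()[1:3] == ["0", "0"]:
            findings.append(f"{header}: exec-timeout 0 0 disables the idle timeout")
        if header.startswith("line vty"):
            if "transport input ssh" not in body:
                findings.append(f"{header}: transport input is not restricted to ssh")
            if not any(b.startswith("access-class ") for b in body):
                findings.append(f"{header}: no access-class limiting management sources")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_config(WEAK_CONFIG)) or "clean")
```

Run it against a real `show running-config` capture by pasting the text into a string; the hardened config produces no findings, while the weak one reports nine, including the open Telnet transport on the vty lines and the default ten-minute idle timeout on every line.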

Q3. How can you secure the management VLAN?

Answer: The best way to secure the management VLAN is to move management off VLAN 1: create a VLAN used only for management, assign the switch's IP address to that VLAN interface, and leave VLAN 1 (the default for every port) out of it. In addition, prune that management VLAN from trunk links to switches that do not need it, so that it cannot be reached from every trunk in the network.

Q4. How can you ensure that only one specific end device is attached to a switch port?

Answer: To ensure that a single device is attached to a switch port, enable port security on the port and set the maximum number of secure MAC addresses to 1 (the default). For additional assurance, pin that device's MAC address to the port, either statically or with sticky learning, so that any other device plugged into the port triggers a violation.

Q5. Why could CDP be a potential security risk?

Answer: CDP advertises information intended for discovery and troubleshooting: the device's hostname, platform and IOS version, the port identifier it is advertising on, and its IP addresses. Because these advertisements are sent unencrypted out of every CDP-enabled port, an attacker on the segment can intercept them and use the details to target the switch.

Q6. Which of the following is not a violation action of port security?
A. Protect
B. Shut down
C. Notify
D. Restrict

Answer: C. Notify is not a valid action of port security. The three actions that can be configured are shut down, protect, and restrict.

Q7. Which is not a recommended way to secure unassigned ports?
A. Assign a dummy VLAN.
B. Change the native VLAN.
C. Change the management VLAN.
D. Shut down unused interfaces.

Answer: B. The native VLAN is a trunk setting, so changing it does nothing to protect an unused access port; worse, a native VLAN that does not match on both ends of a trunk can cause traffic to leak between VLANs. Assigning unused ports to a dummy VLAN, shutting down unused interfaces, and changing the management VLAN are all viable ways of protecting unassigned ports.

Q8. Which commands resulted in the following output? (Choose two)

Switch# show interfaces trunk

A. Switch(config-if)# switchport trunk allowed vlan except 101
B. Switch(config-if)# switchport trunk disallowed vlan 101
C. Switch(config-if)# switchport trunk except vlan 101
D. Switch(config-if)# switchport trunk allowed vlan remove 101

Answer: A, D. Based on the output of the show interfaces trunk command, all VLANs are allowed over the trunk except VLAN 101. Answer A is correct because that command tells the switch to allow every VLAN except VLAN 101. Answer D is also correct because it removes VLAN 101 from the current allowed list, which by default is all VLANs. Answers B and C are incorrect because they are not valid command syntax.
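The difference between except and remove matters in practice, and it is the same mechanism used to prune the management VLAN from trunks (Q3). The following model of how IOS evaluates the switchport trunk allowed vlan keywords is an added example written for this page, not Cisco code: it assumes a fresh trunk allows VLANs 1 to 4094, that except and a bare list are absolute, and that add and remove are relative to the current list, which is how the command behaves on Catalyst switches.

```python
"""Model of 'switchport trunk allowed vlan' list handling.
Added example for this page, not Cisco code; VLAN ranges follow the IOS
notation '1,10-12,101'. Assumes the keyword semantics described above."""

ALL_VLANS = frozenset(range(1, 4095))  # what a new trunk allows by default


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,10-12,101' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not (1 <= lo <= hi <= 4094):
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def apply_allowed_vlan(current, args):
    """Return the allowed set after 'switchport trunk allowed vlan <args>'.

    'all', 'none', 'except <list>' and a bare <list> replace the current list;
    'add <list>' and 'remove <list>' edit the current list in place.
    """
    words = args.split(None, 1)
    keyword = words[0]
    rest = words[1] if len(words) > 1 else ""
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(rest)
    if keyword == "add":
        return set(current) | parse_vlan_list(rest)
    if keyword == "remove":
        return set(current) - parse_vlan_list(rest)
    return parse_vlan_list(args)  # a bare list replaces the current list


def format_vlan_list(vlans):
    """Collapse a set back into IOS notation, e.g. '1-100,102-4094'."""
    ranges, start, prev = [], None, None
    for v in sorted(vlans):
        if start is None:
            start = prev = v
        elif v == prev + 1:
            prev = v
        else:
            ranges.append((start, prev))
            start = prev = v
    if start is not None:
        ranges.append((start, prev))
    return ",".join(f"{a}" if a == b else f"{a}-{b}" for a, b in ranges)


if __name__ == "__main__":
    # Starting from the default, both answers yield the same trunk.
    print(format_vlan_list(apply_allowed_vlan(ALL_VLANS, "except 101")))
    print(format_vlan_list(apply_allowed_vlan(ALL_VLANS, "remove 101")))
    # Starting from a pruned list, 'except' silently re-opens every other VLAN.
    print(format_vlan_list(apply_allowed_vlan({10, 20, 101}, "except 101")))
```

The last line of the demo is the security-relevant caveat: on a trunk that has already been pruned down to a few VLANs, typing except instead of remove reopens all 4,093 other VLANs, including the management VLAN, which is why a change to a trunk's allowed list should always be followed by show interfaces trunk.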

Q9. Which of the following is not a recommended security implementation for securing the Catalyst switch?
B. Disable the console port.
C. Configure the login and password for the vty lines.
D. Allow only specific management IP address(es) into the vty lines.

Answer: B. Disabling the console port is not recommended: the console is the out-of-band failsafe for reaching the device when network access is lost, so it should be protected with a login and physical access controls rather than turned off. Using SSH instead of Telnet, configuring login/passwords on the vty lines, and restricting the vty lines to the management station's IP address(es) are all recommended security implementations.

Q10. Which command produced the following output?

Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
A. Switch(config-if)# switchport port-security sticky
B. Switch(config-if)# switchport port-security mac-address 1234.5678.9abf
C. Switch(config-if)# switchport port-security mac-address
D. Switch(config-if)# switchport port-security 1234.5678.9abf

Answer: B. Because the output shows the MAC address as SecureConfigured, it was entered manually with the switchport port-security mac-address 1234.5678.9abf command. Answers A and D are not valid port-security syntax (sticky learning is enabled with switchport port-security mac-address sticky). Answer C is incomplete as written, because the mac-address keyword must be followed by a specific address or by the sticky keyword; an address learned dynamically on a port-security-enabled interface would be listed as SecureDynamic, not SecureConfigured.

Q11. Given the following:

which of the following is a possible cause of the output?
A. Fast Ethernet 0/6 is receiving traffic and working correctly.
B. A static MAC address has been configured on Fast Ethernet 0/6.
C. Fast Ethernet 0/6 is learning sticky MAC addresses.
D. Fast Ethernet 0/6 is shut down because a violation has occurred.

Answer: D. The port status of the output indicates that it is in an error-disabled state, which means that a violation has occurred and that the default action (shutdown) has disabled the port. Because the maximum MAC addresses is configured as 1, and it has learned two MAC addresses, it is safe to say that this is the cause of the violation. Answer A is incorrect because the port is not in a Secure-Up (active) state. Answer B is incorrect because the count of configured MAC addresses is 0. Answer C is incorrect as well because the output indicates that the sticky MAC address count is also 0.

Q12. Why is the following output false

A. There are more MAC addresses than the maximum allowed and no violations.
B. You cannot have the violation action be shutdown unless static secure MAC addresses are configured.
C. Sticky addresses must be configured if there is more than one MAC address.
D. The maximum MAC addresses cannot be changed from the default value of 1.

Answer: A. If the number of MAC addresses is exceeded, security violations should increase, and the configured action should take place (in this case, shutdown). Answer B is incorrect because you can have the violation be shutdown on dynamic, sticky-learned, or static MAC addresses. Answer C is incorrect because it is not required (although it might be more practical) to configure sticky addresses when there is more than one secure MAC address. Answer D is incorrect because the maximum MAC addresses can be configured to be more than 1.
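Both Q11 and Q12 come down to reading show port-security interface output correctly. The parser below is an added example written for this page (not Cisco's code and not from the FAQ): it reads that output, distinguishes a port that is err-disabled after a violation (Q11) from an impossible reading in which the learned count exceeds the maximum with no violation recorded (Q12), and also flags a port that is up but has no static or sticky address pinned, which is the extra step Q4 recommends. The three sample outputs are constructed to match the conditions the questions describe, with placeholder MAC addresses.

```python
"""Classify 'show port-security interface' output for a Catalyst port.
Added example for this page, not Cisco code. Sample outputs are constructed
to match the Q11/Q12 descriptions; MAC addresses are placeholders."""
import re

# Q11 scenario: maximum 1, two addresses seen, nothing pinned, port shut down.
VIOLATED = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0c12.3456:10
Security Violation Count   : 1
"""

# Q12 scenario: more addresses than the maximum, yet up with zero violations.
IMPOSSIBLE = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 3
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0c12.3457:10
Security Violation Count   : 0
"""

# Q4 recommendation in effect: one sticky-learned address pinned, port up.
PINNED = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0000.0c12.3458:10
Security Violation Count   : 0
"""

# Key, padding, colon, value. The non-greedy key lets 'Last Source
# Address:Vlan' keep its embedded colon, since the separator is ' : '.
FIELD = re.compile(r"^(.*?)\s+:\s+(.*)$")


def parse_port_security(output):
    """Return the output as a {field name: value} dict."""
    fields = {}
    for line in output.splitlines():
        m = FIELD.match(line.rstrip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def classify(output):
    """Return one of: disabled, err-disabled, inconsistent, unpinned, ok."""
    f = parse_port_security(output)
    if f.get("Port Security") != "Enabled":
        return "disabled"
    maximum = int(f["Maximum MAC Addresses"])
    total = int(f["Total MAC Addresses"])
    pinned = int(f["Configured MAC Addresses"]) + int(f["Sticky MAC Addresses"])
    violations = int(f["Security Violation Count"])
    if f["Port Status"].lower() == "secure-shutdown":
        return "err-disabled"          # violation hit the default shutdown action
    if total > maximum and violations == 0:
        return "inconsistent"          # the Q12 situation: cannot occur on real gear
    if pinned == 0:
        return "unpinned"              # secure, but any first device is accepted
    return "ok"


def report(output):
    """One-line operator summary, including the offending source for Q11."""
    f = parse_port_security(output)
    state = classify(output)
    if state == "err-disabled":
        return f"err-disabled after {f['Security Violation Count']} violation(s); last source {f['Last Source Address:Vlan']}"
    return state


if __name__ == "__main__":
    for name, sample in (("fa0/6", VIOLATED), ("q12", IMPOSSIBLE), ("pinned", PINNED)):
        print(f"{name}: {report(sample)}")
```

When the parser reports err-disabled, the recovery path is to remove the unauthorized device and bounce the port (shutdown, then no shutdown), or to let the switch do it on a timer with errdisable recovery cause psecure-violation; an inconsistent reading points at a transcription error or a misread question, not at a switch state you will ever see.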

Q13. After changing the management VLAN to a VLAN other than VLAN 1, you lose SSH access to the switch. Which of the following is not a valid reason why?
A. The new management VLAN interface was not administratively enabled.
B. The port of the management computer has to be assigned to the new management VLAN.
C. The Layer 3 gateway must have access to the new management VLAN if the switch is on a network other than the management PC.
D. The management station’s ARP entry has not timed out for the old VLAN interface.

Answer: D. Moving the management IP address to a new VLAN interface does not change the switch's MAC address, so a management station whose ARP cache still maps that IP address to the switch's MAC address can still reach it; a stale ARP entry is not a reason for losing SSH access. Answer A is a valid reason because the new VLAN interface must be administratively enabled (no shutdown). Answer B is a valid reason because the management station's port must be in the new management VLAN; otherwise it sits in a different broadcast domain and cannot reach the interface. Similarly, answer C is a valid reason because the router or Layer 3 switch must have a route into the new management VLAN to forward SSH traffic between the remote network and the switch.

Q14. Which of the following is false regarding what happens when you use the login local command on line configurations?
A. The switch uses the username and password configured from the global configuration.
B. You are prompted for a login and password as long as you don’t use the password command on the line configuration.
C. This command can be configured on vty lines, the auxiliary port, and the console port.
D. The password can be encrypted using the username username secret password command.

Answer: B. You will still be prompted for a login and password, regardless of whether a password is configured. The switch uses the local username and password (which can be encrypted using the username username secret password command) and can be assigned to console, aux, and vty lines, so answers A, C, and D are incorrect.

Q15. Which of the following is not a default state of switches?
A. VLANs allowed on the trunk are all but the management VLAN.
B. Port security violation action is shut down.
C. Maximum number of MAC addresses learned on port security-enabled interfaces is 1.
D. Management VLAN is VLAN 1.

Answer: A. By default, all VLANs (including the management VLAN) are allowed to traverse trunks. The default port security violation action is shutdown, so answer B is incorrect. Answer C is incorrect because the default maximum number of secure MAC addresses for port security is 1. Answer D is also incorrect because the default management VLAN is VLAN 1.
