CCNP Switch Questions/Answers Securing Campus Infrastructure

Transcription

1 What statement is true about a local SPAN configuration? A. A port can act as the destination port for all SPAN sessions configured on the switch. B. A port can be configured to act as a source and destination port for a single SPAN session. C. Both Layer 2 and Layer 3 switched ports can be configured as source or destination ports for a single SPAN session. D. Port channel interfaces (EtherChannel) can be configured as source and destination ports for a single SPAN session. Answer: C The following additional guidelines or restrictions apply to local SPAN: - Both Layer 2 switched ports (LAN ports configured with the switchport command) and Layer 3 ports (LAN ports configured with the no switchport command) can be configured as source or destination ports in Cisco IOS based switches. - A port can act as the destination port for only one SPAN session. - A port cannot be configured as a destination port if it is a source port of a span session. - Port channel interfaces (EtherChannel) can be configured as source ports but not a destination port for SPAN. - SPAN supports configuration of source ports belonging to different VLANs. - Traffic direction is both by default for SPAN sources. - Destination ports never participate in a spanning-tree instance. Local SPAN includes BPDUs in the monitored traffic, so any BPDUs seen on the destination port are from the source port. As a result, SPAN destination ports should not be connected to another switch because this might cause a network loop. - Destination ports get a copy of all packets switched through the switch regardless of whether the packets actually leave the switch due to STP blocking state on an egress port

2 Refer to the exhibit. Which statement is true about the local SPAN configuration on switch SW1? A. The SPAN session transmits to a device on port fa3/21 a copy of all traffic that is monitored on port fa3/1. B. The SPAN session transmits to a device on port fa3/21 a copy of all traffic that is monitored on port fa3/1, but configured in VLAN 10. C. The SPAN session transmits to a device on port fa3/21 a copy of all traffic that is monitored on port fa3/1, but configured as trunk. D. The SPAN session transmits to a device on port fa3/21 only a copy of unicast traffic that is monitored on port fa3/1 and BPDU frames will be excluded from the monitoring process. Answer: A Above is displayed configuration example for Local SPAN. Local SPAN copies traffic from one or more source ports in any VLAN or from one or more VLANs to a destination port for analysis

3 Refer to the exhibit. Which statement is true about the VSPAN configuration on switch SW1? A. The VSPAN session that is configured on port fa3/4 can monitor only the ingress traffic for any of the VLANs. B. The VSPAN session that is configured on port fa3/4 can monitor only the egress traffic for any of the VLANs. C. Port fa3/4 must be associated with VLAN 10 or VLAN 20 in order to monitor the traffic for any of the VLANs. D. The VSPAN session transmits a copy of the ingress traffic for VLAN 10 and the egress traffic for VLAN 20 out interface fa3/4. Answer: D The following additional guidelines or restrictions apply to VSPAN: - VSPAN sessions, with both ingress and egress options configured, forward duplicate packets from the source port only if the packets get switched in the same VLAN. One copy of the packet is from the ingress traffic on the ingress port, and the other copy of the packet is from the egress traffic on the egress port. VSPAN monitors only traffic that leaves or enters Layer 2 ports in the VLAN: Routed traffic that enters a monitored VLAN is not captured if the SPAN session is configured with that VLAN as an ingress source because traffic never appears as ingress traffic entering a Layer 2 port in the VLAN. Traffic that is routed out of a monitored VLAN, which is configured as an egress source in a SPAN session, is not captured because the traffic never appears as egress traffic leaving a Layer 2 port in that VLAN

4 Which configuration guideline applies to using the capture option in VACL? A. Capture ports transmit traffic that belongs to all VLANs. B. The capture port captures all packets that are received on the port. C. The switch has a restriction on the number of captured ports. D. The capture port needs to be in the spanning-tree forwarding state for the VLAN. Answer: D The Catalyst 6500 family of switches offers an additional feature to monitor traffic flows through the switch. SPAN, VSPAN, and RSPAN configuration applies to all traffic on the source port or source VLAN in one or both directions. Using VACLs with the capture option, the network analyzer receives only a copy of traffic matching the configured ACL. Because the ACL might match Layers 2, 3, or 4 information, the VACL with the capture option offers a useful and powerful complementary value to the SPAN and RSPAN features. The following configuration guidelines apply to using the capture option in VACL: - The capture port needs to be in the spanning-tree forwarding state for the VLAN. - The switch has no restriction on the number of capture ports. - The capture port captures only packets permitted by the configured ACL. - Capture ports transmit only traffic belonging to the capture port VLAN. To capture traffic going to many VLANs, configure the capture port as a trunk carrying the required VLANs

5 All access ports on a switch are configured with the administrative mode of dynamic auto. An attacker, connected to one of these ports, sends a malicious DTP frame. What is the intent of the attacker? A. VLAN hopping B. DHCP spoofing attack C. MAC flooding attack D. ARP poisoning attack Answer: A VLAN hopping is attack where attacker device sends or collects packets from VLAN that shouldn t be accessible to that attacker device. VLAN hopping can be done by switch spoofing or double tagging. First form of attack is when by default Cisco switch ports are set in auto mode. If interface receive DTP frame, then link becomes trunk. So attacker can access VLANs in these cases: - Attacker sends DTP frame, attacker port became trunk port and attacker can attack any VLAN on the trunk. - In switch spoofing attack, attacker configures system to act (spoof) as a switch. Then authorized switch sends DTP frames and configure trunk. So attacker got access to VLANs

6 Refer to the exhibit. A network engineer is securing a network against DHCP spoofing attacks. On all switches, the engineer applied the ip dhcp snooping command and enabled DHCP snooping on all VLANs with the ip dhcp snooping vlan command. What additional step should be taken to configure the security required on the network? A. Issue the ip dhcp snooping trust command on all uplink interfaces on SW1, SW2 and SW3. B. Issue the ip dhcp snooping trust command on all interfaces on SW2 and SW3. C. Issue the ip dhcp snooping trust command on all interfaces on SW1, SW2 and SW3. D. Issue the ip dhcp snooping trust command on all interfaces on SW1, SW2 and SW3 except interface fa0/1 on SW1. Answer: A DHCP Snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted. Trusted ports can source all DHCP messages, whereas untrusted ports can source requests only. If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down. Switch end-user ports are configured as untrusted ports and ports that connect to other device are configured as trusted. DHCP Snooping can be applied on VLAN on switch. In our example end-user ports on SW2 and SW3 should be untrusted. Fa0/1, fa0/2 and fa0/3 ports on SW1 should be trusted. Port of SW2 that is connected to fa0/2 of SW1 should be trusted port. Port of SW3 that is connected to fa0/3 of SW1 should be trusted port

7 Which countermeasures can be implemented to determine the validity of an ARP packet, based on the valid MAC-address-to-IP address bindings stored in a DHCP snooping database? A. DHCP spoofing B. Dynamic ARP inspection C. CAM table inspection D. MAC snooping Answer: B In a normal ARP operation, a host sends a broadcast to determine the MAC address of a host with a particular IP address. The device at that IP address replies with its MAC address. The originating host caches the ARP response, using it to populate the destination Layer 2 header of packets sent to that IP address. By spoofing an ARP reply from a legitimate device with a gratuitous ARP, an attacking device appears to be the destination host sought by the senders. The ARP reply from the attacker causes the sender to store the MAC address of the attacking system in its ARP cache. All packets destined for those IP addresses are forwarded through the attacker system. ARP does not have any authentication. It is quite simple for a malicious user to spoof addresses by using tools such as ettercap, dsniff, and arpspoof to poison the ARP tables of other hosts on the same VLAN. In a typical attack, a malicious user can send unsolicited ARP replies (gratuitous ARP packets) to other hosts on the subnet with the attacker s MAC address and the default gateway s IP address. Frames intended for default gateways sent from hosts with poisoned ARP tables are sent to the hacker s machine (enabling the packets to be sniffed) or an unreachable host as a DoS attack. ARP poisoning leads to various man-in-themiddle attacks, posing a security threat in the network. Dynamic ARP inspection helps prevent the man-in-the-middle attacks by not relaying invalid or gratuitous ARP replies out to other ports in the same VLAN. Dynamic ARP inspection intercepts all ARP requests and all replies on the untrusted ports. Each intercepted packet is verified for valid IP-to-MAC bindings that are gathered via DHCP snooping. Denied ARP packets are either dropped or logged by the switch for auditing, so ARP poisoning attacks are stopped. Incoming ARP packets on the trusted ports are not inspected. Dynamic ARP inspection also can rate-limit ARP requests from client ports to minimize port scanning mechanisms

8 How should unused ports on a switch be configured in order to prevent VLAN hopping attacks? A. Configure them with the UDLD feature. B. Configure then with the PAgP protocol. C. Configure them as trunk ports for the native VLAN 1. D. Configure them as access ports and associate them with an unused VLAN. Answer: D Best practice to prevent VLAN hopping attacks are: - Configure all unused ports as access ports, so that trunking can t be done trough these ports. - Place all unused ports in shutdown states and associate them with VLAN that carries just unused ports. On this VLAN it is not permitted to be user data traffic. - When you set trunk link, native VLAN must be different from all other user data VLANs. - Trunking is set to on or nonegotiate (not negotiated). - Native VLAN is not carried on the trunk

9 Refer to the exhibit. Network policy dictates that security functions should be administered using AAA. Which configuration would create a default login authentication list that uses RADIUS as the first authentication method, the enable password as the second method and the local database as the final method? A. SW1(config)#aaa new-model; SW1(config)#radius-server host key secret; SW1(config)#aaa authentication default group-radius local B. SW1(config)#aaa new-model; SW1(config)#radius-server host key secret; SW1(config)#aaa authentication default group-radius enable local C. SW1(config)#aaa new-model; SW1(config)#radius-server host key secret; SW1(config)#aaa authentication login default group radius enable local D. SW1(config)#aaa new-model; SW1(config)#radius-server host key secret; SW1(config)#aaa authentication login default group radius enable local none Answer: C

10 AAA is architectural framework for configuring three independent security functions in a consistent manner. AAA provides a modular way of performing the following services: - Authentication provides the method of identifying users, including login and password dialog, challenge and response, messaging support and depending on the security protocol you select, encryption. Authentication is the way a user is identified prior to being allowed access to the network and network services. You configure AAA authentication by defining a named list of authentication methods and then applying that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they will be performed; it must be applied to a specific interface before any of the defined authentication methods will be performed. The only exception is the default method list (which is named default). The default method list is automatically applied to all interfaces if no other method list is defined. A defined method list overrides the default method list. All authentication methods, except for local, line passwords and enable authentication must be defined through AAA. R1(config)#aaa new-model R1(config)#aaa authentication login {default list-name}method1[method2 ] R1(config)#line[aux console tty vty]line-number[ending-line-number] R1(config-line)#login authentication [default list-name] R1(config-if)#aaa authentication ppp[default list-name]method1[method2 ] R1(config)#interface interface-type interface-number R1(config-if)#ppp authentication {protocol1[protocol2 ]}[if-needed][default list-name]

11 - Authorization provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support and support of IP, IPX, ARA and Telnet. AAA authorization works by assembling a set of attributes that describe what the user is authorized to perform. These attributes are compared to the information contained in a database for a given user and the result is returned to AAA to determine the user s actual capabilities and restrictions. The database can be located locally on the access server or router or it can be hosted remotely on a RADIUS or TACACS+ security server. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights with the appropriate user. All authorization must be defined through AAA. As with authentication, you configure AAA authorization by defining a named list of authorization methods and then applying that list to various interfaces. - Accounting provides the method for collecting and sending security server information used for billing, auditing and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets and number of bytes. Accounting enables you to track the services users are accessing as well as the amount of network resources they are consuming. When AAA accounting is activated, the network access server reports user activity to the RASIUS or TACACS+ security server (depending on which security method you have implemented) in the form of accounting records. Each accounting record is comprised of accounting AV pairs and is stored on the access control server. This data can then be analyzed for network management, client billing, and/or auditing. All accounting methods must be defined through AAA. As with authentication and authorization, you configure AAA accounting by defining a named list of accounting methods and then applying that list to various interfaces

12 You control the port authorization state by using the dot1x port-control interface configuration command and these keywords: force-authorized disables 802.1x authentication and cause the port to transition to the authorized state without any authentication exchange required. The port sends and receives normal traffic without 802.1x based authentication of the client. This is the default setting. force-unauthorized causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the interface. auto enables 802.1x authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up or when an EAPOL-start frame is received. The switch requests the identity of the client and begins relying authentication messages between the client and the authentication server. Each client attempting to access the network is uniquely identified by the switch by using the client s MAC address

13 Refer to the exhibit. A switch is being configured to support AAA authentication on the console connection. Given the information in the exhibit, which three statements are correct? (Choose three) A. The authentication login admin line console command is required. B. The login authentication admin line console command is required. C. The configuration creates authentication list that uses a named access list called group as the first authentication method, a TACACS+ server as the second method, the local username database as the third method, the enable password as the fourth method and none as the last method. D. The configuration creates an authentication list that uses a TACACS+ server as the first authentication method, the local username database as the second method, the enable password as the third method and none as the last method. E. The none keyword enables any user logging in to successfully authenticate if all other methods return an error. F. The none keyword specifies that a user cannot log in if all other methods have failed. Answer: B, D, E Switch(config)#aaa new-model /enables AAA globally on the switch Switch(config)#aaa authentication login admin group tacacs+ local enable none / These are lists of authentication methods. "admin" is name of the list, and the / methods listed on the same lines are the methods in the order to be tried. In the table are shown AAA authentication login methods

14 We can apply admin group on console (in our example, or can be Telnet) Switch(config)#line con 0 Switch(config-line)#password whatever Switch(config-line)#exec-timeout 0 0 Switch(config-line)#login authentication admin More on: Link