11.6.4 Module Quiz – Switch Security Configuration (Answers)

Explanation: Port security cannot be enabled on a trunk and trunks are the only types of ports that have a native VLAN. Even though turning DTP off on a trunk is a best practice, it does not have anything to do with native VLAN risks. To prevent security breaches that take advantage of the native VLAN, place the native VLAN in an unused VLAN other than VLAN 1. The management VLAN should also be an unused VLAN that is different from the native VLAN and something other than VLAN 1.

Explanation: PortFast will immediately bring an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states. If configured on a trunk link, immediately transitioning to the forwarding state could lead to the formation of Layer 2 loops.

Explanation: Unlike router Ethernet ports, switch ports are enabled by default. Cisco recommends disabling any port that is not used. The ip dhcp snooping command globally enables DHCP snooping on a switch. Further configuration allows defining ports that can respond to DHCP requests. The switchport port-security command is used to protect the network from unidentified or unauthorized attachment of network devices.

Explanation: In DHCP starvation attacks, an attacker floods the DHCP server with DHCP requests to use up all the available IP addresses that the DHCP server can issue. In DHCP spoofing attacks, an attacker configures a fake DHCP server on the network so that it provides clients with false DNS server addresses. The port security feature can limit the number of dynamically learned MAC addresses per port or allow only known valid NICs to be connected via their specific MAC addresses. The DHCP snooping feature can identify the legitimate DHCP servers and block fake DHCP servers from issuing IP address information. These two features can help fight against DHCP attacks.

Explanation: VLAN hopping attacks rely on the attacker being able to create a trunk link with a switch. Disabling DTP and configuring user-facing ports as static access ports can help prevent these types of attacks. Disabling the Spanning Tree Protocol (STP) will not eliminate VLAN hopping attacks.

Explanation: To mitigate the chances of ARP spoofing, these procedures are recommended:

• Implement protection against DHCP spoofing by enabling DHCP snooping globally.
• Enable DHCP snooping on selected VLANs.
• Enable DAI on selected VLANs.
• Configure trusted interfaces for DHCP snooping and ARP inspection. Untrusted ports are configured by default.​

Explanation: DHCP snooping recognizes two types of ports on Cisco switches:

• Trusted DHCP ports – switch ports connecting to upstream DHCP servers
• Untrusted ports – switch ports connecting to hosts that should not be providing DHCP server messages

Explanation: PortFast can be configured on all nontrunking ports using the spanning-tree portfast default global configuration command. Alternatively, PortFast can be enabled on an interface using the spanning-tree portfast interface configuration command.

Explanation: If an interface that has been protected with port security goes into the err-disabled state, then a violation has occurred and the administrator should investigate the cause of the violation. Once the cause is determined, the administrator can issue the shutdown command followed by the no shutdown command to enable the interface.

Explanation: The steps to enable DHCP snooping include these:

• Step 1. Enable DHCP snooping using the ip dhcp snooping global configuration command.
• Step 2. On trusted ports, use the ip dhcp snooping trust interface configuration command.
• Step 3. Enable DHCP snooping by VLAN, or by a range of VLANs.

Explanation: DAI can be configured to check for both destination or source MAC and IP addresses:

• Destination MAC – Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body.
• Source MAC – Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.
• IP address – Checks the ARP body for invalid and unexpected IP addresses including addresses 0.0.0.0, 255.255.255.255, and all IP multicast addresses.

Explanation: Port security limits the number of source MAC addresses allowed through a switch port. This feature can prevent an attacker from flooding a switch with many spoofed MAC addresses.

Explanation: Mitigating a VLAN hopping attack can be done by disabling Dynamic Trunking Protocol (DTP) and by setting the native VLAN of trunk links to VLANs not in use.

Explanation: In general, a router serves as the default gateway for the LAN or VLAN on the switch. Therefore, the uplink interface that connects to a router should be a trusted port for forwarding ARP requests.

Explanation: When MAC addresses are automatically learned by using the sticky command option, the learned MAC addresses are added to the running configuration, which is stored in RAM.

Explanation: Port security can be configured on switches to assist in preventing the MAC address table from being overwhelmed with invalid MAC addresses. ACLs will not assist a switch in filtering broadcast traffic, and increasing the size of the CAM table or the speed of switch ports will not resolve this issue.

Explanation: When a violation occurs on a switch port that is configured for port security with the shutdown violation action, it is put into the error-disabled state. It can be brought back up by shutting down the interface and then issuing the no shutdown command.

Explanation: Dynamically learned secure MAC addresses are lost when the switch reboots. Sticky MAC addresses are learned and added to the running config. These addressess can be retained if the configuration is saved and then rebooted. MAC addresses may also be configured statically (that is, manually). If fewer than the maximum number of MAC addresses for a port are configured statically, dynamically learned addresses are added to CAM until the maximum number is reached.

Explanation: In port security implementation, an interface can be configured for one of three violation modes: Protect-a port security violation causes the interface to drop packets with unknown source addresses and no notification is sent that a security violation has occurred. Restrict-a port security violation causes the interface to drop packets with unknown source addresses and to send a notification that a security violation has occurred. Shutdown-a port security violation causes the interface to immediately become error-disabled and turns off the port LED. No notification is sent that a security violation has occurred.

Explanation: BPDU guard immediately error-disables a port that receives a BPDU. This prevents rogue switches from being added to the network. BPDU guard should be applied only to all end-user ports.

Explanation: With sticky secure MAC addressing, the MAC addresses can be either dynamically learned or manually configured and then stored in the address table and added to the running configuration file. In contrast, dynamic secure MAC addressing provides for dynamically learned MAC addressing that is stored only in the address table.

Explanation: BPDU guard can be enabled on all PortFast-enabled ports by using the spanning-tree portfast bpduguard default global configuration command. Alternatively, BPDU guard can be enabled on a PortFast-enabled port through the use of the spanning-tree bpduguard enable interface configuration command.

Explanation: DAI can be configured to check for both destination or source MAC and IPv4 addresses. Destination MAC checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body. Source MAC checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body. IP address checks the ARP body for invalid and unexpected IP addresses including addresses 0.0.0.0, 255.255.255.255, and all IP multicast addresses.

Explanation: When DHCP snooping is being configured, the number of DHCP discovery messages that untrusted ports can receive per second should be rate-limited by using the ip dhcp snooping limit rate interface configuration command. When a port receives more messages than the rate allows, the extra messages will be dropped.

Explanation: If no violation mode is specified when port security is enabled on a switch port, the security violation mode defaults to “shutdown”.

Explanation: Mitigating a VLAN attack can be done by disabling Dynamic Trunking Protocol (DTP), manually setting ports to trunking mode, and by setting the native VLAN of trunk links to VLANs not in use.

Explanation: A Port Status of Secure-down means there are no hosts connected. Secure-up means there is at least one host connected to the port. Secure-shutdown means the port is error-disabled.