Chapter 8
how many bits in the modulus
after entering the "crypto key generate rsa" command, what information does the CLI ask the user for?
no
after the "no service password-encryption" command is used, will changes to existing passwords be encrypted?
ip domain-name (example.com); crypto key generate rsa
black commands
enable use of local usernames
blue what's happening
switchport port-security mac-address (mac-address) @interface subcommand
command to configure specific allowable MACs for an interface
global config mode
green mode
telnet or SSH
green protocols
Tells IOS to prompt for a password.
login purpose
Console and vty configuration mode
password (pass-value) mode
- a working IP configuration - login security on the vty lines
what is required to allow a vty (Telnet or SSH) session user to reach user mode
shutdown
what is the default action taken upon a security violation
"begin" shows the output starting at the "line vty" line; "section" only shows the output for that section; "include" only shows lines that include the text
what is the difference in the output of the three commands? show running-config | begin (line vty); show running-config | section (line vty); show running-config | include (line vty)
create an encryption key; create usernames and passwords
what must a user do to configure a switch to support inbound SSH login
line vty 0 15; login local
when Configuring Switches how do you tell the switch to use local username login authentication
global config mode
when configuring switches to use local username login authentication, in what mode do you enter the command "username wendell password odom"
@vty mode login local
when configuring a switch to support inbound SSH login, how do you enable use of local usernames
@ global config mode: ip domain-name example.com; crypto key generate rsa
when configuring a switch to support inbound SSH login, how do you create an encryption key
any character, then the banner login, then end with the same character from the beginning
when configuring the banner login with the "banner login" command what else do you need to type besides the banner login?
farts.example.com
when configuring the switch to support inbound SSH login, what will the name of the key be if the domain name is "example.com" and the switch's hostname is "farts"?
no
when viewing the results of the show running-config (or show startup-config if the configuration was saved to the startup) will you be able to read the password created by the "enable secret" global command?
yes
when viewing the results of the show running-config (or show startup-config if the configuration was saved to the startup) will you be able to read the password created by the "password (p/w)" command?
SSH, RADIUS and TACACS+
which protocols encrypt sent passwords
a d
An engineer had formerly configured a Cisco 2960 switch to allow Telnet access so that the switch expected a password of mypassword from the Telnet user. The engineer then changed the configuration to support Secure Shell. Which of the following commands could have been part of the new configuration? A. A login local vty mode subcommand B. A username (name) password (password) vty mode subcommand C. A transport input ssh global configuration command D. A username name password password global configuration command
b e f
An engineer's desktop PC connects to a switch at the main site. A router at the main site connects to each branch office through a serial link, with one small router and switch at each branch. Which of the following commands must be configured on the branch office switches, in the listed configuration mode, to allow the engineer to telnet to the branch office switches? A. The password command in console line configuration mode B. The ip default-gateway command in global configuration mode C. The ip default-gateway command in VLAN configuration mode D. The ip address command in global configuration mode E. The password command in vty line configuration mode F. The ip address command in interface configuration mode
Port channel misconfiguration; BPDU (bridge protocol data unit) guard violation; Late-collision detection; Link-flap detection; Security violation
An interface is placed in the error disabled state when the switch detects an error on the port. Some conditions that cause IOS to place a port in this state are:
c
Imagine that you have configured the enable secret command, followed by the enable password command, from the console. You log out of the switch and log back in at the console. Which command defines the password that you had to enter to access privileged mode? A. The password command, if it's configured B. enable password C. enable secret D. Neither
b
The following command was copied and pasted into configuration mode when a user was telnetted into a Cisco switch: banner login this is the login banner Which of the following is true about what occurs the next time a user logs in from the console? A. The banner text "this is the login banner" is displayed. B. The banner text "his is" is displayed. C. No banner text is displayed. D. The banner text "Login banner configured, no text defined" is displayed.
c
Which of the following is required when configuring port security with sticky learning? A. Defining the specific allowed MAC addresses using the switchport port-security mac-address interface subcommand B. All the other answers list required commands C. Enabling port security with the switchport port-security interface subcommand D. Setting the maximum number of allowed MAC addresses on the interface with the switchport port-security maximum interface subcommand
switchport port-security maximum (number) @ the interface subcommand
command to configure maximum number of allowed MAC addresses associated with the interface
switchport port-security mac-address sticky
command to configure sticky learning on a switch
switchport port-security violation {protect | restrict | shutdown} @interface subcommand
command to override the default action to take upon a security violation
delete
delete
no
do all varieties of port security define a maximum number of destination MAC addresses allowed for all frames coming in on the interface?
yes
do all varieties of port security define a maximum number of source MAC addresses allowed for all frames coming in on the interface?
no
do all varieties of port security define a minimum number of source MAC addresses allowed for all frames coming in on the interface?
no
do all varieties of port security do nothing when attempting to add a new MAC address that exceeds the configured maximum?
no
do all varieties of port security take action when attempting to add a new IP address that exceeds the configured maximum?
yes
do all varieties of port security take action when attempting to add a new MAC address that exceeds the configured maximum?
no
do all varieties of port security watch all incoming frames and keep a list of all destination MAC addresses, plus a counter of the number of different destination IP addresses?
no
do all varieties of port security watch all incoming frames and keep a list of all source IP addresses, plus a counter of the number of different source IP addresses?
yes
do all varieties of port security watch all incoming frames and keep a list of all source MAC addresses, plus a counter of the number of different source MAC addresses?
yes
do the default console configuration settings allow a console user to reach both user mode and enable mode without supplying a password?
no
do the default vty (Telnet or SSH) configuration settings allow a console user to reach both user mode and enable mode without supplying a password?
no
do you need to predefine the specific MAC addresses with sticky learning
global mode
grey mode
switchport port-security @ the interface subcommand
how do you enable port security
@ global config or subcommand mode "interface vlan1"
how do you get into the vlan 1 interface?
"switchport mode {access|trunk}" @ the interface subcommand
how do you set a switch interface to be an access port or trunk port?
shutdown @ interface subcommand.
how does one Administratively disable an interface
switchport access vlan (number) @interface subcommand
how does one assign a port to an unused VLAN
switchport mode access @ interface subcommand
how does one make a port a nontrunking interface
switchport trunk native vlan (vlan-id) @ interface subcommand.
how does one set the native VLAN to not be VLAN 1, but to instead be an unused VLAN
yes
if a password is changed while the "service password-encryption" command is in the configuration, will the new password still be encrypted?
no
if the "no service password-encryption" command is used, will existing passwords lose their encryption?
discards offending traffic
if the option on the switchport port-security violation command is "protect" what does it do?
-discards offending traffic -sends log and SNMP messages
if the option on the switchport port-security violation command is "restrict" what does it do?
-discards offending traffic -sends log and SNMP messages -disables the interface, discarding all traffic
if the option on the switchport port-security violation command is "shutdown" what does it do?
type out the command line for each MAC
if you have multiple MACs to configure to be the only allowable ones do you enter a range or do you have to type out the command line for each MAC
it requires a username
in configuration, how is SSH different from Telnet?
enable
in the CLI, the symbol "#" terminating the prompt denotes the user is in which mode?
user
in the CLI, the symbol ">" terminating the prompt denotes the user is in which mode?
no
is it necessary to use the "login local" command in line vty 0 15 mode if the username/password is not being stored locally
no
is the following command a global config mode command: "transport input ssh"?
no
is the "transport input ssh" command a global configuration command
global or any interface config
line console 0 mode
global or any interface config
line vty (1st-vty last-vty) mode
Changes the context to vty configuration mode for the range of vty lines listed in the command
line vty (1st-vty last-vty) purpose
Console and vty configuration mode.
login mode
"ip address" ip-address; "no shutdown"; @ global config mode: "ip default-gateway" ip-address
once in the correct VLAN interface, what further commands need to be issued to configure IPv4 on a switch
create encryption key
purple what's happening
create usernames and passwords
red what's happening
in a large network, storing pairs locally requires that every router and switch be configured
what advantage does securing access with external authentication servers present when compared to storing password/username pairs locally?
protect restrict shutdown
what are all the optional security violation actions
set maximum # allowed MACs; override default security violation action; predefine allowed source MACs; "sticky learn"
what are four options for configuring port security
set the interface to trunk or access mode and enable port security
what are two things that need to be done to configure port security
status information about the SSH server itself
what does the "show ip ssh" command list
information about each SSH client currently connected into the switch
what does the "show ssh" command list
- a working IP configuration - login security on the vty lines - enable mode security
what is required to allow a vty (Telnet or SSH) session user to reach enable mode
yes
when viewing the results of the show running-config (or show startup-config if the configuration was saved to the startup) will you be able to read the password created by the "username (name) password (p/w)" global command?
VTY mode
yellow mode
global
"service password-encryption" mode
Changes the context to console configuration mode.
line console 0 purpose
global configuration mode
username "name" password "password"; mode?
enable secret
IOS accepts only the password as configured in which command if both the enable secret and the enable password passwords are configured?
b
In which of the following modes of the CLI could you configure the duplex setting for interface Fast Ethernet 0/5? A. Enable mode B. Interface configuration mode C. Global configuration mode D. User mode E. VLAN mode
stores username/password pairs
What does an AAA server do
authentication, authorization, and accounting
What does the AAA in "AAA server" stand for
1
What is the default setting for the maximum number of MAC addresses
e
Which of the following describes a way to disable IEEE standard autonegotiation on a 10/100 port on a Cisco switch? A. Configure the speed 100 interface subcommand B. Configure the no negotiate interface subcommand C. Configure the negotiate disable interface subcommand D. Configure the duplex half interface subcommand E. Configure the speed 100 and duplex full interface subcommands F. Configure the duplex full interface subcommand
improves the underlying security algorithms; provides login banner support
advantages of SSH v2 over v1
AAA server
fuchsia device
RADIUS or TACACS+
purple protocols
the "password" command, in both console and vty modes; the "username (name) password (p/w)" global command
the "service password-encryption" affects which passwords
example: show running-config | begin (line vty); show running-config | section (line vty); show running-config | include (line vty)
the show commands can list a lot of info, how can you skip to the desired area?
Administratively disable the interface; make the port a nontrunking interface; assign the port to an unused VLAN; set the native VLAN to not be VLAN 1, but to instead be an unused VLAN
to secure unused switch interfaces what do you do?
Emma(config-if)# ip address dhcp; Emma(config-if)# no shutdown
to tell the switch to use DHCP on the interface and enable the interface, which commands?
all - supports SSH and Telnet; none - supports neither; telnet - supports Telnet; ssh - supports SSH
transport input {all | none | telnet | ssh} meaning of each keyword
vty subcommand
transport input {all | none | telnet | ssh} mode?
@ global config mode: username (somename) password (some p/w); username (somename2) password (some p/w2)
when configuring a switch to support inbound SSH login, how do you create usernames and passwords
@global config ip ssh version 2
when configuring a switch to support inbound SSH login, how do you use SSH Version 2 rather than Version 1?