CNA 252 Chapter 5
no cdp enable
Command to disable CDP on a port
get-request
Command to retrieve a value from a specific variable
set-request
Command to store a value in a specific variable
snmp-server community [string] [access-list-number-or-name]
Command to restrict SNMP access to NMS hosts that are permitted by an ACL
snmp-server user [username] [groupname] v3 [encrypted] [auth {md5 | sha} auth-password] [priv {des | 3des | aes {128 | 192 | 256}} priv-password]
Command to add a new user to the SNMP group
snmp-server community [string] ro | rw
Command to configure the community string and access level
snmp-server group [groupname] {v1 | v2c | v3 [auth | noauth | priv]}
Command to create a new SNMP group on the device
no cdp run
Command to disable CDP globally on a device
snmp-server location [text]
Command to document the location of the device
snmp-server contact [text]
Command to document the system contact
snmp-server enable traps
Command to enable traps on an SNMP agent
snmp-server host [host-id] [version {1 | 2c | 3 [auth | noauth | priv]}] [community-string]
Command to specify the recipient of the SNMP trap operations
Traps
SNMP agents can forward information directly to a network manager using ___
False, neither provides authentication
SNMPv2c is better than SNMPv1 because it provides authentication of the source of a management message [True or False]
Local AAA Authentication
Uses a local database for authentication; self-contained authentication
Server-Based AAA Authentication
Uses a server for authentication; much more scalable
Disable DTP
What is the best way to stop most VLAN attacks?
Port 161
Which port does the SNMP manager use to query the MIB for SNMP agents?
Set action
Action to change configurations on an agent
Get action
Action to collect information from an SNMP agent
Simple Network Management Protocol (SNMP)
An application layer protocol that provides a message format for communication between managers and agents
DHCP spoofing attack
Attack where an attacker configures a fake DHCP server on the network to issue IP addresses to clients
DHCP starvation attack
Attack where an attacker floods the DHCP server with bogus DHCP requests and eventually leases all of the available IP addresses in the DHCP server pool
MAC Address Table Flooding Attack
Attack where the MAC table is full so packets are flooded out every port, turning the switch into a hub
Telnet DoS Attack
Attack where the attacker continuously requests Telnet connections in an attempt to render the Telnet service unavailable and prevent an administrator from remotely accessing a switch
Brute Force Password Attack
Attack where the attacker uses a list of common passwords, dictionary words, and variations of words to discover the administrative password
SNMP agent
Is responsible for providing access to the local MIB
snmpget -v2c (version of SNMP) -c [community string] X.X.X.X (IP address of monitored device) x.x.x.x.x.x.x.x.x.x.x (OID)
Just memorize the snmpget utility command format.
Cisco Discovery Protocol (CDP)
Layer 2 link discovery protocol
Dynamic ARP Inspection (DAI)
Prevents ARP spoofing and ARP poisoning attacks
DHCP Snooping
Prevents DHCP starvation and DHCP spoofing attacks
IP Source Guard (IPSG)
Prevents MAC and IP address spoofing attacks
Port Security
Prevents many types of attacks including CAM table overflow attacks and DHCP starvation attacks
TACACS+ and RADIUS protocols
Protocols used to communicate between the router and AAA security servers
Read-write (rw)
Provides access to the MIB variables and allows these variables to be changed
Read-only (ro)
Provides access to the MIB variables, but does not allow these variables to be changed
False, RADIUS encrypts only passwords
RADIUS only encrypts usernames [True or False]
get-response
Reply to get-request with requested information, also replies to send-request commands
SNMP manager
Runs the SNMP management software and queries SNMP agents
Management Information Base (MIB)
Stores data about the device and operational statistics and is meant to be available to authenticated remote users
True
TACACS+ is considered more secure than RADIUS because it encrypts everything [True or False]
Untrusted DHCP ports
These ports connect to hosts that should not be providing DHCP server messages
Trusted DHCP ports
These ports should lead to legitimate DHCP servers replying with DHCP Offer and DHCP Ack messages
Authenticator (Switch)
This controls physical access to the network based on the authentication status of the client.
Supplicant (Client)
This device requests access to LAN and switch services and then responds to requests from the switch
Authentication server
This performs the actual authentication of the client
- Message integrity and authentication - Encryption - Access control
What are the three security features that SNMPv3 provides?
1.3.6.1.4.1.9: 1 = iso, 3 = org, 6 = dod, 1 = internet, 4 = private, 1 = enterprises, 9 = cisco
What part of the OID stays the same, and what do the numbers stand for?
RADIUS to encapsulate and EAP to de-encapsulate
What protocols does the Authenticator use when talking with the server and the client?
