CCNA vol 2 - ch 5, 6, 7, 8, 9 - security, cdp, lldp, ntp
What is a syslog server?
A central server where network devices can send their log records for storage to be analyzed later.
What severity level shows up when a user enters a debugging command?
7
What's a good device to implement DHCP snooping?
A switch, since it is positioned between DHCP clients and DHCP servers and can apply logic to DHCP messages, filtering some of them if needed.
What is a DHCP Snooping binding table and explain its use?
A table listing trusted clients' MAC address, IP address, VLAN, and interface. It keeps track of active DHCP leases. This way, if an attacker tries to release some other device's IP address lease, the switch can detect that the sender is not the device that was actually given that IP address in the first place.
What command makes a Cisco device the NTP server and not reference any other time source?
ntp master [optional stratum level] *without entering a stratum level, it is 8 by default
What command makes a Cisco device an NTP client (by referencing an external server) and automatically also an NTP server (to its connected NTP devices)?
ntp server [server address OR server hostname] //this points to an NTP server to collect time info. Ex: ntp server time-a-b-nist.gov and ntp server time-a-g-nist.gov (this makes the US National Institute of Standards and Technology its source of time data, with two servers for redundancy)
What command makes this NTP server device give clients its virtual loopback interface's IP address instead of a physical port's IP address for the purposes of NTP messaging?
ntp source loopback [loopback ID]
Cisco devices have LLDP on or off by default?
off
What command shows whether CDP is globally enabled?
# show cdp
What command shows whether CDP is enabled on an interface?
# show cdp interface fa 0/0
What command sets LLDP on to only transmit LLDP messages on an interface?
(interface subcommand) lldp transmit *this would override a global "no lldp run" command
NTP stratums range from what to what?
0 - 15. Anything beyond 15 can't be set because it would be considered unreliably far away. A stratum of 0 is given to a reference clock which all others will reference.
What is the range of severity levels in Cisco devices?
0-7, where 0 is "System Unusable" and then it gets less severe
What is the default maximum MAC addresses allowed for a port with port-security enabled?
1 (at a time, not one specific device)
What are the three DHCP allocation modes?
1. dynamic - normal timed assignment of addresses; 2. automatic - assigned IPs without timers; 3. static - statically reserved IP addresses which it then gives to a device requesting an address (identified by MAC address)
What command sets the violation mode to shutdown?
switchport port-security violation shutdown
IOS typically enables CDP globally and on each interface by default. T or F?
true
Sequence numbers can be added to log messages. T or F?
true
CDP should be used only where needed, such as between network devices and IP phones. T or F?
True, disable it on other ports
What is the name for statically making an ARP table entry which will be looked at by DAI in order to give or deny access to some ARP message?
ARP ACLs
In DHCP snooping, for untrusted ports, what two fields are compared to see if the client is who they say they are?
The DHCP chaddr field in the DHCP L3 message (client hardware address, which includes the MAC address) and the source MAC address of the frame.
What are two main tools for defeating DHCP attacks?
DHCP snooping and Dynamic ARP Inspection (DAI)
What happens first for a new PC: DHCP or ARP?
DHCP, then ARP
What is CDP?
Cisco Discovery Protocol - a protocol that allows Cisco devices to learn information about directly connected devices (neighbors). Information includes hostname, IP/MAC addresses on the connected link, neighbor interface (like fa 0/3), type of device, model, etc.
Which allows "X messages per Y seconds" to be defined for incoming DHCP or ARP messages: DHCP Snooping or DAI?
DAI
Whereas DHCP snooping is concerned with building a database (binding table), what feature compares an ARP message to the DHCP Snooping binding table and the ARP ACLs in order to filter messages on a switch port?
DAI - Dynamic ARP Inspection
Regarding rate limits in DAI vs DHCP Snooping, what are the defaults for each?
DAI defaults to having a limit of 15 packets per second, and DHCP Snooping has no limits by default.
When a DHCP client wants to reject an ip address assignment, what message do they send the server?
DHCP Decline message
When DHCP client no longer needs an ip address, what message do they send to the server?
DHCP Release message
What is a good defense against a DoS attack on a switch with DHCP Snooping and/or Dynamic ARP Inspection features?
Define an allowed DHCP message rate, where if the rate exceeds, it puts the port in an err-disabled state. Then allow it to recover automatically after a certain amount of time (thus not allowing the switch CPU to be overwhelmed).
In the DORA process, which messages are from clients and which from the server?
Discover and Request = client; Offer and Acknowledge = server
By default, IOS shows log messages to console users for only some severity levels of messages. T or F?
False, it shows messages of all severity levels by default for console users (not telnet or ssh)
What is the DORA process?
How hosts gain IPv4 addresses: 1. Discover - initial broadcast message sent by client; 2. Offer - broadcast sent by server with an IP address; 3. Request; 4. Acknowledgement
What does the ARP table show?
IP addresses and matching MAC addresses
For any DAI untrusted ports, when a host tries to use ARP, what does the switch compare in order to look for correctness of MAC address/IP address combinations?
It compares the ARP request (L3 data: ARP origin IP and origin MAC fields) to its DHCP Snooping binding table data. If there's a match, it allows the ARP message to go through; otherwise it gets dropped. The comparison asks "is this hardware leasing this IP address, or is it lying?"
DHCP Snooping is similar to a firewall how?
It inspects DHCP messages and may filter or allow messages. This is a switch vlan setting and can be enabled or disabled by making a port trusted or untrusted. (Most will be untrusted)
An NTP device that lists an NTP server's reference IP address of 127.127.1.1 means what?
It means the server gets the time internally, not from another server.
By default, what does a Cisco NTP server use as its reference time for syncing other devices?
Its own internal clock
What layer does CDP work in?
Layer 2, it uses a data link header but no IP headers
What is LLDP?
Link Layer Discovery Protocol (an L2 protocol, IEEE 802.1AB) allows routers and switches to see other devices' information without having to log into that device (almost the same as CDP, but LLDP is an IEEE standard and therefore vendor neutral)
What is buffered logging?
Log messages are stored in RAM. User can use the "show logging" command to view logs.
Can an NTP primary server act as a secondary server?
No. Primary means they are only servers, while secondary servers get their time from other servers. Primary also means they get their time directly from the reference clocks. They are stratum 1.
What devices have ARP tables?
PCs, Routers, L3 switches, and if an L2 switch has a management VLAN, it would also have it just for talking to PCs on the LAN. It's usually in a device that originates communication towards a device on the same LAN, where that device has an IP address destination but needs to know the MAC address. L2 switches are typically all about MAC tables/forwarding tables.
In DHCP snooping, which switch ports should be set to trusted? Also explain which port type would drop DHCP server messages.
Ports that are uplink ports relative to the DHCP server should be trusted (ports on switches pointing toward the DHCP server). Downlink ports (switch ports facing the client devices) should be set to untrusted. Untrusted means that an inspection of DHCP client messages will occur, and DHCP server messages received there will automatically be dropped. For messages received on trusted ports, the switch will not inspect the packet.
How do NTP stratum levels define NTP time accuracy hierarchies?
Stratum defines a distance to the original reference clock. At first, the server's own stratum is 8. It can be set to a lower number to represent more accuracy. Each NTP client device's stratum will be 1 + its NTP server's stratum, thus being perceived as less accurate. NTP clients will try to get the most accurate NTP-rated neighbor device they can reach.
An attacker can send a server a DHCP release message pretending to be another client, so that it can attempt to lease that IP address for itself. T or F?
True, but an entry in the DHCP snooping binding table for the original client would disallow the release message
If you set a device to be an NTP client referencing an internet NTP server with a stratum of 1, and then use the command "ntp master 7", what would it reference for its time data?
The stratum of lowest value will be used first (the internet server), and then, if it goes down, it will use the next highest stratum reference available, its own internal clock in this case (which is what masters aka NTP servers do by default).
"show lldp neighbors" displays capability codes which are currently enabled, but "show cdp neighbors" shows all possible codes whether enabled on any interface or not. T or F?
True
Because DAI uses the DHCP Snooping binding table, we need to set up DHCP snooping in order for DAI to allow any ARP traffic through. T or F?
True
Enterprise NTP servers ought to refer to at least two external NTP servers for redundancy. T or F?
True
Just like DHCP snooping, for DAI, you first enable it on a vlan, and then you select which ports to trust (the default is all untrusted). T or F?
True
NTP works the same way on routers and switches. T or F?
True
Typically, for DHCP Snooping and DAI, we set access ports connected to end user devices as untrusted. For DHCP snooping you'd have the uplinks pointing to the DHCP server as trusted. For DAI you would just have every other port as trusted. T or F?
True
Even though you can use DHCP to dynamically lease IP addresses to switch VLANs and router interfaces, it's better practice not to do so in enterprises. Use static addresses. T or F?
True (the exception is edge routers which use dhcp for their ISP-facing interface)
Although Cisco routers can be DHCP servers, it is not recommended in enterprise environments. Instead use a dedicated server. T or F?
True, it's also better because a server is a single centralized place to control all of the network's DHCP, rather than each router being configured differently. If more than one router is used, they need to be configured with DHCP relay, which points to the actual DHCP server.
NTP follows a client/server model. T or F?
True, servers supply time info and clients adjust their time to match
Switch ports have MAC addresses, but a router trying to communicate with PCs on the LAN will not set the destination MAC to any of the switch's ports; it will set its destination to the PC. The switch will typically forward the frame, not change it. T or F?
True, unless the destination is the switch, such as for management.
How do you give a router a virtual interface that can be used instead of one particular physical interface? What command?
Use a router loopback interface with the command: interface loopback [some ID number]. You'd then be in interface config mode and give it an IP address.
What is a spurious dhcp server?
When an attacker sets themselves up as a DHCP server (responding to client DHCP Discover messages), making itself the client's gateway and keeping a copy of all messages (a man-in-the-middle attack, also called DHCP poisoning)
What NTP command sets spring forward/ fall back time changes to the system clock? (name the rule EDT)
conf t
clock summer-time EDT recurring
What NTP command defines a timezone named EST which is 5 hours behind Universal Time Coordinated (UTC)?
conf t
clock timezone EST -5
What global command enables LLDP? What disables it?
conf t
lldp run OR no lldp run *turning this on means both transmit and receive LLDP messages
What is a port security violation mode, and what are the three?
It describes what action should be taken if a violation occurs: protect, restrict, or shutdown
What NTP command sets the time and date to Oct 1st 2023 at midnight plus one minute and 32 seconds?
enable
clock set 00:01:32 1 October 2023
What command sets the recovery interval used to recover an interface from an err-disabled state?
errdisable recovery interval [number of seconds]
What is the name for an ARP request initiated when a host changes its MAC address, which is typically a broadcast that is sent without first receiving an ARP request? (It is meant to say "hey everyone on the LAN, my new MAC address is x") (which can be used by attackers for poisoning other devices' ARP tables)
gratuitous ARP
What switch command shows DHCP leases used on this Cisco device?
show dhcp lease
What interface subcommand sets the Dynamic ARP Inspection rate limit (how many bursts per second before putting the interface in an err-disabled state)?
ip arp inspection limit rate [x number of messages per 1 second] OR ip arp inspection limit rate x burst interval y (x number of messages in y seconds)
What interface subcommand makes a port, within a DAI-enabled vlan, trusted?
ip arp inspection trust
What global command enables DAI on vlan 11?
ip arp inspection vlan 11
What two global commands are needed to enable DHCP snooping on a switch?
ip dhcp snooping
ip dhcp snooping vlan x
What interface subcommand puts a port as trusted for dhcp snooping?
ip dhcp snooping trust
What command on a router interface takes a packet destined for a DHCP server and relays it by changing the source IP to its own IP and changing the destination from 255.255.255.255 to the actual DHCP server's IP address? AKA: What command sets up DHCP relay on an interface?
ip helper-address [DHCP server IP address that's not in this LAN] *used if the DHCP server is outside of the host's subnet
On a windows pc, what command lists the routing table?
netstat -rn
What interface subcommand disables CDP?
no cdp enable
What global command disables CDP on the entire device?
no cdp run *cdp run enables it, although it's on by default on Cisco devices
To make DHCP Snooping work on a switch that is not also a DHCP relay agent, disable the option 82 feature using the ____ global command.
no ip dhcp snooping information option *the switch defaults to using this option, which is only appropriate if it's a layer 3 switch that is also a relay agent. If it's connected to a router that is the relay agent, you need to turn this off. And if it's not a relay agent for any other reason, it needs to be off.
If you wanted a port security violation type that blocked violating traffic but remained in an up state, didn't generate any log messages, and didn't increment the violation counter, which mode would you use?
protect
If you wanted a port security violation type that blocked violating traffic but remained in an up state AND showed log messages/incrementing the violation counter after violations, which mode would you use?
restrict
What command shows the same output as "show cdp neighbors detail" but for only one neighbor (by hostname)? For LLDP?
show cdp entry [hostname]
show lldp entry [hostname]
What command displays a list with short descriptions about each CDP neighbor?
show cdp neighbors OR show cdp neighbors [type and number such as fa 0/2]
What command displays a list with long descriptions about each CDP neighbor? For LLDP?
show cdp neighbors detail
show lldp neighbors detail
What command shows DAI's dropped ARP messages?
show ip arp inspection OR show ip arp inspection statistics
What command shows rate limit information about DAI interfaces?
show ip arp inspection interfaces
What command displays DHCP snooping's current settings?
show ip dhcp snooping (or: show ip dhcp snooping binding)
What command can you use to verify if an interface is acting as a relay agent?
show ip interface g0/0 *labeled as Helper Address
What command displays lldp neighbors?
show lldp neighbors
What command lists MAC addresses learned from ports with port security (aka secure MAC addresses)?
show mac address-table secure OR show mac address-table static (shows secure and static)
What command shows a list of NTP devices and the devices they reference for their time adjustments?
show ntp associations
How do you show the NTP details of a device?
show ntp status
What enable mode command shows a brief view of all interfaces that use port security?
show port-security
What command shows a certain interface's port security details?
show port-security interface fa 0/1
What commands turn a port back on after it has been placed in an err-disabled state caused by a port security violation?
shutdown, no shutdown
Once a port has port security enabled, the switch considers MAC addresses learned from this port as being (dynamic or static?).
static
To use switch port security, the port needs to be configured (statically or dynamically?) as either an access or trunk port.
statically
What switch command enables switchport security on a port?
switchport port-security
What command sets a specific allowed MAC address on a switch port?
switchport port-security mac-address [mac address]
What command puts dynamically-learned port-security MAC addresses into the running-config, so you don't have to manually enter the static secure MAC address, but the switch will still remember that one or several exact MAC addresses?
switchport port-security mac-address sticky *sticky addresses will never age out and will appear in the MAC address table as static *they are not in the startup-config, so you'll have to save the config if you want them remembered on startup
What command overrides the default max allowable MAC addresses on a port?
switchport port-security maximum [number]
What command sets the action to take after a port detects a security violation?
switchport port-security violation [protect, restrict, or shutdown]