CCC NET 126 Chapter 2


late collision

A collision that occurs after 512 bytes of an Ethernet frame - the preamble - have been transmitted.

dynamic secure MAC address

A port security method used when MAC addresses are dynamically learned from frames entering a switch port. The address is added to the MAC address table but is removed when the switch restarts.

show version

Displays status of system hardware and software

show mac-address-table or show mac address-table

Displays the MAC address table

switchport port-security violation protect

Frames with unknown source addresses are dropped and a notification is sent.

switchport port-security violation restrict

Frames with unknown source addresses are dropped and no notification is sent.

Full-duplex communication increases effective bandwidth by allowing both ends of a connection to transmit and receive data simultaneously.

How does full-duplex communication increase effective bandwidth on a network?

It has been manually disabled (the shutdown command has been issued) in the active configuration.

If the interface is administratively down.

There could be an encapsulation type mismatch, the interface on the other end could be error-disabled, or there could be a hardware problem.

If the interface is up and the line protocol is down, a problem exists.

A cable is not attached or some other interface problem exists.

If the line protocol and the interface are both down.

Shutdown

In this (default) violation mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It increments the violation counter. When a secure port is in the error-disabled state, it can be brought out of this state by entering the shutdown and no shutdown interface configuration mode commands.

Local master clock; master clock on the Internet; GPS or atomic clock.

NTP can get the correct time from an internal or external time source including the following:

switch virtual interface - SVI

Provides basic Layer 3 functions for a switch, which does not have a dedicated physical interface for IP addressing.

22, 23

SSH is assigned to TCP port ______. Telnet is assigned to TCP port ______.

The 10/100/1000 ports operate in either half- or full-duplex mode when they are set to 10 or 100 Mb/s, but when they are set to 1000 Mb/s (1 Gb/s), they operate only in full-duplex mode.

Switch port speeds come in 10/100/1000. Which can be set to half-duplex?

CDP discovers other Cisco devices that are directly connected, which allows the devices to auto-configure their connection. In some cases, this simplifies configuration and connectivity.

The Cisco Discovery Protocol (CDP) is a proprietary protocol that all Cisco devices can be configured to use. What does CDP do, and how can it assist you?

MAC address flooding

The attacker fills the switch MAC address table with invalid MAC addresses.

On the management VLAN. A Layer 2 switch is allotted a single Layer 3 logical address in the form of a switch virtual interface (SVI), which is used for managing the switch.

The network administrator wants to configure an IP address on a Cisco switch. How does the network administrator assign the IP address?

show controllers ethernet-controller fa 0/1 phy | include Auto-MDIX

What command would you use to examine the auto-MDIX setting for Fastethernet port 0/1?

load a power-on self-test program

What is the first action in the boot sequence when a switch is powered on?

The boot loader provides access into the switch if the operating system cannot be used because of missing or damaged system files.

When does the boot loader provide access into the switch?

For security purposes

Why is it considered a best practice to use a VLAN other than VLAN 1 for the management VLAN?

output errors

The sum of all errors that prevented the final transmission of datagrams out of the interface that is being examined.

Automatic medium-dependent interface crossover - auto-MDIX

A feature that allows a port to automatically sense what type of cable - crossover or straight-through - is attached and configure the port so it will function properly.

security audit

A gathering of information to determine the type of information an attacker could obtain by capturing and analyzing network traffic.

port security

A generic term meaning procedures and configurations performed on a switch interface to protect the network from attacks and unauthorized wired devices.

Cisco discovery protocol - CDP

A media and protocol independent device-discovery protocol that runs on Cisco equipment such as routers, access servers, bridges, and switches. With this enabled, a device can advertise its existence to other directly connected devices and receive information about other devices on the same LAN or on the remote side of a WAN.

Connect a host to an interface associated with VLAN 99.

A network administrator has configured ​VLAN 99 as the management VLAN and has configured it with an IP address and subnet mask. The administrator issues the show interface vlan 99 command and notices that the line protocol is down. Which action can change the state of the line protocol to up?

static secure MAC address

A port security method used when MAC addresses are manually configured on a switch port.

sticky secure MAC address

A port security method used where MAC addresses are either manually configured or dynamically learned from frames entering a switch port. The addresses are stored in the MAC address table and automatically added to the switch running configuration.

runt

A problematic Ethernet frame of a size less than 64 bytes, the minimum frame size. These are caused by malfunctioning NICs and improperly terminated Ethernet cables.

giant

A problematic Ethernet frame of excess size caused by a malfunctioning NIC or an improperly terminated or unterminated cable.

secure shell - SSH

A protocol that supports secure communication with a remote device that has been configured to accept an SSH connection.

Network Time Protocol - NTP

A protocol used to synchronize the date and time for networked devices.

MAC address table overflow attack

A security issue when an attacker sends multiple frames that contain fake source MAC addresses that are entered into and fill the MAC address table of a switch. The switch is forced to broadcast all frames out all ports allowing an attacker to capture and view addresses.

DHCP spoofing attacks

A server is inserted into the network after launching a DHCP starvation attack. The illegitimate DHCP server issues inappropriate IP address-associated information so that clients send network traffic to a machine controlled by the attacker.

boot loader

A small program stored in ROM that runs immediately after POST successfully completes. It is used to initialize a network device like a router or a switch. This locates and launches the operating system.

trusted port

A switch port that has been identified as one that can source any type of DHCP message. These ports have a DHCP server attached or can be a port that is a link that connects toward the DHCP server.

untrusted port

A switch port that has been identified as one that is allowed to accept - source - only DHCP request messages. All other types of DHCP message types are denied. These are used with enabling DHCP snooping to prevent an unauthorized device from providing IP address-related information to legitimate network devices.

MAC flood attack

A type of attack that is the same as MAC address table overflow attack.

1. First, the switch loads a power-on self-test (POST) program stored in ROM. POST checks the CPU subsystem. It tests the CPU, DRAM, and the portion of the flash device that makes up the flash file system.
2. Next, the switch loads the boot loader software. The boot loader is a small program stored in ROM and is run immediately after POST successfully completes.
3. The boot loader performs low-level CPU initialization. It initializes the CPU registers, which control where physical memory is mapped, the quantity of memory, and its speed.
4. The boot loader initializes the flash file system on the system board.
5. Finally, the boot loader locates and loads a default IOS operating system software image into memory and hands control of the switch over to the IOS.

After a Cisco switch is powered on, it goes through a boot sequence. Explain each step.

Telnet DoS attack

An attack that locks a legitimate network administrator from remotely accessing a network device using Telnet.

Packets with unknown source addresses are dropped and the interface becomes error-disabled and turns off the port LED.

An attacker has bypassed physical security and was able to connect a laptop to an Ethernet interface on a switch. If all the switch ports are configured with port security and the violation mode is set to factory default, which action is taken against the attacker?

penetration testing

An intentional attack by authorized personnel against a network to determine network vulnerabilities.

DHCP snooping

An optional switch security feature that acts as a firewall between untrusted network devices and trusted DHCP servers.

denial-of-service attack - DoS

Any attack that prevents legitimate network devices from sending data on or participating in the network.

DHCP starvation

Broadcast requests for IP addresses with spoofed MAC addresses

By default, the switch is configured to have the management of the switch controlled through VLAN 1.

By default, the switch is configured to have the management of the switch controlled through which VLAN?

All ports are assigned to VLAN 1 by default.

By default, which switch ports are assigned to VLAN 1?

Gigabit Ethernet and 10Gb NICs require full-duplex connections to operate.

Can Gigabit Ethernet and 10Gb NICs work at half duplex?

Adjusting port speed, bandwidth, and security requirements.

Cisco switches run a Cisco IOS, and can be manually configured to better meet the needs of the network. This includes:

show ip (interface-id)

Displays IP information about an interface

show startup-config

Displays current startup configuration

show history

Displays history of commands entered

show flash:

Displays information about the flash file system

show interfaces (interface id)

Displays interface status and configuration

Port security limits the number of valid MAC addresses allowed on a port. The MAC addresses of legitimate devices are allowed access, while other MAC addresses are denied.

Explain how port security works.

Check to make sure that the proper cables are being used. Additionally, check the cable and connectors for damage. If a bad or incorrect cable is suspected, replace the cable. If the interface is still down, the problem may be due to a mismatch in speed setting. The speed of an interface is typically auto-negotiated; therefore, even if it is manually configured on one interface, the connecting interface should auto-negotiate accordingly. If a speed mismatch does occur through misconfiguration or a hardware or software issue, then that may result in the interface going down. Manually set the same speed on both conne

Explain in detail what to do if the interface is down:

Telnet is an older protocol that uses unsecure plaintext transmission of both the login authentication (username and password) and the data transmitted between the communicating devices.

Explain what the problems with using Telnet are.

Numerous DHCP requests are sent to the DHCP server from spoofed hosts, causing the DHCP address pool to become depleted.

How can DHCP packets be used to threaten a switched LAN?

To mitigate DHCP attacks, use the DHCP snooping and port security features on the Cisco Catalyst switches.

How can you mitigate DHCP attacks?

To mitigate against brute force password attacks use strong passwords that are changed frequently.

How can you mitigate against brute force password attacks?

Using the show interfaces command, check for indications of excessive noise. Indications may include an increase in the counters for runts, giants, and CRC errors. If there is excessive noise, first find and remove the source of the noise, if possible. Also, verify that the cable does not exceed the maximum cable length and check the type of cable that is used. For copper cable, it is recommended that you use at least Category 5. If noise is not an issue, check for excessive collisions. If there are collisions or late collisions, verify the duplex settings on both ends of the connection. Much like the speed setting, the duplex setting is usually auto-negotiated. If there does appear to be a duplex mismatch, manually set the duplex on both connection ends. It is recommended to use full-duplex if both sides support it.

If the interface is up, but issues with connectivity are still present:

access

In a properly designed network, LAN switches are responsible for directing and controlling the data flow at the _______ layer to networked resources.

Develop a written security policy for the organization. Shut down unused services and ports. Use strong passwords and change them often. Control physical access to devices. Avoid using standard insecure HTTP websites, especially for login screens; instead use the more secure HTTPS. Perform backups and test the backed up files on a regular basis. Educate employees about social engineering attacks, and develop policies to validate identities over the phone, via email, and in person. Encrypt and password-protect sensitive data. Implement security hardware and software, such as firewalls. Keep software up-to-date by installing security patches weekly or daily, if possible.

List the best practices for securing a network.

Because penetration tests can have adverse effects on the network, they are carried out under very controlled conditions, following documented procedures detailed in a comprehensive network security policy. An off-line test bed network that mimics the actual production network is the ideal. The test bed network can be used by networking staff to perform network penetration tests.

Penetration tests can have adverse effects on a network. Explain what needs to be done to minimize these factors.

50 to 60; 100; 200

Standard, shared hub-based Ethernet configuration efficiency is typically rated at _____ to _____ percent of the stated bandwidth. Full-duplex offers ______ percent efficiency in both directions (transmitting and receiving). This results in a ______ percent potential use of the stated bandwidth.

Interface status - refers to the hardware layer and, essentially, reflects whether the interface is receiving the carrier detect signal from the other end. Line protocol status - refers to the data link layer and reflects whether the data link layer protocol keepalives are being received.

The output from the show interface command can be used to detect common media issues. One of the most important parts of this output is the display of the line and data link protocol status. Explain each in detail.

Collisions

These in half-duplex operations are completely normal and you should not worry about them, as long as you are pleased with half-duplex operations. However, you should never see these in a properly designed and configured network that uses full-duplex communication. It is highly recommended that you use full-duplex unless you have older or legacy equipment that requires half-duplex.

CRC error

This is a process to check for errors within the Layer 2 frame. The sending device generates a CRC and includes this value in the FCS field. The receiving device generates a CRC and compares it to the received CRC to look for errors. If they match, no error has occurred. If they do not match, the frame is dropped. These on Ethernet and serial interfaces usually mean a media or cable problem.

DHCP starvation attack

This type of attack overloads a DHCP server with illegitimate requests. When the DHCP pool of IP addresses is empty, DHCP requests from legitimate network clients cannot be fulfilled, and as a result the devices cannot participate in the network. This attack is commonly used before a DHCP spoofing attack.

To remotely manage a switch it needs to have an IP address and default gateway configured.

To remotely manage a switch, what does it need to have configured?

brute force password attack

Uses a trial-and-error approach to password cracking using software programs that run combinations of characters and common dictionary words to decipher passwords.

Telnet attack

Using brute force password attacks to gain access to a switch.

CDP attack

Using proprietary Cisco protocols to gain information about a switch.

Autonegotiation sets duplex and speed. Autonegotiation is the default mode for a Cisco switch port.

What two tasks does autonegotiation in an Ethernet network accomplish?

Security auditing and penetration testing are two basic functions that network security tools perform.

What are two basic functions that network security tools perform?

Mismatched settings for the duplex mode and speed of switch ports can cause connectivity issues. Auto-negotiation failure creates mismatched settings.

What are two issues that can cause connectivity issues between ports?

Change passwords regularly. Turn off unnecessary services.

What are two ways to make a switch less vulnerable to attacks like MAC address flooding, CDP attacks, and Telnet attacks?

To display port security settings for the switch or for the specified interface, use the show port-security [interface interface-id] command.

What command can you use to display port security settings for the switch or for the specified interface?

Use the show ip ssh command to verify that the switch supports SSH.

What command can you use to verify that a switch supports SSH?

The boot loader command line supports commands to format the flash file system, reinstall the operating system software, and recover from a lost or forgotten password. For example, the dir command can be used to view a list of files within a specified directory.

What commands can be executed through the boot loader command line interface?

When using auto-MDIX on an interface, the interface speed and duplex must be set to auto so that the feature operates correctly.

What else must be set to auto when using auto-MDIX on an interface?

Network Time Protocol (NTP) is a protocol that is used to synchronize the clocks of computer systems over packet-switched, variable-latency data networks. NTP allows network devices to synchronize their time settings with an NTP server.

What is Network Time Protocol (NTP)?

When a server connects to a switch, the switch port should have the port speed manually configured, and the autonegotiation feature should be used for duplex.

What is a Cisco best practice for deploying switches?

A secure method of providing clocking for the network is for network administrators to implement their own private network master clocks, synchronized to UTC, using satellite or radio.

What is a secure method of providing clocking for a network?

A simple method that many administrators use to help secure the network from unauthorized access is to disable all unused ports on a switch.

What is a simple method that many administrators use to help secure the network from unauthorized access?

Network administrators are provided with correct timestamps on log messages. This is especially important when troubleshooting problems.

What is an advantage of having the correct date and time on a network device?

Username and password authentication. SSH is a more secure method of accessing a device from a remote network.

What is an advantage of using SSH over Telnet when remotely connecting to a switch?

One way to mitigate MAC address table overflow attacks is to configure port security.

What is one way to mitigate MAC address table overflow attacks?

If the device connected to this port is also set for full duplex, the device participates in collision-free communication. The switch will connect with full duplex when autonegotiating with a peer device. The default configuration for a switch port is autonegotiation.

What is the effect of entering the following command on a Fast Ethernet switch port? SW1 (config-if)# duplex full

Prevents unauthorized DHCP servers. When DHCP snooping is configured, switch ports are configured as either trusted or untrusted ports. A device connected to a trusted port can send any type of DHCP message into the switch. An untrusted port only allows DHCP requests.

What is the purpose of DHCP snooping?

The administrator should determine what caused the security violation before re-enabling the port.

What should an administrator do before re-enabling a port that has been shut down with port security?

To prepare a switch for remote management access, the switch must be configured with an IP address and a subnet mask. Keep in mind that to manage the switch from a remote network, the switch must also be configured with a default gateway.

What three things are necessary for a switch to be managed from a remote network?

A security audit reveals the type of information an attacker can gather simply by monitoring network traffic.

What type of information does a security audit reveal?

Restrict

When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until a sufficient number of secure MAC addresses are removed, or the number of maximum allowable addresses is increased. In this mode, there is a notification that a security violation has occurred.

Protect

When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until a sufficient number of secure MAC addresses are removed, or the number of maximum allowable addresses is increased. There is no notification that a security violation has occurred.

When the cable type is unknown. Auto-MDIX is not supported on every device, but if supported, this feature will allow the interface to automatically detect the required connection type and configure the port appropriately.

When would auto-MDIX be best to use?

Half-duplex communication creates performance issues because data can flow in only one direction at a time, often resulting in collisions.

Why does half-duplex communication create performance issues? What happens?

The default gateway provides a means for the administrator of the switch to access networks not directly connected to the switch and allows for remote connectivity from a different network because when connected, the return packets from the switch can be sent to the remote network device.

Why should a default gateway be assigned to a switch?
