Chapter 17


"Do I Know This Already?"

1. b
2. d
3. b
4. c
5. d
6. b
7. b

The trick is in the "maximum 3" keywords. This sets the maximum number of addresses that can be learned on a port. If only one static address is configured, two more addresses can be learned dynamically.

8. c
9. a
10. b
11. c
12. c

Because of the variety of user host platforms, port-based authentication (802.1x) cannot be used. The problem also states that the goal is to restrict access to physical switch ports, so AAA is of no benefit. Port security can do the job by restricting access according to the end users' MAC addresses.

13. b
14. c

Q&A

1.

What does the acronym AAA stand for?

Answer:

Authentication, authorization, and accounting

2.

What external methods of authentication does a Catalyst switch support?

Answer:

RADIUS and TACACS+

3.

A RADIUS server is located at IP address 192.168.199.10. What command configures a Catalyst switch to find the server?

Answer:

radius-server host 192.168.199.10

4.

A Catalyst switch should be configured to authenticate users against RADIUS servers first, followed by TACACS+ servers. What command can define the authentication methods? Make sure users still can authenticate if none of the servers is available.

Answer:

aaa authentication login default radius tacacs+ local
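The method list in this answer is only as safe as the fallback rule behind it. The Python model below is an added illustration, not Cisco code: the three "servers" are constructed stubs, and the rule it encodes is the one IOS documents for method lists, namely that the next method is consulted only when the current one returns an error (server unreachable), never when it returns a reject (wrong credentials). The trailing `local` method is what keeps an administrator from being locked out during a server outage.

```python
"""Model of an IOS login method list such as
'aaa authentication login default radius tacacs+ local'.
Added illustration, not Cisco code: every server here is a constructed stub."""

ACCEPT, REJECT, ERROR = "ACCEPT", "REJECT", "ERROR"

# Constructed sample user databases standing in for the real servers.
RADIUS_USERS = {"alice": "radius-pw"}
TACACS_USERS = {"bob": "tacacs-pw"}
LOCAL_USERS = {"admin": "local-pw"}   # 'username admin ...' configured on the switch


def make_server(name, users, reachable=True):
    """Return a callable that behaves like one authentication method."""
    def authenticate(user, password):
        if not reachable:
            return ERROR          # request timed out: the method is unavailable
        if users.get(user) == password:
            return ACCEPT
        return REJECT             # the server answered and refused the credentials
    authenticate.method_name = name
    return authenticate


def login(method_list, user, password):
    """Walk the method list the way IOS does; return (result, method that decided)."""
    for method in method_list:
        result = method(user, password)
        if result in (ACCEPT, REJECT):
            return result, method.method_name
        # ERROR: this method could not answer, so try the next one in the list
    return REJECT, None   # every method errored and no 'none' method was configured


def demo():
    radius_up = make_server("radius", RADIUS_USERS)
    radius_down = make_server("radius", RADIUS_USERS, reachable=False)
    tacacs_down = make_server("tacacs+", TACACS_USERS, reachable=False)
    local = make_server("local", LOCAL_USERS)
    return {
        # RADIUS answers, so TACACS+ and local are never consulted.
        "radius_accepts": login([radius_up, tacacs_down, local], "alice", "radius-pw"),
        # RADIUS answered REJECT: IOS does NOT fall through to the local database.
        "radius_rejects": login([radius_up, tacacs_down, local], "admin", "local-pw"),
        # Both servers unreachable: 'local' keeps the administrator from being locked out.
        "servers_down": login([radius_down, tacacs_down, local], "admin", "local-pw"),
        # Without the trailing 'local', a server outage means nobody can log in.
        "no_local": login([radius_down, tacacs_down], "admin", "local-pw"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The `radius_rejects` case is the one worth remembering: a valid local password does not help once a reachable RADIUS server has said no, so the local database is a fallback for outages, not a second chance at authentication.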

5.

What is the purpose of authorization? What happens if authorization is not used?

Answer:

Authorization allows an external server to decide whether the authenticated user can gain access to specific resources or switch commands. If authorization is not used, the default behavior is that all users must authenticate as they move to the appropriate privilege level to run switch commands.

6.

Is it possible to use different methods to authorize users to run switch commands instead of making configuration changes?

Answer:

Yes; the aaa authorization command separates these functions so that each can have its own method list.

7.

When might the command switchport port-security maximum 2 be used?

Answer:

The switchport port-security maximum 2 command might be used if it is too much trouble to manually configure MAC addresses into the port security feature. Up to two MAC addresses then would be learned dynamically. The network administrator also might want to control what is connected to that switch port. If another switch or a hub were connected, the total number of active stations easily could rise above two.
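The following Python model is an added illustration, not Cisco code, of the address counting described in this answer and in the "maximum 3" note in the "Do I Know This Already?" section: static addresses and dynamically learned addresses share the same maximum, and the first new source MAC beyond it is a violation. The three violation modes it names (shutdown, restrict, protect) are the IOS ones, but their behaviour is simplified, and the MAC addresses are constructed sample values.

```python
"""Model of 'switchport port-security maximum N' with static and dynamic addresses.
Added illustration, not Cisco code; violation handling is simplified."""


class PortSecurity:
    def __init__(self, maximum, static=(), violation="shutdown"):
        if len(static) > maximum:
            raise ValueError("static addresses exceed the configured maximum")
        self.maximum = maximum
        self.secure = {mac: "static" for mac in static}   # the secure address table
        self.violation = violation
        self.err_disabled = False
        self.violation_count = 0

    def dynamic_slots_left(self):
        """How many more addresses may still be learned dynamically."""
        return self.maximum - len(self.secure)

    def receive(self, src_mac):
        """Process one ingress frame and return what the switch does with it."""
        if self.err_disabled:
            return "dropped (port err-disabled)"
        if src_mac in self.secure:
            return "forwarded"
        if self.dynamic_slots_left() > 0:
            self.secure[src_mac] = "dynamic"   # learned; counts toward the maximum
            return "forwarded (learned)"
        # A new source MAC beyond the maximum is a security violation.
        self.violation_count += 1
        if self.violation == "shutdown":
            self.err_disabled = True           # port goes to err-disabled state
            return "dropped (port shut down)"
        if self.violation == "restrict":
            return "dropped (counted and logged)"
        return "dropped"                       # protect: silently discarded


def demo(violation="shutdown"):
    """'maximum 3' with one static address: two more MACs can be learned."""
    port = PortSecurity(maximum=3, static=["00:00:00:00:00:01"], violation=violation)
    frames = [                      # constructed sequence of source MACs seen on the port
        "00:00:00:00:00:01",        # the static address
        "00:00:00:00:00:02",        # learned dynamically (1 of 2)
        "00:00:00:00:00:03",        # learned dynamically (2 of 2)
        "00:00:00:00:00:02",        # already secure
        "00:00:00:00:00:04",        # fourth address: violation
        "00:00:00:00:00:01",        # static again; fate depends on the violation mode
    ]
    return [port.receive(mac) for mac in frames], port.dynamic_slots_left(), port.err_disabled


if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        print(mode, demo(mode))
```

Running `demo()` for each mode shows the operational difference the answer hints at: with a hub or second switch behind the port, shutdown mode takes every legitimate station on that port offline at the fourth address, while protect and restrict only discard the frames from the extra addresses.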

8.

After port-based authentication is configured and enabled, can any host connect as long as the user can authenticate?

Answer:

No, only hosts that have 802.1x-capable applications can communicate with the switch port to properly authenticate.

9.

When the 802.1x force-authorized keyword is used, how does the switch react to users attempting to connect?

Answer:

The switch always authorizes any connecting user, without any authentication.

10.

Can more than one host be authenticated on a single switch port with port-based authentication?

Answer:

Yes, if the dot1x multi-hosts command is configured on the switch port interface.

11.

In DHCP spoofing and ARP poisoning attacks, what is the goal of the attacker? What Catalyst features can be used to mitigate the risk of these attacks?

Answer:

In both types of attacks, the attacker is attempting to be positioned as a man-in-the-middle, to be used as the default gateway address by unsuspecting clients. Sitting between a client and other resources, the attacker then can intercept and inspect packets coming from the client. The DHCP snooping and dynamic ARP inspection (DAI) Catalyst switch features can be used to detect and prevent these attacks when they are attempted.

12.

Which switch ports should be configured as trusted for DHCP snooping?

Answer:

You should configure a port as trusted only if it connects to a known, trusted DHCP server. In addition, you can make a port trusted if it connects to another switch that also is performing DHCP snooping.

13.

What is the function of a trusted port in DAI?

Answer:

No ARP inspection is performed on a trusted port; the inspection process is reserved for ARP replies on untrusted ports only. You can configure a port as trusted if it connects to a neighboring switch that also has DAI enabled or if it connects to a trusted host.

14.

To inspect ARP information from a host that has received its IP address from a DHCP server, what must be enabled in addition to DAI?

Answer:

DHCP snooping must be enabled, too. The DHCP snooping feature maintains a database of dynamic MAC-to-IP address mappings. This information is used by DAI to validate the ARP responses it inspects.
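Questions 11 through 14 describe one mechanism from several angles: DHCP snooping builds a binding table from leases confirmed on trusted ports, and DAI checks ARP traffic on untrusted ports against that table. The Python model below is an added illustration, not Cisco code: the port names, MAC addresses, IP addresses and message sequence are constructed, and real DAI inspects ARP requests as well as replies, which the model also does. It shows why a port facing a rogue DHCP server or an ARP-poisoning host is contained, and why DAI has nothing to check against when DHCP snooping is off.

```python
"""Model of DHCP snooping feeding dynamic ARP inspection (DAI) on a Catalyst switch.
Added illustration, not Cisco code: ports, messages and the binding table are
simplified, constructed stand-ins for the real features."""

from dataclasses import dataclass, field

DHCP_SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # only a DHCP server sends these


@dataclass(frozen=True)
class Port:
    name: str
    trusted: bool = False   # 'ip dhcp snooping trust' / 'ip arp inspection trust'


@dataclass
class Switch:
    # Snooping binding table: client MAC -> IP leased to it by a trusted server
    bindings: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def dhcp(self, port, msg, client_mac, yiaddr=None):
        """Apply DHCP snooping to one DHCP message arriving on 'port'."""
        if msg in DHCP_SERVER_MESSAGES and not port.trusted:
            # Server messages may only enter on trusted ports; anything else is a rogue server.
            self.log.append(f"{port.name}: dropped rogue DHCP {msg}")
            return "dropped"
        if msg == "ACK":
            # A lease confirmed by a trusted server populates the binding table.
            self.bindings[client_mac] = yiaddr
            self.log.append(f"{port.name}: binding {client_mac} -> {yiaddr}")
        return "forwarded"

    def arp(self, port, sender_mac, sender_ip):
        """Apply DAI to an ARP packet arriving on 'port'."""
        if port.trusted:
            return "forwarded"      # trusted ports are not inspected at all
        if self.bindings.get(sender_mac) == sender_ip:
            return "forwarded"      # sender MAC/IP pair matches a snooped lease
        self.log.append(f"{port.name}: DAI dropped ARP {sender_mac} claims {sender_ip}")
        return "dropped"


def demo():
    uplink = Port("Gi0/1", trusted=True)   # toward the DHCP server / a DAI-enabled switch
    host_a = Port("Gi0/5")                 # untrusted access ports
    host_b = Port("Gi0/6")
    sw = Switch()
    results = {}
    # Legitimate lease: the ACK arrives on the trusted uplink, so a binding is created.
    results["lease"] = sw.dhcp(uplink, "ACK", "aa:aa:aa:aa:aa:01", "10.1.1.20")
    # A DHCP OFFER arriving on an access port means a rogue server; it never reaches clients.
    results["rogue_offer"] = sw.dhcp(host_b, "OFFER", "aa:aa:aa:aa:aa:01", "10.1.1.21")
    # Host A answers ARP with the address it leased: consistent with the binding table.
    results["valid_arp"] = sw.arp(host_a, "aa:aa:aa:aa:aa:01", "10.1.1.20")
    # Host B claims the gateway address 10.1.1.1 with its own MAC: the poisoning case, dropped.
    results["poison_arp"] = sw.arp(host_b, "bb:bb:bb:bb:bb:02", "10.1.1.1")
    # Host B has no binding at all: DAI has nothing to validate against and drops it,
    # which is why question 14 requires DHCP snooping alongside DAI.
    results["no_binding"] = sw.arp(host_b, "bb:bb:bb:bb:bb:02", "10.1.1.30")
    # The real gateway's reply enters on the trusted uplink and is not inspected.
    results["trusted_arp"] = sw.arp(uplink, "cc:cc:cc:cc:cc:03", "10.1.1.1")
    return results, dict(sw.bindings), list(sw.log)


if __name__ == "__main__":
    results, bindings, log = demo()
    print(results, bindings, *log, sep="\n")
```

The `no_binding` case is the practical caveat: a host with a static address on an untrusted port is also dropped by this logic, which is why real deployments add ARP ACLs for such hosts or mark the port trusted, as the answer to question 13 allows for a trusted host.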



CCNP Self-Study(c) CCNP BCMSN Exam Certification Guide