Intent Based Networking

CCNP Switch 300-115 Study Guide – Switch Security

I recently sat my CCNP 300-115 – Switch exam. I spent months taking notes on all of the important information needed to pass the exam. This study guide focuses on all things related to Switch Security.

Please see the other CCNP Switch Study Guides

Infrastructure/ Switch Security

  • Command to configure a switch to automatically re-enable ports after a shutdown violation – #errdisable recovery cause psecure-violation
  • If errdisable recovery is configured, the interface is recovered automatically when the root problem is corrected
  • The #show errdisable recovery command displays the conditions for which autorecovery is enabled.
  • Port security must be enabled at the port level and the port must be an access port
  • Port security can also be configured on static trunk ports
  • Default value for the errdisable recovery interval is 300 seconds
  • Port security is disabled on a switch by default.
  • Two ways a port can respond to a port security violation – the port enters the errdisable state, or the security violation counter is incremented and the port sends an SNMP trap
  • Shutdown is the default violation mode
  • Command to configure the switch to learn only one MAC address – #switchport port-security maximum 1
  • A port security violation occurs when a secure MAC address learned on one port attempts to use a different port in the same VLAN, or when a port has received more MAC addresses than allowed
  • Security violation mode that drops unknown packets and then sends a trap – restrict
  • Two circumstances that can cause a port to errdisable – the switch incurred a port security violation, or it learned a new MAC address.
  • #show interface status err-disabled – enables you to determine whether any interface on the device was shut down
  • Portion of AAA that looks at what the user has access to – authorisation
  • The AAA authorisation type that includes PPP, SLIP and ARAP – network
  • Authentication service needed to configure 802.1X – RADIUS with EAP extension
  • When a network engineer configures port security and 802.1X on the same interface – it allows port security to secure the MAC address that 802.1X authenticates
  • Command used to log in a user and give immediate access to privileged mode – aaa authorization exec default group radius
  • Three types of RADIUS server responses – accept, reject, challenge
  • Features of TACACS+ – encrypts the whole payload, uses TCP, separates authentication and authorisation
  • Command used to force the default authentication group to fall back to the case-sensitive local user database – aaa authentication login default group tacacs+ local-case if-authenticated
  • Command used so that the device falls back to the local database when TACACS+ is unreachable – aaa authentication login default group tacacs+ local
  • How to configure a device to use a remote security database – configure the device to query the remote security database, and configure the user profile in the remote security database
  • TACACS+ separates the AAA attributes
  • RADIUS – industry-standard AAA mechanism that uses a vendor-neutral mechanism for user authentication and authorisation
  • Command used to configure vendor-specific attributes with RADIUS – #radius-server vsa send
  • Two types of packets that TACACS+ works with – request, response
  • Three features of TACACS+ – uses TCP port 49, supports packet encryption, supports a client-server architecture
  • TACACS+ = Cisco proprietary
  • Effect of the line keyword entered at the end of an AAA method list – sets the last-resort fallback authentication method
  • Two differences between RADIUS and TACACS+ – only RADIUS uses UDP, and only TACACS+ uses user privilege levels to determine which commands the user can execute
  • Two statements about the local user database – it can be configured to grant a user-specific privilege level, and it can be used as the only method of authentication or as a backup for other methods
  • TACACS+ encrypts the entire TCP packet containing TACACS+ information
  • TACACS+ supports PAP and CHAP authentication
  • AAA authorisation method that uses a vendor-neutral directory information protocol – LDAP
  • Command that enables a RADIUS server configuration to use vendor-proprietary attributes – radius-server vsa send authentication
  • Three features of AAA with RADIUS – it encrypts the password for transmission, it integrates authorisation and authentication methods, it secures access to network devices
  • Two statements about TACACS+ – it is Cisco proprietary technology, and it supports several less common protocols in addition to IP
  • TACACS+ – a form of centralised device authentication that allows each AAA feature to function separately
  • Console is a backup authentication method, and you can set user privilege levels
  • The local user database can be the main or the backup authentication method, and you can set user privilege levels
  • Protocol that offers data integrity, encryption, authentication and anti-replay functions for IPsec VPN – ESP
  • Types of firewalls that work at layer 4 and above – application layer, stateful inspection
  • Command used to override the priority of frames arriving on a Cisco phone – #switchport priority extend trust
  • On a Catalyst 6500, which feature provides network security enforcement – VACL
  • Cisco's recommendation for security at the distribution layer is to use standard and extended access lists.
  • Command used to configure a vty line to use the mylist authorisation method – #authorization exec mylist
  • Command to automatically place users in enable mode after they authenticate with TACACS+ – aaa authentication exec default group tacacs+ if-authenticated
  • TACACS+ – encryption is performed on the entire packet, and each AAA function is processed separately
  • RADIUS – encryption is performed only on the password component, and authentication and authorisation are processed together.
  • Two ways a port responds to a port-security violation – the port enters the err-disabled state, or the port enters the shutdown state.
  • errdisable recovery command option that enables a device to recover from an incorrect SFP state – gbic-invalid
  • #show interface status err-disabled – used to verify the errdisable state on any interface
  • #show errdisable recovery – used to view the reason a port was error-disabled
  • Errdisable detection is enabled by default on ports with port security enabled
  • When a port is error-disabled, all traffic stops on the port and the port LED changes to solid orange.
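The port-security bullets above (access or static trunk port required, shutdown as the default violation mode, errdisable auto-recovery via `errdisable recovery cause psecure-violation`) can be checked mechanically against a saved configuration. The script below is an added example written for this study guide, not Cisco code; the running-config text it parses is constructed for the example, and the interface names and findings wording are my own.

```python
"""Port-security hygiene audit for an IOS-style running configuration.

Added example for this study guide, not Cisco code. It parses interface
stanzas from a constructed config and reports: port security on a dynamic
(DTP) port, access ports with no port security, ports relying on the
implicit maximum of 1, and a missing errdisable auto-recovery cause.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample running-config (not captured from a real switch).
SAMPLE_CONFIG = """\
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport port-security
!
interface GigabitEthernet1/0/3
 switchport mode trunk
 switchport port-security
 switchport port-security maximum 5
!
interface GigabitEthernet1/0/4
 switchport mode access
!
interface GigabitEthernet1/0/5
 switchport port-security
!
"""

@dataclass
class Iface:
    name: str
    mode: str = "dynamic"          # no 'switchport mode' line => dynamic (DTP) port
    psec: bool = False
    maximum: Optional[int] = None  # None => the implicit IOS default of 1 applies
    violation: str = "shutdown"    # IOS default violation mode

MAX_RE = re.compile(r"switchport port-security maximum (\d+)")
VIOL_RE = re.compile(r"switchport port-security violation (\w+)")

def parse_config(text: str) -> Tuple[List[str], Dict[str, Iface]]:
    """Split a config into global commands and per-interface Iface records."""
    global_cmds: List[str] = []
    ifaces: Dict[str, Iface] = {}
    cur: Optional[Iface] = None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            cur = Iface(name=raw.split(None, 1)[1].strip())
            ifaces[cur.name] = cur
        elif raw.startswith(" ") and cur is not None:
            cmd = raw.strip()
            if cmd.startswith("switchport mode "):
                cur.mode = cmd.split()[-1]
            elif cmd == "switchport port-security":
                cur.psec = True
            elif MAX_RE.fullmatch(cmd):
                cur.maximum = int(MAX_RE.fullmatch(cmd).group(1))
            elif VIOL_RE.fullmatch(cmd):
                cur.violation = VIOL_RE.fullmatch(cmd).group(1)
        else:
            cur = None                      # '!' or a global line ends the stanza
            if raw.strip() and raw.strip() != "!":
                global_cmds.append(raw.strip())
    return global_cmds, ifaces

def audit(text: str) -> List[str]:
    """Return one human-readable finding per problem, in config order."""
    global_cmds, ifaces = parse_config(text)
    findings: List[str] = []
    if "errdisable recovery cause psecure-violation" not in global_cmds:
        findings.append("global: no errdisable auto-recovery for psecure-violation; "
                        "shutdown-mode violations stay down until shutdown/no shutdown")
    for i in ifaces.values():
        if i.psec and i.mode not in ("access", "trunk"):
            findings.append(f"{i.name}: port-security on a dynamic port; "
                            "set 'switchport mode access' (or a static trunk) first")
        if i.mode == "access" and not i.psec:
            findings.append(f"{i.name}: access port without port-security")
        if i.psec and i.maximum is None:
            findings.append(f"{i.name}: relies on the implicit maximum of 1; "
                            "state it with 'switchport port-security maximum N'")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a real `show running-config` capture, the same parser works unchanged; the findings list is what you would feed into a compliance report or a pre-change check before enabling errdisable recovery fleet-wide.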

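The AAA method-list bullets (`group tacacs+ local`, `local-case`, the `line` keyword as last resort) all rest on one rule that is easy to get wrong: the switch moves to the next method only when the current method returns an error (the server group does not answer), never when it returns a failure (wrong credentials). The model below is an added example for this study guide, not Cisco code; the server groups, reachability flags, local users and line password are constructed, and `run_method`/`authenticate` are my own names.

```python
"""Walk an IOS-style AAA login method list the way the switch does.

Added example for this study guide, not Cisco code. A method returns
PASS, FAIL or ERROR; only ERROR (server group unreachable) advances the
list. 'local' matches usernames case-insensitively, 'local-case'
case-sensitively, 'line' checks the line password, 'none' always passes.
The empty-local-database special case is not modelled here.
"""
from typing import Dict, List, Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed AAA server groups: reachability plus the credentials they hold.
SERVER_GROUPS: Dict[str, dict] = {
    "tacacs+": {"reachable": True,  "users": {"admin": "S3cret!"}},
    "radius":  {"reachable": False, "users": {"admin": "S3cret!"}},
}
# Constructed local database ('username Backup password fallback1').
LOCAL_USERS = {"Backup": "fallback1"}
# Constructed line password ('password console-pw' under the line).
LINE_PASSWORD = "console-pw"

def run_method(method: str, user: str, pw: str, groups: Dict[str, dict]) -> str:
    """Evaluate a single method keyword and return PASS, FAIL or ERROR."""
    if method.startswith("group "):
        g = groups.get(method.split(None, 1)[1])
        if g is None or not g["reachable"]:
            return ERROR                      # no answer: the list keeps walking
        return PASS if g["users"].get(user) == pw else FAIL
    if method == "local":                     # username compared case-insensitively
        for name, stored in LOCAL_USERS.items():
            if name.lower() == user.lower():
                return PASS if stored == pw else FAIL
        return FAIL
    if method == "local-case":                # username compared case-sensitively
        return PASS if LOCAL_USERS.get(user) == pw else FAIL
    if method == "line":
        return PASS if pw == LINE_PASSWORD else FAIL
    if method == "none":
        return PASS
    raise ValueError(f"unknown method {method!r}")

def authenticate(method_list: List[str], user: str, pw: str,
                 groups: Dict[str, dict] = SERVER_GROUPS) -> Tuple[str, Optional[str]]:
    """Return (outcome, deciding method). Outcome is PASS or FAIL.

    A FAIL from a reachable server ends the walk: the local fallback is
    never consulted, which is the point of 'group tacacs+ local'.
    """
    for method in method_list:
        result = run_method(method, user, pw, groups)
        if result != ERROR:
            return result, method             # PASS or FAIL is final
    return FAIL, None                         # every method errored out

if __name__ == "__main__":
    # Constructed walk-throughs of the lists the study guide mentions.
    print(authenticate(["group tacacs+", "local"], "admin", "wrong"))
    print(authenticate(["group radius", "local"], "backup", "fallback1"))
    print(authenticate(["group radius", "local-case"], "backup", "fallback1"))
    print(authenticate(["group radius", "line"], "anyone", "console-pw"))
```

The practical consequence for a defender: putting `local` after `group tacacs+` does not let a rejected TACACS+ user retry against the local database, so the local account is a recovery path for server outages, not a second password.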