access to the CLI
The first step to securing a switch is to secure __.
enable mode
Securing the CLI includes protecting access to __, because from there, an attacker could reload the switch or change the configuration.
password recovery/reset
If you can touch the switch, even if the console had all the available password protections, you could still perform the switch __ procedure in five minutes anyway and get into the switch.
By default, console access is __.
no username
Cisco switches can protect user mode with a simple password—with __, for console and Telnet users.
vty password
Telnet users must supply the Telnet password, also called the __.
enable password
Cisco switches protect enable mode for any user with the __.
login, password
The __ command tells IOS to use simple password security, and the __ command defines the password.
enable secret
IOS protects enable mode using the enable secret password, configured using the global command __.
same passwords
A login method that uses simple text passwords (without usernames) works, but it requires that everyone know the __.
unique login details
Cisco switches support other login authentication methods that use a username and password so that each user has __ that do not have to be shared.
locally, external server, AAA
One method configures the username/password pairs __ on the switch, and the other relies on an __ called an __ server.
login local
The vty and/or console line needs to be told to make use of a locally configured username and password (per the __ line subcommand).
local usernames
When a Telnet user connects to the switch, the user will be prompted first for a username and then for a password. The username/password pair must be from the list of __, or the login is rejected.
Using __ configured username/password pairs means that every switch and router needs the configuration for all users who might need to log in to the devices.
AAA server
When using a __ for authentication, the switch (or router) simply sends a message to the server asking whether the username and password are allowed, and the server replies.
The connection between the user and the switch or router uses Telnet or SSH, and the switch and AAA server typically use either the __ or __ protocol, both of which encrypt the passwords as they traverse the network.
Telnet login, usernames
To support SSH, Cisco switches require the base configuration used to support __ with __, plus additional configuration.
login local, AAA server
[STEP 1] Configure the vty lines to use usernames, with either locally configured usernames (using the __ command) or a __.
[STEP 2] If using locally defined usernames, add one or more __ global configuration commands to configure username/password pairs.
matched public and private key pair
[STEP 3] Configure the switch to generate a __ to use for encryption.
ip domain-name
[STEP 3-A] As a prerequisite for the next command, configure a DNS domain name with the __ global configuration command.
crypto key generate rsa
[STEP 3-B] Create the encryption keys using the __ global configuration command.
ip ssh version 2
[STEP 4] (Optional) Enable SSH Version 2 using the __ global command for enhanced security.
crypto key
The __ command actually prompts the user for more information and generates some messages while the key is being generated.
SSH v2
__ improves the underlying security algorithms over SSH v1 and adds some other small advantages, like banner support.
transport input {all | none | telnet | ssh}
Switches can control their support of Telnet and/or SSH on the vty lines using the __ vty subcommand.
enable secret
Only the __ command automatically hides the password value by default.
service password-encryption
To prevent password vulnerability in a printed version of the configuration file, or in a backup copy of the configuration file stored on a server, you can encrypt some passwords using the __ global configuration command.
service password-encryption
This command affects how IOS stores passwords for the password command, in both console and vty modes, and the username password global command.
immediately encrypts
At the moment that the service password-encryption command is configured, IOS __ all existing password commands (in console and vty modes) and global command passwords (username/password).
no service password-encryption
At the moment the __ command is used, disabling password encryption, IOS does nothing to the existing passwords, leaving them all as encrypted.
clear text
From that point forward, while the service password-encryption command is no longer in the configuration, IOS stores any changed password values for these commands as __.
The __ at the end of a show command sends the output of the command to another function.
The __ function takes the output from the command and starts listing the text beginning at the first occurrence of the listed text.
enable password
The older __ command stores the password as clear text, and the only option to encrypt it is the weak service password-encryption command.
Message Digest 5 hash
This newer command applies a mathematical function to the password, called a __, storing the results of the formula in the enable secret command in the configuration file.
encryption type 5
The show running-config command shows that IOS changed the enable secret command, now listing __ (meaning it is an MD5 hash).
no enable secret
You can delete the enable secret password using the __ command, without even having to enter the password value.
show running-config | include enable secret
The __ command lists the output from show running-config, but only lines that include the case-sensitive text “enable secret.”
SHA-256, encryption type 4
Cisco has added another hash algorithm to the enable secret command for routers: __. This algorithm is stronger than MD5, with IOS listing this algorithm as __.
username secret
Today, the __ command is preferred over the username password command, much like the enable secret command is preferred over the enable password command.
A __ is simply some text that appears on the screen for the user.
before login, after
You can configure a router or switch to display multiple banners, some __ and some __.
Message of the Day
Shown before the login prompt. Used for temporary messages that can change from time to time, such as “Router1 down for maintenance at midnight.”
Shown before the login prompt but after the MOTD banner. Used for permanent messages such as “Unauthorized Access Prohibited.”
Shown after the login prompt. Used to supply information that should be hidden from unauthorized users.
The banner global configuration command can be used to configure all three types of these banners. In each case, the type of banner is listed as the first parameter, with __ being the default option.
beginning delimiter character
The first nonblank character after the banner type is called a __.
same delimiter character
The CLI knows that the banner has been configured as soon as the user enters the __ again.
show history
Lists the commands currently held in the history buffer.
history size
From console or vty line configuration mode, sets the default number of commands saved in the history buffer for the user(s) of the console or vty lines, respectively.
terminal history size
From EXEC mode, this command allows a single user to set, just for this one login session, the size of his or her history buffer.
The __ automatically receives copies of all unsolicited syslog messages on a switch.
no logging console, logging console
The display of these messages at the console can be disabled and enabled with the __ and __ global commands.
syslog messages
IOS (by default) displays __ on the console’s screen at any time—including right in the middle of a command you are entering, or in the middle of the output of a show command.
logging synchronous
IOS supplies a solution to this problem by telling the switch to display syslog messages only at more convenient times. To do so, just configure the __ console line subcommand.
5 minutes
By default, the switch automatically disconnects console and vty (Telnet and SSH) users after __ of inactivity.
exec-timeout {minutes} {seconds}
The __ line subcommand lets you set the length of that inactivity timer, with the special value of 0 minutes and 0 seconds meaning “never time out.”
default settings, enabled, VLAN 1
Cisco switches leave the factory with __, with all interfaces __ and with autonegotiation __ for ports that can use it. All interfaces default to be part of __.
overhead management traffic
The IP address has nothing to do with how switches forward Ethernet frames; it simply exists to support __.
virtual NIC
A switch uses concepts similar to a host, except that the switch can use a __.
switched virtual interface
The switch then uses a NIC-like concept called a __, or more commonly, a VLAN interface, that acts like the switch’s own NIC for connecting into a LAN to send IP packets.
only one VLAN interface
A typical Layer 2 Cisco LAN switch can use __ at a time, but the network engineer can choose which VLAN interface, putting the switch’s management traffic into a particular VLAN.
multilayer switches, Layer 3 switches
Other Cisco switches, called __ or __, can also route IP packets using the Layer 3 logic normally used by routers.
interface vlan 1
[1] Enter VLAN 1 configuration mode using the __ global configuration command.
ip address {ip-address} {mask}
[2] Assign an IP address and mask using the __ interface subcommand.
no shutdown
[3] If not already enabled, enable the VLAN 1 interface using the __ interface subcommand.
ip default-gateway {ip-address}
[4] Add the __ global command to configure the default gateway.
ip name-server {ip-address1} {ip-address2} . . .
[5] (Optional) Add the __ global command to configure the switch to use DNS to resolve names into their matching IP address.
no shutdown, shutdown
To administratively enable an interface on a switch, use the __ interface subcommand; to disable an interface, use the __ interface subcommand.
The switch can also use __ to dynamically learn its IPv4 settings.
ip address dhcp
VLAN interface mode. Configures the switch as a DHCP client to discover its IP address, mask, and default gateway.
show running-config
The switch IPv4 configuration can be checked in several places. First, you can always look at the current configuration using the __ command.
show interface vlan {x}
Second, you can look at the IP address and mask information using the __ command, which shows detailed status information about the VLAN interface in VLAN x.
show dhcp lease
If using DHCP, use the __ command to see the (temporarily) leased IP address and other parameters.
The switch does not store the __ IP configuration in the running-config file.
Interfaces, autonegotiation
__ can be configured to use the duplex and speed subcommands to configure those settings statically, or can use __ (the default).
The __ command assigns a simple text description to the interface, which can be configured by the administrator.
show interfaces status
This command lists a single line for each interface, the first part of the interface description, and the speed and duplex settings.
notconnect status
The __ means that the physical link is not currently working, including reasons like no cable being connected, the other device being powered off, or the other device putting the port in a shutdown state.
The output lists the resulting speed and duplex (a-full and a-100), in which the a- refers to the fact that these values were __.
interface range
You can configure a command on a range of interfaces at the same time using the __ command.
speed, duplex
Configuring both the __ and __ on a Cisco switch interface disables autonegotiation.
port security
The engineer can use __ to restrict that interface so that only the expected devices can use it.
source MAC address
Port security identifies devices based on the __ of Ethernet frames the devices send.
per port
Switches enable port security __, with different settings available __.
port security violation
When a frame with a new source MAC address arrives, pushing the number of MAC addresses past the allowed maximum, a __ occurs.
sticky secure MAC addresses
Port security provides an easy way to discover the MAC addresses used off each port using a feature called __.
switchport mode trunk
[1] Make the switch interface either a static access or trunk interface, using the switchport mode access or the __ interface subcommands, respectively.
switchport port-security
[2] Enable port security using the __ interface subcommand.
switchport port-security maximum
[3] (Optional) Override the default maximum number of allowed MAC addresses associated with the interface (1) by using the __ interface subcommand.
switchport port-security violation {protect | restrict | shutdown}
[4] (Optional) Override the default action to take upon a security violation (shutdown) using the __ interface subcommand.
switchport port-security mac-address
[5] (Optional) Predefine any allowed source MAC address(es) for this interface, using the __ command. Use the command multiple times to define more than one MAC address.
switchport port-security mac-address sticky
[6] (Optional) Tell the switch to “sticky learn” dynamically learned MAC addresses with the __ interface subcommand.
sticky addresses
Port security does not save the configuration of the __, so use the copy running-config startup-config command if desired.
show port-security interface
This command lists the configuration settings for port security on an interface, plus it lists several important facts about the current operation of port security, including information about any security violations.
disabled because of port security
The show port-security interface fastethernet 0/1 command shows that the interface is in a secure-shutdown state, which means that the interface has been __.
discard the offending frame
The switch can be configured to use one of three actions when a violation occurs. All three options cause the switch to __.
syslog messages, SNMP trap messages
The actions include the sending of __ to the console, sending __ to the network management station, and disabling the interface.
{protect | restrict | shutdown}
Discards offending traffic
{restrict | shutdown}
Sends log and SNMP messages
Disables the interface, discarding all traffic
error disabled
The shutdown option does not actually add the shutdown subcommand to the interface configuration. Instead, IOS puts the interface in an __ state, which makes the switch stop all inbound and outbound frames.
shutdown, no shutdown
To recover from err-disabled state, someone must manually disable the interface with the __ interface command and then enable the interface with the __ command.
unused interfaces
With all default configuration on switches, __ might be used by an attacker to gain access to the LAN.
switchport mode access
Prevent VLAN trunking by making the port a nontrunking interface using the __ interface subcommand.
switchport access vlan
Assign the port to an unused VLAN using the __ interface subcommand.
switchport trunk native vlan
Set the native VLAN to not be VLAN 1, but to instead be an unused VLAN, using the __ interface subcommand.
