A very important part of securing an organizational network is the layer 2 portion, specifically the switches. Layer 2 vulnerabilities are easy to overlook, but switches are just as exposed as higher-layer devices; they are simply attacked in different ways. This set covers those threats and the IOS configuration and verification commands used to counter them. It is not a complete catalogue of switch security methods, only the most commonly referenced ones.
- line console 0 - Global command that changes the context to console line configuration mode
- line vty {first-vty last-vty} - Global command that changes the context to vty line configuration mode for the range of vty lines listed (for example, line vty 0 15)
- login - Line (console and vty) subcommand that tells IOS to prompt for a password only (no username)
- password {pass-value} - Line (console and vty) subcommand that sets the password required when the login command (with no other parameters) is configured
- interface {type port-number} - Global command that changes the context to interface configuration mode, for example interface FastEthernet 0/1
- shutdown :: no shutdown - Interface subcommands that administratively disable or enable the interface, respectively
- hostname {name} - Global command that sets the switch's hostname, which is also used as the first part of the command prompt
- enable secret {pass-value} - Global command that sets the enable secret password, which is stored in the configuration as a one-way hash. When configured, it is the password every user must supply to reach enable mode
- enable password {pass-value} - Global command that sets the clear-text enable password (at best obscured with the reversible type 7 encoding when service password-encryption is on). It is used only when no enable secret is configured
- exit - Moves back to the next higher mode in configuration mode
- end - Exits configuration mode and returns to enable mode from any configuration submode
- Ctrl-Z - Not a command but a two-key combination that does the same thing as the end command
- no debug all :: undebug all - Enable mode EXEC commands that disable all currently enabled debugs
- show processes - EXEC command that lists statistics about CPU utilization (show processes cpu gives the CPU summary)
- terminal monitor - EXEC command that tells IOS to send a copy of all syslog messages, including debug messages, to the Telnet or SSH session that issues it
- reload - Enable mode EXEC command that reboots the switch or router
- copy {from-location} {to-location} - Enable mode EXEC command that copies files between locations, including the startup-config and running-config files, files on TFTP and RCP servers, and flash memory
- copy running-config startup-config - Enable mode EXEC command that saves the active configuration, replacing the startup-config file used when the switch initializes
- copy startup-config running-config - Enable mode EXEC command that merges the startup-config file into the currently active configuration in RAM (it does not replace it)
- show running-config :: show startup-config - List the contents of the running-config or startup-config file, respectively
- write erase :: erase startup-config :: erase nvram - Enable mode EXEC commands; all three erase the startup-config file
- setup - Enable mode EXEC command that places the user in setup mode, in which IOS prompts for input on simple switch configurations
- quit - EXEC command that disconnects the user from the CLI session
- enable - Moves the user from user mode to enable (privileged) mode, prompting for the enable password if one is configured
- disable - Moves the user from enable mode back to user mode
- configure terminal - Enable mode command that moves the user into global configuration mode
- Basic Password Config (steps)
- line console 0 - for console access
- line vty {first-vty last-vty} - for Telnet or SSH access (for example, line vty 0 15)
- login
- password {pass-value}
- Username/Password and SSH Config
- login local - tells IOS to prompt for a username and password and check them against the local username database
- username {name} password {pass-value} - defines one of multiple possible username/password pairs; the password is stored in clear text unless service password-encryption is on, so username {name} secret {pass-value}, which stores a hash, is preferred
- crypto key generate rsa - creates and stores the RSA key pair required by SSH; the hostname and ip domain-name must be configured first, and the modulus size is prompted for (2048 bits or larger is the sensible choice)
- transport input {telnet | ssh} - defines whether Telnet and/or SSH access is allowed; transport input ssh alone disables clear-text Telnet
- IP Address Config
- interface vlan {number} - changes context to VLAN interface mode
- ip address {ip-address subnet-mask} - for static IP configuration
- ip address dhcp - for dynamic IP configuration
- ip default-gateway {address} - not required with dhcp
- Interface Config
- interface {type port-number} - for example: {Fastethernet 0/1}
- interface range {type port-range} - for example: {Fastethernet 0/4 - 13}
- shutdown :: no shutdown
- speed {10 | 100 | 1000 | auto}
- duplex {auto | full | half}
- description {text} - engineer generated text
- hostname {name} - Global command that sets the switch's hostname, which is also used as the first part of the command prompt
- history size {length} - Line configuration mode. Defines the number of commands held in the history buffer, for later recall, for users of those lines
- switchport port-security mac-address {mac-address} - Interface subcommand that statically adds a specific MAC address as an allowed (secure) MAC address on the interface
- switchport port-security mac-address sticky - Interface subcommand that tells the switch to learn MAC addresses on the interface and add them to the interface configuration as secure MAC addresses (they survive a reload only if the running-config is saved to startup-config)
- switchport port-security maximum {value} - Interface subcommand that sets the maximum number of secure MAC addresses (static, sticky, or dynamically learned) allowed on the interface; the default is 1
- switchport port-security violation {protect | restrict | shutdown} - Interface subcommand that tells the switch what to do when a frame arrives from a MAC address outside the allowed set on a secure port: protect silently discards the offending frames, restrict discards them and also records the violation (syslog/SNMP trap and violation counter), and shutdown (the default) err-disables the port until an administrator recovers it. Port security must first be enabled on the interface with the bare switchport port-security command, and the port must be a static access or trunk port, not a dynamic one
- show mac address-table dynamic - Lists the dynamically learned entries in the switch's MAC address (forwarding) table
- show dhcp lease - Lists the information the switch acquired as a DHCP client, including IP address, subnet mask, and default gateway
- show crypto key mypubkey rsa - Lists the RSA public key(s) created for SSH by the crypto key generate rsa global configuration command
- show interfaces status - Lists one output line per interface, noting the description, operating state, and duplex and speed settings
- show interfaces vlan 1 - Lists the interface status, the switch's IP address and mask, and much more
- show port-security interface {type number} - Lists an interface's port security configuration settings and operational status, including the violation mode, the counts of secure MAC addresses, the last source MAC address seen, and the violation count
- show cdp neighbors {type number} - Lists one summary line per neighbor, or just the neighbor found on a specific interface if one is listed
- show cdp neighbors detail - Lists one large set (approximately 15 lines) of information for every neighbor, including the neighbor's IP address, platform, and IOS version
- show cdp entry {name} - Lists the same information as show cdp neighbors detail, but only for the named neighbor (case-sensitive)
- show cdp - States whether CDP is enabled globally and lists the update and holdtime timers. Because CDP advertisements disclose the platform, IOS version, and management address to anyone on the segment, CDP is commonly disabled on user-facing ports with the no cdp enable interface subcommand (or everywhere with no cdp run)
- show cdp interface {type number} - States whether CDP is enabled on each interface, or on a single interface if one is listed, and shows the update and holdtime timers on those interfaces
- show cdp traffic - Lists global statistics for the number of CDP advertisements sent and received
- show mac address-table {dynamic :: static :: secure} {address} {interface} {vlan} - Displays the MAC address table, optionally filtered by the keywords shown. The secure keyword lists the entries configured or learned by port security
- show port-security {interface {type number} :: address} - Displays port security status for all secured interfaces, for a single interface, or (with address) the secure MAC addresses together with their interface and VLAN
- show interfaces - Displays detailed information about interface status, settings, and counters
- show interfaces status - Displays summary information about interface status and settings, including the actual speed and duplex; an a- prefix (for example a-full, a-100) marks values that were autonegotiated
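The following is an added example, not part of the original flashcard set. It ties the Username/Password and SSH Config steps and the port-security cards together as a small Python audit of a switch running-config: a constructed weak configuration built from the weaker choice on each card (enable password, username ... password, bare login, Telnet on the vty lines, port-security options set but never enabled) is checked beside a constructed hardened one. Hostnames, passwords, hashes, and the check identifiers are placeholders of my own. Two checks go slightly beyond the cards but reflect how IOS behaves: port security is rejected on a port left in dynamic mode, and the violation mode defaults to shutdown.

```python
"""Audit a Cisco IOS switch configuration for the management-plane and port-security
weaknesses the commands on this page address.  Added example, not from the original
flashcard set; both configurations are constructed by hand (hostnames, passwords and
hashes are placeholders)."""
import re
from collections import namedtuple

# Constructed "before" configuration: real IOS commands, but the weaker choice each time.
WEAK_CONFIG = """\
hostname SW1
enable password letmein
username admin password admin123
line vty 0 15
 login
 password cisco
 transport input telnet ssh
interface FastEthernet0/1
 switchport port-security mac-address sticky
 switchport port-security maximum 1
interface FastEthernet0/2
 switchport mode access
 switchport port-security
"""

# Constructed "after" configuration: hashed secrets, local accounts, SSH-only vty lines.
HARDENED_CONFIG = """\
hostname SW1
service password-encryption
enable secret 5 $1$salt$CONSTRUCTED.HASH.NOT.REAL
username admin secret 5 $1$salt$CONSTRUCTED.HASH.NOT.REAL
ip domain-name example.test
line vty 0 15
 login local
 transport input ssh
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
"""

# where: "global", "line vty 0 15", "interface ..."; check: my own stable identifiers.
Finding = namedtuple("Finding", "where check message")


def parse_ios(text):
    """Map each column-0 command to its list of one-space-indented subcommands."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):   # blank line or separator
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])                  # repeated headers merge
    return sections


def audit(config_text):
    """Return the list of Findings for one running-config."""
    sections = parse_ios(config_text)
    top = list(sections)
    out = []
    flag = lambda where, check, msg: out.append(Finding(where, check, msg))

    # enable secret is hashed; enable password is clear text (type 7 at best) and is
    # only consulted when no enable secret exists.
    if any(t.startswith("enable password ") for t in top) and not any(
            t.startswith("enable secret ") for t in top):
        flag("global", "enable-password-only", "enable password is recoverable; configure enable secret")

    # username ... password is clear text; username ... secret stores a hash.
    for t in top:
        m = re.match(r"username (\S+) password ", t)
        if m:
            flag("global", "username-cleartext", f"use 'username {m.group(1)} secret' instead of password")

    for header, subs in sections.items():
        if header.startswith("line vty"):
            if "transport input ssh" not in subs:            # anything else still admits Telnet
                flag(header, "vty-transport-not-ssh-only", "Telnet allowed; it sends passwords in clear text")
            if "login" in subs:                              # bare login = shared line password
                flag(header, "vty-shared-password", "shared line password; prefer login local")
        elif header.startswith("interface ") and any(s.startswith("switchport port-security") for s in subs):
            if "switchport port-security" not in subs:
                flag(header, "portsec-not-enabled", "port-security options set but the feature is not enabled")
            if not {"switchport mode access", "switchport mode trunk"} & set(subs):
                flag(header, "portsec-dynamic-mode", "IOS rejects port security on a dynamic-mode port")
            if not any(s.startswith("switchport port-security violation ") for s in subs):
                flag(header, "portsec-default-violation", "violation mode left at default shutdown (err-disable)")
    return out


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, [f"{f.where}: {f.check}" for f in audit(cfg)])
```

Running the script reports eight findings against the weak configuration (FastEthernet0/2 is flagged only for relying on the default shutdown violation mode) and none against the hardened one. The parser relies only on IOS's column-0/one-space layout, so the same audit works on a `show running-config` capture from a real switch.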