
CCNP Security Switch 300-206 (SENSS)

Hi All,

Currently I am studying for CCNP Security 300-206 (SENSS).

I came across the following doubts. Though they seem silly and funny, I cannot resist posting them here.

1 > What will happen if we give the "Maximum Allowed MAC 5" and "MAC-Address Sticky" commands together under the same interface?

2 > Does the DHCP Snooping database table store the MAC and IP addresses of non-DHCP clients (let's say static ones)?

3 > Do the DHCP Snooping and Dynamic ARP Inspection mechanisms work on a plain Layer 2-only switch?

4 > Can "Source Guard" stop rogue ARP packets, like Dynamic ARP Inspection?

5 > Can Private VLAN interfaces communicate with Primary VLAN interfaces?

It may need a little explanation. Here is the scenario:

Suppose we have Primary VLAN 100, Community VLAN 200 and Isolated VLAN 300, and the following are the interface assignments:

Gi 0/1,Gi0/2 --> Primary VLAN 100

Gi 0/3,Gi0/4 --> Community VLAN 200

Gi 0/5,Gi0/6 --> Isolated VLAN 300

But we have converted only Gi0/1 into a promiscuous port and mapped VLAN 200 and VLAN 300 to it.

Can Gi0/3, Gi0/4, Gi0/5 and Gi0/6 communicate with Gi0/2?

Could someone please help ?

Thanks in Advance,

Prasanna Kumar Desireddy

Accepted Solution

1) Port-security allows only one MAC by default. Sticky adds the learned address to the config and "fixes" this address. If you change port-security to allow five addresses, then all of these up to five addresses are added to the config.

2) No. If you are using this table for other functions like DAI or IPSG, then you have to define static exceptions for the systems without DHCP. Before implementing these functions I make sure that ideally all systems are using DHCP, even printers, cameras, multifunction devices and so on. Many of these get reservations on the DHCP server, but they should use DHCP to make functions like DAI and IPSG manageable.

3) What is a "plain Layer 2 switch" for you? Today, the definition Layer 2 or Layer 3 describes how the device does its forwarding. A Catalyst 2960 is typically used with Layer 2 forwarding. But that doesn't mean that there are no functions to look into the payload and inspect the traffic up to the application layer. These functions were also available on the older Catalyst 2950 (initially there was no DAI, but there was DHCP Snooping) and are now available on all (Catalyst) access switches.

4) No, each function has its own security function. DAI is for inspecting the ARP payload, IPSG is for inspecting the source addresses.

5) not sure what you mean ...

If Gi0/3-Gi0/6 are configured for private VLANs as mentioned, then they can communicate directly with Gi0/2. If they are not yet configured (I assume that's what you mean with "converted"), then they are probably member of a different VLAN and can communicate with Gi0/2 through a Layer3 device.

Some links to Config-Guides with more information:
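Private VLAN configuration for the scenario in question 5, as an added example that is not from the original thread or from the answer above. The VLAN numbers and port numbers are the question's own; the VTP mode and the choice to leave Gi0/2 as an ordinary access port in VLAN 100 are assumptions matching the question's description.

```cisco
! Added example, not from the original post. VLANs/ports as in the question.
! Assumed: VTP v1/v2, so transparent mode is needed before private-vlan config.
vtp mode transparent

! Secondary VLANs are defined first, then associated with the primary VLAN.
vlan 200
 private-vlan community
vlan 300
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 200,300

! Gi0/1: the single promiscuous port, mapped to both secondary VLANs.
! Traffic from VLAN 200/300 hosts is forwarded to this port.
interface GigabitEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 200,300

! Gi0/2: left as a plain access port in VLAN 100 (as in the question),
! i.e. it is NOT a promiscuous port.
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 100

! Gi0/3-4: community hosts; they reach each other and promiscuous ports.
interface range GigabitEthernet0/3 - 4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 200

! Gi0/5-6: isolated hosts; they reach promiscuous ports only.
interface range GigabitEthernet0/5 - 6
 switchport mode private-vlan host
 switchport private-vlan host-association 100 300

! Verification:
!   show vlan private-vlan
!   show interfaces GigabitEthernet0/3 switchport
!   show interfaces GigabitEthernet0/5 switchport
```

The private VLAN forwarding rules are what decide the question: isolated ports forward only toward promiscuous ports, and community ports toward each other and promiscuous ports. So if a port in the primary VLAN is meant to be reachable from VLAN 200 and 300, configure it as a promiscuous port with the same mapping as Gi0/1, and confirm the result with `show vlan private-vlan` (the port should be listed next to the secondary VLANs) rather than assuming it from the VLAN membership alone.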



Many thanks Karsten,

4 >> So you are saying IPSG cannot inspect the payload; it will just verify the source IP/MAC?

Thanks in Advance,

Prasanna Kumar Desireddy

4 >> So you are saying IPSG cannot inspect the payload; it will just verify the source IP/MAC?

Right, payload inspection is not what IPSG was built for. It's a feature that prevents spoofed source addresses. And that is done by looking at the IP header (and optionally the L2 header with port-security).
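The port-security, DHCP snooping, DAI and IPSG pieces from questions 1, 2 and 4 and from the IPSG exchange just above, as one added configuration example that is not from the original thread. Assumed and not from the page: Gi0/24 as the trusted uplink toward the DHCP server, Gi0/1 and Gi0/2 as access ports in VLAN 100, the made-up static (non-DHCP) host 0011.2233.4455 / 192.0.2.50 on Gi0/2, and the snooping database file name.

```cisco
! Added example, not from the original post. Uplink Gi0/24, host ports
! Gi0/1-2 in VLAN 100, and the static host 0011.2233.4455/192.0.2.50 on
! Gi0/2 are assumed for illustration.

! Q1: "maximum 5" together with "sticky". Up to five learned MACs are
! written into running-config as sticky entries; the sixth triggers the
! violation action. Save the config or the sticky entries are lost on reload.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 100
 switchport port-security
 switchport port-security maximum 5
 switchport port-security mac-address sticky
 switchport port-security violation restrict

! Q2: the snooping binding table is built only from DHCP exchanges the
! switch sees on untrusted ports. Persist it so it survives a reload.
ip dhcp snooping
ip dhcp snooping vlan 100
ip dhcp snooping database flash:dhcp-snoop.db
interface GigabitEthernet0/24
 ip dhcp snooping trust

! A host with a static address never appears in that table, so DAI and
! IPSG would drop it. Add it as a static binding (the "static exception").
ip source binding 0011.2233.4455 vlan 100 192.0.2.50 interface GigabitEthernet0/2

! Q4 / last reply: DAI checks the sender MAC/IP inside ARP packets
! against the binding table (plus optional header consistency checks).
ip arp inspection vlan 100
ip arp inspection validate src-mac dst-mac ip
interface GigabitEthernet0/24
 ip arp inspection trust

! IPSG checks the source IP (and, with port-security, source MAC) of IP
! traffic against the same table. It does not look at ARP payloads at all.
interface GigabitEthernet0/1
 ip verify source port-security
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 100
 ip verify source

! Verification:
!   show port-security interface GigabitEthernet0/1
!   show running-config interface GigabitEthernet0/1   (sticky MACs appear here)
!   show ip dhcp snooping binding
!   show ip source binding                              (static entry included)
!   show ip arp inspection vlan 100
!   show ip arp inspection statistics vlan 100          (dropped/forwarded ARP)
!   show ip verify source
```

Two checks worth doing before enabling this on a production VLAN: `show ip dhcp snooping binding` should already list every DHCP host on the VLAN before `ip arp inspection vlan 100` is turned on, and `show ip source binding` should list every static host, because anything missing from both is cut off the moment DAI or IPSG is enabled. `ip verify source port-security` requires port-security on the same interface; without it, use plain `ip verify source`, which filters on source IP only.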