05-04-2016 10:55 PM - edited 02-20-2020 09:44 PM
Hi All,
Currently I am studying for CCNP Security 300-206 (SENSS).
I came across the following doubts. Though they seem to be silly & funny, I cannot resist myself from posting them here.
1 > What will happen if we give "Maximum Allowed MAC 5" and "MAC-Address Sticky" commands together under the same interface?
2 > Does the DHCP Snooping Database table store NON-DHCP clients' (let's say static) MAC & IP addresses?
3 > Will DHCP Snooping and Dynamic ARP Inspection mechanisms work on a plain Layer 2 only switch?
4 > Can "Source Guard" stop rogue ARP packets, like Dynamic ARP Inspection?
5 > Can Private VLAN interfaces communicate with Primary VLAN interfaces?
It may need a little explanation - here is the scenario:
Suppose we have Primary VLAN 100, Community VLAN 200 & Isolated VLAN 300, and the following are the interface assignments:
Gi 0/1,Gi0/2 --> Primary VLAN 100
Gi 0/3,Gi0/4 --> Community VLAN 200
Gi 0/5,Gi0/6 --> Isolated VLAN 300
But we have converted only Gi0/1 into a Promiscuous Port, and mapped VLAN 200 & VLAN 300.
Can Gi0/3, Gi0/4, Gi0/5 & Gi0/6 communicate with Gi0/2?
Could someone please help ?
Thanks in Advance,
Prasanna Kumar Desireddy
05-04-2016 11:46 PM
1) Port-security allows only one MAC by default. Sticky adds the learned address to the config and "fixes" this address. If you change port-security to allow five addresses, then all these up to five addresses are added to the config.
2) No. If you are using this table for other functions like DAI or IPSG, then you have to define static exceptions for the systems without DHCP. Before implementing these functions I make sure that ideally all systems are using DHCP. Even printers, cameras, multifunction devices and so on. Many of these get reservations on the DHCP-server, but they should use DHCP to make functions like DAI and IPSG manageable.
3) What is a "plain Layer 2 switch" for you? Today, the definition Layer 2 or Layer 3 defines how the device does its forwarding. A Catalyst 2960 is typically used with Layer 2 forwarding. But that doesn't mean that there are no functions to look into the payload and inspect the traffic up to the application layer. These functions were also available on the older Catalyst 2950 (initially there was no DAI, but DHCP Snooping) and are now available on all (Catalyst) access switches.
4) No, each function has its own security function. DAI is for inspecting the ARP payload, IPSG is for inspecting the source addresses.
5) Not sure what you mean ...
If Gi0/3-Gi0/6 are configured for private VLANs as mentioned, then they can communicate directly with Gi0/2. If they are not yet configured (I assume that's what you mean with "converted"), then they are probably members of a different VLAN and can communicate with Gi0/2 through a Layer 3 device.
Some links to Config-Guides with more information:
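One IOS configuration that puts points 1 to 5 of this answer (and the later IPSG follow-up) side by side, added here as an example and not taken from the thread or from a Cisco guide; interfaces not named in the question (Gi0/7, Gi0/8, Gi0/24), VLAN 10 and the MAC/IP binding are constructed:

```cisco
! Q1: port-security with sticky learning and a limit of five addresses
! (Gi0/7 and VLAN 10 are constructed for this example)
interface GigabitEthernet0/7
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 5
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Q2/Q3: DHCP snooping on a Layer 2 access switch; Gi0/24 is the
! constructed uplink toward the DHCP server and is the only trusted port
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/24
 ip dhcp snooping trust
 ip arp inspection trust
!
! Q2: a host with a static address needs a manual binding (constructed
! MAC/IP), otherwise DAI and IPSG on its port will drop its traffic
ip source binding 0011.2233.4455 vlan 10 10.10.10.50 interface GigabitEthernet0/8
!
! Q4: DAI checks the ARP payload, IPSG checks the source IP (and the
! source MAC too, because "port-security" is appended) against that table
ip arp inspection vlan 10
interface GigabitEthernet0/8
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ip verify source port-security
!
! Q5: the private VLANs from the question; only Gi0/1 is promiscuous,
! Gi0/2 is left as in the question and is not configured here
vtp mode transparent
vlan 200
 private-vlan community
vlan 300
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 200,300
interface range GigabitEthernet0/3 - 4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 200
interface range GigabitEthernet0/5 - 6
 switchport mode private-vlan host
 switchport private-vlan host-association 100 300
interface GigabitEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 200,300
```

`show ip dhcp snooping binding` should list both the DHCP-learned entries and the static one, and `show ip arp inspection statistics vlan 10` shows what DAI dropped on the untrusted ports.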
05-06-2016 09:16 AM
Many Thanks Karsten,
4>> So you are saying IPSG cannot inspect the payload, it will just verify the source IP/MAC?
Thanks in Advance,
Prasanna Kumar Desireddy
05-06-2016 09:22 AM
4>> So you are saying IPSG cannot inspect the payload, it will just verify the source IP/MAC?
Right, payload inspection is not what IPSG was built for. It's a feature that prevents spoofed source addresses. And that is done by looking at the IP header (and optionally the L2 header with port-security).