7 Marks Questions

1. Discuss about default gateway limitations with a neat diagram.


Ans:
End devices are typically configured with a single default gateway IPv4 address.
• If the default gateway router interface fails, LAN hosts lose outside LAN connectivity.
• This occurs even if a redundant router or Layer 3 switch that could serve as a default
gateway exists.
In a switched network, each client receives only one default gateway. There is no way to
configure a secondary gateway, even if a second path exists to carry packets off the local
segment.

In the figure, R1 is responsible for routing packets from PC1. If R1 becomes unavailable, the
routing protocols can dynamically converge. R2 now routes packets from outside networks that
would have gone through R1. However, traffic from the inside network associated with R1,
including traffic from workstations, servers, and printers configured with R1 as their default
gateway, is still sent to R1 and dropped.
End devices are typically configured with a single IP address for a default gateway. This
address does not change when the network topology changes. If that default gateway IP address
cannot be reached, the local device is unable to send packets off the local network segment,
effectively disconnecting it from the rest of the network. Even if a redundant router exists that
could serve as a default gateway for that segment, there is no dynamic method by which these
devices can determine the address of a new default gateway.

2. With a neat diagram explain how a virtual Router can be used to provide Router
redundancy.
Ans:
One way to prevent a single point of failure at the default gateway is to implement a virtual
router. To implement this type of router redundancy, multiple routers are configured to work
together to present the illusion of a single router to the hosts on the LAN, as shown in the
figure. By sharing an IP address and a MAC address, two or more routers can act as a single
virtual router.
The IP address of the virtual router is configured as the default gateway for the workstations
on a specific IP segment. When frames are sent from host devices to the default gateway, the
hosts use ARP to resolve the MAC address that is associated with the IP address of the default
gateway. The ARP resolution returns the MAC address of the virtual router. Frames that are
sent to the MAC address of the virtual router can then be physically processed by the currently
active router within the virtual router group. A protocol is used to identify two or more routers
as the devices that are responsible for processing frames that are sent to the MAC or IP address
of a single virtual router. Host devices send traffic to the address of the virtual router. The
physical router that forwards this traffic is transparent to the host devices.
A redundancy protocol provides the mechanism for determining which router should take the
active role in forwarding traffic. It also determines when the forwarding role must be taken
over by a standby router. The transition from one forwarding router to another is transparent to
the end devices.
The ability of a network to dynamically recover from the failure of a device acting as a default
gateway is known as first-hop redundancy.
When the active router fails, the redundancy protocol transitions the standby router to the new
active router role. These are the steps that take place when the active router fails, as shown in
the figure:
1. The standby router stops seeing Hello messages from the forwarding router.
2. The standby router assumes the role of the forwarding router.
3. Because the new forwarding router assumes both the IP and MAC addresses of the
virtual router, the host devices see no disruption in service.
3. List and describe FHRP options.
Ans:
The following list defines the options available for First Hop Redundancy Protocols (FHRPs):
Hot Standby Router Protocol (HSRP) - A Cisco-proprietary FHRP designed to allow for
transparent failover of a first-hop IPv4 device. HSRP provides high network availability by
providing first-hop routing redundancy for IPv4 hosts on networks configured with an IPv4
default gateway address. HSRP is used in a group of routers for selecting an active device and
a standby device. In a group of device interfaces, the active device is the device that is used for
routing packets; the standby device is the device that takes over when the active device fails,
or when pre-set conditions are met. The function of the HSRP standby router is to monitor the
operational status of the HSRP group and to quickly assume packet-forwarding responsibility
if the active router fails.
HSRP for IPv6 - Cisco-proprietary FHRP providing the same functionality of HSRP, but in
an IPv6 environment. An HSRP IPv6 group has a virtual MAC address derived from the HSRP
group number and a virtual IPv6 link-local address derived from the HSRP virtual MAC
address. Periodic router advertisements (RAs) are sent for the HSRP virtual IPv6 link-local
address when the HSRP group is active. When the group becomes inactive these RAs stop after
a final RA is sent.
Virtual Router Redundancy Protocol version 2 (VRRPv2) - A non-proprietary election
protocol that dynamically assigns responsibility for one or more virtual routers to the VRRP
routers on an IPv4 LAN. This allows several routers on a multiaccess link to use the same
virtual IPv4 address. A VRRP router is configured to run the VRRP protocol in conjunction
with one or more other routers attached to a LAN. In a VRRP configuration, one router is
elected as the virtual router master, with the other routers acting as backups, in case the virtual
router master fails.
VRRPv3 - Provides the capability to support IPv4 and IPv6 addresses. VRRPv3 works in
multi-vendor environments and is more scalable than VRRPv2.
Gateway Load Balancing Protocol (GLBP) - Cisco-proprietary FHRP that protects data
traffic from a failed router or circuit, like HSRP and VRRP, while also allowing load balancing
(also called load sharing) between a group of redundant routers.
GLBP for IPv6 - Cisco-proprietary FHRP providing the same functionality of GLBP, but in
an IPv6 environment. GLBP for IPv6 provides automatic router backup for IPv6 hosts
configured with a single default gateway on a LAN. Multiple first-hop routers on the LAN
combine to offer a single virtual first-hop IPv6 router while sharing the IPv6 packet forwarding
load.
ICMP Router Discovery Protocol (IRDP) - Specified in RFC 1256, IRDP is a legacy FHRP
solution. It allows IPv4 hosts to locate routers that provide IPv4 connectivity to other
(nonlocal) IP networks.
4. List and define various options available for First Hop Redundancy Protocols.
Ans:
Same as Q3
5. Define HSRP. Describe HSRP priority and pre-emption.
Ans:
HSRP:
Cisco provides HSRP and HSRP for IPv6 as a way to avoid losing outside network access if
your default router fails. HSRP is a Cisco-proprietary FHRP that is designed to allow for
transparent failover of a first-hop IP device.
HSRP ensures high network availability by providing first-hop routing redundancy for IP hosts
on networks configured with an IP default gateway address. HSRP is used in a group of routers
for selecting an active device and a standby device. In a group of device interfaces, the active
device is the device that is used for routing packets; the standby device is the device that takes
over when the active device fails, or when pre-set conditions are met. The function of the HSRP
standby router is to monitor the operational status of the HSRP group and to quickly assume
packet-forwarding responsibility if the active router fails.

HSRP Priority and Preemption


The role of the active and standby routers is determined during the HSRP election process. By
default, the router with the numerically highest IPv4 address is elected as the active router.
However, it is always better to control how your network will operate under normal conditions
rather than leaving it to chance.
• HSRP priority can be used to determine the active router.
• The router with the highest HSRP priority will become the active router.
• By default, the HSRP priority is 100.
• If the priorities are equal, the router with the numerically highest IPv4 address is
elected as the active router.
• To configure a router to be the active router, use the standby priority interface
command (standby [group-number] priority value). The range of the HSRP priority is 0 to 255.

By default, after a router becomes the active router, it will remain the active router even if
another router comes online with a higher HSRP priority.
• To force a new HSRP election process to take place when a higher priority router comes
online, preemption must be enabled using the standby preempt interface command.
Preemption is the ability of an HSRP router to trigger the re-election process. With
preemption enabled, a router that comes online with a higher HSRP priority will assume
the role of the active router.
• Preemption only allows a router to become the active router if it has a higher priority.
A router enabled for preemption, with equal priority but a higher IPv4 address will not
preempt an active router. Refer to the topology in the figure.
Note: With preemption disabled, the router that boots up first will become the active router if
there are no other routers online during the election process.

6. List and define HSRP States.


Ans:
HSRP State   Description
Initial      This state is entered through a configuration change or when an interface
             first becomes available.
Learn        The router has not determined the virtual IP address and has not yet seen a
             hello message from the active router. In this state, the router waits to hear
             from the active router.
Listen       The router knows the virtual IP address, but the router is neither the active
             router nor the standby router. It listens for hello messages from those
             routers.
Speak        The router sends periodic hello messages and actively participates in the
             election of the active and/or standby router.
Standby      The router is a candidate to become the next active router and sends
             periodic hello messages.
Active       The router is currently forwarding the packets that are sent to the virtual
             MAC address of the group, and sends periodic hello messages.

7. Discuss about HSRP timers.


Ans:
Each router uses three timers in HSRP, and all of them clock hello messages. How quickly
HSRP converges when a failure occurs depends on how the HSRP hello and hold timers are
configured. By default, these timers are set to 3 and 10 seconds, respectively, which means that
a hello packet is sent between the HSRP standby group devices every 3 seconds, and the
standby device becomes active when a hello packet has not been received for 10 seconds. You
can lower these timer settings to speed up the failover or preemption, but, to avoid increased
CPU usage and unnecessary standby state flapping, do not set the hello timer below one (1)
second or the hold timer below 4 seconds. Note that, if you use the HSRP tracking mechanism
and the tracked link fails, the failover or preemption occurs immediately, regardless of the hello
and hold timers. When a timer expires, the router transitions to a new HSRP state. The timers
can be changed with this command: standby [group-number] timers hellotime holdtime. For
example, standby 1 timers 5 15 sets a 5-second hello time and a 15-second hold time.
This table provides more information on these timers:
Timer          Description
Active timer   Used to monitor the active router. The timer starts any time a router receives
               a hello packet from the active router, and expires in accordance with the hold
               time value carried in that hello message.
Standby timer  Used to monitor the standby router. The timer starts any time a router
               receives a hello packet from the standby router, and expires in accordance
               with the hold time value carried in that hello message.
Hello timer    Used to clock hello packets. Routers in the speak, standby and active states
               send a hello packet each time this timer expires.
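The election, preemption, failover and tracking behaviour described in questions 2, 5, 6 and 7 can be checked end to end with a small simulation. The following Python is an added example, not code from the original notes or from Cisco: the router names, addresses, priorities and the whole-second simulated clock are assumptions, and the simulation follows the rules stated above (highest priority, then highest IPv4; preemption only for a strictly higher priority; takeover after the hold time; immediate takeover on a tracked-interface failure).

```python
"""HSRP election, hello/hold timers, failover, preemption and tracking simulated in plain
Python. Added example, not from the original notes or from Cisco; names, addresses,
priorities and the one-second simulated clock are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass
class HsrpRouter:
    name: str
    ip: str                 # interface IPv4 address, the election tie-break
    priority: int = 100     # HSRP default
    preempt: bool = False   # 'standby <group> preempt' configured
    up: bool = True
    state: str = "Initial"

    def election_key(self):
        # Highest priority wins; equal priorities fall back to the numerically highest IPv4.
        return (self.priority, int(ipaddress.IPv4Address(self.ip)))


class HsrpGroup:
    def __init__(self, virtual_ip, hello=3, hold=10):
        # Cisco guidance quoted in the notes: hello >= 1 s, hold >= 4 s, hold longer than hello.
        if hello < 1 or hold < 4 or hold <= hello:
            raise ValueError("unsafe HSRP timers")
        self.virtual_ip, self.hello, self.hold = virtual_ip, hello, hold
        self.routers, self.active, self.standby = [], None, None
        self.clock = self.last_hello = 0   # simulated seconds; last hello seen from the active
        self.log = []                      # (time, event) pairs

    def _refresh_standby(self):
        # The standby is the best up router other than the active; the rest just listen.
        others = [r for r in self.routers if r.up and r is not self.active]
        for r in others:
            r.state = "Listen"
        self.standby = max(others, key=HsrpRouter.election_key, default=None)
        if self.standby:
            self.standby.state = "Standby"

    def _make_active(self, router, why):
        self.active, router.state, self.last_hello = router, "Active", self.clock
        self.log.append((self.clock, f"{router.name} active ({why})"))
        self._refresh_standby()

    def join(self, router):
        """A router boots and joins the group (Speak state until a role is settled)."""
        self.routers.append(router)
        router.state = "Speak"
        if self.active is None or not self.active.up:
            self._make_active(max((r for r in self.routers if r.up), key=HsrpRouter.election_key), "election")
        elif router.preempt and router.priority > self.active.priority:
            self._make_active(router, "preempt")  # strictly higher priority; a higher IP never preempts
        else:
            self._refresh_standby()

    def fail(self, router):
        """Router (or its LAN interface) goes down; an active router's hellos simply stop."""
        router.up, router.state = False, "Initial"
        self._refresh_standby()

    def track_down(self, router, decrement=10):
        """'standby track': priority drops at once; a preempt-enabled standby with higher priority takes over."""
        router.priority -= decrement
        if (router is self.active and self.standby and self.standby.preempt
                and self.standby.priority > router.priority):
            self._make_active(self.standby, "track")

    def advance(self, seconds):
        """Hello every `hello` s while the active is up; standby takes over after `hold` s of silence."""
        for _ in range(seconds):
            self.clock += 1
            if self.active.up and self.clock % self.hello == 0:
                self.last_hello = self.clock
            elif not self.active.up and self.clock - self.last_hello >= self.hold:
                self._make_active(self.standby, "hold timer expired")


def demo():
    """Boot order, preemption, failover timing and tracking; returns the milestones."""
    g = HsrpGroup("192.168.1.1")
    r1 = HsrpRouter("R1", "192.168.1.2", priority=150, preempt=True)
    r2 = HsrpRouter("R2", "192.168.1.3")        # default priority 100
    r3 = HsrpRouter("R3", "192.168.1.4")        # same priority, higher IP
    result = {}
    g.join(r2)
    g.join(r3)                  # higher IP but no preempt: the router that booted first stays active
    result["boot"] = (g.active.name, g.standby.name)
    g.join(r1)                  # higher priority with preempt: takes over immediately
    result["preempt"] = (g.active.name, g.standby.name)
    g.advance(5)                # last hello from R1 at t=3
    g.fail(r1)                  # t=5: hellos stop
    g.advance(20)               # hold (10 s) expires at t=13 and R3 becomes active
    result["failover"] = (g.active.name, g.log[-1][0])
    g.track_down(r3)            # R3 drops to 90 but R2 cannot preempt: nothing changes
    result["track_without_preempt"] = g.active.name
    r2.preempt = True
    g.track_down(r3)            # R3 drops to 80; R2 (100, preempt) takes over at once
    result["track_with_preempt"] = (g.active.name, g.clock)
    return result
```

Running demo() shows the two points exam answers most often get wrong: with preemption off, the router that boots first keeps the active role even when a better candidate appears, and interface tracking only moves the active role if the other router has preemption enabled, because tracking merely lowers the priority.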
8. List and define various network security devices.
Ans:
Various network security devices are required to protect the network perimeter from outside
access. These devices could include
i. Virtual private network (VPN) enabled router,
ii. Next-generation firewall (NGFW),
iii. Network access control (NAC) device.
i. VPN-enabled router
A VPN-enabled router provides a secure connection to remote users across a public network
and into the enterprise network. VPN services can be integrated into the firewall.

ii. Next-generation firewall (NGFW):


An NGFW provides stateful packet inspection, application visibility and control, a next-
generation intrusion prevention system (NGIPS), advanced malware protection (AMP), and
URL filtering.

iii. Network access control (NAC) device.


A NAC device includes authentication, authorization, and accounting (AAA) services. In larger
enterprises, these services might be incorporated into an appliance that can manage access
policies across a wide variety of users and device types. The Cisco Identity Services Engine
(ISE) is an example of a NAC device.
9. Explain Cisco ESA and WSA.
Ans:
Today endpoints are best protected by a combination of Network Access Control (NAC), host-
based Advanced Malware Protection (AMP) software, an Email Security Appliance (ESA) and a
Web Security Appliance (WSA). Cisco provides both an ESA and a WSA, and both integrate AMP.
ESA:
The Cisco ESA is a device that is designed to monitor Simple Mail Transfer Protocol (SMTP).
The Cisco ESA is constantly updated by real-time feeds from Cisco Talos, which detects
and correlates threats and solutions by using a worldwide database monitoring system. This
threat intelligence data is pulled by the Cisco ESA every three to five minutes.
These are some of the functions of the Cisco ESA:
• Block known threats.
• Remediate against stealth malware that evaded initial detection.
• Discard emails with bad links (as shown in the figure).
• Block access to newly infected sites.
• Encrypt content in outgoing email to prevent data loss.

Fig: CISCO ESA discards the email with bad links.


1. Threat actor sends a phishing attack to an important host on the network.
2. The firewall forwards all email to the ESA.
3. The ESA analyzes the email, logs it, and if it is malware discards it.

WSA:

The Cisco Web Security Appliance (WSA) is a mitigation technology for web-based threats.
It helps organizations address the challenges of securing and controlling web traffic. The Cisco
WSA combines advanced malware protection, application visibility and control, acceptable use
policy controls, and reporting.

Cisco WSA provides complete control over how users access the internet. Certain features and
applications, such as chat, messaging, video and audio, can be allowed, restricted with time
and bandwidth limits, or blocked, according to the organization’s requirements. The WSA can
perform blacklisting of URLs, URL-filtering, malware scanning, URL categorization, Web
application filtering, and encryption and decryption of web traffic.

In the figure, an internal corporate employee uses a smartphone to attempt to connect to a
known blacklisted site.

1. A user attempts to connect to a website.


2. The firewall forwards the website request to the WSA.
3. The WSA evaluates the URL and determines it is a known blacklisted site. The WSA
discards the packet and sends an access denied message to the user.
10. Discuss Cisco Email Security Appliance and Web Security Appliance.
Ans:
Same as above
11. Write a short note on IEEE 802.1X.
Ans:
The IEEE 802.1X standard is a port-based access control and authentication protocol. This
protocol restricts unauthorized workstations from connecting to a LAN through publicly
accessible switch ports. The authentication server authenticates each workstation that is
connected to a switch port before making available any services offered by the switch or the
LAN.
With 802.1X port-based authentication, the devices in the network have specific roles, as
shown in the figure.
Client (Supplicant) - This is a device running 802.1X-compliant client software, which is
available for wired or wireless devices.
Switch (Authenticator) – The switch acts as an intermediary between the client and the
authentication server. It requests identifying information from the client, verifies that
information with the authentication server, and relays a response to the client. Another device
that could act as authenticator is a wireless access point.
Authentication server – The server validates the identity of the client and notifies the switch
or wireless access point that the client is or is not authorized to access the LAN and switch
services.
The diagram shows the devices involved in 802.1x port-based authentication. On the left is the
supplicant, in this case a desktop, which requires access and responds to requests from a switch.
The supplicant is connected to the authenticator, in this case a switch, which controls physical
access to the network based on client authentication status. The authenticator is connected to
the authentication server which performs client authentication.
12. Discuss about Layer 2 vulnerabilities.
Ans:
Generally network administrators routinely implement security solutions to protect the
elements in Layer 3 up through Layer 7. They use VPNs, firewalls, and IPS devices to protect
these elements. However, if Layer 2 is compromised, then all the layers above it are also
affected.

For example, if a threat actor with access to the internal network captured Layer 2 frames, then
all the security implemented on the layers above would be useless. The threat actor could cause
a lot of damage on the Layer 2 LAN networking infrastructure.
Various categories of Layer 2 (switch) attacks:
Category                    Examples
MAC Table Attacks           Includes MAC address flooding attacks.
VLAN Attacks                Includes VLAN hopping and VLAN double-tagging attacks. It also
                            includes attacks between devices on a common VLAN.
DHCP Attacks                Includes DHCP starvation and DHCP spoofing attacks.
ARP Attacks                 Includes ARP spoofing and ARP poisoning attacks.
Address Spoofing Attacks    Includes MAC address and IP address spoofing attacks.
STP Attacks                 Includes Spanning Tree Protocol manipulation attacks.

13. Explain about MAC address table flooding attack.


Ans:
All MAC tables have a fixed size and consequently, a switch can run out of resources in which
to store MAC addresses. MAC address flooding attacks take advantage of this limitation by
bombarding the switch with fake source MAC addresses until the switch MAC address table
is full.
When this occurs, the switch treats the frame as an unknown unicast and begins to flood all
incoming traffic out all ports on the same VLAN without referencing the MAC table. This
condition now allows a threat actor to capture all of the frames sent from one host to another
on the local LAN or local VLAN.
Note: Traffic is flooded only within the local LAN or VLAN. The threat actor can only capture
traffic within the local LAN or VLAN to which the threat actor is connected.
The figure shows how a threat actor can easily use the network attack tool macof to overflow
a MAC address table.

1. The threat actor is connected to VLAN 10 and uses macof to rapidly generate many
random source and destination MAC and IP addresses.
2. Over a short period of time, the switch’s MAC table fills up.
3. When the MAC table is full, the switch begins to flood all frames that it receives. As
long as macof continues to run, the MAC table remains full and the switch continues to
flood all incoming frames out every port associated with VLAN 10.
4. The threat actor then uses packet sniffing software to capture frames from any and all
devices connected to VLAN 10.
If the threat actor stops macof from running or is discovered and stopped, the switch eventually
ages out the older MAC address entries from the table and begins to act like a switch again.
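The fill-flood-age cycle described above, and the port-security mitigation listed later in these notes, can be reproduced with a toy switch model. The following Python is an added example, not code from the original notes or from any switch vendor: the eight-entry table, the port numbers, the MAC addresses and the 300-second aging time are assumptions chosen to keep the run short.

```python
"""A switch MAC (CAM) table under a macof-style flood, and port security as the
mitigation. Added example, not from the original notes; the tiny table size, port
numbers, MACs and the 300 s aging time are assumptions."""
import random
from collections import OrderedDict


class Switch:
    def __init__(self, table_size=8, aging_time=300, max_macs_per_port=None):
        self.table_size = table_size        # fixed CAM capacity
        self.aging_time = aging_time        # seconds before an idle entry is dropped
        self.max_macs = max_macs_per_port   # port-security maximum, None = not configured
        self.table = OrderedDict()          # mac -> (port, last_seen)
        self.err_disabled = set()           # ports shut down by a port-security violation
        self.clock = 0

    def _learn(self, mac, port):
        if self.max_macs is not None:
            on_port = {m for m, (p, _) in self.table.items() if p == port}
            if mac not in on_port and len(on_port) >= self.max_macs:
                self.err_disabled.add(port)  # violation mode 'shutdown'
                return False
        if mac not in self.table and len(self.table) >= self.table_size:
            return False                     # table full: the source cannot be learned
        self.table[mac] = (port, self.clock)
        return True

    def forward(self, src, dst, in_port, vlan_ports):
        """Return the egress ports for one frame; an unknown destination is flooded."""
        if in_port in self.err_disabled:
            return set()
        self._learn(src, in_port)
        if dst in self.table:
            return {self.table[dst][0]} - {in_port}
        return set(vlan_ports) - {in_port} - self.err_disabled

    def age(self, seconds):
        """Advance the clock and expire idle entries, as the switch does once the flood stops."""
        self.clock += seconds
        for mac, (_, seen) in list(self.table.items()):
            if self.clock - seen >= self.aging_time:
                del self.table[mac]


def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def macof_scenario(port_security=False):
    """Attacker on port 3 sends 50 frames with random addresses; hosts A (port 1) and
    B (port 2) then exchange frames. Returns what the switch did at each stage."""
    rng = random.Random(1)                  # fixed seed so the run is repeatable
    vlan10 = {1, 2, 3}
    sw = Switch(table_size=8, max_macs_per_port=1 if port_security else None)
    a, b = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"
    for _ in range(50):
        sw.forward(random_mac(rng), random_mac(rng), in_port=3, vlan_ports=vlan10)
    out = {"entries": len(sw.table), "err_disabled": sorted(sw.err_disabled)}
    out["a_to_b_during_flood"] = sw.forward(a, b, 1, vlan10)   # reaches port 3 unless port security stopped the flood
    sw.age(300)                             # attacker stops; bogus entries age out
    sw.forward(a, b, 1, vlan10)             # A is learned again
    out["b_to_a_after_aging"] = sw.forward(b, a, 2, vlan10)    # {1}: unicast again
    return out
```

Without port security the table is full after the flood, A's address cannot be learned, and the first A-to-B frame is flooded out ports 2 and 3, so the attacker captures it. With a maximum of one MAC address on port 3, the second bogus source address err-disables the attacker's port, the table holds a single bogus entry, and A-to-B traffic never reaches port 3.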
14. Explain VLAN hopping attack.
Ans:
VLAN Hopping Attacks:
A VLAN hopping attack enables traffic from one VLAN to be seen by another VLAN without
the aid of a router. In a basic VLAN hopping attack, the threat actor configures a host to act
like a switch to take advantage of the automatic trunking port feature enabled by default on
most switch ports.
The threat actor configures the host to spoof 802.1Q signaling and Cisco-proprietary Dynamic
Trunking Protocol (DTP) signaling to trunk with the connecting switch. If successful, the
switch establishes a trunk link with the host, as shown in the figure. Now the threat actor can
access all the VLANs on the switch. The threat actor can send and receive traffic on any VLAN,
effectively hopping between VLANs.

15. Explain VLAN double tagging.


Ans:
A VLAN double-tagging attack is unidirectional and works only when the attacker is connected
to a port residing in the same VLAN as the native VLAN of the trunk port. The idea is that
double tagging allows the attacker to send data to hosts or servers on a VLAN that otherwise
would be blocked by some type of access control configuration. Presumably the return traffic
will also be permitted, thus giving the attacker the ability to communicate with devices on the
normally blocked VLAN.

A threat actor in specific situations could embed a hidden 802.1Q tag inside the frame that
already has an 802.1Q tag. This tag allows the frame to go to a VLAN that the original 802.1Q
tag did not specify.
• Step 1: The threat actor sends a double-tagged 802.1Q frame to the switch. The outer
header has the VLAN tag of the threat actor, which is the same as the native VLAN of
the trunk port.

• Step 2: The frame arrives on the first switch, which looks at the first 4-byte 802.1Q tag.
The switch sees that the frame is destined for VLAN 10, which is the native VLAN.
The switch forwards the packet out all VLAN 10 ports after stripping the VLAN 10
tag. The frame is not retagged because it is part of the native VLAN. At this point, the
VLAN 20 tag is still intact and has not been inspected by the first switch.

• Step 3: The frame arrives at the second switch which has no knowledge that it was
supposed to be for VLAN 10. Native VLAN traffic is not tagged by the sending switch
as specified in the 802.1Q specification. The second switch looks only at the inner
802.1Q tag that the threat actor inserted and sees that the frame is destined for VLAN
20, the target VLAN. The second switch sends the frame on to the target or floods it,
depending on whether there is an existing MAC address table entry for the target.

VLAN Attack Mitigation - VLAN hopping and VLAN double-tagging attacks can be
prevented by implementing the following trunk security guidelines:
• Disable trunking on all access ports.
• Disable auto trunking on trunk links so that trunks must be manually enabled.
• Be sure that the native VLAN is only used for trunk links.
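The three steps above come down to how each switch handles the bytes at offset 12 of the frame. The following Python is an added example, not code from the original notes or from any switch vendor: the MAC addresses, VLAN numbers and the simplified access/trunk port logic are assumptions, while the 802.1Q tag layout (TPID 0x8100 followed by a 16-bit field whose low 12 bits are the VLAN ID) is the real one. It builds the attacker's double-tagged frame and runs it through the attack topology and through the mitigated one.

```python
"""Byte-level walk-through of the double-tagging attack and of the native-VLAN
mitigation. Added example, not from the original notes; MACs, VLAN numbers and the
toy switch logic are assumptions, the 802.1Q tag layout is the real one."""
import struct

TPID = 0x8100   # 802.1Q tag protocol identifier


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst, src, vlans, payload=b"hop"):
    """Ethernet frame with one 802.1Q tag per VLAN in `vlans`, outermost first."""
    tags = b"".join(struct.pack("!HH", TPID, vid & 0x0FFF) for vid in vlans)
    return mac_bytes(dst) + mac_bytes(src) + tags + struct.pack("!H", 0x0800) + payload


def pop_tag(frame):
    """Return (vid, frame without its outer tag), or (None, frame) if untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def access_ingress(frame, access_vlan):
    """Access port: untagged frames belong to the access VLAN; a tag equal to the access
    VLAN is accepted and stripped (whatever follows is now just payload); any other tag
    is dropped."""
    vid, rest = pop_tag(frame)
    if vid is None:
        return access_vlan, frame
    return (access_vlan, rest) if vid == access_vlan else (None, None)


def trunk_egress(vlan, frame, native_vlan):
    """Sending trunk: the native VLAN leaves untagged, anything else gets a tag pushed."""
    if vlan == native_vlan:
        return frame
    return frame[:12] + struct.pack("!HH", TPID, vlan) + frame[12:]


def trunk_ingress(frame, native_vlan):
    """Receiving trunk: untagged means native VLAN, otherwise the outer VID decides."""
    vid, rest = pop_tag(frame)
    return (native_vlan if vid is None else vid), rest


def deliver(frame, access_vlan, native_vlan):
    """Attacker's access port on switch 1 -> trunk -> switch 2. Returns the VLAN the
    second switch forwards the frame into, or None if switch 1 dropped it."""
    vlan, f = access_ingress(frame, access_vlan)
    if vlan is None:
        return None
    vlan2, _ = trunk_ingress(trunk_egress(vlan, f, native_vlan), native_vlan)
    return vlan2


def attack_results():
    """The same kind of double-tagged frame under three trunk configurations."""
    hop = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [10, 20])
    return {
        # attacker in VLAN 10 == native VLAN: outer tag stripped, sent untagged, inner tag 20 wins
        "native_is_attacker_vlan": deliver(hop, access_vlan=10, native_vlan=10),
        # native VLAN moved to an unused VLAN: frame is retagged 10 on the trunk and stays in VLAN 10
        "native_unused_vlan": deliver(hop, access_vlan=10, native_vlan=999),
        # attacker in VLAN 30 while native is 10: outer tag 30 is retagged, still contained
        "attacker_outside_native": deliver(
            build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [30, 20]), 30, 10),
    }
```

Only the first configuration lets the frame reach VLAN 20, which is the reason the attack is said to work only when the attacker sits in the native VLAN, and the reason the mitigation list tells you to keep the native VLAN off every access port.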

16. Explain DHCP attacks.


Ans:
Two types of DHCP attacks are DHCP starvation and DHCP spoofing. Both attacks are
mitigated by implementing DHCP snooping.
DHCP Starvation Attack – The goal of this attack is to create a DoS for connecting clients.
DHCP starvation attacks require an attack tool such as Gobbler. Gobbler has the ability to look
at the entire scope of leasable IP addresses and tries to lease them all. Specifically, it creates
DHCP DISCOVER messages with bogus MAC addresses until every lease in the pool is
consumed and legitimate clients can no longer obtain one.
DHCP Spoofing Attack – This occurs when a rogue DHCP server is connected to the network
and provides false IP configuration parameters to legitimate clients. A rogue server can provide
a variety of misleading information, including the following:
• Wrong default gateway - The rogue server provides an invalid gateway or the IP address
of its host to create a man-in-the-middle attack. This may go entirely undetected as the
intruder intercepts the data flow through the network.
• Wrong DNS server - The rogue server provides an incorrect DNS server address
pointing the user to a nefarious website.
• Wrong IP address - The rogue server provides an invalid IP address effectively creating
a DoS attack on the DHCP client.
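The starvation attack and the DHCP snooping checks that stop it can be modelled in a few lines. The following Python is an added example, not code from the original notes or from any vendor: the ten-address pool, the MAC addresses and the five-message rate limit are assumptions, and all fifty attack messages are treated as arriving within one second. The two checks modelled are the ones DHCP snooping applies on an untrusted port: the client hardware address (chaddr) inside the DISCOVER must match the frame's source MAC, and a port that exceeds its DHCP message rate limit is err-disabled.

```python
"""DHCP starvation (Gobbler-style DISCOVERs with bogus client hardware addresses)
and the DHCP snooping checks that blunt it. Added example, not from the original
notes; the pool, MACs and the 5-per-second rate limit are assumptions, and all 50
attack frames are treated as arriving within one second."""
import random


class DhcpServer:
    """Minimal lease allocator: one DISCOVER reserves one address per chaddr."""
    def __init__(self, pool):
        self.free = list(pool)
        self.leases = {}                    # chaddr -> ip

    def discover(self, chaddr):
        if chaddr in self.leases:
            return self.leases[chaddr]
        if not self.free:
            return None                     # pool exhausted: the DoS the attack aims for
        self.leases[chaddr] = self.free.pop(0)
        return self.leases[chaddr]


class SnoopingPort:
    """Untrusted access port with DHCP snooping: a DISCOVER whose chaddr does not
    match the frame's source MAC is dropped (the check Cisco calls 'ip dhcp snooping
    verify mac-address'), and a port exceeding its DHCP rate limit is err-disabled."""
    def __init__(self, rate_limit_per_second):
        self.rate_limit = rate_limit_per_second
        self.seen = 0                       # DHCP messages in the current second
        self.err_disabled = False

    def admit(self, src_mac, chaddr):
        if self.err_disabled:
            return False
        self.seen += 1
        if self.seen > self.rate_limit:
            self.err_disabled = True
            return False
        return src_mac == chaddr


def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def starvation_scenario(snooping, spoof_source=False):
    """Attacker sends 50 DISCOVERs with random chaddr through one port; a legitimate
    client then asks through its own port. Returns the outcome."""
    rng = random.Random(7)
    server = DhcpServer(f"10.0.0.{i}" for i in range(10, 20))   # 10 leasable addresses
    port = SnoopingPort(rate_limit_per_second=5) if snooping else None
    attacker_nic = "de:ad:be:ef:00:01"
    bogus_leases = 0
    for _ in range(50):
        chaddr = random_mac(rng)
        # A naive tool leaves the real NIC as the frame source; a smarter one spoofs it to match.
        src_mac = chaddr if spoof_source else attacker_nic
        if port is None or port.admit(src_mac, chaddr):
            bogus_leases += 1 if server.discover(chaddr) else 0
    return {
        "bogus_leases": bogus_leases,
        "legit_lease": server.discover("00:aa:bb:cc:dd:ee"),
        "port_err_disabled": bool(port and port.err_disabled),
    }
```

Without snooping the attacker takes all ten leases and the legitimate client gets nothing. With snooping, a tool that does not spoof the frame source is dropped on the chaddr check before a single lease is granted; a tool that does spoof it still gets only as many leases as the rate limit allows before the port is shut down, which is why the rate limit (and port security's per-port MAC limit) matters alongside the address check.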

3 Marks Questions
1. Differentiate authentication and authorization.
Ans:
Sno.  Authentication                                  Authorization
1     Usually the first step of security access       Usually comes after authentication.
      control.
2     Verifies the user's identity.                   Grants or denies the user permission to
                                                      do something.
3     Common methods are passwords, answers to        Permissions are granted and monitored by
      security questions, codes sent via SMS or       the organization.
      email, etc.
4     Uses biometric data like fingerprints, face     Common methods include role-based access
      recognition, retina scans, etc.                 control and attribute-based access control.
5     Visible to the user.                            Not visible to the user.
6     Its factors (for example a password) can be     Its settings cannot be changed by the user.
      changed by the user.

2. Identify the key differences between authentication and authorization.


Ans:
Same as above
3. How to configure SSH in a Cisco router?
Ans:
R1(config)# ip domain-name mvgr.com
R1(config)# crypto key generate rsa general-keys modulus 2048
R1(config)# username Admin secret cisco
R1(config)# ip ssh version 2
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# login local
A hostname and a domain name must be set before the RSA key pair can be generated. The
command ip ssh version 2 restricts the router to SSHv2 (SSHv1 has known weaknesses), and
transport input ssh disables Telnet on the vty lines so that only SSH logins, checked against the
local username database, are accepted. The password cisco is a placeholder and must be
replaced with a strong secret.
4. Show the commands to configure SSH in a Cisco router.
Ans:
Same as above
5. Differentiate Local and Server-based AAA Authentication.
Ans:
Sl No  Local AAA Authentication                       Server-based AAA Authentication
1      Local AAA stores usernames and passwords       With the server-based method, the router
       locally in a network device such as the        accesses a central AAA server. The AAA
       Cisco router. Users authenticate against       server contains the usernames and
       the local database.                            passwords for all users. When there are
                                                      multiple routers and switches, server-based
                                                      AAA is more appropriate.
2      Users log in to the device directly            The router uses either the Remote
       (generally over Telnet or SSH) and are         Authentication Dial-In User Service
       checked against the local database.            (RADIUS) or Terminal Access Controller
                                                      Access Control System Plus (TACACS+)
                                                      protocol to communicate with the AAA server.
3      Suited for small networks.                     Suited for large and very large networks.

(Or)
Aspect: Authentication Location
  Local: Authentication is performed locally on the networking device (e.g., router or switch).
  Server-based: Authentication is performed by a centralized server, such as a RADIUS or
  TACACS+ server.
Aspect: Device Independence
  Local: Settings are configured individually on each networking device.
  Server-based: Settings and user databases are centralized on the authentication server,
  reducing configuration overhead on individual devices.
Aspect: Scalability
  Local: Not suitable for large-scale networks, as each device must be configured separately.
  Server-based: Highly scalable, making it suitable for large and complex networks, as changes
  can be made centrally.
Aspect: User Management
  Local: Users and credentials are managed locally on each device, requiring manual updates
  and synchronization.
  Server-based: User management is centralized on the server, allowing for easier user
  provisioning, modification, and deactivation.
Aspect: Redundancy
  Local: Lacks inherent redundancy; if a device fails, authentication may fail for local users.
  Server-based: Provides redundancy options, such as backup servers, ensuring authentication
  availability even if one server fails.
Aspect: Security
  Local: Potentially less secure due to variations in security practices across devices and the
  risk of local compromise.
  Server-based: Offers a more standardized and controlled security environment, with strong
  authentication protocols and server hardening.
Aspect: Authentication Protocols
  Local: Typically supports basic authentication methods like local username/password or
  enable password.
  Server-based: Supports a wide range of authentication protocols, including EAP (Extensible
  Authentication Protocol), PAP (Password Authentication Protocol), and CHAP (Challenge
  Handshake Authentication Protocol).
Aspect: Accounting and Logging
  Local: Limited accounting and logging capabilities, with logs stored locally on each device.
  Server-based: Comprehensive accounting and logging features, with logs centrally stored for
  auditing and analysis.
Aspect: Ease of Management
  Local: Requires individual configuration on each networking device, leading to increased
  management complexity.
  Server-based: Streamlines management through a centralized server, making it easier to
  enforce consistent policies and settings.
6. Identify the basic difference between Local and Server-based AAA Authentication.
Ans:
Same as above
7. Write about accounting in AAA.
Ans:
AAA accounting collects and reports usage data. This data can be used for such purposes as
auditing or billing. The collected data might include the start and stop connection times,
executed commands, number of packets, and number of bytes.
A primary use of accounting is to combine it with AAA authentication. The AAA server keeps
a detailed log of exactly what the authenticated user does on the device, as shown in the figure.
This includes all EXEC and configuration commands issued by the user. The log contains
numerous data fields, including the username, the date and time, and the actual command that
was entered by the user. This information is useful when troubleshooting devices. It also
provides evidence for when individuals perform malicious acts.

1. When a user has been authenticated, the AAA accounting process generates a start
message to begin the accounting process.
2. When the user finishes, a stop message is recorded and the accounting process ends.
8. Identify the function of accounting in AAA.
Ans:
AAA accounting collects and reports usage data. This data can be used for such purposes as
auditing or billing. The collected data might include the start and stop connection times,
executed commands, number of packets, and number of bytes.
A primary use of accounting is to combine it with AAA authentication.
(or)
In the context of AAA (Authentication, Authorization, and Accounting), the function of
"accounting" is to provide detailed monitoring, logging, and auditing of user activities on a
network. Accounting plays a crucial role in ensuring network security, compliance, and
accountability. Here are the key functions of accounting in AAA:
1. Monitoring User Sessions: Accounting tracks the start and end times of user sessions,
including when users log in and log out of the network. This helps network
administrators keep tabs on active sessions.
2. Usage Tracking: It records the network resources and services that users access during
their sessions. This can include data like which devices were used, the duration of
usage, and the amount of data transferred.
3. Resource Allocation: Accounting can track resource allocation, such as IP addresses,
bandwidth, and access permissions, to ensure that users are granted appropriate levels
of access based on their authorization profiles.
4. Security Auditing: It plays a critical role in security auditing by generating detailed logs
of user activities. These logs can be reviewed to detect any suspicious or unauthorized
behavior, which is essential for identifying security threats.
5. Billing and Reporting: In some cases, accounting is used for billing purposes in
environments where services are charged based on usage. It can generate usage reports
that help organizations bill users or departments accurately.
6. Troubleshooting: Detailed accounting records are valuable for troubleshooting network
issues. Network administrators can review accounting logs to identify the source of
problems or errors.
7. Compliance and Accountability: Accounting records are essential for compliance with
regulatory requirements and internal policies. They provide an audit trail that
demonstrates accountability and adherence to security and usage policies.
8. Historical Data: Accounting records can be stored for historical purposes, allowing
organizations to analyze past usage patterns, detect trends, and make informed
decisions about resource allocation and security measures.
9. Integration with Other AAA Components: Accounting works in conjunction with
authentication and authorization components in the AAA framework. For example,
when a user is authenticated and authorized to access specific resources, accounting
records the actual usage of those resources.
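As an added example (not part of the original notes), the following Cisco IOS configuration turns on the accounting described above for device administration and network sessions. The server name TAC1, the address 10.0.0.5 and the shared secret are placeholders chosen for the example.

```cisco
! Added example: AAA accounting on a Cisco IOS router or switch.
! Assumed values: server name TAC1, address 10.0.0.5 and the key are placeholders.
aaa new-model
!
tacacs server TAC1
 address ipv4 10.0.0.5
 key CHANGE-ME-SHARED-SECRET
!
aaa group server tacacs+ TAC-GROUP
 server name TAC1
!
! Authentication and authorization come first; accounting only records what they allowed.
! "local" is the fallback so the device stays manageable if the AAA server is unreachable.
aaa authentication login default group TAC-GROUP local
aaa authorization exec default group TAC-GROUP local
!
! Session accounting: a START record at login and a STOP record (with elapsed time) at logout
aaa accounting exec default start-stop group TAC-GROUP
! Command accounting: one record per privilege-15 command entered (the audit trail)
aaa accounting commands 15 default stop-only group TAC-GROUP
! Network accounting (PPP/VPN sessions): START/STOP records carry bytes and packets in/out
aaa accounting network default start-stop group TAC-GROUP
!
! Verification
! show aaa servers    -> accounting requests sent / accepted / timed out per server
! show aaa sessions   -> sessions currently being accounted on this device
```

Command accounting is only available with TACACS+; a RADIUS server group can be used for the exec and network accounting lines in the same way.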

9. List and describe any three switch attack mitigation techniques.
Ans:
Switch Attack Mitigation

Solution                        Description
Port Security                   Prevents many types of attacks including MAC address flooding
                                attacks and DHCP starvation attacks.
DHCP Snooping                   Prevents DHCP starvation and DHCP spoofing attacks.
Dynamic ARP Inspection (DAI)    Prevents ARP spoofing and ARP poisoning attacks.
IP Source Guard (IPSG)          Prevents MAC and IP address spoofing attacks.

These Layer 2 solutions will not be effective if the management protocols are not secured. For
example, the management protocols Syslog, Simple Network Management Protocol (SNMP)
versions 1 and 2c, Trivial File Transfer Protocol (TFTP), Telnet, File Transfer Protocol (FTP)
and most other common management protocols send their data, including credentials, in clear
text and do not authenticate the peer; therefore, the following strategies are recommended:
• Always use the secure variants of these protocols: SSH instead of Telnet, Secure Copy
  Protocol (SCP) or SFTP (both carried over SSH) instead of TFTP/FTP, SNMPv3 with
  authentication and privacy instead of SNMPv1/v2c, and Transport Layer Security (TLS, the
  successor to SSL) for web management and syslog transport.
• Consider using an out-of-band management network to manage devices.
• Use a dedicated management VLAN where nothing but management traffic resides.
• Use ACLs to filter unwanted access, for example by restricting the vty lines to the
  management subnet.
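The four strategies above, applied together on one switch, as an added example that is not part of the original notes. The hostname, domain name, VLAN 99, the 10.99.0.0/24 management subnet, the vty range and all passwords are placeholders assumed for the example.

```cisco
! Added example: management-plane hardening of a Cisco IOS switch.
! Assumed values: hostname, domain, VLAN 99, 10.99.0.0/24 and all secrets are placeholders.
hostname SW1
ip domain-name example.internal
username admin privilege 15 secret CHANGE-ME-PASSWORD
!
! Local AAA so that SSH, SCP and the vty lines all authenticate against the local user
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! SSH version 2 only; the RSA key needs hostname and domain-name configured first
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Dedicated management VLAN; user VLANs carry no management traffic
vlan 99
 name MGMT
interface Vlan99
 ip address 10.99.0.10 255.255.255.0
 no shutdown
!
! Only the management subnet may reach the CLI, and only over SSH (Telnet is no longer accepted)
ip access-list standard MGMT-ACCESS
 permit 10.99.0.0 0.0.0.255
 deny   any log
line vty 0 4
 transport input ssh
 access-class MGMT-ACCESS in
 exec-timeout 10 0
!
! SCP instead of TFTP/FTP for image and config transfers (needs the AAA lines above)
ip scp server enable
!
! Plain-HTTP management off; HTTPS only if a web UI is needed at all
no ip http server
ip http secure-server
!
! SNMPv3 with authentication and privacy instead of community-string SNMPv1/v2c
snmp-server group NMS-GROUP v3 priv
snmp-server user nms-user NMS-GROUP v3 auth sha CHANGE-ME-AUTH priv aes 128 CHANGE-ME-PRIV
!
! Verification
! show ip ssh                      -> "SSH Enabled - version 2.0"
! show line vty 0 4                -> transport input ssh, access-class applied
! show snmp user                   -> v3 users with auth/priv protocols
```

An out-of-band management network would additionally put Vlan99 (or a dedicated management Ethernet port) on a physically separate path from user traffic; the ACL and SSH-only vty settings apply unchanged there.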

10. List any three solutions and description of switch attack mitigation techniques.
Ans:
See the above answer
11. List layer 2 attack categories.
Ans:
Category                    Examples
MAC Table Attacks           Includes MAC address flooding attacks.
VLAN Attacks                Includes VLAN hopping and VLAN double-tagging attacks. It also
                            includes attacks between devices on a common VLAN.
DHCP Attacks                Includes DHCP starvation and DHCP spoofing attacks.
ARP Attacks                 Includes ARP spoofing and ARP poisoning attacks.
Address Spoofing Attacks    Includes MAC address and IP address spoofing attacks.
STP Attacks                 Includes Spanning Tree Protocol manipulation attacks.

12. Identify various categories of layer 2 attacks.
Ans:
Same as above
13. Explain MAC address table flooding attack and its mitigation.
Ans:
All MAC address tables have a fixed size and consequently a switch can run out of space in
which to store MAC addresses. MAC address flooding attacks take advantage of this limitation
by bombarding the switch with frames carrying thousands of fake source MAC addresses until
the switch MAC address table is full.
When this occurs, the switch can no longer learn the addresses of legitimate hosts, so frames
destined for those hosts are treated as unknown unicasts and flooded out all ports in the same
VLAN without referencing the MAC table. This condition now allows a threat actor to capture
all of the frames sent from one host to another on the local LAN or local VLAN, exactly as if
the switch had been turned into a hub.
Note: Traffic is flooded only within the local LAN or VLAN. The threat actor can only capture
traffic within the local LAN or VLAN to which the threat actor is connected, and only for as
long as the attack keeps the table full (the fake entries age out once the flood stops).
Mitigation of MAC address table flooding:
To mitigate MAC address table overflow attacks, network administrators must implement port
security. Port security only allows a specified number of source MAC addresses to be learned
on a port; when that limit is exceeded the configured violation action (protect, restrict or
shutdown) is taken, so a flood of fake source addresses is stopped at the attacker's own port
and never reaches the shared MAC table.
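Port security as the mitigation for this attack, as an added example that is not part of the original notes. The interface FastEthernet0/5 and VLAN 10 are placeholders assumed for the example.

```cisco
! Added example: port security on one access port. Interface and VLAN are placeholders.
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! Learn at most 2 source MACs (e.g. an IP phone and the PC behind it).
 ! A flood of fake source addresses trips this limit on the third address.
 switchport port-security maximum 2
 ! Learned MACs are written into the running config so they survive a link flap
 switchport port-security mac-address sticky
 ! restrict: drop frames from any further MAC, log/trap the violation, keep the port up.
 ! Alternatives: shutdown (err-disable the port), protect (drop silently, no log).
 switchport port-security violation restrict
!
! Optional: let a port that was err-disabled by "shutdown" mode recover by itself
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification
! show port-security interface FastEthernet0/5  -> status, max/current MACs, violation count
! show port-security address                    -> the secure MAC table per port
! show mac address-table count                  -> used vs available MAC table entries
```

The "violation count" in the first show command is the quickest sign that a flood is being attempted on that port; the last command shows whether the shared table is actually filling up.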

14. Identify the consequences of ARP attack. Suggest a mitigation technique.
Ans:
Consequences:
The most direct impact of an ARP poisoning attack is that traffic destined for one or more hosts
on the local network will instead be steered to a destination of the attacker's choosing.
The traffic could be sent to the attacker's machine or to a non-existent location. In the first
case there may be no observable effect for the victim (the attacker forwards the traffic on after
inspecting it), while in the second case the victim loses access to the network.
1. Man-in-the-Middle (MITM) Attacks: Attackers can intercept and eavesdrop on
network traffic passing between two legitimate devices. This allows them to capture
sensitive data, including login credentials, emails, and financial information.
2. Traffic Diversion: Attackers can redirect network traffic to pass through their device.
This enables them to control and manipulate network traffic, potentially leading to
unauthorized access to data or the insertion of malicious content.
3. Denial of Service (DoS): ARP attacks can disrupt network services by causing
confusion in the ARP cache of devices. Legitimate devices may be unable to
communicate with their intended destinations, resulting in network outages.
4. Data Modification: Attackers can modify data packets as they pass through their
device, which can lead to data corruption, unauthorized alterations, or the insertion of
malicious payloads.
5. Compromised Credentials: When users log in to network resources during an ARP
attack, their login credentials can be intercepted. Attackers may then use these stolen
credentials for unauthorized access.

ARP Attack Mitigation Technique:
• ARP spoofing and ARP poisoning are mitigated by implementing Dynamic ARP
  Inspection (DAI). DAI intercepts ARP packets on untrusted ports and drops any whose
  sender MAC/IP pair does not match the DHCP snooping binding table (or a configured
  ARP ACL), so DHCP snooping must be enabled on the VLAN first.
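DHCP snooping and DAI together, as an added example that is not part of the original notes; it also covers the DHCP starvation and spoofing mitigations listed earlier. GigabitEthernet0/24 as the uplink toward the legitimate DHCP server, FastEthernet0/1-23 as host ports, VLAN 10, and the static binding for 0011.2233.4455 / 10.10.10.50 are placeholders assumed for the example.

```cisco
! Added example: DHCP snooping plus Dynamic ARP Inspection on VLAN 10.
! Assumed: Gi0/24 is the uplink toward the DHCP server; Fa0/1-23 face end hosts.
ip dhcp snooping
ip dhcp snooping vlan 10
! Do not insert option 82 on client packets unless the upstream relay/server expects it
no ip dhcp snooping information option
!
interface GigabitEthernet0/24
 description uplink to DHCP server / core
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range FastEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 ! Untrusted by default: a DHCPOFFER/ACK from a rogue server on these ports is dropped
 ! (spoofing); rate-limiting DISCOVERs stops one host exhausting the pool (starvation)
 ip dhcp snooping limit rate 15
 ! Rate-limit ARP so one host cannot flood the CPU with packets to inspect
 ip arp inspection limit rate 15
!
! DAI checks every ARP packet on untrusted ports against the snooping binding table
! (MAC, IP, VLAN, port). A reply claiming the gateway IP from the attacker's MAC is dropped.
ip arp inspection vlan 10
! Also require the Ethernet source MAC to match the ARP sender MAC, and the same for
! destination, and reject invalid/unexpected IPs (0.0.0.0, 255.255.255.255, multicast)
ip arp inspection validate src-mac dst-mac ip
!
! A host with a static address has no lease, so give it a binding or DAI drops its ARP
ip source binding 0011.2233.4455 vlan 10 10.10.10.50 interface FastEthernet0/7
!
! Verification
! show ip dhcp snooping              -> enabled VLANs, trusted ports, rate limits
! show ip dhcp snooping binding      -> learned MAC / IP / lease / VLAN / port bindings
! show ip arp inspection vlan 10     -> DAI state and validation options
! show ip arp inspection statistics  -> forwarded vs dropped ARP packets per VLAN
```

The dropped counter in the last command, together with the syslog messages DAI emits, is what a SOC would alert on: a single untrusted port producing a steady stream of ARP drops is the signature of a poisoning tool running on that host.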

15. How can VLAN attack mitigation be done?
Ans:
i) Disable trunking on every port that connects to an end device: configure these ports
   explicitly as access ports (switchport mode access) so they can never become trunks.
ii) Disable DTP (Dynamic Trunking Protocol) on those ports (switchport nonegotiate). The
    Dynamic Auto and Dynamic Desirable modes let an attacker negotiate a trunk simply by
    sending DTP frames.
iii) Set the native VLAN on every trunk to an unused VLAN that is never assigned to an access
     port. Double tagging only works when the attacker's access VLAN is the trunk's native
     VLAN, because the outer tag is removed when the frame is carried untagged on the trunk.
iv) Do not put any host in the network on the default VLAN (VLAN 1); also shut down unused
    ports and place them in an unused "parking" VLAN.
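The four steps above as one switch configuration, as an added example that is not part of the original notes. The interface ranges, VLANs 10/20/30, the parking VLAN 666 and the native VLAN 999 are placeholders assumed for the example.

```cisco
! Added example: VLAN hopping mitigation. Interface names and VLAN numbers are placeholders.
! Default Catalyst behaviour that makes hopping possible: ports in "dynamic auto/desirable"
! negotiate a trunk with anyone who sends DTP, and trunks use VLAN 1 (untagged) as native.
!
! 1. Access ports toward hosts: fixed access mode, DTP off, never in VLAN 1
interface range FastEthernet0/1 - 22
 switchport mode access
 switchport nonegotiate
 switchport access vlan 10
!
! 2. Unused ports: parked in a black-hole VLAN and shut down
vlan 666
 name UNUSED_PARKING
interface range FastEthernet0/23 - 24
 switchport mode access
 switchport access vlan 666
 shutdown
!
! 3. Trunks: explicit, DTP off, an unused native VLAN so a double-tagged frame has no
!    victim VLAN, and only the VLANs that must cross the link
vlan 999
 name NATIVE_UNUSED
interface GigabitEthernet0/1
 ! encapsulation line is required on platforms that also support ISL; omit on dot1q-only models
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! Where supported, tag the native VLAN as well so no untagged frame is accepted on a trunk
vlan dot1q tag native
!
! Verification
! show interfaces switchport  -> "Negotiation of Trunking: Off", administrative mode per port
! show interfaces trunk       -> native VLAN and allowed VLANs per trunk
! show dtp interface Fa0/1    -> should show DTP disabled on every host-facing port
```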
16. Define address spoofing and suggest a mitigation technique.
Ans:
IP addresses and MAC addresses can be spoofed for a variety of reasons. IP address spoofing
is when a threat actor hijacks a valid IP address of another device on the subnet, or uses a
random IP address. IP address spoofing is difficult to mitigate with routing or ACLs alone,
especially when the spoofed address belongs to the same subnet the attacker is on, because
nothing in the packet itself distinguishes it from the legitimate host's traffic.

MAC address spoofing attacks occur when the threat actor alters the MAC address of their host
to match the known MAC address of a target host. The attacking host then sends a frame
through the network with the newly configured source MAC address; the switch learns it on
the attacker's port and overwrites the entry for the real host, so frames for the target are now
delivered to the attacker instead.
Mitigation of IP and MAC Spoofing Attacks:
Both are mitigated by implementing IP Source Guard (IPSG), which uses the DHCP snooping
binding table to drop any packet whose source IP address (and, with the port-security option,
source MAC address) does not match the binding learned on that port.
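IPSG on the host-facing ports, as an added example that is not part of the original notes. It assumes DHCP snooping is enabled for the VLAN (the bindings come from it); FastEthernet0/1-22, FastEthernet0/5, VLAN 10 and the static binding values are placeholders.

```cisco
! Added example: IP Source Guard. Prerequisite: DHCP snooping on the VLAN, since the
! binding table it builds is what IPSG filters against. Interface names are placeholders.
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface range FastEthernet0/1 - 22
 switchport mode access
 switchport access vlan 10
 ! Source-IP filter: a packet whose source IP is not bound to this port is dropped.
 ! Until the host completes DHCP, only DHCP traffic is allowed through the port.
 ip verify source
!
! One of the ports above upgraded to source IP + source MAC filtering. This mode requires
! port security on the same port; a frame with a forged source MAC then becomes a
! port-security violation instead of a forwarded packet.
interface FastEthernet0/5
 switchport port-security
 switchport port-security maximum 2
 ip verify source port-security
!
! A host with a static address has no lease, so give it a binding or all its traffic is dropped
ip source binding 0011.2233.4455 vlan 10 10.10.10.50 interface FastEthernet0/7
!
! Verification
! show ip verify source     -> per-port filter type (ip or ip-mac) and the active bindings
! show ip source binding    -> DHCP-learned and static bindings used for filtering
```

A practical check before enabling IPSG in "ip-mac" mode on a port: confirm the binding for that port already exists in `show ip dhcp snooping binding`, otherwise the legitimate host is cut off the moment the command is entered.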

2 M Questions
Give the full form of RADIUS and TACACS.
Ans:
RADIUS: Remote Authentication Dial-In User Service
TACACS: Terminal Access Controller Access Control System (the version used by modern
Cisco AAA is TACACS+)
Elaborate RADIUS and TACACS.
Ans:
With the server-based method, the router accesses a central AAA server. The AAA
server contains the usernames and passwords for all users. The router uses either the
Remote Authentication Dial-In User Service (RADIUS) or Terminal Access
Controller Access Control System Plus (TACACS+) protocol to communicate with the
AAA server. RADIUS runs over UDP (ports 1812 for authentication and 1813 for
accounting), combines authentication and authorization in one exchange and encrypts
only the password in the request; TACACS+ runs over TCP port 49, separates
authentication, authorization and accounting into independent functions and encrypts
the entire packet body. For these reasons TACACS+ is preferred for device
administration (including per-command authorization and accounting) and RADIUS for
network access such as 802.1X and VPN users.
Differentiate Spoofing and Snooping.
Ans:
Snooping is a form of eavesdropping with the purpose of learning information that
is not intended to be visible or shared. Spoofing, on the other hand, is a method
used to make an electronic device or network look like it is a trusted source.
What is the difference between Spoofing and Snooping.
Ans:
See the above answer
List the DHCP messages between a DHCP client and server in a proper order.
Ans:
Discover (DHCPDISCOVER, broadcast by the client)
Offer (DHCPOFFER, from each server)
Request (DHCPREQUEST, broadcast by the client naming the chosen server)
Acknowledge (DHCPACK, from the chosen server)

What are the messages exchanged between a DHCP client and server?
Ans:
The client broadcasts a DHCPDISCOVER.

Each server may respond with a DHCPOFFER message.

The client receives one or more DHCPOFFER messages from one or more servers
and chooses one server from which to request configuration parameters.
The client broadcasts a DHCPREQUEST message.

Those servers not selected by the DHCPREQUEST message use the message as
notification that the client has declined that server's offer.

The server selected in the DHCPREQUEST message commits the binding for the client to
persistent storage and responds with a DHCPACK message containing the configuration
parameters for the requesting client.

The client receives the DHCPACK message with configuration parameters. At this
point, the client is configured.

If the client receives a DHCPNAK message, the client restarts the configuration
process.

The client may choose to relinquish its lease on a network address by sending a
DHCPRELEASE message to the server (e.g. on shutdown).

The server receives the DHCPRELEASE message and marks the lease as free.

Define Unsolicited ARP reply with an example.
Ans:
A client can send an unsolicited ARP Reply called a "gratuitous ARP". Other hosts
on the subnet store the MAC address and IP address contained in the gratuitous
ARP in their ARP tables, without ever having asked for that mapping.

A Gratuitous ARP is an ARP Response that was not prompted by an ARP Request.
The Gratuitous ARP is sent as a broadcast, as a way for a node to announce or
update its IP to MAC mapping to the entire network (for example after a NIC
replacement, or when a redundant gateway takes over a virtual IP address).

Example:
Because hosts accept the mapping without checking it, a threat actor can send
unsolicited ARP Replies that bind the IP address of the default gateway to the
threat actor's own MAC address. Every host on the subnet updates its ARP table,
and traffic meant for the gateway is now sent to the threat actor, effectively setting
up a man-in-the-middle attack. Note that it is the hosts' ARP caches that are
poisoned, not the switch's MAC address table: the switch still learns the attacker's
real MAC address on the attacker's port and forwards frames to it as usual.
Identify the purpose of DAI.
Ans:
Dynamic ARP Inspection (DAI)
With DAI we can mitigate ARP spoofing and ARP poisoning
Give the full forms of the following: a) BPDU b) IPSG c) SFTP d) DAI
Ans:
a) BPDU: Bridge Protocol Data Unit
b) IPSG: IP Source Guard
c) SFTP: Secure File Transfer Protocol
d) DAI: Dynamic ARP Inspection
Identify the vulnerabilities of VLAN.
Ans:
CAM Table Overflow/Media Access Control (MAC) Attack.
Address Resolution Protocol (ARP) attack.
Switch Spoofing/Basic VLAN Hopping Attack.
Double Tagging/Double Encapsulation VLAN Hopping Attack.
Identify the vulnerabilities of DHCP.
Ans:
DHCP Starvation
DHCP Spoofing
Identify the purpose of CDP.
Ans:
CDP (Cisco Discovery Protocol) is enabled on all Cisco devices by default and lets
directly connected Cisco devices learn about each other. Network administrators use
CDP to help configure and troubleshoot network devices. CDP information is sent out
CDP-enabled ports in periodic, unencrypted, unauthenticated Layer 2 multicast frames
that any device on the same link can read. CDP information includes the IP address of
the device, IOS software version, platform, capabilities, and the native VLAN. The
device receiving the CDP message updates its CDP database. An attacker on an edge
port can therefore collect this reconnaissance data simply by listening; LLDP, the
standards-based equivalent, has the same weakness.

How can you mitigate CDP attack?
Ans:
To mitigate the exploitation of CDP, limit the use of CDP on devices or ports. For
example, disable CDP on edge ports that connect to untrusted devices.

List the commands of Cisco router to mitigate CDP attack.
Ans:
Switch(config)# no cdp run             ! disable CDP on the whole device
Switch(config-if)# no cdp enable       ! or disable CDP only on this interface (e.g. an edge port)
Switch(config)# no lldp run            ! disable LLDP on the whole device
Switch(config-if)# no lldp transmit    ! or stop sending LLDP on this interface
Switch(config-if)# no lldp receive     ! and stop processing LLDP received on this interface

Identify the type of attack possible on STP and what is the remedy for it?
Ans:
Type of Attack on STP: A threat actor connects a rogue switch (or a host running software
that emits BPDUs) and sends BPDUs with a lower bridge priority than the current root.
The switches elect the attacker's device as the root bridge and recompute the topology
around it, so traffic between the other switches can be made to pass through, and be
captured by, the attacker's device. A stream of forged BPDUs can also force repeated
topology changes and cause a denial of service.
Remedy: To mitigate this STP manipulation attack, implement BPDU Guard on all
access ports, so that a BPDU received on a port where no switch should ever be
connected immediately err-disables that port.

Describe the purpose of BPDU guard.
Ans:
• BPDU Guard protects the STP topology from unauthorized devices: a PortFast-enabled
  access port that receives any BPDU is immediately placed in the err-disabled state, so
  a rogue switch can never take part in the spanning-tree election.
• It should be applied on all access ports (globally with spanning-tree portfast
  bpduguard default, or per interface) to effectively safeguard the network against
  unauthorized STP manipulation attempts, and never on uplinks or trunks, where
  BPDUs are expected.
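BPDU Guard as described in the two answers above, as an added example that is not part of the original notes. The interface ranges are placeholders; the Root Guard line at the end goes beyond the page (it is not mentioned in the notes) and is included because it addresses the root-bridge spoofing case where the attacker is a real switch behind a port that must legitimately carry BPDUs.

```cisco
! Added example: BPDU Guard with PortFast on access ports. Interface names are placeholders.
! Globally: every PortFast port gets BPDU Guard; a BPDU received there err-disables the port
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Per port (explicit, works even if the global defaults are later removed)
interface range FastEthernet0/1 - 22
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplinks/trunks must NOT get BPDU Guard: they are the ports that legitimately carry BPDUs
interface GigabitEthernet0/1
 switchport mode trunk
 no spanning-tree portfast
 spanning-tree bpduguard disable
 ! Beyond the page: Root Guard lets this neighbour stay in STP but blocks the port if it
 ! ever advertises a superior BPDU, i.e. tries to become root
 spanning-tree guard root
!
! Auto-recover an err-disabled port after 5 minutes; it is disabled again if BPDUs persist
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verification
! show spanning-tree summary                            -> "Portfast BPDU Guard Default is enabled"
! show interfaces status err-disabled                   -> ports knocked down by a received BPDU
! show spanning-tree interface FastEthernet0/5 detail   -> "bpdu guard is enabled"
```

The syslog message a BPDU Guard shutdown produces (the %SPANTREE-2-BLOCK_BPDUGUARD event naming the port) is worth forwarding to the SIEM: on a correctly configured network it should never fire, so every occurrence is either a wiring mistake or an attack.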
