Chapter 9


Why and how should you separate public (external) and private (internal) VLANs?


Answer: Separating your internal (private) and external (public) networks provides a measure of security by not exposing internal resources to the outside world. You do so by using two switches and a firewall: one switch on the public, or outer, side of the firewall and one switch on the private, or inner, side of the firewall.


What is port security?


Answer: Port security is used to deny access to a switch, or to a network connected to that switch, through a given switch port. When port security is enabled on a switch port, any MAC address not specified for that port is denied access to the switch and to any networks to which the switch is connected.


What is the difference between in-band and out-of-band management and the benefit of each?


Answer: In-band management means that network management traffic is carried to the network management workstations and managers across the same network as the data traffic: it traverses the same devices and consumes the same bandwidth as the user data traffic. Out-of-band management means that network management traffic is carried to the network management workstations and managers across a separate network from the user data traffic.

The benefit of in-band management is that little additional money is spent in building the network management infrastructure. The accompanying drawback of in-band management is that it uses network resources designed for your users. The benefit of out-of-band management is that the network management traffic does not consume bandwidth on the data network and therefore does not impact the data traffic. The drawback of out-of-band management is the cost of building a second network infrastructure to carry your network management traffic.


What are some of the common Layer 2 attacks on a network?


Answer: Some of the most common Layer 2 attacks are MAC flooding attacks, ARP attacks, private VLAN attacks, multicast brute-force attacks, Spanning-Tree attacks, and random frame stress attacks.


What is an ARP attack?


Answer: ARP attacks can occur within a single VLAN as well as across VLANs: by sending ARP packets containing forged identities, the attacker can fool a switch into forwarding packets to a network device in a different VLAN. ARP attacks require the attacker to spoof the MAC address of a legitimate member of a VLAN, pretending to be that legitimate member. ARP spoofing, or ARP poisoning, is an effective attack because the switch has no way of knowing that someone has stolen the legitimate MAC address.
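As an added example (not from the book), here is the detection side of this: a small Python parser for ARP reply frames that keeps a learned IP-to-MAC table and flags any IP that later claims a different MAC, which is the inconsistency ARP poisoning leaves behind and the signal arpwatch-style monitors look for. The frames and addresses below are constructed sample data, not captured traffic.

```python
import struct
# Wire formats (network byte order): Ethernet II header, then an Ethernet/IPv4 ARP body.
ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def parse_arp_reply(frame: bytes):
    """Return (sender MAC, sender IP) of an Ethernet/IPv4 ARP reply, else None."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _, _ = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return mac_str(sha), ip_str(spa)

def detect_arp_conflicts(frames):
    """Learn IP->MAC from ARP replies; alert when a known IP later claims a different MAC."""
    table, alerts = {}, []
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed is None:
            continue
        mac, ip = parsed
        known = table.setdefault(ip, mac)      # first sighting is learned, not alerted
        if known != mac:
            alerts.append((ip, known, mac))     # (ip, learned MAC, conflicting MAC)
    return alerts

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct a sample ARP reply frame for testing; this is not captured traffic."""
    return (ETH_HDR.pack(target_mac, sender_mac, ETHERTYPE_ARP)
            + ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY, sender_mac, sender_ip, target_mac, target_ip))
# Hypothetical addresses: gateway 10.0.0.1, host 10.0.0.20, and a rogue MAC claiming the gateway IP.
GW_IP, HOST_IP = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 20])
GW_MAC, HOST_MAC, ROGUE_MAC = (bytes.fromhex(h) for h in ("001122334455", "0a0b0c0d0e0f", "deadbeef0001"))
SAMPLE_FRAMES = [
    build_arp_reply(GW_MAC, GW_IP, HOST_MAC, HOST_IP),     # legitimate gateway reply
    build_arp_reply(HOST_MAC, HOST_IP, GW_MAC, GW_IP),     # host answers the gateway
    build_arp_reply(ROGUE_MAC, GW_IP, HOST_MAC, HOST_IP),  # same IP, different MAC: poisoning
]

def run_sample():
    return detect_arp_conflicts(SAMPLE_FRAMES)   # one alert for 10.0.0.1 on the constructed data
```

A real monitor would feed frames from a capture socket or pcap file into detect_arp_conflicts and would also age out table entries so that legitimate hardware replacements do not alert forever.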