Most Cisco security exams are about understanding Cisco's viewpoint on security and how its sales, marketing and products fit within the network. The Securing Networks Using Intrusion Prevention Systems (IPS) security exam is no exception: It's all about Cisco's IPS and Intrusion Detection System (IDS) security products. On my 642-532 exam, the questions quizzed my knowledge on how to configure Cisco IPS and IDS devices and how to use them to identify, mitigate and secure a Cisco network.
I received 63 questions and was given 90 minutes to complete the IPS exam, which included a traditional simulation question and a new question type. This new one presented the IPS console, a network topology, four to five questions, and a simulated attack scenario – I'll have more on this later. The passing score was 825 on a scale of 300 to 1,000 points possible. Like all Cisco exams that I've ever taken, I couldn't move back through the question set, mark a question for later review or change my answer, like you can on most other vendors' certification exams. I find Cisco exams easier overall, with many of the questions in the form of one or two sentences with only one correct answer.
In your CCNA studies, you learned about PortFast and the trouble it can cause if configured on the wrong port!
Suitable only for switch ports connected directly to a single host, PortFast lets a port running STP move straight from blocking to forwarding, skipping the listening and learning states.
A Cisco switch will give you a warning when you configure PortFast:
SW1(config)#int fast 0/5
SW1(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a
single host. Connecting hubs, concentrators, switches, bridges, etc...
to this interface when portfast is enabled, can cause temporary
bridging loops. Use with CAUTION

%Portfast has been configured on FastEthernet0/5 but will only have effect when the interface is in a non-trunking mode.
Not only does the switch warn you about the proper use of PortFast, it also tells you that PortFast will have no effect until the port is in a non-trunking mode, so put the port into access mode first.
Now, you'd think that would be enough of a warning, right? But there is a chance, just a chance, that someone is going to manage to connect a switch to a port running PortFast. That can lead to two major problems. The first is the formation of a switching loop: remember, the reason we have the listening and learning states is to help prevent switching loops, and PortFast skips them. The second is that a new root bridge could be elected, and it could be a switch that isn't even in your network, because the newly connected switch sends BPDUs into your topology.
BPDU Guard protects against this disastrous possibility. If any BPDU comes in on a port that's running BPDU Guard, the port is shut down and placed into the error-disabled state, shown on the switch as err-disabled. By default a port in err-disabled state must be reopened manually (shutdown, then no shutdown); it will only come back on its own if errdisable recovery has been configured for the bpduguard cause.
BPDU Guard is off on all ports by default, and is enabled as shown here:
SW1(config)#int fast 0/5
SW1(config-if)#spanning-tree bpduguard enable
It's a good idea to enable BPDU Guard on every port you're running PortFast on. There's no cost in overhead, and it prevents a switch from sending BPDUs into a port configured with PortFast, which also rules out a switch that isn't under your control becoming the root switch for your network. The point is that PortFast and BPDU Guard are a pair: a PortFast port without BPDU Guard is the gap an accidentally (or deliberately) connected switch will walk through.
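The pairing rule above is easy to state and easy to break on a switch with a few dozen access ports, so here is an added example (my own audit script, not code from the original article) that checks a Cisco IOS running-config for PortFast ports that lack BPDU Guard. It parses interface stanzas, honours the global `spanning-tree portfast default` and `spanning-tree portfast bpduguard default` commands as well as per-interface enable/disable, flags PortFast configured on a trunk as ineffective (the switch's own warning), and emits the `spanning-tree bpduguard enable` lines needed to close each gap. The running-config text is constructed for the example; the interface names and command syntax are standard IOS but the device itself is assumed.

```python
"""Audit a Cisco IOS running-config for PortFast ports without BPDU Guard.

Added example, not from the original article. The sample config below is
constructed for illustration; adapt by feeding in real 'show running-config'
output.
"""
import re

# Constructed sample running-config (not captured from a real switch).
SAMPLE_CONFIG = """\
!
spanning-tree mode rapid-pvst
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport mode trunk
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport mode access
!
"""


def parse_interfaces(config):
    """Split a running-config into (global lines, {interface: [sub-commands]})."""
    global_lines, interfaces = [], {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None          # '!' terminates an interface stanza
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None          # any other top-level command is global
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit(config):
    """Return {interface: status} where status is one of
    'ok', 'portfast_without_bpduguard', 'portfast_ineffective_on_trunk',
    'no_portfast'."""
    global_lines, interfaces = parse_interfaces(config)
    global_portfast = "spanning-tree portfast default" in global_lines
    # The global bpduguard default only applies to PortFast-enabled ports.
    global_guard = "spanning-tree portfast bpduguard default" in global_lines

    findings = {}
    for name, lines in interfaces.items():
        trunk = "switchport mode trunk" in lines
        explicit = ("spanning-tree portfast" in lines
                    or "spanning-tree portfast trunk" in lines)

        # Effective PortFast state, mirroring IOS behaviour.
        if "spanning-tree portfast disable" in lines:
            portfast = False
        elif "spanning-tree portfast trunk" in lines:
            portfast = True         # operator explicitly asked for it on a trunk
        elif "spanning-tree portfast" in lines:
            portfast = not trunk    # plain 'portfast' is ignored on trunks
        else:
            portfast = global_portfast and not trunk

        # Effective BPDU Guard state: per-interface beats the global default.
        if "spanning-tree bpduguard enable" in lines:
            guard = True
        elif "spanning-tree bpduguard disable" in lines:
            guard = False
        else:
            guard = global_guard and portfast

        if portfast and guard:
            findings[name] = "ok"
        elif portfast:
            findings[name] = "portfast_without_bpduguard"
        elif explicit and trunk:
            findings[name] = "portfast_ineffective_on_trunk"
        else:
            findings[name] = "no_portfast"
    return findings


def remediation(findings):
    """IOS config lines that add BPDU Guard to every unguarded PortFast port."""
    cmds = []
    for name, status in sorted(findings.items()):
        if status == "portfast_without_bpduguard":
            cmds += [f"interface {name}", " spanning-tree bpduguard enable"]
    return cmds


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for port, status in sorted(result.items()):
        print(f"{port:20} {status}")
    print("\n".join(remediation(result)))
```

On the constructed config, FastEthernet0/1 passes, FastEthernet0/2 is the finding the article warns about (PortFast with no guard), FastEthernet0/3 shows the trunk case the switch warns about, and FastEthernet0/4 has neither. Adding `spanning-tree portfast bpduguard default` globally clears the FastEthernet0/2 finding without touching each port, which is usually the cleaner fix on an access switch.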