Chapter 9. Port Security and Access Cont... > Chapter Review Questions - Pg. 555

. . . ge-0/0/9.0 Authenticator Connecting

This example shows that as a result of an 802.1X daemon restart, a formerly authenticated client is transitioned back to the connection state, which forces a reauthentication attempt.

The successful RADIUS-based authentication of a non-responsive host concludes the 802.1X configuration and verification lab.

802.1X Port-Based Authentication Summary

EX platforms provide wide-ranging support for the IEEE 802.1X standard and offer both port- and MAC-level access control to a switched network. In addition to various EAP methods, you can support non-802.1X hosts using either local or RADIUS-based MAC authentication.

Support is offered for single or multiple supplicants per port, with the ability to individually authenticate each or allow others to ride on the coattails of the first authorization. EX switches also support VSAs for dynamic firewall or VLAN assignment, to include a guest VLAN concept that safely partitions users who fail authentication into a specific VLAN with limited access.

Conclusion

EX switches offer a variety of Layer 2 security and port-level access controls. These features help to ensure that only authorized users can access secured portions of your network, and also guard against common attacks such as unauthorized DHCP services, ARP poisoning, and IP address spoofing. When combined with Layer 2 security, built-in Layer 3 firewall capabilities, and general JUNOS software robustness, it is clear that you can deploy a hardened Layer 2/Layer 3 network based strictly on EX platforms (and a RADIUS server, if desired).

Users who require deep packet inspection for real-time antivirus or intrusion detection and prevention, or who need stateful services such as NAT or IP Security, will need to augment their EX switches with other Juniper products that are designed for sophisticated IP services or security-related functions.

Chapter Review Questions

1. Which is true regarding MAC limiting?
   a. It is currently not supported because not learning all MAC addresses breaks bridging
   b. It can be based on an allowed list of MACs on a per-port basis
   c. It can be based on an allowed MAC number, per port