CCNA Security FAQ: Protecting Switch Infrastructure

Question. Examine the following partial switch configuration and choose all the statements that correctly describe what is being accomplished.
[Figure 10-1: partial switch configuration, not reproduced on this page]
A. When the level of broadcasts has reached 62.5% of total traffic, the multicasts will be limited to 3,000 packets per second (pps) and unicast traffic will be limited to 50 Mbps.

B. Broadcast traffic will be allowed up to 62.5% of total bandwidth on the interface. When this is exceeded, frames will be discarded until the broadcast traffic falls back below that level.

C. Multicast traffic will be discarded above 3,000 packets per second (pps) on this port, and will only start being forwarded again after it has fallen below the 2,000 pps lower threshold.

D. Unicast traffic will be discarded above 50 Mbps on this port, and will only start being forwarded again after it has fallen below the 25 Mbps lower threshold.

E. A shutdown notification message will be sent to the SNMP NMS when all of the three configured thresholds (broadcast, multicast, and unicast) have been reached.

Answer: B, C, and D. Answer A is incorrect because each storm-control threshold (broadcast, multicast, unicast) is evaluated independently; exceeding the broadcast level does not change how the multicast or unicast levels are enforced. Answer E is incorrect because storm-control action shutdown err-disables the port as soon as any one of the configured thresholds is exceeded, not when all three are; sending an SNMP trap is a separate action (storm-control action trap).
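The configuration behind this question is not reproduced on the page. The following is an added example, not the book's Figure 10-1: a storm-control configuration that produces the behaviour described in answers B, C and D, with the interface name, the recovery timer and the addition of the trap action as assumptions.

```cisco
! Added example (not the book's figure): storm control matching answers B, C, D.
! Interface name, recovery interval and the extra trap action are assumptions.
interface GigabitEthernet0/1
 switchport mode access
 ! Broadcast: rising threshold 62.5% of interface bandwidth. With no falling
 ! threshold given, IOS uses the same value for both, so forwarding resumes as
 ! soon as broadcast traffic drops back below 62.5% (answer B).
 storm-control broadcast level 62.50
 ! Multicast: suppress above 3,000 pps, resume only below 2,000 pps (answer C).
 storm-control multicast level pps 3k 2k
 ! Unicast: suppress above 50 Mbps, resume only below 25 Mbps (answer D).
 storm-control unicast level bps 50m 25m
 ! Crossing ANY single threshold err-disables the port; the trap is an
 ! independent action, not a notification that all three were reached.
 storm-control action shutdown
 storm-control action trap
!
! Let the port recover on its own after the timer instead of requiring a
! manual shutdown / no shutdown.
errdisable recovery cause storm-control
errdisable recovery interval 300
!
! Verification (exec mode): per-type thresholds, current level and state.
! show storm-control gigabitethernet0/1
! show errdisable recovery
```

The k/m suffixes on the pps and bps levels are the documented IOS shorthand for thousands and millions; a falling threshold lower than the rising one is what gives the hysteresis the answers describe, and omitting it collapses both to the same value.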
Question. What Cisco Catalyst switch feature can isolate ports from one another, even though those ports belong to the same VLAN?
A. Private VLAN
B. Policing
C. Per-VLAN Spanning Tree (PVST)
D. Dynamic ARP Inspection (DAI)

Answer: A
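A private VLAN configuration that isolates ports which still share one primary VLAN, as an added example (not from the original page); VLAN numbers, interface names and the choice of gateway port are assumptions.

```cisco
! Added example: private VLAN (PVLAN) isolating host ports within one VLAN.
! VLAN numbers, interface names and the gateway port are assumptions.
! PVLANs require VTP transparent mode (or VTP version 3).
vtp mode transparent
!
vlan 200
 name SERVERS-PRIMARY
 private-vlan primary
 private-vlan association 201
vlan 201
 name SERVERS-ISOLATED
 private-vlan isolated
!
! Isolated host ports: each can reach only promiscuous ports, never another
! isolated port, even though all of them sit in primary VLAN 200.
interface range GigabitEthernet0/2 - 4
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Promiscuous port (router or firewall gateway): reaches every host in the PVLAN.
interface GigabitEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201
!
! Verification:
! show vlan private-vlan
! show interfaces GigabitEthernet0/2 switchport
```

Where a full PVLAN is more than the platform or the design needs, the lighter PVLAN edge feature (switchport protected on each port) blocks Layer 2 traffic between protected ports on the same switch only; it does not extend across a trunk the way a PVLAN does.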
Question. What are the two main approaches for launching a VLAN hopping attack? (Choose two.)
A. Gratuitous ARP (GARP)
B. Switch spoofing
C. Double tagging
D. DHCP spoofing

Answer: B and C
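The hardening that closes both techniques, as an added example that is not part of the original page; VLAN numbers and interface names are assumptions.

```cisco
! Added example: defeating both VLAN hopping methods. VLAN numbers and
! interface names are assumptions.
!
! Switch spoofing relies on DTP negotiating a trunk with the attacker's port.
! Hard-code every user port as an access port and turn DTP off.
interface range GigabitEthernet0/2 - 24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Double tagging relies on the attacker's access VLAN being the trunk's native
! VLAN: the outer tag is stripped on the trunk and the inner tag is forwarded.
! Use an otherwise unused native VLAN, keep user VLANs off it, and do not
! negotiate the trunk either.
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q   ! omit on platforms that only do 802.1Q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! Tag the native VLAN as well, so an untagged inner frame is never accepted
! as native traffic (platform-dependent global command).
vlan dot1q tag native
!
! Verification: expect "Negotiation of Trunking: Off" and native VLAN 999.
! show interfaces GigabitEthernet0/1 switchport
! show interfaces trunk
```

The check that matters after deployment is show interfaces trunk: any port listed there that is not a known uplink was negotiated into a trunk and is a switch-spoofing candidate.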
Question. What Spanning Tree Protocol (STP) protection mechanism disables a switch port if the port receives a Bridge Protocol Data Unit (BPDU)?
A. Root Guard
B. BPDU Guard
C. PortFast
D. UplinkFast

Answer: B

Question. True or false. A CAM table overflow attack is an attack whereby the attacker injects frames into a switch port with the source address of a known station. This is done in an attempt to fool the switch into forwarding frames that are supposed to go to the known station to the attacker’s switch port instead.

Answer: False. The attack described is a MAC address spoofing attack. A CAM table overflow attack floods a switch port with frames carrying many different (usually random) source MAC addresses until the CAM table is full; the switch can then no longer learn new stations, so frames for those destinations are flooded out every port in the VLAN, including the attacker's, and the switch behaves like a hub for that traffic.
Question. A Cisco Catalyst switch stores port MAC address assignments in what type of table?
A. ARP cache
B. FIB table
C. Adjacency database
D. CAM table

Answer: D

Question. Which statements best describe the effect or application of the following interface configuration command? (Choose all that apply.)

A. BPDU guard is enabled, ensuring that the switch will refuse BPDUs on this port.

B. Root guard is enabled, ensuring that the switch will refuse root bridge BPDUs that have a superior Bridge ID (BID) to the current root bridge.

C. The port immediately transitions to a forwarding state when a link is established, bypassing spanning tree blocking mode.

D. The assumption is that there is no possibility of topological loops on this port as this command will prevent the root bridge from blocking on this port.

E. None of the above.

Answer: C and D. A and B are incorrect because, although their descriptions of BPDU guard and root guard are accurate, those features are enabled with different commands (spanning-tree bpduguard enable and spanning-tree guard root, respectively).
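The three commands the answer distinguishes, each applied to the kind of port it belongs on, as an added example (not the page's own configuration); interface names are assumptions.

```cisco
! Added example: PortFast, BPDU guard and root guard are three different
! commands on three different kinds of port. Interface names are assumptions.
!
! Access ports: PortFast (answers C and D) plus BPDU guard, which err-disables
! the port the moment any BPDU arrives (answer A's behaviour, separate command).
interface range GigabitEthernet0/2 - 24
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Equivalent global form: every PortFast-enabled port also gets BPDU guard.
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Uplinks toward switches that must never become root: root guard (answer B's
! behaviour) ignores superior BPDUs and holds the port root-inconsistent
! instead of re-electing a rogue root bridge.
interface GigabitEthernet0/1
 spanning-tree guard root
!
! Optional: recover BPDU-guard err-disabled ports after the timer.
errdisable recovery cause bpduguard
!
! Verification:
! show spanning-tree interface GigabitEthernet0/2 detail
! show spanning-tree inconsistentports
```

PortFast alone changes nothing about BPDU handling: a PortFast port that receives a BPDU simply loses its PortFast status and runs normal STP, which is why BPDU guard is the protective half of the pair.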

Question. True or false. The switchport port-security interface configuration command cannot be used on a trunk port.

Answer: True, as the CCNA Security material presents it: port security is applied to access ports, which are the ports used for endpoint connectivity. A practical caveat: the interface must be in a statically configured mode, never dynamic (DTP-negotiated), so set switchport mode access before switchport port-security; on newer Catalyst IOS releases port security can also be applied to a statically configured trunk port.
Question. What Cisco Catalyst switch feature can help protect against DHCP server spoofing?
A. DAI
B. GARP
C. DHCP snooping
D. VACLs

Answer: C

Question. What are the two methods for bringing a port out of the err-disabled state?
A. Enter the errdisable recovery cause psecure-violation command in global configuration.

B. Enter the recover-lockout enable command in global configuration.

C. Enter the shutdown and no shutdown commands in order in interface configuration mode on the affected port.

D. Enter the no port-shutdown sticky-learn command in interface configuration mode on the affected port.

E. None of the above.

Answer: A and C. B and D are non-existent commands. Note the difference between the two: A enables automatic recovery after the errdisable recovery interval elapses (300 seconds by default), whereas C brings the port back immediately but requires an administrator to do it.
Question. What type of message might an attacker send to a host to convince the host that the attacker’s MAC address is the host’s next-hop MAC address?
A. GARP
B. DAI
C. BPDU
D. DHCPACK

Answer: A
Question. If a switch is running in the fail-open mode, what happens when the switch’s CAM table fills to capacity and a new frame arrives?
A. The frame is dropped.
B. A copy of the frame is forwarded out all switch ports other than the port the frame was received on.
C. The frame is transmitted on the native VLAN.
D. The switch sends a NACK segment to the frame’s source MAC address

Answer: B
Question. What kind of MAC address is dynamically learned by a switch port and then added to the switch’s running configuration?
A. Static secure MAC address
B. Dynamic secure MAC address
C. Sticky secure MAC address
D. Pervasive secure MAC address

Answer: C
Question. What Cisco Catalyst switch feature can be used in an Intrusion Detection System (IDS) solution to cause the switch to send a copy of traffic for analysis by an IDS sensor?
A. GARP
B. DHCP snooping
C. DAI
D. SPAN

Answer: D
Question. What are three potential responses of a switch port to a port security violation? (Choose three.)
A. Protect
B. Isolate
C. Restrict
D. Shut down

Answer: A, C, and D. Shut down (the default) err-disables the port; restrict drops the offending frames, increments the violation counter and sends a syslog message and SNMP trap; protect drops the offending frames silently. Isolate is not a port security violation mode.
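One configuration that covers the port security questions on this page (the access-port requirement, err-disable recovery, sticky secure MAC addresses, the three violation modes, and the maximum that stops a CAM overflow from a single port), as an added example that is not from the original page; interface names, MAC addresses and counts are assumptions.

```cisco
! Added example: port security with sticky learning, violation modes and
! err-disable recovery. Interface names, MAC address and limits are assumptions.
!
! Port security is accepted only on a statically configured port, so set the
! mode first; a port left in dynamic (DTP) mode rejects the command.
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 ! Cap on secure MACs: a flood of random source addresses (CAM overflow)
 ! trips a violation instead of filling the table.
 switchport port-security maximum 2
 ! Sticky: learned MACs are written into the running configuration; save with
 ! "copy running-config startup-config" to keep them across a reload.
 switchport port-security mac-address sticky
 ! shutdown (default): err-disable the port on violation.
 ! restrict: drop offending frames, count them, send syslog/SNMP trap.
 ! protect: drop offending frames silently.
 switchport port-security violation shutdown
!
! Static secure MAC for a device that must never change (printer, IP phone).
interface GigabitEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0000.1111.2222
 switchport port-security violation restrict
!
! Recovery from the err-disabled state: automatically after the interval ...
errdisable recovery cause psecure-violation
errdisable recovery interval 300
! ... or manually, in interface configuration mode on the affected port:
! interface GigabitEthernet0/2
!  shutdown
!  no shutdown
!
! Verification:
! show port-security interface GigabitEthernet0/2
! show port-security address
! show errdisable recovery
```

Choosing restrict over shutdown keeps a port usable under a spoofing attempt while still producing the syslog and SNMP evidence an analyst needs; protect produces no evidence at all and should be reserved for ports where noise is expected.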
Question. What two Cisco Catalyst switch features can be used to mitigate man-in-the-middle attacks? (Choose the two best answers.)
A. DAI
B. Private VLANs
C. DHCP snooping
D. VACLs

Answer: A and C
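DHCP snooping and Dynamic ARP Inspection configured together, as an added example that is not from the original page: DHCP snooping blocks the rogue DHCP server from the earlier question and builds the binding table that DAI then uses to drop the gratuitous ARP replies used for man-in-the-middle. VLAN number, interface names, rate limits and addresses are assumptions.

```cisco
! Added example: DHCP snooping plus DAI. VLAN, interface names, rate limits
! and the static host binding are assumptions.
!
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is on by default; leave it off unless the relay and
! DHCP server are configured to accept it, or requests may be discarded.
no ip dhcp snooping information option
!
! Only the port toward the real DHCP server (or the uplink) is trusted.
! Server replies (OFFER/ACK) arriving on any untrusted port are dropped.
interface GigabitEthernet0/1
 description Uplink toward DHCP server / distribution
 ip dhcp snooping trust
 ip arp inspection trust
!
! Untrusted access ports: rate-limit DHCP and ARP to blunt flooding.
interface range GigabitEthernet0/2 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
! DAI validates every ARP packet on untrusted ports, including gratuitous
! ARP, against the DHCP snooping binding table and drops mismatches.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Hosts with static addresses have no DHCP binding: supply one via ARP ACL.
arp access-list STATIC-HOSTS
 permit ip host 10.10.10.5 mac host 0000.1111.2222
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Verification:
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
```

Enable DHCP snooping first and let clients renew their leases before turning on DAI; a VLAN with an empty binding table will see every legitimate ARP reply from untrusted ports dropped until the bindings exist.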

Question. True or false. The switched port analyzer (SPAN) feature on Cisco Catalyst switches can be configured to copy all the traffic only from a specific VLAN to a dedicated monitoring port.

Answer: False. SPAN can copy (replicate) traffic from specific source ports as well as from entire VLANs (VLAN-based SPAN, or VSPAN) to a dedicated destination (monitoring) port. It is very useful when particular flows through the switch need to be monitored for signs of intrusion or for other purposes.
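Two local SPAN sessions, one port-based and one VLAN-based, feeding IDS sensor ports, as an added example that is not from the original page; session numbers, source ports, VLAN and destination ports are assumptions.

```cisco
! Added example: port-based and VLAN-based local SPAN for an IDS sensor.
! Session numbers, sources and destinations are assumptions.
!
! Session 1: both directions of two specific access ports.
monitor session 1 source interface GigabitEthernet0/2 both
monitor session 1 source interface GigabitEthernet0/3 both
monitor session 1 destination interface GigabitEthernet0/24
!
! Session 2: VSPAN, ingress traffic of an entire VLAN, with 802.1Q tags
! preserved so the sensor sees the VLAN each frame belonged to.
monitor session 2 source vlan 10 rx
monitor session 2 destination interface GigabitEthernet0/23 encapsulation replicate
!
! A SPAN destination does not forward frames it receives by default. If the
! sensor must transmit (for example, TCP resets), allow ingress explicitly:
! monitor session 1 destination interface GigabitEthernet0/24 ingress vlan 10
!
! Verification:
! show monitor session 1
! show monitor session 2
! show monitor session all
```

Interface sources and VLAN sources cannot be mixed within one session, which is why two sessions are used; the number of concurrent SPAN sessions a platform supports is small, so plan sensor placement around that limit.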
Question. In an IEEE 802.1x deployment, EAPOL messages typically are sent between which two devices?
A. Between the authenticator and the authentication server
B. Between the supplicant and the authentication server
C. Between the RADIUS server and the authenticator
D. Between the supplicant and the authenticator

Answer: D
Question. A RADIUS server acts as which component in an IEEE 802.1x deployment?

A. Supplicant
B. Authentication server
C. Authenticator
D. Method list

Answer: B
Question. What EAP type usually leverages MS-CHAPv2 as its authentication protocol?
A. PEAP
B. EAP-TLS
C. EAP-MD5
D. LEAP

Answer: A
Question. What happens to a client that successfully authenticates with a Cisco Catalyst switch port using 802.1x but also creates a port security violation?
A. The client can transmit regardless of the port security settings, because of the successful 802.1x authentication.

B. After the client authenticates, it is allowed to transmit on the network if the switch is configured for AAA authorization, which explicitly permits network access for the client.

C. The client cannot transmit because of the port security violation, even though it successfully authenticated.

D. This is an invalid configuration, because port security and 802.1x features on a port are mutually exclusive.

Answer: C
Question. When is a Cisco Catalyst switch port placed in a restricted VLAN?
A. When a connected client fails to authenticate after a certain number of attempts

B. If a connected client does not support 802.1x

C. After a connected client exceeds a specified idle time

D. When 802.1x is not globally enabled on the Cisco Catalyst switch

Answer: A. The restricted (authentication-failed) VLAN is assigned after the configured number of failed authentication attempts; a client with no 802.1x supplicant (B) is placed in the guest VLAN instead, which is a separate feature.
Question. Which command configures a Cisco Catalyst switch port to operate in multiple-host mode?
A. Switch(config)# dot1x host-mode multi-host
B. Switch(config-if)# enable dot1x multi-host
C. Switch(config)# no host-mode single-host
D. Switch(config-if)# dot1x host-mode multi-host

Answer: D
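A configuration that ties the 802.1x questions together (RADIUS as the authentication server, the switch as authenticator exchanging EAPOL with the supplicant, multi-host mode, the restricted VLAN, and coexistence with port security), as an added example that is not from the original page; the server address, shared key, VLAN numbers and interface names are assumptions.

```cisco
! Added example: 802.1x on a Catalyst access port. RADIUS address, key,
! VLAN numbers and interface names are assumptions.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key R4d1usS3cret
!
! Enables 802.1x globally; without it no port will authenticate anything.
dot1x system-auth-control
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 ! Authenticator role: EAPOL with the supplicant on this port, EAP carried
 ! inside RADIUS to the authentication server.
 dot1x pae authenticator
 dot1x port-control auto
 ! Multi-host: the first device must authenticate, after which any MAC may
 ! use the port. Single-host (the default) is the safer choice on user ports.
 dot1x host-mode multi-host
 ! Restricted VLAN after three failed attempts; guest VLAN for clients
 ! that have no supplicant at all.
 dot1x auth-fail vlan 99
 dot1x auth-fail max-attempts 3
 dot1x guest-vlan 98
 ! Port security is enforced independently of 802.1x: a third MAC here is a
 ! violation even though the first one authenticated successfully.
 switchport port-security
 switchport port-security maximum 2
!
! Verification:
! show dot1x interface GigabitEthernet0/2 details
! show dot1x all summary
! show aaa servers
```

On current IOS releases the interface-level dot1x commands above are replaced by the generic authentication family (authentication port-control auto, authentication host-mode multi-host, authentication event fail action authorize vlan 99), and the RADIUS server is defined in a radius server block rather than with radius-server host; the behaviour the questions describe is unchanged.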

About the author

Scott