CCNP Switch FAQ: Securing Switch Access

CCNP Switch FAQ: Securing Switch Access

Q1. Which switch feature can grant access through a port only if the host with MAC address 0005.0004.0003 is connected?
a. SPAN
b. MAC address ACL
c. Port security
d. Port-based authentication

Answer:  C

Q2. Port security is being used to control access to a switch port. Which one of these commands will put the port into the errdisable state if an unauthorized station connects?
a. switchport port-security violation protect
b. switchport port-security violation restrict
c. switchport port-security violation errdisable
d. switchport port-security violation shutdown

Answer: D

Q3. If port security is enabled and left to its default configuration, how many different MAC addresses can be learned at one time on a switch port?
a. 0
b. 1
c. 16
d. 256

Answer: B

Q4. The following commands are configured on a Catalyst switch port. What happens when the host with MAC address 0001.0002.0003 tries to connect?
switchport port-security
switchport port-security maximum 3
switchport port-security mac-address 0002.0002.0002
switchport port-security violation shutdown
a. The port shuts down.
b. The host is allowed to connect.
c. The host is denied a connection.
d. The host can connect only when 0002.0002.0002 is not connected.

Answer: B. The trick is in the maximum 3 keywords. This sets the maximum number of addresses that can be learned on a port. If only one static address is configured, two more addresses can be learned dynamically.

Q5. What protocol is used for port-based authentication?
a. 802.1D
b. 802.1Q
c. 802.1X
d. 802.1w

Answer: C

Q6. When 802.1X802.1X is used for a switch port, where must it be configured?
a. Switch port and client PC
b. Switch port only
c. Client PC only
d. Switch port and a RADIUS server

Answer: A

Q7. When port-based authentication is enabled globally, what is the default behavior for all switch ports?
a. Authenticate users before enabling the port.
b. Allow all connections without authentication.
c. Do not allow any connections.
d. There is no default behavior.

Answer: B

Q8. When port-based authentication is enabled, what method is available for a user to authenticate?
a. Web browser
b. Telnet session
c. 802.1X client
d. DHCP

Answer: C

Q9. The users in a department are using a variety of host platforms, some old and some new. All of them have been approved with a user ID in a RADIUS server database. Which one of these features should be used to restrict access to the switch ports in the building?
a. AAA authentication
b. AAA authorization
c. Port security
d. Port-based authentication

Answer: C. Because of the variety of user host platforms, port-based authentication (802.1X) cannot be used. The problem also states that the goal is to restrict access to physical switch ports, so AAA is of no benefit. Port security can do the job by restricting access according to the end users’ MAC addresses.

Q10. Which of the following are types of frames that Storm Control can limit before they can cause problems for hosts that are connected to a switch? (Choose all that apply.)
a. Unicast frames
b. Broadcast frames
c. Multicast frames
d. Unknown unicast frames

Answer: B, C, D
Figure: Using Storm Control to Limit Received Frames Before They Are Flooded

Q11. Suppose that an interface receives the following configuration command: storm-control broadcast level 10 Storm control will be triggered when which one of the following rising thresholds is reached?
a. At least 10 broadcast frames are received
b. At least 10 hosts are connected to a VLAN that will receive a flooded broadcast frame
c. Broadcast frames exceed 10 percent of the interface bandwidth
d. Broadcast frames exceed 10 percent of the interface MTU size

Answer: C

Q12. Which two of the following methods should you use to secure inbound CLI sessions to a switch?
a. Disable all inbound CLI connections.
b. Use SSH only.
c. Use Telnet only.
d. Apply an access list to the vty lines.

Answer: B, D

Q13. Suppose that you need to disable CDP and LLDP advertisements on a switch port so that untrusted devices cannot learn anything about your switch. Which one of the following answers contains the interface configuration commands that should be used?
a. cdp disable
lldp disable
b. no cdp
no lldp
c. no cdp enable
no lldp transmit
d. no cdp transmit
no lldp transmit

Answer: C

More Resources

About the author

Prasanna

Leave a Comment