CCNP Switch FAQ: Securing VLANs
Q1. Which one of the following can filter packets even if they are not routed to another Layer 3 interface?
a. IP extended access lists
b. MAC address access lists
c. VLAN access lists
d. Port-based access lists
Q2. In what part of a Catalyst switch are VLAN ACLs implemented?
Q3. Which one of the following commands can implement a VLAN ACL called test?
a. access-list vlan test
b. vacl test
c. switchport vacl test
d. vlan access-map test
Q4. After a VACL is configured, where is it applied?
a. Globally on a VLAN
b. On the VLAN interface
c. In the VLAN configuration
d. On all ports or interfaces mapped to a VLAN
Q5. Which of the following private VLANs is the most restrictive?
a. Community VLAN
b. Isolated VLAN
c. Restricted VLAN
d. Promiscuous VLAN
Q6. The vlan 100 command has just been entered. What is the next command needed to configure VLAN 100 as a secondary isolated VLAN?
a. private-vlan isolated
b. private-vlan isolated 100
c. pvlan secondary isolated
d. No further configuration necessary
Q7. What type of port configuration should you use for private VLAN interfaces that connect to a router?
Q8. Promiscuous ports must be ______________ to primary and secondary VLANs, and host ports must be ________________.
a. Mapped, associated
b. Mapped, mapped
c. Associated, mapped
d. Associated, associated
Q9. In a switch spoofing attack, an attacker makes use of which one of the following?
a. The switch management IP address
b. CDP message exchanges
c. Spanning Tree Protocol
d. DTP to negotiate a trunk
Q10. Which one of the following commands enables you to prevent a switch spoofing attack on an end-user port?
a. switchport mode access
b. switchport mode trunk
c. no switchport spoof
d. spanning-tree spoof-guard
Q11. Which one of the following represents the spoofed information an attacker sends in a VLAN hopping attack?
a. 802.1Q tags
b. DTP information
c. VTP information
d. 802.1x information
Q12. Which one of the following methods can be used to prevent a VLAN hopping attack?
a. Use VTP throughout the network.
b. Set the native VLAN to the user access VLAN.
c. Remove the native VLAN from a trunk link.
d. Avoid using EtherChannel link bundling.