CCNA FAQ : Implementing Switch Security
Q1. What is the significance of securing physical access to a switch?
Q2. How can you harden (make secure) the Cisco IOS?
Q3. How can you secure the management VLAN?
Q4. How can you ensure that only one specific end device is attached to a switch port?
Answer: To ensure that a single device is attached to a switch port, enable port security and allow only one MAC address as the maximum (the default). For additional security, manually or dynamically (using sticky learning) specify the device’s MAC address.
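The following configuration walks through the answer above on an access port, as an added illustration that is not part of the original FAQ. The interface name (Fa0/1), the choice of the shutdown violation action and the sample static MAC address are assumptions made for the example.

```cisco
! Added example (not from the original FAQ): restrict access port Fa0/1 to one device.
! Interface name and violation action are assumptions chosen for illustration.
Switch# configure terminal
Switch(config)# interface FastEthernet0/1
! Port security requires a static access port (not dynamic/trunk negotiation).
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
! One secure MAC address is the default; stated explicitly here for clarity.
Switch(config-if)# switchport port-security maximum 1
! Shut down (err-disable) the port if a second MAC address appears.
Switch(config-if)# switchport port-security violation shutdown
! Option 1: learn the first MAC address seen and keep it in the running config (sticky).
Switch(config-if)# switchport port-security mac-address sticky
! Option 2 (instead of sticky): pin a specific device; constructed sample address.
! Switch(config-if)# switchport port-security mac-address 0011.2233.4455
Switch(config-if)# end
! Verify the port status, maximum, learned addresses and violation count.
Switch# show port-security interface FastEthernet0/1
```

After the first frame arrives, the sticky address appears in the running configuration; save it with copy running-config startup-config so it survives a reload.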
Q5. Why could CDP be a potential security risk?
Q6. Which of the following is not a violation action of port security?
A. Protect
B. Shut down
C. Notify
D. Restrict
Chapter 16: Implementing Switch Security
Apply Your Knowledge
Q7. Which is not a recommended way to secure unassigned ports?
A. Assign a dummy VLAN.
B. Change the native VLAN.
C. Change the management VLAN.
D. Shut down unused interfaces.
Q8. Which commands resulted in the following output? (Choose two)
Switch# show interfaces trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa0/1     desirable    802.1q         trunking      1

Port      Vlans allowed on trunk
Fa0/1     1-4094

Port      Vlans allowed and active in management domain
Fa0/1     1-100,102-4094

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/1     1-100,102-4094
A. Switch(config-if)# switchport trunk allowed vlan except 101
B. Switch(config-if)# switchport trunk disallowed vlan 101
C. Switch(config-if)# switchport trunk except vlan 101
D. Switch(config-if)# switchport trunk allowed vlan remove 101
Q9. Which of the following is not a recommended security implementation for securing the Catalyst switch?
A. SSH
B. Disable the console port.
C. Configure the login and password for the vty lines.
D. Allow only specific management IP address(es) into the vty lines.
Q10. Which command produced the following output?
Switch# show port-security address
               Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    1234.5678.9ABF    SecureConfigured    Fa0/9        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
A. Switch(config-if)# switchport port-security sticky
B. Switch(config-if)# switchport port-security mac-address 1234.5678.9abf
C. Switch(config-if)# switchport port-security mac-address sticky
D. Switch(config-if)# switchport port-security 1234.5678.9abf
Q11. Given the following:
Switch# show port-security interface fa0/6
Port Security              : Enabled
Port Status                : Err-disabled
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : fa53.c39b.af34
Security Violation Count   : 1
which of the following is a possible cause of the output?
A. Fast Ethernet 0/6 is receiving traffic and working correctly.
B. A static MAC address has been configured on Fast Ethernet 0/6.
C. Fast Ethernet 0/6 is learning sticky MAC addresses.
D. Fast Ethernet 0/6 is shut down because a violation has occurred.
Q12. Why is the following output false?
Switch# show port-security interface fa0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 10
Total MAC Addresses        : 50
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : de26.287b.2490
Security Violation Count   : 0
A. There are more MAC addresses than the maximum allowed and no violations.
B. You cannot have the violation action be shutdown unless static secure MAC addresses are configured.
C. Sticky addresses must be configured if there is more than one MAC address.
D. The maximum MAC addresses cannot be changed from the default value of 1.
Q13. After changing the management VLAN to a VLAN other than VLAN 1, you lose SSH access to the switch. Which of the following is not a valid reason why?
A. The new management VLAN interface was not administratively enabled.
B. The port of the management computer has to be assigned to the new management VLAN.
C. The Layer 3 gateway must have access to the new management VLAN if the switch is on a network other than the management PC.
D. The management station’s ARP entry has not timed out for the old VLAN interface.
Q14. Which of the following is false regarding what happens when you use the login local command on line configurations?
A. The switch uses the username and password configured from the global configuration.
B. You are prompted for a login and password as long as you don’t use the password command on the line configuration.
C. This command can be configured on vty lines, the auxiliary port, and the console port.
D. The password can be encrypted using the username username secret password command.
Q15. Which of the following is not a default state of switches?
A. VLANs allowed on the trunk are all but the management VLAN.
B. Port security violation action is shut down.
C. Maximum number of MAC addresses learned on port security-enabled interfaces is 1.
D. Management VLAN is VLAN 1.