CCNA Security FAQ: Protecting Switch Infrastructure
Question. Examine the following partial switch configuration and choose all the statements that correctly describe what is being accomplished.
A. When the level of broadcasts has reached 62.5% of total traffic, the multicasts will be limited to 3,000 packets per second (pps) and unicast traffic will be limited to 50 Mbps.
B. Broadcast traffic will be allowed up to 62.5% of total bandwidth on the interface. When this is exceeded, frames will be discarded until the broadcast traffic falls back below that level.
C. Multicast traffic will be discarded above 3,000 packets per second (pps) on this port, and will only start being forwarded again after it has fallen below the 2,000 pps lower threshold.
D. Unicast traffic will be discarded above 50 Mbps on this port, and will only start being forwarded again after it has fallen below the 25 Mbps lower threshold.
E. A shutdown notification message will be sent to the SNMP NMS when all of the three configured thresholds (broadcast, multicast, and unicast) have been reached.
A. Private VLAN
B. Policing
C. Per-VLAN Spanning Tree (PVST)
D. Dynamic ARP Inspection (DAI)
A. Gratuitous ARP (GARP)
B. Switch spoofing
C. Double tagging
D. DHCP spoofing
A. Root Guard
B. BPDU Guard
C. PortFast
D. UplinkFast
Question. True or false. A CAM table overflow attack is an attack whereby the attacker injects frames into a switch port with the source address of a known station. This is done in an attempt to fool the switch into forwarding frames that are supposed to go to the known station to the attacker’s switch port instead.
A. ARP cache
B. FIB table
C. Adjacency database
D. CAM table
Question. Which statements best describe the effect or application of the following interface configuration command? (Choose all that apply.)
Catalyst1(config-if)#spanning-tree portfast
A. BPDU guard is enabled, ensuring that the switch will refuse BPDUs on this port.
B. Root guard is enabled, ensuring that the switch will refuse root bridge BPDUs that have a superior Bridge ID (BID) to the current root bridge.
C. The port immediately transitions to a forwarding state when a link is established, bypassing spanning tree blocking mode.
D. The assumption is that there is no possibility of topological loops on this port as this command will prevent the root bridge from blocking on this port.
E. None of the above.
Question. True or false. The switchport port-security interface configuration command cannot be used on a trunk port.
A. DAI
B. GARP
C. DHCP snooping
D. VACLs
Question. What are the two methods for bringing a port out of the err-disabled state?
A. Enter the errdisable recovery cause psecure-violation command in global configuration.
B. Enter the recover-lockout enable command in global configuration.
C. Enter the shutdown and no shutdown commands in order in interface configuration mode on the affected port.
D. Enter the no port-shutdown sticky-learn command in interface configuration mode on the affected port.
E. None of the above.
A. GARP
B. DAI
C. BPDU
D. DHCPACK
A. The frame is dropped.
B. A copy of the frame is forwarded out all switch ports other than the port the frame was received on.
C. The frame is transmitted on the native VLAN.
D. The switch sends a NACK segment to the frame’s source MAC address
A. Static secure MAC address
B. Dynamic secure MAC address
C. Sticky secure MAC address
D. Pervasive secure MAC address
A. GARP
B. DHCP snooping
C. DAI
D. SPAN
A. Protect
B. Isolate
C. Restrict
D. Shut down
A. DAI
B. Private VLANs
C. DHCP snooping
D. VACLs
Question. True or false. The switched port analyzer (SPAN) feature on Cisco Catalyst switches can be configured to copy all the traffic only from a specific VLAN to a dedicated monitoring port.
A. Between the authenticator and the authentication server
B. Between the supplicant and the authentication server
C. Between the RADIUS server and the authenticator
D. Between the supplicant and the authenticator
A. Supplicant
B. Authentication server
C. Authenticator
D. Method list
A. PEAP
B. EAP-TLS
C. EAP-MD5
D. LEAP
A. The client can transmit regardless of the port security settings, because of the successful 802.1x authentication.
B. After the client authenticates, it is allowed to transmit on the network if the switch is configured for AAA authorization, which explicitly permits network access for the client.
C. The client cannot transmit because of the port security violation, even though it successfully authenticated.
D. This is an invalid configuration, because port security and 802.1x features on a port are mutually exclusive.
A. When a connected client fails to authenticate after a certain number of attempts
B. If a connected client does not support 802.1x
C. After a connected client exceeds a specified idle time
D. When 802.1x is not globally enabled on the Cisco Catalyst switch
A. Switch(config)# dot1x host-mode multi-host
B. Switch(config-if)# enable dot1x multi-host
C. Switch(config)# no host-mode single-host
D. Switch(config-if)# dot1x host-mode multi-host