Config Router

You are here: Home / Cisco / CCNP Switch FAQ: Securing VLANs

CCNP Switch FAQ: Securing VLANs

by

CCNP Switch FAQ: Securing VLANs

Q1. Which one of the following can filter packets even if they are not routed to another Layer 3 interface?
a. IP extended access lists
b. MAC address access lists
c. VLAN access lists
d. Port-based access lists

Answer: C

Q2. In what part of a Catalyst switch are VLAN ACLs implemented?
a. NVRAM
b. CAM
c. RAM
d. TCAM

Answer: D

Q3. Which one of the following commands can implement a VLAN ACL called test?
a. access-list vlan test
b. vacl test
c. switchport vacl test
d. vlan access-map test

Answer: D

Q4. After a VACL is configured, where is it applied?
a. Globally on a VLAN
b. On the VLAN interface
c. In the VLAN configuration
d. On all ports or interfaces mapped to a VLAN

Answer: A

Q5. Which of the following private VLANs is the most restrictive?
a. Community VLAN
b. Isolated VLAN
c. Restricted VLAN
d. Promiscuous VLAN

Answer: B

Q6. Thevlan 100 command has just been entered. What is the next command needed to configure VLAN 100 as a secondary isolated VLAN?
a. private-vlan isolated
b. private-vlan isolated 100
c. pvlan secondary isolated
d. No further configuration necessary

Answer: A

Q7. What type of port configuration should you use for private VLAN interfaces that connect to a router?
a. Host
b. Gateway
c. Promiscuous
d. Transparent

Answer: C

Q8. Promiscuous ports must be ______________ to primary and secondary VLANs, and host ports must be ________________.
a. Mapped, associated
b. Mapped, mapped
c. Associated, mapped
d. Associated, associated

Answer: A

Q9. In a switch spoofing attack, an attacker makes use of which one of the following?
a. The switch management IP address
b. CDP message exchanges
c. Spanning Tree Protocol
d. DTP to negotiate a trunk

Answer: D

Q10. Which one of the following commands enables you to prevent a switch spoofing attack on an end-user port?
a. switchport mode access
b. switchport mode trunk
c. no switchport spoof
d. spanning-tree spoof-guard

Answer: A

Q11. Which one of the following represents the spoofed information an attacker sends in a VLAN hopping attack?
a. 802.1Q tags
b. DTP information
c. VTP information
d. 802.1x information

Answer: A
Figure: VLAN Hopping Attack Process

Q12. Which one of the following methods can be used to prevent a VLAN hopping attack?
a. Use VTP throughout the network.
b. Set the native VLAN to the user access VLAN.
c. Remove the native VLAN from a trunk link.
d. Avoid using EtherChannel link bundling.

Answer: C

More Resources