Module 11: Switch Security Configuration

27 Terms

1

What is a recommended best practice when dealing with the native VLAN?

A. Use port security.
B. Turn off DTP.
C. Assign it to an unused VLAN.
D. Assign the same VLAN number as the management VLAN.

C. Assign it to an unused VLAN.

2

On what switch ports should PortFast be enabled to enhance STP stability?

A. only ports that are elected as designated ports
B. all trunk ports that are not root ports
C. all end-user ports
D. only ports that attach to a neighboring switch

C. all end-user ports

3

Which command would be best to use on an unused switch port if a company adheres to the best practices as recommended by Cisco?

A. switchport port-security mac-address sticky mac-address
B. ip dhcp snooping
C. shutdown
D. switchport port-security violation shutdown
E. switchport port-security mac-address sticky

C. shutdown

4

Which two features on a Cisco Catalyst switch can be used to mitigate DHCP starvation and DHCP spoofing attacks? (Choose two.)

A. DHCP server failover
B. extended ACL
C. port security
D. DHCP snooping
E. strong password on DHCP servers

C. port security
D. DHCP snooping

5

What is the best way to prevent a VLAN hopping attack?

A. Use ISL encapsulation on all trunk links.
B. Disable STP on all nontrunk ports.
C. Use VLAN 1 as the native VLAN on trunk ports.
D. Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports.

D. Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports.

6

Which procedure is recommended to mitigate the chances of ARP spoofing?

A. Enable port security globally.
B. Enable DHCP snooping on selected VLANs.
C. Enable IP Source Guard on trusted ports.
D. Enable DAI on the management VLAN.

B. Enable DHCP snooping on selected VLANs.

7

What are two types of switch ports that are used on Cisco switches as part of the defense against DHCP spoofing attacks? (Choose two.)

A. unknown port
B. trusted DHCP port
C. unauthorized port
D. established DHCP port
E. untrusted port
F. authorized DHCP port

B. trusted DHCP port
E. untrusted port

8

Which two commands can be used to enable PortFast on a switch? (Choose two.)

A. S1(config-if)# enable spanning-tree portfast
B. S1(config-if)# spanning-tree portfast
C. S1(config)# enable spanning-tree portfast default
D. S1(config)# spanning-tree portfast default
E. S1(config-line)# spanning-tree portfast

B. S1(config-if)# spanning-tree portfast
D. S1(config)# spanning-tree portfast default

9

An administrator who is troubleshooting connectivity issues on a switch notices that a switch port configured for port security is in the err-disabled state. After verifying the cause of the violation, how should the administrator re-enable the port without disrupting network operation?

A. Reboot the switch.
B. Issue the shutdown command followed by the no shutdown command on the interface.
C. Issue the no switchport port-security command, then re-enable port security.
D. Issue the no switchport port-security violation shutdown command on the interface.

B. Issue the shutdown command followed by the no shutdown command on the interface.

10

A network administrator is configuring DHCP snooping on a switch. Which configuration command should be used first?

A. ip dhcp snooping
B. ip dhcp snooping limit rate
C. ip dhcp snooping vlan
D. ip dhcp snooping trust

A. ip dhcp snooping

11

A network administrator is configuring DAI on a switch with the command ip arp inspection validate dst-mac. What is the purpose of this configuration command?

A. to check the destination MAC address in the Ethernet header against the MAC address table
B. to check the destination MAC address in the Ethernet header against the source MAC address in the ARP body
C. to check the destination MAC address in the Ethernet header against the user-configured ARP ACLs
D. to check the destination MAC address in the Ethernet header against the target MAC address in the ARP body

D. to check the destination MAC address in the Ethernet header against the target MAC address in the ARP body

12

Which security feature should be enabled in order to prevent an attacker from overflowing the MAC address table of a switch?

A. storm control
B. port security
C. BPDU filter
D. root guard

B. port security

13

What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol?

A. VLAN hopping
B. DHCP spoofing
C. ARP poisoning
D. ARP spoofing

A. VLAN hopping

14

A network administrator is configuring DAI on a switch. Which command should be used on the uplink interface that connects to a router?

A. ip arp inspection trust
B. ip dhcp snooping
C. ip arp inspection vlan
D. spanning-tree portfast

A. ip arp inspection trust

15

Where are dynamically learned MAC addresses stored when sticky learning is enabled with the switchport port-security mac-address sticky command?

A. flash
B. NVRAM
C. RAM
D. ROM

C. RAM

16

Which method would mitigate a MAC address flooding attack?

A. Configuring port security
B. Increasing the size of the CAM table
C. Increasing the speed of switch ports
D. Using ACLs to filter broadcast traffic on the switch

A. Configuring port security

17

Which action will bring an error-disabled switch port back to an operational state?

A. Clear the MAC address table on the switch.
B. Issue the shutdown and no shutdown interface config commands.
C. Issue the switchport mode access interface config command.
D. Remove and reconfigure port security on the interface.

B. Issue the shutdown and no shutdown interface config commands.

18

Which two statements are true regarding switch port security? (Choose two.)

A. After entering the sticky parameter, only MAC addresses subsequently learned are converted to secure MAC addresses.
B. Dynamically learned secure MAC addresses are lost when the switch reboots.
C. If fewer than the maximum number of MAC addresses for a port are configured statically, dynamically learned addresses are added to CAM until the maximum number is reached.
D. The three configurable violation modes all log violations via SNMP.
E. The three configurable violation modes all require user intervention to reenable ports.

B. Dynamically learned secure MAC addresses are lost when the switch reboots.
C. If fewer than the maximum number of MAC addresses for a port are configured statically, dynamically learned addresses are added to CAM until the maximum number is reached.

19

Port security has been enabled on access ports to allow a maximum of two MAC addresses. Which port security violation would drop the frame and send a notification to the syslog server if the maximum number of MAC addresses is exceeded?

A. Protect
B. Restrict
C. Shutdown
D. Warning

B. Restrict

20

Which feature should be configured on PortFast-enabled switches to prevent rogue switches from being added to a network?

A. BPDU guard
B. DAI
C. DHCP snooping
D. Port security

A. BPDU guard

21

Which port security feature enables switches to automatically learn and retain MAC addresses for each port?

A. Auto secure MAC addresses
B. Dynamic secure MAC addresses
C. Static secure MAC addresses
D. Sticky secure MAC addresses

D. Sticky secure MAC addresses

22

Assume that BPDU Guard has been enabled globally on all access ports. However, one port must not be configured with the feature. Which command would explicitly disable BPDU Guard on that switch port?

A. S1(config)# no spanning-tree bpduguard default
B. S1(config)# no spanning-tree portfast bpduguard default
C. S1(config-if)# no enable spanning-tree bpduguard
D. S1(config-if)# no spanning-tree bpduguard enable
E. S1(config-if)# no spanning-tree portfast bpduguard

D. S1(config-if)# no spanning-tree bpduguard enable

23

Which DAI command checks the source MAC address in the Ethernet header against the target MAC address in the ARP body?

A. ip arp inspection validate dst-mac
B. ip arp inspection validate dst-mac ip
C. ip arp inspection validate ip
D. ip arp inspection validate src-mac

D. ip arp inspection validate src-mac

24

What is the result of entering the ip dhcp snooping limit rate 4 interface configuration command?

A. The port can receive up to 4 DHCP discovery messages per second.
B. The port can receive up to 4 DHCP offer messages per second.
C. The port can send up to 4 DHCP messages per second.
D. The port can send up to 4 DHCP offer discovery messages per second.

A. The port can receive up to 4 DHCP discovery messages per second.

25

Port security has been enabled on a switch port. Which violation mode is in use by default?

A. Restrict
B. Disabled
C. Protect
D. Shutdown

D. Shutdown

26

Which techniques should be used to mitigate VLAN attacks? (Choose three.)

A. Disable DTP.
B. Enable BPDU guard.
C. Enable Source Guard.
D. Enable trunking manually.
E. Set the native VLAN to an unused VLAN.
F. Use private VLANs.

A. Disable DTP.
D. Enable trunking manually.
E. Set the native VLAN to an unused VLAN.

27

Port security has been enabled on interface Fa0/1 and the show port-security interface fa0/1 command has been entered. What does the Port Status “Secure-up” message indicate?

A. The Fa0/1 port is currently error-disabled.
B. The Fa0/1 port violation mode is “protect”.
C. There are no hosts connected to the secured Fa0/1 port.
D. There is a host connected to the secured Fa0/1 port.

D. There is a host connected to the secured Fa0/1 port.