Modules 13 - 14: Layer 2 and Endpoint Security

26 Terms

1

Why are traditional network security perimeters not suitable for the latest consumer-based network endpoint devices?

These devices are more varied in type and are portable.

2

What two internal LAN elements need to be secured? (Choose two.)

IP phones

switches

3

What are two examples of traditional host-based security measures? (Choose two.)

host-based IPS

antimalware software

4

In an 802.1x deployment, which device is a supplicant?

end-user station

5

A company implements 802.1X security on the corporate network. A PC is attached to the network but has not authenticated yet. Which 802.1X state is associated with this PC?

unauthorized

6

An 802.1X client must authenticate before being allowed to pass data traffic onto the network. During the authentication process, between which two devices is the EAP data encapsulated into EAPOL frames? (Choose two.)

supplicant (client)

authenticator (switch)

7

Which command is used as part of the 802.1X configuration to designate the authentication method that will be used?

aaa authentication dot1x

8

What is involved in an IP address spoofing attack?

A legitimate network IP address is hijacked by a rogue node.

9

At which layer of the OSI model does Spanning Tree Protocol operate?

Layer 2

10

A network administrator uses the spanning-tree loopguard default global configuration command to enable Loop Guard on switches. What components in a LAN are protected with Loop Guard?

All point-to-point links between switches.

11

Which procedure is recommended to mitigate the chances of ARP spoofing?

Enable DHCP snooping on selected VLANs.

12

Which two ports can send and receive Layer 2 traffic from a community port on a PVLAN? (Choose two.)

promiscuous ports

community ports belonging to the same community

13

Which protocol should be used to mitigate the vulnerability of using Telnet to remotely manage network devices?

SSH

14

How can DHCP spoofing attacks be mitigated?

by implementing DHCP snooping on trusted ports

15

Refer to the exhibit. The network administrator is configuring the port security feature on switch SWC. The administrator issued the command show port-security interface fa 0/2 to verify the configuration. What can be concluded from the output that is shown? (Choose three.)

This port is currently up.

Security violations will cause this port to shut down immediately.

The switch port mode for this interface is access mode.

16

Two devices that are connected to the same switch need to be totally isolated from one another. Which Cisco switch security feature will provide this isolation?

PVLAN Edge

17

What is the behavior of a switch as a result of a successful CAM table attack?

The switch will forward all received frames to all other ports.

18

Which protocol defines port-based authentication to restrict unauthorized hosts from connecting to the LAN through publicly accessible switch ports?

802.1x

19

What device is considered a supplicant during the 802.1X authentication process?

the client that is requesting authentication

20

Which term describes the role of a Cisco switch in the 802.1X port-based access control?

authenticator

21

What type of data does the DLP feature of Cisco Email Security Appliance scan in order to prevent customer data from being leaked outside of the company?

outbound messages

22

What is the goal of the Cisco NAC framework and the Cisco NAC appliance?

to ensure that only hosts that are authenticated and have had their security posture examined and approved are permitted onto the network

23

Which Cisco solution helps prevent MAC and IP address spoofing attacks?

IP Source Guard

24

What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol?

VLAN hopping

25

What is the result of a DHCP starvation attack?

Legitimate clients are unable to lease IP addresses.

26

A network administrator is configuring DAI on a switch with the command ip arp inspection validate dst-mac. What is the purpose of this configuration command?

to check the destination MAC address in the Ethernet header against the target MAC address in the ARP body