Module 11 - Switch Security Configuration Flashcards

Review (15 cards)

1
Q

What is a recommended best practice when dealing with the native VLAN?

Use port security.

Turn off DTP.

Assign the same VLAN number as the management VLAN.

Assign it to an unused VLAN.

A

Assign it to an unused VLAN.

Topic 11.2.0 - Port security cannot be enabled on a trunk and trunks are the only types of ports that have a native VLAN. Even though turning DTP off on a trunk is a best practice, it does not have anything to do with native VLAN risks. To prevent security breaches that take advantage of the native VLAN, place the native VLAN in an unused VLAN other than VLAN 1. The management VLAN should also be an unused VLAN that is different from the native VLAN and something other than VLAN 1.

2
Q

On what switch ports should PortFast be enabled to enhance STP stability?

Only ports that are elected as designated ports

All trunk ports that are not root ports

All end-user ports

Only ports that attach to a neighboring switch

A

All end-user ports

Topic 11.5.0 - PortFast will immediately bring an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states. If configured on a trunk link, immediately transitioning to the forwarding state could lead to the formation of Layer 2 loops.

3
Q

Which command would be best to use on an unused switch port if a company adheres to the best practices as recommended by Cisco?

ip dhcp snooping

switchport port-security mac-address sticky mac-address

switchport port-security mac-address sticky

switchport port-security violation shutdown

shutdown

A

shutdown

Topic 11.1.0 - Unlike router Ethernet ports, switch ports are enabled by default. Cisco recommends disabling any port that is not used. The ip dhcp snooping command globally enables DHCP snooping on a switch. Further configuration allows defining ports that can respond to DHCP requests. The switchport port-security command is used to protect the network from unidentified or unauthorized attachment of network devices.

4
Q

Which two features on a Cisco Catalyst switch can be used to mitigate DHCP starvation and DHCP spoofing attacks? (Choose two.)

Strong password on DHCP servers

DHCP server failover

Port security

DHCP snooping

Extended ACL

A

Port security
DHCP snooping

Topic 11.3.0 - In DHCP starvation attacks, an attacker floods the DHCP server with DHCP requests to use up all the available IP addresses that the DHCP server can issue.
In DHCP spoofing attacks, an attacker configures a fake DHCP server on the network so that it provides clients with false DNS server addresses. The port security feature can limit the number of dynamically learned MAC addresses per port or allow only known valid NICs to be connected via their specific MAC addresses. The DHCP snooping feature can identify the legitimate DHCP servers and block fake DHCP servers from issuing IP address information. These two features can help fight against DHCP attacks.

5
Q

What is the best way to prevent a VLAN hopping attack?

Use ISL encapsulation on all trunk links.

Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports.

Use VLAN 1 as the native VLAN on trunk ports.

Disable STP on all nontrunk ports.

A

Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports.

Topic 11.2.0 - VLAN hopping attacks rely on the attacker being able to create a trunk link with a switch. Disabling DTP and configuring user-facing ports as static access ports can help prevent these types of attacks. Disabling the Spanning Tree Protocol (STP) will not eliminate VLAN hopping attacks.

6
Q

Which procedure is recommended to mitigate the chances of ARP spoofing?

Enable DAI on the management VLAN.

Enable IP Source Guard on trusted ports.

Enable DHCP snooping on selected VLANs.

Enable port security globally.

A

Enable DHCP snooping on selected VLANs.

Topic 11.4.0 - To mitigate the chances of ARP spoofing, these procedures are recommended:
- Implement protection against DHCP spoofing by enabling DHCP snooping globally.
- Enable DHCP snooping on selected VLANs.
- Enable DAI on selected VLANs.
- Configure trusted interfaces for DHCP snooping and ARP inspection. Untrusted ports are configured by default.

7
Q

What are two types of switch ports that are used on Cisco switches as part of the defense against DHCP spoofing attacks? (Choose two.)

Unknown port
Trusted DHCP port
Untrusted port
Unauthorized port
Established DHCP port
Authorized DHCP port

A

Trusted DHCP port
Untrusted port

Topic 11.3.0 - DHCP snooping recognizes two types of ports on Cisco switches:
- Trusted DHCP ports - switch ports connecting to upstream DHCP servers
- Untrusted ports - switch ports connecting to hosts that should not be providing DHCP server messages

8
Q

Which two commands can be used to enable PortFast on a switch? (Choose two.)

S1 (config-line)# spanning-tree portfast

S1 (config)# spanning-tree portfast default

S1 (config-if)# enable spanning-tree portfast

S1 (config)# enable spanning-tree portfast default

S1 (config-if)# spanning-tree portfast

A

S1 (config)# spanning-tree portfast default

S1 (config-if)# spanning-tree portfast

Topic 11.5.0 - PortFast can be configured on all nontrunking ports using the spanning-tree portfast default global configuration command. Alternatively, PortFast can be enabled on an interface using the spanning-tree portfast interface configuration command.

9
Q

An administrator who is troubleshooting connectivity issues on a switch notices that a switch port configured for port security is in the err-disabled state. After verifying the cause of the violation, how should the administrator re-enable the port without disrupting network operation?

Issue the shutdown command followed by the no shutdown command on the interface.

Issue the no switchport port-security violation shutdown command on the interface.

Reboot the switch.

Issue the no switchport port-security command, then re-enable port security.

A

Issue the shutdown command followed by the no shutdown command on the interface.

Topic 11.1.0 - If an interface that has been protected with port security goes into the err-disabled state, then a violation has occurred and the administrator should investigate the cause of the violation. Once the cause is determined, the administrator can issue the shutdown command followed by the no shutdown command to enable the interface.

10
Q

A network administrator is configuring DHCP snooping on a switch. Which configuration command should be used first?

ip dhcp snooping limit rate
ip dhcp snooping
ip dhcp snooping vlan
ip dhcp snooping trust

A

ip dhcp snooping

Topic 11.3.0 - The steps to enable DHCP snooping include these:
- Step 1. Enable DHCP snooping using the ip dhcp snooping global configuration command.
- Step 2. On trusted ports, use the ip dhcp snooping trust interface configuration command.
- Step 3. Enable DHCP snooping by VLAN, or by a range of VLANs.

11
Q

A network administrator is configuring DAI on a switch with the command ip arp inspection validate dst-mac. What is the purpose of this configuration command?

To check the destination MAC address in the Ethernet header against the user-configured ARP ACLs

To check the destination MAC address in the Ethernet header against the MAC address table

To check the destination MAC address in the Ethernet header against the source MAC address in the ARP body

To check the destination MAC address in the Ethernet header against the target MAC address in the ARP body

A

To check the destination MAC address in the Ethernet header against the target MAC address in the ARP body

Topic 11.4.0 - DAI can be configured to validate destination or source MAC addresses and IP addresses:
- Destination MAC - Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body.
- Source MAC - Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.
- IP address - Checks the ARP body for invalid and unexpected IP addresses including addresses 0.0.0.0, 255.255.255.255, and all IP multicast addresses.

12
Q

Which security feature should be enabled in order to prevent an attacker from overflowing the MAC address table of a switch?

Port security
Root guard
Storm control
BPDU filter

A

Port security

Topic 11.1.0 - Port security limits the number of source MAC addresses allowed through a switch port. This feature can prevent an attacker from flooding a switch with many spoofed MAC addresses.

13
Q

What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol?
DHCP spoofing
ARP poisoning
ARP spoofing
VLAN hopping

A

VLAN hopping

Topic 11.2.0 - Mitigating a VLAN hopping attack can be done by disabling Dynamic Trunking Protocol (DTP) and by setting the native VLAN of trunk links to VLANs not in use.

14
Q

A network administrator is configuring DAI on a switch. Which command should be used on the uplink interface that connects to a router?

ip arp inspection trust
ip arp inspection vlan
ip dhcp snooping
spanning-tree portfast

A

ip arp inspection trust

Topic 11.4.0 - In general, a router serves as the default gateway for the LAN or VLAN on the switch. Therefore, the uplink interface that connects to a router should be a trusted port for forwarding ARP requests.

15
Q

Where are dynamically learned MAC addresses stored when sticky learning is enabled with the switchport port-security mac-address sticky command?

ROM
NVRAM
RAM
Flash

A

RAM

Topic 11.1.0 - When MAC addresses are automatically learned by using the sticky command option, the learned MAC addresses are added to the running configuration, which is stored in RAM.
