Modules 13-14 Flashcards

(52 cards)

1
Q

Why are traditional network security perimeters not suitable for the latest consumer-based network endpoint devices?

a) These devices are not managed by the corporate IT department.

b) These devices pose no risk to security as they are not directly connected to the corporate network.

c) These devices connect to the corporate network through public wireless networks.

d) These devices are more varied in type and are portable.

A

Answer:
d) These devices are more varied in type and are portable.

Explanation:
Traditional network security has two major focuses: (1) end point protection using antivirus software and enabling the personal firewall, and (2) network border protection with firewalls, proxy servers, and network packet scanning devices or software. This type of protection is not suited for the new network devices that are mobile, frequently access cloud storage, and may be a personal device.

2
Q

What two internal LAN elements need to be secured? (Choose two.)

a) edge routers

b) IP phones

c) fiber connections

d) switches

e) cloud-based hosts

A

Answer:
b) IP phones
d) switches

Explanation:
Internal network protection is just as important as securing the network perimeter. Internal LAN elements can be broken up into endpoints and network infrastructure devices. Common endpoints include laptops, desktops, servers, and IP phones. LAN infrastructure devices include switches and access points.

3
Q

What are two examples of traditional host-based security measures? (Choose two.)

a) host-based IPS

b) NAS

c) 802.1X

d) antimalware software

e) host-based NAC

A

Answer:
a) host-based IPS
d) antimalware software

Explanation:
Traditional host-based security measures include antivirus/antimalware software, host-based IPS, and host-based firewall. Antivirus and antimalware software detects and mitigates viruses and malware. A host-based IPS is used to monitor and report on the system configuration and application activity, security events, policy enforcement, alerting, and rootkit detection. A host-based firewall restricts incoming and outgoing connections for a particular host.

4
Q

In an 802.1x deployment, which device is a supplicant?

a) RADIUS server

b) access point

c) switch

d) end-user station

A

Answer:
d) end-user station

Explanation:
In 802.1x, a supplicant is the end-user device (such as a laptop) that is attempting to attach to the WLAN.

5
Q

A company implements 802.1X security on the corporate network. A PC is attached to the network but has not authenticated yet. Which 802.1X state is associated with this PC?

a) err-disabled

b) disabled

c) unauthorized

d) forwarding

A

Answer:
c) unauthorized

Explanation:
When a port is configured for 802.1X, the port starts in the unauthorized state and stays that way until the client has successfully authenticated.

6
Q

During 802.1X authentication, between which two devices is EAP data encapsulated into EAPOL frames? (Choose two.)

a) data nonrepudiation server

b) authentication server (TACACS)

c) supplicant (client)

d) authenticator (switch)

e) ASA Firewall

A

Answer:
c) supplicant (client)
d) authenticator (switch)

Explanation:
When a client supplicant is starting the 802.1X message exchange, an EAPOL-Start message is sent between the supplicant and the authenticator, which is the switch. EAP data between the supplicant and the authenticator is encapsulated in EAPOL frames.

7
Q

Which command is used as part of the 802.1X configuration to designate the authentication method that will be used?

a) dot1x system-auth-control

b) aaa authentication dot1x

c) aaa new-model

d) dot1x pae authenticator

A

Answer:
b) aaa authentication dot1x

Explanation:
The aaa authentication dot1x default group radius command specifies that RADIUS is used as the method for 802.1X port-based authentication.

8
Q

What is involved in an IP address spoofing attack?

a) A rogue node replies to an ARP request with its own MAC address indicated for the target IP address.

b) Bogus DHCPDISCOVER messages are sent to consume all the available IP addresses on a DHCP server.

c) A rogue DHCP server provides false IP configuration parameters to legitimate DHCP clients.

d) A legitimate network IP address is hijacked by a rogue node.

A

Answer:
d) A legitimate network IP address is hijacked by a rogue node.

Explanation:
In an IP address spoofing attack, the IP address of a legitimate network host is hijacked and used by a rogue node. This allows the rogue node to pose as a valid node on the network.

9
Q

At which layer of the OSI model does Spanning Tree Protocol operate?

a) Layer 1

b) Layer 2

c) Layer 3

d) Layer 4

A

Answer:
b) Layer 2

Explanation:
Spanning Tree Protocol (STP) is a Layer 2 technology for preventing Layer 2 loops between redundant switch paths.

10
Q

What components in a LAN are protected with Loop Guard?

a) All Root Guard enabled ports.

b) All PortFast enabled ports.

c) All point-to-point links between switches.

d) All BPDU Guard enabled ports.

A

Answer:
c) All point-to-point links between switches.

Explanation:
Loop Guard can be enabled globally using the spanning-tree loopguard default global configuration command. This enables Loop Guard on all point-to-point links.

11
Q

Which procedure is recommended to mitigate the chances of ARP spoofing?

a) Enable DHCP snooping on selected VLANs.

b) Enable IP Source Guard on trusted ports.

c) Enable DAI on the management VLAN.

d) Enable port security globally.

A

Answer:
a) Enable DHCP snooping on selected VLANs.

Explanation:
To mitigate the chances of ARP spoofing, these procedures are recommended:
– Implement protection against DHCP spoofing by enabling DHCP snooping globally.
– Enable DHCP snooping on selected VLANs.
– Enable DAI on selected VLANs.
– Configure trusted interfaces for DHCP snooping and ARP inspection. Untrusted ports are configured by default.

12
Q

Which two ports can send and receive Layer 2 traffic from a community port on a PVLAN? (Choose two.)

a) community ports belonging to other communities

b) promiscuous ports

c) isolated ports within the same community

d) PVLAN edge protected ports

e) community ports belonging to the same community

A

Answer:
b) promiscuous ports
e) community ports belonging to the same community

Explanation:
Community ports can send and receive information with ports within the same community, or with a promiscuous port. Isolated ports can only communicate with promiscuous ports. Promiscuous ports can talk to all interfaces. PVLAN edge protected ports only forward traffic through a Layer 3 device to other protected ports.

13
Q

Which protocol should be used to mitigate the vulnerability of using Telnet to remotely manage network devices?

a) SNMP

b) TFTP

c) SSH

d) SCP

A

Answer:
c) SSH

Explanation:
Telnet uses plain text to communicate in a network. The username and password can be captured if the data transmission is intercepted. SSH encrypts data communications between two network devices. TFTP and SCP are used for file transfer over the network. SNMP is used in network management solutions.

14
Q

How can DHCP spoofing attacks be mitigated?

a) by disabling DTP negotiations on nontrunking ports

b) by implementing port security

c) by the application of the ip verify source command to untrusted ports

d) by implementing DHCP snooping on trusted ports

A

Answer:
d) by implementing DHCP snooping on trusted ports

Explanation:
One of the procedures to prevent a VLAN hopping attack is to disable DTP (auto trunking) negotiations on nontrunking ports. DHCP spoofing attacks can be mitigated by using DHCP snooping on trusted ports. The ip verify source interface configuration command is used to enable IP Source Guard on untrusted ports to protect against MAC and IP address spoofing.

15
Q

Port-security verification on SWC fa0/2 — what can be concluded? (Choose three.)

a) Three security violations have been detected on this interface.

b) This port is currently up.

c) The port is configured as a trunk link.

d) Security violations will cause this port to shut down immediately.

e) There is no device currently connected to this port.

f) The switch port mode for this interface is access mode.

A

Answer:
b) This port is currently up.
d) Security violations will cause this port to shut down immediately.
f) The switch port mode for this interface is access mode.

Explanation:
Because the security violation count is at 0, no violation has occurred. The system shows that 3 MAC addresses are allowed on port fa0/2, but only one has been configured and no sticky MAC addresses have been learned.

The port is up because of the port status of secure-up. The violation mode is what happens when an unauthorized device is attached to the port. A port must be in access mode in order to activate and use port security.

16
Q

Two devices on the same switch must be totally isolated. Which feature provides this isolation?

a) PVLAN Edge

b) DTP

c) SPAN

d) BPDU guard

A

Answer:
a) PVLAN Edge

Explanation:
The PVLAN Edge feature does not allow one device to see traffic that is generated by another device. Ports configured with the PVLAN Edge feature are also known as protected ports.

BPDU guard prevents unauthorized connectivity to a wired Layer 2 switch.

SPAN is port mirroring to capture data from one port or VLAN and send that data to another port.

DTP (Dynamic Trunking Protocol) is automatically enabled on some switch models to create a trunk if the attached device is configured for trunking. Cisco recommends disabling DTP as a best practice.

17
Q

What is the behavior of a switch as a result of a successful CAM table attack?

a) The switch will drop all received frames.

b) The switch interfaces will transition to the error-disabled state.

c) The switch will forward all received frames to all other ports.

d) The switch will shut down.

A

Answer:
c) The switch will forward all received frames to all other ports.

Explanation:
As a result of a CAM table attack, a switch can run out of memory resources to store MAC addresses.

When this happens, no new MAC addresses can be added to the CAM table and the switch will forward all received frames to all other ports. This would allow an attacker to capture all traffic that is flooded by the switch.

18
Q

Which protocol defines port-based authentication to restrict unauthorized hosts from connecting to the LAN through publicly accessible switch ports?

a) RADIUS

b) TACACS+

c) 802.1x

d) SSH

A

Answer:
c) 802.1x

Explanation:
802.1x is an IEEE standard that defines port-based access control. By authenticating each client that attempts to connect to the LAN, 802.1x provides protection from unauthorized clients.

19
Q

What device is considered a supplicant during the 802.1X authentication process?

a) the router that is serving as the default gateway

b) the authentication server that is performing client authentication

c) the client that is requesting authentication

d) the switch that is controlling network access

A

Answer:
c) the client that is requesting authentication

Explanation:
The devices involved in the 802.1X authentication process are as follows:
The supplicant, which is the client that is requesting network access
The authenticator, which is the switch that the client is connecting to and that is actually controlling physical network access
The authentication server, which performs the actual authentication

20
Q

Which term describes the role of a Cisco switch in the 802.1X port-based access control?

a) agent

b) supplicant

c) authenticator

d) authentication server

A

Answer:
c) authenticator

Explanation:
802.1X port-based authentication defines specific roles for the devices in the network:
Client (Supplicant) – The device that requests access to LAN and switch services
Switch (Authenticator) – Controls physical access to the network based on the authentication status of the client
Authentication server – Performs the actual authentication of the client

21
Q

What type of data does the DLP feature of Cisco ESA scan to prevent leaks?

a) inbound messages

b) outbound messages

c) messages stored on a client device

d) messages stored on the email server

A

Answer:
b) outbound messages

Explanation:
Cisco ESAs control outbound messages through data-loss prevention (DLP), email encryption, and optional integration with the RSA Enterprise Manager. This control helps ensure that the outbound messages comply with industry standards and are protected in transit.

22
Q

What is the goal of the Cisco NAC framework and the Cisco NAC appliance?

a) to ensure that only hosts that are authenticated and have had their security posture examined and approved are permitted onto the network

b) to monitor data from the company to the ISP in order to build a real-time database of current spam threats from both internal and external sources

c) to provide anti-malware scanning at the network perimeter for both authenticated and non-authenticated devices

d) to provide protection against a wide variety of web-based threats, including adware, phishing attacks, Trojan horses, and worms

A

Answer:
a) to ensure that only hosts that are authenticated and have had their security posture examined and approved are permitted onto the network

Explanation:
The NAC framework uses the Cisco network infrastructure and third-party software to ensure that the wired and wireless endpoints that want to gain access to the network adhere to the requirements defined by the security policy.

The Cisco NAC Appliance is the device that enforces security policy compliance.

23
Q

Which Cisco solution helps prevent MAC and IP address spoofing attacks?

a) Port Security

b) DHCP Snooping

c) IP Source Guard

d) Dynamic ARP Inspection

A

Answer:
c) IP Source Guard

Explanation:
Cisco provides solutions to help mitigate Layer 2 attacks including:

IP Source Guard (IPSG) – prevents MAC and IP address spoofing attacks

Dynamic ARP Inspection (DAI) – prevents ARP spoofing and ARP poisoning attacks

DHCP Snooping – prevents DHCP starvation and DHCP spoofing attacks

Port Security – prevents many types of attacks including MAC table overflow attacks and DHCP starvation attacks.

24
Q

What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol?

a) VLAN hopping

b) DHCP spoofing

c) ARP poisoning

d) ARP spoofing

A

Answer:
a) VLAN hopping

Explanation:
Mitigating a VLAN hopping attack can be done by disabling Dynamic Trunking Protocol (DTP) and by setting the native VLAN of trunk links to VLANs not in use.

25
Q

What is the result of a DHCP starvation attack?

a) Legitimate clients are unable to lease IP addresses.

b) Clients receive IP address assignments from a rogue DHCP server.

c) The attacker provides incorrect DNS and default gateway information to clients.

d) The IP addresses assigned to legitimate clients are hijacked.

A

Answer:
a) Legitimate clients are unable to lease IP addresses.

Explanation:
DHCP starvation attacks are launched by an attacker with the intent to create a DoS for DHCP clients. To accomplish this goal, the attacker uses a tool that sends many DHCPDISCOVER messages to lease the entire pool of available IP addresses, thus denying them to legitimate hosts.

26
Q

What is the purpose of the ip arp inspection validate dst-mac command in DAI?

a) to check the destination MAC address in the Ethernet header against the MAC address table

b) to check the destination MAC address in the Ethernet header against the user-configured ARP ACLs

c) to check the destination MAC address in the Ethernet header against the target MAC address in the ARP body

d) to check the destination MAC address in the Ethernet header against the source MAC address in the ARP body

A

Answer:
c) to check the destination MAC address in the Ethernet header against the target MAC address in the ARP body

Explanation:
DAI can be configured to check for both destination or source MAC and IP addresses:
Destination MAC – Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body.
Source MAC – Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.
IP address – Checks the ARP body for invalid and unexpected IP addresses including addresses 0.0.0.0, 255.255.255.255, and all IP multicast addresses.

27
Q

A switch has the following command issued as part of an 802.1X deployment:
address ipv4 10.1.1.50 auth-port 1812 acct-port 1813
What is the purpose of this command?

a) It identifies the address of the default gateway and the ports used for traffic destined for remote networks.

b) It identifies the address of the RADIUS server and ports on the server used for RADIUS traffic.

c) It identifies the address of the RADIUS server and the ports used for EAPOL messages.

d) It identifies the address of the switch to which the client connects and the ports used for the EAPOL messages.

A

Answer:
b) It identifies the address of the RADIUS server and ports on the server used for RADIUS traffic.

Explanation:
When using 802.1x authentication, a switch must be configured with the IP address of the RADIUS server, and the port numbers used to communicate with the authentication server.

28
Q

Which device is used as the authentication server in an 802.1X implementation?

a) wireless router

b) Ethernet switch

c) access point

d) RADIUS server

A

Answer:
d) RADIUS server

Explanation:
In an 802.1x implementation the authentication server is typically a host server running software supporting the RADIUS and EAP protocols.

29
Q

What are two main capabilities of a NAC system? (Choose two.)

a) route filtering

b) incident response

c) DMZ protection

d) security posture check

e) administrative role assignment

A

Answer:
b) incident response
d) security posture check

Explanation:
The primary goal of a network access control (NAC) system is to allow only authorized and compliant systems onto the network. NAC systems can have the following capabilities:
Profiling and visibility – recognize and profile users and devices before malicious code can cause damage
Guest network access – manage guest access including authentication, registration, and sponsoring
Security posture check – evaluate security policy compliance by user type, device type, and operating system
Incident response – mitigate network threats by enforcing security policies

30
Q

Which Cisco appliance can be used to filter network traffic contents to report and deny traffic based on the web server reputation?

a) ASA

b) AVC

c) ESA

d) WSA

A

Answer:
d) WSA

Explanation:
The Cisco Web Security Appliance (WSA) acts as a web proxy for an enterprise network. WSA can provide many types of logs related to web traffic security including ACL decision logs, malware scan logs, and web reputation filtering logs. The Cisco Email Security Appliance (ESA) is a tool to monitor most aspects of email delivery, system functioning, antivirus, antispam operations, and block list and allowed list decisions. The Cisco ASA is a firewall appliance. The Cisco Application Visibility and Control (AVC) system combines multiple technologies to recognize, analyze, and control over 1000 applications.

31
Q

Which command is used to enable AAA as part of the 802.1X configuration process on a Cisco device?

a) aaa new-model

b) dot1x pae authenticator

c) dot1x system-auth-control

d) aaa authentication dot1x

A

Answer:
a) aaa new-model

Explanation:
The first step in configuring 802.1X is to enable AAA using the aaa new-model global configuration command. The next step is to designate the RADIUS server and configure its address and ports.

32
Q

The switch port to which a client attaches is configured for the 802.1X protocol. The client must authenticate before being allowed to pass data onto the network. Between which two 802.1X roles is EAP data encapsulated using RADIUS? (Choose two.)

a) encrypter

b) authenticator

c) data nonrepudiation server

d) supplicant

e) authentication server

A

Answer:
b) authenticator
e) authentication server

Explanation:
When a client supplicant is starting the 802.1X message exchange, an EAPOL-Start message is sent between the supplicant and the authenticator, which is the switch. The authenticator then sends EAP data, encapsulated using RADIUS, to the authentication server.

33
Q

Which host-based security measure is used to restrict incoming and outgoing connections?

a) host-based firewall

b) antivirus/antimalware software

c) host-based IPS

d) rootkit

A

Answer:
a) host-based firewall

Explanation:
A host-based firewall is software installed on a single host that restricts incoming and outgoing connections to that host.

34
Q

Which security service is provided by 802.1x?

a) malware analysis of files

b) malware analysis and protection across the full attack continuum

c) protection against emerging threats for Cisco products

d) port-based network access control

A

Answer:
d) port-based network access control

Explanation:
802.1x is an industry standard for providing port-based network access control. It provides a mechanism to authenticate devices onto local-area networks and WLANs.

35
Q

Why is it important to protect endpoints?

a) After an endpoint is breached, an attacker can gain access to other devices.

b) Endpoints are the starting point for VLAN attacks.

c) Endpoints are susceptible to STP manipulation attacks that can disrupt the rest of the LAN.

d) A breached endpoint gives a threat actor access to system configuration that can modify security policy.

A

Answer:
a) After an endpoint is breached, an attacker can gain access to other devices.

Explanation:
Two internal LAN elements to protect are the endpoints and the network infrastructure devices. Endpoints are susceptible to malware-related attacks and, once infiltrated, can become a starting point to access other system devices.

36
Q

Websites are rated based on the latest website reputation intelligence. Which endpoint security measure prevents endpoints from connecting to websites that have a bad rating?

a) spam filtering

b) DLP

c) host-based IPS

d) antimalware software

e) denylisting

A

Answer:
e) denylisting

Explanation:
Denylisting blocks endpoints from connecting to suspicious websites that have a bad reputation based on the latest intelligence.

37
Q

When would the authentication port-control command be used during an 802.1X implementation?

a) when a client has sent an EAPOL-logoff message

b) when the authentication server is located at another location and cannot be reached

c) when the authentication server is located in the cloud

d) when an organization needs to control the port authorization state on a switch

A

Answer:
d) when an organization needs to control the port authorization state on a switch

Explanation:
The authentication port-control switch interface command is used when an organization wants to control the port authorization state of a particular port during the 802.1X authentication process. When the authentication port-control auto command is issued, it enables 802.1X port-based authentication and only allows EAPOL, STP, and CDP traffic to be sent until the client device has been authenticated.

38
Q

When using 802.1X authentication, what device controls physical access to the network, based on the authentication status of the client?

a) the authentication server

b) the router that is serving as the default gateway

c) the supplicant

d) the switch that the client is connected to

A

Answer:
d) the switch that the client is connected to

Explanation:
The devices involved in the 802.1X authentication process are as follows:
The supplicant, which is the client that is requesting network access
The authenticator, which is the switch that the client is connecting to and that is actually controlling physical network access
The authentication server, which performs the actual authentication

39
Q

A port has been configured for the 802.1X protocol and the client has successfully authenticated. Which 802.1X state is associated with this PC?

a) up

b) authorized

c) enabled

d) forwarding

A

Answer:
b) authorized

Explanation:
After authentication succeeds, the port transitions to the authorized state and normal data traffic is allowed.

40
Q

What is the only type of traffic that is forwarded by a PVLAN protected port to other protected ports?

a) broadcast

b) control

c) user

d) management

A

Answer:
b) control

Explanation:
PVLAN protected ports do not exchange any data traffic with other protected ports. The only traffic that is exchanged between protected ports is control traffic generated by network devices.

41
Q

A network administrator is configuring DAI on a switch with the command ip arp inspection validate src-mac. What is the purpose of this configuration command?

a) It checks the source MAC address in the Ethernet header against the user-configured ARP ACLs.

b) It checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.

c) It checks the source MAC address in the Ethernet header against the target MAC address in the ARP body.

d) It checks the source MAC address in the Ethernet header against the MAC address table.

A

Answer:
b) It checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.

Explanation:
DAI can be configured to check for both destination or source MAC and IP addresses:
Destination MAC – Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body.
Source MAC – Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.
IP address – Checks the ARP body for invalid and unexpected IP addresses including addresses 0.0.0.0, 255.255.255.255, and all IP multicast addresses.

42
Q

What mitigation plan is best for thwarting a DoS attack that is creating a MAC address table overflow?

a) Disable STP.

b) Enable port security.

c) Disable DTP.

d) Place unused ports in an unused VLAN.

A

Answer:
b) Enable port security.

Explanation:
A MAC address (CAM) table overflow attack, buffer overflow, and MAC address spoofing can all be mitigated by configuring port security. A network administrator would typically not want to disable STP because it prevents Layer 2 loops. DTP is disabled to prevent VLAN hopping. Placing unused ports in an unused VLAN prevents unauthorized wired connectivity.

43
Q

What network attack seeks to create a DoS for clients by preventing them from being able to obtain a DHCP lease?

a) DHCP starvation

b) DHCP spoofing

c) CAM table attack

d) IP address spoofing

A

Answer:
a) DHCP starvation

Explanation:
DHCP starvation attacks are launched by an attacker with the intent to create a DoS for DHCP clients. To accomplish this goal, the attacker uses a tool that sends many DHCPDISCOVER messages in order to lease the entire pool of available IP addresses, thus denying them to legitimate hosts.

44
Q

When security is a concern, which OSI Layer is considered to be the weakest link in a network system?

a) Layer 3

b) Layer 7

c) Layer 2

d) Layer 4

A

Answer:
c) Layer 2

Explanation:
Security is only as strong as the weakest link in the system, and Layer 2 is considered to be that weakest link. In addition to protecting Layer 3 to Layer 7, network security professionals must also mitigate attacks to the Layer 2 LAN infrastructure.

45
Q

If two switches are configured with the same priority and the same extended system ID, what determines which switch becomes the root bridge?

a) the lowest IP address

b) the MAC address with the highest hexadecimal value

c) the highest BID

d) the Layer 2 address with the lowest hexadecimal value

A

Answer:
d) the Layer 2 address with the lowest hexadecimal value

Explanation:
When other factors are equal, the switch with the lowest MAC address will have the lowest BID, and will become the root bridge. STP functions on Layer 2 and does not use IP addressing as a factor.

46
Q

Which statement describes the behavior of a switch when the MAC address table is full?

a) It treats frames as unknown unicast and floods all incoming frames to all ports on the switch.

b) It treats frames as unknown unicast and floods all incoming frames to all ports within the collision domain.

c) It treats frames as unknown unicast and floods all incoming frames to all ports across multiple switches.

d) It treats frames as unknown unicast and floods all incoming frames to all ports within the local VLAN.

A

Answer:
d) It treats frames as unknown unicast and floods all incoming frames to all ports within the local VLAN.

Explanation:
When the MAC address table is full, the switch treats the frame as an unknown unicast and begins to flood all incoming traffic to all ports only within the local VLAN.

47
Q

A cybersecurity analyst is using the macof tool to evaluate configurations of switches deployed in the backbone network of an organization. Which type of LAN attack is the analyst targeting during this evaluation?

a) VLAN hopping

b) MAC address table overflow

c) DHCP spoofing

d) VLAN double-tagging

A

Answer:
b) MAC address table overflow

Explanation:
Macof is a network attack tool and is mainly used to flood LAN switches with MAC addresses.

48
Q

What determines which switch becomes the STP root bridge for a given VLAN?

a) the highest priority

b) the lowest bridge ID

c) the highest MAC address

d) the lowest IP address

A

Answer:
b) the lowest bridge ID

Explanation:
STP uses a root bridge as a central point for all spanning tree calculations. To select a root bridge, STP conducts an election process. All switches in the broadcast domain participate in the election process. The switch with the lowest bridge ID, or BID, is elected as the root bridge. The BID is made up of a priority value, an extended system ID, and the MAC address of the switch.

49
Q

What action can a network administrator take to help mitigate the threat of VLAN hopping attacks?

a) Configure all switch ports to be members of VLAN 1.

b) Enable PortFast on all switch ports.

c) Disable automatic trunking negotiation.

d) Disable VTP.

A

Answer:
c) Disable automatic trunking negotiation.

Explanation:
There are two methods for mitigating VLAN hopping attacks:
– disabling automatic trunking negotiation on switchports
– turning trunking off on all unused nontrunk switchports

50
Q

Which two Cisco solutions help prevent DHCP starvation attacks? (Choose two.)

a) Port Security

b) DHCP Snooping

c) Web Security Appliance

d) Dynamic ARP Inspection

e) IP Source Guard

A

Answer:
a) Port Security
b) DHCP Snooping

Explanation:
Cisco provides solutions to help mitigate Layer 2 attacks including these:
IP Source Guard (IPSG) – prevents MAC and IP address spoofing attacks
Dynamic ARP Inspection (DAI) – prevents ARP spoofing and ARP poisoning attacks
DHCP Snooping – prevents DHCP starvation and DHCP spoofing attacks
Port Security – prevents many types of attacks including MAC table overflow attacks and DHCP starvation attacks
Web Security Appliance (WSA) is a mitigation technology for web-based threats.

51
Q

What is the only type of port that an isolated port can forward traffic to on a private VLAN?

a) another isolated port

b) any access port in the same PVLAN

c) a community port

d) a promiscuous port

A

Answer:
d) a promiscuous port

Explanation:
PVLANs are used to provide Layer 2 isolation between ports within the same broadcast domain. The level of isolation can be specified with three types of PVLAN ports:
Promiscuous ports that can forward traffic to all other ports
Isolated ports that can only forward traffic to promiscuous ports
Community ports that can forward traffic to other community ports and promiscuous ports

52
Q

What additional security measure must be enabled along with IP Source Guard to protect against address spoofing?

a) port security

b) BPDU Guard

c) DHCP snooping

d) root guard

A

Answer:
c) DHCP snooping

Explanation:
Like Dynamic ARP Inspection (DAI), IP Source Guard (IPSG) needs to determine the validity of MAC-address-to-IP-address bindings. To do this, IPSG uses the bindings database built by DHCP snooping.