Week 9 - Network Management Flashcards

(71 cards)

1
Q

What is the main purpose of AAA on a network device?

A. Speeding up routing decisions
B. Enforcing network access control policies
C. Preventing Layer 2 loops
D. Replacing firewalls

A

Answer:
B. Enforcing network access control policies

Explanation:
AAA (Authentication, Authorization, Accounting) is an architectural framework that defines who can access the network, what they can do, and what they actually did. It lets you centrally control administrator and user access to network devices and services. Rather than relying on simple local passwords, AAA scales to large environments and provides per-user control and auditing.

Summary:

AAA = access control framework

Authentication: identify user

Authorization: control what they can do

Accounting: log what they did

Essential for secure, manageable networks

2
Q

Which AAA function decides what actions or commands a user is allowed to perform?

A. Authentication
B. Authorization
C. Accounting
D. Auditing

A

Answer:
B. Authorization

Explanation:
After a user is authenticated (identity verified), authorization determines what that user can actually do on the device. This can include which commands they can run, which interfaces they can configure, or which network resources they may access. It gives fine-grained control rather than simple “all or nothing” access.

Summary:

  • Authorization happens after authentication
  • Controls user permissions and command sets
  • Often implemented via RADIUS/TACACS+ attributes
  • Can be applied per-user or per-group
  • Critical for least-privilege access
3
Q

Which AAA component records how long a user was connected and what resources they used?

A. Authentication
B. Authorization
C. Accounting
D. Auditing only on firewalls

A

Answer:
C. Accounting

Explanation:
Accounting tracks user activities and resource usage, such as logon time, executed commands, or bandwidth usage. This information is often exported to a centralized AAA or syslog server and is vital for auditing, billing, and forensic analysis after security incidents.

Summary:

  • Accounting = logging usage and actions
  • Captures start/stop times, commands, sessions
  • Useful for audits and troubleshooting
  • Helps detect misuse or suspicious activity
  • Configured with AAA accounting rules
4
Q

Which of the following is NOT a typical benefit of using AAA?

A. Centralized access control
B. Command-level authorization
C. Automatic QoS configuration on all interfaces
D. Per-user accountability and logging

A

Answer:
C. Automatic QoS configuration on all interfaces

Explanation:
AAA improves security and manageability by centralizing authentication, providing granular authorization, and tracking user activity. It does not automatically handle QoS on interfaces; QoS is configured separately, although AAA attributes can influence policies in some designs.

Summary:

  • AAA focuses on access, not QoS
  • Benefits: central auth, per-user control, logging
  • Supports standardized protocols (RADIUS/TACACS+)
  • Scales better than local-only credentials
  • Enables multi-admin environments with accountability
5
Q

What are the three common “factors” used for authentication?

A. IP, MAC address, hostname
B. Username, password, VLAN
C. Something you know, have, or are
D. Source port, destination port, protocol

A

Answer:
C. Something you know, have, or are

Explanation:
Authentication factors are typically categorized as: something you know (password, PIN), something you have (token, smartcard, certificate), and something you are (biometrics like fingerprint or retina). AAA can integrate with methods that use one or more of these factors.

Summary:

  • Knowledge: passwords/PIN
  • Possession: token, smartcard, cert
  • Inherence: biometrics
  • Multi-factor = combine ≥2
  • AAA can tie into all three types
6
Q

On a Cisco device, which command family enables AAA?

A. enable aaa
B. security aaa
C. aaa new-model
D. aaa authentication enable

A

Answer:
C. aaa new-model

Explanation:
On IOS devices, aaa new-model globally enables the AAA subsystem, allowing you to configure authentication, authorization, and accounting methods and method-lists. Without this command, the traditional line-password model is used instead.

Summary:

  • aaa new-model turns on AAA
  • Required before AAA commands work
  • Moves away from simple line passwords
  • Enables use of RADIUS/TACACS+
  • Foundation for modern access control
7
Q

In AAA authentication, why is it best practice to configure multiple methods (e.g., RADIUS then local)?

A. To speed up authentication
B. To support multiple VLANs
C. To provide backup if a primary server fails
D. To prevent password reuse

A

Answer:
C. To provide backup if a primary server fails

Explanation:
AAA method lists often specify a primary method (RADIUS/TACACS+) and a fallback (local user database). If the primary remote server is unreachable, the device can still be accessed via local credentials, preventing lockout scenarios while still using centralized control.

Summary:

  • Multiple methods = resilience
  • Primary: remote server (RADIUS/TACACS+)
  • Fallback: local database
  • Prevents complete lockout if AAA server down
  • Defined in aaa authentication method-lists
8
Q

Which statement about RADIUS and TACACS+ is TRUE?

A. Both are open standards
B. Both use TCP only
C. Both are AAA protocols using a client/server model
D. Both encrypt the entire packet

A

Answer:
C. Both are AAA protocols using a client/server model

Explanation:
RADIUS (open standard) and TACACS+ (Cisco proprietary) are AAA protocols in which a network device acts as a client (NAS) and communicates with a central AAA server. They differ in transport protocol, encryption scope, and how they handle authentication/authorization, but both implement AAA in a client/server architecture.

Summary:

  • RADIUS & TACACS+ = AAA client/server
  • NAS = client, AAA server = central authority
  • Used for device access and network access
  • Differ in security and granularity
  • Core to centralized AAA in enterprises
9
Q

Which transport protocol does RADIUS use by default?

A. TCP
B. UDP
C. SCTP
D. ICMP

A

Answer:
B. UDP

Explanation:
RADIUS uses UDP (typically ports 1812/1813 or 1645/1646 on older implementations). UDP has lower overhead, which suits high-volume authentication traffic, but reliability is handled at the application level (retries, timeouts).

Summary:

  • RADIUS uses UDP
  • Common ports: 1812 (auth), 1813 (acct)
  • Lightweight but needs retries/timeouts
  • Good for high-volume access requests
  • Less granular command control than TACACS+
10
Q

Which transport protocol does TACACS+ use?

A. UDP
B. TCP
C. ICMP
D. GRE

A

Answer:
B. TCP

Explanation:
TACACS+ runs over TCP, typically port 49. TCP provides connection-oriented communication and built-in reliability, which is helpful for command-by-command authorization flows and longer sessions between NAS and AAA server.

Summary:

  • TACACS+ uses TCP (port 49)
  • Connection-oriented and reliable
  • Well-suited for command authorization
  • Slightly more overhead than UDP
  • Often used for device admin access
11
Q

Which statement about RADIUS packet encryption is correct?

A. RADIUS encrypts the entire packet
B. RADIUS encrypts only the username
C. RADIUS encrypts only the password field
D. RADIUS never encrypts anything

A

Answer:
C. RADIUS encrypts only the password field

Explanation:
RADIUS protects the user’s password by encrypting that field in the Access-Request. Other attributes (like username, NAS IP, and AV pairs) remain visible. This is less secure than TACACS+, which encrypts the entire payload between NAS and server.

Summary:

  • RADIUS = password-only encryption
  • Other attributes visible on the wire
  • Uses shared secret for protection
  • Less secure than TACACS+ for admin command control
  • Still widely used for network access (VPN, Wi-Fi, 802.1X)
12
Q

Which statement about TACACS+ encryption is correct?

A. Only passwords are encrypted
B. The entire TACACS+ payload is encrypted
C. TACACS+ never encrypts credentials
D. Only command authorization messages are encrypted

A

Answer:
B. The entire TACACS+ payload is encrypted

Explanation:
TACACS+ encrypts the whole payload between NAS and AAA server, not just the password. This includes user credentials, authorization information, and accounting data, giving stronger confidentiality—especially important for device administration.

Summary:

  • TACACS+ encrypts full payload
  • More secure for CLI admin
  • Uses TCP with shared secret
  • Good fit for command-level authorization
  • Cisco proprietary
13
Q

In RADIUS, which message type does the client (NAS) send first during authentication?

A. Access-Accept
B. Access-Request
C. Access-Challenge
D. Access-Reject

A

Answer:
B. Access-Request

Explanation:
When a user attempts to log in, the NAS sends an Access-Request to the RADIUS server containing username, encrypted password, and NAS attributes. The server then replies with Accept, Reject, or Challenge depending on the credentials and policies.

Summary:

  • First step = Access-Request from NAS
  • Contains credentials & NAS info
  • Server responds with Accept/Reject/Challenge
  • Often carries attributes (AV pairs)
  • Combines auth + authorization in one flow
14
Q

In TACACS+, how are authentication and authorization handled compared to RADIUS?

A. TACACS+ combines them; RADIUS separates them
B. RADIUS combines them; TACACS+ separates them
C. Both always combine them
D. Both always separate them

A

Answer:
B. RADIUS combines them; TACACS+ separates them

Explanation:
RADIUS typically sends authentication and authorization as a single transaction (Access-Request / Access-Accept). TACACS+ can separate authentication from authorization, allowing very granular per-command authorization independent of the login step.

Summary:

  • RADIUS: auth + authz often combined
  • TACACS+: separates auth, authz, accounting
  • TACACS+ supports per-command control
  • Better suited to device administration
  • RADIUS more common for network access (VPN, Wi-Fi)
15
Q

Where is it generally not ideal to use TACACS+?

A. For device admin CLI access
B. In multivendor environments
C. On Cisco-only networks
D. For per-command authorization

A

Answer:
B. In multivendor environments

Explanation:
TACACS+ is Cisco proprietary, so while some other vendors may support it, RADIUS is the standard choice for multivendor interoperability. If your environment mixes different network vendor devices, RADIUS is typically preferred for AAA.

Summary:

  • TACACS+ is Cisco proprietary
  • Best for Cisco-heavy environments
  • Multivendor → prefer RADIUS
  • RADIUS is open standard (RFCs)
  • Design choice depends on environment
16
Q

Which is a limitation of RADIUS in complex multi-service networks?

A. It cannot encrypt passwords
B. It cannot use UDP
C. Each session is tied to a single service type
D. It cannot log accounting data

A

Answer:
C. Each session is tied to a single service type

Explanation:
RADIUS sessions are usually tied to a specific service (e.g., network access, VPN). This makes it less flexible for situations where multiple services need to be authorized or controlled at once for the same user, compared to TACACS+’s more granular per-command/operation model.

Summary:

  • RADIUS sessions typically per-service
  • Less flexible for multi-service flows
  • Still excellent for simple access (PPP, VPN, Wi-Fi)
  • Not as fine-grained as TACACS+
  • A design point for large, complex deployments
17
Q

What is “identity-based networking” trying to achieve?

A. Security based only on switch port location
B. Decisions based on who the user is, not where they connect
C. Only MAC-based filtering
D. Time-based access restrictions only

A

Answer:
B. Decisions based on who the user is, not where they connect

Explanation:
Identity-based networking authenticates users and applies policies (like VLAN assignment, ACLs, QoS) based on user identity, group, or role. It removes reliance on physical port security alone, which becomes impractical with wireless and mobile users.

Summary:

  • Focus on who the user is
  • Not tied to physical port location
  • Supports mobility (Wi-Fi, laptops)
  • Often uses 802.1X + RADIUS
  • Can place user into specific VLAN or role
18
Q

Which standard underpins identity-based access control on wired/wireless LANs?

A. IEEE 802.3
B. IEEE 802.1D
C. IEEE 802.1X
D. IEEE 802.11ac

A

Answer:
C. IEEE 802.1X

Explanation:
802.1X is a port-based access control standard used on switches and wireless access points. It uses EAP over LAN (EAPOL) to authenticate clients before allowing normal data traffic through the port, integrating with RADIUS for backend decisions.

Summary:

  • 802.1X = port-based network access control
  • Used on wired switch ports & Wi-Fi
  • Only EAPOL, CDP, STP allowed before auth
  • Works with RADIUS as backend
  • Foundation of identity-based networking
19
Q

In 802.1X terminology, what is the role of the supplicant?

A. The switch or AP
B. The AAA server
C. The client device requesting access
D. The router providing default gateway

A

Answer:
C. The client device requesting access

Explanation:
The supplicant is typically a workstation, laptop, or phone attempting to connect. It runs 802.1X client software, sends credentials using EAPOL, and waits for the authenticator’s decision (which comes from the authentication server).

Summary:

  • Supplicant = end user device
  • Runs 802.1X client/EAP
  • Initiates authentication
  • Communicates with authenticator (switch/AP)
  • Ultimately controlled by auth server decision
20
Q

In 802.1X, what is the function of the authenticator?

A. Verify user credentials directly
B. Provide physical access control and relay EAP messages
C. Store user database
D. Encrypt all traffic end-to-end

A

Answer:
B. Provide physical access control and relay EAP messages

Explanation:
The authenticator is the edge device (switch port or AP) that physically controls whether traffic is allowed. It acts as a proxy, relaying EAP messages between the supplicant and the backend authentication server (usually RADIUS).

Summary:

  • Authenticator = switch or AP
  • Controls port state (authorized/unauthorized)
  • Relays EAPOL ↔ RADIUS messages
  • Doesn’t validate credentials itself
  • Enforces result from authentication server
21
Q

Before a client is authenticated on an 802.1X-enabled switch port, which traffic types are typically allowed?

A. All IP traffic
B. Only HTTP and HTTPS
C. Only EAPOL, CDP, and STP
D. No traffic at all

A

Answer:
C. Only EAPOL, CDP, and STP

Explanation:
Until authentication succeeds, the port is in a controlled state. It must allow EAPOL (for auth), CDP (for discovery), and STP (for loop prevention) but blocks normal user data. After a successful login, the port transitions to an authorized state and forwards regular user traffic.

Summary:

  • Pre-auth: EAPOL, CDP, STP only
  • Data traffic blocked
  • Prevents unauthorized access
  • Allows control-plane protocols to function
  • Post-auth: normal traffic permitted
22
Q

Which device typically acts as the authentication server in an 802.1X deployment?

A. The client OS
B. The distribution switch
C. A RADIUS server (e.g., ISE/NPS)
D. The default gateway router

A

Answer:
C. A RADIUS server (e.g., ISE/NPS)

Explanation:
The authentication server is a backend AAA platform (often RADIUS-based) that validates user credentials, applies policy, and instructs the authenticator whether to allow or deny access—and possibly which VLAN or ACL to apply.

Summary:

  • Auth server = RADIUS/AAA system
  • Validates credentials (EAP inside RADIUS)
  • Returns Accept/Reject + attributes
  • Integrates with directory (AD/LDAP)
  • Core of identity-based networking
23
Q

Why is manual clock configuration on many network devices considered bad practice?

A. It uses extra CPU cycles
B. It breaks VLANs
C. It is inaccurate and not scalable
D. It disables SNMP

A

Answer:
C. It is inaccurate and not scalable

Explanation:
Setting time manually is error-prone, drifts over time, and doesn’t scale across many devices. Time synchronization is crucial for logs, certificates, and time-based security. Therefore, protocols like NTP/SNTP/PTP are used to maintain consistent and accurate time across the network.

Summary:

  • Manual time = drift + inconsistency
  • Breaks correlation of logs
  • Causes issues with Kerberos/certs
  • NTP/SNTP/PTP should be used instead
  • Time sync is a core best practice
24
Q

What is the main role of Network Time Protocol (NTP) in a network?

A. Enforce VLAN security
B. Synchronize clocks between devices
C. Encrypt management traffic
D. Provide DHCP leases

A

Answer:
B. Synchronize clocks between devices

Explanation:
NTP is designed to keep device clocks synchronized to a reference time with millisecond-level accuracy. This supports accurate timestamps in logs, coordinated troubleshooting, and proper operation of time-sensitive protocols.

Summary:

  • NTP = distributed clock sync
  • Millisecond-level accuracy
  • Essential for logging and security
  • Uses stratum hierarchy of servers
  • Commonly used on routers/switches/servers
25
Q

What is Simple Network Time Protocol (SNTP)?

A. A different port of NTP used for IPv6
B. A simplified, lightweight version of NTP
C. A proprietary Cisco replacement for NTP
D. A time protocol used only in data centres

A

Answer:
B. A simplified, lightweight version of NTP

Explanation:
SNTP provides similar functionality to NTP but with a simpler implementation and less complex algorithms. It’s used on devices that don’t need full NTP precision or advanced features, but it still uses the same port and cannot coexist with NTP on the same device.

Summary:

  • SNTP = simplified NTP
  • Less complex, lower resource usage
  • Uses same UDP port as NTP
  • Cannot run alongside NTP on same device
  • Suitable where high precision not critical
26
Q

Why can’t NTP and SNTP usually be configured simultaneously on the same device?

A. They are mutually exclusive in software licensing
B. They use different time zones
C. They share the same port and time service
D. They require different hardware clocks

A

Answer:
C. They share the same port and time service

Explanation:
Both NTP and SNTP use the same UDP port and act as time synchronization services. Running both would conflict, so most systems support enabling only one of them at a time.

Summary:

  • NTP and SNTP use same port
  • Compete for same time service role
  • Device chooses one or the other
  • Avoids configuration conflicts
  • Pick NTP when you need more precision
27
Q

What is Precision Time Protocol (PTP) mainly used for?

A. Low-accuracy log timestamps
B. Sub-microsecond time synchronization
C. DHCP relay optimization
D. DNS record updates

A

Answer:
B. Sub-microsecond time synchronization

Explanation:
PTP is designed for very high-precision time synchronization (sub-microsecond) used in environments like trading systems, industrial automation, or certain data centre applications. It’s more accurate than NTP but requires hardware and network support.

Summary:

  • PTP = very high accuracy
  • Sub-microsecond synchronization
  • Used in specialized/industrial/DC environments
  • More complex than NTP
  • Supported by some high-end switches
28
Q

What is the primary purpose of SNMP in a network?

A. Provide default gateway redundancy
B. Manage VLAN trunking
C. Expose device performance and status to an NMS
D. Perform Layer 3 routing decisions

A

Answer:
C. Expose device performance and status to an NMS

Explanation:
SNMP (Simple Network Management Protocol) enables a Network Management System (NMS) to query and receive information from network devices, such as interface statistics, CPU usage, and environmental status. It is used for monitoring, trending, and fault detection.

Summary:

  • SNMP = network monitoring protocol
  • NMS polls agents for stats
  • Agents expose data via MIBs
  • Used for alerts, graphs, capacity planning
  • Standard across most vendors
29
Q

Which two main components make up an SNMP management system?

A. Client and server
B. Manager and agent
C. Controller and listener
D. Router and switch

A

Answer:
B. Manager and agent

Explanation:
The SNMP manager (usually NMS software) sends queries and receives data. The SNMP agent runs on network devices, collects local information, and maps it into SNMP objects defined in MIBs. The manager uses this data for dashboards, alerts, and reports.

Summary:

  • Manager = central NMS
  • Agent = local process on device
  • Manager polls agents via SNMP
  • Agents expose data via MIBs
  • Core model for monitoring
30
Q

What is a Management Information Base (MIB) in SNMP?

A. A database of routing entries
B. A directory service for usernames
C. A structured collection of managed objects
D. A log of SNMP traps

A

Answer:
C. A structured collection of managed objects

Explanation:
A MIB defines the structure and naming of managed objects (OIDs) that SNMP agents expose. Each OID corresponds to a specific parameter (like interface in-octets). Agents maintain values for those objects; managers read or sometimes modify them.

Summary:

  • MIB = definition of SNMP objects
  • Organised tree of OIDs
  • Defines what can be monitored/controlled
  • Agent stores values for these objects
  • Manager uses MIB to interpret responses
31
Q

What is the difference between SNMP polling and SNMP traps?

A. Polling is push; traps are pull
B. Polling is manager-initiated; traps are agent-initiated
C. Both are always periodic
D. Traps are only used for QoS

A

Answer:
B. Polling is manager-initiated; traps are agent-initiated

Explanation:
Polling occurs when the NMS periodically queries agents (GET requests) for statistics. Traps are asynchronous notifications sent by the agent when specific events occur (e.g., link down), allowing near real-time alerting without waiting for the next poll.

Summary:

  • Polling: manager → agent, scheduled
  • Traps: agent → manager, event-driven
  • Polling good for trends and usage
  • Traps good for alarms and faults
  • Both are key to effective monitoring
32
Q

Why is SNMP important for capacity planning?

A. It configures routing tables automatically
B. It reveals long-term usage and performance trends
C. It encrypts management traffic
D. It assigns IP addresses dynamically

A

Answer:
B. It reveals long-term usage and performance trends

Explanation:
By regularly polling interfaces, CPU, and memory metrics, SNMP data can be graphed over time. This allows engineers to see growth patterns, identify when links or devices will reach capacity, and plan upgrades before performance degrades.

Summary:

  • SNMP provides time-series performance data
  • Data feeds graphs and dashboards
  • Reveals growth and saturation points
  • Helps plan ahead for bandwidth/hardware
  • Essential for proactive network management
33
Q

In a campus network, why are AAA, NTP, SNMP, and 802.1X considered “best practices” rather than optional extras?

A. They are only needed for very large ISPs
B. They are mostly cosmetic and rarely used
C. They provide foundational security, control, and manageability
D. They replace all firewalls and IDS systems

A

Answer:
C. They provide foundational security, control, and manageability

Explanation:
These features underpin secure, well-managed networks: AAA controls access, NTP ensures consistent time (critical for logs/security), SNMP provides monitoring, and 802.1X provides identity-based access control. In modern enterprise environments, they are effectively mandatory requirements.

Summary:

  • AAA: secure admin & user access
  • NTP/SNTP/PTP: consistent time across devices
  • SNMP: monitoring & fault management
  • 802.1X: identity-based access to LAN/WLAN
  • Form the baseline of a “managed” campus network
34
Q

Which AAA protocol is typically preferred for device administrator command authorization on Cisco gear?

A. RADIUS
B. TACACS+
C. SNMP
D. 802.1X

A

Answer:
B. TACACS+

Explanation:
Because TACACS+ separates authentication and authorization and encrypts the entire payload, it’s ideal for per-command authorization and secure CLI access to routers and switches. RADIUS is still used, but it’s better suited for network access (VPN, Wi-Fi, 802.1X) than for granular device admin control.

Summary:

  • TACACS+ favored for device admin
  • Supports per-command authorization
  • Full payload encryption
  • Uses TCP (port 49)
  • Often integrated with central AAA servers
35
Q

Which AAA protocol is more commonly used for 802.1X Wi-Fi or wired network access authentication?

A. TACACS+
B. RADIUS
C. SNMP
D. PTP

A

Answer:
B. RADIUS

Explanation:
802.1X implementations on switches and wireless controllers almost always use RADIUS as the backend AAA protocol. The authenticator (AP/switch) relays EAP messages to a RADIUS server, which verifies credentials and returns authorization decisions and attributes like VLAN assignments.

Summary:

  • 802.1X + RADIUS is the standard combo
  • Used for Wi-Fi and wired port access
  • RADIUS carries EAP payloads
  • Integrates with AD/LDAP/identity stores
  • Provides flexible access policies (VLANs, ACLs, etc.)
36
Q

Which AAA protocol is more commonly used for 802.1X Wi-Fi or wired network access authentication?

A. TACACS+
B. RADIUS
C. SNMP
D. PTP

A

Answer:
B. RADIUS

Explanation:
802.1X deployments almost always rely on RADIUS as the backend AAA method. The switch/AP (authenticator) forwards EAP messages to the RADIUS server, which validates credentials, checks policy, and returns an Accept or Reject. The server may also assign VLANs, ACLs, or downloadable policies.

Summary:

  • RADIUS is standard for 802.1X
  • Carries EAP authentication messages
  • Switch/AP forwards EAPOL → RADIUS
  • Integrates with AD/LDAP identity stores
  • Supports dynamic VLAN/ACL assignment
37
Q

What is the purpose of Private VLANs (PVLANs)?

A. Provide routing between hosts
B. Limit Layer 2 communication within the same VLAN
C. Enable multicast optimisation
D. Replace trunking

A

Answer:
B. Limit Layer 2 communication within the same VLAN

Explanation:
PVLANs allow you to segment hosts at Layer 2 without creating multiple VLANs. They prevent unwanted host-to-host communication inside the same broadcast domain, providing stronger isolation (e.g., in data centres, multi-tenant hosting, ISP networks).

Summary:

  • PVLANs isolate hosts at Layer 2
  • Same VLAN, restricted communication
  • Reduce attack surface in shared environments
  • Hosts still share same gateway
  • Used in DCs, ISPs, hotels, shared networks
38
Q

Which PVLAN type allows communication only with the promiscuous port?

A. Community
B. Isolated
C. Primary
D. Secondary

A

Answer:
B. Isolated

Explanation:
Isolated PVLAN ports cannot talk to each other but may communicate with the promiscuous port (the gateway or firewall). This is the strictest isolation mode, ideal for preventing east-west traffic.

Summary:

  • Isolated → no host-to-host comms
  • Only talks to promiscuous port
  • Maximum tenant isolation
  • Good for security-sensitive networks
  • Still shares upstream VLAN
39
Q

Which PVLAN type allows communication only within the same group of hosts?

A. Community
B. Primary
C. Isolated
D. Router

A

Answer:
A. Community

Explanation:
Community PVLAN hosts can communicate with each other and with the promiscuous port, but not with other communities or isolated ports, which enables flexible segmentation within the same VLAN.

Summary:

  • Community ports = group-level communication
  • Each group isolated from other groups
  • Can still reach gateway (promiscuous)
  • Useful for departmental or service grouping
  • Adds segmentation without extra VLAN IDs
40
Q

Which PVLAN port type can communicate with ALL other ports?

A. Community
B. Promiscuous
C. Isolated
D. Secondary

A

Answer:
B. Promiscuous

Explanation:
Promiscuous ports (usually the router or firewall) can talk to any isolated or community port. They act as the upstream gateway for all PVLAN segments.

Summary:

  • Promiscuous = full communication
  • Gateway for all PVLAN types
  • Used for router/firewall/servers
  • Essential for upstream connectivity
  • Only one required per PVLAN domain
41
Q

What problem does DHCP Snooping prevent?

A. ARP flooding
B. Rogue DHCP servers giving bad IP settings
C. Duplicate MAC addresses
D. VLAN hopping attacks

A

Answer:
B. Rogue DHCP servers giving bad IP settings

Explanation:
DHCP Snooping blocks DHCP server messages on untrusted ports so attackers cannot act as DHCP servers. Only trusted ports (uplinks to real DHCP servers) may send DHCP offers/acks.

Summary:

  • Blocks rogue DHCP servers
  • Protects against malicious IP assignments
  • Only trusted ports may send replies
  • Builds binding table for other features
  • Foundational Layer 2 security control
42
Q

What does the DHCP Snooping binding table record?

A. VLAN numbers only
B. MAC, IP, VLAN, interface, lease
C. Only MAC addresses
D. Only IP addresses

A

Answer:
B. MAC, IP, VLAN, interface, lease

Explanation:
DHCP Snooping stores a trusted mapping between MAC address, IP address, assigned VLAN, switchport, and lease time. This information is then used by IP Source Guard and DAI to validate traffic.

Summary:

  • Stores MAC → IP → port → VLAN mappings
  • Built from legitimate DHCP transactions
  • Used by IPSG and DAI
  • Ensures integrity of host identity
  • Helps prevent spoofing attacks
43
Q

Which DHCP packets are allowed on untrusted ports?

A. DHCP Offer and DHCP ACK
B. DHCP DISCOVER and REQUEST
C. Only DHCP INFORM
D. No DHCP traffic is allowed

A

Answer:
B. DHCP DISCOVER and REQUEST

Explanation:
Untrusted ports only allow client-to-server messages. Server-to-client messages (Offer/ACK/NAK) are blocked to prevent rogue DHCP servers on access ports.

Summary:

  • Clients on untrusted ports send DISCOVER/REQUEST
  • DHCP server replies blocked on untrusted ports
  • Only trusted ports may send Offer/ACK
  • Helps prevent rogue DHCP servers
  • Enforced at L2 in the switch
44
Q

What happens if a DHCP Offer is received on an untrusted port?

A. It is relayed to the server
B. It is forwarded normally
C. It is dropped
D. It triggers ARP inspection

A

Answer:
C. It is dropped

Explanation:
Offers (DHCP server responses) must only come from trusted DHCP server ports. An Offer received on an untrusted port is considered rogue and is discarded to prevent malicious IP address assignment.

Summary:

  • DHCP Offer on untrusted = dropped
  • Protects clients from rogue DHCP
  • Trusted ports = uplinks only
  • Enforcement occurs in hardware
  • Builds integrity of DHCP process
45
Q

What does Option 82 (DHCP Relay Agent Information) provide?

A. Encryption
B. Client identification and port location info
C. VLAN assignment
D. DNS server details

A

Answer:
B. Client identification and port location info

Explanation:
Option 82 adds metadata about where the client is connected, such as switch ID and port, allowing DHCP servers to apply policies based on location (e.g., VLAN assignment, ACLs, IP ranges).

Summary:

  • Adds port/switch info to DHCP requests
  • Helps DHCP server enforce policies
  • Useful for large enterprise networks
  • Often combined with 802.1X
  • Enhances IP assignment accuracy
46
Q

What security feature uses the DHCP Snooping table to block IP/MAC spoofing?

A. DAI
B. Port Security
C. IP Source Guard
D. STP Loop Guard

A

Answer:
C. IP Source Guard

Explanation:
IPSG verifies that traffic from a host matches the trusted bindings (MAC, IP, VLAN, port). If a device spoofs an IP address, the switch blocks the traffic at ingress.

Summary:

* IPSG = anti-IP spoofing
* Uses DHCP Snooping table
* Checks MAC/IP/VLAN/Port match
* Blocks spoofed or static IPs
* Essential for host integrity
47
Q

What does IP Source Guard check for each incoming frame?

A. TTL value
B. VLAN hopping behaviour
C. Source MAC + source IP match the binding
D. Destination MAC validity

A

Answer:
C. Source MAC + source IP match the binding

Explanation:
IP Source Guard enforces identity by verifying that each frame's IP and MAC match the DHCP Snooping binding for that port. Anything mismatched is dropped.

Summary:

* Checks MAC ↔ IP consistency
* Validates against DHCP bindings
* Prevents host impersonation
* Works per-port and per-VLAN
* Strong anti-spoofing control
48
Q

What attack does Dynamic ARP Inspection (DAI) prevent?

A. VLAN pruning
B. ARP spoofing / ARP poisoning
C. DHCP starvation
D. STP topology attacks

A

Answer:
B. ARP spoofing / ARP poisoning

Explanation:
DAI verifies ARP packets on untrusted ports, comparing ARP data to the DHCP Snooping binding table. Any mismatched or malicious ARP packets are dropped, stopping MITM attacks.

Summary:

* Stops ARP spoofing/poisoning
* Checks ARP against DHCP Snooping bindings
* Only trusted ports can send ARP replies
* Prevents MITM attacks
* Critical for L2 security
49
Q

What ARP fields does DAI validate?

A. Only target IP
B. Only sender MAC
C. Sender IP, sender MAC, target IP, target MAC
D. No ARP fields

A

Answer:
C. Sender IP, sender MAC, target IP, target MAC

Explanation:
DAI inspects all ARP fields to ensure no host is pretending to be another device (e.g., gateway). All fields must match legitimate bindings or be trusted upstream.

Summary:

* Validates full ARP packet
* Sender/target IP + MAC checked
* Matches DHCP Snooping table
* Blocks forged ARP replies
* Prevents redirection of traffic
50
Q

What happens when DAI receives an ARP Reply on an untrusted port with no matching DHCP binding?

A. It is forwarded
B. It is rate-limited
C. It is dropped
D. It is rewritten

A

Answer:
C. It is dropped

Explanation:
Only ARP replies from trusted ports (or those matching DHCP Snooping bindings) are allowed. Any ARP traffic lacking a valid entry is considered spoofed and discarded.

Summary:

* ARP reply on untrusted port without binding = drop
* Protects against gateway spoofing
* Ensures trusted ARP infrastructure
* Uses Snooping table for validation
* Prevents MITM attacks
51
Q

Which attack floods a switch MAC table to force broadcast behaviour?

A. Rogue DHCP attack
B. MAC flooding attack
C. ARP spoofing
D. VLAN hopping

A

Answer:
B. MAC flooding attack

Explanation:
Attackers flood a switch with fake source MACs, forcing it to revert to hub-like behaviour (broadcast forwarding). This allows sniffing and man-in-the-middle attacks.

Summary:

* Floods MAC table with bogus addresses
* Switch enters fail-open/broadcast mode
* Allows packet sniffing/MITM
* Countered with port security
* Layer-2 targeted attack
52
Q

Which feature prevents MAC flooding?

A. DAI
B. DHCP Snooping
C. Port Security
D. IPSG

A

Answer:
C. Port Security

Explanation:
Port security limits the number of MAC addresses learned on a port. If the number exceeds the limit, traffic can be dropped, shut down, or restricted.

Summary:

* Limits learned MAC addresses
* Blocks or shuts down on violation
* Stops MAC flood attacks
* Works on access ports
* Basic L2 security feature
53
Q

What is the default behaviour when port security is violated (if not configured otherwise)?

A. Shutdown (err-disable)
B. Restrict
C. Protect
D. Drop only tagged frames

A

Answer:
A. Shutdown (err-disable)

Explanation:
The default violation mode is "shutdown", where the port enters err-disabled state. Other options include protect (drop only) and restrict (drop + log).

Summary:

* Default = shutdown on violation
* Port goes err-disabled
* Other modes: protect, restrict
* Prevents unauthorised device access
* Common for securing access ports
54
Q

Which attack involves sending a high number of DHCP DISCOVER messages to exhaust the DHCP pool?

A. DHCP Snooping attack
B. DHCP starvation attack
C. ARP poisoning
D. MAC flooding

A

Answer:
B. DHCP starvation attack

Explanation:
DHCP starvation overwhelms the DHCP server with fake DISCOVER requests, consuming all available leases. Attackers often use tools like Yersinia.

Summary:

* Exhausts DHCP pool
* Uses spoofed MACs
* Prevents legit clients from obtaining IPs
* Often paired with rogue DHCP servers
* Mitigated by Snooping + port security
55
Q

Which feature prevents rogue DHCP servers AND supports IP/MAC validation?

A. DAI
B. IPSG
C. DHCP Snooping
D. Port Security

A

Answer:
C. DHCP Snooping

Explanation:
DHCP Snooping blocks DHCP server responses on untrusted ports and builds the authoritative DHCP binding table, which is reused by IPSG and DAI.

Summary:

* Blocks rogue DHCP servers
* Builds binding table (MAC/IP/VLAN/Port)
* Used by IPSG + DAI
* Ensures valid DHCP assignments
* Protects host IP integrity
56
Q

DAI requires which other feature to function fully?

A. Port Security
B. DHCP Snooping
C. GLBP
D. ACLs

A

Answer:
B. DHCP Snooping

Explanation:
DAI requires the DHCP snooping table to match ARP packets against MAC/IP combinations. Without it, DAI cannot validate the authenticity of ARP traffic.

Summary:

* DAI depends on Snooping table
* Snooping provides trusted bindings
* ARP compared against secure entries
* Prevents ARP spoof/MITM
* Must enable Snooping first
57
Q

What feature blocks traffic if the source IP does not match the binding table?

A. DAI
B. IPSG
C. Port ACLs
D. PVLANs

A

Answer:
B. IPSG

Explanation:
IP Source Guard validates the source IP of incoming traffic against the DHCP Snooping binding. If a host spoofs an IP address, the frame is immediately dropped.

Summary:

* Prevents IP spoofing
* Uses Snooping bindings
* Enforced per-port
* Drops mismatched IP/MAC frames
* Complements DAI
58
Q

Which attack attempts to access VLANs outside the assigned one?

A. ARP spoofing
B. DHCP starvation
C. VLAN hopping
D. MAC flooding

A

Answer:
C. VLAN hopping

Explanation:
VLAN hopping allows an attacker to send frames that appear to belong to another VLAN (e.g., double-tagging), enabling unauthorized access to other VLANs.

Summary:

* Attack to reach other VLANs
* Often uses double-tagged frames
* Exploits native VLAN weaknesses
* Mitigated by disabling DTP/native VLAN
* Best practice: native VLAN = unused
59
Q

Which configuration prevents VLAN hopping via trunk negotiation?

A. Enable DTP on access ports
B. Disable DTP (set to access or trunk static)
C. Use VLAN 1 as native VLAN
D. Permit all VLANs on trunk

A

Answer:
B. Disable DTP (set to access or trunk static)

Explanation:
Disabling DTP prevents interfaces from forming undesired trunks. Access ports should be set to static access (switchport mode access), and trunks should be manually configured.

Summary:

* Disable DTP to prevent auto-trunking
* Use static access or static trunk
* Prevents VLAN hopping attacks
* Control VLAN tagging behaviour
* Best practice for security
60
Q

Which Layer 2 attack attempts to impersonate the gateway's MAC address?

A. MAC flooding
B. Rogue DHCP
C. ARP spoofing
D. VLAN hopping

A

Answer:
C. ARP spoofing

Explanation:
An attacker forges ARP replies claiming to be the gateway, redirecting traffic through their device. This enables MITM attacks.

Summary:

* ARP spoof = gateway impersonation
* Redirects client traffic
* Enables MITM attacks
* Blocked by DAI
* Relies on forged ARP replies
61
Q

What does port security "sticky" mode do?

A. Blocks all unknown MACs
B. Dynamically learns and saves MACs to the running config
C. Requires manual MAC configuration
D. Converts port into a trunk

A

Answer:
B. Dynamically learns and saves MACs to the running config

Explanation:
Sticky mode learns MACs dynamically and writes them into the running configuration, so learned MACs persist across reboots once the configuration is saved.

Summary:

* Dynamically learns MACs
* Saves to running config
* Persists if copied to startup config
* Helps secure access ports
* Easier than manual MAC entry
62
Q

Which feature validates ARP packets using hardware filtering?

A. DAI
B. IPSG
C. DHCP Snooping
D. PVLANs

A

Answer:
A. DAI

Explanation:
Dynamic ARP Inspection uses ASIC-based validation to filter ARP packets quickly, preventing spoofing without CPU strain.

Summary:

* Hardware-based ARP validation
* Fast and scalable
* Protects against ARP spoofing
* Relies on Snooping bindings
* Integral L2 security feature
63
Q

Which feature prevents a host from using a static IP not assigned by DHCP?

A. Port Security
B. DAI
C. IPSG
D. PVLANs

A

Answer:
C. IPSG

Explanation:
IP Source Guard ties the host's IP to a DHCP-delivered address. Static IPs not matching the binding are dropped, preventing impersonation.

Summary:

* Ensures IP integrity
* Static IPs blocked if not valid
* Uses Snooping binding table
* Prevents host impersonation
* Works per-port per-VLAN
64
Q

Which feature limits ARP request/reply rate on a port?

A. ARP rate limiter
B. DAI
C. Port Security
D. IPSG

A

Answer:
B. DAI

Explanation:
DAI includes a configurable rate limit to prevent ARP floods, protecting both the switch and clients from excessive ARP frames.

Summary:

* DAI can rate-limit ARP
* Prevents ARP flood attacks
* Helps maintain switch stability
* Drop threshold configurable
* Based on per-port limits
65
Q

Which attack involves installing a fake wireless AP to steal credentials?

A. MAC flooding
B. Evil twin attack
C. DHCP starvation
D. ARP poisoning

A

Answer:
B. Evil twin attack

Explanation:
An attacker sets up a rogue wireless AP mimicking the SSID of a legitimate network, tricking users into connecting and revealing credentials.

Summary:

* Rogue AP mimics real SSID
* Used for credential theft
* Man-in-the-middle opportunity
* Requires wireless security to mitigate
* Detected by WIPS/WIDS
66
Q

Which feature prevents frames with double VLAN tags from being accepted?

A. PVLANs
B. Native VLAN removal
C. DAI
D. IPSG

A

Answer:
B. Native VLAN removal

Explanation:
Double-tagging VLAN hopping attacks rely on the native VLAN passing untagged traffic. Setting the native VLAN to an unused VLAN and forcing tagging prevents the attack.

Summary:

* VLAN hopping relies on native VLAN
* Use unused VLAN as native
* Force tagging on all trunks
* Mitigates double-tagging attacks
* Common best practice
67
Q

An attacker sends thousands of DHCP DISCOVER messages. What protection helps stop this?

A. IPSG
B. DHCP Snooping
C. Port Security
D. PVLANs

A

Answer:
C. Port Security

Explanation:
DHCP starvation uses many spoofed MAC addresses to request leases. Port security limits MAC learning, stopping the attacker from generating unlimited requests.

Summary:

* MAC flooding of DHCP requests
* Port Security limits MAC count
* Stops unlimited DISCOVER messages
* Works with DHCP Snooping
* Prevents pool exhaustion
68
Q

Which feature prevents spoofed ARP replies claiming a different MAC than the real one?

A. IPSG
B. DAI
C. PVLAN
D. DHCP Snooping

A

Answer:
B. DAI

Explanation:
DAI compares ARP replies to DHCP Snooping bindings and drops any that do not match, blocking MITM attempts.

Summary:

* Validates ARP packet identity
* Detects forged gateway claims
* Stops ARP poisoning/MITM
* Relies on Snooping bindings
* Essential Layer 2 security
69
Q

Which feature prevents users from impersonating another IP by manually assigning it?

A. Port Security
B. IPSG
C. DAI
D. DHCP Snooping

A

Answer:
B. IPSG

Explanation:
IPSG ensures a host uses only the IP address learned via DHCP Snooping. Any packet with a manual/incorrect IP is dropped.

Summary:

* Prevents static IP impersonation
* Ensures IP is DHCP-assigned
* Uses Snooping binding table
* Works per-port/per-VLAN
* Complements DAI and Port Security
70
Q

Which feature provides the MOST complete Layer 2 host identity validation?

A. DHCP Snooping
B. IPSG
C. DAI
D. Using all three together

A

Answer:
D. Using all three together

Explanation:
DHCP Snooping provides bindings. IPSG validates source IP. DAI validates ARP. Together they create a complete identity validation system at Layer 2.

Summary:

* Snooping = binding creation
* IPSG = anti-IP spoof
* DAI = anti-ARP spoof
* Combined = full L2 security
* Used in modern enterprise networks
71
Q

Which feature best mitigates MAC address flooding attacks?

A. DHCP Snooping
B. DAI
C. Port Security
D. IPSG

A

Answer:
C. Port Security

Explanation:
MAC flooding overwhelms the CAM table. Port security prevents excessive MAC learning, protecting the switch from fail-open behaviour.

Summary:

* Limits number of MACs per port
* Counters MAC flooding attacks
* Can shut down or drop frames
* Essential access port protection
* Works with other L2 security tools