CCNA Sem 2 Module 10-13
Which IEEE standard operates at wireless frequencies in both the 5 GHz and 2.4 GHz ranges? 802.11b 802.11a 802.11n 802.11g
802.11n
Which of the following encryption methods uses CCMP to recognize if the encrypted and non-encrypted bits have been altered? RC4 TKIP AES
AES
A threat actor sends a message that causes all other devices to believe the MAC address of the threat actor's device is the default gateway. What type of attack is this? Address spoofing ARP spoofing CDP reconnaissance DHCP starvation STP attack VLAN hopping
ARP spoofing
Which of the following components are integrated in a wireless home router? (Choose three.) Access point Switch Router Range extender
Access Point Switch Router Range extender
Which AAA component is responsible for collecting and reporting usage data for auditing and billing purposes? Authentication Authorization Accounting
Accounting
What is the term for an AP that does not send a beacon, but waits for clients to send probes? Active Infrastructure Ad hoc Passive
Active
Which wireless topology mode is used by two devices to connect in a peer-to-peer network? Ad hoc Infrastructure Tethering
Ad hoc
A threat actor changes the MAC address of the threat actor's device to the MAC address of the default gateway. What type of attack is this? Address spoofing ARP spoofing CDP reconnaissance DHCP starvation STP attack VLAN hopping
Address spoofing
What is a recommended best practice when dealing with the native VLAN? Assign it to an unused VLAN. Use port security. Assign the same VLAN number as the management VLAN. Turn off DTP.
Assign it to an unused VLAN
Which AAA component is responsible for controlling who is permitted to access the network? Authentication Authorization Accounting
Authentication
Which of the following is an IEEE 802.15 WPAN standard that uses a device-pairing process to communicate? Cellular WiMAX Wi-Fi Bluetooth
Bluetooth
What two protocols are supported on Cisco devices for AAA communications? (Choose two.) LLDP VTP RADIUS TACACS+ HSRP
CDP
A threat actor discovers the IOS version and IP addresses of the local switch. What type of attack is this? Address spoofing ARP spoofing CDP reconnaissance DHCP starvation STP attack VLAN hopping
CDP reconnaissance
A user has just purchased a generic home router and would like to secure it. What should be done to help secure the wireless home router? Allow only IPv6 traffic to enter the router. Set a private IPv4 network for the internal network. Change the default administrator password. Change the default SSID.
Change the default administrator password
What is a difference between autonomous APs that operate in a home environment and controller-based APs that operate in a corporate environment? Autonomous APs do not support PoE. Controller-based APs can be automatically configured and managed by a WLAN controller. Autonomous APs incorporate the functions of a router, switch, and AP into one device. Controller-based APs are known as lightweight APs and require an initial configuration to operate.
Controller-based APs can be automatically configured and managed by a WLAN controller.
Which of the following mitigation techniques prevents ARP spoofing and ARP poisoning attacks? IPSG DHCP snooping DAI Port security
DAI
Which of the following mitigation techniques prevents DHCP starvation and DHCP spoofing attacks? IPSG DHCP snooping DAI Port security
DHCP snooping
Which Layer 2 attack will result in legitimate users not getting valid IP addresses? ARP spoofing DHCP starvation IP address spoofing MAC address flooding
DHCP starvation
A user is configuring a wireless access point and wants to prevent any neighbors from discovering the network. What action does the user need to take? Enable WPA encryption. Configure a DNS server. Configure DMZ settings. Disable SSID broadcast.
Disable SSID broadcast
What mitigation plan is best for thwarting a DoS attack that is creating a MAC address table overflow? Disable DTP. Disable STP. Enable port security. Place unused ports in an unused VLAN.
Enable port security.
A laptop cannot connect to a wireless access point. Which two troubleshooting steps should be taken first? (Choose two.) Ensure that the NIC is configured for the proper frequency. Ensure that the wireless SSID is chosen. Ensure that the laptop antenna is attached. Ensure that the wireless NIC is enabled. Ensure that the correct network media is selected.
Ensure that the wireless SSID is chosen. Ensure that the wireless NIC is enabled.
Which feature of 802.11n wireless access points allows them to transmit data at faster speeds than previous versions of 802.11 Wi-Fi standards did? MIMO WPS MITM SPS
MIMO
What type of attack is an "evil twin AP" attack? DoS MITM Wireless intruder Radio interference
MITM (man in the middle)
Which WLC tab would a network administrator typically use to see a summary view of the most heavily used WLANs including the number of clients using a particular WLAN? WLANs Controller Monitor Commands
Monitor
In setting up a small office network, the network administrator decides to assign private IP addresses dynamically to workstations and mobile devices. Which feature must be enabled on the company router in order for office devices to access the internet? MAC filtering NAT QoS UPnP
NAT
Which of the following modulation techniques is used in the new 802.11ax standard? DSSS FHSS OFDM OFDMA
OFDMA
Which of the following antennas provide 360 degrees of coverage? Wireless NIC Directional Omnidirectional MIMO
Omnidirectional
Which of the following authentication methods does not use a password shared between the wireless client and the AP? WEP WPA WPA2 WPA3 Open
Open
What is the term for an AP that openly advertises its service periodically? Active Infrastructure Ad hoc Passive
Passive
What mitigation technique must be implemented to prevent MAC address overflow attacks? IPSG DAI Port security DHCP snooping
Port security
What functionality is required on routers to provide remote workers with VoIP and videoconferencing capabilities? PPPoE VPN QoS IPsec
QoS
In a server-based AAA implementation, which protocol will allow the router to successfully communicate with the AAA server? RADIUS SSH TACACS 802.1x
RADIUS
Where are dynamically learned MAC addresses stored when sticky learning is enabled with the switchport port-security mac-address sticky command? flash ROM RAM NVRAM
RAM
Which encryption method is used by the original 802.11 specification? AES TKIP AES or TKIP RC4
RC4
Which attack encrypts the data on hosts in an attempt to extract a monetary payment from the victim? DDoS Data breach Malware Ransomware
Ransomware
Which of the following is most likely NOT the source of a wireless DoS attack? Radio interference Improperly configured devices Rogue AP Malicious user
Rogue AP
Which two commands can be used to enable PortFast on a switch? (Choose two.) S1(config)# spanning-tree portfast default S1(config)# enable spanning-tree portfast default S1(config-line)# spanning-tree portfast S1(config-if)# spanning-tree portfast S1(config-if)# enable spanning-tree portfast
S1(config)# spanning-tree portfast default S1(config-if)# spanning-tree portfast
Which protocol could be used by a company to monitor devices such as a wireless LAN controller (WLC)? SNMP SSH PAT NTP
SNMP
Which parameter is commonly used to identify a wireless network name when a home wireless AP is being configured? ad hoc ESS BESS SSID
SSID
A threat actor sends a BPDU message with priority 0. What type of attack is this? Address spoofing ARP spoofing CDP reconnaissance DHCP starvation STP attack VLAN hopping
STP attack
What would be the primary reason a threat actor would launch a MAC address overflow attack? -So that the threat actor can see frames that are destined for other devices. -So that the threat actor can execute arbitrary code on the switch. -So that the switch stops forwarding traffic. -So that legitimate hosts cannot obtain a MAC address.
So that the threat actor can see frames that are destined for other devices.
Users on an IEEE 802.11n network are complaining of slow speeds. The network administrator checks the AP and verifies it is operating properly. What can be done to improve the wireless performance in the network? Switch to an 802.11g AP. Change the authentication method on the AP. Split the wireless traffic between the 802.11n 2.4 GHz band and the 5 GHz band. Set the AP to mixed mode.
Split the wireless traffic between the 802.11n 2.4 GHz band and the 5 GHz band.
A wireless router is displaying the IP address of 192.168.0.1. What could this mean? The NAT function is not working on the wireless router. Dynamic IP address allocation has been configured on the router and is functioning correctly. The wireless router has been configured to use the frequencies on channel 1. The wireless router still has the factory default IP address.
The wireless router still has the factory default IP address.
A customer installs a wireless access point at home in the closet next to the kitchen. The customer mentions that the wireless communication performance seems degraded when the cordless phone or the microwave oven is in use. What is the possible reason for this degradation? The surge of electricity when a microwave oven is in use disrupts the operation of the access point. The access point is on the same electrical circuit as the phone base unit and microwave oven are. The cordless phone joins the WLAN and shares the available bandwidth. The access point is close to walls. The wireless signal is in the same radio frequency range as the household devices are in.
The wireless signal is in the same radio frequency range as the household devices are in.
True or False: An ESS is created when two or more BSSs need to be joined to support roaming clients. True False
True
True or False? In the 802.1X standard, the client attempting to access the network is referred to as the supplicant.
True
A threat actor configures a host with the 802.1Q protocol and forms a trunk with the connected switch. What type of attack is this? Address spoofing ARP spoofing CDP reconnaissance DHCP starvation STP attack VLAN hopping
VLAN hopping
What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol? ARP spoofing ARP poisoning VLAN hopping DHCP spoofing
VLAN hopping
Which devices are specifically designed for network security? (Choose three) VPN-enabled router NGFW Switch WLC NAC
VPN-enabled router NGFW NAC
Which of the following wireless networks are specified in the IEEE 802.11 standards for the 2.4 GHz and 5 GHz radio frequencies? WPAN WLAN WMAN WWAN
WLAN
Which method of wireless authentication is currently considered to be the strongest? shared key WEP WPA2 WPA open
WPA2
Which device monitors HTTP traffic to block access to risky sites and encrypt outgoing messages? NGFW ESA NAC WSA
WSA
Which three Cisco products focus on endpoint security solutions? (Choose three.) IPS Sensor Appliance Web Security Appliance Email Security Appliance SSL/IPsec VPN Appliance Adaptive Security Appliance NAC Appliance
Web Security Appliance Email Security Appliance NAC Appliance
When configuring a Cisco 3500 series wireless LAN controller (WLC) for a WPA2 Enterprise WLAN, what has to be created on the WLC before creating the new WLAN? a security policy a VLAN for the wireless network a new SSID a security module
a VLAN for the wireless network
What is a DHCP scope as it relates to a WLAN configured on the WLC controller? a pool of IP addresses for WLAN clients the distance allotted for wireless clients that can receive IP addressing information security rules associated with DHCP for WLANs a corporate plan for allocation of IP addresses for wireless clients
a pool of IP addresses for WLAN clients
Which wireless network topology is being configured by a technician who is installing a keyboard, a mouse, and headphones, each of which uses Bluetooth? infrastructure mode mixed mode ad hoc mode hotspot
ad hoc mode
On what switch ports should PortFast be enabled to enhance STP stability? all trunk ports that are not root ports only ports that attach to a neighboring switch only ports that are elected as designated ports all end-user ports
all end-user ports
What three services are provided by the AAA framework? (Choose three.) authentication autoconfiguration autobalancing accounting authorization automation
authentication accounting authorization
Because of implemented security controls, a user can only access a server with FTP. Which AAA component accomplishes this? auditing accounting authentication accessibility authorization
authorization
What Wi-Fi management frame is regularly broadcast by APs to announce their presence? authentication probe association beacon
beacon
In the context of mobile devices, what does the term tethering involve? connecting a mobile device to a USB port on a computer in order to charge the mobile device connecting a mobile device to a hands-free headset connecting a mobile device to another mobile device or computer to share a network connection connecting a mobile device to a 4G cellular network
connecting a mobile device to another mobile device or computer to share a network connection
A network administrator is configuring DAI on a switch. Which command should be used on the uplink interface that connects to a router? ip arp inspection trust ip dhcp snooping spanning-tree portfast ip arp inspection vlan
ip arp inspection trust
A network administrator is configuring DHCP snooping on a switch. Which configuration command should be used first? ip dhcp snooping limit rate ip dhcp snooping ip dhcp snooping vlan ip dhcp snooping trust
ip dhcp snooping
Which characteristic describes a wireless client operating in active mode? must know the SSID to connect to an AP broadcasts probes that request the SSID must be configured for security before attaching to an AP ability to dynamically change channels
must know the SSID to connect to an AP
Which security feature should be enabled in order to prevent an attacker from overflowing the MAC address table of a switch? root guard BPDU filter port security storm control
port security
Which two features on a Cisco Catalyst switch can be used to mitigate DHCP starvation and DHCP spoofing attacks? (Choose two.) port security DHCP snooping strong password on DHCP servers extended ACL DHCP server failover
port security DHCP snooping
When a wireless network in a small office is being set up, which type of IP addressing is typically used on the networked devices? wireless private network public
private
Which type of telecommunication technology is used to provide Internet access to vessels at sea? cellular satellite municipal WiFi WiMax
satellite
Which command would be best to use on an unused switch port if a company adheres to the best practices as recommended by Cisco? ip dhcp snooping switchport port-security mac-address sticky mac-address shutdown switchport port-security mac-address sticky switchport port-security violation shutdown
shutdown
Why would a technician configure a passphrase for a WLAN on a wireless router? to configure wireless client authentication to protect someone from cabling directly to the router and accessing the router to protect the SSID from being changed to protect someone from changing the configuration
to configure wireless client authentication
What are the best ways to secure WLANs? (Choose two.) Authentication SSID cloaking Encryption MAC address filtering
Authentication Encryption
In an 802.1X implementation, which device is responsible for relaying responses? Supplicant Authenticator Router Authentication server Client
Authenticator
Which AAA component is responsible for determining what the user can access? Authentication Authorization Accounting
Authorization
What two protocols are supported on Cisco devices for AAA communications? (Choose two.) LLDP VTP RADIUS TACACS+ HSRP
-RADIUS -TACACS+
What UDP ports and IP protocols are used by CAPWAP for IPv4? (Choose three.) 17 136 5246 5247 802.11
17 5246 5247
Which of the following is a standalone device, like a home router, where the entire WLAN configuration resides on the device? Range extender Autonomous AP Controller-based AP USB Wireless NIC
Autonomous AP
A threat actor leases all the available IP addresses on a subnet. What type of attack is this? Address spoofing ARP spoofing CDP reconnaissance DHCP starvation STP attack VLAN hopping
DHCP starvation
Which Layer 2 attack will result in legitimate users not getting valid IP addresses? IP address spoofing MAC address flooding DHCP starvation ARP spoofing
DHCP starvation
Which of the following modulation techniques spreads a signal over a larger frequency band? DSSS FHSS OFDM OFDMA
DSSS
What is the best way to prevent a VLAN hopping attack? Use ISL encapsulation on all trunk links. Disable STP on all nontrunk ports. Use VLAN 1 as the native VLAN on trunk ports. Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports.
Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports.
Which device monitors SMTP traffic to block threats and encrypt outgoing messages to prevent data loss? NGFW ESA NAC WSA
ESA
Which type of wireless topology is created when two or more Basic Service Sets are interconnected by Ethernet? IBISS ESS WiFi Direct BSS ad hoc WLAN
ESS
Which three Cisco products focus on endpoint security solutions? (Choose three.) Email Security Appliance IPS Sensor Appliance NAC Appliance SSL/IPsec VPN Appliance Web Security Appliance Adaptive Security Appliance
Email Security Appliance NAC Appliance Web Security Appliance
Which procedure is recommended to mitigate the chances of ARP spoofing? Enable DHCP snooping on selected VLANs. Enable port security globally. Enable IP Source Guard on trusted ports. Enable DAI on the management VLAN.
Enable DHCP snooping on selected VLANs
What mitigation plan is best for thwarting a DoS attack that is creating a MAC address table overflow? Place unused ports in an unused VLAN. Enable port security. Disable DTP. Disable STP.
Enable port security
Which two roles are typically performed by a wireless router that is used in a home or small business? (Choose two.) WLAN controller repeater Ethernet switch access point RADIUS authentication server
Ethernet switch access point
Which of the following modulation techniques rapidly switches a signal among frequency channels? DSSS FHSS OFDM OFDMA
FHSS
True or False: A rogue AP is a misconfigured AP connected to the network and a possible source of DoS attacks. True False
False
True or False: DTLS is enabled by default on the control and data CAPWAP tunnels. True False
False
True or False: Laptops that do not have an integrated wireless NIC can only be attached to the network through a wired connection. True False
False
True or False: When you need to expand the coverage of a small network, the best solution is to use a range extender. True False
False
Which Cisco solution helps prevent MAC and IP address spoofing attacks? Dynamic ARP Inspection DHCP Snooping IP Source Guard Port Security
IP Source Guard
Which of the following mitigation techniques prevents MAC and IP address spoofing? IPSG DHCP snooping DAI Port security
IPSG
What IP versions does CAPWAP support? IPv4 only IPv6 only IPv4 by default, but can configure IPv6 IPv6 by default, but can configure IPv4
IPv4 by default, but can configure IPv6
Which standards organization is responsible for allocating radio frequencies? IEEE ITU-R Wi-Fi Alliance
ITU-R
Which of the following mitigation techniques prevents many types of attacks including MAC address table overflow and DHCP starvation attacks? IPSG DHCP snooping DAI Port security
Port security
Which of the following authentication methods has the user enter a pre-shared password? (Choose two) Open WPA Personal WPA Enterprise WPA2 Personal WPA2 Enterprise
WPA Personal WPA2 Personal
Which of the following wireless networks typically uses lower powered transmitters for short ranges? WPAN WLAN WMAN WWAN
WPAN
What is involved in an IP address spoofing attack? -A legitimate network IP address is hijacked by a rogue node. -Bogus DHCPDISCOVER messages are sent to consume all the available IP addresses on a DHCP server. -A rogue DHCP server provides false IP configuration parameters to legitimate DHCP clients. -A rogue node replies to an ARP request with its own MAC address indicated for the target IP address.
-A legitimate network IP address is hijacked by a rogue node
In the split MAC architecture for CAPWAP, which of the following are the responsibility of the WLC? (Choose four.) -Authentication -Packet acknowledgments and retransmissions -Beacons and probe responses -Association and re-association of roaming clients -MAC layer data encryption and decryption -Termination of 802.11 traffic on a wired interface -Frame translation to other protocols -Frame queueing and packet prioritization
-Authentication -Association and re-association of roaming clients -Termination of 802.11 traffic on a wired interface -Frame translation to other protocols
Which of the following statements are true about modes of operation for a FlexConnect AP? (Choose two.) -In connect mode, the WLC is unreachable and the AP switches local traffic and performs client authentication locally. -In standalone mode, the WLC is unreachable and the AP switches local traffic and performs client authentication locally. -In connect mode, the WLC is reachable and performs all its CAPWAP functions. -In standalone mode, the WLC is reachable and performs all its CAPWAP functions
-In standalone mode, the WLC is unreachable and the AP switches local traffic and performs client authentication locally. -In connect mode, the WLC is reachable and performs all its CAPWAP functions.
An administrator who is troubleshooting connectivity issues on a switch notices that a switch port configured for port security is in the err-disabled state. After verifying the cause of the violation, how should the administrator re-enable the port without disrupting network operation? -Reboot the switch. -Issue the no switchport port-security command, then re-enable port security. -Issue the no switchport port-security violation shutdown command on the interface. -Issue the shutdown command followed by the no shutdown command on the interface.
-Issue the shutdown command followed by the no shutdown command on the interface.
How many address fields are in the 802.11 wireless frame? 2 3 4 5
4
Which protocol and port numbers are used by both IPv4 and IPv6 CAPWAP tunnels? (Choose two.) 5246 and 5247 UDP ICMP 17 and 163 TCP
5246 and 5427 UDP
If three 802.11b access points need to be deployed in close proximity, which three frequency channels should be used? (Choose three.) 6 8 3 5 11 1
6 2 1
Which 802.11 standards exclusively use the 5 GHz radio frequency? (Choose 2) 802.11a 802.11g 802.11n 802.11ac 802.11ax
802.11a 802.11ac
What is the purpose of AAA accounting? to determine which operations the user can perform to determine which resources the user can access to collect and report application usage to prove users are who they say they are
to collect and report application usage
What are two types of switch ports that are used on Cisco switches as part of the defense against DHCP spoofing attacks? (Choose two.) unauthorized port trusted DHCP port unknown port established DHCP port untrusted port authorized DHCP port
trusted DHCP port untrusted port
In the split MAC architecture for CAPWAP, which of the following are the responsibility of the AP? (Choose four.) -Authentication -Packet acknowledgments and retransmissions -Beacons and probe responses -Association and re-association of roaming clients -MAC layer data encryption and decryption -Termination of 802.11 traffic on a wired interface -Frame translation to other protocols -Frame queueing and packet prioritization
-Packet acknowledgments and retransmissions -Beacons and probe responses -MAC layer data encryption and decryption -Frame queueing and packet prioritization
What is the behavior of a switch as a result of a successful MAC address table attack? -The switch will shut down. -The switch interfaces will transition to the error-disabled state. -The switch will forward all received frames to all other ports within the VLAN. -The switch will drop all received frames.
-The switch will forward all received frames to all other ports within the VLAN.
Which of the following mitigation techniques are used to protect Layer 3 through Layer 7 of the OSI Model? (Choose three.) DHCP snooping VPN Firewalls IPSG IPS devices
-VPN -Firewalls -IPS devices
A network administrator is configuring DAI on a switch with the command ip arp inspection validate dst-mac. What is the purpose of this configuration command? -to check the destination MAC address in the Ethernet header against the source MAC address in the ARP body -to check the destination MAC address in the Ethernet header against the user-configured ARP ACLs -to check the destination MAC address in the Ethernet header against the MAC address table -to check the destination MAC address in the Ethernet header against the target MAC address in the ARP body
-to check the destination MAC address in the Ethernet header against the target MAC address in the ARP body
How many channels are available for the 2.4 GHz band in Europe? 11 13 14 24
13
What UDP ports and IP protocols are used by CAPWAP for IPv6? (Choose three.) 17 136 5246 5247 802.11
136 5246 5247
How many channels are available for the 5 GHz band? 11 13 14 24
24
Which statement describes an autonomous access point? It is used for networks that require a large number of access points. It is managed by a WLAN controller. It is server-dependent. It is a standalone access point.
It is a standalone access point
Why is authentication with AAA preferred over a local database method? It requires a login and password combination on the console, vty lines, and aux ports. It specifies a different password for each line or port. It uses less network bandwidth. It provides a fallback authentication method if the administrator forgets the username or password.
It provides a fallback authentication method if the administrator forgets the username or password.
When security is a concern, which OSI Layer is considered to be the weakest link in a network system? Layer 4 Layer 2 Layer 7 Layer 3
Layer 2
Which Layer 2 attack will result in a switch flooding incoming frames to all ports? Spanning Tree Protocol manipulation ARP poisoning IP address spoofing MAC address overflow
MAC address overflow