CCNA Sem 2 Module 10-13

Which IEEE standard operates at wireless frequencies in both the 5 GHz and 2.4 GHz ranges? 802.11b 802.11a 802.11n 802.11g

802.11n

Which of the following encryption methods uses CCMP to recognize if the encrypted and non-encrypted bits have been altered? RC4 TKIP AES

AES

A threat actor sends a message that causes all other devices to believe the MAC address of the threat actor's device is the default gateway. What type of attack is this? Address spoofing ARP spoofing CDP reconnaissance DHCP starvation STP attack VLAN hopping

ARP spoofing

Which of the following components are integrated in a wireless home router? (Choose three.) Access point Switch Router Range extender

Access Point Switch Router Range extender

Which AAA component is responsible for collecting and reporting usage data for auditing and billing purposes? Authentication Authorization Accounting

Accounting

What is the term for an AP that does not send a beacon, but waits for clients to send probes? Active Infrastructure Ad hoc Passive

Active

Which wireless topology mode is used by two devices to connect in a peer-to-peer network? Ad hoc Infrastructure Tethering

Ad hoc

A threat actor changes the MAC address of the threat actor's device to the MAC address of the default gateway. What type of attack is this? Address spoofing ARP spoofing CDP reconnaissance DHCP starvation STP attack VLAN hopping

Address spoofing

What is a recommended best practice when dealing with the native VLAN? Assign it to an unused VLAN. Use port security. Assign the same VLAN number as the management VLAN. Turn off DTP.

Assign it to an unused VLAN

Which AAA component is responsible for controlling who is permitted to access the network? Authentication Authorization Accounting

Authentication

Which of the following is an IEEE 802.15 WPAN standard that uses a device-pairing process to communicate? Cellular WiMAX Wi-Fi Bluetooth

Bluetooth

What two protocols are supported on Cisco devices for AAA communications? (Choose two.) LLDP VTP RADIUS TACACS+ HSRP

CDP

A threat actor discovers the IOS version and IP addresses of the local switch. What type of attack is this? Address spoofing ARP spoofing CDP reconnaissance DHCP starvation STP attack VLAN hopping

CDP reconnaissance

A user has just purchased a generic home router and would like to secure it. What should be done to help secure the wireless home router? Allow only IPv6 traffic to enter the router. Set a private IPv4 network for the internal network. Change the default administrator password. Change the default SSID.

Change the default administrator password

What is a difference between autonomous APs that operate in a home environment and controller-based APs that operate in a corporate environment? Autonomous APs do not support PoE. Controller-based APs can be automatically configured and managed by a WLAN controller. Autonomous APs incorporate the functions of a router, switch, and AP into one device.​ Controller-based APs are known as lightweight APs and require an initial configuration to operate.

Controller-based APs can be automatically configured and managed by a WLAN controller.

Which of the following mitigation techniques prevents ARP spoofing and ARP poisoning attacks? IPSG DHCP snooping DAI Port security

DAI

Which of the following mitigation techniques prevents DHCP starvation and DHCP spoofing attacks? IPSG DHCP snooping DAI Port security

DHCP snooping

Which Layer 2 attack will result in legitimate users not getting valid IP addresses? ARP spoofing DHCP starvation IP address spoofing MAC address flooding

DHCP starvation

A user is configuring a wireless access point and wants to prevent any neighbors from discovering the network. What action does the user need to take? Enable WPA encryption. Configure a DNS server. Configure DMZ settings. Disable SSID broadcast.

Disable SSID broadcast

What mitigation plan is best for thwarting a DoS attack that is creating a MAC address table overflow? Disable DTP. Disable STP. Enable port security. Place unused ports in an unused VLAN.

Enable port security.

A laptop cannot connect to a wireless access point. Which two troubleshooting steps should be taken first? (Choose two.) Ensure that the NIC is configured for the proper frequency. Ensure that the wireless SSID is chosen. Ensure that the laptop antenna is attached. Ensure that the wireless NIC is enabled. Ensure that the correct network media is selected.

Ensure that the wireless SSID is chosen. Ensure that the wireless NIC is enabled.

Which feature of 802.11n wireless access points allows them to transmit data at faster speeds than previous versions of 802.11 Wi-Fi standards did? MIMO WPS MITM SPS

MIMO

What type of attack is an "evil twin AP" attack? DoS MITM Wireless intruder Radio interference

MITM (man in the middle)

Which WLC tab would a network administrator typically use to see a summary view of the most heavily used WLANs including the number of clients using a particular WLAN? WLANs Controller Monitor Commands

Monitor

In setting up a small office network, the network administrator decides to assign private IP addresses dynamically to workstations and mobile devices. Which feature must be enabled on the company router in order for office devices to access the internet? MAC filtering NAT QoS UPnP

NAT

Which of the following modulation techniques is used in the new 802.11ax standard? DSSS FHSS OFDM OFDMA

OFDMA

Which of the following antennas provide 360 degrees of coverage? Wireless NIC Directional Omnidirectional MIMO

Omnidirectional

Which of the following authentication methods does not use a password shared between the wireless client and the AP? WEP WPA WPA2 WPA3 Open

Open

What is the term for an AP that openly advertises its service periodically? Active Infrastructure Ad hoc Passive

Passive

What mitigation technique must be implemented to prevent MAC address overflow attacks? IPSG DAI Port security DHCP snooping

Port security

What functionality is required on routers to provide remote workers with VoIP and videoconferencing capabilities? PPPoE VPN QoS IPsec

QoS

In a server-based AAA implementation, which protocol will allow the router to successfully communicate with the AAA server? RADIUS SSH TACACS​ 802.1x

RADIUS

Where are dynamically learned MAC addresses stored when sticky learning is enabled with the switchport port-security mac-address sticky command? flash ROM RAM NVRAM

RAM

Which encryption method is used by the original 802.11 specification? AES TKIP AES or TKIP RC4

RC4

Which attack encrypts the data on hosts in an attempt to extract a monetary payment from the victim? DDoS Data breach Malware Ransomware

Ransomware

Which of the following is most likely NOT the source of a wireless DoS attack? Radio interference Improperly configured devices Rogue AP Malicious user

Rogue AP

Which two commands can be used to enable PortFast on a switch? (Choose two.) S1(config)# spanning-tree portfast default S1(config)# enable spanning-tree portfast default S1(config-line)# spanning-tree portfast S1(config-if)# spanning-tree portfast S1(config-if)# enable spanning-tree portfast

S1(config)# spanning-tree portfast default S1(config-if)# spanning-tree portfast

Which protocol could be used by a company to monitor devices such as a wireless LAN controller (WLC)? SNMP SSH PAT NTP

SNMP

Which parameter is commonly used to identify a wireless network name when a home wireless AP is being configured? ad hoc ESS BESS SSID

SSID

A threat actor sends a BPDU message with priority 0. What type of attack is this? Address spoofing ARP spoofing CDP reconnaissance DHCP starvation STP attack VLAN hopping

STP attack

What would be the primary reason a threat actor would launch a MAC address overflow attack? -So that the threat actor can see frames that are destined for other devices. -So that the threat actor can execute arbitrary code on the switch. -So that the switch stops forwarding traffic. -So that legitimate hosts cannot obtain a MAC address.

So that the threat actor can see frames that are destined for other devices.

Users on an IEEE 802.11n network are complaining of slow speeds. The network administrator checks the AP and verifies it is operating properly. What can be done to improve the wireless performance in the network? Switch to an 802.11g AP. Change the authentication method on the AP. Split the wireless traffic between the 802.11n 2.4 GHz band and the 5 GHz band. Set the AP to mixed mode.

Split the wireless traffic between the 802.11n 2.4 GHz band and the 5 GHz band.

A wireless router is displaying the IP address of 192.168.0.1. What could this mean? The NAT function is not working on the wireless router. Dynamic IP address allocation has been configured on the router and is functioning correctly. The wireless router has been configured to use the frequencies on channel 1. The wireless router still has the factory default IP address.

The wireless router still has the factory default IP address.

A customer installs a wireless access point at home in the closet next to the kitchen. The customer mentions that the wireless communication performance seems degraded when the cordless phone or the microwave oven is in use. What is the possible reason for this degradation? The surge of electricity when a microwave oven is in use disrupts the operation of the access point. The access point is on the same electrical circuit as the phone base unit and microwave oven are. The cordless phone joins the WLAN and shares the available bandwidth. The access point is close to walls. The wireless signal is in the same radio frequency range as the household devices are in.

The wireless signal is in the same radio frequency range as the household devices are in.

True or False: An ESS is created when two or more BSSs need to be joined to support roaming clients. True False

True

True or False? In the 802.1X standard, the client attempting to access the network is referred to as the supplicant.

True

A threat actor configures a host with the 802.1Q protocol and forms a trunk with the connected switch. What type of attack is this? Address spoofing ARP spoofing CDP reconnaissance DHCP starvation STP attack VLAN hopping

VLAN hopping

What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol? ARP spoofing ARP poisoning VLAN hopping DHCP spoofing

VLAN hopping

Which devices are specifically designed for network security? (Choose three) VPN-enabled router NGFW Switch WLC NAC

VPN-enabled router NGFW NAC

Which of the following wireless networks are specified in the IEEE 802.11 standards for the 2.4 GHz and 5 GHz radio frequencies? WPAN WLAN WMAN WWAN

WLAN

Which method of wireless authentication is currently considered to be the strongest? shared key WEP WPA2 WPA open

WPA2

Which device monitors HTTP traffic to block access to risky sites and encrypt outgoing messages? NGFW ESA NAC WSA

WSA

Which three Cisco products focus on endpoint security solutions? (Choose three.) IPS Sensor Appliance Web Security Appliance Email Security Appliance SSL/IPsec VPN Appliance Adaptive Security Appliance NAC Appliance

Web Security Appliance Email Security Appliance NAC Appliance

When configuring a Cisco 3500 series wireless LAN controller (WLC) for a WPA2 Enterprise WLAN, what has to be created on the WLC before creating the new WLAN? a security policy a VLAN for the wireless network a new SSID a security module

a VLAN for the wireless network

What is a DHCP scope as it relates to a WLAN configured on the WLC controller? a pool of IP addresses for WLAN clients the distance allotted for wireless clients that can receive IP addressing information security rules associated with DHCP for WLANs a corporate plan for allocation of IP addresses for wireless clients

a pool of IP addresses for WLAN clients

Which wireless network topology is being configured by a technician who is installing a keyboard, a mouse, and headphones, each of which uses Bluetooth? infrastructure mode mixed mode ad hoc mode hotspot

ad hoc mode

On what switch ports should PortFast be enabled to enhance STP stability? all trunk ports that are not root ports only ports that attach to a neighboring switch only ports that are elected as designated ports all end-user ports

all end-user ports

What three services are provided by the AAA framework? (Choose three.) authentication autoconfiguration autobalancing accounting authorization automation

authentication accounting authorization

Because of implemented security controls, a user can only access a server with FTP. Which AAA component accomplishes this? auditing accounting authentication accessibility authorization

authorization

What Wi-Fi management frame is regularly broadcast by APs to announce their presence? authentication probe association beacon

beacon

In the context of mobile devices, what does the term tethering involve? connecting a mobile device to a USB port on a computer in order to charge the mobile device connecting a mobile device to a hands-free headset connecting a mobile device to another mobile device or computer to share a network connection connecting a mobile device to a 4G cellular network

connecting a mobile device to another mobile device or computer to share a network connection

A network administrator is configuring DAI on a switch. Which command should be used on the uplink interface that connects to a router? ip arp inspection trust ip dhcp snooping spanning-tree portfast ip arp inspection vlan

ip arp inspection trust

A network administrator is configuring DHCP snooping on a switch. Which configuration command should be used first? ip dhcp snooping limit rate ip dhcp snooping ip dhcp snooping vlan ip dhcp snooping trust

ip dhcp snooping

Which characteristic describes a wireless client operating in active mode? must know the SSID to connect to an AP broadcasts probes that request the SSID must be configured for security before attaching to an AP ability to dynamically change channels

must know the SSID to connect to an AP

Which security feature should be enabled in order to prevent an attacker from overflowing the MAC address table of a switch? root guard BPDU filter port security storm control

port security

Which two features on a Cisco Catalyst switch can be used to mitigate DHCP starvation and DHCP spoofing attacks? (Choose two.) port security DHCP snooping strong password on DHCP servers extended ACL DHCP server failover

port security DHCP snooping

When a wireless network in a small office is being set up, which type of IP addressing is typically used on the networked devices? wireless private network public

private

Which type of telecommunication technology is used to provide Internet access to vessels at sea? cellular satellite municipal WiFi WiMax

satellite

Which command would be best to use on an unused switch port if a company adheres to the best practices as recommended by Cisco? ip dhcp snooping switchport port-security mac-address sticky mac-address shutdown switchport port-security mac-address sticky switchport port-security violation shutdown

shutdown

Why would a technician configure a passphrase for a WLAN on a wireless router? to configure wireless client authentication to protect someone from cabling directly to the router and accessing the router to protect the SSID from being changed to protect someone from changing the configuration

to configure wireless client authentication

What are the best ways to secure WLANs? (Choose two.) Authentication SSID cloaking Encryption MAC address filtering

Authentication Encryption

In an 802.1X implementation, which device is responsible for relaying responses? Supplicant Authenticator Router Authentication server Client

Authenticator

Which AAA component is responsible for determining what the user can access? Authentication Authorization Accounting

Authorization

What two protocols are supported on Cisco devices for AAA communications? (Choose two.) LLDP VTP RADIUS TACACS+ HSRP

-RADIUS -TACACS+

What UDP ports and IP protocols are used by CAPWAP for IPv4? (Choose three.) 17 136 5246 5247 802.11

17 5246 5247

Which of the following is a standalone device, like a home router, where the entire WLAN configuration resides on the device? Range extender Autonomous AP Controller-based AP USB Wireless NIC

Autonomous AP

A threat actor leases all the available IP addresses on a subnet. What type of attack is this? Address spoofing ARP spoofing CDP reconnaissance DHCP starvation STP attack VLAN hopping

DHCP starvation

Which Layer 2 attack will result in legitimate users not getting valid IP addresses? IP address spoofing MAC address flooding DHCP starvation ARP spoofing

DHCP starvation

Which of the following modulation techniques spreads a signal over a larger frequency band? DSSS FHSS OFDM OFDMA

DSSS

What is the best way to prevent a VLAN hopping attack? Use ISL encapsulation on all trunk links. Disable STP on all nontrunk ports. Use VLAN 1 as the native VLAN on trunk ports. Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports.

Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports.

Which device monitors SMTP traffic to block threats and encrypt outgoing messages to prevent data loss? NGFW ESA NAC WSA

ESA

Which type of wireless topology is created when two or more Basic Service Sets are interconnected by Ethernet? IBISS ESS WiFi Direct BSS ad hoc WLAN

ESS

Which three Cisco products focus on endpoint security solutions? (Choose three.) Email Security Appliance IPS Sensor Appliance NAC Appliance SSL/IPsec VPN Appliance Web Security Appliance Adaptive Security Appliance

Email Security Appliance NAC Appliance Web Security Appliance

Which procedure is recommended to mitigate the chances of ARP spoofing? Enable DHCP snooping on selected VLANs. Enable port security globally. Enable IP Source Guard on trusted ports. Enable DAI on the management VLAN.

Enable DHCP snooping on selected VLANs

What mitigation plan is best for thwarting a DoS attack that is creating a MAC address table overflow? Place unused ports in an unused VLAN. Enable port security. Disable DTP. Disable STP.

Enable port security

Which two roles are typically performed by a wireless router that is used in a home or small business? (Choose two.) WLAN controller repeater Ethernet switch access point RADIUS authentication server

Ethernet switch access point

Which of the following modulation techniques rapidly switches a signal among frequency channels? DSSS FHSS OFDM OFDMA

FHSS

True or False: A rogue AP is a misconfigured AP connected to the network and a possible source of DoS attacks. True False

False

True or False: DTLS is enabled by default on the control and data CAPWAP tunnels. True False

False

True or False: Laptops that do not have an integrated wireless NIC can only be attached to the network through a wired connection. True False

False

True or False: When you need to expand the coverage of a small network, the best solution is to use a range extender. True False

False

Which Cisco solution helps prevent MAC and IP address spoofing attacks? Dynamic ARP Inspection DHCP Snooping IP Source Guard Port Security

IP Source Guard

Which of the following mitigation techniques prevents MAC and IP address spoofing? IPSG DHCP snooping DAI Port security

IPSG

What IP versions does CAPWAP support? IPv4 only IPv6 only IPv4 by default, but can configure IPv6 IPv6 by default, but can configure IPv4

IPv4 by default, but can configure IPv6

Which standards organization is responsible for allocating radio frequencies? IEEE ITU-R Wi-Fi Alliance

ITU-R

Which of the following mitigation techniques prevents many types of attacks including MAC address table overflow and DHCP starvation attacks? IPSG DHCP snooping DAI Port security

Port security

Which of the following authentication methods has the user enter a pre-shared password? (Choose two) Open WPA Personal WPA Enterprise WPA2 Personal WPA2 Enterprise

WPA Personal WPA2 Personal

Which of the following wireless networks typically uses lower powered transmitters for short ranges? WPAN WLAN WMAN WWAN

WPAN

What is involved in an IP address spoofing attack? -A legitimate network IP address is hijacked by a rogue node. -Bogus DHCPDISCOVER messages are sent to consume all the available IP addresses on a DHCP server. -A rogue DHCP server provides false IP configuration parameters to legitimate DHCP clients. -A rogue node replies to an ARP request with its own MAC address indicated for the target IP address.

-A legitimate network IP address is hijacked by a rogue node

In the split MAC architecture for CAPWAP, which of the following are the responsibility of the WLC? (Choose four.) -Authentication -Packet acknowledgments and retransmissions -Beacons and probe responses -Association and re-association of roaming clients -MAC layer data encryption and decryption -Termination of 802.11 traffic on a wired interface -Frame translation to other protocols -Frame queueing and packet prioritization

-Authentication -Association and re-association of roaming clients -Termination of 802.11 traffic on a wired interface -Frame translation to other protocols

Which of the following statements are true about modes of operation for a FlexConnect AP? (Choose two.) -In connect mode, the WLC is unreachable and the AP switches local traffic and performs client authentication locally. -In standalone mode, the WLC is unreachable and the AP switches local traffic and performs client authentication locally. -In connect mode, the WLC is reachable and performs all its CAPWAP functions. -In standalone mode, the WLC is reachable and performs all its CAPWAP functions

-In standalone mode, the WLC is unreachable and the AP switches local traffic and performs client authentication locally. -In connect mode, the WLC is reachable and performs all its CAPWAP functions.

An administrator who is troubleshooting connectivity issues on a switch notices that a switch port configured for port security is in the err-disabled state. After verifying the cause of the violation, how should the administrator re-enable the port without disrupting network operation? -Reboot the switch. -Issue the no switchport port-security command, then re-enable port security. -Issue the no switchport port-security violation shutdown command on the interface. -Issue the shutdown command followed by the no shutdown command on the interface.

-Issue the shutdown command followed by the no shutdown command on the interface.

How many address fields are in the 802.11 wireless frame? 2 3 4 5

4

Which protocol and port numbers are used by both IPv4 and IPv6 CAPWAP tunnels? (Choose two.) 5246 and 5247 UDP ICMP 17 and 163 TCP

5246 and 5427 UDP

If three 802.11b access points need to be deployed in close proximity, which three frequency channels should be used? (Choose three.) 6 8 3 5 11 1

6 2 1

Which 802.11 standards exclusively use the 5 GHz radio frequency? (Choose 2) 802.11a 802.11g 802.11n 802.11ac 802.11ax

802.11a 802.11ac

What is the purpose of AAA accounting? to determine which operations the user can perform to determine which resources the user can access to collect and report application usage to prove users are who they say they are

to collect and report application usage

What are two types of switch ports that are used on Cisco switches as part of the defense against DHCP spoofing attacks? (Choose two.) unauthorized port trusted DHCP port unknown port established DHCP port untrusted port authorized DHCP port

trusted DHCP port untrusted port

In the split MAC architecture for CAPWAP, which of the following are the responsibility of the AP? (Choose four.) -Authentication -Packet acknowledgments and retransmissions -Beacons and probe responses -Association and re-association of roaming clients -MAC layer data encryption and decryption -Termination of 802.11 traffic on a wired interface -Frame translation to other protocols -Frame queueing and packet prioritization

-Packet acknowledgments and retransmissions -Beacons and probe responses -MAC layer data encryption and decryption -Frame queueing and packet prioritization

What is the behavior of a switch as a result of a successful MAC address table attack? -The switch will shut down. -The switch interfaces will transition to the error-disabled state. -The switch will forward all received frames to all other ports within the VLAN. -The switch will drop all received frames.

-The switch will forward all received frames to all other ports within the VLAN.

Which of the following mitigation techniques are used to protect Layer 3 through Layer 7 of the OSI Model? (Choose three.) DHCP snooping VPN Firewalls IPSG IPS devices

-VPN -Firewalls -IPS devices

A network administrator is configuring DAI on a switch with the command ip arp inspection validate dst-mac. What is the purpose of this configuration command? -to check the destination MAC address in the Ethernet header against the source MAC address in the ARP body -to check the destination MAC address in the Ethernet header against the user-configured ARP ACLs -to check the destination MAC address in the Ethernet header against the MAC address table -to check the destination MAC address in the Ethernet header against the target MAC address in the ARP body

-to check the destination MAC address in the Ethernet header against the target MAC address in the ARP body

How many channels are available for the 2.4 GHz band in Europe? 11 13 14 24

13

What UDP ports and IP protocols are used by CAPWAP for IPv6? (Choose three.) 17 136 5246 5247 802.11

136 5246 5247

How many channels are available for the 5 GHz band? 11 13 14 24

24

Which statement describes an autonomous access point? It is used for networks that require a large number of access points. It is managed by a WLAN controller. It is server-dependent. It is a standalone access point.

It is a standalone access point

Why is authentication with AAA preferred over a local database method? It requires a login and password combination on the console, vty lines, and aux ports.​ It specifies a different password for each line or port. It uses less network bandwidth. It provides a fallback authentication method if the administrator forgets the username or password.

It provides a fallback authentication method if the administrator forgets the username or password.

When security is a concern, which OSI Layer is considered to be the weakest link in a network system?​ Layer 4 Layer 2 Layer 7 Layer 3

Layer 2

Which Layer 2 attack will result in a switch flooding incoming frames to all ports? Spanning Tree Protocol manipulation ARP poisoning IP address spoofing MAC address overflow

MAC address overflow