Chapter 6: Securing the Local-Area Network
How can a user connect to the Cisco Cloud Web Security service directly?
  a. by establishing a VPN connection with the Cisco CWS
  b. by using a proxy autoconfiguration file in the end device
  c. by accessing a Cisco CWS server before visiting the destination web site
  d. through the connector that is integrated into any Layer 2 Cisco switch
Answer: b. by using a proxy autoconfiguration file in the end device

In what situation would a network administrator most likely implement root guard?
  a. on all switch ports (used or unused)
  b. on all switch ports that connect to host devices
  c. on all switch ports that connect to another switch
  d. on all switch ports that connect to a Layer 3 device
  e. on all switch ports that connect to another switch that is not the root bridge
Answer: e. on all switch ports that connect to another switch that is not the root bridge

Two devices that are connected to the same switch need to be totally isolated from one another. Which Cisco switch security feature will provide this isolation?
  a. BPDU guard
  b. DTP
  c. PVLAN Edge
  d. SPAN
Answer: c. PVLAN Edge. PVLAN Edge does not allow one device to see traffic that is generated by another device. Ports configured with the PVLAN Edge feature are also known as protected ports. The isolation holds only between protected ports on the same switch; protected ports on two different switches can still reach each other across the trunk, which is why the question specifies "the same switch".

What additional security measure must be enabled along with IP Source Guard to protect against address spoofing?
  a. DHCP snooping
  b. BPDU Guard
  c. root guard
  d. port security
Answer: a. DHCP snooping. IP Source Guard filters the traffic on untrusted ports against the DHCP snooping binding table (or static IP source bindings), so that table has to exist before the feature can do anything.

What are three techniques for mitigating VLAN hopping attacks? (Choose three.)
  a. Disable DTP.
  b. Enable trunking manually.
  c. Set the native VLAN to an unused VLAN.
  d. Enable BPDU guard.
  e. Enable Source Guard.
  f. Use private VLANs.
Answer: a, b, c. Disable DTP. Enable trunking manually. Set the native VLAN to an unused VLAN.

What component of Cisco NAC is responsible for performing deep inspection of device security profiles?
  a. Cisco NAC Agent
  b. Cisco NAC Server
  c. Cisco NAC Profiler
  d. Cisco NAC Manager
Answer: a. Cisco NAC Agent

What is the behavior of a switch as a result of a successful CAM table attack?
  a. The switch will forward all received frames to all other ports.
  b. The switch will shut down.
  c. The switch will drop all received frames.
  d. The switch interfaces will transition to the error-disabled state.
Answer: a. The switch will forward all received frames to all other ports. Once the table is full of bogus entries the switch can no longer learn the addresses of legitimate hosts, so frames destined to them are flooded out every port in the VLAN like a hub, and the attacker can capture traffic that a healthy switch would deliver only to the destination port.

What is the only type of port that an isolated port can forward traffic to on a private VLAN?
  a. a promiscuous port
  b. another isolated port
  c. any access port in the same PVLAN
  d. a community port
Answer: a. a promiscuous port

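The Cisco IOS configuration behind the two isolation answers above (the PVLAN Edge question and the isolated-port question), added here as an example; it is not part of the original quiz page. Part 1 uses protected ports, which only isolate hosts on the same switch; part 2 builds a full private VLAN with an isolated secondary VLAN so that hosts can reach nothing but the promiscuous port. Interface names and VLAN numbers are assumptions, and full private VLANs are not available on every platform (many access-layer switches offer only the protected-port feature).

```cisco
! --- Part 1: PVLAN Edge (protected ports), single switch ---
! Two protected ports never forward unicast, multicast or broadcast
! traffic directly to each other. Both can still reach unprotected
! ports (such as the uplink), and the isolation does not extend
! across a trunk to protected ports on another switch.
interface range FastEthernet0/1 - 2
 switchport mode access
 switchport access vlan 10
 switchport protected
!
! Verify: the output must show "Protected: true"
! show interfaces FastEthernet0/1 switchport
!
! --- Part 2: full private VLAN (primary 100, isolated secondary 101) ---
! Private VLANs require VTP transparent mode (or VTP version 3).
vtp mode transparent
!
vlan 101
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 101
!
! Host ports in the isolated VLAN: each may forward only to a
! promiscuous port, never to another isolated port.
interface range FastEthernet0/3 - 4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Promiscuous port (towards the default gateway): it is mapped to
! every secondary VLAN and therefore talks to all of the hosts.
interface GigabitEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Verify the primary/secondary mapping and the port roles
! show vlan private-vlan
! show interfaces GigabitEthernet0/1 switchport
```

Part 1 is what the "PVLAN Edge" answer refers to; part 2 is what the "isolated port" answer refers to. The two are often confused because of the shared name, but only part 2 creates real secondary VLANs that survive a trunk to a neighbouring switch.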
What is the role of the Cisco NAC Guest Server within the Cisco Borderless Network architecture?
  a. It provides post-connection monitoring of all endpoint devices.
  b. It performs deep inspection of device security profiles.
  c. It defines role-based user access and endpoint security policies.
  d. It provides the ability for creation and reporting of guest accounts.
Answer: d. It provides the ability for creation and reporting of guest accounts.

What is the role of the Cisco NAC Manager in implementing a secure networking infrastructure?
  a. to perform deep inspection of device security profiles
  b. to provide post-connection monitoring of all endpoint devices
  c. to define role-based user access and endpoint security policies
  d. to assess and enforce security policy compliance in the NAC environment
Answer: c. to define role-based user access and endpoint security policies

What is the role of the Cisco NAC Server within the Cisco Secure Borderless Network Architecture?
  a. providing the ability for company employees to create guest accounts
  b. assessing and enforcing security policy compliance in the NAC environment
  c. defining role-based user access and endpoint security policies
  d. providing post-connection monitoring of all endpoint devices
Answer: b. assessing and enforcing security policy compliance in the NAC environment

What network attack seeks to create a DoS for clients by preventing them from being able to obtain a DHCP lease?
  a. DHCP starvation
  b. DHCP spoofing
  c. IP address spoofing
  d. CAM table attack
Answer: a. DHCP starvation

What protocol should be disabled to help mitigate VLAN hopping attacks?
  a. DTP
  b. STP
  c. CDP
  d. ARP
Answer: a. DTP

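The three VLAN-hopping mitigations from the earlier question (disable DTP, trunk manually, move the native VLAN) put together in one Cisco IOS configuration. This is an added example, not from the original quiz page; port ranges, VLAN numbers and the hardware model are assumptions.

```cisco
! Weak default being fixed: a port left in "dynamic auto" or "dynamic
! desirable" forms a trunk with any device that sends DTP frames, and the
! default native VLAN 1 is also the default access VLAN, which is exactly
! what a double-tagged (802.1Q-in-802.1Q) frame abuses.
!
! 1. Host-facing ports: fixed access mode, DTP negotiation switched off
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! 2. Real trunks: configured by hand, DTP off, native VLAN moved to an
!    unused VLAN, and only the VLANs that are needed allowed through
vlan 999
 name UNUSED-NATIVE
!
interface GigabitEthernet0/1
 description trunk to distribution switch
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! 3. Unused ports: shut down and parked in a black-hole VLAN, never VLAN 1
vlan 998
 name BLACKHOLE
interface range FastEthernet0/25 - 48
 switchport mode access
 switchport access vlan 998
 shutdown
!
! Verify: every port must show "Administrative Mode: static access" or
! "trunk" together with "Negotiation of Trunking: Off"
! show interfaces GigabitEthernet0/1 switchport
! show interfaces trunk
```

On platforms that also support ISL, `switchport trunk encapsulation dot1q` has to precede `switchport mode trunk`; the native VLAN must be set to the same value on both ends of the trunk or the switch logs a native VLAN mismatch and blocks the port.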
What security benefit is gained from enabling BPDU guard on PortFast enabled interfaces?
  a. preventing rogue switches from being added to the network
  b. protecting against Layer 2 loops
  c. enforcing the placement of root bridges
  d. preventing buffer overflow attacks
Answer: a. preventing rogue switches from being added to the network

What security countermeasure is effective for preventing CAM table overflow attacks?
  a. port security
  b. DHCP snooping
  c. IP source guard
  d. Dynamic ARP Inspection
Answer: a. port security

What two mechanisms are used by Dynamic ARP inspection to validate ARP packets for IP addresses that are dynamically assigned or IP addresses that are static? (Choose two.)
  a. MAC-address-to-IP-address bindings
  b. ARP ACLs
  c. Source Guard
  d. IP ACLs
  e. RARP
Answer: a, b. MAC-address-to-IP-address bindings (learned by DHCP snooping, for dynamically assigned addresses) and ARP ACLs (for static addresses)

Which STP stability mechanism is used to prevent a rogue switch from becoming the root switch?
  a. root guard
  b. loop guard
  c. BPDU guard
  d. Source Guard
Answer: a. root guard

Which feature is part of the Antimalware Protection security solution?
  a. spam blocking
  b. data loss prevention
  c. file retrospection
  d. user authentication and authorization
Answer: c. file retrospection

Which mitigation technique would prevent rogue servers from providing false IP configuration parameters to clients?
  a. disabling CDP on edge ports
  b. implementing port-security on edge ports
  c. turning on DHCP snooping
  d. implementing port security
Answer: c. turning on DHCP snooping

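The DHCP snooping, IP Source Guard and Dynamic ARP Inspection answers above (and the DHCP starvation question) all rest on one binding table, so here they are configured together. This is an added example, not from the original quiz page; VLAN numbers, interface names, the static host address and its MAC are assumptions.

```cisco
! Step 1: DHCP snooping builds the binding table (MAC, IP, lease, VLAN,
! port) that IP Source Guard and DAI both check against.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Option 82 is inserted by default; leave it off unless the DHCP server
! or relay is configured to accept it, or requests may be dropped.
no ip dhcp snooping information option
!
! Only the uplink towards the legitimate DHCP server is trusted. OFFER
! and ACK messages arriving on any untrusted port (a rogue server) are
! dropped, which answers the "false IP configuration" question.
interface GigabitEthernet0/1
 description uplink to DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
! Step 2: Dynamic ARP Inspection on the same VLANs. ARP packets on
! untrusted ports must match a snooping binding (dynamic addresses).
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! Hosts with static addresses are never in the snooping table, so they
! are validated by an ARP ACL instead (the second DAI mechanism).
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.5 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Step 3: access ports. The DHCP rate limit blunts DHCP starvation
! (floods of DISCOVERs with random MACs), the ARP rate limit blunts ARP
! floods, and IP Source Guard drops packets whose source IP (and, with
! the port-security keyword, source MAC) is not in the binding table.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
 switchport port-security
 ip verify source port-security
!
! Ports err-disabled by either rate limit recover after five minutes
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Verify
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip verify source
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
```

Order matters: enable snooping and let clients renew their leases before turning on IP Source Guard or DAI, otherwise hosts that obtained an address before the binding table existed are cut off until they renew.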
Which security feature should be enabled in order to prevent an attacker from overflowing the MAC address table of a switch?
  a. BPDU filter
  b. port security
  c. storm control
  d. root guard
Answer: b. port security

Which spanning-tree enhancement prevents the spanning-tree topology from changing by blocking a port that receives a superior BPDU?
  a. BPDU filter
  b. BPDU guard
  c. root guard
  d. PortFast
Answer: c. root guard. The port is placed in the root-inconsistent (blocking) state for as long as superior BPDUs arrive and returns to service on its own once they stop, unlike BPDU guard, which err-disables the port on any BPDU at all.

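The STP protections asked about on this page (BPDU guard on PortFast ports, root guard on links to switches that must not become root, and where to place root guard) in one Cisco IOS configuration, added here as an example that is not part of the original quiz page. Priorities, interface names and the assumption that this is the distribution switch that should win the root election are mine.

```cisco
! Root bridge placement is deliberate: this switch is configured to win
! the election, so any other switch sending a better BPDU is rogue.
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 4096
!
! BPDU guard on every PortFast (host-facing) port. A BPDU on such a port
! means a switch was plugged in where only a host belongs; the port is
! put into err-disabled state, so the rogue switch never joins the
! topology.
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
interface range FastEthernet0/1 - 24
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Root guard on the ports that lead to other switches which must never
! become root (downlinks to the access layer). A superior BPDU moves the
! port to root-inconsistent (blocking); it recovers by itself once the
! superior BPDUs stop, so no manual reset is needed.
interface range GigabitEthernet0/1 - 2
 description downlinks to access switches
 spanning-tree guard root
!
! BPDU guard shutdowns are not self-healing; allow automatic recovery
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verify
! show spanning-tree summary
! show spanning-tree inconsistentports
! show errdisable recovery
```

Root guard is not put on the uplinks towards the real root (it would block them the moment the legitimate root advertised itself), which is why the placement answer earlier is "ports that connect to another switch that is not the root bridge" rather than every inter-switch port.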
Which three functions are provided under Cisco NAC framework solution? (Choose three.)
  a. AAA services
  b. VPN connection
  c. intrusion prevention
  d. secure connection to servers
  e. scanning for policy compliance
  f. remediation for noncompliant devices
Answer: a, e, f. AAA services; scanning for policy compliance; remediation for noncompliant devices

Which two functions are provided by Network Admission Control? (Choose two.)
  a. protecting a switch from MAC address table overflow attacks
  b. ensuring that only authenticated hosts can access the network
  c. stopping excessive broadcasts from disrupting network traffic
  d. enforcing network security policy for hosts that connect to the network
  e. limiting the number of MAC addresses that can be learned on a single switch port
Answer: b, d. Ensuring that only authenticated hosts can access the network; enforcing network security policy for hosts that connect to the network

The Fa0/2 interface on switch S1 has been configured with the switchport port-security mac-address 0023.189d.6456 command and a workstation has been connected. What could be the reason that the Fa0/2 interface is shutdown?
  a. The connection between S1 and PC1 is via a crossover cable.
  b. The Fa0/24 interface of S1 is configured with the same MAC address as the Fa0/2 interface.
  c. S1 has been configured with a switchport port-security aging command.
  d. The MAC address of PC1 that connects to the Fa0/2 interface is not the configured MAC address.
Answer: d. The MAC address of PC1 that connects to the Fa0/2 interface is not the configured MAC address. With the default violation mode (shutdown), the first frame from an address other than the configured one is a violation and the port goes into the err-disabled state.
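The port-security scenario from the question above, followed by the policy that answers the two CAM-table-overflow questions earlier on the page, as a Cisco IOS example added here (not from the original quiz page). The interface numbers, the maximum of two addresses and the recovery interval are assumptions; the MAC address is the one given in the question.

```cisco
! The situation in the question: Fa0/2 accepts exactly one address, PC1
! has a different one, so PC1's first frame is a violation and the
! default violation mode (shutdown) err-disables the port.
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0023.189d.6456
 switchport port-security violation shutdown
!
! Diagnosis: "Port Status: Secure-shutdown", a non-zero "Security
! Violation Count" and "Last Source Address" showing PC1's real MAC.
! show port-security interface FastEthernet0/2
! show interfaces FastEthernet0/2 status
!
! Recovery after correcting the address: an err-disabled port stays
! down until it is bounced (or errdisable recovery is enabled).
interface FastEthernet0/2
 shutdown
 no shutdown
!
! A more practical access-port policy against CAM table overflow: learn
! up to two addresses and keep them in the running-config (sticky), and
! drop plus log frames from any further address instead of shutting the
! port down, so a flooding tool gets nothing but does not cause an outage.
interface range FastEthernet0/3 - 24
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Where violation shutdown is kept, let the port recover automatically
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verify the secure address count and violations per port
! show port-security
! show port-security address
```

Sticky addresses only survive a reload if the running-config is saved; until then a reboot forgets them and the port relearns whatever is connected at that moment.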