Cisco ch10-12
It checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body (Explanation: DAI can be configured to check for both destination or source MAC and IP addresses: Destination MAC - Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body. Source MAC - Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body. IP address - Checks the ARP body for invalid and unexpected IP addresses including addresses 0.0.0.0, 255.255.255.255, and all IP multicast addresses.)
A network administrator is configuring DAI on a switch with the command ip arp inspection validate src-mac. What is the purpose of this configuration command?
802.11ac (Explanation: 802.11ac provides data rates up to 1.3 Gb/s and is still backward compatible with 802.11a/b/g/n devices. 802.11g and 802.11n are older standards that cannot reach speeds over 1 Gb/s. 802.11ad is a newer standard that can offer theoretical speeds of up to 7 Gb/s.)
A network administrator is required to upgrade wireless access to end users in a building. To provide data rates up to 1.3 Gb/s and still be backward compatible with older devices, which wireless standard should be implemented?
The 5 GHz band has more channels and is less crowded than the 2.4 GHz band, which makes it more suited to streaming multimedia. (Explanation: Wireless range is determined by the access point antenna and output power, not the frequency band that is used. In this scenario it is stated that all users have wireless NICs that comply with the latest standard, and so all can access the 5 GHz band. Although some users may find it inconvenient to switch to the 5 GHz band to access streaming services, it is the greater number of channels, not just fewer users, that will improve network performance.)
A network engineer is troubleshooting a newly deployed wireless network that is using the latest 802.11 standards. When users access high bandwidth services such as streaming video, the wireless network performance is poor. To improve performance, the network engineer decides to configure a 5 GHz frequency band SSID and train users to use that SSID for streaming media services. Why might this solution improve the wireless network performance for that type of service?
Change the default username and password of the wireless router. (Explanation: The first action a technician should take to secure a new wireless network is to change the default username and password of the wireless router. The next action would usually be to configure encryption. Then, once the initial group of wireless hosts has connected to the network, MAC address filtering would be enabled and SSID broadcast disabled. This will prevent new unauthorized hosts from finding and connecting to the wireless network.)
A technician is about to install and configure a wireless network at a small branch office. What is the first security measure the technician should apply immediately upon powering up the wireless router?
to avoid interference from nearby wireless devices (Explanation: Channels 1, 6, and 11 are selected because they are 5 channels apart, thus minimizing the interference with adjacent channels. A channel frequency can interfere with channels on either side of the main frequency. All wireless devices need to be used on nonadjacent channels.)
A technician is configuring the channel on a wireless router to either 1, 6, or 11. What is the purpose of adjusting the channel?
sticky secure MAC addresses (Explanation: With sticky secure MAC addressing, the MAC addresses can be either dynamically learned or manually configured and then stored in the address table and added to the running configuration file. In contrast, dynamic secure MAC addressing provides for dynamically learned MAC addressing that is stored only in the address table.)
As part of the new security policy, all switches on the network are configured to automatically learn MAC addresses for each port. All running configurations are saved at the start and close of every business day. A severe thunderstorm causes an extended power outage several hours after the close of business. When the switches are brought back online, the dynamically learned MAC addresses are retained. Which port security configuration enabled this?
Advanced (Explanation: The Cisco 3504 WLC dashboard displays when a user logs into the WLC. It provides some basic settings and menus that users can quickly access to implement a variety of common configurations. By clicking the Advanced button, the user will access the advanced Summary page and access all the features of the WLC.)
On a Cisco 3504 WLC dashboard, which option provides access to the full menu of features?
SWA(config-if)# switchport port-security
SWA(config-if)# switchport port-security maximum 2
SWA(config-if)# switchport port-security mac-address sticky
(Explanation: The default mode for a port security violation is to shut down the port, so the switchport port-security violation command is not necessary. The switchport port-security command must be entered with no additional options to enable port security for the port. Then, additional port security options can be added.)
Refer to the exhibit. Port Fa0/2 has already been configured appropriately. The IP phone and PC work properly. Which switch configuration would be most appropriate for port Fa0/2 if the network administrator has the following goals?
No one is allowed to disconnect the IP phone or the PC and connect some other wired device.
If a different device is connected, port Fa0/2 is shut down.
The switch should automatically detect the MAC address of the IP phone and the PC and add those addresses to the running configuration.
Frames from PC1 will cause the interface to shut down immediately, and a log entry will be made. (Explanation: Manual configuration of the single allowed MAC address has been entered for port Fa0/12. PC1 has a different MAC address and, when attached, will cause the port to shut down (the default action), a log message to be automatically created, and the violation counter to increment. The default action of shutdown is recommended because the restrict option might fail if an attack is underway.)
Refer to the exhibit. Port security has been configured on the Fa 0/12 interface of switch S1. What action will occur when PC1 is attached to switch S1 with the applied configuration?
True
True or False? In the 802.1X standard, the client attempting to access the network is referred to as the supplicant.
receiving a broadcast beacon frame
transmitting a probe request
(Explanation: Two methods can be used by a wireless device to discover and register with an access point: passive mode and active mode. In passive mode, the AP sends a broadcast beacon frame that contains the SSID and other wireless settings. In active mode, the wireless device must be manually configured for the SSID, and then the device broadcasts a probe request.)
What are the two methods that are used by a wireless NIC to discover an AP? (Choose two.)
the client that is requesting authentication (Explanation: The devices involved in the 802.1X authentication process are as follows:
The supplicant, which is the client that is requesting network access.
The authenticator, which is the switch that the client is connecting to and that is actually controlling physical network access.
The authentication server, which performs the actual authentication.)
What device is considered a supplicant during the 802.1X authentication process?
Enable port security
What mitigation plan is best for thwarting a DoS attack that is creating a MAC address table overflow?
Disable both protocols on all interfaces where they are not required. (Explanation: Both discovery protocols can provide hackers with sensitive network information. They should not be enabled on edge devices, and should be disabled globally or on a per-interface basis if not required. CDP is enabled by default.)
What represents a best practice concerning discovery protocols such as CDP and LLDP on network devices?
DHCP starvation
Which Layer 2 attack will result in legitimate users not getting valid IP addresses?
local AAA (Explanation: In a small network with a few network devices, AAA authentication can be implemented with the local database and with usernames and passwords stored on the network devices. Authentication using the TACACS+ or RADIUS protocol will require dedicated ACS servers although this authentication solution scales well in a large network.)
Which authentication method stores usernames and passwords in the router and is ideal for small networks?
SSH (Explanation: Telnet uses plain text to communicate in a network. The username and password can be captured if the data transmission is intercepted. SSH encrypts data communications between two network devices. TFTP and SCP are used for file transfer over the network. SNMP is used in network management solutions.)
Which protocol should be used to mitigate the vulnerability of using Telnet to remotely manage network devices?
It treats frames as unknown unicast and floods all incoming frames to all ports within the local VLAN. (Explanation: When the MAC address table is full, the switch treats the frame as an unknown unicast and begins to flood all incoming traffic to all ports only within the local VLAN.)
Which statement describes the behavior of a switch when the MAC address table is full?
Create a new VLAN interface. (Explanation: Each new WLAN configured on a Cisco 3500 series WLC needs its own VLAN interface. Thus a new VLAN interface must be created before a new WLAN can be created.)
Which step is required before creating a new WLAN on a Cisco 3500 series WLC?
Web Security Appliance
Email Security Appliance
NAC Appliance
Which three Cisco products focus on endpoint security solutions? (Choose three.)
S1(config)# spanning-tree portfast bpduguard default
S1(config-if)# spanning-tree bpduguard enable
(Explanation: BPDU guard can be enabled on all PortFast-enabled ports by using the spanning-tree portfast bpduguard default global configuration command. Alternatively, BPDU guard can be enabled on a PortFast-enabled port through the use of the spanning-tree bpduguard enable interface configuration command.)
Which two commands can be used to enable BPDU guard on a switch?
VLAN double-tagging (Explanation: Spoofing DTP messages forces a switch into trunking mode as part of a VLAN-hopping attack, but VLAN double tagging works even if trunk ports are disabled. Changing the native VLAN from the default to an unused VLAN reduces the possibility of this type of attack. DHCP spoofing and DHCP starvation exploit vulnerabilities in the DHCP message exchange.)
Which type of VLAN-hopping attack may be prevented by designating an unused VLAN as the native VLAN?
beacon (Explanation: Beacons are the only management frame that may regularly be broadcast by an AP. Probing, authentication, and association frames are used only during the association (or reassociation) process.)
Which type of management frame may regularly be broadcast by an AP?
active (Explanation: Active is a mode used to configure an access point so that clients must know the SSID to connect to the access point. APs and wireless routers can operate in a mixed mode, meaning that multiple wireless standards are supported. Open is an authentication mode for an access point that has no impact on the listing of available wireless networks for a client. When an access point is configured in passive mode, the SSID is broadcast so that the name of the wireless network will appear in the listing of available networks for clients.)
While attending a conference, participants are using laptops for network connectivity. When a guest speaker attempts to connect to the network, the laptop fails to display any available wireless networks. The access point must be operating in which mode?