CRT 11.6 Module Quiz - Switch Security Configuration
Which two features on a Cisco Catalyst switch can be used to mitigate DHCP starvation and DHCP spoofing attacks? (Choose two.) - port security - DHCP server failover - extended ACL - strong password on DHCP servers - DHCP snooping
- port security - DHCP snooping Topic 11.3.0 - In DHCP starvation attacks, an attacker floods the DHCP server with DHCP requests to use up all the available IP addresses that the DHCP server can issue. In DHCP spoofing attacks, an attacker configures a fake DHCP server on the network so that it provides clients with false DNS server addresses. The port security feature can limit the number of dynamically learned MAC addresses per port or allow only known valid NICs to be connected via their specific MAC addresses. The DHCP snooping feature can identify the legitimate DHCP servers and block fake DHCP servers from issuing IP address information. These two features can help fight against DHCP attacks.
Which command would be best to use on an unused switch port if a company adheres to the best practices as recommended by Cisco? - ip dhcp snooping - switchport port-security mac-address sticky mac-address - switchport port-security mac-address sticky - shutdown - switchport port-security violation shutdown
- shutdown Topic 11.1.0 - Unlike router Ethernet ports, switch ports are enabled by default. Cisco recommends disabling any port that is not used. The ip dhcp snooping command globally enables DHCP snooping on a switch. Further configuration allows defining ports that can respond to DHCP requests. The switchport port-security command is used to protect the network from unidentified or unauthorized attachment of network devices.
A network administrator is configuring DAI on a switch with the command ip arp inspection validate dst-mac. What is the purpose of this configuration command? - to check the destination MAC address in the Ethernet header against the target MAC address in the ARP body - to check the destination MAC address in the Ethernet header against the source MAC address in the ARP body - to check the destination MAC address in the Ethernet header against the MAC address table - to check the destination MAC address in the Ethernet header against the user-configured ARP ACLs
- to check the destination MAC address in the Ethernet header against the target MAC address in the ARP body Topic 11.4.0 - DAI can be configured to check for both destination or source MAC and IP addresses: Destination MAC - Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body. Source MAC - Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body. IP address - Checks the ARP body for invalid and unexpected IP addresses including addresses 0.0.0.0, 255.255.255.255, and all IP multicast addresses.
What are two types of switch ports that are used on Cisco switches as part of the defense against DHCP spoofing attacks? (Choose two.) - authorized DHCP port - unknown port - untrusted port - established DHCP port - unauthorized port - trusted DHCP port
- untrusted port - trusted DHCP port Topic 11.3.0 - DHCP snooping recognizes two types of ports on Cisco switches: 1) Trusted DHCP ports - switch ports connecting to upstream DHCP servers 2) Untrusted ports - switch ports connecting to hosts that should not be providing DHCP server messages
What is a recommended best practice when dealing with the native VLAN? - Assign the same VLAN number as the management VLAN. - Assign it to an unused VLAN. - Turn off DTP. - Use port security.
- Assign it to an unused VLAN. Topic 11.2.0 - Port security cannot be enabled on a trunk and trunks are the only types of ports that have a native VLAN. Even though turning DTP off on a trunk is a best practice, it does not have anything to do with native VLAN risks. To prevent security breaches that take advantage of the native VLAN, place the native VLAN in an unused VLAN other than VLAN 1. The management VLAN should also be an unused VLAN that is different from the native VLAN and something other than VLAN 1.
What is the best way to prevent a VLAN hopping attack? - Disable STP on all nontrunk ports. - Use ISL encapsulation on all trunk links. - Use VLAN 1 as the native VLAN on trunk ports. - Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports.
- Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports. Topic 11.2.0 - VLAN hopping attacks rely on the attacker being able to create a trunk link with a switch. Disabling DTP and configuring user-facing ports as static access ports can help prevent these types of attacks. Disabling the Spanning Tree Protocol (STP) will not eliminate VLAN hopping attacks.
Which procedure is recommended to mitigate the chances of ARP spoofing? - Enable port security globally. - Enable DAI on the management VLAN. - Enable IP Source Guard on trusted ports. - Enable DHCP snooping on selected VLANs.
- Enable DHCP snooping on selected VLANs. Topic 11.4.0 - To mitigate the chances of ARP spoofing, these procedures are recommended: Implement protection against DHCP spoofing by enabling DHCP snooping globally. Enable DHCP snooping on selected VLANs. Enable DAI on selected VLANs. Configure trusted interfaces for DHCP snooping and ARP inspection. Untrusted ports are configured by default.
An administrator who is troubleshooting connectivity issues on a switch notices that a switch port configured for port security is in the err-disabled state. After verifying the cause of the violation, how should the administrator re-enable the port without disrupting network operation? - Issue the no switchport port-security violation shutdown command on the interface. - Reboot the switch. - Issue the no switchport port-security command, then re-enable port security. - Issue the shutdown command followed by the no shutdown command on the interface.
- Issue the shutdown command followed by the no shutdown command on the interface. Topic 11.1.0 - If an interface that has been protected with port security goes into the err-disabled state, then a violation has occurred and the administrator should investigate the cause of the violation. Once the cause is determined, the administrator can issue the shutdown command followed by the no shutdown command to enable the interface.
Where are dynamically learned MAC addresses stored when sticky learning is enabled with the switchport port-security mac-address sticky command? - NVRAM - RAM - flash - ROM
- RAM Topic 11.1.0 - When MAC addresses are automatically learned by using the sticky command option, the learned MAC addresses are added to the running configuration, which is stored in RAM.
Which two commands can be used to enable PortFast on a switch? (Choose two.) - S1(config-if)# spanning-tree portfast - S1(config)# enable spanning-tree portfast default - S1(config-line)# spanning-tree portfast - S1(config-if)# enable spanning-tree portfast - S1(config)# spanning-tree portfast default
- S1(config-if)# spanning-tree portfast - S1(config)# spanning-tree portfast default Topic 11.5.0 - PortFast can be configured on all nontrunking ports using the spanning-tree portfast default global configuration command. Alternatively, PortFast can be enabled on an interface using the spanning-tree portfast interface configuration command.
What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol? - DHCP spoofing - ARP spoofing - ARP poisoning - VLAN hopping
- VLAN hopping Topic 11.2.0 - Mitigating a VLAN hopping attack can be done by disabling Dynamic Trunking Protocol (DTP) and by setting the native VLAN of trunk links to VLANs not in use.
On what switch ports should PortFast be enabled to enhance STP stability? - only ports that are elected as designated ports - only ports that attach to a neighboring switch - all end-user ports - all trunk ports that are not root ports
- all end-user ports Topic 11.5.0 - PortFast will immediately bring an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states. If configured on a trunk link, immediately transitioning to the forwarding state could lead to the formation of Layer 2 loops.
A network administrator is configuring DAI on a switch. Which command should be used on the uplink interface that connects to a router? - spanning-tree portfast - ip arp inspection trust - ip dhcp snooping - ip arp inspection vlan
- ip arp inspection trust Topic 11.4.0 - In general, a router serves as the default gateway for the LAN or VLAN on the switch. Therefore, the uplink interface that connects to a router should be a trusted port for forwarding ARP requests.
A network administrator is configuring DHCP snooping on a switch. Which configuration command should be used first? - ip dhcp snooping trust - ip dhcp snooping - ip dhcp snooping limit rate - ip dhcp snooping vlan
- ip dhcp snooping Topic 11.3.0 - The steps to enable DHCP snooping include these: Step 1. Enable DHCP snooping using the ip dhcp snooping global configuration command. Step 2. On trusted ports, use the ip dhcp snooping trust interface configuration command. Step 3. Enable DHCP snooping by VLAN, or by a range of VLANs.
Which security feature should be enabled in order to prevent an attacker from overflowing the MAC address table of a switch? - port security - BPDU filter - root guard - storm control
- port security Topic 11.1.0 - Port security limits the number of source MAC addresses allowed through a switch port. This feature can prevent an attacker from flooding a switch with many spoofed MAC addresses.
