Modules 13 - 14: Layer 2 and Endpoint Security
18. Which protocol defines port-based authentication to restrict unauthorized hosts from connecting to the LAN through publicly accessible switch ports? - RADIUS - TACACS+ - 802.1x - SSH
802.1x
11. Which procedure is recommended to mitigate the chances of ARP spoofing? - Enable DHCP snooping on selected VLANs. - Enable IP Source Guard on trusted ports. - Enable DAI on the management VLAN. - Enable port security globally.
Enable DHCP snooping on selected VLANs.
13. Which protocol should be used to mitigate the vulnerability of using Telnet to remotely manage network devices? - SNMP - TFTP - SSH - SCP
SSH
1. Why are traditional network security perimeters not suitable for the latest consumer-based network endpoint devices? - These devices are not managed by the corporate IT department. - These devices pose no risk to security as they are not directly connected to the corporate network. - These devices connect to the corporate network through public wireless networks. - These devices are more varied in type and are portable.
These devices are more varied in type and are portable.
7. Which command is used as part of the 802.1X configuration to designate the authentication method that will be used? - dot1x system-auth-control - aaa authentication dot1x - aaa new-model - dot1x pae authenticator
aaa authentication dot1x
8. What is involved in an IP address spoofing attack? - A rogue node replies to an ARP request with its own MAC address indicated for the target IP address. - Bogus DHCPDISCOVER messages are sent to consume all the available IP addresses on a DHCP server. - A rogue DHCP server provides false IP configuration parameters to legitimate DHCP clients. - A legitimate network IP address is hijacked by a rogue node.
- A legitimate network IP address is hijacked by a rogue node.
10. A network administrator uses the spanning-tree loopguard default global configuration command to enable Loop Guard on switches. What components in a LAN are protected with Loop Guard? - All Root Guard enabled ports. - All PortFast enabled ports. - All point-to-point links between switches. - All BPDU Guard enabled ports.
- All point-to-point links between switches.
23. Which Cisco solution helps prevent MAC and IP address spoofing attacks? - Port Security - DHCP Snooping - IP Source Guard - Dynamic ARP Inspection
- IP Source Guard
2. What two internal LAN elements need to be secured? (Choose two.) - edge routers - IP phones - fiber connections - switches - cloud-based hosts
- IP phones - switches
9. At which layer of the OSI model does Spanning Tree Protocol operate? - Layer 1 - Layer 2 - Layer 3 - Layer 4
- Layer 2
25. What is the result of a DHCP starvation attack? - Legitimate clients are unable to lease IP addresses. - Clients receive IP address assignments from a rogue DHCP server. - The attacker provides incorrect DNS and default gateway information to clients. - The IP addresses assigned to legitimate clients are hijacked.
- Legitimate clients are unable to lease IP addresses.
16. Two devices that are connected to the same switch need to be totally isolated from one another. Which Cisco switch security feature will provide this isolation? - PVLAN Edge - DTP - SPAN - BPDU guard
- PVLAN Edge
17. What is the behavior of a switch as a result of a successful CAM table attack? - The switch will drop all received frames. - The switch interfaces will transition to the error-disabled state. - The switch will forward all received frames to all other ports. - The switch will shut down.
- The switch will forward all received frames to all other ports.
24. What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol? - VLAN hopping - DHCP spoofing - ARP poisoning - ARP spoofing
- VLAN hopping
20. Which term describes the role of a Cisco switch in the 802.1X port-based access control? - agent - supplicant - authenticator - authentication server
- authenticator
14. How can DHCP spoofing attacks be mitigated? - by disabling DTP negotiations on nontrunking ports - by implementing port security - by the application of the ip verify source command to untrusted ports - by implementing DHCP snooping on trusted ports
- by implementing DHCP snooping on trusted ports
4. In an 802.1x deployment, which device is a supplicant? - RADIUS server - access point - switch - end-user station
- end-user station
3. What are two examples of traditional host-based security measures? (Choose two.) - host-based IPS - NAS - 802.1X - antimalware software - host-based NAC
- host-based IPS - antimalware software
21. What type of data does the DLP feature of Cisco Email Security Appliance scan in order to prevent customer data from being leaked outside of the company? - inbound messages - outbound messages - messages stored on a client device - messages stored on the email server
- outbound messages
12. Which two ports can send and receive Layer 2 traffic from a community port on a PVLAN? (Choose two.) - community ports belonging to other communities - promiscuous ports - isolated ports within the same community - PVLAN edge protected ports - community ports belonging to the same community
- promiscuous ports - community ports belonging to the same community
6. An 802.1X client must authenticate before being allowed to pass data traffic onto the network. During the authentication process, between which two devices is the EAP data encapsulated into EAPOL frames? (Choose two.) - data nonrepudiation server - authentication server (TACACS) - supplicant (client) - authenticator (switch) - ASA Firewall
- supplicant (client) - authenticator (switch)
19. What device is considered a supplicant during the 802.1X authentication process? - the router that is serving as the default gateway - the authentication server that is performing client authentication - the client that is requesting authentication - the switch that is controlling network access
- the client that is requesting authentication
26. A network administrator is configuring DAI on a switch with the command ip arp inspection validate dst-mac . What is the purpose of this configuration command? - to check the destination MAC address in the Ethernet header against the MAC address table - to check the destination MAC address in the Ethernet header against the user-configured ARP ACLs - to check the destination MAC address in the Ethernet header against the target MAC address in the ARP body - to check the destination MAC address in the Ethernet header against the source MAC address in the ARP body
- to check the destination MAC address in the Ethernet header against the target MAC address in the ARP body
22. What is the goal of the Cisco NAC framework and the Cisco NAC appliance? - to ensure that only hosts that are authenticated and have had their security posture examined and approved are permitted onto the network - to monitor data from the company to the ISP in order to build a real-time database of current spam threats from both internal and external sources - to provide anti-malware scanning at the network perimeter for both authenticated and non-authenticated devices - to provide protection against a wide variety of web-based threats, including adware, phishing attacks, Trojan horses, and worms
- to ensure that only hosts that are authenticated and have had their security posture examined and approved are permitted onto the network
5. A company implements 802.1X security on the corporate network. A PC is attached to the network but has not authenticated yet. Which 802.1X state is associated with this PC? - err-disabled - disabled - unauthorized - forwarding
- unauthorized