CCNA 2 Exam 4 Module 11 test
to check the destination MAC address in the Ethernet header against the target MAC address in the ARP body
A network administrator is configuring DAI on a switch with the command ip arp inspection validate dst-mac. What is the purpose of this configuration command?
ip arp inspection trust
A network administrator is configuring DAI on a switch. Which command should be used on the uplink interface that connects to a router?
ip dhcp snooping
A network administrator is configuring DHCP snooping on a switch. Which configuration command should be used first?
Issue the shutdown command followed by the no shutdown command on the interface.
An administrator who is troubleshooting connectivity issues on a switch notices that a switch port configured for port security is in the err-disabled state. After verifying the cause of the violation, how should the administrator re-enable the port without disrupting network operation?
S1(config-if)# no spanning-tree bpduguard enable
Assume that BPDU Guard has been enabled globally on all access ports. However, one port must not be configured with the feature. Which command would explicitly disable BPDU Guard on that switch port?
all end-user ports
On what switch ports should PortFast be enabled to enhance STP stability?
shutdown (the port is placed in the err-disabled state, a syslog message is generated, and the port must be re-enabled manually unless errdisable recovery is configured)
Port security has been enabled on a switch port. What is the default violation mode?
There is a host connected to the secured Fa0/1 port.
Port security has been enabled on interface Fa0/1 and the show port-security interface fa0/1 command has been entered. What does the Port Status "Secure-up" message indicate?
VLAN hopping
What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol?
- trusted DHCP port
- untrusted port
What are two types of switch ports that are used on Cisco switches as part of the defense against DHCP spoofing attacks? (Choose two.)
Assign it to an unused VLAN.
What is a recommended best practice when dealing with the native VLAN?
Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports
What is the best way to prevent a VLAN hopping attack?
The port accepts at most 4 DHCP messages per second; if that rate is exceeded, the port is placed in the err-disabled state.
What is the result of entering the ip dhcp snooping limit rate 4 interface configuration command?
- Disable DTP.
- Enable trunking manually.
- Set the native VLAN to an unused VLAN.
What techniques should be done to mitigate VLAN attacks? (Choose three.)
RAM, as part of the running configuration; the sticky addresses are lost on reboot unless the running configuration is saved to the startup configuration (NVRAM).
Where are dynamically learned MAC addresses stored when sticky learning is enabled with the switchport port-security mac-address sticky command?
ip arp inspection validate src-mac
Which DAI command checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body?
Issue the shutdown and no shutdown interface config commands.
Which action will bring an error-disabled switch port back to an operational state?
shutdown
Which command would be best to use on an unused switch port if a company adheres to the best practices as recommended by Cisco?
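Worked configuration for the VLAN-hopping, native-VLAN and unused-port items above, added here as a study example (it is not from the original quiz). Switch name, interface names and VLAN numbers are assumptions chosen for illustration.

```cisco
! Added example: hardening trunk, access and unused ports against VLAN hopping.
! S1, the port names and VLANs 10/20/999/1000 are assumptions.
S1(config)# vlan 999
S1(config-vlan)# name NATIVE_UNUSED
S1(config-vlan)# exit
S1(config)# vlan 1000
S1(config-vlan)# name BLACKHOLE_UNUSED_PORTS
S1(config-vlan)# exit
!
! Trunk to another switch: trunking set manually, DTP disabled,
! native VLAN moved to an unused VLAN, allowed VLANs pruned explicitly
S1(config)# interface GigabitEthernet0/1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport nonegotiate
S1(config-if)# switchport trunk native vlan 999
S1(config-if)# switchport trunk allowed vlan 10,20,999
S1(config-if)# exit
!
! End-user ports: static access ports that never negotiate a trunk
S1(config)# interface range FastEthernet0/1 - 20
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 10
S1(config-if-range)# switchport nonegotiate
S1(config-if-range)# exit
!
! Unused ports: parked in a black-hole VLAN and shut down
S1(config)# interface range FastEthernet0/21 - 24
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 1000
S1(config-if-range)# shutdown
S1(config-if-range)# end
!
! Verification: the trunk should list native VLAN 999, and the access
! ports should report "Negotiation of Trunking: Off"
S1# show interfaces trunk
S1# show interfaces fa0/1 switchport
```

The native VLAN must be changed on both ends of the trunk; a mismatch is reported by CDP and by `show interfaces trunk`, and frames on the native VLAN are otherwise leaked untagged across the mismatched link.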
BPDU Guard
Which feature should be configured on PortFast enabled switches to prevent rogue switches from being added to a network?
Configuring port security
Which method would mitigate a MAC address flooding attack?
Sticky secure MAC addresses
Which port security feature enables switches to automatically learn and retain MAC addresses for each port?
Enable DHCP snooping on selected VLANs. (Dynamic ARP Inspection validates ARP packets against the DHCP snooping binding table, so DHCP snooping must be in place on a VLAN before DAI can protect it.)
Which procedure is recommended to mitigate the chances of ARP spoofing?
port security
Which security feature should be enabled in order to prevent an attacker from overflowing the MAC address table of a switch?
- S1(config-if)# spanning-tree portfast
- S1(config)# spanning-tree portfast default
Which two commands can be used to enable PortFast on a switch? (Choose two.)
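Worked configuration for the PortFast and BPDU Guard items above, added here as a study example (not from the original quiz). Switch name and interface names are assumptions.

```cisco
! Added example: PortFast and BPDU Guard on access ports.
! S1 and the interface names are assumptions.
!
! Global form: every access port gets PortFast and BPDU Guard
S1(config)# spanning-tree portfast default
S1(config)# spanning-tree portfast bpduguard default
!
! Per-interface form (equivalent for a single port)
S1(config)# interface FastEthernet0/1
S1(config-if)# switchport mode access
S1(config-if)# spanning-tree portfast
S1(config-if)# spanning-tree bpduguard enable
S1(config-if)# exit
!
! One access port that must NOT run BPDU Guard: the "disable" keyword
! explicitly overrides the global default on this port only
S1(config)# interface FastEthernet0/2
S1(config-if)# spanning-tree bpduguard disable
S1(config-if)# end
!
! Verification: "Portfast Default" and "PortFast BPDU Guard Default"
! appear as enabled in the summary; the per-port view confirms PortFast
S1# show spanning-tree summary
S1# show spanning-tree interface fa0/1 portfast
```

When a BPDU arrives on a guarded port the port goes to err-disabled; it stays there until an administrator issues shutdown / no shutdown on it (or errdisable recovery is configured for cause bpduguard), so the rogue switch is isolated rather than allowed to influence the topology.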
- Port security
- DHCP snooping
Which two features on a Cisco Catalyst switch can be used to mitigate DHCP starvation and DHCP spoofing attacks? (Choose two.)
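Worked configuration for the DHCP snooping and Dynamic ARP Inspection items on this page (validate src-mac/dst-mac, trust on the uplink, enabling snooping first, the rate limit, and DHCP snooping as the prerequisite for DAI), added here as a study example that is not from the original quiz. Switch name, VLAN 10, interface names and the rate-limit value are assumptions.

```cisco
! Added example: DHCP snooping plus DAI on an access switch.
! S1, VLAN 10, the port names and the rate limit are assumptions.
!
! 1. Enable DHCP snooping globally FIRST, then on the VLANs to protect
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10
!
! 2. Enable DAI on the same VLANs; it uses the DHCP snooping binding table.
!    All validate keywords must be given on ONE line, because each
!    "ip arp inspection validate" command replaces the previous setting.
S1(config)# ip arp inspection vlan 10
S1(config)# ip arp inspection validate src-mac dst-mac ip
!
! 3. Uplink toward the router / DHCP server: trusted for snooping and DAI
S1(config)# interface GigabitEthernet0/1
S1(config-if)# description Uplink to R1
S1(config-if)# ip dhcp snooping trust
S1(config-if)# ip arp inspection trust
S1(config-if)# exit
!
! 4. Access ports stay untrusted (the default); cap DHCP messages/second
!    so a DHCP starvation tool err-disables its own port
S1(config)# interface range FastEthernet0/1 - 24
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 10
S1(config-if-range)# ip dhcp snooping limit rate 4
S1(config-if-range)# end
!
! Verification
S1# show ip dhcp snooping
S1# show ip dhcp snooping binding
S1# show ip arp inspection interfaces
S1# show ip arp inspection statistics vlan 10
```

Hosts with static IP addresses never appear in the DHCP snooping binding table, so on a VLAN with DAI enabled their ARP traffic is dropped unless their ports are trusted or an ARP ACL permits them; check `show ip arp inspection statistics` for rising drop counters after enabling DAI.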
- Dynamically learned secure MAC addresses are lost when the switch reboots.
- If fewer than the maximum number of MAC addresses for a port are configured statically, dynamically learned addresses are added to CAM until the maximum number is reached.
Which two statements are true regarding switch port security? (Choose two.)
Restrict (frames from unknown source MAC addresses are dropped, the violation counter is incremented and a syslog/SNMP notification is generated; the port stays up)
Port security has been enabled on access ports to allow a maximum of two MAC addresses. Which port security violation mode would drop the frame and send a notification to the syslog server if the maximum number of MAC addresses is exceeded?
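Worked configuration for the port security items on this page (sticky learning, the restrict violation mode, the Secure-up status, where sticky addresses live, and recovering an err-disabled port), added here as a study example that is not from the original quiz. Switch name, interface names and the maximum count are assumptions.

```cisco
! Added example: port security with sticky learning and restrict mode,
! plus recovery of an err-disabled port. S1, the port names and the
! maximum of 2 addresses are assumptions.
!
! Port security is only accepted on a static access (or trunk) port,
! so set the mode before enabling it
S1(config)# interface FastEthernet0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 2
S1(config-if)# switchport port-security mac-address sticky
S1(config-if)# switchport port-security violation restrict
S1(config-if)# exit
!
! A port left in the default mode (shutdown) that has tripped:
! "show port-security interface" reports Port Status Secure-shutdown.
! Re-enable it with shutdown / no shutdown, which affects only that port.
S1(config)# interface FastEthernet0/2
S1(config-if)# shutdown
S1(config-if)# no shutdown
S1(config-if)# exit
!
! Optional: let the switch re-enable psecure-violation err-disabled
! ports on its own after 5 minutes
S1(config)# errdisable recovery cause psecure-violation
S1(config)# errdisable recovery interval 300
S1(config)# end
!
! Sticky addresses are learned into the running configuration (RAM) as
! "switchport port-security mac-address sticky <mac>" lines; save them
! or they are gone after a reload
S1# copy running-config startup-config
!
! Verification: Secure-up means the port is up with security applied;
! the restrict port shows a rising Security Violation Count while staying up
S1# show port-security interface fa0/1
S1# show port-security address
```

With restrict the legitimate hosts keep working while the violation counter and syslog messages give the SOC a signal; with the default shutdown mode the same event takes the port, and every host behind it, offline until someone intervenes.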