Mod 11 switch security configuration

Refer to the exhibit. PC1 and PC2 should be able to obtain IP address assignments from the DHCP server. How many ports among switches should be assigned as trusted ports as part of the DHCP snooping configuration?

7

1. What is a recommended best practice when dealing with the native VLAN?

Assign it to an unused VLAN.

What are three techniques for mitigating VLAN attacks? (Choose three.)

Disable DTP. Enable trunking manually. Set the native VLAN to an unused VLAN.

5. What is the best way to prevent a VLAN hopping attack?

Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports.

6. Which procedure is recommended to mitigate the chances of ARP spoofing?

Enable DHCP snooping on selected VLANs.

A network administrator enters the following commands on the switch SW1.
SW1(config)# interface range fa0/5 - 10
SW1(config-if)# ip dhcp snooping limit rate 6
What is the effect after these commands are entered?

FastEthernet ports 5 through 10 can receive up to 6 DHCP discovery messages per second.

Refer to the exhibit. Port security has been configured on the Fa 0/12 interface of switch S1. What action will occur when PC1 is attached to switch S1 with the applied configuration?

Frames from PC1 will cause the interface to shut down immediately, and a log entry will be made.

9. An administrator who is troubleshooting connectivity issues on a switch notices that a switch port configured for port security is in the err-disabled state. After verifying the cause of the violation, how should the administrator re-enable the port without disrupting network operation?

Issue the shutdown command followed by the no shutdown command on the interface.

A network administrator is configuring DAI on a switch with the command ip arp inspection validate src-mac. What is the purpose of this configuration command?

It checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.

15. Where are dynamically learned MAC addresses stored when sticky learning is enabled with the switchport port-security mac-address sticky command?

RAM

Which two commands can be used to enable BPDU guard on a switch? (Choose two.)

S1(config-if)# spanning-tree bpduguard enable
S1(config)# spanning-tree portfast bpduguard default

8. Which two commands can be used to enable PortFast on a switch? (Choose two.)

S1(config-if)# spanning-tree portfast
S1(config)# spanning-tree portfast default

Refer to the exhibit. Port Fa0/2 has already been configured appropriately. The IP phone and PC work properly. Which switch configuration would be most appropriate for port Fa0/2 if the network administrator has the following goals? No one is allowed to disconnect the IP phone or the PC and connect some other wired device. If a different device is connected, port Fa0/2 is shut down. The switch should automatically detect the MAC address of the IP phone and the PC and add those addresses to the running configuration.

SWA(config-if)# switchport port-security
SWA(config-if)# switchport port-security maximum 2
SWA(config-if)# switchport port-security mac-address sticky

Refer to the exhibit. The Fa0/2 interface on switch S1 has been configured with the switchport port-security mac-address 0023.189d.6456 command and a workstation has been connected. What could be the reason that the Fa0/2 interface is shutdown?

The MAC address of PC1 that connects to the Fa0/2 interface is not the configured MAC address.

Refer to the exhibit. What can be determined about port security from the information that is shown?

The port violation mode is the default for any port that has port security enabled.

Which type of VLAN-hopping attack may be prevented by designating an unused VLAN as the native VLAN?

VLAN double-tagging

13. What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol?

VLAN hopping

2. On what switch ports should PortFast be enabled to enhance STP stability?

all end-user ports

14. A network administrator is configuring DAI on a switch. Which command should be used on the uplink interface that connects to a router?

ip arp inspection trust

10. A network administrator is configuring DHCP snooping on a switch. Which configuration command should be used first?

ip dhcp snooping

12. Which security feature should be enabled in order to prevent an attacker from overflowing the MAC address table of a switch?

port security

4. Which two features on a Cisco Catalyst switch can be used to mitigate DHCP starvation and DHCP spoofing attacks? (Choose two.)

port security
DHCP snooping

What security benefit is gained from enabling BPDU guard on PortFast enabled interfaces?

preventing rogue switches from being added to the network

A network administrator is configuring port security on a Cisco switch. The company security policy specifies that when a violation occurs, packets with unknown source addresses should be dropped and no notification should be sent. Which violation mode should be configured on the interfaces?

protect

3. Which command would be best to use on an unused switch port if a company adheres to the best practices as recommended by Cisco?

shutdown

As part of the new security policy, all switches on the network are configured to automatically learn MAC addresses for each port. All running configurations are saved at the start and close of every business day. A severe thunderstorm causes an extended power outage several hours after the close of business. When the switches are brought back online, the dynamically learned MAC addresses are retained. Which port security configuration enabled this?

sticky secure MAC addresses

11. A network administrator is configuring DAI on a switch with the command ip arp inspection validate dst-mac. What is the purpose of this configuration command?

to check the destination MAC address in the Ethernet header against the target MAC address in the ARP body

7. What are two types of switch ports that are used on Cisco switches as part of the defense against DHCP spoofing attacks? (Choose two.)

trusted DHCP port
untrusted port

