13-14 sec
Which protocol defines port-based authentication to restrict unauthorized hosts from connecting to the LAN through publicly accessible switch ports? RADIUS TACACS+ 802.1x SSH
802.1x
What is involved in an IP address spoofing attack? ADVERTISING A rogue node replies to an ARP request with its own MAC address indicated for the target IP address. Bogus DHCPDISCOVER messages are sent to consume all the available IP addresses on a DHCP server. A rogue DHCP server provides false IP configuration parameters to legitimate DHCP clients. A legitimate network IP address is hijacked by a rogue node.
A legitimate network IP address is hijacked by a rogue node.
A network administrator uses the spanning-tree loopguard default global configuration command to enable Loop Guard on switches. What components in a LAN are protected with Loop Guard? All Root Guard enabled ports. All PortFast enabled ports. All point-to-point links between switches. All BPDU Guard enabled ports.
All point-to-point links between switches.
Which procedure is recommended to mitigate the chances of ARP spoofing? Enable DHCP snooping on selected VLANs. Enable IP Source Guard on trusted ports. Enable DAI on the management VLAN. Enable port security globally.
Enable DHCP snooping on selected VLANs.
Which Cisco solution helps prevent MAC and IP address spoofing attacks? Port Security DHCP Snooping IP Source Guard Dynamic ARP Inspection
IP Source Guard
What two internal LAN elements need to be secured? (Choose two.) edge routers IP phones fiber connections switches cloud-based hosts
IP phones switches
At which layer of the OSI model does Spanning Tree Protocol operate? Layer 1 Layer 2 Layer 3 Layer 4
Layer 2
What is the result of a DHCP starvation attack? Legitimate clients are unable to lease IP addresses. Clients receive IP address assignments from a rogue DHCP server. The attacker provides incorrect DNS and default gateway information to clients. The IP addresses assigned to legitimate clients are hijacked.
Legitimate clients are unable to lease IP addresses
Two devices that are connected to the same switch need to be totally isolated from one another. Which Cisco switch security feature will provide this isolation? PVLAN Edge DTP SPAN BPDU guard
PVLAN Edge
Which protocol should be used to mitigate the vulnerability of using Telnet to remotely manage network devices? SNMP TFTP SSH SCP
SSH
What is the behavior of a switch as a result of a successful CAM table attack? The switch will drop all received frames. The switch interfaces will transition to the error-disabled state. The switch will forward all received frames to all other ports. The switch will shut down.
The switch will forward all received frames to all other ports.
Why are traditional network security perimeters not suitable for the latest consumer-based network endpoint devices? These devices are not managed by the corporate IT department. These devices pose no risk to security as they are not directly connected to the corporate network. These devices connect to the corporate network through public wireless networks. These devices are more varied in type and are portable.
These devices are more varied in type and are portable.
Refer to the exhibit. The network administrator is configuring the port security feature on switch SWC. The administrator issued the command show port-security interface fa 0/2 to verify the configuration. What can be concluded from the output that is shown? (Choose three.) Three security violations have been detected on this interface. This port is currently up. The port is configured as a trunk link. Security violations will cause this port to shut down immediately. There is no device currently connected to this port. The switch port mode for this interface is access mode
This port is currently up. Security violations will cause this port to shut down immediately. The switch port mode for this interface is access mode
What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol? VLAN hopping DHCP spoofing ARP poisoning ARP spoofing
VLAN hopping
Which command is used as part of the 802.1X configuration to designate the authentication method that will be used? dot1x system-auth-control aaa authentication dot1x aaa new-model dot1x pae authenticator
aaa authentication dot1x
Which term describes the role of a Cisco switch in the 802.1X port-based access control? agent supplicant authenticator authentication server
authenticator
How can DHCP spoofing attacks be mitigated? by disabling DTP negotiations on nontrunking ports by implementing port security by the application of the ip verify source command to untrusted ports by implementing DHCP snooping on trusted ports
by implementing DHCP snooping on trusted ports
In an 802.1x deployment, which device is a supplicant? RADIUS server access point switch end-user station
end-user station
What are two examples of traditional host-based security measures? (Choose two.) host-based IPS NAS 802.1X antimalware software host-based NAC
host-based IPS antimalware software
What type of data does the DLP feature of Cisco Email Security Appliance scan in order to prevent customer data from being leaked outside of the company? inbound messages outbound messages messages stored on a client device messages stored on the email server
outbound messages
Which two ports can send and receive Layer 2 traffic from a community port on a PVLAN? (Choose two.) community ports belonging to other communities promiscuous ports isolated ports within the same community PVLAN edge protected ports community ports belonging to the same community
promiscuous ports community ports belonging to the same community
An 802.1X client must authenticate before being allowed to pass data traffic onto the network. During the authentication process, between which two devices is the EAP data encapsulated into EAPOL frames? (Choose two.) ADVERTISING data nonrepudiation server authentication server (TACACS) supplicant (client) authenticator (switch) ASA Firewall
supplicant (client) authenticator (switch)
What device is considered a supplicant during the 802.1X authentication process? the router that is serving as the default gateway the authentication server that is performing client authentication the client that is requesting authentication the switch that is controlling network access
the client that is requesting authentication
A network administrator is configuring DAI on a switch with the command ip arp inspection validate dst-mac . What is the purpose of this configuration command? to check the destination MAC address in the Ethernet header against the MAC address table to check the destination MAC address in the Ethernet header against the user-configured ARP ACLs to check the destination MAC address in the Ethernet header against the target MAC address in the ARP body to check the destination MAC address in the Ethernet header against the source MAC address in the ARP body
to check the destination MAC address in the Ethernet header against the target MAC address in the ARP body Dest MAC and Target MAC
What is the goal of the Cisco NAC framework and the Cisco NAC appliance? to ensure that only hosts that are authenticated and have had their security posture examined and approved are permitted onto the network to monitor data from the company to the ISP in order to build a real-time database of current spam threats from both internal and external sources to provide anti-malware scanning at the network perimeter for both authenticated and non-authenticated devices to provide protection against a wide variety of web-based threats, including adware, phishing attacks, Trojan horses, and worms
to ensure that only hosts that are authenticated and have had their security posture examined and approved are permitted onto the network
A company implements 802.1X security on the corporate network. A PC is attached to the network but has not authenticated yet. Which 802.1X state is associated with this PC? err-disabled disabled unauthorized forwarding
unauthorized
