CCNA Security - Chapter 6
- snooping
DHCP ________ is a mitigation technique to prevent rogue DHCP servers from providing false IP configuration parameters.

- by using a proxy autoconfiguration file in the end device
How can a user connect to the Cisco Cloud Web Security service directly?
- through the connector that is integrated into any Layer 2 Cisco switch
- by using a proxy autoconfiguration file in the end device
- by accessing a Cisco CWS server before visiting the destination web site
- by establishing a VPN connection with the Cisco CWS

- on all switch ports that connect to another switch that is not the root bridge
In what situation would a network administrator most likely implement root guard?
- on all switch ports (used or unused)
- on all switch ports that connect to a Layer 3 device
- on all switch ports that connect to host devices
- on all switch ports that connect to another switch
- on all switch ports that connect to another switch that is not the root bridge

- The MAC address of PC1 that connects to the Fa0/2 interface is not the configured MAC address.
Refer to the exhibit. The Fa0/2 interface on switch S1 has been configured with the switchport port-security mac-address 0023.189d.6456 command and a workstation has been connected. What could be the reason that the Fa0/2 interface is shutdown?
- The connection between S1 and PC1 is via a crossover cable.
- The Fa0/24 interface of S1 is configured with the same MAC address as the Fa0/2 interface.
- S1 has been configured with a switchport port-security aging command.
- The MAC address of PC1 that connects to the Fa0/2 interface is not the configured MAC address.

- PVLAN Edge
Two devices that are connected to the same switch need to be totally isolated from one another. Which Cisco switch security feature will provide this isolation?
- PVLAN Edge
- DTP
- SPAN
- BPDU guard

- DHCP snooping
What additional security measure must be enabled along with IP Source Guard to protect against address spoofing?
- port security
- BPDU Guard
- root guard
- DHCP snooping

- Set the native VLAN to an unused VLAN.
- Disable DTP.
- Enable trunking manually.
What are three techniques for mitigating VLAN hopping attacks? (Choose three.)
- Set the native VLAN to an unused VLAN.
- Disable DTP.
- Enable Source Guard.
- Enable trunking manually.
- Enable BPDU guard.
- Use private VLANs.

- Cisco NAC Agent
What component of Cisco NAC is responsible for performing deep inspection of device security profiles?
- Cisco NAC Profiler
- Cisco NAC Agent
- Cisco NAC Manager
- Cisco NAC Server

- The switch will forward all received frames to all other ports.
What is the behavior of a switch as a result of a successful CAM table attack?
- The switch will forward all received frames to all other ports.
- The switch will drop all received frames.
- The switch interfaces will transition to the error-disabled state.
- The switch will shut down.

- a promiscuous port
What is the only type of port that an isolated port can forward traffic to on a private VLAN?
- a community port
- a promiscuous port
- another isolated port
- any access port in the same PVLAN

- It provides the ability for creation and reporting of guest accounts.
What is the role of the Cisco NAC Guest Server within the Cisco Borderless Network architecture?
- It defines role-based user access and endpoint security policies.
- It provides the ability for creation and reporting of guest accounts.
- It provides post-connection monitoring of all endpoint devices.
- It performs deep inspection of device security profiles.

- to define role-based user access and endpoint security policies
What is the role of the Cisco NAC Manager in implementing a secure networking infrastructure?
- to define role-based user access and endpoint security policies
- to assess and enforce security policy compliance in the NAC environment
- to perform deep inspection of device security profiles
- to provide post-connection monitoring of all endpoint devices

- assessing and enforcing security policy compliance in the NAC environment
What is the role of the Cisco NAC Server within the Cisco Secure Borderless Network Architecture?
- providing the ability for company employees to create guest accounts
- providing post-connection monitoring of all endpoint devices
- defining role-based user access and endpoint security policies
- assessing and enforcing security policy compliance in the NAC environment

- DHCP starvation
What network attack seeks to create a DoS for clients by preventing them from being able to obtain a DHCP lease?
- DHCP spoofing
- CAM table attack
- IP address spoofing
- DHCP starvation

- DTP
What protocol should be disabled to help mitigate VLAN hopping attacks?
- STP
- ARP
- CDP
- DTP

- preventing rogue switches from being added to the network
What security benefit is gained from enabling BPDU guard on PortFast enabled interfaces?
- enforcing the placement of root bridges
- preventing buffer overflow attacks
- preventing rogue switches from being added to the network
- protecting against Layer 2 loops

- port security
What security countermeasure is effective for preventing CAM table overflow attacks?
- DHCP snooping
- Dynamic ARP Inspection
- IP source guard
- port security

- MAC-address-to-IP-address bindings
- ARP ACLs
What two mechanisms are used by Dynamic ARP inspection to validate ARP packets for IP addresses that are dynamically assigned or IP addresses that are static? (Choose two.)
- MAC-address-to-IP-address bindings
- RARP
- ARP ACLs
- IP ACLs
- Source Guard

- root guard
Which STP stability mechanism is used to prevent a rogue switch from becoming the root switch?
- Source Guard
- BPDU guard
- root guard
- loop guard

- file retrospection
Which feature is part of the Antimalware Protection security solution?
- file retrospection
- user authentication and authorization
- data loss prevention
- spam blocking

- implementing port security
Which mitigation technique would prevent rogue servers from providing false IP configuration parameters to clients?
- turning on DHCP snooping
- implementing port security
- implementing port-security on edge ports
- disabling CDP on edge ports

- port security
Which security feature should be enabled in order to prevent an attacker from overflowing the MAC address table of a switch?
- root guard
- port security
- storm control
- BPDU filter

- root guard
Which spanning-tree enhancement prevents the spanning-tree topology from changing by blocking a port that receives a superior BPDU?
- BPDU filter
- PortFast
- BPDU guard
- root guard

- AAA services
- scanning for policy compliance
- remediation for noncompliant devices
Which three functions are provided under the Cisco NAC framework solution? (Choose three.)
- VPN connection
- AAA services
- intrusion prevention
- scanning for policy compliance
- secure connection to servers
- remediation for noncompliant devices

- enforcing network security policy for hosts that connect to the network
- ensuring that only authenticated hosts can access the network
Which two functions are provided by Network Admission Control? (Choose two.)
- protecting a switch from MAC address table overflow attacks
- enforcing network security policy for hosts that connect to the network
- ensuring that only authenticated hosts can access the network
- stopping excessive broadcasts from disrupting network traffic
- limiting the number of MAC addresses that can be learned on a single switch port

- VLAN double-tagging
Which type of VLAN-hopping attack may be prevented by designating an unused VLAN as the native VLAN?
- DTP spoofing
- DHCP spoofing
- VLAN double-tagging
- DHCP starvation