CCNA 2 Chapter 2

What 4 things should you look for if an interface is down?

* check for proper or damaged cables/connectors * a mismatch in speed setting * excessive noise * late colissions

Compare EXEC mode commands enable password and enable secret password.

*The enable secret password command provides better security than the enable password. * The enable password and enable secret password protect access to privileged EXEC mode.

Which 2 statements are true regarding switch port security?

* Dynamically learned secure MAC addresses are lost when the switch reboots * If fewer than the maximum number of MAC addresses for a port are configured statically, dynamically learned addresses are added to CAM until the maximum number is reached.

What 2 important characteristics about Layer 2 Ethernet switches are true?

* Layer 2 switches have multiple collision domains * Layer 2 switches can send traffic based on the destination MAC address

For security purposes, should you use VLAN 1 for the management VLAN?

NO

Which command configures basic port security?

S1(config-if)# switchport mode access S1(config-if)# switchport port-security

Which command enables sticky learning for a switch port?

S1(config-if)# switchport port-security mac-address sticky

How can you access the switch OS if there are missing or damaged filed systems?

use the boot loader - connect via a console cable to a PC and use terminal emulation software

What 6 steps are needed to configure basic switch settings?

1 - erase and reload the switch 2 - assign hostname 3 - configure password encryption 4 - assign secret password 5 - prevent DNS lookups 6 - create MOTD

Describe the boot sequence for a Cisco switch:

1st - loads POST program stored in ROM 2nd - loads boot loader software stored in ROM 3rd - boot loader performs low-level CPU initialization & initializes the CPU registers 4th - boot loader initializes flash file system on the system board 5th - boot loader locates & loads a default IOS operating system software image into memory and transfers control of the switch over to IOS

If a switch has 2 ports, how many collision domains can it have?

2

Which ports are assigned to VLAN 1 by default?

ALL of them

The partial output of the show running-config command. The enable password on this switch is "cisco." What can be determined from the output shown?

Any configured line mode passwords will be encrypted in this configuration.

What are 2 ways to make a switch less vulnerable to attacks like MAC address flooding, CDP attacks, and Telnet attacks?.

Change passwords regularly. Turn off unnecessary services.

What happens when the transport input ssh command is entered on the switch vty lines?

Communication between the switch and remote users is encrypted.

VLAN 99 has been configured as the management VLAN with an IP address and subnet mask. Show interface VLAN99 output display shows the line protocol is down? Which action can change the state of the line?

Connect a host to an interface associated with VLAN 99

What happens when Host 1 attempts to send data?

Frames from Host 1 cause the interface to shut down.

What is included in CDP information?

IP address, software version, and the native VLAN - which attackers can use - DoS

Using the command switchport port-security - sets the maximum MAC addresses to what? And, the violation action to what?

Maximum 1 MAC address Violation action to shutdown

Where is the startup configuration stored?

NVRAM

The switch and workstation are administratively configured for full-duplex operation. What will or won't happen on this link?

No collisions will occur on this link.

Where is the running configuration stored?

RAM

Which command verifies which switch ports are up?

S1# show ip interface brief

Which command displays all secure MAC addresses configured on all switch interfaces?

S1# show port-security address

Which command verifies port security settings?

S1# show port-security int f0/1

Which 3 commands enable DHCP Snooping?

S1(config)# ip dhcp snooping S1(config)# ip dhcp snooping vlan ? S1(config)# ip dhcp snooping trust

What steps are needed to create a new VLAN on a switch to be managed remotely?

S1(config)# vlan 99 S1(config-vlan)# name Management S1(config-vlan)# exit S1(config)# interface vlan 99 S1(config-if)# ip address 172.16.1.15 255.255.0.0 S1(config-if)# no shutdown S1(config-if)# switchport access vlan 99 S1(config-if)# exit S1(config)# ip default-gateway 172.16.1.1 S1(config)# end S1#copy running-config startup-config

Which command sets the maximum # of secure MAC addresses allowed on a switch port?

S1(config-if)# switchport port-security maximum 50

Which command configures the violation mode on a switch port?

S1(config-if)# switchport port-security violation * after violation type protect, restrict, or shutdown

Which command disables a range of switch ports?

S1(config-if-range)# shutdown S1(config-if-range)# int range f0/4 - 24

What refers to a protocol that provides an encrypted connection? The protocol replaces the clear text Telnet protocol for Cisco device management.

SSH

What action does SW1 take on a frame sent from PCA to PCC if the MAC address table of SW1 is empty?

SW1 floods the frame on all ports on SW1, except for the port that received the frame.

What happens whent the command banner login "Authorized personnel Only" is issued on a switch?

The command will cause the message Authorized personnel Only to display before a user logs in.

When a collision occurs in a network using CSMA/CD, how do hosts with data to transmit respond after the backoff period has expired?

The hosts return to a listen-before-transmit mode.

When a switch receives a frame and the source MAC address is not found in the switching table, what action will be taken by the switch to process the incoming frame?

The switch will map the source MAC address to the port on which it was received.

What is DCHP snooping?

a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests - ports are identified as trusted & untrusted

Describe penetration testing:

a simulated attack against the network to determine how vulnerable it would be in a real attack - admin can identify weaknesses

What is SVI (switched virtual interface)?

a special IP address Cisco switches can be configured with - used for remote access to the switch

Define late collisions (output error):

after 512 bits of the frame - the preamble - have been transmitted - usually caused by excessive cable lengths or duplex misconfiguration

What would be an ideal environment to carry out penetration tests?

an off-line test bed network that mimics the actual production network

A network administrator uses the CLI to enter a command that requires several parameters. The switch responds with "% Incomplete command". The administrator cannot remember the missing parameters. What can the administrator do to get the parameter information?

append a space and then ? to the last parameter

What is DHCP spoofing?

attacker configures a fake DHCP server to issue DHCP address to clients - forces clients to use false DNS servers - makes clients use the attacker as their default gateway - caused DHCP address pool to become depleted

What is a DHCP starvation attack?

attacker floods the DHCP server with requests to use up all available IP addresses the DHCP server can issue - leads to DoS

Define a brute force attack:

attacker uses a dictionary to find common passwords to initiate a Telnet session

To use auto-MDIX on an interface, what must the interface speed and duplex be set to so auto-MDIX operates correctly?

auto detect

A network technician wants to implement SSH as the means by which a router may be managed remotely. What are 2 procedures that the technician should use to use SSH?

configure authentication define the asymmetrical keys

What do you need to do for remote switch management?

configure the switch with an IP address and subnet mask - if managing the switch from a remote network - also configure the switch with the default gateway

What should be looked at when troubleshooting switch port issues?

duplex and speed settings

What is a MAC address table overflow attack?

flooding attacks make use of limited size in a MAC address table to overwhelm the switch with fake source MAC addresses until the switch MAC address table is full

Which command line interface (CLI) mode allows users to configure switch parameters, such as the hostname and password?

global configuration mode

Which hosts will receive a broadcast frame sent from Host A?

hosts B, C, D, and E

Define runts (input error):

less than 64-byte minimum allowed length - usually caused by malfunctioning NICs

Define giants (input error):

longer than the maximum allowed length

The network admin has decided to allow only SSH connections to Switch1. After the commands are applied, the admin is able to connect to Switch1 using both SSH and Telnet. What is most likely the problem?

missing transport input ssh command

What is the factory default interface violation mode?

shutdown - interface becomes error disabled

What is Network Time Protocol (NTP)?

synchronizes the clocks of computer systems over packet-switched, variable-latency data networks

In full-duplex mode, what should be disabled?

the NIC collision detection circuit

What happens if a rouge device on an untrusted port tries to send a DHCP response packet into the network?

the port is shut down

Define input errors:

the sum of all errors in datagrams received on the interface

Define output errors:

the sum of all errors that prevented the final transmission of datagrams out of the interface

If you disable sticky learning, what happens to sticky secure MAC addresses?

they remain part of the MAC address table, but are removed from the running configuration

If a network admin enters these commands on a switch, what will be the result? Switch1(config-line)# line console 0 Switch1(config-line)# password cisco Switch1(config-line)# login

to secure console port access with password cisco

Which ports can source all DHCP messages?

trusted

Which ports can source DHCP source requests only?

untrusted

How do you secure a network?

use a written security policy, shut down unused services & ports, use strong passwords & change them often, control physical access to devices, use HTTPS, perform backups, develop policies to validate identities (over the phone, via email, and in person), encrypt & password-protect sensitive data, implement security hardware & software (firewalls), install security patches often, and use network security auditing tools.

What causes a CRC input error?

usually a media or cable error

The switch and the hub have default configurations, and the switch has built its CAM table. Which of the hosts will capture a copy of the frame when workstation A sends a unicast packet to workstation C?

workstation C