DCCOR Security
Which databases are managed by the fabric binding feature? (Choose two answers.) 1) Configuration database 2) Inactive database 3) Active database 4) Startup database
1) Configuration database 3) Active database The fabric binding feature maintains a configuration database (config-database) and an active database. The config-database is a read-write database that collects the configurations you perform. These configurations are enforced only upon activation. This activation overwrites the active database with the contents of the config-database. The active database is read-only and is the database that checks each switch that attempts to log in.
What UCS authentication protocol does not require user attributes? 1) LDAP with group mapping 2) RADIUS 3) TACACS+ 4) Key chain authentication
1) LDAP with group mapping For RADIUS and TACACS+ configurations, you must configure a user attribute in each remote authentication provider through which users log in to the Cisco UCS Manager. This user attribute holds the roles and locales assigned to each user. This step is not required for LDAP configurations that use LDAP group mapping to assign roles and locales.
Port security can be configured using which of the following methods? (Choose three answers.) 1) Manual Database Configuration 2) Auto-Learning without CFS Distribution 3) Fabric Binding 4) Auto-Learning with CFS Distribution
1) Manual Database Configuration 2) Auto-Learning without CFS Distribution 4) Auto-Learning with CFS Distribution Fabric binding binds the fabric at the switch level, whereas port security binds devices at the interface level.
What does Control Plane Policing (CoPP) protect? 1) The CPU against DDoS 2) Memory against memory leaks 3) The NX-OS against unauthorized access 4) All of the above
1) The CPU against DDoS The Cisco NX-OS device provides CoPP to prevent denial-of-service (DoS) attacks from impacting performance. Such attacks, which can be perpetrated either inadvertently or maliciously, typically involve high rates of traffic destined to the supervisor module or CPU itself.
Which statements are TRUE regarding the fabric binding feature? (Choose two answers.) 1) The fabric binding feature helps prevent unauthorized switches from joining the fabric or disrupting current fabric operations. 2) Fabric binding is configured on a per-VSAN basis. 3) Fabric binding can be distributed by CFS and hence configured automatically on each switch in the fabric. 4) Fabric binding uses pWWNs/nWWNs.
1) The fabric binding feature helps prevent unauthorized switches from joining the fabric or disrupting current fabric operations. 2) Fabric binding is configured on a per-VSAN basis. Fabric binding cannot be distributed by CFS and must be configured manually on each switch in the fabric. Fabric binding uses a set of sWWNs.
Microsegmentation improves network performance. 1) True 2) False
1) True When the network is microsegmented, there are fewer end devices per subnetwork, thus minimizing traffic flow and optimizing the network.
Which of the following statements are CORRECT regarding user roles on Cisco MDS 9000 Series Switches? (Choose two answers.) 1) User roles contain rules that define the operations allowed for the user who is assigned the role. 2) Each user role can contain multiple rules, but each user cannot have multiple roles. 3) Up to 16 rules can be configured for each role. 4) User roles cannot be used to create VSAN administrators.
1) User roles contain rules that define the operations allowed for the user who is assigned the role. 3) Up to 16 rules can be configured for each role. Each user role can contain multiple rules, and each user can have multiple roles. Roles can be used to create VSAN administrators. Depending on the configured rules, these VSAN administrators can configure MDS features (for example, zone, fcdomain, or VSAN properties) for their VSANs without affecting other VSANs. Also, if the role permits operations in multiple VSANs, the VSAN administrators can change VSAN membership of F or FL ports among these VSANs.
By default, the user accounts without an administrator role can access the ____________. (Choose two answers.) 1) show command 2) config terminal command 3) Interface <interface name> 4) Router OSPF
1) show command 2) config terminal command By default, the user accounts without an administrator role can access only the show, exit, end, and configure terminal commands. You can add rules to allow users to configure features.
When you enable DHCP snooping, what does an untrusted port filter out? 1) DHCP replies from a legitimate DHCP server 2) DHCP replies from a rogue server 3) DHCP requests from a legitimate client 4) DHCP requests from rogue clients
2) DHCP replies from a rogue server The device validates DHCP packets received on the untrusted interfaces of VLANs that have DHCP snooping enabled. The device forwards the DHCP packet unless any of the following conditions occur (in which case, the packet is dropped): - The device receives a DHCP response packet (such as a DHCPACK, DHCPNAK, or DHCPOFFER packet) on an untrusted interface. - The device receives a packet on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match. This check is performed only if the DHCP snooping MAC address verification option is turned on. - The device receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received.
If no contract is applied between intra-endpoints, no traffic flow is allowed between the provider and the consumer. 1) True 2) False
2) False While different endpoint groups (EPGs) can only communicate with other endpoint groups based on the contract rules defined, no contract is required for intra-endpoint group communication. Intra-endpoint group communication from endpoint to endpoint in the same endpoint group is allowed by default.
Dynamic ARP inspections help mitigate an attack based on which one of the following parameters with an ARP reply packet? 1) Source IP address 2) MAC address 3) Destination IP address 4) Sequence number
2) MAC address ARP inspections allow a network administrator to intercept, log, and discard ARP packets with invalid MAC address-to-IP address bindings.
Which of the following statements are TRUE regarding the port security feature? (Choose two answers.) 1) Port security binds the fabric at the switch level. 2) Port security requires activation on a per-VSAN basis. 3) Port security cannot be distributed by CFS. 4) Port security uses pWWNs/nWWNs or fWWNs/sWWNs.
2) Port security requires activation on a per-VSAN basis. 4) Port security uses pWWNs/nWWNs or fWWNs/sWWNs. Port security binds devices at the interface level. Port security can be distributed by CFS
What are the most common AAA protocols? (Choose two answers.) 1) TCP/IP 2) RADIUS 3) TACACS+ 4) LDAP
2) RADIUS 3) TACACS+ Nexus devices support local and remote AAA. Remote AAA services are provided through the RADIUS and TACACS+ protocols. TCP/IP is not an AAA protocol, and LDAP is not commonly used for network authentication.
What are the UCS authentication protocols that support dual-factor authentications? (Choose two answers.) 1) LDAP 2) RADIUS 3) TACACS+ 4) Local
2) RADIUS 3) TACACS+ Two-factor authentication is supported by associating RADIUS or TACACS+ provider groups with designated authentication domains and enabling two-factor authentication for those domains. Two-factor authentication does not support IPM and is not supported when the authentication realm is set to LDAP, local, or none.
What is the key start time in the keychain? 1) The absolute time that the lifetime ends 2) The absolute time that the lifetime begins 3) The number of seconds after the start time 4) Infinite lifetime (no end time)
2) The absolute time that the lifetime begins Start time: The absolute time that the lifetime begins. End time: The end time can be defined in one of the following ways: - The absolute time that the lifetime ends - The number of seconds after the start time that the lifetime ends - Infinite lifetime (no end time)
What ports are used by RADIUS protocols? (Choose two answers.) 1) UDP 49 2) UDP 1645/1646 3) TCP 1645/1646 4) UDP 1812/1813
2) UDP 1645/1646 3) TCP 1645/1646 RADIUS uses the UDP 1645/1646 and 1812/1813 ports.
What command would you enter to set up authentication on your router to query the TACACS+ servers and, if unable to communicate to the servers, authenticate from the local password? 1) aaa authentication login default group radius enable 2) aaa authentication login default group tacacs+ local 3) aaa authentication login default group tacacs+ enable 4) aaa authentication login default group tacacs+ none
2) aaa authentication login default group tacacs+ local The aaa authentication login default group tacacs+ local command uses AAA as a default login and tries the TACACS+ group because it is first in the list; then it tries the local account.
The LDAP client/server protocol uses which TCP port number for transport requirements? 1) 2003 2) 1812 3) 389 4) 49
3) 389 The LDAP client/server protocol uses TCP (TCP port 389) for transport requirements.
Which of the following statements are INCORRECT regarding TACACS+? (Choose two answers.) 1) TACACS+ uses the TCP transport protocol to send data between the AAA client and server, making reliable transfers with a connection-oriented protocol. 2) TACACS+ provides independent, modular AAA facilities. Authorization can be done without authentication. 3) TACACS+ encrypts passwords only. 4) TACACS+ is an open protocol supported by multiple vendors.
3) TACACS+ encrypts passwords only. 4) TACACS+ is an open protocol supported by multiple vendors. TACACS+ is a Cisco proprietary protocol. TACACS+ encrypts the entire protocol payload between the switch and the AAA server to ensure higher data confidentiality. RADIUS encrypts passwords only.
What port is used by LDAP SSL protocols? 1) UDP 49 2) UDP 1645/1646 3) TCP 636 4) TCP 389
3) TCP 636 LDAP uses STARTTLS. This allows encrypted communication using port 389. Cisco UCS negotiates a TLS session on port 636 for SSL, but initial connection starts unencrypted on 389.
By default, how many MAC addresses are permitted to be learned on a switch port with port security enabled? 1) Eight 2) Four 3) Two 4) One
4) One When port security is enabled, the default maximum number of permitted MAC address is one.