Modules 13 - 14: Layer 2 and Endpoint Security
At which layer of the OSI model does Spanning Tree Protocol operate?
Layer 2
What is the result of a DHCP starvation attack?
Legitimate clients are unable to lease IP addresses.
Two devices that are connected to the same switch need to be totally isolated from one another. Which Cisco switch security feature will provide this isolation?
PVLAN Edge
Which protocol should be used to mitigate the vulnerability of using Telnet to remotely manage network devices?
SSH
What is the behavior of a switch as a result of a successful CAM table attack?
The switch will forward all received frames to all other ports.
Why are traditional network security perimeters not suitable for the latest consumer-based network endpoint devices?
These devices are more varied in type and are portable.
Refer to the exhibit. The network administrator is configuring the port security feature on switch SWC. The administrator issued the command show port-security interface fa 0/2 to verify the configuration. What can be concluded from the output that is shown? (Choose three.)
This port is currently up. Security violations will cause this port to shut down immediately. The switch port mode for this interface is access mode.
What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol?
VLAN hopping
Which command is used as part of the 802.1X configuration to designate the authentication method that will be used?
aaa authentication dot1x
Which term describes the role of a Cisco switch in the 802.1X port-based access control?
authenticator
How can DHCP spoofing attacks be mitigated?
by implementing DHCP snooping on trusted ports
In an 802.1x deployment, which device is a supplicant?
end-user station
What are two examples of traditional host-based security measures? (Choose two.)
host-based IPS antimalware software
What type of data does the DLP feature of Cisco Email Security Appliance scan in order to prevent customer data from being leaked outside of the company?
outbound messages
Which two ports can send and receive Layer 2 traffic from a community port on a PVLAN? (Choose two.)
promiscuous ports community ports belonging to the same community
An 802.1X client must authenticate before being allowed to pass data traffic onto the network. During the authentication process, between which two devices is the EAP data encapsulated into EAPOL frames? (Choose two.)
supplicant (client) authenticator (switch)
What device is considered a supplicant during the 802.1X authentication process?
the client that is requesting authentication
A network administrator is configuring DAI on a switch with the command ip arp inspection validate dst-mac . What is the purpose of this configuration command?
to check the destination MAC address in the Ethernet header against the target MAC address in the ARP body
What is the goal of the Cisco NAC framework and the Cisco NAC appliance?
to ensure that only hosts that are authenticated and have had their security posture examined and approved are permitted onto the network
A company implements 802.1X security on the corporate network. A PC is attached to the network but has not authenticated yet. Which 802.1X state is associated with this PC?
unauthorized
Which protocol defines port-based authentication to restrict unauthorized hosts from connecting to the LAN through publicly accessible switch ports?
802.1x
What is involved in an IP address spoofing attack?
A legitimate network IP address is hijacked by a rogue node.
A network administrator uses the spanning-tree loopguard default global configuration command to enable Loop Guard on switches. What components in a LAN are protected with Loop Guard?
All point-to-point links between switches.
Which procedure is recommended to mitigate the chances of ARP spoofing?
Enable DHCP snooping on selected VLANs.
Which Cisco solution helps prevent MAC and IP address spoofing attacks?
IP Source Guard
What two internal LAN elements need to be secured? (Choose two.)
IP phones switches
