Chapter 10-11 Study guide
A threat actor sends a BPDU message with priority 0. What type of attack is this?
  Address Spoofing
  ARP Spoofing
  CDP reconnaissance
  DHCP Starvation
  STP Attack
  VLAN Hopping
STP Attack
What would be the primary reason a threat actor would launch a MAC address overflow attack?
  So that the threat actor can see frames that are destined for other devices.
  So that the threat actor can execute arbitrary code on the switch.
  So that the switch stops forwarding traffic.
  So that the legitimate hosts cannot obtain a MAC address.
So that the threat actor can see frames that are destined for other devices.
What is TACACS+?
Terminal Access Controller Access Control System
What is the behavior of a switch as a result of a successful MAC address table attack?
  The switch will shut down.
  The switch interfaces will transition to the error-disabled state.
  The switch will forward all received frames to all other ports within the VLAN.
  The switch will drop all received frames.
The switch will forward all received frames to all other ports within the VLAN.
Which security feature should be enabled in order to prevent an attacker from overflowing the MAC address table of a switch?
  root guard
  BPDU filter
  storm control
  port security
port security
Which two features on a Cisco Catalyst switch can be used to mitigate DHCP starvation and DHCP spoofing attacks? (Choose two.)
  extended ACL
  DHCP server failover
  port security
  strong password on DHCP servers
  DHCP snooping
port security, DHCP snooping.
Which command would be best to use on an unused switch port if a company adheres to the best practices as recommended by Cisco?
  switchport port-security violation shutdown
  ip dhcp spoofing
  switchport port-security mac-address sticky mac-address
  switchport port-security mac-address sticky
  shutdown
shutdown
Because of implemented security controls, a user can only access a server with FTP. Which AAA component accomplishes this?
  Accessibility
  Authentication
  Authorization
  Accounting
  Auditing
Authorization
What three services are provided by the AAA framework? (Choose three.)
  Authorization
  Autobalancing
  Accounting
  Autoconfiguration
  Authentication
  Automation
Authorization, Accounting, Authentication
Which service is enabled on a Cisco router by default that can reveal significant information about the router and potentially make it more vulnerable to attack?
  LLDP
  HTTP
  CDP
  FTP
CDP
A threat actor discovers the IOS version and IP addresses of the local switch. What type of attack is this?
  Address Spoofing
  ARP Spoofing
  CDP reconnaissance
  DHCP Starvation
  STP Attack
  VLAN Hopping
CDP reconnaissance
Which of the following mitigation techniques prevents ARP spoofing and ARP poisoning attacks?
  IPSG
  DHCP snooping
  DAI
  Port Security
DAI
Which of the following mitigation techniques prevents DHCP starvation and DHCP spoofing attacks?
  IPSG
  DHCP Snooping
  DAI
  Port Security
DHCP Snooping
A threat actor leases all the available IP addresses on a subnet. What type of attack is this?
  Address Spoofing
  ARP Spoofing
  CDP reconnaissance
  DHCP Starvation
  STP Attack
  VLAN Hopping
DHCP Starvation
Which Layer 2 attack will result in legitimate users not getting valid IP addresses?
  DHCP starvation
  ARP spoofing
  IP address spoofing
  MAC address flooding
DHCP starvation
What is the best way to prevent a VLAN hopping attack?
  Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports.
  Use VLAN 1 as the native VLAN on trunk ports.
  Use ISL encapsulation on all trunk links.
  Disable STP on all nontrunk ports.
Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports.
Which procedure is recommended to mitigate the chances of ARP spoofing?
  Enable IP Source Guard on trusted ports.
  Enable port security globally.
  Enable DHCP snooping on selected VLANs.
  Enable DAI on the management VLAN.
Enable DHCP snooping on selected VLANs.
What mitigation plan is best for thwarting a DoS attack that is creating a MAC address table overflow?
  Enable Port Security
  Disable STP
  Place unused ports in an unused VLAN
  Disable DTP
Enable Port Security
Which Cisco solution helps prevent MAC and IP address spoofing attacks?
  Port Security
  IP Source Guard
  DHCP Snooping
  Dynamic ARP Inspection
IP Source Guard.
An administrator who is troubleshooting connectivity issues on a switch notices that a switch port configured for port security is in the err-disabled state. After verifying the cause of the violation, how should the administrator re-enable the port without disrupting network operation?
  Reboot the switch.
  Issue the no switchport port-security violation shutdown command on the interface.
  Issue the shutdown command followed by the no shutdown command on the interface.
  Issue the no switchport port-security command, then re-enable port security.
Issue the shutdown command followed by the no shutdown command on the interface.
Why is authentication with AAA preferred over a local database method?
  It uses network bandwidth.
  It provides a fallback authentication method if the administrator forgets the username and password.
  It specifies a different password for each line or port.
  It requires a login and password combination on console, vty lines, and aux ports.
It provides a fallback authentication method if the administrator forgets the username and password.
When security is a concern, which OSI Layer is considered to be the weakest link in a network system?
  Layer 2
  Layer 3
  Layer 4
  Layer 7
Layer 2
Which Layer 2 attack will result in a switch flooding incoming frames to all ports?
  ARP poisoning
  MAC address overflow
  IP address spoofing
  Spanning Tree Protocol manipulation
MAC address overflow.
Which three Cisco products focus on endpoint security solutions? (Choose three.)
  Adaptive Security Appliance
  NAC Appliance
  SSL/IPsec VPN Appliance
  IPS Sensor Appliance
  Web Security Appliance
  Email Security Appliance
NAC Appliance, Web Security Appliance, Email Security Appliance
What mitigation technique must be implemented to prevent MAC address overflow attacks?
  IPSG
  DAI
  Port Security
  DHCP Snooping
Port Security
Which of the following mitigation techniques prevents many types of attacks including MAC address table overflow and DHCP starvation attacks?
  IPSG
  DHCP snooping
  DAI
  Port Security
Port Security
In a server-based AAA implementation, which protocol will allow the router to successfully communicate with the AAA server?
  RADIUS
  SSH
  802.1x
  TACACS
RADIUS
What two protocols are supported on Cisco devices for AAA communications? (Choose two.)
  RADIUS
  VTP
  HSRP
  TACACS+
  LLDP
RADIUS, TACACS+
Where are dynamically learned MAC addresses stored when sticky learning is enabled with the switchport port-security mac-address sticky command?
  flash
  NVRAM
  ROM
  RAM
RAM
What does RADIUS stand for?
Remote Authentication Dial-In User Service
Which two commands can be used to enable PortFast on a switch? (Choose two.)
  S1(config)# enable spanning-tree portfast default
  S1(config-line)# spanning-tree portfast
  S1(config)# spanning-tree portfast default
  S1(config-if)# enable spanning-tree portfast
  S1(config-if)# spanning-tree portfast
S1(config)# spanning-tree portfast default
S1(config-if)# spanning-tree portfast
A network administrator is configuring DAI on a switch with the command ip arp inspection validate dst-mac. What is the purpose of this configuration command?
  To check the destination MAC address in the Ethernet header against the user-configured ARP ACLs.
  To check the destination MAC address in the Ethernet header against the MAC address table.
  To check the destination MAC address in the Ethernet header against the source MAC address in the ARP body.
  To check the destination MAC address in the Ethernet header against the target MAC address in the ARP body.
To check the destination MAC address in the Ethernet header against the target MAC address in the ARP body.
What is the purpose of AAA accounting?
  To collect and report application usage.
  To determine which operations the user can perform.
  To prove users are who they say they are.
  To determine which resources the user can access.
To collect and report application usage.
True or False? In the 802.1X standard, the client attempting to access the network is referred to as the supplicant.
True
What are two types of switch ports that are used on Cisco switches as part of the defense against DHCP spoofing attacks? (Choose two.)
  Trusted DHCP Port.
  Untrusted Port.
  Established DHCP port.
  Authorized Port.
  Unauthorized Port.
  Unknown Port.
Trusted DHCP Port. Untrusted Port.
A threat actor configures a host with the 802.1Q protocol and forms a trunk with the connected switch. What type of attack is this?
  Address Spoofing
  ARP Spoofing
  CDP reconnaissance
  DHCP Starvation
  STP Attack
  VLAN Hopping
VLAN Hopping
What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol?
  ARP spoofing
  ARP poisoning
  DHCP spoofing
  VLAN hopping
VLAN hopping
Which of the following mitigation techniques are used to protect Layer 3 through Layer 7 of the OSI Model? (Choose three.)
  DHCP Snooping
  VPN
  Firewalls
  IPSG
  IPS Devices
VPN, Firewalls, IPS devices
A network administrator is configuring DAI on a switch. Which command should be used on the uplink interface that connects to a router?
  ip dhcp snooping
  ip arp inspection trust
  spanning-tree portfast
  ip arp inspection vlan
ip arp inspection trust
A network administrator is configuring DHCP snooping on a switch. Which configuration command should be used first?
  ip dhcp snooping
  ip dhcp snooping limit rate
  ip dhcp snooping vlan
  ip dhcp snooping trust
ip dhcp snooping
What is involved in an IP address spoofing attack?
  A rogue node replies to an ARP request with its own MAC address indicated for the target IP address.
  Bogus DHCPDISCOVER messages are sent to consume all the available IP addresses on a DHCP server.
  A legitimate network IP address is hijacked by a rogue node.
  A rogue DHCP server provides false IP configuration parameters to legitimate DHCP clients.
A legitimate network IP address is hijacked by a rogue node.
A threat actor sends a message that causes all other devices to believe the MAC address of the threat actor's device is the default gateway. What type of attack is this?
  Address Spoofing
  ARP Spoofing
  CDP reconnaissance
  DHCP Starvation
  STP Attack
  VLAN Hopping
ARP Spoofing
A threat actor changes the MAC address of the threat actor's device to the MAC address of the default gateway. What type of attack is this?
  Address Spoofing
  ARP spoofing
  CDP reconnaissance
  DHCP Starvation
  STP attack
  VLAN hopping
Address Spoofing.
On what switch ports should PortFast be enabled to enhance STP stability?
  Only ports that attach to a neighboring switch.
  Only ports that are elected as designated ports.
  All trunk ports that are not root ports.
  All end-user ports.
All end-user ports.
What is a recommended best practice when dealing with the native VLAN?
  Turn off DTP.
  Assign the same VLAN number as the management VLAN.
  Use port security.
  Assign it to an unused VLAN.
Assign it to an unused VLAN.
