- CCNP Switching 642-813
41.
You are responsible for increasing the security within the Company LAN. Of the following choices
listed below, which is true regarding layer 2 security and mitigation techniques?
- A. Enable root guard to mitigate ARP address spoofing attacks.
- B. Configure DHCP spoofing to mitigate ARP address spoofing attacks.
- C. Configure PVLANs to mitigate MAC address flooding attacks.
- D. Enable root guard to mitigate DHCP spoofing attacks.
- E. Configure dynamic ARP inspection (DAI) to mitigate IP address spoofing on DHCP untrusted ports.
- F. Configure port security to mitigate MAC address flooding.
- Answer & Explanation
Answer : [F]
Explanation :
Port security mitigates MAC address flooding (CAM table overflow) because it limits the number of source MAC addresses a port may learn and takes a configured action (protect, restrict or shutdown) when that limit is exceeded; the flooding tool's thousands of bogus source addresses are never installed in the CAM table. The same commands can also specify exactly which MAC address belongs on a port, which counters MAC spoofing, but as with CAM overflow mitigation, statically assigning a MAC address on every port is unmanageable at scale. The other options pair the wrong control with the threat: root guard protects the spanning-tree root role, PVLANs isolate hosts inside a VLAN, DHCP snooping and DAI address rogue DHCP servers and ARP spoofing respectively. Hold-down timers in interface configuration, which set how long an entry stays in the ARP cache, are a further (weaker) way to reduce exposure to ARP spoofing.
42.
You work as a network technician at Company.com. Your boss is interested in switch spoofing.
She asks you how an attacker would collect information with VLAN hopping through switch
spoofing. You should tell her that the attacking station...
- A. uses VTP to collect VLAN information that is sent out and then tags itself with the domain information in order to capture the data.
- B. will generate frames with two 802.1Q headers to cause the switch to forward the frames to a VLAN that would be inaccessible to the attacker through legitimate means.
- C. uses DTP to negotiate trunking with a switch port and captures all traffic that is allowed on the trunk.
- D. tags itself with all usable VLANs to capture data that is passed through the switch, regardless of the VLAN to which the data belongs.
- E. None of the other alternatives apply.
- Answer & Explanation
Answer : [C]
Explanation :
DTP should be disabled on all user-facing ports. If a port is left in DTP dynamic auto or dynamic desirable mode (the default on many switches), an attacking station can send DTP frames, negotiate the port into a trunk, and then receive the traffic of every VLAN allowed on that trunk. The fix is to put user ports into static access mode and turn DTP off with switchport nonegotiate. Option B describes the other VLAN hopping technique, double tagging, which is mitigated separately by keeping the native VLAN of trunks free of user traffic.
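As an added configuration example (not part of the original exam material), the hardening this answer implies on a Catalyst switch running IOS. The interface numbers, VLAN numbers and the unused native VLAN 999 are chosen for illustration. The weak setting is shown first so the difference is visible:

```cisco
! Weak: many switches default user ports to "dynamic auto" (or "dynamic desirable").
! An attacker's DTP frames can negotiate such a port into a trunk carrying every VLAN.
interface GigabitEthernet0/5
 switchport mode dynamic auto
!
! Hardened user ports: static access mode, DTP disabled, STP edge protection.
! "switchport nonegotiate" is only accepted once the mode is no longer dynamic.
interface range GigabitEthernet0/5 - 24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! A native VLAN that carries no hosts, so a double-tagged frame has nowhere to land.
vlan 999
 name NATIVE-UNUSED
!
! Legitimate uplink: explicit trunk, DTP off, unused native VLAN, allowed VLANs pruned.
! The "encapsulation dot1q" line is needed on platforms that also support ISL; switches
! that only speak 802.1Q reject it and do not need it.
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
! Verification on a user port: expect "Operational Mode: static access" and
! "Negotiation of Trunking: Off".
! Switch# show interfaces GigabitEthernet0/5 switchport
! Switch# show dtp interface GigabitEthernet0/5
```

The check that matters in an audit is the "Negotiation of Trunking" field: a port in static access mode with negotiation still "On" will answer DTP and is the condition the question describes.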
43.
VLAN maps have been configured on switch R1. Which of the following actions is taken in a VLAN map for a packet that does not match any match clause?
- A. Implicit deny at the end of the list.
- B. Implicit deny at the start of the list.
- C. Implicit forward at the end of the list.
- D. Implicit forward at the start of the list.
- Answer & Explanation
Answer : [A]
Explanation :
Each VLAN access map consists of one or more sequences, each with an optional match clause and an action clause. The match clause references IP or MAC ACLs (IPX on older platforms) that select traffic; the action clause (forward or drop) is applied when a packet matches. A permit entry in the referenced ACL means "match": the action is taken and the packet is not checked against the remaining sequences. A deny entry means "no match": the packet is checked against the next ACL in the same sequence or the next sequence. If a packet matches no ACL entry and at least one match clause is configured for its packet type, the packet is dropped; this is the implicit deny at the end of the map (answer A). Two caveats: a sequence with no match clause at all matches every packet, which is how an explicit catch-all "action forward" is written, and if the map contains no match clause for a packet type (for example no MAC ACL), packets of that type are forwarded unchanged.
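As an added example (not from the original page), two VLAN maps that make the implicit deny visible on a Catalyst switch running IOS. The ACL names, VLAN 10 and the 10.10.10.0/24 addresses are constructed for illustration:

```cisco
! Map 1: permit only HTTP/HTTPS from VLAN 10 hosts to one server.
! A permit entry in the ACL means "match", so these packets are forwarded.
ip access-list extended WEB-TO-SERVER
 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.100 eq 80
 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.100 eq 443
!
vlan access-map VLAN10-FILTER 10
 match ip address WEB-TO-SERVER
 action forward
!
vlan filter VLAN10-FILTER vlan-list 10
!
! Effect of map 1: every other IP packet in VLAN 10 hits the implicit deny and is dropped,
! including DHCP and DNS, which is the usual surprise when a map has only permit-to-forward
! sequences. Non-IP frames such as ARP are still forwarded because the map has no MAC
! match clause for that packet type.
!
! Map 2: drop Telnet, forward everything else. The catch-all sequence 20 has no match
! clause and therefore matches every packet; without it the implicit deny would again
! drop all non-Telnet IP traffic.
ip access-list extended TELNET
 permit tcp any any eq 23
!
vlan access-map VLAN10-NOTELNET 10
 match ip address TELNET
 action drop
vlan access-map VLAN10-NOTELNET 20
 action forward
!
! A VLAN carries one map; applying this replaces VLAN10-FILTER on VLAN 10.
vlan filter VLAN10-NOTELNET vlan-list 10
!
! Verification
! Switch# show vlan access-map
! Switch# show vlan filter
```

When reviewing a VACL, read the referenced ACL's permit lines as "selected for the action" rather than as "allowed"; the action clause, not the ACL keyword, decides whether the packet is forwarded.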
44.
You need to configure port security on switch R1. Which two statements are true about this
technology? (Select two)
- A. Port security can be configured for ports supporting VoIP.
- B. With port security configured, four MAC addresses are allowed by default.
- C. The network administrator must manually enter the MAC address for each device in order for the switch to allow connectivity.
- D. With port security configured, only one MAC address is allowed by default.
- E. Port security cannot be configured for ports supporting VoIP.
- Answer & Explanation
Answer : [A, D]
Explanation :
Port security restricts input on an interface by limiting the number of MAC addresses allowed on the port and, optionally, by identifying which addresses they are. Secure addresses can be configured statically, learned dynamically, or learned as sticky addresses that survive a reload, so the administrator does not have to enter every device's MAC address by hand (C is false). By default a secured port allows one secure MAC address and shuts the port down on a violation (D is true, B is false). When secure MAC addresses are assigned to a secure port, the port does not forward packets with source addresses outside that set; if you limit the port to one secure address and assign it, the attached workstation is assured the full bandwidth of the port. The feature is supported on voice VLAN ports (A is true, E is false): if you enable port security on a port configured with a voice VLAN and a PC is connected behind the Cisco IP Phone, Cisco recommends setting the maximum number of secure addresses on the port to at least 3.
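As an added configuration example (not from the original exam material), port security as it answers both question 41 (capping learned addresses to stop MAC flooding) and this question (defaults and the voice VLAN case) on a Catalyst switch running IOS. Interface and VLAN numbers are chosen for illustration:

```cisco
! Single workstation port. The defaults are maximum 1 and violation shutdown, so
! "switchport port-security" alone would do; the values are written out for clarity.
! Sticky learning records the first address seen into the running config, which
! avoids typing MAC addresses by hand while still pinning the port to one host.
interface GigabitEthernet0/10
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
! Cisco IP Phone with a PC behind it: the phone is learned on the access and voice VLAN
! and the PC on the access VLAN, hence at least 3. "restrict" drops offending frames,
! logs and counts the violation without err-disabling the port; inactivity aging lets
! a replaced PC be learned again without manual intervention.
interface GigabitEthernet0/11
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 10
 switchport port-security aging type inactivity
!
! A MAC flooding tool on either port trips the limit immediately: the bogus source
! addresses are never installed in the CAM table.
!
! Recover err-disabled ports after 5 minutes instead of requiring a manual shut / no shut.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification: MaxSecureAddr, CurrentAddr, SecurityViolation count and the action.
! Switch# show port-security
! Switch# show port-security interface GigabitEthernet0/11
! Switch# show port-security address
```

A rising SecurityViolation counter on a "restrict" port with CurrentAddr pinned at the maximum is the signature of a flooding or spoofing attempt that the feature is absorbing.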
45.
The Company is concerned about Layer 2 security threats. Which statement is true about these
threats?
- A. MAC spoofing attacks allow an attacking device to receive frames intended for a different network host.
- B. Port scanners are the most effective defense against dynamic ARP inspection.
- C. MAC spoofing, in conjunction with ARP snooping, is the most effective counter-measure against reconnaissance attacks that use dynamic ARP inspection (DAI) to determine vulnerable attack points.
- D. Dynamic ARP inspection in conjunction with ARP spoofing can be used to counter DHCP snooping attacks.
- E. DHCP snooping sends unauthorized replies to DHCP queries.
- Answer & Explanation
Answer : [A]
Explanation :
Only A is true. In a MAC spoofing attack the attacker sends frames whose source address is that of another host; the switch updates its CAM table so that the victim's MAC address now points at the attacker's port, and frames destined for the victim are delivered to the attacker until the real host transmits again. The remaining options confuse attacks with defenses: MAC spoofing is an attack, not a countermeasure, and reconnaissance attacks do not use dynamic ARP inspection (DAI), which is a switch feature that prevents ARP spoofing. DHCP snooping does not send DHCP replies; it drops server replies that arrive on untrusted ports and builds the IP-to-MAC binding table that DAI checks ARP packets against.
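As an added configuration example (not from the original page), DHCP snooping and DAI as they are actually deployed together on a Catalyst switch running IOS, since DAI depends on the snooping binding table. Interface numbers, VLANs, the static host address and its MAC are constructed for illustration:

```cisco
! DHCP snooping: builds the (IP, MAC, VLAN, port) binding table and drops DHCP server
! replies seen on untrusted ports, which is what stops a rogue DHCP server.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Most enterprise DHCP servers reject packets carrying option 82 from a non-relay;
! disable insertion unless the server is configured for it.
no ip dhcp snooping information option
!
! Only the uplink toward the real DHCP server is trusted, for both features.
interface GigabitEthernet0/1
 description Uplink to distribution
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports stay untrusted; rate limits keep a flooding host from exhausting the CPU
! (a port exceeding its ARP rate is err-disabled).
interface range GigabitEthernet0/5 - 24
 switchport mode access
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
! DAI: on untrusted ports, ARP packets whose sender IP/MAC do not appear in the binding
! table are dropped. The validate options also compare the Ethernet header with the
! ARP body and reject bogus or broadcast IP addresses in ARP.
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! A statically addressed host has no snooping binding; give it an ARP ACL rather than
! trusting its port.
arp access-list STATIC-HOSTS
 permit ip host 10.10.10.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Verification
! Switch# show ip dhcp snooping
! Switch# show ip dhcp snooping binding
! Switch# show ip arp inspection vlan 10
! Switch# show ip arp inspection statistics vlan 10
```

Enable DHCP snooping first and let the binding table fill (or add the static entries) before turning on DAI; otherwise every legitimate host whose lease predates the snooping table is cut off by DAI until it renews.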