46.
An attacker is launching a DoS attack on the Company network using a hacking tool designed to exhaust the IP address space available from the DHCP servers for a period of time. Which procedure would best defend against this type of attack?
  • A. Configure only trusted interfaces with root guard.
  • B. Implement private VLANs (PVLANs) to carry only user traffic.
  • C. Implement private VLANs (PVLANs) to carry only DHCP traffic.
  • D. Configure only untrusted interfaces with root guard.
  • E. Configure DHCP spoofing on all ports that connect untrusted clients.
  • F. Configure DHCP snooping only on ports that connect trusted DHCP servers.
Answer : [F]
Explanation :
Cisco Catalyst switches can use the DHCP snooping feature to help mitigate this type of attack. When DHCP snooping is enabled, switch ports are categorized as trusted or untrusted. Legitimate DHCP servers can be found on trusted ports, whereas all other hosts sit behind untrusted ports.
By default, all switch ports are assumed to be untrusted so that DHCP replies are not expected or permitted. Only trusted ports are allowed to send DHCP replies. Therefore, you should identify only the ports where known, trusted DHCP servers are located. You can do this with the following interface configuration command:
Switch(config-if)# ip dhcp snooping trust
47.
Company has implemented 802.1X authentication as a security enhancement. Which statement is true about 802.1x port-based authentication?
  • A. TACACS+ is the only supported authentication server type.
  • B. If a host initiates the authentication process and does not receive a response, it assumes it is not authorized.
  • C. RADIUS is the only supported authentication server type.
  • D. Before transmitting data, an 802.1x host must determine the authorization state of the switch.
  • E. Hosts are required to have an 802.1x authentication client or utilize PPPoE.
  • F. None of the other alternatives apply.
Answer : [C]
Explanation :
The IEEE 802.1x standard defines a port-based access control and authentication protocol that restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports. The authentication server authenticates each workstation that is connected to a switch port before making available any services offered by the switch or the LAN. Until the workstation is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the workstation is connected. After authentication succeeds, normal traffic can pass through the port.
Authentication server: Performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. The RADIUS security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server.
48.
The DAI feature has been implemented in the Company switched LAN. Which three statements are true about the dynamic ARP inspection (DAI) feature? (Select three)
  • A. DAI can be performed on ingress ports only.
  • B. DAI can be performed on both ingress and egress ports.
  • C. DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
  • D. DAI should be enabled on the root switch for particular VLANs only in order to secure the ARP caches of hosts in the domain.
  • E. DAI should be configured on all access switch ports as untrusted and on all switch ports connected to other switches as trusted.
Answer : [A, C, E]
Explanation :
To prevent ARP spoofing or "poisoning," a switch must ensure that only valid ARP requests and responses are relayed. DAI prevents these attacks by intercepting and validating all ARP requests and responses. Each intercepted ARP reply is verified for valid MAC-address-to-IP-address bindings before it is forwarded to a PC to update the ARP cache. ARP replies coming from invalid devices are dropped.
DAI determines the validity of an ARP packet based on a valid MAC-address-to-IP-address bindings database built by DHCP snooping. In addition, to handle hosts that use statically configured IP addresses, DAI can also validate ARP packets against user-configured ARP ACLs. To ensure that only valid ARP requests and responses are relayed, DAI takes these actions:
* Forwards ARP packets received on a trusted interface without any checks
* Intercepts all ARP packets on untrusted ports
* Verifies that each intercepted packet has a valid IP-to-MAC address binding before forwarding packets that can update the local ARP cache
* Drops, logs, or drops and logs ARP packets with invalid IP-to-MAC address bindings.
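As an added illustration (this is not code from the original question bank or from Cisco), the following Python model reproduces the port-trust logic described in the DHCP snooping explanation for question 46 and the four DAI actions listed above: server replies are accepted only on trusted ports, successful leases populate a binding table, ARP from trusted ports is forwarded unchecked, and ARP from untrusted ports is validated against the bindings or a user-configured ARP ACL and otherwise dropped and logged. Port names, MAC and IP addresses and the packet sequence are constructed sample data; keeping the binding table per single VLAN and keyed only by IP is a simplification of the real feature.

```python
# Added example (not from the original page or from Cisco): a small model of how
# DHCP snooping and Dynamic ARP Inspection (DAI) treat traffic by port trust state.
# All port names, MAC/IP addresses and packets below are constructed sample data.
from dataclasses import dataclass, field

# DHCP message type values (option 53, RFC 2132)
DHCP_DISCOVER, DHCP_OFFER, DHCP_REQUEST, DHCP_ACK, DHCP_NAK = 1, 2, 3, 5, 6
SERVER_REPLIES = {DHCP_OFFER, DHCP_ACK, DHCP_NAK}


@dataclass
class SnoopingSwitch:
    """Models one VLAN on a switch with DHCP snooping and DAI enabled (simplified)."""
    trusted_ports: set = field(default_factory=set)   # uplinks to real DHCP servers / other switches
    bindings: dict = field(default_factory=dict)      # DHCP snooping binding table: ip -> mac
    arp_acl: dict = field(default_factory=dict)       # user-configured ARP ACL for static hosts: ip -> mac
    log: list = field(default_factory=list)

    def is_trusted(self, port: str) -> bool:
        return port in self.trusted_ports

    def handle_dhcp(self, port: str, msg_type: int, client_mac: str, yiaddr: str = "") -> str:
        """DHCP snooping: server replies are only accepted from trusted ports; a
        successful lease (ACK) seen on a trusted port populates the binding table."""
        if msg_type in SERVER_REPLIES:
            if not self.is_trusted(port):
                self.log.append(f"DHCP_SNOOPING: dropped server reply type {msg_type} on untrusted port {port}")
                return "drop"
            if msg_type == DHCP_ACK and yiaddr:
                self.bindings[yiaddr] = client_mac       # learned IP-to-MAC binding
        # client messages (DISCOVER/REQUEST) are relayed from any port
        return "forward"

    def handle_arp(self, port: str, sender_ip: str, sender_mac: str) -> str:
        """DAI: forward ARP from trusted ports without checks; on untrusted ports verify
        the sender IP-to-MAC pair (ARP ACL entries first, then the snooping bindings);
        drop and log anything that does not match."""
        if self.is_trusted(port):
            return "forward"
        if sender_ip in self.arp_acl:
            expected = self.arp_acl[sender_ip]
        else:
            expected = self.bindings.get(sender_ip)
        if expected == sender_mac:
            return "forward"
        self.log.append(f"DAI: dropped ARP on {port}: {sender_ip} claims {sender_mac}, expected {expected}")
        return "drop"


def run_demo():
    """Walk through a rogue DHCP offer, a legitimate lease, and valid/invalid ARP replies.
    Returns (verdicts, log) so the outcome can be checked rather than only printed."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/24"})   # constructed: uplink to the real DHCP server
    sw.arp_acl["10.0.0.250"] = "00:aa:bb:cc:dd:ee"    # constructed: printer with a static address
    verdicts = [
        sw.handle_dhcp("Gi1/0/5", DHCP_OFFER, "00:11:22:33:44:55", "10.0.0.99"),   # server reply on an access port
        sw.handle_dhcp("Gi1/0/24", DHCP_ACK, "00:11:22:33:44:55", "10.0.0.10"),    # real lease via trusted uplink
        sw.handle_arp("Gi1/0/5", "10.0.0.10", "00:11:22:33:44:55"),                # matches learned binding
        sw.handle_arp("Gi1/0/5", "10.0.0.10", "de:ad:be:ef:00:01"),                # spoofed binding: dropped
        sw.handle_arp("Gi1/0/5", "10.0.0.250", "00:aa:bb:cc:dd:ee"),               # static host covered by ARP ACL
        sw.handle_arp("Gi1/0/24", "10.0.0.10", "de:ad:be:ef:00:01"),               # trusted port: no check applied
    ]
    return verdicts, sw.log


if __name__ == "__main__":
    verdicts, log = run_demo()
    for v in verdicts:
        print(v)
    for line in log:
        print(line)
```

The last ARP case shows why option E in question 48 matters: a trusted port bypasses inspection entirely, so trust should be limited to ports facing other switches and DHCP servers, never to access ports where an untrusted host could send crafted ARP.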
49.
On a Company switch named R1 you configure the following:
ip arp inspection vlan 10-12,15
What is the purpose of this global configuration command made on R1?
  • A. Discards ARP packets with invalid IP-to-MAC address bindings on trusted ports
  • B. Validates outgoing ARP requests for interfaces configured on VLAN 10, 11, 12, or 15
  • C. Intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings
  • D. Intercepts all ARP requests and responses on trusted ports.
  • E. None of the other alternatives apply
Answer : [C]
Explanation :
The "ip arp inspection" command enables Dynamic ARP Inspection (DAI) for the specified VLANs. DAI is a security feature that validates Address Resolution Protocol (ARP) packets in a network. DAI allows a network administrator to intercept, log, and discard ARP packets with invalid MAC-address-to-IP-address bindings. This capability protects the network from certain man-in-the-middle attacks.
50.
What is true about access control on bridged and routed VLAN traffic? (Select three)
  • A. Router ACLs can be applied to the input and output directions of a VLAN interface.
  • B. Bridged ACLs can be applied to the input and output directions of a VLAN interface.
  • C. Only router ACLs can be applied to a VLAN interface.
  • D. VLAN maps and router ACLs can be used in combination.
  • E. VLAN maps can be applied to a VLAN interface.
Answer : [A, B, D]
Explanation :
Router ACLs are applied on interfaces as either inbound or outbound. To filter both bridged and routed traffic, VLAN maps can be used by themselves or in conjunction with router ACLs.
VLAN ACLs, also called VLAN maps, filter both bridged and routed packets. VLAN maps can be used to filter packets exchanged between devices in the same VLAN.