CCNA 2 v7 Modules 10 – 13: L2 Security and WLANs Flashcards
Which Layer 2 attack will result in legitimate users not getting valid IP addresses?
ARP spoofing
DHCP starvation
IP address spoofing
MAC address flooding
DHCP starvation
What mitigation plan is best for thwarting a DoS attack that is creating a MAC address table overflow?
Disable DTP.
Disable STP.
Enable port security.
Place unused ports in an unused VLAN.
Enable port security.
Which three Cisco products focus on endpoint security solutions? (Choose three.)
IPS Sensor Appliance
Web Security Appliance
Email Security Appliance
SSL/IPsec VPN Appliance
Adaptive Security Appliance
NAC Appliance
Web Security Appliance
Email Security Appliance
NAC Appliance
True or False?
In the 802.1X standard, the client attempting to access the network is referred to as the supplicant.
true
false
true
Which authentication method stores usernames and passwords in the router and is ideal for small networks?
server-based AAA over TACACS+
local AAA over RADIUS
server-based AAA
local AAA over TACACS+
local AAA
server-based AAA over RADIUS
local AAA
What represents a best practice concerning discovery protocols such as CDP and LLDP on network devices?
Enable CDP on edge devices, and enable LLDP on interior devices.
Use the open standard LLDP rather than CDP.
Use the default router settings for CDP and LLDP.
Disable both protocols on all interfaces where they are not required.
Disable both protocols on all interfaces where they are not required.
Which protocol should be used to mitigate the vulnerability of using Telnet to remotely manage network devices?
SNMP
TFTP
SSH
SCP
SSH
Which statement describes the behavior of a switch when the MAC address table is full?
It treats frames as unknown unicast and floods all incoming frames to all ports on the switch.
It treats frames as unknown unicast and floods all incoming frames to all ports across multiple switches.
It treats frames as unknown unicast and floods all incoming frames to all ports within the local VLAN.
It treats frames as unknown unicast and floods all incoming frames to all ports within the collision domain.
It treats frames as unknown unicast and floods all incoming frames to all ports within the local VLAN.
What device is considered a supplicant during the 802.1X authentication process?
the router that is serving as the default gateway
the authentication server that is performing client authentication
the client that is requesting authentication
the switch that is controlling network access
the client that is requesting authentication
Refer to the exhibit. Port Fa0/2 has already been configured appropriately. The IP phone and PC work properly. Which switch configuration would be most appropriate for port Fa0/2 if the network administrator has the following goals?
No one is allowed to disconnect the IP phone or the PC and connect some other wired device.
If a different device is connected, port Fa0/2 is shut down.
The switch should automatically detect the MAC address of the IP phone and the PC and add those addresses to the running configuration.
SWA(config-if)# switchport port-security
SWA(config-if)# switchport port-security mac-address sticky

SWA(config-if)# switchport port-security
SWA(config-if)# switchport port-security maximum 2
SWA(config-if)# switchport port-security mac-address sticky
SWA(config-if)# switchport port-security violation restrict

SWA(config-if)# switchport port-security mac-address sticky
SWA(config-if)# switchport port-security maximum 2

SWA(config-if)# switchport port-security
SWA(config-if)# switchport port-security maximum 2
SWA(config-if)# switchport port-security mac-address sticky

SWA(config-if)# switchport port-security
SWA(config-if)# switchport port-security maximum 2
SWA(config-if)# switchport port-security mac-address sticky
Refer to the exhibit. Port security has been configured on the Fa 0/12 interface of switch S1. What action will occur when PC1 is attached to switch S1 with the applied configuration?
Frames from PC1 will be forwarded since the switchport port-security violation command is missing.
Frames from PC1 will be forwarded to its destination, and a log entry will be created.
Frames from PC1 will be forwarded to its destination, but a log entry will not be created.
Frames from PC1 will cause the interface to shut down immediately, and a log entry will be made.
Frames from PC1 will be dropped, and there will be no log of the violation.
Frames from PC1 will be dropped, and a log message will be created.
Frames from PC1 will cause the interface to shut down immediately, and a log entry will be made.
Which type of VLAN-hopping attack may be prevented by designating an unused VLAN as the native VLAN?
DHCP spoofing
DHCP starvation
VLAN double-tagging
DTP spoofing
VLAN double-tagging
A network administrator is configuring DAI on a switch with the command ip arp inspection validate src-mac. What is the purpose of this configuration command?
It checks the source MAC address in the Ethernet header against the user-configured ARP ACLs.
It checks the source MAC address in the Ethernet header against the MAC address table.
It checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.
It checks the source MAC address in the Ethernet header against the target MAC address in the ARP body.
It checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.
Which two commands can be used to enable BPDU guard on a switch? (Choose two.)
S1(config)# spanning-tree bpduguard default
S1(config-if)# spanning-tree portfast bpduguard
S1(config)# spanning-tree portfast bpduguard default
S1(config-if)# enable spanning-tree bpduguard
S1(config-if)# spanning-tree bpduguard enable
S1(config)# spanning-tree portfast bpduguard default
S1(config-if)# spanning-tree bpduguard enable
As part of the new security policy, all switches on the network are configured to automatically learn MAC addresses for each port. All running configurations are saved at the start and close of every business day. A severe thunderstorm causes an extended power outage several hours after the close of business. When the switches are brought back online, the dynamically learned MAC addresses are retained. Which port security configuration enabled this?
auto secure MAC addresses
dynamic secure MAC addresses
static secure MAC addresses
sticky secure MAC addresses
sticky secure MAC addresses
Which type of management frame may regularly be broadcast by an AP?
authentication
probe request
probe response
beacon
beacon
What are the two methods that are used by a wireless NIC to discover an AP? (Choose two.)
delivering a broadcast frame
receiving a broadcast beacon frame
initiating a three-way handshake
sending an ARP request
transmitting a probe request
receiving a broadcast beacon frame
transmitting a probe request
A technician is configuring the channel on a wireless router to either 1, 6, or 11. What is the purpose of adjusting the channel?
to enable different 802.11 standards
to avoid interference from nearby wireless devices
to disable broadcasting of the SSID
to provide stronger security modes
to avoid interference from nearby wireless devices
While attending a conference, participants are using laptops for network connectivity. When a guest speaker attempts to connect to the network, the laptop fails to display any available wireless networks. The access point must be operating in which mode?
mixed
passive
active
open
active
A network administrator is required to upgrade wireless access to end users in a building. To provide data rates up to 1.3 Gb/s and still be backward compatible with older devices, which wireless standard should be implemented?
802.11n
802.11ac
802.11g
802.11b
802.11ac
A technician is about to install and configure a wireless network at a small branch office. What is the first security measure the technician should apply immediately upon powering up the wireless router?
Enable MAC address filtering on the wireless router.
Configure encryption on the wireless router and the connected wireless devices.
Change the default user-name and password of the wireless router.
Disable the wireless network SSID broadcast.
Change the default user-name and password of the wireless router.
On a Cisco 3504 WLC dashboard, which option provides access to the full menu of features?
Access Points
Network Summary
Advanced
Rogues
Advanced
Which step is required before creating a new WLAN on a Cisco 3500 series WLC?
Create a new SSID.
Build or have an SNMP server available.
Build or have a RADIUS server available.
Create a new VLAN interface.
Create a new VLAN interface.
A network engineer is troubleshooting a newly deployed wireless network that is using the latest 802.11 standards. When users access high bandwidth services such as streaming video, the wireless network performance is poor. To improve performance, the network engineer decides to configure a 5 GHz frequency band SSID and train users to use that SSID for streaming media services. Why might this solution improve the wireless network performance for that type of service?
Requiring the users to switch to the 5 GHz band for streaming media is inconvenient and will result in fewer users accessing these services.
The 5 GHz band has more channels and is less crowded than the 2.4 GHz band, which makes it more suited to streaming multimedia.
The 5 GHz band has a greater range and is therefore likely to be interference-free.
The only users that can switch to the 5 GHz band will be those with the latest wireless NICs, which will reduce usage.
The 5 GHz band has more channels and is less crowded than the 2.4 GHz band, which makes it more suited to streaming multimedia.
A network administrator is configuring a RADIUS server connection on a Cisco 3500 series WLC. The configuration requires a shared secret password. What is the purpose for the shared secret password?
It is used by the RADIUS server to authenticate WLAN users.
It is used to authenticate and encrypt user data on the WLAN.
It is used to encrypt the messages between the WLC and the RADIUS server.
It allows users to authenticate and access the WLAN.
It is used to encrypt the messages between the WLC and the RADIUS server.
Which three parameters would need to be changed if best practices are being implemented for a home wireless AP? (Choose three.)
wireless client operating system password
antenna frequency
wireless network password
wireless beacon time
AP password
SSID
wireless network password
AP password
SSID
Which access control component, implementation, or protocol is based upon usernames and passwords?
802.1X
accounting
authentication
authorization
authentication
Which type of wireless network is based on the 802.11 standard and a 2.4-GHz or 5-GHz radio frequency?
wireless metropolitan-area network
wireless wide-area network
wireless local-area network
wireless personal-area network
wireless local-area network
Which two Cisco solutions help prevent DHCP starvation attacks? (Choose two.)
DHCP Snooping
IP Source Guard
Dynamic ARP Inspection
Port Security
Web Security Appliance
DHCP Snooping
Port Security
What are three techniques for mitigating VLAN attacks? (Choose three.)
Enable trunking manually.
Disable DTP.
Enable Source Guard.
Set the native VLAN to an unused VLAN.
Use private VLANs.
Enable BPDU guard.
Enable trunking manually.
Disable DTP.
Set the native VLAN to an unused VLAN.
Refer to the exhibit. What can be determined about port security from the information that is shown?
The port has the maximum number of MAC addresses that is supported by a Layer 2 switch port which is configured for port security.
The port has been shut down.
The port violation mode is the default for any port that has port security enabled.
The port has two attached devices.
The port violation mode is the default for any port that has port security enabled.
A network administrator of a college is configuring the WLAN user authentication process. Wireless users are required to enter username and password credentials that will be verified by a server. Which server would provide such service?
AAA
NAT
RADIUS
SNMP
RADIUS