Module 10

Question 1

What does AAA stand for in network security?

Answer 1

Authentication, Authorization, Accounting

AAA provides a framework for network access control.

Question 2

What is Local AAA Authentication?

Answer 2

Stores usernames and passwords locally in a network device

Ideal for small networks.

Question 3

What is Server-Based AAA Authentication?

Answer 3

Router accesses a central AAA server using RADIUS or TACACS+ protocols

More appropriate for networks with multiple devices.

Question 4

What is the purpose of AAA Authorization?

Answer 4

Governs what users can and cannot do on the network after authentication

Uses attributes to determine user privileges.

Question 5

What does AAA Accounting do?

Answer 5

Collects and reports usage data for auditing or billing

Logs data such as connection times and executed commands.

Question 6

What is the IEEE 802.1X standard?

Answer 6

A port-based access control and authentication protocol

Restricts unauthorized workstations from connecting to a LAN.

Question 7

What roles do devices play in 802.1X authentication?

Answer 7

Client (Supplicant), Switch (Authenticator), Authentication Server

Each has a specific function in the authentication process.

Question 8

What types of attacks are categorized under Layer 2 Security Threats?

Answer 8

MAC Table Attacks, VLAN Attacks, DHCP Attacks, ARP Attacks, Address Spoofing Attacks, STP Attacks

These attacks exploit vulnerabilities at Layer 2 of the OSI model.

Question 9

What is a MAC Address Table Attack?

Answer 9

Involves flooding a switch with fake source MAC addresses until the table is full

This can disrupt normal network operations.

Question 10

What is a VLAN Hopping Attack?

Answer 10

Enables traffic from one VLAN to be seen by another VLAN without a router

This attack can compromise network segmentation.

Question 11

What is DHCP Snooping?

Answer 11

A security feature that prevents DHCP starvation and DHCP spoofing attacks

Helps to secure DHCP operations on a network.

Question 12

What is Dynamic ARP Inspection (DAI)?

Answer 12

Prevents ARP spoofing and ARP poisoning attacks

It verifies ARP packets on the network.

Question 13

What is IP Source Guard (IPSG)?

Answer 13

Prevents MAC and IP address spoofing attacks

It ensures that only valid IP addresses are used on a network.

Question 14

True or False: Layer 2 vulnerabilities can affect all layers above it.

Answer 14

True

Compromise at Layer 2 can render security measures at higher layers ineffective.

Question 15

What is the function of a Next-Generation Firewall (NGFW)?

Answer 15

Provides stateful packet inspection and advanced malware protection

It integrates multiple security functions into one device.

Question 16

Fill in the blank: The primary use of AAA accounting is to combine it with AAA _______.

Answer 16

authentication

This provides a log of user actions and helps in auditing.

Question 17

What does the Cisco Email Security Appliance (ESA) do?

Answer 17

Monitors SMTP, blocks known threats, and encrypts outgoing email

It uses real-time threat intelligence to enhance email security.

Question 18

What does the Cisco Web Security Appliance (WSA) provide?

Answer 18

Mitigation technology for web-based threats and application visibility

It controls web traffic based on organizational policies.

Question 19

What is Port Security?

Answer 19

Prevents MAC address flooding attacks and DHCP starvation attacks

It limits the number of MAC addresses that can be learned on a port.

Question 20

What is an example of an attack that can be mitigated by implementing BPDU Guard?

Answer 20

STP Attack

BPDU Guard protects against manipulation of the Spanning Tree Protocol.

Question 21

What is IP address spoofing?

Answer 21

IP address spoofing is when a threat actor hijacks a valid IP address of another device on the subnet or uses a random IP address.

Question 22

How can IP and MAC address spoofing be mitigated?

Answer 22

Implementing IP Source Guard (IPSG).

Question 23

What is a STP attack?

Answer 23

A STP attack involves threat actors manipulating Spanning Tree Protocol (STP) to spoof the root bridge and change the topology of a network.

Question 24

How can STP attacks be mitigated?

Answer 24

By implementing BPDU Guard on all access ports.

Question 25

What information does CDP provide?

Answer 25

CDP provides the IP address of the device, IOS software version, platform, capabilities, and the native VLAN.

Question 26

How can the exploitation of CDP be mitigated?

Answer 26

Limit the use of CDP on devices or ports.

Question 27

What is a DHCP starvation attack?

Answer 27

An attack that aims to create a DoS for connecting clients by leasing all available IP addresses with bogus MAC addresses.

Question 28

What is a rogue DHCP server?

Answer 28

A rogue DHCP server provides false IP configuration parameters to legitimate clients.

Question 29

What types of misleading information can a rogue DHCP server provide?

Answer 29

It can provide:
* Wrong default gateway
* Wrong DNS server
* Wrong IP address

Question 30

What is ARP spoofing?

Answer 30

ARP spoofing is when an attacker sends a gratuitous ARP message containing a spoofed MAC address to a switch, allowing for a man-in-the-middle attack.

Question 31

How can ARP spoofing be mitigated?

Answer 31

By implementing Dynamic ARP Inspection (DAI).

Question 32

What is a MAC address table overflow attack?

Answer 32

An attack that floods a switch with fake source MAC addresses until the switch’s MAC address table is full.

Question 33

What happens when a switch’s MAC address table is full?

Answer 33

The switch treats incoming frames as unknown unicast and floods all traffic out all ports on the same VLAN.

Question 34

What is a VLAN hopping attack?

Answer 34

A VLAN hopping attack allows traffic from one VLAN to be seen by another VLAN without the aid of a router.

Question 35

What is a VLAN double-tagging attack?

Answer 35

An attack where a hidden 802.1Q tag is embedded inside a frame with another 802.1Q tag, allowing it to reach a different VLAN.

Question 36

How can VLAN hopping and double-tagging attacks be mitigated?

Answer 36

By implementing trunk security guidelines such as:
* Disable trunking on all access ports
* Disable auto trunking on trunk links
* Ensure the native VLAN is only used for trunk links.

Question 37

What command disables CDP globally on a device?

Answer 37

no cdp run

Question 38

What command enables CDP globally on a device?

Answer 38

cdp run

Question 39

What command disables CDP on a port?

Answer 39

no cdp enable

Question 40

What command enables CDP on a port?

Answer 40

cdp enable

Question 41

True or False: CDP information is sent in encrypted broadcasts.

Answer 41

False

Question 42

What tool can be used for DHCP starvation attacks?

Answer 42

Gobbler

Question 43

What does the Dynamic ARP Inspection (DAI) do?

Answer 43

DAI helps to prevent ARP spoofing and ARP poisoning.

Question 44

What is a gratuitous ARP?

Answer 44

An unsolicited ARP Reply sent by a client.

Question 45

Fill in the blank: The tool _______ can flood a switch with bogus frames to create a MAC address table overflow attack.

Answer 45

macof

Question 46

What is the primary function of DHCP servers?

Answer 46

To dynamically provide IP configuration information to clients.

Question 47

What is an example of a DHCP spoofing attack?

Answer 47

A rogue DHCP server providing an invalid IP address to clients.