Module 11

Question 1

What command is used to verify if PortFast is enabled globally?

Answer 1

show spanning-tree summary

Alternatively, you can use show running-config | begin span.

Question 2

What are the three ways a VLAN hopping attack can be launched?

Answer 2

• Spoofing DTP messages to cause trunking mode
• Introducing a rogue switch enabling trunking
• Performing a double-tagging attack

Question 3

What is the first step to mitigate VLAN hopping attacks?

Answer 3

Disable DTP negotiations on non-trunking ports using the switchport mode access command.

Question 4

What command is used to display all secure MAC addresses?

Answer 4

show port-security address

This command shows both manually configured and dynamically learned MAC addresses.

Question 5

What does DHCP snooping do?

Answer 5

Filters DHCP messages and rate-limits DHCP traffic on untrusted ports.

Question 6

What is the goal of a DHCP starvation attack?

Answer 6

To create a Denial of Service (DoS) for connecting clients.

Question 7

How can DHCP spoofing attacks be mitigated?

Answer 7

By using DHCP snooping on trusted ports.

Question 8

What command is used to enable DHCP snooping?

Answer 8

ip dhcp snooping

Question 9

What happens when a port is in the error-disabled state?

Answer 9

No traffic is sent or received on that port.

Question 10

What command is used to re-enable a port in the error-disabled state?

Answer 10

shutdown followed by no shutdown.

Question 11

What is the function of Dynamic ARP Inspection (DAI)?

Answer 11

Prevents ARP spoofing and ARP poisoning by verifying IP-to-MAC bindings.

Question 12

What command is used to configure DAI to drop invalid ARP packets?

Answer 12

ip arp inspection validate {src-mac | dst-mac | ip}

Question 13

What does BPDU Guard do?

Answer 13

Immediately error disables a port that receives a BPDU.

Question 14

How can BPDU Guard be enabled globally?

Answer 14

spanning-tree portfast bpduguard default

Question 15

What command is used to verify port security settings for a specific interface?

Answer 15

show port-security interface

Question 16

Fill in the blank: To manually enable the trunk link on a trunking port, use the _______ command.

Answer 16

switchport mode trunk

Question 17

What are the three port security violation modes?

Answer 17

• shutdown
• restrict
• protect

Question 18

What does the ‘restrict’ mode do in port security?

Answer 18

Drops packets with unknown source addresses and increments the violation counter.

Question 19

True or False: PortFast can be enabled on inter-switch links.

Answer 19

False

PortFast should only be enabled on access ports.

Question 20

What is the purpose of the DHCP snooping binding table?

Answer 20

It binds the source MAC address to the IP address assigned by the DHCP server.

Question 21

What command is used to view the clients that have received DHCP information?

Answer 21

show ip dhcp snooping binding

Question 22

What should be configured as trusted interfaces for DHCP snooping and ARP inspection?

Answer 22

Uplink ports connected to other switches.

Question 23

What is the default mode for port security violations?

Answer 23

shutdown

Question 24

What command is used to limit the number of DHCP discovery messages on untrusted interfaces?

Answer 24

ip dhcp snooping limit rate packets-per-second

Question 25

What must be done if an unauthorized device is connected to a secure port?

Answer 25

Eliminate the security threat before re-enabling the port.

Question 26

What should be done to all switch ports before deployment for production use?

Answer 26

All switch ports should be secured.

This includes configuring port security and disabling unused ports.

Question 27

What is the default setting for Layer 2 switch ports?

Answer 27

Dynamic auto (trunking on).

This means they can automatically negotiate trunking.

Question 28

What is the simplest method to prevent MAC address table overflow attacks?

Answer 28

Enable port security.

This limits the number of valid MAC addresses allowed on a port.

Question 29

How can a switch learn about MAC addresses on a secure port?

Answer 29

In one of three ways:
* Manually configured
* Dynamically learned
* Dynamically learned – sticky

Question 30

What occurs when a port violation happens due to a differing MAC address?

Answer 30

The port enters the error-disabled state.

In this state, no traffic is sent or received on that port.

Question 31

How can VLAN hopping attacks be mitigated?

Answer 31

By:
* Disabling DTP negotiations
* Disabling unused ports
* Manually setting trunking
* Using a native VLAN other than VLAN 1

Question 32

What does DHCP snooping do?

Answer 32

It determines whether DHCP messages are from a trusted or untrusted source and filters them.

It also rate-limits DHCP traffic from untrusted sources.

Question 33

What is required for Dynamic ARP Inspection (DAI) to function?

Answer 33

DHCP snooping.

Question 34

What is the purpose of implementing Dynamic ARP Inspection?

Answer 34

To mitigate ARP spoofing and ARP poisoning.

Question 35

How can Spanning Tree Protocol (STP) manipulation attacks be mitigated?

Answer 35

By using PortFast and Bridge Protocol Data Unit (BPDU) Guard.

Question 36

What command is used to enable port security on an interface?

Answer 36

switchport port-security.

Question 37

What does the command ‘switchport port-security maximum’ do?

Answer 37

Sets the maximum number of MAC addresses allowed on a port.

Question 38

What are the two types of aging supported by port security?

Answer 38

1. Absolute
2. Inactivity

Question 39

What command is used to verify port security configurations?

Answer 39

show port-security interface and show port-security address.

Question 40

What is the default port security value for the maximum number of MAC addresses allowed on a port?

Answer 40

1.

Question 41

Fill in the blank: The command to manually configure a static MAC address on a secure port is ‘switchport port-security mac-address _______’.

Answer 41

[mac-address]

Question 42

True or False: Port security can be configured on dynamic access ports.

Answer 42

False.

Port security can only be configured on manually configured access or trunk ports.

Question 43

What happens if a port configured with port security has more than one device connected to it?

Answer 43

The port will transition to the error-disabled state.

Question 44

What command is used to disable an unused port on a switch?

Answer 44

shutdown.

Question 45

What command is used to reactivate a previously disabled port?

Answer 45

no shutdown.

Question 46

What is the command to set the aging type for secure MAC addresses?

Answer 46

switchport port-security aging.