Network Device Management and Security Flashcards

1
Q

What prevents rogue DHCP servers?

A

DHCP snooping

2
Q

What prevents ARP attacks?

A

DAI (Dynamic ARP inspection)

3
Q

What protects network resources and provides user mobility?

A

Identity-based networking

4
Q

What is DHCP snooping?

A

Layer 2 firewall

5
Q

How are interfaces configured for DHCP snooping?

A

trusted and untrusted

6
Q

Which interface is configured as the trusted interface?

A

the one closest to the DHCP server

7
Q

What does DHCP build when DHCP snooping is enabled?

A

binding database

8
Q

What does DAI intercept?

A

All ARP requests

9
Q

What does DAI verify?

A

Each intercepted packet for a valid IP to MAC binding

10
Q

What does an identity-based network verify?

A

The users when they connect

11
Q

What is the IEEE standard for Identity based networking?

A

802.1x

12
Q

What are the three roles defined by 802.1x?

A

Client

Authenticator

Authentication server

13
Q

The switch that controls physical access to the network

A

Authenticator

14
Q

The server that authenticates each client that connects to a switch before making any service available in the network.

A

Authentication server

15
Q

Manages all users and administrative access that you need for the entire network

A

AAA Server

16
Q

What are the two most popular methods to create external AAA servers?

A

RADIUS

TACACS+

17
Q

What method provides authentication and authorization in one process?

A

RADIUS

18
Q

Cisco proprietary mechanism that separates AAA services

A

TACACS+

19
Q

What authentication method uses UDP?

A

RADIUS

20
Q

What authentication method uses TCP?

A

TACACS+

21
Q

What command enables AAA services?

A

aaa new-model

22
Q

To avoid being locked out of the router, what must you do first?

A

define a local username and password

23
Q

What command configures SRV1 as a RADIUS server with the name myRadiusSRV1?

What command configures “radiusPassword” as a shared key?

A

radius server myRadiusSRV1

key radiusPassword

24
Q

On R1, what command would add this newly created RADIUS server to the group?

A

aaa group server radius MyRadiusGroup

server name myRadiusSRV1

25
Q

What command immediately applies local authentication to all lines and interfaces (except the console line0)?

A

aaa new-model

26
Q

What would be the command to configure the local user admin that has a password of Cisco123?

A

username admin password Cisco123

27
Q

What command specifies the router to use this RADIUS group for login authentication? If the RADIUS server fails, the fallback to local authentication should be set.

A

aaa authentication login default

group MyRadiusGroup local

28
Q

What commands on R1 allow you to configure SRV1 as a TACACS+ server using “tacacsPassword” as the key?

A

tacacs server myTacacsSRV1

address ipv4 10.1.1.10

key tacacsPassword

29
Q

On R1, what commands allow you to add this newly created TACACS server to the group?

A

aaa group server tacacs+ MyTacacsGroup

server name myTacacsSRV1

30
Q

What command specifies that R1 should use this TACACS+ group for login authentication? If the TACACS+ server fails, the fallback to local authentication should be set.

A

aaa authentication login default

group MyTacacsGroup local

31
Q

All users that log in to the HQ router via Telnet must authenticate to the TACACS+ server with the IP address 172.16.100.22 and the shared key “Cisco123.”

The TACACS+ server should be named “TacacsSRV” and should be associated with the TACACS+ server group name “TacacsSRV_group.” What commands enable this?

A

aaa new-model

tacacs server TacacsSRV

address ipv4 172.16.100.22

key Cisco123

exit

aaa group server tacacs+ TacacsSRV

group server name TacacsSRV

32
Q

What command configures the device to use the TACACS+ server for login authentication and specifies that if the authentication server is unreachable, users should be able to log in with a backup local user account that is stored on the HQ router?

A

aaa authentication login default

group TacacsSRV_group local

33
Q

What command is used to enable 802.1x authentication on a single interface?

A

authentication port-control

34
Q

What must be enabled before individual ports can be configured to use 802.1x authentication?

A

enable 802.1x across entire platform

35
Q

What three modes can be configured in the authentication port-control command?

A

auto

force-authorized

force-unauthorized

36
Q

When the _____ keyword is used, any device connected to the port must undergo the authorization process before gaining access to the network.

A

auto

37
Q

When the _____ keyword is used, any device connected to an 802.1x-enabled port is automatically authorized and granted access to the network.

A

force-authorized

38
Q

When the _____ keyword is used, any connected device is automatically unauthorized and denied from accessing the network.

A

force-unauthorized

39
Q

What command enables 802.1x authentication globally on a switch?

A

dot1x system-auth-control

40
Q

After issuing the authentication port-control auto command, what command is used to prepare a single port to accept traffic from multiple hosts?

A

authentication host-mode multi-host

41
Q

What command is used to restore the default 802.1x parameters on a device?

A

dot1x default

42
Q

What command allows you to verify the 802.1x authentication parameters?

A

show dot1x

43
Q

Combines authentication and authorization into a single function and encrypts only the password in Access-Request packets

A

RADIUS

44
Q

What command sets a DHCP rate limit on an untrusted interface to a limit of 100 packets per second? This command prevents a denial of service attack where someone is flooding the legitimate DHCP server with an overwhelming amount of DHCP discover messages.

A

ip dhcp snooping limit rate 100

45
Q

Causes a DHCP request packet to contain information indicating the switch port from which the DHCP request came

A

DHCP option 82

46
Q

A protocol with multiple variants (called “methods”) that define how authentication and encryption are performed between 802.1x supplicant and authenticator.

A

EAP (Extensible Authentication Protocol)

47
Q

When _____ mode is used, the first device to use the port must be authenticated. After the initial device is authenticated, any additional device using the port will be allowed network access.

A

multihost

48
Q

Which protocol is capable of providing router command authorization capabilities?

A

TACACS+

49
Q

The following commands were issued on a switch:

switchport mode access
switchport port-security
switchport port-security maximum 3
switchport port-security mac-address sticky

What describes the result of a port security violation by an unknown packet?

A

port disabled; SNMP or syslog messages sent

50
Q

Which protocol authenticates connected devices before allowing them to access the LAN?

A

802.1x

51
Q

What is the difference between TACACS+ and RADIUS in AAA?

  • Only TACACS+ allows for separate authentication
  • Only RADIUS encrypts the entire access-request packet
  • Only RADIUS uses TCP
  • Only TACACS+ couples authentication and authorization

A

Only TACACS+ allows for separate authentication

52
Q

What can be done to secure the virtual terminal interfaces on a router? (Choose two.)

A. Administratively shut down the interface.
B. Physically secure the interface.
C. Create an access list and apply it to the virtual terminal interfaces with the access-group command.
D. Configure a virtual terminal password and login process.
E. Enter an access list and apply it to the virtual terminal interfaces using the access-class command.

A

D. Configure a virtual terminal password and login process.
E. Enter an access list and apply it to the virtual terminal interfaces using the access-class command.
53
Q

What three actions will the switch take when a frame with an unknown source MAC address arrives at the interface? (Select three.)

A. Send an SNMP trap.
B. Send a syslog message.
C. Increment the Security Violation counter.
D. Forward the traffic.
E. Write the MAC address to the startup-config.
F. Shut down the port.

A

A. Send an SNMP trap.
B. Send a syslog message.
C. Increment the Security Violation counter.

54
Q

Refer to the exhibit. Which of these correctly describes the results of port security violation of an unknown packet?

A. port enabled; unknown packets dropped; no SNMP or syslog messages
B. port enabled; unknown packets dropped; SNMP or syslog messages
C. port disabled; no SNMP or syslog messages
D. port disabled; SNMP or syslog messages

A

D. port disabled; SNMP or syslog messages

55
Q

The following configuration is applied to a Layer 2 Switch:

interface fastethernet 0/4
switchport mode access
switchport port-security
switchport port-security mac-address 0000.1111.1111
switchport port-security maximum 2
switchport port-security

What is the result of the above configuration being applied to the switch?

A. A host with a mac address of 0000.1111.1111 and up to two other hosts can connect to FastEthernet 0/4 simultaneously
B. A host with a mac address of 0000.1111.1111 and one other host can connect to Fast Ethernet 0/4 simultaneously
C. Violating addresses are dropped and no record of the violation is kept
D. The switch can send an SNMP message to the network management station
E. The port is effectively shutdown

A

B. A host with a mac address of 0000.1111.1111 and one other host can connect to Fast Ethernet 0/4 simultaneously

D. The switch can send an SNMP message to the network management station

56
Q

Which set of commands is recommended to prevent the use of a hub in the access layer?

A. switch(config-if)#switchport mode trunk switch(config-if)#switchport port-security maximum 1
B. switch(config-if)#switchport mode trunk switch(config-if)#switchport port-security mac-address 1
C. switch(config-if)#switchport mode access switch(config-if)#switchport port-security maximum 1
D. switch(config-if)#switchport mode access switch(config-if)#switchport port-security mac-address 1

A

C. switch(config-if)#switchport mode access switch(config-if)#switchport port-security maximum 1

57
Q

A network administrator needs to allow only one Telnet connection to a router. For anyone viewing the configuration and issuing the show run command, the password for Telnet access should be encrypted. Which set of commands will accomplish this task?

A. service password-encryption access-list 1 permit 192.168.1.0 0.0.0.255 line vty0 4 login password cisco access-class 1
B. enable password secret line vty0 login password cisco
C. service password-encryption line vty0 login password cisco
D. service password-encryption line vty0 4 login password cisco

A

C. service password-encryption line vty0 login password cisco

58
Q

Which two commands correctly verify whether port security has been configured on port FastEthernet 0/12 on a switch? (Choose two.)

A. SW1#show port-secure interface FastEthernet 0/12
B. SW1#show switchport port-secure interface FastEthernet 0/12
C. SW1#show running-config
D. SW1#show port-security interface FastEthernet 0/12
E. SW1#show switchport port-security interface FastEthernet 0/12

A

C. SW1#show running-config
D. SW1#show port-security interface FastEthernet 0/12

59
Q

A network administrator needs to configure port security on a switch.
Which two statements are true? (Choose two.)

A. The network administrator can apply port security to dynamic access ports.
B. The network administrator can apply port security to EtherChannels.
C. When dynamic MAC address learning is enabled on an interface, the switch can learn new addresses, up to the maximum defined.
D. The sticky learning feature allows the addition of dynamically learned addresses to the running configuration.
E. The network administrator can configure static secure or sticky secure MAC addresses in the voice VLAN.

A

C. When dynamic MAC address learning is enabled on an interface, the switch can learn new addresses, up to the maximum defined.
D. The sticky learning feature allows the addition of dynamically learned addresses to the running configuration.

60
Q

A network administrator wants to ensure that only the server can connect to port Fa0/1 on a Catalyst switch. The server is plugged into the switch Fa0/1 port and the network administrator is about to bring the server online. What can the administrator do to ensure that only the MAC address of the server is allowed by switch port Fa0/1? (Choose two.)

A. Configure port Fa0/1 to accept connections only from the static IP address of the server.
B. Employ a proprietary connector type on Fa0/1 that is incompatible with other host connectors.
C. Configure the MAC address of the server as a static entry associated with port Fa0/1.
D. Bind the IP address of the server to its MAC address on the switch to prevent other hosts from spoofing the server IP address.
E. Configure port security on Fa0/1 to reject traffic with a source MAC address other than that of the server.
F. Configure an access list on the switch to deny server traffic from entering any port other than Fa0/1.

A

C. Configure the MAC address of the server as a static entry associated with port Fa0/1.

E. Configure port security on Fa0/1 to reject traffic with a source MAC address other than that of the server.

61
Q

How does using the service password-encryption command on a router provide additional security?

A. by encrypting all passwords passing through the router
B. by encrypting passwords in the plain text configuration file
C. by requiring entry of encrypted passwords for access to the device
D. by configuring an MD5 encrypted key to be used by routing protocols to validate routing exchanges
E. by automatically suggesting encrypted passwords for use in configuring the router

A

B. by encrypting passwords in the plain text configuration file

62
Q

Refer to the exhibit. Some 2950 series switches are connected to the conference area of the corporate headquarters network. The switches provide two to three jacks per conference room to host laptop connections for employees who visit the headquarters office. When large groups of employees come from other locations, the network administrator often finds that hubs have been connected to wall jacks in the conference area although the ports on the access layer switches were not intended to support multiple workstations.

A. Configure static entries in the switch MAC address table to include the range of addresses used by visiting employees.
B. Configure an ACL to allow only a single MAC address to connect to the switch at one time.
C. Use the mac-address-table 1 global configuration command to limit each port to one source MAC address.
D. Implement Port Security on all interfaces and use the port-security maximum 1 command to limit port access to a single MAC address.
E. Implement Port Security on all interfaces and use the port-security mac-address sticky command to limit access to a single MAC address.
F. Implement Port Security at global configuration mode and use the port-security maximum 1 command to allow each switch only one attached hub.

A

D. Implement Port Security on all interfaces and use the port-security maximum 1 command to limit port access to a single MAC address.

63
Q

A network administrator must configure 200 switch ports to accept traffic from only the currently attached host devices. What would be the most efficient way to configure MAC-level security on all these ports?

A. Visually verify the MAC addresses and then telnet to the switches to enter the switchport-port security mac-address command.
B. Have end users e-mail their MAC addresses. Telnet to the switch to enter the switchport-port security mac-address command.
C. Use the switchport port-security MAC address sticky command on all the switch ports that have end devices connected to them.
D. Use show mac-address-table to determine the addresses that are associated with each port and then enter the commands on each switch for MAC address port-security.

A

C. Use the switchport port-security MAC address sticky command on all the switch ports that have end devices connected to them.

64
Q

Select the action that results from executing these commands.

Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address sticky

A. A dynamically learned MAC address is saved in the startup-configuration file.
B. A dynamically learned MAC address is saved in the running-configuration file.
C. A dynamically learned MAC address is saved in the VLAN database.
D. Statically configured MAC addresses are saved in the startup-configuration file if frames from that address are received.
E. Statically configured MAC addresses are saved in the running-configuration file if frames from that address are received.

A

B. A dynamically learned MAC address is saved in the running-configuration file.

65
Q

Refer to the exhibit. The following commands are executed on interface fa0/1 of 2950Switch.

2950Switch(config-if)# switchport port-security
2950Switch(config-if)# switchport port-security mac-address sticky
2950Switch(config-if)# switchport port-security maximum 1

The Ethernet frame that is shown arrives on interface fa0/1. What two functions will occur when this frame is received by 2950Switch? (Choose two.)

A. The MAC address table will now have an additional entry of fa0/1 FFFF.FFFF.FFFF.
B. Only host A will be allowed to transmit frames on fa0/1.
C. This frame will be discarded when it is received by 2950Switch.
D. All frames arriving on 2950Switch with a destination of 0000.00aa.aaaa will be forwarded out fa0/1.
E. Hosts B and C may forward frames out fa0/1 but frames arriving from other switches will not be forwarded out fa0/1.
F. Only frames from source 0000.00bb.bbbb, the first learned MAC address of 2950Switch, will be forwarded out fa0/1.

A

B. Only host A will be allowed to transmit frames on fa0/1.

D. All frames arriving on 2950Switch with a destination of 0000.00aa.aaaa will be forwarded out fa0/1.