Practice Q's - Unsorted Flashcards
What command disables 802.1x authentication on a port and permits traffic without authentication?
A. dot1x port-control disable
B. dot1x port-control force-unauthorized
C. dot1x port-control auto
D. dot1x port-control force-authorized
Answer: D
Explanation:
The command dot1x port-control force-authorized is used to disable 802.1x on a port and permit traffic without authentication. Dot1x ports are in one of two states, authorized or unauthorized.
Authorized ports permit user traffic to flow through the port. This state usually follows successful authentication. Unauthorized ports only permit authentication traffic to flow through the port.
Usually a port begins in the unauthorized state. A user is then allowed to exchange AAA authentication traffic with the port. Once the user has been authenticated successfully, the port is changed to the authorized state and the user is permitted to use the port normally.
Normal use of 802.1x has the port configured with the dot1x port-control auto statement. This places the port in the unauthorized state until successful authentication. After successful authentication, the port is changed to the authorized state.
When 802.1x is initially configured, the default port control of the ports is force-authorized. This forces the port to be in the authorized state without successful authentication. This setting disables the need for authentication and permits all traffic.
The force-unauthorized keyword configures the port as an unauthorized port regardless of authentication traffic. A port configured with this keyword would not permit user traffic, not even authentication traffic.
The command dot1x port-control disable is not a valid command due to incorrect syntax.
What attack technique can be used to force user traffic through an attacking device, causing a man-in-the-middle attack?
A. VLAN hopping
B. DHCP spoofing
C. Rogue device
D. MAC flooding
Answer: B
Explanation:
DHCP spoofing is an attack that can be used to force user traffic through an attacking device.
This is accomplished by an attacker responding to DHCP queries from users. Eliminating the response from the correct DHCP server would make this more effective, but if the attacker’s response gets to the client first, the client will accept it.
The DHCP response from the attacker will include a different gateway or DNS server address. If they define a different gateway, the user traffic will be forced to travel through a device controlled by the attacker.
This will allow the attacker to capture traffic and gain company information. If the attacker changes the DNS server in the response, they can use their own DNS server to force traffic to selected hosts to go to a device they control.
Again, this would allow the attacker to capture traffic and gain information.
VLAN hopping is an attack that allows an attacker to access network resources on a different VLAN without passing through a router. The attacker can create a packet with two VLAN headers on it and send it to a switch. The switch port will strip off the first header and leave the second.
The second header will be seen as the originating VLAN allowing the attacker access to a VLAN they are not connected to. This becomes a security concern because this hopping can be accomplished without passing through a router and its security access lists. For this reason, private VLANs and VACLs should be used to secure access between VLANs.
MAC flooding is an attack technique which attempts to fill a switch table so the attacker can capture flooded traffic sent from the switch. The concept of this attack is to use the CAM table limit to the attacker’s advantage. The attacker would send packets addressed from a large number of MAC addresses to the switch. The switch adds the source MAC address to the MAC address table. Eventually no more MAC addresses can be added because the table is full. When this occurs, any packets destined for a MAC address not in the table will be flooded to all other ports.
This would allow the attacker to see the flooded traffic and capture information. The switch would be essentially functioning as a hub in this case.
A rogue device is a device attached to the network that is not under the control of the organization. This term is normally used to mean a wireless device, perhaps an access point that is not operating as a part of the company’s infrastructure. Employees may bring their own access points and connect them to the network so they can use their computer wirelessly.
This creates a security gap since the device is probably not secured to protect the traffic. An attacker could connect a rogue access point to a company’s network and capture traffic from outside the company’s premises.
Which option is a benefit of using VSS?
A. reduces cost
B. simplifies configuration
C. provides two independent supervisors with two different control planes
D. removes the need for a First Hop Redundancy Protocol
Answer: D
Explanation:
First Hop Redundancy Protocols (FHRPs) such as VRRP and HSRP were designed to allow for a highly available first IP route hop for host systems. FHRPs allow two (or more) distinct routers to share a common IP address, providing a redundant Layer-3 default gateway for end nodes. The VSS system creates a single logical router at Layer 3.
This VSS routing instance fulfills this first-hop role without the need for a dedicated protocol. The VSS IP route is highly available due to MEC (Multichassis EtherChannel) and the resiliency of the VSS system.
VSS eliminates the need for FHRP at the aggregation layer of the data center.
In the following partial output of the show run command, which MAC address or addresses will be removed from the list of secure addresses after 240 seconds?
A. 0000.0000.aaaa
B. 0000.0000.bbbb
C. 0000.0000.aaaa and 0000.0000.bbbb
D. none of the MAC addresses will be removed after 240 seconds
Answer: A
Explanation:
The only address that will be removed or aged out of the secure MAC address list will be 0000.0000.aaaa. When port security is used on an interface, not only can you set a maximum number of MAC addresses that can use the interface, but you can also set the amount of time that an address can reside in the secure list.
When the switchport port-security command is used, you can specify whether the command applies to statically assigned MAC addresses or dynamically learned MAC addresses, called sticky addresses. In this scenario, line 6 of the output specifies that the command applies to static addresses. Since 0000.0000.aaaa is the only statically assigned MAC address (assigned in line 8 of the output), it is the only address that will age out. The amount of time is configured in terms of minutes and is done on line 5 with the switchport port-security aging time 4 command.
The MAC address 0000.0000.bbbb will not age out because it is a sticky secure address. The aging command only applies to static MAC addresses.