Security Fundamentals Flashcards
An inbound access list has been configured on a serial interface to deny packet entry for TCP and UDP ports 21, 23, and 25. What types of packets will be permitted by this ACL? (Choose three).
A. FTP
B. HTTP
C. Telnet
D. POP3
E. SMTP
F. DNS
An administrator has connected devices to a switch and, for security reasons, wants the dynamically learned MAC addresses from the address table added to the running configuration. What must be done to accomplish this?
A. Enable port security and use the keyword sticky.
B. Set the switchport mode to trunk and save the running configuration.
C. Use the switchport protected command to have the MAC addresses added to the configuration.
D. Use the no switchport port-security command to allow MAC addresses to be added to the configuration.
What is the purpose of the switchport command?
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address 0018.DE8B.4BF8
A. It ensures that only the device with the MAC address 0018.DE8B.4BF8 will be able to connect to the port that is being configured.
B. It informs the switch that traffic destined for MAC address 0018.DE8B.4BF8 should only be sent to the port that is being configured.
C. It will act like an access list and the port will filter packets that have a source or destination MAC of 0018.DE8B.4BF8.
D. The switch will shut down the port of any traffic with source MAC address of 0018.DE8B.4BF8.
Why would a network administrator configure port security on a switch?
A. To prevent unauthorized Telnet access to a switch port.
B. To prevent unauthorized hosts from accessing the LAN.
C. To limit the number of Layer 2 broadcasts on a particular switch port.
D. Block unauthorized access to the switch management interfaces.
How can you ensure that only the MAC address of a server is allowed by switch port Fa0/1?
A. Configure port Fa0/1 to accept connections only from the static IP address of the server.
B. Configure the server MAC address as a static entry of port security.
C. Use a proprietary connector type on Fa0/1 that is incompatible with other host connectors.
D. Bind the IP address of the server to its MAC address on the switch to prevent other hosts from spoofing the server IP address.
A company has placed a networked PC in a lobby so guests can have access to the corporate directory. A security concern is that someone will disconnect the directory PC and re-connect their laptop computer and have access to the corporate network. For the port servicing the lobby, which three configuration steps should be performed on the switch to prevent this? (Choose three).
A. Enable port security.
B. Create the port as a trunk port.
C. Create the port as an access port.
D. Create the port as a protected port.
E. Set the port security aging time to 0.
F. Statically assign the MAC address to the address table.
G. Configure the switch to discover new MAC addresses after a set time of inactivity.
Which two commands correctly verify whether port security has been configured on port FastEthernet 0/12 on a switch? (Choose two).
A. SW1# show port-secure interface FastEthernet 0/12
B. SW1# show switchport port-secure interface FastEthernet 0/12
C. SW1# show running-config
D. SW1# show port-security interface FastEthernet 0/12
E. SW1# show switchport port-security interface FastEthernet 0/12
What will be the result if the following configuration commands are implemented on a Cisco switch?
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address sticky
A. A dynamically learned MAC address is saved in the startup-configuration file.
**B. A dynamically learned MAC address is saved in the running-configuration file.**
C. A dynamically learned MAC address is saved in the VLAN database.
D. Statically configured MAC addresses are saved in the startup-configuration file if frames from that address are received.
E. Statically configured MAC addresses are saved in the running-configuration file if frames from that address are received.
A network administrator needs to configure port security on a switch. Which two statements are true? (Choose two).
A. The network administrator can apply port security to dynamic access ports.
B. The network administrator can apply port security to EtherChannels.
C. When dynamic MAC address learning is enabled on an interface, the switch can learn new addresses, up to the maximum defined.
D. The sticky learning feature allows the addition of dynamically learned addresses to the running configuration.
E. The network administrator can configure static secure or sticky secure MAC addresses in the voice VLAN.
Refer to the exhibit.
A junior network administrator was given the task of configuring port security on SwitchA to allow only PC_A to access the switched network through port fa0/1. If any other device is detected, the port is to drop frames from this device. The administrator configured the interface and tested it with successful pings from PC_A to RouterA, and then observed the output from these two show commands. Which two of these changes are necessary for SwitchA to meet the requirements? (Choose two).
A. Port security needs to be globally enabled.
B. Port security needs to be enabled on the interface.
C. Port security needs to be configured to shut down the interface in the event of a violation.
D. Port security needs to be configured to allow only one learned MAC address.
E. Port security interface counters need to be cleared before using the show command.
F. The port security configuration needs to be saved to NVRAM before it can become active.
Which set of commands is recommended to prevent the use of a hub in the access layer?
A. switch(config-if)# switchport mode trunk
switch(config-if)# switchport port-security maximum 1
B. switch(config-if)# switchport mode trunk
switch(config-if)# switchport port-security mac-address 1
C. switch(config-if)# switchport mode access
switch(config-if)# switchport port-security maximum 1
D. switch(config-if)# switchport mode access
switch(config-if)# switchport port-security mac-address 1
Refer to the exhibit.
The following commands are executed on interface fa0/1 of 2950Switch.
2950Switch(config-if)# switchport port-security
2950Switch(config-if)# switchport port-security mac-address sticky
2950Switch(config-if)# switchport port-security maximum 1
The Ethernet frame that is shown arrives on interface fa0/1. What two functions will occur when this frame is received by 2950Switch? (Choose two).
A. The MAC address table will now have an additional entry of fa0/1 FFFF.FFFF.FFFF.
B. Only host A will be allowed to transmit frames on fa0/1.
C. This frame will be discarded when it is received by 2950Switch.
D. All frames arriving on 2950Switch with a destination of 0000.00aa.aaaa will be forwarded out fa0/1.
E. Hosts B and C may forward frames out fa0/1 but frames arriving from other switches will not be forwarded out fa0/1.
F. Only frames from source 0000.00bb.bbbb, the first learned MAC address of 2950Switch, will be forwarded out fa0/1.
What are two recommended ways of protecting network device configuration files from outside network security threats? (Choose two).
A. Allow unrestricted access to the console or VTY ports.
B. Use a firewall to restrict access from the outside to the network devices.
C. Always use Telnet to access the device command line because its data is automatically encrypted.
D. Use SSH or another encrypted and authenticated transport to access device configurations.
E. Prevent the loss of passwords by disabling password encryption.
What is the effect of this configuration?
line vty 0 4
password todd
login
transport input ssh
A. It configures SSH globally for all logins.
B. It tells the router or switch to try to establish an SSH connection first and if that fails to use Telnet.
C. It configures a Cisco network device to use the SSH protocol on incoming communications via the VTY lines.
D. It configures the device to use only Telnet on the VTY lines.
On which options are standard access lists based?
A. destination address and wildcard mask
B. destination address and subnet mask
C. source address and subnet mask
D. source address and wildcard mask
Refer to the exhibit.
Statements A, B, C, and D of ACL 10 have been entered in the shown order and applied to interface E0 inbound, to prevent all hosts (except those whose addresses are the first and last IP of subnet 172.21.1.128/28) from accessing the network. But as is, the ACL does not restrict anyone from the network. How can the ACL statements be re-arranged so that the system works as intended?
A. ACDB
B. BADC
C. DBAC
D. CDBA
Refer to the exhibit.
An attempt to deny web access to a subnet blocks all traffic from the subnet. Which interface command immediately removes the effect of ACL 102?
A. no ip access-class 102 in
B. no ip access-class 102 out
C. no ip access-group 102 in
D. no ip access-group 102 out
E. no ip access-list 102 in
Which statement about access lists that are applied to an interface is true?
A. You can place as many access lists as you want on any interface.
B. You can apply only one access list on any interface.
C. You can configure one access list, per direction, per Layer 3 protocol.
D. You can apply multiple access lists with the same protocol or in different directions.