11.6.4 Module Quiz – Switch Security Configuration Answers
1. What is a recommended best practice when dealing with the native VLAN?
- Use port security.
- Turn off DTP.
- Assign it to an unused VLAN.
- Assign the same VLAN number as the management VLAN.
Explanation: Port security cannot be enabled on a trunk and trunks are the only types of ports that have a native VLAN. Even though turning DTP off on a trunk is a best practice, it does not have anything to do with native VLAN risks. To prevent security breaches that take advantage of the native VLAN, place the native VLAN in an unused VLAN other than VLAN 1. The management VLAN should also be an unused VLAN that is different from the native VLAN and something other than VLAN 1.
2. On what switch ports should PortFast be enabled to enhance STP stability?
- only ports that are elected as designated ports
- all trunk ports that are not root ports
- all end-user ports
- only ports that attach to a neighboring switch
Explanation: PortFast will immediately bring an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states. If configured on a trunk link, immediately transitioning to the forwarding state could lead to the formation of Layer 2 loops.
3. Which command would be best to use on an unused switch port if a company adheres to the best practices as recommended by Cisco?
- switchport port-security mac-address sticky mac-address
- ip dhcp snooping
- switchport port-security violation shutdown
- switchport port-security mac-address sticky
Explanation: Unlike router Ethernet ports, switch ports are enabled by default. Cisco recommends disabling any port that is not used. The ip dhcp snooping command globally enables DHCP snooping on a switch. Further configuration allows defining ports that can respond to DHCP requests. The switchport port-security command is used to protect the network from unidentified or unauthorized attachment of network devices.
4. Which two features on a Cisco Catalyst switch can be used to mitigate DHCP starvation and DHCP spoofing attacks? (Choose two.)
- DHCP server failover
- extended ACL
- port security
- DHCP snooping
- strong password on DHCP servers
Explanation: In DHCP starvation attacks, an attacker floods the DHCP server with DHCP requests to use up all the available IP addresses that the DHCP server can issue. In DHCP spoofing attacks, an attacker configures a fake DHCP server on the network so that it provides clients with false DNS server addresses. The port security feature can limit the number of dynamically learned MAC addresses per port or allow only known valid NICs to be connected via their specific MAC addresses. The DHCP snooping feature can identify the legitimate DHCP servers and block fake DHCP servers from issuing IP address information. These two features can help fight against DHCP attacks.
5. What is the best way to prevent a VLAN hopping attack?
- Use ISL encapsulation on all trunk links.
- Disable STP on all nontrunk ports.
- Use VLAN 1 as the native VLAN on trunk ports.
- Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports.
Explanation: VLAN hopping attacks rely on the attacker being able to create a trunk link with a switch. Disabling DTP and configuring user-facing ports as static access ports can help prevent these types of attacks. Disabling the Spanning Tree Protocol (STP) will not eliminate VLAN hopping attacks.
6. Which procedure is recommended to mitigate the chances of ARP spoofing?
- Enable port security globally.
- Enable DHCP snooping on selected VLANs.
- Enable IP Source Guard on trusted ports.
- Enable DAI on the management VLAN.
Explanation: To mitigate the chances of ARP spoofing, these procedures are recommended:
- Implement protection against DHCP spoofing by enabling DHCP snooping globally.
- Enable DHCP snooping on selected VLANs.
- Enable DAI on selected VLANs.
- Configure trusted interfaces for DHCP snooping and ARP inspection. All ports are untrusted by default.
7. What are two types of switch ports that are used on Cisco switches as part of the defense against DHCP spoofing attacks? (Choose two.)
- unknown port
- trusted DHCP port
- unauthorized port
- established DHCP port
- untrusted port
- authorized DHCP port
Explanation: DHCP snooping recognizes two types of ports on Cisco switches:
- Trusted DHCP ports – switch ports connecting to upstream DHCP servers
- Untrusted ports – switch ports connecting to hosts that should not be providing DHCP server messages
8. Which two commands can be used to enable PortFast on a switch? (Choose two.)
- S1(config-if)# enable spanning-tree portfast
- S1(config-if)# spanning-tree portfast
- S1(config)# enable spanning-tree portfast default
- S1(config)# spanning-tree portfast default
- S1(config-line)# spanning-tree portfast
Explanation: PortFast can be configured on all nontrunking ports using the spanning-tree portfast default global configuration command. Alternatively, PortFast can be enabled on an interface using the spanning-tree portfast interface configuration command.
9. An administrator who is troubleshooting connectivity issues on a switch notices that a switch port configured for port security is in the err-disabled state. After verifying the cause of the violation, how should the administrator re-enable the port without disrupting network operation?
- Reboot the switch.
- Issue the shutdown command followed by the no shutdown command on the interface.
- Issue the no switchport port-security command, then re-enable port security.
- Issue the no switchport port-security violation shutdown command on the interface.
Explanation: If an interface that has been protected with port security goes into the err-disabled state, then a violation has occurred and the administrator should investigate the cause of the violation. Once the cause is determined, the administrator can issue the shutdown command followed by the no shutdown command to enable the interface.
10. A network administrator is configuring DHCP snooping on a switch. Which configuration command should be used first?
- ip dhcp snooping
- ip dhcp snooping limit rate
- ip dhcp snooping vlan
- ip dhcp snooping trust
Explanation: The steps to enable DHCP snooping include these:
- Step 1. Enable DHCP snooping using the ip dhcp snooping global configuration command.
- Step 2. On trusted ports, use the ip dhcp snooping trust interface configuration command.
- Step 3. Enable DHCP snooping by VLAN, or by a range of VLANs.
11. A network administrator is configuring DAI on a switch with the command ip arp inspection validate dst-mac. What is the purpose of this configuration command?
- to check the destination MAC address in the Ethernet header against the MAC address table
- to check the destination MAC address in the Ethernet header against the source MAC address in the ARP body
- to check the destination MAC address in the Ethernet header against the user-configured ARP ACLs
- to check the destination MAC address in the Ethernet header against the target MAC address in the ARP body
Explanation: DAI can be configured to validate the destination MAC address, the source MAC address, and the IP addresses carried in ARP packets:
- Destination MAC – Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body.
- Source MAC – Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.
- IP address – Checks the ARP body for invalid and unexpected IP addresses including addresses 0.0.0.0, 255.255.255.255, and all IP multicast addresses.
12. Which security feature should be enabled in order to prevent an attacker from overflowing the MAC address table of a switch?
- storm control
- port security
- BPDU filter
- root guard
Explanation: Port security limits the number of source MAC addresses allowed through a switch port. This feature can prevent an attacker from flooding a switch with many spoofed MAC addresses.
13. What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol?
- VLAN hopping
- DHCP spoofing
- ARP poisoning
- ARP spoofing
Explanation: Mitigating a VLAN hopping attack can be done by disabling Dynamic Trunking Protocol (DTP) and by setting the native VLAN of trunk links to VLANs not in use.
14. A network administrator is configuring DAI on a switch. Which command should be used on the uplink interface that connects to a router?
- ip arp inspection trust
- ip dhcp snooping
- ip arp inspection vlan
- spanning-tree portfast
Explanation: In general, a router serves as the default gateway for the LAN or VLAN on the switch. Therefore, the uplink interface that connects to a router should be a trusted port for forwarding ARP requests.
15. Where are dynamically learned MAC addresses stored when sticky learning is enabled with the switchport port-security mac-address sticky command?
Explanation: When MAC addresses are automatically learned by using the sticky command option, the learned MAC addresses are added to the running configuration, which is stored in RAM.
16. Which method would mitigate a MAC address flooding attack?
- Configuring port security
- Increasing the size of the CAM table
- Increasing the speed of switch ports
- Using ACLs to filter broadcast traffic on the switch
Explanation: Port security can be configured on switches to assist in preventing the MAC address table from being overwhelmed with invalid MAC addresses. ACLs will not assist a switch in filtering broadcast traffic, and increasing the size of the CAM table or the speed of switch ports will not resolve this issue.
17. Which action will bring an error-disabled switch port back to an operational state?
- Clear the MAC address table on the switch.
- Issue the shutdown and no shutdown interface config commands.
- Issue the switchport mode access interface config command.
- Remove and reconfigure port security on the interface.
Explanation: When a violation occurs on a switch port that is configured for port security with the shutdown violation action, it is put into the error-disabled state. It can be brought back up by shutting down the interface and then issuing the no shutdown command.
18. Which two statements are true regarding switch port security? (Choose two.)
- After entering the sticky parameter, only MAC addresses subsequently learned are converted to secure MAC addresses.
- Dynamically learned secure MAC addresses are lost when the switch reboots.
- If fewer than the maximum number of MAC addresses for a port are configured statically, dynamically learned addresses are added to CAM until the maximum number is reached.
- The three configurable violation modes all log violations via SNMP.
- The three configurable violation modes all require user intervention to reenable ports.
Explanation: Dynamically learned secure MAC addresses are lost when the switch reboots. Sticky MAC addresses are learned and added to the running config. These addresses are retained across a reboot only if the configuration is saved first. MAC addresses may also be configured statically (that is, manually). If fewer than the maximum number of MAC addresses for a port are configured statically, dynamically learned addresses are added to CAM until the maximum number is reached.
19. Port security has been enabled on access ports to allow a maximum of two MAC addresses. Which port security violation would drop the frame and send a notification to the syslog server if the maximum number of MAC addresses is exceeded?
Explanation: In port security implementation, an interface can be configured for one of three violation modes:
- Protect – a port security violation causes the interface to drop packets with unknown source addresses, and no notification is sent that a security violation has occurred.
- Restrict – a port security violation causes the interface to drop packets with unknown source addresses and to send a notification that a security violation has occurred.
- Shutdown – a port security violation causes the interface to immediately become error-disabled and turns off the port LED. No notification is sent that a security violation has occurred.
20. Which feature should be configured on PortFast enabled switches to prevent rogue switches from being added to a network?
- BPDU guard
- DHCP snooping
- Port security
Explanation: BPDU guard immediately error-disables a port that receives a BPDU. This prevents rogue switches from being added to the network. BPDU guard should be applied only to end-user (PortFast-enabled) ports, never to ports that connect to other switches.
21. Which port security feature enables switches to automatically learn and retain MAC addresses for each port?
- Auto secure MAC addresses
- Dynamic secure MAC addresses
- Static secure MAC addresses
- Sticky secure MAC addresses
Explanation: With sticky secure MAC addressing, the MAC addresses can be either dynamically learned or manually configured and then stored in the address table and added to the running configuration file. In contrast, dynamic secure MAC addressing provides for dynamically learned MAC addressing that is stored only in the address table.
22. Assume that BPDU Guard has been enabled globally on all access ports. However, one port must not be configured with the feature. Which command would explicitly disable BPDU Guard on that switch port?
- S1(config)# no spanning-tree bpduguard default
- S1(config)# no spanning-tree portfast bpduguard default
- S1(config-if)# no enable spanning-tree bpduguard
- S1(config-if)# no spanning-tree bpduguard enable
- S1(config-if)# no spanning-tree portfast bpduguard
Explanation: BPDU guard can be enabled on all PortFast-enabled ports by using the spanning-tree portfast bpduguard default global configuration command. Alternatively, BPDU guard can be enabled on a PortFast-enabled port through the use of the spanning-tree bpduguard enable interface configuration command.
23. Which DAI command checks the source MAC address in the Ethernet header against the target MAC address in the ARP body?
- ip arp inspection validate dst-mac
- ip arp inspection validate dst-mac ip
- ip arp inspection validate ip
- ip arp inspection validate src-mac
Explanation: DAI can be configured to validate the destination MAC address, the source MAC address, and the IPv4 addresses carried in ARP packets. The destination MAC check compares the destination MAC address in the Ethernet header against the target MAC address in the ARP body. The source MAC check compares the source MAC address in the Ethernet header against the sender MAC address in the ARP body. The IP address check inspects the ARP body for invalid and unexpected IP addresses, including 0.0.0.0, 255.255.255.255, and all IP multicast addresses.
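The following Python model is an added example for questions 11 and 23; it is not part of the quiz and not Cisco code. It applies the three `ip arp inspection validate` checks (dst-mac, src-mac, ip) and the DHCP snooping binding check to constructed ARP frames. The binding table, the trusted uplink `Gi0/1`, the inspected VLAN 10 and all MAC and IP values are assumptions chosen for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Tuple

@dataclass(frozen=True)
class ArpFrame:
    """Constructed ARP-over-Ethernet frame: Ethernet header fields plus ARP body fields."""
    in_port: str
    vlan: int
    eth_src: str       # source MAC in the Ethernet header
    eth_dst: str       # destination MAC in the Ethernet header
    sender_mac: str    # sender hardware address in the ARP body
    sender_ip: str     # sender protocol address in the ARP body
    target_mac: str    # target hardware address in the ARP body
    target_ip: str     # target protocol address in the ARP body
    is_reply: bool     # True for ARP replies, False for ARP requests

# Constructed DHCP snooping binding table, (vlan, mac) -> ip, as DAI would consult it.
BINDINGS = {
    (10, "00:11:22:33:44:55"): "10.0.10.20",
    (10, "00:11:22:33:44:66"): "10.0.10.21",
}
TRUSTED_PORTS = {"Gi0/1"}   # assumed uplink to the router: ip arp inspection trust
DAI_VLANS = {10}            # assumed: ip arp inspection vlan 10

def _unexpected_ip(ip: str) -> bool:
    """The addresses the 'ip' validation rejects: 0.0.0.0, 255.255.255.255 and multicast."""
    return ip in ("0.0.0.0", "255.255.255.255") or IPv4Address(ip).is_multicast

def inspect_arp(frame: ArpFrame, validate=("src-mac", "dst-mac", "ip")) -> Tuple[bool, str]:
    """Return (forwarded, reason) for one ARP frame.

    'validate' mirrors the keywords of 'ip arp inspection validate'. Trusted ports
    and VLANs not under inspection bypass every check, as on the switch.
    """
    if frame.vlan not in DAI_VLANS:
        return True, "vlan not inspected"
    if frame.in_port in TRUSTED_PORTS:
        return True, "trusted port"
    # src-mac: Ethernet source vs ARP sender MAC, checked on requests and replies
    if "src-mac" in validate and frame.eth_src.lower() != frame.sender_mac.lower():
        return False, "src-mac: Ethernet source != ARP sender MAC"
    # dst-mac: Ethernet destination vs ARP target MAC, meaningful only on unicast replies
    if "dst-mac" in validate and frame.is_reply and frame.eth_dst.lower() != frame.target_mac.lower():
        return False, "dst-mac: Ethernet destination != ARP target MAC"
    # ip: sender IP on every packet, target IP only on replies
    if "ip" in validate:
        if _unexpected_ip(frame.sender_ip) or (frame.is_reply and _unexpected_ip(frame.target_ip)):
            return False, "ip: invalid or unexpected IP in ARP body"
    # binding check on untrusted ports: sender MAC/IP must match the DHCP snooping binding
    if BINDINGS.get((frame.vlan, frame.sender_mac.lower())) != frame.sender_ip:
        return False, "binding: sender MAC/IP not in DHCP snooping table"
    return True, "ok"

if __name__ == "__main__":
    legit = ArpFrame("Fa0/2", 10, "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff",
                     "00:11:22:33:44:55", "10.0.10.20", "00:00:00:00:00:00", "10.0.10.1", False)
    # a reply claiming the gateway address 10.0.10.1 for a host bound to 10.0.10.20
    poison = ArpFrame("Fa0/2", 10, "00:11:22:33:44:55", "00:11:22:33:44:66",
                      "00:11:22:33:44:55", "10.0.10.1", "00:11:22:33:44:66", "10.0.10.21", True)
    for f in (legit, poison):
        print(f.in_port, inspect_arp(f))
```

The order of the checks matters for reading switch logs: the header-versus-body validations run first, and only an ARP packet that passes them is compared against the binding table, which is why the ARP poisoning attempt above is reported as a binding failure rather than a MAC mismatch.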
24. What is the result of entering the ip dhcp snooping limit rate 4 interface configuration command?
- The port can receive up to 4 DHCP discovery messages per second.
- The port can receive up to 4 DHCP offer messages per second.
- The port can send up to 4 DHCP messages per second.
- The port can send up to 4 DHCP offer discovery messages per second.
Explanation: When DHCP snooping is being configured, the number of DHCP discovery messages that untrusted ports can receive per second should be rate-limited by using the ip dhcp snooping limit rate interface configuration command. When a port receives more messages than the rate allows, the extra messages will be dropped.
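The following Python model is an added example for questions 7, 10 and 24; it is not part of the quiz and not Cisco code. It models a switch running DHCP snooping on VLAN 10 with one trusted uplink and a per-port rate limit, shows what happens to server messages and to excess DISCOVER messages on untrusted ports, and builds the binding table that DAI and IP Source Guard rely on. The port names, rate limit of 4, MAC addresses and timestamps are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Tuple

CLIENT_MSGS = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}

@dataclass
class DhcpMsg:
    """Constructed DHCP message as the switch sees it (only the fields snooping looks at)."""
    in_port: str
    vlan: int
    eth_src: str          # source MAC of the Ethernet frame
    chaddr: str           # client hardware address field inside the DHCP payload
    kind: str             # DISCOVER / OFFER / REQUEST / ACK / NAK / ...
    yiaddr: str = ""      # address offered or assigned, present in server messages
    ts: float = 0.0       # arrival time in seconds, used for the rate limit

@dataclass
class DhcpSnooping:
    snooping_vlans: set                                  # ip dhcp snooping vlan ...
    trusted: set                                         # ports with ip dhcp snooping trust
    rate_limit: dict = field(default_factory=dict)       # port -> pps (ip dhcp snooping limit rate N)
    bindings: dict = field(default_factory=dict)         # (vlan, mac) -> (ip, client port)
    err_disabled: set = field(default_factory=set)
    seen: dict = field(default_factory=lambda: defaultdict(list))  # port -> recent arrival times
    pending: dict = field(default_factory=dict)          # (vlan, chaddr) -> untrusted port of the client

    def process(self, m: DhcpMsg) -> Tuple[bool, str]:
        """Return (forwarded, reason) and update the binding table as the switch would."""
        if m.vlan not in self.snooping_vlans:
            return True, "vlan not snooped"
        if m.in_port in self.err_disabled:
            return False, "port err-disabled"
        if m.in_port in self.trusted:
            # a DHCPACK from a legitimate server completes a binding for the client port
            if m.kind == "ACK":
                client_port = self.pending.pop((m.vlan, m.chaddr.lower()), None)
                if client_port is not None:
                    self.bindings[(m.vlan, m.chaddr.lower())] = (m.yiaddr, client_port)
            return True, "trusted port"
        # everything below applies to untrusted (host-facing) ports
        if m.kind in SERVER_MSGS:
            return False, "server message on untrusted port"   # blocks a rogue DHCP server
        limit = self.rate_limit.get(m.in_port)
        if limit is not None:
            window = [t for t in self.seen[m.in_port] if m.ts - t < 1.0] + [m.ts]
            self.seen[m.in_port] = window
            if len(window) > limit:
                # excess messages are dropped; IOS also err-disables the port in this case
                self.err_disabled.add(m.in_port)
                return False, "rate limit exceeded, port err-disabled"
        if m.eth_src.lower() != m.chaddr.lower():
            return False, "chaddr does not match frame source MAC"   # MAC verification
        self.pending[(m.vlan, m.chaddr.lower())] = m.in_port
        return True, "client message forwarded"

if __name__ == "__main__":
    sw = DhcpSnooping(snooping_vlans={10}, trusted={"Gi0/1"}, rate_limit={"Fa0/2": 4})
    host, server = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
    exchange = [
        DhcpMsg("Fa0/2", 10, host, host, "DISCOVER", ts=0.0),
        DhcpMsg("Fa0/2", 10, "de:ad:be:ef:00:01", host, "OFFER", yiaddr="10.0.10.99", ts=0.1),  # rogue
        DhcpMsg("Gi0/1", 10, server, host, "OFFER", yiaddr="10.0.10.20", ts=0.2),
        DhcpMsg("Fa0/2", 10, host, host, "REQUEST", ts=0.3),
        DhcpMsg("Gi0/1", 10, server, host, "ACK", yiaddr="10.0.10.20", ts=0.4),
    ]
    for msg in exchange:
        print(msg.in_port, msg.kind, sw.process(msg))
    print("bindings:", sw.bindings)
```

Two design points mirror the quiz explanations: the trusted/untrusted decision is made before any rate or content check, so a trusted port never counts against a limit, and the binding is only recorded on the ACK seen from the trusted side, so an untrusted host cannot create a binding for itself by sending server messages.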
25. Port security has been enabled on a switch port. Which violation mode is in use by default?
Explanation: If no violation mode is specified when port security is enabled on a switch port, the security violation mode defaults to “shutdown”.
26. Which techniques should be used to mitigate VLAN attacks? (Choose three.)
- Disable DTP.
- Enable BPDU guard.
- Enable Source Guard.
- Enable trunking manually.
- Set the native VLAN to an unused VLAN.
- Use private VLANs.
Explanation: Mitigating a VLAN attack can be done by disabling Dynamic Trunking Protocol (DTP), manually setting ports to trunking mode, and by setting the native VLAN of trunk links to VLANs not in use.
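The following Python audit script is an added example for questions 1, 3, 5, 13, 20, 22 and 26; it is not part of the quiz and not Cisco code. It parses an IOS-style running-config and reports ports that violate the best practices these questions describe: trunks left on native VLAN 1 or still running DTP, ports with no static mode, and end-user ports without PortFast, BPDU guard or port security. The sample configuration is constructed for the example; the parser assumes the usual IOS layout of `interface` stanzas with one-space-indented lines.

```python
from collections import OrderedDict

def parse_ios(config: str):
    """Split an IOS-style config into global lines and {interface name: [interface lines]}."""
    global_lines, ifaces, current = [], OrderedDict(), None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, ifaces

def audit(config: str) -> dict:
    """Return {interface: [finding, ...]} for ports that miss the recommended settings."""
    global_lines, ifaces = parse_ios(config)
    pf_default = "spanning-tree portfast default" in global_lines
    bg_default = "spanning-tree portfast bpduguard default" in global_lines
    findings = {}
    for name, lines in ifaces.items():
        def has(prefix):
            # True if an interface line is exactly 'prefix' or starts with 'prefix '
            return any(l == prefix or l.startswith(prefix + " ") for l in lines)
        if has("shutdown"):
            continue   # administratively down: the recommended state for an unused port
        f = []
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode == "trunk":
            native = next((int(l.split()[-1]) for l in lines
                           if l.startswith("switchport trunk native vlan ")), 1)  # IOS default is 1
            if native == 1:
                f.append("native VLAN is 1: move it to an unused VLAN")
            if not has("switchport nonegotiate"):
                f.append("DTP enabled on trunk: add switchport nonegotiate")
        elif mode == "access":
            portfast = (pf_default or has("spanning-tree portfast")) and not has("spanning-tree portfast disable")
            bpduguard = ((bg_default and portfast) or has("spanning-tree bpduguard enable")) \
                and not has("spanning-tree bpduguard disable")
            if not portfast:
                f.append("PortFast missing on end-user port")
            if not bpduguard:
                f.append("BPDU guard missing: a rogue switch could be attached")
            if not has("switchport port-security"):
                f.append("port security not configured")
        else:
            f.append("no static mode (DTP dynamic auto): set switchport mode access, or shutdown if unused")
        if f:
            findings[name] = f
    return findings

# Constructed sample running-config for the example (not from a real device).
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast default
!
interface GigabitEthernet0/1
 description uplink to core (constructed)
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport access vlan 10
!
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/24
 shutdown
!
"""

if __name__ == "__main__":
    for iface, issues in audit(SAMPLE_CONFIG).items():
        for issue in issues:
            print(f"{iface}: {issue}")
```

Running it on the sample flags `FastEthernet0/2` (native VLAN 1 and DTP still on), `FastEthernet0/3` (no static mode, so DTP could negotiate a trunk) and `FastEthernet0/4` (no BPDU guard or port security), while the hardened uplink, the hardened access port and the shut-down spare port produce no findings. The BPDU guard check deliberately honours the global `spanning-tree portfast bpduguard default` only on ports that actually have PortFast, which is how the global command behaves.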
27. Port security has been enabled on interface Fa0/1 and the show port-security interface fa0/1 command has been entered. What does the Port Status “Secure-up” message indicate?
- The Fa0/1 port is currently error-disabled.
- The Fa0/1 port violation mode is “protect”.
- There are no hosts connected to the secured Fa0/1 port.
- There is a host connected to the secured Fa0/1 port.
Explanation: A Port Status of Secure-down means there are no hosts connected. Secure-up means there is at least one host connected to the port. Secure-shutdown means the port is error-disabled.
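The following Python model is an added example for questions 9, 15, 17, 18, 19, 21, 25 and 27; it is not part of the quiz and not Cisco code. It models one access port with port security enabled: the default violation mode, static, dynamic and sticky secure addresses, what each violation mode does when the maximum is exceeded, the `Secure-up` / `Secure-down` / `Secure-shutdown` status, the `shutdown` followed by `no shutdown` recovery, and which addresses survive a reboot depending on whether the configuration was saved. Port names, MAC addresses and the notification text are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """Model of one access port with 'switchport port-security' enabled (constructed)."""
    name: str
    maximum: int = 1                    # switchport port-security maximum N (default 1)
    violation: str = "shutdown"         # mode used when none is specified
    sticky: bool = False                # switchport port-security mac-address sticky
    static: set = field(default_factory=set)          # manually configured secure MACs
    dynamic: set = field(default_factory=set)         # learned, kept only in the address table
    sticky_learned: set = field(default_factory=set)  # learned, also written to running-config
    startup_sticky: set = field(default_factory=set)  # sticky MACs saved to startup-config
    err_disabled: bool = False
    admin_down: bool = False
    link_up: bool = False
    violations: int = 0
    notifications: list = field(default_factory=list)

    def secure(self) -> set:
        return self.static | self.dynamic | self.sticky_learned

    def status(self) -> str:
        """Port Status as shown by 'show port-security interface'."""
        if self.err_disabled:
            return "Secure-shutdown"
        return "Secure-up" if self.link_up else "Secure-down"

    def receive(self, src_mac: str) -> bool:
        """Handle one frame from src_mac; return True if it is forwarded."""
        if self.err_disabled or self.admin_down:
            return False
        self.link_up = True
        src_mac = src_mac.lower()
        if src_mac in self.secure():
            return True
        if len(self.secure()) < self.maximum:
            # room left: learn it, as sticky or plain dynamic depending on configuration
            (self.sticky_learned if self.sticky else self.dynamic).add(src_mac)
            return True
        self.violations += 1
        if self.violation == "protect":
            return False                               # drop silently
        if self.violation == "restrict":
            # constructed notification text, standing in for the syslog/SNMP message
            self.notifications.append(f"port-security violation: {src_mac} on {self.name}")
            return False
        self.err_disabled = True                       # shutdown mode: port goes err-disabled
        self.link_up = False
        return False

    def shutdown(self):
        self.admin_down, self.link_up = True, False

    def no_shutdown(self):
        # 'no shutdown' alone does not clear err-disabled; it must follow 'shutdown'
        if self.admin_down:
            self.err_disabled, self.admin_down = False, False

    def running_config(self) -> str:
        lines = [f"interface {self.name}", " switchport mode access", " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        lines += [f" switchport port-security mac-address {m}" for m in sorted(self.static)]
        lines += [f" switchport port-security mac-address sticky {m}" for m in sorted(self.sticky_learned)]
        return "\n".join(lines)

    def save(self):
        """copy running-config to startup-config: sticky addresses become persistent"""
        self.startup_sticky = set(self.sticky_learned)

    def reboot(self):
        """Dynamic addresses are lost; sticky ones survive only if they were saved."""
        self.dynamic = set()
        self.sticky_learned = set(self.startup_sticky)
        self.err_disabled = self.link_up = self.admin_down = False

if __name__ == "__main__":
    p = SecurePort("Fa0/1", maximum=2, violation="restrict", sticky=True)
    for mac in ("00:11:22:33:44:55", "00:11:22:33:44:66", "00:11:22:33:44:77"):
        print(mac, "forwarded" if p.receive(mac) else "dropped", p.status())
    print(p.running_config())
    print("notifications:", p.notifications)
```

The model makes the quiz distinctions explicit: restrict is the only mode that both drops the frame and records a notification, the default mode err-disables the port on the very first violation, and a port that was err-disabled only returns to service through `shutdown` followed by `no shutdown` once the cause has been investigated.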