11.6.4 Module Quiz – Switch Security Configuration Answers
1. What is a recommended best practice when dealing with the native VLAN?
- Use port security.
- Turn off DTP.
- Assign it to an unused VLAN.
- Assign the same VLAN number as the management VLAN.
2. On what switch ports should PortFast be enabled to enhance STP stability?
- only ports that are elected as designated ports
- all trunk ports that are not root ports
- all end-user ports
- only ports that attach to a neighboring switch
3. Which command would be best to use on an unused switch port if a company adheres to the best practices as recommended by Cisco?
- switchport port-security mac-address sticky mac-address
- ip dhcp snooping
- switchport port-security violation shutdown
- switchport port-security mac-address sticky
4. Which two features on a Cisco Catalyst switch can be used to mitigate DHCP starvation and DHCP spoofing attacks? (Choose two.)
- DHCP server failover
- extended ACL
- port security
- DHCP snooping
- strong password on DHCP servers
5. What is the best way to prevent a VLAN hopping attack?
- Use ISL encapsulation on all trunk links.
- Disable STP on all nontrunk ports.
- Use VLAN 1 as the native VLAN on trunk ports.
- Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports.
6. Which procedure is recommended to mitigate the chances of ARP spoofing?
- Enable port security globally.
- Enable DHCP snooping on selected VLANs.
- Enable IP Source Guard on trusted ports.
- Enable DAI on the management VLAN.
7. What are two types of switch ports that are used on Cisco switches as part of the defense against DHCP spoofing attacks? (Choose two.)
- unknown port
- trusted DHCP port
- unauthorized port
- established DHCP port
- untrusted port
- authorized DHCP port
8. Which two commands can be used to enable PortFast on a switch? (Choose two.)
- S1(config-if)# enable spanning-tree portfast
- S1(config-if)# spanning-tree portfast
- S1(config)# enable spanning-tree portfast default
- S1(config)# spanning-tree portfast default
- S1(config-line)# spanning-tree portfast
9. An administrator who is troubleshooting connectivity issues on a switch notices that a switch port configured for port security is in the err-disabled state. After verifying the cause of the violation, how should the administrator re-enable the port without disrupting network operation?
- Reboot the switch.
- Issue the shutdown command followed by the no shutdown command on the interface.
- Issue the no switchport port-security command, then re-enable port security.
- Issue the no switchport port-security violation shutdown command on the interface.
10. A network administrator is configuring DHCP snooping on a switch. Which configuration command should be used first?
- ip dhcp snooping
- ip dhcp snooping limit rate
- ip dhcp snooping vlan
- ip dhcp snooping trust
11. A network administrator is configuring DAI on a switch with the command ip arp inspection validate dst-mac. What is the purpose of this configuration command?
- to check the destination MAC address in the Ethernet header against the MAC address table
- to check the destination MAC address in the Ethernet header against the source MAC address in the ARP body
- to check the destination MAC address in the Ethernet header against the user-configured ARP ACLs
- to check the destination MAC address in the Ethernet header against the target MAC address in the ARP body
12. Which security feature should be enabled in order to prevent an attacker from overflowing the MAC address table of a switch?
- storm control
- port security
- BPDU filter
- root guard
13. What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol?
- VLAN hopping
- DHCP spoofing
- ARP poisoning
- ARP spoofing
14. A network administrator is configuring DAI on a switch. Which command should be used on the uplink interface that connects to a router?
- ip arp inspection trust
- ip dhcp snooping
- ip arp inspection vlan
- spanning-tree portfast
15. Where are dynamically learned MAC addresses stored when sticky learning is enabled with the switchport port-security mac-address sticky command?
16. Which method would mitigate a MAC address flooding attack?
- Configuring port security
- Increasing the size of the CAM table
- Increasing the speed of switch ports
- Using ACLs to filter broadcast traffic on the switch
17. Which action will bring an error-disabled switch port back to an operational state?
- Clear the MAC address table on the switch.
- Issue the shutdown and no shutdown interface config commands.
- Issue the switchport mode access interface config command.
- Remove and reconfigure port security on the interface.
18. Which two statements are true regarding switch port security? (Choose two.)
- After entering the sticky parameter, only MAC addresses subsequently learned are converted to secure MAC addresses.
- Dynamically learned secure MAC addresses are lost when the switch reboots.
- If fewer than the maximum number of MAC addresses for a port are configured statically, dynamically learned addresses are added to CAM until the maximum number is reached.
- The three configurable violation modes all log violations via SNMP.
- The three configurable violation modes all require user intervention to reenable ports.
19. Port security has been enabled on access ports to allow a maximum of two MAC addresses. Which port security violation would drop the frame and send a notification to the syslog server if the maximum number of MAC addresses is exceeded?
20. Which feature should be configured on PortFast enabled switches to prevent rogue switches from being added to a network?
- BPDU guard
- DHCP snooping
- Port security
21. Which port security feature enables switches to automatically learn and retain MAC addresses for each port?
- Auto secure MAC addresses
- Dynamic secure MAC addresses
- Static secure MAC addresses
- Sticky secure MAC addresses
22. Assume that BPDU Guard has been enabled globally on all access ports. However, one port must not be configured with the feature. Which command would explicitly disable BPDU Guard on that switch port?
- S1(config)# no spanning-tree bpduguard default
- S1(config)# no spanning-tree portfast bpduguard default
- S1(config-if)# no enable spanning-tree bpduguard
- S1(config-if)# no spanning-tree bpduguard enable
- S1(config-if)# no spanning-tree portfast bpduguard
23. Which DAI command checks the source MAC address in the Ethernet header against the target MAC address in the ARP body?
- ip arp inspection validate dst-mac
- ip arp inspection validate dst-mac ip
- ip arp inspection validate ip
- ip arp inspection validate src-mac
24. What is the result of entering the ip dhcp snooping limit rate 4 interface configuration command?
- The port can receive up to 4 DHCP discovery messages per second.
- The port can receive up to 4 DHCP offer messages per second.
- The port can send up to 4 DHCP messages per second.
- The port can send up to 4 DHCP offer discovery messages per second.
25. Port security has been enabled on a switch port. What is the default violation mode in use by default?
26. What techniques should be done to mitigate VLAN attacks? (Choose three.)
- Disable DTP.
- Enable BPDU guard.
- Enable Source Guard.
- Enable trunking manually.
- Set the native VLAN to an unused VLAN.
- Use private VLANs.
27. Port security has been enabled on interface Fa0/1 and the show port-security interface fa0/1 command has been entered. What does the Port Status “Secure-up” message indicate?
- The Fa0/1 port is currently error-disabled.
- The Fa0/1 port violation mode is “protect”.
- There are no hosts connected to the secured Fa0/1 port.
- There is a host connected to the secured Fa0/1 port.