CCNA 4 v6 Chapter 5: Check Your Understanding Questions Answers

CCNA 4 v6.0 (Connecting Networks v6) Chapter 5: Network Security and Monitoring: Check Your Understanding Questions Answers

1. Which statement describes SNMP operation?

  • A get request is used by the SNMP agent to query the device for data.
  • A set request is used by the NMS to change configuration variables in the agent device.
  • An NMS periodically polls the SNMP agents that are residing on managed devices by using traps to query the devices for data.
  • An SNMP agent that resides on a managed device collects information about the device and stores that information remotely in the MIB that is located on the NMS.

Explanation: An SNMP agent that resides on a managed device collects and stores information about the device and its operation. This information is stored by the agent locally in the MIB. An NMS periodically polls the SNMP agents that are residing on managed devices by using the get request to query the devices for data. A set request is used by the NMS to change the configuration in the agent device or to initiate actions within a device.

2. Which SNMP feature provides a solution to the main disadvantage of SNMP polling?

  • SNMP community strings
  • SNMP get messages
  • SNMP set messages
  • SNMP trap messages

Explanation: To solve the issue of the delay that exists between when an event occurs and the time it is noticed via polling by the NMS, you can use SNMP trap messages. SNMP trap messages are generated from SNMP agents and are sent to the NMS immediately to inform it of certain events without having to wait for the device to be polled by the NMS.

3. When SNMPv1 or SNMPv2 is being used, which feature provides secure access to MIB objects?

  • Community strings
  • Message integrity
  • Packet encryption
  • Source validation

Explanation: SNMPv1 and SNMPv2 use community strings to control access to the MIB. SNMPv3 uses encryption, message integrity, and source validation.

4. Which SNMP version uses weak community string-based access control and supports bulk retrieval?

  • SNMPv1
  • SNMPv2c
  • SNMPv3
  • SNMPv2Classic

Explanation: Both SNMPv1 and SNMPv2c use a community-based form of security, and community strings are plaintext passwords. Plaintext passwords are not considered a strong security mechanism. Version 1 is a legacy solution and not often encountered in networks today.

5. A network administrator has issued the snmp-server user admin1 admin v3 encrypted auth md5 abc789 priv des 256 key99 command. What are two features of this command? (Choose two.)

  • It adds a new user to the SNMP group.
  • It allows a network administrator to configure a secret encrypted password on the SNMP server.
  • It forces the network manager to log in to the agent to retrieve the SNMP messages.
  • It restricts SNMP access to defined SNMP managers.
  • It uses the MD5 authentication of the SNMP messages.

Explanation: The command snmp-server user admin1 admin v3 encrypted auth md5 abc789 priv des 256 key99 creates a new user and configures authentication with MD5. The command does not use a secret encrypted password on the server. The command snmp-server community string access-list-number-or-name restricts SNMP access to defined SNMP managers.

6. A network administrator issues two commands on a router:

R1(config)# snmp-server host 10.10.50.25 version 2c campus
R1(config)# snmp-server enable traps

What can be concluded after the commands are entered?

  • If an interface comes up, a trap is sent to the server.
  • No traps are sent because the notification-types argument was not specified yet.
  • The snmp-server enable traps command needs to be used repeatedly if a particular subset of trap types is desired.
  • Traps are sent using the source IP address 10.10.50.25.

Explanation: The snmp-server enable traps command enables SNMP to send trap messages to the NMS at 10.10.50.25. The notification-types argument can be used to specify which types of traps are sent. If this argument is not used, all trap types are sent. If the notification-types argument is used, the command must be repeated for each additional subset of trap types that is desired.

7. Which security feature should be enabled to prevent an attacker from overflowing the MAC address table of a switch?

  • BPDU filter
  • Port security
  • Root guard
  • Storm control

Explanation: Port security limits the number of source MAC addresses allowed through a switch port. This feature can prevent an attacker from flooding a switch with many spoofed MAC addresses.

8. What protocol should be disabled to help mitigate VLAN hopping attacks?

  • ARP
  • CDP
  • DTP
  • STP

Explanation: To mitigate a VLAN hopping attack, disable Dynamic Trunking Protocol (DTP) and set the native VLAN of trunk links to a VLAN not in use.

9. What network attack seeks to create a DoS for clients by preventing them from being able to obtain a DHCP lease?

  • CAM table attack
  • DHCP spoofing attack
  • DHCP starvation attack
  • IP address spoofing

Explanation: DHCP starvation attacks are launched by an attacker with the intent to create a DoS situation for DHCP clients. To accomplish this goal, the attacker uses a tool that sends many DHCPDISCOVER messages to lease the entire pool of available IP addresses, thus denying them to legitimate hosts.

10. What represents a best practice concerning discovery protocols such as CDP and LLDP on network devices?

  • Disable both protocols on all interfaces where they are not required.
  • Enable CDP on edge devices and enable LLDP on interior devices.
  • Use the default router settings for CDP and LLDP.
  • Use the open standard LLDP rather than CDP.

Explanation: Both discovery protocols can provide hackers with sensitive network information. They should not be enabled on edge devices and should be disabled globally or on a per-interface basis if not required. CDP is enabled by default.

11. Why is the SPAN feature necessary on today’s switches?

  • Switches do not flood traffic on all ports; they switch traffic based on destination MAC address.
  • Switches flood data traffic on all ports, overloading probes and traffic sniffers.
  • Switches flood control traffic on all ports, overloading probes and traffic sniffers.

Explanation: The SPAN feature copies or mirrors traffic between an ingress and egress port.

12. Which command should you use to verify the SPAN session?

  • show monitor
  • show monitor span
  • show monitor span session
  • show session

Explanation: The show monitor command enables you to verify the SPAN session. The command displays the type of the session, the source ports for each traffic direction, and the destination port.
