Module 14: Quiz – Layer 2 Security Considerations (Answers) Network Security

1. What is the only type of traffic that is forwarded by a PVLAN protected port to other protected ports?

  • broadcast
  • control
  • user
  • management

Explanation: PVLAN protected ports do not exchange any data traffic with other protected ports. The only traffic that is exchanged between protected ports is control traffic generated by network devices.

2. A network administrator is configuring DAI on a switch with the command ip arp inspection validate src-mac. What is the purpose of this configuration command?

  • It checks the source MAC address in the Ethernet header against the user-configured ARP ACLs.
  • It checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.
  • It checks the source MAC address in the Ethernet header against the target MAC address in the ARP body.
  • It checks the source MAC address in the Ethernet header against the MAC address table.

Explanation: DAI can be configured to check for both destination or source MAC and IP addresses:

  • Destination MAC – Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body.
  • Source MAC – Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.
  • IP address – Checks the ARP body for invalid and unexpected IP addresses including addresses 0.0.0.0, 255.255.255.255, and all IP multicast addresses.

3. What mitigation plan is best for thwarting a DoS attack that is creating a MAC address table overflow?

  • Disable STP.
  • Enable port security.
  • Disable DTP.
  • Place unused ports in an unused VLAN.

Explanation: A MAC address (CAM) table overflow attack, buffer overflow, and MAC address spoofing can all be mitigated by configuring port security. A network administrator would typically not want to disable STP because it prevents Layer 2 loops. DTP is disabled to prevent VLAN hopping. Placing unused ports in an unused VLAN prevents unauthorized wired connectivity.

4. What network attack seeks to create a DoS for clients by preventing them from being able to obtain a DHCP lease?

  • DHCP starvation
  • DHCP spoofing
  • CAM table attack
  • IP address spoofing

Explanation: DCHP starvation attacks are launched by an attacker with the intent to create a DoS for DHCP clients. To accomplish this goal, the attacker uses a tool that sends many DHCPDISCOVER messages in order to lease the entire pool of available IP addresses, thus denying them to legitimate hosts.

5. When security is a concern, which OSI Layer is considered to be the weakest link in a network system?​

  • Layer 3
  • Layer 7
  • Layer 2
  • Layer 4

Explanation: Security is only as strong as the weakest link in the system, and Layer 2 is considered to be that weakest link. In addition to protecting Layer 3 to Layer 7, network security professionals must also mitigate attacks to the Layer 2 LAN infrastructure.

6. If two switches are configured with the same priority and the same extended system ID, what determines which switch becomes the root bridge?

  • the lowest IP address
  • the MAC address with the highest hexadecimal value
  • the highest BID
  • the Layer 2 address with the lowest hexadecimal value

Explanation: When other factors are equal, the switch with the lowest MAC address will have the lowest BID, and will become the root bridge. STP functions on Layer 2 and does not use IP addressing as a factor.​

7. Which statement describes the behavior of a switch when the MAC address table is full?

  • It treats frames as unknown unicast and floods all incoming frames to all ports on the switch.
  • It treats frames as unknown unicast and floods all incoming frames to all ports within the collision domain.
  • It treats frames as unknown unicast and floods all incoming frames to all ports across multiple switches.
  • It treats frames as unknown unicast and floods all incoming frames to all ports within the local VLAN.

Explanation: When the MAC address table is full, the switch treats the frame as an unknown unicast and begins to flood all incoming traffic to all ports only within the local VLAN.

8. A cybersecurity analyst is using the macof tool to evaluate configurations of switches deployed in the backbone network of an organization. Which type of LAN attack is the analyst targeting during this evaluation?

  • VLAN hopping
  • MAC address table overflow
  • DHCP spoofing
  • VLAN double-tagging

Explanation: Macof is a network attack tool and is mainly used to flood LAN switches with MAC addresses.

9. What determines which switch becomes the STP root bridge for a given VLAN?

  • the highest priority
  • the lowest bridge ID
  • the highest MAC address
  • the lowest IP address

Explanation: STP uses a root bridge as a central point for all spanning tree calculations. To select a root bridge, STP conducts an election process. All switches in the broadcast domain participate in the election process. The switch with the lowest bridge ID, or BID, is elected as the root bridge. The BID is made up of a priority value, an extended system ID, and the MAC address of the switch.

10. What action can a network administrator take to help mitigate the threat of VLAN hopping attacks?

  • Configure all switch ports to be members of VLAN 1.
  • Enable PortFast on all switch ports.
  • Disable automatic trunking negotiation.
  • Disable VTP.

Explanation: There are two methods for mitigating VLAN hopping attacks:

  1. disabling automatic trunking negotiation on switchports
  2. turning trunking off on all unused nontrunk switchport

11. Which two Cisco solutions help prevent DHCP starvation attacks? (Choose two.)

  • Port Security
  • DHCP Snooping
  • Web Security Appliance
  • Dynamic ARP Inspection
  • IP Source Guard

Explanation: Cisco provides solutions to help mitigate Layer 2 attacks including these:

  • IP Source Guard (IPSG) – prevents MAC and IP address spoofing attacks
  • Dynamic ARP Inspection (DAI) – prevents ARP spoofing and ARP poisoning attacks
  • DHCP Snooping – prevents DHCP starvation and SHCP spoofing attacks
  • Port Security – prevents many types of attacks including MAC table overflow attacks and DHCP starvation attacks

Web Security Appliance (WSA) is a mitigation technology for web-based threats.

12. What is the only type of port that an isolated port can forward traffic to on a private VLAN?

  • another isolated port
  • any access port in the same PVLAN
  • a community port
  • a promiscuous port

Explanation: PVLANs are used to provide Layer 2 isolation between ports within the same broadcast domain. The level of isolation can be specified with three types of PVLAN ports:

  • Promiscuous ports that can forward traffic to all other ports
  • Isolated ports that can only forward traffic to promiscuous ports
  • Community ports that can forward traffic to other community ports and promiscuous ports

13. What additional security measure must be enabled along with IP Source Guard to protect against address spoofing?

  • port security
  • BPDU Guard
  • DHCP snooping
  • root guard

Explanation: Like Dynamic ARP Inspection (DAI), IP Source Guard (IPSG) needs to determine the validity of MAC-address-to-IP-address bindings. To do this IPSG uses the bindings database built by DHCP snooping.


Related Articles

guest
0 Comments
Inline Feedbacks
View all comments