Network Security ( Version 1) – Network Security 1.0 Modules 13 – 14: Layer 2 and Endpoint Security Group Exam Answers
1. Why are traditional network security perimeters not suitable for the latest consumer-based network endpoint devices?
- These devices are not managed by the corporate IT department.
- These devices pose no risk to security as they are not directly connected to the corporate network.
- These devices connect to the corporate network through public wireless networks.
- These devices are more varied in type and are portable.
2. What two internal LAN elements need to be secured? (Choose two.)
- edge routers
- IP phones
- fiber connections
- cloud-based hosts
3. What are two examples of traditional host-based security measures? (Choose two.)
- host-based IPS
- antimalware software
- host-based NAC
4. In an 802.1x deployment, which device is a supplicant?
- RADIUS server
- access point
- end-user station
5. A company implements 802.1X security on the corporate network. A PC is attached to the network but has not authenticated yet. Which 802.1X state is associated with this PC?
6. An 802.1X client must authenticate before being allowed to pass data traffic onto the network. During the authentication process, between which two devices is the EAP data encapsulated into EAPOL frames? (Choose two.)
- data nonrepudiation server
- authentication server (TACACS)
- supplicant (client)
- authenticator (switch)
- ASA Firewall
7. Which command is used as part of the 802.1X configuration to designate the authentication method that will be used?
- dot1x system-auth-control
- aaa authentication dot1x
- aaa new-model
- dot1x pae authenticator
8. What is involved in an IP address spoofing attack?
- A rogue node replies to an ARP request with its own MAC address indicated for the target IP address.
- Bogus DHCPDISCOVER messages are sent to consume all the available IP addresses on a DHCP server.
- A rogue DHCP server provides false IP configuration parameters to legitimate DHCP clients.
- A legitimate network IP address is hijacked by a rogue node.
9. At which layer of the OSI model does Spanning Tree Protocol operate?
- Layer 1
- Layer 2
- Layer 3
- Layer 4
10. A network administrator uses the spanning-tree loopguard default global configuration command to enable Loop Guard on switches. What components in a LAN are protected with Loop Guard?
- All Root Guard enabled ports.
- All PortFast enabled ports.
- All point-to-point links between switches.
- All BPDU Guard enabled ports.
11. Which procedure is recommended to mitigate the chances of ARP spoofing?
- Enable DHCP snooping on selected VLANs.
- Enable IP Source Guard on trusted ports.
- Enable DAI on the management VLAN.
- Enable port security globally.
12. Which two ports can send and receive Layer 2 traffic from a community port on a PVLAN? (Choose two.)
- community ports belonging to other communities
- promiscuous ports
- isolated ports within the same community
- PVLAN edge protected ports
- community ports belonging to the same community
13. Which protocol should be used to mitigate the vulnerability of using Telnet to remotely manage network devices?
14. How can DHCP spoofing attacks be mitigated?
- by disabling DTP negotiations on nontrunking ports
- by implementing port security
- by the application of the ip verify source command to untrusted ports
- by implementing DHCP snooping on trusted ports
15. Refer to the exhibit. The network administrator is configuring the port security feature on switch SWC. The administrator issued the command show port-security interface fa 0/2 to verify the configuration. What can be concluded from the output that is shown? (Choose three.)
- Three security violations have been detected on this interface.
- This port is currently up.
- The port is configured as a trunk link.
- Security violations will cause this port to shut down immediately.
- There is no device currently connected to this port.
- The switch port mode for this interface is access mode.
16. Two devices that are connected to the same switch need to be totally isolated from one another. Which Cisco switch security feature will provide this isolation?
- PVLAN Edge
- BPDU guard
17. What is the behavior of a switch as a result of a successful CAM table attack?
- The switch will drop all received frames.
- The switch interfaces will transition to the error-disabled state.
- The switch will forward all received frames to all other ports.
- The switch will shut down.
18. Which protocol defines port-based authentication to restrict unauthorized hosts from connecting to the LAN through publicly accessible switch ports?
19. What device is considered a supplicant during the 802.1X authentication process?
- the router that is serving as the default gateway
- the authentication server that is performing client authentication
- the client that is requesting authentication
- the switch that is controlling network access
20. Which term describes the role of a Cisco switch in the 802.1X port-based access control?
- authentication server
21. What type of data does the DLP feature of Cisco Email Security Appliance scan in order to prevent customer data from being leaked outside of the company?
- inbound messages
- outbound messages
- messages stored on a client device
- messages stored on the email server
22. What is the goal of the Cisco NAC framework and the Cisco NAC appliance?
- to ensure that only hosts that are authenticated and have had their security posture examined and approved are permitted onto the network
- to monitor data from the company to the ISP in order to build a real-time database of current spam threats from both internal and external sources
- to provide anti-malware scanning at the network perimeter for both authenticated and non-authenticated devices
- to provide protection against a wide variety of web-based threats, including adware, phishing attacks, Trojan horses, and worms
23. Which Cisco solution helps prevent MAC and IP address spoofing attacks?
- Port Security
- DHCP Snooping
- IP Source Guard
- Dynamic ARP Inspection
25. What is the result of a DHCP starvation attack?
- Legitimate clients are unable to lease IP addresses.
- Clients receive IP address assignments from a rogue DHCP server.
- The attacker provides incorrect DNS and default gateway information to clients.
- The IP addresses assigned to legitimate clients are hijacked.
26. A network administrator is configuring DAI on a switch with the command ip arp inspection validate dst-mac . What is the purpose of this configuration command?
- to check the destination MAC address in the Ethernet header against the MAC address table
- to check the destination MAC address in the Ethernet header against the user-configured ARP ACLs
- to check the destination MAC address in the Ethernet header against the target MAC address in the ARP body
- to check the destination MAC address in the Ethernet header against the source MAC address in the ARP body