CCNA 2 v7 Modules 10 – 13 L2 Security and WLANs Exam Answers PDF

Title CCNA 2 v7 Modules 10 – 13 L2 Security and WLANs Exam Answers
Author Amuel Wilson
Course Cisco Certificate Network Associate
Institution Algonquin College
Pages 21
File Size 540.5 KB
File Type PDF



Description

Switching, Routing, and Wireless Essentials (Version 7.00) – L2 Security and WLANs Exam

1. Which Layer 2 attack will result in legitimate users not getting valid IP addresses?
- ARP spoofing
- DHCP starvation (correct)
- IP address spoofing
- MAC address flooding

2. What mitigation plan is best for thwarting a DoS attack that is creating a MAC address table overflow?
- Disable DTP.
- Disable STP.
- Enable port security. (correct)
- Place unused ports in an unused VLAN.

3. Which three Cisco products focus on endpoint security solutions? (Choose three.)
- IPS Sensor Appliance
- Web Security Appliance (correct)
- Email Security Appliance (correct)
- SSL/IPsec VPN Appliance
- Adaptive Security Appliance
- NAC Appliance (correct)

4. True or False? In the 802.1X standard, the client attempting to access the network is referred to as the supplicant.
- true (correct)
- false

5. Which authentication method stores usernames and passwords in the router and is ideal for small networks?
- server-based AAA over TACACS+
- local AAA over RADIUS
- server-based AAA
- local AAA over TACACS+
- local AAA (correct)
- server-based AAA over RADIUS
Explanation: In a small network with a few network devices, AAA authentication can be implemented with the local database and with usernames and passwords stored on the network devices. Authentication using the TACACS+ or RADIUS protocol will require dedicated ACS servers although this authentication solution scales well in a large network.

6. What represents a best practice concerning discovery protocols such as CDP and LLDP on network devices?
- Enable CDP on edge devices, and enable LLDP on interior devices.
- Use the open standard LLDP rather than CDP.
- Use the default router settings for CDP and LLDP.
- Disable both protocols on all interfaces where they are not required. (correct)

Explanation: Both discovery protocols can provide hackers with sensitive network information. They should not be enabled on edge devices, and should be disabled globally or on a per-interface basis if not required. CDP is enabled by default.

7. Which protocol should be used to mitigate the vulnerability of using Telnet to remotely manage network devices?
- SNMP
- TFTP
- SSH (correct)
- SCP
Explanation: Telnet uses plain text to communicate in a network. The username and password can be captured if the data transmission is intercepted. SSH encrypts data communications between two network devices. TFTP and SCP are used for file transfer over the network. SNMP is used in network management solutions.

8. Which statement describes the behavior of a switch when the MAC address table is full?
- It treats frames as unknown unicast and floods all incoming frames to all ports on the switch.
- It treats frames as unknown unicast and floods all incoming frames to all ports across multiple switches.
- It treats frames as unknown unicast and floods all incoming frames to all ports within the local VLAN. (correct)
- It treats frames as unknown unicast and floods all incoming frames to all ports within the collision domain.
Explanation: When the MAC address table is full, the switch treats the frame as an unknown unicast and begins to flood all incoming traffic to all ports only within the local VLAN.

9. What device is considered a supplicant during the 802.1X authentication process?
- the router that is serving as the default gateway
- the authentication server that is performing client authentication
- the client that is requesting authentication (correct)
- the switch that is controlling network access
Explanation: The devices involved in the 802.1X authentication process are as follows:
  - The supplicant, which is the client that is requesting network access
  - The authenticator, which is the switch that the client is connecting to and that is actually controlling physical network access
  - The authentication server, which performs the actual authentication

10. Refer to the exhibit. Port Fa0/2 has already been configured appropriately. The IP phone and PC work properly. Which switch configuration would be most appropriate for port Fa0/2 if the network administrator has the following goals?

No one is allowed to disconnect the IP phone or the PC and connect some other wired device.
If a different device is connected, port Fa0/2 is shut down.
The switch should automatically detect the MAC address of the IP phone and the PC and add those addresses to the running configuration.
- SWA(config-if)# switchport port-security
  SWA(config-if)# switchport port-security mac-address sticky
- SWA(config-if)# switchport port-security
  SWA(config-if)# switchport port-security maximum 2
  SWA(config-if)# switchport port-security mac-address sticky
  SWA(config-if)# switchport port-security violation restrict
- SWA(config-if)# switchport port-security mac-address sticky
  SWA(config-if)# switchport port-security maximum 2
- SWA(config-if)# switchport port-security
  SWA(config-if)# switchport port-security maximum 2
  SWA(config-if)# switchport port-security mac-address sticky (correct)
Explanation: The default mode for a port security violation is to shut down the port so the switchport port-security violation command is not necessary. The switchport port-security command must be entered with no additional options to enable port security for the port. Then, additional port security options can be added.

11. Refer to the exhibit. Port security has been configured on the Fa 0/12 interface of switch S1. What action will occur when PC1 is attached to switch S1 with the applied configuration?
- Frames from PC1 will be forwarded since the switchport port-security violation command is missing.
- Frames from PC1 will be forwarded to its destination, and a log entry will be created.
- Frames from PC1 will be forwarded to its destination, but a log entry will not be created.
- Frames from PC1 will cause the interface to shut down immediately, and a log entry will be made. (correct)
- Frames from PC1 will be dropped, and there will be no log of the violation.
- Frames from PC1 will be dropped, and a log message will be created.
Explanation: Manual configuration of the single allowed MAC address has been entered for port fa0/12. PC1 has a different MAC address and when attached will cause the port to shut down (the default action), a log message to be automatically created, and the violation counter to increment. The default action of shutdown is recommended because the restrict option might fail if an attack is underway.

12. Which type of VLAN-hopping attack may be prevented by designating an unused VLAN as the native VLAN?
- DHCP spoofing
- DHCP starvation
- VLAN double-tagging (correct)
- DTP spoofing
Explanation: Spoofing DTP messages forces a switch into trunking mode as part of a VLAN-hopping attack, but VLAN double tagging works even if trunk ports are disabled. Changing the native VLAN from the default to an unused VLAN reduces the possibility of this type of attack. DHCP spoofing and DHCP starvation exploit vulnerabilities in the DHCP message exchange.

13. A network administrator is configuring DAI on a switch with the command ip arp inspection validate src-mac. What is the purpose of this configuration command?
- It checks the source MAC address in the Ethernet header against the user-configured ARP ACLs.
- It checks the source MAC address in the Ethernet header against the MAC address table.
- It checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body. (correct)
- It checks the source MAC address in the Ethernet header against the target MAC address in the ARP body.
Explanation: DAI can be configured to check for both destination or source MAC and IP addresses:
  - Destination MAC – Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body.
  - Source MAC – Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.
  - IP address – Checks the ARP body for invalid and unexpected IP addresses including addresses 0.0.0.0, 255.255.255.255, and all IP multicast addresses.

14. Which two commands can be used to enable BPDU guard on a switch? (Choose two.)
- S1(config)# spanning-tree bpduguard default
- S1(config-if)# spanning-tree portfast bpduguard
- S1(config)# spanning-tree portfast bpduguard default (correct)
- S1(config-if)# enable spanning-tree bpduguard
- S1(config-if)# spanning-tree bpduguard enable (correct)
Explanation: BPDU guard can be enabled on all PortFast-enabled ports by using the spanning-tree portfast bpduguard default global configuration command.

Alternatively, BPDU guard can be enabled on a PortFast-enabled port through the use of the spanning-tree bpduguard enable interface configuration command.

15. As part of the new security policy, all switches on the network are configured to automatically learn MAC addresses for each port. All running configurations are saved at the start and close of every business day. A severe thunderstorm causes an extended power outage several hours after the close of business. When the switches are brought back online, the dynamically learned MAC addresses are retained. Which port security configuration enabled this?
- auto secure MAC addresses
- dynamic secure MAC addresses
- static secure MAC addresses
- sticky secure MAC addresses (correct)
Explanation: With sticky secure MAC addressing, the MAC addresses can be either dynamically learned or manually configured and then stored in the address table and added to the running configuration file. In contrast, dynamic secure MAC addressing provides for dynamically learned MAC addressing that is stored only in the address table.

16. Which type of management frame may regularly be broadcast by an AP?
- authentication
- probe request
- probe response
- beacon (correct)
Explanation: Beacons are the only management frame that may regularly be broadcast by an AP. Probing, authentication, and association frames are used only during the association (or reassociation) process.

17. What are the two methods that are used by a wireless NIC to discover an AP? (Choose two.)
- delivering a broadcast frame
- receiving a broadcast beacon frame (correct)
- initiating a three-way handshake
- sending an ARP request
- transmitting a probe request (correct)
Explanation: Two methods can be used by a wireless device to discover and register with an access point: passive mode and active mode. In passive mode, the AP sends a broadcast beacon frame that contains the SSID and other wireless settings. In active mode, the wireless device must be manually configured for the SSID, and then the device broadcasts a probe request.

18. A technician is configuring the channel on a wireless router to either 1, 6, or 11. What is the purpose of adjusting the channel?
- to enable different 802.11 standards
- to avoid interference from nearby wireless devices (correct)
- to disable broadcasting of the SSID
- to provide stronger security modes
Explanation: Channels 1, 6, and 11 are selected because they are 5 channels apart, thus minimizing the interference with adjacent channels. A channel frequency can interfere with channels on either side of the main frequency. All wireless devices need to be used on nonadjacent channels.

19. While attending a conference, participants are using laptops for network connectivity. When a guest speaker attempts to connect to the network, the laptop fails to display any available wireless networks. The access point must be operating in which mode?
- mixed
- passive
- active (correct)
- open
Explanation: Active is a mode used to configure an access point so that clients must know the SSID to connect to the access point. APs and wireless routers can operate in a mixed mode, meaning that multiple wireless standards are supported. Open is an authentication mode for an access point that has no impact on the listing of available wireless networks for a client. When an access point is configured in passive mode, the SSID is broadcast so that the name of wireless network will appear in the listing of available networks for clients.

20. A network administrator is required to upgrade wireless access to end users in a building. To provide data rates up to 1.3 Gb/s and still be backward compatible with older devices, which wireless standard should be implemented?
- 802.11n
- 802.11ac (correct)
- 802.11g
- 802.11b
Explanation: 802.11ac provides data rates up to 1.3 Gb/s and is still backward compatible with 802.11a/b/g/n devices. 802.11g and 802.11n are older standards that cannot reach speeds over 1 Gb/s. 802.11ad is a newer standard that can offer theoretical speeds of up to 7 Gb/s.

21. A technician is about to install and configure a wireless network at a small branch office. What is the first security measure the technician should apply immediately upon powering up the wireless router?
- Enable MAC address filtering on the wireless router.
- Configure encryption on the wireless router and the connected wireless devices.
- Change the default user-name and password of the wireless router. (correct)
- Disable the wireless network SSID broadcast.
Explanation: The first action a technician should do to secure a new wireless network is to change the default user-name and password of the wireless router. The next action would usually be to configure encryption. Then once the initial group of wireless hosts have connected to the network, MAC address filtering would be enabled and SSID broadcast disabled. This will prevent new unauthorized hosts from finding and connecting to the wireless network.

22. On a Cisco 3504 WLC dashboard, which option provides access to the full menu of features?
- Access Points
- Network Summary
- Advanced (correct)
- Rogues
Explanation: The Cisco 3504 WLC dashboard displays when a user logs into the WLC. It provides some basic settings and menus that users can quickly access to implement a variety of common configurations. By clicking the Advanced button, the user will access the advanced Summary page and access all the features of the WLC.

23. Which step is required before creating a new WLAN on a Cisco 3500 series WLC?
- Create a new SSID.
- Build or have an SNMP server available.
- Build or have a RADIUS server available.
- Create a new VLAN interface. (correct)
Explanation: Each new WLAN configured on a Cisco 3500 series WLC needs its own VLAN interface. Thus it is required that a new VLAN interface be created first before a new WLAN can be created.

24. A network engineer is troubleshooting a newly deployed wireless network that is using the latest 802.11 standards. When users access high bandwidth services such as streaming video, the wireless network performance is poor. To improve performance the network engineer decides to configure a 5 GHz frequency band SSID and train users to use that SSID for streaming media services. Why might this solution improve the wireless network performance for that type of service?
- Requiring the users to switch to the 5 GHz band for streaming media is inconvenient and will result in fewer users accessing these services.
- The 5 GHz band has more channels and is less crowded than the 2.4 GHz band, which makes it more suited to streaming multimedia. (correct)
- The 5 GHz band has a greater range and is therefore likely to be interference-free.
- The only users that can switch to the 5 GHz band will be those with the latest wireless NICs, which will reduce usage.
Explanation: Wireless range is determined by the access point antenna and output power, not the frequency band that is used. In this scenario it is stated that all users have wireless NICs that comply with the latest standard, and so all can access the 5 GHz band. Although some users may find it inconvenient to switch to the 5 GHz band to access streaming services, it is the greater number of channels, not just fewer users, that will improve network performance.

25. A network administrator is configuring a RADIUS server connection on a Cisco 3500 series WLC. The configuration requires a shared secret password. What is the purpose for the shared secret password?
- It is used by the RADIUS server to authenticate WLAN users.
- It is used to authenticate and encrypt user data on the WLAN.
- It is used to encrypt the messages between the WLC and the RADIUS server. (correct)
- It allows users to authenticate and access the WLAN.
Explanation: The RADIUS protocol uses security features to protect communications between the RADIUS server and clients. A shared secret is the password used between the WLC and the RADIUS server. It is not for end users.

26. Which three parameters would need to be changed if best practices are being implemented for a home wireless AP? (Choose three.)
- wireless client operating system password
- antenna frequency
- wireless network password (correct)
- wireless beacon time
- AP password (correct)
- SSID (correct)
Explanation: As soon as an AP is taken out of a box, the default device password, SSID, and security parameters (wireless network password) should be set. The frequency of a wireless antenna can be adjusted, but doing so is not required. The beacon time is not normally configured. The wireless client operating system password is not affected by the configuration of a home wireless network.

27. Which access control component, implementation, or protocol is based upon usernames and passwords?
- 802.1X
- accounting
- authentication (correct)
- authorization

28. Which type of wireless network is based on the 802.11 standard and a 2.4-GHz or 5-GHz radio frequency?
- wireless metropolitan-area network
- wireless wide-area network
- wireless local-area network (correct)
- wireless personal-area network

29. Which two Cisco solutions help prevent DHCP starvation attacks? (Choose two.)
- DHCP Snooping (correct)
- IP Source Guard
- Dynamic ARP Inspection
- Port Security (correct)
- Web Security Appliance
Explanation: Cisco provides solutions to help mitigate Layer 2 attacks including these:
  - IP Source Guard (IPSG) – prevents MAC and IP address spoofing attacks
  - Dynamic ARP Inspection (DAI) – prevents ARP spoofing and ARP poisoning attacks
  - DHCP Snooping – prevents DHCP starvation and DHCP spoofing attacks
  - Port Security – prevents many types of attacks including MAC table overflow attacks and DHCP starvation attacks
Web Security Appliance (WSA) is a mitigation technology for web-based threats.

30. What are three techniques for mitigating VLAN attacks? (Choose three.)
- Enable trunking manually. (correct)
- Disable DTP. (correct)
- Enable Source Guard.
- Set the native VLAN to an unused VLAN. (correct)
- Use private VLANs.
- Enable BPDU guard.
Explanation: Mitigating a VLAN attack can be done by disabling Dynamic Trunking Protocol (DTP), manually setting ports to trunking mode, and by setting the native VLAN of trunk links to VLANs not in use.

31. Refer to the exhibit. What can be determined about port security from the information that is shown?
- The port has the maximum number of MAC addresses that is supported by a Layer 2 switch port which is configured for port security.
- The port has been shut down.
- The port violation mode is the default for any port that has port security enabled. (correct)
- The port has two attached devices.
Explanation: The Port Security line simply shows a state of Enabled if the switchport port-security command (with no options) has been entered for a particular switch port. If a port security violation had occurred, a different error message appears such as Secure-shutdown. The maximum number of MAC addresses supported is 50. The Maximum MAC Addresses line is used to show how many MAC addresses can be learned (2 in this case). The Sticky MAC Addresses line shows that only one de...

