11. Refer to the exhibit. Port security has been configured on the Fa 0/12 interface of switch S1. What action will occur when PC1 is attached to switch S1 with the applied configuration?

Frames from PC1 will cause the interface to shut down immediately, and a log entry will be made.

Frames from PC1 will be forwarded since the switchport port-security violation command is missing.

Frames from PC1 will be forwarded to its destination, and a log entry will be created.

Frames from PC1 will be forwarded to its destination, but a log entry will not be created.

Frames from PC1 will be dropped, and there will be no log of the violation.

13. A network administrator is configuring DAI on a switch with the command ip arp inspection validate src-mac. What is the purpose of this configuration command?

It checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.

It checks the source MAC address in the Ethernet header against the user-configured ARP ACLs.

It checks the source MAC address in the Ethernet header against the MAC address table.

It checks the source MAC address in the Ethernet header against the target MAC address in the ARP body.

14. Which two commands can be used to enable BPDU guard on a switch? (Choose two.)

S1(config)# spanning-tree portfast bpduguard default

S1(config-if)# spanning-tree bpduguard enable

S1(config)# spanning-tree bpduguard default

S1(config-if)# spanning-tree portfast bpduguard

S1(config-if)# enable spanning-tree bpduguard

17. What are the two methods that are used by a wireless NIC to discover an AP? (Choose two.)

receiving a broadcast beacon frame

initiating a three-way handshake

18. A technician is configuring the channel on a wireless router to either 1, 6, or 11. What is the purpose of adjusting the channel?

to avoid interference from nearby wireless devices

to enable different 802.11 standards

to disable broadcasting of the SSID

to provide stronger security modes

21. A technician is about to install and configure a wireless network at a small branch office. What is the first security measure the technician should apply immediately upon powering up the wireless router?

Change the default user-name and password of the wireless router.

Enable MAC address filtering on the wireless router.

Configure encryption on the wireless router and the connected wireless devices.

Disable the wireless network SSID broadcast.

23. Which step is required before creating a new WLAN on a Cisco 3500 series WLC?

Build or have an SNMP server available.

Build or have a RADIUS server available.

24. A network engineer is troubleshooting a newly deployed wireless network that is using the latest 802.11 standards. When users access high bandwidth services such as streaming video, the wireless network performance is poor. To improve performance the network engineer decides to configure a 5 Ghz frequency band SSID and train users to use that SSID for streaming media services. Why might this solution improve the wireless network performance for that type of service?

The 5 GHz band has more channels and is less crowded than the 2.4 GHz band, which makes it more suited to streaming multimedia.

Requiring the users to switch to the 5 GHz band for streaming media is inconvenient and will result in fewer users accessing these services.

The 5 GHz band has a greater range and is therefore likely to be interference-free.

The only users that can switch to the 5 GHz band will be those with the latest wireless NICs, which will reduce usage.

25. A network administrator is configuring a RADIUS server connection on a Cisco 3500 series WLC. The configuration requires a shared secret password. What is the purpose for the shared secret password?

It is used to encrypt the messages between the WLC and the RADIUS server.

It is used by the RADIUS server to authenticate WLAN users.

It is used to authenticate and encrypt user data on the WLAN.

It allows users to authenticate and access the WLAN.

26. Which three parameters would need to be changed if best practices are being implemented for a home wireless AP? (Choose three.)

wireless client operating system password

28. Which type of wireless network is based on the 802.11 standard and a 2.4-GHz or 5-GHz radio frequency?

wireless metropolitan-area network

30. What are three techniques for mitigating VLAN attacks? (Choose three.)

Set the native VLAN to an unused VLAN.

31. Refer to the exhibit. What can be determined about port security from the information that is shown?

The port violation mode is the default for any port that has port security enabled.

The port has the maximum number of MAC addresses that is supported by a Layer 2 switch port which is configured for port security.

The port has two attached devices.

33. A technician is troubleshooting a slow WLAN that consists of 802.11b and 802.11g devices . A new 802.11n/ac dual-band router has been deployed on the network to replace the old 802.11g router. What can the technician do to address the slow wireless speed?

Split the wireless traffic between the 802.11n 2.4 GHz band and the 5 GHz band.

Update the firmware on the new router.

Configure devices to use a different channel.

35. What is the function provided by CAPWAP protocol in a corporate wireless network?

CAPWAP provides the encapsulation and forwarding of wireless user traffic between an access point and a wireless LAN controller.

CAPWAP creates a tunnel on Transmission Control Protocol (TCP) ports in order to allow a WLC to configure an autonomous access point.

CAPWAP provides connectivity between an access point using IPv6 addressing and a wireless client using IPv4 addressing.

CAPWAP provides the encryption of wireless user traffic between an access point and a wireless client.

Open the PT Activity. Perform the tasks in the activity instructions and then answer the question. Which event will take place if there is a port security violation on switch S1 interface Fa0/1?

Packets with unknown source addresses will be dropped.

The interface will go into error-disabled state.

39. What is the result of a DHCP starvation attack?

Legitimate clients are unable to lease IP addresses.

The attacker provides incorrect DNS and default gateway information to clients.

The IP addresses assigned to legitimate clients are hijacked.

Clients receive IP address assignments from a rogue DHCP server.

40. Which feature or configuration on a switch makes it vulnerable to VLAN double-tagging attacks?

the native VLAN of the trunking port being the same as a user VLAN

the limited size of content-addressable memory space

the automatic trunking port feature enabled for all ports by default

mixed duplex mode enabled for all ports by default

44. A laptop cannot connect to a wireless access point. Which two troubleshooting steps should be taken first? (Choose two.)

Ensure that the wireless NIC is enabled.

Ensure that the wireless SSID is chosen.

Ensure that the correct network media is selected.

Ensure that the laptop antenna is attached.

Ensure that the NIC is configured for the proper frequency.

45. What is an advantage of SSID cloaking?

Clients will have to manually identify the SSID to connect to the network.

It is the best way to secure a wireless network.

SSIDs are very difficult to discover because APs do not broadcast them.

It provides free Internet access in public locations where knowing the SSID is of no concern.

47. A company has recently implemented an 802.11n wireless network. Some users are complaining that the wireless network is too slow. Which solution is the best method to enhance the performance of the wireless network?

Split the traffic between the 2.4 GHz and 5 GHz frequency bands.

Disable DHCP on the access point and assign static addresses to the wireless clients.

Upgrade the firmware on the wireless access point.

Replace the wireless NICs on the computers that are experiencing slow connections.

Modules 10-13: L2 Security and WLANs Quiz

1.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

1. Which Layer 2 attack will result in legitimate users not getting valid IP addresses?

Arp spoofing

DHCP starvation

IP address spoofing

Mac address Flooding

Answer explanation

Explanation: The DHCP starvation attack causes the exhaustion of the IP address pool of a DHCP server before legitimate users can obtain valid IP addresses.

2.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

2. What mitigation plan is best for thwarting a DoS attack that is creating a MAC address table overflow?

Disable Dtp

Disable STP

Enable port security

Place unused ports in an unused VLAN

Answer explanation

Explanation: A MAC address (CAM) table overflow attack, buffer overflow, and MAC address spoofing can all be mitigated by configuring port security. A network administrator would typically not want to disable STP because it prevents Layer 2 loops. DTP is disabled to prevent VLAN hopping. Placing unused ports in an unused VLAN prevents unauthorized wired connectivity.

3.

MULTIPLE SELECT QUESTION

45 sec • 1 pt

3. Which three Cisco products focus on endpoint security solutions? (Choose three.)

IPs sensor Appliance

Web Security Appliance

Email Security Appliance

Adaptive Security Appliance

NAC Appliance

Answer explanation

Explanation: The primary components of endpoint security solutions are Cisco Email and Web Security appliances, and Cisco NAC appliance. ASA, SSL/IPsec VPN, and IPS sensor appliances all provide security solutions that focus on the enterprise network, not on endpoint devices.

4.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

True Or false?
In the 802.1X standard, the client attempting to access the network is referred to as the supplicant.

True

False

5.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

5. Which authentication method stores usernames and passwords in the router and is ideal for small networks?

Server-based AAA over TACACS+

local AAA over RAIDUS

server-based AAA

Local AAA

local AAA over TACS+

Answer explanation

Explanation: In a small network with a few network devices, AAA authentication can be implemented with the local database and with usernames and passwords stored on the network devices. Authentication using the TACACS+ or RADIUS protocol will require dedicated ACS servers although this authentication solution scales well in a large network.

6.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

6. What represents a best practice concerning discovery protocols such as CDP and LLDP on network devices?

Enable CDP on edge devices, and enable LLDP on interior devices

Use the open standard LLDP rather than CDP

Use the default router settings for CDP and LLDP

Disable both protocols on all interfaces where they are not required

Answer explanation

Explanation: Both discovery protocols can provide hackers with sensitive network information. They should not be enabled on edge devices, and should be disabled globally or on a per-interface basis if not required. CDP is enabled by default.

7.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

7. Which protocol should be used to mitigate the vulnerability of using Telnet to remotely manage network devices?

SNMP

TFTP

SSH

SCP

Answer explanation

Explanation: Telnet uses plain text to communicate in a network. The username and password can be captured if the data transmission is intercepted. SSH encrypts data communications between two network devices. TFTP and SCP are used for file transfer over the network. SNMP is used in network management solutions.

8.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

8. Which statement describes the behavior of a switch when the MAC address table is full?

It treats frames as unknown unicast and floods all incoming frames to all ports on the switch

It treats frames as unknown unicast and floods all incoming frames to all ports across multiple switches.

It treats frames as unknown unicast and floods all incoming frames to all ports within the local VLAN.

It treats frames as unknown unicast and floods all incoming frames to all ports within the collision domain.

Answer explanation

Explanation: When the MAC address table is full, the switch treats the frame as an unknown unicast and begins to flood all incoming traffic to all ports only within the local VLAN.

9.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

9. What device is considered a supplicant during the 802.1X authentication process?

the router that is serving as the default gateway

the authentication server that is performing client authentication

the client that is requesting authentication

the switch that is controlling network access

Answer explanation

Explanation: The devices involved in the 802.1X authentication process are as follows:
The supplicant, which is the client that is requesting network access
The authenticator, which is the switch that the client is connecting to and that is actually controlling physical network access
The authentication server, which performs the actual authentication

10.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

10. Refer to the exhibit. Port Fa0/2 has already been configured appropriately. The IP phone and PC work properly. Which switch configuration would be most appropriate for port Fa0/2 if the network administrator has the following goals?
No one is allowed to disconnect the IP phone or the PC and connect some other wired device.
If a different device is connected, port Fa0/2 is shut down.
The switch should automatically detect the MAC address of the IP phone and the PC and add those addresses to the running configuration.

SWA(config-if)# switchport port-security
SWA(config-if)# switchport port-security mac-address sticky

SWA(config-if)# switchport port-security
SWA(config-if)# switchport port-security maximum 2
SWA(config-if)# switchport port-security mac-address sticky SWA(config-if)# switchport port-security violation restrict

SWA(config-if)# switchport port-security mac-address sticky
SWA(config-if)# switchport port-security maximum 2

SWA(config-if)# switchport port-security

SWA(config-if)# switchport port-security maximum 2

SWA(config-if)# switchport port-security mac-address sticky

Answer explanation

Explanation: The default mode for a port security violation is to shut down the port so the switchport port-security violation command is not necessary. The switchport port-security command must be entered with no additional options to enable port security for the port. Then, additional port security options can be added.

Modules 10-13: L2 Security and WLANs

80 questions

1. Which Layer 2 attack will result in legitimate users not getting valid IP addresses?

Explanation: The DHCP starvation attack causes the exhaustion of the IP address pool of a DHCP server before legitimate users can obtain valid IP addresses.

2. What mitigation plan is best for thwarting a DoS attack that is creating a MAC address table overflow?

3. Which three Cisco products focus on endpoint security solutions? (Choose three.)

Explanation: The primary components of endpoint security solutions are Cisco Email and Web Security appliances, and Cisco NAC appliance. ASA, SSL/IPsec VPN, and IPS sensor appliances all provide security solutions that focus on the enterprise network, not on endpoint devices.

True Or false?
In the 802.1X standard, the client attempting to access the network is referred to as the supplicant.

5. Which authentication method stores usernames and passwords in the router and is ideal for small networks?

6. What represents a best practice concerning discovery protocols such as CDP and LLDP on network devices?

Explanation: Both discovery protocols can provide hackers with sensitive network information. They should not be enabled on edge devices, and should be disabled globally or on a per-interface basis if not required. CDP is enabled by default.

7. Which protocol should be used to mitigate the vulnerability of using Telnet to remotely manage network devices?

8. Which statement describes the behavior of a switch when the MAC address table is full?

Explanation: When the MAC address table is full, the switch treats the frame as an unknown unicast and begins to flood all incoming traffic to all ports only within the local VLAN.

9. What device is considered a supplicant during the 802.1X authentication process?

Create a free account and access millions of resources

Similar Resources on Wayground

Popular Resources on Wayground

Discover more resources for Computers

Modules 10-13: L2 Security and WLANs

80 questions

1. Which Layer 2 attack will result in legitimate users not getting valid IP addresses?

Explanation: The DHCP starvation attack causes the exhaustion of the IP address pool of a DHCP server before legitimate users can obtain valid IP addresses.

2. What mitigation plan is best for thwarting a DoS attack that is creating a MAC address table overflow?

3. Which three Cisco products focus on endpoint security solutions? (Choose three.)

Explanation: The primary components of endpoint security solutions are Cisco Email and Web Security appliances, and Cisco NAC appliance. ASA, SSL/IPsec VPN, and IPS sensor appliances all provide security solutions that focus on the enterprise network, not on endpoint devices.

True Or false?In the 802.1X standard, the client attempting to access the network is referred to as the supplicant.

5. Which authentication method stores usernames and passwords in the router and is ideal for small networks?

6. What represents a best practice concerning discovery protocols such as CDP and LLDP on network devices?

Explanation: Both discovery protocols can provide hackers with sensitive network information. They should not be enabled on edge devices, and should be disabled globally or on a per-interface basis if not required. CDP is enabled by default.​

7. Which protocol should be used to mitigate the vulnerability of using Telnet to remotely manage network devices?

8. Which statement describes the behavior of a switch when the MAC address table is full?

Explanation: When the MAC address table is full, the switch treats the frame as an unknown unicast and begins to flood all incoming traffic to all ports only within the local VLAN.

9. What device is considered a supplicant during the 802.1X authentication process?

Create a free account and access millions of resources

Similar Resources on Wayground

Popular Resources on Wayground

Discover more resources for Computers

True Or false?
In the 802.1X standard, the client attempting to access the network is referred to as the supplicant.

Explanation: Both discovery protocols can provide hackers with sensitive network information. They should not be enabled on edge devices, and should be disabled globally or on a per-interface basis if not required. CDP is enabled by default.