ccnp sw ch 16

2013-11-13 04:26:40


  1. Which feature can grant access through a port only if the host with MAC address 0005.0004.0003 is connected?

    a. SPAN
    b. MAC address ACL
    c. Port security
    d. Port-based authentication
  2. Port security is being used to control access to a switch port. Which one of these commands will put the port into the errdisable state if an unauthorized station connects?

    a. switchport port-security violation protect
    b. switchport port-security violation restrict
    c. switchport port-security violation errdisable
    d. switchport port-security violation shutdown
  3. If port security is left to its default configuration, how many different MAC addresses can be learned at one time on a switch port?

    a. 0
    b. 1
    c. 16
    d. 256
  4. The following commands are configured on a Catalyst switch port. What happens when the host with MAC address 0001.0002.0003 tries to connect?

    switchport port-security
    switchport port-security max 3
    switchport port-security mac-address 0002.0002.0002
    switchport port-security violation shutdown

    a. The port shuts down
    b. the host is allowed to connect
    c. The host is denied a connection
    d. The host can connect only when 0002.0002.0002 is not connected
    • note: maximum 3 with one static entry leaves 2 addresses to be learned dynamically, so 0001.0002.0003 is allowed to connect (b). A violation only occurs once a fourth distinct address appears.
  5. What protocol is used for port-based authentication?

    a. 802.1d
    b. 802.1q
    c. 802.1x
    d. 802.1w
  6. When 802.1x is used for a switch port, where must it be configured?

    a. Switch port and client pc
    b. Switch port only
    c. Client PC only
    d. Switch port and a RADIUS server
  7. When port-based authentication is enabled globally, what is the default behavior for all switch ports?

    a. Authenticate users before enabling the port
    b. Allow all connections without authentication
    c. Do not allow any connections
    d. There is no default behavior
  8. When port-based authentication is enabled, what method is available for a user to authenticate?

    a. web browser
    b. telnet session
    c. 802.1x client
    d. DHCP
  9. The users in a department are using a variety of host platforms, some old and some new. All of them have been approved with a user ID in a RADIUS server database. Which one of these features should be used to restrict access to the switch ports in the building?

    a. AAA authentication
    b. AAA authorization
    c. Port security
    d. Port-based authentication
  10. With DHCP snooping, an untrusted port filters out which one of the following?

    a. DHCP replies from legitimate DHCP servers
    b. DHCP replies from rogue DHCP servers
    c. DHCP replies from legitimate DHCP clients
    d. DHCP replies from rogue DHCP clients
  11. Which two of the following methods does a switch use to detect spoofed addresses when IP Source Guard is enabled?

    a. ARP entries
    b. DHCP database
    c. DHCP snooping database
    d. Static IP source binding entries
    e. Reverse path-forwarding entries
    c and d
  12. Which one of the following should be configured as a trusted port for dynamic ARP inspection?

    a. The port where the ARP server is located
    b. The port where an end-user host is located
    c. The port where another switch is located
    d. None; all ports are untrusted
  13. Which two of the following methods should you use to secure inbound CLI sessions to a switch?

    a. Disable all inbound CLI connections
    b. Use SSH only
    c. Use telnet only
    d. Apply an access list to the vty lines
    b and d
  14. Suppose you need to disable CDP advertisements on a switch port so that untrusted devices cannot learn anything about your switch. Which one of the following interface configuration commands should be used?

    a. cdp disable
    b. no cdp
    c. no cdp enable
    d. no cdp trust
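    Worked configuration for cards 13 and 14 (an added example, not part of the card set): SSH-only vty lines protected by an access list, with CDP silenced on user-facing ports only. The hostname, domain name, management subnet 10.0.0.0/24 and port range Gi1/0/1-24 are assumed values.

```cisco
! --- SSH prerequisites: hostname + domain name are needed before the RSA key
hostname SW1
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
! local fallback account (replace the placeholder with a real secret)
username admin privilege 15 secret <strong-password>
!
! --- only the management subnet may open a CLI session; log everything else
ip access-list standard MGMT-ACL
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
! --- weak default on many platforms: "transport input all" (telnet allowed)
! --- hardened: SSH only, ACL applied inbound, idle sessions time out
line vty 0 4
 access-class MGMT-ACL in
 transport input ssh
 login local
 exec-timeout 5 0
line vty 5 15
 access-class MGMT-ACL in
 transport input ssh
 login local
 exec-timeout 5 0
!
! --- card 14: disable CDP per interface toward untrusted devices.
! --- "no cdp run" (global) would also blind your own uplinks and IP phones.
interface range GigabitEthernet1/0/1 - 24
 no cdp enable
!
! Checks (exec mode):
! show ip ssh
! show line vty 0 | include transport
! show cdp interface GigabitEthernet1/0/1
```

    Apply the ACL to every vty range the platform has (0-4 and 5-15 above); a line without access-class is the one an attacker will land on.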
  15. What are the 3 port security violation modes and what do they do?
    shutdown (default) - the port is put into the err-disabled state. It stays down until an admin issues shutdown / no shutdown, or until errdisable recovery cause psecure-violation brings it back automatically after the recovery interval.

    Restrict - port stays up, but frames from the offending MAC address are dropped. The violation counter is incremented and an SNMP trap and syslog message are generated.

    Protect - port stays up, frames from the offending MAC address are silently dropped. No violation counter, syslog message or SNMP trap, so you will not know it happened.
  16. What feature can a switch use to mitigate ARP poisoning or ARP spoofing attacks?
    Dynamic ARP Inspection (DAI)

    Like DHCP snooping, DAI uses the classification of trusted or untrusted ports. By default, all ports in the named VLAN are untrusted; only trust ports attached to other switches. ARP packets on untrusted ports are checked against the DHCP snooping binding table (or a static ARP ACL) and dropped on mismatch, so DAI depends on DHCP snooping being enabled for the VLAN.
  17. detail CLI cmds for port security.
    • I  switchport port-security
    • I  switchport port-security maximum 4
    • I  switchport port-security mac-address <mac-address>   (static entry; "mac-address sticky" instead learns addresses and writes them into the running config)
    • I  switchport port-security violation {shutdown | restrict | protect}
    • note: the port must be a static access or trunk port (switchport mode access); port security is refused on a dynamic (DTP) port.
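    Worked configuration for cards 1-4, 15 and 17 (an added example, not part of the card set): one user port with a pinned MAC address plus sticky learning, and the err-disable recovery that card 15 refers to. The interface Gi1/0/5, VLAN 10 and the MAC 0002.0002.0002 are assumed values.

```cisco
! --- user port: one known device pinned, one more learned and saved (sticky)
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0002.0002.0002
 switchport port-security mac-address sticky
 ! restrict keeps the port up but logs/traps every violation;
 ! shutdown (the default) err-disables the port instead
 switchport port-security violation restrict
!
! --- without this, a port err-disabled by "violation shutdown" stays down
! --- until someone types shutdown / no shutdown on it
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Checks (exec mode):
! show port-security interface GigabitEthernet1/0/5
!   Port Status, Violation Mode, Maximum MAC Addresses,
!   Total MAC Addresses, Last Source Address:Vlan, Security Violation Count
! show port-security address
! show interfaces status err-disabled
! show errdisable recovery
```

    Sticky addresses survive a reload only if you save the configuration; otherwise the port relearns whatever plugs in first after the reload.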
  18. detail CLI for port-based authentication.
    • G  aaa new-model   (required before any aaa authentication command is accepted)
    • G  radius-server host <ip-address> key <shared-secret>
    • G  aaa authentication dot1x default group radius
    • G  dot1x system-auth-control
    • I   dot1x port-control {force-authorized | force-unauthorized | auto}
    • I   dot1x host-mode multi-host
    • note: once dot1x system-auth-control is on, every port still defaults to force-authorized (card 7); only ports set to auto require 802.1X. Host mode defaults to single-host.
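    Worked configuration for cards 5-9 and 18 (an added example, not part of the card set): 802.1X against one RADIUS server, with the user port set to auto and the uplink explicitly left force-authorized. The RADIUS address 10.0.0.10, its shared secret placeholder and the port numbers are assumed values; the dot1x port-control syntax matches the card (newer IOS spells it authentication port-control).

```cisco
! --- global: AAA on, RADIUS server defined, 802.1X selected as the method
aaa new-model
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key <radius-key>
aaa authentication dot1x default group radius
dot1x system-auth-control
!
! --- user port: nothing but EAPOL passes until the supplicant authenticates
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 ! single-host is the default; multi-host lets any number of MACs through
 ! once the first one authenticates (only the first is authenticated)
 dot1x host-mode single-host
 ! retransmit the EAP-Request/Identity every 10 s instead of the 30 s default
 dot1x timeout tx-period 10
!
! --- uplink to another switch: no supplicant there, so never set auto
interface GigabitEthernet1/0/48
 switchport mode trunk
 dot1x port-control force-authorized
!
! Checks (exec mode):
! show dot1x all
! show dot1x interface GigabitEthernet1/0/5 details
! show aaa servers
! debug dot1x events   (watch the EAPOL start / request-identity exchange)
```

    Card 9's point applies here: hosts with no 802.1X supplicant never get past a port in auto mode, so old platforms need either a supplicant installed or a port left out of 802.1X and protected with port security instead.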
  19. detail CLI for dhcp snooping configuration.
    • G  ip dhcp snooping
    • G  ip dhcp snooping vlan <vlan-range>   (snooping does nothing on a VLAN until it is enabled here)
    • I   ip dhcp snooping trust   (only on ports toward the DHCP server or other switches; everything else stays untrusted and cannot send server messages)
    • I   ip dhcp snooping limit rate 3   (DHCP packets per second allowed on an untrusted port; exceeding it err-disables the port)
  20. detail ip source guard CLI.
    • G  ip source binding 0001.0002.0003 vlan 10 <ip-address> interface <type number>   (static entry for a host that does not use DHCP; the binding needs MAC, VLAN, IP and interface)
    • I  ip verify source [port-security]   (filters on source IP from the DHCP snooping binding table; with port-security it also checks the source MAC and requires switchport port-security on the port)
  21. Dynamic ARP Inspection

    detail DAI config cmds
    • G  ip arp inspection vlan 10-1024
    • I  ip arp inspection trust   (uplinks to other switches only; hosts stay untrusted)

    • G  arp access-list <name>
    •     permit ip host <sender-ip> mac host <sender-mac> [log]

    • G  ip arp inspection filter <arp-acl-name> vlan <vlan-range> [static]   (without static, an ACL deny falls through to the DHCP snooping table; with static, the ACL decision is final)

    • G  ip arp inspection validate {src-mac | dst-mac | ip}   (at least one keyword; checks the sender/target MACs in the ARP body against the Ethernet header, and drops invalid sender/target IPs such as 0.0.0.0, 255.255.255.255 or multicast)
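    Worked configuration for cards 10-12, 16 and 19-21 (an added example, not part of the card set): DHCP snooping, IP Source Guard and DAI together on VLAN 10, since the last two only work off the binding table the first one builds. The uplink Gi1/0/48, user ports Gi1/0/1-24, the static printer 0001.0002.0003 at 10.10.10.50 on Gi1/0/7 and the binding database file name are assumed values.

```cisco
! --- 1. DHCP snooping: builds the MAC/IP/VLAN/port binding table
ip dhcp snooping
ip dhcp snooping vlan 10
! the switch inserts option 82 by default; DHCP servers that are not behind
! a relay often drop such requests, so it is turned off here
no ip dhcp snooping information option
! persist bindings across reloads, otherwise IPSG/DAI block every host until
! it renews its lease (file location is an assumption)
ip dhcp snooping database flash:dhcp-snooping.db
!
! --- uplink toward the DHCP server and other switches: trusted for both
interface GigabitEthernet1/0/48
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- user ports: untrusted (the default), rate-limited, IPSG with MAC check
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
 switchport port-security
 ip verify source port-security
!
! --- 2. a host with a static address never appears in the snooping table,
! --- so give it a static binding (IPSG) and an ARP ACL entry (DAI)
ip source binding 0001.0002.0003 vlan 10 10.10.10.50 interface GigabitEthernet1/0/7
!
arp access-list STATIC-HOSTS
 permit ip host 10.10.10.50 mac host 0001.0002.0003 log
!
! --- 3. DAI on the VLAN; ACL is consulted first, then the snooping table
ip arp inspection vlan 10
ip arp inspection filter STATIC-HOSTS vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! --- rate limits on untrusted ports (DAI default 15 pps) err-disable the port;
! --- let it recover on its own
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Checks (exec mode):
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip verify source
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
! show ip arp inspection interfaces
```

    Order matters when rolling this out: enable DHCP snooping first and let the binding table fill (or restore it from the database file), then turn on ip verify source and ip arp inspection; doing it the other way round cuts off every host that already holds a lease.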