ccnp sw ch 17

The flashcards below were created by user boultonm on FreezingBlue Flashcards.

  1. Which one of the following can filter packets even if they are not routed to another Layer 3 interface?

    a. IP extended acls
    b. MAC address acls
    c. VLAN acls
    d. Port-based acls
  2. In what part of a Catalyst switch are VLAN acls implemented?

    a. NVRAM
    b. CAM
    c. RAM
    d TCAM
  3. Which one of the following commands can implement a VLAN ACL called test?

    a. access-list vlan test
    b. vacl test
    c. switchport vacl test
    d. vlan access-map test
  4. After VACL is configured, where is it applied?

    a. Globally on a VLAN
    b. in the VLAN interface
    c. In the VLAN config
    d. On all ports or interfaces mapped to a VLAN
  5. Which of the following private VLANs is the most restrictive?

    a. Community VLAN
    b. Isolated VLAN
    c. Restricted VLAN
    d. Promiscuous VLAN
  6. the vlan 100 cmd has just been entered. What is the next command needed to configure vlan 100 as a secondary isolated VLAN?

    a. private-vlan isolated
    b. private-vlan isolated 100
    c. pvlan secondary isolated
    d. no further configuration necessary
  7. What type of port config should you use for private VLAN interfaces that connect to a router?

    a. host
    b. gateway
    c. promiscuous
    d. transparent
  8. Promiscuous ports must be  ________ to primary and secondary VLANS, and host ports must be ____________.

    a. Mapped, associated
    b. Mapped, mapped
    c. Associated, mapped
    d. Associated, associated
  9. In a switch spoofing attack, an attacker makes use of which one of the following?

    a. the switch management IP address
    b. CDP message exchanges
    c. Spanning Tree Protocol
    d. DTP to negotiate a trunk
  10. Which one of the following commands can be used to prevent a switch spoofing attack on an end=user port

    a. switchport mode access
    b. switchport mode trunk
    c. no switchport spoof
    d. spanning-tree spoof-guard
  11. Which one fo the following represents the spoofed information an attacker sends in a VLAN hopping attack?

    a. 802.1Q tags
    b. DTP information
    c. VTP information
    d. 802.1x information
  12. Which one of the following methods can be used to prevent a VLAN hopping attack?

    a. Use VTP through the network
    b. Set the native VLAN to the user access VLAN
    c. Prune the Native VLAN off a trunk link.
    d. Avoid using EtherCHannel link bundling
  13. detail VACL configuration.
    • G ip access-list extended local 17
    • ACL permit ip host
    • ACL  exit
    • G vlan access-map block-17 10
    • AM match ip address local-17
    • AM action drop
    • AM vlan access-map block-17 20
    • AM action forward
    • AM exit
    • G   vlan filter block-17 vlan-list 99

    • Note.  ACL local-17 IDs IP address to block. Access-map says "based on ACL local-17, drop, then forward the rest".
    • Then, the last line sets the filter onto vlan 99.
  14. Describe a Private VLAN (PVLAN)
    Where a host or primary vlan can be logically associated with a secondary vlan.  The secondary vlan can then talk to ports in the primary vlan (e.g. a router).
  15. What are the 2 types of secondary vlans?  (in a private vlan setting).
    Isolated - all hosts on this can only talk to the primary vlan.

    Community - these hosts can talk to the primary vlan and with each other.  they can't cross private vlan boundaries.
  16. Are private vlans local or global in nature?
    Local.  VTP does not pass private vlan info.  If PVLANs cross switches, they must be set up on each switch.
  17. What must be done to configure a port for PVLAN use?
    associate a vlan with the port.  Define port mode. 

    Promiscuous - This port can talk to both primary vlan and private vlans.  This ignores private vlan rules.  Usually a router, firewall or gateway.

    Host - this connects to a regular host.  port talks only with a promiscuous port or ports in the same community vlan.
  18. What default DTP setting permits switch spoofing? 

    How do you mitigate this?
    Admin mode: dynamic auto  (this means that if DTP is requested, the port will allow DTP trunking)

    Mitigate:  use switchport mode access cmd.  This makes the port to not allow any trunking.
  19. Describe VLAN hopping.
    Where an attacker crafts a package with a double 802.1Q tags.  first tag is real vlan the host is on.  second tag is for the "hopped-to" vlan. 

    This requires that the trunk uses the native VLAN. 

    Mitigate,  mark the trunks native vlan and prune from both ends of the trunk. 


    • use cmd vlan dot1q tag native
    • This will force the switch to tag all native vlans.
Card Set:
ccnp sw ch 17
2013-12-18 18:52:36

ch 17
Show Answers: