CCNA Security Chapter 6 Exam
1. As a recommended practice for Layer 2 security, how should VLAN 1 be treated?
All access ports should be assigned to VLAN 1.
All trunk ports should be assigned to VLAN 1.
VLAN 1 should be used for management traffic.
VLAN 1 should not be used.

2. With IP voice systems on data networks, which two types of attacks target VoIP specifically? (Choose two.)
CoWPAtty
Kismet
SPIT
virus
vishing

3. Which option best describes a MAC address spoofing attack?
An attacker gains access to another host and masquerades as the rightful user of that device.
An attacker alters the MAC address of his host to match another known MAC address of a target host.
An attacker alters the MAC address of the switch to gain access to the network device from a rogue host device.
An attacker floods the MAC address table of a switch so that the switch can no longer filter network access based on MAC addresses.

4. Which attack relies on the default automatic trunking configuration on most Cisco switches?
LAN storm attack
VLAN hopping attack
STP manipulation attack
MAC address spoofing attack

5. Which two measures are recommended to mitigate VLAN hopping attacks? (Choose two.)
Use a dedicated native VLAN for all trunk ports.
Place all unused ports in a separate guest VLAN.
Disable trunk negotiation on all ports connecting to workstations.
Enable DTP on all trunk ports.
Ensure that the native VLAN is used for management traffic.

6. Which three are SAN transport technologies? (Choose three.)
Fibre Channel
SATA
iSCSI
IP PBX
FCIP
IDE

7. Refer to the exhibit. What action will the switch take when the maximum number of secure MAC addresses has reached the allowed limit on the Fa0/2 port?
Packets with unknown source addresses are dropped, but notification of the dropped packets is sent.
The VLAN that Fa0/2 is on is set to error-disabled and all traffic on the VLAN is stopped.
The interface immediately becomes error-disabled and the port LED is turned off.
Packets with unknown source addresses are dropped without notification.

8. Which software tool can a hacker use to flood the MAC address table of a switch?
macof
Cisco CCP
kiwi syslog server
protocol analyzer

9. Which two methods are used to mitigate VLAN attacks? (Choose two.)
enabling port security on all trunk ports
using a dummy VLAN for the native VLAN
implementing BPDU guard on all access ports
disabling DTP autonegotiation on all trunk ports
using ISL instead of 802.1q encapsulation on all trunk interfaces

10. Which three switch security commands are required to enable port security on a port so that it will dynamically learn a single MAC address and disable the port if a host with any other MAC address is connected? (Choose three.)
switchport mode access
switchport mode trunk
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security mac-address mac-address

11. What is an example of a trusted path in an operating system?
digital certificate
digital signature
hash message authentication
Ctrl-Alt-Delete key sequence

12. Why are traditional network security perimeters not suitable for the latest consumer-based network endpoint devices?
These devices are not managed by the corporate IT department.
These devices are more varied in type and are portable.
These devices connect to the corporate network through public wireless networks.
These devices pose no risk to security as they are not directly connected to the corporate network.

13. Which Cisco IronPort appliance would an organization install to manage and monitor security policy settings and audit information?
C-Series
M-Series
S-Series
SenderBase-Series

14. Which Cisco IronPort appliance would an organization install to protect against malware?
C-Series
M-Series
S-Series
SenderBase-Series

15. What is the goal of the Cisco NAC framework and the Cisco NAC appliance?
to ensure that only hosts that are authenticated and have had their security posture examined and approved are permitted onto the network
to monitor data from the company to the ISP in order to build a real-time database of current spam threats from both internal and external sources
to provide anti-malware scanning at the network perimeter for both authenticated and non-authenticated devices
to provide protection against a wide variety of web-based threats, including adware, phishing attacks, Trojan horses, and worms

16. When the Cisco NAC appliance evaluates an incoming connection from a remote device against the defined network policies, what feature is being used?
authentication and authorization
posture assessment
quarantining of noncompliant systems
remediation of noncompliant systems

17. Which command is used to configure the PVLAN Edge feature?
switchport block
switchport nonnegotiate
switchport protected
switchport port-security violation protect

18. Which statement is true about a characteristic of the PVLAN Edge feature on a Cisco switch?
All data traffic that passes between protected ports must be forwarded through a Layer 2 device.
All data traffic that passes between protected ports must be forwarded through a Layer 3 device.
Only broadcast traffic is forwarded between protected ports.
Only unicast traffic is forwarded between protected ports.

19. What is the default configuration of the PVLAN Edge feature on a Cisco switch?
All active ports are defined as protected.
All ports are defined as protected.
No ports are defined as protected.
EtherChannel groups are defined as protected ports.

20. Under which circumstance is it safe to connect to an open wireless network?
The connection utilizes the 802.11n standard.
The device has been updated with the latest virus protection software.
The connection is followed by a VPN connection to a trusted network.
The user does not plan on accessing the corporate network when attached to the open wireless network.