CCNA Security Chapter 6

1.

1 point

What security countermeasure is effective for preventing CAM table overflow attacks?

DHCP snooping

IP source guard

Dynamic ARP Inspection

port security

2.

1 point

What is the behavior of a switch as a result of a successful CAM table attack?

The switch will shut down.

The switch interfaces will transition to the error-disabled state.

The switch will forward all received frames to all other ports.

The switch will drop all received frames.

3.

1 point

Two devices that are connected to the same switch need to be totally isolated from one another. Which Cisco switch security feature will provide this isolation?

SPAN

DTP

BPDU guard

PVLAN Edge

4.

1 point

What is the role of the Cisco NAC Server within the Cisco Secure Borderless Network Architecture?

providing post-connection monitoring of all endpoint devices

defining role-based user access and endpoint security policies

assessing and enforcing security policy compliance in the NAC environment

providing the ability for company employees to create guest accounts

5.

1 point

What two mechanisms are used by Dynamic ARP inspection to validate ARP packets for IP addresses that are dynamically assigned or IP addresses that are static? (Choose two.)

IP ACLs

ARP ACLs

MAC-address-to-IP-address bindings

Source Guard

RARP

6.

1 point

What are three techniques for mitigating VLAN hopping attacks? (Choose three.)

Set the native VLAN to an unused VLAN.

Enable trunking manually.

Use private VLANs.

Enable Source Guard.

Disable DTP.

Enable BPDU guard.

7.

1 point

DHCP _________ is a mitigation technique to prevent rogue DHCP servers from providing false IP configuration parameters.

8.

1 point

What is the role of the Cisco NAC Guest Server within the Cisco Borderless Network architecture?

It provides post-connection monitoring of all endpoint devices.

It defines role-based user access and endpoint security policies.

It provides the ability for creation and reporting of guest accounts.

It performs deep inspection of device security profiles.

9.

1 point

What network attack seeks to create a DoS for clients by preventing them from being able to obtain a DHCP lease?

DHCP spoofing

DHCP starvation

IP address spoofing

CAM table attack

10.

1 point

In what situation would a network administrator most likely implement root guard?

on all switch ports that connect to a Layer 3 device

on all switch ports that connect to another switch that is not the root bridge

on all switch ports that connect to host devices

on all switch ports that connect to another switch

on all switch ports (used or unused)

11.

1 point

What is the only type of port that an isolated port can forward traffic to on a private VLAN?

a community port

any access port in the same PVLAN

a promiscuous port

another isolated port

12.

1 point

Which spanning-tree enhancement prevents the spanning-tree topology from changing by blocking a port that receives a superior BPDU?

root guard

BDPU filter

PortFast

BPDU guard

13.

1 point

Which STP stability mechanism is used to prevent a rogue switch from becoming the root switch?

root guard

loop guard

Source Guard

BPDU guard

14.

1 point

Which two functions are provided by Network Admission Control? (Choose two.)

limiting the number of MAC addresses that can be learned on a single switch port

ensuring that only authenticated hosts can access the network

stopping excessive broadcasts from disrupting network traffic

protecting a switch from MAC address table overflow attacks

enforcing network security policy for hosts that connect to the network

15.

1 point

Which security feature should be enabled in order to prevent an attacker from overflowing the MAC address table of a switch?

storm control

port security

root guard

BPDU filter

16.

1 point

Which three functions are provided under Cisco NAC framework solution? (Choose three.)

secure connection to servers

scanning for policy compliance

intrusion prevention

remediation for noncompliant devices

VPN connection

AAA services

17.

1 point

How can a user connect to the Cisco Cloud Web Security service directly?

by accessing a Cisco CWS server before visiting the destination web site

through the connector that is integrated into any Layer 2 Cisco switch

by establishing a VPN connection with the Cisco CWS

by using a proxy autoconfiguration file in the end device

18.

1 point

What security benefit is gained from enabling BPDU guard on PortFast enabled interfaces?

preventing buffer overflow attacks

enforcing the placement of root bridges

protecting against Layer 2 loops

preventing rogue switches from being added to the networkcessing a Cisco CWS server before visiting the destination web site

19.

1 point

Which feature is part of the Antimalware Protection security solution?

spam blocking

file retrospection

data loss prevention

user authentication and authorization

20.

1 point

What component of Cisco NAC is responsible for performing deep inspection of device security profiles?

Cisco NAC Agent

Cisco NAC Profiler

Cisco NAC Manager

Cisco NAC Server

21.

1 point

What is the role of the Cisco NAC Manager in implementing a secure networking infrastructure?

to define role-based user access and endpoint security policies

to perform deep inspection of device security profiles

to assess and enforce security policy compliance in the NAC environment

to provide post-connection monitoring of all endpoint devices

22.

1 point

What protocol should be disabled to help mitigate VLAN hopping attacks?

CDP

DTP

STP

ARP

23.

1 point

Refer to the exhibit. The Fa0/2 interface on switch S1 has been configured with the switchport port-security mac-address 0023.189d.6456 command and a workstation has been connected. What could be the reason that the Fa0/2 interface is shutdown?

The Fa0/24 interface of S1 is configured with the same MAC address as the Fa0/2 interface.

S1 has been configured with a switchport port-security aging command.

The MAC address of PC1 that connects to the Fa0/2 interface is not the configured MAC address.

The connection between S1 and PC1 is via a crossover cable.

24.

1 point

What additional security measure must be enabled along with IP Source Guard to protect against address spoofing?

root guard

BPDU Guard

DHCP snooping

port security