Securing Local Area Network: Endpoint Security Quiz

Questions and Answers

What feature enables a router to keep a secure local copy of running image and config files in Cisco IOS?

• Role-Based CLI access
• Resilient Configuration (correct)
• AutoSecure
• Cisco AMP

Which technology can be used to lock down a router mentioned in the text?

• AutoSecure (correct)
• Secure Copy Protocol (SCP)
• Role-Based CLI access
• Dynamic Arp Inspection

What is used to shut down logins and log messages if a password attack is suspected as per the text?

• Role-Based CLI access
• VLAN Truck security
• Cisco NAC
• AutoSecure (correct)

Which technology can be implemented to mitigate VLAN hopping attacks as mentioned in the text?

VLAN Truck security (A)

What is used to mitigate ARP attacks according to the text?

Dynamic Arp Inspection (B)

Which technique can be used to mitigate address spoofing based on the text?

IP Source Guard (D)

What is the purpose of VLAN hopping attacks?

To allow an attacker to become a member of all VLANs (B)

How does a VLAN Double-Tagging attack work?

By tagging transmitted frames with multiple 802.1q headers (A)

What is a mitigation strategy for VLAN hopping attacks?

Manually enabling trunk link only on required ports (B)

What could be a method used to mitigate double 802.1Q encapsulation VLAN attacks?

Using the native VLAN 1 for all trunk ports (A)

What action should be taken on unused switch ports to help mitigate VLAN attacks?

Disable all unused switch ports and place them in an unused VLAN (A)

Why is it essential to disable Dynamic Trunk Protocol (DTP) negotiations on ports?

To prevent an attacker from spoofing a switch and becoming a member of all VLANs (D)

What is the purpose of Dynamic ARP Inspection (DAI)?

To prevent ARP poisoning attacks by intercepting and verifying ARP packets (C)

How does DAI mitigate ARP poisoning?

By dropping or logging ARP replies from invalid devices (B)

Which step is a recommended best practice for configuring Dynamic ARP Inspection?

Configuring all uplink ports as untrusted (C)

What is the role of rate limiting in Dynamic ARP Inspection?

To automatically disable interfaces when the limit is exceeded (D)

Why does DAI require DHCP snooping?

To determine the validity of an ARP packet based on MAC-address-to-IP-address bindings (C)

How does DAI differentiate between valid and invalid devices in preventing ARP spoofing?

By verifying IP-to-MAC binding in intercepted packets (C)

What does DAI check when configured to verify destination MAC addresses?

Destination MAC address in Ethernet header against target MAC address in ARP body (B)

Why is IP address spoofing difficult to mitigate, especially inside the same subnet?

Switches overwrite MAC table entries (A)

How does IP Source Guard (IPSG) differ from Dynamic ARP Inspection (DAI)?

IPSG protects against IP and MAC spoofing, while DAI focuses only on IP addresses (D)

What is a consequence of MAC address spoofing attacks on a switch?

The switch assigns the attacker's MAC to the target host's port (C)

Why must an attacker constantly send frames with spoofed addresses in a MAC address spoofing attack?

To ensure frames continue to be incorrectly forwarded (D)

How does DAI differ from IPSG in terms of packet inspection?

DAI inspects only ARP packets, while IPSG examines every packet (A)

What practice immediately brings an interface configured as an access or trunk port to forwarding state from a blocking state?

PortFast (D)

Which practice prevents an inappropriate switch from becoming the root bridge?

Root Guard (A)

What feature immediately error disables a port that receives a BPDU?

BPDU Guard (B)

Which practice prevents alternate or root ports from becoming designated ports due to a unidirectional link failure?

Loop Guard (B)

In what scenario should Root Guard be applied?

All ports which should not become root ports (D)

Where can PortFast be configured globally on all non-trunking ports?

Via the spanning-tree portfast default command (C)

Flashcards are hidden until you start studying