Securing Local Area Network: Endpoint Security Quiz

Questions and Answers

What feature enables a router to keep a secure local copy of running image and config files in Cisco IOS?

Role-Based CLI access

Resilient Configuration (correct)

AutoSecure

Cisco AMP

Which technology can be used to lock down a router mentioned in the text?

AutoSecure (correct)

Secure Copy Protocol (SCP)

Role-Based CLI access

Dynamic Arp Inspection

What is used to shut down logins and log messages if a password attack is suspected as per the text?

Role-Based CLI access

VLAN Truck security

Cisco NAC

AutoSecure (correct)

Which technology can be implemented to mitigate VLAN hopping attacks as mentioned in the text?

VLAN Truck security

What is used to mitigate ARP attacks according to the text?

Dynamic Arp Inspection

Which technique can be used to mitigate address spoofing based on the text?

IP Source Guard

What is the purpose of VLAN hopping attacks?

To allow an attacker to become a member of all VLANs

How does a VLAN Double-Tagging attack work?

By tagging transmitted frames with multiple 802.1q headers

What is a mitigation strategy for VLAN hopping attacks?

Manually enabling trunk link only on required ports

What could be a method used to mitigate double 802.1Q encapsulation VLAN attacks?

Using the native VLAN 1 for all trunk ports

What action should be taken on unused switch ports to help mitigate VLAN attacks?

Disable all unused switch ports and place them in an unused VLAN

Why is it essential to disable Dynamic Trunk Protocol (DTP) negotiations on ports?

To prevent an attacker from spoofing a switch and becoming a member of all VLANs

What is the purpose of Dynamic ARP Inspection (DAI)?

To prevent ARP poisoning attacks by intercepting and verifying ARP packets

How does DAI mitigate ARP poisoning?

By dropping or logging ARP replies from invalid devices

Which step is a recommended best practice for configuring Dynamic ARP Inspection?

Configuring all uplink ports as untrusted

What is the role of rate limiting in Dynamic ARP Inspection?

To automatically disable interfaces when the limit is exceeded

Why does DAI require DHCP snooping?

To determine the validity of an ARP packet based on MAC-address-to-IP-address bindings

How does DAI differentiate between valid and invalid devices in preventing ARP spoofing?

By verifying IP-to-MAC binding in intercepted packets

What does DAI check when configured to verify destination MAC addresses?

Destination MAC address in Ethernet header against target MAC address in ARP body

Why is IP address spoofing difficult to mitigate, especially inside the same subnet?

Switches overwrite MAC table entries

How does IP Source Guard (IPSG) differ from Dynamic ARP Inspection (DAI)?

IPSG protects against IP and MAC spoofing, while DAI focuses only on IP addresses

What is a consequence of MAC address spoofing attacks on a switch?

The switch assigns the attacker's MAC to the target host's port

Why must an attacker constantly send frames with spoofed addresses in a MAC address spoofing attack?

To ensure frames continue to be incorrectly forwarded

How does DAI differ from IPSG in terms of packet inspection?

DAI inspects only ARP packets, while IPSG examines every packet

What practice immediately brings an interface configured as an access or trunk port to forwarding state from a blocking state?

PortFast

Which practice prevents an inappropriate switch from becoming the root bridge?

Root Guard

What feature immediately error disables a port that receives a BPDU?

BPDU Guard

Which practice prevents alternate or root ports from becoming designated ports due to a unidirectional link failure?

Loop Guard

In what scenario should Root Guard be applied?

All ports which should not become root ports

Where can PortFast be configured globally on all non-trunking ports?

Via the spanning-tree portfast default command