30 Questions
What feature enables a router to keep a secure local copy of running image and config files in Cisco IOS?
Resilient Configuration
Which technology can be used to lock down a router mentioned in the text?
AutoSecure
What is used to shut down logins and log messages if a password attack is suspected as per the text?
AutoSecure
Which technology can be implemented to mitigate VLAN hopping attacks as mentioned in the text?
VLAN Truck security
What is used to mitigate ARP attacks according to the text?
Dynamic Arp Inspection
Which technique can be used to mitigate address spoofing based on the text?
IP Source Guard
What is the purpose of VLAN hopping attacks?
To allow an attacker to become a member of all VLANs
How does a VLAN Double-Tagging attack work?
By tagging transmitted frames with multiple 802.1q headers
What is a mitigation strategy for VLAN hopping attacks?
Manually enabling trunk link only on required ports
What could be a method used to mitigate double 802.1Q encapsulation VLAN attacks?
Using the native VLAN 1 for all trunk ports
What action should be taken on unused switch ports to help mitigate VLAN attacks?
Disable all unused switch ports and place them in an unused VLAN
Why is it essential to disable Dynamic Trunk Protocol (DTP) negotiations on ports?
To prevent an attacker from spoofing a switch and becoming a member of all VLANs
What is the purpose of Dynamic ARP Inspection (DAI)?
To prevent ARP poisoning attacks by intercepting and verifying ARP packets
How does DAI mitigate ARP poisoning?
By dropping or logging ARP replies from invalid devices
Which step is a recommended best practice for configuring Dynamic ARP Inspection?
Configuring all uplink ports as untrusted
What is the role of rate limiting in Dynamic ARP Inspection?
To automatically disable interfaces when the limit is exceeded
Why does DAI require DHCP snooping?
To determine the validity of an ARP packet based on MAC-address-to-IP-address bindings
How does DAI differentiate between valid and invalid devices in preventing ARP spoofing?
By verifying IP-to-MAC binding in intercepted packets
What does DAI check when configured to verify destination MAC addresses?
Destination MAC address in Ethernet header against target MAC address in ARP body
Why is IP address spoofing difficult to mitigate, especially inside the same subnet?
Switches overwrite MAC table entries
How does IP Source Guard (IPSG) differ from Dynamic ARP Inspection (DAI)?
IPSG protects against IP and MAC spoofing, while DAI focuses only on IP addresses
What is a consequence of MAC address spoofing attacks on a switch?
The switch assigns the attacker's MAC to the target host's port
Why must an attacker constantly send frames with spoofed addresses in a MAC address spoofing attack?
To ensure frames continue to be incorrectly forwarded
How does DAI differ from IPSG in terms of packet inspection?
DAI inspects only ARP packets, while IPSG examines every packet
What practice immediately brings an interface configured as an access or trunk port to forwarding state from a blocking state?
PortFast
Which practice prevents an inappropriate switch from becoming the root bridge?
Root Guard
What feature immediately error disables a port that receives a BPDU?
BPDU Guard
Which practice prevents alternate or root ports from becoming designated ports due to a unidirectional link failure?
Loop Guard
In what scenario should Root Guard be applied?
All ports which should not become root ports
Where can PortFast be configured globally on all non-trunking ports?
Via the spanning-tree portfast default command
Test your knowledge on securing a Local Area Network with a focus on Endpoint Security and Layer 2 Security Considerations. Questions may cover topics such as enhancing login process security, configuring privilege levels on Cisco routers, Role-Based CLI access, and Cisco IOS Resilient Configuration feature.
Make Your Own Quizzes and Flashcards
Convert your notes into interactive study material.
Get started for free
