35 Cards in this Set
Which is the primary Layer 2 mechanism that allows multiple devices in the same VLAN to communicate with each other even though those devices are physically connected to different switches?

a. IP address
b. Default gateway
c. Trunk
d. 802.1D

c
How does a switch know about parallel Layer 2 paths?

a. 802.1Q
b. BPDU
c. CDP
d. NTP

b
When implemented, which of the following helps prevent CAM table overflows?

a. 802.1w
b. BPDU Guard
c. Root Guard
d. Port security

d
Which of the following is not a best practice for security?

a. Leaving the native VLAN as VLAN 1
b. Shutting down all unused ports and placing them in an unused VLAN
c. Limiting the number of MAC addresses learned on a specific port
d. Disabling negotiation of switch port mode

a
What is the default number of MAC addresses allowed on a switch port that is configured with port security?

a. 1
b. 5
c. 15
d. Depends on the switch model

a
Which two items normally have a one-to-one correlation?

a. VLANs
b. Classful IP networks
c. IP subnetworks
d. Number of switches
e. Number of routers

a & C
What is a typical method used by a device in one VLAN to reach another device in a second VLAN?

a. ARP for the remote device's MAC address
b. Use a remote default gateway
c. Use a local default gateway
d. Use trunking on the PC

C
Which two configuration changes prevent users from jumping onto any VLAN they choose to join?

a. Disabling negotiation of trunk ports
b. Using something other than VLAN 1 as the "native" VLAN
c. Configuring the port connecting to the client as a trunk
d. Configuring the port connecting to the client as an access port

A & D
If you limit the number of MAC addresses learned on a port to five, what benefits do you get from the port security feature? (Choose all that apply.)

a. Protection for DHCP servers against starvation attacks
b. Protection against IP spoofing
c. Protection against VLAN hopping
d. Protection against MAC address spoofing
e. Protection against CAM table overflow attacks

A & E
Why should you implement Root Guard on a switch?

a. To prevent the switch from becoming the root
b. To prevent the switch from having any root ports
c. To prevent the switch from having specific root ports
d. To protect the switch against MAC address table overflows

C
Why should CDP be disabled on ports that face untrusted networks?

a. CDP can be used as a DDoS vector.
b. CDP can be used as a reconnaissance tool to determine information about the device.
c. Disabling CDP will prevent the device from participating in spanning tree with untrusted devices.
d. CDP can conflict with LLDP on ports facing untrusted networks.

B
Which of the following is not a true statement for DHCP snooping?

a. DHCP snooping validates DHCP messages received from untrusted sources and filters out invalid messages.
b. DHCP snooping information is stored in a binding database.
c. DHCP snooping is enabled by default on all VLANs.
d. DHCP snooping rate-limits DHCP traffic from trusted and untrusted sources.

C
Which of the following is not a true statement regarding dynamic ARP inspection (DAI)?

a. DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings.
b. DAI helps to mitigate MITM attacks.
c. DAI determines validity of ARP packets based on IP-to-MAC address bindings found in the DHCP snooping database.
d. DAI is enabled on a per-interface basis.

D
Another name for a Layer 2 broadcast domain is:
VLAN
What is the 802.1 suffix for VLAN tagging?
802.1Q
If there is no 802.1Q tag on the frame, what will the switch assume?
That the frame originates from the native VLAN
Why is autonegotiation risky?
An attacker can negotiate a trunk with a switch then access any available VLANs.
How do we get 2 devices on a VLAN to communicate with devices outside?
Inter-VLAN Routing
How do you use virtual subinterfaces to route?
Trunk from the switch to the router; on the router, create subinterfaces and tell each one to pay attention to the dot1q tag for its VLAN. The PCs then need a default gateway configured.
What is the 802.1 suffix for authenticating users before allowing their data frames on the network?
802.1X
What is the 802.1 suffix for spanning tree protocol?
802.1D
What is the purpose of spanning tree?
Stops loops from occurring in switches
Which switch becomes the root bridge?
The one with the lowest bridge ID
How does spanning tree communicate? With what protocol?
BPDUs (Bridge Protocol Data Units)
If you have 5 VLANs, how many instances of STP do you have?
5, one per VLAN, a.k.a. Per-VLAN Spanning Tree Plus (PVST+)
What is the 802.1 suffix for Rapid Spanning Tree?
802.1w
A common security practice would be to not use which VLAN and why?
We should not use VLAN 1, because it is the default native VLAN and all of its traffic is untagged.
How should we configure our ports to ensure that users cannot negotiate a trunk?
Ports facing the end users should be set to access, and those to other switches/routers should be trunk ports.
What is a good way to ensure port security?
Limiting the number of MAC addresses that can be learned on an access switchport. It is implemented on a port-by-port basis. On a violation the port can shut down, restrict (generates a syslog message and blocks the offending traffic), or protect (just blocks).
What is root guard?
Controls which ports are not allowed to become root ports to remote switches.
What is BPDU Guard?
If a BPDU is seen inbound on a port, the switch disables that port. This prevents another switch, which would send out BPDUs, from connecting.
Why would you configure root guard?
Your switch might be connected to a switch that you don't manage. You don't want that remote switch tampering with your STP topology or learning about other root ports.
What is a best practice for CDP?
Disable CDP on ports facing untrusted networks.
What does DHCP snooping do?
Acts like a firewall between untrusted hosts and trusted DHCP servers. It validates DHCP messages from untrusted sources, rate-limits DHCP traffic, builds and maintains the DHCP snooping binding database, and uses that database to validate requests from untrusted hosts.
How is DHCP snooping enabled?
It is enabled on a per-VLAN basis. Configure the DHCP server and enable snooping on at least one VLAN. Ensure the DHCP server is connected through a trusted interface. Configure the DHCP snooping database agent. Then enable DHCP snooping globally.