CCNA Security
Endpoint and Layer 2 Security Quiz
Securing the Local Area Network
Port security on a Cisco switch can be configured to limit which of the following?
Select the best answer:
The maximum number of IP addresses per port
The maximum number of MAC addresses allowed on a switchport
The VLAN a port is allowed to carry
The speed and duplex settings on an access port
When port security violation mode is set to "shutdown", a violation causes:
Select the best answer:
The offending frame is dropped silently with no notification
The port is placed in err-disabled state and a syslog/SNMP alert is generated
The frame is dropped and the violation counter increments, port stays up
All MAC addresses are cleared and the port restarts learning
Port security violation mode "restrict" differs from "protect" in that restrict:
Select the best answer:
Shuts down the port immediately on the first violation
Drops violating frames AND increments the violation counter with a log/SNMP notification
Drops violating frames silently without any notification
Allows the frame but logs the source MAC address
BPDU Guard, when enabled on a switchport, will:
Select the best answer:
Prevent the switch from participating in STP entirely
Err-disable the port if a BPDU is received on it
Force the port to become the STP root bridge
Filter BPDUs so they are not forwarded out access ports
DHCP Snooping protects against which type of attack?
Select the best answer:
MAC address flooding attacks on the switch CAM table
Rogue DHCP servers assigning false IP addressing to clients
VLAN hopping via double-tagged 802.1Q frames
STP root bridge election manipulation
Dynamic ARP Inspection (DAI) relies on which feature to validate ARP packets?
Select the best answer:
Port security sticky MAC address table
DHCP Snooping binding table
802.1X authentication database
Spanning Tree BPDU filtering
A VLAN hopping attack using "double tagging" works because:
Select the best answer:
The attacker sends oversized frames that overflow the switch buffer
The switch strips the outer native-VLAN tag and forwards the inner-tagged frame to the target VLAN
The attacker sends STP TCN BPDUs to flush the MAC table
The attacker exploits a weak VLAN ACL to bypass inter-VLAN routing
The best mitigation for switch spoofing VLAN hopping attacks is to:
Select the best answer:
Enable BPDU Guard on all trunk ports
Disable DTP and manually configure ports as access or trunk
Enable DHCP Snooping on the native VLAN
Apply a VACL (VLAN ACL) to all user VLANs
Storm control on a Cisco switch is used to:
Select the best answer:
Prevent STP topology changes from flooding the network
Limit broadcast, multicast, or unicast traffic to a configured threshold
Restrict the number of MAC addresses learned on a port
Block rogue DHCP servers from responding to client requests
Root Guard on a switchport prevents:
Select the best answer:
BPDUs from being forwarded out access ports
A connected device from becoming the STP root bridge via that port
Trunk ports from carrying traffic on the native VLAN
MAC flooding from overwhelming the switch CAM table
Which Cisco switch command enables port security and sets the maximum MAC addresses to 2?
Select the best answer:
switchport port-security mac-limit 2
switchport port-security maximum 2
port-security max-mac-count 2
switchport security maximum-mac 2
Private VLANs (PVLANs) are used to:
Select the best answer:
Encrypt traffic between hosts on the same VLAN
Isolate hosts in the same IP subnet from communicating with each other
Extend a VLAN across WAN links using 802.1Q trunking
Prevent inter-VLAN routing without a Layer 3 switch