Scribd Logo
Upload

Welcome to Scribd!

  • CCNP Switch - Chapter 6

    Uploaded by

    armani_delato
    17K views9 pages
    Port can act as destination port for all SPAN sessions configured on the switch. Port channel interfaces (EtherChannel) can be configured as source and destination ports for a single SPAN session.

    Original Description:

    Original Title

    CCNP Switch -Chapter 6

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Port can act as destination port for all SPAN sessions configured on the switch. Port channel interfaces (EtherChannel) can be configured as source and destination ports for a single SPAN session.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    17K views9 pages

    CCNP Switch - Chapter 6

    Uploaded by

    armani_delato
    Port can act as destination port for all SPAN sessions configured on the switch. Port channel interfaces (EtherChannel) can be configured as source and destination ports for a single SPAN session.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 9

    Top of Form

    Close Window

    Assessment System

    1. Assessment 2. Assessment 3. Take


    Selection Settings Assessment

    Take Assessment - SWITCH Chapter 6 - CCNP SWITCH (Version 6.0)

    T
    7182995
    o
    p
    Time Remaining:
    o
    f 01:59:43
    F
    o
    r Bottom of Form
    m

    Which statement is true about a local SPAN configuration?


    A port can act as the destination port for all SPAN sessions configured on the switch.

    A port can be configured to act as a source and destination port for a single SPAN session.
    Both Layer 2 and Layer 3 switched ports can be configured as source or destination ports for
    a single SPAN session.
    Port channel interfaces (EtherChannel) can be configured as source and destination ports for
    a single SPAN session.
    Top of Form

    Refer to the exhibit. Which statement is true about the local SPAN configuration on switch
    SW1?
    The SPAN session transmits to a device on port Fa3/21 a copy of all traffic that is monitored
    on port Fa3/1.
    The SPAN session transmits to a device on port Fa3/21 a copy of all traffic that is monitored
    on port Fa3/1, but only if port Fa3/1 is configured in VLAN 10.
    The SPAN session transmits to a device on port Fa3/21 a copy of all traffic that is monitored
    on port Fa3/1, but only if port Fa3/1 is configured as trunk.
    The SPAN session transmits to a device on port Fa3/21 only a copy of unicast traffic that is
    monitored on port Fa3/1. All multicast and BPDU frames will be excluded from the
    monitoring process.
    Top of Form

    Refer to the exhibit. Which statement is true about the VSPAN configuration on switch SW1?
    The VSPAN session that is configured on port Fa3/4 can monitor only the ingress traffic for
    any of the VLANs.
    The VSPAN session that is configured on port Fa3/4 can monitor only the egress traffic for
    any of the VLANs.
    Port Fa3/4 must be associated with VLAN 10 or VLAN 20 in order to monitor the traffic for
    any of the VLANs.
    The VSPAN session transmits a copy of the ingress traffic for VLAN 10 and the egress
    traffic for VLAN 20 out interface Fa3/4.
    Top of Form
    Which configuration guideline applies to using the capture option in VACL?
    Capture ports transmit traffic that belongs to all VLANs.

    The capture port captures all packets that are received on the port.

    The switch has a restriction on the number of capture ports.

    The capture port needs to be in the spanning-tree forwarding state for the VLAN.

    All access ports on a switch are configured with the administrative mode of dynamic
    auto. An attacker, connected to one of the ports, sends a malicious DTP frame.
    What is the intent of the attacker?

    VLAN hopping

    DHCP spoofing attack

    MAC flooding attack

    ARP poisoning attack

    Top of Form

    Refer to the exhibit. A network engineer is securing a network against DHCP spoofing attacks. On all
    switches, the engineer applied the ip dhcp snooping command and enabled DHCP snooping on all
    VLANs with the ip dhcp snooping vlan command. What additional step should be taken to configure
    the security required on the network?
    Issue the ip dhcp snooping trust command on all uplink interfaces on SW1, SW2 and SW3.

    Issue the ip dhcp snooping trust command on all interfaces on SW2 and SW3.

    Issue the ip dhcp snooping trust command on all interfaces on SW1, SW2, and SW3.
    Issue the ip dhcp snooping trust command on all interfaces on SW1, SW2, and SW3 except
    interface Fa0/1 on SW1.
    Bottom of Form

    Top of Form
    Which countermeasure can be implemented to determine the validity of an ARP packet, based on
    the valid MAC-address-to-IP address bindings stored in a DHCP snooping database?
    DHCP spoofing

    dynamic ARP inspection

    CAM table inspection

    MAC snooping

    Top of Form
    How should unused ports on a switch be configured in order to prevent VLAN hopping attacks?
    Configure them with the UDLD feature.

    Configure them with the PAgP protocol.

    Configure them as trunk ports for the native VLAN 1.

    Configure them as access ports and associate them with an unused VLAN.

    Top of Form

    Refer to the exhibit. Given the configuration on the ALSwitch, what is the end result?
    forces all hosts that are attached to a port to authenticate before being allowed access to the network
    disables 802.1x port-based authentication and causes the port to allow normal traffic without
    authenticating the client
    enables 802.1x authentication on the port
    globally disables 802.1x authentication
    Bottom of Form

    Top of Form

    Refer to the exhibit. Network policy dictates that security functions should be administered using AAA.
    Which configuration would create a default login authentication list that uses RADIUS as the first
    authentication method, the enable password as the second method, and the local database as the final
    method?
    SW-1(config)# aaa new-model
    SW-1(config)# radius-server host 10.10.10.12 key secret
    SW-1(config)# aaa authentication default group-radius local
    SW-1(config)# aaa new-model
    SW-1(config)# radius-server host 10.10.10.12 key secret
    SW-1(config)# aaa authentication default group-radius enable local
    SW-1(config)# aaa new-model
    SW-1(config)# radius-server host 10.10.10.12 key secret
    SW-1(config)# aaa authentication login default group radius enable local
    SW-1(config)# aaa new-model
    SW-1(config)# radius server host 10.10.10.12 key secret
    SW-1(config)# aaa authentication login default group radius enable local none
    SW-1(config)# aaa new-model
    SW-1(config)# radius server host 10.10.10.12 key secret
    SW-1(config)# aaa authentication login default group-radius enable local none
    Bottom of Form

    Top of Form
    Refer to the exhibit. A switch is being configured to support AAA authentication on the console
    connection. Given the information in the exhibit, which three statements are correct? (Choose three.)
    The authentication login admin line console command is required.

    The login authentication admin line console command is required.


    The configuration creates an authentication list that uses a named access list called group as the first
    authentication method, a TACACS+ server as the second method, the local username database as
    the third method, the enable password as the fourth method, and none as the last method.
    The configuration creates an authentication list that uses a TACACS+ server as the first authentication
    method, the local username database as the second method, the enable password as the third method,
    and none as the last method.
    The none keyword enables any user logging in to successfully authenticate if all other methods return
    an error.
    The none keyword specifies that a user cannot log in if all other methods have failed.
    Bottom of Form
    Top of Form
    What is one way to mitigate spanning-tree compromises?
    Statically configure the primary and backup root bridge.

    Implement private VLANs.

    Place all unused ports into a common VLAN (not VLAN 1).

    Configure MAC address VLAN access maps.

    What is one way to mitigate ARP spoofing?

    Enable dynamic ARP inspection.

    Configure MAC address VLAN access maps.

    Enable root guard.

    Implement private VLANs. Bottom of Form

    Top of Form
    What are two purposes for an attacker launching a MAC table flood? (Choose two.)
    to initiate a man-in-the-middle attack
    to initiate a denial of service (DoS) attack

    to capture data from the network

    to gather network topology information

    to exhaust the address space available to the DHCP

    Refer to the exhibit. After the configuration has been applied to ACSw22, frames
    that are bound for the node on port FastEthernet 0/1 are periodically being dropped.
    What should be done to correct the issue?

    Add the switchport port-security mac-address sticky command to the


    interface configuration.

    Change the port speed to speed auto with the interface configuration mode.

    Use the switchport mode trunk command in the interface configuration.

    Remove the switchport command from the interface configuration.


    Refer to the exhibit. What is the state of the monitoring session?

    This is a remote monitored session.

    No data is being sent from the session.

    SPAN session number 2 is being used.

    The session is only monitoring data sent out Fa0/1.

    Top of Form
    What is the function of the 6500 Network Analysis Module?
    monitors traffic on ingress ports

    sends TCP resets to an attacker TCP session

    gathers multilayer information from data flows that pass through the switch

    provides remote monitoring of multiple switches across a switched network


    What technology can be used to help mitigate MAC address flooding attacks?

    root guard
    Private VLANs

    DHCP snooping

    VLAN access maps

    Dynamic ARP Inspection

    Top of Form
    What advantage for monitoring traffic flows does using VACLs with the capture option offer over
    using SPAN?
    VLAN ACLs can be used to capture denied traffic.

    VLAN ACLs can be used to capture traffic on a spanning-tree blocked port.

    VLAN ACLs can be used to capture traffic based on Layer 2, 3, or 4 information.


    VLAN ACLs can be used to capture traffic to the CPU separate from the traffic that is hardware
    switched.
    Bottom of Form

    Top of Form
    What Cisco tool can be used to monitor events happening in the switch?
    Embedded Event Manager

    Intrusion Prevention System

    Network Analysis module

    Switched Port Analyzer


    Bottom of Form
    Bottom of Form
    Bottom of Form

    You might also like