Last Updated on June 27, 2019 by Admin
Implementing Network Security ( Version 2.0) – CCNAS Chapter 6 Exam Online
CCNAS – Chapter 6 Exam
Quiz-summary
0 of 24 questions completed
Questions:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
Information
CCNAS – Chapter 6 Exam
You have already completed the quiz before. Hence you can not start it again.
Quiz is loading...
You must sign in or sign up to start the quiz.
You have to finish following quiz, to start this quiz:
Results
0 of 24 questions answered correctly
Your time:
Time has elapsed
You have reached 0 of 0 points, (0)
Average score |
|
Your score |
|
Categories
- Not categorized 0%
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- Answered
- Review
-
Question 1 of 24
1. Question
1 pointsRefer to the exhibit. The Fa0/2 interface on switch S1 has been configured with the switchport port-security mac-address 0023.189d.6456 command and a workstation has been connected. What could be the reason that the Fa0/2 interface is shutdown?Correct
Incorrect
The security violation counter for Fa0/2 has been incremented (evidenced by the 1 in the SecurityViolation column). The most secure addresses allowed on port Fa0/2 is 1 and that address was manually entered. Therefore, PC1 must have a different MAC address than the one configured for port Fa0/2. Connections between end devices and the switch, as well as connections between a router and a switch, are made with a straight-through cable.
Hint
The security violation counter for Fa0/2 has been incremented (evidenced by the 1 in the SecurityViolation column). The most secure addresses allowed on port Fa0/2 is 1 and that address was manually entered. Therefore, PC1 must have a different MAC address than the one configured for port Fa0/2. Connections between end devices and the switch, as well as connections between a router and a switch, are made with a straight-through cable. -
Question 2 of 24
2. Question
1 pointsTwo devices that are connected to the same switch need to be totally isolated from one another. Which Cisco switch security feature will provide this isolation?Correct
Incorrect
The PVLAN Edge feature does not allow one device to see traffic that is generated by another device. Ports configured with the PVLAN Edge feature are also known as protected ports. BPDU guard prevents unauthorized connectivity to a wired Layer 2 switch. SPAN is port mirroring to capture data from one port or VLAN and send that data to another port. DTP (Dynamic Trunking Protocol) is automatically enabled on some switch models to create a trunk if the attached device is configured for trunking. Cisco recommends disabling DTP as a best practice.
Hint
The PVLAN Edge feature does not allow one device to see traffic that is generated by another device. Ports configured with the PVLAN Edge feature are also known as protected ports. BPDU guard prevents unauthorized connectivity to a wired Layer 2 switch. SPAN is port mirroring to capture data from one port or VLAN and send that data to another port. DTP (Dynamic Trunking Protocol) is automatically enabled on some switch models to create a trunk if the attached device is configured for trunking. Cisco recommends disabling DTP as a best practice. -
Question 3 of 24
3. Question
2 pointsWhich two functions are provided by Network Admission Control? (Choose two.)Correct
Incorrect
The port security feature can be used to limit how many MAC addresses can be learned on a switch port and help prevent MAC address table overflow attacks. Storm control is a feature that can prevent excessive broadcasts and multicasts from disrupting other LAN traffic. These functions are not provided by Network Admission Control (NAC).
Hint
The port security feature can be used to limit how many MAC addresses can be learned on a switch port and help prevent MAC address table overflow attacks. Storm control is a feature that can prevent excessive broadcasts and multicasts from disrupting other LAN traffic. These functions are not provided by Network Admission Control (NAC). -
Question 4 of 24
4. Question
1 pointsWhich spanning-tree enhancement prevents the spanning-tree topology from changing by blocking a port that receives a superior BPDU?Correct
Incorrect
Root guard prevents the placement of the root bridge from changing by blocking any port that receives a superior BPDU. A superior BPDU is one with a higher root bridge ID than the currently selected root bridge has.
Hint
Root guard prevents the placement of the root bridge from changing by blocking any port that receives a superior BPDU. A superior BPDU is one with a higher root bridge ID than the currently selected root bridge has. -
Question 5 of 24
5. Question
1 pointsWhich security feature should be enabled in order to prevent an attacker from overflowing the MAC address table of a switch?Correct
Incorrect
Port security limits the number of source MAC addresses allowed through a switch port. This feature can prevent an attacker from flooding a switch with many spoofed MAC addresses.
Hint
Port security limits the number of source MAC addresses allowed through a switch port. This feature can prevent an attacker from flooding a switch with many spoofed MAC addresses. -
Question 6 of 24
6. Question
1 pointsIn what situation would a network administrator most likely implement root guard?Correct
Incorrect
Root guard in conjunction with PortFast, and BPDU guard is used to prevent an STP manipulation attack.
Hint
Root guard in conjunction with PortFast, and BPDU guard is used to prevent an STP manipulation attack. -
Question 7 of 24
7. Question
1 pointsWhat component of Cisco NAC is responsible for performing deep inspection of device security profiles?Correct
Incorrect
The Cisco NAC Agent is a lightweight agent that runs on endpoint devices. The function of this agent is to perform deep inspection of the security profile of the endpoints. This includes inspecting the registry settings, services, and files.
Hint
The Cisco NAC Agent is a lightweight agent that runs on endpoint devices. The function of this agent is to perform deep inspection of the security profile of the endpoints. This includes inspecting the registry settings, services, and files. -
Question 8 of 24
8. Question
1 pointsWhat is the role of the Cisco NAC Manager in implementing a secure networking infrastructure?Correct
Incorrect
Cisco NAC authenticates users and assess the policy compliance of the device the user is using to connect to the network. The role of the Cisco NAC Manager is to define the security policies of user access and endpoint security policies.
Hint
Cisco NAC authenticates users and assess the policy compliance of the device the user is using to connect to the network. The role of the Cisco NAC Manager is to define the security policies of user access and endpoint security policies. -
Question 9 of 24
9. Question
1 pointsWhat is the role of the Cisco NAC Server within the Cisco Secure Borderless Network Architecture?Correct
Incorrect
Cisco NAC is used in the Cisco Borderless Network Architecture to authenticate users and ensure user devices are compliant with security policies. The Cisco NAC server assesses and enforces security policy compliance.
Hint
Cisco NAC is used in the Cisco Borderless Network Architecture to authenticate users and ensure user devices are compliant with security policies. The Cisco NAC server assesses and enforces security policy compliance. -
Question 10 of 24
10. Question
1 pointsWhat is the role of the Cisco NAC Guest Server within the Cisco Borderless Network architecture?Correct
Incorrect
Cisco NAC is used in the Cisco Borderless Network Architecture to authenticate users and ensure that user devices are compliant with security policies. The Cisco NAC Guest Server manages guest network access and the ability to create guest accounts.
Hint
Cisco NAC is used in the Cisco Borderless Network Architecture to authenticate users and ensure that user devices are compliant with security policies. The Cisco NAC Guest Server manages guest network access and the ability to create guest accounts. -
Question 11 of 24
11. Question
3 pointsWhich three functions are provided under Cisco NAC framework solution? (Choose three.)Correct
Incorrect
The goal of both the Cisco NAC framework and the Cisco NAC Appliance is to ensure that only hosts that are authenticated and have their security posture examined and approved are permitted onto the network. They provide four important functions: authentication, authorization, and accounting; posture assessment (evaluating an incoming device against the security policies), quarantining of non-compliant systems, and remediation of noncompliant devices. They do not provide VPN connection or intrusion detection/prevention services.
Hint
The goal of both the Cisco NAC framework and the Cisco NAC Appliance is to ensure that only hosts that are authenticated and have their security posture examined and approved are permitted onto the network. They provide four important functions: authentication, authorization, and accounting; posture assessment (evaluating an incoming device against the security policies), quarantining of non-compliant systems, and remediation of noncompliant devices. They do not provide VPN connection or intrusion detection/prevention services. -
Question 12 of 24
12. Question
1 pointsWhich feature is part of the Antimalware Protection security solution?Correct
Incorrect
The Antimalware Protection (AMP) security solution can enable malware detection and blocking, continuous analysis, and retrospective alerting with the following:File reputation – analysis of files inline and blocking or applying policies File sandboxing – analysis of unknown files to understand true file behavior File retrospection – continuing to analyze files for changing threat levels
Hint
The Antimalware Protection (AMP) security solution can enable malware detection and blocking, continuous analysis, and retrospective alerting with the following:File reputation – analysis of files inline and blocking or applying policies File sandboxing – analysis of unknown files to understand true file behavior File retrospection – continuing to analyze files for changing threat levels -
Question 13 of 24
13. Question
1 pointsWhat security countermeasure is effective for preventing CAM table overflow attacks?Correct
Incorrect
Port security is the most effective method for preventing CAM table overflow attacks. Port security gives an administrator the ability to manually specify what MAC addresses should be seen on given switch ports. It provides a method for limiting the number of MAC addresses that can be dynamically learned over a switch port.
Hint
Port security is the most effective method for preventing CAM table overflow attacks. Port security gives an administrator the ability to manually specify what MAC addresses should be seen on given switch ports. It provides a method for limiting the number of MAC addresses that can be dynamically learned over a switch port. -
Question 14 of 24
14. Question
1 pointsWhat is the behavior of a switch as a result of a successful CAM table attack?Correct
Incorrect
As a result of a CAM table attack, a switch can run out of memory resources to store MAC addresses. When this happens, no new MAC addresses can be added to the CAM table and the switch will forward all received frames to all other ports. This would allow an attacker to capture all traffic that is flooded by the switch.
Hint
As a result of a CAM table attack, a switch can run out of memory resources to store MAC addresses. When this happens, no new MAC addresses can be added to the CAM table and the switch will forward all received frames to all other ports. This would allow an attacker to capture all traffic that is flooded by the switch. -
Question 15 of 24
15. Question
1 pointsWhat additional security measure must be enabled along with IP Source Guard to protect against address spoofing?Correct
Incorrect
Like Dynamic ARP Inspection (DAI), IP Source Guard (IPSG) needs to determine the validity of MAC-address-to-IP-address bindings. To do this IPSG uses the bindings database built by DHCP snooping.
Hint
Like Dynamic ARP Inspection (DAI), IP Source Guard (IPSG) needs to determine the validity of MAC-address-to-IP-address bindings. To do this IPSG uses the bindings database built by DHCP snooping. -
Question 16 of 24
16. Question
3 pointsWhat are three techniques for mitigating VLAN hopping attacks? (Choose three.)Correct
Incorrect
Mitigating a VLAN hopping attack can be done by disabling Dynamic Trunking Protocol (DTP), manually setting ports to trunking mode, and by setting the native VLAN of trunk links to VLANs not in use.
Hint
Mitigating a VLAN hopping attack can be done by disabling Dynamic Trunking Protocol (DTP), manually setting ports to trunking mode, and by setting the native VLAN of trunk links to VLANs not in use. -
Question 17 of 24
17. Question
2 pointsWhat two mechanisms are used by Dynamic ARP inspection to validate ARP packets for IP addresses that are dynamically assigned or IP addresses that are static? (Choose two.)Correct
Incorrect
Two methods can be used by Dynamic ARP Inspection (DAI) to determine the validity of MAC-address-to-IP-address bindings. One is a bindings database built by DHCP snooping. The other method is through the use of user-configured ARP ACLs.
Hint
Two methods can be used by Dynamic ARP Inspection (DAI) to determine the validity of MAC-address-to-IP-address bindings. One is a bindings database built by DHCP snooping. The other method is through the use of user-configured ARP ACLs. -
Question 18 of 24
18. Question
1 pointsWhat protocol should be disabled to help mitigate VLAN hopping attacks?Correct
Incorrect
Mitigating a VLAN hopping attack can be done by disabling Dynamic Trunking Protocol (DTP) and by setting the native VLAN of trunk links to a VLAN not in use.
Hint
Mitigating a VLAN hopping attack can be done by disabling Dynamic Trunking Protocol (DTP) and by setting the native VLAN of trunk links to a VLAN not in use. -
Question 19 of 24
19. Question
1 pointsWhat network attack seeks to create a DoS for clients by preventing them from being able to obtain a DHCP lease?Correct
Incorrect
DCHP starvation attacks are launched by an attacker with the intent to create a DoS for DHCP clients. To accomplish this goal, the attacker uses a tool that sends many DHCPDISCOVER messages in order to lease the entire pool of available IP addresses, thus denying them to legitimate hosts.
Hint
DCHP starvation attacks are launched by an attacker with the intent to create a DoS for DHCP clients. To accomplish this goal, the attacker uses a tool that sends many DHCPDISCOVER messages in order to lease the entire pool of available IP addresses, thus denying them to legitimate hosts. -
Question 20 of 24
20. Question
1 pointsWhat is the only type of port that an isolated port can forward traffic to on a private VLAN?Correct
Incorrect
PVLANs are used to provide Layer 2 isolation between ports within the same broadcast domain. The level of isolation can be specified with three types of PVLAN ports:Promiscuous ports that can forward traffic to all other ports Isolated ports that can only forward traffic to promiscuous ports Community ports that can forward traffic to other community ports and promiscuous ports
Hint
PVLANs are used to provide Layer 2 isolation between ports within the same broadcast domain. The level of isolation can be specified with three types of PVLAN ports:Promiscuous ports that can forward traffic to all other ports Isolated ports that can only forward traffic to promiscuous ports Community ports that can forward traffic to other community ports and promiscuous ports -
Question 21 of 24
21. Question
1 pointsWhich STP stability mechanism is used to prevent a rogue switch from becoming the root switch?Correct
Incorrect
There are several recommended STP stability mechanisms to help mitigate STP manipulation attacks:
- PortFast - Used to immediately bring an interface configured as an access or trunk port to the forwarding state from a blocking state. This is applied to all end-user ports.
- BPDU guard - Immediately error-disables a port that receives a BPDU. This is applied to all end-user ports.
- Root guard - Prevents a switch from becoming the root switch. Applied to all ports where root switch should not be located.
- Loop guard - Detects unidirectional links to prevent alternate or root ports from becoming designated ports. Applied to all ports that are or can become non-designated.
Hint
There are several recommended STP stability mechanisms to help mitigate STP manipulation attacks:- PortFast - Used to immediately bring an interface configured as an access or trunk port to the forwarding state from a blocking state. This is applied to all end-user ports.
- BPDU guard - Immediately error-disables a port that receives a BPDU. This is applied to all end-user ports.
- Root guard - Prevents a switch from becoming the root switch. Applied to all ports where root switch should not be located.
- Loop guard - Detects unidirectional links to prevent alternate or root ports from becoming designated ports. Applied to all ports that are or can become non-designated.
-
Question 22 of 24
22. Question
1 pointsHow can a user connect to the Cisco Cloud Web Security service directly?Correct
Incorrect
A client can connect to the Cisco CWS service directly by using a proxy autoconfiguration (PAC) file installed on the end device. The Cisco CWS connector is a software component integrated into four Cisco products including Cisco ASA, Cisco WSA, and Cisco AnyConnect Secure Mobility Client. A client can use the Cisco CWS service through these products.
Hint
A client can connect to the Cisco CWS service directly by using a proxy autoconfiguration (PAC) file installed on the end device. The Cisco CWS connector is a software component integrated into four Cisco products including Cisco ASA, Cisco WSA, and Cisco AnyConnect Secure Mobility Client. A client can use the Cisco CWS service through these products. -
Question 23 of 24
23. Question
1 pointsWhat security benefit is gained from enabling BPDU guard on PortFast enabled interfaces?Correct
Incorrect
BPDU guard immediately error-disables a port that receives a BPDU. This prevents rogue switches from being added to the network. BPDU guard should only be applied to all end-user ports.
Hint
BPDU guard immediately error-disables a port that receives a BPDU. This prevents rogue switches from being added to the network. BPDU guard should only be applied to all end-user ports. -
Question 24 of 24
24. Question
1 pointsWhich mitigation technique would prevent rogue servers from providing false IP configuration parameters to clients?Correct
Incorrect
When DHCP snooping is enabled, a switch will deny packets containing unauthorized DHCP server messages coming from an untrusted port.
Hint
When DHCP snooping is enabled, a switch will deny packets containing unauthorized DHCP server messages coming from an untrusted port.