What is a recommended best practice when dealing with the native VLAN?
Chapter 11 - Switch Security Configuration

Quiz • Computers • University • Hard
Hedvig Mendonca
15 questions
1.
MULTIPLE CHOICE QUESTION
30 sec • 5 pts
What is a recommended best practice when dealing with the native VLAN?
Use port security.
Turn off DTP.
Assign it to an unused VLAN.
Assign the same VLAN number as the management VLAN.
Answer explanation
Port security cannot be enabled on a trunk and trunks are the only types of ports that have a native VLAN. Even though turning DTP off on a trunk is a best practice, it does not have anything to do with native VLAN risks. To prevent security breaches that take advantage of the native VLAN, place the native VLAN in an unused VLAN other than VLAN 1. The management VLAN should also be an unused VLAN that is different from the native VLAN and something other than VLAN 1.
2.
MULTIPLE CHOICE QUESTION
30 sec • 5 pts
On what switch ports should PortFast be enabled to enhance STP stability?
only ports that are elected as designated ports
all trunk ports that are not root ports
all end-user ports
only ports that attach to a neighboring switch
Answer explanation
PortFast will immediately bring an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states. If configured on a trunk link, immediately transitioning to the forwarding state could lead to the formation of Layer 2 loops.
3.
MULTIPLE CHOICE QUESTION
30 sec • 5 pts
Which command would be best to use on an unused switch port if a company adheres to the best practices as recommended by Cisco?
switchport port-security mac-address sticky mac-address
ip dhcp snooping
shutdown
switchport port-security violation shutdown
switchport port-security mac-address sticky
Answer explanation
Unlike router Ethernet ports, switch ports are enabled by default. Cisco recommends disabling any port that is not used. The ip dhcp snooping command globally enables DHCP snooping on a switch. Further configuration allows defining ports that can respond to DHCP requests. The switchport port-security command is used to protect the network from unidentified or unauthorized attachment of network devices.
4.
MULTIPLE SELECT QUESTION
45 sec • 5 pts
Which two features on a Cisco Catalyst switch can be used to mitigate DHCP starvation and DHCP spoofing attacks? (Choose two.)
DHCP server failover
extended ACL
port security
DHCP snooping
strong password on DHCP servers
Answer explanation
In DHCP starvation attacks, an attacker floods the DHCP server with DHCP requests to use up all the available IP addresses that the DHCP server can issue. In DHCP spoofing attacks, an attacker configures a fake DHCP server on the network so that it provides clients with false DNS server addresses. The port security feature can limit the number of dynamically learned MAC addresses per port or allow only known valid NICs to be connected via their specific MAC addresses. The DHCP snooping feature can identify the legitimate DHCP servers and block fake DHCP servers from issuing IP address information. These two features can help fight against DHCP attacks.
5.
MULTIPLE CHOICE QUESTION
30 sec • 5 pts
What is the best way to prevent a VLAN hopping attack?
Use ISL encapsulation on all trunk links.
Disable STP on all nontrunk ports.
Use VLAN 1 as the native VLAN on trunk ports.
Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports.
Answer explanation
VLAN hopping attacks rely on the attacker being able to create a trunk link with a switch. Disabling DTP and configuring user-facing ports as static access ports can help prevent these types of attacks. Disabling the Spanning Tree Protocol (STP) will not eliminate VLAN hopping attacks.
6.
MULTIPLE CHOICE QUESTION
30 sec • 5 pts
Which procedure is recommended to mitigate the chances of ARP spoofing?
Enable port security globally.
Enable DHCP snooping on selected VLANs.
Enable IP Source Guard on trusted ports.
Enable DAI on the management VLAN.
Answer explanation
To mitigate the chances of ARP spoofing, these procedures are recommended:
Implement protection against DHCP spoofing by enabling DHCP snooping globally.
Enable DHCP snooping on selected VLANs.
Enable DAI on selected VLANs.
Configure trusted interfaces for DHCP snooping and ARP inspection. Untrusted ports are configured by default.
7.
MULTIPLE SELECT QUESTION
45 sec • 5 pts
What are two types of switch ports that are used on Cisco switches as part of the defense against DHCP spoofing attacks? (Choose two.)
unknown port
trusted DHCP port
unauthorized port
established DHCP port
untrusted port
Answer explanation
DHCP snooping recognizes two types of ports on Cisco switches:
Trusted DHCP ports – switch ports connecting to upstream DHCP servers
Untrusted ports – switch ports connecting to hosts that should not be providing DHCP server messages