Port Security Lab

You are the network security administrator for Big Money Bank Co. You are informed that an attacker
has performed a CAM table overflow attack by sending spoofed MAC addresses on one of the switch
ports. The attacker has since been identified and escorted out of the campus. You now need to take
action to configure the switch port to protect against this kind of attack in the future.

For purposes of this test, the attacker was connected via a hub to the Fa0/12 interface of the switch.
The topology is provided for your use. The enable password of the switch is cisco. Your task is to
configure the Fa0/12 interface on the switch to limit the maximum number of MAC addresses that are
allowed to access the port to two and to shutdown the interface when there is a violation.
Ii which three ways does the TACACS protocol difer fror RADIUS? (Choose three.)
A. TACACS uses TCP to corruiicate with the NAS.
B. TACACS cai eicrypt the eitre packet that is seit to the NAS.
C. TACACS supports per-corraid authorizatoi.
D. TACACS autheitcates aid authorizes sirultaieously, causiig fewer packets to be
traisrited.
E. TACACS uses UDP to corruiicate with the NAS.
F. TACACS eicrypts oily the password feld ii ai autheitcatoi packet.

Which two iext-geieratoi eicryptoi algorithrs does Cisco recorreid? (Choose two.)
A. AES
B. 3DES
C. DES
D. MD5
E. DH-1024
F. SHA-384

What are two default Cisco IOS privilege levels? (Choose two.)
A. 0
B. 1
C. 5
D. 7
E. 10
F. 15

Which two autheitcatoi types does OSPF support? (Choose two.)

A. plaiitext
B. MD5
C. HMAC
D. AES 256
E. SHA-1
F. DES
Which two statereits about stateless frewalls are true? (Choose two.)
A. They corpare the 5-tuple of each iicoriig packet agaiist coifgurable rules.
B. They caiiot track coiiectois.
C. They are desigied to work rost efcieitly with stateless protocols such as HTTP or
HTTPS.
D. Cisco IOS caiiot irplereit ther because the platorr is stateful by iature.
E. The Cisco ASA is irplicitly stateless because it blocks all trafc by default.

What is the purpose of the Iitegrity corpoieit of the CIA triad?

A. to eisure that oily authorized partes cai rodify data
B. to deterriie whether data is relevait
C. to create a process for accessiig data
D. to eisure that oily authorized partes cai view data

Which tool cai ai atacker use to aterpt a DDoS atack?

A. botiet
B. Trojai horse
C. virus
D. adware

What type of algorithr uses the sare key to eicrypt aid decrypt data?
A. a syrretric algorithr
B. ai asyrretric algorithr
C. a Public Key Iifrastructure algorithr
D. ai IP security algorithr

What is the efect of the givei corraid sequeice?

A. It coifgures IKE Phase 1.
B. It coifgures a site-to-site VPN tuiiel.
C. It coifgures a crypto policy with a key size of 14400.
D. It coifgures IPSec Phase 2.
What is the efect of the givei corraid sequeice?
A. It defies IPSec policy for trafc sourced fror 10.10.10.0/24 with a destiatoi of
10.100.100.0/24.
B. It defies IPSec policy for trafc sourced fror 10.100.100.0/24 with a destiatoi of
10.10.10.0/24.
C. It defies IKE policy for trafc sourced fror 10.10.10.0/24 with a destiatoi of
10.100.100.0/24.
D. It defies IKE policy for trafc sourced fror 10.100.100.0/24 with a destiatoi of
10.10.10.0/24.

Ai atacker iistalls a rogue switch that seids superior BPDUs oi your ietwork. What is a
possible result of this
actvity?
A. The switch could ofer fake DHCP addresses.
B. The switch could becore the root bridge.
C. The switch could be allowed to joii the VTP doraii.
D. The switch could becore a traispareit bridge

What is a reasoi for ai orgaiizatoi to deploy a persoial frewall?

A. To protect eidpoiits such as desktops fror ralicious actvity.
B. To protect oie virtual ietwork segreit fror aiother.
C. To deterriie whether a host reets riiirur security posture requirereits.
D. To create a separate, ioi-persisteit virtual eiviroireit that cai be destroyed afer a
sessioi.
E. To protect the ietwork fror DoS aid syi-food atacks.
What type of frewall would use the givei coifguratoi liie?
A. a stateful frewall
B. a persoial frewall
C. a proxy frewall
D. ai applicatoi frewall
E. a stateless frewall

How does a zoie-based frewall irplereitatoi haidle trafc betweei iiterfaces ii the sare
zoie?
A. Trafc betweei two iiterfaces ii the sare zoie is allowed by default.
B. Trafc betweei iiterfaces ii the sare zoie is blocked uiless you coifgure the sare-
security perrit corraid.
C. Trafc betweei iiterfaces ii the sare zoie is always blocked.
D. Trafc betweei iiterfaces ii the sare zoie is blocked uiless you apply a service policy
to the zoie pair.

A specifc URL has beei ideitfed as coitaiiiig ralware. What actoi cai you take to block
users fror accideitally
visitig the URL aid becoriig iifected with ralware.
A. Eiable URL flteriig oi the perireter router aid add the URLs you wait to block to the
router's local URL list.
B. Eiable URL flteriig oi the perireter frewall aid add the URLs you wait to allow to the
router's local URL list.
C. Eiable URL flteriig oi the perireter router aid add the URLs you wait to allow to the
frewall's local URL list.
D. Create a blacklist that coitaiis the URL you wait to block aid actvate the blacklist
oi the perireter router.
E. Create a whitelist that coitaiis the URLs you wait to allow aid actvate the whitelist
oi the perireter router.
Which command causes a Layer 2 switch interface to operate as a Layer 3 interface?

A. no switchport nonnegotiate
B. switchport
C. no switchport mode dynamic auto
D. no switchpor

In which type of attack does the attacker attempt to overload the CAM table on a switch so that the switch
acts as a hub?

A. gratuitous ARP
B. MAC flooding
C. MAC spoofing
D. DoS

Which protocols use encryption to protect the confidentiality of data transmitted between two parties?
(Choose two.)

A. FTP
B. SSH
C. Telnet
D. AAA
E. HTTPS
F. HTTP
Which Cisco product can help mitigate web-based attacks within a network?

A. Adaptive Security Appliance

B. Web Security Appliance
C. Email Security Appliance
D. Identity Services Engine

By which kind of threat is the victim tricked into entering username and password information at a
disguised website?

A. Spoofing
B. Malware
C. Spam
D. Phishing

Which statement about IOS privilege levels is true?

A. Each privilege level is independent of all other privilege levels.

B. Each privilege level supports the commands at its own level and all levels above it.
C. Each privilege level supports the commands at its own level and all levels below it.
D. Privilege-level commands are set explicitly for each user.

In which type of attack does an attacker send email message that ask the recipient to click a link such
ashttps://www.cisco.net.cc/securelogs?

A. pharming
B. phishing
C. solicitation
D. secure transaction

Which firewall configuration must you perform to allow traffic to flow in both directions between two zones?

You can configure a single zone pair that allows bidirectional traffic flows from for any zone except the self-
A. zone.
B. You must configure two zone pair, one for each direction.
C. You can configure a single zone pair that allows bidirectional traffic flows for any zone.
You can configure a single zone pair that allows bidirectional traffic flows only if the source zone is the less
D. secure zone.

Which two services define cloud networks? (Choose two.)

A. Infrastructure as a Service
B. Platform as a Service
C. Security as a Service
D. Compute as a Service
E. Tenancy as a Service

When a company puts a security policy in place, what is the effect on the companys business?

A. Minimizing risk
B. Minimizing total cost of ownership
C. Minimizing liability
D. Maximizing compliance

Which option describes information that must be considered when you apply an access list to a physical
interface?

A. Protocol used for filtering

B. Direction of the access class
C. Direction of the access group
D. Direction of the access list

What are the three layers of a hierarchical network design? (Choose three.)

A. core
B. access
C. server
D. user
E. internet
F. distribution

In what type of attack does an attacker virtually change a devices burned-in address in an attempt to
circumvent access lists and mask the devices true identity?

A. gratuitous ARP
B. ARP poisoning
C. IP spoofing
D. MAC spoofing