Wednesday, September 24, 2008

CCNP: Building Multilayer Switched Networks Chapter 8

Module 8 Exam
1. During authentication initiation, what happens if an 802.1X‐enabled client does not receive
an EAP‐request/identity frame after three attempts to start authentication?
· The client continues to send EAP‐request/identity frames to the switch.
· The client refuses any further frames.
· The client sends frames as if the port is in the authorized state. (*)
· The client determines that the port is switched to the unauthorized state.
2. Which statement is true when the spanning‐tree portfast bpduguard default global
configuration command is configured on a Catalyst 2950 switch?
· The command enables BPDU Guard on UplinkFast‐enabled ports.
· This command limits the switch ports through which the root bridge may be negotiated.
· Any PortFast‐enabled port that no longer receives BPDUs will automatically begin
forwarding frames.
· Any PortFast‐enabled port that receives a BPDU will go into an error‐disabled state. (*)
3. Which two statements regarding Loop Guard are true? (Choose two.)
· Loop Guard and UDLD can be enabled simultaneously. (*)
· Loop Guard provides no protection against STP failures that occur because the
designated switch is not sending BPDUs.
· Loop Guard provides protection against miswiring.
· Loop Guard works on shared links or on links that have been unidirectional since initial setup.
· On an EtherChannel, Loop Guard will put the entire channel in a loop‐inconsistent state
if any physical link in the bundle fails. (*)
4. How should unused ports on a switch be configured in order to prevent VLAN hopping
attacks?
· Configure them with the UDLD feature.
· Configure them with the PAgP protocol.
· Configure them as trunk ports for the native VLAN.
· Configure them as access ports. (*)
5. The command switchport port‐security violation protect performs which function?
· A trap notification is sent to the network management station.
· The interface will shut down upon a violation and must be manually re‐enabled.
· The interface will shut down upon a violation and will be dynamically re‐enabled.
· Packets from unknown sources are dropped until the maximum allowable MAC
addresses drops below a certain value. (*)
6. Which three global configuration commands are required for configuring port‐based
authentication? (Choose three.)
· dot1x system‐auth‐control (*)
· dot1x port‐control auto
· aaa new‐model (*)
· aaa authentication dot1x {default} method1... (*)
· aaa authorization network lucy group tacacs+
· aaa authentication login host local
7. Refer to the exhibit. Access1 has an uplink port directly connected to Distribution1, a
distribution‐layer switch. Considering best practices for configuring dynamic ARP inspection,
what is wrong with this configuration?
· All ARP packets on untrusted ports are not intercepted.
· All ARP packets received on a trusted interface should be inspected.
· All intercepted packets should be verified for a valid IP‐to‐MAC address binding before
forwarding.
· Interface FastEthernet0/14 is not configured as a trusted port. (*)
· Only VLAN1 on the switch should be configured for dynamic ARP inspection.
· Dynamic ARP inspection should take place on distribution‐layer switches.
8. Interface FastEthernet 0/1 has been configured with the spanning‐tree guard root
command. Which two commands can be used to verify the root guard configuration and the
root guard state? (Choose two.)
· show running‐config interface fastethernet 0/1 (*)
· show running‐config include rootguard
· show spanning‐tree include rootguard
· show spanning‐tree inconsistentports (*)
· show root guard
· show vlan rootguard
9. Which statement is true regarding a port configured with Loop Guard?
· Once a BPDU is received on a Loop Guard port that is in a loop‐inconsistent state, the
port will transition to forwarding state automatically.
· Once a BPDU is received on a Loop Guard port that is in a loop‐inconsistent state, the
port will transition to the appropriate state as determined by the normal function of
Spanning Tree. (*)
· Once a BPDU is received on a Loop Guard port that is in a loop‐inconsistent state, the
port will be disabled and the administrator must re‐enable it manually.
· Once a BPDU is received on a Loop Guard port that is in a loop‐inconsistent state, the
port will transition to blocking state.
10. Refer to the exhibit. A network administrator has entered the configuration indicated in the
exhibit. However, the switchport command is rejected. What command would resolve this
problem?
· switchport mode access (*)
· switchport mode dot1q‐tunnel
· switchport mode dynamic
· switchport mode trunk
· switchport port‐security maximum 1
· switchport port‐security mac‐address sticky
11. When implementing 802.1x port‐based authentication, which statement is true regarding
what traffic is allowed through the switch from an unauthenticated host?
· DHCP requests are forwarded.
· EAPOL traffic is forwarded. (*)
· Only ARP requests are forwarded.
· All traffic is forwarded.
· No traffic is forwarded.
12. Refer to the exhibit. Given the configuration on the ALSwitch, what is the end result?
· Forces all hosts attached to a port to authenticate before being allowed access to the
network.
· Disables 802.1x port‐based authentication and causes the port to allow normal traffic
without authenticating the client. (*)
· Enables 802.1x authentication on the port.
· Globally disables 802.1x authentication.
13. Which statement is true regarding 802.1x port‐based authentication?
· Authentication can only be initiated by the host.
· Authentication can only be initiated by the switch.
· Authentication can be initiated by either the switch or the host. (*)
· If the host does not receive a response to a start frame, it goes into the shutdown mode.
· When a host attached to a switchport comes up, the authentication server queries the
host for 802.1x authentication information.
14. Refer to the exhibit. Port security has been configured on the Fa 0/12 interface of switch SW‐1.
Given the information in the exhibit, which statement is true?
· Frames from PC1 will be dropped, and a log message is created.
· Frames from PC1 will be dropped, and there will be no log of the violation.
· Frames from PC1 will be forwarded to its destination. (*)
· Frames from PC1 will cause the interface to shut down immediately, and a log entry is
made.
15. Refer to the exhibit. Network policy dictates that security functions should be administered
using AAA. Which configuration would create a default login authentication list that uses
RADIUS as the first authentication method, the enable password as the second method, and
the local database as the final method?
· SW‐1(config)# aaa new‐model
SW‐1(config)# radius‐server host 10.10.10.12 key secret
SW‐1(config)# aaa authentication default group‐radius local
· SW‐1(config)# aaa new‐model
SW‐1(config)# radius‐server host 10.10.10.12 key secret
SW‐1(config)# aaa authentication default group‐radius enable local
· SW‐1(config)# aaa new‐model
SW‐1(config)# radius‐server host 10.10.10.12 key secret
SW‐1(config)# aaa authentication login default group radius enable local (*)
· SW‐1(config)# aaa new‐model
SW‐1(config)# radius server host 10.10.10.12 key secret
SW‐1(config)# aaa authentication login default group radius enable local none
· SW‐1(config)# aaa new‐model
SW‐1(config)# radius server host 10.10.10.12 key secret
SW‐1(config)# aaa authentication login default group‐radius enable local none
16. To increase port security on a switch, the interface configuration command switchport host
has been configured on specific switchports. What two outcomes will result from this
configuration? (Choose two.)
· channel group will be enabled
· disables the sending of BPDUs
· enables STP PortFast (*)
· enables the sending of DTP packets
· places the port into access mode (*)
17. A network administrator is tasked with protecting a server farm by implementing Private
VLANs. Each server should only be allowed to communicate with the default gateway. The
default gateway should be able to communicate with all devices. Which type of PVLAN
should be configured on the switch port connecting to the default gateway?
· isolated
· promiscuous (*)
· ISL
· community
· 802.1Q
18. A network administrator is tasked with protecting a server farm by implementing Private
VLANs. Each server should only be allowed to communicate with the default gateway. Which
type of PVLAN should be configured on the switch port connecting to a server?
· isolated (*)
· promiscuous
· ISL
· community
· 802.1Q
