Modules 10 – 13: L2 Security and WLANs Exam Answers Full
1. In setting up a small office network, the network administrator decides to assign private IP addresses dynamically to workstations and mobile devices. Which feature must be enabled on the company router in order for office devices to access the internet?
- MAC filtering
2. What is a difference between autonomous APs that operate in a home environment and controller-based APs that operate in a corporate environment?
- Autonomous APs incorporate the functions of a router, switch, and AP into one device.
- Autonomous APs do not support PoE.
- Controller-based APs can be automatically configured and managed by a WLAN controller.
- Controller-based APs are known as lightweight APs and require an initial configuration to operate.
3. Which WLC tab would a network administrator typically use to see a summary view of the most heavily used WLANs including the number of clients using a particular WLAN?
4. Users on an IEEE 802.11n network are complaining of slow speeds. The network administrator checks the AP and verifies it is operating properly. What can be done to improve the wireless performance in the network?
- Split the wireless traffic between the 802.11n 2.4 GHz band and the 5 GHz band.
- Change the authentication method on the AP.
- Switch to an 802.11g AP.
- Set the AP to mixed mode.
5. Why is authentication with AAA preferred over a local database method?
- It uses less network bandwidth.
- It requires a login and password combination on the console, vty lines, and aux ports.
- It provides a fallback authentication method if the administrator forgets the username or password.
- It specifies a different password for each line or port.
6. What is involved in an IP address spoofing attack?
- A legitimate network IP address is hijacked by a rogue node.
- A rogue node replies to an ARP request with its own MAC address indicated for the target IP address.
- A rogue DHCP server provides false IP configuration parameters to legitimate DHCP clients.
- Bogus DHCPDISCOVER messages are sent to consume all the available IP addresses on a DHCP server.
7. In a server-based AAA implementation, which protocol will allow the router to successfully communicate with the AAA server?
8. What three services are provided by the AAA framework? (Choose three.)
9. What two protocols are supported on Cisco devices for AAA communications? (Choose two.)
10. Which service is enabled on a Cisco router by default that can reveal significant information about the router and potentially make it more vulnerable to attack?
11. What is the purpose of AAA accounting?
- to collect and report application usage
- to determine which resources the user can access
- to prove users are who they say they are
- to determine which operations the user can perform
12. When security is a concern, which OSI Layer is considered to be the weakest link in a network system?
- Layer 4
- Layer 2
- Layer 3
- Layer 7
13. Which Layer 2 attack will result in a switch flooding incoming frames to all ports?
- ARP poisoning
- IP address spoofing
- MAC address flooding
- Spanning Tree Protocol manipulation
14. Because of implemented security controls, a user can only access a server with FTP. Which AAA component accomplishes this?
15. Which Cisco solution helps prevent MAC and IP address spoofing attacks?
- Port Security
- DHCP Snooping
- IP Source Guard
- Dynamic ARP Inspection
16. What is a recommended best practice when dealing with the native VLAN?
- Turn off DTP.
- Use port security.
- Assign it to an unused VLAN.
- Assign the same VLAN number as the management VLAN.
17. On what switch ports should PortFast be enabled to enhance STP stability?
- all end-user ports
- only ports that attach to a neighboring switch
- all trunk ports that are not root ports
- only ports that are elected as designated ports
18. Which command would be best to use on an unused switch port if a company adheres to the best practices as recommended by Cisco?
- ip dhcp snooping
- switchport port-security mac-address sticky
- switchport port-security violation shutdown
- switchport port-security mac-address sticky mac-address
19. Which two features on a Cisco Catalyst switch can be used to mitigate DHCP starvation and DHCP spoofing attacks? (Choose two.)
- port security
- extended ACL
- DHCP snooping
- DHCP server failover
- strong password on DHCP servers
20. What is the best way to prevent a VLAN hopping attack?
- Disable STP on all nontrunk ports.
- Use ISL encapsulation on all trunk links.
- Use VLAN 1 as the native VLAN on trunk ports.
- Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports.
21. Which procedure is recommended to mitigate the chances of ARP spoofing?
- Enable port security globally.
- Enable DHCP snooping on selected VLANs.
- Enable DAI on the management VLAN.
- Enable IP Source Guard on trusted ports.
22. What are two types of switch ports that are used on Cisco switches as part of the defense against DHCP spoofing attacks? (Choose two.)
- unknown port
- untrusted port
- unauthorized port
- trusted DHCP port
- authorized DHCP port
- established DHCP port
23. Which two commands can be used to enable PortFast on a switch? (Choose two.)
- S1(config-if)# spanning-tree portfast
- S1(config-line)# spanning-tree portfast
- S1(config)# spanning-tree portfast default
- S1(config-if)# enable spanning-tree portfast
- S1(config)# enable spanning-tree portfast default
24. An administrator who is troubleshooting connectivity issues on a switch notices that a switch port configured for port security is in the err-disabled state. After verifying the cause of the violation, how should the administrator re-enable the port without disrupting network operation?
- Reboot the switch.
- Issue the shutdown command followed by the no shutdown command on the interface.
- Issue the no switchport port-security command, then re-enable port security.
- Issue the no switchport port-security violation shutdown command on the interface.
25. A network administrator is configuring DHCP snooping on a switch. Which configuration command should be used first?
- ip dhcp snooping
- ip dhcp snooping vlan
- ip dhcp snooping trust
- ip dhcp snooping limit rate
26. A network administrator is configuring DAI on a switch with the command ip arp inspection validate dst-mac. What is the purpose of this configuration command?
- to check the destination MAC address in the Ethernet header against the MAC address table
- to check the destination MAC address in the Ethernet header against the user-configured ARP ACLs
- to check the destination MAC address in the Ethernet header against the target MAC address in the ARP body
- to check the destination MAC address in the Ethernet header against the source MAC address in the ARP body
27. Which security feature should be enabled in order to prevent an attacker from overflowing the MAC address table of a switch?
- BPDU filter
- port security
- storm control
- root guard
28. What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol?
- VLAN hopping
- DHCP spoofing
- ARP poisoning
- ARP spoofing
29. A network administrator is configuring DAI on a switch. Which command should be used on the uplink interface that connects to a router?
- ip arp inspection vlan
- ip arp inspection trust
- ip dhcp snooping
- spanning-tree portfast
30. Where are dynamically learned MAC addresses stored when sticky learning is enabled with the switchport port-security mac-address sticky command?
31. In the context of mobile devices, what does the term tethering involve?
- connecting a mobile device to another mobile device or computer to share a network connection
- connecting a mobile device to a hands-free headset
- connecting a mobile device to a 4G cellular network
- connecting a mobile device to a USB port on a computer in order to charge the mobile device
32. Which feature of 802.11n wireless access points allows them to transmit data at faster speeds than previous versions of 802.11 Wi-Fi standards did?
33. Which method of wireless authentication is currently considered to be the strongest?
- shared key
34. Which parameter is commonly used to identify a wireless network name when a home wireless AP is being configured?
- ad hoc
35. Which characteristic describes a wireless client operating in active mode?
- ability to dynamically change channels
- must know the SSID to connect to an AP
- must be configured for security before attaching to an AP
- broadcasts probes that request the SSID
36. Which IEEE standard operates at wireless frequencies in both the 5 GHz and 2.4 GHz ranges?
37. Which statement describes an autonomous access point?
- It is used for networks that require a large number of access points.
- It is a standalone access point.
- It is server-dependent.
- It is managed by a WLAN controller.
38. Which two roles are typically performed by a wireless router that is used in a home or small business? (Choose two.)
- access point
- WLAN controller
- Ethernet switch
- RADIUS authentication server
39. Which protocol and port numbers are used by both IPv4 and IPv6 CAPWAP tunnels? (Choose two.)
- 5246 and 5247
- 17 and 163
40. If three 802.11b access points need to be deployed in close proximity, which three frequency channels should be used? (Choose three.)
41. Which type of telecommunication technology is used to provide Internet access to vessels at sea?
- municipal WiFi
42. Which wireless network topology is being configured by a technician who is installing a keyboard, a mouse, and headphones, each of which uses Bluetooth?
- ad hoc mode
- infrastructure mode
- mixed mode
43. Which type of wireless topology is created when two or more Basic Service Sets are interconnected by Ethernet?
- WiFi Direct
- ad hoc WLAN
44. What Wi-Fi management frame is regularly broadcast by APs to announce their presence?
45. A user is configuring a wireless access point and wants to prevent any neighbors from discovering the network. What action does the user need to take?
- Disable SSID broadcast.
- Enable WPA encryption.
- Configure DMZ settings.
- Configure a DNS server.
46. When a wireless network in a small office is being set up, which type of IP addressing is typically used on the networked devices?
47. A user has just purchased a generic home router and would like to secure it. What should be done to help secure the wireless home router?
- Change the default administrator password.
- Set a private IPv4 network for the internal network.
- Change the default SSID.
- Allow only IPv6 traffic to enter the router.
48. Which protocol could be used by a company to monitor devices such as a wireless LAN controller (WLC)?
49. When configuring a Cisco 3500 series wireless LAN controller (WLC) for a WPA2 Enterprise WLAN, what has to be created on the WLC before creating the new WLAN?
- a new SSID
- a security module
- a security policy
- a VLAN for the wireless network
50. What is a DHCP scope as it relates to a WLAN configured on the WLC?
- a corporate plan for allocation of IP addresses for wireless clients
- a pool of IP addresses for WLAN clients
- security rules associated with DHCP for WLANs
- the distance allotted for wireless clients that can receive IP addressing information
51. Why would a technician configure a passphrase for a WLAN on a wireless router?
- to protect someone from changing the configuration
- to configure wireless client authentication
- to protect someone from cabling directly to the router and accessing the router
- to protect the SSID from being changed
52. A customer installs a wireless access point at home in the closet next to the kitchen. The customer mentions that the wireless communication performance seems degraded when the cordless phone or the microwave oven is in use. What is the possible reason for this degradation?
- The access point is close to walls.
- The cordless phone joins the WLAN and shares the available bandwidth.
- The wireless signal is in the same radio frequency range as the household devices are in.
- The access point is on the same electrical circuit as the phone base unit and microwave oven are.
- The surge of electricity when a microwave oven is in use disrupts the operation of the access point.
53. What functionality is required on routers to provide remote workers with VoIP and videoconferencing capabilities?
54. A wireless router is displaying the IP address of 192.168.0.1. What could this mean?
- The NAT function is not working on the wireless router.
- The wireless router still has the factory default IP address.
- Dynamic IP address allocation has been configured on the router and is functioning correctly.
- The wireless router has been configured to use the frequencies on channel 1.
55. A laptop cannot connect to a wireless access point. Which two troubleshooting steps should be taken first? (Choose two.)
- Ensure that the wireless NIC is enabled.
- Ensure that the laptop antenna is attached.
- Ensure that the wireless SSID is chosen.
- Ensure that the correct network media is selected.
- Ensure that the NIC is configured for the proper frequency.