Chapter 5

Question 1

What AAA function verifies identity?

Answer 1

Authentication

Question 2

What AAA function determines user permissions?

Answer 2

Authorization

Question 3

What AAA function monitors resources being used and logs session statistics?

Answer 3

Accounting

Question 4

What does an AAA server typically do when it receives an authentication request?

Answer 4

Challenges the user’s credentials by asking for username and password

Question 5

What does the AAA server do after a user’s credentials are authenticated?

Answer 5

Authorizes them and decides which user profile to apply to the specific user

Question 6

Describe the last process in the AAA framework

Answer 6

Accounts for everything the user is doing within the network and monitors resource usage and session statistics

Question 7

What are two protocols used in IPsec?

Answer 7

ESP (encapsulating security payload)
AH (authentication header)

Question 8

Which protocol transports data in a site-to-site VPN?

Answer 8

IPsec

Question 9

How is encrypted multicast traffic carried between remote sites?

Answer 9

GRE (multicast) over IPsec (encryption)

Question 10

What category of traffic is sent with IPsec?

Answer 10

Unicast traffic between two endpoints

Question 11

What IPsec mode and protocol encrypt and encapsulate the entire packet?

Answer 11

Tunnel (encrypts) ESP (encapsulates)

Question 12

What does Internet Key Exchange (IKE) do?

Answer 12

Handles negotiation of protocols and algorithms. Generates the encryption and authentication keys

Question 13

Whats the difference between ESP tunnel and transport mode?

Answer 13

Tunnel protects the routing info by encrypting the IP header while transport mode only encrypts the payload and ESP trailer. Tunnel mode is used in site-to-site VPNs and transport mode is used in client-to-site VPNs.

Question 14

Which security program describes badge authentication for building access?

Answer 14

Physical access control

Question 15

Which security program describes purposely sending emails to their staff that simulates an attack?

Answer 15

User awareness

Question 16

What formats are available to select when configuring a WLAN with a WPA2 PSK in the GUI?

Answer 16

ASCII, hexadecimal

Question 17

What type of encryption is used for WPA2-PSK?

Answer 17

AES-128

Question 18

What is an enhancement that was implemented with WPA3?

Answer 18

Forward secrecy
SAE for authentication (protection against brute force attacks)
192-bit key encryption

Question 19

What encryption does WPA1 use?

Answer 19

TKIP

Question 20

Which WPA mode uses PSK for authentication?

Answer 20

Personal or WPA-PSK

Question 21

Which wireless security protocols use block chain cipher types?

Answer 21

WPA2, WPA3

Question 22

What does WPA3 replace PSK with?

Answer 22

SAE

Question 23

How many ASCII text characters can can a WPA pre-shared key contain?

Answer 23

8-63

Question 24

How many hexadecimal characters can can a WPA pre-shared key contain?

Answer 24

64 minimum

Question 25

What is a CRL?

Answer 25

Certificate Revocation List Informs devices when a certificate is revoked/withdrawn

Question 26

What is a CA?

Answer 26

Certificate Authority A trusted entity that grants digital certificates to individuals/organizations to establish secure connections

Question 27

What is 802.11x?

Answer 27

An authentication protocol to allow network access with a RADIUS server

Question 28

What is a mitigation technique for ARP spoofing?

Answer 28

Dynamic ARP inspection

Question 29

What is a mitigation technique for 802.1q double tagging?

Answer 29

Configuring a VLAN access control list (VACL)

Question 30

What is a mitigation technique for unwanted BPDUs on PortFast ports?

Answer 30

BPDU guard

Question 31

What is a mitigation technique for MAC flooding attacks?

Answer 31

Port security Authentication with AAA server 802.1x

Question 32

What does DHCP snooping do?

Answer 32

Determines whether or not traffic sources are trusted or untrusted Filters messages and rate-limits traffic from untrusted sources

Question 33

What threats can DHCP snooping mitigate?

Answer 33

Rogue DHCP server Rogue clients on the network Man-in-the-middle attacks

Question 34

What can be done in response to ARP poisoning?

Answer 34

Dynamic ARP inspection (DAI)

Question 35

What is a zero-day exploit?

Answer 35

When a new network vulnerability is found before a fix is available

Question 36

How can you control which devices can talk to a CPU?

Answer 36

CPU ACL

Question 37

What is access-class used for?

Answer 37

To tie an ACL to vty lines

Question 38

What is access-group used for?

Answer 38

To tie an ACL to an interface

Question 39

Where do you want to configure extended access lists?

Answer 39

As close to the source as possible

Question 40

What does implicit deny refer to?

Answer 40

If any ACL is configured, its the invisible "deny all" at the end

Question 41

What is the standard ACL range and extended range?

Answer 41

1-99 1300-1999

Question 42

Where do you want to configure standard access lists?

Answer 42

Closest to the destination

Question 43

How do you configure a standard access list?

Answer 43

#access-list n [permit/deny] [source address] [wildcard]

Question 44

How do you configure an ACL to block or forward data?

Answer 44

#ip access-group [acl#] [in/out]

Question 45

How can you verify if an access-group is configured?

Answer 45

#show ip interface

Question 46

How do you configure an extended access list?

Answer 46

#access-list n [permit/deny] [protocol] [source/wild] [destination/wild] [port number]

Question 47

What is the extended ACL range and extended range?

Answer 47

100-199 2000-2699

Question 48

What additional things can you configure extended ACLs for over standard ACLs?

Answer 48

Destination IP Port numbers

Question 49

What command is used to edit existing ACLs?

Answer 49

#ip access-list [extended] n

Question 50

What command can you use to verify ACL configuration?

Answer 50

show ip access-lists show access-lists

Question 51

For DHCP snooping, what interface should be configured as trusted on a switch?

Answer 51

The one connected to the DHCP server

Question 52

What can be done to mitigate VLAN hopping?

Answer 52

Put access ports in use into a VLAN that isn't the native VLAN Manually configure trunks and disable DTP

Question 53

How can you configure port security to dynamically learned MAC addresses?

Answer 53

#switchport port-security mac-address sticky

Question 54

How should port security be configured if you want logs generated?

Answer 54

#switchport port-security violation restrict

Question 55

What does protect do in port security configuration?

Answer 55

Drops packets from unknown sources but does not increase the counter

Question 56

Which two modes of port security drop packets when receiving packets from an unknown source?

Answer 56

Restrict Protect

Question 57

What is the difference between the shutdown and restrict commands in port security?

Answer 57

Both send traps, but restrict drops the packet and shutdown puts the interface in an err-disabled state upon receiving a packet from an unknown source

Question 58

What is the default behavior of port-security?

Answer 58

Only one MAC address can be learned and the default violation action is shutdown

Question 59

What encryption is applied with enable secret by default?

Answer 59

MD5 hash

Question 60

How do you configure a Telnet password?

Answer 60

line vty 0 15 password [password] [login]

Question 61

How do you configure a password for console login?

Answer 61

line console 0 password [password] login

Question 62

What happens if enable password and enable secret are configured?

Answer 62

The password is ignored

Question 63

What configuration can you apply to encrypt a password?

Answer 63

#service password-encryption

Question 64

How would you configure a SHA-256 password?

Answer 64

#enable algorithm-type sha256 secret [password]

Question 65

What kind of attacks can be mitigated with user awareness or training?

Answer 65

Brute-force attacks Pharming Social engineering

Question 66

What kind of attacks can be mitigated with physical access control?

Answer 66

Burglary Tailgating

Question 67

What does DAI filter?

Answer 67

ARP messages received on untrusted ports

Question 68

What kind of encryption does WEP use?

Answer 68

RC4

Question 69

What is CCMP?

Answer 69

Cipher Block Chaining Message Authentication Code Protocol Part of the 802.11i standard, uses the AES cipher to encrypt data

Question 70

Which wireless security protocol has an optional 192-bit encryption?

Answer 70

WPA3 Enterprise

Question 71

What is the configuration needed for DAI?

Answer 71

DHCP snooping enabled ip arp inspection vlan n ip arp inspection trust

Question 72

What is the configuration needed for DHCP snooping

Answer 72

ip dhcp snooping ip dhcp snooping vlan n (config-if)ip dhcp snooping trust/untrust

Question 73

What types of WLC deployments are there?

Answer 73

Unified/Centralized Cloud-Based Embedded Mobility Express

Question 74

What is backdoor malware?

Answer 74

A type of Trojan that allows attackers to gain remote access to a system by negating normal authentication procedures

Question 75

What is a feature of RSA?

Answer 75

Asymmetric encryption algorithm Public-key cryptosystem

Question 76

What privilege level grants the user access to privilege-exec mode?

Answer 76

15

Question 77

What privilege level grants the user access to user-exec mode?

Answer 77

1