Module 14

Question 1

is considered to be the weakest link in the network system.

Answer 1

Layer 2

Question 2

Includes MAC table overflow (also called MAC Address Flooding) Attacks.

Answer 2

MAC Table Attacks

Question 3

Includes VLAN hopping and VLAN double‐tagging attacks. It also includes attacks between devices on a common VLAN.

Answer 3

VLAN Attacks

Question 4

Includes DHCP starvation and DHCP spoofing attacks.

Answer 4

DHCP Attacks

Question 5

Includes ARP spoofing and ARP poisoning attacks.

Answer 5

ARP Attacks

Question 6

Includes MAC Address and IP address spoofing attacks.

Answer 6

Address Spoofing Attacks

Question 7

Includes Spanning Tree Protocol manipulation attacks.

Answer 7

STP Attacks

Question 8

The following strategies are recommended:

Answer 8

*Always use secure variants of these protocols such as SSH, SCP, and SSL.
*Consider using out-of-band (OOB) management.
*Use a dedicated management VLAN where nothing but management traffic
resides.
*Use ACLs to filter unwanted access.

Question 9

pyramid

Answer 9

port security
dhcp snooping
dai
ipsg

Question 10

prevents many types of attacks including MAC table overflow attacks and DHCP
starvation attacks.

Answer 10

Port Security

Question 11

prevents DHCP starvation and DHCP spoofing attacks by rogue DHCP servers.

Answer 11

DHCP spoofing

Question 12

prevents ARP spoofing and ARP poisoning attacks.

Answer 12

Dynamic ARP Inspection (DAI)

Question 13

prevents MAC and IP address spoofing attacks

Answer 13

IP Source Guard (IPSG)

Question 14

If Layer 2 is disrupted by a cyber attack, all layers above it will be affected.

Answer 14

True

Question 15

It is important to protect Layer 2 by always using secure variants of protocols such as

In addition, ___ should be used to filter unwanted access.

Answer 15

SSH, SCP, and SSL.

ACLs

Question 16

are available on Cisco switches to directly mitigate Layer 2 attacks.

Answer 16

Port security, DHCP Snooping, DAI, and IP Source Guard

Question 17

One type of Layer 2 attack floods the switch with frames with __

Answer 17

random MAC source addresses.

Question 18

___ can quickly overwhelm the MAC table of a switch causing a MAC table overflow exploit.

Answer 18

Threat actor tools such as macof

Question 19

A simple but effective way to prevent Layer 2 attacks is to

Answer 19

shutdown all unused ports.

Question 20

is a simple way to directly address MAC address overflow attacks.

Answer 20

Port security

Question 21

attacks enable threat actors to access VLANs that they are not authorized to access.

Answer 21

VLAN hopping and VLAN double-tagging

Question 22

In ____, a threat actor connects a host computer to a switch and then attempts to negotiate the switchport to become trunk using DTP.

Answer 22

VLAN hopping attacks

Question 23

In _____, a threat actor adds a false VLAN tag to malicious traffic in addition to the legitimate tag.

Answer 23

VLAN double-tagging attacks

Question 24

can be vulnerable to PVLAN proxy attacks.

Answer 24

Private VLAN promiscuous ports

Question 25

PVLAN proxy attacks can be mitigated through the use of

Answer 25

access control lists.

Question 26

Two types of DHCP attacks are

Answer 26

DHCP starvation and DHCP spoofing.

Question 27

The goal of the DHCP starvation attack is

Answer 27

DoS for connecting clients.

Question 28

A___ occurs when a rogue DHCP server is connected to the network and
provides false IP configuration parameters to legitimate clients.

Answer 28

DHCP spoofing attack

Question 29

Both DHCP attacks are mitigated by implementing

Answer 29

DHCP snooping.

Question 30

Any host can claim to be the owner of any IP and MAC address.

Answer 30

True

Question 31

occur when threat actors alter the MAC address of their host to match another known MAC address of a target host.

Answer 31

MAC address spoofing attacks

Question 32

__, which requires DHCP snooping to be enabled, can mitigate ARP spoofing by ensuring that
only valid ARP Requests and Replies are sent into the network.

Answer 32

DAI

Question 33

is when a rogue PC hijacks a valid IP address of a neighbor, or a uses a random IP address.

Answer 33

IP address spoofing

Question 34

To protect against MAC and IP address spoofing, configure ___ operates like DAI, but it
looks at every packet, not just the ARP packets.

Answer 34

IPSG

Question 35

is a loop-prevention network protocol that allows for redundancy while creating a loop-free
Layer 2 topology.

Answer 35

STP

Question 36

Threat actors can manipulate the STP to conduct an attack by

Answer 36

spoofing the root bridge and
changing the topology of a network.

Question 37

Cisco switches have a number of STP stability mechanisms such as

Answer 37

PortFast, BPDU Guard, Root Guard, and Loop Guard.

Question 38

What type of attack occurs when a threat actor sends packets with false MAC or IP addresses?

Answer 38

Address spoofing occurs when a threat actor sends packets that have false MAC or IP addresses.

Question 39

What type of attack sends false address requests to a server until all addresses are used and none are available for legitimate users?

Answer 39

DHCP attacks include DHCP starvation which is an attack in which false requests are made to a DHCP server until all available addresses are exhausted.

Question 39

What prevents many types of attacks including MAC table overflow attacks and DHCP starvation attacks?

Answer 39

Port Security prevents many types of attack including CAM table overflow attacks and DHCP starvation attacks.

Question 40

What prevents DHCP starvation and spoofing attacks?

Answer 40

DHCP Snooping prevents DHCP starvation and DHCP spoofing attacks.

Question 41

What prevents MAC and IP address spoofing attacks?

Answer 41

IP Source Guard helps prevent MAC and IP address spoofing attacks.

Question 42

Which statement describes STP?

Answer 42

STP is used to prevent Layer 2 loops on Ethernet LANs.

Question 43

Without STP on the Ethernet LAN, which three types of frames could cause a catastrophic loop in the network? (Choose three.)

Answer 43

Without STP enabled, unknown unicast, multicast, and broadcast frames could loop endlessly on the network, causing catastrophic network failure.

Question 44

What device is elected by the Spanning Tree Algorithm? All other switches determine a single least-cost path to this device.

Answer 44

The STP algorithm elects a root bridge on the LAN. All other switches calculate the lowest cost path to the root bridge.

Question 45

What is the only type of traffic that is forwarded by a PVLAN protected port to other protected ports?

Answer 45

control

PVLAN protected ports do not exchange any data traffic with other protected ports. The only traffic that is exchanged between protected ports is control traffic generated by network devices.

Question 46

A network administrator is configuring DAI on a switch with the command ip arp inspection validate src-mac. What is the purpose of this configuration command?

Answer 46

it checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body

DAI can be configured to check for both destination or source MAC and IP addresses:

Destination MAC - Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body.
Source MAC - Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.
IP address - Checks the ARP body for invalid and unexpected IP addresses including addresses 0.0.0.0, 255.255.255.255, and all IP multicast addresses.

Question 47

What mitigation plan is best for thwarting a DoS attack that is creating a MAC address table overflow?

Answer 47

enable port security

A MAC address (CAM) table overflow attack, buffer overflow, and MAC address spoofing can all be mitigated by configuring port security. A network administrator would typically not want to disable STP because it prevents Layer 2 loops. DTP is disabled to prevent VLAN hopping. Placing unused ports in an unused VLAN prevents unauthorized wired connectivity.

Question 48

What network attack seeks to create a DoS for clients by preventing them from being able to obtain a DHCP lease?

Answer 48

dhcp starvation

DCHP starvation attacks are launched by an attacker with the intent to create a DoS for DHCP clients. To accomplish this goal, the attacker uses a tool that sends many DHCPDISCOVER messages in order to lease the entire pool of available IP addresses, thus denying them to legitimate hosts.

Question 49

When security is a concern, which OSI Layer is considered to be the weakest link in a network system?​

Answer 49

layer 2

Security is only as strong as the weakest link in the system, and Layer 2 is considered to be that weakest link. In addition to protecting Layer 3 to Layer 7, network security professionals must also mitigate attacks to the Layer 2 LAN infrastructure.

Question 50

If two switches are configured with the same priority and the same extended system ID, what determines which switch becomes the root bridge?

Answer 50

the layer 2 address with the lowest hexadecimal value

When other factors are equal, the switch with the lowest MAC address will have the lowest BID, and will become the root bridge. STP functions on Layer 2 and does not use IP addressing as a factor.​

Question 51

Which statement describes the behavior of a switch when the MAC address table is full?

Answer 51

it treats frames as unknown unicast and floods all incoming frames to all ports within the local VLAN

When the MAC address table is full, the switch treats the frame as an unknown unicast and begins to flood all incoming traffic to all ports only within the local VLAN.

Question 52

A cybersecurity analyst is using the macof tool to evaluate configurations of switches deployed in the backbone network of an organization. Which type of LAN attack is the analyst targeting during this evaluation?

Answer 52

MAC address table overflow

Macof is a network attack tool and is mainly used to flood LAN switches with MAC addresses.

Question 53

What determines which switch becomes the STP root bridge for a given VLAN?

Answer 53

the lowest bridge ID

STP uses a root bridge as a central point for all spanning tree calculations. To select a root bridge, STP conducts an election process. All switches in the broadcast domain participate in the election process. The switch with the lowest bridge ID, or BID, is elected as the root bridge. The BID is made up of a priority value, an extended system ID, and the MAC address of the switch.

Question 54

What action can a network administrator take to help mitigate the threat of VLAN hopping attacks?

Answer 54

disable automatic trunking negotiation

There are two methods for mitigating VLAN hopping attacks:
disabling automatic trunking negotiation on switchports
turning trunking off on all unused nontrunk switchport

Question 55

Which two Cisco solutions help prevent DHCP starvation attacks? (Choose two.)

Answer 55

port security

dhcp snooping

Cisco provides solutions to help mitigate Layer 2 attacks including these:
IP Source Guard (IPSG) - prevents MAC and IP address spoofing attacks
Dynamic ARP Inspection (DAI) - prevents ARP spoofing and ARP poisoning attacks
DHCP Snooping - prevents DHCP starvation and SHCP spoofing attacks
Port Security - prevents many types of attacks including MAC table overflow attacks and DHCP starvation attacks
Web Security Appliance (WSA) is a mitigation technology for web-based threats.

Question 56

What is the only type of port that an isolated port can forward traffic to on a private VLAN?

Answer 56

a promiscuous port

PVLANs are used to provide Layer 2 isolation between ports within the same broadcast domain. The level of isolation can be specified
with three types of PVLAN ports:
Promiscuous ports that can forward traffic to all other ports
Isolated ports that can only forward traffic to promiscuous ports
Community ports that can forward traffic to other community ports and promiscuous ports

Question 57

What additional security measure must be enabled along with IP Source Guard to protect against address spoofing?

Answer 57

dhcp snooping

Like Dynamic ARP Inspection (DAI), IP Source Guard (IPSG) needs to determine the validity of MAC-address-to-IP-address bindings. To do this IPSG uses the bindings database built by DHCP snooping.