Router and Switch Security Flashcards

(70 cards)

1
Q

Which command is used to enter Global Configuration Mode on a Cisco router?
A) configure terminal

B) config t

C) config

D) configure

A

Answer: A) configure terminal

2
Q

What does the service password-encryption command do?
A) Encrypts passwords in the configuration file

B) Sets the password for the enable secret

C) Enables SSH access

D) Configures the console password

A

Answer: A) Encrypts passwords in the configuration file

3
Q

Which command will permit only SSH traffic into the VTY lines?
A) transport input ssh

B) transport input telnet

C) transport input all

D) transport input none

A

Answer: A) transport input ssh

4
Q

What is the default port number for HTTPS?
A) 21

B) 22

C) 80

D) 443

A

Answer: D) 443

5
Q

Which protocol is used for secure remote access to a Cisco router?
A) Telnet

B) HTTP

C) SSH

D) FTP

A

Answer: C) SSH

6
Q

Which command is used to configure a password for the console line?
A) line con 0

B) password cisco

C) login

D) All of the above

A

Answer: D) All of the above

7
Q

What is the purpose of the login block-for command?
A) To set a timeout for login attempts

B) To block login attempts after a specified number of failed attempts

C) To enable login for a specific user

D) To configure login authentication

A

Answer: B) To block login attempts after a specified number of failed attempts

8
Q

Which command disables CDP on a specific interface?
A) no cdp enable

B) cdp run

C) cdp enable

D) no cdp run

A

Answer: A) no cdp enable

9
Q

What is the function of the switchport port-security command?
A) To configure the port as a trunk port

B) To enable port security features

C) To set the port to access mode

D) To disable the port

A

Answer: B) To enable port security features

10
Q

Which option is a valid violation mode for port security?
A) shutdown

B) restrict

C) protect

D) All of the above

A

Answer: D) All of the above

11
Q

What does the switchport port-security maximum command specify?
A) The maximum number of MAC addresses allowed on the port

B) The maximum number of devices allowed to connect

C) The maximum number of VLANs allowed on the port

D) The maximum number of IP addresses allowed

A

Answer: A) The maximum number of MAC addresses allowed on the port

12
Q

Which command is used to configure a port to allow only one specific MAC address?
A) switchport port-security mac-address sticky

B) switchport port-security mac-address 0001.2222.3333

C) switchport port-security maximum 1

D) All of the above

A

Answer: D) All of the above

13
Q

What is the purpose of the switchport port-security violation restrict command?
A) To shut down the port upon violation

B) To restrict access to the port upon violation

C) To allow all devices to connect

D) To log violations only

A

Answer: B) To restrict access to the port upon violation

14
Q

Which command is used to configure a port to allow only VLANs 10 to 20?
A) switchport trunk allowed vlan 10-20

B) switchport access vlan 10-20

C) switchport mode trunk

D) switchport vlan 10-20

A

Answer: A) switchport trunk allowed vlan 10-20

15
Q

What is the function of the no shutdown command on a switch port?
A) To disable the port

B) To enable the port

C) To configure the port as a trunk

D) To set the port to access mode

A

Answer: B) To enable the port

16
Q

Which command is used to configure a password for the auxiliary line?
A) line aux 0

B) password cisco

C) login

D) All of the above

A

Answer: D) All of the above

17
Q

What does the service password-encryption command do?
A) Encrypts passwords in the configuration file

B) Sets the password for the enable secret

C) Enables SSH access

D) Configures the console password

A

Answer: A) Encrypts passwords in the configuration file

18
Q

Which command is used to configure a password for the console line?
A) line con 0

B) password cisco

C) login

D) All of the above

A

Answer: D) All of the above

19
Q

What is the purpose of the login block-for command?
A) To set a timeout for login attempts

B) To block login attempts after a specified number of failed attempts

C) To enable login for a specific user

D) To configure login authentication

A

Answer: B) To block login attempts after a specified number of failed attempts

20
Q

Which command disables CDP on a specific interface?
A) no cdp enable

B) cdp run

C) cdp enable

D) no cdp run

A

Answer: A) no cdp enable

21
Q

What is the function of the switchport port-security command?
A) To configure the port as a trunk port

B) To enable port security features

C) To set the port to access mode

D) To disable the port

A

Answer: B) To enable port security features

22
Q

Which option is a valid violation mode for port security?
A) shutdown

B) restrict

C) protect

D) All of the above

A

Answer: D) All of the above

23
Q

What does the switchport port-security maximum command specify?
A) The maximum number of MAC addresses allowed on the port

B) The maximum number of devices allowed to connect

C) The maximum number of VLANs allowed on the port

D) The maximum number of IP addresses allowed

A

Answer: A) The maximum number of MAC addresses allowed on the port

24
Q

What is the primary purpose of a switch’s CAM table?
A) To store IP addresses

B) To map MAC addresses to switch ports

C) To control VLANs

D) To encrypt data

A

Answer: B) To map MAC addresses to switch ports

25
Q

Which attack exploits the CAM table by flooding it with fake MAC addresses?
A) DDoS attack

B) DHCP spoofing

C) CAM table overflow

D) ARP poisoning

A

Answer: C) CAM table overflow

26
Q

Which command displays the dynamic MAC address table on a Cisco switch?
A) show arp

B) show ip interface brief

C) show mac address-table

D) show interface status

A

Answer: C) show mac address-table

27
Q

How can CAM table overflow be mitigated?
A) Enable CDP

B) Use port security

C) Configure SNMP

D) Enable DTP

A

Answer: B) Use port security

28
Q

Which port security mode logs a violation but does not shut the port down?
A) Shutdown

B) Restrict

C) Protect

D) Monitor

A

Answer: B) Restrict

29
Q

Which command sets a switch port to learn MAC addresses dynamically and retain them?
A) mac-address sticky

B) switchport port-security mac-address sticky

C) port-security sticky

D) sticky mac-address

A

Answer: B) switchport port-security mac-address sticky

30
Q

What does the switchport port-security violation shutdown command do?
A) Sends a log message

B) Drops violating traffic

C) Disables the port (err-disabled)

D) Restricts traffic to one MAC

A

Answer: C) Disables the port (err-disabled)

31
Q

What happens when a port goes into err-disabled state?
A) It remains operational

B) It shuts down and must be manually re-enabled

C) It restarts automatically

D) It starts flooding traffic

A

Answer: B) It shuts down and must be manually re-enabled

32
Q

What is the command to re-enable a port that is in err-disabled state?
A) no shutdown

B) enable port

C) port restart

D) reboot port

A

Answer: A) no shutdown

33
Q

Which protocol provides secure remote CLI access to a router?
A) Telnet

B) SNMP

C) SSH

D) HTTP

A

Answer: C) SSH

34
Q

Which command limits VTY lines to SSH only?
A) transport input ssh

B) ssh-only

C) line ssh enable

D) no telnet

A

Answer: A) transport input ssh

35
Q

Which key size is recommended for SSH encryption?
A) 512 bits

B) 768 bits

C) 1024 bits

D) 2048 bits

A

Answer: D) 2048 bits

36
Q

What is required to enable SSH on a Cisco device? (Choose two)
A) Hostname and domain name configured

B) SNMP enabled

C) RSA key pair generated

D) HTTP server enabled

A

Answer: A) Hostname and domain name configured; C) RSA key pair generated

37
Q

What command generates an RSA key pair for SSH?
A) crypto key generate rsa

B) ssh key enable

C) keygen ssh

D) generate key

A

Answer: A) crypto key generate rsa

38
Q

Which command shows current SSH connections?
A) show ssh

B) show users

C) show sessions

D) show crypto ssh

A

Answer: A) show ssh

39
Q

What is the main reason Telnet is discouraged for remote access?
A) It is slow

B) It uses too much memory

C) It is not encrypted

D) It needs special hardware

A

Answer: C) It is not encrypted

40
Q

What does the enable secret command do?
A) Configures a Telnet password

B) Enables routing protocols

C) Sets an encrypted privileged mode password

D) Enables all interfaces

A

Answer: C) Sets an encrypted privileged mode password

41
Q

What is the default privilege level for users accessing a router via VTY lines?
A) 0

B) 1

C) 15

D) 10

A

Answer: B) 1

42
Q

Which command allows an administrator to view the running config?
A) show run

B) config t

C) show ip interface

D) enable config

A

Answer: A) show run

43
Q

Which type of ACL is used to filter traffic based on source and destination IP?
A) Standard ACL

B) Extended ACL

C) Named ACL

D) Access Class

A

Answer: B) Extended ACL

44
Q

Which type of ACL can be applied to VTY lines?
A) Extended ACL

B) Standard ACL

C) Named ACL

D) Access-class ACL

A

Answer: D) Access-class ACL

45
Q

Which command assigns an ACL to VTY lines?
A) access-class 10 in

B) ip access-group 10 in

C) access-list 10 permit

D) vty access-class 10 in

A

Answer: A) access-class 10 in

46
Q

Which switch security feature disables unused ports?
A) Port security

B) Shutdown interface

C) BPDU guard

D) Disable unused interfaces manually

A

Answer: D) Disable unused interfaces manually

47
Q

Which command disables an interface on a switch?
A) no enable

B) shutdown

C) disable

D) interface down

A

Answer: B) shutdown

48
Q

Which feature protects against STP manipulation?
A) BPDU Guard

B) Root Guard

C) PortFast

D) EtherChannel

A

Answer: A) BPDU Guard

49
Q

Which feature ensures a specific switch remains the STP root?
A) Root Guard

B) BPDU Guard

C) STP Priority

D) PortFast

A

Answer: A) Root Guard

50
Q

What is the best practice for securing unused switch ports?
A) Enable VTP

B) Use dynamic trunking

C) Set ports to access mode and disable them

D) Enable CDP

A

Answer: C) Set ports to access mode and disable them

51
Q

What is the purpose of the banner motd command?
A) Encrypts the console password

B) Displays a message to unauthorized users

C) Enables telnet access

D) Logs out inactive users

A

Answer: B) Displays a message to unauthorized users

52
Q

Which command is used to verify port security violations?
A) show port-security

B) show switchport

C) show mac address-table

D) show interface status

A

Answer: A) show port-security

53
Q

What does the "sticky" option in port security do?
A) Rejects all unknown MAC addresses

B) Dynamically learns and retains MAC addresses

C) Enables port mirroring

D) Prevents port shutdown

A

Answer: B) Dynamically learns and retains MAC addresses

54
Q

Which VTY command limits the number of concurrent logins?
A) login local

B) transport input ssh

C) access-class

D) exec-timeout

A

Answer: D) exec-timeout

55
Q

Which two components are needed to configure SSH access on a router?
A) SNMP and Telnet

B) Domain name and hostname

C) HTTP server and enable secret

D) Access-list and NAT

A

Answer: B) Domain name and hostname

56
Q

What is the default SSH version on most Cisco IOS devices?
A) Version 1.0

B) Version 2.0

C) Version 1.99

D) None enabled by default

A

Answer: C) Version 1.99 (Indicates support for both v1 and v2)

57
Q

Which command sets the SSH version on a router?
A) ip ssh version 2

B) ssh enable

C) crypto ssh enable

D) set ssh version

A

Answer: A) ip ssh version 2

58
Q

Which security feature automatically shuts down a port after a specified number of failed MAC violations?
A) PortFast

B) BPDU Guard

C) Port Security with shutdown violation mode

D) STP Guard

A

Answer: C) Port Security with shutdown violation mode

59
Q

Which AAA method allows local authentication first, then uses TACACS+ if local fails?
A) aaa new-model

B) login local

C) aaa authentication login default local group tacacs+

D) enable secret

A

Answer: C) aaa authentication login default local group tacacs+

60
Q

What does the command ip access-group 100 in do?
A) Assigns ACL 100 to outbound traffic

B) Applies ACL 100 to an interface for inbound traffic

C) Enables port security

D) Applies standard ACL 100 to VTY lines

A

Answer: B) Applies ACL 100 to an interface for inbound traffic

61
Q

Which command allows you to see which MAC address triggered a port security violation?
A) show interface

B) show port-security interface

C) show mac address-table

D) debug port-security

A

Answer: B) show port-security interface

62
Q

What is the maximum number of sticky MAC addresses that can be learned on a port by default?
A) 1

B) 2

C) 8

D) 50

A

Answer: A) 1

63
Q

Which of the following is a best practice for configuring switch port security?
A) Set ports to dynamic desirable

B) Allow all MAC addresses

C) Limit MAC addresses and use sticky

D) Use default port configurations

A

Answer: C) Limit MAC addresses and use sticky

64
Q

What is the purpose of the access-class command on VTY lines?
A) Enables port security

B) Restricts VTY access based on IP

C) Blocks SSH connections

D) Configures login banners

A

Answer: B) Restricts VTY access based on IP

65
Q

Which of the following is NOT a valid violation mode in port security?
A) Restrict

B) Protect

C) Shutdown

D) Monitor

A

Answer: D) Monitor

66
Q

What is a key risk of enabling unused switch ports?
A) No performance impact

B) High power consumption

C) Unauthorized access

D) IP conflicts

A

Answer: C) Unauthorized access

67
Q

Which configuration would best prevent a rogue DHCP server on the network?
A) Port security

B) DHCP snooping

C) Access-list

D) NAT

A

Answer: B) DHCP snooping

68
Q

Which mode should be used to disable a switch port?
A) no switchport

B) shutdown

C) disable

D) down

A

Answer: B) shutdown

69
Q

Which protocol should be disabled on unused ports for better security?
A) VTP

B) SNMP

C) CDP

D) DTP

A

Answer: D) DTP (Disabling Dynamic Trunking Protocol prevents auto-trunking attacks)

70
Q

How do you remove a dynamically learned MAC address from the CAM table?
A) erase mac-table

B) clear mac address-table dynamic

C) delete mac address-table

D) reset mac table

A

Answer: B) clear mac address-table dynamic