Security Fundamentals

Question 1

Enable port security on an interface:
SW1(config-if)# […]

Answer 1

switchport port-security

Question 2

Manually configure a secure MAC address on the interface.
SW1(config-if)# […]

Answer 2

switchport port-security mac-address mac-address

Question 3

Enable sticky secure MAC address learning:
SW1(config-if)# […]

Answer 3

switchport port-security mac-address sticky

Question 4

Configure the port security violation mode:
SW1(config-if)# […]

Answer 4

switchport port-security violation {shutdown | restrict | protect}

Question 5

Configure the port security aging time:
SW1(config-if)# […]

Answer 5

switchport port-security aging time minutes

Question 6

Configure the port security aging type:
SW1(config-if)# […]

Answer 6

switchport port-security aging type {absolute | inactivity}

Question 7

Enable aging of static secure MAC addresses
SW1(config-if)# […]

Answer 7

switchport port-security aging static

Question 8

Enable errdisable recovery for port security violations:
SW1(config)# […]

Answer 8

errdisable recovery cause psecure-violation

Question 9

Configure the errdisable recovery interval:
SW1(config)# […]

Answer 9

errdisable recovery interval seconds

Question 10

Show all secure MAC addresses on the switch:
SW1# […]

Answer 10

show mac address-table secure

Question 11

Show a summary of port security-enabled switchports
SW1# […]

Answer 11

show port-security

Question 12

Show port security information for an individual switchport
SW1# […]

Answer 12

show port-security interface interface

Question 13

Show a summary of errdisable recovery information:
SW1# […]

Answer 13

show errdisable recovery

Question 14

Port security [can/can’t] be enabled on an interface configured as switchport mode dynamic auto

Answer 14

can’t

Question 15

Port security [can/can’t] be enabled on an interface configured as switchport mode dynamic desirable

Answer 15

can’t

Question 16

When an interface is shutdown by port security, its status in the output of show interfaces status will be […]

Answer 16

err-disabled

Question 17

Manually re-enable an interface disabled by port security:
SW1(config-if)# […]
SW1(config-if)# […]

Answer 17

shutdown
no shutdown

Question 18

The default errdisable recovery timer is […]

Answer 18

300 seconds (5 minutes)

Question 19

Errdisable recovery is [enabled/disabled] by default for all causes.

Answer 19

disabled

Question 20

What is the default port security violation mode?

Answer 20

Shutdown

Question 21

Port security shutdown violation mode:
Syslog/SNMP messages [are/aren’t] generated.

Answer 21

are

Question 22

Port security restrict violation mode:
Syslog/SNMP messages [are/aren’t] generated.

Answer 22

are

Question 23

Port security protect violation mode:
Syslog/SNMP messages [are/aren’t] generated.

Answer 23

aren’t

Question 24

Port security shutdown violation mode:
The interface [is/isn’t] disabled.

Answer 24

is

Question 25

Port security restrict violation mode: The interface [is/isn't] disabled.

Answer 25

isn't

Question 26

Port security protect violation mode: The interface [is/isn't] disabled.

Answer 26

isn't

Question 27

Port security shutdown violation mode: The violation counter [is/isn't] incremented.

Answer 27

is

Question 28

Port security restrict violation mode: The violation counter [is/isn't] incremented.

Answer 28

is

Question 29

Port security protect violation mode: The violation counter [is/isn't] incremented.

Answer 29

isn't

Question 30

The default port security aging type is [...].

Answer 30

absolute

Question 31

Port security secure static address aging is [enabled/disabled] by default.

Answer 31

disabled

Question 32

Enable DHCP Snooping on the switch: SW1(config)# [...]

Answer 32

ip dhcp snooping

Question 33

Enable DHCP Snooping on a VLAN: SW1(config)# [...]

Answer 33

ip dhcp snooping vlan vlan-number

Question 34

Enable errdisable recovery for DHCP rate limiting violations: SW1(config)# [...]

Answer 34

errdisable recovery cause dhcp-rate-limit

Question 35

Configure the DHCP snooping-enabled switch to not add option 82 to DHCP messages: SW1(config)# [...]

Answer 35

no ip dhcp snooping information option

Question 36

Configure a DHCP snooping trusted port: SW1(config-if)# [...]

Answer 36

ip dhcp snooping trust

Question 37

Limit the rate that DHCP messages are allowed on a DHCP snooping enabled interface: SW1(config-if)# [...]

Answer 37

ip dhcp snooping limit rate packets-per-second

Question 38

Show the DHCP snooping binding table: SW1# [...]

Answer 38

show ip dhcp snooping binding

Question 39

When DHCP snooping is enabled, all interfaces are [trusted/untrusted] by default.

Answer 39

untrusted

Question 40

DHCP snooping untrusted port: If a DHCP [...] message is received, discard it with no further checks.

Answer 40

Server

Question 41

DHCP snooping untrusted port: If a DHCP [...] message is received, inspect the message to determine if it should be forwarded or discarded.

Answer 41

client

Question 42

DHCP Snooping: When a client successfully leases an IP address from a server, create a new entry in the [...]

Answer 42

DHCP Snooping Binding Table

Question 43

If DHCP snooping rate-limiting is configured and the rate is exceeded, what happens?

Answer 43

The interface is err-disabled

Question 44

DHCP Option [...] is also known as the DHCP Relay Agent Information Option.

Answer 44

82

Question 45

By default, Cisco switches will drop DHCP messages with Option 82 that are received on an [...] port.

Answer 45

untrusted

Question 46

Enable DAI for a VLAN: SW1(config)# [...]

Answer 46

ip arp inspection vlan vlan

Question 47

Enable err-disable recovery for DAI rate limiting: SW1(config)# [...]

Answer 47

errdisable recovery cause arp-inspection

Question 48

Enable additional DAI validation checks: SW1(config)# [...]

Answer 48

ip arp inspection validate (src-mac | dst-mac | ip)

Question 49

Configure a DAI trusted interface: SW1(config-if)# [...]

Answer 49

ip arp inspection trust

Question 50

Configure DAI rate limiting: SW1(config-if)# [...]

Answer 50

ip arp inspection limit rate packets [burst interval seconds]

Question 51

Create an ARP ACL: SW1(config)# [...]

Answer 51

arp access-list name

Question 52

Configure an ARP ACL entry mapping an IP address to a MAC address (permit) SW1(config-arp-nacl)# [...]

Answer 52

permit ip host ip-address mac host mac-address

Question 53

Apply an ARP ACL to DAI: SW1(config)# [...]

Answer 53

ip arp inspection filter arp-acl-name vlan vlan

Question 54

Show a summary of DAI configuration and statistics: SW1# [...]

Answer 54

show ip arp inspection

Question 55

Show a summary of DAI interfaces: SW1# [...]

Answer 55

show ip arp inspection interfaces

Question 56

DAI: All ports are [trusted/untrusted] by default.

Answer 56

untrusted

Question 57

DAI checks ARP messages' [...] and [...] fields against the DHCP snooping binding table and ARP ACLs.

Answer 57

sender MAC / sender IP

Question 58

DAI checks ARP messages' sender MAC and sender IP fields against the [...] and [...].

Answer 58

DHCP snooping binding table / ARP ACLs

Question 59

DAI inspects ARP messages received on [...] ports.

Answer 59

untrusted

Question 60

DAI rate limiting is enabled on [...] ports by default.

Answer 60

untrusted

Question 61

DAI rate limiting is enabled on untrusted ports with a rate of [...] by default.

Answer 61

15 packets per second

Question 62

ACLs are an ordered sequence of [...]

Answer 62

ACEs (Access Control Entries)

Question 63

ACLs must be [...] to take effect.

Answer 63

applied to an interface

Question 64

How many ACLs can be applied to a single interface?

Answer 64

Two: one inbound one outbound

Question 65

What will happen if a packet doesn’t match any of the entries in an ACL?

Answer 65

It will be dropped ('implicit deny')

Question 66

The [...] tells the router to deny all traffic that doesn’t match any of the configured entries in the ACL.

Answer 66

implicit deny

Question 67

What ranges of numbers can be used to identify standard numbered ACLs?

Answer 67

1-99, 1300-1999

Question 68

Configure a standard numbered ACL entry, specifying the IP/mask. R1(config)# [...]

Answer 68

access-list number {deny | permit} ip wildcard-mask

Question 69

Configure a standard numbered ACL entry, permitting or denying all source IPs. R1(config)# [...]

Answer 69

access-list number {deny | permit} any

Question 70

Configure a remark for standard numbered ACL: R1(config)# [...]

Answer 70

access-list number remark remark

Question 71

View all IP ACLs on the router: R1# [...]

Answer 71

show ip access-lists

Question 72

View all ACLs on the router: R1# [...]

Answer 72

show access-lists

Question 73

Standard ACLs should be applied as close to the [...] as possible.

Answer 73

destination

Question 74

[...] ACLs should be applied as close to the destination as possible.

Answer 74

Standard

Question 75

Apply an ACL to an interface: R1(config-if)# [...]

Answer 75

ip access-group acl {in | out}

Question 76

Enter standard named ACL config mode: R1(config)# [...]

Answer 76

ip access-list standard acl-name

Question 77

Configure a permit or deny entry for a standard named ACL: R1(config-std-nacl)# [...]

Answer 77

[entry-number] {deny | permit} ip wildcard-mask

Question 78

Delete an ACL entry by specifying the sequence number: R1(config-std-nacl)# [...]

Answer 78

no sequence-number

Question 79

You [can/can't] delete individual ACL entries in global config mode.

Answer 79

can't

Question 80

You [can/can't] delete individual ACL entries in named ACL config mode.

Answer 80

can

Question 81

Resequence an ACL: R1(config)# [...]

Answer 81

ip access-list resequence acl-id starting-seq-num increment

Question 82

Extended numbered ACL ranges:

Answer 82

100-199, 2000-2699

Question 83

Configure an extended ACL entry, specifying protocol, source IP, and destination IP: R1(config-ext-nacl)#

Answer 83

{permit | deny} protocol src-ip dest-ip (use either host before each IP address for /32, or specify a wildcard mask)

Question 84

Enter extended named ACL config mode: R1(config)# [...]

Answer 84

ip access-list extended {name | number}

Question 85

OSPF = IP protocol number [...]

Answer 85

89

Question 86

Which extended ACL entry command option? [...] matches a single port.

Answer 86

eq port-num

Question 87

Which extended ACL entry command option? [...] matches all ports greater than the specified number.

Answer 87

gt port-num

Question 88

Which extended ACL entry command option? [...] matches all ports less than the specified number.

Answer 88

lt port-num

Question 89

Which extended ACL entry command option? [...] matches all ports except the specified number.

Answer 89

neq port-num

Question 90

Which extended ACL entry command option? [...] matches the specified range of ports.

Answer 90

range lowest-number highest-number

Question 91

Which command can be used to view which ACLs are applied to an interface? R1# [...]

Answer 91

show ip interface interface-id