
642-813 Q&A – Implement a Security Extension of a Layer 2 solution (6-10)

Section 2 – Implement a Security Extension of a Layer 2 solution, given a network design and a set of requirements

QUESTION NO: 6
You are responsible for increasing the security within the Company LAN. Of the following choices listed below, which is true regarding layer 2 security and mitigation techniques?
A. Enable root guard to mitigate ARP address spoofing attacks.
B. Configure DHCP spoofing to mitigate ARP address spoofing attacks.
C. Configure PVLANs to mitigate MAC address flooding attacks.
D. Enable root guard to mitigate DHCP spoofing attacks.
E. Configure dynamic ARP inspection (DAI) to mitigate IP address spoofing on DHCP untrusted ports.
F. Configure port security to mitigate MAC address flooding.
G. None of the other alternatives apply
Answer: F

Explanation:
Use the port security commands to mitigate MAC-spoofing attacks. The port security command provides the capability to specify the MAC address of the system connected to a particular port.
The command also provides the ability to specify an action to take if a port-security violation occurs. However, as with the CAM table-overflow attack mitigation, specifying a MAC address on every port is an unmanageable solution. Hold-down timers in the interface configuration menu can be used to mitigate ARP spoofing attacks by setting the length of time an entry will stay in the ARP cache.

QUESTION NO: 7
Refer to the exhibit. Port security has been configured on the switch port Fa0/5. What would happen if another device is connected to the port after the maximum number of devices has been reached, even if one or more of the original MAC addresses are inactive?

[Exhibit image not reproduced]
A. The port will permit the new MAC address because one or more of the original MAC addresses are inactive.
B. The port will permit the new MAC address because one or more of the original MAC addresses will age out.
C. Because the new MAC address is not configured on the port, the port will not permit the new MAC address.
D. Although one or more of the original MAC addresses are inactive, the port will not permit the new MAC address.
Answer: D
Explanation:
In this example the switch is configured for Port Security with the maximum number of allowed devices set to 11. When configuring port security, note the following syntax information about port security violation modes:
protect – Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.
restrict – Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value and causes the SecurityViolation counter to increment.
shutdown – Puts the interface into the error-disabled state immediately and sends an SNMP trap notification.
Normally, since the violation mode has been set to protect, the switch would indeed allow a new device to be added once an original MAC address has gone inactive and aged out. However, the key to this question is the “aging time 0” command, which has also been configured. This command disables aging, so the original secure MAC addresses remain in the table even when their devices are inactive or have been removed. Therefore the switch will not permit any new MAC addresses.
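The scenario in the explanation, written out as IOS interface configuration. This is an added example, not the exhibit from the original question; the interface names are assumed, and the values (maximum 11, violation protect, aging time 0) are taken from the explanation. The first interface reproduces the behaviour the question describes; the second shows the inactivity-aging alternative under which an idle secure address is released and a new device can be learned.

```cisco
! Fa0/5 as described in the question: up to 11 secure addresses, protect
! mode, and aging time 0 (aging disabled, which is also the IOS default).
! Secure addresses never expire, so once 11 are learned a 12th host is
! silently dropped even if all 11 original hosts have gone quiet.
interface FastEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 11
 switchport port-security violation protect
 switchport port-security aging time 0
!
! Assumed alternative interface: secure addresses idle for 10 minutes are
! aged out, so a new host can be learned once an original one stops sending.
interface FastEthernet0/6
 switchport mode access
 switchport port-security
 switchport port-security maximum 11
 switchport port-security violation protect
 switchport port-security aging time 10
 switchport port-security aging type inactivity
!
! Verification from privileged exec mode:
! show port-security interface FastEthernet0/5
!   (Maximum MAC Addresses, Aging Time, Aging Type, Violation Mode and the
!    Security Violation Count; in protect mode the count stays at 0, so a
!    silently dropped host is only visible as a missing secure address)
! show port-security address
!   (the secure address table with the remaining age of each entry)
```

Note that protect mode gives no log message or counter increment, so on a port like Fa0/5 the only evidence that a new host is being dropped is that its address never appears in `show port-security address`; restrict mode keeps the same dropping behaviour but increments the violation counter and generates a syslog/SNMP notification, which is usually preferable where the event should be detected.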

QUESTION NO: 8
Which statement is true about these threats?
A. MAC spoofing attacks allow an attacking device to receive frames intended for a different network host.
B. Port scanners are the most effective defense against dynamic ARP inspection.
C. MAC spoofing, in conjunction with ARP snooping, is the most effective counter-measure against reconnaissance attacks that use dynamic ARP inspection (DAI) to determine vulnerable attack points.
D. Dynamic ARP inspection in conjunction with ARP spoofing can be used to counter DHCP snooping attacks.
E. DHCP snooping sends unauthorized replies to DHCP queries.
F. ARP spoofing can be used to redirect traffic to counter dynamic ARP inspection.
G. None of the other alternatives apply.
Answer: A
Explanation:
First of all, MAC spoofing is not an effective counter-measure against any reconnaissance attack; it IS an attack! Furthermore, reconnaissance attacks don’t use dynamic ARP inspection (DAI); DAI is a switch feature used to prevent attacks.

QUESTION NO: 9
Which statement is true about DHCP spoofing operation?
A. DHCP spoofing and SPAN cannot be used on the same port of a switch.
B. To prevent DHCP spoofing, the DHCP server must create a static ARP entry that cannot be updated by a dynamic ARP packet.
C. To prevent DHCP spoofing, the switch must have DHCP server services disabled and a static entry pointing towards the DHCP server.
D. DHCP spoofing can be prevented by placing all unused ports in an unused VLAN.
E. None of the other alternatives apply.
Answer: B
Explanation:
About DHCP Spoofing:
Suppose that an attacker could bring up a rogue DHCP server on a machine in the same subnet as a client PC. Now, when the client broadcasts its DHCP request, the rogue server could send a carefully crafted DHCP reply with its own IP address substituted as the default gateway.
When the client receives the reply, it begins using the spoofed gateway address. Packets destined for addresses outside the local subnet then go to the attacker’s machine first. The attacker can forward the packets to the correct destination, but in the meantime, it can examine every packet that it intercepts. In effect, this becomes a type of man-in-the-middle attack; the attacker is wedged into the path and the client doesn’t realize it.
About ARP:
Hosts normally use the Address Resolution Protocol (ARP) to resolve an unknown MAC address when the IP address is known. If a MAC address is needed so that a packet can be forwarded at Layer 2, a host broadcasts an ARP request that contains the IP address of the target in question.
If any other host is using that IP address, it responds with an ARP reply containing its MAC address.
To prevent DHCP spoofing, the DHCP server must create a static ARP entry that cannot be updated by a dynamic ARP packet.
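The rogue-server scenario described above can also be stopped at the switch, which is what the DHCP snooping and dynamic ARP inspection (DAI) features named in the answer choices of questions 6 and 8 do. The following is an added example of that switch-side configuration, not part of the original question; the topology is assumed (legitimate DHCP server reached through Gi0/24, clients on Fa0/1 through Fa0/20 in VLAN 10).

```cisco
! Enable DHCP snooping globally and for the client VLAN. Every port is
! untrusted by default: DHCPOFFER/DHCPACK arriving on an untrusted port are
! dropped, so a rogue server on an access port cannot answer the client's
! broadcast, and the replies that do pass build the snooping binding table.
ip dhcp snooping
ip dhcp snooping vlan 10
! Assumed: the DHCP server does not understand option 82, so do not insert it
no ip dhcp snooping information option
!
interface GigabitEthernet0/24
 description uplink toward the legitimate DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range FastEthernet0/1 - 20
 switchport mode access
 switchport access vlan 10
 ! left untrusted; cap DHCP messages per second to blunt starvation attempts
 ip dhcp snooping limit rate 10
!
! DAI validates ARP packets on untrusted ports against the snooping binding
! table (MAC, IP, VLAN, port), which defeats the gratuitous-ARP variant of the
! same man-in-the-middle attack that the DHCP reply above sets up.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Verification:
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
```

Two points matter in practice: the port toward the real DHCP server must be trusted before snooping is turned on, or clients will stop receiving leases; and DAI depends on the binding table, so hosts with static addresses in VLAN 10 need either an ARP ACL or the port marked trusted, otherwise their ARP traffic is dropped and shows up in the `show ip arp inspection statistics` drop counters.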

QUESTION NO: 10
Refer to the exhibit. Which interface or interfaces on switch SW_A can have the port security feature enabled?

[Exhibit image not reproduced]
A. Ports 0/1 and 0/2
B. The trunk port 0/22 and the EtherChannel ports
C. Ports 0/1, 0/2 and 0/3
D. Ports 0/1, 0/2, 0/3, the trunk port 0/22 and the EtherChannel ports
E. Port 0/1
F. Ports 0/1, 0/2, 0/3 and the trunk port 0/22
Answer: C
Explanation:
Port security is a feature supported on Cisco Catalyst switches that restricts a switch port to a specific set or number of MAC addresses. Those addresses can be learned dynamically or configured statically. The port will then provide access to frames from only those addresses. If, however, the number of addresses is limited to four but no specific MAC addresses are configured, the port will allow any four MAC addresses to be learned dynamically, and port access will be limited to those four dynamically learned addresses. A port security feature called “sticky learning,” available on some switch platforms, combines the features of dynamically learned and statically configured addresses. When this feature is configured on an interface, the interface converts dynamically learned addresses to “sticky secure” addresses. This adds them to the running configuration as if they were configured using the switchport port-security mac-address command.
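The sticky-learning behaviour described in the explanation, shown as an added configuration example that is not part of the original question. Interface names follow the access ports listed in answer C; the MAC addresses in the comments are made up to illustrate what the switch writes into the running configuration.

```cisco
! Access port with sticky learning: the first two source MACs seen are
! converted to sticky secure addresses and written into running-config.
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
! After two hosts have sent frames, "show running-config interface Fa0/1"
! contains the learned addresses as if they had been entered statically
! (constructed example values):
!  switchport port-security mac-address sticky 0011.2233.4455
!  switchport port-security mac-address sticky 0011.2233.6677
!
! Sticky entries live in the running configuration only; save them so the
! binding survives a reload, otherwise the port relearns whatever shows up:
! copy running-config startup-config
!
! Verification:
! show port-security interface FastEthernet0/1
! show port-security address
```

The value of sticky learning is that it fixes the port to the hosts that were present at rollout without anyone typing MAC addresses, but that also means a host plugged in before the configuration is saved becomes the "trusted" one; apply it on ports whose current occupants are known, and treat the saved addresses as the baseline to review when a port later reports a violation.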