642-813 Q&A – Implement a Security Extension of a Layer 2 solution (11-15)

Section 2 – Implement a Security Extension of a Layer 2 solution, given a network design and a set of requirements

QUESTION NO: 11
In the use of 802.1X access control, which three protocols are allowed through the switch port before authentication takes place? (Select three)
A. EAP-over-LAN
B. EAP MD5
C. STP
D. protocols not filtered by an ACL
E. CDP
F. TACACS+
Answer: A,C,E

Explanation:
The IEEE 802.1x standard defines a port-based access control and authentication protocol that restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports. The authentication server authenticates each workstation that is connected to a switch port before making available any services offered by the switch or the LAN. Until the workstation is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the workstation is connected. After authentication succeeds, normal traffic can pass through the port.
The Authentication server performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. In this release, the Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco Secure Access Control Server version 3.0. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
Spanning-Tree Protocol (STP) is a Layer 2 protocol that utilizes a special-purpose algorithm to discover physical loops in a network and effect a logical loop-free topology. STP creates a loopfree tree structure consisting of leaves and branches that span the entire Layer 2 network. The actual mechanics of how bridges communicate and how the STP algorithm works will be discussed at length in the following topics. Note that the terms bridge and switch are used interchangeably when discussing STP. In addition, unless otherwise indicated, connections between switches are assumed to be trunks.
CDP is a Cisco proprietary protocol that operates at the Data Link layer. One unique feature about operating at Layer 2 is that CDP functions regardless of what Physical layer media you are using (UTP, fiber, and so on) and what Network layer routed protocols you are running (IP, IPX, AppleTalk, and so on). CDP is enabled on all Cisco devices by default, and is multicast every 60 seconds out of all functioning interfaces, enabling neighbor Cisco devices to collect information about each other. Although this is a multicast message, Cisco switches do not flood that out to all their neighbors as they do a normal multicast or broadcast.
For STP, CDP and EAP-over-LAN are allowed before Authentication.

QUESTION NO: 12
The DAI feature has been implemented in the Company switched LAN. Which three statements are true about the dynamic ARP inspection (DAI) feature? (Select three)
A. DAI can be performed on ingress ports only.
B. DAI can be performed on both ingress and egress ports.
C. DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
D. DAI should be enabled on the root switch for particular VLANs only in order to secure the ARP caches of hosts in the domain.
E. DAI should be configured on all access switch ports as untrusted and on all switch ports connected to other switches as trusted.
F. DAI is supported on access and trunk ports only.
Answer: A,C,E
Explanation:
To prevent ARP spoofing or "poisoning," a switch must ensure that only valid ARP requests and responses are relayed. DAI prevents these attacks by intercepting and validating all ARP requests and responses. Each intercepted ARP reply is verified for valid MAC-address-to-IP-address bindings before it is forwarded to a PC to update the ARP cache. ARP replies coming from invalid devices are dropped.
DAI determines the validity of an ARP packet based on a valid MAC-address-to-IP-address bindings database built by DHCP snooping. In addition, to handle hosts that use statically configured IP addresses, DAI can also validate ARP packets against user-configured ARP ACLs.
To ensure that only valid ARP requests and responses are relayed, DAI takes these actions:
* Forwards ARP packets received on a trusted interface without any checks
* Intercepts all ARP packets on untrusted ports
* Verifies that each intercepted packet has a valid IP-to-MAC address binding before forwarding packets that can update the local ARP cache
* Drops, logs, or drops and logs ARP packets with invalid IP-to-MAC address bindings

QUESTION NO: 13
An attacker is launching a DoS attack on the Company network using a hacking tool designed to exhaust the IP address space available from the DHCP servers for a period of time. Which procedure would best defend against this type of attack?
A. Configure only trusted interfaces with root guard.
B. Implement private VLANs (PVLANs) to carry only user traffic.
C. Implement private VLANs (PVLANs) to carry only DHCP traffic.
D. Configure only untrusted interfaces with root guard.
E. Configure DHCP spoofing on all ports that connect untrusted clients.
F. Configure DHCP snooping only on ports that connect trusted DHCP servers.
G. None of the other alternatives apply
Answer: F
Explanation:
Cisco Catalyst switches can use the DHCP snooping feature to help mitigate this type of attack.
When DHCP snooping is enabled, switch ports are categorized as trusted or untrusted. Legitimate
DHCP servers can be found on trusted ports, whereas all other hosts sit behind untrusted ports.
By default, all switch ports are assumed to be untrusted so that DHCP replies are not expected or permitted. Only trusted ports are allowed to send DHCP replies. Therefore, you should identify only the ports where known, trusted DHCP servers are located. You can do this with the following interface configuration command:
Switch( config-if)#ip dhcp snooping trust

QUESTION NO: 14
Company has implemented 802.1X authentication as a security enhancement. Which statement is true about 802.1x port-based authentication?
A. TACACS+ is the only supported authentication server type.
B. If a host initiates the authentication process and does not receive a response, it assumes it is not authorized.
C. RADIUS is the only supported authentication server type.
D. Before transmitting data, an 802.1x host must determine the authorization state of the switch.
E. Hosts are required to havea 802.1x authentication client or utilize PPPoE.
Answer: C
Explanation:
The IEEE 802.1x standard defines a port-based access control and authentication protocol that restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports. The authentication server authenticates each workstation that is connected to a switch port before making available any services offered by the switch or the LAN. Until the workstation is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the workstation is connected. After authentication succeeds, normal traffic can pass through the port.
Authentication server: Performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. The RADIUS security system with Extensible Authentication
Protocol (EAP) extensions is the only supported authentication server.

QUESTION NO: 15
In the use of 802.1X access control, which three protocols are allowed through the switch port before authentication takes place? Select three.
A. STP
B. CDP
C. EAP MD5
D. TACACS+
E. EAP-over-LAN
F. protocols not filtered by an ACL
Answer: A,B,E

admin
Author

admin