[Free] Download New Updated (December) Cisco 640-554 Exam Questions 101-110

By Ensurepass | December 12, 2015

QUESTION 101

Which statement describes a best practice when configuring trunking on a switch port?

 

A.

Disable double tagging by enabling DTP on the trunk port.

B.

Enable encryption on the trunk port.

C.

Enable authentication and encryption on the trunk port.

D.

Limit the allowed VLAN(s) on the trunk to the native VLAN only.

E.

Configure an unused VLAN as the native VLAN.

 

Correct Answer: E

Explanation:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

 

Double Encapsulation Attack

When double-encapsulated 802.1Q packets are injected into the network from a device whose VLAN happens to be the native VLAN of a trunk, the VLAN identification of those packets cannot be preserved from end to end since the 802.1Q trunk would always modify the packets by stripping their outer tag. After the external tag is removed, the internal tag permanently becomes the packet’s only VLAN identifier. Therefore, by double encapsulating packets with two different tags, traffic can be made to hop across VLANs.

This scenario is to be considered a misconfiguration, since the 802.1Q standard does not necessarily force the users to use the native VLAN in these cases. As a matter of fact, the proper configuration that should always be used is to clear the native VLAN from all 802.1Q trunks (alternatively, setting them to 802.1q-all-tagged mode achieves the exact same result). In cases where the native VLAN cannot be cleared, then always pick an unused VLAN as native VLAN of all the trunks; don’t use this VLAN for any other purpose. Protocols like STP, DTP, and UDLD (check out [3]) should be the only rightful users of the native VLAN and their traffic should be completely isolated from any data packets.

 

 

QUESTION 102

Which type of Layer 2 attack causes a switch to flood all incoming traffic to all ports?

 

A.

MAC spoofing attack

B.

CAM overflow attack

C.

VLAN hopping attack

D.

STP attack

 

Correct Answer: B

Explanation:

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11_603836.html

 

Summary

The MAC Address Overflow attack is effective if the proper mitigation techniques are not in place on the Cisco Catalyst 6500 series switch. Using publicly available (free) Layer 2 attack tools found on the Internet, anyone who understands how to set up and run these tools could launch this attack on your network.

 

MAC address monitoring is a feature present on Cisco Catalyst 6500 Series switches. This feature helps mitigate MAC address flooding and other CAM overflow attacks by limiting the total number of MAC addresses learned by the switch on a per-port or per-VLAN basis. With MAC address monitoring, a maximum threshold for the total number of MAC addresses can be configured and enforced on a per-port and/or per-VLAN basis.

 

MAC address monitoring in Cisco IOS Software allows the definition of a single upper (maximum) threshold. In addition, the number of MAC addresses learned can only be monitored on a per-port or per-VLAN basis, not on a per-port-per-VLAN basis. By default, MAC address monitoring is disabled in Cisco IOS Software; however, the maximum threshold for all ports and VLANs is preset to 500 MAC address entries, and when the threshold is exceeded the system generates a system message along with a syslog trap. These default values take effect only when MAC address monitoring is enabled. The system can be configured to notify, or to disable the port or VLAN, every time the number of learned MAC addresses exceeds the predefined threshold. In our test, we used the "mac-address-table limit" command on the access-layer port interface to configure the MAC address monitoring feature.

 

 

QUESTION 103

What is the best way to prevent a VLAN hopping attack?

 

A.

Encapsulate trunk ports with IEEE 802.1Q.

B.

Physically secure data closets.

C.

Disable DTP negotiations.

D.

Enable BPDU guard.

 

Correct Answer: C

Explanation:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

 

802.1Q and ISL Tagging Attack

Tagging attacks are malicious schemes that allow a user on a VLAN to get unauthorized access to another VLAN. For example, if a switch port were configured as DTP auto and were to receive a fake DTP packet, it might become a trunk port and it might start accepting traffic destined for any VLAN. Therefore, a malicious user could start communicating with other VLANs through that compromised port.

Sometimes, even when simply receiving regular packets, a switch port may behave like a full-fledged trunk port (for example, accept packets for VLANs different from the native), even if it is not supposed to. This is commonly referred to as "VLAN leaking" (see [5] for a report on a similar issue).

 

 

QUESTION 104

Which statement about PVLAN Edge is true?

 

A.

PVLAN Edge can be configured to restrict the number of MAC addresses that appear on a single port.

B.

The switch does not forward any traffic from one protected port to any other protected port.

C.

By default, when a port policy error occurs, the switchport shuts down.

D.

The switch only forwards traffic to ports within the same VLAN Edge.

 

Correct Answer: B

Explanation:

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a008017acad.shtml

 

Note: Some switches (as specified in the Private VLAN Catalyst Switch Support Matrix) currently support only the PVLAN Edge feature. The term "protected ports" also refers to this feature.

 

PVLAN Edge ports have a restriction that prevents communication with other protected ports on the same switch. Protected ports on separate switches, however, can communicate with each other. Do not confuse this feature with the normal PVLAN configurations that this document shows. For more information on protected ports, refer to the Configuring Port Security section of the document Configuring Port-Based Traffic Control.

 

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_13_ea1/configuration/guide/swtrafc.html

 

Configuring Protected Ports

Some applications require that no traffic be forwarded between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch.

 

Protected ports have these features:

A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Traffic cannot be forwarded between protected ports at Layer 2; all traffic passing between protected ports must be forwarded through a Layer 3 device.

Forwarding behavior between a protected port and a nonprotected port proceeds as usual.

The default is to have no protected ports defined.

 

 

QUESTION 105

If you are implementing VLAN trunking, which additional configuration parameter should be added to the trunking configuration?

 

A.

no switchport mode access

B.

no switchport trunk native VLAN 1

C.

switchport mode DTP

D.

switchport nonegotiate

 

Correct Answer: D

Explanation:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/layer2.html

 

Layer 2 LAN Port Modes

Table 17-2 lists the Layer 2 LAN port modes and describes how they function on LAN ports.

switchport mode access

Puts the LAN port into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The LAN port becomes a nontrunk port even if the neighboring LAN port does not agree to the change.

 

switchport mode dynamic desirable

Makes the LAN port actively attempt to convert the link to a trunk link. The LAN port becomes a trunk port if the neighboring LAN port is set to trunk, desirable, or auto mode. This is the default mode for all LAN ports.

 

switchport mode dynamic auto

Makes the LAN port willing to convert the link to a trunk link. The LAN port becomes a trunk port if the neighboring LAN port is set to trunk or desirable mode.

switchport mode trunk

Puts the LAN port into permanent trunking mode and negotiates to convert the link into a trunk link. The LAN port becomes a trunk port even if the neighboring port does not agree to the change.

 

switchport nonegotiate

Puts the LAN port into permanent trunking mode but prevents the port from generating DTP frames. You must configure the neighboring port manually as a trunk port to establish a trunk link.
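Questions 103 and 105 turn on the same point: a port that still runs DTP can be talked into trunking. The following Python is an added example written for this page, not Cisco code and not part of the exam material. It encodes the mode table above as a predicate over the two ends of a link, asks whether a host sending forged DTP "dynamic desirable" frames can obtain a trunk from each port mode, and then audits a constructed running-config excerpt for ports that still negotiate. The interface names and the sample configuration are made up. Treating an interface with no explicit `switchport mode` line as dynamic desirable follows the table above and is an assumption; the default differs across platforms.

```python
import re
from typing import Dict, List

# Layer 2 LAN port modes from the table above.
ACCESS, DESIRABLE, AUTO, TRUNK = "access", "dynamic desirable", "dynamic auto", "trunk"
DYNAMIC = (DESIRABLE, AUTO)

# Assumption taken from the table above: a port with no "switchport mode" line
# is dynamic desirable. Other platforms default to dynamic auto; check yours.
DEFAULT_MODE = DESIRABLE


def _side_trunks(mode: str, peer_mode: str, peer_sends_dtp: bool) -> bool:
    """Does one end of the link come up as a trunk, per the mode table?"""
    if mode == TRUNK:
        return True                      # permanent trunk, regardless of the peer
    if mode == ACCESS:
        return False                     # permanent non-trunk
    if not peer_sends_dtp:
        return False                     # dynamic modes only trunk on received DTP
    if mode == DESIRABLE:
        return peer_mode in (TRUNK, DESIRABLE, AUTO)
    if mode == AUTO:
        return peer_mode in (TRUNK, DESIRABLE)
    raise ValueError(f"unknown mode {mode!r}")


def link_trunks(local_mode: str, local_nonegotiate: bool,
                remote_mode: str, remote_nonegotiate: bool) -> bool:
    """True when both ends end up trunking. 'switchport nonegotiate' stops a
    port from sending DTP frames, so a dynamic neighbour never hears anything."""
    local_dtp = not local_nonegotiate
    remote_dtp = not remote_nonegotiate
    return (_side_trunks(local_mode, remote_mode, remote_dtp)
            and _side_trunks(remote_mode, local_mode, local_dtp))


def attacker_gets_trunk(port_mode: str, nonegotiate: bool = False) -> bool:
    """A host plugged into the port sends DTP frames claiming 'dynamic
    desirable', which is what off-the-shelf Layer 2 attack tools do."""
    if port_mode == TRUNK:
        return True   # a static trunk accepts tagged frames whether or not DTP runs
    return link_trunks(port_mode, nonegotiate, DESIRABLE, False)


# Constructed running-config excerpt (not from any real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description user access - hardened
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description user access - left at the default, no switchport mode line
!
interface GigabitEthernet1/0/3
 description uplink - hardened
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/4
 description uplink - still negotiating
 switchport mode dynamic auto
!
"""


def parse_interfaces(config: str) -> Dict[str, Dict[str, object]]:
    """Minimal parser for 'interface ...' blocks: mode, nonegotiate flag, native VLAN."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            cur = {"mode": DEFAULT_MODE, "nonegotiate": False, "native_vlan": 1}
            ifaces[m.group(1)] = cur
        elif line == "!":
            cur = None
        elif cur is not None:
            if line.startswith("switchport mode "):
                cur["mode"] = line[len("switchport mode "):]
            elif line == "switchport nonegotiate":
                cur["nonegotiate"] = True
            else:
                m = re.match(r"^switchport trunk native vlan (\d+)$", line)
                if m:
                    cur["native_vlan"] = int(m.group(1))
    return ifaces


def audit(ifaces: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Findings per interface; an empty list means the port passed."""
    findings = {}
    for name, i in ifaces.items():
        f = []
        if i["mode"] in DYNAMIC:
            f.append(f"mode '{i['mode']}' negotiates via DTP; a forged DTP frame can make it a trunk")
        if i["mode"] == TRUNK and not i["nonegotiate"]:
            f.append("static trunk still sends DTP; add 'switchport nonegotiate'")
        if i["mode"] == TRUNK and i["native_vlan"] == 1:
            f.append("native VLAN is 1; move it to an unused VLAN")
        findings[name] = f
    return findings


if __name__ == "__main__":
    for mode in (ACCESS, DESIRABLE, AUTO, TRUNK):
        print(f"{mode:>17}: attacker gets trunk = {attacker_gets_trunk(mode)}")
    for name, f in audit(parse_interfaces(SAMPLE_CONFIG)).items():
        print(name, "OK" if not f else "; ".join(f))
```

Run against a real `show running-config`, the parser only needs the `interface` blocks; anything it does not recognise is ignored, and interfaces that never set `switchport mode` are reported under the assumed default, which is exactly the case an auditor most wants surfaced.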

 

 

 

 

QUESTION 106

In which type of Layer 2 attack does an attacker broadcast BPDUs with a lower switch priority?

 

A.

MAC spoofing attack

B.

CAM overflow attack

C.

VLAN hopping attack

D.

STP attack

 

Correct Answer: D

Explanation:

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11_605972.html

 

Introduction

The purpose of this paper is to identify how easily the Spanning-Tree Protocol (STP) can be compromised to allow eavesdropping in a switched corporate environment and how to mitigate this vulnerability using L2 security features that are available on the Cisco® Catalyst® 6500. The Spanning Tree Protocol (STP) Man in The Middle (MiTM) attack compromises the STP "Root Bridge" election process and allows a hacker to use their PC to masquerade as a "Root Bridge," thus controlling the flow of L2 traffic. In order to understand the attack, the reader must have a basic understanding of the "Root Bridge" Election process and the initial STP operations that build the loop free topology. Therefore, the first section of this document, Overview of the STP Root Bridge Election Process, will be devoted to providing a simplified explanation of 802.1d STP operations as it pertains to understanding the STP MiTM attack. If you require a more comprehensive overview of STP, please review the LAN Switching Chapter of the Cisco Catalyst 6500 Configuration Guide on Cisco.com.

 

 

QUESTION 107

Which security measure must you take for native VLANs on a trunk port?

 

A.

Native VLANs for trunk ports should never be used anywhere else on the switch.

B.

The native VLAN for trunk ports should be VLAN 1.

C.

Native VLANs for trunk ports should match access VLANs to ensure that cross-VLAN traffic from multiple switches can be delivered to physically disparate switches.

D.

Native VLANs for trunk ports should be tagged with 802.1Q.

 

Correct Answer: A

Explanation:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

 

Double Encapsulation Attack

When double-encapsulated 802.1Q packets are injected into the network from a device whose VLAN happens to be the native VLAN of a trunk, the VLAN identification of those packets cannot be preserved from end to end since the 802.1Q trunk would always modify the packets by stripping their outer tag. After the external tag is removed, the internal tag permanently becomes the packet's only VLAN identifier. Therefore, by double encapsulating packets with two different tags, traffic can be made to hop across VLANs.

 

This scenario is to be considered a misconfiguration, since the 802.1Q standard does not necessarily force the users to use the native VLAN in these cases. As a matter of fact, the proper configuration that should always be used is to clear the native VLAN from all 802.1Q trunks (alternatively, setting them to 802.1q-all-tagged mode achieves the exact same result). In cases where the native VLAN cannot be cleared, then always pick an unused VLAN as native VLAN of all the trunks; don’t use this VLAN for any other purpose.

Protocols like STP, DTP, and UDLD (check out [3]) should be the only rightful users of the native VLAN and their traffic should be completely isolated from any data packets.
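The double-encapsulation attack quoted for questions 101 and 107 can be modelled end to end. The following Python is an added example written for this page, not code from Cisco or from the exam material. It builds stacked 802.1Q tags by hand, models the one thing an 802.1Q trunk does to native-VLAN frames (strip the outer tag on egress), and shows why moving the native VLAN to an unused VLAN, or tagging the native VLAN on the trunk, stops the hop. The MAC addresses, VLAN numbers and payload are constructed, and the switch model deliberately ignores everything except tag handling.

```python
import struct

TPID_8021Q = 0x8100       # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses (not from the original page).
ATTACKER_MAC = bytes.fromhex("0200deadbeef")
BROADCAST_MAC = bytes.fromhex("ffffffffffff")


def vlan_tag(vid: int, pcp: int = 0) -> bytes:
    """Return one 4-byte 802.1Q tag: TPID 0x8100 followed by the TCI (PCP, DEI, VID)."""
    if not 0 <= vid <= 4095:
        raise ValueError("VLAN ID must be 0..4095")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)


def build_frame(dst: bytes, src: bytes, vids, payload: bytes) -> bytes:
    """Ethernet frame with zero or more stacked 802.1Q tags, outer tag first."""
    tags = b"".join(vlan_tag(v) for v in vids)
    return dst + src + tags + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_tags(frame: bytes):
    """Return the stacked VIDs (outer first) and the offset of the payload EtherType."""
    vids, off = [], 12
    while off + 4 <= len(frame) and struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids, off


def trunk_egress(frame: bytes, native_vlan: int, all_tagged: bool = False) -> bytes:
    """Model of 802.1Q trunk egress. A frame whose VLAN is the trunk's native
    VLAN leaves untagged (outer tag stripped) unless the trunk also tags the
    native VLAN ("802.1q-all-tagged" in the quoted text). Other frames keep
    their tags."""
    vids, _ = parse_tags(frame)
    if vids and vids[0] == native_vlan and not all_tagged:
        return frame[:12] + frame[16:]        # drop the 4-byte outer tag
    return frame


def receiver_vlan(frame: bytes, native_vlan: int) -> int:
    """VLAN the far-end switch classifies a frame into: outer tag if present, else native."""
    vids, _ = parse_tags(frame)
    return vids[0] if vids else native_vlan


def simulate_hop(attacker_vlan: int, native_vlan: int, target_vlan: int,
                 all_tagged: bool = False) -> int:
    """End-to-end model of the attack. The attacker sits on an access port in
    attacker_vlan and injects a frame tagged [attacker_vlan, target_vlan]; the
    first switch forwards it over an 802.1Q trunk to a second switch. Returns
    the VLAN in which the second switch delivers the frame.
    Simplification: the first switch is assumed to pass the attacker's tags
    through unchanged, which is the condition the quoted text describes."""
    frame = build_frame(BROADCAST_MAC, ATTACKER_MAC, [attacker_vlan, target_vlan], b"x" * 46)
    return receiver_vlan(trunk_egress(frame, native_vlan, all_tagged), native_vlan)


if __name__ == "__main__":
    print("native VLAN 1, attacker in VLAN 1  ->", simulate_hop(1, 1, 20))                   # 20
    print("native VLAN 999 (unused)           ->", simulate_hop(1, 999, 20))                 # 1
    print("native VLAN 1, all-tagged trunk    ->", simulate_hop(1, 1, 20, all_tagged=True))  # 1
```

The only case that hops is the one where the attacker's access VLAN equals the trunk's native VLAN and the trunk strips the outer tag; either mitigation from the quoted text breaks that condition, and the frame is delivered into the attacker's own VLAN with the inner tag still buried in it.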

 

 

QUESTION 108

Refer to the exhibit. Which switch is designated as the root bridge in this topology?

 

[Exhibit: two-switch STP topology diagram, not reproduced]

 

A.

It depends on which switch came on line first.

B.

Neither switch would assume the role of root bridge because they have the same default priority.

C.

switch X

D.

switch Y

 

Correct Answer: C

Explanation:

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_configuration_example09186a008009467c.shtml

 

Rules of Operation

This section lists rules for how STP works. When the switches first come up, they start the root switch selection process. Each switch transmits a BPDU to the directly connected switch on a per-VLAN basis.

As the BPDU goes out through the network, each switch compares the BPDU that the switch sends to the BPDU that the switch receives from the neighbors. The switches then agree on which switch is the root switch. The switch with the lowest bridge ID in the network wins this election process.
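Questions 106 and 108 both rest on the root bridge election: the lowest bridge ID (priority first, then MAC) wins, and nothing in 802.1D authenticates the BPDU that claims it. The following Python is an added example written for this page, not Cisco code, and it does not reproduce the exhibit from question 108. It computes the bridge ID, runs the election, shows that a host advertising priority 0 becomes root, and models BPDU guard err-disabling the access port before that BPDU can count. Switch names, MAC addresses and port numbers are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int   # 802.1D default is 32768; 802.1t restricts it to multiples of 4096
    mac: str        # bridge MAC address, e.g. "00:00:0c:11:11:11"

    def bridge_id(self) -> int:
        """Bridge ID as one 64-bit integer: 16-bit priority, then 48-bit MAC. Lowest wins."""
        if not 0 <= self.priority <= 0xFFFF:
            raise ValueError("priority must fit in 16 bits")
        return (self.priority << 48) | int(self.mac.replace(":", ""), 16)


def elect_root(bridges) -> Bridge:
    """The bridge with the numerically lowest bridge ID becomes root; at equal
    priorities the lowest MAC decides, as the quoted 'Rules of Operation' say."""
    return min(bridges, key=Bridge.bridge_id)


def election_on_switch(self_bridge: Bridge, bpdus: Dict[int, Bridge],
                       bpdu_guard_ports: Set[int]) -> Tuple[Bridge, Set[int]]:
    """Election as seen by one switch. bpdus maps a port number to the bridge
    whose BPDUs arrive there. A port with BPDU guard (an access port that should
    never see a BPDU) is err-disabled as soon as one arrives, so that sender
    never enters the election. Returns (root, err-disabled ports)."""
    errdisabled = {port for port in bpdus if port in bpdu_guard_ports}
    candidates = [self_bridge] + [b for port, b in bpdus.items() if port not in errdisabled]
    return elect_root(candidates), errdisabled


# Constructed topology: two switches at the default priority; the attacker is a
# PC on access port 5 of switch Y running an STP attack tool.
SWITCH_X = Bridge("X", 32768, "00:00:0c:11:11:11")
SWITCH_Y = Bridge("Y", 32768, "00:00:0c:22:22:22")
ATTACKER = Bridge("attacker", 0, "02:00:de:ad:be:ef")


def demo() -> Tuple[str, str, str, Set[int]]:
    """Return (root with no attacker, root under attack, root with BPDU guard, ports err-disabled)."""
    normal = elect_root([SWITCH_X, SWITCH_Y])
    attacked, _ = election_on_switch(SWITCH_Y, {1: SWITCH_X, 5: ATTACKER}, bpdu_guard_ports=set())
    guarded, disabled = election_on_switch(SWITCH_Y, {1: SWITCH_X, 5: ATTACKER}, bpdu_guard_ports={5})
    return normal.name, attacked.name, guarded.name, disabled


if __name__ == "__main__":
    print(demo())
```

The attacker does not even need priority 0: any priority below the legitimate root's 32768 wins, and even an equal priority wins if the forged MAC is lower, which is why the usual advice is to pin the intended root with a low priority and to put BPDU guard on every access port and root guard on ports that must never face a superior BPDU.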

 

 

QUESTION 109

When port security is enabled on a Cisco Catalyst switch, what is the default action when the configured maximum number of allowed MAC addresses value is exceeded?

 

A.

The port remains enabled, but bandwidth is throttled until old MAC addresses are aged out.

B.

The port is shut down.

C.

The MAC address table is cleared and the new MAC address is entered into the table.

D.

The violation mode of the port is set to restrict.

 

Correct Answer: B

Explanation:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/20ewa/configuration/guide/port_sec.html

 

Default Port Security Configuration

Port security: Disabled on a port

Maximum number of secure MAC addresses

Violation mode: Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded, and an SNMP trap notification is sent.

Aging: Disabled

Aging type: Absolute

Static aging: Disabled

Sticky: Disabled
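Questions 102, 104 and 109 describe three behaviours of one forwarding engine: unknown-unicast flooding once the CAM table is full, the protected-port rule, and the port-security violation action. The following Python is an added example written for this page, not Cisco code: a tiny learning switch with a bounded CAM table, per-port security (a maximum number of secure MACs plus the protect, restrict and shutdown violation modes, shutdown being the default as in the table above) and protected ports. Port numbers, MAC addresses and the four-entry CAM are constructed so the overflow is visible; the IOS default of one secure MAC per port is used for the PortSecurity default.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class PortSecurity:
    maximum: int = 1                 # IOS default: one secure MAC address per port
    violation: str = "shutdown"      # default violation mode per the table above
    secure_macs: Set[str] = field(default_factory=set)


@dataclass
class Switch:
    ports: List[int]
    cam_capacity: int = 4            # deliberately tiny so the overflow is visible
    cam: Dict[str, int] = field(default_factory=dict)          # MAC -> port
    security: Dict[int, PortSecurity] = field(default_factory=dict)
    protected: Set[int] = field(default_factory=set)           # PVLAN Edge ports
    errdisabled: Set[int] = field(default_factory=set)
    violations: int = 0
    log: List[str] = field(default_factory=list)

    def _port_security_allows(self, port: int, src: str) -> bool:
        ps = self.security.get(port)
        if ps is None or src in ps.secure_macs:
            return True
        if len(ps.secure_macs) < ps.maximum:
            ps.secure_macs.add(src)            # learn it as a secure address
            return True
        self.violations += 1                   # one more MAC than allowed
        if ps.violation == "shutdown":
            self.errdisabled.add(port)         # err-disable the port, as the default does
            self.log.append(f"port {port} err-disabled: port-security violation ({src})")
        elif ps.violation == "restrict":
            self.log.append(f"port {port} dropped frame from {src}: port-security violation")
        # "protect" drops silently; all three modes drop the offending frame
        return False

    def receive(self, in_port: int, src: str, dst: str) -> List[int]:
        """Process one frame; return the ports it is forwarded out of."""
        if in_port in self.errdisabled:
            return []
        if not self._port_security_allows(in_port, src):
            return []
        if src in self.cam:
            self.cam[src] = in_port
        elif len(self.cam) < self.cam_capacity:
            self.cam[src] = in_port            # a full CAM learns nothing new
        if dst != BROADCAST and dst in self.cam:
            out = [self.cam[dst]] if self.cam[dst] != in_port else []
        else:
            out = [p for p in self.ports if p != in_port]   # unknown unicast / broadcast: flood
        return [p for p in out
                if p not in self.errdisabled
                and not (in_port in self.protected and p in self.protected)]


VICTIM_A, VICTIM_B = "00:00:00:00:00:0a", "00:00:00:00:00:0b"


def cam_overflow_demo(with_port_security: bool):
    """Attacker on port 1 floods bogus source MACs, then A (port 2) sends a
    unicast to B (port 3), which has not transmitted yet. Returns the switch
    and the ports A's frame was forwarded to."""
    sw = Switch(ports=[1, 2, 3, 4])
    if with_port_security:
        sw.security[1] = PortSecurity(maximum=2)   # violation mode left at the default, shutdown
    for i in range(10):
        sw.receive(1, f"de:ad:be:ef:00:{i:02x}", BROADCAST)
    return sw, sw.receive(2, VICTIM_A, VICTIM_B)


def protected_ports_demo() -> List[int]:
    """Ports 2 and 3 are PVLAN Edge (protected): a broadcast from port 2 must not reach port 3."""
    sw = Switch(ports=[1, 2, 3, 4], protected={2, 3})
    return sw.receive(2, VICTIM_A, BROADCAST)


if __name__ == "__main__":
    for ps in (False, True):
        sw, out = cam_overflow_demo(ps)
        print(f"port security={ps}: A->B forwarded to {out}, CAM={len(sw.cam)} entries, "
              f"err-disabled={sorted(sw.errdisabled)}")
    print("protected ports: broadcast from port 2 reaches", protected_ports_demo())
```

Without port security the attacker's bogus addresses occupy the whole table, B is never learned, and every A-to-B frame is flooded, including out of the attacker's port. With `maximum 2` and the default shutdown action the third bogus address err-disables port 1; A and B are learned normally afterwards and their traffic goes unicast. Note that the first unknown-unicast frame is still flooded in the protected case, since B has not spoken yet; that is normal learning, not the attack.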

 

 

QUESTION 110

Which statement best represents the characteristics of a VLAN?

 

A.

Ports in a VLAN will not share broadcasts amongst physically separate switches.

B.

A VLAN can only connect across a LAN within the same building.

C.

A VLAN is a logical broadcast domain that can span multiple physical LAN segments.

D.

A VLAN provides individual port security.

 

Correct Answer: C

Explanation:

http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_0_1a/VLANs.html

 

Configuring VLANs

You can use virtual LANs (VLANs) to divide the network into separate logical areas. VLANs can also be considered as broadcast domains.

Any switch port can belong to a VLAN, and unicast, broadcast, and multicast packets are forwarded and flooded only to end stations in that VLAN. Each VLAN is considered a logical network, and packets destined for stations that do not belong to the VLAN must be forwarded through a router.

 
