[Free] Download New Updated (December) Cisco 640-554 Exam Questions 111-120

December 12, 2015

Ensurepass

QUESTION 111

Which Layer 2 protocol provides loop resolution by managing the physical paths to given network segments?

A. root guard
B. port fast
C. HSRP
D. STP

Correct Answer: D

Explanation:

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_configuration_example09186a008009467c.shtml

Introduction

Spanning Tree Protocol (STP) is a Layer 2 protocol that runs on bridges and switches. The specification for STP is IEEE 802.1D. The main purpose of STP is to ensure that you do not create loops when you have redundant paths in your network. Loops are deadly to a network.


QUESTION 112

When STP mitigation features are configured, where should the root guard feature be deployed?

A. toward ports that connect to switches that should not be the root bridge
B. on all switch ports
C. toward user-facing ports
D. Root guard should be configured globally on the switch.

Correct Answer: A

Explanation:

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml

The root guard feature provides a way to enforce the root bridge placement in the network. The root guard ensures that the port on which root guard is enabled is the designated port. Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected together. If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state. This root-inconsistent state is effectively equal to a listening state. No traffic is forwarded across this port. In this way, the root guard enforces the position of the root bridge.


QUESTION 113

DRAG DROP

Refer to the exhibit. Drag the port(s) from the left and drop them on the correct STP roles on the right. Not all options on the left are used.

[Exhibit images (clip_image002, clip_image004) are not available in this copy.]

Correct Answer:

[Answer image (clip_image006) is not available in this copy.]


QUESTION 114

[Exhibit images (clip_image008, clip_image010) are not available in this copy; the question text is part of the exhibit.]

Correct Answer:

Switch1#config t
Switch1(config)#interface fa0/12
Switch1(config-if)#switchport mode access
Switch1(config-if)#switchport port-security
Switch1(config-if)#switchport port-security maximum 2
Switch1(config-if)#switchport port-security violation shutdown
Switch1(config-if)#no shut
Switch1(config-if)#end
Switch1#copy run start


QUESTION 115

Which two countermeasures can mitigate STP root bridge attacks? (Choose two.)

A. root guard
B. BPDU filtering
C. Layer 2 PDU rate limiter
D. BPDU guard

Correct Answer: AD

Explanation:

The BPDU guard feature is designed to allow network designers to keep the active network topology predictable. BPDU guard is used to protect the switched network from the problems that may be caused by the receipt of BPDUs on ports that should not be receiving them. The receipt of unexpected BPDUs may be accidental or may be part of an unauthorized attempt to add a switch to the network. BPDU guard is best deployed toward user-facing ports to prevent rogue switch network extensions by an attacker.

The root guard feature of Cisco switches is designed to provide a way to enforce the placement of root bridges in the network. Root guard limits the switch ports out of which the root bridge may be negotiated. If a root-guard-enabled port receives BPDUs that are superior to those that the current root bridge is sending, then that port is moved to a root-inconsistent state, which is effectively equal to an STP listening state, and no data traffic is forwarded across that port.
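The explanations for QUESTION 112 and QUESTION 115 both turn on one decision: what a port does when a BPDU arrives. The following added example (not Cisco code and not part of the original question set) parses a raw 802.1D configuration BPDU, compares the advertised root bridge ID with the current root, and returns the port state that root guard or BPDU guard would produce. The bridge IDs, MAC addresses and BPDU bytes are constructed for the demonstration.

```python
"""Model of how a switch port protected by root guard or BPDU guard reacts to
an incoming 802.1D configuration BPDU.  Added example, not Cisco code; the
BPDU bytes are constructed from hypothetical bridge IDs."""
import struct
from dataclasses import dataclass

# 802.1D configuration BPDU (35 bytes, after the LLC header):
# protocol id, version, type, flags, root id, root path cost, bridge id,
# port id, message age, max age, hello time, forward delay
CONFIG_BPDU = struct.Struct("!HBBB8sI8sHHHHH")
BPDU_TYPE_CONFIG = 0x00


@dataclass(frozen=True)
class Bpdu:
    root_id: bytes       # 2-byte priority + 6-byte MAC; the lowest value wins the root election
    root_path_cost: int
    bridge_id: bytes     # identity of the bridge that sent this BPDU


def bridge_id(priority: int, mac: str) -> bytes:
    """Encode a bridge ID exactly as it appears on the wire."""
    return struct.pack("!H", priority) + bytes.fromhex(mac.replace(":", ""))


def build_config_bpdu(root: bytes, cost: int, sender: bytes) -> bytes:
    """Construct a configuration BPDU (timers in 1/256 s: 20 s max age, 2 s hello, 15 s forward delay)."""
    return CONFIG_BPDU.pack(0x0000, 0x00, BPDU_TYPE_CONFIG, 0x00, root, cost, sender,
                            0x8001, 0, 20 * 256, 2 * 256, 15 * 256)


def parse_config_bpdu(payload: bytes) -> Bpdu:
    """Decode the fixed 35-byte configuration BPDU."""
    if len(payload) < CONFIG_BPDU.size:
        raise ValueError("truncated BPDU")
    (proto, _version, bpdu_type, _flags, root, cost, sender,
     _port, _msg_age, _max_age, _hello, _fwd_delay) = CONFIG_BPDU.unpack(payload[:CONFIG_BPDU.size])
    if proto != 0 or bpdu_type != BPDU_TYPE_CONFIG:
        raise ValueError("not a configuration BPDU")
    return Bpdu(root, cost, sender)


def is_superior(candidate: bytes, current: bytes) -> bool:
    """Bridge IDs compare as big-endian integers; bytes compare the same way."""
    return candidate < current


def port_state_after_bpdu(port_cfg: dict, current_root: bytes, payload: bytes) -> str:
    """Return the state a port takes after receiving `payload`.

    port_cfg keys: "bpduguard" (edge port, should never see BPDUs) and
    "rootguard" (may be designated but must never become a root port).
    """
    if port_cfg.get("bpduguard"):
        return "err-disabled"          # BPDU guard: any BPDU at all disables the port
    bpdu = parse_config_bpdu(payload)
    if port_cfg.get("rootguard") and is_superior(bpdu.root_id, current_root):
        return "root-inconsistent"     # root guard: block until the superior BPDUs stop
    return "forwarding"


# Constructed bridge IDs for the demonstration
LEGIT_ROOT = bridge_id(4096, "00:11:22:33:44:55")      # the intended root (low priority)
NEIGHBOR = bridge_id(32768, "00:aa:bb:cc:dd:ee")       # a normal downstream switch
ROGUE = bridge_id(0, "de:ad:be:ef:00:01")              # priority 0 would win any election


def demo() -> dict:
    rogue_bpdu = build_config_bpdu(ROGUE, 0, ROGUE)            # an unexpected switch claiming root
    normal_bpdu = build_config_bpdu(LEGIT_ROOT, 19, NEIGHBOR)  # neighbour relaying the real root
    return {
        "edge_port_gets_bpdu": port_state_after_bpdu({"bpduguard": True}, LEGIT_ROOT, rogue_bpdu),
        "rootguard_sees_superior": port_state_after_bpdu({"rootguard": True}, LEGIT_ROOT, rogue_bpdu),
        "rootguard_sees_normal": port_state_after_bpdu({"rootguard": True}, LEGIT_ROOT, normal_bpdu),
        "unprotected_sees_superior": port_state_after_bpdu({}, LEGIT_ROOT, rogue_bpdu),
    }


if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case}: {state}")
```

The last case is the one the exam answers are about: a port with neither feature simply accepts the superior BPDU and lets the topology re-converge around the new claimant, which is why root guard belongs on ports facing switches that must never become root and BPDU guard on user-facing ports.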

 

 

QUESTION 116

Which two countermeasures can mitigate MAC spoofing attacks? (Choose two.)

A. IP source guard
B. port security
C. root guard
D. BPDU guard

Correct Answer: AB

Explanation:

Use the port security feature to mitigate MAC spoofing attacks. Port security provides the capability to specify the MAC address of the system connected to a particular port. This also provides the ability to specify an action to take if a port security violation occurs. IP source guard is a security feature that filters traffic based on the DHCP snooping binding database and on manually configured IP source bindings in order to restrict IP traffic on non-routed Layer 2 interfaces. You can use IP source guard to prevent traffic attacks caused when a host tries to use the IP address of its neighbor. IP source guard prevents IP/MAC spoofing.

Reference: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/72846-layer2-secftrs-catl3fixed.html#ipsourceguard
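To make the port-security behaviour from QUESTION 114 and QUESTION 116 concrete, here is an added example (not Cisco code and not part of the original question set) that models a switch enforcing a per-port maximum of secure MAC addresses, the three violation modes, and the rule that a MAC already secured on one port is a violation when it shows up on another secure port. The interface names and MAC addresses are constructed; the model assumes port security is enabled on both ports.

```python
"""Switch-level model of port security: a per-port limit on secure MAC
addresses, a violation mode per port, and the rule that a MAC secured on one
port may not appear on another secure port.  Added example, not Cisco code;
MAC addresses and interface names are constructed."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                # switchport port-security maximum N
    violation: str = "shutdown"     # shutdown | restrict | protect
    secure_macs: set = field(default_factory=set)
    err_disabled: bool = False
    violations: int = 0


class PortSecuritySwitch:
    """Tracks secure MACs across all ports so a bound MAC cannot migrate."""

    def __init__(self) -> None:
        self.ports: dict = {}

    def add_port(self, port: SecurePort) -> None:
        self.ports[port.name] = port

    def owner_of(self, mac: str):
        return next((p for p in self.ports.values() if mac in p.secure_macs), None)

    def ingress(self, port_name: str, mac: str) -> str:
        """Classify a frame from `mac` arriving on `port_name`: forward, drop or shutdown."""
        port = self.ports[port_name]
        if port.err_disabled:
            return "drop"                               # err-disabled ports pass nothing
        if mac in port.secure_macs:
            return "forward"                            # known secure MAC on its own port
        bound_elsewhere = self.owner_of(mac) is not None
        if bound_elsewhere or len(port.secure_macs) >= port.maximum:
            # Violation: the source MAC is secured on another port (the
            # spoofing case) or this port already holds its maximum.
            if port.violation == "protect":
                return "drop"                           # silent drop, no counter
            port.violations += 1                        # restrict and shutdown both log
            if port.violation == "restrict":
                return "drop"
            port.err_disabled = True                    # shutdown: err-disable the port
            return "shutdown"
        port.secure_macs.add(mac)                       # learn a new secure MAC dynamically
        return "forward"


def scenario() -> dict:
    """Mirror the Fa0/12 setting from QUESTION 114 (maximum 2, violation shutdown)
    next to a restrict-mode port, and replay a few constructed frames."""
    sw = PortSecuritySwitch()
    sw.add_port(SecurePort("Fa0/12", maximum=2, violation="shutdown"))
    sw.add_port(SecurePort("Fa0/13", maximum=1, violation="restrict"))
    pc1, pc2, pc3, srv = ("00:11:11:11:11:11", "00:22:22:22:22:22",
                          "00:33:33:33:33:33", "00:44:44:44:44:44")
    return {
        "pc1_on_fa12": sw.ingress("Fa0/12", pc1),          # learned, forwarded
        "pc2_on_fa12": sw.ingress("Fa0/12", pc2),          # learned, forwarded (2 of 2)
        "pc3_on_fa12": sw.ingress("Fa0/12", pc3),          # third MAC: port shut down
        "pc1_after_shutdown": sw.ingress("Fa0/12", pc1),   # nothing passes any more
        "srv_on_fa13": sw.ingress("Fa0/13", srv),
        "pc1_spoofed_on_fa13": sw.ingress("Fa0/13", pc1),  # MAC bound to Fa0/12: dropped
        "fa13_violation_count": sw.ports["Fa0/13"].violations,
        "fa12_err_disabled": sw.ports["Fa0/12"].err_disabled,
    }


if __name__ == "__main__":
    for event, result in scenario().items():
        print(f"{event}: {result}")
```

The restrict-mode port is the one a defender usually wants to watch: it keeps forwarding legitimate hosts while its violation counter (a syslog message and SNMP trap on real hardware) records the attempt to reuse a MAC that is bound elsewhere.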

 

 

QUESTION 117

Which statement correctly describes the function of a private VLAN?

A. A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains.
B. A private VLAN partitions the Layer 3 broadcast domain of a VLAN into subdomains.
C. A private VLAN enables the creation of multiple VLANs using one broadcast domain.
D. A private VLAN combines the Layer 2 broadcast domains of many VLANs into one major broadcast domain.

Correct Answer: A

Explanation:

A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains, allowing you to isolate the ports on the switch from each other. A subdomain consists of a primary VLAN and one or more secondary VLANs. All VLANs in a private VLAN domain share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another. The secondary VLANs may either be isolated VLANs or community VLANs. A host on an isolated VLAN can only communicate with the associated promiscuous port in its primary VLAN. Hosts on community VLANs can communicate among themselves and with their associated promiscuous port but not with ports in other community VLANs.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus4000/nexus4000_i/sw/configuration/guide/rel_4_1_2_E1_1/n400xi_config/PrivateVLANs.html
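The forwarding rules in the explanation above (isolated, community and promiscuous) are easy to get wrong when reviewing a design, so here is an added example (not Cisco code and not part of the original question set) that encodes them as a reachability check over one private-VLAN domain. VLAN numbers and port names are constructed.

```python
"""Which ports inside one private-VLAN domain may exchange frames.  Added
example, not Cisco code; VLAN numbers and port names are constructed."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class PvlanPort:
    name: str
    mode: str              # "promiscuous" (primary VLAN) or "host" (secondary VLAN)
    secondary: int = 0     # secondary VLAN ID for host ports; unused for promiscuous ports


class PrivateVlanDomain:
    def __init__(self, primary: int, isolated: set, community: set) -> None:
        if isolated & community:
            raise ValueError("a secondary VLAN is either isolated or community, not both")
        self.primary, self.isolated, self.community = primary, isolated, community
        self.ports: dict = {}

    def add_port(self, port: PvlanPort) -> None:
        if port.mode == "host" and port.secondary not in (self.isolated | self.community):
            raise ValueError(f"{port.name}: VLAN {port.secondary} is not a secondary VLAN of {self.primary}")
        self.ports[port.name] = port

    def can_forward(self, src: str, dst: str) -> bool:
        a, b = self.ports[src], self.ports[dst]
        if src == dst:
            return False
        # A promiscuous port talks to every port in the domain, and every port talks to it.
        if a.mode == "promiscuous" or b.mode == "promiscuous":
            return True
        # Two host ports: only members of the same community VLAN may talk.
        # Isolated hosts share a VLAN ID but are still cut off from each other.
        return a.secondary == b.secondary and a.secondary in self.community

    def reachability(self) -> dict:
        """Every ordered (src, dst) pair in the domain with its forwarding decision."""
        return {(s, d): self.can_forward(s, d)
                for s, d in product(self.ports, repeat=2) if s != d}


def demo() -> PrivateVlanDomain:
    dom = PrivateVlanDomain(primary=100, isolated={101}, community={102, 103})
    dom.add_port(PvlanPort("Gi1/0/1", "promiscuous"))     # router / default gateway
    dom.add_port(PvlanPort("Gi1/0/2", "host", 101))        # isolated host
    dom.add_port(PvlanPort("Gi1/0/3", "host", 101))        # isolated host
    dom.add_port(PvlanPort("Gi1/0/4", "host", 102))        # community A
    dom.add_port(PvlanPort("Gi1/0/5", "host", 102))        # community A
    dom.add_port(PvlanPort("Gi1/0/6", "host", 103))        # community B
    return dom


if __name__ == "__main__":
    for (src, dst), allowed in demo().reachability().items():
        print(f"{src} -> {dst}: {'allowed' if allowed else 'blocked'}")
```

Note that the two isolated hosts sit in the same secondary VLAN (101) yet cannot reach each other; that is the property that distinguishes an isolated VLAN from a community VLAN and the reason a private VLAN is still one Layer 2 broadcast domain from the gateway's point of view.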

 

 

QUESTION 118

What are two primary attack methods of VLAN hopping? (Choose two.)

A. VoIP hopping
B. switch spoofing
C. CAM-table overflow
D. double tagging

Correct Answer: BD

Explanation:

There are a number of different types of VLAN attacks in modern switched networks. The VLAN architecture simplifies network maintenance and improves performance, but it also opens the door to abuse. It is important to understand the general methodology behind these attacks and the primary approaches to mitigate them.

VLAN hopping enables traffic from one VLAN to be seen by another VLAN. Switch spoofing is a type of VLAN hopping attack that works by taking advantage of an incorrectly configured trunk port. By default, trunk ports have access to all VLANs and pass traffic for multiple VLANs across the same physical link, generally between switches.

Another type of VLAN attack is a double-tagging (or double-encapsulated) VLAN hopping attack. This type of attack takes advantage of the way that hardware on most switches operates. Most switches perform only one level of 802.1Q de-encapsulation, which allows an attacker to embed a hidden 802.1Q tag inside the frame. This tag allows the frame to be forwarded to a VLAN that the original 802.1Q tag did not specify, as shown in the figure below. An important characteristic of the double-encapsulated VLAN hopping attack is that it works even if trunk ports are disabled, because a host typically sends a frame on a segment that is not a trunk link.

[Figure: Double-Tagging Attack (clip_image012 is not available in this copy)]

Reference: http://www.ciscopress.com/articles/article.asp?p=2181837&seqNum=10


QUESTION 119

Which type of attack can be prevented by setting the native VLAN to an unused VLAN?

A. VLAN-hopping attacks
B. CAM-table overflow
C. denial-of-service attacks
D. MAC-address spoofing

Correct Answer: A

Explanation:

Another type of VLAN attack is a double-tagging (or double-encapsulated) VLAN hopping attack. This type of attack takes advantage of the way that hardware on most switches operates. Most switches perform only one level of 802.1Q de-encapsulation, which allows an attacker to embed a hidden 802.1Q tag inside the frame. This tag allows the frame to be forwarded to a VLAN that the original 802.1Q tag did not specify.

The best approach to mitigating double-tagging attacks is to ensure that the native VLAN of the trunk ports is different from the VLAN of any user ports. In fact, it is considered a security best practice to use a fixed VLAN that is distinct from all user VLANs in the switched network as the native VLAN for all 802.1Q trunks.

Reference: http://www.ciscopress.com/articles/article.asp?p=2181837&seqNum=10
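QUESTION 118 describes the double-tagging mechanism and QUESTION 119 the native-VLAN mitigation; the following added example (not Cisco code and not part of the original question set) ties the two together. It parses nested 802.1Q tags from raw frame bytes, offers a detection check a monitoring tool could apply to frames captured on host-facing ports, and runs a simplified two-switch forwarding model that shows which VLAN the far-end switch assigns when the trunk native VLAN equals the user VLAN versus when it is set to an unused VLAN. The frames, MAC addresses and VLAN numbers are constructed, and the model (an access port accepting a frame tagged with its own VLAN, native-VLAN traffic sent untagged) is an assumption that simplifies real switch behaviour.

```python
"""Parse 802.1Q tags and model what a double-tagged frame does when the
trunk native VLAN equals the user's access VLAN versus an unused VLAN.
Added example, not Cisco code; the frames below are constructed and the
forwarding model is deliberately simplified."""
import struct

TPID_8021Q = 0x8100


def build_frame(dst: str, src: str, vids: list, ethertype: int = 0x0800) -> bytes:
    """Construct an Ethernet frame with zero or more nested 802.1Q tags (constructed input)."""
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + bytes(46)


def parse_tags(frame: bytes) -> tuple:
    """Return (VLAN IDs outermost first, final EtherType)."""
    offset, vids = 12, []
    while struct.unpack_from("!H", frame, offset)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vids.append(tci & 0x0FFF)           # low 12 bits of the TCI carry the VLAN ID
        offset += 4
    return vids, struct.unpack_from("!H", frame, offset)[0]


def is_double_tagged(frame: bytes) -> bool:
    """Detection check: a host-facing port should never deliver nested tags."""
    return len(parse_tags(frame)[0]) >= 2


def strip_outer_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


def add_outer_tag(frame: bytes, vid: int) -> bytes:
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def vlan_seen_by_peer(frame: bytes, access_vlan: int, native_vlan: int):
    """Simplified model: the frame enters switch 1 on an access port in
    `access_vlan`, crosses an 802.1Q trunk whose native VLAN is `native_vlan`,
    and is classified by switch 2.  Returns the VLAN switch 2 assigns, or
    None if switch 1 discards the frame at the access port."""
    vids, _ = parse_tags(frame)
    if vids and vids[0] == access_vlan:
        frame = strip_outer_tag(frame)      # tag equals the access VLAN: accepted, one tag removed
    elif vids:
        return None                         # tagged with some other VLAN: discarded
    # Switch 1 sends native-VLAN traffic untagged and everything else tagged.
    on_wire = frame if access_vlan == native_vlan else add_outer_tag(frame, access_vlan)
    peer_vids, _ = parse_tags(on_wire)      # switch 2 performs one level of de-encapsulation
    return peer_vids[0] if peer_vids else native_vlan


# Constructed frames: a normal untagged host frame and a double-tagged one
HOST_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "00:aa:aa:aa:aa:aa", [])
DOUBLE_TAGGED = build_frame("ff:ff:ff:ff:ff:ff", "00:aa:aa:aa:aa:aa", [1, 20])


def demo() -> dict:
    return {
        "native_equals_access": vlan_seen_by_peer(DOUBLE_TAGGED, access_vlan=1, native_vlan=1),
        "native_unused_999": vlan_seen_by_peer(DOUBLE_TAGGED, access_vlan=1, native_vlan=999),
        "normal_frame": vlan_seen_by_peer(HOST_FRAME, access_vlan=1, native_vlan=999),
        "double_tag_detected": is_double_tagged(DOUBLE_TAGGED),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

With the native VLAN equal to the user VLAN, switch 1 strips the outer tag and sends the frame untagged, so switch 2 reads the inner tag and places the frame in VLAN 20. With the native VLAN moved to an unused VLAN 999, switch 1 has to tag the frame with VLAN 1 on the trunk, switch 2 strips exactly that tag, and the frame stays in VLAN 1 with the inner tag still buried in its payload.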

 

 

QUESTION 120

What is the purpose of a trunk port?

A. A trunk port carries traffic for multiple VLANs.
B. A trunk port connects multiple hubs together to increase bandwidth.
C. A trunk port separates VLAN broadcast domains.
D. A trunk port provides a physical link specifically for a VPN.

Correct Answer: A

Explanation:

Ethernet interfaces can be configured either as access ports or trunk ports. Trunks carry the traffic of multiple VLANs over a single link and allow you to extend VLANs across the network.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/AccessTrunk.html

