QUESTION 121
Which switch feature determines validity based on IP-to-MAC address bindings that are stored in a trusted database?
A. Dynamic ARP Inspection
B. storm control
C. VTP pruning
D. DHCP snooping
Correct Answer: A
Explanation:
Dynamic ARP inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database. This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the switch. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.
Reference: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/72846-layer2-secftrs-catl3fixed.html
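The decision DAI makes on each ARP packet, as an added Python model (not Cisco code and not part of the original question). The binding table, the trusted-port set and the ARP packets are constructed for the example; the DHCP snooping binding database is assumed to have been populated already.

```python
# Added example: a Python model of the Dynamic ARP Inspection decision described above.
# It is not Cisco code. The binding table, trusted-port list and ARP packets are constructed.
from dataclasses import dataclass
from typing import Dict, Tuple

# DHCP snooping binding database as DAI consumes it: (vlan, ip) -> mac.
# Constructed sample: two hosts that obtained leases through DHCP snooping on VLAN 20.
BINDINGS: Dict[Tuple[int, str], str] = {
    (20, "172.120.40.10"): "0010.7b00.1540",
    (20, "172.120.40.11"): "0010.7b00.1545",
}

# Uplink to the rest of the network; ARP received here is not inspected.
TRUSTED_PORTS = {"Gi0/1"}


@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    ingress_port: str
    sender_mac: str   # sender hardware address in the ARP body
    sender_ip: str    # sender protocol address in the ARP body


def dai_check(pkt: ArpPacket,
              bindings: Dict[Tuple[int, str], str] = BINDINGS,
              trusted=frozenset(TRUSTED_PORTS)) -> Tuple[bool, str]:
    """Return (forward, reason). Trusted ports bypass inspection; on untrusted
    ports the sender IP-to-MAC pair must match a binding in the snooping database."""
    if pkt.ingress_port in trusted:
        return True, "trusted interface, not inspected"
    bound_mac = bindings.get((pkt.vlan, pkt.sender_ip))
    if bound_mac is None:
        return False, f"no binding for {pkt.sender_ip} in VLAN {pkt.vlan}"
    if bound_mac.lower() != pkt.sender_mac.lower():
        return False, f"{pkt.sender_ip} is bound to {bound_mac}, not {pkt.sender_mac}"
    return True, "sender IP/MAC matches the DHCP snooping binding"


if __name__ == "__main__":
    # A host poisoning the gateway address from an untrusted port is dropped,
    # because 172.120.40.1 was never leased by DHCP and so has no binding.
    spoof = ArpPacket(20, "Fa0/7", "0010.0de0.e289", "172.120.40.1")
    print(dai_check(spoof))
```

The model also shows the usual deployment trap: a host with a static address (the gateway itself, a printer) has no DHCP binding, so its ARP is dropped if it enters on an untrusted port. In IOS such hosts are covered either by making their port trusted or by an ARP ACL applied with ip arp inspection filter, which DAI consults before the snooping database.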
QUESTION 122
Which command creates a login authentication method named “login” that will primarily use RADIUS and fail over to the local user database?
A. (config)# aaa authentication login default radius local
B. (config)# aaa authentication login login radius local
C. (config)# aaa authentication login default local radius
D. (config)# aaa authentication login radius local
Correct Answer: B
Explanation:
In the command aaa authentication login login radius local, the second login is the name of the method list (the first is the login keyword). The methods are tried in the order written: RADIUS first, then the local user database. The switch falls over to the next method only when the preceding one gives no answer, for example when no RADIUS server in the group responds; an Access-Reject from RADIUS is a final result and the local database is not consulted. Because this list is named rather than default, it takes effect only on lines where it is applied with login authentication login. The radius keyword is the older form of group radius.
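How a login method list is walked, as an added Python model (not Cisco code and not part of the original question). The local and RADIUS user databases, the line-to-list mapping and the radius_up flag are constructed for the example.

```python
# Added example: a Python model of how an IOS login method list is walked.
# It is not Cisco code; the user databases and the 'radius_up' flag are constructed.
from typing import Callable, Dict, List, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"   # ERROR = method gave no answer

# 'username admin secret ...' entries on the switch (constructed)
LOCAL_USERS = {"admin": "L0cal-0nly!"}
# Accounts the RADIUS server knows (constructed)
RADIUS_USERS = {"alice": "s3cret"}

# aaa authentication login <list-name> <method> [<method> ...]
METHOD_LISTS: Dict[str, List[str]] = {
    "default": ["group radius", "local"],
    "login":   ["group radius", "local"],
}
# 'login authentication login' applied under 'line vty 0 4'; lines with no
# explicit statement (the console here) fall back to the 'default' list.
LINE_LISTS = {"vty": "login"}


def radius(user: str, pw: str, radius_up: bool) -> str:
    if not radius_up:
        return ERROR           # no Access-Accept/Reject at all: server unreachable
    return PASS if RADIUS_USERS.get(user) == pw else FAIL   # Access-Reject = FAIL


def local(user: str, pw: str, radius_up: bool) -> str:
    return PASS if LOCAL_USERS.get(user) == pw else FAIL


METHODS: Dict[str, Callable[[str, str, bool], str]] = {"group radius": radius, "local": local}


def authenticate(line: str, user: str, pw: str, radius_up: bool = True) -> Tuple[str, str]:
    """Walk the method list for 'line'. Only ERROR moves on to the next method;
    a PASS or a FAIL from a method is final. Returns (result, deciding method)."""
    list_name = LINE_LISTS.get(line, "default")
    for method in METHOD_LISTS[list_name]:
        result = METHODS[method](user, pw, radius_up)
        if result != ERROR:
            return result, method
    return ERROR, "no method responded"


if __name__ == "__main__":
    print(authenticate("vty", "alice", "s3cret"))                        # ('PASS', 'group radius')
    print(authenticate("vty", "admin", "L0cal-0nly!"))                   # ('FAIL', 'group radius')
    print(authenticate("vty", "admin", "L0cal-0nly!", radius_up=False))  # ('PASS', 'local')
```

The second call is the case that surprises people: the admin account exists only locally, but while RADIUS is reachable its reject is final, so the local password is never tried. The local method is a fallback for a dead server, not a second chance after a rejected login.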
QUESTION 123
Which authentication service is needed to configure 802.1x?
A. RADIUS with EAP Extension
B. TACACS+
C. RADIUS with CoA
D. RADIUS using VSA
Correct Answer: A
Explanation:
With 802.1x, the authentication server performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. The Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2940/software/release/12-1_19_ea1/configuration/guide/2940scg_1/sw8021x.pdf
QUESTION 124
Which feature describes MAC addresses that are dynamically learned or manually configured, stored in the address table, and added to the running configuration?
A. sticky
B. dynamic
C. static
D. secure
Correct Answer: A
Explanation:
With port security, you can configure MAC addresses to be sticky. These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. Although sticky secure addresses can be manually configured, it is not recommended.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.pdf
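Sticky learning compared with plain dynamic learning, as an added Python model of a port-security interface (not Cisco code and not part of the original question). The interface settings, MAC addresses and the rendering of the running configuration are constructed for the example.

```python
# Added example: a Python model of a port-security interface with sticky learning.
# It is not Cisco code; the interface settings and MAC addresses are constructed.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SecurePort:
    name: str
    maximum: int = 1              # switchport port-security maximum <n>
    sticky: bool = False          # switchport port-security mac-address sticky
    violation: str = "shutdown"   # shutdown | restrict | protect
    secure_macs: Dict[str, str] = field(default_factory=dict)   # mac -> address type
    running_config: List[str] = field(default_factory=list)
    violations: int = 0
    err_disabled: bool = False

    def __post_init__(self) -> None:
        self.running_config = [
            f"interface {self.name}",
            " switchport port-security",
            f" switchport port-security maximum {self.maximum}",
            f" switchport port-security violation {self.violation}",
        ]
        if self.sticky:
            self.running_config.append(" switchport port-security mac-address sticky")

    def ingress(self, mac: str) -> bool:
        """Process a frame from 'mac'; return True if it is forwarded."""
        mac = mac.lower()
        if self.err_disabled:
            return False
        if mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            # Learn the address. A sticky address is also written to the running
            # configuration, so it survives a reload once 'copy run start' is done;
            # a plain dynamic secure address lives only in the address table.
            if self.sticky:
                self.secure_macs[mac] = "SecureSticky"
                self.running_config.append(f" switchport port-security mac-address sticky {mac}")
            else:
                self.secure_macs[mac] = "SecureDynamic"
            return True
        # Unknown MAC beyond the maximum: a violation.
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True   # port goes err-disabled; all traffic stops
        return False                   # restrict and protect drop only the offending frame

    def after_reload(self) -> "SecurePort":
        """Re-create the port from its saved configuration: sticky addresses are
        restored, dynamic ones must be relearned."""
        fresh = SecurePort(self.name, self.maximum, self.sticky, self.violation)
        for line in self.running_config:
            if "mac-address sticky " in line:
                fresh.secure_macs[line.split()[-1]] = "SecureSticky"
        return fresh
```

The after_reload step is the point of the question: only the sticky addresses come back from the saved configuration, so after a reboot a sticky port keeps rejecting any MAC other than the ones it first learned, while a dynamic-only port starts empty and will accept whichever MAC shows up first.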
QUESTION 125
When you configure private VLANs on a switch, which port type connects the switch to the gateway router?
A. promiscuous
B. community
C. isolated
D. trunked
Correct Answer: A
Explanation:
A private VLAN has two kinds of ports: promiscuous ports (P-Ports) and host ports.
Host ports are further divided into isolated ports (I-Ports) and community ports (C-Ports). Only a promiscuous port can exchange traffic with every host port in the private VLAN, so the port facing the default gateway (the router) is configured as promiscuous; isolated and community ports are host ports and are never used for the gateway.
Reference: http://en.wikipedia.org/wiki/Private_VLAN
QUESTION 126
SWITCH.com is an IT company that has an existing enterprise network comprised of two layer 2 only switches; DSW1 and ASW1. The topology diagram indicates their layer 2 mapping. VLAN 20 is a new VLAN that will be used to provide the shipping personnel access to the server. Corporate policies do not allow layer 3 functionality to be enabled on the switches. For security reasons, it is necessary to restrict access to VLAN 20 in the following manner:
Users connecting to VLAN 20 via port f0/1 on ASW1 must be authenticated before they are given access to the network. Authentication is to be done via a RADIUS server:
Radius server host: 172.120.40.46
Radius key: rad123
Authentication should be implemented as close to the host as possible.
Devices on VLAN 20 are restricted to the subnet of 172.120.40.0/24.
Packets from devices in the subnet of 172.120.40.0/24 should be allowed on VLAN 20.
Packets from devices in any other address range should be dropped on VLAN 20.
Filtering should be implemented as close to the server farm as possible.
The Radius server and application servers will be installed at a future date. You have been tasked with implementing the above access control as a pre-condition to installing the servers. You must use the available IOS switch features.
Correct Answer:
Step 1: Console to ASW1 from PC console 1 (802.1x on the access port, as close to the host as possible)
ASW1(config)#aaa new-model
ASW1(config)#radius-server host 172.120.40.46 key rad123
ASW1(config)#aaa authentication dot1x default group radius
ASW1(config)#dot1x system-auth-control
ASW1(config)#interface fastEthernet 0/1
ASW1(config-if)#switchport mode access
ASW1(config-if)#dot1x port-control auto
ASW1(config-if)#end
ASW1#copy run start
Step 2: Console to DSW1 from PC console 2 (VLAN access map on the distribution switch, as close to the server farm as possible)
DSW1(config)#ip access-list standard 10
DSW1(config-std-nacl)#permit 172.120.40.0 0.0.0.255
DSW1(config-std-nacl)#exit
DSW1(config)#vlan access-map PASS 10
DSW1(config-access-map)#match ip address 10
DSW1(config-access-map)#action forward
DSW1(config-access-map)#exit
DSW1(config)#vlan access-map PASS 20
DSW1(config-access-map)#action drop
DSW1(config-access-map)#exit
DSW1(config)#vlan filter PASS vlan-list 20
DSW1(config)#end
DSW1#copy run start
Sequence 10 of the access map forwards only IP packets whose source is in 172.120.40.0/24; sequence 20 has no match clause, so every other packet on VLAN 20 is dropped. The RADIUS host address matches the one given in the task (172.120.40.46); a mismatch here leaves the RADIUS group unreachable and 802.1x authentication failing once the server is installed.
QUESTION 127
Which private VLAN access port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports?
A. promiscuous port
B. isolated port
C. community port
D. trunk port
Correct Answer: A
Explanation:
The types of private VLAN ports are as follows:
Promiscuous: A promiscuous port belongs to the primary VLAN. The promiscuous port can communicate with all interfaces, including the community and isolated host ports, that belong to those secondary VLANs associated to the promiscuous port and associated with the primary VLAN. You can have several promiscuous ports in a primary VLAN. Each promiscuous port can have several secondary VLANs, or no secondary VLANs, associated to that port. You can associate a secondary VLAN to more than one promiscuous port, as long as the promiscuous port and secondary VLANs are within the same primary VLAN. You may want to do this for load-balancing or redundancy purposes. You can also have secondary VLANs that are not associated to any promiscuous port.
Isolated: An isolated port is a host port that belongs to an isolated secondary VLAN. This port has complete isolation from other ports within the same private VLAN domain, except that it can communicate with associated promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports. You can have more than one isolated port in a specified isolated VLAN. Each port is completely isolated from all other ports in the isolated VLAN.
Community: A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with associated promiscuous ports. These interfaces are isolated from all other interfaces in other communities and from all isolated ports within the private VLAN domain.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/PrivateVLANs.html
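The three port-type rules above (and the gateway placement in question 125), as an added Python model of the forwarding decision inside one primary VLAN (not Cisco code and not part of the original question). The VLAN numbers, port names and secondary-VLAN associations are constructed for the example.

```python
# Added example: a Python model of the private-VLAN forwarding rules listed above.
# It is not Cisco code; the VLAN numbers and ports are constructed.
from dataclasses import dataclass
from typing import FrozenSet, Optional

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"


@dataclass(frozen=True)
class PvlanPort:
    name: str
    kind: str
    secondary: Optional[int] = None               # host ports: their secondary VLAN
    associated: FrozenSet[int] = frozenset()      # promiscuous ports: mapped secondaries


def pvlan_forward(src: PvlanPort, dst: PvlanPort) -> bool:
    """Can a frame from src be delivered to dst within one primary VLAN?"""
    if src == dst:
        return False
    if src.kind == PROMISCUOUS and dst.kind == PROMISCUOUS:
        return True                                # both sit in the primary VLAN
    if src.kind == PROMISCUOUS:
        return dst.secondary in src.associated     # only mapped secondaries
    if dst.kind == PROMISCUOUS:
        return src.secondary in dst.associated
    # host port to host port: only within the same community VLAN
    return src.kind == COMMUNITY and dst.kind == COMMUNITY and src.secondary == dst.secondary


# Constructed topology: primary VLAN 100, isolated VLAN 101, communities 201 and 202.
ROUTER = PvlanPort("Gi0/1", PROMISCUOUS, associated=frozenset({101, 201, 202}))
H1 = PvlanPort("Fa0/1", ISOLATED, secondary=101)
H2 = PvlanPort("Fa0/2", ISOLATED, secondary=101)
C1 = PvlanPort("Fa0/3", COMMUNITY, secondary=201)
C2 = PvlanPort("Fa0/4", COMMUNITY, secondary=201)
C3 = PvlanPort("Fa0/5", COMMUNITY, secondary=202)
```

A second promiscuous port mapped to only one secondary VLAN (for example a backup gateway associated with 201 alone) reaches that community but not the isolated hosts, which is the association rule in the first paragraph above; the two promiscuous ports still reach each other because both belong to the primary VLAN. The model deliberately covers only layer 2: a router on the promiscuous port can still forward between isolated hosts at layer 3 unless an ACL on the router prevents it.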
QUESTION 128
Which command globally enables AAA on a device?
A. aaa new-model
B. aaa authentication
C. aaa authorization
D. aaa accounting
Correct Answer: A
Explanation:
To configure AAA authentication, enable AAA by using the aaa new-model global configuration command. AAA features are not available for use until you enable AAA globally by issuing the aaa new-model command.
Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfathen.html
QUESTION 129
The network monitoring application alerts a network engineer of a client PC that is acting as a rogue DHCP server. Which two commands help trace this PC when the MAC address is known? (Choose two.)
A. switch# show mac address-table
B. switch# show port-security
C. switch# show ip verify source
D. switch# show ip arp inspection
E. switch# show mac address-table address <mac address>
Correct Answer: AE
Explanation:
These two commands will show the MAC address table, including the switch port that the particular host is using. Here is an example output:
Switch>show mac-address-table
Dynamic Addresses Count: 9
Secure Addresses (User-defined) Count: 0
Static Addresses (User-defined) Count: 0
System Self Addresses Count: 41
Total MAC addresses: 50
Non-static Address Table:
Destination Address Address Type VLAN Destination Port
------------------- ------------ ---- --------------------
0010.0de0.e289 Dynamic 1 FastEthernet0/1
0010.7b00.1540 Dynamic 2 FastEthernet0/5
0010.7b00.1545 Dynamic 2 FastEthernet0/5
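A parser for the output format shown above, as an added Python example (not Cisco code and not part of the original question): it turns the table into a lookup and finds the port behind a reported MAC, accepting the colon or dash notation most monitoring tools print. The sample text is a constructed copy of the output above, and the addresses looked up in the usage are made up.

```python
# Added example: a Python parser for the 'show mac-address-table' output format above,
# to locate the port behind a reported MAC. Not Cisco code; the sample text is a
# constructed copy of the output shown and the looked-up addresses are made up.
import re
from typing import Dict, Optional, Tuple

SAMPLE_OUTPUT = """\
Dynamic Addresses Count: 9
Secure Addresses (User-defined) Count: 0
Static Addresses (User-defined) Count: 0
System Self Addresses Count: 41
Total MAC addresses: 50
Non-static Address Table:
Destination Address Address Type VLAN Destination Port
------------------- ------------ ---- --------------------
0010.0de0.e289 Dynamic 1 FastEthernet0/1
0010.7b00.1540 Dynamic 2 FastEthernet0/5
0010.7b00.1545 Dynamic 2 FastEthernet0/5
"""

# One table row: dotted MAC, address type, VLAN number, port name.
ENTRY_RE = re.compile(
    r"^\s*([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\d+)\s+(\S+)\s*$", re.I)


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., or aabb.ccdd.eeff; return IOS dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def parse_mac_table(text: str) -> Dict[str, Tuple[str, int, str]]:
    """Map mac -> (type, vlan, port) from the table body; header lines are skipped."""
    table: Dict[str, Tuple[str, int, str]] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            mac, kind, vlan, port = m.groups()
            table[mac.lower()] = (kind, int(vlan), port)
    return table


def locate(text: str, mac: str) -> Optional[Tuple[int, str]]:
    """Return (vlan, port) for the MAC, or None if this switch has not learned it."""
    entry = parse_mac_table(text).get(normalize_mac(mac))
    return None if entry is None else (entry[1], entry[2])


if __name__ == "__main__":
    print(locate(SAMPLE_OUTPUT, "00:10:7B:00:15:40"))   # (2, 'FastEthernet0/5')
```

If the port returned is a trunk or uplink carrying many addresses, the rogue host is behind another switch: repeat the lookup on the neighbour reached through that port until the MAC resolves to an access port, then shut it down or apply port security there.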
QUESTION 130
Which type of information does the DHCP snooping binding database contain?
A. untrusted hosts with leased IP addresses
B. trusted hosts with leased IP addresses
C. untrusted hosts with available IP addresses
D. trusted hosts with available IP addresses
Correct Answer: A
Explanation:
DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities:
Validates DHCP messages received from untrusted sources and filters out invalid messages.
Rate-limits DHCP traffic from trusted and untrusted sources.
Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.
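How the binding database is built and why it only ever holds untrusted hosts, as an added Python model of DHCP snooping (not Cisco code and not part of the original question). The port names, MAC addresses and the DHCP exchange are constructed for the example; rate limiting is left out.

```python
# Added example: a Python model of how DHCP snooping builds its binding database and
# filters server messages from untrusted ports. Not Cisco code; the ports, MACs and
# DHCP exchange below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class DhcpMsg:
    kind: str        # DISCOVER, REQUEST, RELEASE (client) or OFFER, ACK, NAK (server)
    port: str        # ingress switch port
    vlan: int
    src_mac: str     # Ethernet source address
    chaddr: str      # client hardware address carried in the DHCP payload
    yiaddr: str = "" # address assigned in OFFER/ACK
    lease: int = 0   # lease time in seconds


class DhcpSnooping:
    def __init__(self, trusted_ports) -> None:
        self.trusted = set(trusted_ports)
        # (vlan, mac) -> (ip, port, lease): only hosts on untrusted ports end up here
        self.bindings: Dict[Tuple[int, str], Tuple[str, str, int]] = {}
        self.pending: Dict[Tuple[int, str], str] = {}   # outstanding client requests
        self.dropped: List[Tuple[str, str]] = []

    def process(self, m: DhcpMsg) -> bool:
        """Return True if the message is forwarded, False if snooping drops it."""
        key = (m.vlan, m.chaddr)
        if m.port in self.trusted:
            if m.kind == "ACK" and key in self.pending:
                # Lease granted by a trusted server to a client on an untrusted port
                self.bindings[key] = (m.yiaddr, self.pending.pop(key), m.lease)
            return True
        # Untrusted port: server messages here mean a rogue DHCP server
        if m.kind in SERVER_MSGS:
            self.dropped.append((m.kind, f"server message on untrusted port {m.port}"))
            return False
        # Client message: the DHCP chaddr must be the frame's own source MAC
        if m.src_mac != m.chaddr:
            self.dropped.append((m.kind, f"chaddr {m.chaddr} != source MAC {m.src_mac}"))
            return False
        if m.kind == "RELEASE":
            bound = self.bindings.get(key)
            if bound is None or bound[1] != m.port:
                self.dropped.append((m.kind, "release for a lease not held on this port"))
                return False
            del self.bindings[key]
            return True
        self.pending[key] = m.port   # DISCOVER / REQUEST awaiting a server answer
        return True
```

A client on a trusted port never creates a pending entry, so its lease is never recorded; that is why the database describes untrusted hosts only, and why DAI and IP Source Guard, which consume it, cannot vouch for hosts behind trusted ports. The RELEASE check matters for the same reason: without it an attacker on another port could release a victim's lease and erase the binding that protects it.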