Layer 2 Security
Question 6
Explanation
Because MAB uses the MAC address as a username and password, you should make sure that the RADIUS server can differentiate MAB requests from other types of requests for network access. This precaution will prevent other clients from attempting to use a MAC address as a valid credential. Cisco switches uniquely identify MAB requests by setting Attribute 6 (Service-Type) to 10 (Call-Check) in a MAB Access-Request message. Therefore, you can use Attribute 6 to filter MAB requests at the RADIUS server.
Question 7
Explanation
Dynamic ARP inspection (DAI) is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings, which protects the network from certain man-in-the-middle attacks. After DAI is enabled, all ports are untrusted by default, and ARP packets arriving on untrusted ports are validated against the DHCP snooping binding database.
DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs.
For example, in order to activate DHCP snooping on VLAN 2, we use the following command:
SW1(config)#ip dhcp snooping vlan 2
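The following IOS configuration fragment is an added example, not part of the original explanation or of the Cisco documentation quoted on this page. It shows the order of operations the Q7 discussion turns on: DHCP snooping is enabled on the VLAN first so that the binding database exists, then DAI is enabled on the same VLAN, and hosts with static addresses (which never appear in the binding database) are covered by an ARP ACL. VLAN 2, the interface numbers, and the host address 10.2.0.50 / 0011.2233.4455 are assumed values.

```cisco
! Added example (not from the original page). DHCP snooping must be active on a VLAN
! before DAI is enabled there; otherwise ARP on untrusted ports is checked against an
! empty binding database and every DHCP host on the VLAN loses connectivity.
! VLAN 2, Gi1/0/24 (uplink) and host 10.2.0.50 / 0011.2233.4455 are assumed values.

! --- Step 1: DHCP snooping on the VLAN; the uplink toward the DHCP server is trusted ---
ip dhcp snooping
ip dhcp snooping vlan 2
!
interface GigabitEthernet1/0/24
 description Uplink to distribution / DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports stay untrusted (the default); rate-limit DHCP on them
interface range GigabitEthernet1/0/1 - 23
 ip dhcp snooping limit rate 15
!
! --- Step 2: DAI on the same VLAN, with extra sanity checks on the ARP payload ---
ip arp inspection vlan 2
ip arp inspection validate src-mac dst-mac ip
!
! --- Step 3: statically addressed hosts have no lease, so they need an ARP ACL ---
arp access-list STATIC-HOSTS
 permit ip host 10.2.0.50 mac host 0011.2233.4455
!
ip arp inspection filter STATIC-HOSTS vlan 2
!
! --- Verification ---
! show ip dhcp snooping                     -> VLAN 2 listed, trusted ports shown
! show ip dhcp snooping binding             -> leased IP/MAC/VLAN/port entries DAI uses
! show ip arp inspection vlan 2             -> DAI enabled, ACL match, validation settings
! show ip arp inspection statistics vlan 2  -> dropped versus forwarded ARP counts
```

If the access ports carry only statically addressed hosts (a non-DHCP environment), the ARP ACL in step 3 is the whole source of truth for DAI on that VLAN, which is the case the quoted Cisco text describes.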
Q7. I think it is A; after configuring DAI, by default all ports are untrusted, and to achieve connectivity between the hosts, these must be associated in the binding table of the DHCP snooping.
Q7. The “ip arp inspection trust” command is applied to switch-to-switch interfaces.
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dynarp.html
If I get this question. My answer will be “DHCP Snooping not enabled on all VLANs” and here is why.
Look at the last two lines of this Cisco piece on DHCP Snooping.
Overview of DHCP Snooping
DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities:
•Validates DHCP messages received from untrusted sources and filters out invalid messages.
•Rate-limits DHCP traffic from trusted and untrusted sources.
•Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
•Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.
Other security features, such as dynamic ARP inspection (DAI), also use information stored in the DHCP snooping binding database.
DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs.
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html
When DHCP snooping is disabled and DAI is enabled, the switch shuts down all the hosts because all ARP entries in the ARP table will be checked against a nonexistent DHCP database. When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to deny ARP packets.
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html#wp1073418
The most accurate answer in Q7 will be A.
@Admin
Why do you still think that the right answer to Q7 is D?
The right answer is definitely:
A. DHCP snooping has not been enabled on all VLANs.
Regards,
Tiberiusz
@all: Thanks for your detection, we updated Q7.
@securitytut
Question 4
A malicious user gained network access by spoofing printer connections that were authorized using MAB on four different switch ports at the same time. What two catalyst switch security features will prevent further violations? (Choose two)
A. DHCP Snooping
B. 802.1AE MacSec
C. Port security
D. IP Device track
E. Dynamic ARP inspection
F. Private VLANs
In one of Todd Lammle's books the answer was B and F.
I am confused now.
Hi,
Please advise: are the premium questions and tests enough to pass the CCNP SCOR 350-701 exam? Please comment.
Q.7 = Answer: D