CCNA Security Questions

15 questions · Security topic · All types, answers revealed

Question 1 (MCQ, hard)

Refer to the exhibit. A switch has IP Source Guard (IPSG) and port-security enabled on interface GigabitEthernet0/1. A host with IP 10.1.1.1 and MAC 00:1A:2B:3C:4D:5E is connected and tries to access a web server at 192.168.1.100. What will happen?

A. The traffic is blocked because the host is not using DHCP, so IPSG drops all non-DHCP traffic.
B. The traffic is permitted only if the destination is also in the 10.0.0.0/8 range.
C. The traffic is blocked because IP Source Guard requires a static binding for the host.
D. The traffic is permitted because the host's IP is within the allowed subnet and the MAC is valid according to port-security.

Answer: D

Correct: IP Source Guard checks that the source IP is in the binding table; if it is, the traffic passes the port ACL.

Why this answer

Option D is correct because IP Source Guard (IPSG) on a switch port typically uses DHCP snooping bindings to validate traffic. However, when port-security is also enabled and the host's IP (10.1.1.1) falls within the configured subnet (e.g., 10.0.0.0/8), and the MAC address (00:1A:2B:3C:4D:5E) matches a port-security secure MAC address, the switch can permit the traffic. IPSG does not inherently block all non-DHCP traffic; it can be configured with static bindings or rely on DHCP snooping, but in this scenario, the combination of a valid subnet and port-security allows the traffic.

Exam trap

Cisco often tests the misconception that IPSG always requires DHCP snooping and blocks all non-DHCP traffic, but in reality, IPSG can be configured with port-security to allow traffic from statically assigned hosts within a valid subnet.

How to eliminate wrong answers

Option A is wrong because IPSG does not drop all non-DHCP traffic; it filters based on IP-to-MAC bindings from DHCP snooping or static entries, not the source of the IP assignment. Option B is wrong because IPSG does not restrict traffic based on the destination IP address; it only validates the source IP and MAC of the host. Option C is wrong because IPSG does not require a static binding for the host; it can use dynamic DHCP snooping bindings, and in this case, port-security provides an alternative validation mechanism.

Question 2 (MCQ, medium)

A network engineer applies the above CoPP policy on a router. The router has BGP peers, SSH management, and SNMP monitoring. After applying this policy, which traffic will be affected?

A. BGP sessions may flap due to dropped keepalives.
B. Data plane traffic will be dropped.
C. Only SSH sessions will be rate-limited.
D. SNMP and SSH will be unaffected because they are explicitly permitted.

Answer: A

BGP keepalives are matched and subject to the policer.

Why this answer

The CoPP policy applies to control plane traffic, not data plane traffic. BGP keepalives are control plane packets; if the policy drops or rate-limits them, BGP sessions may time out and flap. The correct answer is A because BGP keepalives are essential for maintaining neighbor adjacency, and dropping them directly causes session instability.

Exam trap

Cisco often tests the misconception that CoPP affects data plane traffic or that only management protocols like SSH are impacted, when in fact control plane policing targets all control plane packets, including routing protocol keepalives.

How to eliminate wrong answers

Option B is wrong because CoPP operates on the control plane, not the data plane; data plane traffic is forwarded in hardware and unaffected by control plane policing. Option C is wrong because the policy affects all control plane traffic matching the class maps, not just SSH; BGP and SNMP are also subject to rate-limiting or dropping. Option D is wrong because SNMP and SSH are not 'unaffected' — they are explicitly permitted only if they match a permit ACE in the class map; if the class map drops or rate-limits them, they will be affected.

Question 3 (MCQ, easy)

Refer to the exhibit. A network administrator notices that some DHCP packets are being dropped due to 'MAC Address Mismatch'. What is the most likely cause of this drop?

A. The DHCP server is sending packets with an incorrect server identifier option.
B. The DHCP client is using a different MAC address in the DHCP packet than the source MAC in the Ethernet frame.
C. The DHCP client is sending a request with an incorrect transaction ID.
D. The DHCP offer packet is arriving on an untrusted port.

Answer: B

MAC address mismatch occurs when the chaddr field does not match the source MAC.

Why this answer

The DHCP snooping feature on a switch compares the source MAC address in the Ethernet frame with the chaddr (client hardware address) field inside the DHCP packet. When a DHCP client sends a packet with a different MAC in the frame than in the chaddr field, the switch considers it a 'MAC Address Mismatch' and drops the packet. This security mechanism prevents a rogue client from spoofing another device's MAC address to obtain a lease.

Exam trap

Cisco often tests the distinction between Layer 2 MAC checks (frame vs. chaddr) and Layer 3 or application-layer checks (server identifier, transaction ID), leading candidates to confuse DHCP snooping drops with client-side validation failures.

How to eliminate wrong answers

Option A is wrong because the DHCP server identifier option (option 54) is used by clients to identify which server to respond to, and an incorrect server identifier would cause a client to ignore the offer, not a switch to drop the packet due to MAC mismatch. Option B is correct as described. Option C is wrong because an incorrect transaction ID (XID) would cause the DHCP client to ignore the server's reply, but the switch does not check the XID for MAC mismatch drops; the XID mismatch is a client-side validation issue.

Option D is wrong because an untrusted port is a DHCP snooping concept where the switch drops DHCP server messages (OFFER, ACK, etc.) received on that port, not client messages, and the 'MAC Address Mismatch' check applies to client messages on untrusted ports as well, but the specific cause described is the mismatch between frame MAC and chaddr.

Question 4 (Drag & Drop, medium)

Drag and drop the steps to configure port security on a Cisco switch in the correct order.


Why this order

Port security limits the MAC addresses allowed on a port; the violation mode defines the action taken when a violation occurs.

Question 5 (Multi-Select, medium)

Which TWO of the following are valid methods to mitigate VLAN hopping attacks?

Select 2 answers
A. Configure switchport mode dynamic auto on all ports.
B. Disable Dynamic Trunking Protocol (DTP) on all access ports.
C. Set the native VLAN to VLAN 1 on all trunk ports.
D. Set the native VLAN to an unused VLAN ID on all trunk ports.
E. Use 802.1Q trunking instead of ISL.

Answers: B, D

Prevents trunk negotiation.

Why this answer

Option B is correct because disabling Dynamic Trunking Protocol (DTP) on all access ports prevents a switch port from automatically negotiating a trunk, which is the primary vector for VLAN hopping attacks. An attacker can spoof DTP messages to force a port into trunking mode, gaining access to multiple VLANs; disabling DTP eliminates this risk.

Exam trap

Cisco often tests the misconception that simply using 802.1Q trunking (Option E) or setting the native VLAN to VLAN 1 (Option C) provides security, when in fact the key mitigations are disabling DTP on access ports and using an unused native VLAN on trunk ports.

Question 6 (MCQ, hard)

Your company has deployed a Cisco Catalyst 9300 switch stack as the distribution layer for a campus network. The network uses VLANs 10 (data), 20 (voice), and 30 (management). The switch stack is configured with DHCP snooping, Dynamic ARP Inspection (DAI), and IP Source Guard (IPSG) on access ports. Recently, users in VLAN 10 report intermittent connectivity issues. You notice that some users receive duplicate IP addresses from the DHCP server. The DHCP server is connected to a trunk port on the switch stack. After reviewing logs, you see that DHCPACK messages are being dropped on the trunk port. The DHCP snooping binding table shows entries for legitimate clients, but also some entries with MAC addresses from a different vendor. Which action should you take to resolve the issue?

A. Manually shut down the access ports that have unknown MAC addresses in the binding table.
B. Disable Dynamic ARP Inspection on VLAN 10.
C. Configure the trunk port connecting to the DHCP server as a trusted port for DHCP snooping.
D. Disable IP Source Guard on all access ports in VLAN 10.

Answer: C

DHCP snooping drops DHCP server responses on untrusted ports.

Why this answer

The DHCP snooping feature treats all ports as untrusted by default, which means DHCP server messages (DHCPOFFER, DHCPACK, DHCPNAK) are dropped on untrusted ports. Since the DHCP server is connected to a trunk port and DHCPACK messages are being dropped, that trunk port must be explicitly configured as a trusted port for DHCP snooping using the 'ip dhcp snooping trust' interface command. This allows legitimate DHCP server responses to reach clients, resolving the duplicate IP address issue caused by clients not receiving their assigned addresses.

Exam trap

Cisco often tests the default untrusted behavior of DHCP snooping on all ports, tricking candidates into thinking that only access ports need trust configuration, when in fact the port facing the DHCP server (even a trunk) must be explicitly trusted to allow server messages through.

How to eliminate wrong answers

Option A is wrong because manually shutting down access ports with unknown MAC addresses in the binding table does not address the root cause—DHCPACK messages being dropped on the trunk port—and would cause unnecessary outages for potentially legitimate clients. Option B is wrong because disabling Dynamic ARP Inspection (DAI) on VLAN 10 would remove ARP validation, which could allow ARP spoofing attacks, and it does not fix the DHCP server message filtering issue. Option D is wrong because disabling IP Source Guard (IPSG) on all access ports in VLAN 10 would remove IP spoofing protection on those ports, and it does not address the DHCP snooping trust configuration on the trunk port where the DHCP server is connected.

Question 7 (Multi-Select, easy)

Which TWO features are part of Cisco TrustSec for providing role-based access control?

Select 2 answers
A. Security Group Access Control Lists (SGACLs)
B. Change of Authorization (CoA)
C. 802.1X authentication
D. Security Group Tags (SGTs)
E. MACsec encryption

Answers: A, D

SGACLs enforce policies based on SGTs.

Why this answer

Security Group Access Control Lists (SGACLs) are a core component of Cisco TrustSec, enforcing role-based access control by applying policies based on Security Group Tags (SGTs). SGACLs replace traditional IP-based ACLs, allowing dynamic, identity-aware traffic filtering that scales across the network.

Exam trap

Cisco often tests the distinction between the authentication mechanism (802.1X) and the authorization/enforcement components (SGTs and SGACLs), leading candidates to mistakenly select 802.1X as a TrustSec RBAC feature.

Question 8 (MCQ, easy)

An organization wants to implement 802.1X authentication on its wired network using Cisco ISE as the authentication server. The switches are configured with the necessary RADIUS settings. Which additional configuration is required on the switch interfaces to enable 802.1X?

A. dot1x pae authenticator
B. authentication port-control auto
C. authentication port-control force-authorized
D. authentication port-control force-unauthorized

Answer: B

Correct: this command enables 802.1X authentication on the interface.

Why this answer

Option B is correct because 'authentication port-control auto' is the required interface command to enable 802.1X authentication on a switch port. This command sets the port to initiate the authentication process, placing it in the unauthorized state until the client successfully authenticates via the RADIUS server (Cisco ISE). Without this command, the port will not enforce 802.1X.

Exam trap

Cisco often tests the distinction between the 'dot1x pae authenticator' command and the 'authentication port-control auto' command, leading candidates to mistakenly think the PAE command alone enables 802.1X, when in fact both are required for full functionality.

How to eliminate wrong answers

Option A is wrong because 'dot1x pae authenticator' is a subcommand that enables the Port Access Entity (PAE) role as authenticator, but it is not sufficient alone; the port must also be configured with 'authentication port-control auto' to actually enforce 802.1X. Option C is wrong because 'authentication port-control force-authorized' places the port in an always-authorized state, effectively disabling 802.1X authentication and allowing all traffic without verification. Option D is wrong because 'authentication port-control force-unauthorized' places the port in a permanently unauthorized state, blocking all traffic regardless of authentication attempts, which is not the goal for enabling 802.1X.

Question 9 (MCQ, medium)

A medium-sized enterprise is migrating to a Cisco DNA Center-managed network. The security policy requires that all administrative access to network devices be authenticated via TACACS+ and that authorization for commands be enforced per user role. The network team has configured ISE as the AAA server and integrated it with DNA Center. After configuration, engineers report that they can log in to devices via SSH but are not prompted for a password when entering 'enable' mode; instead, they are granted full privileges immediately. Additionally, while in configuration mode, some engineers can issue 'debug' commands that they should not have access to. The configuration on the devices includes 'aaa new-model', 'aaa authentication login default group tacacs+ local', 'aaa authorization exec default group tacacs+ local', and 'aaa authorization commands 15 default group tacacs+ local'. What is the most likely cause of the privilege escalation and missing authorization?

A. The TACACS+ server is not reachable, so the device is using local authentication, but the local database has all users at privilege level 15.
B. The 'aaa authentication enable default' command is missing, so the device is not requiring authentication to enter enable mode, and command authorization is not being enforced because the user is already at privilege 15.
C. Command authorization is only configured for privilege level 15, but users are logging in at level 1; they need 'aaa authorization commands 1 default' as well.
D. The 'privilege level' command is set to 15 on the VTY lines, bypassing AAA authorization.

Answer: B

Correct: Without enable authentication, users can enter enable mode without a password; command authorization for level 15 may not be triggered if the user is already at level 15.

Why this answer

The missing 'aaa authentication enable default group tacacs+ local' command means the device does not require TACACS+ authentication to enter enable mode. Since the user is already at privilege level 15 after login (due to the 'aaa authorization exec' command or local user configuration), they are not prompted for a password and are granted full privileges immediately. Additionally, command authorization is only configured for privilege level 15 ('aaa authorization commands 15'), so once the user is at level 15, no further authorization checks are performed for commands like 'debug', bypassing the intended per-role enforcement.

Exam trap

Cisco often tests the distinction between authentication (who you are) and authorization (what you can do), and the trap here is that candidates assume 'aaa authorization commands 15' alone enforces command restrictions, but they overlook that without 'aaa authentication enable', users may already be at privilege 15, making command authorization ineffective.

How to eliminate wrong answers

Option A is wrong because if the TACACS+ server were unreachable, the 'aaa authentication login default group tacacs+ local' command would fall back to local authentication, but the issue is about enable mode and command authorization, not login; also, local users would not automatically be at privilege 15 unless explicitly configured. Option C is wrong because command authorization for privilege level 1 is irrelevant; the problem is that users are already at privilege 15, so commands at level 15 are authorized without further checks, and adding 'aaa authorization commands 1' would not fix the enable mode or the privilege escalation. Option D is wrong because the 'privilege level' command on VTY lines would set the initial privilege level for all users, but the configuration shown does not include this command, and the described behavior (no password prompt for enable, debug commands allowed) is consistent with missing enable authentication and command authorization at the current privilege level, not with a VTY line setting.

Question 10 (MCQ, hard)

A security engineer is configuring CoPP (Control Plane Policing) on a Cisco router to protect the control plane from DoS attacks. The policy must rate-limit SSH traffic to 1 Mbps with a burst of 2000 bytes, and drop all other traffic destined to the control plane that exceeds a default rate. Which class-map and policy-map configuration is correct?

A.
    class-map match-all SSH
     match protocol ssh
    policy-map COPP
     class SSH
      police 1000000 2000 conform-action transmit exceed-action drop

B.
    class-map match-all SSH
     match access-group name SSH_ACL
    policy-map COPP
     class SSH
      police 1000000 2000 conform-action transmit exceed-action drop
     class class-default
      police 8000 conform-action transmit exceed-action drop

C.
    class-map match-all SSH
     match protocol ssh
    policy-map COPP
     class SSH
      police 1000000 2000 conform-action transmit exceed-action drop
     class class-default
      police 8000 conform-action transmit exceed-action drop

D.
    class-map match-all SSH
     match protocol ssh
    policy-map COPP
     class SSH
      police 2000 1000000 conform-action transmit exceed-action drop

Answer: C

Correct: matches the SSH protocol, polices it at a rate of 1 Mbps with a burst of 2000 bytes, and applies a default policer to all other control-plane traffic.

Why this answer

Option C is correct because it uses the 'match protocol ssh' class-map to identify SSH traffic, applies a police rate of 1,000,000 bps (1 Mbps) with a burst of 2000 bytes, and includes a class-default with a police rate of 8000 bps to drop all other control-plane traffic exceeding a default rate. This matches the requirement to rate-limit SSH and drop other traffic that exceeds a default rate, which is a common CoPP best practice to protect the control plane.

Exam trap

Cisco often tests the requirement for a class-default policy in CoPP to drop all other traffic, and the trap here is that candidates may forget that without it, unmatched traffic is permitted by default, or they may confuse the order of police parameters (rate vs. burst).

How to eliminate wrong answers

Option A is wrong because it lacks a class-default policy; without it, any traffic not matching the SSH class is implicitly permitted, failing to drop other traffic exceeding a default rate. Option B is wrong because it uses 'match access-group name SSH_ACL' instead of 'match protocol ssh', which is less efficient and not the direct method for matching SSH protocol traffic; also, the class-default police rate of 8000 is correct, but the match method is incorrect for the requirement. Option D is wrong because it swaps the police parameters: the first value (2000) is the burst size and the second (1000000) is the rate, but the correct syntax is 'police rate burst', so this would apply a rate of 2000 bps and a burst of 1,000,000 bytes, which does not meet the 1 Mbps rate requirement.

Question 11 (Matching, medium)

Match each Spanning Tree Protocol (STP) variant to its key characteristic.


Original standard, slow convergence

Fast convergence, backward compatible

Multiple spanning trees per VLAN group

Cisco proprietary, per-VLAN STP

Cisco proprietary, per-VLAN RSTP

Why these pairings

STP variants differ in convergence speed and VLAN support.

Question 12 (MCQ, medium)

A company has deployed a Cisco ASA firewall in transparent mode. The internal network uses VLAN 10 and the external network uses VLAN 20. The ASA is configured with two bridge groups: BVI 10 for inside and BVI 20 for outside. The security policy must allow HTTPS traffic from inside to outside. Which access-list entry is correct?

A.
    access-list INSIDE extended permit tcp 192.168.1.0 255.255.255.0 any eq 443
    access-group INSIDE in interface inside

B.
    access-list GLOBAL extended permit ip 192.168.1.0 255.255.255.0 any

C.
    access-list GLOBAL extended permit tcp any any eq 443

D.
    access-list GLOBAL extended permit tcp 192.168.1.0 255.255.255.0 any eq 443

Answer: D

Correct: global access-list permits traffic from inside subnet to any on port 443.

Why this answer

In transparent mode, the ASA acts as a Layer 2 bridge, so traffic must be permitted by a global access list applied to the bridge group virtual interface (BVI). Option D correctly uses the GLOBAL access list to permit TCP traffic from the inside subnet (192.168.1.0/24) to any destination on port 443 (HTTPS), which satisfies the security policy.

Exam trap

Cisco often tests the misconception that transparent mode uses interface-based ACLs like routed mode, when in fact transparent mode requires global ACLs applied to the BVI, and the 'GLOBAL' keyword is mandatory for Layer 2 traffic filtering.

How to eliminate wrong answers

Option A is wrong because in transparent mode, access lists are applied globally to the BVI, not per interface; the 'access-group INSIDE in interface inside' command is invalid in transparent mode. Option B is wrong because it permits all IP traffic (including non-HTTPS) and uses the 'ip' protocol instead of 'tcp', which violates the requirement to allow only HTTPS. Option C is wrong because it permits any source (including untrusted external hosts) to initiate HTTPS traffic, which does not restrict traffic from inside to outside as required.

Question 13 (MCQ, medium)

A network engineer is configuring port security on a Cisco switch to prevent unauthorized devices from connecting. The requirement is to allow only the first two MAC addresses learned on an interface, and to disable the interface if a violation occurs. Which configuration achieves this?

A.
    switchport port-security maximum 2
    switchport port-security violation err-disable

B.
    switchport port-security maximum 2
    switchport port-security violation shutdown

C.
    switchport port-security maximum 2
    switchport port-security violation protect

D.
    switchport port-security maximum 2
    switchport port-security violation restrict

Answer: B

Correct: sets the maximum to 2 MAC addresses; the shutdown violation mode disables the interface.

Why this answer

Option B is correct because the 'shutdown' violation mode places the interface into an err-disabled state when a port security violation occurs, which matches the requirement to disable the interface. The 'maximum 2' command limits the number of allowed MAC addresses to two, and the first two learned MAC addresses are dynamically secured. This combination ensures that any additional MAC address triggers a violation and disables the port.

Exam trap

Cisco often tests the distinction between 'shutdown' (disables the interface) and 'restrict' (drops traffic but keeps the interface up), leading candidates to confuse the two when the requirement explicitly calls for disabling the interface.

How to eliminate wrong answers

Option A is wrong because 'err-disable' is not a valid violation mode; the correct keyword is 'shutdown' to disable the interface. Option C is wrong because 'protect' drops packets from unknown MAC addresses but does not disable the interface or generate a syslog message, failing the requirement to disable the interface. Option D is wrong because 'restrict' drops packets from unknown MAC addresses and generates a syslog message but does not disable the interface, also failing the requirement.

Question 14 (MCQ, hard)

A network administrator is troubleshooting a DHCP snooping issue on a Cisco switch. The switch is configured with DHCP snooping globally and on VLAN 10. The trusted interface is GigabitEthernet0/1 connected to the DHCP server. However, clients on VLAN 10 are not receiving IP addresses from the DHCP server. What is the most likely cause?

A. The switch has IP Source Guard enabled, blocking valid DHCP traffic.
B. The interface GigabitEthernet0/1 is not configured as a trusted port for DHCP snooping.
C. The DHCP server is on a different subnet and the switch lacks an IP helper address.
D. The DHCP server is sending offers too quickly, exceeding the rate-limit on the switch.

Answer: B

Correct: Untrusted ports drop DHCP server messages; the server port must be trusted.

Why this answer

Option B is correct because the scenario states that DHCP snooping is configured globally and on VLAN 10, and that GigabitEthernet0/1 is connected to the DHCP server. However, for DHCP snooping to allow DHCP server messages (OFFER, ACK) to be forwarded, the interface connected to the legitimate DHCP server must be explicitly configured as a trusted port using the 'ip dhcp snooping trust' interface command. Without this, the switch treats all DHCP server responses as untrusted and drops them, preventing clients from receiving IP addresses.

Exam trap

Cisco often tests the distinction between trusted and untrusted ports in DHCP snooping, and the trap here is that candidates assume enabling DHCP snooping globally and on the VLAN is sufficient, forgetting that the server-facing interface must be explicitly trusted to allow DHCP server responses.

How to eliminate wrong answers

Option A is wrong because IP Source Guard (IPSG) is typically used to filter traffic based on the IP-to-MAC binding learned from DHCP snooping, but it does not block valid DHCP traffic itself; it blocks IP spoofing after the lease is assigned. Option C is wrong because the question states the DHCP server is connected directly to GigabitEthernet0/1, implying it is on the same VLAN, so an IP helper address is not needed; if the server were on a different subnet, the helper address would be required, but that is not the scenario described. Option D is wrong because DHCP snooping rate-limiting is applied on untrusted ports (client-facing) to prevent DHCP starvation attacks, not on the trusted port connected to the server; the trusted port has no rate-limit by default.

Question 15 (Multi-Select, hard)

Which THREE of the following are characteristics of Cisco TrustSec (CTS) security architecture?

Select 3 answers
A. It uses IPsec to encrypt traffic between network devices.
B. It uses VLANs to segment traffic based on security roles.
C. It uses Security Group Tags (SGTs) to classify traffic.
D. It provides data confidentiality using IEEE 802.1AE (MACsec) encryption.
E. It uses Security Group Access Control Lists (SGACLs) to enforce policies.

Answers: C, D, E

SGTs are used for classification.

Why this answer

C is correct because Cisco TrustSec uses Security Group Tags (SGTs) to classify traffic based on user, device, or role, rather than IP addresses. SGTs are 16-bit values (0–65535) assigned dynamically via authentication (e.g., 802.1X) or static mapping, enabling scalable policy enforcement.

Exam trap

Cisco often tests the misconception that TrustSec uses VLANs or IPsec for segmentation and encryption, when in fact it uses SGTs for classification and MACsec for Layer 2 encryption.
