CCNA Security Questions

20 of 95 questions · Page 2/2 · Security · Answers revealed

76
MCQ · easy

A data center switch port is configured for 802.1X with MAB as fallback. A device that does not support 802.1X is connected. Which method will allow the device to authenticate?

A. EAP-TLS
B. Web authentication
C. Local authentication using a pre-shared key
D. MAC authentication bypass
Answer: D

MAB is the fallback method for devices that do not support 802.1X.

Why this answer

When a device that does not support 802.1X is connected to a port configured for 802.1X with MAB as fallback, the switch detects that no EAPOL frames are received from the device. It then initiates MAC authentication bypass (MAB), which uses the device's MAC address as the identity for authentication against the RADIUS server. If the MAC address is allowed, the port is authorized, providing a seamless fallback authentication method for non-802.1X-capable devices.

Exam trap

The trap here is that candidates often confuse MAB with web authentication or assume that any non-802.1X device will automatically trigger web authentication, but Cisco tests that MAB is the first fallback method when configured, and it uses the MAC address, not a pre-shared key or certificate.

How to eliminate wrong answers

Option A is wrong because EAP-TLS is an 802.1X authentication method that requires the device to support 802.1X and present a client certificate, which the non-802.1X-capable device cannot do. Option B is wrong because web authentication (WebAuth) is a separate fallback method that redirects HTTP traffic to a captive portal for user credentials, but it is not the default or automatic fallback when MAB is configured; MAB is tried first before WebAuth. Option C is wrong because local authentication using a pre-shared key is not a standard 802.1X or MAB mechanism; MAB relies on RADIUS server authentication using the MAC address, not a locally configured pre-shared key.

77
MCQ · hard

A large enterprise data center uses Cisco ACI with a spine-leaf architecture. The security team requires that all traffic between the Web and App tiers be inspected by a firewall, but traffic within the same tier should be allowed directly. The Web EPG is in VRF PROD with Bridge Domain WEB-BD, and App EPG is in VRF PROD with Bridge Domain APP-BD. The firewall is connected as a service graph device in a different VRF (FW-VRF). The administrator configures a contract between Web and App EPGs that redirects traffic through the firewall. However, after implementation, traffic from Web to App is not passing through the firewall; instead, it is forwarded directly. The contract is applied correctly. What is the most likely cause?

A. The firewall is in a different VRF; service graphs require the firewall to be in the same VRF as the endpoints or use a shared VRF with appropriate route leaking.
B. The firewall is not reachable from the leaf switches due to a routing issue.
C. The contract filter is misconfigured, allowing direct communication without redirection.
D. The contract is applied only to intra-EPG traffic, not inter-EPG traffic.
Answer: A

ACI service graph redirection typically works within the same VRF or with PBR; different VRFs break the redirection.

Why this answer

In Cisco ACI, service graphs redirect traffic through firewall devices by inserting the firewall as a Layer 4-Layer 7 device in the traffic path. However, the service graph device must reside in the same VRF as the consumer and provider EPGs, or a shared VRF with proper route leaking must be configured, because ACI uses VRF isolation to enforce policy-based redirect (PBR). Since the firewall is in FW-VRF while both EPGs are in VRF PROD, the leaf switches cannot redirect traffic to the firewall without a common routing context, causing the contract to bypass the firewall and forward traffic directly.

Exam trap

Cisco often tests the misconception that a service graph device can be in any VRF as long as the contract is applied correctly, but in reality, the VRF alignment is mandatory for the redirect to function.

How to eliminate wrong answers

Option B is wrong because the question states the contract is applied correctly and the firewall is connected as a service graph device; a routing issue would typically manifest as unreachability or packet drops, not as direct forwarding without redirection. Option C is wrong because the contract filter controls which traffic is permitted or denied, not the redirection path; the service graph redirection is configured separately in the contract's service graph template. Option D is wrong because the contract is explicitly configured between Web and App EPGs, which is inter-EPG traffic, and intra-EPG traffic within the same tier is allowed directly by default without a contract.

78
Multi-Select · easy

Which TWO of the following are valid methods to enforce security on a Cisco Nexus switch? (Choose two.)

Select 2 answers
A. SSHv2
B. NetFlow
C. Control Plane Policing (CoPP)
D. FabricPath
E. Private VLANs
Answers: C, E

CoPP protects the control plane by rate-limiting traffic.

Why this answer

Control Plane Policing (CoPP) is a valid security enforcement method on Cisco Nexus switches because it protects the control plane from excessive or malicious traffic by applying QoS policies that rate-limit packets destined for the supervisor module. By filtering traffic such as routing protocols, SSH, or ICMP, CoPP prevents CPU overload and DoS attacks, directly enforcing security at the control plane level.

Exam trap

Cisco often tests the distinction between security enforcement mechanisms (like CoPP and Private VLANs) and management protocols (like SSH) or monitoring tools (like NetFlow), leading candidates to mistakenly select SSHv2 as a security enforcement method.

79
MCQ · medium

An engineer is configuring AAA on a Cisco Nexus switch to authenticate management access via TACACS+. The switch is reachable, but login attempts repeatedly fail. Which action should the engineer take to isolate the issue?

A. Enable 'debug tacacs' on the switch to see the detailed TACACS+ exchange.
B. Run 'test aaa authentication login <user> <password> legacy' to validate the AAA configuration.
C. Verify IP connectivity to the TACACS+ server using ping.
D. Check whether the TACACS+ server port (49) is open using Telnet.
Answer: B

This command directly tests the AAA authentication process.

Why this answer

Option B is correct because the 'test aaa authentication login' command with the 'legacy' keyword directly validates the AAA authentication configuration against the TACACS+ server without requiring a full login session. This isolates whether the issue is with the AAA configuration itself versus network connectivity or server reachability, as the command simulates the exact authentication flow the switch uses.

Exam trap

Cisco often tests the distinction between connectivity verification (ping, port checks) and actual AAA authentication validation, trapping candidates who assume that reachability implies correct AAA operation, when in fact the shared secret, server configuration, or authentication method may be misconfigured.

How to eliminate wrong answers

Option A is wrong because enabling 'debug tacacs' generates verbose output that can overwhelm the console and impact performance, and it is a reactive troubleshooting step that should be used after confirming basic configuration and connectivity, not as the first isolation action. Option C is wrong because while IP connectivity is necessary, the switch is already reachable per the scenario, and ping only tests ICMP reachability, not whether the TACACS+ service is properly responding to authentication requests. Option D is wrong because using Telnet to test port 49 is not a valid method; Telnet uses TCP port 23, and testing a TACACS+ server port requires a TACACS+ client or a tool like 'telnet <server> 49' to check if the port is open, but this only verifies TCP connectivity, not the AAA authentication logic or shared secret correctness.

80
MCQ · medium

A data center administrator is implementing Cisco TrustSec on a Nexus 7000 switch to enforce role-based access control. After configuring a security group tag (SGT) classification policy, users report that traffic between two servers is not being tagged. What is the most likely cause?

A. DHCP snooping is not enabled on the VLAN.
B. The ingress interface is missing the 'sgt' or 'ip policy' command to classify traffic.
C. The switch ASIC does not support TrustSec in hardware.
D. The SGT is assigned on the egress interface instead of ingress.
Answer: B

Ingress interface must have 'sgt' or 'ip policy' to assign SGTs.

Why this answer

Option B is correct because Cisco TrustSec requires the ingress interface to be explicitly configured with either the 'sgt' command (for static SGT assignment) or an 'ip policy' command (for dynamic SGT classification via a security group ACL). Without this, the switch cannot classify traffic and apply the SGT tag. The scenario describes a classification policy that is not being applied, which directly points to a missing ingress classification command.

Exam trap

The trap here is that candidates often assume SGT classification is automatic once a policy is defined, but Cisco explicitly tests that the ingress interface must have the 'sgt' or 'ip policy' command to trigger classification.

How to eliminate wrong answers

Option A is wrong because DHCP snooping is unrelated to SGT classification; it is a security feature to prevent rogue DHCP servers and does not affect SGT tagging. Option C is wrong because the Nexus 7000 series switches (with the appropriate line cards, e.g., F2e, M3) support TrustSec in hardware; the question does not indicate a hardware limitation, and the issue is configuration-based. Option D is wrong because SGTs are assigned on the ingress interface, not egress; egress interfaces enforce policies based on the SGT but do not assign the tag.

81
MCQ · medium

A VACL is configured to capture traffic between hosts in the same VLAN. The capture port is configured and the VACL is applied to the VLAN. However, no traffic is being captured. What is a likely reason?

A. The VACL is applied in the wrong direction
B. The capture port is a SPAN destination port
C. The VACL does not have a capture action
D. The capture port is not in the same VLAN
Answer: C

Without the capture action, the VACL will not copy packets to the capture port.

Why this answer

Option C is correct because a VACL (VLAN Access Control List) must explicitly include a capture action to forward matched traffic to a capture port. Without the capture action, the VACL only permits or denies traffic within the VLAN but does not trigger packet replication to the configured capture port. The capture action is configured using the `capture` keyword in the VACL configuration, and its absence is the most common reason for no traffic being captured.

Exam trap

The trap here is that candidates often assume a VACL applied to a VLAN will automatically send all matched traffic to a capture port, overlooking the explicit `capture` action required in the VACL configuration.

How to eliminate wrong answers

Option A is wrong because VACLs are applied to VLANs, not to interfaces, and they operate on traffic within the VLAN regardless of direction; direction-based ACLs are for router ACLs, not VACLs. Option B is wrong because a SPAN destination port cannot be used as a capture port for VACL capture; VACL capture requires a dedicated capture port configured with the `switchport capture` command, and SPAN and VACL capture are mutually exclusive on the same port. Option D is wrong because the capture port does not need to be in the same VLAN as the traffic being captured; VACL capture replicates traffic to the capture port regardless of its VLAN membership, as long as the capture port is configured correctly.

82
MCQ · medium

In a private VLAN configuration, a host in a community VLAN needs to communicate with a host in the primary VLAN. What configuration is required on the switch?

A. The host in the community VLAN must be on an isolated port
B. The host in the primary VLAN must be on a promiscuous port
C. The host in the community VLAN must be on a promiscuous port
D. The host in the primary VLAN must be on a community port
Answer: B

The primary VLAN host must be on a promiscuous port to allow communication from community VLAN.

Why this answer

In a private VLAN configuration, a host in a community VLAN can communicate with a host in the primary VLAN only if the host in the primary VLAN is on a promiscuous port. The promiscuous port can communicate with all other ports in the private VLAN, including community and isolated ports, enabling inter-VLAN traffic through a Layer 3 gateway or a server connected to that port.

Exam trap

Cisco often tests the misconception that a community VLAN host can directly communicate with a primary VLAN host without a promiscuous port, or that the primary VLAN host must be on a community port, confusing the roles of promiscuous and community ports in private VLANs.

How to eliminate wrong answers

Option A is wrong because an isolated port can only communicate with promiscuous ports, not with community ports, so placing the community VLAN host on an isolated port would break its ability to communicate with the primary VLAN host. Option C is wrong because a community port can only communicate with other community ports in the same community VLAN and with promiscuous ports, but placing the community VLAN host on a promiscuous port would incorrectly allow it to communicate with all ports, violating the community VLAN's intended isolation. Option D is wrong because a primary VLAN host on a community port would restrict it to communicating only with other community ports in the same community VLAN and promiscuous ports, but it would not be able to communicate with hosts in other community VLANs or isolated ports, which is not the required behavior for a primary VLAN host.

83
MCQ · hard

A data center engineer is troubleshooting high CPU utilization on a Cisco Nexus 9000 switch. The engineer suspects a distributed denial-of-service (DDoS) attack targeting the switch. To mitigate the attack, the engineer configures a Control Plane Policing (CoPP) policy that drops all ICMP packets destined to the switch. The policy is applied to the control-plane using the 'service-policy input COPP' command. After applying the policy, the switch CPU utilization remains high, and ICMP traffic is still reaching the switch. The engineer verifies that the CoPP policy is applied and that the class-map matches ICMP. The policy-map has the correct police and drop actions. No other CoPP policies are applied. What is the most likely cause of the issue?

A. The switch requires a reload for the CoPP policy to take effect.
B. The attack traffic is entering through the management interface, which is not affected by CoPP.
C. The CoPP policy must be applied to the management VRF as well.
D. The class-map uses 'match protocol icmp' but the traffic uses a different protocol.
Answer: B

Management interfaces have separate control plane contexts; CoPP policies do not apply unless specifically configured for the management VRF.

Why this answer

CoPP policies are applied to the control plane in the ingress direction. However, traffic arriving on management interfaces is not subject to CoPP policies unless explicitly configured. Since the attack traffic likely enters via the management interface, CoPP does not filter it.

The correct solution is to configure a separate policy for the management interface or use management-plane protection.

84
Multi-Select · hard

Which THREE of the following must be enabled to implement 802.1X authentication with MAB fallback on a Cisco Nexus switch for a mixed environment of 802.1X-capable and non-802.1X endpoints? (Choose three.)

Select 3 answers
A. MACsec encryption on the port
B. AAA authentication with a RADIUS server
C. A RADIUS server configured with the MAC addresses of non-802.1X devices
D. A VLAN ACL to redirect traffic
E. 802.1X globally enabled on the switch
Answers: B, C, E

AAA is required to authenticate users and devices.

Why this answer

Option B is correct because 802.1X authentication requires AAA to communicate with a RADIUS server. The RADIUS server validates the credentials (EAP over RADIUS) and returns an Accept or Reject, which the switch uses to authorize the port. Without AAA and a RADIUS server, the switch has no external authentication authority to process 802.1X requests or MAB fallback.

Exam trap

Cisco often tests the misconception that MACsec or VLAN ACLs are prerequisites for 802.1X with MAB, when in fact they are optional features that can be layered on top of the authentication process.

85
MCQ · hard

A large financial institution has a Cisco ACI fabric with multiple tenants. The security team requires that all management access to the APIC controllers be authenticated via multi-factor authentication (MFA) using a RADIUS server. The RADIUS server is configured to send a One-Time Password (OTP) challenge during authentication. The current configuration uses local authentication. The engineer needs to implement RADIUS authentication with MFA for APIC GUI and CLI access. The RADIUS server is reachable at 10.10.10.10, shared secret 'SecureSecret123'. The APIC is running software version 4.2(3). The engineer must ensure that local authentication is used as fallback if the RADIUS server is unreachable. Which of the following actions should the engineer take?

A. Configure TACACS+ as the authentication protocol and set the server IP and secret.
B. Enable local authentication only and require strong passwords.
C. Add a RADIUS provider with IP 10.10.10.10 and secret 'SecureSecret123', create a login domain with realm 'radius', set fallback to 'local', and assign the domain to users.
D. Configure LDAP authentication with the RADIUS server acting as an LDAP proxy.
Answer: C

Correct: RADIUS with PAP is used for MFA and fallback to local.

Why this answer

Option C is correct because it follows the required steps to configure RADIUS authentication with MFA on Cisco APIC: adding a RADIUS provider with the correct IP and shared secret, creating a login domain with realm 'radius', setting fallback to 'local', and assigning the domain to users. This ensures that the APIC sends authentication requests to the RADIUS server, which can issue an OTP challenge for MFA, and falls back to local authentication if the RADIUS server is unreachable.

Exam trap

Cisco often tests the requirement to create a login domain and assign it to users, as many candidates mistakenly think simply adding a RADIUS provider is sufficient without configuring the domain and fallback.

How to eliminate wrong answers

Option A is wrong because TACACS+ is not supported for APIC authentication; APIC only supports RADIUS, LDAP, and local authentication for management access. Option B is wrong because enabling only local authentication with strong passwords does not implement MFA via RADIUS, which is a specific requirement. Option D is wrong because LDAP authentication cannot use a RADIUS server as an LDAP proxy; LDAP and RADIUS are separate protocols with different purposes and configurations.

86
MCQ · medium

A Cisco MDS 9000 switch is used in a storage network. The security policy requires that a junior administrator named 'user1' can view zone configurations but cannot make any changes. Currently, 'user1' is assigned the default 'network-operator' role, which allows read-only access to most configuration, but the engineer wants to ensure that zone modification is explicitly denied. The engineer creates a custom role named 'zone-viewer' and assigns it to 'user1'. The role should permit viewing of the running configuration related to zones but deny any command that modifies zone or zoneset configurations. Which configuration best achieves this objective?

A. role name zone-viewer feature zone; permit command configure terminal; zone name etc.
B. role name zone-viewer permit command show zone*; permit command show zoneset*
C. role name zone-viewer rule 1 permit read-write; feature zone
D. role name zone-viewer permit command zone; permit command zoneset; permit command zone-create
Answer: B

Permits show commands for zone and zoneset, denying configuration commands by default.

Why this answer

Option B is correct because it uses the 'permit command' statements with wildcard patterns ('show zone*' and 'show zoneset*') to explicitly allow only show commands related to zones and zonesets. By not including any 'permit' or 'deny' statements for configuration commands (like 'configure terminal', 'zone', or 'zoneset'), the role implicitly denies all other commands, including those that modify zone or zoneset configurations. This matches the requirement to allow viewing but deny modifications.

Exam trap

Cisco often tests the implicit deny behavior of RBAC, where candidates mistakenly think they must explicitly deny modification commands, when in fact only permitting the desired show commands is sufficient to block all other commands.

How to eliminate wrong answers

Option A is wrong because it includes 'permit command configure terminal' and 'zone name etc.' which would allow the user to enter configuration mode and potentially modify zone configurations, violating the security policy. Option C is wrong because 'rule 1 permit read-write' grants full read-write access to the zone feature, allowing modifications, and does not restrict to read-only. Option D is wrong because it permits 'zone', 'zoneset', and 'zone-create' commands, which are used to create and modify zones and zonesets, directly contradicting the requirement to deny modifications.

87
MCQ · easy

A data center switch is configured with 802.1X port-based authentication for edge ports. Users report authentication failures. The engineer wants to verify the authentication status of a specific interface. Which command should be used?

A. show aaa authentication
B. show dot1x
C. show authentication interface ethernet 1/1
D. show port-security interface ethernet 1/1
Answer: C

Displays 802.1X and MAC authentication status.

Why this answer

Option C is correct because the 'show authentication interface ethernet 1/1' command displays the 802.1X authentication status, including the state machine, authorized status, and method list for a specific interface. This command is part of the Identity-Based Networking Services (IBNS) framework and provides a comprehensive view of all authentication methods (802.1X, MAB, WebAuth) configured on the port, which is essential for troubleshooting authentication failures on edge ports.

Exam trap

Cisco often tests the distinction between the legacy 'show dot1x' command and the modern unified 'show authentication interface' command, trapping candidates who memorize the older command without realizing that newer IOS versions (e.g., IOS-XE 16.x+) consolidate all authentication status under the 'show authentication' hierarchy.

How to eliminate wrong answers

Option A is wrong because 'show aaa authentication' displays the global AAA authentication method lists and their order, not the per-interface authentication status or 802.1X state. Option B is wrong because 'show dot1x' without an interface keyword shows global 802.1X parameters, not the detailed per-interface status; even 'show dot1x interface ethernet 1/1' is deprecated in favor of the unified 'show authentication interface' command in newer IOS versions. Option D is wrong because 'show port-security interface ethernet 1/1' shows port security violation counts and secure MAC addresses, which is unrelated to 802.1X authentication state machines or EAPOL exchanges.

88
MCQ · medium

An engineer is configuring Cisco ACI to secure inter-tenant traffic. Tenants 'TenantA' and 'TenantB' need to communicate via a shared service, such as a DNS server in TenantA. How should the contract be configured?

A. Create a contract in TenantA and apply it to the VRF shared between tenants.
B. Create a contract in TenantA. Set the DNS EPG as provider. In TenantB, create a consumer EPG and consume the contract from TenantA.
C. Create a contract in TenantB. Set the DNS EPG as consumer. In TenantA, create a provider EPG and provide the contract from TenantB.
D. Create a contract in TenantA. Set both the DNS EPG and the TenantB EPG as providers.
Answer: B

Standard shared service design: provider's tenant contains the contract.

Why this answer

In Cisco ACI, inter-tenant communication via a shared service requires the contract to be created in the tenant that owns the shared service (provider). The provider EPG (DNS server in TenantA) is set as the provider, and the consumer EPG (in TenantB) consumes the contract from TenantA. This allows TenantB to access the DNS service without exposing its own EPGs, maintaining security isolation while enabling necessary traffic.

Exam trap

Cisco often tests the misconception that the contract must be created in the consumer's tenant or applied to the VRF, but the correct approach is to create the contract in the provider's tenant and explicitly define the provider EPG.

How to eliminate wrong answers

Option A is wrong because applying a contract to the VRF shared between tenants does not define the provider/consumer relationship; contracts must be applied to EPGs, not VRFs, and the provider EPG must be explicitly set. Option C is wrong because the contract should be created in the tenant that owns the shared service (TenantA), not TenantB, and the DNS EPG should be the provider, not the consumer. Option D is wrong because setting both EPGs as providers would create a symmetric relationship, which is incorrect for a shared service scenario where one EPG provides and the other consumes; this would also break the intended unidirectional traffic flow.

89
MCQ · easy

A network engineer is configuring device access control for Cisco NX-OS switches. The requirement is to use a protocol that separates authentication, authorization, and accounting, and encrypts all communication except the header. Which solution meets this requirement?

A. RADIUS
B. LDAP
C. SSH
D. TACACS+
Answer: D

TACACS+ encrypts entire packet except header and separates AAA functions.

Why this answer

TACACS+ is the correct choice because it separates authentication, authorization, and accounting (AAA) into distinct processes, and it encrypts the entire packet body, leaving only the standard TACACS+ header unencrypted. This meets the requirement for a protocol that provides granular AAA control with encrypted communication, unlike RADIUS which does not encrypt the full payload.

Exam trap

Cisco often tests the misconception that RADIUS encrypts all communication because it uses a shared secret, but in reality RADIUS only encrypts the password field, not the entire payload, making TACACS+ the correct choice for full-packet encryption beyond the header.

How to eliminate wrong answers

Option A (RADIUS) is wrong because it combines authentication and authorization into a single process, does not separate them, and only encrypts the password field in the Access-Request packet, leaving other attributes such as the username and accounting data in cleartext. Option B (LDAP) is wrong because it is a directory access protocol used for querying and modifying directory services, not an AAA protocol; it does not natively separate authentication, authorization, and accounting, nor does it encrypt all communication beyond the header by default. Option C (SSH) is wrong because it is a secure transport protocol for remote CLI access and file transfer, not an AAA protocol; it does not provide separate authentication, authorization, and accounting functions as a service.

90
MCQ · easy

An administrator configures 'aaa authentication login default group tacacs+ local'. What happens if the TACACS+ server is unreachable?

A. The switch uses no authentication
B. Authentication fails
C. The switch tries the next method in the group
D. The local username database is used
Answer: D

The config includes 'local' as a fallback method after group tacacs+.

Why this answer

The command 'aaa authentication login default group tacacs+ local' configures a method list where the first method is TACACS+ and the second is local. If the TACACS+ server is unreachable (not responding, not rejecting), the switch falls back to the next method in the list, which is local authentication using the local username database. This fallback behavior is defined by Cisco IOS/IOS-XE authentication method lists, where 'local' acts as a backup when the primary method is unavailable.

Exam trap

Cisco often tests the distinction between a server being unreachable (fallback occurs) versus a server rejecting credentials (authentication fails immediately), causing candidates to incorrectly assume that any TACACS+ issue results in authentication failure.

How to eliminate wrong answers

Option A is wrong because the switch does not use 'no authentication'; the 'default' method list requires authentication, and fallback to local ensures authentication still occurs. Option B is wrong because authentication does not fail outright; failure only occurs if all methods in the list are exhausted or if the server explicitly rejects the credentials (e.g., via a 'DENIED' response). Option C is wrong because 'group tacacs+' is a single method group; the switch does not try 'the next method in the group'—it tries the next method in the list, which is 'local', not another server within the same group.

91
MCQ · easy

An engineer needs to ensure that only authorized servers can connect to a specific switch port in a data center. The port connects to a critical database server with fixed MAC address 00:1a:2b:3c:4d:5e. Which configuration is most appropriate?

A. switchport port-security; switchport port-security mac-address 001a.2b3c.4d5e; switchport port-security violation shutdown
B. switchport port-security; switchport port-security maximum 1; switchport port-security violation shutdown
C. no switchport port-security; spanning-tree portfast
D. switchport port-security; switchport port-security maximum 2; switchport port-security violation protect
Answer: A

Statically configures the authorized MAC, exactly meeting the requirement.

Why this answer

Option A is correct because it explicitly binds the specific MAC address 001a.2b3c.4d5e to the port using port security, and sets the violation mode to shutdown, which disables the port if any unauthorized device attempts to connect. This ensures only the authorized database server can use the port, meeting the requirement precisely.

Exam trap

Cisco often tests the distinction between specifying a static MAC address versus relying on dynamic learning with a maximum count, where candidates mistakenly think limiting to one MAC is sufficient without binding the specific authorized address.

How to eliminate wrong answers

Option B is wrong because it only limits the maximum number of MAC addresses to 1 without specifying the allowed MAC address, so the port will learn the first MAC it sees, which could be an unauthorized device if it connects first. Option C is wrong because it disables port security entirely and enables spanning-tree portfast, which provides no MAC-based access control and allows any device to connect. Option D is wrong because it sets the maximum to 2, allowing two MAC addresses, and uses the protect violation mode, which simply drops frames from unauthorized sources without alerting or disabling the port, failing to ensure only the authorized server can connect.

92
MCQ · medium

A server team reports that after connecting a new server to a switchport, the server can receive traffic but cannot send traffic. The port is configured with port security. What is the most likely cause?

A. The port is in errdisable state
B. The port security violation mode is set to protect
C. The port security maximum is set to 1 and another device is connected
D. The server MAC address is not in the allowed list
Answer: B

Protect mode drops offending frames silently, allowing the server to receive but not send traffic from an unknown MAC.

Why this answer

When port security violation mode is set to 'protect', the switch drops traffic from unauthorized MAC addresses without generating a syslog message or incrementing the violation counter. In this scenario, the server can receive traffic because the switch still forwards broadcast and unknown unicast frames to the port, but the server's transmitted frames are silently dropped because the switch does not learn the server's MAC address or forward its frames. This matches the symptom of one-way communication where the server can receive but not send.

Exam trap

Cisco often tests the distinction between the three port security violation modes (protect, restrict, shutdown) by presenting a symptom of one-way traffic, which candidates mistakenly attribute to a shutdown or restrict mode rather than the silent dropping behavior of protect.

How to eliminate wrong answers

Option A is wrong because an err-disabled port is down in both directions; the server would receive nothing either, and 'show interfaces status' would report err-disabled rather than connected. Option C describes a condition that can trigger a violation, but it is the violation mode, not the address count, that shapes the symptom: shutdown err-disables the port, restrict drops the offending frames and logs a violation, and only protect produces the silent one-way traffic in the stem. Option D is wrong because port security has no separate 'allowed list'; the secure address table is populated dynamically (or by static or sticky entries), and a MAC that is not in it simply triggers whichever violation mode is configured, so the entry being absent does not on its own explain why the traffic is one-way rather than the port being down or a violation being logged.
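
Configurations for the two situations above (the static single-host binding from question 91 and the protect-versus-restrict distinction from question 92), as an added example that is not taken from the question bank. It is written for Catalyst IOS; the interface numbers, VLAN 20 and the err-disable recovery timer are assumptions, while the MAC address is the one given in question 91.

```cisco
! Added example, not from the question bank. Interface numbers, VLAN 20 and
! the recovery interval are assumptions; the MAC address comes from question 91.

! --- Question 91: bind exactly one authorized host to the port ---
interface GigabitEthernet1/0/10
 description DB-SERVER-01, single authorized host
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 001a.2b3c.4d5e
 switchport port-security violation shutdown
!
! A violation err-disables the port. Without recovery it stays down until an
! operator issues shutdown / no shutdown; this brings it back after 5 minutes.
errdisable recovery cause psecure-violation
errdisable recovery interval 300

! --- Question 92: the silent failure mode ---
! protect drops frames from any non-secure source MAC but raises no syslog,
! sends no SNMP trap and does not increment the violation counter. If the
! server behind this port is swapped, the old sticky MAC stays secure and the
! new server shows up only as "receives but cannot send".
interface GigabitEthernet1/0/11
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation protect

! Corrected: restrict drops the same frames but logs the violation and
! increments the counter, so the condition is visible in show output and syslog.
interface GigabitEthernet1/0/11
 switchport port-security violation restrict
```

Check the result with 'show port-security interface GigabitEthernet1/0/10': Port Status should read Secure-up, Violation Mode the configured mode, and Last Source Address:Vlan the MAC the switch last saw on the port. Security Violation Count stays at 0 in protect mode even while frames are being dropped, which is why the symptom in question 92 is easy to miss; after a shutdown-mode violation, 'show interfaces status' reports the port as err-disabled.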

93
MCQmedium

A data center engineer is troubleshooting connectivity issues between two EPGs in the same tenant on a Cisco ACI fabric. The first EPG 'web_epg' is in VLAN 100 and the second EPG 'db_epg' is in VLAN 200. The contract 'web_to_db' allows TCP port 3306 from web_epg to db_epg. The EPGs are in the same VRF. The engineer has verified that the physical connectivity is correct and the endpoints are learning their IP addresses. However, traffic from web_epg to db_epg is not reaching the destination. The engineer checks the contract and sees that the subject 'mysql_access' has filter 'mysql' with direction 'both'. The provider is db_epg and consumer is web_epg. The engineer also notices that the default action in the contract is 'deny'. What is the most likely cause of the issue?

A.The contract direction is reversed: the provider should be the destination of the traffic. Since web_epg initiates to db_epg, web_epg should be the provider.
B.The VRF is not correctly associated with the EPGs.
C.A Layer 3 Outside (L3Out) is required for communication between EPGs in the same VRF.
D.The filter 'mysql' does not match TCP port 3306.
AnswerA

In ACI the provider offers the service and the consumer initiates. db_epg (the destination, listening on 3306) should be the provider and web_epg the consumer; the item tests what happens when those roles are inverted.

Why this answer

In Cisco ACI the provider EPG is the one that offers the service, that is, the destination of the initiating traffic, and the consumer EPG is the one that initiates. Web servers open TCP connections to the database, so db_epg should provide web_to_db and web_epg should consume it. When the roles are inverted (web_epg providing, db_epg consuming), the zoning rules the fabric derives from the contract permit initiation in the wrong direction; SYNs from web_epg to db_epg on port 3306 match nothing and fall to the implicit inter-EPG deny, which is the symptom described. Note that the stem as printed already lists db_epg as provider and web_epg as consumer, which is the correct orientation, and the wording of option A has the roles the wrong way round; the point the item is testing is the directionality mistake, and the correct configuration is db_epg as provider and web_epg as consumer.

Exam trap

Cisco often tests the provider/consumer directionality in ACI contracts, and the trap here is that candidates assume the provider is the source (initiator) of traffic, when in fact the provider is the destination (service offerer).

How to eliminate wrong answers

Option B is wrong because both EPGs are in the same VRF and the endpoints are being learned with IP addresses, which shows the VRF and bridge domains are working. Option C is wrong because an L3Out is only needed to reach networks outside the fabric; two EPGs in the same VRF talk to each other through a contract alone. Option D is wrong because the stem states that the 'mysql' filter permits TCP 3306, the only port the application needs; 'mysql' is not one of the filters ACI ships in the common tenant (default, arp, est, icmp), so it is an administrator-defined filter, but its definition is not in question here, only which EPG provides and which consumes.

94
MCQhard

A Nexus switch experiences high CPU utilization due to excessive ICMP traffic. An engineer applies a CoPP policy that includes a class matching ICMP with a drop action. After applying, legitimate OSPF hello packets are also being dropped. What is the most likely cause?

A.The CoPP policy is applied to the wrong interface
B.The CoPP policy rate-limits all traffic including OSPF below its needed rate
C.OSPF packets match the default class which has a drop action
D.The class-map matches multiple protocols including OSPF
AnswerC

If the default class action is drop, any traffic not explicitly matched (including OSPF) will be dropped. This is a common misconfiguration.

Why this answer

Option C is correct because every control-plane packet that matches no explicit class in the CoPP policy-map falls into class-default. If class-default drops, everything unmatched is lost, and OSPF hellos (IP protocol 89, sent to 224.0.0.5) are unmatched here because the only explicit class matches ICMP. The engineer's new class is working as written; the collateral damage comes from what the policy does with traffic it was never written to classify.

Exam trap

Cisco often tests the concept that the default class in CoPP is not automatically 'permit' and must be explicitly configured; the trap here is assuming that only the matched class (ICMP) is affected, while forgetting that unmatched traffic falls to the default class, which can have a drop action.

How to eliminate wrong answers

Option A is wrong because on NX-OS a CoPP policy is attached once, globally, under 'control-plane' with 'service-policy input'; there is no per-interface CoPP, so a wrong interface cannot be the explanation. Option B is wrong because the stem says the ICMP class drops rather than polices, and the OSPF hellos are not being trimmed to a rate but dropped outright, which points at the class they fall into rather than at an insufficient CIR. Option D is wrong because a class-map built from an ACL that permits ICMP ('match access-group name' referencing 'permit icmp any any') matches only IP protocol 1; OSPF is IP protocol 89 and falls through to class-default. A class that matched on DSCP instead of protocol could sweep in other traffic, but the stem says the class matches ICMP.
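
The misconfiguration in question 94 beside a corrected policy, written for NX-OS as an added example that is not part of the question bank. The ACL, class-map and policy-map names and the police rates are assumptions chosen for illustration; the structure (class-map type control-plane, match access-group, class-default, service-policy input under control-plane) is the NX-OS CoPP model.

```cisco
! Added example, not from the question bank. Names and rates are assumptions.

! --- Misconfiguration behind question 94 ---
ip access-list COPP-ACL-ICMP
  10 permit icmp any any
class-map type control-plane match-any COPP-CLASS-ICMP
  match access-group name COPP-ACL-ICMP
policy-map type control-plane COPP-BAD
  class COPP-CLASS-ICMP
    police cir 64 kbps bc 32000 bytes conform drop violate drop
  class class-default
    police cir 64 kbps bc 32000 bytes conform drop violate drop
! class-default is where everything not matched above lands: OSPF hellos
! (IP protocol 89), BGP, ARP, SSH to the switch. With conform drop they are
! all discarded together with the ICMP flood, which is the reported symptom.

! --- Corrected policy ---
ip access-list COPP-ACL-OSPF
  10 permit ospf any any
class-map type control-plane match-any COPP-CLASS-ROUTING
  match access-group name COPP-ACL-OSPF
policy-map type control-plane COPP-GOOD
  class COPP-CLASS-ROUTING
    police cir 1000 kbps bc 128000 bytes conform transmit violate drop
  class COPP-CLASS-ICMP
    police cir 100 kbps bc 32000 bytes conform transmit violate drop
  class class-default
    police cir 100 kbps bc 32000 bytes conform transmit violate drop
! ICMP is rate-limited rather than dropped outright so ping still works for
! troubleshooting; class-default transmits within its CIR so control traffic
! that has no explicit class is throttled, not silently blackholed.
control-plane
  service-policy input COPP-GOOD
```

Verify with 'show copp status' (which policy is attached) and 'show policy-map interface control-plane', which lists conformed and violated counters per class; violated counters climbing under class-default while the explicit classes show nothing is the signature of this misconfiguration. In practice, start from a copy of a system profile ('copp copy profile strict prefix ...') rather than from an empty policy, so the routing protocols already have their own classes before any custom class is added.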

95
MCQhard

An engineer observes that ARP packets are being dropped. Based on the exhibit, what is the drop rate percentage for ARP packets?

A.75%
B.25%
C.50%
D.100%
AnswerC

Half of the packets exceed the police rate and are dropped.

Why this answer

The exhibit shows that out of 1000 total ARP packets, 500 were dropped. The drop rate percentage is calculated as (dropped packets / total packets) * 100, which is (500/1000)*100 = 50%. Therefore, option C is correct.

Exam trap

Cisco often tests the ability to correctly compute a percentage from raw drop and total counts, where candidates might misread the exhibit or confuse drop rate with success rate, leading to incorrect answers like 25% or 75%.

How to eliminate wrong answers

Option A is wrong because 75% would require 750 dropped packets out of 1000, not 500. Option B is wrong because 25% would require 250 dropped packets out of 1000, not 500. Option D is wrong because 100% would require all 1000 packets to be dropped, but only 500 were dropped.
