CCNA Network Security Questions

29 of 104 questions · Page 2/2 · Network Security · Answers revealed

76
MCQ · medium

A security auditor discovers that several unused switch ports are in default configuration. The auditor recommends implementing a security measure that will disable the port if an unauthorized device is connected, and then automatically re-enable the port after a specified time period. Which feature should be configured on the switch ports?

A.802.1X with RADIUS authentication and guest VLAN
B.Port security with violation mode 'shutdown' and errdisable recovery interval
C.DHCP snooping and dynamic ARP inspection
D.Storm control and broadcast suppression
Answer: B

Port security shutdown disables the port on violation, and errdisable recovery allows automatic re-enablement after a configured time.

Why this answer

Port security with violation mode 'shutdown' puts the port into the err-disabled state when a MAC address outside the allowed set appears on it; it is the only violation mode that takes the port down. Errdisable recovery, enabled globally for the psecure-violation cause together with a recovery interval, brings the port back up on its own once the interval expires; without it the port stays down until an administrator bounces it with shutdown / no shutdown. This directly matches the auditor's requirement to disable on unauthorized connection and re-enable after a timeout.

Exam trap

Cisco often tests the distinction between port security's 'shutdown' violation mode (which triggers errdisable) and 'restrict' or 'protect' modes (which do not disable the port), leading candidates to incorrectly assume any port security mode meets the requirement for automatic re-enablement.

How to eliminate wrong answers

Option A is wrong because 802.1X with RADIUS authentication and guest VLAN controls network access at Layer 2 using authentication, but it does not disable the port or provide automatic re-enablement after a timeout; it either grants or denies access based on credentials. Option C is wrong because DHCP snooping and dynamic ARP inspection are security features that prevent DHCP spoofing and ARP poisoning, but they do not disable switch ports upon unauthorized device connection or include an errdisable recovery mechanism. Option D is wrong because storm control and broadcast suppression limit excessive broadcast, multicast, or unknown unicast traffic to prevent network storms, but they do not disable ports based on unauthorized device detection or provide automatic re-enablement.

77
MCQ · hard

An attacker sends ICMP echo request packets to the broadcast address of a network, with the source IP address spoofed to be the target's IP address. This causes all hosts on the network to send ICMP echo replies to the target, overwhelming it. Which type of attack is this?

A.Smurf attack
B.Fraggle attack
C.Ping flood
D.ARP poisoning
Answer: A

A Smurf attack uses ICMP echo requests to the broadcast address with a spoofed source IP to generate a flood of replies to the victim.

Why this answer

This is a classic Smurf attack, which exploits ICMP by sending echo request packets to the network's broadcast address with the source IP spoofed as the target. All hosts on the network receive the request and reply to the spoofed source, flooding the target with ICMP echo replies and consuming its bandwidth or resources.

Exam trap

CompTIA often tests the distinction between Smurf (ICMP) and Fraggle (UDP) attacks, so candidates mistakenly choose Fraggle when they see 'broadcast' and 'spoofed source' without noting the protocol used.

How to eliminate wrong answers

Option B (Fraggle attack) is wrong because it uses UDP echo traffic to the broadcast address, not ICMP echo requests. Option C (Ping flood) is wrong because it involves sending a high volume of ICMP echo requests directly to the target from a single or multiple sources, not leveraging broadcast amplification with a spoofed source. Option D (ARP poisoning) is wrong because it manipulates ARP tables to intercept traffic on a local network, not using ICMP or broadcast amplification.

78
MCQ · medium

A company wants to deploy a wireless network with the highest level of security for client authentication. The network will use a RADIUS server. Which authentication method should be used?

A.WPA2-PSK
B.WPA3-SAE
C.802.1X with EAP-TLS
D.802.1X with PEAP
Answer: C

EAP-TLS provides mutual authentication using certificates on both client and server, offering the highest level of security for enterprise wireless.

Why this answer

Option C is correct because 802.1X with EAP-TLS authenticates both sides with X.509 certificates: the client verifies the RADIUS server's certificate and the server verifies the client's, so no password crosses the air and there is nothing for a dictionary attack or a rogue-AP phishing page to capture. That makes it the strongest method in the list for enterprise wireless; its cost is a PKI to issue, renew and revoke client certificates.

Exam trap

The trap here is that candidates often confuse PEAP with EAP-TLS because both use TLS, but PEAP only authenticates the server with a certificate while the client authenticates with a password (e.g., MSCHAPv2), making it less secure than full mutual certificate authentication in EAP-TLS.

How to eliminate wrong answers

Option A is wrong because WPA2-PSK uses a pre-shared key that is shared among all clients, making it vulnerable to offline dictionary attacks and lacking per-user authentication or centralized RADIUS integration. Option B is wrong because WPA3-SAE, while more secure than WPA2-PSK, still relies on a shared password (simultaneous authentication of equals) and does not provide certificate-based mutual authentication or integration with a RADIUS server for individual user credentials. Option D is wrong because 802.1X with PEAP uses a server-side certificate but tunnels the client authentication (typically MSCHAPv2) inside a TLS tunnel, which is susceptible to credential theft if the tunnel is compromised or if the client does not validate the server certificate properly.

79
MCQ · hard

An IT security analyst is implementing a solution to detect malware on endpoints by monitoring system calls and file integrity. Which of the following types of controls is being deployed?

A.Host-based Intrusion Detection System (HIDS)
B.Network-based Intrusion Detection System (NIDS)
C.Firewall
D.Virtual Private Network (VPN)
Answer: A

HIDS monitors the host's internals like system calls, logs, and file changes for signs of intrusion or malware.

Why this answer

A Host-based Intrusion Detection System (HIDS) monitors system calls, file integrity, and operating system logs directly on the endpoint. This matches the scenario because the analyst is deploying a solution that detects malware by observing low-level system behavior and verifying file integrity, which are core HIDS functions.

Exam trap

The trap here is that candidates confuse HIDS with NIDS, thinking any 'intrusion detection' must be network-based, but the question's focus on system calls and file integrity clearly points to host-level monitoring.

How to eliminate wrong answers

Option B is wrong because a Network-based Intrusion Detection System (NIDS) monitors network traffic for malicious patterns, not system calls or file integrity on individual endpoints. Option C is wrong because a firewall controls traffic flow based on rules (e.g., IP addresses, ports) and does not monitor system calls or file integrity. Option D is wrong because a Virtual Private Network (VPN) encrypts traffic between endpoints and does not perform intrusion detection or file integrity monitoring.

80
MCQ · hard

An attacker is launching a DHCP starvation attack by sending a large number of DHCP discover messages with spoofed MAC addresses. This exhausts the DHCP pool and causes legitimate clients to fail to obtain IP addresses. Which security feature should be implemented on the switch to mitigate this attack?

A.Port security
B.DHCP snooping
C.Dynamic ARP Inspection (DAI)
D.802.1X
Answer: B

DHCP snooping includes rate limiting and filters DHCP messages on untrusted ports, effectively preventing DHCP starvation and rogue DHCP servers.

Why this answer

DHCP snooping is the correct mitigation because it classifies every port as trusted or untrusted and inspects DHCP on the untrusted ones. Server messages (OFFER, ACK, NAK) are accepted only on trusted ports (typically the uplink toward the legitimate DHCP server) and dropped on untrusted ports, which blocks rogue servers. Against starvation specifically, two further checks apply on untrusted ports: a per-port rate limit on DHCP packets, which err-disables a port that floods DISCOVERs, and MAC address verification, which drops a DHCP packet whose Ethernet source MAC does not match the client hardware address (chaddr) carried in the DHCP payload. The binding table that snooping builds from completed leases is what Dynamic ARP Inspection and IP Source Guard consume; it is a by-product here, not the starvation defense itself.

Exam trap

CompTIA often tests DHCP snooping as the answer for DHCP starvation attacks, but candidates confuse it with DAI because both rely on the DHCP snooping binding table, forgetting that DAI only validates ARP packets, not DHCP messages.

How to eliminate wrong answers

Option A is wrong as the best answer because port security only counts and filters Ethernet source MAC addresses; it never looks inside DHCP. It does blunt a starvation tool that rotates the Ethernet source MAC (each new address counts toward the port's maximum), but it does nothing against a tool that keeps one source MAC and varies only the DHCP client hardware address, which is exactly the case that DHCP snooping's MAC verification and rate limit handle. Option C is wrong because Dynamic ARP Inspection (DAI) validates ARP packets using the DHCP snooping binding table to prevent ARP spoofing, but it does not inspect DHCP discover messages or rate-limit them, so it cannot mitigate a DHCP starvation attack. Option D is wrong because 802.1X provides port-based network access control through authentication (e.g., with RADIUS), but it does not filter or rate-limit DHCP traffic; once a client is authenticated, it can still send a flood of DHCP discovers.
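The switch-side configuration for this answer, as an added example that is not part of the original page: Cisco IOS (Catalyst) DHCP snooping for the access VLANs, with only the uplink trusted, the per-port DHCP rate limit that catches a starvation tool, and automatic recovery for a port the rate limit disables. VLAN IDs, interface names, the rate value and the recovery interval are assumptions.

```cisco
! Added example, not part of the original page. Cisco IOS Catalyst syntax;
! VLAN IDs, interface names, rate and interval are assumptions.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Catalyst inserts DHCP option 82 by default; a server that does not expect
! it may drop the request, so leave insertion off unless the server uses it.
no ip dhcp snooping information option
! Drop client DHCP packets whose Ethernet source MAC differs from the chaddr
! in the DHCP payload (on by default, shown explicitly).
ip dhcp snooping verify mac-address
!
interface GigabitEthernet1/0/48
 description Uplink toward the legitimate DHCP server
 ip dhcp snooping trust
!
! Access ports stay untrusted (the default): OFFER/ACK/NAK arriving here are
! dropped, and more than 10 DHCP packets per second err-disables the port.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
!
! Bring a rate-limited port back automatically after 5 minutes.
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Verification:
! show ip dhcp snooping
! show ip dhcp snooping binding
! show errdisable recovery
```

The rate value should be set from the real DISCOVER rate on the port (a handful per second is generous for a single host); a port that carries a hub or a VM host with many guests needs a higher limit or it will be err-disabled by legitimate traffic.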

81
MCQ · medium

An organization has separate VLANs for the HR and Finance departments. Both VLANs use a single Layer 3 switch to route between them. The HR department needs access to a shared printer located in the Finance VLAN, but all other traffic between the VLANs should be blocked. Which of the following should be configured?

A.Configure an ACL on the Layer 3 switch to permit specific traffic between VLANs
B.Place the printer in the HR VLAN
C.Create a separate VLAN for the printer
D.Use a wireless access point to bridge the VLANs
Answer: A

ACLs on the Layer 3 switch can filter inter-VLAN traffic to allow only the required printer access.

Why this answer

An ACL on the Layer 3 switch can filter inter-VLAN traffic at the routed interface (SVI or routed port). By permitting only the HR subnet’s traffic to the printer’s IP address and denying all other inter-VLAN traffic, you meet the requirement of selective access while blocking everything else. This is the standard method for policy-based segmentation between VLANs.

Exam trap

The trap here is that candidates often think placing the printer in the same VLAN or creating a dedicated VLAN solves the problem, but they overlook that ACLs are the precise tool for granular, policy-based filtering between VLANs on a Layer 3 switch.

How to eliminate wrong answers

Option B is wrong because relocating the printer changes the design instead of enforcing the policy: the printer is a Finance resource, so Finance users would then need inter-VLAN routing to reach their own printer, and nothing about the move blocks the rest of the traffic between HR and Finance. Option C is wrong because creating a separate VLAN for the printer would require additional routing and still allow all traffic from HR to that VLAN unless an ACL is applied, making it an unnecessary extra step that does not by itself block other inter-VLAN traffic. Option D is wrong because a wireless access point bridges at Layer 2, not Layer 3, and would merge the VLANs or create a security bypass, violating the requirement to block all other traffic between VLANs.
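One way to configure the ACL this answer describes, as an added example that is not the page's own: extended ACLs applied inbound on the two SVIs of a Cisco IOS Layer 3 switch. The VLAN numbers, subnets, printer address and printer ports (TCP 9100 raw and TCP 631 IPP) are assumptions. It goes slightly beyond the question by filtering the Finance side too, so that only the printer's TCP replies can reach HR.

```cisco
! Added example, not from the original page. Cisco IOS Layer 3 switch.
! Assumptions: HR = VLAN 10 (10.1.10.0/24), Finance = VLAN 20 (10.1.20.0/24),
! shared printer = 10.1.20.50 listening on TCP 9100 (raw) and TCP 631 (IPP).
ip access-list extended HR-TO-FINANCE
 remark HR hosts may reach only the shared printer in Finance
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.20.50 eq 9100
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.20.50 eq 631
 deny   ip  10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 log
 remark Everything else (internet, other VLANs) is unaffected
 permit ip  any any
!
ip access-list extended FINANCE-TO-HR
 remark Only the printer's replies (established TCP) may enter HR
 permit tcp host 10.1.20.50 10.1.10.0 0.0.0.255 established
 deny   ip  10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255 log
 permit ip  any any
!
! "in" on an SVI filters packets arriving from that VLAN's hosts as they
! are routed, which is where inter-VLAN policy belongs.
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group HR-TO-FINANCE in
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip access-group FINANCE-TO-HR in
!
! Verification (hit counters on the deny lines show blocked attempts):
! show ip access-lists HR-TO-FINANCE
! show ip interface Vlan10 | include access list
```

The log keyword on the deny lines is useful while validating the policy, but logged ACEs are punted to the CPU on Catalyst switches, so remove it or rate-limit logging once the rules are confirmed.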

82
MCQ · hard

A security analyst discovers that an attacker is sending large numbers of incomplete TCP connection requests to a server, causing the server to run out of resources and stop responding to legitimate requests. Which type of attack is this, and which mitigation should be implemented?

A.SYN flood; enable TCP intercept or SYN cookies
B.Ping flood; implement rate limiting
C.Smurf attack; disable IP-directed broadcasts
D.ARP poisoning; enable dynamic ARP inspection
Answer: A

The attack is a SYN flood. TCP intercept (or SYN cookies) allows the server to manage half-open connections and mitigate resource exhaustion.

Why this answer

This is a SYN flood: the attacker sends a high volume of TCP SYN segments, usually from spoofed sources, and never sends the final ACK, so the server's queue of half-open connections fills and legitimate SYNs are dropped. SYN cookies (described in RFC 4987) let the server answer every SYN without storing state, encoding the connection parameters in its initial sequence number so that only a client that returns a valid ACK consumes a table entry. TCP intercept on a Cisco router either completes the handshake with the client on the server's behalf and opens the real connection only afterwards (intercept mode), or lets the handshake through and resets connections that do not complete within a timeout (watch mode).

Exam trap

The trap here is that candidates confuse a SYN flood with a ping flood or Smurf attack because all involve flooding, but only SYN floods target the TCP three-way handshake state table.

How to eliminate wrong answers

Option B is wrong because a ping flood uses ICMP Echo Request packets, not TCP connection requests, and rate limiting is a generic mitigation that does not address the specific TCP state exhaustion. Option C is wrong because a Smurf attack amplifies ICMP traffic using IP-directed broadcasts, not incomplete TCP connections, and disabling directed broadcasts does not prevent SYN floods. Option D is wrong because ARP poisoning manipulates Layer 2 address resolution to intercept traffic, not exhaust TCP resources, and dynamic ARP inspection is a mitigation for ARP spoofing, not SYN floods.
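The TCP intercept configuration the answer refers to, as an added example that is not the page's own: a Cisco IOS router in front of a web server. The server address, ports and thresholds are assumptions; the threshold values shown are the IOS defaults, listed so they can be tuned.

```cisco
! Added example, not from the original page. Cisco IOS router protecting
! a web server; server address, ports and thresholds are assumptions.
! The ACL selects which destinations are intercepted, so that outbound
! client traffic from the inside is left alone.
access-list 120 permit tcp any host 203.0.113.10 eq 80
access-list 120 permit tcp any host 203.0.113.10 eq 443
!
ip tcp intercept list 120
! intercept: the router answers the SYN with its own SYN-ACK and opens the
! connection to the server only when the client's ACK arrives; spoofed
! sources never send that ACK, so the server never sees them.
! watch: pass the handshake through and reset it if not completed in time.
ip tcp intercept mode intercept
ip tcp intercept watch-timeout 30
! Aggressive mode: above the high marks the router starts dropping partial
! connections (oldest first) until the count falls below the low marks.
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
ip tcp intercept drop-mode oldest
!
! Verification:
! show tcp intercept connections
! show tcp intercept statistics
```

TCP intercept is a legacy IOS feature and is not available on every platform; where the server itself is under your control, enabling SYN cookies on the host (the Linux sysctl net.ipv4.tcp_syncookies, for example) is the simpler and more scalable defense, and the two can be combined.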

83
MCQ · hard

A security analyst notices that a user's workstation is sending encrypted DNS queries to an external IP address over TCP port 853. This traffic is being used to establish a covert communication channel to bypass the company's security controls. Which technique is being employed?

A.DNS poisoning
B.DNS tunneling
C.DNS amplification
D.DNS zone transfer
Answer: B

DNS tunneling encapsulates data in DNS queries and responses, often using encryption, to bypass firewalls and exfiltrate data.

Why this answer

DNS tunneling is the correct answer because the analyst observed DNS traffic being used to carry a covert channel. Tunneling encapsulates non-DNS data (command-and-control traffic, exfiltrated files) inside DNS queries and responses, typically in the labels of long, high-entropy subdomains of an attacker-controlled zone, so that it passes controls that let DNS through. Two details of the scenario are worth separating: TCP port 853 is DNS over TLS, so the payload is encrypted and the resolver at the far end is one the attacker chose rather than the corporate one. On its own that is policy evasion (queries bypass the internal resolver and its logging); it is the stated use as a covert channel that makes this tunneling rather than merely encrypted DNS.

Exam trap

The trap here is that candidates may confuse DNS tunneling with DNS poisoning or amplification because all involve DNS abuse, but only tunneling uses DNS as a covert data carrier, not for cache corruption or traffic amplification.

How to eliminate wrong answers

Option A is wrong because DNS poisoning (also known as DNS cache poisoning) involves corrupting a DNS resolver's cache with forged records to redirect users to malicious sites, not establishing a covert channel over encrypted DNS. Option C is wrong because DNS amplification is a volumetric DDoS attack that exploits open resolvers to flood a target with large DNS responses, not a technique for covert communication. Option D is wrong because DNS zone transfer is a legitimate administrative mechanism for replicating DNS zone data between authoritative servers, typically over TCP port 53, and is not used for covert channels.
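A control that closes the channel described in this question, as an added example not from the original page: an inbound ACL on the inside interface of a Cisco IOS edge router that lets workstations talk DNS only to the corporate resolvers and blocks plain DNS, DNS over TLS (TCP 853) and DNS over QUIC (UDP 853) to anyone else, logging the attempts so the analyst sees who is trying. The inside prefix, resolver addresses and interface name are assumptions.

```cisco
! Added example, not from the original page. Cisco IOS edge router;
! inside prefix, resolver addresses and interface name are assumptions.
ip access-list extended INSIDE-IN
 remark The corporate resolvers themselves may query upstream
 permit udp host 10.1.100.53 any eq 53
 permit tcp host 10.1.100.53 any eq 53
 permit udp host 10.1.100.54 any eq 53
 permit tcp host 10.1.100.54 any eq 53
 remark Everyone else may talk DNS only to those resolvers
 permit udp 10.1.0.0 0.0.255.255 host 10.1.100.53 eq 53
 permit tcp 10.1.0.0 0.0.255.255 host 10.1.100.53 eq 53
 permit udp 10.1.0.0 0.0.255.255 host 10.1.100.54 eq 53
 permit tcp 10.1.0.0 0.0.255.255 host 10.1.100.54 eq 53
 remark Direct DNS, DNS over TLS and DNS over QUIC to anything else: drop and log
 deny   udp 10.1.0.0 0.0.255.255 any eq 53  log
 deny   tcp 10.1.0.0 0.0.255.255 any eq 53  log
 deny   tcp 10.1.0.0 0.0.255.255 any eq 853 log
 deny   udp 10.1.0.0 0.0.255.255 any eq 853 log
 permit ip  10.1.0.0 0.0.255.255 any
!
interface GigabitEthernet0/0/1
 description Inside
 ip access-group INSIDE-IN in
!
! Verification: the deny counters identify the offending hosts
! show ip access-lists INSIDE-IN
! show logging | include INSIDE-IN
```

Port-based filtering cannot catch DNS over HTTPS, which rides on TCP 443 with the rest of web traffic; for that the corporate resolver should block known DoH provider names and the endpoints should be configured (or forced by policy) to use the internal resolver, with the resolver's query logs watched for the long, random-looking subdomains that tunneling produces.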

84
MCQ · medium

A security team is deploying a new intrusion detection system (IDS) and wants to analyze all traffic entering and exiting the network without introducing latency or a single point of failure. How should the IDS be connected to the network?

A.Inline between the firewall and the core switch
B.Connected to a network tap or spanned port on the core switch
C.Directly connected to the internet router
D.Connected to the management network
Answer: B

Using a network tap or SPAN port allows the IDS to passively listen to traffic without affecting the data path.

Why this answer

Connecting the IDS to a network tap or a spanned port (SPAN/mirror port) on the core switch allows it to receive a copy of all traffic entering and exiting the network without being in the data path. This passive deployment adds no latency because the IDS never forwards or blocks traffic, and it removes the single point of failure because the network keeps running if the IDS fails or is taken offline. The practical caveat is capacity: a SPAN session copies both directions of its source into one destination port, so a busy full-duplex link can exceed the sensor port's rate and the switch drops mirrored frames without telling the IDS, whereas a hardware tap passes every frame. Taps are therefore preferred on heavily loaded links and SPAN on lightly loaded ones.

Exam trap

Cisco often tests the distinction between inline (active) and passive (out-of-band) deployments, and the trap here is that candidates mistakenly choose inline placement because they think the IDS must 'see' all traffic by being in the path, ignoring the latency and single-point-of-failure consequences.

How to eliminate wrong answers

Option A is wrong because placing the IDS inline between the firewall and core switch forces all traffic to pass through the device, which introduces latency and creates a single point of failure — if the IDS fails, traffic stops. Option C is wrong because connecting the IDS directly to the internet router would only capture traffic to/from that specific interface, not all network traffic, and it would still be inline if placed in the forwarding path. Option D is wrong because the management network carries only out-of-band administrative traffic, not the production data flows that the IDS needs to analyze.
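The SPAN session behind this answer, as an added example not from the original page: a Cisco IOS Catalyst switch mirroring the firewall-facing uplink to the port where the IDS sensor is plugged in. Interface names are assumptions.

```cisco
! Added example, not from the original page. Cisco IOS Catalyst local SPAN;
! interface names are assumptions.
! Source: the uplink to the firewall, both directions (rx and tx).
! Destination: the IDS sensor port. A SPAN destination forwards nothing,
! learns no MAC addresses and does not participate in STP; it only emits
! copies, which is what makes this placement passive.
monitor session 1 source interface GigabitEthernet1/0/48 both
monitor session 1 destination interface GigabitEthernet1/0/10
!
! Capacity check: "both" on a 1 Gb/s full-duplex uplink can produce up to
! 2 Gb/s of copies toward a 1 Gb/s sensor port. If the counters below show
! a saturated uplink, use a tap or mirror one direction per session.
!
! Verification:
! show monitor session 1
! show interfaces GigabitEthernet1/0/48 | include rate
```

To mirror a whole VLAN instead of one link, replace the source line with monitor session 1 source vlan 10; the same oversubscription arithmetic applies to the sum of the VLAN's ports.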

85
MCQ · medium

A network administrator wants to ensure that only authorized devices can access the network on a switch port. The administrator has a list of allowed MAC addresses. Which security feature should be enabled on the switch port?

A.802.1X
B.MAC address filtering
C.Port security
D.VLAN hopping prevention
Answer: C

Port security allows restricting access based on MAC addresses, preventing unauthorized devices.

Why this answer

Port security is the correct feature because it allows the administrator to specify a list of allowed MAC addresses per switch port. When a device with an unauthorized MAC address attempts to connect, the switch can either block the traffic, generate an alert, or disable the port (errdisable state). This directly enforces access control based on the MAC address list provided.

Exam trap

Cisco often tests the distinction between port security and MAC address filtering: candidates mistakenly choose 'MAC address filtering' because it sounds correct, but Cisco expects the exact feature name 'port security' as it is the configured command on a switch port.

How to eliminate wrong answers

Option A is wrong because 802.1X is a port-based authentication protocol that requires a RADIUS server to authenticate users or devices via credentials or certificates, not a static list of MAC addresses. Option B is wrong because MAC address filtering is a general term often used in wireless networks or router ACLs, not a specific Cisco switch feature; on a switch port, the correct implementation is port security, which includes MAC address filtering as a sub-function. Option D is wrong because VLAN hopping prevention (e.g., disabling DTP, setting native VLAN to an unused ID) is a security measure to prevent attackers from jumping between VLANs, not a mechanism to restrict which MAC addresses can access a specific port.
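The port security configuration that answers this question and question 76 together, as an added example not from the original page: a Cisco IOS Catalyst access port with one statically allowed MAC address plus sticky learning of one more, violation mode shutdown, and global errdisable recovery so that a port shut by a violation comes back on its own. The MAC address, interface names, VLAN numbers and interval are assumptions; the unused-port section reflects the finding in question 76.

```cisco
! Added example, not from the original page. Cisco IOS Catalyst syntax;
! MAC address, interface names, VLANs and interval are assumptions.
interface GigabitEthernet1/0/7
 description Authorized workstation
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0011.2233.4455
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Unused ports (question 76): do not leave them in default configuration.
! Shut them and park them in a VLAN that carries nothing.
interface range GigabitEthernet1/0/20 - 47
 switchport mode access
 switchport access vlan 999
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 shutdown
!
! Without this a port shut by a violation stays err-disabled until an
! administrator issues shutdown / no shutdown. The interval is global and
! in seconds; the cause must be listed or recovery does not apply to it.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification:
! show port-security interface GigabitEthernet1/0/7
! show port-security address
! show errdisable recovery
! show interfaces status err-disabled
```

Port security needs the port in a fixed switchport mode (access or trunk) and will refuse to enable on a port still in dynamic (DTP) mode; sticky addresses are written into the running configuration when learned, so save the configuration or they are lost at reload.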

86
MCQ · hard

A security analyst observes that an internal server is sending a large volume of TCP SYN packets to various external IP addresses, but never completing the three-way handshake. This behavior is indicative of which type of attack?

A.Man-in-the-middle attack
B.SYN flood attack
C.DDoS amplification attack
D.Smurf attack
Answer: B

A SYN flood attack is characterized by sending numerous SYN packets without completing the handshake, overwhelming the victim's connection table. The internal server is likely compromised and acting as the attacker.

Why this answer

The correct answer is B. A SYN flood attack occurs when an attacker sends a high volume of TCP SYN packets to a target but never completes the three-way handshake by sending the final ACK. This leaves the target's connection table half-open, consuming resources and potentially exhausting its ability to accept legitimate connections.

The observed behavior—internal server sending many SYN packets without completing the handshake—matches the classic signature of a SYN flood, though typically the attacker spoofs the source IP to avoid response traffic.

Exam trap

CompTIA often tests the distinction between a SYN flood (which uses TCP SYN packets and incomplete handshakes) and a DDoS amplification attack (which uses UDP or other protocols with spoofed sources), so candidates mistakenly choose amplification when they see 'large volume' and 'external IPs' without recognizing the TCP SYN signature.

How to eliminate wrong answers

Option A is wrong because a man-in-the-middle attack involves intercepting and potentially altering communications between two parties, not flooding a target with incomplete TCP handshakes. Option C is wrong because a DDoS amplification attack relies on sending small queries to a vulnerable service (e.g., DNS, NTP) with a spoofed source IP, causing the service to send large responses to the victim; this does not involve TCP SYN packets or incomplete handshakes. Option D is wrong because a Smurf attack uses ICMP echo requests sent to a broadcast address with a spoofed source IP, causing all hosts on the network to reply to the victim; it does not use TCP SYN packets.

87
MCQ · hard

A security analyst discovers that users on the network are receiving ARP replies that map the default gateway IP address to an unknown MAC address. This is causing intermittent connectivity issues. Which type of attack is occurring, and what security feature should be implemented to prevent it?

A.MAC flooding; port security
B.ARP poisoning; Dynamic ARP Inspection (DAI)
C.DHCP starvation; DHCP snooping
D.DNS poisoning; DNSSEC
Answer: B

DAI trusts only ARP responses that match a valid IP-to-MAC binding, preventing ARP spoofing.

Why this answer

This attack is ARP poisoning (also called ARP spoofing), where an attacker sends forged ARP replies to associate the default gateway's IP address with the attacker's MAC address. This allows the attacker to intercept, modify, or drop traffic intended for the gateway. Dynamic ARP Inspection (DAI) prevents this by validating ARP packets against a trusted DHCP snooping binding table, dropping any ARP reply that contains an IP-to-MAC mapping not present in the table.

Exam trap

Exams often test the distinction between attacks that manipulate ARP (ARP poisoning, MAC flooding) and attacks on other protocols that merely share the words 'spoofing' or 'poisoning' (DHCP starvation, DNS poisoning), so candidates pick DHCP starvation or DNS poisoning without recognizing that the symptom, ARP replies mapping the gateway IP to an unknown MAC, is a direct indicator of ARP manipulation.

How to eliminate wrong answers

Option A is wrong because MAC flooding floods the switch's CAM table with fake MAC addresses to force it into fail-open mode, causing unicast flooding, not ARP reply manipulation; port security limits the number of MAC addresses per port but does not validate ARP mappings. Option C is wrong because DHCP starvation exhausts the DHCP server's IP address pool by sending many fake DHCP requests, preventing legitimate clients from obtaining IPs, not by sending forged ARP replies; DHCP snooping filters untrusted DHCP messages but does not directly inspect ARP packets. Option D is wrong because DNS poisoning corrupts DNS resolver caches to redirect domain names to malicious IPs, not by manipulating ARP replies at Layer 2; DNSSEC adds cryptographic signatures to DNS records but does not operate at the ARP level.

88
MCQ · medium

A security analyst discovers that an unauthorized device is sending forged ARP replies, causing other devices to map the default gateway IP address to the attacker's MAC address. Which security feature should be implemented on the switches to prevent this attack?

A.Port security
B.DHCP snooping
C.Dynamic ARP Inspection
D.BPDU guard
Answer: C

DAI specifically inspects ARP messages and blocks invalid ones, directly countering ARP spoofing.

Why this answer

Dynamic ARP Inspection (DAI) is the correct choice because it validates ARP packets on a per-port basis, ensuring that only legitimate ARP replies with correct IP-to-MAC bindings are forwarded. DAI uses a DHCP snooping binding table (or static ARP ACLs) to intercept and verify ARP packets, dropping forged replies that attempt to poison the ARP cache of other devices.

Exam trap

CompTIA often tests the distinction between DHCP snooping (which builds the binding table) and Dynamic ARP Inspection (which uses that table to filter ARP), leading candidates to mistakenly choose DHCP snooping as the direct defense against ARP spoofing.

How to eliminate wrong answers

Option A is wrong because port security limits the number of MAC addresses per port or restricts specific MAC addresses, but it does not inspect the content of ARP messages or prevent ARP spoofing. Option B is wrong because DHCP snooping builds a trusted binding table of IP-to-MAC mappings, but it alone does not filter ARP traffic; it is a prerequisite for DAI, not the direct defense against forged ARP replies. Option D is wrong because BPDU guard is a Spanning Tree Protocol (STP) feature that disables a port if a BPDU is received, protecting against bridge loops, not ARP spoofing attacks.

89
MCQ · medium

A company is implementing network access control to ensure only authenticated users can connect to the wired network. Users must authenticate using their domain credentials before gaining full network access. Which standard should be implemented?

A.802.1X
B.802.3af
C.802.11i
D.802.1Q
Answer: A

802.1X provides authentication for devices attempting to connect to a network port, verifying credentials against a central server.

Why this answer

802.1X is the IEEE standard for port-based network access control (PNAC). It uses the Extensible Authentication Protocol (EAP) to authenticate devices attempting to connect to a wired or wireless LAN, requiring valid domain credentials before the switch port grants full network access.

Exam trap

Cisco often tests 802.1X by contrasting it with 802.11i, trapping candidates who confuse wireless security standards with wired port-based access control.

How to eliminate wrong answers

Option B (802.3af) is wrong because it defines Power over Ethernet (PoE) standards for delivering power over twisted-pair cabling, not authentication. Option C (802.11i) is wrong because it specifies security mechanisms for wireless networks (WPA2/AES-CCMP), not wired network access control. Option D (802.1Q) is wrong because it is the standard for VLAN tagging and trunking, not for authenticating users before granting network access.
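The authenticator side of this answer, as an added example not from the original page: a Cisco IOS Catalyst switch pointed at a RADIUS server, with one access port set to require 802.1X before it passes anything other than EAPOL. The RADIUS address, shared secret, VLAN and interface names are assumptions. The same authenticator/RADIUS pairing underlies questions 78 and 92 on the wireless side; which EAP method is used (EAP-TLS or PEAP) is decided between the supplicant and the RADIUS server, not on the switch.

```cisco
! Added example, not from the original page. Cisco IOS Catalyst as 802.1X
! authenticator; RADIUS address, secret, VLAN and interfaces are assumptions.
aaa new-model
aaa authentication dot1x default group radius
! Needed if the RADIUS server returns a VLAN or downloadable ACL.
aaa authorization network default group radius
!
radius server ISE-1
 address ipv4 10.1.100.5 auth-port 1812 acct-port 1813
 key REPLACE-WITH-STRONG-SHARED-SECRET
!
! Turn on the authenticator function globally; per-port settings below
! have no effect without this line.
dot1x system-auth-control
!
interface GigabitEthernet1/0/12
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
! auto: the port starts unauthorized and passes only EAPOL until the
! server returns Access-Accept. force-authorized would switch 802.1X off.
 authentication port-control auto
! Seconds between EAP-Request/Identity retransmits while waiting for a
! supplicant (default 30); short enough that users are not kept waiting.
 dot1x timeout tx-period 10
!
! This port fails closed for devices with no supplicant. To park them in a
! guest VLAN instead, add under the interface:
!  authentication event no-response action authorize vlan 50
!
! Verification:
! show dot1x all
! show authentication sessions interface GigabitEthernet1/0/12 details
```

Use a long random shared secret (the RADIUS secret protects the password attributes in transit) and restrict the server to accept requests only from the switches' addresses; printers and other devices without supplicants are usually handled with MAC Authentication Bypass on the same port rather than by leaving 802.1X off.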

90
MCQ · medium

A security analyst notices that the network has been flooded with packets that have the same source IP address as the company's internal DNS server. This is likely an example of which type of attack?

A.Smurf attack
B.IP spoofing
C.Man-in-the-middle
D.ARP poisoning
Answer: B

IP spoofing involves forging the source IP address in packets to make them appear to come from a trusted source.

Why this answer

IP spoofing is the correct answer because the attacker is forging the source IP address of packets to impersonate the company's internal DNS server. By flooding the network with packets that appear to originate from a trusted internal server, the attacker can bypass security controls, launch reflection attacks, or cause denial of service. This directly matches the scenario where the source IP is falsified to match a legitimate internal host.

Exam trap

CompTIA often tests the distinction between IP spoofing and Smurf attacks, where candidates mistakenly choose Smurf because both involve spoofed source addresses, but Smurf specifically requires ICMP and broadcast amplification, not arbitrary packet flooding with a DNS server's IP.

How to eliminate wrong answers

Option A is wrong because a Smurf attack uses ICMP echo requests sent to a broadcast address with a spoofed victim source IP, causing all hosts on the network to reply to the victim; it does not specifically impersonate a DNS server. Option C is wrong because a man-in-the-middle attack involves intercepting and potentially altering communications between two parties, not flooding the network with packets from a spoofed source IP. Option D is wrong because ARP poisoning manipulates ARP tables to associate a malicious MAC address with a legitimate IP address, enabling traffic interception, but it does not involve flooding with packets having a spoofed source IP.

91
MCQ · medium

A security analyst discovers that an unauthorized device is sending forged ARP replies to poison the ARP caches of other devices on the network. Which security feature should be implemented on the switches to prevent this?

A.Port security
B.DHCP snooping
C.Dynamic ARP Inspection
D.STP BPDU guard
Answer: C

DAI uses the DHCP snooping binding table to validate ARP packets and drop spoofed ones.

Why this answer

Dynamic ARP Inspection (DAI) validates ARP packets on a per-interface basis by intercepting all ARP requests and replies and verifying that they match entries in the DHCP snooping binding table. If an ARP reply contains a forged IP-to-MAC mapping, DAI drops the packet, preventing ARP cache poisoning. This directly stops the described attack where an unauthorized device sends forged ARP replies.

Exam trap

CompTIA often tests the distinction between DHCP snooping (which builds the trust database) and Dynamic ARP Inspection (which uses that database to filter ARP traffic), leading candidates to mistakenly choose DHCP snooping as the direct solution for ARP spoofing.

How to eliminate wrong answers

Option A is wrong because port security limits the number of MAC addresses on a port or restricts specific MACs, but it does not inspect or validate the content of ARP messages. Option B is wrong because DHCP snooping builds a binding table of trusted DHCP assignments and filters rogue DHCP servers, but it does not validate ARP packets on its own. Option D is wrong because STP BPDU guard protects against rogue bridge protocol data units that could cause spanning tree topology changes, not against forged ARP replies.

92
MCQ · medium

A company is deploying a wireless network that requires the highest level of security for client authentication. The network must use a RADIUS server. Which wireless security standard should be implemented?

A.WPA2-Personal
B.WPA3-Enterprise
C.WPA2-Enterprise
D.WPA3-Personal
Answer: B

WPA3-Enterprise authenticates every user through 802.1X/EAP against a RADIUS server, makes Protected Management Frames mandatory, and offers an optional 192-bit (CNSA) mode, which makes it the strongest option that meets the RADIUS requirement.

Why this answer

WPA3-Enterprise (option B) is correct because it uses 802.1X/EAP authentication against a RADIUS server, as the scenario requires, and is the current generation of the enterprise mode: it makes Protected Management Frames (802.11w) mandatory, drops the legacy TKIP and WEP ciphers, and defines an optional 192-bit security mode (GCMP-256, HMAC-SHA-384, 384-bit elliptic-curve key exchange and signatures, with EAP-TLS required) for environments that need CNSA-level protection. Note that SAE belongs to WPA3-Personal, not Enterprise: in Enterprise mode the pairwise master key comes out of the EAP exchange, and the 4-way handshake still derives the session keys from it.

Exam trap

Cisco often tests the distinction between WPA2-Enterprise and WPA3-Enterprise; candidates pick WPA2-Enterprise because it also uses RADIUS, overlooking that the question asks for the highest level and that WPA3-Enterprise adds mandatory management-frame protection and the optional 192-bit mode. A second trap is attributing SAE to WPA3-Enterprise: SAE replaces the pre-shared-key exchange in WPA3-Personal only.

How to eliminate wrong answers

Option A is wrong because WPA2-Personal uses a pre-shared key (PSK) and no RADIUS server, failing the requirement for RADIUS-based authentication. Option C is wrong only on degree: WPA2-Enterprise does use 802.1X/EAP with a RADIUS server, but it still permits TKIP, leaves management-frame protection optional, and has no 192-bit mode, so it is not the highest level available. Option D is wrong because WPA3-Personal authenticates with a password through SAE, which resists offline dictionary attacks but is still a shared secret with no per-user credentials and no RADIUS integration.

93
MCQ · easy

Which security feature on a switch can prevent an attacker from sending forged ARP messages to redirect traffic?

A.Port security
B.DHCP snooping
C.Dynamic ARP Inspection
D.VLAN segmentation
AnswerC

DAI uses the DHCP snooping binding table to validate ARP packets and drop invalid ones, preventing ARP spoofing.

Why this answer

Dynamic ARP Inspection (DAI) is the correct answer because it validates ARP packets against a trusted database (the DHCP snooping binding table) to ensure that the MAC-to-IP address mapping is legitimate. By intercepting and verifying all ARP requests and replies on untrusted ports, DAI prevents an attacker from sending forged ARP messages to redirect traffic (ARP spoofing).

Exam trap

Cisco often tests the distinction between DHCP snooping (which builds the trust database) and Dynamic ARP Inspection (which uses that database to validate ARP traffic), leading candidates to mistakenly choose DHCP snooping as the direct defense against ARP spoofing.

How to eliminate wrong answers

Option A is wrong because Port Security limits the number of MAC addresses allowed on a switch port and can block unauthorized MACs, but it does not inspect or validate ARP messages, so it cannot prevent ARP spoofing attacks. Option B is wrong because DHCP snooping builds a binding table of legitimate DHCP leases and filters untrusted DHCP messages, but it does not directly inspect ARP traffic; it only provides the database that DAI uses for validation.

94
MCQ · medium

A security analyst notices that a web server is receiving a large number of ICMP echo reply packets from many different external hosts. The server did not send any echo requests. Which type of attack is most likely occurring?

A. Smurf attack
B. Ping flood
C. ICMP tunneling
D. Fraggle attack
Answer: A

The Smurf attack uses IP broadcast and spoofing to cause multiple replies to be sent to the victim, creating a flood of ICMP traffic.

Why this answer

A Smurf attack exploits IP broadcast addressing and ICMP. The attacker sends a large number of ICMP echo request packets with a spoofed source IP (the victim's IP) to a network's broadcast address. All hosts on that network then send ICMP echo reply packets to the victim, overwhelming it with traffic.

Since the server never sent any echo requests, the unsolicited flood of echo replies is the hallmark of a Smurf attack.

Exam trap

Cisco often tests the distinction between a Smurf attack (unsolicited replies from many hosts due to a spoofed broadcast request) and a ping flood (direct requests from the attacker to the victim), so candidates mistakenly choose 'ping flood' when they see a flood of ICMP traffic.

How to eliminate wrong answers

Option B (Ping flood) is wrong because a ping flood involves the attacker directly sending a high volume of ICMP echo request packets to the victim, not unsolicited echo replies from many external hosts. Option C (ICMP tunneling) is wrong because ICMP tunneling is a covert channel technique used to encapsulate non-ICMP data (e.g., SSH, DNS) inside ICMP packets for exfiltration or bypassing firewalls, not for generating a flood of unsolicited echo replies.

95
MCQ · easy

A network administrator wants to prevent rogue DHCP servers from offering IP addresses to clients on the network. Which security feature should be enabled on the switches?

A. DHCP snooping
B. Dynamic ARP Inspection (DAI)
C. Port Security
D. IP Source Guard
Answer: A

DHCP snooping examines DHCP traffic and blocks unauthorized DHCP server responses from untrusted ports.

Why this answer

DHCP snooping is the correct security feature because it acts as a firewall between untrusted hosts and trusted DHCP servers. It validates DHCP messages by filtering out responses from unauthorized DHCP servers on untrusted ports, preventing rogue servers from offering IP addresses to clients. This is achieved by building and maintaining a DHCP snooping binding database that tracks valid IP-to-MAC address mappings.

Exam trap

CompTIA often tests the distinction between DHCP snooping and Dynamic ARP Inspection (DAI), where candidates mistakenly choose DAI because they confuse ARP spoofing with rogue DHCP server attacks.

How to eliminate wrong answers

Option B (Dynamic ARP Inspection) is wrong because it validates ARP packets to prevent ARP spoofing and man-in-the-middle attacks, not DHCP server impersonation. Option C (Port Security) is wrong because it limits the number of MAC addresses allowed on a switch port to prevent MAC flooding attacks, not DHCP rogue server prevention. Option D (IP Source Guard) is wrong because it filters IP traffic based on the DHCP snooping binding table to prevent IP spoofing, but it does not directly block rogue DHCP server messages.

96
MCQ · medium

A network administrator wants to prevent unauthorized devices from connecting to the network through a switch port. Which security feature should be enabled on the switch?

A. 802.1X
B. Port security
C. MAC filtering
D. Storm control
Answer: A

802.1X authenticates devices before allowing them to send traffic, providing strong access control.

Why this answer

802.1X is the correct answer because it provides port-based network access control (PNAC) that authenticates devices before granting network access. It uses the Extensible Authentication Protocol (EAP) over LAN (EAPoL) to communicate with a RADIUS server, ensuring only authorized users or devices can connect through the switch port. This prevents unauthorized devices from accessing the network at Layer 2, regardless of MAC address or IP configuration.

Exam trap

The trap here is that candidates confuse port security or MAC filtering with true authentication, but Cisco tests that 802.1X is the only feature that performs per-device authentication against a central server, not just static MAC-based controls.

How to eliminate wrong answers

Option B (Port security) is wrong because it only limits the number of MAC addresses allowed on a port or locks specific MAC addresses, but it does not authenticate devices; an attacker can spoof a permitted MAC address and bypass the restriction. Option C (MAC filtering) is wrong because it is a static access control list based on MAC addresses, which can be easily spoofed and does not provide dynamic authentication or integration with a central identity store like RADIUS.

97
MCQ · easy

Which of the following security mechanisms requires a user to authenticate before gaining access to the wired network at a switch port?

A. 802.1X
B. Port security
C. ACL
D. MAC authentication
Answer: A

802.1X is a Layer 2 protocol that blocks all traffic until the device authenticates, providing strong access control.

Why this answer

802.1X is a port-based Network Access Control (NAC) standard (IEEE 802.1X) that requires a user or device to authenticate via an authentication server (e.g., RADIUS) before the switch port transitions from an unauthorized to an authorized state, allowing full network access. It uses Extensible Authentication Protocol (EAP) over LAN (EAPoL) to carry authentication messages between the supplicant (client), authenticator (switch), and authentication server. This ensures that only authenticated users can access the wired network at the switch port level.

Exam trap

Cisco often tests the distinction between 802.1X (user authentication) and port security (MAC address filtering), leading candidates to confuse MAC-based restrictions with true authentication mechanisms.

How to eliminate wrong answers

Option B (Port security) is wrong because it restricts access based on MAC addresses, not user authentication; it can be bypassed by spoofing a permitted MAC address and does not involve a user credential challenge. Option C (ACL) is wrong because an Access Control List filters traffic based on IP addresses, ports, or protocols after a device is already connected; it does not enforce user authentication before granting network access. Option D (MAC authentication) is wrong because it authenticates based on the device's MAC address, not a user identity; it is a simpler, less secure method that can be spoofed and does not require interactive user credentials.

98
MCQ · easy

A company wants to ensure that only devices with known MAC addresses can connect to the guest Wi-Fi network. Which security feature should be configured on the wireless controller?

A. WPA2-Enterprise
B. MAC filtering
C. 802.1X
D. WPA3-Personal
Answer: B

MAC filtering restricts network access to clients whose MAC addresses are on an allowed list.

Why this answer

MAC filtering allows the wireless controller to maintain an allowlist of known MAC addresses, so only devices with those addresses can associate with the guest SSID. This directly meets the requirement to restrict access based on MAC addresses without requiring authentication credentials from users.

Exam trap

Cisco often tests the misconception that 802.1X or WPA2-Enterprise can filter by MAC address, but these are authentication protocols for user/device identity, not MAC-based access control.

How to eliminate wrong answers

Option A is wrong because WPA2-Enterprise uses 802.1X/EAP for user-based authentication (e.g., via RADIUS), not MAC address validation, and would require credentials from every guest. Option C is wrong because 802.1X is a port-based authentication framework that relies on credentials or certificates, not MAC addresses, and is typically used for corporate networks, not guest Wi-Fi.

99
MCQ · medium

A network administrator notices that a large number of ICMP echo request packets are being sent to the broadcast address of the network from a single host. This is causing performance degradation. Which type of attack is this?

A. ARP spoofing
B. MAC flooding
C. Smurf attack
D. DNS amplification
Answer: C

A Smurf attack uses ICMP echo requests to a broadcast address to create a denial-of-service via amplification.

Why this answer

The smurf attack exploits ICMP by sending echo request packets to a network's broadcast address with a spoofed source IP of the victim. All hosts on the network then reply to the victim, overwhelming it with traffic and causing performance degradation. This matches the scenario of a single host sending ICMP echo requests to the broadcast address.

Exam trap

CompTIA often tests the distinction between amplification attacks (smurf vs. DNS amplification) by focusing on the protocol used (ICMP vs. UDP) and the target address (broadcast vs. open resolver), leading candidates to confuse smurf with DNS amplification if they only remember 'amplification' without the protocol details.

How to eliminate wrong answers

Option A is wrong because ARP spoofing involves sending forged ARP messages to link an attacker's MAC address with a legitimate IP, causing traffic interception, not ICMP broadcast floods. Option B is wrong because MAC flooding targets a switch's CAM table by sending many frames with fake source MAC addresses to force it into fail-open mode, not by using ICMP packets. Option D is wrong because DNS amplification uses small DNS queries with a spoofed source IP to cause large responses from open resolvers, leveraging UDP, not ICMP echo requests to a broadcast address.

100
MCQ · hard

A security analyst notices that a network switch is receiving DHCP discover messages from a rogue device offering IP addresses. The rogue device is causing clients to obtain invalid IP addresses and lose network connectivity. Which security feature should be implemented on the switch to prevent this type of attack?

A. Dynamic ARP inspection (DAI)
B. DHCP snooping
C. Port security
D. 802.1X authentication
Answer: B

DHCP snooping validates DHCP messages and blocks rogue DHCP servers by only allowing DHCP server messages on trusted ports.

Why this answer

B is correct because DHCP snooping is a security feature that filters untrusted DHCP messages on a switch. It distinguishes between trusted ports (connected to legitimate DHCP servers) and untrusted ports (connected to clients or rogue devices). When a rogue device sends DHCP discover messages offering IP addresses, DHCP snooping on untrusted ports drops those messages, preventing the rogue server from assigning invalid IP addresses.

Exam trap

The trap here is that candidates confuse DHCP snooping with Dynamic ARP Inspection (DAI), but DAI only protects against ARP-based attacks, not rogue DHCP servers, while DHCP snooping directly addresses the described scenario.

How to eliminate wrong answers

Option A is wrong because Dynamic ARP Inspection (DAI) validates ARP packets to prevent ARP spoofing and man-in-the-middle attacks, but it does not filter or block rogue DHCP server messages. Option C is wrong because Port Security limits the number of MAC addresses allowed on a port to prevent MAC flooding attacks, but it does not inspect or block DHCP messages from unauthorized servers.

101
Drag & Drop · medium

Drag and drop the steps to configure a VLAN on a managed switch into the correct order.

Why this order

VLAN creation involves entering config mode, creating the VLAN, and assigning ports.

102
MCQ · hard

A company wants to ensure that only users who have successfully authenticated with Active Directory credentials can access the wired network. The network switches support IEEE 802.1X. Which additional component must be deployed to complete the solution?

A. A RADIUS server
B. A DHCP server
C. A certificate authority
D. A TACACS+ server
Answer: A

RADIUS is the standard authentication server used with 802.1X to validate credentials against an identity source like Active Directory.

Why this answer

IEEE 802.1X port-based authentication requires a RADIUS server to act as the authentication server. The switch (authenticator) forwards the user's credentials to the RADIUS server, which validates them against Active Directory and returns an accept or reject decision. Without a RADIUS server, the switch has no way to verify the user's credentials against the central identity store.

Exam trap

Cisco often tests the distinction between RADIUS (for network access) and TACACS+ (for device administration), leading candidates to mistakenly choose TACACS+ because it is associated with authentication, even though 802.1X specifically requires RADIUS.

How to eliminate wrong answers

Option B is wrong because a DHCP server only assigns IP addresses and does not perform authentication; it cannot validate Active Directory credentials. Option C is wrong because a certificate authority issues digital certificates for certificate-based authentication (e.g., EAP-TLS), but the question specifies that users authenticate with Active Directory credentials, not certificates, and 802.1X can use password-based EAP methods (e.g., PEAP-MSCHAPv2) that do not require a CA. Option D is wrong because TACACS+ is a Cisco-proprietary protocol primarily used for device administration (e.g., authenticating network engineers to switches/routers), not for end-user network access authentication via 802.1X; RADIUS is the standard for network access control.

103
MCQ · hard

A security analyst detects that an attacker is sending forged ARP replies to associate the attacker's MAC address with the IP address of the default gateway. What is this attack called?

A. ARP poisoning
B. MAC flooding
C. DHCP snooping
D. DNS spoofing
Answer: A

ARP poisoning directly exploits the ARP protocol by injecting false entries into a target's ARP cache, redirecting traffic destined for the gateway to the attacker.

Why this answer

ARP poisoning (also known as ARP spoofing) is the correct answer because the attacker sends forged ARP replies to associate their MAC address with the IP address of the default gateway. This causes the victim's switch to update its ARP cache with the attacker's MAC for the gateway's IP, enabling man-in-the-middle attacks where the attacker intercepts traffic destined for the gateway.

Exam trap

Cisco often tests the distinction between ARP poisoning (which targets the ARP cache) and MAC flooding (which targets the switch's CAM table), leading candidates to confuse the two because both involve MAC addresses and network attacks.

How to eliminate wrong answers

Option B (MAC flooding) is wrong because MAC flooding overwhelms a switch's CAM table with fake MAC addresses to force it into fail-open mode (hub mode), not by sending forged ARP replies to associate a MAC with a specific IP. Option C (DHCP snooping) is wrong because DHCP snooping is a security feature that filters untrusted DHCP messages to prevent rogue DHCP servers, not an attack that sends forged ARP replies.

104
MCQ · medium

A security auditor discovers that an unauthorized switch has been connected to an access port in the wiring closet. The rogue switch caused a network loop and disrupted connectivity. Which security feature, if enabled on the access port, would have prevented this by disabling the port when a BPDU is received?

A. BPDU guard
B. Root guard
C. Loop guard
D. UDLD
Answer: A

BPDU guard disables a port that receives a BPDU, effectively blocking unauthorized switches.

Why this answer

BPDU guard is the correct answer because it is specifically designed to protect against rogue switch connections on access ports. When enabled, if a port receives any Bridge Protocol Data Unit (BPDU), it immediately places the port into an errdisable state, effectively disabling it and preventing a potential network loop. This directly addresses the scenario where an unauthorized switch connected to an access port caused a loop.

Exam trap

CompTIA often tests the distinction between BPDU guard and Root guard, where candidates mistakenly choose Root guard thinking it prevents loops, but Root guard only protects the root bridge election and does not disable a port upon BPDU reception.

How to eliminate wrong answers

Option B (Root guard) is wrong because it does not disable a port upon receiving a BPDU; instead, it prevents a port from becoming a root port by placing it into a root-inconsistent state if a superior BPDU is received, which protects the spanning-tree root bridge placement, not against rogue switches. Option C (Loop guard) is wrong because it prevents alternate or root ports from becoming designated ports in the absence of BPDUs, typically used to detect unidirectional links and prevent loops, but it does not disable a port when a BPDU is received. Option D (UDLD) is wrong because it detects unidirectional links by exchanging proprietary messages and can place a port in errdisable state for unidirectional failures, but it does not react to BPDU reception and is not a direct defense against rogue switches causing loops.

Page 2 of 2 · 104 questions total