CCNA Cc Network Security Questions

75 of 120 questions · Page 1/2 · Cc Network Security topic · Answers revealed

1
MCQhard

A company is deploying a security device that inspects HTTP and HTTPS traffic, applies OWASP rules, and can block malicious requests before they reach the web server. Which device best fits this description?

A.Honeypot
B.Intrusion Prevention System (IPS)
C.Web Application Firewall (WAF)
D.Stateful firewall
AnswerC

Correct. WAF specializes in web traffic and OWASP rules.

Why this answer

A Web Application Firewall (WAF) is specifically designed to protect web applications by inspecting HTTP/HTTPS traffic and applying rules like OWASP.

2
Multi-Selectmedium

A security analyst is investigating a potential DDoS attack. Which of the following are common indicators of a DDoS? (Choose TWO)

Select 2 answers
A.Low CPU usage on servers
B.Unusually high traffic volume from multiple IP addresses
C.Single source sending many packets
D.Slow network performance and increased latency
E.Decrease in DNS queries
AnswersB, D

DDoS uses distributed sources.

Why this answer

High volume of traffic from many sources and increased latency are signs of DDoS.

3
MCQhard

A security engineer is configuring a network security device that can block malicious HTTP requests based on application-layer inspection. Which device type is most suitable?

A.Intrusion Prevention System (IPS)
B.Network-based Intrusion Detection System (NIDS)
C.Web Application Firewall (WAF)
D.Stateful firewall
AnswerC

Correct. WAF inspects HTTP/HTTPS application layer traffic.

Why this answer

A Web Application Firewall (WAF) specifically inspects HTTP/HTTPS traffic and can block attacks like SQL injection and XSS.

4
MCQhard

During a DDoS attack, a company's web server is overwhelmed with a high volume of SYN packets from spoofed IP addresses, never completing the TCP handshake. Which type of attack is this?

A.ICMP flood
B.UDP flood
C.Amplification attack
D.SYN flood
AnswerD

Correct. SYN flood exploits the TCP handshake.

Why this answer

A SYN flood sends many SYN packets to exhaust server resources by leaving half-open connections.

5
MCQmedium

A network administrator is troubleshooting connectivity issues and notices that frames are being dropped due to excessive collisions. Which OSI layer is most directly associated with this issue?

A.Physical
B.Data Link
C.Network
D.Transport
AnswerB

Frames and collision detection (CSMA/CD) are Layer 2 functions.

Why this answer

Collisions occur at the Data Link layer (Layer 2) where frames are transmitted over shared media. Hubs and CSMA/CD operate at this layer.

6
Multi-Selecthard

A security team is analyzing network segmentation strategies. Which THREE of the following are benefits of using VLANs for network segmentation?

Select 3 answers
A.They allow logical grouping of users regardless of physical location
B.They eliminate the need for IP addressing
C.They increase the collision domain size
D.They reduce broadcast traffic by dividing broadcast domains
E.They can isolate sensitive systems from the rest of the network
AnswersA, D, E

VLANs group devices based on function, not location.

Why this answer

VLANs provide logical separation, improve security, reduce broadcast domain size, and allow flexible grouping without physical rewiring.

7
MCQeasy

Which protocol is used to resolve IP addresses to MAC addresses on a local network?

AnswerA

ARP resolves IP to MAC.

Why this answer

ARP (Address Resolution Protocol) maps IP addresses to MAC addresses within the same network.

8
Multi-Selectmedium

A network administrator needs to segment traffic and isolate sensitive systems. Which two technologies can achieve this? (Choose TWO.)

Select 2 answers
B.VLANs
C.Stateful firewall
D.DMZ
E.Subnetting
AnswersB, E

Correct. VLANs segment traffic on a switch.

Why this answer

VLANs provide logical segmentation at Layer 2, and subnetting divides IP networks, often used with routing to isolate traffic. DMZ is a specific segment for public servers, not general segmentation. Firewalls and IDS are security devices, not segmentation technologies.

9
MCQhard

A security analyst notices a high volume of ICMP Echo Reply packets from an external server to an internal host that never sent Echo Requests. Which type of attack is likely occurring?

A.Smurf attack
B.SYN flood
C.ARP poisoning
D.DNS amplification
AnswerA

Smurf attack sends ICMP Echo Requests to a broadcast address with spoofed source, causing many replies to flood the victim.

Why this answer

Unsolicited ICMP replies may indicate a DoS attack using reflected traffic.

10
MCQhard

A security analyst detects a large volume of small ICMP echo request packets from multiple external sources targeting a single internal server, causing the server to become unresponsive. Which type of attack is this?

A.ICMP flood (DDoS)
B.ARP spoofing
C.Man-in-the-middle
D.SYN flood
AnswerA

Multiple sources send ICMP echo requests, a common DDoS technique.

Why this answer

A DDoS attack using ICMP flood overwhelms the target with echo requests, consuming bandwidth and resources.

11
MCQeasy

A security analyst notices unusual traffic on the network and wants to capture packets for analysis without altering traffic. Which device should they use?

B.Intrusion Prevention System (IPS)
C.Proxy server
D.Network tap
AnswerD

A network tap provides a passive copy of traffic for analysis.

Why this answer

A network tap (or port mirror) creates a copy of traffic for passive monitoring. A firewall blocks/allows traffic, an IPS blocks malicious traffic, and a proxy modifies requests.

13
Multi-Selectmedium

A network administrator is designing a DMZ to host a web server, an email server, and a DNS server. Which TWO of the following principles should be applied to secure the DMZ? (Select TWO.)

Select 2 answers
A.Use a firewall to control traffic between the DMZ and internal network.
B.Place all DMZ servers on the same VLAN to simplify management.
C.Implement separate VLANs for each type of server to limit lateral movement.
D.Allow all outbound traffic from the DMZ to the internet for ease of use.
E.Disable logging on DMZ devices to conserve resources.
AnswersA, C

A firewall enforces strict access rules from DMZ to internal.

Why this answer

Proper segmentation and access control are key; placing servers on separate VLANs and restricting inbound/outbound traffic with firewalls are essential.

14
MCQeasy

Which OSI layer is responsible for logical addressing and routing?

A.Data Link layer
B.Network layer
C.Transport layer
D.Physical layer
AnswerB

Network layer (Layer 3) is responsible for IP addressing and routing.

Why this answer

The Network layer (Layer 3) handles IP addressing and routing decisions.

15
Multi-Selectmedium

Which three of the following are benefits of using VLANs in a network? (Choose three.)

Select 3 answers
A.Enhanced security through network segmentation
B.Eliminates the need for routing
C.Increased collision domains
D.Reduction of broadcast traffic
E.Simplified network administration when users move
AnswersA, D, E

VLANs isolate traffic between groups.

Why this answer

VLANs improve security through segmentation, reduce broadcast traffic, and simplify network changes. They do not increase collision domains (switches eliminate collisions) and do not replace routing.

16
MCQeasy

What is the primary difference between an IDS and an IPS?

A.IDS is faster than IPS
B.IDS is hardware, IPS is software
C.IDS monitors only hosts, IPS monitors network
D.IDS only alerts, IPS can block traffic
AnswerD

IPS is inline and can take action.

Why this answer

IDS is passive (alerts), IPS is inline (can block).

17
Multi-Selectmedium

A security analyst is investigating a potential DDoS attack on the company's web server. Which two symptoms are indicative of a SYN flood attack? (Select TWO.)

Select 2 answers
A.Increased DNS query responses
B.High number of ICMP echo replies
C.Unusual outbound traffic on port 80
D.Large number of half-open connections
E.High number of SYN packets with no ACK
AnswersD, E

The server keeps connections in SYN-RECEIVED state.

Why this answer

Option D is correct because a SYN flood attack exploits the TCP three-way handshake by sending a high volume of SYN packets to a target server without completing the handshake, resulting in a large number of half-open connections that exhaust server resources. These connections remain in a SYN_RECEIVED state, consuming memory and preventing legitimate connections from being established.

Exam trap

Cisco often tests the distinction between the symptom of 'half-open connections' (the server-side resource exhaustion) and the traffic pattern of 'SYN packets with no ACK' (the attacker's behavior), expecting candidates to recognize both as correct indicators of a SYN flood.

18
MCQhard

A company deploys a device that inspects HTTP and HTTPS traffic to block SQL injection and cross-site scripting attacks. This device is best described as a:

A.Stateful firewall
B.Web application firewall (WAF)
C.Honeypot
D.Network-based IPS
AnswerB

WAF is purpose-built for web traffic and application-layer attacks.

Why this answer

A Web Application Firewall (WAF) is specifically designed to protect web applications by filtering and monitoring HTTP/HTTPS traffic, often using rules like OWASP to block common attacks.

19
Multi-Selectmedium

An organization wants to protect its internal network from unsolicited inbound traffic while allowing responses to outbound connections. Which TWO firewall features or types are best suited for this? (Select TWO)

Select 2 answers
A.Packet filtering (stateless)
C.Application proxy
D.Stateful inspection
E.IDS
AnswersB, D

NGFW includes stateful inspection and provides this capability.

Why this answer

Stateful inspection tracks connection state to allow return traffic. NGFW includes stateful inspection plus advanced features. Packet filtering alone is stateless; proxy and IDS are not optimal.

20
MCQeasy

Which firewall type operates at Layer 3 and Layer 4, making decisions based solely on source/destination IP and port numbers?

A.Stateful inspection firewall
B.Packet filtering firewall
C.Next-generation firewall (NGFW)
D.Application proxy firewall
AnswerB

Packet filtering decisions are based on L3/L4 headers only.

Why this answer

Packet filtering firewalls are stateless and examine packet headers in isolation.

21
MCQmedium

A network administrator needs to segment traffic between departments without additional hardware. Which technology allows this logical separation on a Layer 2 switch?

A.Subnetting
C.VPN
D.DMZ
AnswerB

Correct. VLANs provide logical segmentation on a Layer 2 switch.

Why this answer

VLANs (Virtual Local Area Networks) allow logical segmentation on a switch, separating traffic at Layer 2 without extra hardware.

22
MCQeasy

Which of the following is a benefit of using VLANs in a network?

A.Logical segmentation without additional hardware
B.Elimination of all broadcast traffic
C.Faster data transfer speeds
D.Increased physical security
AnswerA

VLANs segment traffic logically on the same switch.

Why this answer

VLANs allow logical segmentation of a network at Layer 2, improving security and reducing broadcast traffic without requiring additional physical switches.

23
MCQeasy

A firewall that filters traffic based solely on source and destination IP addresses and ports without considering the state of connections is known as a:

A.Application proxy
B.Stateless firewall
C.Stateful firewall
D.Next-generation firewall
AnswerB

Stateless firewalls inspect packets individually.

Why this answer

A stateless (packet-filtering) firewall examines each packet independently and does not track connection state.

24
MCQmedium

A company's public web server is placed in a separate network segment that is accessible from the internet but isolated from the internal LAN. What is this network architecture called?

A.Subnet
B.Honeypot
D.DMZ
AnswerD

DMZ provides controlled access to public servers while protecting the internal network.

Why this answer

A DMZ (demilitarized zone) is a buffer network for public-facing services.

25
MCQhard

An organization uses a network segmentation strategy that creates separate broadcast domains on a single switch. Which technology is being used?

A.DMZ
B.Honeypot
C.Subnetting
AnswerD

VLANs create separate broadcast domains on a switch.

Why this answer

VLANs (Virtual Local Area Networks) logically segment a switch into multiple isolated broadcast domains, improving security and reducing broadcast traffic.

26
MCQmedium

Which OSI layer is responsible for logical addressing, routing, and forwarding of packets, and where does an IP address operate?

A.Layer 2 – Data Link
B.Layer 1 – Physical
C.Layer 3 – Network
D.Layer 4 – Transport
AnswerC

Correct. IP addresses and routing are at Layer 3.

Why this answer

Layer 3 (Network) handles IP addresses, routing, and packet forwarding.

27
MCQeasy

Which protocol is considered insecure because it transmits data, including passwords, in cleartext, and its use should be avoided in favor of more secure alternatives?

A.SSH
B.SFTP
AnswerD

Correct. Telnet is cleartext and insecure.

Why this answer

Telnet (port 23) transmits data in cleartext. SSH is its secure replacement.

28
MCQmedium

Which firewall type inspects the entire packet, including application data, and can enforce rules based on user identity?

A.Application proxy firewall
B.Packet filtering firewall
C.Next-generation firewall (NGFW)
D.Stateful inspection firewall
AnswerC

Correct. NGFW includes application ID, user ID, and IPS.

Why this answer

Next-generation firewalls (NGFW) combine deep inspection with application ID and user ID.

29
MCQmedium

A company deploys a network security device that can block malicious traffic in real-time by inspecting packet payloads and application data. However, the device occasionally blocks legitimate traffic. Which device is described?

A.IPS
C.WAF
D.IDS
AnswerA

IPS can block, with risk of blocking legitimate traffic.

Why this answer

An Intrusion Prevention System (IPS) sits inline and can block traffic based on deep inspection, but may cause false positives that disrupt legitimate communications.

30
MCQhard

Which of the following is a common mitigation technique for a SYN flood attack?

A.SYN cookies
B.Use UDP instead of TCP
C.Disable TCP timestamps
D.Increase the TCP backlog queue
AnswerA

SYN cookies encode connection state in the SYN-ACK response.

Why this answer

SYN cookies allow the server to respond to SYN requests without maintaining state until the connection is verified, reducing the impact of SYN floods.

31
MCQeasy

Which protocol is considered insecure because it transmits data in cleartext, including passwords?

A.SFTP
B.SSH
AnswerD

Correct. Telnet uses cleartext transmission.

Why this answer

Telnet (port 23) sends all data, including credentials, in plaintext.

32
MCQmedium

A company wants to host a public-facing web server and an email server while protecting the internal network. Which network architecture is best suited for this purpose?

A.Subnetting
B.Full mesh topology
C.Virtual LAN (VLAN)
D.DMZ
AnswerD

DMZ is designed to host public-facing services securely.

Why this answer

A DMZ (demilitarized zone) is a segmented network that sits between the internet and the internal network, hosting public-facing servers while allowing controlled access from both sides.

33
MCQeasy

Which of the following protocols operates at the Transport layer and provides reliable, connection-oriented communication?

B.TCP
C.IP
D.UDP
AnswerB

TCP provides reliable, connection-oriented communication.

Why this answer

TCP provides reliable delivery via acknowledgments and retransmissions, and uses a three-way handshake to establish a connection. UDP is connectionless and unreliable.

34
MCQmedium

A company places a web server and an email server in a separate network segment that is accessible from the internet but isolated from the internal LAN. What is this segment called?

B.DMZ
C.Honeypot
D.Subnet
AnswerB

DMZ is a buffer network for public services.

Why this answer

A DMZ (demilitarized zone) hosts public-facing services with controlled access to the internal network.

35
MCQhard

An organization wants to prevent malicious HTTP requests targeting a web application. Which security device is specifically designed for this purpose?

A.NIDS
B.HIDS
C.WAF
D.IPS
AnswerC

WAF is designed to protect web applications from attacks like SQL injection and XSS.

Why this answer

WAF (Web Application Firewall) inspects HTTP/HTTPS traffic and applies OWASP rules.

36
Multi-Selectmedium

A security analyst is investigating a potential man-in-the-middle attack. Which two techniques are commonly used by attackers to perform MITM attacks? (Choose two.)

Select 2 answers
A.SYN flood
B.Packet sniffing
C.ARP poisoning
D.Rogue Wi-Fi access points
E.IP spoofing
AnswersC, D

ARP poisoning allows interception by associating the attacker's MAC address with a legitimate IP address.

Why this answer

ARP poisoning and rogue Wi-Fi are common MITM techniques. IP spoofing can be part of MITM but is not a standalone technique; SYN flood is DoS.

37
MCQmedium

An attacker captures network traffic and forges the source IP address to impersonate a trusted host. Which type of network threat is this?

A.Sniffing
B.Spoofing
C.Man-in-the-middle
D.Denial of Service
AnswerB

Correct. Forging source IP is IP spoofing.

Why this answer

Spoofing involves falsifying source addresses (IP, ARP, email).

38
MCQeasy

A network administrator is troubleshooting connectivity issues and suspects a problem at the Data Link layer. Which of the following addresses would be most relevant to examine?

A.IP address
C.Port number
D.Domain name
AnswerB

MAC addresses are used at Layer 2 for frame delivery.

Why this answer

The Data Link layer (Layer 2) uses MAC addresses to identify devices on the same network segment. IP addresses operate at the Network layer (Layer 3), and port numbers at the Transport layer (Layer 4).

39
MCQmedium

An attacker sends an email to an employee that appears to come from the CEO, asking for sensitive data. This is an example of which type of threat?

A.Spoofing
B.Phishing
C.Man-in-the-middle
D.Sniffing
AnswerA

Spoofing refers to falsifying the source address, in this case, email.

Why this answer

Email spoofing involves forging the sender address to deceive the recipient.

40
Multi-Selectmedium

A security analyst is reviewing network traffic and notices that some devices are using a protocol that does not guarantee delivery and has no error recovery. Which TWO transport layer protocols fit this description? (Select TWO)

Select 2 answers
AnswersC, D

ICMP does not guarantee delivery.

Why this answer

UDP is connectionless and unreliable. ICMP operates at the network layer but also lacks reliability. The other options are reliable or application-layer.

41
MCQmedium

In the OSI model, which layer uses MAC addresses to forward frames and supports VLANs?

A.Layer 2 - Data Link
B.Layer 4 - Transport
C.Layer 3 - Network
D.Layer 1 - Physical
AnswerA

Correct. MAC addressing, switching, and VLANs are Layer 2 functions.

Why this answer

Layer 2 (Data Link) uses MAC addresses and switches; VLANs operate at this layer.

42
Multi-Selectmedium

A security analyst is deploying network security devices. Which TWO of the following are characteristics of an Intrusion Detection System (IDS)?

Select 2 answers
A.Can be placed inline to block malicious traffic
B.Operates in passive mode by monitoring a copy of traffic
C.Can automatically reconfigure firewall rules
D.Ensures zero false positives
E.Generates alerts when suspicious activity is detected
AnswersB, E

IDS typically uses a SPAN port or tap to monitor traffic passively.

Why this answer

IDS is passive, monitors traffic, and generates alerts but does not block traffic. It can be network-based or host-based.

43
MCQhard

A security analyst detects an ARP spoofing attack on the local network. What is the primary goal of an ARP spoofing attack?

A.To disable the switch by sending fake VLAN tags
B.To overwhelm the network with broadcast traffic
C.To redirect traffic to the attacker's machine for eavesdropping or modification
D.To corrupt the DNS cache
AnswerC

Correct. ARP spoofing enables man-in-the-middle attacks.

Why this answer

ARP spoofing allows an attacker to intercept traffic by associating their MAC address with the IP address of a legitimate host.

44
MCQmedium

An organization wants to place its public web server, email server, and DNS server in a network that is accessible from the internet but isolated from the internal corporate network. Which network design should be used?

A.DMZ
B.VPN
D.Subnet
AnswerA

Correct. A DMZ hosts public-facing servers with controlled access.

Why this answer

A DMZ (demilitarized zone) is a buffer network for public-facing servers.

46
MCQmedium

A security analyst wants to detect malicious traffic on the network without affecting performance. Which type of device should be deployed?

A.IDS
B.Honeypot
C.IPS
AnswerA

IDS passively monitors and alerts without affecting performance.

Why this answer

An Intrusion Detection System (IDS) passively monitors traffic and generates alerts, without blocking traffic. An Intrusion Prevention System (IPS) is inline and can block, but may introduce latency.

47
Multi-Selecteasy

Which two protocols operate at the Transport layer of the OSI model? (Choose TWO.)

Select 2 answers
B.TCP
C.IP
D.Ethernet
E.UDP
AnswersB, E

Correct. TCP is a Transport layer protocol.

Why this answer

TCP and UDP are the primary Transport layer protocols. IP is Network layer, Ethernet is Data Link, and HTTP is Application layer.

48
MCQeasy

A network administrator needs to allow secure remote management of a router. Which protocol and port should be used?

A.FTP on port 21
B.HTTP on port 80
C.SSH on port 22
D.Telnet on port 23
AnswerC

SSH encrypts all traffic, including authentication.

Why this answer

SSH (port 22) provides encrypted remote access, unlike Telnet which sends data in cleartext.

49
Multi-Selectmedium

Which three ports are commonly used by secure protocols? (Choose THREE.)

Select 3 answers
A.80 (HTTP)
B.443 (HTTPS)
C.22 (SSH)
D.23 (Telnet)
E.636 (LDAPS)
AnswersB, C, E

Correct. HTTPS is HTTP over SSL/TLS.

Why this answer

HTTPS uses 443, SSH uses 22, and LDAPS uses 636. HTTP (80), Telnet (23), and FTP (21) are insecure or unencrypted.

50
MCQeasy

An organization wants to separate its internal network from a publicly accessible web server. Which network segmentation technique should be used to isolate the web server while allowing controlled access?

A.Honeypot
B.Subnetting
C.DMZ
AnswerC

Correct. A DMZ isolates public-facing servers from the internal network.

Why this answer

A DMZ (demilitarized zone) is a network segment that hosts public-facing services and is isolated from the internal network.

51
MCQmedium

A security administrator is configuring a network device that monitors traffic and generates alerts when suspicious patterns are detected. The device does not block traffic. Which type of system is being deployed?

A.Web Application Firewall (WAF)
B.Intrusion Detection System (IDS)
C.Intrusion Prevention System (IPS)
D.Next-Generation Firewall (NGFW)
AnswerB

Correct. IDS monitors and alerts without blocking.

Why this answer

An IDS (Intrusion Detection System) is passive and only alerts, while an IPS actively blocks.

52
Multi-Selecthard

An organization is selecting a network security solution to protect against advanced threats. Which THREE features are characteristic of a Next-Generation Firewall (NGFW)? (Select THREE.)

Select 3 answers
A.Static packet filtering based on IP and port
B.Application identification and control
C.User identity awareness
D.Stateful packet inspection
E.Integrated intrusion prevention system (IPS)
AnswersB, C, E

NGFW can identify applications regardless of port.

Why this answer

NGFWs include deep packet inspection, application awareness, and integrated IDS/IPS capabilities.

53
Multi-Selecthard

A network administrator is implementing a DMZ to host a web server and an email server. Which THREE security best practices should be followed? (Select THREE)

Select 3 answers
A.Place only public-facing servers (e.g., web, email) in the DMZ.
B.Use a firewall to control traffic between the internet, DMZ, and internal network.
C.Configure the DMZ to communicate directly with the internal network without restrictions.
D.Allow all inbound traffic to the DMZ from the internet for ease of access.
E.Restrict inbound traffic to only required services (e.g., HTTP, SMTP).
AnswersA, B, E

Internal servers should remain in the internal network.

Why this answer

Proper DMZ design includes placing only public-facing servers in the DMZ, restricting inbound traffic to necessary ports, and preventing direct communication from the DMZ to the internal network. Using private IPs and disabling the firewall are incorrect.

54
MCQhard

During a penetration test, an analyst uses a tool to intercept and modify traffic between a client and server by exploiting the Address Resolution Protocol (ARP). This attack is an example of which type of threat?

A.Spoofing
B.Denial of Service (DoS)
C.Sniffing
D.Man-in-the-middle (MITM)
AnswerD

ARP poisoning enables MITM by redirecting traffic through the attacker.

Why this answer

ARP poisoning allows an attacker to intercept traffic on a local network, enabling man-in-the-middle attacks.

55
MCQmedium

A network administrator wants to control traffic based on source and destination IP addresses and port numbers, while also tracking the state of connections. Which type of firewall should they choose?

A.Stateless packet filtering
B.Application proxy
C.Stateful inspection
D.Next-generation firewall (NGFW)
AnswerC

Stateful firewalls maintain state tables and filter based on connection context.

Why this answer

Stateful inspection firewalls track connection state and filter based on IP/port.

56
Multi-Selectmedium

An organization wants to ensure that only authorized devices can connect to the wired network. Which TWO methods can be used to enforce this?

Select 2 answers
A.802.1X authentication
B.Firewall rules
D.NAT
E.VLAN segmentation
AnswersA, C

802.1X requires device authentication before access.

Why this answer

Port security limits the number of MAC addresses on a switch port, and 802.1X requires authentication before granting network access. VLANs segment but do not authenticate, and firewalls filter traffic but not at the access level.

57
Multi-Selecthard

An organization is experiencing network attacks where the attacker forges the source IP address. Which two types of attacks commonly use IP spoofing? (Choose TWO.)

Select 2 answers
A.ARP spoofing
B.MAC flooding
C.Ping of death
D.SYN flood
E.DNS amplification
AnswersD, E

Correct. Attackers often spoof source IPs in SYN floods.

Why this answer

SYN floods often spoof source IPs to hide the attacker, and DNS amplification attacks use spoofed source IPs to direct responses to the victim. ARP spoofing is local and does not involve IP spoofing in the same way, while MAC flooding and ping of death are different.

58
MCQeasy

Which of the following is a connectionless, unreliable transport protocol?

A.IP
B.TCP
C.UDP
AnswerC

UDP is connectionless and fast but unreliable.

Why this answer

UDP is connectionless and does not guarantee delivery.

59
MCQeasy

Which layer of the OSI model is responsible for routing packets based on IP addresses?

A.Data Link layer
B.Transport layer
C.Network layer
D.Physical layer
AnswerC

Correct. The Network layer routes packets using IP addresses.

Why this answer

The Network layer (Layer 3) handles logical addressing and routing of packets.

60
MCQhard

A company deploys a firewall that inspects packet headers and maintains a state table to track active connections. It drops any incoming packets that do not match an established connection. What type of firewall is this?

A.Application proxy firewall
B.Stateful inspection firewall
C.Next-generation firewall
D.Packet filtering firewall
AnswerB

Correct. Stateful inspection tracks connection state.

Why this answer

A stateful inspection firewall tracks connections and blocks unsolicited inbound traffic.

61
MCQeasy

Which OSI layer is responsible for routing packets across networks using IP addresses?

A.Layer 1 - Physical
B.Layer 3 - Network
C.Layer 4 - Transport
D.Layer 2 - Data Link
AnswerB

Correct. Routing and IP addressing occur at Layer 3.

Why this answer

The Network layer (Layer 3) is responsible for logical addressing and routing. It uses IP addresses to determine the best path for packets to travel from source to destination across different networks. Protocols like IP (IPv4/IPv6), OSPF, and BGP operate at this layer to perform routing decisions.

Exam trap

Cisco often tests the distinction between Layer 2 switching (MAC-based forwarding within a VLAN) and Layer 3 routing (IP-based forwarding between subnets), so the trap here is confusing the Data Link layer's local delivery role with the Network layer's internetwork routing function.

How to eliminate wrong answers

Option A is wrong because Layer 1 (Physical) deals with the physical transmission of raw bits over media (e.g., cables, voltages, frequencies) and has no concept of IP addresses or routing. Option C is wrong because Layer 4 (Transport) provides end-to-end communication, segmentation, and reliability (e.g., TCP/UDP), but it does not perform routing or use IP addresses for path selection. Option D is wrong because Layer 2 (Data Link) handles frame delivery within a single network segment using MAC addresses and protocols like Ethernet, not IP routing across networks.

62
MCQeasy

Which protocol operates at the Transport layer and provides reliable, connection-oriented data delivery?

A.TCP
B.UDP
C.IP
AnswerA

TCP is reliable and connection-oriented.

Why this answer

TCP (Transmission Control Protocol) uses a three-way handshake, sequencing, and acknowledgments to ensure reliable delivery.

63
MCQmedium

A network administrator is configuring a switch to logically separate the Accounting and HR departments on the same physical switch. Which technology should be used?

A.Subnetting
B.DMZ
D.Honeypot
AnswerC

VLANs provide Layer 2 separation.

Why this answer

VLANs can partition a physical switch into multiple logical segments, isolating traffic between groups.

64
Multi-Selecthard

An organization is planning to deploy a DMZ to host web and email servers accessible from the internet. Which three security best practices should be implemented for the DMZ? (Choose three.)

Select 3 answers
A.Use a single firewall to connect internet, DMZ, and internal network
B.Allow all traffic from the DMZ to the internal network for ease of management
C.Use a separate VLAN for DMZ servers to isolate traffic
D.Place a firewall between the internet and the DMZ, and another between the DMZ and the internal network
E.Configure strict access control rules to allow only necessary services
AnswersC, D, E

VLAN segmentation adds another layer of isolation.

Why this answer

Firewalls on both sides, strict access rules, and separate VLANs are best practices. Direct internal access and a single firewall are not recommended.

65
MCQmedium

An attacker intercepts communications between a client and server by establishing independent connections with each. The client believes it is talking to the server, but the attacker relays messages. What is this attack?

A.Phishing
B.Man-in-the-middle
C.Replay attack
D.DoS
AnswerB

The attacker is positioned between the client and the server.

Why this answer

A man-in-the-middle (MITM) attack involves an attacker intercepting and relaying messages between two parties.

66
MCQmedium

A company wants to isolate its public web server from internal networks to reduce risk. The server must be accessible from the internet. Which network architecture should be used?

A.Implement a DMZ
B.Place the server on the internal LAN with a strong firewall rule
C.Use a VLAN to logically separate the server
D.Connect the server directly to the internet without firewall
AnswerA

A DMZ is specifically designed to host public-facing services with controlled access.

Why this answer

A DMZ (demilitarized zone) is a segmented network that hosts public-facing servers, providing an extra layer of security between the internet and the internal network.

67
MCQhard

An organization experiences intermittent network outages. The security team notices that the ARP cache on several switches has entries pointing to an unknown MAC address for the default gateway. Which attack is most likely occurring?

A.ARP spoofing
B.DNS poisoning
C.IP spoofing
D.MAC flooding
AnswerA

ARP spoofing falsifies IP-to-MAC mappings.

Why this answer

ARP spoofing (or ARP poisoning) involves sending forged ARP messages to associate the attacker's MAC with the IP of the default gateway, causing traffic to be misrouted. This can lead to man-in-the-middle attacks or denial of service.

68
MCQmedium

A security analyst notices an unusually high number of incomplete TCP connection requests. Which type of attack is most likely occurring?

A.SYN flood
B.Smurf attack
C.ARP spoofing
D.DNS amplification
AnswerA

Correct. SYN flood is a DoS attack that sends many SYN packets to exhaust server resources.

Why this answer

SYN flood attacks exploit the TCP three-way handshake by sending many SYN packets without completing the handshake, exhausting server resources.

69
MCQmedium

An attacker intercepts communication between two parties by sending forged ARP messages. This is an example of which type of attack?

A.Sniffing
B.Spoofing
C.DoS
D.Man-in-the-middle
AnswerD

ARP poisoning enables interception of communications.

Why this answer

ARP poisoning allows man-in-the-middle attacks by associating the attacker's MAC with the victim's IP.

70
MCQhard

An attacker sends a forged ARP response to a switch, associating the attacker's MAC address with the IP address of the default gateway. The switch updates its ARP cache accordingly. This is an example of which attack?

A.MAC flooding
B.DNS spoofing
C.IP spoofing
D.ARP spoofing
AnswerD

Forged ARP replies redirect traffic to the attacker.

Why this answer

ARP spoofing (or ARP poisoning) involves sending fake ARP messages to associate the attacker's MAC with a legitimate IP, enabling man-in-the-middle attacks.

71
Multi-Selectmedium

A network engineer is designing a DMZ. Which three servers should typically be placed in the DMZ? (Choose THREE.)

Select 3 answers
A.Web server
B.DHCP server
C.Mail server
D.Database server
E.DNS server
AnswersA, C, E

Correct. Web servers are public-facing.

Why this answer

Public-facing servers like web, mail, and DNS servers are typically placed in a DMZ to isolate them from the internal network. DHCP servers are usually internal, and database servers are kept internal for security.

72
MCQeasy

Which OSI layer is responsible for routing packets based on IP addresses?

A.Layer 3 – Network
B.Layer 1 – Physical
C.Layer 4 – Transport
D.Layer 2 – Data Link
AnswerA

The Network layer routes packets using IP addresses.

Why this answer

Layer 3 (Network) handles packet forwarding and routing using IP addresses.

73
MCQmedium

A security analyst detects a large number of incomplete TCP connection requests (SYN segments) directed at a server. This is indicative of which type of attack?

A.ICMP flood
B.UDP flood
C.Smurf attack
D.SYN flood
AnswerD

SYN flood exploits the TCP three-way handshake by sending many SYN packets without completing the handshake.

Why this answer

SYN flood is a DoS attack that exhausts server resources by initiating many half-open connections.

74
MCQmedium

Which protocol is considered insecure because it transmits data, including credentials, in cleartext?

A.SFTP
B.SSH
AnswerC

Correct. Telnet transmits data in cleartext.

Why this answer

Telnet (port 23) sends all data in cleartext, making it vulnerable to eavesdropping. SSH is the secure alternative.

75
Multi-Selecthard

A company wants to mitigate the risk of a man-in-the-middle (MITM) attack. Which three measures are effective? (Choose THREE.)

Select 3 answers
A.Deploy a VPN for remote connections
B.Implement mutual authentication
C.Enable ARP spoofing protection
D.Use HTTPS with proper certificate validation
E.Use WPA2 encryption on the Wi-Fi network
AnswersA, B, D

Correct. VPNs encrypt all traffic between endpoints.

Why this answer

Using HTTPS with certificate validation ensures encrypted and authenticated communication, VPNs create encrypted tunnels, and mutual authentication verifies both parties. ARP spoofing is an attack vector, not a mitigation. WPA2 is for Wi-Fi but can be vulnerable if not properly configured.
