
ICND2 – Security

April 17th, 2015 in ICND2 200-101 Go to comments


Question 1

Refer to the exhibit. What three actions will the switch take when a frame with an unknown source MAC address arrives at the interface? (Select three)

(Exhibit: output of show port-security interface, showing Violation Mode: Restrict)

A. Send an SNMP trap.
B. Send a syslog message.
C. Increment the Security Violation counter.
D. Forward the traffic.
E. Write the MAC address to the startup-config.
F. Shut down the port.

Answer: A B C

Explanation

Notice that the Violation Mode is Restrict. In this mode, when the number of secure MAC addresses on the port reaches the configured maximum, frames with unknown source addresses are dropped. To learn a new MAC address or allow another host on the port, you must remove secure MAC addresses until the count is below the maximum (or raise the maximum). In addition, an SNMP trap is sent, a syslog message is logged on the syslog server, and the Security Violation counter is incremented.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.html)

Question 2

Which protocol is an open standard protocol framework that is commonly used in VPNs, to provide secure end-to-end communications?

A. RSA
B. L2TP
C. IPsec
D. PPTP

Answer: C

Explanation

One of the most widely deployed network security technologies today is the IPsec-based VPN. IPsec is an open standard framework that provides a high level of security through encryption and authentication, protecting data in transit from unauthorized access.

Question 3

Refer to the exhibit. Which of these correctly describes the results of port security violation of an unknown packet?

Switch(config)#interface fastethernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 3
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#end

A. port enabled; unknown packets dropped; no SNMP or syslog messages
B. port enabled; unknown packets dropped; SNMP or syslog messages
C. port disabled; no SNMP or syslog messages
D. port disabled; SNMP or syslog messages

Answer: D

Explanation

The default violation mode is shutdown, which shuts down (error-disables) the port when the maximum number of secure MAC addresses is exceeded. It also sends an SNMP trap, logs a syslog message, and increments the violation counter.

The three violation modes are listed below:

+protect – When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

+restrict – When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. Specifically, an SNMP trap is sent, a syslog message is logged, and the violation counter increments.

+shutdown – In this mode, a port security violation causes the interface to immediately become error-disabled, and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands. This is the default mode.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.html)
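To make the three violation modes concrete, here is an added example (my own model, not 9tut's or Cisco's code) that replays the Question 3 exhibit (maximum 3, sticky) and the Question 4 configuration (one static MAC, maximum 2, default shutdown mode) against a small port-security state machine. The MAC addresses other than 0000.1111.1111 and the event names "snmp-trap" / "syslog" are constructed for the example.

```python
from dataclasses import dataclass, field

# Hypothetical model (not Cisco code): how a port-security port reacts to
# source MACs under the protect / restrict / shutdown violation modes.
@dataclass
class SecurePort:
    maximum: int = 1                 # switchport port-security maximum N
    violation: str = "shutdown"      # protect | restrict | shutdown (IOS default)
    sticky: bool = False             # switchport port-security mac-address sticky
    secure_macs: set = field(default_factory=set)
    sticky_config: list = field(default_factory=list)  # what sticky writes to running-config
    violation_count: int = 0         # "Security Violation" counter in show port-security
    errdisabled: bool = False
    notifications: list = field(default_factory=list)  # SNMP trap / syslog events

    def add_static(self, mac):
        """switchport port-security mac-address <mac>"""
        self.secure_macs.add(mac)

    def receive(self, src_mac):
        """Process one frame; return 'forwarded' or 'dropped'."""
        if self.errdisabled:                  # an err-disabled port passes nothing
            return "dropped"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)     # dynamic learning below the limit
            if self.sticky:
                self.sticky_config.append(f"switchport port-security mac-address sticky {src_mac}")
            return "forwarded"
        # Limit reached and the source is unknown: this is a security violation
        if self.violation == "protect":
            return "dropped"                  # silent: no counter, no trap, no syslog
        self.violation_count += 1
        self.notifications += ["snmp-trap", "syslog"]
        if self.violation == "shutdown":
            self.errdisabled = True           # the whole interface goes err-disabled
        return "dropped"

    def errdisable_recover(self):
        """errdisable recovery cause psecure-violation, or shutdown / no shutdown."""
        self.errdisabled = False

def run_mode(mode, frames, maximum=3, sticky=True):
    """Replay the Question 3 exhibit (maximum 3, sticky) under one violation mode."""
    port = SecurePort(maximum=maximum, violation=mode, sticky=sticky)
    outcome = [port.receive(m) for m in frames]
    return outcome, port.violation_count, port.notifications, port.errdisabled

def question4_scenario():
    """Question 4: one static MAC, maximum 2, default (shutdown) violation mode."""
    port = SecurePort(maximum=2)
    port.add_static("0000.1111.1111")
    results = [port.receive(m) for m in ("0000.1111.1111", "0000.2222.2222", "0000.3333.3333")]
    return results, port.errdisabled, port.notifications
```

Running `run_mode` with four distinct source MACs shows the same fourth frame dropped in all three modes, but only restrict and shutdown count and notify, and only shutdown takes the port down.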

Question 4

The following configuration is applied to a Layer 2 Switch:

interface fastethernet 0/4
switchport mode access
switchport port-security
switchport port-security mac-address 0000.1111.1111
switchport port-security maximum 2

What is the result of the above configuration being applied to the switch?

A. A host with a mac address of 0000.1111.1111 and up to two other hosts can connect to FastEthernet 0/4 simultaneously
B. A host with a mac address of 0000.1111.1111 and one other host can connect to FastEthernet 0/4 simultaneously
C. Violating addresses are dropped and no record of the violation is kept
D. The switch can send an SNMP message to the network management station
E. The port is effectively shutdown

Answer: B

Question 5

What can be done to secure the virtual terminal interfaces on a router? (Choose two)

A. Administratively shut down the interface.
B. Physically secure the interface.
C. Create an access list and apply it to the virtual terminal interfaces with the access-group command.
D. Configure a virtual terminal password and login process.
E. Enter an access list and apply it to the virtual terminal interfaces using the access-class command.

Answer: D E

Comments (52)
  1. User
    November 12th, 2013

    Question 4 should read (Choose two)

  2. EC
    November 20th, 2013

    In question 3 – will it not learn the first 3 unknown packets – maximum 3 and mac address sticky – then the 4th unknown packet will cause D – Port Disabled ?

  3. old_school
    November 25th, 2013

    EC – The question inferred that a violation had already occurred, and the objective is to pick what action would result from the violation.

  4. Eddis
    December 21st, 2013

    Q4

    Number of required answers not specified (2).

  5. Happy
    January 26th, 2014

    Shouldn’t Q4 say Choose two?

  6. 9tutq
    February 13th, 2014

    @all: Thanks for your detection. We have fixed it!

  7. kaykrew
    April 2nd, 2014

    Has question 4 been corrected? I do not see (Choose two) in Q4.
    Thanks

  8. EF
    April 3rd, 2014

    Shouldn’t the answers for Q5 be C and D? ACLs are applied with access-group not access-class.

  9. Exact
    April 4th, 2014

    @EF

    If I’m not mistaken, the access-group command is used for regular interfaces (S and Fa), while the access-class command is for VTY interfaces.

  10. Anthony
    April 8th, 2014

    You’re correct Exact, the command is access-group for “interfaces” and access-class for “lines”, and VTY is certainly a line

  11. mike
    April 11th, 2014

    Re q4…

    I think i’ve seen this question asking for both 1, and 2, answers. Think it depends how many answers the question you see asks for.

    technically, according to the wording of the question, only B would be correct – “A host with a mac address of 0000.1111.1111 and one other host can connect to FastEthernet 0/4 simultaneously”…but if another MAC address tried to access that port, THEN answer D would also be correct. The question doesn’t actually ask what would happen if a violation occurred.

    taking this ICND2 next week.

    good luck all.

  12. mike
    April 14th, 2014

    Took ICND2 earlier today, 986 / 1000.

    Questions 1, 3, 4 and 5 from this page were on there.

  13. Justin
    April 30th, 2014

    Passed ICND2 yesterday. 986/1000

    1, 3, 4 and 5 were on the test

  14. Inebrius
    May 7th, 2014

    Question 4 on my test yesterday was exactly as shown here; it even didn’t have (choose two) in it. But when I tried to choose only one correct answer it gave me a warning that 2 answers needed to be chosen in this question and sent me back to the question to complete it with 2 choices chosen.

  15. redtomatoo22
    May 7th, 2014

    Hi Inebrius, my test is tomorrow. Did all the questions come from 9tut?
    Waiting for your reply

  16. fez
    May 8th, 2014

    1,3,4,5 were there

    Passed my ICND2 today with 1000. Got different configurations of the EIGRP & Frame Relay labs where there were different DLCIs and IP addresses, but the same process was used to get answers (show commands, show ip protocols, show ip interface brief).

    A question about GLBP and a question about netflow were on my test. You can find them here: http://www.examtut.com/2013/09/new-questions-in-ccna-200-120-hsrp-vrrp.html

    Study 9tut and this guy i found him really helpful. He has unique way of teaching http://www.danscourses.com If you can do all his videos again and again. Trust me you will get the concept. Also one thing i learned today is if you don’t know the concept it’ll be hard for you in the exam.

    All the best to every one in their path. Keep me in your good wishes.

  17. fez
    May 8th, 2014

    Also please note that for Question 4 it doesn’t ask you to choose how many. So you have to choose two.

    Answer B and D is right. I selected two in my exams and i have passed with 1000 marks so i am pretty sure you have to choose two.

  18. Damo
    May 19th, 2014

    ICND-2 exam topics don’t even mention port security, it should be in the ICND-1 exam (as per the exam topics given by Cisco)… But I did find that when I sat my ICND-1 exam there were several questions not listed in the exam topics were explicitly listed in the ICND-2 exam topics. I only just passed with a 867.

    I sit my ICND-2 exam (And Net+ just for laughs), thanks to everyone on this site, it’s been a huge help, better than a lot of the “pay for” services out there.

    Cheers

  19. Rob
    June 24th, 2014

    Question 3 – Should the answer be the following: C. port disabled; no SNMP or syslog messages? The default violation mode is shutdown, which disables the port; however, it does not send syslog or SNMP messages.

  20. izzarazzu
    June 28th, 2014

    Took the exam today. Pass 986/1000. Q1, Q3, Q5 were on there.
    Thanks 9tut.

  21. Guezouri
    July 30th, 2014

    The following configuration is applied to a Layer 2 Switch:

    interface fastethernet 0/4
    switchport mode access
    switchport port-security
    switchport port-security mac-address 0000.1111.1111
    switchport port-security maximum 2

    What is the result of the above configuration being applied to the switch?(choose 2)

    B. A host with a mac address of 0000.1111.1111 and one other host can connect to FastEthernet 0/4 simultaneously

    D. The switch can send an SNMP message to the network management station

    Answer: D E

  22. Guezouri
    July 30th, 2014

    sorry ANSWER : B D

  23. mc
    August 8th, 2014

    About Question 3:
    You must read carefully, if this command is missing: “switchport port-security” the correct answer is A.

  24. Ydnar
    August 16th, 2014

    simultaneously – existing, occurring, or operating at the same time;
    The only way you can connect two devices at the same time is to put a data vlan and a voice vlan on the port and have both vlans active at the same time.

    interface fastethernet 0/4
    switchport mode access
    switchport port-security
    switchport port-security mac-address 0000.1111.1111
    switchport port-security maximum 2

    Above configuration states nothing about vlans, so how can two devices connect to this port ‘simultaneously’? Plug in one device, disconnect, then plug in another device. This I can see as viable, but not simultaneously.

  25. shadrack tanui
    August 19th, 2014

    simultaneously – existing, occurring, or operating at the same time;
    The only way you can connect two devices at the same time is to put a data vlan and a voice vlan on the port and have both vlans active at the same time.

    interface fastethernet 0/4
    switchport mode access
    switchport port-security
    switchport port-security mac-address 0000.1111.1111
    switchport port-security maximum 2

    Above configuration states nothing about vlans, so how can two devices connect to this port ‘simultaneously’? Plug in one device, disconnect, then plug in another device. This I can see as viable, but not simultaneously.
    Ydnar you are right

  26. SB
    August 20th, 2014

    Yadnar,shadrack, have you thought about someone plugging in a switch, hub, wireless access point or even voip phone?

  27. Ant
    August 20th, 2014

    Tested today, 8/20. #2, 4, 5 were on there.

  28. Georges
    September 27th, 2014

    took the exam today and pass with 907. Question 1,3 and 4 were on there.
    location United States Florida.

    test ICND 2

    Thanks 9tut

  29. N8
    September 30th, 2014

    Took ICND2 today 986/100. All of these were on there. Thanks 9TUT

  30. abdo
    October 31st, 2014

    i think question 4 is wrong, the correct answer is
    D. The switch can send an SNMP message to the network management station

    because there is no way you can connect two devices simultaneously on an access mode link

  31. idunno
    October 31st, 2014

    @abdo, two devices can access the switchport if it’s connected to a second switch with device mac 0000.1111.1111 and another unknown device.

    port security can apply to frames of devices that start further down the link and traverse their way up to the secure switchport

  32. dsulli
    November 16th, 2014

    I believe Q1 is wrong, Violation mode restrict does not send SNMP, only violation mode Shutdown sends SNMP traps.
    found this in the the Cisco documentation here:
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/port_sec.html#wp1055296

    When configuring port security violation modes, note the following information:

    •protect—Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.

    •restrict—Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value and causes the SecurityViolation counter to increment.

    •shutdown—Puts the interface into the error-disabled state immediately and sends an SNMP trap notification.

  33. PaZ
    November 17th, 2014

    Hi dsulli,

    I agree with you! From that document it seems that no SNMP trap is sent in restrict mode.
    Instead, if you check these other two documents, it seems that a trap is effectively sent to the network.

    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html

    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_6_ea2c/configuration/guide/scg/swgports.html

    So now I agree with 9tut! 😀

    Cheers

  34. Anonymous
    January 23rd, 2015

    Question 4
    the L2 switch will have a MAC address too….so…..why even set it to “2” it will effectively be the same as “1”

  35. Nic
    March 3rd, 2015

    Hi Guys, who will be able to help me with braindumps? everywhere I search on the internet, I have to pay and if you from South Africa, and you must multiply the amount that is in $ by 14 , it comes to a enormous amount 🙂 . Please it would be appreciated if someone can mail me a few. Thank you in advance. nallers@grintek.com

  36. barney
    March 20th, 2015

    passed on 3/13. questions 1 and 5. tks 9tut

  37. gidz
    April 24th, 2015

    Q4, I think this is wrong; you can’t connect two devices on the same port simultaneously, and I believe the mode of the port is access, which means the end device must only be a host, if I am not mistaken.

  38. Anonymous
    April 28th, 2015

    @gidz: you could plug a hub in and have multiple host connected to that one switchport.

  39. Marco
    May 13th, 2015

    I got Q1, Q2, Q3 (“switchport port-security maximum 2” instead of 3 here), Q4, Q5 today in my ICND2 exam.
    Thanks 9tut.

  40. ttn
    May 16th, 2015

    Q1,2,3,4,5. today ICND2

  41. Rob
    May 19th, 2015

    question 1,2,3,4,5 today 19/5/15

  42. Anne Normous
    July 1st, 2015

    Just took the test today – 980/1000 Questions 1,2 and 3 were from this page. Thanks 9tuts! Also got Frame Relay, EIGRP and OSPF labs

    THERE IS NO NEED FOR ANY DUMPS – just study one book (Wendel or Todd) and the you tube lessons available free for visual knowledge. Along with 9tuts these are enough for 900 and over marks with ease.

    But you MUST understand the concepts and not mug up the answer as they change the options and answers

  43. 9tut
    July 13th, 2015

    @all: We had to move all the questions and answers out of 9tut. We can only keep the explanation. You can download the questions and answers at: https://mega.co.nz/#!oIdESYbD!yyu33vygrfKPy4rcmcbV6qW2fxINNoTokuDM3CjA_og

  44. hello
    July 18th, 2015

    As if today July 18 2015 -> I can NOT see any questions ONLY explanation.

  45. hello
    July 18th, 2015

    my apologies -> we have download file now -> link->
    https://mega.co.nz/#!oIdESYbD!yyu33vygrfKPy4rcmcbV6qW2fxINNoTokuDM3CjA_og

    Thank you.

  46. gogo
    July 22nd, 2015

    Have you realised that the website gives nothing at all?
    I am really stressed; can anyone help me find the PDF file?

  47. 9tut
    July 22nd, 2015
  48. Eire
    February 23rd, 2016

    Passed the test last Thursday. I can confirm that Q4 in the test Now says select 2.

  49. MIKE
    May 12th, 2016

    Q1 TO 5 WERE AT MY ICND2 EXAM TODAY … BUT Q. NO. 4 WITH THE SAME MULTICHOICE … BUT ASKS FOR 3 ANSWERS FROM IT, NOT ONLY ONE … I CHOSE B, D, E … I HAD NO OTHER OPTION HAHA
    PASSED WITH 986/1000…. 🙂

  50. Hank
    August 18th, 2016

    On question 4, it does not state that there is a ‘violation’ happening. Therefore, only choice B is correct. If violation, then B,D,E

  51. anon
    September 9th, 2016

    Got question 4 this week.. Asked for two answers. Since there is no violation happening, and it’s default, only answer D can work.

  52. Ble!
    September 19th, 2016

    There are no questions displaying, just explanations