
ICND2 – Security Questions

October 9th, 2017 in ICND2 200-105


Question 1

Which protocol authenticates connected devices before allowing them to access the LAN?

A. 802.1d
B. 802.11
C. 802.1w
D. 802.1x

 

Answer: D

Explanation

802.1x is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN.

Question 2

What is a difference between TACACS+ and RADIUS in AAA?

A. Only TACACS+ allows for separate authentication.
B. Only RADIUS encrypts the entire access-request packet.
C. Only RADIUS uses TCP.
D. Only TACACS+ couples authentication and authorization.

 

Answer: A

Explanation

TACACS+ is an AAA protocol developed by Cisco. TACACS+ separates the authentication, authorization, and accounting steps. This architecture allows for separate authentication solutions while still using TACACS+ for authorization and accounting. For example, it is possible to use the Kerberos Protocol for authentication and TACACS+ for authorization and accounting. After an AAA client passes authentication through a Kerberos server, the AAA client requests authorization information from a TACACS+ server without the necessity to re-authenticate the AAA client by using the TACACS+ authentication mechanism.

Authentication and authorization are not separated in a RADIUS transaction. When the authentication request is sent to an AAA server, the AAA client expects the authorization result to be returned in the same reply.

Reference: http://www.cisco.com/c/dam/en/us/products/collateral/security/secure-access-control-server-windows/prod_white_paper0900aecd80737943.pdf
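The separation described above can be seen in a Cisco IOS AAA configuration. This is an added example, not from the original page or the referenced white paper; the server name, address, key and list names are assumptions, and the secrets are placeholders.

```cisco
! Added example: authenticate against one source, authorize via TACACS+.
! The server address and key are placeholders, not real values.
aaa new-model
!
tacacs server TAC-SRV
 address ipv4 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
!
! Authentication: the local user database is consulted first (a separate
! authentication solution, as the explanation describes), with TACACS+
! as the fallback method.
aaa authentication login VTY-AUTHEN local group tacacs+
!
! Authorization: the exec/privilege decision is a separate query to the
! TACACS+ server after login has already succeeded.
aaa authorization exec VTY-AUTHOR group tacacs+ local
!
! Accounting: session start/stop records go to TACACS+ as well.
aaa accounting exec VTY-ACCT start-stop group tacacs+
!
username admin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
!
line vty 0 4
 login authentication VTY-AUTHEN
 authorization exec VTY-AUTHOR
 accounting exec VTY-ACCT
!
! With RADIUS the authorization result arrives in the same reply as the
! authentication result, so the two steps cannot be split this way.
```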

Question 3

What can be done to secure the virtual terminal interfaces on a router? (Choose two)

A. Administratively shut down the interface.
B. Physically secure the interface.
C. Create an access list and apply it to the virtual terminal interfaces with the access-group command.
D. Configure a virtual terminal password and login process.
E. Enter an access list and apply it to the virtual terminal interfaces using the access-class command.

 

Answer: D E

Explanation

Administratively shutting down an interface does not help: the virtual terminal lines remain reachable through every other interface -> A is not correct.

We cannot physically secure a virtual interface because it is “virtual” -> B is not correct.

To apply an access list to a virtual terminal interface we must use the “access-class” command. The “access-group” command is only used to apply an access list to a physical interface -> C is not correct; E is correct.

The simplest way to secure the virtual terminal lines is to configure a username and password so that unauthorized users cannot log in -> D is correct.
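The two correct options (D and E) together, as an added Cisco IOS example that is not part of the original page. The ACL name, the management subnet 192.0.2.0/24 and the local account are assumptions, and SSH is assumed to be already enabled on the device.

```cisco
! Added example: restrict and authenticate VTY access on Cisco IOS.
! 192.0.2.0/24 stands in for the management subnet (an assumption).
!
! Standard ACL listing the only hosts allowed to open a VTY session.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
! Local account used by "login local"; the password is a placeholder.
username admin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
!
line vty 0 4
 ! access-class (not access-group) binds the ACL to the VTY lines, so
 ! it applies whichever physical interface the session arrives on.
 access-class MGMT-HOSTS in
 ! Require a username and password from the local database at login.
 login local
 ! Accept SSH only; Telnet would carry the credentials in clear text.
 transport input ssh
 exec-timeout 10 0
!
! For comparison, applying the same ACL with access-group:
!   interface GigabitEthernet0/0
!    ip access-group MGMT-HOSTS in
! only filters packets entering that one interface. Sessions arriving
! through any other interface still reach the VTY lines, which is why
! option C does not secure them.
```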

Question 4

Which protocol is an open standard protocol framework that is commonly used in VPNs, to provide secure end-to-end communications?

A. RSA
B. L2TP
C. IPsec
D. PPTP

 

Answer: C

Explanation

IPsec is one of the most widely deployed network security technologies for VPNs today. It provides a high level of security through encryption and authentication, protecting data from unauthorized access.

Question 5

Which IPsec security protocol should be used when confidentiality is required?

A. MD5
B. PSK
C. AH
D. ESP

 

Answer: D

Question 6

Which three options are types of Layer 2 network attack? (Choose three.)

A. ARP attacks
B. brute force attacks
C. spoofing attacks
D. DDOS attacks
E. VLAN hopping
F. botnet attacks

 

Answer: A C E

Question 7

Which option describes a drawback of proxy ARP?

A. It overwrites MAC addresses
B. It can make it more difficult for the administrator to locate device misconfigurations
C. It dynamically establishes a layer 2 tunneling protocol, which increases network overhead
D. If proxy ARP is configured on multiple devices, the internal L2 network may become vulnerable to DDOS

 

Answer: D

Question 8

What type of attack occurs when a trusted source replaces MAC tables with untrusted ones?

A. DHCP snooping
B. port snooping
C.
D.

 

Answer: A

Question 9

Which three responses does TACACS+ give while querying... something like that. (Choose three)

A. error
B. accept
C. continue
D. persist
E. fault

 

Answer: A B C

Question 10

Which feature can validate address requests and filter out invalid messages?

A. IP Source Guard
B. port security
C. DHCP snooping
D. dynamic ARP inspection

 

Answer: C

Comments (7)
  1. Hdawg
    November 7th, 2017

    Can anyone give me the link to the QUESTIONS of this section? I can’t find them.

  2. Jazz
    November 21st, 2017

    Need to purchase a premium membership for the questions.

  3. streetlife
    November 25th, 2017

    beau……. link to 486q?

  4. AJ
    February 15th, 2018

    @9tut

    shouldn’t the answer for Question 8 be DHCP Spoofing? instead of DHCP snooping?

  5. Satchmo
    July 18th, 2018

    Q8. I agree with AJ. (DHCP Spoofing)
    Snooping is designed to prevent such attacks.

    DHCP snooping is a layer 2 security technology built into the operating system of a capable network switch that drops DHCP traffic determined to be unacceptable.
    It validates DHCP messages received from untrusted sources and filters out invalid messages.
    With DHCP snooping MAC address verification enabled, DHCP snooping verifies that the source MAC address and the client hardware address match in DHCP packets that are received on untrusted ports.

    DHCP snooping helps prevent DHCP spoofing by copying DHCP messages to the control plane and using the information in the packets to create anti-spoofing filters. The anti-spoofing filters bind a client’s MAC address to its DHCP-assigned IP address and use this information to filter spoofed DHCP messages.

  6. Tenedos
    November 23rd, 2019

    The answer for the question is DHCP SPOOFING, which is a form of attack. As others have mentioned, DHCP SNOOPING helps prevent DHCP spoofing.

    DHCP spoofing occurs when an attacker attempts to respond to DHCP requests, listing themselves (spoofing) as the default gateway or DNS server, hence initiating a man-in-the-middle attack. With that, it is possible that they can intercept traffic from users before forwarding it to the real gateway, or perform DoS by flooding the real DHCP server with requests to choke IP address resources.
    This can be mitigated by configuring DHCP Snooping, which enables only specific ports to pass DHCP traffic. All other ports will be untrusted and can only send DHCP requests. If a DHCP offer is detected on an untrusted port, it will be shut down.

    Here’s a sample config.

    SW(config)# ! Enable DHCP snooping on the switch
    SW(config)#ip dhcp snooping
    SW(config)# ! Enable DHCP snooping for the specific VLAN
    SW(config)#ip dhcp snooping vlan 1
    SW(config)#int fa0/1
    SW(config-if)# ! Set the port as trusted
    SW(config-if)#ip dhcp snooping trust
    SW(config-if)# ! Enable rate limiting to prevent flooding attacks
    SW(config-if)#ip dhcp snooping limit rate 15

    More details here:
    http://packetpushers.net/ccnp-studies-configuring-dhcp-snooping/

  7. KD
    February 17th, 2020

    Ans to Q5 : ESP

    IPsec is a pair of protocols, Encapsulating Security Payload (ESP) and Authentication Header (AH), which provide security services for IP datagrams.

    ESP can provide authentication, integrity, replay protection, and confidentiality of the data (it secures everything in the packet that follows the IP header).

    AH provides authentication, integrity, and replay protection (but not confidentiality) of the sender.
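The ESP versus AH distinction from Question 5 and the comment above, as an added Cisco IOS example that is not part of the original page or the commenter's post. The transform-set names are assumptions.

```cisco
! Added example: two IPsec transform sets showing why ESP, not AH, is the
! answer when confidentiality is required. Names are assumptions.
!
! AH only: authenticates and integrity-protects the datagram, including
! the outer IP header, but the payload stays in clear text. Because the
! outer header is covered, AH also breaks when the packet crosses NAT.
crypto ipsec transform-set AH-INTEGRITY-ONLY ah-sha-hmac
 mode tunnel
!
! ESP with AES-256 and SHA HMAC: encrypts the payload (confidentiality)
! and authenticates everything that follows the outer IP header.
crypto ipsec transform-set ESP-CONFIDENTIAL esp-aes 256 esp-sha-hmac
 mode tunnel
!
! A crypto map or IPsec profile that needs confidentiality should
! reference ESP-CONFIDENTIAL, for example:
!   set transform-set ESP-CONFIDENTIAL
```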