New CCNA – Security Questions.

July 5, 2017

These are commonly asked CCNA security questions. You need to read and understand mainly ACLs, switchport security, VPNs, etc.
You may see different grammar, context, and configurations in the exam. Just try to figure out what each question is about.




Question 1
Refer to the exhibit. The following commands are executed on interface fa0/1 of 2950Switch.
2950Switch(config-if)#switchport port-security
2950Switch(config-if)#switchport port-security mac-address sticky
2950Switch(config-if)#switchport port-security maximum 1
The Ethernet frame that is shown arrives on interface fa0/1. What two functions will occur when this frame is received by 2950Switch? (Choose two)

A. The MAC address table will now have an additional entry of fa0/1 FFFF.FFFF.FFFF.
B. Only host A will be allowed to transmit frames on fa0/1.
C. This frame will be discarded when it is received by 2950Switch.
D. All frames arriving on 2950Switch with a destination of 0000.00aa.aaaa will be forwarded out fa0/1.
E. Hosts B and C may forward frames out fa0/1 but frames arriving from other switches will not be forwarded out fa0/1.
F. Only frames from source 0000.00bb.bbbb, the first learned MAC address of 2950Switch, will be forwarded out fa0/1.

Answer: B D
Explanation
With port security enabled, sticky learning and a maximum of one secure address, the first source MAC address seen on fa0/1 is learned as a sticky secure address, written to the running-config and installed in the MAC address table for fa0/1. For answers B and D to hold, the frame in the exhibit is sent by host A (0000.00aa.aaaa): host A becomes the only station allowed to send on fa0/1 (B), and frames destined to 0000.00aa.aaaa are forwarded out fa0/1 (D). A is wrong because the broadcast address FFFF.FFFF.FFFF is a destination and is never learned as a source, and C is wrong because the first frame is accepted, not dropped. Please read more on Switch Security.

Question 2
Select the action that results from executing these commands:
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address sticky
A. A dynamically learned MAC address is saved in the startup-configuration file.
B. A dynamically learned MAC address is saved in the running-configuration file.
C. A dynamically learned MAC address is saved in the VLAN database.
D. Statically configured MAC addresses are saved in the startup-configuration file if frames from that address are received.
E. Statically configured MAC addresses are saved in the running-configuration file if frames from that address are received.

Answer: B
Explanation
The full syntax of the second command is:
switchport port-security mac-address sticky [MAC]
If no MAC address is given, as in the question, the switch converts each dynamically learned MAC address into a sticky secure address and adds it to the running-configuration. It is not written to the startup-configuration (answer A) until the configuration is saved, so sticky addresses are lost on reload unless you copy running-config startup-config.

Question 3
Which set of commands is recommended to prevent the use of a hub in the access layer?
A.
switch(config-if)#switchport mode trunk
switch(config-if)#switchport port-security maximum 1
B.
switch(config-if)#switchport mode trunk
switch(config-if)#switchport port-security mac-address 1
C.
switch(config-if)#switchport mode access
switch(config-if)#switchport port-security maximum 1
D.
switch(config-if)#switchport mode access
switch(config-if)#switchport port-security mac-address 1

Answer: C
Explanation
Port security is applied to a static access port facing a host; it cannot be applied to a dynamic access port. The maximum 1 command limits the number of secure MAC addresses on the port to one, so a hub with several hosts behind it triggers a violation as soon as a second source MAC address appears.
As the previous question (2) showed, a fixed MAC address is permitted with the "switchport port-security mac-address <mac-address>" command; "mac-address 1" is not valid syntax, which rules out B and D.

Question 4
Which Cisco Catalyst feature automatically disables the port in an operational PortFast upon receipt of a BPDU?
A. BackboneFast
B. UplinkFast
C. Root Guard
D. BPDU Guard
E. BPDU Filter

Answer: D
Explanation
PortFast lets a port enter the forwarding state almost immediately by skipping the listening and learning states. It minimizes the time a server or workstation takes to come online, avoiding timeouts in protocols such as DHCP and DNS.
BPDU Guard protects the spanning-tree domain from external influence: a PortFast-enabled port should never receive a BPDU, so when one arrives the port is placed in the err-disabled state. BPDU Guard is disabled by default but is recommended on every port where PortFast is enabled. Root Guard (C) only puts a port into the root-inconsistent state when it receives a superior BPDU, and BPDU Filter (E) silently discards BPDUs without disabling the port.
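The configuration behind this answer, as an added example that is not part of the original page: the weak form (PortFast alone) beside the hardened form (PortFast with BPDU Guard), plus optional automatic recovery. The interface name and the recovery interval are assumptions.

```cisco
! Added example (not from the original page); interface name and timer are assumed.
! Weak form: PortFast alone. A rogue switch plugged into this port sends BPDUs and
! can join, or take over, the spanning tree without the port ever being shut down.
Switch(config)# interface FastEthernet0/2
Switch(config-if)# spanning-tree portfast
! Hardened form: BPDU Guard err-disables the port on the first BPDU it receives.
Switch(config-if)# spanning-tree bpduguard enable
Switch(config-if)# exit
! Alternatively, enable it in one step on every PortFast-enabled port.
Switch(config)# spanning-tree portfast bpduguard default
! Optional: bring an err-disabled port back after 5 minutes instead of by hand.
Switch(config)# errdisable recovery cause bpduguard
Switch(config)# errdisable recovery interval 300
Switch(config)# end
! Verify: BPDU Guard status, which ports are err-disabled and why.
Switch# show spanning-tree summary
Switch# show interfaces status err-disabled
Switch# show errdisable recovery
```

Without the errdisable recovery lines the port stays down until an administrator issues shutdown / no shutdown on it, which is the safer default for a port that just received an unexpected BPDU.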

Question 5
Which two commands correctly verify whether port security has been configured on port FastEthernet 0/12 on a switch? (Choose two)
A. SW1# show switchport port-security interface FastEthernet 0/12
B. SW1# show switchport port-secure interface FastEthernet 0/12
C. SW1# show port-security interface FastEthernet 0/12
D. SW1# show running-config

Answer: C D
Explanation
You can verify port security with the "show running-config" command (the interface section lists the switchport port-security lines) or with "show port-security interface FastEthernet 0/12", which also shows the port status, violation mode, maximum and current address count. There is no "show switchport port-security" or "port-secure" keyword, so A and B are invalid.

Question 6
Refer to the exhibit. A junior network administrator was given the task of configuring port security on SwitchA to allow only PC_A to access the switched network through port fa0/1. If any other device is detected, the port is to drop frames from this device. The administrator configured the interface and tested it with successful pings from PC_A to RouterA, and then observes the output from these two show commands.

Which two of these changes are necessary for SwitchA to meet the requirements? (Choose two)
A. Port security needs to be globally enabled.
B. Port security needs to be enabled on the interface.
C. Port security needs to be configured to shut down the interface in the event of a violation.
D. Port security needs to be configured to allow only one learned MAC address.
E. Port security interface counters need to be cleared before using the show command.
F. The port security configuration needs to be saved to NVRAM before it can become active.

Answer: B D
Explanation
From the exhibit, Port Security shows as Disabled on fa0/1 (line 2 of the output) and the maximum is 2. Port security is enabled per interface, not globally (A is wrong), with the command:
SwitchA(config-if)#switchport port-security
and the existing switchport port-security maximum 2 must be reduced to switchport port-security maximum 1, since only PC_A is allowed to access the network through this port. The requirement is only to drop frames from other devices, so changing the violation mode to shutdown (C) is not needed; clearing counters (E) does not change the configuration, and a running-config change is active immediately without being saved to NVRAM (F).
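The complete interface configuration that Questions 3 and 6 point at, with the verification commands from Question 5, as an added example that is not part of the original page. The interface name, access VLAN and the choice of violation mode are assumptions.

```cisco
! Added example (not from the original page): lock fa0/1 to a single host.
! Interface, VLAN and violation mode are assumed.
SwitchA(config)# interface FastEthernet0/1
! Q3: port security goes on a static access port, never a dynamic access port.
SwitchA(config-if)# switchport mode access
SwitchA(config-if)# switchport access vlan 10
! Q6: the feature is enabled on the interface; there is no global enable.
SwitchA(config-if)# switchport port-security
! Q3/Q6: one secure address; a second source MAC (hub, second PC) is a violation.
SwitchA(config-if)# switchport port-security maximum 1
! Q1/Q2: learn PC_A's MAC from its first frame and keep it in the running-config.
SwitchA(config-if)# switchport port-security mac-address sticky
! Q6 asks only to drop frames from other devices, so "restrict" (drop, count and
! log the violation) fits. The default mode, "shutdown", err-disables fa0/1 instead.
SwitchA(config-if)# switchport port-security violation restrict
SwitchA(config-if)# end
! Q5: verify, then save so the sticky address survives a reload (Q2).
SwitchA# show port-security interface FastEthernet0/1
SwitchA# show port-security address
SwitchA# show running-config interface FastEthernet0/1
SwitchA# copy running-config startup-config
```

"protect" also drops the offending frames but silently, with no counter or syslog message, which makes a violation hard to notice; "restrict" keeps the evidence while still leaving PC_A's traffic flowing.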




Question 7
A network administrator needs to configure port security on a switch. Which two statements are true? (Choose two)
A. The network administrator can apply port security to dynamic access ports
B. The network administrator can configure static secure or sticky secure mac addresses in the voice vlan.
C. The sticky learning feature allows the addition of dynamically learned addresses to the running configuration.
D. The network administrator can apply port security to EtherChannels.
E. When dynamic mac address learning is enabled on an interface, the switch can learn new addresses up to the maximum defined.

Answer: C E
Explanation
Follow these guidelines when configuring port security:
* Port security can only be configured on static access ports, trunk ports, or 802.1Q tunnel ports.
* A secure port cannot be a dynamic access port. -> A is not correct.
* A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
* A secure port cannot belong to a Fast EtherChannel or Gigabit EtherChannel port group. -> D is not correct.
* You cannot configure static secure or sticky secure MAC addresses on a voice VLAN. -> B is not correct.
* When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to at least two.
* If any type of port security is enabled on the access VLAN, dynamic port security is automatically enabled on the voice VLAN.
* When a voice VLAN is configured on a secure port that is also configured as a sticky secure port, all addresses seen on the voice VLAN are learned as dynamic secure addresses, and all addresses seen on the access VLAN (to which the port belongs) are learned as sticky secure addresses.
* The switch does not support port security aging of sticky secure MAC addresses.
* The protect and restrict options cannot be simultaneously enabled on an interface.
(Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-1_19_ea1/configuration/guide/3550scg/swtrafc.html#wp1038546)
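How the voice VLAN guidelines above look in a configuration, as an added example that is not part of the original page: a port carrying a PC on the access VLAN and an IP phone on the voice VLAN. The interface and VLAN numbers are assumptions, and the per-VLAN maximum commands are only available on platforms that support them.

```cisco
! Added example (not from the original page): PC on the access VLAN plus an IP phone
! on the voice VLAN. Interface and VLAN numbers are assumed.
Switch(config)# interface FastEthernet0/3
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport voice vlan 110
Switch(config-if)# switchport port-security
! Two devices share this port, so the guideline requires a maximum of at least 2.
Switch(config-if)# switchport port-security maximum 2
! Optional per-VLAN limits (where supported): one address in each VLAN, so two
! PCs behind the phone still trigger a violation.
Switch(config-if)# switchport port-security maximum 1 vlan access
Switch(config-if)# switchport port-security maximum 1 vlan voice
! Sticky learning applies to the access VLAN only: the PC's MAC is written to the
! running-config, while the phone's MAC on the voice VLAN stays a dynamic secure
! address, as the guidelines state.
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# end
Switch# show port-security interface FastEthernet0/3
```

Because sticky addresses do not age, replacing the PC on this port requires clearing the old sticky entry from the configuration (or clearing port security on the interface) before the new machine can send.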

Question 8
Which protocol is an open standard protocol framework that is commonly used in VPNs to provide secure end-to-end connections?
A. PPTP
B. IPsec
C. RSA
D. L2TP

Answer: B
Explanation
One of the most widely deployed network security technologies today is the IPsec VPN. IPsec is an open IETF standard and a framework of protocols rather than a single protocol (AH, ESP and IKE), providing encryption, integrity and authentication between the endpoints and protecting data from unauthorized access. PPTP and L2TP are tunneling protocols that rely on other mechanisms for encryption, and RSA is a public-key algorithm, not a VPN framework.