CCNA 2 Module 11 Quiz – Switch Security Configuration (Answers)

1. What is a recommended best practice when dealing with the native VLAN?

  • Use port security.
  • Turn off DTP.
  • Assign it to an unused VLAN.
  • Assign the same VLAN number as the management VLAN.
Explanation: Port security cannot be enabled on a trunk and trunks are the only types of ports that have a native VLAN. Even though turning DTP off on a trunk is a best practice, it does not have anything to do with native VLAN risks. To prevent security breaches that take advantage of the native VLAN, place the native VLAN in an unused VLAN other than VLAN 1. The management VLAN should also be an unused VLAN that is different from the native VLAN and something other than VLAN 1.

2. On what switch ports should PortFast be enabled to enhance STP stability?

  • only ports that are elected as designated ports
  • all trunk ports that are not root ports
  • all end-user ports
  • only ports that attach to a neighboring switch
Explanation: PortFast will immediately bring an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states. If configured on a trunk link, immediately transitioning to the forwarding state could lead to the formation of Layer 2 loops.

3. Which command would be best to use on an unused switch port if a company adheres to the best practices as recommended by Cisco?

  • switchport port-security mac-address sticky mac-address
  • ip dhcp snooping
  • shutdown
  • switchport port-security violation shutdown
  • switchport port-security mac-address sticky
Explanation: Unlike router Ethernet ports, switch ports are enabled by default. Cisco recommends disabling any port that is not used. The ip dhcp snooping command globally enables DHCP snooping on a switch. Further configuration allows defining ports that can respond to DHCP requests. The switchport port-security command is used to protect the network from unidentified or unauthorized attachment of network devices.

4. Which two features on a Cisco Catalyst switch can be used to mitigate DHCP starvation and DHCP spoofing attacks? (Choose two.)

  • DHCP server failover
  • extended ACL
  • port security
  • DHCP snooping
  • strong password on DHCP servers
Explanation: In DHCP starvation attacks, an attacker floods the DHCP server with DHCP requests to use up all the available IP addresses that the DHCP server can issue. In DHCP spoofing attacks, an attacker configures a fake DHCP server on the network so that it provides clients with false DNS server addresses. The port security feature can limit the number of dynamically learned MAC addresses per port or allow only known valid NICs to be connected via their specific MAC addresses. The DHCP snooping feature can identify the legitimate DHCP servers and block fake DHCP servers from issuing IP address information. These two features can help fight against DHCP attacks.

5. What is the best way to prevent a VLAN hopping attack?

  • Use ISL encapsulation on all trunk links.
  • Disable STP on all nontrunk ports.
  • Use VLAN 1 as the native VLAN on trunk ports.
  • Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports.
Explanation: VLAN hopping attacks rely on the attacker being able to create a trunk link with a switch. Disabling DTP and configuring user-facing ports as static access ports can help prevent these types of attacks. Disabling the Spanning Tree Protocol (STP) will not eliminate VLAN hopping attacks.

6. Which procedure is recommended to mitigate the chances of ARP spoofing?

  • Enable port security globally.
  • Enable DHCP snooping on selected VLANs.
  • Enable IP Source Guard on trusted ports.
  • Enable DAI on the management VLAN.

Explanation: To mitigate the chances of ARP spoofing, these procedures are recommended:

  • Implement protection against DHCP spoofing by enabling DHCP snooping globally.
  • Enable DHCP snooping on selected VLANs.
  • Enable DAI on selected VLANs.
  • Configure trusted interfaces for DHCP snooping and ARP inspection. Untrusted ports are configured by default.​

7. What are two types of switch ports that are used on Cisco switches as part of the defense against DHCP spoofing attacks? (Choose two.)

  • unknown port
  • trusted DHCP port
  • unauthorized port
  • established DHCP port
  • untrusted port
  • authorized DHCP port

Explanation: DHCP snooping recognizes two types of ports on Cisco switches:

  • Trusted DHCP ports – switch ports connecting to upstream DHCP servers
  • Untrusted ports – switch ports connecting to hosts that should not be providing DHCP server messages

8. Which two commands can be used to enable PortFast on a switch? (Choose two.)

  • S1(config-if)# enable spanning-tree portfast
  • S1(config-if)# spanning-tree portfast
  • S1(config)# enable spanning-tree portfast default
  • S1(config)# spanning-tree portfast default
  • S1(config-line)# spanning-tree portfast
Explanation: PortFast can be configured on all nontrunking ports using the spanning-tree portfast default global configuration command. Alternatively, PortFast can be enabled on an interface using the spanning-tree portfast interface configuration command.

9. An administrator who is troubleshooting connectivity issues on a switch notices that a switch port configured for port security is in the err-disabled state. After verifying the cause of the violation, how should the administrator re-enable the port without disrupting network operation?

  • Reboot the switch.
  • Issue the shutdown command followed by the no shutdown command on the interface.
  • Issue the no switchport port-security command, then re-enable port security.
  • Issue the no switchport port-security violation shutdown command on the interface.
Explanation: If an interface that has been protected with port security goes into the err-disabled state, then a violation has occurred and the administrator should investigate the cause of the violation. Once the cause is determined, the administrator can issue the shutdown command followed by the no shutdown command to enable the interface.

10. A network administrator is configuring DHCP snooping on a switch. Which configuration command should be used first?

  • ip dhcp snooping
  • ip dhcp snooping limit rate
  • ip dhcp snooping vlan
  • ip dhcp snooping trust

Explanation: The steps to enable DHCP snooping include these:

  • Step 1. Enable DHCP snooping using the ip dhcp snooping global configuration command.
  • Step 2. On trusted ports, use the ip dhcp snooping trust interface configuration command.
  • Step 3. Enable DHCP snooping by VLAN, or by a range of VLANs.

11. A network administrator is configuring DAI on a switch with the command ip arp inspection validate dst-mac. What is the purpose of this configuration command?

  • to check the destination MAC address in the Ethernet header against the MAC address table
  • to check the destination MAC address in the Ethernet header against the source MAC address in the ARP body
  • to check the destination MAC address in the Ethernet header against the user-configured ARP ACLs
  • to check the destination MAC address in the Ethernet header against the target MAC address in the ARP body

Explanation: DAI can be configured to check for both destination or source MAC and IP addresses:

  • Destination MAC – Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body.
  • Source MAC – Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.
  • IP address – Checks the ARP body for invalid and unexpected IP addresses including addresses,, and all IP multicast addresses.

12. Which security feature should be enabled in order to prevent an attacker from overflowing the MAC address table of a switch?

  • storm control
  • port security
  • BPDU filter
  • root guard
Explanation: Port security limits the number of source MAC addresses allowed through a switch port. This feature can prevent an attacker from flooding a switch with many spoofed MAC addresses.

13. What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol?

  • VLAN hopping
  • DHCP spoofing
  • ARP poisoning
  • ARP spoofing
Explanation: Mitigating a VLAN hopping attack can be done by disabling Dynamic Trunking Protocol (DTP) and by setting the native VLAN of trunk links to VLANs not in use.

14. A network administrator is configuring DAI on a switch. Which command should be used on the uplink interface that connects to a router?

  • ip arp inspection trust
  • ip dhcp snooping
  • ip arp inspection vlan
  • spanning-tree portfast
Explanation: In general, a router serves as the default gateway for the LAN or VLAN on the switch. Therefore, the uplink interface that connects to a router should be a trusted port for forwarding ARP requests.

15. Where are dynamically learned MAC addresses stored when sticky learning is enabled with the switchport port-security mac-address sticky command?

  • flash
  • RAM
  • ROM
Explanation: When MAC addresses are automatically learned by using the sticky command option, the learned MAC addresses are added to the running configuration, which is stored in RAM.

Notify of

Inline Feedbacks
View all comments