Port Security Questions

January 10th, 2021


Premium Member: You can test your knowledge with these questions first via this link (via
HTML).

Question 1

A network administrator enabled port security on a switch interface connected to a printer. What is
the next configuration action in order to allow the port to learn the MAC address of the printer and
insert it into the table automatically?
A. implement auto MAC address learning
B. implement static MAC addressing.
C. enable sticky MAC addressing
D. enable dynamic MAC address learning

Answer: C
Question 2

Refer to the exhibit. Which port security violation mode is configured on interface Fa0/1?

%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state


%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address
00AA.1AB9.D22F on port FastEthernet0/1
%LINKPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down

A. protect
B. shutdown VLAN
C. shutdown
D. restrict

Answer: C
Explanation

After the violation, interface Fa0/1 was placed in the err-disabled state (%PM-4-ERR_DISABLE) and
went down, so port security on this interface is using the “shutdown” violation mode.

Question 3

A port security violation has occurred on a switch port due to the maximum MAC address count
being exceeded. Which command must be configured to increment the security-violation count and
forward an SNMP trap?
A. switchport port-security violation access
B. switchport port-security violation restrict
C. switchport port-security violation protect
D. switchport port-security violation shutdown

Answer: B
Access-list Questions
January 13th, 2021

Note: If you are not sure about Access list, please read our Access List Tutorial.

Question 1

Refer to the exhibit. A network engineer must block access for all computers on VLAN 20 to the
web server via HTTP. All other computers must be able to access the web server. Which
configuration when applied to switch A accomplishes this task?

A.
config t
ip access-list extended wwwblock
deny tcp any host 10.30.0.100 eq 80
int vlan 100
ip access-group wwwblock in

B.
config t
ip access-list extended wwwblock
deny tcp any host 10.30.0.100 eq 80
permit ip any any
int vlan 20
ip access-group wwwblock in

C. config t
ip access-list extended wwwblock
permit ip any any
deny tcp any host 10.30.0.100 eq 80
int vlan 30
ip access-group wwwblock in

D.
config t
ip access-list extended wwwblock
deny tcp any host 10.30.0.100 eq 80
int vlan 20
ip access-group wwwblock in
 

Answer: B
Explanation

The “deny tcp any host 10.30.0.100 eq 80” statement blocks TCP traffic from any source to the web
server at 10.30.0.100 on port 80. Because the ACL is applied to interface VLAN 20, only computers
on VLAN 20 are affected.

In summary, just notice that 10.30.0.100 here is the destination IP address, not the source address.

Note: The traffic flow from hosts in VLAN 20 to the web server is: host in VLAN 20 -> interface
VLAN 20 -> interface VLAN 30 -> web server. With the ACL in place: host in VLAN 20 -> (ACL
inbound) interface VLAN 20 -> interface VLAN 30 -> web server. Therefore the ACL can block
traffic from VLAN 20.

Question 2

Refer to the exhibit. An extended ACL has been configured and applied to router R2. The
configuration failed to work as intended. Which two changes stop outbound traffic on TCP ports 25
and 80 to 10.0.20.0/26 from the 10.0.10.0/26 subnet while still allowing all other traffic? (Choose
two)

R2#config t
R2(config)#access-list 101 deny tcp 10.0.20.0 0.0.0.63 10.0.10.0 0.0.0.63 eq smtp
R2(config)#access-list 101 deny tcp 10.0.20.0 0.0.0.63 10.0.10.0 0.0.0.63 eq www
R2(config)#int gi0/2
R2(config-if)#ip access-group 101 in

A. Add a “permit ip any any” statement to the beginning of ACL 101 for allowed traffic
B. Add a “permit ip any any” statement at the end of ACL 101 for allowed traffic
C. The source and destination IPs must be swapped in ACL 101
D. The ACL must be configured the Gi0/2 interface inbound on R1
E. The ACL must be moved to the Gi0/1 interface outbound on R2

Answer: B C
Question 3

While examining excessive traffic on the network, it is noted that all incoming packets on an
interface appear to be allowed even though an IPv4 ACL is applied to the interface. Which two
misconfigurations cause this behavior? (Choose two)
A. The packets fail to match any permit statement
B. A matching permit statement is too high in the access list
C. A matching permit statement is too broadly defined
D. The ACL is empty
E. A matching deny statement is too high in the access list

Answer: B C
Explanation

If a matching permit statement sits too high in the access list, it is matched first, before the deny
statement intended for that traffic is ever reached. If a matching permit statement is too broadly
defined, it also covers traffic we wanted to deny (for example, if we only want to permit TCP traffic
we should not permit “ip” traffic, which includes both TCP and UDP).

Question 4

Refer to the exhibit. What configuration on R1 denies SSH access from PC-1 to any R1 interface
and allows all other traffic?

A. access-list 100 deny tcp host 172.16.1.33 any eq 22
access-list 100 permit ip any any
line vty 0 15
access-class 100 in

B. access-list 100 deny tcp host 172.16.1.33 any eq 22
access-list 100 permit ip any any
interface GigabitEthernet0/0
ip access-group 100 in

C. line vty 0 15
access-class 100 in
access-list 100 deny tcp host 172.16.1.33 any eq 23
access-list 100 permit ip any any

D. access-list 100 deny tcp host 172.16.1.33 any eq 23
access-list 100 permit ip any any
line vty 0 15
access-class 100 in
 

Answer: A
Question 5

Refer to the exhibit. An administrator configures the following ACL in order to prevent devices on
the 192.168.1.0 subnet from accessing the server at 10.1.1.5:

access-list 100 deny ip 192.168.1.0 0.0.0.255 host 10.1.1.5
access-list 100 permit ip any any

Where should the administrator place this ACL for the most efficient use of network resources?

A. inbound on router A Fa0/0
B. outbound on router B Fa0/0
C. outbound on router A Fa0/1
D. inbound on router B Fa0/1

Answer: A
Explanation

By placing the ACL closest to the source, we can reduce unnecessary traffic passing between two
routers and the processing time of the router.

Question 6

Refer to the exhibit. Which two configurations would be used to create and apply a standard
access list on R1, so that only the 10.0.70.0/25 network devices are allowed to access the internal
database server? (Choose two)
A. R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip access-group 5 out

B. R1(config)# access-list 5 permit 10.0.54.0 0.0.1.255

C. R1(config)# interface Serial0/0/0
R1(config-if)# ip access-group 5 in

D. R1(config)# access-list 5 permit 10.0.70.0 0.0.0.127

E. R1(config)# access-list 5 permit any

Answer: A D
Question 7

Refer to the exhibit.

interface GigabitEthernet0/1
ip address 192.168.1.2 255.255.255.0
ip access-group 2699 in
!
access-list 2699 deny icmp any 10.10.1.0 0.0.0.255 echo
access-list 2699 deny ip any 10.20.1.0 0.0.0.255
access-list 2699 permit ip any 10.10.1.0 0.0.0.255
access-list 2699 permit tcp any 10.20.1.0 0.0.0.127 eq 22

A network administrator must permit SSH access to remotely manage routers in a network. The
operations team resides on the 10.20.1.0/25 network. Which command will accomplish this task?

A. access-list 2699 permit udp 10.20.1.0 0.0.0.255
B. no access-list 2699 deny tcp any 10.20.1.0 0.0.0.127 eq 22
C. access-list 2699 permit tcp any 10.20.1.0 0.0.0.255 eq 22
D. no access-list 2699 deny ip any 10.20.1.0 0.0.0.255

Answer: D
Explanation
The operations team resides on the 10.20.1.0/25 network, which is part of 10.20.1.0/24. The
“deny ip any 10.20.1.0 0.0.0.255” statement matches their traffic before the later “permit tcp ...
eq 22” line is reached, so we need to remove that deny statement to allow SSH.
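The first-match behaviour behind the explanations of Question 1, Question 3 and Question 7 can be exercised in a small model. The Python below is an added example, not code from the original page or from Cisco: it parses numbered-ACL lines in the form shown on this page, applies Cisco wildcard-mask matching, and evaluates packets top-down with the implicit deny at the end. ACL 2699 is copied from Question 7; the packets and the two-line lists are constructed, and the `Packet`, `Ace`, `parse_ace` and `evaluate` names are the example's own. ICMP type keywords such as “echo” are accepted by the parser but not evaluated.

```python
"""Model of Cisco IOS extended-ACL evaluation: top-down first match, implicit deny."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known port keywords IOS accepts after "eq" (only the ones used on this page).
PORT_NAMES = {"www": 80, "smtp": 25, "telnet": 23, "ssh": 22}


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp" or "icmp"
    src: str               # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard)
    dst: str
    dport: Optional[int]   # destination port from "eq <port>", None if absent


@dataclass(frozen=True)
class Packet:               # constructed packet summary, enough fields for ACL matching
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def wildcard_match(spec: str, addr: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    toks = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    if toks[0] == "host":
        return a == int(ipaddress.IPv4Address(toks[1]))
    net, wild = (int(ipaddress.IPv4Address(t)) for t in toks)
    care = 0xFFFFFFFF ^ wild
    return (a & care) == (net & care)


def parse_ace(line: str) -> Ace:
    """Parse one numbered-ACL line as written on the page.
    Only 'access-list N permit|deny proto src dst [eq port]' is handled; an ICMP
    type keyword such as 'echo' is accepted but not evaluated."""
    toks = line.split()
    action, proto, i = toks[2], toks[3], 4

    def take_addr(i: int) -> Tuple[str, int]:
        if toks[i] == "any":
            return "any", i + 1
        if toks[i] == "host":
            return f"host {toks[i + 1]}", i + 2
        return f"{toks[i]} {toks[i + 1]}", i + 2

    src, i = take_addr(i)
    dst, i = take_addr(i)
    dport = None
    if i < len(toks) and toks[i] == "eq":
        dport = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
    return Ace(action, proto, src, dst, dport)


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching ACE); index None means the implicit deny."""
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (wildcard_match(ace.src, pkt.src) and wildcard_match(ace.dst, pkt.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, idx
    return "deny", None


# ACL 2699 exactly as shown in Question 7.
ACL_2699 = [parse_ace(line) for line in [
    "access-list 2699 deny icmp any 10.10.1.0 0.0.0.255 echo",
    "access-list 2699 deny ip any 10.20.1.0 0.0.0.255",
    "access-list 2699 permit ip any 10.10.1.0 0.0.0.255",
    "access-list 2699 permit tcp any 10.20.1.0 0.0.0.127 eq 22",
]]
# The same list after "no access-list 2699 deny ip any 10.20.1.0 0.0.0.255" (answer D).
ACL_2699_FIXED = [a for a in ACL_2699
                  if a != Ace("deny", "ip", "any", "10.20.1.0 0.0.0.255", None)]

# Constructed SSH packet toward the 10.20.1.0/25 operations network.
SSH_PKT = Packet("tcp", "192.168.1.50", "10.20.1.10", 22)

# Question 1 / Question 3: order matters. Option C's list permits before it denies.
WRONG_ORDER = [parse_ace(line) for line in [
    "access-list 100 permit ip any any",
    "access-list 100 deny tcp any host 10.30.0.100 eq 80",
]]
RIGHT_ORDER = list(reversed(WRONG_ORDER))
WEB_PKT = Packet("tcp", "10.20.0.7", "10.30.0.100", 80)      # constructed
OTHER_PKT = Packet("tcp", "10.20.0.7", "10.30.0.100", 443)   # constructed

if __name__ == "__main__":
    print("2699 as configured :", evaluate(ACL_2699, SSH_PKT))           # ('deny', 1)
    print("2699 after answer D:", evaluate(ACL_2699_FIXED, SSH_PKT))     # ('permit', 2)
    print("permit-first list  :", evaluate(WRONG_ORDER, WEB_PKT))        # ('permit', 0)
    print("deny-first list    :", evaluate(RIGHT_ORDER, WEB_PKT))        # ('deny', 0)
    print("deny-only list     :", evaluate(RIGHT_ORDER[:1], OTHER_PKT))  # ('deny', None)
```

Run as a script, it shows ACL 2699 denying SSH at its second line as configured and permitting it at the last line once the “deny ip any 10.20.1.0 0.0.0.255” statement is gone, while the permit-first list from option C of Question 1 never reaches its deny, and a list with no explicit permit drops everything else through the implicit deny. The same `wildcard_match` also confirms the Question 6 masks: 0.0.1.255 covers 10.0.54.0 through 10.0.55.255, whereas 0.0.0.127 stops at 10.0.70.127.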

AAA Questions
January 12th, 2021

If you are not sure about AAA, please read our AAA TACACS+ and RADIUS Tutorial.

Question 1

AAA stands for authentication, authorization, and accounting.


A. False
B. True

Answer: B
Question 2

Which effect does the aaa new-model configuration command have?


A. It configures the device to connect to a RADIUS server for AAA.
B. It configures a local user on the device.
C. It associates to RADIUS server to an AAA group.
D. It enables AAA services on the device.

Answer: D
Question 3

What is the primary difference between AAA authentication and authorization?


A. Authentication verifies a username and password, and authorization handles the communication
between the authentication agent and the user database
B. Authentication identifies a user who is attempting to access a system, and authorization
validates the users password
C. Authentication identifies and verifies a user who is attempting to access a system, and
authorization controls the tasks the user can perform
D. Authentication controls the system processes a user can access and authorization logs the
activities the user initiates

Answer: C
Explanation

AAA stands for Authentication, Authorization and Accounting.

+ Authentication: Specify who you are (usually via login username & password)
+ Authorization: Specify what actions you can do, what resource you can access
+ Accounting: Monitor what you do, how long you do it (can be used for billing and auditing)

An example of AAA is shown below:

+ Authentication: “I am a normal user. My username/password is user_tom/learnforever”
+ Authorization: “user_tom can access LearnCCNA server via HTTP and FTP”
+ Accounting: “user_tom accessed LearnCCNA server for 2 hours”. This user only uses “show”
commands.

Question 4

Refer to the exhibit. Which password must an engineer use to enter the enable mode?

Atlanta#config t
Atlanta(config)#aaa new-model
Atlanta(config)#aaa authentication login default local
Atlanta(config)#line vty 0 4
Atlanta(config-line)#login authentication default
Atlanta(config-line)#exit
Atlanta(config)#username ciscoadmin password adminadmin123
Atlanta(config)#username ciscoadmin privilege 15
Atlanta(config)#enable password cisco123
Atlanta(config)#enable secret testing1234
Atlanta(config)#end

A. adminadmin123
B. default
C. testing1234
D. cisco123

Answer: C
Explanation

If neither the enable password command nor the enable secret command is configured, and if
there is a line password configured for the console, the console line password serves as the enable
password for all VTY sessions -> The “enable secret” is used first if configured, then the “enable
password”, then the line password.

Reference: https://www.cisco.com/c/en/us/td/docs/optical/cpt/r9_3/configuration/guide/cpt93_configuration/cpt93_configuration_chapter_010000.pdf

Question 5

What is a difference between RADIUS and TACACS+?


A. RADIUS is most appropriate for dial authentication, but TACACS+ can be used for multiple types
of authentication
B. TACACS+ encrypts only password information and RADIUS encrypts the entire payload
C. TACACS+ separates authentication and authorization, and RADIUS merges them
D. RADIUS logs all commands that are entered by the administrator, but TACACS+ logs only start,
stop, and interim commands

Answer: C

Question 6
How do AAA operations compare regarding user identification, user services and access control?
A. Authorization provides access control and authentication tracks user services
B. Authentication identifies users and accounting tracks user services
C. Accounting tracks user services, and authentication provides access control
D. Authorization identifies users and authentication provides access control

Answer: B

Security Questions
January 12th, 2021

Question 1

An email user has been lured into clicking a link in an email sent by their company’s security
organization. The webpage that opens reports that it was safe but the link could have contained
malicious code. Which type of security program is in place?
A. Physical access control
B. Social engineering attack
C. brute force attack
D. user awareness

Answer: D
Explanation

This is a training program that simulates an attack rather than a real one (the question says “The
webpage that opens reports that it was safe”), so we believe it should be called a “user awareness”
program, which is therefore the best answer here. This is the definition of “user awareness” from
the CCNA 200-301 Official Cert Guide:

“User awareness: All users should be made aware of the need for data confidentiality to protect
corporate information, as well as their own credentials and personal information. They should also
be made aware of potential threats, schemes to mislead, and proper procedures to report security
incidents. “

Note: Physical access control means infrastructure locations, such as network closets and data
centers, should remain securely locked.

Question 2

An engineer is asked to protect unused ports that are configured in the default VLAN on a switch.
Which two steps will fulfill the request? (Choose two)
A. Configure the ports in an EtherChannel
B. Administratively shut down the ports
C. Configure the port type as access and place in VLAN 99
D. Configure the ports as trunk ports
E. Enable the Cisco Discovery Protocol

Answer: B C
Question 3
Which configuration is needed to generate an RSA key for SSH on a router?
A. Configure the version of SSH
B. Configure VTY access
C. Create a user with a password
D. Assign a DNS domain name

Answer: D
Explanation

In order to generate an RSA key for SSH, we need to configure the hostname and a DNS domain
name on the router (a username and password are also required). Therefore, in fact, both answer C
and answer D are correct.

Question 4

Which two must be met before SSH can operate normally on a Cisco IOS switch? (Choose two)
A. The switch must be running a k9 (crypto) IOS image
B. The ip domain-name command must be configured on the switch
C. IP routing must be enabled on the switch
D. A console password must be configured on the switch
E. Telnet must be disabled on the switch

Answer: A B
Question 5

When a site-to-site VPN is used, which protocol is responsible for the transport of user data?
A. IKEv2
B. IKEv1
C. IPsec
D. MD5

Answer: C
Explanation

A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with
each other over a public network such as the Internet. A site-to-site VPN means that two sites
create a VPN tunnel by encrypting and sending data between two devices. One set of rules for
creating a site-to-site VPN is defined by IPsec.
In the topology above, Remote Campus sites can connect to the Main Campus through site-to-site
VPNs.

Question 6

Which set of actions satisfies the requirement for multi-factor authentication?


A. The user swipes a key fob, then clicks through an email link
B. The user enters a user name and password, and then clicks a notification in an authentication
app on a mobile device
C. The user enters a PIN into an RSA token, and then enters the displayed RSA key on a login
screen
D. The user enters a user name and password and then re-enters the credentials on a second
screen

Answer: B
Explanation

This is an example of how two-factor authentication (2FA) works:

1. The user logs in to the website or service with their username and password.
2. The password is validated by an authentication server and, if correct, the user becomes eligible
for the second factor.
3. The authentication server sends a unique code to the user’s second-factor method (such as a
smartphone app).
4. The user confirms their identity by providing the additional authentication for their second-
factor method.

Question 7

Which command prevents passwords from being stored in the configuration as plaintext on a
router or switch?
A. enable secret
B. service password-encryption
C. username Cisco password encrypt
D. enable password

Answer: B
Question 8

Refer to the exhibit. An administrator configures four switches for local authentication using
passwords that are stored in a cryptographic hash. The four switches must also support SSH
access for administrators to manage the network infrastructure. Which switch is configured
correctly to meet these requirements?
SW1(config-line)#line vty 0 15
SW1(config-line)#no login local
SW1(config-line)#password cisco
SW2(config)#username admin1 password abcd1234
SW2(config)#username admin2 password abcd1234
SW2(config-line)#line vty 0 15
SW2(config-line)#login local
SW3(config)#username admin1 secret abcd1234
SW3(config)#username admin2 secret abcd1234
SW3(config-line)#line vty 0 15
SW3(config-line)#login local
SW4(config)#username admin1 password abcd1234
SW4(config)#username admin2 password abcd1234
SW4(config-line)#line console 0
SW4(config-line)#login local

A. SW1
B. SW2
C. SW3
D. SW4

Answer: C
Explanation

The “login local” command instructs the device to use the usernames and passwords in its local
database for authentication. The “secret” keyword stores the password as a cryptographic hash in
the local configuration, which is what the question requires; SW2 and SW4 use the “password”
keyword instead, which is not hashed.

Question 9

The service password-encryption command is entered on a router. What is the effect of this
configuration?
A. restricts unauthorized users from viewing clear-text passwords in the running configuration
B. prevents network administrators from configuring clear-text passwords
C. protects the VLAN database from unauthorized PC connections on the switch
D. encrypts the password exchange when a VPN tunnel is established

 
Answer: A
Explanation

The service password-encryption command encrypts all current and future passwords, so every
password that exists in the configuration, and any added later, is stored in encrypted form.

Question 10

In which two ways does a password manager reduce the chance of a hacker stealing a user’s
password? (Choose two)
A. It automatically provides a second authentication factor that is unknown to the original user
B. It uses an internal firewall to protect the password repository from unauthorized access
C. It protects against keystroke logging on a compromised device or web site
D. It stores the password repository on the local workstation with built-in antivirus and anti-
malware functionality
E. It encourages users to create stronger passwords

Answer: C E
Explanation

A password manager only helps you remember your chosen passwords without typing them
yourself. It automatically fills in the password textbox for you, so it does not provide a second
authentication factor. An example of a second authentication factor is a one-time password (OTP)
sent to your phone after you type your password; you then have to type this OTP to authenticate.

By using a password manager, you are encouraged to create a complex password because you
don’t need to remember it.

Question 11

What are two purposes of launching a reconnaissance attack on a network? (Choose two)
A. to prevent other users from accessing the system
B. to escalate access privileges
C. to gather information about the network and devices
D. to scan for accessibility
E. to retrieve and modify data

Answer: C D
Question 1

Refer to the exhibit. An engineer booted a new switch and applied this configuration via the
console port. Which additional configuration must be applied to allow administrators to
authenticate directly to enable privilege mode via Telnet using local username and password?
Switch(config)#hostname R1
R1(config)#interface FastEthernet0/1
R1(config-if)#no switchport
R1(config-if)#ip address 10.100.20.42 255.255.255.0
R1(config-if)#line vty 0 4
R1(config-line)#login

A.
R1(config)#username admin
R1(config-if)#line vty 0 4
R1(config-line)#password p@ss1234

B.
R1(config)#username admin
R1(config-if)#line vty 0 4
R1(config-line)#password p@ss1234
R1(config-line)#transport input telnet

C.
R1(config)#username admin secret p@ss1234
R1(config-if)#line vty 0 4
R1(config-line)#login local
R1(config)#enable secret p@ss1234

D.
R1(config)#username admin privilege 15 secret p@ss1234
R1(config-if)#line vty 0 4
R1(config-line)#login local

Answer: D

Question 2

An organization secures its network with multi-factor authentication using an authenticator app on
employee smartphones. How is the application secured in the case of a user’s smartphone being
lost or stolen?
A. The application requires an administrator password to be reactivated after a configured interval.
B. The application verifies that the user is in a specific location before it provides the second
factor.
C. The application requires the user to enter a PIN before it provides the second factor.
D. The application challenges a user by requiring an administrator password to reactivate when the
smartphone is rebooted.

Answer: C

Question 3

Which type of attack can be mitigated by dynamic ARP inspection?


A. malware
B. DDoS
C. worm
D. man-in-the-middle

Answer: D

Explanation

ARP attack (like ARP poisoning/spoofing, man-in-the-middle) is a type of attack in which a
malicious actor sends falsified ARP messages over a local area network, as ARP allows a gratuitous
reply from a host even if an ARP request was not received. This results in the linking of an
attacker’s MAC address with the IP address of a legitimate computer or server on the network.
This is an attack based on ARP, which is at Layer 2. Dynamic ARP inspection (DAI) is a security
feature that validates ARP packets in a network and can be used to mitigate this type of attack.

Question 4

Which technology is used to improve web traffic performance by proxy caching?


A. Firepower
B. FireSIGHT
C. ASA
D. WSA
 

Answer: D

Explanation

The Web Security appliance (WSA) intercepts requests that are forwarded to it by clients or other
devices over the network. Proxy caching is a setting in WSA that caches data to increase
performance.

Question 5

Which device performs stateful inspection of traffic?


A. access point
B. switch
C. wireless controller
D. firewall

Answer: D

Explanation

In stateful inspection, the firewall not only inspects packets up through the application layer/layer7
determining a packet’s header information and data content, but also monitors and keeps track of
the connection’s state. For all active connections traversing the firewall, the state information,
which may include IP addresses and ports involved, the sequence numbers and acknowledgement
numbers of the packets traversing the connection, TCP packet flags, etc. is maintained in a state
table.

Question 6

What are two recommendations for protecting network ports from being exploited when located in
an office space outside of an IT closet? (Choose two)
A. shut down unused ports
B. enable the PortFast feature on ports
C. implement port-based authentication
D. configure ports to a fixed speed
E. configure static ARP entries

Answer: A C

Question 7

What is a practice that protects a network from VLAN hopping attacks?


A. Change native VLAN to an unused VLAN ID
B. Enable dynamic ARP inspection
C. Configure an ACL to prevent traffic from changing VLANs
D. Implement port security on internet-facing VLANs

Answer: A

Explanation

VLAN Hopping: By altering the VLAN ID on packets encapsulated for trunking, an attacking
device can send or receive packets on various VLANs, bypassing Layer 3 security measures. VLAN
hopping can be accomplished by switch spoofing or double tagging. One popular type of VLAN
hopping is the double-tagging attack:

In this attack, the attacking computer generates frames with two 802.1Q tags. The first tag
matches the native VLAN of the trunk port (VLAN 10 in this case), and the second matches the
VLAN of a host it wants to attack (VLAN 20).

When the frame from the attacker reaches Switch A, Switch A only sees the first tag, VLAN 10, and
because it matches its native VLAN 10 this tag is removed. Switch A forwards the frame out all
links with the same native VLAN 10. Switch B receives the frame with a tag of VLAN 20, so it
removes this tag and forwards the frame out to the victim computer.

Note: This attack only works if the trunk (between the two switches) has the same native VLAN as the
attacker. In other words, this attack is only successful if the attacker belongs to the native VLAN of
the trunk link. Another important point is that this attack is strictly one way, as it is impossible to
encapsulate the return packet.

To mitigate this type of attack, we can use VLAN access control lists (VACLs, which apply to all
traffic within a VLAN and can be used to drop attacker traffic to specific victims/servers); or
implement Private VLANs; or keep the native VLAN of all trunk ports different from user VLANs.
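The last mitigation above, keeping the native VLAN off every user VLAN, can be checked with a simplified model of how tags move across a trunk. The Python below is an added example, not code from the original page or from Cisco. It assumes the usual 802.1Q rules the text describes (a trunk sends native-VLAN frames untagged and classifies untagged frames it receives into the native VLAN) plus one simplification about access ports (a frame tagged with the port's own access VLAN is accepted, any other tag is dropped); the `Frame`, `delivered_vlan` and `native_vlan_is_safe` names and the VLAN numbers other than 10 and 20 are the example's own.

```python
"""Model of 802.1Q tag handling across a trunk, to show why the native VLAN of a
trunk should never be a VLAN that users sit in (the mitigation from the text)."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Frame:
    vlan: Optional[int]   # VLAN the switch has classified the frame into (None = not yet classified)
    tags: List[int]       # 802.1Q VLAN IDs still present in the header, outer tag first


def access_ingress(frame: Frame, access_vlan: int) -> Optional[Frame]:
    """Access port: the frame is classified into the port's access VLAN.
    Simplification (assumption): a frame tagged with that same VLAN is accepted and the
    tag is consumed; a frame tagged with any other VLAN is dropped (returns None)."""
    if frame.tags and frame.tags[0] != access_vlan:
        return None
    return Frame(vlan=access_vlan, tags=frame.tags[1:] if frame.tags else [])


def trunk_egress(frame: Frame, native_vlan: int) -> Frame:
    """Sending trunk: native-VLAN frames go out untagged; every other VLAN gets its tag pushed."""
    if frame.vlan == native_vlan:
        return Frame(vlan=None, tags=list(frame.tags))
    return Frame(vlan=None, tags=[frame.vlan] + frame.tags)


def trunk_ingress(frame: Frame, native_vlan: int) -> Frame:
    """Receiving trunk: an untagged frame belongs to the native VLAN, otherwise the outer tag decides."""
    if not frame.tags:
        return Frame(vlan=native_vlan, tags=[])
    return Frame(vlan=frame.tags[0], tags=frame.tags[1:])


def delivered_vlan(outer: int, inner: int, access_vlan: int, native_vlan: int) -> Optional[int]:
    """VLAN in which Switch B delivers a frame that entered Switch A on an access port
    carrying the tag stack [outer, inner]; None if Switch A dropped it."""
    f = access_ingress(Frame(vlan=None, tags=[outer, inner]), access_vlan)
    if f is None:
        return None
    f = trunk_egress(f, native_vlan)
    return trunk_ingress(f, native_vlan).vlan


def native_vlan_is_safe(native_vlan: int, user_vlans: Set[int]) -> bool:
    """Configuration check from the text: the trunk's native VLAN must not be a user VLAN."""
    return native_vlan not in user_vlans


if __name__ == "__main__":
    # Attacker in VLAN 10, trunk native VLAN 10 (as in the text): frame lands in VLAN 20.
    print("native 10:", delivered_vlan(10, 20, access_vlan=10, native_vlan=10))   # 20
    # Same frame with the native VLAN moved to an unused VLAN 99: it stays in VLAN 10,
    # because Switch A keeps the outer tag and the inner tag is just payload to Switch B.
    print("native 99:", delivered_vlan(10, 20, access_vlan=10, native_vlan=99))   # 10
    print("safe?", native_vlan_is_safe(99, {10, 20}), native_vlan_is_safe(10, {10, 20}))
```

With the native VLAN equal to the attacker's access VLAN the inner tag is exposed on the trunk and the frame is delivered in VLAN 20; once the native VLAN is an unused ID, Switch A keeps its own tag on the frame and Switch B never looks past it, which is the whole point of the recommendation to keep native VLANs separate from user VLANs.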

Question 8

Which technology can prevent client devices from arbitrarily connecting to the network without
state remediation?
A. MAC Authentication Bypass
B. IP Source Guard
C. 802.1x
D. 802.11n

Answer: C

Explanation

The IEEE 802.1x standard defines a client-server-based access control and authentication protocol
that prevents unauthorized clients from connecting to a LAN through publicly accessible ports
unless they are properly authenticated. The authentication server authenticates each client
connected to a switch port before making available any services offered by the switch or the LAN.
Until the client is authenticated, 802.1x access control allows only Extensible Authentication
Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP)
traffic through the port to which the client is connected. After authentication is successful, normal
traffic can pass through the port.

DAI Questions
January 11th, 2021

Question 11

Where does a switch maintain DHCP snooping information?


A. in the CAM table
B. in the VLAN database
C. in the DHCP binding database
D. in the MAC address table
 

Answer: C

Question 5

Refer to the exhibit. If the network environment is operating normally, which type of device must
be connected to interface FastEthernet 0/1?

ip arp inspection vlan 2-10


interface fastethernet 0/1
ip arp inspection trust

A. DHCP client
B. access point
C. router
D. PC

Answer: C

Explanation

To configure DHCP snooping feature, at least three steps must be done:

Sequence and description                              Command
1. Configure global DHCP snooping                     Switch(config)# ip dhcp snooping
2. Configure trusted ports (at least on 1 port).      Switch(config-if)# ip dhcp snooping trust
   By default, all ports are untrusted
3. Configure DHCP snooping for the selected VLANs     Switch(config)# ip dhcp snooping vlan {VLAN-ID | VLAN range}

Note: To configure DHCP snooping with Dynamic ARP Inspection we need to add the command “ip
arp inspection vlan vlan-id” in global configuration mode and “ip arp inspection trust” in interface
mode.

In a normal network environment, we should trust interfaces that are connected to routers, not
end points.

Question 1

Refer to the exhibit. What is the effect of this configuration?


ip arp inspection vlan 2
interface fastethernet 0/1
switchport mode access
switchport access vlan 2

A. All ARP packets are dropped by the switch


B. Egress traffic is passed only if the destination is a DHCP server.
C. All ingress and egress traffic is dropped because the interface is untrusted
D. The switch discard all ingress ARP traffic with invalid MAC-to-IP address bindings

Answer: D

Explanation

Dynamic ARP inspection is an ingress security feature; it does not perform any egress checking.

Question 2

Refer to the exhibit. What is the effect of this configuration?

ip arp inspection vlan 2


interface fastethernet 0/1
switchport mode access
switchport access vlan 2

A. The switch port interface trust state becomes untrusted


B. The switch port remains administratively down until the interface is connected to another switch
C. Dynamic ARP inspection is disabled because the ARP ACL is missing
D. The switch port remains down until it is configured to trust or untrust incoming packets

Answer: A

Explanation

Dynamic ARP inspection (DAI) is a security feature that validates ARP packets in a network. It
intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability
protects the network from certain man-in-the-middle attacks. After enabling DAI, all ports become
untrusted ports.
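The behaviour described in the DAI explanations above (only VLANs named in “ip arp inspection vlan” are inspected, every port starts untrusted, “ip arp inspection trust” exempts a port, and the check is ingress-only against the DHCP snooping bindings) is modelled below. This is an added example, not code from the original page or from Cisco IOS: the `DaiSwitch` and `ArpPacket` names, the port names, the MAC addresses and the binding entries are all constructed, and the model deliberately leaves out ARP ACLs for statically addressed hosts.

```python
"""Model of Dynamic ARP Inspection (DAI): ARP packets arriving on untrusted ports in a
DAI-enabled VLAN are validated against the DHCP snooping binding table."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ArpPacket:              # constructed summary of the fields DAI looks at
    ingress_port: str
    vlan: int
    sender_ip: str
    sender_mac: str


@dataclass
class DaiSwitch:
    dai_vlans: Set[int]                                    # "ip arp inspection vlan ..."
    trusted_ports: Set[str] = field(default_factory=set)   # "ip arp inspection trust"; all ports start untrusted
    # (sender IP, VLAN) -> MAC, as learned by DHCP snooping (constructed entries below).
    bindings: Dict[Tuple[str, int], str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def inspect(self, pkt: ArpPacket) -> str:
        """Return 'forward' or 'drop'. DAI only inspects ingress ARP traffic."""
        if pkt.vlan not in self.dai_vlans:
            return "forward"                  # DAI is not enabled for this VLAN
        if pkt.ingress_port in self.trusted_ports:
            return "forward"                  # trusted ports bypass the check
        expected = self.bindings.get((pkt.sender_ip, pkt.vlan))
        if expected is None or expected.lower() != pkt.sender_mac.lower():
            self.log.append(f"DAI: invalid binding {pkt.sender_ip} -> {pkt.sender_mac} "
                            f"on {pkt.ingress_port} vlan {pkt.vlan}, dropped")
            return "drop"
        return "forward"


def build_demo_switch() -> DaiSwitch:
    """Constructed topology: router on fa0/1 (trusted, as in Question 5), hosts on fa0/2-fa0/4."""
    sw = DaiSwitch(dai_vlans={2})             # ip arp inspection vlan 2
    sw.trusted_ports.add("fa0/1")             # interface fa0/1: ip arp inspection trust
    sw.bindings[("10.0.2.20", 2)] = "aaaa.bbbb.0020"   # learned via DHCP snooping (constructed)
    sw.bindings[("10.0.2.30", 2)] = "aaaa.bbbb.0030"
    return sw


def run_demo() -> Dict[str, str]:
    """Inspect four constructed ARP packets and return the verdict for each."""
    sw = build_demo_switch()
    packets = {
        # Host answers with the IP/MAC pair DHCP snooping recorded for it.
        "legit_host": ArpPacket("fa0/2", 2, "10.0.2.20", "aaaa.bbbb.0020"),
        # Host on an untrusted port claims the gateway address: no matching binding.
        "spoofed_gateway": ArpPacket("fa0/3", 2, "10.0.2.1", "aaaa.bbbb.0030"),
        # The real router on the trusted port needs no binding at all.
        "router_trusted": ArpPacket("fa0/1", 2, "10.0.2.1", "cccc.dddd.0001"),
        # DAI is not enabled on VLAN 3, so nothing is checked there.
        "other_vlan": ArpPacket("fa0/4", 3, "10.0.3.5", "eeee.ffff.0005"),
    }
    return {name: sw.inspect(p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:16s} {verdict}")
```

The verdicts show why Question 5 expects a router behind the trusted interface and why Question 2's answer is that every port becomes untrusted when DAI is enabled: only the trusted port may originate ARP for addresses the binding table does not know, and anything else claiming an address it was not leased is dropped and logged.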

Wireless Questions
January 10th, 2021

Note: If you are not sure about Wireless, please read our Wireless tutorial.

Quick Wireless Summary


WLAN Modes:
WLAN has two basic modes of operation:
* Ad-hoc mode: In this mode devices send data directly to each other without an AP.

* Infrastructure mode: Connect to a wired LAN, supports two modes (service sets):


+ Basic Service Set (BSS): uses only a single AP to create a WLAN
+ Extended Service Set (ESS): uses more than one AP to create a WLAN, allows roaming
in a larger area than a single AP. Usually there is an overlapped area between two APs to
support roaming. The overlapped area should be more than 10% (from 10% to 15%) to
allow users moving between two APs without losing their connections (called roaming).
The two adjacent APs should use non-overlapping channels to avoid interference. The
most popular non-overlapping channels are channels 1, 6 and 11 (will be explained later).

Roaming: The ability to use a wireless device and be able to move from one access point’s
range to another without losing the connection.
Cisco Access Points (APs) can operate in one of two modes: autonomous or lightweight
+ Autonomous: self-sufficient and standalone. Used for small wireless networks.
+ Lightweight: A Cisco lightweight AP (LAP) has to join a Wireless LAN Controller
(WLC) to function. LAP and WLC communicate with each other via a logical pair of
CAPWAP tunnels.
– Control and Provisioning for Wireless Access Point (CAPWAP) is an IETF standard
protocol which enables a WLC to manage multiple APs. CAPWAP is similar to LWAPP
except the following differences:
+ CAPWAP uses Datagram Transport Layer Security (DTLS) for authentication and
encryption to protect traffic between APs and controllers. LWAPP uses AES.
+ CAPWAP has a dynamic maximum transmission unit (MTU) discovery mechanism.
+ CAPWAP runs on UDP ports 5246 (control messages) and 5247 (data messages)
Signal to Noise Ratio (SNR) is defined as the ratio of the transmitted power from the AP
to the ambient (noise floor) energy present. To calculate the SNR value, we add the Signal
Value to the Noise Value to get the SNR ratio. A positive value of the SNR ratio is always
better.
The 2.4 GHz band is subdivided into multiple channels each allotted 22 MHz bandwidth
and separated from the next channel by 5 MHz.
-> A best practice for 802.11b/g/n WLANs requiring multiple APs is to use non-
overlapping channels such as 1, 6, and 11.

Types of external antennas:


+ Omnidirectional: Provide 360-degree coverage. Ideal in houses and office areas
+ Directional: Focus the radio signal in a specific direction. Examples are the Yagi and
parabolic dish
+ Multiple Input Multiple Output (MIMO) – Uses multiple antennas (up to eight) to
increase bandwidth

Question 1

An engineer must configure a WLAN using the strongest encryption type for WPA2-PSK. Which
cipher fulfills the configuration requirement?
A. WEP
B. RC4
C. AES
D. TKIP

Answer: C

Explanation

Many routers offer WPA2-PSK (TKIP), WPA2-PSK (AES) and WPA2-PSK (TKIP/AES) as options.
TKIP is an older encryption protocol introduced with WPA to replace the very insecure WEP
encryption of the time; it is quite similar to WEP, is no longer considered secure and is now
deprecated. In other words, you shouldn’t be using it.
AES is a more secure encryption protocol introduced with WPA2 and is currently the strongest
encryption type for WPA2-PSK.

Question 2

Which unified access point mode continues to serve wireless clients after losing connectivity to the
Cisco Wireless LAN Controller?
A. sniffer
B. mesh
C. flex connect
D. local

Answer: C

Explanation

In previous releases, whenever a FlexConnect access point disassociated from a controller, it
moved to standalone mode. Centrally switched clients were disassociated, but the FlexConnect
access point continued to serve locally switched clients. When the FlexConnect access point
rejoined the controller (or a standby controller), all clients were disconnected and
authenticated again. This functionality has been enhanced: the connection between the clients
and the FlexConnect access point is maintained intact and the clients experience seamless
connectivity. When both the access point and the controller have the same configuration, the
connection between the clients and APs is maintained.

Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_010001101.html

Question 3

Which QoS Profile is selected in the GUI when configuring a voice over WLAN deployment?
A. Bronze
B. Platinum
C. Silver
D. Gold

Answer: B

Explanation

Cisco Unified Wireless Network solution WLANs support four levels of QoS: Platinum/Voice,
Gold/Video, Silver/Best Effort (default), and Bronze/Background.

Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_01010111.html

Question 4

Which design element is a best practice when deploying an 802.11b wireless infrastructure?
A. disabling TPC so that access points can negotiate signal levels with their attached wireless
devices.
B. setting the maximum data rate to 54 Mbps on the Cisco Wireless LAN Controller
C. allocating non overlapping channels to access points that are in close physical proximity to one
another
D. configuring access points to provide clients with a maximum of 5 Mbps

Answer: C

Question 5

Which statement about Link Aggregation when implemented on a Cisco Wireless LAN Controller is
true?
A. To pass client traffic two or more ports must be configured
B. The EtherChannel must be configured in “mode active”
C. When enabled the WLC bandwidth drops to 500 Mbps
D. One functional physical port is needed to pass client traffic

Answer: D

Explanation

Link aggregation (LAG) is a partial implementation of the 802.3ad port aggregation standard. It
bundles all of the controller’s distribution system ports into a single 802.3ad port channel.

Restrictions for link aggregation:

+ LAG requires the EtherChannel to be configured for 'mode on' on both the controller and the
Catalyst switch -> Answer B is not correct.
+ If the recommended load-balancing method cannot be configured on the Catalyst switch, then
configure the LAG connection as a single member link or disable LAG on the controller ->
Answer A is not correct, while answer D is correct.

Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-5/configuration-guide/b_cg75/b_cg75_chapter_0100010.html

Question 6

Which mode allows access points to be managed by Cisco Wireless LAN Controllers?
A. autonomous
B. lightweight
C. bridge
D. mobility express

Answer: B

Explanation

A Lightweight Access Point (LAP) is an AP that is designed to be connected to a wireless LAN
(WLAN) controller (WLC). APs are "lightweight," which means that they cannot act independently
of a wireless LAN controller (WLC). The WLC manages the AP configurations and firmware. The APs
are "zero touch" deployed, and individual configuration of APs is not necessary.

Reference: https://www.cisco.com/c/en/us/support/docs/wireless/aironet-1200-series/70278-lap-faq.html

Question 7

Which type of wireless encryption is used for WPA2 in pre-shared key mode?
A. TKIP with RC4
B. RC4
C. AES-128
D. AES-256

Answer: D

Explanation

In the configuration screenshot from the referenced Cisco document, the WPA2 pre-shared key is
entered as 64 hexadecimal characters (256 bits), so we can deduce that the encryption is
AES-256, not AES-128.

Reference: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/67134-wpa2-config.html

Question 8

Which two values or settings must be entered when configuring a new WLAN in the Cisco Wireless
LAN Controller GUI? (Choose two)
A. management interface settings
B. QoS settings
C. IP address of one or more access points
D. SSID
E. Profile name

Answer: D E

Question 9
Which feature on the Cisco Wireless LAN Controller, when enabled, restricts management access
from specific networks?
A. CPU ACL
B. TACACS
C. Flex ACL
D. RADIUS

Answer: A

Explanation

Whenever you want to control which devices can talk to the main CPU, a CPU ACL is used.

Note: CPU ACLs only filter traffic towards the CPU, and not any traffic exiting or generated by the
CPU.

Reference: https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109669-secure-wlc.html

Question 10

Which 802.11 frame type is association response?
A. management
B. protected frame
C. control
D. action

Answer: A

Explanation

There are three main types of 802.11 frames: the Data Frame, the Management Frame and the
Control Frame. Association Response belongs to Management Frame. Association response is sent
in response to an association request.

Question 11

When configuring a WLAN with WPA2 PSK in the Cisco Wireless LAN Controller GUI, which two
formats are available to select? (Choose two)
A. ASCII
B. base64
C. binary
D. decimal
E. hexadecimal

Answer: A E

Explanation

When configuring a WLAN with WPA2 Preshared Key (PSK), we can choose the encryption key
format as either ASCII or HEX.

Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/multi-preshared-key.pdf

Question 12

What is a benefit of using a Cisco Wireless LAN Controller?
A. Central AP management requires more complex configurations
B. Unique SSIDs cannot use the same authentication method
C. It supports autonomous and lightweight APs
D. It eliminates the need to configure each access point individually

Answer: D

Question 13

Several new coverage cells are required to improve the Wi-Fi network of an organization. Which
two standard designs are recommended? (Choose two)

A. 5GHz provides increased network capacity with up to 23 nonoverlapping channels.
B. 5GHz channel selection requires an autonomous access point.
C. Cells that overlap one another are configured to use nonoverlapping channels.
D. Adjacent cells with overlapping channels use a repeater access point.
E. For maximum throughput, the WLC is configured to dynamically set adjacent access points to
the same channel.

Answer: C E

Question 1

How does CAPWAP communicate between an access point in local mode and a WLC?
A. The access point must directly connect to the WLC using a copper cable
B. The access point must not be connected to the wired network, as it would create a loop
C. The access point must be connected to the same switch as the WLC
D. The access point has the ability to link to any switch in the network, assuming connectivity to
the WLC

Answer: D

Question 2

Which WPA3 enhancement protects against hackers viewing traffic on the Wi-Fi network?
A. TKIP encryption
B. AES encryption
C. Scrambled encryption key
D. SAE encryption

Answer: D

Explanation

Wi-Fi Protected Access version 3 (WPA3) is a new Wi-Fi Alliance (WFA) security standard for
personal and enterprise networks. It aims to improve overall Wi-Fi security by using modern
security algorithms and stronger cipher suites. WPA3 has two parts:

+ WPA3-Personal: Uses simultaneous authentication of equals (SAE) instead of pre-shared
key (PSK), providing users with stronger security protections against attacks such as offline
dictionary attacks, key recovery, and message forging.

+ WPA3-Enterprise: Offers stronger authentication and link-layer encryption methods, and an
optional 192-bit security mode for sensitive security environments.

Question 3

What is a difference between local AP mode and FlexConnect AP mode?
A. Local AP mode creates two CAPWAP tunnels per AP to the WLC
B. FlexConnect AP mode fails to function if the AP loses connectivity with the WLC
C. FlexConnect AP mode bridges the traffic from the AP to the WLC when local switching is
configured
D. Local AP mode causes the AP to behave as if it were an autonomous AP

Answer: A

Explanation

In Central Switched (Local) mode, an AP creates two CAPWAP tunnels to the Wireless Controller.
One tunnel is used for forwarding data traffic and the other is used for forwarding the
management traffic.

Question 4

When a WPA2-PSK WLAN is configured in the Wireless LAN Controller, what is the minimum
number of characters that is required in ASCII format?
A. 6
B. 8
C. 12
D. 18

Answer: B

Explanation

WPA/WPA2 preshared keys must contain 8 to 63 ASCII text characters or 64 hexadecimal
characters.

Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_01010001.html
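Question 4 here, Question 11 of the previous set (ASCII or HEX key format) and Question 7 (64 hexadecimal characters = 256 bits) describe the same thing from three angles: a WLC accepts either an 8-to-63 character ASCII passphrase or a 64-hex-digit key, and both end up as one 256-bit Pairwise Master Key (PMK). As an added example that is not from the page or from Cisco, the Python script below validates both formats and derives the PMK from a passphrase with PBKDF2 as 802.11 specifies; the "password"/"IEEE" pair is the 802.11 Annex H test vector, and the other sample keys are constructed.

```python
import hashlib
import re

# Added example (not from the original page): the two key formats a WLC accepts
# for WPA2-PSK and the 256-bit Pairwise Master Key (PMK) they both produce.
HEX_KEY_RE = re.compile(r"[0-9a-fA-F]{64}")
PBKDF2_ITERATIONS = 4096   # fixed by 802.11 for the passphrase-to-PSK mapping
PMK_LEN = 32               # 256 bits, i.e. 64 hexadecimal characters


def psk_format(key: str) -> str:
    """Classify a pre-shared key as 'hex', 'ascii' or 'invalid' (WLC rules)."""
    if HEX_KEY_RE.fullmatch(key):
        return "hex"       # 64 hex digits: the PMK is entered directly
    if 8 <= len(key) <= 63 and all(32 <= ord(ch) <= 126 for ch in key):
        return "ascii"     # passphrase: 8..63 printable ASCII characters
    return "invalid"


def derive_pmk(key: str, ssid: str) -> bytes:
    """Return the 256-bit PMK for either accepted key format.

    A passphrase is stretched with PBKDF2-HMAC-SHA1 using the SSID as salt,
    which is why the same passphrase yields a different PMK on every SSID.
    """
    fmt = psk_format(key)
    if fmt == "hex":
        return bytes.fromhex(key)
    if fmt == "ascii":
        return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"),
                                   ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)
    raise ValueError("key must be 8-63 printable ASCII characters or 64 hex digits")


def same_pmk(passphrase: str, hex_key: str, ssid: str) -> bool:
    """True if entering the passphrase or the hex key on this SSID gives the same PMK."""
    return derive_pmk(passphrase, ssid) == derive_pmk(hex_key, ssid)


if __name__ == "__main__":
    # "password" on SSID "IEEE" is the passphrase-to-PSK test vector from 802.11 Annex H.
    pmk = derive_pmk("password", "IEEE")
    print(pmk.hex())  # f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
    print(same_pmk("password", pmk.hex(), "IEEE"))
    # Constructed sample keys: too short, 64 hex digits, 64 non-hex characters, a passphrase.
    for candidate in ("short", "a" * 64, "g" * 64, "Lab-WLAN-Key-2021"):
        print(candidate[:12], psk_format(candidate))
```

A 64-character key that is not all hex digits is rejected rather than treated as a long passphrase, matching the 63-character ASCII limit in the explanation above.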

Question 5

Using direct sequence spread spectrum, which three 2.4-GHz channels are used to limit collisions?
A. 1,5,10
B. 1,2,3
C. 1,6,11
D. 5,6,7

Answer: C

Explanation

In the 2.4 GHz band, 1, 6, and 11 are the only non-overlapping channels.

Question 6

A wireless administrator has configured a WLAN; however, the clients need access to a less
congested 5-GHz network for their voice quality. What action must be taken to meet the
requirement?
A. enable AAA override
B. enable RX-SOP
C. enable DTIM
D. enable Band Select

Answer: D

Explanation

Band Select (also called Band Direction) is a new feature that encourages dual-band clients to
connect to 5-GHz networks. Band Select is disabled by default. The Band Select function provides
a better wireless experience for users.

Question 7

What is a function of Wireless LAN Controller?
A. send LWAPP packets to access points
B. use SSIDs to distinguish between wireless clients
C. register with a single access point that controls traffic between wired and wireless endpoints
D. monitor activity on wireless and wired LANs

Answer: A

Question 8

Which protocol prompts the Wireless LAN Controller to generate its own local web administration
SSL certificate for GUI access?
A. HTTP
B. HTTPS
C. TACACS+
D. RADIUS

Answer: B

Explanation

When you enable HTTPS, the controller generates its own local web administration SSL certificate
and automatically applies it to the GUI.

Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_011.html

Question 9

What is a recommended approach to avoid co-channel congestion while installing access points
that use the 2.4 GHz frequency?
A. different nonoverlapping channels
B. one nonoverlapping channel
C. one overlapping channel
D. different overlapping channels

Answer: A

Explanation

In the 2.4 GHz band, 1, 6, and 11 are the only non-overlapping channels so they should be chosen
while installing APs.
