2013 Latest Cisco 350-001 Exam Section 2: LAN Security (9

2013 Latest Cisco 350-001 Exam Section 2: LAN Security (9 Questions)

Private VLANs are set up in a Cisco switch for 3 ports as shown below:
tamer (enable) show pvlan
Primary Secondary Secondary-Type Port

500 501 community 5/37
500 502 isolated 5/38-39

tamer (enable) show pvlan mapping
Port Primary Secondary

15/1 500 501-502

interface vlan 500
ip address
ip proxy-arp

A PC called TKHost is plugged in to port 5/38, using ip address Based on the information above, TKHost has which of the following?
A. Layer 3 connectivity with Port 5/37 and port 5/39.
B. Layer 2 connectivity with Port 5/39 but not with port 5/37.
C. Layer 3 connectivity with Port 5/39 but not with port 5/37.
D. Layer 2 connectivity with Port 5/37 and port 5/39.
E. None of the above.
Answer: A
Private VLAN ports can be one of the following:
Promiscuous- A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN.
Isolated- An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from isolated port is forwarded only to promiscuous ports.
Community- Community ports communicate among themselves and with their promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.
In this case TKHost is in an isolated VLAN, so it will have complete layer 2 separation from all other ports. However, there is nothing preventing routing from taking place, and with inter-vlan routing TKHost will have layer 3 connectivity to the other ports.

QUESTION NO: 2 The Testking network administrator wants to authenticate LAN users attached to ports on the existing Catalyst 6509 switch. In order to do this, the following is configured:
aaa new-model
username myname password abc123
aaa authentication ppp access-dotx local
aaa authentication login access1 local
aaa authentication dotlx default radius
dotlx system-auth-control
tacacs-server host key qvert123
radius-server host key poiuy098
interface fastethernet 5/1

dotlx port control auto

What is the effect of the configuration on users attempting to access FastEthernet 5/1?
A. They will be authenticated via ppp using the local database.
B. The will be authenticated via ppp using the server at IP address
C. They will be authenticated via ppp using the server at IP address
D. They will be authenticated via 802.1x using the local database.
E. They will be authenticated via 802.1x using the server at IP address
F. They will be authenticated via 802.1x using the server at IP address
Answer: F
When you enable 802.1X port-based authentication, note the following syntax information:
To create a default list that is used when a named list is not specified in the authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
Enter at least one of these keywords:
-group radius-Use the list of all RADIUS servers for authentication. –
none-Use no authentication. The client is automatically authenticated by the switch without using the information supplied by the client. This example shows how to enable AAA and 802.1X on Fast Ethernet port 5/1: Router# configure terminal TK1(config)# aaa new-model TK1(config)# aaa authentication dot1x default group radius TK1(config)# dot1x system-auth-control TK1(config)# interface fastethernet 5/1 TK1(config-if)# dot1x port-control auto TK1(config-if)# end In this example, the default 802.1x authentication method is configured to be RADIUS, and the RADIUS server is located at IP address

QUESTION NO: 3 For security reasons, you wish to maintain a degree of logical separation between your servers and the rest of the LAN. The servers should be able to see broadcasts and multicasts only from each other and the default gateway. They should not see this type of traffic from other LAN devices. What kind of ports should be configured for these servers on the Catalyst switch?
A. Span Ports.
B. Private Ports.
C. Community Ports.
D. Isolated Ports.
E. Promiscuous Ports.
F. Access Ports.
Answer: C
Private VLANs provide Layer-2 isolation between ports within the same private VLAN on the Catalyst 6000 family switches. Ports belonging to a private VLAN are associated with a common set of supporting VLANs that are used to create the private VLAN structure. There are three types of private VLAN ports: promiscuous, isolated, and community. Community ports communicate among themselves and with their promiscuous ports. These ports are isolated at Layer 2 from all other ports in other communities or isolated ports within their private VLAN. They communicate directly only with each other and their default gateway.
Incorrect Answers:
A. SPAN ports are used for network analyzers to capture data packets. They do not provide any level of security between users.
B. This question is an example of a type of private VLAN. However, there is no notion of a private port.
D. A promiscuous port communicates with all other private VLAN ports and is the port used to communicate with devices such as routers, LocalDirector, backup servers, and administrative workstations.
E. An isolated port has complete Layer 2 separation from all other ports within the same private VLAN with the exception of the promiscuous port.
F. Access ports do not exist.

QUESTION NO: 4 Based on the VLAN Access Control List (VACL) configuration below, how many total mask entries are required in the Ternary Content Addressable table?
set security acl ip Control_Access permit host set security acl ip Control_Access deny set security acl ip Control_Access permit host set security acl ip Control_Access deny set security acl ip Control_Access permit host set security acl ip Control_Access deny host set security acl ip Control_Access permit host set security acl ip Control_Access deny host
A. 2
B. 3
C. 4
D. 6
E. 8
Answer: B
There will be 3: One to cover the 6 separate host ( masks, one for the mask, and the third for the mask.
Ternary CAM (TCAM) is a hardware piece of memory designed for rapid table lookups
by the ACL engine on the PFC and PFC2. The ACL engine performs ACL lookups based
on packets passing through the switch’s hardware. The result of the ACL engine lookup
into the TCAM determines how the switch handles a packet. For example, the packet
might be permitted or denied. The TCAM has a limited number of entries that are
populated with mask values and pattern values.

Incorrect Answers:
A, C. In the example above there are 3 different subnet masks, not 2 or 4.

D. Although there are 6 different entries with host masks (, we need to
account for the other two mask entries.

E. Although there are a total of 8 VLAN access control entries in this example, there are
only a total of 6 of them share a single mask entry and will be counted as only one in the
For a detailed discussion on TCAM refer the link below.


With regard to the use of VLAN Access Control Lists (VACL) on a Catalyst 6500 series switch, which of the following are true statements? (Choose all that apply.)
A. VACLs can be used to forward, drop, and redirect traffic based on Layer 2 and Layer 3 information.
B. VACLs cannot be used when using QoS on the switch.
C. VACLs can be used together with router interface access lists.
D. VACLs can be used for traffic that is being Layer 3 switched.
E. VACLs cause extra latency for traffic passing through the switch.
Answer: A, C, D
VACLs are similar to Router/IOS ACLs in terms of their definition, but they are used by Catalyst 6000 family switches to access control all packets it switches, including packets bridged within a VLAN. It can be used to act on layer 2 and 3 information, and can be used in conjunction with RACL’s.
Incorrect Answers:
B. VACLs can be used when using QoS on the switch. VACLs cause extra latency for traffic passing through the switch. For a detailed discussion on VACLs please go through the link below.
E. VACLs can be configured on a Catalyst 6500 at L2 without the need for an additional router. They are enforced at wire speed so there is no performance penalty in configuring VACLs on a Catalyst 6500. Since the lookup of VACLs is performed in hardware, regardless of the size of the access list, the forwarding rate remains unchanged. Reference:

QUESTION NO: 6 A new Catalyst 6500 running Cat OS was recently installed in the TestKing network. In order to increase the security of your LAN, you configure this Catalyst switch using port security. What statement is true about port security?
A. Port security can be configured on a trunk port.
B. Prot security can be configured on a SPAN destination port.
C. If a security violation occurs, the Link LED for that port turns orange, and a link-down trap is sent to the Simple Network Management Protocol (SNMP) manager.
D. Port security can be configured on a SPAN source port.
E. Static CAM entries can be configured on a port configured with port security.
F. Ports that were disabled due to security violations will be automatically re-enabled when the host with the valid MAC address is re-connected.
Answer: C
Explanation: Port Security Configuration Guidelines
When a secure port receives a packet, the source MAC address of the packet is compared to the list of secure source addresses that were manually configured or autoconfigured (learned) on the port. If a MAC address of a device attached to the port differs from the list of secure addresses, the port either shuts down permanently (default mode), shuts down for the time you have specified, or drops incoming packets from the insecure host. The port’s behavior depends on how you configure it to respond to a security violation. If a security violation occurs, the Link LED for that port turns orange, and a link-down trap is sent to the Simple Network Management Protocol (SNMP) manager. An SNMP trap is not sent if you configure the port for restrictive violation mode. A trap is sent only if you configure the port to shut down during a security violation.
Reference: http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_guide_chapter09186a008007f
Incorrect Answers:
A, B, D, E. These incorrect answers can be summarized in the following statements:
You cannot configure port security on the trunk port of a 6500 with Cat OS.
You cannot enable port security on a SPAN destination port of the 6500 with Cat OS.
You cannot configure dynamic, static, or permanent CAM entries on a secure port.
When you enable port security on a port, any static or dynamic CAM entries associated
F. When a port becomes disabled due to a security violation, the switch port can only be
enabled again after manual intervention.

QUESTION NO: 7 After properly configuring multiple VLANs, a The Testking network has decided to increase the security of its VLAN environment. Which of the following can be done on a switched network to enhance security measures? (Choose all that apply).
A. If a port is connected to a “Foreign” device, make sure to disable CDP, DTP, PagP, UDLD, and any other unnecessary protocol, and to enable Uplinkfst/BPDU guard on it.
B. Enable the rootguard feature to prevent a directly or indirectly connected STP-capable device to affect the location of the root bridge.
C. Configure the VTP domains appropriately or turn off VTP altogether if you want to limit or prevent possible undesirable protocol interactions with regard to network-wide VLAN configuration.
D. Disable all unused ports and place them in an unused VLAN to avoid unauthorized access.
E. Set the native VLAN ID to match the port VLAN ID (PVID) of any 802.1Q trunks to prevent spoofing from one VLAN to another.
Answer: B, C, D
The root guard feature is designed to provide a way to enforce the root bridge placement in the network, and to prevent unauthorized devices from becoming the root. Turning off VTP if it is not used is generally a good idea, as a new switch with a higher ID value that is inserted into the VTP domain can be used to modify and delete all of the VLANs in an existing network. It is also a best practice to disable and isolate all unused ports, as this will prevent unauthorized users from entering the LAN, and plugging into the network via an unused port.
Incorrect Answers:
A. UDLD is a useful feature that provides no security risks. It is recommended to have
this feature enabled. BPDU guard and root guard are similar, but their impact is different.
BPDU guard disables the port upon BPDU reception if portfast is enabled on the port.
This effectively denies devices behind such ports to participate in STP.

E. If a user’s native VLAN I D is the same as the port VLAN ID (PVID) of the 802.1Q
trunk, then the user can send frames from his VLAN and have them “hop” to other
VLANs. This weakness is part of the 802.1Q specification and does not apply to Cisco
ISL trunking ports.
The workaround for this threat is to ensure that every 802.1Q trunking port has a PVID,
or native VLAN ID, that is unique throughout the campus network.

Passwords for Enterprise guests should normally be:

A. Easy to remember
B. Time limited to the guest visit
C. Be the same as the username
D. Be at least 10 characters
E. Contain uppercase letters
Answer: B
When guest access is required for visitors to the enterprise, the most important security measures that should be taken is to ensure that the guest user access is restricted to only the network resources that are needed, and for the passwords to only be active for the duration of the visit. This will prevent future unauthorized access into the network using these passwords.
Incorrect Answers:
A. Generally, passwords should be somewhat easy to remember for the users, while remaining secure. It is more important to use passwords that are not easily guessed than to provide for an easy to remember one.
C. This should never be done, since it is so easily guessed.
D. Although having enough characters to provide for a secure password is essential, secure passwords can be created with the use of fewer than 10 characters. For regular users, enforcing a rule of long passwords may be preferred, it is generally not necessary for guest access.
E. Although passwords should indeed contain a mix of lower and upper case letters, as well as numerical and special characters, this is not necessarily a requirement for guest users.

QUESTION NO: 9 When segmenting guest traffic across the enterprise wireless network you should take which of the following approaches?
A. Always give guest traffic higher priority
B. Always give guest traffic lower priority
C. Separate guest traffic as close to the edge as possible
D. Use a firewall
E. Use Access Lists
F. None of the above
Answer: C
You should consider the following implementation criteria before deploying wireless

Use policy groups (a set of filters) to map wired polices to the wireless side.

Use IEEE 802.1x to control user access to VLANs by using either RADIUS-based VLAN
assignment or RADIUS-based SSID access control.

Use separate VLANs to implement different classes of service.

Adhere to any other criteria specific to your organization’s network infrastructure.
Based on these criteria, you could choose to deploy wireless VLANs using the following

Segmentation by user groups-you can segment your WLAN user community and enforce a different security policy for each user group. For example, you could create three wired and wireless VLANs in an enterprise environment for full- and part-time employees, as well as providing guest access.
Segmentation by device types-You can segment your WLAN to enable different devices with different security levels to access the network. For example, you have hand-held devices that support only 40- or 128-bit static WEP coexisting with other devices using IEEE 802.1x with dynamic WEP in the same ESS. Each of these devices would be isolated into separate VLANs. For segmenting guest users from the rest of the network, the guest VLAN traffic should be segmented at the network edge, before the traffic reaches the core of the network. This is generally done at the VLAN level, before guest traffic reaches a router access list or firewall.
Ensurepass offers Latest 2013 CCIE 350-001 Real Exam Questions , help you to pass exam 100%.