ActualTests.Cisco.640-802.Exam.Q.and.A.08.15.08-DDU (1130589), page 32
Switch A does not have an IP address assigned to the management VLAN.

Answer: B

Explanation:
This scenario requires inter-VLAN routing, which requires a layer three device. Based on the information above, a trunk has indeed been set up to route traffic between VLANs so the problem is that default gateway has been specified in the switch, so traffic will not be forwarded to the router from the switch from one VLAN to the other.

QUESTION 257:
The Certkiller network administrator wants to ensure that only a single web server can connect to port Fa0/1 on a Catalyst switch. The server is plugged into the switch's Fast Eth. 0/1 port and the network administrator is about to bring the server online. What can the administrator do to ensure that only the MAC address of this server is allowed by switch port Fa0/1? (Choose two)

A. Configure port Fa0/1 to accept connections only from the static IP address of the server
B. Configure the MAC address of the server as a static entry associated with port Fa0/1
C. Employ a proprietary connector type on Fa0/1 that is incompatible with other host connectors
D. Configure port security on Fa0/1 to reject traffic with a source MAC address other than that of the server
E. Bind the IP address of the server to its MAC address on the switch to prevent other hosts from spoofing the server IP address

Answer: B, D

Explanation:
You can use port security to block input to an Ethernet, Fast Ethernet, or Gigabit Ethernet port when the MAC address of the station attempting to access the port is different from any of the MAC addresses specified for that port.

Actualtests.com - The Power of Knowing
640-802

When a secure port receives a packet, the source MAC address of the packet is compared to the list of secure source addresses that were manually configured or autoconfigured (learned) on the port.
If a MAC address of a device attached to the port differs from the list of secure addresses, the port either shuts down permanently (default mode), shuts down for the time you have specified, or drops incoming packets from the insecure host. The port's behavior depends on how you configure it to respond to a security violation.

When a security violation occurs, the Link LED for that port turns orange, and a link-down trap is sent to the Simple Network Management Protocol (SNMP) manager. An SNMP trap is not sent if you configure the port for restrictive violation mode. A trap is sent only if you configure the port to shut down during a security violation.

QUESTION 258:
The network administrator has configured port security on a Certkiller switch. Why would a network administrator configure port security on this Certkiller device?

A. To prevent unauthorized hosts from getting access to the LAN
B. To limit the number of Layer 2 broadcasts on a particular switch port
C. To prevent unauthorized Telnet or SSH access to a switch port
D. To prevent the IP and MAC address of the switch and associated ports
E. None of the above

Answer: A

Explanation:
You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port.

If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a station attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs. Also, if a station with a secure MAC address configured or learned on one secure port attempts to access another secure port, a violation is flagged.

Reference:
http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00800d6

QUESTION 259:
The network security policy for Certkiller requires that only one host be permitted to attach dynamically to each switch interface.
If that policy is violated, the interface should be automatically disabled. Which two commands must the Certkiller network administrator configure on the 2950 Catalyst switch to meet this policy? (Choose two)

A. SW Certkiller 1(config-if)# switchport port-security maximum 1
B. SW Certkiller 1(config)# mac-address-table secure
C. SW Certkiller 1(config)# access-list 10 permit ip host
D. SW Certkiller 1(config-if)# switchport port-security violation shutdown
E. SW Certkiller 1(config-if)# ip access-group 10

Answer: A, D

Explanation:
Catalyst switches offer the port security feature to control port access based on MAC addresses. To configure port security on an access layer switch port, begin by enabling it with the following interface configuration command:

Switch(config-if)# switchport port-security

Next, you must identify a set of allowed MAC addresses so that the port can grant them access. You can explicitly configure addresses or they can be dynamically learned from port traffic. On each interface that uses port security, specify the maximum number of MAC addresses that will be allowed access using the following interface configuration command:

Switch(config-if)# switchport port-security maximum max-addr

Finally, you must define how each interface using port security should react if a MAC address is in violation by using the following interface configuration command:

Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}

A violation occurs if more than the maximum number of MAC addresses are learned, or if an unknown (not statically defined) MAC address attempts to transmit on the port. The switch port takes one of the following configured actions when a violation is detected:

shutdown - The port is immediately put into the errdisable state, which effectively shuts it down. It must be re-enabled manually or through errdisable recovery to be used again.
restrict - The port is allowed to stay up, but all packets from violating MAC addresses are dropped. The switch keeps a running count of the number of violating packets and can send an SNMP trap and a syslog message as an alert of the violation.
protect - The port is allowed to stay up, as in the restrict mode. Although packets from violating addresses are dropped, no record of the violation is kept.

QUESTION 260:
Three hosts connect to a Certkiller switch as shown below:

Certkiller 3 Mac Address Table Exhibit:

Ethernet Frame Exhibit:

You work as a network technician at Certkiller and are working on the network shown above.
You are administering the 2950 Cisco switch named Certkiller 3 and you enter the following commands on interface fa0/1 of the switch.

Certkiller 3(config-if)# switchport port-security
Certkiller 3(config-if)# switchport port-security mac-address sticky
Certkiller 3(config-if)# switchport port-security maximum 1

The Ethernet frame that is shown arrives on interface fa0/1. Based on the information provided, what two functions will occur when this frame is received by Certkiller 3? (Choose two)

A. All frames arriving on Certkiller 3 with a destination of 0000.00aa.aaaa will be forwarded out fa0/1.
B. Hosts B and C may forward frames out fa0/1 but frames arriving from other switches will not be forwarded out fa0/1.
C. Only frames from source 0000.00bb.bbbb, the first learned MAC address of Certkiller 3, will be forwarded out fa0/1.
D. This frame will be discarded when it is received by Certkiller 3.
E. Only host Certkiller A will be allowed to transmit frames on fa0/1.
F. The MAC address table will now have an additional entry of fa0/1 FFFF.FFFF.FFFF.

Answer: A, E

Explanation:
The configuration shown here is an example of port security, specifically port security using sticky addresses. You can use port security with dynamically learned and static MAC addresses to restrict a port's ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port. When you assign secure MAC addresses to a secure port, the port does not forward ingress traffic that has source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the device attached to that port has the full bandwidth of the port.

Port security with sticky MAC addresses provides many of the same benefits as port security with static MAC addresses, but sticky MAC addresses can be learned dynamically.
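
A configuration check for the Question 259 policy (one host per port, interface disabled on violation), added here as an example and not part of the original exam text. It flags interface stanzas that lack the enabling command or override the maximum or the violation mode; the sample configuration, interface names and function names are constructed, and a port with no explicit maximum or violation line is assumed to be at the IOS defaults (maximum 1, violation shutdown).

```python
import re

# Constructed configuration text (sample values, not from the page).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport port-security
 switchport port-security mac-address sticky
interface FastEthernet0/2
 switchport port-security maximum 1
 switchport port-security violation shutdown
interface FastEthernet0/3
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
"""

def parse_interfaces(config):
    """Map each interface name to the list of its indented sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current:
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" separator or a global command ends the stanza
    return interfaces

def audit(config):
    """Return {interface: [findings]} for ports that do not meet the policy."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        findings = []
        # Without the bare enabling command the other port-security lines have no effect.
        if "switchport port-security" not in lines:
            findings.append("port security not enabled")
        # Explicit settings override the defaults (maximum 1, violation shutdown).
        opts = dict(re.findall(r"^switchport port-security (maximum|violation) (\S+)$",
                               "\n".join(lines), re.M))
        maximum, mode = int(opts.get("maximum", 1)), opts.get("violation", "shutdown")
        if maximum != 1:
            findings.append(f"maximum is {maximum}, policy requires 1")
        if mode != "shutdown":
            findings.append(f"violation mode is {mode}, policy requires shutdown")
        if findings:
            report[name] = findings
    return report
```

In the sample, FastEthernet0/1 passes on defaults alone, while FastEthernet0/2 carries both answer commands from Question 259 yet is still flagged because the enabling command is missing.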