
SWITCH Set 8

Created on: 2010-01-03 12:34:44

Review Questions

The following review questions are taken from the current SWITCH curriculum. These review questions do not reflect the actual questions you will receive on the live certification exam. They are only meant to supplement your learning experience.


Comments (10)
  • Aaron Street

    Aaron Street says: 2010-11-16 23:04:09

    It doesn't trust the known DHCP server automagically, this is the most logically correct answer.

    Been listening to too much Jeremy, I think.

    But yes, I agree question 14 is not right. Nowhere have I seen it say it starts to trust any other ports. DHCP snooping deals with DHCP replies, so it never needs to trust a client port (or at least it should always stop DHCP offers on these ports even if the client is a valid client).

    The only port that should ever need to be trusted is the one leading to the server.

  • David L - Cisco Education Specia

    David L - Cisco Education Specia says: 2010-09-15 21:26:12

    I agree that this question could be worded better. I will try to get it revised so there is not so much confusion.

    Rest assured that the questions on the actual exams are edited more thoroughly.

  • David Diaz

    David Diaz says: 2010-09-14 03:06:46

    I agree. Here's what Jeremy Cioara's video says:

    "To turn on DHCP snooping all I have to do is type in 'ip dhcp snooping' from global config mode and wham, the feature's on. It will now stop DHCP replies from any non-trusted port. So I need to go under my port that is connected to my DHCP server and say: 'ip dhcp snooping trust'. And that will allow this port to be trusted. Now I am preventing rogue DHCP servers from getting into my network."

    It doesn't trust the known DHCP server automagically, this is the most logically correct answer.

  • David L - Cisco Education Specia

    David L - Cisco Education Specia says: 2010-09-11 09:20:56

    I found this material on pages 404 and 405 of the CCNP SWITCH 642-813 Official Certification Guide by David Hucaby.

    It states: "When securing VLAN trunks, also consider the potential for an exploit called 'VLAN hopping'. Here, an attacker positioned on one access VLAN can craft and send frames with spoofed 802.1Q tags so that the packet payloads ultimately appear on a totally different VLAN, all without the use of a router."

    It goes on to say: "...The regular frame—or malicious payload, in this case—is first given an 802.1Q tag with the VLAN ID of the target VLAN. Then a second bogus 802.1Q tag is added with the attacker's access VLAN ID..."

    The switch forwards the double-tagged frame out of the trunk interface as it strips off the first tag. What's left is the second tag which is the VLAN of the target.

    It also gives a couple of solutions to mitigate this type of attack.

    Hope this helps.

  • Lars Arvidsson

    Lars Arvidsson says: 2010-08-19 19:23:32

    14. With DHCP snooping, which port is "trusted"?

    Any port (to client and to server) can become trusted as soon as a DHCP transaction is secured.

    The port to the known DHCP server ought to be trusted, but you have to configure it. When you enable DHCP snooping globally, all interfaces become untrusted. Then you configure trusted interfaces, typically uplinks to servers (not to clients).

  • Arnout Swinnen

    Arnout Swinnen says: 2010-06-19 04:39:19

    I also do

  • stefanm

    stefanm says: 2010-06-17 15:17:53

    I think the answer to question 14 should be:

    The port to the known DHCP server is always trusted.

  • Nick

    Nick says: 2010-05-17 07:43:34

    All the questions were relevant, except this one:

    What is the purpose of the VLAN hopping with double tagging attack?

    I don't remember reading up on this one or seeing it in any of the videos I've used.

    The only double tagging I can recall is when the native VLAN is tagged and the attacker attempts to add an 802.1Q tag to the native VLAN.

  • Thien Thu

    Thien Thu says: 2010-05-11 16:47:04

    The questions are reasonable and cover topics on switch security.

  • Igor

    Igor says: 2010-03-13 20:19:44

    These sets of questions contain wrong answers... Well, as it seems to me ;-)

    It's also weird that some questions exist about topics which aren't covered in either the Official Certification Guide or the Quick Reference, etc.

    Regards,

    Igor.
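The DHCP snooping setup that Aaron Street, David Diaz and Lars Arvidsson describe above (enable the feature globally, which leaves every port untrusted, then explicitly trust only the port leading to the known DHCP server) as a worked Cisco IOS configuration. This is an added example, not the page's or any commenter's own configuration. The interface names, VLAN 10 as the client VLAN, and the rate limit value are assumptions.

```cisco
! Added example, not from the page. Assumptions: Catalyst switch,
! VLAN 10 = client VLAN, Gi1/0/1 = uplink toward the known DHCP server,
! Gi1/0/2-24 = client access ports.

! Step 1: turn the feature on globally. From this point every port is
! untrusted, so DHCP server messages (OFFER/ACK/NAK) are dropped on all
! ports until a trusted port is configured. Nothing is trusted "automagically".
ip dhcp snooping
ip dhcp snooping vlan 10

! Step 2: trust only the port that leads to the legitimate DHCP server.
! If the server sits behind another switch, the inter-switch trunk is the
! port to trust here instead.
interface GigabitEthernet1/0/1
 description Uplink toward known DHCP server
 switchport mode trunk
 ip dhcp snooping trust
!
! Step 3: leave client ports untrusted. "no ip dhcp snooping trust" is
! already the default; it is written out to make the intent explicit.
! The rate limit caps client DHCP traffic so a host flooding DISCOVERs
! err-disables its own port rather than exhausting the server's scope.
interface range GigabitEthernet1/0/2 - 24
 description Client access ports (untrusted)
 switchport mode access
 switchport access vlan 10
 no ip dhcp snooping trust
 ip dhcp snooping limit rate 15
!
```

To verify the result, `show ip dhcp snooping` lists the snooping VLANs and which interfaces are trusted, and `show ip dhcp snooping binding` shows the client leases learned through the trusted port. The check worth doing after any change is that the trusted-interface list contains only uplinks toward the server: a client-facing port that appears there would let a rogue server on that port answer clients, which is exactly the case the commenters argue question 14 gets wrong.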