NEW DUMPS– How to prepare the Cisco 642-813 exam and to 100 percent pass it without any problem?Cisco 642-813 just published the newest Cisco 642-813 Flydumps with all the new updated exam questions and answers. You can get the free new version on Flydumps.com
Exam A
QUESTION 1
Which statement is true about RSTP topology changes?
A. Any change in the state of the port generates a TC BPDU.
B. Only nonedge ports moving to the forwarding state generate a TC BPDU.
C. If either an edge port or a nonedge port moves to a block state, then a TC BPDU is generated.
D. Only edge ports moving to the blocking state generate a TC BPDU.
E. Any loss of connectivity generates a TC BPDU.
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
The IEEE 802.1D Spanning Tree Protocol was designed to keep a switched or bridged network loop free,
with adjustments made to the network topology dynamically. A topology change typically takes 30
seconds, where a port moves from the Blocking state to the Forwarding state after two intervals of the
Forward Delay timer. As technology has improved, 30 seconds has become an unbearable length of time
to wait for a production network to failover or “heal” itself during a problem.
Topology Changes and RSTP
Recall that when an 802.1D switch detects a port state change (either up or down), it signals the Root
Bridge by sending topology change notification (TCN) BPDUs. The Root Bridge then announces the change
to every switch in the STP domain by setting the Topology Change (TC) flag in the configuration BPDUs it
sends, which are relayed hop by hop. RSTP, in contrast, detects a topology change only when a nonedge
port transitions to the Forwarding state. This might seem odd because a link failure is not used as a
trigger, but RSTP relies on its rapid convergence mechanisms to prevent bridging loops from forming, so
loss of a link needs no special signalling.
Therefore, topology changes are detected only so that bridging tables can be updated and corrected as
hosts appear first on a failed port and then on a different functioning port. When a topology change is
detected, a switch must propagate news of the change to other switches in the network so they can correct
their bridging tables, too. This process is similar to the convergence and synchronization mechanism:
topology change (TC) messages propagate through the network in an ever-expanding wave.
QUESTION 2
Refer to the exhibit.
Which four statements about this GLBP topology are true? (Choose four.)
A. Router A is responsible for answering ARP requests sent to the virtual IP address.
B. If router A becomes unavailable, router B forwards packets sent to the virtual MAC address of router A.
C. If another router is added to this GLBP group, there would be two backup AVGs.
D. Router B is in GLBP listen state.
E. Router A alternately responds to ARP requests with different virtual MAC addresses.
F. Router B transitions from blocking state to forwarding state when it becomes the AVG.
Correct Answer: ABDE Section: (none) Explanation
Explanation/Reference:
Explanation:
With GLBP the following is true:
In a GLBP group there is one active virtual gateway (AVG) and one standby AVG; any further routers are in
the listen state for the gateway role. Every router in the group, the AVG included, can also be an active
virtual forwarder (AVF) for one of the group's virtual MAC addresses, so Router B is already forwarding
and routing packets even though it is not the AVG.
In the exhibit Router A is the AVG. The AVG alone answers ARP requests sent to the virtual IP address and,
to load balance, replies with a different virtual MAC address in turn (statements A and E).
For the virtual MAC address owned by Router A, Router B is the secondary forwarder and is in the listen
state; if Router A becomes unavailable, Router B becomes the active forwarder for that MAC address and
forwards the frames hosts keep sending to it (statements B and D).
Adding another router would not create a second standby AVG, only another router in listen state
(C is wrong), and GLBP has no blocking or forwarding states (F is wrong).
QUESTION 3
Refer to the exhibit.
Which VRRP statement about the roles of the master virtual router and the backup virtual router is true?
A. Router A is the master virtual router, and router B is the backup virtual router. When router A fails, router B becomes the master virtual router. When router A recovers, router B maintains the role of master virtual router.
B. Router A is the master virtual router, and router B is the backup virtual router. When router A fails, router B becomes the master virtual router. When router A recovers, it regains the master virtual router role.
C. Router B is the master virtual router, and router A is the backup virtual router. When router B fails, router A becomes the master virtual router. When router B recovers, router A maintains the role of master virtual router.
D. Router B is the master virtual router, and router A is the backup virtual router. When router B fails, router A becomes the master virtual router. When router B recovers, it regains the master virtual router role.
Correct Answer: B Section: (none) Explanation Explanation/Reference:
Explanation: VRRP elects the router with the highest priority as the master virtual router; the others are backups. Unlike HSRP, VRRP preempts by default, so when router A recovers it takes the master role back from router B unless preemption has been explicitly disabled.
QUESTION 4
Which description correctly describes a MAC address flooding attack?
A. The attacking device crafts ARP replies intended for valid hosts. The MAC address of the attacking device then becomes the destination address found in the Layer 2 frames sent by the valid network device.
B. The attacking device crafts ARP replies intended for valid hosts. The MAC address of the attacking device then becomes the source address found in the Layer 2 frames sent by the valid network device.
C. The attacking device spoofs a destination MAC address of a valid host currently in the CAM table. The switch then forwards frames destined for the valid host to the attacking device.
D. The attacking device spoofs a source MAC address of a valid host currently in the CAM table. The switch then forwards frames destined for the valid host to the attacking device.
E. Frames with unique, invalid destination MAC addresses flood the switch and exhaust CAM table space. The result is that new entries cannot be inserted because of the exhausted CAM table space, and traffic is subsequently flooded out all ports.
F. Frames with unique, invalid source MAC addresses flood the switch and exhaust CAM table space. The result is that new entries cannot be inserted because of the exhausted CAM table space, and traffic is subsequently flooded out all ports.
Correct Answer: F Section: (none) Explanation
Explanation/Reference:
Explanation: The attacker sends a stream of frames, each with a different bogus source MAC address. The switch learns every one of them until the CAM table is full. Once it can no longer learn the real hosts' addresses (for example after their entries age out), frames destined for those hosts are flooded out all ports in the VLAN, including the attacker's, so the switch behaves like a hub and the attacker can sniff other hosts' traffic. Note that learning is driven by the source address, which is why E is wrong.
QUESTION 5
Refer to the exhibit.
An attacker is connected to interface Fa0/11 on switch A-SW2 and attempts to establish a DHCP server for a man-in-the-middle attack. Which recommendation, if followed, would mitigate this type of attack?
A. All switch ports in the Building Access block should be configured as DHCP trusted ports.
B. All switch ports in the Building Access block should be configured as DHCP untrusted ports.
C. All switch ports connecting to hosts in the Building Access block should be configured as DHCP trusted ports.
D. All switch ports connecting to hosts in the Building Access block should be configured as DHCP untrusted ports.
E. All switch ports in the Server Farm block should be configured as DHCP untrusted ports.
F. All switch ports connecting to servers in the Server Farm block should be configured as DHCP untrusted ports.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: One of the ways that an attacker can gain access to network traffic is to spoof responses that would be sent by a valid DHCP server. The DHCP spoofing device replies to client DHCP requests. The legitimate server may reply also, but if the spoofing device is on the same segment as the client, its reply to the client may arrive first. The intruder’s DHCP reply offers an IP address and supporting information that designates the intruder as the default gateway or Domain Name System (DNS) server. In the case of a gateway, the clients will then forward packets to the attacking device, which will in turn send them to the desired destination. This is referred to as a “man-in-the-middle” attack, and it may go entirely undetected as the intruder intercepts the data flow through the network. Untrusted ports are those that are not explicitly configured as trusted. A DHCP binding table is built for untrusted ports. Each entry contains the client MAC address, IP address, lease time, binding type, VLAN number, and port ID recorded as clients make DHCP requests. The table is then used to filter subsequent DHCP traffic. From a DHCP snooping perspective, untrusted access ports should not send any DHCP server responses, such as DHCPOFFER, DHCPACK, DHCPNAK.
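The trust rule described above, as an added example in Python that is not part of the original page or of Cisco IOS: a small model of a DHCP snooping switch. Port names, MAC and IP addresses and the message sequence are constructed for illustration, and the binding table is reduced to what the drop/forward decision needs.

```python
"""DHCP snooping trust model (added example; not Cisco IOS code).

Ports are untrusted unless configured trusted. Server-side message types
(OFFER, ACK, NAK) arriving on an untrusted port are dropped, which is what
stops the rogue server on Fa0/11. Client messages on untrusted ports must
carry a chaddr matching the frame's source MAC, and a RELEASE is accepted
only from the port and VLAN that hold the lease. A lease is recorded when
the real server (behind a trusted port) ACKs a request seen earlier.
"""

# DHCP message type codes (RFC 2132 option 53).
DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE = 1, 2, 3, 5, 6, 7
SERVER_MESSAGES = {OFFER, ACK, NAK}


class Dhcp:
    def __init__(self, msg_type, src_mac, chaddr, yiaddr=""):
        self.msg_type = msg_type
        self.src_mac = src_mac      # Ethernet source of the frame
        self.chaddr = chaddr        # client hardware address in the payload
        self.yiaddr = yiaddr        # address assigned by the server (ACK)


class SnoopingSwitch:
    def __init__(self, snooped_vlans, trusted_ports=()):
        self.snooped_vlans = set(snooped_vlans)
        self.trusted = set(trusted_ports)
        self.pending = {}     # chaddr -> (vlan, port) of an outstanding request
        self.bindings = {}    # chaddr -> (ip, vlan, port)
        self.log = []

    def handle(self, port, vlan, pkt):
        """Return 'forward' or 'drop' for a DHCP packet received on port/vlan."""
        if vlan not in self.snooped_vlans:
            return "forward"                       # snooping not enabled here
        if port in self.trusted:
            if pkt.msg_type == ACK and pkt.chaddr in self.pending:
                v, p = self.pending.pop(pkt.chaddr)
                self.bindings[pkt.chaddr] = (pkt.yiaddr, v, p)
            return "forward"                       # trusted ports are never filtered
        if pkt.msg_type in SERVER_MESSAGES:
            self.log.append(f"dropped server message {pkt.msg_type} on untrusted {port}")
            return "drop"
        if pkt.src_mac != pkt.chaddr:
            self.log.append(f"chaddr/source MAC mismatch on {port}")
            return "drop"
        if pkt.msg_type == RELEASE:
            b = self.bindings.get(pkt.chaddr)
            if b is None or b[1] != vlan or b[2] != port:
                self.log.append(f"RELEASE for a lease not held on {port}")
                return "drop"
            del self.bindings[pkt.chaddr]
            return "forward"
        if pkt.msg_type in (DISCOVER, REQUEST):
            self.pending[pkt.chaddr] = (vlan, port)
        return "forward"


def demo():
    """Rogue server on Fa0/11, real server behind trusted uplink Gi0/1 (constructed)."""
    sw = SnoopingSwitch(snooped_vlans={10}, trusted_ports={"Gi0/1"})
    host, rogue, server = "00:11:22:33:44:55", "de:ad:be:ef:00:01", "00:50:56:aa:bb:cc"
    results = {}
    results["request"] = sw.handle("Fa0/2", 10, Dhcp(REQUEST, host, host))
    results["rogue_offer"] = sw.handle("Fa0/11", 10, Dhcp(OFFER, rogue, host, "10.0.10.200"))
    results["real_ack"] = sw.handle("Gi0/1", 10, Dhcp(ACK, server, host, "10.0.10.50"))
    results["binding"] = sw.bindings.get(host)
    # Attacker spoofs the host's MAC from its own port to release the lease.
    results["release_wrong_port"] = sw.handle("Fa0/11", 10, Dhcp(RELEASE, host, host))
    results["release_right_port"] = sw.handle("Fa0/2", 10, Dhcp(RELEASE, host, host))
    results["offer_unsnooped_vlan"] = sw.handle("Fa0/11", 20, Dhcp(OFFER, rogue, host))
    return results, sw


if __name__ == "__main__":
    for k, v in demo()[0].items():
        print(f"{k}: {v}")
```

The last case is the caveat the exam answer hides: snooping is per VLAN, so a rogue server on a VLAN that is not listed in `ip dhcp snooping vlan` is not filtered at all.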
QUESTION 6
Refer to the exhibit.
The web servers WS_1 and WS_2 need to be accessed by external and internal users. For security reasons, the servers should not communicate with each other, although they are located on the same subnet. However, the servers do need to communicate with a database server located in the inside network. Which configuration isolates the servers from each other?
A. The switch ports 3/1 and 3/2 are defined as secondary VLAN isolated ports. The ports connecting to the two firewalls are defined as primary VLAN promiscuous ports.
B. The switch ports 3/1 and 3/2 are defined as secondary VLAN community ports. The ports connecting to the two firewalls are defined as primary VLAN promiscuous ports.
C. The switch ports 3/1 and 3/2 and the ports connecting to the two firewalls are defined as primary VLAN promiscuous ports.
D. The switch ports 3/1 and 3/2 and the ports connecting to the two firewalls are defined as primary VLAN community ports.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
Service providers often have devices from multiple clients, in addition to their own servers, on a single
Demilitarized Zone (DMZ) segment or VLAN. As security issues proliferate, it becomes necessary to
provide traffic isolation between devices, even though they may exist on the same Layer 3 segment and
VLAN. Catalyst 6500/4500 switches implement PVLANs to keep some switch ports shared and some
switch ports isolated, although all ports exist on the same VLAN. The 2950 and 3550 support "protected
ports," which offer similar functionality on a per-switch basis.
A port in a PVLAN can be one of three types:
Isolated: An isolated port has complete Layer 2 separation from other ports within the same PVLAN,
except for the promiscuous port. PVLANs block all traffic to isolated ports, except the traffic from
promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.
Promiscuous: A promiscuous port can communicate with all ports within the PVLAN, including the
community and isolated ports. The default gateway for the segment would likely be hosted on a
promiscuous port, given that all devices in the PVLAN will need to communicate with that port.
Community: Community ports communicate among themselves and with their promiscuous ports. These
interfaces are isolated at Layer 2 from all other interfaces in other communities, and from isolated ports
within their PVLAN.
In this question WS_1 and WS_2 must not see each other but must both reach the firewalls, so their ports
are isolated ports and the firewall ports are promiscuous (A). Community ports (B) would let the two web
servers talk to each other.
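The three port types above reduce to a small forwarding rule. The following is an added example in Python (not code from the page or from Cisco) that encodes that rule and applies it to the question's topology; the port and community names are constructed.

```python
"""Private VLAN forwarding rule, modelled (added example; not Cisco code).

All ports share one primary VLAN. A frame entering on `src` may leave on
`dst` only if: either side is promiscuous, or both are community ports of
the same community. Isolated ports never reach each other.
"""
PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"


class PvlanPort:
    def __init__(self, name, role, community=None):
        if role == COMMUNITY and community is None:
            raise ValueError("community ports need a community (secondary VLAN) id")
        self.name, self.role, self.community = name, role, community


def can_forward(src, dst):
    """True if a frame received on src may be delivered out of dst."""
    if src is dst:
        return False
    if PROMISCUOUS in (src.role, dst.role):
        return True                          # promiscuous talks to everything
    if src.role == COMMUNITY and dst.role == COMMUNITY:
        return src.community == dst.community
    return False                             # isolated <-> non-promiscuous: never


def reachable(src, ports):
    """Sorted names of the ports a frame from src can reach."""
    return sorted(p.name for p in ports if can_forward(src, p))


def dmz(role_for_servers, community=None):
    """Topology of the question: two web servers and two firewall ports."""
    ws1 = PvlanPort("3/1", role_for_servers, community)
    ws2 = PvlanPort("3/2", role_for_servers, community)
    fw1 = PvlanPort("fw-outside", PROMISCUOUS)
    fw2 = PvlanPort("fw-inside", PROMISCUOUS)
    ports = [ws1, ws2, fw1, fw2]
    return reachable(ws1, ports)


if __name__ == "__main__":
    print("isolated servers reach:", dmz(ISOLATED))
    print("community servers reach:", dmz(COMMUNITY, community=101))
```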
QUESTION 7
What does the command udld reset accomplish?
A. allows a UDLD port to automatically reset when it has been shut down
B. resets all UDLD enabled ports that have been shut down
C. removes all UDLD configurations from interfaces that were globally enabled
D. removes all UDLD configurations from interfaces that were enabled per-port
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: The udld reset command re-enables every interface that UDLD has shut down (placed in err-disabled state) after detecting a unidirectional link. It does not add or remove any UDLD configuration.
QUESTION 8
Refer to the exhibit.
Dynamic ARP Inspection is enabled only on switch SW_A. Host_A and Host_B acquire their IP addresses from the DHCP server connected to switch SW_A. What would the outcome be if Host_B initiated an ARP spoof attack toward Host_A ?
A. The spoof packets are inspected at the ingress port of switch SW_A and are permitted.
B. The spoof packets are inspected at the ingress port of switch SW_A and are dropped.
C. The spoof packets are not inspected at the ingress port of switch SW_A and are permitted.
D. The spoof packets are not inspected at the ingress port of switch SW_A and are dropped.
Correct Answer: C Section: (none) Explanation Explanation/Reference:
Explanation:
When configuring DAI, follow these guidelines and restrictions:
· DAI is an ingress security feature; it does not perform any egress checking.
· DAI is not effective for hosts connected to switches that do not support DAI or that do not have the
feature enabled. Because man-in-the-middle attacks are limited to a single Layer 2 broadcast domain,
separate the domain with DAI checks from the one with no checking. This action secures the ARP caches
of hosts in the domain enabled for DAI.
· DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings
in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping so that ARP packets
from hosts with dynamically assigned IP addresses are permitted.
· When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to deny
packets.
· DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
In this scenario Host_B is attached to a switch on which DAI is not enabled (the second bullet). Its
spoofed ARP packets reach SW_A over the inter-switch link, which (as is normal for links between
switches) is a DAI trusted port, so they are not inspected at SW_A's ingress and are permitted.
Reference:
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/dynarp.html
QUESTION 9
Which statement is true about Layer 2 security threats?
A. MAC spoofing, in conjunction with ARP snooping, is the most effective counter-measure against reconnaissance attacks that use Dynamic ARP Inspection to determine vulnerable attack points.
B. DHCP snooping sends unauthorized replies to DHCP queries.
C. ARP spoofing can be used to redirect traffic to counter Dynamic ARP Inspection.
D. Dynamic ARP Inspection in conjunction with ARP spoofing can be used to counter DHCP snooping attacks.
E. MAC spoofing attacks allow an attacking device to receive frames intended for a different network host.
F. Port scanners are the most effective defense against Dynamic ARP Inspection.
Correct Answer: E Section: (none) Explanation
Explanation/Reference:
Explanation:
First of all, MAC spoofing is not an effective counter-measure against any reconnaissance attack; it IS an
attack! Furthermore, reconnaissance attacks don’t use dynamic ARP inspection (DAI); DAI is a switch
feature used to prevent attacks.
QUESTION 10
What does the global configuration command ip arp inspection vlan 10-12,15 accomplish?
A. validates outgoing ARP requests for interfaces configured on VLAN 10, 11, 12, or 15
B. intercepts all ARP requests and responses on trusted ports
C. intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings
D. discards ARP packets with invalid IP-to-MAC address bindings on trusted ports
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: The "ip arp inspection vlan" command enables Dynamic ARP Inspection (DAI) for the specified VLANs; the VLAN list syntax accepts ranges and comma-separated values, so 10-12,15 covers VLANs 10, 11, 12 and 15. DAI is a security feature that validates Address Resolution Protocol (ARP) packets in a network. It intercepts, logs, and discards ARP packets with invalid MAC-address-to-IP-address bindings, using the DHCP snooping binding database (or ARP ACLs) as the source of truth. Packets on trusted ports are not inspected, which is why B and D are wrong. This capability protects the network from certain man-in-the-middle attacks.
Reference:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/20ew/configuration/guide/dynarp .html
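The inspection behaviour of questions 8 and 10 in working code, as an added example in Python that is not part of the page or of Cisco IOS. It parses the IOS VLAN-list syntax, builds and parses raw Ethernet/ARP frames, and applies the DAI decision to an untrusted host port, a trusted inter-switch link and a VLAN that is not inspected. All addresses, port names and the binding table are constructed; the "sender MAC must equal Ethernet source" check models the optional `validate src-mac` behaviour.

```python
"""Dynamic ARP Inspection, modelled (added example; not Cisco IOS code).

`ip arp inspection vlan 10-12,15` turns DAI on for those VLANs only. On
those VLANs, ARP packets from untrusted ports are checked against the
DHCP snooping binding table (sender IP must be bound to the sender MAC on
that VLAN); trusted ports and other VLANs are not inspected at all, which
is why a spoof arriving over a trusted inter-switch link is not caught.
"""
import struct

ARP_REQUEST, ARP_REPLY = 1, 2


def parse_vlan_list(spec):
    """'10-12,15' -> {10, 11, 12, 15} (IOS VLAN-list syntax)."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_arp(src_mac, dst_mac, op, sender_mac, sender_ip, target_mac, target_ip):
    """Untagged Ethernet II frame carrying an ARP packet (constructed input)."""
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip))
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x06" + arp


def parse_arp(frame):
    """Return the fields DAI looks at, or None if the frame is not ARP."""
    if frame[12:14] != b"\x08\x06":
        return None
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {
        "eth_src": fmt_mac(frame[6:12]),
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": fmt_mac(frame[22:28]),
        "sender_ip": fmt_ip(frame[28:32]),
        "target_ip": fmt_ip(frame[38:42]),
    }


class Dai:
    def __init__(self, vlan_spec, trusted_ports, bindings):
        self.vlans = parse_vlan_list(vlan_spec)
        self.trusted = set(trusted_ports)
        self.bindings = bindings     # {vlan: {ip: mac}} learned by DHCP snooping
        self.log = []

    def inspect(self, port, vlan, frame):
        """'permit' or 'drop' for a frame arriving on port/vlan."""
        if vlan not in self.vlans or port in self.trusted:
            return "permit"                      # not inspected at all
        arp = parse_arp(frame)
        if arp is None:
            return "permit"                      # DAI only looks at ARP
        if arp["eth_src"] != arp["sender_mac"]:
            self.log.append(f"{port}: Ethernet source != ARP sender MAC")
            return "drop"
        if self.bindings.get(vlan, {}).get(arp["sender_ip"]) != arp["sender_mac"]:
            self.log.append(f"{port}: invalid binding {arp['sender_ip']} -> {arp['sender_mac']}")
            return "drop"
        return "permit"


def demo():
    """Host_B claims to be the gateway 10.10.10.1 toward Host_A (constructed)."""
    host_a, host_b = "00:00:0c:00:00:0a", "00:00:0c:00:00:0b"
    bindings = {10: {"10.10.10.5": host_a, "10.10.10.6": host_b}}
    dai = Dai("10-12,15", trusted_ports={"Gi0/1"}, bindings=bindings)
    spoof = build_arp(host_b, host_a, ARP_REPLY, host_b, "10.10.10.1", host_a, "10.10.10.5")
    honest = build_arp(host_b, host_a, ARP_REPLY, host_b, "10.10.10.6", host_a, "10.10.10.5")
    return {
        "spoof_on_untrusted_host_port": dai.inspect("Fa0/2", 10, spoof),
        "honest_on_untrusted_host_port": dai.inspect("Fa0/2", 10, honest),
        "spoof_over_trusted_uplink": dai.inspect("Gi0/1", 10, spoof),
        "spoof_on_uninspected_vlan": dai.inspect("Fa0/2", 20, spoof),
        "log": list(dai.log),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two "permit" results for the spoofed reply are the point of question 8: DAI protects only the switch it runs on, and only on the VLANs and untrusted ports it is told to watch.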
QUESTION 11
Refer to the exhibit.
Host A has sent an ARP message to the default gateway IP address 10.10.10.1. Which statement is true?
A. Because of the invalid timers that are configured, DSw1 does not reply.
B. DSw1 replies with the IP address of the next AVF.
C. DSw1 replies with the MAC address of the next AVF.
D. Because of the invalid timers that are configured, DSw2 does not reply.
E. DSw2 replies with the IP address of the next AVF.
F. DSw2 replies with the MAC address of the next AVF.
Correct Answer: F Section: (none) Explanation
Explanation/Reference:
Explanation:
The Gateway Load Balancing Protocol (GLBP) is a Cisco-proprietary protocol designed to overcome the
limitations of existing redundant router protocols. Some of the concepts are the same as with HSRP/
VRRP, but the terminology is different and the behavior is much more dynamic and robust.
The trick behind this load balancing lies in the GLBP group. One router is elected the active virtual gateway
(AVG). This router has the highest priority value, or the highest IP address in the group, if there is no
highest priority. The AVG answers all ARP requests for the virtual router address. Which MAC address it returns depends on which load-balancing algorithm it is configured to use. In any event, the virtual MAC address supported by one of the routers in the group is returned. According to exhibit, Router Company2 is the Active Virtual Gateway (AVG) router because it has highest IP address even having equal priority. When router Company1 sends the ARP message to 10.10.10.1 Router Company2 will reply to Company1 as a Active Virtual Router.
QUESTION 12
What are two methods of mitigating MAC address flooding attacks? (Choose two.)
A. Place unused ports in a common VLAN.
B. Implement private VLANs.
C. Implement DHCP snooping.
D. Implement port security.
E. Implement VLAN access maps
Correct Answer: DE Section: (none) Explanation
Explanation/Reference:
Explanation: Port security limits the number of MAC addresses a port may learn and applies a violation action (protect, restrict or shutdown) when the limit is exceeded, so an attacker cannot fill the CAM table from a single port. VLAN access maps can additionally filter frames by MAC address. Private VLANs, DHCP snooping and the VLAN assignment of unused ports address other threats, not CAM table exhaustion.
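The attack of question 4 and the port-security mitigation of question 12, run end to end as an added example in Python (not code from the page or from Cisco). The switch model learns on source MAC, floods unknown unicast when it cannot learn, and optionally enforces a per-port MAC limit with the shutdown action. Port names, addresses, table size and the single-shot aging are constructed simplifications.

```python
"""CAM table exhaustion and port security, modelled (added example; not Cisco code).

A switch learns the source MAC of every frame. Once the table is full it
cannot learn new stations, and frames whose destination it does not know
are flooded out every port in the VLAN, so the attacker's port sees other
hosts' unicast traffic. Port security caps the number of MACs a port may
source; the 'shutdown' action err-disables the port on a violation.
"""
from collections import OrderedDict


class Switch:
    def __init__(self, ports, cam_size, max_macs=None, violation="shutdown"):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.cam = OrderedDict()          # mac -> port
        self.max_macs = max_macs          # port-security maximum, None = disabled
        self.violation = violation        # 'shutdown' | 'restrict' | 'protect'
        self.errdisabled = set()
        self.violations = 0

    def macs_on(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def age_out(self):
        """Aging timer expiry, simplified: forget every entry at once."""
        self.cam.clear()

    def receive(self, in_port, src_mac, dst_mac):
        """Return the list of ports the frame is forwarded out of."""
        if in_port in self.errdisabled:
            return []
        if (src_mac not in self.cam and self.max_macs is not None
                and self.macs_on(in_port) >= self.max_macs):
            self.violations += 1
            if self.violation == "shutdown":
                self.errdisabled.add(in_port)
            return []                      # offending frame is dropped
        if src_mac in self.cam or len(self.cam) < self.cam_size:
            self.cam[src_mac] = in_port    # learn or refresh
        out = self.cam.get(dst_mac)
        if out is None or out == in_port:  # unknown unicast (or broadcast): flood
            return [p for p in self.ports if p != in_port and p not in self.errdisabled]
        return [out]


def fake_mac(i):
    return f"02:00:00:00:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"


def flood(sw, port, count):
    """The macof pattern: many frames, each with a fresh source MAC."""
    for i in range(count):
        sw.receive(port, fake_mac(i), "ff:ff:ff:ff:ff:ff")


def scenario(port_security_max=None):
    """Hosts A and B on Fa0/1 and Fa0/2, attacker on Fa0/11 (constructed)."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/11"], cam_size=64, max_macs=port_security_max)
    a, b = "00:00:0c:00:00:0a", "00:00:0c:00:00:0b"
    sw.receive("Fa0/1", a, b)             # A and B are learned normally
    sw.receive("Fa0/2", b, a)
    flood(sw, "Fa0/11", 200)              # attacker fills the table
    sw.age_out()                          # entries age; attacker keeps going
    flood(sw, "Fa0/11", 200)
    sw.receive("Fa0/2", b, a)             # B tries to talk to A again
    return {
        "cam_entries": len(sw.cam),
        "a_to_b_out": sw.receive("Fa0/1", a, b),
        "attacker_errdisabled": "Fa0/11" in sw.errdisabled,
        "violations": sw.violations,
    }


if __name__ == "__main__":
    print("no port security:", scenario())
    print("port-security maximum 1:", scenario(port_security_max=1))
```

Without port security the frame from A to B is flooded to Fa0/11 as well, which is the sniffing condition; with a maximum of one address per port the attacker's second bogus source err-disables Fa0/11 and the real hosts' traffic stays unicast.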
QUESTION 13
Refer to the exhibit.
What information can be derived from the output?
A. Interfaces FastEthernet3/1 and FastEthernet3/2 are connected to devices that are sending BPDUs with a superior root bridge parameter and no traffic is forwarded across the ports. After the sending of BPDUs has stopped, the interfaces must be shut down administratively, and brought back up, to resume normal operation.
B. Devices connected to interfaces FastEthernet3/1 and FastEthernet3/2 are sending BPDUs with a superior root bridge parameter, but traffic is still forwarded across the ports.
C. Devices connected to interfaces FastEthernet3/1 and FastEthernet3/2 are sending BPDUs with a superior root bridge parameter and no traffic is forwarded across the ports. After the inaccurate BPDUs have been stopped, the interfaces automatically recover and resume normal operation.
D. Interfaces FastEthernet3/1 and FastEthernet3/2 are candidates for becoming the STP root port, but neither can realize that role until BPDUs with a superior root bridge parameter are no longer received on at least one of the interfaces.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: This is the behavior of STP root guard. A port with root guard that receives a superior BPDU (one advertising a better root bridge than the current root) is placed in the root-inconsistent state, in which it forwards no traffic. Once the superior BPDUs stop arriving the port recovers automatically; no administrative shut/no shut is needed. BPDU guard, by contrast, err-disables the port on any BPDU and does not recover on its own.
QUESTION 14
What is one method that can be used to prevent VLAN hopping?
A. Configure ACLs.
B. Enforce username and password combinations.
C. Configure all frames with two 802.1Q headers.
D. Explicitly turn off DTP on all unused ports.
E. Configure VACLs.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
When securing VLAN trunks, also consider the exploit called VLAN hopping, in which an attacker positioned on
one access VLAN gets frames delivered onto a totally different VLAN, all without the use of a router. It
takes two forms. In switch spoofing, the attacker's port is left in a dynamic DTP mode, so the attacker
negotiates a trunk and then has access to every VLAN carried on it. In double tagging, the attacker crafts
frames with two 802.1Q tags so that the packet payloads appear on another VLAN; for that to work, the
following conditions must exist in the network configuration:
The attacker is connected to an access switch port.
The same switch must have an 802.1Q trunk.
The trunk must have the attacker's access VLAN as its native VLAN.
To prevent VLAN hopping, turn off Dynamic Trunking Protocol on all unused and user-facing ports (make them
static access ports with trunk negotiation disabled), and do not use any user VLAN as the native VLAN of a
trunk.
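The three conditions for double tagging, demonstrated on raw frame bytes as an added example in Python (not code from the page or from Cisco). It builds a double-tagged frame, models the first switch's access-port ingress and trunk egress and the second switch's trunk ingress, and shows which VLAN the frame ends up in under the vulnerable and the corrected native-VLAN settings. The MAC addresses are constructed, and the access-port rule (a tagged frame is accepted only if its tag equals the access VLAN) is a modelling assumption.

```python
"""Double-tagged 802.1Q VLAN hopping, modelled (added example; not from the page).

The attacker on an access port builds a frame with two tags. The first
switch strips the outer tag (it equals the access VLAN) and, because that
VLAN is the trunk's native VLAN, sends the frame untagged on the trunk.
The inner tag is now the only tag, so the next switch puts the frame in
the inner VLAN. Changing the native VLAN, or tagging it, breaks the trick.
"""
import struct

TPID_8021Q = 0x8100


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst, src, vlan_tags, payload=b"hopping"):
    """Ethernet II frame with zero or more stacked 802.1Q tags (PCP/DEI zero)."""
    hdr = _mac(dst) + _mac(src)
    for vid in vlan_tags:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + b"\x08\x00" + payload         # IPv4 ethertype, then payload


def tags_of(frame):
    """VLAN ids stacked on the frame, outermost first."""
    tags, off = [], 12
    while frame[off:off + 2] == b"\x81\x00":
        tags.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return tags


def strip_outer_tag(frame):
    return frame[:12] + frame[16:]


def add_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def access_ingress(frame, access_vlan):
    """First switch, access port: accept a tagged frame only if the tag is the
    access VLAN (assumption), strip it, and assign the frame to that VLAN."""
    tags = tags_of(frame)
    if not tags:
        return access_vlan, frame
    if tags[0] != access_vlan:
        return None, None                      # dropped
    return access_vlan, strip_outer_tag(frame)


def trunk_egress(frame, vlan, native_vlan, tag_native):
    """First switch, trunk: the native VLAN leaves untagged unless the trunk
    is configured to tag it (`vlan dot1q tag native`); all others get a tag."""
    if vlan == native_vlan and not tag_native:
        return frame
    return add_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Second switch, trunk: outer tag decides the VLAN; untagged means native."""
    tags = tags_of(frame)
    return tags[0] if tags else native_vlan


def hop(access_vlan, target_vlan, native_vlan, tag_native=False):
    """VLAN the second switch assigns to the attacker's double-tagged frame."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "de:ad:be:ef:00:01",
                        [access_vlan, target_vlan])
    vlan, frame = access_ingress(frame, access_vlan)
    if vlan is None:
        return None
    frame = trunk_egress(frame, vlan, native_vlan, tag_native)
    return trunk_ingress(frame, native_vlan)


if __name__ == "__main__":
    print("native == attacker VLAN:", hop(10, 20, native_vlan=10))
    print("native changed to 99:   ", hop(10, 20, native_vlan=99))
    print("native VLAN tagged:     ", hop(10, 20, native_vlan=10, tag_native=True))
```

Only the first case lands in VLAN 20; either mitigation keeps the frame in the attacker's own VLAN 10. Note the attack is one-way: replies from VLAN 20 never find their way back, which is why it is used for injection rather than for reading traffic.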
QUESTION 15
Why is BPDU guard an effective way to prevent an unauthorized rogue switch from altering the spanning-tree topology of a network?
A. BPDU guard can guarantee proper selection of the root bridge.
B. BPDU guard can be utilized along with PortFast to shut down ports when a switch is connected to the port.
C. BPDU guard can be utilized to prevent the switch from transmitting BPDUs and incorrectly altering the root bridge election.
D. BPDU guard can be used to prevent invalid BPDUs from propagating throughout the network.
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: BPDU guard is enabled on PortFast (edge) ports, where an end station rather than a switch is expected. If any BPDU is received on such a port, the port is immediately placed in the err-disabled state, so a rogue switch plugged in there cannot take part in spanning tree or influence the root bridge election. It does not stop the switch itself from sending BPDUs (C is wrong) and it acts on the port, not on the BPDU contents (A and D are wrong).
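The two guard behaviours that questions 13 and 15 turn on, as an added example in Python that is not part of the page or of Cisco IOS: a per-port state machine for BPDU guard (err-disable on any BPDU, recover only by an administrative bounce or an assumed errdisable recovery timer) and root guard (root-inconsistent only on superior BPDUs, automatic recovery once they stop, modelled here as the max-age timer). Root bridge ids and port names are constructed.

```python
"""BPDU guard and root guard, modelled (added example; not Cisco IOS code).

BPDU guard on a PortFast (edge) port err-disables the port as soon as any
BPDU arrives; it comes back only when an administrator bounces it or the
errdisable recovery timer (assumed: `errdisable recovery cause bpduguard`)
expires. Root guard reacts only to *superior* BPDUs, those advertising a
better root than the current one, and holds the port in root-inconsistent
state; it recovers by itself once those BPDUs stop arriving, modelled
here as the max-age timer running out.
"""


class Port:
    def __init__(self, name, bpdu_guard=False, root_guard=False,
                 errdisable_recovery=None):
        self.name = name
        self.bpdu_guard = bpdu_guard
        self.root_guard = root_guard
        self.errdisable_recovery = errdisable_recovery   # seconds, None = manual only
        self.state = "forwarding"
        self.down_since = None
        self.last_superior = None

    def receive_bpdu(self, now, bpdu_root_id, current_root_id):
        """Root ids are (priority, mac) tuples; the lower one wins, as in STP."""
        if self.state == "err-disabled":
            return self.state                        # nothing is processed
        if self.bpdu_guard:
            self.state, self.down_since = "err-disabled", now
        elif self.root_guard and bpdu_root_id < current_root_id:
            self.state, self.last_superior = "root-inconsistent", now
        return self.state

    def tick(self, now, max_age=20):
        """Evaluate the timers at time `now` and return the resulting state."""
        if (self.state == "err-disabled" and self.errdisable_recovery is not None
                and now - self.down_since >= self.errdisable_recovery):
            self.state = "forwarding"
        if self.state == "root-inconsistent" and now - self.last_superior >= max_age:
            self.state = "forwarding"
        return self.state

    def shutdown_no_shutdown(self):
        """Administrative bounce: the only way out of err-disabled without a timer."""
        self.state = "forwarding"
        return self.state


# Constructed bridge ids: our root, a rogue claiming a better (lower) id, a worse one.
OUR_ROOT = (32768, "0000.0c00.0001")
SUPERIOR = (4096, "0000.0c00.9999")
INFERIOR = (61440, "0000.0c00.0002")


if __name__ == "__main__":
    edge = Port("Fa0/5", bpdu_guard=True, errdisable_recovery=300)
    print("edge after BPDU:", edge.receive_bpdu(0, INFERIOR, OUR_ROOT))
    print("edge at t=300:", edge.tick(300))
    uplink = Port("Fa3/1", root_guard=True)
    print("uplink after superior BPDU:", uplink.receive_bpdu(0, SUPERIOR, OUR_ROOT))
    print("uplink 20 s after they stop:", uplink.tick(20))
```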
QUESTION 16
What two steps can be taken to help prevent VLAN hopping? (Choose two.)
A. Place unused ports in a common unrouted VLAN.
B. Enable BPDU guard.
C. Implement port security.
D. Prevent automatic trunk configurations.
E. Disable Cisco Discovery Protocol on ports where it is not necessary.
Correct Answer: AD Section: (none) Explanation
Explanation/Reference:
Explanation: Preventing automatic trunk negotiation (DTP) removes the switch-spoofing form of VLAN hopping, and placing unused ports in an unused, unrouted VLAN keeps anyone who plugs into such a port off the native VLAN of every trunk. BPDU guard, port security and disabling CDP are sound practice but address other threats.
QUESTION 17
Refer to the exhibit.
Assume that Switch_A is active for the standby group and the standby device has only the default HSRP configuration. Which statement is true?
A. If port Fa1/1 on Switch_A goes down, the standby device takes over as active.
B. If the current standby device had the higher priority value, it would take over the role of active for the HSRP group.
C. If port Fa1/1 on Switch_A goes down, the new priority value for the switch would be 190.
D. If Switch_A had the highest priority number, it would not take over as active router.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: With HSRP interface tracking, the active router's priority is lowered by the track decrement when the tracked interface goes down; here the configured priority minus the decrement leaves Switch_A at 190. Because the standby device has only the default configuration, it has priority 100 and preemption disabled, so it does not take over when Switch_A drops to 190 (A is wrong), and a standby router with a higher priority would take over only if it were configured to preempt (B is wrong).
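The election rules behind questions 3 and 17, as an added example in Python that is not part of the page or of Cisco IOS: a first-hop redundancy group with priorities, preemption and interface tracking, using the defaults the exam relies on (HSRP priority 100 and no preemption, VRRP preemption on). The router names, addresses, the 200/10 priority and decrement and the tracked interface are constructed for illustration.

```python
"""HSRP/VRRP active-router election with preemption and interface tracking
(added example; not Cisco code). Defaults modelled: HSRP priority 100 and
preempt off, track decrement 10 unless given; VRRP preempt on.
"""


class Router:
    def __init__(self, name, ip, priority=100, preempt=False, tracks=None):
        self.name, self.ip = name, ip
        self.priority = priority
        self.preempt = preempt
        self.tracks = dict(tracks or {})      # interface -> priority decrement
        self.down_ifaces = set()
        self.alive = True

    def effective_priority(self):
        return self.priority - sum(d for i, d in self.tracks.items()
                                   if i in self.down_ifaces)

    def key(self):
        """Election key: higher priority wins, higher IP breaks ties."""
        return (self.effective_priority(), tuple(int(o) for o in self.ip.split(".")))


class Group:
    def __init__(self, protocol, routers):
        self.routers = {r.name: r for r in routers}
        if protocol == "vrrp":
            for r in routers:
                r.preempt = True                  # VRRP preempts unless disabled
        self.active = self._best().name           # initial election, all start together

    def _best(self):
        return max((r for r in self.routers.values() if r.alive), key=Router.key)

    def _reelect(self):
        cur = self.routers[self.active]
        best = self._best()
        if not cur.alive:
            self.active = best.name               # hellos stopped: standby takes over
        elif best is not cur and best.preempt and best.key() > cur.key():
            self.active = best.name               # only a preempting router evicts the active
        return self.active

    def interface_down(self, router, iface):
        self.routers[router].down_ifaces.add(iface)
        return self._reelect()

    def interface_up(self, router, iface):
        self.routers[router].down_ifaces.discard(iface)
        return self._reelect()

    def fail(self, router):
        self.routers[router].alive = False
        return self._reelect()

    def recover(self, router):
        self.routers[router].alive = True
        return self._reelect()


def hsrp_question_17():
    """Switch_A priority 200 tracking Fa1/1 (decrement 10); standby at defaults."""
    g = Group("hsrp", [Router("Switch_A", "10.1.1.2", 200, tracks={"Fa1/1": 10}),
                       Router("Switch_B", "10.1.1.3")])
    after_down = g.interface_down("Switch_A", "Fa1/1")
    return after_down, g.routers["Switch_A"].effective_priority(), g


def vrrp_question_3():
    """Router A master at priority 110, B backup; A fails and recovers."""
    g = Group("vrrp", [Router("A", "10.1.1.2", 110), Router("B", "10.1.1.3")])
    return g.fail("A"), g.recover("A")


if __name__ == "__main__":
    print("HSRP active after Fa1/1 down, A's priority:", hsrp_question_17()[:2])
    print("VRRP master after A fails, after A recovers:", vrrp_question_3())
```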
QUESTION 18
When an attacker is using switch spoofing to perform VLAN hopping, how is the attacker able to gather information?
A. The attacking station uses DTP to negotiate trunking with a switch port and captures all traffic that is allowed on the trunk.
B. The attacking station tags itself with all usable VLANs to capture data that is passed through the switch, regardless of the VLAN to which the data belongs.
C. The attacking station generates frames with two 802.1Q headers to cause the switch to forward the frames to a VLAN that would be inaccessible to the attacker through legitimate means.
D. The attacking station uses VTP to collect VLAN information that is sent out and then tags itself with the domain information to capture the data.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
DTP should be disabled for all user ports on a switch. If the port is left with DTP auto-configured (default on
many switches), an attacker can connect and arbitrarily cause the port to start trunking and therefore pass
all VLAN information.
Reference:
http://www.cisco.com/en/US/solutions/ns340/ns517/ns224/ns376/net_design_guidance0900aecd800ebd1e.pdf
QUESTION 19
Refer to the exhibit.
GLBP has been configured on the network. When the interface serial0/0/1 on router R1 goes down, how is the traffic coming from Host1 handled?
A. The traffic coming from Host1 and Host2 is forwarded through router R2 with no disruption.
B. The traffic coming from Host2 is forwarded through router R2 with no disruption. Host1 sends an ARP request to resolve the MAC address for the new virtual gateway.
C. The traffic coming from both hosts is temporarily interrupted while the switchover to make R2 active occurs.
D. The traffic coming from Host2 is forwarded through router R2 with no disruption. The traffic from Host1 is dropped due to the disruption of the load balancing feature configured for the GLBP group.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: The Gateway Load Balancing Protocol (GLBP) is a Cisco-proprietary protocol designed to overcome the limitations of HSRP and VRRP by letting every router in the group forward traffic. Some of the concepts are the same, but the terminology is different and the behavior is more dynamic and robust. One router is elected the active virtual gateway (AVG): the one with the highest priority value, or the highest IP address in the group if priorities are equal. The AVG answers all ARP requests for the virtual router address and returns the virtual MAC address of one of the active virtual forwarders (AVFs) according to the configured load-balancing algorithm, so Host1 and Host2 are normally spread across R1 and R2. When serial0/0/1 on R1 goes down, R1 stops acting as the forwarder for its virtual MAC address (typically because the interface is tracked and R1's weighting falls below its threshold) and R2 takes that virtual MAC address over. Host1 still has the same virtual MAC address in its ARP cache, so its traffic simply starts flowing through R2; no new ARP request (B) and no interruption (C, D) is involved.
QUESTION 20
Refer to the exhibit.
DHCP snooping is enabled for selected VLANs to provide security on the network. How do the switch ports handle the DHCP messages?
A. A DHCPOFFER packet from a DHCP server received on Ports Fa2/1 and Fa2/2 is dropped.
B. A DHCP packet received on ports Fa2/1 and Fa2/2 is dropped if the source MAC address and the DHCP client hardware address does not match Snooping database.
C. A DHCP packet received on ports Fa2/1 and Fa2/2 is forwarded without being tested.
D. A DHCPRELEASE message received on ports Fa2/1 and Fa2/2 has a MAC address in the DHCP snooping binding database, but the interface information in the binding database does not match the interface on which the message was received and is dropped.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: DHCP snooping tests only messages that arrive on untrusted ports. Because ports Fa2/1 and Fa2/2 are trusted (they face the DHCP server and the rest of the network), DHCP messages received on them, server replies included, are forwarded without being checked against the binding database. The checks described in A, B and D apply to untrusted ports only.