Security fundamentals

What is the maximum number of MAC addresses port security allows by default on a switchport when enabled?

• A 1 ✓
• B 2
• C 8
• D 16

Answer: By default, port security allows a maximum of 1 MAC address per secured port.

Which port-security violation mode drops offending traffic, logs the event, and increments the violation counter without disabling the port?

• A protect
• B restrict ✓
• C shutdown
• D disable

Answer: Restrict mode drops traffic, generates a log/SNMP message, and increments the counter; protect drops silently and shutdown err-disables.

Which type of access control list can match on both source and destination IP addresses, protocols, and port numbers?

• A Standard ACL
• B Extended ACL ✓
• C Reflexive ACL only
• D Named standard ACL

Answer: Extended ACLs filter on source and destination addresses, protocol, and port numbers; standard ACLs match source only.

Which numbered range is valid for a standard IPv4 ACL?

• A 1-99 ✓
• B 100-199
• C 200-299
• D 300-399

Answer: Standard IPv4 ACLs use 1-99 (and the expanded 1300-1999); extended ACLs use 100-199 and 2000-2699.

What is the implicit rule at the end of every Cisco ACL?

• A permit ip any any
• B deny ip any any ✓
• C permit tcp any any
• D log all

Answer: Every ACL ends with an implicit 'deny any', so at least one permit statement is required to pass traffic.

In an ACL, what does the wildcard mask 0.0.0.255 match?

• A A single host
• B All hosts in a /24 network ✓
• C All hosts in a /16 network
• D Any address

Answer: A wildcard of 0.0.0.255 matches the first three octets exactly and any value in the last octet, i.e., a /24.