A. Router ACLs can be applied to the input and output directions of a VLAN interface.
B. Bridged ACLs can be applied to the input and output directions of a VLAN interface.
C. Only router ACLs can be applied to a VLAN interface.
D. VLAN maps and router ACLs can be used in combination.
E. VLAN maps can be applied to a VLAN interface

A. Discards ARP packets with invalid IP-to-MAC address bindings on trusted ports
B. Validates outgoing ARP requests for interfaces configured on VLAN 10， 11， 12， or 15
C. Intercepts， logs， and discards ARP packets with invalid IP-to-MAC address bindings
D. Intercepts all ARP requests and responses on trusted ports
E. None of the other alternatives apply

A. Configure the switch to insert and remove DHCP relay information （option-82 field） in forwarded  DHCP request messages.
B. Configure DHCP snooping globally.
C. Configure the switch as a DHCP server.
D. Configure DHCP snooping on an interface.
E. Configure all interfaces as DHCP snooping trusted interfaces.
F. Configure DHCP snooping on a VLAN or range of VLANs.

A. STP
B. CDP
C. EAP MD5
D. TACACS+
E. EAP-over-LAN
F. protocols not filtered by an ACL

A. DAI can be performed on ingress ports only.
B. DAI can be performed on both ingress and egress ports.
C. DAI is supported on access ports， trunk ports， EtherChannel ports， and private VLAN ports.  
D. DAI should be enabled on the root switch for particular VLANs only in order to secure the ARP  caches of hosts in the domain.
E. DAI should be configured on all access switch ports as untrusted and on all switch ports connected to other switches as trusted.
F. DAI is supported on access and trunk ports only.

A. TACACS+ is the only supported authentication server type.
B. If a host initiates the authentication process and does not receive a response， it assumes it is  not authorized.
C. RADIUS is the only supported authentication server type.
D. Before transmitting data， an 802.1x host must determine the authorization state of the switch.
E. Hosts are required to havea 802.1x authentication client or utilize PPPoE.
F. None of the other alternatives apply.

A. The switch will uniquely authorize the client by using the client MAC address.
B. The switch will cause the port to remain in the unauthorized state， ignoring all attempts by the  client to authenticate.
C. The switch port will disable 802.1x port-based authentication and cause the port to transition to  the authorized state without any further authentication exchange.
D. The switch port will enable 802.1x port-based authentication and begin relaying authentication  messages between the client and the authentication server.

A. Configure only trusted interfaces with root guard.
B. Implement private VLANs （PVLANs） to carry only user traffic.
C. Implement private VLANs （PVLANs） to carry only DHCP traffic.
D. Configure only untrusted interfaces with root guard.
E. Configure DHCP spoofing on all ports that connect untrusted clients.
F. Configure DHCP snooping only on ports that connect trusted DHCP servers.
G. None of the other alternatives apply

A. MAC spoofing attacks allow an attacking device to receive frames intended for a different  network host.
B. Port scanners are the most effective defense against dynamic ARP inspection.
C. MAC spoofing, in conjunction with ARP snooping, is the most effective counter-measure against reconnaissance attacks that use dynamic ARP inspection (DAI) to determine vulnerable  attack points.
D. Dynamic ARP inspection in conjunction with ARP spoofing can be used to counter DHCP  snooping attacks.
E. DHCP snooping sends unauthorized replies to DHCP queries.
F. ARP spoofing can be used to redirect traffic to counter dynamic ARP inspection.
G. None of the other alternatives apply.

A. The port will permit the new MAC address because one or more of the original MAC addresses  are inactive.
B. The port will permit the new MAC address because one or more of the original MAC addresses  will age out.
C. Because the new MAC address is not configured on the port， the port will not permit the new  MAC address.
D. Although one or more of the original MAC addresses are inactive， the port will not permit the  new MAC address.

A. Spanning tree PortFast cannot be configured on a port where a voice VLAN is configured.
B. Sticky secure MAC addresses cannot be used on a port when a voice VLAN is configured.
C. Spanning tree PortFast cannot be configured on a port when a sticky secure MAC address is  used.
D. The switch port must be configured as a trunk.