Double-Tagging VLAN Hopping: This attack exploits the way switches process 802.1Q tags on the native VLAN. By changing the native VLAN to an unused ID (not the default VLAN 1), the attacker's double-tagged frames are dropped or misdirected, neutralizing the exploit.

MAC Flooding: While Port Security is a direct mitigation, 802.1x authentication effectively mitigates this by enforcing strict access control. It prevents unauthorized devices (which might run flooding tools like macof) from connecting to the network and injecting frames to overflow the CAM table.

Man-in-the-Middle (MITM): DHCP snooping specifically mitigates MITM attacks caused by rogue DHCP servers (DHCP spoofing). It validates DHCP messages and builds a binding database used to block untrusted DHCP traffic.

Switch Spoofing: This relies on the Dynamic Trunking Protocol (DTP) to negotiate a trunk link. Disabling DTP (using switchport nonegotiate) prevents an attacker from tricking the switch into forming a trunk.

Cisco Systems, Inc., "Layer 2 Security Configuration Guide, Cisco IOS Release 15.0S," Configuring DHCP Snooping, Chapter 2. (Confirms DHCP snooping prevents rogue DHCP servers, a primary vector for MITM).

Cisco Systems, Inc., "VLAN Configuration Guide, Cisco IOS Release 15.1," Configuring VLANs. (Documents the recommendation to change the native VLAN to an unused ID to prevent 802.1Q double-tagging).

Cisco Networking Academy, CCNA Security v2.0 Courseware, Chapter 10: Layer 2 Security. (Explicitly maps DTP disabling to switch spoofing mitigation and 802.1x as an access control measure against flooding/unauthorized access).

S. Yusuf, CCNA Security 210-260 Official Cert Guide, Cisco Press, 2015, pp. 145-148. (Discusses VLAN hopping mitigation and the use of native VLAN tagging/pruning).

The image illustrates a 2.4 GHz Wi-Fi channel allocation plan using the three non-overlapping channels: 1, 6, and 11, which are represented by the three distinct shading patterns. In a proper design, adjacent access points (APs) should use different, non-overlapping channels to prevent interference.

• Zones 3 and 6 are shown as adjacent, but both share the same shading pattern (crosshatch). This indicates they are incorrectly configured to operate on the same channel (e.g., Channel 1).
• This overlap creates significant Cochannel Interference (CCI), where signals from both APs collide. Devices in this area will struggle to differentiate the signals, leading to data corruption, high retransmission rates, and packet loss, which the user experiences as intermittent connectivity.

A. between zones 1 and 2: These zones have different shading (crosshatch vs. double-crosshatch), indicating they use different non-overlapping channels (e.g., 1 and 6). This is a correct design.

B. between zones 2 and 5: These zones have different shading (double-crosshatch vs. diagonal lines), indicating they use different non-overlapping channels (e.g., 6 and 11). This is a correct design.

C. between zones 3 and 4: These zones have different shading (crosshatch vs. double-crosshatch), indicating they use different non-overlapping channels (e.g., 1 and 6). This is a correct design.

Source: Cisco. (2019). Enterprise Mobility 8.5 Design Guide.

Reference: Chapter 2, "WLAN RF Design Considerations," section "Channel Reuse."

Content: This guide details that in the 2.4 GHz band, only channels 1, 6, and 11 are non-overlapping. A fundamental principle of WLAN RF design is to create a channel reuse plan where "no two adjacent cells operate on the same channel." When same-channel cells are adjacent, as shown between zones 3 and 6, it results in co-channel interference, which "limits the performance and capacity" of the network.

Source: Carnegie Mellon University. (2017). 15-441: Networking and the Internet, Lecture 21: Wireless.

Reference: Slide 42-44, "Interference."

Content: This university courseware explains that sources of interference in 802.11 include other APs. It explicitly diagrams how adjacent APs must use different channels (e.g., 1, 6, 11) to avoid interference. When APs on the same channel are too close, their coverage overlaps, and a client in that overlap region cannot reliably communicate, as the CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance) mechanism is compromised.

Source: Gurevitch, A., He, A., & Zhang, J. (2007). The impact of co-channel interference on 802.11n network performance. 2007 IEEE International Conference on Communications.

DOI: https://doi.org/10.1109/ICC.2007.94

Content: This peer-reviewed publication analyzes the effects of CCI. It confirms that as co-channel interference increases (which occurs when same-channel APs are placed near each other), the "packet error rate increases significantly," and overall network throughput is "severely degraded." This degradation manifests to a user as intermittent or dropped connections.

A floating static route serves as a backup to a dynamically learned route. To function as a backup, its administrative distance (AD) must be higher than the primary route's AD. The question specifies the primary route is learned via external EIGRP, which has a default AD of 170. Therefore, the floating static route must have an AD greater than 170. The destination LAN on R86 has an IP of 10.80.65.170/29. The correct network address for this is 10.80.65.168 with a subnet mask of 255.255.255.248. The next-hop IP address from R14 is R86's serial interface, 10.73.65.66. Option C correctly combines the network, mask, next-hop, and an AD of 171, which is greater than 170.

A. The network address, mask, and administrative distance are incorrect. An AD of 1 would make this the primary route, not a backup. B. The network address, mask, and next-hop are incorrect. An AD of 89 is lower than EIGRP's AD, so it would not be a floating route. D. The command syntax is invalid. It incorrectly uses a wildcard mask instead of a subnet mask and has an incorrect next-hop address.

1. Cisco Systems, Inc., Cisco IOS IP Routing: Protocol-Independent Command Reference, "ip route" command documentation. This document confirms the syntax ip route prefix mask {ip-address | interface-type interface-number [ip-address]} [distance]. It specifies that distance is the administrative distance for the route.

2. Cisco Systems, Inc., IP Routing: EIGRP Configuration Guide, Cisco IOS Release 15M&T, "EIGRP Administrative Distance". This guide states, "The administrative distance for an external EIGRP route is 170 by default."

3. Odom, W. (2019). CCNA 200-301 Official Cert Guide, Volume 1. Cisco Press. Chapter 15, "Static Routing," section "Floating Static Routes," explains that a floating static route is configured with a higher administrative distance than the dynamic routing protocol it is intended to back up. Table 15-1 lists the default AD for External EIGRP as 170.

The question requires a protocol that supports separate authorization and authentication processes. Terminal Access Controller Access-Control System Plus (TACACS+) is designed with this separation as a core feature. It uses distinct protocol messages and processes for authentication and authorization, allowing these functions to be handled independently, even by different servers. This modularity provides granular control and flexibility. While often used for device administration (including managing wireless APs), its protocol design directly matches the question's explicit requirement for separation. In contrast, RADIUS combines authentication and authorization into a single function, sending authorization details within the authentication acceptance message.

A. RADIUS: This protocol combines authentication and authorization into a single packet exchange (Access-Accept), which contradicts the requirement for separate solutions.

C. 802.1X: This is an IEEE standard for port-based network access control; it is an authentication framework, not a specific AAA protocol itself. It relies on a backend protocol like RADIUS.

D. Kerberos: This is a ticket-based authentication protocol for client/server applications and is not used for AAA functions between a network access device like an AP and a central server.

---

1. Cisco Press. Odom

W. (2020). CCNA 200-301 Official Cert Guide

Volume 2. Cisco Press. In Chapter 23

"Securing Network Devices

" the section "Comparing RADIUS and TACACS+" states

"TACACS+ separates the authentication

authorization

and accounting functions... RADIUS combines the authentication and authorization functions."

2. Official Vendor Documentation. Cisco Systems

(2023). Security Configuration Guide: AAA

Cisco IOS XE Cupertino 17.9.x. Chapter: "Configuring TACACS+". In the "TACACS+ Overview" section

it states

"TACACS+ provides for separate and modular authentication

authorization

and accounting facilities."

3. Official Vendor Documentation. Cisco Systems

(2023). Security Configuration Guide: AAA

Cisco IOS XE Cupertino 17.9.x. Chapter: "Configuring RADIUS". The "RADIUS Overview" section describes the process where the "RADIUS server authenticates the user and returns the configuration information... to the NAS [AP] for delivery to the user." This confirms the combined nature of the authentication and authorization response.

The Cisco DNA Center Overall Health Dashboard provides a high-level, at-a-glance

summary of the network's status. A key feature of this dashboard is to highlight the most

critical problems impacting the network. This includes presenting a list of the top 10

global issues, allowing administrators to quickly identify and prioritize the most

significant problems affecting network devices and clients. The dashboard's primary

purpose is to offer a consolidated view of network and client health scores and to

surface major ongoing issues.

•

B: The Overall Health Dashboard provides summaries and health scores, not

detailed activity logs for a specific number of devices. Detailed logging is

available in other sections of Cisco DNA Center, but it's not the primary function

of this top-level dashboard.

•

C: This is too narrow. The dashboard provides a summary of the entire network's

health, including both wired and wireless devices, as well as clients connected to

them. It is not limited to only wireless devices.

•

D: This is incorrect because the dashboard's focus is on the health of network

devices (routers, switches, access points) and clients, not servers and

workstations. While it assesses device health, it doesn't specifically focus on

CPU usage for end-user computing devices.

/561

1. Cisco DNA Center User Guide, Release 2.3.5: This guide explicitly describes

the main dashboard's features. It states, "The top-10 lists show the problematic

network devices, the top issues that are impacting the health score..."

o Source: Cisco, "Cisco DNA Center User Guide, Release 2.3.5"

o URL: https://www.cisco.com/c/en/us/td/docs/cloud-systemsmanagement/network-automation-and-management/dna-center/2-3-

5/user_guide/b_cisco_dna_center_ug_2_3_5/m_health_dashboard.html

o Reference: See the section "Network Health and Top-10 Issues."

2. Cisco DNA Center Data Sheet: This document outlines the key capabilities,

including Assurance. It mentions that the platform provides "overall network,

client, and application health" and helps to "proactively identify issues" by

highlighting top problems.

o Source: Cisco, "Cisco DNA Center Data Sheet"

o URL: https://www.cisco.com/c/en/us/products/collateral/cloud-systemsmanagement/dna-center/nb-06-dna-center-data-sheet-cte-en.html

o Reference: See the "Cisco DNA Assurance and Analytics" section, which

describes visibility into top issues.

/561

The command spanning-tree vlan forward-time is used to configure the Forward Delay timer for a specific VLAN. In Spanning Tree Protocol (STP) and its variants like Rapid PVST+, the Forward Delay timer dictates the duration a port spends in the listening state and subsequently in the learning state before it can transition to the forwarding state. Each of these states (listening and learning) lasts for the period defined by the forward-time value. Therefore, this command allows an administrator to set the specific time period for these states.

Cisco IOS LAN Switching Command Reference - Spanning-Tree Commands: spanning-tree

[vlan vlan-list] forward-time seconds

"Use the spanning-tree forward-time command in global configuration mode or the

spanning-tree vlan forward-time command in interface configuration mode to set the time

that a Layer 2 port waits before it changes from the listening and learning states to the

forwarding state."

/561

Source: Cisco. (Specific document version varies, e.g., Catalyst 9300 Series Switches, IOS

XE Bengaluru 17.6.x). A general reference can be found in Cisco IOS command references

for switches. Example: Cisco Catalyst 3750 Switch Software Configuration Guide,

12.2(25)SEE - "Configuring STP" section, "STP Timers".

CCNA 200-301 Official Cert Guide, Volume 1 by Wendell Odom (Cisco Press):

Chapter 3: "Spanning Tree Protocol Concepts" discusses STP timers. "Forward Delay: The

number of seconds an interface stays in the listening state, and then the number of seconds

an interface stays in the learning state. Default: 15 seconds."

Source: Odom, W. (2019). CCNA 200-301 Official Cert Guide, Volume 1. Cisco Press.

(Chapter on STP).

Cisco documentation on "Understanding and Configuring Spanning Tree Protocol (STP) on

Catalyst Switches":

This document typically explains the STP timers: "Forward DelayThe time that is spent in

the listening and learning state. The default is 15 seconds."

Source: Cisco Systems, "Understanding and Configuring Spanning Tree Protocol (STP) on

Catalyst Switches" (available on Cisco.com, specific document ID may vary by switch

model and IOS version).

Phishing is a form of social engineering that targets the human element, tricking employees into divulging sensitive information or performing actions that compromise security. While technical controls are part of a defense-in-depth strategy, the most direct and effective program to mitigate successful phishing attacks is user awareness training. This training educates employees on how to recognize the characteristics of phishing emails (e.g., suspicious links, urgent requests, spoofed senders) and what actions to take. By addressing the root cause—human error—organizations can significantly reduce their vulnerability to these attacks.

A. email system patches: Patches address software vulnerabilities, whereas phishing primarily exploits human psychology, not a technical flaw in the email system.

B. physical access control: This secures physical premises and equipment, which is irrelevant to preventing an employee from clicking a malicious link in an email.

C. software firewall enabled on all PCs: A firewall can block malicious connections but does not prevent the user from receiving the phishing email or being deceived by its content.

1. Odom

W. (2019). CCNA 200-301 Official Cert Guide

Volume 2. Cisco Press. In Chapter 22

"Security Fundamentals

" the section on "Mitigating Threats" discusses that user training is a primary method to counter social engineering attacks like phishing.

2. Cisco Networking Academy. (2020). CCNA: Enterprise Networking

Security

and Automation (ENSA) v7.0 Curriculum. Module 3

"Network Security Concepts

" Section 3.4.1

"Best Practices

" identifies user education as a crucial best practice for mitigating social engineering attacks.

3. National Institute of Standards and Technology (NIST). (2003). Special Publication 800-50: Building an Information Technology Security Awareness and Training Program. Section 2.2

"The Importance of Security Awareness and Training

" establishes that a comprehensive training program is essential to help users recognize and respond to threats like phishing.

Link-Local Addresses (FE80::/10): These are mandatory for IPv6 communication and are used for neighbor discovery and housekeeping on a single link. Their scope is strictly limited to the local link ("attached to a single subnet") and they are not routed. In typical vendor implementations (e.g., Cisco IOS), while an interface can hold multiple Global Unicast addresses, it generally supports only one active Link-Local address; configuring a manual Link-Local address overwrites the existing one.

Unique Local Addresses (ULAs): Defined by the prefix FC00::/7 (which includes FD00::/8), these are the IPv6 equivalent of IPv4 private addressing (RFC 1918). They are designed for "exclusive use internally" within a site or organization and are not intended to be routed on the public Internet.

IETF RFC 4291, "IP Version 6 Addressing Architecture," Section 2.5.6 (Link-Local IPv6 Unicast Addresses) and Section 2.8 (A Node's Required Addresses).

IETF RFC 4193, "Unique Local IPv6 Unicast Addresses," Section 3.1 (Format) and Section 1 (Introduction/Applicability).

Cisco Systems, "IPv6 Configuration Guide, Cisco IOS XE Release 3S," Chapter: IPv6 Addressing and Basic Connectivity. (Confirms Link-Local behavior where manual configuration overrides the automatically generated address).

Authentication is the fundamental process of identifying a user or device, typically through credentials, ensuring the entity is who it claims to be (verifies identity). Authorization follows authentication and enforces policies to determine which resources, commands, or services the authenticated entity is permitted to access (verifies access rights). Accounting measures and records the resources a user consumes during their access, such as connection time, data sent/received, or commands issued, for auditing and billing purposes (tracks activity). CoA (Change of Authorization), an extension to the RADIUS protocol (RFC 5176), allows the AAA server (e.g., Cisco ISE) to send unsolicited messages to the Network Access Server (NAS) to dynamically modify the characteristics or permissions of an active session (updates session attributes).

Cisco Systems. "Authentication, Authorization, and Accounting Configuration Guide, Cisco IOS XE 17." Chapter: AAA Overview. Section: "AAA Fundamentals." (Official Cisco Documentation).

Chiba, M., et al. "Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)." RFC 5176, Internet Engineering Task Force (IETF), January 2008. Section 1.1 "Applicability" (describes changing session authorization).

Cisco Systems. "Cisco Identity Services Engine Administrator Guide, Release 2.4." Chapter: Change of Authorization. Section: "Understanding Change of Authorization."

The MIB (Management Information Base) is a hierarchical database defining the "variables" (objects) that can be monitored on a device. An SNMP trap is an "unsolicited message" sent by the agent to the manager to alert it of a specific event (like a link going down) without the manager asking for it. The SNMP agent is the software process running on the managed device that "responds to status requests" (Get/Set messages) from the manager. Finally, the SNMP manager (or management station) is the central entity that polls devices and collects data; it "resides on an NMS" (Network Management System).

Case, J., Fedor, M., Schoffstall, M., & Davin, J. (1990). A Simple Network Management Protocol (SNMP). IETF RFC 1157.

Section 3.2.1: Describes the "Management Information Base (MIB)" as a collection of managed objects.

Section 4.1.6: Defines the "Trap-PDU" regarding unsolicited event reporting.

Section 3.1: Discusses the architecture involving "network management stations" (Managers) and "network elements" (Agents).

DOI: https://doi.org/10.17487/RFC1157

Cisco Systems. IP Application Services Configuration Guide, Cisco IOS Release 12.4. "Configuring SNMP Support."

Section "SNMP Overview": Explicitly defines the SNMP manager as running on the NMS and the SNMP agent as residing on the managed device.

Section "SNMP Notifications": Defines traps as unsolicited messages.

Stallings, W. (1999). SNMP, SNMPv2, SNMPv3, and RMON 1 and 2. Addison-Wesley Professional.

Chapter 4: Covers the SNMPv1 architecture, defining the roles of the Manager, Agent, and MIB structure.