HP0-Y11

ProCurve Security 7.31

Version 1.0

QUESTION NO: 1

Which statement describes the security technology implemented in SNMPv3?

A. Public and private keys are used to encrypt and decrypt messages.
B. Examples of encryption algorithms commonly supported are DES and AES.
C. The MD5 algorithm produces a larger message digest than the SHA-1 algorithm.
D. A hash function takes a message of arbitrary bit length and produces ciphertext using a shared
secret.

Answer: B

QUESTION NO: 2

Which action should an administrator take if the ProCurve Connection-rate Filtering feature
blocks a port?

A. Unblock the port so that traffic can flow again.
B. Clear the intrusion flag and then re-enable the port.
C. Wait for the throttling period to expire before unblocking the port.
D. The port will be automatically unblocked after the received packet rate drops below a
threshold.

Answer: A

QUESTION NO: 3

You are configuring Dynamic ARP Protection on a ProCurve switch that connects to another
downstream switch, which has Dynamic ARP Protection enabled. Which configuration step
should you perform?

A. Define the downstream port as trusted.
B. Identify the upstream switch as the primary ARP authenticator.
C. Verify that Dynamic ARP Protection is not enabled on overlapping VLANs.
D. Allow sharing of the DHCP binding database stored on an external server.
E. Enable validation of all IP-to-MAC address bindings associated with the downstream switch.

Answer: A

QUESTION NO: 4

Which EAP method is considered the least secure solution for implementing 802.1X user
authentication on a wireless LAN?

A. SIM
B. MD5
C. TTLS
D. FAST
E. LEAP
F. PEAP

Answer: B

QUESTION NO: 5

Which security technology, supported in SSHv2 on the ProCurve Switch 5400zl series, allows
new symmetric keys to be generated periodically during a session with an SSH client?

A. RSA
B. AES
C. HMAC
D. Diffie-Hellman
E. Public and private keys

Answer: D

QUESTION NO: 6

What is the default state of a port configured for IEEE 802.1X port-access authentication?

A. disabled
B. restricted
C. authorized
D. unauthorized

Answer: D

QUESTION NO: 7

Which statement describes how SSL operates when using a Web browser to access the switch
management interface?

A. The client downloads and verifies the switch's certificate; creates a message containing the
client's public key, and encrypts the message using the switch's private key.

B. The client downloads and verifies the switch's public key, creates a message containing a
Diffie-Hellman value, and encrypts the message using the client's private key.

C. The client downloads and verifies the switch's certificate, creates a message containing a
symmetric key, and encrypts the message using the switch's public key.

D. The client downloads a preshared key from the switch, creates a challenge message
containing a hash of the preshared key, and the switch then verifies the challenge response.

Answer: C

QUESTION NO: 8

Which protocols are supported by a ProCurve switch for communication with a RADIUS server
that is used to authenticate 802.1X supplicants? (Select two.)

A. EAP-RADIUS
B. MD5-RADIUS
C. CHAP-RADIUS
D. PAP-SPAP-RADIUS
E. MS-CHAPv2-RADIUS

Answer: A, C

QUESTION NO: 9

Which statement describes security technology implemented in SNMPv3?

A. Examples of encryption algorithms commonly used are MD5 and SHA-1.
B. The AES algorithm produces a larger message digest than the DES algorithm.
C. Symmetric cryptography uses a pair of mathematically related keys to encrypt and decrypt
messages.
D. A hash function takes a message of arbitrary bit length and creates a fixed-length string
representing a message digest.

Answer: D

QUESTION NO: 10

The RADIUS server and switch are correctly configured. The switch has the VLAN assignments
and port-access commands configured, as shown in the exhibit.
What happens to port 10 after the user provides valid authentication information?

A. remains in an unauthorized state
B. becomes a member of VLAN 20
C. becomes a member of VLAN 25
D. becomes a member of VLAN 200

Answer: C

QUESTION NO: 11

What is configured on a ProCurve switch to implement switch-to-switch 802.1X authentication?

A. user name and a password
B. EAP method and a shared secret
C. RADIUS protocol to use and a shared secret
D. base MAC address of the peer and a password

Answer: A

QUESTION NO: 12

Which statements describing SSH support on the ProCurve Switch 5400zl series are correct?
(Select three.)

A. Each SSH client's public key is stored in switch flash memory.
B. Acquiring a digital certificate from a Certificate Authority is optional.
C. A switch is always authenticated to a client using the switch's public key.
D. An SSH client can be authenticated based on user credentials or a public key.
E. Multiple SSH public and private key pairs for the switch can be used for increased security.

Answer: A, C, D

QUESTION NO: 13

Which configuration steps must you perform to implement the ProCurve Dynamic ARP protection
feature on a switch? (Select three.)

A. Enable it globally.
B. Define trusted ports.
C. Activate it on one or more VLANs.
D. Enable validation of source MAC addresses.
E. Allocate the IP-to-MAC address binding database.
F. Specify the valid MAC address formats supported.

Answer: A, B, C

QUESTION NO: 14

Which front panel security features are enabled by default? (Select three.)

A. factory-reset
B. reset-on-clear
C. password-clear
D. include-credentials
E. password-recovery
F. flash-memory-protection

Answer: A, C, E

QUESTION NO: 15

A customer wants to provide stricter network access for devices connecting to a ProCurve Switch
5406zl by implementing a combination of 802.1X and MAC authentication. Which configuration
tasks must be performed on the RADIUS server to support the ports configured with MAC
authentication? (Select two.)

A. Configure EAP RADIUS for the authentication method.
B. Configure CHAP RADIUS for the authentication method.
C. Configure PAP to support unencrypted authentication of network devices.
D. Create a user in the user directory using the MAC address of the device for the user name and
password.
E. Create a user on the RADIUS server using the MAC address of the device for the user name
and the RADIUS shared secret for the password.

Answer: B, D

QUESTION NO: 16

Which statement describes the type of traffic that a VLAN ACL (VACL) filters?

A. IP traffic routed between different VLANs
B. routed or switched IP traffic leaving a static VLAN
C. IP traffic entering a physical port, port list, or static trunk
D. IP traffic routed between different subnets of the same VLAN
E. switched IP traffic moving between ports belonging to the same VLAN

Answer: E

QUESTION NO: 17

Which statements describing SSL operations for ProCurve switch management access are
correct? (Select four.)

A. A self-signed certificate is contained in the switch's private key.
B. The server-side SSL port number on the switch is configurable.
C. The public key used for SSL is separate from the one used for SSH.
D. You must generate a self-signed digital certificate or acquire a CA-signed certificate.
E. A CA-signed certificate contains the switch's public key and is digitally signed using a
Certificate Authority's private key.
F. When Web-based management through SSL is enabled, unencrypted Web-based
management is automatically disabled.

Answer: B, C, D, E

QUESTION NO: 18

Which two EAP methods support tunneling of a weaker authentication method such as
MS-CHAPv2?

A. TLS and SIM
B. PAP and SPAP
C. LEAP and FAST
D. PEAP and TTLS

Answer: D

QUESTION NO: 19

Which statements describing ACLs on the ProCurve Switch 5400zl series are correct? (Select
two.)

A. A sequence number is used for each Access Control Entry.
B. Criteria may include Layer 2, Layer 3, and Layer 4 identifiers.
C. Each new Access Control Entry is appended to the beginning of the list.
D. It can filter IP traffic to or from a host, a group of hosts, or entire subnets.
E. It can be assigned to the console port, a physical port, a static trunk, or a VLAN interface.

Answer: A, D

QUESTION NO: 20

What are infrastructure defense capabilities provided by the ProCurve ProActive Defense network
security solution? (Select four.)

A. virus throttling
B. device hosting
C. ICMP throttling
D. host-based IPS
E. dynamic ARP protection
F. DHCP spoofing protection

Answer: A, C, E, F

QUESTION NO: 21

The customer is considering using the Authorized IP Managers feature. What are examples of
switch management access that can be protected by this feature? (Select four.)

A. SSL
B. telnet
C. TFTP
D. SNMP
E. 802.1X
F. console

Answer: A, B, C, D

QUESTION NO: 22

What are the effects of issuing the management-vlan command on a ProCurve switch? (Select
two.)

A. It bypasses the Authorized IP Managers list, if configured.
B. It requires that the local switch manager or operator user account be used to log in to the
switch.
C. It allows management stations within the Secure Management VLAN to source traffic to other
VLANs.
D. It provides encrypted and authenticated session flow between the switch and the management
station in the Secure Management VLAN.
E. It disables the ability for a switch to receive management traffic on any IP address other than
the one assigned to the Secure Management VLAN.

Answer: C, E

QUESTION NO: 23

To configure RADIUS authentication of switch management users on a ProCurve switch, the
RADIUS server must support which authentication method?

A. encrypted authentication using SSL
B. encrypted authentication using PEAP
C. encrypted authentication using CHAP
D. unencrypted authentication using HTTP
E. unencrypted authentication using MS-CHAP
F. unencrypted authentication using PAP or SPAP

Answer: F

QUESTION NO: 24

When designing a Secure Management VLAN, which ProCurve solution should an administrator
implement at the core and Layer 2 edge devices for greater security?

A. Enable Secure Management VLANs to provide security at the core and at the Layer 2
switches; ACLs are not required.
B. Configure a separate management network with dedicated ports to isolate all management
traffic at the core and at the Layer 2 switches.
C. Enable Secure Management VLANs to provide security at the core; apply an IP address only
to the core switch, and use ACLs at the Layer 2 switches.
D. Use ACLs to provide security at the core; enable Secure Management VLANs at the Layer 2
switches, and apply IP address only to the Secure Management VLAN.

Answer: D

QUESTION NO: 25

Which Port Security learn mode is used in conjunction with 802.1X to temporarily learn a MAC
address of an 802.1X authenticated session?

A. static
B. configured
C. continuous
D. port-access
E. limited-continuous

Answer: D

QUESTION NO: 26

Which statement describing dynamic VLAN assignment for 802.1X authenticator ports on
ProCurve switches is correct?

A. If a GVRP-learned VLAN is used, the RADIUS server must specify that attribute.
B. The VLAN used may be statically defined on the switch or learned through GVRP.
C. If a client fails authentication, the port is reassigned to the Secure Management VLAN.
D. If a client is authenticated, but no VLAN attribute is returned by a RADIUS server, the switch
blocks the port.

Answer: B

QUESTION NO: 27

A Web authenticator port is currently in the authenticating state. Which statement is correct?

A. The client can communicate with any destination located in the authorized VLAN.
B. Any DNS name resolves to the switch IP address and any IP address resolves to the switch
MAC address.
C. By default, a client connected to a Web authenticator port is initially assigned an IP address in
the VLAN to which it is connected.
D. The client is prevented from communicating with any IP address until the RADIUS server
responds indicating the user has been authenticated.

Answer: B

QUESTION NO: 28

Which EAP methods support authentication of a RADIUS server based on a digital certificate?
(Select three.)

A. AKA
B. TLS
C. MD5
D. TTLS
E. LEAP
F. PEAP

Answer: B, D, F

QUESTION NO: 29

Why should the ProCurve BPDU Protection feature be enabled on a port?

A. The port needs to participate in BPDU communications.
B. This ensures the port does not continue to receive BPDUs.
C. A topology change should occur when a port's link status changes.
D. The port is permanently configured as the root port in the spanning-tree.

Answer: B

QUESTION NO: 30

Which statement describing the ProCurve Connection-rate Filtering feature is correct?

A. The connection-rate filter sensitivity is configurable on a per-port basis.
B. It protects against both known and unknown threats, but requires intrusion signature updates.
C. It uses the Traffic Monitoring feature to determine whether traffic activity represents an
intrusion.
D. A connection-rate ACL can be used to allow some or all inbound traffic through a port that has
been throttled or blocked.

Answer: D

QUESTION NO: 31

A customer currently manages all ProCurve switches using unencrypted Web-based
management, but now wants to use SSL for encrypted Web-based management. Which steps
must be completed before enabling SSL? (Select two.)

A. Generate an HTTPS client certificate.
B. Disable unencrypted Web-based management first.
C. Generate a self-signed server certificate for HTTPS.
D. Import a certificate request from a Certificate Authority.
E. Generate public and private keys for an HTTPS certificate.

Answer: C, E

QUESTION NO: 32

Which Port Security learn mode allows any MAC address to be dynamically learned as a device
connects to a port?

A. static
B. configured
C. continuous
D. port-access

Answer: C

QUESTION NO: 33

When designing a Secure Management VLAN, which ProCurve solution should an administrator
implement at the core and Layer 2 edge devices for greater security?

A. Enable Secure Management VLANs to provide security at the core and at the Layer 2
switches; ACLs are not required.
B. Configure a separate management network with dedicated ports to isolate all management
traffic at the core and at the Layer 2 switches.
C. Enable Secure Management VLANs to provide security at the core; apply an IP address only
to the core switch, and use ACLs at the Layer 2 switches.
D. Use ACLs to provide security at the core; enable Secure Management VLANs at the Layer 2
switches, and apply IP address only to the Secure Management VLAN.

Answer: D

QUESTION NO: 34

When configuring SSL on a ProCurve switch, which user authentication methods can be
specified? (Select three.)

A. 802.1X
B. RADIUS
C. Kerberos
D. public key
E. TACACS+
F. local user name and password

Answer: B, E, F

QUESTION NO: 35

The network administrator of a university realizes that students in campus housing buildings are
connecting wireless access points and small-scale switches to the network. The administrator
wants to limit a particular port to one MAC address at a time, but is not concerned about the
actual address. Which security feature provides flexibility while effectively limiting a port to a
single MAC address at a time?

A. 802.1X MAC authentication
B. MAC Lockout learn mode static
C. MAC Lockdown learn mode continuous
D. Port Security learn mode limited-continuous

Answer: D

QUESTION NO: 36

What are the capabilities of centralized authentication for management users of ProCurve
switches? (Select three.)

A. It can use the local switch user accounts as a security fallback option.
B. A RADIUS, TACACS+, or Kerberos authentication server can be used.
C. It can control access from the console port, Telnet clients, SSH clients, and Web browsers.
D. It supports many of the more commonly used EAP methods including PEAP, TLS and TTLS.
E. Individual user names and passwords can be used for stronger management and accounting.

Answer: A, C, E

QUESTION NO: 37

What is a capability of the Secure Access Wizard supported by ProCurve Identity Driven
Manager?

A. It configures 802.1X authenticator ports and RADIUS server settings on a switch.
B. It verifies the integrity of the ProCurve Identity Driven Manager database using Active
Directory.
C. It conceals all security-related credentials stored in the switch configuration before backing up
the file.
D. It checks a switch configuration file's 802.1X, Web, or MAC authentication settings for
consistency and reports any errors.

Answer: A

QUESTION NO: 38

You have ProCurve Identity Driven Manager currently deployed in your network and have
recently modified an Access Profile. Which task should you perform next?

A. Restart the IDM Agent.
B. Deploy the configuration.
C. Run the Secure Access Wizard.
D. Update the Access Policy Groups.
E. Start Active Directory synchronization.
F. Rediscover switches affected by the changes.

Answer: B

QUESTION NO: 39

Which statements describing ACLs on the ProCurve Switch 3500yl series are correct? (Select
two.)

A. IP routing must be enabled.
B. Criteria may include Layer 3 and Layer 4 identifiers.
C. Each ACL includes the hidden allow any Access Control Entry.
D. Each new Access Control Entry is appended to the beginning of the list.
E. It may be assigned to a physical port, a static trunk, or a VLAN interface.

Answer: B, E

QUESTION NO: 40

You have just installed two ProCurve 5406zl switches, one on the second floor and one on the
third floor of your office. You are using 802.1X for port-access authentication. All users have an
802.1X supplicant installed on their computers and you have configured a RADIUS server with a
remote access policy for each floor. Shortly after connecting the computers, users on the second
floor report that they cannot access any network resources. You can ping the RADIUS server
from both switches, but when you check the RADIUS log, you see authentication requests
coming only from the third floor switch. Why are the second floor users unable to connect to the
network?

A. The IP address of the RADIUS server has not been configured on the second floor switch.
B. The second floor computers are using the wrong EAP type for authentication with the RADIUS
server.
C. The shared secret configured on the second floor switch does not match the shared secret
configured on the RADIUS server.
D. No default gateway has been configured on the second floor switch, therefore no
authentication requests can reach the RADIUS server.

Answer: A

QUESTION NO: 41

Which statement describing SSH support on the ProCurve Switch 3500yl series is correct?

A. Authentication of the switch to an SSH client is optional.
B. An SSH client key pair created using RSA or DSA can be used.
C. An SSH client can be authenticated based on user credentials or a public key.
D. Each concurrently connected SSH client must use a distinct public key if RSA is used.

Answer: C

QUESTION NO: 42

Which statements describing capabilities of Port Security on ProCurve switches are correct?
(Select two.)

A. It can be applied to an edge port, static trunk, or dynamic trunk.
B. It can be concurrently active with MAC Lockout on a switch if the same MAC addresses are
configured.
C. A port can be configured for traffic monitoring mode and access attempts silently logged when
an intrusion is detected.
D. The default operating mode is continuous, which allows any device to access a port without
causing a security response.
E. It includes eavesdrop protection, which prevents use of a port for flooding unicast packets
addressed to MAC addresses unknown to the switch.

Answer: D, E

QUESTION NO: 43

Network security can be described in terms of multiple layers of security. Which action describes
a perimeter security measure?

A. limiting switch access to SSH
B. deploying 802.1X authentication
C. installing an Intrusion Prevention System
D. using a secure operating system for network applications

Answer: C

QUESTION NO: 44

Which statements describing the ProCurve SNMP Message Throttling feature are correct?
(Select two.)

A. Message throttling can be enabled or disabled based on the event severity level.
B. The amount of time that repeating events are throttled depends on the severity level.
C. Messages are throttled based on having the same severity level and the duration between
repeated messages.
D. It controls the rate that SNMP traps are sent to one or more trap receivers and messages are
sent to the switch Event Log.
E. If a given type of event continues to occur after a configurable number of cycles, generation of
subsequent messages are disabled until the administrator unblocks them.

Answer: B, D

QUESTION NO: 45

Which benefits are provided by the ProCurve SNMP Message Throttling feature?
(Select two.)

A. It automatically regulates duplicate messages for a given recurring event.
B. It blocks SNMP connection attempts after a configured number of failed logins.
C. It limits the consumption of switch CPU resources when collecting statistics during heavy
network loading.
D. It suppresses any repeating messages sent to the switch Intrusion Log after a configured
threshold is reached.
E. It controls the rate that SNMP traps are sent to one or more trap receivers and messages are
sent to the switch Event Log.

Answer: A, E

QUESTION NO: 46

A university shares a core routing switch between two departments. Each department has a
separate ProCurve edge switch deployed and neither department wants the other to have
management access to their respective switch. Which security measures can prevent
management access by the respective departments? (Select three.)

A. Enable the Privilege Mode option.
B. Configure Authorized IP Managers.
C. Define Secure Management VLANs.
D. Implement Command Authorization.
E. Use RADIUS authentication with separate policies.

Answer: B, C, E

QUESTION NO: 47

Which statements describing the Command Authorization feature on the ProCurve Switch 5400zl
series are correct? (Select three.)

A. It requires the use of a RADIUS authentication server.
B. AAA accounting for commands must be enabled on the switch.
C. It can be used only to limit commands issued within the manager-access level.
D. Two vendor-specific attributes are used to define a list of commands and whether the
commands are allowed or denied.
E. It is applicable to switch management users accessing the switch through the console port or
the Web browser interface.
F. A list of allowed or denied commands is sent to the switch by the RADIUS server after the user
is successfully authenticated.

Answer: A, D, F

QUESTION NO: 48

When using DHCP Snooping, which action can the switch perform if a client sends a DHCP
message with option 82 set?

A. Send a negative acknowledgement to the client.
B. Remove the option 82 field and relay the DHCP message.
C. Block the client's port and log a message in the Intrusion Log.
D. Replace the field with the switch's MAC address and the source port identifier.
E. Simulate a DHCP response to the potential rogue client using the internal DHCP server on the
switch.

Answer: D

QUESTION NO: 49

Which statements describing the implementation of Authorized IP Managers are correct? (Select
three.)

A. It has precedence over any authentication methods that may be configured.
B. It requires that the user account used for switch management access has manager-level
access.
C. If you specify the IP address 10.1.8.0 without an IP mask, a single IP address will be allowed
access.
D. It is most useful for insecure switch management access methods that include console port,
Telnet, and TFTP.
E. The IP mask of an Authorized IP Manager entry has no dependency on the subnet mask of the
IP addresses assigned to management stations.

Answer: A, C, E

QUESTION NO: 50

Authentication of switch management or general network users can involve multiple network
components. Which statement describing these network components is correct?

A. A user directory server operates as the policy enforcement point.
B. The authentication server is also known as the policy decision point.
C. A ProCurve switch functions as a policy repository for switch management access using a
remote user account.
D. A RADIUS access-accept message is used by a client to acknowledge authentication settings
assigned by the server.

Answer: B

QUESTION NO: 51

Which statement describing Web authentication support on the ProCurve Switch 5400zl series is
correct?

A. User credentials or a digital certificate can authenticate the client.
B. It is mutually exclusive of other authentication methods on the same port.
C. After successful user authentication, a port is assigned to a VLAN based on an order of
priority.
D. If a port is configured to support multiple users, different static untagged VLANs can be
assigned concurrently.

Answer: C

QUESTION NO: 52

A Windows XP workstation is configured with 802.1X supplicant software. When a client
connects to a switch port with 802.1X authentication enabled, which EAP messages may be
generated by the supplicant to gain access to the network? (Select two.)

A. EAPOL-start
B. EAP-request-identity
C. EAP-access-request
D. EAP-response-identity
E. EAP-access-challenge

Answer: A, D

QUESTION NO: 53

Which type of message is sent by a RADIUS client to a RADIUS server?

A. access-query
B. access-request
C. access-challenge
D. access-response

Answer: B

QUESTION NO: 54

Which statement describing RADIUS accounting support on the ProCurve Switch 5400zl series is
correct?

A. The network accounting option is used to collect statistics for switch management sessions.
B. The switch can be configured to allow the RADIUS server to query the switch for periodic
updates of accounting statistics.
C. ProCurve IDM can be used to parse the accounting logs on the RADIUS server and produce
reports accessible in ProCurve Manager.
D. The start-stop accounting option causes the switch to create an accounting statistic record
when a user's login session begins and ends.

Answer: D

QUESTION NO: 55

Which statement describing the ProCurve Connection-rate Filtering feature is correct?

A. When enabled, it is automatically globally activated.
B. Any outbound traffic destined for a host that has been throttled or blocked is permitted.
C. It protects against both known and unknown threats, but requires intrusion signature updates.
D. It uses the Traffic Monitoring feature to determine whether traffic activity represents an
intrusion.

Answer: B

QUESTION NO: 56

You have just installed two ProCurve 5406zl switches, one on the second floor and one on the
third floor of your office. You are using 802.1X for port-access authentication. All users have an
802.1X supplicant installed on their computers and you have configured a RADIUS server with a
remote access policy for each floor. Shortly after connecting the computers, users on the second
floor report that they cannot access any network resources. You can ping the RADIUS server
from both switches, but when you check the RADIUS log, you see authentication requests
coming only from the third floor switch. Why are the second floor users unable to connect to the
network?

A. The IP address of the RADIUS server has not been configured on the second floor switch.
B. The second floor computers are using the wrong EAP type for authentication with the RADIUS
server.
C. The shared secret configured on the second floor switch does not match the shared secret
configured on the RADIUS server.
D. No default gateway has been configured on the second floor switch, therefore no
authentication requests can reach the RADIUS server.

Answer: A

QUESTION NO: 57

Which statements describing the ProCurve switch debug facility are correct? (Select two.)

A. The instrumentation monitor must be enabled first.
B. Specific debug message categories can be selectively enabled.
C. The debug destinations can be set to a session window and a Syslog server concurrently.
D. Debug messages have the same format as standard Event Log messages including the event
type and timestamp.

Answer: B, C

QUESTION NO: 58

Which statement describes the type of traffic that a Routed ACL (RACL) filters?
(Select two.)

A. IP traffic entering a physical port, port list, or static trunk
B. switched IP traffic moving between ports belonging to the same VLAN
C. routed IP traffic arriving on one VLAN and leaving through another VLAN
D. switched IP traffic moving between ports belonging to the same subnet of a multinetted VLAN
E. routed IP traffic arriving on one subnet and leaving through another subnet within the same
multinetted VLAN

Answer: C, E

QUESTION NO: 59

Which capabilities are supported for extended ACLs on the ProCurve Switch 3500yl series?
(Select two.)

A. sequence number for each Access Control Entry
B. ACL numeric identifier can be between 1 and 1024
C. optional use of log option for allow and deny actions
D. specification of well-known ICMP and IGMP message types
E. selectable action of allow or deny for the hidden Access Control Entry

Answer: A, D

QUESTION NO: 60

Which statements describing MAC authentication on ProCurve switches are correct? (Select
two.)

A. It can be configured on the same port with Web authentication and 802.1X authentication.
B. The device's MAC address is sent to the RADIUS server as the user name and password.
C. The switch's built-in DHCP server initially assigns an IP address in the 192.168.0.0 private
subnet.
D. The switch automatically initiates user authentication of a device when the device
communicates on a MAC authenticator port.
E. Configuration involves defining ports as MAC authenticators, the RADIUS authentication
protocol to use, and then activating the ports for MAC authentication operation.

Answer: B, D

QUESTION NO: 61

A network engineer is responsible for setting up RADIUS authentication of management users for
ProCurve switches. As part of the planning, which information must the network engineer obtain
from the person who manages the RADIUS server? (Select three.)

A. EAP method that is configured
B. IP address of the RADIUS server
C. authentication port number of the RADIUS server
D. shared secret or encryption key used by the RADIUS server
E. names of the users that will be authorized to use the switch
F. whether local authentication can be supported as a secondary method

Answer: B, C, D

QUESTION NO: 62

What are the effects of implementing a Secure Management VLAN on a ProCurve switch?
(Select two.)

A. It prevents IP routing between the user VLANs configured on the switch.
B. Switch management access is limited to those ports assigned to the Secure Management
VLAN.
C. It allows one management IP address per physical switch, regardless of the number of user
VLANs.
D. It allows switch management access only through SSH, SSL Web browser, and SNMPv3
secure client applications.
E. It provides encrypted and authenticated session flow between the switch and the management
station in the Secure Management VLAN.

Answer: B, C

QUESTION NO: 63

You have enabled Port Security and specified the send-disable response option. Which
administrative action, if any, is required after an intrusion occurs to enable the port to return to
normal operation?

A. The port must be enabled.
B. The intrusion flag must be cleared.
C. The port is automatically reset after a delay timer expires.
D. The intrusion flag must be cleared and the port must be enabled.

Answer: D

QUESTION NO: 64

Various ProCurve switches support the Privileged Mode feature for switch management users
authenticated through RADIUS. Which benefit does this feature provide when enabled?

A. It automatically provides manager-level access to an authenticated user.
B. It provides an SNMPv3 user with read/write access to the switch authentication MIB.
C. It allows an unauthenticated user to issue the enable command without requiring a local
password.
D. It enables an authenticated user with operator-level access to view security credentials stored
in the switch configuration file.

Answer: A

QUESTION NO: 65

Which statements describing the ProCurve switch debug facility are correct? (Select two.)

A. The instrumentation monitor must be enabled first.
B. Specific debug message categories can be selectively enabled.
C. The debug destinations can be set to a session window and a Syslog server concurrently.
D. Debug messages have the same format as standard Event Log messages including the event
type and timestamp.

Answer: B, C

QUESTION NO: 66

Which statement correctly describes the effect of configuring the encryption keys for multiple
RADIUS servers on a ProCurve switch?

A. The encryption keys for all servers in the domain must be different.
B. The encryption keys for all servers in the domain must be the same.
C. An encryption key associated with a server overrides the globally defined key.
D. A globally defined encryption key overrides the key associated with an individual server.

Answer: C

QUESTION NO: 67

Which criteria can selectively identify traffic to be mirrored using the ProCurve Traffic Mirroring
feature? (Select two.)

A. ACL
B. traffic direction
C. packet size range
D. LLDP-MED identifier

Answer: A, B

QUESTION NO: 68

You are providing network access in several conference rooms for employees and visitors. When
dealing with physical access to equipment, what should you consider? (Select three.)

A. Who has access to the room?
B. Is there a guest access policy?
C. Is it in a secure area of the building?
D. Who knows the manager-level passwords?
E. Has accessibility been limited to administrators only?
F. Which ports are assigned to the management VLAN?
G. Does the data center meet military-level security requirements?

Answer: A, B, C

QUESTION NO: 69

A customer calls you and describes a switch management access problem involving SSH. The
customer indicates that he is denied access after supplying the login credentials. The customer is
using a RADIUS server for centralized authentication, and has used the ping command to verify
that the SSH client, switch, and RADIUS server are all reachable. What is a potential cause of
this problem?

A. A self-signed digital certificate has not been installed on the switch.
B. SSH has not been configured for the login access level on the switch.
C. A remote-access policy on the RADIUS server has not been configured to support the CHAP
protocol.
D. The digital certificate of the public Certificate Authority used by the switch has not been
installed in the SSH client.

Answer: C

QUESTION NO: 70

What is an operational difference between the TLS and MD5 EAP methods?

A. TLS uses a challenge/handshake mechanism for authentication; MD5 uses certificates for
authentication.
B. TLS uses a challenge/handshake mechanism for authentication and encryption; MD5 uses
certificates for authentication and encryption.
C. TLS uses digital certificates for mutual authentication; MD5 uses a challenge/handshake
mechanism to authenticate the client to the server.
D. TLS uses a name and password along with digital certificates to produce a session key; MD5
uses a name and password to produce a session key.

Answer: C

QUESTION NO: 71

You have a customer who has just installed a ProCurve 3500yl switch in an open area of his
office. Although the switch is installed in a closed rack with a locking door, the customer is
concerned that someone could access the front panel buttons on the switch. Which commands
allow the customer to prevent the switch from having its passwords and configuration information
cleared? (Select two.)

A. front-panel-security lockdown
B. no front-panel-security factory-reset
C. no front-panel-security password-clear
D. no front-panel-security password-recovery
E. front-panel-security password-clear reset-on-clear
F. no front-panel-security password-clear reset-on-clear

Answer: B, C

QUESTION NO: 72

The network administrator of a private college wants to enable Web authentication for all switch
edge ports in the student housing buildings. In addition, the administrator wants to address the
growing problem of students using unauthorized switches to connect multiple devices through a
port. Which additional configuration helps prevent more than one authenticated user from
connecting to a port that has Web authentication enabled with the default settings?

A. Enable port security with the address-limit 1 option.
B. The default client limit is 1, so no further configuration is required.
C. Enable port security with the learn-mode port-access option.
D. Add an option to the port-access command that limits the number of MAC addresses to 1.

Answer: B

QUESTION NO: 73

Which vulnerability is the ProCurve DHCP Snooping feature designed to protect against? (Select
two.)

A. exhaustion of the IP address pool by a DHCP client
B. spoofing of IP address leases by a rogue DHCP server
C. excessive rate of connection attempts to the DHCP port
D. broadcast storms consisting of DHCP responses from unknown IP addresses
E. replacing a responding DHCP server's IP address with an erroneous IP address
F. substitution of one DHCP client's MAC address with another client's MAC address

Answer: A, B

QUESTION NO: 74

A customer, who is already using SSH for secure communications, wants the client to be
authenticated by the switch using RSA. Which additional steps are necessary to set up client
authentication? (Select two.)

A. Copy the client public key to the switch.
B. Copy the client private key to the switch.
C. Generate a public and private key pair on the client.
D. Generate a public and private key pair on the switch.
E. Copy the switch public and private key pair to the client.

Answer: A, C

QUESTION NO: 75

Which statement describing the MAC Lockdown feature supported on the ProCurve Switch
5400zl series is correct?

A. A MAC address can be locked down to one or more trunks.
B. It is enforced at the network edge by configuring the feature globally on a core switch.
C. Once a port becomes locked down, the network administrator must disable and then re-enable
the port to connect another device.
D. To be locked down, a device with a specified MAC address must access the network by
passing through the assigned port and VLAN.

Answer: D

QUESTION NO: 76

Which statements describing SNMPv3 support on the ProCurve Switch 3500yl series are correct?
(Select three.)

A. Message privacy can be implemented using RSA encryption.
B. SNMPv1 and SNMPv2c access can be restricted to read-only.
C. When SNMPv3 is first enabled, a user called initial is automatically created.
D. By default, all SNMPv3, SNMPv2c, and SNMPv1 are enabled but not configured.
E. An SNMPv3 user's access rights are based on the group to which it is assigned.

Answer: B, C, E

QUESTION NO: 77

You are the manager of several IT staff members who have the authority to make configuration
changes to ProCurve 3500yl switches deployed within your organization. How can you centralize
authentication of IT staff members who log in to the switches with manager privileges?

A. Define a unique manager account for each IT staff member on each switch.
B. Configure RADIUS accounting services on the server to record each manager login event.
C. Leverage existing directory services by importing the team members' user name/password
pairs to the local user database of each switch.
D. Configure the switches to use a RADIUS server that accesses the existing user directory, and
configure the server to accept authentication requests from the switches.

Answer: D

QUESTION NO: 78

Which statements describing the 802.1X user authentication process are correct?
(Select two.)

A. The supplicant and authentication server must support the same EAP method for the
authentication process to proceed.
B. A switch passes EAP messages between the supplicant and authentication switch without
modification or translation.
C. After a RADIUS server confirms a user is authenticated, the switch sends an EAP-Success
message and sets the port state to authorized.
D. Different RADIUS servers must be configured on the switch if authentication of both switch
management users and 802.1X supplicants will be performed.
E. If a supplicant receives an EAP-Request message specifying a particular EAP method to be
supported, the authentication session is closed if the supplicant does not support that EAP
method.

Answer: A, C

QUESTION NO: 79

Which statement describing Public Key Infrastructure (PKI), as typically used for SSL, is correct?

A. It uses digital certificates to manage symmetric key exchanges between a sender and a
receiver.
B. It is a symmetric key scheme that uses digital certificates and certificate authorities to encrypt
messages.
C. It uses a mathematically complementary key pair, one private and one public, but does not use
digital certificates.
D. It uses a symmetric key scheme to manage key exchange and uses digital certificates to
encrypt the message to ensure confidentiality, authentication, integrity and nonrepudiation.

Answer: A

QUESTION NO: 80

Which sources can be specified for the ProCurve Traffic Mirroring feature? (Select three.)

A. trunk
B. VLAN
C. port group
D. network port
E. console port
F. LLDP-MED identifier

Answer: A, B, D

QUESTION NO: 81

Which SNMPv3 security enhancements supported on ProCurve switches are not available in
SNMPv1 and SNMPv2c? (Select two.)

A. message privacy
B. user-based read and write access restrictions
C. configurable command, response, and trap receiver ports
D. TCP-based message flow control and acknowledgements
E. management station access control based on IP address or DNS name

Answer: A, B

QUESTION NO: 82

The RADIUS server and switch are correctly configured. The switch has the VLAN assignments
and port-access commands configured, as shown in the diagram.
What happens to port 10 after the user connects to the network?

A. remains in an unauthorized state
B. becomes a member of VLAN 20
C. becomes a member of VLAN 25
D. becomes a member of VLAN 200

Answer: D

QUESTION NO: 83

Which EAP method supports authentication of an 802.1X supplicant based on a user's digital
certificate?

A. TLS
B. MD5
C. FAST
D. TTLS
E. LEAP
F. PEAP

Answer: A

QUESTION NO: 84

To provide maximum security when deploying DHCP Snooping on a ProCurve switch, which
configuration tasks should be performed on the switch for a local DHCP server?
(Select two.)

A. Specify the subnets associated with the scopes.
B. Enable encryption for the IP address lease database.
C. Define the port connecting to the DHCP server as trusted.
D. Define the DHCP server's IP address as an authorized server.
E. Configure the optional authorization protocol used to communicate with the DHCP server.

Answer: C, D

QUESTION NO: 85

A customer calls you and describes a switch management-access problem involving SSL. The
customer accesses the SSL login page, but he is denied access after supplying the login
credentials. The customer is using a RADIUS server for centralized authentication, and has used
the ping command to verify that the client, switch, and RADIUS server are all reachable. What is
a potential cause of this problem?

A. The client's public key has not been stored in switch flash memory.
B. The HTTP Web management server is enabled, but not the SSL Web management server.
C. The switch has not been configured to use RADIUS for the login access level for Web
management.
D. A remote access policy on the RADIUS server has not been configured to support the correct
EAP method.

Answer: C

QUESTION NO: 86

You are configuring an ACL and want to identify all addresses in the range:
10.1.32.0 through 10.1.47.255 that have a common value in the first 20 bits. Which format
represents the correct ACL mask that could be used?

A. 10.1.32.0 0.0.0.255
B. 10.1.32.0 0.0.15.255
C. 10.1.32.0 0.0.20.255
D. 10.1.32.0 0.0.240.255
E. 10.1.32.0 0.0.255.255

Answer: B

QUESTION NO: 87

Network security can be described in terms of multiple layers of security.
Which actions describe examples of network access control measures? (Select three.)

A. implementing dynamic ACLs
B. using only SSL for switch access
C. implementing Web authentication
D. defining Port Security on switch ports
E. deploying an Intrusion Detection System in a server farm

Answer: A, C, D

QUESTION NO: 88

Which security attributes are accomplished by using a Hashed Message Authentication Code
(HMAC)? (Select two.)

A. privacy
B. integrity
C. authenticity
D. nonrepudiation
E. secure key distribution

Answer: B, C

QUESTION NO: 89

Which statements describing Web authentication support on ProCurve switches are correct?
(Select two.)

A. An SSL-based login is required.
B. It can be configured on ports that also have MAC authentication assigned.
C. A successfully authenticated user can be redirected to a configurable URL.
D. The switch's built-in DHCP, ARP, and DNS services assist with Web authentication while a
port is in the authenticating state.
E. When a client connects to a Web authenticator port and a Web browser is opened, the Web
browser is automatically redirected to the switch's Web-Auth home page.

Answer: C, D

QUESTION NO: 90

Which role does the authenticator play in the 802.1X authentication process?

A. The authenticator provides two-way translation between EAP messages and RADIUS
messages.
B. The authenticator validates the EAP-identity-request and responds with either an accept or
reject message.
C. The authenticator sends an access-challenge message to the supplicant to request client
credentials.
D. The authenticator encapsulates an EAP-access-request inside of a RADIUS response-identity
packet and forwards it for validation.

Answer: A

QUESTION NO: 91

Hash functions are used in various network security applications including SNMPv3. Which
statement describes the process that is performed on a message during the hash operation?

A. Predetermined sized blocks are created and then encrypted using a private key.
B. Predetermined sized blocks are created and sequentially fed into the hashing function.
C. Random sized blocks are created based on the encryption algorithm used and then encrypted
using a private key.
D. Random sized blocks are created based on the encryption algorithm used and sequentially fed
into the hashing function.

Answer: B

QUESTION NO: 92

Under which condition should the ProCurve BPDU Filtering feature be enabled on a port?

A. The port is not at risk of receiving spoofed BPDUs.
B. The port exhibits excessively high data utilization rates.
C. You do not want the port to participate in BPDU communications.
D. The port receives an abnormally high number of BPDUs due to frequent topology changes.

Answer: C

QUESTION NO: 93

Which statements describing SSH operations on the ProCurve Switch 3500yl series are correct?
(Select three.)

A. Erasing the switch public and private keys automatically disables SSH.
B. The switch's public and private SSH keys can be viewed using a CLI show command.
C. The maximum number of client public keys stored in switch flash memory is configurable.
D. If secure file transfer is enabled for SSH, the switch TFTP server is automatically disabled.
E. When erasing client public keys, you can specify the operator-access or manager-access
level.

Answer: A, D, E

QUESTION NO: 94

You want to use 802.1X port-access authentication to assign Microsoft Active Directory users to a
particular VLAN based on user credentials. Which condition must exist?

A. The VLAN ID must exist on the switch.
B. The VLAN ID must be defined in a GVRP configuration.
C. The port through which the user is authenticating must be defined as a member of the VLAN.
D. The user must be a member of an Active Directory Group that has an associated RADIUS
remote-access policy.

Answer: A

QUESTION NO: 95

Which configuration steps must you perform to implement the ProCurve Dynamic ARP protection
feature on a switch? (Select three.)

A. Enable it globally.
B. Define trusted ports.
C. Activate it on one or more VLANs.
D. Enable validation of source MAC addresses.
E. Allocate the IP-to-MAC address binding database.
F. Specify the valid MAC address formats supported.

Answer: A, B, C

QUESTION NO: 96

For what purpose can the ProCurve Instrumentation Monitor be used?

A. identify well-known intrusions based on predefined signatures
B. collect traffic statistics that can be used to determine historical trends
C. monitor network traffic on selected ports and send the packets to an IDS or IPS
D. report anomalies on the switch caused by common attacks or irregular conditions

Answer: D

QUESTION NO: 97

What are the main steps for configuring SNMPv3 management access after enabling SNMPv3 on
a ProCurve Switch 5406zl?

A. create users; assign users to groups
B. create users; create groups; assign users to groups
C. create users; create communities; assign users to communities
D. create communities; create groups; assign communities to groups

Answer: A

QUESTION NO: 98

Which statements describing a static port ACL are correct? (Select two.)

A. It can be implemented as an extended ACL only.
B. Adding a port to a trunk applies the trunk's ACL configuration to the new member.
C. It is useful where clients with differing access needs are likely to use the same port.
D. Can be conditionally assigned to a port based on the connecting device's MAC address.
E. It filters any inbound IP traffic on the designated port, regardless of whether it is switched or
routed.

Answer: B, E

QUESTION NO: 99

You want to limit management of your ProCurve Switch 5412zl using IP Authorized Managers.
You have configured an IP Authorized Manager entry of 10.1.8.0 255.255.255.248.
What is the maximum number of distinct IP addresses that will be allowed to manage the switch?

A. 1
B. 4
C. 8
D. 254
E. 256

Answer: C

QUESTION NO: 100

You receive an urgent call from a customer who forgot his password, and therefore cannot
access the CLI of a ProCurve 5406zl switch. For security purposes, the front panel
password-clear function was previously disabled. How can you help the customer regain management
access to the switch?

A. Contact ProCurve support to obtain the default password.
B. Use the Reset and Clear buttons on the front panel of the switch together to return the switch
to factory defaults.
C. Press the Clear button on the front panel of the switch for at least 10 seconds to return the
switch to factory defaults.
D. Press the Reset button on the front panel of the switch for at least 20 seconds to return the
switch to factory defaults.

Answer: B

QUESTION NO: 101

Which method or feature can control access for both switch management and general network
users?

A. Port Security
B. Open VLAN mode
C. MAC authentication
D. RADIUS authentication
E. SSH client digital certificates

Answer: D

QUESTION NO: 102

Which action or configuration step should you take when implementing remote mirroring using the
ProCurve Traffic Mirroring feature?

A. enabling jumbo frames
B. configuring a connection-rate filter
C. enabling SNMP message throttling
D. enabling the instrumentation monitor

Answer: A

QUESTION NO: 103

What is a benefit of the ProCurve BPDU Filtering feature?

A. It allows you to permit or deny selected user traffic on individual spanning-tree ports.
B. It balances the traffic load between two or more spanning-tree ports currently in the forwarding
state.
C. It prevents a port from being part of a spanning-tree topology that may otherwise cause a
topology loop.
D. It controls spanning-tree operation on selected ports that you do not want to participate in
spanning-tree communications.

Answer: D

QUESTION NO: 104

Which change occurs when the include-credentials command is enabled on the ProCurve Switch
5400zl series?

A. SSH authentication for switch management access will include the Web browser's public key.
B. Configured user names for operator and manager accounts are viewable in the switch
configuration file.
C. Administrative privilege level is enabled for switch management access by authenticated
RADIUS users.
D. An SNMPv3 account with authentication and privacy support is required for SNMP access to
the switch.
E. Windows domain login credentials are passed to a RADIUS server by the switch for users
authenticated using 802.1X.

Answer: B

QUESTION NO: 105

Which EAP methods support authentication of an 802.1X supplicant based on a user's name and
password? (Select two.)

A. SIM
B. TLS
C. TTLS
D. SPAP
E. PEAP
F. CHAP

Answer: C, E

QUESTION NO: 106

How does the ProCurve Connection-rate Filtering feature operate?

A. When the aggregate flow of packets sent over a trunk or list of ports reaches a threshold,
selected packets are dropped.
B. When a source IP address generates a rate of connection requests to multiple destinations
that exceeds a threshold, a configured action is applied.
C. When the number of TCP SYN requests sent to any one of the switch's management
interfaces exceeds a configured limit, the source port is disabled.
D. When an excessive number of source IP addresses attempt to create a Denial of Service
attack on a given destination IP address, the source ports are throttled.

Answer: B

QUESTION NO: 107

Which statements describing the implementation of Authorized IP Managers are correct? (Select
two.)

A. An access level of manager or operator can be optionally assigned.
B. An allowed management station can be specified using an IP address or DNS name.
C. A potential management station is authorized before RADIUS authentication is performed.
D. The maximum number of entries that can be defined depends on whether single IP address or
IP address ranges are configured.
E. The IP mask specified must be inclusive of the underlying subnet mask of the IP addresses
assigned to the management stations.

Answer: A, C

QUESTION NO: 108

What is the benefit of saving the DHCP Snooping binding database that contains IP address to
MAC address mappings?

A. It will be available after a reboot of the switch.
B. It conserves switch ASIC memory resources.
C. It allows the switch to determine if a DHCP server is a rogue system.
D. It protects the switch from rogue DHCP servers while the switch is rebooting.

Answer: A

QUESTION NO: 109

To configure RADIUS authentication of switch management users on a ProCurve switch, the
RADIUS server must support unencrypted authentication using which protocol?

A. HTTP
B. PEAP
C. CHAP
D. MS-CHAP
E. PAP or SPAP
F. MD5 or SHA-1

Answer: E

QUESTION NO: 110

Which statements describing RADIUS accounting support on the ProCurve Switch 3500yl series
are correct? (Select three.)

A. The network accounting option is applicable only to 802.1X user sessions.
B. RADIUS accounting can control commands available at the management interface.
C. The Layer 4 port to which accounting statistics are sent is configurable on the switch.
D. The accounting statistics can be optionally stored in switch flash memory if a reboot occurs.
E. ProCurve IDM uses RADIUS accounting information to provide user session monitoring and
reporting information.

Answer: A, C, E

QUESTION NO: 111

When using DHCP Snooping, which action can the switch perform if a client sends a DHCP
message with option 82 set?

A. Mark the source client as untrusted and forward to a valid DHCP server.
B. Replace the field with the switch's IP address and the source port identifier.
C. Ignore the DHCP message because this is not a capability of DHCP Snooping.
D. Authenticate the DHCP message and forward it if the client is attached to a trusted port.

Answer: B

QUESTION NO: 112

Which access methods can be configured on a ProCurve switch for authentication of switch
management users through a RADIUS server? (Select four.)

A. SSH
B. Telnet
C. WLAN
D. 802.1X
E. console
F. TACACS+
G. Web browser

Answer: A, B, E, G

QUESTION NO: 113

Which attributes can ProCurve Identity Driven Manager apply to a user's session after the user is
authenticated? (Select three.)

A. ACL
B. user group
C. QoS setting
D. bandwidth limit
E. login session limit
F. unauthorized VLAN ID

Answer: A, C, D

QUESTION NO: 114

Which statements describing SNMPv3 support on the ProCurve Switch 5400zl series are correct?
(Select three.)

A. Message authentication can be implemented using MD5 or SHA-1.
B. Privacy and authentication protocols are configured on a per-user basis.
C. Public and private keys must be created before SNMPv3 can be enabled.
D. A password must be defined when selecting a privacy or authentication protocol.
E. SNMPv1 and SNMPv2c access must be restricted to read-only if SNMPv3 is enabled.

Answer: A, B, D

QUESTION NO: 115

Which statement describing standard and extended ACLs on the ProCurve Switch 5400zl series
is correct?

A. An extended ACL supports filtering on both source and destination TCP/UDP ports, while a
standard ACL supports only source TCP/UDP ports.
B. Standard and extended ACLs can both specify TCP/UDP ports, but only an extended ACL can
specify the precedence and type of service identifiers.
C. A standard ACL can specify only a filter based on a destination IP address, while an extended
ACL can specify both source and destination IP addresses.
D. An extended ACL can filter traffic from a source TCP/UDP port to a destination IP address,
while a standard ACL filters only traffic based on the source IP address.

Answer: D

QUESTION NO: 116

What is the purpose of defining IP-to-MAC address bindings on a ProCurve switch that has
Dynamic ARP Protection enabled?

A. to specify clients connected to untrusted ports
B. to lock down the switch's IP addresses to its base MAC address
C. to identify devices that do not use DHCP, but have a static IP address assigned
D. to provide security on those ports where different clients may connect over time
E. to protect uplink ports that connect to other switches that do not support Dynamic ARP
Protection

Answer: C

QUESTION NO: 117

You are the network administrator for an organization with a security policy that limits network
access to specific computers. Which restriction can you specify if you enable Port Security on
ProCurve edge switches?

A. list of permitted MAC addresses per switch
B. single specific permitted MAC address per port
C. single permitted user name and password pair per port
D. list of permitted user name and password pairs per switch

Answer: B

QUESTION NO: 118

Which statements describe capabilities of the ProCurve Instrumentation Monitor?
(Select two.)

A. The anomaly detection engine can detect zero-day attacks.
B. Alerts can be sent to the switch Event Log or to SNMP trap receivers.
C. It supports integration with the ProCurve Manager Traffic Monitor component.
D. Predefined threshold levels can be used or specific values can be set for thresholds.
E. Ports are automatically blocked if the number of intrusions of a given category is exceeded.
F. System resource usage based on 802.1X, Web, and MAC authentication sessions can be
monitored.

Answer: B, D

QUESTION NO: 119

Which action or configuration step should you take when implementing remote mirroring using the
ProCurve Traffic Mirroring feature?

A. enabling jumbo frames
B. configuring a connection-rate filter
C. enabling SNMP message throttling
D. enabling the instrumentation monitor

Answer: A

QUESTION NO: 120

Which type of information is displayed in the switch configuration file when the include-credentials
command is enabled? (Select three.)

A. public keys of SSH clients
B. DHCP Snooping IP-to-MAC address binding database
C. shared secret used to communicate with a RADIUS server
D. SSL public/private key pair of the switch's Web authenticator
E. plaintext passwords of the operator and manager user accounts
F. SNMPv3 user name and authentication and privacy protocol settings

Answer: A, C, F

QUESTION NO: 121

Which statements describing SSL operations on the ProCurve Switch 5400zl series are correct?
(Select two.)

A. Common public and private keys can be used for SSH and SSL.
B. Symmetric encryption algorithms supported include 3DES and DES.
C. The switch's certificate can be viewed, but the SSL public key cannot.
D. With SSL enabled, if you attempt to access the switch using HTTP, the Web browser is
automatically redirected.
E. If a self-signed certificate is used, a Web browser initiates a challenge to verify the identity of
the signer of the certificate.

Answer: B, C

QUESTION NO: 122

You have a ProCurve Switch 3500yl-48G which has two configured VLANs. VLAN 10 has an IP
address range of 10.1.10.0/24 and is where the servers reside. VLAN 24 has an IP address
range of 10.1.24.0/24 and is where the network clients reside. You configure an ACL with these
entries:

permit tcp 10.1.24.0 0.0.0.0 10.1.10.10 255.255.255.255 eq ftp
permit tcp 10.1.24.0 0.0.0.0 10.1.10.10 255.255.255.255 eq http
permit tcp 10.1.24.0 0.0.0.0 10.1.10.10 255.255.255.255 eq telnet

When you apply this ACL statically to ports in VLAN 24, what is the effect on the clients located in
VLAN 24?

A. They would have no access at all because the ACL is misconfigured.
B. They could not access anything in the 10.1.10.0 subnet because IP has not been specified in
the ACL.
C. They would be allowed only FTP, HTTP, and telnet access to 10.1.10.10, but no access
anywhere else.
D. They would be allowed only FTP, HTTP, and telnet access to 10.1.10.10, but full access to
everything else in the 10.1.10.0 subnet.

Answer: C

QUESTION NO: 123

Which statements describing a dynamic port ACL are correct? (Select two.)

A. It can be implemented as either a standard or extended ACL.
B. It filters switched IP traffic either inbound or outbound on a designated port.
C. It requires the use of 802.1X, Web, or MAC authentication services on the switch.
D. It is useful where clients with differing access needs are likely to use the same port.
E. Configuration of the ACL is done on the switch and then read dynamically by a RADIUS server
when a user connects.

Answer: C, D

QUESTION NO: 124

A network administrator plans to use centralized authentication to control switch management
access to all ProCurve switches through the console port. It is decided that the RADIUS server
will be the primary authentication method and no secondary authentication method will be
allowed. What will be the result of this proposed configuration?

A. The primary authentication method for operator-level access through the console port is the
RADIUS server; if no RADIUS server is found, access is denied.
B. The primary authentication method for manager-level access through the console port is the
RADIUS server; if no RADIUS server is found, access is denied.
C. This configuration is not allowed because the console port must allow the use of a user name
from the local switch database in the event that the RADIUS server is not reachable.
D. The primary authentication method for manager-level access through the console port is the
RADIUS server; if no RADIUS server is found, only operator-level access is granted.

Answer: C

QUESTION NO: 125

MAC Lockdown has been configured to lock down a device on port A1 in VLAN 10. During a
maintenance task, the device is accidentally connected to port B5 in VLAN 8. Which statement
correctly describes the state of port B5?

A. The port is operational because it is not the port configured for MAC Lockdown.
B. The port is listed as enabled and up, but the device is prevented from transmitting into the
network.
C. The port is listed as disabled and down and the device is prevented from transmitting into the
network.
D. Because the MAC Lockdown feature is not configured on the second module, the device can
successfully connect to the port.
E. The port is listed as throttled and will automatically be re-examined after a delay period. If the
device is still connected it will be blocked.

Answer: B

QUESTION NO: 126

What are the main components of the ProCurve ProActive Defense network security solution?
(Select three.)

A. stateful firewall
B. access control
C. network immunity
D. secure infrastructure
E. intrusion prevention system
F. antivirus and antispam integration

Answer: B, C, D

QUESTION NO: 127

What are the minimum configuration steps required to implement the ProCurve DHCP Snooping
feature on a switch? (Select three.)

A. Enable it globally.
B. Define trusted ports.
C. Specify option 82 parameters.
D. Activate it on one or more VLANs.
E. Identify the DHCP server's IP address.
F. Specify the server where the lease database is stored.
G. Specify the maximum number of IP addresses per subnet allowed to be assigned by a DHCP
server.

Answer: A, B, D

QUESTION NO: 128

When configuring SSH on a ProCurve switch, which user authentication methods can be
specified? (Select four.)

A. 802.1X
B. RADIUS
C. Kerberos
D. public key
E. TACACS+
F. Web browser
G. local user name and password

Answer: B, D, E, G

QUESTION NO: 129

A Network Resource Access Rule in ProCurve Identity Driven Manager is most similar to which
object?

A. Access Policy Group
B. Access Control Entry
C. Remote Access Policy
D. Network Dial-in Restrictions
E. Authorized RADIUS Servers List

Answer: B

QUESTION NO: 130

You have configured Open VLAN mode for the 802.1X authenticator ports in your company's
network. After a client connects to a port and the user is successfully authenticated, the port's
membership is changed to untagged in one of the following VLANs.

A. Underlying VLAN configured for the port
B. VLAN from the user's RADIUS profile
C. Authorized VLAN

What is the order of priority used to determine the VLAN?

D. A B
E. A C
F. B A
G. B C
H. C A
I. C B

Answer: D

QUESTION NO: 131

What is a benefit of the ProCurve BPDU Protection feature?

A. It eliminates the need for a topology change when a port's link status changes.
B. It ignores received BPDUs and does not send its own BPDUs on designated ports.
C. It protects the active spanning-tree topology by preventing spoofed BPDUs from entering the
spanning-tree domain.
D. It prevents a spanning-tree port from changing between various operational states during a
broadcast storm or when a loop is detected.

Answer: C

QUESTION NO: 132

You have configured a list of ports on a ProCurve switch for 802.1X port-access authentication.
Which configuration step is required to complete the configuration?

A. Configure the authorized VLAN identifier.
B. Set the state of the ports to authorized for 802.1X.
C. Use the start-eapol command to enable 802.1X operations.
D. Use the aaa port-access authenticator active command to activate the ports.

Answer: D
