
GCIH Question #680: Real Exam Question with Answer & Explanation

The correct answer is A: Gi1/1/3. A CAM table with multiple MAC addresses mapped to a single port indicates a MAC flooding attack or a rogue device acting as an aggregation point, making that port suspicious.

Reconnaissance, Scanning, and Enumeration

Question

Alice is checking for unusual activity on the LAN that she administers. Based on the CAM table excerpt below, what port should be investigated further?

Exhibit

[Exhibit: CAM table excerpt, image not reproduced]

Options

  • A. Gi1/1/3
  • B. Gi1/1/4
  • C. Gi1/1/2
  • D. Gi1/1/5

Explanation

A CAM table with multiple MAC addresses mapped to a single port indicates a MAC flooding attack or a rogue device acting as an aggregation point, making that port suspicious.

Common mistakes.

  • B. Gi1/1/4 appears to have a normal, single MAC-to-port mapping consistent with a legitimate end device.
  • C. Gi1/1/2 shows a typical single-device association in the CAM table and does not exhibit anomalous behavior.
  • D. Gi1/1/5 also reflects a standard single MAC address mapping and presents no indicators of unusual activity.
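
The check described in the explanation, as an added example that is not part of the original question or its exhibit: it parses switch output in the Cisco IOS `show mac address-table` layout and reports ports that have learned more MAC addresses than expected. The sample table, its MAC addresses, the Gi1/1/1 uplink, and the threshold of one MAC per access port are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Cisco IOS "show mac address-table".
# VLAN, MAC addresses and the Gi1/1/1 uplink are invented for illustration.
SAMPLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
  10    0011.2233.4401    DYNAMIC     Gi1/1/1
  10    0011.2233.4402    DYNAMIC     Gi1/1/1
  10    0011.2233.4410    DYNAMIC     Gi1/1/2
  10    0011.2233.4420    DYNAMIC     Gi1/1/3
  10    0011.2233.4421    DYNAMIC     Gi1/1/3
  10    0011.2233.4422    DYNAMIC     Gi1/1/3
  10    0011.2233.4423    DYNAMIC     Gi1/1/3
  10    0011.2233.4430    DYNAMIC     Gi1/1/4
  10    0011.2233.4440    DYNAMIC     Gi1/1/5
Total Mac Addresses for this criterion: 10
"""

ROW = re.compile(
    r"^\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)

def macs_per_port(table_text):
    """Map each port to the set of dynamically learned MACs seen on it."""
    ports = defaultdict(set)
    for line in table_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, separators, "All ... CPU" rows, totals
        _vlan, mac, entry_type, port = m.groups()
        if entry_type.upper() == "DYNAMIC":
            ports[port].add(mac.lower())
    return dict(ports)

def ports_to_investigate(table_text, max_macs=1, uplinks=()):
    """Return (port, mac_count) pairs over the threshold, busiest first.

    uplinks: ports expected to carry many MACs (trunks to other switches);
    which ports those are is site knowledge the caller must supply.
    """
    hits = [(p, len(m)) for p, m in macs_per_port(table_text).items()
            if len(m) > max_macs and p not in uplinks]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

if __name__ == "__main__":
    for port, count in ports_to_investigate(SAMPLE, uplinks={"Gi1/1/1"}):
        print(f"{port}: {count} MAC addresses learned")
```

Without the `uplinks` exclusion the trunk port is reported as well, which is why a raw MAC count per port needs to be read against the known topology.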

Concept tested. CAM table flooding and MAC-based anomaly detection

Reference. https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/port_sec.html

Topics

#CAM table analysis  #MAC flooding  #switch port security  #network forensics
