Exam CISSP topic 1 question 361 discussion

I'm network eng with 15y of experience, if it's l2 problem it broadcast domain.

People choosing Opton-D, please read again the question, specially this part"...geographically diverse..."

If the disruption in the single Layer-2 network between geographically diverse data centers is due to a broadcast storm caused by a too-large broadcast domain, then C. Broadcast domain too large could indeed be the most likely cause. Broadcast storms can significantly impact network performance, leading to disruptions. Considering this, the answer might lean more towards C. Broadcast domain too large, especially if the disruption aligns with symptoms of a broadcast storm. Address spoofing (Option D) might be a security concern, but the context of a widespread disruption suggests a more systemic issue like a broadcast storm. Therefore, in this specific context, C. Broadcast domain too large seems to be a more fitting answer.

Answer D) Address Spoofing Spoofing attacks involve an attacker disguising themselves as a trusted entity to gain unauthorized access or manipulate data. ARP and DHCP spoofing, common Layer 2 attacks, can redirect traffic, cause disruptions, or allow attackers to eavesdrop on data. https://sechard.com/blog/mitigating-layer-2-network-attacks-with-sechard/#:~:text=Spoofing%20Attacks,attackers%20to%20eavesdrop%20on%20data.

C. Broadcast domain too large A broadcast storm caused by a broadcast domain that is too large is the most likely cause of a disruption in a single Layer-2 network spanning geographically diverse data centers. When the broadcast domain becomes too large, it can result in excessive broadcast traffic, leading to a broadcast storm. A broadcast storm can overwhelm the network, causing disruptions and impacting network performance.

Correct answer is C: disruption in a single Layer-2 network spanning between two geographically diverse data centers could be: C. Broadcast domain too large

Correct Answer is C: Think MPLS, Layer 2 spanning multiple geographical centres is what an MPLS network will do. L2.5

It seems like D is the best answer. "A problem with a large broadcast domain is that these hosts can generate excessive broadcasts and negatively affect the network." https://ccna-200-301.online/network-segmentation/ So too large of a broadcast domain wouldn't have just suddenly caused a problem that network admins can't figure out. Also this question is geared at a CISSP, so it must be security related. D. You can spoof a mac address, mac address is a layer2, so this is the answer.

I will choose B. It's unlikely that address spoofing will bring down a network unless it's combined with some sort of DoS. Smurf attack is layer 3, so it's unlikely to be the cause either.

Broadcast domain too large is a design problem not the root cause of the event. Even through the brodcast domain is too large, the network still can function. For root cause analysis, I will vote D.

"broadcast domain too large" is not the same as "broadcast storm" Broadcast domain too large could be a poor network design but it doesn't cause a network disruption event IMO. I am not considering Smurf Attack because the question say " a single L2 network" and this attack would have used all the bandwidth available affecting other networks spanned. I'd say D is correct

From the CBK books: Some access point vendors offer such features, including the ability to detect MAC address spoofing to mitigate the risk of someone forging a known whitelisted MAC. If MAC address is spoofed, the attacker can overwhelm the L2 network. ! Note that the question is talking about unknown event (happened suddenly). Also the large L2 broadcast could not mean it is extended over the geographic locations. And if the issue is because Large L2 network, then this should be ongoing problem, not as an incident.

The following are some Layer 2 attacks that can occur on your network: Address Resolution Protocol (ARP) Attacks. ... Content Addressable Memory (CAM) Table Overflows. ... Spanning Tree Protocol (STP) Attacks. ... Media Access Control (MAC) Spoofing. ... Switch Spoofing. ... Double Tagging. ... Cisco Discovery Protocol (CDP) Reconnaissance.

D is the best answer. This is a tricky question. Agree that the single L2 network spans between 2 geographically diverse DCs. But that simply does not bring down the DC and also question is not about the DCs going down. Address spoofing refers to MAC address spoofing. MAC address spoofing attack is where the impostor or hacker hunts the network for valid and original MAC addresses and circumvents access control measures, giving the hacker the advantage to pose as one of the valid MAC addresses. MAC address spoofing is which type of attack wherein the hacker is also able to bypass authentication checks as he presents this as the default gateway and copies all of the data passed on to the default gateway without being identified, giving him all the important details about applications in use and end-host IP addresses.

Spoofing is Layer 3 of OSI

This is the only plausible answer as broadcasting domains can bring any network down.

"disrupted a SINGLE Layer-2 network that spans between TWO geographically diverse data centers" Sounds overwhelmed, I have to say broadcast domain sounds most likely.