642-813 CERT PREPARE CORRECT ANSWERS EDU-GEEZU

Number: 642-813
Passing Score: 790
Time Limit: 120 min
File Version: 1.0

http://www.gratisexam.com/

642-813 (Implementing Cisco Switched Networks)

CERT PREPARE

EDU-GEEZU

Exam A

QUESTION 1
The network operations center has received a call stating that users in VLAN 107 are unable to access resources through R1. From the information contained in the graphic, what is the cause of this problem?

A. spanning tree is not enabled on VLAN 107
B. VTP is pruning VLAN 107
C. VLAN 107 does not exist on switch SA
D. VLAN 107 is not configured on the trunk

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

"VLAN allowed on trunk": Each trunk allows all VLANs by default. However, the administrator can remove or add to the list by using the "switchport trunk allowed" command.

"VLANs allowed and active in management": To be active, a VLAN must be in this list.

"VLANs in spanning tree forwarding state and not pruned": This list is a subset of the "allowed and active" list but with any VTP-pruned VLANs removed.

All VLANs were configured except VLAN 101, so D is not correct. VLAN 107 exists in the "allowed and active" section, so A and C are not correct either. In the "forwarding state and not pruned" section we don't see VLAN 107, so the administrator had wrongly configured this VLAN as pruned.

QUESTION 2
Study the diagram below carefully. Which three statements are true? (Choose three)

A. DTP packets are sent from Switch SB.
B. DTP is not running on Switch SA.
C. A trunk link will be formed.
D. The native VLAN for Switch SB is VLAN 1.

Correct Answer: ACD
Section: (none)
Explanation

Explanation/Reference:
Explanation:

Dynamic Trunking Protocol (DTP) is the Cisco-proprietary protocol that actively attempts to negotiate a trunk link between two switches. If an interface is set to switchport mode dynamic desirable, it will actively attempt to convert the link into trunking mode. If the peer port is configured as switchport mode trunk, dynamic desirable, or dynamic auto mode, trunking is negotiated successfully -> C is correct.

SB is in "dynamic desirable" mode so it will send DTP packets to SA to negotiate a trunk link -> A is correct.

On an 802.1Q trunk, DTP packets are sent on the native VLAN. By default, it is VLAN 1 (notice that SA's native VLAN is 5) -> D is correct.

(Note: an 802.1Q trunk's native VLAN is the only VLAN that has untagged frames)

Below are the switchport modes for easy reference:

Mode | Function
Dynamic Auto | Creates the trunk based on the DTP request from the neighboring switch.
Dynamic Desirable | Communicates to the neighboring switch via DTP that the interface would like to become a trunk if the neighboring switch interface is able to become a trunk.
Trunk | Automatically enables trunking regardless of the state of the neighboring switch and regardless of any DTP requests sent from the neighboring switch.
Access | Trunking is not allowed on this port regardless of the state of the neighboring switch interface and regardless of any DTP requests sent from the neighboring switch.
Nonegotiate | Prevents the interface from generating DTP frames. This command can be used only when the interface switchport mode is access or trunk. You must manually configure the neighboring interface as a trunk interface to establish a trunk link.

QUESTION 3
Regarding the exhibit and the partial configuration of switch SA and SB. STP is configured on all switches in the network. SB receives this error message on the console port:

00:06:34: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/5 (not half duplex), with SA FastEthernet0/4 (half duplex), with TBA05071417(Cat6K-B) 0/4 (half duplex).

What would be the possible outcome of the problem?

A. The root port on switch P4S-SB will fall back to full-duplex mode.
B. The interfaces between switches P4S-SA and P4S-SB will transition to a blocking state.
C. The root port on switch P4S-SA will automatically transition to full-duplex mode.
D. Interface Fa0/6 on switch SB will transit to a forwarding state and create a bridging loop.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

From the output, we learn that the interfaces on the two switches are operating in different duplex modes: Fa0/4 of SA in half-duplex mode and Fa0/5 of SB in full-duplex mode. In this case, because SB is operating in full-duplex mode, it does not check the carrier sense before sending frames (CSMA/CD is not used in full-duplex mode). Therefore, SB can start to send frames even if SA is using the link, and a collision will occur. The result is that SA will wait a random time before attempting to transmit another frame. If B sends enough frames to A to make every frame sent from A (which includes the BPDUs) get dropped, then SB can think it has lost the root bridge (B does not receive BPDUs from A anymore). Therefore SB will unblock its Fa0/6 interface for transmitting and cause a bridging loop.

QUESTION 4
What is a characteristic of multi-VLAN access ports?

A. The port has to support STP PortFast.
B. The auxiliary VLAN is for data service and is identified by the PVID.
C. The port hardware is set as an 802.1Q trunk.
D. Both the voice service and data service use the same trust boundary.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation

The multi-VLAN port feature on the Catalyst 2900 XL/3500 XL switches allows for configuring a single port in two or more VLANs. This feature allows users from different VLANs to access a server or router without implementing InterVLAN routing capability. A multi-VLAN port performs normal switching functions in all its assigned VLANs. VLAN traffic on the multi-VLAN port is not encapsulated as it is in trunking -> The port is set as an 802.1Q trunk -> C is correct.

Note: The limitations of implementing multi-VLAN port features are listed below.

1) You cannot configure a multi-VLAN port when a trunk is configured on the switch. You must connect the multi-VLAN port only to a router or server. The switch automatically transitions to VTP transparent mode when the multi-VLAN port feature is enabled, which disables VTP.

2) The multi-VLAN port feature is supported only on the Catalyst 2900 XL/3500 XL series switches. This feature is not supported on the Catalyst 4000/5000/6000 series or any other Cisco Catalyst switches.

The following example shows how to configure a port for multi-VLAN mode:
Switch(config-if)# switchport mode multi

The following example shows how to assign a multi-VLAN port already in multi mode to a range of VLANs:
Switch(config-if)# switchport multi vlan 5-10

QUESTION 5
The Company LAN switches are being configured to support the use of Dynamic VLANs. Which of the following are true of dynamic VLAN membership? (Choose two)


A. VLAN membership of a user always remains the same even when he/she is moved to another location.
B. VLAN membership of a user always changes when he/she is moved to another location.
C. Membership can be static or dynamic.
D. Membership can be static only.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation

Please read the explanation of

QUESTION 6
Static VLANs are being used on the Company network. What is true about static VLANs?

A. Devices use DHCP to request their VLAN.
B. Attached devices are unaware of any VLANs.
C. Devices are assigned to VLANs based on their MAC addresses.
D. Devices are in the same VLAN regardless of which port they attach to.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation

The VLAN tags are only added/removed at the switches. Attached devices are unaware of the existence of VLANs in the network.

QUESTION 7
The Company LAN is becoming saturated with broadcasts and multicast traffic. What could you do to help a network with many multicasts and broadcasts?

A. Creating smaller broadcast domains by implementing VLANs.
B. Separate nodes into different hubs.
C. Creating larger broadcast domains by implementing VLANs.
D. Separate nodes into different switches.
E. All of the above.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation

By default, switches flood multicasts out all ports (same as broadcasts). However, many switches and routers can be configured to support multicast traffic, and that support is based on the network addresses used by multicasts. By implementing VLANs, broadcasts and multicast traffic are only sent to ports in the same VLAN as the sending device.

QUESTION 8
You have configured a Cisco Catalyst switch to perform Layer 3 routing via an SVI and have assigned that interface to VLAN 20. To check the status of the SVI, you issue the show interfaces vlan 20 command at the CLI prompt. You see from the output display that the interface is in an "up/up" state. What must be true in an SVI configuration to bring the VLAN and line protocol up?

A. The port must be physically connected to another Layer 3 device.
B. At least one port in VLAN 20 must be active.
C. The Layer 3 routing protocol must be operational and receiving routing updates from neighboring peer devices.
D. Because this is a virtual interface, the operational status will always be in an "up/up" state.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation

To be "up/up," a router VLAN interface must fulfill the following general conditions:

* The VLAN exists and is "active" on the VLAN database of the switch.
* The VLAN interface exists on the router and is not administratively down.
* At least one Layer 2 (access port or trunk) port exists, has a link "up" on this VLAN and is in spanning-tree forwarding state on the VLAN.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/37sg/configuration/guides/l3_int.html)

Let's see an example of configuring a Switch Virtual Interface (SVI) to perform interVLAN routing between PC0 and PC1:

Configuration

//Create two VLANs

L3Switch(config)#vlan 10
L3Switch(config-vlan)#vlan 20
L3Switch(config-vlan)#exit

L3Switch(config)#interface fa0/1
L3Switch(config-if)#switchport mode access
L3Switch(config-if)#switchport access vlan 10

L3Switch(config)#interface fa0/2
L3Switch(config-if)#switchport mode access
L3Switch(config-if)#switchport access vlan 20
L3Switch(config-if)#exit

//Enable IP routing on this Layer 3 Switch

L3Switch(config)#ip routing

//Create two SVIs for interVLAN routing:

L3Switch(config)#interface vlan 10
L3Switch(config-if)#ip address 10.0.0.1 255.255.255.0

L3Switch(config)#interface vlan 20
L3Switch(config-if)#ip address 20.0.0.1 255.255.255.0

On PC0, assign the IP address 10.0.0.2 255.255.255.0 and the default gateway 10.0.0.1.
On PC1, assign the IP address 20.0.0.2 255.255.255.0 and the default gateway 20.0.0.1.

Now we can ping from PC0 to PC1:

PC0>ping 20.0.0.2

Pinging 20.0.0.2 with 32 bytes of data:

Reply from 20.0.0.2: bytes=32 time=40ms TTL=127
Reply from 20.0.0.2: bytes=32 time=40ms TTL=127
Reply from 20.0.0.2: bytes=32 time=40ms TTL=127
Reply from 20.0.0.2: bytes=32 time=40ms TTL=127

QUESTION 9
What two pieces of information will the show vlan id 5 command display? (Choose two)

A. Ports in VLAN 5
B. Utilization
C. VLAN information on port 0/5
D. Filters
E. MTU and type

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:
Explanation

The show vlan id vlan-id command displays information about a particular VLAN. But notice that this command will also list the trunk ports that allow this VLAN. An example of the "show vlan id" command is shown below:

QUESTION 10
What are some virtues of implementing end-to-end VLANs? (Choose two)

A. End-to-end VLANs are easy to manage.
B. Users are grouped into VLANs independent of a physical location.
C. Each VLAN has a common set of security and resource requirements for all members.
D. Resources are restricted to a single location.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Explanation

There are two kinds of VLANs:

* End-to-end VLANs: also called campuswide VLANs, span the entire switch fabric of a network. They are positioned to support maximum flexibility and mobility of end devices. Users can be assigned to VLANs regardless of their physical location. As a user moves around the campus, that user's VLAN membership stays the same. End-to-end VLANs should group users according to common requirements. All users in a VLAN should have roughly the same traffic flow patterns.

* Local VLANs: based on geographic locations by demarcation at a hierarchical boundary (core, distribution, access).

(Reference: CCNP SWITCH 642-813 Official Certification Guide)

QUESTION 11
Which two statements are true about a switched virtual interface (SVI)? (Choose two)

A. An SVI is created by entering the no switchport command in interface configuration mode.
B. An SVI is normally created for the default VLAN (VLAN1) to permit remote switch administration.
C. An SVI provides a default gateway for a VLAN.
D. Multiple SVIs can be associated with a VLAN.
E. SVI is another name for a routed port.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Explanation

Catalyst L2 fixed configuration switches that run Cisco IOS Software have only one configurable IP management interface, which by default is interface VLAN 1. Pure layer 2 switches can have only one interface VLAN up at a time. This is called the management VLAN (in IOS) or the sc0 interface (in CatOS). The main purpose of this interface is management (telnet, SNMP, etc). If the switch is a Layer 3 switch, you can configure multiple VLANs and route between them. An L3 switch can handle multiple IPs, so there is no specific management VLAN on the switch.

(Reference: http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008010e9ca.shtml)

QUESTION 12
Two switches SA and SB are connected as shown below. Given the below partial configuration, which two statements are true about VLAN traffic? (Choose two)

A. VLANs 1-5 will be blocked if fa0/10 goes down.
B. VLANs 6-10 have a port priority of 128 on fa0/10.
C. VLANs 6-10 will use fa0/10 as a backup only.
D. VLANs 1-10 are configured to load share between fa0/10 and fa0/12.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation:

Let's assume that SA is the root bridge for all VLANs; it will make the explanation a bit clearer...

First we should understand what will happen if nothing is configured (default values are used). Because we assumed that SA is the root bridge, all of its ports will forward. SB will need to block one of its ports to avoid a bridging loop between the two switches. But how does SB select its blocked port? Well, the answer is based on the BPDUs it receives from SA. A BPDU is superior to another if it has:
1. A lower Root Bridge ID
2. A lower path cost to the Root
3. A lower Sending Bridge ID
4. A lower Sending Port ID

These four parameters are examined in order. In this specific case, all the BPDUs sent by SA have the same Root Bridge ID, the same path cost to the Root and the same Sending Bridge ID. The only parameter left to select the best one is the Sending Port ID (Port ID = port priority + port index). If using default values, the default port priority's value is 32 or 128 (128 is much more popular today but 32 is also a default port priority's value), so SB will compare port index values, which are unique to each port on the switch, and because Fa0/12 is inferior to Fa0/10, SB will select the port connected with Fa0/10 (of SA) as its root port and block the other port.

To change the default decision of selecting the root port, we can change the port priority of each interface. The above picture is true for VLANs 1-5 because port Fa0/10 has a lower port-priority so the peer port will be chosen as the root port. For VLANs 6-10, port Fa0/12 has higher priority ID (lower port priority value) so SB will block its upper port.

Answer A "VLANs 1-5 will be blocked if fa0/10 goes down" is not correct because if Fa0/10 goes down, SB will unblock its lower port, therefore VLANs 1-5 will still operate.

Answer B "VLANs 6-10 have a port priority of 128 on fa0/10" is not always correct because VLANs 6-10 can have a different port priority (of 32) according to Cisco's link below.

Answer C is correct because VLANs 6-10 use the Fa0/12 link as their main path. Fa0/10 is the backup path and is only opened when port Fa0/12 fails.

Answer D is correct because this configuration load-balances traffic on a per-VLAN basis. VLANs 1-5 use Fa0/10 and VLANs 6-10 use Fa0/12 as their main paths.

Note: We cannot be sure that answer B is always correct, so we should choose C and D if the question asks us to give only 2 choices.

Reference (and good resource, too):

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96a.shtml

QUESTION 13
You have just created a new VLAN on your network. What is one step that you should include in your VLAN-based implementation and verification plan?

A. Verify that trunked links are configured to allow the VLAN traffic.
B. Verify that the switch is configured to allow for trunking on the switch ports.
C. Verify that each switch port has the correct IP address space assigned to it for the new VLAN.
D. Verify that different native VLANs exist between two switches for security purposes.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation

A VLAN-based implementation and verification plan should include:

* Verification that trunked links are configured to allow the newly created VLANs.
* Verification that the SVI has already been created and that it shows up on all required switches using the show vlan command.

QUESTION 14
The network administrator needs to enable VTP pruning within the network. What action should a network administrator take to enable VTP pruning on an entire management domain?

A. enable VTP pruning on every switch in the domain
B. enable VTP pruning on any client switch in the domain
C. Enable VTP pruning on any switch in the management domain
D. enable VTP pruning on a VTP server in the management domain

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
You have just created a new VLAN on your network for inter-VLAN routing. What is one step that you should include in your VLAN-based implementation and verification plan?

A. Verify that different native VLANs exist between two switches for security purposes.
B. Verify that the switch is configured to allow for trunking on the switch ports.
C. Verify that each switch port has the proper IP address space assigned to it for the new VLAN.
D. Verify that the VLAN virtual interface has been correctly created and enabled.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
Under what circumstances should an administrator prefer local VLANs over end-to-end VLANs?

A. Eighty percent of traffic on the network is destined for Internet sites.
B. There are common sets of traffic filtering requirements for workgroups located in multiple buildings.
C. Eighty percent of a workgroup's traffic is to the workgroup's own local server.
D. Users are grouped into VLANs independent of physical location.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation

An end-to-end VLAN follows the 80/20 rule in which 80 percent of user traffic stays within the local workgroup, whereas 20 percent is destined for a remote resource in the campus network (like Internet...).

In contrast to an end-to-end VLAN, a local VLAN follows the 20/80 rule: only 20 percent of traffic is local, whereas 80 percent is destined to a remote resource across the core layer -> A is correct.

(Reference: CCNP SWITCH 642-813 Official Certification Guide)

QUESTION 17
You are assigning VLANs to the ports of switch R1. What VLAN number value is assigned to the default VLAN?

A VLAN 1003

A. VLAN 1
B. VLAN ON
C. VLAN A
D. VLAN 0

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
What is a characteristic of a static VLAN membership assignment?

A. VMPS server lookup is required
B. Easy to configure
C. Ease of adds, moves, and changes
D. Based on MAC address of the connected device

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation

There are two types of VLAN membership assignment:

* Static VLAN: switch ports are assigned to specific VLANs manually.

* Dynamic VLAN: the switch automatically assigns the port to a VLAN using information from the user device like MAC address, IP address etc. When a device is connected to a switch port, the switch must, in effect, query a database to establish VLAN membership.

Static VLAN assignment provides a simple way to assign a VLAN to a port, while Dynamic VLANs allow a great deal of flexibility and mobility for end users but require more administrative overhead.

QUESTION 19
Which two statements are true about best practices in VLAN design? (Choose two.)

A. Routing should occur at the access layer if voice VLANs are utilized. Otherwise, routing should occur at the distribution layer.
B. Routing may be performed at all layers but is most commonly done at the core and distribution layers.
C. Routing should not be performed between VLANs located on separate switches.
D. VLANs should be local to a switch.
E. VLANs should be localized to a single switch unless voice VLANs are being utilized.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation

First let's review the main characteristics of the three layers in a campus network:

* Access layer:

+ Low cost per switch port
+ High port density
+ Scalable uplinks to higher layers
+ User access functions such as VLAN membership, traffic and protocol filtering, and quality of service (QoS)
+ Resiliency through multiple uplinks

* Distribution layer:

+ Aggregation of multiple access-layer devices
+ High Layer 3 throughput for packet handling
+ Security and policy-based connectivity functions through access lists or packet filters
+ QoS features
+ Scalable and resilient high-speed links to the core and access layers

* Core layer:

+ Very high throughput at Layer 3
+ No costly or unnecessary packet manipulations (access lists, packet filtering)
+ Redundancy and resilience for high availability
+ Advanced QoS functions

We can see that at the Distribution and Core layers, Layer 3 throughput (routing) is very high -> B is correct.

Nowadays, end-to-end VLANs are not recommended in an enterprise network, unless there is a good reason. In an end-to-end VLAN, broadcast traffic is carried over from one end of the network to the other, creating the possibility for a broadcast storm or Layer 2 bridging loop to spread across the whole extent of a VLAN. This can exhaust the bandwidth of distribution and core-layer links, as well as switch CPU resources. Now the storm or loop has disrupted users on the end-to-end VLAN, in addition to users on other VLANs that might be crossing the core.

When such a problem occurs, troubleshooting becomes more difficult. In other words, the risks of end-to-end VLANs outweigh the convenience and benefits.

From that we can infer VLAN traffic should be local to the switch -> D is correct.

(Reference: CCNP SWITCH 642-813 Official Certification Guide)

QUESTION 20
Refer to the exhibit. The user who is connected to interface FastEthernet 0/1 is on VLAN 10 and cannot access network resources. On the basis of the information in the exhibit, which command sequence would correct the problem?

A. SW1(config)# vlan 10
   SW1(config-vlan)# no shut

B. SW1(config)# interface fastethernet 0/1
   SW1(config-if)# switchport mode access
   SW1(config-if)# switchport access vlan 10

C. SW1(config)# interface fastethernet 0/1
   SW1(config-if)# switchport mode access

D. SW1(config)# vlan 10
   SW1(config-vlan)# state active

E. SW1(config)# interface fastethernet 0/1
   SW1(config-if)# no shut

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:

QUESTION 21
Which of the following technologies would an Internet Service Provider use to support overlapping customer VLAN IDs over transparent LAN services?

A. 802.1q tunneling
B. ATM
C. SDH
D. IP Over Optical Networking
E. ISL

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation

Using the IEEE 802.1Q tunneling (QinQ) feature, service providers can use a single VLAN to support customers who have multiple VLANs. The trick here is that instead of removing the VLAN tag received from customers, the ISP's edge switch puts that traffic into the VLAN assigned to that port and adds another VLAN tag outside that tag. Let's see an example:

When Switch A (of the Service Provider) receives customer traffic from an 802.1Q trunk port, it does not strip the received 802.1Q tag from the frame header; instead, the tunnel port leaves the 802.1Q tag intact, adds a 1-byte Ethertype field (0x8100) and a 1-byte length field and puts the received customer traffic into the VLAN to which the tunnel port is assigned. This Ethertype 0x8100 traffic, with the received 802.1Q tag intact, is called tunnel traffic. Notice that "VLAN X" here can be one or multiple VLANs; all will be tagged with VLAN 4 (suppose VLAN 4 is assigned to Company A).

A benefit of 802.1Q tunneling is that multiple companies can use overlapping VLANs. For example, Company A can use VLANs 1 to 100 while Company B can use VLANs 50 to 100 (overlapped from VLANs 50 to 100). The ISP's switches can still classify them because they are attached to different outer VLAN tags. In the example above Company A is assigned to VLAN 4, so we can assign Company B to VLAN 5, Company C to VLAN 6 and so on.

The link between the 802.1Q trunk port on a customer device and the tunnel port is called an asymmetrical link because one end is configured as an 802.1Q trunk port and the other end is configured as a tunnel port.

Note: By default, the native VLAN traffic of a dot1q trunk is sent untagged, which cannot be double-tagged in the service provider network. Because of this situation, the native VLAN traffic might not be tunneled correctly. Be sure that the native VLAN traffic is always sent tagged in an asymmetrical link. To tag the native VLAN egress traffic and drop all untagged ingress traffic, enter the global vlan dot1q tag native command.

QUESTION 22
Refer to the exhibit. On the basis of the output generated by the show commands, which two statements are true? (Choose two)

A. Interface gigabitethernet 0/1 has been configured as Layer 3 ports.
B. Interface gigabitethernet 0/1 does not appear in the show vlan output because switchport is enabled.
C. Interface gigabitethernet 0/1 does not appear in the show vlan output because it is configured as a trunk interface.
D. VLAN2 has been configured as the native VLAN for the 802.1q trunk on interface gigabitethernet 0/1.
E. Traffic on VLAN 1 that is sent out gigabitethernet 0/1 will have an 802.1q header applied.
F. Traffic on VLAN 2 that is sent out gigabitethernet 0/1 will have an 802.1q header applied.

Correct Answer: CF
Section: (none)
Explanation

Explanation/Reference:
Explanation

From the output of the show interface gigabitethernet 0/1 switchport command we can see this port is currently configured as a trunk port (Operational Mode: trunk) and uses 802.1q encapsulation. So surely the "show vlan" command will not list this port -> C is correct.

Also from the first output we learned the native VLAN is VLAN 1 (Trunking Native Mode VLAN:1) so only traffic from this VLAN is sent untagged -> traffic sent from VLAN 2 out this port will have an 802.1q header applied -> F is correct.

QUESTION 23
The Company LAN switches are being configured to support the use of Dynamic VLANs. What should be considered when implementing a dynamic VLAN solution? (Choose two)

A. Each switch port is assigned to a specific VLAN.
B. Dynamic VLANs require a VLAN Membership Policy Server.
C. Devices are in the same VLAN regardless of which port they attach to.
D. Dynamic VLAN assignments are made through the command line interface.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Explanation

Dynamic VLANs provide membership based on the MAC address of an end-user device. When a device is connected to a switch port, the switch must, in effect, query a database to establish VLAN membership. A network administrator also must assign the user's MAC address to a VLAN in the database of a VLAN Membership Policy Server (VMPS) -> B is correct.

When the link comes up, the switch does not forward traffic to or from this port until the port is assigned to a VLAN. The source MAC address from the first packet of a new host on the dynamic port is sent to the VMPS, which attempts to match the MAC address to a VLAN in the VMPS database. If there is a match, the VMPS sends the VLAN number for that port. If there is no match, the VMPS either denies the request or shuts down the port (depending on the VMPS secure mode setting) -> Devices are in the same VLAN regardless of which port they attach to -> C is correct.

QUESTION 24
When you issue the command show port 3/1 on an Ethernet port, you observe that the "Giants" column has a non-zero entry. What could be the cause of this?

A. IEEE 802.1Q
B. IEEE 802.10
C. Misconfigured NIC
D. User configuration
E. All of the above

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation

Generally, frames that are greater than 1522 bytes are categorized as giant frames (notice that a normal Ethernet frame has a size that ranges from 64 bytes to 1518 bytes). Giant frames often are the result of some protocol-tagging mechanisms, for example 802.1Q frames (1522 bytes), MPLS (1518 + 4 * n, where n is the number of stacked labels), ISL frames (1548 bytes).

There is nothing wrong with giant frames; just make sure you configure both end devices to support these frames.

Note: In fact, frames that are created by 802.1Q are often known as baby giants (frames that are slightly larger than 1518 bytes).

QUESTION 25
You have just created a new VLAN on your network. What is one step that you should include in your VLAN-based implementation and verification plan?

A. Verify that different native VLANs exist between two switches for security purposes.
B. Verify that the VLAN was added on all switches with the use of the show vlan command.
C. Verify that the switch is configured to allow for trunking on the switch ports.
D. Verify that each switch port has the correct IP address space assigned to it for the new VLAN.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation

Different native VLANs will cause error messages about the mismatch, and the potential exists that traffic will not pass correctly between the two native VLANs (although a trunk can be brought up with different native VLANs on each end) -> A is not correct.

Answer C is reasonable but it should be done after configuring trunking, not creating a new VLAN -> C is not correct.

A layer 2 switch only needs one IP address for management purposes -> D is not correct.

Answer B is the best choice to verify if our new VLAN was created, and which ports are associated with it.

QUESTION 26
You want to configure a switched internetwork with multiple VLANs as shown above. Which of the following commands should you issue on SwitchA for the port connected to SwitchB?

A. switchport mode trunk
B. switchport access vlan 5
C. switchport mode access vlan 5
D. switchport trunk native vlan 5

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation

To support interVLAN routing, the links between two switches must be configured as a trunk link.

QUESTION 27
Refer to the exhibit. Based upon the output of show vlan on switch CAT2, what can we conclude about interfaces Fa0/13 and Fa0/14?

A. That interfaces Fa0/13 and Fa0/14 are in VLAN 1
B. That interfaces Fa0/13 and Fa0/14 are down
C. That interfaces Fa0/13 and Fa0/14 are trunk interfaces
D. That interfaces Fa0/13 and Fa0/14 have a domain mismatch with another switch
E. That interfaces Fa0/13 and Fa0/14 have a duplex mismatch with another switch

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation

Trunk ports are part of multiple VLANs, not of just a single VLAN, so they never show up in the show vlan command. You can check the trunk port with the show interfaces trunk or show interface {port} switchport command. You can find an example output of this command in

QUESTION 28
Refer to the exhibit. VLAN 1 and VLAN 2 are configured on the trunked links between Switch A and Switch B. Port Fa 0/2 on Switch B is currently in a blocking state for both VLANs. What should be done to load balance VLAN traffic between Switch A and Switch B?

A. Lower the port priority for VLAN 1 on port 0/1 for Switch A.
B. Lower the port priority for VLAN 1 on port 0/2 for Switch A.
C. Make the bridge ID of Switch B lower than the ID of Switch A.
D. Enable HSRP on the access ports.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation

In general, lowering the port priority for VLAN 1 will lower the Root Bridge ID for port Fa0/2 on Switch A -> traffic for VLAN 1 will flow via the Fa0/2 link.

QUESTION 29
On a multilayer Catalyst switch, which interface command is used to convert a Layer 3 interface to a Layer 2 interface?

A. switchport access vlan vlan-id
B. switchport
C. switchport mode access
D. no switchport

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 30
Refer to the exhibit and the show interfaces fastethernet0/1 switchport outputs. Users in VLAN 5 on switch SW_A complain that they do not have connectivity to the users in VLAN 5 on switch SW_B. What should be done to fix the problem?

A. Configure the same number of VLANs on both switches.
B. Create switch virtual interfaces (SVI) on both switches to route the traffic.
C. Define VLAN 5 in the allowed list for the trunk port on SW_A.
D. Disable pruning for all VLANs in both switches.
E. Define VLAN 5 in the allowed list for the trunk port on SW_B.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation

SW_A is missing VLAN 5 in the "Trunking VLANs Enabled" list, which means the trunk link currently does not accept traffic from VLAN 5 to be sent on the link.

QUESTION 31
Refer to the show interface Gi0/1 switchport command output shown in the exhibit. Which two statements are true about this interface? (Choose two)

A. This interface is a member of a voice VLAN.
B. This interface is configured for access mode.
C. This interface is a dot1q trunk passing all configured VLANs.
D. This interface is a member of VLAN 7.
E. This interface is a member of VLAN 1.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 32
In the three-layer hierarchical network design model, what's associated with the access layer? (Choose two)

A. optimized transport structure
B. high port density
C. boundary definition
D. data encryption
E. local VLANs
F. route summaries

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:
Explanation

Main characteristics of three layers in the three-layer hierarchical network design model:

* Access layer:
+ Low cost per switch port
+ High port density
+ Scalable uplinks to higher layers
+ User access functions such as VLAN membership, traffic and protocol filtering, and quality of service (QoS)
+ Resiliency through multiple uplinks

* Distribution Layer:
+ Aggregation of multiple access-layer devices
+ High Layer 3 throughput for packet handling
+ Security and policy-based connectivity functions through access lists or packet filters
+ QoS features
+ Scalable and resilient high-speed links to the core and access layers

* Core layer:
+ Very high throughput at Layer 3
+ No costly or unnecessary packet manipulations (access lists, packet filtering)
+ Redundancy and resilience for high availability
+ Advanced QoS functions

Also, end-to-end VLANs and local VLANs belong to the access layer.

QUESTION 33Refer to the following exhibits:

Exhibit #1

Exhibit #2

Study the exhibits carefully. The switchport output in Exhibit #1 displays the default settings of interface FastEthernet 0/13 on switch Sw1. Figure 2 displays the desired interface settings. Which command sequence would configure interface FastEthernet 0/13 as displayed in Exhibit #2?

A. Sw1(config-if)# switchport trunk encapsulation dot1q
   Sw1(config-if)# switchport mode dynamic auto
   Sw1(config-if)# switchport trunk native DATA
   Sw1(config-if)# switchport trunk allowed vlan add 1,10,20

B. Sw1(config-if)# switchport trunk encapsulation dot1q
   Sw1(config-if)# switchport mode dynamic desirable
   Sw1(config-if)# switchport trunk native vlan DATA
   Sw1(config-if)# switchport trunk allowed vlan 1,10,20

C. Sw1(config-if)# switchport trunk encapsulation dot1q
   Sw1(config-if)# switchport mode trunk
   Sw1(config-if)# switchport trunk native DATA
   Sw1(config-if)# switchport trunk allowed vlan 1,10,20

D. Sw1(config-if)# switchport trunk encapsulation dot1q
   Sw1(config-if)# switchport mode dynamic desirable
   Sw1(config-if)# switchport trunk native vlan 10

E. Sw1(config-if)# switchport trunk encapsulation dot1q
   Sw1(config-if)# switchport mode dynamic desirable
   Sw1(config-if)# switchport trunk native vlan 10
   Sw1(config-if)# switchport trunk allowed vlan 1,10,20

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:

QUESTION 34

Which of the following statements is true about the 80/20 rule (Choose two)?

A. 20 percent of the traffic on a network segment should be local.
B. no more than 20 percent of the network traffic should be able to move across a backbone.
C. no more than 80 percent of the network traffic should be able to move across a backbone.
D. 80 percent of the traffic on a network segment should be local.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation

The 80/20 rule states that 80 percent of user traffic stays within the local workgroup, whereas 20 percent is destined for a remote resource in the campus network.

QUESTION 35
Which statement is correct about 802.1Q trunking?

A. Both switches must be in the same VTP domain.
B. The encapsulation type of both ends of the trunk does not have to match.
C. The native VLAN on both ends of the trunk must be VLAN 1.
D. 802.1Q trunking can only be configured on a Layer 2 port.
E. In 802.1Q trunking, all VLAN packets are tagged on the trunk link, except the native VLAN.

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation

By default frames from the native VLAN are not tagged. To force a switch to tag the native VLAN on all its 802.1Q trunks, we can use the following command:

Switch(config)#vlan dot1q tag native

QUESTION 36
Which switch command enables a trunking protocol that appends a four byte CRC to the packet?

A. CompanySwitch(config-if)#switchport trunk encapsulation dot1q
B. CompanySwitch(config-if)#switchport trunk encapsulation itef
C. CompanySwitch(config-if)#switchport trunk encapsulation fddi
D. CompanySwitch(config-if)#switchport trunk encapsulation isl

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation

The ISL frame consists of three primary fields: the encapsulation frame (original frame), which is encapsulated by the ISL header, and the FCS at the end:

ISL Header | Encapsulation Frame (Original Data) | FCS

In ISL, the original frame is encapsulated and an additional header is added before the frame is carried over a trunk link. Also, an FCS is generated based on some fields in the ISL Header and the Encapsulation Frame and added to the end of the frame. At the receiving end, the header and FCS are removed and the frame is forwarded to the assigned VLAN. The FCS field consists of 4 bytes and contains a 32-bit CRC value.

Note: The addition of the new FCS does not alter the original FCS that is contained within the encapsulated frame.

QUESTION 37
While using a packet analyzer, you notice four additional bytes being added to the packets in the Company network. Which protocol inserts a four byte tag into the Ethernet frame and recalculates CRC value?

A. DTP
B. VTP
C. 802.1Q
D. ISL

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation

802.1Q is the IEEE standard for tagging frames on a trunk and supports up to 4096 VLANs. In 802.1Q, the trunking device inserts a 4-byte tag into the original frame and recomputes the frame check sequence (FCS) before the device sends the frame over the trunk link. At the receiving end, the tag is removed and the frame is forwarded to the assigned VLAN. 802.1Q does not tag frames on the native VLAN.

Note: IEEE 802.1Q uses an internal tagging mechanism which inserts a 4-byte tag field in the original Ethernet frame itself.

(Reference: http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094665.shtml)

QUESTION 38
Which statement is correct about 802.1Q trunking?

A. Both switches must be in the same VTP domain.
B. The encapsulation type of both ends of the trunk does not have to match.
C. The native VLAN on both ends of the trunk must be VLAN 1.
D. 802.1Q trunking can only be configured on a Layer 2 port.
E. In 802.1Q trunking, all VLAN packets are tagged on the trunk link, except the native VLAN.

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:

QUESTION 39
Which command alone will disable trunking on a Layer 2 switch port?

A. no switchport trunk native vlan vlan-id
B. switchport nonegotiate
C. no switchport mode dynamic desirable
D. switchport mode access

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation

The "switchport mode access" command forces a switch port to always behave as an access port (with no capability of establishing trunks).

Note: When using the switchport nonegotiate command, Dynamic Inter-Switch Link Protocol and Dynamic Trunking Protocol (DISL/DTP)-negotiation packets are not sent on the interface. The device trunks or does not trunk according to the mode parameter given: access or trunk.

QUESTION 40
ISL is being configured on a Company switch. Which of the following choices are true regarding the ISL protocol? (Choose two)

A. It can be used between Cisco and non-Cisco switch devices.
B. It calculates a new CRC field on top of the existing CRC field.
C. It adds 4 bytes of protocol-specific information to the original Ethernet frame.
D. It adds 30 bytes of protocol-specific information to the original Ethernet frame.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation

ISL encapsulates the entire Ethernet frame (Fast Ethernet or Gigabit Ethernet) with a 26-byte header and a 4-byte frame check sequence (FCS) for a total of 30 bytes of overhead.

ISL Header (26 bytes) | Encapsulation Frame (Original Data) | FCS (4 bytes)

QUESTION 41
A new Company switch was just configured using the "switchport trunk native vlan 7" command. What does this interface command accomplish?

A. Causes the interface to apply ISL framing for traffic on VLAN 7
B. Configures the trunking interface to forward traffic from VLAN 7
C. Configures the interface to be a trunking port and causes traffic on VLAN 7 to be 802.1q tagged
D. Configures the trunking interface to send traffic from VLAN 7 untagged

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation

The "switchport trunk native vlan 7" command sets VLAN 7 to be the native VLAN so traffic to this VLAN will be untagged. Also, untagged traffic is automatically assumed to be in VLAN 7 -> A is correct.

QUESTION 42
If you needed to transport traffic coming from multiple VLANs (connected between switches), and your CTO was insistent on using an open standard, which protocol would you use?

A. 802.11B
B. spanning-tree
C. 802.1Q
D. ISL
E. VTP
F. Q.921

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation

IEEE's 802.1Q VLAN tagging is the industry standard to carry traffic for multiple VLANs on a single trunking interface between two Ethernet switches while Inter-Switch Link (ISL) is a Cisco proprietary VLAN tagging protocol.

QUESTION 43
The Company core switches use 802.1Q trunks to connect to each other. How does 802.1Q trunking keep track of multiple VLANs?

A. It tags the data frame with VLAN information and recalculates the CRC value
B. It encapsulates the data frame with a new header and frame check sequence
C. It modifies the port index of a data frame to indicate the VLAN
D. It adds a new header containing the VLAN ID to the data frame

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation

IEEE 802.1Q uses an internal tagging mechanism which inserts a 4-byte tag field in the original Ethernet frame itself between the Source Address and Type/Length fields. This tag includes VLAN information (12 bits) to distinguish between VLANs on the link.
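
The tagging behaviour described in the explanations above (a 4-byte tag inserted between the Source Address and Type/Length fields, the FCS recomputed, native VLAN frames left untagged) can be worked through in code. This is an added example, not part of the original exam material; the function names, MAC addresses and payload are constructed for illustration.

```python
import struct
import zlib

TPID_8021Q = 0x8100   # EtherType value that identifies an 802.1Q tag
MIN_BODY = 60         # minimum Ethernet frame size without the 4-byte FCS


def fcs(body: bytes) -> bytes:
    """Ethernet FCS: CRC-32 of the frame, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build an untagged Ethernet II frame, padded to the minimum size, with its FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    body = body.ljust(MIN_BODY, b"\x00")
    return body + fcs(body)


def _checked_body(frame: bytes) -> bytes:
    """Return the frame without its FCS; reject runts and frames whose FCS fails."""
    if len(frame) < MIN_BODY + 4:
        raise ValueError("runt frame")
    body, trailer = frame[:-4], frame[-4:]
    if fcs(body) != trailer:
        raise ValueError("FCS mismatch")
    return body


def send_on_trunk(frame: bytes, vlan_id: int, native_vlan: int = 1, pcp: int = 0) -> bytes:
    """Egress on an 802.1Q trunk: tag the frame unless it belongs to the native VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094 (12-bit field, 0 and 4095 are reserved)")
    if not 0 <= pcp <= 7:
        raise ValueError("priority code point is a 3-bit field")
    body = _checked_body(frame)
    if vlan_id == native_vlan:
        return frame                      # native VLAN traffic is sent untagged
    tci = (pcp << 13) | vlan_id           # 3-bit priority, 1-bit DEI (0), 12-bit VLAN ID
    # Destination and source MAC (first 12 bytes) are retained; the tag follows them.
    tagged = body[:12] + struct.pack("!HH", TPID_8021Q, tci) + body[12:]
    return tagged + fcs(tagged)           # frame contents changed, so the FCS is recomputed


def receive_on_trunk(frame: bytes, native_vlan: int = 1):
    """Ingress on an 802.1Q trunk: return (vlan_id, untagged_frame)."""
    body = _checked_body(frame)
    (tpid,) = struct.unpack("!H", body[12:14])
    if tpid != TPID_8021Q:
        return native_vlan, frame         # untagged frames are assumed to be in the native VLAN
    (tci,) = struct.unpack("!H", body[14:16])
    untagged = (body[:12] + body[16:]).ljust(MIN_BODY, b"\x00")
    return tci & 0x0FFF, untagged + fcs(untagged)


# Constructed sample frame (addresses and payload are made up for illustration).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
SAMPLE = build_frame(DST, SRC, 0x0800, b"constructed payload")

if __name__ == "__main__":
    tagged = send_on_trunk(SAMPLE, vlan_id=10, native_vlan=5)
    print("untagged length:", len(SAMPLE), "tagged length:", len(tagged))
    print("tag bytes:", tagged[12:16].hex())
    print("VLAN of tagged frame:", receive_on_trunk(tagged, native_vlan=5)[0])
    print("VLAN of untagged frame:", receive_on_trunk(SAMPLE, native_vlan=5)[0])
```

Because the receiver assigns every untagged frame to its own native VLAN, the two ends of a trunk only agree on where untagged traffic belongs when their native VLAN settings match.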

QUESTION 44
You are the network administrator tasked with designing a switching solution for the Company network. Which of the following statements describing trunk links are INCORRECT? (Choose four)

A. The trunk link belongs to a specific VLAN.
B. Multiple trunk links are used to connect multiple end user devices.
C. A trunk link only supports native VLAN.
D. Trunk links use 802.10 to identify a VLAN.
E. The native VLAN of the trunk link is the VLAN that the trunk uses for untagged packets.

Correct Answer: ABCD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 45
You are the network administrator at Company and switch R1 is configured as shown below:

interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 5

If untagged frames are arriving on interface GigabitEthernet0/1 of R1, which of the following statements are correct?

A. Untagged frames are automatically assumed to be in VLAN 5.
B. Untagged frames are defaulted to VLAN 1 traffic.
C. Untagged frames are dropped because all packets are tagged when dot1q trunked.
D. Untagged frames are determined on the other switch
E. Untagged frames are not supported on 802.1Q trunks.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation

The "switchport trunk native vlan 5" command sets VLAN 5 to be the native VLAN so traffic to this VLAN will be untagged. Also, untagged traffic is automatically assumed to be in VLAN 5 -> A is correct.

Note: The native VLAN must match on both sides of the trunk link for 802.1Q; otherwise the link will not work.

QUESTION 46
What are three results of issuing the "switchport host" command? (Choose three)

A. disables EtherChannel
B. enables port security
C. disables Cisco Discovery Protocol
D. enables PortFast
E. disables trunking
F. enables loopguard

Correct Answer: ADE
Section: (none)
Explanation

Explanation/Reference:
Explanation

Catalyst 6500 switches running Cisco IOS software support the macro command switchport host. The switchport host macro command was designed to facilitate the configuration of switch ports that connect to end stations. Entering this command sets the switch port mode to access, enables spanning tree PortFast, and disables channel grouping, all at the same time. The switchport host macro command can be used as an alternative to the switchport mode access command.

(Reference: http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/sec_chap7.html)

QUESTION 47
If you were to configure an ISL Ethernet trunk between two Cisco switches, named R1 and R2, what would you have to include at the end of the link for the trunk to operate correctly? (Choose two)

A. An identical VTP mode.
B. An identical speed/duplex.
C. An identical trunk negotiation parameter.
D. An identical trunk encapsulation parameter.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation

One of the requirements for trunking to work is for speed and duplex to be the same on both sides. -> B is correct.

Perhaps answer D refers to the encapsulation type (ISL or 802.1q), so it is an acceptable answer.

(Reference: http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_example09186a008014859e.shtml)

QUESTION 48
Which three statements are correct with regard to the IEEE 802.1Q standard? (Choose three)

A. The IEEE 802.1Q frame format adds a 4 byte field to a Ethernet frame
B. The packet is encapsulated with a 26 byte header and a 4 byte FCS
C. The protocol uses point-to-multipoint connectivity
D. The protocol uses point-to-point connectivity
E. The IEEE 802.1Q frame retains the original MAC destination address
F. The IEEE 802.1Q frame uses multicast destination of 0x01-00-0c-00-00

Correct Answer: ADE
Section: (none)
Explanation

Explanation/Reference:
Explanation

There are two ways to implement Ethernet trunking:

* Inter-Switch Link Protocol (ISL, a Cisco proprietary protocol)
* 802.1Q (IEEE standard)

In Cisco implementation, a trunk is a point-to-point link, although it is possible to use the 802.1Q encapsulation on an Ethernet segment shared by more than two devices. Such a configuration is seldom needed but is still possible with the disablement of DTP negotiation -> D is correct.

IEEE 802.1Q uses an internal tagging mechanism which inserts a 4-byte tag field in the original Ethernet frame itself between the Source Address and Type/Length fields -> A is correct.

The SA field is the source address field of the ISL packet. It is a 48-bit value -> F is correct.

(Reference: http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008012ecf3.shtml)

QUESTION 49
Refer to the exhibit. Why are users from VLAN 100 unable to ping users on VLAN 200?

A. Encapsulation on the switch is wrong.
B. Trunking needs to be enabled on Fa0/1.
C. The native VLAN is wrong.
D. VLAN 1 needs the no shutdown command.
E. IP routing needs to be enabled on the switch.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation

In this question, perhaps the exhibit neglected to indicate that Fa0/1 is the port on the switch which is connected to the router. To allow interVLAN routing between VLAN 100 and 200, this port must be configured as a trunk port.

If you wish to see the full configuration of interVLAN routing, please read my interVLAN routing tutorial (you will see the configuration at the bottom of that tutorial).

QUESTION 50
What is the effect of applying the "switchport trunk encapsulation dot1q" command to a port on a Cisco Catalyst switch?

A. By default, native VLAN packets going out this port will be tagged.
B. Without an encapsulation command, 802.1Q will be the default encapsulation if DTP fails to negotiate a trunking protocol.
C. The interface will support the reception of tagged and untagged traffic.
D. If the device connected to this port is not 802.1Q-enabled, it will not be able to handle 802.1Q packets.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation

The "switchport trunk encapsulation dot1q" command configures trunk encapsulation as 802.1q, which supports the reception of tagged and untagged traffic -> C is correct.

Note: If your switch does not accept this command, try to enter the "switchport" command first to configure the interface as a Layer 2 port.

QUESTION 51
Two Company switches are connected via a trunk link. In this network, the original frame is encapsulated and an additional header is added before the frame is carried over a trunk link. At the receiving end, the header is removed and the frame is forwarded to the assigned VLAN. This describes which technology?

A. DISL
B. ISL
C. DTP
D. IEEE 802.1Q
E. MPLS

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation

Unlike 802.1Q, ISL keeps the original frame unchanged. It only adds another header to that frame before sending it out over a trunk link.

QUESTION 52
Which of the following trunking modes are unable to request their ports to convert their links into trunk links? (Choose two)

A. Negotiate
B. Designate
C. Nonegotiate
D. Auto
E. Manual
F. Off

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation

The mode auto (dynamic auto) causes the device not to send DTP Request frames but to wait for a DTP Request from the neighboring device.

By using the switchport mode trunk and switchport nonegotiate commands, we can enable trunking to a device that does not support DTP. But notice that the switchport nonegotiate command causes the device not to send DTP Request frames.

Therefore both "auto" and "nonegotiate" modes make the switch not send a request (which is "unable to convert their links into trunk links") -> C and D are correct.

QUESTION 53

You administer the network shown above. You issue the show interfaces trunk command on SwitchA and receive the following output:

Which of the following statements is true regarding VLAN 32?

A. VLAN 32 is not allowed on the trunk port.
B. VLAN 32 is not active on the switch.
C. Traffic from VLAN 32 is not being sent over the trunk port.
D. Traffic from VLAN 32 is not restricted to only the trunk ports that require it.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation

In the "Vlans allowed and active in management domain" VLAN 32 is not listed so we can conclude it is not active.

QUESTION 54
Which statement is true regarding the configuration of ISL trunks?

A. A Catalyst switch cannot have ISL and IEEE 802.1q trunks enabled.
B. All Catalyst switches support ISL trunking.
C. A Catalyst switch will report giants if one side is configured for ISL while the other side is not.
D. ISL trunking requires that native VLANs match.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation

First you should know "giant" frames are frames that exceed the maximum IEEE 802.3 frame size (usually greater than 1518 bytes). As you know, ISL does not modify the original Ethernet frame it received but it adds another outer header. In particular, it uses a 26 byte header and 4 byte FCS (30 bytes in total).

ISL Header (26 bytes) | Encapsulation Frame (Original Data) | FCS (4 bytes)

But a normal Ethernet frame itself can have a maximum size of 1518 bytes. Therefore an ISL-encapsulated Ethernet frame can be up to 1518 + 30 = 1548 bytes, which creates a "giant".

That is why both ends must be configured as ISL trunks because only ISL-aware devices are able to read it.

QUESTION 55
Which configuration option will cause the link between two Cisco 3600 Series Multiservice Platforms to become a functional trunk?

A. switchport dynamic auto
   switchport dynamic auto
B. switchport access vlan 10
   switchport mode dynamic desirable
C. switchport mode trunk
   switchport nonegotiate
D. Leave both ports with the default trunk settings.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 56
If you were to set up a VLAN trunk over a Fast Ethernet link on switch R1, which trunk mode would you set the local port to on R1 if you wanted it to respond to requests from its link partner (R2) and become a trunk?

A. Auto
B. Negotiate
C. Designate
D. Nonegotiate

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 57
Which two statements are true about best practices in VLAN design? (Choose two)

A. Routing should occur at the access layer if voice VLANs are utilized. Otherwise, routing should occur at the distribution layer.
B. Routing may be performed at all layers but is most commonly done at the core and distribution layers.
C. Routing should not be performed between VLANs located on separate switches.
D. VLANs should be local to a switch.
E. VLANs should be localized to a single switch unless voice VLANs are being utilized.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 58
You need to configure a new Company switch to support DTP. Which DTP switchport mode parameter sets the switch port to actively send and respond to DTP negotiation frames?

A. Access
B. Nonegotiate
C. Trunk
D. Dynamic desirable
E. Dynamic auto

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 59
Company uses MSTP within their switched LAN. What is the main purpose of Multiple Instance Spanning Tree Protocol (MSTP)?

A. To enhance Spanning Tree troubleshooting on multilayer switches
B. To reduce the total number of spanning tree instances necessary for a particular topology
C. To provide faster convergence when topology changes occur in a switched network
D. To provide protection for STP when a link is unidirectional and BPDUs are being sent but not received

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation

Instead of running an STP instance for every VLAN, MSTP runs a number of VLAN-independent STP instances. By allowing a single instance of STP to run for multiple VLANs, MSTP keeps the number of STP instances to a minimum (saving switch resources) while optimizing the Layer 2 switching environment (load balancing traffic to different paths for different VLANs).

QUESTION 60
Which of the following specifications will allow you to associate VLAN groups to STP instances so you can provide multiple forwarding paths for data traffic and enable load balancing?

A. IEEE 802.1d (STP)
B. IEEE 802.1s (MST)
C. IEEE 802.1q (CST)
D. IEEE 802.1w (RSTP)

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 61
Refer to the exhibit. All network links are FastEthernet. Although there is complete connectivity throughout the network, Front Line users have been complaining that they experience slower network performance when accessing the Server Farm than the Reception office experiences. Based on the exhibit, which two statements are true? (Choose two)

A. Changing the bridge priority of S1 to 4096 would improve network performance.
B. Changing the bridge priority of S1 to 36864 would improve network performance.
C. Changing the bridge priority of S2 to 36864 would improve network performance.
D. Changing the bridge priority of S3 to 4096 would improve network performance.
E. Disabling the Spanning Tree Protocol would improve network performance.
F. Upgrading the link between S2 and S3 to Gigabit Ethernet would improve performance.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation

All three switches have the same bridge priority (32768 default value) and S1 has the lowest MAC -> S1 is the root bridge and all traffic must go through it -> Front Line Users (S2) must go through S1 to reach Server Farm (S3). To overcome this problem, S2 or S3 should become the root switch, and we can do it by changing the bridge priority of S1 to a higher value (which lowers its priority, answer B) or by lowering the bridge priority value (which raises its priority, answer D).

QUESTION 62
Refer to the exhibit. Initially, LinkA is connected and forwarding traffic. A new LinkB is then attached between SwitchA and HubA. Which two statements are true about the possible result of attaching the second link? (Choose two)

A. The switch port attached to LinkB will not transition to up.
B. One of the two switch ports attached to the hub will go into blocking mode when a BPDU is received.
C. Both switch ports attached to the hub will transition to the blocking state.
D. A heavy traffic load could cause BPDU transmissions to be blocked and leave a switching loop.
E. The switch port attached to LinkA will immediately transition to the blocking state.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation

We know that there will be only one Designated port for each segment (notice that the two ports of SwitchA are on the same segment as they are connected to a hub). The other port will be in Blocking state. But how does SwitchA select its Designated and Blocking port? The decision process involves the following parameters inside the BPDU:

* Lowest path cost to the Root
* Lowest Sender Bridge ID (BID)
* Lowest Port ID

In this case, both interfaces of SwitchA have the same "path cost to the root" and "sender bridge ID" so the third parameter "lowest port ID" will be used. Suppose two interfaces of SwitchA are fa0/1 & fa0/2 then SwitchA will select fa0/1 as its Designated port (because fa0/1 is inferior to fa0/2) -> B is correct.

Suppose the port on LinkA (named portA) is in forwarding state and the port on LinkB (named portB) is in blocking state. In blocking state, portB still listens to the BPDUs. If the traffic passing through LinkA is too heavy and the BPDUs cannot reach portB, portB will move to listening state (after 20 seconds for STP) then learning state (after 15 seconds) and forwarding state (after 15 seconds). At this time, both portA & portB are in forwarding state so a switching loop will occur -> D is correct.

QUESTION 63
Refer to the exhibit. Switch S1 is running mst IEEE 802.1s. Switch S2 contains the default configuration running IEEE 802.1D. Switch S3 has had the command spanning-tree mode rapid-pvst running IEEE 802.1w. What will be the result?

A. IEEE 802.1D and IEEE 802.1w are incompatible. All three switches must use the same standard or no traffic will pass between any of the switches.
B. Switches S1, S2, and S3 will be able to pass traffic between themselves.
C. Switches S1, S2, and S3 will be able to pass traffic between themselves. However, if there is a topology change, Switch S2 will not receive notification of the change.
D. Switches S1 and S3 will be able to exchange traffic but neither will be able to exchange traffic with Switch S2

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation

A switch running both MSTP and RSTP supports a built-in protocol migration mechanism that enables it to interoperate with legacy 802.1D switches. If this switch receives a legacy 802.1D configuration BPDU (a BPDU with the protocol version set to 0), it sends only 802.1D BPDUs on that port. An MST switch can also detect that a port is at the boundary of a region when it receives a legacy BPDU, an MST BPDU (version 3) associated with a different region, or an RST BPDU (version 2).

However, the switch does not automatically revert to the MSTP mode if it no longer receives 802.1D BPDUs because it cannot determine whether the legacy switch has been removed from the link unless the legacy switch is the designated switch.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swmstp.html)

QUESTION 64
Refer to the exhibit. Switch S2 contains the default configuration. Switches S1 and S3 both have had the command spanning-tree mode rapid-pvst issued on them. What will be the result?

A. IEEE 802.1D and IEEE 802.1w are incompatible. All three switches must use the same standard or no traffic will pass between any of the switches.
B. Switches S1, S2, and S3 will be able to pass traffic between themselves.
C. Switches S1, S2, and S3 will be able to pass traffic between themselves. However, if there is a topology change, Switch S2 will not receive notification of the change.
D. Switches S1 and S3 will be able to exchange traffic but neither will be able to exchange traffic with Switch S2.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 65
Which two statements are true when the extended system ID feature is enabled? (Choose two)

A. The BID is made up of the bridge priority value (2 bytes) and bridge MAC address (6 bytes).
B. The BID is made up of the bridge priority (4 bits), the system ID (12 bits), and a bridge MAC address (48 bits).
C. The BID is made up of the system ID (6 bytes) and bridge priority value (2 bytes).
D. The system ID value is the VLAN ID (VID).
E. The system ID value is a unique MAC address allocated from a pool of MAC addresses assigned to the switch or module.
F. The system ID value is a hex number used to measure the preference of a bridge in the spanning-tree algorithm.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation

In short, with the use of IEEE 802.1t spanning-tree extensions, some of the bits previously used for the switch priority are now used for the extended system ID.

Only four high-order bits of the 16-bit Bridge Priority field carry actual priority. Therefore, priority can be incremented only in steps of 4096. In most cases, the Extended System ID holds the VLAN ID. For example, if our VLAN ID is 5 and we use the default bridge priority 32768 then the 16-bit Priority will be 32768 + 5 = 32773.

Note: The MAC address is reserved when the extended system ID feature is enabled.

QUESTION 66
Which set of statements about Spanning Tree Protocol default timers is true?

A. The hello time is 2 seconds. The forward delay is 10 seconds. The max_age timer is 15 seconds.
B. The hello time is 2 seconds. The forward delay is 15 seconds. The max_age timer is 20 seconds.
C. The hello time is 2 seconds. The forward delay is 20 seconds. The max_age timer is 30 seconds.
D. The hello time is 5 seconds. The forward delay is 10 seconds. The max_age timer is 15 seconds.
E. The hello time is 5 seconds. The forward delay is 15 seconds. The max_age timer is 20 seconds.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation

There are several STP timers, as this list shows:

* Hello - The hello time is the time between each bridge protocol data unit (BPDU) that is sent on a port. This time is equal to 2 seconds (sec) by default, but you can tune the time to be between 1 and 10 sec.
* Forward delay - The forward delay is the time that is spent in the listening and learning state. This time is equal to 15 sec by default, but you can tune the time to be between 4 and 30 sec.
* Max age - The max age timer controls the maximum length of time that passes before a bridge port saves its configuration BPDU information. This time is 20 sec by default, but you can tune the time to be between 6 and 40 sec.

(Reference: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094954.shtml)

QUESTION 67
Refer to the exhibit. Switch 15 is configured as the root switch for VLAN 10 but not for VLAN 20. If the STP configuration is correct, what will be true about Switch 15?

A. All ports will be in forwarding mode.
B. All ports in VLAN 10 will be in forwarding mode.
C. All ports in VLAN 10 will be in forwarding mode and all ports in VLAN 20 will be in blocking mode.
D. All ports in VLAN 10 will be in forwarding mode and all ports in VLAN 20 will be in standby mode.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation

All ports on a root bridge are designated ports, which are in the forwarding state, but notice that in this case Switch 15 is the root switch for VLAN 10 -> all ports in VLAN 10 will be in the forwarding state. We cannot say anything about the modes of the ports of Switch 15 in other VLANs.

QUESTION 68
Refer to the exhibit. STP has been implemented in the network. Switch SW_A is the root switch for the default VLAN. To reduce the broadcast domain, the network administrator decides to split users on the network into VLAN 2 and VLAN 10. The administrator issues the command spanning-tree vlan 2 root primary on switch SW_A. What will happen as a result of this change?

A. All ports of the root switch SW_A will remain in forwarding mode throughout the reconvergence of the spanning tree domain.
B. Switch SW_A will change its spanning tree priority to become root for VLAN 2 only.
C. Switch SW_A will remain root for the default VLAN and will become root for VLAN 2.
D. No other switch in the network will be able to become root as long as switch SW_A is up and running.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation

This command sets the switch to become root for a given VLAN. It works by lowering the priority of the switch until it becomes root. Once the switch is root, it will not prevent any other switch from becoming root. In particular, if the current root bridge is greater than 24576 then our switch will drop to 24576. If the current root bridge is less than 24576, our new bridge priority will be (Priority value of the current root bridge - 4096).

This command does not affect other VLANs, so SW_A will remain root for the default VLAN -> C is correct.

Note: This command is not shown in a Catalyst switch configuration because the command is actually a macro executing other switch commands.

QUESTION 69
Refer to the exhibit. Based on the output of the show spanning-tree command, which statement is true?

A. Switch SW1 has been configured with the spanning-tree vlan 1 root primary global configuration command.
B. Switch SW1 has been configured with the spanning-tree vlan 1 root secondary global configuration command.
C. Switch SW1 has been configured with the spanning-tree vlan 1 priority 24577 global configuration command.
D. Switch SW1 has been configured with the spanning-tree vlan 1 hello-time 2 global configuration command.
E. The root bridge has been configured with the spanning-tree vlan 1 root secondary global configuration command.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation

The command "spanning-tree vlan 1 root secondary" sets its bridge ID to a value which is higher than the current root bridge but lower than other switches in the network -> If the current root bridge fails, Sw1 will become the root bridge.

If no priority has been configured, every switch will have the same default priority of 32768. Assuming all other switches are at default priority, the spanning-tree vlan vlan-id root primary command sets a value of 24576. Also, assuming all other switches are at default priority, the spanning-tree vlan vlan-id root secondary command sets a value of 28672.

In this question, the bridge priority of Sw1 is 28673, not 28672 because the extended system ID (indicated as sys-id-ext) is 1, indicating this is the STP instance for VLAN 1. In fact, the bridge priority is 28672.
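The priority arithmetic from Questions 65, 68 and 69, worked through in Python as an added example that is not part of the original answer key. The function names and the sample bridges are constructed for illustration, and the handling of a current root priority of exactly 24576 is an assumption, since the explanation for Question 68 covers only the greater-than and less-than cases.

```python
import struct

PRIORITY_STEP = 4096          # only the 4 high-order bits carry priority
ROOT_PRIMARY_TARGET = 24576   # value "root primary" aims for (Question 68)

# Constructed sample: (name, configured priority, VLAN ID, bridge MAC)
SAMPLE_BRIDGES = [
    ("SW1", 28672, 1, "00:1b:54:aa:00:01"),
    ("SW2", 24576, 1, "00:1b:54:aa:00:03"),
    ("SW3", 32768, 1, "00:1b:54:aa:00:02"),
]


def encode_priority_field(priority, vlan_id):
    """Return the 16-bit field: 4-bit priority plus 12-bit extended system ID."""
    if not 0 <= priority <= 61440 or priority % PRIORITY_STEP:
        raise ValueError("priority must be a multiple of 4096 from 0 to 61440")
    if not 0 <= vlan_id <= 4095:
        raise ValueError("extended system ID is 12 bits (0-4095)")
    # The low 12 bits of a valid priority are zero, so OR equals addition.
    return priority | vlan_id


def decode_priority_field(field):
    """Split a displayed priority such as 28673 into (priority, sys-id-ext)."""
    if not 0 <= field <= 0xFFFF:
        raise ValueError("priority field is 16 bits")
    return field & 0xF000, field & 0x0FFF


def bridge_id(priority, vlan_id, mac):
    """Build the 8-byte bridge ID: 2-byte priority field then 6-byte MAC."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC address must be 48 bits")
    return struct.pack("!H", encode_priority_field(priority, vlan_id)) + mac_bytes


def elect_root(bridges):
    """Return the name of the bridge with the numerically lowest bridge ID."""
    return min(bridges, key=lambda b: bridge_id(b[1], b[2], b[3]))[0]


def root_primary_priority(current_root_priority):
    """Priority chosen by the rule described for 'root primary' in Question 68."""
    if current_root_priority > ROOT_PRIMARY_TARGET:
        return ROOT_PRIMARY_TARGET
    # Assumption: a root already at exactly 24576 is treated like a lower one.
    new_priority = current_root_priority - PRIORITY_STEP
    if new_priority < 0:
        raise ValueError("no lower priority available; cannot undercut the root")
    return new_priority


if __name__ == "__main__":
    print(encode_priority_field(32768, 5))   # Question 65 example
    print(decode_priority_field(28673))      # Question 69 exhibit value
    print(elect_root(SAMPLE_BRIDGES))
    print(root_primary_priority(32768), root_primary_priority(8192))
```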

QUESTION 70
Refer to the exhibit. On the basis of the output of the show spanning-tree inconsistentports command, which statement about interfaces FastEthernet 0/1 and FastEthernet 0/2 is true?

A. They have been configured with the spanning-tree bpdufilter disable command.
B. They have been configured with the spanning-tree bpdufilter enable command.
C. They have been configured with the spanning-tree bpduguard disable command.
D. They have been configured with the spanning-tree bpduguard enable command.
E. They have been configured with the spanning-tree guard loop command.
F. They have been configured with the spanning-tree guard root command.

Correct Answer: F
Section: (none)
Explanation

Explanation/Reference:
Explanation

We can configure the root guard feature to prevent unauthorized switches from becoming the root bridge. When you enable root guard on a port, if that port receives a superior BPDU, instead of believing the BPDU, the port goes into a root-inconsistent state. While a port is in the root-inconsistent state, no user data is sent across it. However, after the superior BPDUs stop, the port returns to the forwarding state.

For example, in the topology above suppose S1 is the current root bridge. If a hacker plugs a switch into S3 which sends superior BPDUs then it will become the new root bridge; this will also change the traffic path and may result in a traffic jam. By enabling root guard on the S3 port, if spanning-tree calculations cause an interface to be selected as the root port, the interface transitions to the root-inconsistent (blocked) state instead, to prevent the hacker's switch from becoming the root switch or being in the path to the root.
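A monitoring-side view of the check behind Questions 70 and 71, added here and not part of the original material: the code parses text shaped like show spanning-tree inconsistentports output and reports the ports that root guard has blocked. The sample output is constructed, and its column layout (Name, Interface, Inconsistency, then a count line) is an assumption about the command's format.

```python
import re

# Constructed sample; the column layout is an assumption, not captured output.
SAMPLE_OUTPUT = """\
Name                 Interface              Inconsistency
-------------------- ---------------------- ------------------
VLAN0001             FastEthernet0/1        Root Inconsistent
VLAN0001             FastEthernet0/2        Root Inconsistent
VLAN0010             FastEthernet0/5        Loop Inconsistent

Number of inconsistent ports (segments) in the system : 3
"""

COUNT_LINE = re.compile(r"Number of inconsistent ports.*:\s*(\d+)")


def parse_inconsistent_ports(text):
    """Return one dict per data row: instance, interface, inconsistency."""
    rows = []
    for line in text.splitlines():
        # Columns are separated by runs of two or more spaces; the dashed
        # ruler and the count line use single spaces and so never yield 3 parts.
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) != 3 or parts[0] == "Name":
            continue
        rows.append({"instance": parts[0],
                     "interface": parts[1],
                     "inconsistency": parts[2]})
    return rows


def declared_count(text):
    """Return the count from the summary line, or None if it is absent."""
    match = COUNT_LINE.search(text)
    return int(match.group(1)) if match else None


def root_guard_blocked(text):
    """Return (instance, interface) pairs that root guard is holding blocked.

    A root-inconsistent port means a superior BPDU arrived on a port where
    the root bridge must never appear. The port recovers on its own once the
    BPDUs stop, so the state has to be polled and logged to be noticed.
    """
    return [(r["instance"], r["interface"])
            for r in parse_inconsistent_ports(text)
            if r["inconsistency"].lower().startswith("root")]


def capture_is_complete(text):
    """True when the parsed row count matches the switch's own summary line."""
    return declared_count(text) == len(parse_inconsistent_ports(text))


if __name__ == "__main__":
    for instance, interface in root_guard_blocked(SAMPLE_OUTPUT):
        print(f"root guard blocking {interface} in {instance}: "
              "superior BPDU received, check what is attached")
```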

QUESTION 71
Refer to the exhibit. What information can be derived from the output?

A. Devices connected to interfaces FastEthernet3/1 and FastEthernet3/2 are sending BPDUs with a superior root bridge parameter and no traffic is forwarded across the ports. Once inaccurate BPDUs have been stopped, the interfaces will need to be administratively shut down, and brought back up, to resume normal operation.
B. Devices connected to interfaces FastEthernet3/1 and FastEthernet3/2 are sending BPDUs with a superior root bridge parameter, but traffic is still forwarded across the ports.
C. Devices connected to interfaces FastEthernet3/1 and FastEthernet3/2 are sending BPDUs with a superior root bridge parameter and no traffic is forwarded across the ports. Once inaccurate BPDUs have been stopped, the interfaces automatically recover and resume normal operation.
D. Interfaces FastEthernet3/1 and FastEthernet3/2 are candidates for becoming the STP root port, but neither can realize that role until BPDUs with a superior root bridge parameter are no longer received on at least one of the interfaces.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation

Same explanation as

QUESTION 72
Which statement is correct about RSTP port roles?

A. The designated port is the switch port on every nonroot bridge that is the chosen path to the root bridge. There can be only one designated port on every switch. The designated port assumes the forwarding state in a stable active topology. All switches connected to a given segment listen to all BPDUs and determine the switch that will be the root switch for a particular segment.
B. The disabled port is an additional switch port on the designated switch with a redundant link to the segment for which the switch is designated. A disabled port has a higher port ID than the disabled port on the designated switch. The disabled port assumes the discarding state in a stable active topology.
C. The backup port is a switch port that offers an alternate path toward the root bridge. The backup port assumes a discarding state in a stable, active topology. The backup port will be present on nondesignated switches and will make a transition to a designated port if the current designated path fails.
D. The root port is the switch port on every nonroot bridge that is the chosen path to the root bridge. There can be only one root port on every switch. The root port assumes the forwarding state in a stable active topology.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation

To learn about RSTP port roles, please read my RSTP tutorial.

QUESTION 73
How are STP timers and state transitions affected when a topology change occurs in an STP environment?

A. All ports will temporarily transition to the learning state for a period equal to the max age timer plus the forward delay interval.
B. All ports will transition temporarily to the learning state for a period equal to the forward delay interval.
C. The default aging time for MAC address entries will be reduced for a period of the max age timer plus the forward delay interval.
D. The default hello time for configuration BPDUs will be reduced for the period of the max age timer.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer: C (but the wording may cause you to misunderstand)

Explanation

If a switch stops receiving Hellos, it means that there is a failure in the network. The switch will initiate the process of changing the Spanning-tree topology. The process requires the use of 3 STP timers:

* Hello - the time between each bridge protocol data unit (BPDU) that is sent on a port. This time is equal to 2 seconds (sec) by default, but you can tune the time to be between 1 and 10 sec.
* Forward delay - the time that is spent in the listening and learning state. This time is equal to 15 sec by default, but you can tune the time to be between 4 and 30 sec.
* Max age - maximum length of time a BPDU can be stored without receiving an update. This time is 20 sec by default, but you can tune the time to be between 6 and 40 sec.

Max Age is the time that a bridge stores a BPDU before discarding it.

Switches (Bridges) keep their MAC address table entries for 300 seconds (5 minutes, known as aging time), by default. When a network topology change happens, the Switch (Bridge) temporarily lowers the aging time to the same as the forward delay time (15 seconds) to relearn the MAC address changes that happened because of the topology change.

This is important because normally an entry is aged out from the MAC address table of the switch only after five minutes, and the network devices could be unreachable for up to 5 minutes. This is known as a black hole because frames can be forwarded to a device which is no longer available.

Notice that shortening the aging time to 15 seconds does not flush the entire table; it just accelerates the aging process. Devices that continue to "speak" during the 15-second age-out period never leave the bridging table. Therefore in this question, to be clearer, answer C should state "The default aging time for MAC address entries will be reduced to forward_delay time for a period of the max age timer plus the forward delay interval."

(Reference: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094797.shtml)

QUESTION 74
Refer to the exhibit. The command spanning-tree guard root is configured on interface Gi0/0 on both switch S2 and S5. The global configuration command spanning-tree uplinkfast has been configured on both switch S2 and S5. The link between switch S4 and S5 fails. Will Host A be able to reach Host B?

A. Fifty percent of the traffic will successfully reach Host B, and fifty percent will dead-end at switch S3 because of a partial spanning-tree loop.
B. No. Traffic will pass from switch S6 to S2 and dead-end at S2.
C. No. Traffic will loop back and forth between switch S6 and Host A.
D. No. Traffic will loop back and forth between switches S2 and S3.
E. Yes. Traffic will pass from switch S6 to S2 to S1.

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation

First we should understand UplinkFast.

Suppose S1 is the root bridge in the topology above. S3 is connected to S1 via two paths: one direct path and another that goes through S2. Suppose the port directly connected to S1 is the root port -> the port connected to S2 will be in Blocking state. If the primary link goes down, the blocked port will need about 50 seconds to move from Blocking -> Listening -> Learning -> Forwarding to be used.

To shorten the downtime, a feature called UplinkFast can be used. When the primary (root) link fails, another blocked link can be brought up immediately for use. When UplinkFast is enabled, it is enabled for the entire switch and all VLANs. It cannot be enabled for individual VLANs.

In this question, the Root Guard feature has been enabled on Gi0/0 of S2 & S5 so these two Gi0/0 ports cannot be root ports and cannot forward traffic -> the link between S2 & S6 must be used.

Note: The idea of UplinkFast is based on blocked ports which can become a root port. Therefore the UplinkFast feature is not allowed on the root bridge -> S2 & S5 cannot be root bridges in this case.

QUESTION 75
Refer to the exhibit. The command spanning-tree guard root is configured on interface Gi0/0 on both switch S2 and S5. The global configuration command spanning-tree uplinkfast has been configured on both switch S2 and S5. The link between switch S4 and S5 fails. Will Host A be able to reach Host B?

A. Yes. Traffic can pass either from switch S6 to S3 to S2 to S1, or, from switch S6 to S5 to S2 to S1.
B. No. Traffic will pass from switch S6 to S5 and dead-end at interface Gi0/0.
C. No. Traffic will loop back and forth between switch S5 and S2.
D. Yes. Traffic will pass from switch S6 to S3 to S2 to S1.
E. No. Traffic will either pass from switch S6 to S5 and dead-end, or traffic will pass from switch S6 to S3 to S2 and dead-end.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation

Same explanation as

QUESTION 76
Which two statements about the various implementations of STP are true? (Choose two)

A. Common Spanning Tree maintains a separate spanning-tree instance for each VLAN configured in the network.
B. The Spanning Tree Protocol (STP) is an evolution of the IEEE 802.1w standard.
C. Per-VLAN Spanning Tree (PVST) supports 802.1Q trunking.
D. Per-VLAN Spanning Tree Plus (PVST+) is an enhancement to 802.1Q specification and is supported only on Cisco devices.
E. Rapid Spanning Tree Protocol (RSTP) includes features equivalent to Cisco PortFast, UplinkFast, and BackboneFast for faster network reconvergence.
F. Multiple Spanning Tree (MST) assumes one spanning-tree instance for the entire Layer 2 network, regardless of the multiple number of VLANs.

Correct Answer: DE
Section: (none)
Explanation

Explanation/Reference:
Explanation

Common Spanning Tree only uses one spanning-tree instance for all VLANs in the network -> A is not correct.

Rapid Spanning Tree Protocol (RSTP; IEEE 802.1w) can be seen as an evolution of the 802.1D standard more than a revolution. The 802.1D terminology remains primarily the same. Most parameters have been left unchanged so users familiar with 802.1D can rapidly configure the new protocol comfortably -> B is not correct.

Per-VLAN spanning tree protocol plus (PVST+) is a Cisco proprietary protocol that expands on the Spanning Tree Protocol (STP) by allowing a separate spanning tree for each VLAN. Cisco first developed this protocol as PVST, which worked with the Cisco ISL trunking protocol, and then later developed PVST+ which utilizes the 802.1Q trunking protocol. PVST+ allows interoperability between CST and PVST in Cisco switches -> C is not correct but D is correct.

RSTP significantly reduces the time to reconverge the active topology of the network when changes to the physical topology or its configuration parameters occur. RSTP supports Edge Ports (similar to PortFast), UplinkFast, and BackboneFast for faster network reconvergence. Rapid Spanning Tree Protocol (RSTP) can also revert back to 802.1D STP for interoperability with older switches and existing infrastructures -> E is correct.

Multiple Spanning Tree can map one or more VLANs to a single STP instance. Multiple instances of STP can be used (hence the name MST), with each instance supporting a different group of VLANs. For example, instead of creating 50 separate STP instances for 50 VLANs, we can create only 2 STP instances, each for 25 VLANs. This helps save switch resources -> F is not correct.

QUESTION 77
Given the diagram and assuming that STP is enabled on all switch devices, which two statements are true? (Choose two)

A. DSW11 will be elected the root bridge.
B. DSW12 will be elected the root bridge.
C. ASW13 will be elected the root bridge.
D. P3/1 will be elected the nondesignated port.
E. P2/2 will be elected the nondesignated port.
F. P3/2 will be elected the nondesignated port.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 78
Which two RSTP port roles include the port as part of the active topology? (Choose two)

A. root
B. designated
C. alternate
D. backup
E. forwarding
F. learning

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 79
What is the result of entering the command spanning-tree loopguard default?

A. The command enables both loop guard and root guard.
B. The command changes the status of loop guard from the default of disabled to enabled.
C. The command activates loop guard on point-to-multipoint links in the switched network.
D. The command will disable EtherChannel guard.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation

This command is used in global configuration mode to enable loop guard on all ports of a given switch. To disable it, use the "no" keyword at the beginning of this command.

QUESTION 80
Refer to the exhibit. The service provider wants to ensure that switch S1 is the root switch for its own network and the network of the customer. On which interfaces should root guard be configured to ensure that this happens?

A. interfaces 1 and 2
B. interfaces 1, 2, 3, and 4
C. interfaces 1, 3, 5, and 6
D. interfaces 5 and 6
E. interfaces 5, 6, 7, and 8
F. interfaces 11 and 12

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation

Let's see what will happen if we set ports 5 & 6 as "root guard" ports:

First, notice that the "root guard" command cannot be used on a root switch (because this command is based on blocked ports, while a root switch can't have a blocked port) -> the two middle switches cannot become root bridges.

Moreover, the neighbor switch which has its port connected with this "root guard" port can't be the root bridge. For example, if we configure port 6 as a "root guard" port, the left-bottom switch (the switch with ports 3, 4) can't be root bridge because that would make port 6 a root port. Therefore, by configuring ports 5 & 6 as "root guard" ports, the two switches in the "Customer network" cannot become root bridge.

QUESTION 81
Examine the diagram. A network administrator has recently installed the above switched network using 3550s and would like to control the selection of the root bridge. Which switch should the administrator configure as the root bridge and which configuration command must the administrator enter to accomplish this?

A. DSW11(config)# spanning-tree vlan 1 priority 4096
B. DSW12(config)# set spanning-tree priority 4096
C. ASW13(config)# spanning-tree vlan 1 priority 4096
D. DSW11(config)# set spanning-tree priority 4096
E. DSW12(config)# spanning-tree vlan 1 priority 4096
F. ASW13(config)# set spanning-tree priority 4096

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation

First, only switches in the Distribution section should become root bridge -> only DSW11 or DSW12 should be chosen.

The traffic passing through the root bridge is always higher than through other switches, so we should choose the switch with the highest-speed connections to be root bridge -> DSW12 with two 100Mbps connections should be chosen.

Also, the correct command to change the priority value for a specific VLAN is spanning-tree vlan VLAN-ID priority Priority-number.

QUESTION 82
What must be the same to make multiple switches part of the same Multiple Spanning Tree (MST)?

A. VLAN instance mapping and revision number
B. VLAN instance mapping and member list
C. VLAN instance mapping, revision number, and member list
D. VLAN instance mapping, revision number, member list, and timers

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation

MST maps multiple VLANs that have the same traffic flow requirements into the same spanning-tree instance. The main enhancement introduced by MST raises the problem, however, of determining what VLAN is to be associated with what instance. More precisely, based on received BPDUs, devices need to identify these instances and the VLANs that are mapped to the instance.

To be part of a common MST region, a group of switches must share the same configuration attributes. In particular, the configuration name (or region name 32 bits), revision number (16 bits), and VLAN mapping (associate VLANs with spanning-tree instances) need to be the same for all the switches within the same region.

An example of configuring MST on a switch is shown below:

Configuration                                     Description
Switch(config)# spanning-tree mode mst            Turn on MST (and RSTP) on this switch
Switch(config)# spanning-tree mst configuration   Enter MST configuration submode
Switch(config-mst)# name certprepare              Name MST instance
Switch(config-mst)# revision 5                    Set the 16-bit MST revision number. It is not incremented automatically when you commit a new MST configuration.
Switch(config-mst)# instance 1 vlan 5-10          Map instance with respective VLANs
Switch(config-mst)# instance 2 vlan 11-15

QUESTION 83
Which three items are configured in MST configuration submode? (Choose three)

A. Region name
B. Configuration revision number
C. VLAN instance map
D. IST STP BPDU hello timer
E. CST instance map
F. PVST+ instance map

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:
Explanation

Same as

QUESTION 84
Which three statements about the MST protocol (IEEE 802.1S) are true? (Choose three)

A. To verify the MST configuration, the show pending command can be used in MST configuration mode.
B. When RSTP and MSTP are configured; UplinkFast and BackboneFast must also be enabled.
C. All switches in the same MST region must have the same VLAN-to-instance mapping, but different configuration revision numbers.
D. All switches in an MST region, except distribution layer switches, should have their priority lowered from the default value 32768.
E. An MST region is a group of MST switches that appear as a single virtual bridge to adjacent CST and MST regions.
F. Enabling MST with the "spanning-tree mode mst" global configuration command also enables RSTP.

Correct Answer: AEF
Section: (none)
Explanation

Explanation/Reference:
Explanation

The show pending command can be used to verify the MST configuration (pending configuration). An example of this command is shown below:

Note:

The above commands do these tasks:
+ Enter MST configuration mode
+ Map VLANs 10 to 20 to MST instance 1
+ Name the region certprepare
+ Set the configuration revision to 1
+ Display the pending configuration
+ Apply the changes, and return to global configuration mode

The MST region appears as a single bridge to spanning tree configurations outside the region -> an MST region appears as a single virtual bridge to adjacent CST and MST regions -> E is correct.

By enabling MST you also enable RSTP because MST relies on the RSTP configuration to operate -> F is correct.

QUESTION 85
Which two statements concerning STP state changes are true? (Choose two)

A. Upon bootup, a port transitions from blocking to forwarding because it assumes itself as root.
B. Upon bootup, a port transitions from blocking to listening because it assumes itself as root.
C. Upon bootup, a port transitions from listening to forwarding because it assumes itself as root.
D. If a forwarding port receives no BPDUs by the max_age time limit, it will transition to listening.
E. If a forwarding port receives an inferior BPDU, it will transition to listening.
F. If a blocked port receives no BPDUs by the max_age time limit, it will transition to listening.

Correct Answer: BF
Section: (none)
Explanation

Explanation/Reference:

QUESTION 86
Which statement correctly describes the Cisco implementation of RSTP?

A. PortFast, UplinkFast, and BackboneFast specific configurations are ignored in Rapid PVST mode.
B. RSTP is enabled globally and uses existing STP configuration.
C. Root and alternative ports transition immediately to the forwarding state.
D. Convergence is improved by using sub-second timers for the blocking, listening, learning, and forwarding port states.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation

To turn on RSTP, use this command in global configuration mode:

Switch(config)# spanning-tree mode mst

Note: This command turns on both MST & RSTP.

QUESTION 87
The network administrator maps VLAN 10 through 20 to MST instance 2. How will this information be propagated to all appropriate switches?

A. Information will be carried in the RSTP BPDUs.
B. It will be propagated in VTP updates.
C. Information stored in the Forwarding Information Base and the switch will reply on query.
D. Multiple Spanning Tree must be manually configured on the appropriate switches.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 88
Which MST configuration statement is correct?

A. MST configurations can be propagated to other switches using VTP.
B. After MST is configured on a Switch, PVST+ operations will also be enabled by default.
C. MST configurations must be manually configured on each switch within the MST region.
D. MST configurations only need to be manually configured on the Root Bridge.
E. MST configurations are entered using the VLAN Database mode on Cisco Catalyst switches.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 89
While logged into a Company switch you issue the following command:

CompanySwitch(config-mst)#instance 10 vlan 11-12

What does this command accomplish?

A. It enables a PVST+ instance of 10 for vlan 11 and vlan 12
B. It enables vlan 11 and vlan 12 to be part of the MST region 10
C. It maps vlan 11 and vlan 12 to the MST instance of 10.
D. It creates an Internal Spanning Tree (IST) instance of 10 for vlan 11 and vlan 12
E. It creates a Common Spanning Tree (CST) instance of 10 for vlan 11 and vlan 12
F. It starts two instances of MST, one instance for vlan 11 and another instance for vlan 12.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation

MST maps multiple VLANs that have the same traffic flow requirements into the same spanning-tree instance. The main enhancement introduced by MST raises the problem, however, of determining what VLAN is to be associated with what instance. More precisely, based on received BPDUs, devices need to identify these instances and the VLANs that are mapped to the instance.

An example of configuring MST on a switch is shown below:

Configuration                                     Description
Switch(config)# spanning-tree mode mst            Turn on MST (and RSTP) on this switch
Switch(config)# spanning-tree mst configuration   Enter MST configuration submode
Switch(config-mst)# name certprepare              Name MST instance
Switch(config-mst)# revision 5                    Set the 16-bit MST revision number. It is not incremented automatically when you commit a new MST configuration.
Switch(config-mst)# instance 1 vlan 5-10          Map instance 1 with respective VLANs (VLAN 5 to 10)
Switch(config-mst)# instance 2 vlan 11-15         Map instance 2 with respective VLANs (VLAN 11 to 15)

Note: To be part of a common MST region, a group of switches must share the same configuration attributes. In particular, the configuration name (or region name 32 bits), revision number (16 bits), and VLAN mapping (associate VLANs with spanning-tree instances) need to be the same for all the switches within the same region.

QUESTION 90
By default, all VLANs will belong to which MST instance when using Multiple STP?

A. MST00
B. MST01
C. the last MST instance configured
D. none

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation

By default, all VLANs are assigned to MST instance 0. Instance 0 is known as the Internal Spanning-Tree (IST), which is reserved for interacting with other Spanning-Tree Protocols (STPs) and other MST regions.

QUESTION 91
What will occur when a nonedge switch port that is configured for Rapid Spanning Tree does not receive a BPDU from its neighbor for three consecutive hello time intervals?

A. RSTP information is automatically aged out.
B. The port sends a TCN to the root bridge.
C. The port moves to listening state.
D. The port becomes a normal spanning tree port.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation

In STP 802.1D, a non-root bridge only generates BPDUs when it receives one on the root port. But in RSTP 802.1w, a bridge sends a BPDU with its current information every hello-time seconds (2 by default), even if it does not receive any from the root bridge. Also, on a given port, if hellos are not received three consecutive times, protocol information can be immediately aged out (or if max_age expires). Because of the previously mentioned protocol modification, BPDUs are now used as a keep-alive mechanism between bridges. A bridge considers that it loses connectivity to its direct neighbor root or designated bridge if it misses three BPDUs in a row. This fast aging of the information allows quick failure detection. If a bridge fails to receive BPDUs from a neighbor, it is certain that the connection to that neighbor is lost. This is opposed to 802.1D where the problem might have been anywhere on the path to the root.

(Reference: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_white_paper09186a0080094cfa.shtml)

QUESTION 92
A port in a redundant topology is currently in the blocking state and is not receiving BPDUs. To ensure that this port does not erroneously transition to the forwarding state, which command should be configured to satisfy the requirement?

A. Switch(config)#spanning-tree loopguard default
B. Switch(config-if)#spanning-tree bpdufilter
C. Switch(config)#udld aggressive
D. Switch(config-if)#spanning-tree bpduguard

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation

Loop guard prevents alternate or root ports from becoming the designated port due to a failure that could lead to a unidirectional link. An example is shown below:

Suppose S1 is the root bridge. S3's port connected with S2 is currently blocked. Because of a unidirectional link failure on the link between S2 and S3, S3 is not receiving BPDUs from S2.

Without loop guard, the blocking port on S3 will transition to listening (upon max age timer expiration) -> learning -> forwarding state, which creates a loop. With loop guard enabled, the blocking port on S3 will transition into the STP loop-inconsistent state upon expiration of the max age timer. Because a port in the STP loop-inconsistent state will not pass user traffic, no loop is created. The loop-inconsistent state is effectively equal to the blocking state.

To enable loop guard globally use the command spanning-tree loopguard default.

QUESTION 93
You are the administrator of a switch and currently all host-connected ports are configured with the portfast command. You have received a new directive from your manager that states that, in the future, any host-connected port that receives a BPDU should automatically disable PortFast and begin transmitting BPDUs. Which of the following commands will support this new requirement?

A. Switch(config)# spanning-tree portfast bpduguard default
B. Switch(config-if)# spanning-tree bpduguard enable
C. Switch(config-if)# spanning-tree bpdufilter enable
D. Switch(config)# spanning-tree portfast bpdufilter default

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation

The bpdufilter option feature is used to globally enable BPDU filtering on all PortFast-enabled interfaces, and this prevents the switch interfaces connected to end stations from sending or receiving BPDUs.

Note: The spanning-tree portfast bpdufilter default global configuration command can be overridden by the spanning-tree bpdufilter enable command in interface mode.

QUESTION 94
Which two statements correctly describe characteristics of the PortFast feature? (Choose two)

A. STP will be disabled on the port.
B. PortFast can also be configured on trunk ports.
C. PortFast is required to enable port-based BPDU guard.
D. PortFast is used for both STP and RSTP host ports.
E. PortFast is used for STP-only host ports.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation

You can use PortFast on switch or trunk ports connected to a single workstation, switch, or server to allow those devices to connect to the network immediately, instead of waiting for the port to transition from the listening and learning states to the forwarding state -> B is correct.

Also, PortFast can be used for both STP and RSTP -> D is correct.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/7.4/configuration/guide/stp_enha.html)

Answer C is not correct because BPDU guard can be enabled without PortFast. But what will happen if the PortFast and BPDU guard features are configured on the same port?

Well, at the reception of BPDUs, the BPDU guard operation disables the port that has PortFast configured. The BPDU guard transitions the port into errdisable state, and a message appears on the console:

2000 May 12 15:13:32 %SPANTREE-2-RX_PORTFAST:Received BPDU on PortFast enable port. Disabling 2/1
2000 May 12 15:13:32 %PAGP-5-PORTFROMSTP:Port 2/1 left bridge port 2/1

(Reference and good resource: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml)

QUESTION 95
Which of the following commands can be issued without interfering with the operation of loop guard?

A. Switch(config-if)#spanning-tree guard root
B. Switch(config-if)#spanning-tree portfast
C. Switch(config-if)#switchport mode trunk
D. Switch(config-if)#switchport mode access

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation

PortFast & Root guard should be placed on ports configured as access ports while loop guard should be placed on trunk ports -> we can use the "switchport mode trunk" without interfering with the operation of loop guard.

QUESTION 96
Which statement correctly describes enabling BPDU guard on an access port that is also enabled for PortFast?

A. Upon startup, the port transmits 10 BPDUs. If the port receives a BPDU, PortFast and BPDU guard are disabled on that port and it assumes normal STP operation.
B. The access port ignores any received BPDU.
C. If the port receives a BPDU, it is placed into the error-disable state.
D. BPDU guard is only configured globally and the BPDU filter is required for port-level configuration.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation

If any BPDU is received on a port where BPDU guard is enabled, that port is put into the err-disable state immediately. The port is shut down in an error condition and must be either manually re-enabled or automatically recovered through the errdisable timeout function.

Note: A port that has PortFast enabled also has BPDU guard automatically enabled. By combining PortFast & BPDU guard we have a port that can quickly enter the Forwarding state from Blocking state and automatically shut down when receiving BPDUs.

QUESTION 97
Why is BPDU guard an effective way to prevent an unauthorized rogue switch from altering the spanning-tree topology of a network?

A. BPDU guard can guarantee proper selection of the root bridge.
B. BPDU guard can be utilized along with PortFast to shut down ports when a switch is connected to the port.
C. BPDU guard can be utilized to prevent the switch from transmitting BPDUs and incorrectly altering the root bridge election.
D. BPDU guard can be used to prevent invalid BPDUs from propagating throughout the network.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 98
Which three statements about STP timers are true? (Choose three)

A. STP timers values (hello, forward delay, max age) are included in each BPDU.
B. A switch is not concerned about its local configuration of the STP timers values. It will only consider the value of the STP timers contained in the BPDU it is receiving.
C. To successfully exchange BPDUs between two switches, their STP timers value (hello, forward delay, max age) must be the same.
D. If any STP timer value (hello, forward delay, max age) needs to be changed, it should at least be changed on the root bridge and backup root bridge.
E. On a switched network with a small network diameter, the STP hello timer can be tuned to a lower value to decrease the load on the switch CPU.
F. The root bridge passes the timer information in BPDUs to all routers in the Layer 3 configuration.

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:
Explanation

Each BPDU includes the hello, forward delay, and max age STP timers. An IEEE bridge is not concerned about the local configuration of the timers value. The IEEE bridge considers the value of the timers in the BPDU that the bridge receives. Effectively, only a timer that is configured on the root bridge of the STP is important. If you lose the root, the new root starts to impose its local timer value on the entire network. So, even if you do not need to configure the same timer value in the entire network, you must at least configure any timer changes on the root bridge and on the backup root bridge.

(Reference: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094954.shtml)

QUESTION 99
Refer to the exhibit. Which statement is true about the output?

CAT1# show spanning-tree interface FastEthernet 0/1 detail
 Port 1 (FastEthernet0/1) of VLAN0001 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 32769, address 000a.4107.7400
   Designated bridge has priority 32769, address 000a.4107.7400
   Designated port id is 128.1, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   BPDU: sent 237, received 1

CAT2# show spanning-tree interface FastEthernet 0/2 detail
 Port 2 (FastEthernet0/2) of VLAN0001 is blocking
   Port path cost 19, Port priority 128, Port Identifier 128.2.
   Designated root has priority 32769, address 000a.4107.7400
   Designated bridge has priority 32769, address 000a.4107.7400
   Designated port id is 128.1, designated path cost 0
   Timers: message age 1, forward delay 0, hold 0
   Number of transitions to forwarding state: 0
   BPDU: sent 1, received 242

CAT3# show spanning-tree interface FastEthernet 0/1 detail
 Port 1 (FastEthernet0/1) of VLAN0001 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 32769, address 000a.4107.7400
   Designated bridge has priority 32769, address 000a.4107.7400
   Designated port id is 128.1, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   BPDU: sent 24, received 0

A. The port on switch CAT1 is forwarding and sending BPDUs correctly.
B. The port on switch CAT1 is blocking and sending BPDUs correctly.
C. The port on switch CAT2 is forwarding and receiving BPDUs correctly.
D. The port on switch CAT2 is blocking and sending BPDUs correctly.
E. The port on switch CAT3 is forwarding and receiving BPDUs correctly.
F. The port on switch CAT3 is forwarding, sending, and receiving BPDUs correctly.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation

From the first lines of the "show" commands and the BPDU sent and received we can conclude:

CAT1 is forwarding and sending BPDUs correctly (BPDU: sent 237, received 1) but it is not receiving BPDUs.
CAT2 is blocking and receiving BPDUs correctly (BPDU: sent 1, received 242) but it is not sending BPDUs.
CAT3 is forwarding and sending BPDUs correctly (BPDU: sent 24, received 0) but it is not receiving BPDUs.

-> only answer A is correct.
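The reading of the exhibit above can be automated. The following is an added example, not part of the original explanation: it parses the port state and BPDU counters out of "show spanning-tree interface ... detail" text and also flags the Question 92 condition, a blocking port that hears no BPDUs. The threshold IDLE_MAX, the abridged exhibit, and the LAB1 sample are assumptions made for the example.

```python
import re
from dataclasses import dataclass

IDLE_MAX = 1  # assumption: a counter of 0 or 1 means BPDUs are not flowing that way

# Exhibit from Question 99, abridged to the lines the parser reads.
EXHIBIT = """\
CAT1# show spanning-tree interface FastEthernet 0/1 detail
 Port 1 (FastEthernet0/1) of VLAN0001 is forwarding
   Designated root has priority 32769, address 000a.4107.7400
   BPDU: sent 237, received 1
CAT2# show spanning-tree interface FastEthernet 0/2 detail
 Port 2 (FastEthernet0/2) of VLAN0001 is blocking
   Designated root has priority 32769, address 000a.4107.7400
   BPDU: sent 1, received 242
CAT3# show spanning-tree interface FastEthernet 0/1 detail
 Port 1 (FastEthernet0/1) of VLAN0001 is forwarding
   Designated root has priority 32769, address 000a.4107.7400
   BPDU: sent 24, received 0
"""

# Constructed sample (not from the page): a blocking port that hears nothing.
CONSTRUCTED = """\
LAB1# show spanning-tree interface FastEthernet 0/3 detail
 Port 3 (FastEthernet0/3) of VLAN0001 is blocking
   BPDU: sent 1, received 0
"""

PROMPT_RE = re.compile(r"^(\S+)#\s*show spanning-tree interface\b", re.M)
PORT_RE = re.compile(r"Port \d+ \((\S+)\) of (VLAN\d+) is (\w+)")
BPDU_RE = re.compile(r"BPDU: sent (\d+), received (\d+)")


@dataclass
class PortReport:
    switch: str
    interface: str
    vlan: str
    state: str
    sent: int
    received: int

    def direction(self):
        """Summarise BPDU flow as 'both', 'tx-only', 'rx-only' or 'none'."""
        sending = self.sent > IDLE_MAX
        receiving = self.received > IDLE_MAX
        if sending and receiving:
            return "both"
        if sending:
            return "tx-only"
        if receiving:
            return "rx-only"
        return "none"

    def silent_blocking(self):
        """True for a blocking port that is not receiving BPDUs (Question 92)."""
        return self.state == "blocking" and self.received <= IDLE_MAX


def parse(text):
    """Split the capture at each CLI prompt and return one PortReport per command."""
    prompts = list(PROMPT_RE.finditer(text))
    reports = []
    for i, prompt in enumerate(prompts):
        end = prompts[i + 1].start() if i + 1 < len(prompts) else len(text)
        chunk = text[prompt.end():end]
        port = PORT_RE.search(chunk)
        bpdu = BPDU_RE.search(chunk)
        if port is None or bpdu is None:
            continue  # truncated output: skip rather than guess
        reports.append(PortReport(prompt.group(1), port.group(1), port.group(2),
                                  port.group(3).lower(),
                                  int(bpdu.group(1)), int(bpdu.group(2))))
    return reports


def findings(text):
    """Return a one-line finding for every blocking port that hears no BPDUs."""
    return [f"{r.switch} {r.interface} {r.vlan}: blocking, received {r.received} BPDUs"
            for r in parse(text) if r.silent_blocking()]


if __name__ == "__main__":
    for r in parse(EXHIBIT + CONSTRUCTED):
        print(r.switch, r.interface, r.state, r.direction())
    print(findings(EXHIBIT + CONSTRUCTED))
```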

QUESTION 100
Which of the following specifications is a companion to the IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) algorithm, and warrants the use of multiple spanning-trees?

A. IEEE 802.1s (MST)
B. IEEE 802.1Q (CST)
C. Cisco PVST+
D. IEEE 802.1d (STP)

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation

MST maps multiple VLANs into a spanning tree instance, with each instance having a spanning tree topology independent of other spanning tree instances. This architecture provides multiple forwarding paths for data traffic, enables load balancing, and reduces the number of STP instances required to support a large number of VLANs. MST improves the fault tolerance of the network because a failure in one instance (forwarding path) does not affect other instances (forwarding paths).

Note: RSTP is automatically turned on along with MST (the "spanning-tree mode mst" in global configuration mode will turn on both RSTP & MST)

(Reference: http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_0_1a/MST.html)

QUESTION 101
What two things will occur when an edge port receives a BPDU? (Choose two)

A. The port immediately transitions to the Forwarding state.
B. The switch generates a Topology Change Notification (TCN) BPDU.
C. The port immediately transitions to the err-disable state.
D. The port becomes a normal STP switch port.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation

The concept of edge port basically corresponds to the PortFast feature. An edge port directly transitions to the forwarding state, and skips the listening and learning stages. An edge port that receives a BPDU immediately loses edge port status and becomes a normal spanning tree port.

(Reference: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_white_paper09186a0080094cfa.shtml#edge)

QUESTION 102
Which statement is true about RSTP topology changes?

A. Only nonedge ports moving to the blocking state generate a TC BPDU.
B. Any loss of connectivity generates a TC BPDU.
C. Any change in the state of the port generates a TC BPDU.
D. Only nonedge ports moving to the forwarding state generate a TC BPDU.
E. If either an edge port or a nonedge port moves to a block state, then a TC BPDU is generated.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation

When a Switch (Bridge) discovers a topology change, it generates a TCN (Topology Change Notification) BPDU (Bridge Protocol Data Unit) and sends the TCN BPDU on its root port. The upstream Switch (Bridge) responds to the sender with a TCA (Topology Change Acknowledgment) BPDU. The upstream Switch (Bridge) (the bridge which received the TCN BPDU) generates another TCN BPDU and sends it out via its Root Port. The process continues until the Root Switch (Bridge) receives the TCN BPDU. When the Root Switch (Bridge) is aware that there is a topology change in the network, it starts to send out its Configuration BPDUs with the topology change (TC) bit set. Configuration BPDUs are received by every Switch (Bridge) in the network and all bridges become aware of the network topology change.

The switch never generates a TCN when a port configured for PortFast goes up or down -> it means no TC will be created for PortFast (or Edge Port) -> D is correct.

(Reference: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094797.shtml)

QUESTION 103
Which of the following conditions guarantees that a broadcast storm cannot occur?

A. a native VLAN mismatch on either side of an 802.1Q link
B. BPDU filter configured on a link to another switch
C. Spanning Tree Protocol enabled on both Layer 2 and multilayer switches
D. PortFast enabled on all access and trunk ports

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 104
Which two statements are true about port BPDU Guard and BPDU filtering? (Choose two)

A. BPDU guard can be enabled globally, whereas BPDU filtering must be enabled on a per-interface basis.
B. When globally enabled, BPDU port-guard and BPDU filtering apply only to PortFast enabled ports.
C. When globally enabled, BPDU port-guard and BPDU filtering apply only to trunking-enabled ports.
D. When a BPDU is received on a BPDU port-guard enabled port, the interface goes into the err-disabled state.
E. When a BPDU is received on a BPDU filtering enabled port, the interface goes into the err-disabled state.
F. When a BPDU is received on a BPDU filtering enabled port, the interface goes into the STP blocking state.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 105
Which of the following will generate an RSTP topology change notification?

A. an edge port that transitions to the forwarding state
B. a non-edge port that transitions to the blocking state
C. a non-edge port that transitions to the forwarding state
D. an edge port that transitions to the blocking state
E. any port that transitions to the blocking state
F. any port that transitions to the forwarding state

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 106
What is the effect of configuring the following command on a switch?

Switch(config)# spanning-tree portfast bpdufilter default

A. If BPDUs are received by a port configured for PortFast, then PortFast is disabled and the BPDUs are processed normally.
B. If BPDUs are received by a port configured for PortFast, they are ignored and none are sent.
C. If BPDUs are received by a port configured for PortFast, the port will transition to forwarding state.
D. The command will enable BPDU filtering on all ports regardless of whether they are configured for BPDU filtering at the interface level.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation

Please read the explanation of

QUESTION 107
Refer to the show spanning-tree mst configuration output shown in the exhibit. What should be changed in the configuration of the switch SW_2 in order for it to participate in the same MST region?

A. Switch SW_2 must be configured with the revision number of 2.
B. Switch SW_2 must be configured with a different VLAN range.
C. Switch SW_2 must be configured with the revision number of 1.
D. Switch SW_2 must be configured with a different MST name.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 108
Switch R1 has been configured with the root guard feature. What statement is true if the spanning tree enhancement Root Guard is enabled?

A. If BPDUs are not received on a non-designated port, the port is moved into the STP loop-inconsistent blocked state.
B. If BPDUs are received on a PortFast enabled port, the port is disabled.
C. If inferior BPDUs are received on a root port, all blocked ports become alternate paths to the root bridge.
D. If superior BPDUs are received on a designated port, the interface is placed into the root-inconsistent blocked state.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 109
Based on the show spanning-tree vlan 200 output shown in the exhibit, which two statements about the STP process for VLAN 200 are true? (Choose two)

A. BPDUs will be sent out every two seconds.
B. The time spent in the listening state will be 30 seconds.
C. The time spent in the learning state will be 15 seconds.
D. The maximum length of time that the BPDU information will be saved is 30 seconds.
E. This switch is the root bridge for VLAN 200.
F. BPDUs will be sent out every 10 seconds.

Correct Answer: BF
Section: (none)
Explanation

Explanation/Reference:
Explanation

From the output you learn that:

+ This is not the root bridge for VLAN 200 (it does not have the line "This bridge is the root" and the root bridge information is shown first. It has an Alternative port).
+ The root bridge is sending Hello every 10 seconds, Max Age is 20 seconds and Forward Delay is 15 seconds while the local bridge is sending Hello every 2 seconds, Max Age is 20 seconds and Forward Delay is 15 seconds.

An IEEE bridge is not concerned about the local configuration of the timers value. The IEEE bridge considers the value of the timers in the BPDU that the bridge receives. Effectively, only a timer that is configured on the root bridge of the STP is important. In this case, the local switch will import STP timers from the root bridge -> The listening state (or learning state) will be 30 seconds, which is equal to Forward Delay. Also BPDUs will be sent out every 10 seconds (Hello packets).

(Reference: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094954.shtml)

QUESTION 110
Switch R1 and R2 both belong to the Company VTP domain. What's true about the switch operation in VTP domains? (Choose two)

A. A switch can only reside in one management domain
B. A switch is listening to VTP advertisements from their own domain only
C. A switch is listening to VTP advertisements from multi domains
D. A switch can reside in one or more domains
E. VTP is no longer supported on Catalyst switches

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation

A VTP domain (also called a VLAN management domain) is made up of one or more network devices that share the same VTP domain name and that are interconnected with trunks. A network device can be configured to be in one and only one VTP domain -> A is correct.

If the switch receives a VTP advertisement over a trunk link, it inherits the management domain name and the VTP configuration revision number. The switch ignores advertisements with a different management domain name or an earlier configuration revision number -> B is correct.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vtp.html)

Note: Just for your information, if a switch has not belonged to any VTP domain yet and it receives a VTP advertisement with a VTP domain (whose password is not set), it will join that domain automatically.

QUESTION 111
How does VTP pruning enhance network bandwidth?

A. by restricting unicast traffic to across VTP domains
B. by reducing unnecessary flooding of traffic to inactive VLANs
C. by limiting the spreading of VLAN information
D. by disabling periodic VTP updates

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation

VTP Pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast frames on a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN.

The following example shows the operation of a VTP domain without and with VTP Pruning.

Without VTP Pruning:

VTP domain without VTP Pruning

When PC A sends a broadcast frame on VLAN 10, it travels across all trunk links in the VTP domain. Switches Server, Sw2, and Sw3 all receive broadcast frames from PC A. But only Sw3 has a user on VLAN 10, and it is a waste of bandwidth on Sw2. Moreover, that broadcast traffic also consumes processor time on Sw2. The link between switches Server and Sw2 does not carry any VLAN 10 traffic so it can be "pruned".

VTP domain with VTP Pruning

-> B is correct.

QUESTION 112
VTP devices in a network track the VTP revision number. What is a VTP configuration revision number?

A. A number for identifying changes to the network switch.
B. A number for identifying changes to the network router.
C. A number for identifying changes to the network topology.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 113
VTP switches use advertisements to exchange information with each other. Which of the following advertisement types are associated with VTP? (Choose three)

A. Domain advertisements
B. Advertisement requests from clients
C. Subset advertisements
D. Summary advertisements

Correct Answer: BCD
Section: (none)
Explanation

Explanation/Reference:
Explanation

All VTP packets contain these fields in the header:

* VTP protocol version: 1, 2, or 3
* VTP message types:
1) Summary advertisements (inform adjacent Catalysts of the current VTP domain name and the configuration revision number)
2) Subset advertisement (is sent following the summary advertisement and contains a list of VLAN information)
3) Advertisement requests (is needed in the case it is reset, the VTP domain name has been changed or it has received a VTP summary advertisement with a higher configuration revision than its own).

(For more information about these VTP types, please read: http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml)

4) VTP join messages (similar to the Advertisement request messages but with a different Message Type field value and a few more parameters, including VTP domain name, and a VLAN bit string. If the bit is set, flooded traffic for that VLAN should be received on that trunk. Each trunk port maintains a state variable per VLAN - Joined/Pruned. If the state is Joined, the trunk port is allowed to send broadcast and flooded unicast traffic on this VLAN. If the state is Pruned, the trunk port will not send the broadcast or flooded unicast traffic on this VLAN. VTP join messages are sent when the VTP Client first joins a VTP domain to inform the VTP Servers about its existence in that VTP domain).
* Management domain length
* Management domain name

QUESTION 114
The lack of which two prevents VTP information from propagating between switches? (Choose two)

A. A root VTP server
B. A trunk port
C. VTP priority
D. VLAN 1

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation

VTP advertisements only travel through trunk ports -> B is correct.

VLAN 1 is a special VLAN selected by design to carry specific information such as CDP (Cisco Discovery Protocol), VTP, PAgP and DTP. This is always the case and cannot be changed. Cisco recommends not to use VLAN 1 as a standard VLAN to carry network data -> D is correct.

QUESTION 115
Which two DTP modes will permit trunking between directly connected switches? (Choose two)

A. dynamic desirable (VTP domain A) to dynamic desirable (VTP domain A)
B. dynamic desirable (VTP domain A) to dynamic desirable (VTP domain B)
C. dynamic auto (VTP domain A) to dynamic auto (VTP domain A)
D. dynamic auto (VTP domain A) to dynamic auto (VTP domain B)
E. dynamic auto (VTP domain A) to nonegotiate (VTP domain A)
F. nonegotiate (VTP domain A) to nonegotiate (VTP domain B)

Correct Answer: AF
Section: (none)
Explanation

Explanation/Reference:
Explanation

Below are the switchport modes for easy reference:

Mode: Function

Dynamic Auto: Creates the trunk based on the DTP request from the neighboring switch.

Dynamic Desirable: Communicates to the neighboring switch via DTP that the interface would like to become a trunk if the neighboring switch interface is able to become a trunk.

Trunk: Automatically enables trunking regardless of the state of the neighboring switch and regardless of any DTP requests sent from the neighboring switch.

Access: Trunking is not allowed on this port regardless of the state of the neighboring switch interface and regardless of any DTP requests sent from the neighboring switch.

Nonegotiate: Forces the port to permanently trunk but prevents the interface from generating DTP frames. This command can be used only when the interface switchport mode is access or trunk. You must manually configure the neighboring interface as a trunk interface to establish a trunk link.

Note: If an interface is set to switchport mode dynamic desirable, it will actively attempt to convert the link into trunking mode. If the peer port is configured as switchport mode trunk, dynamic desirable, or dynamic auto mode, trunking is negotiated successfully -> A is correct.

B is not correct because 2 dynamic desirable modes in 2 different VTP domains cannot create a trunk link.

Dynamic auto waits to receive DTP from the neighbor so if 2 interfaces are set to this mode, none of them will receive DTP frames -> C and D are not correct.

A port in Nonegotiate mode can be set to access or trunk port mode but it will not send DTP. Dynamic auto also does not send DTP -> a trunk link cannot be created -> E is not correct.

Also, when setting ports to nonegotiate, that port will not send DTP. We can set both interfaces to trunk link -> a trunk link can be created between two different VTP domains -> F is correct.

QUESTION 116
The Company switches are configured to use VTP. What's true about the VLAN trunking protocol (VTP)? (Choose two)

A. VTP messages will not be forwarded over nontrunk links.
B. VTP domain names need to be identical. However, case doesn't matter.
C. A VTP enabled device which receives multiple advertisements will ignore advertisements with higher configuration revision numbers.
D. A device in "transparent" VTP v.1 mode will not forward VTP messages.
E. VTP pruning allows switches to prune VLANs that do not have any active ports associated with them.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Explanation

Answer A is obviously correct as VTP advertisements only travel through trunk ports.

VTP domain names are case-sensitive. That means the domain "certprepare" is different from "Certprepare". There is no exception -> B is not correct. A VTP enabled device which receives multiple advertisements will update (not ignore) advertisements with higher configuration revision numbers, provided that it has the same VTP domain name and password -> C is not correct.

Answer D is not clear. In VTP Version 1, a VTP transparent switch inspects VTP messages for the domain name and version and forwards a message only if the version and domain name match. Because VTP Version 2 supports only one domain, it forwards VTP messages in transparent mode without inspecting the version and domain name. So in this case we don't have enough information to conclude about answer D.

Answer E is not clear too. VTP will prune VLANs on trunks connected to switches that do not have ports associated with the VLANs. I am not sure what Cisco wants to say in answer E.

But if we consider answer E to be incorrect then the best answers should be A and D.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_50_se/configuration/guide/swvtp.html#wp1035121)
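The acceptance rules stated in the explanations of Questions 110 and 116 (case-sensitive domain name, matching password, higher configuration revision, automatic join for a switch with no domain) are modelled below. This is an added example, not code from the original page or from Cisco; the class names and sample values are constructed, and the plain password comparison stands in for the digest a real VTP message carries.

```python
from dataclasses import dataclass, field


@dataclass
class Advertisement:
    """Fields of a summary/subset advertisement that matter for acceptance."""
    domain: str
    revision: int
    vlans: dict
    password: str = ""  # modelling shortcut for the message digest


@dataclass
class Switch:
    name: str
    mode: str = "client"   # "server", "client" or "transparent"
    domain: str = ""       # empty string: not yet in any VTP domain
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def receive(self, adv):
        """Apply the page's rules in order and return the decision as text."""
        if self.mode == "transparent":
            return "ignored: transparent mode does not synchronize"
        if not self.domain:
            # Question 110 note: a switch with no domain joins automatically,
            # but only when the advertised domain has no password set.
            if adv.password:
                return "ignored: no domain yet and advertisement is password-protected"
            self.domain = adv.domain
        if adv.domain != self.domain:      # exact match, so case matters
            return "ignored: different domain"
        if adv.password != self.password:
            return "ignored: password mismatch"
        if adv.revision <= self.revision:
            return "ignored: revision not higher"
        # Accepted: the whole VLAN database is replaced, not merged.
        self.revision = adv.revision
        self.vlans = dict(adv.vlans)
        return "accepted"


def walk_through():
    """Run constructed advertisements against one switch; return decisions and end state."""
    sw = Switch("SW1", domain="certprepare", revision=5,
                vlans={1: "default", 10: "users"})
    newer = {1: "default", 20: "voice"}
    decisions = [
        sw.receive(Advertisement("Certprepare", 9, newer)),        # wrong case
        sw.receive(Advertisement("certprepare", 4, newer)),        # earlier revision
        sw.receive(Advertisement("certprepare", 9, newer, "s3")),  # password set
        sw.receive(Advertisement("certprepare", 9, newer)),        # all checks pass
    ]
    return decisions, sw


if __name__ == "__main__":
    decisions, sw = walk_through()
    for d in decisions:
        print(d)
    print(sw.revision, sw.vlans)
```

After the accepted advertisement, VLAN 10 is gone from SW1 because the database is replaced wholesale; the domain name, password and revision number are the only checks in front of that replacement.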

QUESTION 117
The Company switches have all been upgraded to use VTP version 2. What are two benefits provided in VTP Version 2 that are not available in VTP Version 1? (Choose two)

A. VTP version 2 supports Token Ring VLANs.
B. VTP version 2 allows VLAN consistency checks.
C. VTP version 2 saves VLAN configuration memory.
D. VTP version 2 reduces the amount of configuration necessary.
E. The VTP version 2 allows active redundant links when used with spanning tree.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation

The major difference is that VTP V2 introduces support for Token Ring VLANs. If you use Token Ring VLANs, you must enable VTP V2 -> A is correct.

In VTP version 2, VLAN consistency checks (such as VLAN names and values) are performed only when you enter new information through the command-line interface (CLI) or Simple Network Management Protocol (SNMP). Consistency checks are not performed when new information is obtained from a VTP message or when information is read from NVRAM. If the digest on a received VTP message is correct, its information is accepted without consistency checks -> B is correct.

(Reference: http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml)

QUESTION 118
Switch R1 is configured to use the VLAN Trunking Protocol (VTP). What does R1 advertise in its VTP domain?

A. The VLAN ID of all known VLANs, the management domain name, and the total number of trunk links on the switch.
B. The VLAN ID of all known VLANs, a 1-bit canonical format (CFI Indicator), and the switch configuration revision number.
C. The management domain name, the switch configuration revision number, the known VLANs, and their specific parameters.
D. A 2-byte TPID with a fixed value of 0x8100 for the management domain number, the switch configuration revision number, the known VLANs, and their specific parameters.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation

VTP advertises its management domain name, the switch configuration revision number, the known VLANs, and their specific parameters -> C is correct.

Note: IEEE 802.1Q VLAN (not VTP) tag uses the tag protocol identifier (TPID) field to identify the protocol type. The default TPID value in IEEE 802.1Q is 0x8100 -> D is not correct.

QUESTION 119
Which two statements correctly describe VTP? (Choose two.)

A. Transparent mode always has a configuration revision number of 0.
B. Transparent mode cannot modify a VLAN database.
C. Client mode cannot forward received VTP advertisements.
D. Client mode synchronizes its VLAN database from VTP advertisements.
E. Server mode can synchronize across VTP domains.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 120
Switch R1 and R2 both belong to the Company VTP domain. What's true about the switch operation in VTP domains? (Choose two)

A. A switch can only reside in one management domain
B. A switch is listening to VTP advertisements from their own domain only
C. A switch is listening to VTP advertisements from multi domains
D. A switch can reside in one or more domains
E. VTP is no longer supported on Catalyst switches

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation

A VTP domain (also called a VLAN management domain) is made up of one or more network devices that share the same VTP domain name and that are interconnected with trunks. A network device can be configured to be in one and only one VTP domain -> A is correct.

If the switch receives a VTP advertisement over a trunk link, it inherits the management domain name and the VTP configuration revision number. The switch ignores advertisements with a different management domain name or an earlier configuration revision number -> B is correct.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vtp.html)

Note: Just for your information, if a switch has not belonged to any VTP domain yet and it receives a VTP advertisement with a VTP domain (whose password is not set), it will join that domain automatically.

QUESTION 121
How does VTP pruning enhance network bandwidth?

A. by restricting unicast traffic to across VTP domains
B. by reducing unnecessary flooding of traffic to inactive VLANs
C. by limiting the spreading of VLAN information
D. by disabling periodic VTP updates

Correct Answer: B
Section: (none)

Explanation/Reference:

VTP Pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast frames on a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN.

The following example shows the operation of a VTP domain without and with VTP Pruning.

Without VTP Pruning:

VTP domain without VTP Pruning

When PC A sends a broadcast frame on VLAN 10, it travels across all trunk links in the VTP domain. Switches Server, Sw2, and Sw3 all receive broadcast frames from PC A. But only Sw3 has a user on VLAN 10, so the traffic is a waste of bandwidth on Sw2. Moreover, that broadcast traffic also consumes processor time on Sw2. The link between switches Server and Sw2 does not carry any VLAN 10 traffic so it can be "pruned".

VTP domain with VTP Pruning

-> B is correct.

QUESTION 122

VTP devices in a network track the VTP revision number. What is a VTP configuration revision number?

A. A number for identifying changes to the network switch.
B. A number for identifying changes to the network router.
C. A number for identifying changes to the network topology.

Correct Answer: C
Section: (none)

Explanation/Reference:

QUESTION 123
VTP switches use advertisements to exchange information with each other. Which of the following advertisement types are associated with VTP? (Choose three)

A. Domain advertisements
B. Advertisement requests from clients
C. Subset advertisements
D. Summary advertisements

Correct Answer: BCD
Section: (none)

Explanation/Reference:

All VTP packets contain these fields in the header:

* VTP protocol version: 1, 2, or 3
* VTP message types:
  1) Summary advertisements (inform adjacent Catalysts of the current VTP domain name and the configuration revision number)
  2) Subset advertisements (sent following the summary advertisement; contain a list of VLAN information)
  3) Advertisement requests (needed when the switch has been reset, the VTP domain name has been changed, or it has received a VTP summary advertisement with a higher configuration revision than its own)
  4) VTP join messages (similar to the Advertisement request messages but with a different Message Type field value and a few more parameters, including VTP domain name and a VLAN bit string. If the bit is set, flooded traffic for that VLAN should be received on that trunk. Each trunk port maintains a state variable per VLAN: Joined/Pruned. If the state is Joined, the trunk port is allowed to send broadcast and flooded unicast traffic on this VLAN. If the state is Pruned, the trunk port will not send the broadcast or flooded unicast traffic on this VLAN. VTP join messages are sent when the VTP Client first joins a VTP domain to inform the VTP Servers about its existence in that VTP domain)
* Management domain length
* Management domain name

(For more information about these VTP types, please read: http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml )

QUESTION 124
The lack of which two prevents VTP information from propagating between switches? (Choose two)

A. A root VTP server
B. A trunk port
C. VTP priority
D. VLAN 1

Correct Answer: BD
Section: (none)

Explanation/Reference:

VTP advertisements only travel through trunk ports -> B is correct.

VLAN 1 is a special VLAN selected by design to carry specific information such as CDP (Cisco Discovery Protocol), VTP, PAgP and DTP. This is always the case and cannot be changed. Cisco recommends not to use VLAN 1 as a standard VLAN to carry network data -> D is correct.

QUESTION 125
Which two DTP modes will permit trunking between directly connected switches? (Choose two)

A. dynamic desirable (VTP domain A) to dynamic desirable (VTP domain A)
B. dynamic desirable (VTP domain A) to dynamic desirable (VTP domain B)
C. dynamic auto (VTP domain A) to dynamic auto (VTP domain A)
D. dynamic auto (VTP domain A) to dynamic auto (VTP domain B)
E. dynamic auto (VTP domain A) to nonegotiate (VTP domain A)
F. nonegotiate (VTP domain A) to nonegotiate (VTP domain B)

Correct Answer: AF
Section: (none)

Explanation/Reference:

Below are the switchport modes for easy reference:

Mode: Function

Dynamic Auto: Creates the trunk based on the DTP request from the neighboring switch.

Dynamic Desirable: Communicates to the neighboring switch via DTP that the interface would like to become a trunk if the neighboring switch interface is able to become a trunk.

Trunk: Automatically enables trunking regardless of the state of the neighboring switch and regardless of any DTP requests sent from the neighboring switch.

Access: Trunking is not allowed on this port regardless of the state of the neighboring switch interface and regardless of any DTP requests sent from the neighboring switch.

Nonegotiate: Forces the port to permanently trunk but prevents the interface from generating DTP frames. This command can be used only when the interface switchport mode is access or trunk. You must manually configure the neighboring interface as a trunk interface to establish a trunk link.

Note: If an interface is set to switchport mode dynamic desirable, it will actively attempt to convert the link into trunking mode. If the peer port is configured as switchport mode trunk, dynamic desirable, or dynamic auto mode, trunking is negotiated successfully -> A is correct.

B is not correct because 2 dynamic desirable ports in 2 different VTP domains cannot create a trunk link.

Dynamic auto waits to receive DTP from the neighbor so if 2 interfaces are set to this mode, none of them will receive DTP frames -> C and D are not correct.

A port in Nonegotiate mode can be set to access or trunk port mode but it will not send DTP. Dynamic auto also does not send DTP -> a trunk link cannot be created -> E is not correct. Also, when setting ports to nonegotiate, that port will not send DTP. We can set both interfaces to trunk link -> a trunk link can be created between two different VTP domains -> F is correct.

QUESTION 126
The Company switches are configured to use VTP. What's true about the VLAN trunking protocol (VTP)? (Choose two)

A. VTP messages will not be forwarded over nontrunk links.
B. VTP domain names need to be identical. However, case doesn't matter.
C. A VTP enabled device which receives multiple advertisements will ignore advertisements with higher configuration revision numbers.
D. A device in "transparent" VTP v.1 mode will not forward VTP messages.
E. VTP pruning allows switches to prune VLANs that do not have any active ports associated with them.

Correct Answer: AD
Section: (none)

Explanation/Reference:Explanation

Answer A is obviously correct as VTP advertisements only travel through trunk ports.

VTP domain names are case-sensitive. That means the domain "certprepare" is different from "Certprepare". There is no exception -> B is not correct.

A VTP enabled device which receives multiple advertisements will update (not ignore) advertisements with higher configuration revision numbers, provided that it has the same VTP domain name and password -> C is not correct.

Answer D is not clear. In VTP Version 1, a VTP transparent switch inspects VTP messages for the domain name and version and forwards a message only if the version and domain name match. Because VTP Version 2 supports only one domain, it forwards VTP messages in transparent mode without inspecting the version and domain name. So in this case we don't have enough information to conclude about answer D.

Answer E is not clear too. VTP will prune VLANs on trunks connected to switches that do not have ports associated with the VLANs. I am not sure what Cisco wants to say in answer E.

But if we consider answer E to be incorrect then the best answers should be A and D.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_50_se/configuration/guide/swvtp.html#wp1035121)

QUESTION 127
The Company switches have all been upgraded to use VTP version 2. What are two benefits provided in VTP Version 2 that are not available in VTP Version 1? (Choose two)

A. VTP version 2 supports Token Ring VLANs.
B. VTP version 2 allows VLAN consistency checks.
C. VTP version 2 saves VLAN configuration memory.
D. VTP version 2 reduces the amount of configuration necessary.
E. The VTP version 2 allows active redundant links when used with spanning tree.

Correct Answer: AB
Section: (none)

Explanation/Reference:

The major difference is that VTP V2 introduces support for Token Ring VLANs. If you use Token Ring VLANs, you must enable VTP V2 -> A is correct.

In VTP version 2, VLAN consistency checks (such as VLAN names and values) are performed only when you enter new information through the command-line interface (CLI) or Simple Network Management Protocol (SNMP). Consistency checks are not performed when new information is obtained from a VTP message or when information is read from NVRAM. If the digest on a received VTP message is correct, its information is accepted without consistency checks -> B is correct.

(Reference: http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml )

QUESTION 128

Switch R1 is configured to use the VLAN Trunking Protocol (VTP). What does R1 advertise in its VTP domain?

A. The VLAN ID of all known VLANs, the management domain name, and the total number of trunk links on the switch.
B. The VLAN ID of all known VLANs, a 1-bit canonical format (CF1 Indicator), and the switch configuration revision number.
C. The management domain name, the switch configuration revision number, the known VLANs, and their specific parameters.
D. A 2-byte TPID with a fixed value of 0x8100 for the management domain number, the switch configuration revision number, the known VLANs, and their specific parameters.

Correct Answer: C
Section: (none)

Explanation/Reference:

VTP advertises its management domain name, the switch configuration revision number, the known VLANs, and their specific parameters -> C is correct.

Note: the IEEE 802.1Q VLAN tag (not VTP) uses the tag protocol identifier (TPID) field to identify the protocol type. The default TPID value in IEEE 802.1Q is 0x8100 -> D is not correct.

QUESTION 129
Which two statements correctly describe VTP? (Choose two.)

A. Transparent mode always has a configuration revision number of 0.
B. Transparent mode cannot modify a VLAN database.
C. Client mode cannot forward received VTP advertisements.
D. Client mode synchronizes its VLAN database from VTP advertisements.
E. Server mode can synchronize across VTP domains.

Correct Answer: AD
Section: (none)

Explanation/Reference:

QUESTION 130
What two steps can be taken to help prevent VLAN hopping? (Choose two)

A. Place unused ports in a common unrouted VLAN
B. Enable BPDU guard
C. Implement port security
D. Prevent automatic trunk configuration
E. Disable CDP on ports where it is not necessary

Correct Answer: AD
Section: (none)

Explanation/Reference:

VLAN Hopping: By altering the VLAN ID on packets encapsulated for trunking, an attacking device can send or receive packets on various VLANs, bypassing Layer 3 security measures. VLAN hopping can be accomplished by switch spoofing or double tagging.

1) Switch spoofing:

The attacker can connect an unauthorized Cisco switch to a Company switch port. The unauthorized switch can send DTP frames and form a trunk with the Company Switch. If the attacker can establish a trunk link to the Company switch, it receives traffic to all VLANs through the trunk because all VLANs are allowed on a trunk by default.

(Instead of using a Cisco Switch, the attacker can use software to create and send DTP frames).

2) Double-Tagging:

In this attack, the attacking computer generates frames with two 802.1Q tags. The first tag matches the native VLAN of the trunk port (VLAN 10 in this case), and the second matches the VLAN of a host it wants to attack (VLAN 20).

When the packet from the attacker reaches Switch A, Switch A only sees the first VLAN 10 and it matches with its native VLAN 10 so this VLAN tag is removed. Switch A forwards the frame out all links with the same native VLAN 10. Switch B receives the frame with a tag of VLAN 20 so it removes this tag and forwards out to the Victim computer.

Note: This attack only works if the trunk (between two switches) has the same native VLAN as the attacker.

Please notice that if the port to which the attacker connects is an access port then he can make an attack too. But maybe you will wonder "what does a switch do if it receives tagged traffic from an access port?". Here is the answer quoted from Cisco site:

Traffic arriving on an access port is assumed to belong to the VLAN assigned to the port. If an access port receives a tagged packet (Inter-Switch Link [ISL] or 802.1Q tagged) for the VLAN assigned to the port, the packet is forwarded. If the port receives a tagged packet for another VLAN, the packet is dropped, the source address is not learned, and the frame is counted in the No destination statistic.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_19_ea1/configuration/guide/swint.html#wp1107751)

So in this case, the attacker is on VLAN 10, which is also the native VLAN -> the packet is forwarded.

To mitigate VLAN Hopping, the following things should be done:

1) If no trunking is required, configure port as an access port, this also disables trunking on that interface:

Switch(config-if)# switchport mode access

2) If trunking is required, try to configure the port to Nonegotiate to prevent DTP frames from being sent.

Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate

-> Therefore answer D Prevent automatic trunk configuration is correct.

3) Set the native VLAN to an unused VLAN and don't use this VLAN for any other purpose:

Switch(config-if)# switchport trunk native vlan VLAN-ID

4) Force the switch to tag the native VLAN on all its 802.1Q trunks:

Switch(config)# vlan dot1q tag native

In this question, answer A Place unused ports in a common unrouted VLAN is also correct because the Double-Tagging method requires the attacker's port to be in the same VLAN as the Native VLAN -> Placing these ports in an unrouted VLAN will put them in a different VLAN from the Native VLAN.
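The four mitigations above can be checked mechanically against a switch configuration. The following is an added example, not part of the original exam material: a small Python audit over two constructed IOS-style configs. The finding labels are hypothetical, and it assumes a port with no explicit "switchport mode" line behaves as a dynamic (DTP-negotiating) port, which is platform dependent.

```python
"""Audit an IOS-style config for the VLAN hopping mitigations listed above."""
import re

# Constructed sample configs (not from the exam page).
WEAK_CONFIG = """\
interface FastEthernet0/1
 switchport mode dynamic desirable
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/3
 description unused, left at defaults
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 10
!
"""

HARDENED_CONFIG = """\
vlan dot1q tag native
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 20
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 900
!
"""

MODE_RE = r"switchport mode (access|trunk|dynamic (?:auto|desirable))"


def parse_interfaces(config):
    """Return ({interface: settings}, native_tagging_enabled)."""
    ports, current, tag_native = {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            # Access VLAN and native VLAN both default to VLAN 1.
            current = ports.setdefault(line.split(None, 1)[1], {
                "mode": None, "nonegotiate": False,
                "access_vlan": 1, "native_vlan": 1})
        elif not raw.startswith(" "):
            current = None  # a global line (or "!") ends the interface block
            if line == "vlan dot1q tag native":
                tag_native = True
        elif current is not None:
            if m := re.fullmatch(MODE_RE, line):
                current["mode"] = m.group(1)
            elif line == "switchport nonegotiate":
                current["nonegotiate"] = True
            elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
                current["access_vlan"] = int(m.group(1))
            elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
                current["native_vlan"] = int(m.group(1))
    return ports, tag_native


def audit(config):
    """List (interface, finding) pairs for missing mitigations."""
    ports, tag_native = parse_interfaces(config)
    # VLANs that end hosts can sit in: every port not forced to trunk mode.
    access_vlans = {p["access_vlan"] for p in ports.values()
                    if p["mode"] != "trunk"}
    findings = []
    for name, p in ports.items():
        mode = p["mode"]
        if mode is None or mode.startswith("dynamic"):
            # Mitigation 1 missing: port may still negotiate a trunk.
            findings.append((name, "DTP_NEGOTIATION"))
        elif mode == "trunk":
            if not p["nonegotiate"]:
                # Mitigation 2 missing: trunk still generates DTP frames.
                findings.append((name, "TRUNK_SENDS_DTP"))
            if not tag_native and p["native_vlan"] in access_vlans:
                # Mitigations 3 and 4 both missing: native VLAN is a user VLAN.
                findings.append((name, "NATIVE_VLAN_SHARED"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```
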

QUESTION 131
What is one method that can be used to prevent VLAN hopping on the network?

A. Configure VACLs.
B. Configure all frames with two 802.1Q headers.
C. Enforce username/password combinations.
D. Explicitly turn off Dynamic Trunking Protocol (DTP) on all unused ports.
E. All of the above

Correct Answer: D
Section: (none)

Explanation/Reference:

Disable DTP so that switchport will not negotiate trunking on the link by this command:

Switch(config-if)# switchport nonegotiate

Or a better way is to configure it as an access port:

Switch(config-if)# switchport mode access

Note: VACLs should only be used to mitigate DHCP Snooping, not VLAN Hopping by filtering out DHCP Reply from outside ports.

QUESTION 132
Which two statements about VLAN hopping are true? (Choose two)

A. Attacks are prevented by utilizing the port-security feature.
B. An end station attempts to gain access to all VLANs by transmitting Ethernet frames in the 802.1q encapsulation.
C. Configuring an interface with the "switchport mode dynamic" command will prevent VLAN hopping.
D. An end station attempts to redirect VLAN traffic by transmitting Ethernet frames in the 802.1q encapsulation.
E. Configuring an interface with the "switchport mode access" command will prevent VLAN hopping.

Correct Answer: BE
Section: (none)

Explanation/Reference:

Please read the explanation of

QUESTION 133
When an attacker is using switch spoofing to perform VLAN hopping, how is the attacker able to gather information?

A. The attacking station uses DTP to negotiate trunking with a switch port and captures all traffic that is allowed on the trunk.
B. The attacking station tags itself with all usable VLANs to capture data that is passed through the switch, regardless of the VLAN to which the data belongs.
C. The attacking station will generate frames with two 802.1Q headers to cause the switch to forward the frames to a VLAN that would be inaccessible to the attacker through legitimate means.
D. The attacking station uses VTP to collect VLAN information that is sent out and then tags itself with the domain information in order to capture the data.

Correct Answer: A
Section: (none)

Explanation/Reference:

QUESTION 134
What are three required steps to configure DHCP snooping on a switch? (Choose three)

A. Configure the switch to insert and remove DHCP relay information (option-82 field) in forwarded DHCP request messages.
B. Configure DHCP snooping globally.
C. Configure the switch as a DHCP server.
D. Configure DHCP snooping on an interface.
E. Configure all interfaces as DHCP snooping trusted interfaces.
F. Configure DHCP snooping on a VLAN or range of VLANs.

Correct Answer: BDF
Section: (none)

Explanation/Reference:

To configure the DHCP snooping feature, at least three steps must be done:

Sequence and Description: Command

1. Configure global DHCP snooping:
Switch(config)# ip dhcp snooping

2. Configure trusted ports (at least on 1 port). By default, all ports are untrusted:
Switch(config-if)# ip dhcp snooping trust

3. Configure DHCP snooping for the selected VLANs:
Switch(config)# ip dhcp snooping vlan {VLAN-ID | VLAN range}

Other steps are just optional:

+ Configure DHCP Option 82:
Switch(config)# ip dhcp snooping information option

+ Configure the number of DHCP packets per second (pps) that are acceptable on the port:
Switch(config-if)# ip dhcp snooping limit rate {rate}

Reference: SWITCH Student Guide

QUESTION 135
Which statement is true about DHCP spoofing operation?

A. DHCP spoofing and SPAN cannot be used on the same port of a switch.
B. To prevent a DHCP spoofing, the DHCP server must create a static ARP entry that cannot be updated by a dynamic ARP packet.
C. To prevent a DHCP spoofing, the switch must have DHCP server services disabled and a static entry pointing towards the DHCP server.
D. DHCP spoofing can be prevented by placing all unused ports in an unused VLAN.

Correct Answer: B
Section: (none)

Explanation/Reference:Explanation

First let's analyze answer A.

The Switched Port Analyzer (SPAN) feature copies network traffic from a VLAN or group of ports to a selected port. SPAN is generally referred to as Port mirroring. An example of configuring a SPAN port is shown below:

Switch(config)#monitor session 1 source interface FastEthernet 0/1
Switch(config)#monitor session 1 destination interface FastEthernet 0/2

The above configuration will capture all traffic from interface FastEthernet 0/1 and send it to interface FastEthernet 0/2.

Answer A is a bit unclear because SPAN involves 2 ports: source and destination ports; but we don't know which port is mentioned. SPAN does not affect the switching function on the source port but it does affect the destination port: all incoming traffic is disabled on the destination port so DHCP spoofing cannot be done on this port. I suppose this question wants to mention the source port, which makes answer A incorrect.

Although it is not mentioned in the books, answer B is the best choice. If the DHCP server can create a static ARP entry that cannot be updated by a dynamic ARP packet then the attacker cannot change the MAC address information of the DHCP server on the client -> B is correct.

Usually a switch does not have DHCP server services; also a static entry pointing towards the DHCP server will not help prevent DHCP spoofing -> C is not correct.

Placing all unused ports in an unused VLAN can prevent VLAN Hopping, not DHCP spoofing -> D is not correct.

QUESTION 136
Refer to the exhibit. What type of attack is being defended against?

A. Snooping attack
B. Rogue device attack
C. STP attack
D. VLAN attack
E. Spoofing attack
F. MAC flooding attack

Correct Answer: E
Section: (none)

Explanation/Reference:

DHCP snooping is a method used to defend against DHCP spoofing.

QUESTION 137
An attacker is launching a DoS attack with a public domain hacking tool that is used to exhaust the IP address space available from the DHCP servers for a period of time. Which procedure would best defend against this type of attack?

A. Configure only trusted interfaces with root guard.
B. Implement private VLANs (PVLANs) to carry only user traffic.
C. Implement private VLANs (PVLANs) to carry only DHCP traffic.
D. Configure only untrusted interfaces with root guard.
E. Configure DHCP spoofing on all ports that connect untrusted clients.
F. Configure DHCP snooping only on ports that connect trusted DHCP servers.

Correct Answer: F
Section: (none)

Explanation/Reference:

To defend against a DHCP spoofing attack, we only need to configure DHCP snooping on trusted interfaces because other ports are classified as untrusted ports by default.

QUESTION 138
Refer to the exhibit. DHCP snooping is enabled for selected VLANs to provide security on the network. How do the switch ports handle the DHCP messages?

A. Ports Fa2/1 and Fa2/2 source DHCP requests only. Port Fa3/1 is eligible to source all DHCP messages and respond to DHCP requests.
B. Ports Fa2/1 and Fa2/2 respond to DHCP requests only. Port Fa3/1 is eligible to source all DHCP messages.
C. Ports Fa2/1 and Fa2/2 are eligible to source all DHCP messages and respond to DHCP requests. Port Fa3/1 can source DHCP requests only.
D. All three ports, Fa2/1, Fa2/2, and Fa3/1, are eligible to source all DHCP messages and respond to DHCP requests.

Correct Answer: C
Section: (none)

Explanation/Reference:

Trusted ports are allowed to send all types of DHCP messages. Untrusted ports can send only DHCP requests. If a DHCP response is seen on an untrusted port, the port is shut down. In this case, Fa2/1 & Fa2/2 are trusted (can send all types of DHCP messages) while Fa3/1 is untrusted (can only send DHCP requests).

QUESTION 139
Refer to the exhibit. An attacker is connected to interface Fa0/11 on switch A-SW2 and attempts to establish a DHCP server for a man-in-middle attack. Which recommendation, if followed, would mitigate this type of attack?

A. All switch ports in the Building Access block should be configured as DHCP untrusted ports.
B. All switch ports in the Building Access block should be configured as DHCP trusted ports.
C. All switch ports connecting to servers in the Server Farm block should be configured as DHCP untrusted ports.
D. All switch ports connecting to hosts in the Building Access block should be configured as DHCP trusted ports.
E. All switch ports in the Server Farm block should be configured as DHCP untrusted ports.
F. All switch ports connecting to hosts in the Building Access block should be configured as DHCP untrusted ports.

Correct Answer: F
Section: (none)

Explanation/Reference:

All switch ports connecting to hosts should only send DHCP Requests and they are the ports that can be easily accessed by an attacker -> They should be configured as DHCP untrusted ports.

QUESTION 140
Which three statements are true about the dynamic ARP inspection (DAI) feature? (Choose three)

A. DAI can be performed on ingress ports only.
B. DAI can be performed on both ingress and egress ports.
C. DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
D. DAI should be enabled on the root switch for particular VLANs only in order to secure the ARP caches of hosts in the domain.
E. DAI should be configured on all access switch ports as untrusted and on all switch ports connected to other switches as trusted.
F. DAI is supported on access and trunk ports only.

Correct Answer: ACE
Section: (none)

Explanation/Reference:

DAI is an ingress security feature and does not perform any egress checking -> A is correct.

DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports -> C is correct.

We should configure access switch ports as untrusted because in most cases an attacker will use these ports. By default, all interfaces are untrusted. We only need to configure all switch ports connected to other switches as trusted -> E is correct.

(Reference: http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_2/security/configuration/guide/n1000v_security_13arpinspect.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swdynarp.html)

QUESTION 141
What does the global configuration command "ip arp inspection vlan 10-12,15" accomplish?

A. Discards ARP packets with invalid IP-to-MAC address bindings on trusted ports
B. Validates outgoing ARP requests for interfaces configured on VLAN 10,11,12, or 15
C. Intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings
D. Intercepts all ARP requests and responses on trusted ports

Correct Answer: C
Section: (none)

Explanation/Reference:

The function of DAI is:

+ Intercepts all ARP requests and responses on untrusted ports
+ Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
+ Drops invalid ARP packets

On untrusted ports, the switch captures all ARP packets (both request and reply) and then validates the Source Protocol and Source Hardware address values against the snooping table database for that port. If the MAC address and IP address and the corresponding port do not match the snooping database entry, the ARP packets are dropped. DAI thus prevents the node from specifying a non-legitimate IP-MAC address binding which differs from what was given by the DHCP server.
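The decision logic just described can be modelled in a few lines. The following is an added example, not part of the original exam material and not Cisco's implementation: a Python model of the DAI check against a DHCP snooping binding table, using the VLAN list from the command in the question. The class names, port names, MAC addresses and IP addresses are all constructed for illustration.

```python
"""Model of the DAI decision: trusted ports bypass, untrusted ports are
validated against the DHCP snooping binding table, invalid ARPs are dropped
and logged."""
from dataclasses import dataclass


def parse_vlan_list(spec):
    """Expand a VLAN list such as '10-12,15' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping entry: what the DHCP server handed out, and where."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass(frozen=True)
class Arp:
    """The fields of an ARP packet that the check looks at."""
    sender_mac: str
    sender_ip: str
    vlan: int
    ingress_port: str


class DaiSwitch:
    def __init__(self, inspected_vlans, trusted_ports, bindings):
        self.vlans = parse_vlan_list(inspected_vlans)
        self.trusted = set(trusted_ports)
        self.bindings = {(b.vlan, b.ip): b for b in bindings}
        self.log = []  # dropped packets, kept for the operator

    def inspect(self, arp):
        """Return the action taken for one ARP packet on ingress."""
        if arp.vlan not in self.vlans:
            return "forward (VLAN not inspected)"
        if arp.ingress_port in self.trusted:
            return "forward (trusted port, no check)"
        b = self.bindings.get((arp.vlan, arp.sender_ip))
        if b and b.mac == arp.sender_mac and b.port == arp.ingress_port:
            return "forward (binding valid)"
        self.log.append(arp)
        return "drop (invalid IP-to-MAC binding)"


def run_demo():
    """Run four constructed ARP packets through the model."""
    sw = DaiSwitch(
        inspected_vlans="10-12,15",
        trusted_ports=["Fa0/23"],  # uplink to another switch
        bindings=[
            Binding("0000.aaaa.0001", "10.0.10.5", 10, "Fa0/1"),  # Host_A
            Binding("0000.bbbb.0002", "10.0.10.6", 10, "Fa0/2"),  # Host_B
        ],
    )
    packets = [
        # Host_A announcing its own address on its own port.
        Arp("0000.aaaa.0001", "10.0.10.5", 10, "Fa0/1"),
        # Host_B claiming Host_A's IP with Host_B's MAC on an untrusted port.
        Arp("0000.bbbb.0002", "10.0.10.5", 10, "Fa0/2"),
        # The same claim arriving over the trusted uplink: not inspected.
        Arp("0000.bbbb.0002", "10.0.10.5", 10, "Fa0/23"),
        # An ARP in VLAN 13, which the VLAN list does not cover.
        Arp("0000.bbbb.0002", "10.0.13.9", 13, "Fa0/2"),
    ]
    return [sw.inspect(p) for p in packets], sw.log


if __name__ == "__main__":
    results, dropped = run_demo()
    for r in results:
        print(r)
    print("logged drops:", len(dropped))
```

The third packet shows why trust boundaries matter: a spoofed binding that enters through a trusted port is forwarded without inspection, so the neighbouring switch has to run its own inspection.
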

QUESTION 142
Refer to the exhibit. Dynamic ARP inspection (DAI) is enabled on switch SW_A only. Both Host_A and Host_B acquire their IP addresses from the DHCP server connected to switch SW_A. What would the outcome be if Host_B initiated an ARP spoof attack toward Host_A?

A. The spoof packets will be inspected at the ingress port of switch SW_A and will be permitted.
B. The spoof packets will not be inspected at the ingress port of switch SW_A and will be permitted.
C. The spoof packets will not be inspected at the ingress port of switch SW_A and will be dropped.
D. The spoof packets will be inspected at the ingress port of switch SW_A and will be dropped.

Correct Answer: B
Section: (none)

Explanation/Reference:

Port Fa0/23 of SW_A is configured as trusted port while DAI is not enabled on SW_B so if Host_B sends spoof packets, SW_B and SW_A will not inspect and forward them.

QUESTION 143
Which three statements are true about DAI? (Choose three)

A. DAI determines the validity of an ARP packet based on the valid MAC address-to-IP address bindings stored in the DHCP Snooping database.
B. DAI forwards all ARP packets received on a trusted interface without any checks.
C. DAI determines the validity of an ARP packet based on the valid MAC address-to-IP address bindings stored in the CAM table.
D. DAI forwards all ARP packets received on a trusted interface after verifying and inspecting the packet against the DAI table.
E. DAI intercepts all ARP packets on untrusted ports
F. DAI is used to prevent against a DHCP Snooping attack.

Correct Answer: ABE
Section: (none)

Explanation/Reference:Explanation

Same as

QUESTION 144
Refer to the exhibit. Which statement is true?

Router(config)# vlan access-map pass 10
Router(config-access-map)# match ip address ABC
Router(config-access-map)# action forward
Router(config)# vlan filter pass vlan-list 5-10

A. IP traffic matching access list ABC is forwarded through VLANs 5-10.
B. IP traffic matching VLAN list 5-10 will be forwarded, and all other traffic will be dropped.
C. All VLAN traffic matching VLAN list 5-10 will be forwarded, and all traffic matching access list ABC is dropped.
D. All VLAN traffic in VLANs 5-10 that match access list ABC will be forwarded, and all else will be dropped.

Correct Answer: D
Section: (none)

Explanation/Reference:

Each VACL has an implicit "deny all" statement at the end, just like a regular ACL. From the exhibit we learn the VACL "pass" is applied from VLAN 5 to 10 with "action forward" -> All VLAN traffic in VLANs 5-10 that match ABC access list will be forwarded, other traffic in VLAN 5 to 10 will be dropped.

QUESTION 145
VLAN maps have been configured on switch R1. Which of the following actions are taken in a VLAN map that does not contain a match clause?

A. Implicit deny feature at end of list.
B. Implicit deny feature at start of list.
C. Implicit forward feature at end of list
D. Implicit forward feature at start of list.

Correct Answer: A
Section: (none)

Explanation/Reference:

If a VLAN map does not contain a match clause then it matches all type of traffic. Maybe this question is not clear but we should understand as "Which of the following actions are taken in a VLAN map that does not match a match clause?".

QUESTION 146
Refer to the exhibit. What will happen to the traffic within VLAN 14 with a source address of 172.16.10.5?

Switch# show ip access-lists net_10
Extended IP access list net_10
    10 permit ip 10.0.0.0 0.255.255.255 any
Switch# conf t
Switch(config)# vlan access-map thor 10
Switch(config-access-map)# match ip address net_10
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter thor vlan-list 12-16

A. The traffic will be forwarded to the router processor for further processing.
B. The traffic will be dropped.
C. The traffic will be forwarded to the TCAM for further processing.
D. The traffic will be forwarded to without further processing.

Correct Answer: B
Section: (none)

Explanation/Reference:

The source address of 172.16.10.5 is not matched with access list net_10. Something like this at the end of the access-map:

vlan access-map thor
action drop

-> The traffic from 172.16.10.5 is dropped -> B is correct.

QUESTION 147
Which of the following should you enable to prevent a switch from forwarding packets with source addresses that are outside an administratively defined group? (Select the best answer)

A. DAI
B. STP
C. PVLAN
D. port security

Correct Answer: D
Section: (none)

Explanation/Reference:

When you assign secure MAC addresses to a secure port, the port does not forward ingress traffic that has source addresses outside the group of defined addresses.

The example below configures secure MAC address 0000.1234.5678. Only traffic from this MAC is forwarded.

Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address 0000.1234.5678

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.html)

QUESTION 148
You need to configure port security on switch R1. Which two statements are true about this technology? (Choose two)

A. Port security can be configured for ports supporting VoIP.
B. With port security configured, four MAC addresses are allowed by default.
C. The network administrator must manually enter the MAC address for each device in order for the switch to allow connectivity.
D. With port security configured, only one MAC address is allowed by default.
E. Port security cannot be configured for ports supporting VoIP.

Correct Answer: AD
Section: (none)

Explanation/Reference:

Port security can be set on ports supporting VoIP. This example shows how to designate a maximum of one MAC address for a voice VLAN (for a Cisco IP Phone) and one MAC address for the data VLAN (for a PC) on Fast Ethernet interface 5/1 and to verify the configuration:

Switch(config)# interface fa5/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security maximum 1 vlan voice
Switch(config-if)# switchport port-security maximum 1 vlan access

-> A is correct.

By default, only one MAC address is allowed but we can use the "switchport port-security maximum number" command to set the maximum number of MAC addresses allowed -> D is correct.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/port_sec.html)

QUESTION 149

Refer to the exhibit. The "show port-security interface fa0/1" command was issued on switch SW1. Given the output that was generated, which two security statements are true? (Choose two)

A. Interface FastEthernet 0/1 was configured with the switchport port-security aging command.
B. Interface FastEthernet 0/1 was configured with the switchport port-security protect command.
C. Interface FastEthernet 0/1 was configured with the switchport port-security violation restrict command.
D. When the number of secure IP addresses reaches 10, the interface will immediately shut down.
E. When the number of secure MAC addresses reaches 10, the interface will immediately shut down and an SNMP trap notification will be sent.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Answer: B E (wrong)

Explanation

The "Violation Mode: Protect" tells us this interface has been configured with the switchport port-security protect command. Protect mode drops packets with unknown source addresses when the violation occurs -> B is correct.

Well, I cannot say answer E is correct. There is something wrong here. In "Protect" mode, when the number of secure MAC addresses reaches 10, the interface will not be shut down (it just drops unknown source MAC); also an SNMP trap notification will not be sent (an SNMP would be sent in "Shutdown" or "Restrict" mode). So in the exam I am sure you will see another version of answer E.

QUESTION 150
Refer to the exhibit. Which interface or interfaces on switch SW_A can have the port security feature enabled?

A. Ports 0/1 and 0/2
B. The trunk port 0/22 and the EtherChannel ports
C. Ports 0/1, 0/2 and 0/3
D. Ports 0/1, 0/2, 0/3, the trunk port 0/22 and the EtherChannel ports
E. Port 0/1
F. Ports 0/1, 0/2, 0/3 and the trunk port 0/22

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation

Port security can only be configured on static access ports or static trunk ports (DTP disabled). In this case we don't know if the ports of the trunk link have DTP disabled or not -> only Fa0/1, Fa0/2 and Fa0/3 can be configured with port security.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_6_ea2c/configuration/guide/swgports.html)

QUESTION 151
When configuring port security on a Cisco Catalyst switch port, what is the default action taken by the switch if a violation occurs?

A. protect (drop packets with unknown source addresses)
B. restrict (increment SecurityViolation counter)
C. shutdown (access or trunk port)
D. transition (the access port to a trunking port)

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation

There are three port security violation modes:
+ protect - Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.
+ restrict - Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value and causes the SecurityViolation counter to increment.
+ shutdown - Puts the interface into the error-disabled state immediately and sends an SNMP trap notification.

The default behavior for a security violation is to shut down that port permanently.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.html)

QUESTION 152
You are responsible for increasing the security within the Company LAN. Of the following choices listed below, which is true regarding layer 2 security and mitigation techniques?

A. Enable root guard to mitigate ARP address spoofing attacks.
B. Configure DHCP spoofing to mitigate ARP address spoofing attacks.
C. Configure PVLANs to mitigate MAC address flooding attacks.
D. Enable root guard to mitigate DHCP spoofing attacks.
E. Configure dynamic ARP inspection (DAI) to mitigate IP address spoofing on DHCP untrusted ports.
F. Configure port security to mitigate MAC address flooding.

Correct Answer: F
Section: (none)
Explanation

Explanation/Reference:
Explanation

Root guard is used to mitigate spanning-tree compromises, not ARP address spoofing -> A and D are not correct.

DHCP spoofing is mitigated by DHCP snooping -> B is not correct.

PVLAN is often used to protect devices on a common VLAN, giving them more separation even though they are on the same VLAN. It is not used to mitigate MAC address flooding attacks -> C is not correct.

DAI should be used to mitigate an ARP spoofing attack, in which the attacker fakes its MAC as the destination MAC to receive traffic intended for a valid destination -> E is not correct.

A MAC flooding attack is a technique in which the attacker floods the switch with packets, each containing a different source MAC address. This makes the switch learn the MAC addresses until its memory is used up. Now the switch acts like a hub, in which all incoming packets are broadcast out on all ports instead of just to the correct destination port as in normal operation. The attacker can listen to these broadcast packets and capture sensitive data.

To protect against this type of attack, the port security feature can be used to limit the MAC addresses and allow only specific MAC addresses to access the port -> F is correct. (A VLAN access map with a "mac access list" can also be used to filter MAC addresses.)

QUESTION 153
Refer to the exhibit. From the configuration shown, what can be determined?

Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport access vlan 21
Switch(config-if)# switchport mode access
Switch(config-if)# switchport voice vlan 22
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 20
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0002
Switch(config-if)# switchport port-security mac-address 0000.0000.0003
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 vlan voice
Switch(config-if)# switchport port-security mac-address 0000.0000.0004 vlan voice
Switch(config-if)# switchport port-security maximum 10 vlan access
Switch(config-if)# switchport port-security maximum 10 vlan voice

A. The sticky addresses will only be those manually configured MAC addresses enabled with the sticky keyword.
B. The remaining secure MAC addresses will be dynamically learned, converted to sticky secure MAC addresses, and added to the running configuration.
C. Since a voice VLAN is configured in this example, port security should be set for a maximum of 2.
D. A security violation will restrict the number of addresses to a maximum of 10 addresses per access VLAN and voice VLAN. The port will be shut down if more than 10 devices per VLAN attempt to access the port.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation

The "sticky" keyword in the switchport port-security mac-address sticky command converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses and adds them to the running configuration.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swtrafc.html)

QUESTION 154
What are two methods of mitigating MAC address flooding attacks? (Choose two)

A. Place unused ports in a common VLAN.
B. Implement private VLANs.
C. Implement DHCP snooping.
D. Implement port security.
E. Implement VLAN access maps.

Correct Answer: DE
Section: (none)
Explanation

Explanation/Reference:
Explanation

A MAC flooding attack is a technique in which the attacker floods the switch with packets, each containing a different source MAC address. This makes the switch learn the MAC addresses until its memory is used up. Now the switch acts like a hub, in which all incoming packets are broadcast out on all ports instead of just to the correct destination port as in normal operation. The attacker can listen to these broadcast packets and capture sensitive data.

To protect against this type of attack, the port security feature can be used to limit the MAC addresses and allow only specific MAC addresses to access the port. A VLAN access map with a "mac access list" can also be used to filter MAC addresses -> D & E are correct.

QUESTION 155
Given the configuration on a switch interface, what happens when a host with the MAC address of 0003.0003.0003 is directly connected to the switch port?

switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address 0002.0002.0002
switchport port-security violation shutdown

A. The host will be allowed to connect.
B. The port will shut down.
C. The host can only connect through a hub/switch where 0002.0002.0002 is already connected.
D. The host will be refused access.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation

The maximum number of hosts allowed to connect is set to 2. One of them is specified as MAC 0002.0002.0002, so another MAC can be allowed to connect.

QUESTION 156
Refer to the exhibit. Which of these is true based upon the output shown in the command?

switch# show port-security interface fastethernet 0/1
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses: 11
Total MAC Addresses: 11
Configured MAC Addresses: 3
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0

A. If the number of devices attempting to access the port exceeds 11, the port will shut down for 20 minutes, as configured.
B. The port has security enabled and has shut down due to a security violation.
C. The port is operational and has reached its configured maximum allowed number of MAC addresses.
D. The port will allow access for 11 MAC addresses in addition to the 3 configured MAC addresses.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation

Notice that the "Violation mode: Shutdown" line only describes what the switch will do if a violation occurs; it is not the current status of that port. The last line, "Security Violation count: 0", tells us no violation has occurred -> the port is operational. Also, "Maximum MAC Addresses" and "Total MAC Addresses" are both 11 -> the maximum number of MAC addresses has been reached.

From the "Configured MAC Addresses: 3" line we also learn that 3 MAC addresses are manually configured and 8 MAC addresses are dynamically learned.

QUESTION 157
Refer to the exhibit. Based on the running configuration that is shown for interface FastEthernet0/2, what two conclusions can be deduced? (Choose two)

!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 6
 switchport port-security aging time 5
 switchport port-security aging static
 switchport port-security mac-address sticky
 switchport port-security mac-address 0000.0000.000b
 switchport port-security mac-address sticky 0000.0000.4141
 switchport port-security mac-address sticky 0000.0000.5050
 no ip address

A. Connecting a host with MAC address 0000.0000.4147 will move interface FastEthernet0/2 into error-disabled state.
B. The host with address 0000.0000.4141 is removed from the secure address list after 5 seconds of inactivity.
C. The sticky secure MAC addresses are treated as static secure MAC addresses after the running configuration is saved to the startup configuration and the switch is restarted.
D. Interface FastEthernet0/2 is a voice VLAN port.
E. The host with address 0000.0000.000b is removed from the secure address list after 300 seconds.

Correct Answer: CE
Section: (none)
Explanation

Explanation/Reference:
Explanation

In this case "switchport port-security aging time 5" sets the aging time to 5 minutes and "switchport port-security aging static" tells the switch to age out statically configured MAC addresses -> the MAC 0000.0000.000b will be aged out after 5 minutes (300 seconds).

Note: Cisco switches do not support port security aging of sticky secure MAC addresses -> the sticky secure MAC addresses are not aged out.

QUESTION 158
Refer to the exhibit. What will happen when one more user is connected to interface FastEthernet 5/1?

A. The first address learned on the port will be removed from the secure address list and be replaced with the new address.
B. All secure addresses will age out and be removed from the secure address list. This will cause the security violation counter to increment.
C. The packets with the new source addresses will be dropped until a sufficient number of secure MAC addresses are removed from the secure address list.
D. The interface will be placed into the error-disabled state immediately, and an SNMP trap notification will be sent.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation

There are three violation modes of port security:

+ Protect: drop packets (port is not shut down)
+ Restrict: drop packets and increase violation counter, send SNMP trap notification (port is not shut down)
+ Shutdown (default mode): put port into error-disabled state (same as shutdown state), send SNMP trap notification

QUESTION 159
When you enable port security on an interface that is also configured with a voice VLAN, what is the maximum number of secure MAC addresses that should be set on the port?

A. No more than one secure MAC address should be set.
B. The default will be set.
C. The IP phone should use a dedicated port, therefore only one MAC address is needed per port.
D. No value is needed if the switchport priority extend command is configured.
E. No more than two secure MAC addresses should be set.

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation

Usually, an IP Phone needs two MAC addresses, one for the voice VLAN and one for the access VLAN. If you don't want other devices to access this port then you should not set more than two secure MAC addresses.

Below is an example for this configuration:

Switch(config)# interface fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security maximum 1 vlan voice
Switch(config-if)# switchport port-security maximum 1 vlan access
//Configure static MAC addresses for these VLANs
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0002 vlan voice

exam by glop gives different answer please confirm

(For more information about this, please read http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/port_sec.html)

QUESTION 160
Refer to the exhibit. What type of attack would be mitigated by this configuration?

A. ARP spoofing
B. MAC spoofing
C. VLAN hopping
D. CDP manipulation
E. MAC flood attack
F. spanning tree compromises

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation

The maximum number of hosts allowed is 5, so an attacker cannot flood the switch with many source MAC addresses -> This configuration is effective against a MAC flooding attack.

QUESTION 161

Refer to the exhibit. Port security has been configured on port Fa0/5. What would happen if another device is connected to the Fa0/5 port after the maximum number of devices has been reached, even if one or more of the original MAC addresses are inactive?

A. The port will permit the new MAC address because one or more of the original MAC addresses are inactive.
B. The port will permit the new MAC address because one or more of the original MAC addresses will age out.
C. Because the new MAC address is not configured on the port, the port will not permit the new MAC address.
D. Although one or more of the original MAC addresses are inactive, the port will not permit the new MAC address.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation

The port-security aging time is set to 0 so it is disabled for this port -> even if the original MAC addresses are inactive, the port will not permit the new MAC address.

QUESTION 162
Refer to the exhibit. The web servers WS_1 and WS_2 need to be accessed by external and internal users. For security reasons, the servers should not communicate with each other, although they are located on the same subnet. The servers do need, however, to communicate with a database server located in the inside network. What configuration will isolate the servers from each other?

A. The switch ports 3/1 and 3/2 will be defined as secondary VLAN community ports. The ports connecting to the two firewalls will be defined as primary VLAN promiscuous ports.
B. The switch ports 3/1 and 3/2 and the ports connecting to the two firewalls will be defined as primary VLAN promiscuous ports.
C. The switch ports 3/1 and 3/2 and the ports connecting to the two firewalls will be defined as primary VLAN community ports.
D. The switch ports 3/1 and 3/2 will be defined as secondary VLAN isolated ports. The ports connecting to the two firewalls will be defined as primary VLAN promiscuous ports.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation

WS_1 and WS_2 cannot communicate with each other, so we can put them into isolated ports. Isolated ports can only communicate with promiscuous ports, so Fa3/34 and Fa3/35 should be promiscuous ports so that they can send and receive data with the Data Server.

Note: Answer A is not clear because it does not state whether the switch ports 3/1 and 3/2 are put into the same or different VLAN community ports. If they are put into different VLAN communities then answer A is correct.

QUESTION 163
Refer to the exhibit. What can be concluded about VLANs 200 and 202?

A. VLAN 202 carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN. VLAN 200 carries traffic between community ports and to promiscuous ports.
B. VLAN 202 carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN. VLAN 200 carries traffic from isolated ports to a promiscuous port.
C. VLAN 200 carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN. VLAN 202 carries traffic between community ports and to promiscuous ports.
D. VLAN 200 carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN. VLAN 202 carries traffic from isolated ports to a promiscuous port.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation

In fact the exhibit above is wrong; that output should be from the command show vlan private-vlan. The show vlan private-vlan type command should give output like this:

Vlan     Type
-------- ---------
202      Primary
200      isolated

With this output we can see VLAN 202 is configured as the primary VLAN while VLAN 200 is configured as a secondary (isolated) VLAN -> B is correct.

QUESTION 164
Private VLANs can be configured as which three of these port types? (Choose three)

A. isolated
B. protected
C. private
D. associated
E. promiscuous
F. community

Correct Answer: AEF
Section: (none)
Explanation

Explanation/Reference:
Explanation

There are three types of ports that can be configured in a Private VLAN: isolated, promiscuous, community.

* Isolated: only communicate with promiscuous ports. Notice that it cannot even communicate with another isolated port. Also, there can be only 1 isolated VLAN per PVLAN.
* Promiscuous: can communicate with all other ports. The default gateway is usually connected to this port so that all devices in the PVLAN can go outside.
* Community: can communicate with other members of that community and promiscuous ports but cannot communicate with other communities. There can be multiple community VLANs per PVLAN.

QUESTION 165
Refer to the exhibit. From the configuration shown, what can you determine about the private VLAN configuration?

Switch# configure terminal
Switch (config)# vlan 20
Switch (config-vlan)# private-vlan primary
Switch (config-vlan)# exit
Switch (config)# vlan 501
Switch (config-vlan)# private-vlan isolated
Switch (config-vlan)# exit
Switch (config)# vlan 502
Switch (config-vlan)# private-vlan community
Switch (config-vlan)# exit
Switch (config)# vlan 503
Switch (config-vlan)# private-vlan community
Switch (config-vlan)# exit
Switch (config)# vlan 20
Switch (config-vlan)# private-vlan association 501-503
Switch (config-vlan)# end

A. Only VLAN 503 will be the community PVLAN because multiple community PVLANs are not allowed.
B. Users of VLANs 501 and 503 will be able to communicate.
C. VLAN 502 is a secondary VLAN.
D. VLAN 502 will be a standalone VLAN because it is not associated with any other VLANs.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation

There are two types of secondary VLAN: isolated and community. In this case VLAN 502 is a community VLAN -> C is correct.

In a PVLAN, multiple community VLANs are allowed. But notice a PVLAN can have only one primary VLAN and one isolated VLAN -> A is not correct.

Only community ports in the same VLAN can communicate with each other. Users in different communities are not able to communicate -> B is not correct.

The command private-vlan association 501-503 associates VLANs 501, 502 and 503 with the primary VLAN 20 -> D is not correct.

QUESTION 166
When configuring private VLANs, which configuration task must you do first?

A. Configure the private VLAN port parameters.
B. Configure and map the secondary VLAN to the primary VLAN.
C. Disable IGMP snooping.
D. Set the VTP mode to transparent.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation

Before configuring private VLANs, we must set VTP mode to transparent because VTP versions 1 and 2 do not support private VLANs (VTP version 3 does support PVLAN). Notice that a switch in VTP transparent mode still forwards other VTP updates to its neighbors.

QUESTION 167
A switch has been configured with Private VLANs. With what type of PVLAN port should the default gateway be configured?

A. Trunk
B. Isolated
C. Primary
D. Community
E. Promiscuous

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation

A default gateway should be configured on a promiscuous port so that all devices in the PVLAN can go outside.

QUESTION 168
You work as a network technician, study the exhibit carefully. What is the effect on the trust boundary of configuring the command mls qos trust cos on the switch port that is connected to the IP phone?

A. Effectively the trust boundary has been moved to the IP phone.
B. The host is now establishing the CoS value and has effectively become the trust boundary.
C. The switch SW is rewriting packets it receives from the IP phone and determining the CoS value.
D. The switch SW will no longer tag incoming voice packets and will trust the distribution layer switch to set the CoS.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

The "mls qos trust cos" command is used to configure the port trust state (by default, the port is not trusted). By using this command, you can configure the switch port to which the telephone is connected to trust the CoS labels of all traffic received on that port.

(Note: All current Cisco IP Phones include an internal three-port Layer 2 switch, therefore you can think of an IP Phone as a switch, and network administrators generally accept a Cisco IP Phone as a trusted device.)

QUESTION 169
If you are a network technician, study the exhibit carefully. Which switch interface configuration command would automatically configure quality of service (QoS) for voice over IP (VoIP) within a QoS domain?

A. auto qos voip cisco-phone
B. mls qos trust
C. switchport priority extend cos 7
D. switchport priority extend trust

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

The command "mls qos trust" is used to configure the port trust state (by default, the port is not trusted).

The command "switchport priority extend cos 7" sets the IP phone port to override the priority received from the PC or the attached device (7 is the highest priority).

The command "switchport priority extend trust" tells the Cisco IP Phone to trust the CoS value of the connected PC instead of re-marking all packets sent from the PC to CoS 0, as it does by default.

QUESTION 170

Study the exhibit carefully. Which statement is true about the voice traffic coming to the switch access port that is connected to the IP phone?

A. The voice VLAN must be configured as a native VLAN on the switch.
B. A PC connected to a switch port via an IP phone must support a trunking encapsulation.
C. The traffic on the voice VLAN must be tagged with 802.1p encapsulation in order to coexist on the same LAN segment with a PC.
D. A PC connected to a switch port via an IP phone is unaware of the presence of the phone.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

The voice VLAN can be configured over a unique voice VLAN (known as the voice VLAN ID or VVID) or over the native VLAN -> A is not correct.

The ports between the PC and the IP Phone always function as access-mode switch ports, so there is no need to support a trunking encapsulation -> B is not correct.

The traffic on the voice VLAN can be tagged with 802.1p encapsulation or 802.1q encapsulation -> C is not correct.

Most Cisco IP Phone models operate as a three-port switch as shown below. Nowadays, the voice traffic and data traffic will normally be on different IP subnets and the PC is unaware of the presence of the phone.

QUESTION 171
Study the exhibit carefully. Which statement is true when voice traffic is forwarded on the same VLAN used by the data traffic?

A. Quality of service cannot be applied for the voice traffic.
B. The voice traffic cannot be forwarded to the distribution layer.
C. Port security cannot be enabled on the switch that is attached to the IP phone.
D. The voice traffic cannot use 802.1p priority tagging.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 172
Which two codecs are supported by Cisco VoIP equipment?

A. G.701 and G719
B. G.711 and G.729
C. G.721 and G.739
D. G.731 and G.749

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 173
Study the exhibit carefully, then tell me what is the problem with this configuration?

A. Spanning tree PortFast cannot be configured on a port where a voice VLAN is configured.
B. The switch port must be configured as a trunk.
C. Sticky secure MAC addresses cannot be used on a port when a voice VLAN is configured.
D. Spanning tree PortFast cannot be configured on a port when a sticky secure MAC address is used.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 174
Study the exhibit carefully. Both host stations are part of the same subnet but are in different VLANs. On the basis of the information presented in the exhibit, which statement is true about an attempt to ping from host to host?

A. Layer 3 device is needed for the ping command to be successful.
B. A trunk port will need to be configured on the link between SA and SB for the ping command to be successful.
C. The two different hosts will need to be in the same VLAN in order for the ping command to be successful.
D. The ping command will be successful without any further configuration changes.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

For two hosts in different VLANs, we must use a layer 3 device to transport packets between them. However, in this case both switches are set in "access" mode, therefore the frames sent between them carry no VLAN tag. Moreover, the hosts are in the same subnet, so they can ping each other without a layer 3 device.

QUESTION 175
Based on the following exhibit, which problem is preventing users on VLAN 100 from pinging addresses on VLAN 200?

A. Native VLAN mismatch.
B. Subinterfaces should be created on Fa0/7 and Fa0/8 on DLS1.
C. Trunking needs to be enabled.
D. The ip routing command is missing on DLS1.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

To allow communication between two VLANs, we need to enable Layer 3 routing on the switch with the "ip routing" command. On some platforms it is enabled by default but on others it is not.

QUESTION 176
Based on the network diagram and routing table output in the exhibit, which one of these statements is true?

A. InterVLAN routing has been configured properly, and the workstations have connectivity to each other.
B. InterVLAN routing will not occur since no routing protocol has been configured.
C. Although interVLAN routing is not enabled, both workstations will have connectivity to each other.
D. Although interVLAN routing is enabled, the workstations will not have connectivity to each other.
E. None of the above.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

In the output we can see both VLAN10 and VLAN20 are shown as up (as networks 10.1.1.0 and 10.2.2.0), so the routing has been configured properly. Notice that the "C" letter indicates that these networks are directly connected to the router.

QUESTION 177
Study the following exhibit carefully, what is the reason that users from VLAN 100 can't ping users on VLAN 200?

A. IP routing needs to be enabled on the switch
B. Trunking needs to be enabled on Fa0/1
C. VLAN 1 needs the no shutdown command
D. The native VLAN is wrong

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

The Fa0/1 interface on the switch is not configured with trunking mode. It needs to be configured as shown below:

SA(config)#interface Fa0/1
SA(config-if)#switchport mode trunk
SA(config-if)#switchport trunk encapsulation dot1q

QUESTION 178

Assume that a host sends a packet to a destination IP address and that the CEF-based switch does not yet have a valid MAC address for the destination. How is the ARP entry (MAC address) of the next-hop destination in the FIB obtained?

A. The sending host must send an ARP request for it
B. All packets to the destination are dropped
C. The Layer 3 forwarding engine (CEF hardware) must send an ARP request for it
D. CEF must wait until the Layer 3 engine sends an ARP request for it

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

If a valid MAC address for the destination is not found, the Layer 3 forwarding engine can't forward the packet in hardware due to the missing Layer 2 next-hop address. Therefore the packet is sent to the Layer 3 Engine so that it can generate an ARP request (this is called the "CEF glean" state).

QUESTION 179
CEF is a completely new routing switch technology. Which two table types are CEF components? (Choose two)

A. adjacency tables
B. caching tables
C. neighbor tables
D. forwarding information base

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 180
Which protocol specified by RFC 2281 provides network redundancy for IP networks, ensuring that user traffic immediately and transparently recovers from first-hop failures in network edge devices or access circuits?

A. ICMP
B. IRDP
C. HSRP
D. STP

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation

HSRP is a Cisco-proprietary protocol developed to allow several routers or multilayer switches to appear as a single gateway IP address. This protocol is described in RFC 2281.

QUESTION 181
Which of the following HSRP router states does an active router enter when it is preempted by a higher priority router?

A. active
B. speak
C. learn
D. listen
E. init
F. standby

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation

First we should review all the HSRP states:

State | Description
Initial | This is the beginning state. It indicates HSRP is not running. It happens when the configuration changes or the interface is first turned on.
Listen | The router knows both the IP and MAC address of the virtual router but it is not the active or standby router. For example, if there are 3 routers in an HSRP group, the router which is not in active or standby state will remain in listen state.
Speak | The router sends periodic HSRP hellos and participates in the election of the active or standby router.
Standby | In this state, the router monitors hellos from the active router and it will take the active state when the current active router fails (no packets heard from active router).
Active | The router forwards packets that are sent to the HSRP group. The router also sends periodic hello messages.

Now let's take an example of a router passing through these states. Suppose there are 2 routers A and B in the network; router A is turned on first. It enters the initial state. Then it moves to listen state, in which it tries to hear whether there are already active or standby routers for this group. After learning that no one has taken the active or standby state, it decides to take part in the election by moving to speak state. Now it starts sending hello messages containing its priority. These messages are sent to the multicast address 224.0.0.2 (which can be heard by all members in that group). When it does not hear a hello message with a higher priority, it assumes the role of active router and moves to active state. In this state, it continues sending out periodic hello messages.

Now router B is turned on. It also goes through initial and listen state. In listen state, it learns that router A is already the active router and no other router is taking the standby role, so it enters speak state to compete for the standby role -> it promotes itself to standby router.

Now to our main question! We want router B to become the active router, so we set a higher priority number than the priority of A and ask router B to take over the role of active router (with the preempt command). Now router A will fall back to the speak state to compete for active or standby state -> it becomes standby router because its priority is now lower than that of router A. (Therefore answer B is correct.)

Note: Suppose router A is in active state while router B is in standby state. If router B does not hear hello messages from router A within the holdtime, router B goes into speak state to announce its priority to all HSRP members and compete for the active state. But if at some time it receives a message from the active router that has a lower priority than its own (because the administrator changed the priority on either router), it can take over the active role by sending out a hello packet with parameters indicating it wants to take over as the active router. This is called a coup hello message.

(Reference and good resource: http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094a91.shtml)

QUESTION 182
Which three statements are true of a default HSRP configuration? (Choose three)

A. The Standby hello time is 2 seconds.
B. Two HSRP groups are configured.
C. The Standby track interface priority decrement is 10.
D. The Standby hold time is 10 seconds
E. The Standby priority is 100.
F. The Standby delay is 3 seconds.

Correct Answer: CDE
Section: (none)
Explanation

Explanation/Reference:
Explanation

The table below shows the default values of popular HSRP parameters:

Feature | Default Setting
Standby group number | 0
Standby MAC address | System assigned as: 0000.0c07.acXX, where XX is the HSRP group number
Standby priority | 100
Standby delay | 0 (no delay)
Standby track interface priority | 10
Standby hello time | 3 seconds
Standby holdtime | 10 seconds

Note:

* Standby delay: If router A is the HSRP active router and then loses a link, which causes it to become the standby router, and then the link comes back, the delay command causes router A to wait before it becomes active again. For example, with the "standby preempt delay minimum 30" command, it waits for 30 seconds for the router to become active.

* Standby track: For example, consider this configuration:

standby priority 150
standby track serial 0

An HSRP priority of 150 is configured with the standby priority command and HSRP is configured to track the state of interface Serial0. Because no decrement value is specified in the standby track command, the HSRP priority is decremented by the default value of 10 when the tracked interface goes down.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_12c_ea1/configuration/guide/swhsrp.html)

QUESTION 183

hostname Switch1
interface Vlan10
ip address 172.16.10.32 255.255.255.0
no ip redirects
standby 1 ip 172.16.10.110
standby 1 timers 1 5
standby 1 priority 130

hostname Switch2
interface Vlan10
ip address 172.16.10.33 255.255.255.0
no ip redirects
standby 1 ip 172.16.10.110
standby 1 timers 1 5
standby 1 priority 120

HSRP was implemented and configured on two switches while scheduled network maintenance was performed. After the two switches have finished rebooting, you notice via show commands that Switch2 is the HSRP active router. Which two items are most likely the cause of Switch1 not becoming the active router? (Choose two)

A. booting delays
B. standby group number does not match VLAN number
C. IP addressing is incorrect
D. preemption is disabled
E. incorrect standby timers
F. IP redirect is disabled

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Explanation

When two routers are turned on at the same time, the router that completes its boot process first takes the active role. Without "preempt" configured, even a new router with a higher priority cannot take over the active role. In the configuration of Switch1 we don't see the "preempt" command configured.

QUESTION 184

hostname Switch1
interface Vlan10
ip address 172.16.10.32 255.255.255.0
no ip redirects
standby 1 ip 172.16.10.110
standby 1 timers msec 200 msec 700
standby 1 preempt

hostname Switch2
interface Vlan10
ip address 172.16.10.33 255.255.255.0
no ip redirects
standby 1 ip 172.16.10.110
standby 1 timers msec 200 msec 750
standby 1 priority 110
standby 1 preempt

hostname Switch3
interface Vlan10
ip address 172.16.10.34 255.255.255.0
no ip redirects
standby 1 ip 172.16.10.110
standby 1 timers msec 200 msec 750
standby 1 priority 150
standby 1 preempt

Refer to the exhibit. Three switches are configured for HSRP. Switch1 remains in the HSRP listen state. What is the most likely cause of this status?

A. this is normal operation
B. standby group number does not match VLAN number
C. IP addressing is incorrect
D. incorrect priority commands
E. incorrect standby timers

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation

Only Switch1 is not configured with a priority, so it will have the default priority of 100, which is smaller than that of Switch2 (110) and Switch3 (150). Moreover, both Switch2 and Switch3 have the "preempt" command, so Switch3 becomes the active router while Switch2 becomes the standby router -> Switch1 will be in listen state (Please read the explanation of

QUESTION 185
What are three possible router states of HSRP routers on a LAN? (Choose three)

A. Standby
B. Established
C. Active
D. Idle
E. Backup
F. Init

Correct Answer: ACF
Section: (none)
Explanation

Explanation/Reference:
Explanation

Same as

QUESTION 186
Refer to the exhibit. Which configuration on the HSRP neighboring device ensures that it becomes the active HSRP device in the event that port fa1/1 on Switch_A goes down?

Switch_A(config-if)# ip address 10.10.10.1 255.255.255.0
Switch_A(config-if)# standby 1 priority 200
Switch_A(config-if)# standby 1 preempt
Switch_A(config-if)# standby 1 track interface fa 1/1
Switch_A(config-if)# standby 1 ip 10.10.10.10

A.
Switch_B(config-if)#ip address 10.10.10.2 255.255.255.0
Switch_B(config-if)#standby 1 priority 200
Switch_B(config-if)#standby 1 preempt
Switch_B(config-if)#standby 1 ip 10.10.10.10
Switch_B(config-if)#standby 1 track interface fa 1/1

B.
Switch_B(config-if)#ip address 10.10.10.2 255.255.255.0
Switch_B(config-if)#standby 1 priority 200
Switch_B(config-if)#standby 1 ip 10.10.10.10

C.
Switch_B(config-if)#ip address 10.10.10.2 255.255.255.0
Switch_B(config-if)#standby 1 priority 195
Switch_B(config-if)#standby 1 preempt
Switch_B(config-if)#standby 1 ip 10.10.10.10

D.
Switch_B(config-if)#ip address 10.10.10.2 255.255.255.0
Switch_B(config-if)#standby 1 priority 190
Switch_B(config-if)#standby 1 ip 10.10.10.10
Switch_B(config-if)#standby 1 track interface fa 1/1

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation

Switch_A is not configured with a standby track priority value, so it will use the default track priority of 10 -> When Switch_A goes down, its priority is 200 - 10 = 190, so Switch_B must be configured with a priority higher than 190. Also, Switch_B must have the "preempt" command configured to take over the active state -> C is correct.

Note: Answer A is not correct because Switch_B has the same priority value as Switch_A, but Switch_B's IP address on the HSRP interface is higher (10.10.10.2 is higher than 10.10.10.1), so Switch_B will take over the active state from Switch_A even when Switch_A is still operational.
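
The reasoning above can be checked mechanically. The following Python model is an added example, not part of the original exam material: it applies the rules stated in these explanations (default track decrement of 10, takeover only with "preempt", higher IP address breaks a priority tie) to the four answer options of QUESTION 186. The class and function names are hypothetical, and Switch_A is assumed to be the active device at the start.

```python
"""Model of the HSRP takeover decision discussed in QUESTION 186 (added example)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address

DEFAULT_TRACK_DECREMENT = 10  # default named in the explanation of QUESTION 182


@dataclass
class HsrpRouter:
    # Hypothetical helper type; fields mirror the "standby" options on the page.
    name: str
    ip: str
    priority: int = 100                          # HSRP default priority
    preempt: bool = False                        # off unless "standby N preempt"
    tracked: dict = field(default_factory=dict)  # tracked interface -> decrement
    down: set = field(default_factory=set)       # tracked interfaces that are down

    def effective_priority(self) -> int:
        # Every tracked interface that is down subtracts its decrement.
        lost = sum(dec for intf, dec in self.tracked.items() if intf in self.down)
        return self.priority - lost

    def rank(self):
        # Higher priority wins; the higher interface IP address breaks a tie.
        return (self.effective_priority(), int(IPv4Address(self.ip)))


def active_after(current_active, routers):
    """Return the active router once hellos have been exchanged.

    The current active router keeps sending hellos, so it is replaced only
    by a router that has preempt configured and outranks it.
    """
    active = current_active
    changed = True
    while changed:
        changed = False
        for r in routers:
            if r is not active and r.preempt and r.rank() > active.rank():
                active, changed = r, True
    return active


def switch_a():
    # Switch_A exactly as shown in the exhibit (no explicit track decrement).
    return HsrpRouter("Switch_A", "10.10.10.1", 200, True,
                      {"fa1/1": DEFAULT_TRACK_DECREMENT})


# Switch_B as configured in answer options A-D.
OPTIONS = {
    "A": dict(priority=200, preempt=True, tracked={"fa1/1": DEFAULT_TRACK_DECREMENT}),
    "B": dict(priority=200, preempt=False),
    "C": dict(priority=195, preempt=True),
    "D": dict(priority=190, preempt=False, tracked={"fa1/1": DEFAULT_TRACK_DECREMENT}),
}


def evaluate(option):
    """Return (active while fa1/1 is up, active after fa1/1 on Switch_A fails)."""
    a = switch_a()
    b = HsrpRouter("Switch_B", "10.10.10.2", **OPTIONS[option])
    before = active_after(a, [a, b])   # assumption: Switch_A starts as active
    a.down.add("fa1/1")                # tracked port on Switch_A goes down
    after = active_after(before, [a, b])
    return before.name, after.name


if __name__ == "__main__":
    for opt in OPTIONS:
        print(opt, evaluate(opt))
```

Only option C leaves Switch_A active while fa1/1 is up and hands the active role to Switch_B after the failure; option A takes over immediately, and options B and D never take over because preempt is missing.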

QUESTION 187
Which two statements about the HSRP priority are true? (Choose two)

A. To assign the HSRP router priority in a standby group, the standby group-number priority priority-value global configuration command must be used.
B. The default priority of a router is zero (0).
C. The no standby priority command assigns a priority of 100 to the router.
D. Assuming that preempting has also been configured, the router with the lowest priority in an HSRP group would become the active router.
E. When two routers in an HSRP standby group are configured with identical priorities, the router with the highest configured IP address will become the active router.

Correct Answer: CE
Section: (none)
Explanation

Explanation/Reference:
Explanation

The "no standby priority" command will reset the priority to the default value (100) -> C is correct.

To understand answer E please read the explanation of

QUESTION 188
HSRP has been configured between two Company devices. Which of the following describe reasons for deploying HSRP? (Choose three)

A. HSRP provides redundancy and fault tolerance
B. HSRP allows one router to automatically assume the function of the second router if the second router fails
C. HSRP allows one router to automatically assume the function of the second router if the second router starts
D. HSRP provides redundancy and load balancing

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:
Explanation

Answers A and B are correct because they are the functions of HSRP. I just want to mention answer D. In fact answer D is not totally correct: in SWITCH, only GLBP has the load-balancing feature. HSRP can only do load sharing by configuring several different HSRP groups. But answer D is the only choice left in this question, so we have to choose it.

QUESTION 189
Regarding high availability, with the MAC address 0000.0c07.ac03, what does the "03" represent?

A. The GLBP group number
B. The type of encapsulation
C. The HSRP router number
D. The VRRP group number
E. The HSRP group number
F. The active router number

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation

The last two-digit hex value in the MAC address represents the HSRP group number.

QUESTION 190
Three Cisco Catalyst switches have been configured with a first-hop redundancy protocol. While reviewing some show commands, debug output, and the syslog, you discover the following information:

Jan 9 08:00:42.623: %STANDBY-6-STATECHANGE: Standby: 49:Vlan149 state Standby -> Active
Jan 9 08:00:56.011: %STANDBY-6-STATECHANGE: Standby: 49:Vlan149 state Active -> Speak
Jan 9 08:01:03.011: %STANDBY-6-STATECHANGE: Standby: 49:Vlan149 state Speak -> Standby
Jan 9 08:01:29.427: %STANDBY-6-STATECHANGE: Standby: 49:Vlan149 state Standby -> Active
Jan 9 08:01:36.808: %STANDBY-6-STATECHANGE: Standby: 49:Vlan149 state Active -> Speak
Jan 9 08:01:43.808: %STANDBY-6-STATECHANGE: Standby: 49:Vlan149 state Speak -> Standby

What conclusion can you infer from this information?

A. VRRP is initializing and operating correctly.
B. HSRP is initializing and operating correctly.
C. GLBP is initializing and operating correctly.
D. VRRP is not properly exchanging three hello messages.
E. HSRP is not properly exchanging three hello messages.
F. GLBP is not properly exchanging three hello messages.

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation

These error messages describe a situation in which a standby HSRP router did not receive three successive HSRP hello packets from its HSRP peer (by default, hello messages are sent every 3 seconds while the holdtime is 10 seconds). The output shows that the standby router moves from the standby state to the active state. Shortly thereafter, the router returns to the standby state. Unless this error message occurs during the initial installation, an HSRP issue probably does not cause the error message. The error messages signify the loss of HSRP hellos between the peers. When you troubleshoot this issue, you must verify the communication between the HSRP peers. A random, momentary loss of data communication between the peers is the most common problem that results in these messages. HSRP state changes are often due to high CPU utilization. If the error message is due to high CPU utilization, put a sniffer on the network and trace the system that causes the high CPU utilization.

(Reference and good resource: http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094afd.shtml)
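
The pattern described above (Standby -> Active, then back through Speak shortly afterwards) can be picked out of a syslog feed automatically. The following Python sketch is an added example, not part of the original exam material: it parses the %STANDBY-6-STATECHANGE lines from QUESTION 190, also accepts the "Vlan11 Group 11" layout that appears in QUESTION 206, and reports how long the router held the active role before it heard the original active router again. The function names and the 30-second threshold are assumptions made for this example.

```python
"""Detect short-lived HSRP takeovers in %STANDBY-6-STATECHANGE syslog (added example)."""
import re
from collections import defaultdict
from datetime import datetime

TS = r"\*?(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d\.\d+): %STANDBY-6-STATECHANGE: "
TRANSITION = r" state (?P<old>\w+) -> (?P<new>\w+)"
# The two message layouts that appear on this page.
PATTERNS = [
    re.compile(TS + r"Standby: (?P<group>\d+):\s*(?P<intf>\S+)" + TRANSITION),
    re.compile(TS + r"(?P<intf>\S+) Group (?P<group>\d+)" + TRANSITION),
]

# Log lines copied from QUESTION 190.
SAMPLE_LOG = """\
Jan 9 08:00:42.623: %STANDBY-6-STATECHANGE: Standby: 49:Vlan149 state Standby -> Active
Jan 9 08:00:56.011: %STANDBY-6-STATECHANGE: Standby: 49:Vlan149 state Active -> Speak
Jan 9 08:01:03.011: %STANDBY-6-STATECHANGE: Standby: 49:Vlan149 state Speak -> Standby
Jan 9 08:01:29.427: %STANDBY-6-STATECHANGE: Standby: 49:Vlan149 state Standby -> Active
Jan 9 08:01:36.808: %STANDBY-6-STATECHANGE: Standby: 49:Vlan149 state Active -> Speak
Jan 9 08:01:43.808: %STANDBY-6-STATECHANGE: Standby: 49:Vlan149 state Speak -> Standby
""".splitlines()


def parse(lines):
    """Return sorted (timestamp, interface, group, old_state, new_state) tuples."""
    events = []
    for line in lines:
        for pattern in PATTERNS:
            m = pattern.match(line.strip())
            if not m:
                continue
            # The messages carry no year; a fixed one is enough to compute intervals.
            stamp = "2000 " + " ".join(m["ts"].split())
            ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S.%f")
            events.append((ts, m["intf"], int(m["group"]), m["old"], m["new"]))
            break
    return sorted(events)


def find_flaps(events, max_active_seconds=30.0):
    """Map (interface, group) -> list of seconds the router stayed active.

    A flap is Standby -> Active followed by Active -> Speak for the same
    interface and group within max_active_seconds (threshold is an assumption).
    """
    took_over = {}
    flaps = defaultdict(list)
    for ts, intf, group, old, new in events:
        key = (intf, group)
        if (old, new) == ("Standby", "Active"):
            took_over[key] = ts
        elif (old, new) == ("Active", "Speak") and key in took_over:
            held = (ts - took_over.pop(key)).total_seconds()
            if held <= max_active_seconds:
                flaps[key].append(round(held, 3))
    return dict(flaps)


if __name__ == "__main__":
    for (intf, group), held in find_flaps(parse(SAMPLE_LOG)).items():
        print(f"{intf} group {group}: {len(held)} short takeovers, active for {held} s")
```

On the six lines from the question this reports two takeovers on Vlan149 group 49, which matches the explanation: the standby router missed the peer's hellos, became active, and gave the role back within seconds.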

QUESTION 191
You administer a network that uses two routers, R1 and R2, configured as an HSRP group to provide redundancy for the gateway. Router R1 is the active router and has been configured as follows:

R1#configure terminal
R1(config)#interface fa0/0
R1(config-if)#ip address 10.10.0.5 255.255.255.0
R1(config-if)#standby 1 priority 150
R1(config-if)#standby preempt delay minimum 50
R1(config-if)#standby 1 track interface fa0/2 15
R1(config-if)#standby 1 ip 10.10.0.20

Which of the following describes the effect the "standby preempt delay minimum 50" command will have on router R1?

A. The HSRP priority for router R1 will increase to 200.
B. Router R1 will become the standby router if the priority drops below 50.
C. The HSRP priority for router R1 will decrease to 50 points when Fa0/2 goes down.
D. Router R1 will wait 50 seconds before attempting to preempt the active router.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation

If R1, for some reason, loses its active state, the "standby preempt delay minimum 50" command will cause R1 to wait 50 seconds before it tries to get the active state again -> D is correct.

QUESTION 192
Refer to the exhibit. HSRP has been configured and Link A is the primary route to router R4. When Link A fails, router R2 (Link B) becomes the active router. Which router will assume the active role when Link A becomes operational again?

A. The primary router R1 will reassume the active role when it comes back online.
B. The standby router R2 will remain active and will forward the active role to router R1 only in the event of its own failure.
C. The standby router R2 will remain active and will forward the active role to router R1 only in the event of Link B failure.
D. The third member of the HSRP group, router R3, will take over the active role only in event of router R2 failure.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation
When R1 fails, the "standby 1 preempt" command on R2 will cause R2 to take over the active state from R1. But when R1 comes up again, the "standby 1 preempt" command on R1 will help R1 take over the active state again. Without the "preempt" command configured on R2, R2 takes over the active state only if it receives information indicating that there is no router currently in active state (by default, when it does not receive 3 hello messages from the active router). Without the "preempt" command on R2, it will not become the active router even if its priority is higher than that of all other routers.

QUESTION 193
Which first-hop redundancy solution listed would supply clients with MAC address 0000.0C07.AC0A for group 10 in response to an ARP request for a default gateway?

A. IRDP
B. Proxy ARP
C. GLBP
D. HSRP
E. VRRP
F. IP Redirects

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation

The last two-digit hex value in the MAC address represents the HSRP group number. In this case 0A in hex equals 10 in decimal, so this router belongs to group 10 and it is running HSRP.

QUESTION 194
What three tasks must a network administrator perform to properly configure Hot Standby Routing Protocol (HSRP)? (Choose three)

A. Define the encapsulation type.
B. Define the standby router.
C. Define the standby IP address.
D. Enable the standby priority.

Correct Answer: BCD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 195
You want to allow Router R1 to immediately become the active router if its priority is highest than the active router fails. What command would you use if you wanted to configure this?

A. en standby 1 preempt
B. standby 1 preempt enable
C. standby 1 preempt
D. hot standby 1 preempt

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 196

Routers R1 and R2 are configured for HSRP as shown below:

Router R1:

interface ethernet 0
ip address 20.6.2.1 255.255.255.0
standby 35 ip 20.6.2.21
standby 35 priority 100
interface ethernet 1
ip address 20.6.1.1 255.255.255.0
standby 34 ip 20.6.1.21

Router R2:

interface ethernet 0
ip address 20.6.2.2 255.255.255.0
standby 35 ip 20.6.2.1
interface ethernet 1
ip address 20.6.1.2 255.255.255.0
standby 34 ip 20.6.1.21
standby 34 priority 100

You have configured the routers R1 & R2 with HSRP. While debugging router R2 you notice very frequent HSRP group state transitions. What is the most likely cause of this?

A. physical layer issues
B. no spanning tree loops
C. use of non-default HSRP timers
D. failure to set the command standby 35 preempt

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation

Neither router is configured with the "preempt" command, so by default they only take over the active state when they believe there is no active router (by default, when they don't hear 3 successive hello messages from the active router). Therefore the most likely cause of this problem is a link failure between them (physical layer issue) -> A is correct.

QUESTION 197
In which three HSRP states do routers send hello messages? (Choose three)

A. Learn
B. Speak
C. Standby
D. Listen
E. Active
F. Remove

Correct Answer: BCE
Section: (none)
Explanation

Explanation/Reference:
Explanation

Speak state: sends hello messages to compete for the standby or active role.
Standby state: sends hello messages to announce that it is the standby router, so that other routers (which are not the active or standby router, i.e. in listen state) know the standby router is still there.
Active state: sends hello messages to indicate it is still up.

QUESTION 198
In the hardware address 0000.0c07.ac0a, what does 07.ac represent?

A. HSRP well-known physical MAC address
B. Vendor code
C. HSRP router number
D. HSRP group number
E. HSRP well-known virtual MAC address

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation
The HSRP standby IP address is a virtual MAC address which is composed of 0000.0c07.ac**, in which "**" is the HSRP group number in hexadecimal.

QUESTION 199
Refer to the exhibit. Which two problems are the most likely cause of the exhibited output? (Choose two)

Vlan8 Group 8
Local state is Active, priority 110, may preempt
Hellotime 3 holdtime 10
Next hello sent in 00:00:01.168
Hot standby IP address is 10.1.2.2 configured
Active router is local
Standby router is unknown expired
Standby virtual mac address is 0000.0c07.ac08
5 state changes, last state change 00:05:03

A. Transport layer issues
B. VRRP misconfiguration
C. HSRP misconfiguration
D. Physical layer issues
E. Spanning tree issues

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation

When you see this error, it means the local router fails to receive HSRP hellos from the neighbor router. The two things you should check first are the physical layer connectivity and the HSRP configuration. An example of HSRP misconfiguration is a mismatch of the HSRP standby group and standby IP address.

Another thing you should check is the mismatched VTP modes.

(Reference: http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094afd.shtml)

QUESTION 200
Which two statements are true about the Hot Standby Router Protocol (HSRP)? (Choose two)

A. Load sharing with HSRP is achieved by creating multiple subinterfaces on the HSRP routers.
B. Routers configured for HSRP can belong to multiple groups and multiple VLANs.
C. Load sharing with HSRP is achieved by creating HSRP groups on the HSRP routers.
D. All routers configured for HSRP load balancing must be configured with the same priority.
E. Routers configured for HSRP must belong to only one group per HSRP interface.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Explanation

B is correct according to http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_19_ea1/configuration/guide/swhsrp.html

To achieve load sharing with HSRP, we can divide traffic into two HSRP groups:

+ One group assigns the active state to one switch
+ The other group assigns the active state to the other switch

The example below shows how to do load sharing with HSRP:

In this topology, R1 is the active router for Group 1 and the standby router for Group 2, while R2 is the active router for Group 2 and the standby router for Group 1. The configurations of R1 and R2 are shown below:

R1:
interface fa0/1 //Group 1
ip address 192.168.1.2
standby 1 ip 192.168.1.1
standby 1 priority 150
standby 1 preempt
standby 1 track Serial 0
!
interface fa0/0 //Group 2
ip address 192.168.2.2
standby 2 ip 192.168.2.1
standby 2 priority 145
standby 2 preempt

R2:
interface fa0/1 //Group 2
ip address 192.168.2.3
standby 2 ip 192.168.2.1
standby 2 priority 150
standby 2 preempt
standby 2 track Serial 0
!
interface fa0/0 //Group 1
ip address 192.168.1.3
standby 1 ip 192.168.1.1
standby 1 priority 145
standby 1 preempt

-> C is correct.

Note: An interface can belong to multiple HSRP groups, and the same HSRP group can be applied to different interfaces -> E is not correct.

QUESTION 201
Refer to the exhibit. Assume that Switch_A is active for the standby group and the standby device has only the default HSRP configuration. What conclusion is valid?

Switch_A(config-if)# ip address 10.10.10.1 255.255.255.0
Switch_A(config-if)# standby 1 priority 200
Switch_A(config-if)# standby 1 preempt
Switch_A(config-if)# standby 1 track interface fa 1/1
Switch_A(config-if)# standby 1 ip 10.10.10.10

A. If port Fa1/1 on Switch_A goes down, the standby device will take over as active.
B. If the current standby device were to have the higher priority value, it would take over the role of active for the HSRP group.
C. If port Fa1/1 on Switch_A goes down, the new priority value for the switch would be 190.
D. If Switch_A had the highest priority number, it would not take over as active router.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation

By default, the standby track interface decrement is 10, so if interface fa1/1 goes down, the new priority value is 200 - 10 = 190.

QUESTION 202
Which statement best describes first-hop redundancy protocol status, given the command output in the exhibit?

A. The first-hop redundancy protocol is not configured for this interface.
B. HSRP is configured for group 10.
C. HSRP is configured for group 11.
D. VRRP is configured for group 10.
E. VRRP is configured for group 11.
F. GLBP is configured with a single AVF.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation

The MAC address of the last IP, 0000.0c07.ac0b, indicates that HSRP has been configured for group 11 (0b in hex = 11 in decimal).

QUESTION 203
HSRP has been configured between two Company devices. What kind of message does an HSRP configured router send out every 3 seconds?

A. Retire
B. Coup
C. Resign
D. Send
E. Hello

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:

QUESTION 204
The following command was issued on a router that is being configured as the active HSRP router.

standby ip 10.2.1.1

Which statement is true about this command?

A. This command will not work because the HSRP group information is missing
B. The HSRP MAC address will be 0000 0c07 ac00
C. The HSRP MAC address will be 0000 0c07 ac01.
D. The HSRP MAC address will be 0000.070c ad01.
E. This command will not work because the active parameter is missing

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation

The full syntax of the command above is:

standby [group-number] ip [ip-address [secondary]]

Therefore in the command "standby ip 10.2.1.1" we recognize it is using the default group-number, which is 0 -> The last two-digit hex value of the HSRP MAC address should be "00".

QUESTION 205
What can be determined about the HSRP relationship from the displayed debug output?

*Mar 1 00:12:16.871: SB11: Vl11 Hello in 172.16.11.112 Active pri 50 ip 172.16.11.115
*Mar 1 00:12:16.871: SB11: Vl11 Active router is 172.16.11.112
*Mar 1 00:12:18.619: %LINK-3-UPDOWN: Interface Vlan11, changed state to up
*Mar 1 00:12:18.623: SB: Vl11 Interface up
*Mar 1 00:12:18.623: SB11: Vl11 Init: a/HSRP enabled
*Mar 1 00:12:18.623: SB11: Vl11 Init-> Listen
*Mar 1 00:12:19.619: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan11, changed state to up
*Mar 1 00:12:19.819: SB11: Vl11 Hello in 172.16.11.112 Active pri 50 ip 172.16.11.115
*Mar 1 00:12:19.819: SB11: Vl11 Listen: h/Hello rcvd from lower pri Active router (50/172.16.11.112)
*Mar 1 00:12:22.815: SB11: Vl11 Hello in 172.16.11.112 Active pri 50 ip 172.16.11.115
*Mar 1 00:12:22.815: SB11: Vl11 Listen: h/Hello rcvd from lower pri Active router
*Mar 1 00:12:25.683: SB11: Vl11 Hello in 172.16.11.112 Active pri 50 ip 172.16.11.115
*Mar 1 00:12:25.683: SB11: Vl11 Listen: h/Hello rcvd from lower pri Active router (50/172.16.11.112)
*Mar 1 00:12:28.623: SB11: Vl11 Listen: d/Standby timer expired (unknown)
*Mar 1 00:12:28.623: SB11: Vl11 Listen-> Speak
*Mar 1 00:12:28.623: SB11: Vl11 Hello out 172.16.11.111 Speak pri 100 ip 172.16.11.115
*Mar 1 00:12:28.659: SB11: Vl11 Hello in 172.16.11.112 Active pri 50 ip 172.16.11.115
*Mar 1 00:12:28.659: SB11: Vl11 Speak h/Hello rcvd from lower pri Active router (50/172.16.11.112)
*Mar 1 00:12:31.539: SB11: Vl11 Hello in 172.16.11.112 Active pri 50 ip 172.16.11.115
*Mar 1 00:12:31.539: SB11: Vl11 Speak h/Hello rcvd from lower pri Active router (50/172.16.11.112)
*Mar 1 00:12:31.575: SB11: Vl11 Hello out 172.16.11.111 Speak pri 100 ip 172.16.11.115
*Mar 1 00:12:34.491: SB11: Vl11 Hello in 172.16.11.112 Active pri 50 ip 172.16.11.115

A. Router 172.16.11.112 will be the active router because its HSRP priority is preferred over router 172.16.11.111
B. Router 172.16.11.111 will be the active router because its HSRP priority is preferred over router 172.16.11.112
C. The IP address 172.16.11.111 is the virtual HSRP router IP address.
D. The IP address 172.16.11.112 is the virtual HSRP router IP address.
E. The nonpreempt feature is enabled on the 172.16.11.112 router.
F. The preempt feature is not enabled on the 172.16.11.111 router.

Correct Answer: F
Section: (none)
Explanation

Explanation/Reference:
Explanation
To understand the output you should learn these terms:

Field | Description
SB | Abbreviation for "standby"
Vl11 | Interface on which a Hot Standby packet was sent or received.
Hello in | Hello packet received from the specified IP address.
Hello out | Hello packet sent from the specified IP address.
pri | Priority advertised in the hello packet.
ip address | Hot Standby group IP address advertised in the hello packet.
state | Transition from one state to another.

(Reference: http://www.cisco.com/en/US/docs/ios/debug/command/reference/db_s1.html)

From the output we learn:

Line | Debug output | Description
1 | Vl11 Hello in 172.16.11.112 Active pri 50 ip 172.16.11.115 | Priority of 172.16.11.112 is 50 (its standby IP address is 172.16.11.115)
2 | Active router is 172.16.11.112 | The current active router is 172.16.11.112
3 | Interface Vlan11, changed state to up | Interface Vlan11 is turned on
6 | Init-> Listen | Our router changes from Init to Listen state
15 | Listen-> Speak | After the standby timer expired (line 14), our router changes from Listen to Speak state
16 | Hello out 172.16.11.111 Speak pri 100 ip 172.16.11.115 | Our router IP is 172.16.11.111, priority is 100 (its standby IP address is also 172.16.11.115)
18 | Speak h/Hello rcvd from lower pri Active router | The Hellos are received from a lower priority Active router but our router does not send a Coup message to take over the active state

In short, our router (172.16.11.111) changes from Init -> Listen -> Speak state. It received hellos from the active router 172.16.11.112 with lower priority but it does not send a Coup message to take over the active state -> It is not configured with the "preempt" command.

QUESTION 206
Refer to the exhibit. Based on the "debug standby" output in the exhibit, which HSRP statement is true?

*May 10 20:34:08.925: *SYS-5-CONFIG_I: Configured from console by console
*May 10 20:34:10.213: LINK-3-UPDOWN: Interface Vlan11, changed state to up
*May 10 20:34:10.221: SB: Vl11 : Interface up
*May 10 20:34:10.221: SB11: Vl11 Init: a/HSRP enabled
*May 10 20:34:10.221: SB11: Vl11 Init -> Listen
*May 10 20:34:11.213: LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan11 changed state to up
*May 10 20:34:20.221: SB11: Vl11 Listen: c/Active timer expired (unknown)
*May 10 20:34:20.221: SB11: Vl11 Listen -> Speak
*May 10 20:34:20.221: SB11: Vl11 Hello out 10.10.10.111 Speak pri 100 ip 10.10.10.115
*May 10 20:34:28.905: SB11: Vl11 Hello out 10.10.10.111 Speak pri 100 ip 10.10.10.115
*May 10 20:34:30.221: SB11: Vl11 Speak: d/Standby timer expired (unknown)
*May 10 20:34:30.221: SB11: Vl11 Standby router is local
*May 10 20:34:30.221: SB11: Vl11 Speak -> Standby
*May 10 20:34:30.221: SB11: Vl11 Hello out 10.10.10.111 Standby pri 100 ip 10.10.10.115
*May 10 20:34:30.221: SB11: Vl11 Standby: e/Active timer expired (unknown)
*May 10 20:34:30.221: SB11: Vl11 Active router is local
*May 10 20:34:30.221: SB11: Vl11 Standby router is unknown, was local
*May 10 20:34:30.221: SB11: Vl11 Standby -> Active
*May 10 20:34:30.221: %STANDBY-6-STATECHANGE: Vlan11 Group 11 state Standby -> Active
*May 10 20:34:30.221: SB11: Vl11 Hello out 10.10.10.111 Active pri 100 ip 10.10.10.115
*May 10 20:34:33.085: SB11: Vl11 Hello out 10.10.10.111 Active pri 100 ip 10.10.10.115

A. DSW111 is the active router because it is the only HSRP-enabled router on that segment.
B. DSW111 is the active router because the standby timer has been incorrectly configured.
C. DSW111 is the active router because it has a lower priority on that VLAN.
D. DSW111 is the active router because it has a lower IP address on that VLAN.
E. DSW111 is the active router and is advertising the virtual IP address 10.10.10.111 on VLAN 11.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation

From the output we learn that DSW111 moves from Init -> Listen -> Speak -> Standby -> Active and all the messages are "Hello out" (no messages are "Hello in"). This means that DSW111 is the only router sending messages in this segment.

(If you don't know about these terms please read the explanation of

QUESTION 207
Refer to the exhibit. Based on the debug output shown in the exhibit, which three statements about HSRP are true? (Choose three.)

*Mar 1 00:16:43.095: %LINK-3-UPDOWN: Interface Vlan11, changed state to up
*Mar 1 00:16:43.099: SB: Vl11 Interface up
*Mar 1 00:16:43.099: SB11: Vl11 Init: a/HSRP enabled
*Mar 1 00:16:43.099: SB11: Vl11 Init -> Listen
*Mar 1 00:16:43.295: SB11: Vl11 Hello in 172.16.11.112 Active pri 50 ip 172.16.11.115
*Mar 1 00:16:43.295: SB11: Vl11 Active router is 172.16.11.112
*Mar 1 00:16:43.295: SB11: Vl11 Listen: h/Hello rcvd from lower pri Active router (50/172.16.11.112)
*Mar 1 00:16:43.295: SB11: Vl11 Active router is local, was 172.16.11.112
*Mar 1 00:16:43.299: %STANDBY-6-STATECHANGE: Vlan11 Group 11 state Listen -> Active
*Mar 1 00:16:43.299: SB11: Vl11 Hello out 172.16.11.111 Active pri 100 ip 172.16.11.115
*Mar 1 00:16:43.303: SB11: Vl11 Hello in 172.16.11.112 Speak pri 50 ip 172.16.11.115
*Mar 1 00:16:46.207: SB11: Vl11 Hello out 172.16.11.111 Active pri 100 ip 172.16.11.115
*Mar 1 00:16:49.095: SB11: Vl11 Hello in 172.16.11.112 Speak pri 50 ip 172.16.11.115

A. The router with IP address 172.16.11.111 has preempt configured.
B. The final active router is the router with IP address 172.16.11.111.
C. The router with IP address 172.16.11.112 has nonpreempt configured.
D. The priority of the router with IP address 172.16.11.112 is preferred over the router with IP address 172.16.11.111.
E. The router with IP address 172.16.11.112 is using default HSRP priority.
F. The IP address 172.16.11.116 is the virtual HSRP IP address.

Correct Answer: ABF
Section: (none)
Explanation

Explanation/Reference:

QUESTION 208

Examine the router output above. Which two items are correct? (Choose two)

A. The local IP address of Router A is 10.1.0.6.
B. The local IP address of Router A is 10.1.0.20.
C. If Ethernet 0/2 goes down, the standby router will take over.
D. When Ethernet 0/3 of RouterA comes back up, the priority will become 105.
E. Router A will assume the active state if its priority is the highest.

Correct Answer: DE
Section: (none)
Explanation

Explanation/Reference:
The current state of this router is "active" and the standby router is 10.1.0.6, which makes answer A incorrect.

The IP address of the local router is not mentioned so we can't conclude answer B. Notice that the IP 10.1.0.20 is just the virtual IP address of this HSRP group.

+ "Tracking 2 objects, 0 up" -> both Ethernet0/2 and 0/3 are currently down so the priority of RouterA was reduced from 120 to 95 (120 - 15 - 10). Therefore when Ethernet0/3 is up again, the priority of RouterA will be 95 + 10 = 105 -> D is correct.

From the line "preempt enabled" we learn this router is configured with the "preempt" command so it will take over the active state if its priority is the highest -> E is correct. But a funny thing in this question is that even when two interfaces are down, the priority of RouterA is still higher than that of the standby router, so it is still the active router (the priority of the standby router is 75). This also makes answer C incorrect.

QUESTION 209
Refer to the exhibit. On the basis of the information provided in the exhibit, which two sets of procedures are best practices for Layer 2 and 3 failover alignment? (Choose two)

A. Configure the D-SW1 switch as the active HSRP router and the STP root for all VLANs. Configure the D-SW2 switch as the standby HSRP router and backup STP root for all VLANs.

B. Configure the D-SW1 switch as the standby HSRP router and the STP root for VLANs 11 and 110. Configure the D-SW2 switch as the standby HSRP router and the STP root for VLANs 12 and 120.

C. Configure the D-SW1 switch as the active HSRP router and the STP root for VLANs 11 and 110. Configure the D-SW2 switch as the active HSRP router and the STP root for VLANs 12 and 120.

D. Configure the D-SW2 switch as the active HSRP router and the STP root for all VLANs. Configure the D-SW1 switch as the standby HSRP router and backup STP root for all VLANs.

E. Configure the D-SW1 switch as the active HSRP router and the backup STP root for VLANs 11 and 110. Configure the D-SW2 switch as the active HSRP router and the backup STP root for VLANs 12 and 120.

F. Configure the D-SW1 switch as the standby HSRP router and the backup STP root for VLANs 12 and 120. Configure the D-SW2 switch as the standby HSRP router and the backup STP root for VLANs 11 and 110.

Correct Answer: CF
Section: (none)
Explanation

Explanation/Reference:
Explanation

The "best practices for Layer 2 and 3 failover alignment" here means using load sharing of HSRP.

To load-share with HSRP, we can divide traffic into two HSRP groups:

+ One group assigns the active state for one switch
+ The other group assigns the active state for the other switch

-> C and F are correct.

QUESTION 210
Which three of the following network features are methods used to achieve high availability? (Choose three)

A. Spanning Tree Protocol (STP)
B. Delay reduction
C. Hot Standby Routing Protocol (HSRP)
D. Dynamic routing protocols
E. Quality of Service (QoS)
F. Jitter management

Correct Answer: ACD
Section: (none)
Explanation

Explanation/Reference:
Explanation

STP, HSRP and dynamic routing protocols provide backup paths to reach the destination and achieve high availability.

Note: Quality of Service (QoS) only prioritizes specific types of data over other types and provides no high availability.

QUESTION 211
Which command will ensure that R2 will be the primary router for traffic using the gateway address of 172.16.15.20?

A. On R2 add the command standby 1 priority 80
B. On R1 add the command standby 1 priority 110
C. On R1 add the command standby 1 priority 80
D. On R2 remove the command standby 1 preempt

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation

By default the priority value of HSRP is 100 so in order to ensure that R2 will be the primary router for traffic using the gateway address of 172.16.15.20 we can set the priority of R2 higher than 100 or set the priority of R1 lower than 100 -> only C is correct.

QUESTION 212
Which command will need to be added to External_A to ensure that it will take over if serial 0/0 on External_B fails?

A. standby 1 priority 130
B. standby 1 preempt
C. standby 1 track fastethernet 0/0
D. standby 1 track 10.10.10.1

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation

The "standby 1 preempt" command on External_A router will make External_A take over the active state if it learns that its priority is higher than that of External_B router. In this case, when S0/0 interface of External_B fails, its priority will be 105 - 10 = 95, which is smaller than the default priority value (100) on External_A.

QUESTION 213
Refer to the exhibit and the partial configuration on routers R1 and R2. Hot Standby Routing Protocol (HSRP) is configured on the network to provide network redundancy for the IP traffic. The network administrator noticed that R2 does not become active when the R1 serial0 interface goes down. What should be changed in the configuration to fix the problem?

A. The Serial0 interface on router R2 should be configured with a decrement value of 20.
B. The Serial0 interface on router R1 should be configured with a decrement value of 20.
C. R2 should be configured with a standby priority of 100.
D. R2 should be configured with a HSRP virtual address.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation

When Serial0 of R1 goes down, the priority of R1 is still higher than that of R2 (115 - 10 = 105 > 100) so we should configure the decrement value of 20 on R1 with the command: standby 1 track Serial0 20.

QUESTION 214
Refer to the exhibit. Which Virtual Router Redundancy Protocol (VRRP) statement is true about the roles of the master virtual router and the backup virtual router?

A. Router A is the master virtual router, and Router B is the backup virtual router. When Router A fails, Router B will become the master virtual router. When Router A recovers, Router B will maintain the role of master virtual router.

B. Router A is the master virtual router, and Router B is the backup virtual router. When Router A fails, Router B will become the master virtual router. When Router A recovers, it will regain the master virtual router role.

C. Router B is the master virtual router, and Router A is the backup virtual router. When Router B fails, Router A will become the master virtual router. When Router B recovers, it will regain the master virtual router role.

D. Router B is the master virtual router, and Router A is the backup virtual router. When Router B fails, Router A will become the master virtual router. When Router B recovers, Router A will maintain the role of master virtual router.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation

RouterA is the master virtual router because of higher priority value.

By default, a preemptive scheme is enabled whereby a higher priority backup virtual router that becomes available takes over for the backup virtual router that was elected to become master virtual router. You can disable this preemptive scheme using the no vrrp preempt command. If preemption is disabled, the backup virtual router that is elected to become master virtual router remains the master until the original master virtual router recovers and becomes master again.

-> B is correct.

(Reference: http://www.cisco.com/en/US/docs/ios/12_0st/12_0st18/feature/guide/st_vrrpx.html)

QUESTION 215
Which one of the statements below correctly describes the Virtual Router Redundancy Protocol (VRRP), which is being used in the Company network to provide redundancy?

A. A VRRP group has one active and one or more standby virtual routers.
B. A VRRP group has one master and one or more backup virtual routers.
C. A VRRP group has one master and one redundant virtual router.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation

Unlike HSRP (which has one active router, one standby router and many listening routers), a VRRP group has one master router and one or more backup routers. All backup routers are in backup state.

QUESTION 216
Which router redundancy protocol cannot be configured for interface tracking?

A. GLBP
B. HSRP
C. RPR
D. VRRP
E. SLB
F. RPR+

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation

VRRP cannot directly track an interface status but interfaces can be tracked through a tracked object. Notice that HSRP and GLBP can track both object and interface status.

QUESTION 217
Which protocol allows for the automatic selection and simultaneous use of multiple available gateways as well as automatic failover between those gateways?

A. VRRP
B. GLBP
C. IRDP
D. HSRP

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation

In HSRP and VRRP, only the primary router is used to forward traffic; the other routers must wait for the primary one to go down before they are used. Also, the bandwidth of the standby (and other) routers is not used and is wasted. With GLBP, up to four gateways can be used simultaneously. There is still one virtual IP address in a group, but GLBP can automatically select which router in the group forwards traffic by sending the virtual MAC address of a selected router to that host.

QUESTION 218
Which two statements are true about HSRP, VRRP, and GLBP? (Choose two)

A. GLBP and VRRP allow for MD5 authentication, whereas HSRP does not.
B. HSRP allows for multiple upstream active links being simultaneously used, whereas GLBP does not.
C. GLBP allows for router load balancing of traffic from a network segment without the different host IP configurations required to achieve the same results with HSRP.
D. Unlike HSRP and VRRP, GLBP allows automatic selection and simultaneous use of multiple available gateways.
E. GLBP allows for router load balancing of traffic from a network segment by utilizing the creation of multiple standby groups.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 219
Refer to the exhibit. What is this configuration an example of?

track 1 interface POS 5/0 ip routing
track 2 interface POS 6/0 ip routing
interface fastethernet 0/0
glbp 10 weighting 110 lower 95 upper 105
glbp 10 weighting track 1 decrement 10
glbp 10 weighting track 2 decrement 10
glbp 10 forwarder preempt delay minimum 60

A. GLBP weighting
B. Default AVF and AVG configuration
C. GLBP MD5 authentication
D. GLBP text authentication
E. GLBP timer manipulation

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation

The command "glbp 10 weighting 110 lower 95 upper 105" specifies the initial weighting value (110), the lower (95) and the upper (105) thresholds. Notice that if the weight falls below the lower threshold then the router will not be an Active Virtual Forwarder (AVF) until the weight rises up to the higher threshold.

When the track object fails, the weighting is decremented by the value after the "decrement" keyword. In this case, POS5/0 and POS6/0 are tracked objects and if one of them fails, the weighting is decreased by 10 -> the weighting = 110 - 10 = 100. This value is still higher than the lower value 95 so this router is still the AVF. If both interfaces fail, the weighting will be smaller than the lower value so this router loses the AVF (until both interfaces are up again).

QUESTION 220
Refer to the exhibit. Which four statements accurately describe this GLBP topology? (Choose four)

A. Router A is responsible for answering ARP requests sent to the virtual IP address.
B. If Router A becomes unavailable, Router B will forward packets sent to the virtual MAC address of Router A.
C. Router A alternately responds to ARP requests with different virtual MAC addresses.
D. Router B will transition from blocking state to forwarding state when it becomes the AVG.
E. If another router were added to this GLBP group, there would be two backup AVGs.
F. Router B is in GLBP listen state.

Correct Answer: ABCE
Section: (none)
Explanation

Explanation/Reference:
Explanation

In a GLBP group, the AVG assigns a virtual MAC address to each member of the GLBP group. It also answers Address Resolution Protocol (ARP) requests for the virtual IP address -> A is correct.

When Router A becomes unavailable, Router B will take over the job of forwarding packets for virtual MAC address 0007.b400.0101 of Router A -> B is correct.

Router A can load balance traffic by alternately responding to ARP requests with different virtual MAC addresses. In this case two virtual MAC addresses 0007.b400.0101 and 0007.b400.0102 will be used alternately in ARP Replies -> C is correct. Both Router A and Router B are in forwarding state. The trick here is client 1 only sends traffic to Router A while client 2 only sends traffic to Router B -> D is not correct.

If another router were added to this GLBP group, Router B and it can forward packets in case Router A fails -> E is correct (but notice that the newly added router would be in listening state).

In GLBP, there are 3 states in a group: active, standby, or listen. Members of a GLBP group elect one gateway to be the Active Virtual Gateway (AVG) for that group. It also elects one member as Standby Virtual Gateway (SVG). If there are more than two members, then the members that remain are in the listen state. In this case, Router A is elected as AVG while Router B is elected as SVG -> Router B is in active state -> F is not correct.

(Reference: http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a00807d2520.shtml)

QUESTION 221
Exhibit:

You work as a network engineer at Certprepare.com. You study the exhibit carefully. Which GLBP device hosts receive the MAC address assignment?

A. R1
B. R2
C. The AVG
D. The AVF

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation

Notice that the MAC address of the AVF is not the physical MAC address of R1 or R2. It is a virtual MAC address used in GLBP and is used by hosts to send traffic to these routers.

QUESTION 222
Refer to the exhibit. Host A has sent an ARP message to the default gateway IP address 10.10.10.1. Which statement is true?

A. DSw2 will reply with the IP address of the next AVF.
B. DSw1 will reply with the MAC address of the next AVF.
C. Because of the invalid timers that are configured, DSw1 will not reply.
D. DSw1 will reply with the IP address of the next AVF.
E. Because of the invalid timers that are configured, DSw2 will not reply.
F. DSw2 will reply with the MAC address of the next AVF.

Correct Answer: F
Section: (none)
Explanation

Explanation/Reference:
Explanation

The priorities of the two switches are equal so GLBP uses the IP address of that interface to choose the AVG -> DSw2 wins the election because of its higher real IP address and becomes the AVG. Therefore it will reply to all the incoming ARP Requests with the MAC address of the next AVF (DSw1 and DSw2 alternately in this case).

QUESTION 223
Refer to the exhibit. The Gateway Load Balancing Protocol has been configured on routers R1 and R2, and hosts A and B have been configured as shown. Which statement can be derived from the exhibit?

A. The host A default gateway has been configured as 10.88.1.10/24.
B. The GLBP weighted load balancing mode has been configured.
C. The GLBP round-robin, load-balancing mode has been configured.
D. The GLBP host-dependent, load-balancing mode has been configured.
E. The host A default gateway has been configured as 10.88.1.1/24.
F. The host A default gateway has been configured as 10.88.1.4/24.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 224
Refer to the exhibit. What is the result of setting GLBP weighting at 105 with lower threshold 90 and upper threshold 100 on this router?

A. Only if both tracked objects are up will this router be available as an AVF for group 1.
B. Only if the state of both tracked objects goes down will this router release its status as an AVF for group 1.
C. If both tracked objects go down and then one comes up, but the other remains down, this router will be available as an AVF for group 1.
D. This configuration is incorrect and will not have any effect on GLBP operation.
E. If the state of one tracked object goes down then this router will release its status as an AVF for group 1.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation

Each tracked object that goes down will decrease the weighting of this router by 10, which makes the weighting = 105 - 10 = 95. This value is still higher than the lower threshold (90) so this router does not lose its status as an AVF. Only if both tracked objects go down will the weighting fall below the lower threshold (105 - 10 - 10 = 85 < 90) and this router will release its status as an AVF for group 1 -> B is correct.

QUESTION 225
Which describes the default load balancing scheme used by the Gateway Load Balancing Protocol (GLBP)?

A. Per host using a strict priority scheme
B. Per session using a round-robin scheme
C. Per session using a strict priority scheme
D. Per GLBP group using a strict priority scheme
E. Per host basis using a round robin-scheme
F. Per GLBP group using a round-robin scheme

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation

In GLBP, there are 3 operational modes for load balancing:

+ Weighted load-balancing: traffic is balanced proportional to a configured weight.
+ Host-dependent load-balancing: a host uses the same virtual MAC address as long as that MAC is participating in the GLBP group.
+ Round-robin load-balancing: each virtual MAC is used to respond to each ARP Request alternately. This is also the default load balancing scheme used by GLBP.

QUESTION 226
Refer to the exhibit. GLBP has been configured on the network. When the interface serial0/0/1 on router R1 goes down, how is the traffic coming from Host1 handled?

A. The traffic coming from Host2 is forwarded through router R2 with no disruption. The traffic from Host1 is dropped due to the disruption of the load balancing feature configured for the glbp group.
B. The traffic coming from both hosts is temporarily interrupted while the switchover to make R2 active occurs.
C. The traffic coming from Host2 is forwarded through router R2 with no disruption. Host1 sends an ARP request to resolve the MAC address for the new virtual gateway.
D. The traffic coming from Host1 and Host2 is forwarded through router R2 with no disruption.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation

When R1 goes down, the weighting is decreased by 10 by default, priority = 110 - 10 = 100 but it is still higher than the lower threshold (90) so R1 does not give up its role as a virtual forwarder and continues forwarding traffic but the Serial 0/0/1 was down so traffic from Host 1 cannot be routed. Therefore we can't say answer D is correct.

Maybe there is something wrong in the exhibit. To make answer D correct, the weighting command should be "glbp 10 weighting 100 lower 95 upper 105".

QUESTION 227
Refer to the exhibit. What statement is true based upon the configuration of router R1 and router R2?

A. Router R2 will become the master for Virtual Router 1, and router R1 will become the backup for Virtual Router 2.
B. Router R1 will become the master for Virtual Router 1, and router R2 will become the backup for Virtual Router 2.
C. Router R1 will become the active virtual gateway.
D. Router R2 will become the active virtual gateway.
E. The hello and hold timers are incompatible with OSPF type 5 LSAs.
F. The hello and hold timers are incompatible with multi-homed BGP.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation

R2 is configured with the "priority" command so it will use the default priority value of 100, which is smaller than that of R1 (150) -> R1 will be active virtual gateway.

QUESTION 228
You have just purchased a new Cisco 3550 switch running the enhanced IOS and need to configure it to be installed in a high availability network. Which three types of interfaces can be used to configure HSRP on a 3550 EMI switch? (Choose three)

A. BVI interface
B. routed port
C. SVI interface
D. Access port
E. EtherChannel port channel
F. Loopback Interface

Correct Answer: BCE
Section: (none)
Explanation

Explanation/Reference:
Explanation:

To configure HSRP, a Layer 3 interface is needed. They can be:

- Routed port: a physical port configured as a Layer 3 port by entering the no switchport interface configuration command.
- SVI: a VLAN interface created by using the interface vlan vlan_id global configuration command and by default a Layer 3 interface.
- Etherchannel port channel in Layer 3 mode: a port-channel logical interface created by using the interface port-channel port-channel-number global configuration command and binding the Ethernet interface into the channel group.

Reference:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_19_ea1/configuration/guide/swhsrp.html

QUESTION 229
You work as a network technician, study the exhibit carefully. Which two statements are true about the output from the show standby vlan 50 command? (Choose two)

Catalyst_A# show standby vlan 50
VLAN50 Group 1
Local State is Active, priority 200 may preempt
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 1.302
Virtual IP address is 192.168.1.1 configured
Active router is local
Standby router is 192.186.1.11 expires in 9.443
Virtual MAC address is 0000.0c07.ac01
Authentication text AuthenKey2 state changes, last state change 00:11:30
IP redundancy name is hsrp-Vl150-1 (default)

VLAN50 -Group 2
Local State is Standby , priority 100
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 0.98
Virtual IP address is 192.186.1.2 configured
Active router is 192.168.1.11 , priority 200 expires in 6.334
Standby router is local
Authentication text AuthenKey3 state changes, last state change 0:09:30
IP redundancy name is hsrp-Vl150-2 (default)

A. Catalyst_A is load sharing traffic in VLAN 50.
B. Hosts using the default gateway address of 192.168.1.2 will have their traffic sent to Catalyst_A.
C. The command standby 1 preempt was added to Catalyst_A.
D. Hosts using the default gateway address of 192.168.1.1 will have their traffic sent to 192.168.1.11 even after Catalyst_A becomes available again.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation:

The output shows that the Catalyst_A switch is the active router for HSRP group 1 and the standby router for HSRP group 2 on interface VLAN 50. This means that another switch is the active router for HSRP group 2 on interface VLAN 50 -> A is correct, Catalyst_A is load sharing traffic in VLAN 50.

B is not correct, only hosts using the default gateway address of 192.168.1.1 will have their traffic sent to Catalyst_A.

From the output, we notice that there is a line showing that Local State is Active, priority 200 may preempt. This indicates the command standby 1 preempt was added to Catalyst_A. If the active router (this router) fails, another router takes over its active role. The original active router is not allowed to resume the active role when it is restored until the new active router fails. Preempting allows a higher-priority router to take over the active role immediately.

QUESTION 230:

You are a network technician, study the exhibit carefully. Both routers are configured for the Gateway Load Balancing Protocol (GLBP). Which statement is true?

A. The default gateway address of each host should be set to the virtual IP address.
B. The default gateway addresses of both hosts should be set to the IP addresses of both routers.
C. The hosts will have different default gateway IP addresses and different MAC addresses for each.
D. The hosts will learn the proper default gateway IP address from Router RA.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 231:

You are a network technician, study the exhibit carefully. Assume that Host PC can ping the Corporate Headquarters and that HSRP is configured on DS1, which is then reloaded. Assume that DS2 is then configured and reloaded. On the basis of this information, what conclusion can be drawn?

DS1# show running-config
interface Vlan10
ip address 10.10.10.2 255.255.255.0
no ip redirects
standby 60 priority 105
standby 60 ip 10.10.10.1
standby 60 track GigabitEthernet 0/1

DS2# show running-config
interface Vlan10
ip address 10.10.10.3 255.255.255.0
no ip redirects
standby 60 priority 150
standby 60 ip 10.10.10.1
standby 60 track GigabitEthernet 0/1

A. DS1 will be the active router because it booted first.
B. DS1 will be the standby router because it has the lower IP address.
C. DS1 will be the active router because it has the lower priority configured.
D. DS2 will be the active router because it booted last.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

The configuration does not have the standby 60 preempt command so the first booted router will take the active role with any priority.

QUESTION 232
HSRP is a Cisco-proprietary protocol developed to allow several routers (or multilayer switches) to appear as a single gateway address. Which two statements are true about the Hot Standby Router Protocol (HSRP)? (Choose two)

A. Load sharing with HSRP is achieved by creating multiple subinterfaces on the HSRP routers.
B. Routers configured for HSRP can belong to multiple groups and multiple VLANs.
C. All routers configured for HSRP load balancing must be configured with the same priority.
D. Load sharing with HSRP is achieved by creating HSRP groups on the HSRP routers.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 233
If you are a network technician, study the exhibit carefully. Which Virtual Router Redundancy Protocol (VRRP) statement is true about the roles of the master virtual router and the backup virtual router?

RA(config)# interface f0/0
RA(config-if)# ip address 10.0.0.1 255.255.255.0
RA(config-if)# vrrp 1 priority 110
RA(config-if)# vrrp 1 ip 10.0.0.10
----------------------------------------------
RB(config)# interface f0/0
RB(config-if)# ip address 10.0.0.2 255.255.255.0
RB(config-if)# vrrp 1 priority 100
RB(config-if)# vrrp 1 ip 10.0.0.10

A. Router RA is the master virtual router, and Router RB is the backup virtual router. When Router RA fails, Router RB will become the master virtual router. When Router RA recovers, Router RB will maintain the role of master virtual router.

B. Router RA is the master virtual router, and Router RB is the backup virtual router. When Router RA fails, Router RB will become the master virtual router. When Router RA recovers, it will regain the master virtual router role.

C. Router RB is the master virtual router, and Router RA is the backup virtual router. When Router RB fails, Router RA will become the master virtual router. When Router RB recovers, Router RA will maintain the role of master.

D. Router P4S-RB is the master virtual router, and Router RA is the backup virtual router. When Router P4S-RB fails, Router RA will become the master virtual router. When Router RB recovers, it will regain the master virtual router role.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

Router RA is the master virtual router because of its higher priority (110). By default, the preempting function is enabled so Router RB will become the master virtual router when RA fails; and when RA recovers, it will take the master role again.

QUESTION 234
You are a network technician, do you know which three statements are correct about a default HSRP configuration? (Choose three)

A. The Standby track interface priority is 10.
B. The Standby priority is 100.
C. The Standby hold time is 10 seconds.
D. Two HSRP groups are configured.

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 235:

You work as a network technician at Technical Corporation. Your boss is interested in GLBP. Study the network topology exhibit carefully. Which three statements accurately describe this GLBP topology? (Choose three)

A. If RA becomes unavailable, RB will forward packets sent to the virtual MAC address of RA.
B. RA is responsible for answering ARP requests sent to the virtual IP address.
C. If another router were added to this GLBP group, there would be two backup AVGs.
D. RA alternately responds to ARP requests with different virtual MAC addresses.

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:
Explanation:

If RA fails, the GLBP protocol informs RB to replace the AVG that is down. The new AVG (in this case RB) will forward the packet sent to the 0008.b400.0101 virtual MAC address, so the client sees no disruption of service nor does it need to resolve a new MAC address for the default gateway. -> A is correct.

RA, which is the AVG, replies to the ARP requests from clients with different virtual MAC addresses, thus achieving load balancing -> B is correct.

RA is elected as the AVG and RB is elected as the standby virtual gateway. If another router is added to this GLBP group, it will become a backup AVG -> there is only one backup AVG -> C is not correct.

RA alternately responds to ARP requests with different virtual MAC addresses; this is the way GLBP provides load balancing over multiple routers (gateways) using a single virtual IP address and multiple virtual MAC addresses. Which MAC address it returns depends on which load-balancing algorithm it is configured to use -> D is correct.

QUESTION 236
Which three protocols have been developed for IP routing redundancy to protect against first-hop router failure? (Choose three)

A. GLBP
B. ICMP
C. MSTP
D. HSRP
E. VRRP
F. NHRP

Correct Answer: ADE
Section: (none)
Explanation

Explanation/Reference:
Explanation:

All three protocols above are used for IP routing redundancy to protect against first-hop router failure. Some of their main differences are listed below:

HSRP: a Cisco proprietary protocol.
VRRP: an open standard, created by the IETF.
GLBP: a Cisco proprietary protocol. It is the only one of the three that supports load balancing.

QUESTION 237
Which two Lightweight Access Point Protocol (LWAPP) statements are true? (Choose two)

A. Layer 3 LWAPP is a UDP / IP frame that requires a Cisco Aironet AP to obtain an IP address using DHCP.
B. Data traffic is encapsulated in UDP packets with a source port of 1024 and a destination port of 12223.
C. Data traffic is encapsulated in TCP packets with a source port of 1024 and destination port of 12223.
D. Control traffic is encapsulated in UDP packets with a source port of 1024 and a destination port of 12223.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 238
Which statement about the Lightweight Access Point Protocol (LWAPP) is true?

A. LWAPP encrypts control traffic between the AP and the controller.
B. LWAPP encrypts user traffic with an X.509 certificate using AES-CCMP.
C. LWAPP encrypts both control traffic and user data.
D. When set to Layer 3, LWAPP uses a proprietary protocol to communicate with the Cisco Aironet APs.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 239
LWAPP is meant to be a network protocol for access points that also provides for centralized management. Which issue or set of issues does the Lightweight Access Point Protocol (LWAPP) address?

A. provides security by blocking communication between access points and wireless clients.
B. reduction of processing in wireless controllers.
C. distributed approach to authentication, encryption, and policy enforcement.
D. access point discovery, information exchange, and configuration.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 240
If you are a network technician, which two WLAN client utility statements do you think are true? (Choose two)

A. In a Windows XP environment, a client adapter can only be configured and managed with the Microsoft Wireless Configuration Manager.

B. The Microsoft Wireless Configuration Manager can be configured to display the Aironet System Tray Utility (ASTU) icon in the Windows system tray.

C. The Cisco Aironet Desktop Utility (ADU) and the Microsoft Wireless Configuration Manager can both be enabled at the same time to set up WLAN client cards.

D. The Aironet Desktop Utility (ADU) can be used to enable or disable the adapter radio and to configure LEAP authentication with dynamic WEP.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 241
In order to enhance worker productivity, a Cisco wireless network has been implemented at all locations. Which three WLAN statements are true? (Choose three)

A. A WLAN client that is operating in half-duplex mode will delay all clients in that WLAN.
B. Ad hoc mode allows mobile clients to connect directly without an intermediate AP.
C. A lightweight AP receives control and configuration from a WLAN controller to which it is associated.
D. WLANs are designed to share the medium and can easily handle an increased demand of channel contention.

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 242
Currently in draft status at the IETF, LWAPP outlines a standard protocol to be used by switches or routers to control a group of IEEE 802.11 wireless LAN access points and make their deployment much simpler than is possible today. Which statement about the Lightweight Access Point Protocol (LWAPP) protocol is true?

A. The processing of 802.11 data and management protocols and access point capabilities is distributed between a lightweight access point and a centralized WLAN controller.

B. LWAPP authenticates all access points in the subnet and establishes a secure communication channel with each of them.

C. LWAPP advertises its WDS capability and participates in electing the best WDS device for the wireless LAN.

D. LWAPP aggregates radio management forward information and sends it to a wireless LAN solution engine.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 243
Which set of statements describes the correct order and process of a wireless client associating with a wireless access point?

A. 1. Client sends probe request.
   2. Access point sends probe response.
   3. Client initiates association.
   4. Access point accepts association.
   5. Access point adds client MAC address to association table.

B. 1. Client sends probe request.
   2. Access point sends probe response.
   3. Access point initiates association.
   4. Client accepts association.
   5. Access point adds client MAC address to association table.

C. 1. Access point sends probe request.
   2. Client sends probe response.
   3. Client initiates association.
   4. Access point accepts association.
   5. Client adds access point MAC address to association table.

D. 1. Client sends probe request.
   2. Access point sends probe response.
   3. Client initiates association.
   4. Access point accepts association.
   5. Client adds access point MAC address to association table.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 244
You are a network technician, study the exhibit carefully. What should be taken into consideration when using the Cisco Aironet Desktop Utility (ADU) to configure the static WEP keys on the wireless client adapter?

A. Before the client adapter WEP key is generated, all wireless infrastructure devices (such as access points, servers, etc.) must be properly configured for LEAP authentication.

B. The client adapter WEP key should be generated by the AP and forwarded to the client adapter before the client adapter can establish communication with the wireless network.

C. In infrastructure mode the client adapter WEP key must match the WEP key used by the access point. In ad hoc mode all client WEP keys within the wireless network must match each other.

D. The client adapter WEP key should be generated by the authentication server and forwarded to the client adapter before the client adapter can establish communication with the wireless network.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 245
You work as a network technician, please study the exhibit carefully. When it attempts to register to a wireless LAN controller (WLC), what type of message is transmitted by the lightweight access point (LAP)?

A. The LAP will send both Layer 2 and Layer 3 Lightweight Access Point Protocol (LWAPP) mode discovery request messages at the same time.

B. The LAP will send Layer 2 Lightweight Access Point Protocol (LWAPP) mode discovery request messages only.

C. The LAP will send Layer 3 Lightweight Access Point Protocol (LWAPP) mode discovery request messages only.

D. The LAP will send Layer 2 Lightweight Access Point Protocol (LWAPP) mode discovery request messages. If the attempt fails, the LAP will try Layer 3 LWAPP WLC discovery.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 246
Please study the exhibit carefully. Which one is true about the configuration of access point MAC addresses on the wireless client?

A. If the wireless client is out of range of the specified access point or points it will not associate with other access points.

B. Each access point MAC address that is specified must have a separate SSID configured on the GENERAL configuration tab.

C. Each access point MAC address that is specified must have the same SSID configured on the GENERAL configuration tab.

D. If the wireless client is out of range of the specified access point or points it can associate with other access points.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

Exam B

QUESTION 1

LACP with STP Sim
May 10th, 2012 in LabSim
Question (not sure about the requirement, I will try to update soon!)

1. Use non proprietary mode of aggregation with Switch B being the initiator - Assumed use LACP with B being in Active mode
2. Use non proprietary trunking and no negotiation - Assumed use switchport mode trunk and switchport trunk encapsulation dot1q
3. Restrict only to vlans needed - Assumed either vtp pruning or allowed vlan list. vtp pruning command did not seem to work on the simulator so landed using allowed vlan list
4. SVI on vlan 1 with some ip and subnet given
5. Configure switch A so that nodes other side of Router C are accessible - Assumed this to mean that on switch A default gateway has to be configured.
6. Make switch B the root - Could not get this to work. Exam hung when I tried the command spanning-tree vlan 1,21-23 priority 4096 So passed on this configuration. Anyone else got this correct?


Explanation/Reference:
What I tried .. on Switch A
verify with show run if you need to create vlans 21-23

! access ports, one VLAN per range
int range fa0/9 - 10
switchport mode access
switchport access vlan 21
spanning-tree portfast
no shut
int range fa0/13 - 14
switchport mode access
switchport access vlan 22
spanning-tree portfast
no shut
int range fa0/16 - 16
switchport mode access
switchport access vlan 23
spanning-tree portfast
no shut
! LACP bundle towards Switch B (passive side)
int range fa0/3 - 4
channel-protocol lacp
channel-group 1 mode passive
no shut
! 802.1Q trunk on the bundle, restricted to the VLANs in use
int port-channel 1
switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,21-23
no shut
! management SVI
int vlan 1
ip address x.y.z.11 255.a.b.c
no shut

On switch B run the command show cdp neighbors detail and get the ip address of port from router C.
Now use this ip address of port of router C to configure as default gateway on Switch A

SA(config)# ip default-gateway 192.168.1.1

On switch B do only the channel group and port-channel stuff. Only mode is active instead of passive.

copy run start did not work. Tried combos of wr, copy running-config startup-config, copy system:running-config nvram:startup-config. All variations did not work.

Got some errors on mismatch of native VLAN. Switch B had some ports on vlan 98 configured for native vlan. Tried setting native vlan on Port-channel 1 on switch B to 1. Configuration command took but errors still were occurring. Ran out of time I had allocated so gave up.

QUESTION 2

MLS WITH EIGRP

Notice: This is just a sketch about this sim. I can not guarantee the information posted below is correct. So if you know anything new about this sim please post here. Your ideas and comments are warmly welcome!

Question:

I am still not sure about the question but we need to configure the Multilayer Switch so that PCs from VLAN 2 and VLAN 3 can communicate with the Server.


Explanation/Reference:
the config (commented by a certprepare.com’s reader but he does not leave his name, but please say thank to him!)

mls>enable
mls# configure terminal
mls(config)# int gi0/1
mls(config-if)# no switchport
(-> not sure about this command line, but you should use this command if the simulator does not let you assign IP address on Gi0/1 interface.)
mls(config-if)# ip address 10.10.10.2 255.255.255.0
mls(config-if)# no shutdown
mls(config-if)# exit
mls(config)# int vlan 2
mls(config-if)# ip address 190.200.250.33 255.255.255.224
mls(config-if)# no shutdown
mls(config-if)# int vlan 3
mls(config-if)# ip address 190.200.250.65 255.255.255.224
mls(config-if)# no shutdown
mls(config-if)# exit
mls(config)# ip routing
(Notice: MLS will not work without this command)
mls(config)# router eigrp 650
mls(config-router)# network 10.10.10.0 0.0.0.255
mls(config-router)# network 190.200.250.32 0.0.0.31
mls(config-router)# network 190.200.250.64 0.0.0.31

NOTE: THE ROUTER IS CORRECTLY CONFIGURED, so you will not mess with it in the exam. Also, don’t modify/delete any port, just do the above configuration.

In order to complete the lab, you should expect the ping to SERVER to succeed from the MLS, and from the PCs as well.

If the above configuration does not work, you should configure EIGRP with the “no auto-summary” command:

mls(config-router)# no auto-summary

QUESTION 3
VTP Lab
April 16th, 2012 in LabSim

Question:
The headquarter offices for a book retailer are enhancing their wiring closets with Layer3 switches. The new distribution-layer switch has been installed and a new access-layer switch cabled to it. Your task is to configure VTP to share VLAN information from the distribution-layer switch to the access-layer devices. Then, it is necessary to configure interVLAN routing on the distribution layer switch to route traffic between the different VLANs that are configured on the access-layer switches; however, it is not necessary for you to make the specific VLAN port assignments on the access-layer switches. Also, because VLAN database mode is being deprecated by Cisco, all VLAN and VTP configurations are to be completed in the global configuration mode. Please reference the following table for the VTP and VLAN information to be configured:

Requirements:
VTP Domain name   cisco
VLAN Ids          20               21
IP Addresses      172.16.71.1/24   172.16.132.1/24

These are your specific tasks:
1. Configure the VTP information with the distribution layer switch as the VTP server
2. Configure the VTP information with the access layer switch as a VTP client
3. Configure VLANs on the distribution layer switch
4. Configure inter-VLAN routing on the distribution layer switch
5. Specific VLAN port assignments will be made as users are added to the access layer switches in the future.
6. All VLANs and VTP configurations are to be completed in the global configuration.

To configure the switch click on the host icon that is connected to the switch by way of a serial console cable.


Explanation/Reference:
Answer and Explanation:

1) Configure the VTP information with the distribution layer switch as the VTP server:

DLSwitch#configure terminal
DLSwitch(config)#vtp mode server
DLSwitch(config)#vtp domain cisco
(use cisco, not CISCO because it is case sensitive)

(Requirement 2 will be solved later)

3) Configure VLANs on the distribution layer switch

To create VLANs on a switch, use the vlan vlanID# command:

DLSwitch(config)#vlan 20
DLSwitch(config)#vlan 21

Configure IP addresses for VLANs:

DLSwitch(config)#interface vlan 20
DLSwitch(config-if)#ip address 172.16.71.1 255.255.255.0
DLSwitch(config-if)#no shutdown
DLSwitch(config-if)#interface vlan 21
DLSwitch(config-if)#ip address 172.16.132.1 255.255.255.0
DLSwitch(config-if)#no shutdown
DLSwitch(config-if)#exit

4) Configure inter-VLAN routing on the distribution layer switch

DLSwitch(config)#ip routing
DLSwitch(config)#exit
DLSwitch#copy running-config startup-config

2) Configure the VTP information with the access layer switch as a VTP client

ALSwitch#configure terminal
ALSwitch(config)#vtp mode client
ALSwitch(config)#vtp domain cisco
ALSwitch(config)#exit
ALSwitch#copy running-config startup-config

(Notice: Many reports said the copy running-config startup-config didn’t work but they still got the full mark)

QUESTION 4
VTP Lab 2
April 20th, 2012 in LabSim

Question:
Acme is a small export company that has an existing enterprise network comprised of 5 switches: CORE, DSW1, DSW2, ASW1 and ASW2. The topology diagram indicates their desired pre-VLAN spanning tree mapping. Previous configuration attempts have resulted in the following issues:
- CORE should be the root bridge for VLAN 20; however, DSW1 is currently the root bridge for VLAN 20.
- Traffic for VLAN 30 should be forwarding over the gig 1/0/6 trunk port between DSW1 and DSW2. However VLAN 30 is currently using gig 1/0/5.
- Traffic for VLAN 40 should be forwarding over the gig 1/0/5 trunk port between DSW1 and DSW2. However VLAN 40 is currently using gig 1/0/6.

You have been tasked with isolating the cause of these issues and implementing the appropriate solutions. Your task is complicated by the fact that you only have full access to DSW1, with the enable secret password cisco. Only limited show command access is provided on CORE, and DSW2 using the enable 2 level with a password of acme. No configuration changes will be possible on these routers. No access is provided to ASW1 or ASW2.


Explanation/Reference:
Answer and Explanation:

1) “CORE should be the root bridge for VLAN 20; however, DSW1 is currently the root bridge for VLAN 20” -> We need to make CORE switch the root bridge for VLAN 20.

By using the “show spanning-tree” command as shown above, we learned that DSW1 is the root bridge for VLAN 20 (notice the line “This bridge is the root”).

DSW1>enable
DSW1#show spanning-tree

To determine the root bridge, switches send and compare their priorities and MAC addresses with each other. The switch with the lowest priority value will have the highest priority and become the root bridge. Therefore, we can deduce that the priority value of the DSW1 switch is lower than that of the CORE switch, so it becomes the root bridge. To make the CORE the root bridge we need to increase DSW1’s priority value. The best value should be 61440 because it is the biggest value allowed and it will surely be greater than that of the CORE switch. (You can use another value but make sure it is greater than the CORE priority value by checking if the CORE becomes the root bridge or not; and that value must be in increments of 4096.)

(Notice that the terms bridge and switch are used interchangeably when discussing STP)

DSW1#configure terminal
DSW1(config)#spanning-tree vlan 20 priority 61440

2) “Traffic for VLAN 30 should be forwarding over the gig 1/0/6 trunk port between DSW1 and DSW2. However VLAN 30 is currently using gig 1/0/5”

DSW1 is the root bridge for VLAN 30 (you can re-check with the show spanning-tree command as above), so all the ports are in forwarding state for VLAN 30. But the question said that VLAN 30 is currently using Gig1/0/5, so we can guess that port Gig1/0/6 on DSW2 is in blocking state (for VLAN 30 only); therefore all traffic for VLAN 30 will go through port Gig1/0/5.

The root bridge for VLAN 30, DSW1, originates the Bridge Protocol Data Units (BPDUs) and switch DSW2 receives these BPDUs on both Gig1/0/5 and Gig1/0/6 ports. It compares the two BPDUs received; both have the same bridge-id so it checks the port cost, which depends on the bandwidth of the link. In this case both have the same bandwidth so it continues to check the sender’s port id (includes port priority and the port number of the sending interface). The lower port-id value will be preferred so the interface which received this port-id will be the root and the other interface (higher port-id value) will be blocked.

In this case port Gig1/0/6 of DSW2 received a Priority Number of 128.6 (means that port priority is 128 and port number is 6) and it is greater than the value received on port Gig1/0/5 (with a Priority Number of 128.5) so port Gig1/0/6 will be blocked. You can check again with the “show spanning-tree” command. Below is the output (notice this command is issued on DSW1 – this is the value DSW2 received and used to compare).

Therefore, all we need to do is to change the priority of port Gig1/0/6 to a lower value so the neighboring port will be in forwarding state. Notice that we only need to change this value for VLAN 30, not for all VLANs.

DSW1(config)#interface g1/0/6
DSW1(config-if)#spanning-tree vlan 30 port-priority 64
DSW1(config-if)#exit

3) “Traffic for VLAN 40 should be forwarding over the gig 1/0/5 trunk port between DSW1 and DSW2. However VLAN 40 is currently using gig 1/0/6”

Next we need to make sure traffic for VLAN 40 is forwarded over the Gig1/0/5 ports. It is a similar job, right? But wait, we are not allowed to make any configurations on DSW2, so how can we change its port-priority for VLAN 40? There is another solution for this…

Besides the port-priority parameter, there is another value we can change: the Cost value (or Root Path Cost). Although it depends on the bandwidth of the link, a network administrator can change the cost of a spanning tree, if necessary, by altering the configuration parameter in such a way as to affect the choice of the root of the spanning tree.

Notice that the Root Path Cost is the cost calculated by adding the cost in the received hello to the cost of the interface on which the hello BPDU was received. Therefore if you change the cost on an interface of DSW1 then only DSW1 will learn the change.

By default, the cost of a 100Mbps link is 19 but we can change this value to make sure that VLAN 40 will use interface Gig1/0/5.

DSW1(config)#interface g1/0/5
DSW1(config-if)#spanning-tree vlan 40 cost 1
DSW1(config-if)#end

You should re-check to see if everything was configured correctly:

DSW1#show spanning-tree

Save the configuration:

DSW1#copy running-config startup-config

(Notice: Many reports said the copy running-config startup-config didn’t work but they still got the full mark)

Remember these facts about Spanning-tree:

Path Selection:
1) Prefer the neighbor advertising the lowest root ID
2) Prefer the neighbor advertising the lowest cost to root
3) Prefer the neighbor with the lowest bridge ID
4) Prefer the lowest sender port ID

Spanning-tree cost:

Other good resource for reference:
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96a.shtml
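
The four path-selection steps above can be traced with a small model. This is an added example, not part of the original lab answer: the bridge IDs, the Gigabit port cost of 4, the assumption that DSW2 is the VLAN 40 root, and DSW2's VLAN 40 port IDs are constructed values; only the 128.5/128.6 port IDs, the port-priority 64, the cost 1 and the priority 61440 come from the explanation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Bpdu:
    """The fields of a received configuration BPDU used in the comparison."""
    root_id: tuple           # (priority, MAC) of the advertised root bridge
    root_path_cost: int      # sender's own cost to the root
    sender_bridge_id: tuple  # (priority, MAC) of the bridge that sent it
    sender_port_id: tuple    # (port priority, port number) on the sender


def elect_root_bridge(bridge_ids):
    """Lowest (priority, MAC) wins; bridge_ids maps name -> bridge ID."""
    return min(bridge_ids, key=bridge_ids.get)


def path_key(bpdu, local_port_cost):
    """Steps 1-4 of the path selection as one ordered comparison key.

    The local port cost is added to the received cost, which is why a cost
    change on DSW1 influences only DSW1's own choice.
    """
    return (bpdu.root_id,
            bpdu.root_path_cost + local_port_cost,
            bpdu.sender_bridge_id,
            bpdu.sender_port_id)


def elect_root_port(received, local_costs):
    """received: {local port: Bpdu}; returns the port with the best key."""
    return min(received, key=lambda port: path_key(received[port], local_costs[port]))


# Constructed bridge IDs (the lab output is not reproduced on the page).
CORE = (32768, "000a.0000.0001")
DSW1 = (24576, "000a.0000.0002")
DSW2 = (32768, "000a.0000.0003")
GIG_COST = 4  # assumed short-mode cost of a Gigabit port


def vlan20_root(dsw1_priority):
    """Task 1: raise DSW1's priority value until CORE wins the election."""
    ids = {"CORE": CORE, "DSW1": (dsw1_priority, DSW1[1]), "DSW2": DSW2}
    return elect_root_bridge(ids)


def vlan30_root_port_on_dsw2(dsw1_gi6_port_priority):
    """Task 2: DSW1 is root; DSW2 compares the sender port IDs it receives."""
    received = {
        "Gi1/0/5": Bpdu(DSW1, 0, DSW1, (128, 5)),
        "Gi1/0/6": Bpdu(DSW1, 0, DSW1, (dsw1_gi6_port_priority, 6)),
    }
    return elect_root_port(received, {"Gi1/0/5": GIG_COST, "Gi1/0/6": GIG_COST})


def vlan40_root_port_on_dsw1(dsw1_gi5_cost):
    """Task 3: DSW1 cannot touch DSW2's port IDs, so it lowers its own cost.

    Assumption: DSW2 is the VLAN 40 root and advertises a lower port
    priority (64) on Gi1/0/6, which is why Gi1/0/6 is in use at first.
    """
    received = {
        "Gi1/0/5": Bpdu(DSW2, 0, DSW2, (128, 5)),
        "Gi1/0/6": Bpdu(DSW2, 0, DSW2, (64, 6)),
    }
    return elect_root_port(received, {"Gi1/0/5": dsw1_gi5_cost, "Gi1/0/6": GIG_COST})


if __name__ == "__main__":
    print("VLAN 20 root, DSW1 priority 24576:", vlan20_root(24576))
    print("VLAN 20 root, DSW1 priority 61440:", vlan20_root(61440))
    print("VLAN 30 root port on DSW2, port-priority 128:", vlan30_root_port_on_dsw2(128))
    print("VLAN 30 root port on DSW2, port-priority 64:", vlan30_root_port_on_dsw2(64))
    print("VLAN 40 root port on DSW1, cost 4:", vlan40_root_port_on_dsw1(GIG_COST))
    print("VLAN 40 root port on DSW1, cost 1:", vlan40_root_port_on_dsw1(1))
```

The VLAN 40 case shows why the cost change works without access to DSW2: cost is compared at step 2, so the sender port ID at step 4 is never reached.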

QUESTION 5
AAAdot1x Lab Sim
April 12th, 2012 in LabSim

Question:
Acme is a small shipping company that has an existing enterprise network comprised of 2 switches: DSW1 and ASW1. The topology diagram indicates their layer 2 mapping. VLAN 40 is a new VLAN that will be used to provide the shipping personnel access to the server. For security reasons, it is necessary to restrict access to VLAN 20 in the following manner:
- Users connecting to ASW1’s port must be authenticated before they are given access to the network. Authentication is to be done via a Radius server:
- Radius server host: 172.120.39.46
- Radius key: rad123
- Authentication should be implemented as close to the host device as possible.
- Devices on VLAN 20 are restricted to the address range of 172.120.40.0/24.
- Packets from devices in the address range of 172.120.40.0/24 should be passed on VLAN 20.
- Packets from devices in any other address range should be dropped on VLAN 20.
- Filtering should be implemented as close to the server farm as possible.

The Radius server and application servers will be installed at a future date. You have been tasked with implementing the above access control as a pre-condition to installing the servers. You must use the available IOS switch features.


Explanation/Reference:
Answer and Explanation:

1) Configure ASW1

Enable AAA on the switch:

ASW1(config)#aaa new-model

The new-model keyword refers to the use of method lists, by which authentication methods and sources can be grouped or organized.

Define the server along with its secret shared password:

ASW1(config)#radius-server host 172.120.39.46 key rad123
ASW1(config)#aaa authentication dot1x default group radius

This command causes the RADIUS server defined on the switch to be used for 802.1x authentication.

Enable 802.1x on the switch:

ASW1(config)#dot1x system-auth-control

Configure Fa0/1 to use 802.1x:

ASW1(config)#interface fastEthernet 0/1
ASW1(config-if)#switchport mode access
ASW1(config-if)#dot1x port-control auto

Notice that the word “auto” will force the connected PC to authenticate through the 802.1x exchange.

ASW1(config-if)#end
ASW1#copy running-config startup-config

2) Configure DSW1:

Define an access-list:

DSW1(config)#ip access-list standard 10
(syntax: ip access-list {standard | extended} acl-name)
DSW1(config-std-nacl)#permit 172.120.40.0 0.0.0.255
DSW1(config-std-nacl)#exit

Define an access-map which uses the access-list above:

DSW1(config)#vlan access-map MYACCMAP 10
(syntax: vlan access-map map_name [0-65535])
DSW1(config-access-map)#match ip address 10
(syntax: match ip address {acl_number | acl_name})
DSW1(config-access-map)#action forward
DSW1(config-access-map)#exit
DSW1(config)#vlan access-map MYACCMAP 20
DSW1(config-access-map)#action drop
(drop other networks)
DSW1(config-access-map)#exit

Apply a vlan-map into a vlan:

DSW1(config)#vlan filter MYACCMAP vlan-list 20
(syntax: vlan filter mapname vlan-list list)
DSW1(config)#exit
DSW1#copy running-config startup-config

(Notice: Many reports said the copy running-config startup-config didn’t work but they still got the full mark)
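
To check what MYACCMAP does to a given source address before the servers are attached, the map can be evaluated offline. This is an added example, not part of the original answer: it is a simplified model of IPv4 handling only (first matching sequence wins, an entry without a match clause matches everything, a standard ACL ends in an implicit deny), and the sample addresses and the mistyped ACL are constructed.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def standard_acl_permits(acl, src):
    """Walk a standard ACL top-down; fall off the end into the implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action == "permit"
    return False


def vlan_map_action(vlan_map, src):
    """Return (sequence, action) for the first VLAN map entry that matches.

    An entry whose ACL is None has no match clause and matches every packet.
    A packet that matches no entry of a map containing an IP match clause
    is dropped, reported here with sequence None.
    """
    for seq, acl, action in sorted(vlan_map, key=lambda entry: entry[0]):
        if acl is None or standard_acl_permits(acl, src):
            return seq, action
    return None, "drop"


# The configuration from the answer above.
ACL_10 = [("permit", "172.120.40.0", "0.0.0.255")]
MYACCMAP = [
    (10, ACL_10, "forward"),
    (20, None, "drop"),
]

# Constructed mistake for comparison: a subnet mask typed where the
# wildcard mask belongs. Only the last octet is then compared.
ACL_10_MISTYPED = [("permit", "172.120.40.0", "255.255.255.0")]
MYACCMAP_MISTYPED = [
    (10, ACL_10_MISTYPED, "forward"),
    (20, None, "drop"),
]

# Constructed source addresses seen on VLAN 20.
SAMPLE_SOURCES = ["172.120.40.17", "172.120.40.255", "172.120.41.5", "10.9.8.0"]


def evaluate(vlan_map, sources=SAMPLE_SOURCES):
    """Map each sample source address to the (sequence, action) it hits."""
    return {src: vlan_map_action(vlan_map, src) for src in sources}


if __name__ == "__main__":
    for name, vmap in (("MYACCMAP", MYACCMAP), ("mistyped", MYACCMAP_MISTYPED)):
        print(name)
        for src, (seq, action) in evaluate(vmap).items():
            print(f"  {src:15} -> sequence {seq}, {action}")
```

With the mistyped mask the intended hosts are dropped and any address ending in .0 is forwarded, so the wildcard form is worth verifying with show access-lists before the filter is applied.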

QUESTION 6
Spanning Tree Lab Sim
April 14th, 2012 in LabSim

Question:
The headquarter office for a cement manufacturer is installing a temporary Catalyst 3550 in an IDF to connect 24 additional users. To prevent network corruption, it is important to have the correct configuration prior to connecting to the production network. It will be necessary to ensure that the switch does not participate in VTP but forwards VTP advertisements that are received on trunk ports.

Because of errors that have been experienced on office computers, all nontrunking interfaces should transition immediately to the forwarding state of Spanning tree. Also, configure the user ports (all FastEthernet ports) so that the ports are permanently nontrunking.

Requirements:
You will configure FastEthernet ports 0/12 through 0/24 for users who belong to VLAN 20. Also, all VLAN and VTP configurations are to be completed in global configuration mode as VLAN database mode is being deprecated by Cisco. You are required to accomplish the following tasks:
1. Ensure the switch does not participate in VTP but forwards VTP advertisements received on trunk ports.
2. Ensure all non-trunking interfaces (Fa0/1 to Fa0/24) transition immediately to the forwarding state of Spanning-Tree.
3. Ensure all FastEthernet interfaces are in a permanent non-trunking mode.
4. Place FastEthernet interfaces 0/12 through 0/24 in VLAN 20.


Explanation/Reference:
Answer and Explanation:

Switch>enable
Switch#configure terminal
Switch(config)#interface range fa0/1 - 24
Switch(config-if-range)#switchport mode access
(Make all FastEthernet interfaces into access mode)
Switch(config-if-range)#spanning-tree portfast
(Enables PortFast on the interfaces)

Next, we need to assign FastEthernet ports 0/12 through 0/24 to VLAN 20. By default, all ports on the switch are in VLAN 1. To change the VLAN associated with a port, you need to go to each interface (or a range of interfaces) and tell it which VLAN to be a part of.

Switch(config-if-range)#interface range fa0/12 - 24
Switch(config-if-range)#switchport access vlan 20
(Make these ports members of vlan 20)
Switch(config-if-range)#exit

Next we need to put this switch in transparent mode. In this mode, the switch doesn’t participate in the VTP domain, but it still forwards VTP advertisements through any configured trunk links.

Switch(config)#vtp mode transparent
Switch(config)#exit
Switch#copy running-config startup-config

(Notice: Many reports said the copy running-config startup-config didn’t work but they still got the full mark)

Exam C

QUESTION 1

STP Hotspot
April 10th, 2012 in Hotspot

Question
Online Incorporated is an internet game provider. The game service network had recently added an additional switch block with multiple VLANs configured. Unfortunately, system administrators neglected to document the spanning-tree topology during configuration. For baseline purposes, you will be required to identify the spanning-tree topology for the switch block. Using the output of the “show spanning-tree” command on switch SW-C and the provided physical topology, answer the following questions:

The output of “show spanning-tree” command on SW-C:

Question 1:
Which spanning Tree Protocol has been implemented on SW-B?
A. STP/IEEE 802.1D
B. MSTP/IEEE 802.1s
C. PVST+
D. PVRST
E. None of the above

Answer: C
Explanation:
On the Fa0/2 interface we can see the type of connection is P2p Peer (STP) and Cisco says that: “!--- Type P2p Peer(STP) represents that the neighbor switch runs PVST.” Please visit this link to understand more:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a00807b0670.shtml

Question 2:
Which bridge ID belongs to SW-B?
A. 24623.000f.34f5.0138
B. 32768.000d.bd03.0380
C. 32768.000d.65db.0102
D. 32769.000d.65db.0102
E. 32874.000d.db03.0380
F. 32815.000d.db03.0380

Answer: A
Explanation:
Have a look at the output at VLAN0047:

Notice there are two “Cost” values in the picture: the upper “Cost” is the total cost from the current switch to the root bridge while the second “Cost” refers to the cost on that interface (Fa0/2). Both these “Cost” values are the same so we can deduce that the root bridge is connected directly to this switch on the Fa0/2 interface -> the root bridge is Switch B, and the “Address” field shows its MAC address 000f.34f5.0138. Notice Bridge ID = Bridge Priority + MAC address.

Question 3:
Which port role has interface Fa0/2 of SW-A adopted for VLAN 47?
A. Root port
B. Nondesigned port
C. Designated port
D. Backup port
E. Alternate port

Answer: C
Explanation:
We learned that Switch B is the root bridge for VLAN 47 so port Fa0/1 on SwitchA and Fa0/2 on SwitchC should be the root ports, and from the output of SwitchC, we knew that port Fa0/1 of SwitchC is in blocking state. Therefore its opposite port on SwitchA must be in designated state (forwarding).

So, can Fa0/2 of SW-A be in blocking state? The answer is no so that BPDU packets can be received on Fa0/1 of SW-C. It will remain in blocking state as long as a steady flow of BPDUs is received.

Question 4:
Which port state is interface Fa0/2 of SW-B in for VLANs 1 and 106?
A. Listening
B. Learning
C. Disabled
D. Blocking
E. Forwarding
F. Discarding

Answer: D
Explanation:
As explained in question 2, we can deduce SW-A is the root bridge for VLANs 1 and 106 so ports Fa0/1 on SW-B and SW-C will be the root ports. From the output of SW-C for VLANs 1 and 106, port Fa0/2 of this switch is designated (forwarding) so we can deduce interface Fa0/2 of SW-B is in blocking status.

Question 5:
Which bridge ID belongs to SW-A?
A. 24623.000f.34f5.0138
B. 32768.000d.bd03.0380
C. 32768.000d.65db.0102
D. 32769.000d.65db.0102
E. 32874.000d.db03.0380
F. 32815.000d.db03.0380

Answer: D
Explanation:
SW-A is the root bridge for VLANs 1 and 106 and we can easily find the MAC address of this root bridge from the output of SW-C; it is 000d.65db.0102. Notice that SW-A has 2 bridge IDs for VLANs 1 and 106: they are 32769.000d.65db.0102 and 24682.000d.65db.0102


Explanation/Reference:

QUESTION 2
HSRP Hotspot
April 8th, 2012 in Hotspot

Question:

- DSW1 (Distribute switch 1) is the primary device for Vlan 101, 102, 105
- DSW2 (Distribute switch 2) is the primary device for Vlan 103 and 104

Question 1:

During routine maintenance, it became necessary to shutdown G1/0/1 on DSW1. All other interface were up.During this time, DSW1 remained the active device for Vlan 102′s HSRP group. You have determined thatthere is an issue with the decrement value in the track command in Vlan 102′s HSRP group. What need to bedone to make the group function properly?A. The DSW1′s decrement value should be configured with a value from 5 to 15B. The DSW1′s decrement value should be configured with a value from 9 to 15C. The DSW1′s decrement value should be configured with a value from 11 to 18D. The DSW1′s decrement value should be configured with a value from 195 to less than 205E. The DSW1′s decrement value should be configured with a value from 200 to less than 205F. The DSW1′s decrement value should be greater than 190 and less 200

Answer: CExplanation:The question clearly stated that there was an issue with the decrement value in VLAN 102 so we should checkVLAN 102 on both DSW1 and DSW2 switches first. Click on the PC Console1 and PC Console2 to accessthese switches then use the “show running-config” command on both switchesDSW1>enableDSW1#show running-configDSW2>enableDSW2#show running-config

As shown in the outputs, DSW1’s priority is 200 and is higher than that of DSW2, so DSW1 becomes the active switch for the group. Notice that the interface Gig1/0/1 on DSW1 is being tracked, so when this interface goes down, HSRP automatically reduces the router’s priority by a configurable amount, in this case 5. Therefore the priority of DSW1 goes down from 200 to 195. But this value is still higher than that of DSW2 (190), so DSW1 remains the active switch for the group. To make DSW2 take over this role, we have to configure DSW1’s decrement value with a value equal to or greater than 11 so that its result is smaller than that of DSW2 (200 – 11 < 190). Therefore C is the correct answer.

Question 2:
During routine maintenance, G1/0/1 on DSW1 was shut down. All other interfaces were up. DSW2 became the active HSRP device for Vlan101 as desired. However, after G1/0/1 on DSW1 was reactivated, DSW1 did not become the active HSRP device as desired. What needs to be done to make the group for Vlan101 function properly?
A. Enable preempt on DSW1’s Vlan101 HSRP group
B. Disable preempt on DSW1’s Vlan101 HSRP group
C. Decrease DSW1’s priority value for Vlan101 HSRP group to a value that is less than priority value configured on DSW2’s HSRP group for Vlan101
D. Decrease the decrement in the track command for DSW1’s Vlan 101 HSRP group to a value less than the value in the track command for DSW2’s Vlan 101 HSRP group.

Answer: A
Explanation:
Continue to check VLAN 101 on both switches…

We learned that DSW1 doesn’t have the “standby 1 preempt” command, so it can’t take over the active role again even if its priority is the highest. So we need to enable this command on VLAN 101 of DSW1.

Question 3:
DSW2 has not become the active device for Vlan103’s HSRP group even though all interfaces are active. As related to Vlan103’s HSRP group, what can be done to make the group function properly?
A. On DSW1, disable preempt
B. On DSW1, decrease the priority value to a value less than 190 and greater than 150
C. On DSW2, increase the priority value to a value greater than 241 and less than 249
D. On DSW2, increase the decrement value in the track command to a value greater than 10 and less than 50.

Answer: B or C
Explanation:

DSW2 has not become the active switch for Vlan103 because the priority value of DSW1 is higher than that of DSW2. In order to make DSW2 become the active switch, we need to increase DSW2’s priority (to higher than 200) or decrease DSW1’s priority (to lower than 190).

Question 4:
If G1/0/1 on DSW1 is shut down, what will be the current priority value of the Vlan105’s group on DSW1?
A. 95
B. 100
C. 150
D. 200

Answer: A
Explanation:
Below is the output of VLAN 105:

If G1/0/1 on DSW1 is shut down, its priority will decrease by 55, so its value will be 150 – 55 = 95.

Question 5:
What is the configured priority value of the Vlan105’s group on DSW2?
A. 50
B. 100
C. 150
D. 200

Answer: B
Explanation:
Below is the output of VLAN 105 of DSW2:

We don’t see the priority of DSW2, so it is using the default value (100).

Question 6:
During routine maintenance, it became necessary to shut down G1/0/1 on DSW1 and DSW2. All other interfaces were up. During this time, DSW1 became the active device for Vlan104’s HSRP group. As related to Vlan104’s HSRP group, what can be done to make the group function properly?
A. On DSW1, disable preempt
B. On DSW2, decrease the priority value to a value less than 150
C. On DSW1, increase the decrement value in the track command to a value greater than 6
D. On DSW1, disable track command.

Answer: C
Explanation:

The question asks us how to keep the active role of DSW2. From the outputs, we learned that if both interfaces G1/0/1 of DSW1 and DSW2 are shut down, the priority of DSW1 will be 150 – 1 = 149 and that of DSW2 will be 200 – 55 = 145 -> DSW1 will become the active switch.

The main point here is that we have to configure it in such a way that when both interfaces G1/0/1 of DSW1 and DSW2 are shut down, the priority of DSW2 is still greater than that of DSW1. Therefore the priority value of DSW1 should be smaller than 145, or we have to configure the decrement value of DSW1 to a value greater than 6 (6 = 150 – 144) -> C is the correct answer.

Notice: To keep the active role of DSW2, we can disable “preempt” on DSW1 (answer A) so that it will not take over the active role when DSW1 is downed, but it also means that VLAN 104 will not have an active switch -> VLAN104 will fail.


Exam D

QUESTION 1


Explanation/Reference:
Answer:
1) Trunk: Set the switch port to trunk mode and negotiate to become a trunk.
2) Nonegotiate: Specify that the DTP packets are not sent out of this interface.
3) Access: Set a switch port to permanent nontrunking mode.
4) Dynamic Auto: Set the switch port to respond, but not actively send DTP frames.
5) Dynamic Desirable: Make the interface actively attempt to convert the link to a trunk link. (This means the interface is ready to autonegotiate trunking encapsulation and form a trunk link (using DTP) with a neighbor port in desirable, auto, or on mode.)

Explanation:
Dynamic Trunking Protocol (DTP) is the Cisco-proprietary protocol that actively attempts to negotiate a trunk link between two switches. Below are the switchport modes (or DTP modes) for easy reference:

Mode: Function

Dynamic Auto: Creates the trunk based on the DTP request from the neighboring switch.

Dynamic Desirable: Communicates to the neighboring switch via DTP that the interface would like to become a trunk if the neighboring switch interface is able to become a trunk.

Trunk: Automatically enables trunking regardless of the state of the neighboring switch and regardless of any DTP requests sent from the neighboring switch.

Access: Trunking is not allowed on this port regardless of the state of the neighboring switch interface and regardless of any DTP requests sent from the neighboring switch.

Nonegotiate: Prevents the interface from generating DTP frames. This command can be used only when the interface switchport mode is access or trunk. You must manually configure the neighboring interface as a trunk interface to establish a trunk link.

QUESTION 2
Question 2:
This is a drag and drop question which is about the correct sequence of steps that a wireless client takes during the process of association with an access point (AP). Drag the items to the proper locations.


Explanation/Reference:

Explanation:
Any wireless client attempting to use the wireless network must first arrange a membership with the AP. Membership with the AP is called an association. The client must send an association request message, and the AP grants or denies the request by sending an association reply message. Once associated, all communications to and from the client must pass through the AP. Clients associate with access points as follows:
1) The client sends a probe request.
2) The AP sends a probe response.
3) The client initiates an association to an AP. Authentication and any other security information is sent to the AP.
4) The AP accepts the association.
5) The AP adds the client’s MAC address to its association table.

QUESTION 3


Explanation/Reference:
Answer:
1) Listening: sends and receives BPDUs to determine root, but does not update the MAC address table.
2) Disabled: does not participate in frame forwarding or in STP.
3) Blocking: does not participate in frame forwarding.
4) Forwarding: sends and receives data frames.
5) Learning: populates the MAC address table, but will not forward user data.

Notice: A port begins its life in a Disabled state, moving through several passive states and, finally, into an active state if allowed to forward traffic.

QUESTION 4
Question 4 (not sure about the question)
network level – RSTP, NSF
system level – Dual power supply, SSO
management level – NTP, IP SLA
verify that the vlan is assigned to the proper ports
verify that creation of the virtual interface
Verify that there is inter-switch connectivity
verify that switchports are properly pruned
Number of IP Subnets
VLAN to IP mapping
Location of each VLAN
VLAN assignments


QUESTION 5
Drag the choices on the left to the boxes on the right that should be included when creating a VLAN-based implementation plan. Not all choices will be used.


Explanation/Reference:
+ reference to design documents
+ roll back guidelines
+ detailed implementation plans
+ time required to perform the implementation

(In this question we don’t need to sort in the correct order)

Explanation
An implementation plan requires:
+ A description of the task
+ References to design documents
+ Detailed implementation guidelines
+ Detailed rollback guidelines in case of failure
+ The estimated time required for implementation

QUESTION 6
Question 2
You have a VLAN implementation that requires inter-vlan routing using layer 3 switches. Drag the steps on the left that should be part of the verification plan to the spaces on the right. Not all choices will be used.


Explanation/Reference:
Answer:
+ Verify that there is inter-switch connectivity
+ Verify that the data and voice VLANs are NOT assigned a trunk’s native VLAN
+ Verify that the needed Switch Virtual interfaces have been created
+ Verify that the proper ports are assigned to the VLAN

QUESTION 7


Explanation/Reference:
Answer:
v1:
+ get next request
+ unsolicited alert msg
v2:
+ informed request
+ incremental 64 bit of new data
v4:
+ user name
+ security level

Question 4
Categorize the high availability network resource or feature with the management level, network level, or system level used.

QUESTION 8


Explanation/Reference:
Answer:
Management Level:
+ IP SLA responder
+ NTP
Network Level:
+ RSTP
+ NSF
System Level:
+ Dual Power Supplies
+ SSO

QUESTION 9
Match the HSRP states on the left with the correct definition on the right.


Explanation/Reference:
Answer:
+ Initial: State from which the router begins the HSRP process
+ Standby: A candidate to become the next active router
+ Learn: The router is still waiting to hear from the active router
+ Active: The router is currently forwarding packets
+ Listen: Listens for hello messages from the active and standby router
+ Speak: Participates in the election for the active or standby router

QUESTION 10
Sort the syslog priority from highest to lowest


Explanation/Reference:
Answer:
1) emergency
2) alert
3) critical
4) error
5) warning
6) notice
7) informational
8) debug

Explanation
The syslog levels and descriptions are listed below:

Code Severity: Description
0 Emergency: system is unusable (such as an imminent system crash)
1 Alert: action must be taken immediately (such as a corrupted system database)
2 Critical: Critical conditions (such as a hardware error)
3 Error: Error conditions
4 Warning: Warning conditions
5 Notice: normal but significant condition. It is not an error, but possibly should be handled in a special way
6 Informational: Informational message
7 Debug: Debug-level message

QUESTION 11
Match the Attributes on the left with the types of VLAN designs on right.


Explanation/Reference:
Answer:
End-to-End VLANs:
+ As a user moves through a campus, the VLAN membership of the user remains the same, regardless of the physical switch this user attaches to.
+ Users are grouped into each VLAN regardless of the physical locations.
Local VLANs:
+ Create with Physical boundaries in mind rather than the departments or organization of the users on the devices.
+ VLANs on one switch are not advertised to all other switches in the network, nor do they need to be created in the VLAN database of any other switch.

QUESTION 12
You have been tasked with planning a VLAN solution that will connect a server in one building to several hosts in another building. The solution should be built using the local vlan model and layer 3 switching at the distribution layer. Identify the questions related to this vlan solution that you would ask the network administrator before you start the planning by dragging them into the target zone on the right. Not all questions will be used.


Explanation/Reference:
Answer:
+ Is there inter-switch connectivity?
+ What routing protocol will be used?
+ What VLANs are available on each switch?
+ What switch ports are available in each building?
+ What IP addresses are available on each subnet?

QUESTION 13


Explanation/Reference:
Answer:
Local vlan:
+ 20/80 rule
+ leverages on stp
+ leverages on routing
+ locally significant
Distributed vlan:
+ 80/20 rule
+ leverages on vtp
+ leverages on switching
+ globally significant
