Switch With Ans &Expl


CCNP Switching: CDP & LLDP Questions

Question 1

What is the default interval at which Cisco devices send Cisco Discovery Protocol advertisements?

A. 30 seconds
B. 60 seconds
C. 120 seconds
D. 300 seconds

 Answer: B

Explanation

Cisco Discovery Protocol (CDP) is a Cisco-proprietary protocol for discovering information about directly connected neighboring devices. The default advertisement interval is 60 seconds, and each neighbor keeps the information from a received advertisement for 180 seconds (the holddown timer).

Question 2

Which statement about Cisco Discovery Protocol configuration on a Cisco switch is true?

A. CDP is enabled by default and can be disabled globally with the command no cdp run.
B. CDP is disabled by default and can be enabled globally with the command cdp enable.
C. CDP is enabled by default and can be disabled globally with the command no cdp enable.
D. CDP is disabled by default and can be enabled globally with the command cdp run.

Answer: A

Question 3

A network engineer notices inconsistent Cisco Discovery Protocol neighbors according to the diagram that is provided. The engineer notices only a single neighbor that uses Cisco Discovery Protocol, but it has several routing neighbor relationships. What would cause the output to show only the single neighbor?

A. The routers are connected via a Layer 2 switch.
B. IP routing is disabled on neighboring devices.
C. Cisco Express Forwarding is enabled locally.
D. Cisco Discovery Protocol advertisements are inconsistent between the local and remote devices.

 Answer: A

Explanation

CDP runs at Layer 2, so a router running CDP sees only the Layer 2 switch directly connected to it (provided that the switch also runs CDP). The routers on the far side of that switch are reachable at Layer 3 and form routing adjacencies, but they are not CDP neighbors of the local router.

Question 4

After the implementation of several different types of switches from different vendors, a network engineer notices that directly connected devices that use Cisco Discovery Protocol are not visible. Which vendor-neutral protocol could be used to resolve this issue?

A. Local Area Mobility
B. Link Layer Discovery Protocol
C. NetFlow
D. Directed Response Protocol


 Answer: B

Explanation

Unlike CDP, Link Layer Discovery Protocol (LLDP) is an open IEEE-standard (802.1AB) Layer 2 protocol used by network devices to share information about their identities and functionality with other network elements.

Question 5

While doing network discovery using Cisco Discovery Protocol, it is found that rapid error tracking is not currently enabled. Which option must be enabled to allow for enhanced reporting mechanisms using Cisco Discovery Protocol?

A. Cisco Discovery Protocol version 2
B. Cisco IOS Embedded Event Manager
C. logging buffered
D. Cisco Discovery Protocol source interface
E. Cisco Discovery Protocol logging options

 Answer: A

Explanation

Cisco Discovery Protocol Version 2 provides more intelligent, device-tracking features than those available in Version 1. One of the features available is an enhanced reporting mechanism for more rapid error tracking, which helps to reduce network downtime. Errors reported include mismatched native VLAN IDs (IEEE 802.1Q) on connected ports and mismatched port-duplex states between connected devices. Messages about reported errors can be sent to the console or to a logging server.

Question 6

A network engineer has just deployed a non-Cisco device in the network and wants to get information about it from a connected device. Cisco Discovery Protocol is not supported, so the open standard protocol must be configured. Which protocol does the network engineer configure on both devices to accomplish this?

A. IRDP
B. LLDP
C. NDP
D. LLTD

 Answer: B

Explanation

Unlike CDP, Link Layer Discovery Protocol (LLDP) is an open IEEE-standard (802.1AB) Layer 2 protocol used by network devices to share information about their identities and functionality with other network elements.

Question 7

Which statement about Cisco devices learning about each other through Cisco Discovery Protocol is true?

A. Each device sends periodic advertisements to multicast address 01:00:0C:CC:CC:CC.
B. Each device broadcasts periodic advertisements to all of its neighbors.
C. Each device sends periodic advertisements to a central device that builds the network topology.
D. Each device sends periodic advertisements to all IP addresses in its ARP table.

 Answer: A


Explanation

Cisco devices send periodic CDP announcements to the multicast destination address 01-00-0c-cc-cc-cc out of each connected network interface. These multicast frames are received by directly connected devices that support CDP. The same multicast destination is also used by other Cisco protocols such as VTP.

Question 8

Which option lists the information that is contained in a Cisco Discovery Protocol advertisement?

A. native VLAN IDs, port-duplex, hardware platform
B. native VLAN IDs, port-duplex, memory errors
C. native VLAN IDs, memory errors, hardware platform
D. port-duplex, hardware platform, memory errors

 Answer: A

Explanation

The information contained in Cisco Discovery Protocol announcements depends on the device type and the version of the operating system running on it. The following are examples of the types of information that can be contained in Cisco Discovery Protocol announcements:

+ Cisco IOS XE version running on a Cisco device
+ Duplex setting
+ Hardware platform of the device
+ Hostname
+ IP addresses of the interfaces on devices
+ Interfaces active on a Cisco device, including encapsulation type
+ Locally connected devices advertising Cisco Discovery Protocol
+ Native VLAN
+ VTP domain

Cisco Discovery Protocol Version 2 provides more intelligent device tracking features than Version 1.

Question 9

Which statement about LLDP-MED is true?

A. LLDP-MED is an extension to LLDP that operates between endpoint devices and network devices.
B. LLDP-MED is an extension to LLDP that operates only between network devices.
C. LLDP-MED is an extension to LLDP that operates only between endpoint devices.
D. LLDP-MED is an extension to LLDP that operates between routers that run BGP.

Answer: A

Explanation

Media Endpoint Discovery is an enhancement of LLDP, known as LLDP-MED, that provides the following facilities:

+ Auto-discovery of LAN policies such as VLAN, Layer 2 Priority and Differentiated Services (DiffServ) settings, enabling plug and play networking.
+ Device location discovery to allow creation of location databases and, in the case of Voice over Internet Protocol (VoIP), Enhanced 911 services.
+ Extended and automated power management of Power over Ethernet (PoE) end points.
+ Inventory management, allowing network administrators to track their network devices and determine their characteristics (manufacturer, software and hardware versions, serial or asset number).


The LLDP-MED protocol extension was formally approved and published as the standard ANSI/TIA-1057 by the Telecommunications Industry Association (TIA) in April 2006.

Question 10

Which option describes a limitation of LLDP?

A. LLDP cannot provide information about VTP.
B. LLDP does not support TLVs.
C. LLDP can discover only Windows servers.
D. LLDP can discover up to two devices per port.

 Answer: A

Explanation

LLDP supports a set of attributes that it uses to discover neighbor devices. These attributes contain type, length, and value descriptions and are referred to as TLVs. LLDP-supported devices can use TLVs to receive and send information to their neighbors. This protocol can advertise details such as configuration information, device capabilities, and device identity.

The switch supports these basic management TLVs. These are mandatory LLDP TLVs.

+ Port description TLV
+ System name TLV
+ System description TLV
+ System capabilities TLV
+ Management address TLV

These organizationally specific LLDP TLVs are also advertised to support LLDP-MED.

+ Port VLAN ID TLV (IEEE 802.1 organizationally specific TLV)
+ MAC/PHY configuration/status TLV (IEEE 802.3 organizationally specific TLV)

-> No VTP information is supported in LLDP.

Question 11

Which statement about using native VLANs to carry untagged frames is true?

A. Cisco Discovery Protocol version 2 carries native VLAN information, but version 1 does not.
B. Cisco Discovery Protocol version 1 carries native VLAN information, but version 2 does not.
C. Cisco Discovery Protocol version 1 and version 2 carry native VLAN information.
D. Cisco Discovery Protocol version 3 carries native VLAN information, but versions 1 and 2 do not.

 Answer: A

Explanation

Cisco Discovery Protocol Version 2 has three additional type-length-value fields (TLVs): VTP Management Domain Name, Native VLAN, and Full/Half Duplex.

Switch Questions


Question 1

What effect does the mac address-table aging-time 180 command have on the MAC address-table?

A. This is how long a dynamic MAC address will remain in the CAM table.
B. The MAC address-table will be flushed every 3 minutes.
C. The default timeout period will be 360 seconds.
D. ARP requests will be processed less frequently by the switch.
E. The MAC address-table will hold addresses 180 seconds longer than the default of 10 minutes.

Answer: A

Explanation

The command “mac address-table aging-time 180” specifies the time before an entry ages out and is discarded from the MAC address table. The default is 300 seconds. Entering the value 0 disables MAC aging.

Question 2

In a Cisco switch, what is the default period of time after which a MAC address ages out and is discarded?

A. 100 seconds
B. 180 seconds
C. 300 seconds
D. 600 seconds

 Answer: C

Question 3

If a network engineer applies the command mac-address-table notification mac-move on a Cisco switch port, when is a syslog message generated?

A. A MAC address or host moves between different switch ports.
B. A new MAC address is added to the content-addressable memory.
C. A new MAC address is removed from the content-addressable memory.
D. More than 64 MAC addresses are added to the content-addressable memory.

 Answer: A

Explanation

The switch learns which port a host is attached to by examining the source MAC address of the frames received on that port. For example, if the switch receives a frame with source MAC 0000.0000.aaaa (abbreviated as “aaaa”) on port Fa0/1, it populates its MAC address table with an entry like “host aaaa on Fa0/1”. If the switch then receives a frame with the same “aaaa” MAC on Fa0/2, the entry flaps and the switch logs something like this:

%MAC_MOVE-SP-4-NOTIF: Host 0000.0000.aaaa in vlan 1 is flapping between port 0/1 and port 0/2

This flapping may be the result of a Layer 2 loop somewhere in your network, especially when STP has been disabled for some reason.

If you don’t want to see this message, issue “no mac-address-table notification mac-move” or add a static entry with “mac-address-table static 0000.0000.aaaa vlan 1 interface fa0/1” on the switch. The command “mac-address-table notification mac-move” is disabled by default on the 6500 and 7600 series but enabled by default on other series.
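As an added illustration (not part of the original question set), the following Python script parses MAC_MOVE notifications of the form quoted above and counts how often each host flaps, which is how an operator would spot the Layer 2 loop symptom the explanation describes in a syslog feed. The log lines it processes are constructed samples, and the threshold of three notifications is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict

# Pattern for the MAC_MOVE notification quoted in the explanation above.
# The "-SP-" component varies by platform, so it is matched as an optional token.
MAC_MOVE_RE = re.compile(
    r"%MAC_MOVE(?:-\w+)?-4-NOTIF: Host "
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)

# Constructed sample syslog lines (not captured from a real device).
SAMPLE_LOG = """\
Mar  1 00:01:10.101: %MAC_MOVE-SP-4-NOTIF: Host 0000.0000.aaaa in vlan 1 is flapping between port 0/1 and port 0/2
Mar  1 00:01:11.204: %MAC_MOVE-SP-4-NOTIF: Host 0000.0000.aaaa in vlan 1 is flapping between port 0/2 and port 0/1
Mar  1 00:01:12.308: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to up
Mar  1 00:01:13.412: %MAC_MOVE-SP-4-NOTIF: Host 0000.0000.aaaa in vlan 1 is flapping between port 0/1 and port 0/2
Mar  1 00:02:00.001: %MAC_MOVE-SP-4-NOTIF: Host 0000.0000.bbbb in vlan 20 is flapping between port 0/7 and port 0/8
"""


def parse_mac_moves(text):
    """Return one (mac, vlan, frozenset_of_ports) tuple per MAC_MOVE line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = MAC_MOVE_RE.search(line)
        if m:
            events.append((m["mac"].lower(), int(m["vlan"]), frozenset((m["p1"], m["p2"]))))
    return events


def flap_counts(events):
    """Count notifications per (mac, vlan) and collect the ports involved.

    The port pair is stored as a set, so "0/1 and 0/2" and "0/2 and 0/1" count as the same flap.
    """
    counts = Counter()
    ports = defaultdict(set)
    for mac, vlan, pair in events:
        counts[(mac, vlan)] += 1
        ports[(mac, vlan)] |= pair
    return counts, ports


def flapping_hosts(text, threshold=3):
    """Return the (mac, vlan) keys that flapped at least `threshold` times (threshold is an assumption)."""
    counts, _ = flap_counts(parse_mac_moves(text))
    return sorted(key for key, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    counts, ports = flap_counts(parse_mac_moves(SAMPLE_LOG))
    for (mac, vlan), n in counts.most_common():
        print(f"{mac} vlan {vlan}: {n} notification(s) across ports {sorted(ports[(mac, vlan)])}")
    print("hosts over threshold:", flapping_hosts(SAMPLE_LOG))
```

Hosts that cross the threshold are the ones whose ports are worth checking for a loop or a missing static entry, as the explanation suggests.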

Question 4


The command storm-control broadcast level 75 65 is configured under the switch port connected to the corporate mail server. In which three ways does this command impact the traffic? (Choose three)

A. SNMP traps are sent by default when broadcast traffic reaches 65% of the lower-level threshold.
B. The switchport is disabled when unicast traffic reaches 75% of the total interface bandwidth.
C. The switch resumes forwarding broadcasts when they are below 65% of bandwidth.
D. Only broadcast traffic is limited by this particular storm control configuration.
E. Multicast traffic is dropped at 65% and broadcast traffic is dropped at 75% of the total interface bandwidth.
F. The switch drops broadcasts when they reach 75% of bandwidth.

Answer: C D F

Explanation

Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol-stack implementation, mistakes in network configurations, or users issuing a denial-of-service attack can cause a storm.

Storm control (or traffic suppression) monitors packets passing from an interface to the switching bus and determines if the packet is unicast, multicast, or broadcast. The switch counts the number of packets of a specified type received within the 1-second time interval and compares the measurement with a predefined suppression-level threshold.

Storm control uses one of these methods to measure traffic activity:

+ Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
+ Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
+ Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received

With each method, the port blocks traffic when the rising threshold is reached. The port remains blocked until the traffic rate drops below the falling threshold (if one is specified) and then resumes normal forwarding. If the falling suppression level is not specified, the switch blocks all traffic until the traffic rate drops below the rising suppression level. In general, the higher the level, the less effective the protection against broadcast storms.

The command “storm-control broadcast level 75 65” limits the broadcast traffic to 75% of the bandwidth (75% is called the rising threshold). The port will start forwarding broadcast traffic again when it drops below 65% of the bandwidth (65% is called the falling threshold).

Note: If you don’t configure the falling threshold, it uses the same value as the rising threshold.

Question 5

While troubleshooting a network outage, a network engineer discovered an unusually high level of broadcast traffic coming from one of the switch interfaces. Which option decreases consumption of bandwidth used by broadcast traffic?

A. storm control
B. SDM routing
C. Cisco IOS parser
D. integrated routing and bridging
E. Dynamic ARP Inspection

 Answer: A

Explanation

By using “storm-control broadcast level rising-threshold [falling-threshold]” on the interface we can limit the broadcast traffic on the switch.

Question 6


The network monitoring application alerts a network engineer of a client PC that is acting as a rogue DHCP server. Which two commands help trace this PC when the MAC address is known? (Choose two)

A. switch# show mac address-table
B. switch# show port-security
C. switch# show ip verify source
D. switch# show ip arp inspection
E. switch# show mac address-table address

Answer: A E

Explanation

The command “show mac address-table” displays the MAC address table along with the port associated with each entry on the switch. The command “show mac address-table address”, followed by a MAC address, gives a more specific view of that single MAC address.

Question 7

Which switch feature prevents traffic on a LAN from being overwhelmed by continuous multicast or broadcast traffic?

A. storm control
B. port security
C. VTP pruning
D. VLAN trunking

Answer: A

Question 8

Which command would a network engineer apply to error-disable a switchport when a packet-storm is detected?

A. router(config-if)#storm-control action shutdown
B. router(config-if)#storm-control action trap
C. router(config-if)#storm-control action error
D. router(config-if)#storm-control action enable

Answer: A

Explanation

The command “storm-control action {shutdown | trap}” specifies the action to be taken when a storm is detected. The default is to filter out the traffic and not to send traps.

+ Select the shutdown keyword to error-disable the port during a storm.
+ Select the trap keyword to generate an SNMP trap when a storm is detected.
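As an added example for Question 4 and Question 8 of this section (not part of the original material), the following Python model replays per-second utilisation samples through the storm-control decision described above: block once the rising level is reached, resume only below the falling level, and either filter, trap, or err-disable on detection. The utilisation samples are constructed, and the simplification to one percentage sample per second is an assumption.

```python
def storm_control_states(samples, rising, falling=None, action="filter"):
    """Simulate the per-second storm-control decision for one port.

    samples : utilisation of the monitored traffic type, percent of port bandwidth per second
              (constructed input; a real switch measures this itself)
    rising  : rising suppression level; the traffic is blocked once it is reached
    falling : falling suppression level; forwarding resumes once traffic drops below it
              (defaults to the rising level, as when only one value is configured)
    action  : "filter" (default: drop the traffic, keep the port up), "trap" (filter and
              raise an SNMP trap on each detection), or "shutdown" (err-disable the port)
    Returns (states, traps): one "forward"/"block"/"err-disabled" entry per sample and
    the number of traps that would have been sent.
    """
    if falling is None:
        falling = rising
    if not 0 <= falling <= rising <= 100:
        raise ValueError("need 0 <= falling <= rising <= 100")
    if action not in ("filter", "trap", "shutdown"):
        raise ValueError("unknown storm-control action")

    blocked = False
    err_disabled = False
    traps = 0
    states = []
    for pct in samples:
        if err_disabled:                  # shutdown action is sticky until an operator recovers the port
            states.append("err-disabled")
            continue
        if not blocked and pct >= rising:
            blocked = True                # storm detected: rising threshold reached
            if action == "trap":
                traps += 1
            elif action == "shutdown":
                err_disabled = True
                states.append("err-disabled")
                continue
        elif blocked and pct < falling:
            blocked = False               # storm subsided: traffic fell below the falling threshold
        states.append("block" if blocked else "forward")
    return states, traps


# Constructed per-second broadcast utilisation samples (percent), not real telemetry.
SAMPLE_UTILISATION = [10, 80, 70, 70, 60, 70, 80]

if __name__ == "__main__":
    print("level 75 65:", storm_control_states(SAMPLE_UTILISATION, 75, 65))
    print("level 75   :", storm_control_states(SAMPLE_UTILISATION, 75))
    print("trap       :", storm_control_states(SAMPLE_UTILISATION, 75, 65, action="trap"))
    print("shutdown   :", storm_control_states(SAMPLE_UTILISATION, 75, 65, action="shutdown"))
```

Running the two threshold variants side by side shows the point of the falling level: with “level 75 65” the port stays blocked through the 70% samples, whereas with “level 75” alone it resumes forwarding as soon as traffic dips under 75%, so a storm hovering just below the rising level keeps toggling the port.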

Ether-Channel Questions


Notes:

The Port Aggregation Protocol (PAgP) and Link Aggregation Control Protocol (LACP) facilitate the automatic creation of EtherChannels by exchanging packets between Ethernet interfaces. The Port Aggregation Protocol (PAgP) is a Cisco-proprietary solution, and the Link Aggregation Control Protocol (LACP) is standards based.

LACP modes:

+ on: the link aggregation is forced to be formed without any LACP negotiation. A port-channel is formed only if the peer port is also in “on” mode.
+ off: disable LACP and prevent the ports from forming a port-channel
+ passive: the switch does not initiate the channel, but does understand incoming LACP packets
+ active: send LACP packets and be willing to form a port-channel

The table below lists if an EtherChannel will be formed or not for LACP:

LACP       Active   Passive
Active     Yes      Yes
Passive    Yes      No

PAgP modes:

+ on: the link aggregation is forced to be formed without any PAgP negotiation. A port-channel is formed only if the peer port is also in “on” mode.
+ off: disable PAgP and prevent the ports from forming a port-channel
+ desirable: send PAgP packets and be willing to form a port-channel
+ auto: does not start PAgP packet negotiation but responds to PAgP packets it receives

The table below lists if an EtherChannel will be formed or not for PAgP:

PAgP       Desirable   Auto
Desirable  Yes         Yes
Auto       Yes         No

An EtherChannel in Cisco can be defined as a Layer 2 EtherChannel or a Layer 3 EtherChannel.

+ For Layer 2 EtherChannel, physical ports are placed into an EtherChannel group. A logical port-channel interface is created automatically. An example of configuring a Layer 2 EtherChannel can be found in Question 1 in this article.
+ For Layer 3 EtherChannel, a Layer 3 Switch Virtual Interface (SVI) is created and then the physical ports are bound into this Layer 3 SVI.

Question 1

Refer to the exhibit.


Which set of configurations will result in all ports on both switches successfully bundling into an EtherChannel?

A. switch1: channel-group 1 mode active; switch2: channel-group 1 mode auto
B. switch1: channel-group 1 mode desirable; switch2: channel-group 1 mode passive
C. switch1: channel-group 1 mode on; switch2: channel-group 1 mode auto
D. switch1: channel-group 1 mode desirable; switch2: channel-group 1 mode auto

 Answer: D

Explanation

The table below lists if an EtherChannel will be formed or not for LACP:

LACP       Active   Passive
Active     Yes      Yes
Passive    Yes      No

The table below lists if an EtherChannel will be formed or not for PAgP:

PAgP       Desirable   Auto
Desirable  Yes         Yes
Auto       Yes         No

To form an EtherChannel, both sides must use the same EtherChannel protocol (LACP or PAgP). According to the two tables above, among the listed combinations only “desirable” and “auto” (both PAgP) can form an EtherChannel bundle.


Note: If we want to use “on” mode, both ends must be configured in this “on” mode to create an Etherchannel bundle.

Question 2

After an EtherChannel is configured between two Cisco switches, interface port channel 1 is in the down/down state. Switch A is configured with “channel-group 1 mode active”, while Switch B is configured with “channel-group 1 mode desirable”. Why is the EtherChannel bundle not working?

A. The switches are using mismatched EtherChannel negotiation modes.
B. The switch ports are not configured in trunking mode.
C. LACP priority must be configured on both switches.
D. The channel group identifier must be different for Switch A and Switch B.

 Answer: A

Explanation

To form an Etherchannel both sides must use the same Etherchannel protocol (LACP or PAgP).

Question 3

An EtherChannel bundle has been established between a Cisco switch and a corporate web server. The network administrator noticed that only one of the EtherChannel links is being utilized to reach the web server. What should be done on the Cisco switch to allow for better EtherChannel utilization to the corporate web server?

A. Enable Cisco Express Forwarding to allow for more effective traffic sharing over the EtherChannel bundle.
B. Adjust the EtherChannel load-balancing method based on destination IP addresses.
C. Disable spanning tree on all interfaces that are participating in the EtherChannel bundle.
D. Use link-state tracking to allow for improved load balancing of traffic upon link failure to the server.
E. Adjust the EtherChannel load-balancing method based on source IP addresses.

 Answer: E

Explanation

In this case the EtherChannel bundle was configured to load-balance based on the destination IP address, but there is only one web server (that is, one destination IP address), so every flow hashes to the same link and only one of the EtherChannel links is used to reach the server. To solve this problem we should configure load-balancing based on source IP address, so that traffic from different hosts to the web server is shared among the links in the EtherChannel bundle.
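As an added illustration of the reasoning above and of the method keywords listed under Question 7 (not part of the original material), the following Python model hashes constructed client-to-server flows onto the member links of a bundle under the src-ip, dst-ip and src-dst-ip methods. The hash itself is a simplified assumption (XOR of the chosen addresses, low-order bits selecting the link), not any vendor’s exact algorithm; the client and server addresses are constructed samples.

```python
import ipaddress


def select_link(method, src_ip, dst_ip, n_links):
    """Pick the member link (0..n_links-1) for one IPv4 flow under a load-balancing method.

    Illustrative model only (an assumption, not a real platform hash): the selected
    addresses are XORed and the low-order bits of the result choose the link.
    """
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    if method == "src-ip":
        key = s
    elif method == "dst-ip":
        key = d
    elif method == "src-dst-ip":
        key = s ^ d
    else:
        raise ValueError(f"unsupported load-balancing method: {method}")
    return key % n_links


def link_distribution(method, flows, n_links):
    """Count how many of the (src, dst) flows land on each member link."""
    counts = [0] * n_links
    for src, dst in flows:
        counts[select_link(method, src, dst, n_links)] += 1
    return counts


# Constructed sample: eight clients all talking to the single web server of Question 3.
SERVER = "10.0.0.80"
CLIENTS = [f"192.168.1.{i}" for i in range(11, 19)]
FLOWS = [(client, SERVER) for client in CLIENTS]

if __name__ == "__main__":
    for method in ("dst-ip", "src-ip", "src-dst-ip"):
        print(f"{method:10s} -> flows per link: {link_distribution(method, FLOWS, 4)}")
```

With a single destination the dst-ip key is identical for every flow, so all of them land on one link; keying on the source address (alone or combined with the destination) spreads the same flows across the bundle, which is the behaviour the explanation relies on.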

Question 4

An access switch has been configured with an EtherChannel port. After configuring SPAN to monitor this port, the network administrator notices that not all traffic is being replicated to the management server. What is a cause for this issue?

A. VLAN filters are required to ensure traffic mirrors effectively.
B. SPAN encapsulation replication must be enabled to capture EtherChannel destination traffic.
C. The port channel can be used as a SPAN source, but not a destination.
D. RSPAN must be used to capture EtherChannel bidirectional traffic.

 Answer: C

Question 5


Refer to the exhibit.

What is the result of the configuration?

A. The EtherChannels would not form because the load-balancing method must match on the devices.
B. The EtherChannels would form and function properly even though the load-balancing and EtherChannel modes do not match.
C. The EtherChannels would form, but network loops would occur because the load-balancing methods do not match.
D. The EtherChannels would form and both devices would use the dst-ip load-balancing method because Switch1 is configured with EtherChannel mode active.

Answer: B

Explanation

If one end is passive and the other end is active, the EtherChannel is formed regardless of the two switches using different modes and different load-balancing methods; the load-balancing method is a local choice on each switch and is not negotiated. Switch1 will load-balance based on destination IP while Switch2 will load-balance based on source MAC address.

Question 6

A network engineer tries to configure storm control on an EtherChannel bundle. What is the result of the configuration?

A. The storm control settings will appear on the EtherChannel, but not on the associated physical ports.
B. The configuration will be rejected because storm control is not supported for EtherChannel.
C. The storm control configuration will be accepted, but will only be present on the physical interfaces.
D. The settings will be applied to the EtherChannel bundle and all associated physical interfaces.

 Answer: D

Explanation

When storm control is configured on an EtherChannel, the storm control settings propagate to the EtherChannel physical interfaces. In the “show etherchannel” command output, the storm control settings appear on the EtherChannel but not on the physical ports of the channel.

Note: You cannot configure storm control on the individual ports of that EtherChannel.

Question 7


A network engineer must set the load balance method on an existing port channel. Which action must be done to apply a new load balancing method?

A. Configure the new load balancing method using port-channel load-balance.
B. Adjust the switch SDM back to “default”.
C. Ensure that IP CEF is enabled globally to support all load balancing methods.
D. Upgrade the PFC to support the latest load balancing methods.

 Answer: A

Explanation

Issue the “port-channel load-balance {src-mac | dst-mac | src-dst-mac | src-ip | dst-ip | src-dst-ip | src-port | dst-port | src-dst-port | mpls}” global configuration command to configure the load balancing.

Question 8

A network engineer configured a fault-tolerance link on Gigabit Ethernet links G0/1, G0/2, G0/3, and G0/4 between two switches using Ethernet port-channel. Which action allows interface G0/1 to always actively forward traffic in the port-channel?

A. Configure G0/1 as half duplex and G0/2 as full duplex.
B. Configure LACP port-priority on G0/1 to 1.
C. Configure LACP port-priority on G0/1 to 65535.
D. LACP traffic goes through G0/4 because it is the highest interface ID.

Answer: B

Explanation

A LACP port priority is configured on each port using LACP. The port priority can be configured automatically or through the CLI. LACP uses the port priority with the port number to form the port identifier. The port priority determines which ports should be put in standby mode when there is a hardware limitation that prevents all compatible ports from aggregating.

The syntax of LACP port priority is (configured under interface mode):

lacp port-priority priority-value

The lower the value, the more likely the interface will be used for LACP transmission.

Question 9

Which statement about the use of PAgP link aggregation on a Cisco switch that is running Cisco IOS Software is true?

A. PAgP modes are off, auto, desirable, and on. Only the combinations auto-desirable, desirable-desirable, and on-on allow the formation of a channel.
B. PAgP modes are active, desirable, and on. Only the combinations active-desirable, desirable-desirable, and on-on allow the formation of a channel.
C. PAgP modes are active, desirable, and on. Only the combinations active-active, desirable-desirable, and on-on allow the formation of a channel.
D. PAgP modes are off, active, desirable, and on. Only the combinations auto-auto, desirable-desirable, and on-on allow the formation of a channel.

Answer: A


Explanation

The table below lists if an EtherChannel will be formed or not for PAgP:

PAgP       Desirable   Auto
Desirable  Yes         Yes
Auto       Yes         No

For “on” mode, the link aggregation is forced to be formed without any PAgP negotiation. A port-channel is formed only if the peer port is also in “on” mode.
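As an added example covering the Notes at the start of this section and Questions 1, 2 and 9 (not part of the original material), the following Python function encodes the LACP and PAgP tables above plus the rules for “on” and “off”, and decides whether two channel-group modes will bundle. The mode keywords are the ones on this page; the helper that grades the four option pairs of Question 1 is an addition for illustration.

```python
LACP_MODES = {"active", "passive"}
PAGP_MODES = {"desirable", "auto"}
INITIATORS = {"active", "desirable"}   # the end that sends negotiation packets unprompted


def protocol_of(mode):
    """Map a channel-group mode keyword to the negotiation protocol it implies."""
    if mode in LACP_MODES:
        return "LACP"
    if mode in PAGP_MODES:
        return "PAgP"
    if mode == "on":
        return "none"                   # static bundle, no negotiation packets at all
    raise ValueError(f"unknown channel-group mode: {mode}")


def bundle_forms(mode_a, mode_b):
    """Return True if two ends configured with these channel-group modes form an EtherChannel.

    Rules taken from the tables and notes on this page:
    - "off" on either end never bundles;
    - both ends must run the same protocol (LACP or PAgP), otherwise no channel (Question 2);
    - within one protocol at least one end must initiate: active/active, active/passive,
      desirable/desirable, desirable/auto form; passive/passive and auto/auto do not;
    - "on" forms a channel only with "on".
    """
    if mode_a == "off" or mode_b == "off":
        return False
    proto_a, proto_b = protocol_of(mode_a), protocol_of(mode_b)
    if proto_a != proto_b:
        return False
    if proto_a == "none":
        return True                     # on/on
    return mode_a in INITIATORS or mode_b in INITIATORS


def compatibility_table(modes=("on", "active", "passive", "desirable", "auto")):
    """Full pairwise matrix as {(mode_a, mode_b): bool}, reproducing both tables in one view."""
    return {(a, b): bundle_forms(a, b) for a in modes for b in modes}


def grade_question_1():
    """Evaluate the four switch1/switch2 pairs offered in Question 1; only D (desirable/auto) bundles."""
    options = {"A": ("active", "auto"), "B": ("desirable", "passive"),
               "C": ("on", "auto"), "D": ("desirable", "auto")}
    return {letter: bundle_forms(*pair) for letter, pair in options.items()}


if __name__ == "__main__":
    for (a, b), ok in compatibility_table().items():
        print(f"{a:9s} {b:9s} -> {'Yes' if ok else 'No'}")
    print("Question 1:", grade_question_1())
```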

Question 10

Refer to the exhibit.

Which EtherChannel negotiation protocol is configured on the interface f0/13 – f0/15?

A. Link Combination Control Protocol
B. Port Aggregation Protocol
C. Port Combination Protocol
D. Link Aggregation Control Protocol

Answer: B

Explanation

Interfaces Fa0/13 to Fa0/15 are bundled into Port-channel 12 and it is running with “desirable” mode -> it is using PAgP.

Question 11


Refer to the exhibit.

Users of PC-1 experience slow connection when a webpage is requested from the server. To increase bandwidth, the network engineer configured an EtherChannel on interfaces Fa1/0 and Fa0/1 of the server farm switch, as shown here:

Server_Switch#sh etherchannel load-balance
EtherChannel Load-Balancing Operational State (src-mac):
Non-IP: Source MAC address
IPv4: Source MAC address
IPv6: Source IP address
Server_Switch#

However, traffic is still slow. Which action can the engineer take to resolve this issue?

A. Disable EtherChannel load balancing.
B. Upgrade the switch IOS to IP services image.
C. Change the load-balance method to dst-mac.
D. Contact Cisco TAC to report a bug on the switch.

Answer: C

Explanation

From the output we see that the Server_Switch is currently load balancing by source MAC address. Changing the load-balancing method to another method can solve the problem. In this case C is the best choice because the other answers are clearly incorrect.

Question 12

A network engineer changed the port speed and duplex setting of an existing EtherChannel bundle that uses the PAgP protocol. Which statement describes what happens to all ports in the bundle?

A. PAgP changes the port speed and duplex for all ports in the bundle.
B. PAgP drops the ports that do not match the configuration.
C. PAgP does not change the port speed and duplex for all ports in the bundle until the switch is rebooted.
D. PAgP changes the port speed but not the duplex for all ports in the bundle.

Answer: A

Explanation

Configuration changes applied to the port-channel interface apply to all the physical ports assigned to the port-channel interface. Configuration changes applied to the physical port affect only the port where you apply the configuration. To change the parameters of all ports in an EtherChannel, apply configuration commands to the port-channel interface, for example, spanning-tree commands or commands to configure a Layer 2 EtherChannel as a trunk.

Note: If we only change the parameters on a physical port of the port-channel, the port-channel may go down because of parameter mismatch. For example, if you only configure “switchport trunk allowed vlan …” on a physical port, the port-channel will go down.

Question 13


Which statement about using EtherChannel on Cisco IOS switches is true?

A. A switch can support up to eight compatibly configured Ethernet interfaces in an EtherChannel. The EtherChannel provides full-duplex bandwidth up to 800 Mbps only for Fast EtherChannel or 8 Gbps only for Gigabit EtherChannel.
B. A switch can support up to 10 compatibly configured Ethernet interfaces in an EtherChannel. The EtherChannel provides full-duplex bandwidth up to 1000 Mbps only for Fast EtherChannel or 8 Gbps only for Gigabit EtherChannel.
C. A switch can support up to eight compatibly configured Ethernet interfaces in an EtherChannel. The EtherChannel provides full-duplex bandwidth up to 800 Mbps only for Fast EtherChannel or 16 Gbps only for Gigabit EtherChannel.
D. A switch can support up to 10 compatibly configured Ethernet interfaces in an EtherChannel. The EtherChannel provides full-duplex bandwidth up to 1000 Mbps only for Fast EtherChannel or 10 Gbps only for Gigabit EtherChannel.

 Answer: A

Explanation

The EtherChannel provides full-duplex bandwidth up to 800 Mbps (Fast EtherChannel) or 8 Gbps (Gigabit EtherChannel) between your switch and another switch or host.

Each EtherChannel can consist of up to eight compatibly configured Ethernet interfaces. All interfaces in each EtherChannel must be the same speed, and all must be configured as either Layer 2 or Layer 3 interfaces.

Note: 800 Mbps full-duplex means data can be transmitted at 800 Mbps and received at 800 Mbps (1600 Mbps in total).

Question 14

Refer to the exhibit.

Which statement about switch S1 is true?

A. Physical port Fa0/13, Fa0/14, and Fa0/15 successfully formed a Layer 2 port-channel interface using an open standard protocol.
B. Logical port Fa0/13, Fa0/14, and Fa0/15 successfully formed a Layer 2 physical port-channel interface using a Cisco proprietary protocol.
C. Physical port Fa0/13, Fa0/14, and Fa0/15 successfully formed a Layer 3 port-channel interface using a Cisco proprietary protocol.
D. Logical port Fa0/13, Fa0/14, and Fa0/15 successfully formed a Layer 3 physical port-channel interface using an open standard protocol.

Answer: A

Explanation


From the last line of the output, we learn physical ports Fa0/13, Fa0/14, and Fa0/15 are bundled into Port-channel 1 and use LACP which is an open standard protocol.

Question 15

What is the maximum number of 10 Gigabit Ethernet connections that can be utilized in an EtherChannel for the virtual switch link?

A. 4
B. 6
C. 8
D. 12

Answer: C

Explanation

The EtherChannel provides full-duplex bandwidth up to 800 Mbps (Fast EtherChannel) or 8 Gbps (Gigabit EtherChannel) between your switch and another switch or host. Therefore if we have 10 Gigabit Ethernet connections, only 8 links will be used.

Question 16

Which statement about restrictions for multichassis LACP is true?

A. It is available only on a Cisco Catalyst 6500 Series chassis.
B. It does not support 1Gb links.
C. Converting a port channel to mLACP can cause a service disruption.
D. It is not available in VSS.

Answer: C

Explanation

Multichassis LACP (mLACP) is also supported on 7600 and ASR9000 series -> A is not correct.

mLACP supports both FastEthernet & GigabitEthernet -> B is not correct.

VSS mode lacks support only for the “mLACP for server access” feature; mLACP itself is available in a Virtual Switching System (VSS). An example combining VSS and mLACP is shown below:

In the topology above, the mLACP is a port channel that spans the two chassis of a VSS. Notice that the two chassis of this VSS are connected via a Virtual Switch Link (VSL). The VSL is a special link that carries control and data traffic between the two chassis of a VSS. In this case the VSL is implemented as an EtherChannel with two links.

+ mLACP does not support Fast Ethernet.
+ mLACP does not support half-duplex links.
+ mLACP does not support multiple neighbors.
+ Converting a port channel to mLACP can cause a service disruption (in a short time) -> D is not correct.


Question 17

Which four LACP components are used to determine which hot-standby links become active after an interface failure within an EtherChannel bundle? (Choose four)

A. LACP system priority
B. hot-standby link identification number
C. system ID
D. interface bandwidth
E. LACP port priority
F. port number
G. interface MAC address

Answer: A C E F

Explanation

When enabled, LACP tries to configure the maximum number of LACP-compatible ports in a channel, up to a maximum of 16 ports. Only eight LACP links can be active at one time. The software places any additional links in a hot-standby mode. If one of the active links becomes inactive, a link that is in the hot-standby mode becomes active in its place.

If you configure more than eight links for an EtherChannel group, the software automatically decides which of the hot-standby ports to make active based on the LACP priority. The software assigns to every link between systems that operate LACP a unique priority made up of these elements (in priority order):

+ LACP system priority
+ System ID (a combination of the LACP system priority and the switch MAC address)
+ LACP port priority
+ Port number

In priority comparisons, numerically lower values have higher priority. The priority decides which ports should be put in standby mode when there is a hardware limitation that prevents all compatible ports from aggregating. Ports are considered for active use in aggregation in link-priority order, starting with the port attached to the highest priority link. Each port is selected for active use if the preceding higher priority selections can also be maintained. Otherwise, the port is selected for standby mode.
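The hot-standby selection described above, modelled as an added Python example (not code from the page or from Cisco IOS): each link is ranked by the four-element priority in the order listed, the eight best live links become active and the rest stay in hot-standby, and a failed active link is replaced by the best standby. The ten-port bundle, its MAC address and the port priorities are constructed placeholders.

```python
from dataclasses import dataclass, replace

MAX_LACP_PORTS = 16   # LACP bundles up to 16 compatible ports ...
MAX_ACTIVE = 8        # ... but only 8 carry traffic; the rest are hot-standby


@dataclass(frozen=True)
class LacpLink:
    name: str
    system_priority: int   # LACP system priority of the deciding system
    system_mac: str        # together with system_priority this is the system ID
    port_priority: int     # LACP port priority (default 32768)
    port_number: int       # physical port number

    def link_priority(self):
        """The four elements the page lists, in comparison order; lower wins."""
        return (self.system_priority,
                (self.system_priority, self.system_mac),
                self.port_priority,
                self.port_number)


def select_active(links, failed=frozenset()):
    """Split the bundle into (active, hot-standby) member names. Links are
    walked in priority order and the first MAX_ACTIVE that are still up are
    activated, so a failed active link is replaced by the best standby link."""
    if len(links) > MAX_LACP_PORTS:
        raise ValueError(f"LACP bundles at most {MAX_LACP_PORTS} ports")
    live = sorted((link for link in links if link.name not in failed),
                  key=LacpLink.link_priority)
    names = [link.name for link in live]
    return names[:MAX_ACTIVE], names[MAX_ACTIVE:]


def demo_bundle(preferred=None, preferred_priority=100):
    """Constructed ten-port bundle Gi1/1..Gi1/10 from one system (placeholder
    MAC, default priorities). Optionally give one port a better port priority,
    the effect of 'lacp port-priority' on that interface."""
    links = [LacpLink(f"Gi1/{n}", 32768, "0000.0000.aaaa", 32768, n)
             for n in range(1, 11)]
    if preferred is not None:
        links = [replace(link, port_priority=preferred_priority)
                 if link.name == preferred else link for link in links]
    return links


if __name__ == "__main__":
    print(select_active(demo_bundle()))
    print(select_active(demo_bundle(), failed={"Gi1/2"}))
    print(select_active(demo_bundle(preferred="Gi1/10")))
```

With default priorities the two highest-numbered ports land in standby; lowering the port priority of Gi1/10 moves it to the head of the list, and losing Gi1/2 promotes Gi1/9 without touching the other active members.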

VLAN Questions


Question 1

Which feature is automatically enabled when a voice VLAN is configured, but not automatically disabled when a voice VLAN is removed?

A. portfast
B. port-security
C. spanning tree
D. storm control

Answer: A

Explanation

The Port Fast feature is automatically enabled when voice VLAN is configured. When you disable voice VLAN, the Port Fast feature is not automatically disabled.

Question 2

In which portion of the frame is the 802.1q header found?

A. within the Ethernet header
B. within the Ethernet payload
C. within the Ethernet FCS
D. within the Ethernet source MAC address

Answer: A

Explanation

802.1Q VLAN frames are distinguished from ordinary Ethernet frames by the insertion of a 4-byte VLAN tag into the Ethernet header.

Question 3

What is required for a LAN switch to support 802.1q Q-in-Q encapsulation?

A. Support less than 1500 MTU
B. Support 1504 MTU or higher
C. Support 1522 layer 3 IP and IPX packet
D. Support 1547 MTU only

Answer: B

Explanation

Because the 802.1Q tunneling feature increases the frame size by 4 bytes when the metro tag is added, you must configure all switches in the service-provider network to be able to process maximum frames by increasing the switch system MTU size to at least 1504 bytes.

Question 4


What is the size of the VLAN field inside an 802.1q frame?

A. 8-bit
B. 12-bit
C. 16-bit
D. 32-bit

Answer: B

Explanation

The VLAN ID field inside an 802.1q frame consists of 12 bits. Therefore we have 2^12 = 4096 VLAN IDs, theoretically.

Question 5

What is the maximum number of VLANs that can be assigned to an access switchport without a voice VLAN?

A. 0
B. 1
C. 2
D. 1024

Answer: B

Explanation

Each access port can only be assigned to one VLAN via the “switchport access vlan ” command.

Question 6

What does the command “vlan dot1q tag native” accomplish when configured under global configuration?

A. All frames within the native VLAN are tagged, except when the native VLAN is set to 1.
B. It allows control traffic to pass using the non-default VLAN.
C. It removes the 4-byte dot1q tag from every frame that traverses the trunk interface(s).
D. Control traffic is tagged.

Answer: D

Explanation

This command is used to enable tagging of native VLAN frames on all 802.1Q trunk ports.

Answer A is not correct because even when the native VLAN is set to 1, all of the frames of the native VLAN are tagged.

Answer B is not correct because the control traffic still passes via the default VLAN (VLAN 1).

Answer C is not correct because all the frames are tagged with 4-byte dot1q tag.

Only answer D is the best choice because control traffic (like CDP, VTP, STP, DTP…) uses VLAN 1 for communication. When the native VLAN (VLAN 1 by default) is tagged, all control traffic is tagged too. If the native VLAN is not VLAN 1, then all the control traffic on VLAN 1 is still tagged by default (without using the above command).


VLAN Trunking

Question 1

Refer to the exhibit.

SW-1#sh logging
%SPANTREE-SP-2-RECV_PVID_ERR: Received BPDU with inconsistent peer Vlan id 1 on GigabitEthernet1/2 VLAN2013.
%SPANTREE-SP-2-BLOCK_PVID_PEER: Blocking GigabitEthernet1/2 on VLAN0001. Inconsistent peer vlan.

A multilayer switch has been configured to send and receive encapsulated and tagged frames. VLAN 2013 on the multilayer switch is configured as the native VLAN. Which option is the cause of the spanning-tree error?

A. VLAN spanning-tree in SW-2 is configured.
B. spanning-tree bpdu-filter is enabled.
C. 802.1q trunks are on both sides, both with native VLAN mismatch.
D. VLAN ID 1 should not be used for management traffic because it's unsafe.

Answer: C

Explanation

These errors are generated because the native VLAN is not matched on the two switches (the native VLAN on SW-1 is not the default native VLAN 1 while the native VLAN on the other side is VLAN 1). The errors indicate that spanning tree has detected mismatched native VLANs and has shut down VLAN 1 on the trunk.

We should verify that the configuration of the native VLAN ID is consistent on the interfaces at each end of the IEEE 802.1Q trunk connection. When the configurations are consistent, spanning tree automatically unblocks the interfaces.

Question 2

Refer to the exhibit.

3512xl(config)#int fastEthernet 0/1
3512xl(config-if)#switchport mode trunk
3512xl(config-if)#switchport trunk encapsulation dot1q

How many bytes are added to each frame as a result of the configuration?

A. 4-bytes except the native VLAN
B. 8-bytes except the native VLAN
C. 4-bytes including native VLAN
D. 8-bytes including native VLAN

Answer: A

Explanation

In 802.1Q, the trunking device inserts a 4-byte tag into the original frame and recomputes the frame check sequence (FCS) before the device sends the frame over the trunk link. At the receiving end, the tag is removed and the frame is forwarded to the assigned VLAN. 802.1Q does not tag frames on the native VLAN. It tags all other frames that are transmitted and received on the trunk.
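An added Python example, not code from the page, that puts the tag facts from VLAN Questions 2, 3 and 4 and Trunking Question 2 together: it builds an untagged frame, inserts the 4-byte 802.1Q tag after the source MAC the way a dot1q trunk does, leaves native-VLAN frames untagged, stacks a second (Q-in-Q) tag on top, and shows the 12-bit VID field and the resulting 1504/1508-byte Layer 2 payload that a switch's system MTU has to allow. The MAC addresses and the 1500-byte payload are constructed sample values.

```python
import struct

# 802.1Q Tag Protocol Identifier (Ethertype 0x8100) that marks a tagged frame.
TPID_8021Q = 0x8100
MAX_VLAN_IDS = 2 ** 12   # the VID field is 12 bits wide: 4096 values


def is_valid_vlan_id(vlan_id):
    """VID 0 means 'priority tagged' and 4095 is reserved, so 1..4094 are usable."""
    return 1 <= vlan_id <= 4094


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Untagged Ethernet frame without FCS: 6 + 6 + 2 byte header, then payload."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def tag_frame(frame, vlan_id, pcp=0, native_vlan=1):
    """What a dot1q trunk port does on egress: insert a 4-byte tag (TPID + TCI)
    inside the Ethernet header, right after the source MAC. Frames on the
    native VLAN leave untagged. Applying this to an already tagged frame
    stacks an outer (Q-in-Q / metro) tag in front of the inner one."""
    if vlan_id == native_vlan:
        return frame
    if not is_valid_vlan_id(vlan_id):
        raise ValueError("VLAN ID must be 1..4094 (12-bit field)")
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0xFFF)   # PCP(3) DEI(1) VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def vlan_stack(frame):
    """Return the VIDs carried by the frame, outermost first ([] if untagged)."""
    vids, offset = [], 12
    while struct.unpack("!H", frame[offset:offset + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vids.append(tci & 0xFFF)
        offset += 4
    return vids


def l2_payload_size(frame):
    """Bytes after the original 14-byte Ethernet header. This is the size the
    switch system MTU must accommodate: 1504 with one tag, 1508 with two."""
    return len(frame) - 14


# Constructed sample frame: broadcast destination, placeholder source MAC,
# IPv4 Ethertype and a full 1500-byte payload.
SAMPLE = build_frame(b"\xff" * 6, bytes.fromhex("001122334455"), 0x0800, b"\x00" * 1500)

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE, 10)
    print(len(SAMPLE), len(tagged), vlan_stack(tagged), l2_payload_size(tagged))
    qinq = tag_frame(tagged, 200)    # service-provider tag added at the metro edge
    print(len(qinq), vlan_stack(qinq), l2_payload_size(qinq))
    print(vlan_stack(tag_frame(SAMPLE, 1)))   # native VLAN: sent untagged
```

The native-VLAN branch is the reason the answer above is “4 bytes except the native VLAN”, and the stacked call is why a Q-in-Q core needs a system MTU of at least 1504 bytes on every switch in the path.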


Question 3

A network engineer must implement Ethernet links that are capable of transporting frames and IP traffic for different broadcast domains that are mutually isolated. Consider that this is a multivendor environment. Which Cisco IOS switching feature can be used to achieve the task?

A. PPP encapsulation with a virtual template
B. Link Aggregation Protocol at the access layer
C. dot1q VLAN trunking
D. Inter-Switch Link

Answer: C

Explanation

802.1Q is an industry-standards-based implementation for carrying traffic for multiple VLANs on a single trunking interface between two Ethernet switches. 802.1Q is for Ethernet networks only.

Question 4

Which technique allows specific VLANs to be strictly permitted by the administrator?

A. VTP pruning
B. transparent bridging
C. trunk allowed VLANs
D. VLAN access-list
E. L2P tunneling

Answer: C

Explanation

We can use the “switchport trunk allowed vlan ” to specify which VLANs are allowed to go through. Other VLANs will be dropped.

Question 5

For security reasons, the IT manager has prohibited users from dynamically establishing trunks with their associated upstream switch. Which two actions can prevent interface trunking? (Choose two)

A. Configure trunk and access interfaces manually.
B. Disable DTP on a per interface basis.
C. Apply BPDU guard and BPDU filter.
D. Enable switchport block on access ports.

Answer: A B

Explanation

Manually configuring trunking with the “switchport mode trunk” command and manually configuring access interfaces with the “switchport mode access” command prevents auto trunking on that interface.

Disabling DTP with the “switchport nonegotiate” command, so that DTP messages are not advertised out of the interface, is also a good way to prevent auto trunking.


Question 6

Which two protocols can be automatically negotiated between switches for trunking? (Choose two)

A. PPP
B. DTP
C. ISL
D. HDLC
E. DLCI
F. DOT1Q

Answer: C F

Explanation

There are two protocols that can be used for trunking: Inter-Switch Link (ISL) and 802.1Q. We can choose which protocol to run by the “switchport trunk encapsulation “. After that we can configure trunking mode with the “switchport mode trunk” command.

In fact this question is not clear and may cause confusion because Dynamic Trunking Protocol (DTP) is the protocol that can automatically negotiate for trunking.

Note: The DTP options can be dynamic auto, dynamic desirable, and trunk.

Question 7

The network manager has requested that several new VLANs (VLAN 10, 20, and 30) are allowed to traverse the switch trunk interface. After the command “switchport trunk allowed vlan 10,20,30″ is issued, all other existing VLANs no longer pass traffic over the trunk. What is the root cause of the problem?

A. The command effectively removed all other working VLANs and replaced them with the new VLANs.
B. VTP pruning removed all unused VLANs.
C. ISL was unable to encapsulate more than the already permitted VLANs across the trunk.
D. Allowing additional VLANs across the trunk introduced a loop in the network.

Answer: A

Explanation

By default all VLANs are allowed to go through a trunk but if we apply the “switchport trunk allowed vlan ” then only these VLANs are allowed to go through, other VLANs are dropped so be careful when limiting VLANs on the trunks with this command.

Question 8

A manager tells the network engineer to permit only certain VLANs across a specific trunk interface. Which option can be configured to accomplish this?

A. allowed VLAN list
B. VTP pruning
C. VACL
D. L2P tunneling

Answer: A

Explanation

We can use the “switchport trunk allowed vlan ” to specify which VLANs are allowed to go through. Other VLANs will be dropped.


Question 9

Refer to the exhibit.

interface GigabitEthernet 1/0/1
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport voice vlan 11
 spanning-tree portfast
!

Which option shows the expected result if a “show vlan” command is issued?

A.

B.

C.

D.

A. Exhibit A
B. Exhibit B
C. Exhibit C
D. Exhibit D

Answer: A

Explanation

First we will explain these two commands:

switchport access vlan 10
switchport mode trunk

The first command is used for an access port whilst the second is used for a trunk, so why are they here at the same time? In fact this interface was set as a trunk. The “switchport access vlan 10” is still there but it does not affect the operational mode of the port -> Gi1/0/1 is a trunk port so it will not appear in the “show vlan” output.


The “switchport voice vlan 11” command is here only to confuse you. But it does have an effect on the port: Cisco uses CDP to identify a Cisco IP Phone and will automatically place that phone's traffic into the voice VLAN. For example, if we configure like this:

interface fa0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport voice vlan 11

Then the voice traffic from a Cisco IP Phone will be placed into VLAN 11.

Note: In the above configuration, the data and voice use the same interface fa0/0 so it should be configured as a trunk link.


VTP Questions

Question 1

Several new switches have been added to the existing network as VTP clients. All of the new switches have been configured with the same VTP domain, password, and version. However, VLANs are not passing from the VTP server (existing network) to the VTP clients. What must be done to fix this?

A. Remove the VTP domain name from all switches with “null” and then replace it with the new domain name.
B. Configure a different native VLAN on all new switches that are configured as VTP clients.
C. Provision one of the new switches to be the VTP server and duplicate information from the existing network.
D. Ensure that all switch interconnects are configured as trunks to allow VTP information to be transferred.

Answer: D

Explanation

VTP updates can only be forwarded on trunk links.

Question 2

After implementing VTP, the extended VLANs are not being propagated to other VTP switches. What should be configured for extended VLANs?

A. VTP does not support extended VLANs and should be manually added to all switches.
B. Enable VTP version 3, which supports extended VLAN propagation.
C. VTP authentication is required when using extended VLANs because of their ability to cause network instability.
D. Ensure that all switches run the same Cisco IOS version. Extended VLANs will not propagate to different IOS versions when extended VLANs are in use.

Answer: B

Explanation

VTP version 1 and version 2 support VLANs 1 to 1000 only. Extended-range VLANs are supported only in VTP version 3. If converting from VTP version 3 to VTP version 2, VLANs in the range 1006 to 4094 are removed from VTP control.

Question 3

Which technique automatically limits VLAN traffic to only the switches that require it?

A. access lists
B. DTP in nonegotiate
C. VTP pruning
D. PBR

Answer: C

Explanation

VTP Pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast frames on a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN. In the example below, the Server switch does not send the broadcast frame to Sw2 because Sw2 does not have any ports in VLAN 10.


Question 4

Refer to the exhibit.

Switch A, B, and C are trunked together and have been properly configured for VTP. Switch C receives VLAN information from the VTP server Switch A, but Switch B does not receive any VLAN information. What is the most probable cause of this behavior?

A. Switch B is configured in transparent mode.
B. Switch B is configured with an access port to Switch A, while Switch C is configured with a trunk port to Switch B.
C. The VTP revision number of the Switch B is higher than that of Switch A.
D. The trunk between Switch A and Switch B is misconfigured.

Answer: A

Explanation

Switch C can receive VLAN information from Switch A so Switch B can forward it to Switch C without updating its VLAN database -> Switch B is in VTP transparent mode.

Question 5

A network is running VTPv2. After verifying all VTP settings, the network engineer notices that the new switch is not receiving the list of VLANs from the server. Which action resolves this problem?

A. Reload the new switch.
B. Restart the VTP process on the new switch.
C. Reload the VTP server.
D. Verify connected trunk ports.

Answer: D

Explanation

VTP updates can only be forwarded on trunk links.

Question 6


After configuring new data VLANs 1020 through 1030 on the VTP server, a network engineer notices that none of the VTP clients are receiving the updates. What is the problem?

A. The VTP server must be reloaded.
B. The VTP version number must be set to version 3.
C. After each update to the VTP server, it takes up to 4 hours to propagate.
D. VTP must be stopped and restarted on the server.
E. Another switch in the domain has a higher revision number than the server.

Answer: B

Explanation

VTP version 1 and version 2 support VLANs 1 to 1000 only. Extended-range VLANs are supported only in VTP version 3. If converting from VTP version 3 to VTP version 2, VLANs in the range 1006 to 4094 are removed from VTP control.

Question 7

A network engineer is extending a LAN segment between two geographically separated data centers. Which enhancement to a spanning-tree design prevents unnecessary traffic from crossing the extended LAN segment?

A. Modify the spanning-tree priorities to dictate the traffic flow.
B. Create a Layer 3 transit VLAN to segment the traffic between the sites.
C. Use VTP pruning on the trunk interfaces.
D. Configure manual trunk pruning between the two locations.

Answer: C

Explanation

VTP Pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast frames on a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN.

Question 8

When you design a switched network using VTPv2, how many VLANs can be used to carry user traffic?

A. 1000
B. 1001
C. 1024
D. 2048
E. 4095
F. 4096

Answer: B

Explanation

VTP version 1 and version 2 support VLANs 1 to 1000 only. Extended-range VLANs are supported only in VTP version 3. If converting from VTP version 3 to VTP version 2, VLANs in the range 1006 to 4094 are removed from VTP control.

Question 9

A new network that consists of several switches has been connected together via trunking interfaces. If all switches currently have the default VTP domain name “null”, which statement describes what happens when a domain name is configured on one of the switches?

A. The switch with the non-default domain name restores back to “null” upon reboot.
B. Switches with higher revision numbers do not accept the new domain name.
C. VTP summary advertisements are sent out of all ports with the new domain name.
D. All other switches with the default domain name become VTP clients.

Answer: C

Explanation

If a VTP client or server with a null domain receives a VTP message with the domain populated, it will assume the domain of the received message and add applicable VLANs to its database.

Question 10

Which VTP mode is needed to configure an extended VLAN, when a switch is configured to use VTP versions 1 or 2?

A. transparent
B. client
C. server
D. Extended VLANs are only supported in version 3 and not in versions 1 or 2.

Answer: D

Explanation

VTP version 1 and version 2 support VLANs 1 to 1000 only. Extended-range VLANs are supported only in VTP version 3. If converting from VTP version 3 to VTP version 2, VLANs in the range 1006 to 4094 are removed from VTP control.

Question 11

Which VLAN range is eligible to be pruned when a network engineer enables VTP pruning on a switch?

A. VLANs 1-1001
B. VLANs 1-4094
C. VLANs 2-1001
D. VLANs 2-4094

Answer: C

Explanation

VTP pruning still applies only to VLANs 1 to 1005, and VLANs 1002 to 1005 are still reserved and cannot be modified.

Question 12

Which feature must be enabled to eliminate the broadcasting of all unknown traffic to switches that are not participating in the specific VLAN?

A. VTP pruning
B. port-security
C. storm control
D. bpdguard

Answer: A

Explanation

VTP Pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast frames on a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN

Question 13

Refer to the exhibit.

Switch1(config)#vlan 10
VTP vlan configuration not allowed when device is in CLIENT mode.
Switch1#show interfaces trunk
Switch1#

The users in an engineering department that connect to the same access switch cannot access the network. The network engineer found that the engineering VLAN is missing from the database. Which action resolves this problem?

A. Disable VTP pruning and disable 802.1q.
B. Update the VTP revision number.
C. Change VTP mode to server and enable 802.1q.
D. Enable VTP pruning and disable 802.1q.

Answer: C

Explanation

In Client mode we cannot create VLANs, and Switch1 does not have any trunk links so it cannot receive any VTP updates. No answer mentions configuring trunk links, so we have to choose the solution “change VTP mode to server and enable 802.1q”. But this is a dangerous solution because this switch can “update” other switches with its VLAN database via VTP.

Question 14

Refer to the exhibit.

The network switches for two companies have been connected and manually configured for the required VLANs, but users in company A are not able to access network resources in company B when DTP is enabled. Which action resolves this problem?

A. Delete vlan.dat and ensure that the switch with lowest MAC address is the VTP server.
B. Disable DTP and document the VTP domain mismatch.
C. Manually force trunking with switchport mode trunk on both switches.
D. Enable the company B switch with the vtp mode server command.

Answer: C

Explanation

From the output above we see that the Company A switch cannot receive VTP updates from the Company B switch. Therefore we should check the trunk links connecting the two switches. Manually forcing trunking may be a good solution.


Question 15

A network engineer must improve bandwidth and resource utilization on the switches by stopping the inefficient flooding of frames on trunk ports where the frames are not needed. Which Cisco IOS feature can be used to achieve this task?

A. VTP pruning
B. access list
C. switchport trunk allowed VLAN
D. VLAN access-map

Answer: A

Explanation

VTP Pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast frames on a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN.

Question 16

Which action allows a network engineer to limit a default VLAN from being propagated across all trunks?

A. Upgrade to VTP version 3 for advanced feature set support.
B. Enable VTP pruning on the VTP server.
C. Manually prune default VLAN with switchport trunk allowed vlans remove.
D. Use trunk pruning vlan 1.

Answer: C

Explanation

VLANs 2–1000 are eligible for pruning, but VLAN 1 has a special meaning because it is normally used as a management VLAN and is not eligible for pruning. The only way to remove VLAN 1 is the “switchport trunk allowed vlan remove 1” command. But even when you remove VLAN 1 from a trunk port, the interface continues to send and receive management traffic in VLAN 1, for example Cisco Discovery Protocol (CDP), Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), DTP, and VTP. A benefit of clearing VLAN 1 is that user data can no longer travel over this VLAN. BPDU traffic is also banned on this VLAN.

Note: The Cisco IOS-based Catalyst 2900XL/3500XL switches do not allow you to clear VLAN 1 from a trunk; however, the Catalyst 2950/3550, Cisco IOS 4000/4500, and native IOS 6000/6500 switches allow you to clear VLAN 1.

Question 17

Refer to the exhibit.

Switch A, B, and C are trunked together and have been properly configured for VTP. Switch B has all VLANs, but Switch C is not receiving traffic from certain VLANs. What would cause this issue?

A. A VTP authentication mismatch occurred between Switch A and Switch B.
B. The VTP revision number of Switch B is higher than that of Switch A.
C. VTP pruning is configured globally on all switches and it removed VLANs from the trunk interface that is connected to Switch C.
D. The trunk between Switch A and Switch B is misconfigured.

Answer: C


STP Questions

Question 1

Which command does a network engineer use to verify the spanning-tree status for VLAN 10?

A. switch# show spanning-tree vlan 10
B. switch# show spanning-tree bridge
C. switch# show spanning-tree brief
D. switch# show spanning-tree summary
E. switch# show spanning-tree vlan 10 brief

Answer: A

Explanation

If we want to view the spanning-tree status of a specific VLAN, use the “show spanning-tree vlan ” command. An example of the output of this command is shown below:

Question 2

Refer to the exhibit.

f1/0 and f1/1 have the same end-to-end path cost to the designated bridge. Which action is needed to modify the Layer 2 spanning-tree network so that traffic for PC1 VLAN from switch SW3 uses switchport f1/1 as a primary port?


A. Modify the spanning-tree port-priority on SW1 f1/1 to 0 and f1/0 to 16.
B. Modify the spanning-tree port-priority on SW1 f1/1 to 16 and f1/0 to 0.
C. Modify the spanning-tree port-priority on SW2 f1/1 to 0 and f1/0 to 16.
D. Modify the spanning-tree port-priority on SW2 f1/1 to 16 and f1/0 to 0.

Answer: C

Explanation

SW3 needs to block one of its ports to SW2 to avoid a bridging loop between the two switches. But how does SW3 select its blocked port? Well, the answer is based on the BPDUs it receives from SW2. A BPDU is superior to another if it has:

1. A lower Root Bridge ID
2. A lower path cost to the Root
3. A lower Sending Bridge ID
4. A lower Sending Port ID

These four parameters are examined in order. In this specific case, all the BPDUs sent by SW2 have the same Root Bridge ID, the same path cost to the Root and the same Sending Bridge ID. The only parameter left to select the best one is the Sending Port ID (Port ID = port priority + port index). The lower the port priority value, the higher the priority of that port. Therefore we must change the port-priority on F1/1 to a lower value than that of Fa1/0. Zero is the lowest value we can assign to a port, so we assign this value to SW2 F1/1 and configure a higher value on Fa1/0. This is the command to complete this task:

SW2(config)#interface f1/1
SW2(config-if)#spanning-tree vlan port-priority 0

Note: If we don’t change the port priority, SW3 will compare port index values, which are unique to each port on the switch, and because the port index of Fa1/0 is lower than that of Fa1/1, SW3 will select Fa1/0 as its root port and block the other port.

Question 3

Refer to the exhibit.

Why would the switch be considered as a root bridge?

A. The bridge priority is 1 and all ports are forwarding.
B. The switch priority for VLAN 1 and the macro specifies “This Bridge is the root”.
C. The bridge priority is 128.19 and all ports are forwarding.
D. The switch priority value is zero, it has the lowest priority value for VLAN 1.

Answer: D

Explanation

After powering on, the switches start sending BPDUs to elect a root bridge. A BPDU is superior to another if it has:

1. A lower Root Bridge ID
2. A lower path cost to the Root
3. A lower Sending Bridge ID
4. A lower Sending Port ID

From the output above, we learn that SW1 is the root bridge for VLAN 1 (from “this bridge is the root” line). SW1 has the “Bridge ID Priority” of 1 because SW1 has been configured with switch priority value of 0, which is also the lowest priority value (highest priority). This value is then added with the VLAN ID (VLAN 1 in this case) so the final value is 1.

Question 4

Refer to the exhibit.

All ports are members of VLAN 10. Considering the default cost of upstream bridges to the root bridge is equal, which option will be the new root port for VLAN 10?

A. interface f0/13
B. interface f0/14
C. interface f0/15
D. interface f0/21

Answer: D

Explanation

After receiving BPDUs from upstream bridges, the switch adds the STP cost of the receiving port and chooses the lowest total as its root port -> the STP cost of Fa0/21 is the smallest, so it is chosen as the root port.
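An added Python example, not code from the page, that applies the four-step BPDU comparison from Questions 2 to 4 above: bridge IDs are built from the switch priority plus the VLAN ID, BPDUs are compared as tuples in the listed order with the receiving port's cost added, and the root port is the port that received the most superior BPDU. SW1 and SW2 with their MAC addresses and the port costs for Question 4 are constructed placeholders; in particular f0/21 is assumed to have been given a lower cost than the other three ports.

```python
from dataclasses import dataclass


def bridge_id(priority, vlan_id, mac):
    """PVST+ bridge ID with extended system ID: the configured switch priority
    (a multiple of 4096) plus the VLAN ID, then the MAC address as the final
    tie-breaker. Priority 0 on VLAN 1 gives the value 1 seen in Question 3."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return (priority + vlan_id, mac)


@dataclass(frozen=True)
class Bpdu:
    root_id: tuple          # bridge_id() of the bridge the sender believes is root
    root_path_cost: int     # sender's cost to that root
    sender_id: tuple        # bridge_id() of the sending bridge
    sender_port_id: tuple   # (port priority, port index) of the sending port

    def key(self, ingress_cost):
        """The four fields the page lists, in order; a lower tuple is superior.
        The receiving switch adds the cost of the port the BPDU arrived on."""
        return (self.root_id, self.root_path_cost + ingress_cost,
                self.sender_id, self.sender_port_id)


def select_root_port(received):
    """received maps a local port name to (Bpdu, STP cost of that local port).
    Returns the port that received the most superior BPDU."""
    return min(received, key=lambda port: received[port][0].key(received[port][1]))


def is_root_bridge(own_id, received):
    """A bridge stays root as long as no received BPDU names a better root."""
    return all(own_id <= bpdu.root_id for bpdu, _ in received.values())


# Constructed placeholder bridges: SW1 is root with priority 0, SW2 keeps the
# default 32768; both on VLAN 1.
SW1 = bridge_id(0, 1, "0000.0000.0001")
SW2 = bridge_id(32768, 1, "0000.0000.0002")


def sw3_root_port(sw2_f1_1_port_priority=128):
    """Question 2: SW3 hears SW2 on f1/0 and f1/1 over equal-cost links. The
    two BPDUs match in everything but the sending port ID, so SW2's port
    priority on f1/1 decides which SW3 port becomes the root port."""
    received = {
        "f1/0": (Bpdu(SW1, 19, SW2, (128, 0)), 19),
        "f1/1": (Bpdu(SW1, 19, SW2, (sw2_f1_1_port_priority, 1)), 19),
    }
    return select_root_port(received)


def q4_root_port():
    """Question 4: upstream costs are equal, so the local port cost decides.
    Constructed costs: f0/13-f0/15 at the FastEthernet default of 19, f0/21
    assumed to carry a configured cost of 4."""
    received = {name: (Bpdu(SW1, 19, SW2, (128, idx)), cost)
                for name, idx, cost in [("f0/13", 13, 19), ("f0/14", 14, 19),
                                        ("f0/15", 15, 19), ("f0/21", 21, 4)]}
    return select_root_port(received)


if __name__ == "__main__":
    print(SW1, sw3_root_port(), sw3_root_port(0), q4_root_port())
```

Running the defaults reproduces the note in Question 2 (f1/0 wins on port index); passing 0 for SW2's f1/1 port priority flips the choice, which is exactly what answer C configures.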

Question 5

A network engineer is trying to deploy a PC on a network. The engineer observes that when the PC is connected to the network, it takes 30 to 60 seconds for the PC to see any activity on the network interface card. Which Layer 2 enhancement can be used to eliminate this delay?

A. Configure port duplex and speed to auto negotiation.
B. Configure port to duplex full and speed 1000.
C. Configure spanning-tree portfast.
D. Configure no switchport.

Answer: C

Explanation

Portfast is often configured on switch ports that connect to hosts. Interfaces with Portfast enabled will go to forwarding state immediately without passing the listening and learning state. Therefore it can save about 30 to 45 seconds to transition through these states. To enable this feature, configure this command under interface mode:

Switch(config-if)#spanning-tree portfast

Question 6

A network engineer configured an Ethernet switch using these commands.

Switch1(config) # spanning-tree portfast bpdufilter default

Which statement about the spanning-tree portfast feature on the switch is true?

A. If an interface that is enabled for portfast receives a BPDU, the port goes through the spanning-tree listening, learning, and forwarding states.
B. If an interface that is enabled for portfast receives a BPDU, the port does not go through the spanning-tree listening, learning, and forwarding states.
C. If an interface that is enabled for portfast receives a BPDU, the port is shut down immediately.
D. If an interface that is enabled for portfast receives a BPDU, the port goes into the spanning-tree inconsistent state.

Answer: A

Explanation

The “spanning-tree portfast bpdufilter default” command enables BPDU filtering on Portfast-enabled interfaces. This command prevents interfaces that are in a Portfast-operational state from sending BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Portfast-operational status, and BPDU filtering is disabled.

In conclusion, the above command only affects ports that were configured with PortFast. It prevents these ports from sending BPDUs (note that PortFast on its own does not stop an interface from sending BPDUs), but if such a port receives a BPDU, it loses both BPDU filtering and PortFast.

Question 7

Which statement describes what happens when a port configured with root guard receives a superior BPDU?

A. The port goes into errdisabled state and stops forwarding traffic.
B. The port goes into BPDU-inconsistent state and stops forwarding traffic.
C. The port goes into loop-inconsistent state and stops forwarding traffic.
D. The port goes into root-inconsistent state and stops forwarding traffic.

 Answer: D

Explanation

Root guard does not allow the port to become an STP root port, so the port is always STP-designated. If a better BPDU arrives on this port, root guard does not take the BPDU into account and does not elect a new STP root. Instead, root guard puts the port into the root-inconsistent STP state, which is equivalent to the listening state. No traffic is forwarded across this port. Below is an example of where to configure Root Guard on the ports. Notice that Root Guard is always configured on designated ports.


To configure Root Guard use this command:

Switch(config-if)# spanning-tree guard root

Question 8

An administrator recently configured all ports for rapid transition using PortFast. After testing, it has been determined that several ports are not transitioning as they should. What is the reason for this?

A. RSTP has been enabled per interface and not globally.
B. The STP root bridge selection is forcing key ports to remain in non-rapid transitioning mode.
C. STP is unable to achieve rapid transition for trunk links.
D. The switch does not have the processing power to ensure rapid transition for all ports.

 Answer: C

Explanation

Although RSTP was configured on all ports, only edge ports are allowed to run it; RSTP cannot work on a trunk port. If we try to configure PortFast on a trunk port (suppose Fa0/24) we will receive this message:

%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc… to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION

%Portfast has been configured on FastEthernet0/24 but will only have effect when the interface is in a non-trunking mode.

Question 9

Pilot testing of the new switching infrastructure finds that when the root port is lost, STP immediately replaces the root port with an alternative root port. Which spanning-tree technology is used to accomplish backup root port selection?

A. PVST+
B. PortFast
C. BackboneFast
D. UplinkFast
E. Loop Guard
F. UDLD

Answer: D

Explanation

UplinkFast is a Cisco specific feature that improves the convergence time of the Spanning-Tree Protocol (STP) in the event of the failure of an uplink. The UplinkFast feature is designed to run in a switched environment when the switch has at least one alternate/backup root port (port in blocking state), that is why Cisco recommends that UplinkFast be enabled only for switches with blocked ports, typically at the access-layer.

For example in the topology below:


Suppose S1 is the root bridge in the topology above. S3 is connected to S1 via two paths: one direct path and another that goes through S2. Suppose the port directly connected to S1 is the root port -> the port connected to S2 will be in Blocking state. If the primary link goes down, the blocked port needs about 50 seconds to move from Blocking -> Listening -> Learning -> Forwarding before it can be used.

To shorten the downtime, a feature called Uplink Fast can be used. When the primary (root) link fails, another blocked link can be brought up immediately for use. When UplinkFast is enabled, it is enabled for the entire switch and all VLANs. It cannot be enabled for individual VLANs.

Question 10

A network engineer must adjust the STP interface attributes to influence root port selection. Which two elements are used to accomplish this? (Choose two)

A. port-priority
B. cost
C. forward-timers
D. link type
E. root guard

 Answer: A B

Explanation

Every non-root bridge needs to elect a root port. The election of root port is as follows:

1) Based on lowest cost path to the root bridge
2) Then based on lowest upstream Bridge ID (Bridge ID = Bridge Priority + MAC)
3) Then based on lowest upstream Port ID (Port ID = Port Priority + Port Index)

Therefore we can use STP cost and port-priority to select the root port.
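As an added example (not code from the original page), the Python below applies the three tie-breakers above to the candidate ports of a non-root bridge; the link speeds, upstream Bridge IDs and the cost override are constructed sample values, and the default path costs are the IEEE 802.1D short values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UpstreamBpdu:
    """What a local port learned from the BPDU of its upstream (designated) bridge."""
    root_path_cost: int    # cost from the upstream bridge to the root bridge
    bridge_priority: int   # upstream Bridge ID = priority + MAC (default priority 32768)
    bridge_mac: str
    port_priority: int     # upstream Port ID = port priority + port index (default 128)
    port_index: int


# IEEE 802.1D short path-cost values by link speed (constructed lookup for this example)
DEFAULT_PORT_COST = {"10M": 100, "100M": 19, "1G": 4, "10G": 2}


def election_table(candidates, cost_override=None):
    """Total root path cost per local port: upstream cost + this port's own cost.

    candidates: {local_port: (link_speed, UpstreamBpdu)}
    cost_override: {local_port: cost} for ports configured with 'spanning-tree cost'
    """
    cost_override = cost_override or {}
    return {port: bpdu.root_path_cost + cost_override.get(port, DEFAULT_PORT_COST[speed])
            for port, (speed, bpdu) in candidates.items()}


def root_port(candidates, cost_override=None):
    """Pick the root port of a non-root bridge.

    The election key mirrors the list in the explanation: 1) lowest root path cost,
    2) lowest upstream Bridge ID, 3) lowest upstream Port ID. The Port ID compared is
    the one carried in the upstream bridge's BPDU, so 'spanning-tree port-priority'
    changes this tie-break when it is set on the upstream port.
    """
    totals = election_table(candidates, cost_override)
    ranked = []
    for port, (speed, bpdu) in candidates.items():
        key = (
            totals[port],
            (bpdu.bridge_priority, bpdu.bridge_mac.lower()),
            (bpdu.port_priority, bpdu.port_index),
        )
        ranked.append((key, port))
    return min(ranked)[1]


# Constructed sample in the spirit of Question 4: three 100 Mb/s uplinks and one
# 1 Gb/s uplink, all upstream bridges the same distance (cost 4) from the root.
SAMPLE = {
    "f0/13": ("100M", UpstreamBpdu(4, 32768, "0000.0c11.1111", 128, 1)),
    "f0/14": ("100M", UpstreamBpdu(4, 32768, "0000.0c11.1111", 128, 2)),
    "f0/15": ("100M", UpstreamBpdu(4, 32768, "0000.0c22.2222", 128, 1)),
    "f0/21": ("1G",   UpstreamBpdu(4, 32768, "0000.0c33.3333", 128, 1)),
}

if __name__ == "__main__":
    print(election_table(SAMPLE), "->", root_port(SAMPLE))
    # Raising the cost on f0/21 makes the three 100M ports tie on cost;
    # upstream Bridge ID and then upstream Port ID decide.
    print(root_port(SAMPLE, {"f0/21": 100}))
```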

Question 11

For client server failover purposes, the application server team has indicated that they must not have the standard 30 second delay before their switchport enters a forwarding state. For their disaster recovery feature to operate successfully, they require the switchport to enter a forwarding state immediately. Which spanning-tree feature satisfies this requirement?

A. Rapid Spanning-Tree
B. Spanning-Tree Timers
C. Spanning-Tree FastPort
D. Spanning-Tree PortFast
E. Spanning-Tree Fast Forward

 Answer: D

Explanation

PortFast is typically configured on switch ports that connect to hosts. An interface with PortFast enabled goes to the forwarding state immediately without passing through the listening and learning states, which saves about 30 to 45 seconds of transition time. To enable this feature, configure this command under interface mode:

Switch(config-if)#spanning-tree portfast

Question 12

A network engineer is installing a switch for temporary workers to connect to. The engineer does not want this switch participating in Spanning Tree with the rest of the network; however, end user connectivity is still required. Which spanning-tree feature accomplishes this?


A. BPDU ignore
B. BPDU guard
C. BPDU block
D. BPDU disable
E. BPDU filter

Answer: E

Explanation

BPDU filter is designed to suppress the sending and receiving of BPDUs on an interface. There are two ways of configuring BPDU filter: under global configuration mode or under interface mode, and they have a subtle difference.

If BPDUFilter is configured globally via this command:

Switch(config)#spanning-tree portfast bpdufilter default

BPDU filter will be enabled on all PortFast-enabled interfaces and will stop those interfaces from sending or receiving BPDUs. This is useful when the port is connected to a host: we can enable PortFast on the port to save some start-up time while not sending BPDUs to that host. Hosts do not participate in STP and hence drop received BPDUs, so BPDU filtering prevents unnecessary BPDUs from being transmitted to host devices.

If BPDUFilter is configured under interface mode like this:

Switch(config-if)#spanning-tree bpdufilter enable

It will suppress the sending and receiving of BPDUs. This is the same as disabling spanning tree on the interface. This choice is risky and should only be used when you are sure that port only connects to host devices.

Question 13

When troubleshooting a network problem, a network analyzer is connected to Port f0/1 of a LAN switch. Which command can prevent BPDU transmission on this port?

A. spanning-tree portfast bpdufilter default
B. spanning-tree portfast bpduguard enable
C. no spanning-tree link-type shared
D. spanning-tree bpduguard default

Answer: A

Explanation

The “spanning-tree portfast bpdufilter default” command is configured under global configuration mode. To stop receiving unwanted BPDUs (for easier troubleshooting), the engineer can issue the “spanning-tree portfast bpdufilter default” command under global configuration mode. This enables BPDU filter on all PortFast-enabled interfaces and stops those interfaces from sending or receiving BPDUs. This is useful when the port is connected to a host: we can enable PortFast on the port to save some start-up time while not sending BPDUs to that host. Hosts do not participate in STP and hence drop received BPDUs, so BPDU filtering prevents unnecessary BPDUs from being transmitted to host devices.


RSTP Questions

Question 1

After the recent upgrade of the switching infrastructure, the network engineer notices that the port roles that were once “blocking” are now defined as “alternate” and “backup”. What is the reason for this change?

A. The new switches are using RSTP instead of legacy IEEE 802.1D STP.
B. IEEE 802.1D STP and PortFast have been configured by default on all newly implemented Cisco Catalyst switches.
C. The administrator has defined the switch as the root in the STP domain.
D. The port roles have been adjusted based on the interface bandwidth and timers of the new Cisco Catalyst switches.

 

Answer: A

Explanation

There are five port roles in RSTP:

* Root port – A forwarding port that is the closest to the root bridge in terms of path cost
* Designated port – A forwarding port for every LAN segment
* Alternate port – A best alternate path to the root bridge. This path is different than using the root port. The alternate port moves to the forwarding state if there is a failure on the designated port for the segment.
* Backup port – A backup/redundant path to a segment where another bridge port already connects. The backup port applies only when a single switch has two links to the same segment (collision domain). To have two links to the same collision domain, the switch must be attached to a hub.
* Disabled port – Not strictly part of STP; a network administrator can manually disable a port

There is no “blocking” port role in RSTP as there is in STP; the “alternate” and “backup” roles exist only in RSTP.

Question 2

What happens on a Cisco switch that runs Cisco IOS when an RSTP-configured switch receives 802.1d BPDU?

A. 802.1d does not understand RSTP BPDUs because they are different versions, but when a RSTP switch receives an 802.1d BPDU, it responds with an 802.1d BPDU and eventually the two switches run 802.1d to communicate.
B. 802.1d understands RSTP BPDUs because they are the same version, but when a RSTP switch receives a 802.1d BPDU, it responds with a 802.1d BPDU and eventually the two switches run 802.1d to communicate.
C. 802.1d does not understand RSTP BPDUs because they are different versions, but when a RSTP switch receives a 802.1d BPDU, it does not respond with a 802.1d BPDU.
D. 802.1d understands RSTP BPDUs because they are the same version, but when a RSTP switch receives a 802.1d BPDU, it does not respond with a 802.1d BPDU and eventually the two switches run 802.1d to communicate.

 

Answer: A

Explanation

RSTP is backward compatible with STP 802.1D. If an RSTP-enabled port receives a (legacy) 802.1D BPDU, it automatically configures itself to behave like a legacy port: it sends and receives 802.1D BPDUs only.


MST Questions

Question 1

A network engineer is setting up a new switched network. The network is expected to grow and add many new VLANs in the future. Which Spanning Tree Protocol should be used to reduce switch resources and managerial burdens that are associated with multiple spanning-tree instances?

A. RSTP
B. PVST
C. MST
D. PVST+
E. RPVST+

 Answer: C

Explanation

Instead of using Per-VLAN Spanning Tree (PVST) or Rapid PVST, which run a separate STP instance for each active VLAN (20 VLANs means 20 STP instances), Multiple Spanning Tree (MST) maps multiple VLANs into one spanning-tree instance, thereby reducing the number of spanning-tree instances needed. MST also reduces switch resources and managerial burdens.

Question 2

When two MST instances (MST 1 and MST 2) are created on a switch, what is the total number of spanning-tree instances running on the switch?

A. 1
B. 2
C. 3
D. 4

 Answer: C

Explanation

Besides two MST instances 1 & 2, Instance 0 is a special instance for a region, known as the Internal Spanning Tree (IST). The IST always exists on all ports; you cannot delete the IST. By default, all VLANs are assigned to the IST. All other MST instances are numbered from 1 to 4094. The IST is the only STP instance that sends and receives BPDUs. All of the other MSTI information is contained in MST records (M-records), which are encapsulated within MST BPDUs.

Note:
+ The Common Spanning Tree (CST) interconnects the MST regions and any instance of 802.1D and 802.1w STP that may be running on the network.
+ A Common and Internal Spanning Tree (CIST) is a collection of the ISTs in each MST region.


Question 3

To follow the Layer 2 switching guidelines, a network engineer decides to create a separate spanning tree for every group of 10 VLANs. Which version of spanning tree is appropriate to meet the company policy?

A. PVST+
B. STP
C. MST
D. RSTP
E. RPVST+

 Answer: C

Explanation

Besides two MST instances 1 & 2, Instance 0 is a special instance for a region, known as the Internal Spanning Tree (IST). The IST always exists on all ports; you cannot delete the IST. By default, all VLANs are assigned to the IST. All other MST instances are numbered from 1 to 4094. The IST is the only STP instance that sends and receives BPDUs. All of the other MSTI information is contained in MST records (M-records), which are encapsulated within MST BPDUs.

Note:
+ The Common Spanning Tree (CST) interconnects the MST regions and any instance of 802.1D and 802.1w STP that may be running on the network.
+ A Common and Internal Spanning Tree (CIST) is a collection of the ISTs in each MST region.

Private VLAN

Quick review:

The main purpose of Private VLAN (PVLAN) is to provide the ability to isolate hosts at Layer 2 instead of Layer 3. As you know, a VLAN is a broadcast domain; by using PVLAN we split that domain into smaller broadcast domains. For example, without PVLAN, a service provider that wants to increase security by isolating customers into separate domains so that they can’t access each other has to assign them to different VLANs and use different subnets. This can result in a waste of IP addresses and difficulty in VLAN management. Private VLANs (PVLANs) solve this problem by allowing the isolation of devices at Layer 2 in the same subnet. A PVLAN can be considered “VLANs inside a VLAN”.

There are three types of ports in PVLAN:

* Isolated: only communicates with promiscuous ports. Notice that it cannot even communicate with another isolated port. Also, there can be only 1 isolated VLAN per PVLAN.
* Promiscuous: can communicate with all other ports. The default gateway is usually connected to this port so that all devices in the PVLAN can go outside.
* Community: can communicate with other members of that community and promiscuous ports but cannot communicate with other communities. There can be multiple community VLANs per PVLAN.

For example, in the topology above:

+ Host A cannot communicate with Host B, C, D, E and F. It can only communicate with Promiscuous port to the router. Notice that even two Isolated ports in the same VLAN cannot communicate with each other.

+ Host C can communicate with Host D because they are in the same community but Host C cannot communicate with E and F because they are in a different community.

+ All hosts can go outside through promiscuous port.

Also worth mentioning are the concepts of “primary VLAN” and “secondary VLAN”. A PVLAN can have only one primary VLAN; all VLANs in a PVLAN domain share the same primary VLAN. Secondary VLANs are the isolated and community VLANs.
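As an added example that is not part of the original page, the Python below encodes the reachability rules of the three port types and the "one isolated VLAN per PVLAN" constraint, and runs them over a constructed topology that mirrors the one described above (primary VLAN 100, isolated VLAN 101 for hosts A and B, community VLANs 102 and 103, router R on the promiscuous port).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ISOLATED, COMMUNITY, PROMISCUOUS = "isolated", "community", "promiscuous"


@dataclass(frozen=True)
class PvlanPort:
    """A switch port in one private VLAN domain (one primary VLAN)."""
    name: str
    kind: str                              # isolated, community or promiscuous
    secondary_vlan: Optional[int] = None   # isolated/community VLAN; None for promiscuous


def can_communicate(a: PvlanPort, b: PvlanPort) -> bool:
    """Layer 2 reachability between two ports of the same PVLAN domain."""
    if PROMISCUOUS in (a.kind, b.kind):
        return True                      # promiscuous ports talk to every port
    if ISOLATED in (a.kind, b.kind):
        return False                     # isolated ports talk only to promiscuous ports
    return a.secondary_vlan == b.secondary_vlan   # community: same community VLAN only


def reachability_matrix(ports: List[PvlanPort]) -> Dict[Tuple[str, str], bool]:
    """{(src, dst): reachable} for every ordered pair of distinct ports."""
    return {(a.name, b.name): can_communicate(a, b)
            for a in ports for b in ports if a.name != b.name}


def check_domain(ports: List[PvlanPort]) -> List[str]:
    """Checks that follow from the rules above: at most one isolated VLAN per PVLAN,
    every host port carries a secondary VLAN, promiscuous ports carry none."""
    problems = []
    isolated = sorted({p.secondary_vlan for p in ports if p.kind == ISOLATED})
    if len(isolated) > 1:
        problems.append(f"more than one isolated VLAN in the domain: {isolated}")
    for p in ports:
        if p.kind != PROMISCUOUS and p.secondary_vlan is None:
            problems.append(f"{p.name}: host port has no secondary VLAN")
        if p.kind == PROMISCUOUS and p.secondary_vlan is not None:
            problems.append(f"{p.name}: promiscuous port belongs to the primary VLAN only")
    return problems


# Constructed sample mirroring the quick review topology.
TOPOLOGY = [
    PvlanPort("R", PROMISCUOUS),
    PvlanPort("A", ISOLATED, 101), PvlanPort("B", ISOLATED, 101),
    PvlanPort("C", COMMUNITY, 102), PvlanPort("D", COMMUNITY, 102),
    PvlanPort("E", COMMUNITY, 103), PvlanPort("F", COMMUNITY, 103),
]

if __name__ == "__main__":
    for (src, dst), ok in sorted(reachability_matrix(TOPOLOGY).items()):
        print(f"{src} -> {dst}: {'yes' if ok else 'no'}")
    print("problems:", check_domain(TOPOLOGY))
```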


Configuration of PVLAN:

1. Set VTP mode to transparent
2. Create secondary (isolated and community) VLANs and the primary VLAN
3. Associate the secondary VLANs to the primary VLAN
4. Configure interfaces as promiscuous interfaces
5. Configure interfaces to be isolated or community interfaces.

Sample configuration using the topology above:

//First set VTP to transparent mode
Switch(config)#vtp mode transparent

//Create secondary VLANs
Switch(config)#vlan 101
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#vlan 102
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#vlan 103
Switch(config-vlan)#private-vlan community

//Create primary VLAN
Switch(config-vlan)#vlan 100
Switch(config-vlan)#private-vlan primary

//Associate secondary (isolated, community) VLANs to the primary VLAN
Switch(config-vlan)#private-vlan association 101,102,103

//Configure the port connected to the router as the promiscuous port, with the primary VLAN mapped to the secondary VLANs
Switch(config)#interface f0/1
Switch(config-if)#switchport mode private-vlan promiscuous
Switch(config-if)#switchport private-vlan mapping 100 101,102,103

//Ports connected to hosts A, B, C, D, E, F are configured in host mode and assigned to the appropriate VLANs (A and B to isolated VLAN 101; C and D to community VLAN 102; E and F to community VLAN 103). The three ranges must not overlap:
Switch(config)#interface range f0/2 - 3 //connect to hosts A and B
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 100 101

Switch(config-if-range)#interface range f0/4 - 5 //connect to hosts C and D
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 100 102

Switch(config-if-range)#interface range f0/6 - 7 //connect to hosts E and F
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 100 103

To check the configuration, use this command:

Switch# show vlan private-vlan

Question 1

A network engineer wants to ensure Layer 2 isolation of customer traffic using a private VLAN. Which configuration must be made before the private VLAN is configured?

A. Disable VTP and manually assign VLANs.
B. Ensure all switches are configured as VTP server mode.
C. Configure VTP Transparent Mode.
D. Enable VTP version 3.

 Answer: C

Explanation

Before configuring private VLANs, we must set VTP mode to transparent because VTP version 1 and 2 do not support private VLAN (VTP version 3 does support PVLAN). Notice that a switch in VTP transparent mode still forwards other VTP updates to its neighbors.

Question 2

Which private VLAN access port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports?

A. promiscuous port
B. isolated port
C. community port
D. trunk port

 Answer: A

Explanation

There are three types of ports in PVLAN:

* Isolated: only communicates with promiscuous ports. Notice that it cannot even communicate with another isolated port. Also, there can be only 1 isolated VLAN per PVLAN.
* Promiscuous: can communicate with all other ports. The default gateway is usually connected to this port so that all devices in the PVLAN can go outside.
* Community: can communicate with other members of that community and promiscuous ports but cannot communicate with other communities. There can be multiple community VLANs per PVLAN.

Question 3

Which private VLAN can have only one VLAN and be a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports and the gateway?

A. isolated VLAN
B. primary VLAN
C. community VLAN
D. promiscuous VLAN


 Answer: A

Explanation

An isolated VLAN is a secondary VLAN and it can only communicate with the promiscuous port. Also, there can be only 1 isolated VLAN per PVLAN (this isolated VLAN can be assigned to many ports, but those ports cannot communicate with each other).

Question 4

When you configure private VLANs on a switch, which port type connects the switch to the gateway router?

A. promiscuous
B. community
C. isolated
D. trunked

 Answer: A

Explanation

Promiscuous port: can communicate with all other ports. The default gateway is usually connected to this port so that all devices in PVLAN can go outside.

Question 5

When you configure a private VLAN, which type of port must you configure the gateway router port as?

A. promiscuous port
B. isolated port
C. community port
D. access port

 Answer: A

Explanation

The default gateway is usually connected to promiscuous port so that all devices in PVLAN can go outside.


HSRP & VRRP & GLBP Questions

Question 1

Which configuration command ties the router hot standby priority to the availability of its interfaces?

A. standby group
B. standby priority
C. backup interface
D. standby track

 Answer: D

Explanation

The “standby track” command specifies another interface on the router for the HSRP process to monitor in order to alter the HSRP priority for a given group. If the line protocol of the specified interface goes down, the HSRP priority is reduced, so another HSRP router with a higher priority can become the active router if that router has standby preempt enabled. An example of using this command is shown below:

interface Ethernet0
 ip address 171.16.6.5 255.255.255.0
 standby 1 ip 171.16.6.100
 standby 1 priority 105
 standby 1 preempt
 standby 1 track Serial0

Question 2

What is the default HSRP priority?

A. 50
B. 100
C. 120
D. 1024

 

Answer: B

Question 3

Which command correctly configures standby tracking for group 1 using the default decrement priority value?

A. standby 1 track 100
B. standby 1 track 100 decrement 1
C. standby 1 track 100 decrement 5
D. standby 1 track 100 decrement 20

 

Answer: A

Explanation

The default decrement priority value of HSRP is 10 so 1,5,20 are wrong values -> B, C and D are not correct.

In the “standby 1 track 100” command, “100” is the tracked object number, not the decrement value. No decrement value is specified here, so the default value is used -> Answer A is correct. An example of configuring a tracked object number with HSRP is shown below:


Switch(config)# track 100 interface GigabitEthernet 0/0/0 line-protocol
Switch(config-track)# exit
Switch(config)# interface GigabitEthernet 0/0/0
Switch(config-if)# standby 1 track 100

If you want to specify a decrement value, use the “standby 1 track 100 decrement <value>” command instead.

Question 4

Which command configures an HSRP group to become a slave of another HSRP group?

A. standby slave
B. standby group track
C. standby follow
D. standby group backup

 Answer: C

Explanation

The configuration of many hundreds of subinterfaces on the same physical interface, with each subinterface having its own HSRP group, can cause the processes of negotiation and maintenance of multiple HSRP groups to have a detrimental impact on network traffic and CPU utilization.

Only one HSRP group is required on a physical interface for the purposes of electing active and standby devices. This group is known as the master group. Other HSRP groups may be created on each subinterface and linked to the master group via the group name. These linked HSRP groups are known as client or slave groups.

The HSRP group state of the client groups follows that of the master group. Client groups do not participate in any sort of device election mechanism.

Client groups send periodic messages in order to refresh their virtual MAC addresses in switches and learning bridges. The refresh message may be sent at a much lower frequency compared with the protocol election messages sent by the master group.

The standby follow command configures an HSRP group to become an IP redundancy client of another HSRP group. Client or slave groups must be on the same physical interface as the master group. A client group takes its state from the master group it is following. Therefore, the client group does not use its timer, priority, or preemption settings. A warning is displayed if these settings are configured on a client group.

The following example shows how to configure HSRP group 2 as a client to the HSRP1 master group:

Router(config-if)# standby 2 follow HSRP1

Question 5

What is the default amount by which the hot standby priority for the router is decremented or incremented when the interface goes down or comes back up?

A. 1
B. 5
C. 10
D. 15

Answer: C


Question 6

Which First Hop Redundancy Protocol is an IEEE Standard?

A. GLBP
B. HSRP
C. VRRP
D. OSPF

 Answer: C

Explanation

Unlike HSRP or GLBP, VRRP is an open standard.

Question 7

Which VRRP router is responsible for forwarding packets that are sent to the IP addresses of the virtual router?

A. virtual router master
B. virtual router backup
C. virtual router active
D. virtual router standby

 Answer: A

Explanation

In VRRP, the active router is referred to as the master virtual router.

Question 8

Refer to the exhibit.

%GLBP-4-DUPADDR:Duplicate address

Which option describes the reason for this message in a GLBP configuration?

A. Unavailable GLBP active forwarder
B. Incorrect GLBP IP address
C. HSRP configured on same interface as GLBP
D. Layer 2 loop

 Answer: D

Explanation

The error message indicates a possible Layer 2 loop or STP configuration issue. Notice that the “duplicate address” here means the MAC address.

To resolve this issue, issue the show interface command to verify the MAC address of the interface. If the MAC address of the interface is the same as the one reported in the error message, this router is receiving its own hello packets: verify the spanning-tree topology and check whether there is a Layer 2 loop. If the interface MAC address is different from the one reported in the error message, then another device that uses the reported MAC address is the source of the hellos.


Question 9

Which gateway role is responsible for answering ARP requests for the virtual IP address in GLBP?

A. active virtual forwarder
B. active virtual router
C. active virtual gateway
D. designated router

 

Answer: C

Explanation

The active virtual gateway (AVG) is responsible for answering the ARP Request for the virtual IP address. Load sharing is achieved by the AVG replying to the ARP requests with different virtual MAC addresses.

Question 10

What is the maximum number of virtual MAC addresses that GLBP allows per group?

A. 2
B. 4
C. 6
D. 8

 

Answer: B

Explanation

A GLBP group has a maximum of four AVFs (that is, four virtual MAC addresses). If there are more than four gateways in a GLBP group, the rest become Standby Virtual Forwarders (SVF), which take the place of an AVF in case of failure.

HSRP Hotspot


– DSW1 (Distribution switch 1) is the primary device for Vlan 101, 102, 105

– DSW2 (Distribution switch 2) is the primary device for Vlan 103 and 104

– A failure on gig1/0/1 on primary device should cause the primary device to release its status as the primary device, unless GigabitEthernet 1/0/1 on backup device has also failed.

For your information, the “show running-config” commands are posted below for your reference but please notice in the exam you have to issue this command to get the output:

DSW1#show running-config

interface Vlan101
 ip address 192.168.101.1 255.255.255.0
 standby 1 ip 192.168.101.254
 standby 1 priority 200
 standby 1 track GigabitEthernet1/0/1 55
!
interface Vlan102
 ip address 192.168.102.1 255.255.255.0
 standby 2 ip 192.168.102.254
 standby 2 priority 200
 standby 2 preempt
 standby 2 track GigabitEthernet1/0/1 5
!
interface Vlan103
 ip address 192.168.103.1 255.255.255.0
 standby 3 ip 192.168.103.254
 standby 3 priority 200
 standby 3 preempt
 standby 3 track GigabitEthernet1/0/1
!
interface Vlan104
 ip address 192.168.104.1 255.255.255.0
 standby 4 ip 192.168.104.254
 standby 4 priority 150
 standby 4 preempt
 standby 4 track GigabitEthernet1/0/1 1
!
interface Vlan105
 ip address 192.168.105.1 255.255.255.0
 standby 5 ip 192.168.105.254
 standby 5 priority 150
 standby 5 preempt
 standby 5 track GigabitEthernet1/0/1 55

DSW2#show running-config

interface Vlan101
 ip address 192.168.101.2 255.255.255.0
 standby 1 ip 192.168.101.254
 standby 1 priority 150
 standby 1 preempt
 standby 1 track GigabitEthernet1/0/1
!
interface Vlan102
 ip address 192.168.102.2 255.255.255.0
 standby 2 ip 192.168.102.254
 standby 2 priority 190
 standby 2 preempt
 standby 2 track GigabitEthernet1/0/1
!
interface Vlan103
 ip address 192.168.103.2 255.255.255.0
 standby 3 ip 192.168.103.254
 standby 3 priority 190
 standby 3 preempt
 standby 3 track GigabitEthernet1/0/1 50
!
interface Vlan104
 ip address 192.168.104.2 255.255.255.0
 standby 4 ip 192.168.104.254
 standby 4 priority 200
 standby 4 preempt
 standby 4 track GigabitEthernet1/0/1 55
!
interface Vlan105
 ip address 192.168.105.2 255.255.255.0
 standby 5 ip 192.168.105.254
 standby 5 preempt
 standby 5 track GigabitEthernet1/0/1

Question 1

During routine maintenance, it became necessary to shut down G1/0/1 on DSW1. All other interfaces were up. During this time, DSW1 remained the active device for Vlan 102’s HSRP group. You have determined that there is an issue with the decrement value in the track command in Vlan 102’s HSRP group. What needs to be done to make the group function properly?

A. The DSW1’s decrement value should be configured with a value from 5 to 15
B. The DSW1’s decrement value should be configured with a value from 9 to 15
C. The DSW1’s decrement value should be configured with a value from 11 to 18
D. The DSW1’s decrement value should be configured with a value from 195 to less than 205
E. The DSW1’s decrement value should be configured with a value from 200 to less than 205
F. The DSW1’s decrement value should be greater than 190 and less than 200

Answer: C

Explanation


The question clearly states that there is an issue with the decrement value in VLAN 102, so we should check VLAN 102 on both DSW1 and DSW2 first. Click on PC Console1 and PC Console2 to access these switches, then use the “show running-config” command on both switches:

DSW1>enable
DSW1#show running-config

DSW2>enable
DSW2#show running-config

As shown in the outputs, DSW1’s priority is 200, higher than DSW2’s, so DSW1 is the active switch for the group. Interface Gig1/0/1 on DSW1 is tracked, so when this interface goes down HSRP automatically reduces the router’s priority by a configurable amount, in this case 5. The priority of DSW1 therefore drops from 200 to 195, which is still higher than DSW2’s 190, so DSW1 remains the active switch for the group. To make DSW2 take over this role, we have to configure DSW1’s decrement with a value of 11 or greater so that the result is smaller than DSW2’s priority (200 – 11 < 190). Therefore C is the correct answer.

Question 2


During routine maintenance, G1/0/1 on DSW1 was shut down. All other interfaces were up. DSW2 became the active HSRP device for Vlan101 as desired. However, after G1/0/1 on DSW1 was reactivated, DSW1 did not become the active HSRP device as desired. What needs to be done to make the group for Vlan101 function properly?

A. Enable preempt on DSW1’s Vlan101 HSRP group

B. Disable preempt on DSW1’s Vlan101 HSRP group

C. Decrease DSW1’s priority value for Vlan101 HSRP group to a value that is less than priority value configured on DSW2’s HSRP group for Vlan101

D. Decrease the decrement in the track command for DSW1’s Vlan 101 HSRP group to a value less than the value in the track command for DSW2’s Vlan 101 HSRP group.

Answer: A

Explanation

Continue to check VLAN 101 on both switches…

We learned that DSW1 doesn’t have the “standby 1 preempt” command so it can’t take over the active role again even if its priority is the highest. So we need to enable this command on VLAN 101 of DSW1.

Question 3

DSW2 has not become the active device for Vlan103’s HSRP group even though all interfaces are active. As related to Vlan103’s HSRP group, what can be done to make the group function properly?

A. On DSW1, disable preempt

B. On DSW1, decrease the priority value to a value less than 190 and greater than 150

C. On DSW2, increase the priority value to a value greater than 200 and less than 250

D. On DSW2, increase the decrement value in the track command to a value greater than 10 and less than 50.

Answer: C

Explanation:

The reason DSW2 has not become the active switch for Vlan103 is that the priority value of DSW1 is higher than that of DSW2. In order to make DSW2 the active switch, we need to increase DSW2’s priority (to higher than 200) or decrease DSW1’s priority (to lower than 190) -> B and C both appear to be correct.

But there is another requirement in this question: “A failure on gig1/0/1 on primary device should cause the primary device to release its status as the primary device, unless GigabitEthernet 1/0/1 on backup device has also failed”. This requirement makes answer B incorrect. For example, suppose we decrease the priority value on DSW1 to 160 (according to answer B); then DSW2 becomes the active switch (that is good). When Gi1/0/1 on DSW2 goes down, the priority of DSW2 becomes 190 – 50 = 140 < 160 -> DSW1 becomes the new active switch (that is good, too). But when Gi1/0/1 on DSW1 also goes down, the priority of DSW1 becomes 160 – 10 = 150, which is still greater than DSW2’s 140 -> DSW2 cannot retake the active role as the question requires.

Question 4

If G1/0/1 on DSW1 is shutdown, what will be the current priority value of the Vlan105’s group on DSW1?

A. 95

B. 100

C. 150

D. 200

Answer: A

Explanation

Below is the output of VLAN 105:

If G1/0/1 on DSW1 is shut down, its priority decreases by 55, so its value will be 150 – 55 = 95.

Question 5

What is the configured priority value of the Vlan105’s group on DSW2 ?

A. 50

B. 100

C. 150

D. 200

Answer: B

Explanation

Below is the output of VLAN 105 of DSW2:

We don’t see the priority of DSW2 so it is using the default value (100).

Question 6

During routine maintenance, it became necessary to shut down G1/0/1 on DSW1 and DSW2. All other interfaces were up. During this time, DSW1 became the active device for Vlan104’s HSRP group. As related to Vlan104’s HSRP group, what can be done to make the group function properly?

A. On DSW1, disable preempt

B. On DSW2, decrease the priority value to a value less than 150

C. On DSW1, increase the decrement value in the track command to a value greater than 6

D. On DSW1, disable track command.

Answer: C

Explanation

The question asks us how to keep the active role of DSW2. From the outputs, we learned that if both interfaces G1/0/1 of DSW1 and DSW2 are shutdown, the priority of DSW1 will be 150 – 1 = 149 and that of DSW2 will be 200 – 55 = 145 -> DSW1 will become the active switch.

The main point here is that we have to configure the group so that when both G1/0/1 interfaces of DSW1 and DSW2 are shut down, the priority of DSW2 is still greater than that of DSW1. Therefore the priority value of DSW1 should be smaller than 145, so we have to configure the decrement value of DSW1 to a value greater than 6 (6 = 150 – 144) -> C is the correct answer.

Notice: To keep the active role of DSW2, we could also disable “preempt” on DSW1 (answer A) so that it will not take over the active role when DSW2 goes down, but that also means that VLAN 104 will not have an active switch -> VLAN 104 will fail.
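The HSRP rules behind Questions 1 to 6 above (tracking decrements, priority comparison and preempt), modelled as an added Python example that is not part of the exam page: the interface name Gi1/0/1, the priorities and the decrements come from the questions, and tie-breaking by IP address is left out because none of the scenarios tie.

```python
# Added example (not from the exam page): a small model of HSRP election with
# interface tracking and preempt, used to replay the VLAN 101, 103, 104 and 105
# reasoning above on constructed values.
from dataclasses import dataclass, field


@dataclass
class HsrpRouter:
    name: str
    priority: int = 100                          # HSRP default priority
    preempt: bool = False                        # "standby <group> preempt" present?
    track: dict = field(default_factory=dict)    # tracked interface -> decrement
    down: set = field(default_factory=set)       # interfaces currently down

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked interface that is down."""
        return self.priority - sum(dec for ifc, dec in self.track.items() if ifc in self.down)


def elect(routers, current_active=None):
    """Return the name of the active router after one evaluation round.

    With no current active router the highest effective priority wins.  Afterwards
    a router with a higher effective priority takes over only if it has preempt;
    without preempt the current active router keeps the role.
    """
    best = max(routers, key=lambda r: r.effective_priority())
    if current_active is None:
        return best.name
    active = next(r for r in routers if r.name == current_active)
    if (best is not active and best.preempt
            and best.effective_priority() > active.effective_priority()):
        return best.name
    return active.name


def link_failure_walkthrough(primary, backup, link="Gi1/0/1"):
    """Replay the requirement quoted in Question 3: the primary must release its role
    when its tracked link fails, unless the backup's link has failed as well.
    Returns the active router after each of the three steps."""
    routers = [primary, backup]
    for r in routers:
        r.down.discard(link)
    steps = [elect(routers)]                      # step 1: all links up
    primary.down.add(link)
    steps.append(elect(routers, steps[-1]))       # step 2: primary's link fails
    backup.down.add(link)
    steps.append(elect(routers, steps[-1]))       # step 3: backup's link fails too
    return steps


def meets_requirement(primary, backup, link="Gi1/0/1"):
    """True when the walkthrough goes primary -> backup -> primary."""
    return link_failure_walkthrough(primary, backup, link) == [primary.name, backup.name, primary.name]


if __name__ == "__main__":
    # Question 3, answer B: DSW1 lowered to 160 (decrement 10), DSW2 at 190 (decrement 50)
    dsw1 = HsrpRouter("DSW1", 160, True, {"Gi1/0/1": 10})
    dsw2 = HsrpRouter("DSW2", 190, True, {"Gi1/0/1": 50})
    print(link_failure_walkthrough(dsw2, dsw1), meets_requirement(dsw2, dsw1))
```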

I gave the exam last week. The answer for Q.3 is C. The option C is changed to “On DSW2, increase the priority value to a value greater 200 and less than 250”. Please update it. I got full 1000 marks, thanks to certprepare and JackCross

SPAN Questions

Question 1

Refer to the exhibit.

interface GigabitEthernet0/1
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 1-100
!
interface GigabitEthernet0/48
 switchport
 switchport mode access
!
monitor session 1 source interface GigabitEthernet0/1
monitor session 1 destination interface GigabitEthernet0/48

How can the traffic that is mirrored out the GigabitEthernet0/48 port be limited to only traffic that is received or transmitted in VLAN 10 on the GigabitEthernet0/1 port?

A. Change the configuration for GigabitEthernet0/48 so that it is a member of VLAN 10.

B. Add an access list to GigabitEthernet0/48 to filter out traffic that is not in VLAN 10.

C. Apply the monitor session filter globally to allow only traffic from VLAN 10.

D. Change the monitor session source to VLAN 10 instead of the physical interface.

Answer: C

Explanation

We can add the “monitor session 1 filter vlan 10” command to limit the monitored traffic to VLAN 10 only.

Question 2

Refer to the exhibit.

A network engineer wants to analyze all incoming and outgoing packets for an interface that is connected to an access switch. Which three items must be configured to mirror traffic to a packet sniffer that is connected to the distribution switch? (Choose three)

A. A monitor session on the distribution switch with a physical interface as the source and the remote SPAN VLAN as the destination

B. A remote SPAN VLAN on the distribution and access layer switch

C. A monitor session on the access switch with a physical interface source and the remote SPAN VLAN as the destination

D. A monitor session on the distribution switch with a remote SPAN VLAN as the source and physical interface as the destination

E. A monitor session on the access switch with a remote SPAN VLAN source and the physical interface as the destination

F. A monitor session on the distribution switch with a physical interface as the source and a physical interface as the destination

Answer: B C D

Explanation

The network engineer is connecting to the Distribution switch but he wants to monitor an access switch -> remote SPAN must be used. An example of configuring remote SPAN which uses vlan 40 is shown below:

Access-Switch(config)# monitor session 1 source interface FastEthernet 0/1
Access-Switch(config)# monitor session 1 destination remote vlan 40
Distribution-Switch(config)# monitor session 2 source remote vlan 40
Distribution-Switch(config)# monitor session 2 destination interface FastEthernet 0/5

Question 3

Interface FastEthernet0/1 is configured as a trunk interface that allows all VLANs. This command is configured globally:

monitor session 2 filter vlan 1 - 8 , 39 , 52

What is the result of the implemented command?

A. All VLAN traffic is sent to the SPAN destination interface.

B. Traffic from VLAN 4 is not sent to the SPAN destination interface.

C. Filtering a trunked SPAN port effectively disables SPAN operations for all VLANs.

D. The trunk’s native VLAN must be changed to something other than VLAN 1.

E. Traffic from VLANs 1 to 8, 39, and 52 is replicated to the SPAN destination port.

Answer: E

Explanation

This command limits the monitored traffic to VLANs 1 to 8, 39 and 52 only.

Question 4

Refer to the exhibit.

A network engineer investigates a recent network failure and notices that one of the interfaces on the switch is still down. What is causing the line protocol on this interface to be shown as down?

A. There is a layer 1 physical issue.

B. There is a speed mismatch on the interface.

C. The interface is configured as the target of the SPAN session.

D. The interface is configured as the source of the SPAN session.

E. There is a duplex mismatch on the interface.

Answer: C

Explanation

From the output we see the status of gi0/12 is “monitoring”. It means this port is currently the destination of a SPAN session.

Question 5

RSPAN has been configured on a Cisco Catalyst switch; however, traffic is not being replicated to the remote switch. Which type of misconfiguration is a cause?

A. The local switch is overloaded with the amount of sourced traffic that must be replicated to the remote switch.

B. The RSPAN designated VLAN is missing the remote span command.

C. The local and remote RSPAN switches are configured using different session IDs.

D. The local RSPAN switch is replicating only Rx traffic to the remote switch.

Answer: B

Explanation

This is how to configure Remote SPAN (RSPAN) feature on two switches. Traffic on FastEthernet0/1 of Switch 1 will be sent to Fa0/10 of Switch2 via VLAN 40.

+ Configure on both switches
Switch1,2(config)# vlan 40
Switch1,2(config-vlan)# remote-span
+ Configure on Switch1
Switch1(config)# monitor session 1 source interface FastEthernet 0/1
Switch1(config)# monitor session 1 destination remote vlan 40
+ Configure on Switch2
Switch2(config)# monitor session 5 source remote vlan 40
Switch2(config)# monitor session 5 destination interface FastEthernet 0/10

So without the “remote-span” command on both switches, RSPAN cannot work properly.

Question 6

What is the result of the SPAN configuration on a Cisco switch?

A. Configure a SPAN session to monitor the received traffic on interface g0/4 only for VLAN 3

B. Configure a SPAN session to monitor the received traffic on interface g0/5 only for VLAN 3

C. Configure a SPAN session to monitor the received traffic on interface g0/5 for all VLANs except VLAN 3

D. Configure a SPAN session to monitor the received traffic on interface g0/4 for all VLANs except VLAN 3

Answer: A

Explanation

The first command points out the source interface and the direction to be monitored, which is Gi0/4 and inbound traffic (rx) in this case. The second command tells our device to monitor only VLAN 3 running on Gi0/4 (notice that Gi0/4 is a trunk link). The last command requests monitored traffic to be sent to the destination port Gi0/5.

AAA Questions

Question 1

Which portion of AAA looks at what a user has access to?

A. authorization

B. authentication

C. accounting

D. auditing

Answer: A

Explanation

AAA security provides the following services:
+ Authentication – Identifies users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol that you select, encryption. Authentication is the process of verifying the identity of the person or device accessing the Cisco NX-OS device, which is based on the user ID and password combination provided by the entity trying to access the Cisco NX-OS device. Cisco NX-OS devices allow you to perform local authentication (using the local lookup database) or remote authentication (using one or more RADIUS or TACACS+ servers).
+ Authorization – Provides access control. AAA authorization is the process of assembling a set of attributes that describe what the user is authorized to perform. Authorization in the Cisco NX-OS software is provided by attributes that are downloaded from AAA servers. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights, with the appropriate user.
+ Accounting – Provides the method for collecting information, logging the information locally, and sending the information to the AAA server for billing, auditing, and reporting.

In conclusion, authorization specifies which resources the users are allowed to access.

Question 2

Which command creates a login authentication method named “login” that will primarily use RADIUS and fail over to the local user database?

A. (config)# aaa authentication login default radius local

B. (config)# aaa authentication login login radius local

C. (config)# aaa authentication login default local radius

D. (config)# aaa authentication login radius local

Answer: B

Explanation

In the “aaa authentication login login radius local” command, the first “login” is a keyword which authenticates users who want exec access into the access server (tty, vty, console and aux). The second “login” is a list name. “radius local” part indicates the RADIUS authentication should be used first. If the RADIUS server does not reply then use the local database to authenticate.

Question 3

Which command globally enables AAA on a device?

A. aaa new-model

B. aaa authentication

C. aaa authorization

D. aaa accounting

Answer: A

Question 4

Which AAA Authorization type includes PPP, SLIP, and ARAP connections?

A. network

B. IP mobile

C. EXEC

D. auth-proxy

Answer: A

Explanation

Method lists are specific to the authorization type requested:
+ Auth-proxy – Applies specific security policies on a per-user basis. For detailed information on the authentication proxy feature, refer to the chapter “Configuring Authentication Proxy” in the “Traffic Filtering and Firewalls” part of this book.
+ Commands – Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level.
+ EXEC – Applies to the attributes associated with a user EXEC terminal session.
+ Network – Applies to network connections. This can include a PPP, SLIP, or ARAP connection.
+ Reverse Access – Applies to reverse Telnet sessions.

When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type. Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed. The only exception is the default method list (which is named “default”). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, local authorization takes place by default.

Question 5

Which authentication service is needed to configure 802.1x?

A. RADIUS with EAP Extension

B. TACACS+

C. RADIUS with CoA

D. RADIUS using VSA

Answer: A

Explanation

For 802.1x port-based authentication, the Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco Secure Access Control Server version 3.0. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.

Question 6

Refer to the exhibit.

username cisco password cisco
!
aaa new-model
!
radius-server host 10.1.1.50 auth-port 1812 key C1sc0123
aaa authentication login default group radius local line
aaa authentication login NO_AUTH none
!
line vty 0 15
 login authentication default
 password linepass
line console 0
 login authentication NO_AUTH

Which login credentials are required when connecting to the console port in this output?

A. none required

B. username cisco with password cisco

C. no username with password linepass

D. login authentication default

Answer: A

Explanation

The console port is authenticated with NO_AUTH list. But this list does not contain any authentication method (it uses “none”) so no authentication is required when connecting to the console port.

Question 7

Refer to the exhibit.

username cisco password cisco
!
aaa new-model
!
radius-server host 10.1.1.50 auth-port 1812 key C1sc0123
aaa authentication login default group radius local line
aaa authentication login NO_AUTH none
!
line vty 0 15
 login authentication default
 password linepass
line console 0
 login authentication NO_AUTH

When a network administrator is attempting an SSH connection to the device, in which order does the device check the login credentials?

A. RADIUS server, local username, line password

B. RADIUS server, line password, local username

C. Line password, local username, RADIUS server

D. Line password, RADIUS server, local username

Answer: A

Explanation

The VTY line can be accessed via Telnet and SSH by default. It is authenticated by “default” list which is defined with the “aaa authentication login default group radius local line” command. Therefore users who access via Telnet or SSH are authenticated via RADIUS first, then local database and finally line VTY password.

Note: The “group” keyword provides a way to group existing server hosts. The feature allows the user to select a subset of the configured server hosts and use them for a particular service. Therefore we can understand “group radius” here means “some pre-defined radius servers”.
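How the device walks the method lists in the exhibit of Questions 6 and 7 (and the RADIUS-then-local fallback of Question 2), as an added Python example that is not the exam page's or Cisco's code. The RADIUS server's answer is simulated; the rule modelled is that the next method is tried only when a method cannot decide (server unreachable, or, as assumed here, a username absent from the local database), never after an explicit reject.

```python
# Added example, not from the exam page or Cisco IOS: a model of
# "aaa authentication login" method-list evaluation built from the exhibit.
from enum import Enum


class Radius(Enum):
    UNREACHABLE = "unreachable"   # no reply -> ERROR, fall through to next method
    REACHABLE = "reachable"       # server answers ACCEPT or REJECT and the search ends


# The exhibit as data: method lists, which list each line uses, local users, line password
METHOD_LISTS = {"default": ["group radius", "local", "line"], "NO_AUTH": ["none"]}
LINE_AUTH = {"vty": "default", "console": "NO_AUTH"}
LOCAL_USERS = {"cisco": "cisco"}            # username cisco password cisco
LINE_PASSWORD = "linepass"                  # password linepass (under line vty 0 15)


def authenticate(line, username="", password="", radius=Radius.UNREACHABLE, radius_users=None):
    """Return (granted, deciding_method, methods_tried) for a login attempt on `line`.

    radius_users is the simulated RADIUS user store (constructed data, only
    consulted when radius is REACHABLE).
    """
    radius_users = radius_users or {}
    tried = []
    for method in METHOD_LISTS[LINE_AUTH[line]]:
        tried.append(method)
        if method == "none":
            return True, method, tried                      # no credentials asked for
        if method == "group radius":
            if radius is Radius.UNREACHABLE:
                continue                                    # ERROR: try the next method
            return radius_users.get(username) == password, method, tried
        if method == "local":
            if username not in LOCAL_USERS:
                continue                                    # assumption: unknown user -> next method
            return LOCAL_USERS[username] == password, method, tried
        if method == "line":
            return password == LINE_PASSWORD, method, tried
    return False, None, tried                               # every method errored: deny
```

Note that a reachable RADIUS server that rejects the user ends the search; the local database is only a fallback for an unreachable server, which is the scenario the explanation of Question 2 describes.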

Question 8

A network engineer configures port security and 802.1x on the same interface. Which option describes what this configuration allows?

A. It allows port security to secure the MAC address that 802.1x authenticates.

B. It allows port security to secure the IP address that 802.1x authenticates.

C. It allows 802.1x to secure the MAC address that port security authenticates.

D. It allows 802.1x to secure the IP address that port security authenticates.

Answer: A

Explanation

You can configure port security and 802.1X on the same interfaces. Port security secures the MAC addresses that 802.1X authenticates. 802.1X processes packets before port security processes them, so when you enable both on an interface, 802.1X is already preventing inbound traffic on the interface from unknown MAC addresses.

When you enable 802.1X and port security on the same interface, port security continues to learn MAC addresses by the sticky or dynamic method, as configured. Additionally, depending on whether you enable 802.1X in single-host mode or multiple-host mode, one of the following occurs:
+ Single host mode – Port security learns the MAC address of the authenticated host.
+ Multiple host mode – Port security drops any MAC addresses learned for this interface by the dynamic method and learns the MAC address of the first host authenticated by 802.1X.

If a MAC address that 802.1X passes to port security would violate the applicable maximum number of secure MAC addresses, the device sends an authentication failure message to the host.

The device treats MAC addresses authenticated by 802.1X as though they were learned by the dynamic method, even if port security previously learned the address by the sticky or static methods. If you attempt to delete a secure MAC address that has been authenticated by 802.1X, the address remains secure.

If the MAC address of an authenticated host is secured by the sticky or static method, the device treats the address as if it were learned by the dynamic method, and you cannot delete the MAC address manually.

Port security integrates with 802.1X to reauthenticate hosts when the authenticated and secure MAC address of the host reaches its port security age limit.

Port Security

Question 1

Which feature describes MAC addresses that are dynamically learned or manually configured, stored in the address table, and added to the running configuration?

A. sticky

B. dynamic

C. static

D. secure

Answer: A

Explanation

The “sticky” keyword in the switchport port-security mac-address sticky command converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses and adds them to the running configuration.

Question 2

On which interface can port security be configured?

A. static trunk ports

B. destination port for SPAN

C. EtherChannel port group

D. dynamic access point

Answer: A

Explanation

Port security can be enabled on both access and static trunk ports. An example of configuring port security on a static trunk port is shown below:

Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport port-security

We cannot configure port security on a dynamic interface. For example, we see an error when trying it:

Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport
Switch(config-if)# switchport mode dynamic desirable
Switch(config-if)# switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.

Question 3

After port security is deployed throughout an enterprise campus, the network team has been overwhelmed with port reset requests. They decide to configure the network to automate the process of re-enabling user ports. Which command accomplishes this task?

A. switch(config)# errdisable recovery interval 180

B. switch(config)# errdisable recovery cause psecure-violation

C. switch(config)# switchport port-security protect

D. switch(config)# switchport port-security aging type inactivity

E. switch(config)# errdisable recovery cause security-violation

Answer: B

Explanation

When a port security violation is detected, the switch automatically places the port in the “err-disabled” shutdown state. The “errdisable recovery cause psecure-violation” command brings a secure port out of error-disabled state.

Note: There is a similar command: “errdisable recovery cause security-violation” but it recovers a port from 802.1x violation disable state.

Question 4

Which option is a possible cause for an errdisabled interface?

A. routing loop

B. cable unplugged

C. STP loop guard

D. security violation

Answer: D

Explanation

When a port security violation is detected, the switch automatically places the port in the “err-disabled” shutdown state.

Question 5

What is the default value for the errdisable recovery interval in a Cisco switch?

A. 30 seconds

B. 100 seconds

C. 300 seconds

D. 600 seconds

Answer: C

Explanation

If any one of the errdisable recovery conditions is enabled, the ports with this condition are reenabled after 300 seconds. You can also change this default of 300 seconds if you issue this command:

Switch(config)#errdisable recovery interval timer_interval_in_seconds

DHCP Snooping

Quick review of DHCP Spoofing:

DHCP spoofing is a type of attack in which the attacker listens for DHCP Requests from clients and answers them with a fake DHCP Response before the authorized DHCP Response reaches the clients. The fake DHCP Response often gives the attacker’s IP address as the client’s default gateway -> all the traffic sent from the client goes through the attacker’s computer, and the attacker becomes a “man-in-the-middle”.

The attacker has a few ways to make sure the fake DHCP Response arrives first. In fact, if the attacker is “closer” than the DHCP Server then he doesn’t need to do anything. Or he can DoS the DHCP Server so that it can’t send the DHCP Response.

DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.

Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of DHCP messages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP response is seen on an untrusted port, the port is shut down.

Question 1

A Cisco Catalyst switch that is prone to reboots continues to rebuild the DHCP snooping database. What is the solution to avoid the snooping database from being rebuilt after every device reboot?

A. A DHCP snooping database agent should be configured.

B. Enable DHCP snooping for all VLANs that are associated with the switch.

C. Disable Option 82 for DHCP data insertion.

D. Use IP Source Guard to protect the DHCP binding table entries from being lost upon rebooting.

E. Apply ip dhcp snooping trust on all interfaces with dynamic addresses.

Answer: A

Explanation

To retain the bindings across switch reloads, you must use the DHCP snooping database agent. Without this agent, the bindings established by DHCP snooping are lost upon switch reload. Connectivity is lost as well.

Question 2

A server with a statically assigned IP address is attached to a switch that is provisioned for DHCP snooping. For more protection against malicious attacks, the network team is considering enabling dynamic ARP inspection alongside DHCP snooping. Which solution ensures that the server maintains network reachability in the future?

A. Disable DHCP snooping information option.

B. Configure a static DHCP snooping binding entry on the switch.

C. Trust the interface that is connected to the server with the ip dhcp snooping trust command.

D. Verify the source MAC address of all untrusted interfaces with ip dhcp snooping verify mac-address command.

Answer: B

Explanation

Static DHCP snooping binding defines a mapping between a fixed IP address and the client’s MAC address. Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host. This is how to configure a static DHCP snooping binding entry:

Switch# ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id expiry seconds

Question 3

DHCP snooping and IP Source Guard have been configured on a switch that connects to several client workstations. The IP address of one of the workstations does not match any entries found in the DHCP binding database. Which statement describes the outcome of this scenario?

A. Packets from the workstation will be rate limited according to the default values set on the switch.

B. The interface that is connected to the workstation in question will be put into the errdisabled state.

C. Traffic will pass accordingly after the new IP address is populated into the binding database.

D. The packets originating from the workstation are assumed to be spoofed and will be discarded.

Answer: D

Explanation

IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host’s IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.

Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host’s ability to attack the network by claiming a neighbor host’s IP address.

Therefore if the switch receives a packet that does not match any entries found in the DHCP binding database, that packet is assumed to be spoofed and will be discarded.

Question 4

A DHCP configured router is connected directly to a switch that has been provisioned with DHCP snooping. IP Source Guard with the ip verify source port-security command is configured under the interfaces that connect to all DHCP clients on the switch. However, clients are not receiving an IP address via the DHCP server. Which option is the cause of this issue?

A. The DHCP server does not support information option 82.

B. The DHCP client interfaces have storm control configured.

C. Static DHCP bindings are not configured on the switch.

D. DHCP snooping must be enabled on all VLANs, even if they are not utilized for dynamic address allocation.

Answer: A

Explanation

The command “ip verify source port-security” enables IP source guard with source IP and MAC address filtering. When using this command, there are two caveats:
+ The DHCP server must support option 82, or the client is not assigned an IP address.
+ The MAC address in the DHCP packet is not learned as a secure address. The MAC address of the DHCP client is learned as a secure address only when the switch receives non-DHCP data traffic.

Question 5

A switch is added into the production network to increase port capacity. A network engineer is configuring the switch for DHCP snooping and IP Source Guard, but is unable to configure ip verify source under several of the interfaces. Which option is the cause of the problem?

A. The local DHCP server is disabled prior to enabling IP Source Guard.

B. The interfaces are configured as Layer 3 using the no switchport command.

C. No VLANs exist on the switch and/or the switch is configured in VTP transparent mode.

D. The switch is configured for sdm prefer routing as the switched database management template.

E. The configured SVIs on the switch have been removed for the associated interfaces.

Answer: B

Explanation

The following restrictions apply to IP source guard:
+ Supported only on ingress Layer 2 ports (including access and trunk ports)
+ Supported only in hardware; not applied to any traffic that is processed in software.
+ Does not support filtering of traffic based on MAC address.
+ Is not supported on private VLANs.

Question 6

Which type of information does the DHCP snooping binding database contain?

A. untrusted hosts with leased IP addresses

B. trusted hosts with leased IP addresses

C. untrusted hosts with available IP addresses

D. trusted hosts with available IP addresses

Answer: A

Explanation

The DHCP snooping binding database contains information about untrusted hosts with leased IP addresses. Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, the VLAN number and interface information associated with the host.

Question 7

Which command is needed to enable DHCP snooping if a switchport is connected to a DHCP server?

A. ip dhcp snooping trust

B. ip dhcp snooping

C. ip dhcp trust

D. ip dhcp snooping information

Answer: A

Explanation

The port connected to a DHCP server should be configured as a trusted port with the “ip dhcp snooping trust” command. Other ports connecting to hosts are untrusted ports by default.

Question 8

Which database is used to determine the validity of an ARP packet based on a valid IP-to-MAC address binding?

A. DHCP snooping database

B. dynamic ARP database

C. dynamic routing database

D. static ARP database

Answer: A

Explanation

The DHCP snooping database contains MAC address-to-IP address bindings, which Dynamic ARP Inspection (DAI) uses to determine the validity of an ARP packet.

Question 9

When IP Source Guard with source IP filtering is enabled on an interface, which feature must be enabled on the access VLAN for that interface?

A. DHCP snooping

B. storm control

C. spanning-tree portfast

D. private VLAN

Answer: A

Explanation

When IP Source Guard with source IP filtering is enabled on an untrusted interface, DHCP snooping must be enabled because it filters traffic based on IP information stored in the corresponding DHCP binding table entry.

Question 10

Which switch feature determines validity based on IP-to-MAC address bindings that are stored in a trusted database?

A. Dynamic ARP Inspection

B. storm control

C. VTP pruning

D. DHCP snooping

Answer: A

Explanation

The function of DAI is:

+ Intercepts all ARP requests and responses on untrusted ports
+ Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
+ Drops invalid ARP packets

On untrusted ports, the switch captures all ARP packets (both request and reply) and then validates the Source Protocol and Source Hardware address values against the snooping table database for that port. If the MAC address and IP address and the corresponding port do not match the snooping database entry, the ARP packets are dropped. DAI thus prevents the node from specifying a non-legitimate IP-MAC address binding that differs from what was given by the DHCP server.
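The binding database and the two features that consult it, IP Source Guard (Questions 2, 3 and 9) and Dynamic ARP Inspection (Questions 8 and 10), as an added Python model that is not the exam page's or Cisco's code. Port names, MAC addresses and IP addresses are constructed; the model drops server-side DHCP messages seen on untrusted ports and builds bindings from acks arriving on trusted ports.

```python
# Added example, not from the exam page or Cisco: a small model of the DHCP
# snooping binding database and of IP Source Guard and Dynamic ARP Inspection,
# run over constructed frames.
from dataclasses import dataclass, field


@dataclass
class Frame:
    port: str
    src_mac: str
    kind: str                # "dhcp", "arp" or "ip"
    vlan: int = 1
    dhcp_msg: str = ""       # "discover", "request", "offer", "ack" or "nak"
    client_mac: str = ""     # DHCP chaddr: which client the message concerns
    yiaddr: str = ""         # address assigned by an ack
    src_ip: str = ""         # IP source address, or ARP sender protocol address


@dataclass
class SnoopingSwitch:
    trusted: set = field(default_factory=set)     # ports with "ip dhcp snooping trust"
    bindings: dict = field(default_factory=dict)  # (mac, vlan) -> (ip, port)
    pending: dict = field(default_factory=dict)   # client mac -> port it requested from
    log: list = field(default_factory=list)

    def add_static_binding(self, mac, vlan, ip, port):
        """Static entry, as "ip dhcp snooping binding ..." in Question 2."""
        self.bindings[(mac, vlan)] = (ip, port)

    def _bound(self, mac, vlan, ip, port):
        return self.bindings.get((mac, vlan)) == (ip, port)

    def dhcp(self, f):
        """DHCP snooping: only trusted ports may send server messages; acks build bindings."""
        if f.dhcp_msg in ("offer", "ack", "nak"):
            if f.port not in self.trusted:
                self.log.append(f"DHCP_SNOOPING: dropped rogue {f.dhcp_msg} on {f.port}")
                return False
            if f.dhcp_msg == "ack" and f.client_mac in self.pending:
                self.bindings[(f.client_mac, f.vlan)] = (f.yiaddr, self.pending.pop(f.client_mac))
            return True
        self.pending[f.client_mac] = f.port            # discover/request from a client
        return True

    def ip_source_guard(self, f):
        """ip verify source: on untrusted ports only a bound (IP, MAC, port) may send."""
        if f.port in self.trusted or self._bound(f.src_mac, f.vlan, f.src_ip, f.port):
            return True
        self.log.append(f"IPSG: dropped {f.src_ip}/{f.src_mac} on {f.port}")
        return False

    def arp_inspection(self, f):
        """DAI: the ARP sender IP/MAC pair must match a binding on untrusted ports."""
        if f.port in self.trusted or self._bound(f.src_mac, f.vlan, f.src_ip, f.port):
            return True
        self.log.append(f"DAI: dropped ARP claiming {f.src_ip} from {f.src_mac} on {f.port}")
        return False

    def forward(self, f):
        """Return True if the frame passes the check that applies to its type."""
        return {"dhcp": self.dhcp, "arp": self.arp_inspection}.get(f.kind, self.ip_source_guard)(f)


def demo():
    """Constructed scenario: trusted server port Gi0/1, a client on Gi0/5, a rogue on Gi0/7
    and a statically addressed server on Gi0/9.  Returns (per-frame verdicts, switch)."""
    sw = SnoopingSwitch(trusted={"Gi0/1"})
    client, rogue, server = "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01", "aa:bb:cc:00:00:50"
    results = [
        sw.forward(Frame("Gi0/5", client, "dhcp", dhcp_msg="discover", client_mac=client)),
        sw.forward(Frame("Gi0/7", rogue, "dhcp", dhcp_msg="offer", client_mac=client, yiaddr="10.0.0.99")),
        sw.forward(Frame("Gi0/1", "00:11:22:33:44:55", "dhcp", dhcp_msg="ack", client_mac=client, yiaddr="10.0.0.20")),
        sw.forward(Frame("Gi0/5", client, "ip", src_ip="10.0.0.20")),     # matches its binding
        sw.forward(Frame("Gi0/5", client, "ip", src_ip="10.0.0.99")),     # Question 3: no binding, spoofed
        sw.forward(Frame("Gi0/7", rogue, "arp", src_ip="10.0.0.20")),     # Questions 8/10: DAI drops it
        sw.forward(Frame("Gi0/9", server, "ip", src_ip="10.0.0.50")),     # static server, no binding yet
    ]
    sw.add_static_binding(server, 1, "10.0.0.50", "Gi0/9")                # Question 2 fix
    results.append(sw.forward(Frame("Gi0/9", server, "ip", src_ip="10.0.0.50")))
    return results, sw


if __name__ == "__main__":
    verdicts, switch = demo()
    print(verdicts)
    print("\n".join(switch.log))
```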

UDLD Questions

Question 1

Which statement about the UDLD protocol is true?


A. UDLD is a Cisco-proprietary Layer 2 protocol that enables devices to monitor the physical status of links and detect unidirectional failures.
B. UDLD is a Cisco-proprietary Layer 2 protocol that enables devices to advertise their identity, capabilities, and neighbors on a local area network.
C. UDLD is a standardized Layer 2 protocol that enables devices to monitor the physical status of links and detect unidirectional failures.
D. UDLD is a standardized Layer 2 protocol that enables devices to advertise their identity, capabilities, and neighbors on a local area network.

 Answer: A

Explanation

UDLD is a Layer 2 protocol that enables devices connected through fiber-optic or twisted-pair Ethernet cables to monitor the physical configuration of the cables and detect when a unidirectional link exists. All connected devices must support UDLD for the protocol to successfully identify and disable unidirectional links. When UDLD detects a unidirectional link, it administratively shuts down the affected port and alerts you. Unidirectional links can cause a variety of problems, including spanning-tree topology loops.

Question 2

Which option lists the modes that are available for configuring UDLD on a Cisco switch?

A. normal and aggressive
B. active and aggressive
C. normal and active
D. normal and passive
E. normal and standby

 Answer: A

Explanation

A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from the neighbor is not received by the local device.

UDLD supports two modes of operation: normal (the default) and aggressive. In normal mode, UDLD can detect unidirectional links due to misconnected interfaces on fiber-optic connections. In aggressive mode, UDLD can also detect unidirectional links due to one-way traffic on fiber-optic and twisted-pair links and to misconnected interfaces on fiber-optic links.

Question 3

While working in the core network building, a technician accidentally bumps the fiber connection between two core switches and damages one of the pairs of fiber. As designed, the link was placed into a non-forwarding state due to a fault detected by UDLD. After the damaged cable was replaced, the link did not recover. What solution allows the network switch to automatically recover from such an issue?

A. macros
B. errdisable autorecovery
C. IP Event Dampening
D. command aliases
E. Bidirectional Forwarding Detection

 Answer: B

Explanation

When a unidirectional link occurs, UDLD can put that port into the errdisable state (equivalent to shutdown). The administrator must manually shut/no shut the interface to bring it back up. If we want the interface to recover automatically, configure errdisable autorecovery for the UDLD cause. For example:

errdisable recovery cause udld
errdisable recovery interval 30

By doing so, the port will be placed back in the up state (out of the err-disabled state) after 30 seconds. If the port still has a violation it will be placed in the err-disabled state again; otherwise it will remain up.

Question 4

After UDLD is implemented, a network administrator notices that one port stops receiving UDLD packets. The port keeps trying to reestablish the neighbor relationship until eight retries have failed, and then transitions into the errdisable state. Which option describes what causes the port to go into the errdisable state?

A. Normal UDLD operations that prevent traffic loops.
B. UDLD port is configured in aggressive mode.
C. UDLD is enabled globally.
D. UDLD timers are inconsistent.

 Answer: B

Explanation

UDLD aggressive mode is disabled by default. Configure UDLD aggressive mode only on point-to-point links between network devices that support UDLD aggressive mode. With UDLD aggressive mode enabled, when a port on a bidirectional link that has a UDLD neighbor relationship established stops receiving UDLD packets, UDLD tries to reestablish the connection with the neighbor. After eight failed retries, the port is disabled.

Question 5

After reviewing UDLD status on switch ports, an engineer notices that the switch LEDs are green. Which statement describes what this indicates about the status of the port?

A. The port is fully operational and no known issues are detected.
B. The bidirectional status of “unknown” indicates that the port will go into the disabled state because it stopped receiving UDLD packets from its neighbor.
C. UDLD moved into aggressive mode after inconsistent acknowledgements were detected.
D. The UDLD port is placed in the “unknown” state for 5 seconds until the next UDLD packet is received on the interface.

Answer: A

SDM Questions

Question 1

Which statement about the use of SDM templates in a Cisco switch is true?


A. SDM templates are used to configure system resources in the switch to optimize support for specific features, depending on how the switch is used in the network.
B. SDM templates are used to create Layer 3 interfaces (switch virtual interfaces) to permit hosts in one VLAN to communicate with hosts in another VLAN.
C. SDM templates are used to configure ACLs that protect networks and specific hosts from unnecessary or unwanted traffic.
D. SDM templates are used to configure a set of ACLs that allows the users to manage the flow of traffic handled by the route processor.
E. SDM templates are configured by accessing the switch using the web interface.

 Answer: A

Explanation

SDM templates are used to configure system resources in the switch to optimize support for specific features, depending on how the switch is used in the network. You can select a template to provide maximum system usage for some functions or use the default template to balance resources.

To allocate ternary content addressable memory (TCAM) resources for different usages, the switch SDM templates prioritize system resources to optimize support for certain features. You can select SDM templates to optimize these features:

+ Access – The access template maximizes system resources for access control lists (ACLs) to accommodate a large number of ACLs.
+ Default – The default template gives balance to all functions.
+ Routing – The routing template maximizes system resources for IPv4 unicast routing, typically required for a router or aggregator in the center of a network.
+ VLANs – The VLAN template disables routing and supports the maximum number of unicast MAC addresses. It would typically be selected for a Layer 2 switch.

In addition, the dual IPv4 and IPv6 templates enable a dual stack environment.

Question 2

Which SDM template disables routing and supports the maximum number of unicast MAC addresses?

A. VLAN
B. access
C. default
D. routing

 Answer: A

Explanation

The VLAN template disables routing and supports the maximum number of unicast MAC addresses. It would typically be selected for a Layer 2 switch.

Question 3

Which SDM template is the most appropriate for a Layer 2 switch that provides connectivity to a large number of clients?

A. VLAN
B. default
C. access
D. routing

Answer: A

Explanation

The VLAN template disables routing and supports the maximum number of unicast MAC addresses. It would typically be selected for a Layer 2 switch.

Question 4

A network engineer deployed a switch that operates the LAN base feature set and decides to use the SDM VLAN template. The SDM template is causing the CPU of the switch to spike during peak working hours. What is the root cause of this issue?

A. The VLAN receives additional frames from neighboring switches.
B. The SDM VLAN template causes the MAC address-table to overflow.
C. The VLAN template disables routing in hardware.
D. The switch needs to be rebooted before the SDM template takes effect.

Answer: C

Explanation

The VLAN template disables routing and supports the maximum number of unicast MAC addresses. It would typically be selected for a Layer 2 switch.

StackWise Questions

Question 1

What is the maximum number of switches that can be stacked using Cisco StackWise?


A. 4
B. 5
C. 8
D. 9
E. 10
F. 13

Answer: D

Explanation

The switches are united into a single logical unit using special stack interconnect cables that create a bidirectional closed-loop path. This bidirectional path acts as a switch fabric for all the connected switches. Network topology and routing information is updated continuously through the stack interconnect. All stack members have full access to the stack interconnect bandwidth. The stack is managed as a single unit by a master switch, which is elected from one of the stack member switches.

Each switch in the stack has the capability to behave as a master or subordinate (member) in the hierarchy. The master switch is elected and serves as the control center for the stack. Both the master and the member switches act as forwarding processors. Each switch is assigned a number. Up to nine separate switches can be joined together. The stack can have switches added and removed without affecting stack performance.

Question 2

A network engineer wants to add a new switch to an existing switch stack. Which configuration must be added to the new switch before it can be added to the switch stack?

A. No configuration must be added.
B. stack ID
C. IP address
D. VLAN information
E. VTP information

 Answer: A

Explanation

When we add a new switch to an existing switch stack, the election takes place automatically to choose a master switch. We don’t have to configure anything on the newly added switch. If you want the newly added switch to become the master, use this command and then reload it:

switch(config)# switch 1 priority 15

Note: Power off the switch before connecting the StackWise cables, and power it on only after all StackWise cables are connected.

Question 3

What percentage of bandwidth is reduced when a stack cable is broken?

A. 0
B. 25
C. 50
D. 75
E. 100

Answer: C

Explanation

The picture below shows how StackWise cables are connected between switches:

When the StackWise cables are fully connected (as shown above), the stack ring speed is 32 Gbps full-duplex. To load balance the traffic efficiently, the StackWise cables operate bidirectionally as two 16 Gbps counter-rotating rings, so packets are distributed between two logical counter-rotating paths. Each counter-rotating path supports 16 Gbps in both directions, yielding a total of 32 Gbps bidirectionally.

A break in any one of the cables will result in the stack bandwidth being reduced to half (16 Gbps) of its full capacity.

Miscellaneous Questions

Question 1

What is the function of NSF?


A. forward traffic simultaneously using both supervisors
B. forward traffic based on Cisco Express Forwarding
C. provide automatic failover to back up supervisor in VSS mode
D. provide nonstop forwarding in the event of failure of one of the member supervisors

 Answer: D

Explanation

Nonstop Forwarding (NSF) works with Stateful Switchover (SSO) to minimize the amount of time a network is unavailable to its users following a switchover. The main objective of Cisco NSF is to continue forwarding IP packets following a route processor (RP) switchover.

Usually, when a networking device restarts, all routing peers of that device detect that the device went down and then came back up. This transition results in what is called a routing flap, which could spread across multiple routing domains. Routing flaps caused by routing restarts create routing instabilities, which are detrimental to the overall network performance. Cisco NSF helps to suppress routing flaps in SSO-enabled devices, thus reducing network instability.

Cisco NSF allows for the forwarding of data packets to continue along known routes while the routing protocol information is being restored following a switchover. With Cisco NSF, peer networking devices do not experience routing flaps. Data traffic is forwarded through intelligent line cards while the standby RP assumes control from the failed active RP during a switchover. The ability of line cards to remain up through a switchover and to be kept current with the Forwarding Information Base (FIB) on the active RP is key to Cisco NSF operation.

Question 2

Which statement describes what happens if all VSL connections between the virtual switch members are lost?

A. Both virtual switch members cease to forward traffic.
B. The VSS transitions to the dual active recovery mode, and both virtual switch members continue to forward traffic independently.
C. The virtual switch members reload.
D. The VSS transitions to the dual active recovery mode, and only the new active virtual switch continues to forward traffic.

Answer: D

Explanation

VSLs can be configured with up to eight links between the two switches across any combination of line cards or supervisor ports to provide a high level of redundancy. If for some rare reason all Virtual Switching Link (VSL) connections are lost between the virtual switch members leaving both the virtual switch members up, the VSS will transition to the dual active recovery mode.

In the dual active recovery mode, all interfaces except the VSL interfaces are in an operationally shut down state in the formerly active virtual switch member. The new active virtual switch continues to forward traffic on all links.

Question 3

Which statement describes what happens when a switch enters dual active recovery mode?

A. The switch shuts down and waits for the VSL link to be restored before sending traffic.
B. All interfaces are shut down in the formerly active virtual switch member, but the new active virtual switch forwards traffic on all links.
C. The switch continues to forward traffic out all links and enables spanning tree on VSL link and all other links to prevent loops.
D. The VSS detects which system was last in active state and shuts down the other switch.

Answer: B

Explanation

If for some rare reason all Virtual Switching Link (VSL) connections are lost between the virtual switch members leaving both the virtual switch members up, the VSS will transition to the dual active recovery mode.

In the dual active recovery mode, all interfaces except the VSL interfaces are in an operationally shut down state in the formerly active virtual switch member. The new active virtual switch continues to forward traffic on all links.

Question 4

Which option is a benefit of using VSS?

A. reduces cost
B. simplifies configuration
C. provides two independent supervisors with two different control planes
D. removes the need for a First Hop Redundancy Protocol

Answer: D

Explanation

VSS increases operational efficiency by simplifying the network, reducing switch management overhead by at least 50 percent. This includes removing the need for Hot Standby Router Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP), and Gateway Load Balancing Protocol (GLBP) -> D is correct.