SWITCH 300-115 Category

CDP & LLDP Questions

May 16th, 2015 certprepare 208 comments

Question 1

Explanation

Cisco Discovery Protocol (CDP) is a proprietary protocol designed by Cisco to help in finding information about neighboring devices. By default a device sends an advertisement every 60 seconds, and each neighbor keeps the information contained in a packet for 180 seconds (the holdtime carried in the packet).

Question 2

Question 3

Explanation

CDP runs at Layer 2 so a router running CDP can see a Layer 2 switch that is directly connected to it, provided that the Layer 2 switch also runs CDP.

Question 4

Explanation

Unlike CDP, Link Layer Discovery Protocol (LLDP) is an open IEEE-standard (802.1AB) Layer 2 protocol used by network devices to share information about their identities and functionality with other network elements.

Question 5

Explanation

Cisco Discovery Protocol Version 2 provides more intelligent, device-tracking features than those available in Version 1. One of the features available is an enhanced reporting mechanism for more rapid error tracking, which helps to reduce network downtime. Errors reported include mismatched native VLAN IDs (IEEE 802.1Q) on connected ports and mismatched port-duplex states between connected devices. Messages about reported errors can be sent to the console or to a logging server.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/cdp/configuration/xe-3s/asr903/cdp-xe-3s-asr903-book/nm-cdp-discover.html

Question 6

Explanation

Unlike CDP, Link Layer Discovery Protocol (LLDP) is an open IEEE-standard (802.1AB) Layer 2 protocol used by network devices to share information about their identities and functionality with other network elements.

Question 7

Explanation

Cisco devices send periodic CDP announcements to the multicast destination address 01-00-0c-cc-cc-cc out each connected network interface. Any device attached to that interface can receive these frames. The same multicast destination is also used by other Cisco protocols such as VTP. Because the announcements are sent in the clear and advertise hostname, platform, software version and IP addresses, disable CDP on ports that face untrusted hosts (“no cdp enable” on the interface) and keep it only where it is needed, for example for IP phones.

Question 8

Explanation

The information contained in Cisco Discovery Protocol announcements depends on the device type and the version of the operating system running on it. The following are examples of the types of information that can be contained in Cisco Discovery Protocol announcements:
+ Cisco IOS XE version running on a Cisco device
+ Duplex setting
+ Hardware platform of the device
+ Hostname
+ IP addresses of the interfaces on devices
+ Interfaces active on a Cisco device, including encapsulation type
+ Locally connected devices advertising Cisco Discovery Protocol
+ Native VLAN
+ VTP domain

Cisco Discovery Protocol Version 2 provides more intelligent device tracking features than Version 1.

Question 9

Explanation

Media Endpoint Discovery is an enhancement of LLDP, known as LLDP-MED, that provides the following facilities:
+ Auto-discovery of LAN policies such as VLAN, Layer 2 Priority and Differentiated services (Diffserv) settings, enabling plug and play networking.
+ Device location discovery to allow creation of location databases and, in the case of Voice over Internet Protocol (VoIP), Enhanced 911 services.
+ Extended and automated power management of Power over Ethernet (PoE) end points.
+ Inventory management, allowing network administrators to track their network devices, and determine their characteristics (manufacturer, software and hardware versions, serial or asset number).

The LLDP-MED protocol extension was formally approved and published as the standard ANSI/TIA-1057 by the Telecommunications Industry Association (TIA) in April 2006.

Question 10

Explanation

LLDP supports a set of attributes that it uses to discover neighbor devices. These attributes contain type, length, and value descriptions and are referred to as TLVs. LLDP supported devices can use TLVs to receive and send information to their neighbors. This protocol can advertise details such as configuration information, device capabilities, and device identity.
The switch supports these basic management TLVs. In IEEE 802.1AB only the Chassis ID, Port ID and Time To Live TLVs are mandatory; the following are optional TLVs that the switch also advertises:
+ Port description TLV
+ System name TLV
+ System description TLV
+ System capabilities TLV
+ Management address TLV
These organizationally specific LLDP TLVs are also advertised to support LLDP-MED.
+ Port VLAN ID TLV (IEEE 802.1 organizationally specific TLVs)
+ MAC/PHY configuration/status TLV(IEEE 802.3 organizationally specific TLVs)

-> No VTP information is supported in LLDP.

Question 11

Explanation

Cisco Discovery Protocol Version 2 has three additional type, length, values (TLVs): VTP Management Domain Name, Native VLAN, and full/half-Duplex.

Question 12

Explanation

The default CDP timer (the frequency at which a router sends CDP packets) is 60 seconds and the hold time (the amount of time a receiving device retains the CDP information sent by other devices) is 180 seconds. In this case the question asks about the CDP timer, so half of the default CDP timer is 30 seconds.
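Questions 7, 8, 11 and 12 above all describe the same packet. The following added example (written for this page; it is not Cisco code and not a capture) builds a CDP version 2 announcement from constructed values, wraps it in the SNAP-encapsulated frame addressed to 01-00-0c-cc-cc-cc, and decodes it the way a neighbor, or anyone sniffing the segment, would: the holdtime field, the Device ID, Port ID, Capabilities, Software Version and Platform TLVs, and the three version 2 TLVs (VTP domain, native VLAN, duplex). The hostname, platform string and MAC address are made up, and the checksum helper is the plain ones' complement sum, which is exact for the even-length sample used here.

```python
"""Build and decode a CDP version 2 announcement.

Added example with a constructed frame (not a capture and not Cisco code); the TLV
type codes and the 01-00-0c-cc-cc-cc destination follow the published CDP format.
"""
import struct

CDP_MULTICAST_DST = bytes.fromhex("01000ccccccc")
# LLC/SNAP encapsulation: DSAP/SSAP 0xAA, control 0x03, Cisco OUI 00-00-0C, PID 0x2000 (CDP)
SNAP_HEADER = bytes.fromhex("aaaa03" "00000c" "2000")

TLV_NAMES = {
    0x0001: "Device ID",
    0x0003: "Port ID",
    0x0004: "Capabilities",
    0x0005: "Software Version",
    0x0006: "Platform",
    0x0009: "VTP Management Domain",   # these three were added in CDP version 2
    0x000A: "Native VLAN",
    0x000B: "Duplex",
}
TEXT_TLVS = {0x0001, 0x0003, 0x0005, 0x0006, 0x0009}
CAPABILITY_BITS = {0x01: "Router", 0x02: "Transparent Bridge", 0x04: "Source Route Bridge",
                   0x08: "Switch", 0x10: "Host", 0x20: "IGMP", 0x40: "Repeater"}


def inet_checksum(data: bytes) -> int:
    """Ones' complement checksum over 16-bit words (the CDP header field).
    Real CDP treats a trailing odd byte specially; the sample payload is kept even-length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tlv(tlv_type: int, value: bytes) -> bytes:
    # the TLV length field includes the 4-byte type/length header itself
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp(tlvs, version=2, holdtime=180) -> bytes:
    """CDP payload: version, holdtime (seconds the neighbor keeps the entry), checksum, TLVs."""
    body = b"".join(tlvs)
    checksum = inet_checksum(struct.pack("!BBH", version, holdtime, 0) + body)
    return struct.pack("!BBH", version, holdtime, checksum) + body


def build_frame(src_mac: bytes, cdp_payload: bytes) -> bytes:
    """802.3 frame: multicast destination, source, length, SNAP header, CDP payload."""
    llc = SNAP_HEADER + cdp_payload
    return CDP_MULTICAST_DST + src_mac + struct.pack("!H", len(llc)) + llc


def parse_frame(frame: bytes) -> dict:
    """Decode what a neighbor (or anyone sniffing the segment) learns from one announcement."""
    if frame[:6] != CDP_MULTICAST_DST or frame[14:22] != SNAP_HEADER:
        raise ValueError("not a CDP frame")
    payload = frame[22:22 + struct.unpack("!H", frame[12:14])[0] - 8]
    if inet_checksum(payload) != 0:
        raise ValueError("bad CDP checksum")
    version, holdtime, _ = struct.unpack("!BBH", payload[:4])
    info = {"version": version, "holdtime": holdtime}
    offset = 4
    while offset + 4 <= len(payload):
        tlv_type, length = struct.unpack("!HH", payload[offset:offset + 4])
        if length < 4 or offset + length > len(payload):
            raise ValueError("malformed TLV")
        value = payload[offset + 4:offset + length]
        name = TLV_NAMES.get(tlv_type, "TLV 0x%04x" % tlv_type)
        if tlv_type in TEXT_TLVS:
            info[name] = value.decode("ascii", "replace")
        elif tlv_type == 0x0004:
            bits = struct.unpack("!I", value)[0]
            info[name] = [n for bit, n in CAPABILITY_BITS.items() if bits & bit]
        elif tlv_type == 0x000A:
            info[name] = struct.unpack("!H", value)[0]
        elif tlv_type == 0x000B:
            info[name] = "full" if value == b"\x01" else "half"
        else:
            info[name] = value.hex()
        offset += length
    return info


def sample_announcement() -> dict:
    """Constructed announcement from an assumed access switch; returns the decoded fields."""
    tlvs = [
        tlv(0x0001, b"SW-CORE-1"),
        tlv(0x0003, b"GigabitEthernet1/0/24"),
        tlv(0x0004, struct.pack("!I", 0x08 | 0x20)),          # Switch + IGMP
        tlv(0x0005, b"Cisco IOS Software, Version 12.2(55)SE"),
        tlv(0x0006, b"cisco WS-C2960-24TT-L"),
        tlv(0x0009, b"corp"),
        tlv(0x000A, struct.pack("!H", 1)),                     # native VLAN 1
        tlv(0x000B, b"\x01"),                                  # full duplex
    ]
    frame = build_frame(bytes.fromhex("001122aabbcc"), build_cdp(tlvs))
    return parse_frame(frame)


if __name__ == "__main__":
    for key, val in sample_announcement().items():
        print(f"{key}: {val}")
```

Everything the decoder prints is exactly what an attacker on the same segment gets for free, which is why CDP belongs only on ports that need it. The Addresses TLV (type 0x0002) is left undecoded here because its nested protocol/address encoding would double the parser.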

Switch Questions

May 12th, 2015 certprepare 240 comments

Question 1

Explanation

The command “mac address-table aging-time 180” specifies the time before an entry ages out and is discarded from the MAC address table. The default is 300 seconds. Entering the value 0 disables the MAC aging.

Question 2

Question 3

Explanation

The switch learns which port a host is attached to by examining the source MAC address of frames received on that port. For example, if the switch receives a frame with source MAC 0000.0000.aaaa (abbreviated as “aaaa”) on port Fa0/1, it populates its MAC address table with an entry like “host aaaa on Fa0/1”. If the switch then receives a frame with the same “aaaa” MAC on Fa0/2, the entry moves and the switch logs something like this:

%MAC_MOVE-SP-4-NOTIF: Host 0000.0000.aaaa in vlan 1 is flapping between port 0/1 and port 0/2

This flapping may be the result of a Layer 2 loop somewhere in your network, especially when STP has been disabled for some reason. It can also mean that a second device is sending frames with a spoofed source MAC address of an existing host, so find the cause before silencing the message.

If you don’t want to see this message, issue “no mac-address-table notification mac-move” or pin the host with a static entry, “mac-address-table static 0000.0000.aaaa vlan 1 interface fa0/1”, on the switch. The command “mac-address-table notification mac-move” is disabled by default on the 6500 and 7600 series but enabled by default on other series.
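The following added example (written for this page, not Cisco code) models the learning, aging, static-entry and MAC-move behaviour from Questions 1 and 3 as a small MAC table fed with constructed frames. Port names, MAC addresses and timestamps are made up; the syslog text mirrors the message quoted above.

```python
"""Simulated Catalyst MAC address table: learning, aging, static entries and MAC-move notices.

Added example with constructed frames; it models the behaviour described above and is not
Cisco code. Times are plain seconds, port names and MACs are made up.
"""
from dataclasses import dataclass

DEFAULT_AGING = 300   # seconds: IOS default for "mac address-table aging-time"


@dataclass
class Entry:
    port: str
    last_seen: float
    static: bool = False


class MacTable:
    def __init__(self, aging_time: int = DEFAULT_AGING, mac_move_notify: bool = True):
        self.aging_time = aging_time            # 0 disables aging, as on IOS
        self.mac_move_notify = mac_move_notify  # "mac address-table notification mac-move"
        self.table = {}                         # (vlan, mac) -> Entry
        self.log = []                           # syslog lines the switch would emit

    def add_static(self, mac: str, vlan: int, port: str):
        """mac address-table static <mac> vlan <vlan> interface <port>"""
        self.table[(vlan, mac)] = Entry(port, 0.0, static=True)

    def expire(self, now: float):
        """Drop dynamic entries not refreshed within the aging time."""
        if self.aging_time == 0:
            return
        stale = [k for k, e in self.table.items()
                 if not e.static and now - e.last_seen > self.aging_time]
        for k in stale:
            del self.table[k]

    def learn(self, src_mac: str, vlan: int, port: str, now: float) -> str:
        """Process a frame received on `port`; return the port the MAC is now bound to."""
        self.expire(now)
        entry = self.table.get((vlan, src_mac))
        if entry is None:
            self.table[(vlan, src_mac)] = Entry(port, now)
            return port
        if entry.static:
            return entry.port                   # a static entry pins the MAC; nothing moves it
        if entry.port != port:
            if self.mac_move_notify:
                self.log.append(f"%MAC_MOVE-SP-4-NOTIF: Host {src_mac} in vlan {vlan} "
                                f"is flapping between port {entry.port} and port {port}")
            entry.port = port                   # the newest frame wins
        entry.last_seen = now
        return entry.port


def flapping_hosts(table: MacTable, min_moves: int = 2) -> dict:
    """Hosts with repeated MAC moves: a loop, or a second device spoofing that host's MAC."""
    counts = {}
    for line in table.log:
        mac = line.split("Host ")[1].split()[0]
        counts[mac] = counts.get(mac, 0) + 1
    return {mac: n for mac, n in counts.items() if n >= min_moves}


if __name__ == "__main__":
    sw = MacTable()
    for t, port in enumerate(["Fa0/1", "Fa0/2", "Fa0/1", "Fa0/2"]):   # constructed frame sequence
        sw.learn("0000.0000.aaaa", 1, port, t)
    print("\n".join(sw.log))
    print(flapping_hosts(sw))   # {'0000.0000.aaaa': 3}
```

The static entry branch is the interesting one for a defender: once a host is pinned, frames carrying its MAC from any other port are attributed to the pinned port and never generate a move, which is also why a static entry silences the log without fixing a loop or a spoofer.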

Question 4

Explanation

Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol-stack implementation, mistakes in network configurations, or users issuing a denial-of-service attack can cause a storm.
Storm control (or traffic suppression) monitors packets passing from an interface to the switching bus and determines if the packet is unicast, multicast, or broadcast. The switch counts the number of packets of a specified type received within the 1-second time interval and compares the measurement with a predefined suppression-level threshold.

Storm control uses one of these methods to measure traffic activity:
+ Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
+ Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
+ Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received

With each method, the port blocks traffic when the rising threshold is reached. The port remains blocked until the traffic rate drops below the falling threshold (if one is specified) and then resumes normal forwarding. If the falling suppression level is not specified, the switch blocks all traffic until the traffic rate drops below the rising suppression level. In general, the higher the level, the less effective the protection against broadcast storms.

The command “storm-control broadcast level 75 65” limits the broadcast traffic up to 75% of the bandwidth (75% is called the rising threshold). The port will start forwarding broadcast traffic again when it drops below 65% of the bandwidth (65% is called the falling threshold).

Note: If you don’t configure the falling threshold, it will use the same value of the rising threshold.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_25_fx/configuration/guide/2960scg/swtrafc.html#wp1063295

Question 5

Explanation

By using “storm-control broadcast level level [falling-threshold]” on an interface we can limit the broadcast traffic on the switch.

Question 6

Explanation

The command “show mac address-table” displays the MAC address table along with the port associated with each entry. The “show mac address-table address mac-address” form gives a more specific view of a single MAC address.

Question 7

Question 8

Explanation

The command “storm-control action {shutdown | trap} ” specifies the action to be taken when a storm is detected. The default is to filter out the traffic and not to send traps.
+ Select the shutdown keyword to error-disable the port during a storm.
+ Select the trap keyword to generate an SNMP trap when a storm is detected.
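Questions 4, 5 and 8 describe the rising/falling hysteresis and the three actions. The added example below (written for this page, not Cisco code) models a port under “storm-control broadcast level 75 65”: a rising threshold that blocks, a falling threshold that reopens, a missing falling threshold that defaults to the rising one, and the shutdown and trap actions. The port capacity in packets per second is an assumed figure used only to turn a rate into a percentage.

```python
"""Storm-control suppression with rising/falling thresholds and the shutdown/trap actions.

Added example: a simplified model of the behaviour described above, not Cisco code. The
port capacity in packets per second is an assumed figure used to turn a rate into a percentage.
"""


class StormControl:
    def __init__(self, rising: float, falling: float = None, action: str = "filter",
                 capacity_pps: int = 100_000):
        # "storm-control broadcast level <rising> [<falling>]": with no falling level the
        # port only reopens once the rate is back below the rising level.
        if falling is None:
            falling = rising
        if not 0 <= falling <= rising <= 100:
            raise ValueError("levels are percentages and falling must not exceed rising")
        if action not in ("filter", "shutdown", "trap"):
            raise ValueError("action must be filter (default), shutdown or trap")
        self.rising, self.falling, self.action = rising, falling, action
        self.capacity_pps = capacity_pps
        self.blocked = False          # suppression currently active on the port
        self.err_disabled = False     # port put into errdisable by "action shutdown"
        self.traps = []               # SNMP traps that "action trap" would emit

    def interval(self, broadcast_pps: int) -> int:
        """Evaluate one 1-second measurement; return the broadcast packets forwarded in it."""
        if self.err_disabled:
            return 0
        level = 100.0 * broadcast_pps / self.capacity_pps
        if not self.blocked and level >= self.rising:
            self.blocked = True                         # rising threshold reached: block
            if self.action == "shutdown":
                self.err_disabled = True
                return 0
            if self.action == "trap":
                self.traps.append(f"storm detected: broadcast at {level:.0f}% of port bandwidth")
        elif self.blocked and level < self.falling:
            self.blocked = False                        # below falling threshold: forward again
        return 0 if self.blocked else broadcast_pps


def run(ctrl: StormControl, samples) -> list:
    """Feed per-second broadcast rates through the port and collect what was forwarded."""
    return [ctrl.interval(s) for s in samples]


if __name__ == "__main__":
    # storm-control broadcast level 75 65 on a port modelled at 100 000 pps
    print(run(StormControl(75, 65), [50_000, 80_000, 70_000, 60_000, 50_000]))  # [50000, 0, 0, 60000, 50000]
```

The third sample (70%) is the point of the falling threshold: it is below the rising level, yet the port stays blocked until traffic drops under 65%, so a storm hovering just under the rising level does not flap the port open and closed every second. With “action shutdown” the port is errdisabled and stays at zero until it is recovered, which is safer on user ports and riskier on uplinks.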

EtherChannel Questions

May 9th, 2015 certprepare 84 comments

Notes:

The Port Aggregation Protocol (PAgP) and Link Aggregation Control Protocol (LACP) facilitate the automatic creation of EtherChannels by exchanging packets between Ethernet interfaces. The Port Aggregation Protocol (PAgP) is a Cisco-proprietary solution, and the Link Aggregation Control Protocol (LACP) is standards based.

LACP modes:

+ on: the link aggregation is forced to be formed without any LACP negotiation. A port-channel is formed only if the peer port is also in “on” mode.
+ off: disable LACP and prevent ports to form a port-channel
+ passive: the switch does not initiate the channel, but does understand incoming LACP packets
+ active: send LACP packets and willing to form a port-channel

The table below lists if an EtherChannel will be formed or not for LACP:

LACP Active Passive
Active Yes Yes
Passive Yes No

PAgP modes:

+ on: The link aggregation is forced to be formed without any PAgP negotiation. A port-channel is formed only if the peer port is also in “on” mode.
+ off: disable PAgP and prevent ports to form a port-channel
+ desirable: send PAgP packets and willing to form a port-channel
+ auto: does not start PAgP packet negotiation but responds to PAgP packets it receives

The table below lists if an EtherChannel will be formed or not for PAgP:

PAgP Desirable Auto
Desirable Yes Yes
Auto Yes No

An EtherChannel in Cisco can be defined as a Layer 2 EtherChannel or a Layer 3 EtherChannel.
+ For Layer 2 EtherChannel, physical ports are placed into an EtherChannel group. A logical port-channel interface will be created automatically. An example of configuring Layer 2 EtherChannel can be found in Question 1 in this article.

+ For Layer 3 EtherChannel, the logical port-channel interface is created first (“interface port-channel number”, followed by “no switchport” on a Layer 3 switch) and given an IP address; the physical ports are then configured with “no switchport” as well and bound into it with the channel-group command. No Switch Virtual Interface (SVI) is involved.

For more information about EtherChannel, please read our EtherChannel tutorial.

Question 1

Explanation

The table below lists if an EtherChannel will be formed or not for LACP:

LACP Active Passive
Active Yes Yes
Passive Yes No

The table below lists if an EtherChannel will be formed or not for PAgP:

PAgP Desirable Auto
Desirable Yes Yes
Auto Yes No

To form an EtherChannel both sides must use the same EtherChannel protocol (LACP or PAgP). According to the two tables above, of the combinations offered only “desirable” and “auto” (both PAgP) can form an EtherChannel bundle.

Note: If we want to use “on” mode, both ends must be configured in this “on” mode to create an Etherchannel bundle.

Question 2

Explanation

To form an Etherchannel both sides must use the same Etherchannel protocol (LACP or PAgP).

Question 3

Explanation

In this case the EtherChannel bundle was configured to load-balance based on the destination IP address but there is only one web server (means one destination IP address). Therefore only one of the EtherChannel links is being utilized to reach the web server. To solve this problem we should configure load-balancing based on source IP address so that traffic to the web server would be shared among the links in the EtherChannel bundle with different hosts.

Question 4

Question 5

Explanation

If one end is passive and the other end is active, the EtherChannel is formed even though the two switches use different LACP modes and different load-balancing methods; the load-balancing method is a local choice on each switch and is not negotiated. Switch1 will load-balance based on destination IP while Switch2 will load-balance based on source MAC address.

Question 6

Explanation

When storm control is configured on an EtherChannel, the storm control settings propagate to the EtherChannel physical interfaces. In the “show etherchannel” command output, the storm control settings appear on the EtherChannel but not on the physical ports of the channel.

Note: You cannot configure storm control on the individual ports of that EtherChannel.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_22ea/SCG/scg/swtrafc.html

Question 7

Explanation

Issue the port-channel load-balance {src-mac | dst-mac | src-dst-mac | src-ip | dst-ip | src-dst-ip | src-port | dst-port | src-dst-port | mpls} global configuration command in order to configure the load balancing.

Question 8

Explanation

A LACP port priority is configured on each port using LACP. The port priority can be configured automatically or through the CLI. LACP uses the port priority with the port number to form the port identifier. The port priority determines which ports should be put in standby mode when there is a hardware limitation that prevents all compatible ports from aggregating.

The syntax of LACP port priority is (configured under interface mode):

lacp port-priority priority-value

The lower the value, the higher the priority and the more likely the port is to be chosen as an active link rather than a hot-standby one.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/gigeth.html

Question 9

Explanation

The table below lists if an EtherChannel will be formed or not for PAgP:

PAgP Desirable Auto
Desirable Yes Yes
Auto Yes No

For “on” mode, the link aggregation is forced to be formed without any PAgP negotiation. A port-channel is formed only if the peer port is also in “on” mode.

Question 10

Explanation

Interfaces Fa0/13 to Fa0/15 are bundled into Port-channel 12 and it is running with “desirable” mode -> it is using PAgP.

EtherChannel Questions 2

May 6th, 2015 certprepare 49 comments

Question 1

Explanation

From the output we see currently the Server_Switch is load balancing via source MAC address. By changing load-balance to another method the problem can be solved. In this case C is the best choice because other answers are surely incorrect.

Question 2

Explanation

Configuration changes applied to the port-channel interface apply to all the physical ports assigned to the port-channel interface. Configuration changes applied to the physical port affect only the port where you apply the configuration. To change the parameters of all ports in an EtherChannel, apply configuration commands to the port-channel interface, for example, spanning-tree commands or commands to configure a Layer 2 EtherChannel as a trunk.

Note: If we only change the parameters on a physical port of the port-channel, the port-channel may go down because of parameter mismatch. For example, if you only configure “switchport trunk allowed vlan …” on a physical port, the port-channel will go down.

Question 3

Explanation

The EtherChannel provides full-duplex bandwidth up to 800 Mbps (Fast EtherChannel) or 8 Gbps (Gigabit EtherChannel) between your switch and another switch or host.

Each EtherChannel can consist of up to eight compatibly configured Ethernet interfaces. All interfaces in each EtherChannel must be the same speed, and all must be configured as either Layer 2 or Layer 3 interfaces.

Note: 800 Mbps full-duplex means data can be transmitted at 800 Mbps and received at 800 Mbps (1600 Mbps in total).

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-1_13_ea1/configuration/guide/3550scg/swethchl.html

Question 4

Explanation

From the last line of the output, we learn physical ports Fa0/13, Fa0/14, and Fa0/15 are bundled into Port-channel 1 and use LACP which is an open standard protocol.

Question 5

Explanation

The EtherChannel provides full-duplex bandwidth up to 800 Mbps (Fast EtherChannel) or 8 Gbps (Gigabit EtherChannel) between your switch and another switch or host. Therefore if we have 10 Gigabit Ethernet connections, only 8 links will be used.

Question 6

Explanation

Multichassis LACP (mLACP) is also supported on 7600 and ASR9000 series -> A is not correct.

mLACP supports both FastEthernet & GigabitEthernet -> B is not correct.

VSS mode does not support the mLACP for server access feature, but mLACP itself is available in Virtual Switching Systems (VSS). An example of combining VSS and mLACP is shown below:

(Figure: mLACP_VSS.jpg)

In the topology above, the mLACP is a port channel that spans the two chassis of a VSS. Notice that the two chassis of this VSS are connected via a Virtual Switch Link (VSL). The VSL is a special link that carries control and data traffic between the two chassis of a VSS. In this case the VSL is implemented as an EtherChannel with two links.

Some of the restrictions for mLACP are mentioned at http://www.cisco.com/c/en/us/td/docs/routers/asr920/configuration/guide/lanswitch/lanswitch-ethernet-channel-xe-3s-asr920-book/lsw_mlacp.html

+ mLACP does not support Fast Ethernet.
+ mLACP does not support half-duplex links.
+ mLACP does not support multiple neighbors.
+ Converting a port channel to mLACP can cause a service disruption (in a short time) -> D is not correct.

Question 7

Explanation

When enabled, LACP tries to configure the maximum number of LACP-compatible ports in a channel, up to a maximum of 16 ports. Only eight LACP links can be active at one time. The software places any additional links in a hot-standby mode. If one of the active links becomes inactive, a link that is in the hot-standby mode becomes active in its place.
If you configure more than eight links for an EtherChannel group, the software automatically decides which of the hot-standby ports to make active based on the LACP priority. The software assigns to every link between systems that operate LACP a unique priority made up of these elements (in priority order):
+ LACP system priority
+ System ID (a combination of the LACP system priority and the switch MAC address)
+ LACP port priority
+ Port number
In priority comparisons, numerically lower values have higher priority. The priority decides which ports should be put in standby mode when there is a hardware limitation that prevents all compatible ports from aggregating.
Ports are considered for active use in aggregation in link-priority order starting with the port attached to the highest priority link. Each port is selected for active use if the preceding higher priority selections can also be maintained. Otherwise, the port is selected for standby mode.

(Reference: http://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/12-2_52_ey/configuration/guide/3800x3600xscg/swethchl.html#wp1144010)

Question 8

Explanation

The table below lists if an EtherChannel will be formed or not for LACP:

LACP Active Passive
Active Yes Yes
Passive Yes No

Therefore if switch 1 is configured LACP in active mode, the other end must be configured as Active or Passive mode.

Note: If the other end is configured in “on” mode, the EtherChannel will not be formed because in “on” mode no negotiation packets are sent, so the LACP side never receives a reply to its LACPDUs.

Question 9

Explanation

When an EtherChannel is created, a logical interface is created on the switches or routers to represent that EtherChannel. You can configure this logical interface the way you want: for example, assign access/trunk mode on switches or assign an IP address to the logical interface on routers/Layer 3 switches. An example of a Layer 3 EtherChannel port is shown below (on a Layer 3 switch the port-channel must first be made a routed port with “no switchport”; on a router it is routed by default):

interface Port-channel12
 description Link to R2
 no switchport   ! Layer 3 switch only; not needed on a router
 ip address 10.2.4.13 255.255.255.252

Question 10

Explanation

To configure EtherChannel load balancing, “issue the port-channel load-balance {src-mac | dst-mac | src-dst-mac | src-ip | dst-ip | src-dst-ip | src-port | dst-port | src-dst-port | mpls} global configuration command in order to configure the load balancing”. Therefore only the “source MAC address and destination MAC address” answer is correct.
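Questions 3, 5 and 7 of the previous EtherChannel section and Questions 1 and 10 here all turn on how the load-balancing method picks a member link. The added example below (written for this page; Cisco's hash is platform specific, so this is a simplified model, not the switch's algorithm) XORs the selected header fields and keeps the low-order bits, one bit for 2 links, two for 4, three for 8. Forty constructed client flows to a single web server show why “dst-ip” lands every flow on one link while “src-ip” or “src-dst-ip” spreads them. The addresses are from documentation ranges and are made up.

```python
"""EtherChannel frame distribution, modelled as XOR of the selected header fields
masked to the low-order bits (2 links: 1 bit, 4 links: 2 bits, 8 links: 3 bits).

Added example; Cisco's hash is platform specific, so this is a simplified model with
constructed flows, not the switch's own algorithm.
"""
import ipaddress
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src_mac dst_mac src_ip dst_ip src_port dst_port")

# keyword of "port-channel load-balance" -> header fields fed into the hash
LOAD_BALANCE_FIELDS = {
    "src-mac": ("src_mac",), "dst-mac": ("dst_mac",), "src-dst-mac": ("src_mac", "dst_mac"),
    "src-ip": ("src_ip",), "dst-ip": ("dst_ip",), "src-dst-ip": ("src_ip", "dst_ip"),
    "src-port": ("src_port",), "dst-port": ("dst_port",), "src-dst-port": ("src_port", "dst_port"),
}


def _as_int(value):
    if isinstance(value, int):
        return value
    if ":" in value:                                   # MAC address aa:bb:cc:dd:ee:ff
        return int(value.replace(":", ""), 16)
    return int(ipaddress.ip_address(value))            # IPv4/IPv6 literal


def select_link(flow: Flow, method: str, n_links: int) -> int:
    """Return the index of the member link a frame of this flow is sent on."""
    if n_links not in (2, 4, 8):
        raise ValueError("model supports 2, 4 or 8 member links")
    h = 0
    for name in LOAD_BALANCE_FIELDS[method]:
        h ^= _as_int(getattr(flow, name))
    return h & (n_links - 1)


def distribution(flows, method: str, n_links: int) -> Counter:
    """How many flows land on each member link under a given load-balance method."""
    return Counter(select_link(f, method, n_links) for f in flows)


# Constructed traffic: 40 clients in 10.1.1.0/24 talking to one web server 10.9.9.9:80.
SERVER_MAC, SERVER_IP = "00:00:5e:00:53:99", "10.9.9.9"
CLIENT_FLOWS = [
    Flow(f"00:00:5e:00:53:{i:02x}", SERVER_MAC, f"10.1.1.{i}", SERVER_IP, 40000 + i, 80)
    for i in range(1, 41)
]

if __name__ == "__main__":
    for method in ("dst-ip", "dst-mac", "src-ip", "src-dst-ip", "src-mac"):
        print(f"{method:12s} {dict(sorted(distribution(CLIENT_FLOWS, method, 4).items()))}")
```

The direction matters as much as the field: on the server-side switch the same traffic is return traffic, so there “dst-ip” spreads and “src-ip” collapses. Choosing a src-dst variant avoids having to reason about direction, and with 40 clients here it still uses all four links.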

Reference this link: http://www.cisco.com/c/en/us/support/docs/lan-switching/etherchannel/12023-4.html

Question 11

Explanation

From the outputs of the “show etherchannel summary” commands we learn that Switch1 is configuring EtherChannel with LACP while Switch2 is configuring with EtherChannel “on” mode -> the EtherChannel bundle does not go up.

VLAN Questions

May 5th, 2015 certprepare 48 comments

Question 1

Explanation

The Port Fast feature is automatically enabled when voice VLAN is configured. When you disable voice VLAN, the Port Fast feature is not automatically disabled.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-1_19_ea1/configuration/guide/3550scg/swvoip.html

Question 2

Explanation

802.1Q VLAN frames are distinguished from ordinary Ethernet frames by the insertion of a 4-byte VLAN tag into the Ethernet header.

(Figure: 802.1q_header.png)

Question 3

Explanation

Because the 802.1Q tunneling feature increases the frame size by 4 bytes when the metro tag is added, you must configure all switches in the service-provider network to be able to process maximum frames by increasing the switch system MTU size to at least 1504 bytes.

Question 4

Explanation

The VLAN ID field inside an 802.1Q frame consists of 12 bits. Therefore we have 2^12 = 4096 VLAN IDs, theoretically (VLAN 0 and 4095 are reserved, leaving 4094 usable).

(Figure: 802.1q_header.png)

Question 5

Explanation

Each access port can only be assigned to one VLAN, via the “switchport access vlan vlan-id” command.

Question 6

Explanation

This command is used to enable tagging of native VLAN frames on all 802.1Q trunk ports.

Answer A is not correct because even when the native VLAN is set to 1, all of the frames of the native VLAN are tagged.

Answer B is not correct because the control traffic still passes via the default VLAN (VLAN 1).

Answer C is not correct because all the frames are tagged with 4-byte dot1q tag.

Only answer D is best choice because control traffic (like CDP, VTP, STP, DTP…) uses VLAN 1 for communication. When the native VLAN is tagged (VLAN 1 by default) all control traffic is tagged too. If the native VLAN is not VLAN 1 then all the control traffic on VLAN 1 is still tagged by default (without using above command).

Question 7

Explanation

When you delete a VLAN, any LAN ports configured as access ports assigned to that VLAN become inactive. The ports remain associated with the VLAN (and inactive) until you assign them to a new VLAN.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/vlans.html

Question 8

Explanation

The PortFast feature is automatically enabled when voice VLAN is configured. When you disable voice VLAN, the PortFast feature is not automatically disabled.

VLAN Trunking

May 3rd, 2015 certprepare 46 comments

Question 1

Explanation

These errors are generated because the native VLAN is not matched on the two switches (the native VLAN on SW-1 is not the default native VLAN 1 while the native VLAN on the other side is VLAN 1). The errors indicate that spanning tree has detected mismatched native VLANs and has shut down VLAN 1 on the trunk.

We should verify that the configurations of the native VLAN ID is consistent on the interfaces on each end of the IEEE 802.1Q trunk connection. When the configurations are consistent, spanning tree automatically unblocks the interfaces.

Question 2

Explanation

In 802.1Q, the trunking device inserts a 4-byte tag into the original frame and recomputes the frame check sequence (FCS) before the device sends the frame over the trunk link. At the receiving end, the tag is removed and the frame is forwarded to the assigned VLAN. 802.1Q does not tag frames on the native VLAN. It tags all other frames that are transmitted and received on the trunk.

Reference: http://www.cisco.com/c/en/us/support/docs/lan-switching/8021q/17056-741-4.html
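Questions 2, 3 and 4 of the VLAN section and Question 2 here all come down to the 4-byte tag. The added example below (written for this page, not Cisco code) inserts a tag after the source address, recomputes the FCS, strips it again, decodes the PCP/DEI/VID fields, enforces the 1 to 4094 range, models a trunk sending the native VLAN untagged, and stacks a second tag the way 802.1Q tunneling does, so that the 1518 / 1522 / 1526 byte frame sizes (and hence the 1504 system MTU) fall out of the arithmetic. The FCS is modelled with zlib's CRC-32; frames and addresses are constructed.

```python
"""Insert, strip and decode IEEE 802.1Q tags on Ethernet frames.

Added example with constructed frames (not from the page). The FCS is modelled as the
Ethernet CRC-32 (zlib.crc32, stored little-endian); no hardware or driver is involved.
"""
import struct
import zlib

TPID_8021Q = 0x8100          # also the default outer ("metro") TPID for Cisco 802.1Q tunneling
TPID_8021AD = 0x88A8         # provider-bridge outer tag
VID_BITS = 12
MAX_VID = (1 << VID_BITS) - 2      # 4094: VID 0 (priority-tagged) and 4095 are reserved


def vid_valid(vid: int) -> bool:
    return 1 <= vid <= MAX_VID


def fcs(body: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Untagged frame: dst(6) src(6) type(2) payload fcs(4)."""
    body = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    body += struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def add_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0, tpid: int = TPID_8021Q) -> bytes:
    """Insert a 4-byte tag after the source address and recompute the FCS (frame grows by 4)."""
    if not vid_valid(vid):
        raise ValueError(f"VLAN ID {vid} out of range 1..{MAX_VID}")
    body = frame[:-4]
    tci = (pcp << 13) | (dei << 12) | vid
    body = body[:12] + struct.pack("!HH", tpid, tci) + body[12:]
    return body + fcs(body)


def strip_tag(frame: bytes) -> bytes:
    """Remove the outermost tag, as the receiving switch does before forwarding into the VLAN."""
    body = frame[:-4]
    if struct.unpack("!H", body[12:14])[0] not in (TPID_8021Q, TPID_8021AD):
        raise ValueError("frame is not tagged")
    body = body[:12] + body[16:]
    return body + fcs(body)


def parse_frame(frame: bytes) -> dict:
    """Return addresses, every tag (outermost first), the EtherType and the payload."""
    if fcs(frame[:-4]) != frame[-4:]:
        raise ValueError("bad FCS")
    body = frame[:-4]
    tags, off = [], 12
    while off + 4 <= len(body) and struct.unpack("!H", body[off:off + 2])[0] in (TPID_8021Q, TPID_8021AD):
        tci = struct.unpack("!H", body[off + 2:off + 4])[0]
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    return {"dst": body[:6].hex(":"), "src": body[6:12].hex(":"), "tags": tags,
            "ethertype": struct.unpack("!H", body[off:off + 2])[0], "payload": body[off + 2:]}


def trunk_egress(frame: bytes, vid: int, native_vid: int = 1) -> bytes:
    """An 802.1Q trunk sends native-VLAN frames untagged and tags every other VLAN."""
    return frame if vid == native_vid else add_tag(frame, vid)


if __name__ == "__main__":
    f = build_frame("ff:ff:ff:ff:ff:ff", "00:00:5e:00:53:01", 0x0800, bytes(1500))  # max payload
    t = add_tag(f, 10)
    qinq = add_tag(t, 500)            # service-provider "metro" tag outside the customer tag
    print(len(f), len(t), len(qinq))  # 1518 1522 1526: each tag needs 4 more bytes of MTU
    print(parse_frame(qinq)["tags"])
```

The untagged native VLAN in trunk_egress is the mechanism behind double-tagging attacks: a frame that arrives on an access port in the native VLAN with a tag already inside it has its outer identity supplied by the trunk, not by the tag, so the inner tag survives to the next switch. Tagging the native VLAN (Question 6 of the VLAN section) or using an unused native VLAN closes that path.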

Question 3

Explanation

802.1Q is an industry-standard implementation of carrying traffic for multiple VLANs on a single trunking interface between two Ethernet switches. 802.1Q is for Ethernet networks only.

Question 4

Explanation

We can use “switchport trunk allowed vlan vlan-list” to specify which VLANs are allowed to go through. Other VLANs will be dropped.

Question 5

Explanation

Manually configuring trunking with the “switchport mode trunk” command, and manually configuring access interfaces with “switchport mode access”, prevents auto trunking on that interface.

Disabling DTP with “switchport nonegotiate”, so that DTP messages are not advertised out of the interface, is also a good way to prevent auto trunking; it can only be applied to a port already set to static access or trunk mode, not to a dynamic one. Leaving user-facing ports in the default dynamic mode is what lets an attacker negotiate a trunk and hop VLANs, so apply both settings on every such port.

Question 6

Explanation

There are two protocols that can be used for trunking: Inter-Switch Link (ISL) and 802.1Q. We can choose which one to run with “switchport trunk encapsulation {isl | dot1q}”. After that we can configure trunking mode with the “switchport mode trunk” command.

In fact this question is not clear and may cause confusion because Dynamic Trunking Protocol (DTP) is the protocol that can automatically negotiate trunking.

Note: The DTP options are dynamic auto, dynamic desirable, and trunk.

Question 7

Explanation

By default all VLANs are allowed to go through a trunk, but if we apply “switchport trunk allowed vlan vlan-list” then only those VLANs are allowed through and other VLANs are dropped, so be careful when limiting VLANs on trunks with this command.

Question 8

Explanation

We can use “switchport trunk allowed vlan vlan-list” to specify which VLANs are allowed to go through. Other VLANs will be dropped.

Question 9

Explanation

First we will explain these two commands:

switchport access vlan 10
switchport mode trunk

The first command is used for an access port whilst the second is used for a trunk, so why are they both here? In fact this interface was set as a trunk. The “switchport access vlan 10” line is still there but it does not affect the operational mode of the port -> Gi1/0/1 is a trunk port, so it will not appear in the “show vlan” output (only access ports are listed there).

The “switchport voice vlan 11” command here only tries to confuse you, but it does have an effect on the port: the switch uses CDP to identify a Cisco IP Phone and tells the phone to tag its voice traffic with the voice VLAN. For example, if we configure like this:

interface fa0/0
switchport trunk encapsulation dot1q
switchport mode trunk
switchport voice vlan 11

Then the voice traffic from a Cisco IP Phone will be placed into VLAN 11.

(Figure: Cisco_IP_Phone_data_voice_VLANs.jpg)

Note: In the above configuration the data and voice traffic use the same interface fa0/0, so it is configured as a trunk link. The usual configuration for a phone port is an access port with “switchport access vlan” for the data VLAN plus “switchport voice vlan”, which carries the voice VLAN tagged without turning the port into a full trunk.

(Reference: http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_example09186a0080722cdb.shtml)

Question 10

Explanation

VLAN 1 is always used for CDP, VTP, PAgP traffic (except DTP uses native VLAN) even if VLAN 1 is not the native VLAN. If VLAN 1 is not the native VLAN then CDP, VTP, PAgP traffic will be tagged on the trunk.

In this question, after changing the default native VLAN to 999 while keeping the standard configuration on the other end, we cause a “native VLAN mismatched” error. Besides, CDP, VTP traffic is tagged on the local switch (as VLAN 1 is no longer the native VLAN) so the other end cannot understand them -> CDP, VTP traffic is dropped.

VTP Questions

May 1st, 2015 certprepare 80 comments

Question 1

Explanation

VTP updates can only be forwarded on trunk links.

Question 2

Explanation

VTP version 1 and version 2 support VLANs 1 to 1000 only. Extended-range VLANs are supported only in VTP version 3. If converting from VTP version 3 to VTP version 2, VLANs in the range 1006 to 4094 are removed from VTP control.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/vtp.html

Question 3

Explanation

VTP Pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast frames on a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN. In the below example, Server switch doesn’t send broadcast frame to Sw2 because Sw2 doesn’t have ports in VLAN 10.

(Figure: VTP_Pruning_Enabled.jpg)

Question 4

Explanation

Switch C can receive VLAN information from Switch A so Switch B can forward it to Switch C without updating its VLAN database -> Switch B is in VTP transparent mode.

Question 5

Explanation

VTP updates can only be forwarded on trunk links.

Question 6

Explanation

VTP version 1 and version 2 support VLANs 1 to 1000 only. Extended-range VLANs are supported only in VTP version 3. If converting from VTP version 3 to VTP version 2, VLANs in the range 1006 to 4094 are removed from VTP control.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/vtp.html

Question 7

Explanation

VTP Pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast frames on a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN

Question 8

Explanation

VTP version 1 and version 2 support VLANs 1 to 1000 only. Extended-range VLANs are supported only in VTP version 3. If converting from VTP version 3 to VTP version 2, VLANs in the range 1006 to 4094 are removed from VTP control.

Question 9

Explanation

If a VTP client or server with a null domain receives a VTP message with the domain populated, it will assume the domain of the received message and add applicable VLANs to its database.

Question 10

Explanation

VTP version 1 and version 2 support VLANs 1 to 1000 only. Extended-range VLANs are supported only in VTP version 3. If converting from VTP version 3 to VTP version 2, VLANs in the range 1006 to 4094 are removed from VTP control.

VTP Questions 2

April 28th, 2015 certprepare 26 comments

Question 1

Explanation

VLAN 1 and VLANs 1002 to 1005 are always pruning-ineligible; traffic from these VLANs cannot be pruned. Extended-range VLANs (VLAN IDs higher than 1005) are also pruning-ineligible. Therefore VTP pruning can be applied only from VLAN 2 to 1001.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swvtp.html

Question 2

Explanation

VTP Pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast frames on a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN

Question 3

Explanation

In Client mode we cannot create VLANs, and Switch1 does not have any trunk links so it cannot receive any VTP updates. There is no answer that configures trunk links, so we have to choose the solution “change VTP mode to server and enable 802.1q”. But this is a dangerous solution because this switch could then “update” other switches with its VLAN database via VTP.

Question 4

Explanation

From the output above we see Switch Company A cannot receive VTP updates from Switch Company B. Therefore we should check the trunking links connecting two switches. Manually force trunking may be a good solution.

Question 5

Explanation

VTP Pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast frames on a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN

Question 6

Explanation

VLANs 2–1000 are eligible for pruning, but VLAN 1 has a special meaning because it is normally used as the management VLAN and is not eligible for pruning. The only way we can remove VLAN 1 is through the “switchport trunk allowed vlan remove 1” command. But even when you remove VLAN 1 from a trunk port, the interface continues to send and receive management traffic, for example Cisco Discovery Protocol (CDP), Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), DTP and VTP, in VLAN 1.

One benefit of clearing VLAN 1 is that user data can no longer travel via this VLAN. BPDU traffic is also banned on this VLAN.

Note: The Cisco IOS-based Catalyst 2900XL/3500XL switches do not allow you to clear VLAN 1 from a trunk; however, the Catalyst 2950/3550, Cisco IOS 4000/4500, and native IOS 6000/6500 switches allow you to clear VLAN 1.

Question 7

Question 8

Explanation

If the revision number of the new switch is higher than that of the other switches in the same VTP domain, it will overwrite the other switches’ VLAN databases even if the new switch operates in VTP Client mode. So we should set the VTP mode of the new switch to Transparent (which also resets its revision number to 0) before connecting it to our network.

Question 9

Explanation

VTPv3 supports the extended VLAN range (VLANs 1006 to 4094). VTP versions 1 and 2 only support VLANs 1 to 1005. If extended VLANs are configured, we cannot convert from VTP version 3 to version 1 or 2.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swvtp.html

Question 10

Explanation

These switches are running VTPv1, so they cannot share the MST configuration with each other (only VTPv3 supports MST). Therefore, in order to share the same MST with DSW2, DSW1 must be manually configured with the same region name, revision number and VLAN-to-instance mapping as DSW2.

STP Questions

April 25th, 2015 certprepare 46 comments

Question 1

Explanation

If we want to view the spanning-tree status of a specific VLAN, use the “show spanning-tree vlan” command followed by the VLAN number. An example of the output of this command is shown below:

show_spanning-tree_vlan_30.jpg

Question 2

Explanation

SW3 needs to block one of its ports to SW2 to avoid a bridging loop between the two switches. But how does SW3 select its blocked port? The answer is based on the BPDUs it receives from SW2. A BPDU is superior to another if it has:
1. A lower Root Bridge ID
2. A lower path cost to the Root
3. A lower Sending Bridge ID
4. A lower Sending Port ID

These four parameters are examined in order. In this specific case, all the BPDUs sent by SW2 have the same Root Bridge ID, the same path cost to the Root and the same Sending Bridge ID. The only parameter left to select the best one is the Sending Port ID (Port ID = port priority + port index). The lower the port-priority value, the higher the priority of that port. Therefore we must change the port-priority on F1/1 to a lower value than that of Fa1/0. Zero is the lowest value we can assign to a port, so we can assign this value to SW2 F1/1 and configure a higher value on Fa1/0. This is the command to complete this task:

SW2(config)#interface f1/1
SW2(config-if)#spanning-tree vlan port-priority 0

Note: If we don’t change the port priority, SW3 will compare port index values, which are unique to each port on the switch, and because Fa1/0 is inferior to Fa1/1, SW3 will select Fa1/0 as its root port and block the other port.

Question 3

Explanation

After being powered on, the switches start sending BPDUs to elect a root bridge. A BPDU is superior to another if it has:

1. A lower Root Bridge ID
2. A lower path cost to the Root
3. A lower Sending Bridge ID
4. A lower Sending Port ID

From the output above, we learn that SW1 is the root bridge for VLAN 1 (from “this bridge is the root” line). SW1 has the “Bridge ID Priority” of 1 because SW1 has been configured with switch priority value of 0, which is also the lowest priority value (highest priority). This value is then added with the VLAN ID (VLAN 1 in this case) so the final value is 1.

Question 4

Explanation

After receiving BPDUs from upstream bridges, the switch adds the STP cost of the receiving port and chooses the lowest resulting value as its root port -> the STP cost of Fa0/21 is the smallest, so it is chosen as the root port.

Question 5

Explanation

PortFast is often configured on switch ports that connect to hosts. Interfaces with PortFast enabled go to the forwarding state immediately without passing through the listening and learning states, which saves the roughly 30 to 45 seconds normally spent transitioning through them. To enable this feature, configure this command under interface mode:

Switch(config-if)#spanning-tree portfast

Question 6

Explanation

The “spanning-tree portfast bpdufilter default” command enables BPDU filtering on Portfast-enabled interfaces. This command prevents interfaces that are in a Portfast-operational state from sending BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Portfast-operational status, and BPDU filtering is disabled.

In conclusion, the above command only affects ports configured with PortFast. It prevents these ports from sending BPDUs (PortFast interfaces normally still send BPDUs), but the odd thing is that if such a port receives a BPDU, it loses both the BPDU filtering and the PortFast feature.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swstpopt.html#wp1046220

Question 7

Explanation

Root guard does not allow the port to become an STP root port, so the port is always STP-designated. If a better BPDU arrives on this port, root guard does not take the BPDU into account or elect a new STP root. Instead, root guard puts the port into the root-inconsistent STP state, which is equivalent to the listening state. No traffic is forwarded across this port.

Below is an example of where to configure Root Guard on the ports. Notice that Root Guard is always configured on designated ports.

Root_Guard_Location.jpg

To configure Root Guard use this command:

Switch(config-if)# spanning-tree guard root

Reference: http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10588-74.html

Question 8

Explanation

Although RSTP was configured on all ports, only edge ports are allowed to run it; RSTP cannot work on a trunk port. If we try to configure it on a trunk port (suppose Fa0/24) we will receive this message:

%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc… to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION

%Portfast has been configured on FastEthernet0/24 but will only have effect when the interface is in a non-trunking mode.

Question 9

Explanation

UplinkFast is a Cisco-specific feature that improves the convergence time of the Spanning Tree Protocol (STP) when an uplink fails. It is designed to run in a switched environment where the switch has at least one alternate/backup root port (a port in the blocking state), which is why Cisco recommends enabling UplinkFast only on switches with blocked ports, typically at the access layer.

For example in the topology below:

STP_simple.jpg

Suppose S1 is the root bridge in the topology above. S3 is connected to S1 via two paths: one direct path and another that goes through S2. Suppose the port directly connected to S1 is the root port -> the port connected to S2 will be in the Blocking state. If the primary link goes down, the blocked port needs about 50 seconds to move from Blocking -> Listening -> Learning -> Forwarding before it can be used.

To shorten the downtime, UplinkFast can be used. When the primary (root) link fails, another blocked link can be brought up immediately for use. When UplinkFast is enabled, it is enabled for the entire switch and all VLANs; it cannot be enabled for individual VLANs.

Reference: http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10575-51.html

Question 10

Explanation

Every non-root bridge needs to elect a root port. The election of root port is as follows:

1) Based on lowest cost path to the root bridge
2) Then based on lowest upstream Bridge ID (Bridge ID = Bridge Priority + MAC)
3) Then based on lowest upstream Port ID (Port ID = Port Priority + Port Index)

Therefore we can use STP cost and port-priority to select the root port.
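
The four-step BPDU comparison used in Questions 2, 3 and 10 above, as an added example (not code from the page): bridge IDs and port IDs follow the formulas given there, the switch adds its own port cost before comparing (Question 4), and the MAC addresses, port indexes and link costs are constructed.

```python
from dataclasses import dataclass

DEFAULT_PORT_PRIORITY = 128  # Cisco default; configurable 0..240 in steps of 16


@dataclass(frozen=True, order=True)
class BridgeId:
    """Bridge ID = bridge priority + VLAN (the extended system ID), then the MAC."""
    priority_with_vlan: int
    mac: str


@dataclass(frozen=True, order=True)
class PortId:
    """Port ID = port priority + port index; the priority is compared first."""
    priority: int
    index: int


@dataclass(frozen=True, order=True)
class Bpdu:
    root_id: BridgeId
    root_path_cost: int
    sender_bridge_id: BridgeId
    sender_port_id: PortId


def bridge_id(priority: int, vlan: int, mac: str) -> BridgeId:
    """Question 3: a switch priority of 0 in VLAN 1 shows up as Bridge ID priority 1."""
    return BridgeId(priority + vlan, mac)


def select_root_port(received: dict) -> str:
    """Pick the root port from the BPDUs heard on each port.

    received maps a local port name to (BPDU heard on that port, that port's
    STP cost). The switch adds its own port cost to the advertised root path
    cost and then applies the four-step ordering. The local port name is the
    final key only to make the choice deterministic; real STP uses the
    receiving port ID there, which is not needed for the cases below.
    """
    def rank(item):
        port, (bpdu, local_cost) = item
        return (bpdu.root_id, bpdu.root_path_cost + local_cost,
                bpdu.sender_bridge_id, bpdu.sender_port_id, port)
    return min(received.items(), key=rank)[0]


# Question 2 scenario (MAC addresses, port indexes and costs are constructed):
# SW1 is the root, SW2 connects to it, SW3 hears SW2 on two parallel links.
SW1 = bridge_id(0, 1, "0000.0000.0001")      # priority 0 + VLAN 1 = 1
SW2 = bridge_id(32768, 1, "0000.0000.0002")  # default priority 32768 + VLAN 1


def sw3_root_port(sw2_f1_1_priority: int = DEFAULT_PORT_PRIORITY) -> str:
    """Return SW3's root port for a given port-priority on SW2 F1/1.

    Both links are 100 Mb/s (cost 19). SW2 Fa1/0 has the lower port index,
    so with equal port priorities SW3 prefers the link from Fa1/0.
    """
    heard = {
        "Fa1/0": (Bpdu(SW1, 19, SW2, PortId(DEFAULT_PORT_PRIORITY, 1)), 19),  # from SW2 Fa1/0
        "Fa1/1": (Bpdu(SW1, 19, SW2, PortId(sw2_f1_1_priority, 2)), 19),       # from SW2 F1/1
    }
    return select_root_port(heard)


if __name__ == "__main__":
    print("default port priorities:  ", sw3_root_port())   # Fa1/0
    print("SW2 F1/1 port-priority 0: ", sw3_root_port(0))  # Fa1/1
```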

Question 11

Explanation

PortFast is often configured on switch ports that connect to hosts. Interfaces with PortFast enabled go to the forwarding state immediately without passing through the listening and learning states, which saves the roughly 30 to 45 seconds normally spent transitioning through them. To enable this feature, configure this command under interface mode:

Switch(config-if)#spanning-tree portfast

Question 12

Explanation

BPDUFilter is designed to suppress the sending and receiving of BPDUs on an interface. There are two ways of configuring BPDUFilter, under global configuration mode or under interface mode, but there is a subtle difference between them.

If BPDUFilter is configured globally via this command:

Switch(config)#spanning-tree portfast bpdufilter default

BPDUFilter will be enabled on all PortFast-enabled interfaces and will stop those interfaces from sending or receiving BPDUs. This is good if the port is connected to a host, because we can enable PortFast on the port to save some start-up time while not allowing BPDUs to be sent to that host. Hosts do not participate in STP and hence drop the BPDUs they receive. As a result, BPDU filtering prevents unnecessary BPDUs from being transmitted to host devices.

If BPDUFilter is configured under interface mode like this:

Switch(config-if)#spanning-tree bpdufilter enable

It will suppress the sending and receiving of BPDUs, which is the same as disabling spanning tree on the interface. This choice is risky and should only be used when you are sure the port connects only to host devices.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swstpopt.html

Question 13

Explanation

To stop receiving unwanted BPDUs (for easier troubleshooting), he can issue the “spanning-tree portfast bpdufilter default” command under global configuration mode. This enables BPDUFilter on all PortFast-enabled interfaces and stops those interfaces from sending or receiving BPDUs. This is good if the port is connected to a host, because we can enable PortFast on the port to save some start-up time while not allowing BPDUs to be sent to that host. Hosts do not participate in STP and hence drop the BPDUs they receive. As a result, BPDU filtering prevents unnecessary BPDUs from being transmitted to host devices.

Question 14

Question 15

Explanation

If there is more than one connection between two switches, STP will automatically block one of them to prevent a loop. In particular, STP blocks the link with the higher priority value. Therefore, if we want to force traffic onto the secondary link, we can lower the priority of the secondary link. For example:

Switch(config-if)#spanning-tree port-priority 48

Remember that for a switch (Layer 2 device) a lower value is preferred over a higher value, whereas for a router (Layer 3 device) a higher value is preferred over a lower value.

Question 16

Explanation

Spanning Tree Protocol elects a root bridge based on the Bridge IDs. The root bridge is the bridge with the lowest bridge ID. And Bridge ID = Bridge Priority + MAC Address. Therefore to prevent a switch from becoming the root bridge we can adjust STP priority to the maximum value.

RSTP Questions

April 21st, 2015 certprepare 19 comments

Question 1

Explanation

There are five port roles in RSTP:

* Root port – A forwarding port that is the closest to the root bridge in terms of path cost
* Designated port – A forwarding port for every LAN segment
* Alternate port – The best alternate path to the root bridge. This path is different from the one through the root port. The alternate port moves to the forwarding state if there is a failure on the designated port for the segment.
* Backup port – A backup/redundant path to a segment where another bridge port already connects. The backup port applies only when a single switch has two links to the same segment (collision domain). To have two links to the same collision domain, the switch must be attached to a hub.
* Disabled port – Not strictly part of STP; a network administrator can manually disable a port

There is no “blocking” port role as in STP. The “alternate” and “backup” roles exist only in RSTP.

Question 2

Explanation

RSTP is backward compatible with 802.1D STP. If an RSTP-enabled port receives a (legacy) 802.1D BPDU, it automatically configures itself to behave like a legacy port and sends and receives 802.1D BPDUs only.

MST Questions

April 18th, 2015 certprepare 15 comments

Question 1

Explanation

Instead of using Per-VLAN Spanning Tree (PVST) or Rapid PVST, which run a separate STP instance for each active VLAN (there would be 20 STP instances for 20 VLANs), Multiple Spanning Tree (MST) maps multiple VLANs into a single spanning-tree instance, thereby reducing the number of spanning-tree instances needed. MST also reduces switch resource usage and managerial burden.

Question 2

Explanation

Besides the two MST instances 1 and 2, Instance 0 is a special instance for a region, known as the Internal Spanning Tree (IST). The IST always exists on all ports; you cannot delete the IST. By default, all VLANs are assigned to the IST. All other MST instances are numbered from 1 to 4094. The IST is the only STP instance that sends and receives BPDUs. All of the other MSTI information is contained in MST records (M-records), which are encapsulated within MST BPDUs.

Note:
+ The Common Spanning Tree (CST) interconnects the MST regions and any instance of 802.1D and 802.1w STP that may be running on the network
+ A Common and Internal Spanning Tree (CIST) is a collection of the ISTs in each MST region.

Question 3

Explanation

Unlike Per-VLAN Spanning Tree (PVST) which maintains a spanning tree instance for each VLAN configured in the network, Multiple Spanning Tree (MST) maps multiple VLANs into a spanning tree instance, thereby reducing the number of spanning-tree instances needed. MST also reduces switch resources and managerial burdens.

Private VLAN

April 15th, 2015 certprepare 30 comments

Quick review:

The main purpose of Private VLAN (PVLAN) is to provide the ability to isolate hosts at Layer 2 instead of Layer 3. As you know, a VLAN is a broadcast domain; by using PVLAN we split that domain into several smaller broadcast domains. For example, without PVLAN, a service provider that wants to increase security by isolating customers into separate domains so that they can’t access each other has to assign them to different VLANs and use different subnets. This can result in a waste of IP addresses and difficulty in VLAN management. Private VLANs (PVLANs) solve this problem by allowing the isolation of devices at Layer 2 in the same subnet. A PVLAN can be considered a “VLAN inside a VLAN”.

There are three types of ports in PVLAN:

* Isolated: can only communicate with promiscuous ports. Notice that it cannot even communicate with another isolated port. Also, there can be only 1 isolated VLAN per PVLAN.
* Promiscuous: can communicate with all other ports. The default gateway is usually connected to this port so that all devices in the PVLAN can go outside.
* Community: can communicate with other members of that community and with promiscuous ports, but cannot communicate with other communities. There can be multiple community VLANs per PVLAN.

PVLAN_Promiscuous_Community_Isolated.jpg

For example, in the topology above:

+ Host A cannot communicate with Hosts B, C, D, E and F. It can only communicate with the promiscuous port to the router. Notice that even two isolated ports in the same VLAN cannot communicate with each other.

+ Host C can communicate with Host D because they are in the same community but Host C cannot communicate with E and F because they are in a different community.

+ All hosts can go outside through promiscuous port.

Also worth mentioning are the concepts of “primary VLAN” and “secondary VLAN”. A PVLAN can have only one primary VLAN; all VLANs in a PVLAN domain share the same primary VLAN. Secondary VLANs are the isolated and community VLANs.

PVLAN_Primary_VLAN_Secondary_VLAN.jpg

Configuration of PVLAN:

1. Set VTP mode to transparent
2. Create secondary (isolated and community) VLANs and primary VLAN
3. Associate secondary VLANs to the primary VLAN
4. Configure interfaces as promiscuous interfaces
5. Configure interfaces to be isolated or community interfaces.

Sample configuration using the topology above:

//First set VTP to transparent mode
Switch(config)#vtp mode transparent

//Create secondary VLANs
Switch(config)#vlan 101
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#vlan 102
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#vlan 103
Switch(config-vlan)#private-vlan community

//Create primary VLAN
Switch(config-vlan)#vlan 100
Switch(config-vlan)#private-vlan primary

//Associate secondary (isolated, community) VLANs with the primary VLAN
Switch(config-vlan)#private-vlan association 101,102,103

//Configure the port connected to the router as a promiscuous port, with the primary VLAN mapped to the secondary VLANs
Switch(config)#interface f0/1
Switch(config-if)#switchport mode private-vlan promiscuous
Switch(config-if)#switchport private-vlan mapping 100 101,102,103

//Ports connected to hosts A, B, C, D, E, F are configured in host mode and assigned to the appropriate VLANs (A and B to isolated VLAN 101; C and D to community VLAN 102; E and F to community VLAN 103). The ranges must not overlap each other or the router port f0/1:
Switch(config)#interface range f0/2 - 3 //connect to hosts A and B
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 100 101

Switch(config-if-range)#interface range f0/4 - 5 //connect to hosts C and D
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 100 102

Switch(config-if-range)#interface range f0/6 - 7 //connect to hosts E and F
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 100 103

To check the configuration, use this command:

Switch# show vlan private-vlan
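
The port-type rules and the sample configuration above, modelled as an added example (not code from the page): it enforces the one-isolated-VLAN limit, the secondary-to-primary association, and the who-can-talk-to-whom rules for hosts A to F and the router port. Host names and VLAN numbers come from the walk-through; the class and function names are this example's own.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PrivateVlan:
    primary: int
    isolated: Optional[int] = None
    communities: set = field(default_factory=set)
    # port name -> secondary VLAN id for host ports, None for a promiscuous port
    ports: dict = field(default_factory=dict)

    def add_isolated(self, vlan: int) -> None:
        """'private-vlan isolated': only one isolated VLAN is allowed per PVLAN."""
        if self.isolated is not None:
            raise ValueError(f"PVLAN {self.primary} already has isolated VLAN {self.isolated}")
        self.isolated = vlan

    def add_community(self, vlan: int) -> None:
        """'private-vlan community': any number of community VLANs is allowed."""
        self.communities.add(vlan)

    def promiscuous(self, port: str) -> None:
        """'switchport mode private-vlan promiscuous', mapped to all secondaries."""
        self.ports[port] = None

    def host(self, port: str, secondary: int) -> None:
        """'switchport private-vlan host-association <primary> <secondary>'."""
        if secondary != self.isolated and secondary not in self.communities:
            raise ValueError(f"VLAN {secondary} is not a secondary VLAN of {self.primary}")
        self.ports[port] = secondary

    def can_talk(self, a: str, b: str) -> bool:
        """Layer 2 reachability between two ports of this private VLAN."""
        if a == b:
            return True
        va, vb = self.ports[a], self.ports[b]
        if va is None or vb is None:      # a promiscuous port talks to every port
            return True
        if va != vb:                      # different secondary VLANs never talk directly
            return False
        return va in self.communities     # same community: yes; same isolated VLAN: no


def sample_pvlan() -> PrivateVlan:
    """The walk-through above: primary 100, isolated 101, communities 102 and 103."""
    p = PrivateVlan(primary=100)
    p.add_isolated(101)
    p.add_community(102)
    p.add_community(103)
    p.promiscuous("Router")        # f0/1, the promiscuous port
    for h in ("A", "B"):
        p.host(h, 101)             # isolated VLAN
    for h in ("C", "D"):
        p.host(h, 102)             # first community
    for h in ("E", "F"):
        p.host(h, 103)             # second community
    return p


def reachability(p: PrivateVlan) -> dict:
    """Every unordered pair of ports -> whether they can communicate at Layer 2."""
    names = sorted(p.ports)
    return {(a, b): p.can_talk(a, b) for a in names for b in names if a < b}


if __name__ == "__main__":
    for (a, b), ok in reachability(sample_pvlan()).items():
        print(f"{a:>6} <-> {b:<6} {'allowed' if ok else 'blocked'}")
```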

Question 1

Explanation

Before configuring private VLANs, we must set VTP mode to transparent because VTP version 1 and 2 do not support private VLAN (VTP version 3 does support PVLAN). Notice that a switch in VTP transparent mode still forwards other VTP updates to its neighbors.

Question 2

Explanation

There are three types of ports in PVLAN:

* Isolated: can only communicate with promiscuous ports. Notice that it cannot even communicate with another isolated port. Also, there can be only 1 isolated VLAN per PVLAN.
* Promiscuous: can communicate with all other ports. The default gateway is usually connected to this port so that all devices in the PVLAN can go outside.
* Community: can communicate with other members of that community and with promiscuous ports, but cannot communicate with other communities. There can be multiple community VLANs per PVLAN.

Question 3

Explanation

An isolated VLAN is a secondary VLAN and it can only communicate with the promiscuous port. Also, there can be only 1 isolated VLAN per PVLAN (although this isolated VLAN can be assigned to many ports, those ports cannot communicate with each other).

Question 4

Explanation

Promiscuous port: can communicate with all other ports. The default gateway is usually connected to this port so that all devices in PVLAN can go outside.

Question 5

Explanation

The default gateway is usually connected to promiscuous port so that all devices in PVLAN can go outside.

HSRP Questions

April 12th, 2015 certprepare 33 comments

If you are not sure about HSRP, please read our HSRP tutorial.

Question 1

Explanation

The “standby track” command allows you to specify another interface on the router for the HSRP process to monitor in order to alter the HSRP priority for a given group. If the line protocol of the specified interface goes down, the HSRP priority is reduced. This means that another HSRP router with a higher priority can become the active router if that router has standby preempt enabled. An example of using this command is shown below:

interface Ethernet0
ip address 171.16.6.5 255.255.255.0
standby 1 ip 171.16.6.100
standby 1 priority 105
standby 1 preempt
standby 1 track Serial0

Question 2

Question 3

Explanation

The default decrement priority value of HSRP is 10 so 1,5,20 are wrong values -> B, C and D are not correct.

In “standby 1 track 100” command, “100” is the tracked object number, not the decrement value. Here we don’t specify a decrement value so the default value will be used -> Answer A is correct. An example of configuring tracked object number with HSRP is shown below:

Switch(config)# track 100 interface GigabitEthernet 0/0/0 line-protocol
Switch(config-track)#exit
Switch(config)#interface GigabitEthernet 0/0/0
Switch(config-if)# standby 1 track 100

If you want to specify a decrement value, use the “standby 1 track 100 decrement” command with the desired value instead.

Question 4

Explanation

The configuration of many hundreds of subinterfaces on the same physical interface, with each subinterface having its own HSRP group, can cause the processes of negotiation and maintenance of multiple HSRP groups to have a detrimental impact on network traffic and CPU utilization.

Only one HSRP group is required on a physical interface for the purposes of electing active and standby devices. This group is known as the master group. Other HSRP groups may be created on each subinterface and linked to the master group via the group name. These linked HSRP groups are known as client or slave groups.

The HSRP group state of the client groups follows that of the master group. Client groups do not participate in any sort of device election mechanism.

Client groups send periodic messages in order to refresh their virtual MAC addresses in switches and learning bridges. The refresh message may be sent at a much lower frequency compared with the protocol election messages sent by the master group.

The standby follow command configures an HSRP group to become an IP redundancy client of another HSRP group.
Client or slave groups must be on the same physical interface as the master group.
A client group takes its state from the master group it is following. Therefore, the client group does not use its timer, priority, or preemption settings. A warning is displayed if these settings are configured on a client group.

The following example shows how to configure HSRP group 2 as a client to the HSRP1 master group:
Router(config-if)# standby 2 follow HSRP1

Reference:
+ http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-mt/fhp-15-mt-book/fhp-hsrp-mgo.html
+ http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/command/fhp-cr-book/fhp-s2.html#wp6905113930

Question 5

Question 6

Question 7

Explanation

From the output, we learn that the “Standby router is unknown”, so we can conclude R2 cannot see other HSRP routers in this group. The problem can be a spanning-tree loop or an HSRP misconfiguration (for example, another router is configured with the virtual IP address 10.10.1.1 but in a different HSRP group). But from the error message we see that R2 can still communicate via its Fa1/0, so the problem may not be a spanning-tree loop.

HSRP Hotspot

April 11th, 2015 certprepare 70 comments

Question


For your information, the “show running-config” commands are posted below for your reference but please notice in the exam you have to issue this command to get the output:

DSW1#show running-config

interface Vlan101
 ip address 192.168.101.1 255.255.255.0
 standby 1 ip 192.168.101.254
 standby 1 priority 200
 standby 1 track GigabitEthernet1/0/1 55
!
interface Vlan102
 ip address 192.168.102.1 255.255.255.0
 standby 2 ip 192.168.102.254
 standby 2 priority 200
 standby 2 preempt
 standby 2 track GigabitEthernet1/0/1 5
!
interface Vlan103
 ip address 192.168.103.1 255.255.255.0
 standby 3 ip 192.168.103.254
 standby 3 priority 200
 standby 3 preempt
 standby 3 track GigabitEthernet1/0/1
!
interface Vlan104
 ip address 192.168.104.1 255.255.255.0
 standby 4 ip 192.168.104.254
 standby 4 priority 150
 standby 4 preempt
 standby 4 track GigabitEthernet1/0/1 1
!
interface Vlan105
 ip address 192.168.105.1 255.255.255.0
 standby 5 ip 192.168.105.254
 standby 5 priority 150
 standby 5 preempt
 standby 5 track GigabitEthernet1/0/1 55

DSW2#show running-config

interface Vlan101
 ip address 192.168.101.2 255.255.255.0
 standby 1 ip 192.168.101.254
 standby 1 priority 150
 standby 1 preempt
 standby 1 track GigabitEthernet1/0/1
!
interface Vlan102
 ip address 192.168.102.2 255.255.255.0
 standby 2 ip 192.168.102.254
 standby 2 priority 190
 standby 2 preempt
 standby 2 track GigabitEthernet1/0/1
!
interface Vlan103
 ip address 192.168.103.2 255.255.255.0
 standby 3 ip 192.168.103.254
 standby 3 priority 190
 standby 3 preempt
 standby 3 track GigabitEthernet1/0/1 50
!
interface Vlan104
 ip address 192.168.104.2 255.255.255.0
 standby 4 ip 192.168.104.254
 standby 4 priority 200
 standby 4 preempt
 standby 4 track GigabitEthernet1/0/1 55
!
interface Vlan105
 ip address 192.168.105.2 255.255.255.0
 standby 5 ip 192.168.105.254
 standby 5 preempt
 standby 5 track GigabitEthernet1/0/1
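
The HSRP election for the two configurations above, as an added example (not the page's code). It applies the rules from Questions 1 and 3: default priority 100 when no priority line is present, default track decrement 10, and takeover only by a router with “standby N preempt”. It assumes the usual tiebreaker that the higher interface IP address wins when priorities are equal, and that each switch tracks its own GigabitEthernet1/0/1.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

DEFAULT_PRIORITY = 100    # used when no 'standby N priority' line is present
DEFAULT_DECREMENT = 10    # used when 'standby N track <if>' gives no decrement


@dataclass
class Standby:
    """One router's 'standby N ...' lines for a single HSRP group."""
    router: str
    ip: IPv4Address                    # the interface IP, used as tiebreaker
    priority: int = DEFAULT_PRIORITY
    preempt: bool = False
    track: Optional[str] = None        # tracked interface, e.g. "DSW1:Gi1/0/1"
    decrement: int = DEFAULT_DECREMENT

    def effective_priority(self, down: set) -> int:
        if self.track is not None and self.track in down:
            return max(0, self.priority - self.decrement)
        return self.priority


def rank(s: Standby, down: set):
    """Higher priority wins; assumption: equal priority -> higher IP wins."""
    return (s.effective_priority(down), s.ip)


def elect(members, down: set, current: Optional[str] = None) -> str:
    """Active router for one group.

    With no current active router (initial election) the best rank wins.
    Otherwise the current router keeps the role unless a better-ranked router
    has 'standby N preempt': a drop in the active router's own priority never
    makes it give up the role by itself.
    """
    best = max(members, key=lambda s: rank(s, down))
    if current is None or best.router == current or best.preempt:
        return best.router
    return current


def _m(router, vlan, priority=DEFAULT_PRIORITY, preempt=False, decrement=DEFAULT_DECREMENT):
    """Build one member; every group in both configs tracks its own Gi1/0/1."""
    octet = 1 if router == "DSW1" else 2
    return Standby(router, IPv4Address(f"192.168.{vlan}.{octet}"), priority, preempt,
                   f"{router}:Gi1/0/1", decrement)


# Transcribed from the two 'show running-config' outputs above (group = VLAN - 100).
GROUPS = {
    1: [_m("DSW1", 101, 200, False, 55), _m("DSW2", 101, 150, True)],
    2: [_m("DSW1", 102, 200, True, 5),   _m("DSW2", 102, 190, True)],
    3: [_m("DSW1", 103, 200, True),      _m("DSW2", 103, 190, True, 50)],
    4: [_m("DSW1", 104, 150, True, 1),   _m("DSW2", 104, 200, True, 55)],
    5: [_m("DSW1", 105, 150, True, 55),  _m("DSW2", 105, preempt=True)],
}


def steady_state() -> dict:
    """Active router per group with every tracked interface up."""
    return {g: elect(m, set()) for g, m in GROUPS.items()}


def after_failure(down: set) -> dict:
    """Active router per group once the interfaces in `down` have failed."""
    before = steady_state()
    return {g: elect(m, down, before[g]) for g, m in GROUPS.items()}


def after_recovery(down: set) -> dict:
    """Active router per group after those interfaces fail and then come back up."""
    failed = after_failure(down)
    return {g: elect(m, set(), failed[g]) for g, m in GROUPS.items()}


if __name__ == "__main__":
    print("all links up:        ", steady_state())
    print("DSW1 Gi1/0/1 down:   ", after_failure({"DSW1:Gi1/0/1"}))
    print("DSW1 Gi1/0/1 back up:", after_recovery({"DSW1:Gi1/0/1"}))
```

Group 1 shows the point of Question 1: once DSW2 has taken over, DSW1 cannot reclaim the group after its link recovers because it has no “standby 1 preempt” line.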


VRRP Questions

April 9th, 2015 certprepare 11 comments

Question 1

Explanation

Unlike HSRP or GLBP, VRRP is an open standard.

Question 2

Explanation

In VRRP, the active router is referred to as the master virtual router.

GLBP Questions

April 6th, 2015 certprepare 10 comments

Note: If you are not sure about GLBP, please read our GLBP tutorial.

Question 1

Explanation

The error message indicates a possible Layer 2 loop or STP configuration issue. Notice that the “duplicate address” here means the MAC address.

In order to resolve this issue, issue the show interface command to verify the MAC address of the interface. If the MAC address of the interface is the same as the one reported in the error message, this router is receiving its own hello packets. Verify the spanning-tree topology and check whether there is a Layer 2 loop. If the interface MAC address is different from the one reported in the error message, some other device with that MAC address is causing this error message.

Reference: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/81565-glbp-cat65k.html#dr

Question 2

Explanation

The active virtual gateway (AVG) is responsible for answering the ARP Request for the virtual IP address. Load sharing is achieved by the AVG replying to the ARP requests with different virtual MAC addresses.

Question 3

Explanation

A GLBP group has a maximum of four AVFs (meaning four virtual MAC addresses). If there are more than 4 gateways in a GLBP group, the rest become Standby Virtual Forwarders (SVFs), which take the place of an AVF in case of failure.

SPAN Questions

April 3rd, 2015 certprepare 38 comments

Question 1

Explanation

We can add the “monitor session 1 filter vlan 10” command to limit the monitored traffic to VLAN 10 only.

Question 2

Explanation

The network engineer is connecting to the Distribution switch but he wants to monitor an access switch -> remote SPAN must be used. An example of configuring remote SPAN which uses vlan 40 is shown below:

Access-Switch(config)# monitor session 1 source interface FastEthernet 0/1
Access-Switch(config)# monitor session 1 destination remote vlan 40
Distribution-Switch(config)#monitor session 2 source remote vlan 40
Distribution-Switch(config)# monitor session 2 destination interface FastEthernet 0/5

Question 3

Explanation

This command limits the monitored traffic to VLANs 1 to 8, 39 and 52 only.

Question 4

Explanation

From the output we see the status of gi0/12 is “monitoring”. It means this port is currently the destination of a SPAN session.

Question 5

Explanation

This is how to configure Remote SPAN (RSPAN) feature on two switches. Traffic on FastEthernet0/1 of Switch 1 will be sent to Fa0/10 of Switch2 via VLAN 40.

+ Configure on both switches
Switch1,2(config)#vlan 40
Switch1,2(config-vlan)#remote-span
+ Configure on Switch1
Switch1(config)# monitor session 1 source interface FastEthernet 0/1
Switch1(config)# monitor session 1 destination remote vlan 40
+ Configure on Switch2
Switch2(config)#monitor session 5 source remote vlan 40
Switch2(config)# monitor session 5 destination interface FastEthernet 0/10

So without the “remote-span” command on both switches, RSPAN cannot work properly.

Question 6

Explanation

The first command points out the source interface and the direction to be monitored, which is Gi0/4 and inbound traffic (rx) in this case. The second command tells our device to monitor only VLAN 3 running on Gi0/4 (notice that Gi0/4 is a trunk link). The last command requests monitored traffic to be sent to the destination port Gi0/5.

Question 7

Explanation

A source port can be monitored by several SPAN sessions, but a destination port can be used by one session only. A destination port or a reflector port does not participate in STP while its SPAN session is active.

For more limitations of configuring SPAN please visit this link: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/system_management/configuration/guide/sm_nx_os_cg/sm_14span.html#wp1239658

Question 8

Explanation

From the outputs we learn that SPAN session 1 is incomplete because only the source is configured:

monitor session 1 source remote vlan 50

-> It needs to specify the destination port

while SPAN session 2 is configured correctly with source and destination ports:

monitor session 2 source interface fa0/14 (both)
monitor session 2 destination interface fa0/15

HSRP Sim

March 10th, 2015 certprepare 973 comments

Refer to the topology below. R1 and R2 are configured to run HSRP. The network administrator wants to ask you about how HSRP operates in the event of a device failure.

HSRP_Topology.jpg


AAA Questions

March 6th, 2015 certprepare 34 comments

Question 1

Explanation

AAA security provides the following services:
+ Authentication – Identifies users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol that you select, encryption.
Authentication is the process of verifying the identity of the person or device accessing the Cisco NX-OS device, which is based on the user ID and password combination provided by the entity trying to access the Cisco NX-OS device. Cisco NX-OS devices allow you to perform local authentication (using the local lookup database) or remote authentication (using one or more RADIUS or TACACS+ servers).
+ Authorization – Provides access control.
AAA authorization is the process of assembling a set of attributes that describe what the user is authorized to perform. Authorization in the Cisco NX-OS software is provided by attributes that are downloaded from AAA servers. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights with the appropriate user.
+ Accounting – Provides the method for collecting information, logging the information locally, and sending the information to the AAA server for billing, auditing, and reporting.

In conclusion, authorization specifies which resources the users are allowed to access.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_aaa.html

Question 2

Explanation

In the “aaa authentication login login radius local” command, the first “login” is a keyword: the list authenticates users who want EXEC access to the device (tty, vty, console and aux lines). The second “login” is the list name. The “radius local” part lists the methods in order: RADIUS is tried first, and only if no RADIUS server replies does the switch fall back to the local user database. A reject from the RADIUS server ends the attempt; it does not fall through to the local database.

Question 3

Question 4

Explanation

Method lists are specific to the authorization type requested:
+ Auth-proxy – Applies specific security policies on a per-user basis. For detailed information on the authentication proxy feature, refer to the chapter “Configuring Authentication Proxy” in the “Traffic Filtering and Firewalls” part of the Cisco IOS security configuration guide.
+ Commands – Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level.
+ EXEC – Applies to the attributes associated with a user EXEC terminal session.
+ Network – Applies to network connections. This can include a PPP, SLIP, or ARAP connection.
+ Reverse Access – Applies to reverse Telnet sessions.

When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed. The only exception is the default method list (which is named “default”). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, local authorization takes place by default.

Question 5

Explanation

For 802.1x port-based authentication, the Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco Secure Access Control Server version 3.0. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html)

Question 6

Explanation

The console port is authenticated with NO_AUTH list. But this list does not contain any authentication method (it uses “none”) so no authentication is required when connecting to the console port.

Question 7

Explanation

The VTY lines can be accessed via Telnet and SSH by default. They are authenticated by the “default” list, which is defined with the “aaa authentication login default group radius local line” command. Therefore users who access via Telnet or SSH are authenticated via RADIUS first, then the local database and finally the line (VTY) password. Each later method is used only when the earlier one returns an error (for example, no RADIUS server responds); a rejected password ends the attempt without trying the next method.

Note: The “group” keyword provides a way to group existing server hosts. The feature allows the user to select a subset of the configured server hosts and use them for a particular service. Therefore “group radius” here means “the configured RADIUS servers” (a named group such as “group MYSERVERS” would mean a chosen subset of them).

Question 8

Explanation

You can configure port security and 802.1X on the same interfaces. Port security secures the MAC addresses that 802.1X authenticates. 802.1X processes packets before port security processes them, so when you enable both on an interface, 802.1X is already preventing inbound traffic on the interface from unknown MAC addresses.

When you enable 802.1X and port security on the same interface, port security continues to learn MAC addresses by the sticky or dynamic method, as configured. Additionally, depending on whether you enable 802.1X in single-host mode or multiple-host mode, one of the following occurs:
+ Single host mode—Port security learns the MAC address of the authenticated host.
+ Multiple host mode—Port security drops any MAC addresses learned for this interface by the dynamic method and learns the MAC address of the first host authenticated by 802.1X.

If a MAC address that 802.1X passes to port security would violate the applicable maximum number of secure MAC addresses, the device sends an authentication failure message to the host.

The device treats MAC addresses authenticated by 802.1X as though they were learned by the dynamic method, even if port security previously learned the address by the sticky or static methods. If you attempt to delete a secure MAC address that has been authenticated by 802.1X, the address remains secure.

If the MAC address of an authenticated host is secured by the sticky or static method, the device treats the address as if it were learned by the dynamic method, and you cannot delete the MAC address manually.

Port security integrates with 802.1X to reauthenticate hosts when the authenticated and secure MAC address of the host reaches its port security age limit.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_portsec.html#wp1258157
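The method lists discussed in Questions 2, 4, 6 and 7, together with the 802.1X and port-security combination of Questions 5 and 8, collected into one IOS 15 configuration. This is an added example, not configuration from the original page; the server name ISE-1, its address 192.0.2.10, the group name RAD-ADMIN, the local account, the interface and every secret are placeholders.

```cisco
aaa new-model
!
! RADIUS server definition (name, address and key are placeholders)
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key Replace-Me-Before-Use
!
! A named group selects a subset of the configured servers; "group radius" would
! mean every RADIUS server defined on the switch
aaa group server radius RAD-ADMIN
 server name ISE-1
!
! Login method lists. The next method is tried only when the previous one returns
! an ERROR (no server answered). A REJECT from RADIUS ends the attempt; it never
! falls through to the local database or the line password.
aaa authentication login default group RAD-ADMIN local line
aaa authentication login NO_AUTH none
! 802.1X supplicants are authenticated with EAP carried over RADIUS
aaa authentication dot1x default group RAD-ADMIN
!
! Authorization method lists are per authorization type (exec, commands, network...).
! Command authorization needs TACACS+, so only exec authorization is shown here.
aaa authorization exec default group RAD-ADMIN local if-authenticated
!
username admin privilege 15 secret Replace-Me-Too
!
! Console uses the NO_AUTH list as in Question 6: no credentials are asked for.
! Fine in a lab; in production keep the default list so physical access is still checked.
line console 0
 login authentication NO_AUTH
line vty 0 4
 login authentication default
 password Line-Fallback-Only
 transport input ssh
!
! 802.1X and port security on the same access port (Question 8): 802.1X sees the
! frames first, port security then secures the MAC address that 802.1X admitted
dot1x system-auth-control
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication host-mode single-host
 dot1x pae authenticator
 switchport port-security
!
! Check the RADIUS path from the switch itself, without risking a lockout
do test aaa group RAD-ADMIN admin Replace-Me-Too new-code
do show aaa servers
```

Keep an existing SSH session open while changing the default list; a typo in it locks every VTY line at the same time, and the open session is then the only way back in.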

Port Security

March 6th, 2015 certprepare 28 comments

Question 1

Explanation

The “sticky” keyword in switchport port-security mac-address sticky command converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses and adds to the running configuration.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swtrafc.html)

Question 2

Explanation

Port security can be enabled on both access and static trunk ports. An example of configuring port security on a static trunk port is shown below:

Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport port-security

We cannot configure port security on a dynamic interface. For example we will see an error when try it:

Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport
Switch(config-if)# switchport mode dynamic desirable
Switch(config-if)# switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.

Question 3

Explanation

When a port security violation is detected, the switch automatically places the port in the “err-disabled” shutdown state. The “errdisable recovery cause psecure-violation” command brings a secure port out of error-disabled state.

Note: There is a similar command: “errdisable recovery cause security-violation” but it recovers a port from 802.1x violation disable state.

Question 4

Explanation

When a port security violation is detected, the switch automatically places the port in the “err-disabled” shutdown state.

Question 5

Explanation

If any one of the errdisable recovery conditions is enabled, the ports with this condition are reenabled after 300 seconds. You can also change this default of 300 seconds if you issue this command:

Switch(config)#errdisable recovery interval timer_interval_in_seconds

Question 6

Explanation

A sticky MAC address can be learned automatically or configured manually. When it is dynamically learned, the MAC address is automatically entered into the running configuration as a static MAC address; the address is then kept in the running configuration until a reboot. On reboot, the MAC address will be lost; if we want to keep the MAC address after a reboot, we need to save the running config (with the command copy running-config startup-config)

To turn on sticky feature on a switch, use the switchport port-security mac-address sticky command. When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky MAC addresses.

Question 7

Explanation

By default, port security is not enabled on any interface of a switch. To enable the feature, use the “switchport port-security” command under interface configuration mode.
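A complete access-port configuration covering Questions 1 to 7 of this section, as an added example that is not taken from the original page; FastEthernet0/5 and VLAN 10 are assumed values:

```cisco
! Recover ports shut by a port-security violation automatically; 300 s is the
! default interval, written out so it can be tuned
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
interface FastEthernet0/5
 description user access port
! a static access (or trunk) port: port security is rejected on dynamic DTP ports
 switchport mode access
 switchport access vlan 10
 switchport port-security
! one IP phone plus one PC
 switchport port-security maximum 2
! shutdown is the default: the port goes err-disabled and logs the violation.
! "restrict" would drop offending frames and count them but keep the port up.
 switchport port-security violation shutdown
! learned addresses are converted to sticky entries in the running configuration
 switchport port-security mac-address sticky
!
! Sticky addresses survive a reload only if the running configuration is saved
do copy running-config startup-config
!
do show port-security interface FastEthernet0/5
do show port-security address
do show errdisable recovery
```

To clear a port that was err-disabled before the recovery timer fires, issue shutdown followed by no shutdown on the interface; the violation counter and the last offending MAC address are visible in the first show command above.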

DHCP Snooping

March 6th, 2015 certprepare 59 comments

Quick review of DHCP Spoofing:

DHCP_Spoofing_Attack.jpg

DHCP spoofing is an attack in which the attacker listens for DHCP requests from clients and answers them with a forged DHCP reply before the reply from the authorized DHCP server reaches the client. The forged reply usually hands out the attacker's own IP address as the client's default gateway -> all traffic sent from the client goes through the attacker's machine, and the attacker becomes a “man-in-the-middle”.

The attacker has several ways to make sure the forged reply arrives first. If the attacker is “closer” to the client than the legitimate DHCP server, nothing special is needed. Otherwise the attacker can DoS the DHCP server so that it cannot send its reply at all.

DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.

DHCP_Spoofing_Attack_Trust_Untrust_Ports.jpg

Only ports that connect to an authorized DHCP server are trusted and allowed to send all types of DHCP messages. All other ports on the switch are untrusted and may send only DHCP client messages (requests). If a DHCP server reply is seen on an untrusted port, it is discarded and the port can be shut down (placed in err-disabled state).

Question 1

Explanation

To retain the bindings across switch reloads, you must use the DHCP snooping database agent. Without this agent, the bindings established by DHCP snooping are lost upon switch reload. Connectivity is lost as well.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dhcp.html#wp1090370

Question 2

Explanation

A static DHCP snooping binding defines a mapping between a fixed IP address and the client’s MAC address. Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host. A static entry is added from privileged EXEC mode (not configuration mode); the “expiry” value is the lease time in seconds:

Switch#ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface expiry seconds

Question 3

Explanation

IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host’s IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.

Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host’s ability to attack the network by claiming a neighbor host’s IP address.

Therefore if the switch receives a packet that does not match any entries found in the DHCP binding database, that packet is assumed to be spoofed and will be discarded.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/ipsrcgrd.html

Question 4

Explanation

The command “ip verify source port-security” enables IP source guard with source IP and MAC address filtering. When using this command, there are two caveats:
+ The DHCP server must support option 82, or the client is not assigned an IP address.
+ The MAC address in the DHCP packet is not learned as a secure address. The MAC address of the DHCP client is learned as a secure address only when the switch receives non-DHCP data traffic.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_53_se/configuration/guide/2960scg/swdhcp82.html

Question 5

Explanation

The following restrictions apply to IP source guard:
+ Supported only on ingress Layer 2 ports (including access and trunk ports)
+ Supported only in hardware; not applied to any traffic that is processed in software.
+ Does not support filtering of traffic based on MAC address.
+ Is not supported on private VLANs.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/ip_source_guard.pdf

Question 6

Explanation

The DHCP snooping binding database contains information about untrusted hosts with leased IP addresses. Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, the VLAN number and interface information associated with the host.

Question 7

Explanation

The port connected to a DHCP server should be configured as trusted port with the “ip dhcp snooping trust” command. Other ports connecting to hosts are untrusted ports by default.

Question 8

Explanation

DHCP snooping database contains MAC address-to-IP address bindings which Dynamic ARP Inspection (DAI) uses to determine the validity of an ARP packet.

Question 9

Explanation

When IP Source Guard with source IP filtering is enabled on an untrusted interface, DHCP snooping must be enabled because it filters traffic based on IP information stored in the corresponding DHCP binding table entry.

Question 10

Explanation

The function of DAI is:

+ Intercepts all ARP requests and responses on untrusted ports
+ Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
+ Drops invalid ARP packets

On untrusted ports, the switch captures all ARP packets (both request and reply) and then validates the Source Protocol and Source Hardware address values against the snooping table database for that port.
If the MAC address and IP address and the corresponding port do not match the snooping database entry, the ARP packets are dropped. DAI thus prevents the node from specifying a non-legitimate IP-MAC address binding which differs from what was given by the DHCP server.

Question 11

Explanation

The DHCP snooping database stores at least 8,000 bindings.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html
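The DHCP snooping, IP Source Guard and Dynamic ARP Inspection pieces from Questions 1 to 10 above, combined into one IOS configuration for an access switch. This is an added example and not configuration from the original page; VLANs 10 and 20, the interface numbers, the flash filename and the static binding values are assumptions.

```cisco
! DHCP snooping: enable globally, then per VLAN. Every port is untrusted by default.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Question 1: persist the binding table so it survives a reload (local flash here;
! tftp: and ftp: URLs also work)
ip dhcp snooping database flash:/dhcp-snooping.db
ip dhcp snooping database write-delay 30
! Option 82 insertion is on by default; turn it off unless the DHCP server expects it
no ip dhcp snooping information option
!
! Questions 8 and 10: DAI checks ARP on the same VLANs against the snooping bindings
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! Question 7: only the uplink toward the real DHCP server is trusted, for both features
interface GigabitEthernet1/0/1
 description uplink to distribution (path to the DHCP server)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Host port: untrusted by default. Rate-limit DHCP and ARP so a flooding host
! err-disables its own port, and add IP Source Guard (Questions 3 and 9)
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ip verify source
!
! Question 2: static binding for a host with a fixed address that never uses DHCP.
! This is a privileged EXEC command, hence "do"; expiry is the lease in seconds.
do ip dhcp snooping binding 0011.2233.4455 vlan 10 192.168.10.50 interface GigabitEthernet1/0/11 expiry 86400
!
do show ip dhcp snooping
do show ip dhcp snooping binding
do show ip verify source
do show ip arp inspection vlan 10
```

Order matters when rolling this out on a live switch: enable snooping and let the binding table fill (or restore it from the database agent) before turning on DAI and IP Source Guard. Hosts that obtained their lease before snooping was enabled have no binding, so IP Source Guard blocks their traffic and DAI drops their ARP until they renew.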

UDLD Questions

March 6th, 2015 certprepare 19 comments

Question 1

Explanation

UDLD is a Layer 2 protocol that enables devices connected through fiber-optic or twisted-pair Ethernet cables to monitor the physical configuration of the cables and detect when a unidirectional link exists. All connected devices must support UDLD for the protocol to successfully identify and disable unidirectional links. When UDLD detects a unidirectional link, it administratively shuts down the affected port and alerts you. Unidirectional links can cause a variety of problems, including spanning-tree topology loops.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-1_19_ea1/configuration/guide/3550scg/swudld.html#wp1019932

Question 2

Explanation

A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from the neighbor is not received by the local device.

UDLD supports two modes of operation: normal (the default) and aggressive. In normal mode, UDLD can detect unidirectional links due to misconnected interfaces on fiber-optic connections. In aggressive mode, UDLD can also detect unidirectional links due to one-way traffic on fiber-optic and twisted-pair links and to misconnected interfaces on fiber-optic links.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-1_19_ea1/configuration/guide/3550scg/swudld.html

Question 3

Explanation

When a unidirectional link occurs, UDLD can put the port into errdisable state (the same as shutdown). The administrator must then manually shut/no shut the interface to bring it back up. If we want the interface to recover automatically, configure errdisable recovery. For example:

errdisable recovery cause udld
errdisable recovery interval 30

With this configuration the port is placed back in the up state (out of err-disabled) after 30 seconds. If the unidirectional condition is still present, the port is placed in err-disabled state again; otherwise it stays up.

Question 4

Explanation

UDLD aggressive mode is disabled by default. Configure UDLD aggressive mode only on point-to-point links between network devices that support UDLD aggressive mode. With UDLD aggressive mode enabled, when a port on a bidirectional link that has a UDLD neighbor relationship established stops receiving UDLD packets, UDLD tries to reestablish the connection with the neighbor. After eight failed retries, the port is disabled.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/udld.html#wp1027627
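An added example, not from the original page, showing the normal/aggressive split from Questions 2 to 4 in configuration; GigabitEthernet1/0/24 is an assumed fibre uplink:

```cisco
! Global command: applies to fibre-optic ports only, in normal mode.
! "udld aggressive" instead would enable aggressive mode on all fibre ports.
udld enable
udld message time 7
!
! Per-interface command: required for twisted-pair ports and to override the
! global mode. Aggressive mode belongs only on point-to-point links whose
! neighbour also runs UDLD aggressive (Question 4).
interface GigabitEthernet1/0/24
 description fibre point-to-point link to core
 udld port aggressive
!
! Question 3: automatic recovery; without it the port needs a manual shut / no shut
errdisable recovery cause udld
errdisable recovery interval 30
!
do show udld neighbors
do show udld GigabitEthernet1/0/24
! bring back every port that UDLD err-disabled, without waiting for the timer
do udld reset
```

Enable aggressive mode on both ends of a link at the same change window: a port running aggressive mode that stops hearing from a neighbour still in normal mode will err-disable itself after the eight retries described above.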

Question 5

SDM Questions

March 6th, 2015 certprepare 22 comments

Question 1

Explanation

SDM templates are used to configure system resources in the switch to optimize support for specific features, depending on how the switch is used in the network. You can select a template to provide maximum system usage for some functions or use the default template to balance resources.

To allocate ternary content addressable memory (TCAM) resources for different usages, the switch SDM templates prioritize system resources to optimize support for certain features. You can select SDM templates to optimize these features:
+ Access – The access template maximizes system resources for access control lists (ACLs) to accommodate a large number of ACLs.
+ Default – The default template gives balance to all functions.
+ Routing – The routing template maximizes system resources for IPv4 unicast routing, typically required for a router or aggregator in the center of a network.
+ VLANs – The VLAN template disables routing and supports the maximum number of unicast MAC addresses. It would typically be selected for a Layer 2 switch.

In addition, the dual IPv4 and IPv6 templates enable a dual stack environment.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swsdm.html

Question 2

Explanation

The VLAN template disables routing and supports the maximum number of unicast MAC addresses. It would typically be selected for a Layer 2 switch.

Question 3

Explanation

The VLAN template disables routing and supports the maximum number of unicast MAC addresses. It would typically be selected for a Layer 2 switch.

Question 4

Explanation

The VLAN template disables routing and supports the maximum number of unicast MAC addresses. It would typically be selected for a Layer 2 switch only. But in this case the switch is also used for routing. Because the VLAN template allocates no TCAM resources to routing, any routing the switch performs is done in software by the CPU, seriously impacting switch performance and causing the CPU of the switch to spike, especially during peak hours.
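The fix for the situation in Question 4, as an added example that is not from the original page. A 3750-class switch that routes should not run the vlan template, and a template change only takes effect after a reload:

```cisco
! Inspect the template in use; a pending template is listed as taking effect at next reload
show sdm prefer
!
configure terminal
! IPv4-only routing switch: replace the vlan template with the routing template
sdm prefer routing
! In a dual-stack network use one of the dual templates instead, which split TCAM
! between IPv4 and IPv6:
! sdm prefer dual-ipv4-and-ipv6 routing
end
!
! TCAM is re-partitioned only at boot, so save and reload in a maintenance window
copy running-config startup-config
reload
```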

StackWise Questions

March 6th, 2015 certprepare 19 comments

Question 1

Explanation

The switches are united into a single logical unit using special stack interconnect cables that create a bidirectional closed-loop path. This bidirectional path acts as a switch fabric for all the connected switches. Network topology and routing information is updated continuously through the stack interconnect. All stack members have full access to the stack interconnect bandwidth. The stack is managed as a single unit by a master switch, which is elected from one of the stack member switches.

Each switch in the stack has the capability to act as master or as a subordinate (member) in the hierarchy. The master switch is elected and serves as the control center for the stack. Both the master and the member switches act as forwarding processors. Each switch is assigned a number. Up to nine separate switches can be joined together. Switches can be added to and removed from the stack without affecting stack performance.

Reference: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3750-series-switches/prod_white_paper09186a00801b096a.html

Question 2

Explanation

When we add a new switch to an existing switch stack, the election will take place automatically to choose a master switch. We don’t have to configure anything on the newly added switch. In the case you want the newly added switch to become the master, use this command then reload it:

switch(config)# switch 1 priority 15

Note: Turn off the switch before connecting the stackwise cables. Only turn it on after finishing connecting stackwise cables.

Question 3

Explanation

The picture below shows how StackWise cables are connected between switches:

stack_wise.jpg

When the stackwise cables are fully connected (as shown above), the stack ring speed is 32Gbps full-duplex. To efficiently load balance the traffic, the stackwise cables function bi-directionally with two 16 Gbps counter-rotating rings. It means packets are allocated between two logical counter-rotating paths. Each counter-rotating path supports 16 Gbps in both directions, yielding a traffic total of 32 Gbps bidirectionally.

A break in any one of the cables will result in the stack bandwidth being reduced to half (16 Gbps) of its full capacity.

Question 4

Question 5

Explanation

Subordinate switches keep their own spanning trees for each VLAN that they support. The master switch keeps a copy of all spanning tree tables for each VLAN in the stack. When a new VLAN is added or removed, all the existing switches will receive a notification of this event and update their tables accordingly.

Reference: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3750-series-switches/prod_white_paper09186a00801b096a.html

Miscellaneous Questions

March 6th, 2015 certprepare 48 comments

Question 1

Explanation

Nonstop Forwarding (NSF) works with Stateful switchover (SSO) to minimize the amount of time a network is unavailable to its users following a switchover. The main objective of Cisco NSF is to continue forwarding IP packets following a route processor (RP) switchover.

Usually, when a networking device restarts, all routing peers of that device detect that the device went down and then came back up. This transition results in what is called a routing flap, which could spread across multiple routing domains. Routing flaps caused by routing restarts create routing instabilities, which are detrimental to the overall network performance. Cisco NSF helps to suppress routing flaps in SSO-enabled devices, thus reducing network instability.

Cisco NSF allows for the forwarding of data packets to continue along known routes while the routing protocol information is being restored following a switchover. With Cisco NSF, peer networking devices do not experience routing flaps. Data traffic is forwarded through intelligent line cards while the standby RP assumes control from the failed active RP during a switchover. The ability of line cards to remain up through a switchover and to be kept current with the Forwarding Information Base (FIB) on the active RP is key to Cisco NSF operation.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/nonstop_forwarding.html#wp1102552

Question 2

Explanation

VSLs can be configured with up to eight links between the two switches across any combination of line cards or supervisor ports to provide a high level of redundancy. If for some rare reason all Virtual Switching Link (VSL) connections are lost between the virtual switch members leaving both the virtual switch members up, the VSS will transition to the dual active recovery mode.

In the dual active recovery mode, all interfaces except the VSL interfaces are in an operationally shut down state in the formerly active virtual switch member. The new active virtual switch continues to forward traffic on all links.

Reference: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-virtual-switching-system-1440/prod_qas0900aecd806ed74b.html

Question 3

Explanation

If for some rare reason all Virtual Switching Link (VSL) connections are lost between the virtual switch members leaving both the virtual switch members up, the VSS will transition to the dual active recovery mode.

In the dual active recovery mode, all interfaces except the VSL interfaces are in an operationally shut down state in the formerly active virtual switch member. The new active virtual switch continues to forward traffic on all links.

Reference: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-virtual-switching-system-1440/prod_qas0900aecd806ed74b.html

Question 4

Explanation

VSS increases operational efficiency by simplifying the network, reducing switch management overhead by at least 50 percent. This includes removing the need for Hot Standby Router Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP), and Gateway Load Balancing Protocol (GLBP) -> D is correct.

Reference: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-virtual-switching-system-1440/prod_qas0900aecd806ed74b.html

Question 5

Question 6

Explanation

If a BPDU is received on a port where BPDU guard is configured, that port is put into errdisable state (nearly the same as shutdown) immediately. BPDU guard is usually configured on PortFast-enabled edge ports to prevent an unauthorized switch from being connected there. As soon as such a switch sends a BPDU into the port, the port is err-disabled.
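An added example, not from the original page, of the BPDU guard deployment described above; FastEthernet0/7 is an assumed edge port:

```cisco
! Enable BPDU guard on every PortFast-enabled edge port in one step
spanning-tree portfast bpduguard default
! Let err-disabled ports come back on their own instead of waiting for shut / no shut
errdisable recovery cause bpduguard
errdisable recovery interval 60
!
interface FastEthernet0/7
 switchport mode access
 spanning-tree portfast
! explicit per-port enable; also works on ports without PortFast
 spanning-tree bpduguard enable
!
! The summary confirms the global BPDU guard default; the second command lists
! every port currently err-disabled together with the cause
do show spanning-tree summary
do show interfaces status err-disabled
```

If the port should stay up while the rogue BPDUs are simply ignored, BPDU filter is the alternative, but it also hides a real loop; for edge ports the err-disable behaviour of BPDU guard is the safer default.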

Question 7

Explanation

IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host’s IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/ipsrcgrd.html

Drag and Drop

March 1st, 2015 certprepare 61 comments

Question 1

Drag and drop the characteristic from the left to the matching Layer 2 protocol on the right.

CDP_LLDP.jpg

Answer:

CDP:
+ default time between protocol frames is 60 seconds
+ use multicast address 0100.0ccc.cccc
+ support IEEE 802.2 and 802.3 encapsulation

LLDP:
+ send topology change notification
+ use multicast address 01-80-C2-00-00-0E
+ default time between protocol frames is 30 seconds

VTPv3 Sim

February 11th, 2015 certprepare 305 comments

You have been asked to install and configure a new switch in a customer network. Use the console access to the existing and new switches to configure and verify correct device configuration.

VTP_Topology.jpg

Read more…

SWITCH FAQs & Tips

February 8th, 2015 certprepare 113 comments

In this article, I will try to summarize all the Frequently Asked Questions in the SWITCH 642-813 Exam. Hope it will save you some time searching through the Internet and asking your friends & teachers.

1. Please tell me how many questions in the real SWITCH exam, and how much time to answer them?

There are 45 questions, including 3 lab-sims. You have 120 minutes to answer them but if your native language is not English, Cisco allows you a 30-minute exam time extension.

2. How much does the SWITCH 300-115 cost? And how many points I need to pass the exam?

This exam costs $250. You need at least 790/1000 points to pass this exam.

3. I passed the SWITCH exam, will I get a certificate for it?

No, Cisco does not ship SWITCH Exam certificate, it only ships you a certificate after completing the full CCNP track of 3 exams (ROUTE, SWITCH & TSHOOT).

4. Which sims will I see in the SWITCH exam?

The popular sims now are LACP with STP Sim, HSRP Sim, AAAdot1x Lab Sim and please notice that the IP addresses, switch names may be different (it is also true for Drag and Drop questions)

5. How many points will I get for one sim?

Maybe you will get about 80 to 100 points for each sim, just like the CCNA exam.

6. In the real exam, I clicked “Next” after choosing the answer, can I go back for reviewing?

No, you can’t go back so you can’t re-check your answers after clicking the “Next” button.

7. I understand I will get CCNP certificate after completing 3 exams ROUTE, SWITCH and TSHOOT but can I take them in any order I like?

Yes, you can take these 3 exams in any order you like but the most popular “roadmap” is ROUTE then SWITCH and TSHOOT.

8. What are your recommended materials for SWITCH 642-813?

There are many options you can choose, but below are materials used and recommended by many candidates:

Books:

  • CCNP SWITCH 642-813 Official Certification Guide
  • CCNP SWITCH Portable Command Guide
  • SWITCH 642-813 Student Guide (Volume 1 & 2)
  • SWITCH 642-813 Quick Reference

Video Training:

  • CCNP SWITCH 642-813 CBT Nuggets
  • SWITCH 642-813 Cisco Video Mentor

 

9. Why don’t I see any questions and answers on certprepare.com? I only see the explanation…

Because of copyrighted issues, we had to remove all the questions and answers. You can download a PDF file to see the questions at this link http://www.certprepare.com/switch-questions-and-answers

Share your SWITCH v2.0 Experience

February 7th, 2015 certprepare 8,260 comments

Please share with us your materials, the way you learned, your feeling and experience after taking the SWITCH v2.0 exam… But please DO NOT share any information about the detail of the exam or your personal information, your score, exam date and location, your email…

Note: Posting email is not allowed in the comment section.

Your posts are warmly welcome!

Practice SWITCH Labs with Packet Tracer

May 17th, 2014 certprepare 79 comments

The title said it all. Below are the screenshots of the lab files

Real_MLS_EIGRP.jpg

 

REAL_STP_LACP.jpg

 

Files included:

+ MLS with EIGRP lab
+ LACP – STP Lab

Download these lab files from certprepare.com

Please say thanks to Jojo who created these lab-sims. Now you can practice with real SWITCH Lab questions.

Updated:

Ghost sent me a new version of these lab files (on Apr-30-2013) which include:

+ MLS with EIGRP lab
+ LACP – STP Lab
+ VTP Lab
+ VTP 2 lab
+ STP Lab

You can download it here and please say thanks to him:

Download new updated lab files from certprepare.com

Note: AAAdot1x sim is not supported in Packet Tracer so we can’t create one for you to practice.

LACP with STP Sim

May 17th, 2014 certprepare 2,244 comments

Question

You work for SWITCH.com. They have just added a new switch (SwitchB) to the existing network as shown in the topology diagram.

LACP_STP_topology.jpg

RouterA is currently configured correctly and is providing the routing function for devices on SwitchA and SwitchB. SwitchA is currently configured correctly, but will need to be modified to support the addition of SwitchB. SwitchB has a minimal configuration. You have been tasked with completing the needed configuration of SwitchA and SwitchB. SwitchA and SwitchB use Cisco as the enable password.

Configuration Requirements for SwitchA

– The VTP and STP configuration modes on SwitchA should not be modified.
– SwitchA needs to be the root switch for VLANs 11, 12, 13, 21, 22 and 23. All other VLANs should be left at their default values.

Configuration Requirements for SwitchB

– Vlan 21, Name: Marketing, will support two servers attached to fa0/9 and fa0/10
– Vlan 22, Name: Sales, will support two servers attached to fa0/13 and fa0/14
– Vlan 23, Name: Engineering, will support two servers attached to fa0/15 and fa0/16
– Access ports that connect to servers should transition immediately to the forwarding state upon detecting the connection of a device.
– SwitchB VTP mode needs to be the same as SwitchA.
– SwitchB must operate in the same spanning tree mode as SwitchA.
– No routing is to be configured on SwitchB.
– Only the SVI vlan 1 is to be configured and it is to use address 192.168.1.11/24.

Inter-switch Connectivity Configuration Requirements:

– For operational and security reasons trunking should be unconditional, and VLANs 1, 21, 22 and 23 should be tagged when traversing the trunk link.
– The two trunks between SwitchA and SwitchB need to be configured in a mode that allows for the maximum use of their bandwidth for all vlans. This mode should be done with a non-proprietary protocol, with SwitchA controlling activation.
– Propagation of unnecessary broadcasts should be limited using manual pruning on this trunk link.

Answer and Explanation:

Read more…
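A worked configuration for this sim, added here as an example; it is not the page's own answer. The topology diagram is not reproduced, so the trunk ports (Fa0/3 and Fa0/4 on both switches) and SwitchA's existing VTP and STP modes (shown below as transparent and rapid-pvst) are assumptions: read the real values from `show vtp status` and `show spanning-tree summary` on SwitchA before typing anything on SwitchB. The security requirements map to specific commands: `switchport mode trunk` with `switchport nonegotiate` makes the trunk unconditional and switches DTP off, `switchport trunk allowed vlan` is the manual pruning, and LACP (IEEE 802.3ad, not Cisco's PAgP) with SwitchA `active` and SwitchB `passive` gives SwitchA control over bringing the bundle up.

```cisco
! ===== SwitchA (its vtp mode and spanning-tree mode are left untouched) =====
enable
! enable password: Cisco
configure terminal
! Root bridge for the listed VLANs only; every other VLAN keeps the default priority
spanning-tree vlan 11,12,13,21,22,23 root primary
! Assumed trunk ports toward SwitchB: Fa0/3 and Fa0/4
interface range fastethernet 0/3 - 4
 ! needed only on platforms that also support ISL (e.g. 3560); a 2960 rejects it
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 1,21,22,23
 channel-group 1 mode active
 no shutdown
exit
! VLAN 1 is the native VLAN and would cross the trunk untagged by default;
! this global command tags native-VLAN frames too (omit if the platform rejects it)
vlan dot1q tag native
end
write memory

! ===== SwitchB =====
enable
configure terminal
! Match SwitchA: assumed transparent VTP and rapid-pvst STP (verify on SwitchA first)
vtp mode transparent
spanning-tree mode rapid-pvst
no ip routing
vlan 21
 name Marketing
vlan 22
 name Sales
vlan 23
 name Engineering
exit
! Server ports: fixed access mode (no DTP) and PortFast for immediate forwarding
interface range fastethernet 0/9 - 10
 switchport mode access
 switchport access vlan 21
 spanning-tree portfast
interface range fastethernet 0/13 - 14
 switchport mode access
 switchport access vlan 22
 spanning-tree portfast
interface range fastethernet 0/15 - 16
 switchport mode access
 switchport access vlan 23
 spanning-tree portfast
! The only SVI on SwitchB
interface vlan 1
 ip address 192.168.1.11 255.255.255.0
 no shutdown
! Trunk side: passive LACP, so SwitchA decides when the bundle activates
interface range fastethernet 0/3 - 4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 1,21,22,23
 channel-group 1 mode passive
 no shutdown
end
write memory
```

To check the result, `show etherchannel summary` on either switch should list Po1 as SU with Fa0/3 and Fa0/4 flagged P, `show interfaces trunk` should show only VLANs 1, 21, 22 and 23 allowed, and `show spanning-tree vlan 21` on SwitchA should report "This bridge is the root". If the port-channel refuses to form, the usual cause is a mismatch between the member ports (allowed VLAN list, mode, or speed/duplex) on one side.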

MLS and EIGRP Sim

May 17th, 2014 certprepare 153 comments

Question

You have been tasked with configuring multilayer SwitchC, which has a partial configuration and has been attached to RouterC as shown in the topology diagram.

You need to configure SwitchC so that hosts H1 and H2 can successfully ping the server S1. SwitchC also needs to be able to ping server S1. Due to administrative restrictions and requirements you should not add/delete VLANs, change VLAN port assignments or create trunk links. Company policies forbid the use of static or default routing. All routes must be learned via EIGRP (autonomous system 650).

You do not have access to RouterC; RouterC is correctly configured. No trunking has been configured on RouterC.
Routed interfaces should use the lowest host on a subnet when possible. The following subnets are available to implement this solution:
– 10.10.10.0/24
– 190.200.250.32/27
– 190.200.250.64/27
Hosts H1 and H2 are configured with the correct IP address and default gateway.
SwitchC uses Cisco as the enable password.
Routing must only be enabled for the specific subnets shown in the diagram.

EIGRP_MLS_sim.jpg

Answer and Explanation

Read more…
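A worked configuration for SwitchC, added here as an example and not the page's own answer. Because the diagram is not reproduced, the following are assumptions: H1 and H2 sit in an existing VLAN 2 on 190.200.250.32/27, SwitchC's Fa0/3 is the link to RouterC and carries 190.200.250.64/27, and S1 lives in 10.10.10.0/24 behind RouterC. "Lowest host on a subnet" gives SwitchC .33 and .65. The wildcard masks in the `network` statements restrict EIGRP to exactly the two connected subnets; 10.10.10.0/24 is not configured on SwitchC because it belongs to RouterC and must arrive as an EIGRP-learned route. The `passive-interface` line goes beyond the task: it stops EIGRP hellos from being sent into the host VLAN, so a host cannot form an adjacency and inject routes, and it is safe because no EIGRP neighbor is expected there. Do not make Fa0/3 passive, and do not enable EIGRP authentication, since RouterC cannot be changed and a mismatch would break the adjacency.

```cisco
enable
! enable password: Cisco
configure terminal
! A multilayer switch does not route between SVIs until IP routing is enabled
ip routing
! Assumed: H1 and H2 are in VLAN 2 (the VLAN already exists; none are added)
interface vlan 2
 ip address 190.200.250.33 255.255.255.224
 no shutdown
! Assumed: Fa0/3 is the uplink to RouterC; a routed port, not a trunk
interface fastethernet 0/3
 no switchport
 ip address 190.200.250.65 255.255.255.224
 no shutdown
router eigrp 650
 ! Wildcard masks enable EIGRP only on the two subnets in the diagram
 network 190.200.250.32 0.0.0.31
 network 190.200.250.64 0.0.0.31
 no auto-summary
 ! Hardening beyond the task: no hellos toward the host VLAN
 passive-interface vlan 2
end
write memory
! Verification
show ip eigrp neighbors
show ip route eigrp
```

After RouterC appears in `show ip eigrp neighbors`, `show ip route eigrp` should contain the S1 subnet as a D route via 190.200.250.64/27's far end; then ping S1's address from the diagram from SwitchC and from H1/H2. If the neighbor never forms, check that Fa0/3 is really `no switchport` (a routed port reports "Switchport: Disabled" in `show interfaces fastethernet 0/3 switchport`) and that the wildcard masks cover the interface addresses.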

VTP Lab 2

May 17th, 2014 certprepare 78 comments

Question

Answer and Explanation

Read more…

VTP Lab

May 17th, 2014 certprepare 62 comments

Question:

The headquarters offices for a book retailer are enhancing their wiring closets with Layer 3 switches. The new distribution-layer switch has been installed and a new access-layer switch cabled to it. Your task is to configure VTP to share VLAN information from the distribution-layer switch to the access-layer devices. Then, it is necessary to configure inter-VLAN routing on the distribution-layer switch to route traffic between the different VLANs that are configured on the access-layer switches; however, it is not necessary for you to make the specific VLAN port assignments on the access-layer switches. Also, because VLAN database mode is being deprecated by Cisco, all VLAN and VTP configurations are to be completed in global configuration mode. Please reference the following table for the VTP and VLAN information to be configured:

VTP_Lab.jpg

Requirements:

VTP domain name:  cisco
VLAN IDs:         20               21
IP addresses:     172.16.71.1/24   172.16.132.1/24

These are your specific tasks:

1. Configure the VTP information with the distribution layer switch as the VTP server
2. Configure the VTP information with the access layer switch as a VTP client
3. Configure VLANs on the distribution layer switch
4. Configure inter-VLAN routing on the distribution layer switch
5. Specific VLAN port assignments will be made as users are added to the access layer switches in the future.
6. All VLAN and VTP configurations are to be completed in global configuration mode. To configure a switch, click on the host icon that is connected to the switch by way of a serial console cable.

Answer and Explanation:


Read more…
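A worked configuration for both switches, added here as an example and not the page's own answer. It reads the table column-wise: VLAN 20 gets 172.16.71.1/24 and VLAN 21 gets 172.16.132.1/24, and it assumes the trunk between the two switches is already up. The `vtp password` lines are hardening beyond the task and the string is a placeholder; if you use one it must be identical on every switch in the domain or the client will silently ignore the server's advertisements. The operational caveat a practitioner checks before cabling a "new" switch into a VTP domain is its configuration revision number: any switch in the same domain with a higher revision, client or server, overwrites the VLAN database of the rest. `show vtp status` on the access switch should read revision 0; changing its domain name or toggling it through transparent mode resets the counter.

```cisco
! ===== Distribution-layer switch: VTP server and inter-VLAN routing =====
enable
configure terminal
! Domain names are case-sensitive; "cisco" must match exactly on the client
vtp domain cisco
vtp mode server
! Hardening beyond the task (placeholder value): same password on every switch
vtp password SwitchLab1
! VLANs created in global configuration, not in VLAN database mode
vlan 20
vlan 21
exit
! SVIs route only once IP routing is on
ip routing
interface vlan 20
 ip address 172.16.71.1 255.255.255.0
 no shutdown
interface vlan 21
 ip address 172.16.132.1 255.255.255.0
 no shutdown
end
write memory

! ===== Access-layer switch: VTP client (no VLANs typed here, they arrive via VTP) =====
enable
configure terminal
vtp domain cisco
vtp mode client
vtp password SwitchLab1
end
write memory
! Verify: revision number and VLAN count should match the server
show vtp status
show vlan brief
```

On the client, `show vlan brief` should list VLANs 20 and 21 without them ever being typed there; if it does not, compare the domain name, password and VTP version in `show vtp status` on both sides, and confirm the inter-switch link is actually trunking, because VTP advertisements are only sent over trunk ports.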

Spanning Tree Lab Sim

May 17th, 2014 certprepare 43 comments

Question:

The headquarters office for a cement manufacturer is installing a temporary Catalyst 3550 in an IDF to connect 24 additional users. To prevent network corruption, it is important to have the correct configuration prior to connecting to the production network. It will be necessary to ensure that the switch does not participate in VTP but forwards VTP advertisements that are received on trunk ports.
Because of errors that have been experienced on office computers, all nontrunking interfaces should transition immediately to the forwarding state of Spanning tree. Also, configure the user ports (all FastEthernet ports) so that the ports are permanently nontrunking.

SpanningTreeLab.jpg

Requirements:
You will configure FastEthernet ports 0/12 through 0/24 for users who belong to VLAN 20. Also, all VLAN and VTP configurations are to be completed in global configuration mode as VLAN database mode is being deprecated by Cisco. You are required to accomplish the following tasks:

1. Ensure the switch does not participate in VTP but forwards VTP advertisements received on trunk ports.
2. Ensure all non-trunking interfaces (Fa0/1 to Fa0/24) transition immediately to the forwarding state of Spanning-Tree.
3. Ensure all FastEthernet interfaces are in a permanent non-trunking mode.
4. Place FastEthernet interfaces 0/12 through 0/24 in VLAN 20.

Answer and Explanation:

Read more…
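A worked configuration for the Catalyst 3550, added here as an example and not the page's own answer. `vtp mode transparent` satisfies task 1 exactly: the switch keeps its own VLAN database and relays VTP advertisements out its trunks without acting on them. `switchport mode access` is what makes a port permanently non-trunking, because it disables DTP, which is also the security reason to set it on every user port. The `bpduguard` line is hardening beyond the task: a PortFast port that skips listening/learning must never be allowed to quietly join the spanning tree when a user plugs in a switch, so any BPDU received on it err-disables the port instead.

```cisco
enable
configure terminal
! Task 1: transparent mode, so no VTP participation, but advertisements received
! on trunk ports are still forwarded
vtp mode transparent
! VLAN 20 created in global configuration (a transparent switch keeps local VLANs)
vlan 20
exit
! Tasks 2 and 3: all 24 FastEthernet ports permanently access (DTP off) and PortFast
interface range fastethernet 0/1 - 24
 switchport mode access
 spanning-tree portfast
! Task 4: user ports 12 through 24 in VLAN 20
interface range fastethernet 0/12 - 24
 switchport access vlan 20
exit
! Hardening beyond the task: err-disable any PortFast port that receives a BPDU
spanning-tree portfast bpduguard default
end
write memory
! Verify
show vtp status
show interfaces switchport
show spanning-tree interface fastethernet 0/12 portfast
```

`spanning-tree portfast default` in global configuration is an equivalent way to cover task 2, since it applies PortFast to every access port. One caveat on task 1: a transparent switch running VTP version 1 only relays advertisements whose domain name matches its own, whereas version 2 forwards them regardless of domain, so check `show vtp status` for the version and domain in use on the production trunks before trusting the relay behaviour.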

AAAdot1x Lab Sim

May 17th, 2014 certprepare 1,701 comments

Question

Answer and Explanation

Read more…