SWITCH 642-813 Category

HSRP Hotspot

April 11th, 2015 certprepare 70 comments

Question

 —————————————————————————————————————————————————————–

For your information, the “show running-config” commands are posted below for your reference but please notice in the exam you have to issue this command to get the output:

DSW1#show running-config

interface Vlan101
 ip address 192.168.101.1 255.255.255.0
 standby 1 ip 192.168.101.254
 standby 1 priority 200
 standby 1 track GigabitEthernet1/0/1 55
!
interface Vlan102
 ip address 192.168.102.1 255.255.255.0
 standby 2 ip 192.168.102.254
 standby 2 priority 200
 standby 2 preempt
 standby 2 track GigabitEthernet1/0/1 5
!
interface Vlan103
 ip address 192.168.103.1 255.255.255.0
 standby 3 ip 192.168.103.254
 standby 3 priority 200
 standby 3 preempt
 standby 3 track GigabitEthernet1/0/1
!
interface Vlan104
 ip address 192.168.104.1 255.255.255.0
 standby 4 ip 192.168.104.254
 standby 4 priority 150
 standby 4 preempt
 standby 4 track GigabitEthernet1/0/1 1
!
interface Vlan105
 ip address 192.168.105.1 255.255.255.0
 standby 5 ip 192.168.105.254
 standby 5 priority 150
 standby 5 preempt
 standby 5 track GigabitEthernet1/0/1 55
DSW2#show running-config

interface Vlan101
 ip address 192.168.101.2 255.255.255.0
 standby 1 ip 192.168.101.254
 standby 1 priority 150
 standby 1 preempt
 standby 1 track GigabitEthernet1/0/1
!
interface Vlan102
 ip address 192.168.102.2 255.255.255.0
 standby 2 ip 192.168.102.254
 standby 2 priority 190
 standby 2 preempt
 standby 2 track GigabitEthernet1/0/1
!
interface Vlan103
 ip address 192.168.103.2 255.255.255.0
 standby 3 ip 192.168.103.254
 standby 3 priority 190
 standby 3 preempt
 standby 3 track GigabitEthernet1/0/1 50
!
interface Vlan104
 ip address 192.168.104.2 255.255.255.0
 standby 4 ip 192.168.104.254
 standby 4 priority 200
 standby 4 preempt
 standby 4 track GigabitEthernet1/0/1 55
!
interface Vlan105
 ip address 192.168.105.2 255.255.255.0
 standby 5 ip 192.168.105.254
 standby 5 preempt
 standby 5 track GigabitEthernet1/0/1

Read more…

VLAN Questions

May 18th, 2014 certprepare 8 comments

Here you will find answers to VLAN Questions

Question 1

You are assigning VLANs to the ports of switch R1. What VLAN number value is an assigned to the default VLAN?

A VLAN 1003
B. VLAN 1
C. VLAN ON
D. VLAN A
E. VLAN 0

 

Answer: B

Question 2

What is a characteristic of a static VLAN membership assignment?

A. VMPS server lookup is required
B. Easy to configure
C. Ease of adds, moves, and changes
D. Based on MAC address of the connected device

 

Answer: B

Explanation

There are two types of VLAN membership assignment:

* Static VLAN: switch ports are assigned to specific VLANs manually

* Dynamic VLAN: switch automatically assigns the port to a VLAN using information from the user device like MAC address, IP address etc. When a device is connected to a switch port, the switch must, in effect, query a database to establish VLAN membership.

Static VLAN assignment provides a simple way to assign VLAN to a port while Dynamic VLANs allow a great deal of flexibility and mobility for end users but require more administrative overhead.

Question 3

What is a characteristic of multi-VLAN access ports?

A. The port has to support STP PortFast.
B. The auxiliary VLAN is for data service and is identified by the PVID.
C. The port hardware is set as an 802.1Q trunk.
D. Both the voice service and data service use the same trust boundary.

 

Answer: C

Explanation

The multi-VLAN port feature on the Catalyst 2900 XL/3500 XL switches allows for configuring a single port in two or more VLANs. This feature allows users from different VLANs to access a server or router without implementing InterVLAN routing capability. A multi-VLAN port performs normal switching functions in all its assigned VLANs. VLAN traffic on the multi-VLAN port is not encapsulated as it is in trunking -> The port is set as an 802.1Q trunk -> C is correct.

Note: The limitations of implementing multi-VLAN port features are listed below.

1) You cannot configure a multi-VLAN port when a trunk is configured on the switch. You must connect the multi-VLAN port only to a router or server. The switch automatically transitions to VTP transparent mode when the multi-VLAN port feature is enabled, making the VTP disabled.

2) The multi-VLAN port feature is supported only on the Catalyst 2900 XL/3500 XL series switches. This feature is not supported on the Catalyst 4000/5000/6000 series or any other Cisco Catalyst switches.

The following example shows how to configure a port for multi-VLAN mode:
Switch(config-if)# switchport mode multi

The following example shows how to assign a multi-VLAN port already in multi mode to a range of VLANs:
Switch(config-if)# switchport multi vlan 5-10

Question 4

The Company LAN switches are being configured to support the use of Dynamic VLANs. Which of the following are true of dynamic VLAN membership? (Choose two)

A. VLAN membership of a user always remains the same even when he/she is moved to another location.
B. VLAN membership of a user always changes when he/she is moved to another location.
C. Membership can be static or dynamic.
D. Membership can be static only.

 

Answer: A C

Explanation

Please read the explanation of Question 2

Question 5

Which of the following technologies would an Internet Service Provider use to support overlapping customer VLAN ID’s over transparent LAN services?

A. 802.1q tunneling
B. ATM
C. SDH
D. IP Over Optical Networking
E. ISL

 

Answer: A

Explanation

Using the IEEE 802.1Q tunneling (QinQ) feature, service providers can use a single VLAN to support customers who have multiple VLANs. The trick here is instead of removing the VLAN tag received from customers, the ISP’s edge switch puts that traffic into the VLAN assigned to that port and adds another VLAN tag outside that tag. Let’s see an example:

802_1q_tunneling_QinQ.jpg

When Switch A (of the Service Provider) receives customer traffic from an 802.1Q trunk port, it does not strip the received 802.1Q tag from the frame header; instead, the tunnel port leaves the 802.1Q tag intact, adds a 1-byte Ethertype field (0x8100) and a 1-byte length field and puts the received customer traffic into the VLAN to which the tunnel port is assigned. This Ethertype 0x8100 traffic, with the received 802.1Q tag intact, is called tunnel traffic. Notice that “VLAN X” here can be one or multiple VLANs, all will be tagged with VLAN 4 (suppose VLAN 4 is assigned to Company A).

A benefit of 802.1qQ tunneling is multiple companies can use the overlapped VLANs. For example, Company A can use VLANs 1 to 100 while Company B can use VLANs 50 to 100 (overlapped from VLANs 50 to 100). The ISP’s switches can still classify them because they are attached to different outer VLAN tags. In the example above Company A is assigned to VLAN 4 so we can assign Company B to VLAN 5, Company C to VLAN 6 and so on.

The link between the 802.1Q trunk port on a customer device and the tunnel port is called an asymmetrical link because one end is configured as an 802.1Q trunk port and the other end is configured as a tunnel port.

Note: By default, the native VLAN traffic of a dot1q trunk is sent untagged, which cannot be double-tagged in the service provider network. Because of this situation, the native VLAN traffic might not be tunneled correctly. Be sure that the native VLAN traffic is always sent tagged in an asymmetrical link. To tag the native VLAN egress traffic and drop all untagged ingress traffic, enter the global vlan dot1q tag native command.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1qtnl.html)

Question 6

Static VLANs are being used on the Company network. What is true about static VLANs?

A. Devices use DHCP to request their VLAN.
B. Attached devices are unaware of any VLANs.
C. Devices are assigned to VLANs based on their MAC addresses,
D. Devices are in the same VLAN regardless of which port they attach to.

 

Answer: B

Explanation

The VLAN tags are only added/removed at the switches. Attached devices are unaware of the existence of VLAN in the network.

Question 7

The Company LAN switches are being configured to support the use of Dynamic VLANs. What should be considered when implementing a dynamic VLAN solution? (Choose two)

A. Each switch port is assigned to a specific VLAN.
B. Dynamic VLANs require a VLAN Membership Policy Server.
C. Devices are in the same VLAN regardless of which port they attach to.
D. Dynamic VLAN assignments are made through the command line interface.

 

Answer: B C

Explanation

Dynamic VLANs provide membership based on the MAC address of an end-user device. When a device is connected to a switch port, the switch must, in effect, query a database to establish VLAN membership. A network administrator also must assign the user’s MAC address to a VLAN in the database of a VLAN Membership Policy Server (VMPS) -> B is correct.

When the link comes up, the switch does not forward traffic to or from this port until the port is assigned to a VLAN. The source MAC address from the first packet of a new host on the dynamic port is sent to the VMPS, which attempts to match the MAC address to a VLAN in the VMPS database. If there is a match, the VMPS sends the VLAN number for that port. If there is no match, the VMPS either denies the request or shuts down the port (depending on the VMPS secure mode setting) -> Devices are in the same VLAN regardless of which port they attach to -> C is correct.

Question 8

The Company LAN is becoming saturated with broadcasts and multicast traffic. What could you do to help a network with many multicasts and broadcasts?

A. Creating smaller broadcast domains by implementing VLANs.
B. Separate nodes into different hubs.
C. Creating larger broadcast domains by implementing VLANs.
D. Separate nodes into different switches.
E. All of the above.

 

Answer: A

Explanation

By default, switches flood multicasts out all ports (same as broadcasts). However, many switches and routers can be configured to support multicast traffic, and that support is based on the network addresses uses by multicasts. By implementing VLANs, broadcasts and multicast traffic are only sent to ports in the same VLAN of the sending device.

Question 9

You have just created a new VLAN on your network. What is one step that you should include in your VLAN based implementation and verification plan?

A. Verify that different native VLANs exist between two switches for security purposes,
B. Verify that the VLAN was added on all switches with the use of the show vlan command.
C. Verify that the switch is configured to allow for trunking on the switch ports,
D. Verify that each switch port has the correct IP address space assigned to it for the new VLAN.

 

Answer: B

Explanation

Different native VLANs will cause error messages about the mismatch, and the potential exists that traffic will not pass correctly between the two native VLANs (although a trunk can be brought up with different native VLANs on each end) -> A is not correct.

Answer C is reasonable but it should be done after configuring trunking, not creating a new VLAN -> C is not correct.

A layer 2 switch only needs one IP address for management purpose -> D is not correct.

Answer B is the best choice to verify if our new VLAN was created, and which ports are associated with it.

Question 10

You have configured a Cisco Catalyst switch to perform Layer 3 routing via an SVI and have assigned that interface to VLAN 20. To check the status of the SVI, you issue the show interfaces vlan 20 command at the CLI prompt. You see from the output display that the interface is in an “up/up” state. What must be true in an SVI configuration to bring the VLAN and line protocol up?

A. The port must be physically connected to another Layer 3 device.
B. At least one port in VLAN 20 must be active.
C. The Layer 3 routing protocol must be operational and receiving routing updates from neighboring peer devices.
D. Because this is a virtual interface, the operational status will always be in an “up/up” state.

 

Answer: B

Explanation

To be “up/up,” a router VLAN interface must fulfill the following general conditions:

* The VLAN exists and is “active” on the VLAN database of the switch.
* The VLAN interface exists on the router and is not administratively down.
* At least one Layer 2 (access port or trunk) port exists, has a link “up” on this VLAN and is in spanning-tree forwarding state on the VLAN.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/37sg/configuration/guides/l3_int.html)

Let’s see an example of configuring Switch Virtual Interface (SVI) to perform interVLAN routing between PC0 & PC1:

SVI_simple_topology.jpg

Configuration

//Create two VLANs

L3Switch(config)#vlan 10
L3Switch(config-vlan)#vlan 20
L3Switch(config-vlan)#exit

L3Switch(config)#interface fa0/1
L3Switch(config-if)#switchport mode access
L3Switch(config-if)#switchport access vlan 10

L3Switch(config)#interface fa0/2
L3Switch(config-if)#switchport mode access
L3Switch(config-if)#switchport access vlan 20
L3Switch(config-if)#exit

//Enable IP routing on this Layer 3 Switch

L3Switch(config)#ip routing

//Create two SVIs for interVLAN routing:

L3Switch(config)#interface vlan 10
L3Switch(config-if)#ip address 10.0.0.1 255.255.255.0

L3Switch(config)#interface vlan 20
L3Switch(config-if)#ip address 20.0.0.1 255.255.255.0

On PC0, assign the IP address 10.0.0.2 255.255.255.0 and the default gateway: 10.0.0.1
On PC1, assign the IP address 20.0.0.2 255.255.255.0 and the default gateway: 20.0.0.1

Now we can ping from PC0 to PC1:

PC0>ping 20.0.0.2

Pinging 20.0.0.2 with 32 bytes of data:

Reply from 20.0.0.2: bytes=32 time=40ms TTL=127
Reply from 20.0.0.2: bytes=32 time=40ms TTL=127
Reply from 20.0.0.2: bytes=32 time=40ms TTL=127
Reply from 20.0.0.2: bytes=32 time=40ms TTL=127

Practice SWITCH Labs with Packet Tracer

May 17th, 2014 certprepare 79 comments

The title said it all. Below are the screenshots of the lab files

Real_MLS_EIGRP.jpg

 

REAL_STP_LACP.jpg

 

Files included:

+ MLS with EIGRP lab
+ LACP – STP Lab

Download these lab files from certprepare.com

Please say thanks to Jojo who created these lab-sims. Now you can practice with real SWITCH Lab questions.

Updated:

Ghost sent me a new version of these lab files (on Apr-30-2013) which include:

+ MLS with EIGRP lab
+ LACP – STP Lab
+ VTP Lab
+ VTP 2 lab
+ STP Lab

You can download it here and please say thanks to him:

Download new updated lab files from certprepare.com

Note: AAAdot1x sim is not supported in Packet Tracer so we can’t create one for you to practice.

LACP with STP Sim

May 17th, 2014 certprepare 2,244 comments

Question

You work for SWITCH.com. They have just added a new switch (SwitchB) to the existing network as shown in the topology diagram.

LACP_STP_topology.jpg

RouterA is currently configured correctly and is providing the routing function for devices on SwitchA and SwitchB. SwitchA is currently configured correctly, but will need to be modified to support the addition of SwitchB. SwitchB has a minimal configuration. You have been tasked with competing the needed configuring of SwitchA and SwitchB. SwitchA and SwitchB use Cisco as the enable password.

Configuration Requirements for SwitchA

– The VTP and STP configuration modes on SwitchA should not be modified.
– SwitchA needs to be the root switch for vlans 11, 12, 13, 21, 22 and 23. All other vlans should be left are their default values.

Configuration Requirements for SwitchB

– Vlan 21, Name: Marketing, will support two servers attached to fa0/9 and fa0/10
– Vlan 22, Name: Sales, will support two servers attached to fa0/13 and fa0/14
– Vlan 23, Name: Engineering, will support two servers attached to fa0/15 and fa0/16
– Access ports that connect to server should transition immediately to forwarding state upon detecting the connection of a device.
– SwitchB VTP mode needs to be the same as SwitchA.
– SwitchB must operate in the same spanning tree mode as SwitchA.
– No routing is to be configured on SwitchB.
– Only the SVI vlan 1 is to be configured and it is to use address 192.168.1.11/24.

Inter-switch Connectivity Configuration Requirements:

– For operational and security reasons trunking should be unconditional and Vlans 1, 21, 22 and 23 should tagged when traversing the trunk link.
– The two trunks between SwitchA and SwitchB need to be configured in a mode that allows for the maximum use of their bandwidth for all vlans. This mode should be done with a non-proprietary protocol, with SwitchA controlling activation.
– Propagation of unnecessary broadcasts should be limited using manual pruning on this trunk link.

Answer and Explanation:

Read more…

MLS and EIGRP Sim

May 17th, 2014 certprepare 153 comments

Question

You have been tasked with configuring multilayer SwitchC, which has a partial configuration and has been attached to RouterC as shown in the topology diagram.

You need to configure SwitchC so that Hosts H1 and H2 can successful ping the server S1. Also SwitchC needs to be able to ping server S1. Due to administrative restrictions and requirements you should not add/delete VLANs, changes VLAN port assignments or create trunk links. Company policies forbid the use of static or default routing. All routes must be learned via EIGRP 650 routing protocol.

You do not have access to RouterC, RouterC is correctly configured. No trunking has been configured on RouterC.
Routed interfaces should use the lowest host on a subnet when possible. The following subnets are available to implement this solution:
– 10.10.10.0/24
– 190.200.250.32/27
– 190.200.250.64/27
Hosts H1 and H2 are configured with the correct IP address and default gateway.
SwitchC uses Cisco as the enable password.
Routing must only be enabled for the specific subnets shown in the diagram.

EIGRP_MLS_sim.jpg

Answer and Explanation

Read more…

VTP Lab 2

May 17th, 2014 certprepare 78 comments

Question

Answer and Explanation

Read more…

VTP Lab

May 17th, 2014 certprepare 62 comments

Question:

The headquarter offices for a book retailer are enhancing their wiring closets with Layer3 switches. The new distribution-layer switch has been installed and a new access-layer switch cabled to it. Your task is to configure VTP to share VLAN information from the distribution-layer switch to the access-layer devices. Then, it is necessary to configure interVLAN routing on the distribution layer switch to route traffic between the different VLANs that are configured on the access-layer switches; however, it is not necessary for you to make the specific VLAN port assignments on the access-layer switches. Also, because VLAN database mode is being deprecated by Cisco, all VLAN and VTP configurations are to be completed in the global configuration mode. Please reference the following table for the VTP and VLAN information to be configured:

VTP_Lab.jpg

Requirements:

VTP Domain name cisco  
VLAN Ids 20 21
IP Addresses 172.16.71.1/24 172.16.132.1/24

These are your specific tasks:

1. Configure the VTP information with the distribution layer switch as the VTP server
2. Configure the VTP information with the access layer switch as a VTP client
3. Configure VLANs on the distribution layer switch
4. Configure inter-VLAN routing on the distribution layer switch
5. Specific VLAN port assignments will be made as users are added to the access layer switches in the future.
6. All VLANs and VTP configurations are to completed in the global configuration. To configure the switch click on the host icon that is connected to the switch be way of a serial console cable.

Answer and Explanation:

 

Read more…

Spanning Tree Lab Sim

May 17th, 2014 certprepare 43 comments

Question:

The headquarter office for a cement manufacturer is installing a temporary Catalyst 3550 in an IDF to connect 24 additional users. To prevent network corruption, it is important to have the correct configuration prior to connecting to the production network. It will be necessary to ensure that the switch does not participate in VTP but forwards VTP advertisements that are received on trunk ports.
Because of errors that have been experienced on office computers, all nontrunking interfaces should transition immediately to the forwarding state of Spanning tree. Also, configure the user ports (all FastEthernet ports) so that the ports are permanently nontrunking.

SpanningTreeLab.jpg

Requirements:
You will configure FastEthernet ports 0/12 through 0/24 for users who belong to VLAN 20. Also, all VLAN and VTP configurations are to be completed in global configuration mode as VLAN database mode is being deprecated by Cisco. You are required to accomplish the following tasks:

1. Ensure the switch does not participate in VTP but forwards VTP advertisements received on trunk ports.
2. Ensure all non-trunking interfaces (Fa0/1 to Fa0/24) transition immediately to the forwarding state of Spanning-Tree.
3. Ensure all FastEthernet interfaces are in a permanent non-trunking mode.
4. Place FastEthernet interfaces 0/12 through 0/24 in VLAN 20.

Answer and Explanation:

Read more…

AAAdot1x Lab Sim

May 17th, 2014 certprepare 1,701 comments

Question

Answer and Explanation

Read more…

VLAN Questions 2

May 17th, 2014 certprepare 4 comments

Here you will find answers to VLAN Questions – Part 2

Question 1

Refer to the exhibit. Based upon the output of show vlan on switch CAT2, what can we conclude about interfaces Fa0/13 and Fa0/14?

show_vlan.jpg

A. That interfaces Fa0/13 and Fa0/14 are in VLAN 1
B. That interfaces Fa0/13 and Fa0/14 are down
C. That interfaces Fa0/13 and Fa0/14 are trunk interfaces
D. That interfaces Fa0/13 and Fa0/14 have a domain mismatch with another switch
E. That interfaces Fa0/13 and Fa0/14 have a duplex mismatch with another switch

 

Answer: C

Explanation

Trunk ports are part of multiple VLANs, not of just a single VLAN so they never show up in the show vlan command. You can check the trunk port with the show interfaces trunk or show interface {port} switchport command. You can find an example output of this command in Question 8.

Note: Trunk ports that are not connected appear by default in vlan 1 and also appear in the output of the show vlan command.

Question 2

What two pieces of information will the show vlan id 5 command display? (Choose two)

A. Ports in VLAN 5
B. Utilization
C. VLAN information on port 0/5
D. Filters
E. MTU and type

 

Answer: A E

Explanation

The show vlan id vlan-id command display information about a particular VLAN. But notice that this command will also list trunk ports that allow this VLAN to run on. An example of the “show vlan id” command is shown below:

show_vlan_id.jpg

Question 3

What are some virtues of implementing end-to-end VLANs? (Choose two)

A. End-to-end VLANs are easy to manage.
B. Users are grouped into VLANs independent of a physical location.
C. Each VLAN has a common set of security and resource requirements for all members.
D. Resources are restricted to a single location.

 

Answer: B C

Explanation

There are two kinds of VLANs:

* End-to-end VLANs: also called campuswide VLANs, span the entire switch fabric of a network. They are positioned to support maximum flexibility and mobility of end devices. Users can be assigned to VLANs regardless of their physical location. As a user moves around the campus, that user’s VLAN membership stays the same. End-to-end VLANs should group users according to common requirements. All users in a VLAN should have roughly the same traffic flow patterns

* Local VLANs: based on geographic locations by demarcation at a hierarchical boundary (core, distribution, access)

(Reference: CCNP SWITCH 642-813 Official Certification Guide)

Question 4

Which two statements are true about a switched virtual interface (SVI)? (Choose two)

A. An SVI is created by entering the no switchport command in interface configuration mode.
B. An SVI is normally created for the default VLAN (VLAN1) to permit remote switch administration.
C. An SVI provides a default gateway for a VLAN.
D. Multiple SVIs can be associated with a VLAN.
E. SVI is another name for a routed port.

 

Answer: B C

Explanation

Catalyst L2 fixed configuration switches that run Cisco IOS Software have only one configurable IP management interface, which by default is interface VLAN 1. Pure layer 2 switches can have only one interface VLAN up at the time. This is called the management VLAN (in IOS) or the sc0 interface (in CatOS). The main purpose of this interface is management (telnet, SNMP, etc). If the switch is a Layer 3 switch, you can configure multiple VLANs and route between them. An L3 switch can handle multiple IPs, so there is no specific management VLAN on the switch.

(Reference: http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008010e9ca.shtml)

Question 5

You have just created a new VLAN on your network. What is one step that you should include in your VLAN based implementation and verification plan?

A. Verify that trunked links are configured to allow the VLAN traffic.
B. Verify that the switch is configured to allow for trunking on the switch ports.
C. Verify that each switch port has the correct IP address space assigned to it for the new VLAN.
D. Verify that different native VLANs exist between two switches for security purposes.

 

Answer: A

Explanation

A VLAN-based implementation and verification plan should include:

* Verification that trunked links are configured to allow the newly created VLANs.
* Verification that the SVI has already been created and that it shows up on all required switches using the show vlan command.

Question 6

You have just created a new VLAN on your network for inter-VLAN routing. What is one step that you should include in your VLAN-based implementation and verification plan?

A. Verify that different native VLANs exist between two switches for security purposes.
B. Verify that the switch is configured to allow for trunking on the switch ports.
C. Verify that each switch port has the proper IP address space assigned to it for the new VLAN.
D. Verify that the VLAN virtual interface has been correctly created and enabled.

 

Answer: D

Explanation

Same as Question 5.

Question 7

Under what circumstances should an administrator prefer local VLANs over end-to-end VLANs?

A. Eighty percent of traffic on the network is destined for Internet sites.
B. There are common sets of traffic filtering requirements for workgroups located in multiple buildings.
C. Eighty percent of a workgroup’s traffic is to the workgroup’s own local server.
D. Users are grouped into VLANs independent of physical location.

 

Answer: A

Explanation

End-to-end VLAN follows the 80/20 rule in which 80 percent of user traffic stays within the local workgroup, whereas 20 percent is destined for a remote resource in the campus network (like Internet…).

In contrast to end-to-end-VLAN, local VLAN follows the 20/80 rule: only 20 percent of traffic is local, whereas 80 percent is destined to a remote re-source across the core layer -> A is correct.

(Reference: CCNP SWITCH 642-813 Official Certification Guide)

Question 8

Which of the following statements is true about the 80/20 rule (Choose two)?

A. 20 percent of the traffic on a network segment should be local.
B. no more than 20 percent of the network traffic should be able to move across a backbone.
C. no more than 80 percent of the network traffic should be able to move across a backbone.
D. 80 percent of the traffic on a network segment should be local.

 

Answer: B D

Explanation

The 80/20 rule states that 80 percent of user traffic stays within the local workgroup, whereas 20 percent is destined for a remote resource in the campus network

 

Question 9

Which two statements are true about best practices in VLAN design? (Choose two.)

A. Routing should occur at the access layer if voice VLANs are utilized. Otherwise, routing should occur at the distribution layer.
B. Routing may be performed at all layers but is most commonly done at the core and distribution layers.
C. Routing should not be performed between VLANs located on separate switches.
D. VLANs should be local to a switch.
E. VLANs should be localized to a single switch unless voice VLANs are being utilized.

 

Answer: B D

Explanation

First let’s review main characteristics of three layers in a campus network:

* Access layer:

+ Low cost per switch port
+ High port density
+ Scalable uplinks to higher layers
+ User access functions such as VLAN membership, traffic and protocol filtering, and quality of service (QoS)
+ Resiliency through multiple uplinks

* Distribution Layer:

+ Aggregation of multiple access-layer devices
+ High Layer 3 throughput for packet handling
+ Security and policy-based connectivity functions through access lists or packet filters
+ QoS features
+ Scalable and resilient high-speed links to the core and access layers

* Core layer:

+ Very high throughput at Layer 3
+ No costly or unnecessary packet manipulations (access lists, packet filtering)
+ Redundancy and resilience for high availability
+ Advanced QoS functions

We can see at Distribution and Core layers, Layer 3 throughput (routing) is very high -> B is correct.

Nowadays, end-to-end VLANs are not recommended in an enterprise network, unless there is a good reason. In an end-to-end VLAN, broadcast traffic is carried over from one end of the network to the other, creating the possibility for a broadcast storm or Layer 2 bridging
loop to spread across the whole extent of a VLAN. This can exhaust the bandwidth of distribution and core-layer links, as well as switch CPU resources. Now the storm or loop has disrupted users on the end-to-end VLAN, in addition to users on other VLANs that might
be crossing the core.

When such a problem occurs, troubleshooting becomes more difficult. In other words, the risks of end-to-end VLANs outweigh the convenience and benefits.

From that we can infer VLAN traffic should be local to the switch -> D is correct.

(Reference: CCNP SWITCH 642-813 Official Certification Guide)

Question 10

show_interfaces_fastethernet_switchport.jpg

Refer to the exhibit. The user who is connected to interface FastEthernet 0/1 is on VLAN 10 and cannot access network resources. On the basis of the information in the exhibit, which command sequence would correct the problem?

A. SW1(config)# vlan 10
SW1(config-vlan)# no shut

B. SW1(config)# interface fastethernet 0/1
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 10

C. SW1(config)# interface fastethernet 0/1
SW1(config-if)# switchport mode access

D. SW1(config)# vlan 10
SW1(config-vlan)# state active

E. SW1(config)# interface fastethernet 0/1
SW1(config-if)# no shut

 

Answer: E

 

VLAN Questions 3

May 16th, 2014 certprepare 1 comment

Here you will find answers to VLAN Questions – Part 3

Question 1

Refer to the exhibit. On the basis of the output generated by the show commands, which two statements are true? (Choose two)

show_interface_gigabitethernet_show_vlan.jpg

A. Interface gigabitethernet 0/1 has been configured as Layer 3 ports.
B. Interface gigabitethernet 0/1 does not appear in the show vlan output because switchport is enabled.
C. Interface gigabitethernet 0/1 does not appear in the show vlan output because it is configured as a trunk interface.
D. VLAN2 has been configured as the native VLAN for the 802.1q trunk on interface gigabitethernet 0/1.
E. Traffic on VLAN 1 that is sent out gigabitethernet 0/1 will have an 802.1q header applied.
F. Traffic on VLAN 2 that is sent out gigabitethernet 0/1 will have an 802.1q header applied.

 

Answer: C F

Explanation

From the output of show interface gigabitethernet 0/1 switchport command we can see this port is currently configured as trunked port (Operational Mode: trunk) and uses 802.1q encapsulation. So surely the “show vlan” command will not list this port -> C is correct.

Also from the first output we learned the native VLAN is VLAN 1 (Trunking Native Mode VLAN:1) so only traffic from this VLAN is sent untagged -> traffic sent from VLAN 2 out this port will have an 802.1q header applied -> F is correct.

Question 2

When you issue a command show port 3/1 on an Ethernet port, you observe the ‘Giants’ column has a non-zero entry. What could cause of this?

A. IEEE 802.1Q
B. IEEE 802.10
C. Misconfigured NIC
D. User configuration
E. All of the above

 

Answer: A

Explanation

Generally, frames that are greater than 1522 bytes are categorized as giant frames (notice that a normal Ethernet frame has a size that ranges from 64 bytes to 1518 bytes). Giant frames often are the result of some protocol-tagging mechanisms, for example 802.1Q frames (1522 bytes), MPLS (1518 + 4 * n, where n is the number of stacked labels), ISL frames (1548 bytes).

There are nothing wrong with giant frames, just make sure you configure both end devices to support these frames.

Note: In fact, frames that are created by 802.1Q are often known as baby giants (frames that are slightly larger than 1518 bytes).

Question 3

You want to configure a switched internetwork with multiple VLANs as shown above. Which of the following commands should you issue on SwitchA for the port connected to SwitchB?

switchport_mode_trunk.jpg

A. switchport mode trunk
B. switchport access vlan 5
C. switchport mode access vlan 5
D. switchport trunk native vlan 5

 

Answer: A

Explanation

To support interVLAN routing, the links between two switches must be configured as trunk link.

Question 4

Refer to the exhibit. VLAN 1 and VLAN 2 are configured on the trunked links between Switch A and Switch B. Port Fa 0/2 on Switch B is currently in a blocking state for both VLANs. What should be done to load balance VLAN traffic between Switch A and Switch B?

trunk_blocking_state.jpg

A. Lower the port priority for VLAN 1 on port 0/1 for Switch A.
B. Lower the port priority for VLAN 1 on port 0/2 for Switch A.
C. Make the bridge ID of Switch B lower than the ID of Switch A.
D. Enable HSRP on the access ports.

 

Answer: B

Explanation

Please read the explanation of Question 3 in http://www.certprepare.com/vlan-questions-4.

In general, a BPDU is superior than another if it has:

1. A lower Root Bridge ID
2. A lower path cost to the Root
3. A lower Sending Bridge ID
4. A lower Sending Port ID

These four parameters are examined in order. In this specific case, all the BPDUs sent by Switch A have the same Root Bridge ID, the same path cost to the Root and the same Sending Bridge ID. The only parameter left to select the best one is the Sending Port ID (Port ID = port priority + port index). Which port Switch B will block is based on the Sending Bridge ID it receives from Switch A. So lower the port priority for VLAN 1 will lower the Sending Bridge ID for port Fa0/2 on Switch A -> traffic for VLAN 1 will flow via Fa0/2 link.

Question 5

On a multilayer Catalyst switch, which interface command is used to convert a Layer 3 interface to a Layer 2 interface?

A. switchport access vlan vlan-id
B. switchport
C. switchport mode access
D. no switchport

 

Answer: B

Question 6

Refer to the exhibit and the show interfaces fastethernet0/1 switchport outputs. Users in VLAN 5 on switch SW_A complain that they do not have connectivity to the users in VLAN 5 on switch SW_B. What should be done to fix the problem?

show_interfaces_fastethernet_switchport_switch.jpg

A. Configure the same number of VLANs on both switches.
B. Create switch virtual interfaces (SVI) on both switches to route the traffic.
C. Define VLAN 5 in the allowed list for the trunk port on SW_A.
D. Disable pruning for all VLANs in both switches.
E. Define VLAN 5 in the allowed list for the trunk port on SW_B.

 

Answer: C

Explanation

SW_A is missing VLAN 5 in the “Trunking VLANs Enabled”, that means the trunk link currently does not accept traffic from VLAN 5 to be sent on the link.

Question 7

Refer to the show interface Gi0/1 switchport command output shown in the exhibit. Which two statements are true about this interface? (Choose two)

show_interface_gigabitethernet_access.jpg

A. This interface is a member of a voice VLAN.
B. This interface is configured for access mode.
C. This interface is a dot1q trunk passing all configured VLANs.
D. This interface is a member of VLAN 7.
E. This interface is a member of VLAN 1.

 

Answer: B D

Question 8

In the three-layer hierarchical network design model; what’s associated with the access layer? (Choose two)

A. optimized transport structure
B. high port density
C. boundary definition
D. data encryption
E. local VLANs
F. route summaries

 

Answer: B E

Explanation

Main characteristics of three layers in the three-layer hierarchical network design model:

* Access layer:
+ Low cost per switch port
+ High port density
+ Scalable uplinks to higher layers
+ User access functions such as VLAN membership, traffic and protocol filtering, and quality of service (QoS)
+ Resiliency through multiple uplinks

* Distribution Layer:
+ Aggregation of multiple access-layer devices
+ High Layer 3 throughput for packet handling
+ Security and policy-based connectivity functions through access lists or packet filters
+ QoS features
+ Scalable and resilient high-speed links to the core and access layers

* Core layer:
+ Very high throughput at Layer 3
+ No costly or unnecessary packet manipulations (access lists, packet filtering)
+ Redundancy and resilience for high availability
+ Advanced QoS functions

Also, end-to-end VLANs and local VLANs belong to access layer.

Question 9

Refer to the following exhibits:

Exhibit #1

show_interfaces_fastethernet_switchport_dynamic_auto.jpg

Exhibit #2

show_interfaces_fastethernet_switchport_dynamic_desirable.jpg

Study the exhibits carefully. The switchport output in Exhibit #1 displays the default settings of interface FastEthernet 0/13 on switch Sw1. Figure 2 displays the desired interface settings. Which command sequence would configure interface FastEthernet 0/13 as displayed in Exhibit #2?

A.
Sw1(config-if)# switchport trunk encapsulation dot1q
Sw1 (config-if)# switchport mode dynamic auto
Sw1 (config-if)# switchport trunk native DATA
Sw1 (config-if)# switchport trunk allowed vlan add 1,10,20

B.
Sw1(config-if)# switchport trunk encapsulation dot1q
Sw1(config-if)# switchport mode dynamic desirable
Sw1(config-if)# switchport trunk native vlan DATA
Sw1(config-if)# switchport trunk allowed vlan 1,10,20

C.
Sw1 (config-if)# switchport trunk encapsulation dot1q
Sw1 (config-if)# switchport mode trunk
Sw1 (config-if)# switchport trunk native DATA
Sw1 (config-if)# switchport trunk allowed vlan 1,10,20

D.
Sw1(config-if)# switchport trunk encapsulation dot1q
Sw1(config-if)#switchport mode dynamic desirable
Sw1(config-if)#switchport trunk native vlan 10

E.
Sw1 (config-if)# switchport trunk encapsulation dot1q
Sw1 (config-if)# switchport mode dynamic desirable
Sw1 (config-if)# switchport trunk native vlan 10
Sw1 (config-if)# switchport trunk allowed vlan 1,10,20

 

Answer: E

Question 10

What is the result of these commands?

Switch (config)#interface range fa0/0-5
Switch(config-if-range)#switchport access vlan 2

A. Two new vlans are created on six switch ports
B. One new vlan is created on five switch ports
C. Six new vlans are created on six switch ports
D. One new vlan is created with the vlan number 2

 

Answer: D

Explanation

If the administrator has not created VLAN 2 before typing this command, a message will appear informing that VLAN 2 is created automatically.

VLAN Questions 4

May 15th, 2014 certprepare No comments

Here you will find answers to VLAN Questions – Part 4


Question 1

Which three statements apply to access control of both bridged and routed traffic for VLANs? (Choose three)

A. Router ACLs can be applied to the input and output directions of a VLAN interface
B. Bridged ACLs can be applied to the input and output directions of a VLAN interface
C. Only router ACLs can be applied to a VLAN interface
D. VLAN maps can be applied to a VLAN interface
E. VLAN maps and router ACLs can be used in combination

 

Answer: A C E

Explanation

Bridged ACL (or VLAN Access-list, or VLAN map) is used to filter traffic that is flowing within a VLAN. It can only be applied to a VLAN, not interface -> C is correct.

An Interface VLAN (or Switch Virtual Interface – SVI) is very similar to a physical interface on a router, although it is a virtual interface only. We can apply Router ACL to the inbound and outbound direction of a VLAN interface -> A is correct.

To apply access control to both bridged and routed traffic, you can use VACLs alone or a combination of VACLs and ACLs. You can define ACLs on the VLAN interfaces to apply access control to both the ingress and egress routed traffic. You can define a VACL to apply access control to the bridged traffic. -> E is correct.

Note: In CCNA we learned about Access list, in fact it is Router Access list.

(Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/vlan_acls.html#wp1149682)

Question 2

When you create a network implementation for a VLAN solution, what is one procedure that you should include in your plan?

A. Perform an incremental implementation of components.
B. Implement the entire solution and then test end-to-end to make sure that it is performing as designed.
C. Implement trunking of all VLANs to ensure that traffic is crossing the network as needed before performing any pruning of VLANs.
D. Test the solution on the production network in off hours.

 

Answer: A

Explanation

Implementation Plan
+ Some examples of organizational objectives when developing a VLAN implementation plan could include: improving customer support, increasing competitiveness, and reducing costs
+ When creating a VLAN implementation plan, it is critical to have a summary implementation plan that lays out the implementation overview.
+ Incremental implementation of components is the recommended approach when defining a VLAN implementation plan.

Question 3

Two switches SA and SB are connected as shown below. Given the below partial configuration, which two statements are true about VLAN traffic? (Choose two)

vtp_traffic

A – VLANs 1-5 will be blocked if fa0/10 goes down.
B – VLANs 6-10 have a port priority of 128 on fa0/10.
C – VLANs 6-10 will use fa0/10 as a backup only.
D – VLANs 1-10 are configured to load share between fa0/10 and fa0/12.

 

Answer: C D

Explanation:

Let’s assume that SA is the root bridge for all VLANs, it will make the explanation a bit clearer…

First we should understand what will happen if nothing is configured (use default values). Because we assumed that SA is the root bridge so all of its ports will forward. SB will need to block one of its ports to avoid a bridging loop between the two switches. But how does SB select its blocked port? Well, the answer is based on the BPDUs it receives from SA. A BPDU is superior than another if it has:

1. A lower Root Bridge ID
2. A lower path cost to the Root
3. A lower Sending Bridge ID
4. A lower Sending Port ID

These four parameters are examined in order. In this specific case, all the BPDUs sent by SA have the same Root Bridge ID, the same path cost to the Root and the same Sending Bridge ID. The only parameter left to select the best one is the Sending Port ID (Port ID = port priority + port index). If using default values, the default port priority’s value is 32 or 128 (128 is much more popular today but 32 is also a default port priority’s value), so SB will compare port index values, which are unique to each port on the switch, and because Fa0/12 is inferior to Fa0/10, SB will select the port connected with Fa0/10 (of SA) as its root port and block the other port.

vtp_traffic_explanation_blockFa012

To change the default decision of selecting root port, we can change the port priority of each interface. The above picture is true for VLAN 1-5 because port Fa0/10 has a lower port-priority so the peer port will be chosen as the root port. For VLAN 6-10, port Fa0/12 has higher priority ID (lower port priority value) so SB will block its upper port.

For answer A – “VLANs 1-5 will be blocked if fa0/10 goes down” – is not correct because if Fa0/10 goes down, SB will unblock its lower port therefore VLANs 1-5 will still operate.

For answer B – “VLANs 6-10 have a port priority of 128 on fa0/10” – is not always correct because VLAN 6-10 can have a different port priority (of 32) according to the Cisco’s link below.

Answer C is correct because VLAN 6-10 uses Fa0/12 link as it main path. Fa0/10 is the backup path and is only opened when port Fa0/12 fails.

Answer D is correct because this configuration provide load-balance traffic based on VLAN basis. VLANs 1-5 use Fa0/10 and VLANs 6-10 use Fa0/12 as their main paths.

Note: We can not assure the answer B is always correct so we should choose C and D if the question asks us to give only 2 choices).

Reference (and good resource, too):

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96a.shtml

VLAN Trunking Questions

May 15th, 2014 certprepare 6 comments

Here you will find answers to VLAN Trunking Questions

Question 1

Which statement is correct about 802.1Q trunking?

A. Both switches must be in the same VTP domain.
B. The encapsulation type of both ends of the trunk does not have to match.
C. The native VLAN on both ends of the trunk must be VLAN 1.
D. 802.1Q trunking can only be configured on a Layer 2 port.
E. In 802.1Q trunking, all VLAN packets are tagged on the trunk link, except the native VLAN.

 

Answer: E

Explanation

By default frames from the native VLAN are not tagged. To force a switch to tag the native VLAN on all its 802.1Q trunks, we can use the following command:

Switch(config)#vlan dot1q tag native

 

Question 2

Which switch command enables a trunking protocol that appends a four byte CRC to the packet?

A. CompanySwitch(config-if)#switchport trunk encapsulation dot1q
B. CompanySwitch(config-if)#switchport trunk encapsulation itef
C. CompanySwitch(config-if)#switchport trunk encapsulation fddi
D. CompanySwitch(config-if)#switchport trunk encapsulation isl

 

Answer: D

Explanation

The ISL frame consists of three primary fields: the encapsulation frame (original frame), which is encapsulated by the ISL header, and the FCS at the end:

ISL Header Encapsulation Frame (Original Data) FCS

In ISL, the original frame is encapsulated and an additional header is added before the frame is carried over a trunk link. Also, a FCS is generated based on some fields in the ISL Header and the Encapsulation Frame and added to the end of the frame. At the receiving end, the header and FCS are removed and the frame is forwarded to the assigned VLAN. The FCS field consists of 4 bytes and contains a 32-bit CRC value.

Note: The addition of the new FCS does not alter the original FCS that is contained within the encapsulated frame.

Question 3

While using a packet analyzer, you notice four additional bytes being added to the packets in the Company network. Which protocol inserts a four byte tag into the Ethernet frame and recalculates CRC value?

A. DTP
B. VTP
C. 802.1Q
D. ISL

 

Answer: C

Explanation

802.1Q is the IEEE standard for tagging frames on a trunk and supports up to 4096 VLANs. In 802.1Q, the trunking device inserts a 4-byte tag into the original frame and recomputes the frame check sequence (FCS) before the device sends the frame over the trunk link. At the receiving end, the tag is removed and the frame is forwarded to the assigned VLAN. 802.1Q does not tag frames on the native VLAN.

Note: IEEE 802.1Q uses an internal tagging mechanism which inserts a 4-byte tag field in the original Ethernet frame itself.

(Reference: http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094665.shtml)

Note: From the Question 2 and Question 3 we can see a big difference in the way of using the FCS field in 802.1Q and ISL. 802.1Q modifies and FCS field inside the original Ethernet frame while ISL leaves the original FCS field inside the Ethernet frame unchanged, it just adds another FCS field outside the original Ethernet frame.

Therefore please pay attention to which question is asked. Question 2 asks “appends a four byte CRC to the packet” which means ISL while Question 3 says “inserts a four byte tag into the Ethernet frame” which means 802.1Q.

Question 5

Which command alone will disable trunking on a Layer 2 switch port?

A. no switchport trunk native vlan vlan-id
B. switchport nonegotiate
C. no switchport mode dynamic desirable
D. switchport mode access

 

Answer: D

Explanation

The “switchport mode access” command forces a switch port to always behave as an access port (with no capability of establishing trunks).

Note: When using the switchport nonegotiate command, Dynamic Inter-Switch Link Protocol and Dynamic Trunking Protocol (DISL/DTP)-negotiation packets are not sent on the interface. The device trunks or does not trunk according to the mode parameter given: access or trunk.

 

Question 6

ISL is being configured on a Company switch. Which of the following choices are true regarding the ISL protocol? (Choose two)

A. It can be used between Cisco and non-Cisco switch devices.
B. It calculates a new CRC field on top of the existing CRC field.
C. It adds 4 bytes of protocol-specific information to the original Ethernet frame.
D. It adds 30 bytes of protocol-specific information to the original Ethernet frame.

 

Answer: B D

Explanation

ISL encapsulates the entire Ethernet frame (Fast Ethernet or Gigabit Ethernet) with a 26-byte header and a 4-byte frame check sequence (FCS) for a total of 30 bytes of overhead.

ISL Header
(26 bytes)
Encapsulation Frame (Original Data) FCS
(4 bytes)

Question 7

A new Company switch was just configured using the “switchport trunk native vlan 7” command. What does this interface command accomplish?

A. Causes the interface to apply ISL framing for traffic on VLAN 7
B. Configures the trunking interface to forward traffic from VLAN 7
C. Configures the interface to be a trunking port and causes traffic on VLAN 7 to be 802.1q tagged
D. Configures the trunking interface to send traffic from VLAN 7 untagged

 

Answer: D

Explanation

The “switchport trunk native vlan 7” sets VLAN 7 to be the native VLAN so traffic to this VLAN will be untagged. Also untagged traffic are automatically assumed to be in VLAN 7 -> D is correct.

Question 8

If you needed to transport traffic coming from multiple VLANs (connected between switches), and your CTO was insistent on using an open standard, which protocol would you use?

A. 802.11B
B. spanning-tree
C. 802.1Q
D. ISL
E. VTP
F. Q.921

 

Answer: C

Explanation

IEEE’s 802.1Q VLAN tagging is the industry standard to carry traffic for multiple VLANs on a single trunking interface between two Ethernet switches while Inter-Switch Link (ISL) is a Cisco proprietary VLAN tagging protocol.

Question 9

The Company core switches use 802.1Q trunks to connect to each other. How does 802.1Q trunking keep track of multiple VLANs?

A. It tags the data frame with VLAN information and recalculates the CRC value
B. It encapsulates the data frame with a new header and frame check sequence
C. It modifies the port index of a data frame to indicate the VLAN
D. It adds a new header containing the VLAN ID to the data frame

 

Answer: A

Explanation

IEEE 802.1Q uses an internal tagging mechanism which inserts a 4-byte tag field in the original Ethernet frame itself between the Source Address and Type/Length fields. This tag includes VLAN information (12 bits) to distinguish between VLANs on the link.

802_1q_frame_structure.jpg

Question 10

You are the network administrator tasked with designing a switching solution for the Company network. Which of the following statements describing trunk links are INCORRECT? (Choose four)

A. The trunk link belongs to a specific VLAN.
B. Multiple trunk links are used to connect multiple end user devices.
C. A trunk link only supports native VLAN.
D. Trunk links use 802.10 to identify a VLAN.
E. The native VLAN of the trunk link is the VLAN that the trunk uses for untagged packets.

 

Answer: A B C D

 

VLAN Trunking Questions 2

May 15th, 2014 certprepare 2 comments

Here you will find answers to VLAN Trunking Questions – Part 2

Question 1

You are the network administrator at Company and switch R1 is configured as shown below:

interface GigabitEthernet0/1
switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk native vlan 5

If untagged frames are arriving on interface GigabitEthernet0/1 of R1, which of the following statement are correct?

A. Untagged frames are automatically assumed to be in VLAN 5.
B. Untagged frames are defaulted to VLAN 1 traffic.
C. Untagged frames are dropped because all packets are tagged when dot1q trunked.
D. Untagged frames are determined on the other switch
E. Untagged frames are not supported on 802.1Q trunks.

 

Answer: A

Explanation

The “switchport trunk native vlan 5” sets VLAN 5 to be the native VLAN so traffic to this VLAN will be untagged. Also untagged traffic are automatically assumed to be in VLAN 5 -> A is correct.

Note: The native VLAN must match on both sides of the trunk link for 802.1Q; otherwise the link will not work.

Question 2

What are three results of issuing the “switchport host” command? (Choose three)

A. disables EtherChannel
B. enables port security
C. disables Cisco Discovery Protocol
D. enables PortFast
E. disables trunking
F. enables loopguard

 

Answer: A D E

Explanation

Catalyst 6500 switches running Cisco IOS software support the macro command switchport host. The switchport host macro command was designed to facilitate the configuration of switch ports that connect to end stations. Entering this command sets the switch port mode to access, enables spanning tree PortFast, and disables channel grouping, all at the same time. The switchport host macro command can be used as an alternative to the switchport mode access command.

(Reference: http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/sec_chap7.html)

Question 3

If you were to configure an ISL Ethernet trunk between two Cisco switches, named R1 and R2, what would you have to include at the end of the link for the trunk to operate correctly? (Choose two)

A. An identical VTP mode.
B. An identical speed/duplex.
C. An identical trunk negotiation parameter.
D. An identical trunk encapsulation parameter.

 

Answer: B D

Explanation

One of the requirements for trunking to work is for speed and duplex to be the same on both sides. -> B is correct.

Maybe answer D wants to mention about encapsulation type (ISL or 802.1q) so it is an acceptable answer.

(Reference: http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_example09186a008014859e.shtml)

Question 4

Which three statements are correct with regard to the IEEE 802.1Q standard? (Choose three)

A. The IEEE 802.1Q frame format adds a 4 byte field to a Ethernet frame
B. The packet is encapsulated with a 26 byte header and a 4 byte FCS
C. The protocol uses point-to-multipoint connectivity
D. The protocol uses point-to-point connectivity
E. The IEEE 802.1Q frame uses multicast destination of 0x01-00-0c-00-00
F. The IEEE 802.1Q frame retains the original MAC destination address

 

Answer: A D F

Explanation

There are two ways to implement Ethernet trunking:

* Inter-Switch Link Protocol (ISL, a Cisco proprietary protocol)
* 802.1Q (IEEE standard)

In Cisco implementation, a trunk is a point-to-point link, although it is possible to use the 802.1Q encapsulation on an Ethernet segment shared by more than two devices. Such a configuration is seldom needed but is still possible with the disablement of DTP negotiation -> D is correct.

IEEE 802.1Q uses an internal tagging mechanism which inserts a 4-byte tag field in the original Ethernet frame itself between the Source Address and Type/Length fields -> A is correct.

802_1q_frame_structure.jpg

 

The SA field is the source address field of the ISL packet. It is a 48-bit value -> F is correct.

(Reference: http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008012ecf3.shtml)

Question 5

Refer to the exhibit. Why are users from VLAN 100 unable to ping users on VLAN 200?

Trunking_switch_router.jpg

A. Encapsulation on the switch is wrong.
B. Trunking needs to be enabled on Fa0/1.
C. The native VLAN is wrong.
D. VLAN 1 needs the no shutdown command.
E. IP routing needs to be enabled on the switch.

 

Answer: B

Explanation

In this question, maybe the exhibit forgot to describe Fa0/1 is the port on the switch which is connected to the router. To allow interVLAN routing between VLAN 100 and 200, this port must be configured as trunk port.

If you wish to see the full configuration of interVLAN routing, please read my interVLAN routing tutorial (you will see the configuration at the bottom of that tutorial).

Question 6

What is the effect of applying the “switchport trunk encapsulation dot1q” command to a port on a Cisco Catalyst switch?

A. By default, native VLAN packets going out this port will be tagged.
B. Without an encapsulation command, 802.1Q will be the default encapsulation if DTP fails to negotiate a trunking protocol.
C. The interface will support the reception of tagged and untagged traffic.
D. If the device connected to this port is not 802.1Q-enabled, it will not be able to handle 802.1Q packets.

 

Answer: C

Explanation

The “switchport trunk encapsulation dot1q” command configures trunk encapsulation as 802.1q, which supports the reception of tagged and untagged traffic -> C is correct.

Note: If your switch does not accept this command, try to enter “switchport” command first to configure the interface as a Layer 2 port.

Question 7

Two Company switches are connected via a trunk link. In this network, the original frame is encapsulated and an additional header is added before the frame is carried over a trunk link. At the receiving end, the header is removed and the frame is forwarded to the assigned VLAN. This describes which technology?

A. DISL
B. ISL
C. DTP
D. IEEE 802.1Q
E. MPLS

 

Answer: B

Explanation

Unlike 8021.q, ISL keeps the original frame unchanged. It only adds another header to that frame before sending out over a trunk link. For more information about this difference, please read the explanations of Question 2 and Question 3 in the first VLAN Trunking Questions part.

Question 8

Which of the following trunking modes are unable to request their ports to convert their links into trunk links? (Choose two)

A. Negotiate
B. Designate
C. Nonegotiate
D. Auto
E. Manual
F. Off

 

Answer: C D

Explanation

The mode auto (dynamic auto) causes the device not to send DTP Request but wait for DTP Request from neighboring device.

By using and switchport mode trunk and switchport nonegotiate commands, we can enable trunking to a device that does not support DTP. But notice that the switchport nonegotiate command causes the device not to send DTP Request frames.

Therefore both “auto” and “nonegotiate” modes makes the switch not to send request (which is “unable to convert their links into trunk links”) -> C and D are correct.

Question 9

show_interfaces_trunk_topology.jpg

You administer the network shown above. You issue the show interfaces trunk command on SwitchA and receive the following output:

show_interfaces_trunk_command.jpg

Which of the following statements is true regarding VLAN 32?

A. VLAN 32 is not allowed on the trunk port.
B. VLAN 32 is not active on the switch.
C. Traffic from VLAN 32 is not being sent over the trunk port.
D. Traffic from VLAN 32 is not restricted to only the trunk ports that require it.

 

Answer: C

Explanation

In the “Vlans in spanning tree forwarding state and not pruned” VLAN 32 is not listed so we can conclude it is not in forwarding state or it is pruned. But with the above topology STP cannot block any port so we can deduce it is pruned.

Question 10

Which statement is true regarding the configuration of ISL trunks?

A. A Catalyst switch cannot have ISL and IEEE 802.1q trunks enabled.
B. All Catalyst switches support ISL trunking.
C. A Catalyst switch will report giants if one side is configured for ISL while the other side is not.
D. ISL trunking requires that native VLANs match.

Answer: C

Explanation

First you should know “giant” frames are frames that exceed the maximum IEEE 802.3 frame size (usually greater then 1518 bytes). As you know, ISL does not modify the original Ethernet frame it received but it adds another outer header. In particular, it uses a 26 byte header and 4 byte FCS (30 bytes in total).

ISL Header
(26 bytes)
Encapsulation Frame (Original Data) FCS
(4 bytes)

But a normal Ethernet frame itself can have a maximum size of 1518 bytes. Therefore an Ethernet frame can be up to 1518 + 30 = 1548 bytes, which creates a “giant”.

That is why both ends must be configured as ISL trunks because only ISL-aware devices are able to read it.

VLAN Trunking Questions 3

May 15th, 2014 certprepare 2 comments

Here you will find answers to VLAN Trunking Questions – Part 3

Question 1

Which configuration option will cause the link between two Cisco 3600 Series Multiservice Platforms to become a functional trunk?

A. switchport dynamic auto switchport dynamic auto
B. switchport access vlan 10
switchport mode dynamic desirable
C. switchport mode trunk switchport nonegotiate
D. Leave both ports with the default trunk settings.

 

Answer: D

Question 2

If you were to set up a VLAN trunk over a Fast Ethernet link on switch R1, which trunk mode would you set the local port to on R1 if you wanted it to respond to requests from its link partner (R2) and become a trunk?

A. Auto
B. Negotiate
C. Designate
D. Nonegotiate

 

Answer: A

Question 3

Which two statements are true about best practices in VLAN design? (Choose two)

A. Routing should occur at the access layer if voice VLANs are utilized. Otherwise, routing should occur at the distribution layer.
B. Routing may be performed at all layers but is most commonly done at the core and distribution layers.
C. Routing should not be performed between VLANs located on separate switches.
D. VLANs should be local to a switch.
E. VLANs should be localized to a single switch unless voice VLANs are being utilized.

 

Answer: B D

Question 4

You need to configure a new Company switch to support DTP. Which DTP switchport mode parameter sets the switch port to actively send and respond to DTP negotiation frames?

A. Access
B. Nonegotiate
C. Trunk
D. Dynamic desirable
E. Dynamic auto

 

Answer: D

Question 5

Refer to the exhibit.

native_VLAN_configurations.jpg

The link between switch SW1 and switch SW2 is configured as a trunk, but the trunk failed to establish connectivity between the switches. Based on the configurations and the error messages received on the console of SW1, what is the cause of the problem?

A. The two ends of the trunk have different duplex settings.
B. The two ends of the trunk have different EtherChannel configurations.
C. The two ends of the trunk have different native VLAN configurations.
D. The two ends of the trunk allow different VLANs on the trunk.

 

Answer: C

Explanation

As you can see in the configuration of two switches, the native VLAN on SW1 is set to 1 while the native VLAN on SW2 is set to 2. This will cause a “native VLAN mismatch” error and it looks like this:

#CDP-4-NATIVE VLAN_MISMATCH: Native VLAN mismatch discovered on Fa0/1 …

Remember the native VLAN must match on both sides of the trunk link for 802.1Q; otherwise the link will not work. Also, Spanning Tree Protocol (STP) will place the port in a port VLAN ID (PVID) inconsistent state and will not forward on the link.

Question 6

A standalone wireless AP solution is being installed into the campus infrastructure. The access points appear to boot correctly, but wireless clients are not obtaining correct access. You verify that this is the local switch configuration connected to the access point:

interface ethernet 0/1
switchport access vlan 10
switchport mode access
spanning-tree portfast
mls qos trust dscp

What is the most likely cause of the problem?

A. QoS trust should not be configured on a port attached to a standalone AP.
B. QoS trust for switchport mode access should be defined as “cos”.
C. switchport mode should be defined as “trunk” with respective QoS.
D. switchport access vlan should be defined as “1”.

 

Answer: C

Explanation

The link between the switch and access point should be configured as trunked link and set the encapsulation on the switch port to dot1q:

Switch(config)#interface ethernet 0/1
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk encapsulation dot1q

You can read more about how to configure the switch connected with an AP here: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml.

Question 7

Which statement about the configuration and application of port access control lists is true?

A. PACLs can be applied in the inbound or outbound direction of a Layer 2 physical interface.
B. At Layer 2, a MAC address PACL takes precedence over any existing Layer 3 PACL.
C. When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port.
D. PACLs are not supported on EtherChannel interfaces.

 

Answer: C

Explanation

When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs.

With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP access list and a MAC access list to the interface.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swacl.html#wp1174694)

Question 8

Given the configurations on SwitchA and SwitchB, which two statements are true? (Choose two)

switchport_mode_trunk_dot1q.jpg

A. The trunk is currently using the ISL trunking protocol
B. The trunk is currently using the 802.1q trunking protocol
C. By default, the trunk can only support one VLAN, and only that single VLAN is transmitted across the trunk
D. By default all VLANs will be transmitted across this trunk
E. By default, SwitchA and SwitchB’s FastEthernet 0/1 port will not generate DTP messages

 

Answer: B D

Explanation

The command “switchport trunk encapsulation dot1q” sets the trunking encapsulation format to IEEE 802.1Q-> B is correct.

By default all VLANs are allowed to transmitted across the trunk -> D is correct.

Note: The “switchport mode trunk” command enables trunking on the interface.

Question 9

Given the configurations on SwitchA and SwitchB, which statement is true?

switch_access_link.jpg

A. The link is set to auto-negotiate trunking, and it will automatically become a trunk link unless configured otherwise
B. The link is a trunking link and by default all VLANs will be transmitted across this link
C. The link is prevented from generating DTP frames, turning the Negotiation of Trunking off
D. The link is not a trunk link so both interfaces must be on the same VLAN and only that single VLAN is transmitted across the link

 

Answer: D

Explanation

First you should understand how this topology works:

When PC1 sends traffic to Sw_A, Sw_A realizes that PC1 belongs to VLAN 2 so it will forward out of its Gi0/1 port which also belongs to VLAN 2. On the other side, Sw_B receives this frame coming from its Gi0/1 port so it believes this frame belongs to VLAN 5. Sw_B will forward this frame out of its Fa0/1 which belongs to VLAN 5, too -> PC1 & PC2 can communicate without further configuration provided that they are in the same subnet (so they don’t need a Layer 3 device).

Answer D is not clear when stating “both interfaces must be on the same VLAN”. We are not sure of “both interfaces” means “both interfaces on two switches (two Gi0/1 interfaces)” or “both interfaces on the same switch (Fa0/1 & Gi0/1 of Sw_A or Sw_B)”. If it means “both interfaces on two switches (two Gi0/1 interfaces)” then answer D is obviously incorrect as two PCs can still communicate even though they are not in the same VLAN (VLAN 2 & 5 in this case). If it means “both interfaces on the same switch” (must be on the same VLAN) then answer D is acceptable.

Answer C is interesting, it raises a question: will DTP be sent with the “switchport mode access” on an interface? From some official books the answer is “yes, DTP is still sent out of this type of port”. For example check Table 2.9 of this link: http://www.ciscopress.com/articles/article.asp?p=1416303&seqNum=2:

switchport mode access: Never trunks; sends DTP to help other side reach same conclusion

Although some other resources say DTP would not be sent on this type of port but we should follow the official books -> Answer C is incorrect.

Question 10

By default, which statement is correct when an IEEE 802.1Q trunk port receives an untagged frame?

A. The frame is considered in the native VLAN and forwarded to the ports associated with that VLAN
B. The frame is encapsulated and tagged as in the native VLAN
C. The frame is broadcast on all ports regardless of VLAN association
D. The frame is dropped

 

Answer: A

VLAN Trunking Questions 4

May 15th, 2014 certprepare No comments

Here you will find answers to VLAN Trunking Questions – Part 4


Question 1

When a VLAN port configured as a trunk receives an untagged frame, what will happen?

A. The frame will be dropped
B. The frame will cause an error message to be sent
C. The frame will be processed as a native VLAN frame
D. The frame will first be tagged, then processed as a native VLAN frame

 

Answer: C

Question 2

Study the diagram below carefully, which three statements are true? (Choose three)

dtp_diagram

dtp

A – DTP packets are sent from Switch SB.
B – DTP is not running on Switch SA.
C – A trunk link will be formed.
D – The native VLAN for Switch SB is VLAN 1.

 

Answer: A C D

Explanation:

Dynamic Trunking Protocol (DTP) is the Cisco-proprietary that actively attempts to negotiate a trunk link between two switches. If an interface is set to switchport mode dynamic desirable, it will actively attempt to convert the link into trunking mode. If the peer port is configured as switchport mode trunk, dynamic desirable, or dynamic auto mode, trunking is negotiated successfully -> C is correct.

SB is in “dynamic desirable” mode so it will send DTP packets to SA to negotiate a trunk link -> A is correct.

On an 802.1Q trunk, DTP packets are sent on the native VLAN. By default, it is VLAN 1 (notice that SA’s native VLAN is 5) -> D is correct.

(Note: an 802.1Q trunk’s native VLAN is the only VLAN that has untagged frames)

Below is the switchport modes for easy reference:

Mode Function
Dynamic Auto Creates the trunk based on the DTP request from the neighboring switch.
Dynamic Desirable Communicates to the neighboring switch via DTP that the interface would like
to become a trunk if the neighboring switch interface is able to become a trunk.
Trunk Automatically enables trunking regardless of the state of the neighboring switch
and regardless of any DTP requests sent from the neighboring switch.
Access Trunking is not allowed on this port regardless of the state of the neighboring
switch interface and regardless of any DTP requests sent from the neighboring
switch.
Nonegotiate Prevents the interface from generating DTP frames. This command can be
used only when the interface switchport mode is access or trunk. You must
manually configure the neighboring interface as a trunk interface to establish a
trunk link.

 

 

 

InterVLAN Routing

May 15th, 2014 certprepare 2 comments

Here you will find answers to InterVLAN Routing questions

Question 1

Study the exhibit carefully. Both host stations are part of the same subnet but are in different VLANs. On the basis of the information presented in the exhibit, which statement is true about an attempt to ping from host to host?

samesubnetDifferentVLAN

A – Layer 3 device is needed for the ping command to be successful.
B – A trunk port will need to be configured on the link between SA and SB for the ping command to be successful.
C – The two different hosts will need to be in the same VLAN in order for the ping command to be successful.
D – The ping command will be successful without any further configuration changes.

 

Answer: D

Explanation

When PC1 sends traffic to SA, SA realizes that PC1 belongs to VLAN 2 so it will forward out of its Gi0/1 port which also belongs to VLAN 2. On the other side, SB receives this frame coming from its Gi0/1 port so it believes this frame belongs to VLAN 5. SB will forward this frame out of its Fa0/1 which belongs to VLAN 5, too -> PC1 & PC2 can communicate without further configuration provided that they are in the same subnet (so they don’t need a Layer 3 device).

Question 2

Based on the following exhibit, which problem is preventing users on VLAN 100 from pinging addresses on VLAN 200?

routing_interVLAN

A – Native VLAN mismatch.
B – Subinterfaces should be created on Fa0/7 and Fa0/8 on DLS1.
C – Trunking needs to be enabled.
D – The ip routing command is missing on DLS1.

 

Answer: D

Explanation

To allow communication between two VLANs, we need to enables Layer 3 routing on the switch with the “ip routing” command. Some flatforms are enabled by default but some are not.

Question 3

Based on the network diagram and routing table output in the exhibit, which one of these statements is true?

vlan10_20_routing

A – InterVLAN routing has been configured properly, and the workstations have connectivity to each other.
B – InterVLAN routing will not occur since no routing protocol has been configured.
C – Although interVLAN routing is not enabled, both workstations will have connectivity to each other.
D – Although interVLAN routing is enabled, the workstations will not have connectivity to each other.
E – None of the above.

 

Answer: A

Explanation

In the output we can see both VLAN10 and VLAN20 are shown up (as networks 10.1.1.0 and 10.2.2.0) so the routing has been configured properly. Notice that the “C” letter indicates that these networks are directly connected with the router.

Question 4

Study the following exhibit carefully, what is the reason that users from VLAN 100 can’t ping users on VLAN 200?

inter_Routing

A – IP routing needs to be enabled on the switch
B – Trunking needs to be enabled on Fa0/1
C – VLAN 1 needs the no shutdown command
D – The native VLAN is wrong

 

Answer: B

Explanation

The Fa0/1 interface on the switch is not configured with trunking mode. It needs to be configured as shown below:

SA(config)#interface Fa0/1
SA(config-if)#switchport mode trunk
SA(config-if)#switchport trunk encapsulation dot1q

Question 5

Assume that a host sends a packet to a destination IP address and that the CEF-based switch does not yet have a valid MAC address for the destination. How is the ARP entry (MAC address) of the next-hop destination in the FIB get?

A – The sending host must send an ARP request for it
B – All packets to the destination are dropped
C – The Layer 3 forwarding engine (CEF hardware) must send an ARP request for it
D – CEF must wait until the Layer 3 engine sends an ARP request for it

 

Answer: D

Explanation

If a valid MAC address for the destination is not found, the Layer 3 forwarding engine can’t forward the packet in hardware due to the missing Layer 2 next-hop address. Therefore the packet is sent to the Layer 3 Engine so that it can generate an ARP request (this is called the “CEF glean” state).

Question 6

CEF is a complete new routing switch technology . Which two table types are CEF components? (Choose two)

A – adjacency tables
B – caching tables
C – neighbor tables
D – forwarding information base

 

Answer: A D

Explanation

The two main components of CEF operation are:

+ Forwarding Information Base: is built from the Multilayer Switch’s routing table and is sorted to optimize searches.
+ Adjacency Tables: is built from Multilayer Switch’s ARP table. Nodes in the network are said to be adjacent if they can reach each other with a single hop across a link layer. In addition to the FIB, CEF uses adjacency tables to prepend Layer 2 addressing information. The adjacency table maintains Layer 2 next-hop addresses for all FIB entries.

CEF_ARP

Reference: http://www.cisco.com/c/en/us/support/docs/routers/12000-series-routers/47321-ciscoef.html.

Question 7

Refer to the exhibit.

show_ip_route_show_vlan_brief.jpg

Host A and Host B are connected to the Cisco Catalyst 3550 switch and have been assigned to their respective VLANs. The rest of the 3550 configuration is the default configuration. Host A is able to ping its default gateway, 10.10.10.1, but is unable to ping Host B. Given the output in the exhibit, which statement is true?

A. HSRP must be configured on SW1.
B. A separate router is needed to support inter-VLAN routing.
C. Interface VLAN 10 must be configured on the SW1 switch.
D. The global configuration command “ip routing” must be configured on the SW1 switch.
E. VLANs 10 and 15 must be created in the VLAN database mode.
F. VTP must be configured to support inter-VLAN routing.

 

Answer: D

Explanation

To enable routing on a Layer 3 switch first we have to use the ip routing command. From the output of “show vlan brief” command above, we learn that ports connected to hosts have been configured as access ports and assigned to VLAN 10 & 15. The missing thing here is only the “ip routing” command. Below lists the full configuration so that these two hosts can communicate.

ip routing
!
interface FastEthernet0/10
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/15
 switchport access vlan 15
 switchport mode access
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan15
 ip address 10.15.15.1 255.255.255.0

Question 8

Which three statements about routed ports on a multilayer switch are true? (Choose three)

A. A routed port can support VLAN subinterfaces.
B. A routed port takes an IP address assignment.
C. A routed port can be configured with routing protocols.
D. A routed port is a virtual interface on the multilayer switch.
E. A routed port is associated only with one VLAN.
F. A routed port is a physical interface on the multilayer switch.

 

Answer: B C F

Explanation

A routed port is a physical port on a switch, that acts like a normal port on a router. It supports all routing protocols and can take an IP address assignment. It does not however support VLAN subinterfaces and it is also not associated with a single VLAN. It is configured on a port connected to a router. To configure a port on a switch Layer 3 a routed port, enter the “no switchport” command under interface mode.

A switch virtual interface (SVI) is not considered a routed port. SVIs support both routing and switching protocols, while routed ports do not support any layer 2 protocols (like STP).

Question 9

Which two statements describe a routed switch port on a multilayer switch? (Choose two)

A. Layer 2 switching and Layer 3 routing are mutually supported.
B. The port is not associated with any VLAN.
C. The routed switch port supports VLAN subinterfaces.
D. The routed switch port is used when a switch has only one port per VLAN or subnet.
E. The routed switch port ensures that STP remains in the forwarding state.

 

Answer: B D

Explanation

A routed switch port on a Layer 3 switch is same as a port on a router. By default, ports on a multilayer switch will all be running in Layer 2 mode. To configure a port as a routed port, use the “no switchport” command. From now, the port is not associated with any VLAN -> B is correct.

Also like ports in a router, each port can only belongs to one VLAN or subnet -> D is correct.

Question 10

Refer to the exhibit.

Switch# show ip cef vlan 30 detail
IP CEF with switching (Table Version 11), flags=0x0
10 routes, 0 reresolve, 0 unresolved (0 old, 0 new), peak 0
13 leaves, 12 nodes, 14248 bytes, 14 inserts, 1 invalidations
0 load sharing elements, 0 bytes, 0 references
universal per-destination load sharing algorithm, id 4B936A24
2(0) CEF resets, 0 revisions of existing leaves
Resolution Timer: Exponential (currently 1s, peak 1s)
0 in-place/0 aborted modifications
refcounts: 1061 leaf, 1052 node
Table epoch: 0 (13 entries at this epoch)
10.1.30.0/24, version 6, epoch 0, attached, connected
0 packets, 0 bytes
via Vlan30,0 dependencies
valid glean adjacency

Which statement is true?

A. Cisco Express Forwarding load balancing has been disabled.
B. SVI VLAN 30 connects directly to the 10.1.30.0/24 network due to a valid glean adjacency.
C. VLAN 30 is not operational because no packet or byte counts are indicated.
D. The IP Cisco Express Forwarding configuration is capable of supporting IPv6.

 

Answer: B

Explanation

A glean adjacency entry indicates that a particular next hop should be directly connected, but there is no MAC header rewrite information available.

When a router is connected directly to several hosts, the FIB table on the router maintains a prefix for the subnet rather than for the individual host prefixes. The subnet prefix points to a glean adjacency. When packets need to be forwarded to a specific host, the adjacency database is gleaned for the specific prefix.

(A good resource: http://www.cisco.com/en/US/tech/tk827/tk831/technologies_white_paper09186a00800a62d9.shtml#express and http://www.cisco.com/c/en/us/support/docs/ip/express-forwarding-cef/13706-20.html)

InterVLAN Routing 2

May 15th, 2014 certprepare 2 comments

Here you will find answers to InterVLAN Routing questions – Part 2

Question 1

Refer to the exhibit.

Switch# configure terminal
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# switchport autostate exclude
Switch(config-if)# exit

You have configured an interface to be an SVI for Layer 3 routing capabilities. Assuming that all VLANs have been correctly configured, what can be determined?

A. Interface gigabitethemet0/2 will be excluded from Layer 2 switching and enabled for Layer 3 routing.
B. The command switchport autostate exclude should be entered in global configuration mode, not subinterface mode, to enable a Layer 2 port to be configured for Layer 3 routing.
C. The configured port is excluded in the calculation of the status of the SVI.
D. The interface is missing IP configuration parameters; therefore, it will only function at Layer 2.

 

Answer: C

Explanation

An SVI is considered “up” as long as at least one port in its associated VLAN is active and forwarding. If all ports in the VLAN are down, the interface goes down to avoid creating a routing black hole. You might not want the status of a particular port (one not connected to a host) to affect the SVI’s status. The switchport autostate exclude command enables you to exclude the access ports/trunks in defining the status of the SVI (up or down) even if it belongs to the same VLAN; for example when traffic analyzers are attached to a host. They will stay up, but are just passive monitors, so if all other devices in the VLAN go down – this port would prevent the VLAN from going down, so autostate exclude is applied to allow the VLAN to still go down.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/37sg/configuration/guides/l3_int.html)

Question 2

Which two steps are necessary to configure inter-VLAN routing between multilayer switches? (Choose two)

A. Configure a dynamic routing protocol.
B. Configure SVI interfaces with IP addresses and subnet masks.
C. Configure access ports with network addresses.
D Configure switch ports with the autostate exclude command.
E. Document the MAC addresses of the switch ports.

 

Answer: A B

Explanation

A multilayer switch can use a switched virtual interface (SVI) to provide inter-VLAN routing rather than use an external router.

When we have some multilayer switches (MLS) for inter-VLAN routing we should configure a dynamic routing protocol (OSPF is currently the most popular one). For example in the topology below:

interVLAN_routing_some_MLS_dynamic_routing.jpg

We have to configure interVLAN routing between VLAN 10 & 30 so that hosts attached to SW1 in VLAN 10 can talk to hosts attached to SW3 in VLAN 30. Of course we can use static routes but it is not recommended, especially when we add more Layer 3 Switches or more VLANs in the future.

Question 3

When configuring a routed port on a Cisco multilayer switch, which configuration task is needed to enable that port to function as a routed port?

A. Enable the switch to participate in routing updates from external devices with the router command in global configuration mode.
B. Enter the no switchport command to disable Layer 2 functionality at the interface level.
C. Each port participating in routing of Layer 3 packets must have an IP routing protocol assigned on a per-interface level.
D. Routing is enabled by default on a multilayer switch, so the port can become a Layer 3 routing interface by assigning the appropriate IP address and subnet information.

 

Answer: B

Question 4

Refer to the exhibit, which is from a Cisco Catalyst 3560 Series Switch.

Switch#configure terminal
Switch(config)#interface gigabitethernet0/2
Switch(config-if)#no switchport
Switch(config-if)#ip address 192.20.135.21 255.255.255.0
Switch(config-if)#no shutdown

Which statement about the Layer 3 routing functionality of the interface is true?

A. The interface is configured correctly for Layer 3 routing capabilities.
B. The interface needs an additional configuration entry to enable IP routing protocols.
C. Since the interface is connected to a host device, the spanning-tree portfast command must be added to the interface.
D. An SVI interface is needed to enable IP routing for network 192.20.135.0.

 

Answer: A

Question 5

Refer to the exhibit

InterVLAN_routing_SVIs.jpg

For the configuration shown, which is the recommended method of providing inter VLAN routing?

A. Determine which switch is the root bridge then connect a router on a stick to it
B. Configure SVIs on the core switches
C. Configure SVIs on the distribution switches
D. Configure SVIs on the access layer switches

 

Answer: C

Explanation

Cisco recommends using layer 3 routing at the distribution layer of the multilayer switched network to terminate local VLANS, isolate network problems, and avoid access layer issues from affecting the core -> SVIs should be configured on Distribution switches.

VTP Questions

May 14th, 2014 certprepare 4 comments

Here you will find answers to VTP Questions

Note: If you are not sure about VTP, please read my VTP tutorial and the VTP Flash tutorial by Cisco.

Question 1

Switch R1 and R2 both belong to the Company VTP domain. What’s true about the switch operation in VTP domains? (Choose two)

A. A switch can only reside in one management domain
B. A switch is listening to VTP advertisements from their own domain only
C. A switch is listening to VTP advertisements from multi domains
D. A switch can reside in one or more domains
E. VTP is no longer supported on Catalyst switches

 

Answer: A B

Explanation

A VTP domain (also called a VLAN management domain) is made up of one or more network devices that share the same VTP domain name and that are interconnected with trunks. A network device can be configured to be in one and only one VTP domain -> A is correct.

If the switch receives a VTP advertisement over a trunk link, it inherits the management domain name and the VTP configuration revision number. The switch ignores advertisements with a different management domain name or an earlier configuration revision number -> B is correct.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vtp.html)

Note: Just for your information, if a switch has not belonged to any VTP domain yet and it receives a VTP advertisement with a VTP domain (whose password is not set), it will join that domain automatically.

Question 2

How does VTP pruning enhance network bandwidth?

A. by restricting unicast traffic to across VTP domains
B. by reducing unnecessary flooding of traffic to inactive VLANs
C. by limiting the spreading of VLAN information
D. by disabling periodic VTP updates

 

Answer: B

Explanation

VTP Pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast frames on a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN.

The following example shows the operation of a VTP domain without and with VTP Pruning.

Without VTP Pruning:

VTP_Pruning_example.jpg

VTP domain without VTP Pruning

When PC A sends a broadcast frame on VLAN 10, it travels across all trunk links in the VTP domain. Switches Server, Sw2, and Sw3 all receive broadcast frames from PC A. But only Sw3 has user on VLAN 10 and it is a waste of bandwidth on Sw2. Moreover, that broadcast traffic also consumes processor time on Sw2. The link between switches Server and Sw2 does not carry any VLAN 10 traffic so it can be “pruned”.

VTP_Pruning_Enabled.jpg

VTP domain with VTP Pruning

-> B is correct.

Question 3

VTP devices in a network track the VTP revision number. What is a VTP configuration revision number?

A. A number for identifying changes to the network switch.
B. A number for identifying changes to the network router.
C. A number for identifying changes to the network topology.

 

Answer: C

Explanation

The answer to this question is unclear but acceptable. The answer “A number for identifying changes to the network router” is obviously incorrect. The answer “A number for identifying changes to the network switch” is also not correct because we can add a new switch to our topology without making change to our current revision number (lower revision number, different VTP domain, password…). So the most suitable answer should be “A number for identifying changes to the network topology”. But in fact we should understand VTP Revision number as “A number for identifying changes to the VLAN database”.

Question 4

VTP switches use advertisements to exchange information with each other. Which of the following advertisement types are associated with VTP? (Choose three)

A. Domain advertisements
B. Advertisement requests from clients
C. Subset advertisements
D. Summary advertisements

 

Answer: B C D

Explanation

All VTP packets contain these fields in the header:

* VTP protocol version: 1, 2, or 3
* VTP message types:
1) Summary advertisements (inform adjacent Catalysts of the current VTP domain name and the configuration revision number)
2) Subset advertisement (is sent following the summary advertisement and contains a list of VLAN information)
3) Advertisement requests (is needed in the case it is reset, the VTP domain name has been changed or it has received a VTP summary advertisement with a higher configuration revision than it own).

(For more information about these VTP types, please read: http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml)

4) VTP join messages (similar to the Advertisement request messages but with a different Message Type field value and a few more parameters, including VTP domain name, and a VLAN bit string. If the bit is set, flooded traffic for that VLAN should be received on that trunk. Each trunk port maintains a state variable per VLAN – Joined/Pruned. If the state is Joined, the trunk port is allowed to send broadcast and flooded unicast traffic on this VLAN. If the state is Pruned, the trunk port will not send the broadcast or flooded unicast traffic on this VLAN. VTP join messages are sent when the VTP Client first joins a VTP domain to inform the VTP Servers about its existence in that VTP domain).
* Management domain length
* Management domain name

Question 5

The lack of which two prevents VTP information from propagating between switches? (Choose two)

A. A root VTP server
B. A trunk port
C. VTP priority
D. VLAN 1

 

Answer: B D

Explanation

VTP advertisements only travel through trunk ports -> B is correct.

VLAN 1 is a special VLAN selected by design to carry specific information such as CDP (Cisco Discovery Protocol), VTP, PAgP and DTP. This is always the case and cannot be changed. Cisco recommends not to use VLAN 1 as a standard VLAN to carry network data. Therefore a switch needs VLAN 1 so that it can send VTP information. -> D is correct.

Question 6

Which two DTP modes will permit trunking between directly connected switches? (Choose two)

A. dynamic desirable (VTP domain A) to dynamic desirable (VTP domain A)
B. dynamic desirable (VTP domain A) to dynamic desirable (VTP domain B)
C. dynamic auto (VTP domain A) to dynamic auto (VTP domain A)
D. dynamic auto (VTP domain A) to dynamic auto (VTP domain B)
E. dynamic auto (VTP domain A) to nonegotiate (VTP domain A)
F. nonegotiate (VTP domain A) to nonegotiate (VTP domain B)

 

Answer: A F

Explanation

Below is the switchport modes for easy reference:

Mode Function
Dynamic Auto Creates the trunk based on the DTP request from the neighboring switch.
Dynamic Desirable Communicates to the neighboring switch via DTP that the interface would like
to become a trunk if the neighboring switch interface is able to become a trunk.
Trunk Automatically enables trunking regardless of the state of the neighboring switch
and regardless of any DTP requests sent from the neighboring switch.
Access Trunking is not allowed on this port regardless of the state of the neighboring
switch interface and regardless of any DTP requests sent from the neighboring
switch.
Nonegotiate Forces the port to permanently trunk but prevents the interface from generating
DTP frames. This command can be used only when the interface switchport mode
is access or trunk. You must manually configure the neighboring interface as a
trunk interface to establish a trunk link.

Note: If an interface is set to switchport mode dynamic desirable, it will actively attempt to convert the link into trunking mode. If the peer port is configured as switchport mode trunk, dynamic desirable, or dynamic auto mode, trunking is negotiated successfully -> A is correct.

B is not correct because 2 dynamic desirable mode in 2 different VTP domains cannot create a trunk link.

Dynamic auto waits to receive DTP from the neighbor so if 2 interfaces are set to this mode, none of them will receive DTP frames -> C and D are not correct.

A port in Nonegotiate mode can be set to access or trunk port mode but it will not send DTP. Dynamic auto also does not send DTP -> a trunk link cannot be created -> E is not correct.

Also, when setting ports to nonegotiate, that port will not send DTP. We can set both interfaces to trunk link -> a trunk link can be created between two different VTP domains -> F is correct.

Question 7

The Company switches are configured to use VTP. What’s true about the VLAN trunking protocol (VTP)? (Choose two)

A. VTP messages will not be forwarded over nontrunk links.
B. VTP domain names need to be identical. However, case doesn’t matter.
C. A VTP enabled device which receives multiple advertisements will ignore advertisements with higher configuration revision numbers.
D. A device in “transparent” VTP v.1 mode will not forward VTP messages.
E. VTP pruning allows switches to prune VLANs that do not have any active ports associated with them.

 

Answer: A D

Explanation

Answer A is obviously correct as VTP advertisements only travel through trunk ports.

VTP domain names are case-sensitive. That means the domain “certprepare” is different from “Certprepare”. There is no exception -> B is not correct.

A VTP enabled device which receives multiple advertisements will update (not ignore) advertisements with higher configuration revision numbers, provided that it has the same VTP domain name and password -> C is not correct.

Answer D is not clear. In VTP Version 1, a VTP transparent switch inspects VTP messages for the domain name and version and forwards a message only if the version and domain name match. Because VTP Version 2 supports only one domain, it forwards VTP messages in transparent mode without inspecting the version and domain name. So in this case we don’t have enough information to conclude about answer D.

Answer E is not clear too. VTP will prune VLANs on trunks connected to switches that do not have ports associated with the VLANs. I am not sure what Cisco wants to say in answer E.

But if we consider answer E to be incorrect then the best answers should be A and D.

VTP_Pruning_Enabled.jpg

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_50_se/configuration/guide/swvtp.html#wp1035121)

Question 8

The Company switches have all been upgraded to use VTP version 2. What are two benefits provided in VTP Version 2 that are not available in VTP Version 1? (Choose two)

A. VTP version 2 supports Token Ring VLANs.
B. VTP version 2 allows VLAN consistency checks.
C. VTP version 2 saves VLAN configuration memory.
D. VTP version 2 reduces the amount of configuration necessary.
E. The VTP version 2 allows active redundant links when used with spanning tree.

 

Answer: A B

Explanation

The major difference is that VTP V2 introduces support for Token Ring VLANs. If you use Token Ring VLANs, you must enable VTP V2 -> A is correct.

In VTP version 2, VLAN consistency checks (such as VLAN names and values) are performed only when you enter new information through the command-line interface (CLI) or Simple Network Management Protocol (SNMP). Consistency checks are not performed when new information is obtained from a VTP message or when information is read from NVRAM. If the digest on a received VTP message is correct, its information is accepted without consistency checks -> B is correct.

(Reference: http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml)

Question 9

Switch R1 is configured to use the VLAN Trunking Protocol (VTP). What does R1 advertise in its VTP domain?

A. The VLAN ID of all known VLANs, the management domain name, and the total number of trunk links on the switch.
B. The VLAN ID of all known VLANs, a 1-bit canonical format (CF1 Indicator), and the switch configuration revision number.
C. The management domain name, the switch configuration revision number, the known VLANs, and their specific parameters.
D. A 2-byte TPID with a fixed value of 0x8100 for the management domain number, the switch configuration revision number, the known VLANs, and their specific parameters.

 

Answer: C

Explanation

VTP advertises its management domain name, the switch configuration revision number, the known VLANs, and their specific parameters -> C is correct.

Note: IEEE 802.1Q VLAN (not VTP) tag uses the tag protocol identifier (TPID) field to identify the protocol type. The Default TPID value in IEEE 802.1Q, is 0x8100 -> D is not correct.

Question 10

Which two statements correctly describe VTP? (Choose two.)

A. Transparent mode always has a configuration revision number of 0.
B. Transparent mode cannot modify a VLAN database.
C. Client mode cannot forward received VTP advertisements.
D. Client mode synchronizes its VLAN database from VTP advertisements.
E. Server mode can synchronize across VTP domains.

 

Answer: A D

VTP Questions 2

May 13th, 2014 certprepare No comments

Here you will find answers to VTP Questions – Part 2

Question 1

What action should a network administrator take to enable VTP pruning on an entire management domain?

A. Enable VTP pruning on any switch in the management domain.
B. Enable VTP pruning on any client switch in the management domain.
C. Enable VTP pruning on a VTP server in the management domain.
D. Enable VTP pruning on every switch in the management domain.
E. Disable VTP pruning on a VTP server in the management domain.

 

Answer: C

Explanation

VTP pruning should only be enabled on VTP servers, all the clients in the VTP domain will automatically enable VTP pruning -> C is correct.

Question 2

What must be configured on a Cisco switch in order to advertise VLAN information?

A. VTP mode
B. VTP password
C. VTP revision number
D. VTP pruning
E. VTP domain name

 

Answer: E

Explanation

A Cisco switch needs a VTP domain name to advertise VLAN information to other switches and it must be configured on a Cisco switch.

Note: If a switch is configured as a VTP server without a VTP domain name, you cannot configure a VLAN on the switch

Question 3

Refer to the exhibit. VTP has been enabled on the trunk links between all switches within the Certprepare domain. An administrator has recently enabled VTP pruning. Port 1 on Switch 1 and port 2 on Switch 4 are assigned to VLAN 2. A broadcast is sent from the host connected to Switch 1. Where will the broadcast propagate?

VTP_pruning_broadcast.jpg

A. Every switch in the network receives the broadcast and will forward it out all ports.
B. Every switch in the network receives the broadcast, but only Switch 4 will forward it out port 2.
C. Switches 1, 2, and 4 will receive the broadcast, but only Switch 4 will forward it out port 2.
D. Only Switch 4 will receive the broadcast and will forward it out port 2.

 

Answer: C

Explanation

With VTP pruning enabled network-wide, switch 2 and switch 4 automatically use VTP to learn that none of the switches in the lower-left part of the figure have any ports assigned to VLAN 10. As a result, switch 2 and switch 4 prune VLAN 2 from the trunks connected to these switches. The pruning causes switch 2 and switch 4 to not send frames in VLAN 2 out these trunks -> Switches 3, 5 and 6 will not receive the broadcast while Switch 4 will receive it and forward out to port 2 -> C is correct.

Question 4

Switch R1 is part of the Company VTP domain. What’s true of VTP Pruning within this domain?

A. It does not prune traffic from VLANs that are pruning-ineligible
B. VLAN 1 is always pruning-eligible
C. It will prune traffic from VLANs that are pruning-ineligible
D. VLAN 2 is always pruning-ineligible

 

Answer: A

Explanation

VLAN 1 and VLANs 1002 to 1005 are always pruning-ineligible; traffic from these VLANs cannot be pruned. Extended-range VLANs (VLAN IDs greater than 1005) are also pruning-ineligible -> A is correct.

Question 5

Switch R1 has been configured with DTP using the desirable option. Which statement describes Dynamic Trunking Protocol (DTP) desirable mode?

A. The interface actively attempts to convert the link to a trunk link.
B. The interface is put into permanent trunking mode but prevented from generating DTP frames.
C. The interface is put into permanent trunking mode and negotiates to convert the link into a trunk link.
D. The interface is put into a passive mode, waiting to convert the link to a trunk link.

 

Answer: A

Explanation

Note: If an interface is set to switchport mode dynamic desirable, it will actively attempt to convert the link into trunking mode. If the peer port is configured as switchport mode trunk, dynamic desirable, or dynamic auto mode, trunking is negotiated successfully.

Question 6

Refer to the exhibit. What happens when the switch SW2 is connected to the rest of the network in the VTP domain Lab_Network?

VTP_show_vtp_status.jpg

A. The recently introduced switch SW2 adds one more VLAN to the VLAN database in the VTP domain.
B. The recently introduced switch SW2 creates a STP loop in the VTP domain.
C. The recently introduced switch SW2 removes all configured VLANs throughout the VTP domain.
D. The recently introduced switch SW2 switches over to VTP transparent mode in order to be included into the VTP domain.
E. A trunk should be configured between the two switches in order to integrate SW2 into the VTP domain.

 

Answer: C

Explanation

The Configuration Revision number of SW2 is higher than that of SW1 (147 > 47) and SW2 is operating in Client mode so it can send update to other switches. The result is SW1 and other switches in that VTP domain will remove their current VLAN information and copy VLAN information from SW2.

Question 7

What is the default VTP advertisement for subset advertisements in Catalyst switches that are in server or client mode?

A. 30 seconds
B. 5 minutes
C. 1 minute
D. 10 seconds
E. 5 seconds

 

Answer: B

Explanation

Subset advertisements list the specific changes that have been performed, such as creating or deleting a VLAN, suspending or activating a VLAN, changing the name of a VLAN, and changing a VLAN’s maximum transmission unit (MTU), status of the VLAN, VLAN type (such as Ethernet or Token Ring), length of the VLAN name, VLAN number, security association identifier (SAID) value. Summary advertisements are sent out every 300 seconds (5 minutes) by default.

Question 8

Two Company switches are connected via a trunk using VTP. Which VTP information does a Catalyst switch advertise on its trunk ports when using VTP? (Choose two)

A. STP root status
B. VTP mode
C. Negotiation status
D. Management domain
E. Configuration revision number

 

Answer: D E

Question 9

The network operations center has received a call stating that users in VLAN 107 are unable to access resources through Router 1. From the information contained in the graphic, what is the cause of this problem?

VTP_pruning_VLAN.jpg

A. VLAN 107 does not exist on switch A.
B. VTP is pruning VLAN 107.
C. VLAN 107 is not configured on the trunk.
D. Spanning tree is not enabled on VLAN 107.

 

Answer: B

Explanation

From the “VLANs in spanning tree forwarding state and not pruned” we can deduce that VLAN 107 is currently pruned on switch A.

Question 10

A switch that is to be added to the production network has been preconfigured (trunks, VLANs, VTP, and STP) and was tested in your lab. After installing the switch into the network, the entire network went down. What might explain what happened?

A. The new switch happened to be running Cisco Catalyst operating system, while the other network switches were running Cisco IOS Software.
B. The configuration revision of the new switch was higher than the configuration revision of the production VTP domain.
C. The link costs on the new switch are set to a high value, causing all ports on the new switch to go into a forwarding mode and none into blocking mode, thereby causing a spanning-tree loop.
D. The ports connecting to the two switches have been configured incorrectly. One side has the command switchport mode access and the other switchport mode trunk.

 

Answer: B

Explanation

If the configuration revision number of the new switch is higher than that of the rest of Cisco switches and it is in Client or Server mode with the same VTP domain then it can wipe out other switches’ VLAN information. This is a nightmare if you are working for a large company and it can make you to lose your job so please remember this: always set your newly added Cisco switch to VTP Transparent mode before plugging into your working network. This step also resets the Configuration Revision Number of that switch back to 0, which is safe to plug into your network.

VTP Questions 3

May 12th, 2014 certprepare No comments

Here you will find answers to VTP Questions – Part 3

Question 1

Which two statements correctly describe VTP? (Choose two)

A. Transparent mode always has a configuration revision number of 0.
B. Transparent mode cannot modify a VLAN database.
C. Client mode cannot forward received VTP advertisements.
D. Client mode synchronizes its VLAN database from VTP advertisements.
E. Server mode can synchronize across VTP domains.

 

Answer: A D

Explanation

When setting a switch to Transparent mode, the switch’s configuration revision number is automatically reset to 0 -> A is correct.

Not only client mode but server mode synchronize its VLAN database from VTP advertisements -> D is correct.

Question 2

The network administrator needs to enable VTP pruning within the network. What action should a network administrator take to enable VTP pruning on an entire management domain?

A – enable VTP pruning on every switch in the domain
B – enable VTP pruning on any client switch in the domain
C – enable VTP pruning on any switch in the management domain
D – enable VTP pruning on a VTP server in the management domain

 

Answer: D

Question 3

The network operations center has received a call stating that Users in VLAN 107 are unable to access resources through R1. From the information contained in the graphic, what is the cause of this problem?

vtp_pruning

vtp_pruning_output.jpg

A – spanning tree is not enabled on VLAN 107
B – VTP is pruning VLAN 107
C – VLAN 107 does not exist on switch SA
D – VLAN 107 is not configured on the trunk

 

Answer: B

Explanation:

“VLAN allowed on trunk” – Each trunk allows all VLANs by default. However, administrator can remove or add to the list by using the “switchport trunk allowed” command.

“VLANs allowed and active in management” – To be active, a VLAN must be in this list.

“VLANs in spanning tree forwarding state and not pruned” – This list is a subset of the “allowed and active” list but with any VTP-pruned VLANs removed.

All VLANs were configured except VLAN 101 so D is not correct. VLAN 107 exists in the “allowed and active” section so A and C are not correct, too. In the “forwarding state and not pruned” we don’t see VLAN 107 so the administrator had wrongly configured this VLAN as pruned.

 

STP Questions

May 10th, 2014 certprepare 3 comments

Here you will find answers to STP Questions

Question 1

Company uses MSTP within their switched LAN. What is the main purpose of Multiple Instance Spanning Tree Protocol (MSTP)?

A. To enhance Spanning Tree troubleshooting on multilayer switches
B. To reduce the total number of spanning tree instances necessary for a particular topology
C. To provide faster convergence when topology changes occur in a switched network
D. To provide protection for STP when a link is unidirectional and BPDUs are being sent but not received

 

Answer: B

Explanation

Instead of running an STP instance for every VLAN, MSTP runs a number of VLAN-independent STP instances. By allowing a single instance of STP to run for multiple VLANs, MSTP keeps the number of STP instances to minimum (saving switch resources) while optimizing Layer 2 switching environment (load balancing traffic to different paths for different VLANs.).

Question 2

Which of the following specifications will allow you to associate VLAN groups to STP instances so you can provide multiple forwarding paths for data traffic and enable load balancing?

A. IEEE 802.1d (STP)
B. IEEE 802.1s (MST)
C. IEEE 802.1q (CST)
D. IEEE 802.1w (RSTP)

 

Answer: B

Question 3

Refer to the exhibit. All network links are FastEthernet. Although there is complete connectivity throughout the network, Front Line users have been complaining that they experience slower network performance when accessing the Server Farm than the Reception office experiences. Based on the exhibit, which two statements are true? (Choose two)

bridge_priority_network_optimize.jpg

A. Changing the bridge priority of S1 to 4096 would improve network performance.
B. Changing the bridge priority of S1 to 36864 would improve network performance.
C. Changing the bridge priority of S2 to 36864 would improve network performance.
D. Changing the bridge priority of S3 to 4096 would improve network performance.
E. Disabling the Spanning Tree Protocol would improve network performance.
F. Upgrading the link between S2 and S3 to Gigabit Ethernet would improve performance.

 

Answer: B D

Explanation

All three switches have the same bridge priority (32768 – default value) and S1 has the lowest MAC -> S1 is the root bridge and all traffic must go through it -> Front Line Users (S2) must go through S1 to reach Server Farm (S3). To overcome this problem, S2 or S3 should become the root switch and we can do it by changing the bridge priority of S1 to a higher value (which lower its priority – answer B) or lower the bridge priority value (which higher its priority – answer D)

Question 4

Refer to the exhibit. Initially, LinkA is connected and forwarding traffic. A new LinkB is then attached between SwitchA and HubA. Which two statements are true about the possible result of attaching the second link? (Choose two)

STP_switch_loop_block.jpg

A. The switch port attached to LinkB will not transistion to up.
B. One of the two switch ports attached to the hub will go into blocking mode when a BPDU is received.
C. Both switch ports attached to the hub will transition to the blocking state.
D. A heavy traffic load could cause BPDU transmissions to be blocked and leave a switching loop.
E. The switch port attached to LinkA will immediately transition to the blocking state.

 

Answer: B D

Explanation

we know that there will have only one Designated port for each segment (notice that the two ports of SwitchA are on the same segment as they are connected to a hub). The other port will be in Blocking state. But how does SwitchA select its Designated and Blocking port? The decision process involves the following parameters inside the BPDU:

* Lowest path cost to the Root
* Lowest Sender Bridge ID (BID)
* Lowest Port ID

In this case, both interfaces of SwitchA have the same “path cost to the root” and “sender bridge ID” so the third parameter “lowest port ID” will be used. Suppose two interfaces of SwitchA are fa0/1 & fa0/2 then SwitchA will select fa0/1 as its Designated port (because fa0/1 is inferior to fa0/2) -> B is correct.

Suppose the port on LinkA (named portA) is in forwarding state and the port on LinkB (named portB) is in blocking state. In blocking state, port B still listens to the BPDUs. If the traffic passing through LinkA is too heavy and the BPDUs can not reach portB, portB will move to listening state (after 20 seconds for STP) then learning state (after 15 seconds) and forwarding state (after 15 seconds). At this time, both portA & portB are in forwarding state so a switching loop will occur -> D is correct.

Question 5

Refer to the exhibit. Switch S1 is running mst IEEE 802.1s. Switch S2 contains the default configuration running IEEE 802.1D. Switch S3 has had the command spanning-tree mode rapid-pvst running IEEE 802.1w. What will be the result?

STP_simple.jpg

A. IEEE 802.1D and IEEE 802.1w are incompatible. All three switches must use the same standard or no traffic will pass between any of the switches.
B. Switches S1, S2, and S3 will be able to pass traffic between themselves.
C. Switches S1, S2, and S3 will be able to pass traffic between themselves. However, if there is a topology change, Switch S2 will not receive notification of the change.
D. Switches S1 and S3 will be able to exchange traffic but neither will be able to exchange traffic with Switch S2

 

Answer: B

Explanation

A switch running both MSTP and RSTP supports a built-in protocol migration mechanism that enables it to interoperate with legacy 802.1D switches. If this switch receives a legacy 802.1D configuration BPDU (a BPDU with the protocol version set to 0), it sends only 802.1D BPDUs on that port. An MST switch can also detect that a port is at the boundary of a region when it receives a legacy BPDU, an MST BPDU (version 3) associated with a different region, or an RST BPDU (version 2).
However, the switch does not automatically revert to the MSTP mode if it no longer receives 802.1D BPDUs because it cannot determine whether the legacy switch has been removed from the link unless the legacy switch is the designated switch

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swmstp.html)

Question 6

Refer to the exhibit. Switch S2 contains the default configuration. Switches S1 and S3 both have had the command spanning-tree mode rapid-pvst issued on them. What will be the result?

STP_simple.jpg

A. IEEE 802.1D and IEEE 802.1w are incompatible. All three switches must use the same standard or no traffic will pass between any of the switches.
B. Switches S1, S2. and S3 will be able to pass traffic between themselves.
C. Switches S1, S2. and S3 will be able to pass traffic between themselves. However, if there is a topology change. Switch S2 will not receive notification of the change.
D. Switches S1 and S3 will be able to exchange traffic but neither will be able to exchange traffic with Switch S2.

 

Answer: B

Question 7

Which two statements are true when the extended system ID feature is enabled? (Choose two)

A. The BID is made up of the bridge priority value (2 bytes) and bridge MAC address (6 bytes).
B. The BID is made up of the bridge priority (4 bits), the system ID (12 bits), and a bridge MAC address (48 bits).
C. The BID is made up of the system ID (6 bytes) and bridge priority value (2 bytes).
D. The system ID value is the VLAN ID (VID).
E. The system ID value is a unique MAC address allocated from a pool of MAC addresses assigned to the switch or module.
F. The system ID value is a hex number used to measure the preference of a bridge in the spanning-tree algorithm.

 

Answer: B D

Explanation

In short, with the use of IEEE 802.1t spanning-tree extensions, some of the bits previously used for the switch priority are now used for the extended system ID

extended_system_id_stp.jpg

Only four high-order bits of the 16-bit Bridge Priority field carry actual priority. Therefore, priority can be incremented only in steps of 4096. In most cases, the Extended System ID holds the VLAN ID. For example, if our VLAN ID is 5 and we use the default bridge priority 32768 then the 16-bit Priority will be 32768 + 5 = 32773.

Note: The MAC address is reserved when the extended system ID feature is enabled.

Question 8

Which set of statements about Spanning Tree Protocol default timers is true?

A.
The hello time is 2 seconds.
The forward delay is 10 seconds.
The max_age timer is 15 seconds.

B.
The hello time is 2 seconds.
The forward delay is 15 seconds.
The max_age timer is 20 seconds.

C.
The hello time is 2 seconds.
The forward delay is 20 seconds.
The max_age timer is 30 seconds.

D.
The hello time is 5 seconds.
The forward delay is 10 seconds.
The max_age timer is 15 seconds.

E.
The hello time is 5 seconds.
The forward delay is 15 seconds.
The max_age timer is 20 seconds.

 

Answer: B

Explanation

There are several STP timers, as this list shows:

* Hello – The hello time is the time between each bridge protocol data unit (BPDU) that is sent on a port. This time is equal to 2 seconds (sec) by default, but you can tune the time to be between 1 and 10 sec.
* Forward delay – The forward delay is the time that is spent in the listening and learning state. This time is equal to 15 sec by default, but you can tune the time to be between 4 and 30 sec.
* Max age – The max age timer controls the maximum length of time that passes before a bridge port saves its configuration BPDU information. This time is 20 sec by default, but you can tune the time to be between 6 and 40 sec.

(Reference: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094954.shtml)

Question 9

Refer to the exhibit. Switch 15 is configured as the root switch for VLAN 10 but not for VLAN 20. If the STP configuration is correct, what will be true about Switch 15?

STP_forwarding.jpg

A. All ports will be in forwarding mode.
B. All ports in VLAN 10 will be in forwarding mode.
C. All ports in VLAN 10 will be in forwarding mode and all ports in VLAN 20 will be in blocking mode.
D. All ports in VLAN 10 will be in forwarding mode and all ports in VLAN 20 will be in standby mode.

 

Answer: B

Explanation

All ports on root bridge are designated ports, which are in forwarding state but notice in this case Switch 15 is the root switch for VLAN 10 -> all ports in VLAN 10 will be in forwarding state. We can not say anything about the modes of ports of Switch 15 in other VLANs.

Question 10

Refer to the exhibit. STP has been implemented in the network. Switch SW_A is the root switch for the default VLAN. To reduce the broadcast domain, the network administrator decides to split users on the network into VLAN 2 and VLAN 10. The administrator issues the command spanning-tree vlan 2 root primary on switch SW_A. What will happen as a result of this change?

STP_root.jpg

A. All ports of the root switch SW_A will remain in forwarding mode throughout the reconvergence of the spanning tree domain.
B. Switch SW_A will change its spanning tree priority to become root for VLAN 2 only.
C. Switch SW_A will remain root for the default VLAN and will become root for VLAN 2.
D. No other switch in the network will be able to become root as long as switch SW_A is up and running.

 

Answer: C

Explanation

This command sets the switch to become root for a given VLAN. It works by lowering the priority of the switch until it becomes root. Once the switch is root, it will not prevent any other switch from becoming root. In particular, if the current root bridge is greater than 24576 then our switch will drop to 24576. If the current root bridge is less than 24576, our new bridge priority will be (Priority value of the current root bridge – 4096).

This command does not affect other VLAN so SW_A will remain root for the default VLAN -> C is correct.

Note: This command is not shown in a Catalyst switch configuration because the command is actually a macro executing other switch commands.

STP Questions 2

May 10th, 2014 certprepare 3 comments

Here you will find answers to STP Questions – Part 2

Question 1

Refer to the exhibit. Based on the output of the show spanning-tree command, which statement is true?

STP_show_spanning-tree.jpg

A. Switch SW1 has been configured with the spanning-tree vlan 1 root primary global configuration command.
B. Switch SW1 has been configured with the spanning-tree vlan 1 root secondary global configuration command.
C. Switch SW1 has been configured with the spanning-tree vlan 1 priority 24577 global configuration command.
D. Switch SW1 has been configured with the spanning-tree vlan 1 hello-time 2 global configuration command.
E. The root bridge has been configured with the spanning-tree vlan 1 root secondary global configuration command.

 

Answer: B

Explanation

The command “spanning-tree vlan 1 root secondary” sets its bridge ID to a value which is higher than the current root bridge but lower than other switches in the network -> If the current root bridge fails, Sw1 will become the root bridge.

If no priority has been configured, every switch will have the same default priority of 32768. Assuming all other switches are at default priority, the spanning-tree vlan vlan-id root primary command sets a value of 24576. Also, assuming all other switches are at default priority, the spanning-tree vlan vlan-id root secondary command sets a value of 28672.

In this question, the bridge priority of Sw1 is 28673, not 28672 because the extended system ID (indicated as sys-id-ext) is 1, indicating this is the STP instance for VLAN 1. In fact, the bridge priority is 28672.

Question 2

Refer to the exhibit. On the basis of the output of the show spanning-tree inconsistentports command, which statement about interfaces FastEthernet 0/1 and FastEthernet 0/2 is true?

show_spanning-tree_inconsistentports.jpg

A. They have been configured with the spanning-tree bpdufilter disable command.
B. They have been configured with the spanning-tree bpdufilter enable command.
C. They have been configured with the spanning-tree bpduguard disable command.
D. They have been configured with the spanning-tree bpduguard enable command.
E. They have been configured with the spanning-tree guard loop command.
F. They have been configured with the spanning-tree guard root command.

 

Answer: F

Explanation

We can configure the root guard feature to prevent unauthorized switches from becoming the root bridge. When you enable root guard on a port, if that port receives a superior BPDU, instead of believing the BPDU, the port goes into a root-inconsistent state. While a port is in the root-inconsistent state, no user data is sent across it. However, after the superior BPDUs stop, the port returns to the forwarding state.

STP_simple.jpg

For example, in the topology above suppose S1 is the current root bridge. If a hacker plugs a switch on S3 which sends superior BPDUs then it will become the new root bridge, this will also change the traffic path and may result in a traffic jam. By enabling root guard on S1 port which is connected to S3 port, if spanning-tree calculations cause an interface to be selected as the root port, the interface transitions to the root-inconsistent (blocked) state instead to prevent the hacker’s switch from becoming the root switch or being in the path to the root.

Question 3

Refer to the exhibit. What information can be derived from the output?

STP_show_spanning-tree_inconsistentports.jpg

A. Devices connected to interfaces FastEthemet3/1 and FastEthemet3/2 are sending BPDUs with a superior root bridge parameter and no traffic is forwarded across the ports. Once inaccurate BPDUs have been stopped, the interfaces will need to be administratively shut down, and brought back up, to resume normal operation.
B. Devices connected to interfaces FastEthemet3/1 and FastEthernet3/2 are sending BPDUs with a superior root bridge parameter, but traffic is still forwarded across the ports.
C. Devices connected to interfaces FastEthemet3/1 and FastEthemet3/2 are sending BPDUs with a superior root bridge parameter and no traffic is forwarded across the ports. Once inaccurate BPDUs have been stopped, the interfaces automatically recover and resume normal operation.
D. Interfaces FastEthemet3/1 and FastEthemet3/2 are candidate for becoming the STP root port, but neither can realize that role until BPDUs with a superior root bridge parameter are no longer received on at least one of the interfaces.

 

Answer: C

Explanation

Same explanation as question 2.

Question 4

Which statement is correct about RSTP port roles?

A. The designated port is the switch port on every nonroot bridge that is the chosen path to the root bridge. There can be only one designated port on every switch. The designated port assumes the forwarding state in a stable active topology. All switches connected to a given segment listen to all BPDUs and determine the switch that will be the root switch for a particular segment.
B. The disabled port is an additional switch port on the designated switch with a redundant link to the segment for which the switch is designated. A disabled port has a higher port 10 than the disabled port on the designated switch. The disabled port assumes the discarding state in a stable active topology.
C. The backup port is a switch port that offers an alternate path toward the root bridge. The backup port assumes a discarding state in a stable, active topology. The backup port will be present on nondesignated switches and will make a transition to a designated port if the current designated path fails.
D. The root port is the switch port on every nonroot bridge that is the chosen path to the root bridge. There can be only one root port on every switch. The root port assumes the forwarding state in a stable active topology.

 

Answer: D

Explanation

To learn about RSTP port roles, please read my RSTP tutorial.

Question 5

How are STP timers and state transitions affected when a topology change occurs in an STP environment?

A. All ports will temporarily transition to the learning state for a period equal to the max age timer plus the forward delay interval.
B. All ports will transition temporarily to the learning state for a period equal to the forward delay interval.
C. The default aging time for MAC address entries will be reduced for a period of the max age timer plus the forward delay interval.
D. The default hello time for configuration BPDUs will be reduced for the period of the max age timer.

 

Answer: C (but the wording may cause you to misunderstand)

Explanation

If a switch stops receiving Hellos, it means that there is a failure in the network. The switch will initiate the process of changing the Spanning-tree topology. The process requires the use of 3 STP timers:
* Hello – the time between each bridge protocol data unit (BPDU) that is sent on a port. This time is equal to 2 seconds (sec) by default, but you can tune the time to be between 1 and 10 sec.
* Forward delay – the time that is spent in the listening and learning state. This time is equal to 15 sec by default, but you can tune the time to be between 4 and 30 sec.
* Max age – maximum length of time a BPDU can be stored without receiving an update.. This time is 20 sec by default, but you can tune the time to be between 6 and 40 sec.

Max Age is the time that a bridge stores a BPDU before discarding it.

Switches (Bridges) keep its MAC address table entries for 300 seconds (5 minutes, known as aging time), by default. When a network topology change happens, the Switch (Bridge) temporarily lowers the aging time to the same as the forward delay time (15 seconds) to relearn the MAC address changes happened because of topology change.

This is important because normally only after five minutes an entry is aged out from the MAC address table of the switch and the network devices could be unreachable for up to 5 minutes. This is known as a black hole because frames can be forwarded to a device, which is no longer available.

Notice that shortening the aging time to 15 seconds does not flush the entire table, it just accelerates the aging process. Devices that continue to “speak” during the 15-second age-out period never leave the bridging table.

Therefore in this question, to be clearer answer C should state “The default aging time for MAC address entries will be reduced to forward_delay time for a period of the max age timer plus the forward delay interval.”

(Reference: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094797.shtml)

Question 6

Refer to the exhibit. The command spanning-tree guard root is configured on interface Gi0/0 on both switch S2 and S5. The global configuration command spanning-tree uplinkfast has been configured on both switch S2 and S5. The link between switch S4 and S5 fails. Will Host A be able to reach Host B?

STP_spanning-tree_root_guard.jpg

A. Fifty percent of the traffic will successfully reach Host B, and fifty percent will dead-end at switch S3 because of a partial spanning-tree loop.
B. No. Traffic will pass from switch S6 to S2 and dead-end at S2.
C. No. Traffic will loop back and forth between switch S6 and Host A.
D. No. Traffic will loop back and forth between switches S2 and S3.
E. Yes. Traffic will pass from switch S6 to S2 to S1.

 

Answer: E

Explanation

First we should understand about UpLinkFast.

STP_simple.jpg

Suppose S1 is the root bridge in the topology above. S3 is connected to S1 via two paths: one direct path and another goes through S2. Suppose the port directly connected to S1 is root port -> port connected to S2 will be in Blocking state. If the primary link goes down, the blocked port will need about 50 seconds to move from Blocking -> Listening -> Learning -> Forwarding to be used.

To shorten the downtime, a feature called Uplink Fast can be used. When the primary (root) link fails, another blocked link can be brought up immediately for use. When UplinkFast is enabled, it is enabled for the entire switch and all VLANs. It cannot be enabled for individual VLANs.

In this question, the Root Guard feature has been enabled on Gi0/0 of S2 & S5 so these two Gi0/0 ports cannot be root ports and cannot forward traffic -> the link between S2 & S6 must be used.

Note: The idea of Uplink Fast is based on blocked ports which are possible to become a root port. Therefore the Uplink Fast feature is not allowed on the root bridge -> S2 & S5 cannot be root bridges in this case.

 

Question 7

Refer to the exhibit. The command spanning-tree guard root is configured on interface Gi0/0 on both switch S2 and S5. The global configuration command spanning-tree uplinkfast has been configured on both switch S2 and S5. The link between switch S4 and S5 fails. Will Host A be able to reach Host B?

STP_spanning-tree_uplinkfast.jpg

A. Yes. Traffic can pass either from switch S6 to S3 to S2 to S1, or, from switch S6 to S5 to S2 to S1.
B. No. Traffic will pass from switch S6 to S5 and dead-end at interface Gi0/0.
C. No. Traffic will loop back and forth between switch S5 and S2.
D. Yes. Traffic will pass from switch S6 to S3 to S2 to S1.
E. No. Traffic will either pass from switch S6 to S5 and dead-end, or traffic will pass from switch S6 to S3 to S2 and dead-end.

 

Answer: D

Explanation

Same explanation as Question 6. When the link between S4 – S5 goes down, Gi0/0 on S5 cannot become root port because of Root Guard feature on it. But maybe Host A can’t reach host B in the first 15 seconds after the link between S4 & S5 fails by default. It is the time for S5 to clear the MAC address table (please read the explanation of Question 5 for more detail).

Question 8

Which two statements about the various implementations of STP are true? (Choose two)

A. Common Spanning Tree maintains a separate spanning-tree instance for each VLAN configured in the network.
B. The Spanning Tree Protocol (STP) is an evolution of the IEEE 802.1w standard.
C. Per-VLAN Spanning Tree (PVST) supports 802.1Q trunking.
D. Per-VLAN Spanning Tree Plus (PVST+) is an enhancement to 802.1Q specification and is supported only on Cisco devices.
E. Rapid Spanning Tree Protocol (RSTP) includes features equivalent to Cisco PortFast, UplinkFast, and BackboneFast for faster network reconvergence.
F. Multiple Spanning Tree (MST) assumes one spanning-tree instance for the entire Layer 2 network, regardless of the multiple number of VLANs.

 

Answer: D E

Explanation

Common Spanning Tree only uses one spanning-tree instance for all VLANs in the network -> A is not correct.

Rapid Spanning Tree Protocol (RSTP; IEEE 802.1w) can be seen as an evolution of the 802.1D standard more than a revolution. The 802.1D terminology remains primarily the same. Most parameters have been left unchanged so users familiar with 802.1D can rapidly configure the new protocol comfortably -> B is not correct.

Per-VLAN spanning tree protocol plus (PVST+) is a Cisco proprietary protocol that expands on the Spanning Tree Protocol (STP) by allowing a separate spanning tree for each VLAN. Cisco first developed this protocol as PVST, which worked with the Cisco ISL trunking protocol, and then later developed PVST+ which utilizes the 802.1Q trunking protocol. PVST+ allows interoperability between CST and PVST in Cisco switches -> C is not correct but D is correct.

RSTP significantly reduces the time to reconverge the active topology of the network when changes to the physical topology or its configuration parameters occur. RSTP supports Edge Ports (similar to PortFast), UplinkFast, and BackboneFast for faster network reconvergence. Rapid Spanning Tree Protocol (RSTP) can also revert back to 802.1D STP for interoperability with older switches and existing infrastructures -> E is correct.

Multiple Spanning Tree can map one or more VLANs to a single STP instance. Multiple instances of STP can be used (hence the name MST), with each instance supporting a different group of VLANs. For example, instead of creating 50 STP separate STP instances for 50 VLANs, we can create only 2 STP instances – each for 25 VLANs. This helps saving switch resources -> F is not correct.

Question 9

Given the diagram and assuming that STP is enabled on all switch devices, which two statements are true? (Choose two)

root_bridge_elect.jpg

A. DSW11 will be elected the root bridge.
B. DSW12 will be elected the root bridge.
C. ASW13 will be elected the root bridge.
D. P3/1 will be elected the nondesignated port.
E. P2/2 will be elected the nondesignated port.
F. P3/2 will be elected the nondesignated port.

 

Answer: A D

Explanation

If all the switches are turned on at the same time, DSW11 will win the election and become Root Bridge because it has lowest Bridge ID (including Bridge Priority and MAC address) so all of its ports are Designated Port (forwarding state).

Also P2/1, P3/2 and P4/1 become Root Ports because they are closest to the Root Bridge (in terms of path cost) for each switch.

P3/1 will be Nondesignated (Blocked) Port because P1/2 must be a Designated Port (of course P1/2 advertises better BPDU, in other words better Bridge ID, than P3/1).

root_bridge_elect_explained.jpg

Question 10

Which two RSTP port roles include the port as part of the active topology? (Choose two)

A. root
B. designated
C. alternate
D. backup
E. forwarding
F. learning

 

Answer: A B

Explanation

A port with the root or a designated port role is included in the active topology. A port with the alternate or backup port role is excluded from the active topology. That means when you draw a topology to show the traffic flow, only root and designated port role would be included in your topology.

(Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-2_44_se/configuration/guide/3550SCG/swmstp.html#wp1071141)

STP Questions 3

May 10th, 2014 certprepare 2 comments

Here you will find answers to STP Questions – Part 3

Question 1

What is the result of entering the command spanning-tree loopguard default?

A. The command enables both loop guard and root guard.
B. The command changes the status of loop guard from the default of disabled to enabled.
C. The command activates loop guard on point-to-multipoint links in the switched network.
D. The command will disable EtherChannel guard.

 

Answer: B

Explanation

This command is used in global configuration mode to enable loop guard on all ports of a given switch. To disable it, use the “no” keyword at the beginning of this command.

Question 2

Refer to the exhibit. The service provider wants to ensure that switch S1 is the root switch for its own network and the network of the customer. On which interfaces should root guard be configured to ensure that this happens?

STP_root_guard.jpg

A. interfaces 1 and 2
B. interfaces 1,2,3, and 4
C. interfaces 1, 3, 5, and 6
D. interfaces 5 and 6
E. interfaces 5, 6, 7, and 8
F. interfaces 11 and 12

 

Answer: D

Explanation

Let’s see what will happen if we set port 5 & 6 as “root guard” ports:

First, notice that the “root guard” command cannot be used on root switch (because this command is based on blocked port – while a root switch can’t have a blocked port -> two middle switches cannot become root bridges.

Moreover, the neighbor switch which has its port connected with this “root guard” port can’t be the root bridge. For example if we configure port 6 as “root guard” port, the left-bottom switch (the switch with ports 3, 4) can’t be root bridge because that will make port 6 root port. Therefore by configuring port 5 & 6 as “root guard” ports, two switches in the “Customer network” cannot become root bridge.

Note: Root guard should be enabled on the ports (on the Network Provider side) which are connected to the customer network where a hacker can easily exploit. In this question, root guard should be placed on port 5 & 6 to prevent customer’s switches try to become root switches. We can’t use Root guard on ports 7 & 8 because this feature is only used on designated ports, and it does not allow the port to become non-designated.

Question 3

Examine the diagram. A network administrator has recently installed the above switched network using 3550s and would like to control the selection of the root bridge. Which switch should the administrator configure as the root bridge and which configuration command must the administrator enter to accomplish this?

root_bridge_elect.jpg

A. DSW11(config)# spanning-tree vlan 1 priority 4096
B. DSW12(config)# set spanning-tree priority 4096
C. ASW13(config)# spanning-tree vlan 1 priority 4096
D. DSW11(config)# set spanning-tree priority 4096
E. DSW12(config)# spanning-tree vlan 1 priority 4096
F. ASW13(config)# set spanning-tree priority 4096

 

Answer: E

Explanation

First, only switches in Distribution section should become root bridge -> only DSW11 or DSW12 should be chosen.

The traffic passing root bridge is always higher than other switches so we should choose switch with highest speed connection to be root bridge -> DSW12 with two 100Mbps connections should be chosen.

Also, the correct command to change priority value for a specific VLAN is spanning-treee vlan VLAN-ID priority Priority-number.

Question 4

What must be the same to make multiple switches part of the same Multiple Spanning Tree (MST)?

A. VLAN instance mapping and revision number
B. VLAN instance mapping and member list
C. VLAN instance mapping, revision number, and member list
D. VLAN instance mapping, revision number, member list, and timers

 

Answer: A

Explanation

MST maps multiple VLANs that have the same traffic flow requirements into the same spanning-tree instance. The main enhancement introduced by MST raises the problem, however, of determining what VLAN is to be associated with what instance. More precisely, based on received BPDUs, devices need to identify these instances and the VLANs that are mapped to the instance.

To be part of a common MST region, a group of switches must share the same configuration attributes. In particular, the configuration name (or region name – 32 bits), revision number (16 bits), and VLAN mapping (associate VLANs with spanning-tree instances) need to be the same for all the switches within the same region.

An example of configuring MST on a switch is shown below:

Configuration Description
Switch(config)# spanning-tree mode mst Turn on MST (and RSTP) on this switch
Switch(config)# spanning-tree mst configuration Enter MST configuration submode
Switch(config-mst)# name certprepare Name MST instance
Switch(config-mst)# revision 5 Set the 16-bit MST revision number. It is not incremented automatically when you commit a new MST configuration.
Switch(config-mst)#instance 1 vlan 5-10 Map instance with respective VLANs
Switch(config-mst)#instance 2 vlan 11-15  

Question 5

Which three items are configured in MST configuration submode? (Choose three)

A. Region name
B. Configuration revision number
C. VLAN instance map
D. IST STP BPDU hello timer
E. CST instance map
F. PVST+ instance map

 

Answer: A B C

Explanation

Same as Question 4.

Question 6

Which three statements about the MST protocol (IEEE 802.1S) are true? (Choose three)

A. To verify the MST configuration, the show pending command can be used in MST configuration mode.
B. When RSTP and MSTP are configured; UplinkFast and BackboneFast must also be enabled.
C. All switches in the same MST region must have the same VLAN-to-instance mapping, but different configuration revision numbers.
D. All switches in an MST region, except distribution layer switches, should have their priority lowered from the default value 32768.
E. An MST region is a group of MST switches that appear as a single virtual bridge to adjacent CST and MST regions.
F. Enabling MST with the “spanning-tree mode mst” global configuration command also enables RSTP.

 

Answer: A E F

Explanation

The show pending command can be used to verify the MST configuration (pending configuration). An example of this command is shown below:

MST_show_pennding.jpg

Note:

The above commands do these tasks:
+ Enter MST configuration mode
+ Map VLANs 10 to 20 to MST instance 1
+ Name the region certprepare
+ Set the configuration revision to 1
+ Display the pending configuration
+ Apply the changes, and return to global configuration mode

The MST region appears as a single bridge to spanning tree configurations outside the region -> a MST region appears as a single virtual bridge to adjacent CST and MST regions -> E is correct.

By enabling MST you also enable RSTP because MST relies on the RSTP configuration to operate -> F is correct.

Question 7

Which two statements concerning STP state changes are true? (Choose two)

A. Upon bootup, a port transitions from blocking to forwarding because it assumes itself as root.
B. Upon bootup, a port transitions from blocking to listening because it assumes itself as root.
C. Upon bootup, a port transitions from listening to forwarding because it assumes itself as root.
D. If a forwarding port receives no BPDUs by the max_age time limit, it will transition to listening.
E. If a forwarding port receives an inferior BPDU, it will transition to listening.
F. If a blocked port receives no BPDUs by the max_age time limit, it will transition to listening.

 

Answer: B F

Question 8

Which statement correctly describes the Cisco implementation of RSTP?

A. PortFast, UplinkFast, and BackboneFast specific configurations are ignored in Rapid PVST mode.
B. RSTP is enabled globally and uses existing STP configuration.
C. Root and alternative ports transition immediately to the forwarding state.
D. Convergence is improved by using sub-second timers for the blocking, listening, learning, and forwarding port states.

 

Answer: B

Explanation

To turn on RSTP, use this command in global configuration mode:

Switch(config)# spanning-tree mode mst

Note: This command turn on both MST & RSTP.

Question 9

The network administrator maps VLAN 10 through 20 to MST instance 2. How will this information be propagated to all appropriate switches?

A. Information will be carried in the RSTP BPDUs.
B. It will be propagated in VTP updates.
C. Information stored in the Forwarding Information Base and the switch will reply on query.
D. Multiple Spanning Tree must be manually configured on the appropriate switches.

 

Answer: D

Question 10

Which MST configuration statement is correct?

A. MST configurations can be propagated to other switches using VTP.
B. After MST is configured on a Switch, PVST+ operations will also be enabled by default.
C. MST configurations must be manually configured on each switch within the MST region.
D. MST configurations only need to be manually configured on the Root Bridge.
E. MST configurations are entered using the VLAN Database mode on Cisco Catalyst switches.

 

Answer: C

STP Questions 4

May 10th, 2014 certprepare No comments

Here you will find answers to STP Questions – Part 4

Question 1

While logged into a Company switch you issue the following command:

CompanySwitch(config-mst)#instance 10 vlan 11-12

What does this command accomplish?

A. It enables a PVST+ instance of 10 for vlan 11 and vlan 12
B. It enables vlan 11 and vlan 12 to be part of the MST region 10
C. It maps vlan 11 and vlan 12 to the MST instance of 10.
D. It creates an Internal Spanning Tree (IST) instance of 10 for vlan 11 and vlan 12
E. It create a Common Spanning Tree (CST) instance of 10 for vlan 11 and vlan 12
F. It starts two instances of MST, one instance for vlan 11 and another instance for vlan 12.

 

Answer: C

Explanation

MST maps multiple VLANs that have the same traffic flow requirements into the same spanning-tree instance. The main enhancement introduced by MST raises the problem, however, of determining what VLAN is to be associated with what instance. More precisely, based on received BPDUs, devices need to identify these instances and the VLANs that are mapped to the instance.

An example of configuring MST on a switch is shown below:

Configuration Description
Switch(config)# spanning-tree mode mst Turn on MST (and RSTP) on this switch
Switch(config)# spanning-tree mst configuration Enter MST configuration submode
Switch(config-mst)# name certprepare Name MST instance
Switch(config-mst)# revision 5 Set the 16-bit MST revision number. It is not incremented automatically when you commit a new MST configuration.
Switch(config-mst)#instance 1 vlan 5-10 Map instance 1 with respective VLANs (VLAN 5 to 10)
Switch(config-mst)#instance 2 vlan 11-15 Map instance 2 with respective VLANs (VLAN 11 to 15)

Note: To be part of a common MST region, a group of switches must share the same configuration attributes. In particular, the configuration name (or region name – 32 bits), revision number (16 bits), and VLAN mapping (associate VLANs with spanning-tree instances) need to be the same for all the switches within the same region.

Question 2

By default, all VLANs will belong to which MST instance when using Multiple STP?

A. MST00
B. MST01
C. the last MST instance configured
D. none

 

Answer: A

Explanation

By default, all VLANs are assigned to MST instance 0. Instance 0 is known as the Internal Spanning-Tree (IST), which is reserved for interacting with other Spanning-Tree Protocols (STPs) and other MST regions.

Question 3

What will occur when a nonedge switch port that is configured for Rapid Spanning Tree does not receive a BPDU from its neighbor for three consecutive hello time intervals?

A. RSTP information is automatically aged out.
B. The port sends a TCN to the root bridge.
C. The port moves to listening state,
D. The port becomes a normal spanning tree port.

 

Answer: A

Explanation

In STP 802.1D, a non-root bridge only generates BPDUs when it receives one on the root port. But in RSTP 802.1w, a bridge sends a BPDU with its current information every hello-time seconds (2 by default), even if it does not receive any from the root bridge. Also, on a given port, if hellos are not received three consecutive times, protocol information can be immediately aged out (or if max_age expires). Because of the previously mentioned protocol modification, BPDUs are now used as a keep-alive mechanism between bridges. A bridge considers that it loses connectivity to its direct neighbor root or designated bridge if it misses three BPDUs in a row. This fast aging of the information allows quick failure detection. If a bridge fails to receive BPDUs from a neighbor, it is certain that the connection to that neighbor is lost. This is opposed to 802.1D where the problem might have been anywhere on the path to the root.

(Reference: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_white_paper09186a0080094cfa.shtml)

Question 4

A port in a redundant topology is currently in the blocking state and is not receiving BPDUs. To ensure that this port does not erroneously transition to the forwarding state, which command should be configured to satisfy the requirement?

A. Switch(config)#spanning-tree loopguard default
B. Switch(config-if)#spanning-tree bpdufilter
C. Switch(config)#udld aggressive
D. Switch(config-if)#spanning-tree bpduguard

 

Answer: A

Explanation

Loop guard prevents alternate or root ports from becoming the designated port due to a failure that could lead to a unidirectional link. An example is shown below:

STP_loop_guard.jpg

Suppose S1 is the root bridge. S3’s port connected with S2 is currently blocked. Because of unidirectional link failure on the link
between S2 and S3, S3 is not receiving BPDUs from S2.

Without loop guard, the blocking port on S3 will transition to listening (upon max age timer expiration) -> learning -> forwarding state which create a loop.n

With loop guard enabled, the blocking port on S3 will transition into the STP loop-inconsistent state upon expiration of the max age timer. Because a port in the STP loop-inconsistent state will not pass user traffic, no loop is created. The loop-inconsistent state is effectively equal to the blocking state.

To enable loop guard globally use the command spanning-tree loopguard default.

Question 5

You are the administrator of a switch and currently all host-connected ports are configured with the portfast command. You have received a new directive from your manager that states that, in the future, any host-connected port that receives a BPDU should automatically disable PortFast and begin transmitting BPDUs. Which of the following commands will support this new requirement?

A. Switch(config)# spanning-tree portfast bpduguard default
B. Switch(config-if)# spanning-tree bpduguard enable
C. Switch(config-if)# spanning-tree bpdufilter enable
D. Switch(config)# spanning-tree portfast bpdufilter default

 

Answer: D

Explanation

The bpdufilter option feature is used to globally enable BPDU filtering on all Port Fast-enabled interfaces and this prevent the switch interfaces connected to end stations from sending or receiving BPDUs.

Note: The spanning-tree portfast bpdufilter default global configuration command can be overridden by the spanning-tree bdpufilter enable command in interface mode.

 

Question 6

Which two statements correctly describe characteristics of the PortFast feature? (Choose two)

A. STP will be disabled on the port.
B. PortFast can also be configured on trunk ports.
C. PortFast is required to enable port-based BPDU guard.
D. PortFast is used for both STP and RSTP host ports.
E. PortFast is used for STP-only host ports.

 

Answer: B D

Explanation

You can use PortFast on switch or trunk ports connected to a single workstation, switch, or server to allow those devices to connect to the network immediately, instead of waiting for the port to transition from the listening and learning states to the forwarding state -> B is correct.

Also, PortFast can be used for both STP and RSTP -> D is correct.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/7.4/configuration/guide/stp_enha.html)

Answer C is not correct because BPDU guard can be enabled without PortFast. But what will happen if the PortFast and BPDU guard features are configured on the same port?

Well, at the reception of BPDUs, the BPDU guard operation disables the port that has PortFast configured. The BPDU guard transitions the port into errdisable state, and a message appears on the console

2000 May 12 15:13:32 %SPANTREE-2-RX_PORTFAST:Received BPDU on PortFast enable port. Disabling 2/1 2000
May 12 15:13:32 %PAGP-5-PORTFROMSTP:Port 2/1 left bridge port 2/1

(Reference and good resource: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml)

Question 7

Which of the following commands can be issued without interfering with the operation of loop guard?

A. Switch(config-if)#spanning-tree guard root
B. Switch(config-if)#spanning-tree portfast
C. Switch(config-if)#switchport mode trunk
D. Switch(config-if)#switchport mode access

 

Answer: C

Explanation

In general, Loop Guard is configured on non-designated ports (blocking or root ports) and it prevents them from becoming designated ports when the current designated ports stop sending BPDUs.

Root Guard should be configured on designated ports and prevents them from becoming root ports. Therefore Root Guard is incompatible with Loop Guard.

PortFast should be placed on ports configured as access ports while Loop Guard should be placed on trunk ports -> we can use the “switchport mode trunk” without interfering with the operation of Loop Guard.

Question 8

Which statement correctly describes enabling BPDU guard on an access port that is also enabled for PortFast?

A. Upon startup, the port transmits 10 BPDUs. If the port receives a BPDU, PortFast and BPDU guard are disabled on that port and it assumes normal STP operation.
B. The access port ignores any received BPDU.
C. If the port receives a BPDU, it is placed into the error-disable state.
D. BPDU guard is only configured globally and the BPDU filter is required for port-level configuration.

 

Answer: C

Explanation

If any BPDU is received on a port where BPDU guard is enabled, that port is put into the err-disable state immediately. The port is shut down in an error condition and must be either manually re-enabled or automatically recovered through the errdisable timeout function.

Note: A port that has PortFast enabled also has BPDU guard automatically enabled. By combining PortFast & BPDU guard we have a port that can quickly enter the Forwarding state from Blocking state and automatically shut down when receiving BPDUs.

Question 9

Why is BPDU guard an effective way to prevent an unauthorized rogue switch from altering the spanning-tree topology of a network?

A. BPDU guard can guarantee proper selection of the root bridge.
B. BPDU guard can be utilized along with PortFast to shut down ports when a switch is connected to the port.
C. BPDU guard can be utilized to prevent the switch from transmitteing BPDUs and incorrectly altering the root bridge election.
D. BPDU guard can be used to prevent invalid BPDUs from propagating throughout the network.

 

Answer: B

Question 10

Which three statements about STP timers are true? (Choose three)

A. STP timers values (hello, forward delay, max age) are included in each BPDU.
B. A switch is not concerned about its local configuration of the STP timers values. It will only consider the value of the STP timers contained in the BPDU it is receiving.
C. To successfully exchange BPDUs between two switches, their STP timers value (hello, forward delay, max age) must be the same.
D. If any STP timer value (hello, forward delay, max age) needs to be changed, it should at least be changed on the root bridge and backup root bridge.
E. On a switched network with a small network diameter, the STP hello timer can be tuned to a lower value to decrease the load on the switch CPU.
F. The root bridge passes the timer information in BPDUs to all routers in the Layer 3 configuration.

 

Answer: A B D

Explanation

Each BPDU includes the hello, forward delay, and max age STP timers. An IEEE bridge is not concerned about the local configuration of the timers value. The IEEE bridge considers the value of the timers in the BPDU that the bridge receives. Effectively, only a timer that is configured on the root bridge of the STP is important. If you lose the root, the new root starts to impose its local timer value on the entire network. So, even if you do not need to configure the same timer value in the entire network, you must at least configure any timer changes on the root bridge and on the backup root bridge.

(Reference: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094954.shtml)

 

STP Questions 5

May 10th, 2014 certprepare 1 comment

Here you will find answers to STP Questions – Part 5

Quick notes:

BPDU filtering: prevents the switch interfaces connected to end stations from sending or receiving BPDUs.
BPDU port-guard: If any BPDU is received on a port where BPDU guard is enabled, that port is put into the err-disable state immediately.

Question 1

Refer to the exhibit. Which statement is true about the output?

CAT1# show spanning-tree interface FastEthernet 0/1 detail
Port 1 (FastEthernet0/1) of VLAN0001 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.1.
Designated root has priority 32769, address 000a.4107.7400
Designated bridge has priority 32769, address 000a.4107.7400
Designated port id is 128.1, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
BPDU: sent 237, received 1
CAT2# show spanning-tree interface FastEthernet 0/2 detail
Port 2 (FastEthernet0/2) of VLAN0001 is blocking
Port path cost 19, Port priority 128, Port Identifier 128.2.
Designated root has priority 32769, address 000a.4107.7400
Designated bridge has priority 32769, address 000a.4107.7400
Designated port id is 128.1, designated path cost 0
Timers: message age 1, forward delay 0, hold 0
Number of transitions to forwarding state: 0
BPDU: sent 1, received 242
CAT3# show spanning-tree interface FastEthernet 0/1 detail
Port 1 (FastEthernet0/1) of VLAN0001 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.1.
Designated root has priority 32769, address 000a.4107.7400
Designated bridge has priority 32769, address 000a.4107.7400
Designated port id is 128.1, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
BPDU: sent 24, received 0

A. The port on switch CAT1 is forwarding and sending BPDUs correctly.
B. The port on switch CAT1 is blocking and sending BPDUs correctly.
C. The port on switch CAT2 is forwarding and receiving BPDUs correctly.
D. The port on switch CAT2 is blocking and sending BPDUs correctly.
E. The port on switch CAT3 is forwarding and receiving BPDUs correctly.
F. The port on switch CAT3 is forwarding, sending, and receiving BPDUs correctly.

 

Answer: A

Explanation

From the first lines of the “show” commands and the BPDU sent and received we can conclude:

CAT1 is forwarding and sending BPDUs correctly (BPDU: sent 237, received 1) but it is not receiving BPDUs.
CAT2 is blocking and receiving BPDUs correctly (BPDU: sent 1, received 242) but it is not sending BPDUs.
CAT3 is forwarding and sending BPDUs correctly (BPDU: sent 24, received 0) but it is not receiving BPDUs.

-> only answer A is correct.

Question 2

Which of the following specifications is a companion to the IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) algorithm, and warrants the use multiple spanning-trees?

A. IEEE 802.1s (MST)
B. IEEE 802.1Q (CST)
C. Cisco PVST+
D. IEEE 802.1d (STP)

 

Answer: A

Explanation

MST maps multiple VLANs into a spanning tree instance, with each instance having a spanning tree topology independent of other spanning tree instances. This architecture provides multiple forwarding paths for data traffic, enables load balancing, and reduces the number of STP instances required to support a large number of VLANs. MST improves the fault tolerance of the network because a failure in one instance (forwarding path) does not affect other instances (forwarding paths).

Note: RSTP is automatically turned on along with MST (the “spanning-tree mode mst” in global configuration mode will turn on both RSTP & MST)

(Reference: http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_0_1a/MST.html)

Question 3

What two things will occur when an edge port receives a BPDU? (Choose two)

A. The port immediately transitions to the Forwarding state.
B. The switch generates a Topology Change Notification (TCN) BPDU.
C. The port immediately transitions to the err-disable state.
D. The port becomes a normal STP switch port.

Answer: B D

Explanation

The concept of edge port basically corresponds to the PortFast feature. An edge port directly transitions to the forwarding state, and skips the listening and learning stages. An edge port that receives a BPDU immediately loses edge port status and becomes a normal spanning tree port.

(Reference: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_white_paper09186a0080094cfa.shtml#edge)

Question 4

Which statement is true about RSTP topology changes?

A. Only nonedge ports moving to the blocking state generate a TC BPDU.
B. Any loss of connectivity generates a TC BPDU.
C. Any change in the state of the port generates a TC BPDU.
D. Only nonedge ports moving to the forwarding state generate a TC BPDU.
E. If either an edge port or a nonedge port moves to a block state, then a TC BPDU is generated.

 

Answer: D

Explanation

When a Switch (Bridge) discovers topology change, it generates a TCN (Topology Change Notification) BPDU (Bridge Protocol Data Unit) and sends the TCN BPDU on its root port. The upstream Switch (Bridge) responds back the sender with TCA (Topology Change Acknowledgment) BPDU (Bridge Protocol Data Unit) and TCA (Topology Change Acknowledgment) BPDU (Bridge Protocol Data Unit)
The upstream Switch (Bridge) (bridge which received the TCN BPDU) generates another TCN BPDU and sends out via its Root Port. The process continues until the Root Switch (Bridge) receives the TCN BPDU.
When the Root Switch (Bridge) is aware that there is a topology change in the network, it starts to send out its Configuration BPDUs with the topology change (TC) bit set. Configuration BPDUs are received by every Switch (Bridge) in the network and all bridges become aware of the network topology change.

The switch never generates a TCN when a port configured for PortFast goes up or down -> it means no TC will be created for PortFast (or Edge Port) -> D is correct.

(Reference: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094797.shtml)

Question 5

Which of the following conditions guarantees that a broadcast storm cannot occur?

A. a native VLAN mismatch on either side of an 802.1Q link
B. BPDU filter configured on a link to another switch
C. Spanning Tree Protocol enabled on both Layer 2 and multilayer switches
D. PortFast enabled on all access and trunk ports

 

Answer: C

Question 6

Which two statements are true about port BPDU Guard and BPDU filtering? (Choose two)

A. BPDU guard can be enabled globally, whereas BPDU filtering must be enabled on a per-interface basis.
B. When globally enabled, BPDU port-guard and BPDU filtering apply only to PortFast enabled ports.
C. When globally enabled. BPDU port-guard and BPDU filtering apply only to trunking-enabled ports.
D. When a BPDU is received on a BPDU port-guard enabled port, the interface goes into the err-disabled state.
E. When a BPDU is received on a BPDU filtering enabled port, the interface goes into the err-disabled state.
F. When a BPDU is received on a BPDU filtering enabled port, the interface goes into the STP blocking state.

 

Answer: B D

Question 7

Which of the following will generate an RSTP topology change notification?

A. an edge port that transitions to the forwarding state
B. a non-edge port that transitions to the blocking state
C. a non-edge port that transitions to the forwarding state
D. an edge port that transitions to the blocking state
E. any port that transitions to the blocking state
F. any port that transitions to the forwarding state

 

Answer: C

Question 8

What is the effect of configuring the following command on a switch?

Switch(config)# spanning-tree portfast bpdufilter default

A. If BPDUs are received by a port configured for PortFast, then PortFast is disabled and the BPDUs are processed normally.
B. If BPDUs are received by a port configured for PortFast, they are ignored and none are sent.
C. If BPDUs are received by a port configured for PortFast, the port will transition to forwarding state.
D. The command will enable BPDU filtering on all ports regardless of whether they are configured for BPDU filtering at the interface level.

 

Answer: A

Explanation

Please read the explanation of Question 3

Question 9

Refer to the show spanning-tree mst configuration output shown in the exhibit. What should be changed in the configuration of the switch SW_2 in order for it to participate in the same MST region?

spanning-tree_mst_configuration.jpg

A. Switch SW_2 must be configured with the revision number of 2.
B. Switch SW_2 must be configured with a different VLAN range.
C. Switch SW_2 must be configured with the revision number of 1.
D. Switch SW_2 must be configured with a different MST name.

 

Answer: C

Question 10

Switch R1 has been configured with the root guard feature. What statement is true if the spanning tree enhancement Root Guard is enabled?
A. If BPDUs are not received on a non-designated port, the port is moved into the STP loop-inconsistent blocked state
B. If BPDUs are received on a PortFast enabled port, the port is disabled.
D C. If superior BPDUs are received on a designated port, the interface is placed into the root-inconsistent blocked state.
D. If inferior BPDUs are received on a root port, all blocked ports become alternate paths to the root bride.

 

Answer: C

STP Questions 6

May 10th, 2014 certprepare 1 comment

Here you will find answers to STP Questions – Part 6

Question 1

Based on the show spanning-tree vlan 200 output shown in the exhibit, which two statements about the STP process for VLAN 200 are true? (Choose two)

show_spanning-tree_vlan.jpg

A. BPDUs will be sent out every two seconds.
B. The time spent in the listening state will be 30 seconds.
C. The time spent in the learning state will be 15 seconds.
D. The maximum length of time that the BPDU information will be saved is 30 seconds.
E. This switch is the root bridge for VLAN 200.
F. BPDUs will be sent out every 10 seconds.

 

Answer: B F

Explanation

From the output you learn that:

+ This is not the root bridge for VLAN 200 (it does not have the line “This bridge is the root” and the root bridge information is shown first. It has a Alternative port).
+ The root bridge is sending Hello every 10 seconds, Max Age is 20 seconds and Forward Delay is 15 seconds while the local bridge is sending Hello every 2 seconds, Max Age is 20 seconds and Forward Delay is 15 seconds.

Aan IEEE bridge is not concerned about the local configuration of the timers value. The IEEE bridge considers the value of the timers in the BPDU that the bridge receives. Effectively, only a timer that is configured on the root bridge of the STP is important. In this case, the local switch will import STP timers from the root bridge -> The listening state (or learning state) will be 30 seconds, which equals to Forward Delay. Also BPDUs will be sent out every 10 seconds (Hello packets).

(Reference: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094954.shtml)

Question 2

RSTP_Block.jpg

All links in this network are layer 2, fast Ethernet 100 Mb/s and operating as trunks. After a failure, the link between ASW-1 and DSW-1 has incorrectly come back up at 10 Mb/s although it is connected.

Which one of the following will occur as a result of this failure?

A. There will be no change to the forwarding path to traffic from ASW-1
B. ASW1 will block Fa0/24 in order to maintain the shortest path to the root bridge DSW-1
C. ASW-1 will block Fa0/23 in order to maintain the shortest path to the root bridge DSW-1
D. ASW-1 will elect DSW-2 as the root primary since it is close than DSW-1

 

Answer: C

Explanation

The picture below shows the port roles of all ports when the topology is converged after the failure.

RSTP_Block_port_roles.jpg

RP: Root Port
BP: Blocked Port
DP: Designated Port

Question 3

Regarding the exhibit and the partial configuration of switch SA and SB. STP is configured on all switches in the network. SB receives this error message on the console port:

00:06:34: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/5 (not half duplex), with SA FastEthernet0/4 (half duplex), with TBA05071417(Cat6K-B) 0/4 (half duplex).

What would be the possible outcome of the problem?

STP_mismatched_duplex.jpg

A – The root port on switch SB will fall back to full-duplex mode.
B – The interfaces between switches SA and SB will transition to a blocking state.
C – The root port on switch SA will automatically transition to full-duplex mode.
D – Interface Fa0/6 on switch SB will transit to a forwarding state and create a bridging loop.

 

Answer: D

Explanation:

From the output, we learned that the interfaces on two switches are operating in different duplex modes: Fa0/4 of SA in half-duplex mode & Fa0/5 of SB in full-duplex mode. In this case, because SB is operating in full duplex mode, it does not check the carrier sense before sending frames (CSMA/CD is not used in full-duplex mode). Therefore, SB can start to send frames even if SA is using the link and a collision will occur. The result of this is SA will wait a random time before attempting to transmit another frame. If B sends enough frames to A to make every frame sent from A (which includes the BPDUs) get dropped then SB can think it has lost root bridge (B does not receive BPDUs from A anymore). Therefore SB will unblock its Fa0/6 interface for transmitting and cause a bridging loop.

STP Hotspot

May 10th, 2014 certprepare No comments

Question

Online Incorporated is an internet game provide. The game service network had recently added an additional switch block with multiple VLANs configured. Unfortunately, system administrators neglected to document the spanning-tree topology during configuration. For baseline purpose, you will be required to identify the spanning-tree topology for the switch block. Using the output of “show spanning-tree” command on switch SW-C and the provided physical topology, answer the following questions:

SpanningTreeBCMSNHotspot

The output of “show spanning-tree” command on SW-C:

SpanningTree_show_spanning_tree

Read more…

VLAN Access Map

May 9th, 2014 certprepare No comments

Here you will find answers to VLAN Access Map (VACL)

Quick review:

1. Define a VLAN access map
Switch(config)# vlan access-map map_name [sequence]

2. Configure a match clause:
Switch(config-access-map)# match {ip address | ipx address | mac address} {acl-number | acl-name}

3. Configure an action clause:
Switch(config-access-map)# action {drop | forward | redirect}

4. Apply a map to VLANs:
Switch(config)# vlan filter map_name vlan_list list

To verify the VACL configuration:
Switch# show vlan access-map map_name
Switch# show vlan filter [ access-map map_name | vlan vlan_id ]

An example of VACL:

The following example show how to define and apply a VLAN access map to forward packets matching certprepare_acl access list. All other packets in VLAN 10 to 20 are dropped due to the implicit “deny all” at the end of the access map.

// Define access list
Router(config)# ip access-list extended certprepare_acl
Router(config-ext-nacl)#permit ip 10.0.0.0 0.255.255.255 any
Router(config-ext-nacl)#exit
————————————————————————————————-
//Define VLAN Access map
Router(config)# vlan access-map certprepare 10
Router(config-access-map)# match ip address certprepare_acl
Router(config-access-map)# action forward
Router(config-access-map)# exit
————————————————————————————————-
//Apply VACL to VLAN 10 to 20
Router(config)# vlan filter certprepare vlan-list 10-20

Question 1

Refer to the exhibit. Which statement is true?

Router(config)# vlan access-map pass 10
Router(config-access-map)# match ip address ABC
Router(config- access-map)# action forward
Router(config)# vlan filter pass vlan-list 5-10

A. IP traffic matching access list ABC is forwarded through VLANs 5-10.
B. IP traffic matching VLAN list 5-10 will be forwarded, and all other traffic will be dropped.
C. All VLAN traffic matching VLAN list 5-10 will be forwarded, and all traffic matching access list ABC is dropped.
D. All VLAN traffic in VLANs 5-10 that match access list ABC will be forwarded, and all else will be dropped.

 

Answer: D

Explanation

Each VACL has an implicit “deny all” statement at the end, just like a regular ACL. From the exhibit we learn the VACL “pass” is applied from VLAN 5 to 10 with “action forward” -> All VLAN traffic in VLANs 5-10 that match ABC access list will be forwarded, other traffic in VLAN 5 to 10 will be dropped.

Question 2

VLAN maps have been configured on switch R1. Which of the following actions are taken in a VLAN map that does not contain a match clause?

A. Implicit deny feature at end of list.
B. Implicit deny feature at start of list.
C. Implicit forward feature at end of list
D. Implicit forward feature at start of list.

 

Answer: C

Explanation

VACLs have an implicit deny at the end of the map; a packet is denied if it does not match any ACL entry, provided that the access map contains at least one “match” clause.

If you configure like this:
Switch(config)# vlan access-map test
Switch(config-access-map)#match ip address ABC
Switch(config-access-map)#action forward
Switch(config-access-map)#exit

Then all unmatched traffic will be dropped because of an implicit “deny all” at the end of the VACL.

But if there is NOT A MATCH statement, then the default behavior of the VACL is the forward traffic. If you configure like this:
Switch(config)# vlan access-map test
Switch(config-access-map)#exit

Then “show run” you will find an “action forward” automatically placed under the vlan access-map command -> Answer C is correct.

Question 3

Refer to the exhibit. What will happen to the traffic within VLAN 14 with a source address of 172.16.10.5?

Switch# show ip access-lists net_10
Extended IP access list net_10
10 permit ip 10.0.0.0 0.255.255.255 any
Switch# conf t
Switch(config)# vlan access-map thor 10
Switch(config-access-map)# match ip address net_10
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter thor vlan-list 12-16

A. The traffic will be forwarded to the router processor for further processing.
B. The traffic will be dropped.
C. The traffic will be forwarded to the TCAM for further processing.
D. The traffic will be forwarded to without further processing.

 

Answer: B

Explanation

The source address of 172.16.10.5 is not matched with access list net_10. Something like this at the end of the access-map:

vlan access-map thor
action drop

-> The traffic from 172.16.10.5 is dropped -> B is correct.

Question 4

What is the method used to filter traffic being bridged within a VLAN?

A. Ethernet maps
B. Router ACLs
C. VLAN maps
D. IP ACLs

 

Answer: C

EtherChannel Questions

May 8th, 2014 certprepare 16 comments

Here you will find answers to EtherChannel Questions

Notes:

The Port Aggregation Protocol (PAgP) and Link Aggregation Control Protocol (LACP) facilitate the automatic creation of EtherChannels by exchanging packets between Ethernet interfaces. The Port Aggregation Protocol (PAgP) is a Cisco-proprietary solution, and the Link Aggregation Control Protocol (LACP) is standards based.

LACP modes:

+ on: the link aggregation is forced to be formed without any LACP negotiation. A port-channel is formed only if the peer port is also in “on” mode.
+ off: disable LACP and prevent ports to form a port-channel
+ passive: the switch does not initiate the channel, but does understand incoming LACP packets
+ active: send LACP packets and willing to form a port-channel

PAgP modes:

+ on: The link aggregation is forced to be formed without any PAgP negotiation. A port-channel is formed only if the peer port is also in “on” mode.
+ off: disable PAgP and prevent ports to form a port-channel
+ desirable: send PAgP packets and willing to form a port-channel
+ auto: does not start PAgP packet negotiation but responds to PAgP packets it receives

An EtherChannel in Cisco can be defined as a Layer 2 EtherChannel or a Layer 3 EtherChannel.
+ For Layer 2 EtherChannel, physical ports are placed into an EtherChannel group. A logical port-channel interface will be created automatically. An example of configuring Layer 2 EtherChannel can be found in Question 1 in this article.

+ For Layer 3 EtherChannel, a Layer 3 Switch Virtual Interface (SVI) is created and then the physical ports are bound into this Layer 3 SVI. An example of configuring Layer 3 EtherChannel can be found in Question 6 in this article.

Question 1

Refer to the exhibit. LACP has been configured on Switch1 as shown. Which is the correct command set to configure LACP on Switch2?

LACP_channel-group.jpg

A.
Switch2# configure terminal
Switch2(config)# interface range gigabitethernet3/1 -2
Switch2(config-if)# channel-group 5 mode auto

B.
Switch2# configure terminal
Switch2(config)# interface range gigabitethemet3/1 -2
Switch2(config-if)# channel-group 5 mode passive

C.
Switch2# configure terminal
Switch2(config)# interface range gigabitethernet3/1 -2
Switch2(config-if)# channel-group 5 mode desirable

D.
Switch2# configure terminal
Switch2(config)# interface range gigabitethernet3/1 -2
Switch2(config-if)# channel-group 5 mode on

 

Answer: B

Explanation

LACP trunking supports four modes of operation, as follows:
* On: The link aggregation is forced to be formed without any LACP negotiation. In other words, the switch will neither send the LACP packet nor process any incoming LACP packet. This is similar to the on state for PAgP.
* Off: The link aggregation will not be formed. We do not send or understand the LACP packet. This is similar to the off state for PAgP.
* Passive: The switch does not initiate the channel, but does understand incoming LACP packets. The peer (in active state) initiates negotiation (by sending out an LACP packet) which we receive and reply to, eventually forming the aggregation channel with the peer. This is similar to the auto mode in PAgP.
* Active: We are willing to form an aggregate link, and initiate the negotiation. The link aggregate will be formed if the other end is running in LACP active or passive mode. This is similar to the desirable mode of PAgP.

LACP does not have “auto” & “desirable” modes so A & C are not correct.

Also there are only three valid combinations to run the LACP link aggregate, as follows:

Switch Switch Description
active active Recommended
active passive Link aggregation occurs if negotiation is successful.
on on Link aggregation occurs without LACP. Although this works, it is not recommended.

Therefore if Switch1 is set “active” mode, we cannot set “on” mode on Switch2 -> D is not correct.

Only answer B is suitable in this case.

(Reference: http://www.cisco.com/en/US/tech/tk389/tk213/technologies_configuration_example09186a0080094470.shtml)

An example of configuring Layer 2 EtherChannel using LACP (applied these commands to both switches):

SW(config)#interface range f0/1 – 2
SW(config-if-range)#channel-group 1 mode active

Question 2

Refer to the exhibit. The command switchport mode access is issued on interface FastEthernet0/13 on switch CAT1. What will be the result?

channel-group_switchport-mode-access.jpg

A. The command will be rejected by the switch.
B. Interfaces FastEthernet0/13 and FastEthemet0/14 will no longer be bundled.
C. Dynamic Trunking Protocol will be turned off on interfaces FastEthernet0/13 and FastEthemet0/14.
D. Interfaces FastEthernet0/13 and FastEthernet0/14 will only allow traffic from the native VLAN.
E. Interfaces FastEthernet0/13 and FastEthernet0/14 will continue to pass traffic for VLANs 88,100,360.

 

Answer: B

Explanation

The default channel protocol in Cisco switches is Port Aggregation Protocol (PAgP). PAgP groups the interfaces with the same speed, duplex mode, native VLAN, VLAN range, and trunking status and type. After grouping the links into an EtherChannel, PAgP adds the group to the spanning tree as a single switch port.

An interface in the on mode that is added to a port channel is forced to have the same characteristics as the already existing on mode interfaces in the channel (applied for both PAgP & LACP). So if we configure “switchport mode access” on Fa0/13, this interface will no longer be bundled with Fa0/14.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_14_ea1/configuration/guide/swethchl.html#wpxref12539)

Question 3

What is the result of entering the command “port-channel load-balance src-dst-ip” on an EtherChannel link?

A. Packets are distributed across the ports in the channel based on both the source and destination MAC addresses.
B. Packets are distributed across the ports in the channel based on both the source and destination IP addresses.
C. Packets are balanced across the ports in the channel based first on the source MAC address, then on the destination MAC address, then on the IP address.
D. Packets are distributed across the access ports in the channel based first on the source IP address and then the destination IP addresses.

 

Answer: B

Explanation

The syntax of configuring load balancing on a Cisco switch is:

Switch(config)# port-channel load-balance method

Many methods can be used here. By default, the “src-dst-ip” (source and destination IP address) method is used for Layer 3 switching. Let’s take an example to understand more about this method.

EtherChannel_Load_balancing-src-dst-ip.jpg

In the topology above, Switch1 uses the “src-dst-ip” method to load balancing traffic to Switch2. With this method, only one link is used for a specific pair of source & destination IP address and the switch uses the XOR function to generate the hash that is used to determine which interface to use. Suppose the packets have the source IP of 1.1.1.1 & destination IP of 1.1.1.2. Write them in binary we get:

1.1.1.1 = 0000 0001.0000 0001.0000 0001.0000 0001
1.1.1.2 = 0000 0001.0000 0001.0000 0001.0000 0010

In this case we have only 2 interfaces in this channel group so the XOR function only gets the last bit, which means 1 XOR 0 = 1. Each interface is assigned an index that starts from 0 so Fa0/2 will be indexed 1 -> traffic will be sent over Fa0/2.

If we have 4 interfaces in a channel group then XOR function gets last 2 bits. If we have 8 interfaces, it gets 3 bits and so on. For example, with 8 interfaces the result will be 3 (because 001 XOR 010 = 011) -> Fa0/4 will be used.

Note: If the two address values have the same bit value, the XOR result is always 0. If the two address bits differ, the XOR result is always 1. For example, 0 XOR 0 = 0; 0 XOR 1 = 1; 1 XOR 0 = 1; 1 XOR 1 = 0.

In conclusion, the “port-channel load-balance src-dst-ip” command uses a pair of source & destination IP address to select the port to send traffic to -> B is correct.

Question 4

Refer to the exhibit. Which statement is true about the display of the command “show pagp 1 neighbor” command?

show_pagp_neighbor.jpg

A. STP packets are sent out the Gi0/1 interface only.
B. STP packets are sent out both the Gi0/1 and Gi0/2 interfaces.
C. CDP packets are sent out the Gi0/1 interface only.
D. CDP packets are sent out the Gi0/2 interface only.

 

Answer: A

Explanation

DTP and CDP send and receive packets over all the physical interfaces in the EtherChannel while STP always chooses the first operational port in an EtherChannel bundle -> A is correct.

Question 5

Refer to the exhibit. On the basis of the information that is generated by the show commands, which two EtherChannel statements are true? (Choose two)

show_etherchannel_summary.jpg

A. Interfaces FastEthernet 0/1 and 0/2 have been configured with the channel-group 1 mode desirable command.
B. Interfaces FastEthernet 0/3 and 0/4 have been configured with the no switchport command.
C. Interface Port-Channels 1 and 2 have been assigned IP addresses with the ip address commands.
D. Port-Channels 1 and 2 are providing two 400 Mbps EtherChannels.
E. Port-Channels 1 and 2 are capable of combining up to 8 FastEthernet ports to provide full-duplex bandwidth of up to 16 Gbps between a switch and another switch or host.
F. Switch SW1 has been configured with a Layer 3 EtherChannel.

 

Answer: A D

Explanation

In fact answer A is not totally correct because two ports Fa0/1 & Fa0/2 of Sw1 can use the “channel-group 1 mode auto” command while the peer ports use the “channel-group 1 mode desirable” command. But maybe it is the best choice in this case.

Answer B is not correct because this is a Layer 2 EtherChannel (from the lines “Po1 (SU)” & “Group state = L2”) but the “no switchport” is only used to configure Layer 3 EtherChannel.

Answer C is not correct because the port-channel is automatically created in a Layer 2 EtherChannel.

In this case we can see the ports are FastEthernet ports -> Port-Channels 1 and 2 are capable of combining up to 8 FastEthernet ports to provide full-duplex bandwidth of up to 1.6 Gbps (8 links of FastEthernet ports), not 16 Gbps. Port-Channels can provide up to 16 Gbps if they group 8 links of GigabitEthernet -> E is not correct.

SW1 has been configured with a Layer 2 EtherChannel (from the lines “Po1 (SU)” & “Group state = L2”) -> F is not correct.

Usually the EtherChannel protocol is shown when using the “show etherchannel summary” command (after the “Port-channel” column) but in this case we see no “protocol” column so we can assume it uses the default EtherChannel protocol PAgP.

There are 2 ports in each group so there are 4 Ethernet ports in total -> 4 x 100Mbps = 400Mbps in full duplex (which means “two 400 Mbps EtherChannels” in answer D) -> D is correct.

Question 6

Which statement is true regarding the Port Aggregation Protocol?

A. Configuration changes made on the port-channel interface apply to all physical ports assigned to the portchannel interface.
B. Configuration changes made on a physical port that is a member of a port-channel interface apply to the port-channel interface.
C. Configuration changes are not permitted with Port Aggregation Protocol; instead, the standardized Link Aggregation Control Protocol should be used if configuration changes are required.
D. The physical port must first be disassociated from the port-channel interface before any configuration changes can be made.

 

Answer: A

Explanation

The port-channel interface represents for the whole bundle and all the configurations on this interface are applied to all physical ports that are assigned to this logical interface.

Note: We must manually create port-channel logical interface when configuring Layer 3 EtherChannels. The port-channel logical interface is automatically created when configuring Layer 2 EtherChannels (you can’t put Layer 2 ports into a manually created port channel interface).

An example of configuring Layer 3 EtherChannels with port-channel interfaces:

EtherChannel_Load_balancing-src-dst-ip.jpg

Switch1(config)# interface port-channel 1
Switch1(config-if)# no switchport
Switch1(config-if)# ip address 192.168.1.1 255.255.255.0
Switch1(config-if)# exit
Switch1(config)# interface range fastethernet0/1 -2
Switch1(config-if-range)# no switchport
Switch1(config-if-range)# no ip address
Switch1(config-if-range)# channel-group 1 mode desirable
Switch2(config)# interface port-channel 1
Switch2(config-if)# no switchport
Switch2(config-if)# ip address 192.168.1.2 255.255.255.0
Switch2(config-if)# exit
Switch2(config)# interface range fastethernet0/1 -2
Switch2(config-if-range)# no switchport
Switch2(config-if-range)# no ip address
Switch2(config-if-range)# channel-group 1 mode auto

Note: The “no switchport” command is required to change interface from layer2 to layer3 mode.

Question 7

Which three statements are true of the Link Aggregation Control Protocol (LACP)? (Choose three)

A. LACP is used to connect to non-Cisco devices.
B. LACP packets are sent with the command channel-group 1 mode desirable.
C. LACP packets are sent with the command channel-group 1 mode active.
D. Standby interfaces should be configured with a higher priority.
E. Standby interfaces should be configured with a lower priority.

 

Answer: A C D

Explanation

LACP is part of the IEEE specification 802.3ad so that it can be used on non-Cisco devices -> A is correct.

With mode “active”, the switch will send LACP packets, initiates negotiations with remote ports and willing to form a port-channel if it receives a response -> C is correct.

LACP uses the port priority with the port number to form the port identifier. The port priority determines which ports should be put in standby mode when there is a hardware limitation that prevents all compatible ports from aggregating.

An example of configuring LACP port priority:

Router(config-if)# lacp port-priority 100

Note: Valid range is from 1 to 65535. The higher the number, the lower the priority so standby interfaces should be configured with a higher priority -> D is correct.

Question 8

Refer to the exhibit. What does the command channel-group 1 mode desirable do?

Interface FastEthernet 0/13
Channel-group 1 mode desirable

A. enables LACP unconditionally
B. enables PAgP only if a PAgP device is detected
C. enables PAgP unconditionally
D. enables Etherchannel only
E. enables LACP only if a LACP device is detected

 

Answer: C

Explanation

First, “desirable” is a mode on PAgP, not LACP. “enable PAgP unconditionally” means that port will send PAgP packets to form an EtherChannel port (initiate negotiations with other ports). A channel is formed with another port group in either desirable or auto mode.

Note:

Mode “auto” enables PAgP only if a PAgP device is detected and mode “on” forces the port to form a channel.

Question 9

Which statement best describes implementing a Layer 3 EtherChannel?

A. EtherChannel is a Layer 2 and not a Layer 3 feature.
B. Implementation requires switchport mode trunk and matching parameters between switches.
C. Implementation requires disabling switchport mode.
D. A Layer 3 address is assigned to the channel-group interface.

 

Answer: C

Explanation

By default, the ports on a multilayer switch (MLS) will all be running in Layer 2 mode. A port must be configured as a routing port before it is configured as a Layer 3 EtherChannel -> require to use the “no switchport” command.

Drag and Drop Questions

May 8th, 2014 certprepare 4 comments

Here you will find answers to Drap and Drop questions

Question 1:

Place the DTP mode with its correct description:

DTP_modes

 

Answer:

1) Trunk: Set the switch port to trunk mode and negotiate to become a trunk.
2) Nonegotiate: Specify that the DTP packets are not sent out of this interface.
3) Access: Set a switch port to permanent nontrunking mode.
4) Dynamic Auto: Set the switch port to respond, but not actively send DTP frames.
5) Dynamic Desirable: Make the interface actively attempt to convert the link to a trunk link. (This means the interface is ready to autonegotiate trunking encapsulation and form a trunk link (using DTP) with a neighbor port in desirable, auto, or on mode.)

Explanation:

Dynamic Trunking Protocol (DTP) is the Cisco-proprietary that actively attempts to negotiate a trunk link between two switches. Below is the switchport modes (or DTP modes) for easy reference:

Mode Function
Dynamic Auto Creates the trunk based on the DTP request from the neighboring switch.
Dynamic Desirable Communicates to the neighboring switch via DTP that the interface would like
to become a trunk if the neighboring switch interface is able to become a trunk.
Trunk Automatically enables trunking regardless of the state of the neighboring switch
and regardless of any DTP requests sent from the neighboring switch.
Access Trunking is not allowed on this port regardless of the state of the neighboring
switch interface and regardless of any DTP requests sent from the neighboring
switch.
Nonegotiate Prevents the interface from generating DTP frames. This command can be
used only when the interface switchport mode is access or trunk. You must
manually configure the neighboring interface as a trunk interface to establish a
trunk link.

Question 2:

This is a drag and drop question which is about the correct sequence of steps that a wireless client takes during the process of association with an access point (AP). Drag the items to the proper locations.

wireless_association.jpg

 

Answer:

wireless_association_answer.jpg

Explanation:

Any wireless client attempting to use the wireless network must first arrange a membership with the AP. Membership with the AP is called an association. The client must send an association request message, and the AP grants or denies the request by sending an association reply message. Once associated, all communications to and from the client must pass through the AP. Clients associate with access points as follows:

1) The client sends a probe request.
2) The AP sends a probe response.
3) The client initiates an association to an AP. Authentication and any other security information is sent to the AP.
4) The AP accepts the association.
5) The AP adds the client’s MAC address to its association table.

 

Question 3:

Drag and drop question. Drag the items to the proper locations.

STP_process

 

Answer:

STP_process_answer

1) Listening: sends and receives BPDUs to determine root, but does not update the MAC address table.
2) Disabled: does not participate in frame forwarding or in STP.
3) Blocking: does not participate in frame forwarding.
4) Fowarding: sends and receives data frames.
5) Learning: populates the MAC address table, but will not forward user data.

Notice: A port begins its life in a Disabled state, moving through several passive states and, finally, into an active state if allowed to forward traffic.

Question 4 (not sure about the question)

verify that the vlan is assigned to the proper ports
verify that creation of the virtual interface
Verify that there is inter-switch connectivity
verify that switchports are properly pruned

Number of IP Subnets
VLAN to IP mapping
Location of each VLAN
VLAN assignments

 

Drag and Drop Questions 2

May 8th, 2014 certprepare No comments

Here you will find answers to Drag and Drop Questions – Part 2

Question 1

Drag the choices on the left to the boxes on the right that should be included when creating a VLAN-based implementation plan. Not all choices will be used.

VLAN_implementation_plan.jpg

 

Answer:

+ reference to design documents
+ roll back guidelines
+ detailed implementation plans
+ time required to perform the implementation

(In this question we don’t need to sort in the correct order)

Explanation

An implementation plan requires:

+ A description of the task
+ References to design documents
+ Detailed implementation guidelines
+ Detailed rollback guidelines in case of failure
+ The estimated time required for implementation

Question 2

You have a VLAN implementation that requires inter-vlan routing using layer 3 switches. Drag the steps on the left that should be part of the verification plan to the spaces on the right. Not all choices will be used.

VLAN_implementation.jpg

 

Answer:

+ Verify that there is inter-switch connectivity
+ Verify that the data and voice VLANs are NOT assigned a trunk’s native VLAN
+ Verify that the needed Switch Virtual interfaces have been created
+ Verify that the proper ports are assigned to the VLAN

Explanation

“The data and voice VLANs are NOT assigned a trunk’s native VLAN”: Voice VLAN configuration is only supported on switch access ports; voice VLAN configuration is not supported on trunk ports.

Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swvoip.html

Question 3

Match the SNMP versions and associated features

SNMP_version_features.jpg

 

Answer:

v1:
+ get next request
+ unsolicited alert msg

v2:
+ informed request
+ incremental 64 bit of new data

v3:
+ user name
+ security level

Question 4

Categorize the high availability network resource or feature with the management level, network level, or system level used.

network_resources.jpg

 

Answer:

Management Level:
+ IP SLA responder
+ NTP

Network Level:
+ RSTP
+ NSF

System Level:
+ Dual Power Supplies
+ SSO

Question 5

Match the HSRP states on the left with the correct definition on the right.

HSRP states.jpg

 

Answer:

+ Initial: State from which the router begin the HSRP process
+ Standby: A candidate to become the next active router
+ Learn: The router is still waiting to hear from the active router
+ Active: The router is currently forwarding packets
+ Listen: Listens for hello messages from the active and standby router
+ Speak: Participates in the election for the active or standby router

 

Question 6

Syslog information can generate messages up to and including the configured severity level. Organize the levels by dragging each name from the left to the  right. Put the highest level at the top and lowest at the bottom.

syslog_priority.jpg

 

Answer:

1) emergency
2) alert
3) critical
4) error
5) warning
6) notice
7) informational
8) debug

Explanation

The syslog levels and descriptions are listed below:

Code Severity Description
0 Emergency system is unusable (such as an imminent system crash)
1 Alert action must be taken immediately (such as a corrupted system database)
2 Critical Critical conditions (such as a hardware error)
3 Error Error conditions
4 Warning Warning conditions
5 Notice normal but significant condition. It is not an error, but possibly should be handled in a special way
6 Informational Informational message
7 Debug Debug-level message

Question 7

Match the Attributes on the left with the types of VLAN designs on right.

VLAN_attributes.jpg

 

Answer:

End-to-End VLANs:
+ As a user moves through a campus, the VLAN membership of the user remains the same, regardless of the physical switch this user attaches to.
+ Users are grouped into each VLAN regardless of the physical locations.

Local VLANs:
+ Create with Physical boundaries in mind rather then the departments or organization of the users on the devices.
+ VLANs on one switch are not advertised to all other switches in the network, nor do they need to be created in the VLAN database of any other switch.

Question 8

You have been tasked with planning a VLAN solution that will connect a seiver in one buliding to several hosts in another building. The solution should be built using the local vlan model and layer 3 switching at the distribution layer. Identify the questions related to this vlan solution that would ask the network administrator before you start the planning by dragging them into the target zone one the right. Not all questions will be used.

VLAN_soutions.jpg

 

Answer:

+ Is there inter-switch connectivity?
+ What routing protocol will be used?
+ What VLANs are available on each switch?
+ What switch ports are available in each building?
+ What IP addresses are available on each subnet?

Drag and Drop Questions 3

May 8th, 2014 certprepare 2 comments

Question 1

Prioritize the traffic types by dragging them from the left to the appropriate Cisco priority level on the right. Put the highest priority at the top and lowest priority at the bottom.

packet_cos_priority.jpg

 

Answer:

+ voice
+ video interactive
+ video streaming
+ call signaling
+ ip routing
+ network management

(http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/QoSIntro.html)

Question 2

Drag and drop the appropriate characteristics of Local VLANs and End-to-end VLANs

local_VLAN_end-to-end_VLAN.jpg

 

Answer:

Local VLANs:
+ easy to maintain
+ users are based on geographic boundaries or their physical location

End-to-end VLANs:
+ users are grouped into VLANs independent of a physical location
+ each VLAN has a common set of security and resource
+ users are assigned to the vlan regardless of their physical location within the campus n/w
+ Based on port security

Explanation

End-to-end VLAN: VLAN members reside on different switches throughout the network. They are used when hosts are assigned to VLANs for policy reasons, rather than physical location.

Local VLAN: Hosts are assigned to VLANs based on their location, such as a floor in a building. This design is more scalable and easier to troubleshoot because the traffic flow is more deterministic. It enables more redundancy and minimizes failure domains.

(Reference: CCNP SWITCH 642-813 Quick Reference Guide)

Question 3

Drag the steps on the left that should be part of a VLAN-based verification plan to the spaces on the right. Not all choices will be used.

VLAN_based_verification_plan.jpg

 

Answer:
+ Verify that there is inter-switch connectivity
+ Verify that switchports are properly pruned
+ Verify that creation of the virtual interface
+ Verify that the VLAN is assigned to the proper port

HSRP Questions

May 7th, 2014 certprepare 3 comments

Here you will find answers to Hot Standby Router Protocol (HSRP) Questions

Question 1

Which protocol specified by RFC 2281 provides network redundancy for IP networks, ensuring that user traffic immediately and transparently recovers from first-hop failures in network edge devices or access circuits?

A. ICMP
B. IRDP
C. HSRP
D. STP

 

Answer: C

Explanation

HSRP is a Cisco-proprietary protocol developed to allow several routers or multilayer switches to appear as a single gateway IP address. This protocol is described in RFC 2281.

Question 2

Which of the following HSRP router states does an active router enter when it is preempted by a higher priority router?

A. active
B. speak
C. learn
D. listen
E. init
F. standby

 

Answer: B

Explanation

First we should review all the HSRP States:

State Description
Initial This is the beginning state. It indicates HSRP is not running. It happens when the configuration changes or the interface is first turned on
Listen The router knows both IP and MAC address of the virtual router but it is not the active or standby router. For example, if there are 3 routers in HSRP group, the router which is not in active or standby state will remain in listen state.
Speak The router sends periodic HSRP hellos and participates in the election of the active or standby router.
Standby In this state, the router monitors hellos from the active router and it will take the active state when the current active router fails (no packets heard from active router)
Active The router forwards packets that are sent to the HSRP group. The router also sends periodic hello messages

Now let’s take an example of a router passing through these states. Suppose there are 2 routers A and B in the network; router A is turned on first. It enters the initial state. Then it moves to listen state in which it tries to hear if there are already active or standby routers for this group. After learning no one take the active or standby state, it determines to take part in the election by moving to speak state. Now it starts sending hello messages containing its priority. These messages are sent to the multicast address 224.0.0.2 (which can be heard by all members in that group). When it does not hear a hello message with a higher priority it assumes the role of active router and moves to active state. In this state, it continues sending out periodic hello messages.

Now router B is turned on. It also goes through initial and listen state. In listen state, it learns that router A has been already the active router and no other router is taking standby role so it enters speak state to compete for the standby router -> it promotes itself as standby router.

Now to our main question! We want router B to become active router so we set a higher priority number than the priority of A and ask router B to take over the role of active router (with the preempt command). Now router A will fall back to the speak state to compete for active or standby state -> it becomes standby router because its priority is now lower than that of router A. (Therefore answer B is correct).

Note: Suppose router A is in active state while router B is in standby state. If router B does not hear hello messages from router A within the holdtime, router B goes into speak state to announce its priority to all HSRP members and compete for the active state. But if at some time it receives a message from the active router that has a lower priority than its priority (because the administrator change the priority in either router), it can take over the active role by sending out a hello packet with parameters indicating it wants to take over the active router. This is called a coup hello message.

(Reference and good resource: http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094a91.shtml)

Question 3

Which three statements are true of a default HSRP configuration? (Choose three)

A. The Standby hello time is 2 seconds.
B. Two HSRP groups are configured.
C. The Standby track interface priority decrement is 10.
D. The Standby hold time is 10 seconds
E. The Standby priority is 100.
F. The Standby delay is 3 seconds.

 

Answer: C D E

Explanation

The table below shows the default values of popular HSRP parameters:

Feature Default Setting
Standby group number 0
Standby MAC address System assigned as: 0000.0c07.acXX, where XX is the HSRP group number
Standby priority 100
Standby delay 0 (no delay)
Standby track interface priority 10
Standby hello time 3 seconds
Standby holdtime 10 seconds

Note:

* Standby delay: If router A is the HSRP active router and then loses a link, which causes it to become standby router, and then the link comes back, the delay command causes router A to wait before it becomes active again. For example, with the “standby preempt delay minimum 30” command, it waits for 30 seconds for the router to become active.

* Standby track: For example, consider this configuration:
standby priority 150
standby track serial 0

An HSRP priority of 150 is configured with the standby priority command and HSRP is configured to track the state of interface Serial0. Because no decrement value is specified in the standby track command, the HSRP priority is decremented by the default value of 10 when the tracked interface goes down.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_12c_ea1/configuration/guide/swhsrp.html)

Question 4

hostname Switch1
interface Vlan10
ip address 172.16.10.32 255.255.255.0
no ip redirects
standby 1 ip 172.16.10.110
standby 1 timers 1 5
standby 1 priority 130
——————————————————–
hostname Switch2
interface Vlan10
ip address 172.16.10.33 255.255.255.0
no ip redirects
standby 1 ip 172.16.10.110
standby 1 timers 1 5
standby 1 priority 120

HSRP was implemented and configured on two switches while scheduled network maintenance was performed.
After the two switches have finished rebooting, you notice via show commands that Switch2 is the HSRP active router. Which two items are most likely the cause of Switch1 not becoming the active router? (Choose two)

A. booting delays
B. standby group number does not match VLAN number
C. IP addressing is incorrect
D. premption is disabled
E. incorrect standby timers
F. IP redirect is disabled

 

Answer: A D

Explanation

When two routers are turned on at the same time, the router completes booting process first will take the active role. Without the “preempt” configured, even a new router with a higher priority cannot take over the active role.In the configuration of Switch1 we don’t see the “preempt” command configured.

Question 5

hostname Switch1
interface Vlan10
ip address 172.16.10.32 255.255.255.0
no ip redirects
standby 1 ip 172.16.10.110
standby 1 timers msec 200 msec 700
standby 1 preempt
hostname Switch2
interface Vlan10
ip address 172.16.10.33 255.255.255.0
no ip redirects
standby 1 ip 172.16.10.110
standby 1 timers msec 200 msec 750
standby 1 priority 110
standby 1 preempt
hostname Switch3
interface Vlan10
ip address 172.16.10.34 255.255.255.0
no ip redirects
standby 1 ip 172.16.10.110
standby 1 timers msec 200 msec 750
standby 1 priority 150
standby 1 preempt

Refer to the exhibit. Three switches are configured for HSRP. Switch1 remains in the HSRP listen state. What is the most likely cause of this status?

A. this is normal operation
B. standby group number does not match VLAN number
C. IP addressing is incorrect
D. incorrect priority commands
E. incorrect standby timers

 

Answer: A

Explanation

Only Switch 1 is not configured with the priority so it will have the default priority of 100, which is smaller than that of Switch2 (110) and Switch3 (150). Moreover, both Switch2 and Switch3 have the “preempt” command so surely Switch3 becomes active router while Switch2 becomes standby router -> Switch1 will be in listen state (Please read the explanation of question 2 to understand more about this state).

Question 6

What are three possible router states of HSRP routers on a LAN? (Choose three)

A. Standby
B. Established
C. Active
D. Idle
E. Backup
F. Init

 

Answer: A C F

Explanation

Same as Question 2

Question 7

Refer to the exhibit. Which configuration on the HSRP neighboring device ensures that it becomes the active HSRP device in the event that port fa1/1 on Switch_A goes down?

Switch_A(config-if)# ip address 10.10.10.1 255.255.255.0
Switch_A(config-if)# standby 1 priority 200
Switch_A(config-if)# standby 1 preempt
Switch_A(config-if)# standby 1 track interface fa 1/1
Switch_A(config-if)# standby 1 ip 10.10.10.10

A.
Switch_B(config-if)#ip address 10.10.10.2 255.255.255.0
Switch_B(config-if)#standby 1 priority 200
Switch_B(config-if)#standby 1 preempt
Switch_B(config-if)#standby 1 ip 10.10.10.10
Switch_B(config-if)#standby 1 track interface fa 1/1

B.
Switch_B(config-if)#ip address 10.10.10.2 255.255.255.0
Switch_B(config-if)#standby 1 priority 200
Switch_B(config-if)#standby 1 ip 10.10.10.10

C.
Switch_B(config-if)#ip address 10.10.10.2 255.255.255.0
Switch_B(config-if)#standby 1 priority 195
Switch_B(config-if)#standby 1 preempt
Switch_B(config-if)#standby 1 ip 10.10.10.10

D.
Switch_B(config-if)#ip address 10.10.10.2 255.255.255.0
Switch_B(config-if)#standby 1 priority 190
Switch_B(config-if)#standby 1 ip 10.10.10.10
Switch_B(config-if)#standby 1 track interface fa 1/1

 

Answer: C

Explanation

Switch_A is not configured standby track priority value so it will use the default track priority of 10 -> When Switch_A goes down, its priority is 200 – 10 = 190 so Switch_B must be configured with a priority higher than 190. Also Switch_B must have the “preempt” command configured to take over the active state -> C is correct.

Note: Answer A is not correct because Switch_B has the same priority value of Switch_A, but the Switch_B’s ip address on the HSRP interface is higher (10.10.10.2 is higher than 10.10.10.1) so Switch_B will take over the active state of Switch_A even when Switch_A is still operational.

Question 8

Which two statements about the HSRP priority are true? (Choose two)

A. To assign the HSRP router priority in a standby group, the standby group-number priority priority-value global configuration command must be used.
B. The default priority of a router is zero (0).
C. The no standby priority command assigns a priority of 100 to the router.
D. Assuming that preempting has also been configured, the router with the lowest priority in an HSRP group would become the active router.
E. When two routers in an HSRP standby group are configured with identical priorities, the router with the highest configured IP address will become the active router.

 

Answer: C E

Explanation

The “no standby priority” command will reset the priority to the default value (100) -> C is correct.

To understand answer E please read the explanation of Question 7.

Question 9

HSRP has been configured between two Company devices. Which of the following describe reasons for deploying HSRP? (Choose three)

A. HSRP provides redundancy and fault tolerance
B. HSRP allows one router to automatically assume the function of the second router if the second router fails
C. HSRP allows one router to automatically assume the function of the second router if the second router starts
D. HSRP provides redundancy and load balancing

 

Answer: A B D

Explanation

Answer A and B are correct because they are the functions of HSRP. I just want to mention about answer D. In fact answer D is not totally correct, in SWITCH only GLBP has the load-balancing feature. HSRP can only load-sharing by configuring some different HSRP groups. But answer D is the only choice left in this question so we have to choose it.

Question 10

Regarding high availability, with the MAC address 0000.0c07.ac03, what does the “03” represent?

A. The GLBP group number
B. The type of encapsulation
C. The HSRP router number
D. The VRRP group number
E. The HSRP group number
F. The active router number

 

Answer: E

Explanation

The last two-digit hex value in the MAC address presents the HSRP group number.

HSRP Questions 2

May 7th, 2014 certprepare 4 comments

Here you will find answers to HSRP Questions – Part 2

Question 1

Three Cisco Catalyst switches have been configured with a first-hop redundancy protocol. While reviewing some show commands, debug output, and the syslog, you discover the following information:

Jan 9 08:00:42.623: %STANDBY-6-STATECHANGE: Standby: 49:
Vlan149 state Standby -> Active
Jan 9 08:00:56.011: %STANDBY-6-STATECHANGE: Standby: 49:
Vlan149 state Active -> Speak
Jan 9 08:01:03.011: %STANDBY-6-STATECHANGE: Standby: 49:
Vlan149 state Speak -> Standby
Jan 9 08:01:29.427: %STANDBY-6-STATECHANGE: Standby: 49:
Vlan149 state Standby -> Active
Jan 9 08:01:36.808: %STANDBY-6-STATECHANGE: Standby: 49:
Vlan149 state Active -> Speak
Jan 9 08:01:43.808: %STANDBY-6-STATECHANGE: Standby: 49:
Vlan149 state Speak -> Standby

What conclusion can you infer from this information?

A. VRRP is initializing and operating correctly.
B. HSRP is initializing and operating correctly.
C. GLBP is initializing and operating correctly.
D. VRRP is not properly exchanging three hello messages.
E. HSRP is not properly exchanging three hello messages.
F. GLBP is not properly exchanging three hello messages.

 

Answer: E

Explanation

These error messages describe a situation in which a standby HSRP router did not receive three successive HSRP hello packets from its HSRP peer (by default, hello messages are sent every 3 seconds while the holdtime is 10 seconds). The output shows that the standby router moves from the standby state to the active state. Shortly thereafter, the router returns to the standby state. Unless this error message occurs during the initial installation, an HSRP issue probably does not cause the error message. The error messages signify the loss of HSRP hellos between the peers. When you troubleshoot this issue, you must verify the communication between the HSRP peers. A random, momentary loss of data communication between the peers is the most common problem that results in these messages. HSRP state changes are often due to High CPU Utilization. If the error message is due to high CPU utilization, put a sniffer on the network and the trace the system that causes the high CPU utilization.

(Reference and good resource: http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094afd.shtml)

Question 2

You administer a network that uses two routers, R1 and R2, configured as an HSRP group to provide redundancy for the gateway. Router R1 is the active router and has been configured as follows:

R1#configure terminal
R1(config)#interface fa0/0
R1(config-if)#ip address 10.10.0.5 255.255.255.0
R1(config-if)#standby 1 priority 150
R1(config-if)#standby preempt delay minimum 50
R1(config-if)#standby 1 track interface fa0/2 15
R1(config-if)#standby 1 ip 10.10.0.20

Which of the following describes the effect the “standby preempt delay minimum 50” command will have on router R1?

A. The HSRP priority for router R1 will increase to 200.
B. Router R1 will become the standby router if the priority drops below 50.
C. The HSRP priority for router R1 will decrease to 50 points when Fa0/2 goes down.
D. Router R1 will wait 50 seconds before attempting to preempt the active router.

 

Answer: D

Explanation

If R1, for some reason, loses its active state, the “standby preempt delay minimum 50” command will cause R1 to wait 50 seconds before it tries to get the active state again -> D is correct.

Question 3

Refer to the exhibit. HSRP has been configured and Link A is the primary route to router R4. When Link A fails, router R2 (Link B) becomes the active router. Which router will assume the active role when Link A becomes operational again?

HSRP_active_standby.jpg

A. The primary router R1 will reassume the active role when it comes back online.
B. The standby router R2 will remain active and will forward the active role to router R1 only in the event of its own failure.
C. The standby router R2 will remain active and will forward the active role to router R1 only in the event of Link B failure.
D. The third member of the HSRP group, router R3, will take over the active role only in event of router R2 failure.

 

Answer: A

Explanation

When R1 fails, the “standby 1 preempt” command on R2 will cause R2 to take over the active state of R1. But when R1 comes up again, the “standby 1 preempt” command on R1 will help R1 take over the active state again. Without the “preempt” command configured on R2, R2 only takes over the active state only if it receives information indicating that there is no router currently in active state (by default it does not receive 3 hello messages from the active router). Without the “preempt” command on R2, it will not become active router even if its priority is higher than all other routers.

Question 4

Which first-hop redundancy solution listed would supply clients with MAC address 0000.0C07.AC0A for group 10 in response to an ARP request for a default gateway?

A. IRDP
B. Proxy ARP
C. GLBP
D. HSRP
E. VRRP
F. IP Redirects

 

Answer: D

Explanation

The last two-digit hex value in the MAC address presents the HSRP group number. In this case 0A in hexa equals 10 in decimal so this router belongs to group 10 and it is running HSRP.

Question 5

What three tasks will a network administrator perform to successfully configure Hot Standby Routing Protocol? (Choose three)

A. Define the encapsulation type
B. Define the standby router
C. Define the IP address
D. Enable the standby mode
E. Enable HSRP

 

Answer: B C E

Question 6

You want to allow Router R1 to immediately become the active router if its priority is highest than the active router fails. What command would you use if you wanted to configure this?

A. en standby 1 preempt
B. standby 1 preempt enable
C. standby 1 preempt
D. hot standby 1 preempt

 

Answer: C

Question 7

Routers R1 and R2 are configured for HSRP as shown below:

Router R1:

interface ethernet 0
ip address 20.6.2.1 255.255.255.0
standby 35 ip 20.6.2.21
standby 35 priority 100
!
interface ethernet 1
ip address 20.6.1.1 255.255.255.0
standby 34 ip 20.6.1.21

Router R2:

interface ethernet 0
ip address 20.6.2.2 255.255.255.0
standby 35 ip 20.6.2.21
!
interface ethernet 1
ip address 20.6.1.2 255.255.255.0
standby 34 ip 20.6.1.21
standby 34 priority 100

You have configured the routers R1 & R2 with HSRP. While debugging router R2 you notice very frequent HSRP group state transitions. What is the most likely cause of this?

A. physical layer issues
B. no spanning tree loops
C. use of non-default HSRP timers
D. failure to set the command standby 35 preempt

 

Answer: A

Explanation

The configuration on both R1 and R2 are correct. But both routers are not configured with the “preempt” command so by default they only take over the active state when they believe there is no active router (by default they don’t hear 3 successive hello messages from the active router). Therefore the most likely cause of this problem is a link failure between them (physical layer issue) -> A is correct.

Question 8

In which three HSRP states do routers send hello messages? (Choose three)

A. Learn
B. Speak
C. Standby
D. Listen
E. Active
F. Remove

 

Answer: B C E

Explanation

Speak state: sends hello messages to compete for the standby or active role.
Standby state: send hello messages to inform it is the standby router so that other routers (which are not active or standby router, in listen state) know the standby router is still there.
Active state: sends hello messages to indicate it is still up

Question 9

In the hardware address 0000.0c07.ac0a, what does 07.ac represent?

A. HSRP well-known physical MAC address
B. Vendor code
C. HSRP router number
D. HSRP group number
E. HSRP well-known virtual MAC address

 

Answer: E

Explanation

The HSRP standby IP address is a virtual MAC address which is composed of 0000.0c07.ac**. In which “**” is the HSRP group number in hexadecimal.

Question 10

Refer to the exhibit. Which two problems are the most likely cause of the exhibited output? (Choose two)

Vlan8 – Group 8
Local state is Active, priority 110, may preempt
Hellotime 3 holdtime 10
Next hello sent in 00:00:01.168
Hot standby IP address is 10.1.2.2 configured
Active router is local
Standby router is unknown expired
Standby virtual mac address is 0000.0c07.ac08
5 state changes, last state change 00:05:03

A. Transport layer issues
B. VRRP misconfiguration
C. HSRP misconfiguration
D. Physical layer issues
E. Spanning tree issues

 

Answer: C D

Explanation

When you see this error, it means the local router fails to receive HSRP hellos from neighbor router. Two things you should check first are the physical layer connectivity and verify the HSRP configuration. An example of HSRP misconfiguration is the mismatched of HSRP standby group and standby IP address.

Another thing you should check is the mismatched VTP modes.

(Reference: http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094afd.shtml)

HSRP Questions 3

May 7th, 2014 certprepare 2 comments

Here you will find answers to HSRP Questions – Part 3

Question 1

Which two statements are true about the Hot Standby Router Protocol (HSRP)? (Choose two)

A. Load sharing with HSRP is achieved by creating multiple subinterfaces on the HSRP routers.
B. Routers configured for HSRP can belong to multiple groups and multiple VLANs.
C. Load sharing with HSRP is achieved by creating HSRP groups on the HSRP routers.
D. All routers configured for HSRP load balancing must be configured with the same priority.
E. Routers configured for HSRP must belong to only one group per HSRP interface.

 

Answer: B C

Explanation

B is correct according to http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_19_ea1/configuration/guide/swhsrp.html

To load sharing with HSRP, we can divide traffic into two HSRP groups:

+ One group assigns the active state for one switch
+ The other group assigns the active state for the other switch

The example below shows how to load sharing with HSRP:

HSRP_load_sharing.jpg

In this topology, R1 is the active router for Group 1 and is the standby router for Group 2 while R2 is the active router for Group 2 and is the standby router for Group 1. The configurations of R1 and R2 are shown below:

R1:
interface fa0/1 //Group 1
ip address 192.168.1.2
standby 1 ip 192.168.1.1
standby 1 priority 150
standby 1 preempt
standby 1 track Serial 0
!
interface fa0/0 //Group 2
ip address 192.168.2.2
standby 2 ip 192.168.2.1
standby 2 priority 145
standby 2 preempt
R2:
interface fa0/1 //Group 2
ip address 192.168.2.3
standby 2 ip 192.168.2.1
standby 2 priority 150
standby 2 preempt
standby 2 track Serial 0
!
interface fa0/0 //Group 1
ip address 192.168.1.3
standby 1 ip 192.168.1.1
standby 1 priority 145
standby 1 preempt

-> C is correct.

Note: An interface can belong to multiple HSRP groups, and the same HSRP group can be applied to different interfaces -> E is not correct.

Question 2

Refer to the exhibit. Assume that Switch_ A is active for the standby group and the standby device has only the default HSRP configuration. What conclusion is valid?

Switch_A(config-if)# ip address 10.10.10.1 255.255.255.0
Switch_A(config-if)# standby 1 priority 200
Switch_A(config-if)# standby 1 preempt
Switch_A(config-if)# standby 1 track interface fa 1/1
Switch_A(config-if)# standby 1 ip 10.10.10.10

A. If port Fa1/1 on Switch_ A goes down, the standby device will take over as active.
B. If the current standby device were to have the higher priority value, it would take over the role of active for the HSRP group.
C. If port Fa1/1 on Switch_ A goes down, the new priority value for the switch would be 190.
D. If Switch_ A had the highest priority number, it would not take over as active router.

 

Answer: C

Explanation

By default, the standby track interface decrement is 10 so if interface fa1/1 goes down, the new priority value is 200 – 10 = 190

Question 3

Which statement best describes first-hop redundancy protocol status, given the command output in the exhibit?

HSRP_show_ip_arp.jpg

A. The first-hop redundancy protocol is not configured for this interface.
B. HSRP is configured for group 10.
C. HSRP is configured for group 11.
D. VRRP is configured for group 10.
E. VRRP is configured for group 11.
F. GLBP is configured with a single AVF.

 

Answer: C

Explanation

The MAC address of the last IP is 0000.0c07.ac0b indicates HSRP has been configured for group 11 (0b in hexa = 11 in decimal).

Question 4

HSRP has been configured between two Company devices. What kind of message does an HSRP configured router send out every 3 seconds?

A. Retire
B. Coup
C. Resign
D. Send
E. Hello

 

Answer: E

Question 5

The following command was issued on a router that is being configured as the active HSRP router.
standby ip 10.2.1.1

Which statement is true about this command?

A. This command will not work because the HSRP group information is missing
B. The HSRP MAC address will be 0000.0c07.ac00
C. The HSRP MAC address will be 0000.0c07.ac01
D. The HSRP MAC address will be 0000.070c.ad01
E. This command will not work because the active parameter is missing

 

Answer: B

Explanation

The full syntax of the command above is:

standby [group-number] ip [ip-address [secondary]]

Therefore in the command “standby ip 10.2.1.1” we recognize it is using the default group-number, which is 0 -> The last two-digit hex value of HSRP MAC address should be “00”.

 

Question 6

What can be determined about the HSRP relationship from the displayed debug output?

*Mar 1 00:12:16.871: SB11: Vl11 Hello in 172.16.11.112 Active pri 50 ip 172.16.11.115
*Mar 1 00:12:16.871: SB11: Vl11 Active router is 172.16.11.112
*Mar 1 00:12:18.619: %LINK-3-UPDOWN: Interface Vlan11, changed state to up
*Mar 1 00:12:18.623: SB: Vl11 Interface up
*Mar 1 00:12:18.623: SB11: Vl11 Init: a/HSRP enabled
*Mar t 00:12:18.623: SB11: Vl11 Init-> Listen
*Mar 1 00:12:19.619: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1 1, changed state to up
*Mar 1 00:12:19.819: SB11: Vl11 Hello in 172.16.11.112 Active pri 50 ip 172.16.11.115
*Mar 1 00:12:19.819: SB11: V111 Listen: h/Hello rcvd from lower pri Active router (50/172.16.11.112)
*Mar 1 00:12:22.815: SB11: Vl11 Hello in 172.16.11.112 Active pri 50 ip 172.16.11.115
*Mar 1 00:12:22.815: SB11: Vl11 Listen: h/Hello rcvd from lower pri Active router
*Mar 1 00:12:25.683: SB11: Vl11 Hello in 172.16.11.112 Active pri 50 ip 172.16.11.115
*Mar 1 00:12:25.683: SB11: Vl11 Listen: h/Hello rcvd from lower pri Active router (50/172.16.11.112)
*Mar 1 00:12:28.623: SB11: Vl11 Listen: d/Standby timer expired (unknown)
*Mar 1 00:12:28.623: SB11: Vl11 Listen-> Speak
*Mar 1 00:12:28.623: SB11: Vl11 Hello out 172.16.11.111 Speak pri 100 ip 172.16.11.115
*Mar 1 00:12:28.659: SB11: Vl11 Hello in 172.16.11.112 Active pri 50 ip 172.16.11.115
*Mar 1 00:12:28.659: SB11: Vl11 Speak h/Hello rcvd from lower pri Active router (50/172.16.11.112)
*Mar 1 00:12:31.539: SB11: Vl11 Hello in 172.16.11.112 Active pri 50 ip 172.16.11.115
*Mar 1 00:12:31.539: SB11: Vl11 Speak h/Hello rcvd from lower pri Active router (50/172.16.11.112)
*Mar 1 00:12:31.575: SB11: Vl11 Hello out 172.16.11.111 Speak pri 100 ip 172.16.11.115
*Mar 1 00:12:34.491: SB11: Vl11 Hello in 172.16 11.112 Active pri 50 ip 172.16.11.115

A. Router 172.16.11.112 will be the active router because its HSRP priority is preferred over router 172.16.11.111
B. Router 172.16.11.111 will be the active router because its HSRP priority is preferred over router 172.16.11.112
C. The IP address 172.16.11.111 is the virtual HSRP router IP address.
D. The IP address 172.16.11.112 is the virtual HSRP router IP address.
E. The nonpreempt feature is enabled on the 172.16.11.112 router.
F. The preempt feature is not enabled on the 172.16.11.111 router.

 

Answer: F

Explanation

To understand the output you should learn these terms:

Field Description
SB Abbreviation for “standby”
Vl11 Interface on which a Hot Standby packet was sent or received.
Hello in Hello packet received from the specified IP address.
Hello out Hello packet sent from the specified IP address.
pri Priority advertised in the hello packet.
ip address Hot Standby group IP address advertised in the hello packet.
state Transition from one state to another.

(Reference: http://www.cisco.com/en/US/docs/ios/debug/command/reference/db_s1.html)

From the output we learn:

Line Debug output Description
1 Vl11 Hello in 172.16.11.112 Active pri 50 ip 172.16.11.115 Priority of 172.16.11.112 is 50 (its standby IP address is 172.16.11.115)
2 Active router is 172.16.11.112 The current active router is 172.16.11.112
3 Interface Vlan11, changed state to up Interface Vlan11 is turned on
6 Init-> Listen Our router changes from Init to Listen state
15 Listen-> Speak After the standby timer expired (line 14), our router changes from Listen to Speak state
16 Hello out 172.16.11.111 Speak pri 100 ip 172.16.11.115 Our router IP is 172.16.11.111, priority is 100 (its standby IP address is also 172.16.11.115)
18 Speak h/Hello rcvd from lower pri Active router The Hellos received from lower priority Active router but our router does not send Coup message to take over active state

In short, our router (172.16.11.111) changes from Init -> Listen -> Speak state. It received hellos from the active router 172.16.11.112 with lower priority but it does not send Coup message to take over active state -> It is not configured with the “preempt” command.

Question 7

Refer to the exhibit. Based on the “debug standby” output in the exhibit, which HSRP statement is true?

*May 10 20:34:08.925: *SYS- 5-CONFIG_I: Configured from console by console
*May 10 20:34:10.213: LINK-3-UPDOWN: Interface Vlan11, changed state to up
*May 10 20:34:10.221: SB: Vl11 : Interface up
*May 10 20:34:10.221: SB11: Vl11 Init: a/HSRP enabled
*May 10 20:34:10.221: SB11: Vl11 Init -> Listen
*May 10 20:34:11.213: LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan11 changed state to up
*May 10 20:34:20.221: SB11: Vl11 Listen: c/Active timer expired (unknown)
*May 10 20:34:20.221: SB11: Vl11 Listen -> Speak
*May 10 20:34:20.221: SB11: Vl11 Hello out 10.10.10, 111 Speak pri 100 ip 10.10. 10.115
*May 10 20:34:28.905; SB11: Vl11 Hello out 10.10.10.111 Speak pri 100 ip 10.10. 10.115
*May 10 20:34:30.221: SB11: Vl11 Speak: d/Standby timer expired (unknown)
*May 10 20:34:30.221: SB11: Vl11 Standby router is local
*May 10 20:34:30.221; SB11: Vl11 Speak -> Standby
*May 10 20:34:30.221; SB11: Vl11 Hello out 10.10.10.111 Standby pri 100 ip 10.10. 10.115
*May 10 20:34:30.221: SB11: Vl11 Standby: e/Active timer expired (unknown)
*May 10 20:34:30.221: SB11: Vl11 Active router is local
*May 10 20:34:30.221: SB11: Vl11 Standby router is unknown, was local
*May 10 20:34:30.221: SB11: Vl11 Standby -> Active
*May 10 20:34:30.221: %STANDBY-6- STATECHANGE: Vlan11 Group 11 state Standby -> Active
*May 10 20:34:30.221: SB11: Vl11 Hello out 10.10.10.111 Active pri 100 ip 10.10. 10.115
*May 10 20:34:33.085: SB11: Vl11 Hello out 10.10.10.111 Active pri 100 ip 10.10. 10.115

A. DSW111 is the active router because it is the only HSRP-enabled router on that segment.
B. DSW111 is the active router because the standby timer has been incorrectly configured.
C. DSW111 is the active router because it has a lower priority on that VLAN.
D. DSW111 is the active router because it has a lower IP address on that VLAN.
E. DSW111 is the active router and is advertising the virtual IP address 10.10.10.111 on VLAN 11.

 

Answer: A

Explanation

From the output we learn that DSW111 moves from Init -> Listen -> Speak -> Standby -> Active and all the messages are “Hello out” (no messages are “Hello in”). This means that DSW111 is the only router sending messages in this segment.

(If you don’t know about these terms please read the explanation of Question 6)

Question 8

Refer to the exhibit. Based on the debug output shown in the exhibit, which three statements about HSRP are true? (Choose three.)

*Mar 1 00 16:43.095: %LINK-3-UPDOWN: Interface Vlan11, changed state to up
*Mar 1 00 16:43.099: SB: Vl11 Interface up
*Mar 1 00 16:43.099: SB11: Vl11 Init: a/HSRP enabled
*Mar 1 00 16:43.099: SB11: Vl11 Init -> Listen
*Mar 1 00 16:43.295: SB11: Vl11 Hello in 172.16.11.112 Active pri 50 ip 172.16.11.115
*Mar 1 00 16:43.295: SB11: Vl11 Active router is 172.16.11.112
*Mar 1 00 16:43.295: SB11: Vl11 Listen: h/Hello rcvd from lower pri Active router (50/172.16.11.112)
*Mar 1 o o 16:43.295: SB11: Vl11 Active router is local, was 172.16.11.112
*Mar 1 00 16:43.299: %STANDBY-6-STATECHANGE: Vlan11 Group 11 state Listen -> Active
*Mar 1 00 16:43.299: SB11: Vl11 Hello out 172.16.11.111 Active pri 100 ip 172.16.11.115
*Mar 1 00 16:43.303: SB11: Vl11 Hello in 172.16.11.112 Speak pri 50 ip 172.16.11.115
*Mar 1 00 16:46.207: SB11: Vl11 Hello out 172.16.11.111 Active pri 100 ip 172.16.11.115
*Mar 1 00 16:49.095: SB11: Vl11 Hello in 172.16.11.112 Speak pri 50 ip 172.16.11.115

A. The router with IP address 172.16.11.111 has preempt configured.
B. The final active router is the router with IP address 172.16.11.111.
C. The router with IP address 172.16.11.112 has nonpreempt configured.
D. The priority of the router with IP address 172.16.11.112 is preferred over the router with IP address 172.16.11.111.
E. The router with IP address 172.16.11.112 is using default HSRP priority.
F. The IP address 172.16.11.115 is the virtual HSRP IP address.

 

Answer: A B F

Question 9

HSRP_show_standby.jpg

Examine the router output above. Which two items are correct? (Choose two)

A. The local IP address of Router A is 10.1.0.6.
B. The local IP address of Router A is 10.1.0.20.
C. If Ethernet 0/2 goes down, the standby router will take over.
D. When Ethernet 0/3 of RouterA comes back up, the priority will become 105.
E. Router A will assume the active state if its priority is the highest.

 

Answer: D E

The current state of this router is “active” and the standby router is 10.1.0.6, which makes answer A incorrect)

The IP address of the local router is not mentioned so we can’t conclude answer B. Notice that the IP 10.1.0.20 is just the virtual IP address of this HSRP group.

+ “Tracking 2 objects, 0 up” -> both Ethernet0/2 and 0/3 are currently down so the priority of RouterA was reduced from 120 to 95 (120 – 15 – 10). Therefore when Ethernet0/3 is up again, the priority of RouterA will be 95 + 10 = 105 -> D is correct.

From the line “preempt enabled” we learn this router is configured with “preempt” command so it will take over the active state if its priority is the highest -> E is correct. But a funny thing in this question is even when two interfaces are down, the priority of RouterA is still higher than the standby router so it is still the active router (the priority of standby router is 75). This also makes answer C incorrect.

Question 10

Refer to the exhibit. On the basis of the information provided in the exhibit, which two sets of procedures are best practices for Layer 2 and 3 failover alignment? (Choose two)

HSRP_STP.jpg

A. Configure the D-SW1 switch as the active HSRP router and the STP root for all VLANs. Configure the D-SW2 switch as the standby HSRP router and backup STP root for all VLANs.
B. Configure the D-SW1 switch as the standby HSRP router and the STP root for VLANs 11 and 110. Configure the D-SW2 switch as the standby HSRP router and the STP root for VLANs 12 and 120.
C. Configure the D-SW1 switch as the active HSRP router and the STP root for VLANs 11 and 110. Configure the D-SW2 switch as the active HSRP router and the STP root for VLANs 12 and 120.
D. Configure the D-SW2 switch as the active HSRP router and the STP root for all VLANs. Configure the D-SW1 switch as the standby HSRP router and backup STP root for all VLANs.
E. Configure the D-SW1 switch as the active HSRP router and the backup STP root for VLANs 11 and 110. Configure the D-SW2 switch as the active HSRP router and the backup STP root for VLANs 12 and 120.
F. Configure the D-SW1 switch as the standby HSRP router and the backup STP root for VLANs 12 and 120. Configure the D-SW2 switch as the standby HSRP router and the backup STP root for VLANs 11 and 110.

 

Answer: C F

Explanation

The “best practices for Layer 2 and 3 failover alignment” here means using load sharing of HSRP.

To load sharing with HSRP, we can divide traffic into two HSRP groups:

+ One group assigns the active state for one switch
+ The other group assigns the active state for the other switch

-> C and F are correct.

Also please read an example of HSRP load sharing in the explanation of Question 1 on this page.

 

HSRP Questions 4

May 7th, 2014 certprepare No comments

Here you will find answers to HSRP Questions – Part 4

Question 1

Which three of the following network features are methods used to achieve high availability? (Choose three)

A. Spanning Tree Protocol (STP)
B. Delay reduction
C. Hot Standby Routing Protocol (HSRP)
D. Dynamic routing protocols
E. Quality of Service (QoS)
F. Jitter management

 

Answer: A C D

Explanation

STP, HSRP and dynamic routing protocols provide backup paths to reach the destination and achieve high availability.

Note: Quality of Service (Qos) only prioritizes specific type of data over other types and provides no high availability.

Question 2

Which command will ensure that R2 will be the primary router for traffic using the gateway address of 172.16.15.20?

HSRP_preempt.jpg

A. On R2 add the command standby 1 priority 80
B. On R1 add the command standby 1 priority 110
C. On R1 add the command standby 1 priority 80
D. On R2 remove the command standby 1 preempt

 

Answer: C

Explanation

By default the priority value of HSRP is 100 so in order to ensure that R2 will be the primary router for traffic using the gateway address of 172.16.15.20 we can set the priority of R2 higher than 100 or set the priority of R1 lower than 100 -> only C is correct.

Question 3

Which command will need to be added to External_A to ensure that it will take over if serial 0/0 on External_B fails?

HSRP_track.jpg

A. standby 1 priority 130
B. standby 1 preempt
C. standby 1 track fastethernet 0/0
D. standby 1 track 10.10.10.1

 

Answer: B

Explanation

The “standby 1 preempt” command on External_A router will make External_A take over the active state if it learns that its priority is higher than that of External_B router. In this case, when S0/0 interface of External_B fails, its priority will be 105 – 10 = 95, which is smaller than the default priority value (100) on External_A.

Question 4

Refer to the exhibit and the partial configuration on routers R1 and R2. Hot Standby Routing Protocol (HSRP) is configured on the network to provide network redundancy for the IP traffic. The network administrator noticed that R2 does not became active when the R1 serial0 interface goes down. What should be changed in the configuration to fix the problem?

HSRP_interface_down.jpg

A. The Serial0 interface on router R2 should be configured with a decrement value of 20.
B. The Serial0 interface on router R1 should be configured with a decrement value of 20.
C. R2 should be configured with a standby priority of 100.
D. R2 should be configured with a HSRP virtual address.

 

Answer: B

Explanation

When Serial0 of R1 goes down, the priority of R1 is still higher than that of R2 (115 – 10 = 105 > 100) so we should configured the decrement value of 20 on R1 with the command: standby 1 track Serial0 20.

Question 5

Three Cisco Catalyst switches have been configured with a first-hop redundancy protocol. While reviewing some show commands, debug output, and the syslog, you discover the following information:

Jan 9 08:00:42.623: %STANDBY-6-STATECHANGE. Standby: 49:Vlan149 state Standby -> Active
Jan 9 08:00:56.011: %STANDBY-6-STATECHANGE. Standby: 49:Vlan149 state Active -> Speak
Jan 9 08:01:03.011: %STANDBY-6-STATECHANGE. Standby: 49:Vlan149 state Speak -> Standby
Jan 9 08:01:29.427: %STANDBY-6-STATECHANGE. Standby: 49:Vlan149 state Standby -> Active
Jan 9 08:01:36.808: %STANDBY-6-STATECHANGE. Standby: 49:Vlan149 state Active -> Speak
Jan 9 08:01:43.808: %STANDBY-6-STATECHANGE. Standby: 49:Vlan149 state Speak -> Standby

What conclusion can you infer from this information?

A. VRRP is initializing and operating correctly.
B. HSRP is initializing and operating correctly.
C. GLBP is initializing and operating correctly.
D. VRRP is not exchanging three hello messages properly.
E. HSRP is not exchanging three hello messages properly.
F. GLBP is not exchanging three hello messages properly.

 

Answer: E

Explanation

These error messages describe a situation in which a standby HSRP router did not receive three successive HSRP hello packets from its HSRP peer. The output shows that the standby router moves from the standby state to the active state. Shortly thereafter, the router returns to the standby state. Unless this error message occurs during the initial installation, an HSRP issue probably does not cause the error message. The error messages signify the loss of HSRP hellos between the peers. When you troubleshoot this issue, you must verify the communication between the HSRP peers. A random, momentary loss of data communication between the peers is the most common problem that results in these messages. HSRP state changes are often due to High CPU Utilization. If the error message is due to high CPU utilization, put a sniffer on the network and the trace the system that causes the high CPU utilization.

There are several possible causes for the loss of HSRP packets between the peers. The most common problems are physical layer problems, excessive network traffic caused by spanning tree issues or excessive traffic caused by each Vlan.

(Reference: http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094afd.shtml#t1)

Question 6

Refer to the exhibit. Routers R1 and R2 are configured in an HSRP group to provide redundancy to the users on Network A. The T1 link between R1 and Network B has failed. How will HSRP respond to the failure?

HSRP_active_router.jpg

R1# show running-config
!
interface Ethernet0
ip address 171.16.6.5 255.255.255.0
standby 1 ip 171.16.6.100
standby 1 priority 105
standby 1 preempt
standby 1 track Serial0 10
standby 1 track Serial1 10
!
interface Serial0
ip address 10.10.1.1 255.255.255.0
!
interface Serial1
ip address 10.10.3.3 255.255.255.0
!
R2# show running-config
!
interface Ethernet0
ip address 171.16.6.6 255.255.255.0
standby 1 ip 171.16.5 100
standby 1 preempt
standby 1 track Serial0 10
!
interface Serial0
ip address 10.10.2.2 255.255.255.0
!

A. R1 will change its priority but will remain active using the Frame Relay backup link to forward the traffic to Network B
B. R2 will assume the role of active router and will use its T1 link to forward the traffic to Network B
C. Both routers R1 and R2 will be active, and the traffic will be load balanced between the T1 links
D. Both routers R1 and R2 will be inactive, and the users on Network A will lose the connectivity to Network B

 

Answer: B

Explanation

On R1, interface E0 is configured with the priority of 105 (standby 1 priority 105) while interface E0 of R2 uses the default priority of 100 so R1 will become the active router. Both the routers are configured with “preempt” feature so if one of them has a higher priority than the active router, it assumes control as the active router.

Both the routers are configure to track interface S0 (connected R3 via T1 links) so if its T1 links fails, the hot standby priority on the device decreases by 10 (the default decrement value). In this case if T1 link connected to R1 fails its priority would be 105 – 10 = 95 and it is smaller than that of R2 (100, by default) so R2 will take the active role and send Network A traffic via its T1 link.

Question 7

Which high availability service is verified by the show standby command?

A. VRRP
B. GLBP
C. HSRP
D. MSTP
E. PVRST

 

Answer: C

Explanation

The syntax for VRRP and GLBP begins with “vrrp” and “glbp” respectively, for example: “vrrp 10 priority 110”; “glbp 10 priority 254” while the syntax for HSRP is “standby …”, for example “standby 1 ip 10.10.10.1”.

Question 8

HSRP_STP_timer_flap.jpg

Observe the topology in the exhibit. HSRP is configured between RTB and RTC with RTC as the active router. SW2 is configured as the root bridge for the Spanning Tree Protocol. What will happen if the serial connection of RTC is down?

A. STP will not need to be recalculated because RTB will take over as active router
B. RTB and RTC will flap between active and standby because the timers for the STP are greater that the timers for HSRP
C. All traffic will automatically forward to RTB
D. SW3 will take over as the new root bridge

 

Answer: B

Explanation

To make the explanation easier we added port numbers to our routers and switches.

HSRP_STP_timer_flap_explanation.jpg

When S0/0 interface on RTC goes down, suppose RTC is tracking this interface and it is lost the active role. RTB will take the active role and turns on its Fa0/0 port. SW2 detects this link-state change and a spanning tree protocol transition takes place. The port Fa0/1 (on Sw2) takes approximately 30 seconds to go through the listening, learning, and forwarding stages. This time period exceeds the default timeouts of the HSRP hello processes so RTC, after reaching the Standby state, becomes Active because no hello packets were received from the RTB. Once again, the port Fa0/1 on Sw3 needs 30 seconds to reach final forwarding stage and that causes RTB tries to get the active role again -> Both RTB and RTC will flap between active and standby.

Note: HSRP changes its state when it fails to receive three consecutive HSRP hello packets from its peer. By default, hello timer is set to 3 seconds. That means a hello packet is sent between the HSRP standby group devices every 3 seconds, and the standby device becomes active when a hello packet has not been received for 10 seconds.(Reference: http://www.cisco.com/c/en/us/support/docs/ip/hot-standby-router-protocol-hsrp/13782-8.html)

Note: Physical link-state changes caused by HSRP state changes occur specifically on the network module-Fast Ethernet (NM-FE) interfaces on Cisco 2600, Cisco 3600 and Cisco 7200 series routers. This behavior no longer occurs in Cisco IOS® Software release 12.1(3) and higher.

Question 9

What is the maximum number of HSRP standby groups that can be configured on a Cisco router?

A. 16
B. 32
C. 64
D. 128
E. 256

 

Answer: E

Question 10

You have just purchased a new Cisco 3550 switch running the enhanced IOS and need to configure it to be installed in a high availability network. Which three types of interfaces can be used to configure HSRP on a 3550 EMI switch? (Choose three)

A – BVI interface
B – routed port
C – SVI interface
D – Access port
E – EtherChannel port channel
F – Loopback Interface

Answer: B C E

Explanation:

To configure HSRP, a Layer 3 interface is needed. They can be:

Routed port: a physical port configured as a Layer 3 port by entering the no switchport interface configuration command.
SVI: a VLAN interface created by using the interface vlan vlan_id global configuration command and by default a Layer 3 interface.
Etherchannel port channel in Layer 3 mode: a port-channel logical interface created by using the interface port-channel port-channel-number global configuration command and binding the Ethernet interface into the channel group.

Reference:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_19_ea1/configuration/guide/swhsrp.html

HSRP Questions 5

May 7th, 2014 certprepare No comments

Here you will find answers to HSRP Questions – Part 5

Question 1

You work as a network technician , study the exhibit carefully. Which two statements are true about the output from the show standby vlan 50 command? (Choose two)

Catalyst_A# show standby vlan 50
VLAN50 – Group 1
Local State is Active, priority 200 may preempt
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 1.302
Virtual IP address is 192.168.1.1 configured
Active router is local
Standby router is 192.186.1.11 expires in 9.443
Virtual MAC address is 0000.0c07.ac01
Authentication text ”AuthenKey”
2 state changes, last state change 00:11:30
IP redundancy name is “hsrp-Vl150-1” (default)VLAN50 -Group 2
Local State is Standby , priority 100
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 0.98
Virtual IP address is 192.186.1.2 configured
Active router is 192.168.1.11 , priority 200 expires in 6.334
Standby router is local
Authentication text “AuthenKey”
3 state changes, last state change 0:09:30
IP redundancy name is “hsrp-Vl150-2” (default)

A. Catalyst_A is load sharing traffic in VLAN 50.
B. Hosts using the default gateway address of 192.168.1.2 will have their traffic sent to Catalyst_A.
C. The command standby 1 preempt was added to Catalyst_A.
D. Hosts using the default gateway address of 192.168.1.1 will have their traffic sent to 192.168.1.11 even after Catalyst _A becomes available again.

 

Answer: A C

Explanation

The output shows that the Catalyst_A switch is the active router for HSRP group 1 and the standby router for HSRP group 2 on interface VLAN 50. This means that another switch is the active router for HSRP group 2 on interface VLAN 50 -> A is correct, Catalyst_A is load sharing traffic in VLAN 50.

B is not correct, only hosts using the default gateway address of 192.168.1.1 will have their traffic sent to Catalyst_A

From the output, we notice that there is a line showing that “Local State is Active, priority 200 may preempt”. This indicates the command “standby 1 preempt” was added to Catalyst_A. If the active router (this router) fails, another router takes over its active role. The original active router is not allowed to resume the active role when it is restored until the new active router fails. Pre-empting allows a higher-priority router to take over the active role immediately.

Question 2

You are a network technician, study the exhibit carefully. Assume that Host PC can ping the Corporate Headquarters and that HSRP is configured on DS1, which is then reloaded. Assume that DS2 is then configured and reloaded. On the basis of this information, what conclusion can be drawn?

HSRP_Reboot

DS1# show running-config
interface Vlan10
ip address 10.10.10.2 255.255.255.0
no ip redirects
standby 60 priority 105
standby 60 ip 10.10.10.1
standby 60 track GigabitEthernet 0/1
———————————————
DS2# show running-config
interface Vlan10
ip address 10.10.10.3 255.255.255.0
no ip redirects
standby 60 priority 150
standby 60 ip 10.10.10.1
standby 60 track GigabitEthernet 0/1

A. DS1 will be the active router because it booted first.
B. DS1 will be the standby router because it has the lower IP address.
C. DS1 will be the active router because it has the lower priority configured.
D. DS2 will be the active router because it booted last.

 

Answer: A

Explanation

The configuration does not have the “standby 60 preempt”command so the first booted router will take the active role with any priority.

Question 3

HSRP is a Cisco-proprietary protocol developed to allow several routers (or multilayer switches) to appear as a single gateway address. Which two statements are true about the Hot Standby Router Protocol (HSRP)? (Choose two)

A – Load sharing with HSRP is achieved by creating multiple subinterfaces on the HSRP routers.
B – Routers configured for HSRP can belong to multiple groups and multiple VLANs.
C – All routers configured for HSRP load balancing must be configured with the same priority.
D – Load sharing with HSRP is achieved by creating HSRP groups on the HSRP routers.

 

Answer: B D

Question 4

You are a network technician, do you know which three statements are correct about a default HSRP configuration? (Choose three)

A – The Standby track interface priority is 10.
B – The Standby priority is 100.
C – The Standby hold time is 10 seconds.
D – Two HSRP groups are configured.

 

Answer: A B C

Question 5

Which three protocols have been developed for IP routing redundancy to protect against first-hop router failure? (Choose three)

A. GLBP
B. ICMP
C. MSTP
D. HSRP
E. VRRP
F. NHRP

 

Answer: A D E

Explanation

All three protocols above are used for IP routing redundancy to protect against first-hop router failure. Some main differences of them are listed below:

HSRP: is a Cisco proprietary protocol.
VRRP: Open standard, created by IETF
GLBP: is a Cisco proprietary protocol. It is the only protocol (in three) supports load-balancing.

VRRP Questions

May 6th, 2014 certprepare 1 comment

Here you will find answers to (VRRP) Questions

Note: The main difference between HSRP and VRRP is that HSRP is a Cisco proprietary protocol while VRRP is an open standard. In VRRP, the active router is referred to as the master virtual router.

Question 1

Refer to the exhibit. Which Virtual Router Redundancy Protocol (VRRP) statement is true about the roles of the master virtual router and the backup virtual router?

VRRP_master_backup_router.jpg

A. Router A is the master virtual router, and Router B is the backup virtual router. When Router A fails, Router B will become the master virtual router. When Router A recovers, Router B will maintain the role of master virtual router.
B. Router A is the master virtual router, and Router B is the backup virtual router. When Router A fails, Router B will become the master virtual router. When Router A recovers, it will regain the master virtual router role.
C. Router B is the master virtual router, and Router A is the backup virtual router. When Router B fails, Router A will become the master virtual router. When Router B recovers, it will regain the master virtual router role.
D. Router B is the master virtual router, and Router A is the backup virtual router. When Router B fails, Router A will become the master virtual router. When Router B recovers, Router A will maintain the role of master virtual router.

 

Answer: B

Explanation

RouterA is the master virtual router because of higher priority value.

By default, a preemptive scheme is enabled whereby a higher priority backup virtual router that becomes available takes over for the backup virtual router that was elected to become master virtual router. You can disable this preemptive scheme using the no vrrp preempt command. If preemption is disabled, the backup virtual router that is elected to become master virtual router remains the master until the original master virtual router recovers and becomes master again.

-> B is correct.

(Reference: http://www.cisco.com/en/US/docs/ios/12_0st/12_0st18/feature/guide/st_vrrpx.html)

Question 2

Which one of the statements below correctly describes the Virtual Router Redundancy Protocol (VRRP), which is being used in the Company network to provide redundancy?

A. A VRRP group has one active and one or more standby virtual routers.
B. A VRRP group has one master and one or more backup virtual routers.
C. A VRRP group has one master and one redundant virtual router.
D. A VRRP group has one active and one backup virtual router

 

Answer: B

Explanation

Unilike HSRP (which has one active router, one standby router and many listening routers), a VRRP group has one master router and one or more backup routers. All backup routers are in backup state.

Question 3

Which router redundancy protocol cannot be configured for interface tracking?

A. GLBP
B. HSRP
C. RPR
D. VRRP
E. SLB
F. RPR+

 

Answer: D

Explanation

VRRP cannot directly track an interface status but interfaces can be tracked through a tracked object. Notice that HSRP and GLBP can track both object and interface status.

Question 4

Which protocol will enable a group of routers to form a single virtual router and will use the real IP address of a router as the gateway address?

A. Proxy ARP
B. HSRP
C. IRDP
D. VRRP
E. GLBP

 

Answer: D

Explanation

VRRP is similar to HSRP but. However, with VRRP the IP address used can be either a virtual one or the actual IP address of the primary router.

Note: With HSRP, two or more devices support a virtual router with a fictitious MAC address and unique IP address. Hosts use
this IP address as their default gateway.

Question 5

If you are a network technician, study the exhibit carefully. Which Virtual Router Redundancy Protocol (VRRP) statement is true about the roles of the master virtual router and the backup virtual router?

VRRP

RA(config)# interface f0/0
RA(config-if)# ip address 10.0.0.1 255.255.255.0
RA(config-if)# vrrp 1 priority 110
RA(config-if)# vrrp 1 ip 10.0.0.10
———————————————————————
RB(config)# interface f0/0
RB(config-if)# ip address 10.0.0.2 255.255.255.0
RB(config-if)# vrrp 1 priority 100
RB(config-if)# vrrp 1 ip 10.0.0.10

A – Router RA is the master virtual router, and Router RB is the backup virtual router. When Router RA fails, Router RB will become the master virtual router. When Router RA recovers, Router RB will maintain the role of master virtual router.
B – Router RA is the master virtual router, and Router RB is the backup virtual router. When Router RA fails, Router RB will become the master virtual router. When Router RA recovers, it will regain the master virtual router role.
C – Router RB is the master virtual router, and Router RA is the backup virtual router. When Router RB fails, Router RA will become the master virtual router. When Router RB recovers, RouterRA will maintain the role of master.
D – Router RB is the master virtual router, and Router RA is the backup virtual router. When Router RB fails, Router
RA will become the master virtual router. When Router RB recovers, it will regain the master virtual router role.

 

Answer: B

Explanation:

Router RA is the master virtual router because of its higher priority (110). By default, the pre-empting function is enabled so Router RB will become the master virtual router when RA fails; and when RA recovers, it will take the master role again.

GLBP Questions

May 6th, 2014 certprepare 5 comments

Here you will find answers to Gateway Load Balancing Protocol (GLBP) Questions

If you are not sure about GLBP, please read our GLBP tutorial.

Question 1

Which protocol allows for the automatic selection and simultaneous use of multiple available gateways as well as automatic failover between those gateways?

A. VRRP
B. GLBP
C. IRDP
D. HSRP

 

Answer: B

Explanation

In HSRP and VRRP, only the primary router is used to forward traffic, others routers must wait for the primary one down before they are used. Also, the bandwidth of the standby (and other) routers are not used and wasted. With GLBP, up to four gateways can be used simultaneously. There is still one virtual IP address in a group, but GLBP can automatically select which router in the group to forward traffic by sending the virtual MAC address of a selected router to that host.

Question 2

Which two statements are true about HSRP, VRRP, and GLBP? (Choose two)

A. GLBP and VRRP allow for MD5 authentication, whereas HSRP does not.
B. HSRP allows for multiple upstream active links being simultaneously used, whereas GLBP does not.
C. GLBP allows for router load balancing of traffic from a network segment without the different host IP configurations required to achieve the same results with HSRP.
D. Unlike HSRP and VRRP, GLBP allows automatic selection and simultaneous use of multiple available gateways.
E. GLBP allows for router load balancing of traffic from a network segment by utilizing the creation of multiple standby groups.

 

Answer: C D

Question 3

Refer to the exhibit. What is this configuration an example of?

track 1 interface POS 5/0 ip routing
track 2 interface POS 6/0 ip routing
interface fastethernet 0/0
glbp 10 weighting 110 lower 95 upper 105
glbp 10 weighting track 1 decrement 10
glbp 10 weighting track 2 decrement 10
glbp 10 forwarder preempt delay minimum 60

A. GLBP weighting
B. Default AVF and AVG configuration
C. GLBP MD5 authentication
D. GLBP text authentication
E. GLBP timer manipulation

 

Answer: A

Explanation

The command “glbp 10 weighting 110 lower 95 upper 105” specifies the initial weighting value (110), the lower (95) and the upper (105) thresholds. Notice that if the weight falls below the lower threshold then the router will not be an Active Virtual Forwarder (AVF) until the weight rises up to the higher threshold.

When the track object fails, the weighting is decremented by the value after the “decrement” keyword. In this case, POS5/0 and POS6/0 are tracked objects and if one of them fails, the weighting is decreased by 10 -> the weighting = 110 – 10 = 100. This value is still higher than the lower value 95 so this router is still the AVF. If both interfaces fail, the weighting will be smaller than the lower value so this router loses the AVF (until both interfaces are up again).

Question 4

Refer to the exhibit. Which four statements accurately describe this GLBP topology? (Choose four)

GLBP_AVG_AVF.jpg

A. Router A is responsible for answering ARP requests sent to the virtual IP address.
B. If Router A becomes unavailable. Router B will forward packets sent to the virtual MAC address of Router A.
C. Router A alternately responds to ARP requests with different virtual MAC addresses.
D. Router B will transition from blocking state to forwarding state when it becomes the AVG.
E. If another router were added to this GLBP group, there would be two backup AVGs.
F. Router B is in GLBP listen state.

 

Answer: A B C E

Explanation

In a GLBP group, the AVG assigns a virtual MAC address to each member of the GLBP group. It also answers Address Resolution Protocol (ARP) requests for the virtual IP address -> A is correct.

When Router A becomes unavailable, Router B will take over the job of forwarding packets for virtual MAC address 0007.b400.0101 of Router A -> B is correct.

Router A can load balance traffic by alternately responding to ARP requests with different virtual MAC addresses. In this case two virtual MAC addresses 0007.b400.0101 and 0007.b400.0102 will be used alternately in ARP Replies -> C is correct.

Both Router A and Router B are in forwarding state. The trick here is client 1 only sends traffic to Router A while client 2 only sends traffic to Router B -> D is not correct.

If another router were added to this GLBP group, Router B and it can forward packets in the case of Router A fails -> E is correct (but notice that the newly added router would be in listening state).

In GLBP, there are 3 states in a group: active, standby, or listen. Members of a GLBP group elect one gateway to be the Active Virtual Gateway (AVG) for that group. It also elects one member as Standby Virtual Gateway (SVG). If there are more than two members, then the members that remain are in the listen state. In this case, Router A is elected as AVG while Router B is elected as SVG -> Router B is in active state -> F is not correct.

(Reference: http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a00807d2520.shtml)

Question 5

Exhibit:

GLBP_AVF.jpg

You work as a network engineer at Certprepare.com. You study the exhibit carefully. Which GLBP device hosts receive the MAC address assignment?

A. R1
B. R2
C. The AVG
D. The AVF

 

Answer: D

Explanation

Notice that the MAC address of the AVF is not the physical MAC address of R1 or R2. It is a virtual MAC address used in GLBP and is used by hosts to send traffic to these routers.

 

Question 6

Refer to the exhibit. Host A has sent an ARP message to the default gateway IP address 10.10.10.1. Which statement is true?

GLBP_show_running-config.jpg

A. DSw2 will reply with the IP address of the next AVF.
B. DSw1 will reply with the MAC address of the next AVF.
C. Because of the invalid timers that are configured, DSw1 will not reply.
D. DSw1 will reply with the IP address of the next AVF.
E. Because of the invalid timers that are configured, DSw2 will not reply.
F. DSw2 will reply with the MAC address of the next AVF.

 

Answer: F

Explanation

The priorities of two switches are equal so GLBP uses IP address of that interface to choose the AVG -> DSw2 wins the election because of higher real IP address and become the AVG. Therefore it will reply all the incoming ARP Requests with the MAC address of the next AVF (DSw1 and DSw2 alternately in this case.

Question 7

Refer to the exhibit. The Gateway Load Balancing Protocol has been configured on routers R1 and R2, and hosts A and B have been configured as shown. Which statement can be derived from the exhibit?

GLBP_default_gateway.jpg

A. The host A default gateway has been configured as 10.88.1.10/24.
B. The GLBP weighted load balancing mode has been configured.
C. The GLBP round-robin, load-balancing mode has been configured.
D. The GLBP host-dependent, load-balancing mode has been configured.
E. The host A default gateway has been configured as 10.88.1.1/24.
F. The host A default gateway has been configured as 10.88.1.4/24.

 

Answer: A

Question 8

Refer to the exhibit. What is the result of setting GLBP weighting at 105 with lower threshold 90 and upper threshold 100 on this router?

show_glbp_FastEthernet.jpg

A. Only if both tracked objects are up will this router will be available as an AVF for group 1.
B. Only if the state of both tracked objects goes down will this router release its status as an AVF for group 1.
C. If both tracked objects go down and then one comes up, but the other remains down, this router will be available as an AVF for group 1.
D. This configuration is incorrect and will not have any effect on GLBP operation.
E. If the state of one tracked object goes down then this router will release its status as an AVF for group 1.

 

Answer: B

Explanation

Each tracked object goes down will decrease the weighting of this router by 10, that makes the weighting = 105 – 10 = 95. This value is still higher than the lower threshold (90) so this router is not lost its status as an AVF. Only if both tracked objects go down, the weighting will fall below the lower threshold (105 – 10 – 10 = 85 < 90) and this router will release its status as an AVF for group 1 -> B is correct.

Question 9

Which describes the default load balancing scheme used by the Gateway Load Balancing Protocol (GLBP)?

A. Per host using a strict priority scheme
B. Per session using a round-robin scheme
C. Per session using a strict priority scheme
D. Per GLBP group using a strict priority scheme
E. Per host basis using a round robin-scheme
F. Per GLBP group using a round-robin scheme

 

Answer: E

Explanation

In GLBP, there are 3 operational modes for load balancing:

+ Weighted load-balancing: traffic is balanced proportional to a configured weight
+ Host-dependent load-balancing: a host is used the same virtual MAC address as long as that MAC is participating in the GLBP group.
+ Round-robin load-balancing: each virtual MAC is used to respond to each ARP Request alternately. This is also the default load balancing scheme used by GLBP.

Question 10

Refer to the exhibit. GLBP has been configured on the network. When the interface serial0/0/1 on router R1 goes down, how is the traffic coming from Host1 handled?

GLBP_weighting_track.jpg

A. The traffic coming from Host2 is forwarded through router R2 with no disruption. The traffic from Host1 is dropped due to the disruption of the load balancing feature configured for the glbp group.
B. The traffic coming from both hosts is temporarily interrupted while the switchover to make R2 active occurs.
C. The traffic coming from Host2 is forwarded through router R2 with no disruption. Host1 sends an ARP request to resolve the MAC address for the new virtual gateway.
D. The traffic coming from Host1 and Host2 is forwarded through router R2 with no disruption.

 

Answer: D (?)

Explanation

When R1 goes down, the weighting is decreased by 10 by default, priority = 110 – 10 = 100 but it is still higher than the lower threshold (95) so R1 does not give up its role as a virtual forwarder and continues forwarding traffic but the Serial 0/0/1 was down so traffic from Host 1 cannot be routed. Therefore we can’t say answer D is correct.

Maybe there is something wrong in the exhibit. To make answer D correct, the weighting command should be “glbp 10 weighting 100 lower 95 upper 105”.

GLBP Questions 2

May 6th, 2014 certprepare 1 comment

Here you will find answers to Gateway Load Balancing Protocol (GLBP) Questions – Part 2

If you are not sure about GLBP, please read our GLBP tutorial.

Question 1

Refer to the exhibit. What statement is true based upon the configuration of router R1 and router R2?

GLBP_show_running-config_gigabitethernet.jpg

A. Router R2 will become the master for Virtual Router 1, and router R1 will become the backup for Virtual Router 2.
B. Router R1 will become the master for Virtual Router 1, and router R2 will become the backup for Virtual Router 2.
C. Router R1 will become the active virtual gateway.
D. Router R2 will become the active virtual gateway.
E. The hello and hold timers are incompatible with OSPF type 5 LSAs.
F. The hello and hold timers are incompatible with multi-homed BGP.

 

Answer: C

Explanation

R2 is configured with the “priority” command so it will use the default priority value of 100, which is smaller than that of R1 (150) -> R1 will be active virtual gateway.

Question 2

Which type of scheme describes the default operation of Global Load Balancing Protocol (GLBP)?

A. Per host using a round robin scheme
B. Per host using a strict priority scheme
C. Per session using a round robin scheme
D. Per session using a strict priority scheme
E. Per GLBP group using a round robin scheme
F. Per GLBP group using a strict priority scheme

 

Answer: A

Explanation

GLBP load sharing is done in one of three ways:

Round-robin load-balancing algorithm: Each router MAC is used sequentially to respond to ARP requests. This is the default load balancing mode in GLBP and is suitable for any number of end hosts. ->
Weighted load-balancing algorithm
: Traffic is balanced proportional to a configured weight. Each GLBP router in the group will advertise its weighting and assignment; the AVG will act based on that value. For example, if there are two routers in a group and R1 has double the forwarding capacity of router B, the weighting value of router A should be configured to be double the amount of R2.
Host-dependent load-balancing algorithm: A given host always uses the same router.

Question 3

You are a network technician, study the exhibit carefully. Both routers are configured for the Gateway Load Balancing Protocol (GLBP). Which statement is true?

GLBP1

A. The default gateway address of each host should be set to the virtual IP address.
B. The default gateway addresses of both hosts should be set to the IP addresses of both routers.
C. The hosts will have different default gateway IP addresses and different MAC addresses for each.
D. The hosts will learn the proper default gateway IP address from Router RA.

Answer: A

Question 4

You work as a network technician at Technical Corporation. Your boss is interested in GLBP. Study the network topology exhibit carefully. Which three statements accurately describe this GLBP topology? (Choose three)

GLBP_AVG

A – If RA becomes unavailable, RB will forward packets sent to the virtual MAC address of RA.
B – RA is responsible for answering ARP requests sent to the virtual IP address.
C – If another router were added to this GLBP group, there would be two backup AVGs.
D – RA alternately responds to ARP requests with different virtual MAC addresses.

 

Answer: A B D

Explanation

If RA fails, the GLBP protocol informs RB to replace the AVG that is down. The new AVG (in this case RB) will forward the packet sent to the 0008.b400.0101 virtual mac address, so the client sees no disruption of service nor does it need to resolve a new MAC address for the default gateway. -> A is correct.

RA, which is the AVG, replies to the ARP requests from clients with different virtual MAC addresses, thus achieving load balancing -> B is correct.

RA is elected as the AVG and RB is elected as the standby virtual gateway. If another router is added to this GLBP group, it will become a backup AVG -> there is only one backup AVG -> C is not correct.

“RA alternately responds to ARP requests with different virtual MAC addresses” this is the way GLBP provides load balancing over multiple routers (gateways) using a single virtual IP address and multiple virtual MAC addresses. Which MAC address it returns depends on which load-balancing algorithm it is configured to use -> D is correct.

Wireless Questions

May 5th, 2014 certprepare 2 comments

Here you will find answers to Wireless Questions

Note: Old questions have been deleted so there is only one valid question here.

Question 1

A campus infrastructure supports wireless clients via Cisco Aironet AG Series 1230,1240, and 1250 access points. With DNS and DHCP configured, the 1230 and 1240 access points appear to boot and operate normally. However, the 1250 access points do not seem to operate correctly.

What is the most likely cause of this problem?

A. DHCP with option 150
B. DHCP with option 43
C. PoE
D. DNS
E. Switch port does not support gigabit speeds

 

Answer: C

Private VLAN (PVLAN)

May 5th, 2014 certprepare 9 comments

Here you will find answers to Private VLAN Questions

Quick review:

The main purpose of Private VLAN (PVLAN) is to provide the ability to isolate hosts at Layer 2 instead of Layer 3. As you know, a VLAN is a broadcast domain, by using PVLAN we are splitting that domain into some smaller broadcast domains. For example, without PVLAN, a service provider wants to increase security by isolating customers into separate domains so that they can’t access each other, they have to assign them into different VLANs and use different subnets. This can result in a waste of IP addresses and difficulty in VLAN management. Private VLANs (PVLANs) can solve this problem by allowing the isolation of devices at Layer 2 in the same subnet. PVLAN can be considered “VLANs inside VLAN”.

There are three types of ports in PVLAN:

* Isolated: only communicate with promiscuous ports. Notice that it cannot even communicate with another isolated port. Also, there can be only 1 isolated VLAN per PVLAN.
* Promiscuous: can communicate with all other ports. The default gateway is usually connected to this port so that all devices in PVLAN can go outside.
* Community: can communicate with other members of that community and promiscuous ports but cannot communicate with other communities. There can be multiple community VLANs per PVLAN.

PVLAN_Promiscuous_Community_Isolated.jpg

For example, in the topology above:

+ Host A cannot communicate with Host B, C, D, E and F. It can only communicate with Promiscuous port to the router. Notice that even two Isolated ports in the same VLAN cannot communicate with each other.

+ Host C can communicate with Host D because they are in the same community but Host C cannot communicate with E and F because they are in a different community.

+ All hosts can go outside through promiscuous port.

Also I want to mention about the concept of “primary VLAN” and “secondary VLAN”. PVLAN can have only one primary VLAN; all VLANs in a PVLAN domain share the same primary VLAN. Secondary VLANs are isolated or community VLANs.

PVLAN_Primary_VLAN_Secondary_VLAN.jpg

Configuration of PVLAN:

1. Set VTP mode to transparent
2. Create secondary (isolated and community) VLANs and primary VLAN
3. Associate secondary VLANs to the primary VLAN
4. Configure interfaces as promiscuous interfaces
5. Configure interfaces to be isolated or community interfaces.

Sample configuration used the topology above:

//First set VTP to transparent mode
Switch(config)#vtp mode transparent

//Create secondary VLANs
Switch(config)#vlan 101
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#vlan 102
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#vlan 103
Switch(config-vlan)#private-vlan community

//Create primary VLAN
Switch(config-vlan)#vlan 100
Switch(config-vlan)#private-vlan primary

//Associate secondary (isolated, community) VLANs to the primary VLAN
Switch(config-vlan)#private-vlan association 101,102,103

//Assign Promiscuous port to the port connected to the router, with the primary VLAN mapped to the secondary VLAN.
Switch(config)# interface f0/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 101,102,103

//Ports connected to hosts A, B, C, D, E, F are configured in host mode and assign to appropriate VLANs (A and B to isolated VLAN 101; C and D to community VLAN 102; E and F to community VLAN 103):
Switch(config)# interface range f0/2 – 0/3 //connect to host A and B
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 101

Switch(config-if)# interface range f0/3 -0/4 //connect to host C and D
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 102

Switch(config-if)# interface f0/5 – 0/6 //connect to host E and F
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 103

To check the configuration, use this command:

Switch# show vlan private-vlan

Question 1

Refer to the exhibit. The web servers WS_1 and WS_2 need to be accessed by external and internal users. For security reasons, the servers should not communicate with each other, although they are located on the same subnet. The servers do need, however, to communicate with a database server located in the inside network. What configuration will isolate the servers from each other?

PVLAN_promiscuous_ports.jpg

A. The switch ports 3/1 and 3/2 will be defined as secondary VLAN community ports. The ports connecting to the two firewalls will be defined as primary VLAN promiscuous ports.
B. The switch ports 3/1 and 3/2 and the ports connecting to the two firewalls will be defined as primary VLAN promiscuous ports.
C. The switch ports 3/1 and 3/2 and the ports connecting to the two firewalls will be defined as primary VLAN community ports.
D. The switch ports 3/1 and 3/2 will be defined as secondary VLAN isolated ports. The ports connecting to the two firewalls will be defined as primary VLAN promiscuous ports.

 

Answer: D

Explanation

WS_1 and WS_2 cannot communicate with each other so we can put them into isolated ports. Isolated ports can only communicate with promiscuous ports so Fa3/34 and Fa3/35 should be promiscuous ports so that they can send and receive data with the Data Server.

Note: Answer A is not clear because it does not state the switch ports 3/1 and 3/2 are put into the same or different VLAN community ports. If they are put into different VLAN communities then answer A is correct.

Question 2

Refer to the exhibit. What can be concluded about VLANs 200 and 202?

show_vlan_private-vlan_type.jpg

A. VLAN 202 carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN. VLAN 200 carries traffic between community ports and to promiscuous ports.
B. VLAN 202 carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN. VLAN 200 carries traffic from isolated ports to a promiscuous port.
C. VLAN 200 carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN. VLAN 202 carries traffic between community ports and to promiscuous ports.
D. VLAN 200 carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN. VLAN 202 carries traffic from isolated ports to a promiscuous port.

 

Answer: B

Explanation

In fact the exhibit above is wrong, that output should be from the command “show vlan private-vlan”. The “show vlan private-vlan type” should give output like this:

Vlan Type
202
200
Primary
isolated

With this output we can see VLAN 202 is configured as the primary VLAN while VLAN 200 is configured as secondary (isolated) VLAN -> B is correct.

Question 3

Private VLANs can be configured as which three of these port types? (Choose three)

A. isolated
B. protected
C. private
D. associated
E. promiscuous
F. community

 

Answer: A E F

Explanation

There are three types of ports can be configured in a Private VLAN: isolated, promiscuous, community.

* Isolated: only communicate with promiscuous ports. Notice that it cannot even communicate with another isolated port. Also, there can be only 1 isolated VLAN per PVLAN.
* Promiscuous: can communicate with all other ports. The default gateway is usually connected to this port so that all devices in PVLAN can go outside.
* Community: can communicate with other members of that community and promiscuous ports but cannot communicate with other communities. There can be multiple community VLANs per PVLAN.

Question 4

Refer to the exhibit. From the configuration shown, what can you determine about the private VLAN configuration?

Switch# configure terminal
Switch (config)# vlan 20
Switch (config-vlan)# private-vlan primary
Switch (config-vlan)# exit
Switch (config)# vlan 501
Switch (config-vlan)# private-vlan isolated
Switch (config-vlan )#exit
Switch (config)# vlan 502
Switch (config-vlan)#private-vlan community
Switch (config-vlan)# exit
Switch (config)# vlan 503
Switch (config-vlan )# private-vlan community
Switch (config-vlan)# exit
Switch (config)# vlan 20
Switch (config-vlan)#private-vlan association 501-503
Switch (config-vlan)# end

A. Only VLAN 503 will be the community PVLAN because multiple community PVLANs are not allowed.
B. Users of VLANs 501 and 503 will be able to communicate.
C. VLAN 502 is a secondary VLAN.
D. VLAN 502 will be a standalone VLAN because it is not associated with any other VLANs.

 

Answer: C

Explanation

There are two types of secondary VLAN: isolated and community. In this case VLAN 502 is a community VLAN -> C is correct.

In a PVLAN, multiple community VLANs are allowed. But notice a PVLAN can have only one primary VLAN and one isolated VLAN -> A is not correct.

Only community in the same VLAN can communicate with each other. Users in different communities are not able to communicate -> B is not correct.

The command “private-vlan association 501-503” associates VLANs 501, 502 and 503 to the Primary VLAN 20 -> D is not correct.

Question 5

When configuring private VLANs, which configuration task must you do first?

A. Configure the private VLAN port parameters.
B. Configure and map the secondary VLAN to the primary VLAN.
C. Disable IGMP snooping.
D. Set the VTP mode to transparent.

 

Answer: D

Explanation

Before configuring private VLANs, we must set VTP mode to transparent because VTP version 1 and 2 do not support private VLAN (VTP version 3 does support PVLAN). Notice that a switch in VTP transparent mode still forwards other VTP updates to its neighbors.

Question 6

A switch has been configured with Private VLANs. With what type of PVLAN port should the default gateway be configured?

A. Trunk
B. Isolated
C. Primary
D. Community
E. Promiscuous

 

Answer: E

Explanation

A default gateway should be configured Promiscuous type so that all devices in PVLAN can go outside.

VLAN Hopping Questions

May 5th, 2014 certprepare No comments

Here you will find answers to VLAN Hopping Questions

Question 1

What two steps can be taken to help prevent VLAN hopping? (Choose two)

A. Place unused ports in a common unrouted VLAN
B. Enable BPDU guard
C. Implement port security
D. Prevent automatic trunk configuration
E. Disable CDP on ports where it is not necessary

 

Answer: A D

Explanation

VLAN Hopping: By altering the VLAN ID on packets encapsulated for trunking, an attacking device can send or receive packets on
various VLANs, bypassing Layer 3 security measures. VLAN hopping can be accomplished by switch spoofing or double tagging.

1) Switch spoofing:

Switch_Spoofing.jpg

The attacker can connect an unauthorized Cisco switch to a Company switch port. The unauthorized switch can send DTP frames and form a trunk with the Company Switch. If the attacker can establish a trunk link to the Company switch, it receives traffic to all VLANs through the trunk because all VLANs are allowed on a trunk by default.

(Instead of using a Cisco Switch, the attacker can use a software to create and send DTP frames).

2) Double-Tagging:

Double_Tagging.jpg

In this attack, the attacking computer generates frames with two 802.1Q tags. The first tag matches the native VLAN of the trunk port (VLAN 10 in this case), and the second matches the VLAN of a host it wants to attack (VLAN 20).

When the packet from the attacker reaches Switch A, Switch A only sees the first VLAN 10 and it matches with its native VLAN 10 so this VLAN tag is removed. Switch A forwards the frame out all links with the same native VLAN 10. Switch B receives the frame with an tag of VLAN 20 so it removes this tag and forwards out to the Victim computer.

Note: This attack only works if the trunk (between two switches) has the same native VLAN as the attacker.

Please notice that if the port in which the attacker connects to is an access port then he can make an attack too. But maybe you will wonder “what a switch do if it receives tagged traffic from an access port?”. Here is the answer quoted from Cisco site:

Traffic arriving on an access port is assumed to belong to the VLAN assigned to the port. If an access port receives a tagged packet (Inter-Switch Link [ISL] or 802.1Q tagged) for the VLAN assigned to the port, the packet is forwarded. If the port receives a tagged packet for another VLAN, the packet is dropped, the source address is not learned, and the frame is counted in the No destination statistic.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_19_ea1/configuration/guide/swint.html#wp1107751)

So in this case, the attacker is on VLAN 10, which is also the native VLAN -> the packet is forwarded.

To mitigate VLAN Hopping, the following things should be done:

1) If no trunking is required, configure port as an access port, this also disables trunking on that interface:

Switch(config-if)# switchport mode access

2) If trunking is required, try to configure the port to Nonegotiate to prevent DTP frames from being sent.

Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate

-> Therefore answer D – Prevent automatic trunk configuration is correct.

3) Set the native VLAN to an unused VLAN and don’t use this VLAN for any other purpose:

Switch(config-if)# switchport trunk native vlan VLAN-ID

4) Force the switch to tag the native VLAN on all its 802.1Q trunks:

Switch(config)# vlan dot1q tag native

In this question, answer A – Place unused ports in a common unrouted VLAN is also correct because the Double-Tagging method requires the attacker’s port must be in the same VLAN with Native VLAN -> Place these ports in unrouted VLAN will put these ports in different VLAN from the Native VLAN.

Question 2

What is one method that can be used to prevent VLAN hopping on the network?

A. Configure VACLs.
B. Configure all frames with two 802.1Q headers.
C. Enforce username/password combinations.
D. Explicitly turn off Dynamic Trunking Protocol (DTP) on all unused ports.
E. All of the above

 

Answer: D

Explanation

Disable DTP so that switchport will not negotiate trunking on the link by this command:

Switch(config-if)# switchport nonegotiate

Or a better way is to configure it as an access port:

Switch(config-if)# switchport mode access

Note: VACLs should only be used to mitigate DHCP Snooping, not VLAN Hopping by filtering out DHCP Reply from outside ports.

Question 3

Which two statements about VLAN hopping are true? (Choose two)

A. Attacks are prevented by utilizing the port-security feature.
B. An end station attempts to gain access to all VLANs by transmitting Ethernet frames in the 802.1q encapsulation.
C. Configuring an interface with the “switchport mode dynamic” command will prevent VLAN hopping.
D. An end station attempts to redirect VLAN traffic by transmitting Ethernet frames in the 802.1q encapsulation.
E. Configuring an interface with the “switchport mode access” command will prevent VLAN hopping.

 

Answer: B E

Explanation

Please read the explanation of Question 1.

Question 4

When an attacker is using switch spoofing to perform VLAN hopping, how is the attacker able to gather information?

A. The attacking station uses DTP to negotiate trunking with a switch port and captures all traffic that is allowed on the trunk.
B. The attacking station tags itself with all usable VLANs to capture data that is passed through the switch, regardless of the VLAN to which the data belongs.
C. The attacking station will generate frames with two 802.1Q headers to cause the switch to forward the frames to a VLAN that would be inaccessible to the attacker through legitimate means.
D. The attacking station uses VTP to collect VLAN information that is sent out and then tags itself with the domain information in order to capture the data.

 

Answer: A

Explanation

Please read the explanation of Question 1.

DHCP Spoofing Questions

May 5th, 2014 certprepare No comments

Here you will find answers to DHCP Spoofing Questions

Quick review of DHCP Spoofing:

DHCP_Spoofing_Attack.jpg

DHCP spoofing is a type of attack in that the attacker listens for DHCP Requests from clients and answers them with fake DHCP Response before the authorized DHCP Response comes to the clients. The fake DHCP Response often gives its IP address as the client default gateway -> all the traffic sent from the client will go through the attacker computer, the attacker becomes a “man-in-the-middle”.

The attacker can have some ways to make sure its fake DHCP Response arrives first. In fact, if the attacker is “closer” than the DHCP Server then he doesn’t need to do anything. Or he can DoS the DHCP Server so that it can’t send the DHCP Response.

DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.

DHCP_Spoofing_Attack_Trust_Untrust_Ports.jpg

Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of DHCP messages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP response is seen on an untrusted port, the port is shut down.

Note: ARP is a stateless protocol so an ARP Reply sent to client does not require authentication

Question 1

What are three required steps to configure DHCP snooping on a switch? (Choose three)

A. Configure the switch to insert and remove DHCP relay information (option-82 field) in forwarded DHCP request messages.
B. Configure DHCP snooping globally.
C. Configure the switch as a DHCP server.
D. Configure DHCP snooping on an interface.
E. Configure all interfaces as DHCP snooping trusted interfaces.
F. Configure DHCP snooping on a VLAN or range of VLANs.

 

Answer: B D F

Explanation

To configure DHCP snooping feature, at least three steps must be done:

Sequence and Description Command
1. Configure global DHCP snooping Switch(config)# ip dhcp snooping
2. Configure trusted ports (as least on 1 port).
By default, all ports are untrusted
Switch(config-if)# ip dhcp snooping trust
3. Configure DHCP snooping for the selected VLANs Switch(config)# ip dhcp snooping vlan {VLAN-ID | VLAN range}

Other steps are just optional:

+ Configure DHCP Option 82
Switch(config)# ip dhcp snooping information option

+ Configure the number of DHCP packets per second (pps) that are acceptable on the port:
Switch(config-if)# ip dhcp snooping limit rate {rate}

Reference: SWITCH Student Guide

Question 2

Which statement is true about DHCP spoofing operation?

A. DHCP spoofing and SPAN cannot be used on the same port of a switch.
B. To prevent a DHCP spoofing, the DHCP server must create a static ARP entry that cannot be updated by a dynamic ARP packet.
C. To prevent a DHCP spoofing, the switch must have DHCP server services disabled and a static entry pointing towards the DHCP server.
D. DHCP spoofing can be prevented by placing all unused ports in an unused VLAN.

 

Answer: B

Explanation

First let’s analyze answer A.

Switched Port Analyzer (SPAN) feature copies network traffic from a VLAN or group of ports to a selected port. SPAN is generally referred to as Port mirroring. An example of configuring SPAN port is shown below:

Switch(config)#monitor session 1 source interface FastEthernet 0/1
Switch(config)#monitor session 1 destination interface FastEthernet 0/2

The above configuration will capture all traffic from interface FastEthernet 0/1 and send it to interface FastEthernet 0/2.

Answer A is a bit unclear because SPAN involves 2 ports: source and destination ports; but we don’t know which port is mentioned. SPAN does not affect the switching function on the source port but it does affect the destination port: all incoming traffic is disable on destination port so DHCP spoofing cannot be done on this port. I suppose this question wants to mention about source port, which makes answer A incorrect.

Although it is not mentioned in the books but answer B is the best choice. If the DHCP server can create a static ARP entry that cannot be updated by a dynamic ARP packet then the attacker cannot change the MAC address information of the DHCP server on client -> B is correct.

Usually a switch does not have DHCP server services; also a static entry pointing towards the DHCP server will not help prevent DHCP spoofing -> C is not correct.

Place all unused ports in an unused VLAN can prevent VLAN Hopping, not DHCP spoofing -> D is not correct.

Question 3

Refer to the exhibit. What type of attack is being defended against?

show_ip_dhcp_snooping.jpg

A. Snooping attack
B. Rogue device attack
C. STP attack
D. VLAN attack
E. Spoofing attack
F. MAC flooding attack

 

Answer: E

Explanation

DHCP snooping is a method used to defend DHCP spoofing.

Question 4

An attacker is launching a DoS attack with a public domain hacking tool that is used to exhaust the IP address space available from the DHCP servers for a period of time. Which procedure would best defend against this type of attack?

A. Configure only trusted interfaces with root guard.
B. Implement private VLANs (PVLANs) to carry only user traffic.
C. Implement private VLANs (PVLANs) to carry only DHCP traffic.
D. Configure only untrusted interfaces with root guard.
E. Configure DHCP spoofing on all ports that connect untrusted clients.
F. Configure DHCP snooping only on ports that connect trusted DHCP servers.

 

Answer: F

Explanation

To defend DHCP spoofing attack, we only need to configure DHCP snooping on trusted interfaces because other ports are classified as untrusted ports by default.

Question 5

Refer to the exhibit. DHCP snooping is enabled for selected VLANs to provide security on the network. How do the switch ports handle the DHCP messages?

show_ip_dhcp_snooping_2.jpg

A. Ports Fa2/1 and Fa2/2 source DHCP requests only. Port Fa3/1 is eligible to source all DHCP messages and respond to DHCP requests.
B. Ports Fa2/1 and Fa2/2 respond to DHCP requests only. Port Fa3/1 is eligible to source all DHCP messages.
C. Ports Fa2/1 and Fa2/2 are eligible to source all DHCP messages and respond to DHCP requests. Port Fa3/1 can source DHCP requests only.
D. All three ports, Fa2/1, Fa2/2, and Fa3/1, are eligible to source all DHCP messages and respond to DHCP requests.

 

Answer: C

Explanation

Trusted ports are allowed to send all types of DHCP messages. Untrusted ports can send only DHCP requests. If a DHCP response is seen on an untrusted port, the port is shut down. In this case, Fa2/1 & Fa2/2 are trusted (can send all types of DHCP messages) while Fa3/1 is untrusted (can only send DHCP requests).

Question 6

Refer to the exhibit. An attacker is connected to interface Fa0/11 on switch A-SW2 and attempts to establish a DHCP server for a man-in-middle attack. Which recommendation, if followed, would mitigate this type of attack?

DHCP_Spoofing_untrusted_port.jpg

A. All switch ports in the Building Access block should be configured as DHCP untrusted ports.
B. All switch ports in the Building Access block should be configured as DHCP trusted ports.
C. All switch ports connecting to servers in the Server Farm block should be configured as DHCP untrusted ports.
D. All switch ports connecting to hosts in the Building Access block should be configured as DHCP trusted ports.
E. All switch ports in the Server Farm block should be configured as DHCP untrusted ports.
F. All switch ports connecting to hosts in the Building Access block should be configured as DHCP untrusted ports.

 

Answer: F

Explanation

All switch ports connecting to hosts should only send DHCP Requests and they are the ports that can be easily accessed by an attacker -> They should be configured as DHCP untrusted ports.

Question 7

Refer to the exhibit.

show_ip_dhcp_snooping_packets.jpg

DHCP snooping is enabled for selected VLANs to provide security on the network. How do the switch ports handle the DHCP messages?

A. A DHCPOFFER packet from a DHCP seiver received on Ports Fa2/1 and Fa2/2 is dropped.
B. A DHCP packet received on ports Fa2/1 and Fa2/2 is dropped if the source MAC address and the DHCP client hardware address does not match Snooping database.
C. A DHCP packet received on ports Fa2/1 and Fa2/2 is forwarded without being tested.
D. A DHCPRELEASE message received on ports Fa2/1 and Fa2/2 has a MAC address in the DHCP snooping binding database, but the interface information in the binding database does not match the interface on which the message was received and is dropped.

 

Answer: C

Explanation

Interface Fa2/1 & 2/2 have been configured as trusted ports so packets received on these interfaces are forwarded without being tested.

(For a quick review of DHCP snooping please read: http://www.certprepare.com/dhcp-spoofing-questions.

Dynamic ARP Inspection DAI

May 4th, 2014 certprepare No comments

Here you will find answers to Dynamic ARP Inspection (DAI) Questions

Question 1

Which three statements are true about the dynamic ARP inspection (DAI) feature? (Choose three)

A. DAI can be performed on ingress ports only.
B. DAI can be performed on both ingress and egress ports.
C. DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
D. DAI should be enabled on the root switch for particular VLANs only in order to secure the ARP caches of hosts in the domain.
E. DAI should be configured on all access switch ports as untrusted and on all switch ports connected to other switches as trusted.
F. DAI is supported on access and trunk ports only.

 

Answer: A C E

Explanation

DAI is an ingress security feature and does not perform any egress checking -> A is correct

DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports -> C is correct.

We should configure access switch ports as untrusted because in most cases an attacker will use these ports. By default, all interfaces are untrusted. We only need to configure all switch ports connected to other switches as trusted -> E is correct.

(Reference: http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_2/security/configuration/guide/n1000v_security_13arpinspect.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swdynarp.html)

Question 2

What does the global configuration command “ip arp inspection vlan 10-12,15” accomplish?

A. Discards ARP packets with invalid IP-to-MAC address bindings on trusted ports
B. Validates outgoing ARP requests for interfaces configured on VLAN 10,11,12, or 15
C. Intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings
D. Intercepts all ARP requests and responses on trusted ports

 

Answer: C

Explanation

The function of DAI is:

+ Intercepts all ARP requests and responses on untrusted ports
+ Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
+ Drops invalid ARP packets

On untrusted ports, the switch captures all ARP packets (both request and reply) and then validates the Source Protocol and Source Hardware address values against the snooping table database for that port. If the MAC address and IP address and the corresponding port do not match the snooping database entry, the ARP packets are dropped. DAI thus prevents the node from specifying a non-legitimate IP-MAC address binding which differs from what was given by the DHCP server.

Question 3

Refer to the exhibit. Dynamic ARP inspection (DAI) is enabled on switch SW_A only. Both Host_A and Host_B acquire their IP addresses from the DHCP server connected to switch SW_A. What would the outcome be if Host_B initiated an ARP spoof attack toward Host_A?

Dynamic_ARP_Inspection_DHCP.jpg

A. The spoof packets will be inspected at the ingress port of switch SW_A and will be permitted.
B. The spoof packets will not be inspected at the ingress port of switch SW_A and will be permitted.
C. The spoof packets will not be inspected at the ingress port of switch SW_A and will be dropped.
D. The spoof packets will be inspected at the ingress port of switch SW_A and will be dropped.

 

Answer: B

Explanation

Port Fa0/23 of SW_A is configured as trusted port while DAI is not enabled on SW_B so if Host_B sends spoof packets, SW_B and SW_A will not inspect and forward them.

Question 4

Which three statements are true about DAI? (Choose three)

A. DAI determines the validity of an ARP packet based on the valid MAC address-to-IP address bindings stored in the DHCP Snooping database.
B. DAI forwards all ARP packets received on a trusted interface without any checks.
C. DAI determines the validity of an ARP packet based on the valid MAC address-to-IP address bindings stored in the CAM table.
D. DAI forwards all ARP packets received on a trusted interface after verifying and inspecting the packet against the DAI table.
E. DAI intercepts all ARP packets on untrusted ports
F. DAI is used to prevent against a DHCP Snooping attack.

 

Answer: A B E

Explanation

Same as Question 2

Port Security Questions

May 4th, 2014 certprepare 1 comment

Here you will find answers to Port Security Questions

Quick review:

Port security feature can be used to limit the number of MAC addresses on a port. It can also allow specific MAC addresses to send traffic into that port.

Question 1

Which of the following should you enable to prevent a switch from forwarding packets with source addresses that are outside an administratively defined group? (Select the best answer)

A. DAI
B. STP
C. PVLAN
D. port security

 

Answer: D

Explanation

When you assign secure MAC addresses to a secure port, the port does not forward ingress traffic that has source addresses outside the group of defined addresses.

The example below configures secure MAC address 0000.1234.5678. Only traffic from this MAC is forwarded.

Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address 0000.1234.5678

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.html)

Question 2

You need to configure port security on switch R1. Which two statements are true about this technology? (Choose two)

A. Port security can be configured for ports supporting VoIP.
B. With port security configured, four MAC addresses are allowed by default.
C. The network administrator must manually enter the MAC address for each device in order for the switch to allow connectivity.
D. With port security configured, only one MAC addresses is allowed by default.
E. Port security cannot be configured for ports supporting VoIP.

 

Answer: A D

Explanation

Port security can be set on ports supporting VoIP. This example shows how to designate a maximum of one MAC address for a voice VLAN (for a Cisco IP Phone) and one MAC address for the data VLAN (for a PC) on Fast Ethernet interface 5/1 and to verify the configuration:
Switch(config)# interface fa5/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security maximum 1 vlan voice
Switch(config-if)# switchport port-security maximum 1 vlan access

-> A is correct.

 

By default, only one MAC addresses is allowed but we can use the “switchport port-security maximum number” command to set the maximum number of MAC allowed -> D is correct.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/port_sec.html)

Question 3

show_port_security_interface.jpg

Refer to the exhibit. The “show port-security interface fa0/1” command was issued on switch SW1. Given the output that was generated, which two security statements are true? (Choose two)

A. Interface FastEthernet 0/1 was configured with the switchport port-security aging command.
B. Interface FastEthernet 0/1 was configured with the switchport port-security violation protect command.
C. Interface FastEthernet 0/1 was configured with the switchport port-security violation restrict command.
D. When the number of secure IP addresses reaches 10, the interface will immediately shut down.
E. When the number of secure MAC addresses reaches 10, the interface will immediately shut down and an SNMP trap notification will be sent.

 

Answer: B E (wrong)

Explanation

The “Violation Mode: Protect” tells us this interface has been configured with the switchport port-security violation protect command. Protect mode drops packets with unknown source addresses when the violation occurs -> B is correct.

Well, I cannot say answer E is correct. There is something wrong here. In “Protect” mode, when the number of secure MAC addresses reaches 10, the interface will not be shut down (it just drops unknown source MAC); also an SNMP trap notification will not be sent (an SNMP would be sent in “Shutdown” or “Restrict” mode). So in the exam you I am sure you will see another version of answer E.

Question 4

Refer to the exhibit. Which interface or interfaces on switch SW_A can have the port security feature enabled?

port_security_ports.jpg

A. Ports 0/1 and 0/2
B. The trunk port 0/22 and the EtherChannel ports
C. Ports 0/1, 0/2 and 0/3
D. Ports 0/1, 0/2, 0/3, the trunk port 0/22 and the EtherChannel ports
E. Port 0/1
F. Ports 0/1, 0/2, 0/3 and the trunk port 0/22

 

Answer: C

Explanation

Port security can only be configured on static access ports or static trunk ports (DTP disabled). In this case we don’t know if the ports of the trunk link have DTP disabled or not -> only Fa0/1, Fa0/2 and Fa0/3 can be configured port security.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_6_ea2c/configuration/guide/swgports.html)

Question 5

When configuring port security on a Cisco Catalyst switch port, what is the default action taken by the switch if a violation occurs?

A. protect (drop packets with unknown source addresses)
B. restrict (increment SecurityViolation counter)
C. shutdown (access or trunk port)
D. transition (the access port to a trunking port)

 

Answer: C

Explanation

There are three port security violation modes:
+ protect – Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.
+ restrict – Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value and causes the SecurityViolation counter to increment.
+ shutdown – Puts the interface into the error-disabled state immediately and sends an SNMP trap notification.

The default behavior for a security violation is to shut down that port permanently.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.html)

Question 6

You are responsible for increasing the security within the Company LAN. Of the following choices listed below, which is true regarding layer 2 security and mitigation techniques?

A. Enable root guard to mitigate ARP address spoofing attacks.
B. Configure DHCP spoofing to mitigate ARP address spoofing attacks.
C. Configure PVLANs to mitigate MAC address flooding attacks.
D. Enable root guard to mitigate DHCP spoofing attacks.
E. Configure dynamic APR inspection (DAI) to mitigate IP address spoofing on DHCP untrusted ports.
F. Configure port security to mitigate MAC address flooding.

 

Answer: F

Explanation

Root guard is used to mitigate Spanning-tree compromises, not ARP address spoofing -> A and D are not correct.

DHCP spoofing is mitigated by DHCP snooping -> B is not correct.

PVLAN is often used to protect devices on a common VLAN, give them more separation even though they are on the same VLAN. It is not used to mitigate MAC address flooding attacks -> C is not correct.

DAI should be used to mitigate ARP Spoofing attack in which the attacker fakes its MAC as the destination MAC to receive traffic intended for valid destination -> E is not correct.

MAC flooding attack is a technique in which the attacker floods the switch with packets, each containing different source MAC address. This makes the switch learn the MAC addresses until its memory is used up. Now the switch acts like a hub, in which all incoming packets are broadcast out on all ports instead of just to the correct destination port as normal operation. The attacker can listen to these broadcast packets and capture sensitive data.

To protect against this type of attack, port security feature can be used to limit and allow specific MAC to access the port -> F is correct. (VLAN Access map with a “mac access list” can also be used to filter MAC).

Question 7

Refer to the exhibit. From the configuration shown, what can be determined?

Switch(config)# interface FastEthemet0/1
Switch(config-if)# switchport access vlan 21
Switch(config-if)# switchport mode access
Switch(config-if)# switchport voice vlan 22
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 20
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0002
Switch(config-if)# switchport port-security mac-address 0000.0000.0003
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 vlan voice
Switch(config-if)# switchport port-security mac-address 0000.0000.0004 vlan voice
Switch(config-if)# switchport port-security maximum 10 vlan access
Switch(config-if)# switchport port-security maximum 10 vlan voice

A. The sticky addresses will only be those manually configured MAC addresses enabled with the sticky keyword.
B. The remaining secure MAC addresses will be dynamically learned, converted to sticky secure MAC addresses, and added to the running configuration.
C. Since a voice VLAN is configured in this example, port security should be set for a maximum of 2.
D. A security violation will restrict the number of addresses to a maximum of 10 addresses per access VLAN and voice VLAN. The port will be shut down if more than 10 devices per VLAN attempt to access the port.

 

Answer: B

Explanation

The “sticky” keyword in switchport port-security mac-address sticky command converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses and adds to the running configuration.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swtrafc.html)

Question 8

What are two methods of mitigating MAC address flooding attacks? (Choose two)

A. Place unused ports in a common VLAN.
B. Implement private VLANs.
C. Implement DHCP snooping.
D. Implement port security.
E. Implement VLAN access maps.

 

Answer: D E

Explanation

MAC flooding attack is a technique in which the attacker floods the switch with packets, each containing different source MAC address. This makes the switch learn the MAC addresses until its memory is used up. Now the switch acts like a hub, in which all incoming packets are broadcast out on all ports instead of just to the correct destination port as normal operation. The attacker can listen to these broadcast packets and capture sensitive data.

To protect against this type of attack, port security feature can be used to limit and allow specific MAC to access the port. VLAN Access map with a “mac access list” can also be used to filter MAC -> D & E are correct.

Question 9

Given the configuration on a switch interface, what happens when a host with the MAC address of 0003.0003.0003 is directly connected to the switch port?

switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address 0002.0002.0002
switchport port-security violation shutdown

A. The host will be allowed to connect.
B. The port will shut down.
C. The host can only connect through a hub/switch where 0002.0002.0002 is already connected.
D. The host will be refused access.

 

Answer: A

Explanation

The maximum number of hosts allowed to connect is set to 2. One of them is specified as MAC 0002.0002.0002 so another MAC can be allowed to connect.

Question 10

Refer to the exhibit. Which of these is true based upon the output shown in the command?

switch# show port-security interface fastethernet 0/1
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses: 11
Total MAC Addresses: 11
Configured MAC Addresses: 3
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0

A. If the number of devices attempting to access the port exceeds 11, the port will shut down for 20 minutes, as configured.
B. The port has security enabled and has shut down due to a security violation.
C. The port is operational and has reached its configured maximum allowed number of MAC addresses.
D. The port will allow access for 11 MAC addresses in addition to the 3 configured MAC addresses.

 

Answer: C

Explanation

Notice that the “Violation mode: Shutdown” line only describes what the switch will do if a violation occurs; it is not the current status of that port. The last line “Security Violation count: 0” tells us no violation has occurred -> the port is operational. Also “the Maximum MAC” and “Total MAC Addresses” are both 11 -> the maximum MAC addresses have ben reached.

From the “Configured MAC Addresses: 3” we also learn that there are 3 MAC addresses are manually learned and 8 MAC addresses are dynamically learned.

Port Security Questions 2

May 4th, 2014 certprepare 1 comment

Here you will find answers to Port Security Questions – Part 2

Question 1

Refer to the exhibit. Based on the running configuration that is shown for interface FastEthemet0/2, what two conclusions can be deduced? (Choose two)

!
interface FastEthernet0/2
switchport mode access
switchport port-security
switchport port-security maximum 6
switchport port-security aging time 5
switchport port-security aging static
switchport port-security mac-address sticky
switchport port-security mac-address 0000.0000.000b
switchport port-security mac-address sticky 0000.0000.4141
switchport port-security mac-address sticky 0000.0000.5050
no ip address

A. Connecting a host with MAC address 0000.0000.4147 will move interface FastEthemet0/2 into error disabled state.
B. The host with address 0000.0000.4141 is removed from the secure address list after 5 seconds of inactivity.
C. The sticky secure MAC addresses are treated as static secure MAC addresses after the running configuration is saved to the startup configuration and the switch is restarted.
D. Interface FastEthemet0/2 is a voice VLAN port.
E. The host with address 0000.0000.000b is removed from the secure address list after 300 seconds.

 

Answer: C E

Explanation

In this case the “switchport port-security aging time 5” sets aging time to 5 minutes and the “switchport port-security aging static” tells the switch to age out for statically configured MAC addresses -> the MAC 0000.0000.000b will be aged out after 5 minutes (300 seconds).

Note: Cisco switch does not support port security aging of sticky secure MAC addresses -> the sticky secure MAC addresses are not aged out.

Question 2

Refer to the exhibit. What will happen when one more user is connected to interface FastEthernet 5/1?

show_port-security_interface_fastethernet.jpg

A. The first address learned on the port will be removed from the secure address list and be replaced with the new address.
B. All secure addresses will age out and be removed from the secure address list. This will cause the security violation counter to increment.
C. The packets with the new source addresses will be dropped until a sufficient number of secure MAC addresses are removed from the secure address list.
D. The interface will be placed into the error-disabled state immediately, and an SNMP trap notification will be sent.

 

Answer: D

Explanation

There are three violation mode of port security:

+ Protect: drop packets (port is not shutdown)
+ Restrict: drop packets and increase violation counter, send SNMP trap notification (port is not shutdown)
+ Shutdown (default mode): put port into error-distabled state (same as shutdown state), send SNMP trap notification

Question 3

When you enable port security on an interface that is also configured with a voice VLAN, what is the maximum number of secure MAC addresses that should be set on the port?

A. No more than one secure MAC address should be set.
B. The default will be set.
C. The IP phone should use a dedicated port, therefore only one MAC address is needed per port.
D. No value is needed if the switchport priority extend command is configured.
E. No more than two secure MAC addresses should be set.

 

Answer: E

Explanation

Usually, an IP Phone needs two MAC addresses, one for the voice vlan and one for the access vlan. If you don’t want other devices to access this port then you should not set more than two secure MAC addresses.

Below is an example for this configuration:

Switch(config)# interface fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security maximum 1 vlan voice
Switch(config-if)# switchport port-security maximum 1 vlan access
//Configure static MAC addresses for these VLANs
Switch(config-if)#switchport port-security mac-address sticky 0000.0000.0001
Switch(config-if)#switchport port-security mac-address sticky 0000.0000.0002 vlan voice

(For more information about this, please read http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/port_sec.html)

Question 4

Refer to the exhibit. What type of attack would be mitigated by this configuration?

show_port-security.jpg

A. ARP spoofing
B. MAC spoofing
C. VLAN hopping
D. CDP manipulation
E. MAC flood attack
F. spanning tree compromises

 

Answer: E

Explanation

The maximum number of hosts allowed is 5 so an attacker can not flood the switch with many source MAC addresses -> This configuration is effective against MAC flooding attack.

Question 5

Refer to the exhibit. Port security has been configured on port Fa0/5. What would happen if another device is connected to the Fa0/5 port after the maximum number of devices has been reached, even if one or more of the original MAC addresses are inactive?

show_run_port_security.jpg

A. The port will permit the new MAC address because one or more of the original MAC addresses are inactive.
B. The port will permit the new MAC address because one or more of the original MAC addresses will age out.
C. Because the new MAC address is not configured on the port, the port will not permit the new MAC address.
D. Although one or more of the original MAC addresses are inactive, the port will not permit the new MAC address.

 

Answer: D

Explanation

The port-security aging time is set to 0 so it is disabled for this port -> even if the original MAC addresses are inactive, the port will not permit the new MAC address.

IP SLA Questions

May 3rd, 2014 certprepare No comments

Here you will find answers to IP SLA Questions

Question 1

Which two items best describe a Cisco IOS IP SLA responder? (Choose two)

A. required at the destination to implement Cisco IOS IP SLA services
B. improves measurement accuracy
C. required for VoIP jitter measurements
D. provides security on Cisco IOS IP SLA messages via LEAP or EAP-FAST authentication
E. responds to one Cisco IOS IP SLA operation per port
F. stores the resulting test statistics

 

Answer: B C

Explanation

Cisco IOS IP Service Level Agreements (SLAs) allow users to monitor network performance between Cisco routers or from either a Cisco router to a remote IP device. Cisco IOS IP SLA has been the most popular way to measure performance statistics (ie: latency, jitter, packet loss, and MOS). Cisco IOS IP SLAs Responder is a component embedded in the destination Cisco router whose functionality is to respond to Cisco IOS IP SLAs request packets. The responder adds timestamps to the echoed packets to allow unidirectional packet loss, latency, and jitter measurements to a Cisco device. The accuracy of the measurements is improved significantly if the responder is used.

(Reference: http://www.cisco.com/en/US/technologies/tk648/tk362/tk920/technologies_white_paper09186a00802d5efe.html)

Question 2

Which two statements best describe Cisco IOS IP SLA? (Choose two)

A. only implemented between Cisco source and destination-capable devices
B. statistics provided by syslog, CLI, and SNMP
C. measures delay, jitter, packet loss, and voice quality
D. only monitors VoIP traffic flows
E. provides active monitoring

 

Answer: C E

Explanation

Cisco IOS IP SLA has been the most popular way to measure performance statistics (ie: latency, jitter, packet loss, and MOS).

Security Questions

May 2nd, 2014 certprepare 2 comments

Here you will find answers to Security Questions

Question 1

Which two components should be part of a security implementation plan? (Choose two)

A. detailed list of personnel assigned to each task within the plan
B. a Layer 2 spanning-tree design topology
C. rollback guidelines
D. placing all unused access ports in VLAN 1 to proactively manage port security
E. enabling SNMP access to Cisco Discovery Protocol data for logging and forensic analysis

 

Answer: B C

Explanation

Implementing a security plan includes:
+ STP design topology
+ Rollback guidelines
+ Summary and detailed implementation steps
+ Incident response plan
+ Security policy

Question 2

Which description correctly describes a MAC address flooding attack?

A. The attacking device crafts ARP replies intended for valid hosts. The MAC address of the attacking device then becomes the destination address found in the Layer 2 frames sent by the valid network device.

B. The attacking device crafts ARP replies intended for valid hosts. The MAC address of the attacking device then becomes the source address found in the Layer 2 frames sent by the valid network device.

C. The attacking device spoofs a destination MAC address of a valid host currently in the CAM table. The switch then forwards frames destined for the valid host to the attacking device.

D. The attacking device spoofs a source MAC address of a valid host currently in the CAM table. The switch then forwards frames destined for the valid host to the attacking device.

E. Frames with unique, invalid destination MAC addresses flood the switch and exhaust CAM table space. The result is that new entries cannot be inserted because of the exhausted CAM table space, and traffic is subsequently flooded out all ports.

F. Frames with unique, invalid source MAC addresses flood the switch and exhaust CAM table space. The result is that new entries cannot be inserted because of the exhausted CAM table space, and traffic is subsequently flooded out all ports.

 

Answer: F

Explanation

MAC flooding attack is a technique in which the attacker floods the switch with packets, each containing different source MAC address. This makes the switch learn the MAC addresses until its memory is used up. Now the switch acts like a hub, in which all incoming packets are broadcast out on all ports instead of just to the correct destination port as normal operation. The attacker can listen to these broadcast packets and capture sensitive data.

Question 3

By itself, what does the command “aaa new-model” enable?

A. It globally enables AAA on the switch, with default lists applied to the VTYs.
B. Nothing; you must also specify which protocol (RADIUS or TACACS) will be used for AAA.
C. It enables AAA on all dot1x ports.
D. Nothing; you must also specify where (console, TTY, VTY, dot1x) AAA is being applied.

 

Answer: A

Explanation

Before you can use any of the services Authentication, authorization, and accounting (AAA) network security services provide, you must enable AAA. Enable AAA by using the aaa new-model global configuration command.

Question 4

Refer to the exhibit.

Switch# configure terminal
Switch(config)# interface gigabitethemet0/1
Switch(config-if)# ip verify source port-security
Switch(config-if)# exit
Switch(config)# ip source binding 0100.0022.0010 vlan 10 10.0.0.2 interface gigabitethernet0/1
Switch(config)# ip source binding 0100.0230.0002 vlan 11 10.0.0.4 interface gigabitethernet0/1
Switch(config)# end

Which two statements about this Layer 3 security configuration example are true? (Choose two)

A. Static IP source binding can be configured only on a routed port.
B. Source IP and MAC filtering on VLANs 10 and 11 will occur.
C. DHCP snooping will be enabled automatically on the access VLANs.
D. IP Source Guard is enabled.
E. The switch will drop the configured MAC and IP address source bindings and forward all other traffic.

 

Answer: B D

Explanation

The command “ip verify source port-security” enables IP source guard (on Gi0/1) -> D is correct. Notice that without the keyword “port-security”, the switch only inspects source IP address. With the keyword “port-security”, the source MAC address is also inspected -> B is correct.

Question 5

Which statement is true about Layer 2 security threats?

A. MAC spoofing, in conjunction with ARP snooping, is the most effective counter-measure against reconnaissance attacks that use Dynamic ARP Inspection to determine vulnerable attack points.
B. DHCP snooping sends unauthorized replies to DHCP queries.
C. ARP spoofing can be used to redirect traffic to counter Dynamic ARP Inspection.
D. Dynamic ARP Inspection in conjunction with ARP spoofing can be used to counter DHCP snooping attacks.
E. MAC spoofing attacks allow an attacking device to receive frames intended for a different network host.
F. Port scanners are the most effective defense against Dynamic ARP Inspection.

 

Answer: E

Explanation

Attacking device spoofs the MAC address of a valid host currently in the CAM table. The switch then forwards frames destined for the valid host to the attacking device -> E is correct.

Question 6

A network is deployed using recommended practices of the enterprise campus network model, including users with desktop computers connected via IP phones. Given that all components are QoS-capable, where are the two optimal locations for trust boundaries to be configured by the network administrator? (Choose two)

A. host
B. IP phone
C. access layer switch
D. distribution layer switch
E. core layer switch

 

Answer: B C

Explanation

The perimeter formed by switches that do not trust incoming QoS is called the trust boundary (or in other words, trust boundary is the interface where the marking on a packet is trusted). Trust boundary should be as close to the edge as possible. In a large network, the distribution layer switches are often heavily loaded so it is better to apply QoS to IP Phone or access layer switch (which are responsible for lesser traffic).

If we trust from the IP Phone, when data from hosts reach the IP Phone, the switch will ignore the CoS/ToS markings and consider all data packets to have a value of 0.

Answer A is not correct because a trust boundary at the host is not trustworthy.

Note:

To understand the concept of a trust boundary, you must first have a basic understanding of QoS markings. As a device sends traffic, that
traffic may or may not have QoS markings attached to it. These markings may or may not be trustworthy. For example, a Cisco IP phone marks all of its traffic with an extremely high priority. In this case, the markings are trustworthy because the audio traffic from the phone does indeed need high-priority service. However, a technology-savvy user might configure a computer to mark traffic from it with the same high-priority marking as the voice traffic. In this case, the marking is not trustworthy.

Now we can jump back to the concept of a trust boundary. The trust boundary is the point of the network where you begin trusting that the network traffic is accurately identified with the correct QoS marking. Depending on the capabilities of the devices on your network, you can you can begin applying QoS markings close to the user devices, as shown in the picture below.

trust_boundary_qos.jpg

Cisco IP phones have the ability to mark their own traffic as high priority and strip any high-priority markings from traffic sent by the attached PC. If you are using the Cisco IP phone to mark traffic, you have extended the trust boundary to point 1 shown in the picture above. This is the ideal trust point because it distributes the QoS marking process to many Cisco IP phones rather than forcing the switches to apply QoS markings to a higher volume of traffic. If you have PCs attached to the network and you have access layer switches with QoS capabilities, you can begin marking at these devices (this is point 2 in the figure above). If your access layer switches do not have QoS capabilities, then the first possible place you can apply QoS markings is at the distribution layer switches (shown as point 3 in the picture above). This will work just fine; however, it adds an extra load to the distribution layer switches. Likewise, you will have network traffic passing through access layer switches without any QoS treatment. Although this is usually a safe bet – because access layer switches typically have higher-speed connections, on which congestion is rare – it is always best to apply QoS in as many places as possible where there is a potential bottle-neck.

(Reference: CCNA Voice Official Exam Certification Guide)

Question 7

Which optional feature of an Ethernet switch disables a port on a point-to-point link if the port does not receive traffic while Layer 1 status is up?

A BackboneFast
B. UplinkFast
C. Loop Guard
D. UDLD aggressive mode
E. Fast Link Pulse bursts
F. Link Control Word

 

Answer: D

Explanation

UDLD is a Layer 2 protocol that enables devices to monitor the physical configuration of the cables and detect when a unidirectional link exists. UDLD detects a unidirectional link by sending periodic hellos out to the interface. UDLD supports two modes of operation: normal (the default) and aggressive.

In normal mode, if the interfaces are connected correctly but the traffic is one way, UDLD does not detect the unidirectional link because the Layer 1 mechanism, which is supposed to detect this condition, does not do so. In case, the logical link is considered undetermined, and UDLD does not disable the interface.

In aggressive mode, UDLD detects a unidirectional link by using the previous detection methods. UDLD in aggressive mode can also detect a unidirectional link on a point-to-point link on which no failure between the two devices is allowed. In these cases, UDLD shuts down the affected interface.

Note: Aggressive mode is the recommended mode when configuring UDLD.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_19_ea1/configuration/guide/swudld.html#wp1020819)

Question 8

Which statement about 802.1x port-based authentication is true?

A. Hosts are required to have an 802.1x authentication client or utilize PPPoE.
B. Before transmitting data, an 802.1x host must determine the authorization state of the switch.
C. RADIUS is the only supported authentication server type.
D. If a host initiates the authentication process and does not receive a response, it assumes it is not authorized.

 

Answer: C

Explanation

For 802.1x port-based authentication, the Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco Secure Access Control Server version 3.0. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html)

Question 9

What is needed to verify that a newly implemented security solution is performing as expected?

A. a detailed physical and logical topology
B. a cost analysis of the implemented solution
C. detailed logs from the AAA and SNMP servers
D. results from audit testing of the implemented solution

 

Answer: D

Explanation

Verifying a security solution includes two points:
+ Verification of an implemented security solution requires results from audit testing of the implemented solution
+ Verifying a documentation for rollback plan

Question 10

Which Cisco IOS command globally enables port-based authentication on a switch?

A. aaa port-auth enable
B. radius port-control enable
C. dot1x system-auth-control
D. switchport aaa-control enable

 

Answer: C

Explanation

We must enable 802.1X authentication for the entire system before configuring it for individual ports. After you globally enable 802.1X authentication, you can configure individual ports for 802.1X authentication if they meet the specific requirements that are required by 802.1X.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/8.3and8.4glx/configuration/guide/8021x.html)