PrepKing

Number: 642-813
Passing Score: 790
Time Limit: 430 min
File Version: 8.0

http://www.gratisexam.com/

PrepKing - 642-813

Sections
1. Layer 2, VTP, VLAN design
2. Security
3. Layer 3, ip routing
4. Wireless
5. VoIP
6. HSRP, VRRP, GLBP
7. RPR, RPR+, SSO, NSF
8. SpanningTree
9. Etherchannel
10. Simulation
11. Drag&Drop
12. Common
13. UDLD

PrepKing - GRATIS EXAM · 2012. 3. 16.


Exam A

QUESTION 1
Which method of Layer 3 switching uses a forwarding information base (FIB)?

A. Topology-based switching
B. Demand-based switching
C. Route caching
D. Flow-based switching

Correct Answer: A
Section: Layer 3, ip routing
Explanation

Explanation/Reference:
Explanation:
The Layer 3 engine (essentially a router) maintains routing information, whether from static routes or dynamic routing protocols. Basically, the routing table is reformatted into an ordered list with the most specific route first, for each IP destination subnet in the table. The new format is called a Forwarding Information Base (FIB) and contains routing or forwarding information that the network prefix can reference. In other words, a route to 10.1.0.0/16 might be contained in the FIB, along with routes to 10.1.1.0/24 and 10.1.1.128/25, if those exist. Notice that these examples are increasingly more specific subnets. In the FIB, these would be ordered with the most specific, or longest match, first, followed by less specific subnets. When the switch receives a packet, it can easily examine the destination address and find the longest match entry in the FIB. The FIB also contains the next-hop address for each entry. When a longest match entry is found in the FIB, the Layer 3 next-hop address is found, too.

QUESTION 2
Refer to the exhibit. On the basis of the information provided in the exhibit, which two sets of procedures are best practices for Layer 2 and 3 failover alignment? (Choose two.)

A. Configure the D-SW1 switch as the active HSRP router and the STP root for all VLANs. Configure the D-SW2 switch as the standby HSRP router and backup STP root for all VLANs.
B. Configure the D-SW1 switch as the standby HSRP router and the STP root for VLANs 11 and 110. Configure the D-SW2 switch as the standby HSRP router and the STP root for VLANs 12 and 120.
C. Configure the D-SW1 switch as the active HSRP router and the STP root for VLANs 11 and 110. Configure the D-SW2 switch as the active HSRP router and the STP root for VLANs 12 and 120.
D. Configure the D-SW2 switch as the active HSRP router and the STP root for all VLANs. Configure the D-SW1 switch as the standby HSRP router and backup STP root for all VLANs.
E. Configure the D-SW1 switch as the active HSRP router and the backup STP root for VLANs 11 and 110. Configure the D-SW2 switch as the active HSRP router and the backup STP root for VLANs 12 and 120.
F. Configure the D-SW1 switch as the standby HSRP router and the backup STP root for VLANs 12 and 120. Configure the D-SW2 switch as the standby HSRP router and the backup STP root for VLANs 11 and 110.

Correct Answer: CF
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
Basically, each of the routers that provides redundancy for a given gateway address is assigned to a common HSRP group. One router is elected as the primary, or active, HSRP router, another is elected as the standby HSRP router, and all the others remain in the listen HSRP state. The routers exchange HSRP hello messages at regular intervals, so they can remain aware of each other's existence, as well as that of the active router.

HSRP election is based on a priority value (0 to 255) that is configured on each router in the group. By default, the priority is 100. The router with the highest priority value (255 is highest) becomes the active router for the group. If all router priorities are equal or set to the default value, the router with the highest IP address on the HSRP interface becomes the active router. To set the priority, use the following interface configuration command:
Switch(config-if)# standby group priority priority

When HSRP is configured on an interface, the router progresses through a series of states before becoming active. This forces a router to listen for others in a group and see where it fits into the pecking order. The HSRP state sequence is Disabled, Init, Listen, Speak, Standby, and, finally, Active.
You can configure a router to preempt or immediately take over the active role if its priority is the highest at any time. Use the following interface configuration command to allow preemption:
Switch(config-if)# standby group preempt [delay seconds]

QUESTION 3
If you needed to transport traffic coming from multiple VLANs (connected between switches), and your CTO was insistent on using an open standard, which protocol would you use?

A. 802.11B
B. spanning-tree
C. 802.1Q
D. ISL
E. VTP
F. Q.921

Correct Answer: C
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
The act involved in the above question is trunking. The two trunking protocols in the answer choices are 802.1Q and ISL. ISL is Cisco proprietary and IEEE 802.1Q is based on an open standard. When non-Cisco switches are used along with Cisco switches and trunking is required, it is best to use the 802.1Q encapsulation.
Incorrect Answers:
A: This standard is used in wireless networking and has nothing to do with VLAN switching.
B: The Spanning Tree Protocol (STP) is used to prevent loops within a bridged network. Each VLAN runs a separate instance of the STP and this is enabled by default.
D: This is the alternative Cisco proprietary method of trunking.
E: VLAN Trunking Protocol (VTP) is a Layer 2 messaging protocol that manages the addition, deletion, and renaming of VLANs on a network-wide basis. It is not used to actually transport VLAN traffic.
F: This is an ISDN signaling standard and is not related to VLAN switching.

QUESTION 4
Under what circumstances should an administrator prefer local VLANs over end-to-end VLANs?

A. Eighty percent of traffic on the network is destined for Internet sites.
B. There are common sets of traffic filtering requirements for workgroups located in multiple buildings.
C. Eighty percent of a workgroup's traffic is to the workgroup's own local server.
D. Users are grouped into VLANs independent of physical location.

Correct Answer: A
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
This geographic location can be as large as an entire building or as small as a single switch inside a wiring closet. In a geographic VLAN structure, it is typical to find 80 percent of the traffic remote to the user (server farms and so on) and 20 percent of the traffic local to the user (local server, printers, and so on).
Reference: Building Cisco Multilayer Switched Networks (Cisco Press) page 93

QUESTION 5
What are some virtues of implementing end-to-end VLANs? (Choose two)

A. End-to-end VLANs are easy to manage.
B. Users are grouped into VLANs independent of a physical location.
C. Each VLAN has a common set of security and resource requirements for all members.
D. Resources are restricted to a single location.

Correct Answer: BC
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
In an end-to-end VLAN, users are grouped into VLANs independent of physical location and dependent on group or job function.
Each VLAN has a common set of security requirements for all members.
Incorrect Answers:
A: End-to-end VLANs are more difficult to manage than local VLANs, due to the physical distances that they can span.
D: In an end-to-end VLAN, network resources are generally distributed across the entire enterprise wide area network.


QUESTION 6
Which of the following statements are true about the 80/20 rule? (Choose two)

A. 20 percent of the traffic on a network segment should be local
B. no more than 20 percent of the network traffic should be able to move across a backbone.
C. no more than 80 percent of the network traffic should be able to move across a backbone.
D. 80 percent of the traffic on a network segment should be local

Correct Answer: BD
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
The 80/20 rule in network design originated from the idea that most of the traffic should remain local to the LAN, since bandwidth is plentiful compared to WAN links, and a great deal of broadcast traffic that is evident at the LAN is not passed over the backbone.
Note: With the availability of inexpensive bandwidth and centralized data centers, this rule appears to have become obsolete. In fact, most networks have taken on the 20/80 rule, as opposed to the legacy 80/20 rule.

QUESTION 7
The Company LAN is becoming saturated with broadcasts and multicast traffic. What could you do to help a network with many multicasts and broadcasts?

A. Creating smaller broadcast domains by implementing VLANs.
B. Separate nodes into different hubs.
C. Creating larger broadcast domains by implementing VLANs.
D. Separate nodes into different switches.
E. All of the above.

Correct Answer: A
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
Controlling broadcast propagation throughout the network is important to reduce the amount of overhead associated with these frames. Routers, which operate at Layer 3 of the OSI model, provide broadcast domain segmentation for each interface. Switches can also provide broadcast domain segmentation using virtual LANs (VLANs). A VLAN is a group of switch ports, within a single or multiple switches, that is defined by the switch hardware and/or software as a single broadcast domain. A VLAN's goal is to group devices connected to a switch into logical broadcast domains to control the effect that broadcasts have on other connected devices. A VLAN can be characterized as a logical network.
Reference: Building Cisco Multilayer Switched Networks (Cisco Press) page 8

QUESTION 8
The Company LAN switches are being configured to support the use of Dynamic VLANs. Which of the following are true of dynamic VLAN membership? (Choose two)

A. VLAN membership of a user always remains the same even when he/she is moved to another location.
B. VLAN membership of a user always changes when he/she is moved to another location.
C. Membership can be static or dynamic.
D. Membership can be static only.

Correct Answer: AC
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
Dynamic VLAN memberships are based on the MAC address of the user's device connected to the port. If you have a VTP server, a VTP database file, a VTP client switch, and a dynamic port, you can remain in the same VLAN regardless of your physical location.
Incorrect Answers:
B: This was true before the use of Dynamic VLAN membership, as VLANs were assigned to ports, not users.
D: VLAN memberships can be either static or dynamic.

QUESTION 9
The Company LAN switches are being configured to support the use of Dynamic VLANs. What should be considered when implementing a dynamic VLAN solution? (Choose two)

A. Each switch port is assigned to a specific VLAN.
B. Dynamic VLANs require a VLAN Membership Policy Server.
C. Devices are in the same VLAN regardless of which port they attach to.
D. Dynamic VLAN assignments are made through the command line interface.

Correct Answer: BC
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
With VLAN Membership Policy Server (VMPS), you can assign switch ports to VLANs dynamically, based on the source Media Access Control (MAC) address of the device connected to the port. When you move a host from a port on one switch in the network to a port on another switch in the network, the switch assigns the new port to the proper VLAN for that host dynamically.
Note: There are two types of VLAN port configurations: static and dynamic.
Incorrect Answers:
A: In a static VLAN, the administrator assigns switch ports to the VLAN, and the association does not change until the administrator changes the port assignment. However, this is not the case for dynamic VLANs.
D: The Command Line Interface is not used for dynamic VLAN assignments.
Reference: Cisco Online, Configuring Dynamic Port VLAN Membership with VMPS

QUESTION 10
In the three-layer hierarchical network design model, what's associated with the access layer? (Choose two)

A. optimized transport structure
B. high port density
C. boundary definition
D. data encryption
E. local VLANs
F. route summaries

Correct Answer: BE
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
The access layer is the outermost layer, and it is composed of the least sophisticated network equipment. The most important function of the access layer is high port density, since these devices connect the individual end users. The access layers are also where VLANs are implemented, since VLANs are assigned on a per-port basis.

QUESTION 11
You are assigning VLANs to the ports of switch R1. What VLAN number is assigned to the default VLAN?

A. VLAN 1003
B. VLAN 1
C. VLAN ON
D. VLAN A
E. VLAN 0

Correct Answer: B
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
The default VLAN is VLAN 1. Although this VLAN can be modified, it cannot be deleted from the switch. The following VLANs are on by default for all Cisco Catalyst switches:
VLAN 1 - Default VLAN
VLAN 1002 - Default FDDI VLAN
VLAN 1003 - Default Token Ring VLAN
VLAN 1004 - Default FDDI Net VLAN
VLAN 1005 - Default Token Ring Net VLAN
Incorrect Answers:
A: This is the default Token Ring VLAN that is installed in the switch IOS. It is seldom used.
C: ON is a VTP configuration mode, but is not a normal VLAN name.
D: Although any VLAN can be named VLAN A, it is not created by default.
E: Although in Cisco IOS the number 0 has significance (i.e. ethernet 0, console port 0, serial 0), in VLANs, 1 is the default. VLAN 0 is an invalid VLAN and cannot be used.

QUESTION 12
The VLANs in switch R1 are being modified. Which of the following are updated in R1 every time a VLAN is modified? (Choose two)

A. Configuration revision number
B. Configuration revision flag field
C. Configuration revision reset switch
D. Configuration revision database

Correct Answer: AD
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
For accountability reasons, every time a VLAN is modified the revision number changes, as does the information in the configuration revision database (as that is where the VLAN information is stored).
Incorrect Answers:
B, C: The configuration revision flag field and the configuration revision reset switch don't exist in this context.

QUESTION 13
Given the above partial configuration, which two statements are true about VLAN traffic? (Choose two.)

A. VLANs 1-5 will use fa0/10 as a backup only.
B. VLANs 6-10 will use fa0/10 as a backup only.
C. VLANs 1-5 will be blocked if fa0/10 goes down.
D. VLANs 1-10 are configured to load share between fa0/10 and fa0/12.
E. VLANs 6-10 have a port priority of 128 on fa0/10.

Correct Answer: BD
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
Spanning-Tree Protocol (STP) is a Layer 2 protocol that utilizes a special-purpose algorithm to discover physical loops in a network and effect a logical loop-free topology. STP creates a loop-free tree structure consisting of leaves and branches that span the entire Layer 2 network. The actual mechanics of how bridges communicate and how the STP algorithm works will be discussed at length in the following topics. Note that the terms bridge and switch are used interchangeably when discussing STP. In addition, unless otherwise indicated, connections between switches are assumed to be trunks.

Load sharing can be accomplished using a couple of methods. The most common method of load sharing is through root bridge placement on a per-VLAN basis. This will distribute traffic for separate VLANs across separate paths to different root bridges. A separate method divides the bandwidth supplied by parallel trunks connecting switches. To avoid loops, STP normally blocks all but one parallel link between switches. Using load sharing, traffic can be divided between the links according to which VLAN the traffic belongs.

Load sharing can be configured on trunk ports by using STP port priorities or STP path costs. For load sharing using STP port priorities, both load-sharing links must be connected to the same switch. For load sharing using STP path costs, each load-sharing link can be connected to the same switch or to two different switches.

Load Sharing Using STP Port Priorities
When two ports on the same switch form a loop, the STP port priority setting determines which port is enabled and which port is in a blocking state. The priorities on a parallel trunk port can be set so that the port carries all the traffic for a given VLAN. The trunk port with the higher priority (lower values) for a VLAN is forwarding traffic for that VLAN. The trunk port with the lower priority (higher values) for the same VLAN remains in a Blocking state for that VLAN. One trunk port sends or receives all traffic for the VLAN.

QUESTION 14
What is a characteristic of a static VLAN membership assignment?

A. VMPS server lookup is required
B. Easy to configure
C. Ease of adds, moves, and changes
D. Based on MAC address of the connected device

Correct Answer: B
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
Static port VLAN membership on the switch is assigned manually by the administrator on a port-by-port basis.
Characteristics of static VLAN configurations include the following:
1. Secure
2. Easy to configure
3. Straightforward to monitor
4. Works well in networks where moves, adds, and changes are rare.
Incorrect Answers:
A: VMPS server lookups are a function of dynamic VLANs and are not used with statically assigned VLANs.
C: Moves, adds, and changes would require a network administrator to change the configuration of the switch every time a change is required.
D: This would describe a function of dynamic VLAN configurations, where the MAC address of the end user determines the VLAN that it belongs in, instead of the physical port.

QUESTION 15
Static VLANs are being used on the Company network. What is true about static VLANs?

A. Devices use DHCP to request their VLAN.
B. Attached devices are unaware of any VLANs.
C. Devices are assigned to VLANs based on their MAC addresses.
D. Devices are in the same VLAN regardless of which port they attach to.

Correct Answer: B
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
LAN port VLAN membership can be assigned manually on a port-by-port basis. When you assign LAN ports to VLANs using this method, it is known as port-based, or static, VLAN membership.
Attached devices will be unaware of any VLANs.
Incorrect Answers:
A: The DHCP service is not involved in VLAN assignment.
C: Devices are not assigned to VLANs based on their MAC addresses. This is a function of dynamic VLANs.
D: Static VLANs are configured on a port-by-port basis.
Reference: Configuring VLANs
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/121_8aex/swconfig/vlans.htm

QUESTION 16
Two Company switches are connected via a trunk using VTP. Which VTP information does a Catalyst switch advertise on its trunk ports when using VTP? (Choose two)

A. STP root status
B. VTP mode
C. Negotiation status
D. Management domain
E. Configuration revision number

Correct Answer: DE
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
The role of the VLAN Trunking Protocol (VTP) is to maintain VLAN configuration consistency across the entire network. VTP is a messaging protocol that uses Layer 2 trunk frames to manage the addition, deletion, and renaming of VLANs on a network-wide basis from a centralized switch that is in the VTP server mode. VTP is responsible for synchronizing VLAN information within a VTP domain. This reduces the need to configure the same VLAN information on each switch. Using VTP, each Catalyst Family Switch advertises the following on its trunk ports:
1. Management domain
2. Configuration revision number
3. Known VLANs and their specific parameters

QUESTION 17
The lack of which two prevents VTP information from propagating between switches? (Choose two.)

A. A root VTP server
B. A trunk port
C. VTP priority
D. VLAN 1

Correct Answer: BD
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
A switch has two types of links: access and trunk. An interface in access mode can carry the information of only one VLAN, and a trunk can carry the information of more than one VLAN. VTP carries the information of more than one VLAN, so the switch port should be in trunk mode. VLAN 1 is the default VLAN on Cisco switches; by default all interfaces belong to VLAN 1.

QUESTION 18
What is the default VTP advertisement for subset advertisements in Catalyst switches that are in server or client mode?

A. 30 seconds
B. 5 minutes
C. 1 minute
D. 10 seconds
E. 5 seconds

Correct Answer: B
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
Periodic (default is 5 minutes) VTP advertisements are sent out each trunk port with the multicast destination MAC address 01-00-0C-CC-CC-CC. VTP advertisements contain the following configuration information:
1. VLAN IDs (ISL and 802.1Q)
2. Emulated LAN names (ATM LANE)
3. 802.10 SAID values (FDDI)
4. VTP domain name
5. VTP configuration revision number
6. VLAN configuration, including the maximum transmission unit (MTU) size for each VLAN
7. Frame format

QUESTION 19
Refer to the exhibit. VTP has been enabled on the trunk links between all switches within the TEST domain. An administrator has recently enabled VTP pruning. Port 1 on Switch 1 and port 2 on Switch 4 are assigned to VLAN 2. A broadcast is sent from the host connected to Switch 1. Where will the broadcast propagate?

A. Every switch in the network receives the broadcast and will forward it out all ports.
B. Every switch in the network receives the broadcast, but only Switch 4 will forward it out port 2.
C. Switches 1, 2, and 4 will receive the broadcast, but only Switch 4 will forward it out port 2.
D. Only Switch 4 will receive the broadcast and will forward it out port 2.

Correct Answer: C
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
The default behavior of a switch is to propagate broadcast and unknown packets across the network. This behavior results in a large amount of unnecessary traffic crossing the network.
VTP pruning increases bandwidth efficiency by reducing unnecessary flooding of traffic, such as broadcast, multicast, unknown, and flooded unicast packets. VTP pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the appropriate network devices. By default, VTP pruning is disabled.
Enabling VTP pruning on a VTP server enables pruning for the entire management domain. VTP pruning takes effect several seconds after it is enabled. By default, VLANs 2 through 1000 or 2 through 1001 are pruning eligible, depending upon the platform. VTP pruning does not prune traffic from VLANs that are pruning ineligible. VLAN 1 is always pruning ineligible and VLAN 1 cannot be removed from a trunk. However, the "VLAN 1 disable on trunk" feature available on Catalyst 4000, 5000, and 6000 family switches enables the pruning of user traffic, but not protocol traffic such as CDP and VTP, for VLAN 1 from a trunk. Use the vtp pruning command to make VLANs pruning eligible on a Cisco IOS-based switch.
Switch(vlan)#vtp pruning
Once pruning is enabled, use the switchport trunk pruning command to make a specific VLAN pruning ineligible.
Switch(config)#interface fastethernet 0/3
Switch(config-if)#switchport trunk pruning vlan remove 5


QUESTION 20
What must be configured on a Cisco switch in order to advertise VLAN information?

A. VTP mode
B. VTP password
C. VTP revision number
D. VTP pruning
E. VTP domain name

Correct Answer: E
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
If the switch being installed is the first switch in the network, the management domain will need to be created. However, if the network has other switches running VTP, then the new switch will join an existing management domain. Verify the name of the management domain. If the management domain has been secured, verify and configure the password for the domain.
To create a management domain or to add a switch to a management domain, use the vtp domain command in the global configuration mode or VLAN configuration mode.
Switch(config)#vtp domain name
Switch(vlan)#vtp domain

QUESTION 21
The Company switches have all been upgraded to use VTP version 2. What are two benefits provided in VTP Version 2 that are not available in VTP Version 1? (Choose two)

A. VTP version 2 supports Token Ring VLANs.
B. VTP version 2 allows VLAN consistency checks.
C. VTP version 2 saves VLAN configuration memory.
D. VTP version 2 reduces the amount of configuration necessary.
E. VTP version 2 allows active redundant links when used with spanning tree.

Correct Answer: AB
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
VTP Version 2 includes the following improvements: Token Ring VLAN support, TLV support, transparent mode, and consistency checks.
Incorrect Answers:
C, D: These were not improvements added to VTP Version 2.
E: STP detects and prevents loops by logically disabling the redundant path ports so there are no active redundant links.

QUESTION 22
What action should a network administrator take to enable VTP pruning on an entire management domain?

A. Enable VTP pruning on any switch in the management domain.
B. Enable VTP pruning on any client switch in the management domain.
C. Enable VTP pruning on a VTP server in the management domain.
D. Enable VTP pruning on every switch in the management domain.
E. Disable VTP pruning on a VTP server in the management domain.

Correct Answer: C
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
Enabling VTP pruning on a VTP server allows pruning for the entire management domain. Enabling this on the VTP server will mean that the VTP pruning configuration will be propagated to all VTP client switches within the domain. VTP pruning takes effect several seconds after you enable it. By default, VLANs 2 through 1000 are pruning-eligible.
Reference: Building Cisco Multilayer Switched Networks (Cisco Press) page 117

QUESTION 23
The Company switches are configured to use VTP. What’s true about the VLAN trunking protocol (VTP)? (Choose two)

A. VTP messages will not be forwarded over nontrunk links.
B. VTP domain names need to be identical. However, case doesn't matter.
C. A VTP enabled device which receives multiple advertisements will ignore advertisements with higher configuration revision numbers.
D. A device in "transparent" VTP v.1 mode will not forward VTP messages.
E. VTP pruning allows switches to prune VLANs that do not have any active ports associated with them.

Correct Answer: AD
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
VTP messages are only transmitted across trunk links. If the receiving switch is in transparent mode, the configuration is not changed. Switches in transparent mode do not participate in VTP. If you make VTP or VLAN configuration changes on a switch in transparent mode, the changes are not propagated to the other switches in the network.
Incorrect Answers:
B: The VTP domain name is case sensitive and it must be identical with the domain name configured on the VTP server.
C: This is incorrect because if a VTP client receives an advertisement with a higher revision number, it won't ignore it. In fact, the advertisement with a higher revision level takes precedence when the switch is configured in client mode.
E: VTP pruning enhances network bandwidth use by reducing unnecessary flooded traffic, such as broadcast, multicast, unknown, and flooded unicast packets. VTP pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the appropriate network devices. It does not prune the individual VLANs.

QUESTION 24
Switch R1 and R2 both belong to the Company VTP domain. What’s true about the switch operation in VTP domains? (Choose two)

A. A switch can only reside in one management domain
B. A switch is listening to VTP advertisements from their own domain only
C. A switch is listening to VTP advertisements from multi domains
D. A switch can reside in one or more domains
E. VTP is no longer supported on Catalyst switches

Correct Answer: AB
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
A VTP domain is made up of one or more interconnected devices that share the same VTP domain name. A switch can be configured to be in only one VTP domain, and each VLAN has a name that is unique within a management domain. Typically, you use a VTP domain to ease administrative control of your network or to account for physical boundaries within your network. However, you can set up as many or as few VTP domains as are appropriate for your administrative needs. Consider that VTP is transmitted on all trunk connections, including ISL, IEEE 802.1Q, 802.10, and LANE.
Switches can only belong to one management domain with common VLAN requirements, and they only care about the neighbors in their own domains.
Reference: CCNP Switching Exam Certification Guide: David Hucaby & Tim Boyles, Cisco Press 2001, ISBN 1-58720 000-7 page 114

QUESTION 25
VTP devices in a network track the VTP revision number. What is a VTP configuration revision number?

A. A number for identifying changes to the network switch.
B. A number for identifying changes to the network router.
C. A number for identifying changes to the network topology.

Correct Answer: C
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
The configuration revision number is a 32-bit number that indicates the level of revision for a VTP packet. Each VTP device tracks the VTP configuration revision number assigned to it, and most of the VTP packets contain the VTP configuration revision number of the sender.
This information is used to determine whether the received information is more recent than the current version. Each time you make a VLAN change in a VTP device, the configuration revision is incremented by one. In order to reset the configuration revision of a switch, change the VTP domain name and then change it back to the original name.
Incorrect Answers:
A: Not all switch configuration changes will impact the VTP revision number. Only changes made to the VLAN configuration will cause an increment in the revision number.
B: VTP revision numbers are only used on network switches configured for VTP and are not used by Cisco routers.
Reference: Understanding and Configuring VLAN trunk protocol (VTP) Document ID: 10558
http://www.cisco.com/warp/public/473/21.html

QUESTION 26
Switch R1 is configured to use the VLAN Trunking Protocol (VTP). What does R1 advertise in its VTP domain?

A. The VLAN ID of all known VLANs, the management domain name, and the total number of trunk links on the switch.
B. The VLAN ID of all known VLANs, a 1-bit canonical format (CFI Indicator), and the switch configuration revision number.
C. The management domain name, the switch configuration revision number, the known VLANs, and their specific parameters.
D. A 2-byte TPID with a fixed value of 0x8100 for the management domain number, the switch configuration revision number, the known VLANs, and their specific parameters.

Correct Answer: C
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
"Each switch participating in VTP advertises VLAN information, revision numbers, and VLAN parameters on its trunk ports to notify other switches in the management domain. VTP advertisements are sent as multicast frames. The switch intercepts frames sent to the VTP multicast address and processes them with its supervisory processor. VTP frames are forwarded out trunk links as a special case.
The following global configuration information is distributed in VTP advertisements:

1. VLAN IDs (ISL and 802.1Q)
2. Emulated LAN names (for ATM LANE)
3. 802.10 SAID values (FDDI)
4. VTP domain name
5. VTP configuration revision number
6. VLAN configuration, including maximum transmission unit (MTU) size for each VLAN
7. Frame format"

Reference: CCNP Switching Exam Certification Guide: page 115, David Hucaby & Tim Boyles, Cisco Press 2001, ISBN 1-58720 000-7
Incorrect Answers:
A: The total number of trunk links is not advertised.
B: A CFI is not advertised.
D: The TPID is not advertised. The value of 0x8100 is used to identify an 802.1Q trunking tag.

QUESTION 27
VTP switches use advertisements to exchange information with each other. Which of the following advertisement types are associated with VTP? (Choose three)

A. Domain advertisements
B. Advertisement requests from clients
C. Subset advertisements
D. Summary advertisements

Correct Answer: BCD
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
VTP advertisements include:
1. Summary Advertisements - These go out every 5 minutes or every time the VLAN topology changes, and lists of information about the management domain (VTP version, domain name, configuration revision number, timestamp, MD5 encryption hash code, & number of subset advertisements incoming). When there is a configuration change, summary advertisements are complemented by one or more subset advertisements.
2. Subset advertisements - These are sent out by VTP domain servers after a configuration change. They list the specifics of the change (VLAN creation / deletion / suspension / activation / name change / MTU change) and the VLAN parameters (VLAN status, VLAN type, MTU, VLAN name, VLAN number, SAID value).
3. Advertisement Requests from Clients - VTP clients request specific VLAN information that they're lacking (i.e. Client switch is reset and loses its database, or VTP domain membership changes) so they can be responded to by summary and subset advertisements.
Reference: CCNP Switching Exam Certification Guide: pages 116-117 David Hucaby & Tim Boyles, Cisco Press 2001, ISBN 1-58720 000-7

QUESTION 28
Switch R1 is part of the Company VTP domain. What's true of VTP Pruning within this domain?

A. It does not prune traffic from VLANs that are pruning-ineligible
B. VLAN 1 is always pruning-eligible
C. It will prune traffic from VLANs that are pruning-ineligible
D. VLAN 2 is always pruning-ineligible

Correct Answer: A
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
By definition, pruning-ineligible VLANs cannot be pruned. You can make specific VLANs pruning ineligible with the clear vtp pruneeligible vlan_range command. By default, VLANs 2-1000 are pruning-eligible. Since the default VLAN for any switch port in a Catalyst switch is VLAN 1, it is not eligible for pruning.
Incorrect Answers:
B: VLAN 1 is always pruning-ineligible
C: The opposite is true.
D: By default, VLANs 2-1000 are eligible to be pruned.

QUESTION 29
Switch R1 is configured with VTP. Which two VTP modes will make R1 capable of creating and deleting VLANs on itself? (Choose two)

A. Client
B. Server
C. Transparent
D. Pass-through
E. Nonegotiate

Correct Answer: BC
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
VTP Modes
You can configure a switch to operate in any one of these VTP modes:
1. Server: In VTP server mode, you can create, modify, and delete VLANs and specify other configuration parameters (such as VTP version) for the entire VTP domain. VTP servers advertise their VLAN configuration to other switches in the same VTP domain and synchronize their VLAN configuration with other switches based on advertisements received over trunk links. VTP server is the default mode.
2. Client: VTP clients behave the same way as VTP servers, but you cannot create, change, or delete VLANs on a VTP client.
3. Transparent: VTP transparent switches do not participate in VTP. A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements. However, in VTP version 2, transparent switches do forward VTP advertisements that they receive out their trunk interfaces.

If you configure the switch as VTP transparent, you can create and modify VLANs but the changes affect only the individual switch.
Incorrect Answers:
A: Clients cannot modify, add, or delete any VLAN information.
D, E: These options are not valid VTP modes.

QUESTION 30
Which three statements are true regarding the above diagram? (Choose three.)

A. DTP packets are sent from Switch B.
B. The native VLAN for Switch B is vlan 1.
C. A trunk link will be formed.
D. DTP is not running on Switch A.
E. Only VLANs 1-1001 will travel across the trunk link.

Correct Answer: ABC
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
You can manually configure trunk links on Catalyst switches for either ISL or 802.1Q mode. In addition, Cisco has implemented a proprietary, point-to-point protocol called Dynamic Trunking Protocol (DTP) that negotiates a common trunking mode between two switches. The negotiation covers the encapsulation (ISL or 802.1Q) as well as whether the link becomes a trunk at all.
You can configure the trunk encapsulation with the switchport trunk encapsulation command, as one of the following:
1. isl: VLANs are tagged by encapsulating each frame using the Cisco ISL protocol.
2. dot1q: VLANs are tagged in each frame using the IEEE 802.1Q standard protocol. The only exception is the native VLAN, which is sent normally and not tagged at all.
3. negotiate (the default): The encapsulation is negotiated to select either ISL or IEEE 802.1Q, whichever is supported by both ends of the trunk. If both ends support both types, ISL is favored. (The Catalyst 2950 switch does not support ISL encapsulation.)
In the switchport mode command, you can set the trunking mode to any of the following:
1. trunk: This setting places the port in permanent trunking mode. The corresponding switch port at the other end of the trunk should be similarly configured because negotiation is not allowed. You should also manually configure the encapsulation mode.
2. dynamic desirable (the default): The port actively attempts to convert the link into trunking mode. If the far-end switch port is configured to trunk, dynamic desirable, or dynamic auto mode, trunking is successfully negotiated.
3. dynamic auto: The port converts the link into trunking mode. If the far-end switch port is configured to trunk or dynamic desirable, trunking is negotiated. Because of the passive negotiation behavior, the link never becomes a trunk if both ends of the link are left to the dynamic auto default.

QUESTION 31
Two Company switches are connected via a trunk link. In this network, the original frame is encapsulated and an additional header is added before the frame is carried over a trunk link. At the receiving end, the header is removed and the frame is forwarded to the assigned VLAN. This describes which technology?

A. DISL
B. ISL
C. DTP
D. IEEE 802.1Q
E. MPLS

Correct Answer: B
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
Inter-Switch Link Protocol
The Inter-Switch Link (ISL) protocol is a Cisco proprietary method for preserving the source VLAN identification of frames passing over a trunk link. ISL performs frame identification in Layer 2 by encapsulating each frame between a header and trailer. Any Cisco switch or router device configured for ISL can process and understand the ISL VLAN information. ISL is primarily used for Ethernet media, although Cisco has included provisions to carry Token Ring, FDDI, and ATM frames over Ethernet ISL. (A Frame-Type field in the ISL header indicates the source frame type.) When a frame is destined out a trunk link to another switch or router, ISL adds a 26-byte header and a 4-byte trailer to the frame. The source VLAN is identified with a 10-bit VLAN ID field in the header. The trailer contains a cyclic redundancy check (CRC) value to ensure the data integrity of the new encapsulated frame. Figure 6-3 shows how Ethernet frames are encapsulated and forwarded out a trunk link. Because tagging information is added at the beginning and end of each frame, ISL is sometimes referred to as double tagging.

QUESTION 32
The Company core switches use 802.1Q trunks to connect to each other. How does 802.1Q trunking keep track of multiple VLANs?

A. It tags the data frame with VLAN information and recalculates the CRC value
B. It encapsulates the data frame with a new header and frame check sequence
C. It modifies the port index of a data frame to indicate the VLAN
D. It adds a new header containing the VLAN ID to the data frame

Correct Answer: A
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
The IEEE 802.1Q protocol can also carry VLAN associations over trunk links. However, this frame identification method is standardized, allowing VLAN trunks to exist and operate between equipment from multiple vendors. In particular, the IEEE 802.1Q standard defines an architecture for VLAN use, services provided with VLANs, and protocols and algorithms used to provide VLAN services. Like Cisco ISL, IEEE 802.1Q can be used for VLAN identification with Ethernet trunks. Instead of encapsulating each frame with a VLAN ID header and trailer, 802.1Q embeds its tagging information within the Layer 2 frame. This method is referred to as single-tagging or internal tagging.
802.1Q also introduces the concept of a native VLAN on a trunk. Frames belonging to this VLAN are not encapsulated with any tagging information. In the event that an end station is connected to an 802.1Q trunk link, the end station can receive and understand only the native VLAN frames. This provides a simple way to offer full trunk encapsulation to the devices that can understand it, while giving normal access stations some inherent connectivity over the trunk.

QUESTION 33
Refer to the exhibit. On the basis of the output generated by the show commands, which two statements are true? (Choose two.)

A. Because it is configured as a trunk interface, interface gigabitethernet 0/1 does not appear in the show vlan output.
B. VLAN 1 will not be encapsulated with an 802.1q header.
C. There are no native VLANs configured on the trunk.
D. VLAN 2 will not be encapsulated with an 802.1q header.
E. All interfaces on the switch have been configured as access ports.
F. Because it has not been assigned to any VLAN, interface gigabitethernet 0/1 does not appear in the show vlan output.

Correct Answer: AB
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:

QUESTION 34
Which three statements are correct with regard to the IEEE 802.1Q standard? (Choose three)

A. The IEEE 802.1Q frame format adds a 4 byte field to an Ethernet frame
B. The packet is encapsulated with a 26 byte header and a 4 byte FCS
C. The protocol uses point-to-multipoint connectivity
D. The protocol uses point-to-point connectivity
E. The IEEE 802.1Q frame uses multicast destination of 0x01-00-0c-00-00
F. The IEEE 802.1Q frame retains the original MAC destination address

Correct Answer: ADF
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
The IEEE 802.1Q protocol can also carry VLAN associations over trunk links. However, this frame identification method is standardized, allowing VLAN trunks to exist and operate between equipment from multiple vendors. In particular, the IEEE 802.1Q standard defines an architecture for VLAN use, services provided with VLANs, and protocols and algorithms used to provide VLAN services. Like Cisco ISL, IEEE 802.1Q can be used for VLAN identification with Ethernet trunks. Instead of encapsulating each frame with a VLAN ID header and trailer, 802.1Q embeds its tagging information within the Layer 2 frame. This method is referred to as single-tagging or internal tagging.
802.1Q also introduces the concept of a native VLAN on a trunk. Frames belonging to this VLAN are not encapsulated with any tagging information. In the event that an end station is connected to an 802.1Q trunk link, the end station can receive and understand only the native VLAN frames. This provides a simple way to offer full trunk encapsulation to the devices that can understand it, while giving normal access stations some inherent connectivity over the trunk.

QUESTION 35
Switch R1 has been configured with DTP using the desirable option. Which statement describes Dynamic Trunking Protocol (DTP) desirable mode?

A. The interface actively attempts to convert the link to a trunk link.
B. The interface is put into permanent trunking mode but prevented from generating DTP frames.
C. The interface is put into permanent trunking mode and negotiates to convert the link into a trunk link.
D. The interface is put into a passive mode, waiting to convert the link to a trunk link.

Correct Answer: A
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
In the switchport mode command, you can set the trunking mode to any of the following:
1. trunk: This setting places the port in permanent trunking mode. The corresponding switch port at the other end of the trunk should be similarly configured because negotiation is not allowed. You should also manually configure the encapsulation mode.
2. dynamic desirable (the default): The port actively attempts to convert the link into trunking mode. If the far-end switch port is configured to trunk, dynamic desirable, or dynamic auto mode, trunking is successfully negotiated.
3. dynamic auto: The port converts the link into trunking mode. If the far-end switch port is configured to trunk or dynamic desirable, trunking is negotiated. Because of the passive negotiation behavior, the link never becomes a trunk if both ends of the link are left to the dynamic auto default.

QUESTION 36
Which switch command enables a trunking protocol that appends a four byte CRC to the packet?

A. CompanySwitch(config-if)#switchport trunk encapsulation dot1q
B. CompanySwitch(config-if)#switchport trunk encapsulation itef
C. CompanySwitch(config-if)#switchport trunk encapsulation fddi
D. CompanySwitch(config-if)#switchport trunk encapsulation isl

Correct Answer: D
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
The Inter-Switch Link (ISL) protocol is a Cisco proprietary method for preserving the source VLAN identification of frames passing over a trunk link. ISL performs frame identification in Layer 2 by encapsulating each frame between a header and trailer. Any Cisco switch or router device configured for ISL can process and understand the ISL VLAN information. ISL is primarily used for Ethernet media, although Cisco has included provisions to carry Token Ring, FDDI, and ATM frames over Ethernet ISL. (A Frame-Type field in the ISL header indicates the source frame type.) When a frame is destined out a trunk link to another switch or router, ISL adds a 26-byte header and a 4-byte trailer to the frame. The source VLAN is identified with a 10-bit VLAN ID field in the header. The trailer contains a cyclic redundancy check (CRC) value to ensure the data integrity of the new encapsulated frame. Figure 6-3 shows how Ethernet frames are encapsulated and forwarded out a trunk link. Because tagging information is added at the beginning and end of each frame, ISL is sometimes referred to as double tagging.

QUESTION 37
While using a packet analyzer, you notice four additional bytes being added to the packets in the Company network. Which protocol inserts a four byte tag into the Ethernet frame and recalculates CRC value?

A. DTP
B. VTP
C. 802.1Q
D. ISL

Correct Answer: C
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
The IEEE 802.1Q protocol can also carry VLAN associations over trunk links. However, this frame identification method is standardized, allowing VLAN trunks to exist and operate between equipment from multiple vendors. In particular, the IEEE 802.1Q standard defines an architecture for VLAN use, services provided with VLANs, and protocols and algorithms used to provide VLAN services. Like Cisco ISL, IEEE 802.1Q can be used for VLAN identification with Ethernet trunks. Instead of encapsulating each frame with a VLAN ID header and trailer, 802.1Q embeds its tagging information within the Layer 2 frame. This method is referred to as single-tagging or internal tagging.
802.1Q also introduces the concept of a native VLAN on a trunk. Frames belonging to this VLAN are not encapsulated with any tagging information. In the event that an end station is connected to an 802.1Q trunk link, the end station can receive and understand only the native VLAN frames. This provides a simple way to offer full trunk encapsulation to the devices that can understand it, while giving normal access stations some inherent connectivity over the trunk.

QUESTION 38
You need to configure a new Company switch to support DTP. Which DTP switchport mode parameter sets the switch port to actively send and respond to DTP negotiation frames?

A. Access
B. Nonegotiate
C. Trunk
D. Dynamic desirable
E. Dynamic auto

Correct Answer: D
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
dynamic desirable (the default): The port actively attempts to convert the link into trunking mode. If the far-end switch port is configured to trunk, dynamic desirable, or dynamic auto mode, trunking is successfully negotiated.

QUESTION 39
A new Company switch was just configured using the "switchport trunk native vlan 7" command. What does this interface command accomplish?

A. Causes the interface to apply ISL framing for traffic on VLAN 7
B. Configures the trunking interface to forward traffic from VLAN 7
C. Configures the interface to be a trunking port and causes traffic on VLAN 7 to be 802.1q tagged
D. Configures the trunking interface to send traffic from VLAN 7 untagged

Correct Answer: D
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
In 802.1Q trunking, all VLAN packets are tagged on the trunk link to indicate the VLAN to which they belong. Frames belonging to the Native VLAN are sent untagged on the trunk link. The Native VLAN contains ports not assigned to other VLANs that by default belong to VLAN 1. VLAN 1 is the Native VLAN by default, but VLANs other than VLAN 1 may be designated as the Native VLAN. However, the Native VLAN must be the same on trunked switches in 802.1Q trunking. If a VLAN other than VLAN 1 is to be the Native VLAN, it needs to be identified on the trunk ports. In the interface configuration mode of the trunk port(s), the IOS-based command to designate the Native VLAN is switchport trunk native.
Switch(config-if)#switchport trunk native vlan vlan-id

QUESTION 40
Which statement is true regarding the configuration of ISL trunks?

A. A Catalyst switch cannot have ISL and IEEE 802.1q trunks enabled.
B. All Catalyst switches support ISL trunking.
C. A Catalyst switch will report giants if one side is configured for ISL while the other side is not.
D. ISL trunking requires that native VLANs match.

Correct Answer: C
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
The Inter-Switch Link (ISL) protocol is a Cisco proprietary method for preserving the source VLAN identification of frames passing over a trunk link. ISL performs frame identification in Layer 2 by encapsulating each frame between a header and trailer. Any Cisco switch or router device configured for ISL can process and understand the ISL VLAN information. ISL is primarily used for Ethernet media, although Cisco has included provisions to carry Token Ring, FDDI, and ATM frames over Ethernet ISL. (A Frame-Type field in the ISL header indicates the source frame type.) When a frame is destined out a trunk link to another switch or router, ISL adds a 26-byte header and a 4-byte trailer to the frame. The source VLAN is identified with a 10-bit VLAN ID field in the header. The trailer contains a cyclic redundancy check (CRC) value to ensure the data integrity of the new encapsulated frame. Figure 6-3 shows how Ethernet frames are encapsulated and forwarded out a trunk link. Because tagging information is added at the beginning and end of each frame, ISL is sometimes referred to as double tagging.

QUESTION 41
Refer to the exhibit. VLAN 1 and VLAN 2 are configured on the trunked links between Switch A and Switch B. Port Fa 0/2 on Switch B is currently in a blocking state for both VLANs. What should be done to load balance VLAN traffic between Switch A and Switch B?

A. Lower the port priority for VLAN 1 on port 0/1 for Switch A.
B. Lower the port priority for VLAN 1 on port 0/2 for Switch A.
C. Make the bridge ID of Switch B lower than the ID of Switch A.
D. Enable HSRP on the access ports.

Correct Answer: B
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
Load Sharing Using STP Port Priorities
When two ports on the same switch form a loop, the STP port priority setting determines which port is enabled and which port is in a blocking state. The priorities on a parallel trunk port can be set so that the port carries all the traffic for a given VLAN. The trunk port with the higher priority (lower values) for a VLAN is forwarding traffic for that VLAN. The trunk port with the lower priority (higher values) for the same VLAN remains in a Blocking state for that VLAN. One trunk port sends or receives all traffic for the VLAN.

QUESTION 42
Which of the following technologies would an Internet Service Provider use to support overlapping customer VLAN ID's over transparent LAN services?

A. 802.1q tunneling
B. ATM
C. SDH
D. IP Over Optical Networking
E. ISL

Correct Answer: A
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
Understanding How 802.1Q Tunneling Works:
The 802.1Q tunneling feature supports secure virtual private networks (VPNs). 802.1Q tunneling enables service providers to keep traffic from different customers segregated in the service provider infrastructure while significantly reducing the number of VLANs required to support the VPNs. 802.1Q tunneling allows multiple customer VLANs to be carried by a single VLAN on the Catalyst 6000 family switch without losing their unique VLAN IDs.
When you configure 802.1Q tunneling on the Catalyst 6000 family switch, traffic to be tunneled comes into the switch from an 802.1Q trunk port on a neighboring device and enters the switch through a port configured to support 802.1Q tunneling (a tunnel port). When the tunnel port receives traffic from an 802.1Q trunk port, it does not strip the 802.1Q tags from the frame header but, instead, leaves the 802.1Q tags intact and puts all the received 802.1Q traffic into the VLAN assigned to the tunnel port. The VLAN assigned to the tunnel port then carries the tunneled customer traffic to the other neighboring devices participating in the tunnel port VLAN. When the tunneled traffic is received by an 802.1Q trunk port on a neighboring device, the 802.1Q tag is stripped and the traffic is removed from the tunnel.
Reference:
http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_guide_chapter09186a008007fa06.html

QUESTION 43
If you were to configure an ISL Ethernet trunk between two Cisco switches, named R1 and R2, what would you have to include at the end of the link for the trunk to operate correctly? (Choose two)

A. An identical VTP mode.
B. An identical speed/duplex.
C. An identical trunk negotiation parameter.
D. An identical trunk encapsulation parameter.

Correct Answer: BD
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
In order for a trunk to be operational, the speed and duplex settings must match at each end of the trunk, and both switches must use the same trunking encapsulation (802.1Q or ISL).
Incorrect Answers:
A: It is common for switches to have trunk links operating, while the VTP modes differ. For example, a switch configured with VTP mode server can have a trunk connected to a switch with VTP mode client.
C: This is incorrect, as there are a number of configurations that are supported where the trunk negotiation parameters differ between switches. For example, switch R1 could have the trunk configured for "on" while switch R2 could have the switch trunk configured for "desirable" and the trunk would be operational.

QUESTION 44
You are the network administrator at Company and switch R1 is configured as shown below:

interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 5

If untagged frames are arriving on interface GigabitEthernet0/1 of R1, which of the following statements are correct?

A. Untagged frames are automatically assumed to be in VLAN 5.
B. Untagged frames are defaulted to VLAN 1 traffic.
C. Untagged frames are dropped because all packets are tagged when dot1q trunked.
D. Untagged frames are determined on the other switch.
E. Untagged frames are not supported on 802.1Q trunks.

Correct Answer: A
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
Each physical port has a parameter called PVID. Every 802.1Q port is assigned a PVID value that is of its native VLAN ID (default is VLAN 1). All untagged frames are assigned to the LAN specified in the PVID parameter. When a tagged frame is received by a port, the tag is respected. If the frame is untagged, the value contained in the PVID is considered as a tag. All untagged frames will be assigned to the native VLAN. The native VLAN is 1 by default, but in this case the native VLAN is configured as VLAN 5 so choice A is correct.

QUESTION 45
If you were to set up a VLAN trunk over a Fast Ethernet link on switch R1, which trunk mode would you set the local port to on R1 if you wanted it to respond to requests from its link partner (R2) and become a trunk?

A. Auto
B. Negotiate
C. Designate
D. Nonegotiate

Correct Answer: A
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
Only ports in desirable and auto mode will negotiate a channel (either desirable-auto or desirable-desirable). Ports in on mode will only form a functional channel with other ports in on mode (they will not negotiate a channel with ports in desirable or auto mode).
Reference: Cisco, Troubleshooting Tips
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/trbl_ja.htm

QUESTION 46
Which of the following trunking modes are unable to request their ports to convert their links into trunk links? (Choose two)

A. Negotiate
B. Designate
C. Nonegotiate
D. Auto
E. Manual
F. Off

Correct Answer: CD
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
Auto is a trunking mode but does not actively negotiate a trunk. It requires opposite side to be trunk or desirable, and will only respond to requests from the other trunk link. No-negotiate will configure the link to be unable to dynamically become a trunk; since no requests will be sent it will not respond to requests from other trunk links from a different switch.
Incorrect Answers:
A, B, E, F: These choices are wrong because they are not valid trunking modes

QUESTION 47
ISL is being configured on a Company switch. Which of the following choices are true regarding the ISL protocol? (Choose two)

A. It can be used between Cisco and non-Cisco switch devices.
B. It calculates a new CRC field on top of the existing CRC field.
C. It adds 4 bytes of protocol-specific information to the original Ethernet frame.
D. It adds 30 bytes of protocol-specific information to the original Ethernet frame.

Correct Answer: BD
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
ISL adds a total of 30 bytes to the Ethernet frame. A 26 byte header (10 bytes identifies the VLAN ID) and a 4 byte trailer (containing a separate CRC).
Incorrect Answers:
A: This is incorrect because ISL is Cisco proprietary and can only be used on Cisco devices. For configuring a trunk to a non-Cisco switch, 802.1Q encapsulation should be used.
C: This is incorrect because it is contradictory to D. 30 bytes are added with ISL, not 4 bytes. This choice describes what is used in 802.1Q frames, not ISL

QUESTION 48
You are the network administrator tasked with designing a switching solution for the Company network. Which of the following statements describing trunk links are INCORRECT? (Choose four)

A. The trunk link belongs to a specific VLAN.
B. Multiple trunk links are used to connect multiple end user devices.
C. A trunk link only supports native VLAN.
D. Trunk links use 802.10 to identify a VLAN.
E. The native VLAN of the trunk link is the VLAN that the trunk uses for untagged packets.

Correct Answer: ABCD
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
A trunk is a point-to-point link that transmits and receives traffic between switches or between switches and routers. Trunks carry the traffic of multiple VLANs and can extend VLANs across an entire network. 100BaseT and Gigabit Ethernet trunks use Cisco ISL (the default protocol) or industry-standard IEEE 802.1Q to carry traffic for multiple VLANs over a single link. Frames received from users in the administratively-defined VLANs are identified or tagged for transmission to other devices. Based on rules you define, a unique identifier (the tag) is inserted in each frame header before it is forwarded. The tag is examined and understood by each device before any broadcasts or transmission to other switches, routers, or end stations. When the frame reaches the last switch or router, the tag is removed before the frame is transmitted to the target end station.
Incorrect Answers:
E: This statement is true, as untagged frames are always used with the native VLAN. The native VLAN is VLAN 1 by default in Cisco switches.

QUESTION 49
Switch R1 has been configured with the root guard feature. What statement is true if the spanning tree enhancement Root Guard is enabled?

A. If BPDUs are not received on a non-designated port, the port is moved into the STP loop-inconsistent blocked state.
B. If BPDUs are received on a PortFast enabled port, the port is disabled.
C. If superior BPDUs are received on a designated port, the interface is placed into the root-inconsistent blocked state.
D. If inferior BPDUs are received on a root port, all blocked ports become alternate paths to the root bridge.

Correct Answer: C
Section: SpanningTree
Explanation

Explanation/Reference:
Explanation:
Root guard is configured on a per-port basis, and does not allow the port to become a STP root port. This means that the port is always STP-designated. If there is a better BPDU received on this port, root guard will put the port into root-inconsistent STP state, rather than taking the BPDU into account and electing a new STP root. Root guard needs to be enabled on all ports where the root bridge should not appear. In a way one can configure a perimeter around part of network where STP root is allowed to be located.

If another switch advertises a superior BPDU, or one with a better Bridge ID, on a port where root guard is enabled, the local switch will not allow the new switch to become the root. As long as the superior BPDUs are being received on the port, the port will be kept in the root-inconsistent STP state.

Reference:
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml

QUESTION 50
What does the global command "udld enable" accomplish?

A. Enables all fiber-optic LAN ports for Unidirectional Link Detection (UDLD)
B. Enables all copper media LAN ports for Unidirectional Link Detection (UDLD)
C. Overrides the default UDLD setting for all ports
D. Globally enables all ports on the device for Unidirectional Link Detection (UDLD)

Correct Answer: A
Section: UDLD
Explanation

Explanation/Reference:
Explanation:
Enabling UDLD Globally
Beginning in privileged EXEC mode, follow these steps to enable UDLD globally on all fiber-optic interfaces on the switch:

To disable UDLD globally on fiber-optic interfaces, use the no udld enable global configuration command.
Reference:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_4_ea1/configuration/guide/swudld.html

QUESTION 51
Which three statements about the MST protocol (IEEE 802.1S) are true? (Choose three)

A. To verify the MST configuration, the show pending command can be used in MST configuration mode.
B. When RSTP and MSTP are configured; UplinkFast and BackboneFast must also be enabled.
C. All switches in the same MST region must have the same VLAN-to-instance mapping, but different configuration revision numbers.
D. All switches in an MST region, except distribution layer switches, should have their priority lowered from the default value 32768.
E. An MST region is a group of MST switches that appear as a single virtual bridge to adjacent CST and MST regions.
F. Enabling MST with the "spanning-tree mode mst" global configuration command also enables RSTP.

Correct Answer: AEF
Section: SpanningTree
Explanation

Explanation/Reference:
Explanation:
MST is built on the concept of mapping one or more VLANs to a single STP instance. Multiple instances of STP can be used (hence the name MST), with each instance supporting a different group of VLANs.

Each could be tuned to result in a different topology, so that Instance 1 would forward on the left uplink, while Instance 2 would forward on the right uplink. Therefore, VLAN A would be mapped to Instance 1, and VLAN B to Instance 2. To implement MST in a network, you need to determine the following:
1. The number of STP instances needed to support the desired topologies.
2. Whether to map a set of VLANs to each instance.

QUESTION 52
Company uses MSTP within their switched LAN. What is the main purpose of Multiple Instance Spanning Tree Protocol (MSTP)?

A. To enhance Spanning Tree troubleshooting on multilayer switches
B. To reduce the total number of spanning tree instances necessary for a particular topology
C. To provide faster convergence when topology changes occur in a switched network
D. To provide protection for STP when a link is unidirectional and BPDUs are being sent but not received

Correct Answer: B
Section: SpanningTree
Explanation

Explanation/Reference:
Explanation:
MST is built on the concept of mapping one or more VLANs to a single STP instance. Multiple instances of STP can be used (hence the name MST), with each instance supporting a different group of VLANs.
Each could be tuned to result in a different topology, so that Instance 1 would forward on the left uplink, while Instance 2 would forward on the right uplink. Therefore, VLAN A would be mapped to Instance 1, and VLAN B to Instance 2. To implement MST in a network, you need to determine the following:
1. The number of STP instances needed to support the desired topologies.
2. Whether to map a set of VLANs to each instance.

QUESTION 53
Which of the following specifications is a companion to the IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) algorithm, and warrants the use of multiple spanning trees?

A. IEEE 802.1s (MST)
B. IEEE 802.1Q (CST)
C. Cisco PVST+
D. IEEE 802.1d (STP)

Correct Answer: A
Section: SpanningTree
Explanation

Explanation/Reference:
Explanation:
MST uses the modified RSTP version called the Multiple Spanning Tree Protocol (MSTP). MST extends the IEEE 802.1w rapid spanning tree (RST) algorithm to multiple spanning trees. This extension provides both rapid convergence and load balancing in a VLAN environment. MST converges faster than PVST+. MST is backward compatible with 802.1D STP, 802.1w (rapid spanning tree protocol [RSTP]), and the Cisco PVST+ architecture.
MST allows you to build multiple spanning trees over trunks. You can group and associate VLANs to spanning tree instances. Each instance can have a topology independent of other spanning tree instances. This new architecture provides multiple forwarding paths for data traffic and enables load balancing. Network fault tolerance is improved because a failure in one instance (forwarding path) does not affect other instances (forwarding paths).
In large networks, you can more easily administer the network and use redundant paths by locating different VLAN and spanning tree instance assignments in different parts of the network. A spanning tree instance can exist only on bridges that have compatible VLAN instance assignments. You must configure a set of bridges with the same MST configuration information, which allows them to participate in a specific set of spanning tree instances. Interconnected bridges that have the same MST configuration are referred to as an MST region.
Reference:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007e71a.html#wp1082480

QUESTION 54
Which of the following specifications will allow you to associate VLAN groups to STP instances so you can provide multiple forwarding paths for data traffic and enable load balancing?

A. IEEE 802.1d (STP)
B. IEEE 802.1s (MST)
C. IEEE 802.1q (CST)
D. IEEE 802.1w (RSTP)

Correct Answer: B
Section: SpanningTree
Explanation

Explanation/Reference:
Explanation:
IEEE 802.1s MST Overview
MST extends the IEEE 802.1w rapid spanning tree (RST) algorithm to multiple spanning trees. This extension provides both rapid convergence and load balancing in a VLAN environment. MST converges faster than PVST+. MST is backward compatible with 802.1D STP, 802.1w (rapid spanning tree protocol [RSTP]), and the Cisco PVST+ architecture.
Reference:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007e71a.html#1050594

QUESTION 55
Which three items are configured in MST configuration submode? (Choose three)

A. Region name
B. Configuration revision number
C. VLAN instance map
D. IST STP BPDU hello timer
E. CST instance map
F. PVST+ instance map

Correct Answer: ABC
Section: SpanningTree
Explanation

Explanation/Reference:
Explanation:
spanning-tree mst configuration:
Use the spanning-tree mst configuration command to enter the MST configuration submode. Use the no form of this command to return to the default MST configuration.
Defaults:
The default value for the MST configuration is the default value for all its parameters:
1. No VLANs are mapped to any MST instance (all VLANs are mapped to the CIST instance).
2. The region name is an empty string.
3. The revision number is 0.
Usage Guidelines:
The MST configuration consists of three main parameters:
1. Instance VLAN mapping (see the instance command)
2. Region name (see the name command)
3. Configuration revision number (see the revision command)

QUESTION 56
By default, all VLANs will belong to which MST instance when using Multiple STP?

A. MST00
B. MST01
C. the last MST instance configured
D. none

Correct Answer: A
Section: SpanningTree
Explanation

Explanation/Reference:
Explanation:
Recall that the whole idea behind MST is the capability to map multiple VLANs to a smaller number of STP instances. Inside a region, the actual MST instances (MSTIs) exist alongside the IST. Cisco supports a maximum of 16 MSTIs in each region. IST always exists as MSTI number 0, leaving MSTI 1 through 15 available for use. By default, all VLANs belong to the MST00 instance.

QUESTION 57
Which MST configuration statement is correct?

A. MST configurations can be propagated to other switches using VTP.
B. After MST is configured on a Switch, PVST+ operations will also be enabled by default.
C. MST configurations must be manually configured on each switch within the MST region.
D. MST configurations only need to be manually configured on the Root Bridge.
E. MST configurations are entered using the VLAN Database mode on Cisco Catalyst switches.

Correct Answer: C
Section: SpanningTree
Explanation

Explanation/Reference:
Explanation:
MST configuration must be manually configured on each switch within the MST region.

QUESTION 58
While logged into a Company switch you issue the following command:

CompanySwitch(config-mst)#instance 10 vlan 11-12

What does this command accomplish?

A. It enables a PVST+ instance of 10 for vlan 11 and vlan 12
B. It enables vlan 11 and vlan 12 to be part of the MST region 10
C. It maps vlan 11 and vlan 12 to the MST instance of 10.
D. It creates an Internal Spanning Tree (IST) instance of 10 for vlan 11 and vlan 12
E. It creates a Common Spanning Tree (CST) instance of 10 for vlan 11 and vlan 12
F. It starts two instances of MST, one instance for vlan 11 and another instance for vlan 12.

Correct Answer: C
Section: SpanningTree
Explanation

Explanation/Reference:
Explanation:
MST extends the IEEE 802.1w rapid spanning tree (RST) algorithm to multiple spanning trees. This extension provides both rapid convergence and load balancing in a VLAN environment. MST converges faster than Per VLAN Spanning Tree Plus (PVST+) and is backward compatible with 802.1D STP, 802.1w (Rapid Spanning Tree Protocol [RSTP]), and the Cisco PVST+ architecture.
MST allows you to build multiple spanning trees over trunks. You can group and associate VLANs to spanning tree instances. Each instance can have a topology independent of other spanning tree instances. This architecture provides multiple forwarding paths for data traffic and enables load balancing. Network fault tolerance is improved because a failure in one instance (forwarding path) does not affect other instances.

Map the VLANs to an MST instance.
If you do not specify the vlan keyword, you can use the no keyword to unmap all the VLANs that were mapped to an MST instance.
If you specify the vlan keyword, you can use the no keyword to unmap a specified VLAN from an MST instance.
Switch(config-mst)# instance instance_number vlan vlan_range
Reference:
http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a00800dde9e.html#36881

QUESTION 59
Refer to the show spanning-tree mst configuration output shown in the exhibit. What should be changed in the configuration of the switch SW_2 in order for it to participate in the same MST region?

A. Switch SW_2 must be configured with the revision number of 2.
B. Switch SW_2 must be configured with a different VLAN range.
C. Switch SW_2 must be configured with the revision number of 1.
D. Switch SW_2 must be configured with a different MST name.

Correct Answer: C
Section: SpanningTree
Explanation

Explanation/Reference:
Explanation:
MST is built on the concept of mapping one or more VLANs to a single STP instance. Multiple instances of STP can be used (hence the name MST), with each instance supporting a different group of VLANs.

In most networks, a single MST region is sufficient, although you can configure more than one region. Within the region, all switches must run the instance of MST that is defined by the following attributes:
MST configuration name (32 characters)
MST configuration revision number (0 to 65535)
MST instance-to-VLAN mapping table (4096 entries)

Example of configuration of MST

Switch(config)# spanning-tree mode mst
Switch(config)# spanning-tree mst configuration
Switch(config-mst)# name name
Switch(config-mst)# revision version
The configuration revision number gives you a means to track changes to the MST region configuration. Each time you make changes to the configuration, you should increase the number by one. Remember that the region configuration (including the revision number) must match on all switches in the region. Therefore, you also need to update the revision numbers on the other switches to match.
Switch(config-mst)# instance instance-id vlan vlan-list
The instance-id (0 to 15) carries topology information for the VLANs listed in vlan-list. The list can contain one or more VLANs separated by commas. You can also add a range of VLANs to the list by separating numbers with a hyphen. VLAN numbers can range from 1 to 4094. (Remember that by default, all VLANs are mapped to instance 0, the IST.)
Switch(config-mst)# show pending
region configuration:
Switch(config-mst)# exit

For switches to belong to the same MST region, their MST attributes must be the same. On SW_2 the revision number is not the same, so for SW_2 to belong to the same MST region its revision number should be 1.

QUESTION 60
The network administrator maps VLAN 10 through 20 to MST instance 2. How will this information be propagated to all appropriate switches?

A. Information will be carried in the RSTP BPDUs.
B. It will be propagated in VTP updates.
C. Information stored in the Forwarding Information Base and the switch will reply on query.
D. Multiple Spanning Tree must be manually configured on the appropriate switches.

Correct Answer: D
Section: SpanningTree
Explanation

Explanation/Reference:
Explanation:
Recall that the whole idea behind MST is the capability to map multiple VLANs to a smaller number of STP instances. Inside a region, the actual MST instances (MSTIs) exist alongside the IST. Cisco supports a maximum of 16 MSTIs in each region. IST always exists as MSTI number 0, leaving MSTI 1 through 15 available for use. MST must be manually configured on all switches that belong to the same MST region.

QUESTION 61
Refer to the exhibit. Switch S2 contains the default configuration. Switches S1 and S3 both have had the command spanning-tree mode rapid-pvst issued on them. What will be the result?

A. IEEE 802.1D and IEEE 802.1w are incompatible. All three switches must use the same standard or no traffic will pass between any of the switches.
B. Switches S1, S2, and S3 will be able to pass traffic between themselves.
C. Switches S1, S2, and S3 will be able to pass traffic between themselves. However, if there is a topology change, Switch S2 will not receive notification of the change.
D. Switches S1 and S3 will be able to exchange traffic but neither will be able to exchange traffic with Switch S2

Correct Answer: B
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 62
Refer to the exhibit. The user who is connected to interface FastEthernet 0/1 is on VLAN 10 and cannot access network resources. On the basis of the information in the exhibit, which command sequence would correct the problem?

A. SW1(config)# vlan 10
   SW1(config-vlan)# no shut
B. SW1(config)# interface fastethernet 0/1
   SW1(config-if)# switchport mode access
   SW1(config-if)# switchport access vlan 10
C. SW1(config)# interface fastethernet 0/1
   SW1(config-if)# switchport mode access
D. SW1(config)# vlan 10
   SW1(config-vlan)# state active
E. SW1(config)# interface fastethernet 0/1
   SW1(config-if)# no shut

Correct Answer: E
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
In the exhibit, the Operational Mode is down, which means the interface is in the down state. Bring it into the up state using the no shutdown command.

QUESTION 63
On a multilayer Catalyst switch, which interface command is used to convert a Layer 3 interface to a Layer 2 interface?

A. switchport access vlan vlan-id
B. switchport
C. switchport mode access
D. no switchport

Correct Answer: B
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
The switchport command puts the port in Layer 2 mode. Then, you can use other switchport command keywords to configure trunking, access VLANs, and so on.

QUESTION 64
Refer to the following exhibits:
Exhibit #1:

Exhibit #2:

Study the exhibits carefully. The switchport output in Exhibit #1 displays the default settings of interface FastEthernet 0/13 on switch TestKing1. Figure 2 displays the desired interface settings. Which command sequence would configure interface FastEthernet 0/13 as displayed in Exhibit #2?

A. TestKing1(config-if)# switchport trunk encapsulation dot1q
   TestKing1(config-if)# switchport mode dynamic auto
   TestKing1(config-if)# switchport trunk native DATA
   TestKing1(config-if)# switchport trunk allowed vlan add 1,10,20
B. TestKing1(config-if)# switchport trunk encapsulation dot1q
   TestKing1(config-if)# switchport mode dynamic desirable
   TestKing1(config-if)# switchport trunk native vlan DATA
   TestKing1(config-if)# switchport trunk allowed vlan 1,10,20
C. TestKing1(config-if)# switchport trunk encapsulation dot1q
   TestKing1(config-if)# switchport mode trunk
   TestKing1(config-if)# switchport trunk native DATA
   TestKing1(config-if)# switchport trunk allowed vlan 1,10,20
D. TestKing1(config-if)# switchport trunk encapsulation dot1q
   TestKing1(config-if)# switchport mode dynamic desirable
   TestKing1(config-if)# switchport trunk native vlan 10
E. TestKing1(config-if)# switchport trunk encapsulation dot1q
   TestKing1(config-if)# switchport mode dynamic desirable
   TestKing1(config-if)# switchport trunk native vlan 10
   TestKing1(config-if)# switchport trunk allowed vlan 1,10,20

Correct Answer: E
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
The IEEE 802.1Q protocol can also carry VLAN associations over trunk links. However, this frame identification method is standardized, allowing VLAN trunks to exist and operate between equipment from multiple vendors. In particular, the IEEE 802.1Q standard defines an architecture for VLAN use, services provided with VLANs, and protocols and algorithms used to provide VLAN services. Like Cisco ISL, IEEE 802.1Q can be used for VLAN identification with Ethernet trunks. Instead of encapsulating each frame with a VLAN ID header and trailer, 802.1Q embeds its tagging information within the Layer 2 frame. This method is referred to as single-tagging or internal tagging.

802.1Q also introduces the concept of a native VLAN on a trunk. Frames belonging to this VLAN are not encapsulated with any tagging information. In the event that an end station is connected to an 802.1Q trunk link, the end station can receive and understand only the native VLAN frames. This provides a simple way to offer full trunk encapsulation to the devices that can understand it, while giving normal access stations some inherent connectivity over the trunk.

You can manually configure trunk links on Catalyst switches for either ISL or 802.1Q mode. In addition, Cisco has implemented a proprietary, point-to-point protocol called Dynamic Trunking Protocol (DTP) that negotiates a common trunking mode between two switches. The negotiation covers the encapsulation (ISL or 802.1Q) as well as whether the link becomes a trunk at all.

In the switchport mode command, you can set the trunking mode to any of the following:
1. trunk: This setting places the port in permanent trunking mode. The corresponding switch port at the other end of the trunk should be similarly configured because negotiation is not allowed. You should also manually configure the encapsulation mode.
2. dynamic desirable (the default): The port actively attempts to convert the link into trunking mode. If the far-end switch port is configured to trunk, dynamic desirable, or dynamic auto mode, trunking is successfully negotiated.
3. dynamic auto: The port converts the link into trunking mode. If the far-end switch port is configured to trunk or dynamic desirable, trunking is negotiated. Because of the passive negotiation behavior, the link never becomes a trunk if both ends of the link are left to the dynamic auto default.

switchport trunk allowed vlan defines which VLANs can be trunked over the link. By default, a switch transports all active VLANs (1 to 4094) over a trunk link. There might be times when the trunk link should not carry all VLANs. For example, broadcasts are forwarded to every switch port on a VLAN, including the trunk link, because it, too, is a member of the VLAN. If the VLAN does not extend past the far end of the trunk link, propagating broadcasts across the trunk makes no sense.

QUESTION 65
What command could you enter to display the trunking status of a module/port in the switch? (Type in the answer below):

Correct Answer: show trunk
Section: Simulation
Explanation

Explanation/Reference:
Answer: show trunk

Explanation:
Use the show trunk command to display trunking information for the switch.
show trunk [mod_num[/port_num]] [detail]
mod_num (Optional) Number of the module.
/port_num (Optional) Number of the port.
detail (Optional) Keyword to show detailed information about the specified trunk port.

QUESTION 66
What two pieces of information will the show vlan id 5 command display? (Choose two.)

A. Ports in VLAN 5
B. Utilization
C. VLAN information on port 0/5
D. Filters
E. MTU and type

Correct Answer: AE
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
#show vlan id 5 : Shows all ports belonging to VLAN 5 and MTU of ports and type.

QUESTION 67
When you issue a command show port 3/1 on an Ethernet port, you observe the 'Giants' column has a non-zero entry. What could be the cause of this?

A. IEEE 802.1Q
B. IEEE 802.10
C. Misconfigured NIC
D. User configuration
E. All of the above

Correct Answer: A
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
The 802.1Q standard can create an interesting scenario on the network. Recalling that the maximum size for an Ethernet frame as specified by IEEE 802.3 is 1518 bytes, this means that if a maximum-sized Ethernet frame gets tagged, the frame size will be 1522 bytes, a number that violates the IEEE 802.3 standard. To resolve this issue, the 802.3 committee created a subgroup called 802.3ac to extend the maximum Ethernet size to 1522 bytes.
Note: The show port command is used to display port status and counters. Giants denote the number of received giant frames (frames that exceed the maximum IEEE 802.3 frame size) on the port.
Reference: Trunking between Catalyst 4000, 5000, and 6000 Family Switches Using 802.1q Encapsulation
http://www.cisco.com/warp/public/473/27.html

QUESTION 68
Refer to the show interface Gi0/1 switchport command output shown in the exhibit. Which two statements are true about this interface? (Choose two)

A. This interface is a member of a voice VLAN.
B. This interface is configured for access mode.
C. This interface is a dot1q trunk passing all configured VLANs.
D. This interface is a member of VLAN 7.
E. This interface is a member of VLAN 1.

Correct Answer: BD
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
In Exhibit, Operation mode is in static access and Access mode VLAN is 7 so it means this port is operating on access mode as a member of VLAN 7.

QUESTION 69
Refer to the exhibit. Switch P1S1 is not applying VLAN updates from switch P2S1. What are three reasons why this is not occurring? (Choose three)

A. Switch P2S1 is in server mode.
B. Switch P1S1 is in transparent mode.
C. The MD5 digests do not match.
D. The passwords do not match.
E. The VTP domains are different.
F. VTP trap generation is disabled on both switches.

Correct Answer: BDE
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
Determine the VTP mode of operation of the switch and include the mode when setting the VTP domain name information on the switch. If you leave the switch in server mode, be sure to verify that the configuration revision number is set to 0 before adding the switch to the VTP domain. It is generally recommended that you have several servers in the domain, with all other switches set to client mode for purposes of controlling VTP information.
It is also highly recommended that you use secure mode in your VTP domain. Assigning a password to the domain will accomplish this. This will prevent unauthorized switches from participating in the VTP domain. From the privileged mode or VLAN configuration mode, use the vtp password password command.

QUESTION 70
Refer to the exhibit. Based upon the output of show vlan on switch CAT2, what can we conclude about interfaces Fa0/13 and Fa0/14?

A. That interfaces Fa0/13 and Fa0/14 are in VLAN 1
B. That interfaces Fa0/13 and Fa0/14 are down
C. That interfaces Fa0/13 and Fa0/14 are trunk interfaces
D. That interfaces Fa0/13 and Fa0/14 have a domain mismatch with another switch
E. That interfaces Fa0/13 and Fa0/14 have a duplex mismatch with another switch

Correct Answer: C
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
trunk: This setting places the port in permanent trunking mode. The corresponding switch port at the other end of the trunk should be similarly configured because negotiation is not allowed. You should also manually configure the encapsulation mode.
show vlan: This command shows the VLANs and the ports belonging to each VLAN, which means those ports are in access mode. It does not show ports in trunk mode.

QUESTION 71
Refer to the exhibit and the show interfaces fastethernet0/1 switchport outputs. Users in VLAN 5 on switch SW_A complain that they do not have connectivity to the users in VLAN 5 on switch SW_B. What should be done to fix the problem?


A. Configure the same number of VLANs on both switches.
B. Create switch virtual interfaces (SVI) on both switches to route the traffic.
C. Define VLAN 5 in the allowed list for the trunk port on SW_A.
D. Disable pruning for all VLANs in both switches.
E. Define VLAN 5 in the allowed list for the trunk port on SW_B.

Correct Answer: C
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
The switchport trunk allowed vlan command defines which VLANs can be trunked over the link. By default, a switch transports all active VLANs (1 to 4094) over a trunk link. There might be times when the trunk link should not carry all VLANs. For example, broadcasts are forwarded to every switch port on a VLAN, including the trunk link, because it, too, is a member of the VLAN. If the VLAN does not extend past the far end of the trunk link, propagating broadcasts across the trunk makes no sense.

QUESTION 72
Refer to the exhibit. An attacker is connected to interface Fa0/11 on switch A-SW2 and attempts to establish a DHCP server for a man-in-middle attack. Which recommendation, if followed, would mitigate this type of attack?


A. All switch ports in the Building Access block should be configured as DHCP untrusted ports.
B. All switch ports in the Building Access block should be configured as DHCP trusted ports.
C. All switch ports connecting to servers in the Server Farm block should be configured as DHCP untrusted ports.
D. All switch ports connecting to hosts in the Building Access block should be configured as DHCP trusted ports.
E. All switch ports in the Server Farm block should be configured as DHCP untrusted ports.
F. All switch ports connecting to hosts in the Building Access block should be configured as DHCP untrusted ports.

Correct Answer: F
Section: Security
Explanation

Explanation/Reference:
Explanation:
One of the ways that an attacker can gain access to network traffic is to spoof responses that would be sent by a valid DHCP server. The DHCP spoofing device replies to client DHCP requests. The legitimate server may reply also, but if the spoofing device is on the same segment as the client, its reply to the client may arrive first. The intruder's DHCP reply offers an IP address and supporting information that designates the intruder as the default gateway or Domain Name System (DNS) server. In the case of a gateway, the clients will then forward packets to the attacking device, which will in turn send them to the desired destination. This is referred to as a "man-in-the-middle" attack, and it may go entirely undetected as the intruder intercepts the data flow through the network.

Untrusted ports are those that are not explicitly configured as trusted. A DHCP binding table is built for untrusted ports. Each entry contains the client MAC address, IP address, lease time, binding type, VLAN number, and port ID recorded as clients make DHCP requests. The table is then used to filter subsequent DHCP traffic. From a DHCP snooping perspective, untrusted access ports should not send any DHCP server responses, such as DHCPOFFER, DHCPACK, DHCPNAK.
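The filtering rule and binding table described in this explanation can be modelled in a few lines. This is an added example, not part of the exam material or of any Cisco code: the class and function names, the trusted uplink Gi0/1, the client port Fa0/5, the MAC address and the 192.0.2.x addresses are constructed for illustration, and the release/decline check is one instance of "filtering subsequent DHCP traffic" with the table.

```python
from dataclasses import dataclass

# Message types only a DHCP server sends (the ones named in the explanation).
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass(frozen=True)
class DhcpMessage:
    msg_type: str            # e.g. "DHCPDISCOVER", "DHCPOFFER"
    client_mac: str          # client hardware address carried in the message
    ingress_port: str        # switch port the frame arrived on
    vlan: int
    offered_ip: str = ""     # address assigned by the server, if any
    lease_seconds: int = 0


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    lease_seconds: int
    binding_type: str
    vlan: int
    port: str


class SnoopingSwitch:
    """Hypothetical model of a switch with DHCP snooping enabled."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.requesters = {}   # client MAC -> (port, vlan) seen on untrusted ports
        self.bindings = {}     # client MAC -> Binding
        self.drops = []        # (reason, message) pairs for logging

    def receive(self, msg):
        """Return True if the frame is forwarded, False if it is dropped."""
        untrusted = msg.ingress_port not in self.trusted
        if msg.msg_type in SERVER_MESSAGES:
            if untrusted:
                # A server reply entering on an access port is a rogue server.
                self.drops.append(("server reply on untrusted port", msg))
                return False
            if msg.msg_type == "DHCPACK" and msg.client_mac in self.requesters:
                port, vlan = self.requesters[msg.client_mac]
                self.bindings[msg.client_mac] = Binding(
                    msg.client_mac, msg.offered_ip, msg.lease_seconds,
                    "dhcp-snooping", vlan, port)
            return True
        if untrusted:
            bound = self.bindings.get(msg.client_mac)
            if msg.msg_type in {"DHCPRELEASE", "DHCPDECLINE"} and bound:
                if bound.port != msg.ingress_port:
                    # Someone else is trying to give up the client's lease.
                    self.drops.append(("release/decline from wrong port", msg))
                    return False
                del self.bindings[msg.client_mac]
            elif msg.msg_type in {"DHCPDISCOVER", "DHCPREQUEST"} and not bound:
                self.requesters[msg.client_mac] = (msg.ingress_port, msg.vlan)
        return True


def replay_constructed_exchange():
    """Replay a constructed exchange; Fa0/11 is the attacker port from the question."""
    switch = SnoopingSwitch(trusted_ports={"Gi0/1"})
    client = "0000.0000.00aa"
    flow = [
        DhcpMessage("DHCPDISCOVER", client, "Fa0/5", 10),
        DhcpMessage("DHCPOFFER", client, "Fa0/11", 10, "192.0.2.66", 3600),
        DhcpMessage("DHCPOFFER", client, "Gi0/1", 10, "192.0.2.20", 86400),
        DhcpMessage("DHCPREQUEST", client, "Fa0/5", 10),
        DhcpMessage("DHCPACK", client, "Gi0/1", 10, "192.0.2.20", 86400),
        DhcpMessage("DHCPRELEASE", client, "Fa0/11", 10),
    ]
    verdicts = [switch.receive(m) for m in flow]
    return switch, verdicts


if __name__ == "__main__":
    sw, verdicts = replay_constructed_exchange()
    print(verdicts)
    print(sw.bindings)
    for reason, m in sw.drops:
        print("dropped:", reason, m.msg_type, "on", m.ingress_port)
```

The two dropped frames are the ones worth alerting on: a server reply on a host-facing port, and a release for a lease bound to a different port.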

QUESTION 73
You are responsible for increasing the security within the Company LAN. Of the following choices listed below, which is true regarding layer 2 security and mitigation techniques?


A. Enable root guard to mitigate ARP address spoofing attacks.
B. Configure DHCP spoofing to mitigate ARP address spoofing attacks.
C. Configure PVLANs to mitigate MAC address flooding attacks.
D. Enable root guard to mitigate DHCP spoofing attacks.
E. Configure dynamic ARP inspection (DAI) to mitigate IP address spoofing on DHCP untrusted ports.
F. Configure port security to mitigate MAC address flooding

Correct Answer: F
Section: Security
Explanation

Explanation/Reference:
Explanation:
Use the port security commands to mitigate MAC-spoofing attacks. The port security command provides the capability to specify the MAC address of the system connected to a particular port. The command also provides the ability to specify an action to take if a port-security violation occurs. However, as with the CAM table-overflow attack mitigation, specifying a MAC address on every port is an unmanageable solution. Hold-down timers in the interface configuration menu can be used to mitigate ARP spoofing attacks by setting the length of time an entry will stay in the ARP cache.

Reference: http://www.javvin.com/networksecurity/NetworkSecurity.html

QUESTION 74
When an attacker is using switch spoofing to perform VLAN hopping, how is the attacker able to gather information?

A. The attacking station uses DTP to negotiate trunking with a switch port and captures all traffic that is allowed on the trunk

B. The attacking station tags itself with all usable VLANs to capture data that is passed through the switch, regardless of the VLAN to which the data belongs.

C. The attacking station will generate frames with two 802.1Q headers to cause the switch to forward the frames to a VLAN that would be inaccessible to the attacker through legitimate means.

D. The attacking station uses VTP to collect VLAN information that is sent out and then tags itself with the domain information in order to capture the data.

Correct Answer: A
Section: Security
Explanation

Explanation/Reference:
Explanation:
DTP should be disabled for all user ports on a switch. If the port is left with DTP auto-configured (default on many switches), an attacker can connect and arbitrarily cause the port to start trunking and therefore pass all VLAN information.

Reference:
http://www.cisco.com/en/US/solutions/ns340/ns517/ns224/ns376/net_design_guidance0900aecd800ebd1e.pdf

QUESTION 75
Which two statements about layer 2 network attacks are true? (Choose two)

A. ARP spoofing attacks are attempts to redirect traffic to an attacking host by encapsulating a false 802.1Q header on a frame and causing traffic to be delivered to the wrong VLAN.

B. ARP spoofing attacks are attempts to redirect traffic to an attacking host by sending an ARP message with a forged identity to a transmitting host.

C. MAC address flooding is an attempt to force a switch to send all information out every port by overloading the MAC address table.

D. ARP spoofing attacks are attempts to redirect traffic to an attacking host by sending an ARP packet that contains the forged address of the next hop router.

E. MAC address flooding is an attempt to redirect traffic to a single port by associating that port with all MAC addresses in the VLAN.

Correct Answer: BC
Section: Security
Explanation

Explanation/Reference:
Explanation:
Content Addressable Memory (CAM) Table Overflow (MAC address Flooding)

Content Addressable Memory (CAM) tables are limited in size. If enough entries are entered into the CAM table before other entries are expired, the CAM table fills up to the point that no new entries can be accepted. Typically, a network intruder floods the switch with a large number of invalid source Media Access Control (MAC) addresses until the CAM table fills up. When that occurs, the switch floods all ports with incoming traffic because it cannot find the port number for a particular MAC address in the CAM table. The switch, in essence, acts like a hub. If the intruder does not maintain the flood of invalid-source MAC addresses, the switch eventually times out older MAC address entries from the CAM table and begins to act like a switch again. CAM table overflow only floods traffic within the local VLAN so the intruder only sees traffic within the local VLAN to which he or she is connected.

The CAM table overflow attack can be mitigated by configuring port security on the switch. This option provides for either the specification of the MAC addresses on a particular switch port or the specification of the number of MAC addresses that can be learned by a switch port. When an invalid MAC address is detected on the port, the switch can either block the offending MAC address or shut down the port. The specification of MAC addresses on switch ports is far too unmanageable a solution for a production environment. A limit of the number of MAC addresses on a switch port is manageable. A more administratively scalable solution is the implementation of dynamic port security at the switch. In order to implement dynamic port security, specify a maximum number of MAC addresses that will be learned.

Address Resolution Protocol (ARP) Spoofing

ARP is used to map IP addressing to MAC addresses in a local area network segment where hosts of the same subnet reside. Normally, a host sends out a broadcast ARP request to find the MAC address of another host with a particular IP address, and an ARP response comes from the host whose address matches the request. The requesting host then caches this ARP response. Within the ARP protocol, another provision is made for hosts to perform unsolicited ARP replies. The unsolicited ARP replies are called Gratuitous ARP (GARP). GARP can be exploited maliciously by an attacker to spoof the identity of an IP address on a LAN segment. This is typically used to spoof the identity between two hosts or all traffic to and from a default gateway in a "man-in-the-middle" attack.

When an ARP reply is crafted, a network attacker can make his or her system appear to be the destination host sought by the sender. The ARP reply causes the sender to store the MAC address of the network attacker's system in the ARP cache. This MAC address is also stored by the switch in its CAM table. In this way, the network attacker has inserted the MAC address of his or her system into both the switch CAM table and the ARP cache of the sender. This allows the network attacker to intercept frames destined for the host that he or she is spoofing.

Reference:
http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_example09186a00807c4101.shtml

QUESTION 76
Which statement is true about DHCP spoofing operation?

A. DHCP spoofing and SPAN cannot be used on the same port of a switch.
B. To prevent a DHCP spoofing, the DHCP server must create a static ARP entry that cannot be updated by a dynamic ARP packet.
C. To prevent a DHCP spoofing, the switch must have DHCP server services disabled and a static entry pointing towards the DHCP server.
D. DHCP spoofing can be prevented by placing all unused ports in an unused VLAN.

Correct Answer: B
Section: Security


Explanation

Explanation/Reference:
Explanation:
About DHCP Spoofing:
Suppose that an attacker could bring up a rogue DHCP server on a machine in the same subnet as that same client PC. Now when the client broadcasts its DHCP request, the rogue server could send a carefully crafted DHCP reply with its own IP address substituted as the default gateway.

When the client receives the reply, it begins using the spoofed gateway address. Packets destined for addresses outside the local subnet then go to the attacker's machine first. The attacker can forward the packets to the correct destination, but in the meantime, it can examine every packet that it intercepts. In effect, this becomes a type of man-in-the-middle attack; the attacker is wedged into the path and the client doesn't realize it.

About ARP:
Hosts normally use the Address Resolution Protocol (ARP) to resolve an unknown MAC address when the IP address is known. If a MAC address is needed so that a packet can be forwarded at Layer 2, a host broadcasts an ARP request that contains the IP address of the target in question. If any other host is using that IP address, it responds with an ARP reply containing its MAC address.

To prevent a DHCP spoofing, the DHCP server must create a static ARP entry that cannot be updated by a dynamic ARP packet.

QUESTION 77
Refer to the exhibit. What will happen to the traffic within VLAN 14 with a source address of 172.16.10.5?

A. The traffic will be forwarded to the router processor for further processing.
B. The traffic will be dropped.
C. The traffic will be forwarded to the TCAM for further processing.
D. The traffic will be forwarded to without further processing.

Correct Answer: B
Section: Security
Explanation

Explanation/Reference:
Explanation:
Each VLAN access map can consist of one or more map sequences, each sequence with a match clause and an action clause. The match clause specifies traffic filtering and the action clause specifies the action to be taken when a match occurs. When a flow matches a permit ACL entry, the associated action is taken and the flow is not checked against the remaining sequences. When a flow matches a deny ACL entry, it will be checked against the next ACL in the same sequence or the next sequence. If a flow does not match any ACL entry and at least one ACL is configured for that packet type, the packet is denied, which is the result in the example shown on this question. In this example, only traffic from the 100.0.0/8 subnet will be allowed.

Reference:
http://www.cisco.com/en/US/products/hw/routers/ps368/products_configuration_guide_chapter09186a008016113d.html

QUESTION 78
In the use of 802.1X access control, which three protocols are allowed through the switch port before authentication takes place? (Choose three)

A. EAP-over-LAN
B. EAP MD5
C. STP
D. protocols not filtered by an ACL
E. CDP
F. TACACS+

Correct Answer: ACE
Section: Security
Explanation

Explanation/Reference:
Explanation:
The IEEE 802.1x standard defines a port-based access control and authentication protocol that restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports. The authentication server authenticates each workstation that is connected to a switch port before making available any services offered by the switch or the LAN. Until the workstation is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the workstation is connected. After authentication succeeds, normal traffic can pass through the port.

The authentication server performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. In this release, the Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco Secure Access Control Server version 3.0. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.

Spanning-Tree Protocol (STP) is a Layer 2 protocol that utilizes a special-purpose algorithm to discover physical loops in a network and effect a logical loop-free topology. STP creates a loop-free tree structure consisting of leaves and branches that span the entire Layer 2 network. The actual mechanics of how bridges communicate and how the STP algorithm works will be discussed at length in the following topics. Note that the terms bridge and switch are used interchangeably when discussing STP. In addition, unless otherwise indicated, connections between switches are assumed to be trunks.

CDP is a Cisco proprietary protocol that operates at the Data Link layer. One unique feature about operating at Layer 2 is that CDP functions regardless of what Physical layer media you are using (UTP, fiber, and so on) and what Network layer routed protocols you are running (IP, IPX, AppleTalk, and so on). CDP is enabled on all Cisco devices by default, and is multicast every 60 seconds out of all functioning interfaces, enabling neighbor Cisco devices to collect information about each other. Although this is a multicast message, Cisco switches do not flood that out to all their neighbors as they do a normal multicast or broadcast.

STP, CDP and EAP-over-LAN are allowed before authentication.

QUESTION 79
Refer to the exhibit. The web servers WS_1 and WS_2 need to be accessed by external and internal users. For security reasons, the servers should not communicate with each other, although they are located on the same subnet. The servers do need, however, to communicate with a database server located in the inside network. What configuration will isolate the servers from each other?


A. The switch ports 3/1 and 3/2 will be defined as secondary VLAN community ports. The ports connecting to the two firewalls will be defined as primary VLAN promiscuous ports.

B. The switch ports 3/1 and 3/2 and the ports connecting to the two firewalls will be defined as primary VLAN promiscuous ports.

C. The switch ports 3/1 and 3/2 and the ports connecting to the two firewalls will be defined as primary VLAN community ports.

D. The switch ports 3/1 and 3/2 will be defined as secondary VLAN isolated ports. The ports connecting to the two firewalls will be defined as primary VLAN promiscuous ports.

Correct Answer: D
Section: Security
Explanation

Explanation/Reference:
Explanation:
Service providers often have devices from multiple clients, in addition to their own servers, on a single Demilitarized Zone (DMZ) segment or VLAN. As security issues proliferate, it becomes necessary to provide traffic isolation between devices, even though they may exist on the same Layer 3 segment and VLAN. Catalyst 6500/4500 switches implement PVLANs to keep some switch ports shared and some switch ports isolated, although all ports exist on the same VLAN. The 2950 and 3550 support "protected ports," which provide functionality similar to PVLANs on a per-switch basis.

A port in a PVLAN can be one of three types:

Isolated: An isolated port has complete Layer 2 separation from other ports within the same PVLAN, except for the promiscuous port. PVLANs block all traffic to isolated ports, except the traffic from promiscuous ports. Traffic received from an isolated port is forwarded to only promiscuous ports.

Promiscuous: A promiscuous port can communicate with all ports within the PVLAN, including the community and isolated ports. The default gateway for the segment would likely be hosted on a promiscuous port, given that all devices in the PVLAN will need to communicate with that port.

Community: Community ports communicate among themselves and with their promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities, or in isolated ports within their PVLAN.

QUESTION 80
VLAN maps have been configured on switch R1. Which of the following actions are taken in a VLAN map that does not contain a match clause?

A. Implicit deny feature at end of list.
B. Implicit deny feature at start of list.
C. Implicit forward feature at end of list.
D. Implicit forward feature at start of list.

Correct Answer: A
Section: Security
Explanation

Explanation/Reference:
Explanation:
Each VLAN access map can consist of one or more map sequences, each sequence with a match clause and an action clause. The match clause specifies IP, IPX, or MAC ACLs for traffic filtering and the action clause specifies the action to be taken when a match occurs. When a flow matches a permit ACL entry the associated action is taken and the flow is not checked against the remaining sequences. When a flow matches a deny ACL entry, it will be checked against the next ACL in the same sequence or the next sequence. If a flow does not match any ACL entry and at least one ACL is configured for that packet type, the packet is denied.

Reference:
http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_guide_chapter09186a008007f4d4.html

QUESTION 81
Given the configuration on a switch interface, what happens when a host with the MAC address of 0003.0003.0003 is directly connected to the switch port?

switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address 0002.0002.0002
switchport port-security violation shutdown

A. The host will be allowed to connect.
B. The port will shut down.
C. The host can only connect through a hub/switch where 0002.0002.0002 is already connected.
D. The host will be refused access.

Correct Answer: A
Section: Security
Explanation

Explanation/Reference:
Explanation:
Steps of Implementing Port Security:


In the exhibit, two MAC addresses are allowed, so the host will be allowed to connect.

QUESTION 82
Refer to the exhibit. Which interface or interfaces on switch SW_A can have the port security feature enabled?

A. Ports 0/1 and 0/2
B. The trunk port 0/22 and the EtherChannel ports
C. Ports 0/1, 0/2 and 0/3
D. Ports 0/1, 0/2, 0/3, the trunk port 0/22 and the EtherChannel ports
E. Port 0/1
F. Ports 0/1, 0/2, 0/3 and the trunk port 0/22

Correct Answer: C
Section: Security


Explanation

Explanation/Reference:
Explanation:
Port security is a feature supported on Cisco Catalyst switches that restricts a switch port to a specific set or number of MAC addresses. Those addresses can be learned dynamically or configured statically. The port will then provide access to frames from only those addresses. If, however, the number of addresses is limited to four but no specific MAC addresses are configured, the port will allow any four MAC addresses to be learned dynamically, and port access will be limited to those four dynamically learned addresses. A port security feature called "sticky learning," available on some switch platforms, combines the features of dynamically learned and statically configured addresses. When this feature is configured on an interface, the interface converts dynamically learned addresses to "sticky secure" addresses. This adds them to the running configuration as if they were configured using the switchport port-security mac-address command.

QUESTION 83
Refer to the exhibit. Based on the running configuration that is shown for interface FastEthernet0/2, what two conclusions can be deduced? (Choose two)

A. Connecting a host with MAC address 0000.0000.4147 will move interface FastEthernet0/2 into error disabled state.

B. The host with address 0000.0000.4141 is removed from the secure address list after 5 seconds of inactivity.

C. The sticky secure MAC addresses are treated as static secure MAC addresses after the running configuration is saved to the startup configuration and the switch is restarted.

D. Interface FastEthernet0/2 is a voice VLAN port.

E. The host with address 0000.0000.000b is removed from the secure address list after 300 seconds.

Correct Answer: CE
Section: Security
Explanation

Explanation/Reference:
Explanation:
The time aging_time keyword specifies the aging time for this port. Valid range for aging_time is from 0 to 1440 minutes. If the time is equal to 0, aging is disabled for this port. In this case, the aging time is set for 5 minutes, or 300 seconds. You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration by enabling sticky port security. To enable sticky port security, enter the switchport port-security mac-address sticky command. When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. The sticky secure MAC addresses do not automatically become part of the configuration file, which is the startup configuration used each time the switch restarts. If you save the running config file to the configuration file, the interface does not need to relearn these addresses when the switch restarts.

Reference:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/25sg/configuration/guide/port_sec.html

QUESTION 84
You need to configure port security on switch R1. Which two statements are true about this technology? (Choose two)

A. Port security can be configured for ports supporting VoIP.
B. With port security configured, four MAC addresses are allowed by default.
C. The network administrator must manually enter the MAC address for each device in order for the switch to allow connectivity.
D. With port security configured, only one MAC address is allowed by default.
E. Port security cannot be configured for ports supporting VoIP.

Correct Answer: AD
Section: Security
Explanation

Explanation/Reference:
Explanation:
You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the workstations that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port.

This feature is indeed supported on voice VLAN ports. If you enable port security on a port configured with a voice VLAN and if there is a PC connected to the Cisco IP Phone, Cisco tells us to set the maximum allowed secure addresses on the port to at least 3.

The table below shows the default number of allowed MAC addresses is one.

Default Port Security Configuration

Feature | Default Setting
Port security | Disabled on a port
Maximum number of secure MAC addresses | 1
Violation mode | Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded, and an SNMP trap notification is sent.

Reference: Configuring Port Security

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.1E/native/configuration/guide/port_sec.html#wpxref25516

QUESTION 85
Refer to the exhibit. Port security has been configured on port Fa0/5. What would happen if another device is connected to the Fa0/5 port after the maximum number of devices has been reached, even if one or more of the original MAC addresses are inactive?


A. The port will permit the new MAC address because one or more of the original MAC addresses are inactive.
B. The port will permit the new MAC address because one or more of the original MAC addresses will age out.
C. Because the new MAC address is not configured on the port, the port will not permit the new MAC address.
D. Although one or more of the original MAC addresses are inactive, the port will not permit the new MAC address.

Correct Answer: D
Section: Security
Explanation

Explanation/Reference:
Explanation:
In this example the switch is configured for Port Security with the maximum number of allowed devices set to 11. When configuring port security, note the following syntax information about port security violation modes:

• protect: Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.
• restrict: Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value and causes the SecurityViolation counter to increment.
• shutdown: Puts the interface into the error-disabled state immediately and sends an SNMP trap notification.

Normally, since the security violation has been set to protect, the switch would indeed allow a new device to be added after an original MAC address is inactive. However, the key to this question is the "aging time 0" command which has also been configured. This command disables aging, so the original MAC addresses would remain even when they were removed. Therefore the switch will not permit any new MAC addresses.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.1E/native/configuration/guide/port_sec.html#wp1036736
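The port security behaviour discussed in Questions 81 and 85 (maximum count, static entries, aging time and the three violation modes) can be checked with a small state model. This is an added example, not part of the exam material or of any switch software: the class and function names and the dynamically learned MAC addresses are hypothetical, aging is modelled as absolute (measured from when the address was learned), and statically configured addresses are assumed not to age.

```python
class SecurePort:
    """Hypothetical model of one switch port with port security enabled."""

    MODES = ("protect", "restrict", "shutdown")

    def __init__(self, maximum=1, violation="shutdown", aging_minutes=0, static=()):
        if violation not in self.MODES:
            raise ValueError(f"unknown violation mode: {violation}")
        self.maximum = maximum
        self.violation = violation
        self.aging_seconds = aging_minutes * 60   # 0 disables aging
        self.static = set(static)                 # configured secure addresses
        self.dynamic = {}                         # learned MAC -> time learned
        self.err_disabled = False
        self.violation_count = 0                  # incremented in restrict mode

    def _expire(self, now):
        # With "aging time 0" nothing is ever removed from the table.
        if self.aging_seconds == 0:
            return
        self.dynamic = {mac: learned for mac, learned in self.dynamic.items()
                        if now - learned < self.aging_seconds}

    def frame(self, src_mac, now=0):
        """Return True if a frame from src_mac is forwarded at time `now` (seconds)."""
        if self.err_disabled:
            return False
        self._expire(now)
        if src_mac in self.static or src_mac in self.dynamic:
            return True
        if len(self.static) + len(self.dynamic) < self.maximum:
            self.dynamic[src_mac] = now           # room left: learn dynamically
            return True
        # Table full and the address is unknown: apply the violation mode.
        if self.violation == "restrict":
            self.violation_count += 1
        elif self.violation == "shutdown":
            self.err_disabled = True
        return False                              # protect: silent drop


def question_81():
    """maximum 2, one static address, violation shutdown; host 0003.0003.0003 connects."""
    port = SecurePort(maximum=2, violation="shutdown", static={"0002.0002.0002"})
    allowed = port.frame("0003.0003.0003")
    return allowed, port.err_disabled


def question_85(aging_minutes):
    """maximum 11, violation protect; a 12th device appears one hour later."""
    port = SecurePort(maximum=11, violation="protect", aging_minutes=aging_minutes)
    for i in range(11):                           # constructed MAC addresses
        port.frame(f"0000.0000.{i:04x}", now=0)
    return port.frame("0000.0000.00ff", now=3600)


if __name__ == "__main__":
    print("Q81 (allowed, err_disabled):", question_81())
    print("Q85 with aging time 0:", question_85(0))
    print("Q85 with aging time 5:", question_85(5))
```

With aging disabled the inactive addresses keep their slots, so the new device is refused; with a 5-minute aging time the same device would be learned.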

QUESTION 86
Which statement is true about Layer 2 security threats?

A. MAC spoofing attacks allow an attacking device to receive frames intended for a different network host.
B. Port scanners are the most effective defense against dynamic ARP inspection.
C. MAC spoofing, in conjunction with ARP snooping, is the most effective counter-measure against reconnaissance attacks that use dynamic ARP inspection (DAI) to determine vulnerable attack points.
D. Dynamic ARP inspection in conjunction with ARP spoofing can be used to counter DHCP snooping attacks.
E. DHCP snooping sends unauthorized replies to DHCP queries.
F. ARP spoofing can be used to redirect traffic to counter dynamic ARP inspection.

Correct Answer: A
Section: Security
Explanation

Explanation/Reference:
Explanation:
First of all, MAC spoofing is not an effective counter-measure against any reconnaissance attack; it IS an attack! Furthermore, reconnaissance attacks don't use dynamic ARP inspection (DAI); DAI is a switch feature used to prevent attacks.

QUESTION 87
An attacker is launching a DoS attack with a public domain hacking tool that is used to exhaust the IP address space available from the DHCP servers for a period of time. Which procedure would best defend against this type of attack?

A. Configure only trusted interfaces with root guard.
B. Implement private VLANs (PVLANs) to carry only user traffic.
C. Implement private VLANs (PVLANs) to carry only DHCP traffic.
D. Configure only untrusted interfaces with root guard.
E. Configure DHCP spoofing on all ports that connect untrusted clients.
F. Configure DHCP snooping only on ports that connect trusted DHCP servers.

Correct Answer: F
Section: Security
Explanation

Explanation/Reference:
Explanation:
Cisco Catalyst switches can use the DHCP snooping feature to help mitigate this type of attack. When DHCP snooping is enabled, switch ports are categorized as trusted or untrusted. Legitimate DHCP servers can be found on trusted ports, whereas all other hosts sit behind untrusted ports.

By default, all switch ports are assumed to be untrusted so that DHCP replies are not expected or permitted. Only trusted ports are allowed to send DHCP replies. Therefore, you should identify only the ports where known, trusted DHCP servers are located. You can do this with the following interface configuration command:


Switch(config-if)#ip dhcp snooping trust

QUESTION 88
Refer to the exhibit. How will interface FastEthernet0/1 respond when an 802.1x-enabled client connects to the port?

A. The switch will uniquely authorize the client by using the client MAC address.
B. The switch will cause the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate.
C. The switch port will disable 802.1x port-based authentication and cause the port to transition to the authorized state without any further authentication exchange.
D. The switch port will enable 802.1x port-based authentication and begin relaying authentication messages between the client and the authentication server.

Correct Answer: C
Section: Security
Explanation

Explanation/Reference:
Explanation:
The IEEE 802.1x standard defines a port-based access control and authentication protocol that restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports. The authentication server authenticates each workstation that is connected to a switch port before making available any services offered by the switch or the LAN. Until the workstation is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the workstation is connected. After authentication succeeds, normal traffic can pass through the port. You control the port authorization state by using the dot1x port-control interface configuration command and these keywords:

force-authorized: Disables 802.1x port-based authentication and causes the port to transition to the authorized state without any authentication exchange required. The port transmits and receives normal traffic without 802.1x-based authentication of the client. This is the default setting.

force-unauthorized: Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the interface.

auto: Enables 802.1x port-based authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up (authenticator initiation) or when an EAPOL-start frame is received (supplicant initiation). The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server. The switch uniquely identifies each client attempting to access the network by using the client MAC address.

Example:


QUESTION 89
In order to enhance security on the Company network, users must be authenticated using 802.1X. When authentication is required, where must 802.1X be configured in order to connect a PC to a switch?

A. Switch port and local router port
B. Switch port, client PC, and authentication server
C. Client PC only
D. Switch port only

Correct Answer: B
Section: Security
Explanation

Explanation/Reference:
Explanation:
The IEEE 802.1x standard defines a port-based access control and authentication protocol that restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports. The authentication server authenticates each workstation that is connected to a switch port before making available any services offered by the switch or the LAN. Until the workstation is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the workstation is connected. After authentication succeeds, normal traffic can pass through the port.

With 802.1x port-based authentication, the devices in the network have specific roles, as follows:

Client: The device (workstation) that requests access to the LAN and switch services, and responds to requests from the switch. The workstation must be running 802.1x-compliant client software, such as what is offered in the Microsoft Windows XP operating system. (The port that the client is attached to is the supplicant [client] in the IEEE 802.1x specification.)

Authentication server: Performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. The RADIUS security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server.

Switch (also called the authenticator): Controls physical access to the network based on the authentication status of the client. The switch acts as an intermediary (proxy) between the client (supplicant) and the authentication server, requesting identifying information from the client, verifying that information with the authentication server, and relaying a response to the client. The switch uses a RADIUS software agent, which is responsible for encapsulating and decapsulating the EAP frames and interacting with the authentication server.

QUESTION 90
Which statement is true about 802.1x port-based authentication?

A. TACACS+ is the only supported authentication server type.
B. If a host initiates the authentication process and does not receive a response, it assumes it is not authorized.
C. RADIUS is the only supported authentication server type.
D. Before transmitting data, an 802.1x host must determine the authorization state of the switch.
E. Hosts are required to have a 802.1x authentication client or utilize PPPoE.

Correct Answer: C
Section: Security
Explanation

Explanation/Reference:
Explanation:
The IEEE 802.1x standard defines a port-based access control and authentication protocol that restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports. The authentication server authenticates each workstation that is connected to a switch port before making available any services offered by the switch or the LAN. Until the workstation is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the workstation is connected. After authentication succeeds, normal traffic can pass through the port.

Authentication server: Performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. The RADIUS security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server.

QUESTION 91
Which three statements are true about the dynamic ARP inspection (DAI) feature? (Choose three)

A. DAI can be performed on ingress ports only.
B. DAI can be performed on both ingress and egress ports.
C. DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
D. DAI should be enabled on the root switch for particular VLANs only in order to secure the ARP caches of hosts in the domain.
E. DAI should be configured on all access switch ports as untrusted and on all switch ports connected to other switches as trusted.
F. DAI is supported on access and trunk ports only.

Correct Answer: ACE
Section: Security
Explanation

Explanation/Reference:
Explanation:
To prevent ARP spoofing or "poisoning," a switch must ensure that only valid ARP requests and responses are relayed. DAI prevents these attacks by intercepting and validating all ARP requests and responses. Each intercepted ARP reply is verified for valid MAC-address-to-IP-address bindings before it is forwarded to a PC to update the ARP cache. ARP replies coming from invalid devices are dropped. DAI determines the validity of an ARP packet based on a valid MAC-address-to-IP-address bindings database built by DHCP snooping. In addition, to handle hosts that use statically configured IP addresses, DAI can also validate ARP packets against user-configured ARP ACLs.

To ensure that only valid ARP requests and responses are relayed, DAI takes these actions:
* Forwards ARP packets received on a trusted interface without any checks
* Intercepts all ARP packets on untrusted ports
* Verifies that each intercepted packet has a valid IP-to-MAC address binding before forwarding packets that can update the local ARP cache
* Drops, logs, or drops and logs ARP packets with invalid IP-to-MAC address bindings

QUESTION 92
What are three required steps to configure DHCP snooping on a switch? (Choose three.)

A. Configure the switch to insert and remove DHCP relay information (option-82 field) in forwarded DHCP request messages.
B. Configure DHCP snooping globally.
C. Configure the switch as a DHCP server.
D. Configure DHCP snooping on an interface.
E. Configure all interfaces as DHCP snooping trusted interfaces.
F. Configure DHCP snooping on a VLAN or range of VLANs.

Correct Answer: BDF
Section: Security
Explanation

Explanation/Reference:
Explanation:
When you configure DHCP snooping on your switch, you are enabling the switch to differentiate untrusted interfaces from trusted interfaces. You must enable DHCP snooping globally before you can use DHCP snooping on a VLAN. You can enable DHCP snooping independently from other DHCP features.

To enable DHCP snooping, follow this procedure:


You can configure DHCP snooping for a single VLAN or a range of VLANs.

Reference: www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/12ew/configuration/guide/dhcp.html#wp1073367

QUESTION 93
What does the global configuration command "ip arp inspection vlan 10-12,15" accomplish?

A. Discards ARP packets with invalid IP-to-MAC address bindings on trusted ports
B. Validates outgoing ARP requests for interfaces configured on VLAN 10, 11, 12, or 15
C. Intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings
D. Intercepts all ARP requests and responses on trusted ports

Correct Answer: C
Section: Security
Explanation

Explanation/Reference:
Explanation:
The "ip arp inspection" command enables Dynamic ARP Inspection (DAI) for the specified VLANs. DAI is a security feature that validates Address Resolution Protocol (ARP) packets in a network. DAI allows a network administrator to intercept, log, and discard ARP packets with invalid MAC address to IP address bindings. This capability protects the network from certain "man-in-the-middle" attacks.

Reference:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/20ew/configuration/guide/dynarp.html

QUESTION 94
What is true about access control on bridged and routed VLAN traffic? (Choose three)

A. Router ACLs can be applied to the input and output directions of a VLAN interface.
B. Bridged ACLs can be applied to the input and output directions of a VLAN interface.
C. Only router ACLs can be applied to a VLAN interface.
D. VLAN maps and router ACLs can be used in combination.
E. VLAN maps can be applied to a VLAN interface

Correct Answer: ABD
Section: Security
Explanation

Explanation/Reference:
Explanation:
Router ACLs are applied on interfaces as either inbound or outbound. To filter both bridged and routed traffic, VLAN maps can be used by themselves or in conjunction with router ACLs. VLAN ACLs, also called VLAN maps, filter both bridged and routed packets. VLAN maps can be used to filter packets exchanged between devices in the same VLAN.

QUESTION 95
A switch has been configured with Private VLANs. With what type of PVLAN port should the default gateway be configured?

A. Trunk
B. Isolated
C. Primary
D. Community
E. Promiscuous

Correct Answer: E
Section: Security
Explanation

Explanation/Reference:
Explanation:
Promiscuous: The switch port connects to a router, firewall, or other common gateway device. This port can communicate with anything else connected to the primary or any secondary VLAN. In other words, the port is in promiscuous mode, in which the rules of private VLANs are ignored.

QUESTION 96
Refer to the exhibit. The "show port-security interface fa0/1" command was issued on switch SW1. Given the output that was generated, which two security statements are true? (Choose two.)

A. Interface FastEthernet 0/1 was configured with the switchport port-security aging command.
B. Interface FastEthernet 0/1 was configured with the switchport port-security protect command.
C. Interface FastEthernet 0/1 was configured with the switchport port-security violation restrict command.
D. When the number of secure IP addresses reaches 10, the interface will immediately shut down.
E. When the number of secure MAC addresses reaches 10, the interface will immediately shut down and an SNMP trap notification will be sent.

Correct Answer: BE
Section: Security
Explanation

Explanation/Reference:
Explanation:
Port security is a feature supported on Cisco Catalyst switches that restricts a switch port to a specific set or number of MAC addresses. Those addresses can be learned dynamically or configured statically. The port will then provide access to frames from only those addresses. If, however, the number of addresses is limited to four but no specific MAC addresses are configured, the port will allow any four MAC addresses to be learned dynamically, and port access will be limited to those four dynamically learned addresses.

Port Security Implementation:

When switch port security rules are violated, different actions can be applied:
1. Protect: Frames from the nonallowed address are dropped, but there is no log of the violation.
2. Restrict: Frames from the nonallowed address are dropped, a log message is created, and a Simple Network Management Protocol (SNMP) trap is sent.
3. Shutdown: If any frames are seen from a nonallowed address, the interface is errdisabled, a log entry is made, an SNMP trap is sent, and manual intervention or errdisable recovery must be used to make the interface usable.

The port will not be shut down, because it is in protect mode -- not shutdown.

QUESTION 97
Refer to the exhibit. What will happen when one more user is connected to interface FastEthernet 5/1?

A. The first address learned on the port will be removed from the secure address list and be replaced with the new address.
B. All secure addresses will age out and be removed from the secure address list. This will cause the security violation counter to increment.
C. The packets with the new source addresses will be dropped until a sufficient number of secure MAC addresses are removed from the secure address list.
D. The interface will be placed into the error-disabled state immediately, and an SNMP trap notification will be sent.

Correct Answer: D
Section: Security
Explanation

Explanation/Reference:

QUESTION 98
Refer to the exhibit. What type of attack is being defended against?

A. Snooping attack
B. Rogue device attack
C. STP attack
D. VLAN attack
E. Spoofing attack
F. MAC flooding attack

Correct Answer: E
Section: Security
Explanation

Explanation/Reference:
Explanation:
When DHCP snooping is configured, you can display its status with the following command:

Switch#show ip dhcp snooping [binding]

You can use the binding keyword to display all the known DHCP bindings that have been overheard. The switch maintains these in its own database.

A switch can use the DHCP snooping bindings to prevent IP and MAC address spoofing attacks. MAC spoofing attacks consist of malicious clients generating traffic by using MAC addresses that do not belong to them. IP spoofing attacks are exactly like MAC spoofing attacks, except that the client uses an IP address that isn't his.

Reference: LAN Switch Security: What Hackers Know About Your Switches, by Eric Vyncke - CCIE No. 2659; Christopher Paggen - CCIE No. 2659, Cisco Press, Chapter 5.


QUESTION 99
Which statement is true about the Forward Information Base (FIB) table?

A. The FIB is derived from the IP routing table and is optimized for maximum lookup throughput.
B. The FIB table is derived from the Address Resolution Protocol table, and it contains Layer 2 rewrite (MAC) information for the next hop.
C. When the FIB table is full, a wildcard entry redirects traffic to the Layer 3 engine.
D. The FIB lookup is based on the Layer 2 destination MAC address.

Correct Answer: A
Section: Layer 3, ip routing
Explanation

Explanation/Reference:
Explanation:
The Layer 3 engine (essentially a router) maintains routing information, whether from static routes or dynamic routing protocols. Basically, the routing table is reformatted into an ordered list with the most specific route first, for each IP destination subnet in the table. The new format is called a Forwarding Information Base (FIB) and contains routing or forwarding information that the network prefix can reference.

In other words, a route to 10.1.0.0/16 might be contained in the FIB, along with routes to 10.1.1.0/24 and 10.1.1.128/25, if those exist. Notice that these examples are increasingly more specific subnets. In the FIB, these would be ordered with the most specific, or longest match, first, followed by less specific subnets. When the switch receives a packet, it can easily examine the destination address and find the longest match entry in the FIB. The FIB also contains the next-hop address for each entry. When a longest match entry is found in the FIB, the Layer 3 next-hop address is found, too.

QUESTION 100
The Company network needs to pass traffic between VLANs. Which device should be used to accomplish this?

A. Hub
B. Switch
C. Router
D. Bridge

Correct Answer: C
Section: Layer 3, ip routing
Explanation

Explanation/Reference:
Explanation:
A VLAN is a virtual LAN contained within a switch, so for it to pass information into a different VLAN within the same switch it has to leave that switch and re-enter via a router. VLANs contain local traffic only, so in order to reach users in another VLAN the traffic must go through a router or a layer 3 routing processor.

QUESTION 101
Inter-VLAN routing has been implemented in the Company network. In VLAN routing, what are some of the disadvantages of designing a router-on-stick configuration? (Choose three)

A. InterVLAN routing cannot be filtered by the router.
B. The router becomes a single point of failure for the network.
C. Routers will not route STP BPDUs.
D. There is a possibility of inadequate bandwidth for each VLAN.
E. Additional overhead on the router can occur.
F. NetFlow Switching is required for InterVLAN accounting.

Correct Answer: BDE
Section: Layer 3, ip routing
Explanation

Explanation/Reference:
Explanation:
A router connected to a switch via a single trunk link is better known as router-on-stick or even a one armed router. Since there's only one router, if that router were to go down there'd be no backup. Since there's only one router, that router would have to handle all the bandwidth of every VLAN so there's a chance it could be overloaded, as with the overhead problems of being responsible for too much. Because traffic routed between the VLANs traverses a single physical port, there is the potential to not provide for enough bandwidth for a VLAN at any given time. Inter-VLAN routing also does indeed require additional configuration, management, and overhead.

Incorrect Answers:
A: This is not true since routers can indeed filter traffic that is routed between the VLAN subinterfaces.
C: This is not an advantage. Since BPDU's are local to the VLAN, there is generally no need to route this traffic between the VLANs.
F: This does not apply as a disadvantage to inter-VLAN routing.

QUESTION 102
Which of the following could be used to provide a Layer 3 data path between separate VLANs? (Choose two.)

A. VLAN trunking
B. An external router
C. An internal route processor
D. VLAN capable bridge
E. EtherChannel

Correct Answer: BC
Section: Layer 3, ip routing
Explanation

Explanation/Reference:
Explanation:
To transport packets between VLANs, you must use a Layer 3 device. Traditionally, this has been a router's function. The router must have a physical or logical connection to each VLAN so that it can forward packets between them. This is known as interVLAN routing.

InterVLAN routing can be performed by an external router that connects to each of the VLANs on a switch. Separate physical connections can be used, or the router can access each of the VLANs through a single trunk link.

QUESTION 103
You are configuring a Cisco multilayer switch for the Company network. Which command would you use to configure a port to act as a routed interface?

A. ip routing
B. switchport mode trunk
C. no switchport
D. switchport trunk native vlan 1

Correct Answer: C
Section: Layer 3, ip routing
Explanation

Explanation/Reference:
Explanation:
Physical switch ports can also operate as Layer 3 interfaces, where a Layer 3 network address is assigned and routing can occur. Figure 13-2 shows an example of this. By default, all switch ports on the Catalyst 6500 (native IOS) platforms operate in the Layer 3 mode. For Layer 3 functionality, you must explicitly configure switch ports with the following command sequence:

Switch(config)# interface type mod/num
Switch(config-if)# no switchport
Switch(config-if)# ip address ip-address mask [secondary]

The no switchport command takes the port out of Layer 2 operation. You can then assign a network address to the port, as you would to a router interface.

QUESTION 104
Refer to the exhibit. PCs in VLAN 2 are not able to communicate with PCs in VLAN 3. What could be the cause?

A. IP routing is not enabled.
B. VTP is not configured correctly on the interfaces.
C. The command "mls rp management-interface" is missing.
D. The command "mls rp ip" must be disabled to enable the routing.

Correct Answer: A
Section: Layer 3, ip routing
Explanation

Explanation/Reference:
Explanation:
To transport packets between VLANs, you must use a Layer 3 device. Traditionally, this has been a router's function. The router must have a physical or logical connection to each VLAN so that it can forward packets between them. This is known as interVLAN routing. Multilayer switches can perform both Layer 2 switching and interVLAN routing, as appropriate. Layer 2 switching occurs between interfaces that are assigned to Layer 2 VLANs or Layer 2 trunks. Layer 3 switching can occur between any type of interface, as long as the interface can have a Layer 3 address assigned to it.

The first step in troubleshooting Inter-VLAN routing is to ensure that routing is actually enabled using the show ip route command. If no entries are seen in the routing table then IP routing needs to be enabled with the command:

Switch(config)#ip routing


QUESTION 105
Which two statements about VLAN hopping are true? (Choose two)

A. Attacks are prevented by utilizing the port-security feature.
B. An end station attempts to gain access to all VLANs by transmitting Ethernet frames in the 802.1q encapsulation.
C. Configuring an interface with the "switchport mode dynamic" command will prevent VLAN hopping.
D. An end station attempts to redirect VLAN traffic by transmitting Ethernet frames in the 802.1q encapsulation.
E. Configuring an interface with the "switchport mode access" command will prevent VLAN hopping.

Correct Answer: BE
Section: Security
Explanation

Explanation/Reference:
Explanation:
When securing VLAN trunks, also consider the potential for an exploit called VLAN hopping. Here, an attacker positioned on one access VLAN can craft and send frames with spoofed 802.1Q tags so that the packet payloads ultimately appear on a totally different VLAN, all without the use of a router.

For this exploit to work, the following conditions must exist in the network configuration:
* The attacker is connected to an access switch port.
* The same switch must have an 802.1Q trunk.
* The trunk must have the attacker's access VLAN as its native VLAN.

To prevent VLAN hopping, turn off Dynamic Trunking Protocol on all unused ports and specify that the port be in access mode to limit the user to a single VLAN.

QUESTION 106
What is one method that can be used to prevent VLAN hopping on the network?

A. Configure VACLs.
B. Configure all frames with two 802.1Q headers.
C. Enforce username/password combinations.
D. Explicitly turn off Dynamic Trunking Protocol (DTP) on all unused ports.
E. All of the above

Correct Answer: D
Section: Security
Explanation

Explanation/Reference:
Explanation:
When securing VLAN trunks, also consider the potential for an exploit called VLAN hopping. Here, an attacker positioned on one access VLAN can craft and send frames with spoofed 802.1Q tags so that the packet payloads ultimately appear on a totally different VLAN, all without the use of a router.

For this exploit to work, the following conditions must exist in the network configuration:
* The attacker is connected to an access switch port.
* The same switch must have an 802.1Q trunk.
* The trunk must have the attacker's access VLAN as its native VLAN.

To prevent VLAN hopping, turn off Dynamic Trunking Protocol on all unused ports.

QUESTION 107
Refer to the exhibit. Dynamic ARP inspection (DAI) is enabled on switch SW_A only. Both Host_A and Host_B acquire their IP addresses from the DHCP server connected to switch SW_A. What would the outcome be if Host_B initiated an ARP spoof attack toward Host_A?

A. The spoof packets will be inspected at the ingress port of switch SW_A and will be permitted.
B. The spoof packets will not be inspected at the ingress port of switch SW_A and will be permitted.
C. The spoof packets will not be inspected at the ingress port of switch SW_A and will be dropped.
D. The spoof packets will be inspected at the ingress port of switch SW_A and will be dropped.

Correct Answer: B
Section: Security
Explanation

Explanation/Reference:
Explanation:
When configuring DAI, follow these guidelines and restrictions:

DAI is an ingress security feature; it does not perform any egress checking.

DAI is not effective for hosts connected to routers that do not support DAI or that do not have this feature enabled. Because man-in-the-middle attacks are limited to a single Layer 2 broadcast domain, separate the domain with DAI checks from the one with no checking. This action secures the ARP caches of hosts in the domain enabled for DAI.

DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets that have dynamically assigned IP addresses. When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to deny packets.

DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.

In our example, since SW_B does not have DAI enabled (bullet point 2 above) packets will not be inspected and they will be permitted.

Reference:
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/dynarp.html

QUESTION 108
Refer to the exhibit. Host A and Host B are connected to the Catalyst 3550 switch and have been assigned to their respective VLANs. The rest of the 3550 configuration is the default configuration. Host A is able to ping its default gateway, 10.10.10.1, but is unable to ping Host B. Given the output displayed in the exhibit, which statement is true?

A. A separate router is required to support interVLAN routing.
B. VTP must be configured to support interVLAN routing.
C. VLANs 10 and 15 must be created in the VLAN database mode.
D. The global configuration command "ip routing" must be configured on the SW1 switch.
E. HSRP must be configured on SW1.
F. Interface VLAN 10 must be configured on the SW1 switch.

Correct Answer: D
Section: Layer 3, ip routing
Explanation

Explanation/Reference:
Explanation:
To transport packets between VLANs, you must use a Layer 3 device. Traditionally, this has been a router's function. The router must have a physical or logical connection to each VLAN so that it can forward packets between them. This is known as interVLAN routing. Multilayer switches can perform both Layer 2 switching and interVLAN routing, as appropriate. Layer 2 switching occurs between interfaces that are assigned to Layer 2 VLANs or Layer 2 trunks. Layer 3 switching can occur between any type of interface, as long as the interface can have a Layer 3 address assigned to it. The Switch(config)#ip routing command enables routing on a Layer 3 switch.

QUESTION 109
Refer to the exhibit. VLAN2, VLAN3, and VLAN10 are configured on the switch D-SW1. Host computers are on VLAN 2 (10.1.2.0), servers are on VLAN 3 (10.1.3.0), and the management VLAN is on VLAN10 (10.1.10.0). Hosts are able to ping each other but are unable to reach the servers. On the basis of the exhibited output, which configuration solution could rectify the problem?

A. Assign an IP address of 10.1.3.1/24 to VLAN3.
B. Configure default gateways to IP address 10.1.10.1 on each host.
C. Enable IP routing on the switch D-SW1.
D. Configure a default route that points toward network 200.1.1.0/24.
E. Configure default gateways to IP address 10.1.2.1 on each host.
F. Configure default gateways to IP address 200.1.1.2 on each host.

Correct Answer: A
Section: Layer 3, ip routing
Explanation

Explanation/Reference:
Explanation:
Although a routed port is configured for connectivity with an external router, Inter-VLAN routing would most likely be achieved through the use of a virtual interface.
Example:
To route between VLANs 10 and 20 which have been configured on the multilayer switch use the following configuration:
RouteSwitch(config)#interface vlan 10
RouteSwitch(config-if)#ip address 10.0.10.1 255.255.255.0
RouteSwitch(config)#interface vlan 20
RouteSwitch(config-if)#ip address 10.0.20.1 255.255.255.0

QUESTION 110
Based on the network diagram and routing table output in the exhibit, which of these statements is true?

A. InterVLAN routing will not occur since no routing protocol has been configured.
B. InterVLAN routing has been configured properly, and the workstations have connectivity to each other.
C. Although interVLAN routing is not enabled, both workstations will have connectivity to each other.
D. Although interVLAN routing is enabled, the workstations will not have connectivity to each other.

Correct Answer: B
Section: Layer 3, ip routing
Explanation

Explanation/Reference:
Explanation:
A Layer 2 network can also exist as a VLAN inside one or more switches. VLANs are essentially isolated from each other so that packets in one VLAN cannot cross into another VLAN.
To transport packets between VLANs, you must use a Layer 3 device. Traditionally, this has been a router's function. The router must have a physical or logical connection to each VLAN so that it can forward packets between them. This is known as interVLAN routing. InterVLAN routing can be performed by an external router that connects to each of the VLANs on a switch. Separate physical connections can be used, or the router can access each of the VLANs through a single trunk link.
The switch port that connects to the router should be a trunk link. Configure it like this:
Switch(config)#interface fa 0/1
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk encapsulation dot1q
On the router, configure the following:
Router(config)#interface fa 0/0
Router(config-if)#description VLAN 1
Router(config-if)#ip address 192.168.10.1 255.255.255.0
Router(config)#interface fa 0/0.10
Router(config-subif)#description Management VLAN 10
Router(config-subif)#encapsulation dot1q 10
Router(config-subif)#ip address 192.168.91.1 255.255.255.0
Router(config)#interface fa 0/0.20
Router(config-subif)#description Engineering VLAN 20
Router(config-subif)#encapsulation dot1q 20
Router(config-subif)#ip address 192.168.20.1 255.255.255.0

QUESTION 111
Refer to the exhibit. Both host stations are part of the same subnet but are in different VLANs. On the basis of the information presented in the exhibit, which statement is true about an attempt to ping from host to host?

A. The two different hosts will need to be in the same VLAN in order for the ping command to be successful.
B. A Layer 3 device is needed for the ping command to be successful.
C. The ping command will be successful without any further configuration changes.
D. A trunk port will need to be configured on the link between SW_A and SW_B for the ping command to be successful.

Correct Answer: C
Section: Layer 3, ip routing
Explanation

Explanation/Reference:
Explanation:
Normally, to transport packets between VLANs, you must use a Layer 3 device. However, in this case the "switchport mode access" command has been used for these ports so the VLAN information will be sent along untagged. Devices that are in different VLANs can ping each other as long as they are in the same subnet when the VLAN information is untagged.

QUESTION 112
On a 3550 EMI switch, which three types of interfaces can be used to configure HSRP? (Choose three)

A. SVI interface
B. Access port
C. EtherChannel port channel
D. Loopback interface
E. Routed port
F. BVI interface

Correct Answer: ACE
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
The Hot Standby Router Protocol (HSRP) provides routing redundancy for routing IP traffic without being dependent on the availability of any single router. To use this feature, you must have the enhanced multilayer software image installed on your switch. All Catalyst 3550 Gigabit Ethernet switches ship with the enhanced multilayer software image (EMI) installed. Catalyst 3550 Fast Ethernet switches can be shipped with either the standard multilayer software image (SMI) or EMI pre-installed. You can order the Enhanced Multilayer Software Image Upgrade kit to upgrade Catalyst 3550 Fast Ethernet switches from the SMI to the EMI.
Only routed interfaces that provide access to hosts can be configured for HSRP. These interfaces include: routed Ethernet, routed Fast Ethernet, routed Gigabit Ethernet, SVI, and EtherChannel.
Reference: http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00800c9fec.html

QUESTION 113
Which of the following protocols enables a group of routers to form a single virtual router, and then use the real IP address of a router as the gateway address?

A. HSRP
B. IRDP
C. Proxy ARP
D. GLBP
E. VRRP

Correct Answer: E
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
The Virtual Router Redundancy Protocol (VRRP) feature enables a group of routers to form a single virtual router. The LAN clients can then be configured with the virtual router as their default gateway. The virtual router, representing a group of routers, is also known as a VRRP group. VRRP is defined in RFC 2338.
Reference: http://www.faqs.org/rfcs/rfc2338.html

QUESTION 114
Which router redundancy protocol cannot be configured for interface tracking?

A. GLBP
B. HSRP
C. RPR
D. VRRP
E. SLB
F. RPR+

Correct Answer: D
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
The Virtual Router Redundancy Protocol (VRRP) is a standards-based alternative to HSRP, defined in IETF standard RFC 2338. VRRP is so similar to HSRP that you need to learn only slightly different terminology and a couple of slight functional differences.
1. VRRP provides one redundant gateway address from a group of routers. The active router is called the master router, while all others are in the backup state. The master router is the one with the highest router priority in the VRRP group.
2. VRRP group numbers range from 0 to 255; router priorities range from 1 to 254 (254 is the highest; 100 is the default).
3. The virtual router MAC address is of the form 0000.5e00.01xx, where xx is a two-digit hex VRRP group number.
4. VRRP advertisements are sent at 1-second intervals. Backup routers can optionally learn the advertisement interval from the master router.
5. By default, all VRRP routers are configured to preempt the current master router, if their priorities are greater.
6. VRRP has no mechanism for tracking interfaces to allow more capable routers to take over the master role.

QUESTION 115
HSRP has been configured between two Company devices. Which of the following describe reasons for deploying HSRP? (Choose three)

A. HSRP provides redundancy and fault tolerance
B. HSRP allows one router to automatically assume the function of the second router if the second router fails
C. HSRP allows one router to automatically assume the function of the second router if the second router starts
D. HSRP provides redundancy and load balancing

Correct Answer: ABD
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
One way to achieve near-100 percent network uptime is to use HSRP, which provides network redundancy for IP networks, ensuring that user traffic immediately and transparently recovers from first hop failures in network edge devices or access circuits. By sharing an IP address and a MAC (Layer 2) address, two or more routers can act as a single "virtual" router. The members of the virtual router group continually exchange status messages. This way, one router can assume the routing responsibility of another, should it go out of commission for either planned or unplanned reasons. Hosts continue to forward IP packets to a consistent IP and MAC address, and the changeover of devices doing the routing is transparent.
Through the use of multiple HSRP standby groups, traffic can be load balanced between the HSRP routers. For example, users on one VLAN could use one router as the primary HSRP router, and users on another VLAN can use the other HSRP router as the primary.

QUESTION 116
Which describes the default load balancing scheme used by the Gateway Load Balancing Protocol (GLBP)?

A. Per host using a strict priority scheme
B. Per session using a round-robin scheme
C. Per session using a strict priority scheme
D. Per GLBP group using a strict priority scheme
E. Per host basis using a round-robin scheme
F. Per GLBP group using a round-robin scheme

Correct Answer: E
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
The Gateway Load Balancing Protocol feature provides automatic router backup for IP hosts configured with a single default gateway on an IEEE 802.3 LAN. Multiple first hop routers on the LAN combine to offer a single virtual first hop IP router while sharing the IP packet forwarding load. Other routers on the LAN may act as redundant GLBP routers that will become active if any of the existing forwarding routers fail. GLBP performs a similar, but not identical, function for the user as the HSRP and the VRRP. HSRP and VRRP protocols allow multiple routers to participate in a virtual router group configured with a virtual IP address. One member is elected to be the active router to forward packets sent to the virtual IP address for the group. The other routers in the group are redundant until the active router fails. These standby routers have unused bandwidth that the protocol is not using. Although multiple virtual router groups can be configured for the same set of routers, the hosts must be configured for different default gateways, which results in an extra administrative burden. GLBP provides load balancing over multiple routers (gateways) using a single virtual IP address and multiple virtual MAC addresses. Each host is configured with the same virtual IP address, and all routers in the virtual router group participate in forwarding packets. In this way, per host load balancing is achieved using a round robin mechanism.

QUESTION 117
Which protocol specified by RFC 2281 provides network redundancy for IP networks, ensuring that user traffic immediately and transparently recovers from first-hop failures in network edge devices or access circuits?

A. ICMP
B. IRDP
C. HSRP
D. STP

Correct Answer: C
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
HSRP is defined in RFC 2281. The Hot Standby Router Protocol, HSRP, provides a mechanism which is designed to support non-disruptive failover of IP traffic in certain circumstances. In particular, the protocol protects against the failure of the first hop router when the source host cannot learn the IP address of the first hop router dynamically. The protocol is designed for use over multi-access, multicast or broadcast capable LANs (e.g., Ethernet). HSRP is not intended as a replacement for existing dynamic router discovery mechanisms and those protocols should be used instead whenever possible. A large class of legacy host implementations that do not support dynamic discovery are capable of configuring a default router. HSRP provides failover services to those hosts.
Reference: http://www.faqs.org/rfcs/rfc2281.html

QUESTION 118
Which two statements are true about the Hot Standby Router Protocol (HSRP)? (Choose two)

A. Load sharing with HSRP is achieved by creating multiple subinterfaces on the HSRP routers.
B. Routers configured for HSRP can belong to multiple groups and multiple VLANs.
C. Load sharing with HSRP is achieved by creating HSRP groups on the HSRP routers.
D. All routers configured for HSRP load balancing must be configured with the same priority.
E. Routers configured for HSRP must belong to only one group per HSRP interface.

Correct Answer: BC
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
HSRP is a Cisco-proprietary protocol developed to allow several routers (or multilayer switches) to appear as a single gateway address. RFC 2281 describes this protocol in more detail. Basically, each of the routers that provides redundancy for a given gateway address is assigned to a common HSRP group. One router is elected as the primary, or active, HSRP router, another is elected as the standby HSRP router, and all the others remain in the listen HSRP state. The routers exchange HSRP hello messages at regular intervals, so they can remain aware of each other's existence, as well as that of the active router.

An HSRP group can be assigned an arbitrary group number, from 0 to 255. If you configure HSRP groups on several VLAN interfaces, it can be handy to make the group number the same as the VLAN number. However, most Catalyst switches support only up to 16 unique HSRP group numbers. If you have more than 16 VLANs, you will quickly run out of group numbers. An alternative is to make the group number the same (that is, 1) for every VLAN interface. This is perfectly valid because the HSRP groups are only locally significant on an interface. HSRP Group 1 on interface VLAN 10 is unique from HSRP Group 1 on interface VLAN 11.

QUESTION 119
Which two statements are true about HSRP, VRRP, and GLBP? (Choose two)

A. GLBP and VRRP allow for MD5 authentication, whereas HSRP does not.
B. HSRP allows for multiple upstream active links being simultaneously used, whereas GLBP does not.
C. GLBP allows for router load balancing of traffic from a network segment without the different host IP configurations required to achieve the same results with HSRP.
D. Unlike HSRP and VRRP, GLBP allows automatic selection and simultaneous use of multiple available gateways.
E. GLBP allows for router load balancing of traffic from a network segment by utilizing the creation of multiple standby groups.

Correct Answer: CD
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
1. GLBP
To provide a virtual router, multiple switches (routers) are assigned to a common GLBP group. Rather than having just one active router performing forwarding for the virtual router address, all routers in the group can participate and offer load balancing by forwarding a portion of the overall traffic.
2. VRRP
The Virtual Router Redundancy Protocol (VRRP) is a standards-based alternative to HSRP, defined in IETF standard RFC 2338. VRRP is so similar to HSRP that you need to learn only slightly different terminology and a couple of slight functional differences.
1. VRRP provides one redundant gateway address from a group of routers. The active router is called the master router, while all others are in the backup state. The master router is the one with the highest router priority in the VRRP group.
2. VRRP group numbers range from 0 to 255; router priorities range from 1 to 254 (254 is the highest; 100 is the default).
3. The virtual router MAC address is of the form 0000.5e00.01xx, where xx is a two-digit hex VRRP group number.
4. VRRP advertisements are sent at 1-second intervals. Backup routers can optionally learn the advertisement interval from the master router.
5. By default, all VRRP routers are configured to preempt the current master router, if their priorities are greater.
6. VRRP has no mechanism for tracking interfaces to allow more capable routers to take over the master role.
3. HSRP
HSRP is a Cisco-proprietary protocol developed to allow several routers (or multilayer switches) to appear as a single gateway address. RFC 2281 describes this protocol in more detail. Basically, each of the routers that provides redundancy for a given gateway address is assigned to a common HSRP group. One router is elected as the primary, or active, HSRP router, another is elected as the standby HSRP router, and all the others remain in the listen HSRP state. The routers exchange HSRP hello messages at regular intervals, so they can remain aware of each other's existence, as well as that of the active router.

QUESTION 120
Which protocol allows for the automatic selection and simultaneous use of multiple available gateways as well as automatic failover between those gateways?

A. VRRP
B. GLBP
C. IRDP
D. HSRP

Correct Answer: B
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
To provide a virtual router, multiple switches (routers) are assigned to a common GLBP group. Rather than having just one active router performing forwarding for the virtual router address, all routers in the group can participate and offer load balancing by forwarding a portion of the overall traffic. The advantage is that none of the clients have to be pointed toward a specific gateway address; they can all have the same default gateway set to the virtual router IP address. The load balancing is provided completely through the use of virtual router MAC addresses in ARP replies returned to the clients. As a client sends an ARP request looking for the virtual router address, GLBP sends back an ARP reply with the virtual MAC address of a selected router in the group. The result is that all clients use the same gateway address but have differing MAC addresses for it.

QUESTION 121
In which three HSRP states do routers send hello messages? (Choose three.)

A. Learn
B. Speak
C. Standby
D. Listen
E. Active
F. Remove

Correct Answer: BCE
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
The various HSRP states are described below:
Listen: The router knows the virtual IP address, but is neither the active router nor the standby router. It listens for hello messages from those routers.
Speak: The router sends periodic hello messages, and is actively participating in the election of the active and/or standby router. A router cannot enter speak state unless it has the virtual IP address.
Standby: The router is a candidate to become the next active router, and sends periodic hello messages. Excluding transient conditions, there would be at most one router in the group in standby state.
Active: The router is currently forwarding packets that are sent to the group's virtual MAC address. The router sends periodic hello messages. Excluding transient conditions, there must be at most one router in active state in the group.
Initial: This is the starting state, and indicates that HSRP is not running. This state is entered via a configuration change, or when an interface first comes up.
Learn: The router has not determined the virtual IP address, and has not yet seen an authenticated hello message from the active router. In this state, the router is still waiting to hear from the active router.

QUESTION 122
What are three possible router states of HSRP routers on a LAN? (Choose three.)

A. Standby
B. Established
C. Active
D. Idle
E. Backup
F. Init

Correct Answer: ACF
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
The valid HSRP states can be one of the following:
Active: Indicates the current Hot Standby router.
Standby: Indicates the router next in line to be the Hot Standby router.
Speak: Router is sending packets to claim the active or standby role.
Listen: Router is in neither the active nor the standby state, but if no messages are received from the active or standby router, it will start to speak.
Init or Disabled: Router is not yet ready or able to participate in HSRP, possibly because the associated interface is not up. HSRP groups configured on other routers on the network that are learned via snooping are displayed as being in the Init state. Locally configured groups with an interface that is down or groups without a specified interface IP address appear in the Init state. For these cases, the Active addr and Standby addr fields will show "unknown." The state is listed as disabled in the fields when the standby ip command has not been specified.
Reference: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/fthsrp.html

QUESTION 123
HSRP has been configured between two Company devices. What kind of message does an HSRP configured router send out every 3 seconds?

A. Retire
B. Coup
C. Resign
D. Send
E. Hello

Correct Answer: E
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
Hello: The hello message conveys to other HSRP routers the router's HSRP priority and state information. By default, an HSRP router sends hello messages every three seconds.
Incorrect Answers:
A, D: These messages are not used by HSRP.
B: Coup: When a standby router assumes the function of the active router, it sends a coup message. This message is used by HSRP, but it is not sent out every 3 seconds.
C: Resign: A router that is the active router sends this message when it is about to shut down or when a router that has a higher priority sends a hello message. This message is only sent before it resigns, not every 3 seconds.

QUESTION 124
Which one of the statements below correctly describes the Virtual Router Redundancy Protocol (VRRP), which is being used in the Company network to provide redundancy?

A. A VRRP group has one active and one or more standby virtual routers.
B. A VRRP group has one master and one or more backup virtual routers.
C. A VRRP group has one master and one redundant virtual router.

Correct Answer: B
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
The Virtual Router Redundancy Protocol (VRRP) feature can solve the static configuration problem. VRRP enables a group of routers to form a single virtual router. The LAN clients can then be configured with the virtual router as their default gateway. The virtual router, representing a group of routers, is also known as a VRRP group. In a topology where multiple virtual routers are configured on a router interface, the interface can act as a master for one virtual router and as a backup for one or more virtual routers.
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1612/products_feature_guide09186a0080080a60.html

QUESTION 125
In the hardware address 0000.0c07.ac0a, what does 07.ac represent?

A. HSRP well-known physical MAC address
B. Vendor code
C. HSRP router number
D. HSRP group number
E. HSRP well-known virtual MAC address

Correct Answer: E
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
HSRP code (HSRP well-known virtual MAC address) - The fact that the MAC address is for an HSRP virtual router is indicated in the next two bytes of the address. The HSRP code is always 07.ac. The HSRP protocol uses a virtual MAC address, which always contains the 07.ac numerical value.
Reference: Building Cisco Multilayer Switched Networks (Cisco Press) page 268

QUESTION 126
Which first-hop redundancy solution listed would supply clients with MAC address 0000.0C07.AC0A for group 10 in response to an ARP request for a default gateway?

A. IRDP
B. Proxy ARP
C. GLBP
D. HSRP
E. VRRP
F. IP Redirects

Correct Answer: D
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
HSRP is a Cisco-proprietary protocol developed to allow several routers (or multilayer switches) to appear as a single gateway IP address. RFC 2281 describes this protocol in more detail.
Each router keeps a unique MAC address for its interface. This MAC address is always associated with the unique IP address configured on the interface. For the virtual router address, HSRP defines a special MAC address of the form 0000.0c07.acxx, where xx represents the HSRP group number as a two-digit hex value. For example, HSRP Group 1 appears as 0000.0c07.ac01, HSRP Group 16 appears as 0000.0c07.ac10, and so on.

QUESTION 127
Regarding high availability, with the MAC address 0000.0c07.ac03, what does the "03" represent?

A. The GLBP group number
B. The type of encapsulation
C. The HSRP router number
D. The VRRP group number
E. The HSRP group number
F. The active router number

Correct Answer: E
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
Each router keeps a unique MAC address for its interface. This MAC address is always associated with the unique IP address configured on the interface. For the virtual router address, HSRP defines a special MAC address of the form 0000.0c07.acxx, where xx represents the HSRP group number as a two-digit hex value. For example, HSRP Group 1 appears as 0000.0c07.ac01, HSRP Group 16 appears as 0000.0c07.ac10.

QUESTION 128
Which two statements about the HSRP priority are true? (Choose two)

A. To assign the HSRP router priority in a standby group, the standby group-number priority priority-value global configuration command must be used.
B. The default priority of a router is zero (0).
C. The no standby priority command assigns a priority of 100 to the router.
D. Assuming that preempting has also been configured, the router with the lowest priority in an HSRP group would become the active router.
E. When two routers in an HSRP standby group are configured with identical priorities, the router with the highest configured IP address will become the active router.

Correct Answer: CE
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
HSRP election is based on a priority value (0 to 255) that is configured on each router in the group. By default, the priority is 100. The router with the highest priority value (255 is highest) becomes the active router for the group. If all router priorities are equal or set to the default value, the router with the highest IP address on the HSRP interface becomes the active router.

QUESTION 129
Which three protocols have been developed for IP routing redundancy to protect against first-hop router failure? (Choose three.)

A. GLBP
B. ICMP
C. MSTP
D. HSRP
E. VRRP
F. NHRP

Correct Answer: ADE
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
If the gateway router for a subnet or VLAN goes down, packets have no way of being forwarded off the local subnet. Several protocols (GLBP, HSRP, VRRP) are available that allow multiple routing devices to share a common gateway address so that if one goes down, another automatically can pick up the active gateway role.

Cisco Hot-Standby Router Protocol (HSRP):
1. Created by Cisco, for Cisco in 1994
2. Uses a default hello timer of 3 seconds with a hold timer of 10 seconds

Virtual Router Redundancy Protocol (VRRP)
1. Created by the IETF in 1999
2. Works between multiple vendors
3. Has faster timers than HSRP by default - hello of 1 second, hold timer of 3 seconds

Gateway Load Balancing Protocol (GLBP)
1. Created by Cisco, for Cisco in 2005
2. Identical features to HSRP, but allows an active-active connection that adds load-balancing features

QUESTION 130
Which three statements are true of a default HSRP configuration? (Choose three.)

A. The Standby hello time is 2 seconds.
B. Two HSRP groups are configured.
C. The Standby track interface priority decrement is 10.
D. The Standby hold time is 10 seconds
E. The Standby priority is 100.
F. The Standby delay is 3 seconds.

Correct Answer: CDE
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
HSRP uses a priority scheme to determine which HSRP-configured router is to be the default active router. To configure a router as the active router, you assign it a priority that is higher than the priority of all the other HSRP-configured routers. The default priority is 100, so if you configure just one router to have a higher priority, that router will be the default active router.
For both HSRP and MHSRP, you can use the tracking feature to adjust the Hot Standby priority of a router based on whether certain of the router's interfaces are available. When a tracked interface becomes unavailable, the HSRP priority of the router is decreased. The default decrement value is 10.
The standby timers interface configuration command sets the interval in seconds between hello messages (called the hello time) to five seconds and sets the duration in seconds that a router waits before it declares the active router to be down (called the hold time) to eight seconds. (The defaults are three and 10 seconds, respectively.) If you decide to modify the default values, you must configure each router to use the same hello time and hold time.
Reference: http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs009.htm#wp3475

QUESTION 131
Which command will need to be added to External_A to ensure that it will take over if serial 0/0 on External_B fails?

A. standby 1 priority 130
B. standby 1 preempt
C. standby 1 track fastethernet 0/0
D. standby 1 track 10.10.10.1

Correct Answer: B
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
You can configure a router to preempt or immediately take over the active role if its priority is the highest at any time. Use the following interface configuration command to allow preemption:
Switch(config-if)# standby group preempt [delay seconds]
By default, the router can preempt another immediately, without delay. You can use the delay keyword to force it to wait for seconds before becoming active. This is usually done if there are routing protocols that need time to converge.

QUESTION 132
Refer to the exhibit. The Gateway Load Balancing Protocol has been configured on routers R1 and R2, and hosts A and B have been configured as shown. Which statement can be derived from the exhibit?

A. The host A default gateway has been configured as 10.88.1.10/24.
B. The GLBP weighted load balancing mode has been configured.
C. The GLBP round-robin, load-balancing mode has been configured.
D. The GLBP host-dependent, load-balancing mode has been configured.
E. The host A default gateway has been configured as 10.88.1.1/24.
F. The host A default gateway has been configured as 10.88.1.4/24.

Correct Answer: A
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
To provide a virtual router, multiple switches (routers) are assigned to a common GLBP group. Rather than having just one active router performing forwarding for the virtual router address, all routers in the group can participate and offer load balancing by forwarding a portion of the overall traffic.
The advantage is that none of the clients have to be pointed toward a specific gateway address; they can all have the same default gateway set to the virtual router IP address. The load balancing is provided completely through the use of virtual router MAC addresses in ARP replies returned to the clients. As a client sends an ARP request looking for the virtual router address, GLBP sends back an ARP reply with the virtual MAC address of a selected router in the group. The result is that all clients use the same gateway address but have differing MAC addresses for it.

QUESTION 133
Refer to the exhibit. HSRP has been configured and Link A is the primary route to router R4. When Link A fails, router R2 (Link B) becomes the active router. Which router will assume the active role when Link A becomes operational again?

A. The primary router R1 will reassume the active role when it comes back online.
B. The standby router R2 will remain active and will forward the active role to router R1 only in the event of its own failure.
C. The standby router R2 will remain active and will forward the active role to router R1 only in the event of Link B failure.
D. The third member of the HSRP group, router R3, will take over the active role only in event of router R2 failure.

Correct Answer: A
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
HSRP election is based on a priority value (0 to 255) that is configured on each router in the group. By default, the priority is 100. The router with the highest priority value (255 is highest) becomes the active router for the group. If all router priorities are equal or set to the default value, the router with the highest IP address on the HSRP interface becomes the active router. To set the priority, use the following interface configuration command:
Switch(config-if)# standby group priority priority

When HSRP is configured on an interface, the router progresses through a series of states before becoming active. This forces a router to listen for others in a group and see where it fits into the pecking order. The HSRP state sequence is Disabled, Init, Listen, Speak, Standby, and, finally, Active.
Only the standby (second highest priority) router monitors the hello messages from the active router. By default, hellos are sent every 3 seconds. If hellos are missed for the duration of the holdtime timer (default 10 seconds, or 3 times the hello timer), the active router is presumed down. The standby router is then clear to assume the active role. If other routers are sitting in the Listen state, the next-highest priority router is allowed to become the new standby router.

QUESTION 134
What three tasks must a network administrator perform to properly configure Hot Standby Routing Protocol (HSRP)? (Choose three)

A. Define the encapsulation type.
B. Define the standby router.
C. Define the standby IP address.
D. Enable the standby priority.

Correct Answer: BCD
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
Three of the required configuration commands needed for enabling HSRP are to define the standby routing process, define the HSRP IP address, and configure the HSRP priority.
Configuring HSRP:
* Configuring an interface to participate in an HSRP standby group
* Assigning HSRP standby priority
* Configuring HSRP standby pre-empt
* Configuring HSRP over trunk links
* Configuring hello message timers
* HSRP interface tracking
* Displaying the status of HSRP
Incorrect Answers:
A: There are no encapsulation options for enabling HSRP.
Reference: Building Cisco Multilayer Switched Networks (Cisco Press) page 272

QUESTION 135
You want to allow Router R1 to immediately become the active router if its priority is highest than the active router fails. What command would you use if you wanted to configure this?

A. en standby 1 preempt
B. standby 1 preempt enable
C. standby 1 preempt
D. hot standby 1 preempt

Correct Answer: C
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
The HSRP preemption feature enables the router with highest priority to immediately become the Active router. Priority is determined first by the priority value that you configure, and then by the IP address. In each case a higher value is of greater priority. When a higher priority router preempts a lower priority router, it sends a coup message. When a lower priority active router receives a coup message or hello message from a higher priority active router, it changes to the speak state and sends a resign message. To configure preemption, use the "standby standby-number preempt" command.

QUESTION 136
Exhibit:

You work as a network engineer at Company.com. You study the exhibit carefully. Which GLBP device hosts receive the MAC address assignment?

A. R1
B. R2
C. The AVG
D. The AVF

Correct Answer: D
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
GLBP differs from Cisco Hot Standby Redundancy Protocol (HSRP) and IETF RFC 3768 Virtual Router Redundancy Protocol (VRRP) in that it has the ability to load balance over multiple gateways. Like HSRP and VRRP an election occurs, but rather than a single active router winning the election, GLBP elects an Active Virtual Gateway (AVG). The job of the AVG is to assign virtual MAC addresses to each of the other GLBP routers and to assign each network host to one of the GLBP routers. The routers that receive this MAC address assignment are known as Active Virtual Forwarders (AVF).
Reference: http://www.cisco.com/en/US/products/ps6600/products_data_sheet0900aecd803a546c.html

QUESTION 137
Refer to the exhibit. Which Virtual Router Redundancy Protocol (VRRP) statement is true about the roles of the master virtual router and the backup virtual router?

A. Router A is the master virtual router, and Router B is the backup virtual router. When Router A fails, Router B will become the master virtual router. When Router A recovers, Router B will maintain the role of master virtual router.
B. Router A is the master virtual router, and Router B is the backup virtual router. When Router A fails, Router B will become the master virtual router. When Router A recovers, it will regain the master virtual router role.
C. Router B is the master virtual router, and Router A is the backup virtual router. When Router B fails, Router A will become the master virtual router. When Router B recovers, it will regain the master virtual router role.
D. Router B is the master virtual router, and Router A is the backup virtual router. When Router B fails, Router A will become the master virtual router. When Router B recovers, Router A will maintain the role of master virtual router.

Correct Answer: B
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:

QUESTION 138
Refer to the exhibit. What is this configuration an example of?

A. GLBP weighting
B. Default AVF and AVG configuration
C. GLBP MD5 authentication
D. GLBP text authentication
E. GLBP timer manipulation

Correct Answer: A
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
Configuring GLBP Weighting: Example
In the following example, Router A, shown in Figure 1, is configured to track the IP routing state of the POS interface 5/0 and 6/0, an initial GLBP weighting with upper and lower thresholds is set, and a weighting decrement value of 10 is set. If POS interface 5/0 and 6/0 goes down, the weighting value of the router is reduced.

track 1 interface POS 5/0 ip routing
track 2 interface POS 6/0 ip routing
interface fastethernet 0/0
glbp 10 weighting 110 lower 95 upper 105
glbp 10 weighting track 1 decrement 10
glbp 10 weighting track 2 decrement 10
glbp 10 forwarder preempt delay minimum 60

Reference: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_glbp.html#wp1040123

QUESTION 139
Refer to the exhibit. GLBP has been configured on the network. When the interface serial0/0/1 on router R1 goes down, how is the traffic coming from Host1 handled?

A. The traffic coming from Host2 is forwarded through router R2 with no disruption. The traffic from Host1 is dropped due to the disruption of the load balancing feature configured for the glbp group.
B. The traffic coming from both hosts is temporarily interrupted while the switchover to make R2 active occurs.
C. The traffic coming from Host2 is forwarded through router R2 with no disruption. Host1 sends an ARP request to resolve the MAC address for the new virtual gateway.
D. The traffic coming from Host1 and Host2 is forwarded through router R2 with no disruption.

Correct Answer: D
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
The Gateway Load Balancing Protocol (GLBP) is a Cisco-proprietary protocol designed to overcome the limitations of existing redundant router protocols. Some of the concepts are the same as with HSRP/VRRP, but the terminology is different and the behavior is much more dynamic and robust and allows for load balancing.
The trick behind this load balancing lies in the GLBP group. One router is elected the active virtual gateway (AVG). This router has the highest priority value, or the highest IP address in the group, if there is no highest priority. The AVG answers all ARP requests for the virtual router address. Which MAC address it returns depends on which load-balancing algorithm it is configured to use. In any event, the virtual MAC address supported by one of the routers in the group is returned. According to exhibit, R1 is the active virtual gateway and R2 is the standby virtual gateway. So, when R1 goes down, R2 will become active virtual gateway and all data goes through R2.

QUESTION 140
Refer to the exhibit. What is the result of setting GLBP weighting at 105 with lower threshold 90 and upper threshold 100 on this router?

A. Only if both tracked objects are up will this router be available as an AVF for group 1.
B. Only if the state of both tracked objects goes down will this router release its status as an AVF for group 1.
C. If both tracked objects go down and then one comes up, but the other remains down, this router will be available as an AVF for group 1.
D. This configuration is incorrect and will not have any effect on GLBP operation.
E. If the state of one tracked object goes down then this router will release its status as an AVF for group 1.

Correct Answer: B
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
Define the weighting thresholds for the interface with the following interface configuration command:

Switch(config-if)# glbp group weighting maximum [lower lower] [upper upper]

You must configure GLBP to know which objects to track so that the weighting can be adjusted with the following interface configuration command:

Switch(config-if)# glbp group weighting track object-number [decrement value]

When the tracked object fails, the weighting is decremented by value (1 to 254, default 10).

QUESTION 141
With route processor redundancy (RPR+), the redundant supervisor engine is fully initialized and configured, which shortens the switchover time if the active supervisor engine fails. Which three statements are true about the RPR+ operations when the redundant supervisor engine switched over the failed primary supervisor engine? (Choose three)

A. Static IP routes are maintained across a switchover because they are configured from entries in the configuration file.
B. Information about dynamic routing states, maintained on the active supervisor engine, is synchronized to the redundant supervisor engine and is transferred during the switchover.
C. Information about dynamic routing states, maintained on the active supervisor engine, is not synchronized to the redundant supervisor engine and is lost on switchover.
D. The Forwarding Information Base (FIB) tables are cleared on a switchover. As a result, routed traffic is interrupted until route tables reconverge.
E. Static IP routes are cleared across a switchover and recreated from entries in the configuration file on the redundant supervisor engine.
F. The Forwarding Information Base (FIB) tables are maintained during the switchover. As a result, routed traffic continues without any interruption when the failover occurs.

Correct Answer: ACD
Section: RPR, RPR+, SSO, NSF
Explanation

Explanation/Reference:
Explanation:
The following guidelines and restrictions apply to RPR+:
RPR+ redundancy does not support configuration entered in VLAN database mode. Use global configuration mode with RPR+ redundancy.
Configuration changes made through SNMP are not synchronized to the redundant supervisor engine. Enter a "copy running-config startup-config" command to synchronize the configuration on the redundant supervisor engine.
Supervisor engine redundancy does not provide supervisor engine mirroring or supervisor engine load balancing. Only one supervisor engine is active.
Network services are disrupted until the redundant supervisor engine takes over and the switch recovers.
With RPR+, both supervisor engines must run the same version of Cisco IOS software. If the supervisor engines are not running the same version of Cisco IOS software, the redundant supervisor engine comes online in RPR mode.
The Forwarding Information Base (FIB) tables are cleared on a switchover. As a result, routed traffic is interrupted until route tables reconverge.
Static IP routes are maintained across a switchover because they are configured from entries in the configuration file.
Information about dynamic states maintained on the active supervisor engine is not synchronized to the redundant supervisor engine and is lost on switchover.
Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.1E/native/configuration/guide/redund.html

QUESTION 142
Which statement best describes Cisco supervisor engine redundancy using Stateful Switchover?

A. Switchover ensures that Layer 2 through Layer 4 traffic is not interrupted.
B. Redundancy requires BGP, OSPF, EIGRP, or IS-IS.
C. Redundancy provides fast supervisor switchover for all Cisco Catalyst 6500 series switches.
D. Switchover can be caused by clock synchronization failure between supervisors.

Correct Answer: D
Section: RPR, RPR+, SSO, NSF
Explanation

Explanation/Reference:

QUESTION 143
Refer to the exhibit. Which two statements are true about the output from the "show standby vlan 50" command? (Choose two)

A. Catalyst_A is load sharing traffic in VLAN 50.
B. Hosts using the default gateway address of 192.168.1.2 will have their traffic sent to Catalyst_A.
C. The command standby 1 preempt was added to Catalyst_A.
D. Hosts using the default gateway address of 192.168.1.1 will have their traffic sent to 192.168.1.11 even after Catalyst_A becomes available again.

Correct Answer: AC
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
The output shows that the Catalyst_A switch is the active router for HSRP group 1 and the standby router for HSRP group 2 on interface VLAN 50. This means that another switch is the active router for HSRP group 2 on interface VLAN 50 -> A is correct, Catalyst_A is load sharing traffic in VLAN 50.

B is not correct, only hosts using the default gateway address of 192.168.1.1 will have their traffic sent to Catalyst_A.

From the output, we notice that there is a line showing that “Local State is Active, priority 200 may preempt”. This indicates the command “standby 1 preempt” was added to Catalyst_A. If the active router (this router) fails, another router takes over its active role. The original active router is not allowed to resume the active role when it is restored until the new active router fails. Pre-empting allows a higher-priority router to take over the active role immediately.

Explanation from certprepare.com

QUESTION 144
Refer to the exhibit. Based on the debug output shown in the exhibit, which three statements about HSRP are true? (Choose three.)

A. The router with IP address 172.16.11.111 has preempt configured.
B. The final active router is the router with IP address 172.16.11.111.
C. The router with IP address 172.16.11.112 has nonpreempt configured.
D. The priority of the router with IP address 172.16.11.112 is preferred over the router with IP address 172.16.11.111.
E. The router with IP address 172.16.11.112 is using default HSRP priority.
F. The IP address 172.16.11.115 is the virtual HSRP IP address.

Correct Answer: ABF
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
Each router in an HSRP group has its own unique IP address assigned to an interface. This address is used for all routing protocol and management traffic initiated by or destined to the router. In addition, each router has a common gateway IP address, the virtual router address, that is kept alive by HSRP. This address is also referred to as the HSRP address or the standby address. Clients can point to that virtual router address as their default gateway, knowing that a router always keeps that address active. Keep in mind that the actual interface address and the virtual (standby) address must be configured to be in the same IP subnet. You can assign the HSRP address with the following interface command:

Switch(config-if)# standby group ip ip-address [secondary]

When HSRP is used on an interface that has secondary IP addresses, you can add the secondary keyword so that HSRP can provide a redundant secondary gateway address.

You can configure a router to preempt or immediately take over the active role if its priority is the highest at any time. Use the following interface configuration command to allow preemption:
Switch(config-if)# standby group preempt [delay seconds]
By default, the router can preempt another immediately, without delay. You can use the delay keyword to force it to wait for seconds before becoming active. This is usually done if there are routing protocols that need time to converge.

QUESTION 145
What can be determined about the HSRP relationship from the displayed debug output?

A. Router 172.16.11.112 will be the active router because its HSRP priority is preferred over router 172.16.11.111.
B. Router 172.16.11.111 will be the active router because its HSRP priority is preferred over router 172.16.11.112.
C. The IP address 172.16.11.111 is the virtual HSRP router IP address.
D. The IP address 172.16.11.112 is the virtual HSRP router IP address.
E. The nonpreempt feature is enabled on the 172.16.11.112 router.
F. The preempt feature is not enabled on the 172.16.11.111 router.

Correct Answer: F
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
The standby preempt interface configuration command allows the router to become the active router when its priority is higher than all other HSRP-configured routers in this Hot Standby group. The configurations of both routers include this command so that each router can be the standby router for the other router. The 1 indicates that this command applies to Hot Standby group 1. If you do not use the standby preempt command in the configuration for a router, that router cannot become the active router.

QUESTION 146
Examine the router output above. Which two items are correct? (Choose two.)

A. The local IP address of Router A is 10.1.0.6.
B. The local IP address of Router A is 10.1.0.20.
C. If Ethernet 0/2 goes down, the standby router will take over.
D. When Ethernet 0/3 of RouterA comes back up, the priority will become 105.
E. Router A will assume the active state if its priority is the highest.

Correct Answer: DE
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
Since preemption has been configured, we know that when any router comes back up, it will become the active router as long as it has a higher priority value. In this example, the current priority shows it to be 95. If the interface were to come up, it would now be 95 + 10 (which is the default value) so the total value would then become 105. If fast0/2 were to come up as well, it would then be 105 + 15 (special override as seen in the command) = 120.
Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_12c_ea1/configuration/guide/swhsrp.html

QUESTION 147
Refer to the exhibit. Which two problems are the most likely cause of the exhibited output? (Choose two.)

A. Transport layer issues
B. VRRP misconfiguration
C. HSRP misconfiguration
D. Physical layer issues
E. Spanning tree issues

Correct Answer: CD
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
Each router in an HSRP group has its own unique IP address assigned to an interface. This address is used for all routing protocol and management traffic initiated by or destined to the router. In addition, each router has a common gateway IP address, the virtual router address, that is kept alive by HSRP. This address is also referred to as the HSRP address or the standby address. Clients can point to that virtual router address as their default gateway, knowing that a router always keeps that address active. Keep in mind that the actual interface address and the virtual (standby) address must be configured to be in the same IP subnet. You can assign the HSRP address with the following interface command:
Switch(config-if)# standby group ip ip-address [secondary]

When HSRP is used on an interface that has secondary IP addresses, you can add the secondary keyword so that HSRP can provide a redundant secondary gateway address.

QUESTION 148
Which three of the following network features are methods used to achieve high availability? (Choose three)

A. Spanning Tree Protocol (STP)
B. Delay reduction
C. Hot Standby Routing Protocol (HSRP)
D. Dynamic routing protocols
E. Quality of Service (QoS)
F. Jitter management

Correct Answer: ACD
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
Because the importance of high availability networks is increasingly being recognized, many organizations are beginning to make reliability/availability features a key selection criteria for network infrastructure products. With this in mind, Cisco Systems engaged ZD Tag to observe and confirm the results of a series of tests demonstrating the high availability features of Cisco Catalyst Layer 2/Layer 3 switches. In order to maximize the relevance of the results, the demonstration was based on a model of a "real world" campus (in one of Cisco's Enterprise Solution Center labs in San Jose, California). This switched internetwork consisted of wiring closet, wiring center, and backbone switches and conformed to Cisco's modular three-tier (Access/Distribution/Core) design philosophy. The testing demonstrated the following high availability and resilience features of Catalyst switches:
1. per-VLAN Spanning Tree (PVST) using Cisco's InterSwitch Link (ISL) and 802.1Q VLAN Trunking
2. Cisco Spanning Tree Enhancements, including UplinkFast and PortFast
3. Cisco Hot Standby Router Protocol (HSRP) and HSRP Track
4. Cisco IOS per-destination load balancing over equal cost OSPF paths
5. Cisco IOS fast convergence for OSPF
Reference: http://www.cisco.com/warp/public/779/largeent/learn/technologies/campuslan.pdf

QUESTION 149
Refer to the exhibit. Assume that Host A can ping the corporate headquarters and that HSRP is configured on DSw1, which is then reloaded. Assume that DSw2 is then configured and reloaded. On the basis of this information, what conclusion can be drawn?

A. DSw1 will be the active router because it has the lower priority configured.
B. DSw1 will be the standby router because it has the lower IP address.
C. DSw2 will be the active router because it booted last.
D. DSw1 will be the active router because it booted first.
E. DSw2 will be the active router because it has the higher priority that is configured.
F. DSw2 will be the standby router because it has the higher IP address.

Correct Answer: D
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
Even though router Company2 has a higher priority, it will not become the active router because the HSRP preemption was not configured. Since the “standby 62 preempt” command was not configured, the first HSRP router to boot up will become the active router and remain the active router even when another device with a higher priority is added.

QUESTION 150
Refer to the exhibit. Based on the "debug standby" output in the exhibit, which HSRP statement is true?

A. DSW111 is the active router because it is the only HSRP-enabled router on that segment.
B. DSW111 is the active router because the standby timer has been incorrectly configured.
C. DSW111 is the active router because it has a lower priority on that VLAN.
D. DSW111 is the active router because it has a lower IP address on that VLAN.
E. DSW111 is the active router and is advertising the virtual IP address 10.10.10.111 on VLAN 11.

Correct Answer: A
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
In the output shown, it can be seen that the standby router is unknown, and the active timer is expired meaning that this router was unable to locate any other HSRP enabled routers on the LAN. It then became the active router, with no standby router.

QUESTION 151
Refer to the exhibit. Host A has sent an ARP message to the default gateway IP address 10.10.10.1. Which statement is true?

A. DSw2 will reply with the IP address of the next AVF.
B. DSw1 will reply with the MAC address of the next AVF.
C. Because of the invalid timers that are configured, DSw1 will not reply.
D. DSw1 will reply with the IP address of the next AVF.
E. Because of the invalid timers that are configured, DSw2 will not reply.
F. DSw2 will reply with the MAC address of the next AVF.

Correct Answer: F
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
The Gateway Load Balancing Protocol (GLBP) is a Cisco-proprietary protocol designed to overcome the limitations of existing redundant router protocols. Some of the concepts are the same as with HSRP/VRRP, but the terminology is different and the behavior is much more dynamic and robust.
The trick behind this load balancing lies in the GLBP group. One router is elected the active virtual gateway (AVG). This router has the highest priority value, or the highest IP address in the group, if there is no highest priority. The AVG answers all ARP requests for the virtual router address. Which MAC address it returns depends on which load-balancing algorithm it is configured to use. In any event, the virtual MAC address supported by one of the routers in the group is returned. According to exhibit, Router DSw2 is the Active Virtual Gateway (AVG) router because it has highest IP address even having equal priority. When router DSw1 sends the ARP message to 10.10.10.1 Router DSw2 will reply to DSw1 as an Active Virtual Router.

QUESTION 152
Refer to the exhibit and the partial configuration on routers R1 and R2. Hot Standby Routing Protocol (HSRP) is configured on the network to provide network redundancy for the IP traffic. The network administrator noticed that R2 does not become active when the R1 serial0 interface goes down. What should be changed in the configuration to fix the problem?

A. The Serial0 interface on router R2 should be configured with a decrement value of 20.
B. The Serial0 interface on router R1 should be configured with a decrement value of 20.
C. R2 should be configured with a standby priority of 100.
D. R2 should be configured with a HSRP virtual address.

Correct Answer: B
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
You can configure a router to preempt or immediately take over the active role if its priority is the highest at any time. Use the following interface configuration command to allow preemption:
Switch(config-if)# standby group preempt [delay seconds]
By default, the router can preempt another immediately, without delay. You can use the delay keyword to force it to wait for seconds before becoming active. This is usually done if there are routing protocols that need time to converge.

QUESTION 153Refer to the exhibit. What statement is true based upon the configuration of router R1 and router R2?

A. Router R2 will become the master for Virtual Router 1, and router R1 will become the backup for Virtual Router 2.
B. Router R1 will become the master for Virtual Router 1, and router R2 will become the backup for Virtual Router 2.
C. Router R1 will become the active virtual gateway.
D. Router R2 will become the active virtual gateway.
E. The hello and hold timers are incompatible with OSPF type 5 LSAs.
F. The hello and hold timers are incompatible with multi-homed BGP.

Correct Answer: C
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
GLBP gateway priority determines the role that each GLBP gateway plays and what happens if the AVG fails. Priority also determines if a GLBP router functions as a backup virtual gateway and the order of ascendancy to becoming an AVG if the current AVG fails. You can configure the priority of each backup virtual gateway with a value of 1 through 255 using the glbp priority command. The default priority value is 100. In this case, since router R1 has a configured priority of 150, it will become the active gateway.
Reference: http://www.cisco.com/en/US/docs/ios/12_4/ip_appl/configuration/guide/haipglbp.html#wp1048194

QUESTION 154
Which command will ensure that R2 will be the primary router for traffic using the gateway address of 172.16.15.20?

A. On R2 add the command standby 1 priority 80
B. On R1 add the command standby 1 priority 110
C. On R1 add the command standby 1 priority 80
D. On R2 remove the command standby 1 preempt

Correct Answer: C
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
HSRP election is based on a priority value (0 to 255) that is configured on each router in the group. By default, the priority is 100. The router with the highest priority value (255 is highest) becomes the active router for the group. If all router priorities are equal or set to the default value, the router with the highest IP address on the HSRP interface becomes the active router. To set the priority, use the following interface configuration command:
Switch(config-if)# standby group priority priority

When HSRP is configured on an interface, the router progresses through a series of states before becoming active. This forces a router to listen for others in a group and see where it fits into the pecking order. The HSRP state sequence is Disabled, Init, Listen, Speak, Standby, and, finally, Active.

QUESTION 155
Routers R1 and R2 are configured for HSRP as shown below:

Router R1:
interface ethernet 0
 ip address 20.6.2.1 255.255.255.0
 standby 35 ip 20.6.2.21
 standby 35 priority 100
interface ethernet 1
 ip address 20.6.1.1.2 255.255.255.0
 standby 34 ip 20.6.1.21

Router R2:
interface ethernet 0
 ip address 20.6.2.2 255.255.255.0
 standby 35 ip 20.6.2.21
interface ethernet 1
 ip address 20.6.1.1.1 255.255.255.0
 standby 34 ip 20.6.1.21
 standby 34 priority 100

You have configured the routers R1 & R2 with HSRP. While debugging router R2 you notice very frequent HSRP group state transitions. What is the most likely cause of this?

A. physical layer issues
B. no spanning tree loops
C. use of non-default HSRP timers
D. failure to set the command standby 35 preempt

Correct Answer: A
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
R2 is not able to get from the standby state to the active state. This could be caused by missing HSRP hello messages. There are several possible causes for HSRP packets to get lost between the peers. The most common problems are Physical Layer Problems or excessive network traffic caused by Spanning-Tree Issues.
Note:
Hot Standby Routing Protocol (HSRP) is a Cisco proprietary protocol used for allowing redundant connections. It can keep core connectivity if the primary routing process fails. HSRP defines six states in which an HSRP router may run: initial, learn, listen, speak, standby, and active.
Incorrect Answers:
B: Spanning tree loops do not affect this problem.
C: Not a likely cause. Besides, in the example here the default values were indeed used.

QUESTION 156
Refer to the exhibit. Which four statements accurately describe this GLBP topology? (Choose four.) *

A. Router A is responsible for answering ARP requests sent to the virtual IP address.
B. If Router A becomes unavailable, Router B will forward packets sent to the virtual MAC address of Router A.
C. Router A alternately responds to ARP requests with different virtual MAC addresses.
D. Router B will transition from blocking state to forwarding state when it becomes the AVG.
E. If another router were added to this GLBP group, there would be two backup AVGs.
F. Router B is in GLBP listen state.

Correct Answer: ABCE
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
With GLBP the following is true:
With GLBP, there is 1 AVG and 1 standby VG. In this case Router A is the AVG and Router B is the standby. Router B would act as a VRF and would already be forwarding and routing packets. Any additional routers would be in a listen state. In its role as the Active VG performing load balancing, Router A responds to ARP requests with different virtual MAC addresses.
In this scenario, Router B is the Standby VF for the VMAC 0008.b400.0101 and would become the Active VF if Router A were down.
The primary responsibility of the Active VG is to answer ARP requests to the virtual IP address.
As an AVF router, Router B is already forwarding/routing packets.

QUESTION 157
Refer to the exhibit. Both routers are configured for the Gateway Load Balancing Protocol (GLBP). Which statement is true?

A. The default gateway addresses of both hosts should be set to the IP addresses of both routers.
B. The default gateway address of each host should be set to the virtual IP address.
C. The hosts will learn the proper default gateway IP address from Router A.
D. The hosts will have different default gateway IP addresses and different MAC addresses for each router.

Correct Answer: B
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
If the gateway router for a subnet or VLAN goes down, packets have no way of being forwarded off the local subnet. Several protocols (GLBP, HSRP, VRRP) are available that allow multiple routing devices to share a common gateway address so that if one goes down, another automatically can pick up the active gateway role. On any of the redundancy protocols GLBP, HSRP, or VRRP the default gateway on host should be configured to be the virtual IP address.

QUESTION 158
Which three WLAN statements are true? (Choose three)

A. A lightweight AP receives control and configuration from a WLAN controller to which it is associated.
B. A wireless client operating at a lower data rate in a particular WLAN will delay all clients in that same WLAN.
C. Ad hoc mode allows mobile clients to connect directly without an intermediate AP.
D. Another term for infrastructure mode is independent service set (IBSS).
E. The Aironet 1230 access point is an example of an access point that operates solely as a lightweight access point.
F. WLANs are designed to share the medium and can easily handle an increased demand of channel contention.

Correct Answer: ABC
Section: Wireless
Explanation

Explanation/Reference:
Explanation:
Lightweight access points first search for a WLAN controller using LWAPP in Layer 2 mode. Then the access point searches for a WLAN in Layer 3 mode. The control traffic between the access point and the controller is encapsulated with the LWAPP. The control traffic is encrypted via the Advanced Encryption Standard (AES).

Lightweight APs need configuration and control information from a WLAN controller.
Incorrect Answers:
D: Ad hoc mode: This mode is called Independent Basic Service Set (IBSS). Mobile clients connect directly without an intermediate access point.

Original answer B. A WLAN client that is operating in half-duplex mode will delay all clients in that WLAN. - I think there is error in question

http://www.cisco.com/en/US/docs/wireless/technology/1140/deployment/guide/1140dep.html
The problem with clients operating at low data rates (example, 1Mbps) is that each packet takes up more 'airtime' compared to clients utilizing high data rates such as 36Mbps to 54Mbps. In simpler terms, a client utilizing a 1Mbps rate is essentially 'talking' slower than other clients and therefore drags down aggregate performance. Since WLANs operate with the guideline that only one device, be it AP or client, can utilize the channel at any one moment, overall system performance drops when a large percentage of low data rate frames monopolize the airtime. By designing Access Point density for capacity and disabling lower data rates, aggregate system capacity can be increased.

QUESTION 159
Refer to the exhibit. The command spanning-tree guard root is configured on interface Gi0/0 on both switch S2 and S5. The global configuration command spanning-tree uplinkfast has been configured on both switch S2 and S5. The link between switch S4 and S5 fails. Will Host A be able to reach Host B?

A. Yes. Traffic can pass either from switch S6 to S3 to S2 to S1, or, from switch S6 to S5 to S2 to S1.
B. No. Traffic will pass from switch S6 to S5 and dead-end at interface Gi 0/0.
C. No. Traffic will loop back and forth between switch S5 and S2.
D. Yes. Traffic will pass from switch S6 to S3 to S2 to S1.
E. No. Traffic will either pass from switch S6 to S5 and dead-end, or traffic will pass from switch S6 to S3 to S2 and dead-end.

Correct Answer: D
Section: SpanningTree
Explanation

Explanation/Reference:
Explanation:
The BPDU filtering feature can be globally enabled on the switch or can be enabled per interface, but the feature operates with some differences. At the global level, you can enable BPDU filtering on Port Fast-enabled ports by using the spanning-tree portfast bpdufilter default global configuration command. This command prevents ports that are in a Port Fast-operational state from sending or receiving BPDUs. The ports still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these ports do not receive BPDUs. If a BPDU is received on a Port Fast-enabled port, the port loses its Port Fast-operational status, and BPDU filtering is disabled.
At the interface level, you can enable BPDU filtering on any port by using the spanning-tree bpdufilter enable interface configuration command without also enabling the Port Fast feature. This command prevents the port from sending or receiving BPDUs.

QUESTION 160
Refer to the exhibit. The service provider wants to ensure that switch S1 is the root switch for its own network and the network of the customer. On which interfaces should root guard be configured to ensure that this happens?

A. interfaces 1 and 2
B. interfaces 1, 2, 3, and 4
C. interfaces 1, 3, 5, and 6
D. interfaces 5 and 6
E. interfaces 5, 6, 7, and 8
F. interfaces 11 and 12

Correct Answer: D
Section: SpanningTree
Explanation

Explanation/Reference:
Explanation:
The traditional STP does not provide any means for the network administrator to securely enforce the topology of the switched Layer 2 network. This may become especially important in networks with shared administrative control. For example, one switched network controlled by different administrative entities or companies.
Forwarding topology of the switched network is calculated, based among other parameters, on the root bridge position. Although any switch can be Root Bridge in the network, it is better to place the root bridge manually (somewhere in the core layer) so the forwarding topology will be optimal. The standard STP does not allow the administrator to enforce the position of the root bridge. If a bridge is introduced into the network with lower bridge priority, it will take the role of the root bridge. The root guard ensures that the port on which it is enabled is the designated port (normally, root bridge ports are all designated, unless two or more ports of the root bridge are connected together). If the bridge receives superior STP Bridge Port Data Units (BPDUs) on a root guard enabled port, this port will be moved to a root-inconsistent STP state (effectively equal to listening state), and no traffic will be forwarded across this port. The position of the root bridge will be enforced.
Configuring Root Guard

QUESTION 161
Which description correctly describes a MAC address flooding attack?

A. The attacking device crafts ARP replies intended for valid hosts. The MAC address of the attacking device then becomes the destination address found in the Layer 2 frames sent by the valid network device.

B. The attacking device crafts ARP replies intended for valid hosts. The MAC address of the attacking device then becomes the source address found in the Layer 2 frames sent by the valid network device.

C. The attacking device spoofs a destination MAC address of a valid host currently in the CAM table. The switch then forwards frames destined for the valid host to the attacking device.

D. The attacking device spoofs a source MAC address of a valid host currently in the CAM table. The switch then forwards frames destined for the valid host to the attacking device.

E. Frames with unique, invalid destination MAC addresses flood the switch and exhaust CAM table space. The result is that new entries cannot be inserted because of the exhausted CAM table space, and traffic is subsequently flooded out all ports.

F. Frames with unique, invalid source MAC addresses flood the switch and exhaust CAM table space. The result is that new entries cannot be inserted because of the exhausted CAM table space, and traffic is subsequently flooded out all ports.

Correct Answer: F
Section: Security
Explanation

Explanation/Reference:
Explanation:
A common Layer 2 or switch attack is MAC flooding, resulting in a switch's CAM table overflow, which causes flooding of regular data frames out all switch ports. This attack can be launched for the malicious purpose of collecting a broad sample of traffic or as a denial of service (DoS) attack.
A switch's CAM tables are limited in size and therefore can contain only a limited number of entries at any one time. A network intruder can maliciously flood a switch with a large number of frames from a range of invalid source MAC addresses. If enough new entries are made before old ones expire, new valid entries will not be accepted. Then, when traffic arrives at the switch for a legitimate device that is located on one of the switch ports that was not able to create a CAM table entry, the switch must flood frames to that address out all ports.
This has two adverse effects:
1. The switch traffic forwarding is inefficient and voluminous.
2. An intruding device can be connected to any switch port and capture traffic that is not normally seen on that port.
If the attack is launched before the beginning of the day, the CAM table would be full when the majority of devices are powered on. Then frames from those legitimate devices are unable to create CAM table entries as they power on. If this represents a large number of network devices, the number of MAC addresses for which traffic will be flooded will be high, and any switch port will carry flooded frames from a large number of devices.
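The CAM behaviour described in this explanation, and the effect of a per-port MAC limit (port security), can be reproduced with a toy learning switch. This is an added example, not part of the original question bank; the table size, port numbers, MAC addresses and the shut-down-on-violation behaviour are modelling assumptions.

```python
# Added example: a toy learning switch. Table size, port numbers, MAC addresses
# and the "shut the port on violation" behaviour are modelling assumptions.

def mac(n):
    """Constructed locally administered MAC address number n."""
    return "02:00:00:00:%02x:%02x" % (n >> 8, n & 0xFF)


class ToySwitch:
    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity            # total CAM entries available
        self.max_macs_per_port = max_macs_per_port  # None = port security off
        self.cam = {}                               # source MAC -> port
        self.err_disabled = set()                   # ports shut by a violation

    def _learned_on(self, port):
        return [m for m, p in self.cam.items() if p == port]

    def receive(self, in_port, src, dst):
        """Handle one frame and return the list of ports it is sent out of."""
        if in_port in self.err_disabled:
            return []
        if src not in self.cam:
            over_limit = (self.max_macs_per_port is not None and
                          len(self._learned_on(in_port)) >= self.max_macs_per_port)
            if over_limit:
                # Port security violation: shut the port, forget its addresses.
                self.err_disabled.add(in_port)
                for m in self._learned_on(in_port):
                    del self.cam[m]
                return []
            if len(self.cam) < self.cam_capacity:
                self.cam[src] = in_port
            # Otherwise the table is exhausted and the source is not learned.
        if dst in self.cam:
            return [self.cam[dst]]                  # known unicast: one port
        # Unknown destination: flood out every other usable port.
        return [p for p in self.ports
                if p != in_port and p not in self.err_disabled]


def run_scenario(max_macs_per_port):
    """Port 1 = host A, port 2 = host B, port 3 = idle port, port 4 = noisy port."""
    sw = ToySwitch(ports=[1, 2, 3, 4], cam_capacity=64,
                   max_macs_per_port=max_macs_per_port)
    host_a, host_b = mac(1), mac(2)
    # 64 frames with unique source addresses arrive on port 4 before A and B talk.
    for i in range(64):
        sw.receive(4, mac(0x100 + i), mac(0xFFFF))
    first = sw.receive(1, host_a, host_b)    # A -> B
    reply = sw.receive(2, host_b, host_a)    # B -> A
    again = sw.receive(1, host_a, host_b)    # A -> B, after both have spoken
    return {"first": first, "reply": reply, "again": again,
            "cam_entries": len(sw.cam), "err_disabled": sorted(sw.err_disabled)}


if __name__ == "__main__":
    print("no port security :", run_scenario(None))
    print("max 2 MACs/port  :", run_scenario(2))
```

Without the limit, every frame between A and B keeps leaving on ports 3 and 4 as well; with the limit, port 4 is shut after its third source address and A and B are switched port to port.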

QUESTION 162
What are two methods of mitigating MAC address flooding attacks? (Choose two.)

A. Place unused ports in a common VLAN.
B. Implement private VLANs.
C. Implement DHCP snooping.
D. Implement port security.
E. Implement VLAN access maps.

Correct Answer: DE
Section: Security
Explanation

Explanation/Reference:

QUESTION 163
Refer to the exhibit. What can be concluded about VLANs 200 and 202?

A. VLAN 202 carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN. VLAN 200 carries traffic between community ports and to promiscuous ports.

B. VLAN 202 carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN. VLAN 200 carries traffic from isolated ports to a promiscuous port.

C. VLAN 200 carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN. VLAN 202 carries traffic between community ports and to promiscuous ports.

D. VLAN 200 carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN. VLAN 202 carries traffic from isolated ports to a promiscuous port.

Correct Answer: B
Section: Security
Explanation

Explanation/Reference:
Explanation:
A primary VLAN carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same primary VLAN.

An isolated VLAN carries traffic from isolated ports to a promiscuous port.

QUESTION 164
Refer to the exhibit. What information can be derived from the output?

A. Devices connected to interfaces FastEthernet3/1 and FastEthernet3/2 are sending BPDUs with a superior root bridge parameter and no traffic is forwarded across the ports. Once inaccurate BPDUs have been stopped, the interfaces will need to be administratively shut down, and brought back up, to resume normal operation.

B. Devices connected to interfaces FastEthernet3/1 and FastEthernet3/2 are sending BPDUs with a superior root bridge parameter, but traffic is still forwarded across the ports.

C. Devices connected to interfaces FastEthernet3/1 and FastEthernet3/2 are sending BPDUs with a superior root bridge parameter and no traffic is forwarded across the ports. Once inaccurate BPDUs have been stopped, the interfaces automatically recover and resume normal operation.

D. Interfaces FastEthernet3/1 and FastEthernet3/2 are candidates for becoming the STP root port, but neither can realize that role until BPDUs with a superior root bridge parameter are no longer received on at least one of the interfaces.

Correct Answer: C
Section: SpanningTree
Explanation

Explanation/Reference:
Explanation:
Root guard is configured on a per-port basis. If a superior BPDU is received on the port, root guard does not take the BPDU into account and so puts the port into a root-inconsistent state. When devices connected on FastEthernet3/1 and FastEthernet3/2 stop sending superior BPDUs, the port will be unblocked again and will transition through STP states like any other port.

QUESTION 165
Why is BPDU guard an effective way to prevent an unauthorized rogue switch from altering the spanning-tree topology of a network?

A. BPDU guard can guarantee proper selection of the root bridge.
B. BPDU guard can be utilized along with PortFast to shut down ports when a switch is connected to the port.
C. BPDU guard can be utilized to prevent the switch from transmitting BPDUs and incorrectly altering the root bridge election.
D. BPDU guard can be used to prevent invalid BPDUs from propagating throughout the network.

Correct Answer: B
Section: SpanningTree
Explanation

Explanation/Reference:
Explanation:
As long as a port participates in STP, some device can assume the root bridge function and affect active STP topology. To assume the root bridge function, the device would be attached to the port and would run STP with a lower bridge priority than that of the current root bridge. If another device assumes the root bridge function in this way, it renders the network suboptimal. This is a simple form of a denial of service (DoS) attack on the network. The temporary introduction and subsequent removal of STP devices with low (0) bridge priority cause a permanent STP recalculation. The STP PortFast BPDU guard enhancement allows network designers to enforce the STP domain borders and keep the active topology predictable. The devices behind the ports that have STP PortFast enabled are not able to influence the STP topology. At the reception of BPDUs, the BPDU guard operation disables the port that has PortFast configured. The BPDU guard transitions the port into errdisable state, and a message appears on the console.
Reference: Spanning Tree PortFast BPDU Guard Enhancement
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml

QUESTION 166
What two steps can be taken to help prevent VLAN hopping? (Choose two.)

A. Place unused ports in a common unrouted VLAN
B. Enable BPDU guard
C. Implement port security
D. Prevent automatic trunk configuration
E. Disable CDP on ports where it is not necessary

Correct Answer: AD
Section: Security
Explanation

Explanation/Reference:
Explanation:
To prevent VLAN hopping you should disable unused ports and put them in an unused VLAN, or a separate unrouted VLAN. By not granting connectivity or by placing a device into a VLAN not in use, unauthorized access can be thwarted through fundamental physical and logical barriers.
Another method used to prevent VLAN hopping is to prevent automatic trunk configuration. Hackers used 802.1Q and ISL tagging attacks, which are malicious schemes that allow a user on a VLAN to get unauthorized access to another VLAN. For example, if a switch port were configured as DTP auto and were to receive a fake DTP packet, it might become a trunk port and it might start accepting traffic destined for any VLAN. Therefore, a malicious user could start communicating with other VLANs through that compromised port.
Reference: VLAN Security White Paper, Cisco Systems
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

QUESTION 167
Refer to the exhibit. What type of attack would be mitigated by this configuration?

A. ARP spoofing
B. MAC spoofing
C. VLAN hopping
D. CDP manipulation
E. MAC flood attack
F. spanning tree compromises

Correct Answer: E
Section: Security
Explanation

Explanation/Reference:

QUESTION 168
Which statement is true about voice VLANs? *

A. The voice VLAN feature is enabled by default.
B. When the voice VLAN feature is enabled, all untagged voice and data traffic is sent through the voice VLAN.
C. The default CoS value is 1 for incoming voice and data traffic.
D. The IP phone overrides the priority of all incoming data traffic (tagged and untagged) and sets the CoS value to 0.

Correct Answer: D
Section: VoIP
Explanation

Explanation/Reference:
Explanation:
By default, a switch instructs an attached IP Phone to consider the PC port as untrusted. The phone will overwrite the CoS values to 0.

You can change the default CoS value using following command.

Switch(config-if)# switchport priority extend {cos <value> or trust}

QUESTION 169
Refer to the exhibit. Which configuration on the HSRP neighboring device ensures that it becomes the active HSRP device in the event that port fa1/1 on Switch_A goes down?

A. Switch_B(config-if)#ip address 10.10.10.2 255.255.255.0
   Switch_B(config-if)#standby 1 priority 200
   Switch_B(config-if)#standby 1 preempt
   Switch_B(config-if)#standby 1 ip 10.10.10.10
   Switch_B(config-if)#standby 1 track interface fa 1/1

B. Switch_B(config-if)#ip address 10.10.10.2 255.255.255.0
   Switch_B(config-if)#standby 1 priority 200
   Switch_B(config-if)#standby 1 ip 10.10.10.10

C. Switch_B(config-if)#ip address 10.10.10.2 255.255.255.0
   Switch_B(config-if)#standby 1 priority 195
   Switch_B(config-if)#standby 1 preempt
   Switch_B(config-if)#standby 1 ip 10.10.10.10

D. Switch_B(config-if)#ip address 10.10.10.2 255.255.255.0
   Switch_B(config-if)#standby 1 priority 190
   Switch_B(config-if)#standby 1 ip 10.10.10.10
   Switch_B(config-if)#standby 1 track interface fa 1/1

Correct Answer: C
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
Switch_B needs to ensure that its HSRP standby group 1 priority is lower than Switch_A's priority, i.e. less than 200. This is so that it does not become the Active router while the network is healthy. However, Switch_A is tracking its fa1/1 interface and will decrement its priority by 10 to 190 if it fails. Therefore, Switch_B must ensure its priority is higher than 190 to enable it to become the HSRP active device in this instance. Switch_B must also NOT be tracking its own fa1/1 interface, otherwise its own priority will simultaneously decrement and it will not become the HSRP active device even after a failure of the interface.

(B) is correct as it matches the above criteria.

(A) and (C) are not correct as Preempt must be configured for failover to occur on the basis of a change in HSRP priorities. (see http://www.cisco.com/en/US/tech/tk648/tk362/technologies_q_and_a_item09186a00800a9679.shtml#q6)

(D) is incorrect on the basis that fa1/1 on Switch_A is connected to fa1/1 on Switch_B, meaning both would reduce their priorities to 190 simultaneously in the event of an interface failure. As their relative priorities remain equal, the HSRP status will remain the same.
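The priority arithmetic in this explanation can be checked mechanically against the four Switch_B configurations in the order they are lettered in the question above. This is an added example, not part of the original question bank; Switch_A's priority of 200 and decrement of 10 are taken from the explanation, and the takeover rule (preempt plus a strictly higher priority) is a simplified model.

```python
# Added example. Switch_A's priority (200) and tracking decrement (10) come from
# the explanation above; the simplified takeover rule is an assumption.

SWITCH_A = {"priority": 200, "track": {"fa1/1": 10}}

# Switch_B as configured by each answer option, lettered as in the question.
# "standby 1 track interface fa 1/1" without a value uses the default decrement, 10.
OPTIONS = {
    "A": {"priority": 200, "preempt": True,  "track": {"fa1/1": 10}},
    "B": {"priority": 200, "preempt": False, "track": {}},
    "C": {"priority": 195, "preempt": True,  "track": {}},
    "D": {"priority": 190, "preempt": False, "track": {"fa1/1": 10}},
}


def effective_priority(cfg, down):
    """Configured priority minus the decrement of each tracked interface that is down."""
    return cfg["priority"] - sum(dec for ifc, dec in cfg["track"].items()
                                 if ifc in down)


def standby_takes_over(active, standby, down):
    """True if the standby router displaces an active router that is still running.

    Simplified rule: the standby needs preempt configured and a strictly
    higher effective priority than the current active router.
    """
    return (standby["preempt"] and
            effective_priority(standby, down) > effective_priority(active, down))


def evaluate(options=OPTIONS):
    """Evaluate every option for the failure of the fa1/1 link."""
    # fa1/1 on Switch_A is cabled to fa1/1 on Switch_B, so both see it go down.
    down = {"fa1/1"}
    results = {}
    for letter, switch_b in options.items():
        results[letter] = {
            "a_priority": effective_priority(SWITCH_A, down),
            "b_priority": effective_priority(switch_b, down),
            "b_becomes_active": standby_takes_over(SWITCH_A, switch_b, down),
            "b_standby_when_healthy":
                not standby_takes_over(SWITCH_A, switch_b, set()),
        }
    return results


if __name__ == "__main__":
    for letter, row in evaluate().items():
        print(letter, row)
```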

QUESTION 170
Refer to the exhibit. DHCP snooping is enabled for selected VLANs to provide security on the network. How do the switch ports handle the DHCP messages? *

A. Ports Fa2/1 and Fa2/2 source DHCP requests only. Port Fa3/1 is eligible to source all DHCP messages and respond to DHCP requests.
B. Ports Fa2/1 and Fa2/2 respond to DHCP requests only. Port Fa3/1 is eligible to source all DHCP messages.
C. Ports Fa2/1 and Fa2/2 are eligible to source all DHCP messages and respond to DHCP requests. Port Fa3/1 can source DHCP requests only.
D. All three ports, Fa2/1, Fa2/2, and Fa3/1, are eligible to source all DHCP messages and respond to DHCP requests.

Correct Answer: C
Section: Security
Explanation

Explanation/Reference:
# For DHCP source and req messages, terminology used are OFFER, REQUEST etc. (can't recollect the options completely)

QUESTION 171
Which three statements are true about routed ports on a multilayer switch? (Choose three)

A. A routed port can support VLAN subinterfaces.
B. A routed port will take an IP address assignment.
C. A routed port can be configured with routing protocols.
D. A routed port is a virtual interface on the multilayer switch.
E. A routed port is only associated with one VLAN.
F. A routed port is a physical interface on the multilayer switch.

Correct Answer: BCF
Section: Layer 3, ip routing
Explanation

Explanation/Reference:
Explanation:
The router must have a separate logical connection (subinterface) for each VLAN that is running between the switch and the router, and ISL or 802.1Q trunking must be enabled on the single physical connection between the router and switch.

QUESTION 172
Which three statements are true about CEF? (Choose three.)

A. The FIB table is derived from the IP routing table.
B. The adjacent table is derived from the ARP table.
C. CEF IP destination prefixes are stored in the TCAM table, from the least specific to the most specific entry.
D. When the CEF TCAM table is full, packets are dropped.
E. When the adjacency table is full, a CEF TCAM table entry points to the Layer 3 engine to redirect the adjacency.
F. The FIB lookup is based on the Layer 3 destination address prefix (shortest match).

Correct Answer: ABE
Section: Layer 3, ip routing
Explanation

Explanation/Reference:

QUESTION 173
With CEF, prefixes that require exception processing can be cached with one of which four special adjacencies? (Choose four)

A. Forward
B. Null
C. Glean
D. Kick
E. Discard
F. Drop

Correct Answer: BCEF
Section: Layer 3, ip routing
Explanation

Explanation/Reference:
Explanation:

Reference: http://www.cisco.com/en/US/docs/ios/12_1/switch/configuration/guide/xcdcef.html

QUESTION 174
Refer to the exhibit. Why are users from VLAN 100 unable to ping users on VLAN 200?

A. Encapsulation on the switch is wrong.
B. Trunking needs to be enabled on Fa0/1.
C. The native VLAN is wrong.
D. VLAN 1 needs the no shutdown command.
E. IP routing needs to be enabled on the switch.

Correct Answer: B
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
When a switch supports multiple VLANs but has no Layer 3 capability to route packets between those VLANs, the switch must be connected to a router external to the switch. This setup is most efficiently accomplished by providing a single trunk link between the switch and the router that can carry the traffic of multiple VLANs, which can in turn be routed by the router. That requires a trunk between the router and the switch, so trunking needs to be enabled on Fa0/1.

QUESTION 175
Refer to the exhibit. What problem is preventing users on VLAN 100 from pinging addresses on VLAN 200?

A. No default route on DLS1.
B. Encapsulation mismatch between switches.
C. Native VLAN mismatch.
D. Subinterfaces should be created on Fa0/7 and Fa0/8 on DLS1.
E. Trunking needs to be enabled.
F. The ip routing command is missing on DLS1.

Correct Answer: F
Section: Layer 3, ip routing
Explanation

Explanation/Reference:

QUESTION 176
Which two statements are true about trust boundaries? (Choose two.)

A. Classifying and marking traffic should be done as close to the traffic source as possible.
B. Classifying and marking traffic should be done at the distribution layer.
C. Traffic is classified and marked as it travels through the network.
D. If untrusted traffic enters a switch, it can be marked with a new QoS value appropriate for the policy in place.
E. The trust boundary moves depending on the type of traffic entering the network.

Correct Answer: AD
Section: Common
Explanation

Page 120: PrepKing - GRATIS EXAM · 2012. 3. 16. · B: The Spanning Tree Protocol (STP) is used to prevent loops within a bridged network. Each VLAN runs a separate instance of the STP and

Explanation/Reference:

QUESTION 177
Which three statements are true about DAI? (Choose three.)

A. DAI determines the validity of an ARP packet based on the valid MAC address-to-IP address bindings stored in the DHCP Snooping database.
B. DAI forwards all ARP packets received on a trusted interface without any checks.
C. DAI determines the validity of an ARP packet based on the valid MAC address-to-IP address bindings stored in the CAM table.
D. DAI forwards all ARP packets received on a trusted interface after verifying and inspecting the packet against the DAI table.
E. DAI intercepts all ARP packets on untrusted ports
F. DAI is used to prevent against a DHCP Snooping attack.

Correct Answer: ABE
Section: Security
Explanation

Explanation/Reference:
Explanation:
An attacker could send its own crafted ARP reply when it overhears an ARP request being broadcast. The reply could contain its own MAC address, causing the original requester to think that it is bound to the IP address in question. The requester would add the bogus ARP entry into its own ARP cache, only to begin forwarding packets to the spoofed MAC address. This type of attack is known as ARP spoofing.

DAI (Dynamic ARP Inspection) works like DHCP snooping. All switch ports are classified as trusted or untrusted. The switch intercepts and inspects all ARP packets that arrive on an untrusted port; no inspection is done on trusted ports.

When an ARP reply is received on an untrusted port, the switch checks the MAC and IP addresses reported in the reply packet against known and trusted values.

QUESTION 178
Refer to the exhibit. Which two statements are true? (Choose two.)

A. It is displaying the AutoQos configuration that was initially applied.
B. The switch does not trust the CoS values of a Cisco IP phone attached to port Fa0/3.
C. The show auto qos command shows the user-defined QoS settings.
D. The show auto qos command does not display user configuration changes currently in effect.
E. Interface Fa0/3 trusts all CoS values.
F. The trust boundary is not on this switch.

Correct Answer: AD
Section: VoIP
Explanation

Explanation/Reference:

QUESTION 179
A network administrator would like to configure 802.1x port-based authentication, however, the client workstation is not 802.1x compliant. What is the only supported authentication server that can be used?

A. TACACS with LEAP extensions
B. TACACS+
C. RADIUS with EAP extensions
D. LDAP

Correct Answer: C
Section: Security
Explanation

Explanation/Reference:
Explanation:
The IEEE 802.1x standard defines a port-based access control and authentication protocol that restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports. The authentication server authenticates each workstation that is connected to a switch port before making available any services offered by the switch or the LAN.

Until the workstation is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the workstation is connected. After authentication succeeds, normal traffic can pass through the port.

With 802.1x port-based authentication, the devices in the network have specific roles, as follows:

1. Client: The device (workstation) that requests access to the LAN and switch services, and responds to requests from the switch. The workstations must be running 802.1x-compliant client software, such as what is offered in Microsoft Windows XP operating systems.
2. Authentication server: Performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. The RADIUS security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server.

QUESTION 180
Refer to the exhibit. What happens when the switch SW2 is connected to the rest of the network in the VTP domain Lab_Network?

A. The recently introduced switch SW2 adds one more VLAN to the VLAN database in the VTP domain.
B. The recently introduced switch SW2 creates a STP loop in the VTP domain.
C. The recently introduced switch SW2 removes all configured VLANs throughout the VTP domain.
D. The recently introduced switch SW2 switches over to VTP transparent mode in order to be included into the VTP domain.
E. A trunk should be configured between the two switches in order to integrate SW2 into the VTP domain.

Correct Answer: C
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:

QUESTION 181
A standalone wireless AP solution is being installed into the campus infrastructure. The access points appear to boot correctly, however, wireless clients are not obtaining correct access. You verify that the local switch configuration connected to the access point appears as the following:

interface ethernet 0/1
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 mls qos trust dscp

What is the most likely issue causing the problem? *

A. QoS trust should not be configured on a port attached to a standalone AP.
B. QoS trust for switchport mode access should be defined as "cos".
C. switchport mode should be defined as "trunk" with respective QoS.
D. switchport access vlan should be defined as "1".

Correct Answer: C
Section: Wireless
Explanation

Explanation/Reference:

QUESTION 182
Wireless has been operating correctly in the campus infrastructure. After the wireless controllers are upgraded from LWAPP to CAPWAP, access points no longer boot and operate normally. What is the most likely issue causing this problem?

A. VLAN assignments
B. DHCP option 43
C. PoE
D. ACL
E. QoS

Correct Answer: D
Section: Wireless
Explanation

Explanation/Reference:

QUESTION 183
A network is deployed using best practices of the enterprise campus network model, including users with desktop computers connected via IP phones. Given that all components are QoS-capable, where are the two optimal locations for trust boundaries to be configured by the network administrator? (Choose two.) *

A. host
B. IP phone
C. access layer switch
D. distribution layer switch
E. core layer switch

Correct Answer: BC
Section: VoIP
Explanation

Explanation/Reference:
verified to be on test 9/30/2011

QUESTION 184
During voice implementation, which two required items are configured at an access layer switch connected to an IP phone to provide VoIP communication? (Choose two.) *

A. allowed codecs
B. native VLAN
C. auxiliary VLAN
D. Cisco Unified Communications Manager IP address
E. RSTP

Correct Answer: BC
Section: VoIP
Explanation

Explanation/Reference:
verified to be on test 9/30/2011

QUESTION 185
Which two items are most important for managing the long-term success of high availability? (Choose two.)

A. completing aggressive implementation schedule
B. Stateful Switchover
C. company and user expectations
D. Nonstop Forwarding
E. change control processes
F. dual devices and dual links

Correct Answer: CE
Section: Common
Explanation

Explanation/Reference:

QUESTION 186
When planning high availability, which two components are important to minimize the effect of outages? (Choose two.)

A. work staff attributes, such as skills and communication
B. redundancy, to prevent single points of failure
C. processes, such as documentation, change control, and labs
D. appropriate technology, such as hardware and software
E. tools, such as those for monitoring and reporting

Correct Answer: BD
Section: Common
Explanation

Explanation/Reference:

QUESTION 187
Which item is the most important factor during deployment of high-availability features?

A. Test major changes before deployment and defer minor changes until during deployment.
B. Document and verify rollback procedures.
C. Ensure consistency of code versions across the network.
D. Progressively modify procedures and documentation during implementation.

Correct Answer: B
Section: Common
Explanation

Explanation/Reference:

QUESTION 188
Which two statements best describe Cisco IOS IP SLA? (Choose two.) *

A. only implemented between Cisco source and destination-capable devices
B. statistics provided by syslog, CLI, and SNMP
C. measures delay, jitter, packet loss, and voice quality
D. only monitors VoIP traffic flows
E. provides active monitoring
F. provides passive monitoring

Correct Answer: CE
Section: VoIP
Explanation

Explanation/Reference:

QUESTION 189
Which two items best describe a Cisco IOS IP SLA responder? (Choose two.)

A. required at the destination to implement Cisco IOS IP SLA services
B. improves measurement accuracy
C. required for VoIP jitter measurements
D. provides security on Cisco IOS IP SLA messages via LEAP or EAP-FAST authentication
E. responds to one Cisco IOS IP SLA operation per port
F. stores the resulting test statistics

Correct Answer: BC
Section: VoIP
Explanation

Explanation/Reference:

QUESTION 190
To initiate testing, which port does a Cisco IOS IP SLA source use to send a control message to an IP SLA responder?

A. UDP port 2020
B. UDP port 1967
C. TCP port 2020
D. ICMP port 1967

Correct Answer: B
Section: VoIP
Explanation

Explanation/Reference:

QUESTION 191
Cat6500(config)# router ospf 1
Cat6500(config-router)# network 0.0.0.0 255.255.255.255 area 0
Cat6500(config-router)# nsf
Cat6500(config-router)# end

Refer to the exhibit. The configuration is used to enable nonstop forwarding for OSPF on a Catalyst 6500 Series Switch with redundant supervisor engines.

The default CEF configuration is unchanged. After testing, user traffic is interrupted and NSF is not operational. What is the most likely reason?

A. CEF was not properly configured.
B. OSPF was not properly configured for graceful restart.
C. Stateful switchover was not correctly configured.
D. NSF for OSPF is only supported in area 0.

Correct Answer: C
Section: Layer 3, ip routing
Explanation

Explanation/Reference:

QUESTION 192
You are tasked with designing a security solution for your network. What information should be gathered prior to designing the solution?

A. IP addressing design plans so that the network can be appropriately segmented to mitigate potential network threats
B. a list of the customer requirements
C. detailed security device specifications
D. results from pilot network testing

Correct Answer: B
Section: Common
Explanation

Explanation/Reference:

QUESTION 193
You are tasked with designing a security solution for your network. What information should be gathered prior to designing the solution?

A. IP addressing design plans so that the network can be appropriately segmented to mitigate potential network threats
B. detailed security device specifications
C. results from pilot network testing
D. results from a network audit

Correct Answer: D
Section: Common
Explanation

Explanation/Reference:

QUESTION 194
You are tasked with designing a security solution for your network. What information should be gathered prior to designing the solution?

A. a list of applications currently in use in the network
B. IP addressing design plans so that the network can be appropriately segmented to mitigate potential network threats
C. detailed security device specifications
D. results from pilot network testing

Correct Answer: A
Section: Common
Explanation

Explanation/Reference:

QUESTION 195
Which two are needed components when designing and implementing a security solution? (Choose two.)

A. detailed VLAN information
B. an incident response plan
C. results of testing the new network configuration
D. an existing hierarchical network topology
E. a security policy for your organization

Correct Answer: BE
Section: Common
Explanation

Explanation/Reference:

QUESTION 196
Which two components should be part of a security implementation plan? (Choose two.)

A. detailed list of personnel assigned to each task within the plan
B. a Layer 2 spanning tree design topology
C. rollback guidelines
D. placing all unused access ports in VLAN 1 to proactively manage port security
E. enabling SNMP access to Cisco Discovery Protocol data for logging and forensic analysis

Correct Answer: BC
Section: Common
Explanation

Explanation/Reference:

QUESTION 197
When creating a network security solution, which two pieces of information should you have previously obtained to assist in designing the solution? (Choose two.)

A. a list of existing network applications currently in use on the network
B. network audit results to uncover any potential security holes
C. a planned Layer 2 design solution
D. a proof-of-concept plan
E. device configuration templates

Correct Answer: AB
Section: Common
Explanation

Explanation/Reference:

QUESTION 198
What action should you be prepared to take when verifying a security solution?

A. having alternative addressing and VLAN schemes
B. having a rollback plan in case of unwanted or unexpected results
C. running a test script against all possible security threats to insure that the solution will mitigate all potential threats
D. isolating and testing each security domain individually to insure that the security design will meet overall requirements when placed into production as an entire system

Correct Answer: B
Section: Common
Explanation

Explanation/Reference:

QUESTION 199
What is needed to verify that a newly implemented security solution is performing as expected?

A. a detailed physical and logical topology
B. a cost analysis of the implemented solution
C. detailed logs from the AAA and SNMP servers
D. results from audit testing of the implemented solution

Correct Answer: D
Section: Common
Explanation

Explanation/Reference:

QUESTION 200
What is an important step to take when verifying a newly proposed network security solution?

A. Test the design on a pilot network for expected results prior to implementing on the production network.
B. Run a network audit to determine types of traffic in use on the network.
C. Launch campus updates into the production network and monitor impact to see if configuration changes are needed.
D. Create an interruption of data flow to determine test "back-door" access methods.

Correct Answer: A
Section: Common
Explanation

Explanation/Reference:

QUESTION 201
When configuring port security on a Cisco Catalyst switch port, what is the default action taken by the switch if a violation occurs?

A. protect (drop packets with unknown source addresses)
B. restrict (increment SecurityViolation counter)
C. shutdown (access or trunk port)
D. transition (the access port to a trunking port)

Correct Answer: C
Section: Security
Explanation

Explanation/Reference:

QUESTION 202
When you enable port security on an interface that is also configured with a voice VLAN, what is the maximum number of secure MAC addresses that should be set on the port?

A. No more than one secure MAC address should be set.
B. The default will be set.
C. The IP phone should use a dedicated port, therefore only one MAC address is needed per port.
D. No value is needed if the switchport priority extend command is configured.
E. No more than two secure MAC addresses should be set.

Correct Answer: E
Section: Security
Explanation

Explanation/Reference:
personally verified on production equipment -nonentity

QUESTION 203
Refer to the exhibit. From the configuration shown, what can be determined?

A. The sticky addresses will only be those manually configured MAC addresses enabled with the sticky keyword.
B. The remaining secure MAC addresses will be dynamically learned, converted to sticky secure MAC addresses, and added to the running configuration.
C. Since a voice VLAN is configured in this example, port security should be set for a maximum of 2.
D. A security violation will restrict the number of addresses to a maximum of 10 addresses per access VLAN and voice VLAN. The port will be shut down if more than 10 devices per VLAN attempt to access the port.

Correct Answer: B
Section: Security
Explanation

Explanation/Reference:

QUESTION 204
hostname Switch1
interface Vlan10
 ip address 172.16.10.32 255.255.255.0
 no ip redirects
 standby 1 ip 172.16.10.110
 standby 1 timers 1 5
 standby 1 priority 130

hostname Switch2
interface Vlan10
 ip address 172.16.10.33 255.255.255.0
 no ip redirects
 standby 1 ip 172.16.10.110
 standby 1 timers 1 5
 standby 1 priority 120

HSRP was implemented and configured on two switches while scheduled network maintenance was performed.

After the two switches have finished rebooting, you notice via show commands that Switch2 is the HSRP active router. Which two items are most likely the cause of Switch1 not becoming the active router? (Choose two.) *

A. booting delays
B. standby group number does not match VLAN number
C. IP addressing is incorrect
D. preemption is disabled
E. incorrect standby timers
F. IP redirect is disabled

Correct Answer: AD
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:

QUESTION 205
hostname Switch1
interface Vlan10
 ip address 172.16.10.32 255.255.255.0
 no ip redirects
 standby 1 ip 172.16.10.110
 standby 1 timers msec 200 msec 700
 standby 1 preempt

hostname Switch2
interface Vlan10
 ip address 172.16.10.33 255.255.255.0
 no ip redirects
 standby 1 ip 172.16.10.110
 standby 1 timers msec 200 msec 750
 standby 1 priority 110
 standby 1 preempt

hostname Switch3
interface Vlan10
 ip address 172.16.10.34 255.255.255.0
 no ip redirects
 standby 1 ip 172.16.10.110
 standby 1 timers msec 200 msec 750
 standby 1 priority 150
 standby 1 preempt

Refer to the exhibit. Three switches are configured for HSRP. Switch1 remains in the HSRP listen state. What is the most likely cause of this status?

A. this is normal operation
B. standby group number does not match VLAN number
C. IP addressing is incorrect
D. incorrect priority commands
E. incorrect standby timers

Correct Answer: A
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:

QUESTION 206
Three Cisco Catalyst switches have been configured with a first-hop redundancy protocol. While reviewing some show commands, debug output, and the syslog, you discover the following information:

Jan 9 08:00:42.623: %STANDBY-6-STATECHANGE: Standby: 49:Vlan149 state Standby -> Active
Jan 9 08:00:56.011: %STANDBY-6-STATECHANGE: Standby: 49:Vlan149 state Active -> Speak
Jan 9 08:01:03.011: %STANDBY-6-STATECHANGE: Standby: 49:Vlan149 state Speak -> Standby
Jan 9 08:01:29.427: %STANDBY-6-STATECHANGE: Standby: 49:Vlan149 state Standby -> Active
Jan 9 08:01:36.808: %STANDBY-6-STATECHANGE: Standby: 49:Vlan149 state Active -> Speak
Jan 9 08:01:43.808: %STANDBY-6-STATECHANGE: Standby: 49:Vlan149 state Speak -> Standby

What conclusion can you infer from this information?

A. VRRP is initializing and operating correctly.
B. HSRP is initializing and operating correctly.
C. GLBP is initializing and operating correctly.
D. VRRP is not properly exchanging three hello messages.
E. HSRP is not properly exchanging three hello messages.
F. GLBP is not properly exchanging three hello messages.

Correct Answer: E
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
Devices that are running HSRP send and receive multicast UDP-based hello messages to detect router failure and to designate active and standby routers. Active, Standby, Speak, Listen, and Init (or Disabled) are among the states of HSRP.

Each HSRP router maintains three timers that are used for timing hello messages: an active timer, a standby timer, and a hello timer. When a timer expires, the router changes to a new HSRP state. The error shown in the exhibit is due to a configuration mismatch, so the HSRP hello messages used to select the active and standby routers are not being exchanged properly.

QUESTION 207
By itself, what does the command aaa new-model enable?

A. It globally enables AAA on the switch, with default lists applied to the VTYs.
B. Nothing; you must also specify which protocol (RADIUS or TACACS) will be used for AAA.
C. Enables AAA on all dot1x ports.
D. Nothing; you must also specify where (console, TTY, VTY, dot1x) AAA is being applied.

Correct Answer: A
Section: Security
Explanation

Explanation/Reference:

QUESTION 208
You are implementing basic switch security best practices. Which of these is a tactic that you can use to mitigate compromises from being launched through the switch?

A. Make all ports private VLAN ports.
B. Place all unused ports in native VLAN 1 until needed.
C. Proactively configure unused switch ports as access ports.
D. Disable Cisco Discovery Protocol globally.

Correct Answer: C
Section: Security
Explanation

Explanation/Reference:

QUESTION 209
What are three results of issuing the "switchport host" command? (Choose three.) *

A. disables EtherChannel
B. enables port security
C. disables Cisco Discovery Protocol
D. enables PortFast
E. disables trunking
F. enables loopguard

Correct Answer: ADE
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:

QUESTION 210
Private VLANS can be configured as which three of these port types? (Choose three.)

A. isolated
B. protected
C. private
D. associated
E. promiscuous
F. community

Correct Answer: AEF
Section: Security
Explanation

Explanation/Reference:

QUESTION 211
When configuring private VLANs, which configuration task must you do first?

A. Configure the private VLAN port parameters.
B. Configure and map the secondary VLAN to the primary VLAN.
C. Disable IGMP snooping.
D. Set the VTP mode to transparent.

Correct Answer: D
Section: Security
Explanation

Explanation/Reference:

QUESTION 212
Refer to the exhibit. From the configuration shown, what can you determine about the private VLAN configuration? *

A. Only VLAN 503 will be the community PVLAN because multiple community PVLANs are not allowed.
B. Users of VLANs 501 and 503 will be able to communicate.
C. VLAN 502 is a secondary VLAN.
D. VLAN 502 will be a standalone VLAN because it is not associated with any other VLANs.

Correct Answer: C
Section: Security
Explanation

Explanation/Reference:

QUESTION 213
Refer to the exhibit.

Consider the following scenario:
Packet A is a TCP packet from host 10.2.2.2, port 65000, going to host 10.1.1.1 on the SMTP port. Assuming that this ACL is properly applied on the switch, if this packet is fragmented, which two of the following statements are true, based on the configuration shown in the exhibit? (Choose two.)

A. The first fragment matches the first ACE (access control entry) because it contains all the Layer 3 information required by the ACE.
B. The first fragment matches the first ACE (access control entry) as if it were a complete packet because all Layer 4 information is present.
C. The remaining fragments also contain the needed Layer 4 information and will be permitted.
D. The remaining fragments also match the first ACE, even though they do not contain the Layer 4 port information, because the first ACE (access control entry) only checks Layer 3 information when applied to fragments.
E. The remaining fragments will be dropped because the needed Layer 4 information is missing in fragmented packets. An additional established keyword needs to be added to the ACE.

Correct Answer: BD
Section: Security
Explanation

Explanation/Reference:

QUESTION 214
Refer to the exhibit.

Consider the following scenario:
A packet sourced from host 10.2.2.2, port 65001, is going to host 10.1.1.2 on the Telnet port. Assuming that this ACL is properly applied on the switch, if this packet is fragmented, which of the following conditions will result, based upon the access list shown in the exhibit?

A. Because the first fragment is denied, host 10.1.1.2 cannot reassemble a complete packet, and a TCP reset is sent to the source host, informing the host to stop sending additional traffic.
B. All fragments will be denied due to the Layer 4 requirement of the ACE.
C. The remaining fragments in the packet do not match the second ACE because they are missing Layer 4 information. Instead, they match the third ACE (a permit).
D. The source host on 10.2.2.2 will not receive an acknowledgement reply to the initial Telnet packet from host 10.1.1.2. Therefore, the host will abort the attempted Telnet session.

Correct Answer: C
Section: Security
Explanation

Explanation/Reference:

QUESTION 215
Which of these is true regarding the configuration and application of port access control lists?

A. PACLs can be applied in the inbound or outbound direction of a Layer 2 physical interface.
B. At Layer 2, a MAC address PACL will take precedence over any existing Layer 3 PACL.
C. When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port.
D. PACLs are not supported on EtherChannel interfaces.

Correct Answer: C
Section: Security
Explanation

Explanation/Reference:

QUESTION 216
Refer to the exhibit. Which of these is true based upon the output shown in the command?

A. If the number of devices attempting to access the port exceeds 11, the port will shut down for 20 minutes, as configured.
B. The port has security enabled and has shut down due to a security violation.
C. The port is operational and has reached its configured maximum allowed number of MAC addresses.
D. The port will allow access for 11 MAC addresses in addition to the 3 configured MAC addresses.

Correct Answer: C
Section: Security
Explanation

Explanation/Reference:

QUESTION 217
Switch# show ip sla application
IP SLAs

Version: 2.2.0 Round Trip Time MIB, Infrastructure Engine-II
Time of last change in whole IP SLAs: 22:17:39.117 UTC Fri Jun
Estimated system max number of entries: 15801

Estimated number of configurable operations: 15801
Number of Entries configured: 0
Number of active Entries: 0
Number of pending Entries: 0
Number of inactive Entries: 0

Supported Operation Types
Type of Operation to Perform: 802.1agEcho
Type of Operation to Perform: 802.1agJitter
Type of Operation to Perform: dhcp
Type of Operation to Perform: dns
Type of Operation to Perform: echo
Type of Operation to Perform: ftp
Type of Operation to Perform: http
Type of Operation to Perform: jitter
Type of Operation to Perform: pathEcho
Type of Operation to Perform: pathJitter
Type of Operation to Perform: tcpConnect
Type of Operation to Perform: udpEcho

IP SLAs low memory water mark: 21741224

Refer to the exhibit. What best describes the Cisco IOS IP SLA command and output in the exhibit?

A. verifies which operation types have been enabled for IP SLA responder.
B. verifies which operation types have been enabled for IP SLA source.
C. verifies which operation types are supported in software.
D. verifies enabled operation types that are not running.

Correct Answer: C
Section: Security
Explanation

Explanation/Reference:

QUESTION 218
Which statement best describes first-hop redundancy protocol status, given the command output in the exhibit? *

Switch# show ip arp

Protocol  Address          Age(min)  Hardware Addr   Type  Interface
Internet  172.16.233.229             0000.0c59.f892  ARPA  Vlan10
Internet  172.16.233.218             0000.0c63.1300  ARPA  Vlan10
Internet  172.16.233.19              0000.0c07.ac0b  ARPA  Vlan10

A. The first-hop redundancy protocol is not configured for this interface.
B. HSRP is configured for group 10.
C. HSRP is configured for group 11.
D. VRRP is configured for group 10.
E. VRRP is configured for group 11.
F. GLBP is configured with a single AVF.

Correct Answer: C
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
The MAC address will be a virtual MAC address of the form 0000.0C07.ACxy, where xy is the HSRP group number in hexadecimal based on the respective interface. In the following line, the xy value is 0b, which means the virtual group is 11.

Internet 172.16.233.19 - 0000.0c07.ac0b ARPA Vlan10

So the answer "HSRP is configured for group 11" is correct.

QUESTION 219
Which statement best describes implementing a Layer 3 EtherChannel?

A. EtherChannel is a Layer 2 and not a Layer 3 feature.
B. Implementation requires switchport mode trunk and matching parameters between switches.
C. Implementation requires disabling switchport mode.
D. A Layer 3 address is assigned to the channel-group interface.

Correct Answer: C
Section: Etherchannel
Explanation

Explanation/Reference:

QUESTION 220
What benefit results from implementation of Layer 3 switching versus Layer 2 switching in a fully meshed campus network?

A. ease of IP address assignment versus use of external routers
B. redundancy from trunking between distribution layer switches
C. provides first-hop redundancy to clients
D. allows inter-VLAN communication without requiring complexity of routing protocols

Correct Answer: C
Section: Common
Explanation

Explanation/Reference:

QUESTION 221
When configuring a routed port on a Cisco multilayer switch, which of these is a required configuration task that you must perform to enable that port to function as a routed port?

A. Enable the switch to participate in routing updates from external devices with the router command in global configuration mode.
B. Enter the no switchport command to disable Layer 2 functionality at the interface level.
C. Each port participating in routing of Layer 3 packets must have an IP routing protocol assigned on a per-interface level.
D. Routing is enabled by default on a multilayer switch, so the port can become a Layer 3 routing interface by assigning the appropriate IP address and subnet information.

Correct Answer: B
Section: Layer 3, ip routing
Explanation

Explanation/Reference:

QUESTION 222
What is true of standard access control lists when applied to an interface to control inbound or outbound traffic?

A. The best match of the ACL entries will be used for granularity of control.
B. They use source IP information for matching operations.
C. They use source and destination IP information for matching operations.
D. They use source IP information along with protocol-type information for finer granularity of control.

Correct Answer: B
Section: Security
Explanation

Explanation/Reference:

QUESTION 223
You have configured a Cisco Catalyst switch to perform Layer 3 routing via an SVI and have assigned that interface to VLAN 20. To check the status of the SVI, you issue the show interfaces vlan 20 command at the CLI prompt. You see from the output display that the interface is in an "up/up" state. What must be true in an SVI configuration to bring the VLAN and line protocol up? *

A. The port must be physically connected to another Layer 3 device.
B. At least one port in VLAN 20 must be active.
C. The Layer 3 routing protocol must be operational and receiving routing updates from neighboring peer devices.
D. Because this is a virtual interface, the operational status will always be in an "up/up" state.

Correct Answer: B
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:

QUESTION 224
Refer to the exhibit. You have configured an interface to be an SVI for Layer 3 routing capabilities. Assuming that all VLANs have been correctly configured and based on the configuration example shown, what can be determined?

A. Interface gigabitethernet0/2 will be excluded from Layer 2 switching and enabled for Layer 3 routing.
B. The command switchport autostate exclude should be entered in global configuration mode, not sub-interface mode, to enable a Layer 2 port to be configured for Layer 3 routing.
C. The configured port is excluded in the calculation of the status of the SVI.
D. The interface is missing IP configuration parameters; therefore, it will only function at Layer 2.

Correct Answer: C
Section: Layer 3, ip routing
Explanation

Explanation/Reference:

QUESTION 225
A new building has been added to the enterprise campus network, providing client access for desktop PCs, laptops, and IP phones for employees and guests. During verification, only a few laptops using wireless are reported to have problems, while other desktops, IP phones, and most other wireless laptops are fully operational. Additional information received about the problem indicates that, while the problematic wireless laptops cannot reach internal corporate websites, they can reach the Internet.

Where should troubleshooting about this connectivity issue be focused?

A. client network configuration
B. VLAN mapping
C. routing protocols
D. first-hop redundancy protocol

Correct Answer: A
Section: Common
Explanation

Explanation/Reference:

QUESTION 226
A new floor has been added to the enterprise campus network, providing client access for desktop PCs, laptops, and IP phones for employees and guests. During verification, a few desktop PCs have limited corporate access but not Internet access. Most other desktop PCs, all laptops, and IP phones are working correctly. Additional information indicates that the desktop PCs are obtaining IP host addresses from the DHCP server, which is intended for only the IP phones.

Where should troubleshooting about this connectivity issue be focused?

A. client network configuration
B. VLAN mapping
C. DHCP server and options
D. DNS
E. routing protocols
F. first-hop redundancy protocol

Correct Answer: B
Section: Common
Explanation

Explanation/Reference:
Explanation:
The private vlan mapping maps the secondary VLANs to the Layer 3 VLAN interface of a primary VLAN to allow Layer 3 switching of private-VLAN ingress traffic.

QUESTION 227
Refer to the exhibit. From the configuration sample shown of a Cisco Catalyst 3560 Series Switch, what can you determine regarding Layer 3 routing functionality of the interface?

A. The interface is configured correctly for Layer 3 routing capabilities.
B. The interface needs an additional configuration entry to enable IP routing protocols.
C. The interface subcommand ip routing is required to enable IP routing on the interface.
D. An SVI interface is required to enable IP routing for network 192.20.135.0.

Correct Answer: A
Section: Layer 3, ip routing
Explanation

Explanation/Reference:

QUESTION 228
Refer to the exhibit. Based on the configuration shown, which two statements are correct regarding this Layer 3 security configuration example? (Choose two.)

A. Static IP source binding can only be configured on a routed port.
B. Source IP and MAC filtering on VLANs 10 and 11 will occur.
C. DHCP snooping will be automatically enabled on the access VLANs.
D. IP Source Guard is enabled.
E. The switch will drop the configured MAC and IP address source bindings and forward all other traffic.

Correct Answer: BD
Section: Security
Explanation

Explanation/Reference:

QUESTION 229
Refer to the exhibit. Based upon the output shown, what can you determine?

A. Cisco Express Forwarding load balancing has been disabled.
B. SVI VLAN 30 connects directly to the 10.1.30.0/24 network due to a valid glean adjacency.
C. VLAN 30 is not operational due to the fact that there are no packet or byte counts indicated.
D. The IP Cisco Express Forwarding configuration is capable of supporting IPv6.

Correct Answer: B
Section: Layer 3, ip routing
Explanation

Explanation/Reference:

QUESTION 230
Refer to the exhibit. Based on the output of the show command, what can you determine regarding EIGRP routing being performed by the switch? *

A. There are 20 neighbors in the EIGRP neighbor table.
B. EIGRP is running normally and receiving IPv4 routing updates.
C. EIGRP status cannot be determined. The command show ip eigrp topology would determine the routing protocol status.
D. The switch has not established any neighbor relationships. Further network testing and troubleshooting must be performed to determine the cause of the problem.

Correct Answer: D
Section: Layer 3, ip routing
Explanation

Explanation/Reference:

QUESTION 231
Which three of the following are organizational objectives that should be addressed when developing a new VLAN implementation plan? (Choose three.)

A. determining budget
B. improving customer support
C. improving QoS
D. increasing competitiveness
E. network management
F. reducing costs

Correct Answer: BDF
Section: Common
Explanation

Explanation/Reference:

QUESTION 232
What is the result of entering the command "port-channel load-balance src-dst-ip" on an EtherChannel link?

A. Packets are distributed across the ports in the channel based on both the source and destination MAC addresses.
B. Packets are distributed across the ports in the channel based on both the source and destination IP addresses.
C. Packets are balanced across the ports in the channel based first on the source MAC address, then on the destination MAC address, then on the IP address.
D. Packets are distributed across the access ports in the channel based first on the source IP address and then the destination IP addresses.

Correct Answer: B
Section: Etherchannel
Explanation

Explanation/Reference:

QUESTION 233
What is the result of entering the command spanning-tree loopguard default?

A. The command enables both loop guard and root guard.
B. The command changes the status of loop guard from the default of disabled to enabled.
C. The command activates loop guard on point-to-multipoint links in the switched network.
D. The command will disable EtherChannel guard.

Correct Answer: B
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 234
A remote host can be pinged from all switches except one. Which of the following is the most likely reason for this failure?

A. VTP pruning has isolated the switch.
B. IP routing is disabled on the switch.
C. PoE is failing on the remote port.
D. There is a loop in the topology.

Correct Answer: B
Section: Layer 3, ip routing
Explanation

Explanation/Reference:

QUESTION 235
What does the interface subcommand "switchport voice vlan 222" indicate?

A. The port is configured for both data and voice traffic.
B. The port is fully dedicated to forwarding voice traffic.
C. The port will operate as an FXS telephony port.
D. Voice traffic will be redirected to VLAN 222.

Correct Answer: A
Section: VoIP
Explanation

Explanation/Reference:

QUESTION 236
Which Cisco IOS command globally enables port-based authentication on a switch?

A. aaa port-auth enable
B. radius port-control enable
C. dot1x system-auth-control
D. switchport aaa-control enable

Correct Answer: C
Section: Security
Explanation

Explanation/Reference:

QUESTION 237
During testing of network redundancy in a fully meshed enterprise campus, a problem has been reported. Both distribution multilayer switches are fully configured for redundancy; clients operate normally when the primary multilayer distribution switch is operating. All clients drop connections outside of their respective access layer group when the primary distribution switch is shut down and the secondary distribution switch is still operational. Additional information indicates that the secondary distribution switch is able to ping major corporate and Internet locations. Which item would be the best point of troubleshooting for this connectivity issue?

A. client network configuration
B. VLAN mapping
C. inter-switch trunk configuration
D. UDLD configuration
E. first-hop redundancy protocol

Correct Answer: E
Section: Common
Explanation

Explanation/Reference:

QUESTION 238
What network information do you need when you plan to implement a VLAN-based solution?

A. default VLAN information for all unused switch ports
B. 802.1x configuration parameters
C. number of IP subnets needed
D. IP routing protocol information

Correct Answer: C
Section: Common
Explanation

Explanation/Reference:

QUESTION 239
You are planning a new VLAN-based network solution. What is one item you should consider when creating your implementation plan as it concerns VLANs?

A. generic router and switch configuration parameters
B. end-to-end test plan after all components have been installed and configured
C. administrator assignments
D. rollback plan

Correct Answer: D
Section: Common
Explanation

Explanation/Reference:

QUESTION 240
When you create a network implementation VLAN solution, what is one procedure that you should include in your plan? *

A. Perform an incremental implementation of components.
B. Following the PPDIOO model, implement the entire solution and then test end-to-end to make sure that it is performing as designed.
C. Implement trunking of all VLANs to ensure that traffic is crossing the network as needed before performing any pruning of VLANs.
D. Test the solution on a segmented portion of a lab network prior to rolling out across the entire network.

Correct Answer: A
Section: Common
Explanation

Explanation/Reference:

QUESTION 241
What is a critical piece of information that you should have when creating a VLAN-based implementation plan?

A. approval from senior management
B. end-user requirements
C. IEEE 802.1X authentication parameters
D. a summary implementation plan

Correct Answer: D
Section: Common
Explanation

Explanation/Reference:

QUESTION 242
You have just created a new VLAN on your network. What is one step that you should include in your VLAN-based implementation and verification plan?

A. Verify that different native VLANs exist between two switches for security purposes.
B. Verify that the VLAN was added on all switches with the use of the show vlan command.
C. Verify that the switch is configured to allow for trunking on the switch ports.
D. Verify that each switch port has the correct IP address space assigned to it for the new VLAN.

Correct Answer: B
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:

QUESTION 243
You have just created a new VLAN on your network. What is one step that you should include in your VLAN-based implementation and verification plan?

A. Verify that trunked links are configured to allow the VLAN traffic.
B. Verify that the switch is configured to allow for trunking on the switch ports.
C. Verify that each switch port has the correct IP address space assigned to it for the new VLAN.
D. Verify that different native VLANs exist between two switches for security purposes.

Correct Answer: A
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:

QUESTION 244
You have just created a new VLAN on your network for inter-VLAN routing. What is one step that you should include in your VLAN-based implementation and verification plan?

A. Verify that different native VLANs exist between two switches for security purposes.
B. Verify that the switch is configured to allow for trunking on the switch ports.
C. Verify that each switch port has the proper IP address space assigned to it for the new VLAN.
D. Verify that the VLAN virtual interface has been correctly created and enabled.

Correct Answer: D
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:

QUESTION 245
A switch that is to be added to the production network has been preconfigured (trunks, VLANs, VTP, and STP) and was tested in your lab. After installing the switch into the network, the entire network went down. What might explain what happened?

A. The new switch happened to be running Cisco Catalyst operating system, while the other network switches were running Cisco IOS Software.
B. The configuration revision of the new switch was higher than the configuration revision of the production VTP domain.
C. The link costs on the new switch are set to a high value, causing all ports on the new switch to go into a forwarding mode and none into blocking mode, thereby causing a spanning-tree loop.
D. The ports connecting to the two switches have been configured incorrectly. One side has the command switchport mode access and the other switchport mode trunk.

Correct Answer: B
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:

QUESTION 246
Which two of the following steps are necessary to configure inter-VLAN routing between multilayer switches? (Choose two.) *

A. Configure a dynamic routing protocol.
B. Configure SVI interfaces with IP addresses and subnet masks.
C. Configure switch ports with network addresses.
D. Configure switch ports with the autostate exclude command.
E. Document the MAC addresses of the switch ports.

Correct Answer: AB
Section: Layer 3, ip routing
Explanation

Explanation/Reference:

QUESTION 247
Which two of the following statements describe a routed switch port on a multilayer switch? (Choose two.)

A. Layer 2 switching and Layer 3 routing are mutually supported.
B. The port will not be associated with any VLAN.
C. The routed switch port supports VLAN subinterfaces.
D. The routed switch port is used when a switch has only one port per VLAN or subnet.
E. The routed switch port ensures that STP remains in the forwarding state.

Correct Answer: BD
Section: Layer 3, ip routing
Explanation

Explanation/Reference:

QUESTION 248
Which two statements correctly describe VTP? (Choose two.) *

A. Transparent mode always has a configuration revision number of 0.
B. Transparent mode cannot modify a VLAN database.
C. Client mode cannot forward received VTP advertisements.
D. Client mode synchronizes its VLAN database from VTP advertisements.
E. Server mode can synchronize across VTP domains.

Correct Answer: AD
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:

QUESTION 249
Which two DTP modes will permit trunking between directly connected switches? (Choose two.)

A. dynamic desirable (VTP domain A) to dynamic desirable (VTP domain A)
B. dynamic desirable (VTP domain A) to dynamic desirable (VTP domain B)
C. dynamic auto (VTP domain A) to dynamic auto (VTP domain A)
D. dynamic auto (VTP domain A) to dynamic auto (VTP domain B)
E. dynamic auto (VTP domain A) to nonegotiate (VTP domain A)
F. nonegotiate (VTP domain A) to nonegotiate (VTP domain B)

Correct Answer: AF
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:

QUESTION 250
Which two RSTP port roles include the port as part of the active topology? (Choose two.)

A. root
B. designated
C. alternate
D. backup
E. forwarding
F. learning

Correct Answer: AB
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 251
Which two statements correctly describe characteristics of the PortFast feature? (Choose two.) *

A. STP will be disabled on the port.
B. PortFast can also be configured on trunk ports.
C. PortFast is required to enable port-based BPDU guard.
D. PortFast is used for both STP and RSTP host ports.
E. PortFast is used for STP-only host ports.

Correct Answer: BD
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 252
Which statement correctly describes enabling BPDU guard on an access port that is also enabled for PortFast?*

A. Upon startup, the port transmits 10 BPDUs. If the port receives a BPDU, PortFast and BPDU guard are disabled on that port and it assumes normal STP operation.
B. The access port ignores any received BPDU.
C. If the port receives a BPDU, it is placed into the error-disable state.
D. BPDU guard is only configured globally and the BPDU filter is required for port-level configuration.

Correct Answer: C
Section: SpanningTree
Explanation

Explanation/Reference:
The PortFast BPDU guard feature prevents loops by moving a nontrunking (access) port into an errdisable state when a BPDU is received on that port.

QUESTION 253
Which two statements correctly describe UDLD? (Choose two.)

A. Unidirectional link detection is achieved through monitoring STP BPDUs.
B. It is recommended that it be enabled globally rather than on an individual port.
C. It is recommended that it be used with the loop guard feature.
D. It is recommended that it be enabled in normal mode.
E. When an error is detected, normal mode will disable a port.

Correct Answer: BC
Section: UDLD
Explanation

Explanation/Reference:
Explanation:
UDLD is a Layer 2 protocol that enables devices connected through fiber-optic or twisted-pair Ethernet cables to monitor the physical configuration of the cables and detect when a unidirectional link exists. You can enable UDLD either globally or on a particular interface only, but the best way to enable UDLD is in global configuration mode.
Example:
R1(Config)#udld enable

UDLD is recommended for use with the loop guard feature. The purpose of loop guard is to prevent the alternate and root ports from becoming designated ports, and spanning tree does not send BPDUs on root or alternate ports.

Loop guard configuration example:
R1(Config)# spanning-tree loopguard default

QUESTION 254
Which statement correctly describes the Cisco implementation of RSTP? *

A. PortFast, UplinkFast, and BackboneFast specific configurations are ignored in Rapid PVST mode.
B. RSTP is enabled globally and uses existing STP configuration.
C. Root and alternative ports transition immediately to the forwarding state.
D. Convergence is improved by using sub-second timers for the blocking, listening, learning, and forwarding port states.

Correct Answer: B
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 255
What is the effect of applying the "switchport trunk encapsulation dot1q" command to a port on a Cisco Catalyst switch?

A. By default, native VLAN packets going out this port will be tagged.
B. Without an encapsulation command, 802.1Q will be the default encapsulation if DTP fails to negotiate a trunking protocol.
C. The interface will support the reception of tagged and untagged traffic.
D. If the device connected to this port is not 802.1Q-enabled, it will not be able to handle 802.1Q packets.

Correct Answer: C
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:

QUESTION 256
Which configuration option will cause the link between two Cisco 3600 Series Multiservice Platforms to become a functional trunk?

A. switchport dynamic auto
   switchport dynamic auto
B. switchport access vlan 10
   switchport mode dynamic desireable
C. switchport mode trunk
   switchport nonegotiate
D. Leave both ports with the default trunk settings.

Correct Answer: D
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:

QUESTION 257
Which command alone will disable trunking on a Layer 2 switch port?

A. no switchport trunk native vlan vlan-id
B. switchport nonegotiate
C. no switchport mode dynamic desirable
D. switchport mode access

Correct Answer: D
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:

QUESTION 258
Which statement is true regarding the Port Aggregation Protocol?

A. Configuration changes made on the port-channel interface apply to all physical ports assigned to the port-channel interface.
B. Configuration changes made on a physical port that is a member of a port-channel interface apply to the port-channel interface.
C. Configuration changes are not permitted with Port Aggregation Protocol; instead, the standardized Link Aggregation Control Protocol should be used if configuration changes are required.
D. The physical port must first be disassociated from the port-channel interface before any configuration changes can be made.

Correct Answer: A
Section: Etherchannel
Explanation

Explanation/Reference:

QUESTION 259
Which of the following conditions guarantees that a broadcast storm cannot occur?

A. a native VLAN mismatch on either side of an 802.1Q link
B. BPDU filter configured on a link to another switch
C. Spanning Tree Protocol enabled on both Layer 2 and multilayer switches
D. PortFast enabled on all access and trunk ports

Correct Answer: C
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 260
You are the administrator of a switch and currently all host-connected ports are configured with the portfast command. You have received a new directive from your manager that states that, in the future, any host-connected port that receives a BPDU should automatically disable PortFast and begin transmitting BPDUs. Which of the following commands will support this new requirement?

A. Switch(config)# spanning-tree portfast bpduguard default
B. Switch(config-if)# spanning-tree bpduguard enable
C. Switch(config-if)# spanning-tree bpdufilter enable
D. Switch(config)# spanning-tree portfast bpdufilter default

Correct Answer: D
Section: SpanningTree
Explanation

Explanation/Reference:
Explanation:
This command prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.

To enable bpdufilter in global configuration mode:
R1(Config)#spanning-tree portfast bpdufilter default

QUESTION 261
A port in a redundant topology is currently in the blocking state and is not receiving BPDUs. To ensure that this port does not erroneously transition to the forwarding state, which command should be configured to satisfy the requirement?

A. Switch(config)#spanning-tree loopguard default
B. Switch(config-if)#spanning-tree bpdufilter
C. Switch(config)#udld aggressive
D. Switch(config-if)#spanning-tree bpduguard

Correct Answer: A
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 262
Which of the following commands can be issued without interfering with the operation of loop guard?

A. Switch(config-if)#spanning-tree guard root
B. Switch(config-if)#spanning-tree portfast
C. Switch(config-if)#switchport mode trunk
D. Switch(config-if)#switchport mode access

Correct Answer: C
Section: SpanningTree
Explanation

Explanation/Reference:
You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. This feature is most effective when it is enabled on the entire switched network. Loop guard prevents alternate and root ports from becoming designated ports, and spanning tree does not send BPDUs on root or alternate ports.

You can enable this feature by using the spanning-tree loopguard default global configuration command.

When the switch is operating in PVST+ or rapid-PVST+ mode, loop guard prevents alternate and root ports from becoming designated ports, and spanning tree does not send BPDUs on root or alternate ports.

When the switch is operating in MST mode, BPDUs are not sent on nonboundary ports only if the interface is blocked by loop guard in all MST instances. On a boundary port, loop guard blocks the interface in all MST instances.

QUESTION 263
What is a characteristic of multi-VLAN access ports?

A. The port has to support STP PortFast.
B. The auxiliary VLAN is for data service and is identified by the PVID.
C. The port hardware is set as an 802.1Q trunk.
D. Both the voice service and data service use the same trust boundary.

Correct Answer: C
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Multiservice switches support a new parameter for IP Telephony support that makes the access port a multi-VLAN access port. The new parameter is called an auxiliary VLAN. Every Ethernet 10/100/1000 port in the switch is associated with two VLANs:

- A Native VLAN for data service that is identified by the port VLAN identifier or PVID.
- An Auxiliary VLAN for voice service that is identified by the voice VLAN identifier or VVID.
- During the initial CDP exchange with the access switch, the IP phone is configured with a VVID.
- The IP phone is also supplied with a QoS configuration using Cisco Discovery Protocol.
- Voice traffic is separated from data, and supports a different trust boundary.

The multi-VLAN access ports are not trunk ports, even though the hardware is set to dot1q trunk. The hardware setting is used to carry more than two VLANs, but the port is still considered an access port that is able to carry one native VLAN and the Auxiliary VLAN. The ‘switchport host’ command can be applied to a multi-VLAN access port on the access switch.

QUESTION 264
Which process plays a major role in the creation of the CEF adjacency table?

A. Address Resolution Protocol (ARP)
B. PDU header rewrite
C. NetFlow switching
D. hello packet exchange

Correct Answer: A
Section: Layer 3, ip routing
Explanation

Explanation/Reference:

QUESTION 265
The network operations center has received a call stating that users in VLAN 107 are unable to access resources through Router 1. From the information contained in the graphic, what is the cause of this problem?

A. VLAN 107 does not exist on switch A.
B. VTP is pruning VLAN 107.
C. VLAN 107 is not configured on the trunk.
D. Spanning tree is not enabled on VLAN 107.

Correct Answer: B
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
In this example, VLAN 7, 101, 106, and 107 are being pruned. VLAN 107 is being pruned incorrectly in this case. By disabling VTP pruning, VLAN 107 should be able to once again gain access to the network resources.
Incorrect Answers:
A, B: Based on the output shown above, VLAN 107 is known and active within the management domain. Therefore, it must have been configured and the VLAN is indeed allowed to traverse the trunk. Only VLAN 101 has been configured to not pass along this trunk.
D: By default, STP is enabled on all VLANs.

QUESTION 266
Which two table types are CEF components? (Choose two.)

A. forwarding information base
B. adjacency tables
C. neighbor tables
D. caching tables
E. route tables

Correct Answer: AB
Section: Layer 3, ip routing
Explanation

Explanation/Reference:

QUESTION 267
Which statement is correct about 802.1Q trunking?

A. Both switches must be in the same VTP domain.
B. The encapsulation type of both ends of the trunk does not have to match.
C. The native VLAN on both ends of the trunk must be VLAN 1.
D. 802.1Q trunking can only be configured on a Layer 2 port.
E. In 802.1Q trunking, all VLAN packets are tagged on the trunk link, except the native VLAN.

Correct Answer: E
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
E is correct because, "frames from the native VLAN of an 802.1Q trunk are not tagged with the VLAN number."
Incorrect Answers:
A: This is true for VTP information to be propagated, but it is not necessary for two switches to be trunked together.
B: This is incorrect because the encapsulation types do have to match or it won't work properly. You can't use 802.1Q on one side and ISL on the other. C is incorrect because the native VLAN doesn't necessarily have to be VLAN 1.
C: By default, the native VLAN is VLAN 1 but this can be effectively changed to a different VLAN and the trunk will still be functional.
D: Trunks can be established with router interfaces using sub-interfaces, which are layer 3.
Reference: http://www.cisco.com/warp/public/473/27.html

QUESTION 268
Which set of statements about Spanning Tree Protocol default timers is true?

A. The hello time is 2 seconds. The forward delay is 10 seconds. The max_age timer is 15 seconds.
B. The hello time is 2 seconds. The forward delay is 15 seconds. The max_age timer is 20 seconds.
C. The hello time is 2 seconds. The forward delay is 20 seconds. The max_age timer is 30 seconds.
D. The hello time is 5 seconds. The forward delay is 10 seconds. The max_age timer is 15 seconds.
E. The hello time is 5 seconds. The forward delay is 15 seconds. The max_age timer is 20 seconds.

Correct Answer: B
Section: SpanningTree
Explanation

Explanation/Reference:
Explanation:
The STP timers are:
1. hello: The hello time is the time between each bridge protocol data unit (BPDU) that is sent on a port. This time is equal to 2 seconds (sec) by default, but you can tune the time to be between 1 and 10 sec.
2. forward delay: The forward delay is the time that is spent in the listening and learning state. This time is equal to 15 sec by default, but you can tune the time to be between 4 and 30 sec.
3. max age: The max age timer controls the maximum length of time that passes before a bridge port saves its configuration BPDU information. This time is 20 sec by default, but you can tune the time to be between 6 and 40 sec.
Reference: http://www.cisco.com/warp/public/473/122.html#stp_timers

QUESTION 269
Refer to the exhibit. An administrator is verifying that a CEF FIB entry exists to destination network 192.168.150.0. Given the output generated by the show ip cef and show adjacency detail commands, which three statements are true? (Choose three.)

A. There is a valid CEF entry for the destination network 192.168.150.0.
B. The "valid cached adjacency" entry indicates that CEF will put all packets going to such an adjacency to the next best switching mode.
C. The counters (0 packets, 0 bytes) indicate a problem with the 192.168.199.3 next hop IP address.
D. There is an adjacency for the 192.168.199.3 next hop IP address.
E. The number 003071506800 is the MAC address of the 192.168.199.3 next hop IP address.
F. The number 003071506800 is the MAC address of the source IP address.

Correct Answer: ADE
Section: Layer 3, ip routing
Explanation

Explanation/Reference:
Explanation:
The adjacency table contents are fundamentally a function of the ARP process, whereby Layer 2 addresses are mapped to corresponding Layer 3 addresses. When the router issues an ARP request, a corresponding reply is received, and a host entry is added to the adjacency table to reflect this. In addition, the router can also glean next hop routers from routing updates and make entries in the adjacency table to reflect this. This lets the router build the next hop rewrite information necessary for Layer 3 packet forwarding. By having this data already stored in a table, CEF can perform highly efficient and consistent forwarding, because no discovery process is required. The command show ip cef is used to view the contents of the CEF adjacency table from the MSFC2. The command show ip cef summary gives a brief overview of the CEF process. It shows information such as the total number of adjacencies and routes.

Each time an adjacency entry is created, a Layer 2 data link layer header for that adjacent node is precomputed and stored in the adjacency table. This information is subsequently used for encapsulation during CEF switching of packets. Output from the command show adjacency detail displays the content of the information to be used during this Layer 2 encapsulation. Verify that the header information is displayed as would be expected during Layer 2 operations, not using precomputed encapsulation from the adjacency table. Adjacency statistics are updated approximately every 60 seconds. Also, the show cef drops command will display an indication of packets that are being dropped due to adjacencies that are either incomplete or nonexistent. There are two known reasons for incomplete or nonexistent adjacencies. The router cannot use ARP successfully for the next-hop interface. After a clear ip arp or a clear adjacency command, the router marks the adjacency as incomplete, and then it fails to clear the entry. The symptoms of an incomplete adjacency include random packet drops during a ping test. Use the debug ip cef command to view CEF drops caused by an incomplete adjacency.

QUESTION 270
Which two statements are true about a switched virtual interface (SVI)? (Choose two.)

A. An SVI is created by entering the no switchport command in interface configuration mode.
B. An SVI is normally created for the default VLAN (VLAN1) to permit remote switch administration.
C. An SVI provides a default gateway for a VLAN.
D. Multiple SVIs can be associated with a VLAN.
E. SVI is another name for a routed port.

Correct Answer: BC
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
On a multilayer switch, you can also enable Layer 3 functionality for an entire VLAN on the switch. This allows a network address to be assigned to a logical interface: that of the VLAN itself. This is useful when the switch has many ports assigned to a common VLAN, and routing is needed in and out of that VLAN. The logical Layer 3 interface is known as an SVI. However, when it is configured, it uses the much more intuitive interface name vlan vlan-id, as if the VLAN itself is a physical interface. First, define or identify the VLAN interface, and then assign any Layer 3 functionality to it with the following configuration commands:

Switch(config)# interface vlan vlan-id
Switch(config-if)# ip address ip-address mask [secondary]

The VLAN must be defined and active on the switch before the SVI can be used. Make sure the new VLAN interface is also enabled with the no shutdown interface configuration command.

QUESTION 271
What is the effect of configuring the following command on a switch?

Switch(config)# spanning-tree portfast bpdufilter default

A. If BPDUs are received by a port configured for PortFast, then PortFast is disabled and the BPDUs are processed normally.
B. If BPDUs are received by a port configured for PortFast, they are ignored and none are sent.
C. If BPDUs are received by a port configured for Portfast, the port will transition to forwarding state.
D. The command will enable BPDU filtering on all ports regardless of whether they are configured for BPDU filtering at the interface level.

Correct Answer: A
Section: SpanningTree
Explanation

Explanation/Reference:
Explanation:
Spanning tree PortFast is a Catalyst feature that causes a switch or trunk port to enter the spanning tree Forwarding state immediately, bypassing the Listening and Learning states. IOS-based switches only use PortFast on access ports connected to end stations. When a device is connected to a port, the port normally enters the spanning tree Listening state. When the Forward Delay timer expires, the port enters the Learning state. When the Forward Delay timer expires a second time, the port is transitioned to the Forwarding or Blocking state. When PortFast is enabled on a switch or trunk port, the port is immediately transitioned to the Forwarding state. As soon as the switch detects the link, the port is transitioned to the Forwarding state (less than 2 seconds after the cable is plugged in).

QUESTION 272
Refer to the exhibit. Which statement is true?

A. IP traffic matching access list ABC is forwarded through VLANs 5-10.
B. IP traffic matching VLAN list 5-10 will be forwarded, and all other traffic will be dropped.
C. All VLAN traffic matching VLAN list 5-10 will be forwarded, and all traffic matching access list ABC is dropped.
D. All VLAN traffic in VLANs 5-10 that match access list ABC will be forwarded, and all else will be dropped.

Correct Answer: D
Section: Security
Explanation

Explanation/Reference:

QUESTION 273
Which statement is correct about the use of the virtual interface on a WLC?

A. Used to relay DHCP messages
B. Used to communicate with LAPs
C. Used to bring up LWAPP tunnels
D. Used to extend into the wireless client VLAN

Correct Answer: A
Section: Wireless
Explanation

Explanation/Reference:

QUESTION 274
You administer a network that uses two routers, R1 and R2, configured as an HSRP group to provide redundancy for the gateway. Router R1 is the active router and has been configured as follows:

R1#configure terminal
R1(config)#interface fa0/0
R1(config-if)#ip address 10.10.0.5 255.255.255.0
R1(config-if)#standby 1 priority 150
R1(config-if)#standby preempt delay minimum 50
R1(config-if)#standby 1 track interface fa0/2 15
R1(config-if)#standby 1 ip 10.10.0.20

Which of the following describes the effect the "standby preempt delay minimum 50" command will have on router R1? (Select the best answer.)

A. The HSRP priority for router R1 will increase to 200.
B. Router R1 will become the standby router if the priority drops below 50.
C. The HSRP priority for router R1 will decrease to 50 points when Fa0/2 goes down.
D. Router R1 will wait 50 seconds before attempting to preempt the active router.

Correct Answer: D
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:

QUESTION 275

Refer to the exhibit.
Which of the following should you do to configure the IP phone to override the priority of the data packets it receives from the host? (Select the best answer.)

A. Issue the mls qos trust cos command on the switch port connected to the IP phone.
B. Issue the switchport priority extend cos command on the switch port connected to the IP phone.
C. Issue the switchport priority extend cos command on the IP phone.
D. Issue the mls qos trust cos command on the IP phone.

Correct Answer: B
Section: VoIP
Explanation

Explanation/Reference:

QUESTION 276

You want to configure a switched internetwork with multiple VLANs as shown above. Which of the following commands should you issue on SwitchA for the port connected to SwitchB? (Select the best answer.)

A. switchport mode trunk
B. switchport access vlan 5
C. switchport mode access vlan 5
D. switchport trunk native vlan 5

Correct Answer: A
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:

QUESTION 277

You administer the network shown above. You issue the show interfaces trunk command on SwitchA and receive the following output:

SwitchA#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-4094

Port        Vlans allowed and active in management domain
Fa0/1       1-9,31-37

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1-9,31,33-37

Which of the following statements is true regarding VLAN 32? (Select the best answer.)

A. VLAN 32 is not allowed on the trunk port.
B. VLAN 32 is not active on the switch.
C. Traffic from VLAN 32 is not being sent over the trunk port.
D. Traffic from VLAN 32 is not restricted to only the trunk ports that require it.

Correct Answer: C
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:

QUESTION 278
Which of the following HSRP router states does an active router enter when it is preempted by a higher priority router? (Select the best answer.)

A. active
B. speak
C. learn
D. listen
E. init
F. standby

Correct Answer: B
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:

QUESTION 279
Which of the following will generate an RSTP topology change notification? (Select the best answer.) *

A. an edge port that transitions to the forwarding state
B. a non-edge port that transitions to the blocking state
C. a non-edge port that transitions to the forwarding state
D. an edge port that transitions to the blocking state
E. any port that transitions to the blocking state
F. any port that transitions to the forwarding state

Correct Answer: C
Section: SpanningTree
Explanation

Explanation/Reference:
Explanation:
The IEEE 802.1D Spanning Tree Protocol was designed to keep a switched or bridged network loop free, with adjustments made to the network topology dynamically. A topology change typically takes 30 seconds, where a port moves from the Blocking state to the Forwarding state after two intervals of the Forward Delay timer. As technology has improved, 30 seconds has become an unbearable length of time to wait for a production network to failover or "heal" itself during a problem.

Topology Changes and RSTP
Recall that when an 802.1D switch detects a port state change (either up or down), it signals the Root Bridge by sending topology change notification (TCN) BPDUs. The Root Bridge must then signal a topology change by sending out a TCN message that is relayed to all switches in the STP domain. RSTP detects a topology change only when a nonedge port transitions to the Forwarding state. This might seem odd because a link failure is not used as a trigger. RSTP uses all of its rapid convergence mechanisms to prevent bridging loops from forming. Therefore, topology changes are detected only so that bridging tables can be updated and corrected as hosts appear first on a failed port and then on a different functioning port.

When a topology change is detected, a switch must propagate news of the change to other switches in the network so they can correct their bridging tables, too. This process is similar to the convergence and synchronization mechanism: topology change notification (TCN) messages propagate through the network in an ever-expanding wave.

QUESTION 280
You are adding an additional LAP to your current wireless network, which uses LWAPP. The LAP is configured with a static IP address. Which of the following steps is the first step when the LAP attempts to register with a WLC?

A. The WLC sends an LWAPP join response message.
B. The LAP broadcasts a Layer 2 LWAPP discovery request message.
C. The LAP registers with the WLC.
D. The WLC sends an LWAPP discovery response message.
E. The LAP sends an LWAPP join request message to a WLC.
F. The LAP broadcasts a Layer 3 LWAPP discovery request message.

Correct Answer: B
Section: Wireless
Explanation

Explanation/Reference:

QUESTION 281
You are configuring a fiber connection between two Cisco Catalyst 3750 switches on which UDLD is disabled. You connect both the transmit and receive connectors on one end of the cable to port 1/0/9 on SwitchA. However, you accidentally connect the transmit connector from SwitchA to the receive connector on port 1/0/7 on SwitchB and the receive connector from SwitchA to the transmit connector on port 1/0/8 on SwitchB.

Which of the following statements are true? (Choose two.)

A. Issuing the show cdp neighbors command on SwitchA and SwitchB will indicate that none of the ports are connected.
B. Issuing the show cdp neighbors command on SwitchB will indicate that port 1/0/7 on SwitchB is connected to port 1/0/9 on SwitchA.
C. Issuing the show cdp neighbors command on SwitchA will indicate that port 1/0/9 on SwitchA is connected to port 1/0/7 on SwitchB.
D. Issuing the show cdp neighbors command on SwitchB will indicate that port 1/0/8 on SwitchB is connected to port 1/0/9 on SwitchA.
E. Issuing the show cdp neighbors command on SwitchA will indicate that port 1/0/9 on SwitchA is connected to port 1/0/8 on SwitchB.

Correct Answer: BE
Section: UDLD
Explanation

Explanation/Reference:

QUESTION 282
Which of the following is not information provided from an IP phone to a Catalyst switch using CDP? (Select the best answer.)

A. device PoE requirements
B. device IP address
C. device voice VLAN ID
D. device platform

Correct Answer: C
Section: VoIP
Explanation

Explanation/Reference:

QUESTION 283
Which of the following should you enable to prevent a switch from forwarding packets with source addresses that are outside an administratively defined group? (Select the best answer.)

A. DAI
B. STP
C. PVLAN
D. port security

Correct Answer: D
Section: Security
Explanation

Explanation/Reference:

QUESTION 284
Which two statements are true about the configuration of voice VLANs? (Choose two.)

A. Static secure MAC addresses can be configured in conjunction with voice VLANs.
B. PortFast is automatically enabled when voice VLANs are configured.
C. PortFast must be manually configured when voice VLANs are configured.
D. Voice VLANs are typically configured on uplink ports.
E. Voice VLANs are typically configured on access ports.

Correct Answer: BE
Section: VoIP
Explanation

Explanation/Reference:

QUESTION 285
Refer to the exhibit. Which statement is true about the display of the "show pagp 1 neighbor" command?

A. STP packets are sent out the Gi0/1 interface only.
B. STP packets are sent out both the Gi0/1 and Gi0/2 interfaces.
C. CDP packets are sent out the Gi0/1 interface only.
D. CDP packets are sent out the Gi0/2 interface only.

Correct Answer: A
Section: Etherchannel
Explanation

Explanation/Reference:

QUESTION 286
Which two statements are true about network voice traffic? (Choose two.)

A. Voice traffic is affected more by link speed than FTP traffic is.
B. Voice traffic is affected more by packet delays than FTP traffic is.
C. Voice streams involve larger packet sizes than most TCP network traffic involves.
D. Voice traffic is more sensitive to packet loss than TCP network traffic is.
E. Voice traffic requires QOS mechanisms only in heavily loaded network segments.

Correct Answer: BD
Section: VoIP
Explanation

Explanation/Reference:

QUESTION 287
Which two statements about voice VLANs are correct? (Choose two.)

A. Voice VLANs eliminate the need for QoS configuration.
B. Voice VLANs are used on trunk links to eliminate the need for QoS CoS markings.
C. Voice VLANs are mainly used to reduce the number of access switch ports that are used in the network.
D. Voice VLANs can be configured to forward existing CoS priorities or override them.
E. Voice VLANs are mainly used between access layer switches and distribution layer switches.
F. Voice VLANs can be configured on Layer 2 ports only.

Correct Answer: DF
Section: VoIP
Explanation

Explanation/Reference:

QUESTION 288
Which two statements are true about voice VLANs? (Choose two.)

A. Voice VLANs are only used when connecting an IP phone and a host to distinct switch ports.
B. Access ports that are configured with voice VLANs will always trust the CoS that is received from IP phones.
C. Access ports that are configured with voice VLANs may or may not override the CoS value that is received from an IP phone.
D. Voice VLANs are configured using the switchport voice vlan vlan-ID interface configuration command.
E. Voice VLANs provide a trunking interface between an IP phone and an access port on a switch to allow traffic from multiple devices that are connected to the port.
F. Enabling Voice VLAN on a switch port will automatically configure the port to trust the incoming CoS markings.

Correct Answer: CD
Section: VoIP
Explanation

Explanation/Reference:

QUESTION 289
What does the command "udld reset" accomplish?

A. allows an UDLD port to automatically reset when it has been shutdown
B. resets all UDLD enabled ports that have been shutdown
C. removes all UDLD configurations from interfaces that were globally enabled
D. removes all UDLD configurations from interfaces that were enabled per-port

Correct Answer: B
Section: UDLD
Explanation

Explanation/Reference:

QUESTION 290
Refer to the exhibit. The command spanning-tree guard root is configured on interface Gi0/0 on both switch S2 and S5. The global configuration command spanning-tree uplinkfast has been configured on both switch S2 and S5. The link between switch S4 and S5 fails. Will Host A be able to reach Host B?

A. Fifty percent of the traffic will successfully reach Host B, and fifty percent will dead-end at switch S3 because of a partial spanning-tree loop.
B. No. Traffic will pass from switch S6 to S2 and dead-end at S2.
C. No. Traffic will loop back and forth between switch S6 and Host A.
D. No. Traffic will loop back and forth between switches S2 and S3.
E. Yes. Traffic will pass from switch S6 to S2 to S1.

Correct Answer: E
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 291
Which statement is correct about RSTP port roles?

A. The designated port is the switch port on every nonroot bridge that is the chosen path to the root bridge. There can be only one designated port on every switch. The designated port assumes the forwarding state in a stable active topology. All switches connected to a given segment listen to all BPDUs and determine the switch that will be the root switch for a particular segment.
B. The disabled port is an additional switch port on the designated switch with a redundant link to the segment for which the switch is designated. A disabled port has a higher port ID than the disabled port on the designated switch. The disabled port assumes the discarding state in a stable active topology.
C. The backup port is a switch port that offers an alternate path toward the root bridge. The backup port assumes a discarding state in a stable, active topology. The backup port will be present on nondesignated switches and will make a transition to a designated port if the current designated path fails.
D. The root port is the switch port on every nonroot bridge that is the chosen path to the root bridge. There can be only one root port on every switch. The root port assumes the forwarding state in a stable active topology.

Correct Answer: D
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 292
Refer to the exhibit. Based on the output of the show spanning-tree command, which statement is true?

A. Switch SW1 has been configured with the spanning-tree vlan 1 root primary global configuration command.
B. Switch SW1 has been configured with the spanning-tree vlan 1 root secondary global configuration command.
C. Switch SW1 has been configured with the spanning-tree vlan 1 priority 24577 global configuration command.
D. Switch SW1 has been configured with the spanning-tree vlan 1 hello-time 2 global configuration command.
E. The root bridge has been configured with the spanning-tree vlan 1 root secondary global configuration command.

Correct Answer: B
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 293
Refer to the exhibit. On the basis of the output of the show spanning-tree inconsistentports command, which statement about interfaces FastEthernet 0/1 and FastEthernet 0/2 is true?

A. They have been configured with the spanning-tree bpdufilter disable command.
B. They have been configured with the spanning-tree bpdufilter enable command.
C. They have been configured with the spanning-tree bpduguard disable command.
D. They have been configured with the spanning-tree bpduguard enable command.
E. They have been configured with the spanning-tree guard loop command.
F. They have been configured with the spanning-tree guard root command.

Correct Answer: F
Section: SpanningTree
Explanation

Explanation/Reference:
If another switch advertises a superior BPDU, or one with a better Bridge ID, on a port where root guard is enabled, the local switch will not allow the new switch to become the root. As long as the superior BPDUs are being received on the port, the port will be kept in the root-inconsistent STP state.

QUESTION 294
Refer to the exhibit. STP has been implemented in the network. Switch SW_A is the root switch for the default VLAN. To reduce the broadcast domain, the network administrator decides to split users on the network into VLAN 2 and VLAN 10. The administrator issues the command spanning-tree vlan 2 root primary on switch SW_A. What will happen as a result of this change?

A. All ports of the root switch SW_A will remain in forwarding mode throughout the reconvergence of the spanning tree domain.
B. Switch SW_A will change its spanning tree priority to become root for VLAN 2 only.
C. Switch SW_A will remain root for the default VLAN and will become root for VLAN 2.
D. No other switch in the network will be able to become root as long as switch SW_A is up and running.

Correct Answer: C
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 295
Refer to the exhibit. The command switchport mode access is issued on interface FastEthernet0/13 on switch CAT1. What will be the result?

A. The command will be rejected by the switch.
B. Interfaces FastEthernet0/13 and FastEthernet0/14 will no longer be bundled.
C. Dynamic Trunking Protocol will be turned off on interfaces FastEthernet0/13 and FastEthernet0/14.
D. Interfaces FastEthernet0/13 and FastEthernet0/14 will only allow traffic from the native VLAN.
E. Interfaces FastEthernet0/13 and FastEthernet0/14 will continue to pass traffic for VLANs 88,100,360.

Correct Answer: B
Section: Etherchannel
Explanation

Explanation/Reference:

QUESTION 296
Refer to the exhibit. LACP has been configured on Switch1 as shown. Which is the correct command set to configure LACP on Switch2?

A. Switch2# configure terminal
   Switch2(config)# interface range gigabitethernet3/1 -2
   Switch2(config-if)# channel-group 5 mode auto

B. Switch2# configure terminal
   Switch2(config)# interface range gigabitethernet3/1 -2
   Switch2(config-if)# channel-group 5 mode passive

C. Switch2# configure terminal
   Switch2(config)# interface range gigabitethernet3/1 -2
   Switch2(config-if)# channel-group 5 mode desirable

D. Switch2# configure terminal
   Switch2(config)# interface range gigabitethernet3/1 -2
   Switch2(config-if)# channel-group 5 mode on

Correct Answer: B
Section: Etherchannel
Explanation

Explanation/Reference:

QUESTION 297
Refer to the exhibit. On the basis of the information that is generated by the show commands, which two EtherChannel statements are true? (Choose two.)

A. Interfaces FastEthernet 0/1 and 0/2 have been configured with the channel-group 1 mode desirable command.
B. Interfaces FastEthernet 0/3 and 0/4 have been configured with the no switchport command.
C. Interface Port-Channels 1 and 2 have been assigned IP addresses with the ip address commands.
D. Port-Channels 1 and 2 are providing two 400 Mbps EtherChannels.
E. Port-Channels 1 and 2 are capable of combining up to 8 FastEthernet ports to provide full-duplex bandwidth of up to 16 Gbps between a switch and another switch or host.
F. Switch SW1 has been configured with a Layer 3 EtherChannel.

Correct Answer: AD
Section: Etherchannel
Explanation

Explanation/Reference:

QUESTION 298
Refer to the exhibit. What command was issued on the Layer 3 switch Sw1 between Exhibit #1 and Exhibit #2?

A. ip routing
B. no ip routing
C. router eigrp 1
D. no router eigrp 1
E. mls qos
F. no mls qos

Correct Answer: B
Section: Layer 3, ip routing
Explanation

Explanation/Reference:

QUESTION 299
What must be the same to make multiple switches part of the same Multiple Spanning Tree (MST)?

A. VLAN instance mapping and revision number
B. VLAN instance mapping and member list
C. VLAN instance mapping, revision number, and member list
D. VLAN instance mapping, revision number, member list, and timers

Correct Answer: A
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 300
Refer to the exhibit. Switch 15 is configured as the root switch for VLAN 10 but not for VLAN 20. If the STP configuration is correct, what will be true about Switch 15?

A. All ports will be in forwarding mode.
B. All ports in VLAN 10 will be in forwarding mode.
C. All ports in VLAN 10 will be in forwarding mode and all ports in VLAN 20 will be in blocking mode.
D. All ports in VLAN 10 will be in forwarding mode and all ports in VLAN 20 will be in standby mode.

Correct Answer: B
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 301
Which two statements are true about port BPDU Guard and BPDU filtering? (Choose two.)

A. BPDU guard can be enabled globally, whereas BPDU filtering must be enabled on a per-interface basis.
B. When globally enabled, BPDU port-guard and BPDU filtering apply only to PortFast enabled ports.
C. When globally enabled, BPDU port-guard and BPDU filtering apply only to trunking-enabled ports.
D. When a BPDU is received on a BPDU port-guard enabled port, the interface goes into the err-disabled state.
E. When a BPDU is received on a BPDU filtering enabled port, the interface goes into the err-disabled state.
F. When a BPDU is received on a BPDU filtering enabled port, the interface goes into the STP blocking state.

Correct Answer: BD
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 302
Refer to the exhibit and the partial configuration of switch SW_A and SW_B. STP is configured on all switches in the network. SW_B receives this error message on the console port:

00:06:34: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/5(not half duplex), with SW_A FastEthernet0/4 (half duplex) ,with TBA05071417(Cat6K-B) 0/4 (half duplex).

What would be the possible outcome of the problem? *

A. The root port on switch SW_A will automatically transition to full-duplex mode.
B. The root port on switch SW_B will fallback to full-duplex mode.
C. The interfaces between switches SW_A and SW_B will transition to a blocking state.
D. Interface Fa 0/6 on switch SW_B will transition to a forwarding state and create a bridging loop.

Correct Answer: D
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 303
Which two statements about the various implementations of STP are true? (Choose two.)

A. Common Spanning Tree maintains a separate spanning-tree instance for each VLAN configured in the network.
B. The Spanning Tree Protocol (STP) is an evolution of the IEEE 802.1w standard.
C. Per-VLAN Spanning Tree (PVST) supports 802.1Q trunking.
D. Per-VLAN Spanning Tree Plus (PVST+) is an enhancement to 802.1Q specification and is supported only on Cisco devices.
E. Rapid Spanning Tree Protocol (RSTP) includes features equivalent to Cisco PortFast, UplinkFast, and BackboneFast for faster network reconvergence.
F. Multiple Spanning Tree (MST) assumes one spanning-tree instance for the entire Layer 2 network, regardless of the multiple number of VLANs.

Correct Answer: DE
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 304
Refer to the exhibit. For what purpose is the command show ip cef used?

A. to display rewritten IP unicast packets
B. to display ARP resolution packets
C. to display ARP throttling
D. to display TCAM matches
E. to display CEF-based MLS lookups
F. to display entries in the Forwarding Information Base (FIB)

Correct Answer: F
Section: Layer 3, ip routing
Explanation

Explanation/Reference:

QUESTION 305
Refer to the exhibit. Which statement is true about the output?

A. The port on switch CAT1 is forwarding and sending BPDUs correctly.
B. The port on switch CAT1 is blocking and sending BPDUs correctly.
C. The port on switch CAT2 is forwarding and receiving BPDUs correctly.
D. The port on switch CAT2 is blocking and sending BPDUs correctly.
E. The port on switch CAT3 is forwarding and receiving BPDUs correctly.
F. The port on switch CAT3 is forwarding, sending, and receiving BPDUs correctly.

Correct Answer: A
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 306
Refer to the exhibit. What does the command channel-group 1 mode desirable do? *

A. enables LACP unconditionally
B. enables PAgP only if a PAgP device is detected
C. enables PAgP unconditionally
D. enables Etherchannel only
E. enables LACP only if a LACP device is detected

Correct Answer: C
Section: Etherchannel
Explanation

Explanation/Reference:

QUESTION 307
Refer to the exhibit. Initially, LinkA is connected and forwarding traffic. A new LinkB is then attached between SwitchA and HubA. Which two statements are true about the possible result of attaching the second link? (Choose two.)

A. The switch port attached to LinkB will not transition to up.
B. One of the two switch ports attached to the hub will go into blocking mode when a BPDU is received.
C. Both switch ports attached to the hub will transition to the blocking state.
D. A heavy traffic load could cause BPDU transmissions to be blocked and leave a switching loop.
E. The switch port attached to LinkA will immediately transition to the blocking state.

Correct Answer: BD
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 308
How are STP timers and state transitions affected when a topology change occurs in an STP environment?

A. All ports will temporarily transition to the learning state for a period equal to the max age timer plus the forward delay interval.
B. All ports will transition temporarily to the learning state for a period equal to the forward delay interval.
C. The default aging time for MAC address entries will be reduced for a period of the max age timer plus the forward delay interval.
D. The default hello time for configuration BPDUs will be reduced for the period of the max age timer.

Correct Answer: C
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 309
What two things will occur when an edge port receives a BPDU? (Choose two.)

A. The port immediately transitions to the Forwarding state.
B. The switch generates a Topology Change Notification (TCN) BPDU.
C. The port immediately transitions to the err-disable state.
D. The port becomes a normal STP switch port.

Correct Answer: BD
Section: SpanningTree
Explanation

Explanation/Reference:
An edge port that receives a BPDU immediately loses edge port status and thus becomes a normal port in the spanning-tree topology, going through the Discarding -> Learning -> Forwarding stages.
TCN only gets sent when the topology has converged, thus meaning the port must be in forwarding state for a TCN to be sent.

QUESTION 310
What will occur when a nonedge switch port that is configured for Rapid Spanning Tree does not receive a BPDU from its neighbor for three consecutive hello time intervals?

A. RSTP information is automatically aged out.
B. The port sends a TCN to the root bridge.
C. The port moves to listening state.
D. The port becomes a normal spanning tree port.

Correct Answer: A
Section: SpanningTree
Explanation

Explanation/Reference:


QUESTION 311
Which option correctly identifies the Cisco IOS switching methods in descending order from the fastest method to the slowest method?

A. CEF, distributed CEF (dCEF), fast switching, process switching
B. distributed CEF (dCEF), CEF, fast switching, process switching
C. fast switching, process switching, distributed CEF (dCEF), CEF
D. process switching, fast switching, distributed CEF (dCEF), CEF
E. process switching, distributed CEF (dCEF), CEF, fast switching
F. process switching, CEF, distributed CEF (dCEF), fast switching

Correct Answer: B
Section: Layer 3, ip routing
Explanation

Explanation/Reference:

QUESTION 312
Which three statements are true of the Link Aggregation Control Protocol (LACP)? (Choose three.)

A. LACP is used to connect to non-Cisco devices.
B. LACP packets are sent with the command channel-group 1 mode desirable.
C. LACP packets are sent with the command channel-group 1 mode active.
D. Standby interfaces should be configured with a higher priority.
E. Standby interfaces should be configured with a lower priority.

Correct Answer: ACD
Section: Etherchannel
Explanation

Explanation/Reference:

QUESTION 313
Refer to the exhibit. All network links are FastEthernet. Although there is complete connectivity throughout the network, Front Line users have been complaining that they experience slower network performance when accessing the server farm than the Reception office experiences. Based on the exhibit, which two statements are true? (Choose two.)

A. Changing the bridge priority of S1 to 4096 would improve network performance.
B. Changing the bridge priority of S1 to 36864 would improve network performance.
C. Changing the bridge priority of S2 to 36864 would improve network performance.
D. Changing the bridge priority of S3 to 4096 would improve network performance.
E. Disabling the Spanning Tree Protocol would improve network performance.
F. Upgrading the link between S2 and S3 to Gigabit Ethernet would improve performance.

Correct Answer: BD
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 314
Which two statements are true when the extended system ID feature is enabled? (Choose two.)

A. The BID is made up of the bridge priority value (2 bytes) and bridge MAC address (6 bytes).
B. The BID is made up of the bridge priority (4 bits), the system ID (12 bits), and a bridge MAC address (48 bits).
C. The BID is made up of the system ID (6 bytes) and bridge priority value (2 bytes).
D. The system ID value is the VLAN ID (VID).
E. The system ID value is a unique MAC address allocated from a pool of MAC addresses assigned to the switch or module.
F. The system ID value is a hex number used to measure the preference of a bridge in the spanning-tree algorithm.

Correct Answer: BD
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 315
Based on the show spanning-tree vlan 200 output shown in the exhibit, which two statements about the STP process for VLAN 200 are true? (Choose two.)

A. BPDUs will be sent out every two seconds.
B. The time spent in the listening state will be 30 seconds.
C. The time spent in the learning state will be 15 seconds.
D. The maximum length of time that the BPDU information will be saved is 30 seconds.
E. This switch is the root bridge for VLAN 200.
F. BPDUs will be sent out every 10 seconds.

Correct Answer: BF
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 316
Which three statements about STP timers are true? (Choose three.)

A. STP timers values (hello, forward delay, max age) are included in each BPDU.
B. A switch is not concerned about its local configuration of the STP timers values. It will only consider the value of the STP timers contained in the BPDU it is receiving.
C. To successfully exchange BPDUs between two switches, their STP timers value (hello, forward delay, max age) must be the same.
D. If any STP timer value (hello, forward delay, max age) needs to be changed, it should at least be changed on the root bridge and backup root bridge.
E. On a switched network with a small network diameter, the STP hello timer can be tuned to a lower value to decrease the load on the switch CPU.
F. The root bridge passes the timer information in BPDUs to all routers in the Layer 3 configuration.

Correct Answer: ABD
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 317
Examine the diagram. A network administrator has recently installed the above switched network using 3550s and would like to control the selection of the root bridge. Which switch should the administrator configure as the root bridge and which configuration command must the administrator enter to accomplish this?

A. DSW11(config)# spanning-tree vlan 1 priority 4096
B. DSW12(config)# set spanning-tree priority 4096
C. ASW13(config)# spanning-tree vlan 1 priority 4096
D. DSW11(config)# set spanning-tree priority 4096
E. DSW12(config)# spanning-tree vlan 1 priority 4096
F. ASW13(config)# set spanning-tree priority 4096

Correct Answer: E
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 318
Given the diagram and assuming that STP is enabled on all switch devices, which two statements are true? (Choose two.)

A. DSW11 will be elected the root bridge.
B. DSW12 will be elected the root bridge.
C. ASW13 will be elected the root bridge.
D. P3/1 will be elected the nondesignated port.
E. P2/2 will be elected the nondesignated port.
F. P3/2 will be elected the nondesignated port.

Correct Answer: AD
Section: SpanningTree
Explanation

Explanation/Reference:
A nondesignated port is a blocked port. ASW13's root port is P3/2 because the root path cost will be 19 + 19 = 38. DSW11 will be designated, so ASW13 P3/1 will be blocked.

QUESTION 319
Which two statements concerning STP state changes are true? (Choose two.)

A. Upon bootup, a port transitions from blocking to forwarding because it assumes itself as root.
B. Upon bootup, a port transitions from blocking to listening because it assumes itself as root.
C. Upon bootup, a port transitions from listening to forwarding because it assumes itself as root.
D. If a forwarding port receives no BPDUs by the max_age time limit, it will transition to listening.
E. If a forwarding port receives an inferior BPDU, it will transition to listening.
F. If a blocked port receives no BPDUs by the max_age time limit, it will transition to listening.

Correct Answer: BF
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 320
In a customer's network, VLAN Trunking Protocol (VTP) is running with a domain named main1. VLANs 1,2,3,4,5,10,20 are active on the network. Suddenly the whole network goes down. No traffic is being passed on VLANs 2,3,4,5,10,20, however traffic passes on VLAN 1 and indicates all switches are operational. Right before the network problem occurred, a switch named TEST1 was added to the network. What three configuration issues on TEST1 could be causing the network outage? (Choose three.)

A. TEST1 is configured as a VTP server with a different domain name.
B. TEST1 is not configured to participate in VTP.
C. TEST1 is configured as a VTP server with the domain name main1.
D. TEST1 has a lower VTP configuration revision than the current VTP revision.
E. TEST1 has a higher VTP configuration revision than the current VTP revision.
F. TEST1 is configured with only VLAN1.

Correct Answer: CEF
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:

QUESTION 321
Which statement is true about RSTP topology changes?

A. Only nonedge ports moving to the blocking state generate a TC BPDU.
B. Any loss of connectivity generates a TC BPDU.
C. Any change in the state of the port generates a TC BPDU.
D. Only nonedge ports moving to the forwarding state generate a TC BPDU.
E. If either an edge port or a nonedge port moves to a block state, then a TC BPDU is generated.

Correct Answer: D
Section: SpanningTree
Explanation

Explanation/Reference:
Explanation:
The IEEE 802.1D Spanning Tree Protocol was designed to keep a switched or bridged network loop free, with adjustments made to the network topology dynamically. A topology change typically takes 30 seconds, where a port moves from the Blocking state to the Forwarding state after two intervals of the Forward Delay timer. As technology has improved, 30 seconds has become an unbearable length of time to wait for a production network to failover or "heal" itself during a problem.

Topology Changes and RSTP
Recall that when an 802.1D switch detects a port state change (either up or down), it signals the Root Bridge by sending topology change notification (TCN) BPDUs. The Root Bridge must then signal a topology change by sending out a TCN message that is relayed to all switches in the STP domain. RSTP detects a topology change only when a nonedge port transitions to the Forwarding state. This might seem odd because a link failure is not used as a trigger. RSTP uses all of its rapid convergence mechanisms to prevent bridging loops from forming.

Therefore, topology changes are detected only so that bridging tables can be updated and corrected as hosts appear first on a failed port and then on a different functioning port.

When a topology change is detected, a switch must propagate news of the change to other switches in the network so they can correct their bridging tables, too. This process is similar to the convergence and synchronization mechanism: topology change (TC) messages propagate through the network in an ever-expanding wave.

QUESTION 322
Which optional feature of an Ethernet switch disables a port on a point-to-point link if the port does not receive traffic while Layer 1 status is up?

A. BackboneFast
B. UpLinkFast
C. Loop Guard
D. UDLD aggressive mode
E. Fast Link Pulse bursts
F. Link Control Word

Correct Answer: D
Section: UDLD
Explanation

Explanation/Reference:

QUESTION 323
Which two characteristics apply to Cisco Catalyst 6500 Series Switch supervisor redundancy using NSF? (Choose two.) *

A. supported by RIPv2, OSPF, IS-IS, and EIGRP
B. dependent on FIB tables
C. supports IPv4 and IPv6 multicast
D. prevents route flapping
E. independent of SSO
F. NSF combined with SSO enables supervisor engine load balancing

Correct Answer: BD
Section: RPR, RPR+, SSO, NSF
Explanation

Explanation/Reference:
Explanation:
The purpose of NSF is to enable the Layer 3 switch to continue forwarding packets from an NSF-capable neighboring router when the primary route processor (RP) is failing and the backup RP is taking over. So it prevents the route flapping and it depends on FIB (Forwarding Information Base) table.

QUESTION 324
Which two statements are true about best practices in VLAN design? (Choose two.) *

A. Routing should occur at the access layer if voice VLANs are utilized. Otherwise, routing should occur at the distribution layer.
B. Routing may be performed at all layers but is most commonly done at the core and distribution layers.
C. Routing should not be performed between VLANs located on separate switches.
D. VLANs should be local to a switch.
E. VLANs should be localized to a single switch unless voice VLANs are being utilized.

Correct Answer: BD
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
In the distribution layer, uplinks from all access layer devices are aggregated, or come together. The distribution layer switches must be capable of processing the total volume of traffic from all the connected devices. These switches should have a port density of high-speed links to support the collection of access layer switches. VLANs and broadcast domains converge at the distribution layer, requiring routing, filtering, and security. The switches at this layer must be capable of performing multilayer switching with high throughput. Only certain Catalyst switch models can provide multilayer switching; be sure to understand which ones can do this.

A switched environment offers the technology to overcome flat network limitations. Switched networks can be subdivided into VLANs. By definition, a VLAN is a single broadcast domain. All devices connected to the VLAN receive broadcasts from other VLAN members. However, devices connected to a different VLAN will not receive those same broadcasts. (Naturally, VLAN members also receive unicast packets directed toward them from other VLAN members.)

A VLAN consists of defined members communicating as a logical network segment. In contrast, a physical segment consists of devices that must be connected to a physical cable segment. A VLAN can have connected members located anywhere in the campus network, as long as VLAN connectivity is provided between all members. Layer 2 switches are configured with a VLAN mapping and provide the logical connectivity between the VLAN members.

QUESTION 325
The following command was issued on a router that is being configured as the active HSRP router.

standby ip 10.2.1.1

Which statement is true about this command?

A. This command will not work because the HSRP group information is missing
B. The HSRP MAC address will be 0000 0c07 ac00
C. The HSRP MAC address will be 0000 0c07 ac01.
D. The HSRP MAC address will be 0000.070c ad01.
E. This command will not work because the active parameter is missing

Correct Answer: B
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Naturally, each router keeps a unique MAC address for its interface. This MAC address is always associated with the unique IP address configured on the interface. For the virtual router address, HSRP defines a special MAC address of the form 0000.0c07.acxx, where xx represents the HSRP group number as a two-digit hex value. For example, HSRP Group 1 appears as 0000.0c07.ac01, HSRP Group 16 appears as 0000.0c07.ac10, and so on.

Official Cert Guide page 273

Without a group specified, it will default to group 0. xx would be 00, or 0000.0c07.ac00.

QUESTION 326
How does VTP pruning enhance network bandwidth?

A. by restricting unicast traffic across VTP domains
B. by reducing unnecessary flooding of traffic to inactive VLANs
C. by limiting the spreading of VLAN information
D. by disabling periodic VTP updates

Correct Answer: B
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:

QUESTION 327
Refer to the exhibit. Assume that Switch_A is active for the standby group and the standby device has only the default HSRP configuration. What conclusion is valid?

A. If port Fa1/1 on Switch_A goes down, the standby device will take over as active.
B. If the current standby device were to have the higher priority value, it would take over the role of active for the HSRP group.
C. If port Fa1/1 on Switch_A goes down, the new priority value for the switch would be 190.
D. If Switch_A had the highest priority number, it would not take over as active router.

Correct Answer: C
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:

QUESTION 328
Refer to the exhibit. On the basis of the output generated by the show commands, which two statements are true? (Choose two)

A. Interface gigabitethernet 0/1 has been configured as Layer 3 ports.
B. Interface gigabitethernet 0/1 does not appear in the show vlan output because switchport is enabled.
C. Interface gigabitethernet 0/1 does not appear in the show vlan output because it is configured as a trunk interface.
D. VLAN2 has been configured as the native VLAN for the 802.1q trunk on interface gigabitethernet 0/1.
E. Traffic on VLAN 1 that is sent out gigabitethernet 0/1 will have an 802.1q header applied.
F. Traffic on VLAN 2 that is sent out gigabitethernet 0/1 will have an 802.1q header applied.

Correct Answer: CF
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:

QUESTION 329
Assume that a host sends a packet to a destination IP address and that the CEF-based switch does not yet have a valid MAC address for the destination. How is the ARP entry (MAC address) of the next-hop destination in the FIB obtained?

A. The sending host must send an ARP request for it
B. All packets to the destination are dropped
C. The Layer 3 forwarding engine (CEF hardware) must send an ARP request for it
D. CEF must wait until the Layer 3 engine sends an ARP request for it

Correct Answer: D
Section: Layer 3, ip routing
Explanation

Explanation/Reference:
If a valid MAC address for the destination is not found, the Layer 3 forwarding engine can't forward the packet in hardware due to the missing Layer 2 next-hop address. Therefore the packet is sent to the Layer 3 Engine so that it can generate an ARP request (this is called the "CEF glean" state).

QUESTION 330
During routine maintenance, it became necessary to shut down G1/0/1 on DSW1. All other interfaces were up. During this time, DSW1 remained the active device for Vlan 102's HSRP group. You have determined that there is an issue with the decrement value in the track command in Vlan 102's HSRP group. What needs to be done to make the group function properly?


Interface VLAN 102 exhibit:


A. The DS1's decrement value should be configured with a value from 5 to 15
B. The DS1's decrement value should be configured with a value from 9 to 15
C. The DS1's decrement value should be configured with a value from 11 to 18
D. The DS1's decrement value should be configured with a value from 195 to less than 205
E. The DS1's decrement value should be configured with a value from 200 to less than 205
F. The DS1's decrement value should be greater than 190 and less than 200

Correct Answer: C
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Answer C
Explanation:

Use the "show run" command to show the configuration. The left Vlan102 is console1 of DS1. The priority value is 200, so we should set the decrement value in the track command from 11 to 18, because 200 - 11 = 189 < 190 (priority of Vlan102 on DS2).

QUESTION 331
During routine maintenance, G1/0/1 on DSW1 was shut down. All other interfaces were up. DSW2 became the active HSRP device for Vlan101 as desired. However, after G1/0/1 on DSW1 was reactivated, DSW1 did not become the active HSRP device as desired. What needs to be done to make the group for Vlan101 function properly?

Interface VLAN 101 exhibit:


A. Enable preempt on DS1's Vlan101 HSRP group
B. Disable preempt on DS1's Vlan101 HSRP group
C. Decrease DS1's priority value for Vlan101 HSRP group to a value that is less than priority value configured on DS2's HSRP group for Vlan101
D. Decrease the decrement in the track command for DS1's Vlan 101 HSRP group to a value less than the value in the track command for DS2's Vlan 101 HSRP group.

Correct Answer: A
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Answer A
Explanation:

A is correct; all other answers are incorrect, because preempt is disabled for Vlan101 on DS1 (left). We need to enable preempt so that, after it is reactivated, it will be the active device. Without this command, it never becomes the active device.


QUESTION 332
DSW2 has not become the active device for Vlan103's HSRP group even though all interfaces are active. As related to Vlan103's HSRP group, what can be done to make the group function properly?

Interface VLAN 103 exhibit:


A. On DS1, disable preempt
B. On DS1, decrease the priority value to a value less than 190 and greater than 150
C. On DS2, increase the priority value to a value greater than 241 and less than 249
D. On DS2, increase the decrement value in the track command to a value greater than 10 and less than 50.

Correct Answer: C
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:

QUESTION 333
If G1/0/1 on DSW1 is shut down, what will be the current priority value of the Vlan105's group on DSW1?


Interface VLAN 105 exhibit:

A. 95
B. 100
C. 150
D. 200

Correct Answer: A
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Answer: A
Explanation:

The configured priority is 150 and the track decrement is 55. So, if interface G1/0/1 is shut down: 150 - 55 = 95.

QUESTION 334
What is the configured priority value of the Vlan105's group on DSW2?

Interface VLAN 105 exhibit:


A. 50
B. 100
C. 150
D. 200

Correct Answer: B
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Answer: B

Explanation:

Use the "show standby brief" command on console2. It is easy to see that the priority of Vlan105 is 100.

QUESTION 335
During routine maintenance, it became necessary to shut down G1/0/1 on DSW1 and DSW2. All other interfaces were up. During this time, DSW1 became the active device for Vlan104's HSRP group. As related to Vlan104's HSRP group, what can be done to make the group function properly?


Interface VLAN 104 exhibit:


A. On DS1, disable preempt
B. On DS2, decrease the priority value to a value less than 150
C. On DS1, increase the decrement value in the track command to a value greater than 6
D. On DS1, disable track command.

Correct Answer: C
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Answer: C

Explanation:

We should NOT disable preempt on DS1. Doing that would make Vlan104's HSRP group fail to function. Example: if we disable preempt on DS1, it cannot become the active device when G1/0/1 on DS2 fails. In this question, G0/1/0 on DS1 & DS2 is shut down. Vlan104 (left): 150 - 1 = 149. Vlan104 (right): 200 155 = 145. The result is priority 149 > 145 (Vlan104 on DS1 is active). If we increase the decrement in the track value to a value greater than 6 (> or = 6): Vlan104 (left): 150 - 6 = 144. The result is priority 144 < 145 (Vlan104 on DS2 is active).

QUESTION 336
Drag the choices on the left to the boxes on the right that should be included when creating a VLAN-based implementation plan. Not all choices will be used.

Select and Place:

Correct Answer:

Section: Drag&Drop
Explanation

Explanation/Reference:

QUESTION 337
Match the attributes on the left with the types of VLAN designs on the right.

Select and Place:

Correct Answer:

Section: Drag&Drop
Explanation

Explanation/Reference:

QUESTION 338
Categorize the high availability network resource or feature with the management level, network level, or system level used.

Select and Place:

Correct Answer:

Section: Drag&Drop
Explanation

Explanation/Reference:

QUESTION 339
Place the DTP mode with its correct description.

Select and Place:

Correct Answer:

Section: Drag&Drop
Explanation

Explanation/Reference:
1. trunk: This setting places the port in permanent trunking mode. The corresponding switch port at the other end of the trunk should be similarly configured because negotiation is not allowed. You should also manually configure the encapsulation mode.
2. dynamic desirable: The port actively attempts to convert the link into trunking mode. If the far-end switch port is configured to trunk, dynamic desirable, or dynamic auto mode, trunking is successfully negotiated.
3. dynamic auto: The port converts the link into trunking mode. If the far-end switch port is configured to trunk or dynamic desirable, trunking is negotiated. Because of the passive negotiation behavior, the link never becomes a trunk if both ends of the link are left to the dynamic auto default.
4. Negotiate: The encapsulation is negotiated to select either ISL or IEEE 802.1Q, whichever is supported by both ends of the trunk. If both ends support both types, ISL is favored.
5. Access: Puts the interface into access mode, which means the interface is in non-trunking mode.
6. Nonegotiate: Forces the port to permanently trunk but not send DTP frames. For use when the DTP frames confuse the neighboring (non-Cisco) 802.1q switch. You must manually set the neighboring switch to trunking.

QUESTION 340
You have a VLAN implementation that requires inter-vlan routing using layer 3 switches. Drag the steps on the left that should be part of the verification plan to the spaces on the right. Not all choices will be used.

Select and Place:

Correct Answer:

Section: Drag&Drop
Explanation

Explanation/Reference:

QUESTION 341
You have been tasked with planning a VLAN solution that will connect a server in one building to several hosts in another building. The solution should be built using the local VLAN model and layer 3 switching at the distribution layer. Identify the questions related to this VLAN solution that you would ask the network administrator before you start the planning by dragging them into the target zone on the right. Not all questions will be used.

Select and Place:

Correct Answer:

Section: Drag&Drop
Explanation

Explanation/Reference:
In a local VLAN solution, the common VTP mode is transparent.

CREATE A VLAN BASED IMPLEMENTATION PLAN

Foundation Learning Guide Chapter 2 pg. 58-59
Subnets and associated VLANs
VLAN Number
VLAN Name
VLAN Purpose
VLAN to IP Address Scheme
Physical location of VLANs (determine which switch has which VLANs)
Assignment method (dot1x etc.)
Placement of trunks, native VLAN for trunks, and allowed VLANs on trunks
VTP configuration

Quick Reference Guide Chapter 2 pg. 14
VLAN numbering, naming, and IP addressing scheme
VLAN placement (local or multiple switches)
Trunk requirements
VTP parameters
Test and verification plan

From Foundation Learning Guide
The following steps outline the considerations you need to make with regard to using an SVI:
1) On your L3 switch, identify the VLANs that require a default gateway.
2) For any SVIs not already present on your L3 switch, you will need to create them. As such, you will need to decide on suitable numbering for the SVI (it should be the VLAN ID number) plus an IP address to associate with it. Don't forget to "no shutdown" the interface.
3) To perform L3 routing functions, you need to set the L3 switch to be able to perform the routing. To achieve this, use the global command "ip routing"; this will enable the switch to route between your VLANs.
4) Define any appropriate dynamic routing protocols. This is typically required if you are configuring a larger enterprise network that may be subject to change. You can deploy RIP, EIGRP, or OSPF, whichever you feel is appropriate.
5) Finally, with the information above gathered, consider whether you require any given SVI to be excluded from contributing to the SVI state up/down calculation. Do this using the 'Autostate' feature.

QUESTION 342
Drag the port states on the left to their correct description on the right.

Select and Place:

Correct Answer:

Section: Drag&Drop
Explanation

Explanation/Reference:
After the bridges have determined which ports are Root Ports, Designated Ports, and non-Designated Ports, STP is ready to create a loop-free topology. To do this, STP configures Root Ports and Designated Ports to forward traffic. STP sets non-Designated Ports to block traffic. Although Forwarding and Blocking are the only two states commonly seen in a stable network, there are actually five STP states. This list can be viewed hierarchically in that bridge ports start at the Blocking state and work their way up to the Forwarding state. The Disabled state is the administratively shutdown STP state. It is not part of the normal STP port processing. After the switch is initialized, ports start in the Blocking state. The Blocking state is the STP state in which a bridge listens for BPDUs.

A port in the Blocking state does the following:

1. Discards frames received from the attached segment or internally forwarded through switching
2. Receives BPDUs and directs them to the system module
3. Has no address database
4. Does not transmit BPDUs received from the system module
5. Receives and responds to network management messages but does not transmit them

If a bridge thinks it is the Root Bridge immediately after booting or in the absence of BPDUs for a certain period of time, the port transitions into the Listening state. The Listening state is the STP state in which no user data is being passed, but the port is sending and receiving BPDUs in an effort to determine the active topology.

A port in the Listening state does the following:

1. Discards frames received from the attached segment or frames switched from another port
2. Has no address database
3. Receives BPDUs and directs them to the system module
4. Processes BPDUs received from the system module (Processing BPDUs is a separate action from receiving or transmitting BPDUs)
5. Receives and responds to network management messages

It is during the Listening state that the three initial convergence steps take place - elect a Root Bridge, elect Root Ports, and elect Designated Ports. Ports that lose the Designated Port election become non-Designated Ports and drop back to the Blocking state. Ports that remain Designated Ports or Root Ports after 15 seconds - the default Forward Delay STP timer value - progress into the Learning state. The lifetime of the Learning state is also governed by the Forward Delay timer of 15 seconds, the default setting. The Learning state is the STP state in which the bridge is not passing user data frames but is building the bridging table and gathering information, such as the source VLANs of data frames. As the bridge receives a frame, it places the source MAC address and port into the bridging table. The Learning state reduces the amount of flooding required when data forwarding begins.

A port in the Learning state does the following:

1. Discards frames received from the attached segment
2. Discards frames switched from another port for forwarding
3. Incorporates station location into its address database
4. Receives BPDUs and directs them to the system module
5. Receives, processes, and transmits BPDUs received from the system module
6. Receives and responds to network management messages

If a port is still a Designated Port or Root Port after the Forward Delay timer expires for the Learning state, the port transitions into the Forwarding state. The Forwarding state is the STP state in which data traffic is both sent and received on a port. It is the "last" STP state. At this stage, it finally starts forwarding user data frames.

A port in the Forwarding state does the following:

1. Forwards frames received from the attached segment
2. Forwards frames switched from another port for forwarding
3. Incorporates station location information into its address database
4. Receives BPDUs and directs them to the system module
5. Processes BPDUs received from the system module
6. Receives and responds to network management messages

QUESTION 343
Match the HSRP states on the left with the correct definition on the right.

Select and Place:

Correct Answer:

Section: Drag&Drop
Explanation

Explanation/Reference:
HSRP defines six states in which an HSRP-enabled router can exist:
1. Initial - This is the state from which the routers begin the HSRP process. This state indicates that HSRP is not running. It is entered via a configuration change or when an interface first comes up.
2. Learn - The router has not determined the virtual IP address, and has not yet seen an authenticated hello message from the active router. In this state the router is still waiting to hear from the active router.
3. Listen - The router knows the virtual IP address, but is neither the active router nor the standby router. It listens for hello messages from those routers. Routers other than the active and standby router remain in the listen state.
4. Speak - The router sends periodic hello messages and is actively participating in the election of the active or standby router. A router cannot enter Speak state unless it has the virtual IP address.
5. Standby - The router is a candidate to become the next active router and sends periodic hello messages. Excluding transient conditions, there must be at most one router in the group in Standby state.
6. Active - The router is currently forwarding packets that are sent to the group virtual MAC address. The router sends periodic hello messages. Excluding transient conditions, there must be at most one router in Active state in the HSRP group.

QUESTION 344

Select and Place:

Correct Answer:

Section: Drag&Drop
Explanation

Explanation/Reference:
http://www.ciscopress.com/articles/article.asp?p=426638&seqNum=3

QUESTION 345

Select and Place:

Correct Answer:

Section: Drag&Drop
Explanation

Explanation/Reference:

QUESTION 346

Select and Place:

Correct Answer:

Section: Drag&Drop
Explanation

Explanation/Reference:

QUESTION 347
DSW2 has not become the active device for Vlan103's HSRP group even though all interfaces are active. As related to Vlan103's HSRP group, what can be done to make the group function properly?

Interface VLAN 103 exhibit:

A. On DS1, disable preempt
B. On DS1, decrease the priority value to a value less than 190 and greater than 150
C. On DS2, increase the priority value to a value greater than 241 and less than 249
D. On DS2, increase the decrement value in the track command to a value greater than 10 and less than 50.

Correct Answer: C
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:

QUESTION 348
Refer to the exhibit. Why are users from VLAN 100 unable to ping users on VLAN 200?

A. Encapsulation on the switch is wrong.
B. Trunking needs to be enabled on Fa0/1.
C. The native VLAN is wrong.
D. VLAN 1 needs the no shutdown command.
E. IP routing needs to be enabled on the switch.

Correct Answer: B
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
When a switch supports multiple VLANs but has no Layer 3 capability to route packets between those VLANs, the switch must be connected to a router external to the switch. This setup is most efficiently accomplished by providing a single trunk link between the switch and the router that can carry the traffic of multiple VLANs, which can in turn be routed by the router. A trunk is therefore required between the router and the switch, so trunking needs to be enabled on Fa0/1.

Exam B

QUESTION 1
You have been tasked with planning a VLAN solution that will connect a server in one building to several hosts in another building. The solution should be built using the local VLAN model and layer 3 switching at the distribution layer. Identify the questions related to this VLAN solution that you would ask the network administrator before you start the planning by dragging them into the target zone on the right. Not all questions will be used.

Select and Place:

Correct Answer:

Section: Drag&Drop
Explanation

Explanation/Reference:
In a local VLAN solution, the common VTP mode is transparent.

CREATE A VLAN BASED IMPLEMENTATION PLAN

Foundation Learning Guide Chapter 2 pg. 58-59
Subnets and associated VLANs
VLAN Number
VLAN Name
VLAN Purpose
VLAN to IP Address Scheme
Physical location of VLANs (determine which switch has which VLANs)
Assignment method (dot1x etc.)
Placement of trunks, native VLAN for trunks, and allowed VLANs on trunks
VTP configuration

Quick Reference Guide Chapter 2 pg. 14
VLAN numbering, naming, and IP addressing scheme
VLAN placement (local or multiple switches)
Trunk requirements
VTP parameters
Test and verification plan

From Foundation Learning Guide
The following steps outline the considerations you need to make with regard to using an SVI:
1) On your L3 switch, identify the VLANs that require a default gateway.
2) For any SVIs not already present on your L3 switch, you will need to create them. As such, you will need to decide on suitable numbering for the SVI (it should be the VLAN ID number) plus an IP address to associate with it. Don't forget to "no shutdown" the interface.
3) To perform L3 routing functions, you need to set the L3 switch to be able to perform the routing. To achieve this, use the global command "ip routing"; this will enable the switch to route between your VLANs.
4) Define any appropriate dynamic routing protocols. This is typically required if you are configuring a larger enterprise network that may be subject to change. You can deploy RIP, EIGRP, or OSPF, whichever you feel is appropriate.
5) Finally, with the information above gathered, consider whether you require any given SVI to be excluded from contributing to the SVI state up/down calculation. Do this using the 'Autostate' feature.

QUESTION 2
Place the DTP mode with its correct description.

Select and Place:

Correct Answer:

Section: Drag&Drop
Explanation

Explanation/Reference:
1. trunk: This setting places the port in permanent trunking mode. The corresponding switch port at the other end of the trunk should be similarly configured because negotiation is not allowed. You should also manually configure the encapsulation mode.
2. dynamic desirable: The port actively attempts to convert the link into trunking mode. If the far-end switch port is configured to trunk, dynamic desirable, or dynamic auto mode, trunking is successfully negotiated.
3. dynamic auto: The port converts the link into trunking mode. If the far-end switch port is configured to trunk or dynamic desirable, trunking is negotiated. Because of the passive negotiation behavior, the link never becomes a trunk if both ends of the link are left to the dynamic auto default.
4. Negotiate: The encapsulation is negotiated to select either ISL or IEEE 802.1Q, whichever is supported by both ends of the trunk. If both ends support both types, ISL is favored.
5. Access: Puts the interface into access mode, which means the interface is in non-trunking mode.
6. Nonegotiate: Forces the port to permanently trunk but not send DTP frames. For use when the DTP frames confuse the neighboring (non-Cisco) 802.1q switch. You must manually set the neighboring switch to trunking.

QUESTION 3
Categorize the high availability network resource or feature with the management level, network level, or system level used.

Select and Place:

Correct Answer:

Section: Drag&Drop
Explanation

Explanation/Reference:

QUESTION 4
During routine maintenance, it became necessary to shut down G1/0/1 on DSW1. All other interfaces were up. During this time, DSW1 remained the active device for Vlan 102's HSRP group. You have determined that there is an issue with the decrement value in the track command in Vlan 102's HSRP group. What needs to be done to make the group function properly?

Interface VLAN 102 exhibit:

A. The DS1's decrement value should be configured with a value from 5 to 15
B. The DS1's decrement value should be configured with a value from 9 to 15
C. The DS1's decrement value should be configured with a value from 11 to 18
D. The DS1's decrement value should be configured with a value from 195 to less than 205
E. The DS1's decrement value should be configured with a value from 200 to less than 205
F. The DS1's decrement value should be greater than 190 and less than 200

Correct Answer: C
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Answer: C

Explanation:

Use the "show run" command to display the configuration. The left Vlan102 is console1 of DS1. The priority value is 200, so we should set the decrement value in the track command to a value from 11 to 18, because 200 - 11 = 189 < 190 (priority of Vlan102 on DS2).

QUESTION 5
During routine maintenance, G1/0/1 on DSW1 was shut down. All other interfaces were up. DSW2 became the active HSRP device for Vlan101 as desired. However, after G1/0/1 on DSW1 was reactivated, DSW1 did not become the active HSRP device as desired. What needs to be done to make the group for Vlan101 function properly?

Interface VLAN 101 exhibit:

A. Enable preempt on DS1's Vlan101 HSRP group
B. Disable preempt on DS1's Vlan101 HSRP group
C. Decrease DS1's priority value for Vlan101 HSRP group to a value that is less than priority value configured on DS2's HSRP group for Vlan101
D. Decrease the decrement in the track command for DS1's Vlan 101 HSRP group to a value less than the value in the track command for DS2's Vlan 101 HSRP group.

Correct Answer: A
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Answer: A

Explanation:

A is correct. All other answers are incorrect, because preempt is disabled for Vlan101 on DS1 (left). We need to enable preempt so that, after DS1 is reactivated, it becomes the active device. Without this command, it never becomes the active device.

QUESTION 6
DSW2 has not become the active device for Vlan103's HSRP group even though all interfaces are active. As related to Vlan103's HSRP group, what can be done to make the group function properly?

Interface VLAN 103 exhibit:

A. On DS1, disable preempt
B. On DS1, decrease the priority value to a value less than 190 and greater than 150
C. On DS2, increase the priority value to a value greater than 241 and less than 249
D. On DS2, increase the decrement value in the track command to a value greater than 10 and less than 50.

Correct Answer: C
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:

QUESTION 7
If G1/0/1 on DSW1 is shut down, what will be the current priority value of Vlan105's group on DSW1?

Interface VLAN 105 exhibit:

A. 95
B. 100
C. 150
D. 200

Correct Answer: A
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Answer: A

Explanation:

The configured priority is 150 and the track decrement is 55. So, if interface G1/0/1 is shut down: 150 - 55 = 95.

QUESTION 8
What is the configured priority value of Vlan105's group on DSW2?

Interface VLAN 105 exhibit:

A. 50
B. 100
C. 150
D. 200

Correct Answer: B
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Answer: B

Explanation:

Use the "show standby brief" command on console2. It shows that the priority of Vlan105 is 100.

QUESTION 9
During routine maintenance, it became necessary to shut down G1/0/1 on DSW1 and DSW2. All other interfaces were up. During this time, DSW1 became the active device for Vlan104's HSRP group. As related to Vlan104's HSRP group, what can be done to make the group function properly?

Interface VLAN 104 exhibit:

A. On DS1, disable preempt
B. On DS2, decrease the priority value to a value less than 150
C. On DS1, increase the decrement value in the track command to a value greater than 6
D. On DS1, disable track command.

Correct Answer: C
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Answer: C

Explanation:

We should NOT disable preempt on DS1. Doing so would make Vlan104's HSRP group fail to function. For example, if we disable preempt on DS1, it cannot become the active device when G1/0/1 on DS2 fails. In this question, G0/1/0 on DS1 and DS2 is shut down. Vlan104 (left): 150 - 1 = 149. Vlan104 (right): 200 - 155 = 145. The result is priority 149 > 145 (Vlan104 on DS1 is active). If we increase the decrement in the track value to a value greater than 6 (> or = 6): Vlan104 (left): 150 - 6 = 144. The result is priority 144 < 145 (Vlan104 on DS2 is active).

QUESTION 10
Refer to the exhibit. On the basis of the output generated by the show commands, which two statements are true? (Choose two)

A. Interface gigabitethernet 0/1 has been configured as a Layer 3 port.
B. Interface gigabitethernet 0/1 does not appear in the show vlan output because switchport is enabled.
C. Interface gigabitethernet 0/1 does not appear in the show vlan output because it is configured as a trunk interface.
D. VLAN2 has been configured as the native VLAN for the 802.1q trunk on interface gigabitethernet 0/1.
E. Traffic on VLAN 1 that is sent out gigabitethernet 0/1 will have an 802.1q header applied.
F. Traffic on VLAN 2 that is sent out gigabitethernet 0/1 will have an 802.1q header applied.

Correct Answer: CF
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:

QUESTION 11
How does VTP pruning enhance network bandwidth?

A. by restricting unicast traffic across VTP domains
B. by reducing unnecessary flooding of traffic to inactive VLANs
C. by limiting the spreading of VLAN information
D. by disabling periodic VTP updates

Correct Answer: B
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:

QUESTION 12
Which two statements are true about best practices in VLAN design? (Choose two.) *

A. Routing should occur at the access layer if voice VLANs are utilized. Otherwise, routing should occur at the distribution layer.
B. Routing may be performed at all layers but is most commonly done at the core and distribution layers.
C. Routing should not be performed between VLANs located on separate switches.
D. VLANs should be local to a switch.
E. VLANs should be localized to a single switch unless voice VLANs are being utilized.

Correct Answer: BD
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
In the distribution layer, uplinks from all access layer devices are aggregated, or come together. The distribution layer switches must be capable of processing the total volume of traffic from all the connected devices. These switches should have a port density of high-speed links to support the collection of access layer switches. VLANs and broadcast domains converge at the distribution layer, requiring routing, filtering, and security. The switches at this layer must be capable of performing multilayer switching with high throughput. Only certain Catalyst switch models can provide multilayer switching; be sure to understand which ones can do this.

A switched environment offers the technology to overcome flat network limitations. Switched networks can be subdivided into VLANs. By definition, a VLAN is a single broadcast domain. All devices connected to the VLAN receive broadcasts from other VLAN members. However, devices connected to a different VLAN will not receive those same broadcasts. (Naturally, VLAN members also receive unicast packets directed toward them from other VLAN members.)

A VLAN consists of defined members communicating as a logical network segment. In contrast, a physical segment consists of devices that must be connected to a physical cable segment. A VLAN can have connected members located anywhere in the campus network, as long as VLAN connectivity is provided between all members. Layer 2 switches are configured with a VLAN mapping and provide the logical connectivity between the VLAN members.

QUESTION 13
Which optional feature of an Ethernet switch disables a port on a point-to-point link if the port does not receive traffic while Layer 1 status is up?

A. BackboneFast
B. UpLinkFast
C. Loop Guard
D. UDLD aggressive mode
E. Fast Link Pulse bursts
F. Link Control Word

Correct Answer: D
Section: UDLD
Explanation

Explanation/Reference:

QUESTION 14
Which two characteristics apply to Cisco Catalyst 6500 Series Switch supervisor redundancy using NSF? (Choose two.) *

A. supported by RIPv2, OSPF, IS-IS, and EIGRP
B. dependent on FIB tables
C. supports IPv4 and IPv6 multicast
D. prevents route flapping
E. independent of SSO
F. NSF combined with SSO enables supervisor engine load balancing

Correct Answer: BD
Section: RPR, RPR+, SSO, NSF
Explanation

Explanation/Reference:
Explanation:
The purpose of NSF is to enable the Layer 3 switch to continue forwarding packets from an NSF-capable neighboring router when the primary route processor (RP) is failing and the backup RP is taking over. It therefore prevents route flapping, and it depends on the FIB (Forwarding Information Base) table.

QUESTION 15
Refer to the exhibit. All network links are FastEthernet. Although there is complete connectivity throughout the network, Front Line users have been complaining that they experience slower network performance when accessing the server farm than the Reception office experiences. Based on the exhibit, which two statements are true? (Choose two.)

A. Changing the bridge priority of S1 to 4096 would improve network performance.
B. Changing the bridge priority of S1 to 36864 would improve network performance.
C. Changing the bridge priority of S2 to 36864 would improve network performance.
D. Changing the bridge priority of S3 to 4096 would improve network performance.
E. Disabling the Spanning Tree Protocol would improve network performance.
F. Upgrading the link between S2 and S3 to Gigabit Ethernet would improve performance.

Correct Answer: BD
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 16
What two things will occur when an edge port receives a BPDU? (Choose two.)

A. The port immediately transitions to the Forwarding state.
B. The switch generates a Topology Change Notification (TCN) BPDU.
C. The port immediately transitions to the err-disable state.
D. The port becomes a normal STP switch port.

Correct Answer: BD
Section: SpanningTree
Explanation

Explanation/Reference:
An edge port that receives a BPDU immediately loses edge port status and thus becomes a normal port in the spanning-tree topology, going through the Discarding -> Learning -> Forwarding stages.

A TCN is sent only once the topology has converged, which means the port must be in the forwarding state for a TCN to be sent.

QUESTION 17
What does the command "udld reset" accomplish?

A. allows a UDLD port to automatically reset when it has been shut down
B. resets all UDLD enabled ports that have been shut down
C. removes all UDLD configurations from interfaces that were globally enabled
D. removes all UDLD configurations from interfaces that were enabled per-port

Correct Answer: B
Section: UDLD
Explanation

Explanation/Reference:

QUESTION 18
Which two statements are true about the configuration of voice VLANs? (Choose two.)

A. Static secure MAC addresses can be configured in conjunction with voice VLANs.
B. PortFast is automatically enabled when voice VLANs are configured.
C. PortFast must be manually configured when voice VLANs are configured.
D. Voice VLANs are typically configured on uplink ports.
E. Voice VLANs are typically configured on access ports.

Correct Answer: BE
Section: VoIP
Explanation

Explanation/Reference:

QUESTION 19
Refer to the exhibit. Which statement is true?

A. IP traffic matching access list ABC is forwarded through VLANs 5-10.
B. IP traffic matching VLAN list 5-10 will be forwarded, and all other traffic will be dropped.
C. All VLAN traffic matching VLAN list 5-10 will be forwarded, and all traffic matching access list ABC is dropped.
D. All VLAN traffic in VLANs 5-10 that match access list ABC will be forwarded, and all else will be dropped.

Correct Answer: D
Section: Security
Explanation

Explanation/Reference:

QUESTION 20
Which statement is correct about 802.1Q trunking?

A. Both switches must be in the same VTP domain.
B. The encapsulation type of both ends of the trunk does not have to match.
C. The native VLAN on both ends of the trunk must be VLAN 1.
D. 802.1Q trunking can only be configured on a Layer 2 port.
E. In 802.1Q trunking, all VLAN packets are tagged on the trunk link, except the native VLAN.

Correct Answer: E
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
E is correct because, "frames from the native VLAN of an 802.1Q trunk are not tagged with the VLAN number."
Incorrect Answers:
A: This is true for VTP information to be propagated, but it is not necessary for two switches to be trunked together.
B: This is incorrect because the encapsulation types do have to match or it won't work properly. You can't use 802.1Q on one side and ISL on the other.
C: This is incorrect because the native VLAN doesn't necessarily have to be VLAN 1. By default, the native VLAN is VLAN 1 but this can be effectively changed to a different VLAN and the trunk will still be functional.
D: Trunks can be established with router interfaces using sub-interfaces, which are layer 3.
Reference: http://www.cisco.com/warp/public/473/27.html

QUESTION 21
The network operations center has received a call stating that users in VLAN 107 are unable to access resources through Router 1. From the information contained in the graphic, what is the cause of this problem?

A. VLAN 107 does not exist on switch A.
B. VTP is pruning VLAN 107.
C. VLAN 107 is not configured on the trunk.
D. Spanning tree is not enabled on VLAN 107.

Correct Answer: B
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
In this example, VLAN 7, 101, 106, and 107 are being pruned. VLAN 107 is being pruned incorrectly in this case. By disabling VTP pruning, VLAN 107 should be able to once again gain access to the network resources.
Incorrect Answers:
A, B: Based on the output shown above, VLAN 107 is known and active within the management domain. Therefore, it must have been configured and the VLAN is indeed allowed to traverse the trunk. Only VLAN 101 has been configured to not pass along this trunk.
D: By default, STP is enabled on all VLANs.

QUESTION 22
What is a characteristic of multi-VLAN access ports?

A. The port has to support STP PortFast.
B. The auxiliary VLAN is for data service and is identified by the PVID.
C. The port hardware is set as an 802.1Q trunk.
D. Both the voice service and data service use the same trust boundary.

Correct Answer: C
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Multiservice switches support a new parameter for IP Telephony support that makes the access port a multi-VLAN access port. The new parameter is called an auxiliary VLAN. Every Ethernet 10/100/1000 port in the switch is associated with two VLANs:

- A Native VLAN for data service that is identified by the port VLAN identifier or PVID
- An Auxiliary VLAN for voice service that is identified by the voice VLAN identifier or VVID.
- During the initial CDP exchange with the access switch, the IP phone is configured with a VVID.
- The IP phone is also supplied with a QoS configuration using Cisco Discovery Protocol.
- Voice traffic is separated from data, and supports a different trust boundary.

The multi-VLAN access ports are not trunk ports, even though the hardware is set to dot1q trunk. The hardware setting is used to carry more than two VLANs, but the port is still considered an access port that is able to carry one native VLAN and the Auxiliary VLAN. The ‘switchport host’ command can be applied to a multi-VLAN access port on the access switch.

QUESTION 23
Which protocol allows for the automatic selection and simultaneous use of multiple available gateways as well as automatic failover between those gateways?

A. VRRP
B. GLBP
C. IRDP
D. HSRP

Correct Answer: B
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
To provide a virtual router, multiple switches (routers) are assigned to a common GLBP group. Rather than having just one active router performing forwarding for the virtual router address, all routers in the group can participate and offer load balancing by forwarding a portion of the overall traffic. The advantage is that none of the clients have to be pointed toward a specific gateway address; they can all have the same default gateway set to the virtual router IP address. The load balancing is provided completely through the use of virtual router MAC addresses in ARP replies returned to the clients. As a client sends an ARP request looking for the virtual router address, GLBP sends back an ARP reply with the virtual MAC address of a selected router in the group. The result is that all clients use the same gateway address but have differing MAC addresses for it.

QUESTION 24
What is the effect of applying the "switchport trunk encapsulation dot1q" command to a port on a Cisco Catalyst switch?

A. By default, native VLAN packets going out this port will be tagged.
B. Without an encapsulation command, 802.1Q will be the default encapsulation if DTP fails to negotiate a trunking protocol.
C. The interface will support the reception of tagged and untagged traffic.
D. If the device connected to this port is not 802.1Q-enabled, it will not be able to handle 802.1Q packets.

Correct Answer: C
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:

QUESTION 25
Which statement correctly describes the Cisco implementation of RSTP? *

A. PortFast, UplinkFast, and BackboneFast specific configurations are ignored in Rapid PVST mode.
B. RSTP is enabled globally and uses existing STP configuration.
C. Root and alternative ports transition immediately to the forwarding state.
D. Convergence is improved by using sub-second timers for the blocking, listening, learning, and forwarding port states.

Correct Answer: B
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 26
Which statement correctly describes enabling BPDU guard on an access port that is also enabled for PortFast? *

A. Upon startup, the port transmits 10 BPDUs. If the port receives a BPDU, PortFast and BPDU guard are disabled on that port and it assumes normal STP operation.
B. The access port ignores any received BPDU.
C. If the port receives a BPDU, it is placed into the error-disable state.
D. BPDU guard is only configured globally and the BPDU filter is required for port-level configuration.

Correct Answer: C
Section: SpanningTree
Explanation

Explanation/Reference:
The PortFast BPDU guard feature prevents loops by moving a nontrunking (access) port into an errdisable state when a BPDU is received on that port.

QUESTION 27
Which two statements correctly describe characteristics of the PortFast feature? (Choose two.) *

A. STP will be disabled on the port.
B. PortFast can also be configured on trunk ports.
C. PortFast is required to enable port-based BPDU guard.
D. PortFast is used for both STP and RSTP host ports.
E. PortFast is used for STP-only host ports.

Correct Answer: BD
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 28
You have just created a new VLAN on your network. What is one step that you should include in your VLAN-based implementation and verification plan?

A. Verify that different native VLANs exist between two switches for security purposes.
B. Verify that the VLAN was added on all switches with the use of the show vlan command.
C. Verify that the switch is configured to allow for trunking on the switch ports.
D. Verify that each switch port has the correct IP address space assigned to it for the new VLAN.

Correct Answer: B
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:

QUESTION 29
When you create a network implementation VLAN solution, what is one procedure that you should include in your plan? *

A. Perform an incremental implementation of components.
B. Following the PPDIOO model, implement the entire solution and then test end-to-end to make sure that it is performing as designed.
C. Implement trunking of all VLANs to ensure that traffic is crossing the network as needed before performing any pruning of VLANs.
D. Test the solution on a segmented portion of a lab network prior to rolling out across the entire network.

Correct Answer: A
Section: Common
Explanation

Explanation/Reference:

QUESTION 30
What is the result of entering the command spanning-tree loopguard default?

A. The command enables both loop guard and root guard.
B. The command changes the status of loop guard from the default of disabled to enabled.
C. The command activates loop guard on point-to-multipoint links in the switched network.
D. The command will disable EtherChannel guard.

Correct Answer: B
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 31
What is the result of entering the command "port-channel load-balance src-dst-ip" on an EtherChannel link?

A. Packets are distributed across the ports in the channel based on both the source and destination MAC addresses.
B. Packets are distributed across the ports in the channel based on both the source and destination IP addresses.
C. Packets are balanced across the ports in the channel based first on the source MAC address, then on the destination MAC address, then on the IP address.
D. Packets are distributed across the access ports in the channel based first on the source IP address and then the destination IP addresses.

Correct Answer: B
Section: Etherchannel
Explanation

Explanation/Reference:

QUESTION 32
Refer to the exhibit. You have configured an interface to be an SVI for Layer 3 routing capabilities. Assuming that all VLANs have been correctly configured and based on the configuration example shown, what can be determined?

A. Interface gigabitethernet0/2 will be excluded from Layer 2 switching and enabled for Layer 3 routing.
B. The command switchport autostate exclude should be entered in global configuration mode, not sub-interface mode, to enable a Layer 2 port to be configured for Layer 3 routing.
C. The configured port is excluded in the calculation of the status of the SVI.
D. The interface is missing IP configuration parameters; therefore, it will only function at Layer 2.

Correct Answer: C
Section: Layer 3, ip routing
Explanation

Explanation/Reference:

QUESTION 33
What is true of standard access control lists when applied to an interface to control inbound or outbound traffic?

A. The best match of the ACL entries will be used for granularity of control.
B. They use source IP information for matching operations.
C. They use source and destination IP information for matching operations.
D. They use source IP information along with protocol-type information for finer granularity of control.

Correct Answer: B
Section: Security
Explanation

Explanation/Reference:

QUESTION 34
What are three results of issuing the "switchport host" command? (Choose three.) *

A. disables EtherChannel
B. enables port security
C. disables Cisco Discovery Protocol
D. enables PortFast
E. disables trunking
F. enables loopguard

Correct Answer: ADE
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:

QUESTION 35
You are implementing basic switch security best practices. Which of these is a tactic that you can use to mitigate compromises from being launched through the switch?

A. Make all ports private VLAN ports.
B. Place all unused ports in native VLAN 1 until needed.
C. Proactively configure unused switch ports as access ports.
D. Disable Cisco Discovery Protocol globally.

Correct Answer: C
Section: Security
Explanation

Explanation/Reference:

QUESTION 36
Three Cisco Catalyst switches have been configured with a first-hop redundancy protocol. While reviewing some show commands, debug output, and the syslog, you discover the following information:

Jan 9 08:00:42.623: %STANDBY-6-STATECHANGE: Standby: 49:Vlan149 state Standby -> Active
Jan 9 08:00:56.011: %STANDBY-6-STATECHANGE: Standby: 49:Vlan149 state Active -> Speak
Jan 9 08:01:03.011: %STANDBY-6-STATECHANGE: Standby: 49:Vlan149 state Speak -> Standby
Jan 9 08:01:29.427: %STANDBY-6-STATECHANGE: Standby: 49:Vlan149 state Standby -> Active
Jan 9 08:01:36.808: %STANDBY-6-STATECHANGE: Standby: 49:Vlan149 state Active -> Speak
Jan 9 08:01:43.808: %STANDBY-6-STATECHANGE: Standby: 49:Vlan149 state Speak -> Standby

What conclusion can you infer from this information?

A. VRRP is initializing and operating correctly.
B. HSRP is initializing and operating correctly.
C. GLBP is initializing and operating correctly.
D. VRRP is not properly exchanging three hello messages.
E. HSRP is not properly exchanging three hello messages.
F. GLBP is not properly exchanging three hello messages.

Correct Answer: E
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
Devices that are running HSRP send and receive multicast UDP-based hello messages to detect router failure and to designate active and standby routers. Active, Standby, Speak, Listen, and Init (or Disabled) are among the HSRP states.

Each HSRP router maintains three timers that are used for timing hello messages: an active timer, a standby timer, and a hello timer. When a timer expires, the router changes to a new HSRP state. The error shown in the exhibit is due to a configuration mismatch, so the routers are not properly exchanging the HSRP hello messages needed to select the active and standby routers.

QUESTION 37
What is needed to verify that a newly implemented security solution is performing as expected?

A. a detailed physical and logical topology
B. a cost analysis of the implemented solution
C. detailed logs from the AAA and SNMP servers
D. results from audit testing of the implemented solution

Correct Answer: D
Section: Common
Explanation

Explanation/Reference:

QUESTION 38
Which two items best describe a Cisco IOS IP SLA responder? (Choose two.)

A. required at the destination to implement Cisco IOS IP SLA services
B. improves measurement accuracy
C. required for VoIP jitter measurements
D. provides security on Cisco IOS IP SLA messages via LEAP or EAP-FAST authentication
E. responds to one Cisco IOS IP SLA operation per port
F. stores the resulting test statistics

Correct Answer: BC
Section: VoIP
Explanation

Explanation/Reference:

QUESTION 39
Which two statements best describe Cisco IOS IP SLA? (Choose two.) *

A. only implemented between Cisco source and destination-capable devices
B. statistics provided by syslog, CLI, and SNMP
C. measures delay, jitter, packet loss, and voice quality
D. only monitors VoIP traffic flows
E. provides active monitoring
F. provides passive monitoring

Correct Answer: CE
Section: VoIP
Explanation

Explanation/Reference:

QUESTION 40
When planning high availability, which two components are important to minimize the effect of outages? (Choose two.)

A. work staff attributes, such as skills and communication
B. redundancy, to prevent single points of failure
C. processes, such as documentation, change control, and labs
D. appropriate technology, such as hardware and software
E. tools, such as those for monitoring and reporting

Correct Answer: BD
Section: Common
Explanation

Explanation/Reference:

QUESTION 41
A network is deployed using best practices of the enterprise campus network model, including users with desktop computers connected via IP phones. Given that all components are QoS-capable, where are the two optimal locations for trust boundaries to be configured by the network administrator? (Choose two.) *

A. host
B. IP phone
C. access layer switch
D. distribution layer switch
E. core layer switch

Correct Answer: BC
Section: VoIP
Explanation

Explanation/Reference:
verified to be on test 9/30/2011

QUESTION 42
A standalone wireless AP solution is being installed into the campus infrastructure. The access points appear to boot correctly, however, wireless clients are not obtaining correct access. You verify that the local switch configuration connected to the access point appears as the following:

interface ethernet 0/1
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 mls qos trust dscp

What is the most likely issue causing the problem? *

A. QoS trust should not be configured on a port attached to a standalone AP.
B. QoS trust for switchport mode access should be defined as "cos".
C. switchport mode should be defined as "trunk" with respective QoS.
D. switchport access vlan should be defined as "1".

Correct Answer: C
Section: Wireless
Explanation

Explanation/Reference:

QUESTION 43
Refer to the exhibit. What problem is preventing users on VLAN 100 from pinging addresses on VLAN 200?

A. No default route on DLS1.
B. Encapsulation mismatch between switches.
C. Native VLAN mismatch.
D. Subinterfaces should be created on Fa0/7 and Fa0/8 on DLS1.
E. Trunking needs to be enabled.
F. The ip routing command is missing on DLS1.

Correct Answer: F
Section: Layer 3, ip routing
Explanation

Explanation/Reference:

QUESTION 44
Refer to the exhibit. Why are users from VLAN 100 unable to ping users on VLAN 200?

A. Encapsulation on the switch is wrong.
B. Trunking needs to be enabled on Fa0/1.
C. The native VLAN is wrong.
D. VLAN 1 needs the no shutdown command.
E. IP routing needs to be enabled on the switch.

Correct Answer: B
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
When a switch supports multiple VLANs but has no Layer 3 capability to route packets between those VLANs, the switch must be connected to a router external to the switch. This setup is most efficiently accomplished by providing a single trunk link between the switch and the router that can carry the traffic of multiple VLANs, which can in turn be routed by the router. That requires a trunk between the router and the switch, so trunking needs to be enabled on Fa0/1.

QUESTION 45
Which three statements are true about routed ports on a multilayer switch? (Choose three)

A. A routed port can support VLAN subinterfaces.
B. A routed port will take an IP address assignment.
C. A routed port can be configured with routing protocols.
D. A routed port is a virtual interface on the multilayer switch.
E. A routed port is only associated with one VLAN.
F. A routed port is a physical interface on the multilayer switch.

Correct Answer: BCF
Section: Layer 3, ip routing
Explanation

Explanation/Reference:
Explanation:
The router must have a separate logical connection (subinterface) for each VLAN that is running between the switch and the router, and ISL or 802.1Q trunking must be enabled on the single physical connection between the router and switch.

QUESTION 46
Which statement is true about voice VLANs? *

A. The voice VLAN feature is enabled by default.
B. When the voice VLAN feature is enabled, all untagged voice and data traffic is sent through the voice VLAN.
C. The default CoS value is 1 for incoming voice and data traffic.
D. The IP phone overrides the priority of all incoming data traffic (tagged and untagged) and sets the CoS value to 0.

Correct Answer: D
Section: VoIP
Explanation

Explanation/Reference:
Explanation:
By default, a switch instructs an attached IP Phone to consider the PC port as untrusted. The phone will overwrite the CoS values to 0.

You can change the default CoS value using the following command.

Switch(config-if)# switchport priority extend {cos value | trust}

QUESTION 47
What two steps can be taken to help prevent VLAN hopping? (Choose two.)

A. Place unused ports in a common unrouted VLAN
B. Enable BPDU guard
C. Implement port security
D. Prevent automatic trunk configuration
E. Disable CDP on ports where it is not necessary

Correct Answer: AD
Section: Security
Explanation

Explanation/Reference:
Explanation:
To prevent VLAN hopping you should disable unused ports and put them in an unused VLAN, or a separate unrouted VLAN. By not granting connectivity or by placing a device into a VLAN not in use, unauthorized access can be thwarted through fundamental physical and logical barriers.

Another method used to prevent VLAN hopping is to prevent automatic trunk configuration. Hackers used 802.1Q and ISL tagging attacks, which are malicious schemes that allow a user on a VLAN to get unauthorized access to another VLAN. For example, if a switch port were configured as DTP auto and were to receive a fake DTP packet, it might become a trunk port and it might start accepting traffic destined for any VLAN. Therefore, a malicious user could start communicating with other VLANs through that compromised port.
Reference: VLAN Security White Paper, Cisco Systems http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

QUESTION 48
Why is BPDU guard an effective way to prevent an unauthorized rogue switch from altering the spanning-tree topology of a network?

A. BPDU guard can guarantee proper selection of the root bridge.
B. BPDU guard can be utilized along with PortFast to shut down ports when a switch is connected to the port.
C. BPDU guard can be utilized to prevent the switch from transmitting BPDUs and incorrectly altering the root bridge election.
D. BPDU guard can be used to prevent invalid BPDUs from propagating throughout the network.

Correct Answer: B
Section: SpanningTree
Explanation

Explanation/Reference:
Explanation:
As long as a port participates in STP, some device can assume the root bridge function and affect active STP topology. To assume the root bridge function, the device would be attached to the port and would run STP with a lower bridge priority than that of the current root bridge. If another device assumes the root bridge function in this way, it renders the network suboptimal. This is a simple form of a denial of service (DoS) attack on the network. The temporary introduction and subsequent removal of STP devices with low (0) bridge priority cause a permanent STP recalculation. The STP PortFast BPDU guard enhancement allows network designers to enforce the STP domain borders and keep the active topology predictable. The devices behind the ports that have STP PortFast enabled are not able to influence the STP topology. At the reception of BPDUs, the BPDU guard operation disables the port that has PortFast configured. The BPDU guard transitions the port into errdisable state, and a message appears on the console.
Reference: Spanning Tree PortFast BPDU Guard Enhancement
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml

QUESTION 49
What are two methods of mitigating MAC address flooding attacks? (Choose two.)

A. Place unused ports in a common VLAN.
B. Implement private VLANs.
C. Implement DHCP snooping.
D. Implement port security.
E. Implement VLAN access maps.

Correct Answer: DE
Section: Security
Explanation

Explanation/Reference:

QUESTION 50
Refer to the exhibit. Which two problems are the most likely cause of the exhibited output? (Choose two.)

A. Transport layer issues
B. VRRP misconfiguration
C. HSRP misconfiguration
D. Physical layer issues
E. Spanning tree issues

Correct Answer: CD
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
Each router in an HSRP group has its own unique IP address assigned to an interface. This address is used for all routing protocol and management traffic initiated by or destined to the router. In addition, each router has a common gateway IP address, the virtual router address, that is kept alive by HSRP. This address is also referred to as the HSRP address or the standby address. Clients can point to that virtual router address as their default gateway, knowing that a router always keeps that address active. Keep in mind that the actual interface address and the virtual (standby) address must be configured to be in the same IP subnet. You can assign the HSRP address with the following interface command:

Switch(config-if)# standby group ip ip-address [secondary]

When HSRP is used on an interface that has secondary IP addresses, you can add the secondary keyword so that HSRP can provide a redundant secondary gateway address.

QUESTION 51
Refer to the exhibit. Which Virtual Router Redundancy Protocol (VRRP) statement is true about the roles of the master virtual router and the backup virtual router?


A. Router A is the master virtual router, and Router B is the backup virtual router. When Router A fails, Router B will become the master virtual router. When Router A recovers, Router B will maintain the role of master virtual router.

B. Router A is the master virtual router, and Router B is the backup virtual router. When Router A fails, Router B will become the master virtual router. When Router A recovers, it will regain the master virtual router role.

C. Router B is the master virtual router, and Router A is the backup virtual router. When Router B fails, Router A will become the master virtual router. When Router B recovers, it will regain the master virtual router role.

D. Router B is the master virtual router, and Router A is the backup virtual router. When Router B fails, Router A will become the master virtual router. When Router B recovers, Router A will maintain the role of master virtual router.

Correct Answer: B
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:

QUESTION 52
In the hardware address 0000.0c07.ac0a, what does 07.ac represent?

A. HSRP well-known physical MAC address
B. Vendor code
C. HSRP router number
D. HSRP group number


E. HSRP well-known virtual MAC address

Correct Answer: E
Section: HSRP, VRRP, GLBP
Explanation

Explanation/Reference:
Explanation:
HSRP code (HSRP well-known virtual MAC address) - The fact that the MAC address is for an HSRP virtual router is indicated in the next two bytes of the address. The HSRP code is always 07.ac. The HSRP protocol uses a virtual MAC address, which always contains the 07.ac numerical value.
Reference: Building Cisco Multilayer Switched Networks (Cisco Press) page 268

QUESTION 53
You are configuring a Cisco multilayer switch for the Company network. Which command would you use to configure a port to act as a routed interface?

A. ip routing
B. switchport mode trunk
C. no switchport
D. switchport trunk native vlan 1

Correct Answer: C
Section: Layer 3, ip routing
Explanation

Explanation/Reference:
Explanation:
Physical switch ports can also operate as Layer 3 interfaces, where a Layer 3 network address is assigned and routing can occur. Figure 13-2 shows an example of this. By default, all switch ports on the Catalyst 6500 (native IOS) platforms operate in the Layer 3 mode. For Layer 3 functionality, you must explicitly configure switch ports with the following command sequence:
Switch(config)# interface type mod/num
Switch(config-if)# no switchport
Switch(config-if)# ip address ip-address mask [secondary]
The no switchport command takes the port out of Layer 2 operation. You can then assign a network address to the port, as you would to a router interface.

QUESTION 54
Which three statements are true about the dynamic ARP inspection (DAI) feature? (Choose three)

A. DAI can be performed on ingress ports only.
B. DAI can be performed on both ingress and egress ports.
C. DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
D. DAI should be enabled on the root switch for particular VLANs only in order to secure the ARP caches of hosts in the domain.
E. DAI should be configured on all access switch ports as untrusted and on all switch ports connected to other switches as trusted.
F. DAI is supported on access and trunk ports only.

Correct Answer: ACE
Section: Security
Explanation

Explanation/Reference:
Explanation:


To prevent ARP spoofing or "poisoning," a switch must ensure that only valid ARP requests and responses are relayed. DAI prevents these attacks by intercepting and validating all ARP requests and responses. Each intercepted ARP reply is verified for valid MAC-address-to-IP-address bindings before it is forwarded to a PC to update the ARP cache. ARP replies coming from invalid devices are dropped. DAI determines the validity of an ARP packet based on a valid MAC-address-to-IP-address bindings database built by DHCP snooping. In addition, to handle hosts that use statically configured IP addresses, DAI can also validate ARP packets against user-configured ARP ACLs.
To ensure that only valid ARP requests and responses are relayed, DAI takes these actions:
* Forwards ARP packets received on a trusted interface without any checks
* Intercepts all ARP packets on untrusted ports
* Verifies that each intercepted packet has a valid IP-to-MAC address binding before forwarding packets that can update the local ARP cache
* Drops, logs, or drops and logs ARP packets with invalid IP-to-MAC address bindings

QUESTION 55
Which statement is true about 802.1x port-based authentication?

A. TACACS+ is the only supported authentication server type.
B. If a host initiates the authentication process and does not receive a response, it assumes it is not authorized.
C. RADIUS with EAP extensions is the only supported authentication server type.
D. Before transmitting data, an 802.1x host must determine the authorization state of the switch.
E. Hosts are required to have a 802.1x authentication client or utilize PPPoE.

Correct Answer: C
Section: Security
Explanation

Explanation/Reference:
Explanation:
The IEEE 802.1x standard defines a port-based access control and authentication protocol that restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports. The authentication server authenticates each workstation that is connected to a switch port before making available any services offered by the switch or the LAN. Until the workstation is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the workstation is connected. After authentication succeeds, normal traffic can pass through the port.
Authentication server: Performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. The RADIUS security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server.

QUESTION 56
Which statement is true about Layer 2 security threats?

A. MAC spoofing attacks allow an attacking device to receive frames intended for a different network host.
B. Port scanners are the most effective defense against dynamic ARP inspection.
C. MAC spoofing, in conjunction with ARP snooping, is the most effective counter-measure against reconnaissance attacks that use dynamic ARP inspection (DAI) to determine vulnerable attack points.
D. Dynamic ARP inspection in conjunction with ARP spoofing can be used to counter DHCP snooping attacks.
E. DHCP snooping sends unauthorized replies to DHCP queries.
F. ARP spoofing can be used to redirect traffic to counter dynamic ARP inspection.

Correct Answer: A
Section: Security
Explanation


Explanation/Reference:
Explanation:
First of all, MAC spoofing is not an effective counter-measure against any reconnaissance attack; it IS an attack! Furthermore, reconnaissance attacks don't use dynamic ARP inspection (DAI); DAI is a switch feature used to prevent attacks.

QUESTION 57
VLAN maps have been configured on switch R1. Which of the following actions are taken in a VLAN map that does not contain a match clause?

A. Implicit deny feature at end of list.
B. Implicit deny feature at start of list.
C. Implicit forward feature at end of list.
D. Implicit forward feature at start of list.

Correct Answer: A
Section: Security
Explanation

Explanation/Reference:
Explanation:
Each VLAN access map can consist of one or more map sequences, each sequence with a match clause and an action clause. The match clause specifies IP, IPX, or MAC ACLs for traffic filtering and the action clause specifies the action to be taken when a match occurs. When a flow matches a permit ACL entry, the associated action is taken and the flow is not checked against the remaining sequences. When a flow matches a deny ACL entry, it will be checked against the next ACL in the same sequence or the next sequence. If a flow does not match any ACL entry and at least one ACL is configured for that packet type, the packet is denied.
Reference:
http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_guide_chapter09186a008007f4d4.html

QUESTION 58
When an attacker is using switch spoofing to perform VLAN hopping, how is the attacker able to gather information?

A. The attacking station uses DTP to negotiate trunking with a switch port and captures all traffic that is allowed on the trunk.

B. The attacking station tags itself with all usable VLANs to capture data that is passed through the switch, regardless of the VLAN to which the data belongs.

C. The attacking station will generate frames with two 802.1Q headers to cause the switch to forward the frames to a VLAN that would be inaccessible to the attacker through legitimate means.

D. The attacking station uses VTP to collect VLAN information that is sent out and then tags itself with the domain information in order to capture the data.

Correct Answer: A
Section: Security
Explanation

Explanation/Reference:
Explanation:
DTP should be disabled for all user ports on a switch. If the port is left with DTP auto-configured (default on many switches), an attacker can connect and arbitrarily cause the port to start trunking and therefore pass all VLAN information.
Reference:
http://www.cisco.com/en/US/solutions/ns340/ns517/ns224/ns376/net_design_guidance0900aecd800ebd1e.pdf

QUESTION 59


Refer to the show interface Gi0/1 switchport command output shown in the exhibit. Which two statements are true about this interface? (Choose two)

A. This interface is a member of a voice VLAN.
B. This interface is configured for access mode.
C. This interface is a dot1q trunk passing all configured VLANs.
D. This interface is a member of VLAN 7.
E. This interface is a member of VLAN 1.

Correct Answer: BD
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
In the exhibit, the operational mode is static access and the access mode VLAN is 7, so this port is operating in access mode as a member of VLAN 7.

QUESTION 60
Refer to the exhibit. Switch S1 is running mst IEEE 802.1s. Switch S2 contains the default configuration running IEEE 802.1D. Switch S3 has had the command spanning-tree mode rapid-pvst running IEEE 802.1w. What will be the result?

A. IEEE 802.1D and IEEE 802.1w are incompatible. All three switches must use the same standard or no traffic will pass between any of the switches.

B. Switches S1, S2, and S3 will be able to pass traffic between themselves.

C. Switches S1, S2, and S3 will be able to pass traffic between themselves. However, if there is a topology change, Switch S2 will not receive notification of the change.

D. Switches S1 and S3 will be able to exchange traffic but neither will be able to exchange traffic with Switch S2.

Correct Answer: B
Section: SpanningTree
Explanation

Explanation/Reference:

QUESTION 61


Which three statements are true regarding the above diagram? (Choose three.)

A. DTP packets are sent from Switch B.
B. The native VLAN for Switch B is vlan 1.
C. A trunk link will be formed.
D. DTP is not running on Switch A.
E. Only VLANs 1-1001 will travel across the trunk link.

Correct Answer: ABC
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
You can manually configure trunk links on Catalyst switches for either ISL or 802.1Q mode. In addition, Cisco has implemented a proprietary, point-to-point protocol called Dynamic Trunking Protocol (DTP) that negotiates a common trunking mode between two switches. The negotiation covers the encapsulation (ISL or 802.1Q) as well as whether the link becomes a trunk at all.
You can configure the trunk encapsulation with the switchport trunk encapsulation command, as one of the following:
1. isl: VLANs are tagged by encapsulating each frame using the Cisco ISL protocol.
2. dot1q: VLANs are tagged in each frame using the IEEE 802.1Q standard protocol. The only exception is the native VLAN, which is sent normally and not tagged at all.
3. negotiate (the default): The encapsulation is negotiated to select either ISL or IEEE 802.1Q, whichever is supported by both ends of the trunk. If both ends support both types, ISL is favored. (The Catalyst 2950 switch does not support ISL encapsulation.)
In the switchport mode command, you can set the trunking mode to any of the following:
1. trunk: This setting places the port in permanent trunking mode. The corresponding switch port at the other end of the trunk should be similarly configured because negotiation is not allowed. You should also manually configure the encapsulation mode.
2. dynamic desirable (the default): The port actively attempts to convert the link into trunking mode. If the far-end switch port is configured to trunk, dynamic desirable, or dynamic auto mode, trunking is successfully negotiated.
3. dynamic auto: The port converts the link into trunking mode. If the far-end switch port is configured to trunk or dynamic desirable, trunking is negotiated. Because of the passive negotiation behavior, the link never becomes a trunk if both ends of the link are left to the dynamic auto default.

QUESTION 62
Which of the following statements is true about the 80/20 rule (Choose two)?

A. 20 percent of the traffic on a network segment should be local
B. no more than 20 percent of the network traffic should be able to move across a backbone.
C. no more than 80 percent of the network traffic should be able to move across a backbone.
D. 80 percent of the traffic on a network segment should be local

Correct Answer: BD
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
The 80/20 rule in network design originated from the idea that most of the traffic should remain local to the LAN, since bandwidth is plentiful compared to WAN links, and a great deal of broadcast traffic that is evident at the LAN is not passed over the backbone.
Note: With the availability of inexpensive bandwidth and centralized data centers, this rule appears to have become obsolete. In fact, most networks have taken on the 20/80 rule, as opposed to the legacy 80/20 rule.

QUESTION 63
Company uses MSTP within their switched LAN. What is the main purpose of Multiple Instance Spanning Tree Protocol (MSTP)?

A. To enhance Spanning Tree troubleshooting on multilayer switches
B. To reduce the total number of spanning tree instances necessary for a particular topology
C. To provide faster convergence when topology changes occur in a switched network
D. To provide protection for STP when a link is unidirectional and BPDUs are being sent but not received

Correct Answer: B
Section: SpanningTree
Explanation

Explanation/Reference:
Explanation:
MST is built on the concept of mapping one or more VLANs to a single STP instance. Multiple instances of STP can be used (hence the name MST), with each instance supporting a different group of VLANs. Each could be tuned to result in a different topology, so that Instance 1 would forward on the left uplink, while Instance 2 would forward on the right uplink. Therefore, VLAN A would be mapped to Instance 1, and VLAN B to Instance 2.
To implement MST in a network, you need to determine the following:
1. The number of STP instances needed to support the desired topologies.
2. Whether to map a set of VLANs to each instance.

QUESTION 64
What is one method that can be used to prevent VLAN hopping on the network?

A. Configure VACLs.
B. Configure all frames with two 802.1Q headers.
C. Enforce username/password combinations.
D. Explicitly turn off Dynamic Trunking Protocol (DTP) on all unused ports.
E. All of the above

Correct Answer: D
Section: Security


Explanation

Explanation/Reference:
Explanation:
When securing VLAN trunks, also consider the potential for an exploit called VLAN hopping. Here, an attacker positioned on one access VLAN can craft and send frames with spoofed 802.1Q tags so that the packet payloads ultimately appear on a totally different VLAN, all without the use of a router.

For this exploit to work, the following conditions must exist in the network configuration:
* The attacker is connected to an access switch port.
* The same switch must have an 802.1Q trunk.
* The trunk must have the attacker's access VLAN as its native VLAN.
To prevent VLAN hopping, turn off Dynamic Trunking Protocol on all unused ports.

QUESTION 65
The Company LAN switches are being configured to support the use of Dynamic VLANs. What should be considered when implementing a dynamic VLAN solution? (Choose two)

A. Each switch port is assigned to a specific VLAN.
B. Dynamic VLANs require a VLAN Membership Policy Server.
C. Devices are in the same VLAN regardless of which port they attach to.
D. Dynamic VLAN assignments are made through the command line interface.

Correct Answer: BC
Section: Layer 2, VTP, VLAN design
Explanation

Explanation/Reference:
Explanation:
With VLAN Membership Policy Server (VMPS), you can assign switch ports to VLANs dynamically, based on the source Media Access Control (MAC) address of the device connected to the port. When you move a host from a port on one switch in the network to a port on another switch in the network, the switch assigns the new port to the proper VLAN for that host dynamically.
Note: There are two types of VLAN port configurations: static and dynamic.
Incorrect Answers
A: In a static VLAN, the administrator assigns switch ports to the VLAN, and the association does not change until the administrator changes the port assignment. However, this is not the case of dynamic VLANs.
D: The Command Line Interface is not used for dynamic VLAN assignments.
Reference: Cisco Online, Configuring Dynamic Port VLAN Membership with VMPS
