SWITCH 300-115 Category

HSRP Questions 3

September 21st, 2017 certprepare No comments

Question 1

Explanation

The last two hex digits of the virtual MAC address represent the HSRP group number.

Question 2

Explanation

Answers A and B are correct because they are functions of HSRP. A note on answer D: it is not entirely accurate, because in SWITCH only GLBP has a true load-balancing feature; HSRP can only load-share by configuring several different HSRP groups. However, answer D is the only choice left in this question, so we have to choose it.

StackWise Questions 2

September 19th, 2017 certprepare No comments

Question 1

Explanation

A higher priority value for a stack member increases its likelihood to be elected stack master and to retain its stack member number. The priority value can be 1 to 15. The default priority value is 1.

Reference: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/71925-cat3750-create-switch-stks.html

Question 2

Explanation

VSLs can be configured with up to eight links between the two switches across any combination of line cards or supervisor ports to provide a high level of redundancy. If for some rare reason all Virtual Switching Link (VSL) connections are lost between the virtual switch members leaving both the virtual switch members up, the VSS will transition to the dual active recovery mode.

In the dual active recovery mode, all interfaces except the VSL interfaces are in an operationally shut down state in the formerly active virtual switch member. The new active virtual switch continues to forward traffic on all links.

Reference: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-virtual-switching-system-1440/prod_qas0900aecd806ed74b.html

Question 3

Explanation

If for some rare reason all Virtual Switching Link (VSL) connections are lost between the virtual switch members leaving both the virtual switch members up, the VSS will transition to the dual active recovery mode.

In the dual active recovery mode, all interfaces except the VSL interfaces are in an operationally shut down state in the formerly active virtual switch member. The new active virtual switch continues to forward traffic on all links.

Reference: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-virtual-switching-system-1440/prod_qas0900aecd806ed74b.html

Question 4

Explanation

VSS increases operational efficiency by simplifying the network, reducing switch management overhead by at least 50 percent. This includes removing the need for Hot Standby Router Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP), and Gateway Load Balancing Protocol (GLBP) -> D is correct.

Reference: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-virtual-switching-system-1440/prod_qas0900aecd806ed74b.html

Question 5

Question 6

Explanation

When you add a switch to a stack, the stack master automatically changes the configuration of the new switch. The master switch revises the new member switch port numbers to conform to the current port numbering sequence in the stack. Any existing port-level configuration in the newly-added switch is automatically cleared or updated.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/troubleshooting/switch_stacks.pdf

Question 7

VLAN Trunking 3

September 18th, 2017 certprepare 3 comments

Question 1

Explanation

The “vlan dot1q tag native” command maintains the tagging on the native VLAN and drops untagged traffic -> B is correct.

Reference: http://www.cisco.com/web/techdoc/dc/reference/cli/nxos/commands/l2/vlan_dot1Q_tag_native.html

Question 2

Note: Answer F is not correct because VLAN 600 being the native VLAN on Gi6/2 does not mean that untagged traffic is tagged with this VLAN. It only means that all untagged traffic belongs to VLAN 600.

Question 3

Question 4

Question 5

Question 6

Explanation

Although Gi0/10 has been configured as a trunk, it did not appear in the output of the “show interfaces trunk” command, so the most suitable reason is that it is down (not administratively down, but down for another reason).

Question 6

Explanation

By entering the command “switchport trunk allowed vlan 2,3,4”, VLAN 5 would be removed from the allowed VLAN list. Both Workstations A & B are on VLAN 5, so they can no longer communicate.

Note: If we want to add VLANs 2 to 4 to the existing allowed VLAN list, we should use “switchport trunk allowed vlan add 2,3,4” instead.

HSRP Questions 2

September 18th, 2017 certprepare 1 comment

Question 1

Explanation

ICMP (Internet Control Message Protocol) redirect messages are automatically enabled on interfaces configured with HSRP (therefore answer A is not correct). This feature filters outgoing ICMP redirect messages through HSRP, in which the next hop IP address might be changed to an HSRP virtual IP address. ICMP is a network layer Internet protocol that provides message packets to report errors and other information relevant to IP processing. ICMP provides diagnostic functions, such as sending and directing error packets to the host. When the switch is running HSRP, make sure hosts do not discover the interface (or real) MAC addresses of routers in the HSRP group. If a host is redirected by ICMP to the real MAC address of a router and that router later fails, packets from the host are lost.

Routers in an HSRP group can be any router interface that supports HSRP, including routed ports and switch virtual interfaces (SVIs) on the switch -> Answer B is correct.

In a group of router interfaces, the active router is the router of choice for routing packets; the standby router is the router that takes over the routing duties when an active router fails or when preset conditions are met -> Answer C is not correct.

When HSRP is configured on a network or segment, it provides a virtual MAC address and an IP address that is shared among a group of configured routers. HSRP allows two or more HSRP-configured routers to use the MAC address and IP network address of a virtual router -> Answer D is correct.

HSRP can be configured on a maximum of 32 VLAN or routing interfaces. The limit therefore depends only on the number of VLANs or interfaces, not on the number of routers/switches.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/12-2_52_ey/configuration/guide/3800x3600xscg/swhsrp.pdf

Question 2

Question 3

Question 4

Question 5

Explanation

The configuration of many hundreds of subinterfaces on the same physical interface, with each subinterface having its own HSRP group, can cause the processes of negotiation and maintenance of multiple HSRP groups to have a detrimental impact on network traffic and CPU utilization.

Only one HSRP group is required on a physical interface for the purposes of electing active and standby devices. This group is known as the master group. Other HSRP groups may be created on each subinterface and linked to the master group via the group name. These linked HSRP groups are known as client or slave groups.

The HSRP group state of the client groups follows that of the master group. Client groups do not participate in any sort of device election mechanism.

Client groups send periodic messages in order to refresh their virtual MAC addresses in switches and learning bridges. The refresh message may be sent at a much lower frequency compared with the protocol election messages sent by the master group.

Perform this task to configure multiple HSRP client groups.

+ The standby follow command configures an HSRP group to become a slave of another HSRP group.
+ HSRP client groups follow the master HSRP with a slight, random delay so that all client groups do not change at the same time.
+ Use the standby mac-refresh seconds command to directly change the HSRP client group refresh interval. The default interval is 10 seconds and can be configured to as much as 255 seconds.

Note: A client group takes its state from the group it is following. Therefore, the client group does not use its timer, priority, or preemption settings.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-mt/fhp-15-mt-book/fhp-hsrp-mgo.html

For example:

Device(config)# interface GigabitEthernet 0/0/0
Device(config-if)# ip address 10.0.0.1 255.255.255.0
Device(config-if)# standby mac-refresh 30
Device(config-if)# standby 1 follow HSRP1

Question 6

Explanation

With HSRP, members of the virtual router group continually exchange status messages. One router can assume the routing responsibility of another if a router goes out of commission for either planned or unplanned reasons.

+ Hello messages are sent to indicate that a router runs HSRP and is able to become the active router.
+ Coup messages are sent when a router wishes to become the active router.
+ Resign messages are sent when a router no longer wishes to be the active router.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/hot-standby-router-protocol-hsrp/10583-62.html

Question 7

Explanation

HSRP has two authentication schemes:

+ Plain text authentication
+ MD5 authentication

HSRP authentication protects against false HSRP hello packets causing a denial-of-service attack. For example, Device A has a priority of 120 and is the active device. If a host sends spoof HSRP hello packets with a priority of 130, then Device A stops being the active device. If Device A has authentication configured such that the spoof HSRP hello packets are ignored, Device A will remain the active device.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/xe-3s/fhp-xe-3s-book/fhp-hsrp-md5.html

Question 8

Explanation

You can configure a tracked list of objects with a Boolean expression, a weight threshold, or a percentage threshold.

The example configures track list 1 to track by weight threshold.

Switch(config)# track 1 list threshold weight
Switch(config-track)# object 1 weight 15
Switch(config-track)# object 2 weight 20
Switch(config-track)# object 3 weight 30
Switch(config-track)# threshold weight up 30 down 10

If object 1 and object 2 are down, then track list 1 is up, because object 3 alone satisfies the up threshold value of 30. But if object 3 is down, both objects 1 and 2 must be up in order to satisfy the threshold weight.

This configuration can be useful if object 1 and object 2 represent two small bandwidth connections and object 3 represents one large bandwidth connection. The configured down 10 value means that once the tracked object is up, it will not go down until the threshold value is equal to or lower than 10, which in this example means that all connections are down.

The example below configures tracked list 2 with three objects and specified percentages to measure the state of the list, with an up threshold of 70 percent and a down threshold of 30 percent:

Switch(config)# track 2 list threshold percentage
Switch(config-track)# object 1
Switch(config-track)# object 2
Switch(config-track)# object 3
Switch(config-track)# threshold percentage up 51 down 10

This means as long as 51% or more of the objects are up, the list will be considered “up”. So in this case if two objects are up, track 2 is considered “up”.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/blades/3020/software/release/12-2_58_se/configuration/guide/3020_scg/swhsrp.pdf
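To make the weight and percentage threshold rules concrete, here is an added simulation of the two tracked lists above (this is not code from the page or from Cisco; it assumes the hysteresis semantics described in the explanation, where a list only goes down once the metric reaches the “down” value or lower):

```python
"""Simulate how Cisco IOS evaluates 'track N list threshold weight|percentage'.

Added example; it is not code from the page or from Cisco. It assumes the
semantics the explanation above describes: the list goes up once the metric
(summed weight of up objects, or percentage of up objects) reaches the 'up'
threshold and stays up until the metric drops to the 'down' value or lower.
"""
from dataclasses import dataclass, field


@dataclass
class TrackList:
    mode: str                 # "weight" or "percentage"
    up: int                   # 'threshold ... up' value
    down: int                 # 'threshold ... down' value
    weights: dict = field(default_factory=dict)   # object id -> weight (1 for percentage lists)
    state: str = "down"       # the list starts down until the up threshold is met

    def measure(self, object_states):
        """Metric compared against the thresholds; objects missing from the dict are down."""
        up_objects = [o for o in self.weights if object_states.get(o, False)]
        if self.mode == "weight":
            return sum(self.weights[o] for o in up_objects)
        return 100 * len(up_objects) // len(self.weights)

    def evaluate(self, object_states):
        """Apply the up/down hysteresis rule and return the new list state."""
        value = self.measure(object_states)
        if self.state == "down" and value >= self.up:
            self.state = "up"
        elif self.state == "up" and value <= self.down:
            self.state = "down"
        return self.state


def track_list_1():
    """track 1 list threshold weight; objects weigh 15/20/30; threshold weight up 30 down 10."""
    return TrackList("weight", up=30, down=10, weights={1: 15, 2: 20, 3: 30})


def track_list_2():
    """track 2 list threshold percentage; three objects; threshold percentage up 51 down 10."""
    return TrackList("percentage", up=51, down=10, weights={1: 1, 2: 1, 3: 1})


def walk(track_list, snapshots):
    """Feed successive object-state snapshots and return the list state after each."""
    return [track_list.evaluate(s) for s in snapshots]


if __name__ == "__main__":
    # Only the large link (object 3) up, then both small links, then one small link, then none.
    print(walk(track_list_1(), [{3: True}, {1: True, 2: True}, {1: True}, {}]))
    print(walk(track_list_2(), [{1: True, 2: True}, {1: True}, {}]))
```

The third snapshot for list 1 (only object 1 up, weight 15) keeps the list up because 15 is above the down value of 10, even though 15 alone would never have brought the list up.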

Question 9

Explanation

In order to utilize both paths from the host network to the server network, you can configure Multigroup HSRP (MHSRP) between R1 and R2. Essentially, R1 is configured with two HSRP groups (for example, group 1 and group 2) and R2 is also configured with the same HSRP groups. For group 1, R1 is the active router and R2 is the standby router. For group 2, R2 is the active router and R1 is the standby router. Then you configure half of the hosts’ default gateways with the HSRP group 1 virtual IP address, and the other half of the hosts’ default gateways with the HSRP group 2 virtual IP address.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/hot-standby-router-protocol-hsrp/13781-7.html

In general, unlike GLBP (which supports load-balancing), HSRP can only use a “trick” to share traffic loads by configuring multiple HSRP groups.

Question 9

Explanation

Preemption is disabled, so R2 cannot become the master router in any situation -> Answer A is not correct.

From the line “Track interface FastEthernet0/0 state Up decrement 10” we learn that R2 is tracking interface Fa0/0 (current state Up) and that if it goes down the priority will be decremented by 10 -> Answer B is correct.

The default hello and hold times of HSRP are 3 and 10 seconds, respectively, so R2 is using the default values -> Answer D is correct.

Although the current master router is 10.10.1.3, it has a lower priority than R2 (85) -> Answer E is not correct.

Question 10

Explanation

HSRP is a Cisco-proprietary protocol developed to allow several routers or multilayer switches to appear as a single gateway IP address. This protocol is described in RFC 2281.

Question 11

Explanation

Switch_A is not configured with a standby track decrement value, so it uses the default decrement of 10 -> When Switch_A’s tracked interface goes down, its priority is 200 – 10 = 190, so Switch_B must be configured with a priority higher than 190. Switch_B must also have the “preempt” command configured to take over the active state -> C is correct.

Note: Answer A is not correct because Switch_B would have the same priority value as Switch_A, but Switch_B’s IP address on the HSRP interface is higher (10.10.10.2 is higher than 10.10.10.1), so Switch_B would take over the active state from Switch_A even while Switch_A is still operational.
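The following added simulation (not code from the page or from Cisco) ties together the HSRP points made in this post and in HSRP Questions 3: the v1 virtual MAC 0000.0c07.acXX carries the group number in its last byte, interface tracking decrements the priority (default 10), the highest effective priority wins with the higher interface IP as the tie-breaker, and a standby router only displaces a working active router when it has preempt configured. The router names and addresses are those used in Question 11 above; the tracked interface name Gi0/1 is an assumption.

```python
"""Simulate HSRP v1 active-router selection for one standby group.

Added example; not code from the page or from Cisco. Assumed rules, taken from
the explanations above: effective priority = configured priority minus the track
decrement (default 10) for every tracked interface that is down; the highest
effective priority is active and the highest interface IP breaks ties; a router
only displaces a working active router when it has 'preempt' configured. The
virtual MAC follows the v1 convention 0000.0c07.acXX with XX = group in hex.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address

HSRP_V1_MAC_PREFIX = "0000.0c07.ac"
DEFAULT_TRACK_DECREMENT = 10


def virtual_mac(group):
    """HSRP v1 virtual MAC for a group number (0-255)."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP v1 group numbers are 0-255")
    return f"{HSRP_V1_MAC_PREFIX}{group:02x}"


def group_from_virtual_mac(mac):
    """Recover the group number from a v1 virtual MAC (its last hex byte)."""
    mac = mac.lower()
    if not mac.startswith(HSRP_V1_MAC_PREFIX):
        raise ValueError("not an HSRP v1 virtual MAC")
    return int(mac[-2:], 16)


@dataclass
class Router:
    name: str
    ip: str                                   # interface IP, used as the tie-breaker
    priority: int = 100
    preempt: bool = False
    tracked: dict = field(default_factory=dict)       # interface -> decrement
    interface_up: dict = field(default_factory=dict)  # interface -> bool (missing = up)

    def effective_priority(self):
        """Configured priority minus the decrements of tracked interfaces that are down."""
        lost = sum(dec for ifname, dec in self.tracked.items()
                   if not self.interface_up.get(ifname, True))
        return max(self.priority - lost, 0)

    def rank(self):
        """Ordering used by the election: priority first, interface IP second."""
        return (self.effective_priority(), IPv4Address(self.ip))


def elect_active(routers, current_active=None):
    """Return the router holding the active role after an election or preemption check."""
    candidate = max(routers, key=Router.rank)
    if current_active is None or current_active not in routers:
        return candidate                      # no working active router: plain election
    if candidate is current_active or not candidate.preempt:
        return current_active                 # without preempt, a working active router stays
    return candidate if candidate.rank() > current_active.rank() else current_active


def question_11_scenario(switch_b_priority, switch_b_preempt):
    """Switch_A: priority 200, tracks Gi0/1 (assumed name) with the default decrement.
    Returns the name of the active switch after Switch_A's tracked link goes down."""
    a = Router("Switch_A", "10.10.10.1", priority=200,
               tracked={"Gi0/1": DEFAULT_TRACK_DECREMENT})
    b = Router("Switch_B", "10.10.10.2", priority=switch_b_priority, preempt=switch_b_preempt)
    active = elect_active([a, b])             # initial election with both links up
    a.interface_up["Gi0/1"] = False           # tracked interface fails: A drops to 190
    return elect_active([a, b], active).name


if __name__ == "__main__":
    print(virtual_mac(1), group_from_virtual_mac("0000.0c07.ac0a"))
    print(question_11_scenario(195, True), question_11_scenario(195, False))
```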

EtherChannel Questions 4

September 14th, 2017 certprepare 1 comment

Question 1

Explanation

For this question please remember this:

The table below lists if an EtherChannel will be formed or not for LACP:

LACP      Active   Passive
Active    Yes      Yes
Passive   Yes      No

The table below lists if an EtherChannel will be formed or not for PAgP:

PAgP        Desirable   Auto
Desirable   Yes         Yes
Auto        Yes         No

To form an EtherChannel, both sides must use the same EtherChannel protocol (LACP or PAgP). According to the two tables above, we can see that only “desirable” and “auto” (of PAgP) can form an EtherChannel bundle.

Note: If we want to use “on” mode, both ends must be configured in this “on” mode to create an Etherchannel bundle.

Question 2

Question 3

Explanation

The table below lists if an EtherChannel will be formed or not for PAgP:

PAgP        Desirable   Auto
Desirable   Yes         Yes
Auto        Yes         No

Therefore we can see if one end is in “auto”, the other end must be in “desirable” mode to form an Etherchannel.

Question 4

Question 5

Question 6

SDM Questions

July 11th, 2017 certprepare 29 comments

Question 1

Explanation

SDM templates are used to configure system resources in the switch to optimize support for specific features, depending on how the switch is used in the network. You can select a template to provide maximum system usage for some functions or use the default template to balance resources.

To allocate ternary content addressable memory (TCAM) resources for different usages, the switch SDM templates prioritize system resources to optimize support for certain features. You can select SDM templates to optimize these features:
+ Access – The access template maximizes system resources for access control lists (ACLs) to accommodate a large number of ACLs.
+ Default – The default template gives balance to all functions.
+ Routing – The routing template maximizes system resources for IPv4 unicast routing, typically required for a router or aggregator in the center of a network.
+ VLANs – The VLAN template disables routing and supports the maximum number of unicast MAC addresses. It would typically be selected for a Layer 2 switch.

In addition, the dual IPv4 and IPv6 templates enable a dual stack environment.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swsdm.html

Question 2

Explanation

The VLAN template disables routing and supports the maximum number of unicast MAC addresses. It would typically be selected for a Layer 2 switch.

Question 3

Explanation

The VLAN template disables routing and supports the maximum number of unicast MAC addresses. It would typically be selected for a Layer 2 switch.

Question 4

Explanation

The VLAN template disables routing and supports the maximum number of unicast MAC addresses. It would typically be selected for a Layer 2 switch only. But in this case the switch is also used for routing. Because the VLAN template disables the hardware routing feature, all routing is processed by the CPU, seriously impacting switch performance and causing the CPU of the switch to spike, especially during peak hours.

Question 5

Question 6

Question 7

Explanation

In fact there are only three correct choices in this question but we listed here all four correct answers so that you can see which ones are not correct.

SDM templates are used to configure system resources in the switch to optimize support for specific features, depending on how the switch is used in the network. You can select a template to provide maximum system usage for some functions or use the default template to balance resources.

To allocate ternary content addressable memory (TCAM) resources for different usages, the switch SDM templates prioritize system resources to optimize support for certain features. You can select SDM templates to optimize these features:
+ Access – The access template maximizes system resources for access control lists (ACLs) to accommodate a large number of ACLs.
+ Default – The default template gives balance to all functions.
+ Routing – The routing template maximizes system resources for IPv4 unicast routing, typically required for a router or aggregator in the center of a network.
+ VLANs – The VLAN template disables routing and supports the maximum number of unicast MAC addresses. It would typically be selected for a Layer 2 switch.

In addition, the dual IPv4 and IPv6 templates enable a dual stack environment.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swsdm.html

Question 8

Question 9

Question 10

CDP & LLDP Questions

July 9th, 2017 certprepare 269 comments

Question 1

Explanation

Cisco Discovery Protocol (CDP) is a proprietary protocol designed by Cisco to help in finding information about neighboring devices. The default values are 60 seconds for advertisements. Each neighbor will keep the information contained in a packet for 180 seconds (holddown timer).

Question 2

Question 3

Explanation

CDP runs at Layer 2 so a router running CDP can see a Layer 2 switch that is directly connected to it, provided that the Layer 2 switch also runs CDP.

Question 4

Explanation

Unlike CDP, Link Layer Discovery Protocol (LLDP) is an open IEEE-standard (802.1AB) Layer 2 protocol used by network devices to share information about their identities and functionality with other network elements.

Question 5

Explanation

Cisco Discovery Protocol Version 2 provides more intelligent, device-tracking features than those available in Version 1. One of the features available is an enhanced reporting mechanism for more rapid error tracking, which helps to reduce network downtime. Errors reported include mismatched native VLAN IDs (IEEE 802.1Q) on connected ports and mismatched port-duplex states between connected devices. Messages about reported errors can be sent to the console or to a logging server.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/cdp/configuration/xe-3s/asr903/cdp-xe-3s-asr903-book/nm-cdp-discover.html

Question 6

Explanation

Unlike CDP, Link Layer Discovery Protocol (LLDP) is an open IEEE-standard (802.1AB) Layer 2 protocol used by network devices to share information about their identities and functionality with other network elements.

Question 7

Explanation

Cisco devices send periodic CDP announcements to the multicast destination address 01-00-0c-cc-cc-cc out each connected network interface. These multicast packets may be received by Cisco devices. This multicast destination is also used in other Cisco protocols such as VTP.

Question 8

Explanation

The information contained in Cisco Discovery Protocol announcements depends on the device type and the version of the operating system running on it. The following are examples of the types of information that can be contained in Cisco Discovery Protocol announcements:
+ Cisco IOS XE version running on a Cisco device
+ Duplex setting
+ Hardware platform of the device
+ Hostname
+ IP addresses of the interfaces on devices
+ Interfaces active on a Cisco device, including encapsulation type
+ Locally connected devices advertising Cisco Discovery Protocol
+ Native VLAN
+ VTP domain

Cisco Discovery Protocol Version 2 provides more intelligent device tracking features than Version 1.

Question 9

Explanation

Media Endpoint Discovery is an enhancement of LLDP, known as LLDP-MED, that provides the following facilities:
+ Auto-discovery of LAN policies such as VLAN, Layer 2 Priority and Differentiated services (Diffserv) settings, enabling plug and play networking.
+ Device location discovery to allow creation of location databases and, in the case of Voice over Internet Protocol (VoIP), Enhanced 911 services.
+ Extended and automated power management of Power over Ethernet (PoE) end points.
+ Inventory management, allowing network administrators to track their network devices, and determine their characteristics (manufacturer, software and hardware versions, serial or asset number).

The LLDP-MED protocol extension was formally approved and published as the standard ANSI/TIA-1057 by the Telecommunications Industry Association (TIA) in April 2006.

Question 10

Explanation

LLDP supports a set of attributes that it uses to discover neighbor devices. These attributes contain type, length, and value descriptions and are referred to as TLVs. LLDP supported devices can use TLVs to receive and send information to their neighbors. This protocol can advertise details such as configuration information, device capabilities, and device identity.
The switch supports these basic management TLVs. These are mandatory LLDP TLVs.
+ Port description TLV
+ System name TLV
+ System description TLV
+ System capabilities TLV
+ Management address TLV
These organizationally specific LLDP TLVs are also advertised to support LLDP-MED.
+ Port VLAN ID TLV (IEEE 802.1 organizationally specific TLV)
+ MAC/PHY configuration/status TLV (IEEE 802.3 organizationally specific TLV)

-> No VTP information is supported in LLDP.

CDP & LLDP Questions 2

July 9th, 2017 certprepare No comments

Question 1

Explanation

Cisco Discovery Protocol Version 2 has three additional type-length-values (TLVs): VTP Management Domain Name, Native VLAN, and Full/Half Duplex.

Question 2

Explanation

The default CDP timer (the frequency at which a router sends CDP packets) is 60 seconds, and the hold time (the amount of time a receiving device retains the CDP information sent by other devices) is 180 seconds. In this case the question asks about the CDP timer, so half of the default CDP timer is 30 seconds.

Question 3

Question 4

Question 5

Question 7

Explanation

The information contained in Cisco Discovery Protocol advertisements varies based on the type of device and the installed version of the operating system. Some of the information that Cisco Discovery Protocol can learn includes:
+ Cisco IOS version running on Cisco devices
+ Hardware platform of devices
+ IP addresses of interfaces on devices
+ Locally connected devices advertising Cisco Discovery Protocol
+ Interfaces active on Cisco devices, including encapsulation type
+ Hostname
+ Duplex setting
+ VLAN Trunking Protocol (VTP) domain
+ Native VLAN

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/cdp/configuration/15-mt/cdp-15-mt-book/nm-cdp-discover.html

Question 8

Explanation

You must enable CDP on the switch port connected to the Cisco IP Phone to send the configuration to the phone (which includes the Voice VLAN to be used).

Question 9

Question 10

Question 11

Question 12

Question 13

Explanation

The information contained in Cisco Discovery Protocol advertisements varies based on the type of device and the installed version of the operating system. Some of the information that Cisco Discovery Protocol can learn includes:
+ Cisco IOS version running on Cisco devices
+ Hardware platform of devices
+ IP addresses of interfaces on devices
+ Locally connected devices advertising Cisco Discovery Protocol
+ Interfaces active on Cisco devices, including encapsulation type
+ Hostname
+ Duplex setting
+ VLAN Trunking Protocol (VTP) domain
+ Native VLAN

Type-Length-Value (TLV) fields are blocks of information embedded in Cisco Discovery Protocol advertisements. Information in advertisements varies, and the TLV frame format allows for extending advertisements when needed.

The IP Network Prefix TLV advertised by CDPv2 contains a list of network prefixes to which the sending device can forward IP packets. A prefix includes the interface protocol and the port number, for example Ethernet 1/0.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/cdp/configuration/15-mt/cdp-15-mt-book/nm-cdp-discover.html

UDLD Questions

July 8th, 2017 certprepare 25 comments

Question 1

Explanation

UDLD is a Layer 2 protocol that enables devices connected through fiber-optic or twisted-pair Ethernet cables to monitor the physical configuration of the cables and detect when a unidirectional link exists. All connected devices must support UDLD for the protocol to successfully identify and disable unidirectional links. When UDLD detects a unidirectional link, it administratively shuts down the affected port and alerts you. Unidirectional links can cause a variety of problems, including spanning-tree topology loops.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-1_19_ea1/configuration/guide/3550scg/swudld.html#wp1019932

Question 2

Explanation

A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from the neighbor is not received by the local device.

UDLD supports two modes of operation: normal (the default) and aggressive. In normal mode, UDLD can detect unidirectional links due to misconnected interfaces on fiber-optic connections. In aggressive mode, UDLD can also detect unidirectional links due to one-way traffic on fiber-optic and twisted-pair links and to misconnected interfaces on fiber-optic links.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-1_19_ea1/configuration/guide/3550scg/swudld.html

Question 3

Explanation

When a unidirectional link occurs, UDLD can put that port into the errdisable state (effectively the same as shutdown). The administrator must then manually shut/no shut the interface to bring it up. If we want the interface to recover automatically, we configure errdisable recovery for the UDLD cause. For example:

errdisable recovery cause udld
errdisable recovery interval 30

By doing so, the port will be placed back in the up state (out of the err-disabled state) after 30 seconds; if the port still has a violation it will be placed in the err-disabled state again, otherwise it will remain up.

Question 4

Explanation

UDLD aggressive mode is disabled by default. Configure UDLD aggressive mode only on point-to-point links between network devices that support UDLD aggressive mode. With UDLD aggressive mode enabled, when a port on a bidirectional link that has a UDLD neighbor relationship established stops receiving UDLD packets, UDLD tries to reestablish the connection with the neighbor. After eight failed retries, the port is disabled.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/udld.html#wp1027627

Question 5

Question 6

Question 7

Question 8

Question 9

Explanation

The Cisco-proprietary UDLD protocol monitors the physical configuration of the links between devices and ports that support UDLD. UDLD detects the existence of unidirectional links. When a unidirectional link is detected, UDLD puts the affected port into the errdisabled state and alerts the user. UDLD can operate in either normal or aggressive mode.

UDLD is a Layer 2 protocol that works with the Layer 1 protocols to determine the physical status of a link. At Layer 1, autonegotiation takes care of physical signaling and fault detection. UDLD performs tasks that autonegotiation cannot perform, such as detecting the identities of neighbors and shutting down misconnected LAN ports. When you enable both autonegotiation and UDLD, Layer 1 and Layer 2 detections work together to prevent physical and logical unidirectional connections and the malfunctioning of other protocols.

UDLD aggressive mode is disabled by default. Configure UDLD aggressive mode only on point-to-point links between network devices that support UDLD aggressive mode. With UDLD aggressive mode enabled, when a port on a bidirectional link that has a UDLD neighbor relationship established stops receiving UDLD packets, UDLD tries to reestablish the connection with the neighbor. After eight failed retries, the port is disabled -> C is correct.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/udld.html

Switch Questions

July 7th, 2017 certprepare 306 comments

Question 1

Explanation

The command “mac address-table aging-time 180” specifies the time before an entry ages out and is discarded from the MAC address table. The default is 300 seconds. Entering the value 0 disables the MAC aging.

Question 2

Question 3

Explanation

The switch learns which port a host is attached to by examining the source MAC address of frames received on that port. For example, if the switch receives a frame with a source MAC of 0000.0000.aaaa (abbreviated as “aaaa”) on port Fa0/1, it populates its MAC address table with an entry like “host aaaa on Fa0/1”. If the switch then receives a frame with the same “aaaa” MAC on Fa0/2, the entry flaps and the switch logs something like this:

%MAC_MOVE-SP-4-NOTIF: Host 0000.0000.aaaa in vlan 1 is flapping between port 0/1 and port 0/2

This flapping may be the result of a Layer 2 loop somewhere in your network, especially when STP has been disabled for some reason.

If you don’t want to see this message, issue “no mac-address-table notification mac-move” or place a static entry with “mac-address-table static 0000.0000.aaaa vlan 1 interface fa0/1” on the switch. The command “mac-address-table notification mac-move” is disabled by default on the 6500 & 7600 series but enabled by default on other series.
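Rather than silencing the notification, a defender can treat repeated MAC moves as a loop indicator. The added example below (not from the page or from Cisco) parses constructed syslog lines in the %MAC_MOVE-SP-4-NOTIF format quoted above and flags any host that flaps three or more times within a minute; the threshold, window, and log timestamps are assumptions.

```python
"""Detect MAC address flapping (a possible Layer 2 loop) from switch syslog.

Added example; the log lines below are constructed to match the
%MAC_MOVE-SP-4-NOTIF format quoted above, not captured from a real switch.
The alert threshold (flaps per MAC within a time window) is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime

MAC_MOVE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)(?:\.\d+)?: %MAC_MOVE-SP-4-NOTIF: "
    r"Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)$"
)

# Constructed sample log: one host flapping repeatedly, one unrelated message,
# and one host that moved only once.
SAMPLE_LOG = """\
Sep 21 10:00:01: %MAC_MOVE-SP-4-NOTIF: Host 0000.0000.aaaa in vlan 1 is flapping between port 0/1 and port 0/2
Sep 21 10:00:03: %MAC_MOVE-SP-4-NOTIF: Host 0000.0000.aaaa in vlan 1 is flapping between port 0/2 and port 0/1
Sep 21 10:00:04: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to up
Sep 21 10:00:06: %MAC_MOVE-SP-4-NOTIF: Host 0000.0000.aaaa in vlan 1 is flapping between port 0/1 and port 0/2
Sep 21 10:00:09: %MAC_MOVE-SP-4-NOTIF: Host 0000.0000.bbbb in vlan 20 is flapping between port 0/7 and port 0/8
Sep 21 10:05:00: %MAC_MOVE-SP-4-NOTIF: Host 0000.0000.aaaa in vlan 1 is flapping between port 0/1 and port 0/2
"""


def parse_mac_moves(log_text):
    """Return (timestamp, mac, vlan, frozenset of ports) for every MAC_MOVE line."""
    events = []
    for line in log_text.splitlines():
        m = MAC_MOVE_RE.match(line)
        if not m:
            continue                       # other syslog messages are ignored
        # IOS timestamps carry no year; the parsed year is irrelevant for windows
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["mac"], int(m["vlan"]), frozenset((m["p1"], m["p2"]))))
    return events


def flapping_hosts(events, window_seconds=60, min_flaps=3):
    """Map (mac, vlan) -> set of ports for hosts with >= min_flaps moves in any window."""
    by_host = defaultdict(list)
    for ts, mac, vlan, ports in events:
        by_host[(mac, vlan)].append((ts, ports))
    alerts = {}
    for key, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        start = 0
        for end in range(len(hits)):       # sliding window over sorted timestamps
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= min_flaps:
                alerts[key] = set().union(*(p for _, p in hits[start:end + 1]))
                break
    return alerts


if __name__ == "__main__":
    for (mac, vlan), ports in flapping_hosts(parse_mac_moves(SAMPLE_LOG)).items():
        print(f"possible loop: {mac} in VLAN {vlan} flapping between {sorted(ports)}")
```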

Question 4

Explanation

The command “show mac address-table” displays the MAC address table along with the port associated with each entry. The “show mac address-table address” command, followed by a MAC address, gives a more specific view of that single MAC address.

Question 5

Question 6

Question 7

Question 8

Explanation

If an access port receives a tagged packet (Inter-Switch Link [ISL] or IEEE 802.1Q tagged), the packet is dropped, and the source address is not learned.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swint.html

Question 9

Question 10

Question 11

Explanation

The PortFast feature can be configured on both access and trunk ports. This feature instructs the port to skip the listening and learning states and move to the forwarding state immediately.

The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. The simple example below shows how to configure voice VLAN on an interface:

interface fastethernet0/1
switchport access vlan 10
switchport voice vlan 20

Note: This is not a trunk port (although two VLANs are configured on an interface). Cisco calls this a Multi-Vlan access port.

Question 12

Explanation

An IP phone contains an integrated three-port 10/100 switch. The ports, which are dedicated connections, are described as follows:
* Port 1 connects to the Catalyst series switch or other device that supports Voice-over-IP (VoIP).
* Port 2 is an internal 10/100 interface that carries the phone traffic.
* Port 3 connects to a PC or other device.

ip_phone_2.jpg

To enhance the quality of the VoIP traffic, port 2 and port 3 are often placed in two different VLANs. The VLAN that carries voice traffic to and from the IP Phone is often called the auxiliary VLAN (Port 2 in this case), while the VLAN that carries data traffic is often the native VLAN (Port 3 in this case).

In the picture below the auxiliary VLAN is VLAN 30 while the native VLAN is VLAN 20. To use the IP Phone these two VLANs will need to be configured on the switch.

Cisco_IP_Phone_data_voice_VLANs.jpg

To learn how to configure auxiliary VLAN please read: http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/8.1/configuration/guide/vlans.html#wp1048863.

To learn how to configure voice and data VLAN please read: http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_example09186a0080722cdb.shtml.

VLAN Questions

July 6th, 2017 certprepare 61 comments

Question 1

Explanation

The Port Fast feature is automatically enabled when voice VLAN is configured. When you disable voice VLAN, the Port Fast feature is not automatically disabled.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-1_19_ea1/configuration/guide/3550scg/swvoip.html

Question 2

Explanation

802.1Q VLAN frames are distinguished from ordinary Ethernet frames by the insertion of a 4-byte VLAN tag into the Ethernet header.

802.1q_header.png

Question 3

Explanation

Because the 802.1Q tunneling feature increases the frame size by 4 bytes when the metro tag is added, you must configure all switches in the service-provider network to be able to process maximum frames by increasing the switch system MTU size to at least 1504 bytes.

Question 4

Explanation

The VLAN ID field inside an 802.1Q frame consists of 12 bits. Therefore we have 2^12 = 4096 VLAN IDs, theoretically.

802.1q_header.png

Question 5

Explanation

Each access port can only be assigned to one VLAN, via the “switchport access vlan ” command.

Question 6

Explanation

This command is used to enable tagging of native VLAN frames on all 802.1Q trunk ports.

Answer A is not correct because even when the native VLAN is set to 1, all of the frames of the native VLAN are tagged.

Answer B is not correct because the control traffic still passes via the default VLAN (VLAN 1).

Answer C is not correct because all the frames are tagged with 4-byte dot1q tag.

Only answer D is the best choice, because control traffic (like CDP, VTP, STP, DTP…) uses VLAN 1 for communication. When the native VLAN is tagged (VLAN 1 by default) all control traffic is tagged too. If the native VLAN is not VLAN 1, then all the control traffic on VLAN 1 is tagged by default anyway (without using the above command).

Question 7

Explanation

When you delete a VLAN, any LAN ports configured as access ports assigned to that VLAN become inactive. The ports remain associated with the VLAN (and inactive) until you assign them to a new VLAN.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/vlans.html

Question 8

Explanation

The PortFast feature is automatically enabled when voice VLAN is configured. When you disable voice VLAN, the PortFast feature is not automatically disabled.

Question 9

Question 10

Question 11

Explanation

First let’s review main characteristics of three layers in a campus network:

* Access layer:

+ Low cost per switch port
+ High port density
+ Scalable uplinks to higher layers
+ User access functions such as VLAN membership, traffic and protocol filtering, and quality of service (QoS)
+ Resiliency through multiple uplinks

* Distribution Layer:

+ Aggregation of multiple access-layer devices
+ High Layer 3 throughput for packet handling
+ Security and policy-based connectivity functions through access lists or packet filters
+ QoS features
+ Scalable and resilient high-speed links to the core and access layers

* Core layer:

+ Very high throughput at Layer 3
+ No costly or unnecessary packet manipulations (access lists, packet filtering)
+ Redundancy and resilience for high availability
+ Advanced QoS functions

We can see at Distribution and Core layers, Layer 3 throughput (routing) is very high -> B is correct.

Nowadays, end-to-end VLANs are not recommended in an enterprise network, unless there is a good reason. In an end-to-end VLAN, broadcast traffic is carried over from one end of the network to the other, creating the possibility for a broadcast storm or Layer 2 bridging loop to spread across the whole extent of a VLAN. This can exhaust the bandwidth of distribution and core-layer links, as well as switch CPU resources. Now the storm or loop has disrupted users on the end-to-end VLAN, in addition to users on other VLANs that might be crossing the core.

When such a problem occurs, troubleshooting becomes more difficult. In other words, the risks of end-to-end VLANs outweigh the convenience and benefits.

From that we can infer VLAN traffic should be local to the switch -> D is correct.

(Reference: CCNP SWITCH 642-813 Official Certification Guide)

Question 12

Question 13

VLAN Trunking

July 5th, 2017 certprepare 59 comments

Question 1

Explanation

These errors are generated because the native VLAN is not matched on the two switches (the native VLAN on SW-1 is not the default native VLAN 1 while the native VLAN on the other side is VLAN 1). The errors indicate that spanning tree has detected mismatched native VLANs and has shut down VLAN 1 on the trunk.

We should verify that the native VLAN ID configuration is consistent on the interfaces at each end of the IEEE 802.1Q trunk connection. When the configurations are consistent, spanning tree automatically unblocks the interfaces.

Question 2

Explanation

In 802.1Q, the trunking device inserts a 4-byte tag into the original frame and recomputes the frame check sequence (FCS) before the device sends the frame over the trunk link. At the receiving end, the tag is removed and the frame is forwarded to the assigned VLAN. 802.1Q does not tag frames on the native VLAN. It tags all other frames that are transmitted and received on the trunk.

Reference: http://www.cisco.com/c/en/us/support/docs/lan-switching/8021q/17056-741-4.html

Question 3

Explanation

802.1Q is an industry-standards-based implementation for carrying traffic for multiple VLANs on a single trunking interface between two Ethernet switches. 802.1Q is for Ethernet networks only.

Question 4

Explanation

We can use the “switchport trunk allowed vlan ” to specify which VLANs are allowed to go through. Other VLANs will be dropped.

Question 5

Explanation

Manually configuring trunking with the “switchport mode trunk” command, and manually configuring access interfaces with the “switchport mode access” command, prevents auto trunking on that interface.

Disabling DTP with the “switchport nonegotiate” command, so that DTP messages are not sent out of the interface, is also a good way to prevent auto trunking.

Question 6

Explanation

There are two protocols that can be used for trunking: Inter-Switch Link (ISL) and 802.1Q. We can choose which protocol to run by the “switchport trunk encapsulation “. After that we can configure trunking mode with the “switchport mode trunk” command.

In fact this question is not clear and may cause confusion because Dynamic Trunking Protocol (DTP) is the protocol that can automatically negotiate for trunking.

Note: The DTP options can be dynamic auto, dynamic desirable, and trunk.

Question 7

Explanation

By default all VLANs are allowed to go through a trunk, but if we apply the “switchport trunk allowed vlan ” command then only the listed VLANs are allowed through; other VLANs are dropped, so be careful when limiting VLANs on trunks with this command.

Question 8

Explanation

We can use the “switchport trunk allowed vlan ” to specify which VLANs are allowed to go through. Other VLANs will be dropped.

Question 9

Explanation

First we will explain these two commands:

switchport access vlan 10
switchport mode trunk

The first command is used for an access port whilst the second is used for a trunk, so why are they here at the same time? In fact this interface was set as a trunk. The “switchport access vlan 10” is still there but it does not affect the operational mode of the port -> Gi1/0/1 is a trunk port, so it will not appear in the “show vlan” output.

The “switchport voice vlan 11” command here only tries to confuse you. But it does have an effect on the port: Cisco uses CDP to identify a Cisco IP Phone and will automatically place that phone's traffic into the voice VLAN. For example, if we configure like this:

interface fa0/0
switchport trunk encapsulation dot1q
switchport mode trunk
switchport voice vlan 11

Then the voice traffic from a Cisco IP Phone will be placed into VLAN 11.

Cisco_IP_Phone_data_voice_VLANs.jpg

Note: In the above configuration, the data and voice use the same interface fa0/0 so it should be configured as a trunk link.

(Reference: http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_example09186a0080722cdb.shtml)

Question 10

Explanation

VLAN 1 is always used for CDP, VTP, PAgP traffic (except DTP uses native VLAN) even if VLAN 1 is not the native VLAN. If VLAN 1 is not the native VLAN then CDP, VTP, PAgP traffic will be tagged on the trunk.

In this question, after changing the default native VLAN to 999 while keeping the standard configuration on the other end, we cause a “native VLAN mismatched” error. Besides, CDP, VTP traffic is tagged on the local switch (as VLAN 1 is no longer the native VLAN) so the other end cannot understand them -> CDP, VTP traffic is dropped.

Question 11

VLAN Trunking 2

July 4th, 2017 certprepare 5 comments

Question 1

Explanation

The 802.1Q frame format is the same as 802.3. The only change is the addition of a 4-byte (32-bit) field. That additional header includes a field with which to identify the VLAN number. Because inserting this header changes the frame, 802.1Q encapsulation forces a recalculation of the original FCS field in the Ethernet trailer.
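The following Python is an added example, not code from the original page or from Cisco; it builds an untagged frame, inserts the 4-byte 802.1Q tag the way a trunk does, decodes the 3-bit PCP, 1-bit DEI and 12-bit VLAN ID, and recomputes the CRC-32 that serves as the FCS. It ties together the 4-byte tag (VLAN Questions 2 and 3), the 2^12 = 4096 VLAN IDs (VLAN Questions 4) and the FCS recalculation described just above. The function names and the 1504-byte constant derived from 1500 + 4 are assumptions made for the example.

```python
import struct
import zlib

TPID_8021Q = 0x8100                 # Tag Protocol Identifier that marks a tagged frame
VID_BITS = 12                       # width of the VLAN ID field
MAX_VIDS = 1 << VID_BITS            # 4096 possible IDs (0 and 4095 are reserved by the standard)
TAG_LEN = 4                         # bytes the trunk inserts into the header
MAX_PAYLOAD = 1500
SYSTEM_MTU_FOR_TAGGED = MAX_PAYLOAD + TAG_LEN   # 1504: the system MTU the text requires for 802.1Q tunneling


def build_frame(dst, src, ethertype, payload):
    """Build an untagged 802.3 frame body (no preamble, no FCS) from raw bytes."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return dst + src + struct.pack("!H", ethertype) + payload


def insert_vlan_tag(frame, vid, pcp=0, dei=0):
    """Insert the 4-byte 802.1Q tag after the source MAC, as a trunk port does on egress."""
    if not 0 <= vid < MAX_VIDS:
        raise ValueError(f"VLAN ID must fit in {VID_BITS} bits (0..{MAX_VIDS - 1})")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    tci = (pcp << 13) | (dei << 12) | vid          # Tag Control Information: PCP | DEI | VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame):
    """Decode the header; tagged frames expose pcp/dei/vid, untagged frames report them as None."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "tagged": ethertype == TPID_8021Q, "pcp": None, "dei": None, "vid": None}
    if info["tagged"]:
        tci = struct.unpack("!H", frame[14:16])[0]
        info["pcp"] = tci >> 13
        info["dei"] = (tci >> 12) & 1
        info["vid"] = tci & (MAX_VIDS - 1)
        info["ethertype"] = struct.unpack("!H", frame[16:18])[0]
        info["payload_len"] = len(frame) - 18
    else:
        info["ethertype"] = ethertype
        info["payload_len"] = len(frame) - 14
    return info


def strip_vlan_tag(frame):
    """Remove the tag, as the receiving trunk does before forwarding into the VLAN."""
    return frame[:12] + frame[16:] if parse_frame(frame)["tagged"] else frame


def fcs(frame):
    """Frame Check Sequence: CRC-32 over destination MAC through payload (zlib uses the same polynomial).

    Because the tag changes the bytes under the CRC, the FCS must be recomputed after tagging.
    """
    return zlib.crc32(frame) & 0xFFFFFFFF
```

Running `insert_vlan_tag` on a 1500-byte payload gives exactly the 1504 bytes of header-plus-payload that the tunneling note above asks the switch system MTU to accommodate.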

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Explanation

The “switchport mode trunk” command is the most important one for identifying whether a port is configured in access or trunk mode. In this case, because of the “switchport mode trunk” command, the “switchport access vlan 700” command does not have any effect.

There is no “switchport trunk native vlan …” command so it is using the default native VLAN, which is 1.

VTP Questions

July 3rd, 2017 certprepare 89 comments

Question 1

Explanation

VTP updates can only be forwarded on trunk links.

Question 2

Explanation

VTP version 1 and version 2 support VLANs 1 to 1000 only. Extended-range VLANs are supported only in VTP version 3. If converting from VTP version 3 to VTP version 2, VLANs in the range 1006 to 4094 are removed from VTP control.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/vtp.html

Question 3

Explanation

VTP pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast frames on a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN. In the example below, the Server switch does not send broadcast frames to Sw2 because Sw2 does not have ports in VLAN 10.

VTP_Pruning_Enabled.jpg

Question 4

Explanation

Switch C can receive VLAN information from Switch A so Switch B can forward it to Switch C without updating its VLAN database -> Switch B is in VTP transparent mode.

Question 5

Explanation

VTP updates can only be forwarded on trunk links.

Question 6

Explanation

VTP version 1 and version 2 support VLANs 1 to 1000 only. Extended-range VLANs are supported only in VTP version 3. If converting from VTP version 3 to VTP version 2, VLANs in the range 1006 to 4094 are removed from VTP control.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/vtp.html

Question 7

Explanation

VTP pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast frames on a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN.

Question 8

Explanation

VTP version 1 and version 2 support VLANs 1 to 1000 only. Extended-range VLANs are supported only in VTP version 3. If converting from VTP version 3 to VTP version 2, VLANs in the range 1006 to 4094 are removed from VTP control.

Question 9

Explanation

If a VTP client or server with a null domain receives a VTP message with the domain populated, it will assume the domain of the received message and add applicable VLANs to its database.

Question 10

Explanation

VTP version 1 and version 2 support VLANs 1 to 1000 only. Extended-range VLANs are supported only in VTP version 3. If converting from VTP version 3 to VTP version 2, VLANs in the range 1006 to 4094 are removed from VTP control.

VTP Questions 2

July 2nd, 2017 certprepare 29 comments

Question 1

Explanation

VLAN 1 and VLANs 1002 to 1005 are always pruning-ineligible; traffic from these VLANs cannot be pruned. Extended-range VLANs (VLAN IDs higher than 1005) are also pruning-ineligible. Therefore VTP pruning can be applied only from VLAN 2 to 1001.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swvtp.html

Question 2

Explanation

VTP pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast frames on a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN.

Question 3

Explanation

In client mode we cannot create VLANs, and Switch1 does not have any trunk links, so it cannot receive any VTP updates. No answer offers configuring trunk links, so we have to choose the solution “change VTP mode to server and enable 802.1q”. But this is a dangerous solution because this switch can then “update” other switches with its VLAN database via VTP.

Question 4

Explanation

From the output above we see that Switch Company A cannot receive VTP updates from Switch Company B. Therefore we should check the trunk links connecting the two switches. Manually forcing trunking may be a good solution.

Question 5

Explanation

VTP pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast frames on a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN.

Question 6

Explanation

VLANs 2–1000 are eligible for pruning, but VLAN 1 has a special meaning because it is normally used as a management VLAN and is not eligible for pruning. The only way we can remove VLAN 1 is through the “switchport trunk allowed vlan remove 1” command. But even when you remove VLAN 1 from a trunk port, the interface continues to send and receive management traffic, for example Cisco Discovery Protocol (CDP), Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), DTP, and VTP, in VLAN 1.

A benefit of clearing VLAN 1 is that user data can no longer travel over this VLAN. BPDU traffic is also blocked on this VLAN.

Note: The Cisco IOS-based Catalyst 2900XL/3500XL switches do not allow you to clear VLAN 1 from a trunk; however, the Catalyst 2950/3550, Cisco IOS 4000/4500, and native IOS 6000/6500 switches allow you to clear VLAN 1.

Question 7

Question 8

Explanation

If the revision number of the new switch is higher than that of the other switches in the same VTP domain, it will overwrite the other switches’ VLAN databases even if the new switch operates in VTP client mode. So we should set the VTP mode of the new switch to transparent (which also resets its revision number to 0) before connecting it to our network.
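The following Python is added here as an illustration and is not taken from the page or from Cisco; it models the revision-number rule this explanation relies on: a switch in server or client mode replaces its VLAN database when it hears a higher revision for its domain, a switch with a null domain adopts the sender's domain (VTP Questions, Question 9), a transparent switch ignores the advertisement, and moving to transparent mode resets the local revision to 0. The class and function names (`VtpSwitch`, `connect_to_domain`) and the switch data are assumptions made for the model.

```python
from dataclasses import dataclass


@dataclass
class VtpSwitch:
    """Simplified VTP state of one switch (summary advertisements only)."""
    name: str
    mode: str                          # "server", "client" or "transparent"
    domain: str = None                 # None models a null (unset) domain name
    revision: int = 0
    vlans: frozenset = frozenset({1})

    def set_mode(self, mode):
        """Model of `vtp mode <mode>`: moving to transparent resets the revision to 0."""
        if mode not in ("server", "client", "transparent"):
            raise ValueError(f"unknown VTP mode {mode!r}")
        if mode == "transparent":
            self.revision = 0
        self.mode = mode

    def advertisement(self):
        """What this switch announces on its trunks."""
        return {"domain": self.domain, "revision": self.revision, "vlans": self.vlans}

    def receive(self, advert):
        """Process a summary advertisement; return True if the local database was replaced.

        Client mode gives no protection here: only the domain name and the revision
        number decide whether the received database wins.
        """
        if self.mode == "transparent":
            return False                       # transparent switches forward but do not act on VTP
        if self.domain is None:
            self.domain = advert["domain"]     # null-domain switch adopts the sender's domain
        elif advert["domain"] != self.domain:
            return False
        if advert["revision"] > self.revision:
            self.revision = advert["revision"]
            self.vlans = advert["vlans"]
            return True
        return False


def connect_to_domain(new_switch, production):
    """Trunk `new_switch` to every switch in `production`; return the names whose database it replaced."""
    advert = new_switch.advertisement()
    return [sw.name for sw in production if sw.receive(advert)]


def production_network():
    """Constructed two-switch domain CORP at revision 10 with VLANs 1, 10 and 20."""
    return [VtpSwitch("core", "server", "CORP", 10, frozenset({1, 10, 20})),
            VtpSwitch("access1", "client", "CORP", 10, frozenset({1, 10, 20}))]


if __name__ == "__main__":
    # Unchecked: a reused switch in client mode with a stale, higher revision wins.
    stale = VtpSwitch("lab", "client", "CORP", 50, frozenset({1, 99}))
    print("overwritten:", connect_to_domain(stale, production_network()))
    # Checked: transparent mode first, which zeroes the revision, then the intended mode.
    stale.set_mode("transparent")
    stale.set_mode("client")
    print("overwritten after reset:", connect_to_domain(stale, production_network()))
```

A pre-deployment check that verifies `show vtp status` reports “Configuration Revision: 0” before the first trunk comes up is the operational form of the `set_mode("transparent")` step in the model.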

Question 9

Explanation

VTPv3 supports the extended VLAN range (VLANs 1006 to 4094). VTP versions 1 and 2 only support VLANs 1 to 1005. If extended VLANs are configured, we cannot convert from VTP version 3 to version 1 or 2.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swvtp.html

Question 10

Explanation

These switches are running VTPv1 so they cannot share the MST configuration with each other (only VTPv3 supports MST). Therefore in order to share the same MST with DSW2, DSW1 must be manually configured with the same region name, revision number and VLAN-to-instance mapping with DSW2.

VTP Questions 3

July 1st, 2017 certprepare 5 comments

Question 1

Explanation

During switch boot up, the switch compares the content in the vlan.dat file and the configuration in startup-config to determine if it should use the configuration in vlan.dat or startup-config. When you save VTP mode, domain name, and VLAN configurations in the switch startup configuration file and reboot the switch, the VTP and VLAN configurations are selected by these conditions:
+ If both the VLAN database and the configuration file show the VTP mode as transparent and the VTP domain names match, the VLAN database is ignored. The VTP and VLAN configurations in the startup configuration file are used. The VLAN database revision number remains unchanged in the VLAN database.
+ If the startup VTP mode is server mode, or the startup VTP mode or domain names do not match the VLAN database, VTP mode and VLAN configuration for the first 1005 VLANs are selected by VLAN database information, such as the vlan.dat file. VLANs greater than 1005 are configured from the switch configuration file (startup-config file).

Reference: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-2940-series-switches/109304-manage-vlandat.html

Question 2

Question 3

Question 4

Explanation

VTP pruning should only be enabled on VTP servers, all the clients in the VTP domain will automatically enable VTP pruning -> C is correct.

Question 5

Question 6

Explanation

In addition to propagating VTP information, version 3 can propagate Multiple Spanning Tree (MST) protocol database information. A separate instance of the VTP protocol runs for each application that uses VTP -> Only VTPv3 supports multiple VTP instances -> Answer A is not correct.

VTP version 1 and version 2 support only normal-range VLANs (VLAN IDs 1 to 1005). VTP version 3 supports the entire VLAN range (VLANs 1 to 4094). Extended range VLANs (VLANs 1006 to 4094) are supported only in VTP version 3. You cannot convert from VTP version 3 to VTP version 2 if extended VLANs are configured in the domain.

Only VTPv3 allows VTP to be turned on or off on a per-port basis -> Answers C and E are not correct.

Consistency Checks: In VTP version 2, VLAN consistency checks (such as VLAN names and values) are performed only when you enter new information through the CLI or SNMP. Consistency checks are not performed when new information is obtained from a VTP message or when information is read from NVRAM. Therefore answer D is not correct.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swvtp.html

Question 7

Explanation

In VTP versions 1 and 2, the switch must be in VTP transparent mode when you create extended-range VLANs. VTP version 3 also supports creating extended-range VLANs in client or server mode -> Answer A is correct.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swvtp.html

Extended-range VLANs range from 1006-4094, inclusive. However, if using VTPv1 or VTPv2, these additional VLANs cannot be configured in VLAN database mode, nor stored in the vlan.dat file, nor advertised through VTP (so answer E is not correct). In fact, to configure them, the switch must be in VTP transparent mode. VTPv3 removes these limitations: Both normal- and extended-range VLANs can be advertised by VTPv3. Also, with VTPv3, information about all VLANs is again stored in the vlan.dat file in Flash -> Therefore VTPv3 stores the extended-range VLAN in VLAN database (vlan.dat file).

Reference: CCIE Routing and Switching v5.0 Official Cert Guide, Volume 1, Fifth Edition

VLAN 1 and VLANs 1002 to 1005 are always pruning-ineligible; traffic from these VLANs cannot be pruned. Extended-range VLANs (VLAN IDs greater than 1005) are also pruning-ineligible -> Answer D is correct.

Reference: https://www.cisco.com/c/en/us/support/docs/lan-switching/vtp/10558-21.html

Private VLAN

June 30th, 2017 certprepare 31 comments

Quick review:

The main purpose of Private VLAN (PVLAN) is to provide the ability to isolate hosts at Layer 2 instead of Layer 3. As you know, a VLAN is a broadcast domain; by using PVLAN we split that domain into several smaller broadcast domains. For example, without PVLAN, if a service provider wants to increase security by isolating customers into separate domains so that they cannot access each other, it has to assign them to different VLANs and use different subnets. This can result in a waste of IP addresses and difficulty in VLAN management. Private VLANs (PVLANs) solve this problem by allowing the isolation of devices at Layer 2 within the same subnet. A PVLAN can be thought of as “VLANs inside a VLAN”.

There are three types of ports in PVLAN:

* Isolated: can only communicate with promiscuous ports. Notice that it cannot even communicate with another isolated port. Also, there can be only one isolated VLAN per PVLAN.
* Promiscuous: can communicate with all other ports. The default gateway is usually connected to this port so that all devices in PVLAN can go outside.
* Community: can communicate with other members of that community and promiscuous ports but cannot communicate with other communities. There can be multiple community VLANs per PVLAN.

PVLAN_Promiscuous_Community_Isolated.jpg

For example, in the topology above:

+ Host A cannot communicate with Hosts B, C, D, E and F. It can only communicate with the promiscuous port connected to the router. Notice that even two isolated ports in the same VLAN cannot communicate with each other.

+ Host C can communicate with Host D because they are in the same community but Host C cannot communicate with E and F because they are in a different community.

+ All hosts can go outside through promiscuous port.

Two more concepts are worth mentioning: the “primary VLAN” and the “secondary VLAN”. A PVLAN can have only one primary VLAN; all VLANs in a PVLAN domain share the same primary VLAN. Secondary VLANs are the isolated or community VLANs.

PVLAN_Primary_VLAN_Secondary_VLAN.jpg

Configuration of PVLAN:

1. Set VTP mode to transparent
2. Create secondary (isolated and community) VLANs and primary VLAN
3. Associate secondary VLANs to the primary VLAN
4. Configure interfaces as promiscuous interfaces
5. Configure interfaces to be isolated or community interfaces.

Sample configuration using the topology above (hosts A to F are connected to f0/2 through f0/7; the router is connected to f0/1):

! First set VTP to transparent mode
Switch(config)#vtp mode transparent

! Create secondary VLANs
Switch(config)#vlan 101
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#vlan 102
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#vlan 103
Switch(config-vlan)#private-vlan community

! Create primary VLAN
Switch(config-vlan)#vlan 100
Switch(config-vlan)#private-vlan primary

! Associate secondary (isolated, community) VLANs to the primary VLAN
Switch(config-vlan)#private-vlan association 101,102,103

! Configure the port connected to the router as promiscuous, with the primary VLAN mapped to the secondary VLANs
Switch(config-vlan)# interface f0/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 101,102,103

! Ports connected to hosts A, B, C, D, E, F are configured in host mode and assigned to the appropriate
! secondary VLANs (A and B to isolated VLAN 101; C and D to community VLAN 102; E and F to community VLAN 103).
! Each pair of hosts uses its own pair of ports, so the ranges must not overlap.
! Connected to hosts A and B
Switch(config-if)# interface range f0/2 - 3
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 101

! Connected to hosts C and D
Switch(config-if-range)# interface range f0/4 - 5
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 102

! Connected to hosts E and F
Switch(config-if-range)# interface range f0/6 - 7
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 103

To check the configuration, use this command:

Switch# show vlan private-vlan
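As an added example (not part of the original page and not Cisco code), the following Python encodes the PVLAN reachability rules from the quick review above and checks them against the constructed topology and sample configuration: one primary VLAN 100, isolated VLAN 101 for hosts A and B, community VLANs 102 (C, D) and 103 (E, F), and a promiscuous port to the router. It also enforces the "only one isolated VLAN per primary" rule. The `PrivateVlan`/`Port` classes and the `can_communicate` function are names chosen for this example.

```python
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    ISOLATED = "isolated"
    COMMUNITY = "community"


@dataclass(frozen=True)
class PrivateVlan:
    """A primary VLAN with its associated secondary VLANs (configuration steps 2 and 3)."""
    primary: int
    secondaries: dict        # secondary VLAN ID -> Kind

    def validate(self):
        isolated = [v for v, k in self.secondaries.items() if k is Kind.ISOLATED]
        if len(isolated) > 1:
            raise ValueError(f"only one isolated VLAN is allowed per primary VLAN, got {isolated}")
        if self.primary in self.secondaries:
            raise ValueError("the primary VLAN cannot also be a secondary VLAN")


@dataclass(frozen=True)
class Port:
    """A switch port: a host port belongs to one secondary VLAN, a promiscuous port maps several."""
    name: str
    primary: int
    secondary: int = None                      # None marks a promiscuous port
    promiscuous_map: frozenset = frozenset()   # secondary VLANs mapped on a promiscuous port

    @property
    def is_promiscuous(self):
        return self.secondary is None


def can_communicate(a, b, pvlan):
    """Return True if Layer 2 traffic from port a reaches port b inside `pvlan`."""
    if a.primary != b.primary or a.primary != pvlan.primary:
        return False
    if a.is_promiscuous and b.is_promiscuous:
        return True
    if a.is_promiscuous:
        return b.secondary in a.promiscuous_map
    if b.is_promiscuous:
        return a.secondary in b.promiscuous_map
    # Both are host ports: they must share an associated secondary VLAN, and that VLAN
    # must be a community; two ports in the same isolated VLAN still cannot talk.
    if a.secondary != b.secondary or a.secondary not in pvlan.secondaries:
        return False
    return pvlan.secondaries[a.secondary] is Kind.COMMUNITY


def reachability_matrix(ports, pvlan):
    """Map every ordered pair of distinct port names to its reachability."""
    return {(x.name, y.name): can_communicate(x, y, pvlan)
            for x in ports for y in ports if x is not y}


# Constructed model of the topology and sample configuration above.
PVLAN = PrivateVlan(primary=100,
                    secondaries={101: Kind.ISOLATED, 102: Kind.COMMUNITY, 103: Kind.COMMUNITY})
PORTS = [
    Port("router", 100, promiscuous_map=frozenset({101, 102, 103})),   # f0/1
    Port("A", 100, 101), Port("B", 100, 101),                          # isolated VLAN 101
    Port("C", 100, 102), Port("D", 100, 102),                          # community VLAN 102
    Port("E", 100, 103), Port("F", 100, 103),                          # community VLAN 103
]

if __name__ == "__main__":
    PVLAN.validate()
    for pair, ok in sorted(reachability_matrix(PORTS, PVLAN).items()):
        print(f"{pair[0]:>6} -> {pair[1]:<6} {'yes' if ok else 'no'}")
```

The matrix the model prints is what “show vlan private-vlan” lets you verify by eye on the real switch: every host reaches the router, C and D reach each other, and A and B reach nobody but the router.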

Question 1

Explanation

Before configuring private VLANs, we must set VTP mode to transparent because VTP version 1 and 2 do not support private VLAN (VTP version 3 does support PVLAN). Notice that a switch in VTP transparent mode still forwards other VTP updates to its neighbors.

Question 2

Explanation

There are three types of ports in PVLAN:

* Isolated: can only communicate with promiscuous ports. Notice that it cannot even communicate with another isolated port. Also, there can be only one isolated VLAN per PVLAN.
* Promiscuous: can communicate with all other ports. The default gateway is usually connected to this port so that all devices in PVLAN can go outside.
* Community: can communicate with other members of that community and promiscuous ports but cannot communicate with other communities. There can be multiple community VLANs per PVLAN.

Question 3

Explanation

An isolated VLAN is a secondary VLAN and it can only communicate with the promiscuous port. Also, there can be only one isolated VLAN per PVLAN (although this isolated VLAN can be assigned to many ports, those ports cannot communicate with each other).

Question 4

Explanation

Promiscuous port: can communicate with all other ports. The default gateway is usually connected to this port so that all devices in PVLAN can go outside.

Question 5

Explanation

The default gateway is usually connected to promiscuous port so that all devices in PVLAN can go outside.

Question 6

Question 7

Question 8

Storm Control

June 29th, 2017 certprepare No comments

Question 1

Explanation

Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol-stack implementation, mistakes in network configurations, or users issuing a denial-of-service attack can cause a storm.
Storm control (or traffic suppression) monitors packets passing from an interface to the switching bus and determines if the packet is unicast, multicast, or broadcast. The switch counts the number of packets of a specified type received within the 1-second time interval and compares the measurement with a predefined suppression-level threshold.

Storm control uses one of these methods to measure traffic activity:
+ Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
+ Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
+ Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received

With each method, the port blocks traffic when the rising threshold is reached. The port remains blocked until the traffic rate drops below the falling threshold (if one is specified) and then resumes normal forwarding. If the falling suppression level is not specified, the switch blocks all traffic until the traffic rate drops below the rising suppression level. In general, the higher the level, the less effective the protection against broadcast storms.

The command “storm-control broadcast level 75 65” limits the broadcast traffic up to 75% of the bandwidth (75% is called the rising threshold). The port will start forwarding broadcast traffic again when it drops below 65% of the bandwidth (65% is called the falling threshold).

Note: If you don’t configure the falling threshold, it will use the same value of the rising threshold.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_25_fx/configuration/guide/2960scg/swtrafc.html#wp1063295
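The following Python is an added example, not code from the page or from Cisco; it models the rising/falling threshold behaviour just described as a per-interval state machine, including the default where an omitted falling threshold equals the rising one and the “shutdown” action that err-disables the port (Questions 3 and 7 below). The class name, the `simulate` helper and the sample series of 1-second broadcast loads are constructed for the illustration.

```python
class StormControl:
    """Per-port storm-control state for one traffic type (e.g. broadcast).

    Thresholds are percentages of port bandwidth measured over 1-second intervals,
    matching the "storm-control broadcast level 75 65" form discussed above.
    """

    def __init__(self, rising, falling=None, action="filter"):
        if falling is None:
            falling = rising                  # IOS default: falling threshold = rising threshold
        if not 0 <= falling <= rising <= 100:
            raise ValueError("need 0 <= falling <= rising <= 100")
        if action not in ("filter", "shutdown"):
            raise ValueError("action must be 'filter' (default) or 'shutdown'")
        self.rising, self.falling, self.action = rising, falling, action
        self.blocked = False       # traffic of this type is being dropped on the port
        self.errdisabled = False   # whole port shut down (action shutdown)
        self.storms = 0            # how many times the rising threshold was reached

    def observe(self, percent):
        """Feed one interval's measurement; return True if the traffic is forwarded this interval."""
        if self.errdisabled:
            return False
        if not self.blocked and percent >= self.rising:
            self.blocked = True
            self.storms += 1
            if self.action == "shutdown":
                self.errdisabled = True       # stays down until errdisable recovery or manual reset
                return False
        elif self.blocked and percent < self.falling:
            self.blocked = False              # hysteresis: unblock only below the falling threshold
        return not self.blocked


def simulate(samples, rising, falling=None, action="filter"):
    """Return the per-interval forwarding decisions for a series of load samples."""
    sc = StormControl(rising, falling, action)
    return [sc.observe(p) for p in samples]


# Constructed 1-second broadcast-load samples (percent of port bandwidth), not real telemetry.
SAMPLES = [10, 50, 80, 70, 70, 60, 40, 90]

if __name__ == "__main__":
    print("level 75 65      :", simulate(SAMPLES, 75, 65))
    print("level 75 (no low):", simulate(SAMPLES, 75))
    print("action shutdown  :", simulate(SAMPLES, 75, 65, "shutdown"))
```

With `level 75 65` the port stays blocked through the 70% intervals and resumes only at 60%; with `level 75` alone it resumes as soon as the load dips to 70%, which is why a separate falling threshold is the setting that stops a port oscillating around the limit.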

Question 2

Explanation

By using the “storm-control broadcast level [falling-threshold]” we can limit the broadcast traffic on the switch.

Question 3

Explanation

The command “storm-control action {shutdown | trap}” specifies the action to be taken when a storm is detected. The default is to filter out the traffic and not to send traps.
+ Select the shutdown keyword to error-disable the port during a storm.
+ Select the trap keyword to generate an SNMP trap when a storm is detected.

Question 4

Question 5

Question 6

Question 7

Explanation

There are various reasons for the interface to go into errdisable. The reason can be:
+ Duplex mismatch
+ Port channel misconfiguration
+ BPDU guard violation
+ UniDirectional Link Detection (UDLD) condition
+ Late-collision detection
+ Link-flap detection
+ Security violation
+ Port Aggregation Protocol (PAgP) flap
+ Layer 2 Tunneling Protocol (L2TP) guard
+ DHCP snooping rate-limit
+ Incorrect GBIC / Small Form-Factor Pluggable (SFP) module or cable
+ Address Resolution Protocol (ARP) inspection
+ Inline power

Reference: http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/69980-errdisable-recovery.html

Although the above reference does not mention that storm control can put a port into the err-disable state, we can see it listed in the output of the “show errdisable recovery” command:

show_errdisable_recovery.jpg

Therefore in this question you may find only three correct answers.

More information about storm control:

Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol-stack implementation, mistakes in network configurations, or users issuing a denial-of-service attack can cause a storm.
Storm control (or traffic suppression) monitors packets passing from an interface to the switching bus and determines if the packet is unicast, multicast, or broadcast. The switch counts the number of packets of a specified type received within the 1-second time interval and compares the measurement with a predefined suppression-level threshold.

When a storm is detected, the interfaces configured with the shutdown action of the storm control command are brought down (err-disable state).

EtherChannel Questions

June 29th, 2017 certprepare 102 comments

Notes:

The Port Aggregation Protocol (PAgP) and Link Aggregation Control Protocol (LACP) facilitate the automatic creation of EtherChannels by exchanging packets between Ethernet interfaces. The Port Aggregation Protocol (PAgP) is a Cisco-proprietary solution, and the Link Aggregation Control Protocol (LACP) is standards based.

LACP modes:

+ on: the link aggregation is forced to form without any LACP negotiation. A port-channel is formed only if the peer port is also in “on” mode.
+ off: disables LACP and prevents the ports from forming a port-channel
+ passive: the switch does not initiate the channel, but does understand and respond to incoming LACP packets
+ active: sends LACP packets and is willing to form a port-channel

The table below shows whether an EtherChannel forms for each combination of LACP modes:

LACP      Active   Passive
Active    Yes      Yes
Passive   Yes      No

PAgP modes:

+ on: the link aggregation is forced to form without any PAgP negotiation. A port-channel forms only if the peer port is also in “on” mode.
+ off: disables PAgP and prevents the ports from forming a port-channel
+ desirable: the switch sends PAgP packets and is willing to form a port-channel
+ auto: the switch does not start PAgP negotiation but responds to PAgP packets it receives

The table below shows whether an EtherChannel forms for each combination of PAgP modes:

PAgP        Desirable   Auto
Desirable   Yes         Yes
Auto        Yes         No

An EtherChannel on a Cisco switch can be defined as a Layer 2 EtherChannel or a Layer 3 EtherChannel.
+ For a Layer 2 EtherChannel, physical switchports are placed into a channel group. A logical port-channel interface is created automatically and is configured like any other Layer 2 port (access or trunk). An example of configuring a Layer 2 EtherChannel can be found in Question 1 of this article.

+ For a Layer 3 EtherChannel, the logical port-channel interface is made a routed port (“no switchport” on a Layer 3 switch) and given an IP address; the physical ports are then bound into it with the channel-group command. The Layer 3 EtherChannel is the port-channel interface itself, not a Switch Virtual Interface (SVI).

For more information about EtherChannel, please read our EtherChannel tutorial.

Question 1

Explanation

The table below shows whether an EtherChannel forms for each combination of LACP modes:

LACP      Active   Passive
Active    Yes      Yes
Passive   Yes      No

The table below shows whether an EtherChannel forms for each combination of PAgP modes:

PAgP        Desirable   Auto
Desirable   Yes         Yes
Auto        Yes         No

To form an EtherChannel both sides must use the same EtherChannel protocol (LACP or PAgP). According to the two tables above, of the options in this question only “desirable” and “auto” (both PAgP) can form an EtherChannel bundle.

Note: If we want to use “on” mode, both ends must be configured in “on” mode to create an EtherChannel bundle.

Question 2

Explanation

To form an EtherChannel both sides must use the same EtherChannel protocol (LACP or PAgP).

Question 3

Explanation

In this case the EtherChannel bundle was configured to load-balance on the destination IP address, but there is only one web server (one destination IP address), so every flow hashes to the same link and only one of the EtherChannel links is used to reach the server. To solve this problem we should load-balance on the source IP address, so that traffic from different hosts to the web server is spread across the links in the bundle.

Question 4

Question 5

Explanation

If one end is passive and the other end is active, the EtherChannel forms even though the two switches use different modes and different load-balancing methods. The load-balancing method is a local, per-switch decision that is never negotiated with the peer: Switch1 will load-balance on the destination IP while Switch2 will load-balance on the source MAC address.

Question 6

Explanation

When storm control is configured on an EtherChannel, the storm control settings propagate to the EtherChannel physical interfaces. In the “show etherchannel” command output, the storm control settings appear on the EtherChannel but not on the physical ports of the channel.

Note: You cannot configure storm control on the individual ports of that EtherChannel.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_22ea/SCG/scg/swtrafc.html

Question 7

Explanation

Issue the port-channel load-balance {src-mac | dst-mac | src-dst-mac | src-ip | dst-ip | src-dst-ip | src-port | dst-port | src-dst-port | mpls} global configuration command in order to configure the load balancing.

Question 8

Explanation

An LACP port priority is configured on each port using LACP. The port priority can be left at its default or set through the CLI. LACP combines the port priority with the port number to form the port identifier. The port priority determines which ports are put in standby mode when a hardware limitation prevents all compatible ports from aggregating.

The syntax of LACP port priority is (configured under interface mode):

lacp port-priority priority-value

The value ranges from 1 to 65535 (default 32768). The lower the value, the more likely the port is to be selected as an active link in the bundle rather than a hot-standby link.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/gigeth.html

Question 9

Explanation

The table below shows whether an EtherChannel forms for each combination of PAgP modes:

PAgP        Desirable   Auto
Desirable   Yes         Yes
Auto        Yes         No

For “on” mode, the link aggregation is forced to form without any PAgP negotiation. A port-channel forms only if the peer port is also in “on” mode.

Question 10

Explanation

Interfaces Fa0/13 to Fa0/15 are bundled into Port-channel 12 and are running in “desirable” mode -> the bundle is using PAgP.

EtherChannel Questions 2

June 28th, 2017 certprepare 53 comments

Question 1

Explanation

From the output we see that Server_Switch is currently load balancing on the source MAC address. Changing the load-balancing method to another field solves the problem. In this case C is the best choice because the other answers are clearly incorrect.

Question 2

Explanation

Configuration changes applied to the port-channel interface apply to all the physical ports assigned to the port-channel interface. Configuration changes applied to the physical port affect only the port where you apply the configuration. To change the parameters of all ports in an EtherChannel, apply configuration commands to the port-channel interface, for example, spanning-tree commands or commands to configure a Layer 2 EtherChannel as a trunk.

Note: If we change a parameter on only one physical port of the port-channel, that port no longer matches its peers. For example, if you configure “switchport trunk allowed vlan …” on a single physical port, that port is suspended from the bundle (flag “s” in “show etherchannel summary”), and the port-channel goes down if no compatible member ports remain.

Question 3

Explanation

The EtherChannel provides full-duplex bandwidth of up to 800 Mbps (Fast EtherChannel) or 8 Gbps (Gigabit EtherChannel) between your switch and another switch or host.

Each EtherChannel can consist of up to eight compatibly configured Ethernet interfaces. All interfaces in an EtherChannel must run at the same speed, and all must be configured as either Layer 2 or Layer 3 interfaces.

Note: 800 Mbps full-duplex means data can be transmitted at 800 Mbps and received at 800 Mbps at the same time (1600 Mbps in total).

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-1_13_ea1/configuration/guide/3550scg/swethchl.html

Question 4

Explanation

From the last line of the output, we learn that physical ports Fa0/13, Fa0/14, and Fa0/15 are bundled into Port-channel 1 and use LACP, which is an open-standard protocol.

Question 5

Explanation

The EtherChannel provides full-duplex bandwidth of up to 800 Mbps (Fast EtherChannel) or 8 Gbps (Gigabit EtherChannel) between your switch and another switch or host. Therefore if we have ten Gigabit Ethernet links in the channel, only eight can be active at a time; with LACP the remaining two can be kept as hot-standby links.

Question 6

Explanation

Multichassis LACP (mLACP) is also supported on the 7600 and ASR 9000 series -> A is not correct.

The explanation originally given for answer B was that mLACP supports both FastEthernet and GigabitEthernet. Note, however, that the ASR 920 restrictions quoted below state that mLACP does not support Fast Ethernet, so link-type support is platform dependent and this claim should be checked against the platform named in the question -> treat B with caution.

VSS mode does not support the mLACP for server access feature, but mLACP itself is available on Virtual Switching Systems (VSS). An example combining VSS and mLACP is shown below:

(image: mLACP_VSS.jpg, a port channel spanning the two chassis of a VSS)

In the topology above, the mLACP port channel spans the two chassis of a VSS. Notice that the two chassis of this VSS are connected via a Virtual Switch Link (VSL). The VSL is a special link that carries control and data traffic between the two chassis of a VSS. In this case the VSL is implemented as an EtherChannel with two links.

Some of the restrictions for mLACP are mentioned at http://www.cisco.com/c/en/us/td/docs/routers/asr920/configuration/guide/lanswitch/lanswitch-ethernet-channel-xe-3s-asr920-book/lsw_mlacp.html

+ mLACP does not support Fast Ethernet.
+ mLACP does not support half-duplex links.
+ mLACP does not support multiple neighbors.
+ Converting a port channel to mLACP can cause a service disruption (in a short time) -> D is not correct.

Question 7

Explanation

When enabled, LACP tries to configure the maximum number of LACP-compatible ports in a channel, up to a maximum of 16 ports. Only eight LACP links can be active at one time. The software places any additional links in hot-standby mode. If one of the active links becomes inactive, a link in hot-standby mode becomes active in its place.
If you configure more than eight links for an EtherChannel group, the software automatically decides which of the hot-standby ports to make active based on the LACP priority. The software assigns to every link between systems that operate LACP a unique priority made up of these elements (in priority order):
+ LACP system priority
+ System ID (a combination of the LACP system priority and the switch MAC address)
+ LACP port priority
+ Port number
In priority comparisons, numerically lower values have higher priority. The priority decides which ports are put in standby mode when a hardware limitation prevents all compatible ports from aggregating.
Ports are considered for active use in aggregation in link-priority order, starting with the port attached to the highest-priority link. Each port is selected for active use if the preceding higher-priority selections can also be maintained; otherwise, the port is selected for standby mode.
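The following is an added Python example (not code from the original page or from Cisco) of the selection described in this question and in Question 8 of the previous article: the system with the lower System ID (system priority, then MAC) controls the ordering, its ports are ranked by (port priority, port number), and the first eight become active while the rest go to hot-standby. The switch names, MACs and port numbers are constructed; the example assumes that port i on one switch is cabled to port i on the other.

```python
# Added example, not from the original page: which LACP links become active
# and which go to hot-standby when more than eight ports are in the bundle.
from dataclasses import dataclass

MAX_ACTIVE = 8              # hardware limit: 8 active links, the rest hot-standby
DEFAULT_PRIORITY = 32768    # default lacp system-priority and lacp port-priority


@dataclass(frozen=True)
class LacpPort:
    number: int
    priority: int = DEFAULT_PRIORITY        # lacp port-priority, 1-65535


@dataclass(frozen=True)
class LacpSystem:
    name: str
    mac: str
    system_priority: int = DEFAULT_PRIORITY  # lacp system-priority, 1-65535

    def system_id(self):
        """(system priority, MAC); numerically lower wins."""
        return (self.system_priority, int(self.mac.replace(".", "").replace(":", ""), 16))


def select_active(local, local_ports, remote, remote_ports, max_active=MAX_ACTIVE):
    """Return (active, standby) port numbers on the local switch.

    local_ports[i] is assumed to be cabled to remote_ports[i] (constructed
    assumption). The system with the lower System ID decides, so only that
    side's port priorities and port numbers order the links.
    """
    deciding_is_local = local.system_id() <= remote.system_id()
    side = 0 if deciding_is_local else 1
    pairs = list(zip(local_ports, remote_ports))
    ordered = sorted(pairs, key=lambda p: (p[side].priority, p[side].number))
    active = [p[0].number for p in ordered[:max_active]]
    standby = [p[0].number for p in ordered[max_active:]]
    return active, standby


def demo():
    """Ten links; the local switch has the better system priority and prefers port 10."""
    local = LacpSystem("SW1", "0011.0000.0001", system_priority=4096)
    remote = LacpSystem("SW2", "0011.0000.0002")
    local_ports = [LacpPort(n, 100 if n == 10 else DEFAULT_PRIORITY) for n in range(1, 11)]
    remote_ports = [LacpPort(n) for n in range(1, 11)]
    return select_active(local, local_ports, remote, remote_ports)


if __name__ == "__main__":
    active, standby = demo()
    print("active:", active, "hot-standby:", standby)
```

Lowering a port priority on the switch that does not hold the lower System ID has no effect, which is a common surprise when tuning which links sit in hot-standby.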

(Reference: http://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/12-2_52_ey/configuration/guide/3800x3600xscg/swethchl.html#wp1144010)

Question 8

Explanation

The table below shows whether an EtherChannel forms for each combination of LACP modes:

LACP      Active   Passive
Active    Yes      Yes
Passive   Yes      No

Therefore if switch 1 is configured for LACP in active mode, the other end must be configured in active or passive mode.

Note: If the other end is configured in “on” mode, the EtherChannel will not form, because in “on” mode no negotiation packets are sent, so the neighbor never receives any EtherChannel information.

Question 9

Explanation

When an EtherChannel is created, a logical interface is created on the switch or router to represent that EtherChannel. You configure this logical interface the way you want: for example, assign access or trunk mode on switches, or assign an IP address to the logical interface on routers and Layer 3 switches. An example of a Layer 3 EtherChannel port is shown below:

interface Port-channel12
 description Link to R2
 no switchport
 ip address 10.2.4.13 255.255.255.252

The “no switchport” line is required on a Layer 3 switch to make the port-channel a routed interface; on a router it is not needed.

Question 10

Explanation

To configure EtherChannel load balancing, “issue the port-channel load-balance {src-mac | dst-mac | src-dst-mac | src-ip | dst-ip | src-dst-ip | src-port | dst-port | src-dst-port | mpls} global configuration command”. Of the options offered, only the “source MAC address and destination MAC address” answer (src-dst-mac) is a valid keyword.

Reference this link: http://www.cisco.com/c/en/us/support/docs/lan-switching/etherchannel/12023-4.html

Question 11

Explanation

You can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a connected device. A misconfiguration can occur if the switch interfaces are configured in an EtherChannel, but the interfaces on the other device are not. A misconfiguration can also occur if the channel parameters are not the same at both ends of the EtherChannel.

If the switch detects a misconfiguration on the other device, EtherChannel guard places the switch interfaces in the error-disabled state, and displays an error message.

You can enable this feature by using the “spanning-tree etherchannel guard misconfig” global configuration command.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swstpopt.html

Question 12

Explanation

You can enable EtherChannel guard to detect an EtherChannel misconfiguration if your switch is running PVST+, rapid PVST+, or MSTP.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swstpopt.html

Question 13

Explanation

Follow these guidelines and restrictions when configuring EtherChannel interfaces:
+ EtherChannel support: All Ethernet interfaces on all modules support EtherChannel, with no requirement that interfaces be physically contiguous or on the same module.
+ Speed and duplex: Configure all interfaces in an EtherChannel to operate at the same speed and in the same duplex mode. Also, if one interface in the bundle is shut down, it is treated as a link failure, and traffic will traverse other links in the bundle.
+ VLAN match: All interfaces in the EtherChannel bundle must be assigned to the same VLAN or be configured as a trunk.
+ Range of VLANs: An EtherChannel supports the same allowed range of VLANs on all the interfaces in a trunking Layer 2 EtherChannel.

If the allowed range of VLANs is not the same, the interfaces do not form an EtherChannel, even when set to auto or desirable mode.

Reference: http://www.ciscopress.com/articles/article.asp?p=2348266&seqNum=3

Question 14

Explanation

If all devices send traffic to only one destination MAC address, then we should load-balance on the source MAC (or source IP) address.

If the traffic on a channel is going only to a single MAC address, using the destination MAC address always chooses the same link in the channel; using source addresses or IP addresses might result in better load balancing.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/54sg/configuration/guide/config/channel.html

Note: The “dest-source-MAC” answer (src-dst-mac) would also spread the load, because the hash is derived from both addresses and the source MAC still varies per host. However, if the hosts sit behind a router, every frame arrives with the router's MAC as its source, so only the IP-based methods still vary per host. That is why the “source-IP” answer is the better choice.
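The following is an added Python example (not code from the original page or from Cisco) that serves this question, Question 3 and Question 1 of the EtherChannel articles above. It is a simplified model of the documented behaviour: the switch reduces the selected address fields to a 3-bit value (0-7) and maps those eight buckets onto the member links, which is why a single destination collapses onto one link. The hosts, MACs and IPs are constructed, and the XOR of the low-order bits stands in for the platform-specific hash.

```python
# Added example, not from the original page: a simplified model of the
# EtherChannel hash. The exact hash is ASIC specific; the spreading (or
# polarization) behaviour is what this demonstrates.
from collections import Counter
import ipaddress


def low3(value: int) -> int:
    """The 3-bit (0-7) result the switch uses to pick a link."""
    return value & 0b111


def mac_int(mac: str) -> int:
    return int(mac.replace(":", "").replace(".", ""), 16)


def ip_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


def hash_bucket(method, src_mac, dst_mac, src_ip, dst_ip) -> int:
    """XOR the low-order bits of the fields selected by port-channel load-balance."""
    fields = {
        "src-mac": [mac_int(src_mac)],
        "dst-mac": [mac_int(dst_mac)],
        "src-dst-mac": [mac_int(src_mac), mac_int(dst_mac)],
        "src-ip": [ip_int(src_ip)],
        "dst-ip": [ip_int(dst_ip)],
        "src-dst-ip": [ip_int(src_ip), ip_int(dst_ip)],
    }[method]
    bucket = 0
    for f in fields:
        bucket ^= low3(f)
    return bucket


def choose_link(bucket: int, n_links: int) -> int:
    """Eight buckets over n links: 2 links 4:4, 3 links 3:3:2, 5 links 2:2:2:1:1."""
    return bucket % n_links


def link_distribution(method, flows, n_links):
    """flows: list of (src_mac, dst_mac, src_ip, dst_ip). Returns Counter link -> flows."""
    return Counter(choose_link(hash_bucket(method, *flow), n_links) for flow in flows)


# Constructed sample: one web server, 16 clients.
SERVER_MAC, SERVER_IP = "00:00:0c:00:00:64", "10.1.1.100"
ROUTER_MAC = "00:00:0c:07:ac:01"
# Clients on the same VLAN as the server: distinct source MACs and IPs.
LOCAL_FLOWS = [("00:aa:bb:cc:dd:%02x" % k, SERVER_MAC, f"10.1.1.{k}", SERVER_IP)
               for k in range(1, 17)]
# The same clients reached through a router: every frame carries the router's MAC.
ROUTED_FLOWS = [(ROUTER_MAC, SERVER_MAC, f"10.2.2.{k}", SERVER_IP) for k in range(1, 17)]


if __name__ == "__main__":
    for method in ("dst-ip", "src-ip", "src-dst-mac"):
        print(f"{method:12} local:  {dict(link_distribution(method, LOCAL_FLOWS, 4))}")
        print(f"{method:12} routed: {dict(link_distribution(method, ROUTED_FLOWS, 4))}")
```

Run it and dst-ip lands every flow on one of the four links, src-ip spreads them evenly, and src-dst-mac spreads the local clients but collapses the routed ones, which is exactly the distinction behind the answer choice.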

EtherChannel Questions 3

June 27th, 2017 certprepare 5 comments

Question 1

Explanation

From the outputs of the “show etherchannel summary” commands we learn that Switch1 is configured for EtherChannel with LACP while Switch2 is configured in EtherChannel “on” mode (Protocol shown as “-”) -> the EtherChannel bundle does not come up.

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Explanation

By default, when an LACP channel is configured, the LACP channel mode is passive.

Reference: http://www.cisco.com/c/en/us/support/docs/lan-switching/etherchannel/19642-126.html

Question 10

Explanation

From the output above, we see that the “Protocol” field is empty (a “-” sign). Therefore we can conclude it does not run any EtherChannel protocol (mode “on”). The EtherChannel is up, shown by the “(SU)” flags (“S” means Layer 2 and “U” means in use) -> this is a Layer 2 EtherChannel in mode “on”.
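The following is an added Python example (not code from the original page or from Cisco) for this question and Question 1 of this article: it parses the channel-group line of “show etherchannel summary” from both ends, decodes the flags and protocol, and applies the LACP/PAgP negotiation rules from the mode tables in the first EtherChannel article. The two outputs are constructed in the documented format; the interface names and group numbers are illustrative.

```python
# Added example, not from the original page: parse "show etherchannel summary"
# and decide whether the two ends of a bundle can negotiate.
import re

LINE_RE = re.compile(
    r"^\s*(?P<group>\d+)\s+(?P<pc>Po\d+)\((?P<flags>[A-Za-z]+)\)\s+"
    r"(?P<proto>LACP|PAgP|-)\s+(?P<ports>.*)$"
)
PORT_RE = re.compile(r"(\S+?)\((\w)\)")

FLAG_MEANING = {
    "S": "Layer 2", "R": "Layer 3", "U": "in use", "D": "down",
    "P": "bundled in port-channel", "I": "stand-alone", "s": "suspended",
    "H": "hot-standby (LACP only)", "w": "waiting to be aggregated",
}


def parse_summary(text):
    """Return one dict per channel group found in the command output."""
    groups = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # header, flag legend, separator lines
        groups.append({
            "group": int(m["group"]),
            "port_channel": m["pc"],
            "flags": [FLAG_MEANING.get(f, f) for f in m["flags"]],
            "protocol": None if m["proto"] == "-" else m["proto"],   # '-' = mode on
            "ports": {p: FLAG_MEANING.get(f, f) for p, f in PORT_RE.findall(m["ports"])},
        })
    return groups


def same_protocol(group_a, group_b) -> bool:
    """Both ends must run the same protocol; mode on (None) against LACP/PAgP never bundles."""
    return group_a["protocol"] == group_b["protocol"]


def channel_forms(mode_a: str, mode_b: str) -> bool:
    """Negotiation rules from the LACP and PAgP tables."""
    if "on" in (mode_a, mode_b):
        return mode_a == mode_b                       # on pairs only with on
    lacp, pagp = {"active", "passive"}, {"desirable", "auto"}
    if {mode_a, mode_b} <= lacp:
        return "active" in (mode_a, mode_b)           # passive/passive never forms
    if {mode_a, mode_b} <= pagp:
        return "desirable" in (mode_a, mode_b)        # auto/auto never forms
    return False                                      # LACP against PAgP never forms


# Constructed outputs: Switch1 runs LACP, Switch2 is in mode on.
SWITCH1_OUTPUT = """
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SD)         LACP      Fa0/13(I)   Fa0/14(I)   Fa0/15(I)
"""
SWITCH2_OUTPUT = """
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)          -        Fa0/13(P)   Fa0/14(P)   Fa0/15(P)
"""

if __name__ == "__main__":
    g1, g2 = parse_summary(SWITCH1_OUTPUT)[0], parse_summary(SWITCH2_OUTPUT)[0]
    print(g1["flags"], g1["protocol"], "|", g2["flags"], g2["protocol"])
    print("same protocol:", same_protocol(g1, g2))
```

The mode-on side happily reports its bundle as (SU) while the LACP side sits at (SD) with stand-alone ports, which is what makes this mismatch easy to misread when only one switch is checked.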

STP Questions

June 26th, 2017 certprepare 58 comments

Question 1

Explanation

If we want to view the spanning-tree status of a specific VLAN, use the “show spanning-tree vlan <vlan-id>” command. An example of the output of this command is shown below:

(image: show_spanning-tree_vlan_30.jpg, output of “show spanning-tree vlan 30”)

Question 2

Explanation

SW3 needs to block one of its ports to SW2 to avoid a bridging loop between the two switches. But how does SW3 select its blocked port? The answer is based on the BPDUs it receives from SW2. A BPDU is superior to another if it has:
1. A lower Root Bridge ID
2. A lower path cost to the Root
3. A lower Sending Bridge ID
4. A lower Sending Port ID

These four parameters are examined in order. In this specific case, all the BPDUs sent by SW2 have the same Root Bridge ID, the same path cost to the Root and the same Sending Bridge ID. The only parameter left to select the best one is the Sending Port ID (Port ID = port priority + port index). The lower the port priority value, the higher the priority that port has. Therefore we must change the port-priority on SW2 Fa1/1 to a lower value than that of Fa1/0. Zero is the lowest value we can assign to a port, so we can assign this value to SW2 Fa1/1 (or configure a higher value on Fa1/0). The port priority must be a multiple of 16 between 0 and 240. This is the command to complete this task:

SW2(config)#interface f1/1
SW2(config-if)#spanning-tree vlan <vlan-id> port-priority 0

Note: If we don't change the port priority, SW3 compares the port index values, which are unique to each port on SW2; because Fa1/0 has the lower port index (and therefore the better Port ID), SW3 selects the link to Fa1/0 as its root port and blocks the other port.

Question 3

Explanation

After powering on, the switches start sending BPDUs to elect a root bridge. A BPDU is superior to another if it has:

1. A lower Root Bridge ID
2. A lower path cost to the Root
3. A lower Sending Bridge ID
4. A lower Sending Port ID

From the output above, we learn that SW1 is the root bridge for VLAN 1 (from the “This bridge is the root” line). SW1 has a “Bridge ID Priority” of 1 because SW1 has been configured with a switch priority value of 0, which is the lowest configurable value (highest priority). The extended system ID (the VLAN ID, here VLAN 1) is then added, so the final value is 1.

Question 4

Explanation

After receiving BPDUs from upstream bridges, the switch adds the STP cost of the receiving port to the root path cost in each BPDU and chooses the port with the lowest total as its root port -> the total cost via Fa0/21 is the smallest, so it is chosen as the root port.

Question 5

Explanation

PortFast is often configured on switch ports that connect to hosts. Interfaces with PortFast enabled go to the forwarding state immediately without passing through the listening and learning states. This saves the 30 seconds (two forward-delay timers of 15 seconds) normally spent in those states, and up to 50 seconds when max-age is also involved. To enable this feature, configure this command under interface mode:

Switch(config-if)#spanning-tree portfast

Question 6

Explanation

Although PortFast was configured on all ports, without the trunk keyword it takes effect only on non-trunking ports. If we configure plain PortFast on a trunk port (in this case Fa0/24) we receive these messages:

%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc… to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION

%Portfast has been configured on FastEthernet0/24 but will only have effect when the interface is in a non-trunking mode.

Question 7

Explanation

UplinkFast is a Cisco-specific feature that improves the convergence time of the Spanning Tree Protocol (STP) when an uplink fails. UplinkFast is designed to run in a switched environment where the switch has at least one alternate/backup root port (a port in the blocking state), which is why Cisco recommends enabling UplinkFast only on switches with blocked ports, typically at the access layer.

For example in the topology below:

(image: STP_simple.jpg, triangle topology S1 - S2 - S3)

Suppose S1 is the root bridge in the topology above. S3 is connected to S1 via two paths: one direct path and another through S2. If the port directly connected to S1 is the root port, the port connected to S2 is in the blocking state. If the primary link goes down, the blocked port needs about 50 seconds to move from Blocking -> Listening -> Learning -> Forwarding before it can be used.

To shorten the downtime, UplinkFast can be used. When the primary (root) link fails, the blocked alternate link is brought up immediately. When UplinkFast is enabled, it is enabled for the entire switch and all VLANs; it cannot be enabled for individual VLANs.

Reference: http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10575-51.html

Question 8

Explanation

Every non-root bridge needs to elect a root port. The root port is elected as follows:

1) Based on the lowest cost path to the root bridge
2) Then based on the lowest upstream Bridge ID (Bridge ID = Bridge Priority + MAC)
3) Then based on the lowest upstream Port ID (Port ID = Port Priority + Port Index)

Therefore we can use the STP port cost and the port priority (on the upstream switch) to influence which port becomes the root port.

Question 9

Explanation

PortFast is often configured on switch ports that connect to hosts. Interfaces with PortFast enabled go to the forwarding state immediately without passing through the listening and learning states. This saves the 30 seconds (two forward-delay timers of 15 seconds) normally spent in those states, and up to 50 seconds when max-age is also involved. To enable this feature, configure this command under interface mode:

Switch(config-if)#spanning-tree portfast

Question 10

Question 11

Explanation

If there is more than one connection between two switches, STP automatically blocks all but one of them to prevent a loop. In particular, STP blocks the link with the higher port ID (higher priority value). Therefore if we want to force traffic onto the secondary link we can lower the port priority of the secondary link on the upstream switch. For example:

Switch(config-if)#spanning-tree port-priority 48

Remember that for STP on a switch (Layer 2), a lower value is preferred over a higher value. Many router (Layer 3) features such as HSRP priority work the other way round: a higher value is preferred.

Question 12

Explanation

Spanning Tree Protocol elects a root bridge based on the Bridge IDs. The root bridge is the bridge with the lowest Bridge ID, and Bridge ID = Bridge Priority + MAC Address. Therefore, to prevent a switch from becoming the root bridge we can set its STP priority to the maximum value (61440).

STP Questions 2

June 25th, 2017 certprepare 7 comments

Question 1

Explanation

With dot1q (802.1Q) encapsulation, control frames (STP, CDP, VTP and so on) are sent on VLAN 1 even when the switch native VLAN is changed -> that means the STP BPDU is tagged with VLAN 1 when the native VLAN is set to VLAN 99 -> Answer A is correct.

Reference: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches

Control traffic continues to be accepted untagged on the native VLAN of a trunk port, even when the “vlan dot1q tag native” command is enabled (which tags the native VLAN) -> Answer D is correct.

Reference: http://www.cisco.com/c/m/en_us/techdoc/dc/reference/cli/nxos/commands/l2/vlan-dot1q-tag-native.html

Note: Control traffic is always sent on VLAN 1 when trunking.

Question 2

Question 3

Question 4

Question 5

Explanation

If PortFast is configured on a port and the port receives a BPDU, the port loses its PortFast status and the BPDUs are processed normally.

The “spanning-tree portfast trunk” command makes a trunk port go to Forwarding immediately after coming up. Therefore this command is suitable only on trunk ports leading to Layer 3 devices or end hosts with 802.1Q-tagged NICs, e.g. routers or servers, never on trunks to other switches.

Question 6

STP Questions 3

June 24th, 2017 certprepare 10 comments

Question 1

Explanation

The command “spanning-tree port-priority 0” is better than “spanning-tree port-priority 16”, because interface G1/0 is then preferred over every other interface with the lowest possible Port ID. So answer E is better than B, but the wording in the exam may differ.

Question 2

Question 3

Explanation

If you configure “spanning-tree portfast”, it only takes effect on access (non-trunking) ports; PortFast stays disabled on trunk ports. To enable PortFast on a trunk port you need the trunk keyword (“spanning-tree portfast trunk”).

Question 4

Explanation

The full macro command is “spanning-tree vlan <vlan-id> root primary”. This command runs a macro that sets the switch priority to 24576, or to 4096 less than the current root's priority if that root is already below 24576, so the switch becomes the new root bridge for the specified VLAN. On its own the macro does not adjust the STP timers; only the optional “diameter” keyword also recalculates hello, forward-delay and max-age, so the timer requirement may not appear in the exam.

Question 5

Question 6

Explanation

From the second command output (show spanning-tree mst) we learn that MST instance 1 includes VLANs 10 and 20. Therefore if we want DSW1 to become the root bridge for these VLANs we need to make it the root for MST instance 1 -> the command “spanning-tree mst 1 root primary” does the trick. In fact, this command runs a macro that sets the priority lower than the current root's.

We can also see that the current root bridge for these VLANs has a priority of 32769 (default value + extended system ID), so we can set the priority of DSW1 to a specific lower value. Note that the priority must be a multiple of 4096. Therefore D is also a correct answer.
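The following is an added Python example (not code from the original page or from Cisco) for this question and Question 4 above: it builds the 16-bit priority field from the configurable priority and the 12-bit extended system ID (VLAN for PVST+/RPVST+, instance number for MST), validates the multiple-of-4096 rule, computes what the “root primary” macro would set, and runs a root election on full Bridge IDs. The switch names and MAC addresses are constructed.

```python
# Added example, not from the original page: Bridge ID arithmetic and the
# "root primary" macro behind the STP/MST root bridge questions.
PRIORITY_STEP = 4096
DEFAULT_PRIORITY = 32768
MAX_PRIORITY = 61440


def is_valid_priority(priority: int) -> bool:
    """IOS accepts only 0, 4096, 8192, ... 61440 for spanning-tree vlan/mst priority."""
    return 0 <= priority <= MAX_PRIORITY and priority % PRIORITY_STEP == 0


def bridge_priority_field(priority: int, sys_id_ext: int) -> int:
    """16-bit field = 4-bit configured priority + 12-bit extended system ID."""
    if not is_valid_priority(priority):
        raise ValueError(f"priority must be a multiple of {PRIORITY_STEP} up to {MAX_PRIORITY}")
    if not 0 <= sys_id_ext < PRIORITY_STEP:
        raise ValueError("extended system ID (VLAN or MST instance) must fit in 12 bits")
    return priority + sys_id_ext


def bridge_id(priority: int, sys_id_ext: int, mac: str) -> int:
    """Full 64-bit Bridge ID: priority field in the top 16 bits, MAC below."""
    mac_bits = int(mac.replace(".", "").replace(":", ""), 16)
    return (bridge_priority_field(priority, sys_id_ext) << 48) | mac_bits


def elect_root(bridges: dict) -> str:
    """bridges: name -> Bridge ID. The numerically lowest ID wins."""
    return min(bridges, key=bridges.get)


def root_primary_priority(current_root_priority: int) -> int:
    """What 'spanning-tree vlan <id> root primary' (or 'mst <n> root primary')
    configures: 24576 if that beats the current root, otherwise 4096 below it."""
    if current_root_priority > 24576:
        return 24576
    if current_root_priority < PRIORITY_STEP:
        raise ValueError("current root is already at priority 0; the macro cannot undercut it")
    return current_root_priority - PRIORITY_STEP


def demo():
    """Question 6 scenario: the current root sits at 32769 for MST instance 1 (constructed MACs)."""
    current_root = bridge_id(DEFAULT_PRIORITY, 1, "0011.2233.0001")
    new_priority = root_primary_priority(DEFAULT_PRIORITY)        # 24576
    dsw1 = bridge_id(new_priority, 1, "0011.2233.0002")
    return new_priority, elect_root({"current": current_root, "DSW1": dsw1})


if __name__ == "__main__":
    print("macro sets priority", demo()[0], "-> root is", demo()[1])
```

Because the extended system ID is added to the priority, two switches with the same configured priority still differ in the MAC address, and a switch with a lower MAC wins ties; the macro is only a convenience and a manually chosen lower priority (a multiple of 4096) has exactly the same effect.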

Question 7

Explanation

By calculating and assigning the port cost of the switch ports, you can ensure that the shortest (lowest-cost) path to the root switch is used to transmit data. You can calculate and assign lower path cost values (port costs) to higher-bandwidth ports by using either the short method (the default) or the long method. The short method uses a 16-bit format that yields values from 1 to 65535. The long method uses a 32-bit format that yields values from 1 to 200,000,000.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4000/8-2glx/configuration/guide/spantree.html

The port cost depends on the port speed; the faster interface speeds indicate smaller costs. MST always uses long path costs.

Reference: http://www.cisco.com/c/m/en_us/techdoc/dc/reference/cli/nxos/commands/l2/spanning-tree-mst-cost.html

Question 8

Question 9

Question 10

Explanation

In this question DSW2 is the root bridge because it has the lowest priority value (24576), so all traffic to the core must pass through it. With the short-method STP costs, a 10 Gbps link costs 2 while a 1 Gbps link costs 4, so the paths ASW1 -> DSW1 -> DSW2 and ASW1 -> DSW2 have the same accumulated path cost (2 + 2 = 4 versus 4). The tie is broken by the lower sending Bridge ID, and DSW2 (priority 24576) beats DSW1, so the 1 Gbps port on ASW1 facing DSW2 is chosen as the root port -> traffic goes ASW1 -> DSW2 -> core.

Note: If multiple paths to the root bridge have the same accumulated Spanning Tree path cost on a non-root switch, the port connected to the neighbor switch with the lowest Bridge ID becomes the root port.
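The following is an added Python example (not code from the original page or from Cisco) for this question and for Questions 2, 4 and 8 of the earlier STP articles: it implements the four-step BPDU comparison and root port election, including the port-priority tie-break that Question 2 relies on and the equal-cost tie-break on sending Bridge ID used here. Path costs use the short method (10G = 2, 1G = 4, 100M = 19); the port indexes, MAC addresses and link speeds are constructed.

```python
# Added example, not from the original page: BPDU comparison and root port
# election on a non-root switch.
from dataclasses import dataclass

SHORT_COST = {10_000: 2, 1_000: 4, 100: 19, 10: 100}     # Mb/s -> IEEE short path cost


def port_id(port_priority: int, port_index: int) -> int:
    """802.1D Port ID: 4-bit priority (0-240 in steps of 16) above a 12-bit port index."""
    if port_priority % 16 or not 0 <= port_priority <= 240:
        raise ValueError("port-priority must be a multiple of 16 between 0 and 240")
    if not 0 < port_index < 4096:
        raise ValueError("port index must fit in 12 bits")
    return ((port_priority // 16) << 12) | port_index


def bid(priority_field: int, mac: str) -> int:
    """Bridge ID with the priority field (priority + extended system ID) on top."""
    return (priority_field << 48) | int(mac.replace(".", ""), 16)


@dataclass(frozen=True)
class Bpdu:
    root_id: int
    root_path_cost: int
    sender_bridge_id: int
    sender_port_id: int


def root_port(received: dict) -> str:
    """received: local port name -> (Bpdu, local port speed Mb/s, local Port ID).

    Lowest tuple wins, in order: root ID, cost to the root through this port
    (BPDU cost + this port's cost), sender Bridge ID, sender Port ID, own Port ID.
    """
    def key(item):
        name, (bpdu, speed, own_pid) = item
        return (bpdu.root_id, bpdu.root_path_cost + SHORT_COST[speed],
                bpdu.sender_bridge_id, bpdu.sender_port_id, own_pid)
    return min(received.items(), key=key)[0]


# Question 2: SW3 hears SW2 on two parallel 100 Mb/s links; only the sender
# Port ID differs, so SW2's port-priority decides which link SW3 uses.
ROOT_SW1 = bid(1, "0000.0000.0001")          # priority 0 + VLAN 1
SW2 = bid(32769, "0000.0000.0002")


def sw3_scenario(sw2_fa1_1_priority: int) -> dict:
    return {
        "Fa1/0": (Bpdu(ROOT_SW1, 19, SW2, port_id(128, 1)), 100, port_id(128, 1)),
        "Fa1/1": (Bpdu(ROOT_SW1, 19, SW2, port_id(sw2_fa1_1_priority, 2)), 100, port_id(128, 2)),
    }


# Question 10: ASW1 has 10G to DSW1 (which is 10G from root DSW2) and 1G straight to DSW2.
DSW2 = bid(24577, "0000.0000.00d2")          # root: priority 24576 + VLAN 1
DSW1 = bid(32769, "0000.0000.00d1")


def asw1_scenario() -> dict:
    return {
        "Te1/0/1": (Bpdu(DSW2, 2, DSW1, port_id(128, 3)), 10_000, port_id(128, 49)),
        "Gi1/0/1": (Bpdu(DSW2, 0, DSW2, port_id(128, 5)), 1_000, port_id(128, 1)),
    }


if __name__ == "__main__":
    print("SW3 root port, default priorities:", root_port(sw3_scenario(128)))
    print("SW3 root port after port-priority 0 on SW2 Fa1/1:", root_port(sw3_scenario(0)))
    print("ASW1 root port:", root_port(asw1_scenario()))
```

Note which side is tuned: in Question 2 the change is made on SW2, because SW3 compares the sender Port ID in the BPDUs it receives; changing SW3's own port priority only matters as the very last tie-break.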

Question 11

Explanation

The BPDU Guard feature lets STP shut an access port (err-disable it) when a BPDU is received.

Root Guard ensures that the port on which it is enabled stays the designated port. If the bridge receives superior BPDUs on a root-guard-enabled port, root guard moves the port to the root-inconsistent STP state (equivalent to the STP listening state). No traffic is forwarded across this port. In this way, root guard enforces the position of the root bridge.

Loop guard feature provides additional protection against STP loops. An STP loop is created when an STP blocking port in a redundant topology erroneously transitions to the forwarding state. This usually happens because one of the ports of a physically redundant topology (not necessarily the STP blocking port) no longer receives STP BPDUs. In its operation, STP relies on continuous reception or transmission of BPDUs based on the port role. The designated port transmits BPDUs, and the non-designated port receives BPDUs.

When one of the ports in a physically redundant topology no longer receives BPDUs, STP concludes that the topology is loop free. Eventually, the blocking port (alternate or backup port) becomes designated and moves to the forwarding state. This situation creates a loop.

The loop guard feature makes additional checks. If BPDUs are not received on a non-designated port, and loop guard is enabled, that port is moved into the STP loop-inconsistent blocking state, instead of the listening/learning/forwarding state. Without the loop guard feature, the port assumes the designated port role. The port moves to the STP forwarding state and creates a loop.

So none of the three features above lets the port transition normally between STP states. What about BPDU Filter?

At the global level, you can enable BPDU filtering on Port Fast-enabled interfaces by using the spanning-tree portfast bpdufilter default global configuration command. This command prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swstpopt.html

The second and last sentences of that passage appear contradictory. The first says the command prevents an interface from receiving BPDUs, while the last says that when it receives a BPDU, BPDU filtering is disabled!

In practice the global command only stops the interface from sending BPDUs (after the few sent at link-up). If the interface receives a BPDU, it loses its PortFast status and returns to being a normal switching port (with STP enabled).

There are two ways to configure BPDU filtering feature, one in global configuration mode and one under a specific interface:

Configuring BPDU filter globally:
Switch(config)#spanning-tree portfast bpdufilter default

Configure BPDU Filter on the interface:
Switch(config-if)#spanning-tree bpdufilter enable (this overrides the global bpdufilter command above)

The effect of these two commands differs and you should remember:
+ When BPDU filtering is enabled globally and a BPDU is seen, the port loses its PortFast status, BPDU filtering is disabled on it and the port returns to the normal STP state
+ When BPDU filtering is enabled on a specific port, it prevents that port from sending or receiving BPDUs (any BPDUs seen are dropped), which is effectively disabling STP on the port

Therefore in this question only the global BPDU Filter qualifies: with that configuration the port can still transition between STP states.

Question 12

Question 13


BPDUGuard & BPDUFilter

June 23rd, 2017 certprepare 1 comment

Question 1

Question 2

Question 3

Explanation

There are two ways to re-enable a port that BPDU guard has put into the err-disabled state. The first is to issue “shutdown” followed by “no shutdown” on that port. The second is to enable automatic recovery with the global “errdisable recovery cause bpduguard” command, after which the port is re-enabled when the recovery timer (default 300 seconds) expires; if the offending BPDUs are still arriving, the port is immediately err-disabled again.

Question 4

Explanation

At the global level, you can enable BPDU filtering on Port Fast-enabled interfaces by using the spanning-tree portfast bpdufilter default global configuration command. This command prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swstpopt.html

The second and last sentences of that passage appear contradictory. The first says the command prevents an interface from receiving BPDUs, while the last says that when it receives a BPDU, BPDU filtering is disabled!

In practice the global command only stops the interface from sending BPDUs (after the few sent at link-up). If the interface receives a BPDU, it loses its PortFast status and returns to being a normal switching port (with STP enabled).

Note: There is another important thing we want to mention here: there are two ways to configure BPDU filtering feature, one in global configuration mode and one under a specific interface:

Configuring BPDU filter globally:
Switch(config)#spanning-tree portfast bpdufilter default
Configure BPDU Filter on the interface:
Switch(config-if)#spanning-tree bpdufilter enable (this overrides the global bpdufilter command above)

The effect of these two commands differs and you should remember:
+ When BPDU filtering is enabled globally and a BPDU is seen, the port loses its PortFast status, BPDU filtering is disabled on it and the port returns to the normal STP state
+ When BPDU filtering is enabled on a specific port, it prevents that port from sending or receiving BPDUs (any BPDUs seen are dropped), which is effectively disabling STP on the port
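The following is an added Python example (not code from the original page or from Cisco) covering Questions 3 and 4 of this article and Question 11 of the previous one: a per-port model of what happens when a BPDU arrives under global BPDU filtering, interface-level BPDU filtering and BPDU guard, plus errdisable recovery. The port names are constructed, and the BPDU guard flag is modelled as the interface-level “spanning-tree bpduguard enable”, which applies regardless of PortFast.

```python
# Added example, not from the original page: how a PortFast port reacts to a
# received BPDU under the different BPDU filter / guard configurations.
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    portfast: bool = True
    global_bpdufilter: bool = False   # spanning-tree portfast bpdufilter default
    if_bpdufilter: bool = False       # spanning-tree bpdufilter enable (interface)
    bpduguard: bool = False           # spanning-tree bpduguard enable (interface)
    err_disabled: bool = False
    log: list = field(default_factory=list)

    @property
    def filtering(self) -> bool:
        """Interface filter always applies; the global one only while PortFast is operational."""
        return self.if_bpdufilter or (self.global_bpdufilter and self.portfast)

    def receive_bpdu(self) -> str:
        if self.err_disabled:
            return "dropped (err-disabled)"
        if self.if_bpdufilter:
            # Interface-level filter: BPDU never reaches STP, port keeps forwarding.
            return "dropped (interface bpdufilter)"
        if self.bpduguard:
            self.err_disabled = True
            self.log.append(f"{self.name}: BPDU guard -> err-disabled")
            return "err-disabled (bpduguard)"
        if self.portfast:
            # Global filter and PortFast are both lost; the port becomes a normal STP port
            # and goes through listening/learning before forwarding again.
            self.portfast = False
            self.log.append(f"{self.name}: lost PortFast, BPDU processed normally")
        return "processed by STP"

    def recover(self, recovery_cause_enabled: bool) -> bool:
        """'errdisable recovery cause bpduguard' after the timer, or a manual shut/no shut.
        Returns True when the port is usable again."""
        if self.err_disabled and recovery_cause_enabled:
            self.err_disabled = False
            self.log.append(f"{self.name}: recovered from err-disable")
        return not self.err_disabled


def demo():
    """One port per configuration, each receiving a single BPDU (constructed)."""
    ports = {
        "global-filter": Port("Fa0/1", global_bpdufilter=True),
        "interface-filter": Port("Fa0/2", if_bpdufilter=True),
        "guard": Port("Fa0/3", bpduguard=True),
    }
    return {k: (p.receive_bpdu(), p.portfast, p.err_disabled) for k, p in ports.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:17} -> {result}")
```

The model makes the difference concrete: the global filter is self-healing (the port silently becomes a normal STP port), the interface filter hides the rogue switch entirely, and only BPDU guard produces an err-disabled port that someone has to notice and recover.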

Question 5

Explanation

BPDU Filter is designed to suppress the sending and receiving of BPDUs on an interface. There are two ways of configuring it, under global configuration mode or under interface mode, and they behave subtly differently.

If BPDUFilter is configured globally via this command:

Switch(config)#spanning-tree portfast bpdufilter default

BPDUFilter will be enabled on all PortFast-enabled interfaces and will suppress those interfaces from sending or receiving BPDUs. This is good if the port is connected to a host, because we can enable PortFast on the port to save some start-up time while not allowing BPDUs to be sent out to that host. Hosts do not participate in STP and hence drop the received BPDUs. As a result, BPDU filtering prevents unnecessary BPDUs from being transmitted to host devices.

If BPDUFilter is configured under interface mode like this:

Switch(config-if)#spanning-tree bpdufilter enable

It will suppress the sending and receiving of BPDUs. This is the same as disabling spanning tree on the interface. This option is risky and should be used only when you are sure the port connects only to host devices.
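The difference between the two forms, as an added Python model (not Cisco code and not from the original notes): it encodes the rules stated in the note above and in this question for a PortFast port that receives a BPDU under the global form versus the interface form. The number of BPDUs leaked at link-up and the port names are constructed values.

```python
"""Model of how a PortFast-enabled port reacts to BPDUs under the two BPDU Filter
forms described above. Added illustration, not Cisco code.

  global    -> 'spanning-tree portfast bpdufilter default': applies only while the
               port is in the PortFast operational state; a received BPDU removes
               PortFast, the filter stops applying and the port runs STP normally.
  interface -> 'spanning-tree bpdufilter enable': BPDUs are never sent and received
               ones are dropped, regardless of PortFast (equivalent to disabling STP
               on that port).
"""
from dataclasses import dataclass, field
from typing import List

LINKUP_BPDU_LEAK = 2  # constructed: the text only says "a few" BPDUs are sent at link-up


@dataclass
class EdgePort:
    name: str
    portfast: bool = True
    global_filter: bool = False     # spanning-tree portfast bpdufilter default
    interface_filter: bool = False  # spanning-tree bpdufilter enable (overrides global)
    bpdus_sent: int = 0
    events: List[str] = field(default_factory=list)

    def filter_active(self) -> bool:
        """Is BPDU filtering in effect on this port right now?"""
        if self.interface_filter:
            return True
        return self.global_filter and self.portfast

    def link_up(self) -> None:
        """Bring the port up; the global form leaks a few BPDUs before filtering."""
        if self.global_filter and not self.interface_filter and self.portfast:
            self.bpdus_sent += LINKUP_BPDU_LEAK
            self.events.append(f"{self.name}: sent {LINKUP_BPDU_LEAK} BPDUs at link-up, then filtering")
        elif not self.filter_active():
            self.bpdus_sent += 1
            self.events.append(f"{self.name}: normal STP port, sends BPDUs")
        else:
            self.events.append(f"{self.name}: interface bpdufilter, no BPDUs sent")

    def receive_bpdu(self) -> str:
        """Handle an inbound BPDU; returns 'dropped' or 'processed'."""
        if self.interface_filter:
            self.events.append(f"{self.name}: BPDU dropped (interface bpdufilter)")
            return "dropped"
        if self.global_filter and self.portfast:
            self.portfast = False  # PortFast operational status is lost ...
            self.events.append(f"{self.name}: BPDU seen, PortFast lost, filter off, STP resumes")
            return "processed"      # ... and the BPDU is handed to STP
        self.events.append(f"{self.name}: BPDU processed by STP")
        return "processed"

    def hello_timer(self) -> bool:
        """Does the port transmit a BPDU when the STP hello timer fires?"""
        if self.filter_active():
            return False
        self.bpdus_sent += 1
        return True


def compare_modes() -> dict:
    """Run the same BPDU event against both forms and report the end state."""
    g = EdgePort("Fa0/1", global_filter=True)
    i = EdgePort("Fa0/2", interface_filter=True)
    results = {}
    for port in (g, i):
        port.link_up()
        before = port.filter_active()
        verdict = port.receive_bpdu()
        results[port.name] = {
            "filtering_before": before,
            "bpdu": verdict,
            "portfast_after": port.portfast,
            "sends_bpdu_after": port.hello_timer(),
        }
    return results


if __name__ == "__main__":
    for name, state in compare_modes().items():
        print(name, state)
```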

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swstpopt.html

Question 6

Explanation

The “spanning-tree portfast bpdufilter default” command is configured under global configuration mode. To stop receiving unwanted BPDUs (for easier troubleshooting), he can issue “spanning-tree portfast bpdufilter default” under global configuration mode. This enables BPDUFilter on all PortFast-enabled interfaces and suppresses those interfaces from sending or receiving BPDUs. This is good if the port is connected to a host, because we can enable PortFast on the port to save some start-up time while not allowing BPDUs to be sent out to that host. Hosts do not participate in STP and hence drop the received BPDUs. As a result, BPDU filtering prevents unnecessary BPDUs from being transmitted to host devices.

Question 7

Root Guard

June 23rd, 2017 certprepare 1 comment

Question 1

Explanation

Root guard does not allow the port to become an STP root port, so the port is always STP-designated. If a better BPDU arrives on this port, root guard does not take the BPDU into account or elect a new STP root. Instead, root guard puts the port into the root-inconsistent STP state, which is equivalent to the listening state. No traffic is forwarded across this port.

Below is an example of where to configure Root Guard on the ports. Notice that Root Guard is always configured on designated ports.

Root_Guard_Location.jpg

To configure Root Guard use this command:

Switch(config-if)# spanning-tree guard root

Reference: http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10588-74.html

Question 2

Question 3

Question 4

Question 5

Question 6

RSTP Questions

June 23rd, 2017 certprepare 23 comments

Question 1

Explanation

There are five port roles in RSTP:

* Root port – A forwarding port that is the closest to the root bridge in terms of path cost
* Designated port – A forwarding port for every LAN segment
* Alternate port – The best alternate path to the root bridge. This path is different from the one through the root port. The alternate port moves to the forwarding state if there is a failure on the designated port for the segment.
* Backup port – A backup/redundant path to a segment where another bridge port already connects. The backup port applies only when a single switch has two links to the same segment (collision domain). To have two links to the same collision domain, the switch must be attached to a hub.
* Disabled port – Not strictly part of STP, a network administrator can manually disable a port

There is no “blocking” port role as in STP. The “alternate” and “backup” roles exist only in RSTP.

Question 2

Explanation

RSTP is backward compatible with STP 802.1D. If an RSTP-enabled port receives a (legacy) 802.1D BPDU, it automatically configures itself to behave like a legacy port. It then sends and receives 802.1D BPDUs only.

Question 3

Explanation

When a switch (bridge) discovers a topology change, it generates a TCN (Topology Change Notification) BPDU (Bridge Protocol Data Unit) and sends it out its root port. The upstream switch (bridge) replies to the sender with a TCA (Topology Change Acknowledgment) BPDU.
The upstream switch (the bridge which received the TCN BPDU) generates another TCN BPDU and sends it out via its own root port. The process continues until the root switch (bridge) receives the TCN BPDU.
When the root switch (bridge) is aware that there is a topology change in the network, it starts sending its Configuration BPDUs with the topology change (TC) bit set. These Configuration BPDUs are received by every switch (bridge) in the network, so all bridges become aware of the topology change.

The switch never generates a TCN when a port configured for PortFast goes up or down -> it means no TC will be created for PortFast (or Edge Port) -> D is correct.

(Reference: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094797.shtml)

MST Questions

June 22nd, 2017 certprepare 13 comments

Question 1

Explanation

Instead of using Per-VLAN Spanning Tree (PVST) or Rapid PVST, which run a separate STP instance for each active VLAN (20 VLANs would require 20 STP instances), Multiple Spanning Tree (MST) maps multiple VLANs into a spanning tree instance, thereby reducing the number of spanning-tree instances needed. MST also reduces switch resource usage and managerial burdens.

Question 2

Explanation

Besides two MST instances 1 & 2, Instance 0 is a special instance for a region, known as the Internal Spanning Tree (IST). The IST always exists on all ports; you cannot delete the IST. By default, all VLANs are assigned to the IST. All other MST instances are numbered from 1 to 4094. The IST is the only STP instance that sends and receives BPDUs. All of the other MSTI information is contained in MST records (M-records), which are encapsulated within MST BPDUs.

Note:
+ The Common Spanning Tree (CST) interconnects the MST regions and any instance of 802.1D and 802.1w STP that may be running on the network
+ A Common and Internal Spanning Tree (CIST) is a collection of the ISTs in each MST region.

Question 3

Explanation

Unlike Per-VLAN Spanning Tree (PVST) which maintains a spanning tree instance for each VLAN configured in the network, Multiple Spanning Tree (MST) maps multiple VLANs into a spanning tree instance, thereby reducing the number of spanning-tree instances needed. MST also reduces switch resources and managerial burdens.

Question 4

Question 5

SPAN Questions

June 22nd, 2017 certprepare 40 comments

Question 1

Explanation

We can add the “monitor session 1 filter vlan 10” command to limit the monitored traffic to VLAN 10 only.

Question 2

Explanation

The network engineer is connecting to the Distribution switch but he wants to monitor an access switch -> remote SPAN must be used. An example of configuring remote SPAN which uses vlan 40 is shown below:

Access-Switch(config)#monitor session 1 source interface FastEthernet 0/1
Access-Switch(config)#monitor session 1 destination remote vlan 40
Distribution-Switch(config)#monitor session 2 source remote vlan 40
Distribution-Switch(config)#monitor session 2 destination interface FastEthernet 0/5

Question 3

Explanation

This command limits the monitored traffic to VLANs 1 to 8, 39 and 52 only.

Question 4

Explanation

From the output we see the status of gi0/12 is “monitoring”. It means this port is currently the destination of a SPAN session.

Question 5

Explanation

This is how to configure Remote SPAN (RSPAN) feature on two switches. Traffic on FastEthernet0/1 of Switch 1 will be sent to Fa0/10 of Switch2 via VLAN 40.

+ Configure on both switches
Switch1,2(config)#vlan 40
Switch1,2(config-vlan)#remote-span
+ Configure on Switch1
Switch1(config)#monitor session 1 source interface FastEthernet 0/1
Switch1(config)#monitor session 1 destination remote vlan 40
+ Configure on Switch2
Switch2(config)#monitor session 5 source remote vlan 40
Switch2(config)#monitor session 5 destination interface FastEthernet 0/10

So without the “remote-span” command on both switches, RSPAN cannot work properly.

Question 6

Explanation

The first command points out the source interface and the direction to be monitored, which is Gi0/4 and inbound traffic (rx) in this case. The second command tells our device to monitor only VLAN 3 running on Gi0/4 (notice that Gi0/4 is a trunk link). The last command requests monitored traffic to be sent to the destination port Gi0/5.

Question 7

Explanation

A source port can be monitored by multiple SPAN sessions, but a destination port can be used by one session only. A destination port or a reflector port does not participate in STP while its SPAN session is active.

For more limitations of configuring SPAN please visit this link: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/system_management/configuration/guide/sm_nx_os_cg/sm_14span.html#wp1239658

Question 8

Explanation

From the outputs we learn that SPAN session 1 is incomplete because only the source is configured:

monitor session 1 source remote vlan 50

-> It needs to specify the destination port

while SPAN session 2 is configured correctly with source and destination ports:

monitor session 2 source interface fa0/14 (both)
monitor session 2 destination interface fa0/15

Question 9

Question 10

Question 11

SPAN Questions 2

June 21st, 2017 certprepare 1 comment

Question 1

Question 2

Question 3

Explanation

A physical port that belongs to an EtherChannel group can be configured as a SPAN source port and still be a part of the EtherChannel. In this case, data from the physical port is monitored as it participates in the EtherChannel. However, if a physical port that belongs to an EtherChannel group is configured as a SPAN destination, it is removed from the group.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swspan.html

Question 4

Explanation

Remote SPAN (RSPAN) is used when the source ports are not located on the same switch as the destination port. RSPAN is an advanced feature that requires a special VLAN to carry the monitored traffic and is not supported by all switches.

The Configuring SPAN and RSPAN guide (http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_40_se/configuration/guide/scg/swspan.pdf) mentions two things:

+ We recommend that you configure an RSPAN VLAN before you configure an RSPAN source or a destination session.
+ First create a new VLAN to be the RSPAN VLAN for the RSPAN session

But this question asks about “Cisco recommendation” so answer C is the better one.

Question 5

Question 6

Explanation

The RSPAN VLAN carries SPAN traffic between RSPAN source and destination sessions. It has these special characteristics:
+ All traffic in the RSPAN VLAN is always flooded.
+ No MAC address learning occurs on the RSPAN VLAN.
+ RSPAN VLAN traffic only flows on trunk ports.
+ RSPAN VLANs must be configured in VLAN configuration mode by using the remote-span VLAN configuration mode command.
+ STP can run on RSPAN VLAN trunks but not on SPAN destination ports.
+ An RSPAN VLAN cannot be a private-VLAN primary or secondary VLAN.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750e_3560e/software/release/12-2_55_se/configuration/guide/3750escg/swspan.pdf


Question 8

Explanation

RSPAN extends SPAN by enabling remote monitoring of multiple switches across your network. The traffic for each RSPAN session is carried over a user-specified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches (therefore answer B is correct). The SPAN traffic from the sources is copied onto the RSPAN VLAN through a reflector port and then forwarded over trunk ports that are carrying the RSPAN VLAN to any RSPAN destination session monitoring the RSPAN VLAN.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_11_yj4/configuration/guide/lrescg/swspan.html

The RSPAN VLAN carries SPAN traffic between RSPAN source and destination sessions. One of the special characteristics is “No MAC address learning occurs on the RSPAN VLAN”.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750e_3560e/software/release/12-2_55_se/configuration/guide/3750escg/swspan.pdf

Question 9

Explanation

A destination port has these characteristics:

+ …
+ It does not participate in any of the Layer 2 protocols (STP, VTP, CDP, DTP, PagP).

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swspan.html

StackWise Questions

June 20th, 2017 certprepare 19 comments

Question 1

Explanation

The switches are united into a single logical unit using special stack interconnect cables that create a bidirectional closed-loop path. This bidirectional path acts as a switch fabric for all the connected switches. Network topology and routing information is updated continuously through the stack interconnect. All stack members have full access to the stack interconnect bandwidth. The stack is managed as a single unit by a master switch, which is elected from one of the stack member switches.

Each switch in the stack has the capability to behave as a master or subordinate (member) in the hierarchy. The master switch is elected and serves as the control center for the stack. Both the master and member switches act as forwarding processors. Each switch is assigned a number. Up to nine separate switches can be joined together. Switches can be added to and removed from the stack without affecting stack performance.

Reference: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3750-series-switches/prod_white_paper09186a00801b096a.html

Question 2

Explanation

When we add a new switch to an existing switch stack, the election will take place automatically to choose a master switch. We don’t have to configure anything on the newly added switch. In the case you want the newly added switch to become the master, use this command then reload it:

switch(config)# switch 1 priority 15

Note: Turn off the switch before connecting the stackwise cables. Only turn it on after finishing connecting stackwise cables.

Question 3

Explanation

The picture below shows how StackWise cables are connected between switches:

stack_wise.jpg

When the stackwise cables are fully connected (as shown above), the stack ring speed is 32Gbps full-duplex. To efficiently load balance the traffic, the stackwise cables function bi-directionally with two 16 Gbps counter-rotating rings. It means packets are allocated between two logical counter-rotating paths. Each counter-rotating path supports 16 Gbps in both directions, yielding a traffic total of 32 Gbps bidirectionally.

A break in any one of the cables will result in the stack bandwidth being reduced to half (16 Gbps) of its full capacity.

Question 4

Question 5

Explanation

Subordinate switches keep their own spanning trees for each VLAN that they support. The master switch keeps a copy of all spanning tree tables for each VLAN in the stack. When a new VLAN is added or removed, all the existing switches will receive a notification of this event and update their tables accordingly.

Reference: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3750-series-switches/prod_white_paper09186a00801b096a.html

Question 6

Question 7

Question 8

Explanation

mLACP_VSS.jpg

Notice that the two chassis of this VSS are connected via a Virtual Switch Link (VSL). The VSL is a special link that carries control and data traffic between the two chassis of a VSS. In this case the VSL is implemented as an EtherChannel with two links.

DHCP Snooping

June 19th, 2017 certprepare 63 comments

Quick review of DHCP Spoofing:

DHCP_Spoofing_Attack.jpg

DHCP spoofing is a type of attack in which the attacker listens for DHCP Requests from clients and answers them with a fake DHCP Response before the authorized DHCP Response reaches the clients. The fake DHCP Response often gives the attacker’s IP address as the client’s default gateway -> all the traffic sent from the client goes through the attacker’s computer, and the attacker becomes a “man-in-the-middle”.

The attacker can have some ways to make sure its fake DHCP Response arrives first. In fact, if the attacker is “closer” than the DHCP Server then he doesn’t need to do anything. Or he can DoS the DHCP Server so that it can’t send the DHCP Response.

DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.

DHCP_Spoofing_Attack_Trust_Untrust_Ports.jpg

Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of DHCP messages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP response is seen on an untrusted port, the port is shut down.

Question 1

Explanation

To retain the bindings across switch reloads, you must use the DHCP snooping database agent. Without this agent, the bindings established by DHCP snooping are lost upon switch reload. Connectivity is lost as well.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dhcp.html#wp1090370

Question 2

Explanation

Static DHCP snooping binding defines a mapping between a fixed IP address and the client’s MAC address. Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host. This is how to configure a static DHCP snooping binding entry:

Switch#ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface expiry seconds

Question 3

Explanation

IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host’s IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.

Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host’s ability to attack the network by claiming a neighbor host’s IP address.

Therefore if the switch receives a packet that does not match any entries found in the DHCP binding database, that packet is assumed to be spoofed and will be discarded.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/ipsrcgrd.html

Question 4

Explanation

The command “ip verify source port-security” enables IP source guard with source IP and MAC address filtering. When using this command, there are two caveats:
+ The DHCP server must support option 82, or the client is not assigned an IP address.
+ The MAC address in the DHCP packet is not learned as a secure address. The MAC address of the DHCP client is learned as a secure address only when the switch receives non-DHCP data traffic.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_53_se/configuration/guide/2960scg/swdhcp82.html

Question 5

Explanation

The following restrictions apply to IP source guard:
+ Supported only on ingress Layer 2 ports (including access and trunk ports)
+ Supported only in hardware; not applied to any traffic that is processed in software.
+ Does not support filtering of traffic based on MAC address.
+ Is not supported on private VLANs.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/ip_source_guard.pdf

Question 6

Explanation

The DHCP snooping binding database contains information about untrusted hosts with leased IP addresses. Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, the VLAN number and interface information associated with the host.

Question 7

Explanation

The port connected to a DHCP server should be configured as a trusted port with the “ip dhcp snooping trust” command. Other ports connecting to hosts are untrusted ports by default.

Question 8

Explanation

DHCP snooping database contains MAC address-to-IP address bindings which Dynamic ARP Inspection (DAI) uses to determine the validity of an ARP packet.

Question 9

Explanation

When IP Source Guard with source IP filtering is enabled on an untrusted interface, DHCP snooping must be enabled because it filters traffic based on IP information stored in the corresponding DHCP binding table entry.

Question 10

Explanation

The function of DAI is:

+ Intercepts all ARP requests and responses on untrusted ports
+ Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
+ Drops invalid ARP packets

On untrusted ports, the switch captures all ARP packets (both request and reply) and then validates the Source Protocol and Source Hardware address values against the snooping table database for that port.
If the MAC address and IP address and the corresponding port do not match the snooping database entry, the ARP packets are dropped. DAI thus prevents the node from specifying a non-legitimate IP-MAC address binding which differs from what was given by the DHCP server.
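The binding database and its two consumers described in Questions 3, 8 and 10 (IP Source Guard and Dynamic ARP Inspection), as an added Python model that is not Cisco code and not part of the original notes. Packets are constructed dictionaries rather than real frames, and the port names, MAC and IP addresses are made up for the illustration.

```python
"""DHCP snooping binding database plus the two features that consume it:
Dynamic ARP Inspection (DAI) and IP Source Guard (IPSG). Added example, not
Cisco code; packets are constructed dictionaries and all addresses/ports are
made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DHCP_SERVER_PORT = 67  # UDP port a client sends DISCOVER/REQUEST to


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    lease_time: int  # seconds remaining
    kind: str        # "dhcp-snooping" (learned) or "static"


class DhcpSnoopingDatabase:
    def __init__(self) -> None:
        self.trusted_ports: set = set()
        self.bindings: List[Binding] = []

    def trust(self, interface: str) -> None:
        """'ip dhcp snooping trust': only these ports may carry server replies."""
        self.trusted_ports.add(interface)

    def add_static(self, mac: str, ip: str, vlan: int, interface: str, expiry: int) -> None:
        """Equivalent of 'ip dhcp snooping binding <mac> vlan <id> <ip> interface <if> expiry <s>'."""
        self.bindings.append(Binding(mac.lower(), ip, vlan, interface, expiry, "static"))

    def learn_from_ack(self, client_mac: str, ip: str, vlan: int, client_port: str,
                       lease: int, server_ingress: str) -> bool:
        """Learn a binding from a DHCP ACK. Replies arriving on untrusted ports are rejected."""
        if server_ingress not in self.trusted_ports:
            return False  # rogue server: the reply is dropped and nothing is learned
        self.bindings.append(Binding(client_mac.lower(), ip, vlan, client_port, lease, "dhcp-snooping"))
        return True

    def find(self, vlan: int, interface: str, ip: Optional[str] = None,
             mac: Optional[str] = None) -> Optional[Binding]:
        """Binding on this VLAN/port matching the given IP and/or MAC (None = don't care)."""
        for b in self.bindings:
            if b.vlan == vlan and b.interface == interface \
               and (ip is None or b.ip == ip) and (mac is None or b.mac == mac.lower()):
                return b
        return None


def dai_inspect(db: DhcpSnoopingDatabase, arp: Dict[str, str], vlan: int,
                ingress: str) -> Tuple[bool, str]:
    """DAI: an ARP packet on an untrusted port must carry a sender IP/MAC pair from the database."""
    if ingress in db.trusted_ports:
        return True, "trusted port, not inspected"
    b = db.find(vlan, ingress, ip=arp["sender_ip"], mac=arp["sender_mac"])
    if b is None:
        return False, "sender IP/MAC does not match any binding on this port: dropped"
    return True, f"matches {b.kind} binding"


def ipsg_filter(db: DhcpSnoopingDatabase, pkt: Dict[str, object], vlan: int, ingress: str,
                mac_filtering: bool = False) -> Tuple[bool, str]:
    """IPSG: 'ip verify source' (IP only) or 'ip verify source port-security' (IP and MAC)."""
    if pkt.get("udp_dst") == DHCP_SERVER_PORT:
        return True, "DHCP client traffic is always allowed"
    mac = str(pkt["src_mac"]) if mac_filtering else None
    b = db.find(vlan, ingress, ip=str(pkt["src_ip"]), mac=mac)
    if b is None:
        return False, "no matching binding: assumed spoofed, dropped in hardware"
    return True, "permitted"


def build_demo_database() -> DhcpSnoopingDatabase:
    """Constructed topology: server uplink on Fa0/1, one learned and one static client."""
    db = DhcpSnoopingDatabase()
    db.trust("Fa0/1")
    db.learn_from_ack("00:11:22:33:44:55", "10.0.0.10", 1, "Fa0/14", 3600, "Fa0/1")
    db.add_static("00:aa:bb:cc:dd:ee", "10.0.0.20", 1, "Fa0/15", 86400)
    return db
```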

Question 11

Explanation

The DHCP snooping database stores at least 8,000 bindings.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html

Question 12

Explanation

IP Source Guard is a security feature that restricts IP traffic on untrusted Layer 2 ports by filtering traffic based on the DHCP snooping binding database or manually configured IP source bindings.

Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host’s ability to attack the network by claiming a neighbor host’s IP address.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/ip_source_guard.html

Before enabling IP Source Guard, DHCP Snooping must be enabled as a prerequisite. Let’s see an example of how to configure IP Source Guard.

IP_Source_Guard.jpg

Enable DHCP Snooping first:

Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 1
Switch(config)#int fa0/1
Switch(config-if)#ip dhcp snooping trust
Switch(config)#int fa0/14
Switch(config-if)#ip dhcp snooping limit rate 20

Next we can start configuring IP Source Guard.

Switch(config)#int fa0/14
Switch(config-if)#ip verify source

IP Source Guard is configured at the access layer (in this case under interface Fa0/14) and uses the DHCP Snooping database, or static IP binding entries, to dynamically create ACLs on a per-port basis. Any traffic which doesn’t match the binding entries is dropped in hardware.

If we want to enable IP source guard with source IP and MAC address filtering, use the command “ip verify source port-security” instead (port security and option 82 are not necessary if you are not using MAC verification).

Now that IP Source Guard is clear, let’s look at option 82.

When a client initially connects to a port protected by IP Source Guard (Fa0/14 of the switch in the case above), only DHCP discover and request messages are allowed; everything else is dropped. An important point to keep in mind is that at this stage no traffic, including DHCP, causes the switch to add an entry for the client in the CAM table, so when the DHCP server responds with an offer the switch does not know where to send the packet. And when DHCP snooping is enabled, replies from the DHCP server are not flooded out all ports if there is no entry in the CAM, so the DHCP offer is dropped. To get around this, DHCP option 82 (Relay Agent Information) is necessary. Option 82 is a frequently misunderstood value, probably because, unlike other options, it is not set by the DHCP server; rather, it is set by an intermediary device such as a DHCP relay agent or a switch. Option 82 is made up of two fields, the circuit ID and the remote ID.

When a DHCP packet is received on an untrusted port, the switch adds the option 82 information and sends it on its way; if the option 82 field already exists, the packet is dropped (this behavior can be changed with the “ip dhcp snooping information option allow-untrusted” command under interface configuration). When the DHCP server receives the discover, it is expected to return the option 82 values with its offer. Assuming the server does support option 82 and returns an offer with the information intact, the switch determines whether it is the originator of the option 82 information by checking whether the MAC address in the remote ID field matches its own. It then looks at the VLAN, module and port carried in the circuit ID field to find out which port the packet should be sent out of, strips option 82 from the packet and forwards it to that port. The same process occurs with the request and ack portion of DHCP. If the offer is sent back from the DHCP server without the option 82 information, the switch is unable to determine where the packet should be sent and drops it.

Reference: http://vcabbage.com/networking/2010/08/07/ip-source-guard.html
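The option 82 handling described above, as an added Python example (not Cisco code and not from the referenced article): it parses the Relay Agent Information option in the default Cisco sub-option encoding (circuit ID carrying VLAN, module and port; remote ID carrying the switch MAC), inserts the option on an untrusted ingress port, and uses the returned option to locate the client port for a server reply. The switch MAC, VLAN and port numbers are constructed.

```python
"""Parser and switch-side handling for DHCP option 82 (Relay Agent Information).
Added example, not Cisco code. Sub-option layout follows Cisco's documented
default: circuit ID = 00 04 <vlan:2> <module:1> <port:1>, remote ID = 00 06 <mac:6>.
"""
import struct
from typing import Dict, List, Optional, Tuple

OPT_MSG_TYPE = 53
OPT_RELAY_AGENT = 82
OPT_END = 255
SUB_CIRCUIT_ID = 1
SUB_REMOTE_ID = 2


def parse_options(buf: bytes) -> List[Tuple[int, bytes]]:
    """Walk DHCP option TLVs (pad = 0, end = 255); raises ValueError on truncation."""
    out, i = [], 0
    while i < len(buf):
        code = buf[i]
        if code == 0:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        out.append((code, value))
        i += 2 + length
    return out


def serialize_options(opts: List[Tuple[int, bytes]]) -> bytes:
    return b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])


def build_option82(vlan: int, module: int, port: int, switch_mac: str) -> bytes:
    """Build the option 82 value a switch inserts for a client on vlan/module/port."""
    circuit = b"\x00\x04" + struct.pack("!HBB", vlan, module, port)
    remote = b"\x00\x06" + bytes.fromhex(switch_mac.replace(":", ""))
    return (bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUB_REMOTE_ID, len(remote)]) + remote)


def parse_option82(value: bytes) -> Dict[str, object]:
    """Decode the sub-options into {'vlan', 'module', 'port', 'remote_mac'}."""
    subs = {c: v for c, v in parse_options(value + bytes([OPT_END]))}  # same TLV layout
    circuit, remote = subs.get(SUB_CIRCUIT_ID), subs.get(SUB_REMOTE_ID)
    if circuit is None or remote is None:
        raise ValueError("option 82 lacks circuit ID or remote ID")
    if len(circuit) != 6 or circuit[:2] != b"\x00\x04":
        raise ValueError("circuit ID not in Cisco default format")
    if len(remote) != 8 or remote[:2] != b"\x00\x06":
        raise ValueError("remote ID not in Cisco default format")
    vlan, module, port = struct.unpack("!HBB", circuit[2:])
    return {"vlan": vlan, "module": module, "port": port,
            "remote_mac": ":".join(f"{b:02x}" for b in remote[2:])}


def on_untrusted_ingress(options: bytes, vlan: int, module: int, port: int,
                         switch_mac: str, allow_untrusted: bool = False) -> Optional[bytes]:
    """Client packet on an untrusted port: insert option 82, or drop (None) if it is
    already present and 'ip dhcp snooping information option allow-untrusted' is off."""
    opts = parse_options(options)
    if any(c == OPT_RELAY_AGENT for c, _ in opts):
        return options if allow_untrusted else None
    opts.append((OPT_RELAY_AGENT, build_option82(vlan, module, port, switch_mac)))
    return serialize_options(opts)


def on_server_reply(options: bytes, switch_mac: str) -> Tuple[str, Optional[str], Optional[bytes]]:
    """Server reply: find the client port from option 82 and strip the option.
    Returns ('forward', 'vlan V module M port P', stripped_options) or ('drop', reason, None)."""
    opts = parse_options(options)
    o82 = [v for c, v in opts if c == OPT_RELAY_AGENT]
    if not o82:
        return "drop", "no option 82: client port unknown (no CAM entry yet)", None
    try:
        info = parse_option82(o82[0])
    except ValueError as exc:
        return "drop", f"bad option 82: {exc}", None
    if info["remote_mac"] != switch_mac.lower():
        return "drop", "remote ID is not this switch: not the originator", None
    stripped = serialize_options([(c, v) for c, v in opts if c != OPT_RELAY_AGENT])
    return "forward", f"vlan {info['vlan']} module {info['module']} port {info['port']}", stripped


SWITCH_MAC = "00:1a:2b:3c:4d:5e"                       # constructed
DISCOVER_OPTS = bytes([OPT_MSG_TYPE, 1, 1, OPT_END])   # constructed DHCPDISCOVER, no option 82
```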

Question 13

Question 14

Explanation

DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities:

+ Validates DHCP messages received from untrusted sources and filters out invalid messages.
+ Rate-limits DHCP traffic from trusted and untrusted sources.
+ Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
+ Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

Reference: https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/snoodhcp.html

AAA Questions

June 18th, 2017 certprepare 35 comments

Question 1

Explanation

AAA security provides the following services:
+ Authentication – Identifies users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol that you select, encryption.
Authentication is the process of verifying the identity of the person or device accessing the Cisco NX-OS device, which is based on the user ID and password combination provided by the entity trying to access the Cisco NX-OS device. Cisco NX-OS devices allow you to perform local authentication (using the local lookup database) or remote authentication (using one or more RADIUS or TACACS+ servers).
+ Authorization – Provides access control.
AAA authorization is the process of assembling a set of attributes that describe what the user is authorized to perform. Authorization in the Cisco NX-OS software is provided by attributes that are downloaded from AAA servers. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights with the appropriate user.
+ Accounting – Provides the method for collecting information, logging the information locally, and sending the information to the AAA server for billing, auditing, and reporting.

In conclusion, authorization specifies which resources the users are allowed to access.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_aaa.html

Question 2

Explanation

In the “aaa authentication login login radius local” command, the first “login” is a keyword which authenticates users who want exec access into the access server (tty, vty, console and aux). The second “login” is a list name. The “radius local” part indicates that RADIUS authentication should be used first; if the RADIUS server does not reply, the local database is used to authenticate.

Question 3

Question 4

Explanation

Method lists are specific to the authorization type requested:
+ Auth-proxy – Applies specific security policies on a per-user basis. For detailed information on the authentication proxy feature, refer to the chapter “Configuring Authentication Proxy” in the “Traffic Filtering and Firewalls” part of this book.
+ Commands – Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level.
+ EXEC – Applies to the attributes associated with a user EXEC terminal session.
+ Network – Applies to network connections. This can include a PPP, SLIP, or ARAP connection.
+ Reverse Access – Applies to reverse Telnet sessions.

When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed. The only exception is the default method list (which is named “default”). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, local authorization takes place by default.

Question 5

Explanation

For 802.1x port-based authentication, the Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco Secure Access Control Server version 3.0. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html)

Question 6

Explanation

The console port is authenticated with the NO_AUTH list. But this list does not contain any authentication method (it uses “none”), so no authentication is required when connecting to the console port.

Question 7

Explanation

The VTY line can be accessed via Telnet and SSH by default. It is authenticated by “default” list which is defined with the “aaa authentication login default group radius local line” command. Therefore users who access via Telnet or SSH are authenticated via RADIUS first, then local database and finally line VTY password.

Note: The “group” keyword provides a way to group existing server hosts. The feature allows the user to select a subset of the configured server hosts and use them for a particular service. Therefore we can understand “group radius” here means “some pre-defined radius servers”.
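The method-list walk described in Questions 2, 6 and 7, as an added Python model (not Cisco code and not from the original notes). It shows the caveat a practitioner wants to remember: a later method is consulted only when the current one returns an error (no reply), while an explicit reject from a reachable RADIUS server ends the evaluation with access denied. Server names, user names and passwords are constructed; the assumption that an empty local user database returns an error rather than a failure is labelled in the code.

```python
"""Model of how an AAA login method list such as
'aaa authentication login default group radius local line' is evaluated.
Added example, not Cisco code; all names and secrets are constructed.
"""
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Result(Enum):
    PASS = "pass"    # the method authenticated the user
    FAIL = "fail"    # the method reached a decision: reject
    ERROR = "error"  # the method could not decide (server unreachable, empty database)


Method = Callable[[str, str], Result]


def group_radius(servers: Dict[str, Optional[Dict[str, str]]]) -> Method:
    """'group radius': try the servers of the group in order; None means no reply."""
    def method(user: str, password: str) -> Result:
        for _name, user_db in servers.items():
            if user_db is None:
                continue  # timed out, try the next server in the group
            return Result.PASS if user_db.get(user) == password else Result.FAIL
        return Result.ERROR  # every server in the group timed out
    return method


def local(user_db: Dict[str, str]) -> Method:
    """'local': the switch's own username database."""
    def method(user: str, password: str) -> Result:
        if not user_db:
            return Result.ERROR  # assumption: no usernames configured counts as error, not reject
        return Result.PASS if user_db.get(user) == password else Result.FAIL
    return method


def line(password: str) -> Method:
    """'line': the password configured on the VTY line itself."""
    return lambda _user, pw: Result.PASS if pw == password else Result.FAIL


def none() -> Method:
    """'none': no authentication at all (the NO_AUTH console list above)."""
    return lambda _user, _pw: Result.PASS


def authenticate(method_list: List[Tuple[str, Method]], user: str,
                 password: str) -> Tuple[bool, List[str]]:
    """Walk the list in order; returns (access granted, trace of per-method results)."""
    trace: List[str] = []
    for name, method in method_list:
        result = method(user, password)
        trace.append(f"{name}: {result.value}")
        if result is Result.PASS:
            return True, trace
        if result is Result.FAIL:
            return False, trace  # an explicit reject is final; later methods are not tried
        # ERROR: fall through to the next method
    trace.append("all methods returned error: denied")
    return False, trace


def default_list(radius_servers: Dict[str, Optional[Dict[str, str]]],
                 local_users: Dict[str, str], vty_password: str) -> List[Tuple[str, Method]]:
    """'aaa authentication login default group radius local line'."""
    return [("group radius", group_radius(radius_servers)),
            ("local", local(local_users)),
            ("line", line(vty_password))]
```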

Question 8

Explanation

You can configure port security and 802.1X on the same interfaces. Port security secures the MAC addresses that 802.1X authenticates. 802.1X processes packets before port security processes them, so when you enable both on an interface, 802.1X is already preventing inbound traffic on the interface from unknown MAC addresses.

When you enable 802.1X and port security on the same interface, port security continues to learn MAC addresses by the sticky or dynamic method, as configured. Additionally, depending on whether you enable 802.1X in single-host mode or multiple-host mode, one of the following occurs:
+ Single host mode—Port security learns the MAC address of the authenticated host.
+ Multiple host mode—Port security drops any MAC addresses learned for this interface by the dynamic method and learns the MAC address of the first host authenticated by 802.1X.

If a MAC address that 802.1X passes to port security would violate the applicable maximum number of secure MAC addresses, the device sends an authentication failure message to the host.

The device treats MAC addresses authenticated by 802.1X as though they were learned by the dynamic method, even if port security previously learned the address by the sticky or static methods. If you attempt to delete a secure MAC address that has been authenticated by 802.1X, the address remains secure.

If the MAC address of an authenticated host is secured by the sticky or static method, the device treats the address as if it were learned by the dynamic method, and you cannot delete the MAC address manually.

Port security integrates with 802.1X to reauthenticate hosts when the authenticated and secure MAC address of the host reaches its port security age limit.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_portsec.html#wp1258157

Question 9

Question 10

Explanation

The client/server packet exchange consists primarily of the following types of RADIUS messages:
+ Access-Request – sent by the client (NAS) requesting access
+ Access-Reject – sent by the RADIUS server rejecting access
+ Access-Accept – sent by the RADIUS server allowing access
+ Access-Challenge – sent by the RADIUS server requesting more information in order to allow access. The NAS, after communicating with the user, responds with another Access-Request.

When you use RADIUS accounting, the client and server can also exchange the following two types of messages:
+ Accounting-Request—sent by the client (NAS) requesting accounting
+ Accounting-Response—sent by the RADIUS server acknowledging accounting

Reference: http://www.cisco.com/c/en/us/td/docs/net_mgmt/access_registrar/1-7/concepts/guide/radius.html
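The exchange listed above, carried out on the wire as an added example (not code from the page or from the Cisco document it cites): the NAS builds an Access-Request with a fresh Request Authenticator, a toy server answers Access-Accept or Access-Reject, and the NAS only trusts the reply if its Response Authenticator was computed with the same shared secret. The message codes and attribute types are the RFC 2865 values; the username, secret and NAS address are constructed, and User-Password hiding and Message-Authenticator are left out.

```python
"""RADIUS Access-Request / reply exchange with Response Authenticator check,
as an added example (not from the page or the Cisco document it cites).

Only the packet framing and the RFC 2865 Response Authenticator are shown;
User-Password hiding and the Message-Authenticator attribute are omitted.
"""
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE, ACCESS_CHALLENGE = 4, 5, 11
USER_NAME, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 4, 18        # attribute types

def pack_attrs(attrs):
    """Attributes are Type(1) Length(1) Value, with Length covering all three."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)

def encode(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes..."""
    body = pack_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(pkt):
    """Parse a packet, rejecting inconsistent lengths instead of reading past them."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, pkt[4:20], attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = pack_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body))
                       + request_auth + body + secret).digest()

def server_reply(request, secret, users):
    """Toy RADIUS server: Access-Accept for a known User-Name, else Access-Reject."""
    _, ident, req_auth, attrs = decode(request)
    known = dict(attrs).get(USER_NAME) in users
    code = ACCESS_ACCEPT if known else ACCESS_REJECT
    reply_attrs = [(REPLY_MESSAGE, b"Welcome" if known else b"Unknown user")]
    auth = response_authenticator(code, ident, reply_attrs, req_auth, secret)
    return encode(code, ident, auth, reply_attrs)

def nas_verify(reply, request_auth, ident, secret):
    """NAS side: accept only a reply whose Identifier matches the outstanding
    request and whose Response Authenticator was computed with our secret."""
    code, rid, auth, attrs = decode(reply)
    expected = response_authenticator(code, rid, attrs, request_auth, secret)
    return rid == ident and hmac.compare_digest(auth, expected)

def exchange(username, nas_secret, server_secret=None, users=frozenset({b"alice"})):
    """Full client/server round trip. Returns 'accept', 'reject' or 'invalid'
    ('invalid' = the reply failed verification, e.g. the shared secrets differ)."""
    ident, req_auth = 7, os.urandom(16)                  # fresh Request Authenticator
    request = encode(ACCESS_REQUEST, ident, req_auth,
                     [(USER_NAME, username), (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))])
    reply = server_reply(request, server_secret or nas_secret, users)
    if not nas_verify(reply, req_auth, ident, nas_secret):
        return "invalid"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}[decode(reply)[0]]
```

The third outcome, “invalid”, is what a NAS configured with the wrong shared secret sees: the server's Access-Accept arrives but is discarded, which is why a secret mismatch shows up as authentication simply never succeeding.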

Question 11

Question 12

Explanation

“aaa authentication login” specifies that you want to use authentication. You need to give the authentication parameters a list name, either default or some other name you define:

aaa authentication login {default | list-name} group {group-name | radius | tacacs+} [method 2…3…4]

Two of the methods are:
+ “local-case” which uses case-sensitive local username authentication
+ “if-authenticated” which allows the user to access the requested function if the user is authenticated. 

Note: The purpose of the “if-authenticated” method here is that when the router cannot communicate with the TACACS server, the router authenticates the user itself and then treats the user as authorized (because he was previously authenticated), so the user login is successful.

Let’s find out the meaning of the command “aaa authentication login default group tacacs+ local-case if-authenticated”. It means that to authenticate to this router for logins use the default group which is tacacs+. If tacacs+ fails then use the local user account configured on the router (make sure you have a local user configured on your router).

Notice the “if-authenticated” keyword at the end of this line. This is saying that if we are authenticated we will immediately be dropped into exec (enable) mode.

HSRP Questions

June 17th, 2017 certprepare 32 comments

If you are not sure about HSRP, please read our HSRP tutorial.

Question 1

Explanation

The “standby track” command allows you to specify another interface on the router for the HSRP process to monitor in order to alter the HSRP priority for a given group. If the line protocol of the specified interface goes down, the HSRP priority is reduced. This means that another HSRP router with higher priority can become the active router if that router has standby preempt enabled. An example of using this command is shown below:

interface Ethernet0
ip address 171.16.6.5 255.255.255.0
standby 1 ip 171.16.6.100
standby 1 priority 105
standby 1 preempt
standby 1 track Serial0

Question 2

Question 3

Explanation

The default decrement priority value of HSRP is 10 so 1,5,20 are wrong values -> B, C and D are not correct.

In “standby 1 track 100” command, “100” is the tracked object number, not the decrement value. Here we don’t specify a decrement value so the default value will be used -> Answer A is correct. An example of configuring tracked object number with HSRP is shown below:

Switch(config)# track 100 interface GigabitEthernet 0/0/0 line-protocol
Switch(config-track)# exit
Switch(config)# interface GigabitEthernet 0/0/0
Switch(config-if)# standby 1 track 100

If you want to specify a decrement value, use the “standby 1 track 100 decrement” command followed by the decrement value instead.

Question 4

Explanation

The configuration of many hundreds of subinterfaces on the same physical interface, with each subinterface having its own HSRP group, can cause the processes of negotiation and maintenance of multiple HSRP groups to have a detrimental impact on network traffic and CPU utilization.

Only one HSRP group is required on a physical interface for the purposes of electing active and standby devices. This group is known as the master group. Other HSRP groups may be created on each subinterface and linked to the master group via the group name. These linked HSRP groups are known as client or slave groups.

The HSRP group state of the client groups follows that of the master group. Client groups do not participate in any sort of device election mechanism.

Client groups send periodic messages in order to refresh their virtual MAC addresses in switches and learning bridges. The refresh message may be sent at a much lower frequency compared with the protocol election messages sent by the master group.

The standby follow command configures an HSRP group to become an IP redundancy client of another HSRP group.
Client or slave groups must be on the same physical interface as the master group.
A client group takes its state from the master group it is following. Therefore, the client group does not use its timer, priority, or preemption settings. A warning is displayed if these settings are configured on a client group.

The following example shows how to configure HSRP group 2 as a client to the HSRP1 master group:
Router(config-if)# standby 2 follow HSRP1

Reference:
+ http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-mt/fhp-15-mt-book/fhp-hsrp-mgo.html
+ http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/command/fhp-cr-book/fhp-s2.html#wp6905113930

Question 5

Question 6

Question 7

Explanation

From the output, we learn that the “Standby router is unknown”, so we can conclude R2 cannot see other HSRP routers in this group. The problem can be a spanning-tree loop or an HSRP misconfiguration (for example another router is configured with the virtual IP address 10.10.1.1 but in a different HSRP group). But from the error message we see R2 can still communicate via its Fa1/0, so the problem may not be a spanning-tree loop.

Question 8

Question 9

Question 10

HSRP Hotspot

June 16th, 2017 certprepare 80 comments

Question


For your information, the “show running-config” commands are posted below for your reference but please notice in the exam you have to issue this command to get the output:

DSW1#show running-config

interface Vlan101
 ip address 192.168.101.1 255.255.255.0
 standby 1 ip 192.168.101.254
 standby 1 priority 200
 standby 1 track GigabitEthernet1/0/1 55
!
interface Vlan102
 ip address 192.168.102.1 255.255.255.0
 standby 2 ip 192.168.102.254
 standby 2 priority 200
 standby 2 preempt
 standby 2 track GigabitEthernet1/0/1 5
!
interface Vlan103
 ip address 192.168.103.1 255.255.255.0
 standby 3 ip 192.168.103.254
 standby 3 priority 200
 standby 3 preempt
 standby 3 track GigabitEthernet1/0/1
!
interface Vlan104
 ip address 192.168.104.1 255.255.255.0
 standby 4 ip 192.168.104.254
 standby 4 priority 150
 standby 4 preempt
 standby 4 track GigabitEthernet1/0/1 1
!
interface Vlan105
 ip address 192.168.105.1 255.255.255.0
 standby 5 ip 192.168.105.254
 standby 5 priority 150
 standby 5 preempt
 standby 5 track GigabitEthernet1/0/1 55

DSW2#show running-config

interface Vlan101
 ip address 192.168.101.2 255.255.255.0
 standby 1 ip 192.168.101.254
 standby 1 priority 150
 standby 1 preempt
 standby 1 track GigabitEthernet1/0/1
!
interface Vlan102
 ip address 192.168.102.2 255.255.255.0
 standby 2 ip 192.168.102.254
 standby 2 priority 190
 standby 2 preempt
 standby 2 track GigabitEthernet1/0/1
!
interface Vlan103
 ip address 192.168.103.2 255.255.255.0
 standby 3 ip 192.168.103.254
 standby 3 priority 190
 standby 3 preempt
 standby 3 track GigabitEthernet1/0/1 50
!
interface Vlan104
 ip address 192.168.104.2 255.255.255.0
 standby 4 ip 192.168.104.254
 standby 4 priority 200
 standby 4 preempt
 standby 4 track GigabitEthernet1/0/1 55
!
interface Vlan105
 ip address 192.168.105.2 255.255.255.0
 standby 5 ip 192.168.105.254
 standby 5 preempt
 standby 5 track GigabitEthernet1/0/1
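To work through the hotspot, here is an added example (not part of the page) that parses three of the SVIs from the DSW1/DSW2 configurations above and applies the HSRP rules used throughout this category: default priority 100, default track decrement 10, and a router without “standby preempt” never taking over from a working active router. The parser and the election logic are my own; the one assumption is that equal priorities are broken by the higher interface IP address (the RFC 2281 rule), and the scenarios below avoid that tie.

```python
"""HSRP active-router election for the DSW1/DSW2 hotspot above (added example)."""
import re
from ipaddress import IPv4Address

# Excerpts copied from the DSW1/DSW2 "show running-config" output on this page
# (VLANs 101, 104 and 105 only, to keep the example short).
DSW1_CONFIG = """
interface Vlan101
 ip address 192.168.101.1 255.255.255.0
 standby 1 ip 192.168.101.254
 standby 1 priority 200
 standby 1 track GigabitEthernet1/0/1 55
interface Vlan104
 ip address 192.168.104.1 255.255.255.0
 standby 4 ip 192.168.104.254
 standby 4 priority 150
 standby 4 preempt
 standby 4 track GigabitEthernet1/0/1 1
interface Vlan105
 ip address 192.168.105.1 255.255.255.0
 standby 5 ip 192.168.105.254
 standby 5 priority 150
 standby 5 preempt
 standby 5 track GigabitEthernet1/0/1 55
"""
DSW2_CONFIG = """
interface Vlan101
 ip address 192.168.101.2 255.255.255.0
 standby 1 ip 192.168.101.254
 standby 1 priority 150
 standby 1 preempt
 standby 1 track GigabitEthernet1/0/1
interface Vlan104
 ip address 192.168.104.2 255.255.255.0
 standby 4 ip 192.168.104.254
 standby 4 priority 200
 standby 4 preempt
 standby 4 track GigabitEthernet1/0/1 55
interface Vlan105
 ip address 192.168.105.2 255.255.255.0
 standby 5 ip 192.168.105.254
 standby 5 preempt
 standby 5 track GigabitEthernet1/0/1
"""
DEFAULT_PRIORITY, DEFAULT_DECREMENT = 100, 10   # HSRP defaults
LINK = "GigabitEthernet1/0/1"

def parse_hsrp(config):
    """Parse the standby settings of each SVI from running-config text."""
    svis, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            cur = svis[m[1]] = {"priority": DEFAULT_PRIORITY, "preempt": False, "track": {}}
        elif m := re.match(r"ip address (\S+)", line):
            cur["ip"] = IPv4Address(m[1])
        elif m := re.match(r"standby \d+ priority (\d+)", line):
            cur["priority"] = int(m[1])
        elif re.match(r"standby \d+ preempt$", line):
            cur["preempt"] = True
        elif m := re.match(r"standby \d+ track (\S+)(?: (\d+))?$", line):
            cur["track"][m[1]] = int(m[2]) if m[2] else DEFAULT_DECREMENT
    return svis

ROUTERS = {"DSW1": parse_hsrp(DSW1_CONFIG), "DSW2": parse_hsrp(DSW2_CONFIG)}

def rank(name, vlan, down):
    """(effective priority, IP): priority minus the decrement of each tracked interface
    that is down. ASSUMPTION: equal priorities are broken by the higher IP (RFC 2281)."""
    cfg = ROUTERS[name][vlan]
    prio = cfg["priority"] - sum(dec for iface, dec in cfg["track"].items()
                                 if iface in down.get(name, ()))
    return prio, cfg["ip"]

def simulate(vlan, events=()):
    """Elect with all links up, then apply (router, interface, 'down'|'up') events.
    Returns the active router after the initial election and after each event."""
    down = {}
    active = max(ROUTERS, key=lambda n: rank(n, vlan, down))
    history = [active]
    for router, iface, state in events:
        s = down.setdefault(router, set())
        s.add(iface) if state == "down" else s.discard(iface)
        # Without preempt a higher-ranked router never takes over from the current active.
        for other in ROUTERS:
            if (other != active and ROUTERS[other][vlan]["preempt"]
                    and rank(other, vlan, down) > rank(active, vlan, down)):
                active = other
        history.append(active)
    return history

if __name__ == "__main__":
    for vlan in ("Vlan101", "Vlan104", "Vlan105"):
        for r in ("DSW1", "DSW2"):
            print(vlan, f"{r} {LINK} down then up:", simulate(vlan, [(r, LINK, "down"), (r, LINK, "up")]))
```

Running it shows the three behaviours the hotspot is testing: on Vlan101 DSW1 loses the active role when its uplink fails and never gets it back because it lacks preempt; on Vlan104 a decrement of 55 on DSW2 is enough for DSW1 (150, preempt) to take over; on Vlan105 DSW2 runs at the default priority of 100, so DSW1's decrement of 55 hands the role over and its preempt takes it back on recovery.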


VRRP Questions

June 15th, 2017 certprepare 5 comments

Question 1

Explanation

Unlike HSRP or GLBP, VRRP is an open standard.

Question 2

Explanation

In VRRP, the active router is referred to as the master virtual router.

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Explanation

VRRP has three authentication schemes:
+ No authentication
+ Plain text authentication
+ MD5 authentication

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/12-4/fhp-12-4-book/fhp-vrrp.html

Question 9

GLBP Questions

June 14th, 2017 certprepare 12 comments

Note: If you are not sure about GLBP, please read our GLBP tutorial.

Question 1

Explanation

The error message indicates a possible Layer 2 loop and STP configuration issues. Notice that the “duplicate address” here means the MAC address.

To resolve this issue, issue the show interface command to verify the MAC address of the interface. If the MAC address of the interface is the same as the one reported in the error message, this router is receiving its own hello packets; verify the spanning-tree topology and check for a Layer 2 loop. If the interface MAC address is different from the one reported in the error message, then another device using that MAC address is the source of the error message.

Reference: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/81565-glbp-cat65k.html#dr

Question 2

Explanation

The active virtual gateway (AVG) is responsible for answering the ARP Request for the virtual IP address. Load sharing is achieved by the AVG replying to the ARP requests with different virtual MAC addresses.

Question 3

Explanation

A GLBP group has a maximum of four AVFs (that is, four virtual MAC addresses). If there are more than four gateways in a GLBP group, the rest become Standby Virtual Forwarders (SVFs), which take the place of an AVF in case of failure.

Question 4

Question 5

Question 6

Explanation

GLBP members communicate between each other through hello messages sent every 3 seconds to the multicast address 224.0.0.102, User Datagram Protocol (UDP) port 3222 (source and destination).

Reference: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_glbp.html

Question 8

Question 9

Explanation

GLBP has three authentication schemes:

+ No authentication
+ Plain text authentication
+ MD5 authentication

Port Security

June 13th, 2017 certprepare 29 comments

Question 1

Explanation

The “sticky” keyword in the switchport port-security mac-address sticky command converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses and adds them to the running configuration.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swtrafc.html)

Question 2

Explanation

Port security can be enabled on both access and static trunk ports. An example of configuring port security on a static trunk port is shown below:

Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport port-security

We cannot configure port security on a dynamic interface. For example, we will see an error when we try it:

Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport
Switch(config-if)# switchport mode dynamic desirable
Switch(config-if)# switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.

Question 3

Explanation

When a port security violation is detected, the switch automatically places the port in the “err-disabled” shutdown state. The “errdisable recovery cause psecure-violation” command brings a secure port out of error-disabled state.

Note: There is a similar command: “errdisable recovery cause security-violation” but it recovers a port from 802.1x violation disable state.

Question 4

Explanation

When a port security violation is detected, the switch automatically places the port in the “err-disabled” shutdown state.

Question 5

Explanation

If any one of the errdisable recovery conditions is enabled, the ports with this condition are reenabled after 300 seconds. You can also change this default of 300 seconds if you issue this command:

Switch(config)#errdisable recovery interval timer_interval_in_seconds

Question 6

Explanation

A sticky MAC address can be learned automatically or configured manually. When it is dynamically learned, the MAC address is automatically entered into the running configuration as a static MAC address; the address is then kept in the running configuration until a reboot. On reboot, the MAC address will be lost; if we want to keep the MAC address after a reboot, we need to save the running config (with the command copy running-config startup-config).

To turn on the sticky feature on a switch, use the switchport port-security mac-address sticky command. When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky MAC addresses.

Question 7

Question 8

Question 9

Question 10

Port Security 2

June 12th, 2017 certprepare 2 comments

Question 1

Question 2

Explanation

The new network switch port keeps going back into err-disabled mode so we can deduce port security is still enabled on this port -> A is correct but B is not correct.

In this question we know that all access ports have port security sticky enabled, so port security is still enabled on the older switch port (as we only removed the PC and cleared port security on the new one) -> E is correct (although D is also correct, E is better).

Answer C is not correct as other access ports do not have any effect on these two ports.

Question 3

Explanation

There are three port security violation modes:
+ protect – Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.
+ restrict – Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value and causes the SecurityViolation counter to increment.
+ shutdown – Puts the interface into the error-disabled state immediately and sends an SNMP trap notification.

The default behavior for a security violation is to shut down that port permanently.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.html)

Question 4

Explanation

This is the paragraph that describes the “show errdisable recovery” command on the Cisco website:

“If you have enabled errdisable recovery, you can determine the reason for the errdisable status if you issue the “show errdisable recovery” command. An example of the output of this command is shown below:

Switch#show errdisable recovery
ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Enabled
bpduguard            Enabled
security-violatio    Enabled
channel-misconfig    Enabled
pagp-flap            Enabled
dtp-flap             Enabled
link-flap            Enabled
l2ptguard            Enabled
psecure-violation    Enabled
gbic-invalid         Enabled
dhcp-rate-limit      Enabled
mac-limit            Enabled
unicast-flood        Enabled
arp-inspection       Enabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

Interface      Errdisable reason      Time left(sec)
---------    ---------------------    --------------
  Fa2/4                bpduguard          273

Reference: https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/69980-errdisable-recovery.html

So answer A seems to be correct but the above quote is very misleading. In fact, this command is used to verify which services/features have been enabled for err-disable recovery (notice that the err-disable recovery feature is disabled by default for all services and features; we have to turn it on manually for each one we want to use, via the command “errdisable recovery cause …”). If we allow all of the above services/features to recover automatically, we will not know the reason a port was error-disabled.

In fact, the best way to determine why a port is in the err-disabled state is to view the Syslog messages. For example:

%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state

This means Fa0/1 is put in err-disabled state because of a port security violation.

Note: The command “show errdisable detect” is used to identify which services are enabled for Errdisable only (for example, services like “arp-inspection”, bpduguard, UDLD,…)
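Since Syslog is the reliable record, here is an added example (not from the page) that runs over a few constructed log lines and keeps track of which ports are currently err-disabled and why. The %PM-4-ERR_DISABLE format is the one quoted above; the %PM-4-ERR_RECOVER line format is assumed from IOS rather than taken from the page, and the interfaces and causes are constructed.

```python
"""Finding err-disabled ports and their cause from syslog, as an added example
(not from the page). The %PM-4-ERR_DISABLE line format is the one quoted above;
the %PM-4-ERR_RECOVER format is assumed from IOS, not taken from the page, and
all sample lines are constructed.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/7, putting Fa0/7 in err-disable state
%PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/1
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
%PM-4-ERR_DISABLE: link-flap error detected on Gi1/0/3, putting Gi1/0/3 in err-disable state
"""

ERR_DISABLE = re.compile(r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>\S+),")
ERR_RECOVER = re.compile(r"%PM-4-ERR_RECOVER: Attempting to recover from (?P<cause>\S+) "
                         r"err-disable state on (?P<port>\S+)")

def parse_events(log):
    """Return a list of ('disable' | 'recover', port, cause) for each matching line."""
    events = []
    for line in log.splitlines():
        if m := ERR_DISABLE.search(line):
            events.append(("disable", m["port"], m["cause"]))
        elif m := ERR_RECOVER.search(line):
            events.append(("recover", m["port"], m["cause"]))
    return events

def errdisabled_ports(log):
    """Ports currently err-disabled and why (replays the events in order)."""
    state = {}
    for kind, port, cause in parse_events(log):
        if kind == "disable":
            state[port] = cause
        else:
            state.pop(port, None)
    return state

def cause_counts(log):
    """How often each cause fired: the number "show errdisable recovery" cannot give you."""
    return Counter(cause for kind, _, cause in parse_events(log) if kind == "disable")

def repeat_offenders(log, threshold=2):
    """Ports disabled `threshold` or more times: with automatic recovery enabled a
    port whose root cause persists just cycles, and that is worth an alert."""
    per_port = Counter(port for kind, port, _ in parse_events(log) if kind == "disable")
    return sorted(port for port, n in per_port.items() if n >= threshold)

if __name__ == "__main__":
    print(errdisabled_ports(SAMPLE_LOG))
    print(cause_counts(SAMPLE_LOG))
    print("cycling:", repeat_offenders(SAMPLE_LOG))
```

Fa0/1 in the sample is the case the note above warns about: automatic recovery re-enabled it, the violation happened again, and only the log history shows that the port is cycling rather than having recovered.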

Question 5

Question 6

Explanation

Port Security Guidelines and Restrictions

Follow these guidelines when configuring port security:
+ A secure port cannot be a trunk port.
+ A secure port cannot be a destination port for Switch Port Analyzer (SPAN) -> Answer E is not correct.
+ A secure port cannot belong to an EtherChannel port-channel interface -> Answer C is correct.
+ A secure port and static MAC address configuration are mutually exclusive.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html

+ Port security supports private VLAN (PVLAN) ports -> Answer B is not correct.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/port_security.pdf

Sticky MAC addresses can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. There is no document stating the maximum number of sticky MAC addresses that can be configured on a device, but it is certainly greater than three -> D is not correct.

We are not sure about answer A but port security does support “static secure MAC addresses” (by using the “switchport port-security mac-address mac_address” interface configuration command).

Question 7

Explanation

A switchport violation occurs in one of two situations:
+ When the maximum number of secure MAC addresses has been reached (by default, the maximum number of secure MAC addresses per switchport is limited to 1)
+ An address learned or configured on one secure interface is seen on another secure interface in the same VLAN

Reference: http://www.ciscopress.com/articles/article.asp?p=1722561

We have to admit that we have never tested the second violation rule stated above ^^.
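The three violation modes from Question 3 and the two violation triggers from Question 7, put together in an added example (not from the page or Cisco Press): a small simulator of secure ports that learns addresses up to the maximum, writes sticky addresses into a running configuration, and reacts to a violation according to the mode. Port names, VLANs and MAC addresses are constructed.

```python
"""Port security violation handling, as an added example (not from the page).

Simulates the three violation modes and both violation triggers described
above: the secure-address maximum is exhausted, or a MAC that is secured on
one interface shows up on another secure interface in the same VLAN.
"""
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    name: str
    vlan: int
    maximum: int = 1            # default maximum of secure MACs per port
    mode: str = "shutdown"      # protect | restrict | shutdown (the default)
    sticky: bool = False
    secure_macs: dict = field(default_factory=dict)   # mac -> "dynamic" | "sticky"
    violations: int = 0         # the SecurityViolation counter
    errdisabled: bool = False

class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.running_config = []          # sticky addresses land here

    def secured_on(self, mac, vlan):
        """Name of the secure port that already owns `mac` in `vlan`, if any."""
        return next((p.name for p in self.ports.values()
                     if p.vlan == vlan and mac in p.secure_macs), None)

    def ingress(self, port_name, src_mac):
        """Process one frame; returns 'forward', 'drop' or 'errdisable'."""
        p = self.ports[port_name]
        if p.errdisabled:
            return "drop"
        if src_mac in p.secure_macs:
            return "forward"
        owner = self.secured_on(src_mac, p.vlan)
        if len(p.secure_macs) < p.maximum and owner is None:
            p.secure_macs[src_mac] = "sticky" if p.sticky else "dynamic"
            if p.sticky:
                self.running_config.append(
                    f"interface {p.name}\n switchport port-security mac-address sticky {src_mac}")
            return "forward"
        # Violation: react according to the configured mode.
        if p.mode == "protect":           # silently drop, no counter, no trap
            return "drop"
        p.violations += 1                 # restrict and shutdown both count
        if p.mode == "restrict":
            return "drop"
        p.errdisabled = True              # shutdown: port goes err-disabled at once
        return "errdisable"

def demo():
    """Run the scenarios from the two explanations; returns the observable results."""
    sw = Switch([SecurePort("Fa0/1", 10, maximum=2, mode="protect"),
                 SecurePort("Fa0/2", 10, mode="restrict"),
                 SecurePort("Fa0/3", 20, mode="shutdown", sticky=True),
                 SecurePort("Fa0/4", 20, mode="restrict")])
    out = {}
    out["protect"] = [sw.ingress("Fa0/1", m) for m in ("0000.0000.00a1", "0000.0000.00a2", "0000.0000.00a3")]
    out["restrict"] = [sw.ingress("Fa0/2", m) for m in ("0000.0000.00b1", "0000.0000.00b2")]
    out["shutdown"] = [sw.ingress("Fa0/3", m) for m in ("0000.0000.00c1", "0000.0000.00c2", "0000.0000.00c1")]
    # 00c1 is secured on Fa0/3; seeing it on Fa0/4 (same VLAN 20) is a violation
    # even though Fa0/4 has not reached its maximum.
    out["moved_mac"] = sw.ingress("Fa0/4", "0000.0000.00c1")
    out["violations"] = {n: p.violations for n, p in sw.ports.items()}
    out["errdisabled"] = [n for n, p in sw.ports.items() if p.errdisabled]
    out["sticky_config"] = sw.running_config
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The difference between protect and restrict is only visible in the counter: both drop the offending frames, but protect leaves no trace, which is why restrict is the better choice when you want violations to show up in monitoring.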

Question 8

Explanation

You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone -> Therefore we can configure two VLANs in total.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_40_se/configuration/guide/scg/swvoip.pdf

Question 9

Miscellaneous Questions

June 11th, 2017 certprepare 57 comments

Question 1

Explanation

Nonstop Forwarding (NSF) works with Stateful switchover (SSO) to minimize the amount of time a network is unavailable to its users following a switchover. The main objective of Cisco NSF is to continue forwarding IP packets following a route processor (RP) switchover.

Usually, when a networking device restarts, all routing peers of that device detect that the device went down and then came back up. This transition results in what is called a routing flap, which could spread across multiple routing domains. Routing flaps caused by routing restarts create routing instabilities, which are detrimental to the overall network performance. Cisco NSF helps to suppress routing flaps in SSO-enabled devices, thus reducing network instability.

Cisco NSF allows for the forwarding of data packets to continue along known routes while the routing protocol information is being restored following a switchover. With Cisco NSF, peer networking devices do not experience routing flaps. Data traffic is forwarded through intelligent line cards while the standby RP assumes control from the failed active RP during a switchover. The ability of line cards to remain up through a switchover and to be kept current with the Forwarding Information Base (FIB) on the active RP is key to Cisco NSF operation.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/nonstop_forwarding.html#wp1102552

Question 2

Explanation

If a BPDU is received on a port where BPDU guard is configured, that port is put into the errdisable state (nearly the same as the shutdown state) immediately. BPDU Guard is often configured on a PortFast-enabled port to prevent a switch from being connected to it. When that switch begins to send BPDUs to a BPDU guard port, the port is blocked immediately.

Question 3

Explanation

IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host’s IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/ipsrcgrd.html

Question 4

Explanation

Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks.

Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed. The switch performs these activities:
+ Intercepts all ARP requests and responses on untrusted ports
+ Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before it updates the local ARP cache or before it forwards the packet to the appropriate destination
+ Drops invalid ARP packets

Reference: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/72846-layer2-secftrs-catl3fixed.html
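The three steps above as decision logic, in an added example that is not from the page or the Cisco document: ARP packets arriving on untrusted ports have their sender MAC/IP pair checked against a DHCP snooping binding table (and static bindings for hosts without DHCP), while trusted ports bypass inspection. The binding tables, port names and packets are constructed.

```python
"""Dynamic ARP Inspection decision logic, as an added example (not from the page).

Checks the sender MAC/IP of ARP packets arriving on untrusted ports against
a DHCP snooping binding table (plus static bindings), the way the three
bullet points above describe; trusted ports bypass inspection.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpPacket:
    port: str
    vlan: int
    op: str            # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_ip: str

# Constructed binding tables (what DHCP snooping would have learned, and what
# the administrator configured statically for a host without DHCP).
DHCP_BINDINGS = {(10, "0011.2233.4455"): "10.1.10.11", (10, "0011.2233.6677"): "10.1.10.12"}
STATIC_BINDINGS = {(10, "00aa.bbcc.dd01"): "10.1.10.250"}
TRUSTED_PORTS = {"Gi1/0/24"}           # uplink toward the DHCP server / other switch

def inspect(pkt, dhcp=DHCP_BINDINGS, static=STATIC_BINDINGS, trusted=TRUSTED_PORTS):
    """Return ('forward' | 'drop', reason) for one ARP packet."""
    if pkt.port in trusted:
        return "forward", "trusted port, not inspected"
    key = (pkt.vlan, pkt.sender_mac)
    expected = static.get(key) or dhcp.get(key)
    if expected is None:
        return "drop", f"no binding for {pkt.sender_mac} in VLAN {pkt.vlan}"
    if expected != pkt.sender_ip:
        return "drop", f"{pkt.sender_mac} is bound to {expected}, claimed {pkt.sender_ip}"
    return "forward", "sender IP/MAC matches binding"

# Constructed traffic: a legitimate reply, a reply in which a host claims the
# gateway address (the man-in-the-middle case DAI exists for), an unknown
# device, a statically bound host, and a packet from the trusted uplink.
SAMPLE = [
    ArpPacket("Fa0/1", 10, "reply", "0011.2233.4455", "10.1.10.11", "10.1.10.1"),
    ArpPacket("Fa0/2", 10, "reply", "0011.2233.6677", "10.1.10.1", "10.1.10.11"),
    ArpPacket("Fa0/3", 10, "request", "00de.ad00.beef", "10.1.10.99", "10.1.10.1"),
    ArpPacket("Fa0/5", 10, "request", "00aa.bbcc.dd01", "10.1.10.250", "10.1.10.11"),
    ArpPacket("Gi1/0/24", 10, "reply", "00de.ad00.beef", "10.1.10.99", "10.1.10.11"),
]

def run(packets=SAMPLE):
    """Return {port: (verdict, reason)} and the number of drops for a batch of packets."""
    results = {p.port: inspect(p) for p in packets}
    return results, sum(v == "drop" for v, _ in results.values())

if __name__ == "__main__":
    results, drops = run()
    for port, (verdict, reason) in results.items():
        print(f"{port:9} {verdict:8} {reason}")
    print("dropped:", drops)
```

Note what the trusted-port packet shows: the same unknown MAC/IP pair is dropped on Fa0/3 but forwarded from Gi1/0/24, so marking a port trusted must be reserved for links where the far side is itself doing the validation.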

Question 5

Explanation

This example shows how to enable DAI on VLANs 10 through 12:

Router# configure terminal
Router(config)# ip arp inspection vlan 10-12

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/dynarp.html

Question 6

Question 7

Question 8

Drag and Drop

June 10th, 2017 certprepare 176 comments

Question 1

Question 2

Question 3

Question 4

Explanation

There are several STP timers, as this list shows:
+ Hello – is the time between each bridge protocol data unit (BPDU) that is sent on a port. This time is equal to 2 seconds (sec) by default, but you can tune the time to be between 1 and 10 sec.
+ Forward delay – The forward delay is the time that is spent in the listening and learning state. This time is equal to 15 sec by default, but you can tune the time to be between 4 and 30 sec.
+ Max Age – controls the maximum length of time that passes before a bridge port saves its configuration BPDU information. This time is 20 sec by default, but you can tune the time to be between 6 and 40 sec.

Reference: http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/19120-122.html

Question 5

Question 6

Explanation

Bridge transit delay (transit delay): This value is the time that elapses between the reception and the transmission of the same frame by the bridge. This is logically the latency through the bridge. The IEEE recommendation is to consider 1 sec as the maximum bridge transit delay.

Medium access delay (med_access_delay): This value is the time that is necessary for a device to gain access to the media for initial transmission. It is the time between the CPU decision to send a frame and the moment when the frame effectively begins to leave the bridge. The IEEE recommendation is to use 0.5 sec as the maximum time.

Question 7

Question 8

Question 9

Question 10

Question 11

Drag and drop about VSS and Stack

VSS_Stack.jpg

Answer:

VSS:
+ can be used even in geographically distributed equipment
+ is supported only on line 4500 and 6500
+ uses 10Gbps interfaces

Stack:
+ can be connected in up to 9 devices
+ is supported only on line 3750 and (2960/3650/3850/3750+)
+ uses proprietary cable for connection

Question 12

Explanation

A source port (also called a monitored port) is a switched or routed port that you monitor for network traffic analysis. In a local SPAN session or RSPAN source session, you can monitor source ports or VLANs for traffic in one or both directions.

A source port has these characteristics:
+ It can be monitored in multiple SPAN sessions.
+ Each source port can be configured with a direction (ingress, egress, or both) to monitor.
+ It can be any port type (for example, EtherChannel, Gigabit Ethernet, and so forth).
+ For EtherChannel sources, you can monitor traffic for the entire EtherChannel or individually on a physical port as it participates in the port channel.
+ It can be an access port, trunk port, routed port, or voice VLAN port.
+ It cannot be a destination port.
+ Source ports can be in the same or different VLANs.
+ You can monitor multiple source ports in a single session.

The last two characteristics mean that multiple VLANs can be included in a single session.

A destination port has these characteristics:
+ For a local SPAN session, the destination port must reside on the same switch or switch stack as the source port. For an RSPAN session, it is located on the switch containing the RSPAN destination session. There is no destination port on a switch or switch stack running only an RSPAN source session.
+ When a port is configured as a SPAN destination port, the configuration overwrites the original port configuration. When the SPAN destination configuration is removed, the port reverts to its previous configuration. If a configuration change is made to the port while it is acting as a SPAN destination port, the change does not take effect until the SPAN destination configuration has been removed.
+ If the port was in an EtherChannel group, it is removed from the group while it is a destination port. If it was a routed port, it is no longer a routed port.
+ It can be any Ethernet physical port.
+ It cannot be a secure port.
+ It cannot be a source port.
+ It cannot be an EtherChannel group or a VLAN.
+ It can participate in only one SPAN session at a time (a destination port in one SPAN session cannot be a destination port for a second SPAN session).
+ When it is active, incoming traffic is disabled. The port does not transmit any traffic except that required for the SPAN session. Incoming traffic is never learned or forwarded on a destination port.
+ If ingress traffic forwarding is enabled for a network security device, the destination port forwards traffic at Layer 2.
+ It does not participate in any of the Layer 2 protocols (STP, VTP, CDP, DTP, PagP).
+ A destination port that belongs to a source VLAN of any SPAN session is excluded from the source list and is not monitored.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swspan.html

Question 13

HSRP Sim

March 23rd, 2017 certprepare 1,374 comments

Refer to the topology below. R1 and R2 are configured to run HSRP. The network administrator wants to ask you about how HSRP operates in the event of a device failure.

HSRP_Topology.jpg


LACP with STP Sim

March 12th, 2017 certprepare 2,764 comments

Question

You work for SWITCH.com. They have just added a new switch (SwitchB) to the existing network as shown in the topology diagram.

LACP_STP_topology.jpg

RouterA is currently configured correctly and is providing the routing function for devices on SwitchA and SwitchB. SwitchA is currently configured correctly, but will need to be modified to support the addition of SwitchB. SwitchB has a minimal configuration. You have been tasked with completing the needed configuration of SwitchA and SwitchB. SwitchA and SwitchB use Cisco as the enable password.

Configuration Requirements for SwitchA

– The VTP and STP configuration modes on SwitchA should not be modified.
– SwitchA needs to be the root switch for vlans 11, 12, 13, 21, 22 and 23. All other vlans should be left at their default values.

Configuration Requirements for SwitchB

– Vlan 21, Name: Marketing, will support two servers attached to fa0/9 and fa0/10
– Vlan 22, Name: Sales, will support two servers attached to fa0/13 and fa0/14
– Vlan 23, Name: Engineering, will support two servers attached to fa0/15 and fa0/16
– Access ports that connect to servers should transition immediately to the forwarding state upon detecting the connection of a device.
– SwitchB VTP mode needs to be the same as SwitchA.
– SwitchB must operate in the same spanning tree mode as SwitchA.
– No routing is to be configured on SwitchB.
– Only the SVI vlan 1 is to be configured and it is to use address 192.168.1.11/24.

Inter-switch Connectivity Configuration Requirements:

– For operational and security reasons trunking should be unconditional and Vlans 1, 21, 22 and 23 should be tagged when traversing the trunk link.
– The two trunks between SwitchA and SwitchB need to be configured in a mode that allows for the maximum use of their bandwidth for all vlans. This mode should be done with a non-proprietary protocol, with SwitchA controlling activation.
– Propagation of unnecessary broadcasts should be limited using manual pruning on this trunk link.

Answer and Explanation:


MLS and EIGRP Sim

March 10th, 2017 certprepare 200 comments

Question

You have been tasked with configuring multilayer SwitchC, which has a partial configuration and has been attached to RouterC as shown in the topology diagram.

You need to configure SwitchC so that Hosts H1 and H2 can successfully ping the server S1. Also SwitchC needs to be able to ping server S1. Due to administrative restrictions and requirements you should not add/delete VLANs, change VLAN port assignments or create trunk links. Company policies forbid the use of static or default routing. All routes must be learned via the EIGRP 650 routing protocol.

You do not have access to RouterC; RouterC is correctly configured. No trunking has been configured on RouterC.
Routed interfaces should use the lowest host on a subnet when possible. The following subnets are available to implement this solution:
– 10.10.10.0/24
– 190.200.250.32/27
– 190.200.250.64/27
Hosts H1 and H2 are configured with the correct IP address and default gateway.
SwitchC uses Cisco as the enable password.
Routing must only be enabled for the specific subnets shown in the diagram.

EIGRP_MLS_sim.jpg

Answer and Explanation

Read more…

VTP Lab 2

March 9th, 2017 certprepare 107 comments

Question

Answer and Explanation

Read more…

AAAdot1x Lab Sim

March 3rd, 2017 certprepare 1,979 comments

Question

Answer and Explanation

Read more…

VTPv3 Sim

February 11th, 2017 certprepare 347 comments

You have been asked to install and configure a new switch in a customer network. Use the console access to the existing and new switches to configure and verify correct device configuration.

VTP_Topology.jpg

Read more…

SWITCH FAQs & Tips

February 8th, 2015 certprepare 240 comments

In this article, I will try to summarize all the Frequently Asked Questions about the SWITCH 642-813 Exam. I hope it will save you some time searching the Internet and asking your friends and teachers.

1. Please tell me how many questions are in the real SWITCH exam, and how much time do I have to answer them?

There are 45 questions, including 3 lab-sims. You have 120 minutes to answer them but if your native language is not English, Cisco allows you a 30-minute exam time extension.

2. How much does the SWITCH 300-115 cost? And how many points do I need to pass the exam?

This exam costs $300. You need at least 790/1000 points to pass this exam.

3. I passed the SWITCH exam, will I get a certificate for it?

No, Cisco does not ship a SWITCH exam certificate; it only ships you a certificate after you complete the full CCNP track of 3 exams (ROUTE, SWITCH & TSHOOT).

4. Which sims will I see in the SWITCH exam?

The popular sims now are the LACP with STP Sim, the HSRP Sim and the AAAdot1x Lab Sim. Please note that the IP addresses and switch names may be different (this is also true for Drag and Drop questions).

5. How many points will I get for one sim?

Maybe you will get about 80 to 100 points for each sim, just like the CCNA exam.

6. In the real exam, I clicked “Next” after choosing the answer, can I go back for reviewing?

No, you can’t go back, so you can’t re-check your answers after clicking the “Next” button.

7. I understand I will get CCNP certificate after completing 3 exams ROUTE, SWITCH and TSHOOT but can I take them in any order I like?

Yes, you can take these 3 exams in any order you like, but the most popular “roadmap” is ROUTE, then SWITCH, then TSHOOT.

8. What are your recommended materials for SWITCH exam?

There are many options you can choose, but below are materials used and recommended by many candidates:

Books:

  • CCNP SWITCH 300-115 Official Certification Guide
  • CCNP SWITCH Portable Command Guide
  • SWITCH 300-115 Student Guide (Volume 1 & 2)
  • SWITCH 300-115 Quick Reference

Video Training:

  • CCNP SWITCH 300-115 CBT Nuggets
  • SWITCH 300-115 Cisco Video Mentor


9. Why don’t I see any questions and answers on certprepare.com? I only see the explanation…

Because of copyright issues, we had to remove all the questions and answers. You can download a PDF file with the questions at this link: https://www.certprepare.com/switch-questions-and-answers

Share your SWITCH v2.0 Experience

February 7th, 2015 certprepare