
CCNP Switching

CDP & LLDP Questions


Question 1
What is the default interval at which Cisco devices send Cisco Discovery Protocol advertisements?
A. 30 seconds
B. 60 seconds
C. 120 seconds
D. 300 seconds
Answer: B
Explanation
Cisco Discovery Protocol (CDP) is a proprietary protocol designed by Cisco to help in finding information about
neighboring devices. The default values are 60 seconds for advertisements. Each neighbor will keep the information
contained in a packet for 180 seconds (holddown timer).
Question 2
Which statement about Cisco Discovery Protocol configuration on a Cisco switch is true?
A. CDP is enabled by default and can be disabled globally with the command no cdp run.
B. CDP is disabled by default and can be enabled globally with the command cdp enable.
C. CDP is enabled by default and can be disabled globally with the command no cdp enable.
D. CDP is disabled by default and can be enabled globally with the command cdp run.

Answer: A
Question 3
A network engineer notices inconsistent Cisco Discovery Protocol neighbors according to the diagram that
is provided. The engineer notices only a single neighbor that uses Cisco Discovery Protocol, but it has
several routing neighbor relationships. What would cause the output to show only the single neighbor?
A. The routers are connected via a Layer 2 switch.
B. IP routing is disabled on neighboring devices.
C. Cisco Express Forwarding is enabled locally.
D. Cisco Discovery Protocol advertisements are inconsistent between the local and remote devices.
Answer: A
Explanation
CDP runs at Layer 2 so a router running CDP can see a Layer 2 switch that is directly connected to it, provided that
the Layer 2 switch also runs CDP.
Question 4
After the implementation of several different types of switches from different vendors, a network
engineer notices that directly connected devices that use Cisco Discovery Protocol are not visible. Which
vendor-neutral protocol could be used to resolve this issue?
A. Local Area Mobility
B. Link Layer Discovery Protocol
C. NetFlow
D. Directed Response Protocol
Answer: B

Explanation
Unlike CDP, Link Layer Discovery Protocol (LLDP) is an open IEEE-standard (802.1AB) Layer 2 protocol used by
network devices to share information about their identities and functionality with other network elements.
Question 5
While doing network discovery using Cisco Discovery Protocol, it is found that rapid error tracking is not
currently enabled. Which option must be enabled to allow for enhanced reporting mechanisms using Cisco
Discovery Protocol?
A. Cisco Discovery Protocol version 2
B. Cisco IOS Embedded Event Manager
C. logging buffered
D. Cisco Discovery Protocol source interface
E. Cisco Discovery Protocol logging options
Answer: A
Explanation
Cisco Discovery Protocol Version 2 provides more intelligent, device-tracking features than those available in Version
1. One of the features available is an enhanced reporting mechanism for more rapid error tracking, which helps to
reduce network downtime. Errors reported include mismatched native VLAN IDs (IEEE 802.1Q) on connected ports
and mismatched port-duplex states between connected devices. Messages about reported errors can be sent to the
console or to a logging server.
Question 6
A network engineer has just deployed a non-Cisco device in the network and wants to get information
about it from a connected device. Cisco Discovery Protocol is not supported, so the open standard
protocol must be configured. Which protocol does the network engineer configure on both devices to
accomplish this?
A. IRDP
B. LLDP
C. NDP
D. LLTD
Answer: B
Explanation
Unlike CDP, Link Layer Discovery Protocol (LLDP) is an open IEEE-standard (802.1AB) Layer 2 protocol used by
network devices to share information about their identities and functionality with other network elements.
Question 7
Which statement about Cisco devices learning about each other through Cisco Discovery Protocol is true?
A. Each device sends periodic advertisements to multicast address 01:00:0C:CC:CC:CC.
B. Each device broadcasts periodic advertisements to all of its neighbors.
C. Each device sends periodic advertisements to a central device that builds the network topology.
D. Each device sends periodic advertisements to all IP addresses in its ARP table.
Answer: A

Explanation

Cisco devices send periodic CDP announcements to the multicast destination address 01-00-0c-cc-cc-cc out each
connected network interface. These multicast packets may be received by Cisco devices. This multicast destination is
also used in other Cisco protocols such as VTP.

Question 8
Which option lists the information that is contained in a Cisco Discovery Protocol advertisement?
A. native VLAN IDs, port-duplex, hardware platform
B. native VLAN IDs, port-duplex, memory errors
C. native VLAN IDs, memory errors, hardware platform
D. port-duplex, hardware platform, memory errors
Answer: A
Explanation
The information contained in Cisco Discovery Protocol announcements depends on the device type and the version of
the operating system running on it. The following are examples of the types of information that can be contained in
Cisco Discovery Protocol announcements:
+ Cisco IOS XE version running on a Cisco device
+ Duplex setting
+ Hardware platform of the device
+ Hostname
+ IP addresses of the interfaces on devices
+ Interfaces active on a Cisco device, including encapsulation type
+ Locally connected devices advertising Cisco Discovery Protocol
+ Native VLAN
+ VTP domain
Cisco Discovery Protocol Version 2 provides more intelligent device tracking features than Version 1.

Question 9
Which statement about LLDP-MED is true?
A. LLDP-MED is an extension to LLDP that operates between endpoint devices and network devices.
B. LLDP-MED is an extension to LLDP that operates only between network devices.
C. LLDP-MED is an extension to LLDP that operates only between endpoint devices.
D. LLDP-MED is an extension to LLDP that operates between routers that run BGP.
Answer: A
Explanation
Media Endpoint Discovery is an enhancement of LLDP, known as LLDP-MED, that provides the following facilities:
+ Auto-discovery of LAN policies such as VLAN, Layer 2 Priority and Differentiated services (Diffserv) settings,
enabling plug and play networking.
+ Device location discovery to allow creation of location databases and, in the case of Voice over Internet Protocol
(VoIP), Enhanced 911 services.
+ Extended and automated power management of Power over Ethernet (PoE) end points.
+ Inventory management, allowing network administrators to track their network devices, and determine their
characteristics (manufacturer, software and hardware versions, serial or asset number).
The LLDP-MED protocol extension was formally approved and published as the standard ANSI/TIA-1057 by the
Telecommunications Industry Association (TIA) in April 2006.

Question 10
Which option describes a limitation of LLDP?
A. LLDP cannot provide information about VTP.
B. LLDP does not support TLVs.
C. LLDP can discover only Windows servers.
D. LLDP can discover up to two devices per port.
Answer: A
Explanation
LLDP supports a set of attributes that it uses to discover neighbor devices. These attributes contain type, length, and
value descriptions and are referred to as TLVs. LLDP supported devices can use TLVs to receive and send information
to their neighbors. This protocol can advertise details such as configuration information, device capabilities, and device
identity.
The switch supports these basic management TLVs. These are mandatory LLDP TLVs.
+ Port description TLV
+ System name TLV
+ System description TLV
+ System capabilities TLV
+ Management address TLV
These organizationally specific LLDP TLVs are also advertised to support LLDP-MED.
+ Port VLAN ID TLV (IEEE 802.1 organizationally specific TLV)
+ MAC/PHY configuration/status TLV (IEEE 802.3 organizationally specific TLV)
-> No VTP information is supported in LLDP.

Question 11
Which statement about using native VLANs to carry untagged frames is true?
A. Cisco Discovery Protocol version 2 carries native VLAN information, but version 1 does not.
B. Cisco Discovery Protocol version 1 carries native VLAN information, but version 2 does not.
C. Cisco Discovery Protocol version 1 and version 2 carry native VLAN information.
D. Cisco Discovery Protocol version 3 carries native VLAN information, but versions 1 and 2 do not.
Answer: A
Explanation
Cisco Discovery Protocol Version 2 has three additional type, length, values (TLVs): VTP Management Domain Name,
Native VLAN, and full/half-Duplex.

Switch Questions
Question 1

What effect does the mac address-table aging-time 180 command have on the MAC address-table?
A. This is how long a dynamic MAC address will remain in the CAM table.
B. The MAC address-table will be flushed every 3 minutes.
C. The default timeout period will be 360 seconds.
D. ARP requests will be processed less frequently by the switch.
E. The MAC address-table will hold addresses 180 seconds longer than the default of 10 minutes.

Answer: A
Explanation
The command mac address-table aging-time 180 specifies the time before an entry ages out and is discarded from
the MAC address table. The default is 300 seconds. Entering the value 0 disables the MAC aging.
Question 2
In a Cisco switch, what is the default period of time after which a MAC address ages out and is discarded?
A. 100 seconds
B. 180 seconds
C. 300 seconds
D. 600 seconds
Answer: C
Question 3
If a network engineer applies the command mac-address-table notification mac-move on a Cisco switch
port, when is a syslog message generated?
A. A MAC address or host moves between different switch ports.
B. A new MAC address is added to the content-addressable memory.
C. A new MAC address is removed from the content-addressable memory.
D. More than 64 MAC addresses are added to the content-addressable memory.
Answer: A
Explanation
The switch learns which port a host is attached to by examining the source MAC address of frames received on that port.
For example, if the switch receives a frame with source MAC 0000.0000.aaaa (abbreviated as aaaa) on port Fa0/1, it
populates its MAC address table with an entry like "host aaaa on Fa0/1". If the switch then receives a frame with the
same aaaa MAC on Fa0/2, there is a flap and the switch logs something like this:

%MAC_MOVE-SP-4-NOTIF: Host 0000.0000.aaaa in vlan 1 is flapping between port 0/1 and port 0/2

This flapping may be the result of a Layer 2 loop somewhere in the network, especially when STP has been disabled for
some reason.
If you don't want to see this message, either issue no mac-address-table notification mac-move or place a static
entry with mac-address-table static 0000.0000.aaaa vlan 1 interface fa0/1 on the switch. The command
mac-address-table notification mac-move is disabled by default on the 6500 and 7600 series but enabled by default on
other series.
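A toy model of the behaviour described in Questions 1 to 3 (source-MAC learning, aging-time expiry, static entries and the mac-move notification), added here as example code; it is not Cisco's implementation. The 300-second default and the syslog text follow the page, the rest is a simplification.

```python
"""Toy model of a switch MAC address table: source-MAC learning, aging-time
expiry and the mac-move notification. Example code, not Cisco's; the
300-second default and the syslog text follow the page."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:
    port: str
    last_seen: float          # time the last frame from this MAC was seen
    static: bool = False      # static entries never age and are never moved


class MacTable:
    def __init__(self, aging_time: int = 300, mac_move_notify: bool = True):
        # aging-time 0 disables aging, as stated on the page
        self.aging_time = aging_time
        self.mac_move_notify = mac_move_notify
        self.entries: Dict[Tuple[int, str], Entry] = {}   # (vlan, mac) -> Entry
        self.log: List[str] = []

    def add_static(self, vlan: int, mac: str, port: str) -> None:
        """Equivalent of: mac-address-table static <mac> vlan <vlan> interface <port>"""
        self.entries[(vlan, mac)] = Entry(port=port, last_seen=0.0, static=True)

    def learn(self, vlan: int, src_mac: str, port: str, now: float) -> None:
        """Learn or refresh the source MAC of a frame received on `port`."""
        self.expire(now)
        key = (vlan, src_mac)
        old = self.entries.get(key)
        if old is not None and old.static:
            return                      # pinned by a static entry: no move, no log
        if old is not None and old.port != port and self.mac_move_notify:
            # The same MAC just showed up on a different port: host move or flap
            self.log.append(
                f"%MAC_MOVE-SP-4-NOTIF: Host {src_mac} in vlan {vlan} "
                f"is flapping between port {old.port} and port {port}")
        self.entries[key] = Entry(port=port, last_seen=now)

    def expire(self, now: float) -> int:
        """Discard dynamic entries idle for aging_time or longer; return count."""
        if self.aging_time == 0:
            return 0
        stale = [k for k, e in self.entries.items()
                 if not e.static and now - e.last_seen >= self.aging_time]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def lookup(self, vlan: int, mac: str, now: float) -> Optional[str]:
        """Egress port for a destination MAC, or None (the frame is flooded)."""
        self.expire(now)
        entry = self.entries.get((vlan, mac))
        return entry.port if entry else None


if __name__ == "__main__":
    # Replay the page's scenario: aaaa learned on Fa0/1, then seen on Fa0/2
    table = MacTable()
    table.learn(1, "0000.0000.aaaa", "Fa0/1", now=0.0)
    table.learn(1, "0000.0000.aaaa", "Fa0/2", now=1.0)
    print("\n".join(table.log))
    print("entry still present at t=300?",
          table.lookup(1, "0000.0000.aaaa", now=300.0) is not None)
    print("entry still present at t=301?",
          table.lookup(1, "0000.0000.aaaa", now=301.0) is not None)
```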
Question 4
The command storm-control broadcast level 75 65 is configured under the switch port connected to the
corporate mail server. In which three ways does this command impact the traffic? (Choose three)

A. SNMP traps are sent by default when broadcast traffic reaches 65% of the lower-level threshold.
B. The switchport is disabled when unicast traffic reaches 75% of the total interface bandwidth.
C. The switch resumes forwarding broadcasts when they are below 65% of bandwidth.
D. Only broadcast traffic is limited by this particular storm control configuration.
E. Multicast traffic is dropped at 65% and broadcast traffic is dropped at 75% of the total interface bandwidth.
F. The switch drops broadcasts when they reach 75% of bandwidth.

Answer: C D F
Explanation
Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the
physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network
performance. Errors in the protocol-stack implementation, mistakes in network configurations, or users issuing a
denial-of-service attack can cause a storm.
Storm control (or traffic suppression) monitors packets passing from an interface to the switching bus and determines
if the packet is unicast, multicast, or broadcast. The switch counts the number of packets of a specified type received
within the 1-second time interval and compares the measurement with a predefined suppression-level threshold.
Storm control uses one of these methods to measure traffic activity:
+ Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast,
multicast, or unicast traffic
+ Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
+ Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
With each method, the port blocks traffic when the rising threshold is reached. The port remains blocked until the
traffic rate drops below the falling threshold (if one is specified) and then resumes normal forwarding. If the falling
suppression level is not specified, the switch blocks all traffic until the traffic rate drops below the rising suppression
level. In general, the higher the level, the less effective the protection against broadcast storms.
The command storm-control broadcast level 75 65 limits the broadcast traffic up to 75% of the bandwidth (75% is
called the rising threshold). The port will start forwarding broadcast traffic again when it drops below 65% of the
bandwidth (65% is called the falling threshold).
Note: If you don't configure the falling threshold, it takes the same value as the rising threshold.
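The rising/falling hysteresis and the shutdown and trap actions described above, as an added example (not Cisco code); the per-second broadcast utilisation samples are constructed.

```python
"""Model of storm-control rising/falling thresholds and actions. Example
code added for illustration, not Cisco's implementation; the utilisation
samples below are constructed."""
from typing import List, Optional, Tuple


def parse_level(command: str) -> Tuple[str, float, Optional[float]]:
    """Parse 'storm-control {broadcast|multicast|unicast} level rising [falling]'
    into (traffic_type, rising, falling); falling is None when omitted."""
    parts = command.split()
    if len(parts) < 4 or parts[0] != "storm-control" or parts[2] != "level":
        raise ValueError(f"not a storm-control level command: {command!r}")
    traffic, rising = parts[1], float(parts[3])
    falling = float(parts[4]) if len(parts) > 4 else None
    return traffic, rising, falling


def storm_control(samples: List[float], rising: float,
                  falling: Optional[float] = None,
                  action: str = "filter") -> Tuple[List[str], List[str]]:
    """Run per-second utilisation measurements through the suppression logic.

    Returns one state per interval ('forward', 'blocked' or 'err-disabled')
    plus a list of events. Traffic is blocked once utilisation reaches the
    rising threshold and forwarded again only after it drops below the
    falling threshold; an unspecified falling threshold equals the rising
    one. action is 'filter' (default), 'trap' (SNMP trap on detection) or
    'shutdown' (error-disable the port on the first storm).
    """
    if falling is None:
        falling = rising
    if falling > rising:
        raise ValueError("falling threshold must not exceed rising threshold")
    if action not in ("filter", "trap", "shutdown"):
        raise ValueError(f"unknown storm-control action {action!r}")
    states: List[str] = []
    events: List[str] = []
    blocked = shut = False
    for t, util in enumerate(samples):
        if shut:
            states.append("err-disabled")       # stays down until cleared manually
            continue
        if not blocked and util >= rising:
            blocked = True
            events.append(f"t={t}s: storm detected ({util}% >= {rising}%)")
            if action == "trap":
                events.append(f"t={t}s: SNMP trap sent")
            elif action == "shutdown":
                shut = True
                events.append(f"t={t}s: port error-disabled")
                states.append("err-disabled")
                continue
        elif blocked and util < falling:
            blocked = False
            events.append(f"t={t}s: storm cleared ({util}% < {falling}%)")
        states.append("blocked" if blocked else "forward")
    return states, events


if __name__ == "__main__":
    # Constructed sample: broadcast utilisation per second on the mail-server port
    SAMPLES = [10, 80, 70, 60, 90, 74, 50]
    _, rising, falling = parse_level("storm-control broadcast level 75 65")
    states, events = storm_control(SAMPLES, rising, falling)
    for util, state in zip(SAMPLES, states):
        print(f"{util:3}% -> {state}")     # 70% stays blocked: hysteresis
    print("\n".join(events))
```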
Question 5
While troubleshooting a network outage, a network engineer discovered an unusually high level of
broadcast traffic coming from one of the switch interfaces. Which option decreases consumption of
bandwidth used by broadcast traffic?
A. storm control
B. SDM routing
C. Cisco IOS parser
D. integrated routing and bridging
E. Dynamic ARP Inspection
Answer: A
Explanation
By using the storm-control broadcast level rising-threshold [falling-threshold] command we can limit the broadcast traffic
on the switch.

Question 6
The network monitoring application alerts a network engineer of a client PC that is acting as a rogue
DHCP server. Which two commands help trace this PC when the MAC address is known? (Choose two)

A. switch# show mac address-table
B. switch# show port-security
C. switch# show ip verify source
D. switch# show ip arp inspection
E. switch# show mac address-table address

Answer: A E
Explanation
The command show mac address-table displays the MAC address table along with the port associated for the switch.
The show mac address-table address gives a more specific view of a specific MAC address.
Question 7
Which switch feature prevents traffic on a LAN from being overwhelmed by continuous multicast or
broadcast traffic?
A. storm control
B. port security
C. VTP pruning
D. VLAN trunking

Answer: A
Question 8
Which command would a network engineer apply to error-disable a switchport when a packet-storm is
detected?
A. router(config-if)#storm-control action shutdown
B. router(config-if)#storm-control action trap
C. router(config-if)#storm-control action error
D. router(config-if)#storm-control action enable

Answer: A
Explanation
The command storm-control action {shutdown | trap} specifies the action to be taken when a storm is detected.
The default is to filter out the traffic and not to send traps.
+ Select the shutdown keyword to error-disable the port during a storm.
+ Select the trap keyword to generate an SNMP trap when a storm is detected.

Ether-Channel Questions

Notes:
The Port Aggregation Protocol (PAgP) and Link Aggregation Control Protocol (LACP) facilitate the automatic creation of
EtherChannels by exchanging packets between Ethernet interfaces. PAgP is a Cisco-proprietary solution, and LACP is
standards-based.
LACP modes:
+ on: the link aggregation is forced to form without any LACP negotiation. A port-channel is formed only if the peer
port is also in on mode.
+ off: disables LACP and prevents the ports from forming a port-channel
+ passive: the switch does not initiate the channel, but does respond to incoming LACP packets
+ active: sends LACP packets and is willing to form a port-channel
The table below lists whether an EtherChannel will be formed for each pair of LACP modes:

LACP     | Active | Passive
---------+--------+--------
Active   | Yes    | Yes
Passive  | Yes    | No

PAgP modes:
+ on: the link aggregation is forced to form without any PAgP negotiation. A port-channel is formed only if the peer
port is also in on mode.
+ off: disables PAgP and prevents the ports from forming a port-channel
+ desirable: sends PAgP packets and is willing to form a port-channel
+ auto: does not start PAgP negotiation but responds to PAgP packets it receives
The table below lists whether an EtherChannel will be formed for each pair of PAgP modes:

PAgP      | Desirable | Auto
----------+-----------+-----
Desirable | Yes       | Yes
Auto      | Yes       | No

An EtherChannel in Cisco can be defined as a Layer 2 EtherChannel or a Layer 3 EtherChannel.
+ For a Layer 2 EtherChannel, physical ports are placed into an EtherChannel group. A logical port-channel interface is
created automatically. An example of configuring a Layer 2 EtherChannel can be found in Question 1 in this article.
+ For a Layer 3 EtherChannel, a Layer 3 Switch Virtual Interface (SVI) is created and then the physical ports are bound
into this Layer 3 SVI.

Question 1
Refer to the exhibit.

Which set of configurations will result in all ports on both switches successfully bundling into an
EtherChannel?
A. switch1: channel-group 1 mode active
   switch2: channel-group 1 mode auto
B. switch1: channel-group 1 mode desirable
   switch2: channel-group 1 mode passive
C. switch1: channel-group 1 mode on
   switch2: channel-group 1 mode auto
D. switch1: channel-group 1 mode desirable
   switch2: channel-group 1 mode auto
Answer: D
Explanation
The table below lists whether an EtherChannel will be formed for each pair of LACP modes:

LACP     | Active | Passive
---------+--------+--------
Active   | Yes    | Yes
Passive  | Yes    | No

The table below lists whether an EtherChannel will be formed for each pair of PAgP modes:

PAgP      | Desirable | Auto
----------+-----------+-----
Desirable | Yes       | Yes
Auto      | Yes       | No

To form an EtherChannel both sides must use the same EtherChannel protocol (LACP or PAgP). According to the two
tables above, of the four options only desirable and auto (both PAgP) can form an EtherChannel bundle.
Note: If we want to use on mode, both ends must be configured in on mode to create an EtherChannel bundle.
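A checker for the negotiation rules in the Notes above and in this question (same protocol on both ends, on must meet on, off never bundles, LACP needs at least one active end, PAgP at least one desirable end), added here as example code rather than anything from Cisco; the reason strings are my own wording.

```python
"""Does a channel-group mode pair bundle? Encodes the LACP/PAgP negotiation
rules from the Notes above. Example code, not Cisco's."""
from typing import Dict, Tuple

LACP_MODES = {"active", "passive"}
PAGP_MODES = {"desirable", "auto"}
ALL_MODES = ("on", "off", "active", "passive", "desirable", "auto")


def protocol_of(mode: str) -> str:
    """'LACP', 'PAgP', 'on' or 'off' for a channel-group mode keyword."""
    if mode in LACP_MODES:
        return "LACP"
    if mode in PAGP_MODES:
        return "PAgP"
    if mode in ("on", "off"):
        return mode
    raise ValueError(f"unknown channel-group mode {mode!r}")


def channel_forms(mode_a: str, mode_b: str) -> Tuple[bool, str]:
    """Does 'channel-group N mode mode_a' bundle with 'mode mode_b' on the peer?"""
    proto_a, proto_b = protocol_of(mode_a), protocol_of(mode_b)
    if "off" in (proto_a, proto_b):
        return False, "off disables aggregation on that end"
    if "on" in (proto_a, proto_b):
        if proto_a == proto_b:
            return True, "both ends forced on, no negotiation"
        return False, "on sends no negotiation packets, so a negotiating peer never bundles"
    if proto_a != proto_b:
        return False, f"protocol mismatch: {proto_a} vs {proto_b}"
    if proto_a == "LACP":
        if "active" in (mode_a, mode_b):
            return True, "LACP: at least one end is active"
        return False, "LACP: passive/passive, neither end initiates"
    if "desirable" in (mode_a, mode_b):
        return True, "PAgP: at least one end is desirable"
    return False, "PAgP: auto/auto, neither end initiates"


def compatibility_matrix(modes=ALL_MODES) -> Dict[Tuple[str, str], bool]:
    """The full mode-pair table, generalising the two 2x2 tables above."""
    return {(a, b): channel_forms(a, b)[0] for a in modes for b in modes}


if __name__ == "__main__":
    # The four option pairs from Question 1 above
    for a, b in [("active", "auto"), ("desirable", "passive"),
                 ("on", "auto"), ("desirable", "auto")]:
        ok, why = channel_forms(a, b)
        print(f"switch1 {a:9} / switch2 {b:9} -> "
              f"{'bundle' if ok else 'no bundle'}: {why}")
```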

Question 2
After an EtherChannel is configured between two Cisco switches, interface port channel 1 is in the
down/down state. Switch A is configured with channel-group 1 mode active, while Switch B is
configured with channel-group 1 mode desirable. Why is the EtherChannel bundle not working?
A. The switches are using mismatched EtherChannel negotiation modes.
B. The switch ports are not configured in trunking mode.
C. LACP priority must be configured on both switches.
D. The channel group identifier must be different for Switch A and Switch B.
Answer: A
Explanation
To form an Etherchannel both sides must use the same Etherchannel protocol (LACP or PAgP).
Question 3
An EtherChannel bundle has been established between a Cisco switch and a corporate web server. The
network administrator noticed that only one of the EtherChannel links is being utilized to reach the web
server. What should be done on the Cisco switch to allow for better EtherChannel utilization to the
corporate web server?
A. Enable Cisco Express Forwarding to allow for more effective traffic sharing over the EtherChannel bundle.
B. Adjust the EtherChannel load-balancing method based on destination IP addresses.
C. Disable spanning tree on all interfaces that are participating in the EtherChannel bundle.
D. Use link-state tracking to allow for improved load balancing of traffic upon link failure to the server.
E. Adjust the EtherChannel load-balancing method based on source IP addresses.
Answer: E
Explanation
In this case the EtherChannel bundle was configured to load-balance based on the destination IP address but there is
only one web server (means one destination IP address). Therefore only one of the EtherChannel links is being utilized
to reach the web server. To solve this problem we should configure load-balancing based on source IP address so that
traffic to the web server would be shared among the links in the EtherChannel bundle with different hosts.
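A simplified model of how an EtherChannel picks a member link for a frame, added to show why dst-ip pins all traffic to a single web server onto one link while src-ip spreads it across the bundle. This is example code, not Cisco's hash (which is platform specific); it follows the documented principle that the low-order bits of the selected address fields, XORed together, choose the link. The four client-to-server flows are constructed.

```python
"""Simplified EtherChannel frame distribution: the low-order bits of the
selected address fields, XORed, pick the member link. Example code, not
Cisco's platform-specific hash; the flows below are constructed."""
import ipaddress
from collections import Counter
from typing import Dict, List

Flow = Dict[str, str]   # keys: src_mac, dst_mac, src_ip, dst_ip


def _mac_int(mac: str) -> int:
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


def _ip_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


def select_link(flow: Flow, method: str, n_links: int) -> int:
    """Index of the member link (0..n_links-1) that carries this flow."""
    if n_links not in (2, 4, 8):
        raise ValueError("this model handles 2, 4 or 8 member links")
    bits = n_links.bit_length() - 1          # 1, 2 or 3 hash bits
    fields = {
        "src-mac": [_mac_int(flow["src_mac"])],
        "dst-mac": [_mac_int(flow["dst_mac"])],
        "src-dst-mac": [_mac_int(flow["src_mac"]), _mac_int(flow["dst_mac"])],
        "src-ip": [_ip_int(flow["src_ip"])],
        "dst-ip": [_ip_int(flow["dst_ip"])],
        "src-dst-ip": [_ip_int(flow["src_ip"]), _ip_int(flow["dst_ip"])],
    }
    if method not in fields:
        raise ValueError(f"unknown load-balance method {method!r}")
    link = 0
    for value in fields[method]:
        link ^= value & ((1 << bits) - 1)     # XOR the low-order bits
    return link


def distribution(flows: List[Flow], method: str, n_links: int) -> Dict[int, int]:
    """How many of the flows land on each member link."""
    counts = Counter(select_link(f, method, n_links) for f in flows)
    return {i: counts.get(i, 0) for i in range(n_links)}


# Constructed: four client PCs all talking to one corporate web server
FLOWS: List[Flow] = [
    {"src_mac": f"0000.0000.0a0{i}", "dst_mac": "0000.0000.ff00",
     "src_ip": f"10.1.1.{i}", "dst_ip": "10.1.10.80"}
    for i in range(1, 5)
]

if __name__ == "__main__":
    for method in ("dst-ip", "src-ip", "src-dst-ip", "dst-mac", "src-mac"):
        print(f"{method:10} over 2 links: {distribution(FLOWS, method, 2)}")
```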
Question 4
An access switch has been configured with an EtherChannel port. After configuring SPAN to monitor this
port, the network administrator notices that not all traffic is being replicated to the management server.
What is a cause for this issue?
A. VLAN filters are required to ensure traffic mirrors effectively.
B. SPAN encapsulation replication must be enabled to capture EtherChannel destination traffic.
C. The port channel can be used as a SPAN source, but not a destination.
D. RSPAN must be used to capture EtherChannel bidirectional traffic.
Answer: C

Question 5
Refer to the exhibit.

What is the result of the configuration?


A. The EtherChannels would not form because the load-balancing method must match on the devices.
B. The EtherChannels would form and function properly even though the load-balancing and EtherChannel modes do
not match.
C. The EtherChannels would form, but network loops would occur because the load-balancing methods do not match.
D. The EtherChannels would form and both devices would use the dst-ip load-balancing method because Switch1 is
configured with EtherChannel mode active.

Answer: B
Explanation
If one end is passive and the other end is active, the EtherChannel will form even though the interfaces at the two ends
use different modes and different load-balancing methods. Switch1 will load-balance based on destination IP while
Switch2 will load-balance based on source MAC address.
Question 6
A network engineer tries to configure storm control on an EtherChannel bundle. What is the result of the
configuration?
A. The storm control settings will appear on the EtherChannel, but not on the associated physical ports.
B. The configuration will be rejected because storm control is not supported for EtherChannel.
C. The storm control configuration will be accepted, but will only be present on the physical interfaces.
D. The settings will be applied to the EtherChannel bundle and all associated physical interfaces.
Answer: D
Explanation
When storm control is configured on an EtherChannel, the storm control settings propagate to the EtherChannel
physical interfaces. In the show etherchannel command output, the storm control settings appear on the
EtherChannel but not on the physical ports of the channel.
Note: You cannot configure storm control on the individual ports of that EtherChannel.

Question 7

A network engineer must set the load balance method on an existing port channel. Which action must be
done to apply a new load balancing method?
A. Configure the new load balancing method using port-channel load-balance.
B. Adjust the switch SDM back to default.
C. Ensure that IP CEF is enabled globally to support all load balancing methods.
D. Upgrade the PFC to support the latest load balancing methods.
Answer: A
Explanation
Issue the port-channel load-balance {src-mac | dst-mac | src-dst-mac | src-ip | dst-ip | src-dst-ip | src-port |
dst-port | src-dst-port | mpls} global configuration command to configure the load-balancing method.

Question 8
A network engineer configured a fault-tolerance link on Gigabit Ethernet links G0/1, G0/2, G0/3, and
G0/4 between two switches using Ethernet port-channel. Which action allows interface G0/1 to always
actively forward traffic in the port-channel?
A. Configure G0/1 as half duplex and G0/2 as full duplex.
B. Configure LACP port-priority on G0/1 to 1.
C. Configure LACP port-priority on G0/1 to 65535.
D. LACP traffic goes through G0/4 because it is the highest interface ID.

Answer: B
Explanation
A LACP port priority is configured on each port using LACP. The port priority can be configured automatically or
through the CLI. LACP uses the port priority with the port number to form the port identifier. The port priority
determines which ports should be put in standby mode when there is a hardware limitation that prevents all
compatible ports from aggregating.
The syntax of LACP port priority is (configured under interface mode):
lacp port-priority priority-value
The lower the value, the more likely the interface will be used for LACP transmission.
Question 9
Which statement about the use of PAgP link aggregation on a Cisco switch that is running Cisco IOS
Software is true?
A. PAgP modes are off, auto, desirable, and on. Only the combinations auto-desirable, desirable-desirable, and on-on
allow the formation of a channel.
B. PAgP modes are active, desirable, and on. Only the combinations active-desirable, desirable-desirable, and on-on
allow the formation of a channel.
C. PAgP modes are active, desirable, and on. Only the combinations active-active, desirable-desirable, and on-on
allow the formation of a channel.
D. PAgP modes are off, active, desirable, and on. Only the combinations auto-auto, desirable-desirable, and on-on
allow the formation of a channel.

Answer: A

Explanation
The table below lists whether an EtherChannel will be formed for each pair of PAgP modes:

PAgP      | Desirable | Auto
----------+-----------+-----
Desirable | Yes       | Yes
Auto      | Yes       | No

For on mode, the link aggregation is forced to form without any PAgP negotiation. A port-channel is formed only if
the peer port is also in on mode.
Question 10
Refer to the exhibit.

Which EtherChannel negotiation protocol is configured on the interface f0/13 f0/15?


A. Link Combination Control Protocol
B. Port Aggregation Protocol
C. Port Combination Protocol
D. Link Aggregation Control Protocol

Answer: B
Explanation
Interfaces Fa0/13 to Fa0/15 are bundled into Port-channel 12 and it is running with desirable mode -> it is using
PAgP.

Question 11

Refer to the exhibit.

Users of PC-1 experience slow connection when a webpage is requested from the server. To increase
bandwidth, the network engineer configured an EtherChannel on interfaces Fa1/0 and Fa0/1 of the server
farm switch, as shown here:
Server_Switch#sh etherchannel load-balance
EtherChannel Load-Balancing Operational State (src-mac):
Non-IP: Source MAC address
IPv4: Source MAC address
IPv6: Source IP address
Server_Switch#
However, traffic is still slow. Which action can the engineer take to resolve this issue?
A. Disable EtherChannel load balancing.
B. Upgrade the switch IOS to IP services image.
C. Change the load-balance method to dst-mac.
D. Contact Cisco TAC to report a bug on the switch.

Answer: C
Explanation
From the output we see that the Server_Switch is currently load balancing by source MAC address. Changing the
load-balance method to another one solves the problem. In this case C is the best choice because the other answers are
surely incorrect.
Question 12
A network engineer changed the port speed and duplex setting of an existing EtherChannel bundle that
uses the PAgP protocol. Which statement describes what happens to all ports in the bundle?
A. PAgP changes the port speed and duplex for all ports in the bundle.
B. PAgP drops the ports that do not match the configuration.
C. PAgP does not change the port speed and duplex for all ports in the bundle until the switch is rebooted.
D. PAgP changes the port speed but not the duplex for all ports in the bundle.
Answer: A
Explanation
Configuration changes applied to the port-channel interface apply to all the physical ports assigned to the port-channel
interface. Configuration changes applied to the physical port affect only the port where you apply the configuration. To
change the parameters of all ports in an EtherChannel, apply configuration commands to the port-channel interface,
for example, spanning-tree commands or commands to configure a Layer 2 EtherChannel as a trunk.
Note: If we only change the parameters on a physical port of the port-channel, the port-channel may go down
because of parameter mismatch. For example, if you only configure switchport trunk allowed vlan on a physical
port, the port-channel will go down.
Question 13

Which statement about using EtherChannel on Cisco IOS switches is true?


A. A switch can support up to eight compatibly configured Ethernet interfaces in an EtherChannel. The EtherChannel
provides full-duplex bandwidth up to 800 Mbps only for Fast EtherChannel or 8 Gbps only for Gigabit EtherChannel.
B. A switch can support up to 10 compatibly configured Ethernet interfaces in an EtherChannel. The EtherChannel
provides full-duplex bandwidth up to 1000 Mbps only for Fast EtherChannel or 8 Gbps only for Gigabit EtherChannel.
C. A switch can support up to eight compatibly configured Ethernet interfaces in an EtherChannel. The EtherChannel
provides full-duplex bandwidth up to 800 Mbps only for Fast EtherChannel or 16 Gbps only for Gigabit EtherChannel.
D. A switch can support up to 10 compatibly configured Ethernet interfaces in an EtherChannel. The EtherChannel
provides full-duplex bandwidth up to 1000 Mbps only for Fast EtherChannel or 10 Gbps only for Gigabit EtherChannel.
Answer: A
Explanation
The EtherChannel provides full-duplex bandwidth up to 800 Mbps (Fast EtherChannel) or 8 Gbps (Gigabit
EtherChannel) between your switch and another switch or host.
Each EtherChannel can consist of up to eight compatibly configured Ethernet interfaces. All interfaces in each
EtherChannel must be the same speed, and all must be configured as either Layer 2 or Layer 3 interfaces.
Note: 800 Mbps full-duplex means data can be transmitted at 800 Mbps and received at 800 Mbps (1600 Mbps in
total).
Question 14
Refer to the exhibit.

Which statement about switch S1 is true?


A. Physical port Fa0/13, Fa0/14, and Fa0/15 successfully formed a Layer 2 port-channel interface using an open
standard protocol.
B. Logical port Fa0/13, Fa0/14, and Fa0/15 successfully formed a Layer 2 physical port-channel interface using a Cisco
proprietary protocol.
C. Physical port Fa0/13, Fa0/14, and Fa0/15 successfully formed a Layer 3 port-channel interface using a Cisco
proprietary protocol.
D. Logical port Fa0/13, Fa0/14, and Fa0/15 successfully formed a Layer 3 physical port-channel interface using an
open standard protocol.
Answer: A
Explanation

From the last line of the output, we learn physical ports Fa0/13, Fa0/14, and Fa0/15 are bundled into Port-channel 1
and use LACP which is an open standard protocol.
Question 15
What is the maximum number of 10 Gigabit Ethernet connections that can be utilized in an EtherChannel
for the virtual switch link?
A. 4
B. 6
C. 8
D. 12
Answer: C
Explanation
The EtherChannel provides full-duplex bandwidth up to 800 Mbps (Fast EtherChannel) or 8 Gbps (Gigabit
EtherChannel) between your switch and another switch or host. Therefore if we have 10 Gigabit Ethernet
connections, only 8 links will be used.
Question 16
Which statement about restrictions for multichassis LACP is true?
A. It is available only on a Cisco Catalyst 6500 Series chassis.
B. It does not support 1Gb links.
C. Converting a port channel to mLACP can cause a service disruption.
D. It is not available in VSS.
Answer: C
Explanation
Multichassis LACP (mLACP) is also supported on the 7600 and ASR9000 series -> A is not correct.
mLACP supports both FastEthernet and GigabitEthernet -> B is not correct.
VSS mode does not support only the mLACP for server access feature; mLACP itself is available in Virtual Switching
Systems (VSS) -> D is not correct. An example of a combination of VSS and mLACP is shown below:

In the topology above, the mLACP is a port channel that spans the two chassis of a VSS. Notice that the two chassis of
this VSS are connected via a Virtual Switch Link (VSL). The VSL is a special link that carries control and data traffic
between the two chassis of a VSS. In this case the VSL is implemented as an EtherChannel with two links.
Restrictions of mLACP include:
+ mLACP does not support Fast Ethernet.
+ mLACP does not support half-duplex links.
+ mLACP does not support multiple neighbors.
+ Converting a port channel to mLACP can cause a service disruption (for a short time).

Question 17
Which four LACP components are used to determine which hot-standby links become active after an interface
failure within an EtherChannel bundle? (Choose four)
A. LACP system priority
B. hot-standby link identification
C. system ID
D. interface bandwidth
E. LACP port priority
F. port number
G. interface MAC address
Answer: A C E F

Explanation
When enabled, LACP tries to configure the maximum number of LACP-compatible ports in a channel, up to a
maximum of 16 ports. Only eight LACP links can be active at one time. The software places any additional links in a
hot-standby mode. If one of the active links becomes inactive, a link that is in the hot-standby mode becomes active
in its place.
If you configure more than eight links for an EtherChannel group, the software automatically decides which of the
hot-standby ports to make active based on the LACP priority. The software assigns to every link between systems that
operate LACP a unique priority made up of these elements (in priority order):
+ LACP system priority
+ System ID (a combination of the LACP system priority and the switch MAC address)
+ LACP port priority
+ Port number
In priority comparisons, numerically lower values have higher priority. The priority decides which ports should be put
in standby mode when there is a hardware limitation that prevents all compatible ports from aggregating.
Ports are considered for active use in aggregation in link-priority order starting with the port attached to the highest
priority link. Each port is selected for active use if the preceding higher priority selections can also be maintained.
Otherwise, the port is selected for standby mode.
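The following Python script is an added example (not part of the original question set) that applies the selection order above to a constructed ten-link bundle: the system with the lower (LACP system priority, system MAC) decides, and on that system links are ranked by (LACP port priority, port number), the first eight going active. The system MACs, port numbers and the failed link are assumptions made for the example.

```python
"""Which ports of an oversubscribed LACP bundle go active and which stay hot-standby.

Added example, not from the original page. Models the LACP selection order:
the system with the lower (system priority, MAC) controls the choice, and on
that system links are ranked by (port priority, port number). Only eight
links can be active at once; the rest wait in hot standby.
"""
MAX_ACTIVE = 8


def controlling_side(local_system, peer_system):
    """Each system is (LACP system priority, MAC); the lower tuple controls selection."""
    return "local" if local_system <= peer_system else "peer"


def rank_links(local_system, peer_system, links):
    """links: {name: {"local": (port priority, port number), "peer": (...)}}.

    Returns (active, standby) lists of link names in selection order;
    numerically lower values win, exactly as in the BPDU-style comparisons.
    """
    side = controlling_side(local_system, peer_system)
    ordered = sorted(links, key=lambda name: links[name][side])
    return ordered[:MAX_ACTIVE], ordered[MAX_ACTIVE:]


def on_link_failure(active, standby, failed):
    """Drop the failed link; the best-ranked hot-standby link (if any) takes its place."""
    active = [name for name in active if name != failed]
    standby = list(standby)
    if standby and len(active) < MAX_ACTIVE:
        active.append(standby.pop(0))
    return active, standby


def example_bundle():
    """Constructed bundle: ten Gi1/0/x links, local Gi1/0/10 given LACP port priority 0."""
    local = (32768, "0000.0000.aaaa")     # constructed MAC
    peer = (32768, "0000.0000.bbbb")      # equal priority, so the lower MAC (local) decides
    links = {f"Gi1/0/{n}": {"local": (128, n), "peer": (128, n)} for n in range(1, 11)}
    links["Gi1/0/10"]["local"] = (0, 10)  # lacp port-priority 0: preferred despite highest number
    return rank_links(local, peer, links)


if __name__ == "__main__":
    active, standby = example_bundle()
    print("active :", active)
    print("standby:", standby)
    print("after Gi1/0/1 fails:", on_link_failure(active, standby, "Gi1/0/1"))
```

Because the peer's port priorities are ignored whenever the local system has the lower system ID, setting `lacp system-priority` low on the switch whose port ordering you actually want to enforce is what makes `lacp port-priority` meaningful.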

VLAN Questions
Question 1
Which feature is automatically enabled when a voice VLAN is configured, but not automatically disabled
when a voice VLAN is removed?
A. portfast
B. port-security
C. spanning tree
D. storm control
Answer: A
Explanation
The Port Fast feature is automatically enabled when voice VLAN is configured. When you disable voice VLAN, the Port
Fast feature is not automatically disabled.
Question 2
In which portion of the frame is the 802.1q header found?
A. within the Ethernet header
B. within the Ethernet payload
C. within the Ethernet FCS
D. within the Ethernet source MAC address
Answer: A
Explanation
802.1Q VLAN frames are distinguished from ordinary Ethernet frames by the insertion of a 4-byte VLAN tag into the
Ethernet header.

Question 3
What is required for a LAN switch to support 802.1q Q-in-Q encapsulation?
A. Support less than 1500 MTU
B. Support 1504 MTU or higher
C. Support 1522 layer 3 IP and IPX packet
D. Support 1547 MTU only
Answer: B
Explanation
Because the 802.1Q tunneling feature increases the frame size by 4 bytes when the metro tag is added, you must
configure all switches in the service-provider network to be able to process maximum frames by increasing the switch
system MTU size to at least 1504 bytes.

Question 4
What is the size of the VLAN field inside an 802.1q frame?
A. 8-bit
B. 12-bit
C. 16-bit
D. 32-bit
Answer: B
Explanation
The VLAN ID field inside an 802.1Q tag is 12 bits wide, so there are 2^12 = 4096 possible VLAN IDs in theory (0 and 4095 are reserved, so 4094 are usable).
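As an added example serving Questions 2, 3 and 4 (it is not from the original page), the Python below builds and decodes 802.1Q and Q-in-Q frames: it shows the 4-byte tag inserted after the source MAC, the 12-bit VLAN ID inside the tag control information, and why a 1500-byte payload needs a 1504-byte system MTU once a tag is added (1514, 1518 and 1522-byte frames before the FCS for zero, one and two tags). The MAC addresses, payloads and the choice of 0x88A8 as the outer TPID are assumptions made for the example.

```python
"""Build and decode 802.1Q and Q-in-Q (double-tagged) Ethernet frames.

Added example, not from the original question set. A tag is 4 bytes placed
between the source MAC and the EtherType: a 16-bit TPID followed by a 16-bit
TCI holding 3 bits of PCP, 1 DEI bit and the 12-bit VLAN ID.
"""
import struct

TPID_CTAG = 0x8100       # customer (inner) tag
TPID_STAG = 0x88A8       # service/outer tag; assumption: some tunnels reuse 0x8100 here
ETHERTYPE_IPV4 = 0x0800
VID_MASK = 0x0FFF        # the VLAN ID field is 12 bits wide


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace(".", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype, payload, tags=()):
    """Return a frame without FCS; tags is a list of (tpid, vid, pcp), outermost first."""
    out = _mac_bytes(dst) + _mac_bytes(src)
    for tpid, vid, pcp in tags:
        if not 0 <= vid <= VID_MASK:
            raise ValueError(f"VLAN ID {vid} does not fit in 12 bits")
        if not 0 <= pcp <= 7:
            raise ValueError("PCP is a 3-bit field")
        tci = (pcp << 13) | vid          # DEI (bit 12) left clear
        out += struct.pack("!HH", tpid, tci)
    return out + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [vid, ...] outermost first, ethertype, payload).

    Walks every tag it finds: an untagged frame yields no VIDs, a single
    802.1Q frame one, a Q-in-Q frame two.
    """
    dst, src = _mac_str(frame[0:6]), _mac_str(frame[6:12])
    off, vids = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (TPID_CTAG, TPID_STAG):
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & VID_MASK)
        off += 4
    return dst, src, vids, etype, frame[off + 2:]


def frame_sizes(payload_len=1500):
    """Frame length (no FCS) for an untagged, single-tagged and double-tagged payload."""
    payload = b"\x00" * payload_len                   # constructed payload
    d, s = "ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55"   # constructed addresses
    return (
        len(build_frame(d, s, ETHERTYPE_IPV4, payload)),
        len(build_frame(d, s, ETHERTYPE_IPV4, payload, [(TPID_CTAG, 10, 0)])),
        len(build_frame(d, s, ETHERTYPE_IPV4, payload,
                        [(TPID_STAG, 200, 0), (TPID_CTAG, 10, 0)])),
    )


if __name__ == "__main__":
    print(frame_sizes())          # (1514, 1518, 1522): each tag adds exactly 4 bytes
    qinq = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ETHERTYPE_IPV4,
                       b"payload", [(TPID_STAG, 200, 5), (TPID_CTAG, 10, 0)])
    print(parse_frame(qinq)[2])   # [200, 10]: outer (provider) VID first, then the customer VID
```

The parser is deliberately greedy about tags: a frame that arrives with two tags where one was expected is exactly the case a Q-in-Q boundary switch (or a double-tagging attacker) produces, so tooling that only reads the first TPID misreports the VLAN the inner payload will land in.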

Question 5
What is the maximum number of VLANs that can be assigned to an access switchport without a voice
VLAN?
A. 0
B. 1
C. 2
D. 1024
Answer: B
Explanation
Each access port can be only assigned to one VLAN via the switchport access vlan command.
Question 6
What does the command vlan dot1q tag native accomplish when configured under global configuration?
A. All frames within the native VLAN are tagged, except when the native VLAN is set to 1.
B. It allows control traffic to pass using the non-default VLAN.
C. It removes the 4-byte dot1q tag from every frame that traverses the trunk interface(s).
D. Control traffic is tagged.
Answer: D
Explanation
This command enables tagging of native VLAN frames on all 802.1Q trunk ports of the switch.
Answer A is not correct because the native VLAN is tagged even when the native VLAN is VLAN 1.
Answer B is not correct because control traffic still passes in the default VLAN (VLAN 1); the command changes how those
frames are tagged, not which VLAN carries them.
Answer C is not correct because the command adds the 4-byte dot1q tag to native VLAN frames rather than removing tags.
Answer D is the best choice: control traffic such as CDP, VTP, STP and DTP is carried in VLAN 1, so once native VLAN
frames are tagged (VLAN 1 is the native VLAN by default) that control traffic is tagged as well. If the native VLAN is
not VLAN 1, the control traffic in VLAN 1 is already tagged on the trunk without this command.
Tagging the native VLAN is also the usual mitigation for double-tagged VLAN hopping: an outer tag that matches the
native VLAN is no longer stripped when the frame is sent across the trunk, so the inner tag never becomes visible to the
next switch.

VLAN Trunking
Question 1
Refer to the exhibit.

SW-1#sh logging
%SPANTREE-SP-2-RECV_PVID_ERR: Received BPDU with inconsistent peer
Vlan id 1 on GigabitEthernet1/2 VLAN2013.
%SPANTREE-SP-2-BLOCK_PVID_PEER: Blocking GigabitEthernet1/2 on
VLAN0001. Inconsistent peer vlan.
A multilayer switch has been configured to send and receive encapsulated and tagged frames. VLAN 2013
on the multilayer switch is configured as the native VLAN. Which option is the cause of the spanning-tree
error?
A. VLAN spanning-tree in SW-2 is configured.
B. spanning-tree bpdu-filter is enabled.
C. 802.1q trunks are on both sides, both with native VLAN mismatch.
D. VLAN ID 1 should not be used for management traffic because its unsafe.
Answer: C
Explanation
These errors are generated because the native VLAN does not match on the two switches (the native VLAN on SW-1 is
VLAN 2013 rather than the default VLAN 1, while the other side still uses VLAN 1). The errors indicate that spanning
tree has detected the mismatched native VLANs and has blocked VLAN 1 on the trunk.
We should verify that the native VLAN ID is configured consistently on the interfaces at each end of the IEEE 802.1Q
trunk. Once the configurations agree, spanning tree automatically unblocks the interfaces.

Question 2
Refer to the exhibit.

3512xl(config)#int fastEthernet 0/1
3512xl(config-if)#switchport mode trunk
3512xl(config-if)#switchport trunk encapsulation dot1q
How many bytes are added to each frame as a result of the configuration?
A. 4-bytes except the native VLAN
B. 8-bytes except the native VLAN
C. 4-bytes including native VLAN
D. 8-bytes including native VLAN
Answer: A
Explanation
In 802.1Q, the trunking device inserts a 4-byte tag into the original frame and recomputes the frame check sequence
(FCS) before the device sends the frame over the trunk link. At the receiving end, the tag is removed and the frame is
forwarded to the assigned VLAN. 802.1Q does not tag frames on the native VLAN. It tags all other frames that
are transmitted and received on the trunk.

Question 3
A network engineer must implement Ethernet links that are capable of transporting frames and IP traffic
for different broadcast domains that are mutually isolated. Consider that this is a multivendor
environment. Which Cisco IOS switching feature can be used to achieve the task?
A. PPP encapsulation with a virtual template
B. Link Aggregation Protocol at the access layer
C. dot1q VLAN trunking
D. Inter-Switch Link
Answer: C
Explanation
802.1Q is the industry-standard way of carrying traffic for multiple VLANs over a single trunk interface between two
Ethernet switches, so it works in a multivendor environment, whereas Inter-Switch Link (ISL) is Cisco proprietary.
802.1Q is for Ethernet networks only.
Question 4
Which technique allows specific VLANs to be strictly permitted by the administrator?
A. VTP pruning
B. transparent bridging
C. trunk allowed VLANs
D. VLAN access-list
E. L2P tunneling
Answer: C
Explanation
We can use the switchport trunk allowed vlan to specify which VLANs are allowed to go through. Other VLANs will
be dropped.
Question 5
For security reasons, the IT manager has prohibited users from dynamically establishing trunks with their
associated upstream switch. Which two actions can prevent interface trunking? (Choose two)
A. Configure trunk and access interfaces manually.
B. Disable DTP on a per interface basis.
C. Apply BPDU guard and BPDU filter.
D. Enable switchport block on access ports.
Answer: A B
Explanation
Manually configuring trunks with the switchport mode trunk command and access interfaces with the switchport mode
access command prevents automatic trunking on those interfaces.
Disabling DTP with switchport nonegotiate, so that no DTP messages are sent out of the interface, is the other way to
prevent automatic trunking; it is accepted only once the port is statically in access or trunk mode.
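The following Python audit is an added example (not the page's own material): it parses a constructed Catalyst running-config and reports every port on which DTP can still bring up a trunk, ranking dynamic ports highest, static trunks without switchport nonegotiate next, and access ports that still emit DTP frames lowest. It assumes that a port with no explicit switchport mode line defaults to dynamic auto, which is the case on current Catalyst platforms.

```python
"""Find switch ports that can still negotiate a trunk via DTP.

Added example, not from the original question set. Parses plain Catalyst IOS
running-config text; SAMPLE_CONFIG below is constructed for this example.
Assumption: a port with no 'switchport mode' line is treated as
'dynamic auto', the default on current Catalyst platforms.
"""
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/3
 description uplink to core
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/5
 switchport access vlan 20
!
"""

_IFACE = re.compile(r"^interface (\S+)")
_MODE = re.compile(r"^\s*switchport mode (.+?)\s*$")


def parse_interfaces(config_text):
    """Return {interface name: [its indented config lines, stripped]}."""
    result, current = {}, None
    for line in config_text.splitlines():
        m = _IFACE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
        elif current is not None and line.startswith(" "):
            result[current].append(line.strip())
        else:
            current = None            # '!' or a global line ends the interface block
    return result


def audit_dtp(config_text):
    """Return {interface: (severity, finding)} for ports where DTP still matters."""
    findings = {}
    for name, lines in parse_interfaces(config_text).items():
        mode = "dynamic auto"                        # assumed platform default
        for line in lines:
            m = _MODE.match(line)
            if m:
                mode = m.group(1)
        nonegotiate = "switchport nonegotiate" in lines
        if mode.startswith("dynamic"):
            findings[name] = ("high", f"mode '{mode}': a neighbour can negotiate a trunk; "
                                      "set switchport mode access or trunk")
        elif mode == "trunk" and not nonegotiate:
            findings[name] = ("medium", "static trunk still sends DTP frames; "
                                        "add switchport nonegotiate")
        elif mode == "access" and not nonegotiate:
            findings[name] = ("low", "access port cannot become a trunk but still sends DTP; "
                                     "add switchport nonegotiate to silence it")
    return findings


if __name__ == "__main__":
    for iface, (severity, message) in sorted(audit_dtp(SAMPLE_CONFIG).items()):
        print(f"{severity:6} {iface:24} {message}")
```

Run it against `show running-config` output saved to a file; the "high" findings are the ports an attacker can turn into a trunk simply by speaking DTP, which is the condition the question asks you to eliminate.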

Question 6
Which two protocols can be automatically negotiated between switches for trunking? (Choose two)
A. PPP
B. DTP
C. ISL
D. HDLC
E. DLCI
F. DOT1Q

Answer: C F
Explanation
There are two trunking encapsulations: Inter-Switch Link (ISL) and 802.1Q. We choose which one to run with the
switchport trunk encapsulation command, and then set the trunking mode with the switchport mode trunk command.
Strictly speaking the question is unclear, because Dynamic Trunking Protocol (DTP) is the protocol that negotiates
trunking; ISL and 802.1Q are the encapsulations that DTP can negotiate (when switchport trunk encapsulation negotiate
is configured).
Note: The DTP options can be dynamic auto, dynamic desirable, and trunk.
Question 7
The network manager has requested that several new VLANs (VLAN 10, 20, and 30) are allowed to
traverse the switch trunk interface. After the command switchport trunk allowed vlan 10,20,30 is
issued, all other existing VLANs no longer pass traffic over the trunk. What is the root cause of the
problem?
A. The command effectively removed all other working VLANs and replaced them with the new VLANs.
B. VTP pruning removed all unused VLANs.
C. ISL was unable to encapsulate more than the already permitted VLANs across the trunk.
D. Allowing additional VLANs across the trunk introduced a loop in the network.
Answer: A
Explanation
By default all VLANs are allowed on a trunk, but once switchport trunk allowed vlan 10,20,30 is applied only the listed
VLANs pass and every other VLAN is dropped from the trunk. To extend the existing list rather than replace it, use the
add keyword: switchport trunk allowed vlan add 10,20,30.
Question 8
A manager tells the network engineer to permit only certain VLANs across a specific trunk interface.
Which option can be configured to accomplish this?
A. allowed VLAN list
B. VTP pruning
C. VACL
D. L2P tunneling
Answer: A
Explanation
We can use the switchport trunk allowed vlan to specify which VLANs are allowed to go through. Other VLANs will
be dropped.

Question 9
Refer to the exhibit.

interface GigabitEthernet 1/0/1
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport mode trunk
switchport voice vlan 11
spanning-tree portfast
!
Which option shows the expected result if a show vlan command is issued?
A. Exhibit A
B. Exhibit B
C. Exhibit C
D. Exhibit D

Answer: A
Explanation
First we will explain these two commands:
switchport access vlan 10
switchport mode trunk
The first command is used for an access port whilst the second is used for a trunk, so why are they here at the same
time? In fact this interface was set as a trunk. The switchport access vlan 10 line is still there but it does not affect
the operational mode of the port -> Gi1/0/1 is a trunk port, so it will not appear in the port list of the show vlan
command (only access ports are listed there).

The switchport voice vlan 11 command is there to distract you, but it does have an effect on the port: the switch uses
CDP to identify a Cisco IP Phone and automatically places the phone's traffic into the voice VLAN. For example, with
this configuration:

interface fa0/0
switchport trunk encapsulation dot1q
switchport mode trunk
switchport voice vlan 11
the voice traffic from a Cisco IP Phone is placed into VLAN 11.

Note: In the above configuration the data and voice traffic share the same physical interface, which this exhibit
configures as a trunk. On current Catalyst switches the same result is normally achieved with switchport mode access
plus switchport voice vlan 11, which lets the phone tag its voice frames without opening a full trunk to the desk.

VTP Questions
Question 1
Several new switches have been added to the existing network as VTP clients. All of the new switches
have been configured with the same VTP domain, password, and version. However, VLANs are not passing
from the VTP server (existing network) to the VTP clients. What must be done to fix this?
A. Remove the VTP domain name from all switches with null and then replace it with the new domain name.
B. Configure a different native VLAN on all new switches that are configured as VTP clients.
C. Provision one of the new switches to be the VTP server and duplicate information from the existing network.
D. Ensure that all switch interconnects are configured as trunks to allow VTP information to be transferred.
Answer: D
Explanation
VTP updates can only be forwarded on trunk links.
Question 2
After implementing VTP, the extended VLANs are not being propagated to other VTP switches. What
should be configured for extended VLANs?
A. VTP does not support extended VLANs and should be manually added to all switches.
B. Enable VTP version 3, which supports extended VLAN propagation.
C. VTP authentication is required when using extended VLANs because of their ability to cause network instability.
D. Ensure that all switches run the same Cisco IOS version. Extended VLANs will not propagate to different IOS
versions when extended VLANs are in use.

Answer: B
Explanation
VTP version 1 and version 2 support VLANs 1 to 1000 only. Extended-range VLANs are supported only in VTP version
3. If converting from VTP version 3 to VTP version 2, VLANs in the range 1006 to 4094 are removed from VTP control.
Question 3
Which technique automatically limits VLAN traffic to only the switches that require it?
A. access lists
B. DTP in nonegotiate
C. VTP pruning
D. PBR

Answer: C
Explanation
VTP pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast frames on a
VLAN only if the switch on the receiving end of the trunk has ports in that VLAN. For example, a server switch does not
send a VLAN 10 broadcast across its trunk to Sw2 if Sw2 has no ports in VLAN 10.

Question 4
Refer to the exhibit.

Switch A, B, and C are trunked together and have been properly configured for VTP. Switch C receives
VLAN information from the VTP server Switch A, but Switch B does not receive any VLAN information.
What is the most probable cause of this behavior?
A. Switch B is configured in transparent mode.
B. Switch B is configured with an access port to Switch A, while Switch C is configured with a trunk port to Switch B.
C. The VTP revision number of the Switch B is higher than that of Switch A.
D. The trunk between Switch A and Switch B is misconfigured.
Answer: A
Explanation
Switch C can receive VLAN information from Switch A so Switch B can forward it to Switch C without updating its VLAN
database -> Switch B is in VTP transparent mode.
Question 5
A network is running VTPv2. After verifying all VTP settings, the network engineer notices that the new
switch is not receiving the list of VLANs from the server. Which action resolves this problem?
A. Reload the new switch.
B. Restart the VTP process on the new switch.
C. Reload the VTP server.
D. Verify connected trunk ports.
Answer: D
Explanation
VTP updates can only be forwarded on trunk links.
Question 6

After configuring new data VLANs 1020 through 1030 on the VTP server, a network engineer notices that
none of the VTP clients are receiving the updates. What is the problem?
A. The VTP server must be reloaded.
B. The VTP version number must be set to version 3.
C. After each update to the VTP server, it takes up to 4 hours propagate.
D. VTP must be stopped and restarted on the server.
E. Another switch in the domain has a higher revision number than the server.
Answer: B
Explanation
VTP version 1 and version 2 support VLANs 1 to 1000 only. Extended-range VLANs are supported only in VTP version
3. If converting from VTP version 3 to VTP version 2, VLANs in the range 1006 to 4094 are removed from VTP control.
Question 7
A network engineer is extending a LAN segment between two geographically separated data centers.
Which enhancement to a spanning-tree design prevents unnecessary traffic from crossing the extended
LAN segment?
A. Modify the spanning-tree priorities to dictate the traffic flow.
B. Create a Layer 3 transit VLAN to segment the traffic between the sites.
C. Use VTP pruning on the trunk interfaces.
D. Configure manual trunk pruning between the two locations.
Answer: C
Explanation
VTP Pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast frames on a
VLAN only if the switch on the receiving end of the trunk has ports in that VLAN.
Question 8
When you design a switched network using VTPv2, how many VLANs can be used to carry user traffic?
A. 1000
B. 1001
C. 1024
D. 2048
E. 4095
F. 4096
Answer: B
Explanation
VTP version 1 and version 2 support VLANs 1 to 1000 only. Extended-range VLANs are supported only in VTP version
3. If converting from VTP version 3 to VTP version 2, VLANs in the range 1006 to 4094 are removed from VTP control.
Question 9
A new network that consists of several switches has been connected together via trunking interfaces. If
all switches currently have the default VTP domain name null, which statement describes what happens
when a domain name is configured on one of the switches?
A. The switch with the non-default domain name restores back to null upon reboot.
B. Switches with higher revision numbers does not accept the new domain name.
C. VTP summary advertisements are sent out of all ports with the new domain name.
D. All other switches with the default domain name become VTP clients.

Answer: C
Explanation
If a VTP client or server with a null domain receives a VTP message with the domain populated, it will assume the
domain of the received message and add applicable VLANs to its database.
Question 10
Which VTP mode is needed to configure an extended VLAN, when a switch is configured to use VTP
versions 1 or 2?
A. transparent
B. client
C. server
D. Extended VLANs are only supported in version 3 and not in versions 1 or 2.
Answer: D
Explanation
VTP version 1 and version 2 support VLANs 1 to 1000 only. Extended-range VLANs are supported only in VTP version
3. If converting from VTP version 3 to VTP version 2, VLANs in the range 1006 to 4094 are removed from VTP control.
Question 11
Which VLAN range is eligible to be pruned when a network engineer enables VTP pruning on a switch?
A. VLANs 1-1001
B. VLANs 1-4094
C. VLANs 2-1001
D. VLANs 2-4094
Answer: C
Explanation
Only VLANs 2 to 1001 are pruning-eligible. VLAN 1 and the reserved VLANs 1002 to 1005 are never pruned, and
extended-range VLANs (1006 to 4094) are also pruning-ineligible.
Question 12
Which feature must be enabled to eliminate the broadcasting of all unknown traffic to switches that are
not participating in the specific VLAN?
A. VTP pruning
B. port-security
C. storm control
D. bpdguard
Answer: A
Explanation
VTP Pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast frames on a
VLAN only if the switch on the receiving end of the trunk has ports in that VLAN.
Question 13
Refer to the exhibit.
Switch1(config)#vlan 10
VTP vlan configuration not allowed when device is in CLIENT mode.
Switch1#show interfaces trunk

Switch1#
The users in an engineering department that connect to the same access switch cannot access the
network. The network engineer found that the engineering VLAN is missing from the database. Which
action resolves this problem?
A. Disable VTP pruning and disable 802.1q.
B. Update the VTP revision number.
C. Change VTP mode to server and enable 802.1q.
D. Enable VTP pruning and disable 802.1q.
Answer: C
Explanation
In client mode we cannot create VLANs, and Switch1 has no trunk links, so it cannot receive any VTP updates either.
No answer offers configuring trunk links, so we have to choose changing the VTP mode to server and enabling 802.1Q.
This is a risky fix, however: a server-mode switch can overwrite the VLAN database of every other switch in the
domain via VTP if its configuration revision number is higher, so check the revision number before joining it to the
domain.
Question 14
Refer to the exhibit.

The network switches for two companies have been connected and manually configured for the required
VLANs, but users in company A are not able to access network resources in company B when DTP is
enabled. Which action resolves this problem?
A. Delete vlan.dat and ensure that the switch with lowest MAC address is the VTP server.
B. Disable DTP and document the VTP domain mismatch.
C. Manually force trunking with switchport mode trunk on both switches.
D. Enable the company B switch with the vtp mode server command.
Answer: C
Explanation
From the output above we see Switch Company A cannot receive VTP updates from Switch Company B. Therefore we
should check the trunking links connecting two switches. Manually force trunking may be a good solution.

Question 15
A network engineer must improve bandwidth and resource utilization on the switches by stopping the
inefficient flooding of frames on trunk ports where the frames are not needed. Which Cisco IOS feature
can be used to achieve this task?
A. VTP pruning
B. access list
C. switchport trunk allowed VLAN
D. VLAN access-map
Answer: A
Explanation
VTP Pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast frames on a
VLAN only if the switch on the receiving end of the trunk has ports in that VLAN.
Question 16
Which action allows a network engineer to limit a default VLAN from being propagated across all trunks?
A. Upgrade to VTP version 3 for advanced feature set support.
B. Enable VTP pruning on the VTP server.
C. Manually prune default VLAN with switchport trunk allowed vlans remove.
D. Use trunk pruning vlan 1.
Answer: C
Explanation
VLANs 2 to 1001 are eligible for pruning, but VLAN 1 has a special meaning because it is normally used as a
management VLAN and is not pruning-eligible. The only way to keep VLAN 1 off a trunk is the switchport trunk allowed
vlan remove 1 command. Even when VLAN 1 is removed from a trunk port, the interface continues to send and receive
management traffic in VLAN 1, for example Cisco Discovery Protocol (CDP), Port Aggregation Protocol (PAgP), Link
Aggregation Control Protocol (LACP), DTP and VTP. The benefit of clearing VLAN 1 is that user data can no longer
travel over the trunk in this VLAN, and the VLAN 1 spanning-tree instance no longer runs on that trunk.
Note: The Cisco IOS-based Catalyst 2900XL/3500XL switches do not allow you to clear VLAN 1 from a trunk; the
Catalyst 2950/3550, Cisco IOS 4000/4500 and native IOS 6000/6500 switches do.
Question 17
Refer to the exhibit.

Switch A, B, and C are trunked together and have been properly configured for VTP. Switch B has all
VLANs, but Switch C is not receiving traffic from certain VLANs. What would cause this issue?
A. A VTP authentication mismatch occurred between Switch A and Switch B.
B. The VTP revision number of Switch B is higher than that of Switch A.
C. VTP pruning is configured globally on all switches and it removed VLANs from the trunk interface that is connected
to Switch C.
D. The trunk between Switch A and Switch B is misconfigured.

Answer: C

STP Questions
Question 1
Which command does a network engineer use to verify the spanning-tree status for VLAN 10?
A. switch# show spanning-tree vlan 10
B. switch# show spanning-tree bridge
C. switch# show spanning-tree brief
D. switch# show spanning-tree summary
E. switch# show spanning-tree vlan 10 brief
Answer: A
Explanation
If we want to view the spanning-tree status of a specific VLAN, use the show spanning-tree vlan vlan-id command
(show spanning-tree vlan 10 here). An example of the output of this command is shown below:

Question 2
Refer to the exhibit.

f1/0 and f1/1 have the same end-to-end path cost to the designated bridge. Which action is needed to
modify the Layer 2 spanning-tree network so that traffic for PC1 VLAN from switch SW3 uses switchport
f1/1 as a primary port?

A. Modify the spanning-tree port-priority on SW1 f1/1 to 0 and f1/0 to 16.
B. Modify the spanning-tree port-priority on SW1 f1/1 to 16 and f1/0 to 0.
C. Modify the spanning-tree port-priority on SW2 f1/1 to 0 and f1/0 to 16.
D. Modify the spanning-tree port-priority on SW2 f1/1 to 16 and f1/0 to 0.
Answer: C
Explanation
SW3 needs to block one of its ports towards SW2 to avoid a bridging loop between the two switches. How does SW3
select the port to block? Based on the BPDUs it receives from SW2. A BPDU is superior to another if it has:
1. A lower Root Bridge ID
2. A lower path cost to the Root
3. A lower Sending Bridge ID
4. A lower Sending Port ID
These four parameters are examined in order. In this case all the BPDUs sent by SW2 have the same Root Bridge ID,
the same path cost to the Root and the same Sending Bridge ID, so the only parameter left to select the best one is the
Sending Port ID (Port ID = port priority + port index). The lower the port priority value, the higher the priority of that
port. Therefore we must change the port priority on SW2 F1/1 to a lower value than that of F1/0. Zero is the lowest
value we can assign, so we assign it to SW2 F1/1 and configure a higher value on F1/0 (port priority is set in steps of
16 from 0 to 240, with 128 as the default). The command, for the VLAN that PC1 belongs to:

SW2(config)#interface f1/1
SW2(config-if)#spanning-tree vlan vlan-id port-priority 0
Note: If we don't change the port priority, SW3 compares port index values, which are unique to each port on the
switch, and because F1/0 has a lower index than F1/1, SW3 selects F1/0 as its root port and blocks the other port.
Since it is the sending port ID on SW2 that breaks the tie, changing port priorities on SW1 (answers A and B) has no
effect on SW3's choice.
Question 3
Refer to the exhibit.

Why would the switch be considered as a root bridge?


A. The bridge priority is 1 and all ports are forwarding.
B. The switch priority for VLAN 1 and the macro specifies This Bridge is the root.
C. The bridge priority is 128.19 and all ports are forwarding.
D. The switch priority value is zero, it has the lowest priority value for VLAN 1.

Answer: D
Explanation
After powering on, the switches start sending BPDUs to elect a root bridge. A BPDU is superior to another if it has:
1. A lower Root Bridge ID
2. A lower path cost to the Root
3. A lower Sending Bridge ID
4. A lower Sending Port ID
From the output above, we learn that SW1 is the root bridge for VLAN 1 (from the "This bridge is the root" line). SW1
shows a Bridge ID priority of 1 because it has been configured with a switch priority value of 0, the lowest possible
value (highest priority). With the extended system ID, the VLAN ID (VLAN 1 here) is added to the configured priority,
so the final value is 0 + 1 = 1.
Question 4
Refer to the exhibit.

All ports are members of VLAN 10. Considering the default cost of upstream bridges to the root bridge is
equal, which option will be the new root port for VLAN 10?
A. interface f0/13
B. interface f0/14
C. interface f0/15
D. interface f0/21
Answer: D
Explanation
After receiving BPDUs from the upstream bridges, the switch adds the STP cost of the receiving port to the root path
cost carried in each BPDU and chooses the lowest total as its root port -> the STP cost via Fa0/21 is the smallest, so it
is chosen as the root port.
Question 5
A network engineer is trying to deploy a PC on a network. The engineer observes that when the PC is
connected to the network, it takes 30 to 60 seconds for the PC to see any activity on the network
interface card. Which Layer 2 enhancement can be used to eliminate this delay?
A. Configure port duplex and speed to auto negotiation.
B. Configure port to duplex full and speed 1000.
C. Configure spanning-tree portfast.
D. Configure no switchport.

Answer: C
Explanation
PortFast is often configured on switch ports that connect to hosts. Interfaces with PortFast enabled go to the
forwarding state immediately without passing through the listening and learning states, so the two 15-second
forward-delay periods (30 seconds in total) are skipped. To enable this feature, configure this command under
interface mode:
Switch(config-if)#spanning-tree portfast
Question 6
A network engineer configured an Ethernet switch using these commands.
Switch1(config) # spanning-tree portfast bpdufilter default
Which statement about the spanning-tree portfast feature on the switch is true?
A. If an interface is enabled for portfast receives BDPU, the port goes through the spanning-tree listening, learning,
and forwarding states.
B. If an interface is enabled for portfast receives BDPU, the port does not go through the spanning-tree listening,
learning, and forwarding states.
C. If an interface is enabled for portfast receives BDPU, the port is shut down immediately.
D. If an interface is enabled for portfast receives BDPU, the port goes into the spanning-tree inconsistent state.
Answer: A
Explanation
The spanning-tree portfast bpdufilter default command enables BPDU filtering globally on PortFast-enabled
interfaces. It prevents interfaces that are in the PortFast-operational state from sending BPDUs. If a BPDU is received
on such an interface, the interface loses its PortFast-operational status, BPDU filtering is disabled, and the port goes
through the normal listening, learning and forwarding states.
In short, the global command only affects ports configured with PortFast: it stops them from sending BPDUs (PortFast
interfaces would otherwise still send them), but receiving a BPDU disables both BPDU filtering and PortFast on that
port. This differs from the interface-level spanning-tree bpdufilter enable command, which silently drops received
BPDUs and can therefore hide a loop; the global form falls back to normal spanning tree instead.
Question 7
Which statement describes what happens when a port configured with root guard receives a superior
BPDU?
A. The port goes into errdisabled state and stops forwarding traffic.
B. The port goes into BPDU-inconsistent state and stops forwarding traffic.
C. The port goes into loop-inconsistent state and stops forwarding traffic.
D. The port goes into root-inconsistent state and stops forwarding traffic.
Answer: D
Explanation
Root guard does not allow the port to become an STP root port, so the port is always STP-designated. If a superior
BPDU arrives on this port, root guard does not take that BPDU into account to elect a new STP root. Instead, it puts the
port into the root-inconsistent STP state, which is equivalent to the listening state: no traffic is forwarded across the
port. The port recovers automatically once superior BPDUs stop arriving. Below is an example of where to configure
Root Guard on the ports. Notice that Root Guard is always configured on designated ports, typically those facing the
access layer or any neighbour that must never become the root.
To configure Root Guard use this command:
Switch(config-if)# spanning-tree guard root
Question 8
An administrator recently configured all ports for rapid transition using PortFast. After testing, it has been
determined that several ports are not transitioning as they should. What is the reason for this?
A. RSTP has been enabled per interface and not globally.
B. The STP root bridge selection is forcing key ports to remain in non-rapid transitioning mode.
C. STP is unable to achieve rapid transition for trunk links.
D. The switch does not have the processing power to ensure rapid transition for all ports.
Answer: C
Explanation
PortFast was configured on all ports, but it only takes effect on access (non-trunking) ports. A port that is operating
as a trunk keeps the normal listening and learning states even with spanning-tree portfast configured, which is why
the trunk links are not transitioning rapidly. Configuring PortFast on a trunk port (for example Fa0/24) produces this
message:

%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs,
concentrators, switches, bridges, etc to this interface when portfast is enabled, can cause temporary
bridging loops. Use with CAUTION
%Portfast has been configured on FastEthernet0/24 but will only have effect when the interface is in a nontrunking mode.
Note that RSTP itself runs fine on trunk links; what does not apply there is the PortFast edge-port behaviour. If a
trunk really does connect to a single end host (for example a server carrying several VLANs), the spanning-tree
portfast trunk interface command enables the rapid transition explicitly.
Question 9
Pilot testing of the new switching infrastructure finds that when the root port is lost, STP immediately
replaces the root port with an alternative root port. Which spanning-tree technology is used to accomplish
backup root port selection?
A. PVST+
B. PortFast
C. BackboneFast
D. UplinkFast
E. Loop Guard
F. UDLD
Answer: D
Explanation
UplinkFast is a Cisco specific feature that improves the convergence time of the Spanning-Tree Protocol (STP) in the
event of the failure of an uplink. The UplinkFast feature is designed to run in a switched environment when the switch
has at least one alternate/backup root port (port in blocking state), that is why Cisco recommends that UplinkFast be
enabled only for switches with blocked ports, typically at the access-layer.
For example in the topology below:

Suppose S1 is the root bridge in the topology above. S3 is connected to S1 via two paths: one direct path and another
that goes through S2. Suppose the port directly connected to S1 is the root port -> the port connected to S2 will be in Blocking
state. If the primary link goes down, the blocked port will need about 50 seconds to move from Blocking -> Listening
-> Learning -> Forwarding before it can be used.
To shorten the downtime, a feature called UplinkFast can be used. When the primary (root) link fails, another blocked
link can be brought up immediately for use. When UplinkFast is enabled, it is enabled for the entire switch and all
VLANs. It cannot be enabled for individual VLANs.
Question 10
A network engineer must adjust the STP interface attributes to influence root port selection. Which two
elements are used to accomplish this? (Choose two)
A. port-priority
B. cost
C. forward-timers
D. link type
E. root guard
Answer: A B
Explanation
Every non-root bridge needs to elect a root port. The election of root port is as follows:
1) Based on lowest cost path to the root bridge
2) Then based on lowest upstream Bridge ID (Bridge ID = Bridge Priority + MAC)
3) Then based on lowest upstream Port ID (Port ID = Port Priority + Port Index)
Therefore we can use STP cost and port-priority to select the root port.
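The three-step root port election above, carried out in code. This is an added example and not the page's own material; the candidate ports, costs, bridge priorities, MAC addresses and port numbers are constructed, and the function names are mine. It also shows which step each of the two answers from Question 10 influences: cost is changed on the local port (step 1), while the Port ID compared in step 3 is the one advertised by the upstream switch, so port-priority has to be configured on the upstream switch's port when two links lead to the same neighbor.

```python
"""STP root port election on a non-root bridge.

Added example, not code from the page. Each candidate is a local port that has
received a BPDU from a designated port upstream; the values below (port names,
costs, bridge priorities, MAC addresses, port IDs) are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Candidate:
    local_port: str
    advertised_cost: int          # root path cost carried in the received BPDU
    local_cost: int               # cost of the local port (spanning-tree cost)
    upstream_priority: int        # sender's bridge priority (Bridge ID = priority + MAC)
    upstream_mac: str             # sender's MAC address, Cisco dotted form
    upstream_port_priority: int   # sender's port priority (Port ID = priority + index)
    upstream_port_index: int      # sender's port number


def election_key(c):
    """Lower wins at every step: (1) root path cost, (2) upstream Bridge ID,
    (3) upstream Port ID. Tuples compare field by field, exactly as the
    concatenated priority+MAC and priority+index fields would."""
    bridge_id = (c.upstream_priority, int(c.upstream_mac.replace(".", ""), 16))
    port_id = (c.upstream_port_priority, c.upstream_port_index)
    return (c.advertised_cost + c.local_cost, bridge_id, port_id)


def elect_root_port(candidates):
    """Name of the local port that becomes the root port."""
    return min(candidates, key=election_key).local_port


def with_local_cost(candidates, port, cost):
    """Model 'spanning-tree cost <cost>' on one local port (step 1)."""
    return [replace(c, local_cost=cost) if c.local_port == port else c for c in candidates]


def with_upstream_port_priority(candidates, port, priority):
    """Model 'spanning-tree port-priority <priority>' on the upstream switch's
    port facing our 'port' (step 3): the Port ID we compare is the one the
    upstream switch advertises, so the knob lives on the upstream switch."""
    return [replace(c, upstream_port_priority=priority) if c.local_port == port else c
            for c in candidates]


# Constructed topology: Gi0/1 and Gi0/2 are two links to the same upstream
# switch S2 (S2 is 4 from the root, plus 4 per local gigabit link); Gi0/3 reaches
# the root through S3, which has a better Bridge ID but a 100 Mbit link (cost 19).
SAMPLE = [
    Candidate("Gi0/1", 4, 4, 32768, "0011.2233.4455", 128, 1),
    Candidate("Gi0/2", 4, 4, 32768, "0011.2233.4455", 128, 2),
    Candidate("Gi0/3", 4, 19, 4096, "0000.aaaa.bbbb", 128, 3),
]

if __name__ == "__main__":
    print("default:", elect_root_port(SAMPLE))                                            # Gi0/1
    print("cost 100 on Gi0/1:", elect_root_port(with_local_cost(SAMPLE, "Gi0/1", 100)))   # Gi0/2
    print("S2 port 2 priority 64:",
          elect_root_port(with_upstream_port_priority(SAMPLE, "Gi0/2", 64)))              # Gi0/2
```

With the sample values the two links to S2 tie on cost and on Bridge ID, so the upstream Port ID decides and Gi0/1 wins; raising the local cost of Gi0/1 moves the role to Gi0/2, as does lowering the port priority that S2 advertises on its second link. Gi0/3 only wins once its path cost drops below 8, even though S3 has the better Bridge ID.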
Question 11
For client server failover purposes, the application server team has indicated that they must not have the
standard 30 second delay before their switchport enters a forwarding state. For their disaster recovery
feature to operate successfully, they require the switchport to enter a forwarding state immediately.
Which spanning-tree feature satisfies this requirement?
A. Rapid Spanning-Tree
B. Spanning-Tree Timers
C. Spanning-Tree FastPort
D. Spanning-Tree PortFast
E. Spanning-Tree Fast Forward
Answer: D
Explanation
PortFast is often configured on switch ports that connect to hosts. Interfaces with PortFast enabled go to the
forwarding state immediately without passing through the listening and learning states. Therefore it can save about 30 to 45
seconds of transition through these states. To enable this feature, configure this command under interface mode:
Switch(config-if)#spanning-tree portfast
Question 12
A network engineer is installing a switch for temporary workers to connect to. The
engineer does not want this switch participating in Spanning Tree with the rest of
the network; however, end user connectivity is still required. Which spanning-tree
feature accomplishes this?
A. BPDU ignore
B. BPDU guard
C. BPDU block
D. BPDU disable
E. BPDU filter
Answer: E
Explanation
BPDUFilter is designed to suppress the sending and receiving of BPDUs on an interface. There are two ways of
configuring BPDUFilter: under global configuration mode or under interface mode, but they have a subtle difference.
If BPDUFilter is configured globally via this command:
Switch(config)#spanning-tree portfast bpdufilter default
BPDUFilter will be enabled on all PortFast-enabled interfaces and will suppress the interface from sending or receiving
BPDUs. This is good if that port is connected to a host, because we can enable PortFast on this port to save some
startup time while not allowing BPDUs to be sent out to that host. Hosts do not participate in STP and hence drop the
received BPDUs. As a result, BPDU filtering prevents unnecessary BPDUs from being transmitted to host devices.
If BPDUFilter is configured under interface mode like this:
Switch(config-if)#spanning-tree bpdufilter enable
It will suppress the sending and receiving of BPDUs. This is the same as disabling spanning tree on the interface. This
choice is risky and should only be used when you are sure that the port only connects to host devices.
Question 13
When troubleshooting a network problem, a network analyzer is connected to Port f0/1 of a LAN switch.
Which command can prevent BPDU transmission on this port?
A. spanning-tree portfast bpdufilter default
B. spanning-tree portfast bpduguard enable
C. no spanning-tree link-type shared
D. spanning-tree bpduguard default
Answer: A
Explanation
The spanning-tree portfast bpdufilter default command is configured under global configuration mode. To stop
receiving unwanted BPDUs (for easier troubleshooting), the engineer can issue spanning-tree portfast bpdufilter default
under global configuration mode. This will enable BPDUFilter on all PortFast-enabled interfaces and will suppress the
interface from sending or receiving BPDUs. This is good if that port is connected to a host because we can enable
PortFast on this port to save some start-up time while not allowing BPDUs to be sent out to that host. Hosts do not
participate in STP and hence drop the received BPDUs. As a result, BPDU filtering prevents unnecessary BPDUs from
being transmitted to host devices.

RSTP Questions
Question 1
After the recent upgrade of the switching infrastructure, the network engineer notices that the port roles
that were once blocking are now defined as alternate and backup. What is the reason for this
change?
A. The new switches are using RSTP instead of legacy IEEE 802.1D STP.
B. IEEE 802.1D STP and PortFast have been configured by default on all newly implemented Cisco Catalyst switches.
C. The administrator has defined the switch as the root in the STP domain.
D. The port roles have been adjusted based on the interface bandwidth and timers of the new Cisco Catalyst switches.

Answer: A
Explanation
There are five port roles in RSTP:
* Root port: a forwarding port that is the closest to the root bridge in terms of path cost
* Designated port: a forwarding port for every LAN segment
* Alternate port: the best alternate path to the root bridge. This path is different from the one via the root port. The
alternate port moves to the forwarding state if there is a failure on the designated port for the segment.
* Backup port: a backup/redundant path to a segment where another bridge port already connects. The backup
port applies only when a single switch has two links to the same segment (collision domain). To have two links to the
same collision domain, the switch must be attached to a hub.
* Disabled port: not strictly part of STP; a network administrator can manually disable a port
There is no blocking port role as in STP; the alternate and backup roles exist only in RSTP.

Question 2
What happens on a Cisco switch that runs Cisco IOS when an RSTP-configured switch receives 802.1d
BPDU?
A. 802.1d does not understand RSTP BPDUs because they are different versions, but when a RSTP switch receives an
802.1d BPDU, it responds with an 802.1d BPDU and eventually the two switches run 802.1d to communicate.
B. 802.1d understands RSTP BPDUs because they are the same version, but when a RSTP switch receives a 802.1d
BPDU, it responds with a 802.1d BPDU and eventually the two switches run 802.1d to communicate.
C. 802.1d does not understand RSTP BPDUs because they are different versions, but when a RSTP switch receives a
802.1d BPDU, it does not respond with a 802.1d BPDU.
D. 802.1d understands RSTP BPDUs because they are the same version, but when a RSTP switch receives a 802.1d
BPDU, it does not respond with a 802.1d BPDU and eventually the two switches run 802.1d to communicate.

Answer: A
Explanation
RSTP is backward compatible with STP 802.1D. If an RSTP-enabled port receives a (legacy) 802.1D BPDU, it will
automatically configure itself to behave like a legacy port. It then sends and receives 802.1D BPDUs only.

MST Questions
Question 1
A network engineer is setting up a new switched network. The network is expected to grow and add many
new VLANs in the future. Which Spanning Tree Protocol should be used to reduce switch resources and
managerial burdens that are associated with multiple spanning-tree instances?
A. RSTP
B. PVST
C. MST
D. PVST+
E. RPVST+
Answer: C
Explanation
Instead of using Per-VLAN Spanning Tree (PVST) or Rapid PVST, which run a separate STP instance for each active
VLAN (there would be 20 STP instances for 20 VLANs), Multiple Spanning Tree (MST) maps multiple VLANs into one
spanning-tree instance, thereby reducing the number of spanning-tree instances needed. MST also reduces switch
resources and managerial burdens.

Question 2
When two MST instances (MST 1 and MST 2) are created on a switch, what is the total number of
spanning-tree instances running on the switch?
A. 1
B. 2
C. 3
D. 4
Answer: C
Explanation
Besides the two MST instances 1 and 2, Instance 0 is a special instance for a region, known as the Internal Spanning Tree
(IST). The IST always exists on all ports; you cannot delete the IST. By default, all VLANs are assigned to the IST. All
other MST instances are numbered from 1 to 4094. The IST is the only STP instance that sends and receives BPDUs.
All of the other MSTI information is contained in MST records (M-records), which are encapsulated within MST BPDUs.
Note:
+ The Common Spanning Tree (CST) interconnects the MST regions and any instance of 802.1D and 802.1w STP that
may be running on the network.
+ A Common and Internal Spanning Tree (CIST) is a collection of the ISTs in each MST region.

Question 3
To follow the Layer 2 switching guidelines, a network engineer decides to create a
separate spanning tree for every group of 10 VLANs. Which version of spanning
tree is appropriate to meet the company policy?
A. PVST+
B. STP
C. MST
D. RSTP
E. RPVST+
Answer: C
Explanation
MST lets a group of VLANs (here, every 10 VLANs) be mapped to one spanning-tree instance. Instance 0 is a special instance for a region, known as the Internal Spanning Tree
(IST). The IST always exists on all ports; you cannot delete the IST. By default, all VLANs are assigned to the IST. All
other MST instances are numbered from 1 to 4094. The IST is the only STP instance that sends and receives BPDUs.
All of the other MSTI information is contained in MST records (M-records), which are encapsulated within MST BPDUs.
Note:
+ The Common Spanning Tree (CST) interconnects the MST regions and any instance of 802.1D and 802.1w STP that
may be running on the network.
+ A Common and Internal Spanning Tree (CIST) is a collection of the ISTs in each MST region.

Private VLAN
Quick review:
The main purpose of Private VLAN (PVLAN) is to provide the ability to isolate hosts at Layer 2 instead of Layer 3. As
you know, a VLAN is a broadcast domain; by using PVLAN we are splitting that domain into smaller broadcast
domains. For example, without PVLAN, if a service provider wants to increase security by isolating customers into
separate domains so that they can't access each other, it has to assign them to different VLANs and use
different subnets. This can result in a waste of IP addresses and difficulty in VLAN management. Private VLANs
(PVLANs) solve this problem by allowing the isolation of devices at Layer 2 in the same subnet. A PVLAN can be
thought of as VLANs inside a VLAN.
There are three types of ports in PVLAN:
* Isolated: only communicate with promiscuous ports. Notice that it cannot even communicate with another isolated
port. Also, there can be only 1 isolated VLAN per PVLAN.
* Promiscuous: can communicate with all other ports. The default gateway is usually connected to this port so that
all devices in PVLAN can go outside.
* Community: can communicate with other members of that community and promiscuous ports but cannot
communicate with other communities. There can be multiple community VLANs per PVLAN.

For example, in the topology above:
+ Host A cannot communicate with Hosts B, C, D, E and F. It can only communicate with the promiscuous port to the
router. Notice that even two isolated ports in the same VLAN cannot communicate with each other.
+ Host C can communicate with Host D because they are in the same community, but Host C cannot communicate
with E and F because they are in a different community.
+ All hosts can go outside through the promiscuous port.
Also worth mentioning is the concept of primary VLAN and secondary VLAN. A PVLAN can have only one primary
VLAN; all VLANs in a PVLAN domain share the same primary VLAN. Secondary VLANs are isolated or community
VLANs.

Configuration of PVLAN:
1. Set VTP mode to transparent
2. Create secondary (isolated and community) VLANs and primary VLAN
3. Associate secondary VLANs to the primary VLAN
4. Configure interfaces as promiscuous interfaces
5. Configure interfaces to be isolated or community interfaces.

Sample configuration using the topology above (the prompt shows the mode each command is entered in):
//First set VTP to transparent mode
Switch(config)#vtp mode transparent
//Create secondary VLANs
Switch(config)#vlan 101
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#vlan 102
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#vlan 103
Switch(config-vlan)#private-vlan community
//Create primary VLAN
Switch(config-vlan)#vlan 100
Switch(config-vlan)#private-vlan primary
//Associate secondary (isolated, community) VLANs to the primary VLAN
Switch(config-vlan)#private-vlan association 101,102,103
//Configure the port connected to the router as the promiscuous port, with the primary VLAN mapped to the secondary VLANs
Switch(config)# interface f0/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 101,102,103
//Ports connected to hosts A, B, C, D, E, F are configured in host mode and assigned to the appropriate VLANs (A and B to
isolated VLAN 101; C and D to community VLAN 102; E and F to community VLAN 103):
Switch(config)# interface range f0/2 - 3 //connected to hosts A and B
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 101
Switch(config-if-range)# interface range f0/4 - 5 //connected to hosts C and D
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 102
Switch(config-if-range)# interface range f0/6 - 7 //connected to hosts E and F
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 103
To check the configuration, use this command:
Switch# show vlan private-vlan
Question 1
A network engineer wants to ensure Layer 2 isolation of customer traffic using a private VLAN. Which
configuration must be made before the private VLAN is configured?
A. Disable VTP and manually assign VLANs.
B. Ensure all switches are configured as VTP server mode.
C. Configure VTP Transparent Mode.
D. Enable VTP version 3.
Answer: C
Explanation
Before configuring private VLANs, we must set VTP mode to transparent because VTP version 1 and 2 do not support
private VLAN (VTP version 3 does support PVLAN). Notice that a switch in VTP transparent mode still forwards other
VTP updates to its neighbors.
Question 2
Which private VLAN access port belongs to the primary VLAN and can communicate with all interfaces,
including the community and isolated host ports?
A. promiscuous port
B. isolated port
C. community port
D. trunk port
Answer: A
Explanation
There are three types of ports in PVLAN:
* Isolated: only communicate with promiscuous ports. Notice that it cannot even communicate with another isolated
port. Also, there can be only 1 isolated VLAN per PVLAN.
* Promiscuous: can communicate with all other ports. The default gateway is usually connected to this port so that
all devices in PVLAN can go outside.
* Community: can communicate with other members of that community and promiscuous ports but cannot
communicate with other communities. There can be multiple community VLANs per PVLAN.
Question 3
Which private VLAN can have only one VLAN and be a secondary VLAN that carries unidirectional traffic
upstream from the hosts toward the promiscuous ports and the gateway?
A. isolated VLAN
B. primary VLAN
C. community VLAN
D. promiscuous VLAN

Answer: A
Explanation
The isolated VLAN is a secondary VLAN and it can only communicate with the promiscuous port. Also, there can be only one
isolated VLAN per PVLAN (this isolated VLAN can be assigned to many ports, but those ports cannot
communicate with each other).
Question 4
When you configure private VLANs on a switch, which port type connects the switch to the gateway
router?
A. promiscuous
B. community
C. isolated
D. trunked
Answer: A
Explanation
Promiscuous port: can communicate with all other ports. The default gateway is usually connected to this port so
that all devices in PVLAN can go outside.
Question 5
When you configure a private VLAN, which type of port must you configure the gateway router port as?
A. promiscuous port
B. isolated port
C. community port
D. access port
Answer: A
Explanation
The default gateway is usually connected to promiscuous port so that all devices in PVLAN can go outside.

HSRP & VRRP & GLBP Questions
Question 1
Which configuration command ties the router hot standby priority to the availability of its interfaces?
A. standby group
B. standby priority
C. backup interface
D. standby track
Answer: D
Explanation
The standby track command allows you to specify another interface on the router for the HSRP process to monitor in
order to alter the HSRP priority for a given group. If the line protocol of the specified interface goes down, the HSRP
priority is reduced. This means that another HSRP router with higher priority can become the active router if that
router has standby preempt enabled. An example of using this command is shown below:
interface Ethernet0
ip address 171.16.6.5 255.255.255.0
standby 1 ip 171.16.6.100
standby 1 priority 105
standby 1 preempt
standby 1 track Serial0
Question 2
What is the default HSRP priority?
A. 50
B. 100
C. 120
D. 1024

Answer: B
Question 3
Which command correctly configures standby tracking for group 1 using the default decrement priority
value?
A. standby 1 track 100
B. standby 1 track 100 decrement 1
C. standby 1 track 100 decrement 5
D. standby 1 track 100 decrement 20

Answer: A
Explanation
The default decrement priority value of HSRP is 10, so 1, 5 and 20 are wrong values -> B, C and D are not correct.
In the standby 1 track 100 command, 100 is the tracked object number, not the decrement value. Here we don't
specify a decrement value so the default value will be used -> Answer A is correct. An example of configuring a tracked
object number with HSRP is shown below:
Switch(config)# track 100 interface GigabitEthernet 0/0/0 line-protocol
Switch(config-track)#exit
Switch(config)#interface GigabitEthernet 0/0/0
Switch(config-if)# standby 1 track 100
If you want to specify a decrement value, use the standby 1 track 100 decrement <value> command instead.

Question 4
Which command configures an HSRP group to become a slave of another HSRP group?
A. standby slave
B. standby group track
C. standby follow
D. standby group backup
Answer: C
Explanation
The configuration of many hundreds of subinterfaces on the same physical interface, with each subinterface having its
own HSRP group, can cause the processes of negotiation and maintenance of multiple HSRP groups to have a
detrimental impact on network traffic and CPU utilization.
Only one HSRP group is required on a physical interface for the purposes of electing active and standby devices. This
group is known as the master group. Other HSRP groups may be created on each subinterface and linked to the
master group via the group name. These linked HSRP groups are known as client or slave groups.
The HSRP group state of the client groups follows that of the master group. Client groups do not participate in any
sort of device election mechanism.
Client groups send periodic messages in order to refresh their virtual MAC addresses in switches and learning bridges.
The refresh message may be sent at a much lower frequency compared with the protocol election messages sent by
the master group.
The standby follow command configures an HSRP group to become an IP redundancy client of another HSRP group.
Client or slave groups must be on the same physical interface as the master group.
A client group takes its state from the master group it is following. Therefore, the client group does not use its timer,
priority, or preemption settings. A warning is displayed if these settings are configured on a client group.
The following example shows how to configure HSRP group 2 as a client to the HSRP1 master group:
Router(config-if)# standby 2 follow HSRP1

Question 5
What is the default amount by which the hot standby priority for the router is decremented or
incremented when the interface goes down or comes back up?
A. 1
B. 5
C. 10
D. 15
Answer: C

Question 6
Which First Hop Redundancy Protocol is an IEEE Standard?
A. GLBP
B. HSRP
C. VRRP
D. OSPF
Answer: C
Explanation
Unlike HSRP or GLBP, VRRP is an open standard.
Question 7
Which VRRP router is responsible for forwarding packets that are sent to the IP addresses of the virtual
router?
A. virtual router master
B. virtual router backup
C. virtual router active
D. virtual router standby
Answer: A
Explanation
In VRRP, the active router is referred to as the master virtual router.
Question 8
Refer to the exhibit.
%GLBP-4-DUPADDR:Duplicate address
Which option describes the reason for this message in a GLBP configuration?
A. Unavailable GLBP active forwarder
B. Incorrect GLBP IP address
C. HSRP configured on same interface as GLBP
D. Layer 2 loop
Answer: D
Explanation
The error message indicates a possible Layer 2 loop or STP configuration issue. Notice that the duplicate address
here means the MAC address.
In order to resolve this issue, issue the show interface command to verify the MAC address of the interface. If the
MAC address of the interface is the same as the one reported in the error message, then this router is
receiving its own hello packets. Verify the spanning-tree topology and check whether there is a Layer 2 loop. If the
interface MAC address is different from the one reported in the error message, then some other device with that MAC
address is causing this error message.

Question 9
Which gateway role is responsible for answering ARP requests for the virtual IP address in GLBP?
A. active virtual forwarder
B. active virtual router
C. active virtual gateway
D. designated router

Answer: C
Explanation
The active virtual gateway (AVG) is responsible for answering the ARP Request for the virtual IP address. Load sharing
is achieved by the AVG replying to the ARP requests with different virtual MAC addresses.
Question 10
What is the maximum number of virtual MAC addresses that GLBP allows per group?
A. 2
B. 4
C. 6
D. 8

Answer: B
Explanation
A GLBP group has a maximum of four AVFs (meaning four virtual MAC addresses). If there are more than four
gateways in a GLBP group, the rest become Standby Virtual Forwarders (SVFs), which take the place of an
AVF in case of failure.

HSRP Hotspot

DSW1 (Distribution switch 1) is the primary device for Vlan 101, 102, 105
DSW2 (Distribution switch 2) is the primary device for Vlan 103 and 104
A failure on Gig1/0/1 on the primary device should cause the primary device to release its
status as the primary device, unless GigabitEthernet 1/0/1 on the backup device has also failed.

For your information, the show running-config outputs are posted below for your reference, but notice that in
the exam you have to issue this command to get the output:

DSW1#show running-config
interface Vlan101
ip address 192.168.101.1 255.255.255.0
standby 1 ip 192.168.101.254
standby 1 priority 200
standby 1 track GigabitEthernet1/0/1 55
!
interface Vlan102
ip address 192.168.102.1 255.255.255.0
standby 2 ip 192.168.102.254
standby 2 priority 200
standby 2 preempt
standby 2 track GigabitEthernet1/0/1 5
!
interface Vlan103
ip address 192.168.103.1 255.255.255.0
standby 3 ip 192.168.103.254
standby 3 priority 200
standby 3 preempt
standby 3 track GigabitEthernet1/0/1
!
interface Vlan104
ip address 192.168.104.1 255.255.255.0
standby 4 ip 192.168.104.254
standby 4 priority 150
standby 4 preempt
standby 4 track GigabitEthernet1/0/1 1
!
interface Vlan105
ip address 192.168.105.1 255.255.255.0
standby 5 ip 192.168.105.254
standby 5 priority 150
standby 5 preempt
standby 5 track GigabitEthernet1/0/1 55

DSW2#show running-config
interface Vlan101
ip address 192.168.101.2 255.255.255.0
standby 1 ip 192.168.101.254
standby 1 priority 150
standby 1 preempt
standby 1 track GigabitEthernet1/0/1
!
interface Vlan102
ip address 192.168.102.2 255.255.255.0
standby 2 ip 192.168.102.254
standby 2 priority 190
standby 2 preempt
standby 2 track GigabitEthernet1/0/1
!
interface Vlan103
ip address 192.168.103.2 255.255.255.0
standby 3 ip 192.168.103.254
standby 3 priority 190
standby 3 preempt
standby 3 track GigabitEthernet1/0/1 50
!
interface Vlan104
ip address 192.168.104.2 255.255.255.0
standby 4 ip 192.168.104.254
standby 4 priority 200
standby 4 preempt
standby 4 track GigabitEthernet1/0/1 55
!
interface Vlan105
ip address 192.168.105.2 255.255.255.0
standby 5 ip 192.168.105.254
standby 5 preempt
standby 5 track GigabitEthernet1/0/1

Question 1

During routine maintenance, it became necessary to shut down G1/0/1 on DSW1. All other interfaces were up.
During this time, DSW1 remained the active device for Vlan 102's HSRP group. You have determined that
there is an issue with the decrement value in the track command in Vlan 102's HSRP group. What needs to be
done to make the group function properly?
A. DSW1's decrement value should be configured with a value from 5 to 15
B. DSW1's decrement value should be configured with a value from 9 to 15
C. DSW1's decrement value should be configured with a value from 11 to 18
D. DSW1's decrement value should be configured with a value from 195 to less than 205
E. DSW1's decrement value should be configured with a value from 200 to less than 205
F. DSW1's decrement value should be greater than 190 and less than 200
Answer: C
Explanation

The question clearly states that there was an issue with the decrement value in VLAN 102, so we should check VLAN
102 on both DSW1 and DSW2 first. Click on PC Console1 and PC Console2 to access these switches, then
use the show running-config command on both switches:
DSW1>enable
DSW1#show running-config
DSW2>enable
DSW2#show running-config

As shown in the outputs, DSW1's priority is 200 and is higher than that of DSW2, so DSW1 becomes the active switch
for the group. Notice that interface Gig1/0/1 on DSW1 is being tracked, so when this interface goes down, HSRP
automatically reduces the router's priority by a configurable amount, in this case 5. Therefore the priority of DSW1
goes down from 200 to 195. But this value is still higher than that of DSW2 (190), so DSW1 remains the active switch
for the group. To make DSW2 take over this role, we have to configure DSW1's decrement value with a value equal to
or greater than 11 so that the result is smaller than that of DSW2 (200 - 11 < 190). Therefore C is the correct answer.

Question 2

During routine maintenance, G1/0/1 on DSW1 was shut down. All other interfaces
were up. DSW2 became the active HSRP device for Vlan101 as desired. However,
after G1/0/1 on DSW1 was reactivated, DSW1 did not become the active HSRP
device as desired. What needs to be done to make the group for Vlan101 function
properly?
A. Enable preempt on DSW1's Vlan101 HSRP group
B. Disable preempt on DSW1's Vlan101 HSRP group
C. Decrease DSW1's priority value for the Vlan101 HSRP group to a value that is less than the
priority value configured on DSW2's HSRP group for Vlan101
D. Decrease the decrement in the track command for DSW1's Vlan 101 HSRP group to a
value less than the value in the track command for DSW2's Vlan 101 HSRP group.
Answer: A
Explanation
Continue to check VLAN 101 on both switches.

We learn that DSW1 doesn't have the standby 1 preempt command, so it can't take over the active role again
even if its priority is the highest. So we need to enable this command on VLAN 101 of DSW1.

Question 3

DSW2 has not become the active device for Vlan103's HSRP group even though all
interfaces are active. As related to Vlan103's HSRP group, what can be done to
make the group function properly?
A. On DSW1, disable preempt
B. On DSW1, decrease the priority value to a value less than 190 and greater than 150
C. On DSW2, increase the priority value to a value greater than 200 and less than 250
D. On DSW2, increase the decrement value in the track command to a value greater than 10
and less than 50.
Answer: C
Explanation:

The reason DSW2 has not become the active switch for Vlan103 is that the priority value of DSW1 is higher than
that of DSW2. In order to make DSW2 become the active switch, we need to increase DSW2's priority (to higher than
200) or decrease DSW1's priority (to lower than 190) -> B and C are correct.
But there is another requirement from this question: "A failure on gig1/0/1 on primary device should cause the
primary device to release its status as the primary device, unless GigabitEthernet 1/0/1 on backup device has also
failed." This requirement makes answer B incorrect. For example, suppose we choose to decrease the priority value on DSW1
to 160 (according to answer B); then DSW2 will become the active switch (that is good). When Gi1/0/1 on DSW2 goes
down, the priority of DSW2 will be 190 - 50 = 140 < 160 -> DSW1 will become the new active switch (that is good, too).
But when Gi1/0/1 on DSW1 also goes down, the priority of DSW1 will be 160 - 10 = 150 and it is still greater than
the 140 of DSW2 -> DSW2 cannot retake the active role as the question requires.
Question 4

If G1/0/1 on DSW1 is shut down, what will be the current priority value of Vlan105's group on DSW1?
A. 95
B. 100
C. 150
D. 200
Answer: A
Explanation
Below is the output of VLAN 105:

If G1/0/1 on DSW1 is shut down, its priority will decrease by 55, so its value will be 150 - 55 = 95.
Question 5

What is the configured priority value of Vlan105's group on DSW2?
A. 50
B. 100
C. 150
D. 200
Answer: B
Explanation
Below is the output of VLAN 105 of DSW2:

We don't see a priority configured on DSW2, so it is using the default value (100).
Question 6

During routine maintenance, it became necessary to shut down G1/0/1 on DSW1
and DSW2. All other interfaces were up. During this time, DSW1 became the active
device for Vlan104's HSRP group. As related to Vlan104's HSRP group, what can
be done to make the group function properly?
A. On DSW1, disable preempt
B. On DSW2, decrease the priority value to a value less than 150
C. On DSW1, increase the decrement value in the track command to a value greater than 6
D. On DSW1, disable track command.
Answer: C
Explanation

The question asks us how to keep the active role of DSW2. From the outputs, we learn that if both interfaces
G1/0/1 of DSW1 and DSW2 are shut down, the priority of DSW1 will be 150 - 1 = 149 and that of DSW2 will be 200 -
55 = 145 -> DSW1 will become the active switch.
The main point here is that we have to configure things in such a way that when both interfaces G1/0/1 of DSW1 and
DSW2 are shut down, the priority of DSW2 is still greater than that of DSW1. Therefore the priority value of DSW1
should be smaller than 145, or we have to configure the decrement value of DSW1 to a value greater than 6 (6 =
150 - 144) -> C is the correct answer.
Notice: to keep the active role of DSW2, we could disable preempt on DSW1 (answer A) so that it will not take over
the active role when DSW2 goes down, but that also means VLAN 104 would have no active switch -> VLAN 104 will
fail.
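The hotspot scenarios above (Questions 1, 2 and 6, plus the default values from Questions 2 and 5 of this section), checked mechanically. This is an added example and not part of the page: it parses trimmed copies of the DSW1 and DSW2 show running-config excerpts shown above (the ip address and standby N ip lines are left out, and only Vlan101, Vlan102 and Vlan104 are kept), applies the default priority of 100 and the default track decrement of 10, and models preemption as the page describes it: an incumbent keeps the active role unless a peer with a strictly higher effective priority has standby preempt. Function and constant names are mine.

```python
"""HSRP active-router evaluation from IOS running-config excerpts.

Added example for the HSRP hotspot above (not code from the page). The config
text is trimmed from the DSW1/DSW2 'show running-config' output shown above.
"""
import re
from dataclasses import dataclass, field

HSRP_DEFAULT_PRIORITY = 100   # Question 2 of this section
HSRP_DEFAULT_DECREMENT = 10   # Question 5 of this section


@dataclass
class HsrpGroup:
    group: int
    priority: int = HSRP_DEFAULT_PRIORITY
    preempt: bool = False
    tracks: dict = field(default_factory=dict)   # tracked interface -> decrement

    def effective_priority(self, down_interfaces):
        """Configured priority minus the decrement of each tracked interface that is down."""
        return self.priority - sum(d for i, d in self.tracks.items() if i in down_interfaces)


def parse_hsrp_config(text):
    """Map (SVI name, group number) -> HsrpGroup from a running-config excerpt."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split()[1]
            continue
        m = re.match(r"standby (\d+) (\w+)(.*)", line)
        if not m or current is None:
            continue
        num, keyword, rest = int(m.group(1)), m.group(2), m.group(3).split()
        grp = groups.setdefault((current, num), HsrpGroup(num))
        if keyword == "priority":
            grp.priority = int(rest[0])
        elif keyword == "preempt":
            grp.preempt = True
        elif keyword == "track":   # standby N track <interface> [decrement]
            grp.tracks[rest[0]] = int(rest[1]) if len(rest) > 1 else HSRP_DEFAULT_DECREMENT
    return groups


def effective_priorities(configs, svi, group, down=()):
    """Effective priority per device; 'down' lists (device, interface) pairs that are down."""
    return {dev: cfg[(svi, group)].effective_priority({i for d, i in down if d == dev})
            for dev, cfg in configs.items()}


def elect_active(configs, svi, group, down=(), current_active=None):
    """Device that ends up active: highest effective priority when there is no
    incumbent; otherwise the incumbent keeps the role unless a strictly
    higher-priority peer has preempt (exact ties, which IOS breaks on IP
    address, are not modelled here)."""
    prio = effective_priorities(configs, svi, group, down)
    best = max(prio, key=prio.get)
    if current_active is None or best == current_active:
        return best
    if prio[best] > prio[current_active] and configs[best][(svi, group)].preempt:
        return best
    return current_active


# Trimmed from the page's DSW1/DSW2 running-config output above.
DSW1_CONFIG = """interface Vlan101
 standby 1 priority 200
 standby 1 track GigabitEthernet1/0/1 55
interface Vlan102
 standby 2 priority 200
 standby 2 preempt
 standby 2 track GigabitEthernet1/0/1 5
interface Vlan104
 standby 4 priority 150
 standby 4 preempt
 standby 4 track GigabitEthernet1/0/1 1"""
DSW2_CONFIG = """interface Vlan101
 standby 1 priority 150
 standby 1 preempt
 standby 1 track GigabitEthernet1/0/1
interface Vlan102
 standby 2 priority 190
 standby 2 preempt
 standby 2 track GigabitEthernet1/0/1
interface Vlan104
 standby 4 priority 200
 standby 4 preempt
 standby 4 track GigabitEthernet1/0/1 55"""
CONFIGS = {"DSW1": parse_hsrp_config(DSW1_CONFIG), "DSW2": parse_hsrp_config(DSW2_CONFIG)}
GI = "GigabitEthernet1/0/1"

if __name__ == "__main__":
    print("Q1 Vlan102, DSW1 uplink down:", effective_priorities(CONFIGS, "Vlan102", 2, [("DSW1", GI)]))
    print("Q2 Vlan101 after DSW1 uplink returns:", elect_active(CONFIGS, "Vlan101", 1, (), "DSW2"))
    print("Q6 Vlan104, both uplinks down:", elect_active(CONFIGS, "Vlan104", 4, [("DSW1", GI), ("DSW2", GI)]))
```

Running it reproduces the page's numbers: with DSW1's uplink down, Vlan102 sits at 195 versus 190, so DSW1 stays active until its decrement is raised to at least 11; DSW2 keeps Vlan101 after DSW1's uplink returns because DSW1's group 1 has no preempt; and with both uplinks down, Vlan104 ends at 149 versus 145 in DSW1's favour.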
I gave the exam last week. The answer for Q.3 is C. The option C is changed to "On DSW2, increase the priority value to a value
greater than 200 and less than 250". Please update it. I got full 1000 marks, thanks to certprepare and JackCross.

SPAN Questions
Question 1
Refer to the exhibit.

interface GigabitEthernet0/1
switchport
switchport mode trunk
switchport trunk allowed vlan 1-100
!
interface GigabitEthernet0/48
switchport
switchport mode access
!
monitor session 1 source interface GigabitEthernet0/1
monitor session 1 destination interface GigabitEthernet0/48
How can the traffic that is mirrored out the GigabitEthernet0/48 port be limited to only traffic that is
received or transmitted in VLAN 10 on the GigabitEthernet0/1 port?
A. Change the configuration for GigabitEthernet0/48 so that it is a member of VLAN 10.
B. Add an access list to GigabitEthernet0/48 to filter out traffic that is not in VLAN 10.
C. Apply the monitor session filter globally to allow only traffic from VLAN 10.
D. Change the monitor session source to VLAN 10 instead of the physical interface.
Answer: C
Explanation
We can add the monitor session 1 filter vlan 10 command to limit the monitored traffic to VLAN 10 only.
Question 2
Refer to the exhibit.

A network engineer wants to analyze all incoming and outgoing packets for an interface that is connected
to an access switch. Which three items must be configured to mirror traffic to a packet sniffer that is
connected to the distribution switch? (Choose three)
A. A monitor session on the distribution switch with a physical interface as the source and the remote SPAN VLAN as
the destination
B. A remote SPAN VLAN on the distribution and access layer switch
C. A monitor session on the access switch with a physical interface source and the remote SPAN VLAN as the
destination
D. A monitor session on the distribution switch with a remote SPAN VLAN as the source and physical interface as the
destination
E. A monitor session on the access switch with a remote SPAN VLAN source and the physical interface as the
destination
F. A monitor session on the distribution switch with a physical interface as the source and a physical interface as the
destination
Answer: B C D
Explanation

The network engineer is connecting to the Distribution switch but he wants to monitor an access switch -> remote
SPAN must be used. An example of configuring remote SPAN which uses VLAN 40 is shown below:
Access-Switch(config)# monitor session 1 source interface FastEthernet 0/1
Access-Switch(config)# monitor session 1 destination remote vlan 40
Distribution-Switch(config)# monitor session 2 source remote vlan 40
Distribution-Switch(config)# monitor session 2 destination interface FastEthernet 0/5
Question 3
Interface FastEthernet0/1 is configured as a trunk interface that allows all VLANs. This command is
configured globally:
monitor session 2 filter vlan 1 - 8, 39, 52
What is the result of the implemented command?
A. All VLAN traffic is sent to the SPAN destination interface.
B. Traffic from VLAN 4 is not sent to the SPAN destination interface.
C. Filtering a trunked SPAN port effectively disables SPAN operations for all VLANs.
D. The trunk's native VLAN must be changed to something other than VLAN 1.
E. Traffic from VLANs 1 to 8, 39, and 52 is replicated to the SPAN destination port.
Answer: E
Explanation
This command limits the monitored traffic to VLANs 1 to 8, 39 and 52 only.
Question 4
Refer to the exhibit.

A network engineer investigates a recent network failure and notices that one of the interfaces on the
switch is still down. What is causing the line protocol on this interface to be shown as down?
A. There is a layer 1 physical issue.
B. There is a speed mismatch on the interface.
C. The interface is configured as the target of the SPAN session.
D. The interface is configured as the source of the SPAN session.
E. There is a duplex mismatch on the interface.
Answer: C
Explanation
From the output we see the status of gi0/12 is monitoring. It means this port is currently the destination of a SPAN
session.
Question 5

RSPAN has been configured on a Cisco Catalyst switch; however, traffic is not
being replicated to the remote switch. Which type of misconfiguration is a cause?
A. The local switch is overloaded with the amount of sourced traffic that must be replicated to the remote switch.
B. The RSPAN designated VLAN is missing the remote span command.
C. The local and remote RSPAN switches are configured using different session IDs.
D. The local RSPAN switch is replicating only Rx traffic to the remote switch.
Answer: B
Explanation
This is how to configure Remote SPAN (RSPAN) feature on two switches. Traffic on FastEthernet0/1 of Switch 1 will be
sent to Fa0/10 of Switch2 via VLAN 40.
+ Configure on both switches
Switch1,2(config)#vlan 40
Switch1,2(config-vlan)#remote-span
+ Configure on Switch1
Switch1(config)# monitor session 1 source interface FastEthernet 0/1
Switch1(config)# monitor session 1 destination remote vlan 40
+ Configure on Switch2
Switch2(config)#monitor session 5 source remote vlan 40
Switch2(config)# monitor session 5 destination interface FastEthernet 0/10
So without the remote-span command on both switches, RSPAN cannot work properly.
Question 6

What is the result of the SPAN configuration on a Cisco switch?

A. Configure a SPAN session to monitor the received traffic on interface g0/4 only for VLAN 3
B. Configure a SPAN session to monitor the received traffic on interface g0/5 only for VLAN 3
C. Configure a SPAN session to monitor the received traffic on interface g0/5 for all VLANs
except VLAN 3
D. Configure a SPAN session to monitor the received traffic on interface g0/4 for all VLANs
except VLAN 3
Answer: A
Explanation

The first command points out the source interface and the direction to be monitored, which is Gi0/4 and inbound
traffic (rx) in this case. The second command tells our device to monitor only VLAN 3 running on Gi0/4 (notice that
Gi0/4 is a trunk link). The last command requests monitored traffic to be sent to the destination port Gi0/5.

AAA Questions
Question 1
Which portion of AAA looks at what a user has access to?
A. authorization
B. authentication
C. accounting
D. auditing
Answer: A
Explanation
AAA security provides the following services:
+ Authentication: Identifies users, including login and password dialog, challenge and response, messaging
support, and, depending on the security protocol that you select, encryption.
Authentication is the process of verifying the identity of the person or device accessing the Cisco NX-OS device, which
is based on the user ID and password combination provided by the entity trying to access the Cisco NX-OS device.
Cisco NX-OS devices allow you to perform local authentication (using the local lookup database) or remote
authentication (using one or more RADIUS or TACACS+ servers).
+ Authorization: Provides access control.
AAA authorization is the process of assembling a set of attributes that describe what the user is authorized to
perform. Authorization in the Cisco NX-OS software is provided by attributes that are downloaded from AAA servers.
Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights, with the appropriate user.
+ Accounting: Provides the method for collecting information, logging the information locally, and sending the
information to the AAA server for billing, auditing, and reporting.
In conclusion, authorization specifies which resources the users are allowed to access.
Question 2
Which command creates a login authentication method named login that will primarily use RADIUS and
fail over to the local user database?
A. (config)# aaa authentication login default radius local
B. (config)# aaa authentication login login radius local
C. (config)# aaa authentication login default local radius
D. (config)# aaa authentication login radius local
Answer: B
Explanation
In the aaa authentication login login radius local command, the first login is a keyword that authenticates users
who want EXEC access to the access server (tty, vty, console and aux). The second login is the list name. The radius
local part indicates that RADIUS authentication should be used first; if the RADIUS server does not reply, the
local database is used to authenticate.
Question 3
Which command globally enables AAA on a device?
A. aaa new-model
B. aaa authentication
C. aaa authorization
D. aaa accounting
Answer: A
Question 4
Which AAA Authorization type includes PPP, SLIP, and ARAP connections?
A. network
B. IP mobile
C. EXEC
D. auth-proxy
Answer: A
Explanation
Method lists are specific to the authorization type requested:
+ Auth-proxy: Applies specific security policies on a per-user basis. For detailed information on the authentication
proxy feature, refer to the chapter Configuring Authentication Proxy in the Traffic Filtering and Firewalls part of this
book.
+ Commands: Applies to the EXEC mode commands a user issues. Command authorization attempts authorization
for all EXEC mode commands, including global configuration commands, associated with a specific privilege level.
+ EXEC: Applies to the attributes associated with a user EXEC terminal session.
+ Network: Applies to network connections. This can include a PPP, SLIP, or ARAP connection.
+ Reverse Access: Applies to reverse Telnet sessions.
When you create a named method list, you are defining a particular list of authorization methods for the indicated
authorization type.
Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be
performed. The only exception is the default method list (which is named default). If the aaa authorization
command for a particular authorization type is issued without a named method list specified, the default method list is
automatically applied to all interfaces or lines except those that have a named method list explicitly defined. (A
defined method list overrides the default method list.) If no default method list is defined, local authorization takes
place by default.
Question 5
Which authentication service is needed to configure 802.1x?
A. RADIUS with EAP Extension
B. TACACS+
C. RADIUS with CoA
D. RADIUS using VSA
Answer: A
Explanation
For 802.1x port-based authentication, the Remote Authentication Dial-In User Service (RADIUS) security system with
Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco
Secure Access Control Server version 3.0. RADIUS operates in a client/server model in which secure authentication
information is exchanged between the RADIUS server and one or more RADIUS clients.

Question 6
Refer to the exhibit.

username cisco password cisco
!
aaa new-model
!
radius-server host 10.1.1.50 auth-port 1812 key C1sc0123
aaa authentication login default group radius local line
aaa authentication login NO_AUTH none
!
line vty 0 15
login authentication default
password linepass
line console 0
login authentication NO_AUTH
Which login credentials are required when connecting to the console port in this output?
A. none required
B. username cisco with password cisco
C. no username with password linepass
D. login authentication default

Answer: A
Explanation
The console port is authenticated with NO_AUTH list. But this list does not contain any authentication method (it uses
none) so no authentication is required when connecting to the console port.
Question 7
Refer to the exhibit.

username cisco password cisco
!
aaa new-model
!
radius-server host 10.1.1.50 auth-port 1812 key C1sc0123
aaa authentication login default group radius local line
aaa authentication login NO_AUTH none
!
line vty 0 15
login authentication default
password linepass
line console 0
login authentication NO_AUTH

When a network administrator is attempting an SSH connection to the device, in which order does the
device check the login credentials?
A. RADIUS server, local username, line password
B. RADIUS server, line password, local username
C. Line password, local username, RADIUS server
D. Line password, RADIUS server, local username

Answer: A
Explanation
The VTY line can be accessed via Telnet and SSH by default. It is authenticated by default list which is defined with
the aaa authentication login default group radius local line command. Therefore users who access via Telnet or
SSH are authenticated via RADIUS first, then local database and finally line VTY password.
Note: The group keyword provides a way to group existing server hosts. The feature allows the user to select a
subset of the configured server hosts and use them for a particular service. Therefore we can understand group
radius here means some pre-defined radius servers.
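How the device walks the method lists in the exhibits above (Questions 6 and 7, and the named-list form from Question 2), as an added example in Python rather than IOS; it is not part of the original question bank. The local user cisco/cisco and the line password linepass come from the exhibit; the RADIUS account, the reachability flag and the way each method reports a result are this example's own constructed model.

```python
"""Walk a Cisco-style AAA login method list in order.

Key point the exhibit questions turn on: IOS moves to the next method in a
list only when the previous method returns an ERROR (no answer, e.g. the
RADIUS server is unreachable).  A FAIL (credentials rejected) ends the list.
"""

from enum import Enum


class Verdict(Enum):
    PASS = "pass"    # method answered: credentials accepted
    FAIL = "fail"    # method answered: credentials rejected (list stops here)
    ERROR = "error"  # method could not answer: try the next method


# Constructed device state modelled on the exhibit
STATE = {
    "radius_reachable": True,
    "radius_users": {"netadmin": "R4dius-Secret"},  # constructed RADIUS account
    "local_users": {"cisco": "cisco"},              # 'username cisco password cisco'
    "line_password": "linepass",                    # 'password linepass' under line vty
}


def method_group_radius(user, password, state):
    if not state["radius_reachable"]:
        return Verdict.ERROR  # no reply from any server in the group
    return Verdict.PASS if state["radius_users"].get(user) == password else Verdict.FAIL


def method_local(user, password, state):
    # Assumption of this model: any mismatch is a FAIL, so 'line' is never reached
    # by a bad local login.
    return Verdict.PASS if state["local_users"].get(user) == password else Verdict.FAIL


def method_line(user, password, state):
    return Verdict.PASS if password == state["line_password"] else Verdict.FAIL


def method_none(user, password, state):
    return Verdict.PASS  # 'none': no authentication is performed at all


# 'aaa authentication login <list-name> <method> ...' lines from the exhibit
METHOD_LISTS = {
    "default": [("group radius", method_group_radius),
                ("local", method_local),
                ("line", method_line)],
    "NO_AUTH": [("none", method_none)],
}

# 'login authentication <list-name>' applied under each line in the exhibit
LINE_TO_LIST = {"vty": "default", "console": "NO_AUTH"}


def authenticate(line, user, password, state=STATE):
    """Return (verdict, deciding method, methods tried) for a login on `line`."""
    tried = []
    for name, method in METHOD_LISTS[LINE_TO_LIST[line]]:
        tried.append(name)
        verdict = method(user, password, state)
        if verdict is not Verdict.ERROR:
            return verdict, name, tried
    # Every method errored: the login is denied rather than let through
    return Verdict.FAIL, None, tried


if __name__ == "__main__":
    print(authenticate("console", "", ""))               # NO_AUTH: passes immediately
    print(authenticate("vty", "cisco", "cisco"))         # rejected by RADIUS, local never asked
    down = dict(STATE, radius_reachable=False)
    print(authenticate("vty", "cisco", "cisco", down))   # RADIUS silent -> local accepts
```

The second vty case is the operational caveat: with the server reachable, a valid local account is no fallback, because a RADIUS reject is a FAIL, not an ERROR.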
Question 8
A network engineer configures port security and 802.1x on the same interface. Which option describes
what this configuration allows?
A. It allows port security to secure the MAC address that 802.1x authenticates.
B. It allows port security to secure the IP address that 802.1x authenticates.
C. It allows 802.1x to secure the MAC address that port security authenticates.
D. It allows 802.1x to secure the IP address that port security authenticates.

Answer: A
Explanation
You can configure port security and 802.1X on the same interfaces. Port security secures the MAC addresses that
802.1X authenticates. 802.1X processes packets before port security processes them, so when you enable both on an
interface, 802.1X is already preventing inbound traffic on the interface from unknown MAC addresses.
When you enable 802.1X and port security on the same interface, port security continues to learn MAC addresses by
the sticky or dynamic method, as configured. Additionally, depending on whether you enable 802.1X in single-host
mode or multiple-host mode, one of the following occurs:
+ Single host mode: Port security learns the MAC address of the authenticated host.
+ Multiple host mode: Port security drops any MAC addresses learned for this interface by the dynamic method and
learns the MAC address of the first host authenticated by 802.1X.
If a MAC address that 802.1X passes to port security would violate the applicable maximum number of secure MAC
addresses, the device sends an authentication failure message to the host.
The device treats MAC addresses authenticated by 802.1X as though they were learned by the dynamic method, even
if port security previously learned the address by the sticky or static methods. If you attempt to delete a secure MAC
address that has been authenticated by 802.1X, the address remains secure.
If the MAC address of an authenticated host is secured by the sticky or static method, the device treats the address as
if it were learned by the dynamic method, and you cannot delete the MAC address manually.
Port security integrates with 802.1X to reauthenticate hosts when the authenticated and secure MAC address of the
host reaches its port security age limit.

Port Security
Question 1
Which feature describes MAC addresses that are dynamically learned or manually configured, stored in
the address table, and added to the running configuration?
A. sticky
B. dynamic
C. static
D. secure
Answer: A
Explanation
The sticky keyword in switchport port-security mac-address sticky command converts all the dynamic secure
MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure
MAC addresses and adds to the running configuration.
Question 2
On which interface can port security be configured?
A. static trunk ports
B. destination port for SPAN
C. EtherChannel port group
D. dynamic access point
Answer: A
Explanation
Port security can be enabled on both access and static trunk ports. An example of configuring port security on a static
trunk port is shown below:

Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport port-security
We cannot configure port security on a dynamic interface. For example, we will see an error when trying it:
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport
Switch(config-if)# switchport mode dynamic desirable
Switch(config-if)# switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.
Question 3
After port security is deployed throughout an enterprise campus, the network team has been
overwhelmed with port reset requests. They decide to configure the network to automate the process of
re-enabling user ports. Which command accomplishes this task?

A. switch(config)# errdisable recovery interval 180
B. switch(config)# errdisable recovery cause psecure-violation
C. switch(config)# switchport port-security protect
D. switch(config)# switchport port-security aging type inactivity
E. switch(config)# errdisable recovery cause security-violation

Answer: B
Explanation
When a port security violation is detected, the switch automatically places the port in the err-disabled shutdown
state. The errdisable recovery cause psecure-violation command brings a secure port out of error-disabled state.
Note: There is a similar command: errdisable recovery cause security-violation but it recovers a port from 802.1x
violation disable state.

Question 4
Which option is a possible cause for an errdisabled interface?
A. routing loop
B. cable unplugged
C. STP loop guard
D. security violation
Answer: D
Explanation
When a port security violation is detected, the switch automatically places the port in the err-disabled shutdown
state.

Question 5
What is the default value for the errdisable recovery interval in a Cisco switch?
A. 30 seconds
B. 100 seconds
C. 300 seconds
D. 600 seconds

Answer: C
Explanation
If any one of the errdisable recovery conditions is enabled, the ports with this condition are reenabled after 300
seconds. You can also change this default of 300 seconds if you issue this command:
Switch(config)#errdisable recovery interval timer_interval_in_seconds

DHCP Snooping
Quick review of DHCP Spoofing:

DHCP spoofing is a type of attack in which the attacker listens for DHCP Requests from clients and answers them with
a fake DHCP Response before the authorized DHCP Response reaches the clients. The fake DHCP Response often gives
its own IP address as the client's default gateway -> all the traffic sent from the client will go through the attacker's computer,
and the attacker becomes a man-in-the-middle.
The attacker has some ways to make sure the fake DHCP Response arrives first. In fact, if the attacker is closer
than the DHCP Server then he doesn't need to do anything. Or he can DoS the DHCP Server so that it can't send the
DHCP Response.
DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature that determines which
switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.

Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of DHCP messages.
All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP response is seen on an
untrusted port, the port is shut down.
Question 1
A Cisco Catalyst switch that is prone to reboots continues to rebuild the DHCP snooping database. What is
the solution to avoid the snooping database from being rebuilt after every device reboot?
A. A DHCP snooping database agent should be configured.
B. Enable DHCP snooping for all VLANs that are associated with the switch.
C. Disable Option 82 for DHCP data insertion.
D. Use IP Source Guard to protect the DHCP binding table entries from being lost upon rebooting.
E. Apply ip dhcp snooping trust on all interfaces with dynamic addresses.
Answer: A

Explanation
To retain the bindings across switch reloads, you must use the DHCP snooping database agent. Without this agent, the
bindings established by DHCP snooping are lost upon switch reload. Connectivity is lost as well.

Question 2
A server with a statically assigned IP address is attached to a switch that is provisioned for DHCP
snooping. For more protection against malicious attacks, the network team is considering enabling
dynamic ARP inspection alongside DHCP snooping. Which solution ensures that the server maintains
network reachability in the future?
A. Disable DHCP snooping information option.
B. Configure a static DHCP snooping binding entry on the switch.
C. Trust the interface that is connected to the server with the ip dhcp snooping trust command.
D. Verify the source MAC address of all untrusted interfaces with ip dhcp snooping verify mac-address command.
Answer: B
Explanation
Static DHCP snooping binding defines a mapping between a fixed IP address and the client's MAC address. Each entry
in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time,
the binding type, and the VLAN number and interface information associated with the host. This is how to configure a
static DHCP snooping binding entry:

Switch#ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface expiry seconds

Question 3
DHCP snooping and IP Source Guard have been configured on a switch that connects to several client
workstations. The IP address of one of the workstations does not match any entries found in the DHCP
binding database. Which statement describes the outcome of this scenario?
A. Packets from the workstation will be rate limited according to the default values set on the switch.
B. The interface that is connected to the workstation in question will be put into the errdisabled state.
C. Traffic will pass accordingly after the new IP address is populated into the binding database.
D. The packets originating from the workstation are assumed to be spoofed and will be discarded.
Answer: D
Explanation
IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating
a legitimate host by assuming the legitimate host's IP address. The feature uses dynamic DHCP snooping and static IP
source binding to match IP addresses to hosts on untrusted Layer 2 access ports.
Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address
from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source
address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host's ability to attack
the network by claiming a neighbor host's IP address.
Therefore if the switch receives a packet that does not match any entries found in the DHCP binding database, that
packet is assumed to be spoofed and will be discarded.

Question 4
A DHCP configured router is connected directly to a switch that has been provisioned with DHCP snooping.
IP Source Guard with the ip verify source port-security command is configured under the interfaces that
connect to all DHCP clients on the switch. However, clients are not receiving an IP address via the DHCP
server.
Which option is the cause of this issue?
A. The DHCP server does not support information option 82.
B. The DHCP client interfaces have storm control configured.
C. Static DHCP bindings are not configured on the switch.
D. DHCP snooping must be enabled on all VLANs, even if they are not utilized for dynamic address allocation.

Answer: A
Explanation
The command ip verify source port-security enables IP source guard with source IP and MAC address filtering. When
using this command, there are two caveats:
+ The DHCP server must support option 82, or the client is not assigned an IP address.
+ The MAC address in the DHCP packet is not learned as a secure address. The MAC address of the DHCP client is
learned as a secure address only when the switch receives non-DHCP data traffic.
Question 5
A switch is added into the production network to increase port capacity. A network engineer is
configuring the switch for DHCP snooping and IP Source Guard, but is unable to configure ip verify
source under several of the interfaces. Which option is the cause of the problem?
A. The local DHCP server is disabled prior to enabling IP Source Guard.
B. The interfaces are configured as Layer 3 using the no switchport command.
C. No VLANs exist on the switch and/or the switch is configured in VTP transparent mode.
D. The switch is configured for sdm prefer routing as the switched database management template.
E. The configured SVIs on the switch have been removed for the associated interfaces.
Answer: B
Explanation
The following restrictions apply to IP source guard:
+ Supported only on ingress Layer 2 ports (including access and trunk ports)
+ Supported only in hardware; not applied to any traffic that is processed in software.
+ Does not support filtering of traffic based on MAC address.
+ Is not supported on private VLANs.
Question 6
Which type of information does the DHCP snooping binding database contain?
A. untrusted hosts with leased IP addresses
B. trusted hosts with leased IP addresses
C. untrusted hosts with available IP addresses
D. trusted hosts with available IP addresses

Answer: A

Explanation
The DHCP snooping binding database contains information about untrusted hosts with leased IP addresses. Each entry
in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time,
the binding type, the VLAN number and interface information associated with the host.

Question 7
Which command is needed to enable DHCP snooping if a switchport is connected to a DHCP server?
A. ip dhcp snooping trust
B. ip dhcp snooping
C. ip dhcp trust
D. ip dhcp snooping information
Answer: A
Explanation
The port connected to a DHCP server should be configured as trusted port with the ip dhcp snooping trust command.
Other ports connecting to hosts are untrusted ports by default.

Question 8
Which database is used to determine the validity of an ARP packet based on a valid IP-to-MAC address
binding?
A. DHCP snooping database
B. dynamic ARP database
C. dynamic routing database
D. static ARP database
Answer: A
Explanation
DHCP snooping database contains MAC address-to-IP address bindings which Dynamic ARP Inspection (DAI) uses to
determine the validity of an ARP packet.

Question 9
When IP Source Guard with source IP filtering is enabled on an interface, which feature must be enabled
on the access VLAN for that interface?
A. DHCP snooping
B. storm control
C. spanning-tree portfast
D. private VLAN
Answer: A

Explanation
When IP Source Guard with source IP filtering is enabled on an untrusted interface, DHCP snooping must be enabled
because it filters traffic based on IP information stored in the corresponding DHCP binding table entry.

Question 10
Which switch feature determines validity based on IP-to-MAC address bindings that are stored in a
trusted database?
A. Dynamic ARP Inspection
B. storm control
C. VTP pruning
D. DHCP snooping
Answer: A
Explanation
The function of DAI is:
+ Intercepts all ARP requests and responses on untrusted ports
+ Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP
cache or before forwarding the packet to the appropriate destination
+ Drops invalid ARP packets
On untrusted ports, the switch captures all ARP packets (both request and reply) and then validates the Source
Protocol and Source Hardware address values against the snooping table database for that port.
If the MAC address and IP address and the corresponding port do not match the snooping database entry, the ARP
packets are dropped. DAI thus prevents the node from specifying a non-legitimate IP-MAC address binding which
differs from what was given by the DHCP server.
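The DHCP Spoofing review and Questions 2, 3, 8 and 10 above all revolve around one binding database that DHCP snooping builds and that IP Source Guard and DAI then consult. The following is an added Python model of that flow (not Catalyst code, and not from the original question bank); the port names, MAC addresses and IP addresses are constructed sample values, and treating DAI's trusted ports as the same set as DHCP snooping's is a simplification of this model.

```python
"""Constructed model of DHCP snooping, IP Source Guard and Dynamic ARP
Inspection sharing one binding table.  All ports, MACs and IPs below are
constructed sample values."""

from dataclasses import dataclass, field

# Message types only a DHCP server sends: one of these arriving on an
# untrusted port is the signature of a rogue server.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class SnoopingSwitch:
    verify_mac: bool = True                      # 'ip dhcp snooping verify mac-address'
    trusted: set = field(default_factory=set)    # ports with 'ip dhcp snooping trust'
    bindings: set = field(default_factory=set)   # the DHCP snooping binding database
    pending: dict = field(default_factory=dict)  # client MAC -> (port, vlan) awaiting ACK
    log: list = field(default_factory=list)      # what a defender would see in syslog

    def add_static_binding(self, mac, ip, vlan, port):
        """Counterpart of 'ip dhcp snooping binding <mac> vlan <id> <ip> interface <if>'
        for a host with a statically assigned address (Question 2)."""
        self.bindings.add(Binding(mac, ip, vlan, port))

    def dhcp(self, port, vlan, msg, src_mac, chaddr, yiaddr=None):
        """DHCP snooping decision for one DHCP packet: 'forward' or 'drop'."""
        if msg in SERVER_MSGS and port not in self.trusted:
            self.log.append(f"{port}: {msg} from untrusted port dropped")
            return "drop"
        if msg in CLIENT_MSGS and port not in self.trusted:
            # Optional check: frame source MAC must equal the DHCP client hardware address
            if self.verify_mac and src_mac != chaddr:
                self.log.append(f"{port}: chaddr {chaddr} != source MAC {src_mac}, dropped")
                return "drop"
            self.pending[chaddr] = (port, vlan)
        if msg == "ACK" and chaddr in self.pending:
            # The lease is confirmed: record the client's MAC, leased IP, VLAN and port
            client_port, client_vlan = self.pending.pop(chaddr)
            self.bindings.add(Binding(chaddr, yiaddr, client_vlan, client_port))
        return "forward"

    def _bound(self, port, ip, mac):
        return any(b.port == port and b.ip == ip and b.mac == mac for b in self.bindings)

    def ip_source_guard(self, port, src_ip, src_mac):
        """'ip verify source port-security': non-DHCP IP traffic is permitted only
        when the source IP and MAC match a binding on this port (Question 3)."""
        return "permit" if self._bound(port, src_ip, src_mac) else "deny"

    def dai(self, port, sender_ip, sender_mac):
        """Dynamic ARP Inspection: ARP on trusted ports passes; on untrusted ports
        the sender IP/MAC pair must match a binding (Questions 8 and 10)."""
        if port in self.trusted:
            return "permit"
        return "permit" if self._bound(port, sender_ip, sender_mac) else "drop"


if __name__ == "__main__":
    sw = SnoopingSwitch()
    sw.trusted.add("Gi1/0/24")  # uplink to the real DHCP server
    sw.dhcp("Gi1/0/1", 10, "DISCOVER", "00:11:22:33:44:01", "00:11:22:33:44:01")
    sw.dhcp("Gi1/0/24", 10, "ACK", "00:11:22:33:44:fe", "00:11:22:33:44:01", "10.0.10.50")
    print(sw.bindings)
    print(sw.ip_source_guard("Gi1/0/1", "10.0.10.1", "00:11:22:33:44:01"))  # deny
```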

UDLD Questions
Question 1
Which statement about the UDLD protocol is true?
A. UDLD is a Cisco-proprietary Layer 2 protocol that enables devices to monitor the physical status of links and detect
unidirectional failures.
B. UDLD is a Cisco-proprietary Layer 2 protocol that enables devices to advertise their identity, capabilities, and
neighbors on a local area network.
C. UDLD is a standardized Layer 2 protocol that enables devices to monitor the physical status of links and detect
unidirectional failures.
D. UDLD is a standardized Layer 2 protocol that enables devices to advertise their identity, capabilities, and neighbors
on a local area network.
Answer: A
Explanation
UDLD is a Layer 2 protocol that enables devices connected through fiber-optic or twisted-pair Ethernet cables to
monitor the physical configuration of the cables and detect when a unidirectional link exists. All connected devices
must support UDLD for the protocol to successfully identify and disable unidirectional links. When UDLD detects a
unidirectional link, it administratively shuts down the affected port and alerts you. Unidirectional links can cause a
variety of problems, including spanning-tree topology loops.
Question 2
Which option lists the modes that are available for configuring UDLD on a Cisco switch?
A. normal and aggressive
B. active and aggressive
C. normal and active
D. normal and passive
E. normal and standby
Answer: A
Explanation
A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from the
neighbor is not received by the local device.
UDLD supports two modes of operation: normal (the default) and aggressive. In normal mode, UDLD can detect
unidirectional links due to misconnected interfaces on fiber-optic connections. In aggressive mode, UDLD can also
detect unidirectional links due to one-way traffic on fiber-optic and twisted-pair links and to misconnected interfaces
on fiber-optic links.
Question 3
While working in the core network building, a technician accidentally bumps the fiber connection between
two core switches and damages one of the pairs of fiber. As designed, the link was placed into a non-forwarding state due to a fault with UDLD. After the damaged cable was replaced, the link did not recover.
What solution allows the network switch to automatically recover from such an issue?
A. macros
B. errdisable autorecovery
C. IP Event Dampening

D. command aliases
E. Bidirectional Forwarding Detection
Answer: B
Explanation
When a unidirectional link occurs, UDLD can put that port into the errdisable state (the same as shutdown). The administrator
must manually shut/no shut to bring that interface up. If we want the interface to recover automatically, configure
errdisable autorecovery. For example:
errdisable recovery cause udld
errdisable recovery interval 30
By doing so, the port will be placed back in the up state (no err-disabled state) after 30 seconds; if the port still has a
violation it will be placed in the err-disabled state again, otherwise it will remain in the up state.
Question 4
After UDLD is implemented, a Network Administrator noticed that one port stops receiving UDLD packets.
This port continues to reestablish until after eight failed retries. The port then transitions into the
errdisable state. Which option describes what causes the port to go into the errdisable state?
A. Normal UDLD operations that prevent traffic loops.
B. UDLD port is configured in aggressive mode.
C. UDLD is enabled globally.
D. UDLD timers are inconsistent.
Answer: B
Explanation
UDLD aggressive mode is disabled by default. Configure UDLD aggressive mode only on point-to-point links between
network devices that support UDLD aggressive mode. With UDLD aggressive mode enabled, when a port on a
bidirectional link that has a UDLD neighbor relationship established stops receiving UDLD packets, UDLD tries to
reestablish the connection with the neighbor. After eight failed retries, the port is disabled.
Question 5
After reviewing UDLD status on switch ports, an engineer notices that the switch LEDs are green. Which
statement describes what this indicates about the status of the port?
A. The port is fully operational and no known issues are detected.
B. The bidirectional status of unknown indicates that the port will go into the disabled state because it stopped
receiving UDLD packets from its neighbor.
C. UDLD moved into aggressive mode after inconsistent acknowledgements were detected.
D. The UDLD port is placed in the unknown state for 5 seconds until the next UDLD packet is received on the
interface.

Answer: A

SDM Questions
Question 1
Which statement about the use of SDM templates in a Cisco switch is true?
A. SDM templates are used to configure system resources in the switch to optimize support for specific features,
depending on how the switch is used in the network.
B. SDM templates are used to create Layer 3 interfaces (switch virtual interfaces) to permit hosts in one VLAN to
communicate with hosts in another VLAN.
C. SDM templates are used to configure ACLs that protect networks and specific hosts from unnecessary or unwanted
traffic.
D. SDM templates are used to configure a set of ACLs that allows the users to manage the flow of traffic handled by
the route processor.
E. SDM templates are configured by accessing the switch using the web interface.
Answer: A
Explanation
SDM templates are used to configure system resources in the switch to optimize support for specific features,
depending on how the switch is used in the network. You can select a template to provide maximum system usage for
some functions or use the default template to balance resources.
To allocate ternary content addressable memory (TCAM) resources for different usages, the switch SDM templates
prioritize system resources to optimize support for certain features. You can select SDM templates to optimize these
features:
+ Access: the access template maximizes system resources for access control lists (ACLs) to accommodate a large
number of ACLs.
+ Default: the default template balances all functions.
+ Routing: the routing template maximizes system resources for IPv4 unicast routing, typically required for a router
or aggregator in the center of a network.
+ VLANs: the VLAN template disables routing and supports the maximum number of unicast MAC addresses. It
would typically be selected for a Layer 2 switch.
In addition, the dual IPv4 and IPv6 templates enable a dual stack environment.
Question 2
Which SDM template disables routing and supports the maximum number of unicast MAC addresses?
A. VLAN
B. access
C. default
D. routing
Answer: A
Explanation
The VLAN template disables routing and supports the maximum number of unicast MAC addresses. It would typically
be selected for a Layer 2 switch.

Question 3
Which SDM template is the most appropriate for a Layer 2 switch that provides connectivity to a large
number of clients?
A. VLAN
B. default
C. access
D. routing

Answer: A
Explanation
The VLAN template disables routing and supports the maximum number of unicast MAC addresses. It would typically
be selected for a Layer 2 switch.

Question 4
A network engineer deployed a switch that operates the LAN base feature set and decides to use the SDM
VLAN template. The SDM template is causing the CPU of the switch to spike during peak working hours.
What is the root cause of this issue?
A. The VLAN receives additional frames from neighboring switches.
B. The SDM VLAN template causes the MAC address-table to overflow.
C. The VLAN template disables routing in hardware.
D. The switch needs to be rebooted before the SDM template takes effect.

Answer: C
Explanation
The VLAN template disables routing and supports the maximum number of unicast MAC addresses. It would typically
be selected for a Layer 2 switch.
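As an added example covering Questions 1 to 4 of this section (not the question bank's own text), the commands below inspect, change and verify the SDM template on a Catalyst switch. The template names `vlan`, `default` and `routing` are the ones described above; the exact `show sdm prefer` output and the set of templates offered vary by platform:

```cisco
! Added example, not from the question bank. Template names other than
! vlan/default/routing are platform dependent; output format varies by model.
!
! 1. See which template is in use and how TCAM is carved up
show sdm prefer
!
! 2. A pure Layer 2 access switch: maximise unicast MAC entries, no hardware routing
configure terminal
 sdm prefer vlan
 end
!
!    A switch that must route between VLANs in hardware should NOT use the
!    vlan template; choose a balanced or routing-heavy allocation instead:
!    sdm prefer default
!    sdm prefer routing
!
! 3. The new template is only applied at the next boot
copy running-config startup-config
reload
!
! 4. After the reload, confirm the template actually changed
show sdm prefer
```

The last step matters for the distractor in Question 4: a switch keeps using the old template until it reloads, so a template change that appears to have no effect has usually not been followed by a reload. Conversely, once the `vlan` template is active, any inter-VLAN routing the switch is asked to do can no longer be done in hardware, which is the CPU load the question points at.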

StackWise Questions
Question 1
What is the maximum number of switches that can be stacked using Cisco StackWise?
A. 4
B. 5
C. 8
D. 9
E. 10
F. 13

Answer: D
Explanation
The switches are united into a single logical unit using special stack interconnect cables that create a bidirectional
closed-loop path. This bidirectional path acts as a switch fabric for all the connected switches. Network topology and
routing information are updated continuously through the stack interconnect. All stack members have full access to the
stack interconnect bandwidth. The stack is managed as a single unit by a master switch, which is elected from among
the stack member switches.
Each switch in the stack can act as the master or as a subordinate (member) in the hierarchy. The master switch is
elected and serves as the control center for the stack. Both the master and the member switches act as forwarding
processors. Each switch is assigned a number. Up to nine separate switches can be joined together.
The stack can have switches added and removed without affecting stack performance.

Question 2
A network engineer wants to add a new switch to an existing switch stack. Which configuration must be
added to the new switch before it can be added to the switch stack?
A. No configuration must be added.
B. stack ID
C. IP address
D. VLAN information
E. VTP information
Answer: A
Explanation
When a new switch is added to an existing switch stack, a master election takes place automatically; nothing has to
be configured on the newly added switch. If you want the newly added switch to become the master, give it the highest
priority with this command and then reload it:

switch(config)# switch 1 priority 15


Note: Power off the switch before connecting the StackWise cables, and power it on only after all StackWise cables
are connected.

Question 3
What percentage of bandwidth is reduced when a stack cable is broken?
A. 0
B. 25
C. 50
D. 75
E. 100

Answer: C

Explanation
The picture below shows how StackWise cables are connected between switches:

When the StackWise cables are fully connected (as shown above), the stack ring speed is 32 Gbps full-duplex. To
load-balance traffic efficiently, the StackWise cables operate bidirectionally as two 16 Gbps counter-rotating rings:
packets are distributed between two logical counter-rotating paths, each of which carries 16 Gbps in both directions,
for a total of 32 Gbps bidirectionally.
A break in any one of the cables reduces the stack bandwidth to half (16 Gbps) of its full capacity.

Miscellaneous Questions
Question 1
What is the function of NSF?
A. forward traffic simultaneously using both supervisors
B. forward traffic based on Cisco Express Forwarding
C. provide automatic failover to back up supervisor in VSS mode
D. provide nonstop forwarding in the event of failure of one of the member supervisors
Answer: D
Explanation
Nonstop Forwarding (NSF) works with Stateful switchover (SSO) to minimize the amount of time a network is
unavailable to its users following a switchover. The main objective of Cisco NSF is to continue forwarding IP packets
following a route processor (RP) switchover.
Usually, when a networking device restarts, all routing peers of that device detect that the device went down and then
came back up. This transition results in what is called a routing flap, which could spread across multiple routing
domains. Routing flaps caused by routing restarts create routing instabilities, which are detrimental to the overall
network performance. Cisco NSF helps to suppress routing flaps in SSO-enabled devices, thus reducing network
instability.
Cisco NSF allows for the forwarding of data packets to continue along known routes while the routing protocol
information is being restored following a switchover. With Cisco NSF, peer networking devices do not experience
routing flaps. Data traffic is forwarded through intelligent line cards while the standby RP assumes control from the
failed active RP during a switchover. The ability of line cards to remain up through a switchover and to be kept current
with the Forwarding Information Base (FIB) on the active RP is key to Cisco NSF operation.

Question 2
Which statement describes what happens if all VSL connections between the virtual switch members are
lost?
A. Both virtual switch members cease to forward traffic.
B. The VSS transitions to the dual active recovery mode, and both virtual switch members continue to forward traffic
independently.
C. The virtual switch members reload.
D. The VSS transitions to the dual active recovery mode, and only the new active virtual switch continues to forward
traffic.

Answer: D
Explanation
VSLs can be configured with up to eight links between the two switches across any combination of line cards or
supervisor ports to provide a high level of redundancy. If for some rare reason all Virtual Switching Link (VSL)
connections are lost between the virtual switch members leaving both the virtual switch members up, the VSS will
transition to the dual active recovery mode.
In the dual active recovery mode, all interfaces except the VSL interfaces are in an operationally shut down state in
the formerly active virtual switch member. The new active virtual switch continues to forward traffic on all links.

Question 3
Which statement describes what happens when a switch enters dual active recovery mode?
A. The switch shuts down and waits for the VSL link to be restored before sending traffic.
B. All interfaces are shut down in the formerly active virtual switch member, but the new active virtual switch forwards
traffic on all links.
C. The switch continues to forward traffic out all links and enables spanning tree on VSL link and all other links to
prevent loops.
D. The VSS detects which system was last in active state and shuts down the other switch.

Answer: B
Explanation
If for some rare reason all Virtual Switching Link (VSL) connections are lost between the virtual switch members
leaving both the virtual switch members up, the VSS will transition to the dual active recovery mode.
In the dual active recovery mode, all interfaces except the VSL interfaces are in an operationally shut down state in
the formerly active virtual switch member. The new active virtual switch continues to forward traffic on all links.

Question 4
Which option is a benefit of using VSS?
A. reduces cost
B. simplifies configuration
C. provides two independent supervisors with two different control planes
D. removes the need for a First Hop Redundancy Protocol

Answer: D
Explanation
VSS increases operational efficiency by simplifying the network, reducing switch management overhead by at least 50
percent. This includes removing the need for Hot Standby Router Protocol (HSRP), Virtual Router Redundancy Protocol
(VRRP), and Gateway Load Balancing Protocol (GLBP) -> D is correct.
