1. Which of the following statements is not true with regard to layer 2 switching?
A. Layer 2 switches and bridges are faster than routers because they don’t take up time looking at the Data Link layer header information.
B. Layer 2 switches and bridges look at the frame’s hardware addresses before deciding to either forward, flood, or drop the frame.
C. Switches create private, dedicated collision domains and provide independent bandwidth on each port.
D. Switches use application-specific integrated circuits (ASICs) to build and maintain their MAC filter tables.
2. List the two commands that generated the last entry in the MAC address table shown.
Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
All     0100.0ccc.cccc    STATIC      CPU
[output cut]
1       000e.83b2.e34b    DYNAMIC     Fa0/1
1       0011.1191.556f    DYNAMIC     Fa0/1
1       0011.3206.25cb    DYNAMIC     Fa0/1
1       001a.4d55.2f7e    DYNAMIC     Fa0/1
1       001b.d40a.0538    DYNAMIC     Fa0/1
1       001c.575e.c891    DYNAMIC     Fa0/1
1       aaaa.bbbb.0ccc    STATIC      Fa0/7
3. In the diagram shown, what will the switch do if a frame with a destination MAC address of 000a.f467.63b1 is received on Fa0/4? (Choose all that apply.)
A. Drop the frame.
B. Send the frame out of Fa0/3.
C. Send the frame out of Fa0/4.
D. Send the frame out of Fa0/5.
E. Send the frame out of Fa0/6.
4. Write the command that generated the following output.
Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
All     0100.0ccc.cccc    STATIC      CPU
[output cut]
1       000e.83b2.e34b    DYNAMIC     Fa0/1
1       0011.1191.556f    DYNAMIC     Fa0/1
1       0011.3206.25cb    DYNAMIC     Fa0/1
1       001a.2f55.c9e8    DYNAMIC     Fa0/1
1       001a.4d55.2f7e    DYNAMIC     Fa0/1
1       001c.575e.c891    DYNAMIC     Fa0/1
1       b414.89d9.1886    DYNAMIC     Fa0/5
1       b414.89d9.1887    DYNAMIC     Fa0/6
5. In the work area in the following graphic, draw the functions of a switch from the list on the left to the right.
6. What statement(s) is/are true about the output shown here? (Choose all that apply.)
S3#sh port-security int f0/3
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0013:0ca69:00bb3:00ba8:1
Security Violation Count   : 1
A. The port light for F0/3 will be amber in color.
B. The F0/3 port is forwarding frames.
C. This problem will resolve itself in a few minutes.
D. This port requires the shutdown command to function.
7. Write the command that would limit the number of MAC addresses allowed on a port to 2. Write only the command and not the prompt.
8. Which of the following commands in this configuration is a prerequisite for the other commands to function?
S3#config t
S3(config)#int fa0/3
S3(config-if)#switchport port-security
S3(config-if)#switchport port-security maximum 3
S3(config-if)#switchport port-security violation restrict
S3(config-if)#switchport mode-security aging time 10
A. switchport mode-security aging time 10
B. switchport port-security
C. switchport port-security maximum 3
D. switchport port-security violation restrict
9. Which of the following is not an issue addressed by STP?
A. Broadcast storms
B. Gateway redundancy
C. A device receiving multiple copies of the same frame
D. Constant updating of the MAC filter table
10. What issue that arises when redundancy exists between switches is shown in the figure?
A. Broadcast storm
B. Routing loop
C. Port violation
D. Loss of gateway
11. Which two of the following switch port violation modes will alert you via SNMP that a violation has occurred on a port?
A. restrict
B. protect
C. shutdown
D. err-disable
12. ___________ is the loop avoidance mechanism used by switches.
13. Write the command that must be present on any switch that you need to manage from a different subnet.
14. On which default interface have you configured an IP address for a switch?
A. int fa0/0
B. int vty 0 15
C. int vlan 1
D. int s/0/0
15. Which Cisco IOS command is used to verify the port security configuration of a switch port?
A. show interfaces port-security
B. show port-security interface
C. show ip interface
D. show interfaces switchport
16. Write the command that will save a dynamically learned MAC address in the running-configuration of a Cisco switch.
17. Which of the following methods will ensure that only one specific host can connect to port F0/3 on a switch? (Choose two. Each correct answer is a separate solution.)
A. Configure port security on F0/3 to accept traffic other than that of the MAC address of the host.
B. Configure the MAC address of the host as a static entry associated with port F0/3.
C. Configure an inbound access control list on port F0/3 limiting traffic to the IP address of the host.
D. Configure port security on F0/3 to accept traffic only from the MAC address of the host.
18. What will be the effect of executing the following command on port F0/1?
switch(config-if)# switchport port-security mac-address 00C0.35F0.8301
A. The command configures an inbound access control list on port F0/1, limiting traffic to the IP address of the host.
B. The command expressly prohibits the MAC address of 00c0.35F0.8301 as an allowed host on the switch port.
C. The command encrypts all traffic on the port from the MAC address of 00c0.35F0.8301.
D. The command statically defines the MAC address of 00c0.35F0.8301 as an allowed host on the switch port.
19. The conference room has a switch port available for use by the presenter during classes, and each presenter uses the same PC attached to the port. You would like to prevent other PCs from using that port. You have completely removed the former configuration in order to start anew. Which of the following steps is not required to prevent any other PCs from using that port?
A. Enable port security.
B. Assign the MAC address of the PC to the port.
C. Make the port an access port.
D. Make the port a trunk port.
20. Write the command required to disable the port if a security violation occurs. Write only the command and not the prompt.
Answers to Review Questions
1. A. Layer 2 switches and bridges are faster than routers because they don’t take up time looking at the Network Layer header information. They do make use of the Data Link layer information.
2. mac address-table static aaaa.bbbb.cccc vlan 1 int fa0/7
You can set a static MAC address in the MAC address table, and when done, it will appear as a static entry in the table.
3. B, D, E. Since the MAC address is not present in the table, it will send the frame out of all ports in the same VLAN with the exception of the port on which it was received.
4. show mac address-table
This command displays the forward filter table, also called a Content Addressable Memory (CAM) table.
5. The three functions are address learning, forward/filter decisions, and loop avoidance.
6. A, D. In the output shown, you can see that the port is in Secure-shutdown mode and the light for the port would be amber. To enable the port again, you’d need to do the following:
S3(config-if)#shutdown
S3(config-if)#no shutdown
7. switchport port-security maximum 2
The maximum setting of 2 means only two MAC addresses can be used on that port; if the user tries to add another host on that segment, the switch port will take the action specified in the port-security violation command.
8. B. The switchport port-security command enables port security, which is a prerequisite for the other commands to function.
9. B. Gateway redundancy is not an issue addressed by STP.
10. A. If no loop avoidance schemes are put in place, the switches will flood broadcasts endlessly throughout the internetwork. This is sometimes referred to as a broadcast storm.
11. B, C. Shutdown and protect mode will alert you via SNMP that a violation has occurred on a port.
12. Spanning Tree Protocol (STP). STP is a switching loop avoidance scheme used by switches.
13. ip default-gateway
If you want to manage your switches from outside your LAN, you need to set a default gateway on the switches, just as you would with a host.
14. C. The IP address is configured under a logical interface, called a management domain or VLAN 1.
15. B. The show port-security interface command displays the current port security and status of a switch port, as in this sample output:
Switch# show port-security interface fastethernet0/1
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses: 2
Total MAC Addresses: 2
Configured MAC Addresses: 2
Aging Time: 30 mins
Aging Type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0
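Reading `show port-security interface` output by hand works for one port; for a monitoring check across many ports it helps to parse it. The following Python example is added here and is not from the book: it turns the key/value lines into a dictionary and classifies the port as healthy, violating, or err-disabled, which is what a defender wants to alert on. The two sample blocks are the outputs from question 6 (without its Last Source Address line) and answer 15, copied so the script runs offline; the field names are the page's, everything else is this example's own.

```python
import re

# Sample inputs: the two `show port-security interface` outputs shown above
# (question 6 and answer 15), copied here so the example runs offline.
SECURE_SHUTDOWN_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Security Violation Count   : 1
"""

SECURE_UP_OUTPUT = """\
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses: 2
Total MAC Addresses: 2
Configured MAC Addresses: 2
Aging Time: 30 mins
Aging Type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0
"""


def parse_port_security(text):
    """Turn "Key : Value" lines into a dict keyed by the lower-cased, space-normalised name.

    Values that start with a number ("0 mins", "2") are stored as ints, the rest as strings,
    so the two spellings of the field names seen above map to the same keys.
    """
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key = " ".join(key.split()).lower()
        value = value.strip()
        m = re.match(r"(\d+)", value)
        fields[key] = int(m.group(1)) if m else value
    return fields


def assess_port(fields):
    """Classify the port for a monitoring check: ("ok" | "violation" | "err-disabled", reasons)."""
    reasons = []
    status = str(fields.get("port status", "")).lower()
    violations = fields.get("security violation count", 0)
    total = fields.get("total mac addresses", 0)
    maximum = fields.get("maximum mac addresses", 0)
    if violations:
        reasons.append(f"{violations} security violation(s) recorded")
    if total > maximum:
        reasons.append(f"{total} MAC addresses seen, maximum is {maximum}")
    if status == "secure-shutdown":
        # Shutdown violation mode err-disabled the port; it stays down until an
        # administrator issues shutdown followed by no shutdown on the interface.
        reasons.append("port is in Secure-shutdown and will not forward frames")
        return "err-disabled", reasons
    return ("violation" if reasons else "ok"), reasons


if __name__ == "__main__":
    for name, output in (("F0/3", SECURE_SHUTDOWN_OUTPUT), ("Fa0/1", SECURE_UP_OUTPUT)):
        state, reasons = assess_port(parse_port_security(output))
        print(name, state, "; ".join(reasons))
```

For the question 6 port the check reports err-disabled with three reasons (a violation count of 1, two addresses against a maximum of one, and the Secure-shutdown status), which matches answers A and D of that question; the answer 15 port comes back ok.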
16. switchport port-security mac-address sticky
Issuing the switchport port-security mac-address sticky command will allow a switch to save a dynamically learned MAC address in the running-configuration of the switch, which prevents the administrator from having to document or configure specific MAC addresses.
17. B, D. To limit connections to a specific host, you should configure the MAC address of the host as a static entry associated with the port, although be aware that this host can still connect to any other port, but no other port can connect to F0/3, in this example. Another solution would be to configure port security to accept traffic only from the MAC address of the host. By default, an unlimited number of MAC addresses can be learned on a single switch port, whether it is configured as an access port or a trunk port. Switch ports can be secured by defining one or more specific MAC addresses that should be allowed to connect and by defining violation policies (such as disabling the port) to be enacted if additional hosts try to gain a connection.
18. D. The command statically defines the MAC address of 00c0.35F0.8301 as an allowed host on the switch port. By default, an unlimited number of MAC addresses can be learned on a single switch port, whether it is configured as an access port or a trunk port. Switch ports can be secured by defining one or more specific MAC addresses that should be allowed to connect, and violation policies (such as disabling the port) if additional hosts try to gain a connection.
19. D. You would not make the port a trunk. In this example, this switchport is a member of one VLAN. However, you can configure port security on a trunk port, but again, that’s not valid for this question.
20. switchport port-security violation shutdown
This command is used to set the reaction of the switch to a port violation of shutdown.
Review Questions
1. Which of the following statements is true with regard to VLANs?
A. VLANs greatly reduce network security.
B. VLANs increase the number of collision domains while decreasing their size.
C. VLANs decrease the number of broadcast domains while decreasing their size.
D. Network adds, moves, and changes are achieved with ease by just configuring a port into the appropriate VLAN.
2. Write the command that must be present for this layer 3 switch to provide inter-VLAN routing between the two VLANs created with these commands:
S1(config)#int vlan 10
S1(config-if)#ip address 192.168.10.1 255.255.255.0
S1(config-if)#int vlan 20
S1(config-if)#ip address 192.168.20.1 255.255.255.0
3. In the following diagram, how must the port on each end of the line be configured to carry traffic between the four hosts?
A. Access port
B. 10 GB
C. Trunk
D. Spanning
4. What is the only type of second VLAN of which an access port can be a member?
A. Secondary
B. Voice
C. Primary
D. Trunk
5. In the following configuration, what command is missing in the creation of the VLAN interface?
2960#config t
2960(config)#int vlan 1
2960(config-if)#ip address 192.168.10.2 255.255.255.0
2960(config-if)#exit
2960(config)#ip default-gateway 192.168.10.1
A. no shutdown under int vlan 1
B. encapsulation dot1q 1 under int vlan 1
C. switchport access vlan 1
D. passive-interface
6. Which of the following statements is true with regard to ISL and 802.1q?
A. 802.1q encapsulates the frame with control information; ISL inserts an ISL field along with tag control information.
B. 802.1q is Cisco proprietary.
C. ISL encapsulates the frame with control information; 802.1q inserts an 802.1q field along with tag control information.
D. ISL is a standard.
7. What concept is depicted in the diagram?
A. Multiprotocol routing
B. Passive interface
C. Gateway redundancy
D. Router on a stick
8. Write the command that places an interface into VLAN 2. Write only the command and not the prompt.
9. Write the command that generated the following output:
VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Gi0/1
                                                Gi0/2
2    Sales                            active
3    Marketing                        active
4    Accounting                       active
[output cut]
10. In the configuration and diagram shown, what command is missing to enable inter-VLAN routing between VLAN 2 and VLAN 3?
A. encapsulation dot1q 3 under int f0/0.2
B. encapsulation dot1q 2 under int f0/0.2
C. no shutdown under int f0/0.2
D. no shutdown under int f0/0.3
11. Based on the configuration shown here, what statement is true?
S1(config)#ip routing
S1(config)#int vlan 10
S1(config-if)#ip address 192.168.10.1 255.255.255.0
S1(config-if)#int vlan 20
S1(config-if)#ip address 192.168.20.1 255.255.255.0
A. This is a multilayer switch.
B. The two VLANs are in the same subnet.
C. Encapsulation must be configured.
D. VLAN 10 is the management VLAN.
12. What is true of the output shown here?
S1#sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/19, Fa0/20
                                                Fa0/22, Fa0/23, Gi0/1, Gi0/2
2    Sales                            active
3    Marketing                        active    Fa0/21
4    Accounting                       active
[output cut]
A. Interface F0/15 is a trunk port.
B. Interface F0/17 is an access port.
A. 192.168.10.1
B. 192.168.1.65
C. 192.168.1.129
D. 192.168.1.2
17. What is the purpose of frame tagging in virtual LAN (VLAN) configurations?
A. Inter-VLAN routing
B. Encryption of network packets
C. Frame identification over trunk links
D. Frame identification over access links
18. Write the command to create VLAN 2 on a layer 2 switch. Write only the command and not the prompt.
19. Which statement is true regarding 802.1q frame tagging?
A. 802.1q adds a 26-byte trailer and 4-byte header.
B. 802.1q uses a native VLAN.
C. The original Ethernet frame is not modified.
D. 802.1q only works with Cisco switches.
20. Write the command that prevents an interface from generating DTP frames. Write only the command and not the prompt.
Answers to Review Questions
1. D. Here’s a list of ways VLANs simplify network management:
Network adds, moves, and changes are achieved with ease by just configuring a port into the appropriate VLAN.
A group of users that need an unusually high level of security can be put into its own VLAN so that users outside of the VLAN can’t communicate with them.
As a logical grouping of users by function, VLANs can be considered independent from their physical or geographic locations.
VLANs greatly enhance network security if implemented correctly.
VLANs increase the number of broadcast domains while decreasing their size.
2. ip routing
Routing must be enabled on the layer 3 switch.
3. C. VLANs can span across multiple switches by using trunk links, which carry traffic for multiple VLANs.
4. B. While in all other cases access ports can be a member of only one VLAN, most switches will allow you to add a second VLAN to an access port on a switch port for your voice traffic; it’s called the voice VLAN. The voice VLAN used to be called the auxiliary VLAN, which allowed it to be overlaid on top of the data VLAN, enabling both types of traffic through the same port.
5. A. Yes, you have to do a no shutdown on the VLAN interface.
6. C. Unlike ISL which encapsulates the frame with control information, 802.1q inserts an 802.1q field along with tag control information.
7. D. Instead of using a router interface for each VLAN, you can use one FastEthernet interface and run ISL or 802.1q trunking. This allows all VLANs to communicate through one interface. Cisco calls this a “router on a stick.”
8. switchport access vlan 2
This command is executed under the interface (switch port) that is being placed in the VLAN.
9. show vlan
After you create the VLANs that you want, you can use the show vlan command to check them out.
10. B. The encapsulation command specifying the VLAN for the subinterface must be present under both subinterfaces.
11. A. With a multilayer switch, enable IP routing and create one logical interface for each VLAN using the interface vlan number command and you’re now doing inter-VLAN routing on the backplane of the switch!
12. A. Ports Fa0/15–18 are not present in any VLANs. They are trunk ports.
13. C. Untagged frames are members of the native VLAN, which by default is VLAN 1.
14. sh interfaces fastEthernet 0/15 switchport
This show interfaces interface switchport command shows us the administrative mode of dynamic desirable and that the port is a trunk port, DTP was used to negotiate the frame tagging method of ISL, and the native VLAN is the default of 1.
15. C. A VLAN is a broadcast domain on a layer 2 switch. You need a separate address space (subnet) for each VLAN. There are four VLANs, so that means four broadcast domains/subnets.
16. B. The host’s default gateway should be set to the IP address of the subinterface that is associated with the VLAN of which the host is a member, in this case VLAN 2.
17. C. Frame tagging is used when VLAN traffic travels over a trunk link. Trunk links carry frames for multiple VLANs. Therefore, frame tags are used for identification of frames from different VLANs.
18. vlan 2
To configure VLANs on a Cisco Catalyst switch, use the global config vlan command.
19. B. 802.1q uses the native VLAN.
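Answers 6, 13, 17 and 19 all describe the same mechanism: 802.1q inserts a 4-byte tag into the existing frame rather than encapsulating it, frames of the native VLAN cross the trunk untagged, and the tag is what identifies the VLAN on the far side. The following Python example is added here and is not from the book; it builds an untagged Ethernet II frame, tags it for a trunk, and classifies frames arriving on a trunk back into their VLANs. The MAC addresses are the ones from the MAC table questions earlier on the page; the function names, the native VLAN default and the payload are this example's assumptions.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
NATIVE_VLAN = 1       # Cisco default native VLAN (answer 13 above)


def mac_bytes(mac):
    """Accept Cisco 'aaaa.bbbb.cccc' or 'aa:bb:cc:dd:ee:ff' notation; return 6 bytes."""
    return bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Untagged Ethernet II frame: 14-byte header + payload (FCS left out)."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def tag_frame(frame, vlan_id, pcp=0, dei=0):
    """Insert the 4-byte 802.1Q tag (TPID + TCI) after the source MAC.

    Nothing is encapsulated: the bytes before and after the insertion point are
    unchanged, which is the difference from ISL noted in answer 6.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | (dei << 12) | vlan_id   # 3-bit priority, 1-bit DEI, 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def egress_on_trunk(frame, vlan_id, native_vlan=NATIVE_VLAN):
    """Native-VLAN frames leave a trunk untagged; every other VLAN's frames are tagged."""
    return frame if vlan_id == native_vlan else tag_frame(frame, vlan_id)


def classify_ingress(frame, native_vlan=NATIVE_VLAN):
    """For a frame received on a trunk, return (vlan_id, frame with the tag removed).

    An untagged frame is assigned to the native VLAN.
    """
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return native_vlan, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


if __name__ == "__main__":
    untagged = build_frame("000e.83b2.e34b", "b414.89d9.1886", 0x0800, b"hello")
    tagged = egress_on_trunk(untagged, 2)
    print(len(untagged), len(tagged), classify_ingress(tagged))
```

The round trip shows the tag adding exactly 4 bytes (not a 26-byte trailer), the original EtherType moving intact to offset 16, and an untagged arrival being assigned to VLAN 1. That last rule is why native VLAN mismatches between two trunk ends silently merge traffic from two VLANs, which is worth checking when auditing trunk configurations.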
20. switchport nonegotiate
You can use this command only when the interface switchport mode is access or trunk. You must manually configure the neighboring interface as a trunk interface to establish a trunk link.
Review Questions
1. Which of the following statements is false when a packet is being compared to an access list?
A. It’s always compared with each line of the access list in sequential order.
B. Once the packet matches the condition on a line of the access list, the packet is acted upon and no further comparisons take place.
C. There is an implicit “deny” at the end of each access list.
D. Until all lines have been analyzed, the comparison is not over.
2. You need to create an access list that will prevent hosts in the network range of 192.168.160.0 to 192.168.191.0. Which of the following lists will you use?
A. access-list 10 deny 192.168.160.0 255.255.224.0
B. access-list 10 deny 192.168.160.0 0.0.191.255
C. access-list 10 deny 192.168.160.0 0.0.31.255
D. access-list 10 deny 192.168.0.0 0.0.31.255
3. You have created a named access list called BlockSales. Which of the following is a valid command for applying this to packets trying to enter interface Fa0/0 of your router?
A. (config)#ip access-group 110 in
B. (config-if)#ip access-group 110 in
C. (config-if)#ip access-group Blocksales in
D. (config-if)#BlockSales ip access-list in
4. Which access list statement will permit all HTTP sessions to network 192.168.144.0/24 containing web servers?
A. access-list 110 permit tcp 192.168.144.0 0.0.0.255 any eq 80
B. access-list 110 permit tcp any 192.168.144.0 0.0.0.255 eq 80
C. access-list 110 permit tcp 192.168.144.0 0.0.0.255 192.168.144.0 0.0.0.255 any eq 80
D. access-list 110 permit udp any 192.168.144.0 eq 80
5. Which of the following access lists will allow only HTTP traffic into network 196.15.7.0?
A. access-list 100 permit tcp any 196.15.7.0 0.0.0.255 eq www
B. access-list 10 deny tcp any 196.15.7.0 eq www
C. access-list 100 permit 196.15.7.0 0.0.0.255 eq www
D. access-list 110 permit ip any 196.15.7.0 0.0.0.255
E. access-list 110 permit www 196.15.7.0 0.0.0.255
6. What router command allows you to determine whether an IP access list is enabled on a particular interface?
A. show ip port
B. show access-lists
C. show ip interface
D. show access-lists interface
7. In the work area, connect the show command to its function on the right.
Commands:
show access-list
show access-list 110
show ip access-list
show ip interface
Functions:
Shows only the parameters for the access list 110. This command does not show you the interface the list is set on.
Shows only the IP access lists configured on the router.
Shows which interfaces have access lists set.
Displays all access lists and their parameters configured on the router. This command does not show you which interface the list is set on.
8. If you wanted to deny all Telnet connections to only network 192.168.10.0, which command could you use?
A. access-list 100 deny tcp 192.168.10.0 255.255.255.0 eq telnet
B. access-list 100 deny tcp 192.168.10.0 0.255.255.255 eq telnet
C. access-list 100 deny tcp any 192.168.10.0 0.0.0.255 eq 23
D. access-list 100 deny 192.168.10.0 0.0.0.255 any eq 23
9. If you wanted to deny FTP access from network 200.200.10.0 to network 200.199.11.0 but allow everything else, which of the following command strings is valid?
A. access-list 110 deny 200.200.10.0 to network 200.199.11.0 eq ftp
B. access-list 111 permit ip any 0.0.0.0 255.255.255.255
C. access-list 1 deny ftp 200.200.10.0 200.199.11.0 any any
D. access-list 100 deny tcp 200.200.10.0 0.0.0.255 200.199.11.0 0.0.0.255 eq ftp
E. access-list 198 deny tcp 200.200.10.0 0.0.0.255 200.199.11.0 0.0.0.255 eq ftp
access-list 198 permit ip any 0.0.0.0 255.255.255.255
10. You want to create an extended access list that denies the subnet of the following host: 172.16.50.172/20. Which of the following would you start your list with?
A. access-list 110 deny ip 172.16.48.0 255.255.240.0 any
B. access-list 110 udp deny 172.16.0.0 0.0.255.255 ip any
C. access-list 110 deny tcp 172.16.64.0 0.0.31.255 any eq 80
D. access-list 110 deny ip 172.16.48.0 0.0.15.255 any
11. Which of the following is the wildcard (inverse) version of a /27 mask?
A. 0.0.0.7
B. 0.0.0.31
C. 0.0.0.27
D. 0.0.31.255
12. You want to create an extended access list that denies the subnet of the following host: 172.16.198.94/19. Which of the following would you start your list with?
A. access-list 110 deny ip 172.16.192.0 0.0.31.255 any
B. access-list 110 deny ip 172.16.0.0 0.0.255.255 any
C. access-list 10 deny ip 172.16.172.0 0.0.31.255 any
D. access-list 110 deny ip 172.16.188.0 0.0.15.255 any
13. The following access list has been applied to an interface on a router:
access-list 101 deny tcp 199.111.16.32 0.0.0.31 host 199.168.5.60
Which of the following IP addresses will be blocked because of this single rule in the list? (Choose all that apply.)
A. 199.111.16.67
B. 199.111.16.38
C. 199.111.16.65
D. 199.11.16.54
14. Which of the following commands connects access list 110 inbound to interface Ethernet0?
A. Router(config)#ip access-group 110 in
B. Router(config)#ip access-list 110 in
C. Router(config-if)#ip access-group 110 in
D. Router(config-if)#ip access-list 110 in
15. What is the effect of this single-line access list?
access-list 110 deny ip 172.16.10.0 0.0.0.255 host 1.1.1.1
A. Denies only the computer at 172.16.10
B. Denies all traffic
C. Denies the subnet 172.16.10.0/26
D. Denies the subnet 172.16.10.0/25
16. You configure the following access list. What will the result of this access list be?
access-list 110 deny tcp 10.1.1.128 0.0.0.63 any eq smtp
access-list 110 deny tcp any any eq 23
int ethernet 0
ip access-group 110 out
A. Email and Telnet will be allowed out E0.
B. Email and Telnet will be allowed in E0.
C. Everything but email and Telnet will be allowed out E0.
D. No IP traffic will be allowed out E0.
17. Which of the following series of commands will restrict Telnet access to the router?
A. Lab_A(config)#access-list 10 permit 172.16.1.1
Lab_A(config)#line con 0
Lab_A(config-line)#ip access-group 10 in
B. Lab_A(config)#access-list 10 permit 172.16.1.1
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 10 out
C. Lab_A(config)#access-list 10 permit 172.16.1.1
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 10 in
D. Lab_A(config)#access-list 10 permit 172.16.1.1
Lab_A(config)#line vty 0 4
Lab_A(config-line)#ip access-group 10 in
18. Which of the following is true regarding access lists applied to an interface?
A. You can place as many access lists as you want on any interface until you run out of memory.
B. You can apply only one access list on any interface.
C. One access list may be configured, per direction, for each layer 3 protocol configured on an interface.
D. You can apply two access lists to any interface.
19. What is the most common attack on a network today?
A. Lock picking
B. Naggle
C. DoS
D. auto secure
20. You need to stop DoS attacks in real time and have a log of anyone who has tried to attack your network. What should you do on your network?
A. Add more routers.
B. Use the auto secure command.
C. Implement IDS/IPS.
D. Configure Naggle.
Answers to Review Questions
1. D. It’s compared with lines of the access list only until a match is made. Once the packet matches the condition on a line of the access list, the packet is acted upon and no further comparisons take place.
2. C. The range of 192.168.160.0 to 192.168.191.0 is a block size of 32. The network address is 192.168.160.0 and the mask would be 255.255.224.0, which for an access list must be a wildcard format of 0.0.31.255. The 31 is used for a block size of 32. The wildcard is always one less than the block size.
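Answers 1 and 2 state the two rules that decide every ACL question in this set: wildcard bits are the inverse of the mask (block size minus one), and a packet is compared top-down until the first match, with an implicit deny if nothing matches. The following Python example is added here and is not from the book: it derives network/wildcard pairs from a prefix, a host/prefix or a range, parses the extended numbered ACL lines used in questions 13 and 16, and evaluates packets against the list. The line syntax is the page's; the dictionary layout, the packet representation and the port-name table are this example's own, and it covers only the ip/tcp/udp forms with an optional `eq` on the destination.

```python
import ipaddress

PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25, "ftp": 21}


def wildcard_from_prefix(prefix_len):
    """Wildcard (inverse) mask for a prefix length: /27 -> '0.0.0.31'."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def subnet_entry_for_host(host_with_prefix):
    """Network address and wildcard covering a host's subnet, e.g. '172.16.50.172/20'."""
    net = ipaddress.IPv4Network(host_with_prefix, strict=False)
    return str(net.network_address), str(net.hostmask)


def acl_entry_for_range(first, last):
    """Network/wildcard pair for a contiguous range that forms one aligned block."""
    blocks = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    if len(blocks) != 1:
        raise ValueError("range is not a single aligned block; it needs several lines")
    return str(blocks[0].network_address), str(blocks[0].hostmask)


def matches(addr, base, wildcard):
    """An address matches when it agrees with the base on every bit the wildcard leaves as 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def _address_spec(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line):
    """Parse an extended numbered ACL line (ip/tcp/udp, optional 'eq <port>' on the destination)."""
    tokens = line.split()
    if tokens[:1] != ["access-list"]:
        raise ValueError("not an access-list line")
    number, action, proto = int(tokens[1]), tokens[2], tokens[3]
    (src, src_wc), rest = _address_spec(tokens[4:])
    (dst, dst_wc), rest = _address_spec(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
    return {"number": number, "action": action, "proto": proto, "src": src,
            "src_wc": src_wc, "dst": dst, "dst_wc": dst_wc, "dport": dport}


def evaluate(acl, packet):
    """Compare a packet with the list top-down; the first matching line decides.

    Returns (action, index of the matching line). ("deny", None) is the implicit
    deny any that ends every list.
    """
    for i, ace in enumerate(acl):
        if (ace["proto"] in ("ip", packet["proto"])
                and matches(packet["src"], ace["src"], ace["src_wc"])
                and matches(packet["dst"], ace["dst"], ace["dst_wc"])
                and (ace["dport"] is None or ace["dport"] == packet.get("dport"))):
            return ace["action"], i
    return "deny", None


# The two-line list from question 16 above, parsed into entries.
ACL_110 = [parse_ace("access-list 110 deny tcp 10.1.1.128 0.0.0.63 any eq smtp"),
           parse_ace("access-list 110 deny tcp any any eq 23")]
```

Evaluating a web session from 10.1.1.200 against ACL_110 returns ("deny", None): neither explicit line matches, so the implicit deny applies, which is why a list with only deny lines blocks all traffic. Appending a permit ip any any line, as in option E of question 9, is what lets the remaining traffic through.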
3. C. Using a named access list just replaces the number used when applying the list to the router’s interface. ip access-group Blocksales in is correct.
4. B. The list must specify TCP as the Transport layer protocol and use a correct wildcard mask (in this case 0.0.0.255), and it must specify the destination port (80). It also should specify any as the set of computers allowed to have this access.
5. A. The first thing to check in a question like this is the access-list number. Right away, you can see that the second option is wrong because it is using a standard IP access-list number. The second thing to check is the protocol. If you are filtering by upper-layer protocol, then you must be using either UDP or TCP; this eliminates the fourth option. The third and last answers have the wrong syntax.
6. C. Of the available choices, only the show ip interface command will tell you which interfaces have access lists applied. show access-lists will not show you which interfaces have an access list applied.
the interface because of the implicit deny any at the end of every list.
17. C. Telnet access to the router is restricted by using either a standard or extended IP access list inbound on the VTY lines of the router. The command access-class is used to apply the access list to the VTY lines.
18. C. A Cisco router has rules regarding the placement of access lists on a router interface. You can place one access list per direction for each layer 3 protocol configured on an interface.
19. C. The most common attack on a network today is a denial of service (DoS) because it is the easiest attack to achieve.
20. C. Implementing intrusion detection services and intrusion prevention services will help notify you and stop attacks in real time.
Review Questions
1. You receive the following output from a switch:
S2#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    32769
             Address     0001.42A7.A603
             Cost        4
             Port        26(GigabitEthernet1/2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
[output cut]
Which are true regarding this switch? (Choose two.)
A. The switch is a root bridge.
B. The switch is a non-root bridge.
C. The root bridge is four switches away.
D. The switch is running 802.1w.
E. The switch is running STP PVST+.
2. You have configured your switches with the spanning-tree vlan x root primary and spanning-tree vlan x root secondary commands. Which of the following tertiary switches will take over if both switches fail?
A. A switch with priority 4096
B. A switch with priority 8192
C. A switch with priority 12288
D. A switch with priority 20480
3. Which of the following would you use to find the VLANs for which your switch is the root bridge? (Choose two.)
A. show spanning-tree
B. show root all
C. show spanning-tree port root VLAN
D. show spanning-tree summary
4. You want to run the new 802.1w on your switches. Which of the following would enable this protocol?
A. Switch(config)#spanning-tree mode rapid-pvst
B. Switch#spanning-tree mode rapid-pvst
C. Switch(config)#spanning-tree mode 802.1w
D. Switch#spanning-tree mode 802.1w
5. Which of the following is a layer 2 protocol used to maintain a loop-free network?
A. VTP
B. STP
C. RIP
D. CDP
6. Which statement describes a spanning-tree network that has converged?
A. All switch and bridge ports are in the forwarding state.
B. All switch and bridge ports are assigned as either root or designated ports.
C. All switch and bridge ports are in either the forwarding or blocking state.
D. All switch and bridge ports are either blocking or looping.
7. Which of the following modes enable LACP EtherChannel? (Choose two.)
A. On
B. Prevent
C. Passive
D. Auto
E. Active
F. Desirable
8. Which of the following are true regarding RSTP? (Choose three.)
A. RSTP speeds the recalculation of the spanning tree when the layer 2 network topology changes.
B. RSTP is an IEEE standard that redefines STP port roles, states, and BPDUs.
C. RSTP is extremely proactive and very quick, and therefore it absolutely needs the 802.1 delay timers.
D. RSTP (802.1w) supersedes 802.1d while remaining proprietary.
E. All of the 802.1d terminology and most parameters have been changed.
F. 802.1w is capable of reverting to 802.1d to interoperate with traditional switches on a per-port basis.
7739. What does BPDU Guard perform?
774A. Makes sure the port is receiving BPDUs from the correct
775upstream switch.
776B. Makes sure the port is not receiving BPDUs from the
777upstream switch, only the root.
778C. If a BPDU is received on a BPDU Guard port, PortFast is
779used to shut down the port.
780D. Shuts down a port if a BPDU is seen on that port.
781
78210. How many bits is the sys-id-ext field in a BPDU?
783A. 4
784B. 8
785C. 12
786D. 16
78711. There are four connections between two switches running RSTP
788PVST+ and you want to figure out how to achieve higher
789bandwidth without sacrificing the resiliency that RSTP provides.
790What can you configure between these two switches to achieve
791higher bandwidth than the default configuration is already
792providing?
793A. Set PortFast and BPDU Guard, which provides faster
794convergence.
795B. Configure unequal cost load balancing with RSTP PVST+.
796C. Place all four links into the same EtherChannel bundle.
797D. Configure PPP and use multilink.
79812. In which circumstance are multiple copies of the same unicast
root bridge for VLAN 30? (Choose two.)
A. spanning-tree vlan 30 priority 0
B. spanning-tree vlan 30 priority 16384
C. spanning-tree vlan 30 root guarantee
D. spanning-tree vlan 30 root primary
18. Why does Cisco use its proprietary extension of PVST+ with STP and RSTP?
A. Root bridge placement enables faster convergence as well as optimal path determination.
B. Non-root bridge placement clearly enables faster convergence as well as optimal path determination.
C. PVST+ allows for faster discarding of non-IP frames.
D. PVST+ is actually an IEEE standard called 802.1w.
19. Which are states in 802.1d? (Choose all that apply.)
A. Blocking
B. Discarding
C. Listening
D. Learning
E. Forwarding
F. Alternate
20. Which of the following are roles in STP? (Choose all that apply.)
A. Blocking
B. Discarding
C. Root
D. Non-designated
E. Forwarding
F. Designated

829
830111515a5a5aa151515a5a151551515a151a51a5
831
1. B, D. The switch is not the root bridge for VLAN 1 or the output would tell us exactly that. The root bridge for VLAN 1 is off of interface G1/2 with a cost of 4, meaning it is directly connected. Use the command show cdp nei to find your root bridge at this point. Also, the switch is running RSTP (802.1w), not STP.
2. D. Option A seems like the best answer, and had the switches not been configured with the primary and secondary commands, then the switch configured with priority 4096 would have been root. However, since the primary and secondary both had a priority of 16384, the tertiary switch would be a switch with a higher priority in this case.
3. A, D. It is important that you can find your root bridge, and the show spanning-tree command will help you do this. To quickly find out which VLANs your switch is the root bridge for, use the show spanning-tree summary command.
4. A. 802.1w is also called Rapid Spanning Tree Protocol. It is not enabled by default on Cisco switches, but it is a better STP to run because it has all the fixes that the Cisco extensions provide with 802.1d. Remember, Cisco runs RSTP PVST+, not just RSTP.
5. B. The Spanning Tree Protocol is used to stop switching loops in a layer 2 switched network with redundant paths.
6. C. Convergence occurs when all ports on bridges and switches have transitioned to either the forwarding or blocking states. No data is forwarded until convergence is complete. Before data can be forwarded again, all devices must be updated.
7. C, E. There are two types of EtherChannel: Cisco's PAgP and the IEEE's LACP. They are basically the same, and there is little difference in configuring them. For PAgP, use auto or desirable mode, and with LACP use passive or active. These modes decide which method you are using, and they must be configured the same on both sides of the EtherChannel bundle.
8. A, B, F. RSTP helps with convergence issues that plague traditional STP. Rapid PVST+ is based on the 802.1w standard in the same way that PVST+ is based on 802.1d. The operation of Rapid PVST+ is simply a separate instance of 802.1w for each VLAN.
9. D. BPDU Guard is used when a port is configured for PortFast, or it should be used, because if that port receives a BPDU from another switch, BPDU Guard will shut that port down to stop a loop from occurring.
10. C. To allow PVST+ to operate, there's a field inserted into the BPDU to accommodate the extended system ID so that PVST+ can have a root bridge configured on a per-STP-instance basis. The extended system ID (VLAN ID) is a 12-bit field, and we can even see what this field is carrying via the show spanning-tree command output.
11. C. PortFast and BPDU Guard allow a port to transition to the forwarding state quickly, which is great for a switch port but not for load balancing. You can somewhat load balance with RSTP, but that is out of the scope of our objectives, and although you can use PPP to configure multilink (bundle links), this is performed on asynchronous or synchronous serial links. Cisco's EtherChannel can bundle up to eight ports between switches.
12. D. If the Spanning Tree Protocol is not running on your switches and you connect them together with redundant links, you will have broadcast storms and multiple frame copies being received by the same destination device.
13. B, C, E. All the ports on both sides of every link must be configured exactly the same or it will not work. Speed, duplex, and allowed VLANs must match.
14. D, F. There are two types of EtherChannel: Cisco's PAgP and the IEEE's LACP. They are basically the same, and there is little difference in configuring them. For PAgP, use the auto or desirable mode, and with LACP use the passive or active mode. These modes decide which method you are using, and they must be configured the same on both sides of the EtherChannel bundle.
15. D. You can't answer this question if you don't know who the root bridge is. SC has a bridge priority of 4,096, so that is the root bridge. The cost for SB was 4, with the direct link, but that link went down. If SB goes through SA to SC, the cost would be 4 + 19, or 23. If SB goes to SA to SD to SC, the cost is 4 + 4 + 4 = 12.
16. A, D. To configure EtherChannel, create the port channel from global configuration mode, and then assign the group number on each interface using the active mode to enable LACP. Just configuring the channel-group command under your interfaces will enable the bundle, but options A and D are the best Cisco objective answers.
17. A, D. You can set the priority to any value from 0 through 61,440 in increments of 4,096. Setting it to zero (0) means that the switch will always be the root as long as it has a lower MAC than another switch with its bridge ID also set to 0. You can also force a switch to be the root for a VLAN with the spanning-tree vlan vlan root primary command.
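The bridge-ID comparison from answers 10 and 17 (4-bit priority plus the 12-bit sys-id-ext, lower MAC breaking ties) and the root-path-cost arithmetic from answer 15, worked through in Python as an added example that is not part of the study guide. The switch names, the 4,096 priority for SC and the link costs of 4 and 19 follow answer 15; the MAC addresses and the full VLAN-30 bridge set are constructed.

```python
from dataclasses import dataclass
import heapq


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int  # configured in steps of 4,096, 0 through 61,440
    vlan: int      # carried in the 12-bit sys-id-ext field of the BPDU
    mac: str       # tie-breaker when priority + VLAN ID are equal

    def bridge_id(self):
        # 802.1t bridge ID: 4-bit priority | 12-bit sys-id-ext | 48-bit MAC.
        # Comparing this tuple compares the way a switch compares BPDUs.
        assert self.priority % 4096 == 0 and 0 <= self.priority <= 61440
        assert 0 <= self.vlan < 4096
        return (self.priority + self.vlan, int(self.mac.replace(".", ""), 16))


def elect_root(bridges):
    """The bridge with the lowest bridge ID becomes root for that VLAN."""
    return min(bridges, key=Bridge.bridge_id)


def root_path_costs(links, root):
    """Cheapest link-cost sum from every switch to the root (Dijkstra)."""
    adj = {}
    for a, b, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    best = {root: 0}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node]:
            continue  # stale heap entry, a cheaper path was already found
        for nxt, c in adj.get(node, []):
            if cost + c < best.get(nxt, float("inf")):
                best[nxt] = cost + c
                heapq.heappush(heap, (cost + c, nxt))
    return best


# Constructed bridges for VLAN 30 (SC has priority 4,096 as in answer 15; MACs are made up).
VLAN30 = [Bridge("SA", 32768, 30, "0001.42a7.a601"),
          Bridge("SB", 32768, 30, "0001.42a7.a600"),
          Bridge("SC", 4096, 30, "0001.42a7.a603"),
          Bridge("SD", 32768, 30, "0001.42a7.a602")]
# Answer 15 topology after the direct SB-SC link failed: Gigabit links cost 4, SA-SC costs 19.
LINKS_AFTER_FAILURE = [("SB", "SA", 4), ("SA", "SC", 19),
                       ("SA", "SD", 4), ("SD", "SC", 4)]
```

With the SB-SC link restored, `root_path_costs` drops SB's cost back to 4, matching the "Cost 4" seen in the question 1 output for a directly connected root.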
18. A. By using per-VLAN spanning tree, the root bridge can be placed in the center of where all the resources are for a particular VLAN, which enables optimal path determination.
19. A, C, D, E. Each 802.1d port transitions through blocking, listening, learning, and finally forwarding after 50 seconds, by default. RSTP uses discarding, learning, and forwarding only.
20. A, C, D, E, F. The roles a switch port can play in STP are root, non-root, designated, non-designated, forwarding, and blocking. Discarding is used in RSTP, and disabled could be a role, but it's not listed as a possible answer.