Appendix A. Answers to Review Questions

Chapter 1

1

True. Applying security in the multilayer switched network is crucial to provide a secured environment.

2

True. Security is the most important aspect of building multilayer switched networks today.

3

True. Hardware-switching of frames scales the number of wire-speed ports by implementing features such as distributed CEF.

4

True. The Enterprise Composite Network Model adds modularity to the hierarchical network design.

5

True. The Data Center is evolving as its own functional area of the enterprise network.

6

Answers:

  1. Layer 3. Switching per IP destination occurs at the network layer (Layer 3).

  2. Layer 3. IP precedence is denoted by bits in the IP header to signify priority. Applying QoS based on these IP precedence bits is a Layer 3 switching feature.

  3. Layer 3. Restricting IP broadcast traffic requires a switch to inspect the destination IP address of a packet; therefore, restricting IP broadcast traffic is a Layer 3 switching feature.

  4. Layer 2. Applying 802.1X authentication is purely a Layer 2 switching feature: the switch exchanges EAPOL frames with the supplicant and needs only the Layer 2 addresses of the frame, not its IP header, to control access to the port.

  5. Layer 4. Distributing TCP sessions requires Layer 4 inspection of the frame by a switch.

  6. Layer 7. Blocking web cookies requires content-intelligence, a Layer 7 feature.

  7. Layer 4. Network Address Translation requires Layer 3 and Layer 4 inspection of IP packets; translating ports (PAT) requires the TCP or UDP header in addition to the IP header.

  8. Layer 2. CoS bits are bits in the Layer 2 802.1Q tag that signify priority.

7

e. DSCP values are contained within the IP header.

8

Answers:

1-b. The Enterprise Edge functional area interconnects the Enterprise Campus to the Service Provider Edge and contains the Remote Access and VPN module.

2-a. The Enterprise Campus functional area contains the Building Access, Building Distribution, and Campus Backbone submodules that are used to build a campus infrastructure that offers high performance, scalability, and availability.

3-c. The Service Provider Edge functional area integrates ISP services into the enterprise network.

9

Answers:

1-a. The Edge Distribution module connects the Enterprise Campus module with Enterprise Edge services and modules.

2-d. The Network Management module monitors the network for performance, system alerts, and anomalous events, all of which are useful in troubleshooting.

3-c. The Campus Infrastructure module provides many services and functions, including connecting the Server Farm and Edge Distribution modules.

4-b. The Data Center module contains many types of Internet servers, including e-mail and DNS servers.

10

Answers:

1-c. The E-Commerce module integrates the applications and services for Internet-based commerce and information.

2-d. The Internet Connectivity module consists of servers, including e-mail servers for exchanging e-mail globally.

3-b. The Remote Access and VPN module terminates VPN and remote-access traffic from remote users or remote sites.

4-a. The WAN module consists of routers and switches that connect remote sites with central sites over point-to-point connections.

11

Answers:

1-c. The PSTN module uses legacy phone technologies such as POTS and ISDN to provide for remote access to the enterprise network.

2-b. The Frame Relay/ATM/PPP module includes WAN technologies for connecting remote sites or users using permanent, point-to-point connections.

3-a. The ISP module connects the enterprise network to the Internet and includes components for security.

12

a, b, and c. The Catalyst 2950 family of switches is the only Cisco Catalyst switch listed that does not support IP routing.

13

b. The Catalyst 4500 family of switches offers specialized line modules of high port density for high-speed metro Ethernet deployment over long distances. The Catalyst 2950 LRE switch also provides for metro Ethernet functionality but is limited in port density and speed.

14

a, b, c, and d. All Catalyst families of switches in the list support power redundancy either via dual internal power supplies or via external RPSs.

15

a and b. The Catalyst 3550 and 3760 families are the only switches in the list that are not modular; they have a fixed port density.

16

a. The Catalyst 6500 family of switches is the only switch in the list that supports ATM interfaces through special modules.

17

a. The Catalyst 6500 family of switches supports any role within the Enterprise Composite Network Model because of its versatility, its available interface types, and its performance, scalability, and availability features.

18

a, b, and c. Using modular switches rather than fixed port density switches provides for additional performance, scalability, and availability. Modular switches generally use higher-performance ASICs, including ASICs at specific line modules for increased performance. Modular switches achieve scalability because of their ability to swap line modules for different interface types and increased port density. With regard to availability, modular switches generally support redundant supervisors.

19

b. Stacking applies a few modular switch benefits to the fixed port density switches, such as link redundancy and scalability.

20

The destination MAC address of the frame at Location A is 0000.0cbb.000a because Workstation A sends frames to its default gateway to be routed to other subnets.

21

The source MAC address, the destination MAC address, and the destination IP address of the frame at Location B are 0000.0cbb.001a, 0000.0cbb.001b, and 10.1.2.2, respectively. Routers rewrite the source and destination MAC addresses at each Layer 3 boundary in the path from source to destination. The IP addresses do not change from source to destination in this topology.

22

The source MAC address, the destination MAC address, and the destination IP address of the frame at Location C are 0000.0cbb.000b, 0000.0c00.0012, and 10.1.1.2, respectively. Routers rewrite the source and destination MAC addresses at each Layer 3 boundary in the path from source to destination. The IP addresses do not change from source to destination in this topology.

Chapter 2

1

False. If both link partners are operating at full duplex, collisions cannot occur.

2

False. Per the IEEE 802.3ab specification, auto-negotiation with Gigabit Ethernet over copper is required.

3

c. A duplex mismatch will occur if the manually configured link partner is set to 100 Mbps, full duplex. This is because the auto-negotiating link partner receives no auto-negotiation parameters from its peer; it can detect the speed through parallel detection but not the duplex setting, so it falls back to 100-Mbps, half-duplex operation.

4

b, c, and f. Layer 3 switches and routers differ only in physical aspects such as design, implementation, and port density.

5

b, e, and f. 10-Gigabit Ethernet is an emerging technology currently limited to connecting clusters of servers, high-speed switches, and multiple campuses.

6

c. The Data Center module connects to the Campus Backbone submodule with more than one connection for high-availability purposes.

7

b. Servers connect to switches via two autonomous NICs to protect against failure of internal components of the NIC, which is not the case with a single NIC with dual ports.

8

a and b. Servers in the Data Center module may reach storage devices with the iSCSI protocol over TCP/IP or via Fibre Channel using HBAs. It is not common for intranet servers to communicate with storage devices via web access.

9

d and e. Switches in the E-Commerce module are deployed to interconnect servers and storage devices and to switch traffic between edge routers and the rest of the module.

10

a. The best Cisco solution for this small company involves a small-scale network design consisting of Catalyst 3560s because these switches support inline power and work well as both access layer and distribution layer switches.

11

b. Because of the large size of the corporate network and the growth projections, a large-scale network design with Catalyst 6500 in every module is the best choice for the listed requirements.

12

c. The best Cisco solution for this network is a medium-scale network. The company has only 1000 employees but requires a vast storage infrastructure with moderate bandwidth requirements. For such large storage requirements, a SAN works best for this network.

13

Layer 3 routing in the distribution layer is needed in all medium-sized and large networks. Layer 3 routing in the distribution layer is quickly becoming an important design criterion for all networks.

14

SANs integrate into the Campus Infrastructure module when using FCIP to connect remote SANs by tunneling Fibre Channel over TCP/IP, or when using iSCSI to let IP-attached hosts reach storage devices over the IP network (through an iSCSI gateway for Fibre Channel targets).

Chapter 3

1

True. Telnet sends passwords in clear-text. Use SSH instead of Telnet for in-band access.

2

False. Layer 3 switches configured for routing may use a gateway of last resort and routing protocols to reach remote subnets.

3

True. Despite major attempts by hardware and software manufacturers and standards organizations, hackers always seem to find new vulnerabilities in protocols and features.

4

False. Default gateways are necessary only for Layer 2–only switches or Layer 3 switches with IP routing disabled. Layer 3 switches with routing enabled use the IP routing table to reach non-local subnets.

5

True. TFTP is neither a reliable nor a secure protocol for transferring images to and from Catalyst switches.

6

b. The no shutdown command administratively enables an interface.

7

c and d. The show ip interface brief and show interface status commands display a port’s link state.

8

e. The only listed file system not supported in any Catalyst switch is the NFS file system.

9

d. The Catalyst 6500 with a Supervisor Engine 720 with MSFC3 and PFC3 uses a unique prefix for the Cisco IOS Software image of s72033.

10

a and c. Both the undebug all and no debug all commands immediately disable all running debugs.

11

b and c. The rollover cable and the straight-through cable are the only cable types used on Catalyst switch console ports depending on platform and console port settings. Legacy Catalyst switches such as the Catalyst 1900 used a null modem cable for console port connectivity.

12

The strings public and private are commonly used as the default read-only and read-write community strings, and they are the first values an attacker tries. Recommended practice is to use SNMPv3 with authentication and privacy; if SNMPv3 is not an option, change the community strings, restrict them with an access list, and avoid read-write access where possible.

13

The default console baud rate is 9600, and it can be changed. If 9600 baud does not work when connecting to a Cisco router, switch, or device, attempt to use a baud rate of 38400 instead. Occasionally, a higher baud rate is configured for special debugging purposes so that verbose debug output is not slowed by the console.

14

The show module command shows the hardware modules installed in a Cisco Catalyst switch.

15

The show tech command is generally required for all Cisco TAC cases.

16

Both the dir device and the show flash commands illustrate the contents of the IFS and the remaining space available.

17

The show version command displays the current software version and the uptime of a switch.

18

The copy running-config startup-config command saves the running configuration to NVRAM.

19

The copy ftp disk0: command copies an image from an FTP server to the disk0:. Note that Cisco IOS requires global configuration of the FTP username and password prior to executing this form of the command.

20

The copy tftp: running-config command copies a configuration file from TFTP and merges it with the running configuration.

Chapter 4

1

False. ISL trunking doesn’t require the same Native VLAN because it encapsulates all the VLANs, including the Native VLAN.

2

False. The Catalyst 6500 family of switches supports up to 4094 VLANs in recent Cisco IOS Software versions.

3

False. If you remove VLAN 1 from the trunk, the trunk still carries CDP, PAgP, and DTP on VLAN 1; only the data traffic for VLAN 1 is removed.

4

False. All members of the same community pVLAN can communicate with one another.

5

False. Switches can add or delete VLANs only in the VTP server or transparent mode.

6

False. Token Ring support is available starting in VTP version 2.

7

a. Native VLAN is always 1 by default in Cisco IOS.

8

d. The interface is manually configured for 802.1Q trunking.

9

c. The interface is a member of access VLAN and may negotiate to a trunk port.

10

b. VLAN 2 is the trunk native VLAN based on the configuration shown in Example 4-32.

11

c. The interface can negotiate to become a trunk port if the peer interface is configured for dynamic, desirable, or trunk.

12

a. VLAN 1 is the access mode VLAN as indicated by the access mode VLAN output in configuration Example 4-32.

13

b. One of the benefits of implementing VLANs is that doing so constrains broadcast traffic.

14

a and c. Local VLANs, typically used in the Building Access submodule, are easier to manage and conceptualize than VLANs that span different areas of the network.

15

b. Switch(vlan)# indicates that the switch is in the VLAN database configuration mode of Cisco IOS.

16

a. Access ports do not listen to or send DTP packets.

17

a. ISL-encapsulated frames carry a second 4-byte FCS field at the end of the encapsulated frame. This field contains a 32-bit CRC computed over the ISL header and the original frame.

18

b. 802.1Q trunking adds a tag in the standard Layer 2 Ethernet header after the SA (source MAC address) field and before the Type (ethertype) field.

19

c. The switchport trunk encapsulation isl command is used to configure trunks for ISL encapsulation.

20

d. The command switchport trunk native vlan vlan-id is used to configure the native VLAN when an interface is operating as a trunk.

21

a and e. Trunks are only established between link partners operating in auto trunk or dynamic desirable modes.

22

c. All Cisco Catalyst products operate in VTP server mode by default.

23

d. In VTP version 2, the switch performs consistency checks on new information entered through CLI or SNMP.

24

d. The vtp version 1 or no vtp version 2 command can be used to configure VTP version 1 in Cisco IOS.

25

b, c, and d. VTP versions 1 and 2 support server, client, and transparent mode.

26

a. The show vtp status command is the command to verify the VTP configuration in Cisco IOS.

27

d. The vtp password password-string command is used to configure or change VTP passwords.

28

VTP pruning uses VLAN advertisements to determine when a trunk connection is flooding traffic needlessly.

29

pVLANs provide security and reduce the use of IP subnets by isolating traffic between the end stations even though they are in the same VLAN.

30

If workstations A and B are members of the same community pVLAN, they can communicate with each other, but they cannot communicate if each workstation is a member of a different community pVLAN or a member of the same isolated pVLAN. In any case, all ports that are members of either isolated or community pVLANs can communicate with promiscuous ports.

Chapter 5

1

False. If redundant paths exist, a Layer 2 loop will occur if STP is disabled. STP prevents loops in such scenarios by blocking redundant paths, providing a single, loop-free topology.

2

False. If you have only a few VLANs, the amount of CPU resource usage saved with MST is not significant enough to warrant changes from default STP mode.

3

False. Secondary root bridges typically have a higher bridge priority than the primary root bridge.

4

a. The lowest bridge priority possible is zero and hence is the best possible bridge priority for a root switch.

5

e. The show spanning-tree root Cisco IOS command shows the root bridge information for all VLANs configured on a switch.

6

b. The spanning-tree vlan vlan-id root primary command configures a distribution switch to be the primary root switch.

7

c. Refer to Figure 5-22. RSTP has three operational states: discarding, learning, and forwarding.

8

b. STP operates on Layer 2 of the OSI model and operates independent of the upper-level protocols.

9

e. The time it takes for the proposal and agreement to be exchanged between the two switches on a link is less than 1 second.

10

d. The default message interval for BPDUs in RSTP remains at 2 seconds, identical to the 802.1D hello interval. The hello interval can be modified by a CLI command.

11

Bridge A is elected root because it has a lower MAC address compared to the other switches with equal priority values.

12

The port on root bridge A would be the designated port. The designated port is the port sending the best BPDU on a segment. Because root bridge A has the best BPDU, its port would act as the designated port.
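The election described in questions 11 and 12 (lowest priority, then lowest MAC, wins the root election; the bridge sending the best BPDU on a segment owns the designated port) is worked through below in Python. This is an added example and not code from the book; the bridge names, MAC addresses, and Fast Ethernet path costs of 19 are constructed for the illustration.

```python
import heapq


def bridge_id(priority, mac):
    """Bridge ID as STP compares it: priority first, then MAC; numerically lower wins.
    802.1t restricts the configurable priority to multiples of 4096 (0 is the best)."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("bridge priority must be 0..61440 in steps of 4096")
    return (priority, int(mac.replace(".", "").replace(":", ""), 16))


def elect_root(bridges):
    """bridges: {name: (priority, mac)}. Returns the name of the root bridge."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def root_path_costs(root, links):
    """Dijkstra over segment costs. links: [(bridge_a, bridge_b, cost), ...].
    Returns {bridge: root path cost}, i.e. the cost each bridge advertises in its BPDUs."""
    adj = {}
    for a, b, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue
        for nxt, cost in adj.get(node, []):
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                heapq.heappush(heap, (nd, nxt))
    return dist


def designated_bridges(bridges, links):
    """For every segment, the bridge whose port becomes designated: the one sending
    the best BPDU there (lowest root path cost, then lowest bridge ID).
    The root's own ports always win because its root path cost is 0."""
    root = elect_root(bridges)
    cost = root_path_costs(root, links)
    designated = {}
    for a, b, _ in links:
        designated[(a, b)] = min((a, b), key=lambda n: (cost[n], bridge_id(*bridges[n])))
    return root, designated


# Constructed topology: three bridges at the default priority, fully meshed over Fast Ethernet.
SAMPLE_BRIDGES = {
    "A": (32768, "0000.0c00.000a"),
    "B": (32768, "0000.0c00.000b"),
    "C": (32768, "0000.0c00.000c"),
}
SAMPLE_LINKS = [("A", "B", 19), ("B", "C", 19), ("A", "C", 19)]

if __name__ == "__main__":
    root, designated = designated_bridges(SAMPLE_BRIDGES, SAMPLE_LINKS)
    print("root:", root)                       # A: equal priorities, lowest MAC
    for segment, bridge in designated.items():
        print(segment, "designated port on", bridge)
```

Adding a fourth bridge with priority 4096 to the same topology moves the root to it regardless of MAC addresses, which is exactly why an attacker sending BPDUs with priority 0 can become root on an unprotected port (see the Root Guard and BPDU Guard answers in Chapter 6).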

13

The primary root switch needs to be centrally located in the network with enough switching capacity to accommodate all the packets that need to pass through the root switch between different building distribution and access layer switches. In addition, the CPU power of the primary root switch needs to be sufficiently high to handle all functions needed.

Chapter 6

1

False. You should enable the PortFast feature only on host ports. Enabling PortFast on ports connected to switching devices can cause bridging loops.

2

False. Loop Guard and UDLD aggressive-mode are complementary features and could both be enabled on the same interface.

3

True. STP actually tries to prevent bridging loops. If STP is disabled, you would always see a bridging loop if there are redundant paths or there is a physical loop in the network. If there is no redundancy in the network, then a bridging loop will not occur.

4

d. Without BackboneFast enabled, switches take 50 seconds to change to the forwarding state. This is in part because during the first 20 seconds (equal to max age), the switch ignores the inferior BPDU from the connected switch.

5

c. UplinkFast is the feature used to detect and recover from direct link failures.

6

a. PortFast must be enabled for BPDU Guard to work.

7

e. With UplinkFast enabled, the switch will start forwarding traffic over the backup link typically in less than 1 second.

8

a. The port unblocks and moves through the STP transition after it stops receiving superior BPDUs.

9

a. BPDU filtering stops the switch from sending BPDUs out the PortFast-enabled port (and, when configured on the interface, from processing received ones), which effectively disables STP on that port; hence, it is recommended that the feature be enabled, if needed, only on host ports to prevent STP loops or undesired behavior.

10

c. Rebooting the root switch or secondary root switch is not a recommended activity when troubleshooting STP issues or Layer 2 issues. Rebooting a switch results in the loss of statistics or syslog data stored on that switch. Identifying the root cause of any issue after a reboot is difficult.

11

e. The correct command to enable STP events debugging is the debug spanning-tree events command.

Chapter 7

1

False. Aggressive mode UDLD has additional benefits: it detects unidirectional conditions when one side of the link is up and the other side is down, and it detects situations where a link remains up but the port stops communicating because of a software or hardware anomaly.

2

False. LACP is the implementation of the IEEE 802.3ad link aggregation protocol; hence, LACP can be used to form an EtherChannel between Catalyst switches and non-Cisco devices. PAgP, on the other hand, can only be used between Cisco switches and the few NIC vendors to which Cisco has licensed PAgP.

3

c. The IEEE version of the port channeling protocol, 802.3ad, is referred to in Cisco Catalyst switches as LACP.

4

b. UDLD operates at Layer 2 of the OSI model because it exchanges frames between neighbors; it complements the Layer 1 mechanisms (such as autonegotiation) that detect the physical status of a link.

5

d. The maximum default size of Ethernet frames, including the Ethernet header and CRC (FCS), is 1518 bytes.

6

b. The 802.1Q tag is 4 bytes in length; along with the standard Ethernet frame size of 1518 bytes, the total frame size of an 802.1Q tagged frame is 1522 bytes.

7

e. The size of CRC (FCS) in 802.3 Ethernet is 4 bytes. The total header plus CRC overhead is 18 bytes. The maximum payload or data portion of an Ethernet frame is 1500 bytes.
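The frame arithmetic in questions 5 through 7 (18 bytes of header plus FCS, 1500 bytes of payload, 1518 bytes maximum, 1522 with an 802.1Q tag), together with the tag placement from Chapter 4 question 18 and the CoS bits from Chapter 1 question 6, can be checked by actually building the frames. The following Python is an added example, not code from the book: it assembles an Ethernet II frame with a real CRC-32 FCS, inserts an 802.1Q tag after the SA field, and parses the result the way a switch would. The MAC addresses and payload are constructed.

```python
import struct
import zlib

TPID_8021Q = 0x8100
MAX_PAYLOAD = 1500      # largest Ethernet data field
ETH_HDR_LEN = 14        # DA (6) + SA (6) + Type (2)
FCS_LEN = 4             # CRC-32 trailer; header + FCS overhead is 18 bytes
TAG_LEN = 4             # TPID (2) + TCI (2)


def _fcs(body):
    # Ethernet transmits the CRC-32 least-significant byte first.
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst, src, ethertype, payload):
    """Build an untagged Ethernet II frame: DA, SA, Type, data, FCS."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds the 1500-byte maximum")
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + _fcs(body)


def add_8021q_tag(frame, vid, cos=0, dei=0):
    """Insert the 4-byte 802.1Q tag after the SA field and recompute the FCS."""
    body, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    if _fcs(body) != fcs:
        raise ValueError("refusing to tag a frame with a bad FCS")
    if not 0 <= vid <= 4094:
        raise ValueError("VID must be 0..4094 (4095 is reserved)")
    tci = ((cos & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0xFFF)   # PCP/CoS, DEI, VID
    tag = struct.pack("!HH", TPID_8021Q, tci)
    tagged = body[:12] + tag + body[12:]
    return tagged + _fcs(tagged)


def parse_frame(frame):
    """Return what a switch reads from the frame: addresses, CoS and VID if tagged,
    the Ethertype, the payload, and whether the FCS verifies."""
    body, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    info = {"dst": body[0:6], "src": body[6:12], "fcs_ok": _fcs(body) == fcs,
            "tagged": False, "cos": None, "vid": None}
    offset = 12
    (ethertype,) = struct.unpack("!H", body[offset:offset + 2])
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", body[offset + 2:offset + 4])
        info.update(tagged=True, cos=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0xFFF)
        offset += TAG_LEN
        (ethertype,) = struct.unpack("!H", body[offset:offset + 2])
    info["ethertype"] = ethertype
    info["payload"] = body[offset + 2:]
    return info


# Constructed sample: a maximum-size IPv4 frame from a host to its default gateway.
SAMPLE_DST = bytes.fromhex("00000cbb000a")
SAMPLE_SRC = bytes.fromhex("00000c000012")
UNTAGGED = build_frame(SAMPLE_DST, SAMPLE_SRC, 0x0800, b"\x45" + b"\x00" * 1499)
TAGGED = add_8021q_tag(UNTAGGED, vid=100, cos=5)

if __name__ == "__main__":
    print(len(UNTAGGED), len(TAGGED))                       # 1518 1522
    print(parse_frame(TAGGED)["cos"], parse_frame(TAGGED)["vid"])
```

The tagged maximum-size frame is 1522 bytes, which is why a switch that counts 1518 as the limit reports such frames as baby giants. The CoS field parsed here is what a port configured to trust CoS believes without further checks, which is the reason Chapter 10 treats the trust boundary as a policy decision.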

8

d. The default message interval setting of UDLD is 15 seconds, and detection of an UDLD condition is three times the message interval.

9

d. The desirable mode of operation belongs exclusively to Cisco EtherChannel using PAgP.

10

Aggressive mode UDLD offers additional benefits over UDLD, as described in Table 7-6.

11

c. The default recovery time is 300 seconds.

12

d. Route flap is not an error condition that the error-disable feature would act upon.

13

d. IEEE 802.3 (the 802.3x PAUSE mechanism) defines the standard flow control protocol followed between two devices when the receive buffer of the downstream switch is congested.

14

CDP sends various information about the sending device as described in the “CDP” section of this chapter, such as the IP addresses of the sending interface, routing or switching platform type, software version, and so on. This information, when exchanged on a public interface, could divulge enough information for an attacker to attack this device with traffic destined to management addresses or exploit any known software vulnerabilities existing in the Cisco IOS version. Hence, it is strongly recommended to turn off CDP on public interfaces.

Chapter 8

1

False. A routed port is a Layer 3 interface similar to interfaces on Cisco IOS routers, whereas an SVI is a virtual VLAN (Layer 3) interface.

2

True. Multilayer switches use hardware switching to route and switch frames. Hardware switching achieves line-rate performance.

3

True. Routers can forward DHCP requests across Layer 3 boundaries using the DHCP relay agent feature.

4

a. Hosts on VLAN 20 can communicate with the hosts on VLAN 10 if both have the proper default gateway defined.

5

b. If a host that resides in VLAN 20 doesn’t have a default gateway set to 200.1.1.1, the response packets from the host on VLAN 20 will be dropped because the host does not know where to send the packets.

6

c. The command switchport enables an interface for Layer 2 switching. To change an interface from a Layer 2 interface to a Layer 3 interface, use the command no switchport.

7

a. Use the ip routing command to enable routing on Cisco Catalyst switches.

8

With BVIs, routable traffic is routed across Layer 3 interfaces and bridge-groups, whereas local and nonroutable traffic is bridged among multiple routed domains or VLANs within the same bridge-group. This configuration creates a large, single spanning-tree domain across multiple VLANs. This type of practice complicates spanning-tree troubleshooting and may adversely affect the performance, scalability, and availability of the network.

9

DHCP is a client-server application, in which the DHCP client contacts a DHCP server for configuration parameters using a broadcast request. If a client is in a different subnet than a server, the broadcast is forwarded using the DHCP relay agent feature by the local router or multilayer switch.

10

b and c. The ip helper-address feature forwards, by default, UDP broadcasts for TFTP, DNS, Time, NetBIOS name service, NetBIOS datagram service, TACACS, and BOOTP, in addition to DHCP.

Chapter 9

1

False. CEF-based MLS Catalyst switches prepopulate IP CEF FIB and adjacency tables in hardware.

2

True. Distributed switching uses multiple forwarding engines, where the sum of all forwarding engines is the total available bandwidth of the switch.

3

b. Punt adjacencies are used to send frames requiring special handling to the Layer 3 engine.

4

c. The TCAM mask associated with the access list is 16 bits of the source address because the remaining 16 bits are wildcard bits.

5

d. Because the IP routing table and the ARP table build the CEF FIB and adjacency tables, respectively, those tables should be verified as a first step in troubleshooting issues with CEF-based MLS.

6

a. CEF-based MLS Catalyst switches use the IP CEF FIB and adjacency tables to build FIB and adjacency tables in TCAM for hardware switching. CEF-based MLS does not use the IP routing or ARP tables directly to build the FIB and adjacency tables in hardware, nor is CEF-based MLS an on-demand technology.

7

See the section entitled “Sample CEF-Based MLS Operation” earlier in Chapter 9.

Chapter 10

1

True. Classify and mark traffic as close to its source as possible, preferably at the access layer, so that upstream devices can trust the markings and end hosts cannot set their own priority.

2

False. RED, WRED, and tail drop are congestion-avoidance QoS features.

3

d. The mls qos cos 1 command sets the port's default CoS to 1; the switch assigns that CoS to untagged ingress frames (and to all ingress frames when mls qos cos override is also configured on the interface).

4

d. It is an administrative configuration where Layer 2 or Layer 3 priority designations of frames are either accepted or not.

5

b. Marking only the video-related frames from the server using an ACL would be the best method to prioritize only video traffic from the server.

6

b. IntServ works by deploying QoS mechanisms end-to-end by allocating bandwidth specifically from network resources.

7

a. Shaping is a better choice for TCP traffic.

8

b. It is pointless to buffer VoIP because it is extremely delay sensitive; policing is the obvious choice for conditioning VoIP traffic.

9

b. Because the switch is configured for trusting DSCP and the switch is using the default mapping tables, the internal DSCP is 46.

10

c. Because the switch is configured for trusting CoS, the switch maps the ingress CoS value to an internal DSCP using the CoS-to-DSCP mapping table. By default, an ingress CoS value of 5 maps to an internal DSCP value of 40.

11

d. Because the switch interface is untrusted, the switch associates all incoming frames with an ingress CoS and DSCP value of 0. As a result, the internal DSCP is 0.

12

b. The police 1536000 20000 exceed-action drop command defines the action to be taken by the switch for the respective class of traffic.

13

a. For packets that conform to the policing rate, the switch transmits the packets. For packets that do not conform to the policing rate, the switch drops the packets.
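Questions 9 through 13 describe two separate ingress decisions: how the trust state turns a frame's own markings into an internal DSCP (trust dscp keeps 46, trust cos maps CoS 5 to 40 through the default CoS-to-DSCP table, an untrusted port ignores the markings), and how a single-rate policer decides conform versus exceed. The Python below is an added example, not code from the book, and models both with the default Catalyst mapping tables; the policer is a plain token bucket with the 1536000 bps rate and 20000-byte burst from question 12, and the packet sizes and timings are constructed.

```python
COS_TO_DSCP = [0, 8, 16, 24, 32, 40, 48, 56]   # default Catalyst CoS-to-DSCP map


def dscp_to_cos(dscp):
    """Default DSCP-to-CoS map: the three class-selector bits of the DSCP."""
    return dscp >> 3


def internal_dscp(trust, cos=None, dscp=0, port_default_cos=0):
    """Internal DSCP a Catalyst assigns on ingress.
    trust is 'dscp', 'cos' or None (untrusted); cos is None for an untagged frame."""
    if trust == "dscp":
        return dscp
    if trust == "cos":
        return COS_TO_DSCP[cos if cos is not None else port_default_cos]
    return COS_TO_DSCP[port_default_cos]   # untrusted: the host's markings are ignored


class SingleRatePolicer:
    """Token bucket: rate_bps bits per second refill, burst_bytes bucket depth.
    Conforming packets are transmitted; exceeding packets get exceed_action."""

    def __init__(self, rate_bps, burst_bytes, exceed_action="drop"):
        self.rate_bytes = rate_bps / 8.0
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last = 0.0
        self.exceed_action = exceed_action

    def offer(self, size, now):
        """Decide one packet of `size` bytes arriving at time `now` (seconds)."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate_bytes)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return "transmit"
        return self.exceed_action


def policer_demo():
    """Constructed burst: 15 maximum-size packets at t=0, then two more 10 ms later.
    The 20000-byte bucket admits 13 x 1500 bytes; 10 ms of refill at 192000 B/s
    adds 1920 bytes, enough for exactly one more packet."""
    pol = SingleRatePolicer(1536000, 20000)
    decisions = [pol.offer(1500, 0.0) for _ in range(15)]
    decisions += [pol.offer(1500, 0.01) for _ in range(2)]
    return decisions


if __name__ == "__main__":
    print(internal_dscp("dscp", cos=5, dscp=46))   # 46
    print(internal_dscp("cos", cos=5, dscp=46))    # 40
    print(internal_dscp(None, cos=5, dscp=46))     # 0
    print(policer_demo())
```

The untrusted case is the security-relevant one: a host that marks its own traffic EF (DSCP 46, CoS 5) gets DSCP 0 at an untrusted port, so it cannot starve voice traffic of the priority queue.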

Chapter 11

1

True. The default maximum response time advertised in IGMPv2 membership queries is 10 seconds (the query interval itself defaults to 60 seconds on Cisco routers).

2

False. IGMPv1 does not support host membership leave messages.

3

True. Multicast IP addresses are in the range of 224.0.0.0 to 239.255.255.255.

4

False. Every IPv4 multicast group address maps to a MAC address that begins with 0x01-00-5E, but the mapping copies only the low-order 23 bits of the group address into the MAC address, so 32 different groups share each MAC address. A NIC or switch that filters on the MAC address alone therefore receives frames for all 32 groups.
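The mapping described in questions 3 and 4 is short enough to implement and check. This Python is an added example, not code from the book: it derives the multicast MAC for a group and enumerates the 32 groups that collide on it, using the 224.2.125.254 group from questions 5 through 7 as a constructed sample.

```python
import ipaddress

MCAST_MAC_PREFIX = 0x01005E   # 01-00-5E, followed by one bit fixed at 0 and 23 address bits


def multicast_ip_to_mac(group):
    """Map an IPv4 multicast group to its Ethernet MAC address (RFC 1112 style)."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not in 224.0.0.0/4")
    low23 = int(addr) & 0x7FFFFF                      # only 23 bits of the group survive
    mac = (MCAST_MAC_PREFIX << 24) | low23
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def groups_sharing_mac(group):
    """All 32 multicast groups that map to the same MAC as `group`.
    Bits 31..28 are fixed (1110), bits 27..23 are discarded by the mapping."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | low23)) for i in range(32)]


if __name__ == "__main__":
    print(multicast_ip_to_mac("224.2.125.254"))      # 01:00:5e:02:7d:fe
    print(groups_sharing_mac("224.2.125.254"))       # 224.2.125.254, 224.130.125.254, 225.2.125.254, ...
```

The collision list is the practical point for IGMP snooping and for host NIC filters: a receiver that joins 224.2.125.254 also receives frames for 239.130.125.254 at Layer 2, and the final filtering has to happen on the IP destination.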

5

b. The group 224.2.125.254 is learned via PIM sparse mode, as indicated by the presence of an RP and the flag S.

6

d. The IP address of the RP for group 224.2.125.254 is 10.69.100.13.

7

c. There are six sources for multicast group 224.2.125.254, as shown by the (S, G) entries listed under the (*, 224.2.125.254) entry.

8

b. IP multicast sends packets from the source to specific groups of hosts that registered through IGMP.

9

b. Source trees have the advantage of creating the optimal path between the source and the receivers but maintain large databases of source and group mappings.

10

c. PIM sparse mode is not based on flooding, and it is optimal for multilayer switched networks when trying to conserve bandwidth where hosts are widely spread across the network.

11

c. IGMPv3 is the only IGMP version to support source filtering.

12

c. A switch running IGMP snooping must examine every multicast data packet to determine whether it contains any pertinent IGMP control information. If IGMP snooping were implemented on a low-end switch with a slow CPU, this could have a severe performance impact when data is transmitted at high rates due to increase in latency.

13

c. PIM sparse-dense mode is the preferred method, because it works in dense mode if there is no RP present for a specific group.

14

c. BSR is used to automate the RP distribution in a multicast network with the fault-tolerant automated discovery method.

15

b. Use show ip mroute to see the multicast routing table.

16

a and c. Auto-RP and BSR are the two mechanisms used to automate the distribution of RP in sparse mode.

17

c. Only in PIM sparse mode do you have to manually specify the RP on each router in the network.

18

a. IGMP snooping looks for IGMP leave and join messages sent between hosts and the first-hop multicast router.

Chapter 12

1

True. SRM on hybrid mode Catalyst 6500 switches allows configuration only on the designated MSFC. Configuration is possible in both designated and nondesignated MSFCs in dual-router mode.

2

False. Redundancy within network devices alone does not guarantee that there is no single point of failure. A combination of device redundancy, link redundancy, and design redundancy is necessary for a highly available network.

3

False. VRRP allows only one master router in a VRRP group. Only GLBP allows the simultaneous use of multiple available gateways.

4

c. The standby router takes 10 seconds to detect active router failure in HSRP. This value is equal to the holdtime value.

5

b. The default advertisement time for the VRRP master router is 1 second.

6

d. Valid SLB redirection modes are directed mode and dispatched mode.

7

a. The GLBP default load-balancing method is round-robin. Weighted and host-dependent are two other methods available for load balancing. Dispatched and directed are two SLB redirecting modes and do not relate to GLBP.

8

a. Four routers can act as forwarding gateways in a GLBP group.

9

b. Expected failover time on the Catalyst 6500 family of switches with the NSF with SSO feature is about 0 to 3 seconds.

10

e. RIP is not a supported routing protocol of NSF.

11

d. Catalyst 4500 in SSO mode provides for subsecond switchover.

Chapter 13

1

False. Deploying QoS is highly recommended in multilayer switched networks, regardless of interface bandwidth.

2

b and c. Voice VLANs separate workstation (data) traffic and IP phone (voice) traffic into separate VLANs. This separation of data and voice traffic also aids in troubleshooting.

3

b. In Example 13-2, the switch is configured for an access VLAN of 2. Therefore, the switch associates the received frames with VLAN 2 and transmits frames to the workstation without an 802.1Q VLAN tag, because VLAN 2 is the access VLAN.

4

b. VLAN 2 is configured as the access VLAN.

5

b. VoIP uses UDP because a retransmission of a VoIP packet is not necessary, as the voice frame is no longer important by the time of retransmission, and UDP has slightly less overhead.

6

a. Although answer b appears to be the correct answer, there is no specific mechanism in the configuration to strictly trust CoS of attached IP phones.

7

d. 802.1Q frame tagging is used to distinguish voice VLAN traffic from the native VLAN.

8

c. Voice traffic is marked at Layer 3 using DSCP values.

9

c. The STP PortFast feature, enabled on a per-port basis, speeds availability of a Cisco IP Phone after reboot because the Catalyst switch ports move immediately into the forwarding state, allowing frames to pass faster than if the feature were not enabled. See Chapters 5 and 6 for more details on the STP PortFast feature.

10

a and c. A-UDLD and QoS are required in every submodule of the Enterprise Composite Network Model for IP telephony deployments. HSRP and VRRP are specific to Layer 3 routing, and spanning-tree features are specific to Layer 2 regions.

Chapter 14

1

False. SNMP version 3 is the only SNMP version that authenticates users and encrypts messages (authPriv); SNMPv1 and SNMPv2c send community strings in clear text.

2

True. The 802.1X access control feature is a standards-based feature that supports centralized management via RADIUS.

3

False. DHCP snooping trust is enabled only on ports connected to a legitimate DHCP server or on uplink ports toward the distribution switch (the path to the DHCP server); all other ports stay untrusted so that DHCP server replies from hosts are dropped.

4

e. Remote access to switches is necessary for troubleshooting and management purposes regardless of security concerns; the answer is to secure that access (SSH rather than Telnet, AAA, and access lists on the vty lines) rather than to forgo it.

5

b. The aaa new-model command configures Catalyst switches to enact AAA configurations.

6

c. The if-authenticated option makes authorization succeed for a user who has already been authenticated by AAA, so it is typically listed as a fallback method after the RADIUS or TACACS+ server.

7

d. The desirable state is not a valid 802.1X port authorization state.

8

b. DHCP snooping is required for DAI to function.

9

b. Turning off trunk negotiation can prevent a single tag VLAN hopping attack.

10

a. Port security will prevent MAC address spoofing, assuming that the proper configuration has been made.

11

c. IPSG is similar to uRPF, but for Layer 2 interfaces, IPSG requires DHCP snooping or manual bindings to work.

12

b, c. QACLs (through service policy) and PACLs can be applied to Layer 2 interfaces. RACLs are applied to Layer 3 interfaces only, and VACLs are applied to entire VLANs.

13

c. DAI (Dynamic ARP Inspection) is used to prevent ARP spoofing attacks.

14

True. Sticky port security features allow the switch to dynamically secure a MAC address and simultaneously store the MAC address as part of the running configuration. The administrator can just save the configuration to permanently secure that address on the learned ports. Without this feature, the administrator has to manually enter the MAC address as part of the port security configuration, a laborious task in a large network.

15

c. NAC (Network Admission Control) is used to prevent infected hosts from joining the network. The infected host is put in a remediation VLAN, where the host can secure the necessary virus patches to clean itself.

Chapter 15

1

True. The Catalyst 3560 family of switches does offer Layer 3 functionality using the EMI software releases.

2

False. The Catalyst 2960 family of switches does offer QoS features, such as ingress classification, policing, marking, and egress scheduling and queuing.

3

False. The Catalyst 4500 family of switches does not support WAN interfaces.

4

c. BGP is not supported in the Cisco IOS IP base feature set on the Catalyst 3560 family of switches.

5

d. Catalyst 4500 Supervisor Engine V-10GE supports up to 108 Mpps of forwarding rate with a 136-Gbps switching fabric.

6

d. Catalyst 4500 supports redundancy on the 4507R and 4510R chassis.

7

e. Supervisor Engine 720 can reside in slot 7 or 8 on the Catalyst 6513 chassis.

8

c. The maximum forwarding rate of Catalyst 6500 with Supervisor Engine 720 with all distributed 720-Gbps fabric-enabled cards is about 400 Mpps.

9

b. If all modules in the Catalyst 6500 switch are fabric enabled, the fabric operates in compact mode. If all the fabric-enabled modules are equipped with DFC-enabled line cards, then the system would operate in dCEF mode.

10

d. As many as nine Catalyst 3750 switches can exist in a stack. A Catalyst 3750 can also operate as a standalone switch.

11

b. The Catalyst 3750 utilizes the Cisco StackWise technology to stack up to 9 switches together.

12

d. The WS-SVC-NAM-2 (Network Analysis Module) provides integrated packet monitoring up to the application layer level.

Chapter 16

1

False. CWDM solutions do not support amplification.

2

a, b. Internal 50-ms failover mechanisms and general availability through service providers are advantages to using SONET, which is very expensive in implementing new core equipment and does not natively support load balancing.

3

e. SONET base signal, STS-1, operates at 51.84 Mbps.

4

c. Transponders for current DWDM systems convert optical signals from the 850-nm or 1310-nm bands into the 1550-nm band.

5

c. Ethernet over SONET and Ethernet over DWDM do not support statistical multiplexing.

6

b. CWDM does not support amplification and thus is limited to 100 km with a 30-dB fiber budget.

Chapter 17

1

c. The default direction of traffic capture in a SPAN session is both ingress and egress.

2

b. Only one destination port is allowed for local SPAN.

3

c. The destination port needs to be configured as a trunk port to be able to receive multiple VLAN packets and to distinguish the various VLAN packets.

4

d. The IPS is typically connected to the destination port. Upon detection of an intrusion, the IPS may take actions to stop the attack and send alarms. For the IPS to perform the function, the inpkts option for Cisco CatOS–based switches or the ingress vlan option for Cisco IOS–based switches needs to be enabled.

5

False. The RSPAN VLAN carries only RSPAN traffic; hence, user ports can be configured for that VLAN.

6

a. The show ip command can be used to verify the status of the HTTP server.

7

d. If the sniffer device is not in the same location as the switch being monitored, RSPAN could be used so that monitored traffic is switched to the location where the sniffer device is available.

8

c. L2 traceroute can use the IP address as an argument to identify the port of the server if the server is connected to the same VLAN as the sc0 interface in Cisco CatOS–based switches or in the same subnet as SVIs defined on the Cisco IOS–based switches. Otherwise, the administrator needs to know the MAC address of the server to be used with L2 traceroute. The MAC address is typically obtained from the ARP table of the default gateway.

9

c. The Catalyst 6500 NAM is a built-in module on the switch that can be configured easily to gather information such as top talkers, conversation statistics, and so on, as desired by the network administrator.

10

e. The Cisco IOS command to configure VSPAN with the source as VLAN 10 in the receive direction only is monitor session 1 source vlan 10 rx.

11

d. The Cisco IOS command to configure RSPAN with the source as RSPAN VLAN 10 is monitor session 1 source remote vlan 10.

12

e. The Cisco IOS command to configure RSPAN with the destination as RSPAN VLAN 10 is monitor session 1 destination remote vlan 10.

13

c. GRE is the encapsulation method used in the ERSPAN feature.

14

b. TCL scripting language is supported with the EEM feature.

Chapter 18

1

DSSS stands for Direct Sequence Spread Spectrum.

2

Wireless mostly uses 2.4 GHz for 802.11b and 802.11g and 5 GHz for 802.11a.

3

Bluetooth falls under the personal-area network (PAN) technology group.

4

Carrier sense multiple access with collision avoidance (CSMA/CA) is used in wireless to avoid collisions.

5

Environmental factors such as reflections, refractions, and diffractions can degrade a signal between the transmitter and receiver and cause multipath interference.

6

Privacy is addressed by 802.11 by an optional service called Wired Equivalent Privacy (WEP).

7

Japan permits all 14 channels within the 2.4-GHz spectrum.

8

A lightweight AP receives control and configuration from a WLAN controller to which it is associated.

9

The Cisco Unified Wireless Network addresses the deployment, management, and RF challenges associated with building business-critical WLANs.

10

Wireless networks have two main implementation categories: WLANs (in-building or mesh) and wireless bridges (building-to-building).

11

Independent (ad hoc) and infrastructure are the two BSS modes.

12

dBi is the gain that a given antenna has over a theoretical isotropic (point source) antenna.

13

A 3-dB loss will reduce 100 mW by half for a new result of 50 mW.

14

The three antenna types are omnidirectional, semidirectional, and highly directional.

15

A channel reuse plan is required in the 2.4-GHz spectrum because only three nonoverlapping channels exist: 1 (2412 MHz), 6 (2437 MHz), and 11 (2462 MHz).

16

Only one bridge in a WLAN can be set as the root bridge.

17

Twenty users for 2.4-GHz 802.11g is the best practice based on general office users limited by bandwidth.

18

Inline power, or Power over Ethernet (PoE), provides source operating current from the Ethernet port, over the Category 5 cable.

19

True. Lightweight APs can be managed with Cisco WLAN controllers and the Cisco Wireless Control System (WCS).

20

The two methods employed to discover APs are passive and active scanning.

21

Temporal Key Integrity Protocol (TKIP) and Message Integrity Check (MIC) are both elements of the Wi-Fi Protected Access (WPA) standard, which is intended to secure a system against all known WEP key vulnerabilities.

22

The Cisco Compatible Extensions (CCX) program helps to ensure that client devices from a variety of suppliers can leverage Cisco-based WLANs.

23

Dynamic interfaces, also known as VLAN interfaces, are created by users and are designed to be analogous to VLANs for WLAN clients.

24

To display basic 802.11a options and settings, use the show 802.11a command.
