Appendix A

Answers to the “Check Your Understanding” Questions

Chapter 1

1. C. Interface VLAN 1 is the default management SVI.

2. A and B. The default Switch> prompt typically appears after a switch boots normally but does not have, or has failed to load, a startup configuration file.

3. A and E. In full-duplex operation, the NIC does not process frames any faster, the data flow is bidirectional, and there are no collisions.

4. C. The port speed LED indicates that the port speed mode is selected. When selected, the port LEDs will display colors with different meanings. If the LED is off, the port is operating at 10 Mbps. If the LED is green, the port is operating at 100 Mbps. If the LED is blinking green, the port is operating at 1000 Mbps.

5. B. The switch boot loader environment is presented when the switch cannot locate a valid operating system. The boot loader environment provides a few basic commands that allow a network administrator to reload the operating system or provide an alternate location of the operating system.

6. C. The show interfaces command is useful to detect media errors, to see if packets are being sent and received, and to determine if any runts, giants, CRCs, interface resets, or other errors have occurred. Problems with reachability to a remote network would likely be caused by a misconfigured default gateway or other routing issue, not a switch issue. The show mac address-table command shows the MAC address of a directly attached device.

7. B. SSH provides security for remote management connections to a network device. It does so by encrypting both the session authentication (username and password) and the data transmitted afterward. Telnet sends the username and password in plain text, so anyone who captures the session traffic obtains the credentials. Both Telnet and SSH use TCP, support authentication, and connect to hosts in the CLI.

8. A. The loopback interface is a logical interface internal to the router and is automatically placed in an UP state, as long as the router is functioning. It is not assigned to a physical port and can therefore never be connected to any other device. Multiple loopback interfaces can be enabled on a router.

9. A and B. The show ip interface brief command displays the IPv4 address of each interface, as well as the operational status of the interfaces at both Layer 1 and Layer 2. In order to see interface descriptions and speed and duplex settings, use the show running-config interface command. Next-hop addresses are displayed in the routing table with the show ip route command, and the MAC address of an interface can be seen with the show interfaces command.

10. D. When connecting to switches without the auto-MDIX feature, straight-through cables must be used to connect to devices such as servers, workstations, or routers. Crossover cables must be used to connect to other switches or repeaters.

11. A. The loopback interface is useful in testing and managing a Cisco IOS device because it ensures that at least one interface will always be available. For example, it can be used for testing purposes, such as testing internal routing processes, by emulating networks behind the router.

12. D. When authenticating SSH users with the login local command, a username and password pair must be created and added to the local database. Otherwise, authentication would never be successful.

Chapter 2

1. A. A switch builds a MAC address table of MAC addresses and associated Ethernet switch port numbers by examining the source MAC address found in inbound frames. To forward a frame onward, the switch makes its forwarding decision on Layer 2 information; therefore, the switch examines the destination MAC address, looks in the MAC address table for a port number associated with that destination MAC address, and forwards the frame out that specific port. If the destination MAC address is not in the table, the switch forwards the frame out all ports except the inbound port that originated the frame.

2. B. Cisco LAN switches use the MAC address table to make traffic forwarding decisions. The decisions are based on the ingress port and the destination MAC address of the frame. The ingress port information is important because it carries the VLAN to which the port belongs.

3. D. When a switch receives a frame with a source MAC address that is not in the MAC address table, the switch will add that MAC address to the table and map that address to a specific port. Switches do not use IP addressing in the MAC address table.

4. D and F. A switch has the ability to create temporary point-to-point connections between the directly-attached transmitting and receiving network devices. The two devices have full-bandwidth, full-duplex connectivity during the transmission. Segmenting adds collision domains to reduce collisions.

5. D. If the destination MAC address is in the table, it will forward the frame out of the specified port.

6. C. If the destination MAC address is not in the table, the switch will forward the frame out all ports except the incoming port. This is called an unknown unicast.

7. C. If the destination MAC address is a broadcast or a multicast, the frame is also flooded out all ports except the incoming port.

8. D. In store-and-forward switching, the switch compares the frame check sequence (FCS) value in the last field of the frame against its own FCS calculation. If the frame is error free, the switch forwards the frame. Otherwise, the frame is dropped.

9. B. Cut-through switching has the ability to perform rapid frame switching, which means the switch can make a forwarding decision as soon as it has looked up the destination MAC address of the frame in its MAC address table.

10. B. Full-duplex communication allows both ends to transmit and receive simultaneously, offering 100 percent efficiency in both directions for a 200 percent potential use of stated bandwidth. Half-duplex communication is unidirectional, or one direction at a time. Gigabit Ethernet and 10 Gbps NICs require full-duplex to operate and do not support half-duplex operation.
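
The learning and forwarding behavior described in the answers to questions 1 through 7, as an added Python model (this is not code from the book): a per-VLAN MAC address table keyed on source MAC, a single egress port for a known unicast, and flooding within the VLAN for broadcast, multicast and unknown unicast. The port names, MAC addresses and the small table capacity are constructed for the illustration; real table sizes depend on the switch platform.

```python
from dataclasses import dataclass, field


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the group bit (LSB of the first octet) set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class LearningSwitch:
    # Access port name -> VLAN it belongs to (constructed topology, not from the book).
    port_vlan: dict
    # Assumed MAC table capacity; real sizes depend on the platform.
    capacity: int = 8192
    # (vlan, mac) -> port the MAC was learned on
    table: dict = field(default_factory=dict)
    flooded: int = 0  # number of frames that had to be flooded

    def receive(self, ingress: str, frame: Frame) -> list:
        """Process one frame arriving on `ingress` and return the list of egress ports."""
        vlan = self.port_vlan[ingress]
        src, dst = frame.src.lower(), frame.dst.lower()
        # Learning: the source MAC is associated with the ingress port. An existing
        # entry is refreshed; a new one is added only if the table has room.
        key = (vlan, src)
        if key in self.table or len(self.table) < self.capacity:
            self.table[key] = ingress
        # The forwarding decision uses only the destination MAC within the ingress VLAN.
        other_ports = [p for p, v in self.port_vlan.items() if v == vlan and p != ingress]
        if is_group_address(dst) or (vlan, dst) not in self.table:
            # Broadcast, multicast and unknown unicast: flood out every other port in the VLAN.
            self.flooded += 1
            return other_ports
        egress = self.table[(vlan, dst)]
        # A known unicast goes out one port; if that is the ingress port the destination
        # is on the same segment and the frame is discarded.
        return [] if egress == ingress else [egress]


def demo() -> dict:
    """Two hosts in VLAN 1 talking, a broadcast, one host in VLAN 2, then a full table."""
    sw = LearningSwitch({"Fa0/1": 1, "Fa0/2": 1, "Fa0/3": 1, "Fa0/4": 2})
    a, b = "00:0a:00:00:00:01", "00:0a:00:00:00:02"
    first = sw.receive("Fa0/1", Frame(a, b))    # b unknown: flooded within VLAN 1 only
    reply = sw.receive("Fa0/2", Frame(b, a))    # a already learned: forwarded to Fa0/1
    second = sw.receive("Fa0/1", Frame(a, b))   # b now known: forwarded to Fa0/2
    bcast = sw.receive("Fa0/3", Frame("00:0a:00:00:00:03", "ff:ff:ff:ff:ff:ff"))
    # A deliberately tiny table: once full, new sources are not learned, so frames to
    # them keep being flooded, which is the condition a MAC table overflow attack creates.
    tiny = LearningSwitch({"Fa0/1": 1, "Fa0/2": 1, "Fa0/3": 1}, capacity=2)
    tiny.receive("Fa0/1", Frame(a, b))
    tiny.receive("Fa0/2", Frame(b, a))
    c = "00:0a:00:00:00:04"
    tiny.receive("Fa0/3", Frame(c, a))          # c is not learned: the table is full
    to_c = tiny.receive("Fa0/1", Frame(a, c))   # still flooded
    return {"first": first, "reply": reply, "second": second, "bcast": bcast,
            "entries": len(sw.table), "tiny_entries": len(tiny.table), "to_c": to_c}
```

Running demo() shows the first frame to an unlearned destination flooded, the reply forwarded out a single port, the broadcast kept inside VLAN 1 (Fa0/4 in VLAN 2 never sees it), and, with the tiny table, frames to an unlearned host still flooded after the table fills, which is what a MAC address table attack (Chapter 10, questions 10 and 11) exploits.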

Chapter 3

1. B, C, and D. A management VLAN is a VLAN that is configured to manage features of the switch. By default, all ports are members of the default VLAN. An 802.1Q trunk port supports both tagged and untagged traffic.

2. C. A native VLAN is the VLAN that does not receive a VLAN tag in the IEEE 802.1Q frame header. Cisco best practices recommend the use of an unused VLAN (not a data VLAN, the default VLAN of VLAN 1, or the management VLAN) as the native VLAN whenever possible.
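
The tagged/untagged distinction from questions 1 and 2, as an added Python example (not code from the book): build Ethernet II frames with and without an IEEE 802.1Q tag and classify them the way a trunk port does, where an untagged frame lands in the native VLAN and a tagged frame is assigned the VID carried in the tag. The MAC addresses and payloads are constructed for the example.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; when vid is given, a 4-byte 802.1Q tag is inserted after the source MAC."""
    frame = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        if not 0 <= vid <= 4094:
            raise ValueError("VID must be 0..4094 (4095 is reserved)")
        # TCI = PCP (3 bits) | DEI (1 bit, left 0) | VID (12 bits)
        tci = (pcp & 0x7) << 13 | vid
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def classify_on_trunk(frame: bytes, native_vlan: int) -> dict:
    """Return the VLAN an 802.1Q trunk port assigns the frame to, plus tag details."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (type_or_tpid,) = struct.unpack("!H", frame[12:14])
    if type_or_tpid != TPID_8021Q:
        # No tag present: the trunk places the frame in its native VLAN.
        return {"vlan": native_vlan, "tagged": False, "ethertype": type_or_tpid, "pcp": 0}
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    # VID 0 is a priority-only tag (no VLAN), so it also belongs to the native VLAN.
    return {"vlan": vid if vid else native_vlan, "tagged": True,
            "ethertype": ethertype, "pcp": tci >> 13}
```

The classifier is also a quick way to check a packet capture taken on a trunk: frames that show up without a tag are whatever the native VLAN is on that link, which is why the answer above recommends an unused VLAN there.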

3. B and C. Cost reduction and improved IT staff efficiency are both benefits of using VLANs, along with higher performance, broadcast storm mitigation, and simpler project and application management. End users are not usually aware of VLANs, and VLANs do require configuration. Because VLANs are assigned to access ports, they do not reduce the number of trunk links. VLANs increase security by segmenting traffic.

4. A. The show interfaces switchport command displays the following information for a given port: Switchport, Administrative Mode, Operational Mode, Administrative Trunking Encapsulation, Operational Trunking Encapsulation, Negotiation of Trunking, Access Mode VLAN, Trunking Native Mode VLAN, Administrative Native VLAN tagging, Voice VLAN.

5. C. Entering the switchport access vlan 3 interface config command on Fa0/1 replaces the current port VLAN assignment from VLAN 2 to VLAN 3.

6. B. To restore a Catalyst switch to its factory default condition, unplug all cables except the console and power cable from the switch. Then enter the erase startup-config privileged EXEC mode command followed by the delete vlan.dat command and reboot the switch.

7. C and D. Extended range VLANs are stored in the running-configuration file by default and must be saved after being configured. Extended VLANs use the VLAN IDs from 1006 to 4094.

8. D. Any ports that are not moved to an active VLAN cannot communicate with other hosts after the VLAN is deleted. They must be assigned to an active VLAN or their VLAN must be created.

9. D and E. To enable trunking from a Cisco switch to a device that does not support DTP, use the switchport mode trunk and switchport nonegotiate interface configuration mode commands. This causes the interface to become a trunk, but it will not generate DTP frames.

Chapter 4

1. B. Using legacy inter-VLAN routing to interconnect four VLANs would require four separate physical interfaces. Therefore, the best router-based solution is to configure a router-on-a-stick.

2. C. Router-on-a-stick requires one physical interface configured with a subinterface for each VLAN.

3. A. The subinterface must be assigned to VLAN 10 using the encapsulation dot1q 10 command. The encapsulation vlan 10 option is not a valid command and the switchport mode options are switch configuration commands.

4. A. A host must have a default gateway configured. Hosts on VLANs must have their default gateway set to the address of the corresponding router subinterface to receive inter-VLAN routing services.

5. D. The switch port must be configured as a trunk, and the VLANs on the switch must have users connected to them.

6. A and B. Legacy (traditional) inter-VLAN routing would require more ports, and the configuration can be more complex than a router-on-a-stick solution.

7. D. The encapsulation dot1q vlan_id [native] command configures the subinterface to respond to 802.1Q encapsulated traffic from the specified vlan-id. The native keyword option is only appended to set the native VLAN to something other than VLAN 1.

8. A and B. The router-on-a-stick method requires one physical Ethernet router interface to route traffic between multiple VLANs on a network. The router interface is configured using software-based virtual subinterfaces to identify routable VLANs. Modern enterprise networks rarely use router-on-a-stick because it does not scale easily to meet requirements, and multiple subinterfaces may impact the traffic flow speed. In these very large networks, network administrators use Layer 3 switches to configure inter-VLAN routing.

9. A and B. A routed port is created on a Layer 3 switch by disabling the switchport feature on a Layer 2 port using the no switchport interface configuration command. Then the interface can be configured with an IPv4 configuration to connect to a router or another Layer 3 switch. Only Layer 2 ports can be assigned to a VLAN or support trunking.

10. A and B. Modern enterprise networks rarely implement inter-VLAN routing using the router-on-a-stick method. Instead, they use faster Layer 3 switches, which use hardware-based switching to achieve higher packet-processing rates than routers. Layer 3 switches provide a much more scalable method of inter-VLAN routing.

Chapter 5

1. A, C, and E. The three components that are combined to form a bridge ID are bridge priority, extended system ID, and MAC address.

2. D. The root port is the port with the lowest cost to reach the root bridge. Every non-root switch must have a root port.

3. C. Cisco switches running IOS 15.0 or later run PVST+ by default. Cisco Catalyst switches support PVST+, Rapid PVST+, and MSTP. However, only one version can be active at any time.

4. B. PVST+ results in optimum load balancing. However, this is accomplished by manually configuring switches to be elected as root bridges for different VLANs on the network. The root bridges are not automatically selected. Furthermore, having spanning tree instances for each VLAN actually consumes more bandwidth, and it increases the CPU cycles for all the switches in the network.

5. C and D. Switches learn MAC addresses at the learning and forwarding port states. They receive and process BPDUs at the blocking, listening, learning, and forwarding port states.

6. C and D. Spanning Tree Protocol (STP) is required to ensure correct network operation when designing a network with multiple interconnected Layer 2 switches or using redundant links to eliminate single points of failure between Layer 2 switches. Routing is a Layer 3 function and does not relate to STP. VLANs do segment a LAN into separate broadcast domains, but that relates to Layer 3 subnet design, not to STP.

7. E. When all switches are configured with the same default bridge priority (that is, 32,768), the lowest MAC address becomes the deciding factor for the election of the root bridge.
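
The bridge ID composition from question 1 and the election rule from question 7, as an added Python example (not code from the book): the 16-bit priority field is the configured bridge priority (a multiple of 4096) plus the extended system ID, which is the VLAN number, followed by the MAC address, and the lowest value wins. The switch names and MAC addresses are constructed for the example.

```python
DEFAULT_PRIORITY = 32768


def bridge_id(priority: int, vlan: int, mac: str) -> tuple:
    """Bridge ID = 4-bit bridge priority + 12-bit extended system ID (the VLAN) + 48-bit MAC.
    Returned as (16-bit priority field, MAC as int) so that tuple comparison yields the lowest."""
    if priority % 4096 != 0 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN out of range")
    mac_int = int(mac.replace(".", "").replace(":", ""), 16)
    return (priority + vlan, mac_int)


def format_bid(bid: tuple) -> str:
    """Render the way `show spanning-tree` does, e.g. 32778 (priority 32768 sys-id-ext 10) 000a.0001.0001."""
    prio_field, mac_int = bid
    mac = f"{mac_int:012x}"
    dotted = ".".join(mac[i:i + 4] for i in range(0, 12, 4))
    return f"{prio_field} (priority {prio_field & 0xF000} sys-id-ext {prio_field & 0x0FFF}) {dotted}"


def elect_root(switches: dict, vlan: int) -> str:
    """switches: name -> (configured priority, base MAC). The lowest bridge ID becomes root."""
    return min(switches, key=lambda name: bridge_id(switches[name][0], vlan, switches[name][1]))


def demo() -> dict:
    # Constructed topology: all three switches at the default priority, S1 with the lowest MAC.
    switches = {"S1": (DEFAULT_PRIORITY, "000a.0001.0001"),
                "S2": (DEFAULT_PRIORITY, "000a.0001.0002"),
                "S3": (DEFAULT_PRIORITY, "000a.0001.0003")}
    by_mac = elect_root(switches, 10)
    # Make S3 the root for VLAN 10 deliberately, as `spanning-tree vlan 10 priority 4096` would.
    switches["S3"] = (4096, "000a.0001.0003")
    by_priority = elect_root(switches, 10)
    # A device advertising priority 0 beats every legitimately configured switch, which is
    # why a BPDU with priority 0 arriving on an access port is an attempt to seize the root role.
    switches["rogue"] = (0, "00de.adbe.ef00")
    rogue = elect_root(switches, 10)
    return {"by_mac": by_mac, "by_priority": by_priority, "rogue": rogue,
            "s1_bid": format_bid(bridge_id(DEFAULT_PRIORITY, 10, "000a.0001.0001"))}
```

The last step of demo() is the scenario in Chapter 10, question 13; BPDU guard on access ports (Chapter 5, question 8) is what keeps such a BPDU from ever entering the election.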

8. A. If switch access ports are configured as edge ports using PortFast, BPDUs should never be received on those ports. Cisco switches support a feature called BPDU guard. When it is enabled, BPDU guard puts an edge port into the error-disabled state if a BPDU is received on that port. This prevents a Layer 2 loop from occurring.

9. D. STP allows redundant physical connections between Layer 2 devices without creating Layer 2 loops by disabling ports that could create a loop.

10. A and E. PortFast-enabled ports immediately transition from blocking to forwarding state. PortFast should be enabled only on access ports connecting end devices. No BPDUs should ever be received through a port that is configured with PortFast.

Chapter 6

1. B. Increasing the link speed does not scale very well. Adding more VLANs will not reduce the amount of traffic that is flowing across the link. Inserting a router between the switches will not improve congestion.

2. E and F. Source MAC and destination MAC load balancing and source IP and destination IP load balancing are two implementation methods used in EtherChannel technology.

3. B. PAgP is used to automatically aggregate multiple ports into an EtherChannel bundle, but it works only between Cisco devices. LACP can be used for the same purpose between Cisco and non-Cisco devices. PAgP must have the same duplex mode at both ends and can use two ports or more. The number of ports depends on the switch platform or module. An EtherChannel aggregated link is seen as one port by the spanning tree algorithm.

4. A and C. The two protocols that can be used to form an EtherChannel are PAgP (Cisco proprietary) and LACP, also known as IEEE 802.3ad. STP (Spanning Tree Protocol) or RSTP (Rapid Spanning Tree Protocol) is used to avoid loops in a Layer 2 network. EtherChannel is the term that describes the bundling of two or more links that are treated as a single link for spanning tree and configuration.

5. C. Switch 1 and switch 2 will establish an EtherChannel if both sides are set to desirable, because both sides will negotiate the link. A channel can also be established if both sides are set to on, or if one side is set to auto and the other to desirable. Setting one switch to on will prevent that switch from negotiating the formation of an EtherChannel bundle.

6. A. The channel-group mode active command enables LACP unconditionally, and the channel-group mode passive command enables LACP only if the port receives an LACP packet from another device. The channel-group mode desirable command enables PAgP unconditionally, and the channel-group mode auto command enables PAgP only if the port receives a PAgP packet from another device.

7. B. The channel-group mode active command enables LACP unconditionally, and the channel-group mode passive command enables LACP only if the port receives an LACP packet from another device. The channel-group mode desirable command enables PAgP unconditionally, and the channel-group mode auto command enables PAgP only if the port receives a PAgP packet from another device.

8. D. An EtherChannel is formed by combining multiple (same type) Ethernet physical links so they are seen and configured as one logical link. It provides an aggregated link between two switches. Currently each EtherChannel can consist of up to eight compatibly configured Ethernet ports.

9. A and B. LACP is part of an IEEE specification (802.3ad) that enables several physical ports to automatically be bundled to form a single EtherChannel logical channel. LACP allows a switch to negotiate an automatic bundle by sending LACP packets to the peer. It performs a function similar to PAgP with Cisco EtherChannel, but it can be used to facilitate EtherChannels in multivendor environments. Cisco devices support both PAgP and LACP configurations.

10. A, C, and F. Speed and duplex settings must match for all interfaces in an EtherChannel. All interfaces in the EtherChannel must be in the same VLAN if the ports are not configured as trunks. Any ports may be used to establish an EtherChannel. SNMP community strings and port security settings are not relevant to EtherChannel.

Chapter 7

1. B. When a DHCP client receives DHCPOFFER messages, it will send a broadcast DHCPREQUEST message for two purposes. First, it indicates to the offering DHCP server that it would like to accept the offer and bind the IPv4 address. Second, it notifies any other responding DHCP servers that their offers are declined.

2. C. The DHCPREQUEST message is broadcast to inform other DHCP servers that an IPv4 address has been leased.

3. B. When a DHCPv4 client does not have an IPv4 address, a DHCPv4 server will reply with a broadcast DHCPOFFER or a unicast DHCPOFFER message back to the DHCPv4 client MAC address.

4. D. When a DHCP client lease is about to expire, the client sends a DHCPREQUEST message to the DHCPv4 server that originally provided the IPv4 address. This allows the client to request that the lease be extended.

5. B. By default, the ip helper-address command forwards the following eight UDP services:

Port 37: Time
Port 49: TACACS
Port 53: DNS
Port 67: DHCP/BOOTP server
Port 68: DHCP/BOOTP client
Port 69: TFTP
Port 137: NetBIOS name service
Port 138: NetBIOS datagram service

6. C. The ip address dhcp command activates the DHCPv4 client on a given interface. By doing this, the router will obtain the IPv4 parameters from a DHCPv4 server.

7. B and D. SOHO routers are frequently required by the ISP to be configured as DHCPv4 clients in order to be connected to the provider.

8. C. The DHCP server is not on the same network as the hosts, so DHCP relay agent is required. This is achieved by issuing the ip helper-address command on the interface of the router that contains the DHCPv4 clients, in order to direct DHCP messages to the DHCPv4 server IPv4 address.

9. B. The router functioning as the DHCPv4 server assigns all IPv4 addresses in a DHCPv4 address pool except addresses specified by the ip dhcp excluded-address low-address [high-address] global config command.

10. D. The ipconfig /release Windows command releases the current host IPv4 configuration and the ipconfig /renew Windows command attempts to renew the IPv4 addressing with the DHCPv4 server.

11. A. The show ip dhcp binding command will show the leases, including IPv4 addresses, MAC addresses, lease expiration, type of lease, client ID, and username.

12. D. The client broadcasts a DHCPDISCOVER message to identify any available DHCP servers on the network. A DHCP server replies with a DHCPOFFER message. This message offers to the client a lease that contains such information as the IPv4 address and subnet mask to be assigned, the IPv4 address of the DNS server, and the IPv4 address of the default gateway. After the client receives the lease, the received information must be renewed through another DHCPREQUEST message prior to the lease expiration.

Chapter 8

1. C. When a PC is configured to use the SLAAC method for configuring IPv6 addresses, it will use the prefix and prefix-length information that is contained in the RA message, combined with a 64-bit interface ID (obtained by using the EUI-64 process or by using a random number that is generated by the client operating system), to form an IPv6 address. It uses the link-local address of the router interface that is attached to the LAN segment as its IPv6 default gateway address.

2. C. ICMPv6 RA messages contain flags to indicate whether a workstation should use SLAAC, a DHCPv6 server, or a combination to configure its IPv6 address. The A flag determines whether to use SLAAC. The O flag indicates whether to use a stateless DHCPv6 server. The M flag indicates whether to use stateful DHCPv6. The M and O flags are independent of SLAAC.

3. B. In stateless DHCPv6 configuration, a client configures its IPv6 address by using the prefix and prefix length in the RA message, combined with a self-generated interface ID. It then contacts a DHCPv6 server for additional configuration information via an INFORMATION-REQUEST message. The DHCPv6 SOLICIT message is used by a client to locate a DHCPv6 server. The DHCPv6 ADVERTISE message is used by DHCPv6 servers to indicate their availability for DHCPv6 service. The DHCPv6 REQUEST message is used by a client, in the stateful DHCPv6 configuration, to request ALL configuration information from a DHCPv6 server.

4. D. SLAAC and stateless DHCPv6 enable clients to use ICMPv6 Router Advertisement (RA) messages to automatically assign IPv6 addresses to themselves, and also allow these clients to contact a stateless DHCPv6 server to obtain additional information, such as the domain name and address of DNS servers. Because the M flag is 0 by default, stateful DHCPv6 will not be used. RA messages are used to automatically create an interface IPv6 address.

5. D. SLAAC is a stateless allocation method and does not use a DHCP server to manage the IPv6 addresses. When a host generates an IPv6 address, it must verify that it is unique. The host will send an ICMPv6 Neighbor Solicitation message with its own IPv6 address as the target. As long as no other device responds with a Neighbor Advertisement message, the address is unique.

6. D. The EUI-64 process uses the 48-bit MAC address of an Ethernet interface to construct a 64-bit interface ID (IID). The 16-bit value FFFE is inserted between the 24-bit OUI and the 24-bit device identifier of the MAC address to reach 64 bits, and the seventh bit of the first octet (the universal/local bit) is flipped, which changes the second hex digit of the interface ID.

7. A. Under stateful DHCPv6 configuration, which is indicated by setting M flag as 1 (through the ipv6 nd managed-config-flag interface command), the dynamic IPv6 address assignments are managed by the DHCPv6 server. Clients must obtain all configuration information from a DHCPv6 server. The A flag determines whether to use SLAAC.

8. B. For a router to be able to send RA messages, it must be enabled as an IPv6 router using the ipv6 unicast-routing global config command.

9. C. When the A flag is set to 1 (default) the client will use SLAAC to configure its GUA address. When M flag is 0 and O flag is 1, a client will look for other configuration parameters (such as DNS server addresses) from a stateless DHCPv6 server.

10. B. Unless a device has been configured statically with a default gateway address, it can obtain its default gateway only dynamically from a Router Advertisement message. The device uses the source IPv6 address of the RA, which is the link-local address of the router interface attached to the LAN segment, as its IPv6 default gateway address.

Chapter 9

1. B. Hosts send traffic to their default gateway, which is the virtual IP address and the virtual MAC address. The virtual IP address is assigned by the administrator, whereas the virtual MAC address is created automatically by HSRP. The virtual IPv4 and MAC addresses provide consistent default gateway addressing for the end devices. Only the HSRP active router responds to the virtual IP and virtual MAC address.

2. B. Hosts send traffic to their default gateway, which is the virtual IP address and the virtual MAC address. The virtual IP address is assigned by the administrator, whereas the virtual MAC address is created automatically by HSRP. The virtual IPv4 and MAC addresses provide consistent default gateway addressing for the end devices. Only the HSRP active router responds to the virtual IP and virtual MAC address.

3. A. VRRP selects one router as the master and one or more other routers as backups. The VRRP backup routers monitor the master router.

4. A. HSRP and GLBP are Cisco proprietary protocols, whereas VRRP is a non-proprietary open standard defined by the IETF.

5. D. HSRP is a FHRP that provides Layer 3 default gateway redundancy.

6. C. In the Learn state, the router has not determined the virtual IP address and has not yet seen a hello message from the active router. In this state, the router waits to hear from the active router.

7. D. VRRP is a non-proprietary election protocol that dynamically assigns responsibility for one or more virtual routers to the VRRP routers on an IPv4 LAN.

8. D. When frames are sent from HSRP host devices to the default gateway, the destination MAC address of the frame is the virtual router MAC address.

9. D. When the active router fails, the standby router stops seeing hello messages, assumes the role of the forwarding router, and the host devices see no disruption in service.

10. A. GLBP is a Cisco proprietary FHRP protocol that provides redundancy and load balancing (also called load sharing) between a group of redundant routers.

11. C. To force a new HSRP election process when a higher priority router comes online, preemption must be enabled using the standby preempt interface command.

Chapter 10

1. B. Ransomware encrypts the data on a host and locks access to it until a ransom is paid.

2. A. An ESA is a network security device that is specifically designed to monitor and secure SMTP traffic.

3. D. Authorization determines which resources the user can access and which operations the user is allowed to perform.

4. A. Local AAA stores usernames and passwords locally in the Cisco router, and users authenticate against the local database. Local AAA is ideal for small networks.

5. A. A switch or wireless access point acts as the 802.1X authenticator between the client (supplicant) and the authentication server. The authenticator requests identifying information from the client, verifies that information with the authentication server, and relays the response to the client.

6. D. The supplicant is the client that is requesting network access.

7. C. Port security prevents many types of attacks, including MAC address table overflow.

8. A. Dynamic ARP Inspection (DAI) prevents ARP spoofing and ARP poisoning attacks.

9. D. IP Source Guard (IPSG) prevents MAC and IP address spoofing.

10. C. A MAC address table attack fills the MAC address table with bogus entries. Once the table is full, the switch can no longer learn new source addresses, so it treats frames to those unlearned destinations as unknown unicasts and floods them out all ports within the local VLAN.

11. A. MAC address table attacks overwhelm a switch so that it can no longer add legitimate MAC address table entries and instead floods incoming traffic out all ports in the VLAN. A threat actor connected to that VLAN can then capture the traffic using a protocol analyzer such as Wireshark.

12. D. DHCP starvation attacks occur when a threat actor requests and receives all the available IP addresses for a subnet.

13. E. A threat actor sending BPDU messages with a priority of 0 is trying to become the root bridge in the STP topology.

14. A. Address spoofing attacks occur when the threat actor changes the MAC and/or IP address of the threat actor’s device to pose as another legitimate device, such as the default gateway.

15. F. A threat actor can send a gratuitous ARP reply causing all devices to believe that the threat actor’s device is a legitimate device, such as the default gateway.

16. C. A threat actor can use packet sniffing software, such as Wireshark, to view the contents of CDP messages, which are sent unencrypted and include a variety of device information, including the IOS version and IP addresses. CDP and LLDP should not be enabled on edge devices and should be disabled globally or on a per-interface basis if not required.

Chapter 11

1. A. Port security can be configured on switches to assist in preventing the MAC address table from being overwhelmed with invalid MAC addresses. ACLs will not assist a switch in filtering broadcast traffic, and increasing the size of the CAM table or the speed of switch ports will not resolve this issue.

2. B. When a violation occurs on a switch port that is configured for port security with the shutdown violation action, it is put into the error-disabled state. It can be brought back up by shutting down the interface and then issuing the no shutdown command.

3. B and C. Dynamically learned secure MAC addresses are lost when the switch reboots. Sticky MAC addresses are learned and added to the running config. These addresses are retained if the configuration is saved before the reboot. MAC addresses may also be configured statically (that is, manually). If fewer than the maximum number of MAC addresses for a port are configured statically, dynamically learned addresses are added to the CAM table until the maximum number is reached.

4. B. In a port security implementation, an interface can be configured for one of three violation modes:

Protect: a port security violation causes the interface to drop packets with unknown source addresses. No notification is sent and the violation counter is not incremented.
Restrict: a port security violation causes the interface to drop packets with unknown source addresses, send a notification (syslog message and SNMP trap) that a security violation has occurred, and increment the violation counter.
Shutdown (the default): a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends a notification and increments the violation counter.

5. A. BPDU guard immediately error-disables a port that receives a BPDU. This prevents rogue switches from being added to the network. BPDU guard should be applied only to end-user (access) ports, never to ports that connect to other switches.

6. D. With sticky secure MAC addressing, the MAC addresses can be either dynamically learned or manually configured and then stored in the address table and added to the running configuration file. In contrast, dynamic secure MAC addressing provides for dynamically learned MAC addressing that is stored only in the address table.

7. D. BPDU guard can be enabled on all PortFast-enabled ports by using the spanning-tree portfast bpduguard default global configuration command. Alternatively, BPDU guard can be enabled on a PortFast-enabled port through the use of the spanning-tree bpduguard enable interface configuration command.

8. D. DAI can be configured to perform additional validation checks on the destination MAC address, the source MAC address, and the IP addresses in ARP packets. The destination MAC check compares the destination MAC address in the Ethernet header against the target MAC address in the ARP body. The source MAC check compares the source MAC address in the Ethernet header against the sender MAC address in the ARP body. The IP address check looks for invalid and unexpected IP addresses in the ARP body, including 0.0.0.0, 255.255.255.255, and all IP multicast addresses.
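
The three DAI validation checks from question 8, run over constructed ARP packets, as an added Python example (not code from the book). In IOS, DAI also compares the sender IP/MAC pair of each ARP packet arriving on an untrusted port against the DHCP snooping binding table and skips inspection on trusted ports; both behaviors are modeled here. The VLAN, addresses and binding entries are constructed for the example.

```python
import ipaddress


def _bogus_ip(ip: str) -> bool:
    """Addresses the 'ip' validation rejects: 0.0.0.0, 255.255.255.255 and any multicast address."""
    addr = ipaddress.IPv4Address(ip)
    return ip in ("0.0.0.0", "255.255.255.255") or addr.is_multicast


def dai_inspect(pkt: dict, bindings: dict, trusted: bool = False,
                validate=("src-mac", "dst-mac", "ip")) -> list:
    """Return the reasons an ARP packet would be dropped; an empty list means forward.

    pkt keys: vlan, op ('request' or 'reply'), eth_src, eth_dst (Ethernet header),
              sender_mac, sender_ip, target_mac, target_ip (ARP body).
    bindings: (vlan, ip) -> mac, standing in for the DHCP snooping binding table.
    validate: the checks enabled with `ip arp inspection validate ...`."""
    if trusted:
        return []  # DAI does not inspect ARP on trusted ports (uplinks, the DHCP server port)
    reasons = []
    if "src-mac" in validate and pkt["eth_src"] != pkt["sender_mac"]:
        reasons.append("src-mac: Ethernet source differs from ARP sender MAC")
    # dst-mac is meaningful on replies only; requests go to the broadcast MAC.
    if "dst-mac" in validate and pkt["op"] == "reply" and pkt["eth_dst"] != pkt["target_mac"]:
        reasons.append("dst-mac: Ethernet destination differs from ARP target MAC")
    if "ip" in validate:
        # Sender IP is checked on every ARP packet, target IP only on replies.
        if _bogus_ip(pkt["sender_ip"]):
            reasons.append(f"ip: invalid sender IP {pkt['sender_ip']}")
        if pkt["op"] == "reply" and _bogus_ip(pkt["target_ip"]):
            reasons.append(f"ip: invalid target IP {pkt['target_ip']}")
    # Core check: the claimed sender IP/MAC pair must match a binding on this VLAN.
    if bindings.get((pkt["vlan"], pkt["sender_ip"])) != pkt["sender_mac"]:
        reasons.append("binding: sender IP/MAC not in the DHCP snooping binding table")
    return reasons


def demo() -> dict:
    bindings = {(10, "192.168.10.50"): "00:0a:00:00:00:50",
                (10, "192.168.10.51"): "00:0a:00:00:00:51"}
    gateway_ip = "192.168.10.1"
    # Legitimate request from .50 asking for the gateway's MAC.
    legit = {"vlan": 10, "op": "request", "eth_src": "00:0a:00:00:00:50",
             "eth_dst": "ff:ff:ff:ff:ff:ff", "sender_mac": "00:0a:00:00:00:50",
             "sender_ip": "192.168.10.50", "target_mac": "00:00:00:00:00:00",
             "target_ip": gateway_ip}
    # Host .51 sends a gratuitous reply claiming the gateway's IP: the poisoning attempt.
    poison = {"vlan": 10, "op": "reply", "eth_src": "00:0a:00:00:00:51",
              "eth_dst": "ff:ff:ff:ff:ff:ff", "sender_mac": "00:0a:00:00:00:51",
              "sender_ip": gateway_ip, "target_mac": "ff:ff:ff:ff:ff:ff",
              "target_ip": "192.168.10.50"}
    # Forged frame: Ethernet source and ARP sender MAC disagree.
    forged = {**legit, "eth_src": "00:0a:00:00:00:99"}
    # Multicast sender address in the ARP body.
    bogus = {**legit, "sender_ip": "224.0.0.251"}
    return {"legit": dai_inspect(legit, bindings),
            "poison": dai_inspect(poison, bindings),
            "forged": dai_inspect(forged, bindings),
            "bogus": dai_inspect(bogus, bindings),
            "uplink": dai_inspect(poison, bindings, trusted=True)}
```

The gratuitous reply in demo() passes all three optional checks and is still dropped because no binding ties the gateway's IP to the attacker's MAC, which is the mitigation for the attack described in Chapter 10, question 15. The same packet is accepted on a trusted port, so which ports are marked trusted matters as much as enabling DAI.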

9. A. When DHCP snooping is configured, the number of DHCP messages that an untrusted port can receive per second should be rate-limited with the ip dhcp snooping limit rate interface configuration command. When a port receives more DHCP messages than the configured rate allows, the switch places the port in the error-disabled state; errdisable recovery cause dhcp-rate-limit can be used to bring it back automatically.

10. D. If no violation mode is specified when port security is enabled on a switch port, the security violation mode defaults to “shutdown”.

11. A, D, and E. Mitigating a VLAN attack can be done by disabling Dynamic Trunking Protocol (DTP), manually setting ports to trunking mode, and by setting the native VLAN of trunk links to VLANs not in use.

12. D. A Port Status of Secure-down means there are no hosts connected. Secure-up means there is at least one host connected to the port. Secure-shutdown means the port is error-disabled.
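
A model of the port security behavior covered by questions 2, 3, 4, 6, 10 and 12, added here in Python (not code from the book): learning up to the configured maximum, static and sticky addresses, the three violation modes and the Secure-up, Secure-down and Secure-shutdown port status. The interface name, MAC addresses and the wording of the syslog line are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    """Per-interface port security as configured with `switchport port-security ...`."""
    maximum: int = 1
    violation: str = "shutdown"                    # IOS default when no mode is specified
    sticky: bool = False
    static: set = field(default_factory=set)       # switchport port-security mac-address <mac>
    secure: dict = field(default_factory=dict)     # mac -> "static" | "sticky" | "dynamic"
    violations: int = 0
    syslog: list = field(default_factory=list)
    link_up: bool = False
    err_disabled: bool = False

    def __post_init__(self):
        if self.violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation mode must be protect, restrict or shutdown")
        if len(self.static) > self.maximum:
            raise ValueError("more static addresses than the configured maximum")
        for mac in self.static:
            self.secure[mac.lower()] = "static"

    def status(self) -> str:
        """Port Status as shown by `show port-security interface`."""
        if self.err_disabled:
            return "Secure-shutdown"
        return "Secure-up" if self.link_up else "Secure-down"

    def ingress(self, src_mac: str) -> str:
        """Handle a frame's source MAC; return 'forward', 'drop' or 'err-disabled'."""
        if self.err_disabled:
            return "err-disabled"
        self.link_up = True
        mac = src_mac.lower()
        if mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            # Room left: learn the address (a sticky address also lands in the running-config).
            self.secure[mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        # Violation: a new source MAC while the maximum number of secure addresses is present.
        if self.violation == "protect":
            return "drop"                          # silent: no counter, no syslog
        self.violations += 1
        self.syslog.append("%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                           f"caused by MAC address {mac}")   # constructed message text
        if self.violation == "restrict":
            return "drop"
        self.err_disabled = True                   # shutdown mode: the port is error-disabled
        return "err-disabled"

    def recover(self) -> None:
        """Administrator clears the error with `shutdown` followed by `no shutdown`."""
        self.err_disabled = False
        self.link_up = False
        # Dynamically learned addresses are lost when the port goes down; static and sticky remain.
        self.secure = {m: t for m, t in self.secure.items() if t != "dynamic"}

    def running_config(self, ifname: str) -> list:
        """The interface section as it would appear in the running configuration."""
        lines = [f"interface {ifname}", " switchport mode access", " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        for mac, kind in sorted(self.secure.items()):
            if kind == "static":
                lines.append(f" switchport port-security mac-address {mac}")
            elif kind == "sticky":
                lines.append(f" switchport port-security mac-address sticky {mac}")
        return lines
```

Protect mode drops the offending frames without leaving a trace, which is why restrict (drops plus a counter and a syslog message) or the default shutdown is usually preferred on ports where a violation should be noticed; the sticky addresses survive the recover() bounce only because they were written into the configuration, and survive a reboot only if that configuration is saved.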

Chapter 12

1. B. Beacons are the only management frame that may regularly be broadcast by an AP. Probing, authentication, and association frames are used only during the association (or reassociation) process.

2. B. Omnidirectional antennas send the radio signals in a 360 degree pattern around the antenna. This provides coverage to devices situated anywhere around the access point. Dishes, directional, and Yagi antennas focus the radio signals in a single direction, making them less suitable for covering large, open areas.

3. C. SSID cloaking is a weak security feature that is performed by APs and some wireless routers by allowing the SSID beacon frame to be disabled. Although clients must manually enter the SSID to connect to the network, the SSID can be easily discovered.

4. C and E. Two methods can be used by a wireless device to discover and register with an access point: passive mode and active mode. In passive mode, the AP sends a broadcast beacon frame that contains the SSID and other wireless settings. In active mode, the wireless device must be manually configured for the SSID, and then the device broadcasts a probe request.

5. C. Ad hoc mode (also known as independent basic service set or IBSS) is used in a peer-to-peer wireless network, such as when Bluetooth is used. A variation of the ad hoc topology exists when a smart phone or tablet with cellular data access is enabled to create a personal wireless hotspot. Mixed mode allows older wireless NICs to attach to an access point that can use a newer wireless standard.

6. B and C. The 802.11a and 802.11ac standards operate only in the 5 GHz range. The 802.11b and 802.11g standards operate only in the 2.4 GHz range. The 802.11n standard operates in both the 2.4 and 5 GHz ranges. The 802.11ad standard operates in the 2.4, 5, and 60 GHz ranges.

7. C. 802.11ac provides data rates up to 1.3 Gbps and is still backward compatible with 802.11a/b/g/n devices. 802.11g and 802.11n are older standards that cannot reach speeds over 1 Gbps.

8. A. Multiple-input, multiple-output (MIMO) uses multiple antennas to increase available bandwidth for IEEE 802.11n/ac/ax wireless networks, such as the one in Figure 12-13. Up to eight transmit and receive antennas can be used to increase throughput.

9. B, D, and F. Interference occurs when one signal overlaps a channel reserved for another signal, causing possible distortion. The best practice for 2.4 GHz WLANs that require multiple APs is to use the non-overlapping channels 1, 6, and 11. These are selected because they are 5 channels apart and therefore minimize the interference with adjacent channels.

10. B. WPA and WPA2 Personal are intended for home or small office networks where users authenticate using a pre-shared key (PSK). WPA and WPA2 Enterprise are intended for enterprise networks but require a RADIUS authentication server, which provides additional security. WEP Enterprise is not a valid option.

11. D. When an access point is configured in passive mode, the SSID is broadcast so that the name of the wireless network will appear in the listing of available networks for clients. Active is a mode used to configure an access point so that clients must know the SSID to connect to the access point. APs and wireless routers can operate in a mixed mode, meaning that multiple wireless standards are supported. Open is an authentication mode for an access point that has no impact on the listing of available wireless networks for a client.

Chapter 13

1. A. The first action that should be taken is to secure administrative access to the wireless router. The next action would usually be to configure encryption. Then after the initial group of wireless hosts have connected to the network, MAC address filtering would be enabled and SSID broadcast disabled. This will prevent new unauthorized hosts from finding and connecting to the wireless network.

2. C. By default, dual-band routers and APs use the same network name on both the 2.4 GHz band and the 5 GHz band. The simplest way to segment traffic is to rename one of the wireless networks.

3. C. The Cisco 3504 WLC dashboard displays when a user logs in to the WLC. It provides some basic settings and menus that users can quickly access to implement a variety of common configurations. The Network Summary page is a dashboard that provides a quick overview of the number of configured wireless networks, associated access points (APs), and active clients. You can also see the number of rogue access points and clients. The Advanced button displays the advanced Summary page providing access to all the features of the WLC.

4. C. Simple Network Management Protocol (SNMP) is used to monitor the network.

5. D. Private IPv4 addresses cannot be routed on the Internet. The wireless router will use a service called Network Address Translation (NAT) to convert private IPv4 addresses to Internet-routable IPv4 addresses so that wireless devices can gain access to the Internet.

6. D. Many wireless routers have an option for configuring quality of service (QoS). By configuring QoS, certain time-sensitive traffic types, such as voice and video, are prioritized over traffic that is not as time-sensitive, such as email and web browsing.

7. D. Each new WLAN configured on a Cisco 3500 series WLC needs its own VLAN interface. Therefore, it is required that a new VLAN interface be created first before a new WLAN can be created.

8. D. The 2.4 GHz band may be suitable for basic Internet traffic that is not time-sensitive. The 5 GHz band is much less crowded than the 2.4 GHz band, making it ideal for streaming multimedia. The 5 GHz band has more channels; therefore, the channel chosen is likely interference-free.

9. D. The RADIUS protocol uses security features to protect communications between the RADIUS server and clients. A shared secret is the password used between the WLC and the RADIUS server. It is not for end users.

10. D. Extending a WLAN in a small office or home has become increasingly easy. Manufacturers have made creating a wireless mesh network (WMN) simple through smartphone apps. You buy the system, disperse the access points, plug them in, download the app, and configure your WMN in a few steps.

Chapter 14

1. A and E. Static routing requires a thorough understanding of the entire network for proper implementation. It can be prone to errors and does not scale well for large networks. Static routing uses fewer router resources because no computing is required for updating routes. Static routing can also be more secure because it does not advertise over the network.

2. A. A static default route is a catch-all route for all unmatched networks.

3. C. The route will appear in the routing table with a code of S (Static).

4. D. When the interface associated with a static route goes down, the router will remove the route because it is no longer valid.

5. A. A default static route is a route that matches all packets. It identifies the gateway IP address to which the router sends all IP packets for which it does not have a learned or static route. A default static route is simply a static route with 0.0.0.0/0 as the destination IPv4 address or ::/0 for IPv6. Configuring a default static route creates a gateway of last resort.

6. B. Dynamic routing protocols consume more router resources, are suitable for larger networks, and are more useful on networks that are growing and changing.

7. B. A metric is used by a routing protocol to compare routes received from the routing protocol. An exit interface is the interface used to send a packet in the direction of the destination network. A routing protocol is used to exchange routing updates between two or more adjacent routers. The administrative distance represents the trustworthiness of a particular route. The lower an administrative distance, the more trustworthy the learned route is. When a router learns multiple routes toward the same destination, the router uses the administrative distance value to determine which route to place into the routing table.

8. A and C. The code identifies how the route was learned. For instance, L identifies the address assigned to a router interface. This allows the router to efficiently determine that a packet is destined for the interface itself rather than being forwarded. C identifies a directly connected network. S identifies a static route created to reach a specific network. And O identifies a dynamically learned network from another router using the OSPF routing protocol.

9. C. A directly connected network will be added to the routing table when these three conditions are met: (1) the interface is configured with a valid IP address; (2) it is activated with the no shutdown command; and (3) it receives a carrier signal from another device that is connected to the interface. An incorrect subnet mask for an IPv4 address will not prevent its appearance in the routing table, although the error may prevent successful communications.

Chapter 15

1. B. A floating static route is a backup route that only appears in the routing table when the interface used with the primary route is down. To test a floating static route, the route must be in the routing table. Therefore, shutting down the interface used as a primary route would allow the floating static route to appear in the routing table.

2. C. The most believable route, or the route with the lowest administrative distance, is one that is directly connected to a router. In order of trustworthiness, the options are A (AD = 0), D (static route, AD = 1), B (EIGRP, AD = 90), and C (OSPF, AD = 110). Therefore, the OSPF routes are considered to be the least trustworthy.

3. D. Even though OSPF has a higher administrative distance value (less trustworthy), the best match is the route in the routing table that has the greatest number of far-left matching bits.

4. B. When only the exit interface is used, the route is a directly connected static route. When the next-hop IP address is used, the route is a recursive static route. When both are used, it is a fully specified static route.

5. A. A fully specified static route can be used to avoid recursive routing table lookups by the router. A fully specified static route contains both the IP address of the next-hop router and the ID of the exit interface.

6. B. By default, dynamic routing protocols have a higher administrative distance than static routes. Configuring a static route with a higher administrative distance than that of the dynamic routing protocol will result in the dynamic route being used instead of the static route. However, should the dynamically learned route fail, the static route will be used as a backup.

7. D. Floating static routes are used as backup routes, often to routes learned from dynamic routing protocols. To be a floating static route, the configured route must have a higher administrative distance than the primary route. For example, if the primary route is learned through OSPF, a floating static route that serves as a backup to the OSPF route must have an administrative distance greater than 110. In this example, the administrative distance of 120 is put at the end of the static route: ip route 209.165.200.228 255.255.255.248 10.0.0.1 120.
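Route selection as described in answers 2, 3, and 7 above (longest prefix match first, then administrative distance, with a floating static route taking over only when the primary route is gone), as an added Python example that is not part of the book. The route table, next-hop addresses, and the floating static route's AD of 120 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str    # destination network, e.g. "209.165.200.224/27"
    next_hop: str  # next-hop address (constructed sample values)
    source: str    # routing table code: C, S, D (EIGRP), or O (OSPF)
    ad: int        # administrative distance (IOS defaults: 0, 1, 90, 110)


def best_route(table, destination):
    """Return the route a router would use to reach `destination`.

    Rule 1 (longest prefix match): the candidate whose prefix has the most
    matching far-left bits wins, regardless of its administrative distance.
    Rule 2 (administrative distance): among candidates with the same prefix
    length, the lowest AD is preferred. A floating static route (higher AD
    than the dynamic route) is therefore used only once the dynamic route
    has been withdrawn.
    """
    dst = ipaddress.ip_address(destination)
    matches = [r for r in table if dst in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None  # no route, not even a default: packet is dropped
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in matches)
    same_len = [r for r in matches
                if ipaddress.ip_network(r.prefix).prefixlen == longest]
    return min(same_len, key=lambda r: r.ad)


# Constructed sample routing table: a static /24, an OSPF /27 inside it,
# a floating static backup for the same /27, and a default static route.
TABLE = [
    Route("0.0.0.0/0", "203.0.113.1", "S", 1),             # gateway of last resort
    Route("209.165.200.0/24", "10.0.0.1", "S", 1),
    Route("209.165.200.224/27", "10.0.0.2", "O", 110),
    Route("209.165.200.224/27", "10.0.0.1", "S", 120),     # floating static
]


def table_without_source(table, source):
    """Simulate the loss of every route learned from `source` (e.g. OSPF)."""
    return [r for r in table if r.source != source]


if __name__ == "__main__":
    print(best_route(TABLE, "209.165.200.230"))                      # OSPF /27 wins over static /24
    print(best_route(table_without_source(TABLE, "O"), "209.165.200.230"))  # floating static
    print(best_route(TABLE, "198.51.100.5"))                         # default route
```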

8. C. A stub router or an edge router connected to an ISP has only one other router as a connection. A default static route works in those situations because all traffic will be sent to one destination. The destination router is the gateway of last resort. The default route is not configured on the gateway, but on the router sending traffic to the gateway.

9. A. A default static route configured for IPv6 is a network prefix of all zeros and a prefix mask of 0, which is expressed as ::/0.

10. B. A floating static route is a backup route that only appears in the routing table when the interface used with the primary route is down. To test a floating static route, the route must be in the routing table. Therefore, shutting down the interface used as a primary route would allow the floating static route to appear in the routing table.

Chapter 16

1. A, C, and D. The ping, show ip route, and show ip interface brief commands provide information to help troubleshoot static routes. The show version command does not provide any routing information. The tracert command is used at the Windows command prompt and is not an IOS command. The show arp command displays learned IP address to MAC address mappings contained in the Address Resolution Protocol (ARP) table.

2. C. When the interface associated with a static route goes down, the router will remove the route because it is no longer valid.

3. C. A router looks up the ARP table entry for the destination IP address to find the Layer 2 Media Access Control (MAC) address of the host. If no entry exists, the router sends an Address Resolution Protocol (ARP) request out of the network interface, and the host responds with an ARP reply, which includes its MAC address.

4. B. The show cdp neighbors command provides a list of directly connected Cisco devices. This command validates Layer 2 (and therefore Layer 1) connectivity. For example, if a neighbor device is listed in the command output, but it cannot be pinged, Layer 3 addressing should be investigated.

5. C. The show ip interface brief command provides a quick status of all interfaces on the router.
