QUESTION 1
Which optional feature of an Ethernet switch disables a port on a point-to-point link if the port does
not receive traffic while Layer 1 status is up?
A. BackboneFast
B. UplinkFast
C. Loop Guard
D. UDLD aggressive mode
E. Fast Link Pulse bursts
F. Link Control Word

Answer: D
Explanation:
UDLD aggressive mode is disabled by default. Configure UDLD aggressive mode only on point-to-point
links between network devices that support it. With UDLD aggressive mode enabled, when a port on a
bidirectional link that has an established UDLD neighbor relationship stops receiving UDLD packets,
UDLD tries to re-establish the connection with the neighbor. After eight failed retries the port is
placed in the err-disabled state.
QUESTION 3
Which three statements about Dynamic ARP Inspection are true? (Choose three.)
A. It determines the validity of an ARP packet based on the valid MAC address-to-IP address bindings
stored in the DHCP snooping database.
B. It forwards all ARP packets received on a trusted interface without any checks.
C. It determines the validity of an ARP packet based on the valid MAC address-to-IP address bindings
stored in the CAM table.
D. It forwards all ARP packets received on a trusted interface after verifying and inspecting the packet
against the Dynamic ARP Inspection table.
E. It intercepts all ARP packets on untrusted ports.
F. It is used to prevent against a DHCP snooping attack.
Answer: ABE
Explanation:
DAI intercepts every ARP packet received on an untrusted port and checks its MAC-to-IP binding against
the DHCP snooping binding database, dropping packets that do not match; ARP packets received on a
trusted port are forwarded without inspection. See
http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_example09186a00807c4101.shtml
(background information, 3rd bulleted point).
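Added example (not part of the original question set): a Cisco IOS configuration that implements the DAI behaviour described in statements A, B and E, with the DHCP snooping that feeds its binding table. VLAN 10, the interface names, the addresses and the MAC address in the static ARP ACL are assumed values.

```cisco
! DHCP snooping builds the IP-to-MAC binding database that DAI validates against
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
! persist the bindings so a reload does not leave DAI with an empty table (assumed flash path)
ip dhcp snooping database flash:dhcp-snoop.db
!
! Dynamic ARP Inspection for the same VLAN, with extra sanity checks on every inspected ARP packet
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
! Hosts that never use DHCP (printer, server) need a static binding, otherwise DAI drops their ARP
arp access-list STATIC-HOSTS
 permit ip host 10.10.0.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
! Recover ports err-disabled by the ARP rate limit automatically after 5 minutes
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Uplink toward the DHCP server / distribution layer: trusted, so ARP is forwarded without checks
interface GigabitEthernet0/1
 description Uplink
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports: untrusted (the default), ARP is intercepted and validated, 15 packets/second limit
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15
!
! Verify: show ip dhcp snooping binding / show ip arp inspection vlan 10 / show ip arp inspection statistics
```

Two things a practitioner should check after applying this: the DAI VLAN list must match the DHCP snooping VLAN list, and hosts whose leases were granted before snooping was enabled have no binding, so their ARP is dropped until they renew (or until a static entry in the ARP ACL covers them).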
QUESTION 4
A network administrator wants to configure 802.1x port-based authentication however the client
workstation is not 802.1x compliant. What is the only supported authentication server that can be
used?
A. TACACS with LEAP extensions
B. TACACS+
C. RADIUS with EAP extensions
D. LDAP
Answer: C
Explanation:
The IEEE 802.1x standard defines a port-based access control and authentication protocol that
restricts unauthorized workstations from connecting to a LAN through publicly accessible switch
ports. The authentication server authenticates each workstation that is connected to a switch port
before making available any services offered by the switch or the LAN.
Until the workstation is authenticated, 802.1x access control allows only Extensible Authentication
Protocol over LAN (EAPOL) traffic through the port to which the workstation is connected. After
authentication succeeds, normal traffic can pass through the port.
With 802.1x port-based authentication the devices in the network have specific roles, as follows:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html
QUESTION 5
Refer to the exhibit. Why are users from VLAN 100 unable to ping users on VLAN 200?
A. Encapsulation on the switch is wrong.
B. Trunking needs to be enabled on Fa0/1.
C. The native VLAN is wrong.
D. VLAN 1 needs the no shutdown command.
E. IP routing needs to be enabled on the switch.
Answer: B
Explanation:
The switch supports multiple VLANs but has no Layer 3 capability to route packets between them, so
it must be connected to a router external to the switch. This is most efficiently done with a single
trunk link between the switch and the router that carries the traffic of multiple VLANs, which the
router then routes between (router-on-a-stick). That trunk is required between the router and the
switch, so trunking needs to be enabled on Fa0/1.
QUESTION 6
The following command was issued on a router that is being configured as the active HSRP router.
standby ip 10.2.1.1
Which statement about this command is true?
A. This command will not work because the HSRP group information is missing.
B. The HSRP MAC address will be 0000.0c07.ac00.
C. The HSRP MAC address will be 0000.0c07.ac01.
D. The HSRP MAC address will be 0000.070c.ac11.
E. This command will not work because the active parameter is missing.
Answer: B
Explanation:
The full syntax of the command above is:
standby [group-number] ip [ip-address [secondary]]
In the command "standby ip 10.2.1.1" no group number is given, so the default group 0 is used. The
last byte of the HSRP version 1 virtual MAC address (0000.0c07.acXX, where XX is the group number
in hex) is therefore 00.
QUESTION 7
What does the interface subcommand "switchport voice vlan 222" indicate?
A. The port is configured for data and voice traffic.
B. The port is fully dedicated to forwarding voice traffic.
C. The port operates as an FXS telephony port.
D. Voice traffic is directed to VLAN 222.
Answer: A
Explanation:
The interface subcommand:
Switch(config-if)# switchport voice vlan {vlan-id | dot1p | untagged | none}
selects the voice VLAN mode used when a PC is connected to the switch port through a Cisco IP phone.
With a VLAN ID, the phone's voice traffic is carried tagged in VLAN 222 alongside the untagged data
VLAN traffic from the PC, so the port carries both data and voice traffic.
QUESTION 8
Which statement is a characteristic of multi-VLAN access ports?
A. The port has to support STP PortFast.
B. The auxiliary VLAN is for data service and is identified by the PVID.
C. The port hardware is set as an 802.1Q trunk.
D. The voice service and data service use the same trust boundary.
Answer: C
Explanation:
The integration of 802.1x and IP phones is based on the switch configuration of multi-VLAN
access ports. Multi-VLAN ports belong to two VLANs: native VLAN (PVID) and auxiliary VLAN
(VVID). This allows the separation of voice and data traffic and enables 802.1x authentication only
on the PVID.
QUESTION 9
Refer to the exhibit. BPDUGuard is enabled on both ports of SwitchA. Initially LinkA is connected
and forwarding traffic. A new LinkB is then attached between SwitchA and HubA. Which two
statements about the possible result of attaching the second link are true? (Choose two.)
A. The switch port attached to LinkB does not transition to up.
B. One or both of the two switch ports attached to the hub goes into the err-disabled state when a
BPDU is received.
C. Both switch ports attached to the hub transitions to the blocking state.
D. A heavy traffic load could cause BPDU transmissions to be blocked and leave a switching loop.
E. The switch port attached to LinkA immediately transitions to the blocking state.
Answer: BD
Explanation:
Only one Designated port exists per segment, and the two ports of SwitchA are on the same segment
because both connect to the hub, so the other port must go to the Blocking state. SwitchA selects
its Designated port by comparing, in order, the following parameters inside the BPDU:
* Lowest path cost to the Root
* Lowest Sender Bridge ID (BID)
* Lowest Port ID
Here both interfaces of SwitchA have the same path cost to the root and the same sender bridge ID,
so the third parameter, lowest port ID, decides. If the two interfaces of SwitchA are fa0/1 and
fa0/2, SwitchA selects fa0/1 as its Designated port (it has the lower port ID). Because the hub
repeats every frame it receives, the BPDUs SwitchA sends out of fa0/1 arrive on fa0/2 (and vice
versa), and with BPDU Guard enabled a port that receives a BPDU is placed in the err-disabled
state -> B is correct.
Suppose the port on LinkA (portA) is in the forwarding state and the port on LinkB (portB) is in
the blocking state. In the blocking state portB still listens for BPDUs. If the traffic passing
through LinkA is so heavy that BPDUs no longer reach portB, portB's max age timer expires (20
seconds for 802.1D STP) and the port moves to the listening state, then learning (after 15 seconds)
and forwarding (after another 15 seconds). At that point both portA and portB are forwarding, so a
switching loop occurs -> D is correct.
QUESTION 10
Which two statements are true about recommended practices that are to be used in a local VLAN
solution design where layer 2 traffic is to be kept to a minimum? (Choose two.)
A. Routing should occur at the access layer if voice VLANs are utilized. Otherwise routing should occur
at the distribution layer.
B. Routing may be performed at all layers but is most commonly done at the core and distribution layers.
C. Routing should not be performed between VLANs located on separate switches.
D. VLANs should be local to a switch.
E. VLANs should be localized to a single switch unless voice VLANs are being utilized.
Answer: BD
Explanation:
Routing is performed at all layers but it is most commonly done at the core and distribution layers.
Secondly the VLANs should be local to a switch.
QUESTION 11
What action should a network administrator take to enable VTP pruning on an entire management
domain?
A. Enable VTP pruning on any client switch in the domain.
B. Enable VTP pruning on every switch in the domain.
C. Enable VTP pruning on any switch in the management domain.
D. Enable VTP pruning on a VTP server in the management domain.
Answer: D
Explanation:
Enabling VTP pruning on a VTP server allows pruning for the entire management domain.
Enabling this on the VTP server will mean that the VTP pruning configuration will be propagated to
all VTP client switches within the domain. VTP pruning takes effect several seconds after you
enable it. By default VLANs 2 through 1000 are pruning-eligible.
QUESTION 12
How does VTP pruning enhance network bandwidth?
A. by restricting unicast traffic across VTP domains
B. by reducing unnecessary flooding of traffic to inactive VLANs
C. by limiting the spreading of VLAN information
D. by disabling periodic VTP updates
Answer: B
Explanation:
VTP Pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown
unicast frames on a VLAN only if the switch on the receiving end of the trunk has ports in that
VLAN.
QUESTION 13
In the hardware address 0000.0c07.ac0a what does 07.ac represent?
A. vendor code
B. HSRP group number
C. HSRP router number
D. HSRP well-known physical MAC address
E. HSRP well-known virtual MAC address
Answer: E
Explanation:
HSRP code (HSRP well-known virtual MAC address): the fact that the MAC address belongs to an HSRP
virtual router is indicated by the next two bytes of the address. The HSRP code is always 07.ac;
the HSRP (version 1) virtual MAC address always contains the value 07.ac. The final byte (0a here)
is the HSRP group number, 10 in decimal.
QUESTION 14
Refer to the exhibit. The network operations center has received a call stating that users in VLAN
107 are unable to access resources through router 1. What is the cause of this problem?
A. VLAN 107 does not exist on switch A.
B. VTP is pruning VLAN 107.
C. VLAN 107 is not configured on the trunk.
D. Spanning tree is not enabled on VLAN 107.
Answer: B
Explanation:
In this example VLANs 7, 101, 106 and 107 are being pruned from the trunk. VLAN 107 is being pruned
incorrectly in this case. Disabling VTP pruning (or removing VLAN 107 from the trunk's
pruning-eligible list) lets users in VLAN 107 reach the network resources again.
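Added example (not part of the original question set) covering questions 11, 12 and 14: the VTP server configuration that turns on pruning for the whole domain, and the per-trunk fix for a VLAN that must never be pruned. The domain name, password and interface name are assumed.

```cisco
! VTP server for the domain: the pruning setting configured here propagates to every client (Q11).
! A VTP password is the minimum protection against a rogue or mis-revisioned server rewriting the VLAN database.
vtp domain CORP
vtp version 2
vtp mode server
vtp password Vtp-Pass-Assumed
vtp pruning
!
! Trunk toward a switch whose users sit in VLAN 107 (the Q14 symptom): taking 107 out of the
! pruning-eligible list keeps VLAN 107 flooding on this trunk even if no pruning join is received for it
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk pruning vlan remove 107
!
! Switches that must never accept VLAN database updates from the domain should run transparent mode instead:
! vtp mode transparent
!
! Verify: show vtp status (Pruning Mode), show interfaces trunk
!         ("Vlans in spanning tree forwarding state and not pruned" lists what actually crosses the trunk)
```

The VTP password only protects the VLAN database; it does not authenticate pruning joins, so the per-trunk pruning-eligible list is the reliable way to guarantee that a VLAN stays on a given trunk.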
QUESTION 15
Which protocol will enable a group of routers to form a single virtual router and will use the real IP
address of a router as the gateway address?
A. Proxy ARP
B. HSRP
C. IRDP
D. VRRP
E. GLBP

Answer: D
Explanation:
The correct answer is VRRP, whereby either a virtual or a physical address can be chosen as the
gateway address. If the physical address of R2 is the gateway address then R2 becomes the master.
If R2 goes down, R3 (or R4, etc.) becomes the master and assumes that IP address, which to it is a
virtual one because none of its interfaces are configured with that address. In this scenario R2, R3
and R4 form one virtual router in which R2's physical address is used as the gateway address. HSRP
does not use physical addresses for the gateway at all.

QUESTION 16
On a multilayer Cisco Catalyst switch which interface command is used to convert a Layer 3
interface to a Layer 2 interface?
A. switchport
B. no switchport
C. switchport mode access
D. switchport access vlan vlan-id
Answer: A
Explanation:
The switchport command puts the port in Layer 2 mode. You can then use other switchport command
keywords to configure trunking, access VLANs, and so on.
QUESTION 17
Refer to the exhibit. What can be determined about the HSRP relationship from the displayed
debug output?
A. The preempt feature is not enabled on the 172.16.11.111 router.
B. The nonpreempt feature is enabled on the 172.16.11.112 router.
C. Router 172.16.11.111 will be the active router because its HSRP priority is preferred over router
172.16.11.112.
D. Router 172.16.11.112 will be the active router because its HSRP priority is preferred over router
172.16.11.111.
E. The IP address 172.16.11.111 is the virtual HSRP router IP address.
F. The IP address 172.16.11.112 is the virtual HSRP router IP address.
Answer: A
Explanation:
The standby preempt interface configuration command allows the router to become the active
router when its priority is higher than all other HSRP-configured routers in this Hot Standby group.
The configurations of both routers include this command so that each router can be the standby
router for the other router. The 1 indicates that this command applies to Hot Standby group 1. If
you do not use the standby preempt command in the configuration for a router that router cannot
become the active router.
QUESTION 18
Refer to the exhibit. All network links are FastEthernet. Although there is complete connectivity
throughout the network Front Line users report that they experience slower network performance
when accessing the server farm than the Reception office experiences. Which two statements are
true? (Choose two.)
A. Changing the bridge priority of S1 to 4096 would improve network performance.
B. Changing the bridge priority of S1 to 36864 would improve network performance.
C. Changing the bridge priority of S2 to 36864 would improve network performance.
D. Changing the bridge priority of S3 to 4096 would improve network performance.
E. Disabling the Spanning Tree Protocol would improve network performance.
F. Upgrading the link between S2 and S3 to Gigabit Ethernet would improve performance.
Answer: BD
Explanation:
As switch S1 has the best (lowest) bridge priority it is elected root bridge. As a consequence the
link between S2 and S3 is blocked and traffic from the Front Line users to the Server Farm goes
through the root bridge S1. To improve network performance you have to make S2 or S3 the root
bridge, either by raising the bridge priority of S1 to 36864 or by lowering the bridge priority of
S3 to 4096. In either case the traffic from the Front Line users to the Server Farm then goes over
the direct link between S2 and S3.
QUESTION 19
What two things occur when an RSTP edge port receives a BPDU? (Choose two.)
A. The port immediately transitions to the forwarding state.
B. The switch generates a Topology Change Notification BPDU.
C. The port immediately transitions to the err-disable state.
D. The port becomes a normal STP switch port.
Answer: BD
QUESTION 20
What is the effect of configuring the following command on a switch?
Switch(config) # spanning-tree portfast bpdufilter default
A. If BPDUs are received by a port configured for PortFast then PortFast is disabled and the BPDUs
are processed normally.
B. If BPDUs are received by a port configured for PortFast they are ignored and none are sent.
C. If BPDUs are received by a port configured for PortFast the port transitions to the forwarding state.
D. The command enables BPDU filtering on all ports regardless of whether they are configured for BPDU
filtering at the interface level.
Answer: A
Explanation:
Ordinarily STP operates on all switch ports in an effort to eliminate bridging loops before they can
form. BPDUs are sent on all switch ports--even ports where PortFast has been enabled. BPDUs
also can be received and processed if any are sent by neighboring switches. You always should
allow STP to run on a switch to prevent loops. However in special cases when you need to
prevent BPDUs from being sent or processed on one or more switch ports you can use BPDU
filtering to effectively disable STP on those ports. By default BPDU filtering is disabled on all
QUESTION 21
Refer to the exhibit. Based on the debug output which three statements about HSRP are true?
(Choose three.)
A. The final active router is the router with IP address 172.16.11.111.
B. The router with IP address 172.16.11.111 has preempt configured.
C. The priority of the router with IP address 172.16.11.112 is preferred over the router with IP address
172.16.11.111.
D. The IP address 172.16.11.115 is the virtual HSRP IP address.
E. The router with IP address 172.16.11.112 has nonpreempt configured.
F. The router with IP address 172.16.11.112 is using default HSRP priority.
Answer: ABD
Explanation:
Each router in an HSRP group has its own unique IP address assigned to an interface. This
address is used for all routing protocol and management traffic initiated by or destined to the router.
In addition each router has a common gateway IP address the virtual router address that is kept
alive by HSRP. This address is also referred to as the HSRP address or the standby address.
Clients can point to that virtual router address as their default gateway knowing that a router
always keeps that address active. Keep in mind that the actual interface address and the virtual
(standby) address must be configured to be in the same IP subnet. You can assign the HSRP
address with the following interface command:
Switch(config-if)# standby group ip ip-address [secondary]
When HSRP is used on an interface that has secondary IP addresses, you can add the secondary
keyword so that HSRP can provide a redundant secondary gateway address.
You can configure a router to preempt or immediately take over the active role if its priority is the
highest at any time. Use the following interface configuration command to allow preemption:
Switch(config-if)# standby group preempt [delay seconds]
By default the router can preempt another immediately, without delay. You can use the delay keyword
to force it to wait for seconds before becoming active. This is usually done when routing protocols
need time to converge.
QUESTION 22
Which two statements about HSRP, VRRP and GLBP are true? (Choose two.)
A. GLBP allows for router load balancing of traffic from a network segment without the different host
IP configurations needed to achieve the same results with HSRP.
B. GLBP allows for router load balancing of traffic from a network segment by utilizing the creation of
multiple standby groups.
C. GLBP and VRRP allow for MD5 authentication whereas HSRP does not.
D. Unlike HSRP and VRRP, GLBP allows automatic selection and simultaneous use of multiple available
gateways.
E. HSRP allows for multiple upstream active links being simultaneously used whereas GLBP does not.
Answer: AD
Explanation:
1. GLBP
To provide a virtual router multiple switches (routers) are assigned to a common GLBP group.
Rather than having just one active router performing forwarding for the virtual router address all
routers in the group can participate and offer load balancing by forwarding a portion of the overall
traffic.
2. VRRP
The Virtual Router Redundancy Protocol (VRRP) is a standards-based alternative to HSRP, originally
defined in IETF RFC 2338 (since updated by RFC 3768 and RFC 5798). VRRP is so similar to HSRP that
you need to learn only slightly different terminology and a couple of slight functional differences.
VRRP provides one redundant gateway address from a group of routers. The active router is called the
master router, while all others are in the backup state. The master router is the one with the
highest router priority in the VRRP group.
VRRP group numbers range from 1 to 255; router priorities range from 1 to 254 (254 is the highest,
100 is the default).
The virtual router MAC address is of the form 0000.5e00.01xx, where xx is the two-digit hex VRRP
group number.
VRRP advertisements are sent at 1-second intervals. Backup routers can optionally learn the
advertisement interval from the master router.
By default all VRRP routers are configured to preempt the current master router if their priorities
are greater.
The VRRP standard itself defines no mechanism for tracking interfaces to let a more capable router
take over the master role; Cisco IOS adds object tracking to VRRP as a vendor extension.
3. HSRP
HSRP is a Cisco-proprietary protocol developed to allow several routers (or multilayer switches) to
appear as a single gateway address. RFC 2281 describes this protocol in more detail. Basically
each of the routers that provides redundancy for a given gateway address is assigned to a
common HSRP group. One router is elected as the primary or active HSRP router another is
elected as the standby HSRP router and all the others remain in the listen HSRP state. The
routers exchange HSRP hello messages at regular intervals so they can remain aware of each
other's existence as well as that of the active router.
QUESTION 23
Refer to the exhibit. What does the command channel-group 1 mode desirable do?
A. enables LACP unconditionally
B. enables PAgP only if a PAgP device is detected
C. enables PAgP unconditionally
D. enables EtherChannel only
E. enables LACP only if an LACP device is detected
Answer: C
Explanation:
The command channel-group 1 mode desirable enables PAgP unconditionally on the interface
FastEthernet 0/13:
Switch (config-if)#channel-group 1 mode ?
Active Enable LACP unconditionally
Auto Enable PAgP only if a PAgP device is detected
Desirable Enable PAgP unconditionally
On Enable Etherchannel only
Passive Enable LACP only if a LACP device is detected
QUESTION 24
Refer to the exhibit. Which two problems are the most likely cause of the exhibited output?
(Choose two.)
A. spanning tree issues
B. HSRP misconfiguration
C. VRRP misconfiguration
D. physical layer issues
E. transport layer issues
Answer: BD
Explanation:
When you see this error it means the local router fails to receive HSRP hellos from the neighbor
router. The two things to check first are physical layer connectivity and the HSRP configuration.
An example of an HSRP misconfiguration is a mismatch of the HSRP standby group or standby IP
address between the two routers.
Another thing to check is mismatched VTP modes.
QUESTION 25
Refer to the exhibit. Which two statements are true? (Choose two.)
A. Interface gigabitethernet 0/1 has been configured as Layer 3 ports.
B. Interface gigabitethernet 0/1 does not appear in the show vlan output because switchport is enabled.
C. Interface gigabitethernet 0/1 does not appear in the show vlan output because it is configured as a
trunk interface.
D. VLAN2 has been configured as the native VLAN for the 802.1q trunk on interface gigabitethernet 0/1.
E. Traffic on VLAN 1 that is sent out gigabitethernet 0/1 will have an 802.1q header applied.
F. Traffic on VLAN 2 that is sent out gigabitethernet 0/1 will have an 802.1q header applied.
Answer: CF
Explanation:
From the output of show interface gigabitethernet 0/1 switchport command we can see this port is
currently configured as trunked port (Operational Mode: trunk) and uses 802.1q encapsulation. So
surely the "show vlan" command will not list this port -> C is correct.
Also from the first output we learned the native VLAN is VLAN 1 (Trunking Native Mode VLAN:1)
so only traffic from this VLAN is sent untagged -> traffic sent from VLAN 2 out this port will have an
802.1q header applied -> F is correct.
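Added example (not part of the original question set) covering questions 5, 16 and 25: the router-on-a-stick trunk that question 5 calls for, the switchport command from question 16, and a trunk whose native VLAN is set deliberately rather than left at VLAN 1 as in the question 25 output. Interface names, VLAN numbers and addresses are assumed.

```cisco
! ---- Router: one physical interface, one 802.1Q subinterface per VLAN (Q5) ----
interface FastEthernet0/0
 no ip address
 no shutdown
interface FastEthernet0/0.100
 encapsulation dot1Q 100
 ip address 10.100.0.1 255.255.255.0
interface FastEthernet0/0.200
 encapsulation dot1Q 200
 ip address 10.200.0.1 255.255.255.0
!
! ---- Switch: the port toward the router must be a trunk, and the trunk should be hardened ----
! Unused VLAN reserved as native so that no user VLAN rides the trunk untagged
vlan 999
 name UNUSED-NATIVE
! Tag the native VLAN too (where the platform supports it) so untagged frames on trunks are dropped,
! which removes the double-tagging VLAN-hopping trick
vlan dot1q tag native
interface FastEthernet0/1
 description Trunk to router (router-on-a-stick)
 ! on a multilayer switch "switchport" returns a routed port to Layer 2 (Q16); on L2-only switches it is the default
 switchport
 ! only needed on platforms that also support ISL
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! no DTP: a host on an access port must not be able to negotiate itself into a trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,200
!
! Verify: show interfaces fastethernet 0/1 switchport
!         (Operational Mode: trunk, Trunking Native Mode VLAN: 999) and show interfaces trunk
```

With this configuration every frame leaving Fa0/1 carries an 802.1Q header, including VLAN 1 and VLAN 999 (the case question 25 answers as "untagged" because that exhibit left the native VLAN at 1 without tag native). Both ends must agree on the native VLAN or CDP reports a native VLAN mismatch and the two native VLANs are bridged together.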
QUESTION 26
Refer to the exhibit and the partial configuration of switch SW_A and SW_B.
STP is configured on all switches in the network. SW_B receives this error message on the
console port:
00:06:34: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on
FastEthernet0/5 (not half duplex) with SW_A FastEthernet0/4 (half duplex)
with TBA05071417(Cat6K-B) 0/4 (half duplex).
What is the possible outcome of the problem?
A. The root port on switch SW_A will automatically transition to full-duplex mode.
B. The root port on switch SW_B will fall back to full-duplex mode.
C. The interfaces between switches SW_A and SW_B will transition to a blocking state.
D. Interface Fa 0/6 on switch SW_B will transition to a forwarding state and create a bridging loop.
Answer: D
Explanation:
If SW_B misses several BPDUs on port Fa0/5 because of the duplex mismatch (the half-duplex side
sees collisions and discards frames), it assumes the path to the root via Fa0/5 is lost and moves
port Fa0/6 to the forwarding state, creating a bridging loop.
QUESTION 27
Refer to the exhibit. Which statement is true?
A. IP traffic matching access list ABC is forwarded through VLANs 5-10.
B. IP traffic matching VLAN list 5-10 is forwarded and all other traffic is dropped.
C. All VLAN traffic matching VLAN list 5-10 is forwarded and all traffic matching access list ABC
is dropped.
D. All VLAN traffic in VLANs 5-10 that match access list ABC is forwarded and all other traffic is
dropped.
Answer: D
Explanation:
VLAN maps also known as VLAN ACLs or VACLs can filter all traffic traversing a switch. VLAN
maps can be configured on the switch to filter all packets that are routed into or out of a VLAN or
are bridged within a VLAN. VLAN maps are used strictly for security packet filtering. Unlike router
ACLs VLAN maps are not defined by direction (input or output).
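Added example (not part of the original question set): the VLAN map configuration that produces the behaviour in answer D, forward traffic in VLANs 5-10 that matches access list ABC and drop the rest. The map name, the ACL contents and the addresses are assumed; only the ACL name ABC and the VLAN list come from the question.

```cisco
! Extended ACL ABC selects the traffic that is allowed to pass (addresses assumed)
ip access-list extended ABC
 permit ip 10.5.0.0 0.0.255.255 any
 permit ip any 10.5.0.0 0.0.255.255
!
! Catch-all used by the final drop entry so that the drop applies only to IP packets
ip access-list extended ANY-IP
 permit ip any any
!
! VLAN map: entry 10 forwards packets matching ABC, entry 20 drops every other IP packet.
! An explicit final entry avoids relying on the map's implicit default action.
vlan access-map ABC-MAP 10
 match ip address ABC
 action forward
vlan access-map ABC-MAP 20
 match ip address ANY-IP
 action drop
!
! Apply to VLANs 5-10. VACLs have no direction and also filter traffic bridged inside the VLAN,
! unlike a router ACL on the SVI, which only sees traffic routed into or out of the VLAN.
vlan filter ABC-MAP vlan-list 5-10
!
! Verify: show vlan access-map, show vlan filter
```

The ANY-IP match on the final entry is deliberate. A drop entry with no match clause applies to every frame type, so it would also drop ARP inside VLANs 5-10 and the hosts there would lose IP connectivity entirely; packet types for which the map has no match clause (ARP, other non-IP) are forwarded by default.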
QUESTION 28
Which two statements about HSRP are true? (Choose two.)
A. Load sharing with HSRP is achieved by creating multiple subinterfaces on the HSRP routers.
B. Load sharing with HSRP is achieved by creating HSRP groups on the HSRP routers.
C. Routers configured for HSRP must belong only to one group per HSRP interface.
D. Routers configured for HSRP can belong to multiple groups and multiple VLANs.
E. All routers configured for HSRP load balancing must be configured with the same priority.
Answer: BD
Explanation:
HSRP is a Cisco-proprietary protocol developed to allow several routers (or multilayer switches) to
appear as a single gateway address. RFC 2281 describes this protocol in more detail. Basically
each of the routers that provides redundancy for a given gateway address is assigned to a
common HSRP group. One router is elected as the primary or active HSRP router another is
elected as the standby HSRP router and all the others remain in the listen HSRP state. The
routers exchange HSRP hello messages at regular intervals so they can remain aware of each
other's existence as well as that of the active router.
An HSRP group can be assigned an arbitrary group number from 0 to 255. If you configure HSRP
groups on several VLAN interfaces it can be handy to make the group number the same as the
VLAN number. However most Catalyst switches support only up to 16 unique HSRP group
numbers. If you have more than 16 VLANs you will quickly run out of group numbers. An
alternative is to make the group number the same (for example, 1) for every VLAN interface. This is
perfectly valid because HSRP groups are only locally significant on an interface: HSRP group 1 on
interface VLAN 10 is distinct from HSRP group 1 on interface VLAN 11.
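Added example (not part of the original question set) covering questions 6, 13, 17, 21, 22, 28 and 33: two HSRP groups on two distribution switches, each preferred active for one VLAN (load sharing across groups), with preemption, MD5 authentication and interface tracking. The switch names, VLANs, addresses, tracked interface and key are assumed. HSRP version 1 is kept (the default) so the virtual MACs are 0000.0c07.ac0a for group 10 and 0000.0c07.ac14 for group 20.

```cisco
! Assumed topology: DSW1 and DSW2 carry SVIs for VLAN 10 and VLAN 20 and share one core uplink each.
! DSW1 is preferred active for group 10, DSW2 for group 20 (Q28). Group number = VLAN number here.
! Losing the core uplink drops the priority by 30, below the peer's 90, so the peer preempts (Q17, Q21).
! Priorities are never equal by design; if they were, the higher interface IP would win (Q33).
! The "authentication md5" line answers Q22 option C: HSRP does support MD5, so C is false.
track 1 interface GigabitEthernet1/0/24 line-protocol
!
! ---- DSW1 ----
interface Vlan10
 ip address 10.10.0.2 255.255.255.0
 standby 10 ip 10.10.0.1
 standby 10 priority 110
 standby 10 preempt delay minimum 60
 standby 10 authentication md5 key-string Hsrp-Key-Assumed
 standby 10 track 1 decrement 30
interface Vlan20
 ip address 10.20.0.2 255.255.255.0
 standby 20 ip 10.20.0.1
 standby 20 priority 90
 standby 20 preempt delay minimum 60
 standby 20 authentication md5 key-string Hsrp-Key-Assumed
 standby 20 track 1 decrement 30
!
! ---- DSW2 (mirror image; the same track object is assumed to exist here) ----
interface Vlan10
 ip address 10.10.0.3 255.255.255.0
 standby 10 ip 10.10.0.1
 standby 10 priority 90
 standby 10 preempt delay minimum 60
 standby 10 authentication md5 key-string Hsrp-Key-Assumed
 standby 10 track 1 decrement 30
interface Vlan20
 ip address 10.20.0.3 255.255.255.0
 standby 20 ip 10.20.0.1
 standby 20 priority 110
 standby 20 preempt delay minimum 60
 standby 20 authentication md5 key-string Hsrp-Key-Assumed
 standby 20 track 1 decrement 30
!
! Verify: show standby brief (State, Pri, P flag when preempt is set, Active and Standby addresses);
!         show standby vlan 10 shows the virtual MAC 0000.0c07.ac0a (Q6, Q13)
```

The preempt delay gives the routing protocol time to converge after a reload before the switch takes the active role back. The MD5 key string matters from a security standpoint: without authentication any host on the VLAN can send HSRP hellos with priority 255 and become the gateway, and with the default plaintext key "cisco" it gains nothing.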
QUESTION 29
Which statement about 802.1x port-based authentication is true?
A. Hosts are required to have an 802.1x authentication client or utilize PPPoE.
B. Before transmitting data an 802.1x host must determine the authorization state of the switch.
C. RADIUS is the only supported authentication server type.
D. If a host initiates the authentication process and does not receive a response it assumes it is
not authorized.
Answer: C
Explanation:
The IEEE 802.1x standard defines a port-based access control and authentication protocol that
restricts unauthorized workstations from connecting to a LAN through publicly accessible switch
ports. The authentication server authenticates each workstation that is connected to a switch port
before making available any services offered by the switch or the LAN. Until the workstation is
authenticated 802.1x access control allows only Extensible Authentication Protocol over LAN
(EAPOL) traffic through the port to which the workstation is connected. After authentication
succeeds normal traffic can pass through the port.
Authentication server: Performs the actual authentication of the client. The authentication server
validates the identity of the client and notifies the switch whether or not the client is authorized to
access the LAN and switch services. Because the switch acts as the proxy the authentication
service is transparent to the client. The RADIUS security system with Extensible Authentication
Protocol (EAP) extensions is the only supported authentication server.
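Added example (not part of the original question set) covering questions 4, 7, 8 and 29: 802.1x with a RADIUS/EAP server on a multi-VLAN access port that carries a Cisco IP phone and the PC behind it. The server name, address and shared secret, the interface name and the VLAN numbers are assumed. The host-mode and authentication commands are the IOS 12.2(50)SE and later syntax; older images use dot1x port-control and dot1x host-mode instead.

```cisco
! AAA: RADIUS with EAP extensions is the only supported authentication server type (Q4, Q29)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
! RADIUS server definition (IOS 15.x syntax; on older images: radius-server host 10.1.1.10 key ...)
radius server ISE-1
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key RadiusSecret-Assumed
!
! Multi-VLAN access port: data VLAN 10 (PVID) plus voice VLAN 222 (VVID) on one port (Q7, Q8)
interface FastEthernet0/5
 description PC behind Cisco IP phone
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 222
 spanning-tree portfast
 ! authenticate the phone in the voice domain and the PC in the data domain as separate sessions
 ! (the Q8 text describes the older behaviour, where only the PVID was authenticated)
 authentication host-mode multi-domain
 ! try 802.1x first; after tx-period x max-reauth-req with no EAPOL reply, fall back to MAC
 ! Authentication Bypass, which still asks RADIUS, for hosts without a supplicant (Q4)
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 ! on a security violation keep the port up but drop the offending MAC, and log it
 authentication violation restrict
 dot1x pae authenticator
 dot1x timeout tx-period 10
 mab
!
! Verify: show authentication sessions interface fastethernet 0/5, show dot1x all
```

Until a session is authorized the port passes only EAPOL (and, once MAB is in play, the first frame needed to learn the MAC), which is the behaviour the explanation above describes. MAB is a weak control on its own, since a MAC address is trivially spoofed; it is a fallback for printers and similar devices, not a replacement for a supplicant.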
QUESTION 30
Refer to the exhibit. Switch S1 has been configured with the command spanning-tree mode
rapid-pvst. Switch S3 has been configured with the command spanning-tree mode mst. Switch S2
is running the IEEE 802.1D instance of Spanning Tree. What is the result?
A. IEEE 802.1w and IEEE 802.1s are compatible. IEEE 802.1d is incompatible. Switches S1 and S3
can pass traffic between themselves. Neither can pass traffic to switch S2.
B. Switches S1, S2 and S3 can pass traffic between themselves.
C. Switches S1, S2 and S3 can pass traffic between themselves. However, if the topology is changed,
switch S2 does not receive notification of the change.
D. IEEE 802.1d IEEE 802.1w and IEEE 802.1s are incompatible. All three switches must use the
same standard or no traffic can pass between any of the switches.
Answer: B
Explanation:
A switch running both MSTP and RSTP supports a built-in protocol migration mechanism that
enables it to interoperate with legacy 802.1D switches. If this switch receives a legacy 802.1D
configuration BPDU (a BPDU with the protocol version set to 0) it sends only 802.1D BPDUs on
that port. An MST switch can also detect that a port is at the boundary of a region when it receives
a legacy BPDU an MST BPDU (version 3) associated with a different region or an RST BPDU
(version 2).
However, the switch does not automatically revert to MSTP mode if it no longer receives 802.1D
BPDUs, because it cannot determine whether the legacy switch has been removed from the link unless
the legacy switch is the designated switch.
QUESTION 31
Which protocol allows for the automatic selection and simultaneous use of multiple available
gateways as well as automatic failover between those gateways?
A. IRDP
B. HSRP
C. GLBP
D. VRRP
Answer: C
Explanation:
To provide a virtual router multiple switches (routers) are assigned to a common GLBP group.
Rather than having just one active router performing forwarding for the virtual router address all
routers in the group can participate and offer load balancing by forwarding a portion of the overall
traffic. The advantage is that none of the clients have to be pointed toward a specific gateway
address--they can all have the same default gateway set to the virtual router IP address. The load
balancing is provided completely through the use of virtual router MAC addresses in ARP replies
returned to the clients. As a client sends an ARP request looking for the virtual router address
GLBP sends back an ARP reply with the virtual MAC address of a selected router in the group.
The result is that all clients use the same gateway address but have differing MAC addresses for
it.
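Added example (not part of the original question set) for the GLBP behaviour described above and in question 22: one GLBP group on two distribution switches, with the round-robin ARP-reply load balancing, MD5 authentication and weighting tied to an uplink. Switch roles, VLAN, addresses, tracked interface and key are assumed. For group 1 the forwarder virtual MACs handed out in ARP replies are 0007.b400.0101 and 0007.b400.0102.

```cisco
! Assumed: DSW1 and DSW2 share VLAN 30; clients all use 10.30.0.1 as their gateway but resolve it
! to different virtual MACs, so both switches forward traffic at the same time.
track 1 interface GigabitEthernet1/0/24 line-protocol
!
! ---- DSW1: preferred Active Virtual Gateway (highest priority plus preempt) ----
interface Vlan30
 ip address 10.30.0.2 255.255.255.0
 glbp 1 ip 10.30.0.1
 glbp 1 priority 110
 glbp 1 preempt delay minimum 30
 ! round-robin is the default; host-dependent keeps a given client on one forwarder, weighted skews by weight
 glbp 1 load-balancing round-robin
 glbp 1 authentication md5 key-string Glbp-Key-Assumed
 ! a forwarder stops accepting the AVF role when its weight falls below 80 and resumes above 90
 glbp 1 weighting 100 lower 80 upper 90
 glbp 1 weighting track 1 decrement 30
!
! ---- DSW2 (same track object assumed) ----
interface Vlan30
 ip address 10.30.0.3 255.255.255.0
 glbp 1 ip 10.30.0.1
 glbp 1 preempt delay minimum 30
 glbp 1 load-balancing round-robin
 glbp 1 authentication md5 key-string Glbp-Key-Assumed
 glbp 1 weighting 100 lower 80 upper 90
 glbp 1 weighting track 1 decrement 30
!
! Verify: show glbp brief (AVG role, AVF roles and the virtual MAC each forwarder owns)
```

Because the AVG answers every ARP request for the gateway address, an attacker who can win the AVG election controls which MAC every client sends its traffic to; the MD5 authentication line is the control that prevents an unauthenticated peer from joining the group.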
QUESTION 32
You are the administrator of a switch and currently all host-connected ports are configured with the
portfast command. You have received a new directive from your manager that states that in the
future any host-connected port that receives a BPDU should automatically disable PortFast and
begin transmitting BPDUs. Which command will support this new requirement?
A. Switch(config)#spanning-tree portfast bpduguard default
B. Switch(config-if)#spanning-tree bpduguard enable
C. Switch(config-if)#spanning-tree bpdufilter enable
D. Switch(config)#spanning-tree portfast bpdufilter default
Answer: D
Explanation:
BPDU filtering, enabled either per interface with spanning-tree bpdufilter enable or globally with
spanning-tree portfast bpdufilter default, prevents Bridge Protocol Data Units from being sent or
received on PortFast-enabled interfaces.
To enable BPDU filtering in global configuration mode:
Device1(config)#spanning-tree portfast bpdufilter default
Be careful when enabling BPDU filtering: the behaviour differs between per-port and global
configuration. When enabled globally, BPDU filtering is applied only to ports that are in an
operational PortFast state. Those ports still send a few BPDUs at link-up before they start filtering
outbound BPDUs. If a BPDU is received on such an edge port, the port immediately loses its
operational PortFast status and BPDU filtering is disabled, so it runs STP normally and starts
transmitting BPDUs, which is exactly the requirement. The per-port spanning-tree bpdufilter enable
command, by contrast, silently drops received BPDUs and never sends any, so it would not meet the
requirement and can allow a loop to form undetected.
QUESTION 33
Which two statements about the HSRP priority are true? (Choose two)
A. To assign the HSRP router priority in a standby group, the standby group-number priority priority-value
global configuration command must be used.
B. The default priority of a router is zero (0).
C. The no standby priority command assigns a priority of 100 to the router.
D. Assuming that preempting has also been configured, the router with the lowest priority in an HSRP
group would become the active router.
E. When two routers in an HSRP standby group are configured with identical priorities, the router with
the highest configured IP address will become the active router.
Answer: CE
QUESTION 34
Which command can be issued without interfering with the operation of loop guard?
A. Switch(config-if)#spanning-tree guard root
B. Switch(config-if)#spanning-tree portfast
C. Switch(config-if)#switchport mode trunk
D. Switch(config-if)#switchport mode access
Answer: C
Explanation:
The spanning-tree guard root command cannot be enabled together with loop guard. The loop guard
feature is supposed to be used on the port receiving BPDUs, and root guard will shut down the port
as soon as the first BPDU comes to that port.
Configuring portfast on the port connected to the other switch can create a temporary loop.
Configuring access mode on the port can filter BPDUs from other VLANs from coming to the port
and force the loop guard feature to put this port into the error-disabled state. So the only command
that can be issued without interfering with the operation of loop guard is "switchport mode trunk".
QUESTION 35
Refer to the exhibit. On the basis of the information provided in the exhibit, which two sets of
procedures are best practices for Layer 2 and 3 failover alignment? (Choose two.)
A. Configure the D-SW1 switch as the active HSRP router and the STP root for all VLANs.
Configure the D-SW2 switch as the standby HSRP router and backup STP root for all VLANs.
B. Configure the D-SW1 switch as the standby HSRP router and the STP root for VLANs 11 and 110.
Configure the D-SW2 switch as the standby HSRP router and the STP root for VLANs 12 and 120.
C. Configure the D-SW1 switch as the active HSRP router and the STP root for VLANs 11 and 110.
Configure the D-SW2 switch as the active HSRP router and the STP root for VLANs 12 and 120.
D. Configure the D-SW2 switch as the active HSRP router and the STP root for all VLANs.
Configure the D-SW1 switch as the standby HSRP router and backup STP root for all VLANs.
E. Configure the D-SW1 switch as the active HSRP router and the backup STP root for VLANs 11 and 110.
Configure the D-SW2 switch as the active HSRP router and the backup STP root for VLANs 12 and 120.
F. Configure the D-SW1 switch as the standby HSRP router and the backup STP root for VLANs 12 and 120.
Configure the D-SW2 switch as the standby HSRP router and the backup STP root for VLANs 11 and 110.
Answer: CD
Explanation:
The "best practices for Layer 2 and 3 failover alignment" here means using HSRP load sharing,
where different VLANs use different active routers to load balance the traffic.
To load share with HSRP, we can divide traffic into two HSRP groups, where one group assigns
the active state to one switch and the other group assigns the active state to the other switch.

QUESTION 36
Which statement is true about RSTP topology changes?
A. Any change in the state of the port generates a TC BPDU.
B. Only nonedge ports moving to the forwarding state generate a TC BPDU.
C. If either an edge port or a nonedge port moves to a block state then a TC BPDU is generated.
D. Only edge ports moving to the blocking state generate a TC BPDU.
E. Any loss of connectivity generates a TC BPDU.

Answer: B
Explanation:
The IEEE 802.1D Spanning Tree Protocol was designed to keep a switched or bridged network
loop free, with adjustments made to the network topology dynamically. A topology change typically
takes 30 seconds, where a port moves from the Blocking state to the Forwarding state after two
intervals of the Forward Delay timer. As technology has improved, 30 seconds has become an
unbearable length of time to wait for a production network to fail over or "heal" itself during a
problem.
Topology Changes and RSTP
Recall that when an 802.1D switch detects a port state change (either up or down), it signals the
Root Bridge by sending topology change notification (TCN) BPDUs. The Root Bridge must then
signal a topology change by sending out a TCN message that is relayed to all switches in the STP
domain. RSTP detects a topology change only when a nonedge port transitions to the Forwarding
state. This might seem odd because a link failure is not used as a trigger. RSTP uses all of its
rapid convergence mechanisms to prevent bridging loops from forming. Therefore, topology
changes are detected only so that bridging tables can be updated and corrected as hosts appear
first on a failed port and then on a different functioning port. When a topology change is detected,
a switch must propagate news of the change to other switches in the network so they can correct
their bridging tables too. This process is similar to the convergence and synchronization
mechanism: topology change (TC) messages propagate through the network in an ever-expanding
wave.

QUESTION 37
Refer to the exhibit. Which four statements about this GLBP topology are true? (Choose four.)
A. Router A is responsible for answering ARP requests sent to the virtual IP address.
B. If router A becomes unavailable, router B forwards packets sent to the virtual MAC address of router A.
C. If another router is added to this GLBP group, there would be two backup AVGs.
D. Router B is in GLBP listen state.
E. Router A alternately responds to ARP requests with different virtual MAC addresses.
F. Router B transitions from blocking state to forwarding state when it becomes the AVG.

Answer: ABCE
Explanation:
With GLBP the following is true:
With GLBP there is 1 AVG and 1 standby VG. In this case Company1 is the AVG and Company2 is
the standby. Company2 would act as a VF and would already be forwarding and routing packets.
Any additional routers would be in a listen state.
In the role of the Active VG, and for load balancing, Company1 responds to ARP requests with
different virtual MAC addresses.
In this scenario Company2 is the Standby VF for the VMAC 0008.b400.0101 and would become
the Active VF if Company1 were down.
In the role of the Active VG, the primary responsibility is to

QUESTION 38
Which description correctly describes a MAC address flooding attack?
A. The attacking device crafts ARP replies intended for valid hosts.
The MAC address of the attacking device then becomes the destination address found in the
Layer 2 frames sent by the valid network device.
B. The attacking device crafts ARP replies intended for valid hosts.
The MAC address of the attacking device then becomes the source address found in the Layer 2
frames sent by the valid network device.
C. The attacking device spoofs a destination MAC address of a valid host currently in the CAM table.
The switch then forwards frames destined for the valid host to the attacking device.
D. The attacking device spoofs a source MAC address of a valid host currently in the CAM table.
The switch then forwards frames destined for the valid host to the attacking device.
E. Frames with unique invalid destination MAC addresses flood the switch and exhaust CAM table space.
The result is that new entries cannot be inserted because of the exhausted CAM table space and
traffic is subsequently flooded out all ports.
F. Frames with unique invalid source MAC addresses flood the switch and exhaust CAM table space.
The result is that new entries cannot be inserted because of the exhausted CAM table space and traffic
is subsequently flooded out all ports.
Answer: F
Explanation:
A common Layer 2 or switch attack is MAC flooding, resulting in a switch's CAM table overflow,
which causes flooding of regular data frames out all switch ports. This attack can be launched for
the malicious purpose of collecting a broad sample of traffic or as a denial of service (DoS) attack.
A switch's CAM tables are limited in size and therefore can contain only a limited number of
entries at any one time. A network intruder can maliciously flood a switch with a large number of
frames from a range of invalid source MAC addresses. If enough new entries are made before old
ones expire, new valid entries will not be accepted. Then, when traffic arrives at the switch for a
legitimate device that is located on one of the switch ports that was not able to create a CAM table
entry, the switch must flood frames to that address out all ports. This has two adverse effects:
The switch traffic forwarding is inefficient and voluminous.
An intruding device can be connected to any switch port and capture traffic that is not normally
seen on that port.
If the attack is launched before the beginning of the day, the CAM table would be full when the
majority of devices are powered on. Then frames from those legitimate devices are unable to
create CAM table entries as they power on. If this represents a large number of network devices,
the number of MAC addresses for which traffic will be flooded will be high, and any switch port will
carry flooded frames from a large number of devices.
QUESTION 39
Refer to the exhibit. Which VRRP statement about the roles of the master virtual router and the
backup virtual router is true?
A. Router A is the master virtual router and router B is the backup virtual router.
When router A fails router B becomes the master virtual router.
When router A recovers router B maintains the role of master virtual router.
B. Router A is the master virtual router and router B is the backup virtual router.
When router A fails router B becomes the master virtual router.
When router A recovers it regains the master virtual router role.
C. Router B is the master virtual router and router A is the backup virtual router.
When router B fails router A becomes the master virtual router.
When router B recovers router A maintains the role of master virtual router.
D. Router B is the master virtual router and router A is the backup virtual router.
When router B fails router A becomes the master virtual router.
When router B recovers it regains the master virtual router role.
Answer: B
Explanation:
An important aspect of the VRRP redundancy scheme is VRRP router priority. Priority determines
the role that each VRRP router plays and what happens if the master virtual router fails.
If a VRRP router owns the IP address of the virtual router and the IP address of the physical
interface, this router functions as a master virtual router. Priority also determines if a VRRP router
functions as a backup virtual router and determines the order of ascendancy to becoming a master
virtual router if the master virtual router fails. You can configure the priority of each backup virtual
router with a value of 1 through 254 using the vrrp priority command.
For example, if Router A, the master virtual router in a LAN topology, fails, an election process
takes place to determine if backup virtual Routers B or C should take over. If Routers B and C are
configured with the priorities of 101 and 100 respectively, Router B is elected to become master
virtual router because it has the higher priority. If Routers B and C are both configured with the
priority of 100, the backup virtual router with the higher IP address is elected to become the master
virtual router.
By default, a preemptive scheme is enabled whereby a higher-priority backup virtual router that
becomes available takes over for the backup virtual router that was elected to become master
virtual router. You can disable this preemptive scheme using the no vrrp preempt command. If
preemption is disabled, the backup virtual router that is elected to become master virtual router
remains the master until the original master virtual router recovers and becomes master again.
QUESTION 40
Refer to the exhibit. An attacker is connected to interface Fa0/11 on switch A-SW2 and attempts to
establish a DHCP server for a man-in-the-middle attack. Which recommendation, if followed, would
mitigate this type of attack?
A. All switch ports in the Building Access block should be configured as DHCP trusted ports.
B. All switch ports in the Building Access block should be configured as DHCP untrusted ports.
C. All switch ports connecting to hosts in the Building Access block should be configured as DHCP
trusted ports.
D. All switch ports connecting to hosts in the Building Access block should be configured as DHCP
untrusted ports.
E. All switch ports in the Server Farm block should be configured as DHCP untrusted ports.
F. All switch ports connecting to servers in the Server Farm block should be configured as DHCP
untrusted ports.
Answer: D
Explanation:
One of the ways that an attacker can gain access to network traffic is to spoof responses that
would be sent by a valid DHCP server. The DHCP spoofing device replies to client DHCP requests.
The legitimate server may reply also, but if the spoofing device is on the same segment as the
client, its reply to the client may arrive first. The intruder's DHCP reply offers an IP address and
supporting information that designates the intruder as the default gateway or Domain Name
System (DNS) server. In the case of a gateway, the clients will then forward packets to the
attacking device, which will in turn send them to the desired destination. This is referred to as a
"man-in-the-middle" attack, and it may go entirely undetected as the intruder intercepts the data
flow through the network. Untrusted ports are those that are not explicitly configured as trusted. A
DHCP binding table is built for untrusted ports. Each entry contains the client MAC address, IP
address, lease time, binding type, VLAN number, and port ID, recorded as clients make DHCP
requests. The table is then used to filter subsequent DHCP traffic. From a DHCP snooping
perspective, untrusted access ports should not send any DHCP server responses such as
DHCPOFFER, DHCPACK, or DHCPNAK.
QUESTION 41
Refer to the exhibit. The web servers WS_1 and WS_2 need to be accessed by external and
internal users. For security reasons, the servers should not communicate with each other,
although they are located on the same subnet. However, the servers do need to communicate with
a database server located in the inside network. Which configuration isolates the servers from
each other?
A. The switch ports 3/1 and 3/2 are defined as secondary VLAN isolated ports. The ports connecting to
the two firewalls are defined as primary VLAN promiscuous ports.
B. The switch ports 3/1 and 3/2 are defined as secondary VLAN community ports. The ports connecting
to the two firewalls are defined as primary VLAN promiscuous ports.
C. The switch ports 3/1 and 3/2 and the ports connecting to the two firewalls are defined as primary VLAN
promiscuous ports.
D. The switch ports 3/1 and 3/2 and the ports connecting to the two firewalls are defined as primary VLAN
community ports.
Answer: A
Explanation:
Service providers often have devices from multiple clients, in addition to their own servers, on a
single Demilitarized Zone (DMZ) segment or VLAN. As security issues proliferate, it becomes
necessary to provide traffic isolation between devices even though they may exist on the same
Layer 3 segment and VLAN. Catalyst 6500/4500 switches implement PVLANs to keep some
switch ports shared and some switch ports isolated, although all ports exist on the same VLAN.
The 2950 and 3550 support "protected ports," which provide functionality similar to PVLANs on a
per-switch basis.
A port in a PVLAN can be one of three types:
Isolated: An isolated port has complete Layer 2 separation from other ports within the same
PVLAN except for the promiscuous port. PVLANs block all traffic to isolated ports except the
traffic from promiscuous ports. Traffic received from an isolated port is forwarded to only
promiscuous ports.
Promiscuous: A promiscuous port can communicate with all ports within the PVLAN, including the
community and isolated ports. The default gateway for the segment would likely be hosted on a
promiscuous port, given that all devices in the PVLAN will need to communicate with that port.
Community: Community ports communicate among themselves and with their promiscuous ports.
These interfaces are isolated at Layer 2 from all other interfaces in other communities or in
isolated ports within their PVLAN.
QUESTION 42
What does the command "udld reset" accomplish?
A. allows a UDLD port to automatically reset when it has been shut down
B. resets all UDLD enabled ports that have been shut down
C. removes all UDLD configurations from interfaces that were globally enabled
D. removes all UDLD configurations from interfaces that were enabled per-port
Answer: B
Explanation:
When a unidirectional link condition is detected, UDLD puts the port in the error-disabled state. To
re-enable all ports that UDLD has error-disabled, the following command is used:
Switch# udld reset
QUESTION 43
Which statement is true about Layer 2 security threats?
A. MAC spoofing in conjunction with ARP snooping is the most effective counter-measure against
reconnaissance attacks that use Dynamic ARP Inspection to determine vulnerable attack points.
B. DHCP snooping sends unauthorized replies to DHCP queries.
C. ARP spoofing can be used to redirect traffic to counter Dynamic ARP Inspection.
D. Dynamic ARP Inspection in conjunction with ARP spoofing can be used to counter DHCP snooping
attacks.
E. MAC spoofing attacks allow an attacking device to receive frames intended for a different network host.
F. Port scanners are the most effective defense against Dynamic ARP Inspection.
Answer: E
Explanation:
First of all, MAC spoofing is not an effective countermeasure against any reconnaissance attack;
it IS an attack! Furthermore, reconnaissance attacks don't use Dynamic ARP Inspection (DAI); DAI
is a switch feature used to prevent attacks.
QUESTION 44
Refer to the exhibit. Dynamic ARP Inspection is enabled only on switch SW_A. Host_A and
Host_B acquire their IP addresses from the DHCP server connected to switch SW_A. What would
the outcome be if Host_B initiated an ARP spoof attack toward Host_A?
A. The spoof packets are inspected at the ingress port of switch SW_A and are permitted.
B. The spoof packets are inspected at the ingress port of switch SW_A and are dropped.
C. The spoof packets are not inspected at the ingress port of switch SW_A and are permitted.
D. The spoof packets are not inspected at the ingress port of switch SW_A and are dropped.
Answer: C
Explanation:
When configuring DAI, follow these guidelines and restrictions:
DAI is an ingress security feature; it does not perform any egress checking.
DAI is not effective for hosts connected to routers that do not support DAI or that do not have this
feature enabled. Because man-in-the-middle attacks are limited to a single Layer 2 broadcast
domain, separate the domain with DAI checks from the one with no checking. This action secures
the ARP caches of hosts in the domain enabled for DAI.
DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address
bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to
permit ARP packets that have dynamically assigned IP addresses.
When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to
deny packets.
DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
In our example, since Company2 does not have DAI enabled (bullet point 2 above), packets will not
be inspected and they will be permitted.
QUESTION 45
What does the global configuration command "ip arp inspection vlan 10-12 15" accomplish?
A. validates outgoing ARP requests for interfaces configured on VLAN 10 11 12 or 15
B. intercepts all ARP requests and responses on trusted ports
C. intercepts logs and discards ARP packets with invalid IP-to-MAC address bindings
D. discards ARP packets with invalid IP-to-MAC address bindings on trusted ports
Answer: C
Explanation:
The "ip arp inspection" command enables Dynamic ARP Inspection (DAI) for the specified VLANs.
DAI is a security feature that validates Address Resolution Protocol (ARP) packets in a network.
DAI allows a network administrator to intercept, log, and discard ARP packets with invalid MAC
address to IP address bindings. This capability protects the network from certain "man-in-the-middle"
attacks.
QUESTION 46
Refer to the exhibit. Host A has sent an ARP message to the default gateway IP address
10.10.10.1. Which statement is true?
A. Because of the invalid timers that are configured DSw1 does not reply.
B. DSw1 replies with the IP address of the next AVF.
C. DSw1 replies with the MAC address of the next AVF.
D. Because of the invalid timers that are configured DSw2 does not reply.
E. DSw2 replies with the IP address of the next AVF.
F. DSw2 replies with the MAC address of the next AVF.

Answer: F
Explanation:
The Gateway Load Balancing Protocol (GLBP) is a Cisco-proprietary protocol designed to
overcome the limitations of existing redundant router protocols. Some of the concepts are the
same as with HSRP/VRRP, but the terminology is different and the behavior is much more
dynamic and robust.
The trick behind this load balancing lies in the GLBP group. One router is elected the active virtual
gateway (AVG). This router has the highest priority value, or the highest IP address in the group if
there is no highest priority. The AVG answers all ARP requests for the virtual router address.
Which MAC address it returns depends on which load-balancing algorithm it is configured to use.
In any event, the virtual MAC address supported by one of the routers in the group is returned.
According to the exhibit, Router Company2 is the Active Virtual Gateway (AVG) because it has the
highest IP address, even with equal priority. When Router Company1 sends the ARP message to
10.10.10.1, Router Company2 will reply to Company1 as the Active Virtual Router.

QUESTION 47
When configuring private VLANs which configuration task must you do first?
A. Configure the private VLAN port parameters.
B. Configure and map the secondary VLAN to the primary VLAN.
C. Disable IGMP snooping.
D. Set the VTP mode to transparent.

Answer: D
Explanation:
When you configure private VLANs, the switch must be in VTP transparent mode. Because VTP
does not support private VLANs, you must manually configure private VLANs on all switches in the
Layer 2 network. If you do not configure the primary and secondary VLAN association in some
switches in the network, the Layer 2 databases in these switches are not merged. This can result
in unnecessary flooding of private-VLAN traffic on those switches.

QUESTION 48
Which statement about the configuration and application of port access control lists is true?
A. PACLs can be applied in the inbound or outbound direction of a Layer 2 physical interface.
B. At Layer 2 a MAC address PACL takes precedence over any existing Layer 3 PACL.
C. When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port.
D. PACLs are not supported on EtherChannel interfaces.
Answer: C
Explanation:
The PACL feature provides the ability to perform access control on specific Layer 2 ports. A Layer
2 port is a physical LAN or trunk port that belongs to a VLAN. PACLs are applied only on the
ingress traffic. The PACL feature is supported only in hardware (PACLs are not applied to any
packets routed in software). When you create a PACL, an entry is created in the ACL TCAM. You
can use the show tcam counts command to see how much TCAM space is available. The PACL
feature does not affect Layer 2 control packets received on the port.
QUESTION 49
Refer to the exhibit. Which statement about the command output is true?
A. If the number of devices attempting to access the port exceeds 11, the port shuts down for 20 minutes
as configured.
B. The port has security enabled and has shut down due to a security violation.
C. The port is operational and has reached its configured maximum allowed number of MAC addresses.
D. The port allows access for 11 MAC addresses in addition to the three configured MAC addresses.
Answer: C
Explanation:
The port is operational (Port status: SecureUp) and has reached its configured maximum allowed
number of MAC addresses (Maximum MAC addresses: 11, Total MAC addresses: 11).
QUESTION 50
Which statement best describes implementing a Layer 3 EtherChannel?
A. EtherChannel is a Layer 2 feature and not a Layer 3 feature.
B. Implementation requires switchport mode trunk and matching parameters between switches.
C. Implementation requires disabling switchport mode.
D. A Layer 3 address is assigned to the physical interface.
Answer: C
Explanation:
To enable Layer 3 EtherChannel, all interfaces participating in channel creation must be in routing
mode. To move an interface from switching mode to routing mode, use the command no
switchport.
QUESTION 51
Refer to the exhibit. Which statement best describes first-hop redundancy protocol status?
A. The first-hop redundancy protocol is not configured for this interface.
B. HSRP is configured for group 10.
C. HSRP is configured for group 11.
D. VRRP is configured for group 10.
E. VRRP is configured for group 11.
F. GLBP is configured with a single AVF.

Answer: C
Explanation:
The MAC address will be a virtual MAC address composed of 0000.0C07.ACxy, where xy is the HSRP
group number in hexadecimal for the respective interface. In the following line the xy value is 0b,
which means the virtual group is 11: Internet 172.16.233.19 0000.0c07.ac0b ARPA
Vlan10. So the answer "HSRP is configured for group 11" is correct.

QUESTION 52
Which statement about when standard access control lists are applied to an interface to control
inbound or outbound traffic is true?
A. The best match of the ACL entries is used for granularity of control.
B. They use source IP information for matching operations.
C. They use source and destination IP information for matching operations.
D. They use source IP information along with protocol-type information for finer granularity of control.
Answer: B
Explanation:
http://www.cs.odu.edu/~csi/cisco/router_configuration/access_list.html (see create standard
access lists)
QUESTION 53
Refer to the exhibit. You have configured an interface to be an SVI for Layer 3 routing capabilities.
Assuming that all VLANs have been correctly configured, what can be determined?
A. Interface gigabitethernet0/2 will be excluded from Layer 2 switching and enabled for Layer 3 routing.
B. The command switchport autostate exclude should be entered in global configuration mode, not
subinterface mode, to enable a Layer 2 port to be configured for Layer 3 routing.
C. The configured port is excluded in the calculation of the status of the SVI.
D. The interface is missing IP configuration parameters; therefore it will only function at Layer 2.
Answer: C
Explanation:
The SVI Autostate exclude feature shuts down (or brings up) the Layer 3 interfaces of a switch
when the following port configuration changes occur:
When the last port on a VLAN goes down, the Layer 3 interface on that VLAN is shut down (SVI autostated).
When the first port on the VLAN is brought back up, the Layer 3 interface on the VLAN that was
previously shut down is brought up.
SVI Autostate exclude enables you to exclude the access ports/trunks in defining the status of the
SVI (up or down), even if they belong to the same VLAN. Moreover, even if the excluded access
port/trunk is in the up state and the other ports in the VLAN are in the down state, the SVI state is changed to
down. At least one port in the VLAN should be up and not excluded to make the SVI state "up."
This helps to exclude the monitoring port status when you are determining the status of the SVI.
QUESTION 54
Refer to the exhibit. Which two statements about this Layer 3 security configuration example are
true? (Choose two.)
A. Static IP source binding can be configured only on a routed port.
B. Source IP and MAC filtering on VLANs 10 and 11 will occur.
C. DHCP snooping will be enabled automatically on the access VLANs.
D. IP Source Guard is enabled.
E. The switch will drop the configured MAC and IP address source bindings and forward all other traffic.
Answer: BD
Explanation:
Cisco Catalyst switches can use the IP source guard feature to detect and suppress address
spoofing attacks, even if they occur within the same subnet. IP source guard does this by making
use of the DHCP snooping database as well as static IP source binding entries. If DHCP snooping
is configured and enabled, the switch learns the MAC and IP addresses of hosts that use DHCP.
Packets arriving on a switch port can be tested for one of the following conditions:
The source IP address must be identical to the IP address learned by DHCP snooping or a static
entry. A dynamic port ACL is used to filter traffic. The switch automatically creates this ACL, adds
the learned source IP address to the ACL, and applies the ACL to the interface where the address
is learned.
The source MAC address must be identical to the MAC address learned on the switch port and by
DHCP snooping. Port security is used to filter traffic. For the hosts that don't use DHCP, you can
configure a static IP source binding with the following configuration command:
Switch(config)#ip source binding mac-address vlan vlan-id ip-address interface type mod/num
Here the host's MAC address is bound to a specific VLAN and IP address and is expected to be
found on a specific switch interface. Next, enable IP source guard on one or more switch
interfaces with the following configuration commands:
Switch(config)#interface type mod/num
Switch(config-if)#ip verify source [port-security]
The ip verify source command will inspect the source IP address only. You can add the port-security
keyword to inspect the source MAC address too.
QUESTION 55
Refer to the exhibit. Which statement is true?
A. Cisco Express Forwarding load balancing has been disabled.
B. SVI VLAN 30 connects directly to the 10.1.30.0/24 network due to a valid glean adjacency.
C. VLAN 30 is not operational because no packet or byte counts are indicated.
D. The IP Cisco Express Forwarding configuration is capable of supporting IPv6.
Answer: B
Explanation:
Based on the output shown, VLAN 30 connects directly to the 10.1.30.0/24 network and the glean
adjacency is valid. When a router is connected directly to several hosts, the FIB table on the router
maintains a prefix for the subnet rather than for the individual host prefixes. The subnet prefix
points to a glean adjacency. When packets need to be forwarded to a specific host, the adjacency
database is gleaned for the specific prefix.
QUESTION 56
Which two components should be part of a security implementation plan? (Choose two.)
A. detailed list of personnel assigned to each task within the plan
B. a Layer 2 spanning-tree design topology
C. rollback guidelines
D. placing all unused access ports in VLAN 1 to proactively manage port security
E. enabling SNMP access to Cisco Discovery Protocol data for logging and forensic analysis
Answer: BC
Explanation:
The Cisco recommendation for the security implementation plan includes two components:
A documented rollback plan should be part of any implementation plan.
A Layer 2 spanning tree design topology should be part of a security implementation plan.
QUESTION 57
When creating a network security solution which two pieces of information should you have
obtained previously to assist in designing the solution? (Choose two.)
A. a list of existing network applications currently in use on the network
B. network audit results to uncover any potential security holes
C. a planned Layer 2 design solution
D. a proof-of-concept plan
E. device configuration templates
Answer: AB
Explanation:
Cisco specific recommendations for designing a security solution for a network include the two
points:
Make sure you have a list of the applications running in the environment
Have a network audit
QUESTION 58
What action should you be prepared to take when verifying a security solution?
A. having alternative addressing and VLAN schemes
B. having a rollback plan in case of unwanted or unexpected results
C. running a test script against all possible security threats to ensure that the solution will mitigate all
potential threats
D. isolating and testing each security domain individually to ensure that the security design will meet
overall requirements when placed into production as an entire system
Answer: B
Explanation:
Verifying a security solution includes two points:
Verification of an implemented security solution requires results from audit testing of the
implemented solution
Verification that a documented rollback plan exists
QUESTION 59
When you enable port security on an interface that is also configured with a voice VLAN what is
the maximum number of secure MAC addresses that should be set on the port?
A. No more than one secure MAC address should be set.
B. The default is set.
C. The IP phone should use a dedicated port therefore only one MAC address is needed per port.
D. No value is needed if the switchport priority extend command is configured.
E. No more than two secure MAC addresses should be set.
Answer: E
Explanation:
Usually an IP phone needs two MAC addresses, one for the voice VLAN and one for the access
VLAN. If you don't want other devices to access this port, then you should not set more than two
secure MAC addresses.
Below is an example for this configuration:
Switch(config)# interface fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security maximum 1 vlan voice
Switch(config-if)# switchport port-security maximum 1 vlan access
! Configure static sticky MAC addresses for these VLANs
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0002 vlan voice
QUESTION 60
Refer to the exhibit. From the configuration shown what can be determined?
A. The sticky addresses are only those manually configured MAC addresses enabled with the sticky
keyword.
B. The remaining secure MAC addresses are learned dynamically converted to sticky secure MAC
addresses and added to the running configuration.
C. A voice VLAN is configured in this example so port security should be set for a maximum of 2.
D. A security violation restricts the number of addresses to a maximum of 10 addresses per access VLAN
and voice VLAN. The port is shut down if more than 10 devices per VLAN attempt to access the port.
Answer: B
Explanation:
By enabling sticky port security you can configure an interface to convert the dynamic MAC
addresses to sticky secure MAC addresses and to add them to the running configuration. You
might want to do this if you do not expect the user to move to another port and you want to avoid
statically configuring a MAC address on every port. To enable sticky port security enter the
switchport port-security mac-address sticky command. When you enter this command the
interface converts all the dynamic secure MAC addresses including those that were dynamically
learned before sticky learning was enabled to sticky secure MAC addresses. The sticky secure
MAC addresses do not automatically become part of the configuration file which is the startup
configuration used each time the switch restarts. If you save the running config file to the
configuration file the interface does not need to relearn these addresses when the switch restarts.
If you do not save the configuration they are lost.
QUESTION 61
hostname Switch1
interface Vlan10
ip address 172.16.10.32 255.255.255.0
no ip redirects
standby 1 ip 172.16.10.110
standby 1 timers msec 200 msec 700
standby 1 preempt
hostname Switch2
interface Vlan10
ip address 172.16.10.33 255.255.255.0
no ip redirects
standby 1 ip 172.16.10.110
standby 1 timers msec 200 msec 750
standby 1 priority 110
standby 1 preempt
hostname Switch3
interface Vlan10
ip address 172.16.10.34 255.255.255.0
no ip redirects
standby 1 ip 172.16.10.110
standby 1 timers msec 200 msec 750
standby 1 priority 150
standby 1 preempt
Refer to the above. Three switches are configured for HSRP.
Switch1 remains in the HSRP listen state. What is the most likely cause of this status?
A. This is normal operation.
B. The standby group number does not match the VLAN number.
C. IP addressing is incorrect.
D. Priority commands are incorrect.
E. Standby timers are incorrect.
Answer: A
Explanation:
This is expected behavior. When HSRP is configured on an interface the router progresses
through a series of states before becoming active. This forces a router to listen for others in a
group and see where it fits into the pecking order. Devices participating in HSRP must progress
their interfaces through the following state sequence:
1. Disabled
2. Init
3. Listen
4. Speak
5. Standby
6. Active
Only the standby (the one with the second-highest priority) router monitors the hello message from
the active router. By default hellos are sent every 3 seconds. If hellos are missed for the duration
of the holdtime timer (default 10 seconds or three times the hello timer) the active router is
presumed to be down. The standby router is then clear to assume the active role. At that point if
other routers are sitting in the Listen state the next-highest priority router is allowed to become the
new standby router.
QUESTION 62
Three Cisco Catalyst switches have been configured with a first-hop redundancy protocol. While
reviewing some show commands debug output and the syslog you discover the following
information:
Jan 9 08:00:42.623: %STANDBY-6-STATECHANGF. Standby: 49:Vlan149 state Standby -> Active
Jan 9 08:00:56.011: %STANDBY-6-STATECHANGF. Standby: 49:Vlan149 state Active -> Speak
Jan 9 08:01:03.011: %STANDBY-6-STATECHANGF. Standby: 49:Vlan149 state Speak -> Standby
Jan 9 08:01:29.427: %STANDBY-6-STATECHANGF. Standby: 49:Vlan149 state Standby -> Active
Jan 9 08:01:36.808: %STANDBY-6-STATECHANGF. Standby: 49:Vlan149 state Active -> Speak
Jan 9 08:01:43.808: %STANDBY-6-STATECHANGF. Standby: 49:Vlan149 state Speak -> Standby
What conclusion can you infer from this information?
A. VRRP is initializing and operating correctly.
B. HSRP is initializing and operating correctly.
C. GLBP is initializing and operating correctly.
D. VRRP is not exchanging three hello messages properly.
E. HSRP is not exchanging three hello messages properly.
F. GLBP is not exchanging three hello messages properly.
Answer: E
Explanation:
These error messages describe a situation in which a standby HSRP router did not receive three
successive HSRP hello packets from its HSRP peer. The output shows that the standby router
moves from the standby state to the active state. Shortly thereafter the router returns to the
standby state. Unless this error message occurs during the initial installation an HSRP issue
probably does not cause the error message. The error messages signify the loss of HSRP hellos
between the peers. When you troubleshoot this issue you must verify the communication between
the HSRP peers. A random momentary loss of data communication between the peers is the
most common problem that results in these messages. HSRP state changes are often due to high
CPU utilization. If the error message is due to high CPU utilization, put a sniffer on the network
and trace the system that causes the high CPU utilization. There are several possible causes
for the loss of HSRP packets between the peers. The most common problems are physical layer
problems, excessive network traffic caused by spanning tree issues, or excessive traffic on
each VLAN.
QUESTION 63
By itself what does the command "aaa new-model" enable?
A. It globally enables AAA on the switch with default lists applied to the VTYs.
B. Nothing you must also specify which protocol (RADIUS or TACACS) will be used for AAA.
C. It enables AAA on all dot1x ports.
D. Nothing you must also specify where (console TTY VTY dot1x) AAA is being applied.
Answer: A
Explanation:
aaa new-model enables the AAA access control model. Access control is the way you control who
is allowed access to the network server and what services they are allowed to use once they have
access. Authentication, authorization, and accounting (AAA) network security services provide the
primary framework through which you set up access control on your router or access server.
QUESTION 64
Refer to the exhibit. The link between switch SW1 and switch SW2 is configured as a trunk but the
trunk failed to establish connectivity between the switches. Based on the configurations and the
error messages received on the console of SW1 what is the cause of the problem?
A. The two ends of the trunk have different duplex settings.
B. The two ends of the trunk have different EtherChannel configurations.
C. The two ends of the trunk have different native VLAN configurations.
D. The two ends of the trunk allow different VLANs on the trunk.
Answer: C
Explanation:
The native VLAN if not explicitly configured will default to the default VLAN (VLAN1). The Native
VLAN is configured for an 802.1Q Trunk port. 802.1Q trunks carry traffic from multiple VLANs by
tagging the traffic with VLAN identifiers (Tagged Traffic) which identifies which packets are
associated with which VLANs and they can also carry non VLAN traffic from legacy switches or
non 802.1Q compliant switches (Untagged Traffic). The switch will place untagged traffic on the
Native VLAN by using a PVID identifier. Native VLAN traffic is not tagged by the switch. It is a best
practice to configure the Native VLAN to be different than VLAN1 and to configure it on both ends
of the trunk.
QUESTION 65
A campus infrastructure supports wireless clients via Cisco Aironet AG Series 1230 1240 and
1250 access points. With DNS and DHCP configured the 1230 and 1240 access points appear to
boot and operate normally. However the 1250 access points do not seem to operate correctly.
What is the most likely cause of this problem?
A. DHCP with option 150
B. DHCP with option 43
C. PoE
D. DNS
E. switch port does not support gigabit speeds
Answer: C
Explanation:
The Cisco Aironet 1250 Series Access Point can be powered locally by the 1250 DC power module or
by an IEEE 802.3af compliant Power-over-Ethernet (PoE) power source. However, if the access point
is powered by an 802.3af source, only one radio is supported because two-radio operation
requires 18.5 watts. Two-radio operation is supported only by the 1250 series power injector or
an 802.3at compliant PoE switch.
QUESTION 66
A standalone wireless AP solution is being installed into the campus infrastructure. The access
points appear to boot correctly but wireless clients are not obtaining correct access. You verify
that this is the local switch configuration connected to the access point:
interface ethernet 0/1
switchport access vlan 10
switchport mode access
spanning-tree portfast
mls qos trust dscp
What is the most likely cause of the problem?
A. QoS trust should not be configured on a port attached to a standalone AP.
B. QoS trust for switchport mode access should be defined as "cos".
C. switchport mode should be defined as "trunk" with respective QoS.
D. switchport access vlan should be defined as "1".
Answer: C
Explanation:
VLANs can be extended into a wireless LAN by adding IEEE 802.1Q tag awareness to the
access point. Frames destined for different VLANs are transmitted by the access point wirelessly
on different SSIDs with different WEP keys. Only the clients associated with that VLAN receive
those packets. Conversely, packets coming from a client associated with a certain VLAN are
802.1Q tagged before they are forwarded onto the wired network. If 802.1Q is configured on the
FastEthernet interface of an access point the access point always sends keepalives on VLAN1
even if VLAN 1 is not defined on the access point. As a result the Ethernet switch connects to the
access point and generates a warning message. There is no loss of function on both the access
point and the switch. However the switch log contains meaningless messages that may cause
more important messages to be wrapped and not be seen. This behavior creates a problem when
all SSIDs on an access point are associated to mobility networks. If all SSIDs are associated to
mobility networks the Ethernet switch port the access point is connected to can be configured as
an access port. The access port is normally assigned to the native VLAN of the access point
which is not necessarily VLAN1 which causes the Ethernet switch to generate warning messages
saying that traffic with an 802.1q tag is sent from the access point.
QUESTION 67
During the implementation of a voice solution which two required items are configured at an
access layer switch that will be connected to an IP phone to provide VoIP communication?
(Choose two.)
A. allowed codecs
B. untagged VLAN
C. auxiliary VLAN
D. Cisco Unified Communications Manager IP address
E. RSTP
Answer: BC
QUESTION 68
Which two statements best describe Cisco IOS IP SLA? (Choose two.)
A. only implemented between Cisco source and destination-capable devices
B. statistics provided by syslog CLI and SNMP
C. measures delay jitter packet loss and voice quality
D. only monitors VoIP traffic flows
E. provides active monitoring
Answer: CE
Explanation:
Cisco IOS IP SLAs allows you to monitor, analyze, and verify IP service levels for IP applications
and services to increase productivity, to lower operational costs, and to reduce occurrences of
network congestion or outages. IP SLAs uses active traffic monitoring for measuring network
performance. IP SLAs can be configured to react to certain measured network conditions. For
example if IP SLAs measures too much jitter on a connection IP SLAs can generate a notification
to a network management application or trigger another IP SLAs operation to gather more data.
IP SLAs includes the capability for triggering SNMP notifications based on defined thresholds.
This allows for proactive monitoring in an environment where IT departments can be alerted to
potential network problems rather than having to manually examine data. IP SLAs supports
threshold monitoring for performance parameters such as average jitter unidirectional latency and
bidirectional round trip time and connectivity. This proactive monitoring capability provides options
for configuring reaction thresholds for important VoIP related parameters including unidirectional
jitter unidirectional packet loss and unidirectional VoIP voice quality scoring (MOS scores). For
packet loss and jitter notifications can be generated for violations in either direction (source to
destination and destination to source) or for round trip values. Packet loss jitter and MOS
statistics are specific to IP SLAs Jitter operations. Notifications can also be triggered for other
events such as round-trip-time violations for most IP SLAs monitoring operations.
QUESTION 69
Which two items best describe a Cisco IOS IP SLA responder? (Choose two.)
A. required at the destination to implement Cisco IOS IP SLA services
B. improves measurement accuracy
C. required for VoIP jitter measurements
D. provides security on Cisco IOS IP SLA messages via LEAP or EAP-FAST authentication
E. responds to one Cisco IOS IP SLA operation per port
F. stores the resulting test statistics
Answer: BC
Explanation:
The Cisco IOS IP SLAs Responder is a component embedded in the destination Cisco routing
device that allows the system to anticipate and respond to Cisco IOS IP SLAs request packets.
The Cisco IOS IP SLAs Responder provides an enormous advantage with accurate
measurements without the need for dedicated probes and additional statistics not available via
standard ICMP-based measurements. The patented Cisco IOS IP SLAs Control Protocol is used
by the Cisco IOS IP SLAs Responder providing a mechanism through which the responder can be
notified on which port it should listen and respond. Only a Cisco IOS device can be a source for a
destination IP SLAs Responder. For IP SLAs VoIP UDP Jitter Operations, your networking devices
on both ends of the connection must support Cisco IOS IP SLAs.
QUESTION 70
Which two characteristics apply to Cisco Catalyst 6500 Series Switch supervisor redundancy
using NSF? (Choose two.)
A. supported by RIPv2 OSPF IS-IS and EIGRP
B. uses the FIB table
C. supports IPv4 and IPv6 multicast
D. prevents route flapping
E. independent of SSO
F. NSF combined with SSO enables supervisor engine load balancing
Answer: BD
Explanation:
A key element of NSF is packet forwarding. In a Cisco networking device packet forwarding is
provided by Cisco Express Forwarding (CEF). CEF maintains the FIB and uses the FIB
information that was current at the time of the switchover to continue forwarding packets during a
switchover. This feature reduces traffic interruption during the switchover.
During normal NSF operation CEF on the active supervisor engine synchronizes its current FIB
and adjacency databases with the FIB and adjacency databases on the redundant supervisor
engine. Upon switchover of the active supervisor engine the redundant supervisor engine initially
has FIB and adjacency databases that are mirror images of those that were current on the active
supervisor engine. For platforms with intelligent modules the modules will maintain the current
forwarding information over a switchover. For platforms with forwarding engines CEF will keep the
forwarding engine on the redundant supervisor engine current with changes that are sent to it by
CEF on the active supervisor engine. The modules or forwarding engines will be able to continue
forwarding after a switchover as soon as the interfaces and a data path are available.
As the routing protocols start to repopulate the RIB on a prefix-by-prefix basis the updates will
cause prefix-by-prefix updates to CEF which it uses to update the FIB and adjacency databases.
Existing and new entries will receive the new version ("epoch") number indicating that they have
been refreshed. The forwarding information is updated on the modules or forwarding engine
during convergence. The supervisor engine signals when the RIB has converged. The software
removes all FIB and adjacency entries that have an epoch older than the current switchover epoch.
The FIB now represents the newest routing protocol forwarding information.
QUESTION 71
You are tasked with designing a security solution for your network. What information should be
gathered before you design the solution?
A. IP addressing design plans so that the network can be appropriately segmented to mitigate potential
network threats
B. a list of the customer requirements
C. detailed security device specifications
D. results from pilot network testing
Answer: B
Explanation:
Cisco specific recommendations for designing a security solution for a network include the two
points:
Make sure you have a list of the applications running in the environment
Have a network audit
And each network application has some requirements for the network in which it works.
QUESTION 72
What are three results of issuing the "switchport host" command? (Choose three.)
A. disables EtherChannel
B. enables port security
C. disables Cisco Discovery Protocol
D. enables PortFast
E. disables trunking
F. enables loopguard
Answer: ADE
QUESTION 73
Which statement about the EIGRP routing being performed by the switch is true?
A. The EIGRP neighbor table contains 20 neighbors.
B. EIGRP is running normally and receiving IPv4 routing updates.
C. EIGRP status cannot be determined. The command show ip eigrp topology would determine the
routing protocol status.
D. The switch has not established any neighbor relationships. Further network testing and troubleshooting
must be performed to determine the cause of the problem.
Answer: D
Explanation:
There is no record for EIGRP neighbor in the output of the command. It means that the switch has
not established any neighbor relationships and further network testing and troubleshooting must
be performed to determine the cause of the problem.
QUESTION 74
What is the result of entering the command "spanning-tree loopguard default" ?
A. The command enables loop guard and root guard.
B. The command changes the status of loop guard from the default of disabled to enabled.
C. The command activates loop guard on point-to-multipoint links in the switched network.
D. The command disables EtherChannel guard.
Answer: B
Explanation:
By default loop guard is disabled on all switch ports. You can enable loop guard as a global
default affecting all switch ports with the following global configuration command:
Switch(config)# spanning-tree loopguard default
You also can enable or disable loop guard on a specific switch port by using the following
interface-configuration command:
Switch(config-if)# [no] spanning-tree guard loop
Although loop guard is configured on a switch port its corrective blocking action is taken on a per-
VLAN basis. In other words loop guard doesn't block the entire port only the offending VLANs are
blocked. You can enable loop guard on all switch ports regardless of their functions. The switch
figures out which ports are nondesignated and monitors the BPDU activity to keep them
nondesignated. Nondesignated ports are generally the root port alternate root ports and ports
that normally are blocking.
QUESTION 75
Refer to the exhibit. What can be concluded about VLANs 200 and 202?
A. VLAN 202 carries traffic from promiscuous ports to isolated community and other promiscuous ports
in the same VLAN. VLAN 200 carries traffic between community ports and to promiscuous ports.
B. VLAN 202 carries traffic from promiscuous ports to isolated community and other promiscuous ports
in the same VLAN. VLAN 200 carries traffic from isolated ports to a promiscuous port.
C. VLAN 200 carries traffic from promiscuous ports to isolated community and other promiscuous ports
in the same VLAN. VLAN 202 carries traffic between community ports and to promiscuous ports.
D. VLAN 200 carries traffic from promiscuous ports to isolated community and other promiscuous ports
in the same VLAN. VLAN 202 carries traffic from isolated ports to a promiscuous port.
Answer: B
Explanation:
A primary VLAN carries traffic from promiscuous ports to isolated, community, and other
promiscuous ports in the same primary VLAN, while an isolated VLAN carries traffic from isolated
ports to a promiscuous port.
QUESTION 76
A switch has been configured with PVLANs. With what type of PVLAN port should the default
gateway be configured?
A. isolated
B. promiscuous
C. community
D. primary
E. trunk
Answer: B
Explanation:
Promiscuous: The switch port connects to a router firewall or other common gateway device.
This port can communicate with anything else connected to the primary or any secondary VLAN.
In other words the port is in promiscuous mode in which the rules of private VLANs are ignored.
QUESTION 77
Refer to the exhibit. Both routers are configured for the GLBP. Which statement is true?
A. The default gateway addresses of both hosts should be set to the IP addresses of both routers.
B. The default gateway address of each host should be set to the virtual IP address.
C. The hosts learn the proper default gateway IP address from router A.
D. The hosts have different default gateway IP addresses and different MAC addresses for each router.
Answer: B
Explanation:
GLBP performs a similar but not identical function for the user as the HSRP and VRRP. Both
HSRP and VRRP protocols allow multiple routers to participate in a virtual router group configured
with a virtual IP address. One member is elected to be the active router to forward packets sent to
the virtual IP address for the group. The other routers in the group are redundant until the active
router fails. With standard HSRP and VRRP these standby routers pass no traffic in normal
operation, which is wasteful. Therefore the concept came about of using multiple virtual router
groups which are configured for the same set of routers. But to share the load the hosts must be
configured for different default gateways which results in an extra administrative burden of going
around and configuring every host and creating 2 or more groups of hosts that each use a different
default gateway.
GLBP is similar in that it provides load balancing over multiple routers (gateways), but it can do
this using only one virtual IP address. Underneath that one virtual IP address are multiple virtual
MAC addresses, and this is how the load is balanced between the routers. Instead of the hassle of
configuring all the hosts with a static default gateway, you can let them use ARP to find their
own. Multiple gateways in a "GLBP redundancy group" respond to client Address Resolution
Protocol (ARP) requests in a shared and ordered fashion each with their own unique virtual MAC
addresses. As such workstation traffic is divided across all possible gateways. Each host is
configured with the same virtual IP address and all routers in the virtual router group participate in
forwarding packets
QUESTION 78
In the MAC address 0000.0c07.ac03 what does the "03" represent?
A. HSRP router number 3
B. Type of encapsulation
C. HSRP group number
D. VRRP group number
E. GLBP group number
Answer: C
Explanation:
Each router keeps a unique MAC address for its interface. This MAC address is always associated
with the unique IP address configured on the interface. For the virtual router address HSRP
defines a special MAC address of the form 0000.0c07.acxx where xx represents the HSRP group
number as a two-digit hex value. For example, HSRP Group 1 appears as 0000.0c07.ac01 and HSRP
Group 16 appears as 0000.0c07.ac10.
QUESTION 79
A network is deployed using recommended practices of the enterprise campus network model
including users with desktop computers connected via IP phones. Given that all components are
QoS-capable where are the two optimal locations for trust boundaries to be configured by the
network administrator? (Choose two.)
A. host
B. IP phone
C. access layer switch
D. distribution layer switch
E. core layer switch
Answer: BC
QUESTION 80
What is needed to verify that a newly implemented security solution is performing as expected?
A. a detailed physical and logical topology
B. a cost analysis of the implemented solution
C. detailed logs from the AAA and SNMP servers
D. results from audit testing of the implemented solution
Answer: D
Explanation:
The Cisco-recommended verification plan for a security solution states that verification of
an implemented security solution requires results from audit testing of the implemented solution.
QUESTION 81
When configuring port security on a Cisco Catalyst switch port what is the default action taken by
the switch if a violation occurs?
A. protect (drop packets with unknown source addresses)
B. restrict (increment SecurityViolation counter)
C. shut down (access or trunk port)
D. transition (the access port to a trunking port)
Answer: C
Explanation:
When configuring port security the following options for port security violation modes are
available:
protect--Drops packets with unknown source addresses until you remove a sufficient number of
secure MAC addresses to drop below the maximum value.
restrict--Drops packets with unknown source addresses until you remove a sufficient number of
secure MAC addresses to drop below the maximum value and causes the SecurityViolation
counter to increment.
shutdown--Puts the interface into the error-disabled state immediately and sends an SNMP trap
notification.
The default violation mode is shutdown.
QUESTION 82
hostname Switch1
interface Vlan10
ip address 172.16.10.32 255.255.255.0
no ip redirects
standby 1 ip 172.16.10.110
standby 1 timers 1 5
standby 1 priority 130
hostname Switch2
interface Vlan10
ip address 172.16.10.33 255.255.255.0
no ip redirects
standby 1 ip 172.16.10.110
standby 1 timers 1 5
standby 1 priority 120
Refer to the above. HSRP was implemented and configured on two switches while scheduled
network maintenance was performed.
After the two switches have finished rebooting you notice via show commands that Switch2 is the
HSRP active router. Which two items are the most likely cause of Switch1 not becoming the active
router? (Choose two.)
A. Booting has been delayed.
B. The standby group number does not match the VLAN number.
C. IP addressing is incorrect.
D. Preemption is disabled.
E. Standby timers are incorrect.
F. IP redirect is disabled.
Answer: AD
Explanation:
If Switch2 starts before Switch1, it becomes the active HSRP router. When Switch1 starts up, it
does not preempt the active role from Switch2, even though Switch1 has the better HSRP priority. This is
expected behavior in the absence of the standby 1 preempt command.
QUESTION 83
Private VLANs can be configured as which three port types? (Choose three.)
A. isolated
B. protected
C. private
D. associated
E. promiscuous
F. community
Answer: AEF
Explanation:
A primary VLAN can be logically associated with special unidirectional or secondary VLANs. Hosts
associated with a secondary VLAN can communicate with ports on the primary VLAN (a router for
example) but not with another secondary VLAN. A secondary VLAN is configured as one of the
following types:
Isolated--Any switch ports associated with an isolated VLAN can reach the primary VLAN but not
any other secondary VLAN. In addition hosts associated with the same isolated VLAN cannot
reach each other. They are in effect isolated from everything except the primary VLAN.
Community--Any switch ports associated with a common community VLAN can communicate with
each other and with the primary VLAN but not with any other secondary VLAN. This provides the
basis for server farms and workgroups within an organization while giving isolation between
organizations.
You must configure each physical switch port that uses a private VLAN with a VLAN association.
You also must define the port with one of the following modes:
Promiscuous--The switch port connects to a router firewall or other common gateway device.
This port can communicate with anything else connected to the primary or any secondary VLAN.
In other words the port is in promiscuous mode in which the rules of private VLANs are ignored.
Host--The switch port connects to a regular host that resides on an isolated or community VLAN.
The port communicates only with a promiscuous port or ports on the same community VLAN.
QUESTION 84
Refer to the exhibit. Which statement about the private VLAN configuration is true?
A. Only VLAN 503 will be the community PVLAN because multiple community PVLANs are not allowed.
B. Users of VLANs 501 and 503 will be able to communicate.
C. VLAN 502 is a secondary VLAN.
D. VLAN 502 will be a standalone VLAN because it is not associated with any other VLANs.
Answer: C
Explanation:
VLAN 502 has been configured as private-vlan community, so it is a secondary PVLAN.
QUESTION 85
When configuring a routed port on a Cisco multilayer switch which configuration task is needed to
enable that port to function as a routed port?
A. Enable the switch to participate in routing updates from external devices with the router command in
global configuration mode.
B. Enter the no switchport command to disable Layer 2 functionality at the interface level.
C. Each port participating in routing of Layer 3 packets must have an IP routing protocol assigned on
a per-interface level.
D. Routing is enabled by default on a multilayer switch so the port can become a Layer 3 routing interface
by assigning the appropriate IP address and subnet information.
Answer: B
Explanation:
A Catalyst switch port is a Layer 2 switch port by default. Entering the no switchport command at
the interface level removes the Layer 2 configuration and turns the port into a routed port, which
can then be given an IP address and subnet mask directly. No per-interface routing protocol
assignment is needed, and IP routing is enabled globally with ip routing, not per port.
Note: the following paragraph on EtherChannel frame distribution applies to QUESTION 88 below,
not to this question.
Traffic in an EtherChannel is distributed across the individual bundled links in a deterministic
fashion; however, the load is not necessarily balanced equally across all the links. Instead, frames
are forwarded on a specific link as the result of a hashing algorithm. The algorithm can use the source
IP address, the destination IP address, or a combination of source and destination IP addresses,
source and destination MAC addresses, or TCP/UDP port numbers. The hash algorithm computes
a binary pattern that selects a link number in the bundle to carry each frame. The hashing
operation can be performed on either MAC or IP addresses and can be based solely on source or
destination addresses or both. Use the following command to configure frame distribution for all
EtherChannel switch links:
Switch(config)# port-channel load-balance method
The default method depends on the platform: the Catalyst 6500 uses source XOR destination IP
addresses (src-dst-ip), while the Catalyst 2960, 3560 and 3750 default to src-mac.
QUESTION 86
You have configured a Cisco Catalyst switch to perform Layer 3 routing via an SVI and you have
assigned that interface to VLAN 20. To check the status of the SVI you issue the show interfaces
vlan 20 command at the CLI prompt. You see from the output display that the interface is in an
up/up state. What must be true in an SVI configuration to bring the VLAN and line protocol up?
A. The port must be physically connected to another Layer 3 device.
B. At least one port in VLAN 20 must be active.
C. The Layer 3 routing protocol must be operational and receiving routing updates from neighboring peer
devices.
D. Because this is a virtual interface the operational status is always in an "up/up" state.
Answer: B
Explanation:
An SVI comes up (up/up) only when all of the following general conditions are met:
- The VLAN exists and is in active status in the switch VLAN database.
- The VLAN interface exists on the switch and is not administratively down.
- At least one Layer 2 port (access port or trunk) belongs to the VLAN and has a link up.
The current implementation of the autostate feature also synchronizes with the Spanning Tree
Protocol (STP) port status: the VLAN interface is brought up only after the L2 port has had time
to converge (that is, transition from listening and learning to forwarding). This prevents routing
protocols and other features from using the VLAN interface as if it were fully operational before it
can actually forward, which avoids problems such as routing black holes.
In other words, at least one L2 port (access or trunk) must be in the spanning-tree forwarding
state on the VLAN. So for the SVI to bring the VLAN and line protocol up, at least one port in that
VLAN must be active.
QUESTION 87
Refer to the exhibit which is from a Cisco Catalyst 3560 Series Switch.
Which statement about the Layer 3 routing functionality of the interface is true?
A. The interface is configured correctly for Layer 3 routing capabilities.
B. The interface needs an additional configuration entry to enable IP routing protocols.
C. Since the interface is connected to a host device the spanning-tree portfast command must be added
to the interface.
D. An SVI interface is needed to enable IP routing for network 192.20.135.0.
Answer: A
Explanation:
The command "no switchport" indicates that interface gi0/2 is configured correctly for Layer 3
routing capability.
QUESTION 88
What is the result of entering the command "port-channel load-balance src-dst-ip" on an
EtherChannel link?
A. Packets are distributed across the ports in the channel based on the source and destination MAC
addresses.
B. Packets are distributed across the ports in the channel based on the source and destination IP
addresses.
C. Packets are balanced across the ports in the channel based first on the source MAC address then
on the destination MAC address then on the IP address.
D. Packets are distributed across the access ports in the channel based first on the source IP address
and then on the destination IP addresses.
Answer: B
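The src-dst-ip distribution in QUESTION 88 (and the frame-distribution paragraph under QUESTION 85), as an added example that is not part of the original page: the switch XORs the two IP addresses, keeps the low-order bits to pick one of 8 hash buckets, and spreads the buckets over the member links, which is why 3 links get a 3/3/2 split and why flows whose addresses differ only in high-order bits all land on the same link (hash polarization). The 8-bucket, 3-bit model and the round-robin bucket-to-link mapping are assumptions drawn from Cisco's published description of the Catalyst hash; the IP addresses are constructed sample flows.

```python
# Added example, not part of the original page: how an EtherChannel picks a member link
# for each frame under src-dst-ip load balancing. The 8-bucket (3-bit) hash and the
# round-robin bucket-to-link mapping are an assumed model of the Catalyst behaviour;
# the IP addresses are constructed sample flows.
import ipaddress
from collections import Counter
from itertools import cycle

HASH_BITS = 3                # 8 hash buckets, however many links are in the bundle


def src_dst_ip_hash(src, dst, bits=HASH_BITS):
    """XOR the two IPv4 addresses and keep the low-order bits (src-dst-ip)."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    return (s ^ d) & ((1 << bits) - 1)


def bucket_map(num_links, buckets=1 << HASH_BITS):
    """Assign the 8 buckets to links round-robin: 2 links -> 4/4, 3 -> 3/3/2, 4 -> 2/2/2/2."""
    if not 1 <= num_links <= 8:
        raise ValueError("an EtherChannel has 1 to 8 active links")
    links = cycle(range(num_links))
    return {b: next(links) for b in range(buckets)}


def select_link(src, dst, num_links):
    """Index of the member link that carries every frame of this flow."""
    return bucket_map(num_links)[src_dst_ip_hash(src, dst)]


def distribution(flows, num_links):
    """Count flows per link; one heavily loaded link is the sign of hash polarization."""
    return Counter(select_link(s, d, num_links) for s, d in flows)


# Constructed sample: clients whose last octet is a multiple of 8 talking to one server.
# The low 3 bits of the XOR are identical for every pair, so all flows share one link.
POLARIZED = [(f"10.1.1.{i * 8}", "10.2.2.0") for i in range(1, 8)]
# Constructed sample: clients with varied low-order bits spread over all buckets.
SPREAD = [(f"10.1.1.{i}", "10.2.2.0") for i in range(1, 9)]

if __name__ == "__main__":
    print("buckets per link (3 links):", dict(Counter(bucket_map(3).values())))
    print("polarized flows on 4 links:", dict(distribution(POLARIZED, 4)))
    print("spread flows on 4 links:   ", dict(distribution(SPREAD, 4)))
```

When the load is polarized like this, switching to src-dst-port or src-dst-mac (where the addresses or ports actually vary in the low bits) is the usual fix; the command itself does not rebalance anything.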
QUESTION 89
Which Cisco IOS command globally enables port-based authentication on a switch?
A. aaa port-auth enable
B. radius port-control enable
C. dot1x system-auth-control
D. switchport aaa-control enable
Answer: C

QUESTION 90
Which two steps are necessary to configure inter-VLAN routing between multilayer switches?
(Choose two.)
A. Configure a dynamic routing protocol.
B. Configure SVI interfaces with IP addresses and subnet masks.
C. Configure access ports with network addresses.
D. Configure switch ports with the autostate exclude command.
E. Document the MAC addresses of the switch ports.

Answer: AB
Explanation:
Strictly speaking, a dynamic routing protocol is not required for inter-VLAN routing between
multilayer switches; static routes (or directly connected SVIs on a single switch) are enough. But
because the question asks for two answers, A is the only remaining choice beside the obvious one,
B: the SVIs must be configured with IP addresses and subnet masks, with ip routing enabled globally.

QUESTION 91
Which statement correctly describes enabling BPDU guard on an access port that is also enabled
for PortFast?
A. Upon startup the port transmits 10 BPDUs. If the port receives a BPDU PortFast and BPDU guard
are disabled on that port and it assumes normal STP operation.
B. The access port ignores any received BPDU.
C. If the port receives a BPDU it is placed into the error-disable state.
D. BPDU guard is configured only globally and the BPDU filter is required for port-level configuration.
Answer: C
Explanation:
When enabled on a port BPDU Guard shuts down a port that receives a BPDU. When configured
globally BPDU Guard is only effective on ports in the operational PortFast state. In a valid
configuration PortFast Layer 2 LAN interfaces do not receive BPDUs. Reception of a BPDU by a
PortFast Layer 2 LAN interface signals an invalid configuration such as connection of an
unauthorized device. BPDU Guard provides a secure response to invalid configurations because
the administrator must manually put the Layer 2 LAN interface back in service. With release
12.1(11b)E BPDU Guard can also be configured at the interface level. When configured at the
interface level BPDU Guard shuts the port down as soon as the port receives a BPDU regardless
of the PortFast configuration.
QUESTION 92
Which statement about the Port Aggregation Protocol is true?
A. Configuration changes made on the port-channel interface apply to all physical ports assigned to the
port-channel interface.
B. Configuration changes made on a physical port that is a member of a port-channel interface apply to
the port-channel interface.
C. Configuration changes are not permitted with Port Aggregation Protocol. Instead the standardized
Link Aggregation Control Protocol should be used if configuration changes are required.
D. The physical port must first be disassociated from the port-channel interface before any configuration
changes can be made.
Answer: A
Explanation:
The port-channel interface is a logical interface that encompasses all the physical port members of
the EtherChannel, so configuration changes made on the port-channel interface apply to all
physical ports assigned to it. Changes made on a single member port are not propagated upward
and can cause the port to be suspended from the bundle if they make it inconsistent with the others.
QUESTION 93
In which three HSRP states do routers send hello messages? (Choose three.)
A. standby
B. learn
C. listen
D. speak
E. active
Answer: ADE
Explanation:
When HSRP is configured on an interface, the router progresses through a series of states before
becoming active. This forces a router to listen for others in the group and see where it fits into the
pecking order. The HSRP state sequence is Disabled, Init, Listen, Speak, Standby and finally
Active. Hellos are sent only in the Speak, Standby and Active states; a router in the Listen state
only receives them.
Only the standby (second-highest priority) router monitors the hello messages from the active
router. By default, hellos are sent every 3 seconds. If hellos are missed for the duration of the
holdtime timer (default 10 seconds; it should be at least 3 times the hello timer), the active router
is presumed down. The standby router is then clear to assume the active role. If other routers are
sitting in the Listen state, the next-highest priority router is allowed to become the new standby router.
QUESTION 94
Refer to the exhibit. Which three statements are true? (Choose three.)
A. A trunk link will be formed.
B. Only VLANs 1-1001 will travel across the trunk link.
C. The native VLAN for switch B is VLAN 1.
D. DTP is not running on switch A.
E. DTP packets are sent from switch B.
Answer: ACE
Explanation:
You can manually configure trunk links on Catalyst switches for either ISL or 802.1Q mode. In
addition Cisco has implemented a proprietary point-to-point protocol called Dynamic Trunking
Protocol (DTP) that negotiates a common trunking mode between two switches. The negotiation
covers the encapsulation (ISL or 802.1Q) as well as whether the link becomes a trunk at all. You
can configure the trunk encapsulation with the switchport trunk encapsulation command as one of
the following:
isl--VLANs are tagged by encapsulating each frame using the Cisco ISL protocol.
dot1q--VLANs are tagged in each frame using the IEEE 802.1Q standard protocol. The only
exception is the native VLAN which is sent normally and not tagged at all.
negotiate (the default)--The encapsulation is negotiated to select either ISL or IEEE 802.1Q
whichever is supported by both ends of the trunk. If both ends support both types ISL is favored.
(The Catalyst 2950 switch does not support ISL encapsulation.) In the switchport mode command
you can set the trunking mode to any of the following:
trunk--This setting places the port in permanent trunking mode. The corresponding switch port at
the other end of the trunk should be similarly configured because negotiation is not allowed. You
should also manually configure the encapsulation mode.
dynamic desirable--The port actively attempts to convert the link into trunking mode. If the
far-end switch port is configured to trunk, dynamic desirable or dynamic auto mode, trunking is
successfully negotiated. (This is the default on older platforms such as the Catalyst 3550; the
Catalyst 2960, 3560 and 3750 default to dynamic auto.)
dynamic auto--The port is willing to convert the link into trunking mode but does not initiate the
negotiation. If the far-end switch port is configured to trunk or dynamic desirable, trunking is
negotiated. Because of this passive behavior, the link never becomes a trunk if both ends of the
link are left at dynamic auto.
QUESTION 95
Which statement about 802.1Q trunking is true?
A. Both switches must be in the same VTP domain.
B. The encapsulation type on both ends of the trunk does not have to match.
C. The native VLAN on both ends of the trunk must be VLAN 1.
D. In 802.1Q trunking all VLAN packets are tagged on the trunk link except the native VLAN.
Answer: D
Explanation:
D is correct because "frames from the native VLAN of an 802.1Q trunk are not tagged with the
VLAN number."
QUESTION 96
Refer to the exhibit. Host A and Host B are connected to the Cisco Catalyst 3550 switch and have
been assigned to their respective VLANs. The rest of the 3550 configuration is the default
configuration. Host A is able to ping its default gateway 10.10.10.1 but is unable to ping Host B.
Given the output in the exhibit which statement is true?
A. HSRP must be configured on SW1.
B. A separate router is needed to support inter-VLAN routing.
C. Interface VLAN 10 must be configured on the SW1 switch.
D. The global configuration command ip routing must be configured on the SW1 switch.
E. VLANs 10 and 15 must be created in the VLAN database mode.
F. VTP must be configured to support inter-VLAN routing.
Answer: D
Explanation:
To transport packets between VLANs you must use a Layer 3 device. Traditionally this has been
a router's function. The router must have a physical or logical connection to each VLAN so that it
can forward packets between them. This is known as interVLAN routing. Multilayer switches can
perform both Layer 2 switching and interVLAN routing as appropriate. Layer 2 switching occurs
between interfaces that are assigned to Layer 2 VLANs or Layer 2 trunks. Layer 3 switching can
occur between any type of interface as long as the interface can have a Layer 3 address assigned
to it.
The Switch(config)# ip routing command enables routing on the Layer 3 switch; it is disabled by
default on most Catalyst multilayer switches, which is why Host A can reach its gateway SVI but
cannot be routed to Host B's VLAN.
QUESTION 97
Refer to the exhibit. What happens when one more user is connected to interface FastEthernet
5/1?
A. All secure addresses age out and are removed from the secure address list. The security violation
counter increments.
B. The first address learned on the port is removed from the secure address list and is replaced with
the new address.
C. The interface is placed into the error-disabled state immediately and an SNMP trap notification is sent.
D. The packets with the new source addresses are dropped until a sufficient number of secure MAC
addresses are removed from the secure address list.
Answer: C
Explanation:
Answer C describes the default port-security violation mode, shutdown: when the maximum number
of secure MAC addresses has been reached and a frame arrives with a new source MAC address, the
port is put into the error-disabled state immediately, the security violation counter increments and
an SNMP trap and syslog message are sent. The port stays down until an administrator issues
shutdown followed by no shutdown, or errdisable recovery is configured. Answers A and D
describe what happens under the protect mode (silent drop until addresses age out) and answer B
is not a port-security behavior at all.
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/port_sec.pdf
QUESTION 98
What are two methods of mitigating MAC address flooding attacks? (Choose two.)
A. Place unused ports in a common VLAN.
B. Implement private VLANs.
C. Implement DHCP snooping.
D. Implement port security.
E. Implement VLAN access maps
Answer: DE
Explanation:
You can use the port security feature to limit and identify MAC addresses of the stations allowed to
access the port. This restricts input to an interface. When you assign secure MAC addresses to a
secure port the port does not forward packets with source addresses outside the group of defined
addresses. If you limit the number of secure MAC addresses to one and assign a single secure
MAC address the workstation attached to that port is assured the full bandwidth of the port. If a
port is configured as a secure port and the maximum number of secure MAC addresses is
reached when the MAC address of a station that attempts to access the port is different from any
of the identified secure MAC addresses a security violation occurs. Also if a station with a secure
MAC address configured or learned on one secure port attempts to access another secure port a
violation is flagged. By default the port shuts down when the maximum number of secure MAC
addresses is exceeded.
A VLAN access map can match frames by MAC address and, in combination with the vlan filter
command, can be used to mitigate MAC flooding attacks.
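The port-security behavior described for QUESTION 97 and QUESTION 98, as an added example that is not code from the original page: a model of a secure port with a maximum address count and the three IOS violation modes (protect, restrict and the default shutdown), plus a macof-style flood of random source MACs run against it to show how each mode reacts. Port name, MAC addresses and frame counts are constructed.

```python
# Added example, not part of the original page: a model of Catalyst port security
# (maximum secure addresses and the protect / restrict / shutdown violation modes) and
# of a MAC flooding attempt run against it. MAC addresses are constructed.
from dataclasses import dataclass, field
import random


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum (IOS default 1)
    violation: str = "shutdown"      # IOS violation modes: protect | restrict | shutdown (default)
    secure_macs: set = field(default_factory=set)
    errdisabled: bool = False
    violation_count: int = 0
    traps: list = field(default_factory=list)

    def ingress(self, src_mac):
        """Return 'forward' or 'drop' for a frame with this source MAC address."""
        src_mac = src_mac.lower()
        if self.errdisabled:
            return "drop"                      # port is down, nothing gets through
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)      # dynamically learned secure address
            return "forward"
        # Secure address list is full and the source is unknown: a security violation.
        if self.violation == "protect":
            return "drop"                      # silent drop, no counter, no trap
        self.violation_count += 1
        self.traps.append(f"{self.name}: psecure-violation from {src_mac}")
        if self.violation == "restrict":
            return "drop"                      # drop, count and notify; port stays up
        self.errdisabled = True                # shutdown: port goes err-disabled
        return "drop"


def random_mac(rng):
    return "00:%02x:%02x:%02x:%02x:%02x" % tuple(rng.randrange(256) for _ in range(5))


def mac_flood(port, frames=200, seed=1):
    """Send frames with random source MACs (a macof-style flood) and report the outcome."""
    rng = random.Random(seed)
    forwarded = sum(port.ingress(random_mac(rng)) == "forward" for _ in range(frames))
    return {
        "learned": len(port.secure_macs),
        "forwarded": forwarded,
        "dropped": frames - forwarded,
        "violations": port.violation_count,
        "errdisabled": port.errdisabled,
    }


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, mac_flood(SecurePort("Fa5/1", maximum=2, violation=mode)))
```

In every mode the flood learns at most the configured maximum and the CAM table is never exhausted; the modes differ only in whether the violations are counted and reported (restrict) or also take the port down (shutdown), which is the trade-off between visibility and availability when choosing a mode for user ports.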
QUESTION 99
Refer to the exhibit. What happens to traffic within VLAN 14 with a source address of 172.16.10.5?
A. The traffic is forwarded to the TCAM for further processing.
B. The traffic is forwarded to the router processor for further processing.
C. The traffic is dropped.
D. The traffic is forwarded without further processing.
Answer: C
Explanation:
Traffic from 172.16.10.5 matches an entry of the VLAN access map applied to VLAN 14 whose
action is drop, so the frames are discarded in hardware rather than being sent to the route
processor or the TCAM for any further processing.
Note: the following paragraph on root guard applies to QUESTION 100 below, not to this question.
Root guard is configured on a per-port basis. If a superior BPDU is received on the port, root guard
does not take the BPDU into account and puts the port into the root-inconsistent state. When the
devices connected to FastEthernet3/1 and FastEthernet3/2 stop sending superior BPDUs, the
ports are unblocked again automatically and transition through the STP states like any other port.
QUESTION 100
Refer to the exhibit. What information can be derived from the output?
A. Interfaces FastEthernet3/1 and FastEthernet3/2 are connected to devices that are sending BPDUs
with a superior root bridge parameter and no traffic is forwarded across the ports. After the sending
of BPDUs has stopped the interfaces must be shut
down administratively and brought back up to resume normal operation.
B. Devices connected to interfaces FastEthernet3/1 and FastEthernet3/2 are sending BPDUs with a
superior root bridge parameter but traffic is still forwarded across the ports.
C. Devices connected to interfaces FastEthernet3/1 and FastEthernet3/2 are sending BPDUs with a
superior root bridge parameter and no traffic is forwarded across the ports. After the inaccurate BPDUs
have been stopped the interfaces automatically recover and resume normal operation.
D. Interfaces FastEthernet3/1 and FastEthernet3/2 are candidates for becoming the STP root port but
neither can realize that role until BPDUs with a superior root bridge parameter are no longer received
on at least one of the interfaces.
Answer: C
QUESTION 101
What is one method that can be used to prevent VLAN hopping?
A. Configure ACLs.
B. Enforce username and password combinations.
C. Configure all frames with two 802.1Q headers.
D. Explicitly turn off DTP on all unused ports.
E. Configure VACLs.
Answer: D
Explanation:
When securing VLAN trunks also consider the potential for an exploit called VLAN hopping. Here
an attacker positioned on one access VLAN can craft and send frames with spoofed 802.1Q tags
so that the packet payloads ultimately appear on a totally different VLAN all without the use of a
router.
For this exploit to work the following conditions must exist in the network configuration:
The attacker is connected to an access switch port.
The same switch must have an 802.1Q trunk.
The trunk must have the attacker's access VLAN as its native VLAN.
To prevent VLAN hopping, explicitly turn off Dynamic Trunking Protocol on all unused and user
ports (switchport mode access together with switchport nonegotiate) so that an attacker cannot
negotiate a trunk. Against the double-tagging variant, also use an otherwise unused VLAN as the
native VLAN of every trunk and never assign that VLAN to an access port, or force tagging of the
native VLAN with the vlan dot1q tag native command.
QUESTION 102
Why is BPDU guard an effective way to prevent an unauthorized rogue switch from altering the
spanning-tree topology of a network?
A. BPDU guard can guarantee proper selection of the root bridge.
B. BPDU guard can be utilized along with PortFast to shut down ports when a switch is connected to
the port.
C. BPDU guard can be utilized to prevent the switch from transmitting BPDUs and incorrectly altering
the root bridge election.
D. BPDU guard can be used to prevent invalid BPDUs from propagating throughout the network.
Answer: B
Explanation:
As long as a port participates in STP some device can assume the root bridge function and affect
active STP topology. To assume the root bridge function the device would be attached to the port
and would run STP with a lower bridge priority than that of the current root bridge. If another
device assumes the root bridge function in this way it renders the network suboptimal. This is a
simple form of a denial of service (DoS) attack on the network. The temporary introduction and
subsequent removal of STP devices with low (0) bridge priority cause a permanent STP
recalculation.
The STP PortFast BPDU guard enhancement allows network designers to enforce the STP
domain borders and keep the active topology predictable. The devices behind the ports that have
STP PortFast enabled are not able to influence the STP topology. At the reception of BPDUs the
BPDU guard operation disables the port that has PortFast configured. The BPDU guard transitions
the port into errdisable state and a message appears on the console.
QUESTION 103
What two steps can be taken to help prevent VLAN hopping? (Choose two.)
A. Place unused ports in a common unrouted VLAN.
B. Enable BPDU guard.
C. Implement port security.
D. Prevent automatic trunk configurations.
E. Disable Cisco Discovery Protocol on ports where it is not necessary.
Answer: AD
Explanation:
To prevent VLAN hopping, you should disable unused ports and put them in an unused VLAN or a
separate unrouted VLAN. By not granting connectivity, or by placing a device into a VLAN not in
use, unauthorized access can be thwarted through fundamental physical and logical barriers.
Another method used to prevent VLAN hopping is to prevent automatic trunk configuration.
Attackers use 802.1Q and ISL tagging attacks, malicious schemes that allow a user on one VLAN to
get unauthorized access to another VLAN. For example, if a switch port were configured as DTP
auto and were to receive a fake DTP packet, it might become a trunk port and start accepting traffic
destined for any VLAN. A malicious user could then communicate with other VLANs through that
compromised port.
QUESTION 104
Refer to the exhibit. Assume that Switch_A is active for the standby group and the standby device
has only the default HSRP configuration. Which statement is true?
A. If port Fa1/1 on Switch_A goes down the standby device takes over as active.
B. If the current standby device had the higher priority value it would take over the role of active for
the HSRP group.
C. If port Fa1/1 on Switch_A goes down the new priority value for the switch would be 190.
D. If Switch_A had the highest priority number it would not take over as active router.
Answer: C
Explanation:
The standby track command on Switch_A does not specify a decrement value, so the default
decrement of 10 is used. When Fa1/1 goes down, Switch_A's priority becomes 200 - 10 = 190.
Because the standby device keeps the default priority of 100 (and no preempt), 190 is still the
highest priority in the group and Switch_A remains active, which is why A is wrong.
QUESTION 105
When an attacker is using switch spoofing to perform VLAN hopping how is the attacker able to
gather information?
A. The attacking station uses DTP to negotiate trunking with a switch port and captures all traffic that is
allowed on the trunk.
B. The attacking station tags itself with all usable VLANs to capture data that is passed through the switch
regardless of the VLAN to which the data belongs.
C. The attacking station generates frames with two 802.1Q headers to cause the switch to forward the
frames to a VLAN that would be inaccessible to the attacker through legitimate means.
D. The attacking station uses VTP to collect VLAN information that is sent out and then tags itself with
the domain information to capture the data.
Answer: A
Explanation:
DTP should be disabled for all user ports on a switch. If the port is left with DTP auto configured
(default on many switches) an attacker can connect and arbitrarily cause the port to start trunking
and therefore pass all VLAN information.
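Both hopping techniques from QUESTION 101, 103 and 105, as an added example (not code from the original page): real 802.1Q framing built with struct, a simplified model of an access port, a trunk egress and the downstream trunk ingress, and a DTP negotiation function for the switch-spoofing case. It shows that the double-tagged frame only reaches the target VLAN when the attacker's access VLAN equals the trunk's native VLAN, that moving the native VLAN or tagging it defeats the attack, and that a dynamic auto port accepts a trunk from an attacker sending DTP desirable while nonegotiate does not. The switch behavior (accepting frames tagged with the port's own access VLAN on an access port, native-VLAN untagging, the DTP mode matrix) is a model, and the MAC addresses and VLAN numbers are constructed.

```python
# Added example, not part of the original page: the VLAN hopping techniques modelled on
# real 802.1Q framing. Switch behaviour is a simplified model; MACs and VLANs are constructed.
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, vlan_tags, payload, ethertype=ETH_P_IP):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first (PCP/DEI = 0)."""
    frame = mac_bytes(dst) + mac_bytes(src)
    for vid in vlan_tags:
        frame += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (list of VLAN IDs outermost first, inner ethertype, payload)."""
    offset, tags = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if etype != ETH_P_8021Q:
            return tags, etype, frame[offset:]
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        tags.append(tci & 0x0FFF)


def pop_tag(frame):
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid) + frame[12:]


def access_ingress(frame, access_vlan):
    """Access port model: untagged frames and frames tagged with the access VLAN are accepted."""
    tags, _, _ = parse_tags(frame)
    if not tags:
        return access_vlan, frame
    if tags[0] == access_vlan:
        return access_vlan, pop_tag(frame)     # only the outer tag is removed
    return None, None                          # tagged with a foreign VLAN: dropped


def trunk_egress(vlan, frame, native_vlan, tag_native=False):
    """802.1Q trunk: the native VLAN leaves untagged unless 'vlan dot1q tag native' is set."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Downstream switch: a tagged frame belongs to its tag, an untagged one to the native VLAN."""
    tags, _, _ = parse_tags(frame)
    return (tags[0], pop_tag(frame)) if tags else (native_vlan, frame)


def double_tag_hop(attacker_vlan, target_vlan, native_vlan, tag_native=False):
    """VLAN in which the attacker's double-tagged frame lands at the next switch (None = dropped)."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:0c:29:aa:bb:cc",
                        [attacker_vlan, target_vlan], b"\x45" + b"\x00" * 19)
    vlan, frame = access_ingress(frame, attacker_vlan)
    if vlan is None:
        return None
    on_wire = trunk_egress(vlan, frame, native_vlan, tag_native)
    landed_vlan, _ = trunk_ingress(on_wire, native_vlan)
    return landed_vlan


def dtp_negotiate(local, remote, local_nonegotiate=False, remote_nonegotiate=False):
    """Does a trunk form? Modes: access | trunk | dynamic auto | dynamic desirable."""
    if local_nonegotiate or remote_nonegotiate:
        return local == "trunk" and remote == "trunk"    # no DTP: both must be static trunks
    if "access" in (local, remote):
        return False
    active = {"trunk", "dynamic desirable"}
    return local in active or remote in active             # auto + auto never trunks


if __name__ == "__main__":
    print("native = attacker VLAN :", double_tag_hop(10, 20, native_vlan=10))
    print("native = unused VLAN   :", double_tag_hop(10, 20, native_vlan=999))
    print("native tagged          :", double_tag_hop(10, 20, native_vlan=10, tag_native=True))
    print("attacker desirable vs auto port:", dtp_negotiate("dynamic desirable", "dynamic auto"))
    print("attacker desirable vs access+nonegotiate:",
          dtp_negotiate("dynamic desirable", "access", remote_nonegotiate=True))
```

The first call returns 20 (the attacker's frame surfaces in the target VLAN one switch away, and the victim cannot answer, so this is a one-way attack); the two hardened configurations return 10. The DTP calls show why a port left at dynamic auto is the switch-spoofing entry point and why the fix is an access port with negotiation disabled.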
QUESTION 106
When you create a network implementation for a VLAN solution what is one procedure that you
should include in your plan?
A. Perform an incremental implementation of components.
B. Implement the entire solution and then test end-to-end to make sure that it is performing as designed.
C. Implement trunking of all VLANs to ensure that traffic is crossing the network as needed before performing
any pruning of VLANs.
D. Test the solution on the production network in off hours.
Answer: A
Explanation:
Cisco recommendations for implementation plan have the following items:
Some examples of organizational objectives when developing a VLAN implementation plan could
include: improving customer support increasing competitiveness and reducing costs.
When creating a VLAN implementation plan it is critical to have a summary implementation plan
that lays out the implementation overview.
Incremental implementation of components is the recommended approach when defining a VLAN
implementation plan.
QUESTION 107
You have just created a new VLAN on your network. What is one step that you should include in
your VLAN-based implementation and verification plan?
A. Verify that different native VLANs exist between two switches for security purposes.
B. Verify that the VLAN was added on all switches with the use of the show vlan command.
C. Verify that the switch is configured to allow for trunking on the switch ports.
D. Verify that each switch port has the correct IP address space assigned to it for the new VLAN.
Answer: B
Explanation:
As part of verification plan you have to verify that the VLAN was added on all switches. The
command show vlan can be used for this purpose.
http://www.ccnpguide.com/design-documentation/
QUESTION 108
Which two statements describe a routed switch port on a multilayer switch? (Choose two.)
A. Layer 2 switching and Layer 3 routing are mutually supported.
B. The port is not associated with any VLAN.
C. The routed switch port supports VLAN subinterfaces.
D. The routed switch port is used when a switch has only one port per VLAN or subnet.
E. The routed switch port ensures that STP remains in the forwarding state.
Answer: BD
Explanation:
A routed port is a physical port that acts like a port on a router it does not have to be connected to
a router. A routed port is not associated with a particular VLAN as is an access port. A routed port
behaves like a regular router interface except that it does not support VLAN subinterfaces.
Routed ports can be configured with a Layer 3 routing protocol. A routed port is a Layer 3 interface
only and does not support Layer 2 protocols such as DTP and STP. You can configure routed
ports by putting the interface into Layer 3 mode with the no switchport interface configuration
command. Then you have to assign an IP address to the port enable routing and assign routing
protocol characteristics by using the ip routing and router protocol global configuration commands.
QUESTION 109
Which two statements correctly describe VTP? (Choose two.)
A. Transparent mode always has a configuration revision number of 0.
B. Transparent mode cannot modify a VLAN database.
C. Client mode cannot forward received VTP advertisements.
D. Client mode synchronizes its VLAN database from VTP advertisements.
E. Server mode can synchronize across VTP domains.
Answer: AD
Explanation:
A VTP-enabled switch resets its configuration revision number to 0 when its mode is set to
transparent. Switches in both client and server mode synchronize their VLAN database from VTP
advertisements received in their own domain; a transparent switch forwards advertisements but does
not apply them and can still modify its local VLAN database, so B is wrong.
QUESTION 110
Which two DTP modes permit trunking between directly connected switches? (Choose two.)
A. dynamic desirable (VTP domain A) to dynamic desirable (VTP domain A)
B. dynamic desirable (VTP domain A) to dynamic desirable (VTP domain B)
C. dynamic auto (VTP domain A) to dynamic auto (VTP domain A)
D. dynamic auto (VTP domain A) to dynamic auto (VTP domain B)
E. dynamic auto (VTP domain A) to nonegotiate (VTP domain A)
F. nonegotiate (VTP domain A) to nonegotiate (VTP domain B)
Answer: AF
Explanation:
There are three DTP modes of operation:
Trunk
Dynamic desirable
Dynamic auto
For dynamic trunking (DTP) to succeed, the VTP domain names on both sides of the trunk must
match. DTP can also be turned off with the switchport nonegotiate command; in that case the VTP
domain names do not have to match, but both ports must be statically configured with switchport
mode trunk. Of the three DTP modes, dynamic auto is passive: a trunk is never formed if both sides
use it.
QUESTION 111
Which two RSTP port roles include the port as part of the active topology? (Choose two.)
A. root
B. designated
C. alternate
D. backup
E. forwarding
F. learning
Answer: AB
Explanation:
RSTP defines four port roles:
Root port
Designated port
Alternate port
Backup port and three port states:
Discarding
Learning
Forwarding
Only the root ports and designated ports belong to the active STP topology.

QUESTION 112
Which two statements correctly describe characteristics of the PortFast feature? (Choose two.)
A. STP is disabled on the port.
B. PortFast can also be configured on trunk ports.
C. PortFast is needed to enable port-based BPDU guard.
D. PortFast is used for STP and RSTP host ports.
E. PortFast is used for STP-only host ports.

Answer: BD
Explanation:
Catalyst switches offer the PortFast feature which shortens the Listening and Learning states to a
negligible amount of time. When a workstation link comes up the switch immediately moves the
PortFast port into the Forwarding state. Spanning-tree loop detection is still in operation however
and the port moves into the Blocking state if a loop is ever detected on the port. You can use
PortFast to connect a single end station or a switch port to a switch port. If you enable PortFast on
a port that is connected to another Layer 2 device such as a switch you might create network
loops. When PortFast is enabled between two switches the system will verify that there are no
loops in the network before bringing the blocking trunk to a forwarding state.

QUESTION 114
Which statement correctly describes the Cisco implementation of RSTP?
A. PortFast UplinkFast and BackboneFast specific configurations are ignored in Rapid PVST mode.
B. RSTP is enabled globally and uses existing STP configuration.
C. Root and alternative ports transition immediately to the forwarding state.
D. Convergence is improved by using subsecond timers for the blocking listening learning and forwarding
port states.

Answer: B
Explanation:
By default a switch operates in Per-VLAN Spanning Tree Plus (PVST+) mode using traditional
802.1D STP. Therefore RSTP cannot be used until a different spanning-tree mode (MST or
RPVST+) is enabled. Remember that RSTP is just the underlying mechanism that a spanning-tree
mode can use to detect topology changes and converge a network into a loop-free topology.

QUESTION 115
What is the effect of applying the "switchport trunk encapsulation dot1q" command to a port on a
Cisco Catalyst switch?
A. By default native VLAN packets going out this port are tagged.
B. Without an encapsulation command 802.1Q is the default encapsulation if DTP fails to negotiate a
trunking protocol.
C. The interface supports the reception of tagged and untagged traffic.
D. If the device connected to this port is not 802.1Q-enabled it is unable to handle 802.1Q packets.
Answer: C
QUESTION 116
Refer to the exhibit. DHCP snooping is enabled for selected VLANs to provide security on the
network. How do the switch ports handle the DHCP messages?
A. A DHCPOFFER packet from a DHCP server received on Ports Fa2/1 and Fa2/2 is dropped.
B. A DHCP packet received on ports Fa2/1 and Fa2/2 is dropped if the source MAC address and the
DHCP client hardware address does not match Snooping database.
C. A DHCP packet received on ports Fa2/1 and Fa2/2 is forwarded without being tested.
D. A DHCPRELEASE message received on ports Fa2/1 and Fa2/2 has a MAC address in the DHCP
snooping binding database but the interface information in the binding database does not match
the interface on which the message was received and is dropped.
Answer: C
Explanation:
DHCP snooping classifies ports as trusted or untrusted. Trusted ports may send all types of DHCP
messages and are not inspected. Untrusted ports may send only client messages (DISCOVER,
REQUEST, RELEASE, DECLINE, INFORM); a DHCP server message (OFFER, ACK, NAK) received on
an untrusted port is dropped, and the port is err-disabled only if a configured DHCP rate limit is
exceeded. In this case Fa2/1 and Fa2/2 are trusted (any DHCP message is forwarded without being
tested), while Fa3/1 is untrusted (only client messages are allowed, and they are checked against
the snooping binding database).
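The checks described above, as an added example that is not code from the original page: a DHCP snooping model with trusted and untrusted ports that drops server messages from untrusted ports, verifies that the frame's source MAC matches the DHCP client hardware address (the default ip dhcp snooping verify mac-address check), builds bindings from DHCPACKs seen on trusted ports, rejects a DHCPRELEASE or DHCPDECLINE arriving on a different port than the one in the binding, and err-disables an untrusted port that exceeds a rate limit. The port names (Fa2/1, Fa2/2 trusted; Fa3/1, Fa3/2 untrusted), MACs, addresses and message sequence are constructed.

```python
# Added example, not part of the original page: a model of the DHCP snooping checks on
# trusted and untrusted ports. Port names, MAC and IP addresses are constructed.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}
CLIENT_MESSAGES = {"DHCPDISCOVER", "DHCPREQUEST", "DHCPRELEASE", "DHCPDECLINE", "DHCPINFORM"}


class DhcpSnooping:
    def __init__(self, vlans, trusted_ports, verify_mac=True, rate_limit=None):
        self.vlans = set(vlans)                # ip dhcp snooping vlan ...
        self.trusted = set(trusted_ports)      # ip dhcp snooping trust
        self.verify_mac = verify_mac           # ip dhcp snooping verify mac-address (default on)
        self.rate_limit = rate_limit           # ip dhcp snooping limit rate <pps> (untrusted ports)
        self.bindings = {}                     # client MAC -> {"ip", "vlan", "port"}
        self.pending = {}                      # client MAC -> untrusted port that sent the request
        self.errdisabled = set()
        self.pps = {}                          # port -> packets seen in the current second

    def tick(self):
        """Start a new one-second window for the rate limiter."""
        self.pps.clear()

    def handle(self, port, vlan, msg, src_mac, chaddr, yiaddr=None):
        """Return 'forward', 'drop' or 'errdisable' for one DHCP packet."""
        if port in self.errdisabled:
            return "drop"
        if vlan not in self.vlans:
            return "forward"                   # VLAN not snooped: no inspection at all
        if port in self.trusted:
            if msg == "DHCPACK" and chaddr in self.pending:
                # A server answer seen on a trusted port creates the client's binding entry.
                self.bindings[chaddr] = {"ip": yiaddr, "vlan": vlan,
                                         "port": self.pending.pop(chaddr)}
            return "forward"                   # trusted: forwarded without being tested
        # Untrusted port from here on.
        self.pps[port] = self.pps.get(port, 0) + 1
        if self.rate_limit is not None and self.pps[port] > self.rate_limit:
            self.errdisabled.add(port)
            return "errdisable"
        if msg in SERVER_MESSAGES:
            return "drop"                      # rogue DHCP server on an access port
        if self.verify_mac and src_mac != chaddr:
            return "drop"                      # spoofed client hardware address
        if msg in ("DHCPRELEASE", "DHCPDECLINE"):
            binding = self.bindings.get(chaddr)
            if binding and binding["port"] != port:
                return "drop"                  # release for a lease that lives on another port
        if msg in ("DHCPDISCOVER", "DHCPREQUEST"):
            self.pending[chaddr] = port
        return "forward"


if __name__ == "__main__":
    snoop = DhcpSnooping(vlans=[10], trusted_ports=["Fa2/1", "Fa2/2"])
    client, server = "00:aa:bb:cc:dd:01", "00:11:22:33:44:55"
    print(snoop.handle("Fa3/1", 10, "DHCPDISCOVER", client, client))            # forward
    print(snoop.handle("Fa3/1", 10, "DHCPOFFER", "00:de:ad:be:ef:00", client))  # drop (rogue)
    print(snoop.handle("Fa2/1", 10, "DHCPACK", server, client, "10.0.10.5"))    # forward, binding
    print(snoop.handle("Fa3/2", 10, "DHCPRELEASE", client, client))             # drop (wrong port)
```

The bindings dictionary is what Dynamic ARP Inspection and IP Source Guard later consult, which is why the per-port check on RELEASE/DECLINE matters: without it an attacker on another port could tear down a neighbor's lease and then claim its address.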
QUESTION 117
Refer to the exhibit and the partial configuration on routers R1 and R2. HSRP is configured on the
network to provide network redundancy for the IP traffic. The network administrator noticed that
R2 does not become active when the R1 serial0 interface goes down. What should be changed in
the configuration to fix the problem?
A. R2 should be configured with an HSRP virtual address.
B. R2 should be configured with a standby priority of 100.
C. The Serial0 interface on router R2 should be configured with a decrement value of 20.
D. The Serial0 interface on router R1 should be configured with a decrement value of 20.

Answer: D
Explanation:
You can configure a router to preempt, that is, to immediately take over the active role whenever
its priority is the highest in the group. Use the following interface configuration command to allow
preemption:
Router(config-if)# standby group preempt [delay seconds]
By default the router preempts immediately; the delay keyword makes it wait the given number of
seconds before becoming active, which is usually done when routing protocols need time to converge.
In this scenario the failure of R1's Serial0 does not make R2 active because R1's priority minus the
tracking decrement is still not lower than R2's priority. Answer D raises the decrement for Serial0 on
R1 to 20 so that R1's effective priority drops below R2's when Serial0 goes down; R2 must also be
configured with standby preempt for the takeover to happen.
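The priority, tracking and preemption rules behind QUESTION 104 and QUESTION 117, as an added example that is not code from the original page: an HSRP router model whose effective priority is the configured priority minus the decrement of every tracked interface that is down, and an election function in which a standby takes over only if the active router is gone or if the standby preempts with a strictly higher effective priority. The Q104 scenario uses Switch_A at priority 200 with the default decrement of 10 against a standby at defaults; the Q117 scenario uses assumed priorities of 110 for R1 and 100 for R2 (both with preempt), which are constructed since the exhibit is not reproduced here, and shows why a decrement of 10 leaves R1 active while 20 hands the role to R2.

```python
# Added example, not part of the original page: HSRP priority, interface tracking and
# preemption deciding the active router. Router names, priorities and IPs are constructed.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100                          # IOS default priority
    preempt: bool = False                        # IOS default: no preemption
    tracks: dict = field(default_factory=dict)   # tracked interface -> decrement (IOS default 10)
    down: set = field(default_factory=set)       # tracked interfaces currently down
    alive: bool = True                           # False once hellos are missed for the hold time

    def effective_priority(self):
        """Configured priority minus the decrement of every tracked interface that is down."""
        return self.priority - sum(dec for intf, dec in self.tracks.items() if intf in self.down)


def best_candidate(routers):
    """Highest effective priority wins; ties go to the highest IP address."""
    live = [r for r in routers if r.alive]
    return max(live, key=lambda r: (r.effective_priority(), int(ipaddress.IPv4Address(r.ip))))


def elect(routers, current_active=None):
    """Active router after an event. A standby takes over only if the active is gone, or if
    it has preempt configured and a strictly higher effective priority."""
    if current_active is None or not current_active.alive:
        return best_candidate(routers)
    best = best_candidate(routers)
    if best is current_active or not best.preempt:
        return current_active
    if best.effective_priority() > current_active.effective_priority():
        return best
    return current_active


def scenario_q104():
    """Switch_A: priority 200, track Fa1/1 with the default decrement; standby at defaults."""
    switch_a = HsrpRouter("Switch_A", "10.1.1.2", priority=200, preempt=True, tracks={"Fa1/1": 10})
    standby = HsrpRouter("Standby", "10.1.1.3")
    active = elect([switch_a, standby])
    switch_a.down.add("Fa1/1")
    return switch_a.effective_priority(), elect([switch_a, standby], active).name


def scenario_q117(decrement):
    """Assumed R1 priority 110 tracking Serial0; R2 priority 100 with preempt. Active after the failure?"""
    r1 = HsrpRouter("R1", "192.168.1.2", priority=110, preempt=True, tracks={"Serial0": decrement})
    r2 = HsrpRouter("R2", "192.168.1.3", priority=100, preempt=True)
    active = elect([r1, r2])
    r1.down.add("Serial0")
    return elect([r1, r2], active).name


if __name__ == "__main__":
    print("Q104: Switch_A priority after Fa1/1 down, active ->", scenario_q104())
    print("Q117 with decrement 10, active ->", scenario_q117(10))
    print("Q117 with decrement 20, active ->", scenario_q117(20))
```

With a decrement of 10 the two routers end up at equal priority and equality is not enough to preempt, so R1 stays active; the decrement has to push R1 strictly below R2, which is the point of answer D. A dead active router (alive set to False) is replaced by the best remaining router whether or not it preempts.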

QUESTION 118
Which two statements concerning STP state changes are true? (Choose two.)
A. Upon bootup a port transitions from blocking to forwarding because it assumes itself as root.
B. Upon bootup a port transitions from blocking to listening because it assumes itself as root.
C. Upon bootup a port transitions from listening to forwarding because it assumes itself as root.
D. If a forwarding port receives no BPDUs by the max_age time limit it will transition to listening.
E. If a forwarding port receives an inferior BPDU it will transition to listening.
F. If a blocked port receives no BPDUs by the max_age time limit it will transition to listening.
Answer: BF
QUESTION 119
Refer to the exhibit. For what purpose is the command show ip cef used?
A. to display rewritten IP unicast packets
B. to display ARP resolution packets
C. to display ARP throttling
D. to display TCAM matches
E. to display CEF-based MLS lookups
F. to display entries in the Forwarding Information Base (FIB)
Answer: F
QUESTION 120
What will occur when a nonedge switch port that is configured for Rapid Spanning Tree does not
receive a BPDU from its neighbor for three consecutive hello time intervals?
A. RSTP information is automatically aged out.
B. The port sends a TCN to the root bridge.
C. The port moves to listening state.
D. The port becomes a normal spanning tree port.
Answer: A
QUESTION 121
Refer to the exhibit. Which statement is true about the output?
A. The port on switch CAT1 is forwarding and sending BPDUs correctly.
B. The port on switch CAT1 is blocking and sending BPDUs correctly.
C. The port on switch CAT2 is forwarding and receiving BPDUs correctly.
D. The port on switch CAT2 is blocking and sending BPDUs correctly.
E. The port on switch CAT3 is forwarding and receiving BPDUs correctly.
F. The port on switch CAT3 is forwarding sending and receiving BPDUs correctly.
Answer: A
QUESTION 122
Which three statements about STP timers are true? (Choose three.)
A. STP timer values (hello, forward delay, max age) are included in each BPDU.
B. A switch is not concerned about its local configuration of the STP timer values. It will only
consider the value of the STP timers contained in the BPDU it is receiving.
C. To successfully exchange BPDUs between two switches, their STP timer values (hello, forward
delay, max age) must be the same.
D. If any STP timer value (hello, forward delay, max age) needs to be changed, it should at least be
changed on the root bridge and backup root bridge.
E. On a switched network with a small network diameter, the STP hello timer can be tuned to a lower
value to decrease the load on the switch CPU.
F. The root bridge passes the timer information in BPDUs to all routers in the Layer 3 configuration.
Answer: ABD
QUESTION 123
Based on the show spanning-tree vlan 200 output shown in the exhibit, which two statements
about the STP process for VLAN 200 are true? (Choose two.)
A. BPDUs will be sent out every two seconds.
B. The time spent in the listening state will be 30 seconds.
C. The time spent in the learning state will be 15 seconds.
D. The maximum length of time that the BPDU information will be saved is 30 seconds.
E. This switch is the root bridge for VLAN 200.
F. BPDUs will be sent out every 10 seconds.
Answer: BF
QUESTION 124
Which three statements about the MST protocol (IEEE 802.1s) are true? (Choose three.)
A. To verify the MST configuration, the show pending command can be used in MST configuration mode.
B. When RSTP and MSTP are configured, UplinkFast and BackboneFast must also be enabled.
C. All switches in the same MST region must have the same VLAN-to-instance mapping but different
configuration revision numbers.
D. All switches in an MST region except distribution layer switches should have their priority lowered from
the default value 32768.
E. An MST region is a group of MST switches that appear as a single virtual bridge to adjacent CST and
MST regions.
F. Enabling MST with the "spanning-tree mode mst" global configuration command also enables RSTP.
Answer: AEF
QUESTION 125
Refer to the show spanning-tree mst configuration output shown in the exhibit. What should be
changed in the configuration of the switch SW_2 in order for it to participate in the same MST
region?
A. Switch SW_2 must be configured with the revision number of 2.
B. Switch SW_2 must be configured with a different VLAN range.
C. Switch SW_2 must be configured with the revision number of 1.
D. Switch SW_2 must be configured with a different MST name.
Answer: C
QUESTION 126
Refer to the exhibit. Which interface or interfaces on switch SW_A can have the port security
feature enabled?
A. Ports 0/1 and 0/2
B. The trunk port 0/22 and the EtherChannel ports
C. Ports 0/1, 0/2 and 0/3
D. Ports 0/1, 0/2, 0/3, the trunk port 0/22 and the EtherChannel ports
E. Port 0/1
F. Ports 0/1, 0/2, 0/3 and the trunk port 0/22
Answer: C
QUESTION 127
Which two statements about the HSRP priority are true? (Choose two.)
A. To assign the HSRP router priority in a standby group, the standby group-number priority priority-value
global configuration command must be used.
B. The default priority of a router is zero (0).
C. The no standby priority command assigns a priority of 100 to the router.
D. Assuming that preempting has also been configured, the router with the lowest priority in an HSRP
group would become the active router.
E. When two routers in an HSRP standby group are configured with identical priorities, the router with
the highest configured IP address will become the active router.
Answer: CE
QUESTION 128
Refer to the exhibit. The Gateway Load Balancing Protocol has been configured on routers R1
and R2 and hosts A and B have been configured as shown. Which statement can be derived from
the exhibit?
A. The host A default gateway has been configured as 10.88.1.10/24.
B. The GLBP weighted load balancing mode has been configured.
C. The GLBP round-robin load-balancing mode has been configured.
D. The GLBP host-dependent load-balancing mode has been configured.
E. The host A default gateway has been configured as 10.88.1.1/24.
F. The host A default gateway has been configured as 10.88.1.4/24.
Answer: A
QUESTION 129
Refer to the exhibit. What is the result of setting GLBP weighting at 105 with lower threshold 90
and upper threshold 100 on this router?
A. Only if both tracked objects are up will this router be available as an AVF for group 1.
B. Only if the state of both tracked objects goes down will this router release its status as an AVF for
group 1.
C. If both tracked objects go down and then one comes up but the other remains down, this router
will be available as an AVF for group 1.
D. This configuration is incorrect and will not have any effect on GLBP operation.
E. If the state of one tracked object goes down then this router will release its status as an AVF for group 1.
Answer: B
QUESTION 130
Which three statements are true about CEF? (Choose three.)
A. The FIB table is derived from the IP routing table.
B. The adjacency table is derived from the ARP table.
C. CEF IP destination prefixes are stored in the TCAM table from the least specific to the most
specific entry.
D. When the CEF TCAM table is full, packets are dropped.
E. When the adjacency table is full, a CEF TCAM table entry points to the Layer 3 engine to redirect
the adjacency.
F. The FIB lookup is based on the Layer 3 destination address prefix (shortest match).
Answer: ABE
QUESTION 131
Refer to the exhibit. Which two statements are true about the output from the "show standby vlan
50" command? (Choose two.)
A. Catalyst_A is load sharing traffic in VLAN 50.
B. Hosts using the default gateway address of 192.168.1.2 will have their traffic sent to Catalyst_A.
C. The command standby 1 preempt was added to Catalyst_A.
D. Hosts using the default gateway address of 192.168.1.1 will have their traffic sent to 192.168.1.11
even after Catalyst_A becomes available again.
Answer: AC
QUESTION 132
Refer to the exhibit. Which two statements are true? (Choose two.)
A. It is displaying the AutoQos configuration that was initially applied.
B. The switch does not trust the CoS values of a Cisco IP phone attached to port Fa0/3.
C. The show auto qos command shows the user-defined QoS settings.
D. The show auto qos command does not display user configuration changes currently in effect.
E. Interface Fa0/3 trusts all CoS values.
F. The trust boundary is not on this switch.
Answer: AD
QUESTION 133
A switch that is to be added to the production network has been preconfigured (trunks, VLANs,
VTP and STP) and was tested in your lab. After installing the switch into the network, the entire
network went down. What might explain what happened?
A. The new switch happened to be running Cisco Catalyst operating system while the other network
switches were running Cisco IOS Software.
B. The configuration revision of the new switch was higher than the configuration revision of the
production VTP domain.
C. The link costs on the new switch are set to a high value causing all ports on the new switch to
go into a forwarding mode and none into blocking mode thereby causing a spanning-tree loop.
D. The ports connecting to the two switches have been configured incorrectly. One side has the
command switchport mode access and the other switchport mode trunk.
Answer: B
QUESTION 134
Refer to the exhibit. Based on the output of the show spanning-tree command, which statement is
true?
A. Switch SW1 has been configured with the spanning-tree vlan 1 root primary global configuration
command.
B. Switch SW1 has been configured with the spanning-tree vlan 1 root secondary global configuration
command.
C. Switch SW1 has been configured with the spanning-tree vlan 1 priority 24577 global configuration
command.
D. Switch SW1 has been configured with the spanning-tree vlan 1 hello-time 2 global configuration
command.
E. The root bridge has been configured with the spanning-tree vlan 1 root secondary global configuration
command.
Answer: B
QUESTION 135
Refer to the exhibit. On the basis of the output of the show spanning-tree inconsistentports
command, which statement about interfaces FastEthernet 0/1 and FastEthernet 0/2 is true?
A. They have been configured with the spanning-tree bpdufilter disable command.
B. They have been configured with the spanning-tree bpdufilter enable command.
C. They have been configured with the spanning-tree bpduguard disable command.
D. They have been configured with the spanning-tree bpduguard enable command.
E. They have been configured with the spanning-tree guard loop command.
F. They have been configured with the spanning-tree guard root command.

Answer: F