Implementing Cisco Switched Networks Part 1
Exam Vendor: Cisco
Exam Code: Cisco-642-813
Exam Name: CCNA

QUESTION 1
Which statement is true about RSTP topology changes?
A. Any change in the state of the port generates a TC BPDU.
B. Only nonedge ports moving to the forwarding state generate a TC BPDU.
C. If either an edge port or a nonedge port moves to a block state, then a TC BPDU is generated.
D. Only edge ports moving to the blocking state generate a TC BPDU.
E. Any loss of connectivity generates a TC BPDU.
Correct Answer: B
Section: Module 3: STP, RSTP, MSTP
Explanation
Explanation/Reference:
Explanation:
The IEEE 802.1D Spanning Tree Protocol was designed to keep a switched or bridged network loop free, with
adjustments made to the network topology dynamically. A topology change typically takes 30 seconds, where a
port moves from the Blocking state to the Forwarding state after two intervals of the Forward Delay timer. As
technology has improved, 30 seconds has become an unbearable length of time to wait for a production
network to failover or "heal" itself during a problem.
Topology Changes and RSTP
Recall that when an 802.1D switch detects a port state change (either up or down), it signals the Root Bridge by
sending topology change notification (TCN) BPDUs. The Root Bridge must then signal a topology change by
sending out a TCN message that is relayed to all switches in the STP domain. RSTP detects a topology change
only when a nonedge port transitions to the Forwarding state. This might seem odd because a link failure is not
used as a trigger. RSTP uses all of its rapid convergence mechanisms to prevent bridging loops from forming.
Therefore, topology changes are detected only so that bridging tables can be updated and corrected as hosts
appear first on a failed port and then on a different functioning port. When a topology change is detected, a
switch must propagate news of the change to other switches in the network so they can correct their bridging
tables, too. This process is similar to the convergence and synchronization mechanism: topology change (TC)
messages propagate through the network in an ever-expanding wave.
QUESTION 2
Refer to the exhibit.



Which four statements about this GLBP topology are true? (Choose four.)
A. Router A is responsible for answering ARP requests sent to the virtual IP address.
B. If router A becomes unavailable, router B forwards packets sent to the virtual MAC address of router A.
C. If another router is added to this GLBP group, there would be two backup AVGs.
D. Router B is in GLBP listen state.
E. Router A alternately responds to ARP requests with different virtual MAC addresses.
F. Router B transitions from blocking state to forwarding state when it becomes the AVG.
Correct Answer: ABDE
Section: Module 6: HSRP, VRRP, GLBP
Explanation
Explanation/Reference:
Explanation:
With GLBP the following is true:
With GLBP, there is 1 AVG and 1 standby VG. In this case Company1 is the AVG and Company2 is the standby.
Company2 would act as an AVF and would already be forwarding and routing packets.
Any additional routers would be in a listen state.
In its role as the active VG performing load balancing, Company1 responds to ARP requests with different virtual
MAC addresses.
In this scenario, Company2 is the standby VF for the VMAC 0008.b400.0101 and would become the active VF
if Company1 were down.
As the active VG, Company1's primary responsibility is to answer ARP requests for the virtual IP address.
As an AVF, Company2 is already forwarding/routing packets.



QUESTION 3
Refer to the exhibit.
Which VRRP statement about the roles of the master virtual router and the backup virtual router is true?
A. Router A is the master virtual router, and router B is the backup virtual router. When router A fails, router B
becomes the master virtual router. When router A recovers, router B maintains the role of master virtual
router.
B. Router A is the master virtual router, and router B is the backup virtual router. When router A fails, router B
becomes the master virtual router. When router A recovers, it regains the master virtual router role.
C. Router B is the master virtual router, and router A is the backup virtual router. When router B fails, router A
becomes the master virtual router. When router B recovers, router A maintains the role of master virtual
router.
D. Router B is the master virtual router, and router A is the backup virtual router. When router B fails, router A
becomes the master virtual router. When router B recovers, it regains the master virtual router role.
Correct Answer: B
Section: Module 6: HSRP, VRRP, GLBP
Explanation
Explanation/Reference:
Explanation:
QUESTION 4
Which description correctly describes a MAC address flooding attack?
A. The attacking device crafts ARP replies intended for valid hosts. The MAC address of the attacking device
then becomes the destination address found in the Layer 2 frames sent by the valid network device.
B. The attacking device crafts ARP replies intended for valid hosts. The MAC address of the attacking device
then becomes the source address found in the Layer 2 frames sent by the valid network device.
C. The attacking device spoofs a destination MAC address of a valid host currently in the CAM table. The
switch then forwards frames destined for the valid host to the attacking device.
D. The attacking device spoofs a source MAC address of a valid host currently in the CAM table.
The switch then forwards frames destined for the valid host to the attacking device.
E. Frames with unique, invalid destination MAC addresses flood the switch and exhaust CAM table space. The
result is that new entries cannot be inserted because of the exhausted CAM table space, and traffic is
subsequently flooded out all ports.
F. Frames with unique, invalid source MAC addresses flood the switch and exhaust CAM table space. The
result is that new entries cannot be inserted because of the exhausted CAM table space, and traffic is
subsequently flooded out all ports.
Correct Answer: F
Section: Module 7: Security, Dot1X
Explanation
Explanation/Reference:
Explanation:
QUESTION 5
Refer to the exhibit.



An attacker is connected to interface Fa0/11 on switch A-SW2 and attempts to establish a DHCP server for a
man-in-the-middle attack. Which recommendation, if followed, would mitigate this type of attack?
A. All switch ports in the Building Access block should be configured as DHCP trusted ports.
B. All switch ports in the Building Access block should be configured as DHCP untrusted ports.
C. All switch ports connecting to hosts in the Building Access block should be configured as DHCP trusted
ports.
D. All switch ports connecting to hosts in the Building Access block should be configured as DHCP untrusted
ports.
E. All switch ports in the Server Farm block should be configured as DHCP untrusted ports.
F. All switch ports connecting to servers in the Server Farm block should be configured as DHCP untrusted
ports.
Correct Answer: D
Section: Module 7: Security, Dot1X
Explanation
Explanation/Reference:
Explanation:
One of the ways that an attacker can gain access to network traffic is to spoof responses that would be sent by
a valid DHCP server. The DHCP spoofing device replies to client DHCP requests. The legitimate server may
reply also, but if the spoofing device is on the same segment as the client, its reply to the client may arrive first.
The intruder's DHCP reply offers an IP address and supporting information that designates the intruder as the
default gateway or Domain Name System (DNS) server. In the case of a gateway, the clients will then forward
packets to the attacking device, which will in turn send them to the desired destination. This is referred to as a
"man-in-the-middle" attack, and it may go entirely undetected as the intruder intercepts the data flow through
the network. Untrusted ports are those that are not explicitly configured as trusted. A DHCP binding table is built
for untrusted ports. Each entry contains the client MAC address, IP address, lease time, binding type, VLAN
number, and port ID recorded as clients make DHCP requests. The table is then used to filter subsequent
DHCP traffic. From a DHCP snooping perspective, untrusted access ports should not send any DHCP server
responses, such as DHCPOFFER, DHCPACK, DHCPNAK.
QUESTION 6
Refer to the exhibit.
The web servers WS_1 and WS_2 need to be accessed by external and internal users. For security reasons,
the servers should not communicate with each other, although they are located on the same subnet. However,
the servers do need to communicate with a database server located in the inside network. Which configuration
isolates the servers from each other?
A. The switch ports 3/1 and 3/2 are defined as secondary VLAN isolated ports. The ports connecting to the two
firewalls are defined as primary VLAN promiscuous ports.
B. The switch ports 3/1 and 3/2 are defined as secondary VLAN community ports. The ports connecting to the
two firewalls are defined as primary VLAN promiscuous ports.
C. The switch ports 3/1 and 3/2 and the ports connecting to the two firewalls are defined as primary VLAN
promiscuous ports.
D. The switch ports 3/1 and 3/2 and the ports connecting to the two firewalls are defined as primary VLAN
community ports.
Correct Answer: A
Section: Module 2: VLAN, PVLAN, Etherchannel
Explanation
Explanation/Reference:
Explanation:
Service providers often have devices from multiple clients, in addition to their own servers, on a single
Demilitarized Zone (DMZ) segment or VLAN. As security issues proliferate, it becomes necessary to provide
traffic isolation between devices, even though they may exist on the same Layer 3 segment and VLAN. Catalyst
6500/4500 switches implement PVLANs to keep some switch ports shared and some switch ports isolated,
although all ports exist on the same VLAN. The 2950 and 3550 support "protected ports," which provide
functionality similar to PVLANs on a per-switch basis.
A port in a PVLAN can be one of three types:
Isolated: An isolated port has complete Layer 2 separation from other ports within the same PVLAN, except for
the promiscuous port. PVLANs block all traffic to isolated ports, except the traffic from promiscuous ports.
Traffic received from an isolated port is forwarded to only promiscuous ports.
Promiscuous: A promiscuous port can communicate with all ports within the PVLAN, including the community
and isolated ports. The default gateway for the segment would likely be hosted on a promiscuous port, given
that all devices in the PVLAN will need to communicate with that port.
Community: Community ports communicate among themselves and with their promiscuous ports. These
interfaces are isolated at Layer 2 from all other interfaces in other communities, or in isolated ports within their
PVLAN.
QUESTION 7
What does the command "udld reset" accomplish?
A. allows a UDLD port to automatically reset when it has been shut down
B. resets all UDLD enabled ports that have been shut down
C. removes all UDLD configurations from interfaces that were globally enabled
D. removes all UDLD configurations from interfaces that were enabled per-port
Correct Answer: B
Section: Module 3: STP, RSTP, MSTP
Explanation
Explanation/Reference:
Explanation:
QUESTION 8
Refer to the exhibit.



Dynamic ARP Inspection is enabled only on switch SW_A. Host_A and Host_B acquire their IP addresses from
the DHCP server connected to switch SW_A. What would the outcome be if Host_B initiated an ARP spoof
attack toward Host_A ?
A. The spoof packets are inspected at the ingress port of switch SW_A and are permitted.
B. The spoof packets are inspected at the ingress port of switch SW_A and are dropped.
C. The spoof packets are not inspected at the ingress port of switch SW_A and are permitted.
D. The spoof packets are not inspected at the ingress port of switch SW_A and are dropped.
Correct Answer: C
Section: Module 7: Security, Dot1X
Explanation
Explanation/Reference:
Explanation:
When configuring DAI, follow these guidelines and restrictions:
• DAI is an ingress security feature; it does not perform any egress checking.
• DAI is not effective for hosts connected to routers that do not support DAI or that do not have this feature
enabled. Because man-in-the-middle attacks are limited to a single Layer 2 broadcast domain, separate the
domain with DAI checks from the one with no checking. This action secures the ARP caches of hosts in the
domain enabled for DAI.
• DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in
incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets that
have dynamically assigned IP addresses.
• When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to deny packets.
• DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
In our example, since Company2 does not have DAI enabled (bullet point 2 above), packets will not be inspected
and they will be permitted.
Reference:
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/dynarp.html
QUESTION 9
Which statement is true about Layer 2 security threats?
A. MAC spoofing, in conjunction with ARP snooping, is the most effective counter-measure against
reconnaissance attacks that use Dynamic ARP Inspection to determine vulnerable attack points.
B. DHCP snooping sends unauthorized replies to DHCP queries.
C. ARP spoofing can be used to redirect traffic to counter Dynamic ARP Inspection.
D. Dynamic ARP Inspection in conjunction with ARP spoofing can be used to counter DHCP snooping attacks.
E. MAC spoofing attacks allow an attacking device to receive frames intended for a different network host.
F. Port scanners are the most effective defense against Dynamic ARP Inspection.
Correct Answer: E
Section: Module 7: Security, Dot1X
Explanation
Explanation/Reference:
Explanation:
First of all, MAC spoofing is not an effective counter-measure against any reconnaissance attack; it IS an
attack! Furthermore, reconnaissance attacks don't use dynamic ARP inspection (DAI); DAI is a switch feature
used to prevent attacks.
QUESTION 10
What does the global configuration command "ip arp inspection vlan 10-12,15" accomplish?
A. validates outgoing ARP requests for interfaces configured on VLAN 10, 11, 12, or 15
B. intercepts all ARP requests and responses on trusted ports
C. intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings
D. discards ARP packets with invalid IP-to-MAC address bindings on trusted ports
Correct Answer: C
Section: Module 7: Security, Dot1X
Explanation
Explanation/Reference:
Explanation:
The "ip arp inspection" command enables Dynamic ARP Inspection (DAI) for the specified VLANs. DAI is a
security feature that validates Address Resolution Protocol (ARP) packets in a network. DAI allows a network
administrator to intercept, log, and discard ARP packets with invalid MAC address to IP address bindings. This
capability protects the network from certain "man-in-the-middle" attacks.
Reference:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/20ew/configuration/guide/dynarp.html
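As an added illustration (not part of the original dump or of Cisco's documentation), the following Catalyst IOS configuration ties together the DHCP snooping and Dynamic ARP Inspection behaviour described in questions 5, 8 and 10: snooping builds the binding table for VLAN 10, only the uplink toward the DHCP server is trusted, and DAI validates ARP on the untrusted access ports against that table. The VLAN number and interface names are assumptions.

```cisco
! Global: build the DHCP snooping binding table for VLAN 10 (VLAN number assumed)
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Global: enable DAI on the same VLAN; ARP packets on untrusted ports are checked
! against the DHCP snooping bindings and invalid ones are logged and dropped
ip arp inspection vlan 10
! Optional additional checks on the ARP payload (source/destination MAC, IP sanity)
ip arp inspection validate src-mac dst-mac ip
!
! Uplink toward the distribution layer and the legitimate DHCP server (name assumed):
! the only port allowed to originate DHCPOFFER/DHCPACK/DHCPNAK or unchecked ARP
interface GigabitEthernet1/0/1
 description UPLINK-TO-DHCP-SERVER
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Host-facing access ports stay untrusted (the default): DHCP server responses
! arriving here are dropped, ARP is inspected, and rate limits blunt a flood of
! DHCP or ARP packets from a single port
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
! Verification from exec mode:
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
```

A rate-limited port that exceeds its limit is placed in err-disabled state, so pair these limits with errdisable recovery if unattended recovery is wanted.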
QUESTION 11
Refer to the exhibit.
Host A has sent an ARP message to the default gateway IP address 10.10.10.1. Which statement is true?
A. Because of the invalid timers that are configured, DSw1 does not reply.
B. DSw1 replies with the IP address of the next AVF.
C. DSw1 replies with the MAC address of the next AVF.
D. Because of the invalid timers that are configured, DSw2 does not reply.
E. DSw2 replies with the IP address of the next AVF.
F. DSw2 replies with the MAC address of the next AVF.
Correct Answer: F
Section: Module 6: HSRP, VRRP, GLBP
Explanation
Explanation/Reference:
Explanation:
The Gateway Load Balancing Protocol (GLBP) is a Cisco-proprietary protocol designed to overcome the
limitations of existing redundant router protocols. Some of the concepts are the same as with HSRP/VRRP, but
the terminology is different and the behavior is much more dynamic and robust.
The trick behind this load balancing lies in the GLBP group. One router is elected the active virtual gateway
(AVG). This router has the highest priority value, or the highest IP address in the group, if there is no highest
priority. The AVG answers all ARP requests for the virtual router address. Which MAC address it returns
depends on which load-balancing algorithm it is configured to use. In any event, the virtual MAC address
supported by one of the routers in the group is returned. According to the exhibit, router Company2 is the active
virtual gateway (AVG) because it has the highest IP address while the priorities are equal. When router
Company1 sends the ARP message to 10.10.10.1, router Company2 replies to Company1 as the active virtual
gateway.
QUESTION 12
What are two methods of mitigating MAC address flooding attacks? (Choose two.)
A. Place unused ports in a common VLAN.
B. Implement private VLANs.
C. Implement DHCP snooping.
D. Implement port security.
E. Implement VLAN access maps
Correct Answer: DE
Section: Module 7: Security, Dot1X
Explanation
Explanation/Reference:
Explanation:
QUESTION 13
Refer to the exhibit.



What information can be derived from the output?
A. Interfaces FastEthernet3/1 and FastEthernet3/2 are connected to devices that are sending BPDUs with a
superior root bridge parameter and no traffic is forwarded across the ports. After the sending of BPDUs has
stopped, the interfaces must be shut down administratively, and brought back up, to resume normal
operation.
B. Devices connected to interfaces FastEthernet3/1 and FastEthernet3/2 are sending BPDUs with a superior
root bridge parameter, but traffic is still forwarded across the ports.
C. Devices connected to interfaces FastEthernet3/1 and FastEthernet3/2 are sending BPDUs with a superior
root bridge parameter and no traffic is forwarded across the ports. After the inaccurate BPDUs have been
stopped, the interfaces automatically recover and resume normal operation.
D. Interfaces FastEthernet3/1 and FastEthernet3/2 are candidates for becoming the STP root port, but neither
can realize that role until BPDUs with a superior root bridge parameter are no longer received on at least
one of the interfaces.
Correct Answer: C
Section: Module 3: STP, RSTP, MSTP
Explanation
Explanation/Reference:
Explanation:
QUESTION 14
What is one method that can be used to prevent VLAN hopping?
A. Configure ACLs.
B. Enforce username and password combinations.
C. Configure all frames with two 802.1Q headers.
D. Explicitly turn off DTP on all unused ports.
E. Configure VACLs.
Correct Answer: D
Section: Module 2: VLAN, PVLAN, Etherchannel
Explanation
Explanation/Reference:
Explanation:
When securing VLAN trunks, also consider the potential for an exploit called VLAN hopping. Here, an attacker
positioned on one access VLAN can craft and send frames with spoofed 802.1Q tags so that the packet
payloads ultimately appear on a totally different VLAN, all without the use of a router.
For this exploit to work, the following conditions must exist in the network configuration:
The attacker is connected to an access switch port.
The same switch must have an 802.1Q trunk.
The trunk must have the attacker's access VLAN as its native VLAN.
To prevent VLAN hopping, turn off Dynamic Trunking Protocol on all unused ports.
QUESTION 15
Why is BPDU guard an effective way to prevent an unauthorized rogue switch from altering the spanning-tree
topology of a network?
A. BPDU guard can guarantee proper selection of the root bridge.
B. BPDU guard can be utilized along with PortFast to shut down ports when a switch is connected to the port.
C. BPDU guard can be utilized to prevent the switch from transmitting BPDUs and incorrectly altering the root
bridge election.
D. BPDU guard can be used to prevent invalid BPDUs from propagating throughout the network.
Correct Answer: B
Section: Module 3: STP, RSTP, MSTP
Explanation
Explanation/Reference:
Explanation:
QUESTION 16
What two steps can be taken to help prevent VLAN hopping? (Choose two.)
A. Place unused ports in a common unrouted VLAN.
B. Enable BPDU guard.
C. Implement port security.
D. Prevent automatic trunk configurations.
E. Disable Cisco Discovery Protocol on ports where it is not necessary.
Correct Answer: AD
Section: Module 7: Security, Dot1X
Explanation
Explanation/Reference:
Explanation:
QUESTION 17
Refer to the exhibit.



Assume that Switch_A is active for the standby group and the standby device has only the default HSRP
configuration. Which statement is true?
A. If port Fa1/1 on Switch_A goes down, the standby device takes over as active.
B. If the current standby device had the higher priority value, it would take over the role of active for the HSRP
group.
C. If port Fa1/1 on Switch_A goes down, the new priority value for the switch would be 190.
D. If Switch_A had the highest priority number, it would not take over as active router.
Correct Answer: C
Section: Module 6: HSRP, VRRP, GLBP
Explanation
Explanation/Reference:
Explanation:
QUESTION 18
When an attacker is using switch spoofing to perform VLAN hopping, how is the attacker able to gather
information?
A. The attacking station uses DTP to negotiate trunking with a switch port and captures all traffic that is
allowed on the trunk.
B. The attacking station tags itself with all usable VLANs to capture data that is passed through the switch,
regardless of the VLAN to which the data belongs.
C. The attacking station generates frames with two 802.1Q headers to cause the switch to forward the frames
to a VLAN that would be inaccessible to the attacker through legitimate means.
D. The attacking station uses VTP to collect VLAN information that is sent out and then tags itself with the
domain information to capture the data.
Correct Answer: A
Section: Module 7: Security, Dot1X
Explanation
Explanation/Reference:
Explanation:
DTP should be disabled for all user ports on a switch. If the port is left with DTP auto-configured (default on
many switches), an attacker can connect and arbitrarily cause the port to start trunking and therefore pass all
VLAN information.
Reference:
http://www.cisco.com/en/US/solutions/ns340/ns517/ns224/ns376/net_design_guidance0900aecd800ebd1e.pdf
QUESTION 19
Refer to the exhibit.



GLBP has been configured on the network. When the interface serial0/0/1 on router R1 goes down, how is the
traffic coming from Host1 handled?
A. The traffic coming from Host1 and Host2 is forwarded through router R2 with no disruption.
B. The traffic coming from Host2 is forwarded through router R2 with no disruption. Host1 sends an ARP
request to resolve the MAC address for the new virtual gateway.
C. The traffic coming from both hosts is temporarily interrupted while the switchover to make R2 active occurs.
D. The traffic coming from Host2 is forwarded through router R2 with no disruption. The traffic from Host1 is
dropped due to the disruption of the load balancing feature configured for the GLBP group.
Correct Answer: A
Section: Module 6: HSRP, VRRP, GLBP
Explanation
Explanation/Reference:
Explanation:
The Gateway Load Balancing Protocol (GLBP) is a Cisco-proprietary protocol designed to overcome the
limitations of existing redundant router protocols. Some of the concepts are the same as with HSRP/VRRP, but
the terminology is different and the behavior is much more dynamic and robust and allows for load balancing.
The trick behind this load balancing lies in the GLBP group. One router is elected the active virtual gateway
(AVG). This router has the highest priority value, or the highest IP address in the group, if there is no highest
priority. The AVG answers all ARP requests for the virtual router address. Which MAC address it returns
depends on which load-balancing algorithm it is configured to use. In any event, the virtual MAC address
supported by one of the routers in the group is returned. According to the exhibit, Company1 is the active virtual
gateway and Company2 is the standby virtual gateway. So, when Company1 goes down, Company2 becomes
the active virtual gateway and all data goes through Company2.
QUESTION 20
Refer to the exhibit.
DHCP snooping is enabled for selected VLANs to provide security on the network. How do the switch ports
handle the DHCP messages?
A. A DHCPOFFER packet from a DHCP server received on Ports Fa2/1 and Fa2/2 is dropped.
B. A DHCP packet received on ports Fa2/1 and Fa2/2 is dropped if the source MAC address and the DHCP
client hardware address does not match Snooping database.
C. A DHCP packet received on ports Fa2/1 and Fa2/2 is forwarded without being tested.
D. A DHCPRELEASE message received on ports Fa2/1 and Fa2/2 has a MAC address in the DHCP snooping
binding database, but the interface information in the binding database does not match the interface on
which the message was received and is dropped.
Correct Answer: C
Section: Module 7: Security, Dot1X
Explanation
Explanation/Reference:
Explanation:
QUESTION 21
Refer to the exhibit and the partial configuration on routers R1 and R2.



HSRP is configured on the network to provide network redundancy for the IP traffic. The network administrator
noticed that R2 does not become active when the R1 serial0 interface goes down. What should be changed in
the configuration to fix the problem?
A. R2 should be configured with an HSRP virtual address.
B. R2 should be configured with a standby priority of 100.
C. The Serial0 interface on router R2 should be configured with a decrement value of 20.
D. The Serial0 interface on router R1 should be configured with a decrement value of 20.
Correct Answer: D
Section: Module 6: HSRP, VRRP, GLBP
Explanation
Explanation/Reference:
Explanation:
You can configure a router to preempt or immediately take over the active role if its priority is the highest at any
time. Use the following interface configuration command to allow preemption:
Switch(config-if)# standby group preempt [delay seconds]
By default, the router can preempt another immediately, without delay. You can use the delay keyword to force
it to wait for seconds before becoming active. This is usually done if there are routing protocols that need time
to converge.
QUESTION 22
Which optional feature of an Ethernet switch disables a port on a point-to-point link if the port does not receive
traffic while Layer 1 status is up?
A. BackboneFast
B. UplinkFast
C. Loop Guard
D. UDLD aggressive mode
E. Fast Link Pulse bursts
F. Link Control Word
Correct Answer: D
Section: Module 3: STP, RSTP, MSTP
Explanation
Explanation/Reference:
Explanation:
QUESTION 23
Which three statements about routed ports on a multilayer switch are true? (Choose three.)
A. A routed port can support VLAN subinterfaces.
B. A routed port takes an IP address assignment.
C. A routed port can be configured with routing protocols.
D. A routed port is a virtual interface on the multilayer switch.
E. A routed port is associated only with one VLAN.
F. A routed port is a physical interface on the multilayer switch.
Correct Answer: BCF
Section: Module 4: InterVLAN Routing, CEF
Explanation
Explanation/Reference:
Explanation:
QUESTION 24
Refer to the exhibit.



Why are users from VLAN 100 unable to ping users on VLAN 200?
A. Encapsulation on the switch is wrong.
B. Trunking must be enabled on Fa0/1.
C. The native VLAN is wrong.
D. VLAN 1 needs the no shutdown command.
E. IP routing must be enabled on the switch.
Correct Answer: B
Section: Module 4: InterVLAN Routing, CEF
Explanation
Explanation/Reference:
Explanation:
QUESTION 25
Which three statements about Dynamic ARP Inspection are true? (Choose three.)
A. It determines the validity of an ARP packet based on the valid MAC address-to-IP address bindings stored
in the DHCP snooping database.
B. It forwards all ARP packets received on a trusted interface without any checks.
C. It determines the validity of an ARP packet based on the valid MAC address-to-IP address bindings stored
in the CAM table.
D. It forwards all ARP packets received on a trusted interface after verifying and inspecting the packet against
the Dynamic ARP Inspection table.
E. It intercepts all ARP packets on untrusted ports.
F. It is used to prevent against a DHCP snooping attack.
Correct Answer: ABE
Section: Module 7: Security, Dot1X
Explanation
Explanation/Reference:
Explanation:
QUESTION 26
A network administrator wants to configure 802.1x port-based authentication, however, the client workstation is
not 802.1x compliant. What is the only supported authentication server that can be used?
A. TACACS with LEAP extensions
B. TACACS+
C. RADIUS with EAP extensions
D. LDAP
Correct Answer: C
Section: Module 7: Security, Dot1X
Explanation
Explanation/Reference:
Explanation:
QUESTION 27
The following command was issued on a router that is being configured as the active HSRP router.
standby ip 10.2.1.1
Which statement about this command is true?
A. This command will not work because the HSRP group information is missing.
B. The HSRP MAC address will be 0000.0c07.ac00.
C. The HSRP MAC address will be 0000.0c07.ac01.
D. The HSRP MAC address will be 0000.070c.ac11.
E. This command will not work because the active parameter is missing.
Correct Answer: B
Section: Module 6: HSRP, VRRP, GLBP
Explanation
Explanation/Reference:
Explanation:
QUESTION 28
Refer to the exhibit.



The link between switch SW1 and switch SW2 is configured as a trunk, but the trunk failed to establish
connectivity between the switches. Based on the configurations and the error messages received on the
console of SW1, what is the cause of the problem?
A. The two ends of the trunk have different duplex settings.
B. The two ends of the trunk have different EtherChannel configurations.
C. The two ends of the trunk have different native VLAN configurations.
D. The two ends of the trunk allow different VLANs on the trunk.
Correct Answer: C
Section: Module 2: VLAN, PVLAN, Etherchannel
Explanation
Explanation/Reference:
Explanation:
QUESTION 29
A campus infrastructure supports wireless clients via Cisco Aironet AG Series 1230, 1240, and 1250 access
points. With DNS and DHCP configured, the 1230 and 1240 access points appear to boot and operate
normally. However, the 1250 access points do not seem to operate correctly.
What is the most likely cause of this problem?
A. DHCP with option 150
B. DHCP with option 43
C. PoE
D. DNS
E. switch port does not support gigabit speeds
Correct Answer: C
Section: Module 8: VoIP, QoS
Explanation
Explanation/Reference:
Explanation:
QUESTION 30
A standalone wireless AP solution is being installed into the campus infrastructure. The access points appear to
boot correctly, but wireless clients are not obtaining correct access. You verify that this is the local switch
configuration connected to the access point:
interface ethernet 0/1
switchport access vlan 10
switchport mode access
spanning-tree portfast
mls qos trust dscp
What is the most likely cause of the problem?
A. QoS trust should not be configured on a port attached to a standalone AP.
B. QoS trust for switchport mode access should be defined as "cos".
C. switchport mode should be defined as "trunk" with respective QoS.
D. switchport access vlan should be defined as "1".
Correct Answer: C
Section: Module 9: Wireless LAN
QUESTION 31
During the implementation of a voice solution, which two required items are configured at an access layer
switch that will be connected to an IP phone to provide VoIP communication? (Choose two.)
A. allowed codecs
B. untagged VLAN
C. auxiliary VLAN
D. Cisco Unified Communications Manager IP address
E. RSTP
Correct Answer: BC
Section: Module 8: VoIP, QoS
QUESTION 32
Which two statements best describe Cisco IOS IP SLA? (Choose two.)
A. only implemented between Cisco source and destination-capable devices
B. statistics provided by syslog, CLI, and SNMP
C. measures delay, jitter, packet loss, and voice quality
D. only monitors VoIP traffic flows
E. provides active monitoring
Correct Answer: CE
Section: Module 5: HA, Syslog, IP SLA
QUESTION 33
Which two items best describe a Cisco IOS IP SLA responder? (Choose two.)
A. required at the destination to implement Cisco IOS IP SLA services
B. improves measurement accuracy
C. required for VoIP jitter measurements
D. provides security on Cisco IOS IP SLA messages via LEAP or EAP-FAST authentication
E. responds to one Cisco IOS IP SLA operation per port
F. stores the resulting test statistics
Correct Answer: BC
Section: Module 5: HA, Syslog, IP SLA
QUESTION 34
Which two characteristics apply to Cisco Catalyst 6500 Series Switch supervisor redundancy using NSF?
(Choose two.)
A. supported by RIPv2, OSPF, IS-IS, and EIGRP
B. uses the FIB table
C. supports IPv4 and IPv6 multicast
D. prevents route flapping
E. independent of SSO
F. NSF combined with SSO enables supervisor engine load balancing
Correct Answer: BD
Section: Module 4: InterVLAN Routing, CEF
QUESTION 35
You are tasked with designing a security solution for your network. What information should be gathered before
you design the solution?
A. IP addressing design plans, so that the network can be appropriately segmented to mitigate potential
network threats
B. a list of the customer requirements
C. detailed security device specifications
D. results from pilot network testing
Correct Answer: B
Section: Module 7: Security, Dot1X
QUESTION 36
Which two components should be part of a security implementation plan? (Choose two.)
A. detailed list of personnel assigned to each task within the plan
B. a Layer 2 spanning-tree design topology
C. rollback guidelines
D. placing all unused access ports in VLAN 1 to proactively manage port security
E. enabling SNMP access to Cisco Discovery Protocol data for logging and forensic analysis
Correct Answer: BC
Section: Module 7: Security, Dot1X
QUESTION 37
When creating a network security solution, which two pieces of information should you have obtained previously
to assist in designing the solution? (Choose two.)
A. a list of existing network applications currently in use on the network
B. network audit results to uncover any potential security holes
C. a planned Layer 2 design solution
D. a proof-of-concept plan
E. device configuration templates
Correct Answer: AB
Section: Module 7: Security, Dot1X
QUESTION 38
What action should you be prepared to take when verifying a security solution?
A. having alternative addressing and VLAN schemes
B. having a rollback plan in case of unwanted or unexpected results
C. running a test script against all possible security threats to ensure that the solution will mitigate all potential
threats
D. isolating and testing each security domain individually to ensure that the security design will meet overall
requirements when placed into production as an entire system
Correct Answer: B
Section: Module 7: Security, Dot1X
QUESTION 39
When you enable port security on an interface that is also configured with a voice VLAN, what is the maximum
number of secure MAC addresses that should be set on the port?
A. No more than one secure MAC address should be set.
B. The default is set.
C. The IP phone should use a dedicated port, therefore only one MAC address is needed per port.
D. No value is needed if the switchport priority extend command is configured.
E. No more than two secure MAC addresses should be set.
Correct Answer: B
Section: Module 7: Security, Dot1X
QUESTION 40
Refer to the exhibit.
From the configuration shown, what can be determined?
A. The sticky addresses are only those manually configured MAC addresses enabled with the sticky keyword.
B. The remaining secure MAC addresses are learned dynamically, converted to sticky secure MAC addresses,
and added to the running configuration.
C. A voice VLAN is configured in this example, so port security should be set for a maximum of 2.
D. A security violation restricts the number of addresses to a maximum of 10 addresses per access VLAN and
voice VLAN. The port is shut down if more than 10 devices per VLAN attempt to access the port.
Correct Answer: B
Section: Module 7: Security, Dot1X
QUESTION 41
hostname Switch1
interface Vlan10
ip address 172.16.10.32 255.255.255.0
no ip redirects
standby 1 ip 172.16.10.110
standby 1 timers msec 200 msec 700
standby 1 preempt
hostname Switch2
interface Vlan10
ip address 172.16.10.33 255.255.255.0
no ip redirects
standby 1 ip 172.16.10.110
standby 1 timers msec 200 msec 750
standby 1 priority 110
standby 1 preempt
hostname Switch3
interface Vlan10
ip address 172.16.10.34 255.255.255.0
no ip redirects
standby 1 ip 172.16.10.110
standby 1 timers msec 200 msec 750
standby 1 priority 150
standby 1 preempt
Refer to the above. Three switches are configured for HSRP.
Switch1 remains in the HSRP listen state. What is the most likely cause of this status?
A. This is normal operation.
B. The standby group number does not match the VLAN number.
C. IP addressing is incorrect.
D. Priority commands are incorrect.
E. Standby timers are incorrect.
Correct Answer: A
Section: Module 6: HSRP, VRRP, GLBP
QUESTION 42
Three Cisco Catalyst switches have been configured with a first-hop redundancy protocol. While reviewing
some show commands, debug output, and the syslog, you discover the following information:
Jan 9 08:00:42.623: %STANDBY-6-STATECHANGE: Standby: 49: Vlan149 state Standby -> Active
Jan 9 08:00:56.011: %STANDBY-6-STATECHANGE: Standby: 49: Vlan149 state Active -> Speak
Jan 9 08:01:03.011: %STANDBY-6-STATECHANGE: Standby: 49: Vlan149 state Speak -> Standby
Jan 9 08:01:29.427: %STANDBY-6-STATECHANGE: Standby: 49: Vlan149 state Standby -> Active
Jan 9 08:01:36.808: %STANDBY-6-STATECHANGE: Standby: 49: Vlan149 state Active -> Speak
Jan 9 08:01:43.808: %STANDBY-6-STATECHANGE: Standby: 49: Vlan149 state Speak -> Standby
What conclusion can you infer from this information?
A. VRRP is initializing and operating correctly.
B. HSRP is initializing and operating correctly.
C. GLBP is initializing and operating correctly.
D. VRRP is not exchanging three hello messages properly.
E. HSRP is not exchanging three hello messages properly.
F. GLBP is not exchanging three hello messages properly.
Correct Answer: E
Section: Module 6: HSRP, VRRP, GLBP
QUESTION 43
By itself, what does the command "aaa new-model" enable?
A. It globally enables AAA on the switch, with default lists applied to the VTYs.
B. Nothing; you must also specify which protocol (RADIUS or TACACS) will be used for AAA.
C. It enables AAA on all dot1x ports.
D. Nothing; you must also specify where (console, TTY, VTY, dot1x) AAA is being applied.
Correct Answer: A
Section: Module 7: Security, Dot1X
QUESTION 44
What are three results of issuing the "switchport host" command? (Choose three.)
A. disables EtherChannel
B. enables port security
C. disables Cisco Discovery Protocol
D. enables PortFast
E. disables trunking
F. enables loopguard
Correct Answer: ADE
Section: Module 3: STP, RSTP, MSTP
QUESTION 45
When configuring private VLANs, which configuration task must you do first?
A. Configure the private VLAN port parameters.
B. Configure and map the secondary VLAN to the primary VLAN.
C. Disable IGMP snooping.
D. Set the VTP mode to transparent.
Correct Answer: D
Section: Module 2: VLAN, PVLAN, Etherchannel
QUESTION 46
Which statement about the configuration and application of port access control lists is true?
A. PACLs can be applied in the inbound or outbound direction of a Layer 2 physical interface.
B. At Layer 2, a MAC address PACL takes precedence over any existing Layer 3 PACL.
C. When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port.
D. PACLs are not supported on EtherChannel interfaces.
Correct Answer: C
Section: Module 7: Security, Dot1X
QUESTION 47
Refer to the exhibit.
Which statement about the command output is true?
A. If the number of devices attempting to access the port exceeds 11, the port shuts down for 20 minutes, as
configured.
B. The port has security enabled and has shut down due to a security violation.
C. The port is operational and has reached its configured maximum allowed number of MAC addresses.
D. The port allows access for 11 MAC addresses in addition to the three configured MAC addresses.
Correct Answer: C
Section: Module 7: Security, Dot1X
QUESTION 48
Refer to the exhibit.
Which statement best describes first-hop redundancy protocol status?
A. The first-hop redundancy protocol is not configured for this interface.
B. HSRP is configured for group 10.
C. HSRP is configured for group 11.
D. VRRP is configured for group 10.
E. VRRP is configured for group 11.
F. GLBP is configured with a single AVF.
Correct Answer: C
Section: Module 6: HSRP, VRRP, GLBP
QUESTION 49
Which statement best describes implementing a Layer 3 EtherChannel?
A. EtherChannel is a Layer 2 feature and not a Layer 3 feature.
B. Implementation requires switchport mode trunk and matching parameters between switches.
C. Implementation requires disabling switchport mode.
D. A Layer 3 address is assigned to the physical interface.
Correct Answer: C
Section: Module 2: VLAN, PVLAN, Etherchannel
QUESTION 50
Which statement about when standard access control lists are applied to an interface to control inbound or
outbound traffic is true?
A. The best match of the ACL entries is used for granularity of control.
B. They use source IP information for matching operations.
C. They use source and destination IP information for matching operations.
D. They use source IP information along with protocol-type information for finer granularity of control.
Correct Answer: B
Section: Module 7: Security, Dot1X
QUESTION 51
Refer to the exhibit.
You have configured an interface to be an SVI for Layer 3 routing capabilities. Assuming that all VLANs have
been correctly configured, what can be determined?
A. Interface gigabitethernet0/2 will be excluded from Layer 2 switching and enabled for Layer 3 routing.
B. The command switchport autostate exclude should be entered in global configuration mode, not
subinterface mode, to enable a Layer 2 port to be configured for Layer 3 routing.
C. The configured port is excluded in the calculation of the status of the SVI.
D. The interface is missing IP configuration parameters; therefore, it will only function at Layer 2.
Correct Answer: C
Section: Module 4: InterVLAN Routing, CEF
QUESTION 52
Refer to the exhibit.
Which two statements about this Layer 3 security configuration example are true? (Choose two.)
A. Static IP source binding can be configured only on a routed port.
B. Source IP and MAC filtering on VLANs 10 and 11 will occur.
C. DHCP snooping will be enabled automatically on the access VLANs.
D. IP Source Guard is enabled.
E. The switch will drop the configured MAC and IP address source bindings and forward all other traffic.
Correct Answer: BD
Section: Module 7: Security, Dot1X
QUESTION 53
Refer to the exhibit.
Which statement is true?
A. Cisco Express Forwarding load balancing has been disabled.
B. SVI VLAN 30 connects directly to the 10.1.30.0/24 network due to a valid glean adjacency.
C. VLAN 30 is not operational because no packet or byte counts are indicated.
D. The IP Cisco Express Forwarding configuration is capable of supporting IPv6.
Correct Answer: B
Section: Module 4: InterVLAN Routing, CEF
QUESTION 54
Which statement about the EIGRP routing being performed by the switch is true?
A. The EIGRP neighbor table contains 20 neighbors.
B. EIGRP is running normally and receiving IPv4 routing updates.
C. EIGRP status cannot be determined. The command show ip eigrp topology would determine the routing
protocol status.
D. The switch has not established any neighbor relationships. Further network testing and troubleshooting
must be performed to determine the cause of the problem.
Correct Answer: D
Section: Module 4: InterVLAN Routing, CEF
QUESTION 55
What is the result of entering the command "spanning-tree loopguard default"?
A. The command enables loop guard and root guard.
B. The command changes the status of loop guard from the default of disabled to enabled.
C. The command activates loop guard on point-to-multipoint links in the switched network.
D. The command disables EtherChannel guard.
Correct Answer: B
Section: Module 3: STP, RSTP, MSTP
QUESTION 56
What does the interface subcommand "switchport voice vlan 222" indicate?
A. The port is configured for data and voice traffic.
B. The port is fully dedicated to forwarding voice traffic.
C. The port operates as an FXS telephony port.
D. Voice traffic is directed to VLAN 222.
Correct Answer: A
Section: Module 8: VoIP, QoS
QUESTION 57
Which statement is a characteristic of multi-VLAN access ports?
A. The port has to support STP PortFast.
B. The auxiliary VLAN is for data service and is identified by the PVID.
C. The port hardware is set as an 802.1Q trunk.
D. The voice service and data service use the same trust boundary.
Correct Answer: C
Section: Module 2: VLAN, PVLAN, Etherchannel
QUESTION 58
Which two statements are true about recommended practices that are to be used in a local VLAN solution
design where Layer 2 traffic is to be kept to a minimum? (Choose two.)
A. Routing should occur at the access layer if voice VLANs are utilized. Otherwise, routing should occur at the
distribution layer.
B. Routing may be performed at all layers but is most commonly done at the core and distribution layers.
C. Routing should not be performed between VLANs located on separate switches.
D. VLANs should be local to a switch.
E. VLANs should be localized to a single switch unless voice VLANs are being utilized.
Correct Answer: BD
Section: Module 1: Design