300-420 : Designing Cisco Enterprise Networks (ENSLD) : Part 04
What attack technique attempts to fill a switching table so the attackers can capture traffic passing through a switch?
- VLAN hopping
- MAC spoofing
- Rogue device
- MAC flooding
Explanation:
MAC flooding is an attack technique in which the attacker sends frames carrying a large number of unique, typically bogus, source MAC addresses in order to exhaust the switch's CAM (MAC address) table. Once the table is full, no further addresses can be learned, and any frame destined for a MAC address that is not in the table is flooded out every other port in the VLAN. The attacker can therefore capture the flooded traffic; for those destinations the switch is effectively functioning as a hub. Existing entries remain valid until they age out, so the attacker normally has to keep flooding to prevent legitimate hosts from being learned again.
Two methods of mitigating these attacks are:
- Implementing port security
- Implementing VLAN access maps
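The following added example (not code from the original page) models the CAM table exhaustion described above and the effect of the first mitigation, port security. It is a constructed simulation: the table capacity, port numbers, host MAC addresses and the attacker's bogus source addresses are all assumptions chosen for the demonstration. On the unprotected switch the flood fills the table, a newly connected host can no longer be learned, and traffic to it is flooded to every port including the attacker's; with port security (maximum one address, violation mode shutdown) the attacker's port is err-disabled on its second bogus source address and the table is never exhausted.

```python
"""Constructed model of a switch CAM table under a MAC flooding attack."""


class Switch:
    def __init__(self, capacity):
        self.capacity = capacity          # assumed CAM table size (real ASICs hold thousands)
        self.cam = {}                     # learned source MAC -> ingress port
        self.max_macs = {}                # port -> port-security maximum, if enabled
        self.secure_macs = {}             # port -> addresses counted against the maximum
        self.err_disabled = set()         # ports shut down by a port-security violation

    def enable_port_security(self, port, maximum=1):
        self.max_macs[port] = maximum

    def learn(self, src_mac, port):
        """Process the source address of a frame arriving on `port`."""
        if port in self.err_disabled:
            return "dropped"
        limit = self.max_macs.get(port)
        if limit is not None:
            seen = self.secure_macs.setdefault(port, set())
            if src_mac not in seen and len(seen) >= limit:
                self.err_disabled.add(port)   # violation mode shutdown
                return "violation"
            seen.add(src_mac)
        if src_mac not in self.cam and len(self.cam) >= self.capacity:
            return "table_full"               # nothing more can be learned
        self.cam[src_mac] = port
        return "learned"

    def egress_ports(self, dst_mac, ingress_port, all_ports):
        """Ports a frame to `dst_mac` leaves on: one port if known, otherwise flooded."""
        port = self.cam.get(dst_mac)
        if port is not None:
            return {port}
        return set(all_ports) - {ingress_port}


def flood(switch, attacker_port, frames):
    """Send `frames` frames with unique bogus source MACs; count each outcome."""
    outcomes = {}
    for i in range(frames):
        mac = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        result = switch.learn(mac, attacker_port)
        outcomes[result] = outcomes.get(result, 0) + 1
    return outcomes


def demo(capacity=16, frames=100):
    """Flood outcomes and the egress set for a victim's traffic, without and with port security."""
    ports = range(1, 9)                   # assumed 8-port switch; attacker on port 8
    server, new_host = "00:00:5e:00:53:01", "00:00:5e:00:53:02"   # constructed addresses

    unprotected = Switch(capacity)
    unprotected.learn(server, 1)
    flooded = flood(unprotected, 8, frames)
    unprotected.learn(new_host, 2)        # fails: table is full, so the host is never learned
    leaked = unprotected.egress_ports(new_host, 1, ports)   # includes the attacker's port 8

    protected = Switch(capacity)
    protected.enable_port_security(8, maximum=1)
    protected.learn(server, 1)
    stopped = flood(protected, 8, frames)
    protected.learn(new_host, 2)
    contained = protected.egress_ports(new_host, 1, ports)  # only port 2

    return flooded, leaked, stopped, contained
```

Running demo() shows 85 of 100 attacker frames rejected with a full table but the victim's traffic still leaking to port 8, versus one violation and 98 dropped frames once port security shuts the port down.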
VLAN hopping is an attack that lets an attacker reach a VLAN other than the one their port belongs to without passing through a router. In the double-tagging variant, an attacker whose access port is in the native VLAN of the uplink trunk sends a frame with two 802.1Q headers: the outer tag carries the native VLAN ID and the inner tag carries the target VLAN ID. Because traffic in the native VLAN is sent untagged on the trunk, the first switch strips the outer tag and forwards the frame with the inner tag intact; the next switch reads the inner tag and delivers the frame into the target VLAN. The attack is one-way (replies do not come back the same path), but it is enough to deliver a payload to a host in the target VLAN. The other variant, switch spoofing, relies on a port that will negotiate a trunk through Dynamic Trunking Protocol (DTP): the attacker emulates a switch, forms a trunk, and then has access to every VLAN carried on it. Executing the switchport mode access command (together with switchport nonegotiate) on all non-trunk ports prevents trunk negotiation. Double tagging is defeated by using a dedicated, otherwise unused VLAN as the native VLAN of every trunk, by removing that native VLAN from the trunk's allowed VLAN list, or by tagging the native VLAN (vlan dot1q tag native).
VLAN hopping is a security concern because the traffic never passes through a router and its access lists. For this reason, private VLANs and VACLs should also be used to enforce policy inside a VLAN. Techniques to prevent these attacks are:
- Prevent automatic trunk formation by explicitly disabling DTP (switchport nonegotiate) on every port that is not meant to be a trunk, and administratively shut down unused ports
- Place unused ports in a common unrouted VLAN that is neither VLAN 1 nor the native VLAN of any trunk
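The following added example (not code from the original page) builds the double-tagged frame described above with the real 802.1Q header layout (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID) and then models, in simplified form, how a Cisco trunk treats it: frames in the native VLAN leave the first switch untagged unless native-VLAN tagging is enabled, and the receiving switch assigns the frame to the VLAN of the outermost tag it sees. The VLAN numbers, MAC addresses and payload are constructed; it shows the hop succeeding when the attacker's access VLAN is the trunk's native VLAN, and failing with either mitigation (an unused native VLAN, or vlan dot1q tag native).

```python
"""Constructed model of 802.1Q double tagging and the native-VLAN mitigations."""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(text):
    return bytes(int(octet, 16) for octet in text.split(":"))


def build_frame(dst, src, vids, payload, ethertype=ETHERTYPE_IPV4):
    """Ethernet frame with one 802.1Q tag per VID, outermost first (PCP and DEI zero)."""
    frame = mac_bytes(dst) + mac_bytes(src)
    for vid in vids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (VIDs outermost first, EtherType, payload) of a possibly multi-tagged frame."""
    offset, vids = 12, []
    while struct.unpack_from("!H", frame, offset)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vids.append(tci & 0x0FFF)
        offset += 4
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    return vids, ethertype, frame[offset + 2:]


def trunk_egress(frame, native_vlan, tag_native=False):
    """Frame as the first switch puts it on the trunk: native-VLAN traffic loses its outer tag."""
    vids, _, _ = parse_tags(frame)
    if vids and vids[0] == native_vlan and not tag_native:
        return frame[:12] + frame[16:]     # strip the 4-byte outer tag
    return frame


def trunk_ingress_vlan(frame, native_vlan, tag_native=False):
    """VLAN the receiving switch assigns to a frame arriving on its trunk (None = dropped)."""
    vids, _, _ = parse_tags(frame)
    if not vids:
        return None if tag_native else native_vlan   # untagged frames are dropped when native tagging is on
    return vids[0]


def double_tag_attack(attacker_vlan, victim_vlan, native_vlan, tag_native=False):
    """VLAN in which the victim-side switch delivers the attacker's double-tagged frame."""
    frame = build_frame("00:00:5e:00:53:20", "00:00:5e:00:53:01",   # constructed addresses
                        [attacker_vlan, victim_vlan], b"constructed payload")
    on_wire = trunk_egress(frame, native_vlan, tag_native)
    return trunk_ingress_vlan(on_wire, native_vlan, tag_native)
```

With the attacker in VLAN 1 and VLAN 1 as the native VLAN, double_tag_attack(1, 20, 1) returns 20: the hop succeeds. With native VLAN 999, or with tag_native=True, the outer tag survives the trunk and the frame stays in VLAN 1.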
MAC spoofing is an attack in which the attacking device changes its Media Access Control (MAC) address to that of another host so that it receives frames intended for that host. Changing the MAC address may also allow the device to bypass MAC-based access control lists on servers or routers, either hiding the attacker's computer on the network or allowing it to impersonate another computer.
A rogue device is a device attached to the network that is not under the control of the organization. The term is normally used for a wireless device, typically an access point that is not part of the company's infrastructure. Employees may bring their own access points and connect them to the network so they can use their computers wirelessly. This creates a security gap, since the device is probably not secured to protect the traffic; an attacker could likewise connect a rogue access point to the company's network and capture traffic from outside the company's premises.
Objective:
Layer 2 Technologies
Sub-Objective:
Configure and verify switch administration -
A company has the following network infrastructure. Refer to the exhibit:
To enable inter-VLAN routing on the distribution layer switch, which of the following commands should be used?
- dlswitch# switchport mode access
- dlswitch(config)# switchport mode trunk
- dlswitch(config-if)# switchport mode trunk
- dlswitch(config-if)# switchport mode access
Explanation:
You should use the switchport mode trunk command at the interface configuration prompt. This command sets the port as a trunk port, which carries the traffic of every VLAN between the access switch and the distribution switch. Trunks carry all VLANs by default and can be restricted to specific VLANs with switchport trunk allowed vlan. Note that trunking only brings the VLANs to the distribution switch; for routing between them the switch must also have IP routing enabled and a Layer 3 interface (an SVI, interface vlan) with an IP address in each VLAN.
A port on a Cisco switch is either an access port or a trunk port. An access port only carries traffic for the VLAN of which it is a member and does not tag or mark the frame with a VLAN ID. A trunk port carries traffic from multiple VLANs and tags or marks each frame with a VLAN ID so it can be determined where it goes when it gets to the other switch.
You can enable inter-VLAN routing by enabling trunking using the following command:
switchport mode trunk
You would not use the dlswitch# switchport mode access command. This command sets the port as an access port, which carries the traffic of only a single VLAN. Moreover, even if that were the intent, the command must be executed in interface configuration mode, not at the privileged EXEC prompt shown.
You would not use the dlswitch(config)# switchport mode trunk command. This is the correct command, but it is shown being executed in global configuration mode instead of interface configuration mode.
You would not use the dlswitch(config-if)# switchport mode access command. This is the wrong command, even though it is entered at the correct prompt.
Objective:
Layer 2 Technologies
Sub-Objective:
Configure and verify trunking -
What IOS VLAN commands would create a new VLAN and assign it to a port? (Choose two.)
- switch(config)# vlan 10
- switch(config-if)# switchport access vlan 10
- switch(config)# vlan database 10
- switch(config-if)# switchport vlan 10 enable
Explanation:
The commands necessary to create a VLAN and assign it to a port are switch(config)# vlan 10 and switch(config-if)# switchport access vlan 10. The global configuration mode is used to create VLANs with the command vlan {vlan_id}. VLANs can be removed with the no form of the command.
Ports are assigned as members of VLANs in the interface configuration mode with the command switchport access vlan {vlan_id}. At this point, if the port is in access mode, it will participate as a member of the VLAN. The mode of the port can be forced to be access in the interface configuration mode with the command switchport mode access.
The command vlan database 10 is not valid, but it resembles a valid one. An optional, deprecated way to create a VLAN is VLAN database configuration mode, which is entered from privileged EXEC mode with the command vlan database; the prompt becomes switch(vlan)#. At that prompt a VLAN is created with the command vlan 10. The drawback of VLAN database mode is that changes made there take effect only when the apply or exit command is entered; leaving the mode with Ctrl-Z abandons them.
The command switchport vlan 10 enable is not correct due to invalid syntax.
Objective:
Layer 2 Technologies
Sub-Objective:
Configure and verify VLANs -
Which devices are required to provide connectivity between VLANs? (Choose two.)
- hub
- router
- bridge
- multilayer switch
- DSU/CSU
Explanation:
Routing between different VLANs can be accomplished using VLAN-capable multilayer switches or routers.
Devices within a single VLAN can communicate without the aid of a Layer 3 device, but as a rule, devices in different VLANs require a Layer 3 device to communicate. The only situation where two computers in different VLANs on different switches can ping one another is a misconfiguration: they have addresses in the same subnet, and the link between the two switches is an access link rather than a trunk.
Since traffic on an access link is sent untagged, the two switches silently merge their VLANs across that link, and computers in the same subnet can ping one another. The following steps configure inter-VLAN routing on a multilayer switch:
1. Enable IP routing. switch(config)# ip routing
Note: Routing must be enabled on a Layer 3 switch for inter-VLAN routing to occur. This can be verified by examining the output of the show running-config command on the switch. The example below is output from show running-config on a switch that has IP routing enabled, as can be seen in the third line (ip routing):
2. Specify an IP routing protocol, such as RIP. switch(config)# router rip (optional; the directly connected VLAN subnets are routed without a routing protocol)
3. Specify a VLAN interface (SVI). switch(config)# interface vlan vlanid
4. Assign an IP address to the VLAN interface. switch(config-if)# ip address address subnet-mask
Hubs operate at the Physical layer (Layer 1) and do not have the ability to route.
Bridges operate at the Data Link layer (Layer 2) and do not have the ability to route.
CSU/DSUs terminate a digital WAN circuit, converting between the signaling used on a router's serial interface and the form required by the telco line. They do not have the ability to route.
Objective:
Layer 2 Technologies
Sub-Objective:
Configure and verify trunking -
Which redundancy mode for supervisor engine modules exhibits all of the following characteristics: static routes are maintained during a switchover, the Forwarding Information Base (FIB) is cleared during a switchover, dynamic route information is cleared during a switchover, and the route engine is initialized and switch modules are loaded?
- RPR
- RPR+
- SSO
- NSF
Explanation:
Redundant supervisor engine modules can be configured in several modes. In route processor redundancy plus (RPR+) mode, the standby module is booted and its supervisor and route engines are initialized, but no Layer 2 or Layer 3 functions are started, so they must be started after a failover. This means the routing protocols must reconverge and the FIB must be rebuilt, since it is derived from the routing table. Static routes are part of the running configuration, so they are not lost in the failover.
In route processor redundancy (RPR) mode, the standby module is booted, but the supervisor and route engines are not initialized.
In stateful switchover (SSO) mode, all functionality provided by RPR+ is available at failover, and the FIB table is not
Objective:
Layer 2 Technologies
Sub-Objective:
Configure and verify other LAN switching technologies -
Which Cisco switch feature enables IP phones to be assigned IP addresses from a different subnet than the workstation attached to the same port?
- Auxiliary VLAN
- 802.1P
- 802.1Q
- in-line power
Explanation:
Auxiliary VLANs assist in the deployment of Cisco IP telephones by allowing a Catalyst switch access port to carry the data device on one VLAN and the IP telephone on a different VLAN. The auxiliary VLAN ID does not have to match the native (access) VLAN of the port, so the two devices attached to the port (the phone and the workstation) can be in two different broadcast domains and IP subnets. Cisco Catalyst switches that support the feature assign the IP telephone to its VLAN automatically. The auxiliary VLAN feature is also known as the voice VLAN feature.
IP telephones typically have a built-in 3-port 10/100 switch: one port connects internally to the phone, one connects to the switch access port, and the third connects to the workstation. On a port with an auxiliary VLAN configured, the switch uses CDP to advertise the 802.1Q VLAN ID and 802.1p priority the phone should use. The default Class of Service (CoS) value for incoming traffic is 0.
Having the telephone and the data device use different frame types and belong to different VLANs lets the administrator place the telephones on their own subnet, where voice traffic does not contend with data traffic and can be given its own QoS and access-control policy.
To configure an interface to support auxiliary VLANs, use one of the following commands:
- switchport voice vlan VVID: instructs the attached phone to send its traffic tagged with the voice VLAN ID (VVID), and the port places those 802.1Q-tagged frames in the voice VLAN. By default, IP phones send this traffic with a CoS priority of 5.
- switchport voice vlan dot1p: instructs the attached phone to send priority-tagged frames (802.1Q tag with VLAN ID 0 and a 802.1p priority of 5); the switch places these frames in the port's native (access) VLAN, so the phone and the workstation share a VLAN but voice still gets priority.
Objective:
Layer 2 Technologies
Sub-Objective:
Configure and verify VLANs -
Which command do you use on a switch to put an interface that is in Layer 3 mode into Layer 2 mode?
- vlan
- no vlan
- switchport
- no switchport
Explanation:
Use the switchport command to put an interface that is in Layer 3 mode into Layer 2 mode.
switch(config-if)# switchport
Use the no switchport command to remove Layer 2 configurations and return an interface to Layer 3 mode.
switch(config-if)# no switchport
The enhanced multilayer switch image must be installed on the switch to use this command.
The vlan vlan-id configuration command is used to configure VLAN characteristics for a specific VLAN. Use the no keyword without additional parameters to delete a VLAN.
Objective:
Layer 2 Technologies
Sub-Objective:
Configure and verify switch administration -
What information is displayed by the command switch# show ip interface brief?
- a summary of the IP addresses and subnet mask on the interface
- a summary of the IP addresses on the interface and the interface’s status
- the IP packet statistics for the interfaces
- the IP addresses for the interface and the routing protocol advertising the network
Explanation:
The command show ip interface brief displays a summary of the IP address on each interface and the interface's status (whether the interface is up, both at Layer 1 and at line protocol). This command is useful when you are connected to a router or switch with which you are not familiar, because it lets you obtain the state of all interfaces or switch ports at once. Sample output is shown below:
This command does not display subnet mask information. Use other commands, such as show ip interface or show run interface, to verify the subnet mask.
IP statistics about the interface are displayed with the command show ip interface. Adding the brief keyword tells the switch to leave out everything but the state of the interface and its IP address.
To view the routing protocol advertising an interface's network, you would use the command show ip protocols.
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify switch security features -
Which characteristics apply to multilayer switching? (Choose three.)
- Uses CPU-based packet forwarding
- Performs collision detection
- Provides isolation of the collision domain
- Provides Network-layer and Transport-layer access controls
- Determines the forwarding path based on the Network layer address
Explanation:
Multilayer switching characteristics include determining the forwarding path based on the Network layer address (Layer 3), providing isolation of the collision domain (Layer 2); and providing Network-layer and Transport-layer access controls (Layers 3 and 4).
Multilayer switching combines the functionalities of Layer 2 switching and Layer 3 switching. Layer 3 switching is routing performed by hardware, specifically by utilizing application-specific integrated circuits (ASICs). The Layer 3 switch can perform all of the basic operations of traditional routers, including the following:
- Path selection based on the packet’s Layer 3 protocol information
- Layer 3 packet validation
- Flow accounting (Layers 3 and 4)
- Layer 3-based access controls and security
In contrast to Layer 2 switches, which provide the benefits of bridging, Layer 3 switches offer another high-performance packet switching solution.
CPU-based packet forwarding and collision detection are not characteristics of multilayer switching. CPU-based (process) forwarding is the slow path that a multilayer switch avoids by forwarding in hardware ASICs, and collision detection is a characteristic of half-duplex Ethernet, not of the switching architecture.
Objective:
Layer 2 Technologies
Sub-Objective:
Configure and verify switch administration -
Which IOS command do you use to remove Layer 2 configurations and return an interface to Layer 3 mode?
- vlan
- no vlan
- switchport
- no switchport
Explanation:
Use the no switchport command to remove Layer 2 configurations and return an interface to Layer 3 mode. The syntax of the command is:
switch(config-if)# no switchport
The enhanced multilayer switch image must be installed on the switch to use this command.
The switchport command without the no keyword converts the port back to a Layer 2-switched interface.
switch(config-if)# switchport
The vlan vlan-id configuration command is used to configure VLAN characteristics for a specific VLAN. Use the no keyword without additional parameters to delete a VLAN.
Objective:
Layer 2 Technologies
Sub-Objective:
Configure and verify switch administration -
You made changes to a VLAN, but the changes were not propagated to the other switches in the VTP domain. You enter a show vtp status command on the switch where the changes were made, which displays the following output:
What should you do to solve this problem?
- Disable VTP pruning.
- Change the VTP operating mode to server.
- Upgrade the VTP version to version 2.
- Upgrade the VTP version to version 3.
Explanation:
The output of the show vtp status command shows that the VTP operating mode is transparent. This means that you can make VLAN changes on the switch, but they affect only that switch; changes are not propagated to other switches in the Layer 2 network. You must change the operating mode to server if you want VLAN changes to be propagated to other switches.
To change the VTP operating mode to server, enter the vtp mode server global configuration command:
switch1(config)# vtp mode server
You should not disable VTP pruning. Pruning only controls which VLANs are flooded across trunks and has no effect on advertisement of VLAN changes. You must change the mode of the switch.
You should not upgrade the VTP version to version 2 or version 3. The version has no effect on whether a transparent-mode switch advertises its changes. You must change the mode of the switch.
Objective:
Layer 2 Technologies
Sub-Objective:
Configure and verify trunking -
Which Catalyst 6500 feature provides network-security enforcement based on Layer 2, Layer 3, and Layer 4 information on a VLAN?
- NAM
- SPAN
- VACL
- 802.1X
Explanation:
VLAN access control lists (VACLs) provide network-security enforcement based on Layer 2, Layer 3, and Layer 4 information on a VLAN.
VACLs can be used to enforce policy based on MAC address, source and destination IP address, Layer 4 protocol, or port number. A VACL is applied to all traffic in the selected VLANs, whether the traffic is bridged within the VLAN or routed into or out of it, and it is not direction-specific. The actions are forward, drop, and redirect (to a specified interface). Map sequences are evaluated in order, much like a route map: a packet that is permitted by the ACL in a sequence's match clause takes that sequence's action, and a packet that matches no sequence is dropped. The following procedure is used to create VACLs:
Define a VLAN access map: switch(config)# vlan access-map name [seq#]
Configure a match clause: switch(config-access-map)# match {ip address {1-99 | 1300-2699 | acl_name} | mac address acl_name}
Configure an action clause: switch(config-access-map)# action {drop | forward | redirect interface}
Apply the map to a VLAN: switch(config)# vlan filter map_name vlan-list list
Once created, verify the VACLs with the following commands:
switch# show vlan access-map map_name
switch# show vlan filter
In the sample configuration shown below, all traffic in VLANs 1 through 3 that is permitted by access list SAFE is forwarded. All other traffic in those VLANs matches no sequence of the map and is dropped.
switch(config)# vlan access-map cisco 10
switch(config-access-map)# match ip address SAFE
switch(config-access-map)# action forward
switch(config-access-map)# exit
switch(config)# vlan filter cisco vlan-list 1-3
If access list SAFE were configured as shown below, traffic with a source address of 172.16.10.8 would not be permitted by SAFE and would therefore be dropped, while traffic from a source in 10.0.0.0/24 would be forwarded.
switch# show ip access-list SAFE
Extended IP access list SAFE
    10 permit ip 10.0.0.0 0.0.0.255 any
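The following added example (not code from the original page) implements the lookup order just described for the page's own configuration: map cisco, sequence 10 matching access list SAFE with action forward, applied to VLANs 1 through 3. Only source-address IP ACLs are modelled (no MAC or Layer 4 matching), and the sample packets are constructed. It shows the implicit drop at the end of the map, the "sequence with no match clause matches everything" rule used for a catch-all sequence, and that VLANs outside the vlan-list are unaffected.

```python
"""Constructed evaluator for a VLAN access map with source-IP ACL match clauses."""
import ipaddress


class IpAccessList:
    """Named IP ACL: ordered (action, source prefix) entries with an implicit deny at the end."""

    def __init__(self, name, entries):
        self.name = name
        self.entries = [(action, ipaddress.ip_network(prefix)) for action, prefix in entries]

    def permits(self, src_ip):
        addr = ipaddress.ip_address(src_ip)
        for action, prefix in self.entries:
            if addr in prefix:
                return action == "permit"
        return False                      # implicit deny


class VlanAccessMap:
    def __init__(self, name):
        self.name = name
        self.sequences = []               # (seq, acl or None, action), kept sorted by seq

    def sequence(self, seq, action, match_acl=None):
        self.sequences.append((seq, match_acl, action))
        self.sequences.sort(key=lambda entry: entry[0])
        return self

    def evaluate(self, src_ip):
        for _, acl, action in self.sequences:
            if acl is None or acl.permits(src_ip):   # no match clause = matches every packet
                return action
        return "drop"                     # implicit drop when no sequence matches


def parse_vlan_list(text):
    """'1-3,10' -> {1, 2, 3, 10}, the vlan-list syntax of the vlan filter command."""
    vlans = set()
    for part in text.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


class Switch:
    def __init__(self):
        self.filters = {}                 # vlan -> access map applied to it

    def vlan_filter(self, access_map, vlan_list):
        for vlan in parse_vlan_list(vlan_list):
            self.filters[vlan] = access_map

    def action_for(self, vlan, src_ip):
        """Action taken on a packet from src_ip seen in `vlan`; unfiltered VLANs forward."""
        access_map = self.filters.get(vlan)
        return "forward" if access_map is None else access_map.evaluate(src_ip)


def build_example():
    """The page's configuration: map 'cisco' forwards sources permitted by SAFE on VLANs 1-3."""
    safe = IpAccessList("SAFE", [("permit", "10.0.0.0/24")])
    cisco = VlanAccessMap("cisco").sequence(10, "forward", match_acl=safe)
    switch = Switch()
    switch.vlan_filter(cisco, "1-3")
    return switch
```

Adding a second sequence with no match clause, for example .sequence(20, "forward"), turns the implicit drop into "forward everything else", which is the usual way to make a VACL that only redirects or drops specific traffic.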
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify switch security features -
What are the three RSTP port states? (Choose three.)
- Initializing
- Blocking
- Learning
- Listening
- Forwarding
- Discarding
Explanation:
Rapid Spanning Tree Protocol (RSTP) uses only three port states: discarding, learning, and forwarding. The learning and forwarding states are the same as the original STP standard, but the discarding state performs the functions originally performed in the disabled, blocking, and listening STP states.
With STP, you can safely assume that a listening port is either designated or root, and is on its way to the forwarding state. Unfortunately, once a port is in the forwarding state, there is no way to tell whether the port is root or designated. There is no difference in the operation of a port in blocking state and a port in listening state, since they both discard frames and do not learn MAC addresses. The real difference is in the role the spanning tree assigns to the port. RSTP decouples the role and the state of a port.
With RSTP, a role is assigned to a port. The root port and designated port roles are the same as with STP, while the blocking port role is split into the backup and alternative port roles. The Spanning Tree Algorithm (STA) determines the role of a port based on Bridge Protocol Data Units (BPDUs). The RSTP roles can be defined as follows:
- Root port: The port receiving the best BPDU on a bridge (lowest-cost path to the root bridge) is the root port.
- Designated port: The port that has the best path to the root bridge on a given segment is the designated port. The bridges connected to a given segment listen to each other’s BPDUs and agree on the bridge sending the best BPDU as the designated bridge for the segment. The corresponding port on that bridge is the designated port.
- Alternative port: An alternative port is a port blocked by receiving more useful BPDUs from another bridge. It becomes the root port if the active port fails.
- Backup port: A backup port is a port blocked by receiving more useful BPDUs originating from the same bridge. It becomes the designated port if the existing designated port fails.
Ports on the switch can also be classified as edge ports and non-edge ports. Edge ports (access ports) attach to end devices such as workstations or printers; non-edge ports connect to other switches. If a non-edge port transitions to the forwarding state, a topology change (TC) BPDU is generated. When an edge port transitions to the forwarding state, for example after a computer boots or a device is connected to the port, no TC BPDU is generated.
Objective:
Layer 2 Technologies
Sub-Objective:
Configure and verify spanning tree -
Which of the following statements best describes the purpose of ARP with respect to CEF?
- ARP is used to build the FIB.
- ARP is used to reindex the routing table.
- ARP is used to build the adjacency table.
- ARP is used to decrease the amount of time spent searching for an entry within a routing table.
Explanation:
Address Resolution Protocol (ARP) is used by Cisco Express Forwarding (CEF) to build the adjacency table. CEF is the switching method used by Catalyst switches. Unlike traditional multilayer switching (MLS), which merely caches Layer 3 information received when traffic passes through a switch, CEF attempts to optimize the routing process by reindexing the routing table and then building an adjacency table based on the routing table information. The type of MLS performed by CEF is called topology-based switching; traditional MLS is known as route caching, demand-based switching, and flow-based switching.
The routing table is reindexed by using a binary search method. The reindexed routing table is called the forwarding information base (FIB). Reindexing the routing table reduces the amount of time spent searching for an entry within a routing table.
After the FIB is created, an adjacency table is created to map the appropriate Layer 2 next-hop address or addresses to each FIB entry. ARP is used to retrieve the Layer 2 address information. If multiple Layer 2 next-hop addresses are available for an entry in the FIB, then CEF can employ load balancing for packets headed to that destination.
The final result is a single database of routing information (FIB) is built for the switching hardware.
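The following added example (not code from the original page) models the two CEF structures described above: a FIB ordered for longest-prefix lookup, and an adjacency table populated from ARP that supplies the Layer 2 rewrite for each next hop. A destination whose next hop has no ARP entry yields a glean result, the case where the packet is punted so the CPU can resolve the address. The 192.168.6.0/24 route, its 192.168.166.5 next hop on VLAN 185 and that next hop's MAC follow the page's sample output; the connected subnet and default route are assumptions.

```python
"""Constructed model of a CEF FIB and its ARP-derived adjacency table."""
import ipaddress


class Cef:
    def __init__(self):
        self.fib = []                  # (prefix, next_hop or None for connected, interface)
        self.adjacency = {}            # (interface, next-hop IP) -> next-hop MAC (Layer 2 rewrite)

    def add_route(self, prefix, interface, next_hop=None):
        self.fib.append((ipaddress.ip_network(prefix), next_hop, interface))
        self.fib.sort(key=lambda entry: entry[0].prefixlen, reverse=True)   # longest prefix first

    def learn_arp(self, interface, ip, mac):
        """An ARP reply (or cache entry) creates the adjacency for that next hop."""
        self.adjacency[(interface, ip)] = mac

    def lookup(self, dst_ip):
        """Return (result, interface, next_hop, rewrite_mac) for a destination address."""
        addr = ipaddress.ip_address(dst_ip)
        for prefix, next_hop, interface in self.fib:
            if addr in prefix:
                hop = dst_ip if next_hop is None else next_hop   # connected: ARP for the host itself
                mac = self.adjacency.get((interface, hop))
                if mac is None:
                    return ("glean", interface, hop, None)        # punt: CPU must ARP first
                return ("forward", interface, hop, mac)
        return ("drop", None, None, None)                         # no route


def build_example():
    cef = Cef()
    cef.add_route("192.168.166.0/24", "Vlan185")                       # assumed connected subnet
    cef.add_route("192.168.6.0/24", "Vlan185", next_hop="192.168.166.5")
    cef.add_route("0.0.0.0/0", "Vlan185", next_hop="192.168.166.1")   # assumed default route
    cef.learn_arp("Vlan185", "192.168.166.5", "005565946856")          # from the page's output
    return cef
```

lookup("192.168.6.10") returns the forwarding decision with the rewrite MAC from the adjacency table; lookup of a host in the connected subnet that has not yet been ARPed, or of an address that falls to the default route whose gateway has no ARP entry, returns glean.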
Two extremely useful commands for verifying CEF are:
- show ip cef network address – displays entries in the forwarding information base (FIB)
- show adjacency detail | begin adjacency address – shows information about a specific adjacency in the adjacency table
Both commands are shown below with explanations.
SwitchA# show ip cef 192.168.6.0
192.168.6.0/24, version 302, cached adjacency 192.168.166.5
0 packets, 0 bytes
  via 192.168.166.5, Vlan185, 0 dependencies
    next hop 192.168.166.5, Vlan185
    valid cached adjacency
Above it can be determined that there is a valid CEF entry for the destination network 192.168.6.0 and that there is a valid cached adjacency to the 192.168.166.5 next-hop IP address.
In the command output below, it can be determined that 005565946856 is the MAC address of the 192.168.166.5 next hop:
SwitchA# show adjacency detail | begin 192.168.166.5
IP   Vlan185    192.168.166.5(6)
                0 packets, 0 bytes
                005565946856
Objective:
Layer 2 Technologies
Sub-Objective:
Configure and verify switch administration -
You want to create a VTP domain named myvtpdomain and define this switch as one that can be configured with VLANs and advertises VLAN changes to other switches.
What commands should you use? (Choose two.)
-
switch(config)# vtp mode server
-
switch(config)# vtp domain myvtpdomain
-
switch(config)# vtp domain server
-
switch(config)# vtp server myvtpdomain
Explanation:
To create a VTP domain and configure the switch so it can configure and advertise VLANs (server mode), use the global configuration commands vtp mode server and vtp domain myvtpdomain. The VTP domain is created with the command switch(config)# vtp domain {domainname}. The mode of the switch is defined with the command switch(config)# vtp mode {mode}. The possible modes are server, client, and transparent. Server means that the switch can be used to create, delete, and modify VLANs; and send and receive advertisements about VLAN changes. Client means that the switch cannot be used to create or change VLANs, but only send and receive advertisements, adjusting its own database to match advertisements that it hears. Transparent means that the switch can be used to create, delete, and modify VLANs; but does not advertise those changes to other switches. Any advertisements that a transparent switch receives are forwarded on to other switches, but not applied by the switch.
The commands vtp domain server and vtp server myvtpdomain are not valid due to incorrect syntax.
Objective:
Layer 2 Technologies
Sub-Objective:
Configure and verify trunking -
Which parameters are found in VTP advertisements? (Choose three.)
- Password
- VTP mode
- IP address
- Switch name
- Revision number
- Management domain name
Explanation:
The management domain name, password, and revision number are all checked before the VTP frame is processed. To propagate VTP information between switches, both switches must have a trunk port configured and must have a matching native VLAN, which is VLAN 1 by default.
VTP advertisements are flooded throughout the management domain every five minutes or whenever there is a change. They originate from a switch in server mode and are propagated by switches in client or transparent mode. Before a client or another server accepts the information in an advertisement, it checks the management domain name and password (if defined) against its own configuration, and then the configuration revision number. If the revision number is higher than the last value stored in the receiving switch, the receiving switch overwrites its VLAN database with the contents of the advertisement.
A VTP switch in transparent mode will receive and forward VTP advertisements. It will not use the contents of the advertisement to synchronize with its own VLAN database.
The VTP mode, IP address, and switch name are not found in VTP advertisements.
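The following added example (not code from the original page) models how a switch processes a summary advertisement using the three checks described above, in order: management domain name, password, and revision number. The password check is simplified to an MD5 of domain plus password (real VTP carries an MD5 digest computed over the advertisement with the secret). It then shows the operational hazard these rules create: a switch in the same domain with a stale but higher revision number overwrites the domain's VLAN database, deleting VLANs, unless the domain is protected by a password or the receiving switch is transparent. Switch names, VLANs and revision numbers are assumptions.

```python
"""Constructed model of VTP advertisement processing and the revision-number hazard."""
import hashlib


def vtp_digest(domain, password):
    """Simplified stand-in for the MD5 digest VTP carries; real VTP hashes the whole advertisement."""
    return hashlib.md5(f"{domain}:{password or ''}".encode()).hexdigest()


class VtpSwitch:
    def __init__(self, name, domain, mode, revision, vlans, password=None):
        self.name, self.domain, self.mode = name, domain, mode
        self.revision, self.vlans, self.password = revision, dict(vlans), password
        self.forwarded = []                     # advertisements relayed out other trunks

    def advertisement(self):
        """Summary advertisement: the three checked fields plus the VLAN database."""
        return {"domain": self.domain, "digest": vtp_digest(self.domain, self.password),
                "revision": self.revision, "vlans": dict(self.vlans)}

    def receive(self, adv):
        if self.mode == "transparent":
            self.forwarded.append(adv)          # relayed to other switches, never applied
            return "forwarded"
        if adv["domain"] != self.domain:
            return "ignored: domain mismatch"
        if adv["digest"] != vtp_digest(self.domain, self.password):
            return "ignored: password mismatch"
        if adv["revision"] <= self.revision:
            return "ignored: revision not higher"
        self.vlans = dict(adv["vlans"])         # database overwritten, deletions included
        self.revision = adv["revision"]
        return "synchronized"


def revision_hazard(password=None):
    """A client's VLANs before and after a stale server with a higher revision joins the domain."""
    vlans = {1: "default", 10: "users", 20: "servers"}
    client = VtpSwitch("access1", "corp", "client", revision=5, vlans=vlans, password=password)
    before = dict(client.vlans)
    stale = VtpSwitch("lab-old", "corp", "server", revision=12, vlans={1: "default"})
    result = client.receive(stale.advertisement())
    return before, result, dict(client.vlans)
```

revision_hazard() returns "synchronized" with only VLAN 1 left; revision_hazard(password="s3cret") returns the password-mismatch result with the database intact. In practice a switch being reused from another network should have its revision reset (for example by changing its VTP domain name) before it is connected.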
Objective:
Layer 2 Technologies
Sub-Objective:
Configure and verify trunking -
In what mode does an LWAPP-enabled access point operate?
- lightweight mode
- autonomous mode
- WGB
- ad hoc mode
Explanation:
Lightweight access point protocol (LWAPP)-enabled access points operate in lightweight mode. LWAPP is a protocol used to allow centralized management of APs. The management components are removed from the APs, and a WLAN controller provides a single point of management. This controller coordinates WLAN access, managing the load on the APs and user movement between APs. Upon starting, an LWAPP-enabled access point must obtain an IP address. It can then discover the controller using DHCP, DNS, or a subnet broadcast. When multiple wireless controllers are detected by an AP, it chooses to associate with the controller that has the fewest existing associated APs.
Individually configured APs that operate without central management are operating in autonomous mode. This would be the opposite of lightweight mode, which is made possible by LWAPP. Autonomous access points can be upgraded to lightweight. If they are upgraded, they will only function in conjunction with a WLAN controller. Moreover, when an autonomous access point is upgraded to lightweight, the console port only provides read access to the unit.
Characteristics that autonomous and lightweight access points have in common:
- Both support Power over Ethernet (PoE)
- Both can use a Cisco Secure Access Control server (ACS) for security
A workgroup bridge (WGB) is an access point configured to act as a wireless client on behalf of wired devices: it connects devices that have no wireless network card to a WLAN, but it does not join separate WLANs. The WGB can connect up to eight wired devices to a WLAN and associates with the root AP through its wireless interface.
Ad hoc is a WLAN mode used for peer-to-peer connectivity. Ad hoc mode allows wireless-enabled computers to communicate with each other without having an AP involved.
Objective:
Layer 2 Technologies
Sub-Objective:
Configure and verify other LAN switching technologies -
Which command produced the following output?
- switch# show spanning-tree vlan 100
- switch# show vlan 100
- switch# show spanning-tree summary
- switch# show interface vlan 100
- switch# show spanning-tree inconsistentports
Explanation:
The command show spanning-tree vlan 100 was used to provide the output in the exhibit. This output helps to identify the state of each port on the switch that is a member of VLAN 100. It is also used to identify the root bridge in the spanning tree.
The command show vlan 100 will provide basic information about VLAN 100, such as what ports are assigned to it, but will not display the STP information about the VLAN as the exhibit shows.
The command show spanning-tree summary can be used to verify the enabling of the extended system ID. This command is not used to provide the output in the exhibit.
The command show interface vlan 100 displays the same kind of information as would be displayed for any other interface, including the IP address configuration and whether the interface is up. It does not provide STP information about the switch as displayed in the exhibit.
The command show spanning-tree inconsistentports is used to identify inconsistent ports on a switch. Such ports can result from implementing the Root Guard feature. Root Guard can be enabled on a port to prevent superior BPDUs received there from causing a new root bridge to be elected, which can happen when a new switch with an unknown bridge ID is introduced. When a port configured with Root Guard receives a superior BPDU, the switch blocks the port, discards the BPDU, and places the port in the root-inconsistent state.
Below is an example of the partial output of the show spanning-tree inconsistentports command:
The output shows that devices connected to ports Fa0/1 and Fa0/2 are sending superior BPDUs (perhaps from a new switch). Because of this, no traffic will be forwarded across the ports. Once these superior BPDUs are stopped by changing the priority of the new switch, the interfaces will recover and resume normal operation.
Objective:
Layer 2 Technologies
Sub-Objective:
Configure and verify spanning tree -
In which VTP modes can you create and delete local VLANs? (Choose two.)
- User
- Host
- Client
- Server
- Transparent
Explanation:
There are three modes in VTP: server, client, and transparent. The main differentiator among the three modes is whether a switch can create or delete VLANs. You can create local VLANs in server and transparent VTP modes. However, VLANs created on a switch in transparent mode apply only to that switch, and information about these VLANs is not propagated throughout the VTP domain.
VTP server mode sends or forwards VTP advertisements, synchronizes VLAN configuration information with other switches, and saves the VLAN in NVRAM. To propagate VLAN information, the switch must be configured with a VTP domain name.
VTP transparent mode forwards VTP advertisements and saves the VLAN configuration in NVRAM. It does not synchronize VLAN configuration information. A switch in transparent mode can create, delete, and modify VLANs, but changes are not transmitted to other switches in the domain. Changes only affect the local switch.
VTP client mode sends or forwards VTP advertisements and synchronizes VLAN configuration information with other switches. It does not save VLAN information in NVRAM. In client mode, VTP clients only can receive VLAN information from VTP servers. A Catalyst switch can create, modify, and delete VLANs in server or transparent modes, but not in client mode.
VTP user and host modes do not exist.
Objective:
Layer 2 Technologies
Sub-Objective:
Configure and verify trunking -
How is a VLAN best described?
- subnet
- segment
- collision domain
- broadcast domain
Explanation:
A VLAN can best be described as a broadcast domain. A broadcast domain is a group of devices such that when one device in the group sends a broadcast, all the other devices in the group will receive that broadcast. Switching can segment a flat network into many smaller collision domains, but all stations must process all broadcasts. VLANs solve this problem by creating separate broadcast domains.
A subnet is an IP-addressing division where one subnet’s broadcasts are isolated to only that subnet, and no broadcast traffic crosses the subnet divisions without being routed. While in most cases each VLAN may be its own subnet, this is not always the case.
A LAN segment is a general term for a subnet or broadcast domain.
A collision domain is a domain where two or more devices in the domain could cause a collision by sending frames at the same time. Each port on a switch will host a collision domain.
Objective:
Layer 2 Technologies
Sub-Objective:
Configure and verify VLANs