Boson Flashcards
Difference between ‘switchport port-security violation [protect/restrict/shutdown]’. What is the default violation mode?
All three modes discard frames from unauthorized MAC addresses
Protect: only discards; no log message, no SNMP trap, no counter increment (so the violation is invisible unless you look at the port)
Restrict: discards, logs a syslog message, sends an SNMP trap, and increments the SecurityViolation counter
Shutdown: does everything Restrict does and also places the port in the err-disabled state (effectively shuts down the port). Shutdown is the default violation mode
Which FHRP protocol is specified in RFC 5798?
VRRP (RFC 5798 defines VRRPv3, which covers both IPv4 and IPv6)
What occurs when you enable UplinkFast on a switch? What does UplinkFast do?
- Port costs are increased by 3000
- If the bridge priority is less than 49152, it is raised to 49152; if it is already higher, it stays at the higher value (both changes make the switch unlikely to become the root or a transit switch)
- UplinkFast speeds up convergence on an access layer switch that detects a failure on its root port by immediately moving a blocked alternate uplink into the forwarding state
What is the default switch bridge priority and which bridge is most likely to become the root bridge?
32768; the switch with the lowest bridge ID becomes the root (lowest priority wins, and ties are broken by the lowest MAC address)
Which commands or command sets will reset a port that has been shut down by UDLD?
- ‘udld reset’ (privileged EXEC)
- ‘errdisable recovery cause udld’ (automatic recovery after the recovery interval)
- ‘no udld enable’, then ‘udld enable’ or ‘udld aggressive’ (global configuration)
- ‘no udld port’, then ‘udld port’ or ‘udld port aggressive’ (interface configuration)
- ‘shutdown’, then ‘no shutdown’ (interface configuration)
UDLD monitors a link to verify that both ends of the link are functioning
What traffic is untagged in regards to VLANs?
Traffic on the native VLAN is sent untagged across an 802.1Q trunk (ISL has no native VLAN; it encapsulates every frame)
What are PVLANs (private VLANs) for and what do they consist of?
They isolate traffic between hosts inside a single VLAN (same IP subnet) without creating additional subnets
They consist of one primary VLAN and one or more secondary VLANs (isolated or community)
What’s the difference between a host that connects to an isolated VLAN and a host connected to a community VLAN?
A host in an isolated VLAN can communicate only with promiscuous ports in the primary VLAN, not with other hosts in the isolated VLAN
A host in a community VLAN can communicate with the other hosts in the same community VLAN as well as with promiscuous ports in the primary VLAN
Enable 802.1x port-based authentication
‘aaa new-model’
‘aaa authentication dot1x default group radius’
‘dot1x system-auth-control’ (globally enables 802.1x on the switch)
‘dot1x port-control {force-authorized|force-unauthorized|auto}’ (per interface)
Configure router to use EIGRP for AS 2
‘ip routing’ (required on a multilayer switch before any routing protocol can run)
‘router eigrp 2’
An interface that should participate in EIGRP must have an IP address assigned and be covered by a ‘network’ statement under the EIGRP process
Which ports will PortFast be enabled on if you issue the ‘spanning-tree portfast default’ command?
The command enables PortFast by default on all access ports; trunk ports are not affected
What command makes an interface an access port?
‘switchport mode access’
How do you enable PortFast on individual ports?
‘spanning-tree portfast’
Name all the different ‘port-channel load-balance [~~~]’ commands. What are they used for? What is the default?
- ‘port-channel load-balance dst-mac’: configures the EtherChannel to load balance based on the destination MAC address
- ‘port-channel load-balance src-ip’: configures the EtherChannel to load balance based on the source IP address
- ‘port-channel load-balance dst-ip’: configures the EtherChannel to load balance based on the destination IP address
- ‘port-channel load-balance src-dst-mac’: configures the EtherChannel to load balance based on the source and destination MAC addresses
- ‘port-channel load-balance src-dst-ip’: configures the EtherChannel to load balance based on the source and destination IP addresses
‘port-channel load-balance src-mac’ is the default on Catalyst 2960/3560-class switches (load balancing based on the source MAC address); issuing it is the same as issuing ‘no port-channel load-balance’. Pick the method that varies most across your traffic: with src-mac, every flow arriving from a single router or server MAC lands on the same link
What does ‘mac address-table static 000c.bacb.100d vlan 10 drop’ do?
It drops frames in VLAN 10 with a source or destination MAC address of 000c.bacb.100d
The command provides a convenient method for implementing unicast MAC address filtering on a Cisco switch
What does ‘switchport port-security’ do?
Enables port security on a single switch interface (the interface must be a static access or trunk port, not a dynamic one)
With the default settings (maximum 1 address, violation mode shutdown), the interface is placed in the err-disabled state as soon as a second MAC address is seen on it
What does ‘switchport mode dynamic auto’ do?
Lets the neighboring port decide whether the link becomes a trunk; the port trunks only if the neighbor is set to trunk or dynamic desirable
What does ‘switchport host’ do?
Macro command that sets the port to access mode, enables PortFast, and disables EtherChannel on the port
What does ‘switchport mode access’ do?
Configures a port to carry traffic for a single VLAN; it will not form a trunk regardless of the neighbor’s setting
What is a VSS? What is required when configuring a VSS? What does the VSS consist of?
VSS (Virtual Switching System) is a Cisco proprietary technique to create a single logical switch out of two physical switches
Supervisor type and IOS version must be identical on each physical device. One of the supervisors is active, and the other is designated as hot-standby; the active supervisor manages the control plane.
What is PAgP?
Port Aggregation Protocol, Cisco’s proprietary link aggregation protocol (the IEEE alternative is LACP). In a VSS, enhanced PAgP on a multichassis EtherChannel is also used as a dual-active detection mechanism, which matters when the VSL fails and the VSS enters dual-active recovery mode
What is VSLP?
Virtual Switch Link Protocol: the framework that creates and maintains the Virtual Switch Link (VSL), the link between the two chassis of a VSS. Within the VSS, one chassis supervisor is designated as active and the other as hot-standby
Consists of LMP (Link Management Protocol) and RRP
What is RRP?
Role Resolution Protocol. Determines the role (active or hot-standby) of each member of the VSS
Which command can you issue to determine the native VLAN configured on a neighboring Cisco switch?
show cdp neighbors detail
You plan to add a TACACS+ server to SwitchA. You want vty connection attempts on SwitchA to be authenticated by the TACACS+ server. You will assign the TACACS+ server the 192.168.1.100 IP address, and you will use ‘boson’ as the encryption key.
Configure SwitchA with the following parameters.
- Configure AAA on the switch
- Configure the TACACS+ server parameters on the switch
- Create an authentication list named ‘primary’ that configures the TACACS+ server as the authentication method for users who remotely log in to the switch
- Configure the first vty lines to use the ‘primary’ authentication list
SwitchA(config)#aaa new-model
SwitchA(config)#tacacs-server host 192.168.1.100
SwitchA(config)#tacacs-server key boson
SwitchA(config)#aaa authentication login primary group tacacs+
SwitchA(config)#line vty 0 4
SwitchA(config-line)#login authentication primary
What are the prefixes for the following? Give the virtual MAC for group 10 of each
- IPv4 VRRP virtual MAC address: 0000.5E00.01xx (xx = VRID, 8 bits)
- IPv6 VRRP virtual MAC address: 0000.5E00.02xx (xx = VRID, 8 bits)
- HSRPv1 virtual MAC address: 0000.0C07.ACxx (xx = group number, 0 to 255)
- HSRPv2 virtual MAC address: 0000.0C9F.Fxxx (xxx = group number, 0 to 4095)
Group 10 (0x0A) of each:
- IPv4 VRRP: 0000.5E00.010A
- IPv6 VRRP: 0000.5E00.020A
- HSRPv1: 0000.0C07.AC0A
- HSRPv2: 0000.0C9F.F00A
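Added example (not part of the Boson flashcards): a small Python helper that derives the virtual MAC for any protocol/group pair from the prefixes above, does the reverse when a virtual MAC shows up in a capture or ARP table, and scans ‘show ip arp’ text for gateways answered by an FHRP. The ARP-scanning function and its sample output are constructed for the example.

```python
import re

# Added example (not from the Boson flashcards). Builds and recognises FHRP
# virtual MAC addresses from the prefixes on the card above; the 'show ip arp'
# scanner and the SAMPLE_ARP text below are constructed, not captured.
FHRP_PREFIXES = {
    # protocol: (fixed prefix as hex nibbles, number of hex nibbles carrying the group)
    "VRRP IPv4": ("00005e0001", 2),   # 0000.5E00.01xx, VRID in 8 bits
    "VRRP IPv6": ("00005e0002", 2),   # 0000.5E00.02xx
    "HSRPv1":    ("00000c07ac", 2),   # 0000.0C07.ACxx, group 0-255
    "HSRPv2":    ("00000c9ff", 3),    # 0000.0C9F.Fxxx, group 0-4095 (12 bits)
}


def _normalize(mac):
    """Accept 0000.5e00.010a, 00:00:5E:00:01:0A or 00-00-5e-00-01-0a."""
    raw = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(raw) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return raw


def virtual_mac(protocol, group):
    """Return the Cisco-style dotted virtual MAC for a protocol/group pair."""
    prefix, nibbles = FHRP_PREFIXES[protocol]
    if not 0 <= group < 16 ** nibbles:
        raise ValueError(f"group {group} does not fit in {nibbles * 4} bits for {protocol}")
    raw = prefix + format(group, f"0{nibbles}x")
    return ".".join(raw[i:i + 4] for i in range(0, 12, 4))


def identify_virtual_mac(mac):
    """Return (protocol, group) if mac is an FHRP virtual MAC, else None."""
    raw = _normalize(mac)
    for protocol, (prefix, nibbles) in FHRP_PREFIXES.items():
        if raw.startswith(prefix):
            return protocol, int(raw[len(prefix):], 16)
    return None


# Matches the 'Internet <ip> <age> <mac>' lines of IOS 'show ip arp' output.
ARP_LINE = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})",
    re.M,
)


def find_fhrp_gateways(show_ip_arp):
    """List (ip, protocol, group) for every ARP entry answered by a virtual MAC."""
    found = []
    for ip, mac in ARP_LINE.findall(show_ip_arp):
        hit = identify_virtual_mac(mac)
        if hit:
            found.append((ip, hit[0], hit[1]))
    return found


# Constructed sample output, not captured from a real switch.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             0   0000.0c07.ac0a  ARPA   Vlan10
Internet  192.168.1.2             5   0000.0c9f.f00a  ARPA   Vlan10
Internet  192.168.1.3             7   0000.5e00.010a  ARPA   Vlan10
Internet  192.168.1.50           12   0050.56aa.bb01  ARPA   Vlan10
"""

if __name__ == "__main__":
    for entry in find_fhrp_gateways(SAMPLE_ARP):
        print(entry)
```

During an assessment the reverse lookup is the useful direction: a virtual MAC in the ARP table tells you which FHRP is running and which group number to target or monitor, before you have seen a single hello packet.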
What is the default max # of devices that can connect to an interface with ‘switchport port-security’? What command can change that and to what?
1
‘switchport port-security maximum [value]’
value can be from 1 to 132 on the platform this card was written for; the upper limit is platform dependent
How do you enable 802.1x authentication globally on a switch?
‘dot1x system-auth-control’
How do you enable 802.1x authentication on a single interface?
‘authentication port-control auto’ (older IOS: ‘dot1x port-control auto’)
What are the 3 modes of 802.1x authentication on a single interface? What does each do?
auto, force-authorized, force-unauthorized
Auto: any device connected to the port must complete 802.1x authentication before gaining access to the network
Force-authorized: any device connected to the port is authorized and granted access without authenticating (this is the default port-control state, so a port with no port-control configured behaves as if 802.1x were not enabled)
Force-unauthorized: any connected device is denied access; the port never authorizes anyone
What does ‘authentication host-mode multi-host’ do?
Allows multiple hosts on a single port; the first host must authenticate, after which all other hosts on the port are permitted without authenticating
What command restores the default 802.1x parameters on a device?
‘dot1x default’
What does GLBP do and what does the group consist of? How is everything in a GLBP group elected?
Gateway Load Balancing Protocol provides automatic router backup for IP hosts configured with a single default gateway and, unlike HSRP and VRRP, load balances across the group members
Members of a GLBP group elect one gateway to be the active virtual gateway (AVG) for that group. Other group members provide backup for the AVG in the event that the AVG becomes unavailable.
The AVG is elected based on which router is configured with the highest priority value, or the highest IP address if multiple routers share the highest priority
The router with the second highest priority is elected as the standby virtual gateway (SVG)
The AVG assigns a virtual MAC address to up to four active virtual forwarders (AVFs); typically the AVG and SVG also function as AVFs within the group
Only the AVG responds to ARP requests for the virtual IP, replying with the virtual MAC of one of the AVFs so that hosts are spread across the forwarders
What is the order of the election for the stack master? How do you change the priority?
- The switch with the highest priority is elected stack master
- If several switches have the same priority, the switch with a nondefault saved configuration is elected
- Then the remaining criteria listed in the stack master election card further down (feature set, uptime, lowest MAC address)
‘switch [stack-id] priority [value]’ (value 1 to 15, default 1)
What is changed when a frame is encapsulated with an 802.1Q tag?
A 4-byte tag is inserted after the source MAC address, so the original FCS no longer matches the frame
The FCS must be recalculated over the tagged frame
Which standards natively include PortFast, UplinkFast, and BackboneFast? Which standard can use them but does not include them natively?
- 802.1w (RSTP) includes the equivalent behavior natively (edge ports, alternate ports, and the proposal/agreement handshake)
- 802.1D (STP) can use them only as Cisco proprietary enhancements
How else can you call RSTP, STP, and MST?
- 802.1w (RSTP)
- 802.1D (STP)
- 802.1s (MST), Multiple Spanning Tree
What is the default priority value of a switch that has been configured with a Multiple Spanning Tree (MST) instance?
32768
What does the ‘spanning-tree mst [instance #] root primary’ command do?
Sets the local switch priority to a value that makes it the root for the MST instance: 24576 if the current root’s priority is higher than that, otherwise 4096 less than the current root’s priority
What does ‘spanning-tree mst [instance #] root secondary’ do?
Sets the local switch to priority 28672 so that it has the second-lowest priority and becomes root if the primary fails (the lowest priority wins)
What are the compatible modes for the channel groups in each switch to create a functional EtherChannel link? For PAgP and LACP, explain differences. How do you check what mode it’s in?
For PAgP (Cisco proprietary): modes are desirable and auto. Desirable pairs with desirable or auto; auto with auto does not form a channel
For LACP (IEEE 802.3ad): modes are active and passive. Active pairs with active or passive; passive with passive does not form a channel
On: no negotiation protocol at all; both sides must be set to on
‘show etherchannel summary’
Name all DTP configurations. Determine which switch port setting pairs make up a trunk or access interface. What command changes the switch port mode setting?
‘switchport mode [~~~]’
Trunk [‘trunk’]: forms a trunk with any neighbor setting except access (trunk/access is a mismatch that leaves limited connectivity)
Dynamic desirable [‘dynamic desirable’]: forms a trunk with trunk, dynamic desirable, or dynamic auto; with access the port becomes a nontrunking access interface
Access [‘access’]: port is placed in nontrunking mode no matter what the neighbor port is set to
Dynamic auto [‘dynamic auto’]: trunks if the neighbor is dynamic desirable or trunk; stays an access port if the neighbor is dynamic auto or access
What command will place port in a mode where the port does not transmit DTP frames? How would you create a trunk if the command is configured?
‘switchport nonegotiate’
To make trunk, the neighboring port must be set manually
What’s the DTP configuration recommended by Cisco?
desirable-desirable
What is the default switch port mode setting for DTP?
Dynamic desirable on older Catalyst platforms (such as the 2950 and 3550); newer platforms (2960, 3560, 3750 and later) default to dynamic auto
What are the 3 VTP (VLAN Trunking Protocol) modes and how do you configure them? What is the default? What are the differences?
VTP server mode, VTP client mode, VTP transparent mode
‘vtp mode [server/client/transparent]’
‘vtp domain [domain-name]’
VTP server mode is the default
Switches in VTP server or client mode synchronize VLAN information with other server and client switches in the same VTP domain. VLAN and VTP configuration can be modified only on switches in server mode (clients reject local VLAN changes)
Changes on a VTP server propagate to every other server and client in the VTP domain
Switches in VTP transparent mode do not participate in VTP synchronization but do forward VTP advertisements out their trunk ports; their own VLAN configuration stays local
What are the commands to set the root bridge and the secondary root bridge?
‘spanning-tree vlan [vlan-id] root primary’ and ‘spanning-tree vlan [vlan-id] root secondary’
What kind of connection is needed between two ports for VTP to work?
Trunk port connection
What is the default VTP domain name for a switch?
NULL
What parameters must be met so that VTP servers and VTP clients can synchronize information over VTP?
VTP domain name, VTP password, VTP version
What is the default native VLAN?
1
Difference between 802.1Q and ISL?
802.1Q is the IEEE standard: it inserts a 4-byte tag into the original frame and leaves the native VLAN untagged. ISL (Inter-Switch Link) is Cisco proprietary: it encapsulates the entire frame with a 26-byte header and a 4-byte trailing CRC, tags every VLAN (there is no native VLAN), and is not supported on newer Catalyst switches
How do you know when VLANs are being pruned in ‘show interfaces trunk’?
VLANs that are listed under the ‘vlans allowed and active in management domain’ section BUT not listed under ‘Vlans in spanning tree forwarding state and not pruned’ section are either pruned or blocked by STP
What are the 3 main components involved in EAP authentication? What does each do?
The supplicant: EAP-capable client, such as a user workstation
-Sends authentication credentials to an authenticator
Authenticator: an access switch
-Forwards authentication credentials to an authentication server
Authentication server: a RADIUS server
-Verifies the credentials using either a local or a remote user database
What are all the ‘show ip dhcp snooping’ commands and what do they show?
‘show ip dhcp snooping’: displays general info about the DHCP snooping config on a switch, such as virtual LANs for which DHCP snooping is enabled and the trusted state of each interface
‘show ip dhcp snooping binding’: shows the dynamic entries in the binding table, you can see the ‘lease (sec)’
‘show ip dhcp snooping statistics’: displays statistical info regarding the number of frames that have been forwarded or dropped by the DHCP snooping config on a switch
‘show ip dhcp snooping database’: displays status of the DHCP snooping binding table agent and statistics regarding the status of the binding table, such as the URL where the binding table can be found and how many successful writes have been committed to the table
What are the hash values on each port in an EtherChannel bundle? What number of links in an EtherChannel bundle is most likely to result in an unequal distribution of traffic?
The 8 hash buckets are spread across the links as follows:
- 2 ports: 4:4
- 3 ports: 3:3:2
- 4 ports: 2:2:2:2
- 5 ports: 2:2:2:1:1
- 6 ports: 2:2:1:1:1:1
- 7 ports: 2:1:1:1:1:1:1
- 8 ports: 1:1:1:1:1:1:1:1
Six (only 2, 4, and 8 links divide the 8 buckets evenly; with 6 links two of them carry twice the load of the other four)
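Added example (not part of the Boson flashcards): a Python model of the 8-bucket distribution in the table above, plus a simplified src-dst-ip hash so you can see why a single flow, or two flows that hash alike, never spread across links. The bucket-to-link assignment follows the card; the hash function itself (XOR of the last octets, low three bits kept) is an assumption for illustration and not a reproduction of any particular Catalyst platform’s algorithm.

```python
# Added example (not from the Boson flashcards). Models the 8-bucket hash
# distribution from the table above and a simplified src-dst-ip hash. The
# bucket-to-link assignment matches the card; the hash itself is an
# assumption, not any platform's exact algorithm.
HASH_BUCKETS = 8


def bucket_distribution(links):
    """How many of the 8 hash buckets each link in the bundle owns."""
    if not 1 <= links <= 8:
        raise ValueError("an EtherChannel bundle has 1 to 8 active links")
    base, extra = divmod(HASH_BUCKETS, links)
    return [base + 1 if i < extra else base for i in range(links)]


def is_balanced(links):
    """True only when every link owns the same number of buckets."""
    d = bucket_distribution(links)
    return max(d) == min(d)


def max_load_ratio(links):
    """Busiest link's share divided by the quietest link's share."""
    d = bucket_distribution(links)
    return max(d) / min(d)


def bucket_to_link(links):
    """Map each hash bucket 0..7 to the index of the link that carries it."""
    mapping = []
    for link, count in enumerate(bucket_distribution(links)):
        mapping.extend([link] * count)
    return mapping


def flow_bucket(src_ip, dst_ip):
    """Simplified src-dst-ip hash (assumption): XOR the last octets, keep 3 bits."""
    s = int(src_ip.rsplit(".", 1)[1])
    d = int(dst_ip.rsplit(".", 1)[1])
    return (s ^ d) & (HASH_BUCKETS - 1)


def link_for_flow(links, src_ip, dst_ip):
    """Which physical link a given src/dst pair always lands on."""
    return bucket_to_link(links)[flow_bucket(src_ip, dst_ip)]


def links_used(links, flows):
    """Set of links touched by a list of (src, dst) flows."""
    return {link_for_flow(links, s, d) for s, d in flows}


if __name__ == "__main__":
    for n in range(1, 9):
        print(n, ":".join(map(str, bucket_distribution(n))), "balanced" if is_balanced(n) else "unequal")
```

The practical consequence for capacity planning: one large backup or replication flow is capped at the bandwidth of the single link its hash selects, and adding links to the bundle does not help that flow at all.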
What is monitored by default on a SPAN source port? What does SPAN do?
Both ingress and egress traffic
SPAN enables you to monitor traffic on a switch by configuring one or more ports, or one or more VLANs, on the switch as the source and a single port on the switch as the destination. Traffic that passes through the source ports is copied to the destination port for analysis (for example by an IDS sensor or a packet capture host)
What are the 4 parameters defined by IEEE that should be considered when optimizing STP timers? What does each do and what are the recommended max values?
- Transit halt delay: the maximum time required to transition a port to the blocking state after the STP algorithm has determined that the port should be blocked. Max value = 1 sec
- Bridge transit delay: the time between a switch receiving and then sending the same frame. Max value = 1 sec
- BPDU transmission delay: the time between a switch receiving and then sending a BPDU. Max value = 1 sec
- Medium access delay: the time between the switch making a forwarding decision and the frame physically leaving the switch. Max value = 0.5 sec
What are the three trunk encapsulation modes?
ISL, dot1q, negotiate (‘switchport trunk encapsulation [isl|dot1q|negotiate]’; negotiate prefers ISL if both sides support it)
What addresses do CDP (Cisco Discovery Protocol), LLDP (Link Layer Discovery Protocol) and PVST+ (Per-VLAN Spanning Tree Plus) use to send advertisements?
CDP: 01:00:0C:CC:CC:CC
LLDP: 01:80:C2:00:00:0E (nearest bridge, the address LLDP on switches uses); 01:80:C2:00:00:03 and 01:80:C2:00:00:00 are the other reserved LLDP destination addresses
PVST+: 01:00:0C:CC:CC:CD for its per-VLAN (SSTP) BPDUs on all VLANs, plus standard IEEE BPDUs to 01:80:C2:00:00:00 for VLAN 1
Which frames does 802.1Q encapsulation add a tag to? How many bits?
A 32-bit (4-byte) tag is inserted into every frame sent on the trunk except frames on the native VLAN, which are sent untagged
What command configures a switch to tag traffic from all VLANs, including the native VLAN?
vlan dot1q tag native
What command is issued from interface configuration mode to manually prune VLANs? What does it do?
- ‘switchport trunk allowed vlan {add | all | except | remove} [vlan-list | all | none]’
- specifies which VLANs are allowed on a trunk port; any VLAN not in the list is not carried on the trunk. Pruning unneeded VLANs from trunks also limits how far an attacker who can inject tagged frames can reach
By default which VLANs are allowed over a trunk?
All VLANs
How do you apply a VLAN access control list (VACL) named ‘blurb’ to VLAN 1?
‘vlan filter blurb vlan-list 1’ (global configuration; ‘blurb’ is the name of a ‘vlan access-map’ that has already been defined)
What must happen so that two switches can successfully establish an EtherChannel link?
Both switches must use the same aggregation protocol (PAgP or LACP, or ‘on’ on both sides) in compatible modes, and all member ports must have matching speed, duplex, and VLAN configuration
What are all the different SDM templates and how do you change them? What is the default SDM template?
‘sdm prefer [access | default | routing | vlan]’ (global configuration; a reload is required before the new template takes effect)
Access: maximizes system resources for access control lists (ACLs) to accommodate a large number of ACLs
Default: balances resources across all functions (this is the default template)
Routing: maximizes system resources for IPv4 unicast routing; decreases the number of unicast MAC addresses but increases the number of indirect unicast routes
VLAN: disables routing and supports the maximum number of unicast MAC addresses; typically selected for a Layer 2 switch
How do you verify SDM templates?
‘show sdm prefer’ (shows the active template; ‘show sdm prefer [template]’ shows what a given template would allocate)
On which ports should the root guard feature of STP be enabled on a switch? What is the config to enable root guard on a port?
Ports connected to switches that should not become the root (designated ports facing access switches or customer/partner devices); never on the root port or on uplinks toward the real root, because a superior BPDU there would root-inconsistent the port
‘spanning-tree guard root’ (interface configuration)
What does ‘standby 1 track fa0/2 15’ do if configured on interface Fa0/1 on R1?
Configures HSRP group 1 on R1 to decrease its priority by 15 when the line protocol on Fa0/2 goes down and to restore it when Fa0/2 comes back up. If 15 were not specified, the default decrement would be 10
What happens if R2 has preempt enabled?
If R1 was the active router and its priority drops below R2’s, R2 sends a coup message and takes over the active router role in the HSRP standby group. Without ‘standby 1 preempt’ on R2, R2 would remain standby even with the higher priority
How to verify trunk info?
‘show interfaces trunk’
How to verify VTP info? (such as mode, version, etc.)
‘show vtp status’
What is the default time that passes before an err-disabled port attempts recovery? How can you verify the err-disable reason or the time remaining before the recovery attempt?
300 seconds (‘errdisable recovery interval [seconds]’, configurable from 30 to 86400 seconds); automatic recovery only happens for causes enabled with ‘errdisable recovery cause’
‘show log’ (the syslog message that err-disabled the port states the cause)
‘show errdisable recovery’ (enabled causes, the interval, and the time left for each err-disabled interface)
Which SDM template is most likely to result in an increase in CPU utilization during periods of high traffic?
The VLAN SDM template, because it disables hardware routing: any traffic that still has to be routed is process-switched by the CPU, so routed traffic during busy periods drives CPU utilization up
When an unauthorized MAC address triggers a security violation on an interface with the default port security settings, which level of syslog message is generated?
Critical (severity 2), as in %PORT_SECURITY-2-PSECURE_VIOLATION
Which switches in an RSPAN environment require VLANs configured for monitored traffic?
Source, intermediate, and destination
What must be true so that RSPAN VLANs can be dynamically created?
VTP must be enabled and source, intermediate, and destination switches must reside in the VTP domain
Differences between SPAN and RSPAN?
SPAN is limited to a single, local device: source and destination are on the same switch. RSPAN lets you monitor traffic across the network by carrying mirrored traffic from a source port on one device to a destination port on a different device over a dedicated RSPAN VLAN, across a Layer 2 (nonrouted) path
What is true about RSPAN VLANs in regard to trunk/access interfaces?
RSPAN VLANs should only contain trunk interfaces. Any access interfaces will be put into suspended state.
How do you see VLAN information?
‘show vlan’
What is true about trunk and access ports in regard to VLANs?
Only access ports are listed under a VLAN in ‘show vlan’ output; trunk ports are not shown there (use ‘show interfaces trunk’ for them)
Name the four switchport voice vlan commands and describe what each does. Which is the default?
‘switchport voice vlan dot1p’: the phone sends voice traffic tagged with VLAN ID 0 and the default 802.1p priority of 5; a tag is present but no separate voice VLAN needs to be created
- Voice: tagged as VLAN 0
- Data: untagged, native VLAN
‘switchport voice vlan none’: the phone uses its own configuration and sends untagged voice traffic and untagged data traffic over the access VLAN. This is the default
- Voice and data: untagged; access VLAN
‘switchport voice vlan [vlan-id]’: the phone sends voice traffic tagged with the specified VLAN, which is a dedicated voice VLAN; data traffic is carried untagged over the native VLAN
- Voice: tagged as the voice VLAN
- Data: untagged, native VLAN
‘switchport voice vlan untagged’: the phone sends both untagged voice traffic and untagged data traffic over the native VLAN
- Voice and data: untagged; native VLAN
What command allows you to configure an authentication string for a specified HSRP standby group? Indicate both ways
‘standby [group number] authentication text [key-string]’ for plain text; the key string can be up to 8 characters
For MD5:
‘standby [group number] authentication md5 key-string [0 | 7] [key-string]’
The 0 keyword indicates a plain-text value; the 7 keyword indicates a value already obfuscated with Cisco’s type 7 algorithm (reversible, so it protects only against shoulder surfing, not against anyone who can read the configuration). Plain-text HSRP authentication travels in the clear in every hello; prefer MD5
How do you enable LLDP and what are the different commands available? How do you verify LLDP?
‘lldp run’ to enable LLDP globally
‘lldp transmit’ and ‘lldp receive’ (interface) re-enable a direction if a ‘no lldp transmit’ or ‘no lldp receive’ command was configured
By default an interface both sends and receives LLDP packets once LLDP is enabled globally
Verify with ‘show lldp’ to see the LLDP configuration and ‘show lldp neighbors’ to see discovered devices
If the fa0/1 port of SwitchA is configured to use 802.1w and it’s connected to the fa0/2 port of SwitchB, what scenarios will cause the fa0/1 port on SwitchA to revert to 802.1D mode?
- If SwitchB is configured to use 802.1D (STP), so that fa0/1 receives 802.1D BPDUs
- If the fa0/2 port of SwitchB is discarding (blocking)
- If the fa0/1 port of SwitchA is a designated port and the fa0/2 port of SwitchB is blocking
If a switch is configured to use MST, it also uses RSTP (802.1w) within each instance
What VTP mode should switch be in before you can configure PVLANs?
Transparent, in VTP v1 and v2. In v3 you can do in client and server mode
In an 802.1Q-tagged Ethernet frame, what is used to identify the frame as an 802.1Q-tagged frame?
The TPID (Tag Protocol Identifier) field, which is set to 0x8100 and sits where the EtherType of an untagged frame would be
In an 802.1Q-tagged Ethernet frame, what does the Priority field indicate?
The 802.1p frame priority level (PCP), 3 bits, from 0 through 7
In an 802.1Q-tagged Ethernet frame, what does the Canonical Format Indicator (CFI) field indicate?
Whether the MAC addresses are in canonical (0) or noncanonical (1) format; 1 bit, always 0 on Ethernet (newer revisions of the standard redefine the bit as the Drop Eligible Indicator, DEI)
In an 802.1Q-tagged Ethernet frame, what does the VLAN Identifier (VID) field indicate?
The VLAN, 12 bits, 0 through 4095 (0 means the frame carries only a priority and no VLAN; 4095 is reserved)
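Added example (not part of the Boson flashcards) covering this card and the two earlier ones on 802.1Q tagging (the 4-byte tag and the recalculated FCS): Python that builds an Ethernet frame, inserts an 802.1Q tag the way a trunk port does, recomputes the FCS, and parses the TPID/PCP/CFI/VID fields back out. The frame contents are constructed; minimum-frame padding is ignored.

```python
import struct
import zlib

# Added example (not from the Boson flashcards). Builds an Ethernet frame,
# inserts an 802.1Q tag (4 bytes after the source MAC, FCS recomputed) and
# parses the tag fields back out. Sample frame contents are constructed.
TPID_8021Q = 0x8100


def mac_bytes(mac):
    """'0000.0c00.0001', '00:00:0c:00:00:01' or '00-00-0c-00-00-01' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))


def ethernet_fcs(body):
    """IEEE 802.3 FCS: CRC-32 over dst..payload, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst, src, ethertype, payload):
    """Untagged frame: dst(6) src(6) ethertype(2) payload fcs(4)."""
    body = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload
    return body + ethernet_fcs(body)


def add_8021q_tag(frame, vid, pcp=0, cfi=0):
    """Insert a tag between the source MAC and the EtherType and recompute the FCS."""
    if not 0 <= vid <= 4095 or not 0 <= pcp <= 7 or cfi not in (0, 1):
        raise ValueError("vid is 12 bits, pcp 3 bits, cfi 1 bit")
    body = frame[:-4]                      # drop the old FCS; it no longer matches
    tci = (pcp << 13) | (cfi << 12) | vid  # Tag Control Information: PCP | CFI | VID
    tag = struct.pack("!HH", TPID_8021Q, tci)
    body = body[:12] + tag + body[12:]     # 12 = dst MAC + src MAC
    return body + ethernet_fcs(body)


def parse_frame(frame):
    """Verify the FCS and return the tag fields, or None for an untagged frame."""
    if len(frame) < 18:
        raise ValueError("frame too short")
    body, fcs = frame[:-4], frame[-4:]
    if ethernet_fcs(body) != fcs:
        raise ValueError("FCS mismatch: corrupted, or FCS not recalculated after tagging")
    if struct.unpack("!H", body[12:14])[0] != TPID_8021Q:
        return None                        # untagged, e.g. native VLAN traffic
    tci, ethertype = struct.unpack("!HH", body[14:18])
    return {"pcp": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF, "ethertype": ethertype}


if __name__ == "__main__":
    arp_request = b"\x00\x01\x08\x00" + bytes(24)          # constructed ARP payload
    frame = build_frame("ffff.ffff.ffff", "0000.0c00.0001", 0x0806, arp_request)
    print(parse_frame(add_8021q_tag(frame, 10, pcp=5)))
```

Reading the parser back against the trunk rules on the cards: a frame whose bytes 12 and 13 are not 0x8100 is treated as native-VLAN traffic, which is exactly the ambiguity double-tagging attacks rely on when the native VLAN is left at its default and untagged.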
What is an SVI and how do you create and configure an SVI on VLAN 2 that has been assigned the network address 192.168.2.0/24?
An SVI (switched virtual interface) is a logical Layer 3 interface that represents a VLAN on a multilayer switch and acts as the default gateway for hosts in that VLAN
‘interface vlan 2’
‘ip address 192.168.2.1 255.255.255.0’
‘no shutdown’
What is true about a SPAN source port and SPAN destination in regards to SPAN sessions?
Multiple SPAN sessions can monitor traffic from a single SPAN source port, only a single session can be associated with a SPAN destination
What happens when a SPAN destination port is part of an active SPAN session?
The port is placed into an ‘up/down’ interface state to indicate it is no longer capable of operating as a normal switch port.
The SPAN destination port no longer participates in Layer 2 protocols and can no longer be the destination of other SPAN sessions.
Also, if the SPAN destination port is a member of a VLAN that is included as the source for another SPAN session, the port is excluded from the source list for that session.
What must be the same in every switch port in an EtherChannel bundle (channel group)?
Speed and duplex settings must be the same
What should each link in a Layer 2 EtherChannel bundle be?
They should be in the same VLAN
What is the StackWise stack master election process?
1) Switch with the highest priority
2) Switch with the highest-ranked feature set, in this order:
- IP Services with cryptographic image
- IP Services with no cryptographic image
- IP Base with cryptographic image
- IP Base with no cryptographic image
3) Switch with a non-default saved configuration
4) Switch with the longest uptime
5) Switch with the lowest MAC address
What is used to determine the physical link in an EtherChannel bundle that a flow will use?
A hash algorithm
What does a port security-enabled interface use to authorize incoming traffic?
Source MAC address
What is a stack ID? What is the default stack ID for switches? What if two switches attempt to use the same stack ID?
Stack ID is used to uniquely identify a switch in a StackWise switch stack. By default, all switches use stack ID 1. If two switches attempt to use the same stack ID, the switch with the higher priority will retain the stack ID number and the other switch will automatically be assigned a new stack ID
What is used to create a PVST+ BID (bridge ID)? What is it and what is it used for?
The switch priority (4 bits), the extended system ID (12 bits, carrying the VLAN number when it is enabled on the switch), and the switch’s base MAC address (48 bits) make up the BID
The BID uniquely identifies a switch in STP; because the extended system ID embeds the VLAN, a single base MAC gives the switch a unique BID for every configured VLAN
What happens if a trunk port is specified as a SPAN source? How do you prevent the VLAN tags from being lost?
All traffic on the trunk is mirrored to the SPAN destination as untagged traffic. Use the ‘encapsulation replicate’ keywords when configuring the SPAN destination to ensure that the encapsulation (802.1Q tags) used by packets on the trunk is preserved
What commands do you issue to monitor only VLANs 10 and 20 in SPAN session 1? Why would you do this?
‘monitor session 1 filter vlan 10 , 20’. All VLANs are monitored by default on a SPAN source trunk port, so you must use VLAN filtering if you want to limit the monitored VLANs to a subset of those active on the trunk that is specified as a SPAN source
Q. 44 Boson C
When EtherChannel Guard detects a misconfiguration, into which state will it place the ports in the local channel group?
err-disabled
What is root guard used for? How does it work?
If a port with root guard receives a superior BPDU (one that would make the sender the root), root guard places the port into the root-inconsistent state and blocks all traffic through it until the port stops receiving superior BPDUs; recovery is automatic
Root guard is used to prevent a newly introduced (or attacker-controlled) switch from being elected the new root
What is loop guard used for? How does it work?
If a port has loop guard enabled and stops receiving BPDUs, the port goes into the loop-inconsistent state (blocking) instead of transitioning to forwarding
Loop guard prevents a non-designated port from transitioning to the forwarding state when BPDUs stop arriving (for example because of a unidirectional link), which prevents switching loops
Are routing protocols available to all stack members in a StackWise switch stack?
Yes, routing protocols are available to all stack members as long as the stack master is running the appropriate software image
How does a StackWise switch stack appear in an STP topology?
It appears as a single node in an STP topology
Differences between TACACS+ and RADIUS. Also similarities
Similar:
- Both are AAA protocols
- Both are supported by non-Cisco devices
TACACS+:
- Cisco proprietary in origin (later documented in RFC 8907)
- TCP, port 49
- Authentication, authorization, and accounting are separate operations
- The entire packet body is obfuscated with an MD5-based keystream derived from the shared secret
- Multiprotocol support
- Used for device administration
- Provides per-command authorization for router and switch CLI sessions
RADIUS:
- Open IETF standard (RFC 2865/2866)
- UDP, ports 1812 (authentication/authorization) and 1813 (accounting); older implementations use 1645/1646
- Authentication and authorization are combined in one exchange
- Only the User-Password attribute in the Access-Request is hidden (MD5-based XOR with the shared secret); every other attribute is sent in the clear
- No multiprotocol support
- Used for network access
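Added example (not part of the Boson flashcards): the RFC 2865 section 5.2 User-Password hiding that the “only passwords are encrypted” line refers to, implemented in Python. The password is XORed block by block with MD5(secret || authenticator), chained on the previous ciphertext block; the secret, password and Request Authenticator below are constructed values.

```python
import hashlib

# Added example (not from the Boson flashcards). RFC 2865 5.2 User-Password
# hiding: XOR the padded password with MD5(S + RA), then MD5(S + c1), ...
# Every other attribute in the Access-Request is sent in the clear. The
# secret, password and authenticator used in the demo are constructed.


def radius_hide_password(password, secret, authenticator):
    """Encode a User-Password attribute value (client side)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator is 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a 16-byte multiple
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()     # b_n = MD5(S + c_(n-1)), c_0 = RA
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block                                        # chain on the ciphertext block
    return hidden


def radius_reveal_password(hidden, secret, authenticator):
    """Decode on the server: same secret, authenticator taken from the packet header."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return plain.rstrip(b"\x00")                            # strip the padding


if __name__ == "__main__":
    secret = b"boson"                    # constructed shared secret
    authenticator = bytes(range(16))     # constructed; real clients use 16 random bytes
    hidden = radius_hide_password(b"Passw0rd!", secret, authenticator)
    print(hidden.hex(), radius_reveal_password(hidden, secret, authenticator))
```

Two things follow from the construction. The keystream depends only on the shared secret and a value carried in the packet, so anyone who captures an Access-Request and knows or brute-forces the secret recovers the password offline, and a weak secret is the whole story. And nothing else in the packet is protected at all, which is why RADIUS over untrusted paths should be wrapped in IPsec or carried as RadSec (RADIUS over TLS).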
What are the normal-range VLANs and what are the extended VLANs? What must be true in a switch to support extended VLANs
Normal-range VLANs are numbered 1 to 1005. Extended VLANs are numbered from 1006 to 4094. A switch must use either transparent mode or VTP version 3 to support extended VLANs.
What is so important about the configuration revision number on a switch? How do you reset the configuration revision number?
It tracks which VTP configuration is the latest. Switches ignore advertisements with a configuration revision number lower than their own and accept higher ones. So before you add a switch to a VTP domain, always ensure its configuration revision number is lower than the one on the switches already in the domain; otherwise the new switch’s VLAN database (possibly empty) overwrites the VLANs on every server and client in the domain
You reset the configuration revision number to 0 by changing the VTP domain name (‘vtp domain [name]’), or by changing the VTP mode to transparent (transparent-mode switches always have a revision number of 0) and then back to server or client mode. A switch in client mode can also simply be rebooted
Which switches store VTP and VLAN information in the NVRAM?
Switches in VTP server or transparent mode, NOT VTP client mode
What does pruning do? What command enables it?
Pruning conserves bandwidth by preventing the flooding of traffic to VLANs that do not require the traffic
‘vtp pruning’ to enable
What potential problems does SPAN cause, why does Cisco recommend using it sparingly?
Because the traffic mirroring process creates an added burden on the switch CPU. When SPAN is enabled, both internal traffic and forwarding engine traffic are doubled. In addition, the traffic across the switch fabric is increased; if multiple SPAN sources are mirrored to a single SPAN destination, the destination could become oversaturated
What does a SPAN destination port no longer participate in?
802.1x port-based authentication, port security, STP, VTP, DTP, private VLANs, and 802.1Q tunneling
Can an EtherChannel interface be a SPAN destination port? If so, how?
You can specify an EtherChannel interface as a destination port, but only the ‘on’ mode is supported; PAgP and LACP are not supported on a SPAN destination port
How do you set FastEthernet 1/0 as a SPAN destination port for SPAN session 1?
‘monitor session 1 destination interface fastethernet 1/0’
What command configures storm control to block broadcast traffic when broadcasts consume 80 percent of the interface’s bandwidth and to resume forwarding broadcasts only when they fall below 60 percent?
‘(config-if)#storm-control broadcast level 80 60’ (rising threshold 80, falling threshold 60; the gap keeps the port from flapping between blocked and unblocked)
What command configures storm control to block all multicast traffic?
‘(config-if)#storm-control multicast level 0 0’
What storm control command places no limit on unicast traffic?
‘(config-if)#storm-control unicast level 100’
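Added example (not part of the Boson flashcards): a Python simulation of how the rising and falling thresholds of ‘storm-control [type] level rising [falling]’ behave over a series of per-interval bandwidth samples, covering the three cards above (80/60 hysteresis, ‘level 0 0’ blocking everything, ‘level 100’ blocking nothing). The sample percentages are constructed, and the ‘block at or above rising, resume below falling’ rule is the modelling assumption.

```python
# Added example (not from the Boson flashcards). Simulates storm-control
# rising/falling thresholds over constructed utilisation samples. Rule used
# (assumption): suppress at or above the rising level, resume once a sample
# falls below the falling level; 'level 100' never suppresses.


def storm_control_states(samples, rising, falling=None):
    """Return, per sample, whether the traffic type is suppressed after that sample."""
    if falling is None:
        falling = rising             # IOS uses the rising level when no falling level is given
    if not 0 <= falling <= rising <= 100:
        raise ValueError("need 0 <= falling <= rising <= 100")
    suppressed = False
    states = []
    for pct in samples:
        if rising >= 100:
            suppressed = False       # 'level 100' means no limit at all
        elif not suppressed and pct >= rising:
            suppressed = True        # storm detected: block this traffic type
        elif suppressed and pct < falling:
            suppressed = False       # storm over: resume forwarding
        states.append(suppressed)
    return states


def transitions(states):
    """How many times the port toggled between forwarding and blocking."""
    return sum(1 for a, b in zip(states, states[1:]) if a != b)


if __name__ == "__main__":
    samples = [50, 85, 70, 55, 90, 70]   # constructed per-interval broadcast load in percent
    print("80 60 :", storm_control_states(samples, 80, 60))
    print("80    :", storm_control_states(samples, 80))
    print("0 0   :", storm_control_states(samples, 0, 0))
    print("100   :", storm_control_states(samples, 100))
```

Running the same sample series with and without a falling threshold shows the point of the second number: without it the port resumes as soon as one sample dips under 80 percent and blocks again on the next spike, so the port flaps more often and the storm is never really damped.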
You want to enable port security on an interface and configure the interface so that only the device with MAC address 1111.2222.3333 can send traffic through the port-security enabled interface. If any other device attempts to send traffic through the interface, the interface will shut down. What commands would you configure?
‘switchport mode access’ (port security requires a static access or trunk port)
‘switchport port-security’
‘switchport port-security mac-address 1111.2222.3333’
The defaults of maximum 1 address and violation mode shutdown supply the rest
How do you configure primary and secondary VLANs?
Primary: ‘private-vlan primary’ (in VLAN configuration mode), then ‘private-vlan association [secondary-vlan-list]’ to bind the secondary VLANs to it
Secondary: ‘private-vlan [isolated|community]’
Only secondary VLANs can be configured as isolated or community VLANs
What command do you use to configure a port to participate in a PVLAN? What do the different options mean?
‘switchport mode private-vlan [promiscuous|host]’
Promiscuous: configures port to communicate with any secondary VLAN. Devices (such as a router, firewall, or gateway) that should be reachable from any secondary VLAN should be connected to promiscuous ports.
Host: devices connected to isolated or community VLANs should be connected to host ports
What is DTP used for?
Dynamic Trunking Protocol (DTP) is used to negotiate whether to establish a trunk and to negotiate the encapsulation used on the trunk.
Trunk links between switches can be configured either manually or automatically by using DTP
How do you configure 802.1X port-based authentication? What are the different options?
‘(config)#aaa new-model
(config)#aaa authentication dot1x default group radius
(config)#dot1x system-auth-control
(config)#interface fastethernet 0/1
(config-if)#dot1x port-control [force-authorized | force-unauthorized | auto]’
Force-authorized: configures port to authorize any host that connects to the port; no 802.1x authentication process will take place. Any host connected to port will be able to send traffic through switch.
Force-unauthorized: configures the port to never allow authentication for a connected host. Host will be unable to send traffic through port
Auto: enable 802.1X authentication on the port. If the host is configured with 802.1X authentication, the host will be authenticated and will be able to send traffic through the switch
What are SDM templates? How do you configure and what are the different options? How do you verify?
An SDM template can be used to maximize support for individual switch features depending on how the switch is used.
Template of stack master will propagate to all switches in stack
‘sdm prefer [access/default/routing/vlan]’
Access: provides for using a large number of ACLs by optimizing resources for ACLs
Default: balances system resources for use in all features
Routing: optimizes resources for use with IP version 4 (IPv4) unicast-routing
VLAN: is typically used on Layer 2 switches to support the max number of unicast MAC addresses; disables routing in hardware
‘show sdm prefer’ to verify
If partial output is
‘vlan filter boson vlan-list 17, 19-22
!
ip access-list extended ip-hosts
permit ip 172.16.0.0 0.0.255.255 any’
What configuration do you issue to prevent only the hosts with an IP address in the 172.16.0.0/16 network from communicating on VLAN 17 and VLAN 19-22 and why did you choose those configs?
‘(config)#vlan access-map boson 10
(config-access-map)#match ip address ip-hosts
(config-access-map)#action drop
(config-access-map)#vlan access-map boson 20
(config-access-map)#action forward’
vlan access-map [name] [sequence #] : creates a VACL with name [name] and places switch into access map config mode for sequence [seq. #] of the VACL.
Every VACL sequence has an associated action that is taken if a packet satisfies all of the match criteria defined in sequence.
The valid options for a VACL sequence action are: forward, drop, and redirect
For example, ‘action drop’ specifies that sequence 10 will discard any packet that satisfies all the criteria listed in the match statements
Since there are no match statements in sequence 20 (any sequence number after 10 would do), all packets that reach that sequence are forwarded normally.
Sequence 20 is necessary because the default action for a VACL is to discard any packet that has not been explicitly forwarded or redirected by an access map sequence
What happens when a voice VLAN is enabled on a port in regards to Port Fast?
PortFast is automatically enabled. However, PortFast is not automatically disabled when the same voice VLAN is disabled
What is the default frequency that a Cisco switch will send LLDP advertisements when LLDP (Link Layer Discovery Protocol) is enabled on an interface? How do you change this frequency?
30 seconds
‘lldp timer [5 to 65534]’
How do you enable MST? What else does it do?
‘spanning-tree mode mst’
It enables RSTP, which speeds up the transition of an STP port to the forwarding state, thereby increasing convergence speed
What attributes must match on switches in an MST region? How do you configure the attributes?
The region name, the configuration revision number, and the VLAN-to-instance mapping table must match
First, enter MST configuration mode:
‘spanning-tree mst configuration’
Then,
For MST region name: ‘name [region name]’
MST configuration revision number: ‘revision [revision-number]’
To map VLANs to an instance: ‘instance [instance-number] vlan [vlan-range]’
How many AVFs are supported in a GLBP group?
Four
What is true about storm control? What is the command for storm control?
By default, storm control is disabled on Cisco switches
It blocks a certain traffic type [unicast | multicast | broadcast] if the rising threshold is exceeded for the traffic type until the traffic rate falls below another threshold value called the falling threshold
Storm control is supported on EtherChannel. You must configure storm control on the EtherChannel bundle
Rising and falling threshold values can be expressed in terms of packets per second, bits per second, or as a percentage of available bandwidth
‘storm-control [broadcast | multicast | unicast] level { percent-rising [percent-falling] | bps bps-rising [bps-falling] | pps pps-rising [pps-falling] }’
What command configures a switch port to use a particular aggregation protocol? What command configures a particular mode?
‘channel-protocol [pagp | lacp]’
‘channel-group [group #] mode [desirable | auto | active | passive]’
What is true about 802.1Q tunneling regarding ingress and egress traffic?
All untagged ingress traffic on trunk links should be dropped
All egress traffic on trunk links should be tagged
How do you disable root guard or loop guard on an interface? Why would an interface be marked as inconsistent?
‘spanning-tree guard none’
A root guard or loop guard is enabled on an interface
How do you verify inconsistent port and other info?
‘show spanning-tree inconsistentports’
What command do you use to specify RSPAN session 1 and capture traffic from VLANs 4, 10, 11,12, 15? What is RSPAN?
‘monitor session 1 source/destination remote vlan 4, 10-12, 15’
‘remote vlan’ is the keyword
RSPAN enables you to monitor traffic on a network by capturing and sending traffic from a source port on one device to a destination port on a different device on a nonrouted network
What tasks do you need to perform to monitor traffic on a port on a neighboring switch?
- Create an RSPAN VLAN on both switches
- Create a monitor session on the neighboring switch with the monitored port as the source and the RSPAN VLAN as the destination
- Create a monitor session on the local switch with the RSPAN VLAN as the source and the monitoring port as the destination
How many bits long are each field in an 802.1Q tag/header?
TPID (16 bits), Priority field (3 bits), CFI field (1 bit), VID field (12 bits)
What is the virtual MAC address for the second AVF in GLBP Group 1?
0007.B400.0102
GLBP Virtual MAC address starts with the prefix 0007.B4, the next four hexadecimal values represent the group number, and the final two hexadecimal values represent the gateway number.
What is MST, what is it used for?
Multiple Spanning Tree (MST), used to create a spanning tree instance for each group of virtual LANs (VLANs). Although MST can be used to define a spanning tree instance for each VLAN, it is best used to define a spanning tree instance for each set of VLANs along a redundant path.
What is PVST+, what else is necessary for it to work?
PVST+ always creates a spanning tree instance for each VLAN. PVST+ is a Cisco-proprietary form of STP. When implemented, 802.1Q encapsulation must be used. If ISL encapsulation is used, PVST must be used instead of PVST+
What is LDAP and what ports does it use?
It is an authorization protocol that enables access to an existing directory, such as Microsoft Active Directory Domain Services (AD DS).
It uses Transmission Control Protocol (TCP) port 389 by default.
What is Kerberos, what port does it use?
It’s a standards-based authentication protocol that can use TCP port number 88 or UDP port number 88
What is LLDP?
LLDP is a Layer 2 open-standard discovery protocol that is used to facilitate interoperability between Cisco devices and non-Cisco devices. It operates only between network devices (such as routers, switches, and access servers), not between endpoints
What is LLDP-MED?
It is an extension of LLDP. It operates between endpoint devices (such as a PC or VoIP phone) and vendor-neutral network devices
What is CDP and CDPv2?
CDP is a Layer 2 Cisco-proprietary protocol that is used to advertise and discover only directly connected Cisco devices on a local network. For example, a Cisco switch would use CDP in order to determine whether an attached VoIP phone is a Cisco device.
CDPv2 is an enhancement to CDP that reduces downtime through a feature that allows for rapid error tracking.
What happens to a switch port (with the PortFast feature enabled) when BPDU guard is also enabled?
If the port receives a BPDU, the port will go into err-disabled state
What are two ways of achieving interVLAN routing? How do you configure?
- A Layer 3 switch with IP routing enabled and SVIs configured:
(config)#ip routing
(config)#interface vlan 2
(config-if)#ip address 192.168.2.1 255.255.255.0 [could be anything, pretty sure]
(config-if)#no shutdown
(config-if)#interface vlan 3
(config-if)#ip address 192.168.3.1 255.255.255.0 [could be anything, pretty sure]
(config-if)#no shutdown
- A Layer 2 switch connected via a trunk link to a router with subinterfaces configured
*Boson for config*
What do you have to make sure you do if you want to limit the command output of ‘show mac address-table interface fastethernet 0/2’ to only the dynamically learned addresses on FastEthernet 0/2? Type command
‘show mac address-table interface fastethernet 0/2 | include DYNAMIC’
Make sure DYNAMIC is capitalized because the filter is case sensitive; the same applies to STATIC
Other options are exclude and begin instead of include
SDM templates are used to manage ___________
memory partitions in TCAM memory, only on switches with single TCAM chips. They are guidelines for how to divide that memory.
What are valid reasons that could cause a port to go into the errdisable state?
- Broadcast storms are detected by the Storm Control feature
- ARP inspection violations
- A flapping of trunking encapsulation types
- BPDUGuard
What happens when you configure ‘errdisable recovery cause [cause such as BPDUguard]’
The port will go back up after 300 seconds (5 minutes) by default if the port was sent to errdisable by BPDU guard or the other specified cause. If you want to change the interval, use ‘errdisable recovery interval [30 to 65535]’
What are the modes of UDLD?
UDLD has two modes - Normal and Aggressive.
Normal just prints out a syslog message, while aggressive pushes violations into error-disabled mode after 3 misses.
What would cause a port configured with UDLD aggressive mode to go into errdisable mode?
If the port goes from bidirectional to unidirectional
If interface is placed in a VLAN other than VLAN 1 and that specific VLAN is removed, what happens?
The VLAN shows as inactive (inactive in access mode), and the interface does not fall back to the native VLAN; it simply stops passing traffic
How do you create a new VLAN on a switch [VLAN-5], assign that VLAN to interface FastEthernet0/5, and ensure that the switch will never be allowed to form a VLAN trunk with another Cisco switch?
‘(config)#vlan 5
(config-vlan)#interface FastEthernet0/5
(config-if)#switchport mode access
(config-if)#switchport access vlan 5’
Won’t form VLAN trunk because of mode access command
Which VLANs are not stored in the VLAN database?
Extended VLANs, 1006 to 4094
Difference between local VLAN and end-to-end VLAN and what is best practice for network design implementation
A local VLAN pretty much just stays within a building or department; an end-to-end VLAN spans a wider area, so to speak. Local VLANs should only be designed into a network where traffic is expected to follow the 20/80 rule (80% of traffic will leave the VLAN). For end-to-end VLANs, it’s the 80/20 rule (80% of traffic stays in the VLAN)
What is true about the 802.1Q encapsulation method and user workstations?
By default, laptops and PCs cannot understand 802.1Q tags. So it could be useful in certain scenarios, as opposed to using ISL.
In VTPv3, what switch propagates the info? What problems could happen if it’s connected to a switch that is using VTPv2?
Switch with the “primary server” operating mode
If the VTPv3 switch is in the primary server operating mode while the VTPv2 switch is in server mode, they won’t be able to update each other because each switch will think it’s the leader. Also, the configuration revision numbers could mismatch
How do you convert a switch to VTP version 3 and then configure VLAN-999 on that switch. You also wish this switch to propagate that VLAN to other switches.
(config)#vtp domain ‘name’
(config)#end
#vtp version 3
#vtp primary
#config t
(config)#vlan 999
What is pruning and how do you configure it and also for only VLANs 4 and 9? What other command would affect the pruning command and how?
Use ‘switchport trunk pruning vlan 4,9’. The command defines a prune eligibility list: the VLANs listed in this command are the VLANs eligible for pruning. By default, all VLANs are allowed on a trunk and all VLANs (between 2 and 1001, inclusive) are eligible for pruning if pruning is enabled globally with the ‘vtp pruning’ command. Once you manually configure an eligibility list, only those VLANs on the list are eligible for pruning
If ‘switchport trunk allowed vlan 3’ , then VLAN 3 will never be pruned
How do you configure a Layer 2 EtherChannel? How do you verify?
(config)#interface ‘interface #’
(config-if)#no ip address
(config-if)#channel-protocol [lacp/pagp]
(config-if)#channel-group ‘#’ mode [active | passive | desirable | auto | on ]
Verify:
show running-config interface ‘interface’
show interfaces ‘interface’ etherchannel
How do you configure a Layer 3 EtherChannel with 1.1.1.1/28 IP address? How do you verify?
(config)# interface port-channel ‘group #’
(config-if)#ip address 1.1.1.1 255.255.255.240
(config-if)#no shutdown
(config-if)#end
(config)#interface ‘interface’ -or- (config)#interface range ‘interface range’
(config-if)#channel-group # mode [active | passive | desirable | auto | on]
Verify:
show running-config interface ‘interface’
show interfaces ‘interface’ etherchannel
How do you load balance an EtherChannel?
(config)#port-channel load-balance [src-mac | dst-mac | src-dst-mac | src-ip | dst-ip | src-dst-ip]
What is the command to check EtherChannel info? What does stand-alone mean in the output?
‘show etherchannel summary’
It means that the port is not bundled in an EtherChannel, so the EtherChannel is not fully functional
What, exactly, is the EtherChannel Guard feature looking for, in order to detect a problem?
When a switch configured for EtherChannel receives Spanning-Tree BPDUs from a remote switch with unique STP Sending Port-IDs, this will trigger EtherChannel Misconfiguration Guard
What are the different timers and stages a port goes through on its way to becoming a designated (forwarding) port?
Max-age timer: 20 seconds, the time a port waits after the last BPDU from the root was received; when it expires, the port goes to the listening stage
Forwarding-Delay timer: 15 seconds, after this the port will go from Listening to Learning stage
Forwarding-Delay timer: 15 seconds (again), after this the port will go from learning to forwarding (designated port)
50 seconds total
If all interfaces on the switch are in VLAN 2 and the switch is running STP. What happens when the switch receives a Topology Change BPDU from the Root Bridge?
All dynamic MAC addresses learned in VLAN-2 will have their Aging Timer modified to match the value of the Spanning-Tree Forwarding Delay
What is a benefit Rapid-PVST has over PVST+?
Rapid-PVST allows any Bridge to send a Topology Change BPDU whereas PVST+ restricts this action solely to the Root Bridge
What is needed for Rapid-PVST to use its full capability? How fast does it go?
If two switches are connected directly with full-duplex the ports converge to final state in 2 seconds
A customer who has just enabled 802.1s on her switch, wants to know why a few ports on her switch are being displayed as “Boundary” ports. Which of the following answers could explain this?
- That switch is connected to another switch running 802.1w
- That switch is connected to another switch in a different MST Region
- That switch is connected to another switch running 802.1d
How do you check for Mrecords and how many of them does each 802.1s BPDU contain?
With ‘show interface trunk’
The number of instances (other than instance 0) determines the number of Mrecords
Which configuration will, if copied-and-pasted into Switch 1 and Switch 2 (which are directly connected to each other) will result in the successful formation of an MST Region between these two switches?
config t
spanning-tree mst configuration
name ‘name’
revision 1
instance 1 vlan ‘range vlan’
instance 2 vlan ‘range vlan’
exit
spanning-tree mode mst
What is true regarding the utilization of SPAN feature on a switch?
- The RSPAN destination interface will be placed in ‘monitoring’ mode by default
- A SPAN session requires that the destination be a physical interface on the same switch as the SPAN source
In HSRP, which router becomes the active router and which router becomes the standby router? How often are HSRP hello packets sent, and by whom?
The router with the highest IP address becomes the active router and the second-highest becomes the standby router. They will be sending HSRP hello packets every 2 seconds. If there are 3 or more routers, the others will be in the listening state.