Practice Q's - DTP Flashcards
Which IOS commands are entered in interface configuration mode to configure a switch port to actively negotiate to be an 802.1Q trunk port? (Choose two.)
A. switchport trunk dot1q
B. switchport mode dynamic auto
C. switchport trunk allowed vlan
D. switchport mode trunk
E. switchport trunk encapsulation dot1q
Answer: D,E
Explanation:
Entering the IOS commands switchport mode trunk and switchport trunk encapsulation dot1q in interface configuration mode will allow a switch port to actively negotiate to be an 802.1Q trunk port. This allows Dynamic Trunking Protocol (DTP) to actively negotiate to be a trunk if the other side is set to trunk, desirable, or auto.
Use the following steps to configure a port as an 802.1Q trunk:
- Enter the interface configuration. switch(config)# interface interface-id
- Configure the port to use 802.1Q encapsulation. switch(config-if)# switchport trunk encapsulation dot1q
- Configure the port as a trunk port. switch(config-if)# switchport mode trunk
Note: Trunking modes can be configured as dynamic desirable, dynamic auto, trunk, access, and nonegotiate. If both sides are set to auto, no negotiations will occur.
Verification of the configuration can be done by executing the show run command on both switches. An example partial output for two switches is shown below:
In the above partial output, the following can be determined:
The switchport trunk allowed vlan command is also valid for configuring dot1q trunks, but it is not required. By default, all VLANs are allowed on the trunk.
Which IOS interface configuration commands are required to configure a switch port to actively negotiate to be an 802.1Q trunk port that, when active, will send packets destined for VLAN 3 untagged? (Choose three.)
A. switchport mode trunk
B. switchport trunk dot1q 3
C. switchport native vlan 3
D. switchport trunk mode dot1q
E. switchport mode dynamic auto
F. switchport trunk native vlan 3
G. switchport trunk encapsulation dot1q
Answer: A,F,G
Explanation:
Entering the IOS commands switchport mode trunk and switchport trunk encapsulation dot1q in interface configuration mode will allow a switch port to actively negotiate to be an 802.1Q trunk port. Setting the trunk native VLAN to 3 with the command switchport trunk native vlan 3 will allow VLAN 3 traffic to be sent and received untagged over the trunk port.
The command switchport mode trunk instructs DTP to actively negotiate to be a trunk if the other side is set to trunk, desirable, or auto.
Use the following steps to configure a port as an 802.1Q trunk:
- Enter the interface configuration. switch(config)# interface interface-id
- Configure the port to use 802.1Q encapsulation. switch(config-if)# switchport trunk encapsulation dot1q
- Configure the port as a trunk port. switch(config-if)# switchport mode trunk
- (Optional) Set the native VLAN number. switch(config-if)# switchport trunk native vlan number
If the native VLAN is changed as above, it must be changed on both ends of the link, because the native VLAN numbers must match for the trunk to come up successfully. When left at the default (VLAN 1), no mismatch can occur. If a native VLAN mismatch occurs, it will be reflected in the debug command output of one of the switches, as shown below.
2009 Aug 11 16:36:11 %SPNTREE-2-RX_IQPVIDERR:Rcvd pvid_inc BPDU on 1Q port 0/2 vlan3
2009 Aug 11 16:36:11 %SPNTREE-2-TX_BLKPORTPVID:Block 0/2 on xmitting vlan 1 for inc peer vlan
2009 Aug 11 16:36:11 %SPNTREE-2-RX_BLKPORTPVID:Block 0/2 on rcving vlan 3 for inc peer vlan 1
Note: Trunking modes can be configured as access, dynamic desirable, dynamic auto, trunk, and nonegotiate. If both sides are set to auto, no negotiations will occur.
The switchport trunk allowed vlan command is also valid for configuring dot1q trunks, but it is not required. By default, all VLANs are allowed on the trunk.
Which IOS commands are entered in interface configuration mode to configure a switch port to unconditionally be an 802.1Q trunk port and not generate DTP packets? (Choose two.)
A. trunk dot1q
B. switchport trunk dot1q
C. switchport nonegotiate
D. switchport trunk allowed vlan
E. switchport trunk encapsulation dot1q
Answer: C,E
Explanation:
Entering the IOS commands switchport nonegotiate and switchport trunk encapsulation dot1q in interface configuration mode configures a switch port to be an 802.1Q trunk port unconditionally. The nonegotiate setting disables the generation of Dynamic Trunking Protocol (DTP) negotiation packets. Since DTP also negotiates the encapsulation type, the encapsulation type must be specified explicitly (for example, dot1q).
Use the following steps to configure a port as an 802.1Q trunk:
- Enter the interface configuration. switch(config)# interface interface-id
- Configure the port to use 802.1Q encapsulation. switch(config-if)# switchport trunk encapsulation dot1q
- Configure the port as a trunk port. switch(config-if)# switchport nonegotiate
Note: Trunking modes can be configured as trunk, dynamic auto, dynamic desirable, nonegotiate, and access.
The switchport trunk allowed vlan command is also valid for configuring dot1q trunks, but it is not required. By default, all VLANs are allowed on the trunk.
Which type of network attack takes advantage of the Dynamic Trunking Protocol (DTP)?
A. VLAN hopping
B. MAC flooding
C. DHCP spoofing
D. Rogue access points
Answer: A
Explanation:
VLAN hopping is an attack designed to gain unauthorized access to a VLAN by using DTP to negotiate a trunk link with another switch. If a switch port configured as DTP auto were to receive a fake DTP packet, it might become a trunk port and begin accepting traffic destined for any VLAN. Therefore, a malicious user could start communicating with other VLANs through that compromised port.
A MAC flooding attack does not use DTP as a part of its operation. This attack floods the switch with fake MAC addresses until the MAC table is full. When this happens, the switch starts sending all frames out all ports, allowing the hacker to capture data from all ports.
DHCP snooping does not use DTP as a part of its operation. It is not an attack but a security measure. DHCP snooping filters untrusted DHCP messages using a DHCP snooping binding database. A DHCP snooping binding database is also referred to as a DHCP snooping binding table. This can be used to prevent a rogue DHCP server from assigning configuration information to clients.
Rogue access points do not use DTP as a part of their operation. These are unauthorized access points connected to an open switch port or wall outlet for the purpose of gaining access to the wired network wirelessly.