LAN and WAN, Cisco Routing and Switching Pro Chapter 4, CCNA2 LS CH9, CCNA, Practice Exam 1

To remove the ACL, the global configuration no access-list command is used. Issuing the show access-list command confirms that access list 10 has been removed.

# no access-list

To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL.

#ip access-group

Answer: B,C,E Explanation: For switches such as the 2950, the process is much the same as a router, but you should delete the VLAN.DAT file before reloading the router. This file contains VLAN information and is kept in flash, so it will still be present after a reload. switch1#delete vlan.dat Delete filename [vlan.dat]? Delete flash:vlan.dat? [confirm] switch1#reload Make sure to hit for the two questions regarding the deletion - if you answer "y" instead, the switch thinks you're trying to erase a file named "y"! After the reload is complete, you'll be prompted to enter setup mode. As you did with the router, enter "N" and begin to configure the router from user exec mode.

A Catalyst 2950 needs to be reconfigured. What steps will ensure that the old configuration is erased? (Choose three.) A. Erase flash. B. Restart the switch. C. Delete the VLAN database. D. Erase the running configuration. E. Erase the startup configuration. F. Modify the configuration register

When a client requests data from a web server, IP manages the communication between the PC (source) and the server (destination). TCP manages the communication between the web browser (application) and the network server software. TCP also manages assembling the data from the segments when they arrive. The TCP process is very much like a conversation in which two nodes on a network agree to pass data between one another. TCP provides a connection-oriented, reliable, byte stream service.

A TCP Conversation

Answer: C Explanation: The Data Link layer provides the physical transmission of the data and handles error notification, network topology, and flow control. The Data Link layer formats the message into pieces, each called a data frame, and adds a customized header containing the hardware destination and source address. Protocols Data Unit (PDU) on Datalink layer is called frame. According to this question the frame is damaged and discarded which will happen at the Data Link layer. Section 4: Describe common networked applications including web applications (4 questions)

A receiving host computes the checksum on a frame and determines that the frame is damaged. The frame is then discarded. At which OSI layer did this happen? A. physical B. session C. data link D. transport E. network

Answer: B

ActualTests.com A network administrator must configure 200 switch ports to accept traffic from only the currently attached host devices. What would be the most efficient way to configure MAC-level security on all these ports? A. Visually verify the MAC addresses and then telnet to the switches to enter the switchport-port security mac-address command. B. Have end users e-mail their MAC addresses. Telnet to the switch to enter the switchport-port security mac-address command. C. Use the switchport port-security MAC address sticky command on all the switch ports that have end devices connected to them. D. Use show mac-address-table to determine the addresses that are associated with each port and then enter the commands on each switch for MAC address port-security. Answer: C

Router(config-if)# ip access-group { access-list-number | access-list-name } { in | out }

After a standard ACL is configured, it is linked to an interface:

Answer: A Explanation: PDU, Protocol Data Unit, is a kind of communication data unit, bit for Data layer, frame for data link layer, PDU for network layer, and message for transport layer

As a CCNA candidate, you need to know OSI model very well, a packet is the protocol data unit for which layer of the OSI model? A. network B. presentation C. session D. data link

Border Gateway Protocol

BGP

Bridge Identifier

BID

Bridge Protocol Data Unit

BPDU

Filtering unwanted traffic at the source prevents transmission of the traffic before it consumes bandwidth on the path to a destination. This is especially important in low bandwidth networks.

Bandwidth of the networks involved

2001:6789:9078:ABCE:AFFF:FE98:0001 Global Unicast FD00::8907:FF:FE76:ABC Unique Local FEA0::AB89:9FF:FE77:1234 Link-Local FF00:98BD:6532::1 Multicast FF02::1:2 Multicast

Based on the address prefix, for each IPv6 address on the right, identify the address type from the list on the left. Addresses used might not represent actual addresses used in production)

Cisco Discovery Protocol

CDP

Cisco Express Forwarding

CEF

Challenge-Handshake Authentication Protocol

CHAP

carrier sense multiple access collision detect

CSMA/CD

channel service unit/data service unit

CSU / DSU

There are three basic steps to configure an IPv6 ACL: Step 1. From global configuration mode, use the ipv6 access-list name command to create an IPv6 ACL. Like IPv4 named ACLs, IPv6 names are alphanumeric, case sensitive, and must be unique. Unlike IPv4, there is no need for a standard or extended option. Step 2. From the named ACL configuration mode, use the permit or deny statements to specify one or more conditions to determine if a packet is forwarded or dropped. Step 3. Return to privileged EXEC mode with the end command.

Configuring IPv6 ACLs

To use numbered standard ACLs on a Cisco router, you must first create the standard ACL and then activate the ACL on an interface.

Configuring Standard ACLs

means that the two applications must establish a TCP connection prior to exchanging data

Connection-oriented

Global routing Prefix 2001:0BEF:0BAD Subnet ID 2001:0BEF:0BAD:0006 Interface ID ::32 Prefix Length /64 Global ID Blank

Consider the following IPv6 address 2001:0BEF:0BAD:0006::32/64 Drag the component part of this address on the left to the corresponding description on the right. Not all descriptions on the right have corresponding components on the left.

Global Routing Prefix Blank Subnet ID FD01:0001:0001:005 Interface ID ::7 Prefix length /64 Global ID 01:0001:0001 Unique Local Unicast Prefix FD

Consider the following IPv6 address FD01:0001:0001:005::7/64 Drag the component part of this address on the left to the corresponding description on the right. Not all descriptions on the right have corresponding components on the left.

FE80:55:0000:0000:A:AB00 FE80:0000:0000:0055::000A:AB00

Consider the following IPv6 address FE80:55:0000:0000:A:AB00 Which of the following valid shortened forms of this address? select two

data communications equipment

DCE

dynamic host configuration protocol

DHCP

domain name system

DNS

Designated Router/Backup Designated Router

DR/BDR

data terminal equipment

DTE

Dynamic Trunking protocol

DTP

A single-entry ACL with only one deny entry has the effect of denying all traffic. At least one permit ACE must be configured in an ACL or all traffic is blocked.

Deny Entry

Enhanced Interior Gateway Routing Protocol

EIGRP

If a network administrator wants to deny traffic coming from several networks, one option is to use a single standard ACL on the router closest to the destination. The disadvantage is that traffic from these networks will use bandwidth unnecessarily. An extended ACL could be used on each router where the traffic originated. This will save bandwidth by filtering the traffic at the source but requires creating extended ACLs on multiple routers.

Ease of configuration

An extended ACL can be modified using: Method 1 Text editor - Using this method, the ACL is copied and pasted into the text editor where the changes are made. The current access list is removed using the no access-list command. The modified ACL is then pasted back into the configuration. Method 2 Sequence numbers - Sequence numbers can be used to delete or insert an ACL statement. The ip access-list extended name command is used to enter named-ACL configuration mode. If the ACL is numbered instead of named, the ACL number is used in the name parameter. ACEs can be inserted or removed.

Editing Extended ACLs

When configuring a standard ACL, the statements are added to the running-config. However, there is no built-in editing feature that allows you to edit a change in an ACL.

Editing Numbered ACLs

When traffic enters the router, the traffic is compared to all ACEs in the order that the entries occur in the ACL. The router continues to process the ACEs until it finds a match. The router will process the packet based on the first match found and no other ACEs will be examined. If no matches are found when the router reaches the end of the list, the traffic is denied. This is because, by default, there is an implied deny at the end of all ACLs for traffic that was not matched to a configured entry.

Entering Criteria Statements

In the figure, host 192.168.10.10 has no connectivity with 192.168.30.12. When viewing the output of the show access-lists command, matches are shown for the first deny statement. This is an indicator that this statement has been matched by traffic. Solution - Look at the order of the ACEs. Host 192.168.10.10 has no connectivity with 192.168.30.12 because of the order of rule 10 in the access list. Because the router processes ACLs from the top down, statement 10 denies host 192.168.10.10, so statement 20 can never be matched. Statements 10 and 20 should be reversed. The last line allows all other non-TCP traffic that falls under IP (ICMP, UDP, etc.).

Error Example 1

In the figure, the 192.168.10.0/24 network cannot use TFTP to connect to the 192.168.30.0/24 network. Solution - The 192.168.10.0/24 network cannot use TFTP to connect to the 192.168.30.0/24 network because TFTP uses the transport protocol UDP. Statement 30 in access list 120 allows all other TCP traffic. However, because TFTP uses UDP instead of TCP, it is implicitly denied. Recall that the implied deny any statement does not appear in show access-lists output and therefore matches are not shown. Statement 30 should be ip any any. This ACL works whether it is applied to G0/0 of R1, or S0/0/1 of R3, or S0/0/0 of R2 in the incoming direction. However, based on the rule about placing extended ACLs closest to the source, the best option is to place it inbound on G0/0 of R1 because it allows undesirable traffic to be filtered without crossing the network infrastructure.

Error Example 2

Extended ACLs filter IPv4 packets based on several attributes: - Protocol type - Source IPv4 address - Destination IPv4 address - Source TCP or UDP ports - Destination TCP or UDP ports - Optional protocol type information for finer control

Extended ACLs

Forwarding Information Base

FIB

The internet is a local area network. True or False?

False

The internet is the same as the world wide web. True or False?

False

Software that only allows authorised access to a network

Firewall

Answer: A,E Explanation: Section 3: Explain network segmentation and basic traffic management concepts (6 questions)

For what two purposes does the Ethernet protocol use physical addresses? (Choose two.) A. to uniquely identify devices at Layer 2 B. to allow communication with devices on a different network C. to differentiate a Layer 2 frame from a Layer 3 packet D. to establish a priority system to determine which device gets to transmit first E. to allow communication between different devices on the same network F. to allow detection of a remote device when its physical address is unknown

- Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet. - Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network. - Configure ACLs on border routers, that is, routers situated at the edges of your networks. - This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network. - Configure ACLs for each network protocol configured on the border router interfaces.

General Guidelines for Using ACLs

hypertext transfer protocol

HTTP

The range statements are displayed after the host statements. These statements are listed in the order in which they were entered. Recall that standard and numbered ACLs can be editing using sequence numbers. The sequence number shown in the show access-lists command output is the number used when deleting an individual statement from the list. When inserting a new ACL statement, the sequence number will only affect the location of a range statement in the list. Host statements will always be put in order using the hashing function.

Host statements.

Internet control message protocol

ICMP

Interswitch Link

ISL

#access-list 101 deny tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 20 #access-list 101 deny tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 21 Note: The examples in Figures 1 and 2 both use the permit ip any any statement at the end of the ACL. For greater security the permit 192.168.11.0 0.0.0.255 any command may be used.

If using port numbers instead of port names, the commands would be written as:

Answer: D Explanation: The subnet mask /30 is usually used for point-to-point serial links

In the implementation of VLSM techniques on a network using a single Class C IP address, which subnet mask is the most efficient for point-to-point serial links? A. 255.255.255.240 B. 255.255.255.254 C. 255.255.255.0 D. 255.255.255.252 E. 255.255.255.248

Cisco IOS applies an internal logic when accepting and processing standard ACEs. As discussed previously, ACEs are processed sequentially. Therefore, the order in which ACEs are entered is important. The IOS internal logic for standard access lists rejects the second statement and returns an error message because it is a subset of the previous statement. Note: The order in which standard ACEs are entered may not be the order that they are stored, displayed, or processed by the router. This will be discussed in a later section

Internal Logic

Answer: B,D Explanation: A WAN is a data communications network that covers a relatively broad geographic area and that often uses transmission facilities provided by common carriers, such as telephone companies. WAN technologies generally function at the lower two layers of the OSI reference model: the physical layer and the data link layer as shown below.

It is known that the OSI model has seven layers. Can you tell me at which layers of the OSI model WANs operate? (Choose two.) A. session layer B. datalink layer C. transport layer D. physical layer

Link Aggregation Control Protocol

LACP

A network that includes all the computers in a building. LAN or WAN?

LAN

Local Area Network

LAN

Link Layer Discovery Protocol

LLDP

maximum transmission unit

MTU

Link-Local FE80::/10 Multicast FF00::/8 Unique Local FC00::/7

Match the IPv6 prefix on the left with its description on the right.

Step 1. Display the ACL using the show running-config command. The example in the figure uses the include keyword to display only the ACEs. Step 2. Highlight the ACL, copy it, and then paste it into Microsoft Notepad. Edit the list as required. After the ACL is correctly displayed in Microsoft Notepad, highlight it and copy it. Step 3. In global configuration mode, remove the access list using the no access-list 1 command. Otherwise, the new statements would be appended to the existing ACL. Then paste the new ACL into the configuration of the router. Step 4. Using the show running-config command, verify the changes It should be mentioned that when using the no access-list command, different IOS software releases act differently. If the ACL that has been deleted is still applied to an interface, some IOS versions act as if no ACL is protecting your network while others deny all traffic. For this reason it is good practice to remove the reference to the access list from the interface before modifying the access list.

Method 1: Configuration

are encapsulated in IPv6 packets and require the services of the IPv6 network layer while ARP for IPv4 does not use Layer 3. Because IPv6 uses the Layer 3 service for neighbor discovery, IPv6 ACLs need to implicitly permit ND packets to be sent and received on an interface. Specifically, both Neighbor Discovery - Neighbor Advertisement (nd-na) and Neighbor Discovery - Neighbor Solicitation (nd-ns) messages are permitted.

ND messages

Non-Volatile Random Access Memory

NVRAM

Password authentication protocol

PAP

Port Aggregation Protocol

PAgP

Answer: C,E Explanation: VTP minimizes the possible configuration inconsistencies that arise when changes are made. These inconsistencies can result in security violations, because VLANs can crossconnect when duplicate names are used. They also could become internally disconnected when they are mapped from one LAN type to another, for example, Ethernet to ATM LANE ELANs or FDDI 802.10 VLANs. VTP provides a mapping scheme that enables seamless trunking within a network employing mixed-media technologies. VTP provides the following benefits: VLAN configuration consistency across the network Mapping scheme that allows a VLAN to be trunked over mixed media Accurate tracking and monitoring of VLANs Dynamic reporting of added VLANs across the network Plug-and-play configuration when adding new VLANs

QUESTION NO: 159 What are two benefits of using VTP in a switching environment? (Choose two.) A. It allows switches to read frame tags. B. It allows ports to be assigned to VLANs automatically. C. It maintains VLAN consistency across a switched network. D. It allows frames from multiple VLANs to use a single interface. E. It allows VLAN information to be automatically propagated throughout the switching environment.

Routing Information Protocol

RIPv1

Rapid Spanning Tree Protocol

RSTP

Secure Shell

SSH

Spanning Tree Protocol

STP

The decision process for a standard ACL is mapped in the figure. Cisco IOS software tests addresses against the conditions in the ACL one by one. The first match determines whether the software accepts or rejects the address. Because the software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the address is rejected.

Standard ACL Decision Process

The ability to filter on protocol and port number allows network administrators to build very specific extended ACLs. An application can be specified by configuring either the port number or the name of a well-known port.

Testing for Ports and Services

Router(config-line)# access-class access-list-number { in [ vrf-also ] | out }

The command syntax of the access-class command is:

Placement of the ACL can depend on whether or not the network administrator has control of both the source and destination networks.

The extent of the network administrator's control

Router(config)# access-list access-list-number { deny | permit | remark } source [ source-wildcard ][ log ]

The full syntax of the standard ACL command is as follows:

R1(config)# access-list 10 permit host 192.168.10.10

To create a host statement in numbered ACL 10 that permits a specific host with the IP address 192.168.10.10, you would enter:

With IPv6, there is only one type of ACL, which is equivalent to an IPv4 extended named ACL. There are no numbered ACLs in IPv6. To summarize, IPv6 ACLs are: Named ACLs only Equivalent to the functionality of an IPv4 Extended ACL An IPv4 ACL and an IPv6 ACL cannot share the same name.

Type of IPv6 ACLs

The two types of Cisco IPv4 ACLs are standard and extended. Note: Cisco IPv6 ACLs are similar to IPv4 extended ACLs and are discussed in a later section.

Types of Cisco IPv4 ACLs

VLAN Trunking Protocol

VTP

Wide Area Network

WAN

::1

Which of the following IPv6 addresses is equivalent to the IPv4 loopback address of 127.0.0.1?

What is WAN short for?

Wide Area Network

FE80::1201:64FF:FEAB:7896

You are on a workstation with the following mac address: 10-01-64-AB-78-96 Which of the following will be the link-local address using the modified EUI-64 format?

Computers on a wired network are connected by

cables

This statement is automatically inserted at the end of each ACL even though it is not physically present. The implicit deny blocks all traffic. Because of this implicit deny, an ACL that does not have at least one permit statement will block all traffic.

implicit deny

Needed for each computer to connect to a network

network adapter

uses rules to determine whether to permit or deny traffic. A router can also perform packet filtering at Layer 4, the transport layer. The router can filter packets based on the source port and destination port of the TCP or UDP segment. These rules are defined using ACLs.

packet-filtering router

This should be strong and changed regulary

password

A LAN usually has a file

server

The remark keyword is used for documentation and makes access lists a great deal easier to understand. Each remark is limited to 100 characters. The ACL in Figure 3, although fairly simple, is used to provide an example. When reviewing the ACL in the configuration using the show running-config command, the remark is also displayed.

# remark

Answer: A Explanation: Understanding How Port Security Works : You can use port security to block input to an Ethernet, Fast Ethernet, or Gigabit Ethernet port when the MAC address of the station attempting to access the port is different from any of the MAC addresses specified for that port. Alternatively, you can use port security to filter traffic destined to or received from a specific host based on the host MAC address. When a secure port receives a packet, the source MAC address of the packet is compared to the list of secure source addresses that were manually configured or autoconfigured (learned) on the port. If a MAC address of a device attached to the port differs from the list of secure addresses, the port either shuts down permanently (default mode), shuts down for the time you have specified, or drops incoming packets from the insecure host. The port's behavior depends on how you configure it to respond to a security violation. If a security violation occurs, the Link LED for that port turns orange, and a link-down trap is sent to the Simple Network Management Protocol (SNMP) manager. An SNMP trap is not sent if you configure the port for restrictive violation mode. A trap is sent only if you configure the port to shut down during a security violation.

A network administrator wants to control which user hosts can access the network based on their MAC address. What will prevent workstations with unauthorized MAC addresses from connecting to the network through a switch? A. port security B. RSTP C. STP D. BPDU

also commonly called ACL statements. ACEs can be created to filter traffic based on certain criteria such as: the source address, destination address, the protocol, and port numbers. When network traffic passes through an interface configured with an ACL, the router compares the information within the packet against each ACE, in sequential order, to determine if the packet matches one of the statements. If a match is found, the packet is processed accordingly.

ACEs

Using ACLs requires attention to detail and great care. Mistakes can be costly in terms of downtime, troubleshooting efforts, and poor network service. Before configuring an ACL, basic planning is required. The figure presents guidelines that form the basis of an ACL best practices list.

ACL Best Practices

ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router. ACLs do not act on packets that originate from the router itself. ACLs are configured to apply to inbound traffic or to apply to outbound traffic.

ACL Operation

the show access-lists command will show statistics for each statement that has been matched. Once the ACL has been applied to an interface and some testing has occurred, the show access-lists command will show statistics for each statement that has been matched. In the output in Figure 1, note that some of the statements have been matched. When traffic is generated that should match an ACL statement, the matches shown in the show access-lists command output should increase. This statement will not appear in the show access-lists command, therefore, statistics for that statement will not appear. To view statistics for the implied deny any statement, the statement can be configured manually and will appear in the output. Extreme caution should be taken when manually configuring the deny any statement, as it will match all traffic. If this statement is not configured as the last statement in the ACL, it could cause unexpected results. During testing of an ACL, the counters can be cleared using the clear access-list counters command. This command can be used alone or with the number or name of a specific ACL.

ACL Statistics

When a packet arrives at a router interface, the router process is the same, whether ACLs are used or not. As a frame enters an interface, the router checks to see whether the destination Layer 2 address matches its interface Layer 2 address, or whether the frame is a broadcast frame. If the frame address is accepted, the frame information is stripped off and the router checks for an ACL on the inbound interface. If an ACL exists, the packet is tested against the statements in the list. If the packet matches a statement, the packet is either permitted or denied. If the packet is accepted, it is then checked against routing table entries to determine the destination interface. If a routing table entry exists for the destination, the packet is then switched to the outgoing interface, otherwise the packet is dropped. Next, the router checks whether the outgoing interface has an ACL. If an ACL exists, the packet is tested against the statements in the list. If the packet matches a statement, it is either permitted or denied. If there is no ACL or the packet is permitted, the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device.

ACL and Routing and ACL Processes on a Router

If the outbound interface is grouped to an outbound ACL, the packet is not sent out on the outbound interface until it is tested by the combination of ACEs that are associated with that interface. Based on the ACL tests, the packet is permitted or denied.

ACL applied to the interface:

Administrators use ACLs to stop traffic or permit only specified traffic on their networks. An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols. ACLs provide a powerful way to control traffic into and out of a network. ACLs can be configured for all routed network protocols. By default, a router does not have ACLs configured. when an ACL is applied to an interface, the router performs the additional task of evaluating all network packets as they pass through the interface to determine if the packet can be forwarded. An ACL is a sequential list of permit or deny statements, known as access control entries (ACEs).

ACLs

Packet Filtering works at Transport and Network Layer. ACL extracts the following information from the Layer 3 packet header: - Source IP address - Destination IP address - ICMP message type The ACL can also extract upper layer information from the Layer 4 header, including: - TCP/UDP source port - TCP/UDP destination port

ACLs evaluate network traffic.

- Limit network traffic to increase network performance. For example, if corporate policy does not allow video traffic on the network, ACLs that block video traffic could be configured and applied. This would greatly reduce the network load and increase network performance. - Provide traffic flow control. ACLs can restrict the delivery of routing updates. If updates are not required because of network conditions, bandwidth is preserved. - Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, access to the Human Resources network can be restricted to authorized users. - Filter traffic based on traffic type. For example, an ACL can permit email traffic, but block all Telnet traffic. - Screen hosts to permit or deny access to network services. ACLs can permit or deny a user to access file types, such as FTP or HTTP.

ACLs perform the following tasks:

Address resolution protocol

ARP

Signed by LAN users as part of their contract to ensure they do not put data at risk of corruption and to abide by data protection laws.

Acceptable Use Policy

Router(config-if)# ipv6 traffic-filter access-list-name { in | out }

After an IPv6 ACL is configured, it is linked to an interface using the ipv6 traffic-filter command:

Answer: B,D Explanation: The Open Systems Interconnection Basic Reference Model (OSI Reference Model or OSI Model) is an abstract description for layered communications and computer network protocol design. It was developed as part of the Open Systems Interconnection (OSI) initiative. In its most basic form, it divides network architecture into seven layers which, from top to bottom, are the Application, Presentation, Session, Transport, Network, Data-Link, and Physical Layers. It is therefore often referred to as the OSI Seven Layer Model. A layer is a collection of conceptually similar functions that provide services to the layer above it and receives service from the layer below it. For example, a layer that provides error-free communications across a network provides the path needed by applications above it, while it calls the next lower layer to send and receive packets that make up the contents of the path. The OSI (Open System Interconnection) reference model was created as a reference point for communications devices. A layered approach is used to segment the entire telecommunications process into a series of smaller steps. A is correct because it encourages a level of standardization by encouraging that functions be compared to known layers. D is also correct because it allows engineers to focus on the development, refining, and perfection of simpler components.

As a CCNA candidate, you will be expected to know the OSI model very well. Why does the data communication industry use the layered OSI reference model? (Choose two.) A. It provides a means by which changes in functionality in one layer require changes in other layers. B. It encourages industry standardization by defining what functions occur at each layer of the model. C. It supports the evolution of multiple competing standards, and thus provides business opportunities for equipment manufacturers. D. It divides the network communication process into smaller and simpler components, thus aiding component development, design, and troubleshooting

Answer: C Explanation: Layer 2 data link layer: This layer implements data sub-frame and deals with flow control. The layer also designates topology and provides hardware addressing; Layer 3 network layer: This layer creates links between two nodes by addressing, including the routing and data trunking through interconnected network; Layer 4 transport layer: routine data transmission, connected or non-connected, Includes fullduplex or half-duplex, flow control and error recovery services; Layer 5 Session Layer: create links in-between two nodes. This service includes the establishment connection in manners of half-duplex or full-duplex, although full-duplex can be dealt with in layer 4.

As a CCNA candidate, you will be expected to know the OSI model very well. Acknowledgements, sequencing, and flow control are characteristics of which OSI layer? A. Layer 3 B. Layer 5 C. Layer 4 D. Layer 2 E. Layer 7 F. Layer 6

Answer: A,B,C Explanation: Buffering, including receive buffer and send buffer, is a temporary data storage area. Windowing is used for flow control, to prevent the flooding of data from sending end to receiving end, and thus avoid over flow of receiving end buffer. The size of window use packet byte as a unit, not packet amount. Windowing belongs to TCP flow control. Supported by monitoring network communications loading, congestion avoiding mechanism is able to predict and avoid congestion of common network bottlenecks point. With the use of complex algorithms (rather than simply discarding Tail Drop) to discard the packet, switches can avoid congestion

As a teacher in Cisco academe, you need to describe the various types of flow control to your students. Which of the following are types of flow control that can be used in a network? (Choose three) A. congestion avoidance B. buffering C. windowing D. load balancing

Answer: B Explanation: The OSI is the Open System Interconnection reference model for communications. As illustrated in Figure 1.1, the OSI reference model consists of seven layers, each of which can have several sublayers. The upper layers of the OSI reference model define functions focused on the application, while the lower three layers define functions focused on end-to-end delivery of the data.

As data passes downward through the layers of the OSI model, it is encapsulated into various formats. Which of the following is the correct order of encapsulation? A. Bit, frame, packet, segment B. Segment, packet, frame, bit C. Segment, frame, packet, bit D. Bit, packet, frame, segment

Answer: B Explanation: The Network Layer (Layer 3) defines end-to-end delivery of packets and defines logical addressing to accomplish this. It also defines how routing works and how routes are learned; and how to fragment a packet into smaller packets to accommodate media with smaller maximum transmission unit sizes. Examples include: IP, IPX, AppleTalk DDP, and ICMP. Both IP and IPX define logical addressing, routing, the learning of routing information, and end-to-end delivery rules. The IP and IPX protocols most closely match the OSI network layer (Layer 3) and are called Layer 3 protocols because their functions most closely match OSI's Layer 3.

At which OSI layer is a logical path created between two host systems? A. transport B. network C. session D. physical E. data link

You can use the remark keyword to include comments (remarks) about entries in any IP standard or extended ACL. The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters. The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so that it is clear which remark describes which permit or deny statement. For example, it would be confusing to have some remarks before the associated permit or deny statements and some remarks after the statements. #access-list access-list_number remark remark

Commenting ACLs

Applying an IPv6 ACL The first difference is the command used to apply an IPv6 ACL to an interface. IPv4 uses the command ip access-group to apply an IPv4 ACL to an IPv4 interface. IPv6 uses the ipv6 traffic-filter command to perform the same function for IPv6 interfaces. No Wildcard Masks Unlike IPv4 ACLs, IPv6 ACLs do not use wildcard masks. Instead, the prefix-length is used to indicate how much of an IPv6 source or destination address should be matched. Additional Default Statements The last major difference has to with the addition of two implicit permit statements at the end of each IPv6 access list. At the end of every IPv4 standard or extended ACL is an implicit deny any or deny ip any any. IPv6 includes a similar deny ipv6 any any statement at the end of each IPv6 ACL. The difference is IPv6 also includes two other implicit statements by default: permit icmp any any nd-na permit icmp any any nd-ns These two statements allow the router to participate in the IPv6 equivalent of ARP for IPv4. Recall that ARP is used in IPv4 to resolve Layer 3 addresses to Layer 2 MAC addresses. As shown in the figure, IPv6 uses ICMP Neighbor Discovery (ND) messages to accomplish the same thing. ND uses Neighbor Solicitation (NS) and Neighbor Advertisement (NA) messages.

Comparing IPv4 and IPv6 ACLs

The procedural steps for configuring extended ACLs are the same as for standard ACLs. The extended ACL is first configured, and then it is activated on an interface. However, the command syntax and parameters are more complex to support the additional features provided by extended ACLs. Note: The internal logic applied to the ordering of standard ACL statement does not apply to extended ACLs. The order in which the statements are entered during configuration is the order they are displayed and processed.

Configuring Extended ACLs

Step 1. From global configuration mode, use the ip access-list extended name command to define a name for the extended ACL. Step 2. In named ACL configuration mode, specify the conditions to permit or deny. Step 3. Return to privileged EXEC mode and verify the ACL with the show access-lists name command. Step 4. Save the entries in the configuration file with the copy running-config startup-config command. To remove a named extended ACL, use the no ip access-list extended name global configuration command.

Creating Named Extended ACLs

Naming an ACL makes it easier to understand its function. For example, an ACL configured to deny FTP could be called NO_FTP. When you identify your ACL with a name instead of with a number, the configuration mode and command syntax are slightly different. Step 1. Starting from the global configuration mode, use the ip access-list command to create a named ACL. ACL names are alphanumeric, case sensitive, and must be unique. The ip access-list standard name is used to create a standard named ACL, whereas the command ip access-list extended name is for an extended access list. After entering the command, the router is in named standard ACL configuration mode as indicated by the prompt. Note: Numbered ACLs use the global configuration command access-list whereas named IPv4 ACLs use the ip access-list command. Step 2. From the named ACL configuration mode, use permit or deny statements to specify one or more conditions for determining whether a packet is forwarded or dropped. Step 3. Apply the ACL to an interface using the ip access-group command. Specify if the ACL should be applied to packets as they enter into the interface (in) or applied to packets as they exit the interface (out).

Creating Named Standard ACLs

Inserting a line to a named ACL. - In the first show command output, you can see that the ACL named NO_ACCESS has two numbered lines indicating access rules for a workstation with the IPv4 address 192.168.11.10. - The ip access-list standard command used to configure named ACLs. From named access list configuration mode statements can be inserted or removed. - The no sequence-number command is used to delete individual statements. - To add a statement to deny another workstation requires inserting a numbered line. In the example, the workstation with the IPv4 address 192.168.11.11 is being added using a new sequence number of 15. - The final show command output verifies that the new workstation is now denied access.

Editing Standard Named ACLs

In the figure, the 192.168.11.0/24 network can use Telnet to connect to 192.168.30.0/24, but according to company policy, this connection should not be allowed. The results of the show access-lists 130 command indicate that the permit statement has been matched. Solution - The 192.168.11.0/24 network can use Telnet to connect to the 192.168.30.0/24 network, because the Telnet port number in statement 10 of access list 130 is listed in the wrong position in the ACL statement. Statement 10 currently denies any source packet with a port number that is equal to Telnet. To deny Telnet traffic inbound on G0/1, deny the destination port number that is equal to Telnet, for example, deny tcp any any eq telnet.

Error Example 3

In the figure, host 192.168.30.12 is able to Telnet to connect to 192.168.31.12, but company policy states that this connection should not be allowed. Output from the show access-lists 140 command indicate that the permit statement has been matched. Solution - Host 192.168.30.12 can use Telnet to connect to 192.168.31.12 because there are no rules that deny host 192.168.30.12 or its network as the source. Statement 10 of access list 140 denies the router interface on which traffic enters the router. The host IPv4 address in statement 10 should be 192.168.30.12.

Error Example 4

In the figure, host 192.168.30.12 can use Telnet to connect to 192.168.31.12, but according to the security policy, this connection should not be allowed. Output from the show access-lists 150 command indicate that no matches have occurred for the deny statement as expected. Solution - Host 192.168.30.12 can use Telnet to connect to 192.168.31.12 because of the direction in which access list 150 is applied to the G0/1 interface. Statement 10 denies any source address to connect to host 192.168.31.12 using telnet. However, this filter should be applied outbound on G0/1 to filter correctly.

Error Example 5

Logical decision path used by an extended ACL built to filter on source and destination addresses, and protocol and port numbers. In this example, the ACL first filters on the source address, then on the port and protocol of the source. It then filters on the destination address, then on the port and protocol of the destination, and makes a final permit or deny decision.

Extended ACL Decision Process

An extended ACL can filter traffic based on the source address. However, an extended ACL can also filter traffic based on the destination address, protocol, and port number. This allows network administrators more flexibility in the type of traffic that can be filtered and where to place the ACL. The basic rule for placing an extended ACL is to place it as close to the source as possible. This prevents unwanted traffic from being sent across multiple networks only to be denied when it reaches its destination.

Extended ACL Placement

Locate extended ACLs as close as possible to the source of the traffic to be filtered. This way, undesirable traffic is denied close to the source network without crossing the network infrastructure.

Extended ACLs

File Transfer Protocol

FTP

Answer: B Explanation: If all network segments in the Ethernet connect with repeaters, because they can not avoid conflict, they remain in the same conflict domain. Switches can be used effectively prevent conflict, but not HUB. Because switch can choose route using physical address, each of its port is a conflict domain. But HUB has no such ability, it will only send out the received data through broadcast, which will easily cause broadcasting storm. All of its ports are in a single conflict domain. Ethernet hubs use a process with the name carrier sense multiple access collision detect (CSMA/CD) to communicate across the network. Under CSMA/CD, a node does not send out a packet unless the network is clear of traffic. If two nodes send out packets at the same time, a collision occurs and the packets are lost. Then, both nodes wait for a random amount of time and retransmit the packets. Any part of the network where packets from two or more nodes can interfere with each other is a collision domain. A network with a large number of nodes on the same segment often has a lot of collisions and, therefore, a large collision domain. Switching on the other hand allows a network to maintain full-duplex Ethernet. Before switching existed, Ethernet was half duplex. Half duplex means that only one device on the network can transmit at any given time. In a fully switched network, nodes only communicate with the switch and never directly with each other. In the road analogy, half duplex is similar to the problem of a single lane, when road construction closes one lane of a two-lane road. Traffic attempts to use the same lane in both directions. Traffic that comes one way must wait until traffic from the other direction stops in order to avoid collision. Fully switched networks employ either twisted pair or fiber-optic cable setups. Both twisted pair and fiber-optic cable systems use separate conductors to send and receive data. In this type of environment, Ethernet nodes can forgo the collision detection process and transmit at will; these nodes are the only devices with the potential to access the medium. In other words, the network dedicates a separate lane to traffic that flows in each direction. This dedication allows nodes to transmit to the switch at the same time that the switch transmits to the nodes. Thus, the environment is collision-free.

How does replacing a hub with a switch affect CSMA/CD behavior in an Ethernet network? A. In increases the size of the collision domain by allowing more devices to be connected at once. B. It effectively eliminates collisions. C. It reduces the total amount of bandwidth available to each device. D. It decreases the amount of time that a jam signal must be sent to reach all network devices.

R1(config)# access-list 101 permit tcp any any eq ?

How to display a list of port numbers and keywords that can be used when building an ACL using the command:

Answer: B Explanation: A redundant topology eliminates single points of failure, but it also causes broadcast storms, multiple frame copies, and MAC address table instability problems. Multiple Frame Copies--when a new switch is added, the other switches may not have learned its correct MAC address. The host may send a unicast frame to the new switch. The frame is sent through several paths at the same time. The new switch will receive several copies of the frame. This causes MAC database instability. MAC database instability results when multiple copies of a frame arrive on different ports of a switch. Layer 2 has no mechanism to stop the loop. This is the main reason for the Spanning Tree Protocol(STP) IEEE 802.1d which was developed to prevent routing loops. If multiple connections between switches are created for redundancy purposes, network loops can occur in an improperly designed topology. Spanning Tree Protocol (STP) is used to stop network loops while still permitting redundancy

In which circumstance are multiple copies of the same unicast frame likely to be transmitted in a switched LAN? A. when a dual ring topology is in use B. in an improperly implemented redundant topology C. after broken links are re-established D. when upper-layer protocols require high reliability E. during high traffic periods

If the information in a packet header and an ACL statement match, the rest of the statements in the list are skipped, and the packet is permitted or denied as specified by the matched statement. If a packet header does not match an ACL statement, the packet is tested against the next statement in the list. This matching process continues until the end of the list is reached. At the end of every ACL is a statement is an implicit deny any statement. This statement is not shown in output. This final implied statement applied to all packets for which conditions did not test true. This final test condition matches all other packets and results in a "deny" action.

Inbound ACL Logic

Incoming packets are processed before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. If the packet is permitted by the tests, it is then processed for routing. Inbound ACLs are best used to filter packets when the network attached to an inbound interface is the only source of the packets needed to be examined. The last statement of an ACL is always an implicit deny.

Inbound ACLs

it may be easier to construct the ACL using a text editor such as Microsoft Notepad. This allows you to create or edit the ACL and then paste it into the router. For an existing ACL, you can use the show running-config command to display the ACL, copy and paste it into the text editor, make the necessary changes, and paste it back in.

Method 1: Using a Text Editor

Step 1. Display the current ACL using the show access-lists 1 command. The output from this command will be discussed in more detail later in this section. The sequence number is displayed at the beginning of each statement. The sequence number was automatically assigned when the access list statement was entered. Notice that the misconfigured statement has the sequence number 10. Step 2. Enter the ip access-lists standard command that is used to configure named ACLs. The ACL number, 1, is used as the name. First the misconfigured statement needs to be deleted using the no 10 command with 10 referring to the sequence number. Next, a new sequence number 10 statement is added using the command, 10 deny host 192.168.10.10. Note: Statements cannot be overwritten using the same sequence number as an existing statement. The current statement must be deleted first, and then the new one can be added. Step 3. Verify the changes using the show access-lists command. As discussed previously, Cisco IOS implements an internal logic to standard access lists. The order in which standard ACEs are entered may not be the order in which they are stored, displayed or processed by the router. The show access-lists command displays the ACEs with their sequence numbers.

Method 2: Using the Sequence Number

If the outbound interface is not grouped to an outbound ACL, the packet is sent directly to the outbound interface.

No ACL applied to the interface:

Using numbered ACLs is an effective method for determining the ACL type on smaller networks with more homogeneously defined traffic. However, a number does not provide information about the purpose of the ACL. For this reason, starting with Cisco IOS Release 11.2, a name can be used to identify a Cisco ACL. Regarding numbered ACLs, numbers 200 to 1299 are skipped because those numbers are used by other protocols, many of which are legacy or obsolete. This course focuses only on IP ACLs. Examples of legacy ACL protocol numbers are 600 to 699 used by AppleTalk, and numbers 800 to 899 used by IPX.

Numbering and Naming ACLs

Open Shortest Path First

OSPF

the logic for an outbound ACL. Before a packet is forwarded to an outbound interface, the router checks the routing table to see if the packet is routable. If the packet is not routable, it is dropped and is not tested against the ACEs. Next, the router checks to see whether the outbound interface is grouped to an ACL. If the outbound interface is not grouped to an ACL, the packet can be sent to the output buffer.

Outbound ACL Logic

Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL. Outbound ACLs are best used when the same filter will be applied to packets coming from multiple inbound interfaces before exiting the same outbound interface.

Outbound ACLs

Point-to-Point Protocol

PPP

sometimes called static packet filtering, controls access to a network by analyzing the incoming and outgoing packets and passing or dropping them based on given criteria, such as the source IP address, destination IP addresses, and the protocol carried within the packet. When a packet arrives at the packet-filtering router, the router extracts certain information from the packet header. Using this information, the router makes decisions, based on configured filter rules, as to whether the packet can pass through or be discarded. As shown in the figure, packet filtering can work at different layers of the OSI model, or at the internet layer of TCP/IP.

Packet Filtering

To understand the concept of how a router uses packet filtering, imagine that a guard has been posted at a locked door. The guard's instructions are to allow only people whose names appear on a list to pass through the door. The guard is filtering people based on the criterion of having their names on the authorized list. An ACL works in a similar manner, making decisions based on set criteria. An ACL could be configured to logically, "Permit web access to users from network A but deny all other services to network A users.

Packet Filtering Example

Answer: A,B Explanation: The primary functions of a router are: Packet Switching and Path Selection. It is the routers job to determine the best method for delivering the data, and switching that data as quickly as possible. (1)Intercept datagrams sent to remote network segments between networks, playing a translated role. (2)Select the most reasonable route to guide communications. In order to achieve this function, the router will check the routing table based on certain routing communication protocol, and the routing table lists all the nodes contained in the entire internet , the path conditions between nodes and transmission costs associated with them. If a specific node has more than one path, then select the optimal path based on pre-determined specifications. Because a variety of network segments and their mutual connection situations may change, the routing information needs to be updated in time, which is completed by timing update or updating according to changes determined by the routing information protocol used. Each router in the network dynamically updates its routing table according to this rule to maintain effective routing information. (3)When forwarding datagrams, in order to facilitate transferring datagrams between networks, routers will divide large data packets into appropriate sized data packets according to predetermined specifications, and those appropriate sized data packets will be turned into their original form when reaching the destination. (4)Multi-protocol routers can connect and use network segments of different communication protocols , they can be used as communication connecting platforms of network segments of different communication protocols. (5)The main task of router is to guide the communications to the destination network, and then reach the addresses of the specific node station. Another function is completed through the decomposition of internet address. For example, assign parts of the network address to specific network, subnet and a group of regional nodes , while the rest can be used to specify the particular station of subnet. Hierarchical addressing allows routers to store addressing information of networks with many node stations.

QUESTION NO: 1 What functions do routers perform in a network? (Choose two.) A. path selection B. packet switching C. VLAN membership assignment D. microsegmentation of broadcast domains

Answer: A,B Explanation: PING (Packet Internet Grope) is program to test network connection amount. Ping sends an ICMP echo request message to the destination and reports whether an expected ICMP echo response is received or not. It is a command used to check whether the network is connected or network connection speed. As a network administrator or a hacker, ping is the first DOS command that one should master. Its operation principle is: the machines on the network are identified by unique IP addresses; when we send a data packet to our destination IP address, it will return a same-sized data packet. With this packet, we can determine the existence of the target host, and the operating system of the host. ARP finds the hardware address of a host from a known IP address. Here's how it works: when IP has a datagram to send, it must inform a Network Access protocol, such as Ethernet or Token Ring, of the destination's hardware address on the local network. (It has already been informed by upper-layer protocols of the destination's IP address.) If IP doesn't find the destination host's hardware address in the ARP cache, it uses ARP to find this information. ICMP works at the Network layer and is used by IP for many different services. ICMP is a management protocol and messaging service provider for IP. Its messages are carried as IP datagrams. RFC 1256 is an annex to ICMP, which affords hosts' extended capability in discovering routes to gateways. Periodically, router advertisements are announced over the network, reporting IP addresses for the router's network interfaces. Hosts listen for these network infomercials to acquire route information. A router solicitation is a request for immediate advertisements and may be sent by a host when it starts up.

QUESTION NO: 102 A network administrator issues the ping 192.168.2.5 command and successfully tests connectivity to a host that has been newly connected to the network. Which protocols were used during the test? (Choose two.) A. ICMP B. ARP C. DHCP D. DNS

Answer: C,D Explanation: Use the command "show arp" to display the MAC addresses of Layer2 and the IP addresses of Layer3 contained in the ARP table: Router # show arp Protocol Address Age (min) Hardware Addr Type Interface Internet 10.0.0.2 0 0005.dc0c.ffab ARPA Ethernet01 Internet 10.0.0.4 - 0005.dc0c.ff76 ARPA Ethernet0 In the same way, use the command "show interface" on router to display the related information of the MAC addresses of Layer2 and the IP addresses of Layer3 Router# show interfaces Ethernet 0 is up, line protocol is up Hardware is MCI Ethernet, address is 0000.0d00.640c (bia 0000.0d00.640c) Internet address is 10.112.12.85, subnet mask is 255.255.255.0 MTU 1500 bytes, BW 10000 Kbit, DLY 100000 usec, rely 255/255, load 1/255 ----more---- The "show arp" command Displays the entries in the ARP table, including their layer 2 MAC address and layer 3 IP address. Example: The following is the output for the show arp command on Router 1: TK1 # show arp Protocol Address Age (min) Hardware Addr Type Interface Internet 10.0.0.3 0 0004.dd0c.ffcb ARPA Ethernet01 Internet 10.0.0.1 - 0004.dd0c.ff86 ARPA Ethernet0 To see the MAC (hardware) address of the router interfaces as well as their IP addresses, use the "show interfaces" command as shown in the example below: TK1# show interfaces Ethernet 0 is up, line protocol is up Hardware is MCI Ethernet, address is 0000.0c00.750c (bia 0000.0c00.750c) Internet address is 10.108.28.8 , subnet mask is 255.255.255.0 MTU 1500 bytes, BW 10000 Kbit, DLY 100000 usec, rely 255/255, load 1/255

QUESTION NO: 103 As the network administrator, you are troubleshooting network issues, which following commands will allow you to find the ip address associated with each MAC address? (Choose two) A. show hosts B. show address C. show interface D. show arp

Answer: B

QUESTION NO: 104 While troubleshooting a connectivity problem, a network administrator notices that a port status LED on a Cisco Catalyst series switch is alternating green and amber. Which condition could this indicate? A. The port is blocked by spanning tree. B. The port is experiencing errors. C. The port is administratively disabled. D. The port has an active link with normal traffic activity

Answer: C Explanation: The traceroute command traces the network path of Internet routers that packets take as they are forwarded from your computer to a destination address. The "length" of the network connection is indicated by the number of Internet routers in the traceroute path. This command is useful for troubleshooting purposes and shows the router hops as well as the latency

QUESTION NO: 105 What is the purpose of using the traceroute command? A. to display the current TCP/IP configuration values B. to see how a device MAC address is mapped to its IP address C. to see the path a packet will take when traveling to a specified destination D. to display the MTU values for each router in a specified network path from a source to a destination E. to map all the devices on a network

Answer: A,D,F

QUESTION NO: 108 Which router IOS commands can be used to troubleshoot LAN connectivity problems? (Choose three.) A. ping B. tracert C. ipconfig D. show ip route E. winipcfg F. show interfaces

Answer: C Explanation: Section 7: Identify, prescribe, and resolve common switched network media issues, configuration issues, auto negotiation, and switch hardware failures (4 questions)

QUESTION NO: 109 Which command is used to see the path taken by packets across an IP network? A. show ip route B. show route C. traceroute D. trace ip route

Answer: B Explanation: A duplex mismatch may result in performance issues, intermittent connectivity, and loss of communication. When troubleshooting NIC issues, verify that the NIC and switch are using a valid configuration. Some third-party NIC cards may fall back to half-duplex operation mode, even though both the switchport and NIC configuration have been manually configured for 100 Mbps, full-duplex. This behavior is due to the fact that NIC autonegotiation link detection is still operating when the NIC has been manually configured. This causes duplex inconsistency between the switchport and the NIC. Symptoms include poor port performance and frame check sequence (FCS) errors that increment on the switchport. To troubleshoot this issue, try manually configuring the switchport to 100 Mbps, half-duplex. If this action resolves the connectivity problems,you may be running into this NIC issue. Try updating to the latest drivers for your NIC, or contact your NIC card vendor for additional support. Reference: http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00800a7af0. shtml

QUESTION NO: 110 Recently, associates have noticed extremely slow network performance, intermittent connectivity, and connection losses. After entering the "show interfaces" command, you notice that the Ethernet interface is configured as 100 Mbps full-duplex and that there is evidence of late collisions. What could be the cause of this problem? A. A routing loop B. Duplex mismatch C. Trunking mode mismatch D. Improperly configured root bridge

Answer: B,C,D Explanation: Both the auto and on modes can be automatically switched to the desirable mode based on the topology.

QUESTION NO: 112 Which are valid modes for a switch port used as a VLAN trunk? (Choose three.) A. transparent B. auto C. desirable D. on E. forwarding F. blocking

Answer: E Explanation: CSMA/CD is the basic way that the traditional Ethernet operates. 10M interface is the way that an Ethernet operates at half duplex. Section 8: Describe enhanced switching technologies (including: VTP, RSTP, VLAN, PVSTP, 802.1q) (17 questions)

QUESTION NO: 113 A network interface port has collision detection and carrier sensing enabled on a shared twisted pair network. From this statement, what is known about the network interface port? A. This is a port on a network interface card in a PC. B. This is a 100 Mb/s switch port. C. This is a 10 Mb/s switch port. D. This is an Ethernet port operating at full duplex. E. This is an Ethernet port operating at half duplex.

Answer: B Explanation: A VLAN is a group of hosts with a common set of requirements that communicate as if they were attached to the same wire, regardless of their physical location. A VLAN has the same attributes as a physical LAN, but it allows for end stations to be grouped together even if they are not located on the same LAN segment. Networks that use the campus-wide or end-to-end VLANs logically segment a switched network based on the functions of an organization, project teams, or applications rather than on a physical or geographical basis. For example, all workstations and servers used by a particular workgroup can be connected to the same VLAN, regardless of their physical network connections or interaction with other workgroups. Network reconfiguration can be done through software instead of physically relocating devices. Cisco recommends the use of local or geographic VLANs that segment the network based on IP subnets. Each wiring closet switch is on its own VLAN or subnet and traffic between each switch is routed by the router. The reasons for the Distribution Layer 3 switch and examples of a larger network using both the campus-wide and local VLAN models will be discussed later. A VLAN can be thought of as a broadcast domain that exists within a defined set of switches. Ports on a switch can be grouped into VLANs in order to limit unicast, multicast, and broadcast traffic flooding. Flooded traffic originating from a particular VLAN is only flooded out ports belonging to that VLAN, including trunk ports, so a switch that connects to another switch will normally introduce an additional broadcast domain. VLAN (Virtual Local Area Network) technology is to solve the problem that switches can't limit broadcast within the LAN interconnection. This technology can divide a LAN into more logical LAN- VLAN, each VLAN is a broadcast domain, the communication between the hosts within a VLAN is like that of the hosts in a LAN, while the communication can't be achieved between VLANs directly. Thus the broadcast datagram is limited within a LAN. So, creating a new VLAN on switch is the same as adding a new broadcast domain.

QUESTION NO: 115 A switch is configured with all ports assigned to VLAN 2. In addition, all ports are configured as full-duplex FastEthernet. What is the effect of adding switch ports to a new VLAN on this switch? A. The additions will create more collisions domains. B. An additional broadcast domain will be created. C. More bandwidth will be required than was needed previously. D. IP address utilization will be more efficient.

Answer: B,C Explanation: 802.1Q protocol, or Virtual Bridged Local Area Networks protocol, mainly stipulates the realization of the VLAN. 802.1Q is a standardized relay method that inserts 4 bytes field into the original Ethernet frame and re-calculate the FCS. 802.1Q frame relay supports two types of frame: marked and non-marked. Non-marked frame carries no VLAN identification information.

QUESTION NO: 116 Which two of these are characteristics of the 802.1Q protocol? (Choose two.) A. It is a Layer 2 messaging protocol which maintains VLAN configurations across networks. B. It is a trunking protocol capable of carrying untagged frames. C. It modifies the 802.3 frame header, and thus requires that the FCS be recomputed. D. It includes an 8-bit field which specifies the priority of a frame.

Answer: A Explanation: Trunking Protocol (VTP) are to manage all configured VLANs across a switched internetwork and to maintain consistency throughout that network VTP allows you to add, delete, and rename VLANs-information that is then propagated to all other switches in the VTP domain. Here's a list of some features of VTP: * Consistent VLAN configuration across all switches in the network * VLAN trunking over mixed networks, such as Ethernet to ATM LANE or even FDDI * Accurate tracking and monitoring of VLANs * Dynamic reporting of added VLANs to all switches in the VTP domain * Plug and Play VLAN adding Administration of network environments that consists of many interconnected switches is complicated. Cisco has developed a propriety solution to manage VLANs across such networks using the VLAN Trunking Protocol (VTP) to exchange VLAN configuration information between switches. VTP uses Layer 2 trunk frames to exchange VLAN information so that the VLAN configuration stays consistent throughout a network. VTP also manages the additions, deletions, and name changes of VLANs across multiple switches from a central point, minimizing misconfigurations and configuration inconsistencies that can cause problems, such as duplicate VLAN names or incorrect VLANtype settings. VTP is organized into management domains or areas with common VLAN requirements. A switch can belong to only one VTP domain. Switches in different VTP domains do not share VTP information. Switches in a VTP domain advertise several attributes to their domain neighbors. Each advertisement contains information about the VTP management domain, VTP configuration revision number, known VLANs, and specific VLAN parameters. The VTP process begins with VLAN creation on a switch called a VTP server. VTP floods advertisements throughout the VTP domain every 5 minutes, or whenever there is a change in VLAN configuration. The VTP advertisement includes a configuration revision number, VLAN names and numbers, and information about which switches have ports assigned to each VLAN. By configuring the details on one or more VTP server and propagating the information through advertisements, all switches configuration know the names and numbers of all VLANs.

QUESTION NO: 118 Which statement accurately describes a benefit provided by VTP? A. VTP allows switches to share VLAN configuration information. B. VTP allows physically redundant links while preventing switching loops. C. VTP allows a single port to carry information to more than one VLAN. D. VTP allows routing between VLANs.

Answer: D Explanation: VLAN Trunking Protocol (VTP) is Cisco level 2 information transfer protocol, mainly controls the VLANs add, delete, and rename within network. VTP reduce the management services in switch network. When a user prepares to configure new VLAN for VTP server, he may implement VLAN distribution through all the switches, to avoid identical VLAN configuration. VTP is a Cisco private protocol, which support the majority of Cisco Catalyst Series products. Through VTP, all switches within its domain have a clear idea of all the VLANs, except when VTP can create extra traffic. At this time, all unknown unicast and broadcast spread throughout the VLAN, making all the switches in the network receive all broadcasts, even if no user is connected in the VLAN, the situation is no exception. And VTP Pruning is able remove the extra traffic.

QUESTION NO: 119 As the network administrator. You need to configure two switches to exchange VLAN information. Which protocol provides a method of sharing VLAN configuration information between these two switches? A. 802.1Q B. STP C. VLSM D. VTP

Answer: B,C,D Explanation: By default, 802.1Q trunk defined Native VLAN in order to forward unmarked frame. Switches can forward Layer 2 frame from Native VLAN on unmarked trunks port. Receiver switches will transmit all unmarked packets to Native VLAN. Native VLAN is the default VLAN configuration of port. Note: for the 802.1Q trunk ports between two devices, the same Native VLAN configuration is required on both sides of the link. If the Native VLAN in 802.1Q trunk ports on same trunk link is properly configured, it could lead to layer 2 loops. The 802.1Q trunk link transmits VLAN information through Ethernet.

QUESTION NO: 121 Which three of these statements regarding 802.1Q trunking are correct? (Choose three.) A. 802.1Q trunking ports can also be secure ports. B. 802.1Q trunks can use 10 Mb/s Ethernet interfaces. C. 802.1Q trunks should have native VLANs that are the same at both ends. D. 802.1Q native VLAN frames are untagged by default.

Answer: E Explanation: For all switches in a network to agree on a loop-free topology, a common frame of reference must exist. This reference point is called the Root Bridge . The Root Bridge is chosen by an election process among all connected switches. Each switch has a unique Bridge ID (also known as the bridge priority) that it uses to identify itself to other switches. The Bridge ID is an 8-byte value. 2 bytes of the Bridge ID is used for a Bridge Priority field, which is the priority or weight of a switch in relation to all other switches. The other 6 bytes of the Bridge ID is used for the MAC Address field, which can come from the Supervisor module, the backplane, or a pool of 1024 addresses that are assigned to every Supervisor or backplane depending on the switch model. This address is hard coded, unique, and cannot be changed. The election process begins with every switch sending out BPDUs with a Root Bridge ID equal to its own Bridge ID as well as a Sender Bridge ID. The latter is used to identify the source of the BPDU message. Received BPDU messages are analyzed for a lower Root Bridge ID value. If the BPDU message has a Root Bridge ID (priority) of the lower value than the switch's own Root Bridge ID, it replaces its own Root Bridge ID with the Root Bridge ID announced in the BPDU. If two Bridge Priority values are equal, then the lower MAC address takes preference.

QUESTION NO: 122 A network administrator needs to force a high-performance switch that is located in the MDF to become the root bridge for a redundant path switched network. What can be done to ensure that this switch assumes the role as root bridge? A. Connect the switch directly to the MDF router, which will force the switch to assume the role of root bridge. B. Configure the switch for full-duplex operation and configure the other switches for half-duplex operation. C. Establish a direct link from the switch to all other switches in the network. D. Assign the switch a higher MAC address than the other switches in the network have. E. Configure the switch so that it has a lower priority than other switches in the network

Answer: B Explanation: STP (Spanning Tree protocol) is able to overcome transparent bridge in network redundancy. Through the use of non-loop path, STP is able to avoid and eliminate network loops. It may locate the loop and cut off link redundancy. STP's main task is to stop network loops from occurring on your Layer 2 network (bridges or switches). It vigilantly monitors the network to find all links, making sure that no loops occur by shutting down any redundant ones. STP uses the spanning-tree algorithm (STA) to first create a topology database, then search out and destroy redundant links. With STP running, frames will only be forwarded on the premium, STP-picked links.

QUESTION NO: 124 What is the purpose of Spanning Tree Protocol? A. to provide multiple gateways for hosts B. to maintain a loop-free Layer 2 network topology C. to prevent routing loops D. to create a default route

Answer: D Explanation: A Layer 2 switch, which functions as a transparent bridge, offers no additional links for redundancy purposes. To add redundancy, a second switch must be added. Now two switches offer the transparent bridging function in parallel. LAN designs with redundant links introduce the possibility that frames might loop around the network forever. These looping frames would cause network performance problems. For example, when the switches receive an unknown unicast, both will flood the frame out all their available ports, including the ports that link to the other switch, resulting in what is known as a bridging loop, as the frame is forwarded around and around between two switches. This occurs because parallel switches are unaware of each other. The Spanning Tree Protocol (STP), which allows the redundant LAN links to be used while preventing frames from looping around the LAN indefinitely through those redundant links, was developed to overcome the possibility of bridging loops. It enables switches to become aware of each other so that they can negotiate a loop-free path through the network. Loops are discovered before they are opened for use, and redundant links are shut down to prevent the loops from forming. STP is communicated between all connected switches on a network. Each switch executes the Spanning- Tree Algorithm (STA) based on information received from other neighboring switches. The algorithm chooses a reference point in the network and calculates all the redundant paths to that reference point. When redundant paths are found, STA picks one path to forward frames with and disables or blocks forwarding on the other redundant paths. STP computes a tree structure that spans all switches in a subnet or network. Redundant paths are placed in a blocking or standby state to prevent frame forwarding. The switched network is then in a loop-free condition. However, if a forwarding port fails or becomes disconnected, the STA will run again to recompute the Spanning-Tree topology so that blocked links can be reactivated. STP (spanning tree protocol) operates on layer 2 to prevent loops in switches and bridges. Incorrect Answers: A: VTP is the VLAN Trunking Protocol, used to pass VLAN information through switches. It relies on the STP mechanism to provide a loop free network. B: RIP and IGRP are routing protocols, which are used at layer 3 to maintain a loop free routed environment. C: RIP and IGRP are routing protocols, which are used at layer 3 to maintain a loop free routed environment.

QUESTION NO: 126 Which of the protocols operates at Layer 2 of the OSI model, and is used to maintain a loop-free network? A. VTP B. IGRP C. RIP D. STP

Answer: A,B Explanation: When network topology changes, rapid spanning tree protocol (IEEE802.1W, referred to as RSTP) will speed up significantly the speed to re-calculate spanning tree. RSTP not only defines the role of other ports: alternative port and backup port, but also defines status of 3 ports: discarding status, learning status, forwarding status. RSTP is 802.1D standard evolution, not revolution. It retains most of the parameters, and makes no changes.

QUESTION NO: 127 Which two of these statements regarding RSTP are correct? (Choose two.) A. RSTP defines new port roles. B. RSTP is compatible with the original IEEE 802.1D STP. C. RSTP defines no new port states. D. RSTP cannot operate with PVST+.

Answer: B Explanation: The basic goals of the VLAN Trunking Protocol (VTP) are to manage all configured VLANs across a switched internetwork and to maintain consistency throughout that network VTP allows you to add, delete, and rename VLANs-information that is then propagated to all other switches in the VTP domain.

QUESTION NO: 129 What is the purpose of the Cisco VLAN Trunking Protocol? A. to provide a mechanism to dynamically assign VLAN membership to switch ports B. to allow for managing the additions, deletions, and changes of VLANs between switches C. to provide a mechanism to manually assign VLAN membership to switch ports D. to allow native VLAN information to be carried over a trunk link E. to allow traffic to be carried from multiple VLANs over a single link between switches

Answer: B,D,E

QUESTION NO: 132 Which three statements are typical characteristics of VLAN arrangements? (Choose three.) A. A new switch has no VLANs configured. B. Connectivity between VLANs requires a Layer 3 device. C. VLANs typically decrease the number of collision domains. D. Each VLAN uses a separate address space. E. A switch maintains a separate bridging table for each VLAN. F. VLANs cannot span multiple switches.

Answer: B,C,D

QUESTION NO: 133 Which three benefits are of VLANs? (Choose three.) A. They increase the size of collision domains. B. They allow logical grouping of users by function. C. They can enhance network security. D. They increase the number of broadcast domains while decreasing the size of the broadcast domains.

Answer: A,E,F Explanation: Section 10: Configure, verify, and troubleshoot VLANs (4 questions)

QUESTION NO: 134 What are three advantages of VLANs? (Choose three.) A. VLANs establish broadcast domains in switched networks. B. VLANs utilize packet filtering to enhance network security. C. VLANs provide a method of conserving IP addresses in large networks. D. VLANs provide a low-latency internetworking alternative to routed networks. E. VLANs allow access to network services based on department, not physical location. F. VLANs can greatly simplify adding, moving, or changing hosts on the network.

Answer: A,B`

QUESTION NO: 137 Which two statements describe the Cisco implementation of VLANs? (Choose two.) A. VLAN 1 is the default Ethernet VLAN. B. VLANs 1002 through 1005 are automatically created and cannot be deleted. C. CDP advertisements are only sent on VLAN 1002. D. By default, the switch IP address is in VLAN 1005.

Answer: B,D Explanation: Section 11: Configure, verify, and troubleshoot trunking on Cisco switches (8 questions)

QUESTION NO: 138 To configure the VLAN trunking protocol to communicate VLAN information between two switches, what two requirements must be met? (Choose two.) A. Each end of the trunk line must be set to IEEE 802.1E encapsulation. B. The VTP management domain name of both switches must be set the same. C. All ports on both the switches must be set as access ports. D. One of the two switches must be configured as a VTP server. E. A rollover cable is required to connect the two switches together. F. A router must be used to forward VTP traffic between VLANs.

Answer: D Explanation: The question does not state that there are multiple VTP Domains meaning that all defined VLANs are allowed on the trunk until a vtp domain command is issued. Trunk is a kind of port aggregating protocol, mainly used to undertake multi-VLAN flux link. Thus the device in the newly designed network allows only default vlan and vlans that are defined to be allowed on this trunk.

QUESTION NO: 139 As the network administrator, you are required to redesign the network. You choice a new switch to install into an existing LAN and a new VTP trunk is set up with an existing switch. Which VLANs will be allowed on this new trunk? A. Each single VLAN, or VLAN range, must be specified with the switch port mode command. B. Each single VLAN, or VLAN range, must be specified with the vtp domain command. C. Each single VLAN, or VLAN range, must be specified with the vlan dataBased command. D. By default, all defined VLANs are allowed on the trunk

Answer: B Explanation: By default, all VLANs are allowed over the trunk link. Trunk ports send and receive information from all VLANs by default, and if a frame is untagged, it's sent to the management VLAN. This applies to the extended range VLANs as well. But we can remove VLANs from the allowed list to prevent traffic from certain VLANs from traversing a trunked link. Here is example: RouterA(config)#int f0/1 RouterA(config-if)# switchport mode trunk RouterA(config-if)#switchport trunk allowed vlan VLANID RouterA(config-if)#switchport trunk allowed vlan remove VLANID

QUESTION NO: 142 When a new trunk is configured on a 2950 switch, which VLANs by default are allowed over the trunk link? A. no VLANs B. all VLANs C. only VLANs 1 - 64 D. only the VLANs that are specified when creating the trunk

Answer: B,C

QUESTION NO: 144 Which interface commands would you enter on a Catalyst 2900 switch, if your goal was to bring all VLAN traffic to another directly connected switch?(Choose two) A. Switch(config-if)# switchport access vlan all B. Switch(config-if)# switchport mode trunk C. Switch(config-if)# switchport trunk encapsulation dot1q D. Switch(config-if)# vlan all

Answer: A Explanation: All VLANs are allowed over the trunk link regardless of the switch mode. Section 12: Configure, verify, and troubleshoot interVLAN routing (4 questions) Cisco 640-802: Practice Exam "

QUESTION NO: 146 When a new trunk link is configured on an IOS based switch, which VLANs are allowed over the link? A. By default, all defined VLANs are allowed on the trunk. B. Each single VLAN, or VLAN range, must be specified with the switchport mode command. C. Each single VLAN, or VLAN range, must be specified with the vtp domain command. D. Each single VLAN, or VLAN range, must be specified with the vlan database command

Answer: D Explanation: When you create the VTP domain, you have a bunch of options, including setting the domain name, password, operating mode, and pruning capabilities of the switch. Use the vtp global configuration mode command to set all this information. The purpose of setting password on VTP is to validate the sources of VTP advertisements sent between switches belonging to same VTP domain. VTP password is used to authenticate the VTP members in the same VTP domain. When VTP Server sends VTP advertise to VTP client, it is required that the VTP domain name of the VTP server and the VTP client agree with VTP password. VTP: VTP is organized into management domains or areas with common VLAN requirements. A switch can belong to only one VTP domain. Switches in different VTP domains do not share VTP information. Switches in a VTP domain advertise several attributes to their domain neighbors. Each advertisement contains information about the VTP management domain, VTP configuration revision number, known VLANs, and specific VLAN parameters. The VTP process begins with VLAN creation on a switch called a VTP server. VTP floods advertisements throughout the VTP domain every 5 minutes, or whenever there is a change in VLAN configuration. The VTP advertisement includes a configuration revision number, VLAN names and numbers, and information about which switches have ports assigned to each VLAN. By configuring the details on one or more VTP server and propagating the information through advertisements, all switches configuration know the names and numbers of all VLANs.

QUESTION NO: 153 What is the purpose of the command shown below? vtp password Fl0r1da A. It is the password required when promoting a switch from VTP client mode to VTP server mode. B. It is used to access the VTP server to make changes to the VTP configuration. C. It is used to prevent a switch newly added to the network from sending incorrect VLAN information to the other switches in the domain. D. It is used to validate the sources of VTP advertisements sent between switches. E. It allows two VTP servers to exist in the same domain, each configured with different passwords

Answer: B,D Explanation: Server Mode Once VTP is configured on a Cisco switch, the default mode used is Server Mode. In any given VTP management domain, at least one switch must be in Server Mode. When in Server Mode, a switch can be used to add, delete, and modify VLANs, and this information will be passed to all other switches in the VTP management domain. Client Mode When a switch is configured to use VTP Client Mode, it is simply the recipient of any VLANs added, deleted, or modified by a switch in Server Mode within the same management domain. A switch in VTP client mode cannot make any changes to VLAN information. Transparent Mode A switch in VTP Transparent Mode will pass VTP updates received by switches in Server Mode to other switches in the VTP management domain, but will not actually process the contents of these messages. When individual VLANs are added, deleted, or modified on a switch running in transparent mode, the changes are local to that particular switch only, and are not passed to other switches in the VTP management domain. Based on the roles of each VTP mode, the use of each should be more or less obvious. For example, if you had 15 Cisco switches on your network, you could configure each of them to be in the same VTP management domain. Although each could theoretically be left in the default Server Mode, it would probably be easier to leave only one switch in this configuration, and then configure all remaining switches for VTP Client Mode. Then, when you need to add, delete, or modify a VLAN, that change can be carried out on the VTP Server Mode switch and passed to all Client Mode switches automatically. In cases where you need a switch to act in a relatively standalone manner, or dont want it to propagate information about its configured VLANs, use Transparent Mode.

QUESTION NO: 158 What are two results of entering the Switch(config)# vtp mode client command on a Catalyst switch? (Choose two.) A. The switch will originate VTP summary advertisements. B. The switch will process VTP summary advertisements. C. The switch will ignore VTP summary advertisements. D. The switch will forward VTP summary advertisements.

Answer: A,B,D

QUESTION NO: 160 A network administrator is explaining VTP configuration to a new technician. What should the network administrator tell VTP configuration? (Choose three.) A. A switch in the VTP client modecannot update its local VLAN database. B. A trunk link must be configured between the switches to forward VTP updates. C. A switch in the VTP server mode can update a switch in the VTP transparent mode. D. A switch in the VTP transparent mode will forward updates that it receives to other switches. E. A switch in the VTP server mode only updates switches in the VTP client mode that have a higher VTP revision number. F. A switch in the VTP server mode will update switches in the VTP client mode regardless of the configured VTP domain membership.

Answer: D,E Explanation: Section 14: Configure, verify, and troubleshoot RSTP operation (10 questions)

QUESTION NO: 161 Which statements describe two of the benefits of VLAN Trunking Protocol? (Choose two.) A. VTP allows routing between VLANs. B. VTP allows a single switch port to carry information to more than one VLAN. C. VTP allows physically redundant links while preventing switching loops. D. VTP simplifies switch administration by allowing switches to automatically share VLAN configuration information. E. VTP helps to limit configuration errors by keeping VLAN naming consistent across the VTP domain. F. VTP enhances security by preventing unauthorized hosts from connecting to the VTP domain.

Answer: A,B

QUESTION NO: 167 Switch ports operating in which two roles will forward traffic according to the IEEE 802.1w standard? (Choose two.) A. root B. designated C. backup D. alternate

Answer: C,D

QUESTION NO: 170 Which two functions of switch ports will forward traffic on the basis of the IEEE 802.1w standard? (Choose two.) A. alternate B. backup C. designated D. root

Explanation: Network administrators can statically set up the legitimate MAC addresses which each port is allowed to connect through port security function to achieve device-level security authorization. Dynamic port security is set up to allow for the number of legitimate MAC addresses and regards the addresses learnt at a certain period as legitimate MAC addresses. Through configuring Port Security to control the maximum number of MAC addresses across the port ,the MAC addresses learnt by port or cross port, handling with the access devices that exceed the number specified properly. You can define the MAC addresses which will be allowed to access by ports through static manual configuration and switches learning automatically. The switch will learn the MAC addresses of new access devices until reaching the desired number of MAC addresses, the MAC addresses that exceed the desired number will be denied. After being restarted , the switch will learn again. There are three methods to deal with the exceeded MAC addresses: Shutdown (shutdown port ); Protect (discard illegal traffic without alarm); Restrict (discard illegal traffic with alarm). You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port. If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a station attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs. Also, if a station with a secure MAC address configured or learned on one secure port attempts to access another secure port, a violation is flagged.

QUESTION NO: 174 Why would a network administrator configure port security on a switch? A. to prevent unauthorized Telnet access to a switch port B. to limit the number of Layer 2 broadcasts on a particular switch port C. to prevent unauthorized hosts from accessing the LAN D. to block unauthorized access to the switch management interfaces over common TCP ports E. to protect the IP and MAC address of the switch and associated ports Answer: C

Answer: B,C Explanation: 1. Configure the static MAC address of the server on the switch to bind the MAC address of the server to the switch Fa0/1 port. In this way, even if another PC is plugged into this port, this PC cannot communicate with other devices. 2. Configure port security on Fa0/1 to restrict the number of PCs that can be bound to this port. When the number of plugged PCs exceeds the number, the PCs that are not recorded on the switch cannot communicate with other devices. Both methods can improve security of a Layer 2 network.

QUESTION NO: 175 A network administrator wants to ensure that only the server can connect to port Fa0/1 on a Catalyst switch. The server is plugged into the switch Fa0/1 port and the network administrator is about to bring the server online. What can the administrator do to ensure that only the MAC address of the server is allowed by switch port Fa0/1? (Choose two.) A. Employ a proprietary connector type on Fa0/1 that is incompatible with other host connectors. B. Configure port security on Fa0/1 to reject traffic with a source MAC address other than that of the server. C. Configure the MAC address of the server as a static entry associated with port Fa0/1. D. Bind the IP address of the server to its MAC address on the switch to prevent other hosts from spoofing the server IP address. E. Configure port Fa0/1 to accept connections only from the static IP address of the server. F. Configure an access list on the switch to deny server traffic from entering any port other than Fa0/1.

Answer: A,C Explanation: Catalyst switches offer the port security feature to control port access based on MAC addresses. To configure port security on an access layer switch port, begin by enabling it with the following interface configuration command: Switch(config-if)# switchport port-security Next, you must identify a set of allowed MAC addresses so that the port can grant them access. You can explicitly configure addresses or they can be dynamically learned from port traffic. On each interface that uses port security, specify the maximum number of MAC addresses that will be allowed access using the following interface configuration command: Switch(config-if)# switchport port-security maximum max-addr Finally, you must define how each interface using port security should react if a MAC address is in violation by using the following interface configuration command: Switch(config-if)# switchport port-security violation {shutdown | restrict | protect} A violation occurs if more than the maximum number of MAC addresses are learned, or if an unknown (not statically defined) MAC address attempts to transmit on the port. The switch port takes one of the following configured actions when a violation is detected: shutdown -The port is immediately put into the errdisable state, which effectively shuts it down. It must be re-enabled manually or through errdisable recovery to be used again. restrict -The port is allowed to stay up, but all packets from violating MAC addresses are dropped.The switch keeps a running count of the number of violating packets and can send an SNMP trap and a syslog message as an alert of the violation. protect -The port is allowed to stay up, as in the restrict mode. Although packets from violating addresses are dropped, no record of the violation is kept.

QUESTION NO: 176 The network security policy requires that only one host be permitted to attach dynamically to each switch interface. If that policy is violated, the interface should shut down. Which two commands must the network administrator configure on the 2950 Catalyst switch to meet this policy? (Choose two.) A. Switch1(config-if)# switchport port-security violation shutdown B. Switch1(config)# mac-address-table secure C. Switch1(config-if)# switchport port-security maximum 1 D. Switch1(config)# access-list 10 permit ip host E. Switch1(config-if)# ip access-group 10

Answer: B,D Explanation: With the popularity and constantly deepening of network applications, the users?? requirements for Layer 2 switches are not only limited to data forwarding performance and quality of service (QoS), but also philosophy of network security which is becoming an increasingly important consideration of networking products. How to filter user communications and ensure safe and effective data transmission? How to block the illegal users and make network work safely? How to execute secure network management and detect illegal users, illegal activities and security performance of remote network management information in time? The following methods can accomplish network Layer 2 security by working on switches. Layer 2 filtering. Now , most new-style switches can achieve various filtering demands by establishing specifications . There are two modes to setup specifications: one is the MAC mode which can effectively achieve data isolation according to the source MAC address or the destination MAC address based on users?? needs; the other is the IP mode(this mode does not belong to Layer2 filtering),which can filter data packets by use of the source IP, the destination IP, protocols, the source ports and the destination ports; the specifications established must be attached to the appropriate receiving or sending port so that when receiving or forwarding data on this port, the switch can filter data packets based on filtering rules and decide to transmit or discard. Traffic control. The traffic control of switches can prevent abnormal load of switch bandwidth caused by excessive traffic of broadcast data packets, multicast data packet or the wrong destination address of unicast data packet. The traffic control of switches can also improve the whole system performance and maintain security and stability of the network running. SNMP v3 and SSH SNMP v3 proposed completely new architecture, concentrating all SNMP standards of various versions together to enhance network management security. The security mode proposed by SNMP v3 is based on the User Security Mode, that is USM. SNMP v3 can effectively prevent nonauthorized users from modifying, disguising and eavesdropping management information. As for the remote network management through the Telnet, because the Telnet services have a fatal weakness it transfers user name and password in the form of plaintext , so it is very easy to steal passwords for those people with ulterior motives. But by use of SSH to communicate, both user name and password are encrypted to effectively prevent eavesdropping the password ,in this way, network administrators can manage remote security network easily.

QUESTION NO: 177 You are a network administrator. In order to improve the security of your company's switching network , refer to the following options. Which two methods are examples of implementing Layer 2 security on a Cisco switch? (Choose two.) A. enable HTTP access to the switch for security troubleshooting B. disable trunk negotiation on the switch C. use only protected Telnet sessions to connect to the Cisco device D. configure a switch port host where appropriate

Answer: A,D Explanation: Basically speaking, the function of Port Security is to remember the MAC address of the NIC connected to the switch port and allows this MAC address to use this port. If other NICs attempt to cross this port to connect to the switch, Port Security function will disable this port. switchport port-security maximum {max # of MAC addresses allowed}: This parameter will allow each port to bind more MAC addresses, not only one. switchport port-security violation {shutdown | restrict | protect}: This command tells the switch that how to deal with the situation when the number of MAC addresses accessed exceeds the desired maximum number. This port is disabled by default

QUESTION NO: 178 As the network administrator, you are required to configure the network security policy, And the policy requires that only one host be permitted to attach dynamically to each switch interface. If that policy is violated, the interface should shut down. Which two commands must the network administrator configure on the 2950 Catalyst switch to meet this policy? Select two. A. Switch1(config-if)# switchport port-security maximum 1 B. Switch1(config)# mac-address-table secure C. Switch1(config)# access-list 10 permit ip host D. Switch1(config-if)# switchport port-security violation shutdown E. Switch1(config-if)# ip access-group 10

Answer: C

QUESTION NO: 180 A network administrator must configure 200 switch ports to accept traffic from only the currently attached host devices. What would be the most efficient way to configure MAC-level security on all these ports? A. Visually verify the MAC addresses and then telnet to the switches to enter the switchport-port security mac-address command. B. Have end users e-mail their MAC addresses. Telnet to the switch to enter the switchport-port security mac-address command. C. Use the switchport port-security MAC address sticky command on all the switch ports that have end devices connected to them. D. Use show mac-address-table to determine the addresses that are associated with each port and then enter the commands on each switch for MAC address port-security.

Answer: C,D Explanation: Private IP address space has been allocated via RFC 1918. This means the addresses are available for any use by anyone and therefore the same private IP addresses can be reused. However they are defined as not routable on the public Internet. They are used extensively in private networks due to the shortage of publicly registered IP address space and therefore network address translation is required to connect those networks to the Internet.

QUESTION NO: 183 Which of the following describe private IP addresses? (Choose two.) A. addresses licensed to enterprises or ISPs by an Internet registry organization B. addresses that can be routed through the public Internet C. a scheme to conserve public addresses D. addresses that cannot be routed through the public Internet E. addresses chosen by a company to communicate with the Internet

Answer: B,C,D

QUESTION NO: 185 Which host addresses are members of networks that can be routed across the public Internet? (Choose three.) A. 172.16.223.125 B. 172.64.12.29 C. 198.234.12.95 D. 212.193.48.254

Answer: A,C,E Explanation: Default gateway refers to router default gateway, which is used to realize access between vlans. When a router receives a destination unknown address packet, it will be sent to the default gateway (such as a router's interface) if default gateway exists, otherwise the packet will be discarded. DNS is Domain Name Server. The conversion between Domain names and IP addresses is called domain analysis, and DNS is the server to process domain analysis. IP addresses use network number and host number to mark network host, and only computers under the same network number can intercommunicate "directly", computers with different networks may intercommunicate only through Gateway. Thus IP networks are divided into smaller networks, known as subnet. Subnet mask is used to determine whether two IP addresses are in the same subnet, then only computers under the same subnet can intercommunicate "directly". DHCP is used by workstations (hosts) to get initial configuration information, such as an IP address, subnet mask, and default gateway upon bootup. Since each host needs an IP address to communicate in an IP network, DHCP eases the administrative burden of manually configuring each host with an IP address. Furthermore, if a host moves to a different IP subnet, it has to use a different IP address than the one it was previously using. DHCP takes care of this automatically, by allowing the host to choose an IP address in the correct IP subnet.

QUESTION NO: 186 What TCP/IP stack configuration features can DHCP provide, in addition to assigning an IP address? (Choose three.) A. DNS servers B. helper address C. subnet mask D. TFTP server E. default gateway F. FTP server

Answer: E

QUESTION NO: 187 Which statement is correct regarding the operation of DHCP? A. A DHCP client uses a ping to detect address conficts. B. A DHCP server uses a gratuitous ARP to detect DHCP clients. C. A DHCP client uses a gratuitous ARP to detect a DHCP server. D. If an address conflict is detected, the address is removed from the pool and an administrator must resolve the conflict. E. If an address conflict is detected, the address is removed from the pool for an amount of time configurable by the administrator. F. If an address conflict is detected, the address is removed from the pool and will not be reused until the server is rebooted.

Answer: B Explanation: The purpose of DNS is to resolve host names into IP addresses, which is called forward lookup; and IP address to name is called reverse lookup. ip name-server <DNS Server> This command is used to configure the IP address of the DNS server on Cisco router. This will allow you to ping, telnet, etc, using the host name instead of the IP address.

QUESTION NO: 192 DNS servers provide what service? A. They map individual hosts to their specific IP addresses. B. They convert domain names into IP addresses. C. They run a spell check on host names to ensure accurate routing. D. Given an IP address, they determine the name of the host that is sought.

Answer: C Explanation: As you know, DHCP clients lease their IP addresses from DHCP servers. When this lease expires, that IP address can no longer be utilized by the DHCP client. For that reason, DHCP client must periodically renew their IP address leases, preferably before the lease has expired or is about to expire. TDHCP client passes through the renewing and rebinding states to renew its IP address lease. Renewing state: The DHCP client first attempts to renew its lease when 50 percent of the lease time has expired. To renew its lease, the DHCP client sends a directed DHCPREQUEST message to the DHCP server that provided the original lease. If renewal is allowed, the DHCP server automatically renews the lease by responding with a DHCPACK message. This new IP address lease contains not only the original IP address if still available (or another IP address otherwise) but any TCP/IP client configuration information. Rebinding state: If, for whatever reason, the DHCP client is not able to communicate with the original DHCP server the executed its lease, it attempts another approach called rebinding . Here the DHCP client attempts to contact any available DHCP server when 87.5 percent of the lease time has expired. The leasing process is akin to that detailed over the last several pages.

QUESTION NO: 193 How does a DHCP server dynamically assign IP addresses to hosts? A. Addresses are permanently assigned so that the host uses the same address at all times. B. Addresses are assigned for a fixed period of time. At the end of the period, a new request for an address must be made, and another address is then assigned. C. Addresses are leased to hosts. A keep the host will usually same address by periodically contacting the DHCP server to renew the lease. D. Addresses are allocated after a negotiation between the server and the host to determine the length of the agreement.

Answer: F

QUESTION NO: 197 Which command would correctly configure a serial port on a router with the last usable host address in the 192.216.32.32/29 subnet? A. router (config-if)# ip address 192.216.32.38 255.255.255.240 B. router (config-if)# ip address 192.216.32.39 255.255.255.224 C. router (config-if)# ip address 192.216.32.63 255.255.255.248 D. router (config-if)# ip address 192.216.32.39 255.255.255.248 E. router (config-if)# ip address 192.216.32.63 255.255.255.248 F. router (config-if)# ip address 192.216.32.38 255.255.255.248

Answer: C

QUESTION NO: 198 The network default gateway applying to a host by DHCP is 192.168.5.33/28. Which option is the valid IP address of this host? A. 192.168.5.55 B. 192.168.5.47 C. 192.168.5.40 D. 192.168.5.32 E. 192.168.5.14

Answer: B,D Explanation: Section 5: Calculate and apply an addressing scheme including VLSM IP addressing design to a network (13 questions)

QUESTION NO: 199 Which two addresses can be assigned to a host with a subnet mask of 255.255.254.0? (Choose two.) A. 113.10.4.0 B. 186.54.3.0 C. 175.33.3.255 D. 26.35.2.255 E. 17.35.36.0

Answer: C Explanation: A hub is a broadcast domain and a collision domain, while a switch is a broadcast domain, each interface is a collision domain. The switch is a device of data link layer, forwards and floods data frames based on the MAC address. The hub adopts the shared bandwidth working mode, while the switch adopts dedicated bandwidth. Switches increases the number of collisions domains in the network. Switches that are configured with VLANs will reduce the size of the collision domains by increasing the number of collision domains in a network, but making them smaller than that of one big, flat network. Incorrect Answers: A: Switches and hubs can be equally efficient in processing frames, in theory. In practice, switches are generally more efficient as they usually have more CPU and memory allocated to them, and are generally much more expensive than a simple hub. B: Switches are capable of VLAN configurations, but hubs are not. E: Switches forward broadcasts and multicasts, by default, to all ports within the same VLAN. Only routers block all broadcast traffic by default.

QUESTION NO: 2 Which of the following is true regarding the use of switches and hubs for network connectivity? A. Using hubs can increase the amount of bandwidth available to hosts. B. Hubs can filter frames. C. Switches increase the number of collision domains in the network. D. Switches do not forward broadcasts. E. Switches take less time to process frames than hubs take.

Answer: C

QUESTION NO: 202 How many subnets can be gained by subnetting 172.17.32.0/23 into a /27 mask, and how many usable host addresses will there be per subnet? A. 8 subnets, 31 hosts B. 8 subnets, 32 hosts C. 16 subnets, 30 hosts D. A Class B address can't be subnetted into the fourth octet. E. 16 subnets, 32 hosts

Answer: C Explanation: By default, 172.16.112.1/20 is a Class B address. A Class B address can allow 65534 hosts. 32-16=16 216=65536 65536-2=65534 172.16.112.1 is subnetted. The network can allow 4094 hosts. 32-20=12 212=4096 4096-2=4094 IP addresses with all 0s or all 1s in the host part cannot be used as host addresses; therefore, these two addresses are excluded. Since a /20 equates to 12 bits used for the subnet mask, 4094 hosts can be uniquely addressed.

QUESTION NO: 204 If an ethernet port on a router was assigned an IP address of 172.16.112.1/20, what is the maximum number of hosts allowed on this subnet? A. 8190 B. 4096 C. 4094 D. 1024 E. 2046

Answer: A

QUESTION NO: 205 Which subnet mask would be appropriate for a network address range to be subnetted for up to eight LANs, with each LAN containing 5 to 26 hosts? A. 255.255.255.224 B. 0.0.0.240 C. 255.255.255.252

Answer: A,C Explanation: 30 bits IP network has relatively small quantities of addresses available, which can not meet the requirements of network design.

QUESTION NO: 206 As the network administrator of your company, you have been assigned the task of designing a new Office internetwork. So you need to consider IP addressing scheme, Which two subnetworks would be included in the summarized address of 172.31.80.0 /20? (Choose two.) A. 172.31.92.0 /22 B. 172.31.51.16 /30 C. 172.31.80.0 /22 D. 172.31.17.4 /30

Answer: B,E

QUESTION NO: 208 A national retail chain needs to design an IP addressing scheme to support a nationwide network. The company needs a minimum of 300 sub-networks and a maximum of 50 host addresses per subnet. Working with only one Class B address, which of the following subnet masks will support an appropriate addressing scheme? (Choose two.) A. 255.255.255.0 B. 255.255.255.128 C. 255.255.252.0 D. 255.255.255.224 E. 255.255.255.192 F. 255.255.248.0

Answer: D,E Explanation: We need to find the range for the 172.31.80.0/20 network. 1) Since this is a /20, convert the third octet to binary: 172.31.0101 0000.0 2) Segregate the network and host address: 172.31. 0101 0000 .0 3) The network address will be: 172.31.80.0 4) The broadcast address will be: [convert all the blue to one (1) plus the red colored] 172.31.95.255 That is now your range 172.31.80.0 - 172.31.95.255

QUESTION NO: 209 Which two subnetworks would be included in the summarized address of 172.31.80.0/20? (Choose two.) A. 172.31.17.4/30 B. 172.31.51.16/30 C. 172.31.64.0/18 D. 172.31.80.0/22 E. 172.31.92.0/22 F. 172.31.192.0/18

Answer: A,C

QUESTION NO: 210 Given the address 192.168.20.19/28, which host addresses are valid on this subnet? (Choose two.) A. 192.168.20.29 B. 192.168.20.31 C. 192.168.20.17 D. 192.168.20.0

Answer: B,D Explanation: The mask 255.255.255.0 shows it limits the subnet range to 1-255. Since 255 is broadcast address, so the actual range is 254.

QUESTION NO: 214 You have a class B network with a 255.255.255.0 mask. Which of the statements below are true of this network? (Choose two) A. There are 24 usable hosts per subnet.. B. There are 254 usable subnets. C. There are 256 usable hosts per subnet. D. There are 254 usable hosts per subnet

Answer: A,C,D

QUESTION NO: 217 Assume that the subnet mask is /27 and subnet zero is usable, which three of the following IP addresses will be assigned to hosts? (Choose three.) A. 10.15.32.17 B. 17.15.66.128 C. 66.55.128.1 D. 135.1.64.34

Answer: D

QUESTION NO: 218 A mediumsized company has a Class C IP address. It has two Cisco routers and one nonCisco router. All three routers are using RIP version 1. The company network is using the block of 198.133.219.0/24. The company has decided it would be a good idea to split the network into three smaller subnets and create the option of conserving addresses with VLSM. What is the best course of action if the company wants to have 40 hosts in each of the three subnets? A. Convert all the routers to EIGRP and use 198.133.219.32/27, 198.133.219.64/27, and 198.133.219.92/27 as the new subnetworks. B. Maintain the use of RIP version 1 and use 198.133.219.32/27, 198.133.219.64/27, and 198.133.219.92/27 as the new subnetworks. C. Convert all the routers to EIGRP and use 198.133.219.64/26, 198.133.219.128/26, and 198.133.219.192/26 as the new subnetworks. D. Convert all the routers to RIP version 2 and use 198.133.219.64/26, 198.133.219.128/26, and 198.133.219.192/26 as the new subnetworks. E. Convert all the routers to OSPF and use 198.133.219.16/28, 198.133.219.32/28, and 198.133.219.48/28 as the new subnetworks. F. Convert all the routers to static routes and use 98.133.219.16/28, 198.133.219.32/28, and 198.133.219.48/28 as the new subnetworks.

Answer: B,C,E

QUESTION NO: 219 Which of the following IP addresses fall into the CIDR block of 115.64.4.0/22? (Choose three.) A. 115.64.8.32 B. 115.64.7.64 C. 115.64.6.255 D. 115.64.3.255 E. 115.64.5.128 F. 115.64.12.128

Answer: D Explanation: One technique for transitioning to IPv6 is by using dual IPv4 and IPv6 protocol stacks. Using dual stacks enables gradual, one-by-one upgrades to applications running on nodes. Applications that are upgraded to IPv6 use the IPv6 protocol stack, and applications that are not upgraded and support only IPv4 can coexist with upgraded applications on the same node. New and upgraded applications can use both IPv4 and IPv6 protocol stacks. This approach is described in RFC 4213.

QUESTION NO: 221 Running both IPv4 and IPv6 on a router simultaneously is known as what? A. 4to6 routing B. 6to4 routing C. binary routing D. dual-stack routing E. NextGen routing

Answer: A,D,F Explanation: Section 8: Describe IPv6 addresses

QUESTION NO: 222 What are three IPv6 transition mechanisms? (Choose three.) A. 6to4 tunneling B. VPN tunneling C. GRE tunneling D. ISATAP tunneling E. PPP tunneling F. Teredo tunneling

Answer: C

QUESTION NO: 223 How is an EUI-64 format interface ID created from a 48-bit MAC address? A. by prefixing the MAC address with 0xFF and appending 0xFF to it B. by appending 0xFF to the MAC address C. by inserting 0xFFFE between the upper three bytes and the lower three bytes of the MAC address D. by prefixing the MAC address with 0xFFEE

Answer: A,B

QUESTION NO: 225 Which two are correct about ipv6 addressing? A. 2000::/3 is a global unicast address B. cool.gif ther is only one loopback address ::1 C. FF00::/ is the Link-local address D. FE00::/ is the unique-local address

Answer: A,D

QUESTION NO: 226 Which two statements describe characteristics of IPv6 unicast addressing? (Choose two.) A. Global addresses start with 2000::/3. B. Link-local addresses start with FE00:/12. C. Link-local addresses start with FF00::/10. D. There is only one loopback address and it is ::1. E. If a global address is assigned to an interface, then that is the only allowable address for the interface

Answer: A,B,C,D Explanation: Section 9: Identify and correct common problems associated with IP addressing and host configurations (5 questions)

QUESTION NO: 227 Select the valid IPv6 addresses. (Choose all apply) A. :: B. ::192:168:0:1 C. 2002:c0a8:101::42 D. 2003:dead:beef:4dad:23:46:bb:101

Answer: F Explanation: Administrative distance refers to the reliability of one routing protocol. Each routing protocol is specified a reliability level from high to low depending on the administrative distance. For the routing information of two different routing protocols to the same destination, the router will make decision on the basis of the administrative distance

QUESTION NO: 237 A router receives information about network 192.168.10.0/24 from multiple sources. What will the router consider the most reliable information about the path to that network? A. a static route to network 192.168.10.0/24 with a local serial interface configured as the next hop B. a default route with a next hop address of 192.168.10.1 C. a static route to network 192.168.10.0/24 D. a RIP update for network 192.168.10.0/24 E. an OSPF update for network 192.168.0.0/16 F. a directly connected interface with an address of 192.168.10.254/24

Answer: D Explanation: This question tests how a Cisco router is started. Step 1 The router is booting. Step 2 The router completes the POST process. Step 3 The router finds and loads an IOS image. Step 4 The router checks the configuration register and decides how to load start configuration based on the value of the configuration register.

QUESTION NO: 243 As a CCNA candidate, you will be expected to know the POST process very well. A Cisco router is booting and has just completed the POST process. It is now ready to find and load an IOS image. What function does the router perform next? A. It inspects the configuration file in NVRAM for boot instructions. B. It attempts to boot from a TFTP server. C. It loads the first image file in flash memory. D. It checks the configuration register.

Answer: C Explanation: The boot sequence of a Cisco router is shown below: Booting up the router and locating the Cisco IOS 1. POST (power on self test) 2. Bootstrap code executed 3. Check Configuration Register value (NVRAM) which can be modified using the configregister command 0 = ROM Monitor mode 1 = ROM IOS 2 - 15 = startup-config in NVRAM 4. Startup-config file: Check for boot system commands (NVRAM) If boot system commands in startup-config a. Run boot system commands in order they appear in startup-config to locate the IOS b. [If boot system commands fail, use default fallback sequence to locate the IOS (Flash, TFTP, ROM)?] If no boot system commands in startup-config use the default fallback sequence in locating the IOS: a. Flash (sequential) b. TFTP server (netboot) c. ROM (partial IOS) or keep retrying TFTP depending upon router model 5. If IOS is loaded, but there is no startup-config file, the router will use the default fallback sequence for locating the IOS and then it will enter setup mode or the setup dialogue. 6. If no IOS can be loaded, the router will get the partial IOS version from ROM

QUESTION NO: 245 During startup, the router displays the following error message: boot: cannot open "flash:" What will the router do next? A. It will attempt to locate the configuration file from a TFTP server. If this fails, it will initiate the setup dialog. B. It will attempt to locate the configuration file from a TFTP server. If this fails, it will load a limited configuration fromROM. C. It will attempt to locate the IOS from a TFTP server. If this fails, it will load a limited IOS fromROM. D. Because of damaged flash memory, the router will fail the POST. E. It will attempt to locate the IOS from a TFTP server. If this fails, it will initiate the setup dialog.

Answer: D Explanation: Cisco routers can boot Cisco IOS software from these locations: 1. Flash memory 2. TFTP server 3. ROM (not full Cisco IOS) Multiple source options provide flexibility and fallback alternatives Locating the Cisco IOS Software Default boot sequence for Cisco IOS software: 1. NVRAM 2. Flash (sequential) 3. TFTP server (network boot) 4. ROM (partial IOS) Note: boot system commands can be used to specify the primary IOS source and fallback sequences. Booting up the router and locating the Cisco IOS 1. POST (power on self test) 2. Bootstrap code executed 3. Check Configuration Register value (NVRAM) which can be modified using the config-register command 0 = ROM Monitor mode 1 = ROM IOS 2 - 15 = startup-config in NVRAM 4.Startup-config file: Check for boot system commands (NVRAM) If boot system commands in startup-config a. Run boot system commands in order they appear in startup-config to locate the IOS b. [If boot system commands fail, use default fallback sequence to locate the IOS (Flash, TFTP, ROM)?] If no boot system commands in startup-config use the default fallback sequence in locating the IOS: a. Flash (sequential) b. TFTP server (netboot) c. ROM (partial IOS) or keep retrying TFTP depending upon router model 5. If IOS is loaded, but there is no startup-config file, the router will use the default fallback sequence for locating the IOS and then it will enter setup mode or the setup dialogue. 6. If no IOS can be loaded, the router will get the partial IOS version from ROM Default (normal) Boot Sequence Power on Router - Router does POST - Bootstrap starts IOS load - Check configuration register to see what mode the router should boot up in (usually 0x102 to 0x10F to look in NVRAM) - check the startup-config file in NVRAM for boot-system commands (normally there aren't any) - load IOS from Flash. Boot System Commands Router(config)# boot system flash IOS filename - boot from FLASH memory Router(config)# boot system tftp IOS filename tftp server ip address - boot from a TFTP server Router(config)# boot system rom - boot from system ROM Configuration Register Command Router(config)# config-register 0x10x (where that last x is 0-F in hex) When the last x is: 0 = boot into ROM Monitor mode 1 = boot the ROM IOS 2 - 15 = look in startup config file in NVRAM

QUESTION NO: 247 There are no boot system commands in the router configuration in NVRAM router. What is the fallback sequence that the router will use to find an IOS during reload? A. TFTP server, Flash, NVRAM B. ROM, NVRAM, TFTP server C. NVRAM, TFTP server, ROM D. Flash, TFTP server, ROM

Answer: C Explanation: When a router boots and is able to locate the IOS it begins to load the configuration file. The configuration file, saved in NVRAM, is loaded into main memory and executed one line at a time. These configuration commands start routing processes, supply addresses for interfaces, and set media characteristics. If no configuration file exists in NVRAM, the router attempts a network boot and sends a broadcast request for the file on a TFTP server. If this is also not found, the operating system executes a question-driven initial configuration routine called the system configuration dialog.

QUESTION NO: 248 What will a new router do during startup if a configuration file is not located in NVRAM? A. It will search for the configuration file in flash and if no configuration file is found there, it will enter the setup dialog. B. It will search for the configuration file on a TFTP server and if no configuration file is found there, it will load a limited configuration file fromROM. C. It will search for the configuration file on a TFTP server and if no configuration file is found there, it will enter the setup dialog. D. It will search for the configuration file in flash and if no configuration file is found there, it will load a limited configuration file from ROM.

Answer: B,D

QUESTION NO: 250 A network administrator changes the configuration register to 0x2142 and reboots the router. What are two results of making this change? (Choose two.) A. The IOS image will be ignored. B. The router will prompt to enter initial configuration mode. C. The router will boot toROM. D. Any configuration entries in NVRAM will be ignored. E. The configuration in flash memory will be booted.

Answer: C,E Explanation: Section 3: Select the appropriate media, cables, ports, and connectors to connect routers to other network devices and hosts (2 questions)

QUESTION NO: 251 Which two locations can be configured as a source for the IOS image in the boot system command? (Choose two.) A. RAM B. NVRAM C. flash memory D. HTTP server E. TFTP server F. Telnet server

Answer: A,B,E Explanation: RIPV2 has the maximum hop count as RIPV1(15). RIPV2 uses multicast for its routing updates while RIPV1 uses broadcast for its routing updates. RIPV2 has a higher security than RIPV1 because RIPV2 supports authentication. RIPV2, rather than RIPV1, sends the subnet mask in updates. RIPV1 is a classful routing protocol , it sends update packets which does not contain subnet mask information every 30 seconds , it does not support VLSM and performs border automatic route summary by default, it can't be shut down, so it does not support non-consecutive networks and authentication, it uses hop counts as metric, the administrative distance is 120. Each packet contains 25 routing information at most , and routing update is broadcast. RIPV2 is a classless routing protocol, whose transmitted packets contain subnet mask information , it supports VLSM and enables the function of auto-summary . So , it is needed to manually shut down the function of auto-summary in order to send subnet information to the main network . RIPV2 only supports summarizing routing to the main network instead of summarizing different main networks. So it does not support CIDR. RIPV2 updates routing by use of the multicast address 224.0.0.9, only the corresponding multicast MAC address can reply to packets. Whether reply to packets and support authentication or not can be distinguished at the MAC layer. Note : Refer to the classful routing protocol, when the subnet of the interface sending routing packets is in the same main network as the subnet associated with the packets, the router can transmit subnet information through this interface assuming that the interface and the subnet of packets use the same subnet mask. What is the consecutive subnet: Consecutive subnets belong to the same main network and use the same subnet mask, otherwise it is not. Using the manual summary command on the interface: ip summary-address rip to summarize subnet and subnet mask . RIP uses UDP(User Datagram Protocol)520 port to transmit routing update packets .

QUESTION NO: 254 The Company WAN is migrating from RIPv1 to RIPv2. Which three statements are correct about RIP version 2? (Choose three) A. It is a classless routing protocol. B. It supports authentication. C. It has a lower default administrative distance than RIP version 1. D. It uses broadcasts for its routing updates. E. It has the same maximum hop count as version 1.

Answer: B Explanation: The fact that RIP only records one route for each destination requires RIP to actively maintain the integrity of the routing tables, which can be achieved by asking all active RIP routers to broadcast contents of routing table to adjacent RIP routers in a fixed time interval. All received updated information automatically replaces the information included in the routing table. RIP maintains routing table depending on three timers. Update timer. Routing-timeout timer. Routing-refresh timer. Update timer can be used to update initialized routing table on a node. Each RIP node only uses one update timer. On the contrary, both routing-timeout timer and routing-refresh timer are that each router maintains one. RIP router triggers update every 30 seconds . Update timer is used to record the amount of time. Once the time is up, RIP node will produce a series of datagrams including its own routing table. These datagrams are broadcast to each adjacent node. Therefore, each RIP router will receive update about every 30 seconds from each RIP adjacent node.

QUESTION NO: 255 The Routing Information Protocol (RIP) is a dynamic routing protocol used in local area networks. What is the default routing update period for RIPv2? A. 180 seconds B. 30 seconds C. 240 seconds D. 15 seconds

Answer: A,B,F Explanation: RIP version 1 broadcasts updates whereas RIP version 2 uses multicasts. RIP Version 2 is a classless routing protocol whereas RIP version 1 is a classful routing protocol. RIP version 2 sends the subnet mask in updates and RIP version 1 does not.

QUESTION NO: 264 Which three statements describe the differences between RIP version 1 and RIP version 2? (Choose three.) A. RIP version 2 sends the subnet mask in updates and RIP version 1 does not. B. RIP version 1 broadcasts updates whereas RIP version 2 uses multicasts. C. RIP version 1 multicasts updates while RIP version 2 uses broadcasts. D. Both RIP version 1 and RIP version 2 are classless routing protocols. E. Both RIP version 1 and version 2 support authentication. F. RIP Version 2 is a classless routing protocol whereas RIP version 1 is a classful routing protocol.

Answer: D

QUESTION NO: 269 In order to allow the establishment of a Telnet session with a router, which set of commands must be configured? A. router(config)# line console 0 router(config-line)# enable secret cisco router(config-line)# login B. router(config)# line console 0 router(config-line)# enable password cisco C. router(config)# line console 0 router(config-line)# password cisco router(config-line)# login D. router(config)# line vty 0 router(config-line)# password cisco router(config-line)# login E. router(config)# line vty 0 router(config-line)# enable password cisco F. router(config)# line vty 0 router(config-line)# enable secret cisco router(config-line)# login

Answer: B

QUESTION NO: 273 An administrator issues the command ping 127.0.0.1 from the command line prompt on a PC. If a reply is received, what does this confirm? A. The PC has connectivity up to Layer 5 of the OSI model. B. The PC has the TCP/IP protocol stack correctly installed. C. The PC has connectivity with a local host. D. The PC has connectivity with a Layer 3 device. E. The PC has a default gateway correctly configured.

Answer: A Explanation: The ICMP protocol uses Echo request and Echo reply with the Ping command. The PING utility is the most commonly used message to verify connectivity to a remote device within the network.

QUESTION NO: 278 When you use the ping command to send ICMP messages across a network, what's the most common request/reply pair you'll see? A. Echo request and Echo reply B. ICMP hold and ICMP send C. Echo off and Echo on D. ICMP request and ICMP reply

Answer: B

QUESTION NO: 279 The network administrator has asked you to check the status of the workstation's IP stack by pinging the loopback address. Which address would you ping to perform this task? A. 10.1.1.1 B. 127.0.0.1 C. 192.168.0.1 D. 239.1.1.1

Answer: B

QUESTION NO: 280 Which protocol should be used to establish a secure terminal connection to a remote network device? Select the best response. A. ARP B. SSH C. Telnet D. WEP E. SNMPv1 F. SNMPv2

Answer: A,C Explanation: Routers use default routing as a last resort when all other methods (directly connected, static, or dynamic) have been exhausted. For stub networks, a single default static route could be used to provide connectivity to the entire network. This is desirable for stub networks where only a single link connects the remote location to the rest of the networks. Because all of the traffic only has one link to use, a single default route will make the routing table as small as possible, while providing for connectivity to networks not in the routing table, since as traffic destined for the Internet. Incorrect Answers: B: To influence the way incoming traffic from the Internet gets to a corporation, BGP routing would be used, not default routing. D: Using static routes, including default routes, is the least CPU-intensive method of routing. E: Although default routes are normally statically assigned, these routes can still go down. If the interface used as the default route should go down, or the next hop IP address of the default route become unreachable, the static default route will go down.

QUESTION NO: 281 Some of the company routers have been configured with default routes. What are some of the advantages of using default routes?(Choose two.) A. The allow connectivity to remote networks that are not in the routing table. B. They direct traffic from the Internet into corporate networks. C. The keep routing tables small. D. They require a great deal of CPU power. E. They establish routes that will never go down.

Answer: E,F Explanation: The user can specify the path for accessing certain network by configuring static route. In a relatively simple network architecture, and the route to a certain network is unique, the static route will be used. ip route prefix mask {address | interface} [distance] [tag tag] [permanent] Prefix :the destination network mask :subnet mask address :The IP address of the next hop, that is the address of port on the adjacent router interface :local network interface distance : administrative distance(optional) tag tag : tag value(optional) permanent :The router is designed as follows : would rather to shut down this port than move.

QUESTION NO: 282 Which two statements are true about the command ip route 172.16.3.0 255.255.255.0 192.168.2.4? (Choose two.) A. It configures the router to send any traffic for an unknown destination out the interface with the address 192.168.2.4. B. It is a route that would be used last if other routes to the same destination exist. C. It establishes a static route to the 192.168.2.0 network. D. It configures the router to send any traffic for an unknown destination to the 172.16.3.0 network. E. It uses the default administrative distance. F. It establishes a static route to the 172.16.3.0 network.

Answer: A Explanation: The command "IP route 0.0.0.0 0.0.0.0 <ip-address of the interface>" command is used to configure a default route on a router. In this case, a default route with a next hop IP address of 10.1.1.1 was configured. Incorrect Answers: B: These commands are invalid. The command "ip default-network" could be used, but not "ip default-route" or "ip default-gateway". IP default-gateway is used on switches, not routers. C: These commands are invalid. The command "ip default-network" could be used, but not "ip default-route" or "ip default-gateway". IP default-gateway is used on switches, not routers. D: This will be an invalid route, since the "10.1.1.0" value will specify the network mask, which in this case is invalid.

QUESTION NO: 283 You need to configure a default route on a router. Which command will configure a default route on a router? A. Router(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.1 B. Router config)# ip default-gateway 10.1.1.0 C. Router(config)# ip default-route 10.1.1.0 D. Router(config)# ip route 0.0.0.0 10.1.1.0 10.1.1.1

Answer: A,B Explanation: There are two ways to specify a default static route. One is to specify the interface to use for forwarding packets, like the example in A. The other way is to specify the IP address of the next hop router, such as the example in D. The ip route 0.0.0.0 0.0.0.0 command uses the fact that network 0.0.0.0 is used by Cisco IOS software to represent the default network. Reference: CCNA ICND Exam Certification Guide By Wendell Odem Pg.524 Incorrect Answers: C: The default route is made in global configuration mode. D: All zero's must used for the subnet mask of a default route, not all 1's.

QUESTION NO: 288 Which of the commands below can you use to configure a default route on router2?(Choose two) A. ROUTER2(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.21 B. ROUTER2(config)# ip route 0.0.0.0 0.0.0.0 E0 C. ROUTER2(config-interface)# ip route 255.255.255.255 0.0.0.0 192.168.1.21 D. ROUTER2(config)# ip route 0.0.0.0 255.255.255.255 S0

Answer: D Explanation: Section 9: Manage IOS configuration files. (

QUESTION NO: 291 What is an appropriate use of a default route? A. to provide routing to a local web server B. to provide routing from an ISP to a stub network C. to provide routing that will override the configured dynamic routing protocol D. to provide routing to a destination that is not specified in the routing table and which is outside the local network

Answer: A Explanation: By default, a Cisco IOS router will normally boot up from flash where the IOS is stored. If the IOS in not found or has become corrupted, the router will then send an all hosts broadcast (255.255.255.255) to find a TFTP server to download the IOS from. Should that fail, the router will boot up in ROM Monitor mode as a last resort.

QUESTION NO: 292 Which is the correct fallback sequence for loading the Cisco IOS? A. Flash, TFTP server, ROM B. ROM, Flash, NVRAM C. Flash, NVRAM, RAM D. ROM, TFTP server, Flash

Answer: A,D Explanation: Before the upgrade of IOS, you have to check its current version (you may use show version to check); at the same time you have to ensure that there is sufficient space to store IOS upgrade (you may use the amount of available flash and RAM memory to check). To upgrade the IOS, the first two steps are: Download the Cisco IOS software image to your workstation or PC. Install the new Cisco IOS software image in the outbound directory of the TFTP server. The TFTP server looks for the router's Cisco IOS software image in this directory. Make sure that the image you want to copy to your Flash is in this directory. Check the memory requirements needed for the Software image being upgraded, which is mentioned in the Downloads download page. Using the show version command, verify that you have enough memory

QUESTION NO: 294 Before installing a new, upgraded version of the IOS, what should be checked on the router, and which command should be used to gather this information? (Choose two.) A. show version B. the amount of available ROM C. the version of the bootstrap software present on the router D. the amount of available flash and RAM memory

Answer: C Explanation: We can keep multiple IOS files on flash memory if there is enough space. When you try to copy the IOS to flash memory, it will ask you to erase current contents of flash memory. If there is enough free space to copy IOS you can type no to erase the contents of flash. If there is not enough space the router will require that the current file is erased first. Section 10: Manage Cisco IOS. (3 questions

QUESTION NO: 296 Why is flash memory erased prior to upgrading the IOS image from the TFTP server? A. In order for the router to use the new image as the default, it must be the only IOS image in flash. B. Flash memory on Cisco routers can contain only a single IOS image. C. Erasing current flash content is requested during the copy dialog. D. The router cannot verify that the Cisco IOS image currently in flash is valid.

Answer: B Explanation: To display the configuration of the system hardware, the software version, the names and sources of configuration files, and the boot images, use the show version command in EXEC mode.

QUESTION NO: 297 Which of the commands below would you enter if you wanted to see the configuration register of your router? A. show boot B. show version C. show register D. show config E. show flash

Answer: A,B,C Explanation: More often than not, when backing up IOS files, first , using the command PING to test whether the server is reachable or not and whether the server has enough space to store the IOS backup files or not. When the two needs are satisfied, you can use the command "copy flash tftp" to backup on the router. Router>enable Router#copy flash tftp ip address of remote host:[255.255.255.255]?129.0.0.3 filename to write on tftp hose?c4500-l writing c4500-l !!!!!!!!!!!!!!!!!!!!!!!! successful tftp write After inputting the command "copy flash tftp", the router will require you to input the IP address of the remote TFTP server and IOS mapping name of the server. The router will remind you that backup is successfully completed by a string of exclamation points. In order to properly back up the Cisco IOS image onto a Windows server, you should ensure that the server is reachable and that you have the proper permissions to save files to the server. In addition to this, the server will need enough space to hold the backup file.

QUESTION NO: 298 You are a trainee technician. Your instructor tells you to backup an IOS image of a Cisco device to a Windows 2003 server on the network. What should you do first? (Choose three) A. Assure that the network server has adequate space for the code image. B. Make sure that the network server can be accessed. C. Verify any file naming and path requirements. D. Check that the authentication for access is set.

Answer: C Explanation: The "show flash" command is used to display the layout and contents of the flash memory file system. It will show name of the file system, as well as the number of bytes used and the number available within the flash memory. Section 11: Compare and contrast methods of routing and routing protocols (16 questions)

QUESTION NO: 299 You wish to upgrade the IOS of a router without removing the image currently installed. What command will display the amount of memory that is being used by the current IOS image and whether there is enough room available to hold both the current and new images? A. Router# show version B. Router# show buffers C. Router# show flash D. Router# show memory

Answer: A,B Explanation: Bridge is a Layer2 device, which is designed to create two or more LAN segments. Each segment is an independent collision domain. Bridge is also created to provide more available bandwidth, Its purpose is to filter the LAN traffic, making local traffic be in the local area, and those directed to other parts of the LAN (sub) be forwarded there. Each NIC on each device has a unique MAC address. Bridge will record the MAC address of each port and then make forwarding decisions based on this MAC address table. Switch is a device of the data link layer, it combines multiple physical LAN segments into a large network.. Similar to bridge, the switch will transfer and flood the communication frames based on the MAC address. Because the switching process is performed in hardware, the switching speed of the switch is faster than that of a bridge performed by software. Regarding each switching port as a mini-bridge, then each switching port will work as an independent bridge to provide full medium??s bandwidth to each host. The number of ports of bridges and switches are the same as that of collision domains. All ports are in the same broadcast domain. Both bridges and switches build the bridge table by listening to incoming frames and examining the source MAC address in the frame. Switches are multiport bridges that allow you to create multiple broadcast domains. Each broadcast domain is like a distinct virtual bridge within a switch. Incorrect Answers: D: Switches are generally faster than bridges. Bridges also do not necessarily have fewer ports than switches.

QUESTION NO: 3 When comparing and contrasting the similarities and differences between bridges and switches, which of the following are valid statements? (Choose two) A. Bridges and switches learn MAC addresses by examining the source MAC address of each frame received. B. A switch is a multiport bridge C. Bridges and switches increase the size of a collision domain. D. Bridges are faster than switches because they have fewer ports.

Answer: C Explanation: EIGRP is CISCO private agreement, which will not support non-CISCO devices; RIPv1 and RIPv2 are distance vector protocol, supporting up to 15 hop, and 16 hop is inaccessible. RIPv1 does not support routing update verification. Although the convergence rate of OSPF is slower than EIGRP, but OSPF has better expansibility. And OSPF supports multi-vendor devices, and is applicable to large networks.

QUESTION NO: 300 A routing protocol is required that supports: 1) routing update authentication 2) an addressing scheme that conserves IP addresses 3) multiple vendors 4) a network with over 50 routers Which routing protocol fulfills these requirements? A. RIPv2 B. RIPv1 C. OSPF D. EIGRP

Answer: A Explanation: When a router learns about the same network via multiple sources, the router will choose the source with the lowest administrative distance (AD). By default, the AD for these routing protocols are: Connected Interface has 0 AD Static Route : 1 EIGRP : 90 OSPF : 110 So, the static route will be chosen since it has the lowest AD.

QUESTION NO: 304 A router learns about a remote network from EIGRP, OSPF, and a static route. Assuming all routing protocols are using their default administrative distance, which route will the router use to forward data to the remote network? A. The router will use the static route. B. The router will use the OSPF route. C. The router will load balance and use all three routes. D. The router will use the EIGRP route.

Answer: B,C,D Explanation: The reason for regional structure division in OSPF network is: In a small network, the structure of router is not complicated, it is easy to identify routes to different destinations. However, in large networks, the link structure is complex, the number of the potential paths for different destinations is large. Therefore, the SPF algorithm which compares all possible routes is very complex and requires a very long time. Link State Routing Protocol often divides network into area structures to reduce the amount of SPF algorithm. The number of routers within the area and diffusing LSA is less, which means that the link-state database is small. The result is that the amount of SPF algorithm is smaller and the time needed is shorter . An OSPF network designed in a hierarchical fashion with different areas is used because a small change in the topology of a single area won't force every router to run the SPF algorithm. Changes in one area are limited to that area only, not to every router within the entire network. Confining the topology changes to one area reduces the overhead and speeds the convergence of the network. Reference: CCNA Self-Study CCNA ICND exam certification Guide (Cisco Press, ISBN 1-58720- 083-X) Page 194 Incorrect Answers: A: This choice is incorrect because a hierarchical design actually adds complexity to the router configuration.

QUESTION NO: 306 When designing OSPF networks; what is the purpose of using a hierarchical design?(Choose three) A. To reduce the complexity of router configuration B. To confine network instability to single areas of the network C. To reduce routing overhead D. To speed up convergence

Answer: D,E

QUESTION NO: 307 What are two drawbacks of implementing a link-state routing protocol? (Choose two.) A. the high volume of link-state advertisements in a converged network B. the large size of the topology table listing all advertised routes in the converged network C. the sequencing and acknowledgment of link-state packets D. the high demand on router resources to run the link-state routing algorithm E. the requirement for a hierarchical IP addressing scheme for optimal functionality

Answer: B

QUESTION NO: 308 A router has learned three possible routes that could be used to reach a destination network. One route is from EIGRP and has a composite metr of 20514560. Another route is from OSPF with a metric of 782. The last is from RIPv2 and has a metric of 4. Which route or routes will the router install in the routing table? A. the OSPF route B. the EIGRP route C. the RIPv2 route D. all three routes E. the OSPF and RIPv2 routes

Answer: A Explanation: This question tests the metrics of various routing protocols. RIP uses hop-count as metrics; BGP uses complicated path attributes as metrics; OSPF uses bandwidth as metrics; and EIGRP uses bandwidth and delay as metrics by default.

QUESTION NO: 313 Which routing protocol by default uses bandwidth and delay as metrics? A. EIGRP B. RIP C. BGP D. OSPF

Answer: A,C,D

QUESTION NO: 314 Which characteristics are representative of a link-state routing protocol? (Choose three.) A. provides common view of entire topology B. exchanges routing tables with neighbors C. calculates shortest path D. utilizes event-triggered updates E. utilizes frequent periodic updates

Answer: B,D,E

QUESTION NO: 315 Which routing protocols will support the following IP addressing scheme? (Choose three.) Network 1 - 192.168.10.0 /26 Network 2 - 192.168.10.64 /27 Network 3 - 192.168.10.96 /27 Network 4 - 192.168.10.128 /30 Network 5 - 192.168.10.132 /30 A. RIP version 1 B. RIP version 2 C. IGRP D. EIGRP E. OSPF

Answer: A,B

QUESTION NO: 317 Which of the following describe the process identifier that is used to run OSPF on a router? (Choose two.) A. It is locally significant. B. It is needed to identify a unique instance of an OSPF database. C. All routers in the same OSPF area must have the same process ID if they are to exchange routing information. D. It is globally significant. E. It is an optional parameter required only if multiple OSPF processes are running on the router.

Answer: E Explanation: When selecting DR and BDR in the NBMA network, OSPF will use the unicast mode. By adjusting the hello/dead timers you can make non-compatible OSPF network types appear as neighbors via the "show ip ospf neighbor" but they won't become "adjacent" with each other. OSPF network types that use a DR (broadcast and non-broadcast) can neighbor with each other and function properly. Likewise OSPF network types (point-to-point and point-to-multipoint) that do not use a DR can neighbor with each other and function properly. But if you mix DR types with non-DR types they will not function properly (i.e. not fully adjacent). You should see in the OSPF database "Adv Router is not-reachable" messages when you've mixed DR and non-DR types. OSPF has different Network Types Point-to-Point Point-to-Multipoint Broadcast Multi-Access Non- Broadcast Multi-Access OSPF will elect a DR and a BDR on Broadcast Multi-Access and Non-broadcast Access.

QUESTION NO: 319 Which one of the following OSPF network types needs to select a BDR? A. point-to-multipoint and multiaccess B. nonbroadcast and broadcast multipoint C. point-to-point and point-to-multipoint D. point-to-point and multi-access E. nonbroadcast and broadcast multiaccess

Answer: B,D,E Explanation: Layer 2 switching is considered hardware-based bridging because it uses specialized hardware called an application-specific integrated circuit (ASIC). ASICs can run up to gigabit speeds with very low latency rates. A router is commonly considered to be a DTE device, while a CSU/DSU is considered the DCE device. Switches usually have higher port number then bridge. Generally bridges have two ports. Both operates on Data link layer.

QUESTION NO: 4 As a network administrator, you will need to decide on the appropriate network devices to use. Which of the following correctly describes the roles of devices in a WAN? (Choose three) A. A modem terminates a digital local loop. B. A CSU/DSU terminates a digital local loop. C. A CSU/DSU terminates an analog local loop. D. A modem terminates an analog local loop. E. A router is commonly considered a DTE device.

Answer: C Explanation: While the switch powers on, it begins POST, a series of tests. POST runs automatically to verify that the switch functions properly. When the switch begins POST, the system LED is off. If POST completes successfully, the LED turns green. If POST fails, the LED turns amber. Note : POST failures are usually fatal. Call Cisco Systems if your switch does not pass POST.

QUESTION NO: 77 The system LED is amber on a Cisco Catalyst 2950 series switch. What does this indicate? A. The system is powered up and operational. B. The system is forwarding traffic. C. The system is malfunctioning. D. The system is not powered up.

Answer: B,D Explanation: For switches such as the 2950, the process is much the same as a router, but you should delete the VLAN.DAT file before reloading the router. This file contains VLAN information and is kept in flash, so it will still be present after a reload. switch1#delete vlan.dat Delete filename [vlan.dat]? Delete flash:vlan. Make sure to hit for the two questions regarding the deletion - if you answer "y" instead, the switch thinks you're trying to erase a file named "y"! After the reload is complete, you'll be prompted to enter setup mode. As you did with the router, enter "N" and begin to configure the router from user exec mode.

QUESTION NO: 78 A Catalyst 2950 needs to be reconfigured. What steps will ensure that the old configuration is erased? A. Erase the running configuration. B. Restart the switch. C. Modify the configuration register. D. Delete the VLAN database.

Answer: D Explanation: Switches use port address table to find locations of the receiving station. When a port receives a frame, switch will first study and then forward. Switches will check destination MAC addresses on the frame head, and search for the corresponding entries in port address table. If matching entry is found, switch will forward the frame from the designated port. If the port is the same port that receives this frame (sending and receiving stations are connected to the same port), switch will discard the frame. If no entry is found, or destination MAC address is broadcast address or multicast address, switch will flood out the frame from all the rest ports.

QUESTION NO: 84 What does a Layer 2 switch use to decide where to forward a received frame? A. source switch port B. destination IP address C. destination port address D. destination MAC address

Answer: A Explanation: Section 5: Perform and verify initial switch configuration tasks including remote access management (10 questions)

QUESTION NO: 86 The network administrator has discovered that the power supply has failed on a switch in the company LAN and that the switch has stopped functioning. It has been replaced with a Cisco Catalyst 2950 series switch. What must be done to ensure that this new switch becomes the root bridge on the network? A. Lower the bridge priority number. B. Change the MAC address of the switch. C. Increase the VTP revision number for the domain. D. Lower the root path cost on the switch ports. E. Assign the switch an IP address with the lowest value.

Answer: D Explanation: Switch is a layer 2 device and doesn't use network layer for packet forwarding. The IP address may be used only for administrative purposes such as Telnet access or for network management purposes.

QUESTION NO: 87 What is the purpose of assigning an IP address to a switch? A. To ensure that hosts on the same LAN can communicate with each other. B. To provide local hosts with a default gateway address C. To allow the switch to respond to ARP requests between two hosts D. To allow remote management of the switch.

Answer: B Explanation: Use the "ip default-gateway" command to enter the IP address of the next-hop router interface that is directly connected to the switch where a default gateway is being configured. The default gateway receives IP packets with unresolved destination IP addresses from the switch. Once the default gateway is configured, the switch has connectivity to the remote networks with which a host needs to communicate.

QUESTION NO: 89 As a trainee you are required to set the default gateway on a Cisco switch to the IP address of 192.168.1.115. Which IOS command should you use? A. switch(config)# ip default-network 192.168.1.115 B. switch(config)# ip default-gateway 192.168.1.115 C. switch(config)# ip route-default 192.168.1.115 D. switch(config)# ip route 192.168.1.115 0.0.0.0

Answer: A,B,C Explanation: Here, the trunk link is identified by its physical location as the switch module number and port number. The trunking mode can be set to any of the following: on -This setting places the port in permanent trunking mode. The corresponding switch port at the other end of the trunk should be similarly configured because negotiation is not allowed. The encapsulation or identification mode should also be manually configured. off -Th is setting places the port in permanent non-trunking mode. The port will attempt to convert the link to non-trunking mode. desirable -Selecting this port will actively attempt to convert the link into trunking mode. If the far end switch port is configured to on , desirable , or auto mode, trunking will be successfully negotiated. auto -The port will be willing to convert the link into trunking mode. If the far end switch port is configured to on or desirable , trunking will be negotiated. By default, all Fast Ethernet and Gigabit Ethernet links that are capable of negotiating using DTP are configured to this mode. Because of the passive negotiation behavior, the link will never become a trunk, if both ends of the link are left to the auto default. nonegotiate -The port is placed in permanent trunking mode, but no DTP frames are generated for negotiation. The far end switch port must be manually configured for trunking mode.

QUESTION NO: 92 What are the possible trunking modes for a switch port? (Choose three) A. Auto B. Desirable C. On D. Transparent

Answer: A,C Explanation: Section 6: Verify network status and switch operation using basic utilities (including: ping, traceroute, telnet, SSH, arp, ipconfig), SHOW & DEBUG commands (12 questions)

QUESTION NO: 96 An administrator would like to configure a switch over a virtual terminal connection from locations outside of the local LAN. Which of the following are required in order for the switch to be configured from a remote location? (Choose two.) A. The switch must be configured with an IP address, subnet mask, and default gateway. B. The switch must be connected to a router over a VLAN trunk. C. The switch must be reachable through a port connected to its management VLAN. D. The switch console port must be connected to the Ethernet LAN. E. The switch management VLAN must be created and have a membership of at least one switch port. F. The switch must be fully configured as an SNMP agent.

Answer: B,D Explanation: The extended ping command works only at the privileged EXEC command line. Some of the extended ping command values include the datagram size and timeout value as shown: Datagram size [100]: Size of the ping packet (in bytes). Default: 100 bytes. Timeout in seconds [2]: Timeout interval. Default: 2 (seconds). The ping is declared successful only if the ECHO REPLY packet is received before this time interval. The extended ping command works only at the privileged EXEC command line. Some of the extended ping command values include the datagram size and timeout value as shown: Datagram size [100]: Size of the ping packet (in bytes). Default: 100 bytes. Timeout in seconds [2]: Timeout interval. Default: 2 (seconds). The ping is declared successful only if the ECHO REPLY packet is received before this time interval. Incorrect Answers: A: Ports can not be specified. C: Regular pings are available in both user and privileged mode, but not extended pings

Regarding the extended ping command; which of the statements below are true?(Choose two) A. With the extended ping command you can specify the TCP and UDP port to be pinged. B. With the extended ping command you can specify the timeout value. C. The extended ping command is supported from user EXEC mode. D. The extended ping command is available from privileged EXEC mode.

The following features have been labelled in the ACL: 1. The first two permit statements allow access from any device to the web server at 2001:DB8:CAFE:10::10. 2. All other devices are denied access to the 2001:DB8:CAFE:10::/64 network. 3. PC3 at 2001:DB8:CAFE:30::12 is permitted Telnet access to PC2 which has the IPv6 address 2001:DB8:CAFE:11::11. 4. All other devices are denied Telnet access to PC2. 5. All other IPv6 traffic is permitted to all other destinations. 6. The IPv6 access list is applied to interface G0/0 in the inbound direction, so only the 2001:DB8:CAFE:30::/64 network is affected.

Restricted Access

A standard ACL can only filter traffic based on a source address. The basic rule for placement of a standard ACL is to place the ACL as close as possible to the destination network. This allows the traffic to reach all other networks except the network where the packets will be filtered.

Standard ACL Placement

Cisco IOS implements an internal logic to standard ACLs. Another part of the IOS internal logic involves the internal sequencing of standard ACEs. The show running-config command is used to verify the ACL configuration. Notice that the statements are listed in a different order than they were entered. We will use the show access-lists command to understand the logic behind this.

Standard ACL Sequence Numbers

Because standard ACLs do not specify destination addresses, place them as close to the destination as possible. Placing a standard ACL at the source of the traffic will effectively prevent that traffic from reaching any other networks through the interface where the ACL is applied.

Standard ACLs

Standard ACLs can be used to permit or deny traffic only from source IPv4 addresses. The destination of the packet and the ports involved are not evaluated.

Standard ACLs

TCP segments are marked with flags that denote their purpose: a SYN starts (synchronizes) the session; an ACK is an acknowledgment that an expected segment was received, and a FIN finishes the session. A SYN/ACK acknowledges that the transfer is synchronized. TCP data segments include the higher level protocol needed to direct the application data to the correct application. The TCP data segment also identifies the port which matches the requested service. For example, HTTP is port 80, SMTP is port 25, and FTP is port 20 and port 21. Figure 2 shows ranges of UDP and TCP ports.

TCP conversation Process

meaning that each TCP connection supports a pair of byte streams, each stream flowing in one direction. TCP includes a flow-control mechanism for each byte stream that allows the receiver to limit how much data the sender can transmit. TCP also implements a congestion-control mechanism.

TCP is a full-duplex protocol

Extended ACLs are used more often than standard ACLs because they provide a greater degree of control. extended ACLs check source addresses of packets, but they also check the destination address, protocols, and port numbers (or services). This provides a greater range of criteria on which to base the ACL. For example, an extended ACL can simultaneously allow email traffic from a network to a specific destination while denying file transfers and web browsing.

Testing Packets with Extended ACLs

A general rule for applying ACLs on a router can be recalled by remembering the three Ps. You can configure one ACL per protocol, per direction, per interface: One ACL per protocol - To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface. One ACL per direction - ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic. One ACL per interface - ACLs control traffic for an interface, for example, GigabitEthernet 0/0.

The Three Ps

R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255

To create a statement that will permit a range of IPv4 addresses in a numbered ACL 10 that permits all IPv4 addresses in the network 192.168.10.0/24, you would enter:

#no ipv6 traffic-filter command on the interface, and then enter the global no ipv6 access-list command to remove the access list. Note: IPv4 and IPv6 both use the access-class command to apply an access list to VTY ports.

To remove an ACL from an interface

The internet is a network of many different networks. True or False?

True

Restricting VTY access is a technique that allows you to define which IP addresses are allowed Telnet access to the router EXEC process. The following should be considered when configuring access lists on VTYs: - Both named and numbered access lists can be applied to VTYs. - Identical restrictions should be set on all the VTYs, because a user can attempt to connect to any of them.

Using an ACL to Control VTY Access

The show ip interface command is used to verify the ACL on the interface. The output from this command includes the number or name of the access list and the direction in which the ACL was applied. To view an individual access list use the show access-lists command followed by the access list number or name. The NO_ACCESS statements may look strange.

Verifying ACLs

Answer: A,E Explanation: By using a router to segment the network, we can 1. Control the traffic across Layer 3 and filter data based on Layer 3 information. 2. Reduce broadcasts to save on network resources and improve efficiency. When the router's interface receives the broadcast, it discard the broadcast without forwarding it on to other networks. Even though routers are known for breaking up broadcast domains by default, it's important to remember that they break up collision domains as well. There are two advantages of using routers in your network: * They don't forward broadcasts by default. * They can filter the network based on layer 3 (Network layer) information (e.g., IP address) by using IOS based firewall ie. ACL Four router functions in your network can be listed as follows: * Packet switching * Packet filtering * Internetwork communication * Path selection

What are some of the advantages of using a router to segment the network? (Choose two.) A. Filtering can occur based on Layer 3 information. B. Broadcasts are eliminated. C. Routers generally cost less than switches. D. Adding a router to the network decreases latency. E. Broadcasts are not forwarded across the router

Answer: E,F Explanation: Cisco Discovery Protocol (CDP) is primarily used to obtain protocol addresses of neighboring devices and discover the platform of those devices. CDP can also be used to show information about the interfaces your router uses. CDP is an independent media protocol and runs on all Cisco-manufactured devices including routers, bridges, access servers, and switches. It should be noted that CDP is a protocol which works on the layer2. By default, multicast advertise is sent every 60 seconds to 01-00-0 c-cc-cc-cc as the destination address . When reaching the holdtime of 180 seconds , if not receiving the advertise from neighboring devices yet, the information of neighboring devices will be cleared. Cisco Discovery Protocol (CDP) is a proprietary protocol designed by Cisco to help administrators collect information about both locally attached and remote devices. By using CDP, you can gather hardware and protocol information about neighbor devices, which is useful info for troubleshooting and documenting the network. You can use: Show cdp neighbor Show cdp neighbor details Commands to gather the information of connected neighbors.

What are two reasons a network administrator would use CDP? (Choose two.) A. to obtain VLAN information from directly connected switches B. to determine the status of network services on a remote device C. to determine the status of the routing protocols between directly connected routers D. to verify the type of cable interconnecting two devices E. to verify Layer 2 connectivity between two devices when Layer 3 fails F. to obtain the IP address of a connected device in order to telnet to the device

Answer: A Explanation: When an Ethernet switch receives a unicast frame with a destination MAC that is listed in the switch table, the switch will search its own MAC address table for the specific port mapping the MAC address. The switch won't forward the frame to all the ports. Thus, resources are saved and efficiency is improved. How Does the Switch Find Host MACs? Let's use the diagram below to help us understand how address learning process takes place.

What will an Ethernet switch do if it receives a unicast frame with a destination MAC that is listed in the switch table? A. The switch will forward the frame to a specific port. B. The switch will forward the frame to all ports except the port on which it was received. C. The switch will return a copy of the frame out the source port. D. The switch will remove the destination MAC from the switch table. E. The switch will not forward unicast frames.

Answer: C,D Explanation: A single device could not be sending a frame and receiving a frame at the same time because it would mean that a collision was occurring. So, devices simply chose not to send a frame while receiving a frame. That logic is called half-duplex logic. Ethernet switches allow multiple frames to be sent over different ports at the same time. Additionally, if only one device is connected to a switch port, there is never a possibility that a collision could occur. So, LAN switches with only one device cabled to each port of the switch allow the use of full-duplex operation. Full duplex means that an Ethernet card can send and receive concurrently. Incorrect Answers: A: Full duplex effectively doubles the throughput of half-duplex operation, because data can be both sent and received at the full 10/100 speed. B: In half duplex operation, the network is shared between all devices in the collision

When you consider half-duplex and full-duplex Ethernet, what are unique for half-duplex Ethernet? (Choose two.) A. Half-duplex Ethernet operates in an exclusive broadcast domain. B. Half-duplex Ethernet has efficient throughput. C. Half-duplex Ethernet operates in a shared collision domain D. Half-duplex Ethernet has lower effective throughput

The proper placement of an ACL can make the network operate more efficiently. An ACL can be placed to reduce unnecessary traffic. For example, traffic that will be denied at a remote destination should not be forwarded using network resources along the route to that destination. Every ACL should be placed where it has the greatest impact on efficiency. Note: For CCNA certification the general rule is that extended ACLs are placed as close as possible to the source and standard ACLs are placed as close as possible to the destination. Network administrators can only place ACLs on devices that they control. Therefore, placement must be determined in the context of where the control of the network administrator extends.

Where to Place ACLs

Link-local

Which IPv6 address type is only valid within a subnet?

Answer: B Explanation: Section 11: Differentiate between LAN/WAN operation and features (2 questions)

Which line from the output of the show ip interface command indicates a layer 1 problem? A. Serial0/1 is up, line protocol is down B. Serial0/1 is down, line protocol is down C. Serial0/1 is up, line protocol is up D. Serial0/1 is administratively down, line protocol is down

FF02::1:2

Which of the following IPv6 addresses is used by a host to contact a DHCP server?

Answer: B,D Explanation: Ping operates at the network layer; TCP operates at the transportation layer; and IP operates at the network layer. Section 5: Describe the purpose and basic operation of the protocols in the OSI and TCP models (7 questions)

Which of the following are associated with the application layer of the OSI model? (Choose two.) A. IP B. Telnet C. TCP D. FTP E. ping

Works through NAT Tunnel endpoints configured on routers Dual stack routers

Which of the following are characteristics of 6-to-4 tunneling? select three

Dual stack routers Dual stack host

Which of the following are characteristics of ISATAP for IPv6 tunneling? select two

Works through NAT Dual stack host Tunnel endpoints configured on hosts

Which of the following are characteristics of Teredo tunneling? select three

::DAFC:8904 2001::78:ABC:891F FE80::AB01:7894

Which of the following are correctly-formatted IPv6 addresses? select three

Answer: B,D Explanation: The Application Layer (Layer 7) refers to communications services to applications and is the interface between the network and the application. Examples include: Telnet, HTTP, FTP, Internet browsers, NFS, SMTP gateways, SNMP, X.400 mail, and FTAM. The Presentation Layer (Layer 6) defining data formats, such as ASCII text, EBCDIC text, binary, BCD, and JPEG. Encryption also is defined as a presentation layer service. Examples include: Cisco 640-802: Practice Exam "Pass Any Exam. Any Time." - www.actualtests.com 13 ActualTests.com JPEG, ASCII, EBCDIC, TIFF, GIF, PICT, encryption, MPEG, and MIDI . The Session Layer (Layer 5) defines how to start, control, and end communication sessions. This includes the control and management of multiple bidirectional messages so that the application can be notified if only some of a series of messages are completed. This allows the presentation layer to have a seamless view of an incoming stream of data. The presentation layer can be presented with data if all flows occur in some cases. Examples include: RPC, SQL, NFS, NetBios names, AppleTalk ASP, and DECnet SCP The Transport Layer (Layer 4) defines several functions, including the choice of protocols. The most important Layer 4 functions are error recovery and flow control. The transport layer may provide for retransmission, i.e., error recovery, and may use flow control to prevent unnecessary congestion by attempting to send data at a rate that the network can accommodate, or it might not, depending on the choice of protocols. Multiplexing of incoming data for different flows to applications on the same host is also performed. Reordering of the incoming data stream when packets arrive out of order is included. Examples include: TCP, UDP, and SPX. The Network Layer (Layer 3) defines end-to-end delivery of packets and defines logical addressing to accomplish this. It also defines how routing works and how routes are learned; and how to fragment a packet into smaller packets to accommodate media with smaller maximum transmission unit sizes. Examples include: IP, IPX, AppleTalk DDP, and ICMP. Both IP and IPX define logical addressing, routing, the learning of routing information, and end-to-end delivery rules. The IP and IPX protocols most closely match the OSI network layer (Layer 3) and are called Layer 3 protocols because their functions most closely match OSI's Layer 3. The Data Link Layer (Layer 2) is concerned with getting data across one particular link or medium. The data link protocols define delivery across an individual link. These protocols are necessarily concerned with the type of media in use. Examples include: IEEE 802.3/802.2, HDLC, Frame Relay, PPP, FDDI, ATM, and IEEE 802.5/802.2. The Physical Layer (Layer 1) deals with the physical characteristics of the transmission medium. Connectors, pins, use of pins, electrical currents, encoding, and light modulation are all part of different physical layer specifications. Examples includes: EIA/TIA-232, V.35, EIA/TIA-449, V.24, RJ-45, Ethernet, 802.3, 802.5, FDDI, NRZI, NRZ, and B8ZS. The Transport Layer : You can think of the transport layer of the OSI model as a boundary between the upper and lower protocols. The transport layer provides a data transport service that shields the upper layers from transport implementation issues such as the reliability of a connection. The transport layer provides mechanisms for: Segmenting upper layer applications The establishment, maintenance, and orderly termination of virtual circuits Information flow control and reliability via TCP. Transport fault detection and recovery The Network Layer : Layer three of the OSI model is the network layer. The network layer creates and sends packets from source network to destination network. Cisco 640-802: Practice Exam "Pass Any Exam. Any Time." - www.actualtests.com 14 ActualTests.com It provides consistent end-to-end packet delivery services and control information. It creates and uses layer 3 addresses for use in path determination and to forward packets. Incorrect Answers: A: Although the data link layer adds physical (MAC) source and destination addresses, it adds it to a frame, not a segment. C: This correctly describes the physical layer, not the presentation layer

Which of the following correctly describe steps in the OSI data encapsulation process? (Choose two) A. The data link layer adds physical source and destination addresses and an FCS to the segment. B. The transport layer divides a data stream into segments and adds reliability and flow control information. C. The presentation layer translates bits into voltages for transmission across the physical link. D. Packets are created when the network layer adds Layer 3 addresses and control information to a segment

Answer: B,C,D Explanation: Common TCP/UDP ports: TCP ports: 20 FTP data 21 FTP control 23 Telnet 25 SMTP 53 DNS 80 WWW 100 POP3 UDP ports: 53 DNS 69 TFTP 161 SNMP Note: DNS use TCP for regional transmission, and use UDP for name inquiry.

Which of the following services use UDP? (Choose three.) A. Telnet B. TFTP C. SNMP D. DNS

Answer: A,B,D Explanation: Both bridges and switches operate at the second layer of the OSI model, processing and forwarding frames from the data-link layer. Bridges are software based and switches are hardware based. Switches have more ports than bridges. Both bridges and switches forward frames based on MAC addresses.

Which of the following statements are true regarding bridges and switches? (Choose 3.) A. Both bridges and switches make forwarding decisions based on Layer 2 addresses. B. Switches have a higher number of ports than most bridges. C. Switches are primarily software based while bridges are hardware based. D. Both bridges and switches forward Layer 2 broadcasts. E. Bridges define broadcast domains while switches define collision domains. F. Bridges are frequently faster than switches. G. Both bridges and switches make forwarding decisions based on Layer 2 addresses.

Answer: B Explanation: Carrier Sense Multiple Access/Collision Detect (CSMA/CD) is the protocol for carrier transmission access in 10/100/1000 Ethernet networks. On Ethernet, any device can try to send a frame at any time. Each device senses whether the line is idle and therefore available to be used. If it is, the device begins to transmit its first frame. If another device has tried to send at the same time, a collision is said to occur and the frames are discarded. Each device then waits a random amount of time and retries until successful in getting its transmission sent. CSMA/CD is specified in the IEEE 802.3 standard. Reference: http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci213869,00.html

Which one of the following statements is the media access method that Gigabit Ethernet uses? A. CSMA/CA B. CSMA/CD C. point-to-point D. token passing

Answer: B Explanation: Full-duplex Ethernet uses two pairs of wires instead of one wire pair like half duplex. And full duplex uses a point-to-point connection between the transmitter of the transmitting device and the receiver of the receiving device. This means that with full-duplex data transfer, you get a faster data transfer compared to half duplex. Full-duplex mode: when data sending and receiving split stream, and transmit through two different transmission lines, both communication sides are able to send and receive at the same time, this kind of transmission is called full-duplex; Half duplex manner: If a single transmission line is used both for sending and receiving, although the data can be transmitted in two directions, but the two sides can not simultaneously send and receive data, such transmission is half-duplex. CSMA/CD is used to detect whether conflict protocol exists in half-duplex Ethernet. It is a halfduplex Ethernet work mode. Full-duplex mode will use two links to distinguish between send and receive action, and thus avoid conflict domain. To use full-duplex, the following requirements are required: 1. P2P Link, or point-to-point connection; 2. Both nodes support full-duplex; 3. Close conflict detection (CSMA/CD).

Which statement is true about full-duplex Ethernet in comparison to half-duplex Ethernet? A. Full-duplex Ethernet uses a loopback circuit to detect collisions. Half-duplex Ethernet uses a jam signal. B. Full-duplex Ethernet can provide higher throughput than can half-duplex Ethernet of the same bandwidth. C. Full-duplex Ethernet consists of a shared cable segment. Half-duplex Ethernet provides a pointto- point link. D. Full-duplex Ethernet uses two wires to send and receive. Half-duplex Ethernet uses one wire to send and receive.

Answer: A,B

Which two of these statements are true of IPV6 address representation? (Choose two) A. A single interface may be assigned multiple IPV6 addresses of any type B. Every IPV6 interface contains at least one loopback address. C. Leading zeros in an IPV6 16 bit hexadecimal field are mandatory. D. The first 64 bits represent the dynamically created interface ID

Answer: A,C Explanation: Two values are compared to elect a root bridge in STP: bridge priority and MAC address. Switch having lowest bridge ID will become the root bridge. The bridge ID is how STP keeps track of all the switches in the network. It is determined by a combination of the bridge priority (32,768 by default on all Cisco switches) and the base MAC address. The bridge with the lowest bridge ID becomes the root bridge in the network.

Which two values are used by Spanning Tree Protocol to elect a root bridge? (Choose two.) A. bridge priority B. IP address C. MAC address D. IOS version E. amount of RAM F. speed of the links

Answer: C Explanation: The ICMP protocol operates at the network layer.

While troubleshooting a network connectivity problem, a technician observes steady link lights on both the workstation NIC and the switch port to which the workstation is connected. However, when the ping command is issued from the workstation, the output message "Request timed out." is displayed. At which layer of the OSI model does the problem most likely exist? A. the access layer B. the application layer C. the network layer D. the session layer E. the data link layer F. the protocol layer

Answer: C Explanation: Switches build the MAC address table by listening to incoming frames and examining the source MAC address in the frame. Broadcast addresses are not source addresses in the broadcasts. There are three different address types: * Unicast : One source to One destination * Broadcast: One source to multiple destination * Multicast: One source to multiple destination joined to group On unicast or broadcast or multicast communication, the source address is always the unicast address but the destination address can be unicast, broadcast or multicast.

Why will a switch never learn a broadcast address? A. Broadcasts only use network layer addressing. B. Broadcast addresses use an incorrect format for the switching table. C. A broadcast address will never be the source address of a frame. D. Broadcast frames are never sent to switches. E. A broadcast frame is never forwarded by a switch.

Keywords host and any help identify the most common uses of wildcard masking. These keywords eliminate entering wildcard masks when identifying a specific host or an entire network. These keywords also make it easier to read an ACL by providing visual clues as to the source or destination of the criteria. The host keyword substitutes for the 0.0.0.0 mask. This mask states that all IPv4 address bits must match or only one host is matched. The any option substitutes for the IP address and 255.255.255.255 mask. This mask says to ignore the entire IPv4 address or to accept any addresses.

Wildcard Bit Mask Keywords

IPv4 ACEs include the use of wildcard masks. A wildcard mask is a string of 32 binary digits used by the router to determine which bits of the address to examine for a match. Note: Unlike IPv4 ACLs, IPv6 ACLs do not use wildcard masks. Instead, the prefix-length is used to indicate how much of an IPv6 source or destination address should be matched. IPv6 ACLs are discussed later in this chapter. As with subnet masks, the numbers 1 and 0 in the wildcard mask identify how to treat the corresponding IP address bits. However, in a wildcard mask, these bits are used for different purposes and follow different rules. Note: Wildcard masks are often referred to as an inverse mask. The reason is that, unlike a subnet mask in which binary 1 is equal to a match and binary 0 is not a match, in a wildcard mask the reverse is true. Wildcard masks are also used when configuring some IPv4 routing protocols, such as OSPF, to enable the protocol on specific interfaces.

Wildcard Masking

instead of entering # 0.0.0.0 255.255.255.255, you can use the keyword #any by itself.

Wildcard Masking Process with a Match Any IP Address

instead of entering #192.168.10.10 0.0.0.0, you can use #host 192.168.10.10.

Wildcard Masking Process with a Single IP Address

Wildcard masks use binary 1s and 0s to filter individual IP addresses or groups of IP addresses to permit or deny access to resources. Wildcard masks and subnet masks differ in the way they match binary 1s and 0s. Wildcard masks use the following rules to match binary 1s and 0s: Wildcard mask bit 0 - Match the corresponding bit value in the address. Wildcard mask bit 1 - Ignore the corresponding bit value in the address.

Wildcard masks use binary 1s and 0s

Teredo

You have a special server at work with a custom application installed. Connections to the server that use custom applications must use IPv6. The server is currently running IPv4. You are the only person who connects to the server, and you always use your laptop for the connections. Your laptop supports both IPv4 and IPv6. The rest of your company networks runs only IPv4. You need a cost-effective solution to allow your laptop to connect to the server. Your solution must also support communications through NAT servers. Which method should you use?

Global Unicast Addressing

You need to design an IPv6 addressing scheme for your network. The following are key requirements for your design. *infrastructure hosts, such as routers and servers, will be assigned static interface IDs while workstations, netbooks, tablets, and phones will be assigned interface IDs dynamically. *Internet access must be available to all hosts through an ISP *Site-to-Site WAN connections will be created using leased lines. Which type of IPv6 addressing is most appropriate for hosts in this network?

NAT-PT

Your company has just started contracting with the government. As part of the contract, you have to configure a special server for funning custom application. Contract terms dictate that this server use only IPv6. You have several hosts that need to communicate with this server. Host run only IPv4 and cannot be configured. Which solution would you use to allow the IPv4 clients to communicate with the IPv6 server?

ISATAP

Your company wants to begin the transition from IPv4 to IPv6. You want to stage the implementation on a host-by-host basis. You will enable IPv6 on existing hosts as time and budget allows. During the transition, all hosts in your site need to communicate with all other hosts. IPv6 should be used between hosts when both hosts support IPv. NAT support is not required. Which method should you use?

IPv6 address 2001:FEED:BEEF:0003::1/64

Your organization has been assigned a registered global routing prefix of 2001:FEED:BEEF::/48 by an ISP. Using your organizations IPv6 addressing scheme, you've used the next 16 bits beyond the global routing prefix to define the following subnets: *2001:FEED:BEEF:0001::/64 *2001:FEED:BEEF:0002::/64 *2001:FEED:BEEF:0003::/64 *2001:FEED:BEEF:0004::/64 Which interface configuration command would you use to do this?

IPv6 address FD01:A001:0001:0003::/64 eui-64

Your organization has decided to implement unique local unicast IPv6 addressing. A global ID of FD01:A001:0001::/48 been selected for the organizations IPv6 addressing scheme. The next 16 bits beyond the global ID have been used to define the following subnets: FD01:A001:0001:0001::/64 FD01:A001:0001:0002::/64 FD01:A001:0001:0003::/64 FD01:A001:0001:0004::/64 Which interface configuration command would you use to do this?

When different users are given different rights to data according to their responsibility.

access levels

global configuration command defines a standard ACL with a number in the range of 1 through 99. Cisco IOS Software Release 12.0.1 extended these numbers by allowing 1300 to 1999 to be used for standard ACLs. This allows for a maximum of 798 possible standard ACLs. These additional numbers are referred to as expanded IP ACLs.

access-list

A LAN with a server is sometimes called a

client server network

Another advantage of a LAN is that you can share an internet

connection

Another advantage of a LAN is that users can communicate using

email

The process of converting data into a code, especially to prevent unauthorised access on a network.

encryption

The established parameter allows only responses to traffic that originates from the 192.168.10.0/24 network to return to that network. A match occurs if the returning TCP segment has the ACK or reset (RST) bits set, which indicates that the packet belongs to an existing connection. Without the established parameter in the ACL statement, clients could send traffic to a web server, but not receive traffic returning from the web server.

established parameter

Another advantage of a LAN is that you can access the same

files

A network without a file server is called a

peer to peer network

Putting a file server in a locked room is an example of a

physical security measure

Needed to connect a network to the internet

router

A computer that is not connected to a network is called a

standalone computer

The layout of a network is called a

topology

Wi-Fi Protected Access (WPA) is a type of

wireless security

A computer attached to a network is sometimes called a

workstation