CCNP 642-811 BCMSN Exam Certification Guide - Cisco Press
Appendix A: Answers to Chapter “Do I Know This Already?” Quizzes and Q&A Sections
11. What command can verify the QoS trust relationship between an IP Phone and its attached PC?
show mls qos interface
-OR-
show interface switchport
Chapter 19
“Do I Know This Already?”
1.b
2.d
3.b
4.c
5.d
6.b
7.b
The trick is in the “maximum 3” keywords. This sets the maximum number of addresses that can be learned on a port. If only one static address is configured, two more addresses can be learned dynamically.
8.c
9.a
10.b
11.c
12.c
Because of the variety of user host platforms, port-based authentication (802.1x) cannot be used. The problem also states that the goal is to restrict access to physical switch ports, so AAA is of no benefit. Port security can do the job by restricting access according to the end users’ MAC addresses.
Q&A
1. What does the acronym “AAA” stand for? Authentication, authorization, and accounting
2. What external methods of authentication does a Catalyst switch support? RADIUS and TACACS+
3. A RADIUS server is located at IP address 192.168.199.10. What command can be used to configure a Catalyst switch to find the server?
radius-server host 192.168.199.10
4. A Catalyst switch should be configured to authenticate users against RADIUS servers first, followed by TACACS+ servers. What command can define the authentication methods? Make sure users can still authenticate if none of the servers are available.
aaa authentication login default radius tacacs+ local
5. What is the purpose of authorization? What happens if authorization is not used?
It allows an external server to decide if the authenticated user can gain access to specific resources or switch commands. If it is not used, the default behavior is that all users must authenticate as they move to the appropriate privilege level to run switch commands.
6. Is it possible to use different methods to authorize users to run switch commands instead of making configuration changes?
Yes; the aaa authorization command separates these functions so that each can have its own method list.
7. When might the command switchport port-security maximum 2 be used?
The switchport port-security maximum 2 command might be used if it is too much trouble to manually configure MAC addresses into the port security feature. Up to two MAC addresses would then be dynamically learned. The network administrator might also want to control what is connected to that switch port. If another switch or a hub were connected, the total number of active stations could easily rise above two.
8. After port-based authentication is configured and enabled, can any host connect as long as the user can authenticate?
No, only hosts that have 802.1x-capable applications can communicate with the switch port to properly authenticate at all.
9. When the 802.1x force-authorized keyword is used, how does the switch react to users attempting to connect?
The switch always authorizes any connecting user, without any authentication.
10. Can more than one host be authenticated on a single switch port with port-based authentication? Yes, if the dot1x multi-hosts command is configured on the switch port interface.
Chapter 20
“Do I Know This Already?”
1.c
2.d
3.d
4.a
5.b
6.a
7.c
8.a
9.c
10.d
11.a
12.b
Q&A
1. When a VACL is implemented on a switch, how is the switching speed affected?
It isn’t; VACLs are implemented in hardware, so packets can be inspected as they are being switched with no performance penalty.
2. What actions can be taken on packets matching a VACL?
Packets can be forwarded, dropped, marked for capture, or redirected to a different Layer 2 switch port.
3. After a VACL is applied using the vlan filter command, how is the traffic direction (inbound or outbound) specified?
It isn’t; VACLs operate on packets as they are being forwarded within a VLAN. Therefore, there is no concept of direction within the VLAN. A direction can’t be specified.
4. A secondary community VLAN is associated with a primary VLAN on a switch. Can hosts assigned to the community VLAN communicate with each other?
Yes, they can. However, they can’t communicate with any other community or isolated VLAN.
5. A secondary isolated VLAN is associated with a primary VLAN on a switch. Can hosts assigned to the isolated VLAN communicate with each other?
No, hosts on an isolated VLAN can’t even communicate among themselves. They can reach only the promiscuous host on the primary VLAN.
6. What command is needed to configure a promiscuous VLAN?
This isn’t possible. The primary VLAN can communicate with all the secondary VLANs that are associated with it. The only promiscuous objects that can be configured are promiscuous hosts, located on the primary VLAN.
7. A router is identified as the central gateway for a private VLAN. What command is needed to configure the switch port where a router is connected?
switchport mode private-vlan promiscuous
8. How many actual VLANs must be configured to implement a common router with two community VLANs?
Three VLANs must be used: one for the primary VLAN where the router is connected and two more for the secondary community VLANs. The primary VLAN will be logically associated with the two community VLANs, but all three must be configured.
9. How is switching performance affected when several SPAN sessions are enabled?
Switching performance is not affected. Packets are simply marked and copied into another switch port’s queue during a SPAN session. The original traffic is still forwarded without being modified or affected.
10. What command can specify the source of a SPAN session as VLAN 100? monitor session 1 source vlan 100
11. When a SPAN session is enabled, what direction of traffic flow (relative to the source port) is mirrored for analysis?
By default, traffic in both directions is mirrored.
12. What two things can identify more granular traffic to be mirrored to a SPAN destination?
A VLAN ACL (VACL) can match and mark packets for capture. A SPAN VLAN filter can also identify specific VLANs to mirror, if the source is a trunk port.
13. Three switches are connected in series with trunk links. The RSPAN source is on the first switch and the destination is on the third. How does the intermediate (second) switch learn about the RSPAN’s source and destination locations?
It doesn’t. The intermediate switch has no knowledge that RSPAN is being used. The only configuration needed is to define the RSPAN VLAN and to allow that VLAN on the trunk links. Beyond that, the intermediate switch can flood only the RSPAN packets to all ports carrying the RSPAN VLAN.
14. What must be configured on all switches connecting an RSPAN source and destination? What commands can be used?
The special-purpose RSPAN VLAN must be configured. Define the VLAN number and then use the remote-span command.
15. One of the advantages of RSPAN is that mirrored traffic can be isolated in the RSPAN VLAN on a trunk. If a GigabitEthernet port is to be monitored on one switch, which is better to use as a transport for the RSPAN VLAN: a GigabitEthernet trunk already carrying user traffic in other VLANs, or an isolated GigabitEthernet trunk link set aside for RSPAN?
The existing trunk will work fine because the RSPAN traffic will be isolated in its own VLAN. However, you must be careful not to place an excessive load on that trunk link. RSPAN traffic can easily add to the bandwidth burden on a link, considering that the source here is also a GigabitEthernet port. In this case, it might be better to transport the RSPAN mirrored traffic over its own trunk link, if one is available and cost-effective.