File: Testking_640-802_V13.pdf
Added: 03.05.2015
Size: 15.24 MB

Section 15: Interpret the output of various show and debug commands to verify the operational status of a Cisco switched network. (3 questions)

QUESTION NO: 1

The "show interfaces" command was issued on a TestKing router as shown below:

Assume that the router is configured with the default settings. Based on the information shown above, what type of router interface is this?

A.Ethernet

B.Gigabit Ethernet

C.FastEthernet

D.Synchronous Serial

E.Asynchronous Serial

Answer: C

Explanation:

See the output of a serial interface shown below and compare:

RouterA#show interfaces serial 0
Serial0 is down, line protocol is down
  Hardware is HD64570
  Internet address is 192.168.0.1/24
  MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=down  DSR=down  DTR=up  RTS=up  CTS=down

Leading the way in IT testing and certification tools, www.testking.com

- 251 -

In the exhibit the encapsulation type is ARPA, which only Ethernet-family interfaces use (serial interfaces default to HDLC, as in the output above, or PPP), so D and E are ruled out. Among the Ethernet types the BW field decides, because with default settings IOS reports the interface's native speed there: 10000 Kbit for Ethernet, 100000 Kbit for FastEthernet and 1000000 Kbit for Gigabit Ethernet. The first line of the output also names the interface directly (for example "FastEthernet0/0 is up, line protocol is up"). Note that the original explanation quotes the exhibit's bandwidth as BW=10000Kbit; that value is the 10 Mbit/s Ethernet default, while a FastEthernet interface shows BW 100000 Kbit, so verify the figure against the exhibit before relying on the given answer.
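As an added example (not part of the TestKing material), the following Python script parses the header fields of "show interfaces" output and classifies the interface from the encapsulation and the default BW values discussed above. The serial sample is the output quoted above; the FastEthernet sample is constructed for the example because the exhibit is not reproduced here, and its interface name, MAC and IP address are invented.

```python
import re

# Added example, not from the TestKing material: parse the header of
# "show interfaces" output and classify the interface type.

# Default BW values (Kbit) that IOS reports when no "bandwidth" command is set.
DEFAULT_BW_KBIT = {
    10000: "Ethernet",
    100000: "FastEthernet",
    1000000: "GigabitEthernet",
}

# Serial encapsulations; ARPA is the Ethernet-family encapsulation.
SERIAL_ENCAPS = {"HDLC", "PPP", "FRAME-RELAY"}

# The serial output quoted above, trimmed to the lines the parser reads.
SERIAL_OUTPUT = """\
Serial0 is down, line protocol is down
  Hardware is HD64570
  Internet address is 192.168.0.1/24
  MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set
"""

# Constructed sample of an Ethernet-family interface (the question's exhibit
# is not reproduced here; name, MAC and IP address are invented).
FASTETHERNET_OUTPUT = """\
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is 0011.2233.4455 (bia 0011.2233.4455)
  Internet address is 10.1.1.1/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
"""

HEADER_RE = re.compile(
    r"^(?P<name>\S+) is (?P<status>[\w ]+?), line protocol is (?P<proto>\w+)")
BW_RE = re.compile(r"\bBW (?P<bw>\d+) Kbit")
ENCAP_RE = re.compile(r"\bEncapsulation (?P<encap>[\w-]+)")


def parse_show_interfaces(text):
    """Extract name, link/protocol status, BW and encapsulation into a dict."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m and "name" not in fields:
            fields.update(m.groupdict())
            continue
        m = BW_RE.search(line)
        if m:
            fields["bw_kbit"] = int(m.group("bw"))
        m = ENCAP_RE.search(line)
        if m:
            fields["encap"] = m.group("encap").upper()
    return fields


def classify_interface(fields):
    """Name the interface type from the encapsulation first, then default BW."""
    encap = fields.get("encap")
    if encap in SERIAL_ENCAPS:
        return "Serial"
    if encap == "ARPA":
        # With default settings the BW line tells the Ethernet speeds apart.
        return DEFAULT_BW_KBIT.get(fields.get("bw_kbit"),
                                   "Ethernet-family (non-default BW)")
    return "Unknown"


def is_operational(fields):
    """Both the interface and the line protocol must be up to pass traffic."""
    return fields.get("status") == "up" and fields.get("proto") == "up"


if __name__ == "__main__":
    for sample in (SERIAL_OUTPUT, FASTETHERNET_OUTPUT):
        f = parse_show_interfaces(sample)
        print(f["name"], classify_interface(f),
              "operational" if is_operational(f) else "down")
```

The classifier deliberately checks the encapsulation before the bandwidth: a `bandwidth` command changes the BW field but not the encapsulation, so an ARPA interface with a non-default BW is still reported as Ethernet-family rather than misclassified.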

QUESTION NO: 2

The following output was displayed on a TestKing device:


Study the exhibit above. Switch-TestKing1 needs to send data to a host with the MAC address 00b0.d056.efa4. What will Switch-TestKing1 do with this data?

A.Switch-TestKing1 will send an ARP request out all its ports except the port from which the data originated

B.Switch-TestKing1 will drop the data because it does not have an entry for the MAC address

C.Switch-TestKing1 will forward the data to its default gateway

D.Switch-TestKing1 will flood the data out all of its ports except the port from which the data originated

E.None of the above

Answer: D

Explanation:

Switches work as follows:

Learning: the switch learns which MAC address is reachable through each of its ports by examining the source address of frames that are received on that port.

Forwarding: if the destination MAC address is in the MAC address table, the frame is forwarded only out the port listed for it, whether the destination host is attached to the same switch or is reached through a different switch.

Flooding: if the destination MAC address is not in the table, the switch floods the frame out all ports except the source port so that the destination host can be found; the host's reply then lets the switch learn its address.

In the output there is no entry for the given host's MAC address (00b0.d056.efa4), so the switch floods the frame out all ports except the source port. A switch does not generate ARP requests on behalf of hosts (choice A), since ARP is a Layer 3 function of the end stations, and it does not use a default gateway to forward frames (choice C); a switch's default gateway only serves its own management traffic.
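To make the learn / forward / flood decision concrete, here is an added Python model of a transparent switch (example code, not from the TestKing material). The port names and the pre-populated MAC table entries are constructed, since the exhibit is not reproduced here; only the destination address 00b0.d056.efa4 comes from the question.

```python
# Added example, not from the TestKing material: the learn / forward / flood
# decision a transparent switch makes for every received frame.

from collections import namedtuple

Frame = namedtuple("Frame", "src dst in_port")

BROADCAST = "ffff.ffff.ffff"


class LearningSwitch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}   # MAC address -> port, as in "show mac-address-table"

    def receive(self, frame):
        """Return (action, egress_ports) for one frame."""
        # Learning: the source address is associated with the ingress port
        # (a host that moves to another port simply overwrites its entry).
        self.mac_table[frame.src] = frame.in_port

        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            # Flooding: broadcasts and unknown unicasts go out every port
            # except the one the frame arrived on. No ARP is sent; a switch
            # plays no part in address resolution.
            return "flood", [p for p in self.ports if p != frame.in_port]

        out_port = self.mac_table[frame.dst]
        if out_port == frame.in_port:
            # Filtering: source and destination share a segment (e.g. a hub
            # on that port), so the frame is not forwarded anywhere.
            return "filter", []

        # Forwarding: known destination, single egress port.
        return "forward", [out_port]


def build_testking1():
    """Switch-TestKing1 with a constructed MAC table (the exhibit is not
    reproduced on this page); 00b0.d056.efa4 is deliberately absent."""
    sw = LearningSwitch(["Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"])
    sw.mac_table.update({
        "0000.0c12.3456": "Fa0/1",   # constructed entries
        "0000.0c65.4321": "Fa0/3",
    })
    return sw


if __name__ == "__main__":
    sw = build_testking1()
    # The question's case: a frame for 00b0.d056.efa4 arrives on Fa0/1.
    print(sw.receive(Frame("0000.0c12.3456", "00b0.d056.efa4", "Fa0/1")))
    # The reply from that host on Fa0/4 is learned, so later frames are forwarded.
    print(sw.receive(Frame("00b0.d056.efa4", "0000.0c12.3456", "Fa0/4")))
    print(sw.receive(Frame("0000.0c12.3456", "00b0.d056.efa4", "Fa0/1")))
```

The model also shows why flooding is a security concern: until the destination has spoken, every port, including any attacker's, sees the frame; MAC flooding attacks exploit exactly this by filling the table so that everything is flooded.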

QUESTION NO: 3

Some TestKing devices are connected as shown below:


The router shows the FastEthernet port as being up, and the computer on VLAN 3 can ping all of the FastEthernet IP addresses on the router.

Computer 1 is used to console into switch TestKingA. From the command prompt of switch TestKingA, the switch cannot ping the computer on VLAN 3. The switch configuration shown in the exhibit lists only the commands that are different from the default configuration. What is the problem, based on the information shown?

A.Computer 1 must be connected to a switch port in order to communicate with a device located on VLAN 3.

B.Switch TestKing A does not have a default gateway assigned.

C.The router is not routing VLAN 3 information.

D.The computer on VLAN 3 is assigned an incorrect IP address.

E.Switch A does not have an IP address assigned to the management VLAN.

Answer: B

Explanation:

This scenario requires inter-VLAN routing, which needs a Layer 3 device: the router, reached over the trunk. The router is already routing VLAN 3 traffic, because the computer on VLAN 3 can ping all of the router's FastEthernet addresses, so neither the trunk nor the router is the problem. The ping that fails is sourced by the switch itself, from its management interface, to a host on a different subnet. A Layer 2 switch can only reach other subnets if it has a default gateway (ip default-gateway) pointing at the router; no default gateway is configured on switch TestKingA, so its own traffic destined for VLAN 3 is never handed to the router.

Section 16: Implement basic switch security (including: port security, trunk access, management vlan other than vlan1, etc.) (6 questions)

QUESTION NO: 1

The TestKing network administrator wants to ensure that only a single web server can connect to port Fa0/1 on a Catalyst switch. The server is plugged into the switch's Fast Eth. 0/1 port and the network administrator is about to bring the server online. What can the administrator do to ensure that only the MAC address of this server is allowed by switch port Fa0/1? (Choose two)

A.Configure port Fa0/1 to accept connections only from the static IP address of the server

B.Configure the MAC address of the server as a static entry associated with port Fa0/1


C.Employ a proprietary connector type on Fa0/1 that is incompatible with other host connectors

D.Configure port security on Fa0/1 to reject traffic with a source MAC address other than that of the server

E.Bind the IP address of the server to its MAC address on the switch to prevent other hosts from spoofing the server IP address

Answer: B, D

Explanation:

You can use port security to block input to an Ethernet, Fast Ethernet, or Gigabit Ethernet port when the MAC address of the station attempting to access the port is different from any of the MAC addresses specified for that port.

When a secure port receives a frame, its source MAC address is compared to the list of secure addresses that were manually configured or learned on the port. If the address is not in the list (or the maximum number of secure addresses has already been reached), a security violation occurs and the port reacts according to its configured violation mode. In shutdown mode, the default, the port is placed in the err-disabled state and stays down until an administrator re-enables it or errdisable recovery brings it back after the configured interval. In restrict mode the port stays up, frames from the offending address are dropped, the violation counter increments, and an SNMP trap and a syslog message are sent. In protect mode the port also stays up and drops the frames, but nothing is logged.

Answers B and D are the two that actually bind the port to the server's MAC address: a static secure MAC address (switchport port-security mac-address H.H.H) together with port security itself, which rejects any other source address on Fa0/1. Choices A and E work at the IP layer and do not constrain the source MAC address, which is what the question asks for.

QUESTION NO: 2

The network administrator has configured port security on a TestKing switch. Why would a network administrator configure port security on this TestKing device?

A.To prevent unauthorized hosts from getting access to the LAN

B.To limit the number of Layer 2 broadcasts on a particular switch port

C.To prevent unauthorized Telnet or SSH access to a switch port

D.To prevent the IP and MAC address of the switch and associated ports

E.None of the above

Answer: A

Explanation:

You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port.

If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a station attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs. Also, if a station with a secure MAC address configured or learned on one secure port attempts to access another secure port, a violation is flagged.

Reference: http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a008

QUESTION NO: 3

The network security policy for TestKing requires that only one host be permitted to attach dynamically to each switch interface. If that policy is violated, the interface should be automatically disabled. Which two commands must the TestKing network administrator configure on the 2950 Catalyst switch to meet this policy? (Choose two)

A.SWTestKing1(config-if)# switchport port-security maximum 1

B.SWTestKing1(config)# mac-address-table secure

C.SWTestKing1(config)# access-list 10 permit ip host

D.SWTestKing1(config-if)# switchport port-security violation shutdown

E.SWTestKing1(config-if)# ip access-group 10

Answer: A, D

Explanation

Catalyst switches offer the port security feature to control port access based on MAC addresses. Port security is configured per interface, and on the 2950 the interface must first be a static access port (switchport mode access); the command is rejected on a port in dynamic trunking mode. Begin by enabling it with the following interface configuration command:

Switch(config-if)# switchport port-security

Next, you must identify a set of allowed MAC addresses so that the port can grant them access. You can explicitly configure addresses or they can be dynamically learned from port traffic. On each interface that uses port security, specify the maximum number of MAC addresses that will be allowed access using the following interface configuration command (the default is 1):

Switch(config-if)# switchport port-security maximum max-addr

Finally, you must define how each interface using port security should react if a MAC address is in violation by using the following interface configuration command:

Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}

A violation occurs if more than the maximum number of MAC addresses are learned, or if an unknown (not statically defined) MAC address attempts to transmit on the port. The switch port takes one of the following configured actions when a violation is detected:

shutdown - The port is immediately put into the errdisable state, which effectively shuts it down. It must be re-enabled manually (shutdown, then no shutdown) or through errdisable recovery to be used again. This is the default mode and the one the policy in this question calls for.

restrict - The port is allowed to stay up, but all packets from violating MAC addresses are dropped. The switch keeps a running count of the number of violating packets and can send an SNMP trap and a syslog message as an alert of the violation.

protect - The port is allowed to stay up, as in the restrict mode. Although packets from violating addresses are dropped, no record of the violation is kept.

The current state, violation mode and violation count of an interface can be checked with show port-security interface fa0/1.

QUESTION NO: 4

Three hosts connect to a TestKing switch as shown below:

TestKing3 Mac Address Table Exhibit:


Ethernet FrameExhibit:

You work as a network technician at TestKing and are working on the network shown above. You are administering the 2950 Cisco switch named TestKing3 and you enter the following commands on interface fa0/1 of the switch.

TestKing3(config-if)# switchport port-security
TestKing3(config-if)# switchport port-security mac-address sticky
TestKing3(config-if)# switchport port-security maximum 1

The Ethernet frame that is shown arrives on interface fa0/1. Based on the information provided, what two functions will occur when this frame is received by TestKing3? (Choose two)

A.All frames arriving on TestKing3 with a destination of 0000.00aa.aaaa will be forwarded out fa0/1.

B.Hosts B and C may forward frames out fa0/1 but frames arriving from other switches will not be forwarded out fa0/1.

C.Only frames from source 0000.00bb.bbbb, the first learned MAC address of TestKing3, will be forwarded out fa0/1.

D.This frame will be discarded when it is received by TestKing3.

E.Only host A will be allowed to transmit frames on fa0/1.

F.The MAC address table will now have an additional entry of fa0/1 FFFF.FFFF.FFFF.

Answer: A, E

Explanation:


The configuration shown here is an example of port security, specifically port security using sticky addresses. You can use port security with dynamically learned and static MAC addresses to restrict a port's ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port. When you assign secure MAC addresses to a secure port, the port does not forward ingress traffic that has source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the device attached to that port has the full bandwidth of the port.

Port security with sticky MAC addresses provides many of the same benefits as port security with static MAC addresses, but sticky MAC addresses can be learned dynamically. Port security with sticky MAC addresses retains dynamically learned MAC addresses during a link-down condition.

If you enter a write memory or copy running-config startup-config command, then port security with sticky MAC addresses saves dynamically learned MAC addresses in the startup-config file and the port does not have to learn addresses from ingress traffic after bootup or a restart.

Since the maximum number of secure MAC addresses has been set to 1 and host A's frame is the first to arrive, host A's address becomes the single sticky secure address on fa0/1, and from then on only host A is allowed to transmit frames on that port, making choice E correct. Choice A follows from normal MAC learning: the source address of the arriving frame, 0000.00aa.aaaa, is recorded against fa0/1, so frames destined for it are forwarded out fa0/1.
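The following added Python model (example code, not from the TestKing material) ties together the port-security behaviour described in Questions 3 and 4 above and the sticky-address behaviour asked about in Question 5 below: a maximum count, static and sticky-learned addresses, the three violation modes, and what appears in the running configuration versus what a write memory saves. The class and method names are this example's own; the IOS commands quoted in the comments are the real ones from the explanations above, and the link-down behaviour is modelled on the statement above that sticky addresses survive a link-down while plain dynamic ones do not.

```python
# Added example, not from the TestKing material: a model of Catalyst port
# security. Class/method names are this example's own; the IOS commands in
# the comments are the real ones quoted in the explanations above.


class SecurePort:
    """A switch port on which 'switchport port-security' has been entered."""

    def __init__(self, name, maximum=1, violation="shutdown", sticky=False):
        if violation not in ("shutdown", "restrict", "protect"):
            raise ValueError(violation)
        self.name = name
        self.maximum = maximum      # switchport port-security maximum N (default 1)
        self.violation = violation  # switchport port-security violation {...} (default shutdown)
        self.sticky = sticky        # switchport port-security mac-address sticky
        self.static = set()         # switchport port-security mac-address H.H.H
        self.learned = []           # dynamic or sticky secure addresses, in learned order
        self.err_disabled = False
        self.violation_count = 0    # SecurityViolation counter in "show port-security"
        self.alerts = []            # SNMP trap / syslog notifications

    def add_static(self, mac):
        self.static.add(mac)

    def secure_addresses(self):
        return self.static | set(self.learned)

    def ingress(self, src_mac):
        """Admission decision for a frame with this source MAC: 'accept' or 'drop'."""
        if self.err_disabled:
            return "drop"                    # an err-disabled port passes nothing
        if src_mac in self.secure_addresses():
            return "accept"
        if len(self.secure_addresses()) < self.maximum:
            self.learned.append(src_mac)     # learned as a secure address
            return "accept"
        return self._violate(src_mac)

    def _violate(self, src_mac):
        if self.violation == "shutdown":
            # Port goes to errdisable; it stays down until re-enabled by
            # hand (shutdown / no shutdown) or by errdisable recovery.
            self.err_disabled = True
            self.violation_count += 1
            self.alerts.append(f"{self.name}: violation by {src_mac}, err-disabled")
        elif self.violation == "restrict":
            # Port stays up, the frame is dropped, the counter increments
            # and a trap/syslog message is generated.
            self.violation_count += 1
            self.alerts.append(f"{self.name}: violation by {src_mac}, restricted")
        # protect: the frame is dropped silently and nothing is recorded.
        return "drop"

    def link_down(self):
        """Sticky addresses survive a link-down; plain dynamic ones are lost."""
        if not self.sticky:
            self.learned.clear()

    def running_config(self):
        """The interface section with every setting written out (IOS itself
        omits values that are still at their defaults)."""
        lines = [f"interface {self.name}",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            # sticky-learned addresses are written into the running config
            lines += [f" switchport port-security mac-address sticky {m}"
                      for m in self.learned]
        lines += [f" switchport port-security mac-address {m}"
                  for m in sorted(self.static)]
        return lines


def write_memory(port):
    """copy running-config startup-config: only what is in the running config
    survives a reload, so sticky addresses persist and plain dynamic ones do not."""
    return list(port.running_config())


def question4_scenario():
    """fa0/1 from Question 4: sticky, maximum 1, host A's frame arrives first."""
    fa01 = SecurePort("FastEthernet0/1", maximum=1, sticky=True)
    first = fa01.ingress("0000.00aa.aaaa")    # host A becomes the sticky secure address
    second = fa01.ingress("0000.00bb.bbbb")   # host B violates; default mode is shutdown
    return fa01, first, second


if __name__ == "__main__":
    port, a, b = question4_scenario()
    print(a, b, "err-disabled" if port.err_disabled else "up")
    print("\n".join(write_memory(port)))
```

Two points the model makes visible: with the default shutdown mode a single stray frame takes the whole port down, including for the legitimate host, which is why restrict is often preferred on user-facing ports; and a sticky address that was learned but never saved with write memory is gone after a reload, so the first host to plug in afterwards becomes the new secure address.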

QUESTION NO: 5

You have configured a TestKing switch as shown below:

TestKing3(config-if)# switchport port-security
TestKing3(config-if)# switchport port-security mac-address sticky

Select the action below that results from executing these commands.

A.A dynamically learned MAC address is saved in the VLAN database.

B.A dynamically learned MAC address is saved in the startup-configuration file.

C.Statically configured MAC addresses are saved in the startup-configuration file if frames from that address are received.

D.A dynamically learned MAC address is saved in the running-configuration file.

E.Statically configured MAC addresses are saved in the running-configuration file if frames from that address are received.

F.None of the above

Answer: D

Explanation:

With port security, the switch supports these types of secure MAC addresses:
