Scenario Answers


Scenario 1 Answers

1.

The link is still an access link, with no trunking established, because both switches are set to auto mode. The switches are passively waiting for the other to initiate trunking.

2.

Trunking is still not established. Catalyst A is waiting to be asked to trunk, and Catalyst B is set to nonegotiate. Catalyst B will never try to negotiate trunking because its DTP packets have been silenced.

3.

Trunking finally has been established. Both switches A and B will use DTP, and B will effectively ask A to bring up a trunk link.

4.

Trunking. Catalyst A expects trunking on the link, while Catalyst C actively tries to negotiate trunking.

5.

No. The two PC devices are connected to different VLANs. Without a router or Layer 3 device connecting the VLANs, no traffic will cross between them.

6.

All hosts on VLAN 1 (PC-1, PC-2, and PC-3) will experience the broadcast storm. All trunk links between switches will transport the broadcast frames. In addition, all switch supervisor CPUs will receive and process the broadcasts because each switch has an IP address for management assigned to VLAN 1. (For this reason, it is recommended to reserve VLAN 1 for control protocol traffic only. User-generated broadcasts can overload the switch supervisor to the extent that it no longer can keep track of its control or "overhead" protocols, such as VTP, CDP, and so forth. Instead, all user traffic should be kept off VLAN 1.)
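The four trunking outcomes above follow from how each DTP mode reacts to its peer. The following Python model is an added example, not code from the book or from Cisco: it encodes one simplified reading of the DTP rules (access never trunks, trunk always trunks, dynamic desirable initiates, dynamic auto only answers, and a peer with nonegotiate or in access mode sends no DTP frames) and reports whether a link ends up as a trunk, an access link, or a mismatch where only one end trunks. The mode names are the IOS keywords; the rule set itself is this example's assumption.

```python
# Added example, not from the book: a simplified model of how the DTP
# modes on the two ends of a link decide whether the link trunks.
# The rules below are this example's reading of the chapter, not IOS code.

ACCESS = "access"
TRUNK = "trunk"
AUTO = "dynamic auto"            # the IOS default: waits to be asked
DESIRABLE = "dynamic desirable"  # actively asks the peer to trunk


def _settles_as_trunk(mode, nonegotiate, peer_mode, peer_nonegotiate):
    """Does this end of the link end up trunking?"""
    if mode == ACCESS:
        return False                      # never trunks
    if mode == TRUNK:
        return True                       # trunks unconditionally
    # Dynamic modes need DTP frames from the peer; a peer with
    # "switchport nonegotiate" (or in access mode) sends none.
    peer_talks_dtp = peer_mode != ACCESS and not peer_nonegotiate
    if not peer_talks_dtp:
        return False
    if mode == DESIRABLE:
        return True                       # initiates, trunks with any DTP peer
    return peer_mode in (TRUNK, DESIRABLE)  # auto only answers an active peer


def link_result(mode_a, mode_b, nonegotiate_a=False, nonegotiate_b=False):
    """Return 'trunk', 'access', or 'mismatch' (one end trunking, one not)."""
    a = _settles_as_trunk(mode_a, nonegotiate_a, mode_b, nonegotiate_b)
    b = _settles_as_trunk(mode_b, nonegotiate_b, mode_a, nonegotiate_a)
    if a and b:
        return "trunk"
    if not a and not b:
        return "access"
    return "mismatch"


if __name__ == "__main__":
    # The Scenario 1 combinations, using the modes the answers describe
    print("auto/auto       ->", link_result(AUTO, AUTO))        # access (answer 1)
    print("desirable/auto  ->", link_result(DESIRABLE, AUTO))   # trunk  (answer 3)
    print("trunk/desirable ->", link_result(TRUNK, DESIRABLE))  # trunk  (answer 4)
    print("auto/trunk+nonegotiate ->",
          link_result(AUTO, TRUNK, nonegotiate_b=True))         # one-sided: mismatch
```

The "mismatch" result is the case worth watching in a real network: a port that trunks unconditionally while its neighbor stays in access mode is exactly the inconsistency that DTP is supposed to prevent, and it is why fixing the mode on both ends is preferred over leaving the dynamic-auto default in place.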

Scenario 2 Answers

1.

Yes. PC-1 and PC-2 are connected to access VLAN switch ports, VLAN 2 and VLAN 10, respectively. Normally, if these were assigned to different VLANs, they could not ping each other unless a Layer 3 device were present to route between the Layer 2 VLANs. In this case, however, the link between Catalyst A and B is the key. On one switch, the link is an access VLAN port on VLAN 2; on the other end, it is an access VLAN port on VLAN 10. These are physically connected, and each switch has no knowledge of what VLAN the other has assigned to the link. Therefore, data can pass across the link freely, connecting the two VLANs.

2.

No. Again, the key is the link between Catalyst B and C. Catalyst B has the link configured as an ISL trunk, whereas Catalyst C has it configured as an 802.1Q trunk. Because the trunk encapsulations are different, no data will pass between them.

3.

Yes, the trunk link on each switch will come up successfully, even though the trunk will not work end to end because of the encapsulation mismatch. This is because DTP packets will be exchanged, but both ends of the link are configured to trunk unconditionally.

As a side note, DTP and CDP packets will be exchanged between the switches. Both of these protocols are sent over VLAN 1 in ISL encapsulation and over the native VLAN (VLAN 1, by default) in dot1Q encapsulation. Because the trunk encapsulation is different on each end of the link, each switch will tag VLAN 1 differently. Therefore, VLAN 1 will not be contiguous across the link, and these protocols will not pass successfully.

4.

VLAN 1 will not be pruned. Although VLAN 1 is present on all switches, it is not pruned because VLAN 1 is ineligible for pruning by definition.

5.

Only Catalyst C creates VLAN 14 in response to VTP advertisements. Catalyst B in transparent mode relays only the VTP information, without interpreting the information.

6.

Only Catalyst B creates VLAN 15. Because it is in transparent mode, no VLAN activity will be advertised to other neighboring switches. However, Catalyst B is allowed to create, delete, and rename VLANs freely. These VLANs are significant only to the local switch.

7.

Catalyst C will not allow any VLANs to be created unless they are learned from a VTP server in the bermuda domain. Because it is in VTP client mode, no VLAN changes can be performed from the console.

Scenario 3 Answers

1.

All bundled ports must have the same set of allowed VLANs, the same native VLAN, the same trunk encapsulation, and the same trunk mode. (In addition, the switch ports all must have identical speed and duplex settings.)

2.

You can use the following configuration commands:

CatalystA(config)# interface range gigabitethernet 3/1 - 4
CatalystA(config-if)# channel-protocol pagp
CatalystA(config-if)# channel-group 1 mode desirable

3.

The Catalyst 6500 default algorithm is the XOR of the source and destination IP addresses, using the port-channel load-balance src-dst-ip command.

4.

Most of the traffic crossing the EtherChannel will have the same two MAC addresses as source or destination: those of the two Layer 3 interfaces. Therefore, the src-dst-mac algorithm always will use only one of the four links within the EtherChannel. The source and destination IP addresses, however, probably will be varied and will yield the best distribution.
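To see why the MAC-based algorithm collapses onto a single link, the following Python model is an added example (not code from the book or from Cisco). It assumes a simplified hash: XOR the two addresses and keep the low-order log2(links) bits to pick a member link. The real Catalyst hash is platform specific, but the effect the answer describes, one MAC pair always landing on one link while varied IP pairs spread out, is reproduced. The router MAC addresses and the client/server IP addresses are constructed for the example.

```python
# Added example, not from the book: a simplified model of EtherChannel
# load distribution. Real Catalyst hashing is platform specific; this
# model XORs the two addresses and keeps log2(links) low-order bits,
# which reproduces the "same MAC pair always lands on one link" effect.

import ipaddress

# Constructed addresses: the Layer 3 interfaces on the two switches
ROUTER_A_MAC = "0000.0c12.3456"
ROUTER_B_MAC = "0000.0c65.4321"


def mac_to_int(mac):
    """Accepts 0000.0c12.3456 or 00:00:0c:12:34:56 notation."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def pick_link(flow, links, method):
    """Index (0 .. links-1) of the member link chosen for one flow.

    flow   : dict with src_mac, dst_mac, src_ip, dst_ip
    method : 'src-dst-mac' or 'src-dst-ip'
    links  : 2, 4 or 8 (the model assumes a power of two)
    """
    bits = links.bit_length() - 1
    if 1 << bits != links:
        raise ValueError("model assumes 2, 4 or 8 member links")
    if method == "src-dst-mac":
        a, b = mac_to_int(flow["src_mac"]), mac_to_int(flow["dst_mac"])
    elif method == "src-dst-ip":
        a = int(ipaddress.IPv4Address(flow["src_ip"]))
        b = int(ipaddress.IPv4Address(flow["dst_ip"]))
    else:
        raise ValueError(f"unknown method {method}")
    return (a ^ b) & ((1 << bits) - 1)


def distribution(flows, links, method):
    """How many flows each member link would carry."""
    counts = [0] * links
    for flow in flows:
        counts[pick_link(flow, links, method)] += 1
    return counts


def routed_flows(n=200):
    """Constructed traffic: n clients 10.1.0.1 .. 10.1.0.n reaching one server,
    all crossing the routed EtherChannel, so every frame carries the same
    two router MAC addresses but a different IP pair."""
    return [
        {"src_mac": ROUTER_A_MAC, "dst_mac": ROUTER_B_MAC,
         "src_ip": f"10.1.0.{i}", "dst_ip": "10.2.0.50"}
        for i in range(1, n + 1)
    ]


if __name__ == "__main__":
    flows = routed_flows()
    print("src-dst-mac:", distribution(flows, 4, "src-dst-mac"))  # one busy link
    print("src-dst-ip :", distribution(flows, 4, "src-dst-ip"))   # even spread
```

With four links the MAC method puts all 200 flows on one member, and the IP method puts 50 on each; the same reasoning explains why a channel between two routers is the classic case for choosing an IP-based or port-based algorithm.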

Scenario 4 Answers

1.

The spanning-tree topology should look like the diagram in Figure 19-9. Catalyst A is the root bridge, and only the 1000-Mbps link is forwarding. The root ports (RP) and designated ports (DP) are labeled on the diagram.

Figure 19-9. Resulting Spanning-Tree Topology for Scenario 4


2.

Because the 100-Mbps link is in the Blocking state on Catalyst B, no major change in the topology occurs. Effectively, this link already was "disconnected." However, after the physical link status goes down, both Catalyst A and Catalyst B sense the change and begin sending TCN BPDUs to notify each other of the topology change. Because Catalyst A is the root bridge, it acknowledges the TCN to Catalyst B. Both switches age out their MAC address tables in Forward Delay seconds.

3.

Disconnecting the 1000-Mbps link causes Catalyst B to immediately find another root port. Ports 1/1 and 1/2 go into the Listening state, waiting to receive BPDUs. Port 1/2, with a cost of 19, becomes the next root port as soon as Catalyst B computes the root path cost (0+19) for it. Port 1/2 stays in the Listening state for Forward Delay (15 seconds), and then in the Learning state for Forward Delay (15 seconds). Port 1/2 moves into the Forwarding state, restoring connectivity in 30 seconds. (If PAgP is operating on the port, an additional delay of 20 seconds occurs.)

4.

Because the 1000-Mbps link's status stays up, neither Catalyst detects a link failure. Therefore, no immediate attempt to find another root port occurs. Instead, Catalyst B will not receive BPDUs from Catalyst A over link GigabitEthernet 2/1 because they are being filtered out. After the MaxAge Timer expires (20 seconds), Catalyst B ages out the stored BPDU for Catalyst A on port GigabitEthernet 2/1. Catalyst B moves ports FastEthernet 1/1 and 1/2 into the Listening state to determine a new root port. As in step 3, port FastEthernet 1/2 becomes the root port with a lower root path cost than port FastEthernet 1/1. The port moves through the Listening (15 seconds) and Learning (15 seconds) states and into the Forwarding state. The total time that has elapsed before connectivity restores is 20 + 15 + 15 = 50 seconds. (Again, if PAgP is active on the port, an additional 20 seconds can be added to the delay.)

Scenario 5 Answers

1.

The Unidirectional Link Detection (UDLD) feature can be used. You can use the udld aggressive global-configuration command to enable UDLD on all fiber-optic ports. UDLD must be enabled on both ends of a link, so it should be enabled on switches A1 and also C1 and C2.

2.

The BPDU Guard feature can be used to detect and stop unexpected BPDUs from being received on access layer ports. You can use the following interface-configuration command to enable this feature:

Switch(config-if)# spanning-tree bpduguard enable

3.

The spanning-tree portfast interface-configuration command defines an edge port.

4.

You can use the following global configuration command to enable rapid PVST+:

Switch(config)# spanning-tree mode rapid-pvst

5.

A minimum of two MST instances are needed so that traffic can be load-balanced. One instance can support VLANs 100 through 104; the other can support VLANs 200 through 204. To load-balance, traffic from one instance must be carried over one uplink while the other instance is carried over the second uplink.

6.

You can use these configuration commands:

Switch(config)# spanning-tree mode mst
Switch(config)# spanning-tree mst configuration
Switch(config-mst)# name NorthWestDivision
Switch(config-mst)# revision 1
Switch(config-mst)# instance 1 vlan 100,101,102,103,104,99
Switch(config-mst)# instance 2 vlan 200,201,202,203,204
Switch(config-mst)# exit

Notice that VLAN 99, used for switch-management traffic, also is mapped to an MST instance. It is sometimes easy to forget about nonuser or nonaccess VLANs.

7.

This command makes C1 become the MST root bridge for instance 1:

Switch(config)# spanning-tree mst 1 root primary

This causes the uplink from C1 to A1 to be used for instance 1 by keeping it in the Forwarding state. Switch C2 also should be configured as the root for MST instance 2 so that the other uplink can be used for those VLANs.

Scenario 6 Answers

1.

You can configure HSRP load balancing with the following Catalyst configuration commands:

Switch(config)# interface vlan 101
Switch(config-if)# ip address 192.168.101.2 255.255.255.0
Switch(config-if)# standby 101 priority 110
Switch(config-if)# standby 101 preempt
Switch(config-if)# standby 101 ip 192.168.101.1
Switch(config-if)# interface vlan 102
Switch(config-if)# ip address 192.168.102.2 255.255.255.0
Switch(config-if)# standby 102 priority 100
Switch(config-if)# standby 102 preempt
Switch(config-if)# standby 102 ip 192.168.102.1

The default gateway address that is shared between the switches is configured as 192.168.101.1 for VLAN 101 and 192.168.102.1 for VLAN 102. In VLAN 101, the virtual interface has an IP address of 192.168.101.2. Two HSRP groups are defined, one for each VLAN. Interface VLAN 101 will be the active router for VLAN 101 because of its higher priority of 110 (over a default of 100 on the other Catalyst). If control is passed to the standby router, this router can assume control again through the use of the preempt command. For VLAN 102, the roles are reversed. This router becomes the standby router in Group 102, with its lower priority of 100. (The other switch will be configured with priority 110 for VLAN 102 to take the active router role.)

2.

Functionally, VRRP is very similar to HSRP. The following commands can be used to configure VRRP. No commands are necessary to enable the router to pre-empt for VRRP; pre-emption is the default.

Switch(config)# interface vlan 101
Switch(config-if)# ip address 192.168.101.2 255.255.255.0
Switch(config-if)# vrrp 101 priority 110
Switch(config-if)# vrrp 101 ip 192.168.101.1
Switch(config-if)# interface vlan 102
Switch(config-if)# ip address 192.168.102.2 255.255.255.0
Switch(config-if)# vrrp 102 priority 100
Switch(config-if)# vrrp 102 ip 192.168.102.1

3.

The answers to the four parts of this question are as follows:

  1. By default, all switches have a GLBP priority of 100. Catalyst B's priority can be raised with the glbp 10 priority 200 command.

  2. Only the AVG switch, Catalyst B, needs to be configured with the gateway address. It will inform all other members of the group. You should use the glbp 10 ip 192.168.10.1 command.

  3. glbp 10 load-balancing round-robin

  4. Each AVF switch should receive the glbp 10 ip interface-configuration command. No IP address is needed here because the virtual gateway address is learned from the group's AVG.

Scenario 7 Answers

1.

With IGMP snooping, a switch can listen to IGMP activity for itself. Although this burdens the switch supervisor with examining IGMP reports from multicast group members, the learning process does not require a router or multilayer switch. However, if a switch does not have hardware capable of IGMP snooping natively, CGMP and help from an external router are required.

2.

By default, a switch must forward broadcast and multicast frames out all available ports on a VLAN. The multicast traffic will be seen on all VLAN 101 ports on Catalyst A. In addition, Catalyst C and Catalyst D bridge the multicast traffic over the trunk links between them. Finally, all VLAN 101 ports on Catalyst B also forward the multicasts.

3.

In this network, CGMP configuration is needed on both types of switches, whether or not IGMP snooping can be used. You can use the following commands on one of the multilayer switches:

Switch(config)# ip multicast-routing
Switch(config)# interface vlan 101
Switch(config-if)# ip pim dense-mode
Switch(config-if)# ip cgmp
Switch(config-if)# interface vlan 102
Switch(config-if)# ip pim dense-mode
Switch(config-if)# ip cgmp

On Catalyst A and B, only the following global-configuration command is needed:

Switch(config)# cgmp

Scenario 8 Answers

1.

In the default configuration, PoE will automatically be supplied if a powered device is detected. If someone has disabled PoE on that interface, you can re-enable it by using the power inline auto interface-configuration command.

2.

The QoS domain should consist of the two Catalyst switches, A and B. QoS trust should be extended to the IP Phone connected to Catalyst B. QoS information should be trusted on the ports connecting switches A and B.

QoS information should not be trusted on Catalyst A port Gig1/0/1 (the public network), Catalyst B port Fa1/0/2 (PC), or the IP Phone's PC data port. At these locations, incoming QoS information should be overwritten to known and trusted values, such as COS 0 or DSCP 0.

3.

The following commands define VLAN 17 as the voice VLAN (VVID) and the IP Phone's data port as untrusted:

Switch(config)# interface fastethernet 3/1
Switch(config-if)# switchport voice vlan 17
Switch(config-if)# switchport priority extend cos 0

4.

To enable trust on the uplink, you can use the following commands:

CatalystB(config)# interface gigabitethernet 1/0/1
CatalystB(config-if)# mls qos trust cos

Then to disable trust on Fa 1/0/2, you can use these commands:

CatalystB(config)# interface fastethernet 1/0/2
CatalystB(config-if)# no mls qos trust

Scenario 9 Answers

1.

On a Catalyst 3750, you can use the following commands:

Switch(config)# interface range fastethernet 1/0/1 - 48
Switch(config-if)# switchport port-security

2.

On a Catalyst 3750, you can use the following commands:

Switch(config)# interface fastethernet 1/0/18
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 24
Switch(config-if)# switchport port-security violation restrict

The first command line enables port-level security on the switch port. The second line configures port security to learn up to 24 MAC addresses dynamically on that port. The last line configures the switch to restrict any MAC addresses found to be in violation (any additional addresses learned beyond the 24). The port stays up, allowing the other users to communicate.
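The choice of violation mode decides what the other 23 users on the hub experience when a 25th address appears. The following Python model is an added example, not code from the book or from Cisco: it simulates a secured port with a configurable maximum and violation mode over constructed traffic (24 legitimate hosts, then an extra address, then a legitimate host again) and reports how many frames were forwarded, how many violations were counted, and whether the port went err-disabled. The MAC addresses and port name are constructed, and the log line is modelled on the IOS PSECURE_VIOLATION syslog message.

```python
# Added example, not from the book: a model of the port-security
# behaviour described above, so the three violation modes can be
# compared on constructed traffic (24 legitimate hosts, then a 25th).
# The log text is modelled on the IOS PSECURE_VIOLATION message.


class SecurePort:
    def __init__(self, name, maximum=1, violation="shutdown"):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError(violation)
        self.name = name
        self.maximum = maximum          # switchport port-security maximum N
        self.violation = violation      # switchport port-security violation ...
        self.secure_macs = []           # dynamically learned addresses, in order
        self.violation_count = 0        # counter reported by "show port-security"
        self.err_disabled = False
        self.log = []

    def frame_from(self, mac):
        """Process one ingress frame; return True if it is forwarded."""
        if self.err_disabled:
            return False                # port is down after a shutdown violation
        if mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(mac)   # learn a new secure address
            return True
        # An address beyond the maximum is a violation
        if self.violation == "protect":
            return False                # silently dropped, nothing counted
        self.violation_count += 1       # restrict and shutdown both count and log
        self.log.append(
            f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
            f"caused by MAC address {mac} on port {self.name}.")
        if self.violation == "shutdown":
            self.err_disabled = True    # err-disabled: every user on the port loses service
        return False


def simulate(violation, maximum=24, legitimate=24, rogue_frames=3):
    """Constructed traffic: 'legitimate' distinct hosts send one frame each,
    then an extra address sends 'rogue_frames' frames, then the first
    legitimate host sends again. Returns (forwarded, violations, err_disabled)."""
    port = SecurePort("FastEthernet1/0/18", maximum, violation)   # constructed name
    macs = [f"0000.1111.{i:04x}" for i in range(1, legitimate + 1)]  # constructed MACs
    forwarded = sum(port.frame_from(m) for m in macs)
    forwarded += sum(port.frame_from("dead.beef.0001") for _ in range(rogue_frames))
    forwarded += port.frame_from(macs[0])     # does an existing user still get through?
    return forwarded, port.violation_count, port.err_disabled


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, simulate(mode))
```

In restrict mode the port stays up, the violation counter climbs with every offending frame (which is what makes it visible in monitoring), and the legitimate hosts keep working; in shutdown mode the first violation takes the whole hub off the network; in protect mode the extra address is dropped without any record.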

3.

You can use the following commands:

Switch(config)# access-list 101 permit tcp 192.168.191.0 0.0.0.255 host 192.168.191.199 eq www
Switch(config)# vlan access-map myfilter
Switch(config-access-map)# match ip address 101
Switch(config-access-map)# action forward
Switch(config-access-map)# match
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vlan filter myfilter vlan-list 180

The first line configures an access list that will be used only to match against traffic being forwarded on a VLAN. The permit keyword causes matching traffic only to be eligible for an action by the VACL; it does not cause the matching traffic to be forwarded or not. The VACL is configured to first match traffic with access list 101; this traffic is forwarded as normal. Then a simple match statement is given so that all other traffic is matched; this remaining traffic is dropped so that it does not reach its destination. The VACL then is applied to VLAN 180.
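The point that the ACL only selects traffic while the access-map action decides its fate is easy to get backwards. The following Python evaluator is an added example, not code from the book or from Cisco: it implements Cisco wildcard-mask matching for access list 101, represents the access map as an ordered list of match/action clauses (the bare `match` becoming a clause that matches everything), and runs constructed packets through it so the forward/drop decision for VLAN 180 can be checked.

```python
# Added example, not from the book: an evaluator for the VACL above,
# run over constructed packets, to show that the ACL only selects
# traffic and the access-map action decides what happens to it.

import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit in the mask means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_101(pkt):
    """access-list 101 permit tcp 192.168.191.0 0.0.0.255 host 192.168.191.199 eq www"""
    return (pkt["proto"] == "tcp"
            and wildcard_match(pkt["src"], "192.168.191.0", "0.0.0.255")
            and pkt["dst"] == "192.168.191.199"
            and pkt["dport"] == 80)


# vlan access-map myfilter, as an ordered list of (match, action) clauses.
# The second clause is the bare "match", which matches every packet.
MYFILTER = [
    (acl_101, "forward"),
    (lambda pkt: True, "drop"),
]


def vacl_action(access_map, pkt):
    """Return the action of the first clause whose match succeeds."""
    for match, action in access_map:
        if match(pkt):
            return action
    return "drop"          # not reached while a catch-all clause is present


def packet(proto, src, dst, dport):
    """Constructed packet record holding only the fields the VACL looks at."""
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}


if __name__ == "__main__":
    for pkt in (packet("tcp", "192.168.191.10", "192.168.191.199", 80),
                packet("tcp", "192.168.191.10", "192.168.191.199", 443),
                packet("tcp", "10.0.0.5", "192.168.191.199", 80),
                packet("udp", "192.168.191.10", "192.168.191.199", 80)):
        print(pkt, "->", vacl_action(MYFILTER, pkt))
```

Only the first constructed packet (TCP from the 192.168.191.0/24 subnet to the server on port 80) is forwarded; a different port, a source outside the wildcard range, or a non-TCP protocol all fall through to the catch-all clause and are dropped.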

4.

In the default configuration, a switch port uses the switchport mode dynamic auto command. Therefore, it passively waits for a switch on the far end to initiate DTP negotiation to enter trunking mode. A malicious user could spoof the DTP exchange, causing the switch to bring the port into trunking mode.

You can use the following commands to prevent unexpected trunk negotiation:

Switch(config)# interface range fastethernet 1/0/1 - 48
Switch(config-if)# switchport mode access

In addition, you should disable any unused access ports and set the access VLAN to an unused or isolated VLAN ID.

5.

The trunk configuration does have a weakness that could allow attackers to inject packets that essentially "hop" from one VLAN to another. The trunk has VLAN 100 as its native VLAN, a VLAN that also is used for user traffic elsewhere in the network.

The solution is to configure the trunk to have an unused VLAN ID for its native VLAN. Then the native VLAN should be manually pruned or disallowed from entering the trunk. By adding the switchport trunk native vlan 9 command to the following interface configuration, the native VLAN becomes VLAN 9, which is not allowed on the trunk:

Switch(config)# interface gigabitethernet 1/0/1
Switch(config-if)# switchport
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport trunk native vlan 9
Switch(config-if)# switchport trunk allowed vlan 100-300
Switch(config-if)# switchport mode trunk

6.

You can use the following commands to enable DHCP snooping on the switch:

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 50
Switch(config)# interface range fastethernet 1/0/40 - 41
Switch(config-if)# ip dhcp snooping trust

Only the two ports where legitimate DHCP servers are connected are configured as trusted ports. All other ports are considered to be untrusted, by default. If the switch has an uplink to other switches, you also should use the ip dhcp snooping trust command to configure the uplink as trusted. This assumes that the upstream switches have DHCP snooping configured also; it's wise to extend trust to an uplink only if the trusted domain also extends to the neighboring switches.
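Questions 4 to 6 describe three settings that are easy to verify from a running configuration: ports left in the dynamic-auto default, a native VLAN that is still carried on a trunk, and DHCP snooping trust on ports that are neither DHCP server ports nor snooping-enabled uplinks. The following Python audit is an added example, not code from the book or from Cisco: it parses an IOS-style configuration excerpt into global and per-interface lines and reports each of those conditions. The configuration text, interface names and trusted-port list are constructed for the example, and the parser handles only the plain `switchport trunk allowed vlan <list>` form (not the `add`/`remove` variants).

```python
# Added example, not from the book: a small audit of an IOS-style
# running-config excerpt for the three weaknesses covered in questions
# 4 to 6 (ports left in the dynamic-auto default, a native VLAN that is
# carried on the trunk, and DHCP snooping trust on the wrong ports).
# The config text and port names below are constructed for the example.

SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 50
!
interface FastEthernet1/0/1
 switchport access vlan 50
!
interface FastEthernet1/0/2
 switchport access vlan 50
 switchport mode access
!
interface FastEthernet1/0/7
 switchport access vlan 50
 switchport mode access
 ip dhcp snooping trust
!
interface FastEthernet1/0/40
 switchport mode access
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100-300
 switchport mode trunk
!
"""


def parse_config(text):
    """Split IOS-style text into global lines and {interface: [lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            if line and line != "!":
                global_lines.append(line)
    return global_lines, interfaces


def expand_vlans(spec):
    """'100-300,400' -> set of VLAN IDs (plain list form only)."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def audit(text, trusted_ok=()):
    """Return a list of findings. trusted_ok names the ports allowed to carry
    'ip dhcp snooping trust': DHCP server ports and uplinks to switches that
    also run DHCP snooping."""
    findings = []
    global_lines, interfaces = parse_config(text)
    if "ip dhcp snooping" not in global_lines:
        findings.append("global: ip dhcp snooping is not enabled")
    for name, lines in interfaces.items():
        if "shutdown" in lines:
            continue                      # disabled ports are not in play
        if not any(l.startswith("switchport mode ") for l in lines):
            findings.append(f"{name}: no switchport mode set, so it is "
                            "dynamic auto; set 'switchport mode access'")
        if "switchport mode trunk" in lines:
            native = 1                    # IOS default native VLAN
            allowed = None                # None means every VLAN is allowed
            for l in lines:
                if l.startswith("switchport trunk native vlan "):
                    native = int(l.split()[-1])
                elif l.startswith("switchport trunk allowed vlan "):
                    allowed = expand_vlans(l.split()[-1])
            if allowed is None or native in allowed:
                findings.append(f"{name}: native VLAN {native} is carried on the "
                                "trunk; use an unused ID and exclude it from the allowed list")
        if "ip dhcp snooping trust" in lines and name not in trusted_ok:
            findings.append(f"{name}: trusted for DHCP snooping but is not a "
                            "known DHCP server port or snooping-enabled uplink")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG,
                         trusted_ok=("FastEthernet1/0/40", "FastEthernet1/0/41")):
        print(finding)
```

On the constructed excerpt the audit reports FastEthernet1/0/1 (no mode set), FastEthernet1/0/7 (trusted for DHCP snooping without being a server port) and GigabitEthernet1/0/1 (native VLAN 100 inside the allowed range 100-300); changing the trunk's native VLAN to 9, as in the answer to question 5, clears the last finding.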

7.

The following commands can configure a local SPAN session on the Catalyst 6500:

Switch(config)# monitor session 1 source interface gigabitethernet 3/3 both
Switch(config)# monitor session 1 destination interface gigabitethernet 5/8

8.

The only potential problem is with the mismatch in connection speeds. The server has a Gigabit Ethernet connection, while the analyzer is limited by its Fast Ethernet connection. If the server has a low utilization on its connection, the network analysis might turn out fine. Otherwise, if the server's connection is using most of the available 1000 Mbps of bandwidth, the analyzer misses a large portion of the mirrored packets.

The server and its connection will not suffer from the speed mismatch. The Catalyst switch continues to forward packets to and from the server as if no port mirroring was occurring. Only when the packets are being copied to the monitor port queue can they potentially be dropped.



CCNP Self-Study(c) CCNP BCMSN Exam Certification Guide