Chapter 18


"Do I Know This Already?"

1. c
2. d
3. d
4. a
5. b
6. a
7. c
8. a
9. d
10. a
11. c
12. d
13. a
14. b


Q&A

1. When a VACL is implemented on a switch, how is the switching speed affected?

Answer: It isn't; VACLs are implemented in hardware, so packets can be inspected as they are being switched, with no performance penalty.

2. What actions can be taken on packets matching a VACL?

Answer: Packets can be forwarded, dropped, marked for capture, or redirected to a different Layer 2 switch port.

3. After a VACL is applied using the vlan filter command, how is the traffic direction (inbound or outbound) specified?

Answer: It isn't; VACLs operate on packets as they are being forwarded within a VLAN. Therefore, there is no concept of direction within the VLAN. A direction can't be specified.

4. A secondary community VLAN is associated with a primary VLAN on a switch. Can hosts assigned to the community VLAN communicate with each other?

Answer: Yes, they can. However, they can't communicate with any other community or isolated VLAN.

5. A secondary isolated VLAN is associated with a primary VLAN on a switch. Can hosts assigned to the isolated VLAN communicate with each other?

Answer: No, hosts on an isolated VLAN can't communicate even among themselves. They can reach only the promiscuous host on the primary VLAN.

6. What command is needed to configure a promiscuous VLAN?

Answer: This isn't possible. The primary VLAN can communicate with all the secondary VLANs that are associated with it. The only promiscuous objects that can be configured are promiscuous hosts, located on the primary VLAN.

7. A router is identified as the central gateway for a private VLAN. What command is needed to configure the switch port where a router is connected?

Answer: switchport mode private-vlan promiscuous

8. How many actual VLANs must be configured to implement a common router with two community VLANs?

Answer: Three VLANs must be used: one for the primary VLAN where the router is connected and two more for the secondary community VLANs. The primary VLAN will be logically associated with the two community VLANs, but all three must be configured.
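The private VLAN scenario from questions 4 through 8, shown as an added Catalyst IOS configuration example (this is not from the book): a primary VLAN with two community VLANs, plus an isolated VLAN to illustrate question 5, and a router on a promiscuous port as the common gateway. The VLAN numbers and interface names are assumed.

```cisco
! Assumed VLAN numbers and interface names (not from the book).
! With VTP version 1 or 2, the switch must be in transparent mode
! before private VLANs can be defined.
vtp mode transparent
!
vlan 100
 name PVLAN-PRIMARY
 private-vlan primary
 private-vlan association 101,102,103
vlan 101
 name COMMUNITY-A
 private-vlan community
vlan 102
 name COMMUNITY-B
 private-vlan community
vlan 103
 name ISOLATED
 private-vlan isolated
!
! The router is the central gateway: a promiscuous port mapped to every
! secondary VLAN, so all hosts can reach it (question 7).
interface GigabitEthernet0/1
 description Router / default gateway
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102,103
!
! Community A hosts talk to each other and to the router, nothing else.
interface range GigabitEthernet0/2 - 3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community B hosts: same rule, separate community (question 4).
interface range GigabitEthernet0/4 - 5
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Isolated hosts reach only the promiscuous port, never each other (question 5).
interface range GigabitEthernet0/6 - 7
 switchport mode private-vlan host
 switchport private-vlan host-association 100 103
```

Only the three secondary VLANs and the primary VLAN exist as real VLANs; there is no "promiscuous VLAN" to configure (question 6). Use show vlan private-vlan to confirm the primary-to-secondary associations and the ports assigned to each, and show interfaces switchport on the router port to confirm the promiscuous mapping.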

9. In a switch spoofing attack, what is the attacker's goal?

Answer: An attacker spoofs DTP messages on a normal access-layer switch port, hoping that the switch responds and will negotiate trunking mode. If that happens, the attacker can spoof VLAN ID tags to inject traffic onto any VLAN that is carried over the trunk.

10. What should be configured to prevent a switch spoofing attack?

Answer: You should always configure every access-layer switch port to a fixed mode so that DTP is disabled, preventing the possibility of trunk negotiation with an attacker. Switch ports default to the switchport mode dynamic auto mode, allowing a connected device to actively negotiate the port into the trunking mode. You can use the switchport mode access command to force static access mode, thereby disabling DTP negotiation completely.

11. Describe some methods that can be used to prevent a VLAN hopping attack.

Answer: You should always configure a trunk's native VLAN to an unused VLAN number and prune the native VLAN from each end of the trunk. This isolates the native VLAN completely so that no traffic can be injected onto it.

In addition, you can configure Catalyst switches to require a tag on all VLANs carried over a trunk, including the native VLAN.
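The mitigations from questions 10 and 11 as one added hardening configuration (not from the book): access ports forced to static access mode so DTP is off, the uplink trunk fixed in trunk mode with an unused native VLAN that is left out of the allowed list, and native VLAN tagging enabled globally. Interface numbers and VLAN IDs are assumed.

```cisco
! Assumed interface numbers and VLAN IDs (not from the book).
!
! User-facing ports: static access mode disables DTP, so a connected
! device cannot negotiate the port into trunking (question 10).
interface range GigabitEthernet0/2 - 24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Unused ports: parked in an unused VLAN and shut down.
interface range GigabitEthernet0/25 - 48
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Uplink trunk: fixed trunk mode (no DTP), native VLAN set to the unused
! VLAN 999, and 999 deliberately absent from the allowed list so it is
! pruned from this end of the trunk (question 11). Repeat on the far end.
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! Require an 802.1Q tag on the native VLAN as well; untagged frames
! arriving on a trunk are then dropped rather than placed in a VLAN.
vlan dot1q tag native
```

The switchport trunk encapsulation dot1q line is needed only on platforms that also support ISL; switches that support 802.1Q alone reject it. To verify, show interfaces GigabitEthernet0/2 switchport should report "Negotiation of Trunking: Off" for the access ports, and show interfaces trunk should list the native VLAN as 999 with 999 missing from the allowed VLANs on the uplink.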

12. How is switching performance affected when several SPAN sessions are enabled?

Answer: Switching performance is not affected. Packets are simply marked and copied into another switch port's queue during a SPAN session. The original traffic is still forwarded without being modified or affected.

13. What command can specify the source of a SPAN session as VLAN 100?

Answer: monitor session 1 source vlan 100

14. When a SPAN session is enabled, what direction of traffic flow (relative to the source port) is mirrored for analysis?

Answer: By default, traffic in both directions is mirrored.

15. What two things can identify more granular traffic to be mirrored to a SPAN destination?

Answer: A VLAN ACL (VACL) can match and mark packets for capture. A SPAN VLAN filter can also identify specific VLANs to mirror if the source is a trunk port.

16. Three switches are connected in series with trunk links. The RSPAN source is on the first switch and the destination is on the third. How does the intermediate (second) switch learn about the RSPAN's source and destination locations?

Answer: It doesn't. The intermediate switch has no knowledge that RSPAN is being used. The only configuration needed is to define the RSPAN VLAN and to allow that VLAN on the trunk links. Beyond that, the intermediate switch can only flood the RSPAN packets to all ports carrying the RSPAN VLAN.

17. What must be configured on all switches connecting an RSPAN source and destination? What commands can be used?

Answer: The special-purpose RSPAN VLAN must be configured. Define the VLAN number and then use the remote-span command.

18. One of the advantages of RSPAN is that mirrored traffic can be isolated in the RSPAN VLAN on a trunk. If a GigabitEthernet port is to be monitored on one switch, which is better to use as a transport for the RSPAN VLAN: a GigabitEthernet trunk already carrying user traffic in other VLANs, or an isolated GigabitEthernet trunk link set aside for RSPAN?

Answer: The existing trunk will work fine because the RSPAN traffic will be isolated in its own VLAN. However, you must be careful not to place an excessive load on that trunk link. RSPAN traffic can easily add to the bandwidth burden on a link, considering that the source here is also a GigabitEthernet port. In this case, it might be better to transport the RSPAN mirrored traffic over its own trunk link, if one is available and cost-effective.
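The SPAN and RSPAN material from questions 12 through 18 as one added configuration example (not from the book): the three-switch RSPAN topology of question 16, with the intermediate switch carrying only the RSPAN VLAN definition and trunk permission, plus a local SPAN session on the destination switch that uses a VLAN filter on a trunk source and an explicit direction keyword. Switch names, interface numbers and VLAN IDs are assumed.

```cisco
! ===== SW1 (RSPAN source switch) =====
! Assumed names and numbers (not from the book). The RSPAN VLAN is
! declared with the remote-span command on every switch in the path
! (question 17).
vlan 900
 name RSPAN-VLAN
 remote-span
!
! Mirror both directions of the monitored port (the default; question 14)
! into the RSPAN VLAN instead of a local destination port.
monitor session 1 source interface GigabitEthernet0/5 both
monitor session 1 destination remote vlan 900
!
! ===== SW2 (intermediate switch) =====
! No monitor session at all: SW2 only needs the RSPAN VLAN defined and
! allowed on both trunks; it floods RSPAN frames within VLAN 900 (question 16).
vlan 900
 name RSPAN-VLAN
 remote-span
interface range GigabitEthernet0/1 - 2
 switchport mode trunk
 switchport trunk allowed vlan add 900
!
! ===== SW3 (RSPAN destination switch) =====
vlan 900
 name RSPAN-VLAN
 remote-span
!
! Pull the mirrored traffic out of the RSPAN VLAN to the analyzer port.
monitor session 1 source remote vlan 900
monitor session 1 destination interface GigabitEthernet0/10
!
! A separate local SPAN session: the source is a trunk, so a VLAN filter
! narrows the mirror to VLAN 100 only, and rx limits it to received
! traffic (questions 13 through 15).
monitor session 2 source interface GigabitEthernet0/1 rx
monitor session 2 filter vlan 100
monitor session 2 destination interface GigabitEthernet0/11
```

Verify each switch with show monitor session 1 (and show monitor session 2 on SW3); SW2 should show no sessions, and show vlan remote-span should list VLAN 900 on all three. Because the monitored port on SW1 and the trunks are all GigabitEthernet, the uplinks between SW1 and SW3 carry the mirrored load on top of user traffic, which is the capacity concern raised in question 18.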



CCNP Self-Study(c) CCNP BCMSN Exam Certification Guide