Cisco 642-813 Practice Exam, Buy Best Cisco 642-813 Test Questions With High Quality

The most accurate Cisco 642-813 Questions & Answers cover all the knowledge points of the real exam. We update our product frequently so our customers can always have the latest version of Cisco 642-813. We provide our customers with excellent 7×24 hours customer service. We have the most professional Cisco 642-813 expert team to back up our great quality products. If you still cannot make your decision on purchasing our product, please try our Cisco 642-813 free PDF practice test, which is free to download. Cisco 642-813 is also an authenticated IT certifications site that offers all the new questions and answers in a timely manner. Visit the site Flydumps.com to get free Cisco 642-813 VCE test engine and PDF.

QUESTION 5
AAAdot1x Lab Sim
Acme is a small shipping company that has an existing enterprise network comprised of 2 switches, DSW1 and ASW2. The topology diagram indicates their layer 2 mapping. VLAN 40 is a new VLAN that will be used to provide the shipping personnel access to the server. For security reasons, it is necessary to restrict access to VLAN 20 in the following manner:

-Users connecting to ASW1’s port must be authenticated before they are given access to the network.
-Authentication is to be done via a Radius server:
  Radius server host: 172.120.39.46
  Radius key: rad123
-Authentication should be implemented as close to the host device as possible.
-Devices on VLAN 20 are restricted to the address range of 172.120.40.0/24.
  Packets from devices in the address range of 172.120.40.0/24 should be passed on VLAN 20.
  Packets from devices in any other address range should be dropped on VLAN 20.
-Filtering should be implemented as close to the server farm as possible.
The Radius server and application servers will be installed at a future date. You have been tasked with implementing the above access control as a pre-condition to installing the servers.
You must use the available IOS switch features.


Correct Answer: Section: Labs Explanation

Explanation/Reference:
Step 1: Console to ASW1 from PC console 1
ASW1# configure terminal
! Enable AAA and point 802.1X authentication at the Radius server
ASW1(config)# aaa new-model
ASW1(config)# radius-server host 172.120.39.46 key rad123
ASW1(config)# aaa authentication dot1x default group radius
ASW1(config)# dot1x system-auth-control
! Require 802.1X on the host-facing access port
ASW1(config)# int fastEthernet 0/1
ASW1(config-if)# switchport mode access
ASW1(config-if)# dot1x port-control auto
ASW1(config-if)# end
ASW1# copy running-config startup-config
Step 2: Console to DSW1 from PC console 2
DSW1# configure terminal
! Standard ACL that matches the permitted source range
DSW1(config)# ip access-list standard 10
DSW1(config-std-nacl)# permit 172.120.40.0 0.0.0.255
DSW1(config-std-nacl)# exit
! Sequence 10 forwards what ACL 10 matches; sequence 20 drops everything else
DSW1(config)# vlan access-map PASS 10
DSW1(config-access-map)# match ip address 10
DSW1(config-access-map)# action forward
DSW1(config-access-map)# exit
DSW1(config)# vlan access-map PASS 20
DSW1(config-access-map)# action drop
DSW1(config-access-map)# exit
! Apply the access map to VLAN 20
DSW1(config)# vlan filter PASS vlan-list 20
DSW1(config)# exit
DSW1# copy running-config startup-config
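How the VLAN access-map PASS from Step 2 decides per packet, as an added Python example that is not part of the original answer: it models ACL 10 with its wildcard mask and the two map sequences, then compares it with a constructed variant where the wildcard is mistyped. The class and function names and the sample addresses are hypothetical, and the final fall-through drop is an assumption about the platform default.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AclEntry:
    """One line of a standard IP ACL: action, network, wildcard mask."""
    action: str      # "permit" or "deny"
    network: str
    wildcard: str    # 1-bits are "don't care", the inverse of a netmask

    def matches(self, src: str) -> bool:
        care = ~int(ipaddress.IPv4Address(self.wildcard)) & 0xFFFFFFFF
        addr = int(ipaddress.IPv4Address(src))
        net = int(ipaddress.IPv4Address(self.network))
        return (addr & care) == (net & care)


def acl_permits(acl: List[AclEntry], src: str) -> bool:
    """First matching line wins; no matching line means implicit deny."""
    for entry in acl:
        if entry.matches(src):
            return entry.action == "permit"
    return False


@dataclass
class MapSequence:
    """One 'vlan access-map NAME <number>' block."""
    number: int
    action: str                            # "forward" or "drop"
    match_acl: Optional[List[AclEntry]]    # None: no match clause, matches all


def vacl_decision(sequences: List[MapSequence], src: str) -> Tuple[str, Optional[int]]:
    """Return (action, sequence number) for a packet with source address src."""
    for seq in sorted(sequences, key=lambda s: s.number):
        if seq.match_acl is None or acl_permits(seq.match_acl, src):
            return seq.action, seq.number
    # Assumption: nothing matched in a map that has an IP match clause -> drop.
    return "drop", None


# The configuration from Step 2 (ACL 10 plus access-map PASS 10 and 20).
ACL_10 = [AclEntry("permit", "172.120.40.0", "0.0.0.255")]
PASS_MAP = [
    MapSequence(10, "forward", ACL_10),
    MapSequence(20, "drop", None),
]

# Constructed mistake for comparison: a /16 wildcard typed instead of a /24.
ACL_10_LOOSE = [AclEntry("permit", "172.120.40.0", "0.0.255.255")]
LOOSE_MAP = [
    MapSequence(10, "forward", ACL_10_LOOSE),
    MapSequence(20, "drop", None),
]

# Constructed sample sources; 0.0.0.0 is what a DHCP client uses before it
# has a lease.
SAMPLES = ["172.120.40.17", "172.120.40.255", "172.120.41.5", "10.1.1.1", "0.0.0.0"]


def audit(sequences: List[MapSequence]) -> dict:
    """Map each sample source address to the VACL action it receives."""
    return {src: vacl_decision(sequences, src)[0] for src in SAMPLES}


if __name__ == "__main__":
    for name, vmap in (("PASS", PASS_MAP), ("loose wildcard", LOOSE_MAP)):
        print(name)
        for src, action in audit(vmap).items():
            print(f"  {src:<15} {action}")
```

The 0.0.0.0 row is worth noting when the servers are installed: a DHCP client on VLAN 20 sends its first request from that source, so it falls through to sequence 20.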
QUESTION 6
MLS and EIGRP Sim 1
Configure the Multilayer Switch so that PCs from VLAN 2 and VLAN 3 can communicate with the Server.


Correct Answer: Section: Labs Explanation
Explanation/Reference:
mls> enable
mls# conf t
mls(config)# int gi 0/1
mls(config-if)# no switchport
mls(config-if)# ip address 10.10.10.2 255.255.255.0
mls(config-if)# no shutdown
mls(config-if)# exit
mls(config)# int vlan 2
mls(config-if)# ip address 190.200.250.33 255.255.255.224
mls(config-if)# no shutdown
mls(config-if)# int vlan 3
mls(config-if)# ip address 190.200.250.65 255.255.255.224
mls(config-if)# no shutdown
mls(config-if)# exit
mls(config)# int gi 0/10
mls(config-if)# switchport mode access
mls(config-if)# switchport access vlan 2
mls(config-if)# no shutdown
mls(config-if)# exit

mls(config)# int gi 0/11
mls(config-if)# switchport mode access
mls(config-if)# switchport access vlan 3
mls(config-if)# no shutdown
mls(config-if)# exit

mls(config)# ip routing (Notice: MLS will not work without this command)

mls(config)# router eigrp 650
mls(config-router)# network 10.10.10.0 0.0.0.255
mls(config-router)# network 190.200.250.32 0.0.0.31
mls(config-router)# network 190.200.250.64 0.0.0.31
mls(config-router)# no auto-summary
mls(config-router)# end

mls# copy running-config startup-config

NOTE: The router is correctly configured, so you do not need to change it in the exam. Also, do not modify or delete any port; just apply the above configuration. To complete the lab, you should expect the ping to the server to succeed from the MLS, and from the PCs as well.
If the above configuration does not work, you should configure EIGRP with the “no auto-summary” command.

QUESTION 7
MLS and EIGRP Sim 2
You have been tasked with configuring multilayer SwitchC, which has a partial configuration and has been attached to RouterC as shown in the topology diagram.

HOST 1:
HOST 2:
You need to configure SwitchC so that Hosts H1 and H2 can successfully ping the server S1. Also, SwitchC needs to be able to ping server S1.
· Due to administrative restrictions and requirements, you should not add/delete VLANs, change VLAN port assignments or create trunk links.
· Company policies forbid the use of static or default routing.
· All routes must be learned via the EIGRP 65010 routing protocol.
· You do not have access to RouterC. RouterC is correctly configured. No trunking has been configured on RouterC.
· Routed interfaces should use the lowest host on a subnet when possible.
· The following subnets are available to implement this solution:
  · 172.16.1.0/24
  · 192.168.3.32/27
  · 192.168.3.64/27
· Hosts H1 and H2 are configured with the correct IP address and default gateway.
· SwitchC uses Cisco as the enable password.
· Routing must only be enabled for the specific subnets shown in the diagram.
Correct Answer: Section: Labs Explanation
Explanation/Reference:
On switch C:
SwitchC> enable
SwitchC# conf t
SwitchC(config)# int gi 0/1
SwitchC(config-if)# no switchport (without this the simulator does not let you assign an IP address on the Gi0/1 interface)
SwitchC(config-if)# ip address 172.16.1.1 255.255.255.0
SwitchC(config-if)# no shutdown
SwitchC(config-if)# exit
SwitchC(config)# int vlan 2
SwitchC(config-if)# ip address 192.168.3.33 255.255.255.224 (default gateway address)
SwitchC(config-if)# no shutdown
SwitchC(config-if)# exit
SwitchC(config)# int vlan 3
SwitchC(config-if)# ip address 192.168.3.65 255.255.255.224 (default gateway address)
SwitchC(config-if)# no shutdown
SwitchC(config-if)# exit
SwitchC(config)# ip routing
SwitchC(config)# router eigrp 65010
SwitchC(config-router)# network 172.16.1.0 0.0.0.255
SwitchC(config-router)# network 192.168.3.32 0.0.0.31
SwitchC(config-router)# network 192.168.3.64 0.0.0.31
SwitchC(config-router)# no auto-summary
SwitchC(config-router)# end
SwitchC# copy running-config startup-config
Verification: We should be able to ping from SwitchC to the gateway called “Server S1” [208.77.188.166].
You must obtain the subnets and IP addresses yourself by clicking on each host icon and typing ipconfig, which shows the IP address of the host, the default gateway and the subnet mask. The default gateway address and subnet mask should be configured as the IP of the respective VLAN on SwitchC.
QUESTION 8
LACP with STP Sim 1

Each of these vlans has one host each on its ports.
SVI on vlan 1 – ip 192.168.1.11
Switch B –
Ports 3, 4 connected to ports 3 and 4 on Switch A
Port 15 connected to Port on Router.
Tasks to do:
1. Use non proprietary mode of aggregation with Switch B being the initiator — Use LACP with B being in Active mode
2. Use non proprietary trunking and no negotiation — Use switchport mode trunk and switchport trunk encapsulation dot1q
3. Restrict only to the VLANs needed — Use either VTP pruning or allowed VLAN list. The preferred method is using allowed VLAN list
4. SVI on VLAN 1 with some ip and subnet given
5. Configure switch A so that nodes other side of Router C are accessible — on switch A the default gateway has to be configured.
6. Make switch B the root

Correct Answer: Section: Labs Explanation
Explanation/Reference:
SW-A: verify with show run if you need to create vlans 21-23 and verify trunk’s native vlan (remove if not 99)
SW-A# conf t
SW-A(config)# int vlan 1
SW-A(config-if)# ip address 192.168.1.11 255.255.255.0
SW-A(config-if)# no shut
SW-A(config-if)# exit
SW-A(config)# int range fa 0/9 - 10
SW-A(config-if-range)# switchport mode access
SW-A(config-if-range)# switchport access vlan 21
SW-A(config-if-range)# spanning-tree portfast
SW-A(config-if-range)# no shut
SW-A(config-if-range)# exit
SW-A(config)# int range fa 0/13 - 14
SW-A(config-if-range)# switchport mode access
SW-A(config-if-range)# switchport access vlan 22
SW-A(config-if-range)# spanning-tree portfast
SW-A(config-if-range)# no shut
SW-A(config-if-range)# exit
SW-A(config)# int range fa 0/15 - 16
SW-A(config-if-range)# switchport mode access
SW-A(config-if-range)# switchport access vlan 23
SW-A(config-if-range)# spanning-tree portfast
SW-A(config-if-range)# no shut
SW-A(config-if-range)# exit
SW-A(config)# int range fa 0/3 - 4
SW-A(config-if-range)# channel-protocol lacp
SW-A(config-if-range)# channel-group 1 mode passive
SW-A(config-if-range)# no shut
SW-A(config-if-range)# exit
SW-A(config)# int port-channel 1
SW-A(config-if)# switchport trunk encapsulation dot1q
SW-A(config-if)# switchport mode trunk
SW-A(config-if)# switchport trunk native vlan 99
SW-A(config-if)# switchport trunk allowed vlan 1,21-23
SW-A(config-if)# no shut
SW-A(config-if)# end
SW-A# copy running-config startup-config
SW B
SW-B# conf t
Create vlan:
SW-B(config)# vlan 21
SW-B(config-vlan)# vlan 22
SW-B(config-vlan)# vlan 23
SW-B(config-vlan)# exit
SW-B(config)# spanning-tree vlan 1,21-23,99 root primary
SW-B(config)# int range fa 0/3 - 4
SW-B(config-if-range)# channel-protocol lacp
SW-B(config-if-range)# channel-group 1 mode active
SW-B(config-if-range)# no shut
SW-B(config-if-range)# exit
SW-B(config)# int port-channel 1
SW-B(config-if)# switchport trunk encapsulation dot1q
SW-B(config-if)# switchport mode trunk
SW-B(config-if)# switchport trunk native vlan 99
(I did a sh vlan and saw vlan 99 named as “TrunkNative” so I used this as the native VLAN for both switches)
SW-B(config-if)# switchport trunk allowed vlan 1,21-23
SW-B(config-if)# no shut
SW-B(config-if)# end
SW-B# copy running-config startup-config
QUESTION 9
LACP with STP Sim 2
Scenario:
You work for SWITCH.com. They have just added a new switch (SwitchB) to the existing network as shown in the topology diagram.

RouterA is currently configured correctly and is providing the routing function for devices on SwitchA and SwitchB. SwitchA is currently configured correctly, but will need to be modified to support the addition of SwitchB. SwitchB has a minimal configuration. You have been tasked with completing the configuration of SwitchA and SwitchB. SwitchA and SwitchB use Cisco as the enable password.
Configuration Requirements for SwitchA
· The VTP and STP configuration modes on SwitchA should not be modified.
· SwitchA needs to be the root switch for vlans 11, 12, 13, 21, 22 and 23. All other vlans should be left at their default values.
Configuration Requirements for SwitchB
· Vlan 21, Name: Marketing, will support two servers attached to fa0/9 and fa0/10
· Vlan 22, Name: Sales, will support two servers attached to fa0/13 and fa0/14
· Vlan 23, Name: Engineering, will support two servers attached to fa0/15 and fa0/16
· Access ports that connect to servers should transition immediately to forwarding state upon detecting the connection of a device.
· SwitchB VTP mode needs to be the same as SwitchA.
· SwitchB must operate in the same spanning tree mode as SwitchA.
· No routing is to be configured on SwitchB.
· Only the SVI vlan 1 is to be configured and it is to use address 192.168.1.11/24.
Inter-switch Connectivity Configuration Requirements:
· For operational and security reasons trunking should be unconditional and Vlans 1, 21, 22 and 23 should be tagged when traversing the trunk link.
· The two trunks between SwitchA and SwitchB need to be configured in a mode that allows for the maximum use of their bandwidth for all vlans. This mode should be done with a non-proprietary protocol, with SwitchA controlling activation.
· Propagation of unnecessary broadcasts should be limited using manual pruning on this trunk link.

Correct Answer: Section: Labs Explanation
Explanation/Reference:
SwitchA
SwitchA# conf t
Create vlan:
SwitchA(config)# vlan 21
SwitchA(config-vlan)# name Marketing
SwitchA(config-vlan)# vlan 22
SwitchA(config-vlan)# name Sales
SwitchA(config-vlan)# vlan 23
SwitchA(config-vlan)# name Engineering
SwitchA(config-vlan)# exit
SwitchA(config)# spanning-tree vlan 1,11-13,21-23,99 root primary
SwitchA(config)# int range fa 0/3 - 4
SwitchA(config-if-range)# channel-protocol lacp
SwitchA(config-if-range)# channel-group 1 mode active
SwitchA(config-if-range)# no shut
SwitchA(config-if-range)# exit
SwitchA(config)# int port-channel 1
SwitchA(config-if)# switchport trunk encapsulation dot1q
SwitchA(config-if)# switchport mode trunk
SwitchA(config-if)# switchport trunk native vlan 99
SwitchA(config-if)# switchport trunk allowed vlan 1,21-23
SwitchA(config-if)# no shut
SwitchA(config-if)# end
SwitchA# copy running-config startup-config
SwitchB: verify with show run if you need to create vlans 21-23 and verify trunk’s native vlan (remove the wrong native if not 99)
SwitchB# conf t
SwitchB(config)# int vlan 1
SwitchB(config-if)# ip address 192.168.1.11 255.255.255.0
SwitchB(config-if)# no shut
SwitchB(config-if)# exit
SwitchB(config)# vtp mode transparent
SwitchB(config)# spanning-tree mode rapid-pvst
SwitchB(config)# int range fa 0/9 - 10
SwitchB(config-if-range)# switchport mode access
SwitchB(config-if-range)# switchport access vlan 21
SwitchB(config-if-range)# spanning-tree portfast
SwitchB(config-if-range)# no shut
SwitchB(config-if-range)# exit
SwitchB(config)# int range fa 0/13 - 14
SwitchB(config-if-range)# switchport mode access
SwitchB(config-if-range)# switchport access vlan 22
SwitchB(config-if-range)# spanning-tree portfast
SwitchB(config-if-range)# no shut
SwitchB(config-if-range)# exit
SwitchB(config)# int range fa 0/15 - 16
SwitchB(config-if-range)# switchport mode access
SwitchB(config-if-range)# switchport access vlan 23
SwitchB(config-if-range)# spanning-tree portfast
SwitchB(config-if-range)# no shut
SwitchB(config-if-range)# exit
SwitchB(config)# int range fa 0/3 - 4
SwitchB(config-if-range)# channel-protocol lacp
SwitchB(config-if-range)# channel-group 1 mode passive
SwitchB(config-if-range)# no shut
SwitchB(config-if-range)# exit
SwitchB(config)# int port-channel 1
SwitchB(config-if)# switchport trunk encapsulation dot1q
SwitchB(config-if)# switchport mode trunk
SwitchB(config-if)# switchport trunk native vlan 99
SwitchB(config-if)# switchport trunk allowed vlan 1,21-23
SwitchB(config-if)# no shut
SwitchB(config-if)# end
SwitchB# copy running-config startup-config
QUESTION 10
HSRP HOTSPOT Sim
During routine maintenance, G1/0/1 on DSW1 was shut down. All other interfaces were up. DSW2 became the active HSRP device for Vlan101 as desired. However, after G1/0/1 on DSW1 was reactivated, DSW1 did not become the active HSRP device as desired. What needs to be done to make the group for Vlan101 function properly?

Interface VLAN 101 exhibit:

A. Enable preempt on DS1’s Vlan101 HSRP group
B. Disable preempt on DS1’s Vlan101 HSRP group
C. Decrease DS1’s priority value for Vlan101 HSRP group to a value that is less than priority value configured on DS2’s HSRP group for Vlan101
D. Decrease the decrement in the track command for DS1’s Vlan 101 HSRP group to a value less than the value in the track command for DS2’s Vlan 101 HSRP group.
Correct Answer: A Section: HSRP Explanation
Explanation/Reference:
Explanation:
A is correct. All other answers are incorrect, because preempt is disabled for Vlan101 on DS1 (left). We need to enable preempt so that, after it is reactivated, DS1 becomes the active device. Without this command, it never becomes the active device.
QUESTION 11
HSRP HOTSPOT Sim
During routine maintenance, it became necessary to shut down G1/0/1 on DSW1. All other interfaces were up. During this time, DSW1 remained the active device for Vlan 102's HSRP group. You have determined that there is an issue with the decrement value in the track command in Vlan 102's HSRP group. What needs to be done to make the group function properly?

Interface VLAN 102 exhibit:

A. The DS1’s decrement value should be configured with a value from 5 to 15
B. The DS1’s decrement value should be configured with a value from 9 to 15
C. The DS1’s decrement value should be configured with a value from 11 to 18
D. The DS1’s decrement value should be configured with a value from 195 to less than 205
E. The DS1’s decrement value should be configured with a value from 200 to less than 205
F. The DS1’s decrement value should be greater than 190 and less 200
Correct Answer: C Section: HSRP Explanation
Explanation/Reference:
Explanation:
Use the “show run” command to check. The left Vlan102 is console1 of DS1. The priority value is 200, so we should set the decrement value in the track command to a value from 11 to 18, because 200 - 11 = 189 < 190 (priority of Vlan102 on DS2).
QUESTION 12
HSRP HOTSPOT Sim
DSW2 has not become the active device for Vlan103's HSRP group even though all interfaces are active. As related to Vlan103's HSRP group, what can be done to make the group function properly?

Interface VLAN 103 exhibit:

A. On DS1, disable preempt
B. On DS1, decrease the priority value to a value less than 190 and greater than 150
C. On DS2, increase the priority value to a value greater 241 and less than 249
D. On DS2, increase the decrement value in the track command to a value greater than 10 and less than 50.
Correct Answer: C Section: HSRP Explanation
Explanation/Reference:
Explanation:
The reason DSW2 has not become the active switch for Vlan103 is because the priority value of DSW1 is higher than that of DSW2. In order to make DSW2 become the active switch, we need to increase DSW2's priority (to higher than 200) or decrease DSW1's priority (to lower than 190).
QUESTION 13
HSRP HOTSPOT Sim
During routine maintenance, it became necessary to shut down G1/0/1 on DSW1 and DSW2. All other interfaces were up. During this time, DSW1 became the active device for Vlan104's HSRP group. As related to Vlan104's HSRP group, what can be done to make the group function properly?

Interface VLAN 104 exhibit:

A. On DS1, disable preempt
B. On DS2, decrease the priority value to a value less than 150
C. On DS1, increase the decrement value in the track command to a value greater than 6
D. On DS1, disable track command.

Correct Answer: C Section: HSRP Explanation
Explanation/Reference:
Explanation:
We should NOT disable preempt on DS1. By doing that, you will make Vlan104’s HSRP group fail to function. Example: if we disable preempt on DS1, it cannot become the active device when G1/0/1 on DS2 fails. In this question, G1/0/1 on DS1 and DS2 is shut down. Vlan104 (left): 150 - 1 = 149. Vlan104 (right): 200 - 55 = 145. The result is priority 149 > 145 (Vlan104 on DS1 is active). If we increase the decrement in the track value to a value greater than 6 (> or = 6): Vlan104 (left): 150 - 6 = 144. The result is priority 144 < 145 (Vlan104 on DS2 is active).
QUESTION 14
HSRP HOTSPOT Sim
If G1/0/1 on DSW1 is shut down, what will be the current priority value of the Vlan105's group on DSW1?

Interface VLAN 105 exhibit:

A. 95
B. 100
C. 150
D. 200

Correct Answer: A Section: HSRP Explanation
Explanation/Reference:
Explanation:
Priority is configured as 150 and the track decrement is 55. So, if interface G1/0/1 is shut down: 150 - 55 = 95.
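The priority arithmetic behind the HSRP answers for Vlan101 to Vlan105, as an added Python example that is not part of the original page: a small model of interface tracking and preemption. The class and function names are hypothetical; preempt settings and the Vlan101 priorities are assumed where the missing exhibits would have shown them, and tie-breaking on IP address is not modelled.

```python
from dataclasses import dataclass


@dataclass
class HsrpRouter:
    name: str
    priority: int            # configured standby priority
    track_decrement: int     # subtracted while the tracked interface is down
    preempt: bool
    tracked_up: bool = True

    @property
    def effective_priority(self) -> int:
        if self.tracked_up:
            return self.priority
        return self.priority - self.track_decrement


def elect(current_active: str, a: HsrpRouter, b: HsrpRouter) -> str:
    """Return the name of the active router once priorities settle.

    The non-active router takes over only if it has preempt enabled and its
    effective priority is strictly higher than the active router's.
    """
    active, other = (a, b) if current_active == a.name else (b, a)
    if other.preempt and other.effective_priority > active.effective_priority:
        return other.name
    return active.name


def min_decrement_for_failover(active_priority: int, standby_priority: int) -> int:
    """Smallest decrement that drops the active router below the standby."""
    return active_priority - standby_priority + 1


def vlan101(ds1_preempt: bool) -> str:
    # Constructed priorities (exhibit missing). G1/0/1 is back up, DS2 is active.
    ds1 = HsrpRouter("DS1", 200, 0, ds1_preempt)
    ds2 = HsrpRouter("DS2", 190, 0, True)
    return elect("DS2", ds1, ds2)


def vlan102(ds1_decrement: int) -> str:
    # Page values: DS1 priority 200, DS2 priority 190. G1/0/1 on DS1 is down.
    ds1 = HsrpRouter("DS1", 200, ds1_decrement, True, tracked_up=False)
    ds2 = HsrpRouter("DS2", 190, 0, True)       # DS2 preempt is assumed
    return elect("DS1", ds1, ds2)


def vlan104(ds1_decrement: int) -> str:
    # Page values: DS1 150, DS2 200 with decrement 55. G1/0/1 down on both.
    ds1 = HsrpRouter("DS1", 150, ds1_decrement, True, tracked_up=False)
    ds2 = HsrpRouter("DS2", 200, 55, True, tracked_up=False)
    return elect("DS2", ds1, ds2)


def vlan105_priority_when_down() -> int:
    # Page values: priority 150, track decrement 55.
    return HsrpRouter("DS1", 150, 55, True, tracked_up=False).effective_priority


if __name__ == "__main__":
    print("Vlan101, DS1 preempt off:", vlan101(False))
    print("Vlan101, DS1 preempt on: ", vlan101(True))
    print("Vlan102, decrement 10:   ", vlan102(10))
    print("Vlan102, decrement 11:   ", vlan102(11))
    print("Vlan102, minimum needed: ", min_decrement_for_failover(200, 190))
    print("Vlan104, DS1 decrement 1:", vlan104(1))
    print("Vlan104, DS1 decrement 6:", vlan104(6))
    print("Vlan105, DS1 when down:  ", vlan105_priority_when_down())
```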

QUESTION 15
HSRP HOTSPOT Sim
What is the configured priority value of the Vlan105's group on DSW2?
Interface VLAN 105 exhibit:
B. 100

C. 150
D. 200
Correct Answer: B Section: HSRP Explanation
Explanation/Reference:
Explanation:
Use the “show standby brief” command on console2. It is very easy to see that the priority of Vlan105 is 100.
QUESTION 16
STP HOTSPOT Sim
Online Incorporated is an internet game provider. The game service network had recently added an additional switch block with multiple VLANs configured. Unfortunately, system administrators neglected to document the spanning-tree topology during configuration. For baseline purposes, you will be required to identify the spanning-tree topology for the switch block. Using the output of the “show spanning-tree” command on switch SW-C and the provided physical topology, answer the following questions:
Beware: VLAN number can change.
Question 1:
Which spanning Tree Protocol has been implemented on SW-B?
A. STP/IEEE 802.1D
B. MSTP/IEEE 802.1s
C. PVST+
D. PVRST
E. None of the above
Correct Answer: C Section: STP Explanation
Explanation/Reference:
Answer: C

On the Fa0/2 interface we can see the type of connection is P2p Peer (STP) and Cisco says that: “!— Type P2p Peer(STP) represents that the neighbor switch runs PVST.”
Please visit this link to understand more: http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a00807b0670.shtml

QUESTION 17
STP HOTSPOT Sim
Online Incorporated is an internet game provider. The game service network had recently added an additional switch block with multiple VLANs configured. Unfortunately, system administrators neglected to document the spanning-tree topology during configuration. For baseline purposes, you will be required to identify the spanning-tree topology for the switch block. Using the output of the “show spanning-tree” command on switch SW-C and the provided physical topology, answer the following questions:
Beware: VLAN number can change.
Which bridge ID belongs to SW-B?
A. 24623.000f.34f5.0138
B. 32768.000d.bd03.0380
C. 32768.000d.65db.0102
D. 32769.000d.65db.0102
E. 32874.000d.db03.0380
F. 32815.000d.db03.0380
Correct Answer: A Section: STP Explanation
Explanation/Reference:
Answer: A

Have a look at the output at VLAN0047:
Notice there are two “Cost” values in the picture: the upper “Cost” is the total cost from the current switch to the root bridge, while the second “Cost” refers to the cost on that interface (Fa0/2). Both of these “Cost” values are the same, so we can deduce that the root bridge is connected directly to this switch on the Fa0/2 interface -> the root bridge is Switch B, and the “Address” field shows its MAC address 000f.34f5.0138. Notice Bridge ID = Bridge Priority + MAC address.
QUESTION 18
STP HOTSPOT Sim
Online Incorporated is an internet game provider. The game service network had recently added an additional switch block with multiple VLANs configured. Unfortunately, system administrators neglected to document the spanning-tree topology during configuration. For baseline purposes, you will be required to identify the spanning-tree topology for the switch block. Using the output of the “show spanning-tree” command on switch SW-C and the provided physical topology, answer the following questions:
Beware: VLAN number can change.
Which port role has interface Fa0/2 of SW-A adopted for VLAN 47?
A. Root port
B. Nondesignated port
C. Designated port
D. Backup port
E. Alternate port
Correct Answer: C Section: STP Explanation
Explanation/Reference:
Answer: C
We learned that Switch B is the root bridge for VLAN 47, so port Fa0/1 on SwitchA and Fa0/2 on SwitchC should be the root ports, and from the output of SwitchC, we know that port Fa0/1 of SwitchC is in blocking state. Therefore its opposite port on SwitchA must be in designated state (forwarding). So, can Fa0/2 of SW-A be in blocking state? The answer is no, so that BPDU packets can be received on Fa0/1 of SW-C. It will remain in blocking state as long as a steady flow of BPDUs is received.
QUESTION 19
STP HOTSPOT Sim
Online Incorporated is an internet game provider. The game service network had recently added an additional switch block with multiple VLANs configured. Unfortunately, system administrators neglected to document the spanning-tree topology during configuration. For baseline purposes, you will be required to identify the spanning-tree topology for the switch block. Using the output of the “show spanning-tree” command on switch SW-C and the provided physical topology, answer the following questions:
Beware: VLAN number can change.
Which port state is interface Fa0/2 of SW-B in for VLANs 1 and 106?
A. Listening
B. Learning
C. Disabled
D. Blocking
E. Forwarding
F. Discarding
Correct Answer: D Section: STP Explanation
Explanation/Reference:
Answer: D
As explained in question 2, we can deduce SW-A is the root bridge for VLANs 1 and 106 so ports Fa0/1 on SW-B and SW-C will be the root ports. From the output of SW-C for VLANs 1 and 106, port Fa0/2 of this switch is designated (forwarding) so we can deduce interface Fa0/2 of SW-B is in blocking status.
QUESTION 20
STP HOTSPOT Sim
Online Incorporated is an internet game provider. The game service network had recently added an additional switch block with multiple VLANs configured. Unfortunately, system administrators neglected to document the spanning-tree topology during configuration. For baseline purposes, you will be required to identify the spanning-tree topology for the switch block. Using the output of the “show spanning-tree” command on switch SW-C and the provided physical topology, answer the following questions:
Beware: VLAN number can change.
Which bridge ID belongs to SW-A?
A. 24623.000f.34f5.0138
B. 32768.000d.bd03.0380
C. 32768.000d.65db.0102
D. 32769.000d.65db.0102
E. 32874.000d.db03.0380
F. 32815.000d.db03.0380
Correct Answer: D Section: STP Explanation
Explanation/Reference:
Answer: D
SW-A is the root bridge for VLANs 1 and 106 and we can easily find the MAC address of this root bridge from the output of SW-C, it is 000d.65db.0102. Notice that SW-A has 2 bridge IDs for VLANs 1 and 106, they are 32769.000d.65db.0102 and 24682.000d.65db.0102

Exam E
QUESTION 1
Which statement is true about RSTP topology changes?
A. Any change in the state of the port generates a TC BPDU.
B. Only nonedge ports moving to the forwarding state generate a TC BPDU.
C. If either an edge port or a nonedge port moves to a block state, then a TC BPDU is generated.
D. Only edge ports moving to the blocking state generate a TC BPDU.
E. Any loss of connectivity generates a TC BPDU.
Correct Answer: B Section: RSTP, MST Explanation
Explanation/Reference:
Explanation:
The IEEE 802.1D Spanning Tree Protocol was designed to keep a switched or bridged network loop free, with adjustments made to the network topology dynamically. A topology change typically takes 30 seconds, where a port moves from the Blocking state to the Forwarding state after two intervals of the Forward Delay timer. As technology has improved, 30 seconds has become an unbearable length of time to wait for a production network to failover or “heal” itself during a problem.

Topology Changes and RSTP
Recall that when an 802.1D switch detects a port state change (either up or down), it signals the Root Bridge by sending topology change notification (TCN) BPDUs. The Root Bridge must then signal a topology change by sending out a TCN message that is relayed to all switches in the STP domain. RSTP detects a topology change only when a nonedge port transitions to the Forwarding state. This might seem odd because a link failure is not used as a trigger. RSTP uses all of its rapid convergence mechanisms to prevent bridging loops from forming.

Therefore, topology changes are detected only so that bridging tables can be updated and corrected as hosts appear first on a failed port and then on a different functioning port. When a topology change is detected, a switch must propagate news of the change to other switches in the network so they can correct their bridging tables, too. This process is similar to the convergence and synchronization mechanism: topology change (TC) messages propagate through the network in an ever-expanding wave.

QUESTION 2
Refer to the exhibit.

Which four statements about this GLBP topology are true? (Choose four.)
A. Router A is responsible for answering ARP requests sent to the virtual IP address.
B. If router A becomes unavailable, router B forwards packets sent to the virtual MAC address of router A.
C. If another router is added to this GLBP group, there would be two backup AVGs.
D. Router B is in GLBP listen state.
E. Router A alternately responds to ARP requests with different virtual MAC addresses.
F. Router B transitions from blocking state to forwarding state when it becomes the AVG.

Correct Answer: ABDE Section: GLBP Explanation
Explanation/Reference:
Explanation:
With GLBP the following is true:
With GLBP, there is 1 AVG and 1 standby VG. In this case Company1 is the AVG and Company2 is the standby. Company2 would act as a VRF and would already be forwarding and routing packets.
Any additional routers would be in a listen state.
As the role of the Active VG and load balancing, Company1 responds to ARP requests with different virtual MAC addresses.
In this scenario, Company2 is the Standby VF for the VMAC 0008.b400.0101 and would become the Active VF if Company1 were down.
As the role of the Active VG, the primary responsibility is to answer ARP requests to the virtual IP address.
As an AVF router Company2 is already forwarding/routing packets.

QUESTION 3
Refer to the exhibit.

Which VRRP statement about the roles of the master virtual router and the backup virtual router is true?
A. Router A is the master virtual router, and router B is the backup virtual router. When router A fails, router B becomes the master virtual router. When router A recovers, router B maintains the role of master virtual router.
B. Router A is the master virtual router, and router B is the backup virtual router. When router A fails, router B becomes the master virtual router. When router A recovers, it regains the master virtual router role.
C. Router B is the master virtual router, and router A is the backup virtual router. When router B fails, router A becomes the master virtual router. When router B recovers, router A maintains the role of master virtual router.
D. Router B is the master virtual router, and router A is the backup virtual router. When router B fails, router A becomes the master virtual router. When router B recovers, it regains the master virtual router role.

Correct Answer: B Section: VRRP Explanation
Explanation/Reference:
Explanation:
QUESTION 4
Which description correctly describes a MAC address flooding attack?
A. The attacking device crafts ARP replies intended for valid hosts. The MAC address of the attacking device then becomes the destination address found in the Layer 2 frames sent by the valid network device.
B. The attacking device crafts ARP replies intended for valid hosts. The MAC address of the attacking device then becomes the source address found in the Layer 2 frames sent by the valid network device.
C. The attacking device spoofs a destination MAC address of a valid host currently in the CAM table. The switch then forwards frames destined for the valid host to the attacking device.
D. The attacking device spoofs a source MAC address of a valid host currently in the CAM table. The switch then forwards frames destined for the valid host to the attacking device.
E. Frames with unique, invalid destination MAC addresses flood the switch and exhaust CAM table space. The result is that new entries cannot be inserted because of the exhausted CAM table space, and traffic is subsequently flooded out all ports.
F. Frames with unique, invalid source MAC addresses flood the switch and exhaust CAM table space. The result is that new entries cannot be inserted because of the exhausted CAM table space, and traffic is subsequently flooded out all ports.
Correct Answer: F Section: Access Security Explanation
Explanation/Reference:
Explanation:
QUESTION 5
Refer to the exhibit.

An attacker is connected to interface Fa0/11 on switch A-SW2 and attempts to establish a DHCP server for a man-in-the-middle attack. Which recommendation, if followed, would mitigate this type of attack?
A. All switch ports in the Building Access block should be configured as DHCP trusted ports.
B. All switch ports in the Building Access block should be configured as DHCP untrusted ports.
C. All switch ports connecting to hosts in the Building Access block should be configured as DHCP trusted ports.
D. All switch ports connecting to hosts in the Building Access block should be configured as DHCP untrusted ports.
E. All switch ports in the Server Farm block should be configured as DHCP untrusted ports.
F. All switch ports connecting to servers in the Server Farm block should be configured as DHCP untrusted ports.

Correct Answer: D Section: Access Security Explanation
Explanation/Reference:
Explanation: One of the ways that an attacker can gain access to network traffic is to spoof responses that would be sent by a valid DHCP server. The DHCP spoofing device replies to client DHCP requests. The legitimate server may reply also, but if the spoofing device is on the same segment as the client, its reply to the client may arrive first. The intruder’s DHCP reply offers an IP address and supporting information that designates the intruder as the default gateway or Domain Name System (DNS) server. In the case of a gateway, the clients will then forward packets to the attacking device, which will in turn send them to the desired destination. This is referred to as a “man-in-the-middle” attack, and it may go entirely undetected as the intruder intercepts the data flow through the network.
Untrusted ports are those that are not explicitly configured as trusted. A DHCP binding table is built for untrusted ports. Each entry contains the client MAC address, IP address, lease time, binding type, VLAN number, and port ID recorded as clients make DHCP requests. The table is then used to filter subsequent DHCP traffic. From a DHCP snooping perspective, untrusted access ports should not send any DHCP server responses, such as DHCPOFFER, DHCPACK, DHCPNAK.
QUESTION 6
Refer to the exhibit.

The web servers WS_1 and WS_2 need to be accessed by external and internal users. For security reasons, the servers should not communicate with each other, although they are located on the same subnet. However, the servers do need to communicate with a database server located in the inside network. Which configuration isolates the servers from each other?
A. The switch ports 3/1 and 3/2 are defined as secondary VLAN isolated ports. The ports connecting to the two firewalls are defined as primary VLAN promiscuous ports.
B. The switch ports 3/1 and 3/2 are defined as secondary VLAN community ports. The ports connecting to the two firewalls are defined as primary VLAN promiscuous ports.
C. The switch ports 3/1 and 3/2 and the ports connecting to the two firewalls are defined as primary VLAN promiscuous ports.
D. The switch ports 3/1 and 3/2 and the ports connecting to the two firewalls are defined as primary VLAN community ports.

Correct Answer: A Section: VLANs Security Explanation
Explanation/Reference:
Explanation:
Service providers often have devices from multiple clients, in addition to their own servers, on a single Demilitarized Zone (DMZ) segment or VLAN. As security issues proliferate, it becomes necessary to provide traffic isolation between devices, even though they may exist on the same Layer 3 segment and VLAN. Catalyst 6500/4500 switches implement PVLANs to keep some switch ports shared and some switch ports isolated, although all ports exist on the same VLAN. The 2950 and 3550 support “protected ports,” which provide functionality similar to PVLANs on a per-switch basis.

A port in a PVLAN can be one of three types:
Isolated: An isolated port has complete Layer 2 separation from other ports within the same PVLAN, except for the promiscuous port. PVLANs block all traffic to isolated ports, except the traffic from promiscuous ports. Traffic received from an isolated port is forwarded to only promiscuous ports.
Promiscuous: A promiscuous port can communicate with all ports within the PVLAN, including the community and isolated ports. The default gateway for the segment would likely be hosted on a promiscuous port, given that all devices in the PVLAN will need to communicate with that port.
Community: Community ports communicate among themselves and with their promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities, or in isolated ports within their PVLAN.

QUESTION 7
What does the command “udld reset” accomplish?
A. allows a UDLD port to automatically reset when it has been shut down
B. resets all UDLD enabled ports that have been shut down
C. removes all UDLD configurations from interfaces that were globally enabled
D. removes all UDLD configurations from interfaces that were enabled per-port
Correct Answer: B Section: STP Protection Explanation
Explanation/Reference:
Explanation:
QUESTION 8
Refer to the exhibit.

Dynamic ARP Inspection is enabled only on switch SW_A. Host_A and Host_B acquire their IP addresses from the DHCP server connected to switch SW_A. What would the outcome be if Host_B initiated an ARP spoof attack toward Host_A?
A. The spoof packets are inspected at the ingress port of switch SW_A and are permitted.
B. The spoof packets are inspected at the ingress port of switch SW_A and are dropped.
C. The spoof packets are not inspected at the ingress port of switch SW_A and are permitted.
D. The spoof packets are not inspected at the ingress port of switch SW_A and are dropped.

Correct Answer: C Section: Access Security Explanation
Explanation/Reference:
Explanation:
When configuring DAI, follow these guidelines and restrictions:

· DAI is an ingress security feature; it does not perform any egress checking.
· DAI is not effective for hosts connected to routers that do not support DAI or that do not have this feature enabled. Because man-in-the-middle attacks are limited to a single Layer 2 broadcast domain, separate the domain with DAI checks from the one with no checking. This action secures the ARP caches of hosts in the domain enabled for DAI.
· DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets that have dynamically assigned IP addresses.
· When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to deny packets.
· DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.

In our example, since Company2 does not have DAI enabled (bullet point 2 above), packets will not be inspected and they will be permitted.

Reference:
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/dynarp.html

QUESTION 9
Which statement is true about Layer 2 security threats?
A. MAC spoofing, in conjunction with ARP snooping, is the most effective counter-measure against reconnaissance attacks that use Dynamic ARP Inspection to determine vulnerable attack points.
B. DHCP snooping sends unauthorized replies to DHCP queries.
C. ARP spoofing can be used to redirect traffic to counter Dynamic ARP Inspection.
D. Dynamic ARP Inspection in conjunction with ARP spoofing can be used to counter DHCP snooping attacks.
E. MAC spoofing attacks allow an attacking device to receive frames intended for a different network host.
F. Port scanners are the most effective defense against Dynamic ARP Inspection.
Correct Answer: E Section: Access Security Explanation
Explanation/Reference:
Explanation:
First of all, MAC spoofing is not an effective counter-measure against any reconnaissance attack; it IS an
attack! Furthermore, reconnaissance attacks don’t use dynamic ARP inspection (DAI); DAI is a switch
feature used to prevent attacks.

QUESTION 10
What does the global configuration command “ip arp inspection vlan 10-12,15” accomplish?
A. validates outgoing ARP requests for interfaces configured on VLAN 10, 11, 12, or 15
B. intercepts all ARP requests and responses on trusted ports
C. intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings
D. discards ARP packets with invalid IP-to-MAC address bindings on trusted ports
Correct Answer: C Section: Access Security Explanation
Explanation/Reference:
Explanation: The “ip arp inspection” command enables Dynamic ARP Inspection (DAI) for the specified VLANs. DAI is a security feature that validates Address Resolution Protocol (ARP) packets in a network. DAI allows a network administrator to intercept, log, and discard ARP packets with invalid MAC address to IP address bindings. This capability protects the network from certain “man-in-the-middle” attacks.
Reference:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/20ew/configuration/guide/dynarp.html
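The DHCP snooping explanation (question 5) and the DAI explanations (questions 8 and 10) describe one pipeline: a binding table learned from DHCP, then used to filter DHCP and ARP on untrusted ports. The following Python model is an added example, not Cisco code or part of the original exam material; the class `AccessSwitch`, the port names, and the MAC and IP values are constructed, and the model simplifies real switch behaviour (bindings are learned from a DHCPREQUEST followed by a DHCPACK on a trusted port).

```python
from dataclasses import dataclass

# Server-originated DHCP messages that must never enter on an untrusted port.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding entry, with the fields the explanation lists."""
    mac: str
    ip: str
    lease_seconds: int
    binding_type: str
    vlan: int
    port: str


def parse_vlan_list(spec):
    """Expand a VLAN list such as '10-12,15' into {10, 11, 12, 15}."""
    vlans = set()
    for part in filter(None, spec.split(",")):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


class AccessSwitch:
    """Simplified model of one switch (hypothetical class, not a Cisco API)."""

    def __init__(self, snooping_vlans="", dai_vlans="", trusted_ports=()):
        self.snooping_vlans = parse_vlan_list(snooping_vlans)
        self.dai_vlans = parse_vlan_list(dai_vlans)
        self.trusted_ports = set(trusted_ports)
        self.pending = {}   # (vlan, client MAC) -> port the DHCPREQUEST came in on
        self.bindings = {}  # (vlan, client MAC) -> Binding
        self.drop_log = []  # (feature, port, reason) for every discarded packet

    def _drop(self, feature, port, reason):
        self.drop_log.append((feature, port, reason))
        return "drop"

    def dhcp_ingress(self, port, vlan, msg_type, src_mac, chaddr, yiaddr=None, lease=0):
        """Decide what to do with a DHCP message arriving on `port`."""
        if vlan not in self.snooping_vlans:
            return "forward"  # snooping is not enabled for this VLAN
        key = (vlan, chaddr)
        if port in self.trusted_ports:
            # Trusted ports are not filtered; an ACK seen here completes a binding.
            if msg_type == "DHCPACK" and key in self.pending:
                self.bindings[key] = Binding(chaddr, yiaddr, lease, "dhcp-snooping",
                                             vlan, self.pending.pop(key))
            return "forward"
        if msg_type in SERVER_MESSAGES:
            return self._drop("dhcp-snooping", port, f"{msg_type} on untrusted port")
        if src_mac != chaddr:
            return self._drop("dhcp-snooping", port,
                              "source MAC differs from client hardware address")
        bound = self.bindings.get(key)
        if msg_type == "DHCPRELEASE" and bound is not None:
            if bound.port != port:
                return self._drop("dhcp-snooping", port,
                                  "release from a port other than the bound one")
            del self.bindings[key]
        elif msg_type == "DHCPREQUEST":
            self.pending[key] = port
        return "forward"

    def arp_ingress(self, port, vlan, sender_mac, sender_ip):
        """DAI: ingress-only check of the ARP sender fields against the bindings."""
        if vlan not in self.dai_vlans or port in self.trusted_ports:
            return "forward"  # not inspected
        bound = self.bindings.get((vlan, sender_mac))
        if bound is None or bound.ip != sender_ip:
            return self._drop("dai", port, f"invalid binding {sender_ip} / {sender_mac}")
        return "forward"


def run_scenario(dai_vlans="10-12,15"):
    """Constructed scenario: client on Fa0/1, rogue host on Fa0/11, uplink Gi0/1."""
    client, rogue, server = "0000.5e00.5301", "0000.5e00.5366", "0000.5e00.53fe"
    sw = AccessSwitch(snooping_vlans="10", dai_vlans=dai_vlans, trusted_ports=["Gi0/1"])
    return {
        "client_request": sw.dhcp_ingress("Fa0/1", 10, "DHCPREQUEST", client, client),
        "server_ack": sw.dhcp_ingress("Gi0/1", 10, "DHCPACK", server, client,
                                      "10.10.10.20", 86400),
        "rogue_offer": sw.dhcp_ingress("Fa0/11", 10, "DHCPOFFER", rogue, client,
                                       "10.10.10.99"),
        "client_arp": sw.arp_ingress("Fa0/1", 10, client, "10.10.10.20"),
        "spoofed_arp": sw.arp_ingress("Fa0/11", 10, rogue, "10.10.10.20"),
        "bindings": sorted(sw.bindings.values(), key=lambda b: b.mac),
        "drop_log": sw.drop_log,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Calling `run_scenario(dai_vlans="")` models a switch with DHCP snooping but no DAI: the same spoofed ARP packet is forwarded because nothing inspects it at ingress.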
QUESTION 11
Refer to the exhibit.

Host A has sent an ARP message to the default gateway IP address 10.10.10.1. Which statement is true?
A. Because of the invalid timers that are configured, DSw1 does not reply.
B. DSw1 replies with the IP address of the next AVF.
C. DSw1 replies with the MAC address of the next AVF.
D. Because of the invalid timers that are configured, DSw2 does not reply.
E. DSw2 replies with the IP address of the next AVF.
F. DSw2 replies with the MAC address of the next AVF.
Correct Answer: F Section: HSRP Explanation
Explanation/Reference:
Explanation:
The Gateway Load Balancing Protocol (GLBP) is a Cisco-proprietary protocol designed to overcome the limitations of existing redundant router protocols. Some of the concepts are the same as with HSRP/VRRP, but the terminology is different and the behavior is much more dynamic and robust.

The trick behind this load balancing lies in the GLBP group. One router is elected the active virtual gateway (AVG). This router has the highest priority value, or the highest IP address in the group, if there is no highest priority. The AVG answers all ARP requests for the virtual router address. Which MAC address it returns depends on which load-balancing algorithm it is configured to use. In any event, the virtual MAC address supported by one of the routers in the group is returned. According to the exhibit, router Company2 is the active virtual gateway (AVG) because it has the highest IP address, the priorities being equal. When router Company1 sends the ARP message to 10.10.10.1, router Company2 will reply to Company1 as the active virtual router.
QUESTION 12
What are two methods of mitigating MAC address flooding attacks? (Choose two.)
A. Place unused ports in a common VLAN.
B. Implement private VLANs.
C. Implement DHCP snooping.
D. Implement port security.
E. Implement VLAN access maps
Correct Answer: DE Section: Access Security Explanation
Explanation/Reference:
Explanation:
QUESTION 13
Refer to the exhibit.

What information can be derived from the output?
A. Interfaces FastEthernet3/1 and FastEthernet3/2 are connected to devices that are sending BPDUs with a superior root bridge parameter and no traffic is forwarded across the ports. After the sending of BPDUs has stopped, the interfaces must be shut down administratively, and brought back up, to resume normal operation.
B. Devices connected to interfaces FastEthernet3/1 and FastEthernet3/2 are sending BPDUs with a superior root bridge parameter, but traffic is still forwarded across the ports.
C. Devices connected to interfaces FastEthernet3/1 and FastEthernet3/2 are sending BPDUs with a superior root bridge parameter and no traffic is forwarded across the ports. After the inaccurate BPDUs have been stopped, the interfaces automatically recover and resume normal operation.
D. Interfaces FastEthernet3/1 and FastEthernet3/2 are candidates for becoming the STP root port, but neither can realize that role until BPDUs with a superior root bridge parameter are no longer received on at least one of the interfaces.

Correct Answer: C Section: STP Protection Explanation
Explanation/Reference:
Explanation:
QUESTION 14
What is one method that can be used to prevent VLAN hopping?
A. Configure ACLs.
B. Enforce username and password combinations.
C. Configure all frames with two 802.1Q headers.
D. Explicitly turn off DTP on all unused ports.
E. Configure VACLs.
Correct Answer: D Section: VLANs Security Explanation
Explanation/Reference:
Explanation:
When securing VLAN trunks, also consider the potential for an exploit called VLAN hopping. Here, an attacker positioned on one access VLAN can craft and send frames with spoofed 802.1Q tags so that the packet payloads ultimately appear on a totally different VLAN, all without the use of a router.

For this exploit to work, the following conditions must exist in the network configuration:
The attacker is connected to an access switch port.
The same switch must have an 802.1Q trunk.
The trunk must have the attacker’s access VLAN as its native VLAN.

To prevent VLAN hopping, turn off Dynamic Trunking Protocol on all unused ports.

QUESTION 15
Why is BPDU guard an effective way to prevent an unauthorized rogue switch from altering the spanning-tree topology of a network?
A. BPDU guard can guarantee proper selection of the root bridge.
B. BPDU guard can be utilized along with PortFast to shut down ports when a switch is connected to the port.
C. BPDU guard can be utilized to prevent the switch from transmitting BPDUs and incorrectly altering the root bridge election.
D. BPDU guard can be used to prevent invalid BPDUs from propagating throughout the network.
Correct Answer: B Section: STP Protection Explanation
Explanation/Reference:
Explanation:
QUESTION 16
What two steps can be taken to help prevent VLAN hopping? (Choose two.)
A. Place unused ports in a common unrouted VLAN.
B. Enable BPDU guard.
C. Implement port security.
D. Prevent automatic trunk configurations.
E. Disable Cisco Discovery Protocol on ports where it is not necessary.

Correct Answer: AD Section: VLANs Security Explanation
Explanation/Reference:
Explanation:
QUESTION 17
Refer to the exhibit.

Assume that Switch_A is active for the standby group and the standby device has only the default HSRP configuration. Which statement is true?
A. If port Fa1/1 on Switch_A goes down, the standby device takes over as active.
B. If the current standby device had the higher priority value, it would take over the role of active for the HSRP group.
C. If port Fa1/1 on Switch_A goes down, the new priority value for the switch would be 190.
D. If Switch_A had the highest priority number, it would not take over as active router.
Correct Answer: C Section: HSRP Explanation
Explanation/Reference:
Explanation:
QUESTION 18
When an attacker is using switch spoofing to perform VLAN hopping, how is the attacker able to gather information?
A. The attacking station uses DTP to negotiate trunking with a switch port and captures all traffic that is allowed on the trunk.
B. The attacking station tags itself with all usable VLANs to capture data that is passed through the switch, regardless of the VLAN to which the data belongs.
C. The attacking station generates frames with two 802.1Q headers to cause the switch to forward the frames to a VLAN that would be inaccessible to the attacker through legitimate means.
D. The attacking station uses VTP to collect VLAN information that is sent out and then tags itself with the domain information to capture the data.
Correct Answer: A Section: VLANs Security Explanation
Explanation/Reference:
Explanation:
DTP should be disabled for all user ports on a switch. If the port is left with DTP auto-configured (default on
many switches), an attacker can connect and arbitrarily cause the port to start trunking and therefore pass
all VLAN information.

Reference:
http://www.cisco.com/en/US/solutions/ns340/ns517/ns224/ns376/net_design_guidance0900aecd800ebd1e.pdf
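The VLAN hopping conditions listed under question 14 and the DTP advice above can be checked mechanically against a switch configuration. The following Python audit is an added example, not part of the original exam material or any Cisco tool; both configuration excerpts are constructed, VLANs 998 and 999 are placeholder unused VLANs, and the audit assumes that a port with no `switchport mode` line negotiates DTP (the default on many switches, as the explanation notes).

```python
import re

# Assumed per-port defaults when a setting is absent from the configuration.
DEFAULTS = {"mode": "dynamic", "access_vlan": 1, "native_vlan": 1, "shutdown": False}

NATIVE_MATCH = "access VLAN equals a trunk native VLAN"
DTP_OPEN = "DTP can negotiate a trunk"

# Constructed excerpt with the weaknesses the explanations describe.
WEAK_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode dynamic auto
!
interface FastEthernet0/3
 description unused
!
interface FastEthernet0/4
 switchport access vlan 999
 switchport mode access
 shutdown
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
!
"""

# Constructed corrected excerpt: static access ports, unused port parked and
# shut down, trunk native VLAN moved to a VLAN no access port uses.
HARDENED_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 999
 switchport mode access
 shutdown
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 998
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return {interface name: settings} for every interface stanza."""
    ports, current = {}, None
    for raw in config.splitlines():
        header = re.fullmatch(r"interface (\S+)", raw.rstrip())
        if header:
            current = ports.setdefault(header.group(1), dict(DEFAULTS))
            continue
        if not raw.startswith(" "):
            current = None  # '!' or any unindented line ends the stanza
            continue
        if current is None:
            continue
        line = raw.strip()
        if m := re.fullmatch(r"switchport mode (access|trunk|dynamic)(?: \w+)?", line):
            current["mode"] = m.group(1)
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            current["access_vlan"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            current["native_vlan"] = int(m.group(1))
        elif line == "shutdown":
            current["shutdown"] = True
    return ports


def audit(config):
    """List (interface, finding) pairs for ports that are administratively up."""
    live = {n: p for n, p in parse_interfaces(config).items() if not p["shutdown"]}
    trunk_natives = {p["native_vlan"] for p in live.values() if p["mode"] == "trunk"}
    findings = []
    for name, port in live.items():
        if port["mode"] == "trunk":
            continue
        if port["access_vlan"] in trunk_natives:
            findings.append((name, NATIVE_MATCH))  # double-tagging precondition
        if port["mode"] == "dynamic":
            findings.append((name, DTP_OPEN))      # switch-spoofing precondition
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```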

QUESTION 19
Refer to the exhibit.

GLBP has been configured on the network. When the interface serial0/0/1 on router R1 goes down, how is the traffic coming from Host1 handled?
A. The traffic coming from Host1 and Host2 is forwarded through router R2 with no disruption.
B. The traffic coming from Host2 is forwarded through router R2 with no disruption. Host1 sends an ARP request to resolve the MAC address for the new virtual gateway.
C. The traffic coming from both hosts is temporarily interrupted while the switchover to make R2 active occurs.
D. The traffic coming from Host2 is forwarded through router R2 with no disruption. The traffic from Host1 is dropped due to the disruption of the load balancing feature configured for the GLBP group.

Correct Answer: A Section: GLBP Explanation
Explanation/Reference:
Explanation: The Gateway Load Balancing Protocol (GLBP) is a Cisco-proprietary protocol designed to overcome the limitations of existing redundant router protocols. Some of the concepts are the same as with HSRP/VRRP, but the terminology is different and the behavior is much more dynamic and robust and allows for load balancing. The trick behind this load balancing lies in the GLBP group. One router is elected the active virtual gateway (AVG). This router has the highest priority value, or the highest IP address in the group, if there is no highest priority. The AVG answers all ARP requests for the virtual router address. Which MAC address it returns depends on which load-balancing algorithm it is configured to use. In any event, the virtual MAC address supported by one of the routers in the group is returned. According to the exhibit, Company1 is the active virtual gateway and Company2 is the standby virtual gateway. So, when Company1 goes down, Company2 will become the active virtual gateway and all data goes through Company2.
QUESTION 20
Refer to the exhibit.

DHCP snooping is enabled for selected VLANs to provide security on the network. How do the switch ports handle the DHCP messages?
A. A DHCPOFFER packet from a DHCP server received on Ports Fa2/1 and Fa2/2 is dropped.
B. A DHCP packet received on ports Fa2/1 and Fa2/2 is dropped if the source MAC address and the DHCP client hardware address does not match Snooping database.
C. A DHCP packet received on ports Fa2/1 and Fa2/2 is forwarded without being tested.
D. A DHCPRELEASE message received on ports Fa2/1 and Fa2/2 has a MAC address in the DHCP snooping binding database, but the interface information in the binding database does not match the interface on which the message was received and is dropped.
Correct Answer: C Section: Access Security Explanation
Explanation/Reference:
Explanation:

Exam F
QUESTION 1
Refer to the exhibit and the partial configuration on routers R1 and R2.

HSRP is configured on the network to provide network redundancy for the IP traffic. The network administrator noticed that R2 does not become active when the R1 serial0 interface goes down. What should be changed in the configuration to fix the problem?
A. R2 should be configured with an HSRP virtual address.
B. R2 should be configured with a standby priority of 100.
C. The Serial0 interface on router R2 should be configured with a decrement value of 20.
D. The Serial0 interface on router R1 should be configured with a decrement value of 20.

Correct Answer: D Section: HSRP Explanation
Explanation/Reference:
Explanation:
You can configure a router to preempt or immediately take over the active role if its priority is the highest at any time. Use the following interface configuration command to allow preemption:
Switch(config-if)# standby group preempt [delay seconds]
By default, the router can preempt another immediately, without delay. You can use the delay keyword to force it to wait for seconds before becoming active. This is usually done if there are routing protocols that need time to converge.

QUESTION 2
Which optional feature of an Ethernet switch disables a port on a point-to-point link if the port does not receive traffic while Layer 1 status is up?
A. BackboneFast
B. UplinkFast
C. Loop Guard
D. UDLD aggressive mode
E. Fast Link Pulse bursts
F. Link Control Word
Correct Answer: D Section: STP Protection Explanation
Explanation/Reference:
Explanation:
QUESTION 3
Which three statements about routed ports on a multilayer switch are true? (Choose three.)
A. A routed port can support VLAN subinterfaces.
B. A routed port takes an IP address assignment.
C. A routed port can be configured with routing protocols.
D. A routed port is a virtual interface on the multilayer switch.
E. A routed port is associated only with one VLAN.
F. A routed port is a physical interface on the multilayer switch.
Correct Answer: BCF Section: MultiLayer Switching Explanation
Explanation/Reference:
Explanation:
QUESTION 4
Refer to the exhibit.

Why are users from VLAN 100 unable to ping users on VLAN 200?
A. Encapsulation on the switch is wrong.
B. Trunking must be enabled on Fa0/1.
C. The native VLAN is wrong.
D. VLAN 1 needs the no shutdown command.
E. IP routing must be enabled on the switch.

Correct Answer: B Section: VLANs, Trunks Explanation
Explanation/Reference:
Explanation:
QUESTION 5
Which three statements about Dynamic ARP Inspection are true? (Choose three.)
A. It determines the validity of an ARP packet based on the valid MAC address-to-IP address bindings stored in the DHCP snooping database.
B. It forwards all ARP packets received on a trusted interface without any checks.
C. It determines the validity of an ARP packet based on the valid MAC address-to-IP address bindings stored in the CAM table.
D. It forwards all ARP packets received on a trusted interface after verifying and inspecting the packet against the Dynamic ARP Inspection table.
E. It intercepts all ARP packets on untrusted ports.
F. It is used to prevent against a DHCP snooping attack.
Correct Answer: ABE Section: Access Security Explanation
Explanation/Reference:
Explanation:
QUESTION 6
A network administrator wants to configure 802.1x port-based authentication, however, the client workstation is not 802.1x compliant. What is the only supported authentication server that can be used?
A. TACACS with LEAP extensions
B. TACACS+
C. RADIUS with EAP extensions
D. LDAP
Correct Answer: C Section: Access Security Explanation
Explanation/Reference:
Explanation:
QUESTION 7
The following command was issued on a router that is being configured as the active HSRP router.
standby ip 10.2.1.1
Which statement about this command is true?
A. This command will not work because the HSRP group information is missing.
B. The HSRP MAC address will be 0000.0c07.ac00.
C. The HSRP MAC address will be 0000.0c07.ac01.
D. The HSRP MAC address will be 0000.070c.ac11.
E. This command will not work because the active parameter is missing.

Correct Answer: B Section: HSRP Explanation
Explanation/Reference:
Explanation:
QUESTION 8
Refer to the exhibit.

The link between switch SW1 and switch SW2 is configured as a trunk, but the trunk failed to establish connectivity between the switches. Based on the configurations and the error messages received on the console of SW1, what is the cause of the problem?
A. The two ends of the trunk have different duplex settings.
B. The two ends of the trunk have different EtherChannel configurations.
C. The two ends of the trunk have different native VLAN configurations.
D. The two ends of the trunk allow different VLANs on the trunk.
Correct Answer: C Section: VLANs, Trunks Explanation
Explanation/Reference:
Explanation:
QUESTION 9
A campus infrastructure supports wireless clients via Cisco Aironet AG Series 1230, 1240, and 1250
access points. With DNS and DHCP configured, the 1230 and 1240 access points appear to boot and
operate normally. However, the 1250 access points do not seem to operate correctly.
What is the most likely cause of this problem?

A. DHCP with option 150
B. DHCP with option 43
C. PoE
D. DNS
E. switch port does not support gigabit speeds
Correct Answer: C Section: WLANs Explanation
Explanation/Reference:
Explanation:
QUESTION 10
A standalone wireless AP solution is being installed into the campus infrastructure. The access points appear to boot correctly, but wireless clients are not obtaining correct access. You verify that this is the local switch configuration connected to the access point:
interface ethernet 0/1
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 mls qos trust dscp
What is the most likely cause of the problem?
A. QoS trust should not be configured on a port attached to a standalone AP.
B. QoS trust for switchport mode access should be defined as “cos”.
C. switchport mode should be defined as “trunk” with respective QoS.
D. switchport access vlan should be defined as “1”.
Correct Answer: C Section: WLANs Explanation
Explanation/Reference:
Explanation:
QUESTION 11
During the implementation of a voice solution, which two required items are configured at an access layer switch that will be connected to an IP phone to provide VoIP communication? (Choose two.)
A. allowed codecs
B. untagged VLAN
C. auxiliary VLAN
D. Cisco Unified Communications Manager IP address
E. RSTP
Correct Answer: BC Section: IP Telephony Explanation
Explanation/Reference:
Explanation:
QUESTION 12
Which two statements best describe Cisco IOS IP SLA? (Choose two.)
A. only implemented between Cisco source and destination-capable devices
B. statistics provided by syslog, CLI, and SNMP
C. measures delay, jitter, packet loss, and voice quality
D. only monitors VoIP traffic flows
E. provides active monitoring
Correct Answer: CE Section: Network Monitoring Explanation
Explanation/Reference:
Explanation:
QUESTION 13
Which two items best describe a Cisco IOS IP SLA responder? (Choose two.)
A. required at the destination to implement Cisco IOS IP SLA services
B. improves measurement accuracy
C. required for VoIP jitter measurements
D. provides security on Cisco IOS IP SLA messages via LEAP or EAP-FAST authentication
E. responds to one Cisco IOS IP SLA operation per port
F. stores the resulting test statistics
Correct Answer: BC Section: Network Monitoring Explanation
Explanation/Reference:
Explanation:
QUESTION 14
Which two characteristics apply to Cisco Catalyst 6500 Series Switch supervisor redundancy using NSF? (Choose two.)
A. supported by RIPv2, OSPF, IS-IS, and EIGRP
B. uses the FIB table
C. supports IPv4 and IPv6 multicast
D. prevents route flapping
E. independent of SSO
F. NSF combined with SSO enables supervisor engine load balancing
Correct Answer: BD Section: Supervisor and Route Processor Redundancy Explanation
Explanation/Reference:
Explanation:
QUESTION 15
You are tasked with designing a security solution for your network. What information should be gathered before you design the solution?
A. IP addressing design plans, so that the network can be appropriately segmented to mitigate potential network threats
B. a list of the customer requirements
C. detailed security device specifications
D. results from pilot network testing
Correct Answer: B Section: Access Security Explanation
Explanation/Reference:
Explanation:
QUESTION 16
Which two components should be part of a security implementation plan? (Choose two.)
A. detailed list of personnel assigned to each task within the plan
B. a Layer 2 spanning-tree design topology
C. rollback guidelines
D. placing all unused access ports in VLAN 1 to proactively manage port security
E. enabling SNMP access to Cisco Discovery Protocol data for logging and forensic analysis
Correct Answer: BC Section: Access Security Explanation
Explanation/Reference:
Explanation:
QUESTION 17
When creating a network security solution, which two pieces of information should you have obtained previously to assist in designing the solution? (Choose two.)
A. a list of existing network applications currently in use on the network
B. network audit results to uncover any potential security holes
C. a planned Layer 2 design solution
D. a proof-of-concept plan
E. device configuration templates
Correct Answer: AB Section: Access Security Explanation
Explanation/Reference:
Explanation:
QUESTION 18
What action should you be prepared to take when verifying a security solution?
A. having alternative addressing and VLAN schemes
B. having a rollback plan in case of unwanted or unexpected results
C. running a test script against all possible security threats to ensure that the solution will mitigate all potential threats
D. isolating and testing each security domain individually to ensure that the security design will meet overall requirements when placed into production as an entire system
Correct Answer: B Section: Access Security Explanation
Explanation/Reference:
Explanation:
QUESTION 19
When you enable port security on an interface that is also configured with a voice VLAN, what is the maximum number of secure MAC addresses that should be set on the port?
A. No more than one secure MAC address should be set.
B. The default is set.
C. The IP phone should use a dedicated port, therefore only one MAC address is needed per port.
D. No value is needed if the switchport priority extend command is configured.
E. No more than two secure MAC addresses should be set.
Correct Answer: B Section: Access Security Explanation
Explanation/Reference:
Explanation:
QUESTION 20
Refer to the exhibit.

From the configuration shown, what can be determined?
A. The sticky addresses are only those manually configured MAC addresses enabled with the sticky keyword.
B. The remaining secure MAC addresses are learned dynamically, converted to sticky secure MAC addresses, and added to the running configuration.
C. A voice VLAN is configured in this example, so port security should be set for a maximum of 2.
D. A security violation restricts the number of addresses to a maximum of 10 addresses per access VLAN and voice VLAN. The port is shut down if more than 10 devices per VLAN attempt to access the port.
Correct Answer: B Section: Access Security Explanation
Explanation/Reference:
Explanation:

Exam G
QUESTION 1
Refer to the exhibit.

BPDUGuard is enabled on both ports of SwitchA. Initially, LinkA is connected and forwarding traffic. A new LinkB is then attached between SwitchA and HubA. Which two statements about the possible result of attaching the second link are true? (Choose two.)
A. The switch port attached to LinkB does not transition to up.
B. One or both of the two switch ports attached to the hub go into the err-disabled state when a BPDU is received.
C. Both switch ports attached to the hub transition to the blocking state.
D. A heavy traffic load could cause BPDU transmissions to be blocked and leave a switching loop.
E. The switch port attached to LinkA immediately transitions to the blocking state.

Correct Answer: BD Section: STP Protection Explanation
Explanation/Reference:
Explanation:
QUESTION 2
What action should a network administrator take to enable VTP pruning on an entire management domain?
A. Enable VTP pruning on any client switch in the domain.
B. Enable VTP pruning on every switch in the domain.
C. Enable VTP pruning on any switch in the management domain.
D. Enable VTP pruning on a VTP server in the management domain.
Correct Answer: D Section: VTP Explanation
Explanation/Reference:
Explanation:
VTP pruning should only be enabled on VTP servers; all the clients in the VTP domain will automatically enable VTP pruning -> C is correct.
QUESTION 3
How does VTP pruning enhance network bandwidth?
A. by restricting unicast traffic across VTP domains
B. by reducing unnecessary flooding of traffic to inactive VLANs
C. by limiting the spreading of VLAN information
D. by disabling periodic VTP updates
Correct Answer: B Section: VTP Explanation
Explanation/Reference:
Answer: B
Explanation: VTP Pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast frames on a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN. The following example shows the operation of a VTP domain without and with VTP Pruning.
Without VTP Pruning:

VTP domain without VTP Pruning
When PC A sends a broadcast frame on VLAN 10, it travels across all trunk links in the VTP domain. Switches Server, Sw2, and Sw3 all receive broadcast frames from PC A. But only Sw3 has a user on VLAN 10, so the frame is a waste of bandwidth on Sw2. Moreover, that broadcast traffic also consumes processor time on Sw2. The link between switches Server and Sw2 does not need to carry any VLAN 10 traffic, so it can be “pruned”.

VTP domain with VTP Pruning
QUESTION 4
In the hardware address 0000.0c07.ac0a, what does 07.ac represent?
A. vendor code
B. HSRP group number
C. HSRP router number
D. HSRP well-known physical MAC address
E. HSRP well-known virtual MAC address
Correct Answer: E Section: HSRP Explanation
Explanation/Reference:
Explanation: HSRP code (HSRP well-known virtual MAC address). The fact that the MAC address is for an HSRP virtual router is indicated in the next two bytes of the address. The HSRP code is always 07.ac. The HSRP protocol uses a virtual MAC address, which always contains the 07.ac numerical value.
Reference: Building Cisco Multilayer Switched Networks (Cisco Press) page 268
QUESTION 5
Refer to the exhibit.
The network operations center has received a call stating that users in VLAN 107 are unable to access resources through router 1. What is the cause of this problem?
A. VLAN 107 does not exist on switch A.
B. VTP is pruning VLAN 107.
C. VLAN 107 is not configured on the trunk.
D. Spanning tree is not enabled on VLAN 107.
Correct Answer: B Section: VTP
Explanation Explanation/Reference:
Answer: B

“VLAN allowed on trunk” – Each trunk allows all VLANs by default. However, the administrator can remove VLANs from or add VLANs to the list by using the “switchport trunk allowed” command.
“VLANs allowed and active in management” – To be active, a VLAN must be in this list.
“VLANs in spanning tree forwarding state and not pruned” – This list is a subset of the “allowed and active” list but with any VTP-pruned VLANs removed.
All VLANs were configured except VLAN 101 so D is not correct. VLAN 107 exists in the “allowed and active” section so A and C are not correct, either. In the “forwarding state and not pruned” section we don’t see VLAN 107, so the administrator had wrongly configured this VLAN as pruned.

QUESTION 6
Which protocol will enable a group of routers to form a single virtual router and will use the real IP address of a router as the gateway address?
A. Proxy ARP
B. HSRP
C. IRDP
D. VRRP
E. GLBP
Correct Answer: D Section: VRRP Explanation
Explanation/Reference:
Explanation:
The Virtual Router Redundancy Protocol (VRRP) feature enables a group of routers to form a single virtual router. The LAN clients can then be configured with the virtual router as their default gateway. The virtual router, representing a group of routers, is also known as a VRRP group.
VRRP is defined in RFC 2338.
Reference: http://www.faqs.org/rfcs/rfc2338.html

QUESTION 7
On a multilayer Cisco Catalyst switch, which interface command is used to convert a Layer 3 interface to a Layer 2 interface?
A. switchport
B. no switchport
C. switchport mode access
D. switchport access vlan vlan-id
Correct Answer: A Section: MultiLayer Switching Explanation
Explanation/Reference:
Explanation:
The switchport command puts the port in Layer 2 mode. Then, you can use other switchport command
keywords to configure trunking, access VLANs, and so on.

QUESTION 8
Refer to the exhibit.

What can be determined about the HSRP relationship from the displayed debug output?
A. The preempt feature is not enabled on the 172.16.11.111 router.
B. The nonpreempt feature is enabled on the 172.16.11.112 router.
C. Router 172.16.11.111 will be the active router because its HSRP priority is preferred over router 172.16.11.112.
D. Router 172.16.11.112 will be the active router because its HSRP priority is preferred over router 172.16.11.111.
E. The IP address 172.16.11.111 is the virtual HSRP router IP address.
F. The IP address 172.16.11.112 is the virtual HSRP router IP address.

Correct Answer: A Section: HSRP Explanation
Explanation/Reference:
Explanation: The standby preempt interface configuration command allows the router to become the active router when its priority is higher than all other HSRP-configured routers in this Hot Standby group. The configurations of both routers include this command so that each router can be the standby router for the other router. The 1 indicates that this command applies to Hot Standby group 1. If you do not use the standby preempt command in the configuration for a router, that router cannot become the active router.
QUESTION 9
Refer to the exhibit.

All network links are FastEthernet. Although there is complete connectivity throughout the network, Front Line users report that they experience slower network performance when accessing the server farm than the Reception office experiences. Which two statements are true? (Choose two.)
A. Changing the bridge priority of S1 to 4096 would improve network performance.
B. Changing the bridge priority of S1 to 36864 would improve network performance.
C. Changing the bridge priority of S2 to 36864 would improve network performance.
D. Changing the bridge priority of S3 to 4096 would improve network performance.
E. Disabling the Spanning Tree Protocol would improve network performance.
F. Upgrading the link between S2 and S3 to Gigabit Ethernet would improve performance.

Correct Answer: BD Section: STP Explanation
Explanation/Reference:
Explanation:
QUESTION 10
What two things occur when an RSTP edge port receives a BPDU? (Choose two.)
A. The port immediately transitions to the forwarding state.
B. The switch generates a Topology Change Notification BPDU.
C. The port immediately transitions to the err-disable state.
D. The port becomes a normal STP switch port.
Correct Answer: BD Section: RSTP, MST Explanation
Explanation/Reference:
Explanation:
QUESTION 11
What is the effect of configuring the following command on a switch?
Switch(config)# spanning-tree portfast bpdufilter default
A. If BPDUs are received by a port configured for PortFast, then PortFast is disabled and the BPDUs are processed normally.
B. If BPDUs are received by a port configured for PortFast, they are ignored and none are sent.
C. If BPDUs are received by a port configured for PortFast, the port transitions to the forwarding state.
D. The command enables BPDU filtering on all ports regardless of whether they are configured for BPDU filtering at the interface level.
Correct Answer: A Section: STP Protection Explanation
Explanation/Reference:
Explanation:
QUESTION 12
Refer to the exhibit.

Based on the debug output, which three statements about HSRP are true? (Choose three.)
A. The final active router is the router with IP address 172.16.11.111.
B. The router with IP address 172.16.11.111 has preempt configured.
C. The priority of the router with IP address 172.16.11.112 is preferred over the router with IP address 172.16.11.111.
D. The IP address 172.16.11.115 is the virtual HSRP IP address.
E. The router with IP address 172.16.11.112 has nonpreempt configured.
F. The router with IP address 172.16.11.112 is using default HSRP priority.

Correct Answer: ABD Section: HSRP Explanation
Explanation/Reference:
Explanation:
QUESTION 13
Refer to the exhibit.

Which two problems are the most likely cause of the exhibited output? (Choose two.)
A. spanning tree issues
B. HSRP misconfiguration
C. VRRP misconfiguration
D. physical layer issues
E. transport layer issues

Correct Answer: BD Section: HSRP Explanation
Explanation/Reference:
Explanation:
QUESTION 14
Refer to the exhibit.

What does the command channel-group 1 mode desirable do?
A. enables LACP unconditionally
B. enables PAgP only if a PAgP device is detected
C. enables PAgP unconditionally
D. enables EtherChannel only
E. enables LACP only if an LACP device is detected
Correct Answer: C Section: EtherChannels Explanation
Explanation/Reference:
Explanation:
QUESTION 15
Refer to the exhibit.

Which two statements are true? (Choose two.)
A. Interface gigabitethernet 0/1 has been configured as a Layer 3 port.
B. Interface gigabitethernet 0/1 does not appear in the show vlan output because switchport is enabled.
C. Interface gigabitethernet 0/1 does not appear in the show vlan output because it is configured as a trunk interface.
D. VLAN2 has been configured as the native VLAN for the 802.1q trunk on interface gigabitethernet 0/1.
E. Traffic on VLAN 1 that is sent out gigabitethernet 0/1 will have an 802.1q header applied.
F. Traffic on VLAN 2 that is sent out gigabitethernet 0/1 will have an 802.1q header applied.
Correct Answer: CF Section: VLANs, Trunks Explanation
Explanation/Reference:
Explanation:
QUESTION 16
Which two statements about HSRP, VRRP, and GLBP are true? (Choose two.)
A. GLBP allows for router load balancing of traffic from a network segment without the different host IP configurations needed to achieve the same results with HSRP.
B. GLBP allows for router load balancing of traffic from a network segment by utilizing the creation of multiple standby groups.
C. GLBP and VRRP allow for MD5 authentication, whereas HSRP does not.
D. Unlike HSRP and VRRP, GLBP allows automatic selection and simultaneous use of multiple available gateways.
E. HSRP allows for multiple upstream active links being simultaneously used, whereas GLBP does not.
Correct Answer: AD Section: GLBP Explanation
Explanation/Reference:
Explanation:
QUESTION 17
Refer to the exhibit and the partial configuration of switch SW_A and SW_B.

STP is configured on all switches in the network. SW_B receives this error message on the console port:
00:06:34: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/5 (not half duplex), with SW_A FastEthernet0/4 (half duplex), with TBA05071417(Cat6K-B) 0/4 (half duplex).
What is the possible outcome of the problem?
A. The root port on switch SW_A will automatically transition to full-duplex mode.
B. The root port on switch SW_B will fall back to full-duplex mode.
C. The interfaces between switches SW_A and SW_B will transition to a blocking state.
D. Interface Fa 0/6 on switch SW_B will transition to a forwarding state and create a bridging loop.

Correct Answer: D Section: STP Explanation
Explanation/Reference:
Explanation:
QUESTION 18
Refer to the exhibit.

Which statement is true?
A. IP traffic matching access list ABC is forwarded through VLANs 5-10.
B. IP traffic matching VLAN list 5-10 is forwarded, and all other traffic is dropped.
C. All VLAN traffic matching VLAN list 5-10 is forwarded, and all traffic matching access list ABC is dropped.
D. All VLAN traffic in VLANs 5-10 that match access list ABC is forwarded, and all other traffic is dropped.
Correct Answer: D Section: VLANs Security Explanation
Explanation/Reference:
Explanation:
QUESTION 19
Which two statements about HSRP are true? (Choose two.)
A. Load sharing with HSRP is achieved by creating multiple subinterfaces on the HSRP routers.
B. Load sharing with HSRP is achieved by creating HSRP groups on the HSRP routers.
C. Routers configured for HSRP must belong only to one group per HSRP interface.
D. Routers configured for HSRP can belong to multiple groups and multiple VLANs.
E. All routers configured for HSRP load balancing must be configured with the same priority.
Correct Answer: BD Section: HSRP Explanation
Explanation/Reference:
Explanation:
QUESTION 20
Which statement about 802.1x port-based authentication is true?
A. Hosts are required to have an 802.1x authentication client or utilize PPPoE.
B. Before transmitting data, an 802.1x host must determine the authorization state of the switch.
C. RADIUS is the only supported authentication server type.
D. If a host initiates the authentication process and does not receive a response, it assumes it is not authorized.
Correct Answer: C Section: Access Security Explanation
Explanation/Reference:
Explanation: The IEEE 802.1x standard defines a port-based access control and authentication protocol that restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports. The authentication server authenticates each workstation that is connected to a switch port before making available any services offered by the switch or the LAN. Until the workstation is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the workstation is connected. After authentication succeeds, normal traffic can pass through the port.
Authentication server: Performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. The RADIUS security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server.
New Questions

Exam H
QUESTION 1
Refer to the exhibit.

Switch S1 has been configured with the command spanning-tree mode rapid-pvst. Switch S3 has been configured with the command spanning-tree mode mst. Switch S2 is running the IEEE 802.1D instance of Spanning Tree. What is the result?
A. IEEE 802.1w and IEEE 802.1s are compatible. IEEE 802.1d is incompatible. Switches S1 and S3 can pass traffic between themselves. Neither can pass traffic to switch S2.
B. Switches S1, S2, and S3 can pass traffic between themselves.
C. Switches S1, S2, and S3 can pass traffic between themselves. However, if the topology is changed, switch S2 does not receive notification of the change.
D. IEEE 802.1d, IEEE 802.1w, and IEEE 802.1s are incompatible. All three switches must use the same standard or no traffic can pass between any of the switches.

Correct Answer: B Section: RSTP, MST Explanation
Explanation/Reference:
Explanation:
QUESTION 2
Refer to the exhibit.

What can be concluded about VLANs 200 and 202?
A. VLAN 202 carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN. VLAN 200 carries traffic between community ports and to promiscuous ports.
B. VLAN 202 carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN. VLAN 200 carries traffic from isolated ports to a promiscuous port.
C. VLAN 200 carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN. VLAN 202 carries traffic between community ports and to promiscuous ports.
D. VLAN 200 carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN. VLAN 202 carries traffic from isolated ports to a promiscuous port.

Correct Answer: B Section: VLANs Security Explanation
Explanation/Reference:
Explanation:
QUESTION 3
Refer to the exhibit.

Both routers are configured for the GLBP. Which statement is true?
A. The default gateway addresses of both hosts should be set to the IP addresses of both routers.
B. The default gateway address of each host should be set to the virtual IP address.
C. The hosts learn the proper default gateway IP address from router A.
D. The hosts have different default gateway IP addresses and different MAC addresses for each router.
Correct Answer: B Section: GLBP Explanation
Explanation/Reference:
Explanation: GLBP performs a similar, but not identical, function for the user as HSRP and VRRP. Both HSRP and VRRP allow multiple routers to participate in a virtual router group configured with a virtual IP address. One member is elected to be the active router to forward packets sent to the virtual IP address for the group. The other routers in the group are redundant until the active router fails. With standard HSRP and VRRP, these standby routers pass no traffic in normal operation, which is wasteful. Therefore the concept came about of using multiple virtual router groups, which are configured for the same set of routers. But to share the load, the hosts must be configured for different default gateways, which results in an extra administrative burden of going around and configuring every host and creating 2 or more groups of hosts that each use a different default gateway. GLBP is similar in that it provides load balancing over multiple routers (gateways), but it can do this using only ONE virtual IP address. Underneath that one virtual IP address are multiple virtual MAC addresses, and this is how the load is balanced between the routers. Instead of the hassle of configuring all the hosts with a static default gateway, you can let them use ARP to find their own. Multiple gateways in a “GLBP redundancy group” respond to client Address Resolution Protocol (ARP) requests in a shared and ordered fashion, each with their own unique virtual MAC addresses. As such, workstation traffic is divided across all possible gateways. Each host is configured with the same virtual IP address, and all routers in the virtual router group participate in forwarding packets.
Reference: http://www.infocellar.com/networks/Routers/HSRP-GLBP-VRRP.htm
QUESTION 4
A switch has been configured with PVLANs. With what type of PVLAN port should the default gateway be configured?
A. isolated
B. promiscuous
C. community
D. primary
E. trunk
Correct Answer: B Section: VLANs Security Explanation
Explanation/Reference:
Explanation:
Promiscuous: The switch port connects to a router, firewall, or other common gateway device. This port
can communicate with anything else connected to the primary or any secondary VLAN. In other words, the
port is in promiscuous mode, in which the rules of private VLANs are ignored.

QUESTION 5
In the MAC address 0000.0c07.ac03, what does the “03” represent?
A. HSRP router number 3
B. Type of encapsulation
C. HSRP group number
D. VRRP group number
E. GLBP group number
Correct Answer: C Section: HSRP Explanation
Explanation/Reference:
Explanation: Each router keeps a unique MAC address for its interface. This MAC address is always associated with the unique IP address configured on the interface. For the virtual router address, HSRP defines a special MAC address of the form 0000.0c07.acxx, where xx represents the HSRP group number as a two-digit hex value. For example, HSRP Group 1 appears as 0000.0c07.ac01, HSRP Group 16 appears as 0000.0c07.ac10.
QUESTION 6
A network is deployed using recommended practices of the enterprise campus network model, including users with desktop computers connected via IP phones. Given that all components are QoS-capable, where are the two optimal locations for trust boundaries to be configured by the network administrator? (Choose two.)
A. host
B. IP phone
C. access layer switch
D. distribution layer switch
E. core layer switch
Correct Answer: BC Section: IP Telephony Explanation
Explanation/Reference:
Explanation:
QUESTION 7
What is needed to verify that a newly implemented security solution is performing as expected?
A. a detailed physical and logical topology
B. a cost analysis of the implemented solution
C. detailed logs from the AAA and SNMP servers
D. results from audit testing of the implemented solution
Correct Answer: D Section: Access Security Explanation
Explanation/Reference:
Explanation:
QUESTION 8
When configuring port security on a Cisco Catalyst switch port, what is the default action taken by the switch if a violation occurs?
A. protect (drop packets with unknown source addresses)
B. restrict (increment SecurityViolation counter)
C. shut down (access or trunk port)
D. transition (the access port to a trunking port)
Correct Answer: C Section: Access Security Explanation
Explanation/Reference:
Explanation:
QUESTION 9
hostname Switch1
interface Vlan10
 ip address 172.16.10.32 255.255.255.0
 no ip redirects
 standby 1 ip 172.16.10.110
 standby 1 timers 1 5
 standby 1 priority 130

hostname Switch2
interface Vlan10
 ip address 172.16.10.33 255.255.255.0
 no ip redirects
 standby 1 ip 172.16.10.110
 standby 1 timers 1 5
 standby 1 priority 120

Refer to the above. HSRP was implemented and configured on two switches while scheduled network maintenance was performed.
After the two switches have finished rebooting, you notice via show commands that Switch2 is the HSRP active router. Which two items are the most likely cause of Switch1 not becoming the active router? (Choose two.)
A. Booting has been delayed.
B. The standby group number does not match the VLAN number.
C. IP addressing is incorrect.
D. Preemption is disabled.
E. Standby timers are incorrect.
F. IP redirect is disabled.
Correct Answer: AD Section: HSRP Explanation
Explanation/Reference:
Explanation:
QUESTION 10
Private VLANs can be configured as which three port types? (Choose three.)
A. isolated
B. protected
C. private
D. associated
E. promiscuous
F. community
Correct Answer: AEF Section: VLANs Security Explanation
Explanation/Reference:
Explanation:
QUESTION 11
Refer to the exhibit.

Which statement about the private VLAN configuration is true?
A. Only VLAN 503 will be the community PVLAN, because multiple community PVLANs are not allowed.
B. Users of VLANs 501 and 503 will be able to communicate.
C. VLAN 502 is a secondary VLAN.
D. VLAN 502 will be a standalone VLAN, because it is not associated with any other VLANs.

Correct Answer: C Section: VLANs Security Explanation
Explanation/Reference:
Explanation:
QUESTION 12
When configuring a routed port on a Cisco multilayer switch, which configuration task is needed to enable that port to function as a routed port?
A. Enable the switch to participate in routing updates from external devices with the router command in global configuration mode.
B. Enter the no switchport command to disable Layer 2 functionality at the interface level.
C. Each port participating in routing of Layer 3 packets must have an IP routing protocol assigned on a per-interface level.
D. Routing is enabled by default on a multilayer switch, so the port can become a Layer 3 routing interface by assigning the appropriate IP address and subnet information.
Correct Answer: B Section: MultiLayer Switching Explanation
Explanation/Reference:
Explanation:
QUESTION 13
You have configured a Cisco Catalyst switch to perform Layer 3 routing via an SVI and you have assigned that interface to VLAN 20. To check the status of the SVI, you issue the show interfaces vlan 20 command at the CLI prompt. You see from the output display that the interface is in an up/up state. What must be true in an SVI configuration to bring the VLAN and line protocol up?
A. The port must be physically connected to another Layer 3 device.
B. At least one port in VLAN 20 must be active.
C. The Layer 3 routing protocol must be operational and receiving routing updates from neighboring peer devices.
D. Because this is a virtual interface, the operational status is always in an “up/up” state.
Correct Answer: B Section: MultiLayer Switching Explanation
Explanation/Reference:
Explanation:
QUESTION 14
Refer to the exhibit, which is from a Cisco Catalyst 3560 Series Switch.

Which statement about the Layer 3 routing functionality of the interface is true?
A. The interface is configured correctly for Layer 3 routing capabilities.
B. The interface needs an additional configuration entry to enable IP routing protocols.
C. Since the interface is connected to a host device, the spanning-tree portfast command must be added to the interface.
D. An SVI interface is needed to enable IP routing for network 192.20.135.0.

Correct Answer: A Section: MultiLayer Switching Explanation
Explanation/Reference:
Explanation:
