CCNA – Switch Questions
Here you will find answers about Switch Questions – Part 1
Question 1
Which two commands can be used to verify a trunk link configuration status on a Cisco switch? (choose two)
A. show interfaces trunk
B. show interfaces switchport
C. show ip interface brief
D. show interfaces vlan
Answer: A B
Explanation
The “show interfaces trunk” command and “show interfaces switchport” command can be used to verify the status of an interface (trunking or not). The outputs of these commands are shown below (port Ethernet 1/0 has been configured as trunk):
The “show ip interface brief” command only gives us information about the IP address, the status (up/down) of an interface:
The “show interfaces vlan” command only gives us information about that VLAN, not about which ports are the trunk links:
Question 2
Refer to the exhibit. The following commands are executed on interface fa0/1 of 2950Switch.
2950Switch(config-if)#switchport port-security
2950Switch(config-if)#switchport port-security mac-address sticky
2950Switch(config-if)#switchport port-security maximum 1
The Ethernet frame that is shown arrives on interface fa0/1. What two functions will occur when this frame is received by 2950Switch? (Choose two)
A. The MAC address table will now have an additional entry of fa0/1 FFFF.FFFF.FFFF.
B. Only host A will be allowed to transmit frames on fa0/1.
C. This frame will be discarded when it is received by 2950Switch.
D. All frames arriving on 2950Switch with a destination of 0000.00aa.aaaa will be forwarded out fa0/1.
E. Hosts B and C may forward frames out fa0/1 but frames arriving from other switches will not be forwarded out fa0/1.
F. Only frames from source 0000.00bb.bbbb, the first learned MAC address of 2950Switch, will be forwarded out fa0/1.
Answer: B D
Explanation
Please read the explanation at http://www.9tut.net/icnd2/icnd2-operations
Question 3
Which Cisco Catalyst feature automatically disables the port in an operational PortFast upon receipt of a BPDU?
A. BackboneFast
B. UplinkFast
C. Root Guard
D. BPDU Guard
E. BPDU Filter
Answer: D
Explanation
We only enable PortFast feature on access ports (ports connected to end stations). But if someone does not know he can accidentally plug that port to another switch and a loop may occur when BPDUs are being transmitted and received on these ports.
With BPDU Guard, when a PortFast receives a BPDU, it will be shut down to prevent a loop -> D is correct.
Question 4
Why will a switch never learn a broadcast address?
A. Broadcast frames are never sent to switches.
B. Broadcast addresses use an incorrect format for the switching table.
C. A broadcast address will never be the source address of a frame.
D. Broadcasts only use network layer addressing.
E. A broadcast frame is never forwarded by a switch.
Answer: C
Question 5
Which three statements accurately describe layer 2 Ethernet switches? (choose three)
A. Microsegmentation decreases the number of collisions on the network.
B. If a switch receives a frame for an unknown destination, it uses ARP to resolve the address.
C. Spanning Tree Protocol allows switches to automatically share vlan information.
D. In a property functioning network with redundant switched paths, each switched segment will contain one root bridge with all its ports in the forwarding state. All other switches in that broadcast domain will have only one root port.
E. Establishing vlans increases the number of broadcast domains.
F. Switches that are configured with vlans make forwarding decisions based on both layer 2 and layer 3 address information.
Answer: A D E
Explanation
Microsegmentation is a network design (functionality) where each workstation or device on a network gets its own dedicated segment (collision domain) to the switch. Each network device gets the full bandwidth of the segment and does not have to share the segment with other devices. Microsegmentation reduces and can even eliminate collisions because each segment is its own collision domain -> A is correct.
Note: Microsegmentation decreases the number of collisions but it increases the number of collision domains.
D and E are correct based on the theory of STP and VLAN.
Question 6
Switch ports operating in which two roles will forward traffic according to the IEEE 802.1w standard? (Choose two)
A. alternate
B. backup
C. designated
D. disabled
E. root
Answer: C E
Explanation
IEEE 802.1w is the standard of Rapid Spanning Tree Protocol (RSTP). There are 5 port roles in this standard: Root port, Designated port, Alternative port, Backup port and Disabled port. In these 5 port roles, only Root port and Designated port can forward traffic.
Question 7
Select the action that results from executing these commands:
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address sticky
A. A dynamically learned MAC address is saved in the startup-configuration file.
B. A dynamically learned MAC address is saved in the running-configuration file.
C. A dynamically learned MAC address is saved in the VLAN database.
D. Statically configured MAC addresses are saved in the startup-configuration file if frames from that address are received.
E. Statically configured MAC addresses are saved in the running-configuration file if frames from that address are received.
Answer: B
Explanation
The full syntax of the second command is:
switchport port-security mac-address sticky [MAC]
If we don’t specify the MAC address (like in this question) then the switch will dynamically learn the attached MAC Address and place it into your running-configuration -> B is correct.
Question 8
What is valid reason for a switch to deny port access to new devices when port security is enabled?
A. The denied MAC addresses have already been learned or configured on another secure interface in the same VLAN.
B. The denied MAC address are statically configured on the port.
C. The minimum MAC threshold has been reached.
D. The absolute aging times for the denied MAC addresses have expired.
Answer: A
Explanation
A security violation occurs in either of these situations:
* When the maximum number of secure MAC addresses is reached on a secure port and the source MAC address of the ingress traffic is different from any of the identified secure MAC addresses, port security applies the configured violation mode.
* If traffic with a secure MAC address that is configured or learned on one secure port attempts to access another secure port in the same VLAN, applies the configured violation mode.
From the second statement we can figure out A is the correct answer. But for your information we will discuss other answers as well.
Answer B is not correct because we can’t configured which MAC address will be denied. We can only configure which MAC is allowed.
We can only configure the maximum MAC threshold, not the minimum threshold -> C is not correct.
The aging times are only configured for allowed MAC addresses, not for denied MAC -> D is correct.
For your information about aging time:
When the aging type is configured with the absolute keyword, all the dynamically learned secure addresses age out when the aging time expires
This is how to configure the secure MAC address aging type on the port:
Router(config-if)# switchport port-security aging type absolute
and configure the aging time (aging time = 120 minutes)
Router(config-if)# switchport port-security aging time 120
When this command is used, all the dynamically learned secure addresses age out when the aging time expires
(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.html)
Question 9
A network administrator needs to configure port security on a switch. Which two statements are true? (Choose two)
A. The network administrator can apply port security to dynamic access ports
B. The network administrator can configure static secure or sticky secure mac addresses in the voice vlan.
C. The sticky learning feature allows the addition of dynamically learned addresses to the running configuration.
D. The network administrator can apply port security to EtherChannels.
E. When dynamic mac address learning is enabled on an interface, the switch can learn new addresses up to the maximum defined.
Answer: C E
Explanation
Follow these guidelines when configuring port security:
+ Port security can only be configured on static access ports, trunk ports, or 802.1Q tunnel ports.
+ A secure port cannot be a dynamic access port.
+ A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
+ A secure port cannot belong to a Fast EtherChannel or Gigabit EtherChannel port group.
+ You cannot configure static secure or sticky secure MAC addresses on a voice VLAN.
+ When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to at least two.
+ If any type of port security is enabled on the access VLAN, dynamic port security is automatically enabled on the voice VLAN.
+ When a voice VLAN is configured on a secure port that is also configured as a sticky secure port, all addresses seen on the voice VLAN are learned as dynamic secure addresses, and all addresses seen on the access VLAN (to which the port belongs) are learned as sticky secure addresses.
+ The switch does not support port security aging of sticky secure MAC addresses.
+ The protect and restrict options cannot be simultaneously enabled on an interface.
Question 10
Refer to the exhibit. Which statement is true?
A. The Fa0/11 role confirms that SwitchA is the root bridge for VLAN 20.
B. VLAN 20 is running the Per VLAN Spanning Tree Protocol.
C. The MAC address of the root bridge is 0017.596d.1580.
D. SwitchA is not the root bridge, because not all of the interface roles are designated.
Answer: D
Explanation
Only non-root bridge can have root port. Fa0/11 is the root port so we can confirm this switch is not the root bridge -> A is not correct.
From the output we learn this switch is running Rapid STP, not PVST -> B is not correct.
0017.596d.1580 is the MAC address of this switch, not of the root bridge. The MAC address of the root bridge is 0017.596d.2a00 -> C is not correct.
All of the interface roles of the root bridge are designated. SwitchA has one Root port and 1 Alternative port so it is not the root bridge -> D is correct.
Question 11
A technician has installed SwithchB and needs to configure it for remote access from the management workstation connected SwitchA. Which set of commands is required to accomplish this task?
A.
SwitchB(config)#interface FastEthernet 0/1
SwitchB(config)#ip address 192.168.8.252 255.255.255.0
SwitchB(config)#no shutdown
B.
SwitchB(config)#ip default-gateway 192.168.8.254
SwitchB(config)#interface vlan 1
SwitchB(config)#ip address 192.168.8.252 255.255.255.0
SwitchB(config)#no shutdown
C.
SwitchB(config)#interface vlan 1
SwitchB(config)#ip address 192.168.8.252 255.255.255.0
SwitchB(config)#ip default-gateway 192.168.8.254 255.255.255.0
SwitchB(config)#no shutdown
D.
SwitchB(config)#ip default-network 192.168.8.254
SwitchB(config)#interface vlan 1
SwitchB(config)#ip address 192.168.8.252 255.255.255.0
SwitchB(config)#no shutdown
Answer: B
Explanation
To remote access to SwitchB, it must have a management IP address on a VLAN on that switch. Traditionally, we often use VLAN 1 as the management VLAN (but in fact it is not secure).
In the exhibit, we can recognize that the Management Workstation is in a different subnet from the SwitchB. For intersubnetwork communication to occur, you must configure at least one default gateway. This default gateway is used to forward traffic originating from the switch only, not to forward traffic sent by devices connected to the switch.
Question 12
A network administrator wants to ensure that only the server can connect to port Fa0/1 on a Catalyst switch. The server is plugged into the switch Fa0/1 port and the network administrator is about to bring the server online. What can the administrator do to ensure that only the MAC address of the server is allowed by switch port Fa0/1? (Choose two)
A. Configure port Fa0/1 to accept connections only from the static IP address of the server.
B. Employ a proprietary connector type on Fa0/1 that is incompatible with other host connectors.
C. Configure the MAC address of the server as a static entry associated with port Fa0/1.
D. Bind the IP address of the server to its MAC address on the switch to prevent other hosts from spoofing the server IP address.
E. Configure port security on Fa0/1 to reject traffic with a source MAC address other than that of the server.
F. Configure an access list on the switch to deny server traffic from entering any port other than Fa0/1.
Answer: C E
Explanation
We can”configure the MAC address of the server as a static entry associated with port Fa0/1″ with this command:
Switch(config-if)#switchport port-security mac-address sticky 0000.00AA.AAAA.AAAA
and “configure port security on Fa0/1 to reject traffic with a source MAC address other than that of the server” with these commands:
Switch(config-if)#switchport port-security maximum 1 (only allow 1 MAC address and that is the static MAC address)
Also we often define what will the switch do if the security is violated:
Switch(config-if)#switchport port-security violation shutdown
Question 13
The network security policy requires that only one host be permitted to attach dynamically to each switch interface. If that policy is violated, the interface should shut down. Which two commands must the network administrator configure on the 2950 Catalyst switch to meet this policy? (Choose two)
A. Switch1(config-if)#switchport port-security maximum 1
B. Switch1(config)#mac-address-table secure
C. Switch1(config)#access-list 10 permit ip host
D. Switch1(config-if)#switchport port-security violation shutdown
E. Switch1(config-if)#ip access-group 10
Answer: A D
@xallax
thnxxxx
Hii … i m goin to give the exam in this week ….cn anyone tell me …are these simulations still valid???
Question 8. Answer A
B Incorrect:
Switch(config)#mac-address-table static 0009.7c99.cb08 vlan 1 interface f1/1
Switch(config)#int f1/1
Switch(config-if)#switchport port-security
Command rejected: FastEthernet1/1 has static addresses.
Question 7 answer is wrong.
Agree if the switch learns a normal mac dynamically it will only store it in the RAM e.g. running config. However you have made the question refer to sticky. This means your are refering to the address learnt dynamically and storing it sticky.
Cisco quotes Sticky Method
If you enable the sticky method, the device secures MAC addresses in the same manner as dynamic address learning, but the device stores addresses learned by this method in non-volatile RAM (NVRAM). As a result, addresses learned by the sticky method persist through a device restart. Sticky secure MAC addresses do not appear in the running configuration of an interface.
Dynamic and sticky address learning are mutually exclusive. When you enable sticky learning on an interface, the device stops dynamic learning and performs sticky learning instead. If you disable sticky learning, the device resumes dynamic learning.
The device does not age sticky secure MAC addresses.
Therefore a poorly worded question but the answer should be that the address is learned dynamically and stored in the Startup config which is the NVRAM.
Answer should be A.
For Q7, I’m not sure is right answer A-startup-configuration file, or B-running-configuration file?
Because, Cisco says in Nexus guides: ”If you enable the sticky method, the device secures MAC addresses in the same manner as dynamic address learning, but the device stores addresses learned by this method in non-volatile RAM (NVRAM). As a result, addresses learned by the sticky method persist through a device restart.”
And in other Cisco guides, it’s written – in running config…
@9tut.in qtn 11 here to assign default gate way used” ip default gateway” command,but in qtn5 in ip routing part 1 used “ip default network”…..wats the diff.b/w these 2?
can anyone please tell me the difference between a switch and a layer2 ethernet switch?
@uday
they are one and the same thing…
Hi 9tut… Hi Guys! Can you please help me… I will take exam this Feb. Please send me latest dump so that I will have an idea for the exam.. rico.blake@ymail.com
Thanks Guys!
I have one confusion regarding the Explanation you have given for Q. 10. As per your explanation “0017.596d.1580 is the MAC address of this switch, not of the root bridge. The MAC address of the root bridge is 0017.596d.2a00 -> C is not correct.”
MAC ADDRESS:0017.596d.2a00 is the switch which have root port i.e. Switch A, but 0017.596d.1580 is the MAC address of Root Bridge so Answer C is correct as my point of view.
kindly explain if i am wrong..!!
@Arpit
Question: Refer to the exhibit. Which statement is true?
C. The MAC address of the root bridge is 0017.596d.1580 <—- This answer is false.
Why is C the correct answer for the dump below?
http://i1061.photobucket.com/albums/t464/hanselbelen/Switch1.jpg
Confused on this one too why D is the answer..
http://i1061.photobucket.com/albums/t464/hanselbelen/Switch2.jpg
@Arpit
No not this MAC address “0017.596d.2a00″ is for switch which have root port, This is for ROOT ID with lower priority
you can get it from lower priority and know that this switch is the root OR always root switch has two designated ports not one FWD & other Alt (BLK)
hope it is clear for you
hello guys Please send me latest dumps
hossam.saber4@gmail.com
thanks in advance
Q5)
what is the meaning of Microsegmentation, in option a.
@uday: 1 switch port = 1 separate segment/microsegment (L2 segment)
Switches divide LAN to a lot of separate segments.
@DimS
thanks dud……….
Q5
A. Microsegmentation decreases the number of collisions on the network.
Not INCREASE? switch makes more collision domains (per port) –> it seems not to decrease…
I am confused…
and with vlans sw increases the number of broadcast domains…
@levy
no, less collisions, more collision domains
pls send me the latest Dump for CCNA
@xallax
ohhhhh, i lost in the words….thx
sorry
Q8
I don’t understand why is the answer A or D
i think D
what the answer in question 8
Q12
I known that answer C is the second best choice but it’s not completely right
If you configure the MAC address of the server as a static entry associated with port Fa0/1 that doesn’t mean that only server can connect to that port
It only means that you can’t connect server to any other port than fa0/1
Please correct me if I’m wrong
Can anyone tell me Collisio.486q is still valid?
please tell me about exam 20 feb my final exam which dumps are 100% valid i am very thankful to you….
Hi John,
Cisco Acme 640-802 v2012-01-21 by Jericho 576q.vce – This is the valid dump now
Maybe too late I have my exam tomorrow but, configuring a switch on packet tracer, with A I get the MAC address, with B dont. So Why is B the correct answer in all dumps?
Which command will show the MAC address of stations connected to switch ports?
a. show mac-address this command wrong show mac-address table
b. show arp this command wrong show ip arp (Displays arp cache)
c. show tabl
d. show switchport
right ans A or B
@9tut: @Xallax: regarding Q7. what happened, after dynamically MAC address read by the switch and saved in running configuration, if we supply ” copy run start”.. ??? I think that mac-address will become permenantly stored in the switch database. and switch will not allow any othe MAC.
what is your opinion??
@arpit
semantics. “is save” and “could be saved”. it isnt saved by default in the startup-config
Q4 was there in today’s exam.
how come option B incorrect in Question 5 . pLease explain..
@Dimon Vettichira if show arp shows cached MAC and some times it doesn’t show anything, i consider it wrong,
show mac-address is a short form and work as intended, cisco recognizes short commands thats why even their trusted instructors teach as it.. so for me answer A.
Q 5
How is b and f wrong?
@him
wrt Q 5 -option f is incorrect bcoz layer 2 switches operate in the datalink layer of osi model. They use layer 2 address(ie MAC Address) to make forwarding decisions( NOT layer 3 address, ie IP Address)
not sure about option B though; somebody plz explain..
@xallax – plz help buddy
@him @bav
let’s go line by line :)
Which three statements accurately describe layer 2 Ethernet switches? (choose three)
A. Microsegmentation decreases the number of collisions on the network.
false, it INCREASES the number of collision domains (more collision domains, less chances to get collisions, this is a good thing)
B. If a switch receives a frame for an unknown destination.it uses ARP to resolve the address.
nope, the switch will just forward the frame out all interfaces within that same VLAN (except the one it came on of course)
C. Spanning Tree Protocol allows switches to automatically share vlan information.
no, STP helps the traffic by choosing the shortest path and closing down redundant ones (less chances for abnormal traffic, good thing). should read 9tut’s tutorial on STP :)
D. In a property functioning network with redundant switched paths, each switched segment will contain one root bridge with all its ports in the forwarding state. All other switches in that broadcast domain will have only one root port.
yeap, everything is sent towards that root bridge, everything comes from it too.
E. Establishing vlans increases the number of broadcast domains.
yeap, each VLAN acts as a logical network on which devices are grouped by their function. brilliant thing
F. Switches that are configured with vlans make forwarding decisions based on both layer 2 and layer 3 address information.
possible yes, but no. if it were asking about a Layer 3 switch (which is expensive) then this were correct. but the question is about a normal Layer 2 switch (that deals only with frames). this option is FALSE (on this scenario)
thank you for asking :)
@ xallax
Thank you dude!
A. Microsegmentation decreases the number of collisions on the network.
you mentioned this option false, must be a typo; plz correct it..
@bav
i read it wrong, was thinking of “collision domains”… im only human
yes, you are right, my bad :)
ADE are correct
Hi guys. I desperately need your help. I have to do the following and I have absolutely no idea how to do it.. Please help me out. my e-mail is antonisbigman@yahoo.gr
Outline:
ABC is currently re-locating to a new office in the city centre of London. The IT Manager has convinced the management of the company for enough budget for a new state-of-the-art IT implementation/solution.
The new premises consist of a building with 4 floors that all 80 employees of the company will be based there. Each floor has its own ITF room and the main computer room is located in the first floor. All servers and core devices will be placed there.
Your first task is to propose the design of the network infrastructure, take into consideration that the company is willing advanced technologies to be implemented. Your proposal should cover all the necessary architectures that should be followed for a modern, expandable, easy to manage network infrastructure, including cutting-edge technologies, helpful for any organization in our days. Then your design should include the addressing scheme of the company, taking into consideration the different types of traffic that you have proposed. Finally all technologies and devices should be implemented on a virtual tool.
Your work will be presented to the senior management of the company.
Tasks:
A. Design the logical diagram of the company’s network infrastructure (visio).
B. Propose all necessary Subnets and Protocols to use (table)
C. Implement the configuration of all the protocols and the technologies that you have identified (VLANs, Interfaces, etc) on a simulator (packet tracer).
D. Analyze the network infrastructure and the benefits of your proposal.
Q11 in exam with different ip address scheme. Great collection 9tut.
xallax
A. Microsegmentation decreases the number of collisions on the network.
false, it INCREASES the number of collision domains (more collision domains, less chances to get collisions, this is a good thing) —
if it is false, why you chose A for an answer?
@jay
as i said above, was thinking of “collision domains” when wrote that explanation.
A is true here
my bad :)
@xalax
ohh.. thank you.. :)
Can anyone tell me why question 5 the answers B n C are not correct?
Hi…C is no correct because we use VTP not STP for sharing Vlan information. About B, I think that It is a host(PC) who uses ARP to resolve the address layer 2, MAC, but not the switch, it only forwards the frame. Make sense?. I hope that helps.
I am unable to configure port security on packet tracer . it’a always show port security is not enable.
so how to enable port security plz inform me
gec.bits@gmail.com
@naresh
just type in “switchport port-security” before setting up any other options :)
switchport port-security
switchport port-security mac-address sticky
…
About to take the exam… on 9th of April , please send me latest dumps for ccna exam ,
my e- mail , altorabi_28@hotmail.com
@9tut
What is the difference between B and C? Cannot comprehend.
Thanks