CCNA3 Exploration Chapter 1. Study questions.

Answers

1.1
What are the three layers of the hierarchical network design model?

Access, distribution and core.

What are the advantages of designing LANs using the hierarchical model?

The hierarchical model separates out different functions of a network, giving a modular
design. This should make the network easier to manage and troubleshoot. It should be
easier to expand the network (scalability), and it should be easier to maximise
performance.

What is the purpose of the access layer?

It allows end devices to connect to the network and controls which devices may
connect.

What sort of devices are found at the access layer?

End devices, such as PCs, printers, and IP phones. Network devices such as routers,
switches, bridges, hubs, and wireless access points.

What is the purpose of the distribution layer?

It controls the flow of network traffic. In particular, it controls traffic between different
broadcast domains (subnetworks, VLANs). It aggregates traffic from the access layer
that needs to be passed to the core layer for longer distance transmission.

What sort of devices are found at the distribution layer?

High-performance switches. They should have high availability and redundancy to

ensure reliability

What is the purpose of the core layer?

It is the high speed backbone of the network. Its main task is to forward large amounts
of data quickly.

What is a collapsed core model and where might it be used?

The distribution layer and the core layer are combined. It is used for smaller networks.
What is a wiring closet?

A room designed to hold network devices such as switches and routers. It is a central
point where network cabling comes together.

Why is it not easy to see the logical hierarchical design of a network when looking at the
network layout in a building?

The devices operating at different layers may not be physically separated. For example,
switches operating at different layers may be kept in the same cabinet.

Why is redundancy important in a network?

It gives better availability and reliability. If one switch or link goes down then an
alternative path can be used.

Which layers normally have redundancy built in?

Core and distribution layers.

How can the hierarchical design help to give high performance?

Traffic (and particularly long distance traffic) is forwarded through distribution layer and
core layer switches that are designed to work at high speeds, and not through a series
of lower-speed access layer switches.

How can switches at the different layers contribute to network security?

Access layer switches can restrict the devices that are permitted to connect to their
ports. Distribution layer devices can be configured with access control policies that
restrict traffic according to IP addresses or application layer protocols. (The core layer is
optimised for speed. Security measures are not appropriate at this layer because they
slow things down.)

How does a hierarchical design help to make a network manageable?

Switches at a given layer have similar functions and therefore are likely to have similar
configurations. This makes it easier to check configurations and to configure new
switches.

Should the same type of switch be used at each layer of the hierarchical design?

No. The distribution and core layers need very fast switches. The access layer can use
less expensive switches.
What is “network diameter” in hierarchical network design?

Network diameter is the number of devices that a packet has to cross before it reaches
its destination.

What is network device latency?

Network device latency is the time spent by a device as it processes a packet or frame.

What sort of processing does a switch have to do on each packet?

The switch has to look in the frame header and find the destination MAC address. It
then looks this address up in its MAC address table and finds the matching exit port. It
then forwards the frame out of the port.

How can bandwidth aggregation be implemented?

Switches can be linked by more than one physical link. These physical links can be
combined into one logical link that makes use of the combined bandwidth.

Why is redundancy not normally provided at the access layer?

It would be too expensive. The advantage of improved reliability would not justify the
extra cost.

When designing a new network, at which layer would you start?

At the access layer. Make sure that all end devices will be able to connect to the
network.

What is a converged network?

A network that carries voice, video and data.

What factors have slowed the move towards converged networks?

Converged networks need special switching equipment that was originally affordable
only by big companies.
Converged networks need Quality of Service management to give voice and video
traffic priority over data.
Converged networks need people with expertise to set them up and manage them.
Where firms have existing separate networks that work well, the firms may be reluctant
to make a change.
What are the benefits of a converged network?

In a new build, there is only one set of cabling to install instead of two or three.
There is only one network to manage instead of two or three. This may mean having
one set of people to run the network instead of several sets of people, so the company
may employ fewer staff.
When changes are needed, there is only one network to change.
New communications options are possible. A PC can be used to make phone calls or
for videoconferencing by adding appropriate software and peripherals. There is no need
for a separate IP phone or videoconferencing equipment.

Why was videoconferencing equipment originally kept on a separate network from data
or phones, and what made it possible to combine videoconferencing with other
networks?

Videoconferencing requires large amounts of bandwidth and is sensitive to delays. It

was kept separate to avoid conflict with data traffic. Developments in network design,
using the hierarchical model and quality of service policies, have allowed
videoconferencing to share a network with voice and data without significant reduction
of quality.

1.2
What is traffic flow analysis, and why might you want to do it?

Traffic flow analysis is the measurement of bandwidth usage. It can show what
demands different sources of traffic are making on the network. You might do it to get
the information you need to improve network performance, plan network changes,
decide if you need to upgrade, and decide what type of new equipment is needed.

How can measurements be made in order to carry out a traffic flow analysis?

It can be done manually by monitoring switch ports, but this is time consuming and not
feasible for large networks. There are software analysis tools that take the
measurements and perform the analysis, giving a visual display

How can a User Communities Analysis help with network design?

Users are normally grouped by job function because they have similar requirements for
bandwidth, applications, access to servers etc. The User Communities Analysis shows
what demands the different groups of users make on the network. Some design
implications are:
The number of switch ports needed for each group of users, including possible growth.
The location of servers that the users access.
The bandwidth requirements of the users.
Which two types of traffic need to be considered when planning data storage facilities?

Client-server traffic and server-server traffic.

How can server-server traffic be optimised?

Servers and data stores should be kept physically close to each other and should be
connected by high performance switches. Businesses often keep their servers and data
stores in a secure data centre.

How might you deal with a bottleneck where there is insufficient bandwidth?

Use link aggregation (multiple links between switches) or install higher performance
switches.

Why is it important to produce a topology diagram as part of the network design

process?

It is difficult to produce a topology diagram later by examining the network itself, and the
diagram is necessary for the efficient management of the network. It shows all the
switches and how they are connected, including aggregated links and redundant links,
and the ports used. It shows how servers, storage devices and end user devices such
as workstations are connected.

How is the thickness of a switch (top to bottom) measured?

In rack units (U).

What is the difference between a fixed configuration switch and a modular switch?

A fixed configuration switch has a fixed number of ports and these cannot be changed.
A modular switch has a chassis that can take line cards. The line cards contain the
ports. A modular switch can therefore have different numbers or types of ports,
depending on the choice of line cards.

What are stackable switches?

Stackable switches are designed to be connected together and act as a single switch.
The connection between the switches is through a special high speed port and not
through the normal switch ports.

What is the port density of a switch?

The number of available access ports.

If 80 outlets need to be connected to a switch, why is a single large modular switch

likely to be a better choice than four fixed configuration switches with 24 ports each?
The four switches each need their own power supply, and they use ports to connect to
each other. They may need several ports for each link if aggregation is needed. The
single large switch needs a single power supply. No ports are needed for internal links,
and the switch’s internal backplane provides a higher speed connection than links
between switches.

What is wire speed, and what is forwarding rate?

Wire speed is the data rate that a switch port can attain. A port may be designed to
operate at 100 Mb/s Fast Ethernet or 1000 Mb/s Gigabit Ethernet. The forwarding rate
is the amount of data that the switch can process per second. If the forwarding rate is
less than the total wire speed of all the ports then it is not possible for all the ports to
operate simultaneously at their wire speed.

What is Etherchannel?

A system that uses link aggregation to provide high bandwidth between switches. Up to
8 ports can be bound together so that they act as a single link.

What is PoE and what are its advantage and disadvantage?

Power over Ethernet is a feature that lets a switch provide a power supply to a device
such as an IP phone or a wireless access point. The power is supplied over the
Ethernet cable. The advantage is that the devices do not need a separate power
supply, so it may be possible to position them more flexibly. The disadvantage is that
the feature makes the switch much more expensive.

At which OSI layer to typical traditional switches operate?

Layer 2.

What is a multilayer switch?

A switch that operates at layer 3 as well as at layer 2. For example, it can forward
packets based on IP addressing, not just on MAC addressing.

What features are required for access layer switches?

Port security, VLANs, Fast Ethernet/Gigabit Ethernet, PoE, and link aggregation.
Quality of Service is needed for converged networks.

What features are required for distribution layer switches?

High forwarding rate to allow all ports to operate to their full bandwidth
High bandwidth links (possibly 10Gbps) and link aggregation
Redundancy to ensure reliability and availability
Multiple, hot-swappable power supplies
Quality of service to maintain priority for video and voice traffic
Inter-VLAN routing (layer 3 function)
Access control lists for security (layer 3 function)

What features are required for core layer switches?

Very high forwarding rates as this is the high speed backbone of the network.
High bandwidth ports, preferably 10Gbps. Support for link aggregation.
Redundancy to give reliability and availability.
Redundant power supplies.
Efficient cooling.
Hot-swappable hardware components to avoid downtime for maintenance.
Support for quality of service. (Particularly important where there are links to lower
bandwidth WANs.)
Layer 3 features.

Which Cisco Catalyst switch does not provide a command line interface?

Catalyst Express 500

Which Catalyst switch is suitable for access level use in small organisations, provides
up to 48 ports, but does not provide PoE?

Catalyst 2960

What does the Catalyst 3560E switch provide that the 3560 switch does not?

10 Gbps connectivity.

Which catalyst switch has forwarding rates up to 720 Gbps?

Catalyst 6500

Which type of catalyst switch can be stacked so that up to 9 switches can operate as a
single logical switch?

Catalyst 3750

What is special about the Catalyst 4900 series switches?

They are designed for use in data centres for linking servers and data stores.

CCNA3 Exploration Chapter 2. Study questions. Answers

2.1
How does CSMA/CD work?

A device that needs to transmit must listen for traffic on the shared medium. If there is
traffic then it waits. If there is no traffic then it sends.
The device continues to listen while sending.
If another device also sends then the signals will meet and there is a collision. The
device detects a collision if it receives signals while it is transmitting.
On detecting a collision, the transmitting devices send out a jamming signal to warn all
devices on the network that there is a collision.
All devices stop transmissions and run the backoff algorithm that gives them a random
time to wait before attempting to transmit again.
Any device may be the first to transmit after the backoff period. The devices that were
transmitting at the time of the collision do not have any priority.

What are unicast, broadcast and multicast transmissions?

A unicast transmission is addressed to one host. The majority of transmissions are

unicast. A broadcast transmission is addressed to all hosts on the network, e.g. ARP
request, RIPv1 updates. A multicast transmission is addressed to a specific group of
devices. RIPv2 updates are multicast and processed only by routers running RIPv2.
Videoconferencing between a group of hosts would use multicast messages.

In an Ethernet frame, which field comes immediately after the start frame delimiter, and
how long is this field?

The Destination MAC Address field, which is 6 bytes long.

What is the purpose of the Length/Type field?

If the value in the Length/Type field is less than 0x0600 then it gives the length of the
frame’s data field. If the value is 0x0600 or more then it is a code to identify the type of
protocol running at OSI layer 3.

How long is the data field, and why is a pad sometimes needed?

The data field can be anything from 46 to 1500 bytes. A data field of 46 bytes would
give a total frame length of 64 bytes, and this is the smallest frame allowed in order for
collisions to be detected in time for the CSMA/CD process to work properly. If the
amount of data is less than 46 bytes then a pad is added to make the length up to 46
bytes.
What is the purpose of the field in the frame trailer?

The trailer contains the Frame Check Sequence Field. The sending device carries out a
cyclic redundancy check calculation based on the contents of the frame, and stores the
result in this field. The receiving device carried out the same calculation and compares
the result with the contents of the field. If they are different then the frame has been
corrupted in transmission and should be discarded.

How long is a MAC address and how is it written?

48 bits. It is written as 12 hexadecimal digits in one of three formats:

00-05-9A-3C-78-00, 00:05:9A:3C:78:00, or 0005.9A3C.7800.

How does the NIC of a receiving PC use the destination MAC address?

If the destination MAC address is the address of the Ethernet port of the NIC, or is a
broadcast address or a multicast address being used by the device, then the frame is
passed up to the network layer for further processing. If not, then the frame is
discarded.

What is the Organizational Unique Identifier?

The first 24 bits of a MAC address. It identifies the manufacturer of the NIC or device.

Where must half duplex transmission be used on an Ethernet network?

Where there is a shared medium, for example where devices are connected by a hub.
Ports set to use full duplex have their collision detection capabilities disabled, so full
duplex must not be used on a shared medium.

What are the conditions for collision-free operation on an Ethernet network?

Fully switched and full duplex so that each end device has a dedicated link in each
direction to the switch.

What is the advantage of having a switch port set to auto, rather than full or half, and
what is a potential problem?

A switch port set to auto will attempt to negotiate with the device at the other end of the
link on whether the link should operate using full or half duplex. If the other device is
also able to autonegotiate then they will choose the best option that they can both
manage, which should be full duplex. There is no need for manual configuration. There
could be a problem if the other device is not able to autonegotiate, but is set to use full
duplex. When autonegotiation fails, the switch will default to half duplex and there will
be a mismatch leading to errors.
What is the advantage of having the auto-MDIX feature enabled on a switch port?

You can use either a straight-through or a crossover cable. The switch will detect which
is in use and compensate accordingly.

What is the purpose of a switch MAC address table?

It contains a list of switch ports with the MAC address of the device connected to each
port. When a frame arrives, the switch reads the destination MAC address and forwards
the frame out of the correct port.

How does a switch build its MAC address table?

It reads the source MAC address in each incoming frame and matches it to the entry
port. It adds the information to its table. (Or refreshes the information if it is already
there.)

What does a switch do if a frame arrives and the destination MAC address is not in its
MAC address table?

It floods the frame out of all ports except the incoming port.

What does a switch do with a broadcast frame?

It floods the frame out of all ports except the incoming port.

You replace a hub with a layer 2 switch. How does this affect collision domains?

It replaces a large collision domain with many small collision domains. (This should
reduce the number of collisions and improve performance.)

You replace a hub with a layer 2 switch. How does this affect broadcast domains?

It has no effect on broadcast domains.

Why can switch based latency be a problem if cheap switches are used on a busy
network?

Entry level switches (the cheaper models) may not have enough internal processing
power to cope with all their ports operating simultaneously at their maximum bandwidth.
This can cause delays. More expensive models of switch should have enough internal
throughput to work at “wire speed” so that switch based latency is not an issue.

Why do routers typically add more latency than switches?

Routers work with layer 3 data, which is more deeply encapsulated and takes longer to
extract from a frame, and they carry out more complicated processing on the data.
Why does a router split a network into separate broadcast domains?

Because a router does not forward broadcasts by default.

Which forwarding method is used on current models of Cisco switch?

Store and forward is used on current switch models.

What are the two varieties of cut-through switching, and how do they work?

Fast forward reads an incoming frame only as far as the end of the destination MAC
address and then immediately starts to transmit on the outgoing port while the
remainder of the frame is still being received. It does not carry out any kind of checking
of the frame.
Fragment free reads the first 64 bytes of the frame before starting to forward it. This
ensures that the frame is at least 64 bytes long and therefore not a collision fragment.
There is no other checking.

How does store and forward switching work?

The switch stores the whole of an incoming frame into a buffer, reads the whole frame
and carries out a cyclic redundancy check. Damaged frames are discarded. The frame
is then forwarded through the appropriate port.

What is the main advantage of cut-through switching?

Low and predictable latency.

What are the advantages of store and forward switching?

All frames are checked so that corrupted frames are not forwarded to take up
bandwidth and processing time on other devices.
It is possible to carry out quality of service (QoS) processing to give priority to voice and
video traffic, so this form of switching is necessary on converged networks.
It is possible to read a frame entering at one bandwidth and transmit it at a different
bandwidth.

What is the difference between a symmetric switch and an asymmetric switch?

A symmetric switch has all ports working at the same bandwidth. An asymmetric switch
is capable of operating with ports working at different bandwidths. Most modern
switches are asymmetric.

How is shared memory buffering better than port-based memory buffering?

Port-based memory buffering has a separate buffer of fixed capacity for each incoming
port. Shared memory buffering puts all incoming frames into the same buffer so that the
memory can be allocated dynamically as required. This can allow larger frames to be
processed.
Port-based memory buffering keeps frames entering by each port in a separate queue.
If the frame at the front of the queue needs an exit port that is busy, then the frames
behind it have to wait even if their exit ports are available. In shared memory buffering,
each frame can leave as soon as its exit port is available.
Where ports are operating at different bandwidths, shared memory buffering is
particularly important.

How does a layer 3 switch differ from a layer 2 switch?

The traditional Ethernet switch is a layer 2 switch, which processes layer 2 MAC
addresses in order to determine how to forward frames. A layer 3 switch can do this,
but it can also process layer 3 IP addresses and use them to make switching decisions.
This enables layer 3 switches to carry out some routing operations that would
traditionally be carried out by a router.

What factors would you take into account when choosing between a layer 3 switch and
a router?

The need for speed – the switch is faster.

The need for WAN connections – router is normally better.
The need for advanced layer 3 services – need a router.

Switch>enable
What are you doing if you give this command? What prompt will you see next?

Changing from user exec mode to privileged exec mode.

Switch#

Which commands would you give in order to enter interface configuration mode for
interface Fa0/1, starting with the following prompt?
Switch>

Switch>enable
Switch#configure terminal
Switch(config)#interface fa0/1
Switch(config-if)#

What is Cisco Network Assistant?

Cisco Network Assistant is an application that can be downloaded from Cisco if you
have a valid CCO account. It lets you manage single switches or groups of switches by
using a graphical user interface rather than the command line interface.

What is Cisco Device Manager?

Cisco Device Manager is software that lets you configure and manage a switch using a
web browser from anywhere in the network. This software is provided with the switch.

What are the two ways of using ? to obtain help when using the command line
interface?

Start entering a command word and type ? without a space in front of it. You should see
a list of possible ways of completing the word.
Type ? with a space in front of it. You should be given a list of words that can be
entered next.

What is the command history buffer, and how can you show its contents?

It stores the last 10 commands that were entered. (By default. You can change the
number.) Each mode has its own buffer.
show history is the command to list the contents. You need to give it at the right
prompt, depending on which mode’s commands you want to list.

What happens when you power up a switch?

Boot loader software loaded from NVRAM.

CPU initialisation and POST.
Flash initialised.
Operating system found and loaded.
Configuration file loaded.
Prompt displayed.

How do you know whether a switch has passed or failed the POST?

The SYST LED will blink green if the POST was successfully completed, but turn amber
if it was not.
POST messages are also displayed if you have a console connection active as you
start the switch.

Does a switch need an IP address?

A switch will operate without an IP address. If you want to access the switch remotely
by Telnet or using the web based interface or if you want to be able to ping it for test
purposes then you need to give it an IP address.

Which switch interface(s) should be configured with an IP address, and do you need a
different IP address for each interface?

Unlike a router, a switch is configured with just one IP address. This address is not
configured on any of the physical interfaces. Instead it is configured on a virtual
interface: a VLAN interface. At least one of the physical interfaces needs to be assigned
to the VLAN that has the IP address.
By default, which VLAN is used for switch management, and is it considered good
practice to keep to this default?

By default, VLAN 1 is used. This can lead to security problems so it is advisable to use
a different VLAN for management purposes. (In the example, VLAN 99 is used, but this
does not have to be the case.)

Starting from privileged exec mode on switch SW1, how would you configure the ip
address 192.168.1.2/24 on VLAN 99 and associate the physical FastEthernet 0/24
interface with this VLAN? Go on to configure the default gateway 192.168.1.1 and save
the configuration.

SW1#configure terminal
SW1(config)#interface vlan 99
SW1(config-if)#ip address 192.168.1.2 255.255.255.0
SW1(config-if)#no shutdown
SW1(config-if)#exit
SW1(config)#interface fa 0/24
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 99
SW1(config-if)#exit
SW1(config)#ip default-gateway 192.168.1.1
SW1(config)#exit
SW1#copy run start

What is the effect of the commands duplex auto and speed auto given in interface
configuration mode on a switch?

That switch port will attempt to autonegotiate the duplex setting and the bandwidth with
the attached device. (This is the default condition on most switches, so you should not
need to give these commands if you want autonegotiation.)

What is the advantage of including the command ip http server in the switch
configuration?

It allows you to use the web based GUI interface for configuring the switch if you access
the switch remotely.

How does a dynamic address get into the switch MAC address table?

The switch learns it by inspecting the source MAC address of an incoming frame.

What is the advantage of using static addresses?

It provides security. Only the device with the specified MAC address can connect to the
switch port. Also, static addresses are not aged out and removed from the table.
What command would you give to map the MAC address 000c.7671.7d90 to interface
fa 0/6 on VLAN 3?

mac-address-table static 000c.7671.7d90 vlan 3 interface fa 0/6

Which command would display the saved configuration?

Show startup-config

Which command would display the configuration currently in RAM?

Show running-config

Which command would give information about the hardware and the operating system?

Show version

Which command would display the table of MAC addresses and associated ports?

Show mac-address-table

Which command would tell you if ports are operational, and give their duplex and speed
settings?

Show interfaces

You can save a switch configuration by entering copy run start

but what is the full formal version of this command? What assumptions are made when
you use the short version?

Copy system:running-config flash:startup-config

The short version assumes that the running configuration is in RAM (system) and that
you want to save the configuration to flash NVRAM memory.

How would you make a copy of your saved configuration to a file called backupJan08 in
flash memory?

Copy startup-config flash:backupJan08

(Or shorten to Copy start flash:backupJan08 )

You want to go back to the saved configuration. Why is it better to reload the switch
rather than using the command copy start run?

Copy start run will read the saved configuration into RAM, but it will not remove the
commands already in RAM, it will just add to the existing running configuration. This
may not be what you want.
Which command would you use to make a copy of the running configuration to a file
called SW1config on a PC with IP address 192.168.13.6 that is running TFTP server
software?

copy system:running-config tftp://192.168.13.6/SW1config

(copy run tftp://192.168.13.6/SW1config)
If you just enter copy run tftp then the system will prompt you for the IP address and
the file name.

You have used the command erase start to remove a saved startup configuration.
Which command has the same effect?

erase nvram:

How would you remove a file called backupJan08 from flash memory?

delete flash:backupJan08
(Be very careful when deleting files from flash. The IOS is held there with other vital
files.)

How would you configure switch SW1 so that console access and telnet access are
protected by a password? Start in privileged exec mode and return there. Assume that
the switch has 16 vty lines. Use cisco as the password in every case as you would in
the lab (though of course you would not use this password on a “real” network).

SW1#configure terminal
SW1(config)#line con 0
SW1(config-line)#password cisco
SW1(config-line)#login
SW1(config-line)#line vty 0 15
SW1(config-line)# password cisco
SW1(config-line)# login
SW1(config-line)#end

Which password is encrypted by default?

Enable secret, which protects access to privileged exec mode.

How can the login passwords, which are not normally encrypted, be given weak
encryption?

service password-encryption

You want to establish a console connection with a 2960 switch, but you have forgotten
the login password. You want to keep the existing saved switch configuration. What do
you do?

• Set up a Hyperterminal connection in the usual way.

 • Power the switch off.
• Power the switch on, and press the Mode button within 15 seconds while the
SYS LED is still flashing green. Hold the mode button down until the LED goes
amber then solid green.
• Give the following commands:
flash_init
load_helper
dir flash (to show the files in flash memory)
• Check that the configuration file is there. It should be called config.text.
• Rename the configuration file so that the switch cannot find and load it. The
suggestion is to call it config.text.old, though you could call it anything you like.
rename flash:config.text flash:config.text.old
• Give the command to boot the switch so that it loads its operating system. It will
also try and fail to find a saved configuration to load.
boot
• There is no configuration in force and therefore no passwords. You have access
to the switch. Do not enter the setup dialogue.
• You see the user exec prompt. Go to privileged exec mode. You are now safely
in past any passwords, so you can restore the configuration.
• Give the configuration file its original name back.
rename flash:config.text.old flash:config.text
• Copy the configuration into RAM
flash:config.text system:running-config
and confirm this when prompted.
• Set new passwords as required and save the new configuration.

If you configure both a login banner and a motd banner, which will display first?

The motd banner.

Why should SSH be preferred to Telnet for remote access whenever possible?

SSH messages are encrypted but Telnet messages are not.

What is happening here?

SW1(config)#ip domain-name ourdomain.com
SW1(config)#crypto key generate rsa
SW1(config)#ip ssh version 2
SW1(config)#line vty 0 15
SW1(config-line)#transport input SSH

The switch is being configured to use SSH instead of Telnet on the vty lines.

Which command would allow either SSH or Telnet to be used?

SW1(config-line)#transport input all

What is a MAC flooding attack?

This attack depends on the facts that a switch MAC address table is limited in size, and
that a switch will flood frames whose destination MAC address is unknown. The
attacker makes a connection to the switch and sends the switch a large number of
frames with fake source MAC addresses by using a network attack tool. This fills the
table up. The switch then floods all incoming frames (fail-open mode). The attacker
therefore receives all frames addressed to any host on the network.

What is a DHCP spoofing attack?

The attacker introduces a rogue DHCP server that is on the network segment under
attack and therefore likely to be closer than the genuine DHCP server. When a host
requests an IP address, the rogue DHCP server replies first and gives the host an IP
address and a default gateway which directs traffic to the attacker’s device. Traffic from
the host that should go to a remote network will go to the attacker instead.

What is DHCP snooping?

It is a security feature on a Cisco catalyst switch. It allows certain ports to be configured

as trusted. Only devices connected to these ports are allowed to provide DHCP
information to clients. All devices can still request IP addresses. It can also limit the rate
at which DHCP requests can be sent.

Why is CDP a security risk?

An attacker using Wireshark (or similar) could inspect the contents of CDP packets and
find out about devices. The attacker could also fake CDP packets to give false
information to neighbour devices. CDP should therefore be disabled unless it is
required.

What are the three types of secure MAC address that can be configured on a switch
port?

Static, dynamic and sticky.

By default, what is the security violation mode of a switch port?

Shutdown.

Which type of port security is being configured here?

SW1(config)#int fa 0/12
SW1(config-if)#switchport mode access
SW1(config-if)#switchport port-security

Dynamic
How would you configure switch port 0/13 to learn and accept the first four MAC
addresses that connect to it, as secure sticky addresses, but then reject any other MAC
addresses?
Start at the prompt SW1(config)#

SW1(config)#int fa 0/13
SW1(config-if)#switchport mode access
SW1(config-if)#switchport port-security
SW1(config-if)# switchport port-security maximum 4
SW1(config-if)# switchport port-security mac-address sticky
SW1(config-if)#end

Your switch has 24 ports but you are only using 14 ports at present. What should you
do to enhance security?

Disable all the unused ports using the shutdown command.

CCNA3 Exploration Chapter 3. Study questions. Answers

3.1
Why is it generally a good idea to split up a large network into smaller networks?

Splits up broadcast domains, which cuts down traffic and should improve performance.
Allows different groups of users to have different facilities and security regimes.

What is the advantage of implementing subnets as VLANs rather than using routers to
separate subnets?

VLANs can be implemented using switches, which are cheaper and operate more
quickly that routers. (Though a layer 3 device such as a router is still needed to route
traffic between VLANs.) A VLAN can be implemented across several switches in
different locations, so that a group of users with the same requirements does not have
to be all together in the same place.

How many VLANs can there be on a Catalyst 2600 series switch?

255

Which VLANs exist by default on a Catalyst 2600 switch, and which of these are
intended for Ethernet networks?

VLAN 1 is for Ethernet. VLANs 1002 to 1005 also exist, but are for use on Token Ring
or FDDI networks.

If you create a normal range VLAN, where will the information about it be stored?
In a file called vlan.dat which is in flash memory. (Not in the running or startup
configuration.)

A new Catalyst switch has not yet been configured. Are the Ethernet ports associated
with any VLAN? If so, which one?

By default, all Ethernet ports are in VLAN 1.

Should you configure the switch IP address on VLAN 1?

You could, but it is better for security reasons to create another VLAN to be the
management VLAN and assign the IP address to it. This management VLAN will be
used only for managing the switch via Telnet, SSH or the web based interface.

What name is given to the type of VLAN that carries normal user traffic such as files,
downloads and e-mails?

Data VLAN or User VLAN.

Which type of VLAN needs special configuration so that its traffic has priority over other
traffic?

Voice VLAN.

What are the two methods of assigning an end device to a VLAN, and which method is
more common? (Assume that voice traffic is not required.)

Port based or static VLANs are configured on switch ports and a device connecting to a
port belongs to the VLAN configured on that port. Dynamic VLANs assign devices to
VLANs using the MAC addresses of the devices, and these VLAN to MAC address
matches need to be stored on a server. Static VLANs are more common.

A PC attached to a switch sends out a broadcast ARP request. Which devices will
receive the ARP request?

Devices on the same VLAN as the PC.

Which devices allow inter-VLAN communication?

Routers or layer 3 switches.

What is a VLAN trunk?

A link that carries traffic for more than one VLAN. It is a point to point link between two
switches or between a switch and a router.

What is frame tagging?

It is a method of adding information to a frame to show which VLAN the frame belongs
to. It is used only on VLAN trunk links.

Which protocol is now most commonly used for frame tagging, and which other protocol
may still be in use?

IEEE 802.1Q is now the common protocol. Inter Switch Link (ISL) is a Cisco proprietary
protocol that is no longer supported by newer Cisco switches, but may still be in use.

What is the purpose of the EtherType field in a frame, which is set to the hexadecimal
value of 0x8100?

It signals to the device receiving the frame that this is a tagged IEEE 802.1Q frame
containing VLAN information. If the frame were untagged then the device would find the
length/type field in this position.

What does a switch port on a trunk link do if it receives a frame without a tag?

Forwards it on to the native VLAN. By default this is VLAN 1, but usually a different
native VLAN is configured on a trunk link.

Why can native VLANs and VLAN trunks give problems when Cisco devices and non-
Cisco devices are mixed on a network?

Cisco devices do not tag frames from the native VLAN when forwarding them on a trunk
link, but some non-Cisco devices do tag them. By default, Cisco switches drop tagged
frames destined for the native VLAN, so frames from non-Cisco devices may be
dropped.

How can you configure the fastethernet interface fa0/1 of switch SW1 to be a trunk
port?

SW1(config)#int fa0/1
SW1(config-if)#switchport mode trunk

How can you configure the fastethernet interface fa0/2 of switch SW1 to be a port that
handles traffic from one VLAN only?

SW1(config)#int fa0/2
SW1(config-if)#switchport mode access

What is the purpose of Dynamic Trunking Protocol?

It allows linked switches to negotiate on whether or not the link between them is a trunk
link.

Two switches are connected. If both ends of the link are ports in dynamic auto mode,
will the link be a trunk or not?
No, it will be an access link.

Two switches are connected. If both ends of the link are ports in dynamic desirable
mode, will the link be a trunk or not?

Yes, it will be a trunk link.

What is the currently approved method of creating a VLAN, number 6, called Finance,
on switch SW1?

SW1(config)#vlan 6
SW1(config-vlan)#name Finance
SW1(config-vlan)#end

Which other mode could be used for creating a VLAN?

Database configuration mode. (You don’t go into global configuration mode. Starting
from privileged exec, you go straight into VLAN database mode. No longer
recommended.)

Which command will let you see a list of all existing VLANs and the ports that are
associated with each one?

Show vlan brief (or show vlan)

What information does the command “show vlan summary” give you?

It tells you how many VLANs there are on the switch. No VLAN numbers, names or
detail.

Which command would show you whether or not VLAN 4 is up?

Show int vlan 4

What is the effect of the commands:

SW1(config)#int fa0/12
SW1(config-if)#no switchport access vlan
SW1(config-if)#end

Interface fa 0/12 will be removed from its existing VLAN and returned to the default
VLAN. (VLAN 1 unless this has been changed.)

What is the effect of the commands:

SW1(config)#no vlan 7
SW1(config)#exit
VLAN 7 is deleted. If any ports are assigned to VLAN 7 then they will become inactive.
They need to be assigned to another VLAN before they can be used again.

What is the effect of the command:

SW1(config)#delete flash:vlan.dat

The VLAN database in flash memory is deleted. When the switch is reloaded, all
configured VLAN information will have disappeared (you hope!).

You configure interface Fa0/1 as follows:

SW1(config-if)#switchport mode trunk

Which is the native VLAN, and which VLANs can this interface handle?

VLAN 1 is the native VLAN. The trunk can handle traffic belonging to all VLANs.

Which additional commands would you give to make VLAN 90 the native VLAN and to
permit traffic belonging to VLANs 3, 4 and 5 only?

SW1(config-if)#switchport trunk native vlan 90

SW1(config-if)#switchport trunk allowed vlan add 3,4,5

Which command would show you how interface Fa0/1 has been configured for
trunking?

SW1# show interfaces fa0/1 switchport

You give the commands:

SW1(config)#int fa0/1
SW1(config-if)#no switchport trunk allowed vlan
SW1(config-if)#end

Which VLAN traffic can now pass over the trunk link?

Traffic for all VLANs. (Default condition is restored.)

How can you stop interface Fa0/1 from being a trunk link?

SW1(config)#int fa0/1
SW1(config-if)#switchport mode access
SW1(config-if)#end

A trunk link is not working correctly. What should you check?

Have the ports at both ends of the link been configured with the same native VLAN?
Are the ports at both ends of the link working as trunk links or is there a problem with
their modes? (E.g. one of them configured as an access port or both of them in dynamic
auto mode.)
Are all the required VLANs allowed on the trunk at both ends?
Do all the devices on a VLAN have addresses on the same subnet? (Easy to get this
wrong.)

CCNA3 Exploration Chapter 4. Study questions. Answers

4.1
What is the purpose of VTP?

To make the management of VLANs easier by allowing switches to learn about VLANs
from each other.

What sort of link between switches is needed to transmit VTP advertisements?

A trunk link.

What are the three VTP modes that a switch could take?

Server, client and transparent.

What name is given to a group of switches that share VLAN information using VTP?

A VTP domain.

Which VTP modes allow switches to save VLAN information in the vlan database?

Server mode switches store VLAN information for their domain. Transparent mode
switches store information about their own VLANs.

Which VTP versions can be used on a Catalyst 2960 switch, and which is the default
version?

Versions 1 and 2 can be used. Version 1 is the default. There is a version 3 that can be
used on some switches, but no on the Catalyst 2960.

How is a VTP domain identified?

By its domain name.

Which command is commonly used to display information about VTP?

Show vtp status

How is a VTP message encapsulated?

It is encapsulated inside an Ethernet frame that is tagged using 802.1Q or ISL.

What destination MAC address is used for VTP messages?

The multicast address 01-00-0C-CC-CC-CC

What does a server switch do to the configuration revision number when a new VLAN is
added?

Increases it by 1.

What is the purpose of including the configuration revision number in a VTP

advertisement?

It shows the receiving switch whether the advertisement contains more up to date
information than the information that it already has.

Which type of VTP advertisement contains information about VLANs?

The subset advertisement.

How often does a switch send out summary advertisements?

Every 5 minutes, or when the VLAN configuration is changed.

A client switch is reset. How does it obtain VLAN information?

It does not have any vlan database of its own, so it needs to obtain VLAN information
from a server switch in its domain. It sends out a VTP request advertisement and
receives information in a subset advertisement from the server.

A client switch receives a summary advertisement with a lower configuration revision

number than its own. What does it do?

It will forward the summary advertisement to any other switches, but do nothing else
about it. There is no newer VLAN information available.

A client switch receives a summary advertisement with a higher configuration revision

number than its own. What does it do?

It sends out a VTP request advertisement and receives information in a subset

advertisement from the server.

A transparent switch receives a summary advertisement. What does it do?

It will forward the summary advertisement to other switches but ignore its contents.
Which modes of switch will allow you to create new VLANs?

Server switches (for the domain) and Transparent switches (for local use only).

Is it possible to have more than one server switch on a domain?

Yes. It is a good idea to have more than one server. If there was only one server and it
failed, then the VLAN information would be lost.

Is a transparent switch able to obtain VLAN information when it reboots?

If the switch has any VLANs configured then they will be saved in the switch’s own
VLAN database, and they will be retrieved. The switch stays in transparent mode
(assuming that the configuration has been saved.)

Does any VLAN configuration have to be carried out on a client switch?

Switchports need to be assigned to VLANs. This is not done centrally, but is done on
each switch.

What is the effect of giving the vtp pruning command on a server switch?

VTP pruning is enabled for the whole domain. VLAN flood traffic will be sent only where
it is needed – in the direction of devices on that VLAN.

What happens to the vtp configuration revision number of a switch if you change its vtp
domain name?

It is reset to the default value of 0.

Why might you want to change the domain name of a switch temporarily before adding
it to an existing VTP domain?

If the new switch has a configuration revision number of 0 then there is no danger of the
new switch altering the VLAN information in the VTP domain and updating it with the
wrong information.

Which should you do first on a server, configure the VTP domain name or create the
VLANs?

Configure the domain name first because this will remove existing VLANs.

Which command will make a switch into a VTP client?

vtp mode client

If VTP is not working correctly, what should you check?

VTP Version. It needs to be the same on all switches in the domain.
Domain name. Is it exactly the same on all switches?
VTP Password if any. Is it exactly the same on all switches?
Check that there is at least one server. Better to have at least two.
If you recently added a new switch, had its revision number been set to 0?

Is it possible to have a VTP domain where all the switches are in server mode?

Yes.

CCNA3 Exploration Chapter 5. Study questions. Answers

5.1
Why is it an advantage to have redundancy in a switched Ethernet network?

The additional devices and links provide alternative paths for data if some paths
become unavailable because of equipment failure. This increases the reliability and
availability of the network.

What is the purpose of Spanning Tree Protocol?

To prevent loops in a level 2 switched network where there is redundancy.

What mechanism is available in the packet header to prevent endless routing loops, but
is not available in the frame header to do the same for switching loops.

Time to live field.

If frames are caught in a loop, how can you break the loop?

You need to break the loop physically by removing a connection or powering off a
switch.

What is a broadcast storm?

A large number of broadcasts looping endlessly in a network, taking all the bandwidth
so that normal traffic cannot be sent.

What are the consequences of having a switching loop?

Broadcast storms, duplicate unicast frames arriving, discrepancies in switch MAC

address tables.

How can a physical loop occur?

It may be created on purpose to give redundancy, or it may be created by accident if
there is a confusion with cables.

How does Spanning Tree Protocol manage physical loops to allow redundancy without
allowing frames to travel in loops?

It shuts down certain ports so that no loops are active. If a link fails and the blocked port
is needed, then Spanning Tree Protocol will recalculate and unblock ports as required.

What is the name of the type of frame that STP sends in order to carry out its function?

Bridge Protocol Data Unit (BPDU)

What is the Root Bridge in a switched network?

The switch that is used as a starting point for the STP calculations. It is chosen by an
election.

What is a BID and what does it consist of?

A bridge identifier. It identifies a switch for STP purposes. It consists of a priority

number, the switch’s base MAC address, and it may also include an extended system
ID.

How is the BID used in the choice of a root bridge?

The switch with the lowest BID becomes the root bridge. The switches exchange BID
information in their BPDUs.

What is a root port?

Every switch except the root bridge has one root port. It is the port closest to the root
bridge – the one with the lowest cost route to the root bridge. Root ports are allowed to
forward frames.

What is a designated port?

A port that is allowed to forward frames, but is not a root port.

What happens to a non-designated port?

It is closed down by STP. It enters the blocking state.

How often, by default, does a switch send out BPDUs?

Every 2 seconds.

When a switch first starts up, which BID does it put in its BPDU as the root ID?
Its own BID. It is saying that it is the root bridge.

What would make a switch change the root ID that it puts in its BPDUs?

If it receives a BPDU that has a lower value as the root ID then it uses this lower value.
It is saying that it is not the root bridge, another switch is the root bridge.

If there are several switches between a certain port and the root bridge, how is the cost
to the root bridge worked out?

It is the sum of the costs of all the links on the route. The cost for a link depends on the
bandwidth of the link.

What is the revised IEEE value for the cost of a Fast Ethernet link?

19

How can you configure a switch so that it wins the election for root bridge?

Change its priority so that it has the lowest priority value of any switch on the network.

Why was the extended system ID added to the BID?

It allows STP to support VLANs by running a separate process for each VLAN. The
extended system ID contains the VLAN number.

How is the root bridge chosen if all the switches have the default priority?

The switch with the lowest base MAC address is chosen.

If the default priority of a switch is 32768, why may the priority be shown as 32769?

The VLAN number is added on.

What does the command spanning-tree vlan 1 root primary do?

It sets the switch priority to 24576, or to 4096 less than the lowest priority detected on
the network – whichever of these is lower. The effect is to make this the switch with the
lowest priority so that it becomes root bridge.

Why do priority values go up in increments of 4096?

Originally they went up in increments of 1 from 1 to 65536, using 16 bits. When the
extended system ID was introduced, it took 12 of the original 16 bits. Only 4 bits
remained. In order to keep the same maximum value, the priority needs to go up in
steps of 4096 (212) You could try it out and see.
Why might you use the command spanning-tree vlan 1 root secondary?

It sets the switch priority to 24576. Assuming that you have used spanning-tree vlan 1
root primary on your chosen root bridge, and that all the other switches are left with
the default priority, this switch will win the election if the root bridge fails. It therefore lets
you choose a backup root bridge.

What is a disabled port?

A port that has been administratively shut down. It does not participate in STP.

If a switch has two ports with the same cost route to the root bridge, which of these
ports will become the root port?

Each port has a port priority that can be configured, and the one with the lower priority
becomes root port. If both have the same priority then the one with the lower port ID
becomes root port. (E.g. Fa0/1 would win over Fa0/2.)

If port Fa0/6 has the default port priority, how would its priority be written?

128.6

Why do all active ports on the root bridge become designated ports?

Each segment has a designated port, and this is the port closer to the root bridge. If one
of the ports on a segment is on the root bridge then it has to be the closer port, so it is
designated.

What are the five port states in the original STP?

Blocking, listening, learning, forwarding, disabled.

Which of these states are temporary and are not seen once the network has
converged?

Listening and learning.

What is a port doing while it is in the Learning state?

Learning MAC addresses and building up its switching table.

What are the purposes of the Hello, Forward delay and Maximum age timers?

The Hello timer, default 2 seconds, controls the interval at which BPDUs are sent out.
The Forward delay timer, default 15 seconds, controls the time the switch spends in the
listening and learning states. The Maximum age timer, default 20 seconds, controls the
time BPDU information is kept. After 20 seconds with no BPDU received, the switch will
assume that the link is down and STP calculations will have to be run again.

Can the timers be changed?

They can, but it is not recommended. They are optimized for a network diameter of 7. If
it is really necessary then the network diameter can be changed and the timers will
automatically change with it, Even this is not recommended in normal conditions.

What is PortFast?

It is a Cisco proprietary method of speeding up STP convergence. Access ports that are
connected to end devices, such as workstations, can never be involved in loops. It
makes sense to bring them to the forwarding state immediately without spending time in
listening and learning. A port configured with PortFast will do this. It is important not to
configure a port as PortFast if it is connected to another switch,

What are the three steps in STP convergence?

1. Elect a root bridge

2. Elect root ports
3. Elect designated and non-designated ports

Why does STP use timers to keep switches in the blocking, listening and learning states
for given lengths of time?

It allows the network time to converge before user data frames are forwarded. This is
based on a network diameter of 7 switches.

Once a network has converged, BPDUs are normally sent outwards from the root bridge
but not back towards it. How do switches inform the root bridge if a link goes down?

They send a topology change notification (TCN) frame, which is a special BPDU.

Why did Cisco introduce PVST and PVST+ as variations of STP?

They provide support for VLANs, so that each VLAN can have its own instance of STP.
Ports may be blocking for some VLANs but not for others. PVST used only ISL for
trunking, but PVST+ supports both ISL and IEEE802.1Q.

Why was RSTP introduced?

Rapid STP was introduced to avoid having to wait up to 50 seconds for the network to
converge.

What three port types are defined by RSTP?

Discarding, Learning and Forwarding.

What happens if you have some switches running STP and some running RSTP?

They are compatible and will work correctly together.

How does the BPDU for RSTP compare with the BPDU for STP?

They have the same format – same fields of the same length. RSTP has the version
field set to 2.

A switch running STP waits for 20 seconds (10 missed BPDUs) before assuming that
the link is down. How long does a switch running RSTP wait?

3 missed BPDUs or 6 seconds by default.

What is an edge port in RSTP?

A port that is not intended to be connected to another switching device. It will only be
connected to an end device such as a workstation.

What is the advantage of having a port configured as an edge port?

It will change to the forwarding state at once when it is enabled, and will not spend time
in intermediate states.

Which Cisco proprietary enhancement to STP is similar to the edge port in RSTP?

PortFast

What happens if an RSTP edge port receives a BPDU? Is its behaviour the same as
that of a PortFast port used with STP?

If an RSTP edge port receives a BPDU, this means that it has been connected to a
switch. It immediately stops being an edge port. It reverts to normal and takes part in
spanning tree activities. A PortFast port does not do this by default, though there is a
feature that can allow it to do so.

On a Cisco switch, what is the command that configures a port as an RSTP edge port,
and why was this command chosen?

spanning-tree portfast
This command was chosen to make the transition from STP to RSTP easier because
the command is unchanged from the old PortFast configuring command.

How can non-edge ports be classified?

It depends on the type of link. They can be point-to-point or shared. The type can be
found automatically or it can be configured.
Which type of port makes most use of this classification?

Designated ports.

RSTP has a discarding port state that is not found in STP. Which STP port states
correspond to the discarding port state?

Blocking, listening and disabled.

In STP, root ports and designated ports are able to forward frames. RSTP has these
port roles, but it introduces roles for ports that are not forwarding. What are these roles
and what is their purpose?

Alternate ports are discarding (closed down) but can take over from designated ports
quickly when necessary. Backup ports are discarding, but can take over from root ports
quickly when necessary.

How can RSTP converge more quickly than STP, and without the use of timers?

It works on one link at a time, closing it down briefly and determining the port roles,
using a proposal and agreement process. Then it moves on to the next link.

What is Rapid PVST+ ?

It is Cisco’s implementation of RSTP. It supports the use of VLANs.

Do all the switches in a network have to be running Rapid PVST+ ?

Not necessarily. At least one switch on each loop in a VLAN must be running it,
otherwise there will be a broadcast storm.

If a switch is running PVST+ by default, how can it be configured to run Rapid PVST+ ?

S1(config)#spanning-tree mode rapid-pvst

What is the best choice of a root bridge?

A powerful switch in the middle of the network with a direct connection to the servers
and routers. This keeps the average distance traveled by frames as small as possible.

What is the advantage of using some layer 3 switches in a network?

They break up broadcast domains (as routers do), so there can be redundant links
without forming switching loops that cause broadcast storms. They keep the advantage
of forwarding very quickly (unlike routers).
You have designed a network without switching loops. Should you disable STP?

No. There is too much risk that a loop could be created by accident and cause a
broadcast storm. It is better to leave STP running as it does not make too much
demand on processing or bandwidth.

Why is it essential for the network administrator to know the topology of the network,
including all redundant links, which switch is the root bridge, and which ports are closed
down by STP?

If there is a problem, this information is required for troubleshooting.

CCNA3 Exploration Chapter 6. Study questions. Answers

6.1
How are VLANs and subnets related?

Each VLAN is associated with a different subnet, so each VLAN has its own group of IP
addresses.

How do hosts on one VLAN communicate with hosts on another VLAN?

The packets have to be routed from one VLAN (subnet) to another by using a router (or
a multilayer switch).

In traditional inter-VLAN routing, how is the switch linked to the router?

There is a separate link, switch port and router port for each VLAN. The switch ports
connected to the router are in access mode, not trunk mode.

What is “router on a stick” inter-VLAN routing?

There is one trunked link connecting the router to the switch, so that all the VLANs use
the same physical router port.

Can all routers make a trunked link to a switch?

Not all. It depends on the router IOS.

Each VLAN is a separate subnet, so each VLAN will need a different IP address on the
router. How can all the VLANs share one interface?

Several subinterfaces, one for each VLAN, are configured on one physical interface,
and each subinterface is given a different IP address.
Suppose that a PC is on VLAN 2. What default gateway should be configured on the
PC?

The address of the router interface connected to that VLAN, if traditional inter-VLAN
routing is used, or the address of the router subinterface assigned to that VLAN if router
on a stick is used.

What is the VLAN number if a router subinterface is configured as follows?

R1(config)#int f0/0.2
R1(config-subif)#encapsulation dot1q 20
R1(config-subif)#ip address 172.17.2.1 255.255.255.0
R1(config-subif)#end

The VLAN number is 20

Do you need to use the no shutdown command when configuring a router

subinterface?

No. The no shutdown command goes on the physical interface, not on the
subinterface.

What are the advantages and disadvantages of using “router on a stick” rather than
traditional inter-VLAN routing?

Using a single trunk link allows more VLANs to be added without the need for extra
physical interfaces. It is cheaper to use a single trunk link, because routers with many
interfaces are expensive. The physical cabling is simpler.
Subinterfaces share the interface bandwidth and this might create a bottleneck. Not all
routers are able to have subinterfaces configured for VLANs. The configuration for a
trunk link is a bit more complicated than configuring separate interfaces.

6.2.1
Do you need to configure a routing protocol on a router that is used for inter-VLAN
routing?

No. If all the VLANs are directly connected then it will not need a routing protocol to
route between them. Directly connected networks go into the routing table
automatically. A routing protocol will only be needed if more than one router is involved.

When inter-VLAN routing is used, how are the switchports that link to the router
configured?

If traditional inter-VLAN routing is used, with a separate link for each VLAN, then the
switch port is in access mode and assigned to the appropriate VLAN. If “router on a
stick” is used, then the switch port is configured for trunking.
Which show command produces this type of output?

show interface fa0/4 switchport

CCNA3 Exploration Chapter 7. Study questions. Answers

7.1
What are the advantages of wireless networks over cabled networks?

People can stay in contact with their work while they are travelling. People can move
within a building without cables having to be moved. A business can move into a new
building that does not have network cabling, and it is not necessary to run cables to
each workstation, which saves on cost, though some cabling will still be needed.

Over what range of distance would Bluetooth technology be used?

Short range, for example between a peripheral device and a PC.

Over what range of distance would the 802.11 standard be used?

Medium, in LANs (on one site) and MANs (on sites within the same town/city).

At which OSI layers is the difference between cabled and wireless networks important?

Layers 1 and 2 (physical and data link).

What potential problems of a wireless LAN are not significant on a cabled LAN?

Interference, and the ability of anyone to receive a transmission if they have a receiver
within range. Wireless is also subject to regulation which may vary from country to
country,

Does the 802.11 standard use CSMA/CD?

No. It uses collision avoidance rather than collision detection and recovery.

How could a wireless-enabled laptop make a connection to a wired Ethernet network?

It can connect through a wireless access point (AP) that is attached to the network by a
cable.

What were the advantages and disadvantages of using the 802.11b standard rather
than the 802.11a standard?

802.11b was cheaper, it was less easily obstructed by walls etc, and it could have a
longer range. On the other hand, it was slower, maximum rate 11 Mbps as opposed to
54 Mbps. It used the 2.4 GHz band rather then the 5 GHz band, which led to more
interference as many appliances use the 2.4 GHz band.

How does the current 802.11g standard compare with 802.11a and 802.11b?

It uses the 2.4 GHz band like 802.11b. It is compatible with either of the earlier
standards because it can use DSSS modulation like 802.11b with speeds up to 11
Mbps, or it can use OFDM modulation like 802.11a with speeds up to 54 Mbps. It has a
similar range to the earlier standards.

How is the planned 802.11n standard expected to provide higher data rates?

It will use MIMO (multiple input/multiple output) technology. A high rate data stream will
be split into two or more lower data rate streams. These streams will be sent at the
same time using multiple antennae.

Why is WiFi certification important?

The IEEE standards cover modulation methods but not manufacture. Manufacturers
could interpret the standards differently so that devices would not be compatible. The
WiFi alliance is an association of vendors. They certify that vendors are keeping to
industry norms and standards so that their devices should work with devices from other
vendors.

How can a desktop PC be enabled to connect to a wireless access point?

It can have a wireless NIC installed as an expansion card, or it can have a removable
USB device.

How can RTS/CTS help with the hidden node problem?

Wireless is a shared medium and therefore subject to collisions. Stations sense

transmissions and wait until the medium is clear before sending. The hidden node
problem occurs when stations are unable to sense each other and so may transmit at
the same time. RTS/CTS is a system where stations request the use of the medium,
and the access point allocates time to them. Other stations have to wait before sending
their own requests.

What three roles are commonly combined in a wireless router?

Router, Ethernet switch and wireless access point

What is the purpose of the shared service set identifier (SSID)?

It identifies the wireless network.

The 2.4 GHz band is split into 13 channels for Europe. How far apart are the central
points of these channels, and how wide are the channels?

The channels have a centre frequency separation of 5 MHz. Each channel occupies 22
MHz of bandwidth so that they overlap.

How can you ensure that adjacent access points use channels that do not overlap?

Choose channels that are 5 channels apart, e.g. channels 1 and 6.

What is an ad-hoc topology?

Wireless enabled devices do not have an access point. They connect directly to each
other and negotiate the wireless parameters with each other. An ad hoc network is also
known as an independent basic service set (IBSS).

What is a basic service area (BSA)?

The area covered by a basic service set (BSS).

What is an Extended service set topology?

A topology with more than one access point.

When planning a wireless LAN, you will need to draw coverage circles on a floor plan,
but what other factors should you take into account when locating access points?

Place the access point above obstructions and not near to metal obstructions.
Place the access point vertically and high up, perhaps near the ceiling.
Place access points in locations where users will be making use of them.

7.2

What are the three major categories of security threat to a wireless LAN?

War drivers who look for an unsecured network that will provide Internet access.
Hackers (Crackers) who enter systems to steal data or cause harm. They can often get
past weak security.
Employees may install rogue access points without permission and without
implementing the necessary security.
What is the problem of having wireless devices with default settings ready to be used?

The default settings are known. If the defaults are not changed then anyone can break
into the system.

A NIC on a shared medium will receive all transmissions but discard those that are not
addressed to it. What would a “man in the middle” attacker do to make a wireless laptop
accept transmissions addressed to another client?

Use special software to adapt the NIC of the laptop so that it accepts all transmissions.
The NIC then acts like an access point.

How can denial of service attacks be carried out on a wireless network?

Use common devices to create interference. (cordless phone, microwave, baby

monitor)
Flood the network with clear-to-send (CTS) messages. Clients then send
simultaneously and cause a constant stream of collisions.
Send a series of disassociate commands so that clients repeatedly disconnect then try
to reassociate.

What authentication was included with the original 802.11 standard and why was this
unsatisfactory?

Open authentication provided no security at all. The client requested authentication and
the access point provided it without making any checks. WEP authentication was
designed to provide some privacy by using shared key encryption. This method was too
weak because the encryption algorithm could be cracked. Also, the 32 bit keys had to
be entered by hand and this led to errors.

What authentication standard should be used now?

802.11i should be used. The Wi-Fi Alliance WPA2 standard is an implementation of

802.11i.

What is 802.1x ?

A standard specifying authentication protocols such as EAP (extensible authentication

protocol.)

Interim security measures included MAC filtering and turning off SSID broadcasts. Why
are these not considered to be adequate security measures/

It is easy for attackers to get round MAC address filtering by using software to modify
MAC addresses attached to adapters. SSIDs can be discovered by using a packet
sniffer to monitor traffic.

What is an AAA server and what protocol does it run?

An Authentication, Authorization, and Accounting server. It stores authentication
information. It runs a RADIUS protocol. (Remote Authentication Dial In User Service)

What two enterprise-level encryption mechanisms specified by 802.11i are certified by

the WiFi Alliance, and which of them is preferred?

Temporal Key Integrity Protocol (TKIP) is the method certified as WPA and Advanced
Encryption Standard (AES)is certified as WPA2. AES is preferred. TKIP can be used on
legacy equipment.

While configuring a wireless access point, you see a reference to PSK2. Which
encryption method does this refer to?

If neither TKIP nor AES is mentioned then WPA2 is used (AES). If PSK2 with TKIP is
specified then WPA is used.

How can you add depth to your security system on a wireless network?

You should configure WLAN security, preferably WPA2.

Then add extra safeguards that are not sufficient in themselves:
Disable SSID broadcasts from access points. (SSID cloaking).
Set up a manual table of allowed client MAC addresses on the access point. (MAC
address filtering)
Try to restrict access to the network to within or near a building if possible, by giving
access points near the outer walls a lower power setting than access points in the
middle of the building.

7.3
What should you do before starting to install a wireless access point?

Check the wired portion of the network, including Internet access and DHCP operation.

What should you do before configuring security on a wireless access point?

Check that at least one wireless host is able to make contact with the access point
without security, that it can obtain an IP address and that it can ping the local router.

What type of interface do wireless access points commonly offer for configuration?

Web based interface.

When configuring the access point, which mode should you choose if you have both
wireless-G and wireless-N devices?

Mixed.

What should you remember when choosing the SSID?

It is case sensitive. It can have up to 32 characters. All the devices in the wireless
network must use the same SSID. It should be changed from the default for security.

What radio band should you choose if your have only Wireless-G and Wireless-B
clients?

Standard - 20MHz Channel.

What radio band should you choose if your have only Wireless-N clients?

Wide - 40MHz Channel.

What radio band should you choose if your have Wireless-G, Wireless-B and Wireless-
N clients?

Keep the default Auto.

Which is the preferred security option?

PSK2 (Same as WPA2 or IEEE 802.11i).

Why are other, less good, security modes offered?

Older client devices may not have the best security option available. All devices must
use the same security option.

Which is the stronger encryption algorithm – TKIP or AES?

AES.

What parameters might you need to set on the wireless host?

The SSID, the authentication method, the encryption method and the network key.

Which OSI layer is the recommended starting point for troubleshooting?

Layer 1, the physical layer.

If a client is having problems connecting to a wireless network, which device should be

investigated first?

The client itself.