FE Answer


Question 1 VTP mode and VLAN [20m]

VTP mode

VTP can be configured in three modes: server, client and transparent.

VTP Server: advertises the VTP domain VLAN information to other VTP-enabled switches in the same VTP domain. VTP servers store the VLAN information for the entire domain in NVRAM. The server is where VLANs can be created, deleted, or renamed for the domain.

VTP Client: VTP clients function the same way as VTP servers, but you cannot create, delete or change VLANs on a VTP client. A VTP client only stores the VLAN information for the entire domain while the switch is on; a switch reset deletes the VLAN information. VTP client mode must be configured on the switch. Note that a client accepts any advertisement carrying a higher configuration revision number than its own, so a previously used switch that joins the domain with a higher revision number overwrites the VLAN database of the whole domain; reset its revision number (for example by changing its VTP domain name) before connecting it.

VTP Transparent: transparent switches forward VTP advertisements to VTP clients and VTP servers but do not participate in VTP. VLANs that are created, renamed, or deleted on a transparent switch are local to that switch only.

VLAN

A VLAN allows a network administrator to create groups of logically networked devices that act as if they are on their own independent network, even if they share a common infrastructure with other VLANs. A VLAN is a logically separate IP subnetwork. VLANs allow multiple IP networks and subnets to exist on the same switched network.

Benefits of VLANs:
1. Security: groups that have sensitive data are separated from the rest of the network, decreasing the chances of confidential information breaches.
2. Cost reduction: cost savings result from less need for expensive network upgrades and more efficient use of existing bandwidth and uplinks.
3. Higher performance: dividing flat Layer 2 networks into multiple logical workgroups (broadcast domains) reduces unnecessary traffic on the network and boosts performance.
4. Broadcast storm mitigation: reduces the number of devices that may participate in a broadcast storm.
5. Improved IT staff efficiency: it is easier to manage the network because users with similar network requirements share the same VLAN.
6. Application management: VLANs aggregate users and network devices to support business or geographic requirements. It is also easier to determine the scope of the effect of upgrading network devices.

Question 2 VLAN information; STP root bridge, designated port and non-designated port [15m]

STP ensures that there is only one logical path between all destinations on the network by intentionally blocking redundant paths that could cause a loop. A port is considered blocked when network traffic is prevented from entering or leaving that port.

STP uses the Spanning Tree Algorithm (STA) to determine which switch ports on a network need to be configured for blocking to prevent loops from occurring. The STA designates a single switch as the root bridge and uses it as the reference point for all path calculations.

In the figure the root bridge, switch S1, is chosen through an election process. All switches participating in STP exchange BPDU frames to determine which switch has the lowest bridge ID (BID) on the network. The switch with the lowest BID automatically becomes the root bridge for the STA calculations.

The BPDU is the message frame exchanged by switches for STP. Each BPDU contains a BID that identifies the switch that sent the BPDU. The BID contains a priority value, the MAC address of the sending switch, and an optional extended system ID. The lowest BID value is determined by the combination of these three fields: the priority (plus the extended system ID) is compared first, and the MAC address only breaks a tie.

After the root bridge has been determined, the STA calculates the shortest path to the root bridge. Each switch uses the STA to determine which ports to block. While the STA determines the best paths to the root bridge for all destinations in the broadcast domain, all traffic is prevented from forwarding through the network. The STA considers both path and port costs when determining which path to leave unblocked. The path costs are calculated using port cost values associated with port speeds for each switch port along a given path. The sum of the port cost values determines the overall path cost to the root bridge. If there is more than one path to choose from, the STA chooses the path with the lowest path cost.
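The election and path-cost calculation described above, as an added example that is not part of the exam answer: three switches named S1, S2 and S3 with constructed priorities, MAC addresses and link speeds (the port costs 19 for 100 Mb/s and 4 for 1 Gb/s are the standard IEEE 802.1D short-method values Cisco switches use). The example goes one step beyond the text by deriving the root, designated and non-designated ports from the root path costs.

```python
"""Root bridge election, root path cost and port roles (added example, not from the exam).

Switch names, priorities, MAC addresses and link speeds are constructed; the
topology mirrors the S1/S2/S3 figure the text refers to.
"""
import heapq
from dataclasses import dataclass

# IEEE 802.1D short-method port costs used by Cisco switches, keyed by Mb/s.
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


@dataclass(frozen=True)
class Switch:
    name: str
    priority: int   # default 32768, configurable in steps of 4096
    mac: str        # base MAC address, dotted hex as IOS prints it
    vlan: int = 1   # extended system ID is the VLAN number

    def bid(self):
        """Bridge ID as a comparable tuple: priority + extended system ID, then MAC."""
        return (self.priority + self.vlan, int(self.mac.replace(".", ""), 16))


def elect_root(switches):
    """The switch with the numerically lowest BID becomes the root bridge."""
    return min(switches, key=Switch.bid)


def root_path_costs(links, root_name):
    """Shortest path to the root by summed port cost (Dijkstra).

    links: (switch_a, port_a, switch_b, port_b, speed_mbps).
    Returns {switch: (cost, port_facing_root)}; that port is the root port.
    Equal-cost ties are not broken here (STP would use sender BID, then port ID).
    """
    adj = {}
    for a, pa, b, pb, speed in links:
        cost = PORT_COST[speed]
        adj.setdefault(a, []).append((b, pb, cost))   # neighbour, neighbour's port
        adj.setdefault(b, []).append((a, pa, cost))
    best = {root_name: (0, None)}
    heap = [(0, root_name)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue
        for nbr, nbr_port, c in adj.get(node, []):
            new_cost = cost + c  # the receiving port's cost is added on the way in
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, nbr_port)
                heapq.heappush(heap, (new_cost, nbr))
    return best


def port_roles(switches, links):
    """Assign root / designated / non-designated to every port in `links`."""
    root = elect_root(switches)
    costs = root_path_costs(links, root.name)
    bids = {s.name: s.bid() for s in switches}
    roles = {}
    for a, pa, b, pb, _speed in links:
        # On each segment the end with the lower root path cost (tie: lower BID)
        # is designated; the other end is either a root port or is blocked.
        if (costs[a][0], bids[a]) <= (costs[b][0], bids[b]):
            des, des_port, other, other_port = a, pa, b, pb
        else:
            des, des_port, other, other_port = b, pb, a, pa
        roles[(des, des_port)] = "designated"
        roles[(other, other_port)] = (
            "root" if costs[other][1] == other_port else "non-designated")
    return root.name, costs, roles


# Constructed topology: all priorities equal, so the MAC address decides the root.
SWITCHES = [
    Switch("S1", 32768, "0000.0c11.1111"),
    Switch("S2", 32768, "0000.0c22.2222"),
    Switch("S3", 32768, "0000.0c33.3333"),
]
LINKS = [
    ("S1", "F0/1", "S2", "F0/1", 1000),
    ("S1", "F0/2", "S3", "F0/1", 100),
    ("S2", "F0/2", "S3", "F0/2", 100),
]

if __name__ == "__main__":
    root, costs, roles = port_roles(SWITCHES, LINKS)
    print("root bridge:", root)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} {port}: {role} (root path cost {costs[sw][0]})")
```

With these inputs S1 wins the election on MAC address, S3 reaches the root directly at cost 19 rather than via S2 at 4 + 19 = 23, and S3's F0/2 ends up non-designated because S2 has the lower root path cost on that segment, which is the outcome the port-role description that follows arrives at by hand.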

When the STA has determined which paths are to be left available, it configures the switch ports into distinct port roles. The port roles describe their relation in the network to the root bridge and whether they are allowed to forward traffic.

Root ports - Switch ports closest to the root bridge. In the example, the root port on switch S2 is F0/1, configured for the trunk link between switch S2 and switch S1. The root port on switch S3 is F0/1, configured for the trunk link between switch S3 and switch S1.

Designated ports - All non-root ports that are still permitted to forward traffic on the network. In the example, switch ports F0/1 and F0/2 on switch S1 are designated ports. Switch S2 also has its port F0/2 configured as a designated port.

Non-designated ports - All ports configured to be in a blocking state to prevent loops. In the example, the STA configured port F0/2 on switch S3 in the non-designated role. Port F0/2 on switch S3 is in the blocking state.

Question 3 WAN protocols: Frame Relay, Split Horizon, PPP, HDLC [15m]

PPP

One of the most common types of WAN connection is the point-to-point connection. Point-to-point connections are used to connect LANs to service provider WANs, and to connect LAN segments within an enterprise network. A LAN-to-WAN point-to-point connection is also referred to as a serial connection or leased-line connection, because the lines are leased from a carrier (usually a telephone company) and are dedicated for use by the company leasing the lines. Companies pay for a continuous connection between two remote sites, and the line is continuously active and available. Understanding how point-to-point communication links function to provide access to a WAN is important to an overall understanding of how WANs function.

Point-to-Point Protocol (PPP) provides multiprotocol LAN-to-WAN connections handling TCP/IP, Internetwork Packet Exchange (IPX), and AppleTalk simultaneously. It can be used over twisted pair, fiber-optic lines, and satellite transmission. PPP provides transport over ATM, Frame Relay, ISDN and optical links. In modern networks, security is a key concern. PPP allows you to authenticate connections using either Password Authentication Protocol (PAP) or the more effective Challenge Handshake Authentication Protocol (CHAP). PAP sends the username and password across the link in cleartext; CHAP proves knowledge of the shared secret with a challenge-response MD5 hash and never transmits the secret itself.

PPP contains three main components:
1. HDLC protocol for encapsulating datagrams over point-to-point links.
2. Extensible Link Control Protocol (LCP) to establish, configure, and test the data link connection.
3. Family of Network Control Protocols (NCPs) for establishing and configuring different Network layer protocols.

PPP allows the simultaneous use of multiple Network layer protocols. Some of the more common NCPs are Internet Protocol Control Protocol, AppleTalk Control Protocol, Novell IPX Control Protocol, Cisco Systems Control Protocol, SNA Control Protocol, and Compression Control Protocol.

HDLC

HDLC is a synchronous Data Link layer bit-oriented protocol developed by the International Organization for Standardization (ISO). The current standard for HDLC is ISO 13239. HDLC was developed from the Synchronous Data Link Control (SDLC) standard proposed in the 1970s. HDLC provides both connection-oriented and connectionless service. HDLC uses synchronous serial transmission to provide error-free communication between two points. HDLC defines a Layer 2 framing structure that allows for flow control and error control through the use of acknowledgments. Each frame has the same format, whether it is a data frame or a control frame. When you want to transmit frames over synchronous or asynchronous links, you must remember that those links have no mechanism to mark the beginnings or ends of frames. HDLC uses a frame delimiter, or flag, to mark the beginning and the end of each frame.

Cisco has developed an extension to the HDLC protocol to solve the inability to provide multiprotocol support. Although Cisco HDLC (also referred to as cHDLC) is proprietary, Cisco has allowed many other network equipment vendors to implement it. Cisco HDLC frames contain a field for identifying the network protocol being encapsulated. The figure compares HDLC to Cisco HDLC.

Frame Relay

When you build a WAN, regardless of the transport you choose, there is always a minimum of three basic components, or groups of components, connecting any two sites. Each site needs its own equipment (DTE) to access the telephone company's CO serving the area (DCE). The third component sits in the middle, joining the two access points. In the figure, this is the portion supplied by the Frame Relay backbone. Frame Relay has lower overhead than X.25 because it has fewer capabilities. For example, Frame Relay does not provide error correction, because modern WAN facilities offer more reliable connection services and a higher degree of reliability than older facilities. The Frame Relay node simply drops packets without notification when it detects errors. Any necessary error correction, such as retransmission of data, is left to the endpoints. This makes propagation from customer end to customer end through the network very fast. Frame Relay handles volume and speed efficiently by combining the necessary functions of the Data Link and Network layers into one simple protocol. As a data link protocol, Frame Relay provides access to a network, delimits and delivers frames in proper order, and recognizes transmission errors through a standard Cyclic Redundancy Check. As a network protocol, Frame Relay provides multiple logical connections over a single physical circuit and allows the network to route data over those connections to its intended destinations. Frame Relay operates between an end-user device, such as a LAN bridge or router, and a network. The network itself can use any transmission method that is compatible with the speed and efficiency that Frame Relay applications require. Some networks use Frame Relay itself, but others use digital circuit switching or ATM cell relay systems.

Split Horizon

Another method used to prevent routing loops caused by slow convergence of a distance vector routing protocol is split horizon. The split horizon rule says that a router should not advertise a network through the interface from which the update came. Applying split horizon to the previous example of route 10.4.0.0 produces the following actions:
- R3 advertises the 10.4.0.0 network to R2.
- R2 receives the information and updates its routing table.
- R2 then advertises the 10.4.0.0 network to R1 out S0/0/0. R2 does not advertise 10.4.0.0 to R3 out S0/0/1, because the route originated from that interface.
- R1 receives the information and updates its routing table.
- Because of split horizon, R1 also does not advertise the information about network 10.4.0.0 back to R2.

Complete routing updates are exchanged, with the exception of routes that violate the split horizon rule. The results look like this:
- R2 advertises networks 10.3.0.0 and 10.4.0.0 to R1.
- R2 advertises networks 10.1.0.0 and 10.2.0.0 to R3.
- R1 advertises network 10.1.0.0 to R2.
- R3 advertises network 10.4.0.0 to R2.
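The update exchange above, simulated as an added example that is not part of the exam answer. The networks 10.1.0.0 to 10.4.0.0 and R2's interfaces S0/0/0 and S0/0/1 are taken from the text; the LAN interface names and R1's and R3's serial interface names are constructed, and the metric is RIP-style hop count. Running the same exchange with split horizon switched off shows the advertisement the rule exists to suppress.

```python
"""Split horizon on the R1-R2-R3 chain from the text (added example, not from the exam).

Networks 10.1.0.0-10.4.0.0 and R2's S0/0/0 / S0/0/1 come from the text; the
other interface names are constructed. The metric is hop count, as in RIP.
"""
import copy

# Routing table: {network: (hops, interface the route points out of)}.
# Hop count 0 marks a directly connected network.
ROUTERS = {
    "R1": {"10.1.0.0": (0, "Fa0/0"), "10.2.0.0": (0, "S0/0/0")},
    "R2": {"10.2.0.0": (0, "S0/0/0"), "10.3.0.0": (0, "S0/0/1")},
    "R3": {"10.3.0.0": (0, "S0/0/0"), "10.4.0.0": (0, "Fa0/0")},
}
# Point-to-point links as ((router, interface), (router, interface)).
LINKS = [
    (("R1", "S0/0/0"), ("R2", "S0/0/0")),
    (("R2", "S0/0/1"), ("R3", "S0/0/0")),
]


def build_update(table, out_iface, split_horizon=True):
    """Routes advertised out `out_iface`. With split horizon, any route that
    itself points out that interface (learned there, or connected) is omitted."""
    return {net: hops for net, (hops, iface) in table.items()
            if not (split_horizon and iface == out_iface)}


def receive(table, in_iface, update):
    """Distance vector rule: install a route if it is new or strictly better."""
    for net, hops in update.items():
        if net not in table or hops + 1 < table[net][0]:
            table[net] = (hops + 1, in_iface)


def exchange(routers, links, split_horizon=True):
    """One synchronous update round over every link; returns what each side sent."""
    sent = {}
    for (a, ia), (b, ib) in links:
        sent[(a, ia)] = build_update(routers[a], ia, split_horizon)
        sent[(b, ib)] = build_update(routers[b], ib, split_horizon)
    for (a, ia), (b, ib) in links:
        receive(routers[b], ib, sent[(a, ia)])
        receive(routers[a], ia, sent[(b, ib)])
    return sent


def converge(split_horizon=True, rounds=3):
    """Run `rounds` update rounds from the initial tables.
    Returns (final tables, list of per-round updates keyed by (router, interface))."""
    routers = copy.deepcopy(ROUTERS)
    history = [exchange(routers, LINKS, split_horizon) for _ in range(rounds)]
    return routers, history


if __name__ == "__main__":
    _, history = converge()
    for (router, iface), update in sorted(history[1].items()):
        print(f"round 2: {router} advertises {sorted(update)} out {iface}")
```

The round-2 updates are exactly the four advertisements listed above. With split_horizon=False, R1 advertises 10.4.0.0 back out S0/0/0 toward R2 in round 3; that is the path by which a stale route would be re-injected into R2 after 10.4.0.0 went down, which is the loop the rule prevents.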

Question 4 ACLs: inbound and outbound traffic; NAT: static and dynamic [15m]

ACL

An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header. ACLs are used for selecting types of traffic to be analyzed, forwarded, or processed in other ways. By default, a router does not have any ACLs configured and therefore does not filter traffic. Traffic that enters the router is routed according to the routing table. If you do not use ACLs on the router, all packets that can be routed through the router pass through the router to the next network segment.

ACLs are configured either to apply to inbound traffic or to apply to outbound traffic.

Inbound ACLs - Incoming packets are processed before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. If the packet is permitted by the tests, it is then processed for routing.

Outbound ACLs - Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.

ACL statements operate in sequential order. They evaluate packets against the ACL from the top down, one statement at a time, and the first matching statement decides; a packet that matches no statement is dropped by the implicit deny at the end of every ACL, so ordering the statements from most specific to most general matters.
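The top-down evaluation just described, as an added example that is not part of the exam answer. It parses standard ACL statements in IOS syntax (with wildcard masks, host and any), evaluates a source address against them in order, falls through to the implicit deny, and shows what happens when the same statements are entered in the wrong order. The ACL numbers and addresses are constructed.

```python
"""Sequential ACL evaluation with wildcard masks and the implicit deny
(added example, not from the exam; the ACLs and addresses are constructed)."""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care'. 0.0.0.0 matches one
    host, 255.255.255.255 matches any address."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_acl(lines):
    """Parse standard ACL lines: access-list <n> {permit|deny} {any | host A | A W}."""
    entries = []
    for line in lines:
        parts = line.split()
        action, src = parts[2], parts[3:]
        if src == ["any"]:
            base, wc = "0.0.0.0", "255.255.255.255"
        elif src[0] == "host":
            base, wc = src[1], "0.0.0.0"
        else:
            base, wc = src[0], (src[1] if len(src) > 1 else "0.0.0.0")
        entries.append((action, base, wc, line))
    return entries


def evaluate(acl, src_ip):
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for action, base, wc, line in acl:
        if wildcard_match(src_ip, base, wc):
            return action, line
    return "deny", "implicit deny any"


# Intended policy: block one host, allow the rest of its /24 and all of 10.1.0.0/16.
ACL_10 = parse_acl([
    "access-list 10 deny host 192.168.10.50",
    "access-list 10 permit 192.168.10.0 0.0.0.255",
    "access-list 10 permit 10.1.0.0 0.0.255.255",
])
# Same statements, wrong order: the broad permit shadows the host deny.
ACL_20 = parse_acl([
    "access-list 20 permit 192.168.10.0 0.0.0.255",
    "access-list 20 deny host 192.168.10.50",
])

if __name__ == "__main__":
    for ip in ("192.168.10.50", "192.168.10.7", "10.1.200.9", "172.16.0.1"):
        print(ip, "->", evaluate(ACL_10, ip), "| misordered:", evaluate(ACL_20, ip))
```

The 172.16.0.1 case is the one to remember: it is not mentioned anywhere in the list and is still dropped, so an ACL that only contains deny statements blocks everything once it is applied to an interface.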

INBOUND ACL

Question 5 NAT [15m]

There are two types of NAT translation: dynamic and static. Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served basis. When a host with a private IP address requests access to the Internet, dynamic NAT chooses an IP address from the pool that is not already in use by another host. Static NAT uses a one-to-one mapping of local and global addresses, and these mappings remain constant. Static NAT is particularly useful for web servers or hosts that must have a consistent address that is accessible from the Internet. These internal hosts may be enterprise servers or networking devices. Both static and dynamic NAT require that enough public addresses are available to satisfy the total number of simultaneous user sessions; when a dynamic pool is exhausted, packets from further inside hosts are dropped until a translation times out.
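The two translation types side by side, as an added example that is not part of the exam answer: a static one-to-one entry for a server, a dynamic pool handed out first come, first served, the drop when the pool is exhausted, and the reverse lookup an inbound packet needs. The inside-local (RFC 1918) and inside-global (203.0.113.0/24 documentation range) addresses are constructed.

```python
"""Static and dynamic NAT translation tables (added example, not from the exam).

Inside-local addresses are RFC 1918 and inside-global addresses are from the
203.0.113.0/24 documentation range; both are constructed for the example.
"""


class Nat:
    def __init__(self, pool, static=None):
        self.pool = list(pool)            # free inside-global addresses (dynamic pool)
        self.static = dict(static or {})  # inside-local -> inside-global, permanent
        self.dynamic = {}                 # inside-local -> inside-global, while a session is active

    def translate(self, inside_local):
        """Outbound packet: return the inside-global address, or None if it must be dropped."""
        if inside_local in self.static:
            return self.static[inside_local]
        if inside_local in self.dynamic:
            return self.dynamic[inside_local]
        if not self.pool:
            return None                   # pool exhausted: dynamic NAT drops the packet
        inside_global = self.pool.pop(0)  # first come, first served
        self.dynamic[inside_local] = inside_global
        return inside_global

    def release(self, inside_local):
        """Translation timeout: hand a dynamic address back to the pool."""
        inside_global = self.dynamic.pop(inside_local, None)
        if inside_global is not None:
            self.pool.append(inside_global)

    def inbound(self, inside_global):
        """Packet from the Internet: only static entries and currently active
        dynamic entries can be reached, which is why servers need static NAT."""
        for table in (self.static, self.dynamic):
            for local, glob in table.items():
                if glob == inside_global:
                    return local
        return None


def demo():
    nat = Nat(pool=["203.0.113.10", "203.0.113.11"],
              static={"192.168.1.80": "203.0.113.80"})   # web server: fixed mapping
    outbound = [nat.translate(h) for h in ("192.168.1.10", "192.168.1.11", "192.168.1.12")]
    nat.release("192.168.1.10")                           # first session times out
    reused = nat.translate("192.168.1.12")                # the third host now gets an address
    return nat, outbound, reused


if __name__ == "__main__":
    nat, outbound, reused = demo()
    print("outbound:", outbound, "after timeout:", reused)
    print("inbound to server:", nat.inbound("203.0.113.80"))
```

The third host's first packet is dropped because the two-address pool is already in use; it is only translated after a timeout frees an address. The server at 192.168.1.80 is reachable from outside at any time because its mapping is static, while a dynamic host is reachable only while its own session holds an address.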

Port security

The network security policy requires that only one host be permitted to attach dynamically to each switch interface. If that policy is violated the interface should shut down. Write TWO (2) commands to enforce this on the switch.

Dynamic secure MAC addresses: these are dynamically learned, stored only in the address table, and removed when the switch restarts.

Sticky secure MAC addresses: these can be dynamically learned or manually configured, are stored in the address table, and are added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. Although sticky secure addresses can be manually configured, Cisco does not recommend it. You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration by enabling sticky learning. To enable sticky learning, enter the switchport port-security mac-address sticky interface configuration command. When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. The sticky secure MAC addresses do not automatically become part of the configuration file, which is the startup configuration used each time the switch restarts. If you save the sticky secure MAC addresses in the configuration file, the interface does not need to relearn these addresses when the switch restarts. If you do not save the configuration, they are lost. If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration.

When configuring port security violation modes, note the following information:

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface fastethernet 5/12
Router(config-if)# switchport
Router(config-if)# switchport mode access
Router(config-if)# switchport port-security
Router(config-if)# switchport port-security violation {protect | restrict | shutdown}
Router(config-if)# do show port-security interface fastethernet 5/12

protect: drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.
restrict: drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value, and causes the SecurityViolation counter to increment.
shutdown: puts the interface into the error-disabled state immediately and sends an SNMP trap notification.

The two commands that enforce the policy are switchport port-security (the default maximum is one secure MAC address, so a second host on the port is a violation) and switchport port-security violation shutdown (shutdown is also the default mode; stating it makes the required action explicit). The interface must already be a static access port: the switch rejects port security on a port whose mode is dynamic.

Troubleshooting

No connection between TWO Cisco routers. Reviewing the command output of both routers, identify the most likely cause of the problem.

Configure the usernames and passwords. To do so, issue the username username password password command, where username is the hostname of the peer (neighbour). Ensure that the passwords are identical at both ends, and that the router name and password match exactly, because they are case-sensitive. Example config on RtrA and RtrB:

RtrA(config)# username RtrB password cisco
RtrB(config)# username RtrA password cisco

OR use the no shutdown command on the interface.

Why has the switch not been elected as the root bridge?

It has a higher bridge ID than the elected root bridge. The election depends on the bridge priority: the switch with the lowest priority value (and, on a tie, the lowest MAC address) becomes the root bridge, so a switch whose priority is higher than another switch's is not elected.

Host 1 cannot receive packets from Host 2. Assuming a routing protocol is in use, identify the problem with the IP configuration.
A. The fa0/1 interface of router R2 has been assigned a broadcast address.
B. The fa0/1 network on router R2 overlaps with the LAN attached to R1.
C. Host 2 has been assigned the incorrect subnet mask.
D. Host 1 has been configured with the 255.255.248.0 subnet mask.
E. Host 2 on router R2 is on a different subnet than its gateway.

Explanation

The fa0/1 interface of R2 is assigned the IP address 10.1.40.255/20. It looks like a broadcast address but it is not. Calculating the range of this network shows why:

Network 10.1.40.255/20
Increment: 16 (/20 = 1111 1111.1111 1111.1111 0000.0000 0000)
Network address: 10.1.32.0
Broadcast address: 10.1.47.255

-> 10.1.40.255/20 is a usable host address -> A is not correct.
The IP address of Host 1 (10.1.32.48) belongs to the range of interface fa0/1 on R2 as shown above -> B is correct.
In the topology, all subnet masks are /20 (255.255.240.0) except the subnet mask of Host 2 (255.255.252.0), so C could also be correct.
The subnet mask of Host 1 is 255.255.240.0, not 255.255.248.0 -> D is not correct.
Host 2 is not on a different subnet from its gateway even though the subnet mask 255.255.252.0 is used. The range of Host 2's network:

Network 10.1.40.96/22
Increment: 4
Network address: 10.1.40.0
Broadcast address: 10.1.43.255

Its gateway (10.1.40.255) still belongs to this range -> E is not correct.
Note: in this question, C is the best suitable answer after eliminating A, D and E. But in fact Host 2 can ping its gateway because they are on the same subnet.
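The subnet arithmetic in the explanation above, checked with Python's ipaddress module as an added example that is not part of the exam answer. The addresses are the ones given in the question; each helper corresponds to one of the options being eliminated.

```python
"""Subnet checks for the Host 1 / Host 2 question (added example, not from the exam)."""
import ipaddress


def describe(addr_with_prefix):
    """Network address, broadcast address and mask of the subnet an address sits in."""
    net = ipaddress.IPv4Interface(addr_with_prefix).network
    return {"network": str(net.network_address),
            "broadcast": str(net.broadcast_address),
            "mask": str(net.netmask)}


def is_usable_host(addr_with_prefix):
    """True unless the address is the network or broadcast address of its subnet (option A)."""
    iface = ipaddress.IPv4Interface(addr_with_prefix)
    return iface.ip not in (iface.network.network_address, iface.network.broadcast_address)


def overlaps(addr_a, addr_b):
    """Do the subnets of two interface addresses overlap? (option B)"""
    net_a = ipaddress.IPv4Interface(addr_a).network
    net_b = ipaddress.IPv4Interface(addr_b).network
    return net_a.overlaps(net_b)


def same_subnet(host, gateway):
    """Does each side see the other as on-link, each using its own mask? (option E)"""
    h, g = ipaddress.IPv4Interface(host), ipaddress.IPv4Interface(gateway)
    return h.ip in g.network and g.ip in h.network


# Values from the question: R2 fa0/1, Host 1 (/20) and Host 2 (/22, its gateway is R2 fa0/1).
R2_FA01 = "10.1.40.255/20"
HOST1 = "10.1.32.48/20"
HOST2 = "10.1.40.96/22"

if __name__ == "__main__":
    print("R2 fa0/1:", describe(R2_FA01), "usable host:", is_usable_host(R2_FA01))
    print("Host 1 LAN overlaps R2 fa0/1:", overlaps(HOST1, R2_FA01))
    print("Host 2:", describe(HOST2), "same subnet as gateway:", same_subnet(HOST2, R2_FA01))
```

same_subnet checks both directions on purpose: a host with a mask narrower than its gateway's can still reach the gateway, but the gateway may consider a host with a wider mask off-link, so a mismatch is only harmless when the test passes from both sides, as it does here.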

Which destination address would Host A use to send data to Host B?

Write the commands for static and dynamic routing. The simple syntax of a static route is:

ip route destination-network-address subnet-mask {next-hop-IP-address | exit-interface}

+ destination-network-address: destination network address of the remote network
+ subnet-mask: subnet mask of the destination network
+ next-hop-IP-address: the IP address of the receiving interface on the next-hop router
+ exit-interface: the local interface of this router where the packets will go out

Higher-level protocols (OSPF, EIGRP) calculate the best route mainly based on bandwidth, so the interface bandwidth must be set correctly.

End of Question Paper
