ICND2 CH1 - Virtual LANs

Question 1

Native VLAN - why must all switches agree on the native VLAN ID?

Answer 1

802.1Q header not added to native VLAN (default VLAN ID 1), untagged packets received on trunk are assigned to native VLAN, that’s why all switches must agree (have set) the same native VLAN.

Question 2

How are VLANs and subnets different?

Answer 2

VLAN - Layer 2 concept.

Subnet - Layer 3 concept.

Question 3

Most common reasons for using VLANs (five)

Answer 3

1. Flexibility, not limited by physical location.
2. Smaller LANs (broadcast domains), reduce overhead to each host.
3. Reduce workload for Spanning Tree Protocol (STP) - limit VLAN to single access switch.
4. Security, keep hosts with sensitive data on separate VLAN.
5. PC <-> Phone <-> Switch: separate traffic.

Question 4

Can Cisco switches disable VTP? (VLAN Trunking Protocol)

Answer 4

No.

Closest option: user transparent mode - switch ignores VTP but forwards VTP messages to other switches.

Question 5

What determines if a VTP update will cause a switch in server or client mode to update it’s VTP database?

Answer 5

If the VTP update has a higher database configuration revision number (each update +1).

Question 6

What ports are used to send VTP messages sent to other switches?

Answer 6

VTP messages are sent out on all trunks!

Process is called synchronization.

Question 7

Three requirements for VTP to work between two switches.

Answer 7

1. VLAN trunk (ISL or 802.1Q)
2. VTP domain name must match (case sensitive)
3. VTP password must match (case sensitive), if configured!

Question 8

Where is VLAN configuration actually stored on a switch?

Answer 8

In a file called vlan.dat, stored in FLASH MEMORY!

Switches in transparent mode store VLAN configuration in both running-config and vlan.dat.

Question 9

What is the command to remove VLAN and VTP configuration from a switch?

Answer 9

delete flash:vlan.dat

Question 10

VTP: Server | Client | Transparent

Which only sends VTP messages out ISL or 802.1Q trunks?

Answer 10

Server: Yes
Client: Yes
Transparent: Yes

Question 11

VTP: Server | Client | Transparent

Which supports CLI configuration of VLANs?

Answer 11

Server: Yes
Client: No
Transparent: Yes (because it’s autonomous, can have independent VLANs)

Question 12

VTP: Server | Client | Transparent

Which can use normal-range VLANs (1-1005)?

Answer 12

Server: Yes
Client: Yes
Transparent: Yes

Question 13

VTP: Server | Client | Transparent

Which can use extended-range VLANs (1006-4095)

Answer 13

Server: No
Client: No
Transparent: Yes

Question 14

VTP: Server | Client | Transparent

Which synchronizes (updates) its own config database when receiving VTP messages with a higher revision number?

Answer 14

Server: Yes
Client: Yes
Transparent: No

Question 15

VTP: Server | Client | Transparent

Which creates and sends periodic VTP updates every 5 minutes?

Answer 15

Server: Yes
Client: Yes
Transparent: No

Question 16

VTP: Server | Client | Transparent

Which does not process received VTP updates but does forward received VTP updates out other trunks?

Answer 16

Server: No
Client: No
Transparent: Yes

Question 17

VTP: Server | Client | Transparent

Which places VLAN ID, VLAN name, and VTP configuration into the running-config file?

Answer 17

Server: No
Client: No
Transparent: Yes

Question 18

VTP: Server | Client | Transparent

Which places the VLAN ID, VLAN name, and VTP configuration into the vlan.dat file in flash?

Answer 18

Server: Yes
Client: Yes
Transparent: Yes

Question 19

Steps to configure a new VLAN (two):

Answer 19

1. ! create VLAN and move into VLAN configuration mode
   (config) # vlan vlan-id
2. ! optional, assign name to VLAN, default VLAN####

(config-vlan)# name name

Question 20

Steps to configure a VLAN for each access interface (three):

Answer 20

1. ! move into interface configuration mode for desired interface
   (config) # interface fa0/1
2. ! specify the VLAN number associated with this interface

(config-if)# switchport access vlan id-number

3. ! optional, disable trunking on interface, ensuring access interface

(config-if)# switchport mode access

Question 21

Default VTP configuration for a switch (four settings):

Answer 21

• VTP server mode.
• No VTP domain name.
• VLAN 1 and 1002-1005 automatically configured, can’t be deleted.
• All access interfaces assigned to VLAN 1.

Question 22

What does the optional interface subcommand switchport mode access do?

Answer 22

Force access mode ONLY.

Otherwise, interface could negociate to use trunking, becoming a trunk.

Question 23

Explain trunking administrative mode options with the interface subcommand

switchport mode

access

trunk

dynamic desirable

dynamic auto

Answer 23

switchport mode access <- prevent trunking, force access mode

switchport mode trunk <- force trunking

switchport mode dynamic desirable <- initiate and respond to negotiation messages, establish trunk

switchport mode dynamic auto <- passively wait and respond to negotiation messages, establish trunk

Question 24

Describe the terms Administrative and Operational as it referes to switches.

Answer 24

Administrative - referes to what is configured.

Operational - refers to what is currently happening.

Question 25

What VLAN IDs allowed by default on a trunk port?

Answer 25

**1-4094** **2¹²** = 4096, VLAN ID field has 12 bits, VLAN ID 0 and 4095 reserved.

Question 26

What **FOUR** reasons exist that prevent a particular VLAN's traffic from crossing a trunk?

Answer 26

1. VLAN not in trunk's ***allowed VLAN*** list. 2. VLAN does not exist or **not active**. 3. VLAN automatically **pruned by VTP**. 4. VLAN **STP** instance blocked trunk.

Question 27

Cisco recommendations for how to protect ***unused*** switch ports (three).

Answer 27

1. **shutdown** interface (administratively disable) 2. Prevent trunking negotiation (use **switchport nonegociate** or **switchport mode access**) 3. Assign port to unused VLAN (*parking lot VLAN*) Note: Shutting down interface eliminates security issue but the other two tasks prevent any immediate problems if someone enables interface with no shutdown command.

Question 28

What is Cisco's recommendation for **trunk negotiation** on all in-use ***access interfaces***?

Answer 28

Disable trunk negociation on access interfaces. Use **switchport nonegociate** interface subcommand. Note: Thinking is that an attacker could disconnect a ligitimate user's computer from RJ-45 port and try trunk negociation with attacker's PC.

Question 29

What can all the switches in the same VTP domain learn from each other?

Answer 29

VLAN configuration information.

Question 30

Steps to configure VTP on a switch (six).

Answer 30

1. **(config)# vtp mode {server | client}** 2. **(config)# vtp domain** ***domain-name ** * ! case-sensitive 3. **(config)# vtp password *password-value*** ! (optional) case-sensitive 4. **(config)# vtp prunning** ! (optional) 5. **(config)# vtp version 2 ** ! (optional) 6. Bring up trunks between the switches.

Question 31

Two commands to verify VTP configuration since these settings are only stored in **vlan.dat** file in flash when in **server** and **client** mode:

Answer 31

**show vtp status** **show vlan** NOTE: Any analysis of VTP and VLANs on Cisco switches depends on these two commands.

Question 32

What **VLAN ID** is used to send **VTP** and **CDP** messages on trunks?

Answer 32

**VLAN 1**