
300-115 Dump Free


300-115 Dump Free – 50 Practice Questions to Sharpen Your Exam Readiness.

Looking for a reliable way to prepare for your 300-115 certification? Our 300-115 Dump Free includes 50 exam-style practice questions designed to reflect real test scenarios—helping you study smarter and pass with confidence.

Using a 300-115 dump free set of questions can give you an edge in your exam prep by helping you:

  • Understand the format and types of questions you’ll face
  • Pinpoint weak areas and focus your study efforts
  • Boost your confidence with realistic question practice

Below, you will find 50 free questions from our 300-115 Dump Free collection. These cover key topics and are structured to simulate the difficulty level of the real exam, making them a valuable tool for review or final prep.

Question 1

DRAG DROP -
Select and Place:
 Image

 


Suggested Answer:
Correct Answer Image

 

Question 2

Which PVLAN port type can only send frames to promiscuous ports?

A. private

B. promiscuous

C. isolated

D. community

E. public

 

Suggested Answer: C

Explanation

There are three types of ports in a private VLAN (PVLAN): promiscuous, isolated, and community. A PVLAN isolated port type can only send frames to promiscuous ports.
Consider the following graphic:
Reference Image
Host B is attached to a promiscuous mode port. In this mode, Host B can send and receive frames with other promiscuous, isolated, or community ports assigned to the same private VLAN. Therefore, frames can be exchanged with Hosts A or C. Hosts A and C are attached to isolated ports. Isolated ports are able to send frames to promiscuous ports but not to each other.
Isolated and promiscuous ports can be combined to achieve a desired level of separation between particular machines while still allowing required access to services. As another example, suppose that security policy dictated that Host A and Host C cannot communicate with one another, but both computers needed to access a database on Host B. The isolated ports keep them from communicating with one another, while the use of a promiscuous port to Host B allows them to access the database. Any other resources in the network that either machine needs access to should therefore be connected with a promiscuous port.
The third type of port is a community port. A community port can communicate with other community ports of the same private VLAN or promiscuous ports.
Objective: Infrastructure Security
Sub-Objective: Configure and verify switch security features
References:
Cisco > Home > Support > Product Support > End-of-Sale and End-of-Life Products > Cisco Catalyst 6000 Series Switches > Configure > Configuration Examples and Technotes > Securing Networks with Private VLANs and VLAN Access Control Lists

Question 3

What is the storm control violation defined by default on a Cisco switch?

A. Disabled

B. Enabled

C. Enabled by broadcast only

D. Enabled by multicast only

 


Suggested Answer: A

 

Question 4

Which statement about the default behavior of a Cisco switch MAC address table is true?

A. MAC addresses are not learned on extended VLANs.

B. MAC addresses are aged out of the MAC table after 600 seconds.

C. MAC addresses are associated with a VLAN.

D. MAC address filtering is enabled on trunk ports.

 


Suggested Answer: C

 

Question 5

Given the configuration on a switch interface, what happens when a host with the MAC address of 0003.0003.0003 is directly connected to the switch port?
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address 0002.0002.0002
switchport port-security violation shutdown

A. The host will be allowed to connect.

B. The port will shut down.

C. The host can only connect through a hub/switch where 0002.0002.0002 is already connected.

D. The host will be refused access.

 


Suggested Answer: A

 

Question 6

In a Cisco switch, what is the default period of time after which a MAC address ages out and is discarded?

A. 100 seconds

B. 180 seconds

C. 300 seconds

D. 600 seconds

 


Suggested Answer: C

To configure the aging time for all MAC addresses, perform this task:
Reference Image
Reference: http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/MACAddress.html

Question 7

Which two protocols can be automatically negotiated between switches for trunking? (Choose two.)

A. PPP

B. DTP

C. ISL

D. HDLC

E. DLCI

F. DOT1Q

 


Suggested Answer: CF

On switches such as the Catalyst 3550 that are capable of either 802.1Q or ISL trunking encapsulation, the switchport trunk encapsulation [dot1q | isl | negotiate] interface command must be used prior to the switchport mode trunk command.
Reference: https://learningnetwork.cisco.com/servlet/JiveServlet/previewBody/14792-102-1-57313/Dynamic%20Trunking%20Protocol.PDF

Question 8

DRAG DROP -
Prioritize the traffic types by dragging them from the left to the appropriate Cisco priority level on the right. Put the highest priority at the bottom.
Select and Place:
 Image

 


Suggested Answer:
Correct Answer Image

 

Question 9

What is the maximum number of 10 Gigabit Ethernet connections that can be utilized in an EtherChannel for the virtual switch link?

A. 4

B. 6

C. 8

D. 12

 


Suggested Answer: C

The VSS is made up of the following:
✑ Virtual switch members: Cisco Catalyst 6500 Series Switches (up to two switches with initial release) deployed with the Virtual Switching Supervisor 720 10GE
✑ Virtual switch link (VSL): 10 Gigabit Ethernet connections (up to eight using EtherChannel) between the virtual switch members.
Reference: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps9336/prod_qas0900aecd806ed74b.html

Question 10

You want to configure a switched internetwork with multiple VLANs as shown above. Which of the following commands should you issue on SwitchA for the port connected to SwitchB?
 Image

A. switchport mode trunk

B. switchport access vlan 5

C. switchport mode access vlan 5

D. switchport trunk native vlan 5

 


Suggested Answer: A

 

Question 11

Which feature can you enable on a switch to prevent potential bridging loops caused by invalid configurations on PortFast-configured interfaces?

A. UDLD

B. Root Guard

C. BPDU Guard

D. Loop Guard

 


Suggested Answer: C

BPDU Guard prevents bridging loops caused by an invalid configuration on a PortFast-configured interface by shutting down the interface when it receives BPDUs.
PortFast-configured interfaces should not receive BPDUs in a valid configuration because only end devices should be connected to the PortFast interfaces (only switches and bridges send BPDUs). However, if a switch were improperly connected to the PortFast-configured interface, it would begin to receive BPDUs from the switch at the other end of the link. The port would immediately go into the spanning-tree blocking state and the port would begin to send BPDUs, which could cause a bridging loop. BPDU Guard can prevent this situation by providing a secure response to BPDUs received on PortFast-configured interfaces. When enabled, BPDU Guard shuts down a PortFast-configured interface when it receives BPDUs. When BPDU Guard brings down an interface, the interface stays down until an administrator manually puts it back into service.
The following command enables BPDU Guard on an interface:
switch(config-if)# spanning-tree bpduguard enable
To further enhance the ability of Root Guard to prevent the introduction of rogue switches in the network, PortFast can be used as well to shut down the port when a switch is connected to it. When you globally enable BPDU guard, STP shuts down ports that receive BPDUs. This is called STP PortFast BPDU Guard.
The following command enables STP PortFast BPDU Guard globally:
switch(config)# spanning-tree portfast bpduguard default
Unidirectional Link Detection (UDLD) improves the stability of Layer 2 networks by detecting and shutting down unidirectional links.
Root Guard provides a mechanism for enforcing root-bridge placement in the network. When enabled on a Layer 2 access port, it forces the port to become a designated port. Root Guard prevents the port from becoming an STP root port.
Loop Guard provides protection against Layer 2 forwarding loops in a physically redundant topology by moving a non-designated port that has not received BPDUs as expected into the STP loop-inconsistent blocking state, preventing the port from cycling through the normal STP listening, learning, and forwarding states. It cannot be used to force a Layer 2 access port to become a designated port. Loop guard can be implemented on a switch either globally or per interface with the following commands.
Globally, the command would be:
switch(config)# spanning-tree loopguard default
Per interface, the commands would be:
switch(config)# interface fastethernet0/1
switch(config-if)# spanning-tree guard loop
Objective: Layer 2 Technologies
Sub-Objective: Configure and verify spanning tree
References:
Cisco > Cisco IOS LAN Switching Command Reference > show vlan through ssl-proxy module allowed-vlan > spanning-tree portfast bpduguard default

Question 12

When you configure a private VLAN, which type of port must you configure the gateway router port as?

A. promiscuous port

B. isolated port

C. community port

D. access port

 


Suggested Answer: A

There are mainly two types of ports in a Private VLAN: Promiscuous port (P-Port) and Host port. Host ports are further divided into two types: Isolated port (I-Port) and Community port (C-Port).
✑ Promiscuous port (P-Port): The switch port connects to a router, firewall or other common gateway device. This port can communicate with anything else connected to the primary or any secondary VLAN. In other words, it is a type of port that is allowed to send and receive frames from any other port on the VLAN.
✑ Host Ports:
– Isolated Port (I-Port): Connects to the regular host that resides on isolated VLAN. This port communicates only with P-Ports.
– Community Port (C-Port): Connects to the regular host that resides on community VLAN. This port communicates with P-Ports and ports on the same community VLAN.
Reference: http://en.wikipedia.org/wiki/Private_VLAN

Question 13

Why might a network administrator want to disable MAC address learning on the router?

A. To free up space in MAC address table.

B. To use space in MAC address table

C. To wipe space in MAC address table.

D. There was a security violation.

 


Suggested Answer: A

 

Question 14

Which protocol will enable a group of routers to form a single virtual router and will use the real IP address of a router as the gateway address?

A. Proxy ARP

B. HSRP

C. IRDP

D. VRRP

E. GLBP

 

Suggested Answer: D

 

Question 15

Your network consists of one HSRP group of six routers. All of the routers are functioning properly. The network has been stable for several days.
In which HSRP state are most of the routers?

A. Learn

B. Listen

C. Standby

D. Active

 


Suggested Answer: B

If all of the routers in the Hot Standby Routing Protocol (HSRP) group are functioning properly, then most of the routers in the group are in the listen state. Four routers will be in the listen state, one router will be in the standby state, and one router will be in the active state.
HSRP is used by a group of routers to create the appearance of a virtual router with which end stations can communicate in the event that the default gateway becomes unavailable. The active router is responsible for forwarding packets that are sent to the virtual router. The standby router is responsible for assuming the role of active router should the active router fail or become unavailable. All other HSRP routers monitor the hello messages sent by the active and standby routers.
Should the active and standby routers both become unavailable, the HSRP router with the highest priority is elected to become the active router by default. For routers with equal priority values, the router with the highest IP address becomes the active router.
HSRP routers can exist in one of the following six states:
Initial
Learn
Listen
Speak
Standby
Active
All HSRP routers start in the initial state. A router in the learn state is waiting for its first hello message from the active router so that it can learn the virtual router’s IP address. When the hello message is received and the virtual router’s IP address is discovered, the HSRP router is in the listen state. A router in the listen state listens for hello messages from the active and standby routers. If an election for a new active router and a new standby router is required, then an HSRP router will enter the speak state and begin transmitting hello messages. The standby state is reserved for the standby router, and the active state is reserved for the active router. Only routers in speak, standby, and active states will transmit hello packets.
Objective: Infrastructure Services
Sub-Objective: Configure and verify first-hop redundancy protocols
References:
Cisco > Home > Technology Support > IP > IP Application Services > Design > Design Technotes > Hot Standby Router Protocol Features and Functionality
Cisco > Cisco IOS IP Application Services Configuration Guide, Release 12.4 > Part 1: First Hop Redundancy Protocols > Configuring HSRP

Question 16

Which command must an administrator use to determine the native VLAN on a trunk?

A. show ip interface vlan

B. show vlan

C. show vlan mapping

D. show interfaces trunk

 


Suggested Answer: D

 

Question 17

When you configure private VLANs on a switch, which port type connects the switch to the gateway router?

A. promiscuous

B. community

C. isolated

D. trunked

 


Suggested Answer: Explanation

There are mainly two types of ports in a Private VLAN: Promiscuous port (P-Port) and Host port. Host ports are further divided into two types: Isolated port (I-Port) and Community port (C-Port).
✑ Promiscuous port (P-Port): The switch port connects to a router, firewall or other common gateway device. This port can communicate with anything else connected to the primary or any secondary VLAN. In other words, it is a type of port that is allowed to send and receive frames from any other port on the VLAN.
✑ Host Ports:
– Isolated Port (I-Port): Connects to the regular host that resides on isolated VLAN. This port communicates only with P-Ports.
– Community Port (C-Port): Connects to the regular host that resides on community VLAN. This port communicates with P-Ports and ports on the same community VLAN.
Reference: http://en.wikipedia.org/wiki/Private_VLAN
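
The forwarding rules from the explanations to Questions 2, 12 and 17, as an added example that is not part of the original answers: a small Python model that checks a set of private-VLAN port roles against a separation policy. The host names, the community VLAN number 201 and the two misconfigured layouts are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"


@dataclass(frozen=True)
class PvlanPort:
    name: str                             # attached device (constructed names)
    kind: str                             # PROMISCUOUS, ISOLATED or COMMUNITY
    community_vlan: Optional[int] = None  # secondary VLAN id, community ports only


def can_exchange(a: PvlanPort, b: PvlanPort) -> bool:
    """True if frames may pass between two ports of the same primary VLAN."""
    if PROMISCUOUS in (a.kind, b.kind):
        return True    # P-ports communicate with every port type
    if ISOLATED in (a.kind, b.kind):
        return False   # I-ports reach P-ports only, not even other I-ports
    return a.community_vlan == b.community_vlan  # C-ports: same community only


def audit(ports, must_reach, must_not_reach):
    """Compare the port roles with a separation policy; return the violations."""
    by_name = {p.name: p for p in ports}
    findings = []
    for x, y in must_reach:
        if not can_exchange(by_name[x], by_name[y]):
            findings.append(f"{x} cannot reach {y}")
    for x, y in must_not_reach:
        if can_exchange(by_name[x], by_name[y]):
            findings.append(f"{x} can reach {y}")
    return findings


# Policy from the Question 2 explanation: Hosts A and C must not talk to each
# other, but both need the database on Host B. The gateway router of
# Questions 12 and 17 must be reachable by both hosts.
MUST_REACH = [("HostA", "HostB"), ("HostC", "HostB"),
              ("HostA", "Gateway"), ("HostC", "Gateway")]
MUST_NOT_REACH = [("HostA", "HostC")]

# Layout described on the page: gateway and database on promiscuous ports,
# the two hosts on isolated ports.
GOOD = [PvlanPort("Gateway", PROMISCUOUS), PvlanPort("HostB", PROMISCUOUS),
        PvlanPort("HostA", ISOLATED), PvlanPort("HostC", ISOLATED)]

# Constructed mistake 1: both hosts placed in the same community VLAN.
SAME_COMMUNITY = [PvlanPort("Gateway", PROMISCUOUS), PvlanPort("HostB", PROMISCUOUS),
                  PvlanPort("HostA", COMMUNITY, 201), PvlanPort("HostC", COMMUNITY, 201)]

# Constructed mistake 2: the gateway router port left as an isolated port.
ISOLATED_GATEWAY = [PvlanPort("Gateway", ISOLATED), PvlanPort("HostB", PROMISCUOUS),
                    PvlanPort("HostA", ISOLATED), PvlanPort("HostC", ISOLATED)]

if __name__ == "__main__":
    for label, layout in [("good", GOOD), ("same community", SAME_COMMUNITY),
                          ("isolated gateway", ISOLATED_GATEWAY)]:
        print(label, "->", audit(layout, MUST_REACH, MUST_NOT_REACH) or "policy met")
```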

Question 18

When a Layer 2 trunking EtherChannel is configured, which two attributes must match across the member ports? (Choose two.)

A. spanning-tree cost

B. spanning-tree priority

C. allowed VLANs on the trunk

D. trunking mode

E. interface description

 


Suggested Answer: CD

 

Question 19

Refer to the exhibit. Which configuration on the HSRP neighboring device ensures that it becomes the active HSRP device in the event that port fa1/1 on Switch_A goes down?
A.
 Image
B.
 Image
C.
 Image
D.
 Image

 


Suggested Answer: C

 

Question 20

A Cisco Catalyst switch that is prone to reboots continues to rebuild the DHCP snooping database. What is the solution to avoid the snooping database from being rebuilt after every device reboot?

A. A DHCP snooping database agent should be configured.

B. Enable DHCP snooping for all VLANs that are associated with the switch.

C. Disable Option 82 for DHCP data insertion.

D. Use IP Source Guard to protect the DHCP binding table entries from being lost upon rebooting.

E. Apply ip dhcp snooping trust on all interfaces with dynamic addresses.

 


Suggested Answer: A

Minimum DHCP Snooping Configuration
The minimum configuration steps for the DHCP snooping feature are as follows:
1. Define and configure the DHCP server.
2. Enable DHCP snooping on at least one VLAN.
By default, DHCP snooping is inactive on all VLANs.
3. Ensure that DHCP server is connected through a trusted interface.
By default, the trust state of all interfaces is untrusted.
4. Configure the DHCP snooping database agent.
This step ensures that database entries are restored after a restart or switchover.
5. Enable DHCP snooping globally.
The feature is not active until you complete this step.
Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/snoodhcp.html#wp1090479

Question 21

In which portion of the frame is the 802.1q header found?

A. within the Ethernet header

B. within the Ethernet payload

C. within the Ethernet FCS

D. within the Ethernet source MAC address

 


Suggested Answer: A

 

Question 22

Which Catalyst 6500 feature provides network-security enforcement based on Layer 2, Layer 3, and Layer 4 information on a VLAN?

A. NAM

B. SPAN

C. VACL

D. 802.1X

 


Suggested Answer: C

VLAN access control lists (VACLs) provide network-security enforcement based on Layer 2, Layer 3, and Layer 4 information on a VLAN.
VACLs can be used to provide security based on MAC address, source and destination IP address, Layer 4 protocols, or port numbers. The VACL will act on all traffic of a select VLAN whether bridged or switched. The actions performed on a packet can include permit, redirect, or deny. The VACL entries are checked in sequence, which is similar in concept to route-map structures. The following procedure is used to create VACLs:
Define a VLAN access map:
switch(config)# vlan access-map name [seq#]
Configure a match clause:
switch(config-access-map)# match {ip address {1-99 | 1300-2699 | acl_name} | mac address acl_name}
Configure an action clause:
switch(config-access-map)# action {drop | forward | redirect}
Apply the map to a VLAN:
switch(config)# vlan filter map_name vlan-list list
Once created, you should verify the VACLs using the following commands:
switch# show vlan access-map map_name
switch# show vlan filter
In the sample configuration shown below, all VLAN traffic in VLANs 1 through 3 that matches access list SAFE will be forwarded. All other traffic will be dropped.
switch(config)# vlan access-map cisco 10
switch(config-access-map)# match ip address SAFE
switch(config-access-map)# action forward
switch(config)# vlan filter cisco vlan-list 1-3
If access list cisco were configured as shown below, for example, traffic with a source address of 172.16.10.8 would be dropped.
Switch# show ip access-list cisco 10
Extended ip access list cisco 10
10 permit 10.0.0.0 255.255.255.0 any
Objective: Infrastructure Security
Sub-Objective: Configure and verify switch security features
References:
Cisco > Home > Support > Product Support > End-of-Sale and End-of-Life Products > Cisco Catalyst 6000 Series Switches > Configure > Configuration Examples and Technotes > Securing Networks with Private VLANs and VLAN Access Control Lists
Cisco > Cisco IOS LAN Switching Command Reference > vlan access-map
Cisco > Cisco IOS LAN Switching Command Reference > match (vlan access-map)

Question 23

What is accomplished by the command switchport port-security violation protect?

A. The switch will generate a log message but will not block any packets

B. The switch will drop packets that are in violation and generate a log message

C. The switch will drop packets that are in violation, but not generate a log message

D. The switch will shut down the interface when packets in violation are detected

 

Suggested Answer: C

Explanation

The command switchport port-security violation protect will cause the switch to drop packets that are in violation, but does not generate a log message. The complete syntax of the command is:
switch(config-if)# switchport port-security violation protect
The port-security command is used to lock a port to specific MAC addresses. Port security can be used to limit access to a port by MAC address. It can be applied to:
✑ access ports
✑ VoIP ports
✑ ports where multiple MAC addresses are expected, such as a port connecting to a hub
It cannot be applied to trunk ports or to ports that are part of an EtherChannel.
Three keywords can be used with this command: protect, restrict and shutdown. The restrict keyword tells the port to drop packets and generate a log message for packets that are in violation. The protect keyword tells the port to drop packets without generating a log message for packets that are in violation. The shutdown keyword causes the port to be placed into the errdisable state if a violation is detected.
The following configuration, generated from a partial output of the show run command, would apply port security to the Fa0/1 interface. It would allow five addresses to access the interface at a time. This count includes addresses that have been seen by the port but are currently inactive. Therefore, if five addresses have been seen and three are inactive, then a sixth address would not be allowed. If the port security maximum command has not been issued, the default behavior will only allow one address on the port.
The aging command can be used to force inactive addresses to be dropped from the list of addresses seen, thereby allowing active addresses access to the port.
Reference Image
The above configuration also includes a static entry for the MAC address 0006.0006.0006. This means that this address is always in the list, and so in effect, this configuration leaves only four other dynamic MAC addresses that can connect at a time.
There is no option to generate a log message but not block any packets.
Objective: Infrastructure Security
Sub-Objective: Configure and verify switch security features
References:
Cisco > Catalyst 6500 Release 15.0SY Software Configuration Guide > Security > Port Security > How to Configure Port Security

Question 24

You want to configure your Catalyst 6500 switch to redirect certain IP traffic from VLANs 22 through 33 to the Gigabit Ethernet interface that resides at slot 4, port 1. The IP traffic to be redirected must match an ACL named tn1.
Which of the following sets of commands should you issue?

A.
vlan access-map 22-33
match ip address tn1
action redirect gigabitethernet 4/1
vlan filter tn1

B.
vlan access-map ge1
match ip address tn1
action redirect gigabitethernet 4/1
vlan filter ge1 vlan-list 22-33

C.
vlan access-map tn1
match ip address ge1
action redirect gigabitethernet 4/1
vlan filter tn1 vlan-list 22 33

D.
vlan access-map ge1
match ip address tn1
action redirect gigabitethernet 4/1
vlan filter ge1 vlan-list 22 33

 


Suggested Answer: B

To appropriately configure your Catalyst 6500 switch in this scenario, you should issue the following commands:
Switch(config)# vlan access-map ge1
Switch(config-access-map)# match ip address tn1
Switch(config-access-map)# action redirect gigabitethernet 4/1
Switch(config-access-map)# exit
Switch(config)# vlan filter ge1 vlan-list 22-33
VLAN access control lists (VACLs) are used to control how packets are switched within a virtual local area network (VLAN). To configure a VACL, you should perform the following actions:
Define the VLAN access map by issuing the vlan access-map command.
Define the configured ACL that traffic must match for an action to be triggered by issuing the match command; any traffic that does not match the conditions specified by the configured ACL or ACLs is dropped.
Define the action that will be triggered when traffic matches the configured ACL by issuing the action command.
Apply the VACL to one or more VLANs by issuing the vlan filter command.
The syntax for the vlan access-map command is vlan access-map map-name [sequence-number], where map-name is the name assigned to the VLAN access map. The optional sequence-number parameter defines the order in which the access map statements are checked. Therefore, the command vlan access-map ge1 creates a VLAN access map named ge1 with no sequence number.
The match command can filter traffic based on IP address, IPX address or Media Access Control (MAC) address. The syntax for the match command is match {ip address {acl-number | acl-name} | ipx address {acl-number | acl-name} | mac address acl-name}, where acl-number and acl-name are the number and name of the access list, respectively. Therefore, the command match ip address tn1 specifies that only traffic that matches ACL tn1 will trigger the action specified in the action command.
The action command will configure the VACL to drop, forward, or redirect traffic that matches the access list specified in the match command. The syntax for the action command is action {drop | forward | redirect interface slot/port}. Therefore, the command action redirect gigabitethernet 4/1 will redirect traffic that matches the access list to Gigabit Ethernet interface 4/1.
The syntax for the vlan filter command is vlan filter map-name {vlan-list vlan-list}, where map-name is the name of the VLAN access map and vlan-list is the VLAN or VLANs that should be filtered by the VACL. Therefore, the command vlan filter ge1 vlan-list 22-33 applies the VLAN access map named ge1 to VLANs 22 through 33.
The following command set incorrectly specifies the VLAN access map and filter:
Switch(config)# vlan access-map 22-33
Switch(config-access-map)# match ip address tn1
Switch(config-access-map)# action redirect gigabitethernet 4/1
Switch(config-access-map)# exit
Switch(config)# vlan filter tn1
The following command set incorrectly specifies the VLAN access map and the match statement. This command set is also missing the required hyphen in the list of VLANs specified after the vlan-list keyword:
Switch(config)# vlan access-map tn1
Switch(config-access-map)# match ip address ge1
Switch(config-access-map)# action redirect gigabitethernet 4/1
Switch(config-access-map)# exit
Switch(config)# vlan filter tn1 vlan-list 22 33
The following command set is missing the required hyphen in the list of VLANs specified after the vlan-list keyword:
Switch(config)# vlan access-map ge1
Switch(config-access-map)# match ip address tn1
Switch(config-access-map)# action redirect gigabitethernet 4/1
Switch(config-access-map)# exit
Switch(config)# vlan filter ge1 vlan-list 22 33
Objective: Infrastructure Security
Sub-Objective: Configure and verify switch security features
References:
Cisco > Home > Support > Product Support > End-of-Sale and End-of-Life Products > Cisco Catalyst 6000 Series Switches > Configure > Configuration Examples and Technotes > Securing Networks with Private VLANs and VLAN Access Control Lists
Cisco > Catalyst 4500 Series Switch Cisco IOS Command Reference, 12.2(52)SG > snmp ifindex clear through vtp v2-mode > vlan access-map
Cisco > Catalyst 4500 Series Switch Cisco IOS Command Reference, 12.2(52)SG > interface port-channel through shape > match
Cisco > Catalyst 4500 Series Switch Cisco IOS Command Reference, 12.2(52)SG > snmp ifindex clear through vtp v2-mode > vlan filter
Cisco > Catalyst 4500 Series Switch Cisco IOS Command Reference, 12.2(52)SG > aaa accounting dot1x default start-stop group radius through instance > action
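
How the VACL from Questions 22 and 24 treats traffic, as an added example that is not part of the original explanation: a Python model of in-sequence map evaluation, the drop applied to unmatched traffic, and vlan-list parsing. The contents of ACL tn1, the catch-all ACL named ALL, the sequence numbers and the sample addresses are constructed, and ACLs are simplified to lists of permitted source networks.

```python
import ipaddress


def parse_vlan_list(text):
    """Expand a vlan-list argument such as '22-33' or '1-3,7' into VLAN ids."""
    vlans = set()
    for item in text.split(","):
        first, dash, last = item.partition("-")
        if not first.isdigit() or (dash and not last.isdigit()):
            raise ValueError(f"invalid vlan-list item: {item!r}")
        lo = int(first)
        hi = int(last) if dash else lo
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"VLAN range out of bounds: {item!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


class VlanAccessMap:
    """Simplified VACL: ordered entries, each pairing one ACL with one action."""

    def __init__(self, name):
        self.name = name
        self.entries = []   # (sequence number, ACL name, action)
        self.vlans = set()  # VLANs named by "vlan filter ... vlan-list"

    def entry(self, sequence, acl_name, action):
        self.entries.append((sequence, acl_name, action))
        self.entries.sort()  # entries are checked in sequence order

    def filter(self, vlan_list):
        self.vlans = parse_vlan_list(vlan_list)

    def decide(self, vlan, src_ip, acls):
        """Return the action for one packet, or 'not filtered' off-list."""
        if vlan not in self.vlans:
            return "not filtered"
        addr = ipaddress.ip_address(src_ip)
        for _, acl_name, action in self.entries:
            if any(addr in net for net in acls[acl_name]):
                return action
        return "drop"  # traffic matching no entry of an applied map is dropped


# Constructed ACL contents: tn1 permits one source range, ALL permits anything.
ACLS = {
    "tn1": [ipaddress.ip_network("10.1.0.0/16")],
    "ALL": [ipaddress.ip_network("0.0.0.0/0")],
}


def build_ge1(vlan_list="22-33", catch_all=False):
    """The map from answer B; sequence numbers 10 and 20 are assumed here."""
    vacl = VlanAccessMap("ge1")
    vacl.entry(10, "tn1", "redirect gigabitethernet 4/1")
    if catch_all:
        vacl.entry(20, "ALL", "forward")  # keeps other traffic flowing
    vacl.filter(vlan_list)
    return vacl


if __name__ == "__main__":
    ge1 = build_ge1()
    for vlan, src in [(22, "10.1.5.9"), (30, "192.0.2.7"), (40, "192.0.2.7")]:
        print(vlan, src, "->", ge1.decide(vlan, src, ACLS))
    print(30, "192.0.2.7", "->", build_ge1(catch_all=True).decide(30, "192.0.2.7", ACLS))
```

With the single-entry map, every packet in VLANs 22 through 33 that does not match tn1 is dropped, which is the side effect to check for before applying a redirect VACL to production VLANs.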

Question 25

What is accomplished by the command switchport port-security violation restrict?

A. The switch will generate a log message but will not block any packets.

B. The switch will drop packets that are in violation and generate a log message.

C. The switch will drop packets that are in violation, but not generate a log message.

D. The switch will shut down the interface when packets in violation are detected.

 


Suggested Answer: B

The command switchport port-security violation restrict drops packets that are in violation and generates a log message. The complete syntax of the command is:
switch(config-if)# switchport port-security violation restrict
The port security command is used to lock a port down to specific MAC addresses. The three keywords that can be used with this command are protect, restrict, and shutdown. The protect keyword tells the port to drop packets without generating a log message for packets that are in violation. The restrict keyword tells the port to drop packets and generates a log message for packets that are in violation. The shutdown keyword causes the port to be disabled if a violation is detected.
There is no option to generate a log message but not block any packets.
Objective: Infrastructure Security
Sub-Objective: Configure and verify switch security features
References:
Cisco > Catalyst 6500 Release 15.0SY Software Configuration Guide > Security > Port Security > How to Configure Port Security
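
The port-security behaviour described in Questions 5, 23 and 25, as an added example that is not part of the original explanations: a Python model of one secure port that replays a sequence of source MAC addresses under each violation mode. The MAC addresses other than those quoted in the questions are constructed, and address aging is not modelled, so every learned address keeps counting toward the maximum.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    maximum: int = 1             # one address when "maximum" was never configured
    violation: str = "shutdown"  # protect | restrict | shutdown
    static: set = field(default_factory=set)     # configured mac-address entries
    learned: list = field(default_factory=list)  # dynamically learned addresses
    log: list = field(default_factory=list)      # messages an operator would see
    errdisabled: bool = False

    def __post_init__(self):
        if self.violation not in ("protect", "restrict", "shutdown"):
            raise ValueError(f"unknown violation mode: {self.violation}")

    def receive(self, mac: str) -> str:
        """Process one frame by source MAC; return 'forward' or 'drop'."""
        if self.errdisabled:
            return "drop"  # stays down until an administrator re-enables it
        if mac in self.static or mac in self.learned:
            return "forward"
        if len(self.static) + len(self.learned) < self.maximum:
            self.learned.append(mac)  # room left: learn the new address
            return "forward"
        # The table is full and the address is unknown: a violation.
        if self.violation == "restrict":
            self.log.append(f"security violation by {mac}")
        elif self.violation == "shutdown":
            self.errdisabled = True
            self.log.append(f"security violation by {mac}, port err-disabled")
        # protect: drop silently, nothing is logged
        return "drop"


def replay(port, macs):
    """Feed a list of source MACs to the port and collect the decisions."""
    return [port.receive(mac) for mac in macs]


def question5_port():
    """Interface from Question 5: maximum 2, one static entry, shutdown mode."""
    return SecurePort(maximum=2, violation="shutdown", static={"0002.0002.0002"})


def five_address_port(mode):
    """Interface described in Question 23: maximum 5 with one static entry."""
    return SecurePort(maximum=5, violation=mode, static={"0006.0006.0006"})


# Constructed dynamic hosts: one more than the four free slots.
DYNAMIC_HOSTS = ["000a.000a.000a", "000b.000b.000b", "000c.000c.000c",
                 "000d.000d.000d", "000e.000e.000e"]

if __name__ == "__main__":
    p = question5_port()
    print("Q5:", replay(p, ["0003.0003.0003"]), "err-disabled:", p.errdisabled)
    for mode in ("protect", "restrict", "shutdown"):
        p = five_address_port(mode)
        print(mode, replay(p, DYNAMIC_HOSTS), "log:", p.log)
```

The protect run ends with an empty log even though a frame was dropped, which is why restrict or shutdown is the mode to choose when violations need to be visible to monitoring.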

Question 26

You have been asked to install and configure a new switch in a customer network. Use the console access to the existing and new switches to configure and verify correct device configuration.
 Image
 Image
 Image
 Image
 Image
Examine the VTP configuration. You are required to configure private VLANs for a new server deployment connecting to the SW4 switch. Which of the following configuration steps will allow creating private VLANs?

A. Disable VTP pruning on SW1 only

B. Disable VTP pruning on SW2 only

C. Disable VTP pruning on SW4 only

D. Disable VTP pruning on SW2, SW4 and New_Switch

E. Disable VTP pruning on New_Switch and SW4 only.

 


Suggested Answer: C

To create private VLANs, you will need to only disable pruning on the switch that contains the private VLANs. In this case, only SW4 will connect to servers in a private VLAN.

Question 27

Which AAA authorization method uses a vendor-neutral directory information protocol?

A. TACACS+

B. Kerberos

C. RADIUS

D. LDAP

 


Suggested Answer: D

 

Question 28

Which command configures an HSRP group to become a slave of another HSRP group?

A. standby slave

B. standby group track

C. standby follow

D. standby group backup

 


Suggested Answer: C

Perform this task to configure multiple HSRP client groups.
The “standby follow” command configures an HSRP group to become a slave of another HSRP group.
HSRP client groups follow the master HSRP with a slight, random delay so that all client groups do not change at the same time.
Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp_fhrp/configuration/15-mt/fhp-hsrp-mgo.html

Question 29

DRAG DROP -
Drag and drop the descriptions of switching technologies from the left onto the correct technologies on the right.
Select and Place:
 Image

 


Suggested Answer:
Correct Answer Image

 

Question 30

SIMULATION -
Instructions -
To configure a switch click on the console host icon in the topology.
You can click on the buttons below to view the different windows.
Each of the windows can be minimized by clicking on the [-]. You can also reposition a window by dragging it by the title bar.
Most commands that use the "Control" or "Escape" keys are not supported and are not necessary to complete this simulation. The help command does not display all commands of the help system.
Scenario:
You work for SWITCH.com. They have just added a new switch (SwitchB) to the existing network as shown in the topology diagram. You have been tasked with completing the needed configuring of SwitchA and SwitchB.
RouterA is currently configured correctly and is providing the routing function for devices on SwitchA and SwitchB. SwitchA is currently configured correctly, but will need to be modified to support the addition of SwitchB. SwitchB has a minimal configuration. SwitchA and SwitchB use Cisco as the enable password.
All interface commands must be entered at the physical interface level.
When entering the range command, add a space between the interface numbers (e.g., fa0/1-2)
Configuration Requirements for SwitchA
✑ The VTP and STP configuration models on Switch A should not be modified.
✑ SwitchA needs to be the root switch for vlans 11, 12, 13, 21, 22, and 23.
✑ All other vlans should be left at their default values.
Configuration Requirements for SwitchB
✑ Vlan21
- Name: Marketing
- will support two servers attached to fa0/9 and fa0/10
✑ Vlan22
- Name: Sales
- will support two servers attached to fa0/13 and fa0/14
✑ Vlan23
- Name: Engineering
- will support two servers attached to fa0/15 and fa0/16
✑ Access ports that connect to server should transition immediately to forwarding state upon detecting the connection of a device
✑ SwitchB VTP mode needs to be the same as SwitchA.
✑ SwitchB must operate in the same spanning tree mode as SwitchA.
✑ No routing is to be configured on SwitchB.
✑ Only the SVI Vlan 1 is to be configured and it is to use address 192.168.1.11/24.
Inter-switch Connectivity Configuration Requirements
✑ For operational and security reasons trunking should be unconditional and Vlans 1, 21, 22 and 23 should be tagged when traversing the trunk link.
✑ The two trunks between SwitchA and SwitchB need to be configured in a mode that allows for the maximum use of their bandwidth for all vlans. This mode should be done with a non-proprietary protocol, with SwitchA controlling activation.
✑ Propagation of unnecessary broadcasts should be limited using manual pruning on this trunk link.
 Image

 


Suggested Answer: Here are steps

(some lines have been removed)
Initial Configuration:
Reference Image
Solution:
SW-A (close to router)
Note: If Sw-A does not have Vlan 11, 12, 13 we have to create them first with command “SW-A(config)#vlan 11,12,13”
SW-A(config)#spanning-tree vlan 11-13,21-23 root primary
SW-A(config)#vlan 21
SW-A(config-vlan)#name Marketing
SW-A(config-vlan)#exit
SW-A(config)#vlan 22
SW-A(config-vlan)#name Sales
SW-A(config-vlan)#exit
SW-A(config)#vlan 23
SW-A(config-vlan)#name Engineering
SW-A(config-vlan)#exit
SW-A(config)#interface range fa0/3 - 4
SW-A(config-if-range)#no switchport mode access
SW-A(config-if-range)#no switchport access vlan 98 (These two commands must be deleted to form a trunking link)
SW-A(config-if-range)#channel-group 1 mode active
SW-A(config-if-range)#channel-protocol lacp
SW-A(config-if-range)#no shutdown
SW-A(config-if)#interface port-channel 1
SW-A(config-if)#switchport mode trunk
SW-A(config-if)#switchport trunk native vlan 99 //this command will prevent the “Native VLAN mismatched” error on both switches
SW-A(config-if)#switchport trunk allowed vlan 1,21-23
SW-A(config-if)#no shut
Note: When you apply commands under “interface port-channel 1”, the same commands will be automatically applied to the physical member interfaces (of port-channel 1) so you don’t need to type them under physical member interfaces again.
SW-B (far from router)
SW-B(config)#vlan 21
SW-B(config-vlan)#name Marketing
SW-B(config-vlan)#exit
SW-B(config)#vlan 22
SW-B(config-vlan)#name Sales
SW-B(config-vlan)#exit
SW-B(config)#vlan 23
SW-B(config-vlan)#name Engineering
SW-B(config-vlan)#exit
SW-B(config)#vlan 99
SW-B(config-vlan)#name TrunkNative // not necessary to name it but just name it same as SwitchA
SW-B(config-vlan)#exit
SW-B(config)#interface range fa0/9 - 10
SW-B(config-if-range)#switchport mode access
SW-B(config-if-range)#switchport access vlan 21
SW-B(config-if-range)#spanning-tree portfast
SW-B(config-if-range)#no shutdown
SW-B(config-if-range)#exit
SW-B(config)#interface range fa0/13 - 14
SW-B(config-if-range)#switchport mode access
SW-B(config-if-range)#switchport access vlan 22
SW-B(config-if-range)#spanning-tree portfast
SW-B(config-if-range)#no shutdown
SW-B(config-if-range)#exit
SW-B(config)#interface range fa0/15 - 16
SW-B(config-if-range)#switchport mode access
SW-B(config-if-range)#switchport access vlan 23
SW-B(config-if-range)#spanning-tree portfast
SW-B(config-if-range)#no shutdown
SW-B(config-if-range)#exit
SW-B(config)#vtp mode transparent
SW-B(config)#spanning-tree mode rapid-pvst //Same as Sw-A
SW-B(config)#ip default-gateway 192.168.1.1 (you can get this IP from SW-A with command show cdp neighbors detail)
SW-B(config)#interface vlan 1
SW-B(config-if)#ip address 192.168.1.11 255.255.255.0
SW-B(config-if)#no shutdown
SW-B(config-if)#exit
SW-B(config)#interface range fa0/3 - 4
SW-B(config-if-range)#channel-group 1 mode passive //mode passive because “SwitchA controlling activation”
SW-B(config-if-range)#channel-protocol lacp
SW-B(config-if-range)#no shutdown
SW-B(config-if)#interface port-channel 1
SW-B(config-if)#switchport trunk encapsulation dot1q
SW-B(config-if)#switchport mode trunk
SW-B(config-if)#switchport trunk native vlan 99 //this command will prevent the “Native VLAN mismatched” error on both switches
SW-B(config-if)#switchport trunk allowed vlan 1,21-23
SW-B(config-if)#no shut
Note: For Sw-B we have to set the 802.1q trunking protocol (switchport trunk encapsulation dot1q) before converting it into a trunk because it is a 3500 series (or higher) switch which supports both ISL and 802.1Q and we have to explicitly set which trunking protocol to be used. Sw-A is a 2900x series (or lower) switch and does not support ISL trunking protocol (802.1Q is the only supported trunking protocol) so we can apply “switchport mode trunk” directly.
Some guidelines for configuring SwitchA & SwitchB:
Configuration Requirements for SwitchA
Reference Image
Configuration Requirements for SwitchB
Reference Image
Inter-switch Connectivity Configuration Requirements:
Reference Image
Some notes for this sim:
+ You should check the initial status of both switches with these commands: show vtp status (transparent mode on switchA and we have to set the same mode on switchB), show spanning-tree [summary] (rapid-pvst mode on switchA and we have to set the same mode on switchB), show vlan (check the native vlan and the existence of vlan99), show etherchannel 1 port-channel and show ip int brief (check if Port-channel 1 has been created and make sure it is up), show run (to check everything again).
+ When using the “int range f0/x - y” command, hit the space bar before and after “-”, otherwise the simulator does not accept it.
+ You must create vlan 99 on SwitchB. SwitchA already has vlan 99 configured.
+ At the end, you can try to ping from SwitchB to RouterA (you can get the IP on RouterA via the show cdp neighbors detail on SwitchA), not sure if it can ping or not. If not, you can use the “ip default-gateway 192.168.1.1” on SwitchB.
+ The names of SwitchA and SwitchB can be swapped or changed, so be careful to put your configuration into the appropriate switch.

Question 31

You have been asked to install and configure a new switch in a customer network. Use the console access to the existing and new switches to configure and verify correct device configuration.
 Image
You are adding new VLANs, VLAN500 and VLAN600, to the topology in such a way that you need to configure SW1 as primary root for VLAN 500 and secondary for VLAN 600 and SW2 as primary root for VLAN 600 and secondary for VLAN 500. Which configuration step is valid?

A. Configure VLAN 500 & VLAN 600 on both SW1 & SW2

B. Configure VLAN 500 and VLAN 600 on SW1 only

C. Configure VLAN 500 and VLAN 600 on SW2 only

D. Configure VLAN 500 and VLAN 600 on SW1 ,SW2 and SW4

E. On SW2; configure vtp mode as off and configure VLAN 500 and VLAN 600; configure back to vtp server mode.

 


Suggested Answer: Explanation

By issuing the “show vtp status” command on SW1, SW2, and SW4 we see that both SW1 and SW2 are operating in VTP server mode, but SW4 is a client, so we will need to add both VLANs to SW1 and SW2.
Reference Image

Question 32

If a switch that is configured globally with DHCP snooping receives a packet that has DHCP option-82 set to 192.168.1.254, how does the switch handle the packet?

A. It forwards the packet normally

B. It sends a proxy ARP request for the MAC address of 192.168.1.254

C. It replaces the source IP address of the packet with its own management IP address and forwards the packet

D. It drops the packet

E. It removes the Option-82 information from the packet and forwards the packet

F. It replaces the source MAC address of the packet with its own MAC address and forwards the packet

 


Suggested Answer: A

 

Question 33

What command produces the output in the exhibit?
 Image

A. show port-security interface

B. show vlan private-vlan type

C. show port-security

D. show ip dhcp snooping C

 


Suggested Answer: Explanation

The exhibit displays the output of the show port-security command. This command is useful in verifying the reaction set for packets in violation. In the exhibit, Fa5/1 is configured to shut down if a violating packet is received. Port Fa5/5 is configured to drop violating packets and port Fa5/11 is configured to drop packets and generate a log message.
The output also indicates the number of secure MAC addresses permitted on each interface, the number of secure MAC addresses currently in use on the port, and how many security violations there have been.
The show port-security interface command shows the port security configuration on the specified interface. Below is an example of the command and its output:
Reference Image
In the example, seven MAC addresses are allowed on this interface. It can be seen that seven are now connected. Therefore, if one more user connects to the hub or switch connected to this port, the port will be placed into the err-disabled state and an SMTP trap message will be sent.
The show vlan private-vlan type command displays the private VLANs on the switch and indicates whether they are primary, isolated, or community VLANs. An example of the output is below:
Reference Image
In the output, VLAN 202 carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN. VLAN 303 carries traffic from isolated ports to a promiscuous port.
The show ip dhcp snooping command displays whether DHCP snooping is enabled, what VLANs it is configured for, and what ports are trusted DHCP ports. An example of the output is below:
Reference Image
The output indicates that:
The switch is defending against a DHCP spoofing attack (indicated by lines 2 and 3)
Two ports are trusted and one is not (shown in bottom table)
Option 82 (relay agent information) is only allowed on trusted ports (indicated by lines 4 and 5)
ARP spoofing is being monitored (indicated by line 6)
Objective: Infrastructure Security
Sub-Objective: Configure and verify switch security features
References:
Cisco > Support > show multicast protocols status through show rif > show port-security

Question 34

You have been asked to install and configure a new switch in a customer network. Use the console access to the existing and new switches to configure and verify correct device configuration.
 Image
Refer to the configuration. For which configured VLAN are untagged frames sent over trunk between SW1 and SW2?

A. VLAN1

B. VLAN 99

C. VLAN 999

D. VLAN 40

E. VLAN 50

F. VLAN 200

G. VLAN 300

 


Suggested Answer: B

The native VLAN is used for untagged frames sent along a trunk. By issuing the “show interface trunk” command on SW1 and SW2 we see the native VLAN is 99.
Reference Image

Question 35

What happens on a Cisco switch that runs Cisco IOS when an RSTP-configured switch receives 802.1d BPDU?

A. 802.1d does not understand RSTP BPDUs because they are different versions, but when a RSTP switch receives an 802.1d BPDU, it responds with an 802.1d BPDU and eventually the two switches run 802.1d to communicate.

B. 802.1d understands RSTP BPDUs because they are the same version, but when a RSTP switch receives a 802.1d BPDU, it responds with a 802.1d BPDU and eventually the two switches run 802.1d to communicate.

C. 802.1d does not understand RSTP BPDUs because they are different versions, but when a RSTP switch receives a 802.1d BPDU, it does not respond with a 802.1d BPDU.

D. 802.1d understands RSTP BPDUs because they are the same version, but when a RSTP switch receives a 802.1d BPDU, it does not respond with a 802.1d BPDU and eventually the two switches run 802.1d to communicate.

 


Suggested Answer: A

For backward compatibility with 802.1D switches, RSTP selectively sends 802.1D configuration BPDUs and TCN BPDUs on a per-port basis.
When a port is initialized, the migrate-delay timer is started (specifies the minimum time during which RSTP BPDUs are sent), and RSTP BPDUs are sent. While this timer is active, the switch processes all BPDUs received on that port and ignores the protocol type.
If the switch receives an 802.1D BPDU after the port migration-delay timer has expired, it assumes that it is connected to an 802.1D switch and starts using only 802.1D BPDUs. However, if the RSTP switch is using 802.1D BPDUs on a port and receives an RSTP BPDU after the timer has expired, it restarts the timer and starts using RSTP BPDUs on that port.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/spantree.html

Question 36

A network engineer wants to add a new switch to an existing switch stack. Which configuration must be added to the new switch before it can be added to the switch stack?

A. No configuration must be added.

B. stack ID

C. IP address

D. VLAN information

E. VTP information

 


Suggested Answer: A

Switch Stack Offline Configuration
(to supply a configuration to) a new switch before it joins the switch stack. You can configure in advance the stack member number, the switch type, and the interfaces associated with a switch that is not currently part of the stack. The configuration that you create on
.
global configuration command. The provisioned configuration is automatically created when a switch is added to a switch stack and when no provisioned configuration exists.
When you configure the interfaces associated with a provisioned switch (for example, as part of a VLAN), the switch stack accepts the configuration, and the information appears in the running configuration. The interface associated with the provisioned switch is not active, operates as if it is administratively shut down, and the no shutdown interface configuration command does not return it to active service. The interface associated with the provisioned switch does not appear in the display of the specific feature; for example, it does not appear in the show vlan user EXEC command output.
The switch stack retains the provisioned configuration in the running configuration whether or not the provisioned switch is part of the stack. You can save the provisioned configuration to the startup configuration file by entering the copy running-config startup-config privileged EXEC command. The startup configuration file ensures that the switch stack can reload and can use the saved information whether or not the provisioned switch is part of the switch stack.
Effects of Adding a Provisioned Switch to a Switch Stack
When you add a provisioned switch to the switch stack, the stack applies either the provisioned configuration or the default configuration.
Table 5-1 lists the events that occur when the switch stack compares the provisioned configuration with the provisioned switch.
Reference Image
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swstack.html

Question 37

Which two operational attributes can be checked for EtherChannel ports that are in err-disabled state?

A. Port mode

B. Port cost

C. Duplex

D. DTP

E. VLAN

 


Suggested Answer: CE

 

Question 38

Your customer has asked you to come in and verify the operation of routers R1 and R2 which are configured to use HSRP. They have questions about how these two devices will perform in the event of a device failure.
 Image
What percentage of the outgoing traffic from the 172.16.10.0/24 subnet is being forwarded through R1?

A. R1-0%

B. R1-50 %, R2-50%

C. R2-100%

D. R1-100%

 


Suggested Answer: D

Based on the following output, we see that R1 is the active standby router for the Ethernet 0/0 link, so all outgoing traffic will be forwarded to R1.
Reference Image

Question 39

You have been asked to install and configure a new switch in a customer network. Use the console access to the existing and new switches to configure and verify correct device configuration.
 Image
Examine the VTP configuration. You are required to configure private VLANs for a new server deployment connecting to the SW4 switch. Which of the following configuration steps will allow creating private VLANs?

A. Disable VTP pruning on SW1 only

B. Disable VTP pruning on SW2 only

C. Disable VTP pruning on SW4 only

D. Disable VTP pruning on SW2, SW4 and New_Switch

E. Disable VTP pruning on New_Switch and SW4 only.

 


Suggested Answer: C

To create private VLANs, you will need to only disable pruning on the switch that contains the private VLANs. In this case, only SW4 will connect to servers in a private VLAN.
Topic 2, Infrastructure Security

Question 40

Which port will the spanning-tree algorithm select as a bridge's root port?

A. The first port on the root bridge to receive an STP packet

B. The port through which the root bridge can be reached with the lowest-cost path

C. The port through which the root bridge can be reached with the lowest-value interface identifier

D. The port through which the root bridge can be reached with the highest-value interface identifier

 


Suggested Answer: B

Root ports are ports that are in the forwarding state and provide connectivity to the root bridge. The port through which the root bridge can be reached with the lowest-cost path is the root port. All the ports on the root bridge (the bridge with the lowest bridge ID) are in the forwarding state and are referred to as designated ports.
Bridges and switches use the Spanning-Tree Protocol (STP) to prevent network loops. Without a loop-avoidance service on the network, Layer 2 devices, in certain situations, will endlessly flood broadcasts. An STP-enabled device recognizes a loop in the topology and blocks one or more redundant paths, preventing the loop. STP allows the switches to continually explore the network so that the loss or addition of a switch or bridge is also quickly discovered. STP is enabled by default on Catalyst switches.
For example, if two switches have an active connection between them that is forwarding traffic and a second link is connected between the same two switches, one of the two switch ports will go into a blocking state when BPDUs are received on the link. This helps to ensure that a loop does not form using the redundant connections. In some situations, heavy traffic may prevent the reception of BPDUs when the second link is put in place, and in that case, a loop may still form.
The root port is not selected based on the first port to receive an STP packet on the root bridge. Neither is it based on the lowest or highest interface identifier values.
Note: In some situations, there may be two ports with equal cost to the root bridge. When this occurs, the port with the lowest port number becomes the root port.
Objective: Layer 2 Technologies
Sub-Objective: Configure and verify spanning tree
References:
Catalyst 6500 Release 12.2SXF and Rebuilds Software Configuration Guide > Configuring STP and IEEE 802.1s MST > Creating the Spanning Tree Topology
Cisco > Support > Configuring Spanning Tree Protocol > How STP Works

Question 41

Which of the following statements best describes the purpose of ARP with respect to CEF?

A. ARP is used to build the FIB.

B. ARP is used to reindex the routing table.

C. ARP is used to build the adjacency table.

D. ARP is used to decrease the amount of time spent searching for an entry within a routing table.

 


Suggested Answer: C

Address Resolution Protocol (ARP) is used by Cisco Express Forwarding (CEF) to build the adjacency table. CEF is the switching method used by Catalyst switches. Unlike traditional multilayer switching (MLS), which merely caches Layer 3 information received when traffic passes through a switch, CEF attempts to optimize the routing process by reindexing the routing table and then building an adjacency table based on the routing table information. The type of MLS performed by CEF is called topology-based switching; traditional MLS is known as route caching, demand-based switching, and flow-based switching.
The routing table is reindexed by using a binary search method. The reindexed routing table is called the forwarding information base (FIB). Reindexing the routing table reduces the amount of time spent searching for an entry within a routing table.
After the FIB is created, an adjacency table is created to map the appropriate Layer 2 next-hop address or addresses to each FIB entry. ARP is used to retrieve the Layer 2 address information. If multiple Layer 2 next-hop addresses are available for an entry in the FIB, then CEF can employ load balancing for packets headed to that destination.
The final result is a single database of routing information (FIB) is built for the switching hardware.
Two extremely useful commands for verifying CEF are:
show ip cef network address – displays entries in the forwarding information base (FIB)
show adjacency detail | begin adjacency address – shows information about a specific adjacency in the adjacency table
Both commands are shown below with explanations.
SwitchA# show ip cef 192.168.6.0
192.168.6.0/24, version 302, cached adjacency 192.168.166.5, 0 packets, 0 bytes
Via 192.168.166.5, VLAN 185, 0 dependencies
Next-hop 192.168.166.5, VLAN 185
Valid cached adjacency
Above it can be determined that there is a valid CEF entry for the destination network 192.168.6.0 and that there is a valid cached adjacency to the 192.168.166.5 next hop IP address.
In the command output below, it can be determined that 005565946856 is the MAC address of the 192.168.166.5 next-hop address:
SwitchA# show adjacency detail | begin 192.168.166.5
IP VLAN 185 192.168.166.5(6) 0 packets, 0 bytes
005565946856
Objective: Layer 2 Technologies
Sub-Objective: Configure and verify switch administration
References:
Cisco > Cisco IOS IP Switching Configuration Guide, Release 12.4 > Part 1: Cisco Express Forwarding > Cisco Express Forwarding Overview > Cisco Express Forwarding Adjacency Tables Overview
Cisco > Cisco IOS IP Switching Command Reference > show adjacency through show ipv6 cef with source > show adjacency
Cisco > Cisco IOS IP Switching Command Reference > show adjacency through show ipv6 cef with source > show ip cef

Question 42

Which statement about HSRP, GLBP, and VRRP is true?

A. VRRP group members communicate using multicast address 224.0.0.102.

B. MAC address 0000.0c07.ac0c indicates that default gateway redundancy is provided through GLBP.

C. HSRP group members communicate using multicast address 224.0.0.18.

D. GLBP uses UDP port 3222 (source and destination) for hello messages.

E. MAC address 0c07.A698.8904 indicates that default gateway redundancy is provided through HSRP.

 


Suggested Answer: D

 

Question 43

Which two features can you configure on an access port? (Choose two)

A. QinQ

B. portfast

C. voice VLAN

D. STP mode

E. 802.1q

 


Suggested Answer: BC

 

Question 44

What is the benefit of UDLD?

A. provides backup for fiber

B. help in preventing loops

C. removes loops

D. determines switch path

 


Suggested Answer: B

 

Question 45

By default, which VLAN is the Cisco management VLAN?

A. 1

B. 0

C. 1001

D. 1005

 


Suggested Answer: A

Cisco uses VLAN1 as the default management VLAN.
All ports are automatically assigned to VLAN1. Cisco Discovery Protocol (CDP) and VLAN Trunking Protocol (VTP) advertisements are transmitted on VLAN1.
VLAN1 is the management VLAN and is used for administration. It cannot be deleted or pruned from a trunk line.
The VLAN IDs that are implemented can vary based on whether the trunk implementation is Cisco’s Inter-Switch Link (ISL) or the IEEE 802.1Q standard.
The following is a summary of the VLAN IDs:
0 and 4095 – Reserved
1 – Cisco default management
2-1001 – Available for Ethernet VLANs
1002-1005 – Defaults for FDDI and Token Ring VLANs
1006-4094 – Extended range available for Ethernet VLANs (802.1Q only)
Objective: Layer 2 Technologies
Sub-Objective: Configure and verify VLANs
References:
Cisco > Support > Technology Support > LAN Switching > Layer-Three Switching and Forwarding > Configure > Configuration Examples and Technotes > How To Configure InterVLAN Routing on Layer 3 Switches

Question 46

Image
Refer to the exhibit. Which two statements about the spanning-tree operation of this switch are true? (Choose two.)

A. The spanning-tree mode stp ieee command was entered on this switch

B. The spanning-tree operation mode for this switch is PVST.

C. The switch is operating in the default Cisco spanning-tree mode.

D. The spanning-tree operation mode for this switch is IEEE.

E. The spanning-tree operation mode for this switch is PVST+.

 


Suggested Answer: BC

 

Question 47

Which three methods can be used to manage Cisco APs that are running autonomously? (Choose three.)

A. WLSE

B. WLC

C. WCS

D. CLI

E. Web interface

 


Suggested Answer: ADE

The three methods that can be used to manage autonomous APs are WLSE, CLI, and web interfaces. Autonomous access points (APs) maintain their management functionality and can be connected directly and configured. The wireless LAN solution engine (WLSE) allows for centralized coordination of autonomous APs. The WLSE can also work in coordination with another Cisco service, wireless domain services (WDS). The WDS enables the APs to provide fast, secure roaming between APs. The WDS registers all client devices in the subnet, establishes session keys for them, and caches their security credentials.
When a client roams to another access point, the WDS device forwards the client’s security credentials to the new access point.
Wireless LAN controller (WLC) is a physical controller that provides centralized control of a WLAN environment. APs that are being managed by a WLC function in lightweight mode.
Wireless control system (WCS) is a software package that allows for management of a WLAN environment, managing one or multiple WLCs. APs managed by WCS function in lightweight mode.
Objective: Layer 2 Technologies
Sub-Objective: Configure and verify other LAN switching technologies
References:
Cisco > Products and Services > Cloud and Systems Management > End-of-sale and End-of-life products > CiscoWorks Wireless LAN Solution Engine (WLSE) > Data sheets and literature > Data sheets > CiscoWorks Wireless LAN Solution Engine 2.13

Question 48

Which three restrictions of port security features are true? (Choose three.)

A. It is not supported on EtherChannel port-channel interfaces.

B. Static MAC address assignments are not supported.

C. It is not supported on destination SPAN ports.

D. It is not supported on PVLAN ports.

E. A single device supports up to two sticky MAC addresses.

 


Suggested Answer: ABC

Follow these guidelines when configuring port security:
• A secure port cannot be a trunk port.
• A secure port cannot be a destination port for Switch Port Analyzer (SPAN).
• A secure port cannot belong to an EtherChannel port-channel interface.
• A secure port and static MAC address configuration are mutually exclusive.
Reference:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.pdf

Question 49

Refer to the exhibit. Which two statements correctly indicate when an SNMP trap is set to the switch? (Choose two.)
 Image

A. When a new workstation connects to port F0/1

B. When 61 MAC addresses are in the switch

C. When 61 percent of the Address table capacity is used

D. When the switch loses power and reboots

E. When the phone previously on Fa0/2 is now connected to Fa0/5

 


Suggested Answer: CE

 

Question 50

A network engineer must implement Ethernet links that are capable of transporting frames and IP traffic for different broadcast domains that are mutually isolated. Consider that this is a multivendor environment. Which Cisco IOS switching feature can be used to achieve the task?

A. PPP encapsulation with a virtual template

B. Link Aggregation Protocol at the access layer

C. dot1q VLAN trunking

D. Inter-Switch Link

 


Suggested Answer: C

Here the question asks for transporting “frames and IP traffic for different broadcast domains that are mutually isolated”, which is basically a long way of saying VLANs, so trunking is needed to carry VLAN information. There are 2 different methods for trunking, 802.1Q and ISL. Of these, only 802.1Q is supported by multiple vendors since ISL is a Cisco proprietary protocol.

Access Full 300-115 Dump Free

Looking for even more practice questions? Click here to access the complete 300-115 Dump Free collection, offering hundreds of questions across all exam objectives.

We regularly update our content to ensure accuracy and relevance—so be sure to check back for new material.

Begin your certification journey today with our 300-115 dump free questions — and get one step closer to exam success!
