
642-813 Q&A – Implement Switch based Layer 3 services (11-15)

Section 3 – Implement Switch based Layer 3 services, given a network design and a set of requirements

QUESTION NO: 11
Which statement is true about the Forward Information Base (FIB) table?
A. The FIB is derived from the IP routing table and is optimized for maximum lookup throughput.
B. The FIB table is derived from the Address Resolution Protocol table, and it contains Layer 2 rewrite (MAC) information for the next hop.
C. When the FIB table is full, a wildcard entry redirects traffic to the Layer 3 engine.
D. The FIB lookup is based on the Layer 2 destination MAC address.
Answer: A

Explanation:
The Layer 3 engine (essentially a router) maintains routing information, whether from static routes or dynamic routing protocols. Basically, the routing table is reformatted into an ordered list with the most specific route first, for each IP destination subnet in the table. The new format is called a Forwarding Information Base (FIB) and contains routing or forwarding information that the network prefix can reference.
In other words, a route to 10.1.0.0/16 might be contained in the FIB, along with routes to 10.1.1.0/24 and 10.1.1.128/25, if those exist. Notice that these examples are increasingly more specific subnets. In the FIB, these would be ordered with the most specific (longest match) first, followed by less specific subnets. When the switch receives a packet, it can easily examine the destination address and find the longest-match entry in the FIB.
The FIB also contains the next-hop address for each entry. When a longest match entry is found in the FIB, the Layer 3 next-hop address is found, too.
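As an added illustration (not from the page or from Cisco), the following Python code reformats a constructed routing table holding the three prefixes above, plus a default route and made-up next hops, into a most-specific-first FIB and performs the longest-match lookup the explanation describes.

```python
import ipaddress

# Constructed routing table (prefix, next hop): the three prefixes from the
# explanation plus a default route. The next-hop addresses are made up.
ROUTING_TABLE = [
    ("10.1.0.0/16", "192.168.1.1"),
    ("10.1.1.0/24", "192.168.1.2"),
    ("10.1.1.128/25", "192.168.1.3"),
    ("0.0.0.0/0", "192.168.1.254"),
]

def build_fib(routes):
    """Reformat the routing table into a FIB: an ordered list with the most
    specific prefix (longest mask) first, each entry keeping its next hop."""
    fib = [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in routes]
    fib.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return fib

def fib_lookup(fib, destination):
    """Walk the FIB in order; the first entry containing the destination is the
    longest match, so prefix and Layer 3 next hop are found in one pass."""
    addr = ipaddress.ip_address(destination)
    for prefix, next_hop in fib:
        if addr in prefix:
            return str(prefix), next_hop
    return None  # no matching route (only possible without a default route)

if __name__ == "__main__":
    fib = build_fib(ROUTING_TABLE)
    for dst in ("10.1.1.200", "10.1.1.5", "10.1.2.1", "172.16.0.1"):
        print(dst, "->", fib_lookup(fib, dst))
```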

QUESTION NO: 12
Refer to the exhibit. Host A and Host B are connected to the Catalyst 3550 switch and have been assigned to their respective VLANs. The rest of the 3550 configuration is the default configuration. Host A is able to ping its default gateway, 10.10.10.1, but is unable to ping Host B. Given the output displayed in the exhibit, which statement is true?

A. HSRP must be configured on SW1.
B. A separate router is required to support interVLAN routing.
C. Interface VLAN 10 must be configured on the SW1 switch.
D. The global config command ip routing must be configured on the SW1 switch.
E. VLANs 10 and 15 must be created in the VLAN database mode.
F. VTP must be configured to support interVLAN routing.
Answer: D
Explanation:
To transport packets between VLANs, you must use a Layer 3 device. Traditionally, this has been a router’s function. The router must have a physical or logical connection to each VLAN so that it can forward packets between them. This is known as interVLAN routing. Multilayer switches can perform both Layer 2 switching and interVLAN routing, as appropriate.
Layer 2 switching occurs between interfaces that are assigned to Layer 2 VLANs or Layer 2 trunks. Layer 3 switching can occur between any type of interface, as long as the interface can have a Layer 3 address assigned to it.
The Switch(config)# ip routing command enables routing on a Layer 3 switch.

QUESTION NO: 13
Which of the following could be used to provide a Layer 3 data path between separate VLANs? (Choose two.)
A. VLAN trunking
B. An external router
C. An internal route processor
D. VLAN capable bridge
E. EtherChannel
Answer: BC
Explanation:
To transport packets between VLANs, you must use a Layer 3 device. Traditionally, this has been a router’s function. The router must have a physical or logical connection to each VLAN so that it can forward packets between them. This is known as interVLAN routing.
InterVLAN routing can be performed by an external router that connects to each of the VLANs on a switch. Separate physical connections can be used, or the router can access each of the VLANs through a single trunk link.

QUESTION NO: 14
You are configuring a Cisco multilayer switch for the Pass4sure network. Which command would you use to configure a port to act as a routed interface?
A. ip routing
B. switchport mode trunk
C. no switchport
D. switchport trunk native vlan 1
E. None of the other alternatives apply
Answer: C
Explanation:
Physical switch ports can also operate as Layer 3 interfaces, where a Layer 3 network address is assigned and routing can occur. Figure 13-2 shows an example of this. By default, all switch ports on the Catalyst 6500 (native IOS) platforms operate in the Layer 3 mode. For Layer 3 functionality, you must explicitly configure switch ports with the following command sequence:

Switch(config)# interface type mod/num
Switch(config-if)# no switchport
Switch(config-if)# ip address ip-address mask [secondary]

The no switchport command takes the port out of Layer 2 operation. You can then assign a network address to the port, as you would to a router interface.

QUESTION NO: 15
What is one method that can be used to prevent VLAN hopping?
A. Configure ACLs.
B. Enforce username/password combinations.
C. Configure all frames with two 802.1Q headers.
D. Explicitly turn off Dynamic Trunking Protocol (DTP) on all unused ports.
E. Configure VACLs.
Answer: D
Explanation:
When securing VLAN trunks, also consider the potential for an exploit called VLAN hopping. Here, an attacker positioned on one access VLAN can craft and send frames with spoofed 802.1Q tags so that the packet payloads ultimately appear on a totally different VLAN, all without the use of a router.
For this exploit to work, the following conditions must exist in the network configuration:
The attacker is connected to an access switch port.
The same switch must have an 802.1Q trunk.
The trunk must have the attacker’s access VLAN as its native VLAN.
To prevent VLAN hopping, turn off Dynamic Trunking Protocol on all unused ports.
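As an added example (not from the page or from Cisco), this Python audit checks a constructed running-config excerpt for the three conditions listed above and for the mitigation in answer D. It assumes that a port with no explicit switchport mode is still negotiating via DTP, and it recognises the IOS command switchport nonegotiate as the per-port way to disable DTP; neither the excerpt nor the port names come from the page's exhibit.

```python
import re

# Constructed `show running-config` excerpt (not the page's exhibit): access, unused, trunk.
RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
interface FastEthernet0/2
 description unused, left at defaults
interface GigabitEthernet0/1
 switchport trunk native vlan 10
 switchport mode trunk
"""

def parse_interfaces(config):
    """Return {interface: settings}; VLAN 1 is the IOS default for access and native VLAN."""
    ports, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = ports[m.group(1)] = dict(mode=None, access_vlan=1, native_vlan=1,
                                          nonegotiate=False, shutdown=False)
        elif cur is None:
            continue  # ignore anything before the first interface stanza
        elif line.startswith("switchport mode "):
            cur["mode"] = line.split()[2]          # access, trunk or dynamic
        elif (m := re.match(r"switchport access vlan (\d+)", line)):
            cur["access_vlan"] = int(m.group(1))
        elif (m := re.match(r"switchport trunk native vlan (\d+)", line)):
            cur["native_vlan"] = int(m.group(1))
        elif line == "switchport nonegotiate":    # DTP disabled on this port
            cur["nonegotiate"] = True
        elif line == "shutdown":
            cur["shutdown"] = True
    return ports

def audit(ports):
    """List (interface, finding) pairs for the VLAN-hopping preconditions."""
    findings = []
    access_vlans = {p["access_vlan"] for p in ports.values() if p["mode"] == "access"}
    for name, p in ports.items():
        if p["shutdown"]:
            continue  # a shut port cannot negotiate a trunk
        # Assumption: no explicit switchport mode means the port still negotiates via DTP.
        if p["mode"] in (None, "dynamic") and not p["nonegotiate"]:
            findings.append((name, "DTP negotiation enabled; set mode access and nonegotiate, or shut down"))
        if p["mode"] == "trunk" and p["native_vlan"] in access_vlans:
            findings.append((name, f"native VLAN {p['native_vlan']} is also an access VLAN"))
    return findings
```

Running audit(parse_interfaces(RUNNING_CONFIG)) flags the unused port and the trunk; hardening the unused port and moving the trunk's native VLAN off VLAN 10 clears both findings.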

4 thoughts on “642-813 Q&A – Implement Switch based Layer 3 services (11-15)”

  1. bquantz1981 says:

    Shouldn’t question 15 be E? DTP would be off if it was an access port.

    1. Buzzark says:

      No, D is correct. The question doesn’t give any config information about the switch, so an access port cannot be assumed.
      The default config for a port, unless specifically set, is that a switchport will try and negotiate as a trunk. A PC plugged into the port can emulate a trunking port and use this to VLAN hop by tagging packets accordingly, thereby sending data into any VLAN available. As the originating port is layer 2, the switch will return responses back out of this trunk, assuming it is just passing packets onto another switch to reach the host. The attacker is both the “switch” and the host.

  2. bquantz1981 says:

    I believe this would apply to questions 1 and 5 also.
