Switching and Routing Final Exam Mock Review: Key Insights and Essential Preparation Tips for Success
Author: Loh Yu En
Prepare to ace your Switching and Routing final exam with this detailed mock review, covering crucial network configurations, VLAN setups, EtherChannel issues, and Layer 2 security defenses. This guide breaks down common exam questions and offers insights to make sure you are ready for every challenge.
In this blog post, we’ll walk you through four key topics often seen in Switching and Routing final exams, offering a comprehensive mock review. You’ll learn how to:
- Identify the root cause of connectivity issues in network setups.
- Troubleshoot and rectify VLAN communication problems.
- Handle EtherChannel configurations and prevent link failures.
- Understand and mitigate common Layer 2 security threats.
Each section provides valuable insights and preparation tips to help you tackle these topics confidently and improve your chances of exam success.
---------------------------------------------------------------------------------------------------------------------------
Q1 Network Troubleshooting and Connectivity Issues
Explore the typical problems that arise in network configurations and learn how to diagnose and solve them effectively.
a) Given the exhibit above, label/identify the following: Root Bridge, Designated Ports, Root Port, Alternate Port.
(10 Marks)
Root Bridge:
- SWITCH-1 is the Root Bridge. STP elects the switch with the lowest Bridge ID (bridge priority first, then MAC address). Both switches use priority 32769, so the MAC address decides. Read the MAC addresses off the exhibit exactly as printed: as they are quoted in this review (SWITCH-1 = 32769:1111:1111:1111, SWITCH-5 = 32769:1111:1111:1110) the lower value would belong to SWITCH-5, and a one-digit difference in the last octet is enough to change the result.
Designated Ports:
- Every port on the root bridge is a Designated Port; on every other segment, the Designated Port is the port belonging to the switch with the lowest cost to the root.
- SWITCH-1: Fa0/4 and Fa0/10 are Designated Ports, because both links terminate on the root bridge.
Root Port:
- Each non-root switch has exactly one Root Port: the port with the lowest path cost to the Root Bridge.
- SWITCH-5: Fa0/5 is the Root Port, since it gives SWITCH-5 its best path to SWITCH-1 (the Root Bridge).
Alternate Port:
- An Alternate Port receives superior BPDUs from another switch and is held in the discarding (blocking) state; it takes over as Root Port if the current Root Port fails.
- SWITCH-5: Fa0/9 is the Alternate Port. It offers a second path to SWITCH-1 and stays discarding while Fa0/5 is up.
b) Briefly explain why the specified switch in the exhibit above is chosen as the "Root Bridge".
(4 Marks)
SWITCH-1 is chosen as the Root Bridge because it has the lowest Bridge ID. In Spanning Tree Protocol (STP) the Bridge ID is the bridge priority (with the extended system ID, so 32769 = 32768 + VLAN 1) followed by the switch's MAC address, and the lowest value wins. Since both switches use priority 32769, the tiebreaker is the MAC address portion, and the switch with the numerically lower MAC becomes the Root Bridge. Check the MAC addresses against the exhibit when answering: as quoted in this review (1111:1111:1111 for SWITCH-1, 1111:1111:1110 for SWITCH-5) the lower value would be SWITCH-5's, so take the figures exactly as printed, because the last digits decide the election.
c) Discuss how root port and alternate port are being elected in the exhibit above.
(6 Marks)
Root Port Election: Each non-root switch picks the port with the lowest root path cost as its Root Port. SWITCH-5 has two direct links to SWITCH-1: Fa0/5 (to Fa0/4 on SWITCH-1) and Fa0/9 (to Fa0/10 on SWITCH-1). If both are FastEthernet, each link has the same cost (19 with the 802.1D short path-cost method), so cost alone cannot decide. The next tiebreakers are the sender's Bridge ID, which is identical here because both BPDUs come from SWITCH-1, and then the sender's Port ID. SWITCH-1's Fa0/4 has a lower port number than Fa0/10, so the BPDU arriving on Fa0/5 is superior and Fa0/5 becomes the Root Port.
Alternate Port Election: The port that loses this comparison still receives superior BPDUs from the root, so it cannot become designated; it takes the Alternate Port role and is held in the discarding state. On SWITCH-5 that is Fa0/9. If Fa0/5 goes down, Fa0/9 moves to the Root Port role, immediately with RSTP or after the listening and learning delays with classic STP.
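To make the election rules concrete, here is an added Python model of the root-bridge and root-port election (editorial example code, not part of the original post or any vendor software). The switch names and port numbers follow the exhibit; the MAC addresses are constructed so that SWITCH-1 holds the lower one, and the default cost of 19 assumes FastEthernet with the 802.1D short path-cost method.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int   # bridge priority incl. extended system ID, e.g. 32769 = 32768 + VLAN 1
    mac: str        # dotted hex, e.g. "1111.1111.1110" (constructed values below)

    @property
    def bridge_id(self):
        # Comparable tuple: priority first, then the MAC as a number. Lowest wins.
        return (self.priority, int(self.mac.replace(".", ""), 16))


@dataclass(frozen=True)
class Link:
    a: str          # switch name on side A
    a_port: int     # port number on side A (Fa0/4 -> 4)
    b: str
    b_port: int
    cost: int = 19  # 802.1D short path cost for FastEthernet


def elect_root(bridges):
    """The switch with the lowest (priority, MAC) Bridge ID is the root."""
    return min(bridges, key=lambda br: br.bridge_id).name


def elect_root_port(switch, root, links, port_priority=128):
    """Root port of `switch` over its direct links to `root`.

    Tiebreak order per 802.1D/802.1w: lowest path cost, lowest sender Bridge ID,
    lowest sender Port ID (priority, number), lowest receiver Port ID.
    Returns (root_port_number, [alternate_port_numbers]).
    """
    ranked = []
    for link in links:
        if {link.a, link.b} != {switch.name, root.name}:
            continue  # only direct links between the two switches are modelled
        if link.a == switch.name:
            my_port, sender_port = link.a_port, link.b_port
        else:
            my_port, sender_port = link.b_port, link.a_port
        key = (link.cost, root.bridge_id, (port_priority, sender_port), (port_priority, my_port))
        ranked.append((key, my_port))
    ranked.sort()
    return ranked[0][1], [port for _, port in ranked[1:]]


# Constructed data matching the exhibit's labelling (MACs are assumptions).
SW1 = Bridge("SWITCH-1", 32769, "1111.1111.1110")
SW5 = Bridge("SWITCH-5", 32769, "1111.1111.1111")
LINKS = [
    Link("SWITCH-1", 4, "SWITCH-5", 5),    # Fa0/4 <-> Fa0/5
    Link("SWITCH-1", 10, "SWITCH-5", 9),   # Fa0/10 <-> Fa0/9
]

if __name__ == "__main__":
    print("root:", elect_root([SW1, SW5]))
    print("SWITCH-5 root port, alternates:", elect_root_port(SW5, SW1, LINKS))
```

Changing the cost of one link (for example a gigabit link with cost 4) shows that path cost is compared before the port-ID tiebreaker, and lowering SWITCH-5's priority shows that priority is compared before the MAC address.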
---------------------------------------------------------------------------------------------------------------------------
Q2 EtherChannel Setup and Troubleshooting
Understand how an EtherChannel bundle is formed, what to verify before configuring one, and how the bundle behaves when a member link fails.
a) Given the following exhibit above, identify the problem and consequence of the above configuration and state the possible solution to rectify the issue.
(10 Marks)
Problem:
The exhibit shows an EtherChannel being created on S1 by bundling Fa0/1 to Fa0/4, but nothing equivalent on S2 and S3. EtherChannel must be configured at both ends of a link: the peer has to bundle the matching physical interfaces with a compatible channel-group mode. With S1 bundled and S2/S3 left as individual ports, the two sides disagree about what the link is, which is a mismatch.
Consequence:
S1 runs STP on one logical Port-channel interface, while S2 and S3 run STP on each physical port independently. The two sides make inconsistent forwarding decisions across the member links, giving forwarding loops, MAC addresses flapping between ports, and traffic being dropped or black-holed, so the network becomes unstable and loses packets. Where EtherChannel misconfiguration guard is enabled (the default on current Catalyst software), the switch that detects the mismatch err-disables the member ports instead, which takes the whole link down.
Solution:
Configure EtherChannel on both sides of the connection, so that the matching interfaces on S2 and S3 are placed in a channel-group with a compatible mode: LACP (active/passive), PAgP (desirable/auto), or on mode at both ends for a static bundle. Both switches then treat the links as a single logical Port-channel interface.
b) As a new network administrator, you have been asked to configure the EtherChannel in one of the network sections. Discuss FOUR (4) current conditions that you need to verify before you start with the configurations.
(8 Marks)
Port Configuration Consistency: Every member port must have identical settings: speed, duplex, switchport mode (access or trunk), access VLAN or native VLAN and allowed-VLAN list, and STP port settings. If any of these differ, the mismatched port is excluded from the bundle or the channel fails to form.
Supported Interfaces: Verify that the interfaces being bundled support EtherChannel. Not all interfaces may be eligible, especially if they are part of different hardware modules or if they have incompatible features (e.g., mismatched speeds or technologies like copper vs. fiber).
Same EtherChannel Protocol: Ensure both ends are configured with the same EtherChannel protocol—either LACP (Link Aggregation Control Protocol) or PAgP (Port Aggregation Protocol). If EtherChannel is configured to use a protocol on one end and not on the other, the channel won’t form.
Maximum Number of Links: Check the switch’s hardware specifications to verify the maximum number of physical links that can be bundled into one EtherChannel group. Most switches have a limit (typically 8 links) that can be aggregated per EtherChannel.
c) The administrator has combined "3 Cat-5" cables in one EtherChannel port that links between S1 and S2. He then noticed that one of the physical interfaces of the trunk link has changed to "down" state. Briefly explain what will happen to the EtherChannel creation.
(7 Marks)
- EtherChannel Still Operational: The Port-channel stays up as long as at least one member link is up. Frames that the load-balancing hash had mapped to the failed link are redistributed across the remaining active links.
- Reduced Bandwidth: With one of three 100 Mbps links down, the aggregate bandwidth drops from 300 Mbps to 200 Mbps (Cat-5 cabling supports Fast Ethernet). A single flow is still limited to one member link's speed, because the hash pins each flow to one link.
- Automatic Recovery: When the link comes back up it is re-added to the bundle, after LACP/PAgP renegotiation if a negotiating mode is used, and full bandwidth returns without manual intervention.
- EtherChannel therefore provides fault tolerance: losing one member does not bring down the channel, and STP sees no topology change because the logical Port-channel interface never went down.
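The checks from parts a) and b) can be run against both ends' configurations before anyone types channel-group. The Python pre-check below is an added example, not code from the post or from any vendor: it parses IOS-style interface stanzas, verifies that the members on each side are configured identically, and checks that the two channel-group modes will actually negotiate. The configuration snippets are constructed, and the 8-link limit is an assumption to confirm against the platform.

```python
import re

# (local, remote) mode pairs that form a bundle. Anything else, including
# 'on' against a negotiating mode or a port with no channel-group, fails.
COMPATIBLE = {
    ("on", "on"),
    ("active", "active"), ("active", "passive"), ("passive", "active"),        # LACP
    ("desirable", "desirable"), ("desirable", "auto"), ("auto", "desirable"),  # PAgP
}
MAX_LINKS = 8                # assumed per-bundle limit; confirm on the platform data sheet
IGNORED = ("description",)   # per-port text that may legitimately differ


def parse_members(config):
    """Return {interface: {'group', 'mode', 'settings'}} for interfaces that
    carry a channel-group line; all other interface lines become 'settings'."""
    attrs, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split()[1]
            attrs[cur] = {"settings": set()}
        elif cur is not None and line and not line.startswith(IGNORED):
            m = re.match(r"channel-group (\d+) mode (\S+)", line)
            if m:
                attrs[cur]["group"], attrs[cur]["mode"] = m.group(1), m.group(2)
            else:
                attrs[cur]["settings"].add(line)
    return {i: a for i, a in attrs.items() if "group" in a}


def bundle(config, group):
    """Members of one channel-group as [(interface, mode, frozenset(settings))]."""
    return [(i, a["mode"], frozenset(a["settings"]))
            for i, a in parse_members(config).items() if a["group"] == group]


def precheck(local_cfg, local_group, remote_cfg, remote_group):
    """List the problems that would stop the bundle forming; empty list means go."""
    issues = []
    sides = {"local": bundle(local_cfg, local_group),
             "remote": bundle(remote_cfg, remote_group)}
    for name, members in sides.items():
        if not members:
            issues.append(f"{name}: no interfaces carry the channel-group")
            continue
        if len(members) > MAX_LINKS:
            issues.append(f"{name}: {len(members)} members exceed the {MAX_LINKS}-link limit")
        if len({s for _, _, s in members}) > 1:
            issues.append(f"{name}: members differ in speed/duplex/switchport settings")
        if len({m for _, m, _ in members}) > 1:
            issues.append(f"{name}: members use different channel-group modes")
    if sides["local"] and sides["remote"]:
        if len(sides["local"]) != len(sides["remote"]):
            issues.append("member count differs between the two ends")
        pair = (sides["local"][0][1], sides["remote"][0][1])
        if pair not in COMPATIBLE:
            issues.append(f"mode mismatch: local '{pair[0]}' vs remote '{pair[1]}' will not bundle")
    return issues


# Constructed configuration snippets (not from the post's exhibit).
S1 = """
interface FastEthernet0/1
 switchport mode trunk
 channel-group 1 mode active
interface FastEthernet0/2
 switchport mode trunk
 channel-group 1 mode active
"""
S2_OK = S1.replace("active", "passive")          # LACP active/passive negotiates
S2_UNBUNDLED = """
interface FastEthernet0/1
 switchport mode trunk
interface FastEthernet0/2
 switchport mode trunk
"""
S1_MIXED = S1 + """
interface FastEthernet0/3
 switchport mode trunk
 duplex half
 channel-group 1 mode active
"""

if __name__ == "__main__":
    for label, remote in (("peer bundled", S2_OK), ("peer not bundled", S2_UNBUNDLED)):
        print(label, "->", precheck(S1, "1", remote, "1") or "OK")
```

The channel-group number does not have to match across switches, which is why the function takes one per side; the modes, the member count and the member settings do.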
---------------------------------------------------------------------------------------------------------------------------
Q3 VLAN Configuration and Inter-VLAN Routing
Identify the trunking and SVI problems that stop VLANs from communicating with each other, and apply the fix.
a) SW1 has been configured correctly but the end devices in the exhibit above cannot access each other. Based on the configuration above, discuss the issue that causes this problem.
The issue likely lies in trunking misconfiguration or VLAN misassociation between SW1 (switch) and RT1 (router). The configuration on RT1 shows subinterfaces with the dot1Q encapsulation, which is correct for handling Inter-VLAN routing. However, if the Fa0/5 port on SW1 connecting to the router is not configured as a trunk port, the router will not receive tagged frames from VLANs 20, 30, and 40, preventing inter-VLAN communication.
This configuration requires the switch port connected to the router (Fa0/5) to be in trunk mode to carry multiple VLAN traffic between SW1 and RT1. If it’s in access mode, the router won’t receive VLAN-tagged traffic, causing communication failure between the VLANs.
SW1(config)# interface Fa0/5
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW1(config-if)# no shutdown
On platforms that also support ISL (for example the Catalyst 3560), the encapsulation command must come before switchport mode trunk, otherwise the mode command is rejected while the encapsulation is still "auto". On 2960-class switches the encapsulation command does not exist, because only 802.1Q is supported, so it is simply omitted.
This will allow VLAN-tagged traffic to pass between the switch and the router, enabling communication between the VLANs.
Network IDs for VLANs:
- VLAN 20: Network ID = 172.18.1.0/27
- VLAN 30: Network ID = 172.18.1.32/27
- VLAN 40: Network ID = 172.18.1.64/27
Steps:
The SVI address must lie inside the VLAN's own subnet. 172.18.1.30 is in 172.18.1.0/27 and 172.18.1.40 is in 172.18.1.32/27, so neither can serve as the gateway for VLAN 30 or VLAN 40; the first usable address of each /27 is used below (any address inside the subnet works, provided the hosts use it as their default gateway). Each VLAN must already exist in the VLAN database, or its SVI stays down.
Configure an SVI for each VLAN on the Layer 3 switch:
SW1(config)# interface vlan 20
SW1(config-if)# ip address 172.18.1.1 255.255.255.224
SW1(config-if)# no shutdown
SW1(config)# interface vlan 30
SW1(config-if)# ip address 172.18.1.33 255.255.255.224
SW1(config-if)# no shutdown
SW1(config)# interface vlan 40
SW1(config-if)# ip address 172.18.1.65 255.255.255.224
SW1(config-if)# no shutdown
Enable IP routing on the Layer 3 switch:
SW1(config)# ip routing
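A quick way to catch subnet mistakes in an SVI plan is to check each address against its VLAN's subnet with Python's ipaddress module. This is an added example, not part of the original answer; the PLAN table uses the post's three subnets together with the .20/.30/.40 addresses so the check shows which of them fall outside their VLAN, and first_usable() proposes a valid gateway for each.

```python
import ipaddress

# VLAN -> (subnet stated for the VLAN, address proposed for its SVI).
# Constructed from the values in the review; .30 and .40 are the wrong ones.
PLAN = {
    20: ("172.18.1.0/27", "172.18.1.20"),
    30: ("172.18.1.32/27", "172.18.1.30"),
    40: ("172.18.1.64/27", "172.18.1.40"),
}


def check_svi(network, address):
    """Return None if `address` is a usable host address inside `network`,
    otherwise a short explanation of what is wrong with it."""
    net = ipaddress.ip_network(network, strict=True)
    ip = ipaddress.ip_address(address)
    if ip not in net:
        actual = ipaddress.ip_network(f"{ip}/{net.prefixlen}", strict=False)
        return f"{ip} is not in {net}; it belongs to {actual}"
    if ip in (net.network_address, net.broadcast_address):
        return f"{ip} is the network or broadcast address of {net}"
    return None


def check_plan(plan):
    """VLAN -> problem text (or None when the address is fine)."""
    return {vlan: check_svi(net, ip) for vlan, (net, ip) in plan.items()}


def first_usable(plan):
    """Pick the first host address of each subnet as the SVI/gateway address."""
    return {vlan: str(next(ipaddress.ip_network(net).hosts()))
            for vlan, (net, _) in plan.items()}


def svi_config(plan, gateways):
    """Render the Layer 3 switch commands for the chosen gateway addresses."""
    lines = ["ip routing"]
    for vlan, (net, _) in plan.items():
        mask = ipaddress.ip_network(net).netmask
        lines += [f"interface vlan {vlan}",
                  f" ip address {gateways[vlan]} {mask}",
                  " no shutdown"]
    return "\n".join(lines)


if __name__ == "__main__":
    for vlan, problem in check_plan(PLAN).items():
        print(f"VLAN {vlan}: {problem or 'OK'}")
    print(svi_config(PLAN, first_usable(PLAN)))
```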
Q4 Layer 2 Security Threats and Mitigations
Discover common Layer 2 attacks and the best methods to secure your network against them, protecting your infrastructure from threats.
a) Four Types of Layer 2 Attacks and Mitigation Methods:
MAC Address Flooding Attack:
- Description: The attacker floods a port with frames carrying thousands of bogus source MAC addresses until the switch's CAM (MAC address) table is full. Frames destined to any address the switch can no longer store are flooded out of every port in that VLAN, so the switch behaves like a hub and the attacker can sniff other hosts' traffic in the same VLAN (the flooding stays inside the VLAN; it does not cross VLAN boundaries by itself).
- Mitigation Methods:
- Port Security: Limit the number of MAC addresses a port may learn (switchport port-security maximum), statically configure or sticky-learn the MACs of critical devices, and choose a violation action (shutdown, restrict or protect).
- MAC Address Aging: Shortening the aging time frees table entries faster, but it only slows a flood down; it is not a substitute for port security.
- Port-Based Authentication (802.1X): Only authenticated hosts are admitted onto access ports. Dynamic ARP Inspection does not address this attack; it validates ARP packets and belongs with ARP spoofing below.
VLAN Hopping Attack:
- Description: The attacker gets frames into a VLAN they are not a member of without passing through a router. Two forms are common: switch spoofing, where the attacker's port negotiates a trunk via DTP and can then tag frames for any VLAN, and double tagging, where a frame carries an outer tag matching the trunk's native VLAN (stripped by the first switch) and an inner tag for the target VLAN.
- Mitigation Methods:
- Disable Auto-Trunking (DTP): Manually configure interfaces to trunk or access mode to prevent automatic negotiation of trunking.
- Native VLAN Misuse Prevention: Assign an unused VLAN as the native VLAN on trunk ports to prevent VLAN hopping attacks.
- VLAN Pruning: Manually prune unnecessary VLANs from trunk links to restrict traffic to required VLANs only.
ARP Spoofing/Poisoning Attack:
- Description: An attacker sends fake ARP messages to associate their MAC address with the IP address of another device (e.g., the gateway), allowing them to intercept, modify, or drop traffic.
- Mitigation Methods:
- Dynamic ARP Inspection (DAI): Intercepts ARP packets on untrusted ports and checks the sender IP/MAC pair against the DHCP snooping binding table (or static ARP ACLs), dropping any ARP that does not match; it therefore requires DHCP snooping to be enabled first.
- IP Source Guard: Uses the same binding table to drop IP packets whose source IP (and optionally MAC) does not match what the host on that port was assigned, which stops the IP spoofing that usually accompanies a poisoning attack.
- Static ARP Entries: Manually configure ARP entries for critical devices such as gateways to prevent ARP poisoning.
Spanning Tree Protocol (STP) Manipulation Attack:
- Description: An attacker introduces a rogue switch into the network or manipulates STP to become the root bridge, potentially causing network instability and directing traffic to the attacker.
- Mitigation Methods:
- BPDU Guard: Err-disables an access port the moment a BPDU (Bridge Protocol Data Unit) arrives on it, so a rogue switch plugged into an end-user port cannot join the STP topology.
- Root Guard: Applied on ports facing other switches; if a superior BPDU arrives, the port goes root-inconsistent (blocked) until the superior BPDUs stop, so the intended root bridge cannot be displaced.
- PortFast with BPDU Guard: PortFast lets an access port skip the listening and learning states, but it does not stop the port from processing BPDUs, so it must be paired with BPDU Guard (spanning-tree portfast bpduguard default) to keep end-user ports out of STP.
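The two host-side attacks above (CAM flooding and ARP poisoning) and their controls (port security and DAI) can be modelled in a few dozen lines. The Python below is an added example, neither switch code nor part of the original post: it simulates a port-security limit with shutdown on violation and a DAI check against a DHCP-snooping-style binding table, with trusted uplink ports exempt. Ports, MACs, IPs, bindings and frames are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Frame:
    port: str
    vlan: int
    src_mac: str
    arp_sender_ip: Optional[str] = None    # set when the frame carries ARP
    arp_sender_mac: Optional[str] = None


class L2Guard:
    """Port security (max MACs, err-disable on violation) plus DAI-style ARP
    validation against a DHCP-snooping-like binding table. A model only."""

    def __init__(self, max_macs=1, bindings=(), trusted_ports=()):
        self.max_macs = max_macs
        # (vlan, ip) -> mac, as DHCP snooping would have recorded it
        self.bindings = {(vlan, ip): mac.lower() for vlan, ip, mac in bindings}
        self.trusted = set(trusted_ports)   # uplinks: no port security, no DAI
        self.learned = defaultdict(set)     # port -> MACs learned so far
        self.err_disabled = set()
        self.log = []

    def handle(self, f: Frame) -> str:
        if f.port in self.err_disabled:
            return "dropped:err-disabled"
        if f.port not in self.trusted:
            macs = self.learned[f.port]
            if f.src_mac not in macs:
                if len(macs) >= self.max_macs:
                    # CAM-flooding pattern: more sources than the port may learn
                    self.err_disabled.add(f.port)
                    self.log.append(f"port-security violation on {f.port} "
                                    f"({f.src_mac}); port err-disabled")
                    return "dropped:port-security"
                macs.add(f.src_mac)
            if f.arp_sender_ip is not None:
                expected = self.bindings.get((f.vlan, f.arp_sender_ip))
                claimed = f.arp_sender_mac.lower()
                # DAI: sender IP/MAC must match the binding, and the ARP body
                # must agree with the Ethernet source (src-mac validation).
                if expected != claimed or claimed != f.src_mac.lower():
                    self.log.append(f"DAI dropped ARP on {f.port}: "
                                    f"{f.arp_sender_ip} claimed by {f.arp_sender_mac}")
                    return "dropped:dai"
        return "forwarded"


def run_demo():
    """Feed constructed frames through the model; returns (verdicts, log)."""
    guard = L2Guard(
        max_macs=1,
        bindings=[(10, "10.0.10.1", "00:00:5e:00:53:01"),    # gateway behind Gi0/1
                  (10, "10.0.10.50", "00:00:5e:00:53:50")],  # host on Fa0/5
        trusted_ports={"Gi0/1"},
    )
    frames = [
        Frame("Fa0/5", 10, "00:00:5e:00:53:50", "10.0.10.50", "00:00:5e:00:53:50"),  # legitimate ARP
        Frame("Fa0/5", 10, "00:00:5e:00:53:50", "10.0.10.1", "00:00:5e:00:53:50"),   # claims the gateway IP
        Frame("Gi0/1", 10, "00:00:5e:00:53:01", "10.0.10.1", "00:00:5e:00:53:01"),   # real gateway, trusted port
        Frame("Fa0/7", 10, "00:00:5e:00:53:aa"),                                      # first MAC learned
        Frame("Fa0/7", 10, "00:00:5e:00:53:ab"),                                      # second MAC: violation
        Frame("Fa0/7", 10, "00:00:5e:00:53:ac"),                                      # port is already down
    ]
    return [guard.handle(f) for f in frames], guard.log


if __name__ == "__main__":
    verdicts, log = run_demo()
    print(verdicts)
    print("\n".join(log))
```

The model mirrors the dependency in the text: DAI can only judge an ARP packet if a binding exists, so on a real switch DHCP snooping (or static ARP ACLs) has to be in place before DAI is useful.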
b) Strategies to Secure Management Protocols:
Use of Secure Protocols (SSH over Telnet):
- Explanation: Switch from using Telnet, which sends data in clear text, to SSH (Secure Shell) for encrypted remote management. SSH ensures that all data, including login credentials, is encrypted.
Role-Based Access Control (RBAC):
- Explanation: Implement RBAC to limit access to the management plane. By assigning roles to users with different levels of access (e.g., admin, read-only), you can restrict what each user can configure or monitor.
Access Control Lists (ACLs):
- Explanation: Use ACLs to restrict management access to trusted IP addresses or networks. This ensures that only authorized devices or administrators can access the management interface.
Management Traffic Encryption (SNMPv3, HTTPS):
- Explanation: Use SNMPv3 instead of older versions (SNMPv1/v2c), which do not support encryption. Similarly, use HTTPS instead of HTTP for web-based management to ensure all communication is encrypted.
Network Time Protocol (NTP) with Authentication:
- Explanation: Synchronise all devices to the same trusted time source and authenticate the NTP exchange (ntp authenticate, ntp authentication-key, ntp trusted-key), so a rogue time server cannot skew device clocks. Consistent, trustworthy time is what makes logs from different devices correlatable during an incident and keeps certificate validity checks and time-bound credentials working.
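An added Python audit (not from the original post) that checks an IOS-style running-config for the weaknesses listed above: Telnet reachable on the vty lines, no access-class, SNMPv1/v2c community strings, clear-text HTTP and unauthenticated NTP. The two configurations are constructed; WEAK trips every check and HARDENED passes.

```python
import re


def parse_sections(config):
    """Split an IOS-style running-config into top-level commands and the
    indented lines that belong to each section header."""
    top, blocks, cur = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):
            cur = raw.strip()
            top.append(cur)
            blocks.setdefault(cur, [])
        elif cur is not None:
            blocks[cur].append(raw.strip())
    return top, blocks


def audit(config):
    """Return findings for clear-text or unrestricted management access."""
    top, blocks = parse_sections(config)
    findings = []
    if "ip ssh version 2" not in top:
        findings.append("SSHv2 not enabled: add 'ip ssh version 2' after generating an RSA key")
    for header, body in blocks.items():
        if header.startswith("line vty"):
            transports = [line for line in body if line.startswith("transport input")]
            if not transports or any(re.search(r"\b(telnet|all)\b", t) for t in transports):
                findings.append(f"{header}: telnet reachable, set 'transport input ssh'")
            if not any(line.startswith("access-class") for line in body):
                findings.append(f"{header}: no access-class ACL limiting management sources")
    for cmd in top:
        if cmd.startswith("snmp-server community"):
            findings.append(f"'{cmd}': SNMPv1/v2c community, migrate to an SNMPv3 user with priv")
        if cmd == "ip http server":
            findings.append("'ip http server': clear-text web management, use 'ip http secure-server'")
    if any(c.startswith("ntp server") for c in top) and "ntp authenticate" not in top:
        findings.append("NTP servers configured without 'ntp authenticate' and a trusted key")
    return findings


# Constructed sample configurations (hostnames, ACL, keys and addresses are made up).
WEAK = """\
hostname SW1
ip http server
snmp-server community public RO
ntp server 192.0.2.10
line vty 0 4
 transport input telnet ssh
 login local
"""

HARDENED = """\
hostname SW1
ip domain-name example.net
ip ssh version 2
no ip http server
ip http secure-server
ip access-list standard MGMT
 permit 10.0.0.0 0.0.0.255
snmp-server group ADMIN v3 priv
snmp-server user netops ADMIN v3 auth sha AuthPass1 priv aes 128 PrivPass1
ntp authentication-key 1 md5 NtpKey1
ntp authenticate
ntp trusted-key 1
ntp server 192.0.2.10 key 1
line vty 0 4
 access-class MGMT in
 transport input ssh
 login local
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, "->", audit(cfg) or ["no findings"])
```

Run it against the output of show running-config; the checks are string-level, so RBAC (privilege levels or AAA command authorization) still has to be reviewed by hand.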