CCENT/CCNA Sample Questions @ Networking-Forum.com

 

Networking-forum.com has a really good section with CCENT/CCNA sample test questions. They provoke you to think like a networking engineer, the way Cisco wants you to be thinking when you sit your exams. There are 4 sets of questions there; I suggest you try them out.

CCNA Sample Questions


Notes: CCENT – IOS Commands: Part 1

Cisco IOS Technologies Official Website

!!!—Before I start ANYTHING, I would like you to remember to NEVER practice some of these commands on actual running production hardware, Routers, Switches, PIX/ASA devices, etc. You should be using either real lab hardware or a simulator like GNS3 or Packet Tracer. Using these commands will definitely cause problems in production networks, and you will most likely have a manager/boss/employee that will want to run you over with their car or throw you in a wood chipper (or you will probably be fired and arrested).—!!!

I will be using this router from GNS3 as an example for these notes:
Figure 1:

Here is the output for ‘show version’:

R1#show version
Cisco IOS Software, C2600 Software (C2600-IPBASEK9-M), Version 12.4(9)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Sat 17-Jun-06 02:46 by prod_rel_team

ROM: ROMMON Emulation Microcode
ROM: C2600 Software (C2600-IPBASEK9-M), Version 12.4(9)T, RELEASE SOFTWARE (fc1)

R1 uptime is 1 minute
System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
System image file is "tftp://255.255.255.255/unknown"

!!!!-----OUTPUT OMITTED-----!!!!

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2621 (MPC860) processor (revision 2.2) with 56320K/9216K bytes of memory.
Processor board ID FTX0945W0MY
M860 processor: part number 0, mask 0
3 FastEthernet interfaces
2 Serial interfaces
128K bytes of NVRAM.
8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

Here is the output for ‘show run’:

R1#show run
Building configuration...

Current configuration : 761 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 15
ip cef
!
!
no ip domain lookup
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
!
no ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
!
end

Because GNS3 does not emulate a switch IOS (there is a way to emulate a switch using a router), I will instead be using this switch from Packet Tracer:
Figure 2:

Here is the output for SW1, ‘show version’:

SW1#show version
Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(25)FX, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 12-Oct-05 22:05 by pt_team

ROM: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)FX, RELEASE SOFTWARE (fc4)

System returned to ROM by power-on

Cisco WS-C2960-24TT (RC32300) processor (revision C0) with 21039K bytes of memory.

24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)

63488K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 0060.3E17.6D9B
Motherboard assembly number     : 73-9832-06
Power supply part number        : 341-0097-02
Motherboard serial number       : FOC103248MJ
Power supply serial number      : DCA102133JA
Model revision number           : B0
Motherboard revision number     : C0
Model number                    : WS-C2960-24TT
System serial number            : FOC1033Z1EY
Top Assembly Part Number        : 800-26671-02
Top Assembly Revision Number    : B0
Version ID                      : V02
CLEI Code Number                : COM3K00BRA
Hardware Board Revision Number  : 0x01

Switch   Ports  Model              SW Version              SW Image
------   -----  -----              ----------              ----------
*    1   26     WS-C2960-24TT      12.2                    C2960-LANBASE-M

Configuration register is 0xF

Here is the output of SW1 for ‘show run’:

SW1#
%SYS-5-CONFIG_I: Configured from console by console
show run
Building configuration...

Current configuration : 1006 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname SW1
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface Vlan1
 no ip address
 shutdown
!
!
line con 0
!
line vty 0 4
 login
line vty 5 15
 login
!
!
end

Some History:
As you may notice (or may not, that’s fine), Cisco’s IOS in its earliest forms was actually based on Unix. This is because before Cisco, a lot of routers were actually based on Unix in the first place. As Cisco’s IOS became more and more defined, it was later based on Linux.

Versions:
There are lots and lots and lots of Cisco IOS versions developed by Cisco, and they all do a vast array of different things.
The version we see on R1 (Figure 1) is C2600-IPBASEK9-M, Version 12.4(9)T. Every part of a Cisco IOS version name has a meaning.
I’m not going to delve deep into versions and builds, because I really want to get to what this set of notes is all about.

CISCO DOES HAVE A FULL WHITE PAPER AVAILABLE THAT SHOWS THE COMPLETE ANATOMY OF THE CISCO IOS

  • ‘C2600’ – This is the hardware platform, meaning it’s an IOS developed for 2600 series routers.
  • ‘IPBASEK9’ – This is the feature set, which shows the capabilities of the operating system. IPBase is the entry level IOS.
  • ‘M’ – Indicates the memory location of the IOS.
  • ‘Version 12.4’ – This is the ‘Train Number’, the version release of IPBaseK9.
  • ‘(9)’ – Maintenance ID.
  • ‘T’ – This is the ‘Train ID’.
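As an added example (not from the original notes), here is a small Python parser that splits the first line of ‘show version’ into exactly the parts listed above, which is handy when you inventory what image, feature set and train each device runs; the crypto flag relies on Cisco’s convention that a K9 suffix on the feature set marks a strong-crypto capable image.

```python
import re
from dataclasses import dataclass

# Banner lines copied from the R1 and SW1 'show version' output in these notes.
R1_LINE = ("Cisco IOS Software, C2600 Software (C2600-IPBASEK9-M), "
           "Version 12.4(9)T, RELEASE SOFTWARE (fc1)")
SW1_LINE = ("Cisco IOS Software, C2960 Software (C2960-LANBASE-M), "
            "Version 12.2(25)FX, RELEASE SOFTWARE (fc1)")

# First parenthesised token is the image name, e.g. C2600-IPBASEK9-M.
IMAGE_RE = re.compile(r"\((?P<image>[A-Za-z0-9-]+)\)")
# Train, maintenance ID and train ID, e.g. 12.4(9)T or 12.2(25)FX.
VERSION_RE = re.compile(r"Version (?P<train>\d+\.\d+)\((?P<maint>\d+[a-z]?)\)(?P<id>[A-Z]*)")


@dataclass(frozen=True)
class IosImage:
    platform: str      # hardware platform, e.g. 'C2600'
    feature_set: str   # feature set, e.g. 'IPBASEK9'
    memory: str        # memory location marker, e.g. 'M'
    train: str         # train number, e.g. '12.4'
    maintenance: str   # maintenance ID, e.g. '9'
    train_id: str      # train ID, e.g. 'T'; empty for a mainline image
    crypto: bool       # True when the feature set ends in K9 (strong-crypto image)


def parse_show_version_line(line):
    """Split the first line of 'show version' into the parts the notes describe.

    Raises ValueError when the line carries no image name or no version string.
    """
    m_img, m_ver = IMAGE_RE.search(line), VERSION_RE.search(line)
    if not (m_img and m_ver):
        raise ValueError(f"not a show version banner: {line!r}")
    parts = m_img.group("image").split("-")
    if len(parts) < 3:
        raise ValueError(f"unexpected image name: {m_img.group('image')}")
    feature_set = "-".join(parts[1:-1])  # everything between platform and memory marker
    return IosImage(
        platform=parts[0], feature_set=feature_set, memory=parts[-1],
        train=m_ver.group("train"), maintenance=m_ver.group("maint"),
        train_id=m_ver.group("id"), crypto=feature_set.upper().endswith("K9"),
    )


if __name__ == "__main__":
    for line in (R1_LINE, SW1_LINE):
        print(parse_show_version_line(line))
```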

Modes:
One thing I really want to point out here is that Cisco’s IOS has a hierarchical system that determines where commands can be used. There are modes that only allow you to do certain things on an IOS, and there are modes that allow you to completely configure a Cisco device. Basically, what mode you are in determines what commands are available to you. When you take your exam, you should definitely be able to point these out and tell them apart.

  • ‘Setup Mode’ – This mode usually appears when you first power on a router and have no configuration in place. Here the router will walk you through basic configurations that you may use in your network. You will find admins hardly ever use this mode, because again, it’s very basic, and you’ll find you have a lot more power when you completely configure a router or switch from its basic defaults by yourself. When the router prompts you with ‘Continue with configuration dialog? [yes/no]:’ I usually input no. We don’t want to get involved with basic setup.
             --- System Configuration Dialog ---
    
    Continue with configuration dialog? [yes/no]: no
    
    Press RETURN to get started!
    
    R1>
  • ‘User Exec’ – In this mode, you are not allowed to do too many things to the Cisco device itself. This is more of a restricted mode where you can’t make changes at all. You can however do things such as:
    -Show the memory statistics (‘show memory’)
    -Show the version of the IOS (‘show version’)
    -Show the device’s clock (‘show clock’)
    -Show the users that are currently logged into the device (‘show users’)
    -Initiate telnet or ssh sessions to other devices (‘telnet’ and ‘ssh’)
    -Perform traceroutes (‘traceroute’ ip address or hostname)
    -Perform pings (ICMP Echo requests) (‘ping’ ip address or hostname)

    What User Exec Mode looks like:

    R1>

    The Commands you can find in Exec Mode:

    R1>?
    Exec commands:
      access-enable    Create a temporary Access-List entry
      access-profile   Apply user-profile to interface
      clear            Reset functions
      connect          Open a terminal connection
      crypto           Encryption related commands.
      disable          Turn off privileged commands
      disconnect       Disconnect an existing network connection
      enable           Turn on privileged commands
      exit             Exit from the EXEC
      help             Description of the interactive help system
      lock             Lock the terminal
      login            Log in as a particular user
      logout           Exit from the EXEC
      modemui          Start a modem-like user interface
      mrinfo           Request neighbor and version information from a multicast
                       router
      mstat            Show statistics after multiple multicast traceroutes
      mtrace           Trace reverse multicast path from destination to source
      name-connection  Name an existing network connection
      pad              Open a X.29 PAD connection
      ping             Send echo messages
      ppp              Start IETF Point-to-Point Protocol (PPP)
      release          Release a resource
      renew            Renew a resource
      resume           Resume an active network connection
      rlogin           Open an rlogin connection
      set              Set system parameter (not config)
      show             Show running system information
      slip             Start Serial-line IP (SLIP)
      ssh              Open a secure shell client connection
      systat           Display information about terminal lines
      telnet           Open a telnet connection
      terminal         Set terminal line parameters
      traceroute       Trace route to destination
      tunnel           Open a tunnel connection
      udptn            Open an udptn connection
      where            List active connections
      x28              Become an X.28 PAD
      x3               Set X.3 parameters on PAD

    You can see there is quite a plethora of commands here. Cisco doesn’t expect you to know them all off by heart, which is why you can use ‘?’ in the IOS.

  • ‘Privileged Mode’ – Privileged Mode is where you start getting into a part of the hierarchy in the IOS that allows you to actually manage features and configure certain parameters.
    What privileged mode looks like:

    R1#

    Now, I’ll tell you right now, that the list of available commands Privileged Mode will give you is just downright enormous, so there isn’t really a reason to show you the entire output. Instead I’ll go through and pick out the commands you need to concern yourself with.
    A list of available commands in privileged mode:

    R1>enable
    R1#?
    Exec commands:
      configure        Enter configuration mode
      copy             Copy from one file to another
      debug            Debugging functions (see also 'undebug')
      disable          Turn off privileged commands
      enable           Turn on privileged commands
      erase            Erase a filesystem
      exit             Exit from the EXEC
      help             Description of the interactive help system
      lock             Lock the terminal
      login            Log in as a particular user
      logout           Exit from the EXEC
      ping             Send echo messages
      reload           Halt and perform a cold restart
      traceroute       Trace route to destination
      undebug          Disable debugging functions (see also 'debug')
      vlan             Configure VLAN parameters
      write            Write running configuration to memory, network, or terminal

    Yeah, quite scary I’m sure. Like I said, Cisco doesn’t expect you to know what each and every command does on a Cisco device, just the basics of the IOS. Here you can see that you can do many of the things you can do in User Exec mode. But this is where it gets deeper: you can ‘show’ even more things here, such as the running config (refer to Figure 1 and Figure 2).

    The show list also gets extremely long, so what I’ll point out are the more important things you need to know about right now.

     R1#show ?
      access-lists              List access lists
      adjacency                 Adjacent nodes
      cdp                       CDP information
      clock                     Display the system clock
      configuration             Configuration details
      controllers               Interface controller status
      flash:                    display information about flash: file system
      frame-relay               Frame-Relay information
      history                   Display the session command history
      hosts                     IP domain-name, lookup style, nameservers, and host
      interfaces                Interface status and configuration
      inventory                 Show the physical inventory
      ip                        IP information
      logging                   Show the contents of logging buffers
      mac-address-table         MAC forwarding table
      memory                    Memory statistics
      processes                 Active process statistics
      protocols                 Active network routing protocols
      running-config            Current operating configuration
      sessions                  Information about Telnet connections
      spanning-tree             Spanning tree topology
      startup-config            Contents of startup configuration
      trunk                     Trunk info
      version                   System hardware and software status
      vlans                     Virtual LANs Information
      vtp                       VTP information


  • ‘Global Config’ – Global config is the mode in IOS where all of your configurations are made, and where you move into its sub-configuration modes for routing protocols, interfaces, and so on. A lot of key configurations that “globally” affect the router are made here. In this mode you basically have the power to do everything. (With power comes responsibility.)
    What global config looks like:

    R1(config)#

    Because the global config level lets you configure just about every parameter in the Cisco IOS, this mode has a huge plethora of options. Here are some of the commands you need to be concerned with:

    R1(config)#?
    Configure commands:
      access-list                 Add an access list entry
      banner                      Define a login banner
      boot                        Modify system boot parameters
      cdp                         Global CDP configuration subcommands
      clock                       Configure time-of-day clock
      crypto                      Encryption module
      do                          To run exec commands in config mode
      enable                      Modify enable password parameters
      end                         Exit from configure mode
      frame-relay                 global frame relay configuration commands
      ftp-server                  FTP Server configuration commands
      help                        Description of the interactive help system
      hostname                    Set system's network name
      interface                   Select an interface to configure
      ip                          Global IP configuration subcommands
      line                        Configure a terminal line
      logging                     Modify message logging facilities
      login                       Enable secure login checking
      password                    Configure encryption password (key)
      shutdown                    Shutdown system elements
      spanning-tree               Spanning Tree Subsystem
      trunk                       Global trunk configuration
      username                    Establish User Name Authentication
      vlan                        VLAN commands
      vtp                         Configure global VTP state
  • ‘Interface Level (config-if)’ – This is the mode used to configure interface parameters. You can tell you are in a certain interface’s configuration when you see the following prompt (for instance, here we entered the configuration mode for the router’s ethernet interface):
    R1(config)#interface fastEthernet 0/0
    R1(config-if)#

    In this mode you will be configuring all sorts of parameters for interfaces; they could be Ethernet, Serial, Fiber, sub-interfaces, loopbacks, etc. These are the parameters you should be concerned with at this point (all these commands are grouped together for multiple interface types):

    R1(config-if)#?
    Interface configuration commands:
      cdp                     CDP interface subcommands
      clock                   Configure serial interface clock
      duplex                  Configure duplex operation.
      exit                    Exit from interface configuration mode
      encapsulation           Set encapsulation type for an interface
      ip                      Interface Internet Protocol config commands
      logging                 Configure logging for interface
      shutdown                Shutdown the selected interface
      speed                   Configure speed operation.
  • ‘Line (config-line)’ – This is where you configure the parameters for telnet, such as the password, privilege level, timeout, etc.
    R1(config-line)#
    R1(config-line)#?
    Line configuration commands:
     
      exec-banner                 Enable the display of the EXEC banner
      exec-timeout                Set the EXEC timeout
      exit                        Exit from line configuration mode
      history                     Enable and control the command history function
      logging                     Modify message logging facilities
      login                       Enable password checking
      motd-banner                 Enable the display of the MOTD banner
      no                          Negate a command or set its defaults
      password                    Set a password
      privilege                   Change privilege level for line
      session-timeout             Set interval for closing connection when there is
                                  no input traffic
      telnet                      Telnet protocol-specific configuration
      terminal-type               Set the terminal type
      timeout                     Timeouts for the line
  • ‘Protocol Level (config-router)’ – This mode is where you add network statements for the subnets you want the router to advertise out its interfaces. There are quite a plethora of switches to configure routing parameters. For the CCNA the ones you should really be concerned with are RIP, RIPv2, EIGRP, and OSPF. Other protocols are for more advanced studies.
    R1(config)#router ?
      bgp       Border Gateway Protocol (BGP)
      eigrp     Enhanced Interior Gateway Routing Protocol (EIGRP)
      isis      ISO IS-IS
      iso-igrp  IGRP for OSI networks
      mobile    Mobile routes
      odr       On Demand stub Routes
      ospf      Open Shortest Path First (OSPF)
      rip       Routing Information Protocol (RIP)
    R1(config)#router rip
    R1(config-router)#

Notes: CCENT – Switching – Part 3

Notes: Switching: STP and basic Switch Security.

Where Switches are:
Application
Presentation
Session
Transport <- Segments
Network <- Routers / Packets / IP addresses
Data Link <- Switches, Bridges / Frames / MAC Addresses
Physical <- Hubs, Repeaters / Bits / Ethernet

I will be using this network I built in Packet Tracer as an example for these notes:
Figure 1:


STP

STP, IEEE 802.1d or Spanning Tree Protocol is used on switches to prevent switching loops. Switching loops occur when frames are constantly “looped” through redundant links that connect switches to one another.

When you look at Figure1, you’ll notice a triangle topology where all the switches are connected to each other.

Well, let’s say that there was no STP running on these switches. Host 192.168.10.11 sends out a broadcast frame (ffff.ffff.ffff). Maybe it was sending out a DHCP request. Well, what happens with broadcast frames? They are flooded of course. This means the switch will send a copy of that frame out every port. This means the broadcast would also be sent out the trunk ports of SW5 to SW3 and SW4. Well, SW3 and SW4 will see that this is a broadcast frame.
What will those switches do? They will flood this frame as well. Its destination is ffff.ffff.ffff, so it is sent out every port. The rule of switching is that a switch will never send a frame back out the same port it received it on. Well, this means SW3 won’t send the broadcast back to SW5; instead, it will send it to SW4. The same thing goes for SW4: it won’t send the broadcast back to SW5; instead it will be sent to SW3. This is where your problem becomes more noticeable: the broadcast that originally came in on SW5 has gone to SW4 and SW3, and those switches are sending each other those broadcasts. Those switches will then take the broadcast they just received from each other, and guess what? They’re broadcast frames! They’re going to keep flooding them out and now SW5 is going to get that broadcast back! What is SW5 going to do with the broadcast it just received from SW3 and SW4? Hey, it’s a broadcast! Gotta send these broadcasts out! They’re destined for ffff.ffff.ffff! (Remember, a group of switches (a layer 2 network) is still a single broadcast domain.)

This is where insanity starts, and this all happens in about a second. And this will keep happening until either the redundant links are disconnected, or worse… the switches crash. Then office pandemonium ensues.

This is the reason STP was invented, and why it runs on switches by default: to close redundant links and keep switching loops from occurring. The broadcast that 192.168.10.11 sent out won’t be able to cross the link from SW5 to SW4, so the loop cannot occur. Notice in the switch topology in Figure 1 that there are green dots and an orange dot. That orange dot indicates the link that STP has closed off. When redundant links are closed by STP, it means they have been placed into “blocking mode”.

This is SW4’s output of ‘show spanning-tree’:

SW4#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    1
             Address     0002.4A11.C0A3
             Cost        4
             Port        25(GigabitEthernet1/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8193  (priority 8192 sys-id-ext 1)
             Address     0006.2A99.5DA7
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi1/1            Root FWD 4         128.25   P2p
Gi1/2            Altn BLK 4         128.26   P2p

You will notice here that for Gi1/2 the ‘Sts’ (Status) is ‘BLK’ (Blocking). This is the redundant link that STP decided to close off.

STP also calculates the best path to hosts according to its MAC table based on how fast the links are. You could have a switched network with 5 switches, and you could have a path that a frame would have to traverse of 2 links (path1), and a path of 3 links (path2). But based on whether a port is 10mbps, 100mbps, or 1000mbps (even 10gb), STP will always choose the fastest. Path1 could be 2 links of 100mbps, but path2 could be 3 links of 1000mbps. Well, it would prefer path2 over path1 because those three gigabit hops actually provide faster data throughput than the two 100mbps hops. (Once I get to my CCNA portion, there will be a lot more about STP mechanics: how it determines cost, the costs of links, what it does while it is busy converging, root bridges, election, etc. What you’re seeing here is only the CCENT (ICND1) portion.)
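As an added illustration that is not part of the original notes, this Python model runs the STP election on the triangle from Figure 1 (SW3’s and SW4’s bridge IDs are read from SW4’s ‘show spanning-tree’ output above; SW5’s MAC and the port numbering are constructed) and on the two-path example from the paragraph above, using the IEEE 802.1D port costs (100 Mb/s = 19, 1 Gb/s = 4) to show which port ends up blocked and why path2 wins on cost.

```python
import heapq
from dataclasses import dataclass

# IEEE 802.1D short path cost per link speed in Mb/s; the Gi links in the notes show cost 4.
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int   # value as displayed by 'show spanning-tree' (priority + sys-id-ext)
    mac: str        # "xxxx.xxxx.xxxx" in lower case; the lower MAC wins a priority tie


@dataclass(frozen=True)
class Link:
    a: str
    a_port: str
    b: str
    b_port: str
    speed: int      # Mb/s


def compute_stp(bridges, links):
    """Run the 802.1D election on a topology given as {name: BridgeId} and [Link].
    Returns (root, rpc, roles): root bridge name, root path cost per bridge and
    roles[bridge][port] in {'Root', 'Desg', 'Altn'}; 'Altn' ports are the ones STP blocks."""
    root = min(bridges, key=lambda n: bridges[n])
    adj = {n: [] for n in bridges}  # name -> [(neighbor, my_port, neighbor_port, cost)]
    for lk in links:
        adj[lk.a].append((lk.b, lk.a_port, lk.b_port, PORT_COST[lk.speed]))
        adj[lk.b].append((lk.a, lk.b_port, lk.a_port, PORT_COST[lk.speed]))

    # Root path cost: cheapest sum of link costs from each bridge to the root (Dijkstra).
    rpc = {n: float("inf") for n in bridges}
    rpc[root] = 0
    heap = [(0, root)]
    while heap:
        cost, n = heapq.heappop(heap)
        if cost > rpc[n]:
            continue
        for nbr, _, _, link_cost in adj[n]:
            if cost + link_cost < rpc[nbr]:
                rpc[nbr] = cost + link_cost
                heapq.heappush(heap, (cost + link_cost, nbr))

    # Root port: the port that hears the best BPDU, compared as
    # (neighbor's root path cost + link cost, neighbor bridge ID, neighbor port).
    root_port = {}
    for n in bridges:
        if n != root:
            best = min(adj[n], key=lambda e: (rpc[e[0]] + e[3], bridges[e[0]], e[2]))
            root_port[n] = best[1]

    # Designated port per link: the end with the better (root path cost, bridge ID, port).
    # The other end is either that bridge's root port or an alternate port, which blocks.
    roles = {n: {} for n in bridges}
    for lk in links:
        a_key = (rpc[lk.a], bridges[lk.a], lk.a_port)
        b_key = (rpc[lk.b], bridges[lk.b], lk.b_port)
        if a_key < b_key:
            desg, desg_port, other, other_port = lk.a, lk.a_port, lk.b, lk.b_port
        else:
            desg, desg_port, other, other_port = lk.b, lk.b_port, lk.a, lk.a_port
        roles[desg][desg_port] = "Desg"
        roles[other][other_port] = "Root" if root_port.get(other) == other_port else "Altn"
    return root, rpc, roles


def blocked_ports(bridges, links):
    """List the (bridge, port) pairs that STP puts into blocking state."""
    _, _, roles = compute_stp(bridges, links)
    return sorted((b, p) for b, ports in roles.items() for p, r in ports.items() if r == "Altn")


# Triangle from Figure 1. SW3's and SW4's IDs come from SW4's 'show spanning-tree' output;
# SW5's MAC is constructed, chosen lower than SW4's so SW5 wins the tie on their shared link.
TRIANGLE = {
    "SW3": BridgeId(1, "0002.4a11.c0a3"),
    "SW4": BridgeId(8193, "0006.2a99.5da7"),
    "SW5": BridgeId(8193, "0001.9627.1234"),
}
TRIANGLE_LINKS = [
    Link("SW4", "Gi1/1", "SW3", "Gi1/1", 1000),
    Link("SW4", "Gi1/2", "SW5", "Gi1/1", 1000),
    Link("SW3", "Gi1/2", "SW5", "Gi1/2", 1000),
]

# The two-path comparison from the text: two 100 Mb/s hops (19 + 19 = 38) against
# three 1 Gb/s hops (4 + 4 + 4 = 12). All bridge IDs here are constructed.
FIVE = {n: BridgeId(32769, f"000{i}.0000.0000") for i, n in enumerate(["ROOT", "A", "B", "C", "X"])}
FIVE_LINKS = [
    Link("ROOT", "Fa0/1", "A", "Fa0/1", 100), Link("A", "Fa0/2", "X", "Fa0/1", 100),     # path1
    Link("ROOT", "Gi0/1", "B", "Gi0/1", 1000), Link("B", "Gi0/2", "C", "Gi0/1", 1000),
    Link("C", "Gi0/2", "X", "Gi0/1", 1000),                                            # path2
]

if __name__ == "__main__":
    for bridges, links in ((TRIANGLE, TRIANGLE_LINKS), (FIVE, FIVE_LINKS)):
        root, rpc, _ = compute_stp(bridges, links)
        print(f"root {root}, costs {rpc}, blocked {blocked_ports(bridges, links)}")
```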

Summary:

  • STP is a mechanism on switches to prevent switching loops
  • STP stops switching loops by closing off redundant links
  • It determines the optimal path to a destination based on cost
  • STP, Spanning-Tree Protocol, 802.1d
  • Runs on switches by default.
  • Switching loops are bad mmmkay?

Basic Switch Security

There are plenty of reasons you need to take your switch security seriously. Actually, you should take every bit of network security seriously. Never underestimate the importance of security, because if you do, you’re going to have a hell of a time dealing with security problems. Security isn’t just there to keep intruders out; it’s also there to keep someone who has no idea what they are doing from messing up your configurations.

Lock up your switches, routers, or any networking hardware. You definitely don’t want someone walking in on your network and thinking “hmm what does this mode button do?” Oh look, the lights are flashing in a neat pattern now. Seriously, you need to keep networking hardware safe. Keep it in a locked room. Keep faceplates over your network racks. Lock your network/server cabinets. This is common sense. Would you go park your car in a parking lot downtown and just leave the keys in your car with all your windows rolled down?

There are many well known defaults on switches that need to be addressed upon completion of configuration. These are things that people look for when they intend to break into your network. There are tons of security parameters on switches, but basically, these are what you need to know for the CCENT.

Ports:

  • By default, they are turned on. On routers they aren’t. When you are finished with a switch, you should shut down all your unused ports using the ‘shutdown’ command at the specified interface:
    SW5#conf t
    SW5(config)#interface fastEthernet 0/5
    SW5(config-if)#shutdown
    
    %LINK-5-CHANGED: Interface FastEthernet0/5, changed state to administratively down
    SW5(config-if)#
  • Another default posing a security risk is that they are all set to ‘dynamic’, meaning they are actively either going to trunk, or they are going to become an access port to an end device. This means someone can use one of their own switches and gain access this way. Some hackers also know how to get the NIC on a PC to try and trunk with a switch, and this can cause lots of problems as well:
    SW5(config)#interface fastEthernet 0/5
    SW5(config-if)#switchport mode ?
      access   Set trunking mode to ACCESS unconditionally
      dynamic  Set trunking mode to dynamically negotiate access or trunk mode
      trunk    Set trunking mode to TRUNK unconditionally
    SW5(config-if)#switchport mode access
  • By default, they are part of a well-known VLAN. They are in VLAN1. This can also pose a security risk. Unused ports should be moved to fake VLANs that lead nowhere:
    SW5(config-if)#switchport access ?
      vlan  Set VLAN when interface is in access mode
    SW5(config-if)#switchport access vlan ?
      <1-1005>  VLAN ID of the VLAN when this port is in access mode
    SW5(config-if)#switchport access vlan 321

_______________________________________

MAC Addresses: There are a few ways to tighten a switch’s security by managing the MAC addresses that are allowed on the switch. Doing this will allow you to configure parameters for each port on a switch so that only one MAC address from a host is allowed to be plugged into that port. This is to keep people from plugging other devices into, let’s say, their cubicle’s ethernet port. It will also stop people with malicious intent from plugging in other switches. This is done through the ‘switchport port-security’ command at the interface level on switches.

SW5#
SW5#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW5(config)#interface fastethernet 0/5
SW5(config-if)#switchport port-security ?
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>

Now, before you can even use this feature, you need to go in and switch the port’s mode from ‘dynamic’ to ‘access’. This tells the switch there will be an end device on this port and not another switch. Then you need to enable the feature itself; this option is also added at the interface level.

SW5(config-if)#interface fastEthernet 0/5
SW5(config-if)#switchport ?
  access         Set access mode characteristics of the interface
  mode           Set trunking mode of the interface
  native         Set trunking native characteristics when interface is in
                 trunking mode
  nonegotiate    Device will not engage in negotiation protocol on this
                 interface
  port-security  Security related command
  priority       Set appliance 802.1p priority
  trunk          Set trunking characteristics of the interface
  voice          Voice appliance attributes
SW5(config-if)#switchport mode access
SW5(config-if)#switchport port-security

Simply by entering ‘switchport port-security’, you enable this feature on the specified port.

Here I will be talking about the options.

  • mac-address – This parameter is where you add the ethernet MAC address of the end device or host, either manually or with ‘sticky’.
    SW5(config-if)#switchport port-security mac-address ?
      H.H.H   48 bit mac address
      sticky  Configure dynamic secure addresses as sticky

    -H.H.H is where you would add the host’s MAC address. Now, of course, if you were working IT in a large company this would be a bit of a pain because you would have to go to each individual interface, grab the MAC address and input it yourself. But the threat of an enormous workload is taken away with ‘sticky’. This option in the syntax tells the switch to use the MAC address that is currently connected on that port and add it for you automatically.

    I would really only use this feature if you know your company has a strict policy for end users to not fiddle with their workstations or plug anything else in.

  • maximum – This parameter is used to specify the quantity of allowed mac addresses on a given interface. This means you could say a port can only be allowed to have a maximum of 2 devices on it because maybe the end user also brings, say, a laptop from home and they want to plug it in. This could also be because the end user also has an IP Phone in their office as well, and the PC has to connect to the IP phone to get connectivity to the switch.
    SW5(config-if)#switchport port-security maximum ?
      <1-132>  Maximum addresses
  • violation – This parameter specifies what the switch must do if it detects an unauthorized MAC address on a port. This is a rather powerful part of switchport security.
    SW5(config-if)#switchport port-security violation ?
      protect   Security violation protect mode
      restrict  Security violation restrict mode
      shutdown  Security violation shutdown mode

    As you can see there are three options for this syntax: ‘protect’, ‘restrict’, and ‘shutdown’.

    Shutdown – This is the default of ‘switchport port-security’. When an un-authorized mac address is detected on that port, the switch will shutdown the port adds an entry to the log stating that it shut that port down. When you go to check on the status of that port, it won’t say ‘administratively down’ rather it will say ‘err-disabled’. If the port goes into ‘err-disabled’ mode, you have to log into the switch and manually turn the port back on.

    Protect – This tells the switch to drop the frames coming in from the unauthorized MAC address on that port. Nothing more; none of that traffic is allowed to traverse the switch.

    Restrict – This also tells the switch to drop the frames coming in from the unauthorized MAC address on that port, so none of that traffic traverses the switch. Additionally, the switch adds an entry to the log stating that an unauthorized MAC address was seen on that port.

Checking The Parameters:

So you’ve gone through and set all these options, and you need to make sure you have configured everything correctly. Well, there is a nice, quick and simple way to check what you’ve set.
The output below is ‘show port-security interface fastEthernet 0/5’ after configuring a maximum of one allowed MAC address, shutdown as the violation mode, and sticky learning so that the first (and only) MAC address learned on FastEthernet 0/5 is the authorized one. If you look at Figure 1, you can see that host 192.168.10.11 is on that port:

SW5#show port-security interface fastEthernet 0/5
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0060.47BA.7250:10
Security Violation Count   : 0

What Happens?:

Let’s say the switch does actually detect an unauthorized MAC address on that port. Say, for instance, that user 192.168.10.11 (yeah, I know, I’m not being very creative with names at the moment) plugs a different device into the Ethernet port in his cubicle. Maybe it’s his laptop. Well, from the output shown above, ‘Maximum MAC Addresses : 1’ means there is one and only one MAC address allowed, and currently authorized, on that port, and the violation mode is to shut the port down. So what will the switch show if it actually happens?

Well, first you would see in the log:

%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down

Then, when we check on the port-security status:

SW5#show port-security interface fastEthernet 0/5
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0007.EC6D.C364:10
Security Violation Count   : 1

Notice that the ‘Security Violation Count’ field has changed from 0 to 1. The ‘Last Source Address’ has changed as well, and now shows the offending MAC address. Port security has been triggered on this port and the port is now shut down.

This is the output of ‘show interfaces fastEthernet 0/5’:

FastEthernet0/5 is down, line protocol is down (err-disabled)
  Hardware is Lance, address is 00d0.9740.9e01 (bia 00d0.9740.9e01)
 BW 100000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
------------OUTPUT OMITTED------------

Here you can see the port is now down; next to ‘line protocol’ you see ‘(err-disabled)’, which means the switch brought this port down on its own because of an error condition. There are a number of error conditions on Cisco switches that can put a port into this state, and a port-security violation is one of them.
Again, once a port is shut down because of an error, an administrator has to go in and manually turn the port back on with ‘no shutdown’ at the interface level.
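Since the whole point of the ‘show port-security interface’ output above is to be able to read it quickly, here is an added example of doing that from a script. This is my own Python, not anything from Cisco IOS or from the notes themselves: it parses two constructed captures modelled on the before/after outputs above, pulls out the violation state, and produces a short list of findings for the port. The MAC inventory it checks against (allowed_macs) is made up for the example.

```python
import re

# Constructed sample captures, modelled on the two 'show port-security
# interface fastEthernet 0/5' outputs in these notes: before and after a violation.
BEFORE_VIOLATION = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0060.47BA.7250:10
Security Violation Count   : 0
"""

AFTER_VIOLATION = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0007.EC6D.C364:10
Security Violation Count   : 1
"""

# Each line is 'Field<spaces>: value'.  Splitting on the first colon that has
# whitespace around it keeps 'Last Source Address:Vlan' and 'mac:vlan' intact.
FIELD = re.compile(r"^(.*?)\s+:\s+(.*?)\s*$")


def parse_port_security(text):
    """Return the show output as a dict; purely numeric values become ints."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        fields[key] = int(value) if value.isdigit() else value
    return fields


def last_source(fields):
    """Split 'Last Source Address:Vlan' into (mac, vlan)."""
    mac, _, vlan = fields["Last Source Address:Vlan"].partition(":")
    return mac.lower(), int(vlan)


def audit_port_security(fields, allowed_macs=None):
    """Return a list of findings for one port.  allowed_macs is an optional
    inventory (the set of MACs this port is supposed to carry; constructed here)."""
    if fields.get("Port Security") != "Enabled":
        return ["port-security is not enabled on this port"]
    findings = []
    mac, vlan = last_source(fields)
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append("port is err-disabled by port-security; needs manual recovery")
    if fields.get("Security Violation Count", 0) > 0:
        findings.append(f"{fields['Security Violation Count']} violation(s); "
                        f"last offending source {mac} in VLAN {vlan}")
    if fields.get("Violation Mode") == "Protect":
        findings.append("violation mode 'protect' drops silently; nothing will be logged")
    if allowed_macs is not None and mac not in {m.lower() for m in allowed_macs}:
        findings.append(f"last seen MAC {mac} is not in the inventory for this port")
    return findings


if __name__ == "__main__":
    for label, capture in (("before", BEFORE_VIOLATION), ("after", AFTER_VIOLATION)):
        fields = parse_port_security(capture)
        print(label, audit_port_security(fields, allowed_macs={"0060.47BA.7250"}) or "clean")
```

Feed it the ‘before’ capture and it comes back clean; feed it the ‘after’ capture and it reports the err-disabled state, the violation count, and that the last source address is not the one your inventory expected. On real hardware, bringing an err-disabled port back usually means ‘shutdown’ followed by ‘no shutdown’ on the interface (or errdisable recovery, which is beyond these notes).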

A Note about Notes – #2

So if any of you are already certified (CCNAs/CCNPs/CCIEs), or busy working in the field, and find something inaccurate, or have a comment about something, chime in!

Comment below on any of the notes you see if there is anything you think should be changed or things you think should be added.
(I will, however, do a bit more research into whichever subject you are asking about.)

Notes: CCENT – Switching – Part 2

Notes: CCENT – Switching, & VLANS Pt 2:

Where Switches are:
Application
Presentation
Session
Transport <- Segments
Network <- Routers / Packets / IP addresses
Data Link <- Switches, Bridges / Frames / MAC Addresses
Physical <- Hubs, Repeaters / Bits / Ethernet


I will be using this network I built in Packet Tracer as an example for these notes:
Figure 1:

On a Cisco switch, showing the MAC address table is as easy as:

SW4#show mac-address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

   1    0001.4250.0901    DYNAMIC     Gig1/1
   1    0001.638c.5a01    DYNAMIC     Gig1/1
  10    0001.4250.0901    DYNAMIC     Gig1/1
  10    0001.638c.5a01    DYNAMIC     Gig1/1
  10    0090.2b46.aa2a    DYNAMIC     Fa0/1
  20    0001.4250.0901    DYNAMIC     Gig1/1
  20    0001.638c.5a01    DYNAMIC     Gig1/1
  20    0001.c7a1.1843    DYNAMIC     Fa0/10

This is switch 4’s (SW4) output.

As you can see here, there are two hosts currently on this switch: 0090.2b46.aa2a in VLAN 10 (192.168.10.10) off port 1 (Fa0/1), and 0001.c7a1.1843 in VLAN 20 (192.168.20.10) off port 10 (Fa0/10).
You’ll also notice that 0001.638c.5a01 (and 0001.4250.0901) show up in all three VLANs off Gig1/1. That is because Gig1/1 is actually a trunk link to SW3 that STP has left open, carrying VLANs 1, 10 and 20. Notice there is no other trunk link in there? The trunk link between SW4 and SW5 has been blocked by STP to prevent switching loops. (More about STP and VLANs will come later.)


A MAC Table has other names as well:

  • CAM Table (acronym for ‘content addressable memory’)
  • MAC Table
  • Bridging Table
  • Switching Table

Entries in the MAC table age out: the switch deletes the entry for a MAC address if it hears nothing from that address for 300 seconds.

Yes, it’s 5 minutes, but Cisco switches like to use seconds. Cisco’s equipment likes using base units for just about everything. Instead of kilobits you’ll find yourself using bits; instead of minutes, you’ll be breaking those down to seconds. For example, 256kbs to a Cisco device is usually expressed as 250,000bps. Or clock rates on serial links: you would normally think of 128k, but it’s actually expressed on the command line as “128000”. One thing you need to watch out for is consistency, however, because this is not true across all of IOS. This is why it’s important to use the IOS help feature, ALL the time. It will usually tell you whether you need to specify seconds or minutes, bits or kilobits, etc.

Properties of MAC Tables:

  • When there is a change in the network and new hosts show up on other ports, the switch adds them to the table as well.
  • If a host is moved from one port to another, the switch dynamically updates its MAC table to accommodate the change. It notices that the MAC address that was once coming in on one port is now coming in on another, and updates its table accordingly.
  • It’s usually best to use dynamic entries; it’s better for the switch to update itself than for you to have to do it by hand every time you make a change on the network.
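To make the table above and the aging/learning properties concrete, here is an added example in Python (my own code, not from Cisco or from these notes). It parses a constructed copy of SW4’s ‘show mac-address-table’ output, loads it into a tiny model of a CAM table, and then shows what the notes describe: a host that moves ports overwrites its old entry, a port that carries several VLANs is the trunk, and entries not refreshed within 300 seconds are removed. The timestamps are made-up seconds, not anything the switch prints.

```python
import re

# Constructed sample modelled on SW4's 'show mac-address-table' output in these
# notes: two hosts on access ports, plus the trunk towards SW3 on Gig1/1.
SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

   1    0001.4250.0901    DYNAMIC     Gig1/1
   1    0001.638c.5a01    DYNAMIC     Gig1/1
  10    0001.4250.0901    DYNAMIC     Gig1/1
  10    0001.638c.5a01    DYNAMIC     Gig1/1
  10    0090.2b46.aa2a    DYNAMIC     Fa0/1
  20    0001.4250.0901    DYNAMIC     Gig1/1
  20    0001.638c.5a01    DYNAMIC     Gig1/1
  20    0001.c7a1.1843    DYNAMIC     Fa0/10
"""

ROW = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+(\S+)\s+(\S+)\s*$")

AGING_SECONDS = 300  # default age of a dynamic entry, as stated in these notes


class MacTable:
    """Minimal model of a switch's CAM table: (vlan, mac) -> (port, last_seen)."""

    def __init__(self, aging=AGING_SECONDS):
        self.aging = aging
        self.entries = {}

    def learn(self, vlan, mac, port, now):
        """Source-address learning.  A host that moved ports simply overwrites
        its old entry, which is how the table follows the host around."""
        self.entries[(vlan, mac.lower())] = (port, now)

    def lookup(self, vlan, mac):
        """Port to forward to, or None, meaning the frame must be flooded in that VLAN."""
        entry = self.entries.get((vlan, mac.lower()))
        return entry[0] if entry else None

    def expire(self, now):
        """Delete entries not refreshed within the aging time; return the keys dropped."""
        stale = [k for k, (_, seen) in self.entries.items() if now - seen > self.aging]
        for k in stale:
            del self.entries[k]
        return stale

    def vlans_per_port(self):
        """{port: set of VLANs seen on it}; a port carrying several VLANs is a trunk."""
        out = {}
        for (vlan, _), (port, _) in self.entries.items():
            out.setdefault(port, set()).add(vlan)
        return out


def load_show_output(text, now=0):
    """Populate a MacTable from 'show mac-address-table' text, every entry seen at 'now'."""
    table = MacTable()
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, _entry_type, port = m.groups()
            table.learn(int(vlan), mac, port, now)
    return table


def trunk_ports(table):
    """Ports seen carrying more than one VLAN."""
    return sorted(p for p, vlans in table.vlans_per_port().items() if len(vlans) > 1)


def access_hosts(table):
    """{port: [(vlan, mac), ...]} for ports that carry a single VLAN, i.e. the end hosts."""
    trunks = set(trunk_ports(table))
    hosts = {}
    for (vlan, mac), (port, _) in sorted(table.entries.items()):
        if port not in trunks:
            hosts.setdefault(port, []).append((vlan, mac))
    return hosts
```

Loading the sample output gives exactly the picture described above: Gig1/1 is the only trunk, and Fa0/1 and Fa0/10 each hold one host. Calling learn() for the Fa0/1 host with a new port moves it, and calling expire() 301 seconds later removes everything that was not refreshed, while the freshly moved entry survives.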

__________________________________

There are three switching methods a switch can use (depending on how it is configured) to process a frame once it has decided what to do with it (filter, flood, or forward):

  1. Store-And-Forward – Highest level of error detection, highest latency. The switch stores an entire frame before it is forwarded. While this method is best for error checking, it’s the slowest of the three. It gives the switch a chance to inspect the whole frame and detect any errors in it before sending it to its destination. The switch does this by checking the FCS (Frame Check Sequence) of the frame.
  2. Cut-Through – No error detection, lowest latency. Faster than store-and-forward. It does not check for bad frames and completely ignores the FCS; all it reads of the frame is the destination MAC address.
  3. Fragment-Free – Not as slow as store-and-forward, but still slower than cut-through. This method is a middle ground between the other two: the switch stores the first 64 bytes of a frame and checks that it is not a collision fragment (a ‘runt’ shorter than 64 bytes). If it sees no problem in those first 64 bytes, it forwards the frame.
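Here is an added example, in Python, of the difference between the three methods (my own code, not from Cisco or from these notes). It builds a constructed Ethernet frame with a proper CRC-32 FCS, corrupts one bit in the payload, truncates a copy into a runt, and shows which of the three switching methods drops which frame. The MAC addresses are the two hosts from Figure 1; the payload and the bit position are made up.

```python
import zlib

# Constructed addresses, borrowed from the hosts in Figure 1 of these notes.
HOST_A = "0090.2b46.aa2a"
HOST_B = "0001.c7a1.1843"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(".", ""))


def mac_str(raw):
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def build_frame(dst, src, payload, ethertype=0x0800):
    """Ethernet II frame without preamble: dst, src, type, payload, FCS.
    The FCS is CRC-32 over everything before it (zlib's CRC-32 uses the same
    polynomial), transmitted least-significant byte first.  The payload is
    padded to the 46-byte minimum so a legal frame is at least 64 bytes long."""
    payload = payload.ljust(46, b"\x00")
    body = mac_bytes(dst) + mac_bytes(src) + ethertype.to_bytes(2, "big") + payload
    return body + zlib.crc32(body).to_bytes(4, "little")


def fcs_ok(frame):
    body, fcs = frame[:-4], int.from_bytes(frame[-4:], "little")
    return zlib.crc32(body) == fcs


def flip_bit(frame, byte_offset, bit=0):
    """Simulate line noise: corrupt one bit somewhere inside the frame."""
    b = bytearray(frame)
    b[byte_offset] ^= 1 << bit
    return bytes(b)


def store_and_forward(frame):
    """Buffer the whole frame and verify the FCS; return the destination MAC
    to forward to, or None if the frame is dropped."""
    return mac_str(frame[:6]) if len(frame) >= 64 and fcs_ok(frame) else None


def cut_through(frame):
    """Decide as soon as the 6-byte destination is in; never looks at the FCS."""
    return mac_str(frame[:6]) if len(frame) >= 6 else None


def fragment_free(frame):
    """Wait for the first 64 bytes, dropping collision fragments (runts).
    Errors further into the frame are still passed on."""
    return mac_str(frame[:6]) if len(frame) >= 64 else None
```

With a clean frame all three methods forward to HOST_B. With one flipped bit in the payload, only store-and-forward notices (the FCS no longer matches); cut-through and fragment-free still forward the damaged frame. With a 40-byte runt, cut-through still forwards it, while fragment-free and store-and-forward both drop it.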

__________________________________

Broadcast Storm – A broadcast storm is usually what you get when there are too many hosts sending broadcasts into one broadcast domain, bogging down the CPU and memory. This is where VLANs can come in. When you have about 20 hosts in a broadcast domain, it’s no big deal; a switch worth its weight can easily handle that. But when you’ve got a broadcast domain the size of an entire filled /24 subnet, for example, with 254 devices, the switch is eventually going to crash because it simply can’t handle all that.

Switching Loop – A switching loop occurs when frames (usually broadcasts) are repeatedly sent around redundant links between switches. If you take 2 regular unmanaged switches, connect them to each other with 2 cables, and plug in an end device that sends out broadcasts, you will see a switching loop in action. Frames are constantly sent back and forth between the switches, because what does a switch do with broadcasts? It floods them out every port. Because both switches are in the same broadcast domain, the broadcast is going to reach every host plugged into those switches. A frame goes out the port connected to the other switch, the other switch sends it out the redundant connection back to the first switch, and it keeps returning, back and forth. This will bring a network to a crawl and eventually crash all the switches. If you are working with a production network, don’t cause one.

There is however a mechanism in place to stop this sort of thing and close down redundant links to switches, STP and RSTP. These are enabled by default on Cisco switches for the obvious reasons. There will be more on this later.

[If you are working with two redundant connections to a switch however, why not just bundle them with Etherchannel? Super fast convergence upon link failure, and the added benefit of extra bandwidth all while keeping your redundancy in place. 🙂 ]

__________________________________

VLANs

VLAN stands for “Virtual Local Area Network”. This is where a broadcast domain is segmented into smaller, logical broadcast domains. There are many uses for VLANs. In networks using VoIP phones and PCs, for instance, people like to move all VoIP traffic into its own VLAN. Companies also like to move different departments into their own VLANs: a VLAN for Engineering, another for Sales, another for Quality Control, another for Customer Service, etc. They are also used for security purposes, such as hiding hosts from the outside.

Hosts in separate VLANs cannot communicate with each other without Layer 3 intervention, such as a router. Switches do not allow broadcasts to bleed into other VLANs. If you have groups of hosts in different VLANs and nothing to route between them (‘inter-VLAN routing’), they can’t communicate with each other: you can’t ping, ARP won’t reach into other VLANs, etc. A VLAN is basically a logical grouping of hosts that are usually in the same geographic location.

(There are L3 switches that can do interVLAN routing, but we’re not concerned with them, that is out of the scope of the CCENT/CCNA)

Through the magic of VTP (VLAN Trunking Protocol), you can have a group of switches share the same set of VLANs across an entire ‘VTP domain’.

You’ll notice from Figure 1 that I have three switches connected to each other. These 3 switches are participating in a VTP domain. The name of this VTP domain is CEREALGUY (yes, OK, I used memes for names; go ahead and laugh it all out, I’m too busy to be creative elsewhere). I have two VLANs here, VLAN 10 and 20, but let’s not forget the switch’s default VLANs: VLAN 1 and VLANs 1002-1005. 1002-1005 are there by default, but are not covered in the CCNA.

VLAN1 is Cisco’s default VLAN. In the output below, you’ll find that VLAN1 is labeled default. This VLAN is primarily used as the management VLAN on most switches today. Usually by setting up Telnet Access, a default gateway (ip default-gateway) and assigning VLAN1 an IP, you can remote in. (all this is covered in later notes)

This however, does present a security issue that you need to watch out for. By default, all ports on a switch are assigned to VLAN1. They are all set to “dynamic” by default, meaning that ALL switchports are actively trying to either negotiate trunks to other switches, or negotiating access to end devices:

SW3(config-if-range)#switchport mode ?
  access   Set trunking mode to ACCESS unconditionally
  dynamic  Set trunking mode to dynamically negotiate access or trunk mode
  trunk    Set trunking mode to TRUNK unconditionally

VLAN 1 is also the switch’s default management VLAN. It’s best practice, after you have finished configuring a switch, to reassign all unused ports to another, otherwise unused VLAN and shut them down. I’ll cover more about switch security in later notes.

This is SW3’s output for “show vtp status”:

SW3#show vtp status
VTP Version                     : 2
Configuration Revision          : 5
Maximum VLANs supported locally : 255
Number of existing VLANs        : 7
VTP Operating Mode              : Server
VTP Domain Name                 : CEREALGUY
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xCB 0xC6 0x46 0x4F 0xDA 0x22 0x09 0xAB
Configuration last modified by 192.168.4.2 at 3-1-93 00:02:02
Local updater ID is 192.168.4.2 on interface Vl1 (lowest numbered VLAN interface found)
SW3#

Also, the output for “show vlan brief”:

SW3#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23
10   MEGUSTA                          active
20   Y_U_NO_GUY                       active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
SW3#

__________________________________

SW4#show vtp status
VTP Version                     : 2
Configuration Revision          : 5
Maximum VLANs supported locally : 255
Number of existing VLANs        : 7
VTP Operating Mode              : Client
VTP Domain Name                 : CEREALGUY
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xCB 0xC6 0x46 0x4F 0xDA 0x22 0x09 0xAB
Configuration last modified by 192.168.4.2 at 3-1-93 00:02:02
SW4#
SW4#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
10   MEGUSTA                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9
20   Y_U_NO_GUY                       active    Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
SW4#

We are using SW4’s output for reference here; you can see the topology in Figure 1.

As you can see, on this switch, unlike in the output from SW3, the ports are in different VLANs. However, when you look at “show vtp status”, you can see that the VTP domain name is the same as on SW3. Notice that “VTP Operating Mode” is Client here, while on SW3 it was Server; this is because SW4 is a client in the “CEREALGUY” domain. (VTP will be talked about later.)

Moving ports on switches around to VLANs is pretty easy. These settings are simply changed at the interface level:

SW4#conf t
SW4(config)#interface fastethernet 0/1
OR SW4(config)#interface range fastethernet 0/1 - 5
SW4(config-if-range)#switchport access ?
  vlan  Set VLAN when interface is in access mode
SW4(config-if-range)#switchport access vlan ?
  <1-1005>  VLAN ID of the VLAN when this port is in access mode

(Notice how I used “range” there. In Cisco’s switch IOS, going to each individual port to change parameters that are going to be identical on other ports is pretty time consuming. This is why the IOS has the “range” keyword in the syntax: it lets you apply a configuration to a “range” of ports, not just one individual port.)
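Tying the VLAN 1 security point together with the “range” syntax, here is an added example in Python (my own, not from Cisco or from these notes) that reads a constructed, trimmed copy of SW3’s ‘show vlan brief’ output, lists the ports still sitting in VLAN 1 that an inventory does not say are in use, and generates the IOS lines to park them: static access mode (so they stop negotiating trunks), an unused VLAN, and shutdown. The inventory list and the parking VLAN number 999 are assumptions for the example; the parking VLAN must exist in the VTP domain before the config is applied.

```python
import re

# Constructed sample modelled on SW3's 'show vlan brief' in these notes, trimmed:
# ten access ports left in VLAN 1, two moved to VLAN 10, nothing in VLAN 20.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10
10   MEGUSTA                          active    Fa0/11, Fa0/12
20   Y_U_NO_GUY                       active
1002 fddi-default                     active
"""

VLAN_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")   # line starts with the VLAN id
CONT_ROW = re.compile(r"^\s+(\S.*)$")                       # wrapped continuation of the port list
INTERFACE = re.compile(r"^([A-Za-z]+)(\d+/)(\d+)$")          # e.g. Fa0/12
LONG_NAMES = {"Fa": "fastethernet", "Gig": "gigabitethernet"}


def split_ports(s):
    return [p.strip() for p in s.split(",") if p.strip()]


def parse_vlan_brief(text):
    """Return {vlan_id: {'name', 'status', 'ports'}}, joining wrapped port lists."""
    vlans, current = {}, None
    for line in text.splitlines():
        m = VLAN_ROW.match(line)
        if m:
            vid, name, status, ports = m.groups()
            current = int(vid)
            vlans[current] = {"name": name, "status": status, "ports": split_ports(ports)}
            continue
        m = CONT_ROW.match(line)
        if m and current is not None:
            vlans[current]["ports"].extend(split_ports(m.group(1)))
    return vlans


def ports_in_vlan1(vlans, in_use=()):
    """Ports still in the default VLAN that the (constructed) inventory does not list as in use."""
    return [p for p in vlans.get(1, {}).get("ports", []) if p not in set(in_use)]


def interface_ranges(ports):
    """Collapse ['Fa0/1','Fa0/2','Fa0/3','Fa0/7'] into IOS range arguments
    ['fastethernet 0/1 - 3', 'fastethernet 0/7']."""
    parsed = []
    for p in ports:
        m = INTERFACE.match(p)
        if not m:
            raise ValueError(f"unrecognised interface name: {p}")
        kind, slot, num = m.groups()
        parsed.append((LONG_NAMES.get(kind, kind.lower()), slot, int(num)))
    groups = []
    for kind, slot, num in sorted(parsed):
        if groups and groups[-1][:2] == [kind, slot] and groups[-1][3] == num - 1:
            groups[-1][3] = num
        else:
            groups.append([kind, slot, num, num])
    return [f"{k} {s}{a}" if a == b else f"{k} {s}{a} - {b}" for k, s, a, b in groups]


def hardening_config(ports, parking_vlan=999):
    """Emit the IOS lines that park the given ports.  The parking VLAN number
    is an assumption for this example and must already exist in the VTP domain."""
    lines = []
    for rng in interface_ranges(ports):
        lines.append(f"interface range {rng}")
        lines.append(" switchport mode access")
        lines.append(f" switchport access vlan {parking_vlan}")
        lines.append(" shutdown")
    return "\n".join(lines)


if __name__ == "__main__":
    vlans = parse_vlan_brief(SHOW_VLAN_BRIEF)
    print(hardening_config(ports_in_vlan1(vlans, in_use=["Fa0/5"])))
```

If the inventory says only Fa0/5 is really in use, the script collapses the remaining VLAN 1 ports into two ‘interface range fastethernet …’ blocks. Parsing the wrapped port list is the only fiddly part: every row of ‘show vlan brief’ that does not start with a VLAN number is a continuation of the previous row’s port list.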

A note about notes.

One thing people need to be aware of: the reason I titled these posts “Notes” is because that’s exactly what they are.
I have been emailed about them, asking if I’m writing some sort of textbook or something. No, I am not. I am simply posting them here because I am using them for my own learning. They can be used by others as notes, something to skim over, something to help reinforce their knowledge.

These notes should NOT be your primary source of learning. Again, they’re just NOTES. Pick up a text book, listen to your instructor, watch your instructor videos.