
Question Bank for 32011 – Version D

Chapter 1

1. A flat, or non-hierarchical, network design can suffer from a number of
problems. Briefly discuss these problems. In what cases may a flat
network design be appropriate? (Section 1.1.3)

• Collisions increase as devices are added, reducing network throughput.
• Broadcast traffic increases as devices are added to the network, causing
over-utilization of network resources.
• Isolating problems on a large flat network can be difficult.

A flat network is simple to install and configure, so it is a good fit for home
networking and small offices. The downside is that it does not scale well as
demands on the network increase.

2. Describe what is meant by the term multilayer switching. List and briefly
describe several characteristics or advantages of the use of multilayer
switching in network design. (Section 1.1.6)

Multilayer switching is hardware-based switching and routing integrated into a
single platform. A multilayer switch does everything to a frame and packet that
a traditional switch and router do, including the following:
• Provides multiple simultaneous switching paths
• Segments broadcast and failure domains
• Provides destination-specific frame forwarding based on layer 2 information
• Determines the forwarding path based on layer 3 information
• Validates the integrity of the layer 2 frame and the layer 3 packet via
checksums and other methods
• Verifies packet expiration (TTL) and updates it accordingly
• Processes and responds to any option information
• Updates forwarding statistics in the MIB
• Applies security and policy controls (ACLs, QoS policy), if required
• Provides optimal path determination
• Can support a wide variety of media types and port densities
• Has the ability to support QoS
• Has the ability to support VoIP and inline power requirements

3. A hierarchical campus network may consist of a building access layer, a
building distribution layer and a building core layer. Describe the main
functions and characteristics of each of these layers. (Section 1.1.8)

• Building access layer: grants users access to network devices. In a campus
network it generally incorporates switched LAN devices with ports that
provide connectivity to workstations and servers. In the WAN environment,
the building access layer at remote sites may provide access to the corporate
network across WAN technology.
• Building distribution layer: aggregates the wiring closets and uses switches to
segment workgroups and isolate network problems.
• Building core layer: also known as the campus backbone submodule, it is a
high-speed backbone designed to switch packets as fast as possible. Because
the core is critical for connectivity, it must provide a high level of
availability and adapt to changes very quickly.

4. Different models of Cisco switches may run different operating systems,
that is, Cisco IOS and CatOS. These OSs provide significantly different
user interfaces which may confuse and irritate administrators. Suggest a
reason for the existence of two operating systems on Cisco switch models.
Which OS will probably dominate in future Cisco switches? (Section
1.1.11)

Cisco CatOS was traditionally used to configure layer 2 parameters on the
modular switches.
Cisco IOS is the standard software for most other switches and for layer 3
configuration on modular switches (a modular switch running CatOS on the
supervisor for layer 2 and IOS on its route processor is the "hybrid" mode).
Cisco IOS is the one that will dominate: CatOS has been retired and newer
Catalyst platforms run IOS only.

Chapter 2

1. What is an end-to-end VLAN? Briefly describe some of the characteristics
and possible problems with an end-to-end VLAN. (Section 2.1.6)

A single VLAN associated with switch ports that are widely dispersed
throughout an enterprise network.
• Geographically dispersed throughout the network
• Users are grouped into the VLAN regardless of physical location
• As a user moves throughout a campus, the VLAN membership of the user
remains the same
• Users are typically associated with a given VLAN for network management
reasons
• All devices on a given VLAN typically have addresses on the same IP
subnet.

Problems:
• Switch ports are provisioned for each user and associated with a given
VLAN. Because users on an end-to-end VLAN may be anywhere in the network,
all switches must be aware of the VLAN.
• Flooded traffic for the VLAN is passed to every switch, even one that does
not currently have any active ports in that end-to-end VLAN.
• Troubleshooting devices on a campus with end-to-end VLANs can be
challenging, because the traffic for a single VLAN can traverse multiple
switches in a large area of the campus.

2. What is a local VLAN? Briefly describe some of the characteristics of a
local VLAN. (Sections 2.1.7, 2.1.8)

VLANs that have boundaries based upon campus geography rather than
organizational function are called local VLANs. They are generally confined to
a wiring closet.

• Local VLANs should be created with physical boundaries rather than the job
functions of the users on the end devices.
• Traffic from a local VLAN is routed to reach destinations on other networks.
• A single VLAN does not extend beyond the building distribution submodule.

Benefits of local VLANs in the Enterprise Campus network module design:

• Deterministic traffic flow
• Active redundant paths
• High availability
• Finite failure domain
• Scalable design

3. Switch ports may be assigned to VLANs either statically or dynamically.
Briefly describe the differences, advantages and disadvantages of each
method. (Section 2.2.2)

Statically: the administrator manually assigns the access port to a VLAN, and
that VLAN must exist in the VLAN database of the switch. This is simple,
predictable and needs no extra infrastructure, but every move or change is a
manual port reconfiguration.

Dynamically: switch ports can be dynamically associated with a given VLAN
based upon the MAC address of the device connecting on that port. It requires
that the switch query a VLAN Membership Policy Server (VMPS) to determine
which VLAN to associate with a switch port when a specific source MAC address
is seen on that port.
It might be beneficial with a set of workstations that rove throughout the
enterprise. Some security situations may require dynamic VLAN association.
Dynamic VLANs require additional equipment (the VMPS) and are not consistent
with the ECNM (Enterprise Composite Network Model).

4. VLAN traffic carried over trunk links may be identified as ISL
encapsulated or 802.1Q tagged. Compare and contrast these two methods
of frame marking. (Sections 2.3.1, 2.3.2, 2.3.3)

ISL: proprietary, encapsulated, protocol independent, encapsulates the
original frame in a new frame.

802.1Q: nonproprietary, tagged, protocol dependent, adds a field to the frame
header.

ISL protocol: supports multiple layer 2 protocols, supports PVST. Does not use
a native VLAN, so it encapsulates every frame. The encapsulation process leaves
the original frame unmodified.

When a switch port is configured as an ISL trunk port, the entire original
layer 2 frame, including the header and FCS trailer, is encapsulated before it
traverses the trunk link. Encapsulation places an additional header in front of
and a trailer at the end of the original layer 2 frame.

802.1Q protocol: supports Ethernet and Token Ring, supports 4096 VLAN IDs
(12-bit VID field), supports CST, MSTP and RSTP, point-to-multipoint topology
support, support for untagged traffic over the trunk via the native VLAN,
extended QoS support, growing standard for IP telephony links.

The 802.1Q protocol adds a tag, or field, to the standard layer 2 Ethernet data
frame. Because inserting the tag alters the original frame, the switch must
recalculate and alter the FCS value of the original frame before sending it out
the 802.1Q trunk port.
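
The tag insertion and FCS recalculation described above, as an added Python
example (this is not code from the question bank or from Cisco): it builds an
untagged Ethernet II frame with a CRC-32 FCS, inserts an 802.1Q tag (TPID 0x8100
followed by the 16-bit TCI holding PCP, DEI and VID), recomputes the FCS, strips
the tag again and parses the result. The MAC addresses and payload are
constructed for the example; the FCS is written least-significant byte first,
as IEEE 802.3 transmits it.

```python
import struct
import zlib

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def _fcs(body: bytes) -> bytes:
    """CRC-32 over the frame body, transmitted least-significant byte first (IEEE 802.3)."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst, src, EtherType, payload, FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + _fcs(body)


def fcs_ok(frame: bytes) -> bool:
    """Check the trailing FCS the way a receiving switch does."""
    return _fcs(frame[:-4]) == frame[-4:]


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC and recompute the FCS.

    The tag changes the bytes the CRC covers, so the old FCS is dropped and a
    new one is calculated; a switch that merely inserted the tag and kept the
    original FCS would emit a frame every receiver discards as corrupt.
    """
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("bad tag fields")
    tci = (pcp << 13) | (dei << 12) | vid
    body = frame[:-4]
    tagged = body[:12] + struct.pack("!HH", TPID_8021Q, tci) + body[12:]
    return tagged + _fcs(tagged)


def untag_frame(frame: bytes) -> bytes:
    """Remove the outermost 802.1Q tag (what an access port or native-VLAN egress does)."""
    body = frame[:-4]
    if struct.unpack("!H", body[12:14])[0] != TPID_8021Q:
        return frame
    stripped = body[:12] + body[16:]
    return stripped + _fcs(stripped)


def parse_frame(frame: bytes) -> dict:
    """Fields of a frame that may carry one 802.1Q tag, plus an FCS verdict."""
    info = {"dst": frame[0:6], "src": frame[6:12], "vid": None, "pcp": None, "fcs_ok": fcs_ok(frame)}
    off = 12
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        info["vid"], info["pcp"] = tci & 0x0FFF, tci >> 13
        off += 4
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    info["ethertype"] = ethertype
    info["payload"] = frame[off + 2:-4]
    return info


def demo() -> dict:
    # Constructed addresses and a 46-byte placeholder payload (the minimum Ethernet payload).
    dst, src = bytes.fromhex("005056000001"), bytes.fromhex("005056000002")
    frame = build_frame(dst, src, 0x0800, b"\x45" + bytes(45))
    tagged = tag_frame(frame, vid=100, pcp=5)
    # What a broken implementation would send: tag inserted, original FCS kept.
    naive = frame[:12] + struct.pack("!HH", TPID_8021Q, 100) + frame[12:]
    return {
        "untagged_ok": fcs_ok(frame),
        "tagged_ok": fcs_ok(tagged),
        "naive_ok": fcs_ok(naive),
        "overhead": len(tagged) - len(frame),
        "tagged": parse_frame(tagged),
        "roundtrip": untag_frame(tagged) == frame,
    }
```

The four-byte overhead is the whole cost of 802.1Q, which is why a native VLAN
can be carried untagged at all; ISL, by contrast, wraps the complete original
frame (its own FCS included) in a new header and trailer and never has to
touch the inner FCS.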

5. Briefly describe the purpose and operation of Dynamic Trunking Protocol
(DTP). What is regarded as “best practice” with respect to interface
settings for DTP? (Section 2.3.6)

With DTP, a switch can automatically negotiate a trunk link. This Cisco
proprietary protocol can determine an operational trunking mode and protocol on
a switch port when it is connected to another device that is also capable of
dynamic trunk negotiation.

The best practice is to set the interface to trunk and nonegotiate when a trunk
link is required. DTP should be turned off on links where trunking is not
intended; a port left in a dynamic mode can be talked into becoming a trunk by
whatever is plugged into it.

6. Explain the purpose of VLAN Trunking Protocol (VTP) (Sections 2.4.1,
2.4.2)

Maintaining a consistent list of VLANs across many switches by hand is
administratively cumbersome and potentially error prone; VTP is designed to
automate it. VTP runs over trunk links, allowing interconnected switches to
distribute and synchronize a single list of configured VLANs. This process
reduces the manual configuration required at each switch; VLANs can be created
on one switch and then propagated to others.

7. A switch may operate in one of three VTP modes. List these modes.
Discuss significant differences between these modes. (Section 2.4.3)

• Server
o Creates, modifies and deletes VLANs at the CLI.
o Generates VTP advertisements and forwards advertisements from
other switches in the same management domain
o May update its own VLAN database with information received from
other servers in the management domain
o Saves VLAN configuration information in the vlan.dat file in flash memory
• Client
o Cannot create, modify or delete VLANs at the CLI
o Forwards VTP advertisements received
o Synchronizes its own VLAN database with the latest information
received from a VTP server in the management domain
o VLAN information is in RAM only, not stored in NVRAM or flash
memory; it must be repopulated from a VTP server if the switch is power
cycled
• Transparent
o Creates, modifies and deletes VLANs in the VLAN database on the local
switch only
o Does not generate VTP advertisements
o Does not update its VLAN database with information received from VTP
servers in the same management domain
o Forwards VTP advertisements received from VTP servers in the same
VTP domain
o Always has a configuration revision number of 0
o Saves its VLAN configuration in NVRAM

Because servers and clients accept any advertisement carrying a higher
configuration revision number than their own, a switch that previously belonged
to a domain with the same name and a higher revision can overwrite the VLAN list
of the whole domain when it is connected. Reset the revision first (changing the
domain name or setting transparent mode zeroes it) before adding a switch.

Chapter 3

1. Explain the purpose of the Spanning Tree Protocol (STP). (Sections 3.1.2,
3.1.3)
A bridging loop occurs when redundant layer 2 paths exist, because layer 2 has
no mechanism such as a time-to-live field to stop a frame from circulating
endlessly.

STP resolves the problem: if there are alternative links to a destination on a
switch, only one link is used to forward data. The switch ports associated with
the alternative paths remain aware of the network topology and forward frames
over an alternative link if a failure occurs on a primary link.

2. Outline the process by which Spanning Tree Protocol (STP) converts a
network containing loops into a loop-free network. (Section 3.1.4)

1. STP communicates layer 2 information between adjacent switches by
exchanging bridge protocol data unit (BPDU) messages.
2. A single root bridge is chosen to serve as the reference point from which a
loop-free topology is built for all switches exchanging BPDUs.
3. Each switch, except for the root bridge, selects a root port that provides
the best path to the root bridge.
4. On a link between two nonroot switches, a port on one switch
becomes the designated port, and the port on the other switch is placed in
the blocking state and does not forward frames. The designated
port is on the switch with the best path to the root bridge.

3. The operation of Spanning Tree Protocol (STP) requires the election of a
root bridge. Explain the method by which the root bridge is chosen.
(Section 3.1.5)

1. Upon startup, each switch transmits BPDUs out all enabled interfaces on
a per-VLAN basis. At startup, each switch sets the root ID equal to its own
BID. During this time, the switch ports are not used to forward standard
data frames.
2. As the BPDUs propagate through the network, each switch compares the
root ID it sent out to the one it received.
3. If the received root ID is superior (lower), the switch propagates it;
otherwise, it continues to send its own BID as the root ID in
transmitted BPDUs.
4. On the root bridge, all ports are designated ports in the forwarding state.
5. Nonroot bridges must determine an optimal path to the root.

4. In a switched network, each switch has a bridge ID (BID), which is
instrumental in the root bridge election process. What elements compose
the BID? How can the network administrator influence the root bridge
election? Why would the administrator want to do so anyway? (Section
3.1.5)

The BID is an 8-byte value made up of a 2-byte bridge priority followed by the
6-byte MAC address of the switch (with PVST+ and the extended system ID, the
VLAN number occupies the low 12 bits of the priority field, so the configurable
priority is a multiple of 4096). Lower BID values are preferred; the priority
field helps determine which bridge is going to be the root and can be manually
altered. The priority field is set to 32768 by default; when the default
priority is the same on all bridges, the root bridge is selected on the lowest
MAC address.

The administrator can influence the root bridge election with the commands
“spanning-tree vlan 1 root primary”, “spanning-tree vlan 1 root secondary”
and “spanning-tree vlan 1 priority #”. Left to the default, the root is simply
the switch with the lowest MAC address, which is often an old access switch;
the administrator wants the root (and a secondary root) to be a core or
distribution switch so that traffic follows the intended high-speed paths and
the topology is predictable.

5. For the operation of Spanning Tree Protocol (STP), ports employed in
inter-switch links may take up or pass through several of four states (also
called roles). Name these states, and briefly describe what the port is doing
in each of these states. (Section 3.1.6)

o Root port - this port exists on nonroot bridges and is the switch port with
the best path to the root bridge. Root ports forward traffic toward the
root bridge, and the source MAC addresses of frames received on the root
port are used to populate the MAC table. Only one root port is
allowed per bridge.
o Designated port – exists on root and nonroot bridges. For the root bridge,
all switch ports are designated ports. For nonroot bridges, a designated
port is the switch port that receives and forwards frames toward the
root bridge as needed. Only one designated port is allowed per segment.
If multiple switches exist on the same segment, an election process
determines the designated switch, and the corresponding switch port
begins forwarding frames for the segment. Designated ports populate
the MAC table.
o Nondesignated port – a switch port that is not forwarding (blocking)
data frames and not populating the MAC address table with the source
addresses of the frames seen on that segment.
o Disabled port – a switch port that is shut down.

6. In a switched network, one of the functions of Spanning Tree Protocol
(STP) is to find a least-cost path from a switch to the root bridge. How is
the cost determined? Can an administrator modify the default cost? List
the default costs most recently recommended by the IEEE. (Section 3.1.6)
Each bridge advertises its spanning tree path cost in the BPDU; this is the
cumulative cost of all the links from the root bridge to the switch sending the
BPDU. The receiving switch adds the cost of the port on which the BPDU arrived
and uses the total to determine its best path to the root bridge. The lowest
cost is considered to be the best path.

Lower values are associated with higher bandwidth and are therefore the
more desirable path.

The administrator can modify the default cost per port (spanning-tree cost).

Default IEEE port costs: 10 Gbps – 2; 1 Gbps – 4; 100 Mbps – 19; 10 Mbps – 100
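
Questions 2 to 6 above describe the election and the cost comparison in prose;
the following Python model, added here and not part of the question bank or of
any Cisco software, computes the result for a small topology. It elects the
root on the lowest (priority, MAC) BID, finds each switch's root path cost with
the IEEE costs listed above and the (cost, sender BID, sender port) tie-break,
assigns root, designated and blocking roles, and models what “spanning-tree
vlan 1 root primary” does to the priority. The three switches, their MAC
addresses and links are constructed for the example; port IDs are compared as
strings, which stands in for the real priority-plus-number port ID.

```python
import heapq

# IEEE 802.1D port costs quoted above, keyed by link speed in Mbit/s
IEEE_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}
DEFAULT_PRIORITY = 32768


def bid(switch):
    """Bridge ID as a comparable tuple: 2-byte priority first, then the 6-byte MAC."""
    return (switch["priority"], switch["mac"])


def root_primary(name, switches):
    """Model 'spanning-tree vlan N root primary': priority becomes 24576, or 4096
    below the current root's priority if that root is already below 24576."""
    current = min(switches.values(), key=bid)
    switches[name]["priority"] = 24576 if current["priority"] > 24576 else current["priority"] - 4096


def spanning_tree(switches, links):
    """Return (root name, {switch: root path cost}, {(switch, port): role}).

    links: list of (sw_a, port_a, sw_b, port_b, speed_mbps). Each switch keeps the
    BPDU that wins on (root path cost, sender BID, sender port ID), which is the
    comparison order a real bridge applies.
    """
    root = min(switches, key=lambda n: bid(switches[n]))
    best = {root: (0, None, None, None)}      # name -> (cost, sender BID, sender port, link index)
    heap = [(0, bid(switches[root]), root)]
    while heap:
        cost, _, name = heapq.heappop(heap)
        if cost > best[name][0]:
            continue                           # stale heap entry
        for idx, (a, pa, b, pb, speed) in enumerate(links):
            if name not in (a, b):
                continue
            nbr, my_port = (b, pa) if name == a else (a, pb)
            # The receiver adds the cost of its own ingress port; both ends run at 'speed'.
            cand = (cost + IEEE_COST[speed], bid(switches[name]), my_port, idx)
            if nbr not in best or cand[:3] < best[nbr][:3]:
                best[nbr] = cand
                heapq.heappush(heap, (cand[0], bid(switches[nbr]), nbr))

    roles = {}
    for idx, (a, pa, b, pb, _) in enumerate(links):
        # The designated port on a segment is the end with the lower
        # (root path cost, BID, port); the root's ports are always designated.
        ends = sorted([(best[a][0], bid(switches[a]), pa, a),
                       (best[b][0], bid(switches[b]), pb, b)])
        (_, _, d_port, d_sw), (_, _, o_port, o_sw) = ends
        roles[(d_sw, d_port)] = "designated"
        # The other end is the root port if this link carries its best path, else it blocks.
        roles[(o_sw, o_port)] = "root" if best[o_sw][3] == idx else "blocking"
    return root, {n: best[n][0] for n in best}, roles


def demo(promote=None):
    """Three-switch triangle (constructed). With defaults SW1 wins on lowest MAC;
    promote='SW3' shows the administrator overriding that with 'root primary'."""
    switches = {
        "SW1": {"priority": DEFAULT_PRIORITY, "mac": "0000.0000.0001"},
        "SW2": {"priority": DEFAULT_PRIORITY, "mac": "0000.0000.0002"},
        "SW3": {"priority": DEFAULT_PRIORITY, "mac": "0000.0000.0003"},
    }
    links = [
        ("SW1", "Gi0/1", "SW2", "Gi0/1", 1000),
        ("SW1", "Gi0/2", "SW3", "Gi0/2", 1000),
        ("SW2", "Fa0/3", "SW3", "Fa0/3", 100),
    ]
    if promote:
        root_primary(promote, switches)
    return spanning_tree(switches, links)
```

With the defaults SW1 is root only because its MAC is lowest; SW2 and SW3 both
reach it at cost 4, and the tie on the SW2-SW3 segment is broken by BID, so
SW3's Fa0/3 blocks. After promoting SW3, SW2 reaches the new root at cost 8
through SW1 rather than 19 over the 100 Mbps link, which is the kind of path
choice the administrator is steering when setting the root deliberately.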

7. The original Spanning Tree Protocol (STP) created a single tree for each
and every VLAN in a switched network. Per-VLAN Spanning Tree (PVST)
and Multiple Spanning Tree Protocol were later developments. Briefly
discuss advantages and disadvantages of STP, PVST and MSTP. (Sections
3.1.7, 3.3.1)

• STP (one common spanning tree for all VLANs)
o Advantages: simpler in design and places a lighter load on the CPU.
o Disadvantages: precludes load balancing and can lead to incomplete
connectivity in certain VLANs.
• PVST
o Advantages: allows a separate instance of spanning tree per VLAN and
includes Cisco proprietary features such as PortFast and UplinkFast.
o Disadvantages: each VLAN creates one spanning tree instance, even when
several VLANs share the same topology.
• MSTP
o Advantages: reduces the total number of spanning tree instances to match
the physical topology of the network, and thus reduces the CPU loading of
a switch. MSTP allows you to build multiple spanning trees over trunks by
grouping VLANs and associating them with spanning tree instances.
o Disadvantages: more complicated to configure.

Chapter 4

1. Inter-VLAN communication can be achieved by use of an external router.
This has both advantages and disadvantages. Briefly discuss the
advantages and disadvantages. (Section 4.1.1)

Advantages:
o Implementation is simple
o Layer 3 services are not required on the switch
o The router provides communications between VLANs
Disadvantages:
o The router is a single point of failure
o The single traffic path between the switch and the router ("router on a
stick") may become congested
o Latency is higher than on a layer 3 switch

2. A Layer 3 switch may handle an incoming frame by either performing
Layer 2 switching or Layer 3 routing. Briefly explain how the switch
decides between Layer 2 and 3 processing for an incoming frame. (Section
4.1.4)

Layer 2 forwarding in hardware is based on the destination MAC address. The
layer 2 switch learns and records the source MAC address from all frames that it
receives. The MAC address table lists MAC addresses paired with the associated
VLANs and interfaces. When a frame is received on an interface, the switch looks
up the destination MAC among the interfaces that belong to that VLAN and
forwards the frame out the appropriate interface (or floods it within the VLAN
if the address is unknown).

Layer 3 forwarding is based on the destination IP address. Layer 3 forwarding
occurs when a packet is routed from a source in one subnet to a destination in
another subnet. When a multilayer switch (MLS) sees its own MAC address (the
MAC of the VLAN's SVI) as the destination in the layer 2 header, it recognizes
that the packet is either destined for itself or is to be routed. If the packet
is not destined for the MLS, the destination IP address is compared against the
layer 3 forwarding table for the longest match. In addition, router ACL checks
are performed. In this case the frame header needs to be rewritten with new
source and destination MAC addresses (and the IP TTL is decremented).
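
The decision described above in a small Python model, added here as an
example (it is not code from the question bank or from any Cisco product):
frames whose destination MAC is not the ingress VLAN's SVI MAC are bridged on
the MAC table; frames addressed to the SVI MAC go through a router ACL check, a
longest-prefix lookup, TTL handling and a MAC rewrite. The SVI MACs, host
addresses, routes and ACL entries are constructed for the example.

```python
import ipaddress


class MultilayerSwitch:
    """Toy model of the layer 2 / layer 3 decision in a multilayer switch."""

    def __init__(self, svi_macs):
        self.svi_macs = svi_macs          # {vlan: MAC of that VLAN's SVI}; constructed values
        self.mac_table = {}               # (vlan, mac) -> port, learned from source MACs
        self.routes = []                  # (ip_network, egress vlan)
        self.arp = {}                     # next-hop ip -> mac
        self.acl = []                     # (src_network, dst_network, "permit"/"deny"), first match wins

    def learn(self, vlan, mac, port):
        self.mac_table[(vlan, mac)] = port

    def add_route(self, prefix, vlan):
        self.routes.append((ipaddress.ip_network(prefix), vlan))

    def lpm(self, dst_ip):
        """Longest-prefix match against the layer 3 forwarding table."""
        ip = ipaddress.ip_address(dst_ip)
        hits = [r for r in self.routes if ip in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen, default=None)

    def acl_permits(self, src_ip, dst_ip):
        """Router ACL: first matching entry wins, implicit deny at the end."""
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for src_net, dst_net, action in self.acl:
            if s in src_net and d in dst_net:
                return action == "permit"
        return False

    def forward(self, in_vlan, in_port, frame):
        """frame: dict(dst_mac, src_mac, src_ip, dst_ip, ttl). Returns the forwarding decision."""
        self.learn(in_vlan, frame["src_mac"], in_port)
        if frame["dst_mac"] != self.svi_macs.get(in_vlan):
            # Layer 2 path: the frame is not addressed to the switch itself, so it is
            # bridged inside the ingress VLAN on the destination MAC alone.
            port = self.mac_table.get((in_vlan, frame["dst_mac"]))
            return {"action": "l2-forward" if port else "l2-flood", "vlan": in_vlan,
                    "out_port": port, "frame": frame}
        # Layer 3 path: destination MAC is the SVI's own MAC, so the packet is routed.
        if not self.acl_permits(frame["src_ip"], frame["dst_ip"]):
            return {"action": "drop", "reason": "acl"}
        route = self.lpm(frame["dst_ip"])
        if route is None:
            return {"action": "drop", "reason": "no route"}
        if frame["ttl"] <= 1:
            return {"action": "drop", "reason": "ttl expired"}
        out_vlan = route[1]
        next_hop_mac = self.arp.get(frame["dst_ip"])
        if next_hop_mac is None:
            return {"action": "punt", "reason": "arp needed", "vlan": out_vlan}
        # Rewrite the layer 2 header for the new segment and decrement the TTL.
        rewritten = dict(frame, src_mac=self.svi_macs[out_vlan], dst_mac=next_hop_mac,
                         ttl=frame["ttl"] - 1)
        return {"action": "l3-route", "vlan": out_vlan,
                "out_port": self.mac_table.get((out_vlan, next_hop_mac)), "frame": rewritten}


def demo():
    # Constructed topology: VLAN 10 = 10.1.10.0/24, VLAN 20 = 10.1.20.0/24, VLAN 30 = 10.1.30.0/24.
    sw = MultilayerSwitch({10: "0000.0c00.0010", 20: "0000.0c00.0020", 30: "0000.0c00.0030"})
    for prefix, vlan in (("10.1.10.0/24", 10), ("10.1.20.0/24", 20), ("10.1.30.0/24", 30)):
        sw.add_route(prefix, vlan)
    sw.learn(10, "0200.0000.0a03", "Fa0/3")            # host C, VLAN 10
    sw.learn(20, "0200.0000.1405", "Fa0/2")            # host B, VLAN 20
    sw.arp["10.1.20.5"] = "0200.0000.1405"
    sw.acl = [(ipaddress.ip_network("10.1.10.0/24"), ipaddress.ip_network("10.1.30.0/24"), "deny"),
              (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("0.0.0.0/0"), "permit")]
    host_a = {"src_mac": "0200.0000.0a01", "src_ip": "10.1.10.1", "ttl": 64}
    same_vlan = sw.forward(10, "Fa0/1", dict(host_a, dst_mac="0200.0000.0a03", dst_ip="10.1.10.3"))
    routed = sw.forward(10, "Fa0/1", dict(host_a, dst_mac="0000.0c00.0010", dst_ip="10.1.20.5"))
    denied = sw.forward(10, "Fa0/1", dict(host_a, dst_mac="0000.0c00.0010", dst_ip="10.1.30.9"))
    return same_vlan, routed, denied
```

Note that the ACL is only consulted on the routed path: a frame bridged inside
VLAN 10 never sees it, which is exactly why "attacks between devices on a
common VLAN" (chapter 8) need private VLANs or VLAN access maps rather than a
router ACL.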

3. In configuring frame encapsulation for trunk ports, most administrators
prefer to use IEEE 802.1Q, rather than ISL. Briefly suggest reasons for
this preference. (Section 4.1.3 mentions encapsulation, but students may
need to look elsewhere for an answer.)

802.1Q is a nonproprietary, open standard, so it interoperates with non-Cisco
switches, routers, servers and IP phones.

ISL is only available on Cisco equipment (and not on all Cisco models), and
its 30-byte encapsulation adds more overhead per frame than the 4-byte 802.1Q
tag.

4. Briefly describe what is meant by the term switch virtual interface (SVI).
(Section 4.2.1)

An SVI is a virtual layer 3 interface that can be configured for any VLAN that
exists on a layer 3 switch. It is virtual in that there is no physical interface
for the VLAN, and yet it can accept the configuration parameters applied to a
layer 3 router interface. The SVI for the VLAN provides layer 3 processing for
packets from all switch ports associated with that VLAN. Only one SVI can be
associated with a VLAN.

5. An administrator may configure one or more switch virtual interfaces
(SVI) on a switch. Give several reasons why the administrator might do
this. (Section 4.2.1)

o to provide a default gateway for a VLAN so that traffic can be routed
between VLANs
o to provide fallback bridging if it is required for non-routable protocols
o to provide layer 3 IP connectivity to the switch (management address)
o to support routing protocol and bridging configurations

6. A multilayer switch may be configured with one or more routed ports.
What is a routed port? What configuration command is required to
convert a port into a routed port? (Sections 4.2.4, 4.2.5, 4.2.6)

A routed switch port is a physical switch port on a multilayer switch that is
capable of layer 3 packet processing. A routed port is not associated with a
particular VLAN, in contrast with an access port or SVI. The switch port
functionality is removed from the interface. A routed port behaves like a
regular router interface, except that it does not support VLAN subinterfaces.

A routed port has the following characteristics and functions:

o physical switch port with layer 3 capability
o not associated with any VLAN
o serves as the default gateway for devices out that switch port
o layer 2 port functionality must be removed before it can be configured

The command that converts the port is “no switchport”; the usual sequence is:

1. switch(config)#ip routing
2. switch(config-if)#no switchport
3. switch(config-if)#ip address …..
4. switch(config)#router …..

Chapter 5

1. Briefly describe the purpose and operation of Hot Standby Router Protocol
(HSRP). (Sections 5.1.2, 5.1.4)

HSRP defines a standby group, with each router assigned to a specific role
within the group. HSRP provides gateway redundancy by sharing a virtual IP and
MAC address between redundant gateways. The protocol transmits virtual MAC and
IP address information between the routers belonging to the same HSRP group.

A set of routers works in concert to present the illusion of a single virtual
router to the hosts on the LAN. By sharing an IP and MAC address, two or more
routers can act as a single “virtual” router. The virtual router’s IP address is
configured as the default gateway for the workstations on a specific IP segment.
When frames are to be sent from a workstation to the default gateway, the
workstation uses ARP to resolve the MAC address associated with the IP
address of the default gateway. ARP returns the MAC address of the virtual
router. Frames sent to the virtual router’s MAC address can then be physically
processed by whichever router is currently active in that virtual router group;
the standby router takes over if the active router stops sending hellos.

2. Briefly describe the purpose of configuring multiple HSRP groups in a LAN
segment. (Section 5.2.3)

With a single HSRP group on a subnet, the active router forwards all the
packets off that subnet while the standby router does not forward any. To
facilitate load sharing, a single router may be a member of multiple HSRP
groups on the same segment. Multiple standby groups further enable redundancy
and load sharing. While a router is actively forwarding traffic for one HSRP
group, the router can be in standby or listen state for another group. Each
standby group emulates a single virtual router, and different hosts are given
different virtual routers as their default gateway.

3. Compare the similarities and differences between Hot Standby Router
Protocol (HSRP) and Virtual Router Redundancy Protocol (VRRP).
(Section 5.3.1)

Similarities: both present a virtual router (shared virtual IP and MAC
address) to the hosts, and one router is elected to handle all requests sent
to the virtual IP address while the others stand by.

Differences:
o VRRP is an IETF standard (RFC 3768 / RFC 5798) for router redundancy; HSRP
is a Cisco proprietary protocol
o In VRRP the virtual router represents a group of routers, known as a VRRP
group or virtual router group
o The active router is referred to as the master virtual router
o The master virtual router may have the same IP address as the virtual router
group (the physical address of one router can be used as the virtual address)
o Multiple routers can function as backup routers
o VRRP is supported on Ethernet, Fast Ethernet and Gigabit Ethernet
interfaces, and with MPLS VPNs and VLANs.

4. Briefly describe the main functions of Gateway Load Balancing Protocol
(GLBP). (Section 5.3.4)

GLBP allows automatic selection and simultaneous use of multiple gateways, and
automatic failover between those gateways. Multiple routers share the load of
frames that, from a client perspective, are sent to a single default gateway
address.

GLBP has the following functions:

o Active virtual gateway (AVG): members of a GLBP group elect one
gateway to be the AVG for that group. Other group members provide
backup for the AVG if the AVG becomes unavailable. The AVG assigns a
virtual MAC address to each member of the group and answers ARP requests
for the virtual IP address, handing out the members' virtual MACs in turn.
o Active virtual forwarder (AVF): each gateway assumes responsibility for
forwarding packets sent to the virtual MAC address assigned to it by the
AVG. These gateways are known as AVFs for their virtual MAC address.
o Communication: GLBP members communicate with each other using hello
messages sent every 3 seconds to the multicast address 224.0.0.102, UDP
port 3222.

5. Briefly describe the main features of Gateway Load Balancing Protocol
(GLBP). (Section 5.3.4)

GLBP has the following features:

o Load sharing: traffic from LAN clients can be shared by multiple
routers.
o Multiple virtual routers: up to 1024 virtual routers can be on each
physical interface of a router, and there can be up to four virtual
forwarders per group.
o Preemption: you can preempt an AVG with a higher priority backup
virtual gateway. Forwarder preemption works in a similar way, except
that it uses weighting instead of priority and is enabled by default.
o Efficient resource utilization: any router in a group can serve as a
backup, which eliminates the need for a dedicated backup router because
all available routers can support network traffic.
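
The HSRP behaviour in question 1 and the GLBP functions and features in
questions 4 and 5, as an added Python model (not code from the question bank or
from Cisco IOS). It elects the AVG on highest priority with ties broken by
highest IP address, lets the AVG hand out one virtual MAC per forwarder in
round robin when clients ARP for the virtual IP, and moves a failed member's
virtual MAC to the surviving member with the highest weighting; the contrast
with HSRP is that an HSRP group answers every ARP with its single virtual MAC.
Router names, addresses, priorities and weights are constructed; the virtual
MAC formats (0000.0c07.acXX for HSRP version 1, 0007.b400.XXYY for GLBP) are
the documented defaults, and the takeover-by-highest-weight rule is a
simplification of the real forwarder takeover.

```python
from itertools import cycle

GLBP_HELLO = ("224.0.0.102", 3222, 3)   # multicast group, UDP port, hello interval in seconds
MAX_FORWARDERS = 4


def ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def hsrp_virtual_mac(group):
    """HSRP version 1: one virtual MAC per group, returned to every ARP for the virtual IP."""
    return "0000.0c07.ac%02x" % group


class GLBPGroup:
    """One GLBP group: AVG election, virtual MAC assignment, round-robin ARP replies, failover."""

    def __init__(self, group, virtual_ip, members):
        # members: {name: {"priority": int, "weight": int, "ip": str}}
        self.group, self.virtual_ip, self.members = group, virtual_ip, dict(members)
        self.alive = set(members)
        self.avg = self._elect_avg()
        # The AVG assigns virtual MAC 0007.b400.<group><forwarder> to up to four forwarders.
        self.vmac = {n: "0007.b400.%02x%02x" % (group, n)
                     for n in range(1, min(len(members), MAX_FORWARDERS) + 1)}
        self.owner = dict(zip(self.vmac, sorted(members)))   # forwarder number -> member acting as AVF
        self._next = cycle(sorted(self.vmac))

    def _elect_avg(self):
        return max(self.alive, key=lambda n: (self.members[n]["priority"], ip_key(self.members[n]["ip"])))

    def arp_reply(self, client_ip):
        """ARP for the virtual IP is answered by the AVG with the next forwarder's MAC in turn."""
        n = next(self._next)
        return {"client": client_ip, "ip": self.virtual_ip, "mac": self.vmac[n], "avf": self.owner[n]}

    def fail(self, name):
        """Hellos from 'name' stop: its virtual MAC(s) move to the surviving member with the
        highest weighting (simplified takeover rule), and a new AVG is elected if needed.
        Clients keep the MAC they cached, so they never notice the change."""
        self.alive.discard(name)
        if not self.alive:
            raise RuntimeError("GLBP group has no surviving member")
        backup = max(self.alive, key=lambda n: self.members[n]["weight"])
        for n, owner in self.owner.items():
            if owner == name:
                self.owner[n] = backup
        if name == self.avg:
            self.avg = self._elect_avg()


def demo():
    # Constructed group: R1 has the highest priority (AVG), R3 the highest weight.
    members = {"R1": {"priority": 150, "weight": 100, "ip": "10.0.0.1"},
               "R2": {"priority": 100, "weight": 100, "ip": "10.0.0.2"},
               "R3": {"priority": 100, "weight": 200, "ip": "10.0.0.3"}}
    return GLBPGroup(group=1, virtual_ip="10.0.0.254", members=members)
```

The round-robin reply is what turns one gateway address into three forwarding
paths without any client configuration, and the failover step shows why the
AVG's hello timer, not the client's ARP cache, bounds the outage: the cached
virtual MAC simply starts being served by another router.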

Chapter 8

1. What is a rogue access point? Describe several ways in which a rogue
access point may be introduced into a network. (Section 8.1.2)

A rogue access point is a wireless access point attached to the network without
authorization. Because rogue access points are inexpensive and readily
available, employees sometimes plug them into existing LANs and build ad hoc
wireless networks without the IT department's knowledge or consent. These rogue
access points can be a serious breach of network security because they are
plugged into a network port behind the corporate firewall, so anyone within
radio range reaches the internal LAN directly.

2. Attacks on switched networks can be categorized as MAC Layer, VLAN,
Spoofing and Switch device attacks. Describe several possible attacks
which may be included in these categories. Indicate steps which may
mitigate these attacks. (Sections 8.1.3, 8.1.x)

MAC layer attacks

o MAC address flooding – frames with unique, invalid source MAC addresses
flood the switch, exhausting content addressable memory (CAM) table
space and preventing new entries from valid hosts. Traffic to valid hosts is
subsequently flooded out all ports, where the attacker can capture it.
(Mitigation: port security; MAC address VLAN access maps.)
VLAN attacks
o VLAN hopping – by altering the VLAN ID on packets encapsulated for
trunking, an attacking device can send or receive packets on various VLANs,
bypassing layer 3 security measures. (Mitigation: tighten up trunk
configurations and the negotiation state of unused ports. Place unused ports
in a common VLAN.)
o Attacks between devices on a common VLAN – devices may need protection
from one another, even though they are on a common VLAN. This is
especially true on service provider segments supporting devices from
multiple customers. (Mitigation: implement private VLANs.)
Spoofing attacks
o DHCP starvation and DHCP spoofing – an attacking device can exhaust
the address space available to the DHCP server for a period of time, or
establish itself as a DHCP server in a man-in-the-middle attack.
(Mitigation: DHCP snooping.)
o MAC spoofing – the attacking device spoofs the MAC address of a valid host
currently in the CAM table. The switch then forwards frames destined for the
valid host to the attacking device. (Mitigation: DHCP snooping, port
security.)
o ….
Switch device attacks
o SSH and Telnet attacks – Telnet packets can be read in clear text. SSH is an
option but has security issues in version 1. (Mitigation: use SSH version 2;
if Telnet must be used, restrict it with virtual terminal (vty) ACLs.)

3. What is meant by the term sticky MAC address? How does use of this
configuration option ease the burden of network administration? (Section
8.1.7)

Port security has a feature called “sticky MAC address” that can limit switch
port access to a single, specific MAC address without the network administrator
having to determine the MAC address of every legitimate device and manually
associate it with a particular switch port.

When sticky MAC addresses are used, the switch port converts dynamically
learned MAC addresses to sticky MAC addresses and adds them to the running
configuration as if they were static entries for a single MAC address allowed by
port security. Sticky secure MAC addresses are added to the running
configuration but do not become part of the startup configuration unless the
running configuration is copied to the startup configuration after the
addresses have been learned. If they are saved in the startup configuration,
they do not have to be relearned when the switch is rebooted, which provides a
higher level of network security: the first device to appear after a reboot
cannot claim the port.
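
The MAC flooding attack from question 2 and the sticky port-security
mitigation from question 3, as an added Python simulation (not code from the
question bank or from Cisco IOS). A switch with a deliberately small CAM table
first receives a macof-style flood of bogus source MACs on one port; once the
table is full a legitimate host's address can no longer be learned, and
unicast traffic to it is flooded out every port, including the attacker's.
With port security enabled on that port (maximum one address, sticky, violation
mode shutdown) the first real address is learned as a sticky entry, the first
bogus address puts the port into err-disabled state, and the legitimate traffic
goes only where it belongs. Port names, MAC addresses, the CAM size and the
flood are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    maximum: int = 1
    sticky: bool = True
    secure: list = field(default_factory=list)   # addresses allowed on the port
    err_disabled: bool = False


class Switch:
    def __init__(self, ports, cam_size):
        self.ports, self.cam_size = list(ports), cam_size
        self.cam = {}                  # mac -> port
        self.port_security = {}        # port -> PortSecurity
        self.violations = []

    def enable_port_security(self, port, maximum=1, sticky=True):
        self.port_security[port] = PortSecurity(maximum, sticky)

    def _port_security_allows(self, port, src_mac):
        ps = self.port_security.get(port)
        if ps is None:
            return True
        if ps.err_disabled:
            return False
        if src_mac in ps.secure:
            return True
        if len(ps.secure) < ps.maximum:
            if ps.sticky:
                ps.secure.append(src_mac)      # dynamically learned address becomes a sticky entry
            return True
        ps.err_disabled = True                 # violation mode shutdown: port goes err-disabled
        self.violations.append((port, src_mac))
        return False

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame and return the list of egress ports (empty if dropped)."""
        if not self._port_security_allows(in_port, src_mac):
            return []
        if src_mac not in self.cam and len(self.cam) < self.cam_size:
            self.cam[src_mac] = in_port        # a full CAM table cannot learn new addresses
        out = self.cam.get(dst_mac)
        if out is None:
            return [p for p in self.ports if p != in_port]   # unknown unicast is flooded
        return [] if out == in_port else [out]

    def sticky_config(self):
        """Lines port security would add to the running configuration."""
        return ["interface %s\n switchport port-security mac-address sticky %s" % (p, m)
                for p in sorted(self.port_security) for m in self.port_security[p].secure]


def demo(with_port_security):
    sw = Switch(ports=["Fa0/1", "Fa0/2", "Fa0/3"], cam_size=64)   # tiny CAM for the demo
    if with_port_security:
        sw.enable_port_security("Fa0/2", maximum=1, sticky=True)
    host_a, attacker, host_b = "0200.0000.0001", "0200.0000.0002", "0200.0000.0003"
    sw.receive("Fa0/2", attacker, "ffff.ffff.ffff")            # attacker's real address first
    for i in range(500):                                        # flood of bogus source MACs
        sw.receive("Fa0/2", "0200.dead.%04x" % i, "ffff.ffff.ffff")
    sw.receive("Fa0/3", host_b, "ffff.ffff.ffff")               # host B speaks after the flood
    egress = sw.receive("Fa0/1", host_a, host_b)                # where does A -> B go?
    return {"cam_entries": len(sw.cam), "egress": egress,
            "violations": len(sw.violations), "sticky": sw.sticky_config()}
```

The sticky entry that ends up in the running configuration is the
"configuration you did not have to type" the question refers to; until it is
copied to startup-config it is lost on reboot, and the port would learn
whatever speaks first.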

4. Briefly describe 802.1x port-based authentication. (Section 8.1.10)

The 802.1x standard defines a port-based access control and authentication
protocol that restricts unauthorized workstations from connecting to a LAN
through publicly accessible switch ports. The authentication server (typically
RADIUS) authenticates each workstation connected to a switch port before making
available any service offered by the switch or the LAN.

Until the workstation is authenticated, 802.1x access control allows only
Extensible Authentication Protocol over LAN (EAPOL) traffic through the port
to which the workstation is connected.

5. Briefly explain the switch VLAN attack using the double-tag exploit.
(Section 8.2.1)

Double tagging allows a frame to be forwarded into a destination VLAN other
than the source's VLAN. The attacker, on a port whose VLAN is the native VLAN
of the uplink trunk, sends a frame carrying two 802.1Q tags: an outer tag for
the native VLAN and an inner tag for the target VLAN. The first switch removes
the outer tag and, because the frame belongs to the native VLAN, sends it
untagged over the trunk; the next switch sees the remaining inner tag and
forwards the frame into the target VLAN. The attack lets the attacker send
frames into VLANs that should be unreachable from its own VLAN; it is one-way,
since replies from the target VLAN are not routed back to the attacker.
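
The hop described above, as an added Python model of two switches joined by a
trunk (not code from the question bank or from any vendor). It tracks only the
tag stack and the VLAN a frame is classified into; the model assumes an access
port accepts a frame tagged with its own VLAN and strips that tag, which is the
behaviour the attack relies on. It runs once with the trunk's native VLAN equal
to the attacker's VLAN (the attack works) and once with the native VLAN moved
to an unused VLAN, the mitigation listed in the next question (the frame stays
in the attacker's VLAN). Switch names, ports and VLAN numbers are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    mode: str                  # "access" or "trunk"
    vlan: int = 1              # access VLAN, or native VLAN for a trunk
    allowed: set = field(default_factory=lambda: set(range(1, 4095)))  # trunk allowed VLANs


@dataclass
class Frame:
    tags: list                 # 802.1Q VIDs, outermost first; [] means untagged
    payload: str


class Switch:
    def __init__(self, name, ports):
        self.name, self.ports = name, ports

    def ingress(self, port_name, frame):
        """Classify an incoming frame into a VLAN and strip the tag the switch consumes.
        Returns (vlan or None if dropped, frame as it now looks inside the switch)."""
        p = self.ports[port_name]
        tags = list(frame.tags)
        if p.mode == "trunk":
            if tags and tags[0] in p.allowed:
                vid = tags.pop(0)
                return vid, Frame(tags, frame.payload)
            if tags:
                return None, frame                       # VLAN not allowed on the trunk: drop
            return p.vlan, frame                         # untagged on a trunk = native VLAN
        # Access port. Model assumption: a tag equal to the access VLAN is accepted and
        # removed (what the double-tag attack relies on); any other tag is dropped.
        if tags and tags[0] == p.vlan:
            tags.pop(0)
        elif tags:
            return None, frame
        return p.vlan, Frame(tags, frame.payload)

    def egress(self, port_name, vlan, frame):
        """Frame as it appears on the wire leaving port_name, or None if not sent there."""
        p = self.ports[port_name]
        if p.mode == "access":
            return frame if p.vlan == vlan else None
        if vlan not in p.allowed:
            return None
        if vlan == p.vlan:
            return frame                                 # native VLAN leaves the trunk untagged
        return Frame([vlan] + frame.tags, frame.payload) # any other VLAN gets its tag added


def run_attack(native_vlan):
    """Attacker on SW1 Fa0/1 (access VLAN 1) sends tags [1, 20]; victim is on SW2 Fa0/5 (VLAN 20).
    Returns (VLAN the frame is classified into on SW2, tags left on it, whether the victim gets it)."""
    sw1 = Switch("SW1", {"Fa0/1": Port("access", 1), "Gi0/1": Port("trunk", native_vlan)})
    sw2 = Switch("SW2", {"Gi0/1": Port("trunk", native_vlan), "Fa0/5": Port("access", 20)})
    crafted = Frame(tags=[1, 20], payload="attacker payload")   # constructed attack frame
    vlan, inside = sw1.ingress("Fa0/1", crafted)
    on_wire = sw1.egress("Gi0/1", vlan, inside)
    vlan2, inside2 = sw2.ingress("Gi0/1", on_wire)
    delivered = sw2.egress("Fa0/5", vlan2, inside2)
    return vlan2, inside2.tags, delivered is not None
```

With native VLAN 1 the outer tag disappears on SW1's trunk egress and SW2
reads the inner tag 20 as the real VLAN. With native VLAN 999 SW1 has to tag
the frame with VLAN 1 on the trunk, so SW2 classifies it into VLAN 1 and the
inner tag is just payload from its point of view; tagging the native VLAN
(vlan dot1q tag native) has the same effect.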

6. List and briefly describe “best practice” to protect against VLAN hopping
attacks. (Section 8.2.2)

o Configure all unused ports as access ports so that trunking cannot be
negotiated across those links.
o Place all unused ports in the shutdown state and associate them with a VLAN
designated only for unused ports, carrying no user data traffic.
o When establishing a trunk link, configure the following:
o Make the native VLAN different from any data VLANs
o Set trunking as “on” rather than negotiated (nonegotiate)
o Specify the VLAN range to be carried on the trunk
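
A check for these practices over a running-config, added as a Python example
(not code from the question bank; the sample configuration below is
constructed, IOS-style). It parses each interface block and reports trunks that
still run DTP, trunks whose native VLAN is also used as a data VLAN, trunks
without an allowed-VLAN list, ports not pinned to access mode, and shut-down
ports not parked in the unused-ports VLAN (999 here, an assumption).

```python
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description uplink to DIST1 (weak)
 switchport trunk native vlan 10
 switchport mode trunk
!
interface GigabitEthernet0/2
 description uplink to DIST2 (hardened)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 10
!
interface FastEthernet0/3
 switchport access vlan 999
 switchport mode access
 shutdown
!
interface FastEthernet0/4
 shutdown
!
"""


def parse_interfaces(config):
    """Map each 'interface X' block to its indented sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None          # '!' or a global command ends the block
    return interfaces


def _vlan_after(lines, prefix, default=None):
    for line in lines:
        if line.startswith(prefix):
            return int(line[len(prefix):].split()[0])
    return default


def audit(config, unused_vlan):
    """Return (interface, finding) pairs for the VLAN-hopping best practices."""
    interfaces = parse_interfaces(config)
    data_vlans = {v for lines in interfaces.values()
                  for v in [_vlan_after(lines, "switchport access vlan ")]
                  if v is not None and v != unused_vlan}
    findings = []
    for name, lines in interfaces.items():
        cfg = set(lines)
        if "switchport mode trunk" in cfg:
            if "switchport nonegotiate" not in cfg:
                findings.append((name, "trunk still speaks DTP; add 'switchport nonegotiate'"))
            native = _vlan_after(lines, "switchport trunk native vlan ", default=1)
            if native in data_vlans:
                findings.append((name, "native VLAN %d is also a data VLAN" % native))
            if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
                findings.append((name, "no allowed-VLAN list; trunk carries every VLAN"))
        else:
            if "switchport mode access" not in cfg:
                findings.append((name, "mode not fixed to access; DTP could negotiate a trunk"))
            if "shutdown" in cfg and _vlan_after(lines, "switchport access vlan ") != unused_vlan:
                findings.append((name, "unused port not parked in VLAN %d" % unused_vlan))
    return findings
```

GigabitEthernet0/2 and FastEthernet0/3 are the reference shapes: a trunk with
DTP off, a dedicated native VLAN and an explicit allowed list, and an unused
port that is shut down, pinned to access mode and parked in the unused VLAN.
Running such a check against configurations pulled from every access switch is
the practical way to keep the "standard access port configuration" of question
8 from drifting.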

7. Switched networks may be attacked by DHCP spoofing and ARP spoofing.
Briefly describe how these attacks are mounted. What steps may be taken
to protect against these exploits. (Sections 8.3.x)

o DHCP spoofing – the attacker spoofs the responses that would be sent by a
valid DHCP server. The DHCP spoofing device replies to client DHCP requests,
handing out its own address as default gateway or DNS server so that it sits
in the path of the victims' traffic.
1. configure global DHCP snooping
2. configure trusted ports (those leading to the real DHCP server)
3. configure option-82 insertion off
4. configure rate limiting on untrusted ports
5. configure DHCP snooping for the selected VLANs

o ARP spoofing – by spoofing an ARP reply from a legitimate device with a
gratuitous ARP, an attacking device appears to be the destination host
sought by the senders. The ARP reply from the attacker causes the sender to
store the MAC address of the attacking system in its ARP cache. All packets
destined for that IP address are forwarded through the attacker's system.
1. implement protection against DHCP spoofing (DHCP snooping, whose binding
table DAI relies on)
2. enable dynamic ARP inspection (DAI)
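
Both protections above in one added Python model (not code from the question
bank or from Cisco IOS): DHCP server messages are dropped on untrusted ports, a
client's chaddr must match the frame's source MAC (DHCP snooping's MAC address
verification), untrusted ports are rate limited and err-disabled when the limit
is exceeded, and ACKs seen on the trusted port build the binding table that
dynamic ARP inspection then uses to drop any ARP whose sender MAC, IP and port
do not match a binding. Port names, addresses, the rate-limit window and the
sequence of messages are constructed for the example.

```python
class SnoopingSwitch:
    """DHCP snooping plus dynamic ARP inspection (DAI), as a model rather than IOS code."""

    SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}

    def __init__(self, trusted_ports, rate_limit=15):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit      # DHCP packets allowed per untrusted port per window
        self.rate = {}                    # port -> packets seen in the current (constructed) window
        self.err_disabled = set()
        self.pending = {}                 # (chaddr, vlan) -> untrusted port that sent DISCOVER/REQUEST
        self.bindings = {}                # (mac, vlan) -> (ip, port): the DHCP snooping binding table
        self.dropped = []

    def dhcp(self, port, vlan, src_mac, msg_type, chaddr, yiaddr=None):
        """Filter one DHCP message; returns 'forward' or 'drop'."""
        if port in self.err_disabled:
            return "drop"
        if port not in self.trusted:
            self.rate[port] = self.rate.get(port, 0) + 1
            if self.rate[port] > self.rate_limit:
                self.err_disabled.add(port)                   # rate limit exceeded: err-disable the port
                self.dropped.append((port, "dhcp rate limit"))
                return "drop"
            if msg_type in self.SERVER_MESSAGES:              # rogue server on an untrusted port
                self.dropped.append((port, "server %s on untrusted port" % msg_type))
                return "drop"
            if src_mac != chaddr:                             # MAC address verification
                self.dropped.append((port, "chaddr does not match source MAC"))
                return "drop"
            self.pending[(chaddr, vlan)] = port
        elif msg_type == "ACK" and (chaddr, vlan) in self.pending:
            # Lease granted by the real server: record ip/mac/vlan/port for DAI to check against.
            self.bindings[(chaddr, vlan)] = (yiaddr, self.pending.pop((chaddr, vlan)))
        return "forward"

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: on untrusted ports the ARP sender fields must match a snooping binding."""
        if port in self.trusted:
            return "forward"
        if self.bindings.get((sender_mac, vlan)) != (sender_ip, port):
            self.dropped.append((port, "DAI: %s may not claim %s" % (sender_mac, sender_ip)))
            return "drop"
        return "forward"


def demo():
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"}, rate_limit=15)   # Gi0/1 leads to the real server
    client, rogue, server = "0200.0000.0001", "0200.0000.00bb", "0200.0000.ffff"
    r = {}
    r["discover"] = sw.dhcp("Fa0/1", 10, client, "DISCOVER", client)
    r["ack"] = sw.dhcp("Gi0/1", 10, server, "ACK", client, yiaddr="10.0.0.50")
    r["rogue_offer"] = sw.dhcp("Fa0/2", 10, rogue, "OFFER", client, yiaddr="10.0.0.99")
    r["spoofed_chaddr"] = sw.dhcp("Fa0/2", 10, rogue, "DISCOVER", "0200.dead.0001")
    # Starvation attempt: 20 DISCOVERs from Fa0/3, each with a fresh (matching) MAC.
    flood = [sw.dhcp("Fa0/3", 10, m, "DISCOVER", m) for m in ("0200.beef.%04x" % i for i in range(20))]
    r["flood_forwarded"] = flood.count("forward")
    r["fa0_3_err_disabled"] = "Fa0/3" in sw.err_disabled
    r["legit_arp"] = sw.arp("Fa0/1", 10, client, "10.0.0.50")
    r["gateway_spoof"] = sw.arp("Fa0/2", 10, rogue, "10.0.0.1")   # gratuitous ARP for the gateway
    r["bindings"] = dict(sw.bindings)
    return r
```

The ordering of steps in the question follows from the data flow here: DAI has
nothing to check against until DHCP snooping has populated the binding table,
which is why enabling snooping (and trusting only the server-facing port)
comes first. Hosts with static addresses never appear in the table and need
static ARP ACL entries or IP source binding entries instead.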

8. There are many “best practice” recommendations for switched network
security. Choose two of these and describe how and why they are put into
operation. (Section 8.6.6)

Use CDP only as needed: CDP does not reveal security-specific information,
but it is possible for an attacker to exploit this information in a
reconnaissance attack, whereby the attacker learns device type, software
version and IP address information for the purpose of launching other types of
attacks. Disable it on ports facing users and untrusted networks.

Secure spanning tree.

Take precautions for trunk links.

Minimize physical port access.
Establish a standard access port configuration for both unused and used ports.

Secure switch access: set system passwords, secure physical access to the
console, secure access via Telnet, use SSH when possible, configure warning
banners, use syslog if available.
