Cisco

18 cards — 🟢 3 easy | 🟡 4 medium | 🔴 3 hard

🟢 Easy (3)

1. What is the difference between a Cisco IOS prompt ending with > and one ending with #?

Answer: > means user EXEC mode (read-only: you can view status but cannot change configuration). # means privileged EXEC mode (you can make changes and run all show commands). You enter privileged mode with the "enable" command.

Remember: Cisco IOS modes: User -> Privileged (enable) -> Global Config (configure terminal) -> Interface Config (interface gi0/1). Each mode has different command access.

Remember: nc (netcat) = 'network Swiss Army knife.' Test TCP: nc -zv host 80. Listen: nc -l 8080. Transfer files: nc -l 9999 > file on receiver, nc host 9999 < file on sender.

2. What is the difference between an access port and a trunk port on a Cisco switch?

Answer: An access port belongs to exactly one VLAN and connects to end devices (servers, workstations). A trunk port carries multiple VLANs tagged with 802.1Q headers and connects switches together or to hypervisors.

Remember: trunk ports carry multiple VLANs using 802.1Q tagging. Native VLAN traffic is sent untagged. Change the native VLAN away from VLAN 1 as a security measure.

3. What does "show vlan brief" display on a Cisco switch?

Answer: It shows the VLAN list and which ports are assigned to each VLAN. This is the go-to command for verifying port VLAN membership.

Remember: VLAN = Virtual LAN. Segments a physical switch into logical broadcast domains. VLAN 1 is the default (and a security risk if left unmanaged).

Example: switchport access vlan 10 assigns a port to VLAN 10. Trunk ports carry multiple VLANs between switches.

🟡 Medium (4)

1. What is PortFast on a Cisco switch, and what happens if it is missing on server ports?

Answer: PortFast causes a port to skip the STP Listening and Learning states (which take 30 seconds on classic STP) and go directly to Forwarding. Without PortFast on server ports, servers may time out during DHCP or PXE boot because the port is not forwarding traffic for 30 seconds after link-up.

2. In the output of "show etherchannel summary," what do the flags (P), (I), and (s) mean for member ports?

Answer: (P) means the port is bundled in the port-channel and working. (I) means the port is stand-alone and NOT bundled — this is a problem indicator. (s) means the port is suspended, usually due to a configuration mismatch (e.g., VLAN or speed/duplex difference between member ports).

3. How do Cisco ACLs process packets, and what happens when no rule matches?

Answer: ACLs process packets top-to-bottom; the first matching rule wins. If no explicit rule matches, an implicit deny at the end drops the packet silently. Always add an explicit deny with the "log" keyword at the end to make drops visible.

Remember: ACLs filter traffic. Standard ACLs (1-99) match source IP only. Extended ACLs (100-199) match source, destination, port, protocol.

4. What does "is up, line protocol is down" indicate on a Cisco interface, and what is the most common cause?

Answer: It means Layer 1 (physical link) is up but Layer 2 negotiation failed. The most common cause is a speed/duplex mismatch between the two ends of the link. Both sides should use auto-negotiation, or both should be hard-coded to the same values.

🔴 Hard (3)

1. What is a unidirectional link failure in STP, and how does it cause a loop?

Answer: A unidirectional link occurs when one strand of a fiber breaks — Switch A sends BPDUs but Switch B never receives them. Switch B concludes it is the root bridge and starts forwarding on ports that should be blocking, creating a Layer 2 loop and broadcast storm. The fix is enabling UDLD (UniDirectional Link Detection).

Remember: STP prevents Layer 2 loops. Root bridge election, port states: Disabled -> Blocking -> Listening -> Learning -> Forwarding. Mnemonic: 'Don't Buy Lousy Laptops, Friend.'

2. In a Cisco ACL, what does the wildcard mask 0.0.255.255 mean, and how does it differ from a subnet mask?

Answer: A wildcard mask is the inverse of a subnet mask. 0.0.255.255 means "match the first two octets exactly, ignore the last two," equivalent to a /16 subnet mask (255.255.0.0). Wildcard bits set to 0 must match; bits set to 1 are "don't care."

3. Why is configuring a Cisco switch port-channel with LACP while the Linux server uses bonding mode 1 (active-backup) a misconfiguration?

Answer: Linux bonding mode 1 (active-backup) only sends traffic on one NIC at a time and does not use LACP. The switch-side port-channel expects LACP negotiation from both links. The correct pairing is: Linux bonding mode 4 (802.3ad) with switch-side LACP, or Linux bonding mode 1 with individual switch ports (no port-channel).