Cover: CCNP® Enterprise Certification Study Guide by Ben Piper

CCNP®
Enterprise Certification Study Guide

Wiley Logo

Ben Piper


I dedicate this book to the Lord Jesus Christ through Whom all things were created and in Whom all things hold together

Acknowledgments

I’d like to thank the following people who helped create this CCNP Enterprise Certification Study Guide: Exam 350-401. A special thanks to Kenyon Brown, senior acquisitions editor, for the opportunity to write this book. Thanks to John Sleeva, project editor, for pushing me to meet my deadlines. His suggestions and edits helped make this book more user friendly. Thanks also go to Christine O’Connor, production editor; Pete Gaughan, content enablement manager; and Louise Watson at Word One, proofreader. Jon Buhagiar reviewed the chapters and questions for technical accuracy. His comments guided by his expertise helped make this book more practical, accurate, and well rounded.

About the Author

Ben Piper is a networking and cloud consultant who has authored multiple books including the AWS Certified Solutions Architect Study Guide: Associate SAA-C01 Exam, Second Edition (Sybex, 2019), AWS Certified Cloud Practitioner Study Guide: Foundational CLF-C01 Exam (Sybex, 2019), and Learn Cisco Network Administration in a Month of Lunches (Manning, 2017). You can contact Ben by visiting his website https://benpiper.com.

Introduction

Networking is uniquely challenging in that it's not a single technology, but a collection of interdependent technologies that every other aspect of IT depends on. Without networking, there are no connected applications and that means there are no IT employees. Even if you're not sure that you want networking to become your permanent career, becoming an expert at networking will open the doors for other in-demand areas of IT, including security, software development, and cloud computing.

Cisco's Professional Network Certifications

In 2019, Cisco announced updates to its Cisco Certified Network Professional (CCNP) certification program. There are six professional level certifications to choose from:

  • CCNP Enterprise
  • CCNP Data Center
  • CCNP Security
  • CCNP Service Provider
  • CCNP Collaboration
  • Cisco Certified DevNet Professional

Each certification requires passing one core exam and one concentration exam. The core exam for the CCNP Enterprise certification is 350-401 ENCOR, “Implementing Cisco Enterprise Network Core Technologies.” The concentration exams let you focus on a specific specialty, such as routing, wireless, network design, automation, or software-defined networking (SDN). Regardless of the concentration exam you choose, you must pass the ENCOR exam to attain your CCNP Enterprise certification.

Is CCNP Certification Right for You?

Many who attain the Cisco Certified Network Associate (CCNA) don't go on to pursue more advanced Cisco certifications. So why should you consider the CCNP Enterprise certification, and is it right for you? It may be right for you if

  • You have a passion for networking.
  • You want to set yourself apart as someone who has a passion for technology and isn't just in it for the money (although there is plenty of that!).
  • You want to specialize in security, wireless, network automation, cloud, or software-defined networking.
  • You enjoy tweaking the “nerd knobs” on individual technologies just to see what will happen.
  • You love facing and overcoming the challenges of troubleshooting.

Study Tips

Before taking the CCNP ENCOR exam, there are a few things to keep in mind. There's no reason that you can't pass the exam the first time. To help you do that, I want to share with you some study tips that have helped me pass several Cisco certification exams on the first try. One of the neglected skills required on any Cisco exam is speed. Being able to troubleshoot a 10-router Open Shortest Path First (OSPF) topology is good. Taking 15 minutes to do it is not so good. I can't stress enough the importance of spending quality time with the command-line interface (CLI). You should spend at least 50 percent of your study time on configuring and troubleshooting a variety of topologies and technologies.

There's an old Latin proverb that repetition is the mother of learning. Repetition—in terms of both study and practice—is going to be your best friend. Understanding networking requires making connections that aren't always obvious, and the more you practice and study, the more opportunities your mind has to make those connections. For years I've used SuperMemo (https://super-memory.com), a flashcard-like program that lets you create your own question-and-answer pairs, quizzes you, and shows you how well you're retaining the information. What makes SuperMemo superior to flashcards is that it identifies the information you've already retained, and it doesn't waste time continuing to quiz you on it. That means you can safely load your collection with hundreds of items while still using your time efficiently.

One last tip: As you read this study guide cover to cover, keep a running list of questions and things you're not sure about. Chances are if you find something confusing, a lot of other people did too, and that makes it good fodder for the exam. Be sure to visit https://benpiper.com/encor for book resources, updates, and errata.

Prerequisites and Lab Requirements

The CCNA certification isn't required to attain the CCNP Enterprise certification. Nevertheless, I strongly recommend that you obtain your CCNA certification or the equivalent experience before embarking on your CCNP Enterprise journey. Refer to the CCNA exam blueprint (www.cisco.com/c/en/us/training-events/training-certifications/certifications/associate/ccna.html) for a full list of topics you should already be familiar with. Because the CCNP Enterprise is a professional-level certification, I don't review some of the basics covered by the CCNA, such as subnetting and IPv4 and IPv6 addressing.

You'll need a virtual or physical lab, which you should already have from your previous networking studies. Your lab should be able to support at least eight routers and two layer 3 switches running IOS version 15.2 or later. You should be able to configure your lab on your own by looking at layer 2 and layer 3 diagrams. Topology diagrams will be included in each chapter.

If your existing lab doesn't meet the requirement, Cisco Virtual Internet Routing Lab (http://virl.cisco.com) includes virtual machine images for a variety of switches and routers. These images are virtual machines that run using QEMU and are light on CPU and memory, so you don't need a beast of a server to run simulations, although more resources always help. Other options, although not blessed by Cisco, are GNS3 (https://gns3.com) and EVE-NG (www.eve-ng.net).

How to Use This Book

Hands-on experience is crucial for exam success. Each chapter in this study guide contains hands-on exercises that you should strive to complete during or immediately after your reading of the chapter. The exercises are there to test your understanding, and not to cover every possible permutation of configurations. The exercises are your foundation, and you should build on them by experimenting with them, breaking things, and then figuring out how to fix them.

Each chapter contains review questions to thoroughly test your understanding of the services and concepts covered in that chapter. They also test your ability to integrate the concepts with information from preceding chapters. I've designed the questions to help you realistically gauge your understanding and identify your blind spots. Once you complete the assessment in each chapter, referring to the answer key will give you not only the correct answers but a detailed explanation as to why they're correct. Even if you feel comfortable on a certain topic, resist the urge to skip over the pertinent chapter. I strongly encourage you to carefully read this book from cover to cover so that you can discover your strengths and weaknesses—particularly the ones you may not be aware of. Remember, even though you can't learn networking just by reading a book, it's equally true that you can't learn without reading a book.

The book also contains a self-assessment exam with 36 questions, two practice exams with 50 questions each to help you gauge your readiness to take the exam, and flashcards to help you learn and retain key facts needed to prepare for the exam.

What Does This Book Cover?

This book covers topics you need to know to prepare for the CCNP ENCOR exam:

Chapter 1: Networking Fundamentals  This chapter overviews the fundamentals of networking theory and network design.

Chapter 2: Spanning Tree Protocols  This chapter covers Spanning Tree protocols, including Rapid Spanning Tree and Multiple Instance Spanning Tree. We also cover VLANs, trunking, and pruning.

Chapter 3: Enterprise Network Design  In this chapter, you'll learn the advantages and disadvantages of different physical and layer 2 network designs. We also dive into EtherChannels and first-hop redundancy protocols.

Chapter 4: Wireless LAN (WLAN)  This chapter explains the fundamentals of radio frequency, WLAN 802.11 standards, wireless security, and WLAN controller (WLC) design and deployment considerations.

Chapter 5: Open Shortest Path First (OSPF)  In this chapter, you'll learn how to configure and troubleshoot OSPF adjacencies, authentication, route filtering, summarization, and more.

Chapter 6: Enhanced Interior Gateway Routing Protocol (EIGRP)  This chapter covers advanced EIGRP concepts, including redistribution, multipathing, and path control.

Chapter 7: The Border Gateway Protocol (BGP)  In this chapter, you'll learn all about BGP, including path selection, redistribution, summarization, and filtering.

Chapter 8: Network Address Translation and Multicast  This two-for-the-price-of-one chapter gives you complete coverage of network address translation and multicast.

Chapter 9: Quality of Service  This chapter covers QoS concepts, including queuing, policing, shaping, and classification.

Chapter 10: Network Virtualization  This chapter dives deep into virtualization concepts such as server virtualization, network virtualization, generic routing encapsulation, IPsec, LISP, and VXLAN.

Chapter 11: Software-Defined Networking and Network Programmability  In this chapter, you'll learn about Cisco's software-defined networking (SDN) solutions, SD-Access, Cisco DNA Center, and SD-WAN. You'll also learn about network automation tools such as Python, RESTCONF, NETCONF, Ansible, Chef, Puppet, and SaltStack.

Chapter 12: Network Security and Monitoring  This chapter will show you how to implement infrastructure security best practices and wireless security configurations. You'll also learn about Cisco security products and how to monitor your network using NetFlow, IPSLA, debugs, Syslog, SNMP, and more.

Interactive Online Learning Environment and Test Bank

The interactive online learning environment that accompanies this CCNP Enterprise Certification Study Guide: Exam 350-401 provides a test bank with study tools to help you prepare for the certification exam—and increase your chances of passing it the first time! The test bank includes the following:

Sample Tests  All the questions in this book are provided, including the assessment test at the end of this introduction and the chapter tests that include the review questions at the end of each chapter. In addition, there are two practice exams with 50 questions each. Use these questions to test your knowledge of the study guide material. The online test bank runs on multiple devices.

Flashcards  The online text banks include 100 flashcards specifically written to hit you hard, so don't get discouraged if you don't ace your way through them at first. They're there to ensure that you're really ready for the exam. And no worries—armed with the review questions, practice exams, and flashcards, you'll be more than prepared when exam day comes. Questions are provided in digital flashcard format (a question followed by a single correct answer). You can use the flashcards to reinforce your learning and provide last-minute test prep before the exam.

Other Study Tools  A glossary of key terms from this book is available as a fully searchable PDF.

Go to www.wiley.com/go/sybextestprep to register and gain access to this interactive online learning environment and test bank with study tools.

Exam Objectives

The CCNP ENCOR exam is intended for people who have experience implementing enterprise network technologies including IPv4 and IPv6 architecture, virtualization, monitoring, security, and automation. In general, you should have the following before taking the exam:

The exam covers six different domains, with each domain broken down into objectives.

Objective Map

The following table lists each domain and its weighting in the exam, along with the chapters in the book where that domain's objectives are covered.

Domain 1: Architecture (15% of exam)
  1.1 Explain the different design principles used in an enterprise network (Chapters 1, 3)
  1.2 Analyze design principles of a WLAN deployment (Chapter 4)
  1.3 Differentiate between on-premises and cloud infrastructure deployments (Chapter 11)
  1.4 Explain the working principles of the Cisco SD-WAN solution (Chapter 11)
  1.5 Explain the working principles of the Cisco SD-Access solution (Chapter 11)
  1.6 Describe concepts of wired and wireless QoS (Chapter 9)
  1.7 Differentiate hardware and software switching mechanisms (Chapter 1)
Domain 2: Virtualization (10% of exam)
  2.1 Describe device virtualization technologies (Chapter 10)
  2.2 Configure and verify data path virtualization technologies (Chapter 10)
  2.3 Describe network virtualization concepts (Chapter 10)
Domain 3: Infrastructure (30% of exam)
  3.1 Layer 2 (Chapters 1, 2, 3)
  3.2 Layer 3 (Chapters 1, 5, 6, 7)
  3.3 Wireless (Chapter 4)
  3.4 IP Services (Chapters 3, 8, 12)
Domain 4: Network Assurance (10% of exam)
  4.1 Diagnose network problems using tools such as debugs, conditional debugs, trace route, ping, SNMP, and syslog (Chapter 12)
  4.2 Configure and verify device monitoring using syslog for remote logging (Chapter 12)
  4.3 Configure and verify NetFlow and Flexible NetFlow (Chapter 12)
  4.4 Configure and verify SPAN/RSPAN/ERSPAN (Chapter 12)
  4.5 Configure and verify IPSLA (Chapter 12)
  4.6 Describe Cisco DNA Center workflows to apply network configuration, monitoring, and management (Chapter 11)
  4.7 Configure and verify NETCONF and RESTCONF (Chapter 11)
Domain 5: Security (20% of exam)
  5.1 Configure and verify device access control (Chapter 12)
  5.2 Configure and verify infrastructure security features (Chapter 12)
  5.3 Describe REST API security (Chapter 11)
  5.4 Configure and verify wireless security features (Chapters 4, 12)
  5.5 Describe the components of network security design (Chapters 4, 12)
Domain 6: Automation (15% of exam)
  6.1 Interpret basic Python components and scripts (Chapter 11)
  6.2 Construct valid JSON encoded file (Chapter 11)
  6.3 Describe the high-level principles and benefits of a data modeling language, such as YANG (Chapter 11)
  6.4 Describe APIs for Cisco DNA Center and vManage (Chapter 11)
  6.5 Interpret REST API response codes and results in payload using Cisco DNA Center and RESTCONF (Chapter 11)
  6.6 Construct EEM applet to automate configuration, troubleshooting, or data collection (Chapter 11)
  6.7 Compare agent vs. agentless orchestration tools, such as Chef, Puppet, Ansible, and SaltStack (Chapter 11)

Assessment Test

  1. IP depends on which of the following?

    A. Address Resolution Protocol
    B. Data link layer
    C. Network layer
    D. Transport layer
  2. Which is not a function of a bridge?

    A. Simulating some properties of a shared physical Ethernet cable
    B. MAC-based routing
    C. Reducing the size of a broadcast domain
    D. Frame check sequence validation
  3. What are the purposes of TCP sequence numbers? (Choose two.)

    A. Error control
    B. Ordering
    C. Flow control
    D. Reliable delivery
  4. Three switches are connected via 802.1Q trunk links. You need to prevent VLAN 25 traffic from reaching two of the switches. Which of the following can accomplish this? (Choose two.)

    A. Prune VLAN 25 on the trunk links.
    B. Use routed interfaces instead of trunks.
    C. Configure Spanning Tree to block the ports to the switches.
    D. Delete VLAN 25 on the switches.
  5. Switch SW1 is running RPVST+ and is connected via a routed interface to SW2, which is running Multiple Spanning Tree. If you add VLAN 2 to both switches and map VLAN 2 to MST1 on SW2, which switch will necessarily be the root for VLAN 2?

    A. SW1
    B. SW2
    C. The switch with the lowest bridge priority
    D. Both SW1 and SW2
  6. Which of the following can effectively prune a VLAN from a trunk?

    A. BPDU Guard
    B. BPDU Filter
    C. Loop Guard
    D. UDLD
  7. Which of the following is the most scalable physical architecture for East-West traffic patterns?

    A. Two-tier collapsed core
    B. Leaf-and-spine architecture
    C. Routed
    D. Three-tier
  8. What are two reasons to choose a routed topology over a switched topology?

    A. Better scalability
    B. Better use of IP address space
    C. The ability to stretch subnets
    D. Faster convergence
  9. Which protocol does not use multicast?

    A. LACP
    B. EtherChannel
    C. VRRP
    D. HSRP
  10. An access point running in lightweight mode has clients connected to two SSIDs. The total number of connected clients is 25. How many CAPWAP tunnels are there between the AP and its WLAN controller (WLC)?

    A. 1
    B. 2
    C. 25
    D. Lightweight mode doesn't use a WLC.
  11. A client performs an intra-controller roam, keeping its IP address. Which of the following is true of this roam?

    A. The SSID changes.
    B. The VLAN changes.
    C. It's a layer 2 roam.
    D. It's a layer 3 roam.
  12. What are two disadvantages of 5 GHz Wi-Fi versus 2.4 GHz Wi-Fi?

    A. Incompatibility with 802.11g
    B. Incompatibility with 802.11n
    C. Increased free space path loss
    D. Lower throughput
  13. There are three OSPF routers connected to the same subnet. Which is the designated router?

    A. The one with the lowest router ID
    B. The first one that became active
    C. The one with the highest router ID
    D. The one with the highest priority
  14. Two OSPF routers are connected to each other. One router's interface is configured as a broadcast network type, whereas the other router's interface is configured as a point-to-point network type. Which of the following is true of this configuration? (Choose two.)

    A. They won't form an adjacency.
    B. They will form an adjacency.
    C. They won't exchange routes.
    D. They will exchange routes.
  15. You have a router with an interface that's connected to a subnet dedicated to servers. You want to advertise this subnet into OSPF but don't want any servers running OSPF software to form an adjacency with the router. How can you accomplish this?

    A. Configure null authentication.
    B. Use a distribute list.
    C. Advertise a default route.
    D. Configure the interface as a passive interface.
  16. An OSPF autonomous system boundary router (ASBR) is redistributing the prefix 192.168.0.0/16 into EIGRP AS 1. What is the administrative distance of the route?

    A. 20
    B. 110
    C. 170
    D. 200
  17. Which of the following are considered in calculating an EIGRP metric? (Choose all that apply.)

    A. Bandwidth
    B. Delay
    C. MTU
    D. Reliability
    E. Latency
    F. Weight
  18. Consider the following EIGRP output.

        P 10.0.36.0/29, 1 successors, FD is 3328
                via 10.0.45.4 (3328/3072), GigabitEthernet0/3
                via 10.0.56.6 (5632/2816), GigabitEthernet0/0

    Which of the following is the feasible successor?

    A. 10.0.36.1
    B. 10.0.56.6
    C. 10.0.45.4
    D. 10.0.36.2
  19. What occurs when an eBGP router receives a route that already has its own AS number in the path?

    A. Removes the AS and advertises the route
    B. Advertises the route as is
    C. Discards the route
    D. Installs the route in its BGP RIB
    E. Discards all routes from the router it received the route from
  20. R1 has the prefix 172.16.0.0/16 in its IP routing table, learned from EIGRP AS 16. There are no other BGP, IGP, or static routes in the routing table. You execute the following BGP router configuration commands on R1:

        network 172.16.0.0 mask 255.255.255.0
        redistribute eigrp 16

    Which of the following will be true regarding the route R1 advertises for the 172.16.0.0/16 prefix?

    A. 172.16.0.0/16 will have an incomplete origin type.
    B. 172.16.0.0/24 will have an incomplete origin type.
    C. R1 will not advertise the 172.16.0.0/16 prefix.
    D. 172.16.0.0/16 will have an IGP origin type.
  21. Consider the following prefix list and route map on router R1:

        ip prefix-list all-private: 3 entries
           seq 5 permit 10.0.0.0/8 le 32
           seq 10 deny 0.0.0.0/0 le 32
        route-map allow-public, deny, sequence 10
          Match clauses:
            ip address prefix-lists: all-private
          Set clauses:
          Policy routing matches: 0 packets, 0 bytes
        route-map R4, permit, sequence 20
          Match clauses:
          Set clauses:
          Policy routing matches: 0 packets, 0 bytes

    Which prefix will this route map allow?

    A. 10.255.255.0/24
    B. 10.0.0.0/32
    C. 10.0.0.0/8
    D. 0.0.0.0/0
  22. Consider the following output from a NAT router:

        R2#debug ip nat
        IP NAT debugging is on
        R2#
        NAT*: s=7.0.0.12->2.0.0.2, d=10.0.12.1 [155]

    Which of the following is the inside global address?

    A. 2.0.0.2
    B. 10.0.12.1
    C. 7.0.0.12
    D. 10.0.12.155
  23. A router running PIM has a single multicast RIB entry marked (223.3.2.1, 239.8.7.6). What does this indicate?

    A. The router has received an IGMP Membership Report from 223.3.2.1.
    B. 239.8.7.6 has sent unicast traffic to 223.3.2.1.
    C. 223.3.2.1 has sent multicast traffic to 239.8.7.6.
    D. The router has received a PIM Join/Graft from 223.3.2.1.
  24. Which of the following commands individually configures port address translation?

    A. ip nat inside source list 1 pool natpool
    B. ip nat inside destination list 1 pool natpool overload
    C. ip nat outside source list 1 pool natpool overload
    D. ip nat inside source list 1 interface gi0/2 overload
  25. Which QoS Class Selector has the lowest priority?

    A. CS0
    B. CS1
    C. CS7
    D. EF
  26. Which of the following prevent TCP global synchronization? (Choose two.)

    A. Explicit congestion notification
    B. Policing
    C. Weighted random early detection
    D. Fair queuing
  27. Which of the following queues can never exceed its bandwidth allocation during times of congestion?

    A. Low-latency queue
    B. Class-based weighted fair queue
    C. Policing queue
    D. Priority queue
  28. What is another term for reflective relay?

    A. Virtual network function
    B. Virtual Ethernet bridge
    C. Virtual switching
    D. External edge virtual bridging
  29. Which of the following might you need to allow in order to use IPsec in transport mode? (Choose two.)

    A. TCP port 50
    B. IP protocol 50
    C. UDP port 500
    D. IP protocol 51
    E. IP protocol 41
  30. By default, what does VXLAN use for MAC address learning? (Choose two.)

    A. Multicast
    B. EVPN
    C. Data plane learning
    D. Control plane learning
  31. What type of encapsulation does SD-Access use?

    A. LISP
    B. IPsec
    C. VXLAN
    D. GRE
  32. Which of the following is not a component of SD-WAN?

    A. DTLS
    B. BGP
    C. OMP
    D. IPsec
  33. Which of the following HTTP response codes indicates successful authentication using a GET or PUT request?

    A. 200
    B. 201
    C. 204
    D. 401
    E. 500
  34. You want to control which commands administrators can run on a router. Which of the following should you configure?

    A. TACACS+ authorization
    B. RADIUS authorization
    C. Local authentication
    D. TACACS+ accounting
  35. Which of the following can authenticate only a machine but not a user?

    A. PEAP
    B. 802.1X
    C. MAC authentication bypass
    D. WebAuth
  36. Which of the following can't be used to block ARP packets or Spanning Tree BPDUs? (Choose two.)

    A. Port ACL
    B. VLAN access map
    C. MAC ACL
    D. Extended IP ACL

Answers to Assessment Test

  1. B. The Data Link layer facilitates data transfer between two nodes. IP addresses are logical addresses based on an abstraction of the Data Link layer. See Chapter 1 for more information.

  2. C. A bridge maintains a Media Access Control (MAC) address table that it uses to perform a crude form of routing. This reduces the need for flooding but doesn't reduce the size of the broadcast domain. Bridges forward received frames, thus simulating some of the properties of a shared physical Ethernet cable. Bridges discard frames that fail frame check sequence validation. See Chapter 1 for more information.

  3. B, D. Transmission Control Protocol (TCP) uses sequence numbers for ordering and ensuring reliable delivery by detecting lost packets. See Chapter 1 for more information.

  4. A, B. You can block VLAN 25 from reaching the switches in two ways. First, you can prune the virtual LAN (VLAN) from the trunk. Second, instead of running a trunk between switches, you can use routed links. See Chapter 2 for more information.

  5. D. Because SW1 and SW2 are connected via routed interfaces, they are in separate broadcast domains and hence form separate Spanning Trees. See Chapter 2 for more information.

  6. C. Loop Guard will block a VLAN on a port if it doesn't receive Bridge Protocol Data Units (BPDUs) for that VLAN. Unidirectional Link Detection (UDLD) and BPDU Guard can shut down an entire port. BPDU Filter doesn't block traffic. See Chapter 2 for more information.

  7. B. Leaf-and-spine architecture is the most scalable choice for networks with predominantly East-West traffic patterns such as data center networks. Routed is not a physical architecture, but rather a layer 2 architecture. See Chapter 3 for more information.

  8. A, D. Routed topologies scale better and converge faster than switched topologies, but they require consuming more IP address space. See Chapter 3 for more information.

  9. B. EtherChannel doesn't use multicast. Link Aggregation Control Protocol (LACP), which negotiates EtherChannels, and Virtual Router Redundancy Protocol (VRRP) and Hot Standby Router Protocol (HSRP), which are first-hop redundancy protocols (FHRPs), do use multicast. See Chapter 3 for more information.

  10. A. An access point (AP) forms a single Control and Provisioning of Wireless Access Points (CAPWAP) tunnel with a wireless LAN controller (WLC). See Chapter 4 for more information.

  11. C. In an intracontroller roam, the client associates with a different AP that's connected to the same WLAN controller. Neither the VLAN nor the Service Set Identifier (SSID) changes. Because the client's IP address didn't change, you can conclude this is a layer 2 roam. See Chapter 4 for more information.

  12. A, C. 5.4 GHz Wi-Fi standards include 802.11n and 802.11ac, but not 802.11g. 5.4 GHz offers higher throughput, but at the price of increased free space path loss. See Chapter 4 for more information.

  13. B. The first Open Shortest Path First (OSPF) router to become active on a subnet becomes the designated router (DR) for the subnet. It's commonly taught that the DR is chosen based on the highest router ID, but the first OSPF router to become active always becomes the DR. A DR election occurs only when the existing DR and backup DR fail. See Chapter 5 for more information.

  14. B, C. Network types don't have to match in order to form an adjacency, but they do need to match in order for the routers to exchange routes. See Chapter 5 for more information.

  15. D. When an interface is configured as a passive interface, OSPF will advertise the prefix for that interface, but will not form an adjacency with other routers on the subnet. See Chapter 5 for more information.

  16. C. The route is an external Enhanced Interior Gateway Routing Protocol (EIGRP) route, so it has an administrative distance of 170. See Chapter 6 for more information.

  17. A, B. By default, only bandwidth and delay are used in calculating the metric. See Chapter 6 for more information.

  18. B. 10.0.56.6 is the feasible successor. See Chapter 6 for more information.

  19. C. Border Gateway Protocol (BGP) uses the autonomous system (AS) path for loop prevention. Upon receiving a route with its own AS in the AS path, an exterior Border Gateway Protocol (eBGP) router will discard the route, meaning it won't install it in its BGP Routing Information Base (RIB) or IP routing table, nor will it advertise the route. See Chapter 7 for more information.

  20. A. 172.16.0.0/24 doesn't exist in R1's routing table, so the network command will have no effect. Instead, the redistribute eigrp 16 command will redistribute the 172.16.0.0/16 prefix into BGP with an incomplete origin type. See Chapter 7 for more information.

  21. C. The prefix list matches any prefix with a subnet falling into the 10.0.0.0/8 range with a prefix length from 8 to 32. This includes 10.0.0.0/8, 10.0.0.0/32, and 10.255.255.0/24. The first sequence in the route map is a deny sequence that matches the IP prefix list. Hence, these prefixes will match the sequence and will be denied. The second sequence in the route map is a permit sequence that matches all prefixes that don't match the first sequence. See Chapter 7 for more information.

  22. A. R2 is translating the source address 7.0.0.12 to 2.0.0.2; therefore 7.0.0.12 is the inside local address and 2.0.0.2 is the inside global address. See Chapter 8 for more information.

  23. C. Multicast RIB entries take the form (source, group). The entry indicates that the source—223.3.2.1—has sent multicast traffic to the multicast group address 239.8.7.6. See Chapter 8 for more information.

  24. D. Port address translation—also known as network address translation (NAT) overload—translates multiple inside local source addresses to a single global address. The global address can come from an outside interface or from a pool. See Chapter 8 for more information.

  25. B. CS1 gets a lower priority than CS0. CS0 is the default class and is for best-effort traffic. CS1 is the bottom-of-the-barrel traffic that you may not even want on your network, such as torrents, gaming, or cat videos. See Chapter 9 for more information.

  26. A, C. TCP global synchronization occurs when multiple TCP flows back off, then ramp up simultaneously. This can happen when a queue fills and excess packets are tail-dropped. Weighted random early detection (WRED) randomly drops packets as the queue fills. Explicit congestion notification (ECN) works by getting a TCP sender to slow down the rate at which it sends by reducing its congestion window. See Chapter 9 for more information.

  27. A. The low-latency queue (LLQ) is serviced before any other queue, so packets in the LLQ won't wait any longer than necessary. The LLQ has a limited bandwidth. See Chapter 9 for more information.

  28. D. The term edge virtual bridging (EVB) describes using a physical switch to pass layer 2 traffic between VMs running on the same host. The IEEE 802.1Qbg standard calls this reflective relay. See Chapter 10 for more information.

  29. B, C. Internet Key Exchange (IKE) uses User Datagram Protocol (UDP) port 500, whereas Encapsulating Security Payload (ESP) uses IP protocol 50. See Chapter 10 for more information.

  30. A, C. By default, Virtual Extensible LAN (VXLAN) uses multicast to flood unknown unicasts, allowing it to perform data plane learning. See Chapter 10 for more information.

  31. C. SD-Access uses VXLAN encapsulation because it can carry Ethernet frames. The others can't. See Chapter 11 for more information.

  32. B. Software-defined networking in a wide area network (SD-WAN) doesn't use BGP. See Chapter 11 for more information.

  33. A. When authenticating using a GET or PUT request, you should get a 200 response code if authentication succeeds. See Chapter 11 for more information.

  34. A. Terminal Access Controller Access-Control System Plus (TACACS+) supports authorization, authentication, and accounting. Remote Authentication Dial-In User Service (RADIUS) doesn't support command authorization. See Chapter 12 for more information.

  35. C. MAC authentication bypass is the only option that can authenticate a machine but not a user. See Chapter 12 for more information.

  36. A, D. You can't use a port access control list (ACL) to block certain control plane traffic, including ARP and Spanning Tree BPDUs. You also can't use an extended IP ACL because ARP and Spanning Tree Protocol (STP) don't use IP. See Chapter 12 for more information.
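The rule behind the answer to question 18 is the EIGRP feasibility condition: a path is a feasible successor only when its reported distance (the second number in parentheses) is lower than the feasible distance of the successor. The following script is an added example and is not code from the study guide; it parses a topology entry in the format quoted in the question (the sample strings are constructed here, one matching the question and one with a path that fails the check) and classifies each next hop.

```python
"""Feasible-successor check for an EIGRP topology entry (added example)."""
import re

# Constructed sample: the topology entry quoted in assessment question 18.
TOPOLOGY_OUTPUT = """\
P 10.0.36.0/29, 1 successors, FD is 3328
        via 10.0.45.4 (3328/3072), GigabitEthernet0/3
        via 10.0.56.6 (5632/2816), GigabitEthernet0/0
"""

# Constructed sample: the second path has RD 4000, which is not below the
# FD of 3328, so it is a backup path but NOT a feasible successor.
NOT_FEASIBLE_OUTPUT = """\
P 10.0.99.0/24, 1 successors, FD is 3328
        via 10.0.45.4 (3328/3072), GigabitEthernet0/3
        via 10.0.78.8 (6000/4000), GigabitEthernet0/1
"""

ENTRY_RE = re.compile(r"^P (\S+), (\d+) successors, FD is (\d+)")
VIA_RE = re.compile(r"^\s*via (\S+) \((\d+)/(\d+)\), (\S+)")


def parse_topology(text):
    """Return (prefix, fd, paths); each path carries next hop, the total
    metric via that hop, the reported distance (RD) and the interface."""
    prefix = fd = None
    paths = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            prefix, fd = m.group(1), int(m.group(3))
            continue
        m = VIA_RE.match(line)
        if m:
            paths.append({
                "next_hop": m.group(1),
                "metric": int(m.group(2)),
                "rd": int(m.group(3)),
                "interface": m.group(4),
            })
    if prefix is None:
        raise ValueError("no EIGRP topology entry found")
    return prefix, fd, paths


def classify_paths(text):
    """Split the paths into successors and feasible successors."""
    prefix, fd, paths = parse_topology(text)
    # Successors: paths whose total metric equals the feasible distance.
    successors = [p["next_hop"] for p in paths if p["metric"] == fd]
    # Feasibility condition: the reported distance must be strictly below FD.
    feasible = [p["next_hop"] for p in paths
                if p["metric"] != fd and p["rd"] < fd]
    return {"prefix": prefix, "fd": fd,
            "successors": successors, "feasible_successors": feasible}


if __name__ == "__main__":
    print(classify_paths(TOPOLOGY_OUTPUT))
    print(classify_paths(NOT_FEASIBLE_OUTPUT))
```

For the question's entry this yields 10.0.45.4 as the successor and 10.0.56.6 (RD 2816 < FD 3328) as the feasible successor; in the second sample the 10.0.78.8 path is kept out of the feasible-successor list because its RD of 4000 is not below the FD, which is exactly the loop-freedom guarantee the condition provides.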
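The answer to question 21 walks through how a prefix list with `le` entries and a two-sequence route map combine. The script below is an added example, not code from the study guide: it models the prefix list and route map from the question as data and applies the matching rules (first matching prefix-list entry decides, implicit deny at the end; route-map sequences evaluated in order, a sequence with no match clauses matches everything). It assumes the two sequences quoted in the question belong to a single route map; the class and function names are the example's own.

```python
"""Evaluate an IOS-style prefix list and route map against candidate
prefixes (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PrefixEntry:
    seq: int
    action: str            # "permit" or "deny"
    prefix: str            # e.g. "10.0.0.0/8"
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, candidate):
        """True when the candidate's leading bits equal the entry's prefix
        and its length falls in the range implied by ge/le."""
        base = ipaddress.ip_network(self.prefix, strict=False)
        lo = self.ge if self.ge is not None else base.prefixlen
        if self.le is not None:
            hi = self.le
        else:
            hi = base.max_prefixlen if self.ge is not None else base.prefixlen
        return (candidate.network_address in base
                and lo <= candidate.prefixlen <= hi)


def prefix_list_permits(entries, cidr):
    """Walk entries in sequence order; the first match decides.
    No match means the implicit deny at the end of every prefix list."""
    candidate = ipaddress.ip_network(cidr, strict=False)
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(candidate):
            return entry.action == "permit"
    return False


@dataclass
class RouteMapSeq:
    seq: int
    action: str                                   # "permit" or "deny"
    match_prefix_lists: List[str] = field(default_factory=list)


def route_map_permits(sequences, prefix_lists, cidr):
    """The first sequence whose match clauses all succeed decides; a
    sequence without match clauses matches everything; implicit deny."""
    for s in sorted(sequences, key=lambda s: s.seq):
        if all(prefix_list_permits(prefix_lists[name], cidr)
               for name in s.match_prefix_lists):
            return s.action == "permit"
    return False


# Constructed data modelled on the question: prefix list "all-private"
# and a route map whose sequence 10 denies what the list permits and
# whose sequence 20 permits everything else.
PREFIX_LISTS = {
    "all-private": [
        PrefixEntry(5, "permit", "10.0.0.0/8", le=32),
        PrefixEntry(10, "deny", "0.0.0.0/0", le=32),
    ]
}
ROUTE_MAP = [
    RouteMapSeq(10, "deny", ["all-private"]),
    RouteMapSeq(20, "permit"),
]


def evaluate(candidates):
    """Map each candidate prefix to whether the route map permits it."""
    return {c: route_map_permits(ROUTE_MAP, PREFIX_LISTS, c)
            for c in candidates}


if __name__ == "__main__":
    for cidr, ok in evaluate(["10.255.255.0/24", "10.0.0.0/32",
                              "10.0.0.0/8", "0.0.0.0/0"]).items():
        print(f"{cidr:18} {'permit' if ok else 'deny'}")
```

Only 0.0.0.0/0 survives: it fails the `10.0.0.0/8 le 32` entry, is caught by the `deny 0.0.0.0/0 le 32` entry, so the prefix list denies it, sequence 10's match clause fails, and sequence 20 permits it. The three 10.0.0.0/8 candidates are permitted by the prefix list, which is precisely what makes sequence 10 match and deny them.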