© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

CCNA Network Services and Security • Complete Question Bank

CCNA Network Services and Security — All Questions With Answers

Complete CCNA Network Services and Security question bank — all 0 questions with answers and detailed explanations.

549 questions · Free · No signup
Question 1 (medium, multiple choice; topic: Network Services and Security)

What does switchport port-security primarily protect against on an access port?

Question 2 (easy, multiple choice; topic: routing)

What is the primary purpose of NTP in a routed network?

Question 3 (easy, multiple choice; topic: DNS)

What is the primary function of DNS?

Question 4 (easy, multiple choice; topic: network assurance)

What is the main purpose of a syslog server in a network?

Question 5 (easy, multiple choice; topic: NAT/PAT)

What is the main benefit of Port Address Translation (PAT)?

Question 6 (easy, multiple choice; topic: Network Services and Security)

What does the confidentiality objective of the CIA triad focus on?

Question 7 (easy, multiple choice; topic: DNS)

What is the main function of DNS in an IP network?

Question 8 (medium, multiple choice; topic: Network Services and Security)

What is the main purpose of an allowlist-based firewall policy compared with a denylist-based one?

Question 9 (easy, multiple choice; topic: AAA)

What does the second 'A' in AAA stand for?

Question 10 (medium, multiple choice; topic: DNS)

Which statement best describes the role of DNS in a network?

Question 11 (medium, multiple choice; topic: DHCP)

What is the primary purpose of a DHCP default gateway option provided to a host?

Question 12 (medium, multiple choice; topic: AAA)

Which statement best describes the purpose of accounting in AAA?

Question 13 (medium, multiple choice; topic: Network Services and Security)

Which statement best explains why SSH is preferred over Telnet for remote administration?

Question 14 (medium, multiple choice; topic: Network Services and Security)

Which statement best describes confidentiality in the CIA triad?

Question 15 (medium, multiple choice; topic: DHCP)

Which statement best describes the difference between DHCP and DNS?

Question 16 (hard, multiple choice; topic: NAT/PAT)

Which statement best describes the benefit of PAT compared with static NAT in a small office that has many internal users but only one public IPv4 address?

Question 17 (medium, multiple choice; topic: AAA)

Which statement best describes the purpose of authorization in AAA?

Question 18 (medium, multiple choice; topic: DNS)

What is the primary reason DNS is easier for humans to use than raw IP addressing?

Question 19 (medium, multiple choice; topic: Network Services and Security)

Which statement best describes why disabling unused switch ports is considered a hardening measure?

Question 20 (medium, multiple choice; topic: DHCP)

Which statement best explains why a DHCP client typically also needs a subnet mask in addition to an IP address?

Question 21 (medium, multiple choice; topic: Network Services and Security)

What is the main security benefit of using the principle of least privilege?

Question 22 (medium, multiple choice; topic: Network Services and Security)

Which statement best describes why a management network should prefer SSH over Telnet?

Question 23 (medium, multiple choice; topic: network assurance)

Which statement best describes Syslog in a network operations context?

Question 24 (medium, multiple choice; topic: Network Services and Security)

Which statement best describes integrity in the CIA triad?

Question 25 (medium, multiple choice; topic: Network Services and Security)

Which statement best describes why least privilege is useful even for trusted users?

Question 26 (medium, multiple choice; topic: Network Services and Security)

Which statement best explains the purpose of confidentiality in the CIA triad?

Question 27 (medium, multiple choice; topic: Network Services and Security)

Which statement best explains the security value of SSH for device management?

Question 28 (medium, multiple choice; topic: DHCP)

What is the main operational difference between DHCP and DNS?

Question 29 (medium, multiple choice; topic: DNS)

Which statement best describes why DNS improves usability for people using networks?

Question 30 (medium, multiple choice; topic: Network Services and Security)

Which statement best describes why least privilege is useful for administrative accounts?

Question 31 (medium, multiple choice; topic: Network Services and Security)

Which statement best describes why SSH is safer than Telnet for remote administration?

Question 32 (medium, multiple choice; topic: DHCP)

What is the primary function of DHCP on a normal client network?

Question 33 (medium, multiple choice; topic: Network Services and Security)

Which statement best describes the security value of least privilege?

Question 34 (medium, multiple choice; topic: DHCP)

Which statement best describes the main operational difference between DNS and DHCP?

Question 35 (medium, multiple choice; topic: Network Services and Security)

What is the primary reason NTP is valuable in a network operations environment?

Question 36 (medium, multiple choice; topic: DNS)

What is the main operational benefit of DNS for users and applications?

Question 37 (medium, multiple choice; topic: Network Services and Security)

Which statement best describes availability in the CIA triad?

Question 38 (medium, multiple choice; topic: Network Services and Security)

Which statement best explains why SSH is safer than Telnet for remote management?

Question 39 (medium, multiple choice; topic: QoS)

Which statement best describes the general goal of QoS in a converged network?

Question 40 (medium, multiple choice; topic: network assurance)

Which statement best describes the purpose of SNMP in network operations?

Question 41 (medium, multiple choice; topic: network assurance)

Which statement best describes the difference between Syslog and SNMP traps?

Question 42 (medium, multiple choice; topic: ACL)

What is the main reason extended ACLs are often placed closer to the source of the traffic being filtered?

Question 43 (medium, multiple choice; topic: network assurance)

Which statement best describes a Syslog severity level at a CCNA level?

Question 44 (medium, multiple choice; topic: ACL)

Which statement best explains why an ACL that lacks a needed permit statement can block legitimate traffic even if no explicit deny for that traffic exists?

Question 45 (medium, multiple choice; topic: network assurance)

What is the main operational difference between Syslog and NetFlow?

Question 46 (medium, multiple choice; topic: ACL)

What is the main effect of the implicit deny at the end of an ACL?

Question 47 (medium, multiple choice; topic: network assurance)

Which statement best describes NetFlow at a CCNA level?

Question 48 (medium, multiple choice; topic: network assurance)

Which statement best describes an SNMP trap compared with SNMP polling?

Question 49 (medium, multiple choice; topic: Network Services and Security)

Which statement best explains why using SSH alone is not always enough for strong management-plane security?

Question 50 (medium, multiple choice; topic: network assurance)

Which statement best describes why SNMP and Syslog are both useful in operations but not interchangeable?

Question 51 (medium, multiple choice; topic: Network Services and Security)

Which statement best explains why least privilege remains important even when administrators already use SSH and named accounts?

Question 52 (medium, multiple choice; topic: network assurance)

Which statement best describes why NetFlow, Syslog, and SNMP are often all kept together in mature operations environments?

Question 53 (medium, multiple choice; topic: Network Services and Security)

Which statement best explains why named user accounts plus logging provide better security operations than a shared admin account without activity records?

Question 54 (medium, multiple choice; topic: Network Services and Security)

Which statement best describes why layered controls are preferred for administrative access instead of relying on only one mechanism?

Question 55 (medium, multiple choice; topic: AAA)

Which statement best describes why authorization is different from authentication in AAA?

Question 56 (medium, multiple choice; topic: DHCP)

Which statement best describes why DNS and DHCP are often discussed together in end-host troubleshooting?

Question 57 (hard, multiple choice; topic: AAA)

Which statement best describes why accounting in AAA is useful even when authentication and authorization are already configured?

Question 58 (medium, multiple choice; topic: network assurance)

Which statement best explains why NTP and Syslog are often configured together on network devices?

Question 59 (hard, multiple choice; topic: subnetting)

Which statement best describes why administrative access should ideally come from a dedicated management subnet rather than from general user subnets?

Question 60 (medium, multiple choice; topic: network assurance)

Which statement best describes why SNMPv3 is often preferred over older SNMP versions in security-conscious environments?

Question 61 (medium, multiple choice; topic: Network Services and Security)

Which statement best explains why secure transport, identity verification, permission control, and logging are all useful together in device administration?

Question 62 (medium, multiple choice; topic: Network Services and Security)

Which statement best describes why engineers often compare 'works by IP' versus 'works by name' during troubleshooting?

Question 63 (medium, multiple choice; topic: network assurance)

Which statement best describes why NetFlow, SNMP, and Syslog are often used together rather than treated as substitutes?

Question 64 (medium, multiple choice; topic: Network Services and Security)

Which statement best describes why named accounts plus logging are stronger together than either control alone?

Question 65 (medium, multiple choice; topic: Network Services and Security)

Which statement best describes why source restriction does not replace the need for strong authentication?

Question 66 (medium, multiple choice; topic: DHCP)

Which statement best describes why a host might receive a correct IP address from DHCP but still fail to reach websites by name?

Question 67 (easy, multiple choice; topic: REST/YANG)

What is the main purpose of a YANG data model in network automation?

Question 68 (medium, multiple choice; topic: network assurance)

Which statement best describes model-driven telemetry compared with traditional SNMP polling?

Question 69 (easy, multiple choice; topic: Network Services and Security)

Which statement accurately describes JSON in a network automation workflow?

Question 70 (easy, multiple choice; topic: DHCP)

Which statement about DHCP address exclusion is correct?

Question 71 (medium, multiple choice; topic: network assurance)

Which statement about NetFlow is correct?

Question 72 (hard, multiple choice; topic: ACL)

A router interface applies this ACL inbound:

10 deny tcp any any eq 80

20 permit ip any any

A user reports that web browsing to a server by IP address fails, but ping works. Which statement best explains the behavior?

Question 73 (hard, multiple choice; topic: DHCP)

A switch has DHCP snooping enabled, but users still experience IP-to-MAC spoofing attacks. Which additional feature should be considered to help address that specific problem?

Question 74 (medium, multiple choice; topic: network assurance)

What is a key difference between SNMPv3 and earlier SNMP versions?

Question 75 (medium, multiple choice; topic: AAA)

In AAA, what does the second A stand for?

Question 76 (medium, multiple choice; topic: ACL)

Which ACL type can filter using source and destination IP addresses as well as TCP or UDP port numbers?

Question 77 (medium, multiple choice; topic: wireless)

Which wireless security method is considered strongest among these choices for modern enterprise WLAN deployments?

Question 78 (medium, multiple choice; topic: QoS)

Which traffic type is typically most sensitive to delay and jitter and is commonly prioritized with QoS?

Question 79 (medium, multiple choice; topic: Network Services and Security)

Why might voice traffic be placed in a priority queue on a WAN link?

Question 80 (medium, multiple choice; topic: DHCP)

Which feature helps prevent a rogue DHCP server from handing out addresses on a campus switch network?

Question 81 (medium, multiple choice; topic: AAA)

A network engineer successfully logs in to a router, but cannot enter configuration mode because the command is rejected by policy. Which AAA function is controlling this behavior?

Question 82 (medium, multiple choice; topic: DHCP)

Which DHCP message does the client send to formally accept an offered address?

Question 83 (hard, multiple choice; topic: DHCP)

Which switch security feature uses DHCP snooping bindings to validate ARP packets and help stop ARP spoofing?

Question 84 (hard, multiple choice; topic: ACL)

An ACL permits only tcp 10.10.10.0/24 host 192.0.2.10 eq 443 and has no other permit entries. What happens to an ICMP echo request from 10.10.10.5 to 192.0.2.10?

Question 85 (medium, multiple choice; topic: network assurance)

Which syslog severity is more critical: level 2 or level 5?

Question 86 (easy, multiple choice; topic: Network Services and Security)

Users can reach a server by IP address but not by hostname. Which service should be checked first?

Question 87 (medium, multiple choice; topic: DHCP)

What problem does DHCP snooping help prevent?

Question 88 (medium, multiple choice; topic: NAT/PAT)

A show ip nat translations command displays this entry:

Inside global 203.0.113.10:30001 Inside local 192.168.10.25:51514 Outside local 198.51.100.20:443 Outside global 198.51.100.20:443

Which statement is correct?

Question 89 (medium, multiple choice; topic: network assurance)

Which port-security violation mode drops frames from unauthorized MAC addresses but keeps the interface up and does not send an SNMP trap or syslog message?

Question 90 (medium, multiple choice; topic: Network Services and Security)

Why is SSH preferred over Telnet for remote device administration?

Question 91 (easy, multiple choice; topic: AAA)

In AAA, which function determines what an authenticated user is allowed to do after login?

Question 92 (easy, multiple choice; topic: Network Services and Security)

Which protocol is preferred over Telnet for remote CLI management because it encrypts the session?

Question 93 (medium, multiple choice; topic: VLAN trunking)

A PC in VLAN 30 must obtain an address from a DHCP server in VLAN 99. Which feature is required on the Layer 3 interface for VLAN 30?

Question 94 (easy, multiple choice; topic: Network Services and Security)

Why is Telnet generally discouraged for network device administration?

Question 95 (medium, multiple choice; topic: VLAN trunking)

A DHCP server is located on a different VLAN from the clients. Which feature is required so the clients can still receive addresses?

Question 96 (medium, multiple choice; topic: ACL)

As a general rule, where should an extended ACL be placed?

Question 97 (hard, multiple choice; topic: AAA)

A switchport is configured for 802.1X authentication. What is the usual role of the RADIUS server in that design?

Question 98 (hard, multiple choice; topic: ACL)

Why is an extended ACL usually placed close to the source of the traffic being filtered?

Question 99 (medium, multiple choice; topic: VLAN trunking)

A client on VLAN 20 must obtain an IPv4 lease from a DHCP server located on VLAN 100. Which feature is required on the Layer 3 interface for VLAN 20?

Question 100 (hard, multiple choice; topic: VLAN trunking)

A switch has DHCP snooping enabled and Dynamic ARP Inspection enabled on VLAN 30. A printer with a static IP on VLAN 30 cannot communicate because its ARP packets are being dropped.

What is the best fix?

Question 101 (medium, multiple choice; topic: Network Services and Security)

Which security concept gives a user only the permissions required to perform assigned tasks and nothing more?

Question 102 (medium, multi select; topic: Network Services and Security)

Which two statements about NTP are correct? (Choose two.)

Question 103 (medium, multiple choice; topic: routing)

Which field is modified by each router hop in an IPv4 packet to prevent endless forwarding loops?

Question 104 (hard, multiple choice; topic: Network Services and Security)

Dynamic ARP Inspection is most effective at preventing which attack?

Question 105 (hard, multiple choice; topic: routing)

A packet is larger than the outgoing interface MTU and the DF bit is set in the IPv4 header. What should the router do?

Question 106 (hard, multiple choice; topic: NAT/PAT)

A router performing PAT is using a single public IPv4 address for many inside hosts. Which value most often distinguishes one inside flow from another on the same outside address?

Question 107 (medium, multiple choice; topic: Network Services and Security)

Why is multifactor authentication generally stronger than password-only access?

Question 108 (medium, multi select; topic: Network Services and Security)

Which two features commonly strengthen access-switch security for user-facing ports? (Choose two.)

Question 109 (hard, multiple choice; topic: Network Services and Security)

A switch port is configured with port security using these commands:

switchport port-security
switchport port-security maximum 1
switchport port-security violation restrict
switchport port-security mac-address sticky

A user unplugs a company laptop and connects a different unauthorized device. The interface stays up/up, but the new device has no connectivity.

Which statement best explains what happened?

Question 110 (hard, multiple choice; topic: routing)

A host sends a packet larger than the outgoing interface MTU, and the IPv4 header has the Don't Fragment bit set.

What will a router do with the packet?

Question 111 (medium, multiple choice; topic: DHCP)

A router is configured as follows:

interface g0/1
 ip address 172.16.1.1 255.255.255.0
 ip helper-address 10.20.20.10

Hosts on 172.16.1.0/24 are not receiving addresses from the DHCP server at 10.20.20.10. The server is reachable by ping from the router.

What is the purpose of the ip helper-address command in this scenario?

Question 112 (medium, multiple choice; topic: NAT/PAT)

An engineer wants users to get fast link-up on access ports but also wants the switch to disable a port if another switch is connected and sends BPDUs.

Which combination of features best meets that requirement?

Question 113 (medium, multi select; topic: DHCP)

Which two statements accurately describe DNS and DHCP?

Question 114 (medium, multiple choice; topic: ACL)

Users in 10.10.10.0/24 must be prevented from reaching the web server at 172.16.1.10 over HTTP, but all other traffic should be allowed. Which ACL entry should appear first in the ACL?

Exhibit

access-list 110 ?

Question 115 (medium, multiple choice; topic: NAT/PAT)

A host at 192.168.50.10/24 needs to send traffic to 192.168.60.20. Which MAC address will it normally place in the Ethernet destination field for the first frame?

Question 116 (medium, multiple choice; topic: NAT/PAT)

Refer to the exhibit. Users on the inside network can browse the web, but return traffic is failing for some sessions. A partial configuration shows:

interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 203.0.113.10 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 192.168.10.0 0.0.0.255

Based on this configuration, which change is required to make PAT work correctly?

Exhibit

interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 203.0.113.10 255.255.255.252
 ip nat inside
!
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/1 overload

Question 117 (hard, multiple choice; topic: Network Services and Security)

An administrator wants to permit SSH management access but block Telnet access to a device. Which statement best reflects that design goal?

Question 118 (easy, matching; topic: Network Services and Security)

Match each IP service to its primary function.

Question 119 (medium, matching; topic: Network Services and Security)

Match each security concept to its most accurate purpose.

Question 120 (medium, multiple choice; topic: Network Services and Security)

Which protocol is most directly responsible for keeping device clocks synchronized across a network?

Question 121 (medium, multiple choice; topic: NAT/PAT)

A network team wants centralized logging and also wants log timestamps from different devices to line up accurately. Which combination best supports that goal?

Question 122 (hard, multiple choice; topic: NAT/PAT)

Users in a branch office can reach internal networks but cannot browse the Internet. The router has a correct default route and PAT is configured. Which missing item is the most likely cause if inside hosts are still using private source addresses on the WAN?

Exhibit

Observed symptom:
- Internal users can reach internal routes
- Internet browsing fails
- Private source addresses are still seen on outbound WAN traffic

Question 123 (medium, multiple choice; topic: Network Services and Security)

Which security concept is most closely associated with ensuring data has not been altered in an unauthorized way?

Question 124 (medium, multi select; topic: ACL)

Which two statements accurately describe ACL behavior on Cisco devices?

Question 125 (medium, multi select; topic: network assurance)

Which two statements accurately describe Syslog in a Cisco network environment?

Question 126 (hard, multiple choice; topic: Network Services and Security)

A company wants to reduce the chance that unused switch ports can be exploited. Which action best aligns with that goal?

Question 127 (medium, matching; topic: NAT/PAT)

Match each NAT or address-related term to its most accurate description.

Question 128 (hard, multiple choice; topic: Network Services and Security)

A switch should disable an edge port immediately if a BPDU is received on it. Which feature is intended for that specific behavior?

Question 129 (hard, multiple choice; topic: NAT/PAT)

A router has this command configured: `ip nat inside source static 192.168.1.50 203.0.113.50`. What is the main effect of this configuration?

Exhibit

`ip nat inside source static 192.168.1.50 203.0.113.50`

Question 130 (medium, multiple choice; topic: network assurance)

Why is NTP especially valuable when a network uses centralized Syslog servers?

Question 131 (hard, multiple choice; topic: NAT/PAT)

A router is performing PAT for inside users. Which detail allows multiple inside sessions to share one public IPv4 address at the same time?

Question 132 (medium, multi select; topic: Network Services and Security)

Which two actions are reasonable examples of basic device-hardening practice?

Question 133 (medium, multiple choice; topic: Network Services and Security)

Which service would a client most directly rely on to convert `server.example.com` into an IP address?

Question 134 (medium, matching; topic: Network Services and Security)

Match each service to the kind of problem it most directly helps solve.

Question 135 (medium, matching; topic: Network Services and Security)

Match each security term to its most accurate meaning.

Question 136 (medium, multiple choice; topic: Network Services and Security)

Which term in the CIA triad refers to ensuring systems and data remain accessible when needed?

Question 137 (hard, multiple choice; topic: NAT/PAT)

A host can reach local devices but cannot reach the Internet. The host has a correct IP address and subnet mask, but no default gateway. What is the best explanation?

Question 138 (medium, matching; topic: AAA)

Match each AAA component or related term to its most accurate meaning.

Question 139 (medium, multi select; topic: Network Services and Security)

Which two statements accurately describe basic WLAN security at the CCNA level?

Question 140 (easy, matching; topic: Network Services and Security)

Match each common IP service to its primary purpose.

Question 141 (medium, multiple choice; topic: routing)

A network administrator wants to secure remote CLI access to a Cisco router, moving beyond simple username/password authentication. Which approach best achieves this goal?

Question 142 (medium, matching; topic: Network Services and Security)

Match each security concept to its most accurate role.

Question 143 (hard, multiple choice; topic: NAT/PAT)

A company wants a server on the inside network to be reachable consistently from outside using one known public IP address. Which NAT approach best fits that goal?

Question 144 (medium, matching; topic: Network Services and Security)

Match each IP service symptom to the most likely service involved.

Question 145 (hard, multiple choice; topic: Network Services and Security)

An engineer wants remote administrative access to remain available but also wants session contents protected in transit. Which management choice best supports that goal?

Question 146 (hard, multiple choice; topic: NAT/PAT)

A router is configured for PAT using the WAN interface address. Which command element is most directly associated with allowing many internal users to share that single outside address?

Exhibit

`ip nat inside source list 1 interface GigabitEthernet0/1 overload`

Question 147 (hard, multiple choice; topic: Network Services and Security)

A host reaches websites by IP address but fails when using hostnames. Which service is the strongest suspect?

Question 148 (easy, matching; topic: Network Services and Security)

Match each remote-management concept to its most accurate description.

Question 149 (medium, matching; topic: Network Services and Security)

Match each security term to the question it most directly answers.

Question 150 (hard, multiple choice; topic: NAT/PAT)

A branch router uses PAT for Internet access. Users can browse out, but the administrator wants a specific internal web server to be reachable from outside on a consistent public address. Which design fits that requirement best?

Question 151 (medium, matching; topic: NAT/PAT)

Match each NAT term to its most accurate description.

Question 152 (medium, multiple choice; topic: Network Services and Security)

A host receives its IP address automatically but cannot resolve hostnames. Which additional service information is most likely missing from its configuration?

Question 153 (medium, matching; topic: Network Services and Security)

Match each security control idea to its most accurate purpose.

Question 154 (hard, multiple choice; topic: NAT/PAT)

A router is configured with a static NAT mapping for an internal server. What is the main operational advantage of this design for outside clients?

Question 155 (medium, multi select; topic: DNS)

Which two statements accurately describe DNS in normal network operation?

Question 156 (hard, multiple choice; topic: Network Services and Security)

A switchport is configured with sticky MAC learning and a maximum secure MAC value of 2. What is the main benefit of sticky learning in this situation?

Question 157 (medium, matching; topic: Network Services and Security)

Match each service or protocol to the problem it most directly helps solve.

Question 158 (medium, multiple choice; topic: network assurance)

Why is NTP especially useful when devices send logs to a centralized Syslog server?

Question 159mediummatching
Read the full Network Services and Security explanation →

Match each access-control concept to its most accurate meaning.

Question 160hardmultiple choice
Read the full Network Services and Security explanation →

An internal server must always be reachable from outside using the same public IP address. Which translation approach is most appropriate?

Question 161hardmultiple choice
Read the full NAT/PAT explanation →

A small office uses PAT for user Internet access. What mechanism does PAT use to allow many users to share one public address while keeping their sessions distinct?

Question 162mediummultiple choice
Read the full Network Services and Security explanation →

A user can reach a remote web server by IP address but not by hostname. Which service should be checked first?

Question 163mediummulti select
Read the full Network Services and Security explanation →

Select the options that correctly pair the security principle or control with its meaning.

Question 164hardmultiple choice
Read the full NAT/PAT explanation →

A company wants internal users to share one public IPv4 address for outbound Internet access, while keeping sessions separate. Which NAT approach best meets that requirement?

Question 165mediummatching
Read the full Network Services and Security explanation →

Match each security-related term to its most accurate meaning.

Question 166mediummatching
Read the full Network Services and Security explanation →

Match each infrastructure service to the operational problem it most directly addresses.

Question 167hardmultiple choice
Read the full DHCP explanation →

A host has a valid IP address and subnet mask from DHCP but cannot reach remote networks because no gateway was provided. What is the best explanation?

Question 168hardmultiple choice
Read the full NAT/PAT explanation →

A router is configured with PAT for inside users. Which symptom most strongly suggests the NAT inside/outside roles are reversed on the interfaces?

Question 169hardmultiple choice
Read the full NAT/PAT explanation →

Why is the combination of strong authentication and centralized logging generally better than using either one alone?

Question 170mediummultiple choice
Read the full Network Services and Security explanation →

A host can reach remote websites by IP address but fails when using their hostnames. Which missing configuration item is the strongest suspect?

Question 171mediummulti select
Read the full DNS explanation →

Which two statements accurately describe DNS in everyday network use?

Question 172hardmultiple choice
Read the full Network Services and Security explanation →

Users on the inside network can browse the web, but the company now needs an internal web server at 192.168.10.50 to be reachable consistently from outside using one public IP address. Which design is most appropriate?

Question 173hardmultiple choice
Read the full Network Services and Security explanation →

A company wants unauthorized devices plugged into unused wall ports to have as little chance of gaining access as possible. Which action most directly supports that goal?

Question 174easymatching
Read the full Network Services and Security explanation →

Match each basic security term to its most accurate meaning.

Question 175mediummatching
Read the full Network Services and Security explanation →

Match each access-control term to its most accurate meaning.

Question 176mediummultiple choice
Read the full Network Services and Security explanation →

Why is centralized logging especially useful when combined with NTP?

Question 177hardmultiple choice
Read the full Network Services and Security explanation →

Why is administratively shutting down unused switch ports considered a useful hardening practice?

Question 178mediummultiple choice
Read the full DHCP explanation →

Why is DHCP often preferred over manual addressing on larger user networks?

Question 179hardmultiple choice
Review the full subnetting walkthrough →

If a host has a valid IP address and subnet mask but no default gateway, what is the most likely result?

Question 180hardmultiple choice
Read the full NAT/PAT explanation →

A company wants an internal web server to be reachable consistently from the Internet using one known public IPv4 address. Which NAT approach best fits that requirement?

Question 181hardmultiple choice
Read the full NAT/PAT explanation →

Why is the combination of strong authentication and centralized logging better than either control by itself?

Question 182mediummatching
Read the full Network Services and Security explanation →

Match each management or monitoring concept to its most accurate role.

Question 183mediummultiple choice
Read the full Network Services and Security explanation →

A user reports that websites can be opened by IP address but not by hostname. Which service is the strongest suspect?

Question 184hardmultiple choice
Read the full NAT/PAT explanation →

A branch office uses PAT for user Internet access. The administrator notices that inside users can browse out, but an internal server still cannot be reached consistently from outside. Which change is most appropriate?

Question 185mediummultiple choice
Review the full subnetting walkthrough →

A host can reach other devices on its local subnet, but it cannot reach remote networks. The host has a valid IP address and subnet mask. Which missing item is the strongest suspect?

Question 186hardmultiple choice
Read the full Network Services and Security explanation →

Why is shutting down unused switch ports considered a useful hardening measure?

Question 187hardmultiple choice
Read the full NAT/PAT explanation →

Which NAT design is most appropriate when many inside users need outbound Internet access through one public IPv4 address, but no inbound server publishing is required?

Question 188mediummulti select
Read the full DHCP explanation →

Which two statements accurately describe DHCP?

Question 189mediummatching
Read the full Network Services and Security explanation →

Match each service to the issue it most directly addresses.

Question 190mediummatching
Read the full Network Services and Security explanation →

Match each term to the question it most directly answers.

Question 191hardmultiple choice
Read the full DHCP explanation →

A host receives a correct IP address and subnet mask from DHCP but still cannot reach remote networks. Local subnet communication works. Which missing DHCP option is the strongest suspect?

Question 192hardmultiple choice
Read the full NAT/PAT explanation →

Users on the inside network can browse the Internet through PAT, but an internal web server must now be reachable from outside on a predictable public IP. Which change best fits the requirement?

Question 193hardmultiple choice
Read the full Network Services and Security explanation →

Why is administratively shutting down unused switch ports considered a useful hardening measure?

Question 194mediummultiple choice
Read the full DNS explanation →

Why does DNS make networks easier for people to use?

Question 195mediummultiple choice
Read the full network assurance explanation →

Why is NTP especially valuable when a company uses a centralized Syslog server?

Question 196mediummatching
Read the full Network Services and Security explanation →

Match each operations or assurance technology to its most accurate purpose.

Question 197hardmultiple choice
Study the full ACL explanation →

Users in 10.10.10.0/24 must be prevented from reaching the web server at 172.16.1.10 over HTTP, but all other traffic should be allowed. Which ACL entry best matches the requirement?

Question 198mediummatching
Study the full ACL explanation →

Match each ACL-related term to its most accurate description.

Question 199hardmultiple choice
Review the full subnetting walkthrough →

A network team wants visibility into which flows are consuming the most bandwidth between internal subnets. Which technology is most directly associated with that goal?

Question 200mediummatching
Read the full Network Services and Security explanation →

Match each security concept to its most accurate meaning.

Question 201hardmultiple choice
Study the full ACL explanation →

An ACL is intended to block Telnet from 10.1.1.0/24 to router VTY access while still allowing SSH from the same subnet. Which statement best explains why an extended ACL is appropriate here?

Question 202mediummatching
Read the full Network Services and Security explanation →

Match each network-assurance item to its most accurate role.

Question 203hardmultiple choice
Read the full network assurance explanation →

A network administrator wants to receive an immediate notification from a device when a significant event occurs, rather than polling the device repeatedly. Which SNMP feature is most associated with that requirement?

Question 204hardmultiple choice
Study the full ACL explanation →

A standard ACL and an extended ACL are both available for a design. Which requirement most strongly indicates that an extended ACL is needed?

Question 205hardmultiple choice
Review the full subnetting walkthrough →

A security policy requires that only one management subnet be able to initiate SSH to a router. Which approach most directly supports that requirement?

Question 206mediummultiple choice
Read the full Network Services and Security explanation →

Why is disabling unused services on network devices considered a sound security practice?

Question 207hardmultiple choice
Review the full routing breakdown →

An administrator wants to block all Telnet access to a router’s VTY lines and allow only SSH. Which change most directly supports that goal?

Question 208mediummatching
Read the full Network Services and Security explanation →

Match each service to the symptom it most directly relates to when troubleshooting.

Question 209mediummatching
Read the full Network Services and Security explanation →

Match each management-plane security item to its most accurate purpose.

Question 210hardmultiple choice
Review the full routing breakdown →

An operations team wants a monitoring platform to periodically read interface counters and CPU statistics from routers. Which technology is most closely associated with that requirement?

Question 211mediummatching
Read the full Network Services and Security explanation →

Match each operations term to its most accurate meaning.

Question 212hardmultiple choice
Study the full ACL explanation →

An administrator wants to allow HTTPS traffic from a source subnet to a server but deny all Telnet traffic from that same subnet to the same server. Which ACL capability is required to express that policy accurately?

Question 213hardmultiple choice
Review the full subnetting walkthrough →

A router allows SSH management from anywhere on the internal network. A new policy requires that only the management subnet 10.50.50.0/24 be allowed to initiate SSH to the device. Which approach best enforces that requirement?

Question 214mediummatching
Read the full Network Services and Security explanation →

Match each service or visibility technology to the most appropriate use case.

Question 215mediummultiple choice
Review the full subnetting walkthrough →

A team wants to know which internal hosts are sending the most traffic to a specific data center subnet. Which technology is most directly associated with that visibility goal?

Question 216hardmultiple choice
Read the full network assurance explanation →

An administrator sees high interface utilization through SNMP graphs but wants to identify which conversations are responsible. Which addition best closes that visibility gap?

Question 217mediummatching
Read the full Network Services and Security explanation →

Match each operational symptom to the technology most likely associated with investigating it.

Question 218mediummulti select
Read the full Network Services and Security explanation →

Which two statements accurately describe good management-plane security practice on network devices?

Question 219hardmultiple choice
Study the full ACL explanation →

An administrator wants to prevent a specific subnet from using Telnet to reach network devices, while still allowing SSH from that same subnet. What is the strongest reason a standard ACL is not enough by itself?

Question 220hardmultiple choice
Read the full Network Services and Security explanation →

A security team wants device administrators to log in with individual named accounts instead of sharing one generic admin account. Which security objective does that most directly improve?

Question 221mediummatching
Read the full Network Services and Security explanation →

Match each security control or idea to its most accurate purpose.

Question 222hardmultiple choice
Study the full ACL explanation →

An administrator wants to prevent users from browsing to one specific web server while still allowing them to reach other web destinations. Which ACL design principle is most important here?

Question 223mediummulti select
Read the full Network Services and Security explanation →

Which two statements accurately describe common uses of NTP in network operations?

Question 224mediummatching
Read the full Network Services and Security explanation →

Match each technology to the kind of visibility or function it most directly provides.

Question 225hardmultiple choice
Read the full network assurance explanation →

A monitoring system already collects Syslog and SNMP data. The network team now wants visibility into which applications or host conversations are driving link utilization. What is the strongest addition?

Question 226mediummulti select
Read the full network assurance explanation →

Which two statements accurately describe why NetFlow is useful for operations teams?

Question 227hardmultiple choice
Read the full Network Services and Security explanation →

Users can reach an internal server by IP address but not by hostname. What is the most likely cause?

Exhibit

User test results:
- ping 10.20.30.40 = success
- open http://10.20.30.40 = success
- open http://intranet.corp.local = fail
Question 228hardmultiple choice
Read the full DNS explanation →

A host receives an IP address, subnet mask, default gateway, and DNS server automatically when it joins the network. Which service is most directly responsible for delivering that bundle of settings?

Question 229mediummulti select
Read the full Network Services and Security explanation →

Which two statements accurately describe why SSH is preferred over Telnet for device administration?

Question 230hardmultiple choice
Read the full DHCP explanation →

A switch is configured with DHCP snooping and Dynamic ARP Inspection. Hosts suddenly lose connectivity after changing IP settings manually. Which explanation is strongest?

Question 231hardmultiple choice
Study the full AAA explanation →

An engineer is allowed to log in to a router but cannot enter configuration mode. Which AAA function most directly explains that outcome?

Question 232mediummulti select
Read the full DNS explanation →

Which two statements accurately describe why DNS issues can look like general connectivity problems to users?

Question 233mediummatching
Read the full Network Services and Security explanation →

Match each service to the problem it most directly helps solve.

Question 234mediummulti select
Read the full Network Services and Security explanation →

Which two statements accurately describe why logs and accounting records both matter in secure operations?

Question 235hardmultiple choice
Read the full Network Services and Security explanation →

A device administrator can log in securely over SSH, but the organization still insists on restricting source IP ranges and keeping detailed logs. Which statement best explains that decision?

Question 236hardmultiple choice
Open the full VLAN trunking answer →

Based on the exhibit, which configuration should be added to restore DHCP service for clients in VLAN 30?

Exhibit

interface Vlan30
 ip address 10.30.30.1 255.255.255.0
 no shutdown

interface Vlan99
 ip address 10.99.99.1 255.255.255.0
 no shutdown

Remote DHCP server: 10.99.99.20
Question 237hardmultiple choice
Read the full NAT/PAT explanation →

Based on the exhibit, what is the most likely reason PAT is not working correctly?

Exhibit

interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 203.0.113.10 255.255.255.252
 ip nat inside
!
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/1 overload
Question 238mediummatching
Read the full Network Services and Security explanation →

Match each troubleshooting observation to the most likely primary area to investigate first.

Question 239mediummulti select
Read the full Network Services and Security explanation →

Which two statements accurately describe the purpose of least privilege in administration and operations?

Question 240hardmultiple choice
Study the full ACL explanation →

An administrator needs to configure an ACL to block HTTP traffic from subnet 10.10.10.0/24 to the web server at 172.16.1.10 while permitting all other traffic. Which ACL entry should be placed first?

Exhibit

Requirement:
- Block HTTP from 10.10.10.0/24 to 172.16.1.10
- Permit all other traffic

access-list 110 ?
Question 241mediummatching
Read the full Network Services and Security explanation →

Match each symptom to the first service area most likely involved.

Question 242hardmultiple choice
Read the full NAT/PAT explanation →

Based on the exhibit, what is the strongest explanation for why clients can browse by IP address but not by hostname?

Exhibit

Client tests:
- ping 172.16.20.50 = success
- open http://172.16.20.50 = success
- open http://portal.corp.example = fail
Question 243hardmultiple choice
Study the full ACL explanation →

Based on the exhibit, why is the ACL not meeting the requirement to block only HTTPS traffic to the server?

Exhibit

Requirement:
- Block HTTPS from 10.20.20.0/24 to 172.16.5.10
- Allow all other traffic

Configured entry:
deny ip 10.20.20.0 0.0.0.255 host 172.16.5.10
Question 244mediummulti select
Read the full Network Services and Security explanation →

Which two statements accurately describe the value of source restriction on administrative access?

Question 245hardmultiple choice
Read the full Network Services and Security explanation →

Based on the exhibit, what is the strongest next troubleshooting focus?

Exhibit

User tests:
- ping 192.168.200.50 = success
- HTTP to 192.168.200.50 = success
- HTTP to app.internal.lab = fail
Question 246mediummulti select
Read the full Network Services and Security explanation →

Which two statements accurately describe why least privilege and source restriction work well together for administrative access?

Question 247hardmultiple choice
Read the full Network Services and Security explanation →

A user can authenticate successfully to a network device but is denied access to certain commands. Which statement best explains the situation?

Question 248mediummatching
Read the full Network Services and Security explanation →

Match each operational tool to the kind of question it most directly helps answer.

Question 249hardmultiple choice
Study the full ACL explanation →

Based on the exhibit, why is the ACL blocking more traffic than intended?

Exhibit

Requirement:
- Block Telnet from 10.30.30.0/24 to 172.16.9.9
- Allow all other traffic

Configured ACL entry:
deny tcp 10.30.30.0 0.0.0.255 host 172.16.9.9
Question 250hardmultiple choice
Study the full ACL explanation →

Based on the exhibit, why does the ACL still allow HTTPS traffic from the branch subnet to the server?

Exhibit

Requirement:
- Block HTTPS from 10.44.44.0/24 to 172.16.8.20

Configured ACL entry:
deny tcp 10.44.44.0 0.0.0.255 host 172.16.8.20 eq 80
Question 251mediummatching
Read the full Network Services and Security explanation →

Match each observation to the service area it most strongly suggests first.

Question 252mediummulti select
Read the full Network Services and Security explanation →

Which two statements accurately describe the value of named administrative accounts?

Question 253hardmultiple choice
Open the full VLAN trunking answer →

Based on the exhibit, why are clients in VLAN 70 failing to resolve hostnames even though they can reach remote IP addresses?

Exhibit

VLAN 70 DHCP scope:
 network 10.70.70.0 255.255.255.0
 default-router 10.70.70.1

Client tests:
- ping 192.0.2.50 = success
- open http://192.0.2.50 = success
- open http://portal.branch.lab = fail
Question 254mediummulti select
Read the full network assurance explanation →

Which two statements accurately describe why NTP and Syslog are often configured together?

Question 255mediummulti select
Read the full Network Services and Security explanation →

Which two statements accurately describe why source restriction and logging are often used together for administrative access?

Question 256mediummatching
Read the full Network Services and Security explanation →

Match each user or host symptom to the service most directly suggested first.

Question 257hardmultiple choice
Open the full VLAN trunking answer →

What is the strongest explanation for why hosts in VLAN 40 are receiving addresses from the wrong DHCP scope?

Exhibit

interface Vlan40
 ip address 10.40.40.1 255.255.255.0
 ip helper-address 10.99.99.30

Expected VLAN 40 scope: 10.40.40.0/24
Observed client address range: 10.50.50.0/24
Question 258mediummultiple choice
Open the full VLAN trunking answer →

Two switches are connected by an 802.1Q trunk. CDP reports a native VLAN mismatch. Which issue is most likely to appear because of this?

Question 259mediummatching
Read the full Network Services and Security explanation →

Match each REST API method to the action it most closely represents in a typical network automation workflow.

Question 260hardmultiple choice
Review the full routing breakdown →

R1 has the following routes installed:

O    10.10.10.0/24 via 192.0.2.2
S    10.10.10.128/25 via 198.51.100.2
S*   0.0.0.0/0 via 203.0.113.1

A packet destined for 10.10.10.200 arrives at R1. Which route is used?

Question 261mediummultiple choice
Review the full routing breakdown →

A branch router has only one WAN link connected to an Ethernet handoff from the provider. Which static default route is generally the better choice?

Question 262easymatching
Read the full DHCP explanation →

Match each DHCPv4 message in the DORA process to its role.

Question 263mediummultiple choice
Read the full Network Services and Security explanation →

An engineer successfully authenticates to a controller and receives a token. What is the usual reason for including that token in later API requests?

Question 264mediummultiple choice
Read the full Network Services and Security explanation →

A user reports that their desk port stopped working immediately after they connected a small switch. The interface shows err-disabled, and the log mentions BPDU Guard. What most likely happened?

Question 265mediummultiple choice
Read the full Network Services and Security explanation →

On a user access port, port security is configured with a maximum of 2 MAC addresses and violation mode restrict. A third unauthorized device is connected through a small unmanaged switch. What happens?

Question 266mediummultiple choice
Study the full ACL explanation →

An ACL entry reads:

access-list 25 permit 192.168.8.0 0.0.0.15

Which address range does this statement match?

Question 267mediummultiple choice
Read the full NAT/PAT explanation →

R1 has these static routes configured. When the primary WAN path is up, which route will be installed in the routing table for traffic to 172.16.50.0/24?

Exhibit

ip route 172.16.50.0 255.255.255.0 10.1.1.2
ip route 172.16.50.0 255.255.255.0 10.2.2.2 5
ip route 0.0.0.0 0.0.0.0 10.3.3.2
Question 268hardmultiple choice
Open the full VLAN trunking answer →

SW2 shows the following STP details for VLAN 10: the root bridge ID is 32778:0011.1111.1111 (SW1) and SW2's own bridge ID is 32778:00aa.aaaa.aaaa (priority 32768 plus the VLAN ID, because extended system ID is in use). Its interface Gi0/1 has a path cost of 4 to the root, while Gi0/2 has a path cost of 19. Based on this information, which statement is correct?

Exhibit

SW2# show spanning-tree vlan 10

Root ID    Priority    32778
           Address     0011.1111.1111
           Cost        4
           Port        1 (GigabitEthernet0/1)

Bridge ID  Priority    32778
           Address     00aa.aaaa.aaaa
Question 269hardmultiple choice
Review the full OSPF breakdown →

R1 and R2 should form an OSPF adjacency on their shared GigabitEthernet link, but they remain stuck in EXSTART. What is the most likely cause?

Exhibit

R1 Gi0/0:
 ip address 10.10.12.1 255.255.255.252
 ip ospf 10 area 0
 ip mtu 1500

R2 Gi0/0:
 ip address 10.10.12.2 255.255.255.252
 ip ospf 10 area 0
 ip mtu 1400

Both interfaces are up/up.
show ip ospf neighbor on both routers:
Neighbor ID     Pri   State      Dead Time   Address      Interface
2.2.2.2           1   EXSTART    00:00:31    10.10.12.2   Gi0/0
Question 270hardmultiple choice
Review the full OSPF breakdown →

R1 learns three OSPF routes to different destinations:

O    10.10.10.0/24
O IA 10.20.20.0/24
O E2 10.30.30.0/24

Which statement is correct about these route types?

Question 271hardmultiple choice
Read the full wireless explanation →

A wireless site reports that users can connect to the SSID, but performance drops sharply around the conference area whenever the room fills up. Based on the exhibit, what is the most likely cause?

Exhibit

AP-1 channel: 1
AP-2 channel: 3
AP-3 channel: 6

All three APs cover the same conference area on 2.4 GHz.
Transmit power is set to high on all APs.
Question 272easymultiple choice
Read the full Network Services and Security explanation →

Based on the JSON snippet below, which statement is correct?

{
  "device": {
    "hostname": "R1",
    "interfaces": [
      {"name": "Gig0/0", "status": "up"},
      {"name": "Gig0/1", "status": "down"}
    ]
  }
}
Question 273hardmultiple choice
Read the full NAT/PAT explanation →

Hosts on the inside network can reach the internet, but return traffic is failing after a new router was installed. The router's configuration shows that the LAN-facing interface has been configured with 'ip nat outside' and the WAN-facing interface with 'ip nat inside'. What configuration mistake is the most likely cause?

Exhibit

interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat outside

interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.252
 ip nat inside

access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/1 overload
Question 274easymultiple choice
Study the full ACL explanation →

An ACL on R1 contains only these entries:

access-list 101 permit tcp 10.10.10.0 0.0.0.255 any eq 443
access-list 101 permit icmp any any

What happens to an HTTP packet sourced from 10.10.10.25 and destined for 198.51.100.10 if ACL 101 is applied in the traffic path?
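
Several of the ACL questions above (Q240, Q243, Q249, Q250, Q266 and this one) turn on the same three rules: a wildcard bit of 1 means "do not care", entries are checked top-down and the first match wins, and anything no entry matches hits the implicit deny. The evaluator below is an added example, not code from this page or from Cisco; it handles the entry forms used in these questions (standard numbered ACLs matching source only, extended ones matching protocol, source, destination and an optional `eq PORT`), and every class and function name is this example's own.

```python
"""Cisco-style IPv4 ACL evaluation: wildcard masks, first match wins, implicit deny.

Added example (not code from the page). Standard numbered ACLs (1-99, 1300-1999)
match the source only; extended ones (100-199, 2000-2699) match protocol, source,
destination and an optional 'eq PORT'. Names here are this example's own.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "www": 80, "https": 443}
ANY = ("0.0.0.0", "255.255.255.255")      # 'any' is network 0.0.0.0 with an all-ones wildcard


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Only the bits where the wildcard is 0 must equal the network."""
    a = int(ipaddress.IPv4Address(addr))
    net = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (net & care)


def wildcard_range(network: str, wildcard: str) -> tuple[str, str]:
    """First and last address covered by NETWORK WILDCARD (e.g. 192.168.8.0 0.0.0.15)."""
    net = int(ipaddress.IPv4Address(network))
    wc = int(ipaddress.IPv4Address(wildcard))
    first = net & (~wc & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(first | wc))


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port for tcp/udp


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: tuple[str, str]          # (network, wildcard)
    dst: tuple[str, str]
    dport: Optional[int] = None   # from 'eq PORT'; None matches any port

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.src, *self.src) or not wildcard_match(p.dst, *self.dst):
            return False
        return self.dport is None or self.dport == p.dport


def _parse_addr(tokens: list[str]) -> tuple[tuple[str, str], list[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (addr, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NUMBER permit|deny ...' line."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action, rest = int(t[1]), t[2], t[3:]
    if number <= 99 or 1300 <= number <= 1999:          # standard ACL: source only
        src, _ = _parse_addr(rest)
        return Ace(action, "ip", src, ANY)
    proto, rest = rest[0], rest[1:]                     # extended ACL
    src, rest = _parse_addr(rest)
    dst, rest = _parse_addr(rest)
    dport = None
    if len(rest) >= 2 and rest[0] == "eq":
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Ace(action, proto, src, dst, dport)


def evaluate(acl_lines: list[str], p: Packet) -> str:
    """Top-down, first match wins; a packet no entry matches hits the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace.matches(p):
            return ace.action
    return "deny (implicit)"
```

Running the ACL 101 from this question through `evaluate` shows why the HTTP packet is dropped: port 80 is not 443, ICMP is not TCP, and nothing else is listed, so the packet falls to the implicit deny. The same evaluator reproduces the Q249 and Q250 exhibits: `deny tcp` with no port qualifier drops SSH along with Telnet, and `eq 80` never touches HTTPS on 443.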

Question 275easymultiple choice
Read the full network assurance explanation →

Which Syslog severity level represents an emergency condition, the most critical level?

Question 276easymatching
Read the full Network Services and Security explanation →

Match each IP service to the transport protocol and default port it commonly uses in a basic CCNA context.

Question 277hardmultiple choice
Read the full DHCP explanation →

Clients can join the Guest SSID and authenticate successfully, but they never receive an IP address. The DHCP scope for the guest network exists on the server. Based on the exhibit, what is the most likely cause?

Exhibit

WLAN: Guest
Mapped VLAN: 300

Switch interface Gi1/0/24 toward AP:
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
Question 278mediummultiple choice
Open the full VLAN trunking answer →

Users on VLAN 20 are not receiving IPv4 addresses from the centralized DHCP server at 10.50.0.10. Users in other VLANs are working normally. Based on the exhibit, which change should fix the issue for VLAN 20 clients?

Exhibit

interface Vlan20
 ip address 10.20.20.1 255.255.255.0
 ip helper-address 10.50.0.100

interface Vlan30
 ip address 10.30.30.1 255.255.255.0
 ip helper-address 10.50.0.10

DHCP server address: 10.50.0.10
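
Q236, Q253, Q257 and this question all come down to how a relayed DHCP exchange works: the client's DISCOVER is a broadcast that stops at the routed interface, so the SVI needs `ip helper-address SERVER` to forward it as a unicast with `giaddr` set to the SVI's own address, and the server then chooses the scope that contains `giaddr`. The model below is an added example, not code from this page or from any DHCP server; `Scope`, `DhcpServer` and `relay_discover` are this example's own names, and the server hands out host numbers .10, .11, ... purely for illustration.

```python
"""DHCP for a VLAN whose server sits elsewhere.

Added example (not code from the page). Models the relay path in the exhibits:
no helper (Q236), a helper pointing at an address nobody answers on (Q278), a
scope with no DNS option (Q253) and a scope that does not contain giaddr (Q257).
'Scope', 'DhcpServer' and 'relay_discover' are this example's own names.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Scope:
    network: str                      # e.g. "10.40.40.0/24"
    default_router: str
    dns_server: Optional[str] = None  # absent when the scope has no dns-server option


class DhcpServer:
    def __init__(self, address: str, scopes: list[Scope]):
        self.address = address
        self.scopes = scopes
        self.next_host = 10           # constructed: offers .10, .11, ... in order

    def offer(self, giaddr: str) -> Optional[dict]:
        """RFC 2131 scope selection for a relayed request: the scope containing giaddr.
        With no matching scope the server has nothing to offer and stays silent."""
        for s in self.scopes:
            net = ipaddress.IPv4Network(s.network)
            if ipaddress.IPv4Address(giaddr) in net:
                addr = net.network_address + self.next_host
                self.next_host += 1
                return {"address": str(addr), "router": s.default_router, "dns": s.dns_server}
        return None


def relay_discover(svi_address: str, helper_address: Optional[str],
                   servers: dict[str, DhcpServer]) -> Optional[dict]:
    """An SVI receives a broadcast DISCOVER from a client in its VLAN.
    No helper: the broadcast is not routed and no server ever sees it.
    Helper set: the SVI unicasts it to that address with giaddr = its own address."""
    if helper_address is None:
        return None
    server = servers.get(helper_address)
    if server is None:
        return None                   # nothing listens on that address: no OFFER comes back
    return server.offer(giaddr=svi_address)
```

Two things the model makes visible. First, in this question the helper points at 10.50.0.100 while the server listens on 10.50.0.10, so the relayed DISCOVER goes nowhere and VLAN 20 clients never see an OFFER, exactly as if the helper were missing. Second, a relayed request with `giaddr` 10.40.40.1 can never be answered out of a 10.50.50.0/24 scope, so Q257's symptom points at something outside the normal relay path: a scope defined on the wrong network, or a server answering the broadcast directly inside VLAN 40 before the relayed OFFER arrives.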
Question 279mediummultiple choice
Read the full EtherChannel explanation →

Two switches are configured to form an EtherChannel, but the bundle never comes up. Which explanation best describes this scenario?

Exhibit

SW1:
interface range g1/0/1-2
 channel-group 5 mode active

SW2:
interface range g1/0/1-2
 channel-group 5 mode on
Question 280easymultiple choice
Review the full OSPF breakdown →

Which OSPF neighbor state indicates that the routers have already exchanged full link-state databases?

Question 281mediummatching
Review the full routing breakdown →

Match each route source to its default administrative distance on a Cisco router.

Question 282hardmulti select
Review the full OSPF breakdown →

R1 learns the route 192.0.2.0/24 via OSPF, RIP, and a static route configured with an administrative distance of 130. Based on this information, which two statements are correct?

Exhibit

show ip route 192.0.2.0
Routing entry for 192.0.2.0/24
  Known via "ospf 1", distance 110, metric 20, type intra area
  Last update from 10.1.12.2 on GigabitEthernet0/0

Configured routes:
ip route 192.0.2.0 255.255.255.0 10.1.13.3 130

RIP also advertises 192.0.2.0/24 with distance 120.
Question 283mediummatching
Read the full Network Services and Security explanation →

Match each management or monitoring technology to its primary purpose.

Question 284hardmulti select
Read the full Network Services and Security explanation →

A switch interface connected to a Cisco IP phone with a PC behind it must carry voice and data correctly. Which two switchport commands are appropriate on that access port?

Question 285mediummultiple choice
Read the full Network Services and Security explanation →

An automation script needs to send a bearer token when calling a controller REST API over HTTPS. Where is that token most commonly included?

Question 286mediummultiple choice
Open the full VLAN trunking answer →

A switch stack is running PVST+. Users on VLAN 40 lose connectivity for roughly 30 seconds every time the uplink on SW2 flaps. Based on the exhibit, which change would most directly improve convergence for this VLAN?

Exhibit

show spanning-tree summary
Switch is in pvst mode
Root bridge for: VLAN0001 VLAN0010 VLAN0020
Extended system ID is enabled
Portfast Default is disabled

show spanning-tree vlan 40
Spanning tree enabled protocol ieee
Root ID    Priority    327...
Question 287hardmultiple choice
Review the full subnetting walkthrough →

Two static routes exist for the 203.0.113.0/24 network: one pointing to ISP-A with an administrative distance of 10, and another pointing to ISP-B with an administrative distance of 5. Packets for that subnet are leaving through ISP-B. What explains this behavior?

Exhibit

show ip route 203.0.113.0
Routing entry for 203.0.113.0/24
  Known via "static", distance 5, metric 0
  * 198.51.100.2

Configured route:
ip route 203.0.113.0 255.255.255.0 192.0.2.2 10 name ISP-A
ip route 203.0.113.0 255.255.255.0 198.51.100.2 5 name ISP-B
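
Q260, Q267, Q282 and this question each exercise one half of the same two-step decision: for a given prefix the router installs only the candidate with the lowest administrative distance (then lowest metric), and for a given packet it forwards on the most specific installed prefix regardless of how that prefix was learned. The code below is an added example, not code from this page or from Cisco; `Route`, `install` and `lookup` are this example's own names, and the AD table lists only the sources these questions use.

```python
"""Route installation by administrative distance, then forwarding by longest prefix match.

Added example (not code from the page). 'Route', 'install', 'lookup' and
'next_hop_for' are this example's own names; ADMIN_DISTANCE holds the IOS
defaults for the sources used in these questions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ADMIN_DISTANCE = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: str                      # e.g. "10.10.10.0/24"; "0.0.0.0/0" is the default route
    next_hop: str
    source: str                      # key of ADMIN_DISTANCE
    distance: Optional[int] = None   # explicit AD, e.g. 'ip route ... 10.2.2.2 5'
    metric: int = 0

    @property
    def ad(self) -> int:
        return self.distance if self.distance is not None else ADMIN_DISTANCE[self.source]


def install(candidates: list[Route]) -> list[Route]:
    """For each prefix keep the lowest AD, then the lowest metric.
    A floating static route with a higher AD stays out until the better route is gone."""
    by_prefix: dict[str, list[Route]] = {}
    for r in candidates:
        by_prefix.setdefault(r.prefix, []).append(r)
    table: list[Route] = []
    for routes in by_prefix.values():
        best = min((r.ad, r.metric) for r in routes)
        table.extend(r for r in routes if (r.ad, r.metric) == best)
    return table


def lookup(table: list[Route], destination: str) -> Optional[Route]:
    """Longest prefix match among installed routes; AD plays no part at this step."""
    dst = ipaddress.IPv4Address(destination)
    matches = [r for r in table if dst in ipaddress.IPv4Network(r.prefix)]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.IPv4Network(r.prefix).prefixlen)


def next_hop_for(candidates: list[Route], destination: str) -> Optional[str]:
    """Install the candidates, then resolve one destination to its next hop."""
    r = lookup(install(candidates), destination)
    return r.next_hop if r else None
```

For this question both candidates are static routes to the same /24, so `install` keeps only the AD 5 entry toward 198.51.100.2; the AD 10 route to ISP-A is a backup that appears only if ISP-B's route is withdrawn. For Q260 the order is reversed: the static /25 and the OSPF /24 both stay installed because they are different prefixes, and `lookup` picks the /25 for 10.10.10.200 even though OSPF's AD is irrelevant there.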
Question 288hardmultiple choice
Read the full Network Services and Security explanation →

A controller-based WLAN uses 5 GHz in an open office. Clients keep disconnecting when users roam between APs, but signal strength remains strong. Based on the exhibit, what is the most likely problem?

Exhibit

AP-1 5 GHz power: 8 dBm
AP-2 5 GHz power: 8 dBm
AP-3 5 GHz power: 23 dBm
AP-4 5 GHz power: 8 dBm

Users report problems mainly near AP-3's area boundary.
Question 289hardmultiple choice
Review the full routing breakdown →

A collector is not receiving flow records from a branch router. Based on the exhibit, what is the most likely issue?

Exhibit

ip flow-export destination 10.99.99.50 2055
ip flow-export source Loopback0

interface Loopback0
 ip address 172.16.255.1 255.255.255.255

interface GigabitEthernet0/0
 ip address 10.99.99.2 255.255.255.0

Collector subnet: 10.99.99.0/24
Collector accepts exports only from 10.99.99.2
Question 290 (hard, multiple choice)

A branch router is configured for NAT overload. The inside interface Gi0/0 is correctly marked ip nat inside, and the outside interface Gi0/1 is ip nat outside. The NAT statement uses access-list 1 permit 10.1.1.0 0.0.0.255 with ip nat inside source list 1 interface Gi0/1 overload. Inside hosts are in the 192.168.1.0/24 subnet and still reach the ISP with their private addresses. What is the most likely reason?

Exhibit

access-list 1 permit 10.10.20.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload

interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.252
 ip nat outside

interface GigabitEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside

Users are in 10.10.10.0/24.
Question 291 (medium, multi select)

Which two statements about standard and extended IPv4 ACLs are correct?

Question 292 (hard, multiple choice)

Clients on a network can browse the internet by IP address but fail when using hostnames. What is the most likely problem?

Exhibit

PC1 ipconfig
IPv4 Address . . . . . . . . . : 10.40.40.25
Subnet Mask  . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . .  : 10.40.40.1
DNS Server . . . . . . . . . . : 10.4.4.4

PC1> ping 8.8.8.8   success
PC1> ping www.example.com   failed

Correct internal DNS server: 10.40.10.53
Question 293 (hard, multiple choice)

A switch should automatically disable any access port that receives a BPDU from an attached device. Which feature directly provides that behavior?

Question 294 (hard, multiple choice)

A network administrator is configuring a Layer 2 EtherChannel between two switches. Switch A uses 'channel-group 1 mode active', and Switch B uses 'channel-group 1 mode desirable'. All member interfaces are trunk ports with identical allowed VLANs. The EtherChannel fails to form. What is the most likely cause?

Exhibit

SW1:
interface range g1/0/1-2
 switchport mode trunk
 channel-group 5 mode active

SW2:
interface range g1/0/1-2
 switchport mode trunk
 channel-group 5 mode desirable
Question 295 (medium, multiple choice)

A network team wants all devices to timestamp logs consistently so event correlation works across routers, switches, and firewalls. Which service should they configure first?

Question 296 (easy, matching)

Match each security concept to its description.

Question 297 (medium, multiple choice)

An engineer applies this command on an access interface connected to a user PC: switchport port-security violation restrict. What happens if a second unauthorized MAC address appears on the port?

Question 298 (easy, matching)

Match each HTTP method to its common REST API action.

Question 299 (medium, multiple choice)

R1 receives an OSPF route to 10.55.0.0/16 and already has a static route to 10.55.10.0/24. Which route will be used for traffic sent to 10.55.10.25?

Question 300 (easy, multiple choice)

Which STP role identifies the port on a non-root switch that has the best path back to the root bridge?

Question 301 (medium, multiple choice)

Users on a new access switch can reach devices in their own VLAN but cannot reach the default gateway on the distribution switch. Based on the exhibit, what is the most likely cause?

Exhibit

Access-SW uplink:
interface g0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20

User ports:
interface range g0/1-12
 switchport mode access
 switchport access vlan 30

Distribution switch SVI:
interface vlan 30
 ip address 10.30.30.1 255.255.255.0
Question 302 (hard, multiple choice)

PCs in VLAN 40 are not receiving addresses from the centralized DHCP server at 172.16.1.10. What should be configured on the VLAN 40 default gateway interface?

Exhibit

Clients: 10.40.40.0/24 in VLAN 40
SVI on distribution switch: 10.40.40.1/24
DHCP server: 172.16.1.10/24 reachable by routing
Clients keep sending DHCPDISCOVER and receive no offer.
Question 303 (medium, multiple choice)

An administrator wants an access-layer interface to shut down immediately if another switch is connected accidentally. Which feature best meets that requirement?

Question 304 (medium, multiple choice)

An engineer configures NAT overload on a router for inside users. Which resource is primarily used to let many internal hosts share one public IPv4 address?

Question 305 (medium, multiple choice)

A network team wants routers and switches to have consistent timestamps in logs so event correlation is accurate during an outage. Which service should they verify first?

Question 306 (hard, multiple choice)

Exhibit: A standard ACL meant to block host 10.10.10.50 from reaching any remote network was applied inbound on the branch router's LAN interface, but users report that all local traffic from that host is now blocked. What is the better placement?

Exhibit

ACL 15:
access-list 15 deny 10.10.10.50
access-list 15 permit any
Applied inbound on G0/0, the user LAN interface.
Question 307 (hard, multiple choice)

Exhibit: A client can ping 8.8.8.8 but cannot browse to www.example.com. Which service is most likely failing?

Exhibit

PC output:
C:\> ping 8.8.8.8  -> success
C:\> ping www.example.com -> Ping request could not find host www.example.com
Question 308 (hard, multiple choice)

An administrator wants to permit HTTP and HTTPS from 10.1.10.0/24 to a web server at 198.51.100.20 and deny everything else from that subnet. Which ACL type is required?

Exhibit

Requirement:
Allow 10.1.10.0/24 to reach 198.51.100.20 on TCP ports 80 and 443 only.
Block all other traffic from 10.1.10.0/24.
Question 309 (hard, multiple choice)

Exhibit: Users report no internet access after PAT was configured. The inside and outside interfaces are marked correctly. Which missing configuration is the most likely cause?

Exhibit

Configured:
interface G0/0
 ip nat inside
interface G0/1
 ip nat outside
No translations appear in 'show ip nat translations'.
Question 310 (medium, multiple choice)

Exhibit: A collector is receiving traffic metadata from a router, including source IP, destination IP, protocol, and byte counts. Which feature is being used?

Question 311 (easy, multiple choice)

A user types www.example.com into a browser. Which service is used first to resolve that name into an IP address?

Question 312 (medium, multiple choice)

Which ACL statement permits only SSH from host 10.10.10.50 to server 192.168.1.10?

Question 313 (easy, matching)

Match each network service to its primary purpose.

Question 314 (hard, multiple choice)

The SVI for VLAN 20 has `ip nat outside` and the WAN interface has `ip nat inside`. Hosts in VLAN 20 must reach the internet through PAT, but users report no external connectivity. Which configuration issue best explains the problem?

Exhibit

interface g0/0
 ip address 192.168.20.1 255.255.255.0
 ip nat outside
!
interface g0/1
 ip address 203.0.113.2 255.255.255.252
 ip nat inside
!
ip nat inside source list 10 interface g0/1 overload
access-list 10 permit 192.168.20.0 0.0.0.255
Question 315 (medium, multiple choice)

Exhibit: After PAT is configured, inside users can browse the internet, but the engineer wants to verify that translations are actually being created. Which command is the best choice?

Question 316 (medium, multiple choice)

A client receives an IP address but cannot reach remote networks. Which DHCP option is most likely missing or incorrect?

Exhibit

Client IP address: 192.168.50.23/24
Ping to 192.168.50.1 succeeds
Ping to 8.8.8.8 fails
DHCP pool intended for VLAN 50 users
Question 317 (hard, multiple choice)

Exhibit: Users on the inside network can open connections to a web server in the DMZ, but return traffic is denied by an ACL on the outside interface. Which statement best explains the issue?

Exhibit

access-list 101 permit tcp any any eq 80
interface g0/1
 ip access-group 101 in
DMZ web server: 172.16.100.10
Question 318 (medium, multiple choice)

Users in 10.20.30.0/24 should be allowed to browse the web but should not be able to open Telnet sessions to any remote device. Which access list entry best meets the requirement?

Exhibit

Source subnet: 10.20.30.0/24
Requirement: block Telnet, allow HTTP and HTTPS
Question 319 (easy, matching)

Match each network service to its primary function.

Question 320 (hard, multiple choice)

Inside hosts can reach the internet only one at a time. What is the most likely NAT issue?

Exhibit

ip nat inside source list 10 interface g0/1
access-list 10 permit 10.10.10.0 0.0.0.255
G0/0 = inside
G0/1 = outside
Question 321 (easy, multiple choice)

Why is SSH preferred over Telnet for device management?

Question 322 (medium, multiple choice)

Exhibit: PCs in VLAN 20 are not receiving addresses from a DHCP server in another subnet. The switch SVI for VLAN 20 is up, and routing is working. Which configuration is most likely missing on the gateway for VLAN 20?

Exhibit

VLAN 20 clients: 10.20.20.0/24
DHCP server: 10.99.99.10
Clients and server are in different subnets
Question 323 (medium, multiple choice)

On a router performing NAT, where should ip nat inside be applied?

Question 324 (hard, multiple choice)

A switch shows a clock that is several minutes off from other devices even though an NTP server has been configured. Which issue is the most likely cause?

Exhibit

show ntp associations
 address         ref clock     st when poll reach delay offset disp
*~10.10.50.5     .INIT.        16   -   64    0  0.000  0.000 16000
Configured server: 10.10.50.5
Question 325 (medium, multiple choice)

Exhibit: An engineer wants a device to send only warning messages and more critical events to a syslog server. Which logging level should be configured?

Exhibit

Requirement: send warnings, errors, critical, alerts, and emergencies
Question 326 (medium, multiple choice)

Exhibit: An engineer applies an ACL inbound on the VTY lines to permit SSH only from 10.5.5.0/24. Users from that subnet still cannot connect. What is the most likely reason?

Exhibit

line vty 0 4
 access-class 12 in
 transport input ssh

access-list 12 permit 10.5.5.0 0.0.0.255
Question 327 (medium, multiple choice)

Exhibit: A user can ping 8.8.8.8 successfully but cannot browse to www.example.com by name. Which service is the most likely failing component?

Exhibit

User can ping 8.8.8.8
User cannot resolve www.example.com
Question 328 (medium, multiple choice)

Exhibit: An administrator wants inside hosts in 192.168.10.0/24 to reach the internet using one public IP address on the edge router. Which feature is being used?

Exhibit

show run | section nat
ip nat inside source list 10 interface g0/0 overload
access-list 10 permit 192.168.10.0 0.0.0.255
Question 329 (hard, multi select)

An engineer wants all devices to send logs to 10.10.10.50 and also stamp those logs with consistent time from 10.10.10.60. Which two configurations are required on a Cisco device?

Exhibit

Targets:
Log collector 10.10.10.50
Time source 10.10.10.60
Question 330 (medium, matching)

Match each service with the best operational purpose.

Question 331 (hard, multiple choice)

A DHCP client on VLAN 30 is not receiving an IP address from a DHCP server (10.99.99.20) on another subnet. The SVI for VLAN 30 is configured with an IP address and is up, but the DHCP relay command is missing. Which command should be added to the SVI configuration?

Exhibit

interface vlan 30
 ip address 10.30.30.1 255.255.255.0
 no shutdown

DHCP server: 10.99.99.20
Question 332 (easy, multiple choice)

A branch router should automatically learn the IP address of a time source so logs from all devices show matching timestamps. Which service provides that function?

Question 333 (medium, multi select)

A network team wants an ACL that permits HTTPS from 10.1.50.0/24 to a web server at 203.0.113.10 and denies all Telnet traffic from that subnet to any destination. Which two ACEs are required?

Question 334 (hard, multiple choice)

Exhibit: Hosts on the inside network can reach the internet, but inbound connections to a published web server fail. Static NAT is configured. What is the most likely missing piece?

Exhibit

ip nat inside source static 192.168.20.10 198.51.100.10
interface g0/0
 ip nat outside
 ip access-group OUTSIDE-IN in
Question 335 (medium, multiple choice)

Exhibit: A network engineer wants to identify which applications are consuming most WAN bandwidth over time. Which feature should be enabled on the router?

Exhibit

Requirement: report top applications and source-destination flows on WAN links
Question 336 (medium, multiple choice)

Port security is enabled with a maximum of 2 MAC addresses, but a third device connected through a small hub causes a violation. Which result is expected in restrict mode?

Exhibit

SW1# show port-security interface gi1/0/5
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Maximum MAC Addresses      : 2
Current MAC Addresses      : 2
Question 337 (medium, multiple choice)

An access switch port shuts down as soon as a user connects a small unmanaged switch under the desk. Which feature caused that behavior?

Exhibit

SW1# show errdisable recovery
ErrDisable Reason            Timer Status
bpduguard                    Enabled

SW1# show interface status err-disabled
Port      Name               Status       Reason
Gi1/0/11                     err-disabled bpduguard
Question 338 (medium, multiple choice)

A router is configured for NAT overload, but translations never appear when inside users browse the internet. Which issue is most likely?

Exhibit

ip nat inside source list 10 interface g0/0 overload
access-list 10 permit 192.168.10.0 0.0.0.255
!
interface g0/0
 ip address 203.0.113.2 255.255.255.252
!
interface g0/1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
Question 339 (medium, multiple choice)

A router is configured with an access list intended to block Telnet from 192.168.10.0/24 to 10.1.1.10, but Telnet still works. What is the most likely reason?

Exhibit

access-list 101 deny tcp 192.168.10.0 0.0.0.255 host 10.1.1.10 eq 23
access-list 101 permit ip any any
!
interface g0/1
 ip access-group 101 out
Question 340 (medium, multiple choice)

Users receive addresses from the correct subnet and can reach destinations by IP address, but they cannot browse by hostname.

Exhibit

Client output:
IP address: 192.168.50.22/24
Default gateway: 192.168.50.1
DNS server: 0.0.0.0
Question 341 (easy, multiple choice)

A small office wants branch routers to automatically hand out IP addresses, default gateway values, and DNS servers to clients. Which service should be configured?

Question 342 (hard, multi select)

Which two statements about AAA on Cisco devices are correct? Choose two.

Question 343 (easy, matching)

Match each service to its primary function.

Question 344 (easy, multiple choice)

Exhibit: A branch router receives time from an NTP server, but the show output marks the server with a tilde instead of an asterisk. What does that mean?

Exhibit

R1# show ntp associations
  address         ref clock     st   when   poll reach  delay  offset   disp
~192.0.2.50      203.0.113.1    3     12     64   377   22.1    0.8    1.2
*198.51.100.20   .GPS.          1     14     64   377   18.3    0.4    0.9
Question 345 (easy, multiple choice)

Which NAT feature allows many inside hosts to share one public IPv4 address by using unique source port numbers?

Question 346 (medium, multi select)

A switch port is configured with port-security violation mode restrict. Which two statements are true when an unauthorized MAC address appears?

Question 347 (hard, multiple choice)

A named standard ACL is configured to permit only the 192.168.30.0/24 subnet, but users from 192.168.31.0/24 are still passing traffic. What is the most likely reason?

Exhibit

ip access-list standard USERS_ONLY
 permit 192.168.30.0 0.0.0.255
 deny any

interface g0/1
 ip access-group USERS_ONLY out
Question 348 (medium, multiple choice)

A router is configured for PAT overload. What does the inside global address represent for an internal PC?

Exhibit

R1(config)# access-list 1 permit 192.168.10.0 0.0.0.255
R1(config)# ip nat inside source list 1 interface g0/1 overload

R1# show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
udp  203.0.113.10:1054  192.168.10.25:1054 8.8.8.8:53         8.8.8.8:53
Question 349 (medium, multi select)

Users complain that log timestamps from several routers do not line up with one another. Which two actions are most appropriate?

Exhibit

R2# show clock
*00:12:11.123 UTC Mon Mar 1 1993

R3# show logging | include %LINEPROTO
Mar  1 00:12:17.011: %LINEPROTO-5-UPDOWN: Line protocol on Interface G0/0, changed state to up
Question 350 (hard, multi select)

Exhibit: A company wants to export traffic statistics from routers to a collector for visibility into top talkers and application usage. Which two statements are accurate?

Exhibit

Router(config)# ip flow-export destination 192.0.2.50 2055
Router(config)# ip flow-export version 9
Question 351 (easy, multi select)

Which two statements correctly describe syslog severity levels?

Question 352 (medium, multi select)

Which two actions help protect access-layer switch ports from rogue DHCP servers?

Question 353 (easy, multiple choice)

Which protocol is used to resolve a hostname such as www.example.com into an IP address?

Question 354 (medium, multi select)

A branch router is acting as a DHCP server. Which two parameters can it provide directly to clients through DHCP?

Question 355 (medium, multi select)

A router is configured as a DHCP server for VLAN 20. Clients on the VLAN can reach the default gateway, but they do not receive leases. Which two configuration issues on the router would directly prevent successful address assignment?

Exhibit

Relevant config:
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.20.20.1 255.255.255.0
!
ip dhcp excluded-address 10.20.20.1 10.20.20.254
ip dhcp pool USERS20
 network 10.20.20.0 255.255.255.0
 default-router 10.20.20.1
Question 356 (easy, multi select)

A company wants all routers and switches to use a common time source so log timestamps line up during incident review. Which two statements about NTP are correct?

Question 357 (medium, multi select)

A security policy requires administrators to permit SSH to network devices but block insecure remote CLI access. Which two actions support that goal?

Question 358 (medium, multi select)

A switchport connected to an employee PC must allow the normal endpoint to connect but immediately err-disable the port if a switch is plugged in. Which two features should be configured on that access port?

Question 359 (hard, multi select)

Users can browse websites by IP address but not by hostname. The default gateway is reachable and general internet connectivity works. Which two causes are the most likely?

Question 360 (medium, multi select)

A standard numbered ACL is applied close to the destination, but it is blocking traffic from one host while still allowing all other users on the subnet. Which two facts about standard ACLs are relevant in this design?

Question 361 (hard, multi select)

A technician reports that users on a guest wireless SSID can reach the internet but can also browse internal file shares, which should be blocked. Which two design actions most directly address that issue?

Question 362 (medium, multi select)

A network team wants to collect flow-level traffic statistics from routers to identify top talkers and bandwidth consumers. Which two statements about NetFlow are correct?

Question 363 (medium, multi select)

A branch office uses PAT overload on the edge router. Inside users can reach the internet, but return traffic for a newly deployed server must be mapped to a specific inside host. Which two statements are correct?

Exhibit

Current NAT:
ip nat inside source list 10 interface GigabitEthernet0/0 overload
Question 364 (medium, multi select)

A network operations team wants centralized logging from routers and switches and also wants meaningful severity filtering. Which two statements about syslog are correct?

Exhibit

Example message:
%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Question 365 (hard, multiple choice)

An engineer configures 802.1X port-based authentication on a Cisco IOS-XE switch for a voice VLAN deployment. After applying the configuration, IP phones on interface GigabitEthernet1/0/1 fail to receive a voice VLAN and remain in an unauthenticated state. The switchport is configured as an access port with voice VLAN 10. What is the most likely cause of the failure?

Exhibit

Interface: GigabitEthernet1/0/1
MAC Address: aaaa.bbbb.cccc
IP Address: Unknown
Status: Authz Success
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A1B2C3D4E5F6G7H8I9J
Acct Session ID: 0x00000001
Handle: 0x81000001

Current Policy: DEFAULT

Server Policies:
    Vlan Group: Vlan: 10

Method status list:
   Method           State
   dot1x            Authc Success
Question 366 (hard, multiple choice)

A network administrator has configured 802.1X port-based authentication on a Cisco IOS-XE switch for a new access port connected to a user workstation. The workstation is failing to gain network access. The switch port is in the 'authorized' state, but the workstation cannot ping the default gateway. The administrator checks the running configuration and the authentication session details. What is the most likely cause of the issue?

Exhibit

Switch# show running-config interface GigabitEthernet1/0/1
Building configuration...

Current configuration : 250 bytes
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 3600
 dot1x pae authenticator
 dot1x timeout tx-period 3
 spanning-tree portfast
end

Switch# show authentication sessions interface GigabitEthernet1/0/1 details
            Interface:  GigabitEthernet1/0/1
          MAC Address:  aaaa.bbbb.cccc
           IP Address:  192.168.10.25
            User-Name:  host/workstation
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  single-host
     Oper control dir:  both
        Session timeout:  3600s
    Common Session ID:  0A1B2C3D4E5F6G7H8I9J0K
      Acct Session ID:  0x00000001
               Handle:  0x00000001
Runnable methods list:
       Method   State
       dot1x    Authz Success

Switch# show dot1x all details
Sysauthcontrol                 ENABLED
Dot1x Protocol Version                3

Supplicant aaaa.bbbb.cccc, GigabitEthernet1/0/1
  PAE = AUTHENTICATOR
  quietPeriod = 60
  serverTimeout = 30
  maxReq = 2
  reAuthMax = 2
  allowAuthOn = [all]
  startPeriod = 30
  handshakePeriod = 15
  txPeriod = 3
  guestVlan = 999
  authVlan = 100
  criticalVlan = 200
  hostMode = SINGLE_HOST
  port-control = AUTO
  control-direction = BOTH
  host-auth = [success]
  re-authentication = ENABLED
  re-authperiod = 3600
  server-timeout = 30
  supp-timeout = 30
  server-retries = 2
  supp-retries = 2
  max-reauth-req = 2
  lastrx = 0
  cap = 0
  status = AUTHORIZED
  state = HELD
  backend-state = HELD
  method = dot1x
  timeout = 30
Question 367 (hard, multiple choice)

A network administrator has configured 802.1X port-based authentication on a Cisco IOS-XE switch port connected to a single PC. The port is in the 'authorized' state, but the PC cannot reach any network resources beyond its directly connected switch. The switch is configured to use RADIUS for authentication. What is the most likely cause of this issue?

Exhibit

SW1#show authentication sessions interface GigabitEthernet0/1 details

Interface:  GigabitEthernet0/1
MAC Address:  aaaa.bbbb.cccc
IP Address:  192.168.1.100
Status:      Authorized
Domain:      DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A1234567890ABCDEF123456
Acct Session ID: 0x00000001
Handle: 0x00000001

Runnable methods list:
  Method   State
  dot1x     Authc Success

SW1#show dot1x interface GigabitEthernet0/1 details

Dot1x Info for GigabitEthernet0/1
-----------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
PortStatus                = AUTHORIZED
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0

SW1#show running-config interface GigabitEthernet0/1
Building configuration...

Current configuration : 200 bytes
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
end
Question 368 (medium, multi select)

Which TWO statements correctly describe the differences between RADIUS and TACACS+ when configuring AAA on IOS-XE?

Question 369 (medium, multi select)

Which TWO statements correctly describe the configuration and verification of AAA with RADIUS/TACACS+ and 802.1X port-based authentication on IOS-XE?

Question 370 (medium, matching)

Drag and drop the AAA and 802.1X terms on the left to the correct descriptions on the right.

Question 371 (hard, multiple choice)

A network administrator is troubleshooting connectivity from the 192.168.10.0/24 subnet to the server at 10.10.10.10. Users report that they can reach the server initially, but after a few minutes, connectivity drops and only returns after the interface is cleared. The administrator reviews the router's running configuration and ACL configuration. What is the most likely cause of the intermittent connectivity loss?

Exhibit

Router# show running-config | section interface GigabitEthernet0/1
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip access-group OUTBOUND_FILTER out
 duplex auto
 speed auto
!
Router# show running-config | section ip access-list extended OUTBOUND_FILTER
ip access-list extended OUTBOUND_FILTER
 permit tcp 192.168.10.0 0.0.0.255 host 10.10.10.10 established
 permit icmp 192.168.10.0 0.0.0.255 host 10.10.10.10 echo-request
 deny   ip any any
Question 372 (medium, multi select)

Which TWO statements correctly describe the behavior of standard ACLs and their placement on interfaces?

Question 373 (medium, multi select)

Which TWO statements correctly describe the behavior of standard ACLs when applied to an interface?

Question 374 (medium, matching)

Drag and drop the ACL commands and concepts on the left to their correct descriptions on the right.

Question 375 (hard, multiple choice)

A network engineer notices that internal hosts (192.168.1.0/24) can reach external servers on the internet, but replies from external servers never reach the internal hosts. The router R1 is configured with dynamic NAT to translate the internal subnet to a pool of public IPs (203.0.113.10-203.0.113.20). The engineer runs 'show ip nat translations' and sees only a few stale translations. What is the most likely cause of the issue?

Exhibit

R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 203.0.113.10       192.168.1.10       198.51.100.1       198.51.100.1
--- 203.0.113.11       192.168.1.20       198.51.100.2       198.51.100.2

R1# show ip nat statistics
Total active translations: 2 (0 static, 2 dynamic; 2 extended)
Pool translations: 2
Outside interfaces: GigabitEthernet0/0
Inside interfaces: GigabitEthernet0/1
Hits: 5  Misses: 0
CEF Translated packets: 5, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id] ip nat pool POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
   access-list NAT permit 192.168.1.0 0.0.0.255
Refcount: 2
Question 376 (hard, multiple choice)

A network administrator has configured dynamic NAT on a Cisco router to allow internal hosts to access the Internet. Internal hosts can ping external servers, but external hosts cannot initiate connections to any internal host. The administrator checks the NAT translations. What is the most likely cause of this behavior?

Exhibit

R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 203.0.113.10       192.168.1.10       ---                ---
--- 203.0.113.11       192.168.1.11       ---                ---
--- 203.0.113.12       192.168.1.12       ---                ---
--- 203.0.113.13       192.168.1.13       ---                ---
--- 203.0.113.14       192.168.1.14       ---                ---
--- 203.0.113.15       192.168.1.15       ---                ---
--- 203.0.113.16       192.168.1.16       ---                ---
--- 203.0.113.17       192.168.1.17       ---                ---
--- 203.0.113.18       192.168.1.18       ---                ---
--- 203.0.113.19       192.168.1.19       ---                ---
--- 203.0.113.20       192.168.1.20       ---                ---
--- 203.0.113.21       192.168.1.21       ---                ---
--- 203.0.113.22       192.168.1.22       ---                ---
--- 203.0.113.23       192.168.1.23       ---                ---
--- 203.0.113.24       192.168.1.24       ---                ---
--- 203.0.113.25       192.168.1.25       ---                ---
--- 203.0.113.26       192.168.1.26       ---                ---
--- 203.0.113.27       192.168.1.27       ---                ---
--- 203.0.113.28       192.168.1.28       ---                ---
--- 203.0.113.29       192.168.1.29       ---                ---
--- 203.0.113.30       192.168.1.30       ---                ---
Question 377 (hard, multiple choice)

A network administrator configured dynamic NAT on a Cisco router to allow internal hosts to access the internet. After the configuration, users report that they can access some websites but not others. The administrator checks the router and discovers that the NAT translation table is full, and new connection attempts are being dropped. What is the most likely cause of this issue?

Exhibit

R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 192.0.2.10         10.0.0.10          ---                ---
--- 192.0.2.11         10.0.0.11          ---                ---
--- 192.0.2.12         10.0.0.12          ---                ---
--- 192.0.2.13         10.0.0.13          ---                ---
--- 192.0.2.14         10.0.0.14          ---                ---
--- 192.0.2.15         10.0.0.15          ---                ---
--- 192.0.2.16         10.0.0.16          ---                ---
--- 192.0.2.17         10.0.0.17          ---                ---
--- 192.0.2.18         10.0.0.18          ---                ---
--- 192.0.2.19         10.0.0.19          ---                ---

R1# show running-config | include ip nat
ip nat pool MYPOOL 192.0.2.10 192.0.2.19 netmask 255.255.255.240
ip nat inside source list 1 pool MYPOOL
Question 378 (medium, multi select)

Which TWO statements correctly describe the behavior of PAT (Port Address Translation) as configured on a Cisco router?

Question 379 (medium, multiple choice)

A small office network uses a single public IP address on its router's WAN interface. The network administrator needs to allow all internal hosts to access the internet, but must also ensure that an internal web server with a private IP address is reachable from the internet. Which NAT configuration should the administrator implement to meet both requirements?

Question 380 (hard, multiple choice)

A user reports that they cannot access the company's internal web server at 'intranet.company.local' from their workstation. The workstation can ping the web server's IP address 192.168.10.50 successfully, and other internal services like email (mail.company.local) are reachable. Which DNS record issue is most likely causing this problem?

Exhibit

C:\Users\User1> nslookup intranet.company.local
Server:  dc01.company.local
Address:  192.168.10.10

*** dc01.company.local can't find intranet.company.local: Non-existent domain

C:\Users\User1> nslookup mail.company.local
Server:  dc01.company.local
Address:  192.168.10.10

Name:    mail.company.local
Address:  192.168.10.55

C:\Users\User1> nslookup 192.168.10.50
Server:  dc01.company.local
Address:  192.168.10.10

Name:    webserver.company.local
Address:  192.168.10.50
Question 381 (hard, multiple choice)

A network administrator is troubleshooting an issue where internal hosts can ping the company's web server by IP address (192.0.2.10) but cannot access it using the fully qualified domain name www.example.com. The DNS server (192.0.2.5) is reachable and responds to queries. The administrator runs nslookup www.example.com from a host and receives the following output:

C:\> nslookup www.example.com
Server:  UnKnown
Address:  192.0.2.5

Name:    www.example.com
Address:  192.0.2.20

Based on the output, what is the most likely cause of the problem?

Exhibit

C:\Users\admin> nslookup www.example.com
Server:  dns.example.com
Address:  192.0.2.5

Name:    www.example.com
Address:  198.51.100.1

C:\Users\admin> ping 198.51.100.1
Pinging 198.51.100.1 with 32 bytes of data:
Reply from 192.0.2.10: Destination host unreachable.

C:\Users\admin> ping 192.0.2.10
Pinging 192.0.2.10 with 32 bytes of data:
Reply from 192.0.2.10: bytes=32 time<1ms TTL=128
Question 382 (medium, multi select)

Which TWO DNS record types are most commonly used together to verify both forward and reverse DNS mappings for an IPv6 address?

Question 383 (medium, matching)

Drag and drop the DNS record types on the left to their correct descriptions or purposes on the right.

Question 384 (medium, matching)

Drag and drop the DNS record types on the left to the correct descriptions on the right.

Question 385 (hard, multiple choice)

A network administrator has configured a Cisco switch as a DHCP server for the 192.168.1.0/24 subnet. Hosts in VLAN 10 are unable to obtain IP addresses via DHCP. The switch's SVI for VLAN 10 is up/up. What is the most likely cause of the problem?

Exhibit

Switch# show ip dhcp pool VLAN10
Pool VLAN10 :
  Utilization mark (high/low)    : 100 / 0
  Subnet size (first/next)        : 192.168.1.0 / 24
  Total addresses                 : 254
  Leased addresses                : 0
  Pending event                   : none
  Automatic bindings              :
  Lease time                      : 1 day
  Next network numbers            :
    192.168.1.0

Switch# show ip dhcp server statistics
Memory usage          : 26740
Address pools         : 1
Database agents       : 0
Automatic bindings    : 0
Manual bindings       : 0
Expired bindings      : 0
Malformed messages    : 0
Message Received:
  BOOTREQUEST         : 0
  DHCPDISCOVER        : 0
  DHCPREQUEST         : 0
  DHCPDECLINE         : 0
  DHCPRELEASE         : 0
  DHCPINFORM          : 0

Switch# show ip dhcp conflict
IP address      Detection method   Detection time
192.168.1.1     Ping               Jan 1 00:00:00.000
192.168.1.254   Ping               Jan 1 00:00:00.000
Question 386 (hard, multiple choice)

A network administrator has configured a DHCP server on VLAN 100 with an IP address of 192.168.100.10/24. Clients on VLAN 200 (192.168.200.0/24) report that they cannot obtain an IP address via DHCP. The router is configured with a DHCP relay on the VLAN 200 interface. The administrator checks the router configuration and verifies that the relay is in place, but clients still fail to get an address. The switch that the router and clients connect to has DHCP snooping enabled. What is the most likely cause of this issue?

Exhibit

Router# show running-config | section interface GigabitEthernet0/1
interface GigabitEthernet0/1
 description VLAN 200
 ip address 192.168.200.1 255.255.255.0
 ip helper-address 192.168.100.10
 no shutdown
!
Router# show ip dhcp relay information trusted
DHCP relay information trusted: Not configured
Router# show ip dhcp server statistics
Memory usage: 12345
Address pools: 1
Database agents: 0
Automatic bindings: 0
Manual bindings: 0
Expired bindings: 0
Malformed messages: 0
Message received:
  BOOTREQUEST: 0
  DHCPDISCOVER: 0
  DHCPREQUEST: 0
  DHCPDECLINE: 0
  DHCPRELEASE: 0
  DHCPINFORM: 0
Message sent:
  BOOTREPLY: 0
  DHCPOFFER: 0
  DHCPACK: 0
  DHCPNAK: 0
Question 387 (medium, multi select)

Which TWO DHCP snooping trust states are valid on a Cisco switch? (Choose two.)

Question 388 (medium, multiple choice)

A network administrator is troubleshooting a new branch office where hosts in VLAN 20 on switch SW1 cannot obtain IP addresses from the DHCP server located at 192.168.10.5 in the main data center. The router R1 is configured as the default gateway for VLAN 20 with interface GigabitEthernet0/1.20. The administrator verifies that the DHCP server is reachable and has available addresses. What configuration change should the administrator make to resolve the issue?

Question 389 (medium, drag order)

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and enable 802.1X port authentication on a Cisco IOS-XE switch.

Question 390 (medium, drag order)

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and enable 802.1X port authentication on a Cisco IOS-XE switch.

Question 391 (medium, drag order)

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and 802.1X port authentication on a Cisco IOS-XE switch.

Question 392 (medium, drag order)

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and enable 802.1X port authentication on a Cisco IOS-XE switch.

Question 393 (medium, drag order)

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and enable 802.1X port authentication on an IOS-XE switch.

Question 394 (medium, drag order)

Drag and drop the following IOS-XE CLI commands into the correct order to configure AAA with a RADIUS server and then enable 802.1X port authentication on an interface.

Question 395 (medium, drag order)

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and 802.1X port authentication on a Cisco IOS-XE switch.

Question 396 (hard, drag order)

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and 802.1X port authentication on an IOS-XE switch.

Question 397 (medium, multi select)

Which THREE statements correctly describe the configuration of AAA with RADIUS or TACACS+ on Cisco IOS-XE?

Question 398 (medium, matching)

Drag and drop the AAA terms on the left to their correct definitions on the right.

Question 399 (medium, drag order)

Drag and drop the following steps into the correct order to plan, configure, and apply an extended ACL that denies Telnet from a specific host to a server subnet, then verify the configuration.

Question 400 (medium, drag order)

Drag and drop the following steps into the correct order to configure and apply an extended ACL that permits only HTTP traffic from the 192.168.1.0/24 network to the server at 10.0.0.1, with the ACL applied inbound on the router's GigabitEthernet0/0 interface, and then verify the configuration.

Question 401 (medium, drag order)

Drag and drop the following steps into the correct order to plan, configure, and apply an extended ACL that permits only HTTP traffic from the 192.168.1.0/24 network to the server at 10.0.0.100, and then verify the configuration.

Question 402 (medium, drag order)

Drag and drop the following steps into the correct order to plan, configure, and apply an extended ACL that blocks Telnet traffic from the 192.168.1.0/24 network to the 10.0.0.0/24 network, applied inbound on the router's G0/0 interface.

Question 403 (medium, drag order)

Drag and drop the following steps into the correct order to plan, configure, and apply an extended ACL that permits web traffic from the 10.1.1.0/24 network to the server 192.168.2.10 while blocking all other traffic inbound on GigabitEthernet0/1.

Question 404 (medium, drag order)

Drag and drop the following steps into the correct order to plan, configure, and apply an extended ACL that permits only HTTP traffic from the 192.168.1.0/24 network to the server 10.0.0.10, applied inbound on interface GigabitEthernet0/1.

Question 405 (medium, drag order)

Drag and drop the following steps into the correct order to plan, configure, and apply an extended ACL that blocks Telnet traffic from the 192.168.1.0/24 network to the 10.0.0.0/24 network, applied inbound on the interface facing the source.

Question 406 (medium, drag order)

Which of the following sequences correctly orders the steps to plan, configure, and apply an extended ACL that permits HTTP traffic from the 192.168.1.0/24 subnet to the server at 10.0.0.1 and denies all other IP traffic, applied inbound on interface GigabitEthernet0/1?

Question 407 (medium, multi select)

Which TWO statements are true regarding the configuration and placement of standard and extended ACLs on a router?

Question 408 (medium, drag order)

Drag and drop the following steps into the correct order to configure PAT (Port Address Translation) on a Cisco IOS-XE router for outbound traffic from a private network to the Internet.

Question 409 (medium, drag order)

Drag and drop the following steps into the correct order to configure PAT (Port Address Translation) on a Cisco IOS-XE router and describe the translation process for an outbound packet.

Question 410 (hard, drag order)

Drag and drop the following steps into the correct order to configure PAT (Port Address Translation) on a Cisco IOS-XE router for outbound traffic, including ACL creation, NAT statement, interface marking, and the translation process for an outbound packet.

Question 411 (medium, drag order)

Drag and drop the following steps into the correct order to configure PAT (Port Address Translation) on a Cisco IOS-XE router.

Question 412 (medium, drag order)

Drag and drop the following steps into the correct order to configure PAT (NAT overload) on a Cisco IOS-XE router so that internal hosts can share a single public IP when accessing the internet. Note: The NAT overload command is applied globally, not on the interface.

Question 413 (medium, drag order)

Drag and drop the configuration steps into the correct order to configure Port Address Translation (PAT) on a Cisco router.

Question 414 (medium, drag order)

Drag and drop the following steps into the correct order to configure PAT (overload) on a Cisco router using a single public IP address on the outside interface.

Question 415 (medium, multi select)

Which THREE statements correctly describe the configuration and verification of NAT, PAT, and static NAT?

Question 416 (medium, drag order)

Drag and drop the following steps into the correct order to sequence the DNS resolution process from a client query to receiving an A-record response, including the use of nslookup and dig for diagnosis.

Question 417 (medium, drag order)

Drag and drop the following steps into the correct order to sequence the DNS resolution process from a client query to receiving an A-record response, followed by the diagnostic workflow using nslookup and dig to identify a missing or incorrect A-record.

Question 418 (medium, drag order)

Drag and drop the following steps into the correct order to trace the DNS resolution process from a client query to receiving an A-record response.

Question 419 (medium, drag order)

Drag and drop the following steps into the correct order to sequence the DNS resolution process from a client query to receiving an A-record response, followed by the nslookup and dig diagnostic workflow for troubleshooting missing or wrong DNS records.

Question 420 (hard, drag order)

Drag and drop the following steps into the correct order to configure a Cisco IOS-XE router as a DHCP relay agent and verify the DHCP DORA process for a client on a remote subnet.

Question 421 (hard, drag order)

Drag and drop the following steps into the correct order to configure a Cisco IOS-XE router as a DHCP server for a client VLAN and then enable a DHCP relay agent on a different interface to forward client requests to a remote server.

Question 422 (medium, drag order)

Drag and drop the following steps into the correct order to configure a Cisco IOS-XE router as a DHCP server for a VLAN 10 subnet and enable DHCP relay for a remote client on VLAN 20.

Question 423 (medium, drag order)

Drag and drop the following steps into the correct order to configure a Cisco IOS-XE router as a DHCP relay agent and verify the DHCP DORA process for a client on a different subnet.

Question 424 (hard, drag order)

Drag and drop the following steps into the correct order to configure a Cisco IOS-XE router as a DHCP server for a local subnet and enable a DHCP relay agent on a different interface to forward client requests to that server.

Question 425 (medium, drag order)

Drag and drop the following steps into the correct order to configure a DHCP server on a Cisco IOS-XE router and enable DHCP relay on a remote subnet, following Cisco's recommended configuration sequence.

Question 426 (medium, multi select)

Which TWO statements correctly describe the operation of the ip helper-address command in a DHCP relay agent configuration?

Question 427 (hard, scenario)

You are connected to R1. Configure AAA with a RADIUS server at 10.0.0.2 using key 'cisco123' for authentication. Then troubleshoot why 802.1X on interface GigabitEthernet0/1 remains in the unauthorized state. Ensure that the default login authentication uses RADIUS first, then local fallback, and fix any configuration issues that prevent 802.1X from working.

Exhibit

R1# show running-config | section aaa
aaa new-model
aaa authentication login default local
aaa authentication dot1x default local
aaa authorization network default local
!
radius server RADIUS
 address ipv4 10.0.0.2 auth-port 1812 acct-port 1813
 key cisco123
!
interface GigabitEthernet0/1
 switchport mode access
 dot1x pae authenticator
 spanning-tree portfast
!
R1# show dot1x interface GigabitEthernet0/1
dot1x status for interface Gi0/1
  PAE = AUTHENTICATOR
  portControl = AUTO
  controlDirection = Both
  hostMode = SINGLE_HOST
  reAuthentication = Disabled
  quietPeriod = 60
  serverTimeout = 30
  suppTimeout = 30
  reAuthPeriod = 3600 (Locally configured)
  reAuthMax = 2
  maxReq = 2
  txPeriod = 30
  rateLimitPeriod = 0
  Session:
  Authen Method = NONE
  Auth SM State = DISCONNECTED
  Auth BEND SM State = IDLE
  Port Status = UNAUTHORIZED
  Wait Client = TRUE
Question 428 (hard, scenario)

You are connected to R1. Configure AAA with RADIUS authentication on R1 so that SSH login attempts first contact the RADIUS server at 192.0.2.10 (key 'cisco123'), and if the server is unreachable, fall back to the local database. Additionally, troubleshoot why an 802.1X-enabled switch port (GigabitEthernet0/1) on a connected switch remains in the 'unauthorized' state despite RADIUS being functional; identify and fix the misconfiguration on the switch (SW1).

Exhibit

R1# show running-config | section aaa
aaa new-model
aaa authentication login default group radius local
radius server RADIUS
 address ipv4 192.0.2.10
 key cisco123
!
R1# show aaa servers
RADIUS: id 1, priority 1, host 192.0.2.10, auth-port 1812, acct-port 1813
 State: current UP, duration 120s, previous duration 0s
 Dead: total 0, retransmit 0

SW1# show running-config | section dot1x
dot1x system-auth-control
dot1x port-control auto
interface GigabitEthernet0/1
 switchport mode access
 dot1x pae authenticator
 dot1x timeout reauth-period 3600
!
SW1# show authentication sessions interface GigabitEthernet0/1
Interface: GigabitEthernet0/1
 MAC Address: Unknown
 IP Address: Unknown
 Status: Unauthorized
 Domain: DATA
 Oper host mode: single-host
 Session timeout: N/A
 Common Session ID: 0000000000000000000000
 Acct Session ID: 0x00000000
 Auth Method: dot1x
SW1# show dot1x all summary
Interface       PAE        Authenticator     Supplicant                Server
Gi0/1           AUTH       UNAUTHORIZED      N/A                       N/A
Question 429 (hard, scenario)

You are connected to R1. Configure AAA with RADIUS authentication so that SSH users are authenticated first against the RADIUS server (198.51.100.10) and fall back to the local user database if the server is unreachable. Additionally, troubleshoot why an 802.1X-enabled interface (GigabitEthernet0/1) remains in the unauthorized state. The RADIUS server shares a key of 'cisco123' and uses UDP port 1812. The local user 'admin' with secret 'adminpass' must be available as a fallback.

Exhibit

R1# show running-config | section aaa|radius|interface|line|username
username admin secret 5 $1$abc$defghijklmnopqrstuvwxyz12345
!
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius
!
radius server RADIUS
 address ipv4 198.51.100.10 auth-port 1812 acct-port 1813
 key cisco123
!
interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
line vty 0 4
 login authentication default
 transport input ssh
!
end

R1# show dot1x interface GigabitEthernet0/1 details
Dot1x Info for GigabitEthernet0/1
-----------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
PortStatus                = UNAUTHORIZED
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
AuthPeriod                = 30

R1# show radius server-group all
Server group radius
  Type: Standard
  Member servers: RADIUS
  VRF: default

R1# show radius server RADIUS
Radius server: RADIUS
  Address: 198.51.100.10
  Auth Port: 1812
  Acct Port: 1813
  Timeout: 5 seconds
  Retransmit: 3
  Key: cisco123
  State: current UP
  Dead: 0
  Authentication: 0 requests, 0 timeouts, 0 failures
  Accounting: 0 requests, 0 timeouts, 0 failures
Question 430 (hard, scenario)

You are connected to R1. Configure AAA with RADIUS authentication for all login methods. The RADIUS server is at 203.0.113.10 with key 'CiscoKey123'. Then troubleshoot why the 802.1X port on interface GigabitEthernet0/1 remains in the unauthorized state. The port is configured for dot1x port-control auto, but authentication fails. Ensure that the AAA authentication default method uses RADIUS first, then local fallback, and that the RADIUS server is correctly reachable and configured for authentication.

Exhibit

R1# show running-config | section aaa
aaa new-model
!
!
R1# show running-config | include radius
!
R1# show running-config interface GigabitEthernet0/1
interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
R1# show authentication sessions interface GigabitEthernet0/1 details
            Interface:  GigabitEthernet0/1
          MAC Address:  0050.7966.6800
           IP Address:  Unknown
            User-Name:  host-1
               Status:  Unauthorized
               Domain:  DATA
       Oper host mode:  single-host
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  0A1B2C3D4E5F6G7H8I9J
      Acct Session ID:  0x00000001
               Handle:  0x81000001
Runnable methods list:
          Method list:  dot1x
Question 431 (hard, scenario)

You are connected to R1. Configure AAA with a RADIUS server at 10.0.0.2/30 (key 'cisco123') so that console and VTY login use RADIUS first, then local authentication. Additionally, troubleshoot why an 802.1X-enabled switch port (GigabitEthernet0/1) on R1 is stuck in the unauthorized state. The RADIUS server is reachable but authentication fails. Verify using 'show aaa servers' and 'show dot1x interface GigabitEthernet0/1 details'.

Exhibit

R1# show running-config | section aaa
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius
!
radius server RADIUS
 address ipv4 10.0.0.2 auth-port 1812 acct-port 1813
 key cisco123
!
interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
R1# show aaa servers
RADIUS: id 1, priority 1, host 10.0.0.2, auth-port 1812, acct-port 1813
 State: current UP, duration 120s, previous duration 0s
 Dead: total time 0s, count 0
R1# show dot1x interface GigabitEthernet0/1 details
Dot1x Info for GigabitEthernet0/1
-------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
PortStatus                = UNAUTHORIZED
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0
AuthMethod                = Open
Critical                  = no
Critical Recovery         = no
Guest VLAN                = no
Host Mode                 = Single
Auth-Fail VLAN            = no
Vlan Group                = no
Capability                = n/a
Client Status             = not authenticated
Client Mac                = 0000.0000.0000
Client IP                 = 0.0.0.0
Client Username           = unknown
Client Auth Protocol      = unknown
Client VLAN               = 0
Client Session ID         = 0
Question 432 (hard, scenario)

You are connected to R1, a router acting as a network access server for 802.1X authentication on interface GigabitEthernet0/1. Configure AAA with a RADIUS server at 192.0.2.10 (key 'cisco123') so that the default login authentication uses RADIUS first, then local fallback. Additionally, troubleshoot why a connected supplicant on G0/1 remains in the unauthorized state even though RADIUS is reachable and the supplicant credentials are correct.

Exhibit

R1# show running-config | section aaa
no aaa new-model
!
R1# show running-config | section radius
!
R1# show running-config interface GigabitEthernet0/1
interface GigabitEthernet0/1
 description 802.1X port
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
R1# show authentication sessions interface GigabitEthernet0/1
Interface: GigabitEthernet0/1
  MAC Address: aaaa.bbbb.cccc
  IP Address: unknown
  Status: Unauthorized
  Domain: DATA
  Oper host mode: single-host
  Oper control dir: both
  Session timeout: N/A
  Common Session ID: 0A0000010000000100000001
  Acct Session ID: 0x00000001
  Handle: 0x51000001

R1# test aaa group radius legacy aaaa.bbbb.cccc password cisco123
Trying to authenticate with server group radius
User authentication request was rejected by server

R1# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     203.0.113.1     YES NVRAM  up                    up
GigabitEthernet0/1     unassigned      YES unset  up                    up
Loopback0              10.10.10.1      YES NVRAM  up                    up
Question 433 (hard, scenario)

You are connected to R1. Configure AAA with a RADIUS server at 192.0.2.10 (key = Cisco123) so that console login uses local authentication as a fallback. Then troubleshoot why a host connected to R1's GigabitEthernet0/1 (802.1X enabled) remains in the unauthorized state. The RADIUS server is reachable. Fix the issue so the port authorizes successfully.

Exhibit

R1# show running-config | section aaa|radius|dot1x|interface GigabitEthernet0/1
aaa new-model
aaa authentication login default group radius local
radius server RADIUS_SERVER
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key Cisco123
!
interface GigabitEthernet0/1
 description 802.1X Port
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
R1# show authentication sessions interface GigabitEthernet0/1
Interface: GigabitEthernet0/1
MAC Address: 0050.7966.6800
IP Address: Unknown
Status: Unauthorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A0000010000000B00000001
Acct Session ID: 0x00000001
Handle: 0x81000001

R1# ping 192.0.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5)

R1# show radius server-group

Server group radius: not defined
Question 434 (hard, scenario)

You are connected to R1. The network has two routers (R1 and R2) connected via a serial link (S0/0/0). R1's GigabitEthernet0/0 connects to the 192.168.1.0/24 LAN. An extended ACL must be configured on R1 to permit only HTTPS traffic (TCP port 443) from host 192.168.1.10 to server 203.0.113.5 (reachable via R2), and deny all other traffic from the LAN to the server. Currently, the ACL is applied inbound on G0/0 but valid HTTPS traffic is being blocked. Troubleshoot and fix the configuration.

Exhibit

R1# show running-config | section interface GigabitEthernet0/0
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group BLOCK_SERVER in
 duplex auto
 speed auto
!
R1# show running-config | section ip access-list
ip access-list extended BLOCK_SERVER
 deny tcp any host 203.0.113.5 eq 80
 permit ip any any
!
Question 435 (hard, scenario)

You are connected to R1. The network has two routers (R1, R2) and a switch (SW1) in between. R1's G0/0 connects to SW1 (192.168.1.1/24), and SW1 connects to R2's G0/0 (192.168.1.2/24). R2 has a loopback (Lo0: 203.0.113.1/32) used as a management address. Configure an extended ACL on R1 so that only SSH (TCP/22) traffic from the 10.0.0.0/24 network is permitted to reach R2's loopback; all other traffic to that loopback must be denied. Then apply the ACL in the correct direction on the correct interface.

Exhibit

R1# show running-config | section interface
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
R1# show ip route
Codes: L - local, C - connected, S - static
      10.0.0.0/24 is subnetted, 1 subnets
C        10.0.0.0/24 is directly connected, GigabitEthernet0/1
      192.168.1.0/24 is subnetted, 1 subnets
C        192.168.1.0/24 is directly connected, GigabitEthernet0/0
      203.0.113.0/32 is subnetted, 1 subnets
S        203.0.113.1/32 [1/0] via 192.168.1.2
Question 436 (hard, scenario)

You are connected to R1. The network currently permits all HTTP traffic from hosts on the 192.168.1.0/24 LAN to reach the web server at 203.0.113.10, but SSH traffic (TCP port 22) from the same LAN is being blocked. Additionally, you must ensure that no other traffic from the LAN reaches the server. Configure an extended ACL on R1 to allow only HTTP and SSH from the LAN to the server, and apply it inbound on the correct interface. Verify your solution.

Exhibit

R1#show running-config | section interface
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group BLOCK_SSH in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.252
 duplex auto
 speed auto
!
R1#show access-lists
Extended IP access list BLOCK_SSH
    10 deny tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 22
    20 permit ip any any
Question 437 (hard, scenario)

You are connected to R1. The network consists of three routers: R1, R2, and R3. R1's G0/0 connects to R2 (10.0.0.0/30), and R1's G0/1 connects to R3 (10.0.1.0/30). A server at 203.0.113.100 on R2's LAN must be reachable from R3's LAN (203.0.113.0/24) via ICMP, but all other traffic from R3 to R2 must be blocked. The current ACL on R1 is too permissive, allowing all traffic. Configure and apply a standard ACL to permit only ICMP echo requests from R3 to the server, with the implicit deny blocking everything else.

Exhibit

R1# show running-config | section interface
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 10.0.1.1 255.255.255.252
 duplex auto
 speed auto
!
R1# show running-config | section access-list
access-list 10 permit any
!
interface GigabitEthernet0/0
 ip access-group 10 in
!
Question 438 (hard, scenario)

You are connected to R1. The network uses OSPF between R1 and R2. Configure an extended ACL on R1 so that hosts in VLAN 10 (192.168.10.0/24) can reach the web server at 203.0.113.100 only via HTTP/HTTPS, and hosts in VLAN 20 (192.168.20.0/24) can reach it via any TCP service except HTTP/HTTPS. All other traffic to the server must be denied. Apply the ACL outbound on the interface facing the server. Currently, the ACL is missing the permit for VLAN 20 traffic, causing connectivity loss.

Exhibit

R1# show running-config | section interface GigabitEthernet0/0
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 ip access-group BLOCK_HTTP in
 duplex auto
 speed auto
!
R1# show running-config | section access-list
ip access-list extended BLOCK_HTTP
 deny tcp any 203.0.113.100 0.0.0.0 eq 80
 deny tcp any 203.0.113.100 0.0.0.0 eq 443
 permit ip 192.168.10.0 0.0.0.255 203.0.113.100 0.0.0.0
 permit tcp 192.168.20.0 0.0.0.255 203.0.113.100 0.0.0.0 eq 22
 permit tcp 192.168.20.0 0.0.0.255 203.0.113.100 0.0.0.0 eq 23
 permit tcp 192.168.20.0 0.0.0.255 203.0.113.100 0.0.0.0 eq 443
 permit tcp 192.168.20.0 0.0.0.255 203.0.113.100 0.0.0.0 eq 80
!
Question 439 (hard, scenario)

You are connected to R1 via the console. An extended ACL named BLOCK_SMTP has been applied inbound on interface GigabitEthernet0/1, but users on the 192.168.10.0/24 network cannot send email to the SMTP server at 203.0.113.10. Additionally, the ACL is blocking all other traffic that should be permitted. Examine the running configuration and fix the ACL so that SMTP traffic (TCP port 25) from the 192.168.10.0/24 network to the SMTP server is permitted, and all other IP traffic is allowed.

Exhibit

R1# show running-config | section interface GigabitEthernet0/1
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip access-group BLOCK_SMTP in
 duplex auto
 speed auto
!
R1# show access-lists BLOCK_SMTP
Extended IP access list BLOCK_SMTP
    10 deny tcp any any eq 25
    20 permit ip any any
Question 440 (hard, scenario)

You are connected to R1. The network uses a single router with two subnets: 192.168.1.0/24 (connected to GigabitEthernet0/0) and 10.0.0.0/30 (connected to GigabitEthernet0/1). Configure an extended named ACL called 'FILTER_HTTP' that permits HTTP traffic (TCP port 80) from the 192.168.1.0/24 subnet to any destination, and includes an explicit deny statement to deny all other IP traffic. Apply the ACL inbound on GigabitEthernet0/0. Then verify that HTTP traffic is allowed and all other traffic is blocked.

Exhibit

R1# show running-config | section interface
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.252
 duplex auto
 speed auto
!

R1# show access-lists
(no output – no ACLs configured)
Question 441 (hard, scenario)

You are connected to R1. The network has a web server at 203.0.113.10 and a DNS server at 203.0.113.20. Hosts in the 192.168.1.0/24 subnet should be able to access HTTP to the web server and DNS queries to the DNS server, but all other traffic from that subnet to the servers must be blocked. Configure an extended ACL on R1 to achieve this, and apply it inbound on the correct interface. The current configuration is shown below.

Exhibit

hostname R1
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
!
Question 442 (hard, scenario)

You are connected to R1 via the console. R1 is a router that connects two internal subnets (192.168.1.0/24 and 192.168.2.0/24) to the internet via a serial link to the ISP. Currently, no ACL is applied. Your task is to configure an extended named ACL on R1 that permits only HTTP (TCP/80) and HTTPS (TCP/443) traffic from the 192.168.1.0/24 subnet to the internet, and denies all other traffic from that subnet. Traffic from 192.168.2.0/24 must be permitted without restriction. Apply the ACL inbound on the interface facing the internal subnets. Additionally, verify that the implicit deny is not blocking necessary traffic by ensuring that the ACL correctly handles the traffic.

Exhibit

R1# show running-config | section interface
interface GigabitEthernet0/0
 description LAN - 192.168.1.0/24
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 description LAN - 192.168.2.0/24
 ip address 192.168.2.1 255.255.255.0
 no shutdown
!
interface Serial0/0/0
 description WAN to ISP
 ip address 203.0.113.1 255.255.255.252
 no shutdown
Question 443 (hard, scenario)

You are connected to R1. The network administrator wants to permit only HTTPS traffic (TCP port 443) from the 192.0.2.0/24 network to the 203.0.113.0/24 network, while denying all other IP traffic. Currently, an ACL applied inbound on G0/1 is blocking all traffic, including HTTPS. Identify the issue and correct the ACL configuration so that only HTTPS traffic is permitted.

Exhibit

R1# show running-config | section interface GigabitEthernet0/1
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip access-group BLOCK_IN in
 duplex auto
 speed auto

R1# show access-lists
Extended IP access list BLOCK_IN
    10 deny ip any any

R1# show ip interface GigabitEthernet0/1 | include access
  Inbound access list is BLOCK_IN
Question 444 (hard, scenario)

You are connected to R1. Configure an extended ACL on R1 to permit HTTP traffic from the 192.168.1.0/24 network to the 10.0.0.0/30 network, and deny all other IP traffic. Apply the ACL inbound on the interface facing the 192.168.1.0/24 network. The current configuration has an ACL that is too permissive; you must explicitly remove the existing ACL before applying the new one. Correct the configuration.

Exhibit

R1# show running-config | section interface GigabitEthernet0/0
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group PERMIT_ALL in
!
R1# show running-config | section ip access-list
ip access-list extended PERMIT_ALL
 permit ip any any
Question 445 (hard, scenario)

You are connected to R1, a branch router. Configure an extended ACL named BRANCH_IN that permits only HTTP (TCP port 80) traffic from the internal network 192.168.1.0/24 to the web server at 203.0.113.10, and permits ICMP echo-reply from any source to any destination. Apply the ACL inbound on the interface facing the internal network. Then verify that only the specified traffic is allowed.

Exhibit

R1# show running-config | section interface
interface GigabitEthernet0/0
 description Link to Internal LAN
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Link to ISP
 ip address 203.0.113.2 255.255.255.252
 duplex auto
 speed auto
!
ip access-list extended BRANCH_IN
 permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80
 permit icmp any any echo-reply
Question 446 (hard, scenario)

You are connected to R1. The network uses 192.168.1.0/24 for internal hosts and 203.0.113.0/29 for the public IP pool (203.0.113.2 is the outside interface). Configure PAT so that inside hosts can reach the Internet using the pool address 203.0.113.2. Also configure static NAT to map internal server 192.168.1.10 to 203.0.113.3. The initial config has errors; identify and fix them.

Exhibit

R1# show running-config | section ip nat
ip nat inside source list 10 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.1.10 80 203.0.113.3 80 extendable
!
access-list 10 permit 10.0.0.0 0.255.255.255
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
Question 447 (hard, scenario)

You are connected to R1. Configure static NAT for a public web server (198.51.100.10 to 192.168.1.10) and PAT for the 192.168.1.0/24 LAN to use interface GigabitEthernet0/1 with overload. The current configuration has misconfigured NAT that prevents both types from working. Identify and fix the issues so that internal hosts can access the internet and external hosts can reach the internal web server.

Exhibit

R1# show running-config | section ip nat
ip nat inside source list 1 interface GigabitEthernet0/1
ip nat inside source static tcp 192.168.1.10 80 198.51.100.10 80 extendable
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.252
 ip nat inside
!
access-list 1 permit 192.168.2.0 0.0.0.255
Question 448 (hard, scenario)

You are connected to R1. Configure PAT (NAT overload) so that hosts on the 192.168.1.0/24 inside network can reach the Internet through the outside interface GigabitEthernet0/1 using the IP address 203.0.113.1. Additionally, configure static NAT to map internal server 192.168.1.10 to public IP 203.0.113.5. The current configuration has several errors. Identify and correct them.

Exhibit

R1# show running-config | section ip nat
ip nat inside source list 100 interface GigabitEthernet0/1
ip nat inside source static 192.168.1.10 203.0.113.5
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip nat inside
!
Question 449 (hard, scenario)

You are connected to R1. The internal network 192.168.1.0/24 must be able to access the Internet via PAT (NAT overload) using the outside interface G0/1 with IP 203.0.113.1. Additionally, a web server at 192.168.1.100 must be reachable from the Internet via static NAT to the same outside interface. The current configuration has errors. Correct the NAT configuration so that inside hosts can browse the web and the server is reachable from outside.

Exhibit

R1# show running-config | section ip nat
ip nat inside source list 100 interface GigabitEthernet0/1
ip nat inside source static tcp 192.168.1.100 80 interface GigabitEthernet0/1 80
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.248
 ip nat inside
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
Question 450 (hard, scenario)

You are connected to R1. Configure PAT (NAT overload) so that hosts on the 192.168.1.0/24 LAN can access the Internet via the outside interface GigabitEthernet 0/1 with IP 203.0.113.2/29. The current configuration has an incorrect inside/outside interface assignment and a missing overload keyword. Fix all issues.

Exhibit

R1# show running-config | section ip nat
ip nat inside source list NAT_POOL interface GigabitEthernet0/1
ip nat inside source static tcp 192.168.1.10 80 203.0.113.3 80 extendable
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.248
 ip nat inside
!
access-list 10 permit 10.0.0.0 0.255.255.255
Question 451 (hard, scenario)

You are connected to R1. The inside network 192.168.1.0/24 must be able to reach the internet via PAT (overload) using the public IP 203.0.113.1 on interface GigabitEthernet0/1. Additionally, a web server at 192.168.1.10 must be reachable from the internet via static NAT to 203.0.113.10. The current configuration is not working. Identify and fix all issues.

Exhibit

R1# show running-config | section ip nat
ip nat inside source list 100 interface GigabitEthernet0/1
ip nat inside source static 192.168.1.10 203.0.113.10
!
R1# show running-config | section interface
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
R1# show access-lists 100
Standard IP access list 100
    10 permit 192.168.2.0 0.0.0.255
Question 452 (hard, scenario)

You are connected to R1. The network uses private IP 10.10.10.0/24 on the inside and must reach the Internet via the outside interface G0/1 with public IP 203.0.113.1/29. Configure PAT (NAT overload) so that inside hosts can access the Internet, and also configure a static NAT for the internal server 10.10.10.100 to public IP 203.0.113.2. The current configuration has errors: the inside and outside interfaces are swapped, the ACL is incorrectly defined, and the overload keyword is missing. Fix all issues.

Exhibit

R1# show running-config | section ip nat
ip nat inside source list 10 interface GigabitEthernet0/1
ip nat inside source static tcp 10.10.10.100 80 203.0.113.2 80
!
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.248
 ip nat inside
!
access-list 10 permit 192.168.1.0 0.0.0.255
Question 453 (hard, scenario)

You are connected to R1. The inside network 192.168.1.0/24 must be translated to the outside interface IP (198.51.100.1) using PAT (NAT overload). Additionally, a static NAT entry must map host 192.168.1.10 to 203.0.113.10. The current configuration is incomplete and contains errors. Correct the configuration so that both translations work properly.

Exhibit

R1# show running-config | section ip nat
ip nat inside source list 1 interface GigabitEthernet0/1
ip nat inside source static 192.168.1.10 203.0.113.10
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip nat inside
!
access-list 1 permit 10.0.0.0 0.255.255.255
Question 454 (hard, scenario)

You are connected to R1. The network has two routers: R1 (192.168.1.0/24 LAN) and R2 (Internet gateway). R1's inside LAN (192.168.1.0/24) must be translated to the public IP 203.0.113.1 using PAT (NAT overload) for Internet access. Additionally, the server at 192.168.1.100 must be reachable from the Internet via static NAT to 203.0.113.5. The current configuration is broken. Identify and fix the issues so that both PAT and static NAT work correctly.

Exhibit

R1# show running-config | section ip nat
ip nat inside source list 10 interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.1.100 203.0.113.5
!
access-list 10 permit 10.0.0.0 0.255.255.255
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.248
 ip nat inside
!
interface Serial0/0/0
 ip address 10.0.0.1 255.255.255.252
 ip nat outside
!
Question 455 (hard, scenario)

You are connected to R1. The inside network 192.168.10.0/24 must be able to reach the Internet via PAT (NAT overload) using the outside interface G0/1 with IP 203.0.113.2/30. Additionally, the internal server at 192.168.10.100 must be statically mapped to public IP 203.0.113.10. The current configuration is incomplete and contains errors. Fix the NAT configuration on R1 so that both requirements are met.

Exhibit

R1# show running-config | section ip nat
ip nat inside source list 100 interface GigabitEthernet0/1
ip nat inside source static 192.168.10.100 203.0.113.10
!
access-list 100 permit ip host 192.168.10.100 any
!
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.252
 ip nat inside
!
interface GigabitEthernet0/2
 ip address 10.0.0.1 255.255.255.252
 no ip nat
Question 456 (hard, scenario)

You are troubleshooting PAT and static NAT on R1. The inside network 192.168.10.0/24 must be translated to the public IP 203.0.113.1 (interface G0/1) using port address translation. Additionally, the server at 192.168.10.100 must be reachable from the outside via static NAT to 203.0.113.5. The current configuration is not working. Identify and correct the errors in the running config on R1.

Exhibit

R1# show running-config | section ip nat
ip nat inside source list 100 interface GigabitEthernet0/1
ip nat inside source static tcp 192.168.10.100 80 203.0.113.5 80 extendable
!
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
!
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
Question 457 (hard, scenario)

You are connected to R1 in a small office network. Configure PAT (NAT overload) so that hosts on the 192.168.1.0/24 LAN can access the Internet via the public IP 203.0.113.1 (the IP assigned to interface G0/0). Also configure a static NAT for the internal web server at 192.168.1.10 to the public IP 203.0.113.6. The current configuration has errors: the inside/outside interface assignments are swapped, the ACL for PAT does not match the inside subnet, and the PAT rule points to the wrong ACL. Fix all issues so that both PAT and static NAT work correctly.

Exhibit

R1# show running-config | section ip nat
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.1.10 80 203.0.113.6 80
!
ip nat inside source list 2 interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.248
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
Question 458 (hard, scenario)

You are connected to R1. The inside network 192.168.1.0/24 must be able to access the internet using PAT (NAT overload) with the outside interface G0/1 IP 203.0.113.1. Additionally, the internal server at 192.168.1.10 must be reachable from the internet via static NAT to 203.0.113.10. The current configuration is incomplete and contains errors. Identify and fix all issues so that both PAT and static NAT work correctly.

Exhibit

R1# show running-config | section ip nat
ip nat pool GLOBAL 203.0.113.1 203.0.113.1 netmask 255.255.255.0
ip nat inside source list 1 pool GLOBAL
ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.2.0 0.0.0.255
Question 459 (hard, scenario)

You are connected to R1 via the console. The network has a DNS server at 203.0.113.10 that should resolve www.example.com to 203.0.113.100. However, when you ping www.example.com, it fails. Diagnose and resolve the DNS resolution issue. The DNS server is reachable via ping, but nslookup from R1 returns a server failure. Configure R1 so that it can successfully resolve www.example.com. Additionally, verify that the DNS server is correctly configured for forward and reverse lookups.

Exhibit

R1# show running-config | section ip domain
ip domain lookup
ip name-server 10.0.0.2
ip domain timeout 3
ip domain retry 2
!
R1# ping 203.0.113.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1# nslookup www.example.com
Server:         10.0.0.2
Address:        10.0.0.2#53
** server can't find www.example.com: SERVFAIL

R1# dig www.example.com @203.0.113.10

; <<>> DiG 9.11.3 <<>> www.example.com @203.0.113.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.example.com.               IN      A

;; Query time: 2 msec
;; SERVER: 203.0.113.10#53(203.0.113.10)
;; WHEN: Mon Jan 01 00:00:00 UTC 2024
;; MSG SIZE  rcvd: 45

R1# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     10.0.0.1        YES NVRAM  up                    up
GigabitEthernet0/1     203.0.113.2     YES NVRAM  up                    up
Loopback0              192.0.2.1       YES NVRAM  up                    up
Question 460 (hard, scenario)

You are connected to R1, a Cisco IOS-XE router acting as the network's DNS client. The network uses a local DNS server at 203.0.113.10 for internal name resolution. Users report that the hostname 'fileserver.courseiva.local' cannot be resolved, while other names work fine. Diagnose and fix the DNS resolution failure so that 'fileserver.courseiva.local' resolves correctly.

Exhibit

R1# show running-config | section ip domain
ip domain lookup
ip domain name courseiva.local
ip name-server 203.0.113.10
!
R1# nslookup fileserver.courseiva.local
Server:   203.0.113.10
Address:  203.0.113.10#53

** server can't find fileserver.courseiva.local: NXDOMAIN

R1# nslookup webserver.courseiva.local
Server:   203.0.113.10
Address:  203.0.113.10#53

Name: webserver.courseiva.local
Address: 192.0.2.5

R1# dig fileserver.courseiva.local

; <<>> DiG 9.11.3 <<>> fileserver.courseiva.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;fileserver.courseiva.local. IN A

;; AUTHORITY SECTION:
courseiva.local. 86400 IN SOA ns1.courseiva.local. admin.courseiva.local. 2025032101 3600 900 86400 3600

;; Query time: 12 msec
;; SERVER: 203.0.113.10#53(203.0.113.10)
;; WHEN: Fri Mar 21 10:00:00 UTC 2025
;; MSG SIZE  rcvd: 98

R1# ping 203.0.113.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Question 461 (hard, scenario)

You are connected to R1. The network uses DNS to resolve hostnames for remote device management. Currently, R1 cannot resolve the hostname 'ServerA' via DNS. Using the nslookup and dig commands, you have gathered the following outputs:

nslookup ServerA
Server:   203.0.113.1
Address:  203.0.113.1#53

Name:     ServerA.example.com
Address:  203.0.113.10

dig ServerA
...
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: ...
...

The show running-config command shows that 'ip domain-lookup' is enabled, the name-server is 203.0.113.1, and no static host entries are configured. Diagnose and fix the DNS resolution failure. Ensure that R1 can successfully resolve 'ServerA' to its intended IP address 198.51.100.10.

Exhibit

R1# show running-config | section ip domain
ip domain lookup
ip name-server 203.0.113.1
ip domain name example.com
!
R1# show ip dns server
DNS server: 203.0.113.1
Default domain: example.com

R1# nslookup ServerA
Server:   203.0.113.1
Address 1: 203.0.113.1

Name:      ServerA.example.com
Address 1: 203.0.113.10

R1# dig ServerA
; <<>> DiG 9.8.3 <<>> ServerA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ServerA.            IN    A

;; Query time: 10 msec
;; SERVER: 203.0.113.1#53(203.0.113.1)
;; WHEN: Thu Jan 18 12:00:00 2024
;; MSG SIZE  rcvd: 28

R1# ping ServerA
Translating "ServerA"...domain server (203.0.113.1)
% Unrecognized host or address, or protocol not running.
Question 462 (hard, scenario)

You are connected to R1, a Cisco IOS-XE router. The network uses a DNS server at 203.0.113.10 for name resolution. Users report that 'ping server.example.com' fails, but 'ping 203.0.113.50' succeeds. Assume proper routing is configured between R1 and the DNS server. Diagnose and resolve the DNS resolution issue so that the hostname resolves correctly, and verify the fix using appropriate Cisco IOS commands (e.g., ping, show hosts, debug domain).

Exhibit

R1# show running-config | section ip domain
ip domain lookup
ip name-server 203.0.113.10
ip domain timeout 1
!
R1# show ip dns
DNS lookup is enabled
DNS server 203.0.113.10
DNS timeout 1 seconds
Default domain name: example.com
!
R1# nslookup server.example.com
Server:   203.0.113.10
Address 1: 203.0.113.10
Name:    server.example.com
Address 1: 203.0.113.50
!
R1# dig server.example.com
; <<>> DiG 9.8.3 <<>> server.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;server.example.com.   IN   A

;; ANSWER SECTION:
(empty)

;; AUTHORITY SECTION:
(empty)

;; ADDITIONAL SECTION:
(empty)

;; Query time: 1 msec
;; SERVER: 203.0.113.10#53(203.0.113.10)
;; WHEN: Thu Jan 11 12:34:56 2024
;; MSG SIZE  rcvd: 34
Question 463 (hard, scenario)

You are connected to R1, a router that serves as the DNS resolver for the local network 192.168.10.0/24. Users report that they cannot resolve the hostname 'webserver.internal' to its IP address (192.168.10.50), and reverse DNS lookups for that IP return a different name. Additionally, some queries to an external domain 'example.com' time out. Diagnose and fix the DNS configuration on R1 using nslookup and dig commands where applicable, ensuring proper forward and reverse resolution for internal hosts and reachability to external DNS servers.

Exhibit

R1# show running-config | section ip domain
ip domain lookup
ip domain name internal
ip name-server 192.0.2.53
ip name-server 203.0.113.53
!
R1# show ip dns
DNS lookup enabled
Default domain: internal
Name-server list:
  192.0.2.53 (unreachable)
  203.0.113.53
R1# nslookup webserver.internal
Server:   203.0.113.53
Address:  203.0.113.53#53
** server can't find webserver.internal: NXDOMAIN
R1# nslookup 192.168.10.50
Server:   203.0.113.53
Address:  203.0.113.53#53
50.10.168.192.in-addr.arpa	name = mail.internal.
R1# dig @203.0.113.53 example.com
; <<>> DiG 9.11.3 <<>> @203.0.113.53 example.com
;; connection timed out; no servers could be reached
Question 464 (hard, scenario)

You are connected to R1, a multilayer switch acting as a DNS client and DNS server for the local network. The network uses 192.168.1.0/24 for internal hosts. Users report that hostnames like 'server1.example.com' fail to resolve. Diagnose and fix the DNS resolution issue using nslookup and dig. Ensure that R1 can resolve both forward and reverse DNS queries correctly.

Exhibit

R1# show running-config | section ip domain
ip domain lookup
ip domain name example.com
ip name-server 192.0.2.53
!
R1# show ip dns server
DNS server is enabled
Forwarding: enabled
Forwarder: 192.0.2.53 (unreachable)

R1# nslookup server1.example.com
Server: 192.0.2.53
Address: 192.0.2.53#53
** server can't find server1.example.com: NXDOMAIN

R1# dig -x 192.168.1.10
; <<>> DiG 9.11.4-P1 <<>> -x 192.168.1.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345
;; QUESTION SECTION:
;10.1.168.192.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
0.in-addr.arpa. 86400 IN SOA ns.example.com. admin.example.com. 1 3600 900 604800 86400

;; Query time: 1 msec
;; SERVER: 192.0.2.53#53(192.0.2.53)
;; WHEN: Mon Jan 15 10:00:00 UTC 2024
;; MSG SIZE  rcvd: 96
Question 465 (hard, scenario)

You are connected to R1, a Cisco IOS-XE router that serves as the DNS resolver for the local network. The router can reach the DNS server at 198.51.100.53, but internal hosts cannot resolve the hostname 'fileserver.courseiva.com' (expected IP 203.0.113.10). Which configuration will resolve the issue?

Exhibit

R1#show running-config | section ip domain
ip domain lookup
ip domain name courseiva.com
ip name-server 198.51.100.53
!
R1#ping 198.51.100.53
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.51.100.53, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5)
R1#nslookup fileserver.courseiva.com
Server:         198.51.100.53
Address:        198.51.100.53#53

** server can't find fileserver.courseiva.com: NXDOMAIN

R1#nslookup 203.0.113.10
Server:         198.51.100.53
Address:        198.51.100.53#53

** server can't find 203.0.113.10.in-addr.arpa: NXDOMAIN

R1#dig fileserver.courseiva.com

; <<>> DiG 9.16.1 <<>> fileserver.courseiva.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; AUTHORITY SECTION:
courseiva.com.          3600    SOA    ns1.courseiva.com. admin.courseiva.com. 2025030101 3600 900 86400 3600

R1#dig -x 203.0.113.10

; <<>> DiG 9.16.1 <<>> -x 203.0.113.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; AUTHORITY SECTION:
113.0.203.in-addr.arpa. 3600 SOA ns1.courseiva.com. admin.courseiva.com. 2025030101 3600 900 86400 3600

R1#
Question 466 (hard, scenario)

You are connected to R1, a multilayer switch acting as a DNS forwarder for two VLANs. Users on VLAN 10 report that they cannot resolve 'files.example.com' while VLAN 20 works fine. The DNS server 198.51.100.53 is reachable but returns SERVFAIL for queries from subnet 192.168.10.0/24, while server 203.0.113.53 responds correctly for both VLANs. Diagnose and fix the DNS resolution issue using nslookup and dig, then adjust the IOS-XE configuration to ensure proper name resolution. Choose the best fix that permanently resolves the problem.

Exhibit

R1# show running-config | section ip domain
ip domain lookup
ip name-server 198.51.100.53 203.0.113.53
ip domain list example.com

R1# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   10.0.0.1        YES NVRAM  up                    up
GigabitEthernet0/0/1.10 192.168.10.1   YES NVRAM  up                    up
GigabitEthernet0/0/1.20 192.168.20.1   YES NVRAM  up                    up

R1# ping 198.51.100.53
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.51.100.53, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5)

R1# nslookup files.example.com
Server:         198.51.100.53
Address:        198.51.100.53#53
** server can't find files.example.com: SERVFAIL

R1# nslookup files.example.com 203.0.113.53
Server:         203.0.113.53
Address:        203.0.113.53#53
Name:   files.example.com
Address: 203.0.113.100

R1# dig @198.51.100.53 files.example.com A

; <<>> DiG 9.16.1 <<>> @198.51.100.53 files.example.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;files.example.com.             IN      A

;; Query time: 100 msec
;; SERVER: 198.51.100.53#53(198.51.100.53)
;; WHEN: Thu Jan 01 00:00:00 UTC 2024
;; MSG SIZE  rcvd: 42

R1# dig @203.0.113.53 files.example.com A

; <<>> DiG 9.16.1 <<>> @203.0.113.53 files.example.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54321
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;files.example.com.             IN      A

;; ANSWER SECTION:
files.example.com.      3600    IN      A       203.0.113.100

;; Query time: 50 msec
;; SERVER: 203.0.113.53#53(203.0.113.53)
;; WHEN: Thu Jan 01 00:00:00 UTC 2024
;; MSG SIZE  rcvd: 60
Question 467 (hard, scenario)
Read the full DNS explanation →

You are troubleshooting DNS resolution issues from R1. Using nslookup and dig commands, diagnose why the router cannot resolve the hostname 'fileserver.courseiva.com' to an IP address, and why reverse lookup for IP address 198.51.100.10 fails. Determine the appropriate fix to ensure successful forward and reverse DNS resolution.

Exhibit

R1# show running-config | section ip domain
ip domain lookup
ip name-server 203.0.113.1
ip domain timeout 3
ip domain retry 2

R1# nslookup fileserver.courseiva.com
Translating "fileserver.courseiva.com"...% Unrecognized host or address, or protocol not running.

R1# nslookup 198.51.100.10
Server:   203.0.113.1
Address:  203.0.113.1#53

** server can't find 10.100.51.198.in-addr.arpa: NXDOMAIN

R1# dig fileserver.courseiva.com

; <<>> DiG 9.8.3-P1 <<>> fileserver.courseiva.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;fileserver.courseiva.com. IN A

;; AUTHORITY SECTION:
courseiva.com. 3600 IN SOA ns1.courseiva.com. admin.courseiva.com. 2025032101 3600 900 86400 3600

R1# dig -x 198.51.100.10

; <<>> DiG 9.8.3-P1 <<>> -x 198.51.100.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5678
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;10.100.51.198.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
100.51.198.in-addr.arpa. 3600 IN SOA ns1.courseiva.com. admin.courseiva.com. 2025032101 3600 900 86400 3600
Question 468 (hard, scenario)
Read the full DNS explanation →

You are connected to R1, a multilayer switch acting as a DNS client for internal name resolution. The network uses a private DNS server at 192.168.1.100. Users report that resolving the hostname 'server01.courseiva.local' fails intermittently. Diagnose and fix the DNS resolution issue by examining the current configuration and using appropriate show commands to verify.

Exhibit

R1#show running-config | section ip domain
ip domain lookup
ip domain name courseiva.local
ip name-server 192.168.1.100
!
R1#show ip dns
No DNS servers configured
R1#ping 192.168.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5)
R1#nslookup server01.courseiva.local
Translating "server01.courseiva.local"...domain server (255.255.255.255)
% Unrecognized host or address, or protocol not running.
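
Worked IOS configuration for the four DNS scenarios above, added here as an editor's example; it is not the question bank's answer key. The names and addresses are the ones the scenarios use, the commands are standard IOS and IOS-XE DNS client syntax, and the source-interface choice is an assumption.

```cisco
! Added example, not from the question bank: IOS/IOS-XE DNS client setup
! and the checks that separate a client-side fault from a server-side one.
! Addresses and names follow the scenarios above; Gi0/1 as the query
! source interface is an assumption.
!
ip domain lookup
ip domain name courseiva.local
ip name-server 192.168.1.100
! Bound how long a failed lookup may stall the CLI (seconds, attempts)
ip domain timeout 3
ip domain retry 2
! Send queries from a stable address so the server's ACL can pin it down
ip domain lookup source-interface GigabitEthernet0/1
!
! Older images use the hyphenated forms: ip domain-lookup, ip domain-name
!
! --- Client-side check: is the configured server actually in use? ---
! show hosts
!   Default domain is courseiva.local
!   Name/address lookup uses domain service
!   Name servers are 192.168.1.100
! A lookup that prints "domain server (255.255.255.255)" means no name
! server is in the running config and the router is broadcasting the query.
!
! --- Server-side check: a lookup from the router walks the same path ---
! ping server01.courseiva.local
! NXDOMAIN with the zone's SOA in the AUTHORITY section (as in the dig
! output above) is an authoritative "no such record"; no router command
! fixes that, the A or PTR record has to exist on ns1.
! SERVFAIL from one server while a second answers NOERROR points at that
! server (zone not loaded, recursion refused for the client subnet); the
! immediate fix is to stop depending on it:
!   no ip name-server 198.51.100.53
!   ip name-server 203.0.113.53
!
! --- Hardening for devices that never need to resolve names ---
! no ip domain lookup
! Stops mistyped commands from hanging on a lookup and removes a
! management-plane dependency on an unauthenticated resolver.
```

Reverse lookups are worth checking separately: the PTR name is the address octets reversed under in-addr.arpa (198.51.100.10 becomes 10.100.51.198.in-addr.arpa), and the exhibits above show that the same server that is authoritative for the forward zone also owns the reverse zone, so both records must be created there.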
Question 469 (hard, scenario)
Read the full DHCP explanation →

You are connected to R1. Configure R1 as a DHCP server for the 192.168.100.0/24 subnet, reserving the first 10 addresses and the address 192.168.100.254 for static assignments, with default gateway 192.168.100.1 and DNS server 8.8.8.8. Then, on the same router, enable DHCP relay for the 10.1.1.0/24 subnet by configuring the helper address pointing to the DHCP server at 192.168.100.1. Finally, verify that the DHCP pool is correctly configured and that the helper address is set.

Exhibit

R1#show running-config | section dhcp
ip dhcp excluded-address 192.168.100.1 192.168.100.10
ip dhcp excluded-address 192.168.100.254
!
ip dhcp pool POOL_100
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.254
 dns-server 8.8.8.8
!
interface GigabitEthernet0/0
 ip address 192.168.100.1 255.255.255.0
 no shut
!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip helper-address 192.168.100.254
 no shut
Question 470 (hard, scenario)
Open the full VLAN trunking answer →

You are connected to R1 via the console. R1 is the DHCP server for the 192.168.50.0/24 LAN. Configure DHCP on R1 to assign addresses from 192.168.50.10 to 192.168.50.200, with default gateway 192.168.50.1 and DNS server 8.8.8.8. Also, configure R1 to act as a DHCP relay agent for the 10.0.0.0/30 link to reach a remote DHCP server at 203.0.113.10. Then, troubleshoot and fix a misconfiguration that causes clients on VLAN 50 to not receive IP addresses.

Exhibit

R1#show running-config | section dhcp
ip dhcp excluded-address 192.168.50.1 192.168.50.200
ip dhcp pool LAN50
 network 192.168.50.0 255.255.255.0
 default-router 192.168.50.1
 dns-server 8.8.8.8
!
interface GigabitEthernet0/0
 ip address 192.168.50.1 255.255.255.0
 ip helper-address 203.0.113.10
 no shutdown
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.252
 no shutdown
!
Question 471 (hard, scenario)
Open the full VLAN trunking answer →

You are connected to R1 (a router acting as DHCP server) via the console. Configure R1 to provide DHCP addresses for VLAN 10 (192.168.10.0/24) on the switch SW1, which is connected via R1's G0/0. Exclude the first 10 addresses (192.168.10.1-10) and the last address (192.168.10.254). Set the default gateway to 192.168.10.1 and DNS server to 203.0.113.10. On SW1, enable DHCP snooping globally and for VLAN 10, configure G0/1 as trusted toward R1, and ensure the ip helper-address on the switch's VLAN 10 SVI points to R1's G0/0 IP. The current config has a wrong helper-address and an oversized excluded range; identify and fix all issues.

Exhibit

SW1#show running-config | section interface vlan 10
interface Vlan10
 ip address 192.168.10.254 255.255.255.0
 ip helper-address 192.168.20.1
!
SW1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
Insertion of option 82 is disabled
   Interface                 Trusted    Rate limit (pps)
-----------------------      -------    -----------------
GigabitEthernet0/1           no         unlimited
GigabitEthernet0/2           no         unlimited
R1#show running-config | section dhcp
ip dhcp excluded-address 192.168.10.1 192.168.10.254
!
ip dhcp pool VLAN10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 203.0.113.10
!
Question 472 (hard, scenario)
Open the full VLAN trunking answer →

You are connected to R1. Configure R1 as a DHCP server for VLAN 20 clients (192.168.20.0/24) with DNS server 203.0.113.10 and default gateway 192.168.20.1. On switch SW1, enable DHCP snooping globally and on VLAN 20, configure the uplink to R1 as trusted, and ensure that the DHCP server is reachable via ip helper-address on the VLAN 20 SVI. Currently, clients are not receiving IP addresses because of misconfigurations: the excluded-address range on R1 is too large (excluding the entire subnet), the helper-address on SW1 points to a wrong IP (192.0.2.99), and a rogue DHCP server is connected to port Fa0/3 on SW1. Fix all issues so that clients can get addresses securely.

Exhibit

R1#show running-config | section dhcp
ip dhcp excluded-address 192.168.20.0 192.168.20.255
ip dhcp pool VLAN20_POOL
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 203.0.113.10
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 no shutdown

SW1#show running-config | section interface vlan 20
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.0.2.99

SW1#show ip dhcp snooping
Global DHCP Snooping is disabled
DHCP Snooping is configured on following vlans:
No VLANs configured

SW1#show interfaces status | include Fa0/3
Fa0/3   connected   1    auto   auto   10/100BaseTX
Question 473 (hard, scenario)
Open the full VLAN trunking answer →

You are connected to R1. Configure DHCP services so that hosts on VLAN 10 (192.168.10.0/24) can obtain IP addresses from R1. Additionally, configure the switch SW1 to prevent rogue DHCP server attacks on that VLAN. The current configuration has a misconfigured helper-address and an excluded-address range that is too broad.

Exhibit

R1#show running-config | section dhcp
ip dhcp excluded-address 192.168.10.1 192.168.10.254
ip dhcp pool VLAN10_POOL
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 8.8.8.8
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 10.0.0.2
!

SW1#show running-config | section dhcp
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
interface GigabitEthernet0/1
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 ip dhcp snooping limit rate 10
!
Question 474 (hard, scenario)
Open the full VLAN trunking answer →

You are connected to SW1, a multilayer switch. Configure DHCP snooping and an IP helper-address so that clients in VLAN 20 receive IP addresses from the DHCP server at 10.0.0.2. The DHCP server is already configured with a pool for 192.168.20.0/24, but clients are not getting addresses. Identify and correct the issues in the current configuration.

Exhibit

SW1#show running-config | section interface
interface GigabitEthernet0/0
 description to DHCP Server
 ip address 10.0.0.1 255.255.255.252
 no switchport
!
interface GigabitEthernet0/1
 switchport access vlan 20
 spanning-tree portfast
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 10.0.0.3
!
SW1#show ip dhcp snooping
Switch DHCP snooping is disabled
DHCP snooping is configured on following VLANs:
none
DHCP snooping is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
 circuit-id default format: vlan-mod-port
 remote-id: 00e0.f711.2233 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
Check for address on untrusted interfaces is enabled
Custom option 82 strings are disabled
Question 475 (hard, scenario)
Open the full VLAN trunking answer →

You are connected to R1. Configure DHCP server on R1 to assign addresses from 192.168.50.0/24 to hosts on VLAN 50, excluding 192.168.50.1-192.168.50.20, with default-router 192.168.50.1 and DNS server 8.8.8.8. On switch SW1, configure DHCP snooping globally and on VLAN 50, and enable trusted ports on the uplink to R1. Then, a host on VLAN 50 reports it received an incorrect IP address; troubleshoot and fix the issue: the wrong helper-address is configured on SW1, the excluded range is too large, and a rogue DHCP server is present on port Fa0/5.

Exhibit

R1# show running-config | section dhcp
ip dhcp excluded-address 192.168.50.1 192.168.50.100
ip dhcp pool VLAN50
 network 192.168.50.0 255.255.255.0
 default-router 192.168.50.1
 dns-server 8.8.8.8
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 no shutdown
!

SW1# show running-config | section interface
interface GigabitEthernet0/1
 description uplink to R1
 ip address 10.0.0.2 255.255.255.252
 ip helper-address 10.0.0.1
!
interface VLAN50
 ip address 192.168.50.1 255.255.255.0
!
interface FastEthernet0/5
 description rogue server
 switchport mode access
 switchport access vlan 50
!

SW1# show ip dhcp snooping
Switch DHCP snooping is disabled
DHCP snooping is configured on the following VLANs:
none
DHCP snooping trust/untrusted ports:
   Trusted ports:
   Untrusted ports:
Question 476 (hard, scenario)
Open the full VLAN trunking answer →

You are connected to the multilayer switch MLS1 in a branch network. The DHCP server on router R1 is supposed to serve the 192.168.20.0/24 VLAN 20, but clients in VLAN 20 are not receiving IP addresses. Additionally, a rogue DHCP server has been detected on VLAN 20. Configure MLS1 to enable DHCP snooping on VLAN 20, set the trust state on the uplink port to R1, and limit the rate of DHCP packets on access ports. Then, on R1, correct the DHCP configuration so that the pool for VLAN 20 uses the correct default-router (192.168.20.1) and DNS server (8.8.8.8), and ensure that the excluded-address range is not too large (exclude only the first 10 addresses). Verify the solution.

Exhibit

MLS1# show running-config | section interface
interface GigabitEthernet0/0
 description Link to R1
 ip address 10.0.0.2 255.255.255.252
 no switchport
!
interface GigabitEthernet0/1
 description Access port VLAN 20
 switchport mode access
 switchport access vlan 20
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
!

MLS1# show ip dhcp snooping
Switch DHCP snooping is disabled

R1# show running-config | section dhcp
ip dhcp excluded-address 192.168.20.1 192.168.20.254
!
ip dhcp pool VLAN20_POOL
 network 192.168.20.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 4.4.4.4
!

R1# show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.0.0.1        YES manual up                    up
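
The switch-side half of Questions 469 to 476, as an added editor's example rather than the bank's answer: DHCP snooping configured so that only the uplink toward the legitimate server can deliver OFFER and ACK messages. It assumes SW1 is a Layer 2 switch whose GigabitEthernet0/1 trunks to R1 and whose client ports are FastEthernet0/1 to 0/24; the DAI lines at the end go one step beyond the prompts.

```cisco
! Added example, not the question bank's answer: DHCP snooping on an access
! switch. Assumes SW1 is an L2 switch, Gi0/1 trunks to R1, clients sit on
! Fa0/1-24; port names otherwise follow the exhibits above.
!
ip dhcp snooping
ip dhcp snooping vlan 20
!
! Catalyst inserts option 82 with giaddr 0.0.0.0 by default. A router that
! relays with ip helper-address drops such packets, which looks exactly like
! "DISCOVER goes out, no OFFER comes back". Either stop inserting here ...
no ip dhcp snooping information option
! ... or tell the relaying router to accept them:
!   ip dhcp relay information trust-all
!
interface GigabitEthernet0/1
 description uplink to R1 (trusted: server messages may enter the VLAN here)
 switchport mode trunk
 ip dhcp snooping trust
!
! Client ports stay untrusted; the rate limit keeps a DISCOVER flood from
! exhausting the pool. Exceeding it errdisables the offending port.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 20
 ip dhcp snooping limit rate 10
!
! A rogue server on Fa0/3 is already neutralised (OFFER/ACK arriving on an
! untrusted port are dropped with a %DHCP_SNOOPING syslog); isolate the port
! while you trace the cable.
interface FastEthernet0/3
 shutdown
!
! The binding table snooping builds is what DAI and IP Source Guard consult,
! so enabling them is cheap once snooping is correct.
ip arp inspection vlan 20
interface GigabitEthernet0/1
 ip arp inspection trust
!
! --- Verification ---
! show ip dhcp snooping             (enabled, VLAN 20 listed, Gi0/1 trusted)
! show ip dhcp snooping binding     (one entry per lease: MAC, IP, VLAN, port)
! show ip dhcp snooping statistics
! show ip arp inspection vlan 20
```

The two things that most often break snooping in practice are both visible in `show ip dhcp snooping`: the uplink left untrusted (no OFFER ever reaches clients) and option 82 insertion left on in front of a relay that has not been told to trust it.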
Question 477 (hard, scenario)
Read the full NAT/PAT explanation →

You are connected to R1 via the console. R1's GigabitEthernet0/0 (10.0.0.1/30) connects to an ISP router at 10.0.0.2/30. The internal network has a web server at 192.168.1.10 and a mail server at 192.168.1.20. You need to configure NAT so that internal hosts can access the internet (PAT overload) and external users can reach the web server via public IP 203.0.113.10 and the mail server via public IP 203.0.113.11. The inside interface is GigabitEthernet0/1 (192.168.1.1/24) and the outside interface is GigabitEthernet0/0.

Question 478 (medium, scenario)
Read the full DHCP explanation →

You are connected to R1 via the console. R1's GigabitEthernet0/0 (10.0.0.1/30) connects to R2 (10.0.0.2/30). Hosts on the LAN (192.168.1.0/24) need DHCP services. The DHCP server is located at 172.16.1.100 on a different subnet reachable via R2. Configure R1 to forward DHCP broadcasts to the DHCP server.

Question 479 (medium, scenario)
Review the full routing breakdown →

You are connected to R1 via the console. R1 is an NTP client that should synchronize its clock with NTP server 192.168.1.100. The timezone is UTC-5 (Eastern Standard Time). Configure NTP on R1 so that it becomes an NTP client. Additionally, configure the router to log NTP synchronization status messages to the console and buffer logging using the numeric severity level 6 (informational).

Question 480 (medium, scenario)
Study the full ACL explanation →

You are connected to R1 via the console. R1 connects two networks: GigabitEthernet0/0 (192.168.1.1/24) and GigabitEthernet0/1 (192.168.2.1/24). Create an extended ACL named BLOCK_HTTP that denies HTTP traffic (tcp port 80) from the 192.168.1.0/24 network to the 192.168.2.0/24 network, but permits all other IP traffic. Apply this ACL inbound on GigabitEthernet0/0.

Question 481 (medium, scenario)
Read the full NAT/PAT explanation →

You are connected to R1 via console. R1 has two interfaces: GigabitEthernet0/0 (10.0.0.1/30, connected to ISP) and GigabitEthernet0/1 (192.168.1.1/24, connected to internal LAN). The LAN hosts (192.168.1.0/24) need to access the internet. Configure dynamic NAT with PAT (overload) on R1 using a NAT pool so that internal hosts share the public IP 10.0.0.1 when accessing the internet. Assume the ISP router is already configured and reachable.

Question 482 (medium, scenario)
Open the full VLAN trunking answer →

You are connected to R1 via console. R1 is a router that needs to provide DHCP services to hosts on VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24). The router has two subinterfaces on GigabitEthernet0/0: G0/0.10 (192.168.10.1/24) and G0/0.20 (192.168.20.1/24) with 802.1Q encapsulation. Configure R1 as a DHCP server for both VLANs, excluding addresses 192.168.10.1-10 and 192.168.20.1-10, with a lease of 1 day. Ensure DNS server 8.8.8.8 is provided.

Question 483 (medium, scenario)
Study the full ACL explanation →

You are connected to R1 via console. R1 is a router that should restrict SSH access to only the management station at 192.168.1.100. Currently, SSH is enabled but any IP can connect. Configure a standard named ACL called 'SSH_ACL' to permit only the management station, and apply it to the VTY lines to filter incoming SSH connections. Ensure the VTY lines use SSH only (no Telnet). The SSH version should be set to 2.

Question 484 (medium, scenario)
Read the full network assurance explanation →

You are connected to R1 via console. R1's GigabitEthernet0/0 (10.0.0.1/30) connects to an ISP, and GigabitEthernet0/1 (192.168.1.1/24) connects to the internal LAN. The network administrator needs to monitor R1's system messages. Configure R1 to send syslog messages with severity level 5 (notifications) and above to the syslog server at 10.0.0.2. Also, ensure that logging is enabled and that messages include the timestamp and source interface.

Question 485 (hard, scenario)
Read the full NAT/PAT explanation →

You are connected to R1 via console. R1 connects two networks: GigabitEthernet0/0 (10.0.0.1/30) to the ISP, and GigabitEthernet0/1 (172.16.1.1/24) to an internal network. The internal hosts (172.16.1.0/24) need to communicate with a server at 10.0.0.2 (ISP side) using a static NAT mapping. Configure static NAT so that internal host 172.16.1.100 is mapped to public IP 10.0.0.3 (which is not assigned to any interface; assume ISP routes 10.0.0.3 to R1). Also configure a static route to reach 10.0.0.3 via the ISP router (next-hop 10.0.0.2).

Question 486 (medium, scenario)
Read the full NAT/PAT explanation →

You are connected to R1 via the console. R1's GigabitEthernet0/0 (10.0.0.1/30) connects to ISP router, and GigabitEthernet0/1 (192.168.1.1/24) connects to the internal LAN. The internal network uses 192.168.1.0/24 and needs to access the internet. Configure NAT overload on R1 so that internal hosts are translated to the IP address of GigabitEthernet0/0 when accessing the internet.

Question 487 (medium, scenario)
Open the full VLAN trunking answer →

You are connected to R1 via the console. R1 is a router that needs to provide DHCP services for hosts on VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24). The DHCP server is located on VLAN 10 at 192.168.10.100, but hosts on VLAN 20 cannot reach it directly. Configure R1 to forward DHCP broadcasts from VLAN 20 to the DHCP server.
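
The router-side DHCP configuration that Questions 469, 478, 482 and 487 ask for, as an added editor's example and not the bank's answer: R1 serving two VLANs from local pools over router-on-a-stick subinterfaces, and relaying for a third VLAN whose server lives elsewhere. VLAN 30 and the remote server 172.16.1.100 are assumptions standing in for the remote-server case.

```cisco
! Added example, not the question bank's answer: R1 as DHCP server for two
! VLANs and as relay for a third. VLAN 30 and server 172.16.1.100 are
! hypothetical; the rest follows the prompts above.
!
! Exclude only what is static: the gateway plus a small reservation block.
! Excluding the whole subnet leaves the pool empty; excluding nothing lets
! the router lease its own interface address (the duplicate-IP symptom).
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.20.1 192.168.20.10
!
ip dhcp pool VLAN10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 8.8.8.8
 lease 1
!
ip dhcp pool VLAN20
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 8.8.8.8
 lease 1
!
interface GigabitEthernet0/0
 no ip address
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
!
! The pool is chosen by the subnet of the receiving interface (or by giaddr
! for relayed requests), so the pool network must match the interface.
!
! --- Relay: the server is not on R1 ---
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip helper-address 172.16.1.100
!
! The helper address is the server, never the relaying interface itself.
! ip helper-address forwards more than DHCP: UDP 37, 49, 53, 67, 68, 69,
! 137 and 138 are relayed by default. Trim it to DHCP on client VLANs:
no ip forward-protocol udp 37
no ip forward-protocol udp 49
no ip forward-protocol udp 53
no ip forward-protocol udp 69
no ip forward-protocol udp 137
no ip forward-protocol udp 138
!
! --- Verification ---
! show ip dhcp pool VLAN10            (total vs leased addresses)
! show ip dhcp binding                (still empty while clients fail means
!                                      no DISCOVER is reaching this router)
! show ip dhcp conflict
! debug ip dhcp server packet        (DHCPDISCOVER in, DHCPOFFER out)
```

An empty `show ip dhcp binding` while clients time out, as in the Question 525 exhibit, is a path problem between client and server (untrusted port, wrong or missing helper address, option 82 dropped), not a pool problem; `show ip dhcp pool` is the command that tells you a pool is exhausted.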

Question 488 (hard, scenario)
Review the full subnetting walkthrough →

You are connected to R1 via the console. R1's GigabitEthernet0/0 (192.168.1.1/24) connects to the management network, and GigabitEthernet0/1 (10.0.0.1/30) connects to the core. You need to restrict SSH access to R1 from only the management subnet 192.168.1.0/24. Additionally, SSH should be configured with a domain name 'example.com' and a modulus of 2048 bits. The username 'admin' with password 'Cisco123' should be created for SSH login.

Question 489 (hard, scenario)
Read the full Network Services and Security explanation →

You are connected to R1 via the console. R1 is configured as an NTP client that should synchronize with the NTP server at 203.0.113.1. You need to verify that R1 is synchronizing correctly and also ensure that the system clock is updated. Additionally, configure R1 to act as an NTP server for downstream devices on the internal network 192.168.1.0/24.

Question 490 (medium, scenario)
Study the full ACL explanation →

You are connected to R1 via the console. R1 is a router that connects to the internet via GigabitEthernet0/0 (198.51.100.1/30) and to the internal network via GigabitEthernet0/1 (10.1.1.1/24). You need to implement a security policy that permits HTTP traffic (port 80) from the internal network to a web server at 10.1.1.100, and denies all other traffic from internal hosts to the internet. The ACL should be named 'INTERNET-FILTER' and applied inbound on GigabitEthernet0/1.
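
The two extended ACL patterns asked for in Questions 480 and 490, as an added editor's example (not the bank's answer): a single-line deny in front of a catch-all permit, and a single-service permit in front of a catch-all deny. Addresses and names are the ones the prompts give; the sequence-number edit at the end is a hypothetical follow-up.

```cisco
! Added example, not the question bank's answer: named extended ACLs.
! Addresses and ACL names follow Questions 480 and 490.
!
! --- Pattern 1: block one flow, allow everything else (Q480) ---
ip access-list extended BLOCK_HTTP
 remark deny web from LAN1 to LAN2, permit all other IP
 deny   tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 80
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group BLOCK_HTTP in
!
! Every ACL ends in an implicit "deny ip any any"; the explicit permit is
! what keeps routing, DNS and management traffic entering on G0/0 alive.
!
! Named ACLs can be edited in place by sequence number (default 10, 20, ...)
! instead of being deleted and retyped:
ip access-list extended BLOCK_HTTP
 15 deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 443
!
! --- Pattern 2: allow one service, deny the rest (Q490) ---
ip access-list extended INTERNET-FILTER
 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.100 eq 80
 deny   ip 10.1.1.0 0.0.0.255 any
!
interface GigabitEthernet0/1
 ip access-group INTERNET-FILTER in
!
! Caveats a practitioner checks before applying pattern 2:
!  - Hosts in 10.1.1.0/24 reach 10.1.1.100 directly at Layer 2; that
!    traffic never crosses R1, so the permit only matters if the server
!    is moved behind the router.
!  - The deny also drops SSH, ICMP and DNS aimed at the router itself from
!    the LAN; add permits for those above the deny if the policy allows them.
!
! --- Verification ---
! show ip access-lists BLOCK_HTTP          (per-line match counters)
! show ip interface GigabitEthernet0/0 | include access list
! clear ip access-list counters BLOCK_HTTP
```

Inbound on the interface closest to the source is the cheapest place for a deny (the packet is dropped before the routing lookup), which is why both prompts apply the ACL `in` on the LAN-facing interface.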

Question 491 (medium, scenario)
Read the full NAT/PAT explanation →

You are connected to R1 via console. R1's GigabitEthernet0/0 (203.0.113.1/30) connects to the internet, and GigabitEthernet0/1 (192.168.1.1/24) connects to the internal LAN. The internal LAN hosts need to access the internet using PAT (overload) with the public IP 203.0.113.1 assigned to GigabitEthernet0/0. An internal web server at 192.168.1.100 must be accessible from the internet via static NAT to 203.0.113.5. Your task is to configure NAT/PAT on R1.

Question 492 (medium, scenario)
Read the full NAT/PAT explanation →

You are connected to R1 via the console. R1's GigabitEthernet0/0 (10.0.0.1/30) connects to a WAN link to the ISP. GigabitEthernet0/1 (192.168.1.1/24) connects to the internal LAN with hosts needing Internet access. The ISP has allocated public IP pool 203.0.113.16/28 (203.0.113.17-203.0.113.30). The internal LAN should use NAT overload (PAT) to translate all internal traffic to the public IP 203.0.113.18. The router currently has no NAT configuration. Configure NAT overload on R1 to allow internal hosts to access the Internet.
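
One NAT configuration that covers the variants asked for in Questions 477, 481, 485, 486, 491 and 492, added as an editor's example and not the bank's answer: PAT behind the outside interface, the pool-based alternative, and static mappings for published servers. Interface and server addresses are the ones the prompts use; the ACL and pool names are assumptions.

```cisco
! Added example, not the question bank's answer: PAT plus static NAT on R1.
! Addresses follow the prompts above; NAT_INSIDE and PUBLIC_POOL are
! hypothetical names.
!
! --- Interface roles: NAT only happens between an inside and an outside ---
interface GigabitEthernet0/0
 description to ISP
 ip address 10.0.0.1 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! --- Who may be translated (wildcard, not subnet mask) ---
ip access-list standard NAT_INSIDE
 permit 192.168.1.0 0.0.0.255
!
! --- Variant A: PAT behind the outside interface address ---
ip nat inside source list NAT_INSIDE interface GigabitEthernet0/0 overload
!
! --- Variant B: PAT behind one address of an ISP-allocated block ---
! Use A or B for a given ACL, not both.
! ip nat pool PUBLIC_POOL 203.0.113.18 203.0.113.18 netmask 255.255.255.240
! ip nat inside source list NAT_INSIDE pool PUBLIC_POOL overload
!
! --- Static NAT: publish internal servers on fixed public addresses ---
! Works only if the ISP routes 203.0.113.0/24 (or the /28) toward 10.0.0.1.
ip nat inside source static 192.168.1.10 203.0.113.10
ip nat inside source static 192.168.1.20 203.0.113.11
! Port-level form when only the interface address is available:
! ip nat inside source static tcp 192.168.1.10 443 10.0.0.1 443
!
! Static entries win over the dynamic rule for the same inside host, so a
! published server keeps its fixed public identity when it initiates traffic.
!
! Order of operations to remember when an ACL sits beside NAT:
!  inside -> outside: inbound ACL on G0/1 sees 192.168.1.x (pre-NAT),
!                     outbound ACL on G0/0 sees the public address (post-NAT)
!  outside -> inside: inbound ACL on G0/0 sees 203.0.113.x (pre-NAT),
!                     translation to 192.168.1.x happens after that check
!
! --- Verification ---
! show ip nat translations          (static entries appear immediately)
! show ip nat statistics            (hits, misses, interface roles)
! debug ip nat                      (s=inside local->inside global per packet)
! clear ip nat translation *        (flush dynamic entries after a change)
```

A common cause of "hosts in one subnet are not translated" is an ACL line whose wildcard only matches a single host, which is what the Question 509 exhibit shows with `192.168.20.0 0.0.0.0`; `show ip nat statistics` reports misses for those packets while the correctly matched subnet shows hits.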

Question 493 (hard, scenario)
Review the full routing breakdown →

You are connected to R1 via the console. R1's GigabitEthernet0/0 (10.0.0.1/30) connects to the ISP. GigabitEthernet0/1 (192.168.1.1/24) connects to the internal LAN. The security policy requires that only SSH traffic (TCP port 22) from the internal network (192.168.1.0/24) be permitted to reach the router itself, and all other inbound traffic to the router from internal hosts should be blocked. Additionally, the router must be hardened for SSH access: generate RSA keys of 2048 bits, set SSH version 2, enable SSH on vty lines, and disable Telnet. Currently, there is no security configuration. Configure R1 to meet these requirements.
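
SSH hardening and management-access restriction as asked for in Questions 483, 488 and 493, added as an editor's example rather than the bank's answer. Hostname, domain, user, ACL names and addresses are the ones the prompts give; the login-throttling and interface-ACL lines are additions a practitioner would normally include and are labelled as such.

```cisco
! Added example, not the question bank's answer: SSH-only management on R1.
! Names and addresses follow Questions 483, 488 and 493; TO_ROUTER and the
! login block-for line are practitioner additions, not from the prompts.
!
hostname R1
ip domain name example.com
! Hashed local credential; "secret", never "password"
username admin privilege 15 secret Cisco123
!
! The RSA key must exist before SSH can be enabled; 2048 bits as required
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
! Slow down brute force: 120 s lockout after 3 failures within 60 s
login block-for 120 attempts 3 within 60
!
! Layer 1 of access control: which sources may even open a VTY session
ip access-list standard SSH_ACL
 permit 192.168.1.0 0.0.0.255
 permit host 192.168.1.100
 deny   any log
!
line vty 0 4
 access-class SSH_ACL in
 transport input ssh
 login local
 exec-timeout 10 0
!
! Layer 2 (Q493): on the LAN interface, allow only SSH to the router itself
! and drop every other packet addressed to it, while transit traffic passes.
ip access-list extended TO_ROUTER
 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 22
 deny   ip any host 192.168.1.1
 deny   ip any host 10.0.0.1
 permit ip any any
!
interface GigabitEthernet0/1
 ip access-group TO_ROUTER in
!
! Caveat: TO_ROUTER also drops ICMP, DNS and NTP aimed at the router from
! the LAN. If R1 provides any of those, add permits above the deny lines.
! With "aaa new-model" configured, "login local" is replaced by
! "login authentication default" plus an "aaa authentication login" list.
!
! --- Verification ---
! show ip ssh                 (SSH Enabled - version 2.0)
! show ssh                    (live sessions and their source addresses)
! show access-lists SSH_ACL   (the "deny any log" counter is your intrusion
!                              attempt counter; ship it to syslog)
```

`transport input ssh` removes Telnet from the VTY lines entirely, which satisfies "disable Telnet" without needing a separate command; `show line vty 0 4` confirms the allowed transport.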

Question 494 (medium, scenario)
Read the full Network Services and Security explanation →

You are connected to R1 via the console. R1's GigabitEthernet0/0 (10.0.0.1/30) connects to the ISP. GigabitEthernet0/1 (192.168.1.1/24) connects to the internal LAN. The network has an NTP server at 192.168.1.200. R1 must be configured as an NTP client to synchronize its time with the server. Additionally, R1 should serve as an NTP server for internal devices on the LAN with a stratum of 5 to maintain proper hierarchy. The time zone is UTC. No NTP configuration exists. Configure NTP on R1 as specified.
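
NTP client/server operation and syslog as asked for in Questions 479, 484, 489 and 494, added as an editor's example and not the bank's answer. The server and syslog addresses follow the prompts; the NTP authentication key, the ACL numbers and the key string are assumptions.

```cisco
! Added example, not the question bank's answer: NTP hierarchy with
! authentication and access control, plus syslog to a collector.
! 192.168.1.200 and 10.0.0.2 follow the prompts; key 1 "NtpS3cret" and
! ACLs 10/20 are hypothetical.
!
! --- Time zone: match the convention of the rest of the estate ---
! Q494 wants UTC, so no clock timezone line at all. For Q479 (EST):
! clock timezone EST -5
! clock summer-time EDT recurring
!
! --- NTP client with authentication (Q511 order: key, enable, trust, use) ---
ntp authentication-key 1 md5 NtpS3cret
ntp authenticate
ntp trusted-key 1
ntp server 192.168.1.200 key 1
!
! --- NTP server for the LAN, stratum 5 fallback if upstream dies ---
ntp master 5
! "ntp master" makes R1 advertise itself even with a free-running clock;
! downstream devices will follow it, so monitor upstream sync.
!
! Accept time only from the configured server; serve clients, nothing more
access-list 10 permit 192.168.1.200
access-list 20 permit 192.168.1.0 0.0.0.255
ntp access-group peer 10
ntp access-group serve-only 20
!
! --- Syslog: timestamps first, otherwise correlation is impossible ---
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
logging on
logging buffered 16384 informational
logging console informational
logging host 10.0.0.2
logging trap notifications
logging source-interface GigabitEthernet0/0
!
! --- Verification ---
! show ntp status                 ("Clock is synchronized, stratum 6,
!                                   reference is 192.168.1.200")
! show ntp associations detail    (authenticated, valid, reach 377)
! show clock detail               ("Time source is NTP")
! show logging                    (trap level, host, buffered messages)
```

Syslog lines hours behind every other device, or NetFlow records with impossible start times, are almost always a clock that is not synchronized or a time zone set differently from its peers; `show ntp status` and `show clock detail` settle that before any collector-side investigation starts.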

Question 495 (medium, multi select)
Read the full DHCP explanation →

Which three of the following are characteristics of DHCP snooping on a Cisco switch? (Choose three.)

Question 496 (medium, multi select)
Read the full Network Services and Security explanation →

Which three options are true regarding the operation of Dynamic ARP Inspection (DAI) on a Cisco switch? (Choose three.)

Question 497 (medium, multi select)
Read the full NAT/PAT explanation →

Which three of the following statements about Network Address Translation (NAT) are correct? (Choose three.)

Question 498 (medium, multi select)
Read the full Network Services and Security explanation →

Which three of the following are characteristics of IP Source Guard on a Cisco switch? (Choose three.)

Question 499 (medium, multi select)
Read the full Network Services and Security explanation →

Which three of the following are considered best practices for securing device access in a Cisco network? (Choose three.)

Question 500 (medium, multi select)
Read the full DHCP explanation →

Which four of the following are true statements regarding the operation of DHCP snooping on a Cisco switch? (Choose all that apply. There are four correct answers.)

Question 501 (medium, multi select)
Read the full Network Services and Security explanation →

Which four of the following are characteristics or configuration requirements of NTP client/server operation in a secure enterprise network? (Choose all that apply. There are four correct answers.)

Question 502 (medium, multi select)
Read the full DHCP explanation →

Which three of the following are characteristics of DHCP snooping? (Choose three.)

Question 503 (medium, multi select)
Read the full Network Services and Security explanation →

Which three options are valid ways to secure administrative access to a Cisco IOS device? (Choose three.)

Question 504 (medium, multi select)
Read the full NAT/PAT explanation →

Which three of the following are functions of Network Address Translation (NAT) overload (PAT)? (Choose three.)

Question 505 (medium, multi select)
Study the full AAA explanation →

Which three of the following are security best practices for implementing AAA on a Cisco router? (Choose three.)

Question 506 (medium, multi select)
Read the full Network Services and Security explanation →

Which three features are used to mitigate Layer 2 security threats on a Cisco switch? (Choose three.)

Question 507 (medium, multi select)
Study the full ACL explanation →

Which four of the following are characteristics or functions of a stateless firewall, such as an extended access control list (ACL) on a Cisco router? (Choose four.)

Question 508 (medium, multi select)
Read the full Network Services and Security explanation →

Which four of the following are best practices for securing network services and devices? (Choose four.)

Question 509 (hard, multiple choice)
Read the full NAT/PAT explanation →

A network administrator is troubleshooting an issue where hosts in the 192.168.20.0/24 subnet cannot reach the Internet, while hosts in 192.168.10.0/24 can. The router is configured for PAT overload using a dynamic pool on the outside interface. The administrator collects the configuration shown in the exhibit. What is the most likely cause of the connectivity problem for the 192.168.20.0/24 subnet?

Exhibit

R1#show running-config | section access-list|ip nat|interface GigabitEthernet0/1|interface GigabitEthernet0/2|interface GigabitEthernet0/0
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 20 permit 192.168.20.0 0.0.0.0
ip nat pool NAT-POOL 200.1.1.1 200.1.1.2 netmask 255.255.255.252
ip nat inside source list 10 pool NAT-POOL overload
ip nat inside source list 20 pool NAT-POOL overload
interface GigabitEthernet0/0
 ip address 200.1.1.1 255.255.255.252
 ip nat outside
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/2
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
Question 510 (medium, drag order)
Study the full ACL explanation →

Drag and drop the following steps into the correct order to configure and apply an extended IPv4 ACL on a Cisco router to block Telnet traffic from subnet 192.168.1.0/24 to host 10.0.0.1 and permit all other IP traffic.

Question 511 (medium, drag order)
Review the full routing breakdown →

Drag and drop the following steps into the correct order to configure NTP with authentication on a Cisco router.

Question 512 (medium, drag order)
Open the full VLAN trunking answer →

Drag and drop the following steps into the correct order to implement DHCP services for clients in VLAN 10 using a centralized DHCP server in VLAN 20 and to protect the network with DHCP snooping.

Question 513 (medium, drag order)
Read the full NAT/PAT explanation →

Drag and drop the following steps into the correct order to configure dynamic NAT with overload (PAT) using a pool of public IP addresses.

Question 514 (medium, drag order)
Read the full Network Services and Security explanation →

Drag and drop the following steps into the correct order to configure a secure Cisco switch, from enabling secure management access to implementing advanced dynamic ARP inspection.

Question 515 (medium, drag order)
Read the full DHCP explanation →

Drag and drop the following steps into the correct order to configure a Layer 3 switch to perform DHCP relay agent and DHCP snooping for a remote DHCP server.

Question 516 (medium, multi select)
Read the full NAT/PAT explanation →

Which TWO statements accurately describe Network Address Translation (NAT) types?

Question 517 (medium, multi select)
Study the full ACL explanation →

Which TWO statements about IPv4 and IPv6 ACLs are true?

Question 518 (hard, multiple choice)
Open the full VLAN trunking answer →

A network engineer has implemented DHCP snooping on a Cisco switch to prevent unauthorized DHCP servers. The switch's VLAN 100 SVI is configured with ip helper-address to relay DHCP requests to a legitimate server in VLAN 200. Clients in VLAN 100 cannot obtain IP leases, even though the DHCP server is reachable from the switch and has available addresses.

Question 519 (hard, multiple choice)
Read the full network assurance explanation →

A network administrator notices that syslog messages from a core router are arriving at the syslog server with timestamps that are hours behind other devices. The router’s NetFlow exports also show incorrect start and end times for flows, making traffic analysis unreliable. The administrator verifies that all router interfaces are up and that the SNMP community strings on the router match the NMS.

Question 520 (hard, multiple choice)
Open the full VLAN trunking answer →

After hardening SSH by disabling password authentication and restricting access to an ACL permitting only the management subnet 10.1.10.0/24, configuring RADIUS AAA authentication, enabling port security with a maximum of two MAC addresses on all access ports, and implementing DHCP snooping and DAI on VLAN 10, the administrator finds that users in VLAN 10 obtain DHCP addresses and access the network normally, but SSH from the management workstation (10.1.10.20) to the switch fails with timeouts.

Question 521 (hard, multiple choice)
Open the full VLAN trunking answer →

A network engineer has enabled DHCP snooping on a Catalyst switch to prevent rogue DHCP servers. All access ports in VLAN 10 are untrusted. A router attached to a trunk port on the switch acts as the default gateway for VLAN 10 and is configured with the ip helper-address 10.1.2.5, which points to a remote DHCP server. After enabling DHCP snooping, hosts in VLAN 10 cannot obtain IP addresses; packet captures show DHCPDISCOVER messages are sent, but no DHCPOFFER is received. What is the most likely cause?

Question 522 (hard, multiple choice)
Read the full NAT/PAT explanation →

A network administrator configures PAT on a router to allow internal hosts in the 10.10.10.0/24 subnet to access the Internet. Afterward, users report that they can ping public IP addresses but cannot access any websites. The administrator verifies that the access list for NAT matches the correct subnet, and the 'ip nat inside source list 1 interface GigabitEthernet0/1 overload' command is applied. What is the most likely cause of this issue?

Question 523 (medium, drag order)

Drag and drop the following steps into the correct order to configure a Cisco switch as a DHCP relay agent with DHCP snooping, where the DHCP server is located on a remote router.

Question 524 (medium, multi select)

Which TWO actions does DHCP snooping perform by default on a Cisco switch?

Question 525 (hard, multiple choice)

Refer to the exhibit. A network engineer is troubleshooting a DHCP issue where DHCP clients on the LAN subnet are sending DHCPDISCOVER messages but the DHCP server does not receive them. The output of the show ip dhcp binding command on R1 is shown. What is the most likely cause of the problem?

Exhibit

R1# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/               Lease expiration        Type
                Hardware address
Total number of bindings = 0
Current number of high bindings = 0
Maximum number of high bindings = 256

Question 526 (hard, multiple choice)

A client PC is receiving an APIPA address (169.254.x.x) instead of a valid IP from the DHCP server. The DHCP server is on the same subnet as the client. The technician runs the command 'show ip dhcp binding' and confirms that the correct scope is configured. The command 'show ip dhcp pool' shows that there are plenty of addresses remaining in the pool. The client's NIC status shows 'connected'. What should the technician do next?

Question 527 (hard, multiple choice)

A network engineer notices that clients in the 192.168.10.0/24 subnet are receiving the IP address 192.168.10.1 from the DHCP server, causing a duplicate IP conflict with the router’s own interface. What is the most likely cause?

Question 528 (hard, multiple choice)

A network technician has configured static NAT with the command ip nat inside source static 192.168.1.10 203.0.113.10. The web server at 192.168.1.10 is accessible from the internet on TCP port 80 but not on TCP port 443. The ACL applied to the outside interface permits all IP traffic. What is the most appropriate next step to troubleshoot this issue?

Question 529 (hard, multiple choice)

Refer to the exhibit. A network administrator is troubleshooting connectivity issues. Hosts on the 192.168.10.0/24 network cannot reach servers on the 192.168.20.0/24 network, but they can successfully reach other networks, including the Internet. The administrator runs the show ip access-lists command on the router (output shown). What is the most likely cause?

Exhibit

R1# show ip access-lists
Extended IP access list 110
    10 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 (145 matches)
    20 permit ip 192.168.10.0 0.0.0.255 any (95 matches)
Extended IP access list BLOCK_WEB
    10 deny tcp any any eq 80
    20 deny tcp any any eq 443
    30 permit ip any any (5 matches)
Standard IP access list 10
    10 permit 192.168.10.0 0.0.0.255 (21 matches)
    20 deny any (8 matches)

Question 530 (hard, multiple choice)

After enabling DHCP snooping on VLAN 10, a technician finds that clients in that VLAN are no longer receiving IP addresses from the DHCP server. The server is connected to port Gi0/24. What is the most likely cause?

Question 531 (hard, multiple choice)

Refer to the exhibit. A network administrator notices that newly connected devices on the 192.168.1.0/24 subnet are failing to obtain IP addresses via DHCP and are instead assigning themselves APIPA addresses. The administrator issues the show ip dhcp pool command on the router and receives the output shown. What is the most likely cause of this issue?

Exhibit

R1# show ip dhcp pool

Pool LAN-POOL :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0 
 Total addresses                : 254
 Leased addresses               : 253
 Excluded addresses             : 0
 Pending events                 : 0

 Subnet                         : 192.168.1.0/24
 Current bindings               : 253
 Lease expiration               : 7 days 0 hours 0 minutes
 Automatic bindings             : 253
 Manual bindings                : 0
 Conflict reservations          : 0

Question 532 (hard, multiple choice)

A network technician applies an extended ACL outbound on the WAN interface Gi0/0 to block traffic from the 10.0.0.0/8 network to internet hosts. After applying the ACL, internal users report they cannot access any web pages because return traffic from internet hosts is being dropped. The technician verifies the ACL entries and finds only statements controlling outbound traffic. What is the most appropriate next action?

Question 533 (hard, multiple choice)

A network technician is troubleshooting a router that cannot be accessed via SSH. The router responds to Telnet but SSH attempts return 'connection refused'. The technician confirmed that 'ip ssh version 2' is configured and 'show ip ssh' indicates SSH is enabled. The output of 'show line vty 0 4' shows 'transport input telnet'. What should the technician do next?

Question 534 (hard, multiple choice)

A network technician is troubleshooting a DHCP relay issue. The router at the branch office is supposed to forward DHCP requests from local clients to a central DHCP server. Clients connected to Gi0/1 are not receiving IP addresses. The technician verifies that the DHCP server is reachable from the router, that no ACLs are blocking DHCP traffic, and that the DHCP scope on the server has available leases. Upon checking the running configuration, the technician notices that the ip helper-address command is applied to interface Gi0/0 (the WAN link toward the server) instead of Gi0/1. What should the technician do next?

Question 535 (hard, multiple choice)

After enabling Dynamic ARP Inspection on VLAN 20, a network engineer notices that some hosts lose connectivity. The affected hosts have correct IP addresses and MAC addresses, but they cannot ping the default gateway. All other hosts on the same VLAN work fine. Further investigation reveals that the non-functioning hosts are using static IP configurations, while the working hosts are DHCP clients. What is the most likely cause?

Question 536 (hard, multiple choice)

A network engineer notices that an NMS at 10.1.1.200 cannot poll a router that has SNMPv2c configured with community string 'public'. What is causing this issue?

Question 537 (hard, multiple choice)

Refer to the exhibit. A network engineer is troubleshooting an issue where syslog messages at severity 6 (informational) and severity 7 (debugging) are not being sent to the syslog server at 192.168.100.50, even though the device appears to generate these messages locally. Based on the exhibit, what is the most likely cause?

Exhibit

R1# show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level debugging, 355 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 355 messages logged
    Trap logging: level errors (3), 150 messages logged
        Logging to 192.168.100.50
Log Buffer (4096 bytes):
*Feb 28 10:14:55.123: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to down
*Feb 28 10:15:22.123: %SYS-6-CLOCKUPDATE: System clock has been updated from 10:15:22 UTC Feb 28 2025 to 10:15:22 UTC Feb 28 2025, configured from console by vty0 (192.168.1.10)
*Feb 28 10:15:24.456: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/1, changed state to down
*Feb 28 10:16:01.789: %SYS-7-DEBUG: Message from debug command interface GigabitEthernet0/0/1 held down
*Feb 28 10:16:10.111: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to up
*Feb 28 10:16:15.222: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/1, changed state to up
*Feb 28 10:16:30.333: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.100.50 stopped

Question 538 (hard, multiple choice)

Refer to the exhibit. A network engineer is troubleshooting an ACL that is not filtering traffic as expected. The engineer runs the show access-lists 110 command and notices that all access control entries (ACEs) show zero matches, even though traffic that should match the permit or deny statements is traversing the network. The engineer then checks the interface configuration. What is the most likely cause?

Exhibit

R1# show ip interface GigabitEthernet0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 192.168.1.1/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.251 224.0.0.252
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled

Question 539 (hard, multiple choice)

After securing a switch by running 'ip ssh version 2' and generating RSA keys with 'crypto key generate rsa modulus 1024', remote SSH connections fail with a 'key exchange error'. A check of the SSH client’s documentation reveals it requires a minimum 2048-bit RSA key for SSH version 2. What should the technician do next?

Question 540 (hard, multiple choice)

A network engineer notices that after removing a standard ACL that was applied inbound on the internet-facing interface, the router is now receiving IP packets from the internet with source IP addresses in the 10.0.0.0/8 range, which were previously blocked. What is the most likely cause?

Question 541 (hard, multiple choice)

A technician is troubleshooting an issue where internal hosts can successfully ping internet addresses but cannot establish HTTP sessions. The router is configured with PAT (overload) and uses an access list to define the inside local addresses. Recently, the internal network was renumbered from 192.168.0.0/24 to 10.0.0.0/24. What is the most likely cause?

Question 542 (hard, multiple choice)

Refer to the exhibit. An administrator has configured PAT for internal hosts to access the internet, but users report that they cannot reach external websites. The administrator suspects a NAT issue and runs the show ip nat statistics command. What is the most likely cause of the problem?

Exhibit

R1# show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 0, occurred 00:00:00 ago
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces:
  GigabitEthernet0/1
Hits: 0  Misses: 15042
CEF Translated packets: 0, CEF Punted packets: 15042
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface GigabitEthernet0/1 refcount 0
pool: (none)  refcount: 0

Question 543 (hard, multiple choice)

Refer to the exhibit. An administrator has configured NAT on router R1 to allow hosts on the 192.168.1.0/24 LAN to access the Internet. However, users report that they cannot reach external websites. The administrator runs the show ip nat translations command. What is the most likely reason for the problem?

Exhibit

R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 209.165.200.225    192.168.1.10       ---                ---
--- 209.165.200.226    192.168.1.11       ---                ---
--- 209.165.200.227    192.168.1.12       ---                ---
--- 209.165.200.228    192.168.1.13       ---                ---
--- 209.165.200.229    192.168.1.14       ---                ---
--- 209.165.200.230    192.168.1.15       ---                ---
--- 209.165.200.231    192.168.1.16       ---                ---
--- 209.165.200.232    192.168.1.17       ---                ---

Question 544 (hard, multiple choice)

Refer to the exhibit. A network engineer is troubleshooting DHCP issues on a branch office network. Several users report that new devices are unable to obtain IP addresses, even though the DHCP pool configured on R1 appears to have sufficient free addresses. The engineer executes the show ip dhcp conflict command and observes the output. Based on the output, what is the most likely cause of the problem?

Exhibit

R1# show ip dhcp conflict

IP address        Detection method   Detection time         VRF
192.168.1.50      Ping                Mar 01 2025 10:23 AM  
192.168.1.51      Ping                Mar 01 2025 10:24 AM  
192.168.1.52      Ping                Mar 01 2025 10:25 AM  
192.168.1.53      Ping                Mar 01 2025 10:26 AM  
192.168.1.54      Ping                Mar 01 2025 10:27 AM  
192.168.1.55      Ping                Mar 01 2025 10:28 AM  
192.168.1.56      Ping                Mar 01 2025 10:29 AM  
192.168.1.57      Ping                Mar 01 2025 10:30 AM  
192.168.1.58      Ping                Mar 01 2025 10:31 AM  
192.168.1.59      Ping                Mar 01 2025 10:32 AM

Question 545 (hard, multiple choice)

Refer to the exhibit. An administrator is trying to access a web server in the DMZ at 192.168.1.10 using HTTPS, but the connection times out. The web server is confirmed to be running and listening on both port 80 and port 443. The administrator examines the access list configuration on the perimeter router. Based on the output of the show access-lists command, what is the most likely cause of the failure?

Exhibit

R1# show access-lists
Standard IP access list 10
    10 permit 192.168.1.0 0.0.0.255 (5 matches)
Extended IP access list 100
    remark Allow HTTP to DMZ web servers
    10 permit tcp any 192.168.1.0 0.0.0.255 eq www (234 matches)
    remark Deny all other traffic and log
    20 deny ip any any log (1356 matches)

Question 546 (hard, multiple choice)

A network engineer notices that hosts in the 192.168.2.0/24 network connected to router R1's GigabitEthernet0/1 interface cannot reach the Internet. R1 has a standard ACL 10 configured as 'access-list 10 permit 192.168.1.0 0.0.0.255' and applied inbound on interface GigabitEthernet0/0, which connects to the 192.168.1.0/24 LAN. What is the most likely cause?

Question 547 (hard, multiple choice)

Refer to the exhibit. A network administrator is troubleshooting an NTP synchronization issue on R1. The router is configured with the command ntp server 10.1.1.100, but the clock remains unsynchronized. The administrator issues the show ntp status command. What is the most likely cause of the problem?

Exhibit

R1# show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
ntp uptime is 15000 (4.1 hours)
reference time is 00000000.00000000 (00:00:00.000 UTC Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000000 s/s
system poll interval is 64, last update was 0 sec ago.

Question 548 (hard, multiple choice)

Refer to the exhibit. A network administrator is reviewing the NAT translations on router R1 and notices that the internal host 192.168.1.10 appears in both a static NAT entry (for ports 80 and 443) using global address 203.0.113.10, and a dynamic PAT entry (port 49152) using global address 203.0.113.1. The administrator is concerned this might indicate a misconfiguration. Based on the output, which statement is correct?

Exhibit

R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.10:80    192.168.1.10:80    ---                ---
tcp 203.0.113.10:443   192.168.1.10:443   ---                ---
tcp 203.0.113.1:49152  192.168.1.10:49152 198.51.100.5:80   198.51.100.5:80
tcp 203.0.113.1:49153  192.168.1.11:49153 198.51.100.6:443  198.51.100.6:443
udp 203.0.113.1:49154  192.168.1.11:49154 8.8.8.8:53        8.8.8.8:53
icmp 203.0.113.1:3     192.168.1.12:3     8.8.4.4:3         8.8.4.4:3
tcp 203.0.113.1:49155  192.168.1.12:49155 203.0.113.50:22  203.0.113.50:22
Total number of translations: 7

Question 549 (hard, multiple choice)

Refer to the exhibit. A network administrator configures NAT overload on R1 to allow internal hosts in the 10.1.1.0/24 subnet to access the Internet. After the configuration, the administrator runs the show ip nat translations verbose command and notices that several internal sessions all appear to use the same inside global port 1024. The administrator is concerned that port conflicts will occur. Based on the output, which statement is correct?

Exhibit

R1# show ip nat translations verbose
Pro Inside global      Inside local       Outside local      Outside global
--- 203.0.113.5         10.1.1.0/24       ---                ---
udp 203.0.113.5:1024   10.1.1.10:5000     198.51.100.10:53   198.51.100.10:53
  create 00:03:45, use 00:00:10 timeout: 300000, flags: extended
  dynamic, mapping-id: 2
udp 203.0.113.5:1024   10.1.1.11:5001     198.51.100.10:53   198.51.100.10:53
  create 00:03:45, use 00:00:10 timeout: 300000, flags: extended
  dynamic, mapping-id: 2
tcp 203.0.113.5:1024   10.1.1.12:34567    203.0.113.100:443  203.0.113.100:443
  create 00:01:22, use 00:00:05 timeout: 86400, flags: extended
  dynamic, mapping-id: 2
tcp 203.0.113.5:1024   10.1.1.13:45678    203.0.113.200:22   203.0.113.200:22
  create 00:00:55, use 00:00:03 timeout: 86400, flags: extended
  dynamic, mapping-id: 2
