CCNA 200-301 v2 (200-301) — Questions 676750

1819 questions total · 25 pages · All types, answers revealed

Page 10 of 25
676
Drag & Drop · medium

Drag and drop the following troubleshooting steps into the correct order to diagnose a client connectivity issue using the OSI bottom-up method. The client is unable to access a web server by its FQDN.


Why this order

The OSI bottom-up approach starts at Layer 1 (physical), then Layer 2 (data link), Layer 3 (network), and finally Layer 7 (application) for DNS/FQDN resolution. The given sequence follows this principle by checking physical connectivity and link status before IP configuration, then testing DNS and HTTP access.

Exam trap

The trap is that candidates may start troubleshooting at the application layer because the symptom involves DNS/FQDN, but the bottom-up method requires starting at Layer 1. Always follow the specified troubleshooting model exactly.

677
Drag & Drop · medium

Drag and drop the following troubleshooting steps into the correct order to diagnose a client connectivity issue using the OSI bottom-up method.


Why this order

The OSI bottom-up method starts at the physical layer and moves up. This ensures that lower-layer issues are resolved before higher-layer troubleshooting, preventing wasted effort on symptoms caused by underlying problems.

Exam trap

The exam trap is that candidates may confuse bottom-up with top-down troubleshooting or think that checking the network layer first is more efficient. Remember: bottom-up always starts at the physical layer and proceeds sequentially upward.

678
Multi-Select · medium

Which three of the following are required to implement inter-VLAN routing on a Cisco switch using a router-on-a-stick configuration? (Choose three.)

Select 3 answers
• A trunk link between the switch and the router, carrying multiple VLANs.
• Subinterfaces on the router, each configured with an IP address in the respective VLAN subnet.
• The switchport mode trunk command on the switch port connecting to the router.
• A separate physical router interface for each VLAN.
• IP routing enabled on the switch.
• A Layer 3 switch with routed ports.

Why this answer

In a router-on-a-stick configuration, inter-VLAN routing is achieved by connecting a single router to a switch via a trunk link. The trunk carries multiple VLANs (using 802.1Q tagging), and the router uses subinterfaces—each configured with an IP address in the respective VLAN subnet—to route traffic between VLANs. The switch port connecting to the router must be configured as a trunk (e.g., with the `switchport mode trunk` command) to allow all VLAN traffic to reach the router.

Exam trap

Cisco often tests the distinction between router-on-a-stick (which requires a trunk and subinterfaces on an external router) and inter-VLAN routing using a Layer 3 switch (which requires IP routing enabled on the switch and SVIs), leading candidates to incorrectly select options that apply to the Layer 3 switch method.

679
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure Rapid PVST+ with a designated root bridge, PortFast, and BPDU Guard on access ports.


Why this order

1. Set the spanning-tree mode to Rapid PVST+: This enables Rapid PVST+ globally, a prerequisite for the root primary command to function correctly.
2. Configure the switch as the root bridge for VLAN 1: Lowers the bridge priority to guarantee this switch becomes the root, defining the STP topology.
3. Enter interface configuration mode for the access ports: Prepares the specific ports where PortFast and BPDU Guard are applied.
4. Enable PortFast on the interfaces: Allows immediate transition to forwarding state, bypassing listening/learning phases.
5. Enable BPDU Guard on the interfaces: Protects the network by err-disabling the port if a BPDU is received, which should occur only after PortFast is enabled on access ports.

680
Multi-Select · hard

A trunk link between two switches is up, but hosts in VLAN 30 on opposite switches cannot communicate. VLAN 10 works across the same trunk. Which two causes are the most likely?

Select 2 answers
A. VLAN 30 is not allowed on the trunk on one side
B. VLAN 30 may not exist in the VLAN database on the affected switch
C. The trunk native VLAN should always be 30
D. PortFast must be disabled on the access ports in VLAN 30
Answers: A, B

If the VLAN is missing from the allowed list on one side, traffic for that VLAN will not traverse the link.

Why this answer

When one VLAN fails but others work across the same trunk, the problem is likely VLAN-specific. VLAN 30 may not exist on one switch or may not be allowed on the trunk. Option C is incorrect because the native VLAN does not need to be 30; a native VLAN mismatch would typically cause connectivity issues on all VLANs, not just VLAN 30.

Option D is incorrect because PortFast only affects the speed at which an access port enters the forwarding state and does not impact communication across an already-up trunk.

Exam trap

Don't assume trunk issues affect all VLANs equally; check for VLAN-specific settings.

Why the other options are wrong

C

The native VLAN is used for untagged traffic on a trunk and is typically VLAN 1 by default. It has no bearing on whether a specific tagged VLAN like VLAN 30 is carried; the allowed VLAN list controls that.

D

PortFast is a feature that speeds up the transition of an access port to the forwarding state, bypassing STP listening/learning. It does not affect trunk operation or whether a VLAN is carried on a trunk.

681
Matching · medium

Drag and drop the items on the left to match the descriptions on the right.


Enables a port as an 802.1Q trunk port

The VLAN that carries untagged frames on a trunk link

Open standard for VLAN tagging on Ethernet frames

Process of forwarding traffic between different VLANs

Displays a summary of VLANs and their assigned ports

Why these pairings

VLANs segment a switch into multiple broadcast domains. 802.1Q trunking encapsulates frames with a VLAN tag, while the native VLAN carries untagged traffic. 'switchport mode trunk' configures a trunk port, 'show vlan brief' lists VLAN assignments, and inter-VLAN routing enables communication between VLANs typically using a router or Layer 3 switch.

682
Drag & Drop · medium

Drag and drop the following steps into the correct order to replace a faulty fiber optic SFP module and verify the interface on a Cisco IOS-XE switch. Assume the fiber cable is already disconnected from the SFP module.


Why this order

The correct order assumes the fiber cable is already disconnected as a safety prerequisite. After removal of the old SFP, insert the new SFP, then reconnect the fiber cable. Finally, verify the interface status with 'show interfaces' and check for errors with 'show interfaces counters errors' to ensure proper operation.

Exam trap

The trap is that candidates may think the cable can be connected at any point, but the correct order requires the module to be inserted before the cable, and the cable must be connected before verification. Also, some may skip the error-checking step, but it is essential for complete verification.

683
Multi-Select · medium

Which three options are valid steps for configuring a router-on-a-stick inter-VLAN routing setup? (Choose three.)

Select 3 answers
• Create subinterfaces on the router for each VLAN.
• Assign an IP address to each subinterface that matches the VLAN's default gateway.
• Enable IP routing on the router with the 'ip routing' command.
• Configure the switch ports that connect to the router as access ports in a single VLAN.
• Set the native VLAN on the trunk to match the management VLAN on the switch.
• Use the 'switchport mode access' command on the router-facing switch port.

Why this answer

In a router-on-a-stick configuration, the router uses subinterfaces to connect to multiple VLANs over a single physical interface. Each subinterface must be assigned an IP address that serves as the default gateway for its respective VLAN, and the router must have IP routing enabled (via the 'ip routing' command) to forward traffic between these subinterfaces. The three incorrect options fail because: configuring switch ports as access ports in a single VLAN would restrict connectivity to only that VLAN, breaking inter-VLAN routing; setting the native VLAN on the trunk to match the management VLAN is not required and is unrelated to router-on-a-stick functionality; and using 'switchport mode access' on the router-facing switch port would turn the link into a non-trunk access link, preventing multiple VLANs from reaching the router.

Exam trap

Cisco often tests the requirement to explicitly enable IP routing with the 'ip routing' command, as it is disabled by default on some router platforms, leading candidates to assume routing is automatically active.

684
MCQ · hard

A switch port is configured with `switchport voice vlan 150` and `switchport access vlan 20`. Which statement best explains the design purpose?

A. It separates voice and data traffic on the same edge port by assigning them to different VLANs.
B. It turns the port into a routed WAN interface.
C. It forces the phone to use CAPWAP before receiving power.
D. It makes VLAN 150 the native VLAN on all trunks automatically.
Answer: A

This is correct because that is the classic voice-VLAN access-port design.

Why this answer

The design purpose is to let the switch support a phone and an attached workstation on the same physical access port while placing their traffic into different VLANs. In practical terms, the phone can use the voice VLAN while the user's data traffic uses the access VLAN. This is a common enterprise edge design for IP telephony.

The key idea is role separation on one port, not trunking the port as a normal inter-switch link.

Exam trap

Avoid confusing voice VLAN configurations with trunking or prioritization settings.

Why the other options are wrong

B

The commands `switchport voice vlan 150` and `switchport access vlan 20` are used on a Layer 2 switch port, not a routed interface. A routed WAN interface would require `no switchport` and an IP address configuration, which is not present here.

C

CAPWAP (Control and Provisioning of Wireless Access Points) is a protocol used for wireless LAN controller and access point communication, not for voice VLAN configuration. The voice VLAN feature is unrelated to CAPWAP.

D

The `switchport voice vlan` command only affects the specific access port where it is configured, not all trunk ports. The native VLAN on trunks is configured separately with `switchport trunk native vlan`.

685
MCQ · hard

Inside hosts can reach the internet only one at a time. What is the most likely NAT issue?

A. The NAT statement is missing the overload keyword
B. The access list should deny the inside subnet
C. The inside and outside interface roles are reversed in the exhibit
D. NAT cannot be used with RFC1918 addresses
Answer: A

PAT requires overload when multiple hosts share one public address.

Why this answer

Without overload, dynamic NAT uses one public address per internal session mapping. PAT with overload is what lets many inside hosts share a single outside interface address at the same time.

Exam trap

A frequent exam trap is assuming that reversing the inside and outside interface roles causes the symptom of only one host accessing the internet at a time. While interface roles are critical for NAT operation, reversing them typically prevents translation altogether rather than limiting it to a single host. Another trap is thinking that the ACL should deny the inside subnet to fix the issue, but denying the inside subnet in the ACL stops all translations, causing no internet access.

The real cause is missing the overload keyword, which is essential for PAT to allow multiple hosts to share one public IP simultaneously.

Why the other options are wrong

B

Denying the inside subnet in the ACL would prevent any NAT translation from occurring, which would block all inside hosts from reaching the internet, not just limit access to one at a time.

C

Reversing inside and outside interface roles typically stops NAT from functioning entirely rather than allowing only one host at a time. The symptom points more directly to missing overload.

D

NAT is specifically designed to translate RFC1918 private IP addresses to public IP addresses. Saying NAT cannot be used with RFC1918 addresses is incorrect and contradicts common practice.

686
MCQ · hard

Two static routes exist for the 203.0.113.0/24 network: one pointing to ISP-A with an administrative distance of 10, and another pointing to ISP-B with an administrative distance of 5. Packets for that subnet are leaving through ISP-B. What explains this behavior?

A. The ISP-B route has a lower administrative distance.
B. Static routes with a higher next-hop IP are preferred.
C. The router always prefers the route configured last.
D. The route names force policy-based routing.
Answer: A

AD 5 beats AD 10 for the same prefix.

Why this answer

The route via ISP-B has a lower administrative distance, so it wins for the identical /24 prefix. For routes to the same destination and mask, the router compares AD before considering anything else between different route sources.

Exam trap

A frequent exam trap is assuming that the next-hop IP address or the order in which static routes are configured affects route selection. Candidates might incorrectly believe that a higher next-hop IP or the last configured route is preferred, but Cisco routers do not use these factors in route preference. Another common mistake is thinking that route names or descriptions influence routing decisions or enforce policy-based routing, which they do not.

The key is to remember that administrative distance is the primary factor in route selection when multiple routes to the same prefix exist.

Why the other options are wrong

B

This option is incorrect because the next-hop IP address does not influence route preference. Cisco routers do not consider the numeric value of the next-hop IP when selecting routes.

C

This option is incorrect because the router does not prefer routes based on the order they were configured. Route selection depends on administrative distance and metrics, not configuration sequence.

D

This option is incorrect because route names or descriptions are only for human readability and do not enforce policy-based routing. Policy-based routing requires explicit configuration beyond naming.

687
Matching · medium

Match each API security or access term to its most accurate description.


Credential-like value used to help control API access

Encrypted transport commonly used for secure API communication

Verification of identity

Determination of allowed actions after identity is verified

Why these pairings

These terms are common in API security and access control. Each pairing matches the term with its standard definition in IT certification contexts.

Exam trap

Be careful not to confuse authentication with authorization. API keys are for authentication, while OAuth is for authorization. Also, distinguish between a token format (JWT) and a security mechanism.

688
PBQ · hard

You are connected to R1. The network consists of R1, a router, and SW1, a Layer 2 switch. VLANs 10 (192.168.10.0/24) and 20 (192.168.20.0/24) are configured on SW1 with hosts in each VLAN. R1 must perform inter-VLAN routing using a router-on-a-stick configuration on interface G0/0. Currently, hosts in VLAN 10 cannot ping hosts in VLAN 20. Configure R1 and identify and resolve the issue.

Hints

  • Check if IP routing is enabled globally on the router.
  • Ensure the physical interface is not administratively down.
  • Verify that the subinterface encapsulation matches the VLANs on the switch.
A. Enable IP routing on R1 with the 'ip routing' global configuration command.
B. Configure the physical interface G0/0 with an IP address and enable trunking with 'switchport mode trunk'.
C. Ensure the trunk between R1 and SW1 is configured with 'switchport trunk allowed vlan 10,20' on SW1.
D. Add the 'no shutdown' command on R1's subinterfaces G0/0.10 and G0/0.20.
Answer: A
Solution
! R1
configure terminal
ip routing
interface GigabitEthernet0/0
no shutdown

Why this answer

The problem is that R1 is missing the 'ip routing' command, which is required to enable IP routing on a router. Without it, R1 cannot forward packets between the subinterfaces. Additionally, the trunk between R1 and SW1 may not be operational because R1's physical interface G0/0 has no IP address and is not set to trunk mode (though subinterfaces handle encapsulation).

The solution is to enable IP routing globally and ensure the physical interface is up (no shutdown).

Exam trap

Do not assume that a router automatically routes between its interfaces; the 'ip routing' command must be explicitly enabled. Also, remember that subinterfaces do not have their own shutdown state.

Why the other options are wrong

B

Assigning an IP to the physical interface would prevent subinterfaces from working, and 'switchport mode trunk' is invalid on a router interface.

C

The problem is specifically that R1 cannot route between VLANs due to missing 'ip routing', not a trunk pruning issue.

D

Subinterfaces cannot be individually shut down; the physical interface controls the link state.

689
Matching · medium

Match each access-control term to its most accurate meaning.


Verification of identity

Determination of allowed actions

Limiting access to only what is necessary

Credential store maintained on the device itself

Why these pairings

AAA is a framework for controlling access. Authentication verifies identity, authorization grants permissions, and accounting logs activities. Identification is the initial claim, and auditing is the review of logs.

Exam trap

The exam often tests the distinction between authentication (verifying identity) and authorization (granting permissions). Many candidates mix these up. Also, remember that accounting is about logging, not access decisions.

690
MCQ · medium

On a user access port, port security is configured with a maximum of 2 MAC addresses and violation mode restrict. A third unauthorized device is connected through a small unmanaged switch. What happens?

A. The port goes err-disabled immediately.
B. Traffic from the unauthorized MAC is dropped, but the interface stays up.
C. The switch learns the third MAC after aging out the first one instantly.
D. All traffic from the port is flooded to the VLAN for analysis.
Answer: B

That is the expected behavior in restrict mode.

Why this answer

In restrict mode, frames from unknown MAC addresses are dropped, the violation counter increments, and logging or SNMP traps can be generated. Unlike shutdown mode, the interface does not go err-disabled.

Exam trap

A common exam trap is confusing the restrict violation mode with shutdown mode. Candidates often mistakenly believe that any violation causes the port to go err-disabled immediately. However, restrict mode only drops unauthorized traffic and keeps the interface up, allowing legitimate devices to continue communicating.

This misunderstanding can lead to selecting the wrong answer, especially when the question specifies restrict mode. Remember that shutdown mode is the one that disables the port on violation, not restrict mode. Misreading the violation mode or assuming default behavior without verification is a frequent pitfall.

Why the other options are wrong

A

Option A states that the port goes err-disabled immediately, which matches the shutdown violation mode behavior, not restrict mode. Since the question specifies restrict mode, this option is incorrect.

C

Option C suggests that the switch instantly ages out the first learned MAC address to learn the third one, which is incorrect. Port security does not age out addresses immediately upon violation; the maximum limit is strictly enforced.

D

Option D claims that all traffic from the port is flooded to the VLAN for analysis, which is not how port security functions. Port security drops unauthorized traffic rather than flooding it, making this option invalid.

691
PBQ · hard

You are connected to R1. The network uses OSPF between R1 and R2. Configure an extended ACL on R1 so that hosts in VLAN 10 (192.168.10.0/24) can reach the web server at 203.0.113.100 only via HTTP/HTTPS, and hosts in VLAN 20 (192.168.20.0/24) can reach it via any TCP service except HTTP/HTTPS. All other traffic to the server must be denied. Apply the ACL outbound on the interface facing the server. Currently, the ACL is missing the permit for VLAN 20 traffic, causing connectivity loss.

Network Topology
Topology (diagram not reproduced): nodes R1, R2 and Web Server; interface labels G0/0 192.0.2.1/30 and G0/0 192.0.2.2/30 on the R1–R2 link, G0/1 203.0.113.1/24 on the server-facing link, Web Server 203.0.113.100/24.

Hints

  • The current ACL blocks HTTP/HTTPS from all sources, but VLAN 20 should be allowed to use those ports.
  • Use the 'range' keyword to permit a contiguous set of ports for VLAN 20, excluding ports 80 and 443.
  • Remember to deny all other traffic to the server after the permits.
A. Remove the two deny statements and add: permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 range 1 79, permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 range 81 442, permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 range 444 65535, then deny ip any any
B. Add a permit statement for VLAN 20 before the deny statements: permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 range 1 65535
C. Remove the two deny statements and add: permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 eq www, permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 eq 443
D. Add a deny statement for VLAN 20 HTTP/HTTPS before the existing permit statements: deny tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 eq www, deny tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 eq 443, then add a permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 range 1 65535
Answer: A
Solution
! R1
configure terminal
no ip access-list extended BLOCK_HTTP
ip access-list extended BLOCK_HTTP
permit tcp 192.168.10.0 0.0.0.255 203.0.113.100 0.0.0.0 eq 80
permit tcp 192.168.10.0 0.0.0.255 203.0.113.100 0.0.0.0 eq 443
permit tcp 192.168.20.0 0.0.0.255 203.0.113.100 0.0.0.0 range 1 79
permit tcp 192.168.20.0 0.0.0.255 203.0.113.100 0.0.0.0 range 81 442
permit tcp 192.168.20.0 0.0.0.255 203.0.113.100 0.0.0.0 range 444 65535
deny ip any 203.0.113.100 0.0.0.0
end
clear access-list counters BLOCK_HTTP

Why this answer

The ACL BLOCK_HTTP is applied inbound on G0/0, which is the interface toward the server. The first two deny statements incorrectly block HTTP/HTTPS from any source, including VLAN 20 which should be allowed. The correct approach is to permit HTTP/HTTPS only for VLAN 10, and permit all other TCP services (except HTTP/HTTPS) for VLAN 20, then deny all other traffic.

The solution removes the overly broad deny statements and adds specific permits for VLAN 20 to reach the server on any TCP port except 80 and 443, followed by an explicit deny ip any any to enforce the implicit deny.

Exam trap

The trap is that the existing deny statements for HTTP/HTTPS are too broad; they block VLAN 20's required access. Candidates might think they need to add permits before the denies, but they must also ensure the permits for VLAN 20 exclude HTTP/HTTPS. Another trap is forgetting to add an explicit deny at the end: although the implicit deny exists, the question explicitly states 'All other traffic to the server must be denied', so an explicit deny is good practice.

Why the other options are wrong

B

The specific factual error is that the permit statement does not exclude ports 80 and 443. It allows all TCP ports, which is too permissive.

C

The specific factual error is that the permit statements allow the very ports that should be denied for VLAN 20. This misinterprets the requirement.

D

The specific factual error is that the permit statement is too broad and overrides the deny statements. The correct approach is to permit only non-HTTP/HTTPS ports, not all ports.
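The policy in question 691 is easy to get wrong in the ACE order or the port ranges, so here is an added example (not part of the question bank and not Cisco code) that parses the solution's ACEs into a first-match evaluator and checks the flows the question cares about before the ACL is pushed to a router. The parser, helper names and sample flow addresses are this example's own assumptions; it handles only the subset of IOS ACE syntax the solution uses (permit/deny, tcp/ip, 'any', 'host X', 'address wildcard', 'eq N' and 'range L H') and ignores keywords such as 'established'.

```python
# Added example: first-match evaluator for the extended ACL from question 691.
# The parser and helper names are assumptions of this example, not IOS code.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp" or "ip" ("ip" matches every protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[Tuple[int, int]]  # inclusive destination-port range, None = any port


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS 'address wildcard' notation -> IPv4Network (assumes a contiguous wildcard)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def parse_ace(line: str) -> Ace:
    """Parse one ACE line such as 'permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 range 1 79'."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    pos = 2

    def take_address() -> ipaddress.IPv4Network:
        nonlocal pos
        if tokens[pos] == "any":
            pos += 1
            return ipaddress.IPv4Network("0.0.0.0/0")
        if tokens[pos] == "host":
            pos += 2
            return ipaddress.IPv4Network(tokens[pos - 1] + "/32")
        pos += 2
        return wildcard_to_network(tokens[pos - 2], tokens[pos - 1])

    src = take_address()
    dst = take_address()
    ports = None
    if pos < len(tokens) and tokens[pos] == "eq":
        port = int(tokens[pos + 1])
        ports = (port, port)
    elif pos < len(tokens) and tokens[pos] == "range":
        ports = (int(tokens[pos + 1]), int(tokens[pos + 2]))
    return Ace(action, proto, src, dst, ports)


def evaluate(acl: List[Ace], src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Walk the ACEs in order; the first match decides. No match falls to the implicit deny."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.ports is not None and not (ace.ports[0] <= dport <= ace.ports[1]):
            continue
        return ace.action
    return "deny"


# The ACEs exactly as they appear in the question's solution block.
BLOCK_HTTP = [parse_ace(line) for line in """
permit tcp 192.168.10.0 0.0.0.255 203.0.113.100 0.0.0.0 eq 80
permit tcp 192.168.10.0 0.0.0.255 203.0.113.100 0.0.0.0 eq 443
permit tcp 192.168.20.0 0.0.0.255 203.0.113.100 0.0.0.0 range 1 79
permit tcp 192.168.20.0 0.0.0.255 203.0.113.100 0.0.0.0 range 81 442
permit tcp 192.168.20.0 0.0.0.255 203.0.113.100 0.0.0.0 range 444 65535
deny ip any 203.0.113.100 0.0.0.0
""".strip().splitlines()]


def check_policy(acl: List[Ace]) -> dict:
    """Verdicts for the flows the question's requirement describes (sample addresses are constructed)."""
    server = "203.0.113.100"
    return {
        "vlan10_http":  evaluate(acl, "192.168.10.5", server, "tcp", 80),   # must be permit
        "vlan10_ssh":   evaluate(acl, "192.168.10.5", server, "tcp", 22),   # must be deny
        "vlan20_https": evaluate(acl, "192.168.20.7", server, "tcp", 443),  # must be deny
        "vlan20_ssh":   evaluate(acl, "192.168.20.7", server, "tcp", 22),   # must be permit
        "vlan20_udp":   evaluate(acl, "192.168.20.7", server, "udp", 53),   # only TCP is permitted
        "other_host":   evaluate(acl, "10.0.0.9", server, "tcp", 22),       # must be deny
    }


if __name__ == "__main__":
    for flow, verdict in check_policy(BLOCK_HTTP).items():
        print(f"{flow:13s} {verdict}")
```

Running the check shows why the three split ranges are needed: port 80 and 443 from VLAN 20 fall through every permit and hit the final deny, while port 22 from VLAN 20 matches the first range. Replacing the ranges with option B's single 'range 1 65535' would flip the vlan20_https verdict to permit, which is exactly the over-permission the question calls out.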

692
Drag & Drop · hard

Drag and drop the following steps into the correct order to configure a Cisco IOS-XE router as a DHCP server for a local subnet and enable a DHCP relay agent on a different interface to forward client requests to that server.


Why this order

The DHCP server must be configured first on the local subnet, then the relay agent on the remote interface to forward requests; verification ensures both server and relay function correctly.

Exam trap

Do not confuse the order of configuration: the DHCP server must be configured first, then the relay agent. Verification should be performed after both are configured to test end-to-end functionality.

693
PBQ · hard

You are connected to the console of switch SW1. A user on VLAN 10 reports they cannot reach the internet (203.0.113.1). The switch is configured as a Layer 3 switch with SVIs. Identify and correct the misconfiguration that prevents the user's default gateway from functioning. The user's PC has IP address 192.168.10.50/24 and uses 192.168.10.1 as its default gateway.

Network Topology
Topology (diagram not reproduced): nodes PC, SW1, R1 and Internet; address labels 192.168.10.50/24, 198.51.100.1, 198.51.100.1, 203.0.113.1.

Hints

  • Check the SVI configuration for any 'no' commands that might affect ARP behavior.
  • The switch has a default route, but the client may not be able to resolve the gateway MAC address.
  • Proxy ARP is disabled on the SVI; re-enable it.
A. The SVI for VLAN 10 has 'no ip proxy-arp' configured, and there is no default route on the switch.
B. The SVI for VLAN 10 has the wrong IP address configured; it should be 192.168.10.254 instead of 192.168.10.1.
C. The switch has a default route pointing to 203.0.113.1, but the SVI for VLAN 10 is missing the 'ip helper-address' command.
D. The VLAN 10 interface is administratively down, and the switch needs to be reloaded to apply the configuration.
Answer: A
Solution
! SW1
interface Vlan10
ip proxy-arp

Why this answer

The switch's SVI for VLAN 10 has the correct IP address (192.168.10.1) and will always respond to ARP requests for that address regardless of the proxy-arp setting. The real problem is the absence of a default route, so the switch cannot forward traffic destined for the Internet (203.0.113.1). Option A correctly points to the missing default route as the root cause; the 'no ip proxy-arp' line is present but irrelevant to the SVI's own ARP behavior.

The solution is to configure a default route toward the next-hop router (198.51.100.1).

Exam trap

Candidates often assume that an SVI needs proxy ARP enabled to answer ARP for its own IP address, overlooking that a Layer 3 switch always responds to ARP requests for its interface addresses. The more critical oversight is forgetting that a Layer 3 switch, like a router, requires a default route to reach external networks.

Why the other options are wrong

B

The specific factual error is that the SVI IP must match the default gateway configured on the client; changing it to a different address would not fix the issue.

C

The specific factual error is confusing DHCP relay with routing; 'ip helper-address' does not affect the default gateway's ability to forward traffic.

D

The specific factual error is that an administratively down interface would cause complete loss of connectivity, not just internet access, and reloading is not a standard troubleshooting step for configuration issues.

694
PBQ · hard

You are connected to SW1. The network has experienced a spanning-tree topology change, and the new root bridge is not the intended core switch. Configure SW1 with a root primary priority, enable PortFast and BPDU Guard on interface GigabitEthernet0/3 (an edge port connected to a server), and verify that a specific port in the topology is blocking. Then, after a BPDU violation occurs on G0/3, recover the interface from err-disable state without reloading the switch.

Network Topology
Topology (diagram not reproduced): nodes SW1, SW2, SW3, SW4 and Server; port labels G0/0, G0/0, G0/1, G0/0, G0/2, G0/0, G0/3.

Hints

  • Use 'spanning-tree vlan 1 root primary' to set priority to 24576.
  • PortFast and BPDU Guard are configured under the interface.
  • To recover from err-disable, you can use 'shutdown' and 'no shutdown' on the interface.
A. spanning-tree vlan 1 root primary; interface GigabitEthernet0/3; spanning-tree portfast; spanning-tree bpduguard enable; interface GigabitEthernet0/3; shutdown; no shutdown
B. spanning-tree vlan 1 priority 4096; interface GigabitEthernet0/3; spanning-tree portfast; spanning-tree bpduguard enable; interface GigabitEthernet0/3; errdisable recovery cause bpduguard
C. spanning-tree vlan 1 root secondary; interface GigabitEthernet0/3; spanning-tree portfast; spanning-tree bpduguard enable; interface GigabitEthernet0/3; no shutdown
D. spanning-tree vlan 1 root primary; interface GigabitEthernet0/3; spanning-tree portfast; spanning-tree bpdufilter enable; interface GigabitEthernet0/3; shutdown; no shutdown
Answer: A
Solution
! SW1
configure terminal
spanning-tree vlan 1 root primary
interface GigabitEthernet0/3
spanning-tree portfast
spanning-tree bpduguard enable
end
configure terminal
interface GigabitEthernet0/3
shutdown
no shutdown
end

Why this answer

The current root bridge has priority 32769, but the intended root should be SW1 with a lower priority. First, configure SW1 as root primary using 'spanning-tree vlan 1 root primary' or manually set priority to 24576. For edge port Gi0/3, enable PortFast with 'spanning-tree portfast' and BPDU Guard with 'spanning-tree bpduguard enable'.

After the BPDU violation, the port is err-disabled. To recover, first shut down and then no shut the interface, or use 'errdisable recovery cause bpduguard' and wait for the recovery interval, but the most direct method is to manually bounce the interface.

Exam trap

Watch out for confusing root primary vs root secondary, BPDU Guard vs BPDU filter, and the correct method to recover an err-disabled port. Manual shutdown/no shutdown is immediate, while errdisable recovery relies on a timer.

Why the other options are wrong

B

The priority value 4096 is not used by the root primary command; it sets priority to 24576. Additionally, errdisable recovery does not immediately recover the port; it requires a timer.

C

Root secondary makes the switch a secondary root, not primary. An err-disabled port requires a shutdown before no shutdown to clear the error state.

D

BPDU filter does not trigger err-disable on BPDU reception; it silently drops BPDUs. BPDU Guard is needed to protect edge ports.

695
Matching · medium

Match each Layer 2 protection feature to its most accurate purpose.


Limits and controls MAC address use on a switch port

Disables an edge port if a BPDU is received

Helps block rogue DHCP activity and build trusted bindings

Validates ARP traffic using trusted information

Why these pairings

Storm Control limits excessive traffic. Port Security limits MAC addresses. DHCP Snooping blocks unauthorized DHCP servers.

DAI validates ARP packets. IP Source Guard filters IP traffic based on DHCP snooping. 802.1X authenticates devices before granting access.

696
Multi-Select · easy

Which two statements correctly describe syslog severity levels?

Select 2 answers
A. Level 0 is the most severe
B. Level 7 is debugging
C. Higher numbers always mean more critical issues
D. Severity levels are used only by NTP
E. Syslog has only four severity levels
Answers: A, B

Emergency is the highest severity.

Why this answer

Syslog uses numbered severity levels where lower numbers indicate more critical events. Level 0 (Emergency) is the most severe, and Level 7 (Debugging) is the least. Option D is incorrect because severity levels are a syslog function, not specific to NTP.

Option E is wrong because syslog defines eight severity levels (0–7), not four.

Exam trap

A common mistake is assuming that higher syslog severity numbers mean more critical issues, but the opposite is true—lower numbers indicate higher severity.

Why the other options are wrong

D

Severity levels are a fundamental part of the syslog protocol and are not limited to or used only by NTP.

E

Syslog defines eight severity levels (0 through 7), not four.

697
Matching · medium

Match each wireless or edge-switch concept on the left to the description on the right that best fits it. Not all descriptions will be used.

Concepts:
  • SSID
  • CAPWAP
  • Voice VLAN
  • PortFast

Descriptions:
A. Name of the wireless LAN shown to clients
B. Communication relationship between lightweight APs and controller
C. Separates phone traffic from ordinary data on an edge port
D. Allows an endpoint-facing switchport to move quickly toward forwarding
E. Delivers power to devices over Ethernet (PoE)
F. Authenticates users before granting network access (802.1X)
G. Aggregates multiple physical links for increased bandwidth (LACP/EtherChannel)

Name of the wireless LAN shown to clients

Communication relationship between lightweight APs and controller

Separates phone traffic from ordinary data on an edge port

Allows an endpoint-facing switchport to move quickly toward forwarding

Why these pairings

SSID is the service set identifier, the human-readable name broadcast by access points so clients can identify the WLAN. CAPWAP (Control and Provisioning of Wireless Access Points) defines the split-MAC architecture and communication between lightweight APs and a wireless LAN controller. Voice VLAN is an access port feature that dynamically assigns IP phone traffic to a separate VLAN, isolating it from data traffic.

PortFast is a spanning-tree enhancement that bypasses listening and learning states on access ports to allow immediate forwarding, preventing connectivity delays for endpoints. Distractor E refers to Power over Ethernet, not a wireless or edge-switch naming concept; F describes 802.1X authentication, not a WLAN name or AP-controller protocol; G refers to link aggregation, not a VLAN or spanning-tree feature.

Exam trap

Do not confuse Voice VLAN with a trunk port that carries multiple VLANs — Voice VLAN actually uses the access port in conjunction with a voice VLAN ID, and PortFast is often mistaken for disabling spanning tree entirely rather than accelerating convergence.

698
MCQ · hard

Refer to the exhibit. A network administrator notices that newly connected devices on the 192.168.1.0/24 subnet are failing to obtain IP addresses via DHCP and are instead assigning themselves APIPA addresses. The administrator issues the show ip dhcp pool command on the router and receives the output shown. What is the most likely cause of this issue?

A. DHCP snooping is blocking DHCP Offer messages on the VLAN.
B. The DHCP pool has an address conflict, causing all addresses to be marked as ineligible.
C. The lease time is set to 7 days, causing old devices to hold IP addresses long after disconnecting.
D. The pool's subnet mask is incorrectly configured as /24 instead of /25, limiting available addresses.
Answer: C

The 'Lease expiration' of 7 days combined with 'Current bindings: 253' reveals that the pool stays exhausted because leases take a week to expire, starving new clients of addresses.

Why this answer

The exhibit shows 'Current bindings: 253' out of 'Total addresses: 254', meaning only one free IP remains. 'Lease expiration' is 7 days, indicating that devices that have disconnected still hold their bindings for up to a week, preventing new clients from obtaining addresses. This explains the APIPA fallback.

Exam trap

Many candidates choose option A, suspecting DHCP snooping blocks Offer messages, but the exhibit contains no reference to snooping or blocked traffic—the straightforward cause is pool exhaustion due to a long lease time.

Why the other options are wrong

A

Candidates often prematurely blame security features when DHCP fails, ignoring the pool statistics right in front of them.

B

A common mistake is assuming that address conflicts are what filled the pool, but the conflict count of zero in the exhibit directly disproves this.

D

Misunderstanding subnet sizing often leads candidates to blame the mask, but the exhibit confirms the mask is appropriate for the pool size.

699
MCQ · medium

In a controller-based network architecture, what is a southbound API typically used for?

A. To communicate from the controller to network devices
B. To provide dashboards to end users in a browser
C. To translate DNS names into IP addresses
D. To synchronize switch clocks with NTP
Answer: A

Correct. Southbound APIs face the infrastructure layer.

Why this answer

Southbound APIs are used by the controller to communicate with and program network devices or the infrastructure below it.

Exam trap

A frequent exam trap is mistaking southbound APIs for functions unrelated to device management, such as providing user dashboards (option B), translating DNS names (option C), or synchronizing clocks with NTP (option D). These options describe roles outside the scope of southbound APIs. Southbound APIs specifically enable the controller to communicate with and program network devices, not to serve end-user interfaces or perform network services like DNS or time synchronization.

Confusing these roles can lead to selecting incorrect answers, as the exam expects precise understanding of the controller’s interaction layers.

Why the other options are wrong

B

Incorrect. Providing dashboards to end users is a function related to northbound APIs or management applications, not southbound APIs that interface with network devices.

C

Incorrect. DNS name resolution is unrelated to southbound APIs, which focus on device communication and management rather than network services like DNS.

D

Incorrect. Synchronizing switch clocks with NTP is a network service function independent of southbound APIs, which do not handle time synchronization tasks.

700
MCQ · hard

Based on the exhibit, why is traffic to host 198.51.100.70 using the OSPF route instead of the static route?

A. Because the OSPF /26 route is more specific than the static /24 route.
B. Because OSPF always overrides static routing, regardless of prefix length.
C. Because the static route must have an administrative distance of 255 to be considered.
D. Because the destination 198.51.100.70 is outside both listed routes.
Answer: A

This is correct because longest-prefix match causes the /26 route to be chosen for 198.51.100.70.

Why this answer

The traffic uses the OSPF route because it is the more specific match. In practical terms, the router evaluates destination-prefix specificity before comparing route source preference. The static route points to a broader /24, while the OSPF entry points to a narrower /26 that still contains the destination. Because longest-prefix match comes first, the /26 route wins.

This is a good reminder that static routes do not automatically beat dynamic routes when the prefixes are different. Specificity matters first, then source preference only when the prefix length is the same.

Exam trap

A frequent exam trap is believing that static routes always take precedence over OSPF routes because static routes have a lower administrative distance. This misconception ignores the fundamental routing principle of longest-prefix match, which prioritizes the most specific subnet mask regardless of route source. Candidates may incorrectly select the static route simply because it is static, missing that the OSPF route’s /26 mask is more specific than the static /24.

This leads to incorrect answers and confusion about route selection behavior in Cisco routers.

Why the other options are wrong

B

Incorrect because OSPF does not always override static routes. Administrative distance matters only when prefix lengths are equal, and longest-prefix match takes precedence over route source.

C

Incorrect because the static route does not have an administrative distance of 255; it is valid and installed in the routing table. The issue is the static route’s broader prefix, not its administrative distance.

D

Incorrect because the destination IP 198.51.100.70 falls within both the /24 static route and the /26 OSPF route. The router chooses based on prefix specificity, not exclusion from the routes.

701
MCQ · hard

A network engineer is troubleshooting a connectivity issue between two switches, SW1 and SW2, which are connected via four GigabitEthernet links configured as an LACP EtherChannel. Hosts on VLAN 10 connected to SW1 can ping the management IP of SW2, but cannot reach hosts on VLAN 10 connected to SW2. The engineer runs a show command on SW1. What is the most likely cause of the problem?

A. The interface Gi0/0/3 is in err-disabled state due to a spanning-tree BPDU guard violation.
B. The interface Gi0/0/3 has a different LACP port priority or is configured with 'channel-group 1 mode passive' while the other ports use 'active'.
C. The port-channel interface is down (not in use), causing all member ports to be stand-alone.
D. The switch is running out of MAC addresses for the EtherChannel, so one port cannot be added.
Answer: B

A mismatch in LACP mode (active vs. passive) or port priority can cause a port to remain in stand-alone mode. The 'I' flag indicates the port is not negotiating LACP successfully.

Why this answer

The issue is that hosts on VLAN 10 can ping the management IP of SW2 but cannot reach other hosts on the same VLAN. This indicates Layer 2 connectivity is broken for data traffic, while Layer 3 (management) traffic works. Since the EtherChannel uses LACP, if one member port (Gi0/0/3) has a different LACP port priority or is in 'passive' mode while others are 'active', LACP negotiation will fail on that link, causing it to be excluded from the channel.

The remaining three ports may still form the EtherChannel, but the missing link can cause load-balancing issues or, more critically, if the channel requires all four links for STP to forward traffic on VLAN 10, the VLAN may be blocked or the port-channel may not pass data correctly for that VLAN.

Exam trap

Cisco often tests the distinction between Layer 3 reachability (management IP) and Layer 2 data-plane issues, leading candidates to focus on STP or err-disabled states instead of LACP negotiation mismatches that cause partial channel membership.

Why the other options are wrong

A

The 'I' flag in the show command output indicates the port is in stand-alone mode, not err-disabled. An err-disabled interface would show as 'err-disabled' or have a 'D' flag, and BPDU guard violation would cause the port to be in err-disabled state, not stand-alone.

C

The show command output shows the port-channel interface as 'SU' (Layer2, in use), meaning it is operational. If the port-channel were down, all member ports would be affected, not just one. The issue is isolated to a single member port.

D

EtherChannel does not have a MAC address limit; each physical port retains its own MAC address. LACP can bundle up to 16 ports (8 active) without any MAC address exhaustion issue. This is not a realistic failure scenario.

702
MCQ · medium

A router is configured as follows:

interface g0/1
 ip address 172.16.1.1 255.255.255.0
 ip helper-address 10.20.20.10

Hosts on 172.16.1.0/24 are not receiving addresses from the DHCP server at 10.20.20.10. The server is reachable by ping from the router. What is the purpose of the ip helper-address command in this scenario?

A. It converts DHCP unicast replies into broadcasts on the client segment
B. It forwards certain UDP broadcasts, including DHCP requests, to a remote server
C. It provides DNS resolution for DHCP clients before they receive an address
D. It creates a static route to the DHCP server
Answer: B

Correct. The command relays certain UDP broadcasts, including DHCP client requests, to a server on another subnet. That is why DHCP can work even when the server is not local to the client VLAN.

Why this answer

The ip helper-address command exists to solve a broadcast-boundary problem. DHCP clients begin by sending broadcast traffic because they do not yet have a valid IP configuration. Routers normally do not forward broadcasts between subnets, so if the DHCP server lives on a different network, the client request would stop at the router.

The helper-address function listens for that local broadcast and relays it as unicast traffic to the remote DHCP server. In plain language, it lets a client on one VLAN ask a DHCP server on another VLAN for an address. The command is not a routing statement and it is not a DNS feature.

It is a relay mechanism for broadcast-based UDP services such as DHCP.

Exam trap

A frequent exam trap is confusing the ip helper-address command as a feature that converts DHCP unicast replies into broadcasts on the client segment. In reality, the router forwards DHCP client broadcasts as unicast to the server, not the other way around. Another mistake is assuming the command creates static routes or provides DNS resolution, which it does not.

Misunderstanding these functions leads to incorrect troubleshooting and answer choices, especially when the DHCP server is reachable by ping but clients still fail to get addresses due to missing broadcast relay.

Why the other options are wrong

A

Option A incorrectly states that the ip helper-address converts DHCP unicast replies into broadcasts. The command actually relays client broadcast requests as unicast to the server, not the reverse. This reverses the direction of the relay function and misunderstands the broadcast boundary issue.

C

Option C incorrectly claims the command provides DNS resolution for DHCP clients before they receive an address. DNS resolution is unrelated to the ip helper-address function, which only relays UDP broadcasts like DHCP requests and does not perform name resolution.

D

Option D mistakenly suggests that the command creates a static route to the DHCP server. Routing and static routes are separate functions; the ip helper-address does not affect routing tables but only relays broadcast traffic as unicast.

703
MCQ · hard

Refer to the exhibit. A network engineer is troubleshooting an issue where syslog messages at severity 6 (informational) and severity 7 (debugging) are not being sent to the syslog server at 192.168.100.50, even though the device appears to generate these messages locally. Based on the exhibit, what is the most likely cause?

A. The logging buffer is full, preventing new informational and debug messages from being sent to the syslog server.
B. The syslog server IP address 192.168.100.50 is unreachable from the router.
C. The trap logging level is set to errors (severity 3), filtering out informational and debug messages.
D. Console logging is disabled, so only severity 3 and lower messages appear.
Answer: C

The 'Trap logging: level errors (3)' line in the exhibit explicitly limits syslog messages sent to the syslog server to severity 0–3. Informational (6) and debug (7) are higher in numeric value (less severe) and are dropped by this filter.

Why this answer

The exhibit shows 'Trap logging: level errors (3)'. This filter level means only syslog messages with severity 0 (emergency) through 3 (errors) are forwarded to the syslog server. Severity 6 (informational) and 7 (debugging) are above this threshold and are therefore excluded.

The log buffer, however, is set to 'debugging' level, so those messages appear locally but are not sent to the server.

Exam trap

The presence of informational and debug messages in the local buffer (like %SYS-6-CLOCKUPDATE and %SYS-7-DEBUG) might mislead candidates into thinking the server connection is faulty or that the buffer is the issue. In reality, the trap logging level (errors) filters them out before transmission.

Why the other options are wrong

A

Candidates may associate local buffer behavior with remote logging, but the buffer is just local storage, independent of trap forwarding.

B

A reachability problem would affect all severities equally, not selectively filter only informational and debug messages.

D

Candidates may confuse console and trap logging, but each destination has its own independent severity level.

704
Matching · medium

Match each security control or idea to its most accurate purpose.

Secures remote management sessions

Provides authentication, authorization, and accounting framework

Limits access to only what is necessary

Centralizes visibility into device events and messages

Why these pairings

SSH encrypts remote CLI sessions, ensuring secure management access. AAA is a framework that defines how users are authenticated, what they are authorized to do, and how their actions are accounted for. The least privilege principle restricts users to only the permissions essential for their role, minimizing potential damage.

Syslog collects and centralizes log messages from devices, providing visibility into network events and aiding in troubleshooting and security monitoring.

Exam trap

Candidates often confuse SSH with Telnet or other remote-access methods; SSH is specifically for encrypted management sessions, not generic remote connectivity. Additionally, AAA is sometimes misinterpreted as only authentication, but it encompasses authorization and accounting as well.

705
MCQ · medium

Exhibit: An administrator wants inside hosts in 192.168.10.0/24 to reach the internet using one public IP address on the edge router. Which feature is being used?

A. Static NAT
B. Policy-based routing
C. PAT overload
D. Port security
Answer: C

The overload keyword indicates PAT using one outside interface address.

Why this answer

When many inside private addresses share one public address and are differentiated by Layer 4 port numbers, the router is using PAT. Cisco documentation often calls this NAT overload.

Exam trap

Be careful not to confuse the different types of NAT. Remember, PAT is specifically for sharing one public IP among many devices using port numbers.

Why the other options are wrong

A

Static NAT requires a one-to-one mapping between an inside local address and an inside global address, which would consume multiple public IPs if multiple hosts need internet access. It does not allow multiple inside hosts to share a single public IP.

B

Policy-based routing (PBR) is used to override the routing table based on policies (e.g., source/destination IP, protocol), not to perform address translation. It does not modify IP addresses or enable multiple hosts to share a single public IP.

D

Port security is a switchport security feature that restricts MAC addresses allowed on a port to prevent unauthorized access. It does not perform IP address translation or enable internet access for multiple hosts.

706
PBQ · hard

You are connected to R1, a branch router connected to a central NTP server at 203.0.113.10 and a syslog server at 198.51.100.20. Configure R1 as an NTP client using its Loopback0 interface (192.168.1.1/32) as the source, and ensure syslog messages of severity 'informational' and above are sent to the syslog server. Currently, R1 shows 'Clock is unsynchronized, stratum 16'. Identify and fix the NTP issue, then apply the syslog configuration.

Network Topology: R1 G0/0 (10.0.0.2/30) -- link -- R2

Hints

  • NTP shows stratum 16 and uses a local pseudo-clock — the server is configured but not used.
  • Check if the NTP source interface is set to a reachable IP.
  • Syslog is only sending warnings and above — change the trap level to allow informational.
A. Configure 'ntp source Loopback0' and 'logging trap informational'.
B. Configure 'ntp server 203.0.113.10 source Loopback0' and 'logging trap warnings'.
C. Configure 'ntp source Loopback0' and 'logging trap debugging'.
D. Configure 'ntp source Loopback0' and 'logging host 198.51.100.20' without changing the trap level.
Answer: A
solution
! R1
configure terminal
ntp source Loopback0
logging trap informational
end
write memory

Why this answer

The NTP client was configured but the source interface was not specified, causing the router to use a default source address that may not be reachable from the server. Additionally, the syslog trap level was set to 'warnings' (severity 4), which filters out informational (severity 6) messages. To fix: configure 'ntp source Loopback0' so that NTP uses a consistent source IP, and configure 'logging trap informational' so that messages of severity 0 through 6 (informational and more severe) are forwarded.

Exam trap

Trap: Candidates may confuse the 'ntp server' command syntax with the global 'ntp source' command, or assume the default syslog trap level already includes informational messages. Remember: NTP source is set globally, and syslog trap levels must be explicitly configured to match the required severity.

Why the other options are wrong

B

The specific factual error: The 'ntp server' command does not have a 'source' parameter; source is set globally. Also, 'logging trap warnings' does not meet the requirement to send informational messages.

C

The specific factual error: 'logging trap debugging' sends all messages, including debugging (severity 7), which is unnecessary and can cause excessive log traffic. The requirement is for informational and above, which is severity 6, not 7.

D

The specific factual error: The default trap level may not be 'informational'; it is often 'warnings' or 'debugging' depending on the IOS version. The requirement to send informational messages necessitates explicit configuration of 'logging trap informational'.

707
Drag & Drop · medium

Which of the following sequences correctly orders the steps to plan, configure, and apply an extended ACL that permits HTTP traffic from the 192.168.1.0/24 subnet to the server at 10.0.0.1, and deny all other IP traffic, applied inbound on interface GigabitEthernet0/1?


Why this order

First enter global configuration mode, then create the extended ACL with the permit statement for HTTP from 192.168.1.0/24 to 10.0.0.1, then add the deny-all entry, then enter interface GigabitEthernet0/1, and finally apply the ACL inbound.

Exam trap

Be careful with the order of ACL entries: always place more specific permits before general denies. Also, remember that ACLs must be created before they can be applied, and the direction (inbound/outbound) must match the requirement.

708
Matching · medium

Match each security-related term to its most accurate meaning.

Protection against unauthorized disclosure

Protection against unauthorized modification

Ensuring systems and data can be accessed when needed

Recording activity or usage details

Why these pairings

Confidentiality ensures data is only accessible to authorized parties, directly matching 'protection against unauthorized disclosure.' Integrity safeguards data from tampering, aligning with 'protection against unauthorized modification.' Availability guarantees that systems and data are reachable when required, fitting 'ensuring systems and data can be accessed when needed.' Accounting provides a trail of user activity, corresponding to 'recording activity or usage details.' Each term maps precisely to its defined security objective in the CIA triad and operational security.

Exam trap

Students often confuse Accounting with Authentication or Authorization; Accounting specifically involves recording what actions were taken, not granting or denying access.

709
MCQ · hard

A network engineer configures an EtherChannel between two switches. Switch A's interface is set with channel-group 1 mode active, while Switch B's identical interface is set with channel-group 1 mode auto. When verifying with show etherchannel summary, the engineer observes that the port-channel interface is down and the physical interfaces are not bundled. What is the most likely cause of the problem?

A. The LACP system priority on the active side must be lower than the auto side.
B. The mode 'auto' is a PAgP negotiation mode that is incompatible with the LACP active mode.
C. LACP requires one side to be active and the other passive; two active interfaces will not bundle.
D. The physical interfaces must be shut down and then re-enabled after configuring LACP for the bundle to form.
Answer: B

Mode auto is part of Cisco's PAgP, not LACP. It cannot negotiate with an interface using LACP active mode, so the bundle fails.

Why this answer

Option B is correct because 'active' is an LACP mode that initiates negotiations, while 'auto' is a PAgP mode that passively waits for PAgP packets. Since LACP and PAgP are incompatible protocols, the interfaces will never negotiate a bundle, leaving the port-channel down. The engineer must use matching protocol modes (e.g., both LACP active/passive or both PAgP desirable/auto) for EtherChannel to form.

Exam trap

Cisco often tests the confusion between LACP and PAgP mode keywords, especially the similarity between 'active' (LACP) and 'auto' (PAgP), leading candidates to assume they are compatible or to focus on priority or interface state rather than protocol mismatch.

Why the other options are wrong

A

LACP priority is not required for basic negotiation and does not cause a failure to bundle.

C

Active/active LACP successfully negotiates, so this is not the cause.

D

Bouncing interfaces is not required to trigger LACP negotiation.

710
MCQ · hard

What is the best explanation for why a router chooses the OSPF route to 10.50.0.0/16 instead of the RIP route?

A. Because OSPF has a lower administrative distance than RIP for the same prefix.
B. Because RIP routes are never installed when OSPF is running.
C. Because OSPF always has a longer prefix than RIP.
D. Because the RIP metric is lower than the OSPF metric.
Answer: A

This is correct because both routes are /16, so source trust becomes decisive and OSPF wins.

Why this answer

The router chooses the OSPF route because when the prefix length is the same, source preference is considered, and OSPF has a lower administrative distance than RIP. In practical terms, both routes describe the same destination size, so longest-prefix match does not separate them. The router then trusts the OSPF source more than RIP by default.

This is a classic administrative-distance comparison question and a very important route-selection concept.

Exam trap

A frequent exam trap is believing that RIP routes are never installed when OSPF is running or that the router always prefers the route with the lowest metric regardless of protocol. This is incorrect because RIP routes can remain in the routing table alongside OSPF routes. The router actually uses administrative distance, not metric, to choose between routes learned from different protocols.

Confusing metric with administrative distance leads to wrong answers, especially when both protocols advertise the same prefix length. Remember, cross-protocol route selection depends on administrative distance, not metric comparison.

Why the other options are wrong

B

Option B is incorrect because RIP routes can still be installed in the routing table even when OSPF is running; the router does not automatically suppress RIP routes.

C

Option C is wrong because both OSPF and RIP routes shown have the same prefix length (/16), so prefix length does not influence the choice here.

D

Option D is incorrect because cross-protocol route selection is based on administrative distance, not metric comparison; RIP's metric being lower does not make it preferred over OSPF.

711
PBQ · hard

You are connected to R1 via the console. R1 and R2 are directly connected via their GigabitEthernet0/0 interfaces. The link between them is down. Your task is to diagnose and fix the issue: R1's interface is configured for 100 Mbps full-duplex, but R2 is using auto-negotiation. Additionally, the link requires a Gigabit Ethernet connection over a distance of 5 km. Configure R1's interface to match R2's settings (auto-negotiation) and then select and install the correct SFP module to support the 5 km distance requirement.

Network Topology: R1 G0/0 (10.0.0.1/30) -- SFP link -- R2 G0/0 (10.0.0.2/30)

Hints

  • Check the current speed and duplex settings on R1's interface.
  • Auto-negotiation requires both sides to be set to 'auto' to succeed.
  • For distances up to 5 km, use a 1000BASE-LX SFP (single-mode fiber).
A. Configure R1 with 'no speed', 'no duplex', and 'negotiation auto' on GigabitEthernet0/0, then replace the SFP module with a 1000BASE-LX SFP.
B. Configure R1 with 'speed 1000' and 'duplex full' on GigabitEthernet0/0, then replace the SFP module with a 1000BASE-SX SFP.
C. Configure R1 with 'no speed', 'no duplex', and 'negotiation auto' on GigabitEthernet0/0, then replace the SFP module with a 1000BASE-SX SFP.
D. Configure R1 with 'speed 100' and 'duplex full' on GigabitEthernet0/0, then replace the SFP module with a 1000BASE-LX SFP.
Answer: A
solution
! R1
configure terminal
interface gigabitethernet 0/0
no speed 100
no duplex full
negotiation auto
end

Why this answer

The link is down because R1 is forcing speed 100 and full-duplex while R2 is using auto-negotiation. When one side is hard-coded and the other is set to auto, auto-negotiation fails and the link does not come up. The fix is to enable auto-negotiation on R1 by removing the manual speed and duplex settings with the 'no speed' and 'no duplex' commands, and then using 'negotiation auto'.

For the 5 km distance, a standard 1000BASE-SX SFP (550 m) is insufficient; a 1000BASE-LX SFP (up to 10 km) is required. The candidate must also replace the SFP module with a compatible LX SFP.

Exam trap

Students often forget that auto-negotiation must be enabled on both sides for Gigabit Ethernet; hard-coding one side breaks the link. Also, they may confuse SFP types: SX for short range, LX for long range. Always verify distance requirements when selecting fiber optics.

Why the other options are wrong

B

The specific factual error is that hard-coding speed and duplex on one side while the other uses auto-negotiation prevents the link from coming up, and 1000BASE-SX cannot reach 5 km.

C

The specific factual error is that 1000BASE-SX is designed for short-range multimode fiber, not long distances.

D

The specific factual error is that GigabitEthernet interfaces can operate at 100 Mbps, but the SFP module requires 1000 Mbps; additionally, the speed/duplex mismatch prevents the link from coming up.

712
MCQ · medium

Why is RIP rarely chosen for large modern enterprise networks?

A. It does not support IPv4
B. It scales poorly due to slow convergence and hop-count limitations
C. It cannot run on routers and only works on switches
D. It requires link-state advertisements
Answer: B

Correct. Limited scale and slower convergence are major reasons RIP is rarely used in large environments.

Why this answer

RIP is simple but has important scalability limits, including a maximum metric of 15 and relatively slow convergence compared with more modern protocols such as OSPF and EIGRP.

Exam trap

Don't confuse RIP's limitations with features of other protocols; remember RIP's maximum hop count and distance-vector nature.

Why the other options are wrong

A

RIP supports both IPv4 and IPv6 (RIPng). The statement is factually incorrect because RIP has been used for IPv4 routing since its inception.

C

RIP is a routing protocol that runs on routers, not switches. While some multilayer switches can run routing protocols, RIP is not exclusive to switches.

D

RIP is a distance-vector protocol, not a link-state protocol. It uses hop count as its metric and exchanges entire routing tables, not link-state advertisements (LSAs) like OSPF.

713
PBQhard

You are connected to SW1 via console. SW1 is a Layer 2 switch connected to SW2 via three links (G0/1, G0/2, G0/3) that should form an EtherChannel using LACP. Currently, the interfaces are configured as access ports in VLAN 1. Configure the three interfaces as a LACP EtherChannel trunk that carries VLANs 1-100, and ensure the port-channel interface is operational.

Network Topology: SW1 G0/1 -- links -- SW2 G0/1

Hints

  • Create the port-channel interface first, then assign physical ports with 'channel-group'.
  • Use 'mode active' for LACP.
A.interface port-channel 1 switchport mode trunk switchport trunk allowed vlan 1-100 interface range g0/1-3 channel-group 1 mode active switchport mode trunk
B.interface port-channel 1 switchport mode trunk switchport trunk allowed vlan 1-100 interface range g0/1-3 channel-group 1 mode passive switchport mode trunk
C.interface port-channel 1 switchport mode access switchport access vlan 1 interface range g0/1-3 channel-group 1 mode active switchport mode trunk
D.interface port-channel 1 switchport mode trunk switchport trunk allowed vlan 1-100 interface range g0/1-3 channel-group 1 mode on switchport mode trunk
AnswerA
solution
! SW1
interface port-channel 1
switchport mode trunk
switchport trunk allowed vlan 1-100
interface gigabitethernet0/1
channel-group 1 mode active
interface gigabitethernet0/2
channel-group 1 mode active
interface gigabitethernet0/3
channel-group 1 mode active

Why this answer

The port-channel interface is created and configured as a trunk with allowed VLANs. Physical interfaces are assigned to the channel-group with LACP active mode, which negotiates the EtherChannel with the peer. The trunk is then operational for VLANs 1-100.

Exam trap

Remember that LACP requires at least one side to be in active mode to initiate negotiation. Also, the port-channel interface configuration must match the physical interfaces' switchport mode. Do not confuse 'mode on' (static) with LACP modes.

Why the other options are wrong

B

The specific factual error: LACP passive mode does not initiate negotiation; it only responds. For the EtherChannel to form, at least one side must be active.

C

The specific factual error: The port-channel interface and physical interfaces must have consistent switchport mode configuration. Here, the port-channel is access while physical are trunk, causing a mismatch.

D

The specific factual error: 'channel-group mode on' creates a static EtherChannel without LACP. The question requires LACP, so this does not meet the requirement.

714
Matchingmedium

Match each security control idea to its most accurate purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Limits access to only what is necessary

Provides encrypted remote administration

Disables an edge port if a BPDU is received

Limits and controls MAC address learning on a switch port

Why these pairings

Least privilege restricts users and processes to only the access rights necessary for their tasks, reducing the attack surface. SSH provides encrypted remote management, preventing eavesdropping and credential theft during administrative sessions. BPDU Guard immediately disables an edge port if a BPDU is received, safeguarding the network from unauthorized switches and potential loops.

Port security limits the number and identity of allowed MAC addresses on a switch port, blocking MAC flooding and unauthorized device access.

Exam trap

The exam often tests your ability to differentiate between security controls that sound similar but have distinct functions. Do not assume that a firewall can do everything; each control has a specific role.

715
MCQmedium

Which DHCP message does the client send to formally accept an offered address?

A.DISCOVER
B.OFFER
C.REQUEST
D.ACK
AnswerC

Correct. REQUEST is the client's acceptance step.

Why this answer

In the DORA process, the client sends DHCPREQUEST after receiving an offer. The server then responds with DHCPACK if the lease is granted.

Exam trap

Be careful not to confuse the direction of messages in the DHCP process. Remember which messages are client-initiated and which are server responses.

Why the other options are wrong

A

The DISCOVER message is used by the client to locate available DHCP servers, not to accept an offered address. It is the first step in the DORA process.

B

The OFFER message is sent by the DHCP server to propose an IP address to the client, not by the client to accept it. The client cannot send an OFFER.

D

The ACK message is sent by the DHCP server to confirm the lease after receiving the REQUEST, not by the client. The client does not send ACK.

716
PBQhard

You are connected to WLC-1 via the management interface (192.168.1.100/24). The wireless network 'CustomerNet' uses WPA3-Personal, but clients are failing to associate. The SSID is hidden and the correct VLAN is 30. Configure the WLAN and SSID parameters to allow successful client associations and verify the configuration.

Network Topology: Clients -- Cisco AP -- WLC-1

Hints

  • Remember to create the interface before assigning it to the WLAN.
  • WPA3-Personal uses a pre-shared key (PSK) but the command is 'security wpa3'.
  • The SSID broadcast must be enabled ('broadcast-ssid enable') for clients to discover it.
A.Create a new interface 'vlan30' with VLAN 30, then create a new WLAN with SSID 'CustomerNet', set security to WPA3-Personal, enable SSID broadcast, and assign the 'vlan30' interface.
B.Modify the existing GuestNet WLAN: change security to WPA3-Personal, enable SSID broadcast, and change the interface to 'guest' (VLAN 20).
C.Create a new WLAN with SSID 'CustomerNet', set security to WPA2-PSK, enable SSID broadcast, and assign the 'guest' interface (VLAN 20).
D.Modify the GuestNet WLAN: change security to WPA3-Personal, keep SSID broadcast disabled, and change the interface to a new interface mapped to VLAN 30.
AnswerA
solution
! WLC-1
config terminal
interface customer
vlan 30
ip address 192.168.30.1 255.255.255.0
exit
wlan 3
ssid CustomerNet
broadcast-ssid enable
security wpa3
security wpa akm psk set-key ascii 0 CiscoSecure123
interface customer
no shutdown
end

Why this answer

The GuestNet WLAN (ID 2) currently uses WPA2 with PSK, but clients expect WPA3-Personal. Additionally, the SSID is hidden (broadcast disabled) and the interface is set to guest (VLAN 20) instead of the required VLAN 30. To fix, create a new WLAN (or modify WLAN 2) to use WPA3-Personal, enable SSID broadcast, and assign it to a new interface mapped to VLAN 30.

Configure the interface first, then apply to the WLAN.

Exam trap

A common trap is to assume that modifying the existing WLAN is sufficient, but you must also ensure the correct VLAN interface exists and is assigned. Additionally, candidates often forget that clients cannot discover a hidden SSID (broadcast disabled), so SSID broadcast must be enabled, especially when clients are failing to associate.

Why the other options are wrong

B

The specific factual error is that the interface remains set to 'guest' (VLAN 20) instead of being changed to VLAN 30 as required.

C

The specific factual errors are using WPA2-PSK (clients expect WPA3-Personal) and assigning the wrong VLAN (20 instead of 30).

D

The specific factual error is that the SSID broadcast remains disabled, which means clients cannot see the SSID and will not attempt to associate.

717
MCQmedium

Why is a default route often called a route of last resort?

A.Because it is used only when no more specific route matches the destination.
B.Because it always has the lowest bandwidth.
C.Because it must be learned from OSPF only.
D.Because it is more specific than every other route.
AnswerA

This is correct because the default route is a fallback path.

Why this answer

Option A correctly identifies the default route as a route of last resort because it is used only when no more specific route matches the destination. Option B is incorrect because bandwidth is not a defining characteristic of a default route; it is simply a fallback path. Option C is wrong because default routes can be configured statically or learned via any routing protocol (e.g., OSPF, EIGRP, RIP), not exclusively OSPF.

Option D is false because the default route is the least specific route (0.0.0.0/0), not more specific than any other route.

Exam trap

A common exam trap is assuming the default route is learned only via OSPF or that it always has the lowest bandwidth, when in fact it is simply the least specific route used as a fallback.

Why the other options are wrong

B

Bandwidth is not a defining characteristic of a default route; the route is chosen based on prefix length and administrative distance, not bandwidth.

C

Default routes can be statically configured or learned from any routing protocol (including OSPF, EIGRP, RIP), so they are not OSPF-specific.

D

The default route (0.0.0.0/0) is the least specific route, not more specific; specificity is determined by the subnet mask length.

718
MCQhard

Based on the exhibit, which command is the best next step to verify whether the floating static route becomes active after the primary route is lost?

A.show ip route
B.show vlan brief
C.show spanning-tree
D.show power inline
AnswerA

This is correct because it directly shows whether the backup default route has been installed after the primary route disappears.

Why this answer

The best next step is to examine the routing table directly after removing or losing the primary route. In practical terms, the purpose of a floating static route is to appear when the better route disappears. The clearest way to verify that behavior is to inspect the route table for the default route after the failure condition.

This is a simulation-style verification question. It is not asking how to configure the route, but how to confirm failover actually happened.

Exam trap

A common exam trap is selecting commands unrelated to routing table verification, such as "show vlan brief" or "show spanning-tree." These commands provide information about VLAN configurations or Spanning Tree Protocol status but do not show whether a floating static route has become active. Candidates may mistakenly think these outputs indicate network failover status, but only the routing table output confirms if the backup route is installed after the primary route fails. Misunderstanding the purpose of these commands leads to incorrect answers.

Why the other options are wrong

B

'show vlan brief' shows VLAN status and port assignments but does not provide any information about routing or route failover, so it cannot verify if the floating static route is active.

C

'show spanning-tree' displays Spanning Tree Protocol information related to Layer 2 loop prevention, which is unrelated to routing table contents or route failover verification.

D

'show power inline' displays Power over Ethernet (PoE) status and power consumption on switch ports, which has no relevance to routing or verifying floating static route activation.

719
MCQhard

A network engineer notices that after issuing the no shutdown command on interface GigabitEthernet0/0 of a router, the interface remains down. The output of show interfaces GigabitEthernet0/0 displays 'GigabitEthernet0/0 is up, line protocol is down'. The physically connected switch port is also administratively down. What is the most likely cause?

A.The connected switch port is administratively down.
B.Mismatched encapsulation types on the router and switch.
C.Speed and duplex mismatch between the router and switch.
D.Incorrect native VLAN configuration on the trunk link.
AnswerA

The switch port in administratively down state causes the router's line protocol to stay down because no Layer 2 connectivity can be established.

Why this answer

The show interfaces output indicates that the router interface is physically up (Layer 1 is functional) but the line protocol is down (Layer 2 is not active). The most common cause for this specific combination is that the connected switch port is administratively down (shutdown), which prevents the switch from sending any keepalive frames or establishing a link. Since the switch port is not forwarding traffic, the router's line protocol cannot come up, even though the router interface itself is no longer in shutdown mode.

Exam trap

Cisco often tests the distinction between 'administratively down' on the local device versus the remote device; candidates may mistakenly think that issuing 'no shutdown' on the router is sufficient, overlooking that the remote switch port must also be enabled for the line protocol to come up.

Why the other options are wrong

B

Candidates often attribute line protocol down to encapsulation issues, missing the clear indication that the switch port is shut down.

C

Duplex mismatch is a common cause of interface issues, so candidates may assume it without considering the explicitly stated admin-down condition.

D

Candidates may recall VLAN mismatch as a cause for line protocol down on trunk links, forgetting that the scenario gives a clear admin-down state.

720
Drag & Drophard

Drag and drop the following steps into the correct order for an agentic AI system to remediate a network performance issue using Cisco IOS-XE CLI commands.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The agent first enters configuration mode, then diagnoses the interface, applies QoS, enables monitoring, and finally verifies the changes.

Exam trap

The trap is that candidates may confuse the order of diagnosis and action, or think monitoring should be enabled first. Remember: diagnose first, then act, then monitor, then verify.

721
PBQhard

You are connected to R1. Configure DHCP services so that hosts on VLAN 10 (192.168.10.0/24) can obtain IP addresses from R1. Additionally, configure the switch SW1 to prevent rogue DHCP server attacks on that VLAN. The current configuration has a misconfigured helper-address and an excluded-address range that is too broad.

Network Topology: Hosts -- SW1 -- R1 G0/0.10 (192.168.10.1/24)

Hints

  • The helper-address should point to the DHCP server itself, not an external address.
  • The excluded-address range is too wide; leave room for hosts to get IPs.
  • On the switch, only the port connecting to the legitimate DHCP server should be trusted.
A.On R1, change the helper-address to 192.168.10.1 and the excluded-address range to 192.168.10.1 192.168.10.10. On SW1, enable DHCP snooping globally and for VLAN 10, and set interface G0/1 as trusted.
B.On R1, change the helper-address to 192.168.10.255 and the excluded-address range to 192.168.10.1 192.168.10.10. On SW1, enable DHCP snooping globally and for VLAN 10, and set all ports as trusted.
C.On R1, change the helper-address to 192.168.10.1 and the excluded-address range to 192.168.10.1 192.168.10.254. On SW1, enable DHCP snooping globally and for VLAN 10, and set interface G0/1 as untrusted.
D.On R1, change the helper-address to 192.168.10.1 and the excluded-address range to 192.168.10.1 192.168.10.10. On SW1, enable DHCP snooping globally and for VLAN 10, and set interface G0/1 as untrusted.
AnswerA
solution
! R1
configure terminal
no ip dhcp excluded-address 192.168.10.1 192.168.10.254
ip dhcp excluded-address 192.168.10.1 192.168.10.10
interface GigabitEthernet0/0.10
no ip helper-address 10.0.0.2
ip helper-address 192.168.10.1
end

! SW1
configure terminal
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/1
ip dhcp snooping trust
interface GigabitEthernet0/2
no ip dhcp snooping limit rate 10
ip dhcp snooping limit rate 15
end

Why this answer

The helper-address on R1's subinterface points to 10.0.0.2 instead of the DHCP server's IP (R1 itself, which is the server). The excluded-address range excludes all addresses in the subnet, preventing any host from getting an IP. The fix: change helper-address to 192.168.10.1 (loopback or interface IP of R1), and narrow the excluded range to the first 10 addresses (or just the gateway).

On SW1, enable DHCP snooping globally and for VLAN 10, and mark the port facing R1 (G0/1) as trusted; other ports should be untrusted to block rogue servers.

Exam trap

Watch out for two common traps: (1) The helper-address must be the DHCP server's unicast IP, not a broadcast address. (2) DHCP snooping trusted ports are for server connections; untrusted ports are for clients. Misplacing these will break DHCP or security.

Why the other options are wrong

B

The helper-address must be a unicast IP address of the DHCP server, not a broadcast address. Additionally, only ports connected to legitimate DHCP servers should be trusted; all other ports must be untrusted to block rogue servers.

C

The excluded-address range should only reserve a few addresses (e.g., for the gateway and static assignments), not the entire subnet. The port connected to the DHCP server must be trusted to allow DHCP server messages; untrusted ports block such messages.

D

DHCP snooping requires that ports connected to legitimate DHCP servers be configured as trusted. Untrusted ports are for client-facing ports where rogue servers might appear; they drop DHCP server messages.
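The DHCP snooping behaviour configured on SW1 above (trusted uplink, untrusted client ports, per-port rate limit), as an added simulation that is not Cisco code and not part of the original question. The frames and MAC addresses are constructed sample data; port names follow the question.

```python
"""DHCP snooping decision logic, as an added simulation of the SW1 policy in question 721.

This is not Cisco code and does not parse real DHCP packets: each constructed frame is
a dict carrying only the fields the feature inspects. Port names follow the question
(G0/1 = trusted uplink towards R1, G0/2 and G0/3 = untrusted client ports).
"""
from collections import defaultdict

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class DhcpSnooping:
    def __init__(self, snooping_vlans, trusted_ports, rate_limits):
        self.vlans = set(snooping_vlans)       # ip dhcp snooping vlan 10
        self.trusted = set(trusted_ports)      # ip dhcp snooping trust
        self.rate_limits = dict(rate_limits)   # ip dhcp snooping limit rate <pps>
        self.counts = defaultdict(int)         # (port, second) -> packets seen
        self.pending = {}                      # client MAC -> port of its last REQUEST
        self.bindings = {}                     # client MAC -> (ip, vlan, client port)
        self.err_disabled = set()

    def process(self, frame):
        """Return 'forward' or 'drop:<reason>' for one frame, updating state."""
        port, vlan, msg = frame["port"], frame["vlan"], frame["msg"]
        if vlan not in self.vlans:
            return "forward"                   # VLAN not snooped: no inspection at all
        if port in self.err_disabled:
            return "drop:err-disabled"
        # The per-port rate limit counts every DHCP packet on the port.
        key = (port, frame["second"])
        self.counts[key] += 1
        limit = self.rate_limits.get(port)
        if limit is not None and self.counts[key] > limit:
            self.err_disabled.add(port)        # the switch err-disables the port
            return "drop:rate-limit-exceeded"
        if port in self.trusted:
            # Server replies are accepted only here; an ACK creates a binding entry
            # for the client whose REQUEST was seen on an untrusted port.
            if msg == "ACK" and frame["chaddr"] in self.pending:
                self.bindings[frame["chaddr"]] = (
                    frame["yiaddr"], vlan, self.pending[frame["chaddr"]])
            return "forward"
        # Untrusted port checks
        if msg in SERVER_MESSAGES:
            return "drop:server-message-on-untrusted-port"   # rogue server blocked
        if frame["src_mac"] != frame["chaddr"]:
            return "drop:src-mac-chaddr-mismatch"           # MAC address verification
        if msg in ("RELEASE", "DECLINE"):
            binding = self.bindings.get(frame["chaddr"])
            if binding is None or binding[2] != port:
                return "drop:release-without-matching-binding"
        if msg == "REQUEST":
            self.pending[frame["chaddr"]] = port
        return "forward"


def frame(port, msg, src_mac, chaddr, second=0, yiaddr=None, vlan=10):
    """Build one constructed frame dict (sample data, not a captured packet)."""
    return {"port": port, "vlan": vlan, "msg": msg, "src_mac": src_mac,
            "chaddr": chaddr, "second": second, "yiaddr": yiaddr}


def run_sample():
    """Replay a constructed exchange through the question's SW1 policy."""
    sw1 = DhcpSnooping(snooping_vlans={10}, trusted_ports={"G0/1"},
                       rate_limits={"G0/2": 15, "G0/3": 15})
    client = "aa:aa:aa:aa:aa:01"
    server = "00:00:0c:00:00:01"   # R1, reached via trusted G0/1 (constructed MAC)
    rogue = "de:ad:be:ef:00:01"    # a host on untrusted G0/3 answering DHCP
    frames = [
        frame("G0/2", "DISCOVER", client, client),
        frame("G0/3", "OFFER", rogue, client),                 # rogue offer
        frame("G0/1", "OFFER", server, client),                # legitimate offer
        frame("G0/2", "REQUEST", client, client),
        frame("G0/1", "ACK", server, client, yiaddr="192.168.10.50"),
        frame("G0/2", "DISCOVER", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"),
        frame("G0/3", "RELEASE", client, client),              # spoofed release
        frame("G0/2", "RELEASE", client, client),              # genuine release
    ]
    # A burst of 16 DISCOVERs in one second on G0/2 exceeds the 15 pps limit.
    frames += [frame("G0/2", "DISCOVER", client, client, second=5) for _ in range(16)]
    frames.append(frame("G0/2", "DISCOVER", client, client, second=6))
    verdicts = [sw1.process(f) for f in frames]
    return verdicts, sw1


if __name__ == "__main__":
    for i, v in enumerate(run_sample()[0]):
        print(i, v)
```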

722
Drag & Dropmedium

Drag and drop the following steps into the correct order to explicitly configure OSPFv3 for IPv6 on a Cisco IOS-XE router, assuming no OSPFv3 routing process exists beforehand.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

To configure OSPFv3, first globally enable IPv6 unicast routing (A). Next, create the OSPFv3 routing process (C) so that it is defined before interfaces try to use it. Then, configure OSPFv3 on the relevant interfaces (B) to activate routing.

Finally, verify the OSPFv3 adjacency (D) to confirm neighbors are formed. This sequence avoids automatic process creation and ensures all steps are explicitly controlled.

Exam trap

Cisco exams often test the order of configuration steps. A common trap is to think that OSPFv3 interface configuration comes before creating the OSPFv3 process, or that verification can be done early. Remember that global IPv6 routing must be enabled first, as OSPFv3 depends on it.

723
PBQhard

You are managing a Cisco WLC (WLC-1) with IP 10.10.10.10. A wireless client reports it can see the SSID 'CorpNet' but fails to associate. The SSID is configured for WPA3, but the client only supports WPA2. Additionally, the WLAN is mapped to VLAN 100, but the AP is on VLAN 10, causing a mismatch. Your task: reconfigure the WLAN to use WPA2-PSK with AES encryption, correct the VLAN assignment to 10, and ensure the SSID is hidden. Also, verify that management access via the WLC web UI is restricted to the 192.168.1.0/24 subnet.

Network Topology: Client -- AP -- WLC-1

Hints

  • The client cannot join because WPA3 is required but the client only supports WPA2.
  • The WLAN is on VLAN 100, but the AP is on VLAN 10 — this mismatch prevents client traffic from being properly bridged.
  • Management access is open to all; restrict it to the subnet that contains your admin workstation.
A.Change security to WPA2-PSK with AES, disable PMF, map WLAN to management interface (VLAN 10), disable SSID broadcast, restrict HTTP/HTTPS access to 192.168.1.0/24.
B.Change security to WPA2-PSK with TKIP, enable PMF, map WLAN to VLAN 100, enable SSID broadcast, restrict HTTP access to 192.168.1.0/24.
C.Change security to WPA3-PSK with AES, disable PMF, map WLAN to VLAN 10, disable SSID broadcast, restrict HTTP/HTTPS access to 10.10.10.0/24.
D.Change security to WPA2-PSK with AES, enable PMF, map WLAN to VLAN 10, enable SSID broadcast, restrict HTTP/HTTPS access to 192.168.1.0/24.
AnswerA
solution
! WLC-1
config wlan 1
no security wpa3
security wpa2
security wpa2 akm psk
security wpa2 encryption aes
no security wpa3 pmf
interface VLAN10
no broadcast-ssid
end
config management
management http subnet 192.168.1.0 255.255.255.0
management https subnet 192.168.1.0 255.255.255.0
end

Why this answer

The client cannot associate because the WLAN requires WPA3 (PMF required) but the client only supports WPA2. Also, the WLAN is mapped to VLAN 100, but the AP is on VLAN 10, causing a VLAN mismatch that prevents client traffic from reaching the correct subnet. The SSID is broadcast (visible), and management access is open to all subnets.

To fix: change the WLAN security to WPA2-PSK with AES, disable PMF, map the WLAN to the management interface (VLAN 10), disable SSID broadcast, and restrict HTTP/HTTPS access to subnet 192.168.1.0/24.

Exam trap

The exam trap is that candidates may overlook the VLAN mismatch or the requirement to disable PMF when switching from WPA3 to WPA2. Also, they might forget to restrict both HTTP and HTTPS, or confuse the management subnet with the WLC IP address. Always verify client capabilities and VLAN assignments.

Why the other options are wrong

B

The specific factual error: TKIP is deprecated and not used with WPA2-PSK; PMF must be disabled for WPA2-only clients; VLAN 100 is incorrect; SSID broadcast should be disabled; HTTPS access must also be restricted.

C

The specific factual error: WPA3-PSK requires PMF and is incompatible with WPA2-only clients; the allowed subnet for management is 192.168.1.0/24, not 10.10.10.0/24.

D

The specific factual error: PMF is not supported by all WPA2 clients and can cause association issues; SSID broadcast should be disabled to hide the SSID.

724
MCQhard

A network engineer notices that hosts in the 192.168.2.0/24 network connected to router R1's GigabitEthernet0/1 interface cannot reach the Internet. R1 has a standard ACL 10 configured as 'access-list 10 permit 192.168.1.0 0.0.0.255' and applied inbound on interface GigabitEthernet0/0, which connects to the 192.168.1.0/24 LAN. What is the most likely cause?

A.The implicit deny at the end of ACL 10 is blocking all outbound traffic from the 192.168.2.0/24 network.
B.The ACL is filtering return traffic from the Internet that enters G0/0, because it is applied inbound on that interface instead of outbound.
C.The router is not performing inter-VLAN routing between the 192.168.1.0 and 192.168.2.0 networks.
D.The ACL is missing a permit statement for the 192.168.2.0/24 network to allow traffic from that subnet.
AnswerB

Inbound ACLs on G0/0 inspect packets arriving from the Internet. The ACL permits only source 192.168.1.0/24, so return packets from Internet hosts, whose source IPs fall outside that range, are denied by the implicit deny, breaking connectivity for 192.168.2.0/24 hosts.

Why this answer

The ACL 10 is applied inbound on the G0/0 interface that faces the 192.168.1.0/24 LAN and the Internet. Inbound ACLs on that interface examine packets entering the router on G0/0, such as return traffic from the Internet. Since the ACL permits only source IPs from 192.168.1.0/24, all return traffic from the Internet destined for 192.168.2.0/24 hosts is denied by the implicit deny.

This blocks replies, preventing connectivity. The ACL direction is incorrect for filtering egress traffic; an outbound ACL would be needed to filter packets leaving G0/0, and even then the source would still be denied unless explicitly permitted.

Exam trap

Many candidates assume that adding a permit statement for the 192.168.2.0/24 source subnet would fix the issue, overlooking that the ACL direction determines which traffic is inspected. The ACL is applied inbound on the LAN-facing interface, which filters packets entering the router from that interface, not packets exiting it.

Why the other options are wrong

A

Misunderstanding of ACL direction leads candidates to think that the implicit deny blocks any traffic leaving the interface.

C

Confusing ACL filtering with routing functionality; ACLs do not prevent the router from routing between connected subnets unless they explicitly deny the traffic on the appropriate interface and direction.

D

Candidates often try to add a permit for the source subnet of the initiating traffic, neglecting the direction of the ACL. Because the ACL is inbound on the egress interface, outbound traffic is not filtered.

725
PBQhard

You are connected to R1. The link between R1's GigabitEthernet0/0 and R2's GigabitEthernet0/0 should operate at 1 Gbps full duplex, but the interface is showing errors and only negotiating at 100 Mbps half duplex. Diagnose and fix the fault, then verify the link is stable at the correct speed and duplex.

Network Topology: R1 Gi0/0 (10.1.1.1/30) -- Cat6 cable -- R2 Gi0/0 (10.1.1.2/30)

Hints

  • The interface is manually forced to 100 Mbps half duplex; check the duplex and speed configuration.
  • Auto-negotiation requires both 'duplex' and 'speed' to be in default (no explicit command).
  • CRC errors indicate a duplex mismatch; R2 is likely set to auto-negotiate.
A.Remove the manual speed and duplex settings on R1's GigabitEthernet0/0 with 'no speed' and 'no duplex' to allow auto-negotiation.
B.Change the duplex setting to 'full' and speed to '1000' on R1's GigabitEthernet0/0.
C.Replace the cable between R1 and R2 with a crossover cable.
D.Configure R2's GigabitEthernet0/0 with 'speed 100' and 'duplex half' to match R1's settings.
AnswerA
solution
! R1
enable
configure terminal
interface gigabitEthernet 0/0
no duplex
no speed
end
copy running-config startup-config

Why this answer

The interface was manually configured with 'duplex half' and 'speed 100', which forced the link to 100 Mbps half duplex, causing CRC errors due to duplex mismatch. The correct fix is to remove these manual settings and allow auto-negotiation, or explicitly set both sides to 'speed 1000' and 'duplex full'. Since the remote side (R2) is set to auto (default), the simplest correction is to use 'no duplex' and 'no speed' on R1 to re-enable auto-negotiation.

After the commands are applied, the interface should show 'Full-duplex, 1000Mb/s' and CRC errors should stop incrementing.

Exam trap

The exam trap is that candidates may think manually setting the correct speed and duplex is always the best approach, but they must consider the remote device's configuration. Auto-negotiation is the default and preferred method for Gigabit Ethernet; manual settings should be used consistently on both ends.

Why the other options are wrong

B

The specific factual error is that manually setting speed and duplex on one side while the other side is set to auto can lead to a mismatch; auto-negotiation is required for proper link establishment.

C

The specific factual error is that Auto-MDIX eliminates the need for crossover cables on modern interfaces; cable type is not the cause of the problem.

D

The specific factual error is that matching the incorrect settings does not achieve the desired speed and duplex; it only prevents errors at a lower performance level.

726
MCQhard

You are verifying OSPF operation on router R1. After confirming that OSPF is configured on the correct interfaces, which command should you use next to directly check whether R1 has established a neighbor adjacency with another OSPF router?

A.show ip ospf neighbor
B.show vlan brief
C.show spanning-tree
D.show mac address-table
AnswerA

This is correct because it directly shows OSPF adjacency and neighbor state.

Why this answer

The command show ip ospf neighbor directly displays the OSPF neighbor table, showing whether an adjacency has formed, the neighbor's Router ID, and the current state (e.g., FULL). This is the quickest verification step after confirming configurations. The other commands are unrelated to OSPF: show vlan brief displays VLAN assignments, show spanning-tree shows STP topology, and show mac address-table shows the MAC address table.

None of these provide any OSPF neighbor information and would only delay troubleshooting.

Exam trap

Avoid confusing route visibility with neighbor status; they are related but distinct concepts.

Why the other options are wrong

B

Displays VLAN port membership; irrelevant to OSPF verification.

C

Shows STP topology; does not provide OSPF neighbor status.

D

Displays the switch's MAC address table; no OSPF information.

727
MCQmedium

Exhibit: R1 can ping 10.1.23.2 but cannot ping 192.168.3.10 behind R3. The routing table on R1 lacks 192.168.3.0/24. What is the best next check?

A.Verify whether the remote LAN is being advertised into the routing process
B.Replace the Ethernet cable between R1 and R2
C.Change the OSPF router ID on R1 immediately
D.Disable CEF so the route can be learned
AnswerA

That is the most direct next troubleshooting step.

Why this answer

Because the directly connected next router is reachable, the problem is likely missing routing information for the remote LAN. The best next check is whether R3 is advertising 192.168.3.0/24 or whether that network is present in the routing domain at all.

Exam trap

A frequent exam trap is to confuse physical connectivity with routing issues. Because R1 can ping 10.1.23.2 (likely the next-hop router), candidates might mistakenly try to fix cables or interfaces instead of checking routing advertisements. Another trap is to focus on router ID changes or disabling features like CEF, which do not affect route learning.

The key mistake is ignoring the routing table contents and assuming that reachability to the next-hop router guarantees full path reachability. This leads to wasted time and incorrect troubleshooting steps.

Why the other options are wrong

B

Replacing the Ethernet cable between R1 and R2 is unnecessary because R1 can already ping 10.1.23.2, indicating that the physical link and Layer 3 connectivity to the next-hop router are functioning correctly.

C

Changing the OSPF router ID on R1 is irrelevant here because the problem is not related to router ID conflicts or OSPF neighbor relationships but to missing route advertisements for the remote LAN.

D

Disabling CEF (Cisco Express Forwarding) will not help because CEF does not prevent routes from being learned or advertised; it only affects packet forwarding efficiency, so this option does not address the root cause.

728
Multi-Selectmedium

Which three of the following are true regarding the forwarding decision process in a router? (Choose three.)

Select 3 answers
A.The router performs a recursive route lookup if the next-hop address in a static route is not directly connected.
B.The router uses the Forwarding Information Base (FIB) for fast packet switching in CEF mode.
C.When a packet arrives, the router first checks the routing table for the best match.
D.The router always performs an ARP request for every destination IP address in a packet.
E.If the destination IP is on the same subnet as an interface, the router forwards the packet directly without checking the routing table.
F.The router rewrites the source MAC address to the MAC address of the next-hop router for every forwarded packet.

Why this answer

A router performs a recursive route lookup when the next-hop address in a static route is not directly connected, meaning the router must find a route to that next-hop address before forwarding. The Forwarding Information Base (FIB) is used in Cisco Express Forwarding (CEF) mode to provide fast, hardware-based packet switching by pre-populating the forwarding table from the routing table. When a packet arrives, the router first checks the routing table (RIB) for the best matching route, which is the longest prefix match, to determine the next-hop and outgoing interface.

Exam trap

Cisco often tests the misconception that a router performs an ARP request for every destination IP, or that it skips the routing table for directly connected subnets. In reality the routing table is always consulted first, and ARP is used only to resolve the next-hop address (or the destination itself, when it lies on the outgoing interface's subnet).

729
Multi-Selectmedium

Which two statements accurately describe longest-prefix match?

Select 2 answers
A.The most specific matching route is preferred over broader matching routes.
B.A /24 is more specific than a /16.
C.The default route is always preferred over a matching specific route.
D.Administrative distance replaces the need for longest-prefix match.
E.A /16 is more specific than a /24.
Answers: A, B

This is correct because specificity is the core rule in longest-prefix match.

Why this answer

Longest-prefix match means the router prefers the most specific route that matches the destination. In plain language, if several routes could all work, the router chooses the one that describes the destination range most precisely. That is why a /25 wins over a /24, and a /24 wins over a /16, when all of them match the same destination.

This is a foundational routing rule. The wrong answers usually confuse route specificity with route-source trust or assume the default route is considered first. The two correct answers are the ones that keep the focus on specificity.

Exam trap

A frequent exam trap is assuming that the default route (0.0.0.0/0) is preferred over more specific routes. Many candidates mistakenly believe the default route is always the first choice, but in reality, it is the least specific and only used when no other matching route exists. Another trap is confusing administrative distance with longest-prefix match; administrative distance only applies when choosing between routes learned from different sources, not when selecting the most specific prefix.

Misunderstanding these concepts can lead to incorrect answers about routing behavior in Cisco devices.

Why the other options are wrong

C

Option C is incorrect because the default route is the least specific and is only used when no other matching route exists, not preferred over specific routes.

D

Option D is incorrect as administrative distance is a separate concept used to select between routes from different protocols, not to replace longest-prefix match.

E

Option E is incorrect because a /16 is less specific than a /24; the longer the prefix length, the more specific the route.
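The forwarding decision of question 728 and the longest-prefix rule of question 729, as an added example that is not part of the question bank: a small routing table is constructed for the demo, the lookup chooses by prefix length only, the recursive lookup follows next hops until a connected prefix is reached, and administrative distance is applied only when two routes for the same prefix compete.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str          # next-hop IP, or "connected" for directly attached prefixes
    admin_distance: int    # used by install_route(); ignored by the lookup
    source: str


def make_route(prefix, next_hop, admin_distance, source):
    return Route(ipaddress.ip_network(prefix), next_hop, admin_distance, source)


# Constructed RIB for the demo (documentation and private address ranges).
RIB = [
    make_route("0.0.0.0/0",      "203.0.113.1", 1,   "static default"),
    make_route("203.0.113.0/30", "connected",   0,   "connected"),
    make_route("10.1.0.0/16",    "10.1.23.2",   110, "OSPF"),
    make_route("10.1.23.0/24",   "connected",   0,   "connected"),
    make_route("10.1.23.128/25", "192.0.2.9",   1,   "static"),
    make_route("192.0.2.8/30",   "connected",   0,   "connected"),
]


def longest_prefix_match(rib, dest):
    """Return the most specific route whose prefix contains dest, or None.

    Only prefix length decides: the /0 default matches everything and is
    picked last, and a /25 with AD 1 still beats a connected /24 with AD 0.
    """
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in rib if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def resolve_next_hop(rib, dest, max_depth=8):
    """Recursive lookup: follow next hops until a connected prefix is reached.

    Returns (chain_of_next_hops, final_connected_route). A static route whose
    next hop is not on a directly attached subnet needs this extra lookup
    before the egress interface is known; max_depth guards against loops.
    """
    chain = []
    route = longest_prefix_match(rib, dest)
    while route is not None and route.next_hop != "connected" and max_depth > 0:
        chain.append(route.next_hop)
        route = longest_prefix_match(rib, route.next_hop)
        max_depth -= 1
    return chain, route


def install_route(rib, new):
    """Add a route, letting administrative distance decide only between
    candidates for the *same* prefix: the lower AD is installed and the other
    is rejected. This is the separate step the exam trap warns not to confuse
    with longest-prefix match. Returns True if the route was installed."""
    same = [r for r in rib if r.prefix == new.prefix]
    if same and min(r.admin_distance for r in same) <= new.admin_distance:
        return False   # a route with equal or lower AD already covers this prefix
    rib[:] = [r for r in rib if r.prefix != new.prefix] + [new]
    return True


if __name__ == "__main__":
    for d in ("10.1.23.200", "10.1.23.5", "10.1.99.1", "8.8.8.8"):
        first = longest_prefix_match(RIB, d)
        chain, final = resolve_next_hop(RIB, d)
        print(f"{d:>12} -> {first.prefix} ({first.source}); "
              f"recursive hops {chain}; egress prefix {final.prefix}")
```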

730
Matchingmedium

Match each automation term to the best description.


Data modeling language for structured network data

Lightweight text format for structured data exchange

Programmatic interface exposed by a system

Credential presented to authenticate or authorize a request

Why these pairings

YANG is a data modeling language used to define data structures and configuration models for network devices. JSON is a lightweight text format for storing and exchanging structured data. An API is a programmatic interface that allows applications to communicate with a system.

A Token is a credential used for authentication or authorization when making API requests.

Exam trap

Don't confuse YANG with JSON or XML; YANG is a modeling language, not a data format.

731
Multi-Selectmedium

Which THREE of the following best describe how agentic AI is used in network automation, specifically regarding AI agents, tool-calling, and closed-loop remediation workflows?

Select 3 answers
A.AI agents can autonomously decide which network troubleshooting steps to perform and invoke appropriate tools via APIs.
B.AI agents only monitor network traffic and alert humans for any remediation actions.
C.Tool-calling in agentic AI allows the agent to execute network commands or scripts to collect data and implement changes.
D.A closed-loop remediation workflow continuously monitors network state, detects anomalies, triggers an AI agent to diagnose, and applies corrective actions automatically.
E.Closed-loop remediation always requires a human to approve each corrective action before it is executed.
Answers: A, C, D

This is a key feature of agentic AI: agents use reasoning to select and call tools (e.g., show commands, configuration APIs) to gather data or make changes.

Why this answer

Options A, C, and D are correct because agentic AI in network automation involves autonomous decision-making (A), tool-calling to execute network commands or gather data (C), and closed-loop remediation that continuously monitors, diagnoses, and applies fixes automatically (D). Options B and E are incorrect because they contradict the autonomous nature of agentic AI: B describes a passive monitoring system with human-only remediation, and E states that closed-loop remediation always requires human approval, which is not true for full closed-loop automation.

Exam trap

Cisco often tests the distinction between passive monitoring and active autonomous remediation; the trap here is that candidates may confuse agentic AI with simple alerting systems, forgetting that agentic AI must include decision-making and tool execution, not just notification.

Why the other options are wrong

B

This option describes traditional monitoring systems that only alert humans, not agentic AI which takes autonomous actions. Agentic AI agents do not just alert; they actively diagnose and remediate issues.

E

Closed-loop remediation implies full automation without manual approval; requiring human approval breaks the loop and defeats the purpose of autonomous remediation. The workflow is designed to act automatically.

732
Multi-Selectmedium

Which four of the following are characteristics or configuration requirements of NTP client/server operation in a secure enterprise network? (Choose all that apply. There are four correct answers.)

Select 4 answers
A.An NTP client can synchronize time with multiple NTP servers for redundancy.
B.NTP uses UDP port 123 for communication between clients and servers.
C.NTP authentication can be used to verify that time updates come from a trusted source.
D.The NTP server must be in the same subnet as the NTP client to synchronize.
E.NTP stratum levels indicate the distance from the reference clock; a lower stratum number is more accurate.
F.A Cisco device configured as an NTP server will automatically become the stratum 1 server for all clients.

Why this answer

NTP clients can synchronize with multiple servers to provide redundancy and improve accuracy through algorithms like Marzullo's algorithm. NTP uses UDP port 123 for all communication, as specified in RFC 5905. NTP authentication (symmetric keys used to compute MD5 message digests) ensures that time updates originate from a trusted source, preventing spoofing attacks.

The stratum level indicates the distance from the primary reference clock; a lower stratum number (e.g., 1) is closer to the authoritative time source and thus more accurate.

Exam trap

Cisco often tests the misconception that NTP requires same-subnet connectivity or that a Cisco router can automatically become stratum 1, when in fact NTP works across routed networks and stratum 1 requires a dedicated reference clock.

733
Matchingmedium

Drag and drop the PDU names on the left to the correct OSI model layers on the right.


Application Layer (Layer 7)

Transport Layer (Layer 4)

Network Layer (Layer 3)

Data Link Layer (Layer 2)

Physical Layer (Layer 1)

Why these pairings

In the OSI model, each layer processes a specific Protocol Data Unit (PDU): Data is the term for application information at Layer 7, a segment is the Transport layer (Layer 4) PDU, a packet belongs to the Network layer (Layer 3), a frame is the Data Link layer (Layer 2) PDU, and bits are transmitted at the Physical layer (Layer 1). This pairing follows the standard OSI terminology without involving other layers.

Exam trap

Be careful not to swap the PDU names for Transport (segment) and Network (packet). Also, remember that 'Message' is the Application layer PDU, not 'Data'.

734
MCQhard

A network technician is troubleshooting a router-on-a-stick configuration. R1 has sub-interface G0/0.10 with encapsulation dot1q 10 and IP 192.168.10.1/24, and sub-interface G0/0.20 with encapsulation dot1q 20 and IP 192.168.20.1/24. Hosts in VLAN 10 cannot reach hosts in VLAN 20. The physical interface G0/0 is up and no shutdown. Both sub-interfaces show up/up. What should the technician do next?

A.Verify the switch port connected to R1 is configured as a trunk and allows VLANs 10 and 20.
B.Verify the encapsulation dot1Q numbers on the sub-interfaces match the VLAN assignments.
C.Verify the default gateway settings on hosts in VLANs 10 and 20.
D.Check the physical interface G0/0 for interface errors or duplex mismatches.
Answer: A

This directly addresses the most probable cause: a missing or misconfigured trunk on the switch side. Even with router sub-interfaces up/up, the link must be a trunk carrying the correct VLANs for inter-VLAN routing to function.

Why this answer

The router's sub-interfaces being 'up/up' only confirms the physical link and Layer 2 protocol (using the native VLAN untagged, often VLAN 1) are active. It does not prove that the switch port is a trunk, nor that VLANs 10 and 20 are allowed across the link. Without a properly configured trunk, tagged frames for those VLANs will not traverse.

Verifying the switch port trunk configuration and allowed VLANs is the most logical next step to resolve inter-VLAN communication at Layer 2 before investigating Layer 3 settings.

Exam trap

The trap is option C, verifying the default gateway on hosts: candidates often skip the trunk verification and assume the router's configuration is correct because the sub-interfaces are up. However, 'up/up' status does not guarantee that VLAN-tagged traffic can pass; it only indicates a working physical link and line protocol on the native VLAN.

Why the other options are wrong

B

Candidates may think the encapsulation numbers might be swapped, but the stem confirms they are correctly assigned to the respective VLAN IDs.

C

Many candidates jump to end-host configuration, assuming the router is fully reachable because interfaces are up/up, but the trunk is the prerequisite for any communication between VLANs.

D

Candidates might think any communication loss warrants a physical layer check, but here the symptoms point strongly toward a Layer 2 trunking issue.

735
Matchingmedium

Match the network management function to its primary purpose.


Sends event and log messages to a logging server

Synchronizes device clocks

Provides a framework for monitoring and management information exchange

Transfers files such as configurations or IOS images without strong built-in security

Why these pairings

Syslog is used to send event and log messages to a logging server for centralized monitoring. NTP synchronizes device clocks to ensure consistent timestamps across the network. SNMP provides a framework for monitoring and exchanging management information between network devices and management systems.

TFTP transfers files such as configurations or IOS images but lacks strong built-in security, making it suitable for simple file transfers in controlled environments. The other protocols (NetFlow, RADIUS) are not part of this matching exercise.

Exam trap

Cisco exams often test the specific purposes of these tools—avoid confusing TFTP with more secure file transfer protocols (SCP/FTP) or mixing up Syslog (logging) with SNMP (monitoring).

736
PBQhard

You are connected to R1. The network currently uses a static default route pointing to ISP1 (198.51.100.1) via GigabitEthernet0/0. However, the backup link to ISP2 (203.0.113.1) via Serial0/0/0 has a floating static default route with an administrative distance of 130. The backup route is not taking over when the primary link fails. Configure the floating static route correctly so that it becomes active when the primary route is lost, and verify that the routing table shows the backup default route with the appropriate next-hop.

Network Topology
R1 G0/0 198.51.100.2/30 to ISP1 198.51.100.1; R1 S0/0/0 203.0.113.2/30 to ISP2 203.0.113.1

Hints

  • Examine the primary static route configuration for any unusual keywords.
  • A static route with the 'permanent' keyword remains in the routing table even if the interface goes down.
  • The floating static route has a higher AD (130) so it will only be used when the primary route is absent.
A.Remove the primary static route and reconfigure it without the 'permanent' keyword, then verify the backup route appears in the routing table.
B.Change the administrative distance of the floating static route to 1 so it is preferred over the primary route.
C.Add the 'permanent' keyword to the floating static route to ensure it remains in the routing table.
D.Configure a static route with a next-hop of 203.0.113.1 and an administrative distance of 130, but also add the 'track' command to monitor the primary link.
Answer: A
solution
! R1
conf t
no ip route 0.0.0.0 0.0.0.0 198.51.100.1 permanent
ip route 0.0.0.0 0.0.0.0 198.51.100.1
end

Why this answer

The primary static default route was configured with the 'permanent' keyword, which keeps the route in the routing table even when the GigabitEthernet0/0 interface goes down. This prevents the floating static route (AD 130) from becoming active. The solution is to remove the primary route (no ip route 0.0.0.0 0.0.0.0 198.51.100.1 permanent) and reconfigure it without the 'permanent' keyword.

After that, when the primary link fails, the route is removed, and the backup route (AD 130) enters the routing table. Option A is correct. Option B would make the backup preferred over the primary, which is not the intended behavior.

Option C (adding 'permanent' to the backup) would not help: the backup route is already a valid candidate, and 'permanent' only pins a route in the table when its own interface is down. Option D (track) is an alternative design but not the configuration required here.

Exam trap

Be careful: The 'permanent' keyword on a static route keeps it in the routing table even if the interface is down. This can prevent floating static routes from becoming active. Always check for 'permanent' when troubleshooting backup route issues.

Why the other options are wrong

B

Administrative distance determines route preference, and a lower AD is preferred. Setting the backup to AD 1 would make it the primary route, not a backup.

C

The 'permanent' keyword prevents route removal when the interface goes down, which is not the solution here. The backup route needs to become active when the primary fails, not be forced to stay.

D

The track command conditionally removes a static route based on reachability, but it is not necessary once the primary route is configured without 'permanent'. The existing backup route works as soon as the primary route is removed.

737
MCQhard

Based on the exhibit, what is the most likely reason the PPP link is down?

A.The serial interfaces use different encapsulations.
B.PPP requires CAPWAP on both routers.
C.The routers must run BGP before PPP can establish.
D.Serial links can use only OSPF, not PPP.
Answer: A

This is correct because PPP on one side and HDLC on the other will prevent normal link operation.

Why this answer

The PPP link is down because the two ends are configured for different encapsulations. In practical terms, one side is using PPP and the other is using HDLC, so the devices are not speaking the same data-link protocol on the serial link. Until those encapsulations match, the link cannot come up correctly at the data-link layer.

This is a classic WAN troubleshooting pattern that fits well into simulation-style exam coverage.

Exam trap

A frequent exam trap is to assume that routing protocols such as BGP or OSPF must be configured before a PPP link can establish, or that PPP requires additional protocols like CAPWAP. This is incorrect because PPP operates at Layer 2 and must first establish the data link before any routing protocol can function. Another common mistake is to believe that serial links cannot use PPP and only support OSPF or other routing protocols, which confuses encapsulation with routing.

The key is to recognize that mismatched encapsulation protocols like PPP versus HDLC prevent the link from coming up, regardless of routing configuration.

Why the other options are wrong

B

Incorrect because CAPWAP is a wireless protocol unrelated to serial link encapsulation. PPP does not require CAPWAP for operation on serial interfaces.

C

Incorrect because routing protocols like BGP are Layer 3 protocols and do not affect the Layer 2 establishment of a PPP link. The link must be up before routing protocols can run.

D

Incorrect because serial links can use PPP encapsulation. Cisco routers default to HDLC, but PPP is a supported and common WAN encapsulation protocol.

738
PBQhard

You are connected to R1 via the console. R1's GigabitEthernet0/0 (10.0.0.1/30) connects to the ISP. GigabitEthernet0/1 (192.168.1.1/24) connects to the internal LAN. The security policy requires that only SSH traffic (TCP port 22) from the internal network (192.168.1.0/24) be permitted to reach the router itself, and all other inbound traffic to the router from internal hosts should be blocked. Additionally, the router must be hardened for SSH access: generate RSA keys of 2048 bits, set SSH version 2, enable SSH on vty lines, and disable Telnet. Currently, there is no security configuration. Configure R1 to meet these requirements.

Network Topology
R1 G0/1 192.168.1.1/24 to Internal Hosts (LAN); R1 G0/0 10.0.0.1/30 to ISP (WAN)

Hints

  • Use an extended ACL to filter traffic destined to the router itself (not through it).
  • The access-class command applies the ACL to VTY lines.
  • Generate RSA keys only after setting a domain name.
A.ip access-list extended VTY_ACL permit tcp 192.168.1.0 0.0.0.255 any eq 22 deny ip any any ! line vty 0 4 access-class VTY_ACL in transport input ssh login local ! username admin secret cisco ip domain-name example.com crypto key generate rsa modulus 2048 ip ssh version 2
B.ip access-list standard VTY_ACL permit 192.168.1.0 0.0.0.255 deny any ! line vty 0 4 access-class VTY_ACL in transport input ssh login local ! username admin secret cisco crypto key generate rsa modulus 2048 ip ssh version 2
C.ip access-list extended VTY_ACL permit tcp any any eq 22 deny ip any any ! line vty 0 4 access-class VTY_ACL in transport input ssh login local ! username admin secret cisco crypto key generate rsa modulus 2048 ip ssh version 2
D.ip access-list extended VTY_ACL permit tcp 192.168.1.0 0.0.0.255 any eq 22 deny ip any any ! line vty 0 4 access-class VTY_ACL out transport input ssh login local ! username admin secret cisco crypto key generate rsa modulus 2048 ip ssh version 2
Answer: A
solution
! R1
ip access-list extended VTY_ACL
 permit tcp 192.168.1.0 0.0.0.255 any eq 22
 deny ip any any
line vty 0 4
 access-class VTY_ACL in
 transport input ssh
 login local
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
username admin secret cisco

Why this answer

The extended ACL VTY_ACL permits SSH from the internal subnet and denies all other IP traffic. The access-class command applies it inbound to VTY lines. SSH hardening includes generating 2048-bit RSA keys, setting SSH version 2, and disabling Telnet by specifying transport input ssh.

A local username is required for SSH authentication. Note that a domain name (e.g., ip domain-name example.com) must be configured before generating RSA keys; without it, the crypto key generation fails or requires interactive input.

Exam trap

Pay attention to the direction of the access-class on VTY lines: it must be 'in' to filter incoming connections. Also, remember that standard ACLs cannot filter by port; you need an extended ACL for that. Finally, always specify the source network in the ACL to restrict access to the intended subnet.

Why the other options are wrong

B

Standard ACLs lack the ability to filter by protocol or port number, making them unsuitable for this requirement.

C

The source address in the permit statement is 'any', which allows SSH from all networks, including the ISP side, which is not desired.

D

Applying access-class outbound on VTY lines would filter traffic going out from the router to the user, which is not the intended direction for controlling who can connect to the router.
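How the VTY_ACL of this question is actually evaluated, as an added example that is not part of the question bank: a small evaluator reproduces IOS wildcard-mask matching and first-match / implicit-deny semantics, then runs constructed connection attempts through the solution's ACL, option B's standard ACL and option C's 'any'-source ACL to show which attempts each one lets through.

```python
import ipaddress

# Constructed ACLs: the VTY_ACL from the solution, option B's standard ACL and
# option C's extended ACL with an 'any' source.
VTY_ACL = [
    "permit tcp 192.168.1.0 0.0.0.255 any eq 22",
    "deny ip any any",
]
OPTION_B_STANDARD = ["permit 192.168.1.0 0.0.0.255", "deny any"]
OPTION_C_EXTENDED = ["permit tcp any any eq 22", "deny ip any any"]

ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask semantics: 0 bit = must match, 1 bit = don't care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(tok, i):
    """Parse 'any' | 'host X' | 'NET WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_acl(lines, extended=True):
    """Turn ACE strings into (action, proto, src, dst, port) tuples.

    A standard ACL carries only a source: the protocol is implicitly 'ip' and
    no port can be expressed, which is why option B cannot meet the requirement.
    """
    aces = []
    for line in lines:
        tok = line.split()
        action = tok[0]
        if extended:
            proto = tok[1]
            src, i = _parse_addr(tok, 2)
            dst, i = _parse_addr(tok, i)
            port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        else:
            proto, port = "ip", None
            src, _ = _parse_addr(tok, 1)
            dst = ANY
        aces.append((action, proto, src, dst, port))
    return aces


def evaluate(aces, src_ip, dst_ip, proto, dst_port):
    """First matching ACE wins; falling off the end hits the implicit deny."""
    for action, p, (sb, sw), (db, dw), port in aces:
        if p != "ip" and p != proto:
            continue
        if not wildcard_match(src_ip, sb, sw) or not wildcard_match(dst_ip, db, dw):
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"


# Constructed connection attempts to the router itself:
# (description, source IP, router address targeted, protocol, destination port)
ATTEMPTS = [
    ("internal host SSH to LAN address", "192.168.1.50", "192.168.1.1", "tcp", 22),
    ("internal host Telnet",             "192.168.1.50", "192.168.1.1", "tcp", 23),
    ("ISP-side host SSH to WAN address", "10.0.0.2",     "10.0.0.1",    "tcp", 22),
    ("internal host SSH to WAN address", "192.168.1.7",  "10.0.0.1",    "tcp", 22),
]


def decisions(acl_lines, extended=True):
    """Map each constructed attempt to the ACL's verdict for it."""
    aces = parse_acl(acl_lines, extended)
    return {desc: evaluate(aces, s, d, p, port) for desc, s, d, p, port in ATTEMPTS}


if __name__ == "__main__":
    for name, acl, ext in (("VTY_ACL", VTY_ACL, True),
                           ("option B", OPTION_B_STANDARD, False),
                           ("option C", OPTION_C_EXTENDED, True)):
        print(name, decisions(acl, ext))
```

Because access-class matches the source of the incoming session, the same ACL protects every router address, including the WAN side, while 'transport input ssh' separately refuses Telnet even where the ACL would permit it.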

739
MCQhard

An engineer is deploying a new Cisco Catalyst 9300 switch in a campus wiring closet. The uplink to the distribution switch uses a 1000BASE-LX SFP module. After connecting the fiber, the interface shows 'up/up' but the engineer notices that the 'input errors' counter is incrementing rapidly, with many CRC errors, runts, and giants being reported. What is the most likely cause of these input errors?

A.Replace the SFP with a 1000BASE-SX module.
B.Check the fiber distance and ensure it is within the 5 km limit for 1000BASE-LX; if over, use a single-mode fiber extender.
C.Configure the interface with 'speed 100' and 'duplex full' to match the SFP capabilities.
D.Replace the fiber patch cable with a CAT6a copper cable and use a 1000BASE-T SFP.
Answer: B

The 1000BASE-LX SFP supports up to 5 km over single-mode fiber. If the distance exceeds this, signal attenuation causes errors. A fiber extender or different optics would be needed.

Why this answer

The 1000BASE-LX standard uses long-wavelength laser optics (1300 nm) over single-mode fiber with a maximum distance of 5 km. Exceeding this limit causes signal attenuation and dispersion, generating bit errors that corrupt the frame check sequence (FCS). Cisco IOS counts these as CRC errors.

Runts (frames shorter than 64 bytes) and giants (frames longer than 1518 bytes) also appear because the damaged frames are misinterpreted. Option B correctly identifies the distance limit as the root cause and recommends verifying it or using a fiber extender. Options A and D propose incorrect media, and option C would break the link since 1000BASE-LX operates at fixed 1000/full speed.

Exam trap

Learners often misdiagnose runts and giants as a duplex mismatch, but when CRC errors are present alongside them, the issue is a physical-layer impairment—such as excessive fiber distance—rather than a configuration error.

Why the other options are wrong

A

1000BASE-SX uses multimode fiber with a maximum 550 m distance, which is far shorter than 1000BASE-LX and would not resolve a distance issue.

C

The SFP is fixed at 1000 Mbps full-duplex; manually setting 'speed 100' and 'duplex full' would cause a speed mismatch and prevent the link from coming up.

D

Copper cabling (CAT6a) and a 1000BASE-T SFP are limited to 100 m and cannot solve a fiber distance problem.

740
PBQhard

You are connected to R1. Configure AAA with RADIUS authentication for all login methods. The RADIUS server is at 203.0.113.10 with key 'CiscoKey123'. Then troubleshoot why the 802.1X port on interface GigabitEthernet0/1 remains in unauthorized state. The port is configured for dot1x port-control auto, but authentication fails. Ensure that the AAA authentication default method uses RADIUS first, then local fallback, and that the RADIUS server is correctly reachable and configured for authentication.

Network Topology
R1 G0/0 192.0.2.1/30, link to RADIUS Server 203.0.113.10

Hints

  • The RADIUS server configuration is missing entirely.
  • AAA authentication method list must be defined to use RADIUS first.
  • Check that the RADIUS server is reachable via ping 203.0.113.10.
A.Configure RADIUS server with IP 203.0.113.10 and key 'CiscoKey123', then configure AAA authentication login default group radius local.
B.Change the interface port-control to 'force-authorized' to bypass authentication and bring the port up.
C.Configure AAA authentication login default local radius to use local authentication first, then RADIUS.
D.Add the command 'aaa new-model' and configure the RADIUS server with IP 203.0.113.10 and key 'CiscoKey123'.
Answer: A
solution
! R1
radius server RADIUS-SERVER
 address ipv4 203.0.113.10 auth-port 1812 acct-port 1813
 key CiscoKey123
 exit
aaa authentication login default group radius local

Why this answer

The issue is that AAA is only partly configured: 'aaa new-model' is present, but no RADIUS server is defined and no authentication method list references RADIUS. To fix this, configure the RADIUS server with its IP and key in a 'radius server' block, then create an AAA login default method list that uses RADIUS first with local fallback ('aaa authentication login default group radius local').

The port configuration is correct for 802.1X, but without AAA and RADIUS, authentication cannot proceed; the switch will not contact the RADIUS server, causing the port to remain unauthorized. Option D is incorrect because while 'aaa new-model' and RADIUS server configuration are necessary steps, they alone do not create an authentication method list; without 'aaa authentication login default group radius local', the RADIUS server is never referenced for login authentication.

Exam trap

Trap: Candidates often forget that configuring a RADIUS server alone is not enough; you must also create an AAA authentication method list that references RADIUS. Additionally, the order of methods in the list matters: 'radius local' means RADIUS first, local fallback; 'local radius' means local first, which would not meet the requirement.

Why the other options are wrong

D

Configuring 'aaa new-model' and a RADIUS server alone does not create an authentication method list; the AAA authentication default must explicitly reference the RADIUS server group.

741
MCQhard

Which switch security feature uses DHCP snooping bindings to validate ARP packets and help stop ARP spoofing?

A.PortFast
B.Dynamic ARP Inspection
C.UDLD
D.HSRP preemption
Answer: B

Correct. DAI is designed to mitigate ARP spoofing.

Why this answer

Dynamic ARP Inspection compares ARP information to trusted bindings, often learned through DHCP snooping, to block forged ARP packets.

Exam trap

A common exam trap is selecting PortFast, UDLD, or HSRP preemption as the answer because these features are well-known switch security or stability mechanisms. However, PortFast only speeds up STP port transitions and does not inspect ARP packets. UDLD focuses on detecting unidirectional links and does not validate ARP traffic.

HSRP preemption deals with gateway redundancy and has no role in ARP security. The key to avoiding this trap is recognizing that only Dynamic ARP Inspection uses DHCP snooping bindings to validate ARP packets and stop ARP spoofing.

Why the other options are wrong

A

PortFast is a feature that allows switch ports to bypass the usual STP listening and learning states to quickly transition to forwarding. It does not perform any ARP packet validation or security checks, so it cannot prevent ARP spoofing.

C

UDLD (Unidirectional Link Detection) is designed to detect and disable unidirectional links between switches to prevent network loops or blackholes. It does not inspect or validate ARP packets and thus does not stop ARP spoofing.

D

HSRP preemption is a feature related to first-hop redundancy protocols that allows a higher priority router to take over as the active gateway. It does not provide any ARP packet validation or protection against ARP spoofing.
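The DAI check described in this question in miniature, as an added example that is not part of the question bank: a constructed DHCP snooping binding table and a set of constructed ARP packets are run through the inspection logic, including a forged reply for the gateway address that has no binding. Trusted-port bypass and the src-mac validation mirror the feature's documented behaviour; requiring the binding's port to match the ingress port is an assumption of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str
    vlan: int
    sender_mac: str   # ARP header: sender hardware address
    sender_ip: str    # ARP header: sender protocol address
    src_mac: str      # Ethernet header: source MAC of the frame


# Constructed DHCP snooping binding table, keyed the way the lookup needs it.
BINDINGS = {
    ("0011.2233.4455", "10.10.10.50", 10): Binding("0011.2233.4455", "10.10.10.50", 10, "Gi1/0/5"),
    ("0011.2233.4466", "10.10.10.51", 10): Binding("0011.2233.4466", "10.10.10.51", 10, "Gi1/0/6"),
}

# Constructed: the uplink carrying the real gateway and the DHCP server is trusted.
TRUSTED_PORTS = {"Gi1/0/24"}


def dai_check(pkt, bindings=BINDINGS, trusted=TRUSTED_PORTS, validate_src_mac=True):
    """Return (verdict, reason) for one ARP packet.

    Trusted ports are not inspected. On untrusted ports the ARP sender
    MAC/IP pair must exist in the DHCP snooping bindings for that VLAN.
    validate_src_mac mirrors 'ip arp inspection validate src-mac', which also
    requires the Ethernet source MAC to equal the ARP sender MAC. The final
    port comparison is an assumption of this example, not documented behaviour.
    """
    if pkt.ingress_port in trusted:
        return "forward", "trusted port, not inspected"
    if validate_src_mac and pkt.src_mac.lower() != pkt.sender_mac.lower():
        return "drop", "Ethernet source MAC does not match ARP sender MAC"
    binding = bindings.get((pkt.sender_mac.lower(), pkt.sender_ip, pkt.vlan))
    if binding is None:
        return "drop", "no DHCP snooping binding for sender MAC/IP in this VLAN"
    if binding.port != pkt.ingress_port:
        return "drop", f"binding learned on {binding.port}, packet arrived on {pkt.ingress_port}"
    return "forward", "sender matches DHCP snooping binding"


# Constructed sample traffic. Packet 1 claims the gateway's IP 10.10.10.1 with a
# MAC that has no binding: the ARP spoofing case DAI exists to stop.
SAMPLE_PACKETS = [
    ArpPacket("Gi1/0/5",  10, "0011.2233.4455", "10.10.10.50", "0011.2233.4455"),  # legitimate host
    ArpPacket("Gi1/0/7",  10, "00aa.bbcc.dd01", "10.10.10.1",  "00aa.bbcc.dd01"),  # forged gateway reply
    ArpPacket("Gi1/0/24", 10, "0000.5e00.0101", "10.10.10.1",  "0000.5e00.0101"),  # real gateway, trusted uplink
    ArpPacket("Gi1/0/6",  10, "0011.2233.4466", "10.10.10.51", "0011.2233.4499"),  # src-mac mismatch
    ArpPacket("Gi1/0/9",  10, "0011.2233.4455", "10.10.10.50", "0011.2233.4455"),  # bound pair, wrong port
]


def inspect_all(packets=SAMPLE_PACKETS):
    """Verdict for every packet in order; the reasons are available from dai_check()."""
    return [dai_check(p)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, why = dai_check(p)
        print(f"{p.ingress_port:<9} {p.sender_ip:<12} {p.sender_mac}  {verdict:<7} {why}")
```

The dropped packets are exactly what the switch would count in 'show ip arp inspection' statistics, which is where a defender looks to confirm the feature is catching forged replies.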

742
Matchingmedium

Drag and drop the STP-related terms on the left to their correct descriptions on the right.


Switch with the lowest bridge ID in the topology

Port that is in forwarding state on each LAN segment

Port that provides an alternative path to the root bridge and is in blocking state

Feature that brings a port directly into forwarding state for access ports

Feature that disables a port if a BPDU is received on a PortFast-enabled port

Why these pairings

These pairings correctly match STP terms with their standard definitions as used in networking certifications.

Exam trap

Be careful not to confuse the roles: the root bridge has no root port; root ports are only on non-root switches. Also, designated ports are per segment, not per switch. Alternate ports are blocking, not forwarding.

743
MCQmedium

A network technician is troubleshooting a connectivity issue between two hosts on different subnets. During the analysis, the technician captures packets and observes that the data link layer frames are being stripped and rebuilt at each router hop. Which layer of the OSI model is responsible for encapsulating the original data into segments before transmission from the source host?

A.Network layer
B.Transport layer
C.Data Link layer
D.Application layer
Answer: B

The Transport layer (Layer 4) is responsible for segmenting upper-layer data and adding a header to create segments (TCP) or datagrams (UDP), enabling reliable or connectionless communication.

Why this answer

The Transport layer (Layer 4) is responsible for encapsulating the original data into segments. Protocols such as TCP (RFC 793) or UDP (RFC 768) add a header containing source and destination port numbers, sequence numbers, and other control information to form a segment. This segmentation occurs at the source host before the data is passed down to the Network layer for routing.

Exam trap

Cisco often tests the distinction between encapsulation layers by describing a Layer 2 behavior (frame stripping/rebuilding) in the scenario to mislead candidates into selecting the Data Link layer, when the question specifically asks about the layer that creates segments at the source host.

Why the other options are wrong

A

The Network layer (Layer 3) encapsulates segments into packets and adds logical addressing (IP addresses) for routing across networks, but it does not perform the initial segmentation of data into segments.

C

The Data Link layer (Layer 2) encapsulates packets into frames and adds physical addressing (MAC addresses) for delivery on a local network segment, but it does not perform segmentation of data into segments.

D

The Application layer (Layer 7) provides the interface for applications to generate data, but it does not perform segmentation or encapsulation into segments. Segmentation occurs at the Transport layer.

744
MCQeasy

What metric does RIP use to choose the best path?

A.Bandwidth
B.Cost
C.Hop count
D.Delay
Answer: C

Correct. RIP uses hop count.

Why this answer

RIP uses hop count as its metric. Lower hop count paths are preferred, up to the protocol maximum of 15 usable hops.

Exam trap

Don't confuse RIP's hop count metric with metrics used by other protocols like OSPF or EIGRP.

Why the other options are wrong

A

RIP does not use bandwidth as a metric; it relies solely on hop count. Bandwidth is used by EIGRP in its composite metric calculation, not by RIP.

B

Cost is the metric used by OSPF, not RIP. RIP uses hop count as its sole metric, making cost an incorrect choice for this question.

D

Delay is not a metric used by RIP; RIP only considers hop count. Delay is a component in the EIGRP composite metric, but not in RIP.

745
Matchingmedium

Match each wireless concept to its description.


The network name that clients see when identifying a wireless LAN

A wireless security standard that commonly uses AES encryption

A device that provides wireless connectivity to clients

A design in which centralized devices manage access points

Why these pairings

SSID is the Service Set Identifier, the network name that clients see when scanning for Wi-Fi. WPA2 (Wi-Fi Protected Access 2) is a wireless security standard that commonly uses AES encryption to protect traffic. An AP (Access Point) is a device that bridges wired and wireless networks, providing connectivity to clients.

A controller-based WLAN uses a centralized controller to manage configuration, roaming, and security across multiple APs.

Exam trap

The exam often tests the difference between BSS, ESS, and IBSS. Remember: BSS = one AP, ESS = multiple APs, IBSS = no AP. Also, do not confuse BSS with BSSID; BSSID is the AP's MAC address, not the network itself.

746
Matching (medium)

Match each route source or concept to its most accurate description.


Concepts
Matches

Present because the network is directly attached to an interface

Manually configured route

Dynamic route source that learns paths through the protocol

Backup static route configured with higher administrative distance

Why these pairings

These are fundamental route sources and concepts. A directly connected route appears automatically because the network is attached to an interface; a static route is configured manually; a dynamic route source learns paths through its routing protocol; and a floating static route is a backup static route configured with a higher administrative distance so it is used only when the primary route is lost.

Exam trap

Be careful not to confuse the descriptions of different route types. The question asks for the most accurate description for each route source or concept. Ensure you know the exact definitions: directly connected routes are automatic, static routes are manual, default routes are catch-all, and floating static routes are backup routes with higher AD.

747
MCQ (hard)

An IP phone connected to switch port Gi0/4 is working and receiving calls, but the PC connected to the phone's data port cannot obtain an IP address. The technician confirms that interface Gi0/4 has switchport mode access and shows switchport access vlan 10 and switchport voice vlan 100. What should the technician do next?

A.Verify the DHCP scope for VLAN 10 on the DHCP server.
B.Verify that CDP is enabled on the IP phone.
C.Verify the QoS trust state on the switch port.
D.Verify the IP phone's passthrough mode for the PC port.
Answer: D

The IP phone acts as a switch; if the phone's PC port is not configured to pass traffic untagged on the correct VLAN (passthrough mode), the PC's frames will be dropped or placed in the wrong VLAN. Checking this setting directly addresses the path from PC to switch.

Why this answer

The switch port is correctly configured with the appropriate access VLAN (10) for data and voice VLAN (100). Since the phone itself is functional, the issue is likely in how the phone tags or forwards the PC's untagged frames. The phone's internal switch must be set to passthrough mode to bridge the PC traffic onto the access VLAN.

Verifying this setting will identify if the phone is misconfigured, causing the PC to be placed in the wrong VLAN or isolated.

Exam trap

Many candidates would verify the DHCP scope for VLAN 10, mistakenly assuming the switch configuration is sufficient and the problem is a server-side issue. However, the phone itself is a layer-2 device that must be configured to pass the PC traffic correctly, making the phone's passthrough mode the most direct next step.

Why the other options are wrong

A

Assumes the switch port configuration alone guarantees proper VLAN delivery to the PC, ignoring the phone's role as a transparent bridge.

B

Confuses the mechanism for voice VLAN assignment with the requirement for data passthrough; CDP's role is only for the phone's own voice VLAN, not for the PC's data VLAN.

C

Misapplies QoS as a potential cause for a connectivity issue; it is a quality-of-service feature and does not block DHCP or initial network access.

748
PBQ (hard)

You are troubleshooting inter-VLAN routing on a router-on-a-stick setup. R1 is connected to SW1 via trunk port G0/0. VLANs 10, 20, and 30 exist on SW1, and R1 should route between them. Currently, hosts in VLAN 10 can communicate with VLAN 20 but cannot reach VLAN 30. Review the provided configuration and fix the issue.

Network Topology: R1 (G0/0) connected by a trunk link to SW1

Hints

  • Check the VLAN ID used in the encapsulation on each subinterface.
  • Compare the subinterface VLAN ID with the actual VLAN number for that subnet.
  • Use 'show interfaces trunk' on the switch to confirm which VLANs are active.
A.Change the encapsulation on subinterface G0/0.30 to dot1Q 30 and reapply the IP address.
B.Add a subinterface for native VLAN 1 on R1 and assign an IP address.
C.Enable IP routing on R1 with the 'ip routing' command.
D.Change the allowed VLAN list on the trunk to include VLAN 30.
Answer: A

Solution
! R1
interface GigabitEthernet0/0.30
no encapsulation dot1Q 100
encapsulation dot1Q 30
no ip address 192.168.30.1 255.255.255.0
ip address 192.168.30.1 255.255.255.0
end

Why this answer

The subinterface for VLAN 30 (G0/0.30) is misconfigured with encapsulation dot1Q 100 instead of dot1Q 30, so R1 cannot forward packets to VLAN 30. VLAN 20 is correctly set up, which is why VLAN 10-to-VLAN 20 pings succeed. Changing the encapsulation to dot1Q 30 and reapplying the IP address restores full inter-VLAN routing.

IP routing is enabled by default, so no additional command is needed; the native VLAN does not require a subinterface because no hosts are in that VLAN.

Exam trap

Do not confuse the subinterface number with the VLAN ID; they can be different, but the encapsulation must match the actual VLAN. Also, remember that IP routing is enabled by default on routers, and the native VLAN does not require a subinterface unless routing for that VLAN is needed.

Why the other options are wrong

B

The native VLAN is untagged on the trunk, and R1 can handle it via the physical interface if needed, but a missing subinterface for native VLAN 1 is not the cause of the issue.

C

IP routing is already enabled; the issue is a configuration error on the subinterface, not a missing global command.

D

The trunk configuration is correct; the problem is the encapsulation mismatch on the router subinterface.

749
Multi-Select (medium)

Which two statements accurately describe the role of a default gateway on an IPv4 host?

Select 2 answers
A.It is the next-hop path used for destinations outside the local subnet.
B.It is typically an IP address on the same local subnet as the host.
C.It replaces the need for a subnet mask.
D.It is the same thing as a DNS server.
E.It is used only for broadcast traffic.
Answers: A, B

Both are correct because forwarding traffic to destinations outside the local subnet, through a router reachable on that same subnet, is the core purpose of a default gateway.

Why this answer

A default gateway gives the host a next hop for traffic that is not destined for the local subnet. In plain language, it is the local router or Layer 3 interface the host uses when the destination is somewhere else. The host still needs its IP address and subnet mask to decide what is local, but once it decides something is remote, the default gateway becomes the path out.

The most common mistake is treating the default gateway like a DNS server or assuming it replaces the subnet mask. It does not. The two correct answers are the ones focused on off-subnet forwarding and the fact that the gateway must be reachable on the host’s own local network.

Exam trap

Avoid confusing the default gateway with DNS functions or thinking it replaces the subnet mask.

Why the other options are wrong

C

The subnet mask is still required for the host to determine whether a destination is local or remote. The default gateway only comes into play for remote destinations; without the subnet mask, the host cannot make that determination.

D

A DNS server resolves domain names to IP addresses, while a default gateway forwards packets to other networks. They are separate services; a host can have a default gateway without a DNS server and vice versa.

E

The default gateway is used for unicast traffic destined to other subnets, not just broadcast. Broadcast traffic is typically confined to the local subnet and does not require a gateway.

750
MCQ (medium)

Exhibit: Consider the following ACL applied inbound on interface G0/0:

access-list 100 deny ip host 10.10.10.10 any
access-list 100 deny tcp any host 10.10.10.10 eq 23
access-list 100 permit ip any any

The intent is to block only Telnet (TCP port 23) to server 10.10.10.10 while permitting everything else. However, users cannot reach any service on that server. Why?

A.The ACL must be applied outbound, not inbound
B.The deny ip statement blocks all traffic to the host before the Telnet-specific line is evaluated
C.Extended ACLs cannot match TCP port 23
D.Telnet uses UDP, so the ACE should reference udp
Answer: B

The first matching ACE wins.

Why this answer

ACLs are processed top-down, and the first matching entry is applied. The first line denies all IP traffic to the host (any protocol, any port), so every packet destined for 10.10.10.10 matches it before the Telnet-specific line is ever evaluated, blocking every service rather than just Telnet. Note also that the first line as written matches on the source host 10.10.10.10; the point the question tests is that a broad deny placed before a specific one makes the specific line unreachable.

Exam trap

A common mistake is assuming the ACL evaluates all lines before deciding to block or permit; in reality, it stops at the first match, so a broad deny earlier in the list overrides more specific denies later.

Why the other options are wrong

A

Applying the ACL outbound would not change the order in which the lines are evaluated; the same first-match logic applies, so the broad deny still blocks all traffic.

C

Extended ACLs can match TCP port 23 using the keyword 'eq telnet' or 'eq 23'; this is not a limitation.

D

Telnet uses TCP, not UDP; referencing udp would never match Telnet traffic.
