CCNA 200-301 v2 (200-301) — Questions 751-825

1819 questions total · 25 pages · All types, answers revealed


Page 11 of 25

751
PBQ · hard

You are connected via the console to SW1, a Cisco Catalyst 2960 switch. The network administrator reports that users in VLAN 10 (Sales) cannot ping the default gateway 192.168.10.1, which is on R1's GigabitEthernet0/1 interface. SW1's interface GigabitEthernet0/1 connects to R1 and is configured as an access port in VLAN 10. R1's interface GigabitEthernet0/1 is configured with IP 192.168.10.1/24 and no shutdown. However, the link between them is up but the line protocol is down on both sides.

Network Topology
SW1 G0/1 ---- link ---- G0/1 R1

Hints

  • Check the interface status on both sides for speed/duplex mismatch.
  • Use 'show interfaces' to see if there are CRC errors or runts.
  • Manually set speed and duplex to the same values on both ends.
A. Configure the switchport to use the same speed and duplex settings as the router interface.
B. Change the switchport mode to trunk to allow VLAN 10 traffic to pass to the router.
C. Assign the IP address 192.168.10.1 to the switch's VLAN 10 interface.
D. Enable CDP on both devices to verify neighbor information.
Answer: A
Solution
! R1
interface GigabitEthernet0/1
duplex full
speed 100

! SW1
interface GigabitEthernet0/1
duplex full
speed 100

Why this answer

A link that is physically up with line protocol down on both ends is a Layer 1/2 problem on the link itself, not a VLAN or IP problem: the two interfaces see a signal but cannot agree on how to frame traffic over it. With one side hard-coded and the other left to autonegotiate, or both hard-coded to different values, the ends settle on different speed or duplex settings. Hard-coding both ends to 100 Mb/s full duplex, as in the solution, removes the disagreement; returning both ends to auto would work as well, as long as they match. One caveat beyond the exam: a pure duplex mismatch usually leaves an Ethernet interface up/up, with late collisions on the half-duplex side and runts and CRC errors on the full-duplex side (which is why the hints point at those counters), whereas a speed mismatch or failed autonegotiation is what keeps the link from coming up at all.

Exam trap

Do not confuse 'line protocol down' with IP addressing or VLAN issues. The line protocol down is a Layer 1/2 problem, often caused by speed/duplex mismatch. Always check physical and data link layer first.

Why the other options are wrong

B

The problem is Layer 1/2, not VLAN tagging. A trunk is used when multiple VLANs need to traverse the link, but the line protocol down indicates a physical or data link issue.

C

SW1 is a Layer 2 switch; its VLAN 10 SVI carries management traffic and does not route user traffic. Giving it 192.168.10.1 would also duplicate R1's gateway address. The problem is at Layer 1/2, not Layer 3.

D

CDP requires the line protocol to be up to exchange information. Enabling CDP does not resolve speed/duplex mismatches.

752
Matching · medium

Match each operations or assurance technology to its most accurate purpose.


Pairings

Syslog: Centralized event and message reporting
SNMP: Monitoring and management information exchange
NetFlow: Visibility into traffic flows and conversations
NTP: Clock synchronization for consistent timing

Why these pairings

Each technology serves a specific assurance purpose: Syslog provides centralized event and message reporting, SNMP enables monitoring and management information exchange, NetFlow offers visibility into traffic flows and conversations, and NTP ensures clock synchronization for consistent timing across network devices.

Exam trap

Be careful not to confuse the functions of NetFlow (flow analysis) and IP SLA (performance measurement), or SNMP (management) and Syslog (logging). Also, remember that SPAN is for local mirroring and RSPAN for remote mirroring; the 'R' stands for remote.

753
Matching · medium

Drag and drop the network monitoring technologies on the left to their correct descriptions on the right.


Pairings

SNMPv2c: Uses community strings for authentication and supports Get/Set operations
SNMPv3: Provides authentication and encryption via User-based Security Model (USM)
NetFlow: Cisco-proprietary flow monitoring that exports flow records built from the packets it observes
IPFIX: Standardized version of NetFlow defined in RFC 7011
Model-driven (streaming) telemetry: Push-based model that continuously streams device operational data to a collector

Why these pairings

SNMPv2c keeps the community-string model of SNMPv1 and sends the string and all data in cleartext, which is why it is normally limited to read-only access and restricted with an ACL; SNMPv3's USM adds per-user authentication (HMAC) and privacy (encryption). NetFlow is Cisco's flow export, IPFIX is its IETF standardization in RFC 7011 (sometimes called NetFlow v10), and model-driven telemetry pushes YANG-modelled operational data to a collector on a schedule or on change instead of waiting to be polled.

Exam trap

Be careful not to confuse SNMP with other monitoring protocols. SNMP is for device management information (MIBs), while NetFlow is for traffic analysis, Syslog for logging, and IP SLA for performance measurement.

754
Multi-Select · medium

Which three of the following are unique characteristics of RSTP (802.1w) compared to traditional STP (802.1D)? (Choose three.)

Select 3 answers
A. RSTP provides faster convergence by actively negotiating port roles using proposal/agreement handshakes.
B. RSTP introduces new port roles: alternate port and backup port, which are discarding but ready to transition.
C. RSTP requires the use of a root bridge with a lower bridge priority than any other switch in the network.
D. RSTP edge ports transition directly to the forwarding state with no delay.
E. RSTP uses only three timer values (Hello, Max Age, Forward Delay) that must be identical across all switches.
F. RSTP eliminates the need for BPDU messages by using link-local multicast for topology changes.
Answers: A, B, D

Why this answer

RSTP (802.1w) differs from traditional STP (802.1D) in three key ways:

It uses a proposal/agreement handshake to achieve rapid convergence without waiting for timers.

It introduces alternate and backup port roles—alternate ports provide a path to the root bridge via another switch, and backup ports provide a redundant path on the same segment; both are discarding but ready to transition.

Edge ports (connected only to end hosts) move directly to the forwarding state, bypassing listening and learning.

The incorrect options fail as differences:

Option C (root bridge with lower priority) is true for both STP and RSTP, so it is not a distinguishing characteristic.

Option E (only three timers) is also true for both; RSTP uses the same three timers (Hello, Max Age, Forward Delay).

Option F (eliminates BPDUs) is false—RSTP still uses BPDUs but with the Type field set to 2 and includes a flags byte for proposal/agreement.

Exam trap

Cisco often tests the misconception that RSTP eliminates the root bridge election or changes the bridge priority requirement, when in fact the root bridge selection process is identical to 802.1D.

Why the other options are wrong

C

This is not a difference; both RSTP and STP require a root bridge with a lower bridge priority than all other switches.

E

Both RSTP and STP use the same three timers (Hello, Max Age, Forward Delay); RSTP does not reduce or eliminate them.

F

RSTP still uses BPDUs—it does not eliminate them; it enhances BPDUs with new flags for faster convergence.

755
MCQ · easy

Which OSI layer is responsible for end-to-end segmentation, port numbers, and reliability functions such as acknowledgments?

A. Network
B. Data Link
C. Transport
D. Session
Answer: C

Correct. TCP and UDP operate at the transport layer.

Why this answer

The Transport layer (Layer 4) is responsible for end-to-end segmentation, port numbers for identifying applications, and reliability functions like acknowledgments and retransmission. The Network layer (Layer 3) handles logical addressing and routing between networks. The Data Link layer (Layer 2) manages local frame delivery and error detection.

The Session layer (Layer 5) controls dialog management and synchronization, not segmentation or ports.

Exam trap

Don't confuse the Transport Layer's end-to-end functions with the Network Layer's routing or the Data Link Layer's local communication roles.

Why the other options are wrong

A

The Network layer provides logical addressing and routing, not end-to-end segmentation or port numbers.

B

The Data Link layer handles local frame delivery and error detection, not end-to-end reliability or port numbers.

D

The Session layer manages dialog control and synchronization, not segmentation, port numbers, or reliability acknowledgments.

756
MCQ · hard

A network engineer notices that an NMS at 10.1.1.200 cannot poll a router that has SNMPv2c configured with community string 'public'. What is causing this issue?

A. SNMPv2c is not enabled on the router.
B. The SNMP community 'public' has an access list that only permits host 10.1.1.100.
C. The NMS is using the wrong community string.
D. The router's SNMP agent is not listening on the interface facing 10.1.1.200.
Answer: B

The ACL applied to the community string restricts inbound SNMP requests to the permitted IP address. Since the NMS is 10.1.1.200, the router discards its polls, preventing a response.

Why this answer

The SNMP community 'public' has an ACL that permits only host 10.1.1.100, so the NMS at 10.1.1.200 is explicitly denied. No other condition explains the symptom because the community string matches, SNMPv2c is enabled by the configuration, and the agent listens on all interfaces by default.

Exam trap

Candidates often assume the NMS has the wrong community string when polling fails, but here the string matches; the ACL restriction produces the same timeout behavior as a community mismatch, making C a tempting misconception.

Why the other options are wrong

A

Many believe SNMP needs a separate global command to start; on Cisco IOS the 'snmp-server community' line itself enables the agent, so a router with a community string configured is already answering SNMP.

C

Polling failures are often attributed to community string errors, but when the string matches, an ACL restriction produces identical symptoms.

D

Candidates may assume the agent must be bound to an interface, but Cisco IOS SNMP agents respond on any interface unless limited by an ACL or VRF.
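
An added example, not from the page or from Cisco IOS, that works through the scenario above in Python: it parses a constructed IOS-style configuration (the page shows no exhibit, so the two config strings are assumed), applies IOS wildcard-mask semantics and the implicit deny at the end of every ACL, and shows why polls from 10.1.1.200 get no answer while 10.1.1.100 does. The parser handles the general case of a standard numbered ACL with host, any and wildcard entries, so it goes a little beyond the single host entry in the question. Function names such as `snmp_poll_accepted` are this example's own.

```python
import ipaddress
import re

# Constructed IOS-style configuration for this example (the page shows no exhibit).
# The ACL permits only the old NMS, so polls from 10.1.1.200 hit the implicit deny.
ROUTER_CONFIG = """
access-list 10 permit host 10.1.1.100
snmp-server community public RO 10
"""

# Corrected version: the new NMS address is added to the same ACL.
FIXED_CONFIG = """
access-list 10 permit host 10.1.1.100
access-list 10 permit host 10.1.1.200
snmp-server community public RO 10
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(.+?)\s*$", re.M)
COMMUNITY_RE = re.compile(r"^snmp-server community\s+(\S+)(.*)$", re.M)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_acls(config: str) -> dict:
    """Return {acl_id: [(action, base, wildcard), ...]} in configured order."""
    acls = {}
    for acl_id, action, src in ACL_RE.findall(config):
        tokens = src.split()
        if tokens[0] == "any":
            base, wild = "0.0.0.0", "255.255.255.255"
        elif tokens[0] == "host":
            base, wild = tokens[1], "0.0.0.0"
        elif len(tokens) == 1:          # bare address: IOS treats it as a host entry
            base, wild = tokens[0], "0.0.0.0"
        else:
            base, wild = tokens[0], tokens[1]
        acls.setdefault(acl_id, []).append((action, base, wild))
    return acls


def acl_permits(acl: list, addr: str) -> bool:
    """First matching entry wins; a source matching no entry hits the implicit deny."""
    for action, base, wild in acl:
        if wildcard_match(addr, base, wild):
            return action == "permit"
    return False


def snmp_poll_accepted(config: str, community: str, nms_addr: str) -> bool:
    """Would the agent answer a v1/v2c poll using this community from this source address?"""
    acls = parse_acls(config)
    for name, rest in COMMUNITY_RE.findall(config):
        if name != community:
            continue
        tokens = rest.split()
        # Optional trailing ACL (number or name) after RO/RW; no ACL means any source is accepted.
        acl_id = tokens[-1] if tokens and tokens[-1].upper() not in ("RO", "RW") else None
        if acl_id is None:
            return True
        return acl_permits(acls.get(acl_id, []), nms_addr)
    return False  # unknown community: the agent simply stays silent, same symptom as the ACL
```

The check also makes the security point in the other direction: the ACL is what keeps a community string travelling in cleartext from being usable by anyone on the network, so the fix is to add the new NMS to ACL 10, not to remove the ACL. SNMPv3 with authentication and privacy should replace v2c wherever the devices support it.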

757
Multi-Select · medium

Which two statements accurately describe JSON arrays?

Select 2 answers
A. A JSON array is an ordered list of items.
B. A JSON array is typically enclosed in square brackets.
C. A JSON array is the same thing as an OSPF area.
D. A JSON array must always contain exactly one item.
E. A JSON array replaces the need for all keys in structured data.
Answers: A, B

This is correct because arrays are used to represent ordered collections.

Why this answer

JSON arrays are ordered lists enclosed in square brackets. In plain language, they are commonly used when an API needs to return multiple similar items such as interfaces, VLANs, or routes. Each element in the array might be a simple value or a more complex object. Arrays are therefore a normal structure for lists in automation and API payloads.

The wrong answers usually confuse arrays with objects or claim properties they do not have. The two correct answers are the ones that preserve the ideas of list structure and square-bracket notation.

Exam trap

A frequent exam trap is mistaking JSON arrays for networking concepts like OSPF areas or assuming they must contain exactly one item. Candidates might confuse arrays with objects or routing constructs, leading to incorrect answers. Another pitfall is thinking arrays replace keys in structured data, which is false because arrays and keys serve different purposes.

This confusion arises from mixing data structure syntax with network protocol terminology. Understanding that JSON arrays are simply ordered lists enclosed in square brackets helps avoid these traps and ensures clarity when working with automation payloads in Cisco environments.

Why the other options are wrong

C

Option C is incorrect because JSON arrays are data structures for organizing information, whereas OSPF areas are routing domains; they are unrelated concepts in networking and automation.

D

Option D is incorrect because JSON arrays can contain any number of items, including zero or many, not just exactly one item; this flexibility is important in API responses and configurations.

E

Option E is incorrect because arrays do not replace keys; keys are used in JSON objects to define named values, while arrays represent ordered collections without keys.
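
An added example, not part of the original question, showing what the explanation above means in practice: a constructed controller-style payload (assumed shape, not from any real API) with an array of interface objects, each holding its own nested array of VLANs. The code walks the arrays in order, copes with an empty array, and normalizes the common API quirk of returning a bare object instead of a one-element array. The payload and function names are this example's own.

```python
import json

# Constructed payload in the shape many network-controller APIs return
# (assumed structure for this example; not from the page).
INTERFACES_PAYLOAD = """
{
  "device": "R1",
  "interfaces": [
    {"name": "GigabitEthernet0/0", "status": "up",   "vlans": [10, 20]},
    {"name": "GigabitEthernet0/1", "status": "down", "vlans": []},
    {"name": "Loopback0",          "status": "up",   "vlans": []}
  ]
}
"""


def as_list(value):
    """Normalize 'one item vs. many': some APIs return a bare object when only one result exists."""
    if value is None:
        return []
    if isinstance(value, list):
        return value
    return [value]


def down_interfaces(payload_text: str) -> list:
    """Return interface names whose status is 'down', in the order the array lists them."""
    data = json.loads(payload_text)
    return [i["name"] for i in as_list(data.get("interfaces")) if i.get("status") == "down"]


def vlan_membership(payload_text: str) -> dict:
    """Invert the nested arrays: {vlan_id: [interface names carrying that VLAN]}."""
    data = json.loads(payload_text)
    members = {}
    for iface in as_list(data.get("interfaces")):
        for vlan in as_list(iface.get("vlans")):
            members.setdefault(vlan, []).append(iface["name"])
    return members
```

Keys live on the objects inside the array ("name", "status"), the array itself only supplies order; that is the distinction option E gets wrong.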

758
MCQ · medium

A network team wants centralized logging and also wants log timestamps from different devices to line up accurately. Which combination best supports that goal?

A. Syslog and NTP
B. DHCP and STP
C. PAT and EtherChannel
D. ARP and CDP
Answer: A

This is correct because Syslog centralizes log collection and NTP aligns timestamps across devices.

Why this answer

The right combination is Syslog plus NTP. In plain language, Syslog gives the team a central place to collect and review device messages, while NTP makes sure the timestamps on those messages are consistent across the network. Centralized logs are useful on their own, but without synchronized clocks, incident timelines can become confusing and misleading.

This pairing is a common operational best practice. Syslog handles the collection side, and NTP handles the time-correlation side. Other services such as DHCP, STP, or NAT do not solve this combination of requirements. The best answer is the one that recognizes that centralized logging and time synchronization are complementary, not competing, services.

Exam trap

Don't confuse network management protocols like DHCP or NAT with logging and time synchronization functions.

Why the other options are wrong

B

DHCP dynamically assigns IP addresses and STP prevents loops in Layer 2 networks; neither provides centralized logging or time synchronization. Without NTP, timestamps from different devices would not align, making log correlation impossible.

C

PAT (a form of NAT) translates private IP addresses to public ones, and EtherChannel bundles multiple links for redundancy and bandwidth; neither offers centralized logging or time synchronization. These technologies are unrelated to the goal.

D

ARP resolves IP addresses to MAC addresses, and CDP discovers directly connected Cisco devices; neither provides centralized logging or time synchronization. These protocols are for neighbor discovery and Layer 2 resolution, not for log management.
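
An added example, not part of the original question, that shows why the Syslog-plus-NTP pairing matters when logs from several devices are merged. It parses constructed IOS-style syslog lines (invented for this example), merges them into one timeline, and flags the device whose clock was never synchronized. It relies on the IOS convention that a timestamp prefixed with '*' is not authoritative and one prefixed with '.' has lost NTP sync; the year is assumed because IOS omits it unless 'service timestamps log datetime year' is set. All names here are the example's own.

```python
import re
from datetime import datetime

# Constructed syslog excerpts from two devices (invented for this example). IOS prefixes a
# timestamp with '*' when the clock is not authoritative and with '.' when NTP sync has been
# lost; a clean timestamp means the device believes its clock is good.
SW1_LOG = """
Mar  3 10:15:02.117: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Mar  3 10:15:04.900: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
"""
R1_LOG = """
*Mar  1 00:02:11.503: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
"""

LINE_RE = re.compile(r"^([*.]?)(\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d{3}): (%\S+): (.*)$")
YEAR = 2024  # assumed: IOS omits the year unless 'service timestamps log datetime year' is set


def parse_syslog(device: str, text: str) -> list:
    """Parse IOS-style lines into events; 'authoritative' is False when the clock was unsynchronized."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # continuation or unrecognised line; skip rather than guess a time
        flag, stamp, mnemonic, message = m.groups()
        when = datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S.%f")
        events.append({"device": device, "time": when, "authoritative": flag == "",
                       "mnemonic": mnemonic, "message": message})
    return events


SW1_EVENTS = parse_syslog("SW1", SW1_LOG)
R1_EVENTS = parse_syslog("R1", R1_LOG)


def timeline(*device_logs) -> list:
    """Merge all devices' events into one list ordered by the timestamps they reported."""
    return sorted((e for log in device_logs for e in log), key=lambda e: e["time"])


def trusted_timeline(*device_logs) -> list:
    """Same merge, but only events from devices that claimed a synchronized clock."""
    return [e for e in timeline(*device_logs) if e["authoritative"]]


def untrusted_clocks(*device_logs) -> list:
    """Devices whose timestamps cannot be correlated until their NTP configuration is fixed."""
    return sorted({e["device"] for log in device_logs for e in log if not e["authoritative"]})
```

Merged naively, R1's link-down event sorts two days before SW1's, because R1's clock is still counting from boot; the flag is what keeps an incident timeline from being built on that ordering.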

759
Matching · medium

Drag and drop the STP/Rapid PVST+ terms on the left to the correct descriptions on the right.


Pairings

Bridge ID (BID): Used to elect the root bridge; consists of priority and MAC address
Root port: Port on a non-root bridge with the best path to the root bridge
Designated port: Port that is in forwarding state on a given LAN segment
PortFast: Feature that immediately transitions an access port to forwarding state
BPDU Guard: Feature that err-disables a PortFast port upon receiving a BPDU
spanning-tree vlan 1 root primary: Command to force a switch to become the root bridge for VLAN 1

Why these pairings

The Bridge ID (priority plus MAC address, with the VLAN number folded into the priority field as the extended system ID on Cisco switches) decides the root election, and the lowest value wins. Every non-root switch has exactly one root port, the port with the lowest cost to the root, and every segment has exactly one designated port, the port that forwards onto that segment. PortFast skips listening and learning on an access port, and BPDU Guard backs it up by err-disabling the port if a BPDU ever arrives there. 'spanning-tree vlan 1 root primary' is a macro that sets the local priority for VLAN 1 to 24576, or to 4096 below the current root if that is already lower; it does not protect the role against a switch added later with a still lower priority, which is what Root Guard is for.

Exam trap

Do not confuse the root bridge with other STP roles like designated port or alternate port. The root bridge is a switch, not a port. Also, Rapid PVST+ is a protocol, not a role.

760
PBQ · hard

You are connected to R1. The network has R1, R2, and a multilayer switch MLS1. Configure IPv4 and IPv6 addressing on R1's interfaces so that R1 can ping both R2 (198.51.100.2) and MLS1 (203.0.113.2) via IPv4. Additionally, configure IPv6 on G0/1 using EUI-64 with prefix 2001:db8:1::/64 and verify that R1 can ping the IPv6 address of MLS1 (2001:db8:1::2). The current configuration has incorrect subnet masks and missing IPv6 settings, causing reachability failures.

Hints

  • The subnet mask on both interfaces is too large; it should be /30.
  • IPv6 is not enabled on G0/1 yet; use the 'ipv6 address' command with EUI-64.
  • After changing the mask, the ping should work because the devices will be on the same subnet.
A. Change the subnet mask on G0/0 to 255.255.255.252, change G0/1 to 255.255.255.252, then configure IPv6 on G0/1 with the EUI-64 address using the prefix 2001:db8:1::/64.
B. Change the subnet mask on G0/0 to 255.255.255.0, change G0/1 to 255.255.255.0, then configure IPv6 on G0/1 with the EUI-64 address using the prefix 2001:db8:1::/64.
C. Change the subnet mask on G0/0 to 255.255.255.252, change G0/1 to 255.255.255.252, then configure IPv6 on G0/1 with the static address 2001:db8:1::1/64.
D. Change the subnet mask on G0/0 to 255.255.255.252, change G0/1 to 255.255.255.252, then configure IPv6 on G0/1 with the EUI-64 address using the prefix 2001:db8:1::/32.
Answer: A
Solution
! R1
interface GigabitEthernet0/0
ip address 198.51.100.1 255.255.255.252
exit
interface GigabitEthernet0/1
ip address 203.0.113.1 255.255.255.252
ipv6 address 2001:db8:1::/64 eui-64
exit

Why this answer

R1's interface masks did not match the /30 subnets used by R2 and MLS1. A router only ARPs directly for a destination that falls inside a connected network according to its own mask; if the mask leaves the peer address outside that network, R1 looks for a route instead and the ping fails. Where a wrong mask is merely wider than the peer's (say /24 against /30), a ping may still succeed, but the two ends then disagree about the connected network, which breaks routing-protocol adjacency on the link and fails the task. IPv6 was also missing on G0/1.

To fix, change the subnet mask on G0/0 to 255.255.255.252, change G0/1 to 255.255.255.252, then configure IPv6 on G0/1 with the EUI-64 address using the prefix 2001:db8:1::/64. After these changes, pings succeed.

Exam trap

This question tests your understanding of subnet masks and their impact on Layer 3 reachability. A common trap is to focus only on IPv6 and forget that incorrect IPv4 subnet masks can prevent ARP resolution, even if IPv6 is configured correctly. Also, pay close attention to the exact requirements: EUI-64 and the correct prefix length.

Why the other options are wrong

B

/24 masks do not match the /30 subnets configured on R2 and MLS1. Even where the wider mask happens to include the peer address, the two ends then disagree on the connected network, and the task requires /30.

C

The specific factual error is that the IPv6 address should be configured with the EUI-64 keyword, not a static address.

D

The specific factual error is that the prefix length must be /64 as specified in the question; a /32 prefix is incorrect for this scenario.

761
MCQ · hard

R1 and R2 are directly connected and running OSPF. They can ping each other, the area matches, and the timers match, but they still do not become neighbors. What is the most likely cause?

A. The OSPF authentication keys do not match.
B. The subnet mask is too small for OSPF to operate.
C. The routers must use different process IDs.
D. The interfaces must be configured as switch trunks.
Answer: A

This is correct because mismatched OSPF authentication (different plaintext or MD5 keys, different key IDs, or authentication enabled on one side only) prevents neighbor formation even when addressing and area values are correct.

Why this answer

The most likely cause is a mismatch in OSPF authentication keys. Even though the routers have IP connectivity, matching area IDs, and identical timers, OSPF adjacency requires that authentication parameters also match. If authentication is enabled on both sides but the keys differ, OSPF packets are silently rejected, preventing neighbor formation.

Exam trap

A frequent exam trap is to overlook OSPF authentication mismatches when routers have IP connectivity and matching area IDs. Candidates may incorrectly assume that because the routers can ping each other and timers match, adjacency must form. However, if OSPF authentication keys differ, routers silently reject OSPF packets, preventing neighbor formation.

This trap exploits the misconception that IP reachability alone ensures OSPF adjacency, ignoring the critical role of matching authentication parameters in the OSPF neighbor negotiation process.

Why the other options are wrong

B

This is incorrect because OSPF operates normally on /30 subnets commonly used for point-to-point links. Subnet mask size does not prevent OSPF adjacency.

C

This is incorrect because OSPF process IDs are locally significant identifiers and do not need to match between routers to form neighbors.

D

This is incorrect because OSPF runs over routed interfaces and does not require interfaces to be configured as switch trunks, which are used for VLAN tagging.

762
MCQ · hard

A switchport on one side of a link is configured as a trunk, but the peer side is configured as an access port. The physical link is up, but VLAN traffic behaves unexpectedly. What is the most likely cause?

A. The two ends disagree on whether the link is a trunk or an access port.
B. The switches must both use the same hostname.
C. The native VLAN must be set to 1 on both sides first.
D. The ports need OSPF enabled.
Answer: A

This is correct because trunk/access mismatch causes VLAN handling problems.

Why this answer

The most likely cause is a switchport mode mismatch. In practical terms, one side expects the link to carry multiple VLANs with tagging behavior, while the other side treats it as a normal one-VLAN endpoint-style access connection. The physical interface can still come up, but the two ends do not agree on how the traffic should be handled.

This is a classic Layer 2 troubleshooting pattern. The link may not be fully down, but the configuration disagreement causes logical forwarding problems.

Exam trap

Be cautious of assuming all VLAN issues are due to allowed lists or STP. Consider mode mismatches when the link is physically up but traffic is disrupted.

Why the other options are wrong

B

Hostnames are purely for identification and have no impact on switchport operation or VLAN tagging. The trunk/access mismatch is a Layer 2 configuration issue independent of hostnames.

C

While a native VLAN mismatch can cause issues on a trunk link, the primary problem here is that one side is configured as access, not trunk. Even with the native VLAN set to 1 on both sides, the access port will still not process tagged frames correctly.

D

OSPF is a Layer 3 routing protocol used for exchanging routes between routers, not for resolving Layer 2 switchport mismatches. This issue is purely about trunk/access configuration, which is unrelated to OSPF.

763
MCQ · medium

A switch port and a host NIC have a duplex mismatch. Which symptom is most likely?

A. Increased late collisions and poor performance
B. Incorrect VLAN tagging on trunks
C. OSPF area mismatch errors
D. A change in the subnet mask on the host
Answer: A

Correct. Duplex mismatch commonly leads to collisions and poor performance.

Why this answer

A duplex mismatch often causes collisions, frame errors, and degraded throughput, especially on the half-duplex side. It is a classic physical/link layer performance problem.

Exam trap

Don't confuse duplex mismatch symptoms with total connectivity loss or latency-only issues; focus on error and collision symptoms.

Why the other options are wrong

B

VLAN tagging on trunks is a Layer 2 function that deals with VLAN identification using 802.1Q tags. Duplex mismatch is a physical-layer issue affecting how data is sent and received (simultaneous vs. one direction at a time) and has no impact on VLAN tagging.

C

OSPF area mismatch errors are Layer 3 routing protocol issues that prevent OSPF neighbors from forming. Duplex mismatch is a Layer 1/2 problem that affects frame delivery and collision detection, not routing protocol adjacency.

D

A change in subnet mask is a Layer 3 IP configuration change that affects network/host identification. Duplex mismatch is a physical-layer issue and does not alter IP addressing or subnet masks.

764
Multi-Select · medium

Which TWO interface errors are most likely caused by a mismatch in duplex settings between two connected switches?

Select 2 answers
A. Runts
B. Giants
C. CRC errors
D. Input errors
E. Output errors
F. Flaps
Answers: A, C

Runts are frames smaller than 64 bytes, often caused by collisions on a half-duplex link due to a duplex mismatch.

Why this answer

A duplex mismatch occurs when one switch operates at full duplex while the other operates at half duplex. On the half-duplex side, frames arriving while the interface is transmitting are considered collisions, causing the frame to be truncated into fragments (runts). On the full-duplex side, the switch does not detect collisions but may receive incomplete frames, which are counted as runts if they are less than 64 bytes.

CRC errors also spike because the truncated or corrupted frames fail the Frame Check Sequence (FCS) validation.

Exam trap

Cisco often tests the distinction between runts and giants, where candidates mistakenly think giants are caused by duplex mismatch, but giants are actually linked to jumbo frames or faulty hardware, not duplex negotiation issues.

Why the other options are wrong

B

Giants are frames exceeding the maximum size (typically 1518 bytes) and are caused by MTU misconfiguration, faulty NICs, or software errors, not by duplex mismatch. Duplex mismatch does not affect frame size; it causes collisions and CRC errors.

D

Input errors is a broad counter that includes runts, CRC errors, frame errors, and others. While duplex mismatch can contribute to some input errors, it is not a specific error type. The question asks for 'interface errors' most likely caused by duplex mismatch, and input errors is too generic.

E

Output errors include collisions, late collisions, and underruns. While collisions can occur due to duplex mismatch, output errors are not exclusively caused by duplex mismatch; they can result from other issues like cable faults or interface congestion. The question asks for errors 'most likely' caused by duplex mismatch, and runts and CRC errors are more directly linked.

F

Flaps refer to an interface repeatedly going up and down, typically due to physical layer issues like loose cables, faulty transceivers, or power fluctuations. Duplex mismatch does not cause interface flaps; it causes errors on the link but the interface remains up.
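
An added example, not from the page or from Cisco, that turns the duplex-mismatch symptoms discussed in questions 751, 763 and 764 into a check a practitioner can run over captured 'show interfaces' output. The two excerpts are constructed to look like IOS output for both ends of the SW1 to R1 link, with invented counter values: runts and CRC errors on the full-duplex side, late collisions on the half-duplex side. The parser and the `diagnose_link` logic are this example's own and assume the IOS line layout shown.

```python
import re

# Constructed `show interfaces` excerpts for both ends of the SW1 <-> R1 link
# (format assumed to follow Cisco IOS; the counter values are invented for the example).
SW1_GI0_1 = """\
GigabitEthernet0/1 is up, line protocol is up (connected)
  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
     1024 packets input, 131072 bytes, 0 no buffer
     118 runts, 0 giants, 0 throttles
     131 input errors, 131 CRC, 0 frame, 0 overrun, 0 ignored
     2048 packets output, 262144 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

R1_GI0_1 = """\
GigabitEthernet0/1 is up, line protocol is up
  Half-duplex, 100Mb/s, media type is RJ45
     2048 packets input, 262144 bytes, 0 no buffer
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     1024 packets output, 131072 bytes, 0 underruns
     77 output errors, 412 collisions, 0 interface resets
     0 babbles, 77 late collision, 0 deferred
"""

STATUS_RE = re.compile(r"^(\S+) is (\w+), line protocol is (\w+)", re.M)
DUPLEX_RE = re.compile(r"^\s*(Full|Half)-duplex,\s*(\d+)Mb/s", re.M)
COUNTER_RE = re.compile(
    r"(\d+) (runts|giants|CRC|input errors|output errors|collisions|late collision)\b")


def parse_interface(text: str) -> dict:
    """Pull status, duplex/speed and the error counters that matter out of one interface's output."""
    status = STATUS_RE.search(text)
    duplex = DUPLEX_RE.search(text)
    if not status or not duplex:
        raise ValueError("unrecognised show interfaces output")
    counters = {name: int(value) for value, name in COUNTER_RE.findall(text)}
    return {"name": status.group(1), "status": status.group(2), "protocol": status.group(3),
            "duplex": duplex.group(1).lower(), "speed": int(duplex.group(2)), **counters}


def diagnose_link(a: dict, b: dict) -> list:
    """Compare both ends of one link and return human-readable findings."""
    findings = []
    for end in (a, b):
        if end["protocol"] != "up":
            findings.append(f"{end['name']}: line protocol {end['protocol']}, check speed setting and cabling first")
    if a["speed"] != b["speed"]:
        findings.append(f"speed mismatch: {a['speed']} vs {b['speed']} Mb/s")
    if a["duplex"] != b["duplex"]:
        findings.append(f"duplex mismatch: {a['duplex']} vs {b['duplex']}")
    for end in (a, b):
        # Half-duplex side: backs off on collisions, and late collisions are the tell-tale symptom.
        if end["duplex"] == "half" and end.get("late collision", 0) > 0:
            findings.append(f"{end['name']}: {end['late collision']} late collisions on the half-duplex side")
        # Full-duplex side: never backs off, so truncated frames arrive as runts and CRC errors.
        if end["duplex"] == "full" and (end.get("runts", 0) or end.get("CRC", 0)):
            findings.append(f"{end['name']}: {end.get('runts', 0)} runts, {end.get('CRC', 0)} CRC on the full-duplex side")
        if end.get("giants", 0):
            findings.append(f"{end['name']}: giants present, look at MTU/jumbo settings rather than duplex")
    return findings


def likely_duplex_mismatch(a: dict, b: dict) -> bool:
    """True when the two ends report different duplex settings."""
    return any(f.startswith("duplex mismatch") for f in diagnose_link(a, b))
```

The counters are cumulative, so clear them ('clear counters') and re-read after a minute of traffic before trusting a diagnosis; an old burst from a cable fault looks the same in a stale snapshot.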

765
MCQ · hard

A network administrator configures OSPF on two routers, R1 and R2, connected via their Serial0/0/0 interfaces (IP addresses 10.1.1.1/30 and 10.1.1.2/30). They verify that both routers use the same OSPF process ID and area 0, but R1's 'show ip ospf neighbor' shows no adjacencies. Given the partial exhibit from R1, what is the most likely cause of the adjacency failure and its correct solution?

A. Configure 'no passive-interface Serial0/0/0' under router ospf 1 on R1.
B. Replace the network statement with 'network 10.1.1.0 0.0.0.255 area 0' to cover a larger range.
C. Change the OSPF process ID on R1 to match R2, using 'router ospf 100' and re-entering the network command.
D. Issue 'clear ip ospf process' on R1 to restart OSPF and reattempt neighbor discovery.
Answer: A

This command lifts the passive restriction on Serial0/0/0, allowing OSPF hello packets to be sent and received, enabling the adjacency to form.

Why this answer

The most likely cause is that R1's Serial0/0/0 interface is configured as a passive interface under OSPF. When an interface is set as passive, OSPF does not send Hello packets out of it, preventing neighbor discovery and adjacency formation. The solution is to use the 'no passive-interface Serial0/0/0' command under router ospf 1 on R1, which allows Hello packets to be transmitted and the adjacency to establish.

Exam trap

Cisco often tests the misconception that OSPF process IDs must match between routers, leading candidates to choose option C. Process IDs are locally significant; what must match for an adjacency is the area ID, hello and dead timers, authentication, the subnet and mask on multi-access links, the stub area flag and, for the adjacency to reach Full, the interface MTU.

Why the other options are wrong

B

A larger wildcard mask does not override the passive-interface setting; adjacency still fails.

C

Adjacency depends on area and authentication, not on the router-local process ID; passive-interface is the real issue.

D

The root cause is a configuration that blocks hellos, not a transient state; the reset is ineffective.

766
MCQ · hard

A user reports intermittent connectivity to the corporate web server at 10.1.1.100. The user's PC (IP 192.168.1.50/24, gateway 192.168.1.1) can ping the gateway and other local hosts, but pings to the web server time out every few seconds. The network administrator runs a traceroute from the PC and checks the local ARP cache. What is the most likely cause of the intermittent connectivity?

A. The default gateway 192.168.1.1 is not configured to route traffic to the 10.1.1.0/24 network.
B. The web server at 10.1.1.100 has a duplicate IP address conflict with another device on the same subnet.
C. The user's PC has an incorrect subnet mask configured, preventing communication with the web server.
D. The web server is powered off or has a faulty network interface card.
Answer: B

With two devices on the server's subnet both claiming 10.1.1.100, the gateway's ARP entry for that address, and the MAC table of the switch behind it, keep switching between two MAC addresses, so only some of the PC's packets reach the real server. The PC's own ARP cache is not where the fault shows: its entry for the gateway 192.168.1.1 stays stable, which is why local pings succeed and only the remote destination flaps.

Why this answer

The intermittent loss, combined with successful pings to the gateway and local hosts and a traceroute whose first hop answers, points to a duplicate IP address on the web server's subnet. When two devices share 10.1.1.100, both answer ARP for it, so the gateway's ARP entry and the switch's MAC address table alternate between the two MAC addresses and packets reach the real server only part of the time. That explains pings that time out every few seconds rather than failing consistently. A practical confirmation is to repeat 'show ip arp 10.1.1.100' on the gateway and watch the MAC change, or to look for %IP-4-DUPADDR messages in its log.

Exam trap

Cisco often tests the distinction between consistent failures (e.g., routing misconfiguration or server down) and intermittent failures (e.g., duplicate IP or STP convergence), and the trap here is assuming a routing issue (Option A) when the symptom is intermittent, not constant.

Why the other options are wrong

A

The traceroute's first hop (the gateway) responds and the loss is intermittent. A gateway with no route to 10.1.1.0/24 would fail every time, typically answering with an ICMP Destination Unreachable rather than alternating between success and timeout.

C

The ipconfig /all output shows the correct subnet mask (255.255.255.0) and gateway (192.168.1.1). The PC can ping the gateway and other local hosts, confirming the subnet mask is correct. An incorrect subnet mask would prevent communication with the gateway or local hosts, not just the remote server.

D

A powered-off server or a dead NIC would fail every ping, and nothing on the server subnet would answer ARP for 10.1.1.100. Intermittent success means something is answering at least part of the time, which a complete hardware failure cannot explain.
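
An added example, not part of the original question, of the confirmation step described above: repeated snapshots of the gateway's ARP table (constructed for this example, not real output) are compared to find any IP address that resolves to more than one MAC over time. The same signature appears when an attacker is poisoning ARP for a host, so the check is useful well beyond duplicate-address troubleshooting; the MAC addresses and function names are invented.

```python
from collections import defaultdict

# Constructed snapshots of the gateway's ARP table taken a few seconds apart,
# as (ip, mac) pairs; the addresses are invented for this example.
ARP_SNAPSHOTS = [
    [("10.1.1.100", "0011.2233.4455"), ("10.1.1.50", "00aa.bbcc.dd01")],   # t = 0 s
    [("10.1.1.100", "0011.2233.4455"), ("10.1.1.50", "00aa.bbcc.dd01")],   # t = 5 s
    [("10.1.1.100", "0066.7788.99aa"), ("10.1.1.50", "00aa.bbcc.dd01")],   # t = 10 s
    [("10.1.1.100", "0011.2233.4455"), ("10.1.1.50", "00aa.bbcc.dd01")],   # t = 15 s
]


def mac_history(snapshots: list) -> dict:
    """{ip: [mac seen in each snapshot, in order]}."""
    history = defaultdict(list)
    for snapshot in snapshots:
        for ip, mac in snapshot:
            history[ip].append(mac.lower())
    return dict(history)


def conflicting_ips(snapshots: list) -> dict:
    """IPs that resolved to more than one MAC, with the distinct MACs and how often the mapping flipped."""
    result = {}
    for ip, macs in mac_history(snapshots).items():
        if len(set(macs)) < 2:
            continue
        flips = sum(1 for previous, current in zip(macs, macs[1:]) if previous != current)
        result[ip] = {"macs": sorted(set(macs)), "flips": flips}
    return result


def unexpected_macs(snapshots: list, expected: dict) -> dict:
    """Given {ip: legitimate mac}, report MACs that answered for an IP but should not have.

    A duplicate address and an ARP-spoofing attack both show up here; which one it is depends
    on whether the second MAC belongs to a misconfigured host or to something hostile.
    """
    rogue = {}
    for ip, macs in mac_history(snapshots).items():
        if ip in expected:
            extra = sorted(set(macs) - {expected[ip].lower()})
            if extra:
                rogue[ip] = extra
    return rogue
```

On a production gateway the snapshots would come from repeated 'show ip arp' runs; dynamic ARP inspection on the access switches is the preventive control for the spoofing case, and it does nothing for an honest duplicate, which has to be tracked down by MAC address.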

767
Multi-Select · medium

Which TWO statements correctly describe the configuration and effect of Root Guard and BPDU Guard on a Cisco switch?

Select 2 answers
A. Root Guard is configured on a per-port basis and causes the port to become root-inconsistent if a superior BPDU is received.
B. BPDU Guard prevents loops by disabling a trunk port that receives a BPDU from an unauthorized switch.
C. Root Guard places a port in errdisable state when a superior BPDU is received.
D. BPDU Guard is commonly enabled on ports where PortFast is configured to prevent unexpected BPDUs from causing a bridging loop.
E. Both Root Guard and BPDU Guard filter BPDUs to prevent them from being processed by the switch CPU.
Answers: A, D

Root Guard is applied to a port (usually a designated port) and if a better BPDU arrives, the port enters a root-inconsistent state, blocking traffic and preventing the switch from becoming root.

Why this answer

Option A is correct because Root Guard is configured per interface with 'spanning-tree guard root', normally on designated ports facing switches that must never become root. If such a port receives a superior BPDU (one advertising a better root than the current one, which would otherwise turn that port into a root port), the port goes root-inconsistent and stops forwarding, so the topology cannot be re-rooted from that direction. The state clears on its own once superior BPDUs stop arriving, which is what distinguishes it from errdisable.

Option D is correct because BPDU Guard is normally enabled on PortFast ports, that is, access ports that should only ever see end hosts. Any BPDU on such a port means a switch (or a host bridging traffic) has been connected where it does not belong, and the port is err-disabled. Unlike root-inconsistent, errdisable persists until the port is bounced with shutdown/no shutdown or 'errdisable recovery cause bpduguard' is configured. It can be enabled per port ('spanning-tree bpduguard enable') or globally for all PortFast ports ('spanning-tree portfast bpduguard default').

Exam trap

Cisco often tests the distinction between the states triggered by Root Guard (root-inconsistent) versus BPDU Guard (errdisable), and candidates frequently confuse the two, assuming both place the port into errdisable or that Root Guard uses errdisable.

Why the other options are wrong

B

BPDU Guard does not prevent loops by disabling a trunk port; it is typically used on access ports with PortFast and disables the port upon receiving any BPDU.

C

Root Guard places the port into root-inconsistent state, not errdisable; errdisable is the state used by BPDU Guard.

E

Neither Root Guard nor BPDU Guard filters BPDUs; they both process received BPDUs and then take action (root-inconsistent for Root Guard, errdisable for BPDU Guard).

768
Multi-Select (medium)

Which TWO statements accurately describe OSPFv3 configuration and verification for IPv6?

Select 2 answers
A. OSPFv3 uses IPv6 link-local addresses for neighbor discovery and next-hop addresses.
B. The 'network' command under 'ipv6 router ospf' is used to advertise subnets into OSPFv3.
C. The 'ipv6 ospf <process-id> area <area-id>' command is used to enable OSPFv3 on an interface.
D. The 'ipv6 router ospf <process-id>' command is used on an interface to enable OSPFv3.
E. The 'show ipv6 ospf neighbor' command displays the OSPFv3 link-state database.
Answers: A, C

In OSPFv3, routers form adjacencies using their IPv6 link-local addresses, and these addresses are used as next-hop addresses in routing updates.

Why this answer

Option A is correct because OSPFv3 uses IPv6 link-local addresses for neighbor discovery and next-hop addresses. Option C is correct because the 'ipv6 ospf <process-id> area <area-id>' interface command enables OSPFv3 on that interface. Option B is incorrect: OSPFv3 does not use the 'network' command; instead, it relies on interface-level configuration.

Option D is incorrect: 'ipv6 router ospf <process-id>' is a global configuration command to enter OSPFv3 router configuration mode, not an interface command. Option E is incorrect: 'show ipv6 ospf neighbor' displays neighbor adjacencies, not the link-state database; use 'show ipv6 ospf database' for that.

Exam trap

Cisco often tests the misconception that OSPFv3 uses the same 'network' command as OSPFv2, when in fact OSPFv3 requires interface-level configuration with the 'ipv6 ospf <process-id> area <area-id>' command.

Why the other options are wrong

D

'ipv6 router ospf <process-id>' is a global configuration command, not an interface command; enabling OSPFv3 on an interface requires the 'ipv6 ospf <process-id> area <area-id>' command.

E

'show ipv6 ospf neighbor' displays OSPFv3 neighbor adjacencies, not the link-state database; to view the LSDB, use 'show ipv6 ospf database'.

769
Drag & Drop (medium)

Drag and drop the following steps into the correct order to configure IPv4 and IPv6 static routes, a default route, and a floating static route with a higher administrative distance, then verify with show ip route and show ipv6 route.


Why this order

Start in global config, then configure static routes for IPv4, then IPv6, then default and floating static routes. Finally verify with show commands.

Exam trap

Do not confuse the order of configuration with the order of route preference. The default route is not configured first; it is configured after specific routes. Also, while IPv4 and IPv6 can be configured in any order, the question expects IPv4 before IPv6 based on the stem.

770
PBQ (hard)

You are connected to SW1. A LACP EtherChannel between SW1 and SW2 has already been configured using interfaces GigabitEthernet0/1 and GigabitEthernet0/2 with channel-group 1 mode active on both sides and assigned to VLAN 100. However, the channel is not forming because of a speed/duplex mismatch. The correct interface settings for this network are speed 1000 and duplex full. Interface GigabitEthernet0/1 is already configured with these settings. Only interface GigabitEthernet0/2 needs to be corrected. Identify the configuration change needed to resolve the mismatch and verify the EtherChannel is up with 'show etherchannel summary'.

Network Topology: SW1 (Gi0/1) linked to SW2 (Gi0/1), EtherChannel

Hints

  • Check the speed and duplex settings on both member interfaces.
  • LACP requires all ports in the channel to have identical configuration.
  • Use the 'show interfaces status' command to quickly see speed/duplex mismatches.
A. Configure interface GigabitEthernet0/2 with 'speed 1000' and 'duplex full', then verify the EtherChannel is up.
B. Configure interface GigabitEthernet0/1 with 'speed 100' and 'duplex half', then verify the EtherChannel is up.
C. Configure interface GigabitEthernet0/2 with 'speed auto' and 'duplex auto', then verify the EtherChannel is up.
D. Configure interface GigabitEthernet0/2 with 'channel-group 1 mode active' and 'switchport access vlan 100', then verify the EtherChannel is up.
Answer: A
Solution
! SW1
interface GigabitEthernet0/2
speed 1000
duplex full
end
show etherchannel summary

Why this answer

The EtherChannel is not forming because GigabitEthernet0/2 is configured with speed 100 and duplex half, while GigabitEthernet0/1 is speed 1000 and duplex full. LACP requires all member ports to have identical speed and duplex settings. To fix this, configure GigabitEthernet0/2 with speed 1000 and duplex full, matching GigabitEthernet0/1.

After correction, the ports should bundle in Port-channel1 and show as bundled (P) in 'show etherchannel summary'.

Exam trap

The trap is that candidates may overlook the speed/duplex mismatch and focus only on the LACP mode or VLAN configuration. Always verify that all physical parameters match before troubleshooting EtherChannel formation.

Why the other options are wrong

B

The specific factual error is that the question implies the correct configuration should use speed 1000 and duplex full, not downgrade to 100/half. Also, LACP requires identical settings, but the goal is to match the higher speed.

C

The specific factual error is that auto-negotiation does not guarantee matching settings when one side is manually configured. The mismatch would persist.

D

The specific factual error is that the question explicitly states a speed/duplex mismatch prevents the channel from forming, and this option does not correct that mismatch.

771
PBQ (hard)

You are connected to a multilayer switch SW1 via console. SW1 has an IP phone and an access point connected to interfaces GigabitEthernet0/1 and GigabitEthernet0/2 respectively. Configure the access ports so that the IP phone receives a voice VLAN (VLAN 110) and PoE priority critical, and the access point receives PoE priority high. Verify your configuration using show interfaces switchport and show power inline.

Network Topology: SW1 G0/1 to IP Phone; SW1 G0/2 to Access Point

Hints

  • Voice VLAN is configured under the access port interface with the 'switchport voice vlan' command.
  • PoE priority is set per interface using 'power inline priority'.
  • Use 'show interfaces switchport' to verify voice VLAN assignment.
A. interface GigabitEthernet0/1; switchport mode access; switchport access vlan 10; switchport voice vlan 110; power inline priority critical; interface GigabitEthernet0/2; switchport mode access; power inline priority high
B. interface GigabitEthernet0/1; switchport mode trunk; switchport trunk allowed vlan 10,110; power inline priority critical; interface GigabitEthernet0/2; switchport mode access; power inline priority high
C. interface GigabitEthernet0/1; switchport mode access; switchport access vlan 110; switchport voice vlan 10; power inline priority critical; interface GigabitEthernet0/2; switchport mode access; power inline priority high
D. interface GigabitEthernet0/1; switchport mode access; switchport access vlan 10; switchport voice vlan 110; power inline priority high; interface GigabitEthernet0/2; switchport mode access; power inline priority critical
Answer: A
Solution
! SW1
! IP phone: access port carrying voice VLAN 110, PoE priority critical
interface GigabitEthernet0/1
switchport mode access
switchport voice vlan 110
power inline priority critical
exit
! Access point: access port, PoE priority high
interface GigabitEthernet0/2
switchport mode access
power inline priority high
end

Why this answer

The IP phone requires a voice VLAN configured with the switchport voice vlan command. PoE priority is set per interface using power inline priority. For the phone, the priority is critical; for the AP, it is high.

Verification with show interfaces switchport confirms voice VLAN, and show power inline shows priority settings.

Exam trap

The exam trap is mixing up the voice VLAN and access VLAN assignments, or confusing PoE priority levels. Remember that the voice VLAN is configured with switchport voice vlan, not as the access VLAN. Also, note that IP phones typically use access ports with voice VLAN, not trunks.

PoE priority critical is reserved for critical devices like phones, while high is for other important devices like APs.

Why the other options are wrong

B

The specific factual error is using trunk mode for an IP phone port instead of access mode with voice VLAN.

C

The specific factual error is reversing the VLAN assignments: the access VLAN should be data, and the voice VLAN should be voice.

D

The specific factual error is swapping the PoE priority values: the phone should be critical, the AP high.

772
MCQ (hard)

Refer to the exhibit. A network engineer expects SW1 to be the root bridge for VLAN 1, but the show spanning-tree vlan 1 output on SW2 shows that SW2 is the root. What is the most likely cause of this issue?

A. SW1 is configured with a priority of 32769 but has a higher MAC address than SW2.
B. Spanning tree is disabled on SW1 for VLAN 1.
C. SW1 has a bridge priority of 4096, but BPDU guard is configured on SW2's port to SW1, causing the port to be err-disabled.
D. The trunk link between SW1 and SW2 is down.
Answer: D

The missing root port and the fact that SW2 sees itself as root confirm that SW2 is not receiving any BPDUs from SW1. This is exactly the behavior when the inter-switch trunk is physically down, breaking the spanning-tree topology.

Why this answer

SW2 shows itself as the root (Root ID and Bridge ID are identical, and the text 'This bridge is the root'), and there is no root port listed. In a stable spanning-tree topology, a non-root switch must have a root port to reach the root. The absence of any root port indicates that SW2 is not receiving superior BPDUs from SW1.

The most likely cause is that the trunk link between SW1 and SW2 is down, preventing BPDU exchange.

Exam trap

Many candidates select option A because they notice both priority values are 32769 and assume a MAC-address tiebreaker makes SW2 root, but they fail to see that SW2 has no root port, which would exist if the link to SW1 were operational.

Why the other options are wrong

A

Candidates focus on the matching priority numbers and overlook the missing root port that indicates a complete loss of BPDUs.

B

Candidates may assume no BPDUs means STP is off, but the intended root designation suggests STP is on and a physical disconnect is the primary suspect.

C

Candidates recall that BPDU guard can block ports, but they fail to differentiate between a missing port due to err-disable and a missing port due to a physically down link, which looks identical in this output.

773
PBQ (hard)

You are connected to R1, a Cisco IOS-XE router acting as the network's DNS client. The network uses a local DNS server at 203.0.113.10 for internal name resolution. Users report that the hostname 'fileserver.courseiva.local' cannot be resolved, while other names work fine. Diagnose and fix the DNS resolution failure so that 'fileserver.courseiva.local' resolves correctly.

Network Topology: R2 G0/0 (10.0.0.1/30) linked to R1 G0/0 (10.0.0.2/30); R1 linked to the DNS Server (203.0.113.10/24)

Hints

  • Check if the DNS server is reachable and if other names resolve.
  • The NXDOMAIN status means the domain name does not exist in the DNS zone.
  • The router configuration appears correct; the problem is on the DNS server.
A. Add an A record for 'fileserver' on the DNS server.
B. Configure the 'ip domain-lookup' command on R1 to enable DNS resolution.
C. Change the DNS server address on R1 to 8.8.8.8.
D. Add a static host entry on R1 using 'ip host fileserver.courseiva.local 192.0.2.10'.
Answer: A
Solution
! R1
! No configuration change is required on R1; the fix is adding the A record on the DNS server.

Why this answer

The DNS server is reachable (ping successful) and resolves other names (e.g., webserver.courseiva.local) correctly. However, 'fileserver.courseiva.local' returns NXDOMAIN, indicating the A record is missing from the DNS zone. Since the router is not the DNS server, the fix must be applied on the DNS server itself — not on R1.

The candidate should understand that the problem is a missing DNS record, not a router configuration issue. The solution involves adding an A record for 'fileserver' (with the appropriate IP address) on the DNS server. On R1, verify connectivity to the DNS server and confirm that the domain lookup and name-server settings are correct, which they are.

No router CLI changes are needed.

Exam trap

Candidates often confuse client-side DNS configuration issues with server-side record problems. Remember: if some names resolve but others don't, the DNS server is reachable and functional; the missing record is the culprit. Do not change router settings unnecessarily.

Why the other options are wrong

B

The specific factual error is that 'ip domain-lookup' is a global command that enables DNS resolution; if it were disabled, no names would resolve.

C

The specific factual error is that the DNS server is functioning for other records; the problem is specific to one hostname, not the server address.

D

The specific factual error is that static entries bypass DNS but do not address the root cause; the DNS server should have the record for all clients.

774
Multi-Select (medium)

Which two statements accurately describe a controller-based WLAN compared with a set of independently managed APs?

Select 2 answers
A. It centralizes management and policy across multiple access points.
B. It can improve consistency when deploying WLAN settings across many APs.
C. It removes the need for access points entirely.
D. It replaces the need for DHCP on all client devices.
E. It is the same thing as WPA3.
Answers: A, B

This is correct because centralized management is a main architectural benefit.

Why this answer

A controller-based WLAN centralizes operational control and helps apply policies more consistently across many APs. In practical terms, this improves scalability and reduces the burden of touching each AP individually when changes are needed. The APs still provide the radio service, but they are coordinated under a shared management model.

This question is about architecture, not about claiming that a controller replaces APs or that it removes all other network services.

Exam trap

A common exam trap is assuming that a controller-based WLAN eliminates the need for access points or other network services like DHCP. Some candidates mistakenly believe the controller replaces APs entirely, but APs remain essential for providing wireless connectivity. Others confuse controller-based management with wireless security protocols such as WPA3, which are unrelated concepts.

Misunderstanding these distinctions can lead to incorrect answers by conflating architecture roles with security features or network services.

Why the other options are wrong

C

Option C is incorrect because access points are still required to provide the actual wireless radio connectivity; the controller does not replace APs.

D

Option D is incorrect since DHCP or other IP configuration methods are still needed for client devices; the controller does not replace these network services.

E

Option E is incorrect because WPA3 is a wireless security standard and does not relate to the architectural concept of controller-based WLAN management.

775
Drag & Drop (medium)

Drag and drop the following steps into the recommended order to configure a switch port for a VoIP phone (voice VLAN + data VLAN), an AP trunk, and a PoE-powered IoT device.


Why this order

Although the switch does not enforce a strict sequence for these commands, the recommended workflow for clarity and consistency is to first enter global configuration mode, then interface configuration mode, then set trunking to support multiple VLANs, assign the voice VLAN, and finally configure PoE. Option D incorrectly omits global configuration mode. Option B places PoE before trunking and voice VLAN, which is less logical.

Option C configures the voice VLAN before setting the trunk mode, which can be confusing.

Exam trap

A common trap is to think that the switch enforces a rigid order (e.g., voice VLAN requires trunk mode). In reality, all command sequences except D produce a working config, but the exam expects the most logical and recommended order: trunk, voice VLAN, then PoE.

776
Multi-Select (hard)

Which two practices most improve safety when automating network changes? (Choose two.)

Select 2 answers
A. Testing changes in a lab or staging environment first
B. Running scripts directly in production without validation
C. Using version control and peer review for automation code
D. Disabling backups so changes apply faster
Answers: A, C

Correct. Predeployment testing reduces production risk.

Why this answer

Testing and validation reduce risk before wide deployment, and version control with review/rollback supports controlled operations.

Exam trap

Avoid assuming that immediate deployment without testing is safe. Always prioritize testing and controlled deployments.

Why the other options are wrong

B

Running scripts directly in production without validation bypasses all safety checks, increasing the likelihood of misconfigurations that can cause outages or security breaches. This practice directly contradicts the principle of minimizing risk during network changes.

D

Disabling backups removes the ability to restore the network to a known good state after a failed change, significantly increasing risk. Backups are a fundamental safety net, and disabling them for speed is never justified.

777
PBQ (hard)

You are connected to SW1. Two switches, SW1 and SW2, are connected via four GigabitEthernet links. Configure LACP EtherChannel between them using interfaces GigabitEthernet0/1 through GigabitEthernet0/4 on SW1. Set the channel-group mode to active on SW1. The port-channel interface must be configured as a trunk, allowing VLANs 10, 20, 30. However, the EtherChannel is not forming. The current configuration is shown below. Identify and fix the issue, then verify the EtherChannel is operational.

Network Topology: SW1 Gi0/1-4 linked to SW2 Gi0/1-4 (4x links)

Hints

  • Compare the Layer 2/Layer 3 status of the port-channel interface with the member interfaces.
  • Check the 'show etherchannel summary' flags: 'SD' means Layer 3 and down; 'SU' means Layer 2 and up.
  • The port-channel interface must match the operational mode (Layer 2) of the member switchports.
A. Remove 'no switchport' and IP address from Port-channel1, then configure 'switchport mode trunk' and 'switchport trunk allowed vlan 10,20,30'.
B. Change the channel-group mode on the member interfaces from active to passive.
C. Add the 'switchport nonegotiate' command to the member interfaces.
D. Configure the member interfaces with 'channel-group 1 mode on' instead of active.
Answer: A
Solution
! SW1
interface Port-channel1
! Remove the Layer 3 configuration from the port-channel
no ip address
! 'switchport' reverts 'no switchport' and returns the interface to Layer 2
switchport
switchport mode trunk
switchport trunk allowed vlan 10,20,30
end
show etherchannel summary

Why this answer

The EtherChannel is not forming because the Port-channel1 interface is configured as a Layer 3 interface (no switchport, IP address), while the member interfaces are Layer 2 switchports (switchport mode trunk). This mismatch prevents the channel from bundling. To fix this, configure Port-channel1 as a Layer 2 trunk interface with the same allowed VLANs.

The solution: remove the no switchport command and the IP address, then apply switchport mode trunk and switchport trunk allowed vlan 10,20,30. After correction, the ports should bundle and the show etherchannel summary will show the ports as bundled (P) and the port-channel as Layer 2 (S).

Exam trap

The exam trap is that candidates often focus on LACP modes or trunk negotiation but overlook the Layer 2/Layer 3 mismatch between the port-channel interface and member interfaces. Always ensure the port-channel interface is configured as either Layer 2 or Layer 3 to match the member ports.

Why the other options are wrong

B

The specific factual error: The problem is a Layer 2/Layer 3 mismatch, not the LACP mode. Active mode is valid and commonly used.

C

The specific factual error: 'switchport nonegotiate' affects trunk negotiation, not EtherChannel bundling.

D

The specific factual error: The mode change does not fix the interface type mismatch; the port-channel must be Layer 2 to match the member ports.

778
MCQ (medium)

An ACL entry reads: 'access-list 25 permit 192.168.8.0 0.0.0.15'. Which address range does this statement match?

A. 192.168.8.0 through 192.168.8.15
B. 192.168.8.0 through 192.168.8.31
C. 192.168.8.0 through 192.168.8.7
D. Only host 192.168.8.15
Answer: A

That is the correct range for a wildcard of 0.0.0.15.

Why this answer

A wildcard of 0.0.0.15 means the last 4 bits can vary, which corresponds to a block size of 16 addresses. Starting at 192.168.8.0, the range is 192.168.8.0 through 192.168.8.15.
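The wildcard arithmetic above, worked through in code. This is an added example, not part of the question bank: it parses a standard ACL entry of the form shown in the question, normalises the base address (IOS clears any "don't care" bits the author typed), reports the first/last address and block size, gives the equivalent prefix length when the wildcard is contiguous, and applies the same bitwise test IOS uses to decide whether a packet's source matches. It generalises beyond the question to non-contiguous wildcards such as 0.0.0.16, where a first..last range alone would be misleading. The class and function names are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Ace:
    """One standard-ACL entry: 'access-list <number> permit|deny <address> [wildcard]'."""
    number: int
    action: str
    base: int       # address with every wildcard ("don't care") bit cleared
    wildcard: int   # 1 bits may vary, 0 bits must match exactly


def parse_ace(line: str) -> Ace:
    """Parse a standard numbered ACL entry (example helper, names are assumptions)."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL entry: {line!r}")
    addr = int(ipaddress.IPv4Address(parts[3]))
    # IOS treats a missing wildcard as a single host (wildcard 0.0.0.0)
    wild = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
    # Clear the variable bits so 192.168.8.5 0.0.0.15 and 192.168.8.0 0.0.0.15 are the same ACE
    return Ace(int(parts[1]), parts[2], addr & ~wild & MASK32, wild)


def is_contiguous(wildcard: int) -> bool:
    """True when the wildcard's 1 bits form a trailing run (e.g. 0.0.0.15),
    so the matched addresses are one block describable by a prefix length."""
    return (wildcard & (wildcard + 1)) == 0


def matched_range(ace: Ace) -> Tuple[str, str, int]:
    """(first, last, count) of matched addresses. The count is 2 ** (number of
    wildcard 1 bits); for a non-contiguous wildcard first..last also contains
    addresses the entry does NOT match."""
    first = ace.base
    last = ace.base | ace.wildcard
    count = 2 ** bin(ace.wildcard).count("1")
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last)), count


def prefix_length(ace: Ace) -> Optional[int]:
    """Equivalent CIDR prefix length, or None when the wildcard is non-contiguous."""
    if not is_contiguous(ace.wildcard):
        return None
    return 32 - bin(ace.wildcard).count("1")


def matches(ace: Ace, address: str) -> bool:
    """The IOS test: every 'must match' (0) bit of the address equals the ACE base."""
    ip = int(ipaddress.IPv4Address(address))
    return ((ip ^ ace.base) & ~ace.wildcard & MASK32) == 0


if __name__ == "__main__":
    ace = parse_ace("access-list 25 permit 192.168.8.0 0.0.0.15")  # the question's entry
    first, last, count = matched_range(ace)
    print(f"{first} through {last} ({count} addresses, /{prefix_length(ace)})")
```

Running the module prints the question's answer, 192.168.8.0 through 192.168.8.15 (16 addresses, /28); option C's range is what a wildcard of 0.0.0.7 would give, and option D is what the entry means with no wildcard at all.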

Exam trap

Be careful not to confuse the block size determined by the wildcard mask with a full subnet or miscalculate the starting address.

Why the other options are wrong

C

This range uses a wildcard mask of 0.0.0.7, not 0.0.0.15.

779
Matching (medium)

Drag and drop the YANG, NETCONF, and RESTCONF terms on the left to their correct descriptions on the right.


A data modeling language used to define the structure of configuration and state data for network devices

A protocol that uses XML and SSH to transport configuration and state data between a client and a network device

A protocol that uses HTTP methods (GET, PUT, POST, DELETE) to access YANG-defined data on a network device

A file that defines the schema, including data types, groupings, and constraints for network configuration

A node in a YANG data model that groups related leaf nodes and other containers together

A NETCONF operation used to modify the configuration of a network device

Why these pairings

YANG is the modeling language, NETCONF uses XML RPCs over SSH, RESTCONF uses HTTP and YANG models. The pairs match each term to its core function.

Exam trap

Be careful not to confuse the roles of YANG, NETCONF, and RESTCONF. YANG is a modeling language, not a protocol. NETCONF uses SSH and XML, while RESTCONF uses HTTP and supports JSON/XML.

Many candidates mistakenly attribute HTTP/JSON to NETCONF or SSH to RESTCONF.

780
Drag & Drop (medium)

Drag and drop the following OSPFv2 neighbor state transitions into the correct order, starting from the initial state after an adjacency is attempted and ending with the fully adjacent state.


Why this order

OSPF neighbor states progress from Down to Init, then 2-Way, ExStart, Exchange, and finally Full (not listed).

Exam trap

Do not confuse the initial state with the first state where communication occurs. Down is the starting point, even though no communication has happened yet. Remember the full sequence: Down, Init, 2-Way, ExStart, Exchange, Loading, Full.

781
MCQ (medium)

A router learns the same prefix from both OSPF and EIGRP. Which route is installed by default?

A. The OSPF route because OSPF is link-state
B. The EIGRP route because it has the lower administrative distance
C. The route with the lower metric value regardless of protocol
D. Both routes are always installed
Answer: B

Correct. Lower AD wins between different routing protocols.

Why this answer

When identical prefixes are learned from different routing protocols, the router compares administrative distance first. EIGRP internal routes use AD 90, while OSPF uses AD 110.

Exam trap

Remember that lower administrative distance values indicate higher preference. Don't confuse protocol complexity with route preference.

Why the other options are wrong

A

The type of routing protocol (link-state vs. distance vector) does not determine route preference when comparing routes from different protocols. Route selection is based on administrative distance, not protocol characteristics.

C

Metrics are only comparable within the same routing protocol. Different protocols use different metrics (e.g., OSPF uses cost, EIGRP uses composite metric), so they cannot be directly compared. Administrative distance is used to choose between protocols.

D

By default, a router installs only the best route (lowest AD) for a given prefix into the routing table. Both routes are not installed unless features like equal-cost multipath or policy routing are configured, which is not the case here.

782
MCQ (hard)

R1 and R2 are connected via a GigabitEthernet link in the same IPv4 subnet, and both routers have OSPF configured in the same area. However, R1 is not learning any OSPF routes from R2. What is the most likely cause?

A. GigabitEthernet0/0 is configured as a passive OSPF interface on R1.
B. The routers must use different OSPF process IDs to exchange routes.
C. The routers are in different IPv4 subnets.
D. OSPF can advertise routes only across serial links.
Answer: A

This is correct because a passive OSPF interface does not send hellos and therefore will not form a neighbor adjacency on that link.

Why this answer

The most likely reason is that one side has the interface configured as passive, which prevents OSPF hello packets from being sent on that interface. In practical terms, the network statement alone does not guarantee neighbor formation. OSPF still needs active neighbor discovery on the link. If the interface is passive, the router advertises the connected network into OSPF but does not attempt to form an adjacency there.

This is a realistic routing troubleshooting pattern because the configuration can look mostly correct until you inspect the passive-interface setting.

Exam trap

A frequent exam trap is to incorrectly believe that OSPF process IDs must match between routers to exchange routes or that OSPF only works on serial links. Candidates may also overlook the passive-interface setting, assuming that the presence of correct network statements guarantees neighbor formation. The passive-interface command disables hello packets, which are essential for OSPF adjacency.

This subtle configuration detail often causes confusion because the router still advertises the network but refuses to form neighbors, leading to missing routes despite seemingly correct OSPF setup.

Why the other options are wrong

B

Incorrect because OSPF process IDs are locally significant and do not need to match between routers for adjacency or route exchange.

C

Incorrect because both routers' interfaces are in the same subnet 10.20.12.0/24, so subnet mismatch is not the cause of missing routes.

D

Incorrect because OSPF supports multiple link types including Ethernet; it is not limited to serial links only.

783
Drag & Drop (medium)

Drag and drop the following steps into the correct order to configure a Cisco switch with an IPv4 management address 192.168.1.10/24, an IPv6 address 2001:db8:1::1/64, and a default gateway 192.168.1.1.


Why this order

Correct order:

Enter global configuration mode – all subsequent configuration commands require this mode.

Enter interface configuration mode for VLAN 1 – the management SVI must be selected to apply IP settings.

Assign the IPv4 address 192.168.1.10 255.255.255.0 – sets the switch's management IPv4 address and subnet mask.

Enable the interface with the no shutdown command – activates the SVI so it can send and receive traffic.

Assign the IPv6 address 2001:db8:1::1/64 – enables IPv6 processing and statically configures a global unicast address.

Exit interface configuration mode to return to global configuration mode – required because the default gateway command is a global configuration command, not an interface subcommand.

Set the default gateway to 192.168.1.1 using the ip default-gateway command – provides the next-hop router for IPv4 traffic leaving the local subnet.

784
Drag & Drop (medium)

Drag and drop the following steps into the correct order to configure a primary default static route and a floating default static route on a Cisco router.


Why this order

First, enter global configuration mode. Then configure the primary default route (no administrative distance specified, default 1). Next, configure the floating default route with a higher administrative distance (e.g., 5).

Exit configuration mode, and finally verify the static routes in the routing table.

785
Multi-Select (medium)

Which TWO statements correctly describe how a router selects the best path for a destination network when multiple routing table entries exist?

Select 2 answers
A. Routes with the longest prefix length (most specific) are preferred over routes with a shorter prefix.
B. If two routes have the same prefix length, the route with the higher administrative distance is selected.
C. When the administrative distance is identical, the router compares the metric and selects the route with the lowest metric.
D. A directly connected route has an administrative distance of 1, making it more trustworthy than any dynamic route.
E. Dynamic routes are always preferred over directly connected routes because they can adapt to network changes.
Answers: A, C

The router always uses the longest-prefix match first. A /24 route is preferred over a /16 route for the same destination.

Why this answer

Routers select the best path by first applying the longest prefix match rule (most specific subnet mask), so option A is correct. If two routes have the same prefix length, the router then compares administrative distance (AD) and prefers the lower AD; option B is incorrect because it says higher AD is selected. When AD is equal, the router uses metric and chooses the lowest metric, making option C correct.

Option D is false because directly connected routes have an AD of 0, not 1, and they are indeed more trustworthy than dynamic routes but not due to AD 1. Option E is wrong because directly connected routes are always preferred over dynamic routes regardless of adaptability.
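The selection order described above (prefix length, then administrative distance, then metric), modelled in code. This is an added example, not part of the question bank. It separates the two decisions a router actually makes: building the routing table, where for each prefix only the lowest-AD route survives and, among equal AD, only the lowest metric; and the forwarding lookup, where the longest prefix among installed routes wins regardless of how the competing routes were learned. It also covers the primary and floating default static routes of question 784: the AD 5 floating route is installed only once the AD 1 primary disappears. The AD table holds the values quoted on this page (connected 0, static 1, EIGRP 90, OSPF 110); the sample routes, next hops and the `Route` model are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default administrative distances as quoted on this page
DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110}


@dataclass(frozen=True)
class Route:
    """A candidate route offered to the routing table (example model, not IOS internals)."""
    prefix: str           # e.g. "10.1.0.0/16"
    source: str           # key into DEFAULT_AD
    metric: int           # only comparable between routes of the same source
    next_hop: str
    ad: Optional[int] = None   # explicit override, e.g. a floating static with AD 5

    @property
    def admin_distance(self) -> int:
        return DEFAULT_AD[self.source] if self.ad is None else self.ad

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix, strict=True)


def install_routes(candidates: List[Route]) -> List[Route]:
    """Routing-table installation: per prefix keep the lowest AD, then the lowest
    metric among equal-AD routes (equal-cost routes are all kept)."""
    by_prefix: Dict[ipaddress.IPv4Network, List[Route]] = {}
    for r in candidates:
        by_prefix.setdefault(r.network, []).append(r)
    table: List[Route] = []
    for rs in by_prefix.values():
        best_ad = min(r.admin_distance for r in rs)
        same_ad = [r for r in rs if r.admin_distance == best_ad]
        best_metric = min(r.metric for r in same_ad)
        table.extend(r for r in same_ad if r.metric == best_metric)
    return table


def lookup(table: List[Route], destination: str) -> Optional[Route]:
    """Forwarding decision: longest prefix match among installed routes.
    AD and metric play no part here; they were settled at installation time."""
    dst = ipaddress.ip_address(destination)
    matching = [r for r in table if dst in r.network]
    if not matching:
        return None
    return max(matching, key=lambda r: r.network.prefixlen)


# Constructed sample: next hops are TEST-NET addresses, metrics are illustrative
SAMPLE_CANDIDATES = [
    Route("10.1.0.0/16", "static", 0, "192.0.2.1"),            # AD 1, short prefix
    Route("10.1.1.0/24", "ospf", 30, "192.0.2.2"),             # AD 110
    Route("10.1.1.0/24", "eigrp", 3072000, "192.0.2.3"),       # AD 90 beats OSPF for this prefix
    Route("10.2.0.0/16", "ospf", 40, "192.0.2.5"),             # same AD as the next line,
    Route("10.2.0.0/16", "ospf", 20, "192.0.2.6"),             # lower metric wins
    Route("0.0.0.0/0", "static", 0, "192.0.2.254"),            # primary default route, AD 1
    Route("0.0.0.0/0", "static", 0, "192.0.2.253", ad=5),      # floating default route
]

if __name__ == "__main__":
    table = install_routes(SAMPLE_CANDIDATES)
    for dst in ("10.1.1.7", "10.1.9.9", "10.2.3.4", "203.0.113.9"):
        r = lookup(table, dst)
        print(f"{dst} -> {r.prefix} via {r.next_hop} ({r.source}, AD {r.admin_distance})")
```

The lookup for 10.1.1.7 is the case worth noting: it is forwarded via the EIGRP /24 even though the static /16 has the lower AD, because prefix length is compared before trust in the source. Removing the primary default route from the candidate list and re-running `install_routes` shows the AD 5 floating static taking over.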

Exam trap

Cisco often tests the exact administrative distance values (e.g., directly connected = 0, static = 1) and the correct comparison order (prefix length first, then AD, then metric) to catch candidates who confuse AD with metric or misremember default values.

Why the other options are wrong

B

The router selects the route with the lower administrative distance, not higher. Administrative distance is a measure of trustworthiness; a lower value indicates a more reliable source. For example, a static route (AD 1) is preferred over an OSPF route (AD 110).

D

Directly connected routes have an administrative distance of 0, not 1. An AD of 0 is the most trustworthy and cannot be overridden by any dynamic route. The value 1 is used for static routes.

E

Directly connected routes have an AD of 0, which is lower than any dynamic routing protocol (e.g., OSPF AD 110, EIGRP AD 90). Therefore, directly connected routes are always preferred over dynamic routes, not the other way around.

786
Matching (medium)

Drag and drop the DNS record types on the left to the correct descriptions on the right.

Maps a hostname to an IPv4 address

Maps a hostname to an IPv6 address

Aliases one hostname to another canonical name

Specifies mail exchange servers for a domain

Lists authoritative name servers for a zone

Maps an IP address to a hostname (reverse lookup)

Why these pairings

The pairings are A (IPv4 address), AAAA (IPv6 address), CNAME (alias to a canonical name), MX (mail exchange servers), NS (authoritative name servers for the zone) and PTR (reverse lookup). These are standard DNS record types as defined in the DNS RFCs and are tested in networking certifications such as the CCNA.

Exam trap

Be careful not to confuse A and AAAA records (IPv4 vs IPv6) or to think that CNAME or MX records directly map names to IP addresses. The A record is the only one that directly maps a name to an IPv4 address.

787
MCQ (hard)

A user on VLAN 10 reports that they cannot ping the default gateway at 192.168.10.1 from their PC with IP 192.168.10.50/24. The switch interface connecting to the PC is up/up, and the PC shows a valid IP configuration. What is the most likely cause of this connectivity failure?

A. Change the switchport mode to trunk to allow VLAN 10 traffic.
B. Configure an SVI for VLAN 10 with an IP address in the 192.168.10.0/24 subnet.
C. Change the PC's IP address to a different subnet, such as 192.168.20.0/24.
D. Recreate VLAN 10 and reassign the port to it.
Answer: B

This creates a Layer 3 interface on the switch that can serve as the default gateway for hosts in VLAN 10.

Why this answer

The PC and default gateway are on the same subnet (192.168.10.0/24), but the switch lacks a Layer 3 interface for VLAN 10. Without an SVI (Switch Virtual Interface) configured with an IP address in that subnet, the switch cannot route traffic to the gateway or respond to ARP requests from the PC, breaking connectivity even though the access port is up/up.

Exam trap

Cisco often tests the misconception that a VLAN alone provides Layer 3 connectivity, when in fact an SVI or a separate router-on-a-stick configuration is required for inter-VLAN routing and default gateway functionality.

Why the other options are wrong

A

A trunk port is used to carry multiple VLANs between switches, not to connect an end device like a PC. Configuring the switchport as trunk would break connectivity because the PC expects an access port.

C

Changing the PC's IP subnet would not resolve the issue because the PC would still need a default gateway on its new subnet. The root cause is the missing SVI on the switch, not the PC's IP address.

D

Recreating VLAN 10 and reassigning the port does not address the missing SVI. The VLAN already exists and the port is correctly assigned; the issue is at Layer 3, not Layer 2.

788
Matching (medium)

Match each term to the role it most directly plays in an API workflow.

Describes the intended action such as retrieve or delete

Identifies the target resource path

Supports access control for the request

Provides the structured payload format

Why these pairings

Each term is correctly paired with its role in an API workflow.

Exam trap

Be careful not to confuse the role of the URI with the HTTP method or other components. The URI's primary function is identification, not action or data carriage.

789
MCQ (medium)

A network engineer is troubleshooting a connectivity issue between two hosts on different VLANs. The engineer captures traffic on an IOS-XE router's GigabitEthernet0/1 interface using embedded packet capture (EPC). The output shows ARP requests from Host A (192.168.1.10) but no ARP replies from Host B (192.168.2.20). What is the most likely cause of this issue?

A. The router's interface is configured as an access port instead of a trunk.
B. The router's interface does not have an IP address configured in the VLAN 2 subnet.
C. Host A is in a different VLAN than the router's interface.
D. The router's interface has a duplex mismatch with the switch.
Answer: B

For inter-VLAN routing, the router must have an IP address in each VLAN's subnet to act as the default gateway and respond to ARP requests. Without an IP in VLAN 2, it cannot reply to ARP requests for 192.168.2.20.

Why this answer

The router's GigabitEthernet0/1 interface must have an IP address in the same subnet as Host B (192.168.2.20) to act as the default gateway for VLAN 2. Without an IP address in the VLAN 2 subnet, the router cannot respond to ARP requests for that subnet, so Host A's ARP requests for Host B go unanswered. This is the most likely cause because the router performs inter-VLAN routing only when it has an interface (or subinterface) with an IP address in the destination VLAN's subnet.

Exam trap

Cisco often tests the misconception that a router automatically routes between VLANs if it is connected to a switch via a trunk, but the router must have an IP address in each VLAN's subnet to respond to ARP and forward traffic.

Why the other options are wrong

A

The router's interface is a routed port, not a switchport; access/trunk concepts apply to switch interfaces. Even if it were a switch interface, the issue is about ARP replies, which require Layer 3 addressing, not trunking.

C

ARP requests are Layer 2 broadcasts; if the router's interface is in the same VLAN as Host A, it will receive the request. The problem is that the router does not reply, indicating it lacks an IP in the destination subnet.

D

Duplex mismatch causes CRC errors and collisions, but ARP requests would still be received and could be replied to. The capture shows clean ARP requests with no replies, pointing to a Layer 3 issue, not physical layer.

790
MCQ (medium)

Why is centralized logging especially useful when combined with NTP?

A. Because synchronized clocks make centralized log timelines easier to analyze accurately.
B. Because NTP assigns the Syslog server its IP address.
C. Because Syslog replaces authentication when NTP is present.
D. Because centralized logging blocks unauthorized traffic automatically.
Answer: A

This is correct because NTP improves the usefulness of centralized logs by aligning timestamps.

Why this answer

Centralized logging is much more useful when device clocks are synchronized because the timestamps can be correlated properly. In practical terms, collecting messages in one place is valuable, but if one router thinks it is 9:00 and another thinks it is 9:17, the event sequence becomes confusing. NTP solves that time-alignment problem.

This is a common operations best practice. Syslog provides the central visibility, and NTP makes the timeline trustworthy.

Exam trap

A common exam trap is to mistakenly believe that NTP provides IP addressing or security functions such as blocking unauthorized traffic. Some may also incorrectly assume that syslog replaces authentication mechanisms when NTP is present. These misconceptions arise because candidates confuse the distinct roles of NTP and syslog.

NTP strictly synchronizes time, while syslog collects logs. Neither assigns IP addresses nor enforces access control. Understanding this separation is crucial to avoid selecting incorrect answers that attribute unrelated functions to NTP or centralized logging.

Why the other options are wrong

B

Option B is incorrect because NTP does not assign IP addresses to syslog servers or any devices. IP addressing is handled by DHCP or manual configuration, not by NTP.

C

Option C is incorrect because syslog does not replace authentication mechanisms. NTP and syslog are unrelated to access control or authentication processes in Cisco networks.

D

Option D is incorrect because centralized logging improves visibility into network events but does not block unauthorized traffic. Traffic enforcement is managed by firewalls, ACLs, or other security features.

791
Multi-Select (medium)

A switchport connected to an employee PC must allow the normal endpoint to connect but immediately err-disable the port if a switch is plugged in. Which two features should be configured on that access port?

Select 2 answers
A. spanning-tree bpduguard enable
B. switchport port-security maximum 1
C. spanning-tree portfast
D. storm-control broadcast level 5.00
Answers: A, C

BPDU Guard shuts down an access port that unexpectedly receives BPDUs from another switch.

Why this answer

For edge access ports, PortFast brings the port up quickly for end devices, and BPDU Guard protects against someone connecting a switch by err-disabling the interface when BPDUs arrive.

Exam trap

A frequent exam trap is selecting 'switchport port-security maximum 1' as a solution to prevent unauthorized switches. While port security limits MAC addresses, it does not detect BPDUs or immediately disable the port if a switch is connected. This can allow a switch to connect and cause Layer 2 loops.

Another trap is confusing storm control with BPDU Guard; storm control only limits broadcast traffic rates and does not err-disable ports on BPDU reception. Candidates must understand that only BPDU Guard combined with PortFast provides the immediate err-disable protection for access ports against switch connections.

Why the other options are wrong

B

'switchport port-security maximum 1' limits MAC addresses but does not detect BPDUs or err-disable the port on switch connections, so it does not meet the requirement to immediately disable the port on switch attachment.

D

'storm-control broadcast level 5.00' limits broadcast traffic but does not err-disable the port upon detecting a switch or BPDUs, so it does not fulfill the requirement to disable the port immediately if a switch is plugged in.

792
MCQ (medium)

A router learns 203.0.113.0/24 through OSPF and 203.0.113.0/25 through a static route. Which route is used for traffic destined to 203.0.113.10?

A. The OSPF /24 route
B. The static /25 route
C. Both routes equally
D. Neither route because the prefixes overlap
Answer: B

Correct. The /25 is more specific and matches the destination.

Why this answer

Routers prefer the most specific matching route first. The /25 route is more specific than the /24 and includes 203.0.113.10.

Exam trap

Remember that the most specific route (longest prefix) is always preferred, regardless of the routing protocol.

Why the other options are wrong

A

The OSPF /24 route is less specific than the static /25 route. The longest prefix match rule dictates that the /25 route is preferred for destination 203.0.113.10, which falls within the /25 range.

C

Equal-cost load balancing only applies when multiple routes have the same prefix length and metric. Here, the prefix lengths differ (/24 vs /25), so the longest prefix match selects the /25 route exclusively.

D

Overlapping routes are common in routing tables and do not cause a problem. The router always selects the most specific match (longest prefix) for forwarding, so both routes can coexist.

793
MCQ (hard)

A switch port connected to a user PC should be placed in VLAN 20 and must not negotiate trunking. Which configuration is the most appropriate?

A. switchport mode access; switchport access vlan 20
B. switchport mode trunk; switchport trunk native vlan 20
C. switchport mode dynamic desirable; switchport trunk allowed vlan 20
D. no switchport; ip address 192.168.20.1 255.255.255.0
Answer: A

This is correct because it explicitly makes the port an access port in VLAN 20.

Why this answer

The most appropriate configuration is to force the interface into access mode and assign it to VLAN 20. In practical terms, a normal user-facing switch port is supposed to carry one VLAN only. There is no reason to rely on dynamic trunk negotiation for a desktop or laptop connection. Explicit access-port configuration is cleaner, more predictable, and safer.

This is a common switching best-practice question. The wrong answers usually leave room for unwanted trunking behavior or move the interface into a completely different role. The right answer combines the correct port role with the correct VLAN membership.

Exam trap

Avoid assuming 'auto' mode is always safe; it can lead to unintended trunking.

Why the other options are wrong

B

This configuration makes the port a trunk port, which is used to carry multiple VLANs between switches, not for a single user PC. The 'switchport trunk native vlan 20' command sets the native VLAN for untagged traffic on the trunk, but the port still actively negotiates trunking via DTP, violating the requirement to not negotiate trunking.

C

The 'switchport mode dynamic desirable' command actively attempts to form a trunk with the connected device via DTP, which contradicts the requirement to not negotiate trunking. Additionally, 'switchport trunk allowed vlan 20' only restricts which VLANs are allowed on the trunk, but the port is still in trunking mode, not an access port.

D

The 'no switchport' command converts the Layer 2 switch port into a Layer 3 routed interface, which cannot be assigned to a VLAN. This configuration is used for routing between VLANs or connecting to routers, not for connecting a user PC to a specific VLAN.

794
Matching (medium)

Match each automation concept to its most accurate description.

Centralized management and policy platform

Defined software interface for communication between systems

Architectural style commonly using HTTP methods

Lightweight structured data format

Why these pairings

Controller provides centralized management and policy enforcement across network devices. API (Application Programming Interface) defines a standardized software interface for communication between systems. REST (Representational State Transfer) is an architectural style that commonly uses HTTP methods like GET, POST, PUT, DELETE.

JSON (JavaScript Object Notation) is a lightweight, human-readable data format used for data interchange. Each pairing correctly matches the concept to its core characteristic.

Exam trap

Be careful not to confuse declarative and imperative models: declarative says 'what' (desired state), imperative says 'how' (steps). Also, configuration drift is always unintentional, not a planned change.

795
MCQ (hard)

A host is configured with IP address 192.168.50.94/27. Which subnet contains that host?

A. 192.168.50.32/27
B. 192.168.50.64/27
C. 192.168.50.96/27
D. 192.168.50.0/27
Answer: B

This is correct because .94 falls within the .64 through .95 block.

Why this answer

A /27 subnet has a block size of 32. In simple terms, the fourth-octet ranges are 0–31, 32–63, 64–95, 96–127, and so on. Because 94 falls inside the 64–95 range, the network address for the host’s subnet is 192.168.50.64/27.

This kind of question tests whether you can move from prefix length to block size and then place the host inside the correct interval. The most common mistake is choosing a nearby boundary like 96 or 32 without calculating the actual block that contains the address.

Exam trap

Always calculate the subnet range using the block size derived from the prefix length to avoid choosing incorrect boundaries.

Why the other options are wrong

A

The subnet 192.168.50.32/27 covers addresses 192.168.50.32 to 192.168.50.63. The host address 192.168.50.94 is outside this range, so it does not belong to this subnet.

C

The subnet 192.168.50.96/27 covers addresses 192.168.50.96 to 192.168.50.127. The host address 192.168.50.94 is below this range, so it does not belong to this subnet.

D

The subnet 192.168.50.0/27 covers addresses 192.168.50.0 to 192.168.50.31. The host address 192.168.50.94 is far above this range, so it does not belong to this subnet.
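As an added example that is not part of the question bank, the prefix-length-to-block-size arithmetic from question 795 in Python; plain bit operations are used instead of the ipaddress module so the "round down to the block boundary" step is visible, and the function also checks a list of candidate subnets the way the four options above are checked.

```python
"""Subnet arithmetic for question 795: prefix length -> block size -> containing block.

Added example, not from the question bank. Plain integer bit operations are used
(no ipaddress module) so the 'round down to the block boundary' step is visible.
"""
from typing import Dict, List, Optional


def ipv4_to_int(addr: str) -> int:
    """Dotted quad -> 32-bit integer, rejecting malformed input."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | n
    return value


def int_to_ipv4(value: int) -> str:
    """32-bit integer -> dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def block_size(prefix_len: int) -> int:
    """Number of addresses in one subnet of this prefix length.

    /27 -> 32, /26 -> 64, /24 -> 256. Inside the 'interesting' octet this is the
    same number the exam shortcut '256 - mask octet' gives (256 - 224 = 32).
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return 1 << (32 - prefix_len)


def subnet_of(host: str, prefix_len: int) -> Dict[str, object]:
    """Network, host range and broadcast of the block that contains `host`.

    The network address is the host ANDed with the mask, i.e. the address
    rounded down to the nearest multiple of the block size (94 -> 64 for a /27).
    """
    size = block_size(prefix_len)
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    net = ipv4_to_int(host) & mask
    # /31 (point-to-point) and /32 have no network/broadcast overhead.
    classic = prefix_len <= 30
    return {
        "network": f"{int_to_ipv4(net)}/{prefix_len}",
        "first_host": int_to_ipv4(net + 1 if classic else net),
        "last_host": int_to_ipv4(net + size - 2 if classic else net + size - 1),
        "broadcast": int_to_ipv4(net + size - 1),
        "block_size": size,
        "usable_hosts": size - 2 if classic else size,
    }


def pick_subnet(host: str, candidates: List[str]) -> Optional[str]:
    """Return the candidate network (e.g. '192.168.50.64/27') that contains `host`.

    Each candidate is normalised to its own block first, so a candidate written
    with host bits set is treated as the block it lies in.
    """
    for cand in candidates:
        net_txt, plen_txt = cand.split("/")
        plen = int(plen_txt)
        if subnet_of(net_txt, plen)["network"] == subnet_of(host, plen)["network"]:
            return cand
    return None


if __name__ == "__main__":
    # Question 795: which /27 contains 192.168.50.94?
    print(subnet_of("192.168.50.94", 27))
    print(pick_subnet("192.168.50.94", ["192.168.50.32/27", "192.168.50.64/27",
                                        "192.168.50.96/27", "192.168.50.0/27"]))
```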

796
PBQ (hard)

You are connected to R1, a Cisco ISR 4321 running IOS-XE. Configure SNMPv2c with a read-only community string 'public' and SNMPv3 with user 'admin' using SHA authentication and AES encryption. Ensure SNMP traps are sent to the management server at 203.0.113.10. Additionally, configure NetFlow export to destination 203.0.113.20 on UDP port 2055 using version 9. Verify your configuration with appropriate show commands. The current running-config is incomplete; you must add the missing commands.

Network Topology
R1 G0/0 192.168.1.1/24, connected to the Management Network (Server)

Hints

  • SNMPv3 user configuration requires both auth and priv algorithms and passwords.
  • For SNMP traps, specify the trap receiver IP and community string.
  • NetFlow export configuration uses global commands; no interface-level configuration is needed for basic export setup.
A.
  snmp-server community public ro
  snmp-server user admin snmp-group v3 auth sha cisco priv aes 128 cisco
  snmp-server host 203.0.113.10 traps version 2c public
  ip flow-export destination 203.0.113.20 2055
  ip flow-export version 9
B.
  snmp-server community public ro
  snmp-server user admin snmp-group v3 auth sha cisco priv aes 128 cisco
  snmp-server host 203.0.113.10 traps version 3 auth public
  ip flow-export destination 203.0.113.20 2055
  ip flow-export version 9
C.
  snmp-server community public ro
  snmp-server user admin snmp-group v3 auth md5 cisco priv des56 cisco
  snmp-server host 203.0.113.10 traps version 2c public
  ip flow-export destination 203.0.113.20 2055
  ip flow-export version 9
D.
  snmp-server community public ro
  snmp-server user admin snmp-group v3 auth sha cisco priv aes 128 cisco
  snmp-server host 203.0.113.10 traps version 2c public
  ip flow-export destination 203.0.113.20 2055
  ip flow-export version 5
Answer: A
solution
! R1
! SNMPv3 user: the group name and the 'v3' keyword are required (as in option A)
snmp-server user admin snmp-group v3 auth sha cisco priv aes 128 cisco
! trap receiver for the SNMPv2c community
snmp-server host 203.0.113.10 traps version 2c public
! NetFlow v9 export to the collector on UDP 2055
ip flow-export destination 203.0.113.20 2055
ip flow-export version 9
! verify: show snmp / show ip cache flow

Why this answer

The initial config has only a basic SNMPv2c community string. To meet requirements: enable SNMPv3 with a user 'admin' using SHA authentication and AES 128-bit encryption. The correct command requires a group name and the 'v3' keyword, e.g., 'snmp-server user admin snmp-group v3 auth sha cisco priv aes 128 cisco'.

Configure SNMP trap destination with 'snmp-server host 203.0.113.10 traps version 2c public'. For NetFlow, use 'ip flow-export destination 203.0.113.20 2055' and 'ip flow-export version 9'. Verify with 'show snmp' and 'show ip cache flow'.

Option B incorrectly uses version 3 traps with a community string; version 3 requires a security name. Option C uses insecure MD5/DES56 instead of SHA/AES. Option D uses NetFlow version 5 instead of version 9.

Exam trap

Forgetting to include a group name and the 'v3' keyword in the 'snmp-server user' command is a common syntax error that will cause the configuration to be rejected on real devices.

Why the other options are wrong

B

The trap host line uses 'version 3' and a community string ('public'), but SNMPv3 traps require a security name (the user) and an authentication level, not a community.

C

The SNMPv3 user is configured with MD5 and DES56, while the requirement is SHA authentication and AES 128-bit encryption.

D

The NetFlow export version is set to 5 instead of the required version 9.

797
Drag & Drop (medium)

A network engineer is configuring a new access switch that will connect to a distribution switch. The engineer must ensure that local hosts are placed in the correct VLANs before enabling trunking to the distribution switch to prevent VLAN mismatches and broadcast issues. Drag and drop the steps into the correct order.


Why this order

The correct order is to create VLANs first, then assign access ports to those VLANs so local hosts are properly placed and operational. Only then should 802.1Q trunks be configured to extend VLANs to other switches, because trunking before access port assignment could lead to operational inconsistencies. Options B and D would require access ports before VLANs exist, and Option C configures trunks prematurely in this scenario.

Exam trap

The exam trap is that candidates may confuse the order of creating VLANs and assigning ports. Always remember that VLANs must exist before they can be used. Also, trunk configuration typically comes after access port assignment in a logical workflow, though it is not strictly required.

798
MCQ (hard)

Refer to the exhibit. A network engineer is troubleshooting connectivity to server 10.10.10.130. The routing table contains both a static route and an OSPF route for overlapping prefixes. The engineer examines the specific routing entry for 10.10.10.130. Based on the output, why does the router choose the route via 10.1.1.2 instead of the OSPF route via 10.2.2.2 (for 10.10.10.0/24)?

A. The static route has a lower administrative distance (1) than the OSPF route (110).
B. The OSPF route is inactive because its next-hop 10.2.2.2 is down.
C. The static route has a longer prefix length (/26) than the OSPF route (/24), making it a more specific match.
D. The router prefers the static route because it has a metric of 0, which is better than the OSPF metric.
Answer: C

The routing entry explicitly shows the subnet mask /26. Longest prefix match is the first rule in IP routing, so the /26 is preferred despite AD or metric.

Why this answer

The exhibit shows "Routing entry for 10.10.10.128/26", a /26 prefix. The router uses longest prefix match as the first step in route selection, so a /26 is more specific than the OSPF /24 and chosen regardless of AD or metric.

Exam trap

Many candidates incorrectly think the static route wins because of its lower administrative distance (1 vs 110), overlooking that prefix length always takes precedence in the routing decision process.

Why the other options are wrong

A

This reflects a common misunderstanding that AD is the sole tie-breaker between routes from different sources, ignoring prefix length priority.

B

Candidates might assume that if the OSPF route is not used, it must be inactive; however, the exhibit does not show this.

D

Candidates may mistake metric for the primary selection criterion, not realizing prefix length dominates all other route comparison steps.
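As an added example (not from the question bank) serving questions 785, 792 and 798, the three-step selection order in Python: longest prefix match first, then lowest administrative distance, then lowest metric. The routing table, next hops and metrics are constructed for illustration; the AD values are IOS defaults.

```python
"""Route selection as tested in questions 785, 792 and 798:
longest prefix match first, then lowest administrative distance, then lowest metric.

Added example, not from the question bank. The routing table below is
constructed; next hops and metrics are illustrative, AD values are IOS defaults.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# IOS default administrative distances (the values the exam expects).
DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    source: str                  # key of DEFAULT_AD
    metric: int = 0
    ad: Optional[int] = None     # explicit AD overrides the default (floating static etc.)

    def admin_distance(self) -> int:
        return DEFAULT_AD[self.source] if self.ad is None else self.ad


def route(prefix: str, next_hop: str, source: str,
          metric: int = 0, ad: Optional[int] = None) -> Route:
    """Build a Route; strict=True rejects a prefix with host bits set."""
    return Route(ipaddress.ip_network(prefix, strict=True), next_hop, source, metric, ad)


def best_routes(table: List[Route], destination: str) -> List[Route]:
    """Return the route(s) used to forward to `destination`, or [] if none matches.

    1. Longest prefix match: only routes containing the destination, and of
       those only the most specific. This runs before AD or metric are looked
       at, which is why a static /26 beats an OSPF /24 (question 798) and a
       static /25 beats an OSPF /24 (question 792).
    2. Lowest administrative distance among equal prefix lengths.
    3. Lowest metric among equal AD. Several survivors = equal-cost load balancing.
    """
    dst = ipaddress.ip_address(destination)
    matching = [r for r in table if dst in r.prefix]
    if not matching:
        return []
    longest = max(r.prefix.prefixlen for r in matching)
    candidates = [r for r in matching if r.prefix.prefixlen == longest]
    lowest_ad = min(r.admin_distance() for r in candidates)
    candidates = [r for r in candidates if r.admin_distance() == lowest_ad]
    lowest_metric = min(r.metric for r in candidates)
    return [r for r in candidates if r.metric == lowest_metric]


def explain(table: List[Route], destination: str) -> str:
    """One-line summary of the forwarding decision."""
    chosen = best_routes(table, destination)
    if not chosen:
        return f"{destination}: no matching route"
    r = chosen[0]
    ecmp = f" (+{len(chosen) - 1} equal-cost path(s))" if len(chosen) > 1 else ""
    return (f"{destination}: {r.source} {r.prefix} via {r.next_hop}, "
            f"AD {r.admin_distance()}, metric {r.metric}{ecmp}")


# Constructed routing table covering each selection step.
SAMPLE_TABLE = [
    route("0.0.0.0/0", "198.51.100.1", "static"),
    # Question 792: OSPF /24 and static /25 for the same block.
    route("203.0.113.0/24", "10.9.9.1", "ospf", metric=20),
    route("203.0.113.0/25", "10.9.9.2", "static"),
    # Question 798: OSPF 10.10.10.0/24 via 10.2.2.2, static 10.10.10.128/26 via 10.1.1.2.
    route("10.10.10.0/24", "10.2.2.2", "ospf", metric=20),
    route("10.10.10.128/26", "10.1.1.2", "static"),
    # AD tie-break (question 785): the same /16 learned from OSPF and EIGRP.
    route("172.16.0.0/16", "10.3.3.1", "ospf", metric=30),
    route("172.16.0.0/16", "10.3.3.2", "eigrp", metric=3072),
    # Metric tie-break and ECMP: three OSPF paths to one /16.
    route("10.20.0.0/16", "10.4.4.1", "ospf", metric=20),
    route("10.20.0.0/16", "10.4.4.2", "ospf", metric=20),
    route("10.20.0.0/16", "10.4.4.3", "ospf", metric=40),
]

if __name__ == "__main__":
    for dst in ("203.0.113.10", "10.10.10.130", "10.10.10.5",
                "172.16.5.5", "10.20.0.7", "8.8.8.8"):
        print(explain(SAMPLE_TABLE, dst))
```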

799
Matching (medium)

Match each service or protocol to the problem it most directly helps solve.

Users can reach a service by IP but not by hostname

Clients do not receive IP settings automatically

Device clocks and log timestamps do not line up

Administrators need centralized event and message collection

Why these pairings

The pairings are DNS for reaching a service by hostname, DHCP for automatic IP settings, NTP for aligning device clocks and log timestamps, and syslog for centralized event and message collection. Each service or protocol directly addresses the specific networking problem described.

Exam trap

Be careful not to confuse the primary function of each protocol. For example, DHCP can provide additional options like NTP server, but its core purpose is IP address assignment. Similarly, SNMP monitors devices but does not perform traffic analysis.

Focus on the most direct problem each service solves.

800
Multi-Select (medium)

Which three of the following are characteristics of DHCP snooping on a Cisco switch? (Choose three.)

Select 3 answers
A. It differentiates trusted and untrusted ports to filter DHCP messages.
B. It builds and maintains a DHCP snooping binding database.
C. It prevents DHCP starvation attacks by rate-limiting DHCP messages on untrusted ports.
D. It encrypts DHCP traffic between the client and the server.
E. It replaces the DHCP server's IP address with a static route.
F. It requires all DHCP servers to be connected to untrusted ports.
Answers: A, B, C

Why this answer

DHCP snooping is a security feature that filters untrusted DHCP messages by differentiating trusted and untrusted ports. It builds and maintains a DHCP snooping binding database to track valid IP-to-MAC address assignments. Additionally, it prevents DHCP starvation attacks by rate-limiting DHCP messages on untrusted ports, typically using the 'ip dhcp snooping limit rate' command.

Exam trap

Cisco often tests that DHCP snooping's rate-limiting feature specifically targets DHCP starvation attacks, not rogue server attacks, and that the binding database is used for both IP source guard and dynamic ARP inspection integration.

801
Multi-Select (medium)

Which four of the following are common use cases or features of AI and Machine Learning in network operations? (Choose all that apply.)

Select 4 answers
A. Anomaly detection for security threats
B. Automated root cause analysis of network faults
C. Predictive maintenance of network hardware
D. Dynamic optimization of traffic routing based on real-time patterns
E. Manual configuration of static VLANs on access switches
F. Replacing all network engineers with fully autonomous AI
Answers: A, B, C, D

Why this answer

Anomaly detection for security threats uses ML to identify deviations from normal traffic patterns, enabling proactive threat identification. Automated root cause analysis leverages AI to correlate events and faults across the network to quickly pinpoint the source of issues. Predictive maintenance applies ML models to historical hardware data (e.g., error logs, temperature) to forecast failures before they occur.

Dynamic traffic routing uses reinforcement learning or other AI techniques to adapt routing decisions in real time based on changing network conditions. The two incorrect options are not AI/ML use cases: manual VLAN configuration is a static, rule-based task that does not involve learning or adaptation, and replacing all network engineers with fully autonomous AI is an unrealistic, futuristic concept not representative of current AI/ML applications in network operations.

Exam trap

Cisco often tests the distinction between tasks that are deterministic and manually configured (like static VLANs) and those that benefit from adaptive, pattern-based automation (like anomaly detection). Candidates sometimes assume that any automation feature qualifies as AI/ML, but manual configuration is not an AI/ML use case.

802
Matching (medium)

Drag and drop the PDU names on the left to the correct OSI model layers on the right.

Transport layer PDU (TCP)

Data Link layer PDU

Network layer PDU

Physical layer PDU

Application layer PDU

Why these pairings

The correct matches are: Segment → Transport layer PDU, Packet → Network layer PDU, Frame → Data Link layer PDU, Bits → Physical layer PDU, and Data → Application layer PDU. No encapsulation term is included in this exercise.

Exam trap

Be careful not to confuse the PDU names (segment vs. packet) and the direction of encapsulation. Many candidates mistakenly think encapsulation adds headers when going up the stack, but it actually adds them when going down.

803
Multi-Select (medium)

Which TWO statements accurately describe characteristics of copper and fiber optic cabling used in modern Ethernet networks?

Select 2 answers
A. Copper UTP cables can reliably transmit data up to 500 meters without a repeater.
B. Fiber optic cables are immune to electromagnetic interference (EMI).
C. Multi-mode fiber typically uses laser-based transmitters for short-range communication.
D. Single-mode fiber is designed for long-distance transmission with a narrow core.
E. Fiber optic cabling is generally less expensive per meter than copper cabling.
Answers: B, D

Fiber uses light, not electricity, so it is not affected by EMI, making it suitable for noisy environments.

Why this answer

Option B is correct because fiber optic cables transmit data as light pulses through glass or plastic cores, which are completely unaffected by electromagnetic interference (EMI), unlike copper cables that rely on electrical signals and are susceptible to EMI. Option D is correct because single-mode fiber uses a narrow core (typically 9 microns) and laser transmitters to support long-distance transmission (up to tens of kilometers) with low signal loss. Option A is wrong because copper UTP cables are limited to 100 meters without a repeater, not 500 meters.

Option C is wrong because multi-mode fiber typically uses LED or VCSEL transmitters for short-range communication, while laser-based transmitters are used with single-mode fiber. Option E is wrong because fiber optic cabling is generally more expensive per meter than copper cabling, though installation and equipment costs may differ.

Exam trap

Cisco often tests the distinction between multi-mode and single-mode fiber transmitters, where candidates mistakenly associate laser-based transmitters with multi-mode fiber instead of correctly identifying them with single-mode fiber's long-distance, narrow-core design.

Why the other options are wrong

A

Copper UTP cables have a maximum segment length of 100 meters for Ethernet, not 500 meters without a repeater.

C

Multi-mode fiber typically uses LED or VCSEL transmitters, not laser-based transmitters; lasers are used with single-mode fiber for long distances.

E

Fiber optic cabling is generally more expensive per meter than copper cabling, not less expensive.

804
Multi-Select (medium)

Which THREE statements about STP and Rapid PVST+ are correct?

Select 3 answers
A. Rapid PVST+ creates a separate spanning-tree instance for each VLAN, enabling per-VLAN load balancing.
B. PortFast should be configured on trunk ports to quickly transition them to forwarding state.
C. Rapid PVST+ uses a proposal/agreement process to quickly transition ports to forwarding.
D. BPDU Guard places a port in the error-disabled state if a BPDU is received, protecting against unexpected switches.
E. To make a switch the root bridge, you should assign it the highest bridge priority value among all switches.
Answers: A, C, D

Rapid PVST+ is Cisco's implementation of RSTP that runs one STP instance per VLAN. This allows the network to use different root bridges and forwarding paths per VLAN, distributing traffic across redundant links.

Why this answer

Rapid PVST+ is Cisco's per-VLAN implementation of the Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w). It creates a separate spanning-tree instance for each VLAN, which allows each instance to converge independently and enables per-VLAN load balancing by blocking different ports in different VLANs. This is a key advantage over classic STP (802.1D), which runs a single instance for all VLANs.

Exam trap

Cisco often tests the misconception that PortFast can be applied to trunk ports or that it accelerates STP convergence on trunks, but PortFast is only for edge ports and does not participate in the spanning-tree algorithm.

Why the other options are wrong

B

PortFast is unsafe on trunk ports; it is intended only for edge access ports.

E

The root bridge is determined by the lowest bridge priority, not the highest.

805
PBQ (hard)

You are connected to R1. The network has two routers: R1 (192.168.1.0/24 LAN) and R2 (Internet gateway). R1's inside LAN (192.168.1.0/24) must be translated to the public IP 203.0.113.1 using PAT (NAT overload) for Internet access. Additionally, the server at 192.168.1.100 must be reachable from the Internet via static NAT to 203.0.113.5. The current configuration is broken. Identify and fix the issues so that both PAT and static NAT work correctly.

Network Topology
Interfaces shown: G0/0 192.168.1.1/24, G0/1 203.0.113.2/29, S0/0/0 10.0.0.1/30. Devices: inside hosts (LAN), R1, WAN link, R2 (Internet).

Hints

  • Check which interfaces are marked as inside and outside — the public IP interface should be outside.
  • The ACL used for PAT must match the inside local network, not a different subnet.
  • The PAT command must include the keyword 'overload' to enable port address translation.
A.Change ACL 10 to permit 192.168.1.0 0.0.0.255, change G0/1 to 'ip nat outside', and ensure the PAT command includes 'overload'.
B.Change ACL 10 to permit 192.168.1.0 0.0.0.255, change G0/1 to 'ip nat inside', and ensure the PAT command includes 'overload'.
C.Change ACL 10 to permit 192.168.1.0 0.0.0.255, change G0/1 to 'ip nat outside', and remove the 'overload' keyword from the PAT command.
D.Change ACL 10 to permit 192.168.1.0 0.0.0.255, change G0/1 to 'ip nat inside', and remove the 'overload' keyword from the PAT command.
AnswerA
solution
! R1
configure terminal
! 1) Re-enter the PAT statement with the missing 'overload' keyword so many
!    inside hosts can share the single public address
no ip nat inside source list 10 interface GigabitEthernet0/1
ip nat inside source list 10 interface GigabitEthernet0/1 overload
! 2) ACL 10 must match the real inside subnet (192.168.1.0/24), not 10.0.0.0/8
no access-list 10
access-list 10 permit 192.168.1.0 0.0.0.255
! 3) The interface facing the public network is the NAT outside interface
interface GigabitEthernet0/1
no ip nat inside
ip nat outside
end

Why this answer

The configuration had three issues: 1) ACL 10 permitted 10.0.0.0/8 instead of the actual inside subnet 192.168.1.0/24, so no traffic matched PAT. 2) The PAT command was missing the 'overload' keyword, which is required for Port Address Translation; without it, the device attempts one-to-one dynamic NAT. 3) The interface facing the public network (G0/1) was incorrectly configured as 'ip nat inside' instead of 'ip nat outside'. The fix is to correct the ACL to permit 192.168.1.0 0.0.0.255, ensure the PAT command includes 'overload', and change G0/1 to 'ip nat outside'.

Exam trap

A common trap is confusing inside and outside interface designations. Remember: the interface facing the private network is 'ip nat inside', and the interface facing the public network is 'ip nat outside'. Also, PAT requires the 'overload' keyword; without it, you get dynamic NAT (one-to-one).

Why the other options are wrong

B

The specific factual error is that the interface with the public IP (203.0.113.1) must be configured as 'ip nat outside', not 'ip nat inside'. Marking it as inside would cause asymmetric NAT behavior and break translation.

C

The specific factual error is that PAT requires the 'overload' keyword. Without it, the router performs dynamic NAT (one-to-one translation), which would not support multiple hosts sharing a single public IP.

D

The specific factual errors are: (1) the interface with the public IP must be 'ip nat outside', and (2) PAT requires the 'overload' keyword. Both are violated here.

806
Multi-Selectmedium

Which TWO DNS record types are most commonly used together to verify both forward and reverse DNS mappings for an IPv6 address?

Select 2 answers
A.A record
B.AAAA record
C.CNAME record
D.PTR record
E.MX record
AnswersB, D

The AAAA record is the standard record type for mapping a domain name to an IPv6 address.

Why this answer

The AAAA record (Quad-A record) maps a domain name to an IPv6 address, making it the standard type for forward IPv6 lookups. The PTR record performs the reverse mapping—from an IPv6 address back to a domain name. Administrators routinely check both records with tools like nslookup or dig to ensure forward and reverse DNS consistency, which is critical for services such as email and security logging.

The other options (A, CNAME, MX) do not directly provide a domain-to-IPv6 mapping or its reverse verification.

Exam trap

Cisco often tests the misconception that an A record can be used for IPv6 addresses, but the A record is strictly for IPv4 (RFC 1035), while the AAAA record is the correct type for IPv6 (RFC 3596).

Why the other options are wrong

A

An A record maps a hostname to an IPv4 address, not an IPv6 address. Since the question specifically asks about IPv6, this record type is incorrect.

C

A CNAME record creates an alias from one domain name to another, not a direct mapping to an IP address. It does not provide the IP address itself, so it cannot verify the mapping to an IPv6 address.

E

MX records specify mail exchange servers for a domain and are used for email routing, not for mapping domain names to IP addresses. They do not provide IPv6 address mappings.
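The forward/reverse consistency check described above, as an added example that is not part of the original question bank: it builds the ip6.arpa name from an IPv6 address and compares the PTR target with the AAAA owner name. A constructed in-memory record table stands in for the resolver (the hostnames and 2001:db8::/32 addresses are made-up sample data) so the check runs offline.

```python
"""Forward/reverse DNS consistency check for IPv6 (AAAA + PTR).

Added example, not from the original page. In practice the lookups would go
to a resolver (dig/nslookup or a DNS library); here constructed sample
records replace DNS so the logic can run offline.
"""
import ipaddress


def reverse_name(addr: str) -> str:
    """Build the ip6.arpa name: all 32 nibbles of the expanded address, reversed."""
    expanded = ipaddress.IPv6Address(addr).exploded.replace(":", "")  # 32 hex digits
    return ".".join(reversed(expanded)) + ".ip6.arpa."


# Constructed sample zone data (documentation prefix 2001:db8::/32, not real hosts).
SAMPLE_AAAA = {
    "mail.example.test.": "2001:db8:0:1::25",
    "web.example.test.": "2001:db8:0:1::80",
    "orphan.example.test.": "2001:db8:0:1::99",  # no PTR record exists for this one
}
SAMPLE_PTR = {
    reverse_name("2001:db8:0:1::25"): "mail.example.test.",   # consistent
    reverse_name("2001:db8:0:1::80"): "wrong.example.test.",  # PTR points elsewhere
}


def check_host(name: str, aaaa=SAMPLE_AAAA, ptr=SAMPLE_PTR) -> dict:
    """Return the AAAA address, the PTR target and a verdict for one hostname.

    Verdicts: OK (PTR names the same host), MISMATCH (PTR names another host),
    NO_PTR (reverse record missing), NO_AAAA (no forward record at all).
    """
    addr = aaaa.get(name)
    if addr is None:
        return {"name": name, "aaaa": None, "ptr": None, "status": "NO_AAAA"}
    target = ptr.get(reverse_name(addr))
    if target is None:
        status = "NO_PTR"
    elif target.lower() == name.lower():  # DNS names compare case-insensitively
        status = "OK"
    else:
        status = "MISMATCH"
    return {"name": name, "aaaa": addr, "ptr": target, "status": status}


if __name__ == "__main__":
    for host in list(SAMPLE_AAAA) + ["nope.example.test."]:
        print(check_host(host))
```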

807
Drag & Dropmedium

Which of the following shows the correct order of steps to troubleshoot a suspected duplex mismatch and CRC errors on a Cisco IOS-XE interface?


Why this order

The proper troubleshooting flow requires moving through the correct configuration hierarchy: from privileged EXEC mode you first enter global configuration mode. Then you specify the affected interface to enter interface configuration mode, where the duplex and speed settings are applied. After making the changes, you exit all configuration modes back to privileged EXEC and use show commands to verify the interface status.

Option A follows this exact sequence. Option B is wrong because it tries to enter interface configuration without global config. Option C mistakenly attempts to set duplex/speed globally, which is not allowed.

Option D not only omits global config but also exits to the wrong mode, leaving you in global configuration instead of privileged EXEC for verification.

Exam trap

A common trap is to forget that you must enter global configuration mode before interface configuration mode. Another trap is to think that duplex and speed can be set globally, but they are interface-specific. Always remember the correct hierarchy: privileged EXEC -> global config -> interface config.

808
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure Root Guard on designated ports, Loop Guard on non-designated ports, and BPDU Guard on PortFast ports, including the recovery steps when a port enters err-disabled.


Why this order

The correct order is Option A because: 1) Root Guard is applied to designated ports to protect the root bridge election; 2) Loop Guard is applied to non-designated ports to prevent loops caused by unidirectional links; 3) BPDU Guard is applied to PortFast-enabled ports to shut down ports that receive BPDUs unexpectedly. Options B, C, and D incorrectly assign these guards to the wrong port roles (e.g., Option B places BPDU Guard on designated ports and Root Guard on non-designated ports, which violates the intended protection). Steps 4 and 5 apply only to BPDU Guard, as it transitions the port to err-disabled state upon BPDU reception; Root Guard and Loop Guard cause blocking states (root-inconsistent or loop-inconsistent), not err-disabled.

Therefore, the recovery steps (errdisable recovery and manual re-enable) are only relevant for ports configured with BPDU Guard.

Exam trap

Do not confuse the port roles: Root Guard is for designated ports, Loop Guard for non-designated, and BPDU Guard for PortFast. Also remember that errdisable recovery requires both global configuration and manual interface re-enablement.

809
Drag & Dropmedium

Drag and drop the following steps into the correct order to retrieve a specific interface's configuration via RESTCONF and apply a change to the interface description.


Why this order

First retrieve the config, parse it, modify the description, apply the change, then verify.

Exam trap

The key trap is confusing the order of operations: you must retrieve before modifying, and apply before verifying. Candidates often mix up the sequence, especially placing verification too early or modification before retrieval.

810
MCQhard

An IPv6 host successfully reaches neighbors on its local segment, but it cannot reach remote IPv6 destinations. The host has a global unicast address and a correct prefix length. Which missing item is the strongest suspect?

A.A usable default router or next-hop route for off-link IPv6 traffic
B.A NAT rule translating IPv6 to IPv4
C.A VLAN trunk on the host NIC
D.A second global unicast address on the same interface
AnswerA

This is correct because the host needs a next hop to reach remote IPv6 destinations.

Why this answer

The strongest suspect is the absence of a usable default router learned through IPv6 router advertisements or equivalent configuration. While local connectivity works because the host can communicate on its own link, remote IPv6 destinations require a next hop off the local segment. Option B is wrong because IPv6-to-IPv4 NAT is unnecessary for native IPv6 communication and would not be the primary cause of off-link failure.

Option C is wrong because a VLAN trunk on the host NIC is for carrying multiple VLANs, not for enabling off-link routing. Option D is wrong because a second global unicast address does not provide a default route; it only adds another local address.

Exam trap

Don't confuse local connectivity success with overall network configuration correctness. Always check for a default route when remote communication fails.

Why the other options are wrong

B

NAT rules are not required for native IPv6 communication and would not be the first suspect when a host cannot reach remote IPv6 destinations.

C

A VLAN trunk on the host NIC relates to Layer 2 segmentation, not to providing a default route for off-link IPv6 traffic.

D

A second global unicast address on the same interface does not supply the missing default route needed to reach off-link destinations.

811
PBQhard

You are connected to the Cisco WLC (WLC-1) via its management IP 192.168.1.10. The wireless network 'CorpNet' is configured but clients cannot associate. Troubleshoot and resolve the issue: clients report 'Association failed' and the SSID is not visible in site surveys. Ensure that after your fix, the SSID is broadcast, WPA3 is used, and the WLAN is mapped to VLAN 20. Also, verify the WLC management interface is accessible over HTTPS.

Network Topology
switch - WLC-1 - clients

Hints

  • Check if the WLAN is enabled and broadcasting the SSID.
  • Verify that the WLAN is mapped to a user VLAN, not the management interface.
  • Ensure HTTPS is enabled for web management access.
A.Enable the WLAN, set Broadcast SSID to Enabled, create a dynamic interface for VLAN 20 and map the WLAN to it, and enable the HTTPS server.
B.Enable the WLAN, set Broadcast SSID to Enabled, change the interface to the management interface, and enable the HTTPS server.
C.Enable the WLAN, keep Broadcast SSID Disabled for security, create a dynamic interface for VLAN 20 and map the WLAN to it, and enable the HTTPS server.
D.Enable the WLAN, set Broadcast SSID to Enabled, create a dynamic interface for VLAN 20 and map the WLAN to it, but leave HTTPS disabled for security.
AnswerA
solution
! WLC-1 (AireOS CLI syntax)
! Create the dynamic interface for the user VLAN and address it
! (the gateway 192.168.20.254 is an assumed value; the question gives none)
config interface create vlan20 20
config interface address dynamic-interface vlan20 192.168.20.1 255.255.255.0 192.168.20.254
! Map the WLAN to the user VLAN instead of the management interface
config wlan interface 1 vlan20
! Make the SSID visible and bring the WLAN up
config wlan broadcast-ssid enable 1
config wlan enable 1
! Allow HTTPS access to the management interface
config network secureweb enable

Why this answer

The WLAN was disabled, the SSID was hidden (Broadcast SSID Disabled), and it was incorrectly mapped to the management interface instead of a user VLAN. Additionally, HTTPS access was disabled. The solution: enable the WLAN, enable SSID broadcast, change the interface to a VLAN 20 interface (e.g., create a dynamic interface 'vlan20' with VLAN 20), and enable the HTTPS server for management access.

Note: On an AireOS WLC, the correct commands use `config wlan enable <wlan_id>`, `config wlan broadcast-ssid enable <wlan_id>`, and `config network secureweb enable` for HTTPS.

Exam trap

This question tests your ability to identify multiple misconfigurations simultaneously. Common traps: confusing management interface with user VLANs, thinking hidden SSID is acceptable when broadcast is required, and overlooking the HTTPS requirement. Also, ensure you use AireOS-specific commands, not IOS commands like `ip http secure-server`.

Always verify all requirements in the question.

Why the other options are wrong

B

The specific factual error: The management interface is for WLC management traffic, not client data. Client traffic should be on a separate user VLAN.

C

The specific factual error: Broadcast SSID must be enabled for the SSID to be visible. Disabling it hides the SSID, which contradicts the requirement to make it visible.

D

The specific factual error: HTTPS must be enabled for management access. Disabling it would block HTTPS connections to the WLC.

812
Multi-Selectmedium

Which TWO statements correctly describe the configuration and verification of IPv4 and IPv6 parameters for host connectivity, including default gateway, DNS, and subnet masks?

Select 2 answers
A.The subnet mask determines the DNS server address used by the host.
B.The default gateway must be on the same subnet as the host's IP address.
C.IPv6 hosts can only obtain their IP address via DHCPv6.
D.The command 'ipconfig /all' displays both IPv4 and IPv6 configuration details.
E.A host can reach any remote network if its default gateway is configured with any IP address.
AnswersB, D

For a host to send traffic to a remote network, it must use a default gateway that is reachable on its local subnet.

Why this answer

Option B is correct because a host's default gateway must be on the same subnet so the host can resolve the gateway's MAC address with ARP and reach it directly at Layer 2; a gateway on a different subnet would itself need a gateway to be reached. Option D is correct because the 'ipconfig /all' command displays both IPv4 and IPv6 configuration details, including IP address, subnet mask, default gateway, and DNS servers. Option A is wrong because the subnet mask determines the network and host portions of an IP address, not the DNS server address.

Option C is wrong because IPv6 hosts can obtain their IP address via SLAAC, DHCPv6, or static configuration; the phrase 'can only' makes it incorrect. Option E is wrong because the default gateway must be reachable (on the same subnet) and configured with an IP address that belongs to a router interface on that subnet, not just any IP address.

Exam trap

Cisco often tests the misconception that IPv6 hosts require DHCPv6 for address assignment, when in fact SLAAC is a common and valid method, and the question's wording 'can only' is the trap that eliminates Option C.

Why the other options are wrong

A

The subnet mask is used to determine the network portion of an IP address and the host portion, not the DNS server address. DNS server addresses are configured separately, either manually or via DHCP.

C

IPv6 hosts can obtain their IP address via Stateless Address Autoconfiguration (SLAAC), which does not require DHCPv6. DHCPv6 is optional and used for stateful configuration or to provide additional parameters.

E

The default gateway must be on the same subnet as the host's IP address; otherwise, the host cannot send Ethernet frames to it because the gateway's MAC address would not be reachable via ARP. An arbitrary IP address would not work.

813
MCQhard

Two switches should form an EtherChannel with LACP. One side is set to active and the other is set to passive. If the remaining interface settings match, what is the expected result?

A.The EtherChannel should form successfully.
B.The EtherChannel fails because both sides must be active.
C.The interfaces automatically become routed ports.
D.The switches delete the port-channel automatically.
AnswerA

This is correct because active/passive is a valid LACP negotiation pairing.

Why this answer

The EtherChannel should form successfully. In practical terms, active mode initiates LACP negotiation and passive mode listens and responds. Because one side is actively starting the negotiation, the bundle can come up if the interfaces also match in operational settings such as speed, duplex, switchport mode, and VLAN characteristics.

This is a classic LACP pairing question. Active/passive works. Passive/passive is the combination that usually fails to start the bundle.

Exam trap

Remember, LACP requires only one side to be active; passive mode will still respond.

Why the other options are wrong

B

LACP allows an active port to form a bundle with a passive port; the passive side simply waits for LACP packets from the active side. Therefore, both sides do not need to be active.

C

LACP mode does not change the Layer 2 or Layer 3 status of interfaces; it only controls the negotiation of EtherChannel bundling. Interfaces remain as switchports unless explicitly configured as routed ports.

D

LACP negotiation failure does not automatically delete the port-channel interface or its configuration. The port-channel remains, but the member ports will not bundle and will operate as individual ports.

814
Multi-Selectmedium

Which TWO statements correctly describe the configuration and verification of IPv4 and IPv6 parameters for host connectivity?

Select 2 answers
A.On a Windows host, the default gateway IPv4 address must be on the same subnet as the host's IPv4 address.
B.The IPv6 default gateway can be any global unicast address on the internet.
C.The subnet mask is used to define the host portion of an IPv4 address.
D.A DNS server address can be statically configured on a host or obtained dynamically via DHCP.
E.Configuring a DNS server is mandatory for a host to communicate with any other device on the same subnet.
AnswersA, D

The default gateway must be reachable directly via Layer 2; therefore it must share the same network/subnet as the host.

Why this answer

Option A is correct because for a host to reach outside its subnet, the default gateway's IP must be in the same subnet; otherwise the host cannot ARP for the gateway's MAC and traffic will fail. Option D is correct because DNS server addresses can be set manually or assigned via DHCP. Option B is wrong because IPv6 gateways must be on the same local link, not any global unicast address on the internet.

Option C is wrong because the subnet mask defines the network/subnet portion of an IPv4 address, not the host portion. Option E is wrong because DNS is used for name resolution; local IP communication on the same subnet works without DNS.

Exam trap

Cisco often tests the misconception that a default gateway can be any routable address, but the trap here is that both IPv4 and IPv6 default gateways must be on the same local subnet as the host for Layer 2 reachability.

Why the other options are wrong

B

An IPv6 default gateway must be on the same local link, not just any globally routable address.

C

The subnet mask identifies the network bits, not the host bits; the host portion is the inverse of the mask.

E

DNS resolves names to IPs; hosts on the same subnet can communicate with IP addressing alone, making DNS optional.

815
MCQhard

A switch receives BPDUs on a user-facing port configured as an edge port, but instead of just blocking the port role it fully error-disables it. Which protection feature most likely explains that behavior?

A.BPDU Guard
B.Root guard
C.Port security
D.DHCP snooping
AnswerA

This is correct because BPDU Guard typically error-disables an edge port that receives BPDUs.

Why this answer

BPDU Guard most likely explains that behavior. In practical terms, BPDU Guard is used to protect ports that are expected to face ordinary endpoints, not other switches. If BPDUs appear on such a port, the device treats that as a serious topology-policy violation and shuts the port down.

This is different from features that merely influence spanning-tree role choice without fully error-disabling the interface.

Exam trap

Be careful not to confuse BPDU Guard with other spanning tree protection features that do not disable ports upon receiving BPDUs.

Why the other options are wrong

B

Root guard does not error-disable a port; instead, it places the port into a root-inconsistent state if a superior BPDU is received, preventing the port from becoming a root port. It is used to enforce the root bridge location, not to disable ports upon BPDU reception.

C

Port security restricts the number of MAC addresses learned on a port and can error-disable the port if a violation occurs (e.g., too many MAC addresses). It does not react to BPDUs; its focus is on MAC address learning, not spanning-tree BPDUs.

D

DHCP snooping is a security feature that filters DHCP messages and can error-disable a port if a DHCP violation occurs (e.g., rogue DHCP server). It does not inspect or react to BPDUs, which are layer 2 spanning-tree frames.

816
MCQhard

A host address is 172.16.8.70/26. What is the network address of its subnet?

A.172.16.8.0
B.172.16.8.64
C.172.16.8.70
D.172.16.8.128
AnswerB

This is correct because 70 falls within the 64–127 /26 block.

Why this answer

A /26 uses blocks of 64 addresses. In plain language, the fourth-octet subnet ranges are 0–63, 64–127, 128–191, and 192–255. Since the host address ends in 70, it belongs to the 64–127 block. That means the network address of the subnet is 172.16.8.64.

This is a standard subnetting calculation. The key is to identify the correct block based on the prefix and then choose the first address in that block as the network address.

Exam trap

A frequent exam trap is mistaking the host IP address for the network address or selecting the wrong subnet block based on the subnet mask. Candidates often pick 172.16.8.0 because it looks like a common network address or 172.16.8.128 assuming it’s the next block, but these do not contain the host 172.16.8.70 under a /26 mask. The trap arises from not calculating subnet ranges correctly or misunderstanding how subnet masks segment the address space into fixed blocks.

This mistake leads to incorrect subnet identification and can cause routing or addressing errors in real networks.

Why the other options are wrong

A

172.16.8.0 is incorrect because the /26 subnet blocks cover 0–63, 64–127, etc., and the host address 70 does not fall within the 0–63 range. Selecting this ignores the actual subnet boundaries defined by the mask.

C

172.16.8.70 is incorrect because this is the host address itself, not the network address. The network address must be the first address in the subnet block, not a host address within it.

D

172.16.8.128 is incorrect because this subnet block starts at 128, which is above the host address 70. The host does not belong to this subnet, so this cannot be the network address.

817
Drag & Dropmedium

Drag and drop the following steps into the correct order to sequence the DNS resolution process from a client query to receiving an A-record response, followed by the diagnostic workflow using nslookup and dig to identify a missing or incorrect A-record.


Why this order

The standard DNS resolution sequence ends with the client receiving the A-record. Troubleshooting uses nslookup first for basic checks, then dig +trace for detailed path analysis.

Exam trap

Do not confuse the client's initial query destination (configured DNS server, not root) and remember the troubleshooting order: nslookup before dig +trace. Also, avoid inserting extra steps like explicit cache returns.

818
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure a switch port for data and voice traffic.


Why this order

The correct order is: 1) Enter interface configuration mode, because all port-specific commands must be applied under the interface. 2) Set the port as an access port with 'switchport mode access'—a voice VLAN can only be assigned on an access port. 3) Assign the data VLAN with 'switchport access vlan' to ensure proper Layer 2 forwarding for data traffic. 4) Assign the voice VLAN with 'switchport voice vlan' so the IP phone's voice frames are tagged with the voice VLAN. 5) Enable PortFast with 'spanning-tree portfast' to immediately transition the port to forwarding, preventing DHCP timeouts for the phone and host.

819
Matchingmedium

Drag and drop the cable types and transceivers on the left to their corresponding distance limits or interface diagnostics on the right.

Matches

  • 100 meters maximum segment length
  • 550 meters maximum segment length
  • 5 km maximum segment length
  • 300 meters over multimode fiber
  • Displays interface errors, speed, and duplex

Why these pairings

Each cable type or transceiver has a specified maximum distance based on IEEE standards and fiber-optic characteristics. Cat5e UTP supporting 1000BASE-T is limited to 100 meters due to signal attenuation and the 1000BASE-T standard. Multimode fiber OM3 with 1000BASE-SX (short wavelength) reaches up to 550 meters because of modal dispersion and the SX transceiver's power budget.

Singlemode fiber with 1000BASE-LX (long wavelength) can transmit up to 5 kilometers due to lower attenuation and reduced dispersion in single-mode fiber. The SFP-10G-SR (short-reach 10 Gigabit) transceiver over OM3 multimode fiber has a maximum distance of 300 meters per the 10GBASE-SR standard. The 'show interfaces' command displays critical interface diagnostics such as input/output errors, speed, duplex settings, and CRC errors, which are essential for troubleshooting link issues.

Exam trap

Be careful not to confuse the distance limits of multimode vs. single-mode fiber. Remember: SX = short reach (hundreds of meters), LX = long reach (kilometers), ER = extended reach (tens of kilometers). Copper is always 100m.

820
Matchingmedium

Drag and drop the syslog severity levels and NTP concepts on the left to their correct descriptions on the right.

Matches

  • Emergency: system is unusable
  • Debugging: detailed debug messages
  • Reference clock (e.g., atomic clock or GPS)
  • Unsynchronized or maximum usable stratum
  • Configures an IOS-XE device as an NTP client
  • Displays NTP synchronization state and stratum

Why these pairings

Syslog severity levels range from 0 (Emergency) to 7 (Debug), with 0 being the most critical. NTP stratum indicates clock accuracy: stratum 0 is the reference clock, stratum 1 is directly connected to a reference, and so on up to stratum 15, which is the maximum usable synchronized stratum. Stratum 16 means the device is unsynchronized.

The ntp server command configures a device as a client, and show ntp status displays synchronization state and current stratum.

Exam trap

Be careful not to confuse the severity order of syslog levels: lower numbers (0) are more severe, higher numbers (7) are less severe. Also, remember that NTP stratum numbers work inversely to accuracy: lower stratum numbers indicate higher accuracy, with Stratum 0 being the most accurate reference clock.

821
Drag & Dropmedium

Drag and drop the following steps into the correct order to describe the TCP three-way handshake between a PC (192.168.1.10) and a web server (192.168.2.20). Note: Only three of the four steps are part of the actual handshake. Omit the step that is not part of the three-way handshake.


Why this order

The three-way handshake between specific IP addresses follows the same SYN, SYN-ACK, ACK sequence, with the client (PC) initiating and the server responding, leading to a connection ready for application data.

Exam trap

Remember that the client always initiates the handshake with a SYN, and the final ACK comes from the client. The server never sends a standalone ACK; it combines SYN and ACK in one segment.

822
MCQmedium

Which rule does a router apply first when selecting a route for a destination packet?

A.Lowest metric across all protocols
B.Oldest route in the routing table
C.Longest prefix match
D.Default route if one exists
AnswerC

Correct. Most-specific route wins first.

Why this answer

Routers first look for the most specific matching prefix. Administrative distance and metrics matter when competing routes exist for the same destination prefix length.

Exam trap

Remember, prefix length is the primary factor in route selection, not administrative distance or metrics.

Why the other options are wrong

A

The router first uses the longest prefix match to select a route; metrics are only compared among routes from the same routing protocol or when administrative distance is equal. Comparing metrics across different protocols is not the first step.

B

Route age is not a primary selection criterion; routers use longest prefix match first, then administrative distance, then metric. Older routes are not preferred over newer ones in the selection process.

D

A default route is only used when no other route matches the destination; the router first checks for more specific matches using the longest prefix match. The default route is the least preferred.

823
MCQeasy

A switchport should allow only one learned MAC address and shut down if a different device is connected later. Which port security violation mode and limit combination best fits that goal?

A.maximum 1 with violation shutdown
B.maximum 10 with violation protect
C.maximum 1 with violation restrict and no logging
D.maximum unlimited with violation shutdown
AnswerA

This is the strict option that disables the port after a violation.

Why this answer

The usual setup is maximum 1 MAC address with violation mode shutdown. That way the port is disabled when an unauthorized device appears.

Exam trap

Be careful not to confuse the different port security violation modes. Only shutdown mode disables the port upon a violation.

Why the other options are wrong

B

The maximum limit of 10 MAC addresses is too high for the requirement of allowing only one learned MAC address. Additionally, protect mode drops frames from unknown MACs but does not shut down the port, so the port remains active even after a violation.

C

Restrict mode does not shut down the port; it only logs and drops frames from unknown MACs. The requirement explicitly states the port should shut down, which restrict does not achieve.

D

Setting the maximum to unlimited defeats the purpose of limiting MAC addresses to one. Even though violation mode is shutdown, the port will never trigger a violation because there is no limit, so it will never shut down due to port security.

824
Matchingmedium

Drag and drop the AI/automation concepts on the left to the correct descriptions on the right.

Matches

  • Autonomous entity that perceives its environment and takes actions to achieve goals
  • Mechanism that allows an AI agent to invoke external functions or APIs
  • Workflow that automatically detects, diagnoses, and corrects network issues without human intervention
  • Technique that combines LLMs with external knowledge retrieval for accurate responses
  • Approach that translates high-level business intent into network configuration and assurance
  • Training method where an agent learns optimal actions through rewards and penalties

Why these pairings

AI Agent is correctly matched because it is defined as an autonomous entity that perceives its environment and takes actions to achieve goals. Tool-calling enables AI agents to invoke external functions or APIs, which aligns with the given description. Closed-loop remediation is accurately paired with the workflow that automatically detects, diagnoses, and corrects network issues without human intervention.

Retrieval-Augmented Generation (RAG) is the technique that combines large language models with external knowledge retrieval to produce more accurate responses. Intent-based Networking (IBN) translates high-level business intent into network configuration and assurance, matching the description. Finally, Reinforcement Learning (RL) is the training method where an agent learns optimal actions through rewards and penalties, which perfectly fits its definition.

Exam trap

Cisco exams often test the precise definitions of AI concepts and their applications. Avoid confusing the hierarchy (ML is broader than deep learning) and the specific tasks of NLP vs. computer vision. Also remember that reinforcement learning learns from rewards and penalties, not from labeled data. For this set of terms, keep tool-calling (an agent invoking an external function or API) distinct from RAG (retrieving external knowledge to ground an LLM's answer), and closed-loop remediation (detect, diagnose and fix with no human in the loop) distinct from intent-based networking (translate business intent into configuration and then verify it).

825
MCQhard

A router has routes to 192.168.100.0/24 and 192.168.100.128/25. Which route is used for traffic to 192.168.100.140?

A.192.168.100.0/24
B.192.168.100.128/25
C.The default route
D.Neither route, because the prefixes overlap
AnswerB

This is correct because 192.168.100.128/25 covers addresses .128 through .255, so .140 falls inside that range, and the /25 is the longest prefix that matches.

Why this answer

The /25 route is used because it is the most specific matching prefix. In practical terms, 192.168.100.140 falls inside the upper half of the /24, which is exactly what the 192.168.100.128/25 route describes. Even though the /24 also matches, the router always prefers the narrower route when both are valid.

This is a direct longest-prefix-match question. It reinforces that specificity is checked before broader route-source preferences matter.

Exam trap

A frequent exam trap is assuming that the less specific route (192.168.100.0/24) will be used simply because it covers the entire subnet range or because it might have a better administrative distance. Candidates might also think overlapping prefixes cause routing conflicts that prevent either route from being used. However, Cisco routers resolve overlapping routes by always selecting the longest prefix match, which is the most specific subnet. Administrative distance and metric are only compared between routes to the same prefix; they never override a longer match.

Ignoring this rule leads to incorrect answers and misunderstanding of routing behavior.

Why the other options are wrong

A

The 192.168.100.0/24 route is less specific than the 192.168.100.128/25 route. Although it matches the destination IP, the router prefers the more specific /25 route, so this option is incorrect.

C

The default route is only used when no more specific routes match the destination IP. Since both /24 and /25 routes match, the default route is not used, making this option incorrect.

D

Although the prefixes overlap, this is a normal and expected behavior in routing. The router resolves overlapping prefixes using longest prefix match, so traffic is forwarded correctly. Therefore, this option is incorrect.
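The lookup described in this question, as an added example that is not part of the exam page: a longest-prefix-match over a constructed routing table using Python's standard ipaddress module. The table, next hops and route sources are made up for illustration; only the IOS default administrative distances (static 1, EIGRP 90, OSPF 110, RIP 120) are real values. The table deliberately contains the /25 twice from different sources so that the order of the two comparisons (prefix length first, AD second) is visible.

```python
# Added example (not from the exam page): longest-prefix-match lookup over a
# constructed routing table, showing that prefix length is compared before
# administrative distance. Route sources, next hops and the table itself are
# made up for illustration; the AD values are the IOS defaults.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    admin_distance: int   # lower wins, but only between routes to the same prefix
    source: str


# Constructed sample table. Two sources offer 192.168.100.128/25 so the AD
# tie-break is visible; note the less-trusted RIP /25 still beats the OSPF /24.
ROUTING_TABLE = [
    Route(ipaddress.IPv4Network("0.0.0.0/0"),          "10.0.0.254", 1,   "static"),
    Route(ipaddress.IPv4Network("192.168.100.0/24"),   "10.0.0.1",   110, "ospf"),
    Route(ipaddress.IPv4Network("192.168.100.128/25"), "10.0.0.2",   120, "rip"),
    Route(ipaddress.IPv4Network("192.168.100.128/25"), "10.0.0.3",   90,  "eigrp"),
]


def best_route(destination: str, table=ROUTING_TABLE) -> Optional[Route]:
    """Return the route a router would use for destination, or None if nothing matches."""
    dst = ipaddress.IPv4Address(destination)
    # Every prefix that contains the destination is a candidate, including 0.0.0.0/0.
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None
    # Sort key: longest prefix first, then lowest administrative distance.
    # AD is never consulted unless two candidates have the same prefix length.
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.admin_distance))


if __name__ == "__main__":
    for dst in ("192.168.100.140", "192.168.100.10", "10.9.9.9"):
        r = best_route(dst)
        print(f"{dst:16} -> {r.prefix} via {r.next_hop} ({r.source}, AD {r.admin_distance})")
```

On a real IOS router the AD comparison happens when routes are installed (the RIB keeps only the lowest-AD route for a given prefix), and the forwarding lookup then only has to find the longest match; this model collapses the two steps into one sort key, but the outcome is the same. The rule has a security consequence worth remembering: because the most specific prefix wins regardless of its source, anything that can inject a longer prefix (a rogue routing adjacency, an unfiltered BGP announcement) takes that traffic, which is why route filters usually cap accepted prefix length.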
