CCNA 200-301 v2 (200-301) — Questions 826-900

1819 questions total · 25 pages · All types, answers revealed

Page 12 of 25
826
MCQ · hard

Based on the exhibit, why is the static route not being used for 172.18.9.10?

A. Because the connected /24 route is more specific than the static /16 route.
B. Because static routes are never used when a connected network exists anywhere in the table.
C. Because connected routes always have administrative distance 255.
D. Because static routes work only for default routing.
Answer: A

This is correct because longest-prefix match causes the connected /24 to be used for that destination.

Why this answer

The static route is not being used because the connected route is the more specific match. Route selection compares prefix length first: the destination 172.18.9.10 falls inside both the static 172.18.0.0/16 and the connected 172.18.9.0/24, and the /24 wins because it matches more bits of the destination. Administrative distance (connected 0, static 1) only decides between routes to the same prefix learned from different sources, so it never gets a vote here.

This is a classic routing interpretation question because it tests whether you apply longest-prefix logic before thinking about route source preference.
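The lookup order described above, as an added worked example (Python, not part of the original question bank): the routing table, the destination addresses and the administrative-distance table are constructed for the illustration, using Cisco's default AD values.

```python
"""Route selection as a router performs it: longest prefix first, then
administrative distance, then metric. Added illustration, not code from the
original question; the routing table below is constructed for the example."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Cisco IOS default administrative distances for the sources used here.
DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    source: str
    next_hop: str              # "directly connected" or a next-hop address
    metric: int = 0
    ad: Optional[int] = None   # explicit AD (e.g. a floating static), else the default

    @property
    def admin_distance(self) -> int:
        return DEFAULT_AD[self.source] if self.ad is None else self.ad


def lookup(table: list, destination: str) -> Optional[Route]:
    """Return the route a router would forward on for `destination`, or None."""
    dst = IPv4Address(destination)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None
    # Ordering: 1) longest prefix, 2) lowest AD among equal-length prefixes,
    # 3) lowest metric. AD never outranks a longer prefix.
    return min(candidates,
               key=lambda r: (-r.prefix.prefixlen, r.admin_distance, r.metric))


# Constructed table for the exhibit scenario: a static /16 and a connected /24.
# IOS would install only the connected /24 (AD 0) and not the OSPF copy of the
# same prefix; both are listed to show that AD only breaks an equal-length tie.
TABLE = [
    Route(IPv4Network("172.18.0.0/16"), "static", "10.0.0.2"),
    Route(IPv4Network("172.18.9.0/24"), "connected", "directly connected"),
    Route(IPv4Network("172.18.9.0/24"), "ospf", "10.0.0.3", metric=20),
    Route(IPv4Network("0.0.0.0/0"), "static", "10.0.0.1"),
]

if __name__ == "__main__":
    for dst in ("172.18.9.10", "172.18.40.1", "8.8.8.8"):
        r = lookup(TABLE, dst)
        print(f"{dst:<12} -> {r.prefix} via {r.next_hop} "
              f"({r.source}, AD {r.admin_distance})")
```

Running it shows 172.18.9.10 leaving via the connected /24, 172.18.40.1 (inside the /16 but outside the /24) via the static route, and 8.8.8.8 via the default route; the sort key makes the precedence explicit, which is the point the exam is testing.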

Exam trap

A common exam trap is assuming that static routes are always preferred over connected routes or that connected routes have a higher administrative distance. Candidates might overlook the longest-prefix match rule and focus only on administrative distance or route type. This leads to the incorrect conclusion that the static /16 route should be used for 172.18.9.10, ignoring that the connected /24 route is more specific and therefore preferred.

Misunderstanding this concept causes errors in interpreting routing tables and route selection behavior.

Why the other options are wrong

B

This is incorrect because static routes are still used when no connected route matches the destination. The presence of any connected route does not prevent static routes from being used if they are more specific or the only match.

C

This is wrong because connected routes have an administrative distance of 0, not 255; an AD of 255 means the route is considered unreachable and is never installed. The issue here is route specificity, not administrative distance values.

D

This is incorrect because static routes can be configured for any prefix length, not just default routes. They are valid for specific subnets and are commonly used for precise routing control.

827
MCQ · medium

Exhibit: A script sends an HTTP GET request to a controller API endpoint. What is the usual purpose of the GET method?

A. Retrieve information from the resource
B. Create a brand-new resource
C. Replace the entire resource configuration
D. Delete the resource
Answer: A

GET is used to read data.

Why this answer

In REST-style APIs, GET retrieves a representation of a resource and is defined as safe (it changes no server state) and idempotent. Controller APIs expose inventory, device and interface data this way: a GET returns data, while creating or changing objects uses POST, PUT or PATCH. A GET endpoint that changes state is a design defect, because clients, proxies and retry logic all assume a GET is harmless to repeat.

Exam trap

Be careful not to confuse GET with other HTTP methods like POST, PUT, or DELETE, which have different purposes.

Why the other options are wrong

B

Creating a new resource is typically done using the POST method, not GET. GET is designed for safe and idempotent retrieval of data, not for creating resources.

C

Replacing the entire resource configuration is the purpose of the PUT method, which is idempotent and used for updates. GET is not intended for modifying resources.

D

Deleting a resource is performed using the DELETE method. GET is a safe method that should not have side effects like deletion.

828
MCQ · hard

A network administrator has configured Rapid PVST+ on all switches and globally enabled BPDU Guard. After connecting a new access switch to an existing distribution switch, the distribution switch interface goes into err-disabled state. The new switch is configured with PortFast on its uplink port. Which action resolves the err-disabled state?

A. Disable Root Guard on the distribution switch interface
B. Disable BPDU Guard on the distribution switch interface
C. Remove PortFast from the new access switch uplink interface
D. Configure the interface as an access port instead of trunk
Answer: B

The global spanning-tree portfast bpduguard default command enables BPDU Guard on every interface operating as a PortFast edge port, and a BPDU arriving on such a port err-disables it at once. A link between two switches is supposed to carry BPDUs, so BPDU Guard (and PortFast) do not belong on the distribution-side interface. Disabling BPDU Guard there lets the port come back up, while Root Guard, if present, still protects against the new switch claiming the root role.

Why this answer

The distribution switch interface entered err-disabled because it received a BPDU while BPDU Guard was active on it. BPDU Guard is not part of PortFast itself: it is enabled per interface with spanning-tree bpduguard enable, or for all PortFast ports at once with the global spanning-tree portfast bpduguard default used in this scenario. When a BPDU arrives on a guarded port, the switch err-disables it rather than let an unexpected switch join the topology.

Disabling BPDU Guard on that interface removes the trigger. Disabling Root Guard (option A) has no effect on BPDU Guard; removing PortFast on the access switch (option C) changes nothing on the distribution switch; and switching the port to access mode (option D) does not change how BPDU Guard reacts to a BPDU. Removing the trigger does not by itself bring the port back: it stays err-disabled until it is bounced with shutdown / no shutdown or errdisable recovery cause bpduguard is configured. Verify with show interfaces status err-disabled and show spanning-tree interface <interface> detail.

Exam trap

Many learners assume BPDU Guard is automatically on with PortFast. It is not: it needs either the per-interface command or the global spanning-tree portfast bpduguard default, which is exactly what this scenario has, so the exam is testing whether you can tell the two features apart.

Why the other options are wrong

A

Root Guard does not err-disable a port. When a superior BPDU arrives it moves the port into the root-inconsistent (blocking) state and recovers it automatically once the superior BPDUs stop. The err-disabled state is triggered by BPDU Guard, not Root Guard.

C

PortFast on the access switch's uplink does not cause err-disable on the distribution switch. PortFast only affects the access switch's port state, not the distribution switch's interface.

D

The err-disable is caused by BPDU Guard, not by trunking misconfiguration. Changing the port mode to access would not resolve the BPDU Guard issue and could disrupt connectivity.

829
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure an LACP EtherChannel on Cisco IOS-XE switches.

Correct order (the step text was not captured; listed as the explanation below describes it):
1. Enter global configuration mode.
2. Create the port-channel interface.
3. On each physical member interface, set channel-group <n> mode active.
4. Verify the EtherChannel.

Why this order

First, enter global config mode. Then create the port-channel interface. Next, configure the channel-group mode on each physical interface to active for LACP.

Finally, verify the configuration.

Exam trap

A common trap is to configure the channel-group mode on physical interfaces before creating the port-channel interface, or to forget that global configuration mode is the first step. Always remember the sequence: global config -> port-channel interface -> physical interface channel-group -> verification (show etherchannel summary). In practice IOS creates the Port-channel interface automatically when channel-group is applied, and LACP negotiates as long as at least one side is active (active/active or active/passive), but the member ports must also match in speed, duplex, switchport mode and allowed VLANs or the bundle will not form.

830
MCQ · hard

A router is performing PAT for inside users. Which detail allows multiple inside sessions to share one public IPv4 address at the same time?

A. Use of transport-layer port numbers to distinguish sessions
B. Replacement of all MAC addresses with broadcast addresses
C. Automatic conversion of every subnet into a /32
D. Requirement that every inside host use the same private IP address
Answer: A

This is correct because PAT relies on port values to multiplex many sessions through one public address.

Why this answer

PAT works because it uses transport-layer port numbers to keep different conversations distinct even when they share the same public IP address. In plain language, the router rewrites and tracks port information so that return traffic can be matched back to the correct inside host and application session. That is what makes one public address usable for many simultaneous internal users.

This is a key difference between PAT and simple static NAT. Static NAT creates a fixed one-to-one relationship, while PAT creates many simultaneous translations differentiated by port values. The correct answer is the one that identifies port-based tracking as the reason the design scales beyond a single host.
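PAT's port-based multiplexing as an added worked example (Python, not part of the original question): the public address, inside hosts, ports and packets are constructed, and the table is a simplification that keys only on protocol and translated port, without the entry timeouts and remote-endpoint matching a real router also applies.

```python
"""Port Address Translation: one public address, many inside sessions, told
apart by the translated source port. Added illustration, not code from the
original question; the addresses, ports and packets are constructed."""
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Pat:
    """Translation table for a single overloaded public IPv4 address."""

    def __init__(self, public_ip: str, first_spare_port: int = 1024):
        self.public_ip = public_ip
        self._spare = count(first_spare_port)
        # (proto, public port) -> (inside ip, inside port): used for return traffic
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}
        # (proto, inside ip, inside port) -> public port: keeps a flow on one mapping
        self._inside: Dict[Tuple[str, str, int], int] = {}

    def _allocate(self, proto: str, wanted: int) -> int:
        # IOS keeps the original source port when it is still free on the
        # public address; when two inside hosts collide on the same port, the
        # later one is rewritten to a spare port.
        if (proto, wanted) not in self.table:
            return wanted
        while True:
            candidate = next(self._spare)
            if (proto, candidate) not in self.table:
                return candidate

    def outbound(self, p: Packet) -> Packet:
        """Translate an inside->outside packet and record the mapping."""
        key = (p.proto, p.src_ip, p.src_port)
        if key not in self._inside:
            port = self._allocate(p.proto, p.src_port)
            self._inside[key] = port
            self.table[(p.proto, port)] = (p.src_ip, p.src_port)
        return Packet(self.public_ip, self._inside[key], p.dst_ip, p.dst_port, p.proto)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Untranslate an outside->inside packet. None means it is dropped:
        no inside session created that mapping."""
        if p.dst_ip != self.public_ip:
            return None
        entry = self.table.get((p.proto, p.dst_port))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return Packet(p.src_ip, p.src_port, inside_ip, inside_port, p.proto)


if __name__ == "__main__":
    pat = Pat("198.51.100.1")
    # Two inside hosts happen to pick the same source port for the same server.
    a = pat.outbound(Packet("10.1.1.10", 50000, "203.0.113.5", 443))
    b = pat.outbound(Packet("10.1.1.11", 50000, "203.0.113.5", 443))
    print("A leaves as", a.src_ip, a.src_port, "/ B leaves as", b.src_ip, b.src_port)
    print("reply to :1024 goes to", pat.inbound(Packet("203.0.113.5", 443, "198.51.100.1", 1024)))
    print("unsolicited :9999 ->", pat.inbound(Packet("203.0.113.5", 443, "198.51.100.1", 9999)))
```

The collision case is the one worth noticing: both hosts chose source port 50000, so only the port rewrite keeps their sessions apart. The last line shows the side effect people rely on for security: an inbound packet with no matching translation has nowhere to go and is dropped, which is why PAT hides inside hosts, but it is not a firewall and does no inspection.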

Exam trap

Remember, PAT uses port numbers to differentiate sessions, not MAC addresses, IP addresses, or VLAN IDs.

Why the other options are wrong

B

PAT does not replace MAC addresses with broadcast addresses; MAC addresses are used for local network segment communication and are not involved in NAT/PAT operations. Broadcast addresses are used for sending packets to all hosts on a subnet, which would not help in distinguishing individual sessions.

C

PAT does not convert subnets into /32 addresses; it translates private IP addresses and port numbers to a single public IP address with different port numbers. Changing subnet masks to /32 would imply host-specific routing, which is not how PAT functions.

D

PAT does not require all inside hosts to use the same private IP address; in fact, each host typically has a unique private IP address. PAT translates these unique private addresses to the same public IP but with different port numbers to maintain session uniqueness.

831
MCQ · medium

Which single OSI model layer is responsible for both end-to-end reliable data delivery and segmenting data into smaller units?

A. Transport layer (Layer 4)
B. Data Link layer (Layer 2)
C. Network layer (Layer 3)
D. Session layer (Layer 5)
E. Transport layer (Layer 4) and Network layer (Layer 3)
Answer: A

The Transport layer provides end-to-end reliable delivery (with TCP) and cuts application data into segments, the Layer 4 PDU.

Why this answer

The Transport layer (Layer 4) is the only layer whose job includes end-to-end reliable delivery, which TCP provides with sequence numbers, acknowledgements and retransmissions, and it is also where application data streams are cut into segments. Reliability is a property of TCP, not of every Layer 4 protocol: UDP lives at the same layer and guarantees nothing, which is why the question says the layer is responsible for the capability rather than that all its protocols deliver it. The Data Link layer (Layer 2) frames data and detects errors hop by hop but offers no end-to-end guarantee.

The Network layer (Layer 3) routes packets but does not guarantee delivery. The Session layer (Layer 5) manages sessions, not reliability or segmentation.

Exam trap

Many learners mistakenly pick the Network layer (Layer 3) because they associate it with IP and packet delivery; however, IP is connectionless and unreliable, while end-to-end reliable delivery is exclusively a function of the Transport layer.

Why the other options are wrong

B

The Data Link layer handles framing and error detection on a single link, not end-to-end reliability or segmentation across the entire network.

C

The Network layer provides routing and logical addressing but does not guarantee delivery or perform segmentation of data from applications.

D

The Session layer manages dialog control between applications, not data segmentation or reliable transport mechanisms.

E

Option E pairs the Transport layer with the Network layer, but Layer 3 performs neither end-to-end reliable delivery nor segmentation; the question asks for a single layer, and only Layer 4 does both.

832
MCQ · hard

Users in VLAN 60 on switch SW2 cannot reach the default gateway located on switch SW1. The trunk between SW1 and SW2 is operational and allows VLAN 60. What is the most likely reason for this issue?

A. VLAN 60 does not exist locally on SW2.
B. The native VLAN must be changed to 60 on both switches.
C. VLAN 60 is not allowed on the trunk link.
D. The default gateway must be configured as a loopback on SW2.
Answer: A

This is correct because trunk allowance alone is not enough if the VLAN is missing from the local switch.

Why this answer

VLAN 60 has not been created locally on SW2, even though the trunk is allowed to carry it. A switch only forwards traffic for VLANs in its own VLAN database: tagged VLAN 60 frames arriving on the trunk are dropped, and an access port assigned to a VLAN that does not exist stays inactive. Check with show vlan brief on SW2 and with show interfaces trunk, whose "Vlans allowed and active in management domain" line omits VLANs that are allowed but not defined. (B) is wrong because the native VLAN only affects untagged frames, and VLAN 60 traffic on the trunk is tagged. (C) contradicts the stated premise. (D) is wrong because the default gateway is simply an IP address on a router interface or SVI, which already exists on SW1.

Exam trap

Don't assume trunk configuration alone resolves VLAN issues; ensure VLANs exist on all relevant switches.

Why the other options are wrong

B

Native VLAN configuration does not affect tagged VLAN 60 traffic—native VLAN only matters for untagged frames.

C

The trunk is stated to allow VLAN 60, so VLAN filtering is not the problem; a student might misread the premise.

D

The default gateway resides on SW1, not SW2; configuring a loopback on SW2 does not create a gateway for VLAN 60.

833
MCQ · hard

A host can reach local devices but cannot reach the Internet. The host has a correct IP address and subnet mask, but no default gateway. What is the best explanation?

A. The host can reach only local subnet destinations because it lacks a next hop for remote networks
B. The host automatically uses ARP to reach all Internet destinations directly
C. The subnet mask alone should be enough to reach all networks
D. The host can still reach Internet destinations if proxy ARP is enabled on the router
Answer: A

This is correct because without a default gateway, the host has no normal path for off-subnet traffic.

Why this answer

The host can communicate only within its own local subnet because it lacks the next-hop information needed for off-subnet traffic. A valid IP address and subnet mask are not enough by themselves when the destination lies on another network. Option D is incorrect because proxy ARP, while it may allow some off-subnet reachability in specific scenarios, is not a reliable replacement for a default gateway and does not enable general Internet access.
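The host-side decision described above, as an added worked example (Python, not part of the original question): the host address 10.20.30.44/27, the gateway and the destinations are constructed, and the optional routes argument models host routes most end stations never have.

```python
"""A host's own forwarding decision: on-link destinations are ARPed for
directly, anything else needs a route, normally the default gateway. Added
illustration, not code from the original question; the host address,
gateway and destinations are constructed."""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Dict, Optional


def next_hop(host: IPv4Interface, dest: str, gateway: Optional[str] = None,
             routes: Optional[Dict[IPv4Network, str]] = None) -> Optional[str]:
    """Return the IPv4 address the host will ARP for to reach `dest`, or None
    when the packet cannot be sent at all (no matching route, no gateway)."""
    dst = IPv4Address(dest)
    if dst in host.network:
        return dest                       # on-link: resolve the destination itself
    # A host may also carry specific routes; the longest prefix wins over the default.
    for net, hop in sorted((routes or {}).items(), key=lambda kv: -kv[0].prefixlen):
        if dst in net:
            return hop
    return gateway                        # None when no default gateway is configured


def gateway_is_usable(host: IPv4Interface, gateway: str) -> bool:
    """The gateway must be on-link, otherwise the host cannot ARP for it either."""
    return IPv4Address(gateway) in host.network


# Constructed host: 10.20.30.44/27 lives in 10.20.30.32 - 10.20.30.63.
HOST = IPv4Interface("10.20.30.44/27")

if __name__ == "__main__":
    for dest in ("10.20.30.50", "10.20.30.70", "93.184.216.34"):
        print(f"{dest:<15} no gateway -> {next_hop(HOST, dest)}"
              f"   gateway .33 -> {next_hop(HOST, dest, gateway='10.20.30.33')}")
```

Without a gateway the function returns None for anything outside the /27, including 10.20.30.70 in the neighbouring /27, which is the behaviour the question describes; with a gateway that is itself off-link (gateway_is_usable returning False) the result is the same failure, a misconfiguration that is just as common as a missing gateway.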

Exam trap

A frequent exam trap is to think that the subnet mask alone enables a host to reach all networks. Candidates may incorrectly believe that ARP or other mechanisms can resolve remote IP addresses without a default gateway. This mistake overlooks the fact that ARP operates only on the local subnet and cannot resolve IP addresses beyond it.

Without a default gateway, the host has no next-hop router to forward off-subnet traffic, so it cannot reach Internet destinations or other remote networks. Understanding this limitation is crucial to avoid selecting incorrect answers that confuse local address resolution with routing.

Why the other options are wrong

B

ARP operates only on the local subnet and cannot resolve IP addresses beyond it, so the host cannot use ARP to reach all Internet destinations directly.

C

The subnet mask defines the local network boundary but does not provide a route to other networks; a default gateway or specific route is required for off-subnet traffic.

D

Proxy ARP may allow a host without a default gateway to reach some off-subnet destinations if the router responds to ARP requests for remote IPs, but this is not a general solution and does not enable reliable Internet access.

834
MCQ · hard

After a hub was connected to interface Gi0/10, the interface immediately entered errdisable state. The following syslog message was generated: '%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred on interface Gi0/10.' What is the strongest explanation for why Gi0/10 shut down?

A. Port security detected more MAC addresses than allowed on the interface.
B. The interface received a superior BPDU and became the root port.
C. The hub forced the interface to become a routed port.
D. DHCP snooping always shuts a port when a hub is attached.
Answer: A

This is correct because the interface allows only one secure MAC address (the port-security default maximum) and the syslog message names a port-security violation explicitly.

Why this answer

The strongest explanation is a port-security violation caused by the switch seeing more secure MAC addresses than the interface allows. In practical terms, a hub or unmanaged device can cause multiple end hosts to appear behind one access port. If the interface is configured with a maximum of one secure MAC address, additional learned MACs trigger the violation action.

This is a realistic access-layer security scenario because the port does not fail randomly. It fails because the observed behavior violates the configured policy.
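Port-security behaviour as an added worked example (a Python simulation, not part of the original question and not Cisco code): interface names, MAC addresses and the frame sequence are constructed; the syslog text follows the IOS message formats, and the extraction regex also accepts the shorter form quoted in the question.

```python
"""Port security on an access port: secure-MAC learning against a maximum,
and what each violation mode does when a new source MAC shows up. Added
illustration, not code from the original question; the interface names,
MAC addresses and frame sequence are constructed."""
import re
from typing import Iterable, List

# Matches both the page's short form ("... occurred on interface Gi0/10.") and
# the longer IOS form ("... occurred, caused by MAC address X on port Gi0/10.").
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred"
    r".*\bon (?:interface|port) ([A-Za-z]+\d[\d/]*)")


class SecurePort:
    def __init__(self, name: str, maximum: int = 1, violation: str = "shutdown"):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError(violation)
        self.name, self.maximum, self.violation = name, maximum, violation
        self.secure_macs: List[str] = []   # dynamically learned secure addresses
        self.err_disabled = False
        self.violations = 0                # the "security violation count" counter
        self.log: List[str] = []           # syslog lines the switch would emit

    def frame(self, src_mac: str) -> str:
        """Handle one ingress frame: 'forward', 'drop' or 'errdisable'."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                  # port is down until recovered
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)
            return "forward"
        # Any further new source MAC (for example a second host behind a hub)
        # exceeds the maximum and triggers the violation action.
        if self.violation == "protect":
            return "drop"                  # silent: no log, no counter
        self.violations += 1
        self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                        f"occurred, caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "restrict":
            return "drop"                  # port stays up, offending frames dropped
        self.err_disabled = True           # shutdown mode: whole port goes err-disabled
        self.log.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on "
                        f"{self.name}, putting {self.name} in err-disable state")
        return "errdisable"


def violated_interfaces(syslog_lines: Iterable[str]) -> List[str]:
    """Extract interface names from PSECURE_VIOLATION messages, e.g. for a SIEM rule."""
    return [m.group(1) for m in map(VIOLATION_RE.search, syslog_lines) if m]


if __name__ == "__main__":
    port = SecurePort("Gi0/10")            # IOS defaults: maximum 1, shutdown
    for mac in ("0011.2233.4455", "0011.2233.4455", "aabb.ccdd.eeff"):
        print(mac, "->", port.frame(mac))
    print(*port.log, sep="\n")
    print("violated:", violated_interfaces(port.log))
```

The hub scenario is the third frame: a second source MAC behind a port that allows one. In shutdown mode (the default) the port is err-disabled and every host behind it loses service, so for user ports many operators prefer restrict, which keeps the port up, drops the extra hosts and still produces the log line the detection function keys on.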

Exam trap

Remember that port security specifically deals with MAC address limits, not broadcast storms or spanning-tree issues.

Why the other options are wrong

B

The exhibit shows a port-security violation message, not an STP topology change. A superior BPDU would cause a root port election, not a port shutdown due to security policy.

C

Connecting a hub does not change the interface type; a switchport remains a Layer 2 interface unless explicitly configured with 'no switchport'. The exhibit shows a Layer 2 security violation, not a routed port conversion.

D

DHCP snooping does not shut down a port because a hub is attached. On an untrusted port it drops DHCP server messages (OFFER, ACK, NAK) without touching the port, and it err-disables a port only when a configured DHCP rate limit is exceeded; either case would log a DHCP_SNOOPING message, not the PORT_SECURITY message in the exhibit.

835
PBQ · hard

You are connected to the multilayer switch MLS1 in a branch network. The DHCP server on router R1 is supposed to serve the 192.168.20.0/24 VLAN 20, but clients in VLAN 20 are not receiving IP addresses. Additionally, a rogue DHCP server has been detected on VLAN 20. Configure MLS1 to enable DHCP snooping on VLAN 20, set the trust state on the uplink port to R1, and limit the rate of DHCP packets on access ports. Then, on R1, correct the DHCP configuration so that the pool for VLAN 20 uses the correct default-router (192.168.20.1) and DNS server (8.8.8.8), and ensure that the excluded-address range is not too large (exclude only the first 10 addresses). Verify the solution.

Network Topology (reconstructed from the captured diagram labels): R1 G0/0 and MLS1 G0/0 form the 10.0.0.0/30 link (10.0.0.1 and 10.0.0.2); MLS1 G0/1 is an access port in VLAN 20 facing the clients on 192.168.20.0/24.

Hints

  • On MLS1, DHCP snooping must be globally enabled and then applied to VLAN 20.
  • The uplink to R1 must be trusted; access ports should have rate limiting to prevent DHCP starvation.
  • On R1, the excluded-address range was too broad; only exclude the first 10 addresses. The default-router and DNS server were incorrect.
A. On MLS1: ip dhcp snooping, ip dhcp snooping vlan 20, interface Gig0/0 ip dhcp snooping trust, interface Gig0/1 ip dhcp snooping limit rate 10. On R1: ip dhcp excluded-address 192.168.20.1 192.168.20.10, ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 8.8.8.8
B. On MLS1: ip dhcp snooping vlan 20, interface Gig0/0 ip dhcp snooping trust, interface Gig0/1 ip dhcp snooping limit rate 10. On R1: ip dhcp excluded-address 192.168.20.1 192.168.20.254, ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 8.8.8.8
C. On MLS1: ip dhcp snooping vlan 20, interface Gig0/0 ip dhcp snooping trust, interface Gig0/1 ip dhcp snooping limit rate 10. On R1: ip dhcp excluded-address 192.168.20.1 192.168.20.10, ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.10.1 dns-server 4.4.4.4
D. On MLS1: ip dhcp snooping vlan 20, interface Gig0/0 ip dhcp snooping trust, interface Gig0/1 ip dhcp snooping limit rate 10. On R1: ip dhcp excluded-address 192.168.20.1 192.168.20.10, ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 8.8.8.8, but no ip dhcp snooping enabled globally on MLS1
Answer: A
Solution
! R1: fix the pool options and narrow the exclusion
configure terminal
! remove the original .1-.254 exclusion described in the explanation, then exclude only .1-.10
no ip dhcp excluded-address 192.168.20.1 192.168.20.254
ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp pool VLAN20_POOL
 ! the network 192.168.20.0 255.255.255.0 statement is assumed to be present already
 default-router 192.168.20.1
 dns-server 8.8.8.8
end

! MLS1: enable snooping globally and for VLAN 20, trust the uplink, rate-limit the access port
configure terminal
ip dhcp snooping
ip dhcp snooping vlan 20
interface GigabitEthernet0/0
 ip dhcp snooping trust
exit
interface GigabitEthernet0/1
 ip dhcp snooping limit rate 10
end

! Verify
show ip dhcp snooping
show ip dhcp snooping binding

Why this answer

The problem had three faults. First, the DHCP pool on R1 had the wrong default-router (192.168.10.1 instead of 192.168.20.1) and the wrong DNS server (4.4.4.4 instead of 8.8.8.8). Second, the excluded-address range covered .1 through .254, which left the pool with nothing to hand out; it is narrowed to .1 through .10, and the old exclusion has to be removed rather than overlaid or the pool stays empty. Third, DHCP snooping was not enabled on MLS1, so the rogue server's offers reached the clients.

To enable DHCP snooping, both the global ip dhcp snooping command and the VLAN-specific ip dhcp snooping vlan 20 command are required; the VLAN line alone does nothing until the feature is globally on. With snooping active, the uplink Gig0/0 toward R1 is trusted so the legitimate OFFER and ACK messages pass, while the access port Gig0/1 stays untrusted, so server messages from the rogue are dropped, and its rate limit defends against DHCP starvation. A port that exceeds the limit is err-disabled, so choose a value real clients will not hit and consider errdisable recovery cause dhcp-rate-limit. Two things the exhibit does not show but a real deployment needs: a relay (ip helper-address) on the VLAN 20 gateway pointing at R1, since R1 is not on the client VLAN, and attention to the Option 82 data that snooping inserts, which a relay may discard unless configured to trust it. Verify with show ip dhcp snooping and show ip dhcp snooping binding on MLS1 and show ip dhcp binding on R1.

Exam trap

Watch for three separate issues: DHCP pool misconfiguration (default-router, DNS, excluded range), DHCP snooping not enabled globally, and the need to set trust on the uplink. Candidates often forget the global 'ip dhcp snooping' command or misconfigure the excluded range.

Why the other options are wrong

B

The excluded-address range is too large; it should only exclude the first 10 addresses (1-10) to allow dynamic allocation from .11 onward.

C

The default-router must be the gateway for VLAN 20 (192.168.20.1), and the DNS server should be 8.8.8.8 as specified.

D

The global 'ip dhcp snooping' command is required to activate the feature; omitting it leaves DHCP snooping disabled entirely.

836
Drag & Drop · medium

What is the correct order of steps to capture and analyze traffic on IOS-XE using the embedded packet capture feature, and in Wireshark to isolate a Layer 2 or Layer 3 fault?

Correct order (the step text was not captured; listed as the explanation below describes it):
1. Define the capture point: interface, direction and optional filter.
2. Start the capture.
3. Stop the capture once the traffic of interest has been collected.
4. Export the capture file and analyze it in Wireshark.

Why this order

With embedded packet capture on IOS-XE you first define the capture point (the interface, the direction and any match filter), then start the capture, stop it once the traffic of interest has been collected, and finally export the buffer as a pcap file for Wireshark. Starting before defining fails because there is nothing to start; exporting before stopping yields an incomplete, still-changing buffer; and the analysis itself happens off-box in Wireshark, not on the router. The corresponding commands are monitor capture <name> interface <interface> both, monitor capture <name> match any (or an ACL), monitor capture <name> start, monitor capture <name> stop and monitor capture <name> export <location>.

Exam trap

Do not confuse the order of operations: you must define the capture point before starting, and you must stop the capture before exporting. Also, remember that analysis is done externally, not on the router itself.

837
MCQ · medium

Exhibit: A laptop has IP address 10.20.30.44/27. Which address is its directed broadcast for that subnet?

A. 10.20.30.31
B. 10.20.30.32
C. 10.20.30.63
D. 10.20.30.64
Answer: C

That is the directed broadcast address for 10.20.30.32/27.

Why this answer

A /27 gives a block size of 32 addresses. The host 10.20.30.44 falls in the 10.20.30.32 to 10.20.30.63 subnet, so the broadcast address is 10.20.30.63.

Exam trap

Avoid confusing the network address or a host address with the broadcast address. Remember, the broadcast address is the last address in the subnet.

Why the other options are wrong

A

10.20.30.31 is the broadcast address of the previous /27 subnet (10.20.30.0/27), not the subnet containing 10.20.30.44. The host 10.20.30.44 belongs to the 10.20.30.32/27 subnet, so its broadcast is 10.20.30.63.

B

10.20.30.32 is the network address (subnet ID) of the subnet 10.20.30.32/27, not the broadcast address. The network address is the first address in the subnet and is used to identify the subnet itself.

D

10.20.30.64 is the network address of the next /27 subnet (10.20.30.64/27), not the broadcast of the current subnet. The broadcast address for 10.20.30.32/27 is 10.20.30.63.

838
Multi-Select · medium

Which two statements accurately describe software-defined networking and network virtualization concepts at a basic CCNA level?

Select 2 answers
A. SDN is associated with more centralized or programmable control of network behavior.
B. NFV is associated with delivering network functions in software or virtualized form.
C. Both terms are just new names for subnet masks.
D. Both terms replace the need for routing protocols completely.
E. Both terms refer only to wireless client roaming.
Answers: A, B

Both are correct: A states the core SDN idea (control logic centralized in a controller and exposed programmatically) and B the core NFV idea (functions such as firewalls, routers and load balancers delivered as software on general-purpose hardware).

Why this answer

At a basic level, these concepts point toward more abstracted, software-driven ways of controlling or delivering networking capabilities. SDN is associated with more centralized or programmable control behavior. NFV is associated with delivering network functions in virtualized software form instead of relying only on fixed-purpose hardware.

The goal here is conceptual recognition, not deep architectural implementation detail.

Exam trap

A frequent exam trap is mistaking SDN and NFV for basic network addressing concepts like subnet masks or for wireless client roaming features. Candidates might also incorrectly believe these technologies replace routing protocols entirely. However, SDN and NFV focus on centralized control and virtualized network functions, respectively, and do not eliminate the need for routing logic or relate directly to subnetting or wireless roaming.

Misunderstanding these distinctions can lead to selecting incorrect options that describe unrelated networking concepts.

Why the other options are wrong

C

Option C is incorrect because subnet masks are related to IP addressing and have no connection to SDN or NFV concepts, which focus on network control and virtualization.

D

Option D is wrong since SDN and NFV do not eliminate routing protocols; routing remains necessary for path determination and packet forwarding in networks.

E

Option E is incorrect because SDN and NFV are broad network architecture concepts and do not exclusively refer to wireless client roaming or mobility management.

839
MCQ · hard

An ACL permits only tcp 10.10.10.0/24 host 192.0.2.10 eq 443 and has no other permit entries. What happens to an ICMP echo request from 10.10.10.5 to 192.0.2.10?

A. It is permitted because the destination matches
B. It is denied by the implicit deny
C. It is permitted because the packet matches the source network stated in the ACE.
D. It is permitted only if the source port is 443
Answer: B

Correct. Traffic not explicitly permitted is denied.

Why this answer

ACLs end with an implicit deny any. The only permit entry matches protocol TCP, so an ICMP echo request (IP protocol 1) from 10.10.10.5 fails the protocol check even though source and destination match, and falls through to the implicit deny. The practical symptom is a classic one: ping to 192.0.2.10 fails while HTTPS works, which is easy to misread as a server problem. show access-lists displays per-entry match counters, but hits on the implicit deny are not counted; add an explicit deny ip any any (with log if needed) at the end when you want to see what is being dropped.

Exam trap

Remember that ACLs have an implicit deny all rule. Just because a source or destination is specified doesn't mean all traffic types are allowed.
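ACL evaluation as an added worked example (Python, not part of the original question): it parses a constructed extended ACL written in IOS syntax and evaluates packets top-down, ending with the implicit deny; only contiguous wildcard masks and eq port matches are handled.

```python
"""Top-down evaluation of an IOS-style extended ACL with the implicit deny.
Added illustration, not code from the original question; the ACL text and the
test packets are constructed, and only contiguous wildcard masks and 'eq'
port matches are parsed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: IPv4Network
    dst: IPv4Network
    sport: Optional[int]        # "eq N" after the source, if any
    dport: Optional[int]        # "eq N" after the destination, if any
    text: str


def _address(tokens: List[str]) -> IPv4Network:
    """Consume one address spec: any | host A.B.C.D | A.B.C.D wildcard."""
    tok = tokens.pop(0)
    if tok == "any":
        return IPv4Network("0.0.0.0/0")
    if tok == "host":
        return IPv4Network(tokens.pop(0) + "/32")
    # An IOS wildcard is the inverse of a netmask: 0 bits must match.
    # 0.0.0.255 -> /24, 0.0.0.0 -> /32, 255.255.255.255 -> /0.
    wildcard = int(IPv4Address(tokens.pop(0)))
    prefixlen = 32 - wildcard.bit_length()
    if wildcard != (1 << (32 - prefixlen)) - 1:
        raise ValueError("non-contiguous wildcard masks are not supported here")
    return IPv4Network(f"{tok}/{prefixlen}", strict=False)


def _port(tokens: List[str]) -> Optional[int]:
    if tokens[:1] == ["eq"]:
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] in ("!", "remark"):
            continue
        action, proto = t.pop(0), t.pop(0)
        src = _address(t)
        sport = _port(t)
        dst = _address(t)
        dport = _port(t)
        aces.append(Ace(action, proto, src, dst, sport, dport, line.strip()))
    return aces


def evaluate(acl: List[Ace], p: Packet) -> Tuple[str, Optional[Ace]]:
    """First matching entry wins; falling off the end is the implicit deny."""
    s, d = IPv4Address(p.src), IPv4Address(p.dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != p.proto:
            continue                      # ICMP never matches a TCP entry
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.sport is not None and p.sport != ace.sport:
            continue
        if ace.dport is not None and p.dport != ace.dport:
            continue
        return ace.action, ace
    return "deny", None                   # implicit "deny ip any any"


# Constructed ACL matching the question: HTTPS only, nothing else permitted.
ACL = parse_acl("""
remark only HTTPS from the user subnet to the web host
permit tcp 10.10.10.0 0.0.0.255 host 192.0.2.10 eq 443
""")

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.10.10.5", "192.0.2.10", 51000, 443),
                Packet("icmp", "10.10.10.5", "192.0.2.10")):
        action, ace = evaluate(ACL, pkt)
        print(pkt.proto, "->", action, "by", ace.text if ace else "implicit deny")
```

The evaluate function returns which entry matched, so a None alongside "deny" is exactly the implicit deny the question is about; feeding it a packet with the right addresses but the wrong protocol or port shows why "the destination matches" is not enough.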

Why the other options are wrong

A

The ACL only permits TCP traffic from 10.10.10.0/24 to host 192.0.2.10 on port 443. ICMP is not TCP, so even though the destination matches, the protocol does not match, and the packet is not permitted.

C

Although the source IP matches the ACE's source network, the ACE only permits TCP traffic; ICMP is a different protocol, so the packet is denied by the implicit deny.

D

ICMP does not use TCP ports; it uses ICMP type and code. The ACL entry specifies TCP port 443, which is irrelevant for ICMP traffic. Even if the source port were 443, ICMP packets do not have TCP ports.

840
Multi-Select · medium

Which three statements about IPv6 routing are correct? (Choose three.)

Select 3 answers
A. IPv6 static routes can be configured using the 'ipv6 route' command.
B. The next-hop address for a directly attached IPv6 static route can be a link-local address.
C. OSPFv3 uses the same basic algorithm as OSPFv2 but is designed for IPv6.
D. IPv6 routing is enabled by default on all Cisco routers.
E. The default route in IPv6 is represented as ::/128.
F. EIGRP for IPv6 uses the same autonomous system number as EIGRP for IPv4 and shares the same routing table.
Answers: A, B, C

Why this answer

The first three statements are correct. The ipv6 route command configures IPv6 static routes, the counterpart of ip route. A link-local address can be the next hop, but because link-local addresses are unique only per link the route must also name the exit interface (ipv6 route <prefix> <exit-interface> <link-local next hop>, a fully specified static route); this is common on point-to-point links.

OSPFv3 (OSPF for IPv6) uses the same fundamental SPF algorithm and link-state concepts as OSPFv2 but is designed to support IPv6 addressing and runs per-link rather than per-subnet.

Exam trap

Cisco often tests the nuance that a link-local address can be used as a next hop for a directly attached IPv6 static route only if the exit interface is explicitly specified, leading candidates to incorrectly think link-local addresses are never valid next hops.

Why the other options are wrong

D

IPv6 forwarding is off by default on Cisco routers; ipv6 unicast-routing must be configured before the router routes IPv6 packets, even though interfaces can carry IPv6 addresses without it.

E

The IPv6 default route is ::/0. A /128 is a single host route, and ::/128 is the unspecified address.

F

EIGRP for IPv6 is configured separately from EIGRP for IPv4 and populates a separate IPv6 routing table; the two may use the same AS number by choice, but nothing is shared between them.

841
Drag & Drop · medium

Drag and drop the following troubleshooting steps into the correct order to diagnose a client connectivity issue using the OSI bottom-up method.

Correct order (the step text was not captured; listed as the explanation below describes it):
1. Check physical connectivity: cable, link light, interface up.
2. Verify the client's IP configuration (address, subnet mask, DHCP lease).
3. Ping the default gateway.
4. Test DNS name resolution.

Why this order

The bottom-up approach starts at Layer 1 (physical connectivity), then moves to Layer 3 (IP configuration and gateway ping), and finally to Layer 7 (DNS resolution). No Layer 2 step is included in these steps. Verifying IP configuration, such as DHCP and subnet mask, is a Layer 3 activity, not Layer 2.

This method ensures systematic isolation of the problem from the physical layer upward.

Exam trap

The trap is that candidates may skip Layer 1 and go straight to IP configuration or ping, thinking those are the most common issues. Remember: always start at the bottom of the OSI model to methodically isolate the problem.

842
MCQ · hard

Exhibit: Clients can see the corporate SSID but fail authentication after entering valid usernames and passwords. Which issue is the best explanation?

A. The AP is using the wrong RF channel
B. The RADIUS path or shared secret is failing
C. The SSID must be hidden for enterprise authentication
D. The clients need a voice VLAN assignment first
Answer: B

WPA2-Enterprise depends on successful RADIUS authentication.

Why this answer

WPA2-Enterprise relies on 802.1X with a RADIUS server. If the RADIUS server is unreachable or the shared secret is wrong, users can see the SSID and attempt to authenticate, but the login process fails. Option A is incorrect because RF channel issues would cause connectivity problems, not authentication failures after association.

Option C is incorrect because hiding the SSID is irrelevant to enterprise authentication; the issue is server-side. Option D is incorrect because a voice VLAN is not required for standard client authentication and would not cause login failure.

Exam trap

Remember that WPA2-Enterprise relies on a RADIUS server. When every client fails after entering correct credentials, look at the infrastructure side first: reachability from the WLC or AP to the RADIUS server on UDP 1812, a matching shared secret on both ends, and the server's own authentication log. On IOS-based devices, test aaa group radius <username> <password> new-code exercises the whole path without involving a client.

Why the other options are wrong

A

RF channel issues cause connectivity or performance problems, not authentication failures after a successful association.

C

Hiding the SSID does not affect the 802.1X authentication process; the failure is likely due to RADIUS communication.

D

Voice VLAN assignment is unrelated to client authentication; clients do not need a voice VLAN to authenticate.

843
Multi-Select · medium

Which three of the following statements about Network Address Translation (NAT) are correct? (Choose three.)

Select 3 answers
A. Static NAT provides a one-to-one mapping between a private IP and a public IP.
B. Dynamic NAT uses a pool of public IP addresses assigned on a first-come, first-served basis.
C. PAT (Port Address Translation) allows multiple internal hosts to share a single public IP address.
D. NAT eliminates the need for any routing in a network.
E. Dynamic NAT always assigns the same public IP to a given internal host.
F. PAT requires a unique public IP for every concurrent session.
Answers: A, B, C

Why this answer

Static NAT provides a one-to-one mapping between a private IP and a public IP, ensuring that a specific internal host always uses the same public address. Dynamic NAT uses a pool of public IP addresses assigned on a first-come, first-served basis, so internal hosts compete for available addresses. PAT (Port Address Translation) allows multiple internal hosts to share a single public IP by differentiating sessions via unique port numbers, which is the most common form of NAT used in home and small office routers.

Exam trap

Cisco often tests the misconception that dynamic NAT provides a fixed mapping like static NAT, or that PAT requires multiple public IPs, when in fact PAT is designed to share a single public IP among many hosts.

Why the other options are wrong

D

NAT only rewrites addresses; packets still need routes on both sides, and the translation is applied as traffic is routed between the inside and outside interfaces.

E

Dynamic NAT hands out whichever pool address is free and releases it when the translation times out, so the same host can receive a different public address next time.

F

PAT multiplexes sessions by port number, so one public IP supports many concurrent sessions; needing a unique public IP per session describes the limitation PAT was designed to remove.

844
MCQmedium

Why is NTP especially useful when devices send logs to a centralized Syslog server?

A.It helps align device clocks so centralized log timestamps can be correlated more accurately.
B.It assigns the Syslog server an IP address.
C.It replaces the need for a Syslog server.
D.It encrypts every Syslog message automatically.
Answer: A

This is correct because consistent time improves the usefulness of centralized logs.

Why this answer

NTP is especially useful because synchronized clocks make the log timestamps more meaningful and easier to correlate. In plain language, if each device thinks the current time is different, the sequence of events in the centralized log becomes confusing. NTP helps align time across devices so the logs tell a more accurate story.

This is an operational best practice. Syslog collects the messages, and NTP makes their timing consistent. The correct answer is the one focused on timestamp correlation.

Exam trap

Avoid confusing NTP's function with security or data optimization features; focus on its role in time synchronization.

Why the other options are wrong

B

NTP is a protocol for clock synchronization, not for IP address assignment. IP addresses are assigned via DHCP or static configuration, and NTP operates at the application layer to synchronize time over the network. Therefore, NTP does not assign IP addresses to any device, including Syslog servers.

C

NTP and Syslog serve entirely different purposes. NTP synchronizes clocks, while Syslog is a protocol for sending log messages to a centralized server. NTP cannot replace Syslog because it does not collect, store, or forward log messages.

Both are often used together but are independent services.

D

NTP does not provide encryption for Syslog messages or any other data. NTP is solely responsible for time synchronization and does not include security features like encryption. Syslog messages are typically sent in clear text unless additional security measures like TLS or SSH are implemented.

845
Multi-Select (medium)

Which two actions are reasonable examples of basic device-hardening practice?

Select 2 answers
A.Disable unused services or interfaces where practical
B.Use SSH instead of Telnet for remote management
C.Allow anonymous administrative login for convenience
D.Place all traffic in VLAN 1 so it is easier to remember
E.Remove authentication from VTY lines
Answers: A, B

This is correct because reducing unnecessary exposure is a basic hardening principle.

Why this answer

Basic hardening is about reducing unnecessary exposure and making administrative access safer. In plain language, this usually means disabling services or interfaces that are not needed and preferring secure management protocols such as SSH. These choices shrink the attack surface and improve the security of routine device administration without requiring advanced security products.

The wrong answers in hardening questions often suggest convenience at the expense of security, such as leaving insecure access methods enabled or removing authentication. CCNA-level security expects you to recognize that strong fundamentals often come from disciplined configuration choices rather than from complex tools alone.

Exam trap

Avoid choosing convenience over security; protocols like Telnet and HTTP are easy but insecure for management.

Why the other options are wrong

C

Allowing anonymous administrative login means no authentication is required, which completely bypasses access control. This violates the principle of least privilege and exposes the device to unauthorized configuration changes.

D

VLAN 1 is the default VLAN and is often targeted in VLAN hopping attacks. Using VLAN 1 for all traffic violates the security best practice of segregating traffic and using dedicated VLANs for management, user data, and voice.

E

Removing authentication from VTY lines means anyone can connect to the device via Telnet or SSH without a password. This is a critical security flaw that allows unauthorized remote access.

846
MCQ (hard)

A network engineer notices that an OSPF adjacency between R1 and R2 is flapping between FULL and DOWN state every 40 seconds. The dead interval on both routers is configured as 40 seconds. The hello interval on R1 is 10 seconds, and on R2 it is 30 seconds. What is the most likely cause?

A.Duplicate OSPF router IDs are causing the adjacency to reset each time the mismatched routers see each other's LSAs.
B.Mismatched hello intervals cause the dead timer on R1 to expire before receiving a hello from R2, tearing down the adjacency.
C.A network type mismatch between broadcast and point-to-point is causing periodic DR/BDR elections that reset the adjacency.
D.An OSPF authentication mismatch is causing periodic rejection of hello packets on one router.
Answer: B

R1 with a 10-second hello expects a hello within the 40-second dead interval. R2 sends hellos only every 30 seconds. Because of queuing or processing jitter, R1's dead timer can expire just before R2's hello arrives, dropping the adjacency. The dead interval restarting every 40 seconds aligns exactly with the observed flapping cycle.

Why this answer

The mismatched hello intervals cause the dead timer on R1 to expire before receiving a hello from R2. R1 sends hellos every 10 seconds and expects to hear from R2 at least once every 40 seconds (dead interval). R2, however, only sends hellos every 30 seconds.

Due to timing jitter and processing delays, R1's dead timer occasionally expires just before R2's hello arrives, leading to the adjacency being torn down. After the adjacency drops, OSPF attempts to re-establish it, resulting in a cyclical FULL-DOWN pattern every 40 seconds. The other options are real OSPF issues but do not produce this specific timing: duplicate router IDs would cause persistent instability without a regular interval; an authentication mismatch would prevent the adjacency from forming at all; a network type mismatch might cause DR/BDR election problems but would not flap with precise dead-interval regularity.

Exam trap

Many candidates immediately suspect an authentication mismatch because it is a common reason for OSPF adjacencies to fail. However, authentication problems prevent Hello exchange altogether, so the routers would never reach FULL state, eliminating the flapping symptom.

Why the other options are wrong

A

Candidates often recall that duplicate router IDs break adjacencies and assume any flapping must be caused by this. They miss the regular timing correlation with the dead interval.

C

Network type mismatch is a common OSPF troubleshooting topic, and candidates may attribute any flapping to mismatched types, overlooking the precise timer-derived timing.

D

Authentication problems are a frequent first guess for adjacency failures. The flapping behavior here contradicts a permanent rejection.

847
MCQ (hard)

Two routers, R1 and R2, have been configured with HSRP for VLAN 10 to provide default gateway redundancy to hosts. The virtual IP address is 192.168.10.1. After configuration, end hosts report inconsistent connectivity to the gateway, and a failover test reveals that when the active router is shut down, connectivity is lost. The network administrator checks the HSRP status on both routers. Based on the output shown, what is the most likely cause of the redundancy failure?

A.R2 has a lower HSRP priority than R1, so it cannot become standby.
B.The HSRP group number is mismatched between R1 and R2.
C.The HSRP authentication strings do not match.
D.HSRP version 1 is used on R1 while version 2 is used on R2.
Answer: B

R1 uses group 10, while R2 uses group 20. This creates two isolated HSRP processes with no shared virtual MAC or failover capability, which directly explains the redundancy failure.

Why this answer

HSRP uses the group number to identify the virtual router instance. If the group numbers on R1 and R2 do not match, they will not form a neighbor relationship or exchange HSRP messages, so neither router will know the other exists. This prevents failover: when the active router goes down, the standby router does not take over because it never learned about the active router's state.

The output would show that each router believes it is the active router (or that no standby exists), confirming the mismatch.

Exam trap

Cisco often tests the HSRP group number mismatch as a subtle cause of redundancy failure because candidates focus on priority or authentication and overlook the fundamental requirement that the group number must be identical on all routers in the same virtual router group.

Why the other options are wrong

A

The output shows R2 is Active in its own group (20); priority only affects role election within the same group. The real problem is separate group numbers.

C

With mismatched authentication, the state would not be Active. The exhibit clearly shows Active on both routers, so authentication is not the cause.

D

Version mismatch would not change the displayed group number; the group number discrepancy is the direct evidence shown in the exhibit.

848
MCQ (medium)

Which service would a client most directly rely on to convert `server.example.com` into an IP address?

A.DNS
B.ARP
C.NTP
D.CDP
Answer: A

This is correct because DNS resolves hostnames into IP information.

Why this answer

The client relies on DNS for name resolution. In plain language, DNS is the service that lets devices and users use readable names instead of memorizing numeric IP addresses. When the client needs to reach `server.example.com`, DNS helps translate that hostname into the IP-related information needed for actual communication.

This is different from DHCP, which supplies address configuration, and from NTP, which synchronizes time. It is also different from ARP, which resolves local IPv4 addresses to MAC addresses. The correct answer is the one associated specifically with hostname resolution.

Exam trap

A frequent exam trap is mistaking ARP for DNS because both involve address resolution. However, ARP only resolves IPv4 addresses to MAC addresses within the same local network segment and does not translate hostnames to IP addresses. Candidates might also confuse NTP or CDP as name resolution services, but NTP is for time synchronization, and CDP discovers directly connected Cisco devices.

Misunderstanding these roles leads to selecting incorrect answers, especially since the question specifically asks about converting a hostname to an IP address, which only DNS performs.

Why the other options are wrong

B

ARP is incorrect because it only resolves IPv4 addresses to MAC addresses on the local network segment and does not translate hostnames to IP addresses.

C

NTP is incorrect since it is used for synchronizing time between devices and does not perform any form of hostname or IP address resolution.

D

CDP is incorrect because it is a Cisco proprietary protocol used for discovering directly connected Cisco devices, not for resolving hostnames to IP addresses.

849
MCQ (hard)

Why is R1 not installing the floating static default route into the routing table?

A.Because the OSPF default route has a lower administrative distance than the floating static route.
B.Because static default routes can never be used when OSPF is enabled.
C.Because the static default route must use a /24 mask instead of 0.0.0.0.
D.Because the next hop of a floating route must be a loopback address.
Answer: A

This is correct because the backup static route is designed to lose while the lower-distance OSPF default remains active.

Why this answer

The floating static default route is not installed because the primary default route is already present and has a lower administrative distance. In practical terms, a floating static route is meant to sit in reserve and appear only when the preferred route is unavailable. Since the OSPF default route is active and has a better administrative distance, the backup route is not used yet.

This is a classic route-preference question. The key idea is not just that a static route exists, but that a higher-distance static route is intentionally designed to lose until the primary path disappears.

Exam trap

A frequent exam trap is assuming that a static default route must always appear in the routing table regardless of other routes. Candidates often think the floating static route is missing or misconfigured when it is simply suppressed due to its higher administrative distance compared to the OSPF default route. This misunderstanding leads to incorrect troubleshooting steps or answer choices.

Remember, floating static routes are designed to be backup routes and only become active when the primary route is unavailable, so their absence in the routing table under normal conditions is expected behavior.

Why the other options are wrong

B

Incorrect. Static default routes can coexist with OSPF routes. The router uses administrative distance to determine which route to install, so static routes are not automatically ignored when OSPF is enabled.

C

Incorrect. A default route must use the destination 0.0.0.0 with a mask of 0.0.0.0. Using a /24 mask is invalid for a default route and would not solve the issue of route selection.

D

Incorrect. Floating static routes do not require the next hop to be a loopback address. The next hop can be any reachable IP address, so this is not the reason the route is not installed.

850
Matching (medium)

Match each observation to the service area it most strongly suggests first.

Pairings

DNS: Application works by IP but not by name
DHCP: Host does not receive IP settings automatically
NTP: Device logs show inconsistent timestamps
Syslog: Operations team cannot review centralized event messages

Why these pairings

The given observations directly map to network services: 'Application works by IP but not by name' indicates the host can reach the destination but cannot resolve its name to an IP address, pointing to a DNS issue. 'Host does not receive IP settings automatically' means the DHCP process failed, so the host cannot obtain an IP address automatically, implicating the DHCP service. 'Device logs show inconsistent timestamps' reveals that time synchronization is broken, which is the role of NTP. Finally, 'Operations team cannot review centralized event messages' suggests that logging messages are not being sent to a central server, indicating a problem with the syslog service.

Exam trap

Do not confuse service functions: DNS resolves names to IPs, not IP assignment; DHCP provides automatic IP assignment, not name resolution; NTP synchronizes time, not event logs; syslog centralizes event messages, not time synchronization.

851
PBQ (hard)

You are connected to the console of R1. The network uses IPv6 with EUI-64. R1's GigabitEthernet0/0 interface has MAC address 001e.4a7b.9c0d. You need to configure an IPv6 address on this interface using EUI-64, with the subnet 2001:db8:abcd:1::/64.

Hints

  • Enable IPv6 globally first if not already done.
  • Use the 'ipv6 address' command with the 'eui-64' keyword.
  • The interface must have IPv6 enabled to use EUI-64.
A.ipv6 address 2001:db8:abcd:1::/64 eui-64
B.ipv6 address 2001:db8:abcd:1::/64
C.ipv6 address 2001:db8:abcd:1::/64 link-local
D.ipv6 enable
Answer: A
solution
! R1
interface GigabitEthernet0/0
ipv6 address 2001:db8:abcd:1::/64 eui-64
! optional: the eui-64 address above already enables IPv6 on the interface
ipv6 enable

Why this answer

The 'ipv6 address 2001:db8:abcd:1::/64 eui-64' command configures the IPv6 address using EUI-64, which generates the interface ID from the MAC address. This command alone enables IPv6 on the interface and assigns the global address; the 'ipv6 enable' command is not strictly necessary and is only required if a link-local address is needed without a global address. Option B would configure a static interface ID, not EUI-64.

Option C incorrectly uses the 'link-local' keyword, which is not valid in this context. Option D only enables IPv6 for link-local addressing without assigning a global unicast address.

Exam trap

Remember that EUI-64 requires the 'eui-64' keyword after the prefix. Without it, the address is static. Also, 'ipv6 enable' only creates a link-local address, not a global one.

Why the other options are wrong

B

The command lacks the 'eui-64' keyword, so it does not generate the interface ID from the MAC address.

C

The 'link-local' keyword is used for link-local addresses (fe80::/10), not for global prefixes.

D

The command does not assign the specified subnet prefix; it only activates IPv6 processing.
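
The EUI-64 derivation that the 'eui-64' keyword performs, as an added Python example (not part of the original question bank and not Cisco code). It uses the scenario's MAC address 001e.4a7b.9c0d and prefix 2001:db8:abcd:1::/64; the function names are my own, and the MAC parser is assumed to accept Cisco dotted, colon and hyphen notation.

```python
import ipaddress
import re


def mac_to_eui64_interface_id(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface ID for a 48-bit MAC.

    Accepts Cisco dotted (001e.4a7b.9c0d), colon or hyphen notation.
    """
    hex_digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hex_digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    mac_bytes = bytes.fromhex(hex_digits)
    # Step 1: split the MAC into the OUI (first 3 bytes) and the NIC part (last 3).
    # Step 2: insert 0xFFFE between the halves to stretch 48 bits to 64.
    eui64 = bytearray(mac_bytes[:3] + b"\xff\xfe" + mac_bytes[3:])
    # Step 3: invert the universal/local bit (bit 1 of the first byte, value 0x02).
    eui64[0] ^= 0x02
    return bytes(eui64)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface ID derived from mac.

    This is what 'ipv6 address <prefix>/64 eui-64' computes for the interface.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing requires a /64 prefix")
    iid = int.from_bytes(mac_to_eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The fe80::/64 link-local address derived from the same MAC
    (what 'ipv6 enable' on its own would produce)."""
    return eui64_address("fe80::/64", mac)


if __name__ == "__main__":
    # Scenario values: R1 Gi0/0 MAC 001e.4a7b.9c0d, prefix 2001:db8:abcd:1::/64
    print(eui64_address("2001:db8:abcd:1::/64", "001e.4a7b.9c0d"))
    print(link_local_address("001e.4a7b.9c0d"))
```

For this MAC the interface ID becomes 021e:4aff:fe7b:9c0d, so the global address is 2001:db8:abcd:1:21e:4aff:fe7b:9c0d. Because the low 64 bits embed the hardware address, an EUI-64 address stays recognisable across every prefix the interface is moved to; that is acceptable on infrastructure interfaces, but it is the reason end hosts commonly use randomised interface IDs instead.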

852
Drag & Drop (hard)

Drag and drop the following steps into the correct order for the router's routing table lookup process when forwarding a packet to a destination IP address, including the best-path selection logic.

Steps (four ordered slots; the draggable step text is not shown in this extract)

Why this order

The routing table lookup first matches the destination with the longest prefix, then applies tie-breakers: lowest administrative distance, then lowest metric, to determine the best path for forwarding.

Exam trap

Do not confuse the order of tie-breakers: administrative distance is always considered before metric. Also, remember that routing table lookup uses longest prefix match, not first match like ACLs.
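
The selection logic described in this question and in question 849 (the suppressed floating static default), as an added Python model that is not part of the original question bank. It separates the two stages a router actually performs: per prefix, the candidate with the lowest administrative distance and then the lowest metric is installed; at forwarding time, the longest matching prefix wins regardless of route source. The route entries are constructed sample data, and the names Route, build_rib, lookup and demo are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Route:
    prefix: str     # destination network, e.g. "172.18.9.0/24"
    source: str     # route source code as 'show ip route' would print it: C, S, O ...
    ad: int         # administrative distance (C=0, S=1, O=110; 250 here marks a floating static)
    metric: int     # protocol metric (OSPF cost, etc.)
    next_hop: str   # next-hop IP or exit interface


def build_rib(candidates: Iterable[Route]) -> dict[str, Route]:
    """Per prefix, install the candidate with the lowest AD, then the lowest metric.

    This is why a floating static default stays out of the table while the
    OSPF default (AD 110) is present.
    """
    rib: dict[str, Route] = {}
    for r in candidates:
        key = str(ipaddress.IPv4Network(r.prefix))   # normalise the prefix text
        current = rib.get(key)
        if current is None or (r.ad, r.metric) < (current.ad, current.metric):
            rib[key] = r
    return rib


def lookup(rib: dict[str, Route], destination: str) -> Optional[Route]:
    """Forwarding lookup: the longest matching prefix wins, whatever its source."""
    dst = ipaddress.IPv4Address(destination)
    matches = [r for r in rib.values() if dst in ipaddress.IPv4Network(r.prefix)]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.IPv4Network(r.prefix).prefixlen)


# Constructed sample routes (not from the page).
CANDIDATES = [
    Route("0.0.0.0/0", "O*E2", 110, 1, "10.0.0.2"),             # OSPF-learned default
    Route("0.0.0.0/0", "S*", 250, 0, "10.0.1.2"),               # floating static default
    Route("172.18.0.0/16", "S", 1, 0, "10.0.0.2"),               # static summary
    Route("172.18.9.0/24", "C", 0, 0, "GigabitEthernet0/0"),    # connected
]


def demo() -> dict[str, str]:
    """Which route source serves each destination, with and without the OSPF default."""
    rib = build_rib(CANDIDATES)
    results = {
        "172.18.9.10": lookup(rib, "172.18.9.10").source,   # /24 beats /16 and /0
        "172.18.50.1": lookup(rib, "172.18.50.1").source,   # only /16 and /0 match
        "8.8.8.8": lookup(rib, "8.8.8.8").source,           # default route: OSPF wins on AD
    }
    # Withdraw the OSPF default: the floating static is now the best /0 candidate.
    rib_no_ospf = build_rib(r for r in CANDIDATES if r.source != "O*E2")
    results["8.8.8.8 (OSPF default withdrawn)"] = lookup(rib_no_ospf, "8.8.8.8").source
    return results


if __name__ == "__main__":
    for destination, source in demo().items():
        print(f"{destination:36} -> {source}")
```

Note that administrative distance never overrides prefix length: the connected /24 (AD 0) is chosen for 172.18.9.10 because it is the longest match, not because its AD is lowest, and the static /16 would still be chosen over an OSPF /16 for 172.18.50.1 only if both had the same prefix length.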

853
MCQ (medium)

A port connected to an end-user PC should not send or expect VLAN tags from the endpoint. Which interface type is appropriate on the switch?

A.Access port
B.Trunk port
C.Routed port
D.Port-channel interface
Answer: A

This is correct because an access port is the normal single-VLAN switchport type for end devices such as PCs.

Why this answer

The appropriate interface type is an access port. In plain language, a normal user PC is expected to connect to one VLAN and send ordinary untagged Ethernet frames. The switch associates that traffic with the configured access VLAN.

This is different from a trunk, which is designed to carry multiple VLANs and commonly uses tagging to preserve VLAN identity across the link. Routed ports are Layer 3 interfaces used for routing between VLANs, not for attaching a single end-user PC. Port-channel interfaces aggregate multiple physical links for redundancy and bandwidth, but they do not determine whether VLAN tagging is used; the underlying port mode (access or trunk) still applies.

Therefore, access port is the only correct choice for an untagged, single-VLAN end-device connection.

Exam trap

Don't confuse the need for VLANs with the need for VLAN tagging. Access ports handle untagged traffic for single VLANs.

Why the other options are wrong

B

A trunk port is designed to carry traffic for multiple VLANs using 802.1Q tagging, which is not expected from a standard PC. Using a trunk port for a PC would cause the switch to expect tagged frames, leading to communication failures.

C

A routed port is a Layer 3 interface used for routing between VLANs or connecting to routers, not for connecting end-user PCs. It does not operate as a Layer 2 switchport and would not handle VLAN tagging as required.

D

A port-channel interface is a logical bundling of multiple physical links for increased bandwidth and redundancy, not a single connection to an end-user PC. It is used between switches or to servers, not for typical PC access.

854
Multi-Select (medium)

Which two statements accurately describe OSPF route selection or behavior at the CCNA level?

Select 2 answers
A.OSPF uses cost as its metric for choosing paths within OSPF.
B.OSPF compares its metric directly against EIGRP metrics across protocols.
C.OSPF route preference versus other route sources involves administrative distance.
D.OSPF process IDs must match between all neighboring routers.
E.OSPF can never install equal-cost paths.
Answers: A, C

This is correct because cost is the standard OSPF metric.

Why this answer

OSPF uses cost as its metric for path selection within the protocol, and OSPF routes are compared against other route sources using administrative distance when cross-protocol decisions are needed. OSPF supports equal-cost multi-path (ECMP), meaning it can install multiple equal-cost paths to the same destination, so option E is incorrect. The wrong answers confuse cost with administrative distance, treat process IDs as globally significant, or incorrectly direct cross-protocol metric comparisons.

Exam trap

A frequent exam trap is confusing OSPF’s cost metric with administrative distance or thinking that OSPF process IDs must match between neighbors. Many candidates incorrectly believe that OSPF compares its metric directly against EIGRP metrics or that process IDs are globally significant. This misunderstanding leads to wrong answers because OSPF cost is only used internally within OSPF to select the best path, while administrative distance is used to compare routes from different protocols.

Also, OSPF process IDs are locally significant identifiers and do not need to match for adjacency to form.

Why the other options are wrong

B

Option B is incorrect because OSPF does not compare its metric directly against EIGRP metrics. Metrics are protocol-specific and only administrative distance is used to compare routes across different protocols.

D

Option D is incorrect because OSPF process IDs are locally significant and do not need to match between neighboring routers. Adjacency forms based on matching parameters like area ID and authentication, not process ID.

E

Option E is incorrect because OSPF supports equal-cost multipath (ECMP) routing, allowing multiple routes with the same cost to be installed and used simultaneously for load balancing.

855
PBQ (easy)

You are connected to SW1 via the console. SW1 is a Layer 2 switch with an access port G0/1 connected to a server. The network administrator has noticed that the server is sending BPDUs, which could cause network instability. You need to configure PortFast and BPDU Guard on port G0/1 to prevent BPDU-related issues and ensure the port transitions to forwarding state immediately.

Network Topology
SW1 (G0/1) --- Server

Hints

  • PortFast enables immediate transition from blocking to forwarding state.
  • BPDU Guard disables the port if a BPDU is received.
  • These features are typically applied to access ports connected to end devices.
A.interface G0/1; spanning-tree portfast; spanning-tree bpduguard enable
B.interface G0/1; spanning-tree portfast; spanning-tree guard root
C.interface G0/1; spanning-tree portfast; spanning-tree bpdufilter enable
D.interface G0/1; spanning-tree portfast; spanning-tree bpduguard default
Answer: A
solution
! SW1
interface GigabitEthernet0/1
spanning-tree portfast
spanning-tree bpduguard enable

Why this answer

PortFast allows an access port to bypass STP listening/learning states, providing immediate connectivity. BPDU Guard protects the network by shutting down the port if a BPDU is received, preventing potential loops from unauthorized switches.

Exam trap

Cisco exams often test the exact syntax for STP features. Both BPDU Guard and BPDU Filter are enabled at the interface level with the 'enable' keyword ('spanning-tree bpduguard enable' and 'spanning-tree bpdufilter enable'), while Root Guard uses 'spanning-tree guard root'.

Do not confuse these or use global commands on interfaces.

Why the other options are wrong

B

The specific factual error is confusing Root Guard with BPDU Guard. Root Guard is used to enforce the root bridge position, not to protect against BPDUs.

C

The specific factual error is that BPDU Filter silently drops BPDUs instead of taking action, which can allow loops to form if an unauthorized switch is connected.

D

The specific factual error is using the global configuration command on an interface. The global command enables BPDU Guard on all PortFast-enabled ports, but the question asks to configure it on a specific port.

856
MCQ (hard)

A controller-based WLAN uses 5 GHz in an open office. Clients keep disconnecting when users roam between APs, but signal strength remains strong. Based on the exhibit, what is the most likely problem?

A.A transmit power mismatch is creating asymmetric coverage around AP-3.
B.The SSID must use 2.4 GHz only for roaming to work.
C.WPA2 cannot support roaming between APs.
D.The WLAN needs a different DHCP scope on each AP.
Answer: A

One AP is far louder than the rest, which often causes roaming instability.

Why this answer

The APs are transmitting at much higher power than the clients, creating a coverage imbalance. Clients may hear the AP well enough to stay associated too long, while the AP cannot reliably hear the weaker client at the same cell edge. That leads to sticky-client and roaming issues even when RSSI looks strong.

Exam trap

A common exam trap is assuming that roaming issues are caused by encryption protocols like WPA2 or by requiring 2.4 GHz operation only. Candidates may also mistakenly believe that DHCP scopes must be unique per AP to support roaming. These misconceptions distract from the real issue: transmit power mismatch causing asymmetric coverage.

The APs transmitting at much higher power than clients cause sticky client problems, where clients do not roam properly despite strong signal strength. Understanding this subtle power imbalance is critical to avoid selecting incorrect answers related to encryption or DHCP.

Why the other options are wrong

B

Incorrect because roaming works on 5 GHz and is often preferred there; restricting SSID to 2.4 GHz is unnecessary and unrelated to the problem.

C

Incorrect because WPA2 supports roaming; encryption type does not cause clients to disconnect when roaming between APs.

D

Incorrect because DHCP scopes are shared in controller-based WLANs; separate DHCP scopes per AP are not required for roaming functionality.

857
Matching (easy)

Match each STP-related term or feature to its most accurate function.

Pairings

Root bridge: The central reference switch for STP path calculation
Root port: The best path on a non-root switch toward the root bridge
PortFast: Feature that speeds an edge port into forwarding
BPDU Guard: Feature that disables an edge port if a BPDU is received

Why these pairings

In STP, the root bridge is elected as the central reference switch for path calculation. The root port on a non-root switch is the port with the lowest cost path toward the root bridge. PortFast allows an edge port to immediately transition to the forwarding state, bypassing listening and learning.

BPDU Guard protects the network by placing an edge port into errdisable state if a BPDU is received, preventing accidental loops.

Exam trap

Be careful not to confuse the roles of root port and designated port. The root port is the port on a non-root bridge with the lowest cost to the root bridge, while the designated port is the port on a segment with the lowest cost to the root bridge. Also, remember that the Bridge ID is priority + MAC, not just priority.

858
MCQ (medium)

Which syslog severity is more critical: level 2 or level 5?

A.Level 5
B.Level 2
C.They are equal
D.It depends on platform model
Answer: B

Correct. Lower number means higher urgency.

Why this answer

In syslog, lower numeric values indicate higher severity. Level 2 is therefore more critical than level 5.

Exam trap

Remember, in syslog, lower numbers mean higher severity. Don't confuse this with other systems where higher numbers might indicate higher priority.

Why the other options are wrong

A

Level 5 (notice) is less critical than level 2 (critical) because in syslog, lower numbers indicate higher severity. Level 5 is closer to informational messages, while level 2 indicates a critical condition that requires immediate action.

C

Syslog severity levels are strictly ordered from 0 (most critical) to 7 (least critical). Level 2 and level 5 are distinct values with different meanings, so they are not equal in severity.

D

The syslog severity level numbering is standardized across all platforms that implement syslog (RFC 5424). The ordering from 0 (emergency) to 7 (debugging) is consistent regardless of the device vendor or model.

859
PBQ (hard)

You are connected to R1. Configure inter-VLAN routing on R1 using router-on-a-stick so that hosts in VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24) can communicate. The switch SW1 is already configured with VLANs and trunking, but R1's current configuration prevents traffic. Identify and fix the issues.

Network Topology
R1 (G0/0) --- trunk --- SW1

Hints

  • Check if the physical interface is administratively down.
  • Verify that the trunk is allowing VLANs 10 and 20.
  • Ensure 'ip routing' is enabled (it is by default).
A.Enable the physical interface with the 'no shutdown' command on R1.
B.Change the encapsulation on the subinterfaces to use dot1Q with native VLAN 10 and 20 respectively.
C.Enable IP routing globally with the 'ip routing' command on R1.
D.Remove the 'no shutdown' from the subinterfaces and apply it only to the physical interface.
Answer: A
solution
! R1
interface GigabitEthernet0/0
no shutdown
! 'end' returns to privileged EXEC; 'exit' would only drop to global config, where show commands are not accepted
end
show interfaces trunk

Why this answer

The issue was that the physical interface GigabitEthernet0/0 on R1 was administratively down, causing all subinterfaces for VLANs 10 and 20 to be in a down state. Enabling it with 'no shutdown' brings the trunk up, allowing inter-VLAN routing because the switch already has trunking configured. The other options are incorrect because they suggest steps that are either already in place (IP routing) or not needed (changing encapsulation or moving no shutdown to subinterfaces).

Exam trap

A common mistake is overlooking that router-on-a-stick requires the physical interface to be administratively up, as subinterfaces cannot function independently.

Why the other options are wrong

B

Changing encapsulation is unnecessary because the subinterfaces already use the correct dot1Q encapsulation for VLANs 10 and 20.

C

The 'ip routing' command is already enabled by default on routers, and global routing is not the problem here.

D

Subinterfaces do not support a 'no shutdown' command; their operational state is determined solely by the physical interface.

860
MCQ (medium)

Why is BPDU Guard commonly enabled on PortFast-enabled access ports?

A.To make STP root election happen faster
B.To disable STP permanently on access ports
C.To err-disable a port if it receives unexpected BPDUs
D.To allow only one MAC address on the access port
Answer: C

That is the core purpose of BPDU Guard.

Why this answer

PortFast ports are meant for end devices, not for switches. BPDU Guard protects the LAN by shutting down a PortFast port that unexpectedly starts receiving BPDUs, which usually means an unauthorized switch was connected.

Exam trap

Don't confuse BPDU Guard with PortFast or BPDU filtering; each has distinct roles.

Why the other options are wrong

A

BPDU Guard is a security feature that err-disables a port upon receiving BPDUs; it does not accelerate root election. Root election speed is influenced by STP timers and bridge priorities, not BPDU Guard.

B

BPDU Guard does not disable STP permanently; it only reacts to BPDU reception by err-disabling the port. STP remains active on other ports, and the port can be re-enabled after the violation is resolved.

D

Limiting MAC addresses on a port is the function of port security, not BPDU Guard. BPDU Guard specifically monitors for BPDU frames and takes action if any are received.

861
MCQ (hard)

A host address is 192.168.14.222/28. Which address is the broadcast address of its subnet?

A.192.168.14.207
B.192.168.14.223
C.192.168.14.208
D.192.168.14.224
Answer: B

This is correct because .222 belongs to the 208-223 /28 subnet.

Why this answer

A /28 subnet has a block size of 16. In practical terms, the fourth-octet blocks are 0-15, 16-31, and so on. Because 222 falls within the 208-223 block, the broadcast address is the last address in that block: 192.168.14.223.

This is a subnet-boundary question that depends on identifying the correct /28 block before choosing the broadcast address.

Exam trap

Be careful not to confuse the broadcast address with the network address of the next subnet or a host address within the subnet.

Why the other options are wrong

A

192.168.14.207 is the broadcast address of the previous /28 subnet (192.168.14.192/28), not the subnet containing 192.168.14.222.

C

192.168.14.208 is the network address (subnet ID) of the /28 subnet containing .222, not the broadcast address.

D

192.168.14.224 is the network address of the next /28 subnet (192.168.14.224/28), not the broadcast of the current subnet.

862
Drag & Dropmedium

Drag and drop the following OSPFv2 neighbor state transitions into the correct order, starting from the initial Down state on a broadcast or point-to-point network (non-NBMA).

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The standard OSPF neighbor state machine on broadcast and point-to-point networks proceeds: Down, Init, 2-Way, ExStart, Exchange, Loading, Full. The Attempt state exists only on NBMA networks and is not used here. The slots are filled in that sequence starting from Down: Down → Init → 2-Way → ExStart → Exchange, with Loading and Full following once the database description exchange is complete.

Orderings that insert the NBMA-only Attempt state, or that place Loading before Exchange, are wrong. One caveat when you verify with show ip ospf neighbor: on a broadcast segment a router reaches Full only with the DR and BDR; a neighbor that stays at 2-Way/DROTHER is the normal state between two non-designated routers, not a stuck adjacency.

Exam trap

Do not confuse the standard OSPF neighbor states with the NBMA-specific Attempt state; unless the network type is explicitly NBMA, assume the common broadcast/point-to-point order omitting Attempt.

863
MCQhard

An administrator wants to block all Telnet access to a router’s VTY lines and allow only SSH. Which change most directly supports that goal?

A.Configure the VTY lines to accept SSH and not Telnet.
B.Enable PortFast on the VTY lines.
C.Use DHCP snooping to protect the VTY lines.
D.Increase the OSPF hello interval.
AnswerA

This is correct because it directly restricts the management protocol accepted on the router.

Why this answer

The most direct change is to configure the VTY lines to accept only SSH, which removes Telnet as an accepted protocol. Option B (PortFast) is a spanning-tree feature that speeds up port transition on access ports and has nothing to do with VTY access. Option C (DHCP snooping) is a Layer 2 security feature to prevent rogue DHCP servers; it does not affect VTY line protocols.

Option D (OSPF hello interval) is an OSPF timer adjustment, unrelated to remote access security. Therefore, only option A directly achieves the goal.

Exam trap

Avoid assuming that ACLs or global commands can replace the VTY line configuration for protocol restriction. An access-class ACL controls which source addresses may reach the lines, and global commands such as ip ssh version 2 tune SSH itself, but only transport input on the lines decides which protocol is accepted.

Why the other options are wrong

B

PortFast is a spanning-tree feature for switch ports, not related to VTY line protocols.

C

DHCP snooping is a Layer 2 security feature against rogue DHCP servers, irrelevant to Telnet/SSH access.

D

Increasing the OSPF hello interval affects OSPF neighbor discovery, not remote access to the router.

864
MCQhard

A network engineer configures a primary default route via Gi0/0 (next-hop 192.168.12.2) and a floating static default route via Gi0/1 (next-hop 192.168.12.6) with AD 200. To test failover, the engineer issues the shutdown command on Gi0/0. After this, the router does not have a default route in the routing table. Which problem explains this behavior?

A.The backup interface Gi0/1 is administratively down, making the next-hop unreachable.
B.The floating static route uses an administrative distance of 200, which is too low to replace the primary route.
C.The primary default route remains in the routing table because shutting down Gi0/0 does not remove the static route.
D.The floating static route is missing a track object, so the router cannot detect the primary path failure.
AnswerA

With both interfaces down, the router cannot reach either next-hop, so no default route is installed.

Why this answer

A floating static route is installed only if its next-hop is reachable and the primary route (with lower AD) is absent. Shutting down Gi0/0 removes the primary route. However, backup interface Gi0/1 is also administratively down, so the next-hop 192.168.12.6 is unreachable, and the floating route is not installed.

Option A correctly identifies the interface status as the root cause. Option B is wrong because a higher AD (200) correctly designates this as a backup; a lower AD would make it primary. Option C is false; shutting down an interface removes connected routes, which causes the recursive static route to be purged.

Option D is incorrect because floating static routes do not require a track object—the AD difference alone dictates failover when the primary is removed.

Exam trap

The most common mistake is assuming a floating static route will automatically be installed when the primary route disappears, forgetting that the next-hop must be reachable. A second one is to treat 'shutdown' as a complete failover test: it proves the interface-down case only. If the upstream device dies while the link stays up/up, the connected route stays in the table and so does the primary static route, unless it is tied to a track object.

Why the other options are wrong

B

A lower AD would make it preferred, defeating the purpose of a floating route.

C

The primary route is removed from the table when the interface goes down.

D

Track objects are optional enhancements for faster failover but not mandatory for floating static operation.
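The failover test in this question, as an added configuration example that is not from the question bank: primary and floating static default routes on R1, a backup interface that is actually up, and the optional tracking the page notes is not required. The interface addresses (192.168.12.1/30 and 192.168.12.5/30), the IP SLA number and the track object number are assumptions.

```cisco
! Assumed addressing: Gi0/0 192.168.12.1/30 toward 192.168.12.2,
!                     Gi0/1 192.168.12.5/30 toward 192.168.12.6
interface GigabitEthernet0/0
 ip address 192.168.12.1 255.255.255.252
 no shutdown
interface GigabitEthernet0/1
 ip address 192.168.12.5 255.255.255.252
 no shutdown
! Gi0/1 must be up/up: while it is administratively down the next-hop
! 192.168.12.6 is unreachable and the floating route can never be installed.
!
! Primary default route (static routes default to AD 1)
ip route 0.0.0.0 0.0.0.0 192.168.12.2
! Floating static: same prefix, AD 200, kept out of the RIB while the AD-1 route exists
ip route 0.0.0.0 0.0.0.0 192.168.12.6 200
!
! Optional (assumed IP SLA 1 / track 1): withdraw the primary when the upstream
! device stops answering even though Gi0/0 stays up/up. Not needed for the
! 'shutdown' test, which removes the connected route and with it the static
! route that depends on it.
ip sla 1
 icmp-echo 192.168.12.2 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
no ip route 0.0.0.0 0.0.0.0 192.168.12.2
ip route 0.0.0.0 0.0.0.0 192.168.12.2 track 1
!
! Checks
show ip interface brief
show ip route static
show ip route 0.0.0.0 0.0.0.0
```

Before shutting down Gi0/0, show ip interface brief should list Gi0/1 as up/up and show ip route static should show only the AD-1 route. After the shutdown, the default route should reappear via 192.168.12.6 flagged [200/0]. If Gi0/1 is down at that moment, the shutdown removes the only default route, which is exactly the symptom in the question.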

865
Multi-Selectmedium

Which TWO of the following are correct regarding Cisco SFP/SFP+ transceivers and their supported cable types?

Select 2 answers
A.A standard SFP+ fiber transceiver can be used with Category 6a UTP cable to achieve 10 Gbps over 100 meters.
B.A 1000BASE-T SFP transceiver can operate over Category 5e UTP cable up to 100 meters.
C.A 10GBASE-LR SFP+ transceiver supports distances up to 10 kilometers over single-mode fiber.
D.An SFP transceiver for 1000BASE-SX can achieve distances up to 5 kilometers over multimode fiber.
E.SFP+ transceivers are backward compatible with SFP slots and can operate at 1 Gbps if the module supports it.
AnswersB, C

The 1000BASE-T standard uses twisted-pair copper cabling (Category 5e or better) and supports distances up to 100 meters. SFP transceivers for 1000BASE-T are available and widely used.

Why this answer

Correct answers are B and C. A 1000BASE-T SFP transceiver operates over Cat 5e or better UTP up to 100 meters as defined by IEEE 802.3ab, making B true. A 10GBASE-LR SFP+ transceiver supports up to 10 km over single-mode fiber, making C true.

Option A is false because standard SFP+ fiber transceivers are not designed for UTP cabling; they require fiber or direct‑attach copper cables. (10GBASE‑T SFP+ modules exist, but they are rarely the module a CCNA question means, and they are typically limited to about 30 meters of Cat 6a, not 100 meters.) Option D is false because 1000BASE‑SX has a maximum distance of 550 meters over multimode fiber, not 5 km. Option E is false, but not because of size: SFP and SFP+ share the same mechanical form factor, so an SFP+ module physically fits an SFP cage, but a 1 Gbps host port cannot drive it and the combination is not supported. Compatibility runs the other way: SFP+ ports commonly accept 1 Gbps SFP modules, subject to the platform's compatibility matrix, since not every port does.

Exam trap

Cisco often tests the misconception that SFP/SFP+ transceivers are exclusively fiber-optic, causing candidates to forget that 1000BASE-T copper SFPs exist and operate over standard UTP cabling, or they confuse the distance limits of 1000BASE-SX (multimode) with those of 1000BASE-LX (single-mode).

Why the other options are wrong

A

Standard SFP+ fiber transceivers are not designed for copper UTP cabling; they require fiber or direct-attach copper cables.

D

1000BASE-SX (short wavelength) uses multimode fiber and typically supports distances up to 220m (with 62.5/125µm fiber) or 550m (with 50/125µm fiber), not 5 km. Longer distances require single-mode fiber and 1000BASE-LX.

E

SFP+ transceivers are not usable in SFP slots, even though the mechanical form factor is identical and the module fits: an SFP (1 Gbps) port cannot operate a 10 Gbps module and vendors do not support the combination. What is supported is the reverse: many SFP+ ports accept SFP modules and run them at 1 Gbps, again subject to the platform's compatibility list.

866
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure and verify OSPFv3 neighbor adjacency using link-local addresses in area 0.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The correct order enables IPv6 unicast routing globally, creates the OSPFv3 process, enters interface configuration, assigns the interface to the OSPFv3 process in area 0 (which activates OSPFv3 on the link), and finally verifies the neighbor relationship. IPv6 unicast routing must be enabled first because OSPFv3 requires IPv6 packet forwarding. The process is normally created and given a router-id before any interface is attached; the interface command will create the process implicitly if it does not exist, but OSPFv3 still needs a 32-bit router ID, which it borrows from an IPv4 address on the router and which must be set manually with router-id on an IPv6-only device, otherwise the process never starts.

Assigning the interface to area 0 triggers Hello packet exchange over link-local addresses. The show command confirms the adjacency formed.
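The five steps above on R1, as an added example that is not from the question bank. The process ID, router-id 1.1.1.1, the prefix 2001:db8:12::/64 and the IPsec SPI and key (a placeholder) are assumptions.

```cisco
! Step 1: IPv6 forwarding must be on, or the OSPFv3 process cannot be created
ipv6 unicast-routing
!
! Step 2: create the process. Assumed router-id; set it explicitly on any router
! without an IPv4 address, otherwise the process has no ID and stays down.
ipv6 router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
!
! Steps 3-4: enter the interface and attach it to the process in area 0.
! Hellos are sourced from the link-local address, so the global address is
! optional for the adjacency itself (assumed prefix shown).
! Authentication uses IPsec AH with a placeholder 40-hex-digit SHA-1 key;
! the neighbor must configure the same SPI and key.
interface GigabitEthernet0/0
 ipv6 address 2001:db8:12::1/64
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 256 sha1 0123456789abcdef0123456789abcdef01234567
 no shutdown
!
! Step 5: verify. The neighbor is listed by its link-local (FE80::) address;
! expect FULL/ - on a point-to-point link, FULL/DR or FULL/BDR on Ethernet.
show ipv6 ospf neighbor
show ipv6 ospf interface GigabitEthernet0/0
show ipv6 interface GigabitEthernet0/0
```

If the neighbor never leaves INIT or never appears, compare show ipv6 ospf interface on both sides: area, hello and dead timers, network type and the authentication SPI must all match, because a mismatched IPsec key simply causes the peer's packets to be dropped.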

867
MCQmedium

A network administrator is troubleshooting a Windows 10 workstation that cannot access the internet. The workstation receives an IPv4 address starting with 169.254.x.x. The network uses DHCP, and other workstations on the same subnet are working correctly. What is the most likely cause of this issue?

A.The workstation's DNS server settings are incorrect.
B.The workstation's network cable is unplugged or faulty, preventing DHCP communication.
C.The DHCP server has exhausted its address pool.
D.The workstation's default gateway is misconfigured.
AnswerB

A physical connectivity issue (e.g., unplugged or faulty cable) prevents the workstation from reaching the DHCP server, causing it to fall back to APIPA. This is the most common cause when only one workstation is affected.

Why this answer

The 169.254.x.x address is an Automatic Private IP Addressing (APIPA) address assigned by Windows when DHCP fails. Since other workstations on the same subnet work correctly, the DHCP server and network are functional, isolating the issue to the specific workstation. A faulty or unplugged network cable would prevent the workstation from sending DHCP Discover messages, causing it to fall back to APIPA. On the workstation, ipconfig /all shows the address labelled Autoconfiguration IPv4 Address with no DHCP server listed, and ipconfig /renew times out; check the link light and, on the switch, show interfaces status for that port, because a port that is down or err-disabled produces the same APIPA symptom.

Exam trap

Cisco often tests the distinction between DHCP failure symptoms (APIPA) and other connectivity issues, trapping candidates who confuse DNS or gateway misconfigurations with the inability to obtain an IP lease.

Why the other options are wrong

A

Incorrect DNS settings prevent name resolution but do not affect IP address assignment. The workstation would still receive a valid IP from DHCP, not an APIPA address.

C

If the DHCP pool were exhausted, all workstations would fail to obtain addresses and use APIPA. The scenario states other workstations are working correctly, so pool exhaustion is not the cause.

D

A misconfigured default gateway would prevent internet access but the workstation would still receive a valid IP from DHCP. APIPA addresses are only assigned when DHCP fails entirely.

868
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure inter-VLAN routing using a router-on-a-stick topology.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Inter-VLAN routing via router-on-a-stick requires creating VLANs on the switch, placing access ports in those VLANs, configuring a trunk to the router with the correct native VLAN to avoid mismatch, enabling the physical router interface, and then defining subinterfaces per VLAN with 802.1Q encapsulation and IP addresses. This ensures traffic from different VLANs can be routed.

869
MCQeasy

Which static route on R1 sends all unknown IPv4 destinations to next-hop address 192.0.2.1?

A.ip route 0.0.0.0 255.255.255.255 192.0.2.1
B.ip route 0.0.0.0 0.0.0.0 192.0.2.1
C.ip route 255.255.255.255 0.0.0.0 192.0.2.1
D.ip default-gateway 192.0.2.1
AnswerB

Correct. 0.0.0.0/0 is the standard IPv4 default route.

Why this answer

A quad-zero route is the IPv4 default route. It matches destinations that do not have a more specific entry in the routing table.

Exam trap

A frequent exam trap is selecting a static route with the destination 0.0.0.0 but an incorrect subnet mask like 255.255.255.255, which matches only the single host 0.0.0.0 rather than all unknown destinations. Another common mistake is confusing the 'ip default-gateway' command with a default route; the former is honored only when IP routing is disabled (a Layer 2 switch, or a router configured with 'no ip routing'), so on a routing router it does not influence forwarding decisions. Candidates must recognize that the default route requires both destination and mask to be 0.0.0.0 to function correctly as a catch-all route for unknown IPv4 destinations.

Why the other options are wrong

A

The route 'ip route 0.0.0.0 255.255.255.255 192.0.2.1' incorrectly uses a subnet mask of 255.255.255.255, which matches only the single host 0.0.0.0, not all unknown destinations. Therefore, it does not serve as a default route.

C

The route 'ip route 255.255.255.255 0.0.0.0 192.0.2.1' reverses the destination and mask fields, creating an invalid route that does not function as a default route or any valid static route.

D

'ip default-gateway 192.0.2.1' sets the default gateway for devices that do not perform routing, such as Layer 2 switches. It does not create a routing entry on routers and therefore cannot be used to send unknown IPv4 destinations.

870
Matchingmedium

Match each service to the kind of problem it most directly helps solve.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Hostname works incorrectly or cannot be resolved into IP information

Clients need automatic IP configuration

Device timestamps do not line up consistently

Administrators need centralized event and log collection

Why these pairings

DNS solves the name-resolution problem: a hostname that cannot be resolved into IP information points at DNS. DHCP eliminates manual IP configuration by handing clients an address, mask, gateway and DNS servers. NTP keeps device clocks in step, which is what makes timestamps line up. Syslog gives administrators one place to collect events and log messages.

NTP and syslog belong together in practice: without synchronized clocks, centrally collected logs cannot be correlated across devices during an incident.

Exam trap

A common trap is assuming that these services overlap. Remember that DNS resolves names, DHCP assigns IP configuration, NTP synchronizes clocks and syslog centralizes logs. Other services that show up in similar matching questions are just as distinct: FTP transfers files, SSH secures remote access, RADIUS handles network-access AAA and TACACS+ handles device-administration AAA.

871
MCQhard

A trunk link has a native VLAN mismatch between two switches. What is the most likely result?

A.All VLANs except the native VLAN stop forwarding immediately.
B.Untagged frames can be interpreted as belonging to different VLANs on each switch.
C.The trunk automatically converts to an access port.
D.STP is disabled on the trunk until the mismatch is corrected.
AnswerB

Correct. That is the classic native VLAN mismatch issue.

Why this answer

Untagged traffic may be placed into different VLANs on each side of the trunk, causing traffic leakage or connectivity problems.

Exam trap

Be careful not to confuse native VLAN mismatches with issues that affect tagged traffic or automatic switch behavior.

Why the other options are wrong

A

A native VLAN mismatch does not stop the other VLANs from forwarding. Tagged frames keep flowing; the damage is confined to untagged frames, which each switch assigns to its own native VLAN, so two VLANs are effectively bridged together. Cisco PVST+ carries the VLAN ID in its BPDUs, detects the mismatch, logs %SPANTREE-2-RECV_PVID_ERR and blocks only the two affected VLANs on that port; everything else continues to forward.

C

A trunk port does not automatically convert to an access port due to a native VLAN mismatch. The trunk remains operational, but the native VLAN mismatch causes problems for untagged traffic.

D

STP is not disabled by the mismatch; it keeps running on the trunk. PVST+ even uses the mismatch it detects to protect the topology, placing only the inconsistent VLANs into a blocking state on that port until the native VLAN is corrected on one side. To find the mismatch, compare show interfaces trunk on both switches and look for %CDP-4-NATIVE_VLAN_MISMATCH in the log.
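The router-on-a-stick procedure from question 868 and the native VLAN agreement this question is about, as one added configuration example that is not from the question bank. The VLAN IDs, the subnets, the interface names, the unused VLAN 99 as native VLAN and a switch that needs the explicit dot1q encapsulation command are all assumptions.

```cisco
! Assumed: VLAN 10 = 10.0.10.0/24, VLAN 20 = 10.0.20.0/24, VLAN 99 unused native,
! SW1 Gi0/1 -> R1 Gi0/0, SW1 Fa0/1 and Fa0/2 are host access ports
!
! --- SW1: steps 1-3 (VLANs, access ports, trunk with an agreed native VLAN) ---
vlan 10
 name USERS
vlan 20
 name SERVERS
vlan 99
 name NATIVE-UNUSED
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,99
 switchport nonegotiate
! (omit 'switchport trunk encapsulation dot1q' on models that only speak 802.1Q)
!
! --- R1: steps 4-5 (physical interface up, one subinterface per VLAN) ---
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
! The router must agree on the native VLAN. With nothing routed in VLAN 99 this
! subinterface is optional (untagged frames are simply dropped without it), but
! never leave the switch side at VLAN 1 while the router expects another VLAN.
interface GigabitEthernet0/0.99
 encapsulation dot1Q 99 native
!
! --- Checks ---
! SW1: Gi0/1 must be trunking with native VLAN 99
show interfaces trunk
! SW1: a mismatch with a CDP-speaking neighbor is logged as %CDP-4-NATIVE_VLAN_MISMATCH
show cdp neighbors detail
! R1: each subinterface up/up with its VLAN ID
show ip interface brief
show vlans
```

Using an otherwise unused VLAN as the native VLAN, and pruning the trunk to the VLANs it needs, limits what an untagged frame injected on either end can reach; switchport nonegotiate stops DTP from forming trunks with ports you did not intend to trunk.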

872
Multi-Selectmedium

Which two statements accurately describe subnet masks in IPv4?

Select 2 answers
A.It identifies the network-versus-host split in an IPv4 address.
B.It helps a host determine whether a destination is local or remote.
C.It resolves hostnames into IP addresses.
D.It encrypts packets before they leave the host.
E.It replaces the need for a default gateway.
AnswersA, B

This is correct because that is the primary function of the subnet mask.

Why this answer

A subnet mask tells the host which part of the IPv4 address refers to the network and which part refers to the host. In plain language, it helps the device determine whether a destination is local or remote. That decision is essential because it affects whether the host uses ARP directly or forwards traffic to the default gateway.

The wrong answers usually attribute unrelated behaviors to the subnet mask, such as encryption or hostname resolution. The two correct answers are the ones that preserve its role in defining local scope and address structure.

Exam trap

Avoid confusing subnet mask functions with encryption or DNS, as these are unrelated to IP address segmentation.

Why the other options are wrong

C

Subnet masks are used solely for IP addressing and routing purposes, not for name resolution. Hostname-to-IP-address resolution is performed by the Domain Name System (DNS), which is a completely different protocol and service.

D

Subnet masks do not provide any encryption or security functionality. Encryption of packets is performed by protocols such as IPsec, TLS, or other cryptographic mechanisms, which operate independently of subnet masking.

E

A default gateway is still required for any traffic destined to a different subnet. The subnet mask only defines the local network boundary; it does not provide routing to other networks. Without a default gateway, a host cannot send packets off its subnet.

873
Drag & Dropmedium

A network troubleshooter is using Cisco IOS-XE's embedded packet capture feature to capture traffic on an interface and then analyze it in Wireshark to isolate a Layer 2 or Layer 3 fault. Which of the following sequences represents the correct order of steps?

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The correct workflow is to first define the capture point (interface and any filters), then start the capture, stop it when sufficient data is collected, export the captured packets to a file, and finally open that file in Wireshark for analysis. Starting the capture before defining the point, exporting before stopping, or defining the point after stopping all result in an invalid or incomplete capture process.

Exam trap

Remember that the capture point must be defined before starting the capture, and the capture must be stopped before exporting. Do not confuse the order of these steps.
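The capture workflow described above, as an added example that is not from the question bank. The capture name CAP, the interface, the host of interest 10.0.10.50 and the export location are assumptions.

```cisco
! 1. Define the capture point: interface, direction and a filter (assumed host)
monitor capture CAP interface GigabitEthernet0/0 both
monitor capture CAP match ipv4 host 10.0.10.50 any
! Bound the capture so a busy interface cannot exhaust memory: buffer in MB,
! then a packet count and a duration in seconds
monitor capture CAP buffer size 10
monitor capture CAP limit packets 2000
monitor capture CAP limit duration 60
!
! 2. Start, reproduce the fault, then stop
monitor capture CAP start
monitor capture CAP stop
!
! 3. Look on-box before exporting
show monitor capture CAP parameter
show monitor capture CAP buffer brief
!
! 4. Export to a pcap and copy it off-box over an encrypted channel
!    (recent IOS-XE releases use 'export location'; check 'monitor capture CAP export ?')
monitor capture CAP export flash:cap.pcap
copy flash:cap.pcap scp:
!
! 5. Clean up: the file holds payloads and possibly credentials
delete flash:cap.pcap
no monitor capture CAP
```

Open the copied file in Wireshark. The parameter and buffer commands in step 3 are the quick way to confirm that the filter matched something before you export; an empty buffer usually means the capture point was attached to the wrong interface or direction.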

874
Multi-Selectmedium

Which two statements accurately describe why organizations use separate employee and guest WLANs?

Select 2 answers
A.They allow different access policies and trust boundaries for different user groups.
B.They help isolate guest access from internal corporate resources.
C.They eliminate the need for wireless security.
D.They make all roaming problems disappear automatically.
E.They replace the need for VLANs or policy controls behind the scenes.
AnswersA, B

This is correct because policy separation is a key reason for distinct WLANs.

Why this answer

Organizations use separate WLANs because different user groups usually require different trust levels, policies, and access rights. In practical terms, employees may need access to internal business systems, while guests usually need a more limited and isolated experience. Separate WLANs make that segmentation and policy enforcement easier.

This is a design and security decision, not just a naming preference.

Exam trap

Avoid assuming that separate WLANs are used for performance improvements or marketing purposes; focus on security and access control.

Why the other options are wrong

C

Separate WLANs do not eliminate the need for wireless security; both employee and guest WLANs still need protection. The employee WLAN needs WPA2/WPA3 with proper authentication, and a guest WLAN should at least use Enhanced Open (OWE) or a WPA2/WPA3 passphrase for over-the-air confidentiality, with a captive portal or similar control for access, because an open SSID exposes every guest's traffic to anyone in range.

D

Roaming problems, such as handoff delays or authentication re-requirements, are not automatically resolved by having separate WLANs; they depend on factors like controller configuration, AP placement, and roaming protocols (e.g., 802.11r).

E

Separate WLANs do not replace the need for VLANs or policy controls; in fact, they often rely on VLANs to segregate traffic and on additional policies (e.g., ACLs, firewall rules) to enforce access restrictions between the WLANs and the network.

875
MCQhard

A host address is 192.168.50.158/27. Which address is the network address of its subnet?

A.192.168.50.128
B.192.168.50.159
C.192.168.50.160
D.192.168.50.96
AnswerA

This is correct because 158 belongs to the 128-159 /27 subnet.

Why this answer

A /27 subnet has a block size of 32. In practical terms, the relevant ranges in the last octet are 0-31, 32-63, 64-95, 96-127, 128-159, and so on. Because 158 falls in the 128-159 block, the network address is 192.168.50.128.

This is a block-identification question. Once you identify the correct /27 block, the network address is the first address in that range.

Exam trap

Ensure you calculate the correct block range for the subnet mask given, not just any multiple of the block size.

Why the other options are wrong

B

192.168.50.159 is the broadcast address for the 192.168.50.128/27 subnet, not the network address. The broadcast address is used to send packets to all hosts in the subnet and cannot be assigned to a host.

C

192.168.50.160 is the network address of the next /27 subnet (160-191), not the subnet containing 158. The /27 mask creates subnets with a block size of 32, so the subnet boundaries are multiples of 32.

D

192.168.50.96 is the network address of the 96-127 /27 subnet, which is an earlier subnet. The address 158 falls in the 128-159 range, not the 96-127 range.

876
Matchingmedium

Match each HTTP method to the action it most commonly represents in a REST-style API.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Retrieve existing information

Submit or create data

Update or replace an existing resource

Remove a resource

Why these pairings

These HTTP methods correspond to standard CRUD operations in RESTful APIs. Each pairing matches the method with its typical action as defined in HTTP specifications.

Exam trap

Watch out for confusing POST with update; remember POST is primarily for creation, while PUT and PATCH handle updates.

877
MCQhard

A device administrator can log in securely over SSH, but the organization still insists on restricting source IP ranges and keeping detailed logs. Which statement best explains that decision?

A.Because secure transport alone does not remove the need for source restriction and accountability controls.
B.Because SSH is less secure than Telnet and must be compensated for.
C.Because logs automatically enforce ACL policy.
D.Because source IP restriction replaces the need for authentication.
AnswerA

This is correct because layered controls address different management-plane risks.

Why this answer

The decision reflects defense in depth. SSH encrypts the session and authenticates users, but it does not limit which source IPs can connect or provide audit trails. Source IP restriction reduces the attack surface by allowing only trusted hosts, and logging provides accountability and forensic evidence.

Option B is incorrect because SSH is more secure than Telnet, not less. Option C is incorrect because logs record events but do not enforce ACLs. Option D is incorrect because source IP restriction complements authentication rather than replacing it.

Exam trap

A frequent exam trap is to believe that using SSH alone fully secures remote device access, leading to the mistaken idea that source IP restrictions and logging are redundant. This overlooks that SSH only encrypts the session and authenticates users but does not limit which hosts can connect or provide audit trails. Ignoring source IP filtering increases exposure to brute-force or credential compromise attacks from unauthorized IPs.

Similarly, neglecting logging removes visibility into who accessed the device and when, hindering incident response. The trap is confusing transport security with comprehensive access control and accountability.

Why the other options are wrong

B

SSH is more secure than Telnet, so this option incorrectly suggests it is less secure and requires compensation.

C

Logs record activity but do not automatically enforce ACL policy; enforcement is a separate function.

D

Source IP restriction limits allowed hosts but does not replace the need for user authentication.
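The layered management-plane controls this question describes, together with the SSH-only VTY change from question 863, as one added configuration example that is not from the question bank. The hostname and domain, the management subnet 10.0.0.0/24, the local account, the placeholder secret and the syslog collector address are assumptions.

```cisco
! Assumed: hostname R1, domain example.net, management subnet 10.0.0.0/24,
! local account "netadmin" (placeholder secret), syslog collector 10.0.0.50
hostname R1
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
username netadmin privilege 15 secret REPLACE-WITH-A-STRONG-SECRET
!
! Source restriction: only the management subnet may reach the VTY lines;
! every other attempt is refused and logged
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
! Protocol restriction: SSH only (Telnet is refused at the transport layer),
! applied to every VTY line the platform has
line vty 0 4
 transport input ssh
 access-class MGMT-HOSTS in
 login local
 exec-timeout 10 0
 logging synchronous
! (lines 5-15 exist on most routers; skip this block if 'line vty 5 15' is rejected)
line vty 5 15
 transport input ssh
 access-class MGMT-HOSTS in
 login local
 exec-timeout 10 0
!
! Accountability: log every login success and failure, throttle brute force,
! and ship the log off-box
login on-success log
login on-failure log
login block-for 120 attempts 3 within 60
logging host 10.0.0.50
logging trap informational
!
! Checks
show ip ssh
show line vty 0 4
show access-lists MGMT-HOSTS
show login
show users
```

Do this from the console, as in the question, and generate the RSA key before restricting the transport to SSH; otherwise the last Telnet session you are holding is the last remote session you get. The deny-with-log entry in the ACL and the login on-failure log command are what give you the audit trail the organization is asking for.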

878
PBQmedium

You are connected to the console of R1. The network uses IPv6 with EUI-64. R1's GigabitEthernet0/0 interface has MAC address 0011.2233.4455. You must configure the interface to generate an IPv6 link-local address using the 'ipv6 enable' command, and also assign a global unicast address 2001:db8:1::/64 using EUI-64. The interface is currently administratively down.

Network Topology
G0/0linkR1SW1

Hints

  • EUI-64 derives the interface ID from the MAC address.
  • The 'ipv6 enable' command generates a link-local address.
  • The interface must be administratively brought up.
A.R1(config-if)# ipv6 enable R1(config-if)# ipv6 address 2001:db8:1::/64 eui-64 R1(config-if)# no shutdown
B.R1(config-if)# ipv6 address fe80::/10 eui-64 R1(config-if)# ipv6 address 2001:db8:1::/64 eui-64 R1(config-if)# no shutdown
C.R1(config-if)# ipv6 address 2001:db8:1::/64 eui-64 R1(config-if)# no shutdown
D.R1(config-if)# ipv6 enable R1(config-if)# ipv6 address 2001:db8:1::1/64 R1(config-if)# no shutdown
AnswerA
solution
! R1
interface GigabitEthernet0/0
ipv6 enable
ipv6 address 2001:db8:1::/64 eui-64
no shutdown

Why this answer

The ipv6 enable command explicitly creates a link-local address as required by the scenario. The global unicast address with the eui-64 keyword automatically derives the interface ID from the MAC address: 0011.2233.4455 is split in half, ff:fe is inserted in the middle and the universal/local bit (bit 7 of the first byte) is flipped, so 00 becomes 02 and the interface ID is 0211:22ff:fe33:4455. show ipv6 interface GigabitEthernet0/0 should therefore list fe80::211:22ff:fe33:4455 and 2001:db8:1:0:211:22ff:fe33:4455. Option B is incorrect because it tries to configure a link-local address with eui-64, which is not a valid form of the command.

Option C omits the ipv6 enable command, failing the explicit requirement. Option D assigns a static host portion instead of using eui-64.

Exam trap

When the question specifically mandates the ipv6 enable command for link-local generation, do not omit it; simply configuring a global unicast address will also create a link-local address, but it does not meet the stated objective.

Why the other options are wrong

B

The eui-64 keyword cannot be combined with a link-local prefix; IOS derives the link-local address automatically, and the only way to set one by hand is a complete address with the link-local keyword (for example ipv6 address fe80::1 link-local).

C

This option does not include the required ipv6 enable command, so it does not satisfy the explicit scenario requirement.

D

Uses a static host address (::1/64) instead of the eui-64 keyword, so the interface ID will not be generated from the MAC address.

879
PBQhard

You are connected to R1 via the console. R1 is configured as an NTP client that should synchronize with the NTP server at 203.0.113.1. You need to verify that R1 is synchronizing correctly and also ensure that the system clock is updated. Additionally, configure R1 to act as an NTP server for downstream devices on the internal network 192.168.1.0/24.

Network Topology
G0/0192.168.1.1/24G0/110.0.0.1/30PCsInternalR1WANNTP server

Hints

  • Check if the NTP server is reachable and the clock is synchronized.
  • The 'master' command sets the stratum level for downstream clients.
  • Use broadcast on the internal interface to distribute time.
A.Use 'show ntp status' to verify synchronization, 'clock set' to update the system clock, and configure 'ntp master' and 'ntp broadcast' on the interface facing 192.168.1.0/24.
B.Use 'show ntp associations' to verify synchronization, 'clock update' to update the system clock, and configure 'ntp server' and 'ntp broadcast' on the interface facing 192.168.1.0/24.
C.Use 'show ntp status' to verify synchronization, 'clock set' to update the system clock, and configure 'ntp server' and 'ntp broadcast' on the interface facing 192.168.1.0/24.
D.Use 'show ntp associations' to verify synchronization, 'clock set' to update the system clock, and configure 'ntp master' and 'ntp broadcast' on the interface facing 192.168.1.0/24.
AnswerA
solution
! R1
ntp server 203.0.113.1
ntp master 4
interface GigabitEthernet0/0
ntp broadcast

Why this answer

The correct verification command is 'show ntp status' because it states explicitly whether the clock is synchronized and at which stratum. 'show ntp associations' lists the configured peers with their reachability and marks the selected source with an asterisk, which helps when diagnosing why synchronization fails, but it does not state the local clock's status. After NTP sync is established, the system clock is updated automatically; 'clock set' is a manual adjustment that NTP overwrites once it synchronizes, so it is only a stopgap before synchronization. 'clock update' is not a valid IOS command. To make R1 an NTP server for downstream devices, use the global command 'ntp master 4', not 'ntp server' (which makes the router a client); the stratum given to 'ntp master' is advertised only while R1 has no usable upstream source.

Then, on the interface facing 192.168.1.0/24 (G0/0), apply 'ntp broadcast' to send NTP broadcasts so clients can synchronize without polling. Option A correctly combines these steps while other options mix incorrect commands or verification methods.

Exam trap

Be careful to distinguish 'show ntp status' (synchronization state) from 'show ntp associations' (peer list); also remember that 'ntp master' is a global command, while 'ntp broadcast' is applied per interface.

Why the other options are wrong

B

Uses invalid 'clock update' command and incorrectly uses 'ntp server' instead of 'ntp master' to make R1 an NTP server for downstream.

C

Uses 'ntp server' instead of 'ntp master' to make R1 an NTP server; 'ntp server' configures R1 as a client, not a server.

D

Uses 'show ntp associations', which lists peers and marks the chosen one but does not state whether the local clock is synchronized; 'show ntp status' is needed for that.
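The client-plus-server role from this question, with the authentication and access control a production time source should have, and the timestamp side of question 870's NTP/syslog pairing, as one added configuration example that is not from the question bank. The key number and placeholder key string, the ACL numbers and the syslog collector address are assumptions.

```cisco
! Assumed: key 1 "NtpK3y-example" shared with the upstream server and internal
! clients, syslog collector 192.168.1.50, device clock kept in UTC
clock timezone UTC 0
!
! Accept time only from peers that sign with the trusted key
ntp authentication-key 1 md5 NtpK3y-example
ntp authenticate
ntp trusted-key 1
ntp server 203.0.113.1 key 1
! Fallback stratum, advertised only when the upstream is unreachable
ntp master 4
!
! Who may use R1 as a time source: the internal subnet may synchronize from it,
! the upstream server is a full peer, everyone else is ignored
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 11 permit host 203.0.113.1
ntp access-group serve-only 10
ntp access-group peer 11
!
! Authenticated broadcasts toward 192.168.1.0/24; clients need
! 'ntp broadcast client' (or simply 'ntp server 192.168.1.1 key 1')
interface GigabitEthernet0/0
 ntp broadcast key 1
!
! Timestamps that line up across devices in the central log
service timestamps log datetime msec localtime show-timezone year
logging host 192.168.1.50
logging trap informational
!
! Checks
show ntp status
show ntp associations
show ntp associations detail
show clock detail
```

show ntp status should read "Clock is synchronized, stratum 5" while 203.0.113.1 is reachable (one below the upstream, not the configured 4), and show clock detail should say the time source is NTP. Unauthenticated or unlisted hosts that query R1 get no answer, which is what keeps the router out of NTP amplification and clock-skew attacks on its log timestamps.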

880
Multi-Selectmedium

Which two statements accurately describe DNS and DHCP?

Select 2 answers
A.DNS resolves names to IP information, while DHCP dynamically assigns addressing information to clients.
B.DHCP is used primarily to translate private addresses into public addresses.
C.DNS can help users reach services by hostname instead of remembering numeric IP addresses.
D.DHCP replaces the need for subnet masks and default gateways.
E.DNS and DHCP are both Layer 1 technologies.
AnswersA, C

This is correct because it states the core job of each service accurately.

Why this answer

DNS and DHCP solve very different problems, even though both are common infrastructure services. DNS helps devices and users find systems by name. In simple terms, it means people can type a hostname rather than memorizing numeric IP addresses. DHCP automatically gives clients important IP settings such as an address, subnet mask, default gateway, and often DNS server information.

The trick in comparison questions is not to blend their roles together. DHCP does not perform NAT, and it does not eliminate the need for addressing details; it actually supplies them.

Exam trap

A frequent exam trap is confusing DHCP with NAT or assuming DHCP replaces the need for subnet masks and default gateways. Some candidates mistakenly believe DHCP translates private IP addresses to public ones, but this is the role of NAT, not DHCP. Additionally, DHCP does not remove the need for subnet masks or default gateways; instead, it provides these parameters automatically to clients.

Misunderstanding these distinctions can lead to incorrect answers, especially when questions ask about the functions of IP services. Carefully distinguishing DHCP’s role in dynamic addressing from NAT’s role in address translation is essential to avoid this trap.

Why the other options are wrong

B

DHCP does not translate private addresses to public; that is the function of NAT.

D

DHCP does not replace the need for subnet masks and default gateways; it actually provides them automatically.

E

DNS and DHCP operate at the Application Layer (Layer 7), not Layer 1.
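What DHCP actually hands out, and the server-side check for the APIPA symptom in question 867, as an added configuration example that is not from the question bank. The pool name, the excluded range, the gateway and DNS addresses and the lease time are assumptions.

```cisco
! Assumed: R1 serves 192.168.1.0/24, keeps .1-.20 for infrastructure,
! gateway 192.168.1.1, DNS 192.168.1.53, 8-hour leases
ip dhcp excluded-address 192.168.1.1 192.168.1.20
ip dhcp pool LAN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.168.1.53
 domain-name example.net
 lease 0 8
!
! Checks: a host stuck on 169.254.x.x never completed the Discover/Offer/
! Request/Ack exchange. If its MAC has no binding here while others do,
! the fault is between that host and this pool (cable, port, VLAN), not the server.
show ip dhcp binding
show ip dhcp pool LAN
show ip dhcp server statistics
show ip dhcp conflict
```

show ip dhcp pool LAN reports leased versus total addresses, which is the quick way to rule pool exhaustion in or out, and show ip dhcp conflict lists addresses the server withdrew because something else was already using them.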

881
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure and verify HSRP with priority and preemption on an interface.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
6Step 6

Why this order

First, enter interface configuration mode to start configuring the specific interface. Next, assign an IP address because HSRP requires a real IP on the interface for communication between HSRP routers. After that, define the HSRP group and virtual IP, which clients use as their default gateway.

Then set a higher priority to influence the active router election; priority must be configured before enabling preemption, as preemption relies on priority to determine when to take over. Finally, exit configuration mode and verify with show standby to confirm the HSRP state.
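The election and preemption rules the explanation above relies on, modelled in Python as an added example (written for this page, not Cisco code; the router names, addresses, and the rule that a router preempts only with a strictly higher priority are assumptions of the model). It shows why step 4 matters before step 5: a higher-priority router that joins a group with an existing active router does nothing until preemption is enabled.

```python
"""HSRP active-router election with priority and preemption.

Constructed model written for this page; it is not Cisco code and does not
talk to a device. Router names and addresses are made up. It reproduces the
rule the explanation above relies on: the highest priority becomes active
(highest interface IP breaks ties), but a higher-priority router only takes
over an already-active group when preemption is enabled on it.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass
class HsrpRouter:
    name: str
    ip: str                 # real interface IP, configured before the standby group
    priority: int = 100     # HSRP default priority
    preempt: bool = False   # HSRP default: preemption disabled


def election_key(r: HsrpRouter):
    """Ordering used by the election: priority first, interface IP as tiebreak."""
    return (r.priority, IPv4Address(r.ip))


def elect_active(routers: List[HsrpRouter]) -> HsrpRouter:
    """Fresh election (no active router yet, or the active router has failed)."""
    return max(routers, key=election_key)


def next_active(routers: List[HsrpRouter],
                current: Optional[HsrpRouter]) -> HsrpRouter:
    """Who is active after a membership or configuration change.

    Assumption in this model: a router preempts only when its priority is
    strictly higher than the current active router's and it has preempt set.
    """
    if current is None or current not in routers:
        return elect_active(routers)          # no active router: elect one
    best = elect_active(routers)
    if best is not current and best.priority > current.priority and best.preempt:
        return best                           # preemption takes over
    return current                            # otherwise the active router stays


def scenario() -> List[str]:
    """Trace the active router through the sequence the explanation implies."""
    r1 = HsrpRouter("R1", "10.0.0.2")
    r2 = HsrpRouter("R2", "10.0.0.3")
    group = [r1, r2]
    trace = []

    active = next_active(group, None)         # equal priority: higher IP wins -> R2
    trace.append(active.name)

    r3 = HsrpRouter("R3", "10.0.0.4", priority=150)   # priority set, preempt not yet
    group.append(r3)
    active = next_active(group, active)       # no preempt: R2 stays active
    trace.append(active.name)

    r3.preempt = True                         # equivalent of enabling preemption
    active = next_active(group, active)       # now R3 takes over
    trace.append(active.name)

    group.remove(r3)                          # R3 fails
    active = next_active(group, active)       # fresh election among survivors -> R2
    trace.append(active.name)
    return trace


if __name__ == "__main__":
    print(" -> ".join(scenario()))            # R2 -> R2 -> R3 -> R2
```

Running the script prints the trace R2 -> R2 -> R3 -> R2: R3 only becomes active once preemption is set, and when it later fails the survivors hold a fresh election.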

882
MCQ (hard)

An administrator connects a new access-layer switch to a distribution switch. The link comes up but remains in a blocking state and does not forward frames. The administrator issues the show command shown in the exhibit. What is the most likely reason the link is blocked?

A. BPDU Guard is enabled on the port, and the new switch's BPDUs caused the port to enter err-disable state.
B. Loop Guard is enabled, and the port has stopped receiving BPDUs, leading to a loop-inconsistent state.
C. Root Guard is configured on the port, and the new access switch is sending superior BPDUs, triggering a root-inconsistent state.
D. The port is configured with PortFast, and the new switch's BPDU triggered a loop, causing the port to err-disable.
Answer: C

Root Guard intentionally places a port into root-inconsistent (blocking) state when it receives a superior BPDU, preventing an unwanted switch from becoming the root bridge. The show spanning-tree inconsistentports output confirms a root-inconsistent condition.

Why this answer

The link is blocked because Root Guard is configured on the distribution switch port. When the new access-layer switch sends superior BPDUs (with a lower bridge priority), Root Guard transitions the port to a root-inconsistent (blocking) state to protect the current root bridge from being usurped. This prevents the new switch from becoming the root bridge, which would disrupt the spanning-tree topology.

Exam trap

Cisco often tests the distinction between err-disable states (BPDU Guard) and blocking states (Root Guard, Loop Guard), so the trap here is assuming any BPDU-related protection causes err-disable, when Root Guard specifically causes a blocking state without err-disable.

Why the other options are wrong

A

BPDU Guard results in err-disable, which is not reflected in the show spanning-tree inconsistentports output. The exhibit clearly shows Root Inconsistent, indicating Root Guard, not BPDU Guard.

B

Loop Guard creates a loop-inconsistent listing, not root-inconsistent. The command output explicitly indicates Root Inconsistent, ruling out Loop Guard.

D

Without BPDU Guard, PortFast does not react to BPDUs by blocking the port. The root-inconsistent state in the exhibit is specific to Root Guard, not PortFast or BPDU Guard.

883
MCQ (hard)

A router has routes to 192.168.0.0/16 and 192.168.50.0/24. Which route is used for traffic to 192.168.50.99?

A. 192.168.0.0/16
B. 192.168.50.0/24
C. The default route
D. Both routes equally
Answer: B

This is correct because it is the more specific route for the destination.

Why this answer

The 192.168.50.0/24 route is used because it is more specific. In practical terms, even though the /16 also matches, the router always prefers the route that describes the destination more narrowly. Since 192.168.50.99 falls inside the /24, longest-prefix match chooses that entry.

This is a basic but essential routing rule. The broader /16 still matters for other destinations in 192.168.0.0/16, but not for this one.

Exam trap

Remember that routers prefer the most specific route, not the broadest. Always look for the longest prefix match.

Why the other options are wrong

A

The route 192.168.0.0/16 is less specific (larger subnet) than the matching /24 route. In longest prefix match routing, the more specific route (192.168.50.0/24) is always preferred for the destination 192.168.50.99.

C

A default route (0.0.0.0/0) is only used when no more specific route matches the destination. Since both 192.168.0.0/16 and 192.168.50.0/24 match 192.168.50.99, the default route is not considered.

D

Routers do not load balance between routes of different prefix lengths for the same destination. The longest prefix match rule selects a single best route. Both routes are not used equally; the /24 route is chosen.

884
MCQ (medium)

After a switch replacement, users in VLAN 30 cannot reach devices in other VLANs. The replacement switch has a trunk link to the distribution switch that shows as up/up. What is the most likely cause?

A. The native VLAN must be changed to 30
B. VLAN 30 is not permitted on the trunk link
C. The uplink should be configured as an access port
D. STP must be disabled on VLAN 30
Answer: B

The trunk allowed list does not include VLAN 30.

Why this answer

The trunk is up, but VLAN 30 is not allowed on it. Traffic from that VLAN never crosses the uplink, so inter-VLAN reachability fails for users in VLAN 30 even though the local access ports may still look fine.

Exam trap

Ensure you distinguish between management settings and VLAN configuration. Focus on trunk settings when inter-VLAN issues arise.

Why the other options are wrong

A

Changing the native VLAN to 30 would not resolve the issue because the native VLAN is used for untagged traffic on a trunk, and the problem is that VLAN 30 traffic is not being allowed at all. Additionally, native VLAN mismatch can cause connectivity issues, but it does not specifically prevent only VLAN 30 from reaching other VLANs.

C

Configuring the uplink as an access port would place it in a single VLAN, preventing traffic from multiple VLANs (including VLAN 30) from traversing the link. Since the switch needs to carry traffic for multiple VLANs, the uplink must remain a trunk port.

D

Disabling STP on VLAN 30 would be dangerous as it could cause bridging loops and network instability. Moreover, STP does not control whether a VLAN is allowed on a trunk; it only prevents loops. The issue is a missing VLAN in the trunk allowed list, not a spanning-tree problem.

885
Matching (medium)

Match each automation or API term to its most accurate role.

Descriptions to match:

Centralized management or policy platform

Defined software interface used for communication

Secure transport commonly used for the interaction

Structured data format carried in API messages

Why these pairings

These pairings correctly associate each automation/API term with its primary role.

Exam trap

Do not confuse the configuration languages of Puppet (manifests) and Chef (recipes). Also, remember that YAML is a data format, not an automation tool. Webhooks are for notifications, not traffic management.

886
Matching (medium)

Match each troubleshooting command focus to what it most directly helps verify.

Pairings:

show ip route: routing-table contents
show ip ospf neighbor: OSPF adjacency status
show interfaces trunk: trunk forwarding and allowed VLAN status
show etherchannel summary: EtherChannel bundle status

Why these pairings

'show ip route' directly displays the routing table, allowing verification of known routes and next-hop paths. 'show ip ospf neighbor' shows OSPF neighbor relationships and their states, confirming adjacency formation. 'show interfaces trunk' reveals trunk status, encapsulation, and allowed VLANs on a trunk link. 'show etherchannel summary' lists all EtherChannel bundles, their member ports, and the bundle's operational status. Each command targets a distinct verification area: routing table contents, OSPF neighbor adjacencies, trunk forwarding details, and EtherChannel bundle status.

Exam trap

Do not confuse commands that test connectivity or show interface status with those that display the routing table. 'show ip route' is the only command that directly shows routing table entries.

887
MCQ (hard)

Based on the exhibit, which configuration should be added to restore DHCP service for clients in VLAN 30?

A. ip helper-address 10.99.99.20 under interface Vlan30
B. switchport mode trunk under interface Vlan30
C. ip default-gateway 10.99.99.20 under interface Vlan30
D. spanning-tree portfast under interface Vlan30
Answer: A

This is correct because the VLAN 30 SVI must relay DHCP requests toward the remote server.

Why this answer

The correct fix is to add an IP helper address pointing to the remote DHCP server on the Layer 3 interface for VLAN 30. In practical terms, the clients are sending DHCP discovery as a broadcast, and the server is on another subnet. The SVI for VLAN 30 is the local gateway that must relay those requests toward the server.

This is one of the most exam-realistic campus troubleshooting scenarios because it tests both subnet boundaries and the role of the local gateway interface.

Exam trap

A common exam trap is confusing the ip helper-address command with ip default-gateway or Layer 2 commands like switchport mode trunk. Candidates might incorrectly apply switchport commands to an SVI, which is a Layer 3 interface, or think setting ip default-gateway will relay DHCP requests. These mistakes cause DHCP broadcasts to fail reaching the remote server, leading to no IP address assignment for clients.

Understanding that ip helper-address is the DHCP relay mechanism on Layer 3 interfaces is critical to avoid this trap.

Why the other options are wrong

B

Incorrect. The command switchport mode trunk is a Layer 2 switchport configuration and cannot be applied to an SVI, which is a Layer 3 interface. This does not affect DHCP relay.

C

Incorrect. The ip default-gateway command sets the default gateway for management traffic on a Layer 2 device and does not relay DHCP broadcasts. It does not restore DHCP service for clients.

D

Incorrect. The spanning-tree portfast command is used on physical Layer 2 switchports to speed up port transitions and has no effect on DHCP relay or SVIs.

888
MCQ (hard)

Refer to the exhibit. A network administrator is troubleshooting why not all OSPF neighbors are fully adjacent on a multi-access broadcast segment. After issuing the show ip ospf neighbor command on R1, the output is displayed. What is the most likely cause of the 2WAY/DROTHER state for neighbor 172.16.1.1?

A. The neighbor is a DROther and a full adjacency with another DROther is not required; adjacency is formed only with the DR and BDR.
B. The OSPF hello and dead timers are mismatched between R1 and neighbor 172.16.1.1.
C. The network type is configured as point-to-point on one side and broadcast on the other, causing a DR/BDR election failure.
D. The neighbor's router ID 172.16.1.1 is not reachable, preventing the completion of the adjacency process.
Answer: A

The exhibit shows neighbor 172.16.1.1 in state 2WAY/DROTHER. In a broadcast multi-access OSPF network, DROthers exchange hellos and reach 2-Way state with each other but stop at that stage, establishing full adjacency only with the DR and BDR. This is standard OSPF behavior and the most likely reason for the state.

Why this answer

The output shows neighbor 172.16.1.1 in state 2WAY/DROTHER. On a broadcast multi-access network (indicated by the presence of DR and BDR roles), OSPF routers that are not the DR or BDR become DROthers. DROthers reach the 2-Way state with one another but do not form full adjacencies; full adjacency is established only with the DR and BDR.

Therefore, the 2WAY state is normal and expected for two DROthers. The output explicitly displays the neighbor role as DROTHER, confirming this interpretation.

Exam trap

Candidates often misinterpret 2WAY as a fault. The most common wrong choice is option B (timer mismatch) because they assume any non-FULL state indicates a parameter mismatch, but 2WAY is a correct operational state for DROthers on a broadcast network.

Why the other options are wrong

B

Candidates mistakenly think any non-FULL state implies a timer mismatch, overlooking that timer issues prevent even reaching 2WAY.

C

Some candidates assume any DR/BDR-related issue indicates a network type mismatch, but the exhibit clearly shows successful DR/BDR formation, ruling out this option.

D

Candidates may confuse LSA reachability with neighbor adjacency requirements. The 2WAY state proves basic connectivity is intact.

889
MCQ (medium)

A switch administrator enters the following commands on interface GigabitEthernet1/0/10:

interface g1/0/10
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
 spanning-tree bpduguard enable

A user connects a small managed switch to this port, and the access port immediately changes to an err-disabled state. Which feature caused the port to shut down?

A. PortFast
B. BPDU Guard
C. Access VLAN 30 assignment
D. The interface being in access mode
Answer: B

BPDU Guard is correct because it is specifically designed to shut down an edge port that should not receive BPDUs. In plain terms, the switch sees evidence that another switch was attached and decides to protect the topology by disabling the port instead of allowing a possible loop or unexpected spanning-tree participation.

Why this answer

BPDU Guard is the feature that caused the shutdown. This question is really about separating two features that are often configured together on user-facing ports: PortFast and BPDU Guard. PortFast helps an edge port come up quickly, which is useful for PCs and phones.

BPDU Guard adds protection by watching for BPDUs on that same port. If a switch is connected where only an end device should exist, the newly connected switch may send BPDUs. The local switch interprets that as a topology risk and disables the port to protect the Layer 2 network.

The clues are the err-disabled state and the fact that another switch was connected. VLAN assignment and access mode are normal here and do not explain the shutdown.

Exam trap

Remember that BPDU Guard, not PortFast, causes a port to shut down when BPDUs are received. PortFast only affects port transition speed.

Why the other options are wrong

A

PortFast is a feature that allows a port to transition immediately to the forwarding state, bypassing the usual spanning-tree listening and learning phases. It does not cause a port to shut down or enter an err-disabled state; it only speeds up convergence for end-user devices.

C

Assigning an access VLAN (VLAN 30) simply places the port into a specific broadcast domain for user traffic. It has no mechanism to detect or react to BPDUs, and it does not cause a port to enter an err-disabled state. The port would remain operational regardless of the VLAN assignment.

D

Configuring a port as an access port is a standard practice for connecting end devices. It does not inherently cause any shutdown or err-disabled condition. The port remains up and forwarding traffic unless another feature, such as BPDU Guard, triggers a protective action.

890
MCQ (hard)

A network engineer configures a static route: ip route 192.168.10.0 255.255.255.0 10.1.1.2. The next hop 10.1.1.2 is reachable via OSPF. Later, the engineer notices that the route to 192.168.10.0/24 has disappeared from the routing table. What is the most likely cause?

A. The OSPF route to 10.1.1.0/30 has been lost, making the next-hop address 10.1.1.2 unresolvable.
B. The static route has a higher administrative distance than OSPF, so OSPF's route to 192.168.10.0/24 replaced it.
C. The static route uses a next-hop IP address that is not directly connected, which is unsupported on this platform.
D. A routing loop caused by recursive lookups has suppressed the static route to prevent loops.
Answer: A

A recursive static route requires a next-hop that is resolvable via an existing route. Without the OSPF route to the subnet containing 10.1.1.2, the router cannot reach the next hop and removes the static route from the routing table.

Why this answer

A recursive static route uses a next-hop IP address; the router must have a route that resolves that next hop. If the OSPF route to the 10.1.1.0/30 network is lost, the next-hop 10.1.1.2 becomes unreachable, and the static route is withdrawn from the routing table. None of the other explanations account for the route disappearance given the scenario.

Exam trap

The tempting distractor is option B, which claims that the static route has a higher administrative distance than OSPF, so OSPF's route is used instead. It is tempting because many candidates believe that a static route is removed when a better route exists, but in reality the static route remains in the table (inactive) if its next hop is still reachable. The prompt states the route disappeared, not that it was overridden.

Why the other options are wrong

B

This option reflects the belief that a static route is removed from the routing table when a better route exists, rather than understanding that it remains but is inactive. By default a static route also has a lower administrative distance (1) than OSPF (110), so OSPF would not replace it in the first place.

C

This option assumes that a static route's next hop must be directly attached, ignoring that recursive routing via another routing protocol or static route is allowed.

D

This option assumes that recursive static routes are subject to loop suppression, rather than understanding that the route is simply withdrawn when the next hop is no longer reachable.
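The two routing-table rules tested in questions 883 and 890, longest-prefix match and recursive next-hop resolution, modelled in Python as an added example (written for this page, not Cisco IOS code; the addresses, route sources and the fixed-point resolution loop are this model's own assumptions). It shows that the /24 beats the /16 for 192.168.50.99 regardless of route source, and that the static route to 192.168.10.0/24 is present only while some other installed route covers its next hop 10.1.1.2.

```python
"""Longest-prefix match and recursive next-hop resolution.

Constructed model of an IPv4 routing table written for this page; not Cisco
IOS code. Addresses and route sources are made up. It shows the two rules
behind questions 883 and 890: the most specific matching prefix wins
regardless of route source, and a static route whose next hop cannot be
resolved by another installed route is withdrawn from the table.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# IOS default administrative distances for the sources used here
DEFAULT_AD = {"connected": 0, "static": 1, "ospf": 110}


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    source: str
    next_hop: Optional[str] = None   # None: connected route (no resolution needed)
    admin_distance: int = 0


def route(prefix: str, source: str, next_hop: Optional[str] = None,
          admin_distance: Optional[int] = None) -> Route:
    """Build a Route, using the IOS default AD for the source unless overridden."""
    ad = DEFAULT_AD[source] if admin_distance is None else admin_distance
    return Route(IPv4Network(prefix), source, next_hop, ad)


def longest_prefix_match(table: List[Route], dest: str) -> Optional[Route]:
    """Most specific route covering dest; AD only breaks ties between equal prefix lengths."""
    addr = IPv4Address(dest)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.admin_distance))


def install(configured: List[Route]) -> List[Route]:
    """Return the routes that actually make it into the routing table.

    Connected routes are always installed. A route with a next hop is installed
    only once that next hop resolves via some other installed route; iterate
    to a fixed point so a static route can resolve through an OSPF route that
    itself resolves through a connected one.
    """
    installed = [r for r in configured if r.next_hop is None]
    changed = True
    while changed:
        changed = False
        for r in configured:
            if r.next_hop is None or r in installed:
                continue
            others = [o for o in installed if o != r]
            if longest_prefix_match(others, r.next_hop) is not None:
                installed.append(r)
                changed = True
    return installed


def question_883() -> str:
    """Destination 192.168.50.99 with a /16 and a /24 in the table: the /24 wins."""
    table = install([
        route("10.0.0.0/30", "connected"),
        route("192.168.0.0/16", "ospf", "10.0.0.2"),
        route("192.168.50.0/24", "static", "10.0.0.2"),
        route("0.0.0.0/0", "static", "10.0.0.2"),
    ])
    return str(longest_prefix_match(table, "192.168.50.99").prefix)


def question_890(ospf_route_present: bool) -> bool:
    """Is the static route 192.168.10.0/24 via 10.1.1.2 installed? Only while 10.1.1.2 resolves."""
    configured = [
        route("10.0.0.0/30", "connected"),
        route("192.168.10.0/24", "static", "10.1.1.2"),
    ]
    if ospf_route_present:
        configured.append(route("10.1.1.0/30", "ospf", "10.0.0.2"))
    return any(r.source == "static" and str(r.prefix) == "192.168.10.0/24"
               for r in install(configured))


if __name__ == "__main__":
    print(question_883())           # 192.168.50.0/24
    print(question_890(True))       # True
    print(question_890(False))      # False
```

Removing the OSPF route to 10.1.1.0/30 and re-running install() is exactly the failure in question 890: nothing else covers 10.1.1.2, so the static route never makes it into the installed table.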

891
Multi-Select (medium)

Which two statements accurately describe the value of named administrative accounts?

Select 2 answers
A. They improve accountability by tying actions to specific individuals.
B. They improve traceability during audits or incident reviews.
C. They replace the need for authorization controls.
D. They can be used only with Telnet and not SSH.
E. They exist only for wireless guest administration.
Answers: A, B

This is correct because named identities make it easier to attribute actions accurately.

Why this answer

Named administrative accounts are valuable because they tie actions to individual identities and make access review more meaningful. In practical terms, when multiple people share one generic admin account, accountability becomes weaker. Named identities improve traceability and support auditing, investigations, and operational review.

This is a core secure-administration concept and a good reasoning item rather than just a memorization exercise.

Exam trap

Beware of confusing named accounts with other security measures like password policies or role-based access control.

Why the other options are wrong

C

Named accounts provide identification and authentication, but authorization (what actions an account can perform) is a separate control typically enforced via privilege levels, role-based access control (RBAC), or command authorization (e.g., using TACACS+). Replacing authorization with identity alone would violate the principle of least privilege.

D

Named accounts are protocol-agnostic and work with any management protocol, including SSH, HTTPS, and SNMPv3. Telnet is insecure and rarely used in modern networks; named accounts are actually more important with secure protocols to maintain accountability without compromising security.

E

Named administrative accounts are used across all network device administration, including routers, switches, firewalls, and wireless controllers. Wireless guest administration typically uses separate guest accounts or captive portal authentication, not administrative accounts.

892
MCQ (hard)

Refer to the exhibit. A network engineer is troubleshooting a connectivity issue on R1. The serial link to R2 on interface Serial0/1 is using HDLC encapsulation, and the physical cable has been verified as good. The engineer has confirmed that the encapsulation type matches on both routers and that the clock rate is correctly configured on the DCE end. Based on the output, what is the most likely cause of the line protocol down state on Serial0/1?

A. The encapsulation type is mismatched between R1 and R2.
B. The clock rate has not been configured on the DCE end of the serial link.
C. The IP address configured on Serial0/1 conflicts with another interface.
D. The keepalive packets are not being received, causing the protocol to stay down.
Answer: D

With encapsulation and clocking confirmed, the up/down state on a serial link running HDLC points to a keepalive failure—the router is not receiving keepalive messages from the other end.

Why this answer

The exhibit shows Serial0/1 with status 'up' and protocol 'down' (up/down). This indicates Layer 1 is operational but the Layer 2 Data Link layer is not. Since the engineer already verified that encapsulation (HDLC) matches on both ends and the clock rate is correctly set, the only remaining common cause for a serial interface in up/down state is a keepalive failure.

HDLC sends periodic keepalive messages across the link; if they are not received, the line protocol remains down.

Exam trap

Candidates often see 'up/down' on a serial interface and immediately diagnose an encapsulation mismatch or a clocking issue. However, the scenario explicitly states that encapsulation is matched and clocking is correct, so the trap is choosing encapsulation mismatch anyway; test-takers who overlook this detail select option A.

Why the other options are wrong

A

Candidates might fixate on the up/down status and assume encapsulation mismatch without considering the explicitly stated troubleshooting steps.

B

Students often associate up/down with missing clock rate, but the question precludes this by confirming correct configuration.

C

Some learners confuse Layer 3 problems (IP issues) with the line protocol status that reflects Layer 2 health.

893
Drag & Drop (medium)

Drag and drop the following steps into the recommended order (best practice) to configure IPv4 and IPv6 static routes, a default route, and a floating static route with higher AD as a backup for the default route, then verify with show ip route and show ipv6 route.

Correct order:

1. Configure the IPv4 and IPv6 static routes to the specific networks.
2. Configure the IPv4 and IPv6 default routes.
3. Configure the floating static route with a higher AD (for example 200) as a backup for the default route.
4. Verify with show ip route and show ipv6 route.

Why this order

The recommended best-practice order is to configure specific static routes first, then the default route, and finally the floating static route with a higher AD (e.g., 200) so it acts as a backup for the default route. Verification using show ip route and show ipv6 route confirms the routing table. Options that place the default route before specific routes or the floating route before the default are still operational but may cause temporary routing issues or violate the typical progression from specific to general.

Exam trap

The exam trap is that candidates may confuse the order of configuration, especially placing the default route or floating static route before specific static routes. Remember: specific routes first, then default, then backup (floating) with higher AD.

894
MCQ (hard)

A collector is not receiving flow records from a branch router. Based on the exhibit, what is the most likely issue?

A. The export destination port 2055 is invalid for flow export.
B. The exporter source interface does not match what the collector expects.
C. NetFlow can run only on serial interfaces.
D. The router must use TCP instead of UDP to export flows.
Answer: B

Exports are sourced from Loopback0 instead of the accepted 10.99.99.2 address.

Why this answer

The exporter is configured to send records out the wrong interface. NetFlow exports must use a source interface that has a valid path to the collector and typically matches the interface the collector expects. The collector IP itself is correct in the example, but the source interface selection is wrong.

Exam trap

A common exam trap is to focus on the export destination port or protocol when flow records are not received. Since UDP port 2055 is the default and valid port for NetFlow exports, candidates might incorrectly assume the port is wrong. Another trap is thinking NetFlow only works on serial interfaces, leading to confusion when Ethernet interfaces are used.

The real issue often lies in the source interface configuration, where the router exports flow records from an interface IP address that the collector does not expect or trust, causing the collector to drop the data silently.

Why the other options are wrong

A

Option A is incorrect because UDP port 2055 is the standard and valid port for NetFlow exports. Changing the port is possible but not necessary if the collector is configured to listen on 2055, so the port is unlikely the issue.

C

Option C is incorrect because NetFlow can run on various interface types, including Ethernet and serial. Limiting NetFlow to serial interfaces is a misconception and does not explain why the collector is not receiving data.

D

Option D is incorrect because NetFlow exports use UDP, not TCP. Changing the transport protocol to TCP is not supported for NetFlow exports and would not resolve the issue of missing flow records.

895
MCQ (medium)

A router advertises its LAN network into OSPF, but no OSPF Hellos should be sent toward end-user devices on that LAN. Which configuration approach solves this cleanly?

A. Use ip ospf cost 65535 on the LAN interface
B. Configure the LAN interface as a passive interface in OSPF
C. Disable OSPF globally and redistribute connected routes
D. Convert the LAN interface to a loopback
Answer: B

Passive interface stops Hellos while still advertising the subnet.

Why this answer

A passive interface advertises the connected subnet into OSPF without sending or processing Hellos on that interface. That is exactly what you want for user-facing LANs with no OSPF neighbors.

Exam trap

A frequent exam trap is selecting the option to increase the OSPF cost on the LAN interface to prevent Hello packets. While adjusting the cost changes the metric used for route selection, it does not stop the router from sending or receiving OSPF Hellos. Another common mistake is to disable OSPF globally and redistribute connected routes, which is unnecessarily complex and does not address the problem of suppressing Hellos on a specific interface.

Additionally, converting the LAN interface to a loopback is irrelevant because loopbacks are logical interfaces used for router IDs and testing, not for controlling OSPF Hello behavior on physical LAN interfaces.

Why the other options are wrong

A

Using 'ip ospf cost 65535' on the LAN interface only changes the OSPF metric for that interface. It does not prevent the router from sending or receiving OSPF Hello packets, so neighbor adjacencies can still form, which is not the desired behavior.

C

Disabling OSPF globally and redistributing connected routes is an overly complex and unnecessary approach. It does not selectively stop Hello packets on the LAN interface and can introduce routing complexity and instability.

D

Converting the LAN interface to a loopback interface changes the interface type entirely and is not a standard or practical solution for suppressing OSPF Hellos on a LAN. Loopbacks are logical interfaces used for router IDs and testing, not for controlling OSPF Hello behavior.

896
Matching (medium)

Match each route source or route type to its most accurate description.

Pairings:

Connected route: present because the network is directly attached
Static route: manually configured route
OSPF route: learned dynamically through the routing protocol
Floating static route: backup static route with higher administrative distance

Why these pairings

Connected routes are automatically added when an interface is active and has an IP address configured; static routes are manually entered by an administrator; OSPF routes are dynamically learned through the OSPF link-state routing protocol; floating static routes are static routes configured with a higher administrative distance than the primary route, serving as a backup.

Exam trap

The exam often tests the automatic nature of connected routes. Do not confuse them with static or dynamic routes. Remember that connected routes appear only when the interface is up/up.

897
MCQ (medium)

Which OSPF network type on Ethernet performs a DR and BDR election by default?

A. Point-to-point
B. Broadcast
C. Point-to-multipoint nonbroadcast
D. Loopback
Answer: B

Correct. Ethernet defaults to the broadcast network type.

Why this answer

Broadcast multiaccess networks such as Ethernet elect a DR and BDR by default.

Exam trap

A frequent exam trap is selecting point-to-point or point-to-multipoint nonbroadcast as the network type that performs DR/BDR elections. Candidates often assume any multi-router link requires DR/BDR, but OSPF only elects DR/BDR on broadcast and NBMA networks. Point-to-point links connect exactly two routers and do not need DR/BDR, while point-to-multipoint nonbroadcast requires manual neighbor configuration and does not elect DR/BDR by default.

Misunderstanding these distinctions leads to incorrect answers. Remember, Ethernet interfaces default to broadcast network type, which triggers DR/BDR elections automatically.

Why the other options are wrong

A

Point-to-point links connect only two routers directly and do not require or perform DR/BDR elections because there is no need to reduce flooding on a single link. Selecting this option is incorrect for Ethernet interfaces that default to broadcast.

C

Point-to-multipoint nonbroadcast network type requires manual neighbor configuration and does not perform DR/BDR elections by default. This does not match the default behavior of Ethernet interfaces.

D

Loopback interfaces are virtual interfaces used for router identification and do not participate in OSPF DR/BDR elections because they are not multiaccess networks.

898
Multi-Select (medium)

Which two statements accurately describe why NetFlow is useful for operations teams?

Select 2 answers
A. It helps identify which conversations or applications contribute to link utilization.
B. It can provide more detail than simple interface counters alone.
C. It replaces the need for all routing protocols.
D. It is the main wireless encryption protocol for guest access.
E. It eliminates the usefulness of Syslog.
Answers: A, B

This is correct because NetFlow provides flow-level visibility.

Why this answer

NetFlow is useful because it helps teams move beyond simple interface utilization and see which traffic conversations are responsible for usage. In practical terms, it can reveal which hosts, protocols, or applications are contributing to the traffic profile, making it valuable for troubleshooting, capacity planning, and security investigations. Option E is incorrect because NetFlow does not eliminate the usefulness of Syslog; Syslog provides device event logging while NetFlow provides traffic flow data, and both tools complement each other in network operations.

Exam trap

A frequent exam trap is mistaking NetFlow for a routing protocol, a security mechanism, or a replacement for Syslog.

Why the other options are wrong

C

Option C is incorrect because NetFlow does not replace routing protocols; it is a monitoring technology that provides visibility into traffic flows but does not perform routing functions or influence path selection.

D

Option D is incorrect as NetFlow is unrelated to wireless encryption protocols. Wireless encryption standards like WPA2 or WPA3 handle security, whereas NetFlow focuses on traffic flow monitoring.

E

Option E is incorrect because NetFlow does not eliminate the usefulness of Syslog. Syslog provides event logging and system messages, which complement NetFlow’s traffic flow data for comprehensive network monitoring.

899
MCQ (hard)

An administrator sees high interface utilization through SNMP graphs but wants to identify which conversations are responsible. Which addition best closes that visibility gap?

A. NetFlow
B. Another DHCP scope
C. A new STP priority
D. A larger OSPF metric
Answer: A

This is correct because NetFlow adds detailed visibility into traffic conversations behind utilization.

Why this answer

NetFlow provides conversation-level visibility into which hosts and applications are consuming bandwidth, closing the gap left by SNMP's interface totals. A new DHCP scope assigns IP addresses but offers no traffic insight. An STP priority manages loop-free topology and does not affect monitoring.

A larger OSPF metric influences routing path selection, not traffic analysis.

Exam trap

Avoid assuming all network monitoring tools provide the same level of detail. Understand the specific capabilities of each tool.

Why the other options are wrong

B

A DHCP scope handles address assignment and has no role in traffic conversation visibility.

C

An STP priority manages spanning-tree topology and does not provide bandwidth usage details.

D

A larger OSPF metric affects routing path selection but does not reveal which conversations are using bandwidth.
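As an added example (not part of the question bank), the Python script below shows the visibility gap this question describes: an SNMP-style interface counter yields one total, while NetFlow-style aggregation of the same packets by 5-tuple reveals which conversations account for it. The packet records, addresses and function names are constructed assumptions, not output from any real exporter.

```python
"""NetFlow-style flow aggregation (added example, constructed data)."""
from collections import defaultdict

# Constructed sample packets: (src_ip, dst_ip, proto, src_port, dst_port, bytes)
PACKETS = [
    ("10.1.1.20", "172.16.5.9", "tcp", 51000, 443, 1400),
    ("172.16.5.9", "10.1.1.20", "tcp", 443, 51000, 60),
    ("10.1.1.20", "172.16.5.9", "tcp", 51000, 443, 1400),
    ("10.1.1.20", "172.16.5.9", "tcp", 51000, 443, 1400),
    ("10.1.1.31", "192.168.10.4", "udp", 40000, 53, 80),
    ("192.168.10.4", "10.1.1.31", "udp", 53, 40000, 120),
    ("10.1.1.45", "172.16.5.9", "tcp", 52200, 22, 300),
    ("172.16.5.9", "10.1.1.45", "tcp", 22, 52200, 300),
]

def interface_total_bytes(packets):
    """What an SNMP interface counter reports: one number, no conversations."""
    return sum(p[5] for p in packets)

def aggregate_flows(packets):
    """Group packets into unidirectional flows keyed by the NetFlow 5-tuple."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, dst, proto, sport, dport, size in packets:
        key = (src, dst, proto, sport, dport)
        flows[key]["packets"] += 1
        flows[key]["bytes"] += size
    return dict(flows)

def conversations(flows):
    """Merge both directions of a flow into one conversation, so the report
    answers 'which hosts are talking' rather than 'which direction'."""
    conv = defaultdict(int)
    for (src, dst, proto, sport, dport), stats in flows.items():
        # Sort the endpoints so A->B and B->A share one key.
        a, b = sorted([(src, sport), (dst, dport)])
        conv[(a, b, proto)] += stats["bytes"]
    return dict(conv)

def top_conversations(packets, n=3):
    """Return the n busiest conversations as (key, bytes), largest first."""
    conv = conversations(aggregate_flows(packets))
    return sorted(conv.items(), key=lambda kv: kv[1], reverse=True)[:n]

if __name__ == "__main__":
    print("interface total bytes:", interface_total_bytes(PACKETS))
    for key, size in top_conversations(PACKETS):
        print(size, key)
```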

900
Multi-Select · medium

Which TWO statements correctly describe the configuration and verification of EtherChannel with LACP?

Select 2 answers
A. LACP uses the 'active' and 'passive' modes to negotiate an EtherChannel.
B. The 'show etherchannel summary' command displays the channel group number, port-channel interface, member ports, and their status.
C. LACP uses the 'auto' and 'desirable' modes to negotiate an EtherChannel.
D. The 'show etherchannel summary' command shows the LACP system priority for each channel.
E. An EtherChannel can be formed only if all member ports use the same LACP mode.
Answers: A, B

LACP defines two modes: 'active' (initiates negotiation) and 'passive' (responds to negotiation). At least one side must be active for the channel to form.

Why this answer

Option A is correct because LACP (IEEE 802.3ad) uses 'active' and 'passive' modes to negotiate an EtherChannel. Option B is correct because the 'show etherchannel summary' command displays the channel group number, port-channel interface, member ports, and their status flags (e.g., P for in port-channel, S for suspended). Option C is incorrect because 'auto' and 'desirable' are PAgP modes, not LACP modes.

Option D is incorrect because 'show etherchannel summary' does not show LACP system priority; that is displayed with 'show lacp sys-id' or 'show etherchannel detail'. Option E is incorrect because an EtherChannel can be formed with mismatched LACP modes as long as at least one side is 'active'; for example, 'active' + 'passive' works.

Exam trap

Cisco often tests the distinction between LACP modes ('active'/'passive') and PAgP modes ('auto'/'desirable'), and candidates frequently confuse which protocol uses which set of modes.

Why the other options are wrong

C

LACP does not use 'auto' and 'desirable' modes; those are PAgP modes.

D

The 'show etherchannel summary' command does not display LACP system priority; that is shown via 'show lacp sys-id' or 'show etherchannel detail'.

E

An EtherChannel can be formed even if member ports use different LACP modes (e.g., active and passive), as long as at least one side is active.
