CCNA 200-301 v2 (200-301) — Questions 901975

1819 questions total · 25pages · All types, answers revealed

Page 12

Page 13 of 25

Page 14
901
MCQhard

A network engineer connects a new switch to an existing Rapid PVST+ campus network. The new switch is intended to serve as an additional access-layer switch, but after connecting its uplinks, the engineer discovers that the root bridge for VLAN 10 has changed to this new switch, and several access ports on other switches with PortFast and BPDU Guard enabled are now in err-disabled state. Some users report intermittent connectivity loss.

A.The new switch was connected to a port configured as a trunk with a native VLAN mismatch.
B.The new switch’s bridge priority is lower than the existing root bridge, and it was connected to a port with BPDU Guard enabled.
C.The new switch has PortFast enabled on its uplinks.
D.The BPDU Guard feature was globally enabled on all ports, including trunk ports.
AnswerB

A lower bridge priority causes the new switch to become the root for VLAN 10. Plugging it into a BPDU Guard-enabled port (which is normally an edge port with PortFast) results in the port receiving BPDUs and going err-disabled. This perfectly explains both symptoms.

Why this answer

The new switch's bridge priority is lower (numerically smaller) than the existing root bridge, so it becomes the new root for VLAN 10. When it sends superior BPDUs out its uplinks, the neighboring switch's access ports with PortFast and BPDU Guard enabled receive these BPDUs, triggering err-disable state on those ports, causing connectivity loss.

Exam trap

Cisco often tests the misconception that BPDU Guard only applies to access ports or that it prevents root bridge changes, when in fact it reacts to any BPDU received on a PortFast port, regardless of the BPDU's source or priority.

Why the other options are wrong

A

Attributing the issue to a native VLAN mismatch overlooks the root election change and the BPDU Guard-triggered err-disable state.

C

This answer ignores the root election shift and the BPDU Guard events; PortFast misconfiguration alone would not cause these symptoms.

D

This fails to account for the selective err-disable of only access ports and the concurrent root bridge change, which points to a targeted misconfiguration rather than a blanket global setting.

902
MCQmedium

Why is a default route useful on a small branch router connected to a single upstream provider?

A.It provides a simple next hop for unknown destinations toward the upstream connection.
B.It makes every route more specific.
C.It replaces the need for any interface addressing.
D.It forces all users into one VLAN.
AnswerA

This is correct because that is the classic role of a default route at the branch edge.

Why this answer

A default route is useful because it gives the branch a simple fallback next hop for destinations the router does not know specifically. In practical terms, the branch router does not need a full table of every external destination if all unknown traffic should go upstream. That keeps the design simple and efficient.

This is one of the most practical default-route use cases in small or edge networks.

Exam trap

A frequent exam trap is assuming that a default route makes every route more specific or that it replaces the need for interface addressing. Some candidates mistakenly believe the default route refines routing granularity, but it actually represents the least specific route, catching all unknown destinations. Others incorrectly think default routes eliminate the need for IP addresses on interfaces, which is false because interfaces must always have valid IP configurations for routing to function.

Misunderstanding these points can lead to incorrect answers about routing behavior and network design.

Why the other options are wrong

B

Incorrect because a default route is the least specific route and does not make routes more specific; it serves as a catch-all for unknown destinations.

C

Incorrect because interface addressing is mandatory for routing to function properly; a default route does not replace the need for IP addresses on interfaces.

D

Incorrect because default routes influence packet forwarding decisions and have no impact on VLAN assignments, which are Layer 2 configurations.

903
MCQhard

A network technician is troubleshooting connectivity between two directly connected Cisco switches. Hosts on VLAN 10 connected to SwitchA cannot ping the default gateway on SwitchB. The interface on SwitchB shows up/up, but the interface on SwitchA shows up/down. The technician examines the interface configuration and status on SwitchA. What is the most likely cause of this issue?

A.Replace the Ethernet cable because it is faulty.
B.Configure both interfaces with the same duplex and speed settings, either both auto or both manually set to full-duplex and 1000 Mbps.
C.Issue the 'shutdown' and 'no shutdown' commands on the interface to recover from err-disabled state.
D.Check the VLAN configuration on SwitchA because the interface is administratively down.
AnswerB

The line protocol being down with up/up on the remote suggests a duplex mismatch, which can occur when one side is manually set and the other is auto-negotiating. Setting both sides consistently resolves the issue.

Why this answer

The interface on SwitchA shows up/down, meaning Layer 1 is active but the line protocol is down. This is commonly caused by a speed mismatch between the two ends. A duplex mismatch, in contrast, typically results in both interfaces showing up/up with CRC errors.

Therefore, the most likely cause is that the speed settings differ—for example, one interface is set to auto-negotiate while the other is hard-coded to a specific speed. Configuring both interfaces with identical speed and duplex settings, either both auto or both manually configured, resolves the issue.

Exam trap

The trap is that up/down is often misinterpreted as a faulty cable or an err-disabled state, but it actually points to a speed mismatch or auto-negotiation failure, not a duplex mismatch.

Why the other options are wrong

A

The interface status shows 'up, line protocol is down', which indicates a Layer 2 issue, not a physical cable fault. Additionally, no CRC, runts, giants, or collisions are reported, so the cable is likely not faulty.

C

The interface status is 'up, line protocol is down', not 'err-disabled'. The err-disabled state would show 'err-disabled' in the interface status, and a shutdown/no shutdown would be appropriate only for err-disabled recovery.

D

The interface status is 'up', not 'administratively down'. An administratively down interface would show 'administratively down, line protocol is down'. VLAN configuration issues typically cause the interface to be up/up but unable to forward traffic, not up/down.

904
PBQmedium

You are connected to the console of R1. The network administrator reports that hosts on VLAN 10 cannot ping the default gateway (192.168.10.1). R1's GigabitEthernet0/1 is connected to a switch with trunk port allowing VLAN 10 and 20. The interface configuration on R1 appears correct, but the VLAN 10 interface is not operational.

Network Topology
G0/1 .1trunkR1SW1

Hints

  • Check the status of the subinterface.
  • Verify that the physical interface is not administratively down.
  • Confirm that the encapsulation command is correct.
A.The physical interface GigabitEthernet0/1 was administratively down.
B.The VLAN 10 subinterface was configured with the wrong encapsulation dot1q VLAN ID.
C.The switch port connected to R1 was not configured as a trunk.
D.The VLAN 10 subinterface was missing the 'no shutdown' command.
AnswerA
solution
! R1
interface GigabitEthernet0/1
no shutdown
interface GigabitEthernet0/1.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0

Why this answer

The GigabitEthernet0/1 interface was administratively down (missing 'no shutdown' in the initial config). Although the subinterface had 'no shutdown', the physical interface must also be up. Bringing up the physical interface resolved the issue.

Exam trap

Do not assume that subinterfaces can be independently brought up; always check the physical interface state first. A common trap is to focus on subinterface configuration while ignoring the parent interface.

Why the other options are wrong

B

The specific factual error is that the subinterface would still show as up/up (though traffic would not be forwarded) if the encapsulation were wrong; the problem is the physical interface being down.

C

The specific factual error is that the switch trunk configuration is given as correct; the problem is on the router side, not the switch.

D

The specific factual error is that subinterfaces do not have an independent administrative state; they rely on the physical interface being up.

905
Drag & Dropmedium

Drag and drop the following steps into the correct order to replace a faulty SFP on a Cisco switch and verify the fiber link.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The correct order is to physically replace the SFP first because installing the new module before connecting the cable prevents potential damage to the connector or fiber from inserting the cable into an empty port. After the SFP is seated, you connect the cable to establish the physical link. Finally, you verify the link status and check for errors (using commands like show interface) to confirm the replacement was successful and the link is operational.

Wrong orders either verify before the change (making the verification meaningless) or connect the cable before installing the SFP, which can damage the equipment.

Exam trap

Candidates often confuse the order of operations when replacing hardware. Remember: always install the hardware first, then connect cables, and finally verify. Do not verify before the change is complete.

906
PBQmedium

You are connected to R1 via console. R1's GigabitEthernet0/0 (203.0.113.1/30) connects to the internet, and GigabitEthernet0/1 (192.168.1.1/24) connects to the internal LAN. The internal LAN hosts need to access the internet using PAT (overload) with the public IP 203.0.113.1 assigned to GigabitEthernet0/0. An internal web server at 192.168.1.100 must be accessible from the internet via static NAT to 203.0.113.5. Your task is to configure NAT/PAT on R1.

Network Topology
G0/010.0.0.1/30G0/010.0.0.1/30G0/1192.168.1.1/24linkG0/1192.168.1.1/24InternetR1Internal LAN

Hints

  • First define which internal addresses should be translated using an access list.
  • Use a NAT pool with a single IP for PAT overload.
  • Apply the nat inside and outside commands on the correct interfaces.
A.ip access-list standard NAT_ACL permit 192.168.1.0 0.0.0.255 ip nat pool PUBLIC 203.0.113.1 203.0.113.1 netmask 255.255.255.252 ip nat inside source list NAT_ACL pool PUBLIC overload ip nat inside source static tcp 192.168.1.100 80 203.0.113.5 80 extendable interface GigabitEthernet0/0 ip nat outside interface GigabitEthernet0/1 ip nat inside
B.ip access-list standard NAT_ACL permit 192.168.1.0 0.0.0.255 ip nat inside source list NAT_ACL interface GigabitEthernet0/0 overload ip nat inside source static tcp 192.168.1.100 80 203.0.113.5 80 extendable interface GigabitEthernet0/0 ip nat outside interface GigabitEthernet0/1 ip nat inside
C.ip access-list standard NAT_ACL permit 192.168.1.0 0.0.0.255 ip nat pool PUBLIC 203.0.113.1 203.0.113.1 netmask 255.255.255.252 ip nat inside source list NAT_ACL pool PUBLIC ip nat inside source static tcp 192.168.1.100 80 203.0.113.5 80 extendable interface GigabitEthernet0/0 ip nat outside interface GigabitEthernet0/1 ip nat inside
D.ip access-list standard NAT_ACL permit 192.168.1.0 0.0.0.255 ip nat pool PUBLIC 203.0.113.1 203.0.113.1 netmask 255.255.255.252 ip nat inside source list NAT_ACL pool PUBLIC overload ip nat inside source static tcp 192.168.1.100 80 203.0.113.5 80 extendable interface GigabitEthernet0/0 ip nat inside interface GigabitEthernet0/1 ip nat outside
AnswerA
solution
! R1
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat pool PUBLIC 203.0.113.1 203.0.113.1 netmask 255.255.255.252
ip nat inside source list 1 pool PUBLIC overload
ip nat inside source static tcp 192.168.1.100 80 203.0.113.5 80
interface GigabitEthernet0/0
ip nat outside
interface GigabitEthernet0/1
ip nat inside

Why this answer

The access list selects the internal LAN traffic. The NAT pool uses the single public IP for overload. The static NAT translates the internal web server's HTTP traffic to a second public IP.

The interface commands mark inside and outside for NAT processing.

Exam trap

Pay close attention to the specific public IP address requirement. Using 'ip nat inside source list ... interface ... overload' uses the interface's IP, which may not be the exact IP specified. Also, remember that 'overload' is required for PAT, and inside/outside must be correctly assigned.

Why the other options are wrong

B

The command 'ip nat inside source list ... interface ... overload' uses the interface's IP address for translation, not the pool address 203.0.113.1. The requirement specifies using the public IP 203.0.113.1, which is assigned to the interface but may not be the interface's primary IP if multiple IPs are configured.

C

Without 'overload', the router will attempt to allocate a unique public IP for each internal session, but the pool has only one IP, so only one translation can exist at a time. PAT (overload) is required to allow multiple internal hosts to share the single public IP.

D

The 'ip nat inside' command should be on the LAN interface (GigabitEthernet0/1) and 'ip nat outside' on the internet-facing interface (GigabitEthernet0/0). Reversing them causes NAT to fail because the router does not know which traffic is internal.

907
PBQmedium

You are connected to R1 via the console. R1 and R2 are configured with EIGRP AS 100. R1 has two paths to the 172.16.1.0/24 network: one via a FastEthernet link to R2 (bandwidth 100 Mbps, delay 100 microseconds) and another via a serial link to R2 (bandwidth 1.544 Mbps, delay 20000 microseconds). The EIGRP metric is calculated using the default K-values. The FastEthernet link is preferred, but you need to make the serial link the backup by adjusting the administrative distance.

Network Topology
Fa0/0 10.0.0.1/30Fa0/0 10.0.0.2/30R1R2

Hints

  • The default administrative distance for EIGRP is 90 for internal routes.
  • Use an administrative distance value greater than 90 to make the static route less preferred.
  • The command uses 'ip route' with an AD value at the end.
A.Configure a static route to 172.16.1.0/24 with next-hop 10.0.0.6 and administrative distance 170.
B.Configure a static route to 172.16.1.0/24 with next-hop 10.0.0.6 and administrative distance 90.
C.Configure a static route to 172.16.1.0/24 with next-hop 10.0.0.6 and administrative distance 1.
D.Configure a static route to 172.16.1.0/24 with next-hop 10.0.0.6 and administrative distance 255.
AnswerA
solution
! R1
ip route 172.16.1.0 255.255.255.0 10.0.0.6 170

Why this answer

A floating static route is configured with an administrative distance of 170, which is higher than EIGRP's default distance of 90. This ensures that the static route is only used when the EIGRP route is not available. The static route points to the next-hop IP address of R2's serial interface.

Exam trap

Remember that a floating static route must have an administrative distance higher than the dynamic protocol's AD. EIGRP's default AD is 90, so choose an AD like 170. Avoid using AD 255, as it means the route is not installed.

Why the other options are wrong

B

The specific factual error is that an AD of 90 does not make the static route less preferred than EIGRP; it creates equal preference.

C

The specific factual error is that a lower AD makes the route more preferred, so the static route would override EIGRP.

D

The specific factual error is that AD 255 means the route is not trusted and is effectively ignored.

908
MCQhard

A host is configured as 192.168.50.130/25. Which address is the broadcast address for its subnet?

A.192.168.50.127
B.192.168.50.128
C.192.168.50.255
D.192.168.50.254
AnswerC

This is correct because the upper /25 block runs through .255, which is the broadcast address.

Why this answer

A /25 divides the /24 into two blocks: 0–127 and 128–255. In plain language, because the host ends in 130, it belongs to the upper half, which starts at 128 and ends at 255. The last address in that block is the broadcast address, so the broadcast is 192.168.50.255.

This is a classic subnetting pattern because it tests whether you can identify not just the subnet, but also the reserved last address in that subnet.

Exam trap

A frequent exam trap is mistaking the network address or a high usable host address for the broadcast address. Candidates often select 192.168.50.128, confusing it as the broadcast because it is the start of the upper subnet, or 192.168.50.254, assuming it is the broadcast since it is near the subnet's end. The trap lies in not recognizing that the broadcast address is always the highest address in the subnet, which in this case is 192.168.50.255.

Misidentifying these addresses leads to incorrect subnet calculations and can cause network communication failures in real scenarios.

Why the other options are wrong

A

192.168.50.127 is the broadcast address for the lower /25 subnet (192.168.50.0/25), not the subnet containing 192.168.50.130. Since the host IP is in the upper subnet, this option is incorrect.

B

192.168.50.128 is the network address of the upper /25 subnet (192.168.50.128/25), not the broadcast address. Network addresses cannot be assigned to hosts or used as broadcast addresses, so this option is incorrect.

D

192.168.50.254 is a valid usable host address within the upper /25 subnet. It is not the broadcast address, so this option is incorrect.

909
Matchingmedium

Drag and drop the OSI layer names on the left to the correct PDU names on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Segment

Packet

Frame

Bits

Data

Why these pairings

OSI layers and their PDUs: Physical=bits, Data Link=frames, Network=packets, Transport=segments, Session=data (or upper layer data).

Exam trap

A common trap is confusing the PDU names between layers, especially mixing up frames and packets or segments and packets. Remember the order: bits (Layer 1), frames (Layer 2), packets (Layer 3), segments (Layer 4).

910
MCQmedium

A network engineer queries a REST API and receives data in JSON format. Which statement about JSON is correct?

A.JSON is a transport protocol that replaces HTTPS
B.JSON stores data as key-value pairs and arrays
C.JSON can be used only with Cisco DNA Center
D.JSON requires XML tags around each object
AnswerB

That is the core structure used in JSON.

Why this answer

JSON is a lightweight data-interchange format that represents data as key-value pairs and arrays. Option A is incorrect because JSON is not a transport protocol; it is a data format exchanged over HTTPS. Option C is incorrect because JSON is platform-agnostic and used by many APIs, not limited to Cisco DNA Center.

Option D is incorrect because JSON uses a flexible syntax with colons and brackets, not XML tags.

Exam trap

Avoid confusing JSON with binary formats or assuming it requires a schema like XML.

Why the other options are wrong

A

JSON is a lightweight data-interchange format, not a transport protocol. HTTPS is a secure version of HTTP used for communication, and JSON does not replace it; instead, JSON data is often transmitted over HTTPS.

C

JSON is a platform-independent data format used by many APIs and services, not just Cisco DNA Center. It is supported by virtually all programming languages and is a standard for web APIs across different vendors.

D

JSON does not use XML tags; it uses a syntax of curly braces, colons, and commas to define objects and arrays. XML uses angle brackets for tags, which is a different markup language.

911
Matchingmedium

Match each REST-style method to the most common intent.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Retrieve information

Create or submit data

Update or replace a resource

Remove a resource

Why these pairings

RESTful methods map to CRUD operations: GET retrieves, POST creates, PUT replaces, PATCH partially updates, DELETE removes, and OPTIONS returns allowed methods.

Exam trap

The exam tests your understanding of the specific intent of each HTTP method. Common traps include confusing GET with POST for creation, or PUT with PATCH for updates. Remember: GET is read-only, POST creates, PUT replaces, PATCH modifies partially.

912
Multi-Selectmedium

Which two statements accurately describe WPA2 and WPA3 in wireless security?

Select 2 answers
A.Both are wireless security standards used to help protect WLAN access and traffic.
B.WPA3 is the newer standard relative to WPA2.
C.Both are names for specific 802.11 radio frequencies.
D.WPA2 and WPA3 are types of trunk ports.
E.WPA3 eliminates the need for SSIDs.
AnswersA, B

This is correct because WPA2 and WPA3 are both WLAN security standards.

Why this answer

WPA2 and WPA3 are wireless security standards used to protect WLAN access and traffic. In practical terms, both are associated with securing wireless communication, but WPA3 is generally positioned as the newer standard with security improvements over WPA2. The key idea at CCNA level is recognizing them as WLAN security standards rather than confusing them with SSIDs, controllers, or radio bands.

You do not need deep protocol internals here. You need the role and relative positioning right.

Exam trap

Avoid assuming WPA3 is limited to specific frequency bands or that WPA2 offers superior security features.

Why the other options are wrong

C

WPA2 and WPA3 are security protocols, not radio frequencies. 802.11 radio frequencies refer to bands like 2.4 GHz and 5 GHz, which are unrelated to security standards.

D

Trunk ports are a concept in switched networks for carrying multiple VLANs, typically using 802.1Q tagging. WPA2 and WPA3 have nothing to do with switch port configuration.

E

WPA3 does not eliminate the need for SSIDs; SSIDs are still required to identify and differentiate wireless networks. WPA3 focuses on authentication and encryption, not network identification.

913
PBQhard

You are connected to R1. The network uses a router-on-a-stick design with a single switch (SW1) and two VLANs (10 and 20). Currently, hosts in VLAN 10 cannot ping hosts in VLAN 20, and the trunk between R1 and SW1 shows a native VLAN mismatch. Examine the provided configuration and output, then apply the necessary corrections to R1 so that inter-VLAN routing works correctly.

Hints

  • Check the native VLAN on the trunk — it might not match the switch.
  • Examine each subinterface's encapsulation — one may have the wrong VLAN ID.
  • Is IP routing enabled? The router needs to forward between VLANs.
A.Change the native VLAN on R1's trunk interface to 99, correct the encapsulation on G0/0.20 to dot1Q 20, and enable IP routing globally.
B.Change the native VLAN on R1's trunk interface to 99, correct the encapsulation on G0/0.20 to dot1Q 20, but do not enable IP routing because it is enabled by default.
C.Change the native VLAN on R1's trunk interface to 1, correct the encapsulation on G0/0.20 to dot1Q 20, and enable IP routing globally.
D.Change the native VLAN on R1's trunk interface to 99, correct the encapsulation on G0/0.10 to dot1Q 10, and enable IP routing globally.
AnswerA
solution
! R1
interface GigabitEthernet0/0
switchport trunk native vlan 99
exit
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
exit
ip routing

Why this answer

The configuration has three issues: 1) The native VLAN on the trunk is VLAN 1, but the switch expects VLAN 99 (common mismatch scenario). 2) Subinterface G0/0.20 uses encapsulation dot1Q 10 instead of 20, causing VLAN 20 traffic to be mis-tagged. 3) The 'ip routing' command is missing globally, so R1 cannot route between subinterfaces. To fix, configure the main interface G0/0 with 'encapsulation dot1Q 99 native' to set the native VLAN to 99, correct the encapsulation on G0/0.20 to 'dot1Q 20', and enable IP routing with 'ip routing'.

Exam trap

Candidates often forget to enable 'ip routing' globally, assuming it is on by default. They may also overlook the native VLAN mismatch or incorrectly use a Layer 2 switchport command instead of 'encapsulation dot1Q 99 native' on the router interface.

Why the other options are wrong

B

The specific factual error is that IP routing is not enabled by default; it requires the 'ip routing' global command.

C

The specific factual error is that the native VLAN must match on both sides; changing R1's native VLAN to 1 does not match the switch's native VLAN 99.

D

The specific factual error is that the subinterface G0/0.20 is associated with VLAN 20, so its encapsulation must be dot1Q 20, not 10.

914
PBQhard

You are connected to R1. Configure NTP client so that R1 synchronizes with the NTP server at 198.51.100.10, using its Loopback0 (10.0.0.1/32) as the source interface. Also configure syslog to send messages of severity 5 (notifications) and above to 192.0.2.20. The current configuration shows a misconfigured NTP server address and an incorrect logging trap level. Verify with 'show ntp status' (stratum should not be 16) and 'show logging'.

Hints

  • Check the NTP server address in running-config — it might point to a wrong IP.
  • Verify that the source interface for NTP is configured; otherwise R1 may use an unreachable interface.
  • The logging trap level is set too high (debugging) — change it to notifications (level 5) to filter out lower severity messages.
A.ntp server 198.51.100.10 source Loopback0 logging trap notifications
B.ntp server 198.51.100.10 source Loopback0 logging trap 4
C.ntp server 198.51.100.10 logging trap notifications
D.ntp server 203.0.113.5 source Loopback0 logging trap 7
AnswerA
solution
! R1
configure terminal
no ntp server 203.0.113.5
ntp server 198.51.100.10
ntp source Loopback0
no logging trap debugging
logging trap notifications
end
write memory

Why this answer

The misconfigured NTP server address (203.0.113.5) and the debug-level logging trap (7) must be corrected to meet requirements. The correct commands are 'ntp server 198.51.100.10 source Loopback0' to use the specified server and Loopback0 as source, and 'logging trap notifications' (severity 5) to send only notifications and more severe messages. Option B is wrong because 'logging trap 4' sets the trap level to warning, which would not forward notifications.

Option C misses the source interface, and Option D uses the wrong NTP server and an overly verbose trap level.

Exam trap

Candidates often confuse the numeric severity levels with the keyword equivalents for logging trap. Also, they may forget to specify the source interface for NTP, assuming the router will use the loopback automatically. Always verify that the NTP source interface is explicitly configured when required.

Why the other options are wrong

B

logging trap 4 sets the severity to warning (4), so it does not include notifications (5).

C

The missing source interface causes NTP to use an incorrect source address, likely resulting in unsynchronized status.

D

The NTP server address is incorrect and 'logging trap 7' sends all debug messages instead of limiting to notifications and above.

915
Matchingmedium

Match each term to the question it most directly answers.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Who are you?

What are you allowed to do?

What happened during the session?

Can the service or data be used when needed?

Why these pairings

Authentication verifies a user's identity, answering 'Who are you?'. Authorization defines what an authenticated user is permitted to do, answering 'What are you allowed to do?'. Accounting records the actions and resources used during a session, answering 'What happened during the session?'.

Availability ensures that services and data are accessible when required, answering 'Can the service or data be used when needed?'.

Exam trap

Learners often confuse authentication with authorization. Authentication proves identity, while authorization defines what that identity is permitted to do.

916
MCQhard

A router has an OSPF-learned route to a destination prefix and also a directly connected route to a broader supernet that includes that destination. The OSPF route is more specific. Which route is used for the destination?

A.The more specific OSPF route
B.The directly connected broader route
C.Both routes equally
D.Neither route can be used because the sources differ
AnswerA

This is correct because the most specific matching prefix is preferred first.

Why this answer

The more specific OSPF route is used. In practical terms, route specificity is checked before broader route-source considerations when the prefixes are different. Even though the connected route is a directly attached source and often strongly trusted, it still loses if it is less specific than another matching route.

This is a subtle route-selection question because it combines source type and specificity. The key is that longest-prefix match comes first.

Exam trap

A common exam trap is assuming that directly connected routes always take precedence over OSPF routes because they have a lower administrative distance. Candidates may incorrectly select the broader directly connected route, forgetting that routers first apply longest prefix match before considering administrative distance. This leads to the mistaken belief that a less specific connected route overrides a more specific OSPF route.

The trap is confusing route source preference with prefix specificity, which can cause incorrect answers on routing questions involving multiple route sources.

Why the other options are wrong

B

This option is incorrect because a directly connected route, even though it has a lower administrative distance, does not override a more specific OSPF route due to prefix length precedence.

C

This option is incorrect because routers do not use multiple routes equally when one route is a more specific match; only the best matching route is used for forwarding.

D

This option is incorrect because routers can compare and select routes from different sources; differing sources do not prevent route usage if one route is the best match.

917
Matchingmedium

Match each network-assurance item to its most accurate role.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Centralized event and message reporting

Monitoring and management data exchange

Traffic-flow visibility

Clock synchronization for reliable timelines

Why these pairings

Syslog provides a centralized mechanism for collecting and storing event logs and system messages from network devices, making it ideal for event and message reporting. SNMP allows network management systems to query devices and receive traps, enabling monitoring and management data exchange. NetFlow captures traffic flow details such as source, destination, and volume, offering visibility into how traffic moves through the network.

NTP synchronizes device clocks to a reference source, ensuring accurate timestamps in logs and flow data for reliable correlation and troubleshooting.

Exam trap

Do not confuse uptime with time-based performance metrics like latency or jitter. Uptime is strictly about operational continuity, not packet timing.

918
Multi-Selectmedium

Which two tasks are strong candidates for network automation? (Choose two.)

Select 2 answers
A.Polling many devices for interface status on a schedule
B.Replacing a failed power supply in a branch switch
C.Pushing a standard NTP configuration to many routers
D.Tracing one cable through a crowded rack by hand
E.Listening for fan noise in a wiring closet
AnswersA, C

Correct. Scheduled state collection is a strong automation use case.

Why this answer

Automation works best for repetitive, rule-based tasks such as gathering state information or pushing standard configuration changes across many devices.

Exam trap

Avoid assuming that all network tasks can be automated. Focus on repetitive and rule-based tasks.

Why the other options are wrong

B

Replacing a failed power supply is a physical hardware task that requires hands-on intervention, not a software-based or configuration task that network automation tools can perform.

D

Tracing a cable by hand is a physical, manual task that cannot be automated with network automation tools, which focus on software-based configuration and monitoring.

E

Listening for fan noise is a physical inspection task that relies on human senses and cannot be performed by network automation software, which deals with digital data and configurations.

919
MCQeasy

Users can reach a server by IP address but not by hostname. Which service should be checked first?

A.NTP
B.DNS
C.QoS
D.HSRP
AnswerB

Correct. This symptom strongly suggests a DNS issue.

Why this answer

If the server is reachable by IP but not by name, the likely issue is name resolution, which points to DNS.

Exam trap

A common exam trap is selecting NTP, QoS, or HSRP as the cause when users cannot reach a server by hostname. NTP synchronizes time and does not affect name resolution. QoS prioritizes traffic but does not translate hostnames to IP addresses.

HSRP provides gateway redundancy and does not influence DNS functionality. Choosing any of these distractors wastes time and leads to incorrect troubleshooting. The key is to recognize that hostname resolution depends solely on DNS, so DNS must be the first service checked when IP connectivity exists but hostname access fails.

Why the other options are wrong

A

NTP (Network Time Protocol) is responsible for synchronizing clocks across devices but does not handle hostname resolution or IP address translation, so it cannot cause hostname access failures.

C

QoS (Quality of Service) manages traffic prioritization and bandwidth allocation but does not perform any function related to hostname resolution or IP address translation.

D

HSRP (Hot Standby Router Protocol) provides gateway redundancy and failover but does not influence DNS or the ability to resolve hostnames to IP addresses.

920
MCQmedium

Why is a default route often described as a route of last resort?

A.Because it is used only when no more specific route matches.
B.Because it always has the lowest bandwidth.
C.Because it is more specific than any other route.
D.Because it can be learned only through OSPF.
AnswerA

This is correct because the default route is the fallback choice.

Why this answer

It is described that way because it is used only when no more specific route matches the destination. In practical terms, the router checks for connected, static, or dynamic routes that describe the destination more precisely. If it finds none, the default route becomes the fallback path.

This phrase captures the default route’s purpose exactly. It is not the fastest route or the most specific route. It is simply the catch-all route for otherwise unknown destinations.

Exam trap

A frequent exam trap is assuming the default route is the most specific or fastest route, or that it is exclusively learned through OSPF. Candidates may confuse the default route with routes learned dynamically or with specific metrics. The default route is actually the least specific route, matching all destinations not covered by other entries.

Misunderstanding this can lead to incorrect answers about routing behavior and protocol dependencies, especially since default routes can be configured statically or learned via multiple protocols, not just OSPF.

Why the other options are wrong

B

This option is incorrect because bandwidth does not determine whether a route is a default route. Default routes are about specificity and fallback behavior, not link speed or bandwidth.

C

This option is incorrect because the default route is the least specific route, not more specific than others. It matches all destinations not covered by other routes, so it cannot be more specific.

D

This option is incorrect because default routes can be learned through various routing protocols such as OSPF, EIGRP, or configured statically. It is not exclusive to OSPF.

921
MCQhard

A network engineer notices that a newly connected switch-to-switch link is up, but traffic from multiple VLANs is not passing. When issuing the show interfaces trunk command, no trunk ports are listed. Both switch ports are configured with switchport mode dynamic auto. What is the most likely cause?

A.There is a native VLAN mismatch between the two switches.
B.The connecting cable is a straight-through Ethernet cable rather than a crossover cable.
C.One switch lacks a VLAN that exists on the other switch.
D.Both ports are set to dynamic auto, so neither switch initiates DTP negotiation.
AnswerD

In dynamic auto mode, a switch port passively waits for DTP negotiation requests. When both ends are dynamic auto, no side initiates the negotiation, so the ports default to access mode. This perfectly matches the symptom: the link is up, but no trunk appears under show interfaces trunk, and multi-VLAN traffic is not passing.

Why this answer

When both ends of a link are set to switchport mode dynamic auto, neither switch will initiate DTP negotiation. Dynamic auto responds only to DTP requests; it never sends them. Therefore, no DTP messages are exchanged, and both ports silently remain in access mode.

This explains why the link is up and passing traffic only for the access VLAN, and no trunk ports appear in the output. Other issues (native VLAN mismatch, straight-through cable, missing VLANs) do not prevent trunk formation—they affect operational behavior or management reporting but would still show a trunk interface if DTP negotiation succeeded.

Exam trap

Many candidates incorrectly believe a native VLAN mismatch prevents trunk formation because they confuse DTP negotiation failure with CDP/STP native VLAN mismatch errors. In reality, DTP does not check native VLAN compatibility; a trunk will still form and then generate log messages about the mismatch.

Why the other options are wrong

A

Confusing DTP trunk negotiation with the operational consequences of a native VLAN mismatch.

B

Assuming that a crossover cable is mandatory for switch-to-switch connections, ignoring auto-MDIX.

C

Mistaking the ability to forward traffic for a specific VLAN with the ability to negotiate a trunk.

922
PBQhard

You are connected to R1. The network has three routers: R1, R2, and R3. R1's G0/0 is connected to R2's G0/0, and R1's G0/1 is connected to R3's G0/1. The goal is to configure R1 so that it can ping both R2 (192.0.2.2/30) and R3 (2001:db8:1::2/64). Currently, R1 cannot ping R2 due to a wrong subnet mask on R1's G0/0, and R3 is using an IPv6 EUI-64 address but R1 has been given a static IPv6 address that conflicts. Fix both issues and verify connectivity.

Hints

  • Check the subnet mask on G0/0; it should be /30, not /24.
  • R3 uses EUI-64; to avoid duplicate address, R1 should also use EUI-64 on G0/1.
  • After changing the mask, verify the interface is still up and the route is correct.
A.On G0/0, change the subnet mask to 255.255.255.252; on G0/1, remove the static IPv6 address and configure an EUI-64 address.
B.On G0/0, change the IP address to 192.0.2.2/30; on G0/1, change the IPv6 address to 2001:db8:1::2/64.
C.On G0/0, change the subnet mask to 255.255.255.0; on G0/1, change the IPv6 address to 2001:db8:1::1/64 with EUI-64.
D.On G0/0, change the IP address to 192.0.2.2/30; on G0/1, remove the static IPv6 address and configure an EUI-64 address.
AnswerA
solution
! R1
interface GigabitEthernet0/0
ip address 192.0.2.1 255.255.255.252
exit
interface GigabitEthernet0/1
no ipv6 address 2001:db8:1::1/64
ipv6 address 2001:db8:1::/64 eui-64
end

Why this answer

The problem has two issues. First, R1's G0/0 has IP 192.0.2.1 but its subnet mask is incorrectly set to 255.255.255.0 (/24) instead of the required 255.255.255.252 (/30) that matches R2's /30. This mask mismatch causes R1 to misclassify the subnet, preventing successful ping to R2.

The fix is to change the mask to 255.255.255.252. Second, R1's G0/1 is configured with a static IPv6 address 2001:db8:1::1/64, but R3 uses EUI-64 and generates its address as 2001:db8:1::2. This duplicate address risk breaks communication.

The correct solution is to remove the static IPv6 address and enable EUI-64 on G0/1, allowing R1 to derive a unique address from the prefix. Options B and D incorrectly change R1's IPv4 address to 192.0.2.2, which duplicates R2's address. Option B also sets a static IPv6 address of ::2, duplicating R3's address.

Option C changes the mask to /24, which would temporarily allow communication but violates the intended point-to-point /30 design and does not adopt best practices; it also incorrectly applies a static IPv6 address with EUI-64, which is unnecessary and could still conflict.

Exam trap

Trap: Candidates often confuse IP address conflicts with subnet mask mismatches. Here, the mask on G0/0 is wrong, not the IP. For IPv6, they may think any static address works, but EUI-64 is needed to avoid duplication when the neighbor uses it.

Always verify subnet masks match on point-to-point links and use EUI-64 when the neighbor does.

Why the other options are wrong

B

The specific factual error: 192.0.2.2 is already used by R2, causing an IP conflict; static assignment on G0/1 does not guarantee uniqueness.

C

The specific factual error: /24 mask is too large and does not match the /30 subnet; EUI-64 cannot be applied alongside a static address—it replaces the interface ID.

D

The specific factual error: 192.0.2.2 is already assigned to R2, so R1 cannot use it; the correct fix is to adjust the mask, not the IP.

923
MCQhard

Two switches, SW1 and SW2, are connected via a trunk link. Hosts in VLAN 50 on SW1 cannot communicate with hosts in VLAN 50 on SW2, while hosts in other VLANs communicate normally. What is the most likely cause?

A.VLAN 50 is not allowed on the trunk from SW1.
B.The native VLAN must be changed to 50 on both switches.
C.The trunk must be changed to an access port.
D.The switches must run PPP on the uplink.
AnswerA

This is correct because VLAN 50 is missing from the allowed list on SW1.

Why this answer

The strongest explanation is that VLAN 50 is missing from the allowed VLAN list on one side of the trunk. In practical terms, the trunk is up and carrying other VLANs, so the problem is selective rather than total. When one VLAN is omitted from the allowed list, only that VLAN fails while others continue to work normally.

This is a high-value switching troubleshooting pattern because it rewards careful reading of operational output rather than generic trunk theory.

Exam trap

Be careful to distinguish between total trunk failures and selective VLAN issues. Check the allowed VLAN list on trunk links when only one VLAN is affected.

Why the other options are wrong

B

The native VLAN is used for untagged traffic on a trunk and does not affect the forwarding of tagged frames for other VLANs. Changing the native VLAN to 50 would not resolve the issue because VLAN 50 frames are still tagged and require inclusion in the allowed VLAN list.

C

An access port can only carry a single VLAN, so changing the trunk to an access port would prevent the link from carrying multiple VLANs, including VLAN 50. The link is intended to carry multiple VLANs, so a trunk is required.

D

PPP (Point-to-Point Protocol) is a WAN protocol used on serial links, not on Ethernet trunks. Ethernet trunks use 802.1Q or ISL encapsulation, and PPP has no relevance to VLAN trunking issues.

924
PBQhard

You have console access to both R1 and R2. Configure OSPFv2 on both routers to establish a single-area adjacency in area 0. The link between R1 and R2 uses 10.0.0.0/30. Currently, OSPF is not configured on either router. After configuration, verify the adjacency forms and routes are exchanged.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/3010.0.0.0/30R1R2

Hints

  • Use 'router ospf <process-id>' to enter OSPF configuration mode.
  • The network statement uses a wildcard mask, not a subnet mask. For a /30, use 0.0.0.3.
  • Remember to set a router-id; it can be any IP address, but must be unique per router.
A.Configure 'router ospf 1' on R1 and R2, set router-id, and use 'network 10.0.0.0 0.0.0.3 area 0' on both routers.
B.Configure 'router ospf 1' on R1 only, and use 'network 10.0.0.0 0.0.0.3 area 0' on R1; R2 does not need OSPF configuration because it will learn routes via the directly connected interface.
C.Configure 'router ospf 1' on both routers, set router-id, and use 'network 10.0.0.0 255.255.255.252 area 0' on both routers.
D.Configure 'router ospf 1' on both routers, set router-id, and use 'network 10.0.0.0 0.0.0.0 area 0' on both routers.
AnswerA
solution
! R1
configure terminal
router ospf 1
router-id 1.1.1.1
network 10.0.0.0 0.0.0.3 area 0
network 192.168.1.0 0.0.0.255 area 0
network 10.1.1.1 0.0.0.0 area 0
passive-interface GigabitEthernet0/1
passive-interface Loopback0
end

Why this answer

The essential requirement is enabling OSPFv2 on both routers with matching area 0 on the 10.0.0.0/30 link. On R1 and R2, enter 'router ospf 1', set a unique router-id, and use 'network 10.0.0.0 0.0.0.3 area 0' to advertise the link. The solution commands include optional networks (192.168.1.0/24 and Loopback0) that are not required for the adjacency and are shown only as examples; candidates should focus on the link network.

After configuration, 'show ip ospf neighbor' should show a FULL state. Common mistakes include using a subnet mask instead of a wildcard mask (option C) or a /32 wildcard (option D), and not configuring OSPF on R2 (option B).

Exam trap

Remember that OSPF network statements use wildcard masks, not subnet masks. Also, both routers must be configured; OSPF does not automatically enable on all interfaces. Use 'show ip ospf neighbor' to verify adjacency formation.

Why the other options are wrong

B

The specific factual error is that OSPF is a dynamic routing protocol that must be enabled on both ends of a link for adjacency to form; one-sided configuration does not work.

C

The specific factual error is confusing subnet masks with wildcard masks; OSPF uses inverse masks in network statements.

D

The specific factual error is using a host wildcard mask that does not cover the actual interface IPs; the correct wildcard mask must include the range of IPs on the link.

925
Multi-Selectmedium

Which two statements accurately describe APIs in controller-based networking?

Select 2 answers
A.They provide a defined interface through which software can communicate with the controller.
B.They can be used by automation tools to retrieve data or request changes.
C.They replace all need for forwarding devices.
D.They remove the need for authentication and authorization.
E.They are Ethernet cabling standards.
AnswersA, B

This is correct because APIs are the software interface for controlled interaction.

Why this answer

APIs are important in controller-based networking because they give external software a defined way to request data or trigger changes on the controller. In plain language, they make the controller accessible to automation tools, dashboards, orchestration systems, and custom scripts. This helps integrate the controller into broader workflows. APIs do not eliminate the need for security controls, but they do make software-driven operations possible.

The wrong answers usually confuse APIs with physical interfaces or claim that they remove the need for authentication. The two correct answers are the ones focused on programmatic access and software integration.

Exam trap

Avoid confusing APIs with physical interfaces or assuming they bypass security protocols.

Why the other options are wrong

C

APIs are software interfaces that enable communication with the controller, but they do not replace forwarding devices like switches and routers. These devices still handle packet forwarding based on policies set via the controller; the controller does not eliminate the need for physical or virtual forwarding hardware.

D

APIs do not remove the need for authentication and authorization. In fact, secure API access typically requires credentials, tokens, or certificates to ensure only authorized users or systems can interact with the controller. Removing these controls would create severe security vulnerabilities.

E

APIs are software interfaces, not physical cabling standards. Ethernet cabling standards like Cat5e, Cat6, or fiber optics define physical layer specifications for wired network connections. Confusing APIs with cabling is a fundamental category error.

926
MCQhard

R1 and R2 are directly connected and both configured for OSPF area 0. The IP addresses are correct, but the routers do not become neighbors. What is the most likely cause?

A.The OSPF network types on the interfaces do not match.
B.The routers need matching hostnames to exchange LSAs.
C.The /30 subnet is too small for OSPF to operate.
D.The interfaces must be converted into switch trunks.
AnswerA

This is correct because OSPF network type mismatch can prevent normal adjacency formation.

Why this answer

The most likely cause is an OSPF network type mismatch. In practical terms, both routers are on the same IP segment and both are trying to use OSPF in the same area, but they do not agree on the type of OSPF network the interface represents. That matters because OSPF behavior changes depending on the network type, including how neighbors are discovered and how adjacencies are formed.

This is a classic exam-style troubleshooting case because the obvious items look correct: IP addressing works and the area matches. But a mismatch between point-to-point and broadcast expectations can still stop the relationship from forming cleanly. That makes network type mismatch the strongest answer here.

Exam trap

A frequent exam trap is to overlook the importance of matching OSPF network types on connected interfaces. Candidates might assume that correct IP addressing and area numbers are sufficient for adjacency. However, if one router uses a broadcast network type and the other uses point-to-point, they will not become neighbors despite appearing correctly configured.

This subtle mismatch is often missed because it does not generate explicit errors, leading to confusion and incorrect troubleshooting steps.

Why the other options are wrong

B

This option is incorrect because OSPF neighbor relationships do not depend on matching hostnames. Hostnames are administrative identifiers and do not affect OSPF protocol operations or LSA exchanges.

C

This option is incorrect because a /30 subnet is a standard subnet size for point-to-point links and does not prevent OSPF from operating or forming adjacencies. OSPF works normally over /30 subnets.

D

This option is incorrect because OSPF runs over routed interfaces and does not require interfaces to be configured as switch trunks. Trunking is related to VLAN tagging and switching, not OSPF adjacency.

927
MCQhard

Why are data models such as YANG important in network automation?

A.They define a structured way to represent configuration and state data
B.They replace IPv4 and IPv6 addressing
C.They remove the need for routing protocols
D.They are used only for naming wireless SSIDs
AnswerA

Correct. Structured data models are foundational to automation workflows.

Why this answer

Data models such as YANG standardize how configuration and operational data are described, which improves consistency for automation systems and APIs.

Exam trap

A common exam trap is to mistakenly believe that YANG data models replace fundamental network functions such as IPv4/IPv6 addressing or routing protocols. Some candidates incorrectly assume that because YANG structures configuration data, it eliminates the need for routing protocols like OSPF or EIGRP, or that it changes how IP addresses function. However, YANG is strictly a modeling language that describes how configuration and state data are represented for automation purposes.

It does not alter core networking protocols or addressing schemes. Confusing these roles can lead to selecting incorrect answers that misattribute YANG’s purpose.

Why the other options are wrong

B

Option B is incorrect because YANG does not replace IPv4 or IPv6 addressing schemes. IP addressing remains a core network function independent of data modeling languages.

C

Option C is wrong since YANG does not remove the need for routing protocols. Routing protocols like OSPF and EIGRP continue to operate and are configured using data models but are not replaced by them.

D

Option D is false because YANG’s scope is much broader than naming wireless SSIDs. It models a wide range of network configurations and operational data beyond wireless settings.

928
MCQhard

Users report that their PCs take over 30 seconds to obtain IP addresses and reach the network after being powered on. A network technician checks a switch port connected to a PC and observes that the port transitions through blocking, listening, learning, and then forwarding states, taking about 30 seconds to complete. The switch is running standard 802.1D STP. The technician confirms the port is an access port and only connects to a PC. What should the technician do next?

A.Reduce the STP forward delay timer globally on the switch.
B.Enable PortFast on the access port.
C.Disable STP on the access VLAN assigned to the port.
D.Enable Rapid PVST+ on the switch.
AnswerB

PortFast is designed for ports that connect to end hosts. It forces the port to transition directly to the forwarding state, skipping the normal STP listening and learning phases, which is exactly what is needed to eliminate the 30-second boot-time delay.

Why this answer

The correct next action is to enable PortFast on the access port. PortFast allows a port to immediately transition to the forwarding state, bypassing the listening and learning phases, which is safe because the port connects only to an end device and cannot create a bridging loop. This directly resolves the 30-second boot-time delay without making network-wide changes.

Exam trap

Many candidates select 'Enable Rapid PVST+' under the mistaken belief that upgrading the STP protocol eliminates the 30-second forwarding delay. However, even with Rapid PVST+, an edge port must be explicitly configured with PortFast (or edge port) to skip the learning/listening phases; otherwise, it still undergoes a similar convergence process.

Why the other options are wrong

A

This action is too drastic and impacts all ports, whereas the issue is specific to access ports connected to end devices. PortFast is the standard, safe method for eliminating delay on edge ports.

C

Candidates might think that turning off STP on a single VLAN is a quick fix, but it removes the safety net against loops and is not a recommended network practice. PortFast provides the immediate-forwarding benefit while preserving STP loop protection.

D

Candidates often assume that Rapid PVST+ immediately forwards on all access ports, but the edge port behavior must be configured. The scenario explicitly mentions the port is an access port connected only to a PC; the immediate fix is to enable PortFast, not change the entire STP mode.

929
Matchingmedium

Match each access-control concept to its most accurate meaning.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Verification of identity

Determination of allowed actions

Limiting access to only what is necessary

Credential store used directly on the device

Why these pairings

Authentication is correctly matched with 'Verification of identity' because it confirms who the user is. Authorization is correctly matched with 'Determination of allowed actions' because it defines what the user can do. Least privilege is correctly matched with 'Limiting access to only what is necessary' as it enforces minimal permissions.

Local database is correctly matched with 'Credential store used directly on the device' as it stores credentials locally for authentication.

Exam trap

Do not confuse 'subject' with 'object' or 'ACL'. Remember: subjects act, objects are acted upon. The subject is the 'who' requesting access, not the 'what' being accessed or the rules governing access.

930
PBQmedium

You are connected to the console of R1. The output of 'show interfaces serial0/0/0' displays that the interface is administratively down (status: administratively down, line protocol is down). The network administrator reports that the serial link between R1 and R2 was recently configured but is not working. You need to troubleshoot and restore connectivity. The serial interface on R1 is Serial0/0/0, and the link is a point-to-point HDLC connection.

Network Topology
S0/0/0S0/0/0serial cableR1R2

Hints

  • Check the interface status with show interfaces.
  • Look for 'administratively down' in the output.
  • Use the no shutdown command to enable the interface.
A.Enter interface configuration mode for Serial0/0/0 and issue the 'no shutdown' command.
B.Enter global configuration mode and issue the 'clock rate 64000' command.
C.Enter interface configuration mode for Serial0/0/0 and issue the 'encapsulation ppp' command.
D.Enter privileged EXEC mode and issue the 'clear interface serial0/0/0' command.
AnswerA
solution
! R1
interface Serial0/0/0
no shutdown

Why this answer

The interface status 'administratively down' indicates the interface has been manually shut down with the 'shutdown' command. Issuing 'no shutdown' in interface configuration mode re-enables it, bringing the line protocol up and restoring connectivity. Option B is incorrect because clock rate configuration is necessary only if R1 is the DCE and clocking is missing; the issue here is the administrative state, not clocking.

Option C is incorrect because changing the encapsulation to PPP would not resolve an administratively down state and could create a mismatch. Option D is wrong because 'clear interface' only resets counters and does not change the interface's administrative status.

Exam trap

The trap is that candidates may overlook the 'administratively down' status and instead focus on clocking or encapsulation issues. Always check the interface status first; if it says 'administratively down', the fix is 'no shutdown'.

Why the other options are wrong

B

The specific factual error: The 'clock rate' command configures the clocking rate on a DCE serial interface, not the administrative state.

C

The specific factual error: The encapsulation command changes the Layer 2 protocol but does not affect the administrative state of the interface.

D

The specific factual error: The 'clear interface' command does not enable an administratively down interface; it only resets statistics.

931
MCQhard

Refer to the exhibit. A network engineer is troubleshooting a connectivity issue between two routers connected via a serial link. The engineer runs the show interfaces Serial0/0/0 command on R1. Based on the output, what is the most likely cause of the problem?

A.The interface is configured with the wrong encapsulation type.
B.The interface is administratively shut down.
C.The serial cable is disconnected or has a physical fault.
D.The DCE end of the serial link is missing a clock rate configuration.
AnswerD

The output explicitly states 'DCE, no clock rate set'. On a serial WAN link, the data communications equipment (DCE) must supply the clock signal. Without the clock rate command, the line protocol cannot come up, regardless of all other settings being correct.

Why this answer

The output shows that the interface is up (line protocol is down), and the serial cable is physically connected. The absence of a clock rate on the DCE end of a serial link causes the line protocol to remain down because the receiving router cannot synchronize bit timing. Option D is correct because the DCE device must provide a clock signal for the serial link to establish Layer 2 connectivity.

Exam trap

Cisco often tests the distinction between 'interface is up, line protocol is down' (Layer 1 up, Layer 2 down) and 'interface is down, line protocol is down' (Layer 1 fault), tricking candidates into thinking a physical cable issue is the cause when the real problem is a missing clock rate on the DCE.

Why the other options are wrong

A

Many candidates assume that a Layer 2 protocol down on a serial link is always caused by an encapsulation mismatch, overlooking the explicit clocking issue displayed in the output.

B

Novice engineers might misinterpret 'line protocol is down' as an indication that the interface is disabled, without reading the full status line.

C

The trap: candidates see 'line protocol is down' and immediately think of a physical problem, missing the clear distinction that the interface itself is 'up'.

932
Drag & Dropmedium

Drag and drop the following steps into the correct order to enable a third-party SFP transceiver and verify its diagnostics on a Cisco switch.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Cisco switches by default only support Cisco-branded SFP transceivers. To use a third-party transceiver, the command `service unsupported-transceiver` must be enabled in global configuration mode. After configuring the interface, the `show interfaces transceiver` command displays diagnostic information including temperature, voltage, and optical power, which helps verify proper operation.

933
MCQhard

A phone and PC share one switchport. The phone works, but the PC cannot reach its normal data resources. The switchport voice VLAN is configured, and the access VLAN is incorrect. Which explanation is strongest?

A.The PC is likely in the wrong data VLAN even though the phone still uses the correct voice VLAN.
B.If the phone works, the PC must also work because both use the same VLAN always.
C.The issue must be BGP because phones cannot use VLANs.
D.The access VLAN becomes irrelevant whenever a voice VLAN is configured.
AnswerA

This is correct because voice and data use different VLAN roles on the same physical port.

Why this answer

Option A is correct because the switchport is configured with a voice VLAN for the phone and an access VLAN for the PC. If the access VLAN is incorrect, the PC will be placed in the wrong data VLAN, preventing it from reaching its normal data resources, while the phone continues to operate correctly on its designated voice VLAN. This is a common misconfiguration where the data VLAN ID does not match the network segment the PC expects.

Exam trap

Cisco often tests the misconception that a working phone implies the PC is also correctly configured, but the trap here is that voice and data VLANs are independent, so a misconfigured access VLAN only affects the PC.

Why the other options are wrong

B

This statement is incorrect because the phone and PC can operate on different VLANs on the same port. The phone uses the voice VLAN, while the PC uses the access (data) VLAN. They are not required to use the same VLAN, and misconfiguration of the access VLAN can cause the PC to fail while the phone works.

C

BGP (Border Gateway Protocol) is a routing protocol used between autonomous systems, not related to VLAN configuration on a switchport. The issue described is about Layer 2 VLAN assignment, not Layer 3 routing. BGP has no role in this scenario.

D

The access VLAN remains relevant even when a voice VLAN is configured. The access VLAN is used for the PC's data traffic, while the voice VLAN is used for the phone's traffic. If the access VLAN is incorrect, the PC will not be able to communicate on the correct data network.

934
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure HSRP version 2 on a pair of routers, set the active router via priority and preempt, then verify the election and failover process.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The correct order is: first configure HSRP version 2 on both routers to ensure they use the same protocol version. Then configure the virtual IP address; the virtual IP must be set before priority and preempt because priority and preempt reference the HSRP group that already has a virtual IP. Next, set the priority on the desired active router; priority determines which router becomes active when both have equal preempt settings.

Finally, enable preempt to allow the higher-priority router to take over if it recovers after a failure. The verify step confirms the active router and failover behavior.

Exam trap

Do not confuse the order of HSRP configuration steps. Always set the version first, then the virtual IP, then priority, then preempt. Many candidates mistakenly configure priority or preempt before the virtual IP, which leads to errors.

935
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure HSRP on a router and verify the active/standby election process.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The order begins with interface and HSRP group configuration, then priority and preempt. Verification shows the current state, and failover testing validates the election process works correctly.

Exam trap

A common mistake is to think that preemption must be configured after priority; however, the CLI does not enforce this order. The real trap is placing verification after failover testing, as verification should first confirm the initial HSRP state, then failover can be tested.

936
PBQmedium

You are connected to R1 via console. R1 is connected to R2 via GigabitEthernet0/0 (10.0.0.1/30) and to R3 via GigabitEthernet0/1 (10.0.0.5/30). R1 has a management subnet 192.168.1.0/24 connected to GigabitEthernet0/2. The network administrator wants to ensure that traffic from the management subnet to the Internet (203.0.113.0/24) uses R2 as the primary path and R3 as a backup. Currently, OSPF is running with default metrics. You must configure a floating static route that will be used only if the OSPF route fails.

Network Topology
G0/010.0.0.1/30G0/110.0.0.5/30G0/2192.168.1.1/24R1R2R3Management subnet

Hints

  • Floating static route has a higher administrative distance than the dynamic route you want to back up.
  • The next-hop IP for the backup route is R3's interface IP connected to R1.
  • Check the OSPF administrative distance (default 110) and set the static route's AD accordingly.
A.ip route 203.0.113.0 255.255.255.0 10.0.0.6 150
B.ip route 203.0.113.0 255.255.255.0 10.0.0.2 150
C.ip route 203.0.113.0 255.255.255.0 10.0.0.6 110
D.ip route 0.0.0.0 0.0.0.0 10.0.0.6 150
AnswerA
solution
! R1
ip route 203.0.113.0 255.255.255.0 10.0.0.6 150

Why this answer

The floating static route is configured with an administrative distance of 150, which is higher than OSPF's default AD of 110. This ensures that the static route is only installed in the routing table when the OSPF route is not present (e.g., due to a failure). The next-hop is R3's IP on the directly connected link.

Exam trap

Remember that a floating static route requires an administrative distance higher than the dynamic protocol's default. Also, ensure the next-hop is the backup router's IP, not the primary. Do not confuse the destination network with a default route unless the question asks for Internet access in general.

Why the other options are wrong

B

The next-hop should be R3 (10.0.0.6), not R2 (10.0.0.2).

C

The AD must be higher than OSPF's 110 (e.g., 150) to act as a floating static route.

D

The destination network should be 203.0.113.0/24, not a default route.

937
Multi-Selectmedium

Which TWO statements correctly describe the behavior of Rapid PVST+ in a Layer 2 network?

Select 2 answers
A.Rapid PVST+ runs a separate instance of RSTP for each VLAN.
B.Rapid PVST+ is an enhancement of PVST+ and uses the same timer-based convergence as standard 802.1D.
C.Rapid PVST+ uses the 802.1D standard to compute the spanning tree for each VLAN.
D.PortFast and BPDU Guard are commonly configured on access ports to prevent loops and speed up convergence.
E.Rapid PVST+ uses the 802.1Q trunking protocol to reduce the number of spanning-tree instances.
AnswersA, D

Rapid PVST+ is a per-VLAN implementation of RSTP (802.1w). Each VLAN runs its own RSTP instance, allowing independent root bridge election and port roles per VLAN. This enables load balancing across VLANs.

Why this answer

Rapid PVST+ runs a separate instance of RSTP (802.1w) for each VLAN, enabling per-VLAN rapid convergence and load balancing. Option D is correct because PortFast allows access ports to transition to forwarding immediately, while BPDU Guard prevents loops by disabling a port that receives a BPDU. Option B is incorrect because Rapid PVST+ uses RSTP's handshake mechanism, not timer-based convergence like 802.1D.

Option C is wrong: Rapid PVST+ is based on 802.1w, not 802.1D. Option E is false because Rapid PVST+ does not use 802.1Q to reduce instances; it maintains a separate spanning-tree instance per VLAN.

Exam trap

Cisco often tests the distinction between PVST+ (802.1D-based) and Rapid PVST+ (802.1w-based), and the trap here is assuming Rapid PVST+ still relies on timer-based convergence like standard 802.1D, when in fact it uses the faster RSTP handshake mechanism.

Why the other options are wrong

B

Rapid PVST+ uses RSTP's rapid handshake process, not timer-based convergence like standard 802.1D.

C

Rapid PVST+ is based on the 802.1w standard (RSTP), not 802.1D.

E

Rapid PVST+ runs a separate instance per VLAN and does not use 802.1Q to consolidate instances.

938
Multi-Selectmedium

Which two actions help protect access-layer switch ports from rogue DHCP servers?

Select 2 answers
A.Enable DHCP snooping globally and for the needed VLANs
B.Trust the uplink toward the legitimate DHCP server path
C.Enable PortFast on all trunks to block rogue servers
D.Disable ARP on access ports
E.Set every access port as trusted
AnswersA, B

That turns on the feature and applies it to selected VLANs.

Why this answer

DHCP snooping marks trusted and untrusted interfaces and filters server-type DHCP messages on untrusted ports. Uplink ports toward the real DHCP server or relay are typically trusted, while user-facing ports stay untrusted. Option C is incorrect because PortFast does not filter DHCP messages; it only speeds up spanning tree convergence.

Option D is incorrect because disabling ARP breaks normal communication and does not block DHCP. Option E is incorrect because marking all access ports as trusted would permit rogue DHCP servers on those ports.

Exam trap

Do not confuse port security with DHCP snooping; they address different security concerns.

Why the other options are wrong

C

PortFast is used to speed up the transition of a port to forwarding state in spanning tree, typically for end-user devices. It does not filter DHCP messages or prevent rogue DHCP servers; DHCP snooping is the correct mechanism.

D

ARP is essential for IP communication and disabling it would break network connectivity. DHCP snooping does not involve ARP; it operates at the DHCP protocol level to validate messages.

E

Setting every access port as trusted would allow any device connected to those ports to act as a DHCP server, defeating the purpose of DHCP snooping. Only ports connected to legitimate DHCP servers should be trusted.

939
MCQhard

A network administrator is troubleshooting connectivity issues in a switched network. Users on VLAN 10 report intermittent connectivity to the server farm. The network uses Rapid PVST+ as the spanning-tree protocol. The administrator examines the switch that is the root bridge for VLAN 10 and notices that one of the uplink interfaces to an access switch is in a blocking state. What is the most likely cause of this issue?

A.Change the port type of Gi0/3 to trunk to allow multiple VLANs.
B.Configure spanning-tree portfast on Gi0/3 to speed up convergence.
C.Check the spanning-tree priority on other switches to ensure the intended root bridge has the lowest priority for VLAN 10.
D.Enable BPDU guard on Gi0/3 to prevent unauthorized switches from affecting the network.
AnswerC

The root bridge is elected based on the lowest bridge priority. If another switch has a lower priority, it becomes the root, causing ports on the current root to block. Verifying and adjusting priorities will ensure the correct root bridge election.

Why this answer

In Rapid PVST+, the root bridge for a VLAN should have all its ports in a forwarding state. If an uplink interface on the root bridge is blocking, it indicates that another switch is being elected as the root bridge for VLAN 10, likely because it has a lower spanning-tree priority. By checking and adjusting the priority on other switches, the administrator can ensure the intended switch becomes the root bridge, resolving the intermittent connectivity caused by suboptimal path selection.

Exam trap

Cisco often tests the misconception that a blocking port on a root bridge indicates a physical or configuration issue with that specific port, when in fact it signals that the switch is not the root bridge due to a lower priority on another switch.

Why the other options are wrong

A

Changing the port type to trunk does not affect spanning-tree root bridge election or port roles. The blocking state is determined by spanning-tree topology, not by trunk configuration.

B

Portfast is intended for access ports connected to end devices to bypass listening/learning states; it is not used on uplinks and does not resolve a blocking state caused by spanning-tree topology.

D

BPDU guard is used on access ports to protect against rogue switches by disabling the port if a BPDU is received. It does not affect root bridge election or port roles on uplinks.

940
MCQhard

A network engineer notices that clients in the 192.168.10.0/24 subnet are receiving the IP address 192.168.10.1 from the DHCP server, causing a duplicate IP conflict with the router’s own interface. What is the most likely cause?

A.The DHCP pool does not exclude the router’s own interface IP address.
B.The DHCP conflict logging feature is disabled on the router.
C.The DHCP lease time is set too low, causing frequent re-issuing of addresses.
D.The DHCP pool’s default-router address is misconfigured, so the client uses the router’s IP as its own.
AnswerA

When no excluded-address is configured for the router’s IP, the DHCP server treats it as available from the pool and can offer it to clients, creating a conflict. Adding 'ip dhcp excluded-address 192.168.10.1' prevents the server from offering that address.

Why this answer

The DHCP server is handing out 192.168.10.1, which is the router’s interface IP, because the pool includes the entire subnet without excluding that address. The correct fix is to configure 'ip dhcp excluded-address 192.168.10.1'. The other options describe features that do not control whether the server offers a specific address: conflict logging, lease time, and default-router settings do not prevent assignment of a duplicate address.

Exam trap

Candidates often assume that enabling DHCP conflict detection ('ip dhcp conflict logging' or 'ip address dhcp conflict') will prevent the server from assigning an address that is already in use. In reality, the server offers the address regardless; conflict detection only helps log or send notifications after the fact.

Why the other options are wrong

B

Many candidates confuse conflict detection with a preventive mechanism, thinking that enabling it would stop the assignment of an already-used address.

C

Candidates may associate short leases with instability, but the root cause is the missing exclusion, not the lease timer.

D

Beginners often conflate the default gateway with the assigned IP address, believing a mistake in the default-router setting could cause an address conflict.

941
Matchingmedium

Match each switchport or VLAN term to its most accurate meaning.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Switchport that normally carries one VLAN for an endpoint

Link that carries multiple VLANs

Setting that restricts which VLANs may traverse the trunk

VLAN associated with untagged traffic on an 802.1Q trunk

Why these pairings

Access ports are in one VLAN; trunk ports carry multiple VLANs with tags. Switchport mode commands set the port type. VLANs create separate broadcast domains; SVIs provide Layer 3 routing for VLANs.

Exam trap

The exam trap here is confusing the definitions of access ports and trunk ports, or associating an access port with the concept of a VLAN or SVI. Remember that an access port is a Layer 2 port that belongs to exactly one VLAN and does not tag frames.

942
MCQmedium

A network engineer at a large enterprise observes repeated spikes in latency on the core network every weekday at 10:00 AM, but no corresponding increase in overall bandwidth utilization. The engineer wants to use AI/ML to automatically identify the root cause and take corrective action without manual intervention. Which concept best describes this approach?

A.Anomaly detection
B.Intent-based networking
C.Predictive analytics
D.Machine learning classification
AnswerB

Intent-based networking (IBN) uses closed-loop automation to continuously monitor the network, detect when the actual state deviates from the intended state (e.g., latency spikes), and automatically reconfigure the network to restore the intent. This matches the scenario of automatic identification and correction.

Why this answer

Intent-based networking (IBN) is correct because it describes a closed-loop system where the network continuously validates that its operational state matches the desired business intent. In this scenario, the engineer wants the network to automatically detect the latency anomaly, correlate it with other telemetry (e.g., routing changes, queue drops), and take corrective action (e.g., reroute traffic, adjust QoS) without human intervention — which is the core promise of IBN, often implemented via Cisco's DNA Center with Assurance and AI/ML capabilities.

Exam trap

Cisco often tests the distinction between a single AI/ML technique (like anomaly detection) and the full closed-loop automation framework (IBN), leading candidates to pick the narrower answer when the question explicitly requires both detection and automated corrective action.

Why the other options are wrong

A

Anomaly detection identifies unusual patterns like latency spikes, but it does not include automatic corrective action. The scenario requires both detection and automated response, which anomaly detection alone cannot provide.

C

Predictive analytics forecasts future events (e.g., predicting when a link will fail), but it does not automatically take corrective action. The scenario involves detecting and correcting an existing anomaly, not predicting a future one.

D

Machine learning classification categorizes data (e.g., classifying traffic as normal or anomalous), but it does not inherently include automated corrective actions. The scenario requires a system that both detects and corrects.

943
MCQhard

A network administrator is troubleshooting an issue where internal hosts can ping the company's web server by IP address (192.0.2.10) but cannot access it using the fully qualified domain name www.example.com. The DNS server (192.0.2.5) is reachable and responds to queries. The administrator runs nslookup www.example.com from a host and receives the following output: C:\> nslookup www.example.com Server: UnKnown Address: 192.0.2.5 Name: www.example.com Address: 192.0.2.20 Based on the output, what is the most likely cause of the problem?

A.The host's DNS cache is corrupted; flush it using ipconfig /flushdns.
B.The DNS A record for www.example.com is incorrect; update it to point to 192.0.2.10.
C.The web server's firewall is blocking traffic from the host; add an allow rule.
D.The DNS server is not authoritative for the example.com zone; delegate the zone to a different server.
AnswerB

The nslookup shows the DNS server returns 198.51.100.1, but the actual server is at 192.0.2.10. Correcting the A record resolves the mismatch.

Why this answer

The nslookup output shows that www.example.com resolves to 192.0.2.20, but the web server is at 192.0.2.10. This indicates the DNS A record is incorrect and must be updated to point to the correct IP. Pinging by IP works because it bypasses DNS, confirming network connectivity.

The host's DNS cache is not the issue because nslookup queries the server directly and still returns the wrong address. The firewall is not involved since pinging by IP succeeds, and the DNS server is authoritative (the response is received).

Exam trap

The trap here is that candidates may assume a DNS server that responds to queries is functioning correctly, overlooking that the response itself can contain an incorrect A record, which is the actual cause of the resolution failure.

Why the other options are wrong

A

The nslookup output shows the DNS server is returning an incorrect IP address (198.51.100.1) for www.example.com, not a local cache issue. Flushing the DNS cache would not resolve the problem because the host is querying the DNS server and receiving the wrong answer.

C

The host can successfully ping the web server at 192.0.2.10, which indicates that ICMP traffic is not blocked by the firewall. The problem is that the host is trying to reach the wrong IP address (198.51.100.1) due to DNS resolution, not that the correct IP is being blocked.

D

The nslookup response includes the server name 'dns.example.com', which indicates that the DNS server is authoritative for the example.com zone. If it were not authoritative, the response would typically show a non-authoritative answer or refer to another server. Delegation is not needed because the server is already authoritative.

944
Matchingmedium

Match each EtherChannel term or state to its most accurate meaning.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Standards-based protocol used to negotiate an EtherChannel bundle

Indicates a port is bundled in the channel

Indicates a port is operating individually and not bundled

Indicates the port-channel is Layer 2 and in use

Why these pairings

LACP is a standards-based protocol (IEEE 802.3ad) that dynamically negotiates an EtherChannel bundle. In the port state output, 'P' (Port is in Active Port Mode) means the port is bundled into the channel. 'I' (Port is in Individual Mode) indicates the port is operating alone and not part of any bundle. 'SU' (Layer 2, In-Use) shown in the port-channel interface status confirms the logical bundle is Layer 2 and administratively up. These terms directly map to the given meanings.

Exam trap

Be careful not to confuse PAgP and LACP modes. PAgP uses Desirable and Auto; LACP uses Active and Passive. Also, remember that 'On' is not a negotiation protocol but a static configuration.

945
PBQmedium

You are connected to R1 via the console. R1 is a Cisco ISR 4321 router running IOS-XE 17.3. The network team has reported intermittent connectivity issues between VLAN 10 hosts and the server at 10.0.0.100. You suspect a routing problem and need to analyze the IP routing table, ARP cache, and interface status to identify the cause. Use the provided outputs to diagnose the issue.

Network Topology
G0/0192.168.10.1/24G0/110.0.0.1/30G0/010.0.0.2/30linkG0/010.0.0.2/3010.0.0.100linkHostsVLAN 10R1R2Server

Hints

  • Check the IP routing table for a default route or specific route to 10.0.0.100.
  • Examine the ARP cache to see if the MAC address of the next hop (10.0.0.2) is present.
  • Verify that both interfaces are up/up and have correct IP addresses.
A.The routing table shows a default route via 192.168.1.1, but the ARP cache has an incomplete entry for that next-hop IP, indicating a Layer 2 connectivity issue.
B.The routing table has a static route to 10.0.0.0/24 via 192.168.1.2, but the interface GigabitEthernet0/0/0 is administratively down.
C.The routing table shows a route to 10.0.0.0/16 via 192.168.1.1, but the ARP cache has a complete entry for 192.168.1.1, indicating the issue is at Layer 3.
D.The routing table has no route to 10.0.0.100, and the ARP cache is empty for all entries, indicating a complete routing failure.
AnswerA
solution
! R1
show ip route
show ip arp
show interfaces GigabitEthernet0/0
show interfaces GigabitEthernet0/1

Why this answer

The issue is likely a missing or incorrect route, an incomplete ARP entry, or an interface problem. By checking the routing table, you can confirm if a route to 10.0.0.100 exists. The ARP cache shows whether the next-hop MAC is learned.

Interface status indicates if the link is operational. The solution commands reveal these details, allowing you to pinpoint the cause (e.g., default route missing, ARP timeout, or interface down).

Exam trap

The exam trap is that candidates often jump to routing table issues first, but the question emphasizes 'intermittent' connectivity, which typically indicates Layer 2 problems like ARP failures or flapping interfaces. Always correlate routing table, ARP cache, and interface status together.

Why the other options are wrong

B

The specific factual error is that an administratively down interface results in a hard failure, not intermittent connectivity.

C

The specific factual error is that a complete ARP entry indicates no Layer 2 problem, contradicting the symptom of intermittent connectivity.

D

The specific factual error is that a missing route results in consistent unreachability, not intermittent problems.

946
MCQhard

Based on the exhibit, what is the most likely reason PAT is not working correctly?

A.The inside and outside NAT interface roles are reversed.
B.PAT requires OSPF to be enabled on the WAN link.
C.The ACL must be numbered 100 instead of 1.
D.The router must use GRE before PAT can overload.
AnswerA

This is correct because the private interface should be inside and the public interface should be outside.

Why this answer

PAT is not working correctly because the inside and outside NAT roles are reversed on the interfaces. In practical terms, the private LAN-facing interface should be marked as inside, and the public-facing WAN interface should be marked as outside. In the exhibit, the router has those roles backwards, so translation logic is applied in the wrong direction.

This is a very realistic NAT troubleshooting item because the configuration is close to correct and the failure comes from one directional mistake.

Exam trap

A common exam trap is confusing the NAT inside and outside interface roles. Candidates might overlook that reversing these roles causes PAT to fail silently, as translation direction depends on correct interface designation. Misunderstanding this can lead to incorrect troubleshooting steps, such as focusing on routing protocols or ACL numbering, which do not impact PAT functionality directly.

Why the other options are wrong

B

Incorrect because PAT does not depend on OSPF or any routing protocol to function; enabling OSPF on the WAN link is unrelated.

C

Incorrect because the ACL number does not have to be 100; standard ACLs like 1 are valid for NAT configurations.

D

Incorrect because GRE tunneling is not required for PAT; PAT operates independently of GRE.

947
MCQhard

A host address is 192.168.88.66/27. Which address is the network address of the subnet?

A.192.168.88.32
B.192.168.88.64
C.192.168.88.95
D.192.168.88.96
AnswerB

This is correct because .66 is in the 64-95 /27 subnet.

Why this answer

A /27 subnet has a block size of 32. In practical terms, the fourth-octet ranges are 0-31, 32-63, 64-95, and so on. Because 66 falls within the 64-95 block, the network address is 192.168.88.64.

This is a classic subnet-boundary calculation. The key step is identifying the correct block first.

Exam trap

Avoid assuming the host address is in the first or last subnet without calculating the correct range.

Why the other options are wrong

A

192.168.88.32 is the network address of the previous /27 subnet (32-63). Since the host address 192.168.88.66 falls in the 64-95 range, the correct network address is 192.168.88.64, not 192.168.88.32.

C

192.168.88.95 is the broadcast address for the /27 subnet that starts at 192.168.88.64. The broadcast address is the last address in the subnet, used to send packets to all hosts in that subnet, not the network address.

D

192.168.88.96 is the network address of the next /27 subnet (96-127). The host 192.168.88.66 is not in that range; it belongs to the subnet starting at 192.168.88.64.

948
PBQhard

You are connected to R1. Using RESTCONF, you need to retrieve the current IP address of interface GigabitEthernet0/0 using the ietf-interfaces YANG model, then change it to 192.0.2.1/24 using a PATCH request. The device is reachable at 10.1.1.1 with port 443 and credentials admin/cisco. Identify the correct URIs and required HTTP headers, and explain why a GET with Accept: application/json would fail.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/30linkR1R2

Hints

  • RESTCONF requires the media type application/yang-data+json in Accept and Content-Type headers.
  • The ietf-interfaces YANG module path for an interface is /ietf-interfaces:interfaces/interface=<name>.
  • The Cisco-IOS-XE-native module uses a different hierarchy; using it for ietf-interfaces data will result in a 404 error.
A.GET https://10.1.1.1:443/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0 with Accept: application/yang-data+json; PATCH same URI with Content-Type: application/yang-data+json and body {"ietf-interfaces:interface":{"name":"GigabitEthernet0/0","ipv4":{"address":[{"ip":"192.0.2.1","netmask":"255.255.255.0"}]}}}
B.GET https://10.1.1.1/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0 with Accept: application/json; PATCH same URI with Content-Type: application/json and body {"interface":{"ip":"192.0.2.1","mask":"255.255.255.0"}}
C.GET https://10.1.1.1:443/restconf/data/Cisco-IOS-XE-native:native/interface/GigabitEthernet=0/0/ip/address with Accept: application/yang-data+json; PATCH same URI with Content-Type: application/yang-data+json and body {"address":{"primary":{"address":"192.0.2.1","mask":"255.255.255.0"}}}
D.GET https://10.1.1.1:443/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0 with Accept: application/xml; PATCH same URI with Content-Type: application/xml and body <interface><ipv4><address><ip>192.0.2.1</ip><netmask>255.255.255.0</netmask></address></ipv4></interface>
AnswerA
solution
! R1
GET URI: https://10.1.1.1/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0
Request headers: Accept: application/yang-data+json
PATCH URI: https://10.1.1.1/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0
PATCH headers: Content-Type: application/yang-data+json, Accept: application/yang-data+json
PATCH body: { "ietf-interfaces:interface": { "name": "GigabitEthernet0/0", "ipv4": { "address": [ { "ip": "192.0.2.1", "netmask": "255.255.255.0" } ] } } }

Why this answer

The correct base URI for RESTCONF is /restconf/data. The YANG path uses /ietf-interfaces:interfaces/interface=GigabitEthernet0/0. The Accept header must specify application/yang-data+json; generic application/json causes a 406 error.

For PATCH, the same URI is used with Content-Type: application/yang-data+json. Crucially, the PATCH body must contain the key leaf 'name' ('GigabitEthernet0/0') inside the container to identify the list instance per RFC 8040; omitting it can cause failure. A wrong YANG path like Cisco-IOS-XE-native would yield 404.

Exam trap

The key trap is that RESTCONF does not accept generic application/json; it requires application/yang-data+json. Many candidates mistakenly use application/json and expect it to work. Also, ensure the YANG path matches the specified model (ietf-interfaces) and that the JSON body follows the YANG data hierarchy.

Why the other options are wrong

B

The specific factual error: RESTCONF mandates the use of application/yang-data+json for Accept and Content-Type headers; application/json is not supported. Also, the JSON body must follow the YANG data structure.

C

The specific factual error: The question explicitly requires the ietf-interfaces YANG model, not the Cisco-native model. Using the wrong model will not retrieve or modify the intended data.

D

The specific factual error: The question context indicates JSON is the target format (since it mentions Accept: application/json would fail). Using XML is a different format and would require different media types.

949
MCQhard

A branch router is configured for NAT overload. The inside interface Gi0/0 is correctly marked ip nat inside, and the outside interface Gi0/1 is ip nat outside. The NAT statement uses access-list 1 permit 10.1.1.0 0.0.0.255 with ip nat inside source list 1 interface Gi0/1 overload. Inside hosts are in the 192.168.1.0/24 subnet and still reach the ISP with their private addresses. What is the most likely reason?

A.The ACL used for NAT does not match the inside client subnet.
B.GigabitEthernet0/0 should be configured as ip nat inside.
C.PAT cannot use an interface address as the translated source.
D.The router must run OSPF before NAT overload can function.
AnswerA

The overload statement references ACL 1, but ACL 1 permits 10.10.20.0/24 instead of 10.10.10.0/24.

Why this answer

The ACL matches the wrong inside subnet. NAT overload will only translate traffic that matches the source list or route map tied to the NAT statement. The interfaces are marked inside and outside correctly, so the bad match criteria is the most likely failure point.

Exam trap

A frequent exam trap is assuming that NAT overload requires routing protocols such as OSPF to function or that the outside interface cannot be used as the source address for translation. Some candidates also mistakenly believe that misconfigured interface NAT designations cause the problem when the real issue is the ACL mismatch. The trap lies in overlooking the ACL's role in defining which inside addresses are translated.

If the ACL does not include the correct inside subnet, NAT will not translate those packets, causing inside hosts to leak private IPs to the ISP. This subtle misconfiguration is often missed under exam pressure.

Why the other options are wrong

B

This option is incorrect because the ISP-facing interface is correctly configured as ip nat outside. The problem is not with the interface NAT designation but with the ACL mismatch. Changing the inside interface designation would not fix the translation issue.

C

This option is incorrect because NAT overload commonly uses the IP address of the outside interface as the translated source address. This is standard Cisco NAT behavior and not a cause of failure in this scenario.

D

This option is incorrect because NAT does not depend on routing protocols like OSPF to function. NAT translation is independent of routing protocols, so running OSPF is not required for NAT overload to work.

950
Drag & Dropmedium

Drag and drop the following steps into the correct order to troubleshoot a suspected duplex mismatch and CRC errors on a Cisco switch interface.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

Troubleshooting starts from privileged EXEC, checking errors, identifying the problematic interface, then configuring the correct duplex setting.

Exam trap

The exam trap is that candidates often skip the initial step of entering privileged EXEC mode, thinking they can directly check errors or configure. Remember that 'show' and 'configure' commands require the appropriate mode.

951
PBQmedium

You are connected to R1 via the console. R1 is a Cisco IOS-XE router. The network manager wants to use an Ansible playbook to configure a loopback interface with IP address 10.0.0.1/24 on R1. You need to write the Ansible YAML playbook that connects to R1 and configures this interface. The playbook must not use the 'parents' argument in the ios_config module.

Hints

  • Ansible uses the 'cisco.ios.ios_config' module for configuration.
  • Specify the lines parameter with a list of CLI commands.
  • Set provider or vars for connection details.
A.- name: Configure Loopback hosts: R1 gather_facts: no connection: network_cli tasks: - name: Configure interface ios_config: lines: - interface Loopback0 - ip address 10.0.0.1 255.255.255.0 - no shutdown
B.- name: Configure Loopback hosts: R1 gather_facts: no connection: ssh tasks: - name: Configure interface ios_config: lines: - interface Loopback0 - ip address 10.0.0.1/24 - no shutdown
C.- name: Configure Loopback hosts: R1 gather_facts: no connection: network_cli tasks: - name: Configure interface ios_config: lines: - interface Loopback0 - ip address 10.0.0.1 255.255.255.0 - shutdown
D.- name: Configure Loopback hosts: R1 gather_facts: no connection: network_cli tasks: - name: Configure interface ios_config: lines: - interface Loopback0 - ip address 10.0.0.1 255.255.255.0 - no shutdown parents: interface Loopback0
AnswerA
solution
! R1
interface Loopback0
ip address 10.0.0.1 255.255.255.0
no shutdown

Why this answer

Option A is correct because it uses the network_cli connection type, applies the correct subnet mask (255.255.255.0), includes 'no shutdown' to enable the interface, and does not use the 'parents' argument, meeting the requirement. Option B is wrong because it uses an 'ssh' connection (not network_cli) and writes the IP address in CIDR notation (/24) instead of the required dotted-decimal mask. Option C is wrong because it uses 'shutdown' instead of 'no shutdown', which disables the interface.

Option D is wrong because it uses the 'parents' argument, which the stem explicitly forbids, even though the configuration would otherwise be valid.

Exam trap

Be careful with the connection type for network devices: use 'network_cli', not 'ssh'. Also, remember that Cisco IOS uses subnet masks (e.g., 255.255.255.0) in the 'ip address' command, not CIDR notation. Finally, ensure you use 'no shutdown' to enable an interface, not 'shutdown'.

Why the other options are wrong

B

Incorrect connection type 'ssh' and uses CIDR notation /24 instead of subnet mask.

C

Uses 'shutdown' command, which disables the interface instead of enabling it.

D

Uses the 'parents' argument, which is explicitly prohibited by the requirement.

952
MCQmedium

Why does traceroute reveal each router hop along a path?

A.Each router appends its hostname to the packet payload
B.Each router sends an ARP response back to the source
C.Each router decrements TTL or hop limit, and expired packets trigger ICMP messages
D.Each switch on the path sends a syslog message to the source host
AnswerC

Correct. TTL or hop-limit expiry creates the hop-by-hop responses.

Why this answer

Traceroute sends packets with increasing TTL or hop-limit values. When the value expires, the router that drops the packet returns an ICMP message, identifying that hop.

Exam trap

Don't confuse traceroute's use of TTL and ICMP Time Exceeded messages with ping's use of ICMP Echo Requests.

Why the other options are wrong

A

Routers do not modify packet payloads to add hostnames during normal forwarding. Traceroute relies on ICMP Time Exceeded messages generated by routers when TTL expires, not on payload modifications. Adding hostnames would violate IP packet integrity and is not a standard function.

B

ARP (Address Resolution Protocol) operates only within a local network segment to map IP addresses to MAC addresses. It is not used for path discovery across multiple routed hops. Traceroute uses TTL expiry to trigger ICMP responses, not ARP replies.

D

Switches operate at Layer 2 and do not decrement TTL or generate ICMP Time Exceeded messages for traceroute. Syslog is a logging protocol used for network device event reporting, not for hop-by-hop path discovery. Traceroute relies on ICMP or UDP/TCP probes, not syslog messages.

953
Multi-Selectmedium

Which THREE statements correctly describe the configuration of AAA with RADIUS or TACACS+ on Cisco IOS-XE?

Select 3 answers
A.RADIUS encrypts the entire packet payload, including all attributes.
B.TACACS+ encrypts the entire body of the packet but leaves the standard TCP header unencrypted.
C.TACACS+ uses UDP as its transport protocol, while RADIUS uses TCP.
D.TACACS+ separates authentication, authorization, and accounting into three distinct functions, allowing independent server configuration for each.
E.RADIUS combines authentication and authorization into a single process, meaning an access-accept packet includes both authentication success and authorization attributes.
F.When configuring 802.1X on IOS-XE, the switch acts as the authentication server and validates client credentials locally.
AnswersB, D, E

TACACS+ encrypts the entire payload (body) of the packet, ensuring confidentiality of all attributes, while the TCP header remains unencrypted for routing purposes.

Why this answer

Option B is correct: TACACS+ encrypts the entire body of the packet (including all attributes) but leaves the TCP header unencrypted. Option D is correct: TACACS+ separates authentication, authorization, and accounting into three distinct functions, allowing independent server configuration for each. Option E is correct: RADIUS combines authentication and authorization into a single process, so an access-accept packet includes both authentication success and authorization attributes.

Option A is wrong: RADIUS only encrypts the password in the Access-Request packet, not the entire payload. Option C is wrong: TACACS+ uses TCP (port 49), while RADIUS uses UDP (ports 1812/1645 for authentication, 1813/1646 for accounting). Option F is wrong: In 802.1X on IOS-XE, the switch acts as an authenticator (not the authentication server) and forwards credentials to an external RADIUS server.

Exam trap

Cisco often tests the confusion between RADIUS and TACACS+ encryption scope and transport protocols, where candidates mistakenly think RADIUS encrypts the entire payload or that TACACS+ uses UDP, when in fact RADIUS only encrypts the password and uses UDP, while TACACS+ encrypts the full body and uses TCP.

Why the other options are wrong

A

RADIUS only encrypts the password attribute in the access-request packet; the rest of the packet, including other attributes like username and authorization data, is sent in clear text. This is a key security limitation of RADIUS compared to TACACS+.

C

TACACS+ uses TCP (port 49) as its transport protocol, while RADIUS uses UDP (ports 1812/1813). This is a fundamental difference: TCP provides reliable, connection-oriented delivery, whereas UDP is connectionless and faster but less reliable.

F

In 802.1X, the switch acts as an authenticator (passing EAP messages between the client and the authentication server), not as the authentication server itself. The authentication server is typically a RADIUS server that validates client credentials.

954
MCQhard

Why is HTTPS usually preferred over HTTP when accessing controller APIs?

A.Because HTTPS provides encrypted transport for sensitive API communication.
B.Because HTTPS provides better throughput for API responses
C.Because HTTPS replaces the need for authentication.
D.Because HTTPS is the only protocol that can carry JSON.
AnswerA

This is correct because encryption in transit is the main reason HTTPS is preferred.

Why this answer

HTTPS is preferred because it protects the API traffic in transit with encryption. In plain language, controller APIs may carry credentials, tokens, device state, or configuration data, and sending that information in clear text over plain HTTP would expose it to interception. HTTPS helps protect that communication channel.

This does not make HTTPS a data format or an access policy by itself, but it is a major transport-security improvement. The correct answer is the one focused on secure transport for sensitive API traffic.

Exam trap

Don't confuse HTTPS with data formats or access policies; it's about securing data in transit.

Why the other options are wrong

B

HTTPS adds encryption overhead, which can reduce throughput compared to HTTP, not improve it.

C

HTTPS provides transport-layer encryption but does not replace authentication. API access still requires authentication mechanisms such as API keys, OAuth tokens, or certificates to verify the identity of the client.

D

JSON is a data format that can be carried over any transport protocol, including HTTP, HTTPS, or even raw TCP. HTTPS is not required for JSON; it is used to secure the transport, not to enable a specific data format.

955
Drag & Dropmedium

Drag and drop the following steps into the correct order to troubleshoot a client PC that cannot connect to a remote web server.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
6Step 6

Why this order

The correct order follows Cisco's bottom-up troubleshooting methodology: first verify local IP configuration with ipconfig, then confirm the local TCP/IP stack with a loopback ping, then verify the NIC and IP binding by pinging the assigned address. Next, test connectivity to the default gateway to ensure the local subnet and router are reachable. After that, attempt to reach the remote server's IP address with ping.

If that fails, use traceroute to identify where along the path the packets are lost. This sequence efficiently isolates the fault domain from the local device to the internetwork.

956
MCQmedium

Which command places a switch port into access mode directly?

A.switchport mode access
B.switchport trunk allowed vlan 10
C.switchport mode dynamic desirable
D.no switchport
AnswerA

This is correct because it directly forces the interface into access mode.

Why this answer

A switch port is placed into access mode with the `switchport mode access` command. In plain language, this tells the switch that the interface should behave as a single-VLAN user-facing access port rather than as a trunk or a negotiation-based port. This is the normal choice for an endpoint such as a PC, printer, or IP camera that should belong to one VLAN.

This command matters because it makes the intended role of the interface explicit. That clarity is useful operationally and helps avoid accidental trunking behavior. The correct answer is the command that directly defines the switchport as access rather than assigning a VLAN without setting the role or relying on negotiation.

Exam trap

Be careful not to confuse VLAN assignment or negotiation commands with those that explicitly set port modes.

Why the other options are wrong

B

The command 'switchport trunk allowed vlan 10' is used on a trunk port to specify which VLANs are allowed to traverse the trunk link. It does not change the port mode to access; instead, it assumes the port is already a trunk. Therefore, it is incorrect for placing a switch port into access mode.

C

The command 'switchport mode dynamic desirable' enables Dynamic Trunking Protocol (DTP) to actively negotiate trunking with the connected device. This does not directly place the port into access mode; instead, it allows the port to become a trunk if the neighbor agrees. The port remains in a dynamic state until negotiation completes.

D

The command 'no switchport' converts a Layer 2 switch port into a Layer 3 routed port, which is used for routing between VLANs or connecting to routers. This removes all Layer 2 switching functionality, including VLAN assignment, and is the opposite of placing the port into access mode.

957
Multi-Selectmedium

Which two statements accurately describe JSON?

Select 2 answers
A.JSON is a structured data format commonly used by APIs.
B.JSON uses square brackets for arrays.
C.JSON is the same thing as HTTPS.
D.JSON is required only for IPv6 networks.
E.JSON is a spanning-tree mode.
AnswersA, B

This is correct because JSON is widely used to represent structured information in API payloads.

Why this answer

JSON is a lightweight structured data format commonly used in APIs and automation workflows. In plain language, it provides a readable way to represent data as key-value pairs, objects, and arrays so software can exchange information consistently. It is popular in network automation because it is compact and widely supported by tools, controllers, and web-based interfaces.

CCNA questions on JSON usually test recognition, not coding expertise. You should be able to identify that JSON is a data format, not a transport protocol, and that arrays are shown with square brackets. The correct answers in this question focus on those recognition skills rather than on advanced programming details.

Exam trap

A frequent exam trap is confusing JSON with network protocols or features, such as HTTPS or spanning-tree modes. Candidates might incorrectly assume JSON is a transport protocol or a network technology because it is often mentioned alongside APIs and automation. This misunderstanding leads to selecting incorrect answers that describe JSON as a protocol or network mode.

The key is to remember that JSON is strictly a data format used to represent structured information, not a protocol or network operation. Misreading JSON’s role can cause errors in questions testing automation and programmability concepts.

Why the other options are wrong

C

Option C is incorrect because JSON is not a protocol like HTTPS. HTTPS is a secure transport protocol, whereas JSON is a data format used within protocols or APIs for data representation, not for transport or security.

D

Option D is wrong since JSON is not tied to IPv6 networks or any specific IP version. JSON is a general-purpose data format used across various network environments and protocols, independent of IP addressing schemes.

E

Option E is incorrect because JSON has no relation to spanning-tree modes or any Layer 2 network protocol functions. JSON is purely a data format and does not influence or configure network protocols like STP.

958
Multi-Selecthard

Two switches are connected with an EtherChannel using LACP. The bundle stays down and the physical interfaces show individual links, not a port-channel member state. Which two conditions must match on both sides for the channel to form successfully?

Select 2 answers
A.The member interfaces must have compatible speed and duplex settings
B.The trunk native VLAN must always be VLAN 1
C.The interfaces must use the same channel protocol and compatible LACP settings
D.The STP priority values on both switches must be identical
AnswersA, C

Mismatched operational characteristics can prevent EtherChannel formation.

Why this answer

LACP active/passive is valid, but the interfaces still have to match operationally and be configured compatibly for the same bundle. Speed, duplex, trunking, and channel protocol consistency all matter.

Exam trap

Remember that VLAN and trunking settings are important for trunk links but not specifically required for EtherChannel formation.

Why the other options are wrong

B

The native VLAN does not have to be VLAN 1; it can be any VLAN as long as both sides of the trunk agree. The requirement for EtherChannel is that the native VLAN must match on both sides, but it does not have to be VLAN 1.

D

STP priority values do not affect EtherChannel formation; STP operates on the logical port-channel interface after the bundle is formed. EtherChannel requirements focus on physical and protocol compatibility, not spanning-tree parameters.

959
PBQhard

You are connected to R1 via the console. The network has a DNS server at 203.0.113.10 that should resolve www.example.com to 203.0.113.100. However, when you ping www.example.com, it fails. Diagnose and resolve the DNS resolution issue. The DNS server is reachable via ping, but nslookup from R1 returns a server failure. Configure R1 so that it can successfully resolve www.example.com. Additionally, verify that the DNS server is correctly configured for forward and reverse lookups.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/30linkG0/1203.0.113.2/24203.0.113.10/24linkR1R2DNS Server

Hints

  • Check the configured name-server IP address in the running-config.
  • The DNS server is reachable, but the router is querying the wrong server.
  • After fixing the name-server, ensure the DNS server has the correct A record for the domain.
A.Configure 'ip name-server 203.0.113.10' under global configuration and ensure the DNS server has an A record for www.example.com pointing to 203.0.113.100.
B.Configure 'ip domain-lookup' and 'ip name-server 10.0.0.2' under global configuration, then verify with ping www.example.com.
C.Configure 'ip domain-lookup' and 'ip host www.example.com 203.0.113.100' under global configuration, then verify with ping www.example.com.
D.Configure 'ip dns server' under global configuration to make R1 act as a DNS server, then add an A record for www.example.com.
AnswerA
solution
! R1
configure terminal
no ip name-server 10.0.0.2
ip name-server 203.0.113.10
end
write memory

Why this answer

The issue is that the DNS server IP address configured under 'ip name-server' is incorrect (10.0.0.2) instead of the actual DNS server (203.0.113.10). Additionally, the DNS server itself is not configured with the proper A record for www.example.com. The fix involves correcting the name-server address and ensuring the DNS server has the correct forward mapping.

After correcting the name-server, nslookup and dig should return the IP address 203.0.113.100. For reverse lookup, a PTR record for 203.0.113.100 pointing to www.example.com must exist on the DNS server.

Exam trap

The exam trap is that candidates may confuse the 'ip name-server' command with 'ip host' or 'ip dns server'. They might also overlook the need to verify the DNS server's records. Always check the configured name-server IP first when DNS resolution fails.

Why the other options are wrong

B

The specific factual error: The name-server address must match the actual DNS server; using 10.0.0.2 will not resolve the hostname.

C

The specific factual error: The 'ip host' command creates a static mapping, not a DNS resolution. The question requires DNS resolution to work, not a static override.

D

The specific factual error: The 'ip dns server' command enables DNS server services on the router, but the router is not meant to be a DNS server in this scenario. The fix is to point to the existing DNS server.

960
PBQhard

You are connected to R1. Configure IPv4 and IPv6 static routes so that R1 can reach the loopback networks on R2 and R3 (203.0.113.0/24 and 2001:db8:1::/48) with proper failover. Ensure that the primary link (G0/0 to R2) is preferred over the backup link (G0/1 to R3) using a floating static route with an appropriate administrative distance. Additionally, configure a default route on R1 for IPv4 and IPv6 so that traffic to unknown destinations is forwarded via the primary link. Troubleshoot the existing configuration to identify and fix a recursive routing failure caused by a wrong next-hop address in one of the static routes.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/30G0/110.0.1.1/30G0/010.0.1.2/30R1R2R3

Hints

  • Check if the next-hop IP address for the IPv4 static route is reachable via a directly connected interface.
  • The recursive routing failure occurs because the route uses a next-hop that is not in the routing table; consider using an exit interface in the static route.
  • Verify the administrative distance of the floating static route is higher than the primary route's default AD of 1.
A.The recursive routing failure is caused by a missing route to the next-hop network; correct by changing the static route to use an exit interface: `ip route 203.0.113.0 255.255.255.0 GigabitEthernet0/0 10.0.0.2`
B.The floating static route for IPv4 should have an administrative distance of 1 to ensure it is preferred over the primary route.
C.The IPv6 static route to 2001:db8:1::/48 should use a next-hop of 2001:db8:0:1::1 (R1's own interface) to ensure reachability.
D.The default route for IPv4 should be configured with an administrative distance of 200 to match the floating static route.
AnswerA
solution
! R1
configure terminal
ip route 203.0.113.0 255.255.255.0 GigabitEthernet0/0 10.0.0.2
end
copy running-config startup-config

Why this answer

The recursive routing failure occurs because the static route `ip route 203.0.113.0 255.255.255.0 10.0.0.2` requires R1 to have a route to the next-hop network (10.0.0.0/30) in its routing table. Since 10.0.0.0/30 is directly connected via G0/0, the route should install, but if the interface is down or misconfigured, recursion fails. The fix is to specify both the exit interface and next-hop: `ip route 203.0.113.0 255.255.255.0 GigabitEthernet0/0 10.0.0.2`, which avoids recursive lookup.

Option B is wrong because an administrative distance of 1 would make the floating static route equal to the default AD of the primary static route, defeating failover; the floating route should have a higher AD (e.g., 200). Option C is wrong because using R1's own interface address (2001:db8:0:1::1) as next-hop would point the route back to itself, not to R2; the correct next-hop is R2's link-local or global address on G0/0. Option D is wrong because the default route for IPv4 should have the default AD of 1 to be preferred over the floating static route; setting it to 200 would make it equally preferred and could cause routing loops.

Exam trap

The key trap is that candidates may not realize that a static route with a next-hop address will fail if the router does not have a route to that next-hop network. Always verify that the next-hop is reachable via a connected route or use an exit interface to avoid recursive routing issues.

Why the other options are wrong

B

Administrative distance of 1 matches the default AD of a static route, so the floating route would not be less preferred; it needs a higher AD (e.g., 200) to act as a backup.

C

Using R1's own interface IPv6 address as next-hop would create a route pointing to itself, not to R2, and would not reach the loopback network.

D

The default route should use the default administrative distance (1) to remain the primary route; setting it to 200 would make it equal to the floating static route, causing unpredictable behavior.

961
MCQeasy

Why is SSH preferred over Telnet for device management?

A.SSH uses UDP and is therefore faster
B.SSH encrypts the session traffic
C.SSH works only on Layer 2 networks
D.SSH does not require user authentication
AnswerB

That is the main security advantage.

Why this answer

SSH encrypts the management session, including usernames, passwords, and commands. Telnet sends traffic in clear text, which makes it unsafe on modern networks.

Exam trap

A frequent exam trap is the misconception that SSH uses UDP or does not require user authentication. Some candidates mistakenly believe SSH is faster because it uses UDP, but SSH actually uses TCP to ensure reliable, ordered delivery of encrypted data. Another trap is thinking SSH works only on Layer 2 networks, whereas it operates over IP and can be used across routed networks.

Additionally, assuming SSH does not require authentication is incorrect; SSH mandates authentication to establish a secure session. Recognizing these facts helps avoid selecting incorrect options related to SSH’s protocol and security features.

Why the other options are wrong

A

Option A incorrectly states that SSH uses UDP and is therefore faster. SSH actually uses TCP to ensure reliable and secure delivery of encrypted data, so this option is false.

C

Option C incorrectly claims SSH works only on Layer 2 networks. SSH operates over IP (Layer 3) and can be used across routed networks, so this option is false.

D

Option D falsely asserts that SSH does not require user authentication. SSH requires authentication to establish a secure session, making this option incorrect.

962
MCQhard

Users in 10.10.10.0/24 must be prevented from reaching the web server at 172.16.1.10 over HTTP, but all other traffic should be allowed. Which ACL entry best matches the requirement?

A.deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
B.deny ip 10.10.10.0 0.0.0.255 host 172.16.1.10
C.deny udp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
D.permit tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
AnswerA

This is correct because it blocks only TCP port 80 traffic from the source subnet to the web server.

Why this answer

The correct ACL entry is an extended ACL deny statement that matches TCP from the source subnet to the destination host on port 80. In practical terms, the requirement is narrow: block HTTP only, from one source network to one server, while allowing everything else. That means using `deny tcp` with the right source, destination, and port is more accurate than using a broad `deny ip`.

This is a classic ACL precision question. The exam is testing whether you can match the requirement exactly rather than overblocking.

Exam trap

A common exam trap is selecting a deny statement that blocks all IP traffic (option B) instead of just HTTP traffic. This overblocking disrupts legitimate services beyond HTTP, violating the requirement to allow all other traffic. Another trap is denying UDP port 80 (option C), which is ineffective because HTTP uses TCP, not UDP.

Additionally, mistakenly permitting TCP port 80 traffic (option D) contradicts the goal of blocking HTTP access. Understanding the difference between protocol types and the impact of broad versus specific ACL entries is essential to avoid these pitfalls.

Why the other options are wrong

B

Option B denies all IP traffic from the source subnet to the destination host, which is too broad and blocks all services, not just HTTP, violating the requirement to allow other traffic.

C

Option C denies UDP traffic on port 80, but HTTP uses TCP, so this entry would not block HTTP traffic and fails to meet the requirement.

D

Option D permits TCP traffic on port 80, which contradicts the requirement to block HTTP traffic from the source subnet to the web server.

963
Drag & Dropmedium

Drag and drop the following steps into the correct order to trace the DNS resolution process from a client query to receiving an A-record response.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The client first sends its query to a recursive resolver (often provided by the ISP or a public DNS service). The resolver then queries a root name server to find the TLD server for the domain's top-level domain (e.g., .com). Next, the resolver queries the TLD server to learn the authoritative name server for the specific domain.

Finally, the resolver queries that authoritative server, which responds with the A record containing the IP address. Each step depends on the previous one because higher-level servers only delegate to lower levels, not store final records. The resolver then caches the response and returns it to the client, completing the process.

Nslookup and dig are diagnostic tools used after this resolution if records are missing or incorrect, but they are not part of the resolution steps themselves.

Exam trap

Do not confuse the order of root and TLD queries. The root server is always queried first to find the TLD server. Also, remember that the recursive resolver caches responses, so not every query goes through the full hierarchy.

964
Matchingmedium

Match the security feature to its main purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Filters traffic based on defined permit and deny rules

Helps block rogue DHCP servers and build trusted binding information

Validates ARP traffic against trusted information to reduce ARP spoofing

Limits and controls MAC addresses learned on a switch port

Why these pairings

ACLs are correct because they use permit and deny statements to filter traffic based on source/destination IP, protocol, or port. DHCP Snooping is correct because it identifies trusted ports and builds a DHCP binding table to block rogue DHCP servers and prevent spoofed DHCP messages. DAI is correct because it leverages the DHCP Snooping binding table to validate ARP packets, dropping those that do not match trusted bindings and thus preventing ARP spoofing attacks.

Port Security is correct because it restricts the number and specific MAC addresses learned on a switch port, mitigating MAC flooding and unauthorized device access.

Exam trap

Avoid confusing the general term 'security' with specific functions. Firewalls filter traffic; they do not encrypt, detect endpoint malware, or provide centralized log analysis. Each security tool has a defined purpose.

965
Multi-Selectmedium

Which three of the following are true about the operation of DHCP snooping? (Choose three.)

Select 3 answers
.DHCP snooping builds a binding database of trusted DHCP clients.
.Interfaces connected to DHCP servers are configured as trusted ports.
.DHCP snooping can prevent DHCP starvation attacks.
.DHCP snooping is enabled globally and requires no per-VLAN configuration.
.DHCP snooping automatically blocks all BOOTP traffic.
.DHCP snooping only works with DHCPv6.

Why this answer

DHCP snooping is a security feature that builds and maintains a DHCP snooping binding database by monitoring DHCP messages exchanged on trusted and untrusted ports. It prevents rogue DHCP servers and DHCP starvation attacks by filtering DHCP messages based on the trust state of the interface. The binding database records the IP address, MAC address, VLAN, and port information for each DHCP client that successfully obtains a lease through a trusted DHCP server.

Exam trap

Cisco often tests the misconception that DHCP snooping is automatically applied to all VLANs once enabled globally, but in reality you must explicitly enable it on each VLAN with the 'ip dhcp snooping vlan' command.

966
MCQhard

Exhibit: OSPF neighbors are not reaching FULL state on an Ethernet segment with multiple routers. The output of show ip ospf neighbor on R2 shows a neighbor in the 2WAY/DROTHER state. What is the most likely reason?

A.Authentication mismatch between R2 and 3.3.3.3
B.The 2WAY state with another DROTHER on a broadcast segment is normal
C.R2 must be configured as a point-to-point network type
D.R2 has a duplicate router ID
AnswerB

DROTHER routers do not form full adjacency with every other DROTHER.

Why this answer

On a broadcast Ethernet network, two routers normally become fully adjacent through the DR or BDR. If the local router is stuck in 2WAY with another DROTHER, that is normal behavior. It is not a fault by itself.

Exam trap

A common exam trap is assuming that neighbors stuck in the 2-Way state indicate a problem requiring troubleshooting or configuration changes. Many candidates mistakenly believe that all OSPF neighbors on a broadcast segment must reach the FULL state with each other. However, OSPF’s design limits full adjacency to DR and BDR routers only.

DROTHER routers remain in 2-Way state with each other, which is normal and expected. Misinterpreting this behavior can lead to incorrect answers such as blaming authentication or router ID issues when the output actually reflects standard OSPF operation.

Why the other options are wrong

A

Authentication mismatches prevent OSPF neighbors from reaching the 2-Way state by blocking bidirectional communication. Since the neighbors here have reached 2-Way, authentication mismatch is unlikely the cause.

C

Configuring the network type as point-to-point is not required on Ethernet segments and would change the adjacency formation behavior rather than explain the current normal 2-Way state with DROTHER routers.

D

Duplicate router IDs cause adjacency failures and routing problems but do not cause neighbors to remain in the 2-Way state with DROTHER routers. The output does not indicate a router ID conflict.

967
Matchingeasy

Match each basic controller or API term to its most accurate meaning.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Management or policy platform

Software interface for communication

Structured data format

Secure transport for the communication

Why these pairings

These pairs match controller or API terms correctly. REST API uses HTTP, controller centralizes management, northbound/southbound interfaces define directions, JSON is common data format, and YANG models network data.

Exam trap

Do not confuse the tool (REST API) with its common data format (JSON) or the architectural components (controller, northbound interface). Focus on the core definition of each term.

968
MCQeasy

What problem does Spanning Tree Protocol solve in a switched network?

A.IP address exhaustion
B.Layer 2 switching loops
C.Slow DNS lookups
D.Weak wireless encryption
AnswerB

Correct. Loop prevention is the core purpose of STP.

Why this answer

STP prevents Layer 2 loops by blocking redundant paths when necessary, which avoids broadcast storms and MAC table instability.

Exam trap

Avoid confusing STP with technologies like EtherChannel, IPsec, or QoS, which address different network concerns.

Why the other options are wrong

A

Spanning Tree Protocol (STP) operates at Layer 2 and has no mechanism to manage or allocate IP addresses; IP address exhaustion is addressed by protocols like DHCP or IPv6 transition technologies.

C

DNS lookups are application-layer processes that rely on IP connectivity and name resolution servers; STP does not influence DNS performance or resolution speed.

D

Wireless encryption is a security feature implemented at the data link layer (e.g., WPA2/3) and is unrelated to STP, which deals with physical topology loop prevention.

969
MCQhard

An engineer configures a floating static route to 0.0.0.0/0 with an administrative distance of 200 while OSPF is providing a default route. What is the intended behavior?

A.The static default route acts as a backup and becomes active only if the OSPF default route is lost.
B.The static default route overrides OSPF immediately because it is manually configured.
C.Both default routes must always load-balance together.
D.The router ignores both defaults because they overlap.
AnswerA

This is correct because the higher administrative distance makes the static route float behind OSPF.

Why this answer

The intended behavior is that the static default route stays in reserve and becomes active only if the OSPF-learned default route disappears. In plain language, the administrator wants a backup path, not a replacement for the normal OSPF path. By assigning the static route a higher administrative distance than OSPF, the router treats it as less trustworthy during normal operation.

This is a standard floating-static design. The static route is still configured, but it does not normally appear as the preferred forwarding choice until the lower-distance route is lost. That is the key operational purpose of the configuration.

Exam trap

Don't assume static routes always take precedence over dynamic ones; administrative distance dictates preference.

Why the other options are wrong

B

The static default route has an administrative distance of 200, which is higher than OSPF's default distance of 110. Therefore, OSPF's route is preferred, and the static route does not override it. Manual configuration does not bypass administrative distance; the router always prefers the lower distance.

C

Load balancing requires multiple routes with equal administrative distance and metric. Here, OSPF and the static route have different administrative distances (110 vs. 200), so they are not equal. The router will only use the best route (OSPF) and not load-balance.

D

Overlapping default routes are common and do not cause the router to ignore them. The router uses the route with the lowest administrative distance (OSPF) and ignores the static route unless OSPF fails. There is no conflict that would cause both to be ignored.

970
Matchingmedium

Match each trunk or VLAN term to its most accurate function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Link carrying traffic for multiple VLANs

VLAN assigned to a normal endpoint-facing port

VLAN associated with untagged traffic on an 802.1Q trunk

Setting that restricts which VLANs may cross a trunk

Why these pairings

Access ports carry traffic for one VLAN only; trunk ports carry multiple VLANs using tagging. The native VLAN is untagged on a trunk; VLAN 1 is the default. 802.1Q is the standard for tagging, and voice VLAN separates voice traffic.

Exam trap

Be careful not to confuse the native VLAN (untagged) with other VLANs (tagged) on a trunk. Also, remember that VLAN 1 is the default data VLAN, not the voice VLAN.

971
Multi-Selectmedium

Which two statements accurately describe controller-based networking?

Select 2 answers
A.It can centralize management and policy decisions.
B.It commonly exposes APIs for software and automation tools to interact with the controller.
C.It eliminates the need for network devices such as switches and routers.
D.It removes the need for authentication and authorization.
E.It works only on wireless networks.
AnswersA, B

This is correct because centralization is one of the main features of controller-based networking.

Why this answer

Controller-based networking centralizes certain management and policy functions and commonly exposes APIs for software interaction. In practical terms, the controller becomes the coordination point while outside applications or automation tools can talk to it through structured interfaces. This does not eliminate the need for actual forwarding devices, but it changes how the network is managed.

The wrong answers usually go too far and pretend the controller replaces everything. The two correct answers are the ones that keep centralization and programmability as the core ideas.

Exam trap

A common exam trap is to incorrectly believe that controller-based networking eliminates the need for physical network devices like switches and routers. Some candidates assume the controller replaces all hardware, which is false because forwarding devices remain essential for data traffic. Another trap is thinking that controller-based networking removes the need for authentication and authorization; however, secure access controls to the controller are still mandatory.

These misconceptions can lead to selecting incorrect answers that overstate the controller’s role or ignore security requirements.

Why the other options are wrong

C

This option is incorrect because controller-based networking does not eliminate the need for physical network devices like switches and routers; these devices still forward traffic.

D

This option is incorrect since authentication and authorization remain necessary to secure access to the controller and protect network integrity.

E

This option is incorrect because controller-based networking applies to both wired and wireless networks and is not limited to wireless environments.

972
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure a Windows 10 host with a static IPv4 address, subnet mask, and default gateway.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
6Step 6

Why this order

The correct order begins with opening Network and Sharing Center to access network settings. Then, you must click 'Change adapter settings' to see the list of network connections. Right-clicking the appropriate adapter and selecting Properties opens its configuration.

Selecting IPv4 and clicking Properties allows you to set the IP parameters. Choosing 'Use the following IP address' enables the fields for static input. Finally, entering the IP address, subnet mask, and default gateway followed by OK/Close applies the configuration.

This sequence follows the logical navigation of the Windows GUI to reach the static IP assignment interface.

973
MCQmedium

SW1 is the root bridge for VLAN 10. A user switch receives a BPDU on an access port connected to a desk-side unmanaged switch. What should happen if BPDU Guard is enabled on that port?

A.The port transitions to forwarding more quickly
B.The port is moved to err-disabled state
C.The switch elects a new root bridge
D.The port becomes a trunk automatically
AnswerB

BPDU Guard shuts the port down when a BPDU is seen on an edge port.

Why this answer

BPDU Guard is designed to protect edge ports. If a BPDU is received on a PortFast access port, the switch places the interface into the err-disabled state to stop a potential Layer 2 loop or rogue switch.

Exam trap

Remember that BPDU Guard actively disables ports, it doesn't just log or ignore BPDUs.

Why the other options are wrong

A

PortFast allows a port to transition to forwarding immediately upon link up, but it does not react to BPDU reception. BPDU Guard is a separate feature that disables the port upon receiving a BPDU, not accelerate forwarding.

C

Receiving a BPDU on a single edge port does not trigger a root bridge election. Root bridge election is based on bridge ID comparison across the entire spanning-tree domain, not on a single BPDU on a port.

D

BPDU Guard does not change the port mode; it only reacts to BPDU reception by disabling the port. Port mode (access or trunk) is configured separately and is not affected by STP protection features.

974
PBQhard

You are connected to R1. The network administrator reports that hosts on VLAN 10 cannot communicate with the server attached to R2's GigabitEthernet0/1 interface. Troubleshoot and resolve the issue. Identify the root cause and apply the necessary fix on R1.

Network Topology
G0/0192.168.1.1/30linkG0/1192.168.1.5/30G0/1192.168.1.6/30linklinkR2R1Switch1Hosts in VLAN10

Hints

  • The high input error count on G0/0 suggests a Layer 1 issue, possibly duplex mismatch.
  • Compare the configured duplex on R1's G0/0 with the typical auto-negotiation settings on a switch.
  • Reverting to auto-negotiation on both speed and duplex is often the solution for such mismatches.
A.Configure 'no duplex' and 'no speed' under interface GigabitEthernet0/0 to enable auto-negotiation.
B.Change the duplex setting on GigabitEthernet0/0 to half-duplex using 'duplex half'.
C.Apply 'speed 100' and 'duplex full' on GigabitEthernet0/0 to match a common switch configuration.
D.Clear the interface counters on GigabitEthernet0/0 with 'clear counters gigabitethernet0/0' without changing any configuration.
AnswerA
solution
! R1
configure terminal
interface GigabitEthernet0/0
no duplex
no speed
end
clear counters GigabitEthernet0/0

Why this answer

The issue is a duplex mismatch on GigabitEthernet0/0. R1 is configured with 'duplex full' and 'speed 1000', but the connected switch port is likely set to auto-negotiate or is set to half-duplex. This causes high input errors (1500) and degraded performance.

The fix is to set R1's G0/0 to auto-negotiate both speed and duplex, matching the switch's configuration. Enter interface configuration mode for G0/0, issue 'no duplex' and 'no speed' to revert to auto, then clear the interface counters with 'clear counters gigabitethernet0/0'.

Exam trap

The exam trap is that candidates often focus on speed mismatches or clearing counters, but the real issue is duplex mismatch. Remember that on GigabitEthernet interfaces, auto-negotiation is the default and recommended setting; static duplex/speed settings can cause mismatches and errors.

Why the other options are wrong

B

The specific factual error is that manually setting half-duplex does not resolve a mismatch; it may create a new mismatch or degrade performance further.

C

The specific factual error is that GigabitEthernet interfaces usually operate at 1000 Mbps; setting speed to 100 may cause the interface to not come up or to underperform.

D

The specific factual error is that clearing counters is a diagnostic step, not a fix. The root cause (duplex mismatch) remains unaddressed.

975
MCQhard

A router learns the same destination from EIGRP and OSPF. The EIGRP route has a metric of 1000, and the OSPF route has a metric of 10. Which route is installed by default?

A.The OSPF route, because 10 is lower than 1000
B.The EIGRP route, because its source has a lower default administrative distance
C.Both routes automatically install for load balancing
D.Neither route installs until the administrator chooses manually
AnswerB

This is correct because EIGRP is preferred over OSPF by default due to administrative distance.

Why this answer

The EIGRP route is installed by default because route selection between different routing protocols is based on administrative distance before the protocol-specific metric is compared across sources. In plain language, the router does not compare an OSPF metric of 10 directly against an EIGRP metric of 1000 because those metrics come from different systems and are not numerically comparable in a meaningful cross-protocol way. Instead, the router first looks at the trustworthiness of the source.

By default, internal EIGRP routes have a lower administrative distance than OSPF routes, so EIGRP wins even though the OSPF metric value appears lower. This is a classic CCNA trap designed to catch people who compare metrics across different protocols without considering administrative distance first.

Exam trap

A common exam trap is to assume that the route with the numerically lowest metric is always preferred, regardless of the routing protocol. In this question, the OSPF route has a metric of 10, which looks better than the EIGRP metric of 1000. However, metrics from different protocols are not directly comparable.

The router first compares administrative distance, which rates the trustworthiness of the routing source. Since EIGRP’s default administrative distance (90) is lower than OSPF’s (110), the router installs the EIGRP route despite its higher metric. This trap tests your understanding of routing protocol preference, not just metric values.

Why the other options are wrong

A

This option is incorrect because it assumes the router compares OSPF and EIGRP metrics directly. Metrics from different protocols are not comparable until administrative distance is considered, so the lower OSPF metric does not guarantee route installation.

C

This option is incorrect because load balancing occurs only when multiple equal-cost routes exist within the same routing protocol. Routes from different protocols are not automatically load-balanced simply because they reach the same destination.

D

This option is incorrect because the router automatically selects the best route using its decision process based on administrative distance and metric. Manual intervention is not required for route installation in this scenario.

Page 12

Page 13 of 25

Page 14