CCNA 200-301 v2 (200-301) — Questions 976–1050

1819 questions total · 25 pages · All types, answers revealed

Page 14 of 25
976
Matching (medium)

Drag and drop the protocols/technologies on the left to the descriptions on the right.

Matches

NETCONF: Uses XML-encoded RPCs over SSH for network device configuration

RESTCONF: Uses HTTP/HTTPS methods (GET, POST, PUT, DELETE) with JSON or XML

YANG: Data modeling language that defines the structure of configuration and state data

gRPC: High-performance RPC framework using Protocol Buffers and HTTP/2

OpenConfig: Vendor-neutral YANG data models for network configuration and monitoring

Why these pairings

NETCONF uses XML-encoded RPCs over SSH (port 830) for device configuration. RESTCONF uses HTTP/HTTPS methods with JSON or XML. YANG is a data modeling language defining structure of configuration/state data. gRPC is a high-performance RPC framework using Protocol Buffers over HTTP/2.

OpenConfig provides vendor-neutral YANG models. These pairings reflect their primary characteristics as tested on the CCNA.

Exam trap

Candidates often confuse NETCONF with RESTCONF: both use structured data, but NETCONF uses SSH and XML-RPC, while RESTCONF uses HTTP/HTTPS and supports both JSON and XML.

977
MCQ (hard)

Based on the exhibit, why are clients in VLAN 70 failing to resolve hostnames even though they can reach remote IP addresses?

A. The clients are missing valid DNS server information.
B. The default gateway must be removed from the DHCP scope.
C. The clients must use PPP before DNS works.
D. The VLAN must be converted to the native VLAN on all trunks.
Answer: A

This is correct because hostname-based access fails while direct IP access works, and the scope shown does not provide a DNS server option.

Why this answer

The strongest explanation is that the clients are missing valid DNS server information. In practical terms, successful reachability to remote IP addresses proves that Layer 3 forwarding is working. The failure occurs only when a hostname is used, which points to a naming service problem rather than a general connectivity problem. The DHCP scope shown provides an address and default gateway, but no DNS server option is defined.

This is a very realistic IP-services troubleshooting pattern because the network path works while application usability still fails.

Exam trap

A frequent exam trap is to mistake the inability to resolve hostnames as a routing or VLAN trunking problem. Candidates might incorrectly believe that removing the default gateway or converting the VLAN to the native VLAN on trunks will resolve the issue. However, these options do not address DNS resolution, which is an application-layer service independent of Layer 3 forwarding.

The trap arises because clients can reach remote IP addresses, misleading candidates to focus on routing or VLAN configuration rather than missing DNS server information in the DHCP scope.

Why the other options are wrong

B

Removing the default gateway from the DHCP scope is incorrect because the default gateway is essential for routing traffic outside the local VLAN. Its presence does not cause hostname resolution failures.

C

The suggestion that clients must use PPP before DNS works is incorrect because PPP is unrelated to DNS resolution in a typical VLAN and DHCP environment. DNS operates independently of PPP.

D

Converting the VLAN to the native VLAN on all trunks does not affect DNS resolution. This option addresses Layer 2 trunking issues, which are unrelated to the hostname resolution problem described.

978
Matching (medium)

Drag and drop the DNS record types on the left to their correct descriptions or purposes on the right.

Matches

A: Maps a hostname to an IPv4 address

AAAA: Maps a hostname to an IPv6 address

CNAME: Creates an alias from one domain name to another

MX: Specifies the mail server responsible for accepting email on behalf of a domain

NS: Identifies the authoritative name servers for a DNS zone

PTR: Used for reverse DNS lookup, mapping an IP address to a hostname

Why these pairings

These pairings correctly match each DNS record type to its function: A maps hostnames to IPv4, AAAA to IPv6, CNAME creates an alias, MX specifies mail servers, NS identifies authoritative name servers, and PTR enables reverse DNS lookup.

Exam trap

Be careful not to confuse A and AAAA records based on address family, or to mix up CNAME and MX records. Always associate the record type with its specific function.

979
MCQ (hard)

A router learns 172.16.0.0/16 from OSPF and 172.16.10.0/24 from a static route. Which route is used for traffic to 172.16.10.55?

A. The OSPF /16 route
B. The static /24 route
C. The default route
D. Neither route because the prefixes overlap
Answer: B

This is correct because 172.16.10.55 falls within the more specific /24 route.

Why this answer

The static /24 route is used because it is more specific than the OSPF /16 route. In plain language, even though OSPF is a dynamic source and the /16 covers the destination broadly, the router prefers the entry that describes the exact destination range more precisely. Since 172.16.10.55 falls within 172.16.10.0/24, that route wins under longest-prefix match.

This is a classic example of route specificity taking priority: comparisons of route source and administrative distance only come into play between routes of equal prefix length.

Exam trap

A frequent exam trap is assuming that the dynamic OSPF route will always be preferred over a static route, regardless of prefix length. Many candidates overlook that the router prioritizes the longest-prefix match before considering administrative distance or route source. Because 172.16.10.0/24 is more specific than 172.16.0.0/16, the router uses the static route for traffic to 172.16.10.55.

Misunderstanding this can lead to incorrect answers, especially when both routes overlap. Remember, overlapping routes are common and resolved by prefix specificity, not by route type alone.

Why the other options are wrong

A

The OSPF /16 route is less specific than the static /24 route. Although OSPF is a dynamic routing protocol, the router prefers the route with the longer prefix length, so this option is incorrect.

C

The default route is only used when no specific matching route exists. Since both OSPF and static routes cover the destination, the default route is not used here, so this option is incorrect.

D

Overlapping prefixes are normal in routing tables and do not prevent route selection. The router resolves overlaps using longest-prefix match, so this option is incorrect.

980
Matching (medium)

Match each service or visibility technology to the most appropriate use case.

Matches

Syslog: Collecting device events and messages centrally

SNMP: Reading interface status and counters from devices

NetFlow: Finding which hosts are using the most bandwidth

NTP: Keeping event timelines consistent across systems

Why these pairings

Syslog collects device events and messages centrally, providing a centralized log repository. SNMP reads interface status and counters from devices, offering real-time device monitoring. NetFlow analyzes network traffic to identify bandwidth usage by host, making it ideal for finding top talkers.

NTP synchronizes clocks across systems to maintain consistent event timelines. Each technology is matched to its primary use case.

Exam trap

The trap here is that many technologies have overlapping capabilities (e.g., SNMP can also monitor interface traffic, but it is not a traffic analysis tool like NetFlow). Candidates must focus on the primary, most specific use case for each technology as defined in Cisco documentation.

981
PBQ (hard)

You are troubleshooting a client connectivity issue on VLAN 10. The client PC1 is connected to switch SW1, which is connected to router R1 acting as the default gateway. PC1 can ping its own IP and the default gateway (10.1.10.1) but cannot reach the internet. From the provided router outputs, identify the fault and apply the necessary fix on R1.

Network Topology (diagram not reproduced): PC1 - SW1 - R1 (G0/0.10, 10.1.10.1/24) - ISP

Hints

  • Check if R1 has a default route
  • Look at the Gateway of last resort in the routing table
  • The missing command is under global configuration mode
A. Configure a default route on R1: ip route 0.0.0.0 0.0.0.0 10.1.10.254
B. Configure a static route on R1: ip route 8.8.8.8 255.255.255.255 10.1.10.254
C. Configure a default route on R1: ip route 0.0.0.0 0.0.0.0 10.1.10.1
D. Configure a default route on R1: ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
Answer: A

Solution:
! R1
configure terminal
ip route 0.0.0.0 0.0.0.0 10.1.10.254
end

Why this answer

PC1 can ping its own IP and the gateway (10.1.10.1) but not the internet (8.8.8.8). The router R1 has no default route to forward traffic to the internet. The fix is to configure a default route on R1 pointing to the next-hop IP address of the upstream router (e.g., 10.1.10.254) or an exit interface.

After adding the default route, R1 will be able to forward traffic outside the local subnet.

Exam trap

Trap: Candidates often confuse the client's default gateway with the router's next-hop for internet traffic. They may also think a host route to the specific destination is sufficient, or that using an exit interface alone is always valid. Remember: for internet access, a default route (0.0.0.0/0) is needed, and on Ethernet, always specify a next-hop IP.

Why the other options are wrong

B

The specific factual error is that a host route does not provide general internet access; it only covers the specified destination.

C

The specific factual error is that the next-hop must be a different device (upstream router), not the router's own interface IP.

D

The specific factual error is that on Ethernet interfaces, a next-hop IP is required to avoid potential ARP resolution problems; using only the exit interface is not the standard practice.

982
Drag & Drop (medium)

Drag and drop the following steps into the correct order to configure and verify HSRP on a router interface.

Steps in order

1. Enter interface configuration mode
2. Assign a physical IPv4 address to the interface
3. Set HSRP version 2
4. Configure the HSRP group number and virtual IP address
5. Set the router's priority
6. Enable preemption
7. Verify with show standby

Why this order

The correct order begins by entering interface configuration mode, because all HSRP commands are applied at the interface level. Next, assign a physical IPv4 address to the interface, as HSRP requires a Layer 3 interface with an IP address to function. Set HSRP version 2 before defining the HSRP group to ensure compatibility with extended group numbers and newer features.

Then configure the HSRP group number and virtual IP address to create the standby group. After that, set the router’s priority and enable preemption; these steps customize the active/standby election process. Finally, verify the configuration with the show standby command to confirm HSRP operation.

983
MCQ (hard)

An internal server must always be reachable from outside using the same public IP address. Which translation approach is most appropriate?

A. Static NAT
B. PAT overload
C. No NAT
D. DHCP relay
Answer: A

This is correct because static NAT creates a fixed public-to-private mapping for the server.

Why this answer

A static NAT mapping is the most appropriate approach. In plain language, the outside world needs a stable public address that always represents the same internal server. Static NAT provides that fixed one-to-one relationship, which makes the service reachable predictably.

PAT is better suited for many outbound users sharing one public address, not for presenting one inside server with a consistent external identity. The correct answer is the one that provides a permanent mapping.

Exam trap

A common exam trap is selecting PAT overload instead of static NAT for a server that must be reachable from outside using the same public IP. PAT overload is designed for many internal hosts sharing a single public IP for outbound connections, not for providing a fixed public IP for inbound access. This misunderstanding leads to incorrect assumptions about how inbound traffic is handled.

The exam tests your ability to distinguish between dynamic port-based translation and static one-to-one mappings, so confusing these concepts can cause you to choose the wrong NAT approach.

Why the other options are wrong

B

PAT overload is incorrect because it allows multiple internal hosts to share a single public IP for outbound traffic but does not provide a stable public IP for inbound connections to a specific server.

C

No NAT is incorrect because private IP addresses are not routable on the Internet, so the internal server would not be reachable from outside without address translation.

D

DHCP relay is unrelated to NAT or external reachability; it only forwards DHCP requests between clients and servers across subnets and does not affect how the server is accessed externally.

984
PBQ (hard)

You are connected to R1. The network uses HSRP for default gateway redundancy. Currently, both routers R1 and R2 are in the 'Active' state for HSRP group 10, causing traffic issues. Configure HSRP on R1 so that it becomes the Active router with a priority of 150, preempt enabled, a virtual IP of 192.168.1.254, and track interface GigabitEthernet0/1 so that if it goes down, the priority decrements by 20. Then verify the configuration with 'show standby brief'.

Network Topology (diagram not reproduced): R1 (G0/0 192.168.1.1/24, G0/1 10.0.0.1/30) and R2 (G0/0 192.168.1.2/24, G0/1 10.0.0.2/30); the G0/0 interfaces connect to a shared switch, and the G0/1 interfaces form a direct link between R1 and R2.

Hints

  • HSRP virtual IP must be different from the interface IPs of both routers.
  • Preempt allows a router with higher priority to become Active after recovering.
  • Track interface decrements the priority when the tracked interface goes down.
A. standby 10 ip 192.168.1.254; standby 10 priority 150; standby 10 preempt; standby 10 track GigabitEthernet0/1 20
B. standby 10 ip 192.168.1.254; standby 10 priority 150; standby 10 preempt; standby 10 track GigabitEthernet0/1
C. standby 10 ip 192.168.1.254; standby 10 priority 150; standby 10 track GigabitEthernet0/1 20
D. standby 10 ip 192.168.1.254; standby 10 priority 150; standby 10 preempt; standby 10 track GigabitEthernet0/1 10
Answer: A

Solution:
! R1
interface GigabitEthernet0/0
standby 10 ip 192.168.1.254
standby 10 priority 150
standby 10 preempt
standby 10 track GigabitEthernet0/1 20

Why this answer

The required HSRP configuration consists of all four commands: virtual IP, priority 150, preempt, and tracking with a decrement of 20. Option A lists them correctly. Option B fails because the track command is missing the decrement value.

Option C is incorrect because it omits the 'standby 10 preempt' command; without preempt, the router will not take over the active role even when its priority is higher. Option D uses a decrement of 10 instead of 20, which does not meet the requirement.

Exam trap

Watch out for the decrement value in the track command; it must match the requirement exactly. Also, ensure the virtual IP does not match any interface IP. Preempt must be enabled for the router to take over when it has higher priority.

Why the other options are wrong

B

The track command is missing the decrement value; without it, the router will not adjust its priority when the interface fails.

C

The preempt command is missing; without preempt, a router with higher priority cannot take over the active role.

D

The track command uses a decrement of 10 instead of the required 20, so the priority drop is incorrect.

985
Drag & Drop (medium)

Drag and drop the following steps into the correct order to configure an LACP EtherChannel on two Cisco switches.

Steps in order

1. Enter global configuration mode on both switches
2. Create the port-channel interface with 'interface port-channel'
3. Assign the physical interfaces to the port-channel in LACP active mode with 'channel-group'
4. Verify with 'show etherchannel summary'

Why this order

To configure LACP EtherChannel, start by entering global configuration mode on both switches. Then create the port-channel interface using 'interface port-channel' (optional but good practice). Finally, assign physical interfaces to the port-channel with LACP active mode using the 'channel-group' command, which handles both port binding and mode setting in one step.

Verify with 'show etherchannel summary'.

Exam trap

A common mistake is to treat enabling LACP active as a separate configuration step after assigning interfaces; in reality, the mode is set as part of the 'channel-group' command itself.

986
Matching (medium)

Drag and drop the VLAN/trunking commands and terms on the left to their correct descriptions or functions on the right.

Descriptions to match

Enables 802.1Q trunking on a switch interface

Assigns an access port to VLAN 10

VLAN that carries untagged traffic on a trunk link; default is VLAN 1

Changes the native VLAN on a trunk to VLAN 99

Uses subinterfaces on a single router interface to route between VLANs

Why these pairings

These pairings match common VLAN/trunking commands and terms to their correct descriptions.

Exam trap

Do not confuse the commands for access and trunk ports. Remember that 'switchport mode access' places the port in access mode, while 'switchport mode trunk' places it in trunk mode. Also, the native VLAN and VLAN 1 are related to trunking and default settings, not to the configuration of an access port.

987
Multi-Select (medium)

Which three of the following are characteristics of wireless LAN (WLAN) operation in the 2.4 GHz and 5 GHz bands? (Choose three.)

Select 3 answers
A. The 5 GHz band offers more non-overlapping channels than the 2.4 GHz band.
B. The 2.4 GHz band generally provides longer range than 5 GHz for the same transmit power.
C. Both bands can be used simultaneously by dual-band access points.
D. The 2.4 GHz band supports higher data rates than the 5 GHz band.
E. The 5 GHz band experiences more interference from Bluetooth devices.
F. Both bands require a license for operation in enterprise environments.
Answers: A, B, C

Why this answer

The 5 GHz band offers more non-overlapping channels (up to 23 or 25, depending on regulatory domain) compared to the 2.4 GHz band, which has only three non-overlapping channels (1, 6, 11). The 2.4 GHz band generally provides longer range due to better propagation characteristics and lower attenuation through obstacles. Dual-band access points can operate simultaneously on both bands, allowing clients to connect on either frequency.

Exam trap

Cisco often tests the misconception that the 2.4 GHz band has more channels or that 5 GHz always provides longer range, but the correct understanding is that 5 GHz has more non-overlapping channels and 2.4 GHz offers better range due to lower frequency propagation.

988
Multi-Select (medium)

Which TWO statements accurately describe the characteristics and deployment considerations for fiber optic cabling in a modern enterprise network?

Select 2 answers
A. Single-mode fiber (SMF) typically uses a larger core diameter than multimode fiber (MMF).
B. Multimode fiber (MMF) is generally preferred for longer-distance links, such as between buildings on a campus network.
C. A 1000BASE-LX SFP transceiver operating over single-mode fiber can support distances up to 10 km.
D. When using a 10GBASE-SR SFP+ transceiver over OM3 multimode fiber, the maximum supported distance is 300 meters.
E. Fiber optic cabling is immune to electromagnetic interference (EMI), making it ideal for environments with high electrical noise.
Answers: D, E

10GBASE-SR over OM3 fiber (50/125 µm, 2000 MHz·km modal bandwidth) supports distances up to 300 meters. Over OM4 fiber, the distance increases to 400 meters.

Why this answer

The correct statements are that 10GBASE-SR over OM3 multimode fiber supports up to 300 meters and that fiber optic cabling is immune to electromagnetic interference (EMI), making it ideal for electrically noisy environments. Single-mode fiber actually has a smaller core diameter than multimode, making option A incorrect. Multimode fiber is designed for shorter links, so option B is wrong.

Standard 1000BASE-LX SFP transceivers over single-mode fiber are limited to 5 km, not 10 km, so option C is inaccurate.

Exam trap

Cisco often tests the misconception that single-mode fiber has a larger core diameter than multimode fiber, when in fact the opposite is true, and that multimode fiber is suitable for long-haul links, whereas it is actually limited to shorter distances due to modal dispersion.

Why the other options are wrong

A

Single-mode fiber has a smaller core diameter (typically 9 microns) than multimode (50 or 62.5 microns), so this reverses the relationship.

B

Multimode fiber’s larger core introduces modal dispersion, limiting it to shorter distances; long-distance links use single-mode fiber.

C

IEEE 1000BASE-LX specifies a maximum distance of 5 km over single-mode fiber; 10 km is beyond the standard CCNA curriculum.

989
MCQ (medium)

Why is JSON often preferred over completely unstructured text in API responses?

A. Because JSON provides structured, machine-readable data that software can parse consistently.
B. Because JSON automatically encrypts the payload.
C. Because JSON replaces the need for authentication.
D. Because JSON is the same thing as HTTPS.
Answer: A

This is correct because structure is JSON’s main advantage in automation workflows.

Why this answer

JSON is preferred because it gives software a predictable structure to parse. In practical terms, an application can look for keys, values, arrays, and objects instead of trying to interpret a free-form text paragraph meant mainly for human readers. That makes programmatic processing far more reliable.

This is one of the main reasons JSON is so common in controller APIs and automation tools. It is about structure and machine readability, not encryption, authentication, or HTTPS.

Exam trap

A frequent exam trap is assuming JSON automatically provides encryption or replaces authentication mechanisms. Candidates might incorrectly believe JSON secures data or manages access control, which is false. JSON is solely a structured data format and does not handle security functions.

Confusing JSON with HTTPS or other security protocols leads to misunderstandings about network automation and API behavior. This mistake can cause incorrect answers about how data is protected or transmitted in Cisco automation environments.

Why the other options are wrong

B

Option B is incorrect because JSON is a data format and does not provide encryption. Encryption is handled by protocols like TLS or HTTPS, not by JSON itself, so this option confuses data formatting with security.

C

Option C is wrong since JSON does not replace authentication. Authentication and access control are separate concerns managed by security protocols or API gateways, not by the data format used in responses.

D

Option D is false because JSON is a data format, whereas HTTPS is a transport and security protocol. They serve different purposes and are not interchangeable concepts.

990
MCQ (medium)

Exhibit: A wireless client can see the SSID and associates successfully, but it never gets network access. Other users on the same SSID work. Which issue is the best fit?

A. The AP is advertising the wrong channel width
B. The client failed to obtain a valid IP address from DHCP
C. The SSID must be changed from broadcast to hidden
D. WPA2 automatically blocks clients until NTP is configured
Answer: B

Association without a working IP configuration is a classic symptom.

Why this answer

Successful association means the radio connection is up. If only one client fails to get network access while others work, the most likely issue is a client-specific addressing problem such as not obtaining a valid DHCP lease. Option A is incorrect because channel width affects all clients, not just one.

Option C is incorrect because hiding the SSID does not affect network access after association. Option D is incorrect because WPA2 does not block clients due to NTP; NTP is unrelated to client authentication.

Exam trap

Don't confuse association issues with post-association network access problems. Ensure you understand the difference between connecting to the SSID and obtaining network access.

Why the other options are wrong

A

Channel width affects all clients on the AP, not just a single client.

C

Hiding the SSID only prevents the SSID from being broadcast; it does not impact network access after association.

D

WPA2 does not require NTP for client authentication; NTP is for time synchronization, not client access control.

991
MCQ (medium)

R1 has these static routes configured. When the primary WAN path is up, which route will be installed in the routing table for traffic to 172.16.50.0/24?

A. The route via 10.1.1.2
B. The route via 10.2.2.2
C. The default route via 10.3.3.2
D. Both routes load-balance automatically because the prefix is identical.
Answer: A

It has the lowest AD for that exact prefix.

Why this answer

The route with the lowest administrative distance wins when multiple routes to the same prefix exist. The route via 10.1.1.2 has AD 1, so it is preferred over the floating static route with AD 5. The default route is less specific and does not beat an exact /24 match.

Exam trap

A frequent exam trap is believing that both static routes to the same prefix will load-balance traffic simply because they share the same destination network. This misconception ignores the role of administrative distance, which Cisco uses to select a single best route. Since the two static routes have different AD values (1 and 5), the router will not load-balance but will prefer the route with AD 1 exclusively.

Misreading the floating static route as an active equal-cost path can lead to incorrect answers and misunderstandings about route failover behavior.

Why the other options are wrong

B

This option is incorrect because the route via 10.2.2.2 has a higher administrative distance (AD 5), making it a floating static route that only becomes active if the primary route fails.

C

This option is incorrect because the default route via 10.3.3.2 is less specific than the /24 static routes and will not be installed when a more specific route exists.

D

This option is incorrect because load balancing requires routes to have equal administrative distances and metrics. Since the static routes have different ADs, the router does not load-balance between them.
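Questions 979 and 991 both come down to the same two-stage selection: per prefix, only the route with the lowest administrative distance is installed, and per destination, the installed route with the longest matching prefix forwards the packet. The following Python model is an added example (not part of the question bank); the route tables are constructed from the two questions, the next hops for question 979 are invented since the question gives none, and OSPF is given its default AD of 110.

```python
"""Two-stage route selection: lowest AD per prefix, then longest-prefix match.
Added example; route tables constructed from CCNA questions 979 and 991."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str    # destination network, e.g. "172.16.10.0/24"
    next_hop: str  # next-hop IPv4 address
    source: str    # "static", "ospf", ...
    ad: int        # administrative distance

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix, strict=False)


def build_rib(candidates: Iterable[Route],
              down_next_hops: FrozenSet[str] = frozenset()) -> List[Route]:
    """Install, for each prefix, only the usable route(s) with the lowest AD.
    A route whose next hop is unreachable is not installed, which is what lets a
    floating static (higher AD) take over when the primary path fails."""
    usable = [r for r in candidates if r.next_hop not in down_next_hops]
    rib: List[Route] = []
    for net in {r.network for r in usable}:
        same_prefix = [r for r in usable if r.network == net]
        best_ad = min(r.ad for r in same_prefix)
        rib.extend(r for r in same_prefix if r.ad == best_ad)
    return rib


def lookup(rib: List[Route], destination: str) -> List[Route]:
    """Longest-prefix match against the installed table. More than one route is
    returned only when equal-AD routes to the same prefix were installed, i.e.
    genuine load-balancing candidates."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in rib if dst in r.network]
    if not matches:
        return []
    longest = max(r.network.prefixlen for r in matches)
    return [r for r in matches if r.network.prefixlen == longest]


def next_hop_for(routes: Iterable[Route], destination: str,
                 down_next_hops: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Which next hop forwards traffic to destination, or None if nothing matches."""
    winners = lookup(build_rib(routes, down_next_hops), destination)
    return winners[0].next_hop if winners else None


# Question 979: OSPF /16 (default AD 110) versus static /24 (AD 1).
# The next hops are invented; the question does not give them.
Q979_ROUTES = [
    Route("172.16.0.0/16", "10.0.0.2", "ospf", 110),
    Route("172.16.10.0/24", "10.0.0.6", "static", 1),
]

# Question 991: primary static (AD 1), floating static (AD 5), static default.
Q991_ROUTES = [
    Route("172.16.50.0/24", "10.1.1.2", "static", 1),
    Route("172.16.50.0/24", "10.2.2.2", "static", 5),
    Route("0.0.0.0/0", "10.3.3.2", "static", 1),
]

if __name__ == "__main__":
    # The /24 wins over the /16 regardless of source: longest prefix first.
    print("979 ->", next_hop_for(Q979_ROUTES, "172.16.10.55"))
    # The AD 1 static is installed; the AD 5 floating static is not.
    print("991 primary up ->", next_hop_for(Q991_ROUTES, "172.16.50.7"))
    # Failing the primary next hop lets the floating static take over.
    print("991 primary down ->",
          next_hop_for(Q991_ROUTES, "172.16.50.7", frozenset({"10.1.1.2"})))
    # Anything outside the /24 falls through to the default route.
    print("991 elsewhere ->", next_hop_for(Q991_ROUTES, "8.8.8.8"))
```

Note that `lookup` returns one route in the question 991 case: the two statics share a prefix but not an AD, so they never coexist in the installed table and no load-balancing occurs.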

992
PBQ (hard)

You are connected to SW1. This is a Layer 2 switch that connects multiple IP phones and an AP. The AP is on Gi0/3 and must receive PoE and be placed in VLAN 100 (native VLAN). IP phones on Gi0/1 and Gi0/2 must use VLAN 20 for voice and VLAN 10 for data, and must receive PoE. Currently, the AP cannot get an IP address and the phones have no voice connectivity. Configure SW1 to fix these issues.

Network Topology (diagram not reproduced): SW1 with Gi0/0 as a trunk to the upstream switch, Gi0/1 and Gi0/2 to IP phones, and Gi0/3 to the AP.

Hints

  • IP phones need a separate voice VLAN configured under the access interface.
  • PoE must be explicitly enabled on each interface that needs to supply power.
  • Check the AP interface for PoE status using 'show power inline Gi0/3'.
A. interface Gi0/1; switchport voice vlan 20; power inline auto; interface Gi0/2; switchport voice vlan 20; power inline auto; interface Gi0/3; power inline auto
B. interface Gi0/1; switchport voice vlan 10; power inline auto; interface Gi0/2; switchport voice vlan 10; power inline auto; interface Gi0/3; switchport access vlan 100; power inline auto
C. interface Gi0/1; switchport voice vlan 20; interface Gi0/2; switchport voice vlan 20; interface Gi0/3; switchport access vlan 100
D. interface Gi0/1; power inline auto; interface Gi0/2; power inline auto; interface Gi0/3; power inline auto; switchport trunk native vlan 100
Answer: A

Solution:
! SW1
interface GigabitEthernet0/1
switchport voice vlan 20
power inline auto
exit
interface GigabitEthernet0/2
switchport voice vlan 20
power inline auto
exit
interface GigabitEthernet0/3
power inline auto
exit

Why this answer

The AP on Gi0/3 requires PoE (power inline auto) and must be on a trunk port with native VLAN 100. The current configuration likely lacks PoE, and the port may be set as an access port instead of a trunk. For the IP phones on Gi0/1 and Gi0/2, the missing 'switchport voice vlan 20' command prevents voice traffic from using VLAN 20, and PoE must also be enabled.

The provided solution adds the necessary voice VLAN and PoE commands. Option A is correct because it applies voice VLAN 20 and PoE to the phone ports, and PoE to the AP port. Option B incorrectly assigns voice VLAN 10; Option C omits PoE on the AP port; Option D applies PoE globally but fails to set voice VLANs and incorrectly configures trunk native VLAN on all ports.

Exam trap

Trap: Candidates often forget to enable PoE on ports that need it, or they confuse the voice VLAN with the data VLAN. Always verify that both power and VLAN assignments are correct for IP phones and PoE devices.

Why the other options are wrong

B

The specific factual error is that the voice VLAN is set to VLAN 10 instead of VLAN 20, which contradicts the requirement that voice traffic uses VLAN 20.

C

The specific factual error is the failure to enable PoE on the interfaces, which is required for both the AP and IP phones to operate.

D

The specific factual error is the omission of the 'switchport voice vlan 20' command on the phone ports, leaving them without voice VLAN assignment.

993
Multi-Select (medium)

Which TWO statements correctly describe OSPFv2 router-id selection and verification in a single-area configuration?

Select 2 answers
A. The OSPF router-id is automatically derived from the MAC address of the first Ethernet interface.
B. If the router-id is changed using the 'router-id' command, the change takes effect immediately without any additional action.
C. The router-id must be the same on all routers in a single OSPF area.
D. When no 'router-id' is configured, a loopback interface with the highest IP address is preferred over a physical interface for the router-id.
E. The 'show ip ospf' command displays the current OSPF router-id.
Answers: D, E

Loopback interfaces are preferred due to their stability.

Why this answer

OSPFv2 selects the router-ID based on the highest IP address of any loopback interface when no explicit 'router-id' is configured, making D correct. The 'show ip ospf' command displays the current router-ID, verifying choice E. Option A is incorrect because the router-ID is derived from IP addresses, not MAC addresses.

Option B fails because changing the router-ID requires a reload or clearing the OSPF process to take effect. Option C is wrong because each router must have a unique router-ID; they do not need to match across the area.

Exam trap

Cisco often tests the misconception that changing the router-id takes effect immediately, but in reality, you must clear the OSPF process or reload the router for the change to apply.

Why the other options are wrong

A

The router-ID is derived from the highest IP address on a loopback or physical interface, never from a MAC address.

B

A router-id change does not take effect immediately; you must clear the OSPF process or reload the router.

C

Router-IDs must be unique per router, not identical across all routers in the area.

994
MCQ (medium)

A network engineer checks EtherChannel status on a switch and sees the following output:

Group  Port-channel  Protocol    Ports
------+-------------+---------+-----------------------------
1      Po1(SD)       LACP      Gi1/0/1(s)     Gi1/0/2(I)

What is the most likely reason the EtherChannel is not forwarding traffic?

A. The member interfaces have mismatched speed or duplex settings
B. The port channel is Layer 3 instead of Layer 2
C. At least one member interface is not bundled correctly, so the logical channel is down
D. LACP requires exactly four links to form a bundle
Answer: C

This is correct. The logical EtherChannel is down because the physical members are not properly bundled. The status display is telling you that the switch did not build a working aggregated link, so the port-channel cannot carry traffic as intended.

Why this answer

The safest conclusion from this output is that the member interfaces are not successfully participating in the bundle, so the logical port-channel is down. Cisco exam questions often test whether you can read the status flags without overcommitting to a very specific root cause that the exhibit does not explicitly prove. One member is suspended and another is not bundled into the channel correctly, so the EtherChannel never reaches a healthy forwarding state.

In the real world, that can happen because of trunk mismatches, allowed VLAN mismatches, native VLAN problems, inconsistent channel-group settings, or negotiation issues. The key exam skill is recognizing that the bundle itself failed, not guessing one hidden configuration line that is not shown.

Exam trap

Avoid assuming the problem is due to physical layer issues like speed or duplex when the output suggests a configuration mismatch.

Why the other options are wrong

A

The output shows individual port statuses (s) and (I), which are LACP bundling states (s = suspended, I = stand-alone), not speed/duplex indicators. While speed/duplex mismatches can cause EtherChannel issues, the specific flags in the exhibit point to a bundling problem, not a mismatch.

B

A Layer 3 port-channel can function correctly if configured properly. The output does not indicate any Layer 2 vs Layer 3 mismatch; the problem is that the member interfaces are not successfully bundling into the logical channel, as shown by the (s) and (I) status flags.

D

LACP does not require exactly four links; it can form bundles with 2 to 8 active links (and up to 16 total with standby). The exhibit shows only two member ports, which is perfectly valid for an EtherChannel.
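Added example (not part of the original question set): a small Python parser for the show etherchannel summary table above that reads the port-channel and member flags and produces the verdict the question asks for. The flag legend is the one IOS prints beneath that command; the sample table is constructed, with row 1 reproducing the exhibit and a second, healthy row (Po2) added for contrast. A monitoring script can run this over collected output so a suspended or stand-alone member is noticed before users report the link.

```python
import re

# Flag legend as printed by the IOS "show etherchannel summary" command
FLAG_LEGEND = {
    "D": "down", "P": "bundled in port-channel", "I": "stand-alone", "s": "suspended",
    "H": "hot-standby (LACP only)", "R": "Layer3", "S": "Layer2", "U": "in use",
    "f": "failed to allocate aggregator", "M": "not in use, minimum links not met",
    "u": "unsuitable for bundling", "w": "waiting to be aggregated", "d": "default port",
}

# Constructed sample: row 1 is the exhibit from the question, row 2 is a healthy bundle for contrast
SAMPLE_OUTPUT = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SD)         LACP      Gi1/0/1(s)    Gi1/0/2(I)
2      Po2(SU)         LACP      Gi1/0/3(P)    Gi1/0/4(P)
"""

# One table row: group number, Po name with flags, protocol, then the member list
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(\S+)\s+(.*)$")
# One member: interface name followed by its flags in parentheses
MEMBER_RE = re.compile(r"(\S+?)\(([A-Za-z]+)\)")


def parse_summary(text: str) -> list:
    """Return one dict per port-channel row: group, name, flags, protocol, members."""
    rows = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, separator and legend lines carry no row data
        group, po, po_flags, proto, members = m.groups()
        rows.append({
            "group": int(group), "port_channel": po, "flags": po_flags, "protocol": proto,
            "members": [(name, flags) for name, flags in MEMBER_RE.findall(members)],
        })
    return rows


def describe(flags: str) -> str:
    """Expand a flag string such as 'SU' into its legend text."""
    return ", ".join(FLAG_LEGEND.get(c, f"unknown flag {c!r}") for c in flags)


def diagnose(row: dict) -> str:
    """Healthy when the channel is in use (U) and every member is bundled (P); otherwise name the culprits."""
    members = row["members"]
    if "U" in row["flags"] and members and all("P" in f for _, f in members):
        return "healthy: all members bundled"
    culprits = [f"{name} not bundled ({describe(f)})" for name, f in members if "P" not in f]
    state = "down" if "D" in row["flags"] else "degraded"
    if not culprits:
        return f"{state}: no member information"
    return f"{state}: " + "; ".join(culprits)


if __name__ == "__main__":
    for row in parse_summary(SAMPLE_OUTPUT):
        print(row["port_channel"], row["flags"], "->", diagnose(row))
```

For the exhibit row the verdict is "down: Gi1/0/1 not bundled (suspended); Gi1/0/2 not bundled (stand-alone)", which is exactly the reasoning behind answer C: the flags say the bundle failed, and nothing in them supports a speed/duplex or Layer 2/Layer 3 conclusion.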

995
MCQhard

A host address is 192.168.1.14/29. Which address is the broadcast address for that host’s subnet?

A.192.168.1.7
B.192.168.1.14
C.192.168.1.15
D.192.168.1.16
AnswerC

This is correct because the host is in the 8–15 /29 block, whose broadcast is .15.

Why this answer

A /29 uses blocks of 8 addresses. In plain language, the subnets in the last octet move in increments of 8: 0–7, 8–15, 16–23, and so on. Since the host address ends in 14, it belongs to the 8–15 block. In that block, the last address is the broadcast address, so the broadcast is 192.168.1.15.

This is a classic subnetting pattern because it requires you to place the host inside the correct block and then identify the last address in that block rather than guessing based on the host value itself.

Exam trap

Be careful not to confuse the network address or the next subnet's network address with the broadcast address.

Why the other options are wrong

A

192.168.1.7 is the broadcast address for the /29 block 0–7, which does not contain host .14. The host .14 is in the block 8–15, so its broadcast is .15.

B

192.168.1.14 is the host address itself, not the broadcast address. The broadcast address is always the last address in the subnet, which is .15 for the block 8–15.

D

192.168.1.16 is the network address of the next /29 block (16–23), not the broadcast address for the block containing .14. The broadcast address must be the last address in the same block as the host.
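Worked example (added here; not part of the original question set): the block-of-8 method above carried out in Python with explicit mask arithmetic, so each step is visible, then cross-checked against the standard library's ipaddress module. It generalizes beyond /29 to any prefix length and handles the /31 and /32 edge cases, where there is no separate broadcast/usable split. All sample addresses other than the question's 192.168.1.14/29 are constructed.

```python
import ipaddress


def subnet_info(host_with_prefix: str) -> dict:
    """Network, broadcast and usable range for an IPv4 host written as a.b.c.d/len.

    The arithmetic mirrors the exam method: block size is 2**(32 - prefix),
    the network address is the host with its host bits cleared, and the
    broadcast address is the network with its host bits set.
    """
    host_str, prefix_str = host_with_prefix.split("/")
    prefix = int(prefix_str)
    if not 0 <= prefix <= 32:
        raise ValueError(f"invalid prefix length /{prefix}")
    host = int(ipaddress.IPv4Address(host_str))  # validates the dotted quad
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    network = host & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    block_size = 1 << (32 - prefix)
    if prefix >= 31:
        # /31 (RFC 3021 point-to-point) and /32 use every address; no broadcast is reserved
        first_usable, last_usable, usable = network, broadcast, block_size
    else:
        first_usable, last_usable, usable = network + 1, broadcast - 1, block_size - 2

    def ip(n: int) -> str:
        return str(ipaddress.IPv4Address(n))

    return {
        "mask": ip(mask),
        "block_size": block_size,
        "network": ip(network),
        "broadcast": ip(broadcast),
        "first_usable": ip(first_usable),
        "last_usable": ip(last_usable),
        "usable_hosts": usable,
        "next_network": ip(broadcast + 1) if broadcast < 0xFFFFFFFF else None,
    }


def cross_check(host_with_prefix: str) -> bool:
    """Confirm the manual arithmetic against ipaddress.ip_network."""
    net = ipaddress.ip_network(host_with_prefix, strict=False)
    info = subnet_info(host_with_prefix)
    return (info["network"] == str(net.network_address)
            and info["broadcast"] == str(net.broadcast_address)
            and info["mask"] == str(net.netmask))


if __name__ == "__main__":
    # The question's host, a /31 link, a /32 host route and a larger constructed block
    for example in ("192.168.1.14/29", "10.0.0.7/31", "10.1.2.3/32", "172.16.45.200/20"):
        info = subnet_info(example)
        status = "ok" if cross_check(example) else "MISMATCH"
        print(f"{example:18} network {info['network']:15} broadcast {info['broadcast']:15} "
              f"usable {info['usable_hosts']:>5} [{status}]")
```

For 192.168.1.14/29 the result is network 192.168.1.8, broadcast 192.168.1.15 and next network 192.168.1.16, which lines up the three distractors: .7 is the previous block's broadcast, .14 is the host itself, .16 is the following network address.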

996
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure OSPFv3 for IPv6 on a Cisco router.

Why this order

After entering global config, create the OSPFv3 process, set a router ID, then enable OSPFv3 on the desired interfaces under interface configuration.

Exam trap

Remember that OSPFv3 requires a router ID to be explicitly configured (or derived from an IPv4 address) before enabling it on interfaces. The process must be created first, then the router ID, then interface enablement.

997
MCQhard

A host receives a correct IP address and subnet mask from DHCP but still cannot reach remote networks. Local subnet communication works. Which missing DHCP option is the strongest suspect?

A.Default gateway information
B.An STP root bridge ID
C.A voice VLAN value
D.A router ID
AnswerA

This is correct because the host needs a default gateway for off-subnet traffic.

Why this answer

The strongest suspect is the default gateway option. In practical terms, the host can already identify local destinations because the subnet mask is present. That is why local communication still works. What it does not have is the next hop needed for off-subnet traffic. Without a default gateway, remote communication usually fails.

This is a very common host-troubleshooting scenario. It separates basic local addressing from the additional information required for off-subnet reachability.

Exam trap

A common exam trap is selecting options like STP root bridge ID or voice VLAN as the cause of remote connectivity failure. These options relate to Layer 2 switching or voice VLAN segmentation and do not affect IP routing or host reachability to remote networks. Candidates might confuse DHCP options that influence Layer 2 behavior with those critical for Layer 3 routing.

The key mistake is overlooking the default gateway option, which is essential for off-subnet traffic forwarding. This trap tests the candidate’s understanding of DHCP’s role in providing routing information, not just IP addressing.

Why the other options are wrong

B

An STP root bridge ID is irrelevant to host IP reachability because it pertains to Layer 2 spanning tree topology and does not affect IP routing or DHCP configuration for hosts.

C

A voice VLAN value is specific to voice traffic segmentation on switches and does not influence a host’s ability to route IP packets to remote networks, making it unrelated to the connectivity issue.

D

A router ID is a concept used in routing protocols like OSPF and does not apply to DHCP or host IP configuration, so it cannot cause the described connectivity problem.

998
PBQhard

You are troubleshooting a wireless client association failure on a Cisco WLC. The client is unable to connect to the corporate SSID 'CorpNet' and reports an authentication error. Review the WLC configuration and fix the issue so that the client can associate and obtain an IP address from VLAN 100. The WLC management IP is 192.168.1.10/24.

Hints

  • Check the security settings — the client may not support WPA3.
  • Verify if the SSID is hidden — the client cannot scan for it.
  • Ensure the VLAN assigned to the WLAN matches the client's subnet.
A.Change the WLAN security to WPA2, enable SSID broadcast, and configure the WLAN interface to use VLAN 100 with a DHCP scope on that VLAN.
B.Change the WLAN security to WPA3 only, enable SSID broadcast, and change the management interface IP to 192.168.100.10/24.
C.Keep WPA3, disable SSID broadcast for security, and configure the WLAN interface to use VLAN 100 with a DHCP scope on VLAN 1.
D.Change the WLAN security to WPA2, keep SSID broadcast disabled, and configure the WLAN interface to use VLAN 1.
AnswerA
solution
! WLC
configure terminal
wlan CorpNet 1 CorpNet
security wpa2
security wpa akm psk
security wpa psk ascii 7 1234567890abcdef
no security wpa3-sae
broadcast-ssid enable
interface wlan 1
vlan 100
end

Why this answer

The client authentication and DHCP issues are caused by: (1) WPA3 being configured while the client only supports WPA2, (2) SSID broadcast disabled, preventing client discovery, and (3) the WLAN's client VLAN (100) lacking a DHCP server or scope. The management interface VLAN (1) does not interfere with client DHCP. To resolve, change security to WPA2, enable SSID broadcast, and ensure the WLAN is associated with the correct VLAN (100) and a DHCP scope exists on that VLAN.

Exam trap

Be careful not to confuse the management interface VLAN with the client data VLAN. Also, remember that SSID broadcast must be enabled for clients to discover the network, and security settings must match client capabilities. Always verify DHCP scope placement matches the client VLAN.

Why the other options are wrong

B

The specific factual error is that WPA3-only security may not be supported by the client, and changing the management interface IP does not resolve the client VLAN assignment issue.

C

The specific factual errors are: WPA3 may not be compatible, disabling SSID broadcast hides the network, and DHCP scope must be on the same VLAN as the client (VLAN 100).

D

The specific factual errors are: SSID broadcast must be enabled for client discovery, and the WLAN interface must be mapped to VLAN 100, not VLAN 1.

999
MCQhard

A network engineer is troubleshooting an issue where a Windows 10 workstation (Host-A) cannot reach the internet, but can ping the local default gateway. The engineer runs 'ipconfig /all' on Host-A and reviews the output. What is the most likely cause of the problem?

A.The subnet mask is incorrect.
B.The default gateway is missing or incorrect.
C.The DNS server is configured as a public DNS server that may be unreachable due to network policy or firewall.
D.The host has obtained an APIPA address (169.254.x.x).
AnswerC

The DNS server 8.8.8.8 is a public server; if not reachable from the local network, name resolution fails.

Why this answer

Host-A can ping the default gateway, which confirms that Layer 3 connectivity to the local network is working and that the subnet mask and default gateway are correctly configured. The inability to reach the internet despite this connectivity points to a name resolution failure, likely caused by an incorrect or unreachable DNS server. A public DNS server (e.g., 8.8.8.8) may be blocked by corporate firewall policy, preventing Host-A from resolving internet domain names.

Exam trap

The trap here is that candidates assume a successful ping to the gateway means all Layer 3 connectivity is fine, overlooking that DNS is a separate service that can fail even when IP connectivity is intact.

Why the other options are wrong

A

The subnet mask 255.255.255.0 is correct for a /24 network, so it is not the cause of the problem.

B

The default gateway is correctly set to 192.168.1.1, and the host can ping it, so the gateway is not missing or incorrect.

D

The IPv4 address is 192.168.1.100, which is a valid private address, not an APIPA address (169.254.x.x). APIPA addresses are used when DHCP fails, but here the host has a proper address.

1000
MCQmedium

Why are tokens commonly used in API workflows instead of sending raw credentials with every request?

A.They allow controlled repeated API access without resending raw credentials on every request.
B.They replace the need for HTTPS.
C.They automatically assign IP addresses to controllers.
D.They convert API data into VLAN tags.
AnswerA

This is correct because token-based access is practical for automation workflows.

Why this answer

Tokens are commonly used because they provide a more controlled and practical way to manage repeated API access. In practical terms, a client can authenticate, receive a token, and then present that token on later requests instead of resending a username and password every time. That makes automation workflows easier to operate while still fitting into an access-control model.

This does not eliminate the need for transport security or authorization. It simply provides a common mechanism for controlled repeated API access.

Exam trap

A common exam trap is selecting an answer that claims tokens replace HTTPS or perform network functions like IP address assignment or VLAN tagging. Candidates may incorrectly believe tokens provide transport security or network infrastructure services. However, tokens only manage authentication and authorization at the application layer and do not replace encryption or secure transport protocols.

Misunderstanding this distinction leads to choosing incorrect options that confuse token functionality with unrelated network operations.

Why the other options are wrong

B

Incorrect because tokens do not replace HTTPS; transport security remains necessary to protect data and tokens during transmission.

C

Incorrect as token usage is unrelated to IP address assignment, which is managed by protocols like DHCP or static configuration, not authentication tokens.

D

Incorrect because tokens do not convert API data into VLAN tags; VLAN tagging is a Layer 2 network function unrelated to API authentication mechanisms.

1001
PBQhard

You are connected to SW1 via the console. SW1 is a Layer 2 switch with two links to SW2 configured as an EtherChannel using LACP. The EtherChannel is not coming up. Interface G0/2 was accidentally configured as an access port in VLAN 10, while G0/1 is configured as a trunk. The administrator wants to use LACP to bundle the links. Troubleshoot and fix the configuration to bring up the EtherChannel.

Hints

  • All interfaces in an EtherChannel must have identical configuration.
  • Check if the interfaces are in the same VLAN or trunk mode.
  • LACP active mode requires matching configurations on both ends.
A.Change interface G0/2 to trunk mode and ensure both interfaces have the same allowed VLAN list.
B.Change interface G0/1 to access VLAN 10 to match G0/2.
C.Remove the access VLAN configuration from G0/2 and leave it as a default switchport (dynamic desirable).
D.Change the EtherChannel mode from LACP to PAgP on both switches.
AnswerA
solution
! SW1
interface GigabitEthernet0/2
no switchport access vlan 10
switchport mode trunk

Why this answer

The EtherChannel was down because interface G0/2 was an access port in VLAN 10, while G0/1 was a trunk. For LACP to bundle the links, all member interfaces must have the same configuration, including VLAN and trunk settings. Changing G0/2 to trunk mode resolved the issue.

Exam trap

Do not confuse the requirement for consistent interface configurations with the negotiation protocol. The most common cause of EtherChannel failure is mismatched VLAN or trunk settings, not the protocol (LACP vs PAgP). Always verify that all member ports have identical configurations.

Why the other options are wrong

B

The specific factual error is that changing G0/1 to access VLAN 10 would not resolve the mismatch if the intended configuration is trunking. It would only create a different mismatch if the other side expects trunking.

C

The specific factual error is that dynamic desirable mode does not ensure trunking; it relies on DTP negotiation, which may fail if the other side is set to trunk. Additionally, the VLAN mismatch (access vs trunk) would still prevent EtherChannel formation.

D

The specific factual error is that the protocol does not affect the requirement for consistent interface configurations. Both LACP and PAgP require identical VLAN and trunk settings on all member ports.

1002
PBQhard

You are connected to R1. The link between R1 and R2 is experiencing intermittent connectivity and poor performance. Review the provided show interface output to identify the root cause(s) of the issue, then apply the necessary configuration changes to resolve the problem and restore full connectivity.

Output from R1:

```
GigabitEthernet0/0 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is aaaa.bbbb.cccc (bia aaaa.bbbb.cccc)
  Internet address is 192.168.1.1/30
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 100Mb/s, link type is auto, media type is RJ45
  output flow-control is unsupported, input flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:01, output 00:00:01, output hang never
  Last clearing of "show interface" counters 00:01:23
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     150 packets input, 1500 bytes, 0 no buffer
     Received 0 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     150 input errors, 150 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     200 packets output, 2000 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
```

Hints

  • CRC errors often indicate a duplex mismatch between the two connected devices.
  • Check the current duplex setting on R1's interface—it is set to auto, but the high error count suggests the other end is not negotiating correctly.
  • To fix, manually set both speed and duplex on the interface to match the expected settings of the neighbor.
A.Configure the interface with 'speed 1000' and 'duplex full' to match R2's settings, then clear counters.
B.Replace the faulty cable between R1 and R2 to eliminate CRC errors caused by physical layer issues.
C.Disable autonegotiation on the interface with 'no negotiation auto' to force the link to use the configured speed and duplex.
D.Increase the interface MTU to reduce fragmentation and improve performance on the link.
AnswerA
solution
! R1
interface GigabitEthernet0/0
speed 1000
duplex full

Why this answer

The show interface output reveals that R1's GigabitEthernet0/0 is operating at half-duplex, 100 Mb/s, yet it is accumulating a high number of CRC errors (150 in 1 minute 23 seconds). This indicates a speed/duplex mismatch with R2, which is likely set to full-duplex at 1000 Mb/s. To resolve, you must manually configure R1 to match R2's proper settings by issuing the 'speed 1000' and 'duplex full' commands, then clearing the counters to start fresh monitoring.

The other options are incorrect because they do not address the mismatch: replacing the cable would not fix a configuration issue; disabling autonegotiation alone may not fix the mismatch if the hard-coded values are still wrong; and increasing the MTU does not affect CRC errors caused by duplex mismatch.

Exam trap

CRC errors on a link are often misinterpreted as faulty cabling, but the presence of CRC errors on an interface that is up/up but operating at a mismatched speed or duplex strongly indicates a configuration mismatch between the two ends.

Why the other options are wrong

B

Replacing the cable does not solve a duplex/speed mismatch because the errors are caused by configuration, not physical layer damage.

C

Disabling autonegotiation alone does not guarantee the interface will use the correct speed and duplex; it still requires manual configuration of the correct values.

D

Increasing the MTU addresses fragmentation issues, not CRC errors resulting from duplex or speed mismatches.

1003
MCQmedium

A network team wants routers and switches to have consistent timestamps in logs so event correlation is accurate during an outage. Which service should they verify first?

A.DNS
B.NTP
C.SNMP
D.CDP
AnswerB

Correct choice.

Why this answer

Consistent timestamps depend on synchronized clocks. NTP is the service used to keep network devices aligned to the same time reference, which makes syslog analysis and troubleshooting much more reliable.

Exam trap

Don't confuse protocols with similar acronyms or those related to network management. Focus on the specific function of time synchronization.

Why the other options are wrong

A

DNS (Domain Name System) resolves hostnames to IP addresses and has no role in time synchronization. DNS does not provide timestamp information or clock setting capabilities. Verifying DNS would not help ensure consistent timestamps in logs.

C

SNMP (Simple Network Management Protocol) is used for monitoring and managing network devices, not for time synchronization. While SNMP can retrieve device uptime or timestamps from MIBs, it does not set or synchronize clocks. Relying on SNMP for time consistency would not correct clock drift.

D

CDP (Cisco Discovery Protocol) is a Layer 2 protocol used to discover neighboring Cisco devices and their capabilities. It does not provide time synchronization or affect timestamps in logs. CDP is irrelevant for ensuring consistent timestamps.

1004
PBQhard

You are connected to the console of R1. The network uses IPv6 with EUI-64. R1's GigabitEthernet0/0 has MAC address 0011.2233.4455. You need to configure an IPv6 global unicast address on this interface using EUI-64 format, based on the prefix 2001:db8:acad:1::/64. The interface is currently configured with an IPv4 address only.

Network Topology
R1 G0/0 (192.168.1.1/24) -- SW1

Hints

  • EUI-64 uses the MAC address to form the interface ID.
  • The prefix length is /64.
  • Use the 'ipv6 address' command with the eui-64 option.
A.R1(config-if)# ipv6 address 2001:db8:acad:1:0211:22ff:fe33:4455/64
B.R1(config-if)# ipv6 address 2001:db8:acad:1:0011:22ff:fe33:4455/64
C.R1(config-if)# ipv6 address 2001:db8:acad:1:0211:2233:4455:5566/64
D.R1(config-if)# ipv6 address 2001:db8:acad:1::/64 eui-64
AnswerA
solution
! R1
interface GigabitEthernet0/0
ipv6 address 2001:db8:acad:1::/64 eui-64

Why this answer

The EUI-64 process inserts FF:FE in the middle of the MAC and flips the U/L bit. The command configures the IPv6 address automatically based on the prefix and the interface MAC.

Exam trap

The exam trap is that candidates often forget to flip the U/L bit or confuse the EUI-64 process with simply inserting FF:FE. Also, some may provide the configuration command instead of the actual address. Always remember: flip the seventh bit of the first byte (change 00 to 02, 01 to 03, etc.) and insert FF:FE after the first 24 bits.

Why the other options are wrong

B

The specific factual error is that the U/L bit was not flipped. The EUI-64 process requires flipping the seventh bit of the first byte of the MAC address.

C

The specific factual error is that FF:FE was not inserted between the first and second halves of the MAC address. The EUI-64 format requires the insertion of FF:FE.

D

The specific factual error is that the question asks for the resulting IPv6 address, not the configuration command. The command 'ipv6 address ... eui-64' is used to enable EUI-64, but the answer should be the actual address.
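Added example (not part of the original question set): the EUI-64 procedure from the explanation above in Python, using the question's prefix and MAC. It flips the U/L bit, inserts ff:fe, combines the interface ID with the /64 prefix, and also runs the process in reverse to recover the MAC from an address. A checker classifies each answer choice by which step it skipped, so the distractors B and C are explained mechanically rather than by eye. The MAC notations other than Cisco dotted form are accepted as a generalization; the sample values are the page's own.

```python
import ipaddress
import re

# Values from the question: the /64 prefix and the MAC of R1's GigabitEthernet0/0
PREFIX = "2001:db8:acad:1::/64"
MAC = "0011.2233.4455"


def parse_mac(mac: str) -> bytes:
    """Accept Cisco dotted (0011.2233.4455), colon or dash notation; return the 6 raw bytes."""
    digits = re.sub(r"[.:-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: flip the U/L bit (value 0x02 of byte 0) and insert ff:fe after the OUI."""
    raw = parse_mac(mac)
    oui, nic = raw[:3], raw[3:]
    flipped_oui = bytes([oui[0] ^ 0x02]) + oui[1:]
    return flipped_oui + b"\xff\xfe" + nic


def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 interface ID; returns the compressed text form."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError(f"EUI-64 interface IDs need a /64 prefix, got /{net.prefixlen}")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return f"{ipaddress.IPv6Address(int(net.network_address) | iid)}/64"


def mac_from_eui64(address: str) -> str:
    """Reverse the process: recover the burned-in MAC (Cisco dotted form) from an EUI-64 address."""
    addr = ipaddress.IPv6Address(address.split("/")[0])
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface ID lacks the ff:fe marker; not EUI-64 formed")
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def check_candidate(prefix: str, mac: str, candidate: str) -> str:
    """Classify an answer choice: 'correct', or the EUI-64 step it skipped."""
    expected = ipaddress.IPv6Address(eui64_address(prefix, mac).split("/")[0])
    got = ipaddress.IPv6Address(candidate.split("/")[0])
    if got == expected:
        return "correct"
    iid = got.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return "ff:fe not inserted"
    if iid[0] == parse_mac(mac)[0]:
        return "U/L bit not flipped"
    return "does not match"


if __name__ == "__main__":
    print("EUI-64 address:", eui64_address(PREFIX, MAC))
    for letter, choice in (("A", "2001:db8:acad:1:0211:22ff:fe33:4455/64"),
                           ("B", "2001:db8:acad:1:0011:22ff:fe33:4455/64"),
                           ("C", "2001:db8:acad:1:0211:2233:4455:5566/64")):
        print(letter, check_candidate(PREFIX, MAC, choice))
```

Note what the reverse function shows: an EUI-64 address carries the interface's hardware MAC in clear, so an address seen in a log or capture identifies the device. That is normal for router interfaces, as in this question, and is the reason end hosts commonly use privacy (temporary) interface IDs per RFC 4941 instead.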

1005
MCQmedium

A network engineer is evaluating monitoring technologies for a large enterprise network that requires high-frequency, low-latency traffic data collection with support for custom fields. The solution must also support encryption and authentication to prevent tampering. Which technology best meets these requirements?

A.Configure SNMPv2c with community strings and polling every 30 seconds.
B.Implement streaming telemetry using gRPC with TLS and YANG data models.
C.Deploy NetFlow v9 with custom flow records and SNMPv3 for encryption.
D.Use IPFIX with UDP export and add authentication via MD5 hashing.
AnswerB

Streaming telemetry pushes data at high frequency with low latency, supports custom fields via YANG models, and can be secured with TLS encryption and authentication.

Why this answer

Streaming telemetry using gRPC with TLS and YANG data models is correct because it provides high-frequency, low-latency push-based data collection, supports custom fields via YANG models, and ensures encryption and authentication through TLS. This meets all the requirements, unlike polling-based or unencrypted alternatives.

Exam trap

Cisco often tests the misconception that SNMPv3 or NetFlow with custom records can provide both high-frequency push data and encryption, when in fact streaming telemetry with gRPC and TLS is the only solution that natively combines push-based collection, custom fields, and transport-layer security.

Why the other options are wrong

A

SNMPv2c uses community strings transmitted in plain text, lacking encryption and authentication. Polling every 30 seconds is low-frequency and cannot provide high-frequency, low-latency data collection required for real-time monitoring.

C

NetFlow v9 is export-based and not a real-time push mechanism; it typically sends data in batches, introducing latency. SNMPv3 encryption does not apply to NetFlow data, so the combination does not provide secure, high-frequency streaming.

D

IPFIX over UDP lacks built-in encryption, making data vulnerable to interception. MD5 hashing provides integrity but not encryption or authentication for the entire data stream, failing to meet the security requirements.

1006
Multi-Selectmedium

Which three of the following are true regarding the configuration and operation of a Cisco switch port in access mode? (Choose three.)

Select 3 answers
1. An access port belongs to a single VLAN and carries traffic for that VLAN only.
2. By default, all switch ports are in VLAN 1 unless explicitly changed.
3. The 'switchport mode access' command is required before assigning a VLAN to the port.
4. Voice VLAN can be configured on an access port to carry both data (native VLAN) and voice (voice VLAN) traffic.
5. An access port will drop any frames that are received with an 802.1Q tag.
6. The 'switchport access vlan' command automatically creates the VLAN if it does not already exist in the VLAN database.

Why this answer

An access port is configured to belong to a single VLAN and carries traffic for that VLAN only. By default, all switch ports are placed in VLAN 1. The 'switchport mode access' command is not strictly required before assigning a VLAN; however, for a port to operate as a dedicated access port, the command is necessary to prevent it from forming a trunk via DTP.

Option 5 is incorrect because an access port with a voice VLAN does accept tagged frames for the voice VLAN; it does not drop all tagged frames. Option 6 is incorrect because the 'switchport access vlan' command does not automatically create the VLAN; the VLAN must already exist in the VLAN database or be created manually.

Exam trap

Cisco often tests the misconception that assigning a VLAN to a port automatically puts it in access mode, but in reality, the port's mode must be explicitly set with 'switchport mode access' to prevent it from becoming a trunk via DTP.

1007
Matchingmedium

Match each security term to its most accurate meaning.

Verification of identity

Determination of permitted actions after identity is verified

Recording of activity or usage information

Protection against unauthorized modification

Why these pairings

These are common security threats. Phishing, ransomware, DDoS, man-in-the-middle, zero-day, and social engineering each have distinct meanings as described.

Exam trap

The exam often tests your ability to differentiate between attack types that share common delivery methods (e.g., email) but have different objectives and mechanisms. Focus on the primary goal of each attack: phishing aims to steal credentials, ransomware aims to extort money, DDoS aims to disrupt availability, and MitM aims to intercept data.

1008
MCQhard

A router is configured with a static NAT mapping for an internal server. What is the main operational advantage of this design for outside clients?

A.The server is represented by a fixed public address that outside clients can reach predictably
B.The server automatically shares its public address with all inside users through overload
C.The server no longer needs an IP address on the internal network
D.The mapping removes the need for routing to the server
AnswerA

This is correct because static NAT creates a stable one-to-one mapping.

Why this answer

The main operational advantage is predictability. In plain language, outside clients always know which public IP address represents the internal server. That stable one-to-one mapping makes the server easier to reach consistently from external networks. This is exactly why static NAT is commonly used for inside services that need outside reachability.

This differs from PAT, which is optimized for many outbound user sessions sharing fewer public addresses. Static NAT is valuable when a specific device or service must have a stable external identity.

Exam trap

A frequent exam trap is confusing static NAT with PAT (Port Address Translation). While PAT allows many internal devices to share one public IP by using different port numbers, static NAT assigns a fixed public IP to a single internal device. Selecting an answer that suggests the server shares its public address with all inside users (like option B) is incorrect because static NAT does not perform address overload.

Another trap is assuming static NAT removes the need for routing; however, routing is still required to forward packets to the internal server. Misunderstanding these differences can lead to incorrect answers about NAT behavior and design advantages.

Why the other options are wrong

B

This option is incorrect because it describes PAT behavior, where multiple inside users share a public IP via port overload. Static NAT does not share the public address among users.

C

This option is incorrect because the internal server still requires a valid IP address on the internal network for routing and communication; static NAT does not remove this requirement.

D

This option is incorrect because NAT translates addresses but does not eliminate the need for routing. Proper routing is still necessary to deliver packets to the internal server.

1009
Multi-Selectmedium

Which TWO statements correctly describe aspects of interpreting packet capture output for Layer 2/3 troubleshooting using Wireshark or embedded packet capture on IOS-XE?

Select 2 answers
A.A DHCP Discover packet in a Wireshark capture shows a unicast destination MAC address to the DHCP server.
B.A large number of ARP requests for the same IP address in a packet capture suggests a possible Layer 3 connectivity issue, such as a missing default gateway.
C.A TCP SYN-ACK packet in a capture indicates that the three-way handshake failed and the destination is unreachable.
D.When using embedded packet capture on IOS-XE, you can capture packets on both ingress and egress directions to see if a router is dropping or modifying packets.
E.The TTL value in a captured IP packet always shows the original TTL set by the source host.
AnswersB, D

Repeated ARP requests for the same IP indicate that the device cannot resolve the MAC address, often because the destination is unreachable or the gateway is misconfigured.

Why this answer

Option B is correct because a large number of ARP requests for the same IP address indicates that the device is repeatedly trying to resolve the Layer 3 address to a Layer 2 MAC address, but no device is responding. This often happens when the target IP (e.g., the default gateway) is unreachable or misconfigured, pointing to a Layer 3 connectivity issue. Option D is correct because IOS-XE embedded packet capture supports both ingress and egress capture directions, allowing you to verify whether a router is dropping or modifying packets as they transit.

Option A is incorrect: DHCP Discover is broadcast, not unicast, because the client does not yet know the server’s MAC address. Option C is incorrect: a SYN-ACK is part of a successful three-way handshake (SYN, SYN-ACK, ACK) and indicates the server is reachable; if the handshake failed, you would see only SYN packets or RST packets. Option E is incorrect: the TTL value in a captured packet shows the current TTL after decrementing by each hop; the original TTL is not preserved in the packet.

Exam trap

Cisco often tests the distinction between broadcast and unicast in DHCP and ARP operations, and the trap here is that candidates may assume DHCP Discover is unicast to the server or that a SYN-ACK indicates failure, when in fact it confirms reachability.

Why the other options are wrong

A

DHCP Discover is always broadcast (destination FF:FF:FF:FF:FF:FF), not unicast, because the client does not know the DHCP server's MAC address.

C

A TCP SYN-ACK indicates the server received the SYN and is willing to establish the connection; it is part of a successful three-way handshake, not a failure.

E

The TTL in a captured packet is the value after decrementing at each hop; the original TTL is set by the source but is not preserved in the packet header.
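The repeated-ARP pattern from option B is easy to spot by hand in a small capture but worth automating for a large one. The following script is an added example, not part of the original question set: it parses raw Ethernet/ARP frames by byte offset (no scapy needed), counts requests per target IP, and reports the targets that never answered. The frames, MAC addresses and IPs are constructed in-line rather than taken from a real capture.

```python
import struct
from collections import Counter

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II + ARP frame. Requests go to the broadcast MAC,
    replies are unicast back to the requester (constructed test data)."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else target_mac
    eth = dst + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, opcode
           + sender_mac + ip_bytes(sender_ip) + target_mac + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_ip, target_ip), or None if the frame is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    sender_ip = ".".join(str(b) for b in frame[28:32])
    target_ip = ".".join(str(b) for b in frame[38:42])
    return op, sender_ip, target_ip


def unanswered_arp(frames):
    """Map target IP -> number of requests for it that no reply ever answered."""
    requests, answered = Counter(), set()
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, sender_ip, target_ip = parsed
        if op == ARP_REQUEST:
            requests[target_ip] += 1
        elif op == ARP_REPLY:
            answered.add(sender_ip)
    return {ip: n for ip, n in requests.items() if ip not in answered}


HOST_MAC = bytes.fromhex("0200000000aa")
SRV_MAC = bytes.fromhex("0200000000bb")
ZERO_MAC = bytes(6)

# Constructed capture: the host retries its (absent) gateway 10.0.0.1 five times
# without an answer, while its request for the server 10.0.0.20 is answered.
SAMPLE_CAPTURE = (
    [arp_frame(ARP_REQUEST, HOST_MAC, "10.0.0.10", ZERO_MAC, "10.0.0.1") for _ in range(5)]
    + [arp_frame(ARP_REQUEST, HOST_MAC, "10.0.0.10", ZERO_MAC, "10.0.0.20"),
       arp_frame(ARP_REPLY, SRV_MAC, "10.0.0.20", HOST_MAC, "10.0.0.10")]
)

if __name__ == "__main__":
    for ip, count in unanswered_arp(SAMPLE_CAPTURE).items():
        print(f"{count} unanswered ARP requests for {ip}")
```

A real pcap can be fed in by reading each record's packet bytes (for example with the standard pcap record layout) and passing the list to unanswered_arp; a gateway address at the top of the result with zero replies is the missing-or-misconfigured default gateway the question describes.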

1010
MCQhard

Refer to the exhibit. A network engineer is troubleshooting DHCP issues on a branch office network. Several users report that new devices are unable to obtain IP addresses, even though the DHCP pool configured on R1 appears to have sufficient free addresses. The engineer executes the show ip dhcp conflict command and observes the output. Based on the output, what is the most likely cause of the problem?

A.The DHCP scope is misconfigured with an exclusion range that includes 192.168.1.50 to 192.168.1.59.
B.The ping timeout on the DHCP server is set too low, causing it to falsely detect conflicts.
C.Several hosts on the network are using static IP addresses from the DHCP pool range, causing the DHCP server to mark those addresses as conflicts and depleting the available pool.
D.The DHCP server is not properly releasing expired leases, causing the conflict table to fill up.
AnswerC

Each conflict entry with detection method 'Ping' indicates the server attempted to verify the address and received a reply, meaning a device is already using that IP statically or from another source. The server then marks it as a conflict and withdraws it from the pool, shrinking the pool until no addresses remain free.

Why this answer

The exhibit lists ten IP addresses (192.168.1.50 through .59) that have been detected as conflicts via Ping. This means the DHCP server sent ICMP echo requests to these addresses before offering them and received replies, confirming that hosts with those IPs already exist on the network—likely devices with static IP configurations. The server then marks them as conflicts and excludes them from the pool, reducing the number of available addresses.

With multiple static hosts consuming the address space, the DHCP pool becomes effectively exhausted, preventing new devices from obtaining IPs.

Exam trap

Candidates often mistakenly believe the ping timeout on the server is too short, causing false conflict detections. However, the output explicitly shows successful detection via Ping, meaning the server received a reply, so the conflicts are real and the addresses are genuinely in use.

Why the other options are wrong

A

Candidates may confuse administratively excluded addresses with dynamically detected conflicts.

B

The misconception is that aggressive ping settings create false conflicts, when in fact a conflict entry proves a reply was received.

D

Candidates might think that conflicts represent stale entries, but a conflict entry records a detected address collision, not a lease state. It stays in the table until an administrator clears it with 'clear ip dhcp conflict', so expired leases never land there.
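Once the conflicts are confirmed as real, the practical next step is to fence those addresses out of the pool until the static hosts are renumbered. The script below is an added example, not part of the original question: it parses text in the shape of 'show ip dhcp conflict', counts how many entries fall inside the pool, and collapses them into 'ip dhcp excluded-address' ranges. The sample output is constructed to resemble the exhibit described above; the eleventh entry with a Gratuitous ARP detection is added to show that non-contiguous addresses produce a separate command.

```python
import ipaddress
import re

# Constructed sample modelled on 'show ip dhcp conflict' (not the exhibit itself).
SAMPLE_OUTPUT = """\
IP address        Detection method   Detection time          VRF
192.168.1.50      Ping               Mar 01 2024 10:15 AM
192.168.1.51      Ping               Mar 01 2024 10:15 AM
192.168.1.52      Ping               Mar 01 2024 10:15 AM
192.168.1.53      Ping               Mar 01 2024 10:15 AM
192.168.1.54      Ping               Mar 01 2024 10:15 AM
192.168.1.55      Ping               Mar 01 2024 10:16 AM
192.168.1.56      Ping               Mar 01 2024 10:16 AM
192.168.1.57      Ping               Mar 01 2024 10:16 AM
192.168.1.58      Ping               Mar 01 2024 10:16 AM
192.168.1.59      Ping               Mar 01 2024 10:16 AM
192.168.1.120     Gratuitous ARP     Mar 01 2024 11:02 AM
"""

ROW_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(Ping|Gratuitous ARP)\s+"
    r"(\w{3} \d{2} \d{4} \d{2}:\d{2} [AP]M)"
)


def parse_conflicts(text):
    """Return a list of (address, detection_method, detection_time) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((ipaddress.ip_address(m.group(1)), m.group(2), m.group(3)))
    return rows


def contiguous_ranges(addresses):
    """Collapse addresses into (first, last) runs of consecutive IPs."""
    runs = []
    for ip in sorted(set(addresses)):
        if runs and ip == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], ip)
        else:
            runs.append((ip, ip))
    return runs


def exclusion_commands(text):
    """'ip dhcp excluded-address' lines that keep the conflicting hosts out of the pool."""
    addresses = [row[0] for row in parse_conflicts(text)]
    commands = []
    for first, last in contiguous_ranges(addresses):
        suffix = f" {last}" if last != first else ""
        commands.append(f"ip dhcp excluded-address {first}{suffix}")
    return commands


def conflicts_in_pool(text, pool):
    """How many conflict entries fall inside the given pool network."""
    net = ipaddress.ip_network(pool)
    return sum(1 for addr, _, _ in parse_conflicts(text) if addr in net)


if __name__ == "__main__":
    print(f"{conflicts_in_pool(SAMPLE_OUTPUT, '192.168.1.0/24')} conflicts inside the pool")
    print("\n".join(exclusion_commands(SAMPLE_OUTPUT)))
```

After the exclusions are in place (or the static hosts have been moved), 'clear ip dhcp conflict *' empties the table so the server can offer the remaining addresses again; without that step the conflict entries keep the addresses withheld.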

1011
MCQhard

SW2 receives the following STP details for VLAN 10: The root bridge ID is 32768:0001.0001.0001 (SW1), and SW2's bridge ID is 32768:0002.0002.0002. Its interface Gi0/1 has a path cost of 4 to the root, while Gi0/2 has a path cost of 19. Based on this information, which statement is correct?

A.SW2 is the root bridge for VLAN 10.
B.Gi0/1 on SW2 is the root port.
C.All SW2 ports in VLAN 10 must be designated ports.
D.STP is disabled because the priorities are equal.
AnswerB

The output states that the root is reached through Port 1, which maps to Gi0/1.

Why this answer

The root bridge has the lowest bridge ID. SW1 is the root because its bridge ID is lower than SW2's local bridge ID. On a non-root switch, the port with the best path toward the root becomes the root port, so Gi0/1 is the root port here.

Exam trap

A common exam trap is to incorrectly conclude that STP is disabled when bridge priorities are equal. Candidates may mistakenly believe that equal priorities cause STP to fail or not elect a root bridge. However, STP always elects a root bridge by comparing the MAC addresses as a tiebreaker when priorities match.

Another trap is assuming all ports on a non-root switch must be designated ports, ignoring the existence of a root port that leads toward the root bridge. Misreading the root port can lead to incorrect answers about port roles and network topology.

Why the other options are wrong

A

This option is incorrect because the root bridge ID shown in the STP details differs from SW2's local bridge ID, indicating SW2 is not the root bridge for VLAN 10.

C

This option is wrong since a non-root switch does not have all ports as designated ports; it must have one root port and may have other ports as designated or blocked.

D

This is incorrect because equal priorities do not disable STP; the protocol uses the MAC address portion of the bridge ID to break ties and continue operation.

1012
PBQhard

You are connected to SW1 via the console. SW1 is a Layer 2 switch connected to two other switches (SW2 and SW3) via redundant links. All switches run IEEE 802.1D Spanning Tree Protocol. The network administrator wants SW1 to become the root bridge for VLAN 1. Currently, the root bridge is SW2. Configure SW1 to achieve this and ensure that port G0/1, which connects to an end device, immediately transitions to forwarding state upon link up and is protected from BPDU attacks.

Network Topology
SW1 (console access) with redundant links to SW2 and SW3; SW1 G0/1 connects to the PC

Hints

  • The 'root primary' macro sets the priority to 24576 if that is enough to win the election, otherwise to 4096 below the current root's priority.
  • PortFast allows a port to skip listening/learning states.
  • BPDU Guard err-disables the port if a BPDU is received.
A.Configure 'spanning-tree vlan 1 root primary' globally, and on interface G0/1 configure 'spanning-tree portfast' and 'spanning-tree bpduguard enable'.
B.Configure 'spanning-tree vlan 1 priority 4096' globally, and on interface G0/1 configure 'spanning-tree portfast' and 'spanning-tree guard root'.
C.Configure 'spanning-tree vlan 1 root secondary' globally, and on interface G0/1 configure 'spanning-tree portfast' and 'spanning-tree bpduguard enable'.
D.Configure 'spanning-tree vlan 1 priority 32768' globally, and on interface G0/1 configure 'spanning-tree portfast' and 'spanning-tree bpdufilter enable'.
AnswerA
solution
! SW1
spanning-tree vlan 1 root primary
interface GigabitEthernet0/1
spanning-tree portfast
spanning-tree bpduguard enable

Why this answer

The 'spanning-tree vlan 1 root primary' command is a macro: it sets the bridge priority to 24576 if that wins the election for VLAN 1, otherwise to 4096 below the current root's priority. The value is computed once, from the root seen at that moment, so a switch introduced later with a lower priority would still take over; on SW1's uplinks toward SW2 and SW3, 'spanning-tree guard root' is the feature that would stop that. PortFast on G0/1 speeds up access port convergence, and BPDU Guard protects against rogue switches by err-disabling the port upon BPDU reception.

Exam trap

Do not confuse 'root primary' with 'root secondary' or manual priority settings. Also, remember that BPDU Guard is for access port security, while Root Guard protects the root bridge position. BPDU Filter suppresses BPDUs and is not a security feature.

Why the other options are wrong

B

The specific factual error: 'spanning-tree guard root' enables Root Guard, which blocks a port that receives a superior BPDU so an existing root keeps its role; it does not err-disable a port on any received BPDU the way BPDU Guard does, so it is the wrong protection for an end-device port. A manual priority of 4096 would usually win, but it is not the macro the task asked for and still loses to a switch configured with priority 0.

C

The specific factual error: 'root secondary' is for a backup root, not the primary. It sets the priority to 28672, which is lower than the default 32768 but higher than the 24576 that 'root primary' uses, so SW1 would win only against switches that are still at the default and would lose to any switch that has been tuned to be root.

D

The specific factual error: priority 32768 is the default and does not change root status. BPDU Filter is not a security feature against BPDU attacks; enabled on an interface it stops sending BPDUs and silently ignores the ones it receives, so a rogue switch on G0/1 would go unnoticed and could form a loop instead of being err-disabled.
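The election in question 1011 and the 'root primary' macro in question 1012 follow from a single comparison rule, and it is worth having that rule in code to sanity-check a design before touching priorities. The block below is an added example, not part of the original questions: it compares bridge IDs (priority first, MAC as tiebreaker), picks the root port by lowest root path cost, and computes the priority the Cisco 'root primary' macro would choose. The MAC addresses for the three-switch VLAN 1 topology are constructed; only SW1/SW2 for VLAN 10 come from the question.

```python
DEFAULT_PRIORITY = 32768
ROOT_PRIMARY_TARGET = 24576      # value the 'root primary' macro tries first
ROOT_SECONDARY_PRIORITY = 28672  # value the 'root secondary' macro sets
PRIORITY_STEP = 4096             # priorities are multiples of 4096


def bridge_id(priority, mac):
    """Comparable bridge ID: lower priority wins, then the lower MAC breaks the tie.
    Cisco PVST+ transmits priority + VLAN ID (32769 for VLAN 1); the offset is the
    same for every bridge in a VLAN, so the ordering is unchanged."""
    return (priority, int(mac.replace(".", "").replace(":", ""), 16))


def elect_root(switches):
    """switches: {name: (priority, mac)} -> name of the root bridge."""
    return min(switches, key=lambda name: bridge_id(*switches[name]))


def root_port(path_costs):
    """On a non-root bridge the port with the lowest root path cost is the root port."""
    return min(path_costs, key=path_costs.get)


def root_primary_priority(switches, me):
    """Priority the 'spanning-tree vlan N root primary' macro would assign to `me`:
    24576 if that alone makes `me` the root, otherwise 4096 below the lowest
    priority any other bridge advertises. Raises if that would go below 0."""
    trial = dict(switches)
    trial[me] = (ROOT_PRIMARY_TARGET, switches[me][1])
    if elect_root(trial) == me:
        return ROOT_PRIMARY_TARGET
    lowest_other = min(prio for name, (prio, _) in switches.items() if name != me)
    if lowest_other - PRIORITY_STEP < 0:
        raise ValueError("another bridge already uses priority 0; set the priority manually")
    return lowest_other - PRIORITY_STEP


def after_root_primary(switches, me):
    """Topology once `me` has applied the macro (a one-time computation, not a guarantee)."""
    updated = dict(switches)
    updated[me] = (root_primary_priority(switches, me), switches[me][1])
    return updated


# Question 1011: both at the default priority, SW1 has the lower MAC.
VLAN10 = {"SW1": (DEFAULT_PRIORITY, "0001.0001.0001"),
          "SW2": (DEFAULT_PRIORITY, "0002.0002.0002")}

# Question 1012: SW2 is root today; MACs constructed so that SW2 wins the tie.
VLAN1 = {"SW1": (DEFAULT_PRIORITY, "0003.0003.0003"),
         "SW2": (DEFAULT_PRIORITY, "0001.0001.0001"),
         "SW3": (DEFAULT_PRIORITY, "0002.0002.0002")}

if __name__ == "__main__":
    print("VLAN 10 root:", elect_root(VLAN10), "root port on SW2:", root_port({"Gi0/1": 4, "Gi0/2": 19}))
    print("VLAN 1 root before:", elect_root(VLAN1), "after:", elect_root(after_root_primary(VLAN1, "SW1")))
```

The trial-election step is what distinguishes the macro from a plain 'priority 24576': if another bridge already sits at 24576 with a lower MAC, the macro drops to 20480 instead, and if some bridge is already at 0 it fails, which is why a manually set priority (and root guard on the designated ports) is the durable choice.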

1013
PBQhard

You are troubleshooting connectivity between R1 and R2. The link is down, and you need to identify and fix the issue. Examine the provided 'show interfaces' output and running configuration, then apply the necessary commands to restore connectivity.

Network Topology
R1 G0/0 10.0.0.1/30 ---- link ---- R2 G0/0 10.0.0.2/30

Hints

  • Check the running configuration for the 'shutdown' command.
  • The interface status shows 'administratively down' if it is shutdown.
  • Use the 'no shutdown' command under the interface configuration mode.
A.Enter interface configuration mode for the down interface and issue the 'no shutdown' command.
B.Enter global configuration mode and issue the 'interface reset' command to reset the interface counters.
C.Enter interface configuration mode and issue the 'speed' command to set the interface speed to match the connected device.
D.Enter interface configuration mode and issue the 'no keepalive' command to disable keepalives.
AnswerA
solution
! R1
interface gigabitEthernet 0/0
no shutdown

Why this answer

The interface is administratively down because the 'shutdown' command is present. The line protocol is down because the interface is disabled. To fix this, you must issue the 'no shutdown' command on the interface.

After that, the interface will come up, and the line protocol will become up if the other side is properly configured.

Exam trap

The trap is that candidates may focus on physical layer issues (speed/duplex) or protocol issues (keepalives) instead of recognizing the clear 'administratively down' indication. Always check the interface status first: if it says 'administratively down', the solution is 'no shutdown'.

Why the other options are wrong

B

The specific factual error: 'interface reset' is not a real command; the correct command to reset counters is 'clear counters'.

C

The specific factual error: a speed mismatch leaves the physical link or the line protocol down, but it never produces the 'administratively down' state, which only the 'shutdown' command causes.

D

The specific factual error: 'no keepalive' affects line protocol detection but does not change administrative state.

1014
Multi-Selectmedium

Which two statements accurately describe why NTP and Syslog are often configured together?

Select 2 answers
A.Syslog provides event visibility, while NTP helps keep timestamps consistent across devices.
B.Consistent time improves the usefulness of centralized logs and event correlation.
C.NTP replaces the need for any event logging.
D.Syslog automatically assigns the NTP server address to all devices.
E.Both services can be used only on routers, not switches.
AnswersA, B

This is correct because the two services complement each other operationally.

Why this answer

NTP and Syslog are often configured together because logs become much more useful when the device clocks are aligned. In practical terms, Syslog provides the event messages, while NTP helps ensure that the timestamps on those messages are consistent across the environment. That makes troubleshooting and incident analysis more reliable.

This is a very practical operations concept and comes up often in real troubleshooting workflows.

Exam trap

A common exam trap is selecting the option that NTP replaces the need for event logging or that Syslog automatically configures NTP server addresses. Candidates might confuse time synchronization with logging functionality, but NTP only provides accurate time, not event data. Similarly, Syslog collects logs but does not manage NTP settings.

Misunderstanding these roles can lead to incorrect answers, as the two services complement each other but serve distinct purposes in network management.

Why the other options are wrong

C

This option is incorrect because NTP only synchronizes time and does not replace the need for event logging, which is handled by Syslog or other logging mechanisms.

D

This option is incorrect because Syslog does not configure NTP server addresses or manage time synchronization; these are separate configuration tasks.

E

This option is incorrect because both NTP and Syslog are widely used on various network devices, including routers and switches, not limited to routers alone.

1015
Matchingmedium

Match each troubleshooting observation to the most likely primary area to investigate first.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

DNS

DHCP

NTP

Syslog

Why these pairings

When users can reach servers by IP but not by hostname, DNS resolution is failing. Hosts not receiving addresses automatically indicate DHCP server or relay issues. Device logs with mismatched timestamps point to NTP misconfiguration.

If engineers cannot see centralized events, syslog forwarding or collector configuration is likely at fault.

Exam trap

Candidates may confuse DHCP and DNS symptoms, or mistakenly suspect routing when reachability by IP works but hostname fails.

1016
Multi-Selectmedium

Which of the following statements about VLAN configuration and trunking on a Cisco switch are correct? (Choose all that apply.)

Select 5 answers
A.The native VLAN on a trunk link is used for untagged traffic and should match on both ends of the link.
B.The default VLAN 1 cannot be deleted or removed from a switch.
C.A switchport configured as an access port can carry multiple VLANs.
D.Dynamic Trunking Protocol (DTP) can automatically negotiate trunking between two Cisco switches.
E.The 'switchport trunk allowed vlan' command can be used to restrict which VLANs are permitted on a trunk.
F.A trunk link can only carry VLANs that are globally created on the switch.
AnswersA, B, D, E, F

Why this answer

The native VLAN on a trunk carries untagged traffic, and mismatched native VLANs can cause spanning-tree issues, VLAN hopping, and misdirected control traffic, so both ends must match. VLAN 1 is a system-defined VLAN that cannot be deleted or shut down, making it always available. Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol that can automatically negotiate a trunk when at least one side is set to desirable (auto on both ends never forms a trunk). Because the same negotiation lets an attacker's host on an unconfigured port turn it into a trunk and reach every VLAN, production access ports get 'switchport mode access' plus 'switchport nonegotiate', and unused ports are shut down.

The 'switchport trunk allowed vlan' command prunes VLANs on a trunk, restricting which VLANs are permitted. A trunk link forwards traffic only for VLANs that exist in the local VLAN database, so the statement that it can only carry globally created VLANs is correct. The incorrect option is that an access port can carry multiple VLANs; in reality, an access port is assigned to a single VLAN and cannot carry traffic for multiple VLANs like a trunk.

Exam trap

A common mistake is thinking an access port can carry multiple VLANs like a trunk, or that a trunk automatically forwards all VLANs without requiring them to be locally defined.
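The trunking rules above turn into a short configuration audit: ports left in a dynamic mode, trunks still sending DTP frames, native VLAN 1 on a trunk, and trunks with no allowed-VLAN list. The script below is an added example, not part of the original question: it splits an IOS-style running-config into interface blocks and reports those findings. The config excerpt is constructed, and treating a port with no 'switchport mode' line as 'dynamic auto' is an assumption about the platform default.

```python
import re

# Constructed running-config excerpt (not from the question's switch).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description uplink to core
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description uplink to SW3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/10
 description user port
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/11
 description printer
 switchport access vlan 20
!
interface GigabitEthernet1/0/12
 switchport mode dynamic desirable
!
"""


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for every interface block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            blocks[current] = []
        elif raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
        else:
            current = None      # '!' or any top-level line ends the block
    return blocks


def port_mode(lines):
    """Explicit switchport mode, or 'dynamic auto' (assumed platform default)."""
    for line in lines:
        m = re.match(r"switchport mode (access|trunk|dynamic (?:auto|desirable))$", line)
        if m:
            return m.group(1)
    return "dynamic auto"


def native_vlan(lines):
    for line in lines:
        m = re.match(r"switchport trunk native vlan (\d+)$", line)
        if m:
            return int(m.group(1))
    return 1    # IOS default when nothing is configured


def audit(config):
    """Return a list of (interface, finding) pairs."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        mode = port_mode(lines)
        if mode.startswith("dynamic"):
            findings.append((name, f"mode '{mode}': DTP may negotiate a trunk; set an explicit mode"))
            continue
        if "switchport nonegotiate" not in lines:
            findings.append((name, "DTP frames still sent; add 'switchport nonegotiate'"))
        if mode == "trunk":
            if native_vlan(lines) == 1:
                findings.append((name, "native VLAN 1 on trunk; move it to an unused VLAN"))
            if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
                findings.append((name, "all VLANs allowed; prune with 'switchport trunk allowed vlan'"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

GigabitEthernet1/0/2 and 1/0/10 come out clean; the printer port with only an access VLAN and no mode is the one most often missed in real configs, since it looks like an access port but can still negotiate a trunk. A native-VLAN mismatch between two switches needs both configs, so comparing native_vlan() across the two ends of each link is the natural extension.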

1017
MCQmedium

Exhibit: PCs in VLAN 20 are not receiving addresses from a DHCP server in another subnet. The switch SVI for VLAN 20 is up, and routing is working. Which configuration is most likely missing on the gateway for VLAN 20?

A.ip default-gateway 10.20.20.1
B.ip helper-address 10.99.99.10
C.switchport trunk allowed vlan 20
D.spanning-tree portfast default
AnswerB

The helper address turns the clients' DHCP broadcasts into unicast packets relayed to the remote server.

Why this answer

DHCP Discover messages are broadcasts and do not cross routers by default. An ip helper-address on the client-facing gateway interface (the VLAN 20 SVI here) relays those requests as unicast to the remote DHCP server, inserting the interface address as the relay agent address so the server can pick the matching scope. One caveat a hardened gateway needs: ip helper-address forwards more than DHCP. By default it relays several UDP broadcast services (including TFTP, DNS, time and NetBIOS name service), so the ones that are not needed are removed with 'no ip forward-protocol udp <port>'.

Exam trap

A frequent exam trap is selecting the ip default-gateway command as the solution for DHCP relay issues. This command only applies to Layer 2 switches for their own management traffic and does not forward DHCP broadcasts across routed interfaces. Candidates may also mistakenly focus on VLAN trunking or spanning-tree settings, which do not affect DHCP relay functionality.

The key is to recognize that DHCP broadcasts must be explicitly forwarded by the router or Layer 3 switch interface using ip helper-address to reach a DHCP server in another subnet.

Why the other options are wrong

A

The ip default-gateway command configures the default gateway for a Layer 2 switch’s management interface and does not forward DHCP broadcasts. Since the question involves DHCP relay across routed VLANs, this command is irrelevant.

C

The switchport trunk allowed vlan 20 command controls VLAN traffic allowed on a trunk link but does not influence DHCP relay or routing between VLANs. The issue is DHCP relay, not VLAN trunk configuration.

D

The spanning-tree portfast default command enables PortFast on switch ports to speed up STP convergence and does not affect DHCP relay or routing. It is unrelated to the problem of clients not receiving DHCP addresses.

1018
MCQhard

A network engineer notices that a critical link between two Cisco Catalyst 9300 switches is flapping every few minutes. The link uses a 10GBASE-SR SFP+ module on one end and a 10GBASE-LR SFP+ module on the other. The interface logs show 'Link error recovery - will restart'. The distance between the switches is 500 meters. Which command output best confirms the root cause of the flapping?

A.show interfaces status
B.show interfaces transceiver
C.show interfaces gigabitethernet1/0/1
D.show logging
AnswerB

This command displays the transceiver type, diagnostic monitoring, and can confirm the SFP+ mismatch (e.g., 10GBASE-SR vs 10GBASE-LR).

Why this answer

The correct answer is B because 'show interfaces transceiver' displays the transceiver type and, with the 'detail' keyword, the digital optical monitoring values (transmit power, receive power, temperature) of the SFP+ modules together with their alarm thresholds. 10GBASE-SR (multimode, 850 nm, roughly 300 m on OM3 fiber) and 10GBASE-LR (single-mode, 1310 nm, up to 10 km) are not meant to be paired; over 500 meters the receive level sits at or below the modules' thresholds, which is what produces the intermittent 'Link error recovery - will restart' flapping. This command confirms the root cause by showing the mismatched transceiver types and abnormal receive power levels.

Exam trap

Cisco often tests the distinction between symptom-identifying commands (like 'show logging') and root-cause-identifying commands (like 'show interfaces transceiver'), trapping candidates who stop at seeing the error message without investigating the physical layer mismatch.

Why the other options are wrong

A

It does not show the transceiver type or diagnostic information.

C

It shows line status, error counters and flap history for the interface, but not the transceiver type or optical levels, so it cannot prove the physical-layer mismatch.

D

It indicates a problem but does not provide the specific transceiver details.

1019
MCQhard

Refer to the exhibit. An administrator is trying to access a web server in the DMZ at 192.168.1.10 using HTTPS, but the connection times out. The web server is confirmed to be running and listening on both port 80 and port 443. The administrator examines the access list configuration on the perimeter router. Based on the output of the show access-lists command, what is the most likely cause of the failure?

A.The access list does not include a permit statement for TCP port 443.
B.The access list is applied in the wrong direction on the interface.
C.The web server is not actually listening on TCP port 443, despite the configuration.
D.The 'deny ip any any log' statement at the end of the access list is blocking the HTTPS traffic, so it must be removed.
AnswerA

The only permit entry for the 192.168.1.0/24 network is for 'eq www' (TCP port 80). No entry exists for port 443, so HTTPS traffic is denied by the explicit or implicit deny.

Why this answer

Line 10 of ACL 100 explicitly permits only TCP traffic with destination port 80 ('eq www'). HTTPS relies on TCP port 443, which is not matched by any permit entry. Consequently, HTTPS traffic from any source to any host in 192.168.1.0/24 hits the explicit deny at line 20 (or the implicit deny) and is dropped.

The high match count on the deny statement (1356) confirms that traffic other than HTTP is being blocked, including HTTPS.

Exam trap

Many candidates incorrectly select option D because they see the explicit deny at the end of the ACL and think removing it will solve the problem. However, even without that explicit deny, the implicit deny-all at the end of any ACL would still drop the HTTPS traffic. The real fix is to add a permit statement for TCP port 443 before the deny.

Why the other options are wrong

B

Candidates may assume the ACL is not applied correctly, but without interface details this conclusion cannot be drawn from the given output.

C

Candidates might blame the server configuration rather than the network ACL, but the question stem provides the server state to rule this out.

D

This is a common misconception: the explicit deny is not the root cause; the missing permit is the real issue. Removing the deny without adding a permit for HTTPS would still result in the traffic being blocked by the implicit deny.

1020
MCQhard

An administrator wants to prevent users from browsing to one specific web server while still allowing them to reach other web destinations. Which ACL design principle is most important here?

A.Use the narrowest possible match so only the intended traffic is denied.
B.Always deny all IP traffic to the destination subnet first.
C.Use a standard ACL because destination details never matter.
D.Place the ACL only where no routing exists.
AnswerA

This is correct because precise ACL design reduces unintended side effects.

Why this answer

The most important principle is to write the ACL as narrowly as possible so it matches only the unwanted traffic and does not overblock unrelated traffic. In practical terms, the rule should target the specific destination and service being denied rather than using a broader deny that unintentionally blocks other communication.

This is a precision-and-scope question. Good ACL design is as much about what you avoid blocking as what you intend to block.

Exam trap

Avoid using broad deny statements that block more than necessary. Focus on precision by targeting both IP and port.

Why the other options are wrong

B

This option is wrong because denying all IP traffic to the destination subnet would block all traffic to that subnet, not just the specific web server, which contradicts the requirement to allow access to other web destinations.

C

A standard ACL filters on source address only, so it cannot single out one destination web server; to deny that server it would have to block the users' entire outbound traffic, which is far broader than intended.

D

Placing the ACL only where no routing exists is incorrect because it does not address the requirement of selectively blocking traffic to a specific web server while allowing access to others. ACLs must be strategically placed to control traffic flow effectively based on routing paths.
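Both ACL questions come down to the same evaluation rule: entries are checked in order, the first match decides, and a packet that matches nothing is dropped by the implicit deny. The block below is an added example, not part of the original questions: a small evaluator for extended-ACL entries that reproduces ACL 100 from question 1019 (with and without its explicit deny, and with the missing port-443 permit added) and builds the narrow deny-one-server ACL that question 1020 asks for. The source, user and server addresses are constructed; the IOS rendering helper prints each entry with wildcard masks so the result can be pasted into a config.

```python
import ipaddress


class Ace:
    """One extended ACL entry; dport None means 'any destination port'."""

    def __init__(self, action, proto, src, dst, dport=None):
        self.action, self.proto, self.dport = action, proto, dport
        self.src, self.dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("ip", proto)
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.dport is None or self.dport == dport))

    def to_ios(self):
        """Render in IOS syntax: wildcard masks, 'host' for /32, 'any' for /0."""
        def addr(net):
            if net.prefixlen == 0:
                return "any"
            if net.prefixlen == 32:
                return f"host {net.network_address}"
            return f"{net.network_address} {net.hostmask}"
        port = f" eq {self.dport}" if self.dport is not None else ""
        return f"{self.action} {self.proto} {addr(self.src)} {addr(self.dst)}{port}"


def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry decides; no match means the implicit deny applies."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"


ANY = "0.0.0.0/0"

# Question 1019: ACL 100 as described, the same ACL with its explicit deny removed,
# and the real fix (a permit for TCP 443 ahead of the deny).
ACL_100 = [Ace("permit", "tcp", ANY, "192.168.1.0/24", 80),
           Ace("deny", "ip", ANY, ANY)]
ACL_100_WITHOUT_EXPLICIT_DENY = ACL_100[:1]
ACL_100_FIXED = [Ace("permit", "tcp", ANY, "192.168.1.0/24", 80),
                 Ace("permit", "tcp", ANY, "192.168.1.0/24", 443),
                 Ace("deny", "ip", ANY, ANY)]

# Question 1020: deny web access to one server only (constructed addresses),
# then permit everything else so other destinations keep working.
USERS, BLOCKED_SERVER = "10.1.0.0/16", "203.0.113.10/32"
BLOCK_ONE_SERVER = [Ace("deny", "tcp", USERS, BLOCKED_SERVER, 80),
                    Ace("deny", "tcp", USERS, BLOCKED_SERVER, 443),
                    Ace("permit", "ip", USERS, ANY)]

if __name__ == "__main__":
    for ace in BLOCK_ONE_SERVER:
        print(ace.to_ios())
```

Running HTTPS traffic through ACL_100_WITHOUT_EXPLICIT_DENY still returns "deny", which is the whole point of the exam trap in question 1019; and BLOCK_ONE_SERVER leaves port 22 to the blocked server and port 443 to every other server untouched, which is the narrow match that question 1020 calls for.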

1021
Multi-Selectmedium

A router learns a route to 172.16.0.0/16 via OSPF (administrative distance 110) and a route to 172.16.10.0/24 via EIGRP (administrative distance 90). No other overlapping routes exist. Which TWO statements about how the router handles these routes are correct?

Select 2 answers
A.The router installs only the EIGRP route because it has a lower administrative distance.
B.Both the OSPF and EIGRP routes are installed in the routing table.
C.Traffic to 172.16.10.100 is forwarded using the OSPF route.
D.The EIGRP route is used for all traffic destined to any address within 172.16.0.0/16.
E.The OSPF route is used for destinations within 172.16.0.0/16 that are not part of the 172.16.10.0/24 subnet.
AnswersB, E

Since the routes have different prefix lengths, they are treated as separate destinations and both are installed.

Why this answer

B is correct because the router installs both routes in the routing table when they have different prefix lengths. The EIGRP route to 172.16.10.0/24 (AD 90) is more specific than the OSPF route to 172.16.0.0/16 (AD 110). The router uses the longest prefix match rule for forwarding, so both routes coexist without conflict. E is correct for the same reason: an address such as 172.16.20.1 lies inside the /16 but outside the /24, so only the OSPF entry matches and it is used. Administrative distance would only decide between the two protocols if they advertised the same prefix.

Exam trap

Cisco often tests the misconception that administrative distance alone determines which route is installed, ignoring the critical role of prefix length in the longest prefix match rule.

Why the other options are wrong

A

The router does not discard the OSPF route; it installs both /16 and /24 entries because they represent different network-specific entries.

C

The traffic matches the /24 route, not the /16, so it would be forwarded via the EIGRP next-hop.

D

The /24 is a subset; traffic outside 172.16.10.0/24 matches only the /16 OSPF route.
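The two rules the question tests, longest prefix match for forwarding and administrative distance only for choosing between equal prefixes, are easy to confuse in prose and easy to separate in code. The block below is an added example, not part of the original question: it installs candidate routes with the Cisco default administrative distances, then looks up destinations by longest match. The next-hop addresses are constructed; the prefixes and protocols are the ones from question 1021, plus one extra candidate that shows the AD tiebreak on an identical prefix.

```python
import ipaddress

# Default administrative distances on Cisco IOS.
AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


def install(candidates):
    """candidates: [(prefix, protocol, next_hop)] offered by the routing processes.
    Only exact-prefix duplicates compete on AD; different prefix lengths coexist."""
    table = {}
    for prefix, proto, next_hop in candidates:
        net = ipaddress.ip_network(prefix)
        current = table.get(net)
        if current is None or AD[proto] < AD[current[0]]:
            table[net] = (proto, next_hop)
    return table


def lookup(table, destination):
    """Longest prefix match; returns (prefix, protocol, next_hop) or None."""
    addr = ipaddress.ip_address(destination)
    matches = [(net, entry) for net, entry in table.items() if addr in net]
    if not matches:
        return None
    net, (proto, next_hop) = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), proto, next_hop


# Question 1021 (next hops constructed for illustration).
CANDIDATES = [("172.16.0.0/16", "ospf", "10.0.0.2"),
              ("172.16.10.0/24", "eigrp", "10.0.0.6")]

if __name__ == "__main__":
    table = install(CANDIDATES)
    for dst in ("172.16.10.100", "172.16.20.1"):
        print(dst, "->", lookup(table, dst))
```

The output for 172.16.10.100 names the EIGRP /24 and for 172.16.20.1 the OSPF /16; adding an OSPF candidate for 172.16.10.0/24 does not change the first answer, because EIGRP's AD of 90 wins that equal-prefix contest.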

1022
PBQhard

You are connected to R1 (192.168.1.1). Using RESTCONF, you need to retrieve the current operational status of GigabitEthernet0/0 using the ietf-interfaces YANG module, then change its description to 'WAN Link to R2' via a PATCH request. The device is reachable via HTTPS on port 443, with credentials admin/admin. Identify the correct base URI, YANG path, HTTP headers, and interpret the JSON response. Also, diagnose the error when an incorrect Content-Type or YANG path is used.

Network Topology
R1 G0/0 192.168.1.1/30 ---- link ---- R2 G0/0 192.168.1.2/30

Hints

  • RESTCONF base URI always starts with /restconf
  • In ietf-interfaces the configurable list is 'interfaces/interface'; 'interfaces-state' holds operational data and cannot be patched
  • The correct media type for YANG data in JSON is application/yang-data+json
A.Base URI: https://192.168.1.1/restconf, YANG path: /data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0, Accept: application/yang-data+json, PATCH body: {"ietf-interfaces:description": "WAN Link to R2"}
B.Base URI: https://192.168.1.1/restconf, YANG path: /data/ietf-interfaces:interfaces-state/interface=GigabitEthernet0/0, Accept: application/yang-data+json, PATCH body: {"description": "WAN Link to R2"}
C.Base URI: https://192.168.1.1/restconf, YANG path: /data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0, Accept: application/json, PATCH body: {"description": "WAN Link to R2"}
D.Base URI: https://192.168.1.1/restconf, YANG path: /data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0, Accept: application/yang-data+json, PATCH body: {"description": "WAN Link to R2"}
AnswerA
solution
! R1
GET URI: https://192.168.1.1/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0
GET Headers: Accept: application/yang-data+json
PATCH URI: https://192.168.1.1/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0
PATCH Headers: Content-Type: application/yang-data+json, Accept: application/yang-data+json
PATCH Body: {"ietf-interfaces:interface": [{"name": "GigabitEthernet0/0", "description": "WAN Link to R2"}]}
Error 1: Using Accept: application/json returns 406 Not Acceptable
Error 2: Using Content-Type: application/json returns 415 Unsupported Media Type
Error 3: Using YANG path /data/ietf-interfaces:interfaces-state returns 404 Not Found (operational state, not config)

Why this answer

The correct RESTCONF base URI is https://192.168.1.1/restconf. For the ietf-interfaces module, the YANG path for an interface is /data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0. The required Accept header is application/yang-data+json.

A PATCH request carries the representation of the target resource, so its top-level JSON member name must be module-qualified (RFC 7951): the solution above sends {"ietf-interfaces:interface": [{"name": "GigabitEthernet0/0", "description": "WAN Link to R2"}]}, and a PATCH aimed directly at the description leaf would likewise name it "ietf-interfaces:description". Leaves nested inside an already-qualified object of the same module do not repeat the prefix. Using application/json as the Content-Type returns a 415 Unsupported Media Type error. Using the wrong YANG path (e.g., /data/ietf-interfaces:interfaces-state) returns a 404 Not Found because that path is for operational state, not configurable data. Because RESTCONF sends the credentials with HTTP Basic authentication on every request, the client must verify the device's TLS certificate, and default credentials such as admin/admin belong only in a lab.

Exam trap

Watch out for the YANG module prefix (ietf-interfaces:) on the top-level member of a RESTCONF JSON body; when the body is a single leaf, that leaf is the top-level member and still carries it. Also, differentiate between configuration data (/data/...) and operational state (/data/...-state) paths.

Why the other options are wrong

B

The specific factual error is that interfaces-state is an operational data node, not configurable. RESTCONF requires the /data path for configuration and /operations for RPCs.

C

The specific factual error is that RESTCONF requires the media type application/yang-data+json for JSON encoding of YANG data, not generic application/json.

D

The specific factual error is that the top-level JSON member of a RESTCONF body must be module-qualified (RFC 7951); a bare "description" key does not identify which module's leaf is meant, so the server rejects or ignores it.
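The GET, the PATCH and the three error cases in the solution can be exercised without a device by building the requests exactly as a client would and checking them against the rules a RESTCONF server applies. The block below is an added example, not part of the original question and not IOS-XE code: build_get and build_patch produce real urllib Request objects for R1, and simulate is a small model of the server that returns the status codes the question lists (406, 415, 404) and applies the PATCH as a merge to an in-memory datastore. The datastore contents are constructed; nothing is sent on the network.

```python
import base64
import json
from urllib.parse import quote, unquote, urlparse
from urllib.request import Request

YANG_JSON = "application/yang-data+json"
IFACE_PATH = "/restconf/data/ietf-interfaces:interfaces/interface="


def interface_url(host, ifname):
    # RFC 8040 section 3.5.3: reserved characters in a list key ('/' here) are percent-encoded.
    return f"https://{host}{IFACE_PATH}{quote(ifname, safe='')}"


def basic_auth(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def build_get(host, ifname, user, password, accept=YANG_JSON):
    return Request(interface_url(host, ifname), method="GET",
                   headers={"Accept": accept, "Authorization": basic_auth(user, password)})


def build_patch(host, ifname, description, user, password, content_type=YANG_JSON):
    # Body = the target list entry: module-qualified top-level name plus the key leaf 'name'.
    body = {"ietf-interfaces:interface": [{"name": ifname, "description": description}]}
    return Request(interface_url(host, ifname), data=json.dumps(body).encode(), method="PATCH",
                   headers={"Content-Type": content_type, "Accept": YANG_JSON,
                            "Authorization": basic_auth(user, password)})


# Constructed stand-in for R1's running datastore.
DATASTORE = {"GigabitEthernet0/0": {"name": "GigabitEthernet0/0",
                                    "type": "iana-if-type:ethernetCsmacd",
                                    "enabled": True, "description": ""}}


def simulate(req, datastore):
    """Model of the checks a RESTCONF server applies (RFC 8040); returns (status, body).
    Not device code: it reproduces the status codes discussed in the question."""
    headers = {k.lower(): v for k, v in req.header_items()}
    if headers.get("accept") != YANG_JSON:
        return 406, None                       # cannot produce the requested representation
    path = urlparse(req.full_url).path
    if not path.startswith(IFACE_PATH):
        return 404, None                       # e.g. interfaces-state or an unknown resource
    ifname = unquote(path[len(IFACE_PATH):])
    if ifname not in datastore:
        return 404, None
    if req.get_method() == "GET":
        return 200, {"ietf-interfaces:interface": [dict(datastore[ifname])]}
    if req.get_method() == "PATCH":
        if headers.get("content-type") != YANG_JSON:
            return 415, None                   # body encoding not understood
        entry = json.loads(req.data)["ietf-interfaces:interface"][0]
        if entry.get("name") != ifname:
            return 400, None                   # key in the body must match the URI
        datastore[ifname].update(entry)        # PATCH = merge; untouched leaves survive
        return 204, None
    return 405, None


if __name__ == "__main__":
    store = {k: dict(v) for k, v in DATASTORE.items()}
    print(simulate(build_get("192.168.1.1", "GigabitEthernet0/0", "admin", "admin"), store))
    print(simulate(build_patch("192.168.1.1", "GigabitEthernet0/0", "WAN Link to R2", "admin", "admin"), store))
    print(store["GigabitEthernet0/0"]["description"])
```

To run the same requests against a real device, pass each Request to urllib.request.urlopen with the default SSL context, which verifies the certificate; disabling verification to get past a self-signed lab certificate also removes the only thing protecting the Basic credentials in transit.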

1023
Matchingmedium

Match each controller or automation term to its most accurate description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Central platform used to coordinate policy and management

Application-facing interface used to communicate with the controller

Lightweight structured data format used in API payloads

Secure transport commonly used for API communication

Why these pairings

The Controller is the central platform that coordinates policy and management, typically in software-defined networking (SDN). The Northbound API is the application-facing interface that lets external applications communicate with the controller to request services. JSON (JavaScript Object Notation) is a lightweight, structured data format commonly used in API payloads for its human-readable and machine-parseable syntax.

HTTPS is the secure transport protocol that encrypts API communication to protect data in transit.

Exam trap

Cisco exams often test the specific language or syntax each automation tool uses. Do not confuse Puppet's declarative DSL with Chef's Ruby-based recipes, and remember that Ansible uses YAML playbooks.

1024
Multi-Selecthard

An engineer wants all devices to send logs to 10.10.10.50 and also stamp those logs with consistent time from 10.10.10.60. Which two configurations are required on a Cisco device?

Select 2 answers
A.logging host 10.10.10.50
B.ntp server 10.10.10.60
C.ip helper-address 10.10.10.50
D.snmp-server host 10.10.10.60
E.service timestamps log localtime
AnswersA, B

'logging host' sends syslog messages to the collector, and 'ntp server' synchronizes the clock those messages are stamped with.

Why this answer

One configuration points the device to the syslog collector, and the other points it to the NTP server. The requirement is about centralized logging and accurate timestamps, so both services must be configured. Option E, 'service timestamps log localtime', is a valid command but it only sets the timestamp format to local time; without an NTP server, timestamps will not be consistent across devices. Two related settings are usually added in practice: 'service timestamps log datetime msec' so that messages carry wall-clock time instead of device uptime, and NTP authentication ('ntp authenticate', 'ntp authentication-key', 'ntp trusted-key') so that a spoofed time source cannot skew every timestamp in the environment at once.

Exam trap

A common exam trap is selecting commands related to SNMP or DHCP relay, such as 'snmp-server host' or 'ip helper-address', mistakenly believing they configure logging or time synchronization. Candidates may also choose 'service timestamps log localtime' expecting it to standardize timestamps, but without NTP synchronization, timestamps remain inconsistent across devices. The trap lies in confusing the purpose of these commands with syslog and NTP functions.

The question specifically requires centralized logging and consistent timestamps, which only 'logging host' and 'ntp server' commands fulfill together.

Why the other options are wrong

C

'ip helper-address 10.10.10.50' is incorrect because it is used to relay broadcast traffic like DHCP requests, not for syslog or time synchronization.

D

'snmp-server host 10.10.10.60' is incorrect because SNMP manages network monitoring and traps, but does not synchronize device time or configure syslog destinations.

E

'service timestamps log localtime' is insufficient alone because it only formats the timestamp in local time; without NTP the clock itself may be wrong, so timestamps remain inconsistent across devices.
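Questions 1014 and 1024 both rest on the same operational fact: logs from several devices can only be correlated when each device's clock is trustworthy, and IOS tells you in the message itself whether it was. A timestamp prefixed with '*' comes from a clock that has never been set by NTP, a '.' prefix means NTP synchronization was lost, and an uptime-style stamp means 'service timestamps log datetime' is not configured at all. The block below is an added example, not part of the original questions: it classifies constructed syslog lines by timestamp quality and correlates only the events whose stamps are authoritative. The lines are constructed in the shape IOS produces with 'service sequence-numbers', 'logging origin-id hostname' and 'service timestamps log datetime msec year show-timezone'; the hostnames and addresses are invented.

```python
import re
from datetime import datetime, timedelta

# Constructed log lines: R1 and SW3 are NTP-synchronized, SW2 never synchronized ('*'),
# SW4 lost its NTP peer ('.'), and R2 still stamps with uptime (no datetime timestamps).
SAMPLE_LOGS = [
    "<189>45: R1: Mar 12 2024 10:15:02.114 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down",
    "<189>46: SW2: *Mar  1 00:02:13.231: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<187>47: SW3: Mar 12 2024 10:15:03.002 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<188>48: R2: 2w3d: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]",
    "<189>49: SW4: .Mar 12 2024 10:15:03.500 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
]

LINE_RE = re.compile(
    r"^<\d+>\d+: (?P<host>\S+): (?P<flag>[*.]?)"
    r"(?P<stamp>[^:]+(?::\d{2}){2}(?:\.\d{3})?(?: [A-Z]{3,4})?|\d+w\d+d|\d+d\d+h): "
    r"(?P<msg>%\S+: .*)$"
)
UPTIME_RE = re.compile(r"\d+w\d+d|\d+d\d+h")


def parse_stamp(stamp, default_year):
    """'Mar 12 2024 10:15:02.114 UTC' -> naive datetime. The zone word is dropped
    (the sample is all UTC) and a missing year is filled from default_year."""
    parts = stamp.split()
    if parts[-1].isalpha():
        parts = parts[:-1]
    if len(parts) == 3:
        parts.insert(2, str(default_year))
    fmt = "%b %d %Y %H:%M:%S" + (".%f" if "." in parts[3] else "")
    return datetime.strptime(" ".join(parts), fmt)


def parse_line(line, default_year=2024):
    """Return {host, quality, time, msg} or None for a line that is not IOS syslog."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flag, stamp = m.group("flag"), m.group("stamp")
    if UPTIME_RE.fullmatch(stamp):
        quality, when = "uptime", None            # wall-clock timestamps not enabled
    else:
        when = parse_stamp(stamp, default_year)
        quality = {"*": "never-synced", ".": "lost-sync"}.get(flag, "authoritative")
    return {"host": m.group("host"), "quality": quality, "time": when, "msg": m.group("msg")}


def correlate(lines, window=timedelta(seconds=2)):
    """Pair events from different hosts whose authoritative stamps fall within `window`,
    and list the hosts whose stamps cannot be trusted for correlation at all."""
    events = [e for e in (parse_line(line) for line in lines) if e]
    usable = [e for e in events if e["quality"] == "authoritative"]
    untrusted = sorted({e["host"] for e in events if e["quality"] != "authoritative"})
    pairs = []
    for i, a in enumerate(usable):
        for b in usable[i + 1:]:
            if a["host"] != b["host"] and abs(a["time"] - b["time"]) <= window:
                pairs.append((a["host"], b["host"]))
    return pairs, untrusted


if __name__ == "__main__":
    pairs, untrusted = correlate(SAMPLE_LOGS)
    print("correlated:", pairs)
    print("fix NTP or timestamps on:", untrusted)
```

The link-down messages from R1 and SW3 correlate within a second; the SW4 configuration change, which happened in the same window, is set aside because its clock was drifting, and SW2 and R2 are reported as devices whose logging setup needs fixing before their events can be placed on a shared timeline.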

1025
MCQhard

A user can authenticate successfully to a network device but is denied access to certain commands. Which statement best explains the situation?

A.Authentication succeeded, but authorization limits the user's command access.
B.The device lost all routing information after login.
C.The subnet mask on the user workstation is incorrect.
D.Syslog is blocking the commands for security reasons.
AnswerA

This is correct because permission scope after login is an authorization function.

Why this answer

The situation is best explained by authorization controls. In practical terms, authentication confirms who the user is, but authorization determines what that user can do after login. A successful login followed by restricted command access means the identity is valid but the permission set is limited. On a Cisco device this is typically enforced with 'aaa authorization commands <level> default group tacacs+ local', which checks each command against a TACACS+ server, or with privilege levels assigned to the user, so a valid login can still run only the commands its role permits.

This is one of the most important practical distinctions within AAA.

Exam trap

A common exam trap is assuming that successful authentication means unrestricted access to all device commands. Candidates often confuse authentication with authorization, thinking that if a user can log in, they should have full command privileges. This misunderstanding leads to incorrect answers suggesting routing issues or workstation configuration problems as causes for command denial.

However, Cisco devices distinctly separate authentication (identity verification) from authorization (permission enforcement). Authorization policies can restrict command access even after a successful login, which is the correct explanation in this scenario.

Why the other options are wrong

B

This option is incorrect because losing routing information after login does not selectively deny commands. Routing issues affect packet forwarding, not user command permissions, so it does not explain the selective command denial.

C

This option is invalid because an incorrect subnet mask on the user's workstation would affect network connectivity, not command access on the device after successful login. It does not relate to authorization or command restrictions.

D

This option is wrong since Syslog is a logging mechanism that records events but does not block or restrict user commands. It provides visibility but does not enforce command authorization or deny access.

1026
MCQmedium

A network technician is troubleshooting a connectivity issue where a host cannot communicate with a remote server. The technician notices that frames are being dropped at an intermediate switch. At which OSI model layer does the switch primarily operate, and what is the Protocol Data Unit (PDU) used at that layer?

A.Layer 1; bits
B.Layer 2; frames
C.Layer 3; packets
D.Layer 4; segments
AnswerB

Switches operate at Layer 2 (Data Link) and use frames, which contain source and destination MAC addresses, to make forwarding decisions.

Why this answer

Switches primarily operate at Layer 2 (Data Link layer) of the OSI model, where they make forwarding decisions based on MAC addresses. The Protocol Data Unit (PDU) at this layer is the frame, which includes the MAC header, payload, and trailer. When frames are dropped at an intermediate switch, it indicates a Layer 2 issue such as a MAC address table problem, VLAN mismatch, or duplex mismatch.

Exam trap

Cisco often tests the distinction that a standard switch operates at Layer 2, but candidates may incorrectly choose Layer 3 because they associate switches with VLANs or IP routing, forgetting that basic switching is a Layer 2 function.

Why the other options are wrong

A

Switches do not operate at Layer 1; hubs and repeaters do.

C

While some multilayer switches can route, the basic switch in this scenario operates at Layer 2.

D

Segments are used by transport layer protocols, not by switches.

1027
Multi-Selectmedium

Which TWO statements about IPv4 and IPv6 static routes, including floating static routes, are correct?

Select 2 answers
A.A floating static route uses a higher administrative distance than the primary route to provide backup connectivity.
B.An IPv6 static route using a link-local next-hop address must include both the next-hop address and the outgoing interface.
C.In IPv6, the default route prefix is 0.0.0.0/0.
D.For a floating static route to be installed in the routing table, it must have an administrative distance lower than that of the primary route.
E.An IPv4 static route will only be inserted into the routing table if its next-hop IP address belongs to a directly connected subnet.
AnswersA, B

Floating static routes are backup routes; they are configured with an AD higher than the primary route so they are only used when the primary fails.

Why this answer

Option A is correct because a floating static route is configured with a higher administrative distance (AD) than the primary route. The router installs only the lowest-AD route it knows for a given prefix, so the floating route stays out of the routing table until the primary route disappears, at which point it is installed as the backup. For example, if the primary route is a static route with the default AD of 1, the floating static route might be set to AD 200. Option B is correct because an IPv6 link-local address (fe80::/10) is unique only on its own link, so the router cannot work out the exit interface from the address alone; a static route with a link-local next hop must therefore name the outgoing interface together with the next-hop address.

Exam trap

Cisco often tests the distinction between IPv4 and IPv6 default route prefixes (0.0.0.0/0 vs ::/0) and the requirement for specifying the outgoing interface with IPv6 link-local next-hop addresses, which candidates frequently confuse.

Why the other options are wrong

C

0.0.0.0/0 is the IPv4 default route; the correct IPv6 default prefix is ::/0.

D

A floating static route must have a higher AD, not lower, so that it is less preferred and only installed when the primary (lower AD) route is lost.

E

Cisco IOS requires the next-hop to be reachable, but it does not have to be directly connected. As long as a route exists to reach that next-hop (even recursively), the static route can be installed.

1028
Matchingmedium

Match each AAA component or related term to its most accurate meaning.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Verification of identity

Determination of allowed actions

Recording of activity or usage details

Credential store on the device used for local checks

Why these pairings

In AAA, Authentication verifies identity (who you are), Authorization determines allowed actions (what you can do), Accounting records activity for auditing. A local database stores credentials on the device for local authentication checks. These definitions directly match the pairs in the question.

Exam trap

Learners often confuse the roles of Authentication (identity), Authorization (permissions), and Accounting (logging), or mix them with AAA protocols like RADIUS or TACACS+.

1029
MCQhard

A switch receives superior BPDUs on a port where the design requires that no downstream device ever become the root path for that segment. Which feature is the best fit for that requirement?

A.Root guard
B.BPDU Guard
C.Port security
D.DHCP Snooping
AnswerA

This is correct because root guard prevents the port from becoming a root path when superior BPDUs appear.

Why this answer

Root guard is the best fit because it is designed to prevent a port from becoming the path toward a new root bridge when superior BPDUs are received. In practical terms, it protects the intended STP topology by keeping that port from taking on a root-related forwarding role when the design says it should not.

This is different from BPDU Guard, which is more commonly used on edge ports to disable them entirely if BPDUs appear. Root guard is about protecting topology roles, not just edge-port assumptions.

Exam trap

A common exam trap is selecting BPDU guard instead of root guard because both involve BPDU handling. BPDU guard disables a port immediately upon receiving any BPDU, which is suitable for edge ports but not for ports where topology control is required. Root guard, on the other hand, only blocks ports that receive superior BPDUs, allowing normal BPDUs from the current root bridge.

Confusing these features can lead to incorrect answers, as BPDU guard does not protect the root path role but rather protects against unauthorized devices on edge ports.

Why the other options are wrong

B

BPDU guard is incorrect because it disables a port upon receiving any BPDU, which is suitable for edge ports but does not control root path roles or topology changes.

C

Port security is unrelated to STP root path control; it manages MAC address access on a port and does not affect BPDU processing or root bridge election.

D

DHCP snooping protects against rogue DHCP servers by filtering DHCP messages and does not interact with STP or root bridge election mechanisms.

1030
MCQhard

A network administrator wants to receive an immediate notification from a device when a significant event occurs, rather than polling the device repeatedly. Which SNMP feature is most associated with that requirement?

A.SNMP traps
B.Syslog severity 7
C.DHCP relay
D.NetFlow exporters
AnswerA

This is correct because traps are unsolicited event notifications sent by the device.

Why this answer

SNMP traps are the correct answer because they are an SNMP feature that sends unsolicited, event-driven notifications from the device to the management system when a significant event occurs, eliminating the need for polling. Option B (syslog severity 7) is incorrect because syslog is a separate protocol for logging; while syslog messages are also sent unsolicited, the question specifically asks for an SNMP feature. Options C (DHCP relay) and D (NetFlow exporters) are unrelated to immediate event notifications: DHCP relay forwards broadcast requests, and NetFlow exports traffic flow data for analysis.

Exam trap

A frequent exam trap is mistaking syslog messages or NetFlow exports for the SNMP notification mechanism. Syslog does push messages to a collector without polling, but it is a separate protocol, and a severity level such as 7 (debugging) is only a threshold on how verbose that logging is; it is not an SNMP notification. NetFlow exporters send flow records for traffic analysis, not event alerts.

Candidates may also confuse DHCP relay, which is unrelated to SNMP, with notification features. The key is to remember that, within SNMP, traps (and their acknowledged variant, informs) are the unsolicited, immediate notifications, as opposed to manager-driven polling with Get requests.

Why the other options are wrong

B

Syslog severity 7 is the debugging level, the most verbose logging threshold. Syslog messages are pushed to a syslog server rather than polled, but syslog is a separate protocol and the question asks for an SNMP feature; a severity threshold also says nothing about which events are significant.

C

DHCP relay is a mechanism to forward DHCP requests across networks and has no role in SNMP or event-driven notifications, making it irrelevant to the question.

D

NetFlow exporters provide detailed traffic flow information for analysis but do not send immediate event notifications; they are unrelated to SNMP traps or polling mechanisms.

1031
MCQhard

Refer to the exhibit. A network engineer notices packet loss and sluggish application performance on a branch-office uplink. While troubleshooting, the engineer executes the show interfaces GigabitEthernet0/1 command on the router. Based on the output, what is the most likely cause of the performance issue?

A.The interface is experiencing excessive collisions due to a duplex mismatch.
B.An upstream device is sending traffic at a rate higher than this interface can transmit, causing the output queue to overflow.
C.The interface is receiving corrupted frames, indicated by the zero input errors on the interface.
D.The output queue is full because its size is too small, and increasing the queue depth will resolve the packet loss.
AnswerB

The output queue is maxed (40/40) and output drops are very high (12,450). The 5-minute output rate of 10 Mbps is far below the interface bandwidth of 100 Mbps, yet the queue is overflowing, which indicates microbursts from a faster upstream link overwhelming the slower egress interface. This is the classic signature of a forwarding-rate (bandwidth) mismatch between the sender and this link, not an autonegotiation speed mismatch on the link itself.

Why this answer

The exhibit shows 12,450 output drops and an output queue that is completely full (40/40). The interface is up, operating at 100 Mb/s full-duplex, and shows zero input errors or CRC errors, ruling out physical layer corruption. The high output drops with a maxed-out output queue typically indicate that an upstream device is transmitting at a rate that exceeds the interface’s egress capacity, causing tail drops.

This is a classic symptom of oversubscription where, for example, a distribution switch forwards traffic at 1 Gbps toward a 100 Mbps uplink: the 5-minute average looks low, but short bursts arrive faster than the 100 Mb/s interface can drain them, and once the 40-packet FIFO queue is full every additional packet is tail-dropped.

Exam trap

Candidates often try to increase the output queue size or enable QoS queuing (option D) to absorb bursts, but increasing the queue does not fix the underlying speed mismatch and can introduce excessive bufferbloat, worsening latency. The correct root cause is a mismatch in forwarding rates between the upstream device and the local interface.

Why the other options are wrong

A

Candidates sometimes associate packet loss with duplex mismatches, but a duplex mismatch would also show collisions and typically input errors, both of which are zero here.

C

Option C contradicts itself: zero input errors and zero CRC errors mean no corrupted frames were received, so the counter cannot be evidence of corruption. The clean input side actually rules out a receive-side physical-layer problem.

D

Increasing the queue size is a common workaround that masks the real problem, but the underlying mismatch in forwarding rates remains. CCNA candidates may incorrectly focus on the queue size rather than the relationship between the 100 Mb/s interface speed and a faster upstream sender.

1032
PBQmedium

You are connected to SW1, a Cisco switch that is experiencing intermittent connectivity issues. The network administrator suspects a duplex mismatch between SW1 and the connected router R1. Use CDP to verify the status and check interface statistics.

Network Topology
Network Topology: R1 G0/0 <-> SW1 G0/1

Hints

  • CDP shows the remote device's capabilities and interface details.
  • Look at the duplex settings on both sides; a mismatch typically shows as CRC errors and runts on the full-duplex side.
  • The half-duplex side of a mismatch logs late collisions in its interface counters.
A.The switch port is set to half duplex, and the router is set to full duplex, causing CRC errors and late collisions.
B.The switch port is set to full duplex, and the router is set to half duplex, causing runts and FCS errors.
C.The switch port and router are both set to half duplex, but the cable is faulty, causing CRC errors.
D.The switch port is set to auto-negotiation, and the router is set to half duplex, causing late collisions.
AnswerA
solution
! SW1
show cdp neighbors GigabitEthernet0/1 detail
show interfaces GigabitEthernet0/1
show interfaces GigabitEthernet0/1 counters errors

Why this answer

The switch port is manually set to half duplex while the router negotiates (or is set) to full duplex, causing a mismatch. The show cdp neighbors detail output on SW1 reports the router's duplex as full, and IOS also logs a CDP duplex-mismatch message when it detects the disagreement. The interface statistics show the mismatch from both sides: SW1's half-duplex port counts late collisions (it aborts transmissions when it senses the router sending at the same time), while R1's full-duplex port counts CRC errors and runts from the frames SW1 truncated.

The solution is to set the switch port to auto-negotiation or match the duplex setting with the router.

Exam trap

The exam trap is that candidates may confuse the symptoms of duplex mismatch (CRC errors and late collisions) with other issues like cable faults or speed mismatches. Also, they might forget that CDP can be used to verify the duplex setting of a neighbor. Always check CDP output and interface error counters when troubleshooting connectivity issues.

Why the other options are wrong

B

Option B has the duplex settings reversed: in this scenario the switch port is set to half duplex and the router to full duplex. Runts and FCS (CRC) errors are a genuine symptom of a mismatch, but they appear on the full-duplex side, so those counters alone do not identify which side is misconfigured.

C

The specific factual error is that a duplex mismatch requires different duplex settings; both half duplex would not cause a mismatch. Faulty cables are a different issue.

D

The specific factual error is that auto-negotiation would likely result in half duplex on both sides, avoiding a mismatch. The scenario states the switch port is manually set to half duplex, not auto.

1033
Matchingmedium

Drag and drop the cable issue symptoms on the left to the correct descriptions on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Frames that failed the cyclic redundancy check, often due to faulty cabling or electromagnetic interference

Total of all receive-side errors, including runts, giants, CRC, and frame errors

Packets that could not be transmitted successfully, often due to collisions or buffer overruns

Frames smaller than 64 bytes, typically caused by collisions or faulty hardware

Frames larger than the maximum allowed size, often due to a malfunctioning NIC or duplex mismatch

Why these pairings

Each interface counter describes a specific type of packet failure. CRC errors occur when the frame check sequence fails, pointing to physical issues like bad cabling or interference. Input errors is a broader counter that sums all receive-side anomalies, including CRC errors, runts, and giants.

Output errors represents transmit-side failures, often from collisions, buffer overruns, or late collisions. Runts are frames shorter than the 64-byte minimum, commonly caused by collisions or defective hardware, while giants exceed the maximum frame size and usually indicate a duplex mismatch or faulty NIC. Understanding these categories helps pinpoint whether the problem is receive-side, transmit-side, or due to physical layer faults.

Exam trap

Do not confuse the summary counter (input errors) with the specific counters it contains (CRC, runts, giants, frame errors), and keep receive-side counters (input errors) separate from transmit-side ones (output errors, collisions). Focus on the definition of each counter.
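The three questions above (the output-drop exhibit in 1031, the duplex-mismatch lab in 1032 and the counter definitions in 1033) all come down to reading the same show interfaces counters. The following is an added example, not part of the original page or Cisco's own tooling: a small parser that pulls the relevant counters out of show interfaces output and applies the triage rules described above. Both sample outputs are constructed to mimic IOS formatting; the interface name and every counter value are assumed, not captured from a real device.

```python
"""Triage of Cisco IOS 'show interfaces' counters (added example, not Cisco code).

The two outputs below are constructed to mimic IOS formatting; values are assumed.
"""
import re
from dataclasses import dataclass

# Constructed: the Q1031 signature, full output queue, high output drops,
# low average utilization on a 100 Mb/s uplink, clean input side.
SAMPLE_OVERSUBSCRIBED = """\
GigabitEthernet0/1 is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
  Full-duplex, 100Mb/s, media type is RJ45
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 12450
  Output queue: 40/40 (size/max)
  5 minute input rate 2000000 bits/sec, 300 packets/sec
  5 minute output rate 10000000 bits/sec, 1200 packets/sec
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

# Constructed: the half-duplex side of a duplex mismatch (Q1032, SW1 Gi0/1).
SAMPLE_HALF_DUPLEX = """\
GigabitEthernet0/1 is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
  Half-duplex, 100Mb/s, media type is RJ45
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Output queue: 0/40 (size/max)
  5 minute input rate 500000 bits/sec, 90 packets/sec
  5 minute output rate 700000 bits/sec, 110 packets/sec
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     87 output errors, 120 collisions, 0 interface resets
     0 babbles, 87 late collision, 0 deferred
"""


@dataclass
class IfaceStats:
    name: str
    bw_kbit: int
    duplex: str
    output_drops: int
    outq_size: int
    outq_max: int
    out_rate_bps: int
    input_errors: int
    crc: int
    runts: int
    giants: int
    collisions: int
    late_collisions: int


def _num(pattern, text):
    """First integer captured by `pattern`, or 0 when that counter line is absent."""
    m = re.search(pattern, text)
    return int(m.group(1)) if m else 0


def parse_show_interfaces(text):
    """Extract the counters the triage rules need from one interface's output."""
    text = text.lstrip()
    name = re.match(r"(\S+) is ", text).group(1)
    duplex = re.search(r"(Full|Half)-duplex", text)
    outq = re.search(r"Output queue: (\d+)/(\d+)", text)
    return IfaceStats(
        name=name,
        bw_kbit=_num(r"BW (\d+) Kbit", text),
        duplex=duplex.group(1).lower() if duplex else "unknown",
        output_drops=_num(r"Total output drops: (\d+)", text),
        outq_size=int(outq.group(1)) if outq else 0,
        outq_max=int(outq.group(2)) if outq else 0,
        out_rate_bps=_num(r"output rate (\d+) bits/sec", text),
        input_errors=_num(r"(\d+) input errors", text),
        crc=_num(r"(\d+) CRC", text),
        runts=_num(r"(\d+) runts", text),
        giants=_num(r"(\d+) giants", text),
        collisions=_num(r"(\d+) collisions", text),
        late_collisions=_num(r"(\d+) late collision", text),
    )


def diagnose(s):
    """Apply the counter-reading rules from questions 1031-1033; returns a list of findings."""
    findings = []
    if s.late_collisions:
        findings.append("half-duplex side of a duplex mismatch (late collisions)")
    if (s.crc or s.runts) and not (s.collisions or s.late_collisions):
        findings.append("full-duplex side of a duplex mismatch, or bad cabling/EMI (CRC or runts, no collisions)")
    if s.giants:
        findings.append("oversized frames: faulty NIC or MTU/jumbo mismatch (giants)")
    if s.output_drops and s.outq_max and s.outq_size >= s.outq_max:
        link_bps = s.bw_kbit * 1000
        if link_bps and s.out_rate_bps < link_bps // 2:
            findings.append("egress oversubscription: queue full at low average utilization, "
                            "a faster upstream sender is bursting into this link")
        else:
            findings.append("sustained egress congestion: queue full near line rate")
    return findings or ["no layer 1/2 fault signature in these counters"]
```

Run diagnose(parse_show_interfaces(SAMPLE_OVERSUBSCRIBED)) and the only finding is the oversubscription one, with no duplex or cabling signature, which is exactly the reasoning that selects option B in question 1031; the half-duplex sample produces the late-collision finding and nothing else.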

1034
MCQhard

R1 cannot reach host 10.3.3.1 on R3. The technician checks routing: R1 has a route to 10.3.3.0/24 via next-hop 10.1.1.2 (R2). R2 has a route to 10.3.3.0/24 via next-hop 10.2.2.2 (R3). A ping from R1 to 10.3.3.1 times out. A ping from R2 to 10.3.3.1 succeeds. What should the technician do next?

A.Verify that R3 has a route back to R1’s subnet.
B.Check whether an inbound ACL on R3 is blocking packets with R1’s source IP address.
C.Verify the OSPF neighbor adjacency between R2 and R3.
D.Test for an MTU mismatch along the path from R1 to R3.
AnswerB

The symptom is that pings from R1 fail while pings from R2 succeed. This points to a packet filter that treats the two source addresses differently. An ACL applied to the interface on R3 that receives the pings could be permitting traffic from R2 but denying traffic from R1. Inspecting the ACL directly tests this hypothesis and is a precise next troubleshooting step.

Why this answer

Because R2 can successfully ping R3, we know that R3 is reachable, the path from R2 to R3 is functional, OSPF (or whatever IGP) is working between them, and R3 has a route back to R2's subnet. The failure is isolated to traffic sourced from R1. This strongly suggests a filtering issue that specifically denies R1's source IP address.

Checking for an inbound ACL on R3's receiving interface is the logical next step once Layer 3 reachability has been confirmed: it directly tests the hypothesis that R3 is receiving R1's pings but discarding them because of a filtering policy. It avoids unnecessary investigation of routing or link-layer problems that the successful R2 ping has already ruled out.

Exam trap

Many candidates will choose to check the return route to R1's subnet on R3 (Option A), assuming that a missing route back to the source is causing the one-way ping failure, and the exam treats the successful R2 ping as evidence that R3 can already reach the R2 side of the path. A practitioner should know the limit of that evidence: a plain ping from R2 is sourced from its R3-facing interface (10.2.2.1), so it proves nothing about R3's route to 10.1.1.0/24. An extended ping from R2 sourced from 10.1.1.2 settles that in one step; if it fails, look at the return route, and if it succeeds while R1's ping still fails, the source-selective filter hypothesis in Option B is the one left standing.

Why the other options are wrong

A

It skips the more targeted hypothesis that an access control list is selectively blocking R1. The candidate mistakenly assumes that a unidirectional reachability problem is always caused by a missing return route.

C

This option investigates a Layer 3 adjacency that the successful R2-to-R3 ping has already validated. Candidates often default to checking neighbor state without considering the evidence that rules it out.

D

Candidates may recall MTU as a cause of intermittent connectivity issues, but here the symptom is a total failure from one source, making MTU a low-probability next step.

1035
MCQmedium

A switchport should automatically disable itself if too many MAC addresses are learned beyond the configured secure limit. Which port-security violation mode causes that behavior?

A.shutdown
B.protect
C.restrict
D.dynamic
AnswerA

This is correct because shutdown mode places the port into an error-disabled state when a violation occurs.

Why this answer

Shutdown is the violation mode that error-disables the port. In plain language, when the switch sees a port-security violation under shutdown mode, it reacts by taking the interface out of service rather than simply dropping frames quietly. That behavior is useful when the administrator wants a clear and strong response to unauthorized devices.

This matters because port security has several violation modes and they do not behave the same way. Restrict and protect can keep the interface up, while shutdown is the mode associated with the most visible response.

Exam trap

Be aware that not all port-security violation modes disable the port. Only Shutdown mode does this.

Why the other options are wrong

B

The 'protect' mode does not disable the port when the secure MAC address limit is exceeded; instead, it drops packets from unknown MAC addresses without generating a notification. This behavior does not match the requirement of the question.

C

The 'restrict' mode drops frames from unknown MAC addresses, increments the violation counter, and sends a syslog message and SNMP trap, but it keeps the interface up. It does not meet the requirement of automatically disabling the port when the MAC address limit is exceeded.

D

The 'dynamic' option is incorrect because it does not refer to a specific port-security violation mode that disables the port when the MAC address limit is exceeded. Instead, it implies the dynamic learning of MAC addresses without enforcing a security limit.

1036
MCQhard

A user can connect to the employee SSID and receive the correct employee IP subnet, but access to one internal application fails only for that WLAN while wired users succeed. Which troubleshooting area is the strongest first focus?

A.A WLAN-specific policy or filtering rule affecting access to that application
B.The SSID broadcast setting
C.Whether the access point has a valid hostname
D.Whether the client is using PPP instead of Ethernet
AnswerA

This is correct because the failure is selective by WLAN and application, not a total connectivity problem.

Why this answer

The strongest first focus is the policy or filtering path specific to that WLAN or traffic class. In practical terms, the user has already shown that the correct WLAN join, authentication, and subnet assignment are working. Because wired users succeed and only one application fails from that WLAN, the most likely issue is a WLAN-specific policy, ACL, firewall rule, or path treatment affecting that application.

This is a realistic selective-access troubleshooting scenario and tests whether the candidate narrows the fault domain correctly.

Exam trap

Avoid assuming the problem is with the user's device or general network settings when the issue is isolated to a specific WLAN.

Why the other options are wrong

B

The SSID broadcast setting does not directly impact the ability of users to connect to an internal application once they are authenticated and assigned an IP address. Since wired users can access the application, the issue is likely related to WLAN-specific configurations rather than SSID visibility.

C

The access point's hostname does not directly impact application access; it primarily affects network identification and management. Since the issue is specific to WLAN access and not present for wired users, the hostname is unlikely to be the cause.

D

This option is wrong because the issue pertains to application access over a specific WLAN, not the type of connection (PPP vs. Ethernet). The problem likely lies in WLAN configuration rather than the protocol used by the client device.

1037
Drag & Dropmedium

Drag and drop the following steps into the correct order to describe the ARP resolution process when a host needs to send data to another host on the same Ethernet network.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
Step 1: The sender checks its ARP cache for an entry for the target IPv4 address.
Step 2: If there is no entry, it broadcasts an ARP request (destination MAC ffff.ffff.ffff) asking who owns the target IPv4 address.
Step 3: The target host replies with a unicast ARP reply carrying its MAC address.
Step 4: The sender caches the IP-to-MAC mapping and sends the data frame directly to that MAC address.

Why this order

ARP resolution begins with checking the cache, then broadcasting a request if needed, the target replies with its MAC, and the source updates its cache to send data directly.

Exam trap

The most common trap is to assume that ARP always starts with a broadcast. Remember that the cache check is always the first step to avoid unnecessary broadcasts.

1038
PBQhard

You are connected to R1. Configure the NTP client to synchronize with the NTP server at 203.0.113.10, using the Loopback0 interface (192.168.1.1/32) as the source. Also configure syslog to send messages of severity level 5 (notifications) and more severe (levels 0 through 5) to the syslog server at 198.51.100.20. Currently, NTP shows stratum 16 (unsynchronized) and important syslog messages are being missed.

Network Topology
Network Topology: R1 G0/0 10.0.0.1/30 <-> R2 G0/0 10.0.0.2/30; the syslog server 198.51.100.20 is reached via R2

Hints

  • NTP uses the source IP address of outgoing packets; ensure the NTP server can reach your source IP.
  • Syslog trap levels are cumulative: a level sends that severity and everything more severe (lower number). 'informational' (6) sends levels 0–6; 'notifications' (5) sends levels 0–5 and excludes informational and debugging.
  • Use 'show ntp associations' to see if the server is reachable and its stratum.
A.ntp server 203.0.113.10 source Loopback0 logging trap notifications
B.ntp server 203.0.113.10 source Loopback0 logging trap informational
C.ntp server 203.0.113.10 logging trap notifications
D.ntp server 203.0.113.10 source Loopback0 logging trap debugging
AnswerA
solution
! R1
configure terminal
! NTP client: poll the server, sourcing from the routable loopback so replies come back
ntp server 203.0.113.10
ntp source Loopback0
! Syslog: send levels 0-5 (notifications and more severe) to the collector
logging host 198.51.100.20
logging trap notifications
end
copy running-config startup-config

Why this answer

The NTP client is not synchronizing because the source interface is not specified; by default, the router uses the outgoing interface IP which may not be reachable by the NTP server for replies. Adding 'ntp source Loopback0' ensures NTP packets have a consistent source IP. The syslog trap level was set to 'informational' (level 6), which includes too many messages; to capture only notifications (level 5) and below (i.e., severity 0–5), change the trap level to 'notifications' using 'logging trap notifications'.

This filters out lower-severity messages while retaining those that are notifications or more critical.

Exam trap

Watch out for two common traps: 1) Forgetting to specify the NTP source interface when the router has multiple interfaces, so the server's replies are addressed to an interface it cannot reach and synchronization fails. 2) Misreading syslog severity levels: 'informational' (level 6) does include 'notifications' (level 5), because trap levels are cumulative, but it also sends the level 6 chatter the task excludes, so the correct answer is the level that stops at 5. Always remember that lower severity numbers mean higher importance.

Why the other options are wrong

B

The trap level 'informational' sends severity 0 through 6, which does include notifications (5) but also includes informational messages (6). The task asks for level 5 and more severe only, so 'informational' is broader than required.

C

The NTP source interface must be explicitly set to ensure the server can reply to the correct IP; omitting it can lead to unsynchronized state.

D

The debugging level (7) includes every severity, which is far too broad; the requirement is to capture only notifications (level 5) and more severe, which requires the 'notifications' level.
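Because the severity-level logic above is where candidates slip, here is an added example (not from the original page and not Cisco code) that applies a logging trap threshold to IOS-style log lines and also flags timestamps that IOS marks as not authoritative, the '*' prefix a router prints on its timestamps before its clock is NTP-synchronized, which is why the stratum 16 state in this task and the inconsistent timestamps in question 1024 are the same problem. The log lines are constructed in the %FACILITY-SEVERITY-MNEMONIC format; the mnemonics and addresses are illustrative, not captured from a device.

```python
"""Syslog severity filtering as 'logging trap <level>' applies it (added example, not Cisco code)."""
import re

# IOS trap levels: lower number = more severe; a level sends itself and everything more severe.
TRAP_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# %FACILITY-SEVERITY-MNEMONIC: text, preceded by a 'service timestamps log datetime msec'
# stamp. A leading '*' (or '.') is how IOS marks a timestamp as not authoritative,
# i.e. the clock is not (or no longer) synchronized by NTP.
MSG_RE = re.compile(
    r"^(?P<flag>[*.])?(?P<stamp>[A-Za-z]{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

# Constructed sample lines (mnemonics illustrative, addresses from documentation ranges).
# The first five carry the '*' flag a router prints before it reaches NTP sync.
SAMPLE_LOG = [
    "*Mar  1 00:02:11.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.9)",
    "*Mar  1 00:02:30.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:02:31.002: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:03:02.555: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.9] [localport: 22]",
    "*Mar  1 00:03:10.000: %NTP-6-PEERREACH: Peer 203.0.113.10 is reachable",
    "Jan 14 09:15:00.000: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 198.51.100.20 port 514 started - CLI initiated",
    "Jan 14 09:15:01.000: %PARSER-7-EXAMPLE_DEBUG: constructed debugging-level line",
]


def parse_syslog(line):
    """Return a dict with the severity as int and an 'authoritative' flag, or None if unparseable."""
    m = MSG_RE.match(line)
    if not m:
        return None
    msg = m.groupdict()
    msg["sev"] = int(msg["sev"])
    msg["authoritative"] = msg["flag"] is None
    return msg


def apply_trap_level(lines, level):
    """Keep the messages a 'logging trap <level>' setting would forward to the syslog host."""
    threshold = TRAP_LEVELS[level]
    return [m for m in map(parse_syslog, lines) if m and m["sev"] <= threshold]


def unauthoritative_timestamps(lines):
    """Messages whose timestamps cannot be correlated across devices because NTP was not synced."""
    return [m for m in map(parse_syslog, lines) if m and not m["authoritative"]]
```

With 'notifications' the filter forwards four of the seven lines (the two level 5, the level 3 and the level 4 messages); 'informational' forwards six and 'debugging' all seven, which is the cumulative behaviour the hints describe. The five '*'-flagged lines are the ones an analyst could not line up against another device's log, which is the operational reason the NTP part of this task matters.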

1039
MCQhard

A subnet must support 30 usable IPv4 host addresses. Which prefix is the smallest that meets the requirement?

A./28
B./27
C./26
D./25
AnswerB

This is correct because a /27 provides 30 usable host addresses.

Why this answer

A /27 is the smallest subnet (longest prefix) that fits. In plain language, a /27 leaves 5 host bits, giving 32 total addresses; after subtracting the network and broadcast addresses, 30 usable host addresses remain, exactly the requirement. A /28 would be too small because it provides only 14 usable hosts.

This is a classic minimum-prefix question because it checks whether you can work backward from a host requirement and choose the smallest subnet that fits without over-allocating more space than necessary.

Exam trap

A frequent exam trap is choosing a /28 prefix because it appears to be the closest to supporting 30 hosts. However, a /28 subnet only provides 16 total addresses, of which 14 are usable for hosts after excluding the network and broadcast addresses. This mistake arises from confusing total addresses with usable hosts or failing to subtract the reserved addresses.

Selecting a /28 leaves the subnet short of host capacity. Always remember that usable hosts equal total addresses minus two, which is critical when sizing subnets for CCNA questions.

Why the other options are wrong

A

Option A (/28) is incorrect because a /28 subnet provides only 16 total addresses, which results in 14 usable host addresses after subtracting the network and broadcast addresses. This is insufficient to support 30 hosts.

C

Option C (/26) is incorrect because although it supports 62 usable hosts, it is larger than necessary for 30 hosts, leading to inefficient IP address allocation.

D

Option D (/25) is incorrect because it provides 126 usable host addresses, which is far more than required, resulting in significant address space waste.
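The same arithmetic, carried through generally rather than only for 30 hosts, as an added example that is not part of the original page: given a host count, find the longest prefix whose usable address count (total minus network and broadcast) covers it, then lay out the resulting subnet. The base addresses used are assumed for illustration.

```python
"""Smallest IPv4 subnet for a given host count (added example, not from the original page)."""
import ipaddress


def smallest_prefix_for_hosts(hosts):
    """Longest prefix whose usable count (2**host_bits - 2) covers `hosts`.

    The network and broadcast addresses are reserved, as the CCNA rule assumes;
    /31 point-to-point links (RFC 3021) are deliberately outside this rule.
    """
    if hosts < 1:
        raise ValueError("need at least one host")
    host_bits = 2                      # /30 is the smallest subnet with usable hosts here
    while (2 ** host_bits) - 2 < hosts:
        host_bits += 1
    return 32 - host_bits


def plan_subnet(base, hosts):
    """Lay out the smallest subnet containing `base` that fits `hosts` (base is an assumed address)."""
    prefix = smallest_prefix_for_hosts(hosts)
    net = ipaddress.ip_network(f"{base}/{prefix}", strict=False)   # snap base to the subnet boundary
    usable = net.num_addresses - 2
    return {
        "network": str(net),
        "mask": str(net.netmask),
        "usable": usable,
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "broadcast": str(net.broadcast_address),
        "wasted": usable - hosts,
    }


if __name__ == "__main__":
    for n in (14, 15, 30, 31, 62, 100):
        p = plan_subnet("192.168.10.0", n)
        print(f"{n:>4} hosts -> {p['network']:<18} mask {p['mask']} usable {p['usable']} wasted {p['wasted']}")
```

The loop in the main block shows the boundaries the exam likes to probe: 14 hosts fit a /28, 15 already need a /27, 30 fit a /27 exactly, and 31 push the answer to a /26.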

1040
Matchingmedium

Drag and drop the syslog and NTP items on the left to the correct descriptions on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Alert: immediate action needed

Notification: normal but significant condition

Reference clock (e.g., atomic clock or GPS)

NTP client synchronized to a stratum 1 server

Configures the device as an NTP client

Displays syslog messages in the buffer

Why these pairings

Alert is syslog severity 1 and notification is severity 5 (the full scale is emergency 0, alert 1, critical 2, error 3, warning 4, notification 5, informational 6, debugging 7). A reference clock such as an atomic clock or GPS receiver is stratum 0, and an NTP client synchronized to a stratum 1 server becomes stratum 2. The ntp server command configures the device as an NTP client, and show logging displays the messages held in the logging buffer.

Exam trap

Watch out for mixing up syslog severity levels (0-7) and their descriptions. Also, ensure you are matching the correct category (syslog vs NTP) to the description provided.

1041
MCQhard

Exhibit: A standard ACL meant to block host 10.10.10.50 from reaching any remote network was applied inbound on the branch router's LAN interface, but users report that all local traffic from that host is now blocked. What is the better placement?

A.Leave it inbound on the LAN because standard ACLs belong near the source
B.Move it outbound on the WAN-facing interface closer to the destination
C.Convert it to a VTY access-class
D.Apply it inbound on all switch access ports
AnswerB

A standard ACL filters on source address only, so applied inbound on the LAN interface it stops every packet the router forwards from that host, not just those bound for remote networks. Applied outbound on the WAN interface, it only touches traffic that is actually leaving for remote destinations.

Why this answer

A standard ACL matches only the source address. If it is placed near the source, it can block that host from reaching destinations you did not intend to affect. Standard ACLs are best placed close to the destination.

Exam trap

A frequent exam trap is believing that standard ACLs should always be applied inbound near the source to block unwanted traffic early. Since standard ACLs filter only by source IP, placing one inbound on the LAN interface blocks everything the router forwards from that host, including traffic to other local subnets and internal servers behind the same router (frames to hosts in the host's own VLAN never cross the router, so only routed traffic is affected). This leads to unintended outages and user complaints.

The trap is confusing the ACL placement rule for extended ACLs, which are placed near the source, with the rule for standard ACLs, which should be placed near the destination to avoid over-blocking.

Why the other options are wrong

A

Leaving the standard ACL inbound on the LAN interface is incorrect because standard ACLs filter only by source IP, so every packet the router receives from that host is dropped, including traffic to other internal subnets. This disrupts local communications and is not best practice.

C

Converting the ACL to a VTY access-class is irrelevant to the question because VTY access-classes control remote management access to the router, not general traffic filtering from a host to remote networks.

D

Applying the ACL inbound on all switch access ports is impractical and inefficient. It would block traffic at multiple points unnecessarily and does not address the specific need to filter traffic from the host to remote networks.

1042
MCQmedium

R1 has the following static route configured: ip route 0.0.0.0 0.0.0.0 203.0.113.1 What does this route accomplish?

A.It blocks unknown destinations from leaving the router.
B.It creates a host route to 203.0.113.1 only.
C.It advertises all connected routes into OSPF.
D.It creates a default route used when no more specific route exists.
AnswerD

This is correct because `0.0.0.0 0.0.0.0` defines a default route.

Why this answer

This command creates a default static route. In everyday terms, it tells the router, “If you do not know a more specific way to reach a destination, send the traffic to 203.0.113.1.” That next-hop address usually points toward an upstream router or ISP edge. The command does not describe one specific remote network; it represents every destination not otherwise matched by a more specific entry.

At the routing-table level, `0.0.0.0 0.0.0.0` is the broadest possible IPv4 prefix. Because it matches everything, it is used only when nothing more specific exists.

Exam trap

Do not confuse default routes with specific network routes or access control lists; focus on the 0.0.0.0/0 prefix.

Why the other options are wrong

A

This option is incorrect because static routes do not block traffic; they tell the router where to forward packets. This entry forwards otherwise-unmatched traffic to 203.0.113.1 rather than discarding it.

B

This option is wrong because the configured route does not limit forwarding to a single host. A mask of 0.0.0.0 matches every destination, so the entry is a default route for all traffic that no more specific route covers.

C

This option is wrong because static routes are not advertised into OSPF on their own; they only define a forwarding path. Getting a static route into OSPF would require a separate redistribution configuration, which the question does not describe.

1043
MCQ · hard

Why is the combination of strong authentication and centralized logging better than either control by itself?

A. Authentication improves prevention, while centralized logging improves visibility and investigation.
B. They are redundant because both perform exactly the same task.
C. Centralized logging makes authentication unnecessary.
D. Strong authentication removes the need for any event records.
Answer: A

This is correct because the two controls complement each other.

Why this answer

The combination is better because strong authentication helps prevent unauthorized access, while centralized logging helps detect, review, and investigate what happened across the environment. In practical terms, one control is stronger on prevention, and the other is stronger on visibility and accountability. Together they provide broader protection than either one alone.

This reflects a real security principle: mature security depends on layers of control, not one mechanism trying to do every job.

Exam trap

A common exam trap is believing that strong authentication alone is enough to secure a network, leading to the misconception that event logging is unnecessary. Candidates may also incorrectly assume that centralized logging can replace authentication by simply recording events without preventing unauthorized access. This misunderstanding overlooks the complementary roles these controls play: authentication stops unauthorized users upfront, while logging provides the visibility needed to detect and investigate incidents.

Ignoring either control weakens overall security and can cause candidates to select incorrect answers that underestimate the importance of layered defenses.

Why the other options are wrong

B

This option is incorrect because authentication and logging serve different purposes; authentication controls access, while logging records events. They are not redundant but complementary.

C

This option is wrong because centralized logging only records events and does not prevent unauthorized access, so it cannot replace strong authentication.

D

This option is incorrect because even with strong authentication, event records remain essential for auditing, troubleshooting, and investigating security incidents.

1044
Multi-Select · medium

Which three options describe how AI contributes to network automation and orchestration? (Choose three.)

Select 3 answers
A. AI can optimize routing paths dynamically based on real-time traffic analysis
B. AI can automatically adjust QoS policies to prioritize critical application traffic
C. AI can predict link failures and trigger preemptive rerouting
D. AI eliminates the need for any intent-based networking (IBN) frameworks
E. AI can replace all configuration templates with entirely self-generated configs
F. AI ensures that every network change is 100% error-free without testing
Answers: A, B, C

Why this answer

AI contributes to network automation and orchestration by enabling dynamic optimization of routing paths based on real-time traffic analysis, automatically adjusting QoS policies to prioritize critical application traffic, and predicting link failures to trigger preemptive rerouting. These capabilities leverage machine learning models to analyze network telemetry data, such as NetFlow or SNMP, and make automated decisions that improve performance, reliability, and efficiency without manual intervention.

Exam trap

Cisco often tests the misconception that AI completely replaces existing frameworks or guarantees perfection, when in reality AI augments and enhances traditional automation tools but still requires human oversight, validation, and structured baselines like templates and IBN.

1045
MCQ · medium

A phone and a PC are attached to the same switchport. The intended data VLAN is VLAN 10, and the phone uses voice VLAN 20. The switchport currently has `switchport voice vlan 20` configured. The phone works, but the PC cannot reach the data network. Which command is most likely missing?

A. `switchport mode dynamic auto`
B. `switchport voice vlan 20`
C. `switchport access vlan 10`
D. `spanning-tree guard root`
Answer: C

The PC needs the correct data VLAN assignment on the access side.

Why this answer

When a Cisco IP phone and a PC share one port, the switchport needs both a data VLAN and a voice VLAN. The phone tags its own frames into the voice VLAN, while the PC's untagged frames land in whatever access VLAN the port has; if `switchport access vlan 10` is missing, that is the default VLAN 1 rather than VLAN 10, so the phone works while the PC fails.

Exam trap

Ensure both data and voice VLANs are configured when devices share a port. Don't confuse duplex or trunk settings with VLAN issues.

Why the other options are wrong

A

The phone works but the PC cannot reach the data network, indicating the PC is not in the correct VLAN. `switchport mode dynamic auto` sets the port to negotiate trunking via DTP, which does not assign a data VLAN to the PC.

B

The PC cannot reach the data network because the switchport is likely configured as a voice VLAN only, but the data VLAN (access VLAN) is missing. Option B configures the voice VLAN, which is correct for the phone, but does not set the access VLAN for the PC.

D

The issue is that the PC cannot reach the data network, which is typically configured via the access VLAN. Spanning-tree guard root is unrelated to VLAN assignment; it prevents a switch from becoming the root bridge, not connectivity issues on a specific VLAN.

1046
Multi-Select · medium

Which two statements accurately describe basic WLAN security at the CCNA level?

Select 2 answers
A. WPA2 is generally considered stronger than WEP for wireless security.
B. Open wireless access provides meaningful default encryption.
C. Open wireless access does not provide the same protection as a secured WLAN.
D. A longer SSID makes WEP cryptographically strong.
E. WPA2 relies on TKIP encryption.
Answers: A, C

This is correct because WPA2 provides significantly better security than WEP.

Why this answer

WPA2 uses AES-CCMP encryption and is much stronger than WEP, which uses weak RC4. Open wireless networks (no security) provide no encryption, so they are less secure than a secured WLAN. Option B is false because open networks have no default encryption.

Option D is false because SSID length does not affect WEP's cryptographic strength; WEP is inherently weak regardless of SSID. Option E is false because WPA2 is a security protocol, not a duplex mode.

Exam trap

Avoid confusing open networks with secured ones and remember that WEP is outdated and insecure.

Why the other options are wrong

B

Open wireless access does not provide any default encryption, so it is not secure.

D

A longer SSID does not strengthen WEP; WEP's vulnerability is due to its use of static keys and weak RC4 algorithm, not SSID length.

E

WPA2 is a wireless security standard (Wi-Fi Protected Access 2), unrelated to Ethernet duplex modes.

1047
Matching · medium

Match each subnetting term to its most accurate meaning.

Concepts and matches

Prefix length: Number of bits used for the network portion of the address
Block size: Increment between subnet boundaries
Network address: Address that identifies the subnet itself
Broadcast address: Address used to reach all hosts in the subnet

Why these pairings

Prefix length refers to the number of bits used for the network portion, so it correctly maps to 'Number of bits used for the network portion of the address.' Block size is the increment between subnet boundaries, matching its assigned meaning. Network address identifies the subnet itself, not a host, so it maps to 'Address that identifies the subnet itself.' Broadcast address is used to reach all hosts in the subnet, aligning with 'Address used to reach all hosts in the subnet.' Each term is directly tied to its definition without introducing unrelated concepts.

Exam trap

Be careful not to confuse the subnet mask's role with other subnetting concepts. The subnet mask defines boundaries, not the actual addresses or counts. Always remember that the mask is used in conjunction with an IP address to compute network, broadcast, and host ranges.

1048
Multi-Select · hard

Users can browse websites by IP address but not by hostname. The default gateway is reachable and general internet connectivity works. Which two causes are the most likely?

Select 2 answers
A. The clients are missing a valid DNS server setting.
B. DNS queries may be blocked somewhere along the path.
C. The routers are missing NTP configuration.
D. The switch access ports should be changed to dynamic desirable.
Answers: A, B

Name resolution will fail if clients do not know where to send DNS queries.

Why this answer

If IP connectivity works but hostnames fail, the problem is usually DNS configuration or DNS reachability, not general routing.

Exam trap

A frequent exam trap is to assume that if users cannot browse websites by hostname, the problem must be with routing or the default gateway. However, the question states the default gateway is reachable and general internet connectivity works, which rules out routing issues. Another trap is to confuse unrelated configurations like NTP or switch port settings as causes for DNS failures.

The key is to focus on DNS-specific causes: missing DNS server settings on clients or DNS traffic being blocked. Misinterpreting these symptoms leads to incorrect answers that do not address the root cause of hostname resolution failure.

Why the other options are wrong

C

Incorrect. NTP configuration affects time synchronization but does not impact DNS resolution or hostname-based browsing, so it is unrelated to this issue.

D

Incorrect. Changing switch access ports to dynamic desirable affects VLAN trunk negotiation (DTP) but does not influence DNS resolution or hostname connectivity.

1049
Drag & Drop · medium

Drag and drop the following steps into the correct order to troubleshoot a suspected duplex mismatch and CRC errors on an interface using Cisco IOS-XE CLI commands.

Steps in order

1. Access the device and enter privileged EXEC mode.
2. Run `show interfaces` to check for CRC errors and confirm the duplex mismatch.
3. Enter configuration mode and set the speed manually, then set the duplex.
4. Exit configuration mode and save the running configuration.

Why this order

First, access the device and enter privileged mode, then run `show interfaces` to diagnose CRC errors and confirm a duplex mismatch. Next, enter configuration mode and set the speed manually before duplex; setting speed first prevents the duplex from reverting to auto. Finally, exit configuration mode and save the running config to ensure the change persists.

Exam trap

Configuring duplex before speed can cause the duplex to reset to auto-negotiation, so always set speed first when manually fixing a duplex mismatch.

1050
Multi-Select · medium

Which two statements accurately describe why DNS issues can look like general connectivity problems to users?

Select 2 answers
A. Users often access services by name, so failed name resolution can feel like total connectivity loss.
B. Testing by IP address versus hostname can help distinguish DNS issues from raw path issues.
C. DNS failure automatically means the default gateway is missing.
D. If DNS fails, DHCP and NTP must also fail immediately.
E. DNS replaces the need for routing between subnets.
Answers: A, B

This is correct because users usually experience services through names rather than raw IP addresses.

Why this answer

DNS issues can look like general connectivity problems because many users think in terms of names, not IP addresses. In practical terms, they may report that 'the network is down' when the actual routed path works but hostname resolution does not. That is why testing by IP versus name is such a useful troubleshooting step.

The distinction between transport reachability and naming is critical in user-facing support.

Exam trap

A common exam trap is assuming that DNS failure means the default gateway or other network infrastructure is missing or malfunctioning. Candidates might incorrectly link DNS issues to routing failures or DHCP and NTP outages, which are separate services. This misunderstanding leads to wasted troubleshooting effort on routing tables or gateway configurations when the real problem lies in DNS server availability or client resolver settings.

The exam tests your ability to isolate DNS as an application-layer service distinct from network-layer connectivity.

Why the other options are wrong

C

Incorrect because DNS failure does not imply the default gateway is missing. Routing and DNS are separate functions, and gateway issues are unrelated to DNS resolution.

D

Incorrect because DHCP and NTP are independent IP services. DNS failure does not cause these services to fail immediately or automatically.

E

Incorrect because DNS does not replace routing. DNS resolves names to IP addresses, while routing protocols determine packet forwarding between subnets.
