CCNA 200-301 v2 (200-301) — Questions 1051-1125

1819 questions total · 25 pages · All types, answers revealed

Page 15 of 25
1051 · Matching · medium

Match each management or monitoring concept to its most accurate role.

Descriptions (matched concept in brackets):

  • Encrypted remote administration [SSH]
  • Framework for authentication, authorization, and accounting [AAA]
  • Centralized event and log reporting [Syslog]
  • Clock synchronization across devices [NTP]

Why these pairings

SSH provides encrypted remote administration by encrypting the entire session, unlike unsecured protocols like Telnet. AAA is the foundational framework for network access control, covering who can authenticate, what operations they are authorized to perform, and what they did via accounting. Syslog enables centralized collection of event and log messages from multiple devices for monitoring and troubleshooting.

NTP synchronizes system clocks across network devices, ensuring consistent timestamps for logging and security functions.

Exam trap

Learners often confuse Syslog with SNMP; Syslog is for log collection only, not for device polling or real-time monitoring.

1052 · Multi-Select · medium

Which three features are used to mitigate Layer 2 security threats on a Cisco switch? (Choose three.)

Select 3 answers:

  • PortFast on all access ports to prevent STP convergence delays.
  • Dynamic ARP Inspection (DAI) to prevent ARP spoofing.
  • DHCP snooping to build a trusted binding database.
  • BPDU guard to shut down ports receiving BPDUs on access ports.
  • EtherChannel load balancing to increase bandwidth.
  • VLAN 1 as the native VLAN on trunk ports for management.

Answer: Dynamic ARP Inspection (DAI), DHCP snooping, BPDU guard

Why this answer

Dynamic ARP Inspection (DAI) mitigates ARP spoofing attacks by intercepting ARP packets on untrusted ports and validating them against the DHCP snooping binding database, ensuring that only legitimate ARP responses are forwarded. DHCP snooping builds a trusted binding database by monitoring DHCP messages and recording IP-to-MAC address mappings, which is used by DAI and IP Source Guard to prevent IP and MAC spoofing. BPDU guard protects against STP manipulation attacks by error-disabling an access port if it receives a BPDU, preventing unauthorized switches from participating in the spanning tree topology.

EtherChannel load balancing is a method for increasing bandwidth and redundancy, not a Layer 2 security mitigation. Using VLAN 1 as the native VLAN is a known security risk that can facilitate VLAN hopping attacks, so it is not a mitigation feature.

Exam trap

Cisco often tests the distinction between features that improve STP convergence (like PortFast) and features that provide security (like BPDU guard), causing candidates to mistakenly select PortFast as a security feature.

1053 · MCQ · medium

Two switches are connected with EtherChannel using LACP. One side is configured with mode active and the other side with mode passive. What happens?

A. The channel forms successfully
B. The channel stays down because both sides must be active
C. The channel forms only if PAgP is also enabled
D. The channel becomes a static Port-Channel

Answer: A

Active initiates and passive responds.

Why this answer

LACP forms an EtherChannel when at least one side actively negotiates. Active plus passive is a valid combination, so the bundle comes up if the physical settings match.

Exam trap

A frequent exam trap is believing that both sides of an LACP EtherChannel must be configured in active mode for the channel to form. This misconception leads to the incorrect assumption that active-passive combinations will fail. In reality, LACP requires only one side to be active to initiate negotiation, while the other side can be passive and respond.

Another trap is confusing LACP with PAgP, expecting that enabling PAgP alongside LACP will help form the channel, which is false because these protocols are incompatible. Understanding these nuances prevents misinterpretation of EtherChannel negotiation behavior on the exam.

Why the other options are wrong

B

This option is incorrect because both sides do not need to be active. One side active and the other passive is sufficient for LACP negotiation and channel formation.

C

This option is incorrect because PAgP is a different, Cisco proprietary protocol and does not work alongside LACP. Enabling PAgP does not affect LACP negotiation.

D

This option is incorrect because configuring one side as active and the other as passive uses LACP negotiation, not a static Port-Channel. Static Port-Channels require manual configuration on both ends without negotiation.

1054 · MCQ · hard

R1 and R2 are connected via Ethernet and are configured with OSPF, but they fail to form an adjacency. Upon checking the interface configurations, you see that R1’s interface is in OSPF area 0 while R2’s interface is in area 1, and both interfaces use default timers and are in the same subnet. What is the most likely reason?

A. The OSPF areas do not match on the shared segment.
B. The routers must use the same process ID.
C. The interfaces are in different IPv4 subnets.
D. OSPF cannot run on Ethernet interfaces.

Answer: A

This is correct because the same link is placed into area 0 on one side and area 1 on the other.

Why this answer

The most likely cause is an OSPF area mismatch on the shared segment. R1 and R2 are in the same IP subnet and use default hello/dead timers, so neither subnet mismatch nor timer mismatch is the problem. OSPF can run on Ethernet interfaces.

However, OSPF requires neighbors on the same link to agree on the area ID; here they differ, preventing adjacency. Option B is incorrect because OSPF process IDs are locally significant and do not need to match.

Exam trap

A common mistake is believing that OSPF process IDs must match between routers to form an adjacency; process IDs are locally significant and do not need to match.

Why the other options are wrong

B

This option is incorrect because OSPF process IDs are locally significant and do not need to match between routers. Different process IDs do not prevent adjacency formation.

C

This option is incorrect because the interfaces are in the same IPv4 subnet (10.1.50.0/24), which is a prerequisite for OSPF adjacency on broadcast networks.

D

This option is incorrect because OSPF commonly runs on Ethernet interfaces. Ethernet is a supported media type for OSPF neighbor discovery and adjacency formation.

1055 · PBQ · hard

You are connected to R1, a multilayer switch acting as a DNS forwarder for two VLANs. Users on VLAN 10 report that they cannot resolve 'files.example.com' while VLAN 20 works fine. The DNS server 198.51.100.53 is reachable but returns SERVFAIL for queries from subnet 192.168.10.0/24, while server 203.0.113.53 responds correctly for both VLANs. Diagnose and fix the DNS resolution issue using nslookup and dig, then adjust the IOS-XE configuration to ensure proper name resolution. Choose the best fix that permanently resolves the problem.

Network Topology (diagram not reproduced; labels recovered):

  • R1 G0/0/0 10.0.0.1/30, link to DNS servers (198.51.100.53)
  • R1 G0/0/1.10 192.168.10.1/24, VLAN 10
  • R1 G0/0/1.20 192.168.20.1/24, VLAN 20

Hints

  • The first DNS server returns SERVFAIL for the A record query.
  • The second DNS server resolves the name correctly.
  • Use 'no ip name-server <ip>' to remove a faulty server.
A. Remove the faulty primary DNS server using 'no ip name-server 198.51.100.53' and keep the working secondary server 203.0.113.53.
B. Add a static DNS entry for 'files.example.com' using 'ip host files.example.com 10.0.0.1' on R1.
C. Change the DNS server order so that the working server is primary using 'ip name-server 203.0.113.53 198.51.100.53'.
D. Configure the router to use only the faulty server by removing the working server with 'no ip name-server 203.0.113.53'.

Answer: A

Solution:
! R1
configure terminal
no ip name-server 198.51.100.53
end

Why this answer

The faulty DNS server 198.51.100.53 returns SERVFAIL for the A record query, indicating a misconfiguration or missing record on that server. Although reordering (Option C) would allow resolution to work by querying the functional server first, it is not the optimal fix because the broken server remains in the list and could still be used if the primary times out or for future queries. The best practice is to completely remove the faulty server using 'no ip name-server 198.51.100.53'.

Option B adds a static entry that only helps one domain and does not address the root cause. Option D would make the router use only the broken server, worsening the problem.

Exam trap

Do not confuse a reachable DNS server with a functional one. SERVFAIL means the server is responding but cannot resolve the query. The solution is to remove the faulty server, not reorder or add static entries.

Why the other options are wrong

C

Reordering the name servers works around the issue temporarily but leaves the faulty server in the configuration, which is not a permanent solution and violates best practice of removing misconfigured DNS servers.

1056 · MCQ · easy

A small office wants branch routers to automatically hand out IP addresses, default gateway values, and DNS servers to clients. Which service should be configured?

A. DNS
B. DHCP
C. NTP
D. TACACS+

Answer: B

DHCP supplies addressing parameters to clients.

Why this answer

DHCP is built for this exact job. It centrally provides addressing details so endpoints do not need to be configured by hand.

Exam trap

A common exam trap is confusing DHCP with other network services like DNS, NTP, or TACACS+. DNS only resolves domain names to IP addresses and does not assign IP addresses or default gateways. NTP synchronizes time across devices but does not handle IP addressing.

TACACS+ is an AAA protocol used for authentication and authorization, not for assigning IP addresses or network parameters. Selecting any of these instead of DHCP leads to incorrect answers because they do not fulfill the requirement of automatically handing out IP addresses and related network configuration to clients.

Why the other options are wrong

A

DNS resolves domain names to IP addresses but does not assign IP addresses, default gateways, or DNS server settings to clients. It is not responsible for automatic IP configuration, so it is incorrect for this question.

C

NTP synchronizes time across network devices and does not provide IP addressing or network configuration parameters to clients, making it irrelevant for this question.

D

TACACS+ is an AAA protocol used for authentication, authorization, and accounting. It does not handle IP address assignment or network parameter distribution, so it is not the correct service here.

1057 · MCQ · hard

Two switches are connected using four Gigabit Ethernet interfaces configured as an EtherChannel with LACP. The network administrator notices that only two of the four interfaces are active in the port-channel, and the other two are in a suspended state. Upon further investigation, the administrator finds that the two inactive interfaces correspond to remote interfaces that are configured with the 'on' mode, while the active ones correspond to remote interfaces configured with LACP active/passive. The administrator also verifies that all local interfaces have the same speed, duplex, and VLAN. What is the most likely cause of the suspended interfaces?

A. The interfaces are in err-disabled state due to a spanning-tree loop.
B. The remote switch interfaces corresponding to the suspended local interfaces are configured with the 'on' mode instead of 'active' or 'passive' for LACP.
C. The port-channel interface is shutdown.
D. There is a mismatch in the allowed VLANs on the member interfaces.

Answer: B

When one switch has LACP active/passive and the other has 'on' (static), LACP negotiation fails, and the ports become suspended. Changing the remote switch to 'active' or 'passive' allows LACP to negotiate and bundle the ports.

Why this answer

LACP requires both ends of a link to be configured in either 'active' or 'passive' mode to negotiate an EtherChannel. If some remote interfaces are set to 'on' mode (static EtherChannel), LACP negotiation fails on those links, causing the corresponding local LACP-enabled interfaces to remain in a suspended state. The local switch detects that LACP PDUs are not received on those interfaces and suspends them to prevent misconfiguration.

The other two interfaces with correctly configured remote peers form the EtherChannel successfully.

Exam trap

Cisco often tests the misconception that all interfaces must match in speed, duplex, and VLAN to form an EtherChannel, but the trap here is that the LACP mode mismatch (active/passive vs. on) is the specific cause of suspended interfaces even when other parameters are consistent.

Why the other options are wrong

A

The exhibit shows the ports as suspended, not err-disabled. Spanning-tree loops typically cause err-disable, not suspension.

C

The port-channel is up (U), so it is not shutdown.

D

The scenario explicitly states that all interfaces are configured with the same VLAN, so this is not the cause.

1058 · Drag & Drop · medium

Drag and drop the following steps into the correct order to describe the router's routing table lookup process for a destination IP address, including the best-path selection logic (longest prefix match, then administrative distance, then metric) and the final forwarding decision.


Why this order

The router applies longest prefix match first, then administrative distance, then metric, in that order, to select the best path and forward the packet.

Exam trap

Do not confuse the order of tiebreakers: longest prefix match always comes first, then administrative distance, then metric. Many candidates mistakenly swap AD and metric or think metric is compared first.

1059 · PBQ · hard

You are connected to R1. The inside network 192.168.1.0/24 must be able to reach the internet via PAT (overload) using the public IP 203.0.113.1 on interface GigabitEthernet0/1. Additionally, a web server at 192.168.1.10 must be reachable from the internet via static NAT to 203.0.113.10. The current configuration is not working. Identify and fix all issues.

Hints

  • Check the ACL for the correct inside network.
  • The PAT command is missing a keyword to enable port address translation.
  • Ensure the 'overload' keyword is present in the ip nat inside source list command.
A. Change ACL 100 to permit 192.168.1.0 0.0.0.255, add 'overload' to the ip nat inside source list command, and verify with 'show ip nat translations'.
B. Change ACL 100 to permit 192.168.1.0 0.0.0.255 and add the 'overload' keyword to the ip nat inside source list command.
C. Add the 'overload' keyword to the ip nat inside source list command and verify with 'show ip nat translations'.
D. Change ACL 100 to permit 192.168.1.0 0.0.0.255 and verify with 'show ip nat translations'.

Answer: A

Solution:
! R1
conf t
no access-list 100
access-list 100 permit 192.168.1.0 0.0.0.255
ip nat inside source list 100 interface GigabitEthernet0/1 overload
end

Why this answer

The configuration has two issues: (1) ACL 100 permits 192.168.2.0/24 instead of 192.168.1.0/24, so the inside traffic is not matched for PAT. (2) The 'ip nat inside source list' command lacks the 'overload' keyword, preventing port address translation. The static NAT entry for the web server is correctly configured and does not depend on the ACL; it will work once the ACL is fixed. To resolve: change ACL 100 to permit 192.168.1.0 0.0.0.255, add 'overload' to the ip nat inside source list command, and verify with 'show ip nat translations'.

Exam trap

Candidates often overlook that the ACL must match the inside network exactly, and that 'overload' is required for PAT. Additionally, they may forget to verify with 'show ip nat translations' to confirm the configuration is working.

Why the other options are wrong

B

The answer fails to include the verification step, which is a critical part of troubleshooting and ensuring the configuration is applied correctly.

C

The ACL must match the correct inside network; without fixing it, PAT will not apply to the intended traffic.

D

The 'overload' keyword is essential for PAT; omitting it means the router will perform dynamic NAT without port translation, which is insufficient for multiple hosts.

1060 · PBQ · medium

You are connected to SW1 via console. SW1 is a Layer 2 switch connected to two other switches (SW2 and SW3) via trunk links. The network administrator wants to ensure that SW1 becomes the root bridge for VLAN 10 and VLAN 20. Currently, SW2 is the root for both VLANs. Configure SW1 to become the root bridge for these VLANs using the Cisco-recommended macro STP commands.

Network Topology (diagram not reproduced): SW1 connected to SW2 and SW3 by trunk links.

Hints

  • Use the 'root primary' macro to set the bridge priority to 24576.
  • Ensure VLANs 10 and 20 exist on SW1.
A. spanning-tree vlan 10 root primary; spanning-tree vlan 20 root primary
B. spanning-tree vlan 10 root secondary; spanning-tree vlan 20 root secondary
C. spanning-tree vlan 10 priority 4096; spanning-tree vlan 20 priority 4096
D. spanning-tree vlan 10 root; spanning-tree vlan 20 root

Answer: A

Solution:
! SW1
spanning-tree vlan 10 root primary
spanning-tree vlan 20 root primary

Why this answer

The 'spanning-tree vlan <vlan> root primary' command is the Cisco-recommended macro that sets the bridge priority to 24576, which is lower than the default 32768, making SW1 the root bridge for those VLANs. Option A correctly uses this macro. Option C, while it could achieve the same goal by setting priority to 4096, is not the macro command and would be considered a static configuration; the question specifically asks for the appropriate macro commands.

Option B sets priority to 28672 as a secondary root, and Option D is invalid syntax.

Exam trap

Do not confuse 'root primary' with 'root secondary'. 'root primary' sets priority to 24576 to become root; 'root secondary' sets priority to 28672 to act as backup. Also, remember that the 'root' keyword must be followed by 'primary' or 'secondary'.

Why the other options are wrong

B

Option B uses 'root secondary', which sets the priority to 28672, making SW1 a backup root, not the primary root bridge.

C

Option C uses a static priority assignment of 4096, which would also make SW1 root, but the question expects the Cisco-recommended macro command 'root primary'.

D

Option D uses incomplete syntax 'spanning-tree vlan 10 root' without 'primary' or 'secondary', which is invalid.

1061 · MCQ · hard

A router has a connected route to 192.168.1.0/24 and also has a default route. Which route is used for traffic to 192.168.1.55?

A. The connected route to 192.168.1.0/24
B. The default route
C. Both routes equally
D. Neither route

Answer: A

This is correct because the destination falls within the directly connected subnet.

Why this answer

The connected route is used because it is both directly attached and more specific than the default route. In plain language, the router already knows that the destination belongs to one of its local interface networks, so it has no reason to send that traffic to a fallback route.

This is one of the most basic route-selection behaviors. Default routes matter only when no better match exists. Here, a directly connected, exact matching network is already present.

Exam trap

A common exam trap is assuming that the default route will be used for all traffic not explicitly configured, including traffic destined for directly connected subnets. Candidates may mistakenly select the default route because it appears as a fallback path, ignoring that connected routes always take precedence due to their specificity and administrative distance. Another trap is thinking that both routes could be used simultaneously or load-balanced, which is incorrect because the router selects only the best matching route based on prefix length and administrative distance.

Why the other options are wrong

B

Incorrect. The default route is less specific and only used when no matching connected or static route exists. Since a connected route matches, the default route is ignored.

C

Incorrect. The router does not load-balance equally between a connected route and a default route. It selects the single best route based on prefix length and administrative distance.

D

Incorrect. The router clearly has a matching connected route for the destination subnet, so it will use that route rather than discarding the traffic.

1062 · Multi-Select · medium

Which three of the following are common challenges when deploying AI in network operations? (Choose three.)

Select 3 answers:

  • Ensuring high-quality, clean training data for machine learning models
  • Integrating AI tools with existing legacy network management systems
  • Avoiding false positives that can lead to unnecessary operational alarms
  • AI models always requiring cloud connectivity to function
  • AI completely replacing the need for network engineers
  • AI automatically resolving all network congestion issues without human input

Answer: the first three options (training data quality, legacy integration, false positives)

Why this answer

Ensuring high-quality, clean training data is a fundamental challenge because AI/ML models depend on accurate, labeled data to learn patterns; poor data leads to unreliable predictions. Integrating AI tools with legacy systems is difficult due to proprietary APIs and outdated protocols, often requiring custom middleware. Avoiding false positives is critical because excessive alarms desensitize operators and waste resources.

The three incorrect options are not real deployment challenges: 'AI models always requiring cloud connectivity' is false because on-premise and edge AI can function offline; 'AI completely replacing network engineers' is a misconception—AI augments, not replaces, engineers; and 'AI automatically resolving all congestion without human input' is an unrealistic expectation, not a common challenge in practice.

Exam trap

Cisco often tests the misconception that AI is a fully autonomous replacement for human engineers, when in reality AI is a tool for augmentation and automation that still requires human oversight and intervention.

1063 · Drag & Drop · medium

Drag and drop the following steps into the correct order to install a new fiber optic link between two switches, including SFP insertion and basic troubleshooting.


Why this order

The correct sequence is Option A: Insert SFP into Switch A, connect fiber cable, then repeat for Switch B, and finally verify link on both switches. This follows best practice to insert the SFP before attaching the fiber cable, which helps prevent dust contamination and ESD damage. Option B is incorrect because inserting both SFPs first leaves them exposed and increases risk of damage.

Option C is wrong because connecting the cable before inserting the SFP can strain the connector and risk contamination. Option D is incorrect because verifying link on one switch before the other end is connected is futile – the link will not be up until both ends are properly installed.

Exam trap

The exam trap is that candidates may think it is acceptable to insert both SFPs first or to verify the link on one switch before the other end is connected. Remember that fiber optic installation requires careful handling: insert SFP, then cable, and only verify after both ends are complete.

1064 · Drag & Drop · medium

Drag and drop the following steps into the correct order to configure a DHCP server on a Cisco IOS-XE router and enable DHCP relay on a remote subnet, following Cisco's recommended configuration sequence.


Why this order

The recommended order is to first create the DHCP pool with network and default-router, then exclude addresses, and finally enable DHCP relay on the remote interface. While the 'ip dhcp excluded-address' command can technically be issued before or after the pool definition, Cisco documentation typically shows the pool created first. The critical requirement is that DHCP relay is configured last, after the DHCP server is fully configured.

Options B and D place relay first, which is incorrect.

Exam trap

A common mistake is to configure DHCP relay before the DHCP server, or to think the order of pool and exclusion is irrelevant for the exam. While both orders are technically valid, the question expects the standard order of pool first, then exclusion.

1065 · PBQ · hard

You are connected to a multilayer switch MLS1. Configure Root Guard on switchport GigabitEthernet 0/1 (connected to an unauthorized switch) so that if a superior BPDU is received, the port is blocked instead of causing a topology change. Also enable Loop Guard on uplink GigabitEthernet 0/2 (connected to the root bridge) to prevent unidirectional link issues. Finally, enable BPDU Guard on PortFast-enabled access port GigabitEthernet 0/3 (connected to a host) so that if a BPDU is received, the port goes err-disabled. After configuration, a superior BPDU is received on G0/1 and the port is blocked; a BPDU is received on G0/3 and the port goes err-disabled. Verify these protections are active.

Hints

  • Root Guard is configured per interface under interface configuration mode using 'spanning-tree guard root'.
  • Loop Guard is configured per interface using 'spanning-tree guard loop'.
  • BPDU Guard is enabled on PortFast ports with 'spanning-tree bpduguard enable'.
A. Root Guard on G0/1, Loop Guard on G0/2, BPDU Guard on G0/3
B. Root Guard on G0/1, UplinkFast on G0/2, BPDU Guard on G0/3
C. BPDU Guard on G0/1, Loop Guard on G0/2, Root Guard on G0/3
D. Root Guard on G0/1, Loop Guard on G0/2, PortFast on G0/3

Answer: A

Solution:
! MLS1
interface GigabitEthernet0/1
spanning-tree guard root
interface GigabitEthernet0/2
spanning-tree guard loop
interface GigabitEthernet0/3
spanning-tree portfast
spanning-tree bpduguard enable

Why this answer

Root Guard was correctly configured on G0/1, so when a superior BPDU arrived, the port entered root-inconsistent state instead of becoming root port. Loop Guard on G0/2 prevents alternate port from becoming root if BPDUs stop. BPDU Guard on G0/3 correctly triggered err-disable upon receiving a BPDU on a PortFast port.

To restore G0/3, use 'shutdown' then 'no shutdown' after removing the BPDU source. Verification commands confirm the protections are working.

Exam trap

Trap: Mixing up which protection goes where. Root Guard is for ports that should never become root (e.g., facing unauthorized switches). Loop Guard is for ports that are alternate or root ports (uplinks).

BPDU Guard is for PortFast-enabled access ports. Also, remember that BPDU Guard triggers err-disable, while Root Guard triggers root-inconsistent (blocking) state.

Why the other options are wrong

B

UplinkFast is not designed to detect or prevent unidirectional links; it only accelerates failover.

C

The protections are applied to the wrong ports: BPDU Guard should be on access ports, Root Guard on ports facing potential rogue switches, and Loop Guard on uplinks.

D

PortFast does not prevent BPDU reception; it only skips the listening and learning states. Without BPDU Guard, the port would still process BPDUs and could become a root port.

1066 · Drag & Drop · medium

Drag and drop the following steps into the correct order to troubleshoot and resolve excessive interface errors caused by a duplex mismatch on a Cisco switch interface.


Why this order

The correct order starts with identifying symptoms using show interfaces to see error counters like CRC and late collisions. Next, check the local interface speed and duplex with show interfaces status. Then discover the neighbor's speed and duplex, for instance via show cdp neighbors detail, to confirm a mismatch.

After identifying the mismatch, configure the interface with the correct settings (e.g., speed and duplex commands). Finally, verify the resolution by running show interfaces again to ensure errors are no longer incrementing.

1067 · PBQ · easy

You are connected to SW1 via the console. SW1 is a Layer 2 switch connected to multiple PCs. The network administrator wants to implement port security on port G0/1 to allow only one MAC address and to shut down the port if a violation occurs. Additionally, the administrator wants the MAC address to be learned dynamically and added to the running configuration as sticky. Configure port security on G0/1 accordingly.

Network Topology (diagram not reproduced): PC1 connected to SW1 port G0/1.

Hints

  • Port security must be enabled on the interface first.
  • Sticky MAC automatically adds learned MAC addresses to the running config.
  • The violation mode 'shutdown' places the port in err-disabled state.
A. SW1(config)# interface G0/1
   SW1(config-if)# switchport port-security
   SW1(config-if)# switchport port-security maximum 1
   SW1(config-if)# switchport port-security mac-address sticky
   SW1(config-if)# switchport port-security violation shutdown

B. SW1(config)# interface G0/1
   SW1(config-if)# switchport port-security
   SW1(config-if)# switchport port-security maximum 1
   SW1(config-if)# switchport port-security mac-address sticky
   SW1(config-if)# switchport port-security violation protect

C. SW1(config)# interface G0/1
   SW1(config-if)# switchport port-security
   SW1(config-if)# switchport port-security maximum 1
   SW1(config-if)# switchport port-security mac-address 0000.1111.2222
   SW1(config-if)# switchport port-security violation shutdown

D. SW1(config)# interface G0/1
   SW1(config-if)# switchport port-security
   SW1(config-if)# switchport port-security maximum 1
   SW1(config-if)# switchport port-security mac-address sticky
   SW1(config-if)# switchport port-security violation restrict

Answer: A

Solution:
! SW1
interface GigabitEthernet0/1
switchport port-security
switchport port-security maximum 1
switchport port-security violation shutdown
switchport port-security mac-address sticky

Why this answer

Port security restricts access by limiting MAC addresses. With sticky learning, the first dynamically learned MAC is saved to the config. If another MAC attempts to connect, the port shuts down, preventing unauthorized access.

Exam trap

Pay close attention to the specific violation modes: 'shutdown' disables the port, 'restrict' drops frames and logs, 'protect' drops frames silently. Also, distinguish between static MAC assignment and sticky learning: sticky uses the 'mac-address sticky' command, not a manual MAC address.

Why the other options are wrong

B

The violation mode 'protect' silently drops frames from unknown MACs without disabling the port, which contradicts the requirement to shut down the port.

C

The 'mac-address' command with a specific address statically assigns that MAC, which is not dynamic. Sticky learning uses the 'mac-address sticky' command to dynamically learn and save the first MAC.

D

The 'restrict' mode does not disable the port; it only drops offending frames and logs the violation. The requirement explicitly states to shut down the port, which requires the 'shutdown' violation mode.

1068 · PBQ · hard

You are connected to Switch1. Configure an LACP EtherChannel between Switch1 and Switch2 using interfaces GigabitEthernet0/1 and GigabitEthernet0/2. The channel must be in active mode on both sides, and the port-channel interface must have VLAN 10 as the access VLAN. The current configuration has a speed/duplex mismatch and inconsistent VLAN assignments preventing the channel from forming. Verify the channel is up using 'show etherchannel summary'.

Network Topology (diagram not reproduced): Switch1 and Switch2 joined by an EtherChannel (Gi0/1 labelled on each side).

Hints

  • Check that all member interfaces have the same speed and duplex settings.
  • Ensure all interfaces (including the port-channel) are in the same VLAN.
  • Both sides must use LACP active mode for the channel to form.
A.Set speed auto on Gi0/1 and Gi0/2, set duplex auto on both, change access VLAN on Gi0/2 to 10, change access VLAN on Port-channel1 to 10, and set channel-group mode active on both interfaces.
B.Set speed 1000 on Gi0/1, set duplex full on Gi0/1, change access VLAN on Gi0/1 to 20, change access VLAN on Port-channel1 to 20, and set channel-group mode passive on both interfaces.
C.Set speed 100 on Gi0/2, set duplex half on Gi0/2, change access VLAN on Gi0/1 to 20, change access VLAN on Port-channel1 to 20, and set channel-group mode desirable on both interfaces.
D.Set speed auto on Gi0/1 and Gi0/2, set duplex auto on both, change access VLAN on Gi0/1 to 10, change access VLAN on Port-channel1 to 10, and set channel-group mode active on Gi0/1 and passive on Gi0/2.
AnswerA
solution
! Switch1
interface gigabitethernet0/1
speed auto
duplex auto
channel-group 1 mode active
exit
interface gigabitethernet0/2
speed auto
duplex auto
switchport access vlan 10
channel-group 1 mode active
exit
interface port-channel 1
switchport access vlan 10
end

Why this answer

The EtherChannel is not forming due to three issues: (1) Speed mismatch: Gi0/1 is set to 100 Mbps while Gi0/2 is 1000 Mbps; both must match (e.g., auto). (2) Duplex mismatch: Gi0/1 is half-duplex, Gi0/2 is full-duplex; both must be the same (e.g., full). (3) VLAN mismatch: Gi0/1 is in VLAN 10, Gi0/2 in VLAN 20, and Port-channel1 is in VLAN 1; all access VLANs must be consistent (set to VLAN 10). Additionally, the channel-group mode should be 'active' on both interfaces for LACP. The solution involves setting speed and duplex to auto, changing the access VLAN on Gi0/2 and the port-channel to VLAN 10, and setting channel-group mode to active.

Exam trap

The exam trap here is that candidates may focus only on resolving the speed/duplex and VLAN mismatches but forget to check the LACP mode requirement. Also, they might confuse LACP modes (active/passive) with PAgP modes (desirable/auto). Always verify that the mode matches the protocol and the requirement.

Why the other options are wrong

B

The specific factual error: passive mode on both sides will not form an LACP EtherChannel because neither side initiates negotiation; at least one side must be active.

C

The specific factual error: 'desirable' is a PAgP mode; LACP uses 'active' or 'passive'. Using 'desirable' would not form an LACP EtherChannel.

D

The specific factual error: the requirement explicitly states 'active mode on both sides', so setting one side to passive violates the requirement, even though the channel might still form.

1069
MCQhard

Refer to the exhibit. A network administrator is troubleshooting an NTP synchronization issue on R1. The router is configured with the command ntp server 10.1.1.100, but the clock remains unsynchronized. The administrator issues the show ntp status command. What is the most likely cause of the problem?

A.The NTP authentication key configured on R1 does not match the one on the server.
B.The system time on R1 is set to an epoch that is too far from the server's time, causing NTP to refuse to synchronize.
C.The NTP service is not enabled on R1; the 'ntp server' command only defines a server but does not start the NTP process.
D.The router cannot reach the NTP server 10.1.1.100 at UDP port 123 due to a routing issue or an access list.
AnswerD

The exhibit clearly shows 'no reference clock' and stratum 16, which indicates that R1 has not received any NTP packets from the configured server. This is a classic symptom of network unreachability—the router’s NTP requests are not making it to the server or responses are not coming back, often caused by a missing route or an ACL filtering UDP 123.

Why this answer

The output shows 'Clock is unsynchronized, stratum 16, no reference clock,' which means the router has not received any valid NTP updates from the configured server. This state is typical when the NTP server 10.1.1.100 is unreachable at the network layer—either because of a missing route or an ACL blocking UDP port 123. If the server were reachable but authentication failed, the output might still show a reference clock (but unsynchronized) or show reachability in the NTP associations table, which is absent here.

Exam trap

Many candidates mistakenly believe that any NTP unsynchronized state is caused by authentication mismatch. However, authentication failures allow packets to be received; they are dropped after auth check, so the router might still see the server as reachable (but not usable) in show ntp associations. The complete absence of a reference clock strongly suggests a reachability issue, not an authentication problem.

Why the other options are wrong

A

Candidates often confuse unsynchronized status with authentication issues, but authentication failures do not prevent reception of packets; they just discard them after arrival.

B

A common myth is that NTP cannot sync if the clocks are too far apart. While extreme offsets may delay sync, they do not prevent the router from hearing the server, so the reference clock field would still show the server’s IP or clock ID.

C

Some candidates mistakenly believe that a separate 'ntp enable' command is required. In IOS, configuring an ntp server automatically enables NTP, so the service is active.

1070
PBQhard

You are connected to R1 via console. R1 is directly connected to R2 over a 1000BASE-T link that is failing to come up. Configure interface GigabitEthernet0/0 on R1 with the correct speed and duplex settings to match R2's configuration, and then verify the link is operational. Additionally, determine the appropriate SFP type for a new 40 km fiber link between R1 and R2.

Network Topology
R1 G0/0 10.0.0.1/30 --- link --- G0/0 10.0.0.2/30 R2

Hints

  • Check R2's running config to see if speed and duplex are manually set.
  • Auto-negotiation failure can occur when one side is set to auto and the other to fixed settings.
  • For distances over 10 km on fiber, you typically need a 1000BASE-ZX SFP.
A.Configure interface GigabitEthernet0/0 with 'speed 1000' and 'duplex full'. For the new fiber link, use a 1000BASE-ZX SFP.
B.Configure interface GigabitEthernet0/0 with 'speed auto' and 'duplex auto'. For the new fiber link, use a 1000BASE-SX SFP.
C.Configure interface GigabitEthernet0/0 with 'speed 1000' and 'duplex half'. For the new fiber link, use a 1000BASE-LX SFP.
D.Configure interface GigabitEthernet0/0 with 'speed 100' and 'duplex full'. For the new fiber link, use a 1000BASE-EX SFP.
AnswerA
solution
! R1
interface GigabitEthernet0/0
speed 1000
duplex full

Why this answer

The link is down because R1 is set to auto-negotiate speed and duplex while R2 is hardcoded to 1000 Mbps full duplex. This mismatch causes the link to fail. To fix, configure R1's GigabitEthernet0/0 with 'speed 1000' and 'duplex full'.

For the new 40 km fiber link, a 1000BASE-ZX SFP is required as it supports distances up to 70 km. (1000BASE-LX supports only up to 10 km and is insufficient for 40 km.) Verify with 'show interfaces GigabitEthernet0/0' to see the link state change to up/up.

Exam trap

Do not assume auto-negotiation always works; when one side is hardcoded, the other must match. Also, know the distance limitations of SFP types: SX (short), LX (long, 10 km), ZX (extended, 70 km).

Why the other options are wrong

B

Auto-negotiation cannot match a hardcoded speed/duplex; 1000BASE-SX is for short distances (up to 550 m).

C

Gigabit Ethernet does not support half duplex; 1000BASE-LX maximum distance is 10 km.

D

Speed mismatch (100 vs 1000) will cause link failure; 1000BASE-EX is not an IEEE standard (ZX is used for extended reach).

1071
MCQmedium

Which security concept gives a user only the permissions required to perform assigned tasks and nothing more?

A.Defense in depth
B.Least privilege
C.Segmentation
D.Availability
AnswerB

Correct. Users receive only the access they need.

Why this answer

Least privilege is the security principle that grants users only the specific permissions necessary to perform their job functions, minimizing potential damage from errors or malicious actions. Defense in depth is a layered security strategy using multiple controls, not a principle of limiting permissions. Segmentation divides a network into isolated segments to contain threats, but does not directly govern individual user permissions.

Availability ensures systems and data are accessible when needed, which is unrelated to restricting access rights.

Exam trap

Don't confuse access control methods like RBAC, DAC, or MAC with the principle of least privilege, which specifically minimizes permissions.

Why the other options are wrong

A

Defense in depth refers to a layered security approach that employs multiple security measures to protect information. It does not specifically address the principle of granting users only the necessary permissions for their tasks.

C

Segmentation refers to dividing a network into segments to enhance security and manageability, rather than limiting user permissions. It does not directly address the concept of granting only necessary permissions to users.

D

Availability refers to ensuring that systems and data are accessible when needed, which does not relate to limiting user permissions for task completion. This option does not address the principle of restricting access based on necessity.

1072
PBQhard

You are managing a Cisco WLC (192.168.1.10) via its web UI. The wireless network 'CorpSecure' has been configured but clients cannot associate. Some report 'wrong password' errors; others see the SSID but fail to connect. Additionally, management access to the WLC web UI is intermittent. Identify and resolve the issues so that wireless clients can successfully associate with 'CorpSecure' using WPA3-Personal and the WLC web UI is reliably accessible from the management VLAN (VLAN 10).

Hints

  • Check the security settings on the WLAN; clients expecting WPA3 will fail with WPA2 configured.
  • An SSID that is hidden (Broadcast disabled) may not appear in client scans unless manually entered.
  • Management access issues might be unrelated to the WLAN config; verify the management interface IP and default gateway are correct.
A.Configure the SSID with WPA3-Personal; verify management interface is on VLAN 10 with correct gateway.
B.Change the SSID security to WPA2-PSK and disable SSID broadcast; reset the WLC to factory defaults.
C.Update the WLC firmware to the latest version and change the management VLAN to VLAN 1.
D.Reconfigure the SSID with WPA3-Enterprise and enable SSID broadcast; set the management interface to use DHCP.
AnswerA
solution
! WLC
Navigate to WLANs > Edit CorpSecure > Security > Layer 2 > Select WPA3-Personal (AES) > Apply
Navigate to WLANs > Edit CorpSecure > SSID > Enable Broadcast SSID > Apply

Why this answer

The primary issue is a security mismatch: the SSID is set to WPA2-PSK while clients expect WPA3, causing 'wrong password' errors. Since clients can see the SSID, broadcast is already enabled; the secondary connection failures may be due to incompatible devices, but the correct fix is to change the security to WPA3-Personal (AES). Additionally, verify that the management interface is on VLAN 10 with the correct gateway to ensure reliable WLC web UI access.

Exam trap

Candidates might mistakenly conclude the SSID broadcast is disabled and enable it unnecessarily, overlooking that the visible SSID indicates broadcast is already on, or they might ignore the management VLAN configuration.

Why the other options are wrong

B

The specific factual error: WPA2-PSK is not compatible with clients expecting WPA3-Personal, and hiding the SSID prevents clients from seeing it.

C

The specific factual error: VLAN 1 is the default and often discouraged for management; the issue is not firmware-related but configuration-based.

D

The specific factual error: WPA3-Enterprise is not appropriate without a RADIUS server, and DHCP for management can lead to unreliable access.

1073
MCQhard

An EtherChannel between two switches is configured for LACP. One switch shows the member interfaces as bundled, while the other shows them as individual interfaces. Which explanation is most likely if both sides are using LACP?

A.The member interface settings do not match closely enough for bundling, even though both sides use LACP.
B.LACP always requires one side to use PAgP as a backup.
C.EtherChannel cannot operate on switch trunks.
D.One switch must disable STP before EtherChannel can form.
AnswerA

This is correct because EtherChannel depends on compatible member settings as well as the protocol.

Why this answer

The most likely explanation is that some other interface settings do not match, even though both sides are using the same EtherChannel protocol. In practical terms, LACP alone is not enough. The candidate member interfaces also need to agree on characteristics such as speed, duplex, switchport mode, allowed VLANs where relevant, and other channel-related settings. If they do not, one side may treat the links as separate instead of bundling them.

This is a common troubleshooting pattern because it tests whether you know that EtherChannel success depends on more than just the negotiation protocol name.

Exam trap

Don't assume LACP alone ensures bundling; check all interface settings for consistency.

Why the other options are wrong

B

This option is incorrect because LACP (Link Aggregation Control Protocol) does not require PAgP (Port Aggregation Protocol) as a backup; they are separate protocols. LACP can operate independently without needing PAgP on either side of the EtherChannel.

C

This option is incorrect because EtherChannel can indeed operate on switch trunks, allowing multiple VLANs to be carried over a single logical link. The issue in the question pertains to LACP configuration mismatches, not trunking capabilities.

D

This option is incorrect because Spanning Tree Protocol (STP) does not need to be disabled for EtherChannel to form; EtherChannel can operate alongside STP. Disabling STP can lead to network loops and is not a requirement for EtherChannel functionality.
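The EtherChannel checks described in questions 1068 and 1073 (matching member settings, the port-channel VLAN, and LACP versus PAgP mode compatibility) as an added Python checker; this is example code written for this page, not a Cisco tool, and the Member class and its attribute names are assumptions.

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Member:
    """Settings of one candidate member interface (constructed model)."""
    name: str
    speed: str          # "auto", "100", "1000"
    duplex: str         # "auto", "half", "full"
    switchport: str     # "access" or "trunk"
    vlan: int           # access VLAN (native VLAN for a trunk)
    channel_mode: str   # active | passive | desirable | auto | on


LACP_MODES = {"active", "passive"}
PAGP_MODES = {"desirable", "auto"}


def protocol_of(mode: str) -> str:
    if mode in LACP_MODES:
        return "LACP"
    if mode in PAGP_MODES:
        return "PAgP"
    return "static"   # channel-group mode on


def negotiation_ok(local: str, remote: str) -> bool:
    """Can the two sides' channel-group modes negotiate a bundle?"""
    if protocol_of(local) != protocol_of(remote):
        return False                           # e.g. LACP active vs PAgP desirable
    if protocol_of(local) == "LACP":
        return "active" in (local, remote)     # passive/passive never initiates
    if protocol_of(local) == "PAgP":
        return "desirable" in (local, remote)  # auto/auto never initiates
    return True                                # on/on


def member_mismatches(members: List[Member], po_vlan: Optional[int] = None) -> List[str]:
    """List the attributes on which the candidate members (and port-channel) disagree."""
    problems = []
    for attr in ("speed", "duplex", "switchport", "vlan", "channel_mode"):
        values = {getattr(m, attr) for m in members}
        if len(values) > 1:
            problems.append(f"{attr}={sorted(map(str, values))}")
    if po_vlan is not None and any(m.vlan != po_vlan for m in members):
        problems.append(f"port-channel vlan {po_vlan} differs from members")
    return problems


def channel_status(local: List[Member], remote: List[Member],
                   local_po_vlan: Optional[int] = None,
                   remote_po_vlan: Optional[int] = None) -> str:
    """Return 'bundled' or the reason the members stay individual."""
    for side, members, po_vlan in (("local", local, local_po_vlan),
                                   ("remote", remote, remote_po_vlan)):
        problems = member_mismatches(members, po_vlan)
        if problems:
            return f"{side} members not bundled: " + "; ".join(problems)
    if not negotiation_ok(local[0].channel_mode, remote[0].channel_mode):
        return f"negotiation failed: {local[0].channel_mode}/{remote[0].channel_mode}"
    return "bundled"


if __name__ == "__main__":
    # Constructed state of Switch1 before the fix in question 1068 and a correct Switch2.
    sw1_before = [Member("Gi0/1", "100", "half", "access", 10, "active"),
                  Member("Gi0/2", "1000", "full", "access", 20, "active")]
    sw2 = [Member("Gi0/1", "auto", "auto", "access", 10, "active"),
           Member("Gi0/2", "auto", "auto", "access", 10, "active")]
    print(channel_status(sw1_before, sw2, local_po_vlan=1, remote_po_vlan=10))
    sw1_fixed = [replace(m, speed="auto", duplex="auto", vlan=10) for m in sw1_before]
    print(channel_status(sw1_fixed, sw2, local_po_vlan=10, remote_po_vlan=10))
```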

1074
Multi-Selectmedium

Which three of the following statements about the routing table lookup process on a Cisco router are true? (Choose three.)

Select 3 answers
A.The router performs a longest prefix match to select the most specific route for a destination IP.
B.If an exact match is found for the destination network, the router will forward the packet regardless of any more specific routes.
C.A default route (0.0.0.0/0) is used only when no other route matches the destination IP.
D.The router does not perform recursive resolution when the next-hop IP address is not directly connected.
E.The router always prefers routes with a higher administrative distance over those with a lower administrative distance.
F.A directly connected route is automatically installed in the routing table when an interface is configured with an IP address and is up/up.
AnswersA, C, F

Why this answer

The routing table uses longest prefix match (A) to find the most specific route. The default route (C) is used only when no other route matches. Directly connected routes (F) are automatically installed when the interface is up/up.

Option D is incorrect because the router does recursively resolve the next‑hop IP when it is not directly connected.

Exam trap

Cisco often tests the misconception that an exact match overrides a more specific route, but the longest prefix match rule always selects the route with the longest subnet mask, regardless of administrative distance or metric.

Why the other options are wrong

D

When the next-hop IP is not directly connected, the router does recursively resolve the address to determine the outgoing interface.

1075
MCQhard

Exhibit: SW2 receives superior BPDUs on both uplinks. One uplink becomes the root port and the other becomes alternate. Which factor is considered first when SW2 chooses the root port?

A.Lowest local interface MAC address
B.Lowest root path cost
C.Highest duplex setting
D.Lowest configured VLAN number
AnswerB

That is the first major comparison.

Why this answer

STP chooses the best path to the root bridge based first on the lowest root path cost. If the cost ties, it then checks the sender bridge ID and sender port ID as tie-breakers.

Exam trap

Remember that STP prioritizes root path cost first, not bridge or port IDs. Misunderstanding the order of evaluation can lead to incorrect answers.

Why the other options are wrong

A

This option is wrong because the selection of the root port is based on the lowest root path cost, not the local interface MAC address. The MAC address is not a factor in determining the root port in the Spanning Tree Protocol (STP) process.

C

This option is wrong because the selection of the root port in Spanning Tree Protocol (STP) is based on the lowest root path cost, not the duplex settings of the interfaces. Duplex settings do not influence the port selection process in STP.

D

The lowest configured VLAN number is not a factor in determining the root port in Spanning Tree Protocol (STP). The selection process prioritizes path cost, not VLAN configuration.
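The root-port election order given above (lowest root path cost, then lowest sender bridge ID, then lowest sender port ID) as an added Python example, written for this page rather than taken from any STP implementation; the Uplink class is an assumption, and the port costs are the classic Cisco 802.1D-1998 defaults.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Classic (802.1D-1998) Cisco default port costs by link speed in Mbps.
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


@dataclass(frozen=True)
class Uplink:
    """A superior BPDU received on one uplink of a non-root switch (constructed model)."""
    local_port: str
    speed_mbps: int                     # local link speed, giving the ingress port cost
    advertised_root_cost: int           # root path cost carried in the received BPDU
    sender_bridge_id: Tuple[int, str]   # (priority, MAC) of the neighbour that sent it
    sender_port_id: Tuple[int, int]     # (port priority, port number) on that neighbour
    local_mac: str = ""                 # NOT part of the decision (option A)
    vlan: int = 1                       # NOT part of the decision either (option D)

    @property
    def root_path_cost(self) -> int:
        # The receiving switch adds its own ingress port cost to the advertised cost.
        return self.advertised_root_cost + PORT_COST[self.speed_mbps]


def election_key(u: Uplink):
    """Comparison order: root path cost, then sender bridge ID, then sender port ID."""
    return (u.root_path_cost, u.sender_bridge_id, u.sender_port_id)


def elect_root_port(uplinks: List[Uplink]) -> Tuple[str, List[str], str]:
    """Return (root port, alternate ports, which comparison decided it)."""
    ranked = sorted(uplinks, key=election_key)
    best, runner_up = ranked[0], ranked[1]
    if best.root_path_cost != runner_up.root_path_cost:
        factor = "root path cost"
    elif best.sender_bridge_id != runner_up.sender_bridge_id:
        factor = "sender bridge ID"
    elif best.sender_port_id != runner_up.sender_port_id:
        factor = "sender port ID"
    else:
        factor = "no tie-breaker (identical BPDUs)"
    return best.local_port, [u.local_port for u in ranked[1:]], factor


if __name__ == "__main__":
    # Constructed SW2: both uplinks hear the root directly; Gi0/1 is 1 Gbps, Gi0/2 is 100 Mbps.
    sw2 = [Uplink("Gi0/1", 1000, 0, (32768, "0000.0000.0001"), (128, 1)),
           Uplink("Gi0/2", 100, 0, (32768, "0000.0000.0001"), (128, 2))]
    print(elect_root_port(sw2))   # Gi0/1 wins on root path cost (4 vs 19)
```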

1076
Matchingmedium

Match each service to the symptom it most directly relates to when troubleshooting.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Users can reach resources by IP but not by hostname

Hosts are not receiving IP settings automatically

Logs from different devices do not line up in time

Operations team needs visibility into traffic conversations

Why these pairings

Each service is paired with a symptom directly related to its malfunction.

Exam trap

Be careful not to confuse symptoms that often occur together (like congestion causing both drops and latency) with direct cause-and-effect relationships. The question asks for the most direct symptom, not a correlated one.

1077
PBQhard

You are connected to R1, a Cisco router that must establish OSPFv3 adjacency with R2 over its GigabitEthernet0/0 link. The link uses IPv6 addresses 2001:db8:1:1::1/64 on R1 and 2001:db8:1:1::2/64 on R2. R1 currently has IPv6 unicast routing enabled but no OSPFv3 process configured. Configure R1 so that it forms a full OSPFv3 neighbor relationship with R2 and installs the loopback network 2001:db8:2:2::/64 (advertised by R2) into its IPv6 routing table.

Network Topology
R1 G0/0 2001:db8:1:1::1/64 --- link --- G0/0 2001:db8:1:1::2/64 R2

Hints

  • OSPFv3 requires a router-id; use 1.1.1.1 for simplicity.
  • Activate OSPFv3 on the interface with the correct process ID and area.
  • Verify adjacency shows FULL state and the route appears in the IPv6 routing table.
A.ipv6 router ospf 1 router-id 1.1.1.1 interface GigabitEthernet0/0 ipv6 ospf 1 area 0
B.ipv6 router ospf 1 router-id 1.1.1.1 interface GigabitEthernet0/0 ipv6 ospf 1 area 0 network 2001:db8:1:1::0/64 area 0
C.ipv6 router ospf 1 router-id 1.1.1.1 interface GigabitEthernet0/0 ipv6 ospf 1 area 0 ipv6 ospf network point-to-point
D.ipv6 router ospf 1 router-id 1.1.1.1 interface GigabitEthernet0/0 ipv6 ospf 1 area 0 ipv6 ospf hello-interval 5
AnswerA
solution
! R1
ipv6 router ospf 1
router-id 1.1.1.1
interface GigabitEthernet0/0
ipv6 ospf 1 area 0

Why this answer

R1 requires OSPFv3 configuration: enable the process with 'ipv6 router ospf 1', set a router-id, then enable OSPFv3 on the interface with 'ipv6 ospf 1 area 0'. Option B incorrectly attempts to use a network command (OSPFv2 syntax). Option C sets a point-to-point network type, which on a broadcast link will mismatch with R2's default broadcast type and prevent adjacency.

Option D changes the hello interval to 5, causing a timer mismatch and adjacency failure.

Exam trap

Do not confuse OSPFv2 'network' commands with OSPFv3 interface configuration. Also, avoid adding unnecessary interface parameters that may disrupt adjacency.

Why the other options are wrong

B

The 'network' command is for OSPFv2 and does not exist in OSPFv3; interface configuration is done via interface commands.

C

Setting the network type to point-to-point changes the OSPF link type; without matching configuration on R2, adjacency will fail.

D

Mismatched hello intervals prevent OSPF neighbor relationships from forming.

1078
MCQhard

Exhibit: R1 has the static route 'ip route 0.0.0.0 0.0.0.0 192.0.2.2 200' and also learns a default route from OSPF. Which default route will be installed while the OSPF route is present?

A.The static default route
B.The OSPF default route
C.Both default routes with per-packet load balancing
D.Neither route because floating statics suppress dynamic defaults
AnswerB

Correct choice.

Why this answer

The OSPF external default route wins because its administrative distance is 110, which is lower than the floating static route's distance of 200. The static route is intentionally given a higher AD so it is used only as a backup.

Exam trap

A common exam trap is assuming that static routes always override dynamic routes because static routes have a default administrative distance of 1. However, in this question, the static route is configured with an administrative distance of 200, making it less preferred than the OSPF route with an AD of 110. This floating static route is intended as a backup and will not be installed while the OSPF route is present.

Misreading the static route’s AD or ignoring it leads to the incorrect conclusion that the static route will be used, which is a frequent mistake in CCNA routing questions.

Why the other options are wrong

A

The static default route has an administrative distance of 200, which is higher than OSPF’s 110. Therefore, it is less preferred and will not be installed while the OSPF route is present, making this option incorrect.

C

Cisco routers do not perform per-packet load balancing between routes with different administrative distances. The route with the lowest AD is installed exclusively, so this option is incorrect.

D

Floating static routes do not suppress dynamic routes; instead, they serve as backups when dynamic routes are unavailable. Therefore, the claim that neither route is installed is incorrect, because the OSPF route will be installed.

1079
Matchingmedium

Match each automation transport or interaction term to its most accurate description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Encrypted transport commonly used for API communication

Architectural style often using HTTP methods

Structured data format commonly used in API payloads

Credential-like value often used to control API access

Why these pairings

These are common automation transport or interaction patterns. Each pairing correctly describes the term as used in system integration and API design.

Exam trap

Be careful not to confuse RESTCONF (stateless) with NETCONF (stateful). Also, remember that gRPC and SSH are stateful protocols.

1080
Matchingmedium

Match each OSPF adjacency requirement or concept to its most accurate description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Must align between neighbors for stable adjacency formation

Must match on the shared OSPF segment

Identifies the router within the OSPF process

Stops hello exchange on that interface while still allowing advertisement of the connected network

Why these pairings

Hello/Dead timers must match between neighbors to form a stable OSPF adjacency; mismatched timers cause neighbor relationships to fail. Area must be identical on the shared OSPF segment because routers in different areas do not establish full adjacencies. Router ID uniquely identifies the router within the OSPF process, used for DR/BDR election and LSA origination.

Passive interface suppresses hello packets, preventing neighbor formation on that link, while still allowing the connected network to be advertised via the router's LSA.

Exam trap

Do not confuse the purpose of Hello packets with other OSPF mechanisms. Hello packets are for neighbor discovery and keepalives, not for exchanging routing information or computing routes.

1081
MCQhard

R1 and R2 should form an OSPF adjacency on their shared GigabitEthernet link, but they remain stuck in EXSTART. What is the most likely cause?

A.The routers are using different OSPF areas.
B.The interface MTU values do not match.
C.One side is configured as passive-interface.
D.The subnet mask on the link is incorrect.
AnswerB

This is the classic cause of OSPF neighbors getting stuck in EXSTART or EXCHANGE.

Why this answer

The MTU values do not match. OSPF neighbors can discover each other and even move through earlier states, but an MTU mismatch commonly leaves them stuck in EXSTART or EXCHANGE because the routers do not agree on database description packet sizing. Area mismatch, network mismatch, and passive-interface issues usually prevent a much earlier stage of adjacency formation.

Exam trap

A common exam trap is selecting area mismatch or passive-interface as the cause of OSPF adjacency stuck in ExStart. While area mismatch prevents neighbor formation entirely, and passive-interface stops hello packets, these issues cause earlier failures, not ExStart stalls. The ExStart state specifically involves negotiating database description packets, which requires matching MTU values.

Candidates often overlook MTU mismatches because neighbors appear in the topology, misleading them to suspect other configuration errors. Understanding that MTU mismatch allows neighbor discovery but blocks database synchronization is key to avoiding this trap.

Why the other options are wrong

A

Both routers are configured in area 0, so area mismatch is not the cause. Area mismatches prevent neighbor discovery, which would stop adjacency formation before ExStart.

C

If one interface is passive, OSPF hello packets are not sent, preventing neighbor formation altogether. This would stop adjacency formation earlier than ExStart.

D

The subnet mask is consistent on both sides, allowing neighbor discovery. Incorrect subnet masks would prevent neighbors from recognizing each other, blocking adjacency before ExStart.

1082
PBQhard

You are connected to WLC-1 via SSH. A new SSID 'CorpSecure' must be configured for 5 GHz clients using WPA3-Personal. However, after creation, clients can see the SSID but fail to associate. Review the WLC configuration and fix the issue so that clients can successfully associate and obtain an IP address from VLAN 100 (subnet 10.0.100.0/24).

Network Topology
Figure labels: Switch; G0/0 192.168.1.10/24 (Management, WLC-1); G0/1 10.0.0.1/30 (Upstream Router); G0/2 10.0.100.1/24 (Client VLAN 100)

Hints

  • Check the current security settings on the WLAN; they are using WPA2, not WPA3.
  • The radio policy is not set — clients may try to connect on 2.4 GHz, but the SSID should be 5 GHz only.
  • Ensure the WLAN is enabled after changes.
A.Change the WLAN security to WPA3-Personal, enable AES-CCMP for WPA3, set the radio policy to 5 GHz, and ensure the WLAN is mapped to the dynamic interface for VLAN 100.
B.Change the WLAN security to WPA2-Personal, enable TKIP encryption, and set the radio policy to 5 GHz.
C.Change the WLAN security to WPA3-Personal, enable AES-CCMP, but leave the radio policy as 'All' (both 2.4 GHz and 5 GHz).
D.Change the WLAN security to WPA3-Personal, enable AES-CCMP, set the radio policy to 5 GHz, but do not enable the WLAN after changes.
AnswerA
solution
! WLC-1
config wlan security wpa3 1 enable
config wlan security wpa3 psk 1 set ascii CorpSecurePass123
config wlan radio-policy 1 5ghz
config wlan enable 1
config wlan security wpa3 ciphers 1 aes-ccmp

Why this answer

The SSID was configured with WPA2 instead of WPA3. The WLC also had no radio policy set for 5 GHz only. To fix, change the WLAN security to WPA3-Personal, enable AES-CCMP for WPA3, and set the radio policy to 5 GHz.

Additionally, ensure the WLAN is mapped to the appropriate dynamic interface for VLAN 100, not the management interface, and that client VLAN 100 is reachable. The commands to modify the WLAN are: config wlan security wpa3 1 enable, config wlan security wpa3 psk ascii CorpSecurePass123 1, config wlan radio policy 802.11a-only 1, and config wlan enable 1.

Exam trap

Students often forget to change the radio policy from 'All' to a specific band, or they confuse WPA2 with WPA3. Also, they may overlook enabling the WLAN after configuration. Ensure you understand the specific requirements for WPA3 and the need to match the radio policy to the client band.

Why the other options are wrong

B

The specific factual error is that WPA2-Personal with TKIP does not meet the WPA3-Personal requirement; WPA3 mandates AES-CCMP.

C

The specific factual error is that the radio policy must be set to 5 GHz only, not 'All', to restrict access to 5 GHz clients.

D

The specific factual error is that the WLAN remains disabled, so clients cannot associate even if other settings are correct.

1083
MCQhard

A router shows the following route: O 10.10.40.0/24 [110/20] via 192.0.2.2, 00:00:12, GigabitEthernet0/0 What does the value 110 represent?

A.The OSPF cost to the destination
B.The administrative distance of OSPF
C.The number of hops to the destination
D.The route age in seconds
AnswerB

Correct. OSPF has a default administrative distance of 110.

Why this answer

In Cisco route output, the value in brackets is [administrative distance/metric].

Exam trap

A frequent exam trap is mistaking the administrative distance value for the OSPF cost or metric. The number 110 in the route output is the administrative distance, not the cost to reach the destination. The OSPF cost is the second number inside the brackets, which in this example is 20.

Confusing these values can lead to incorrect assumptions about route preference and path selection. Remember, administrative distance compares trustworthiness between routing protocols, while the metric determines the best path within a single protocol.

Why the other options are wrong

A

The OSPF cost to the destination is not represented by the first number in brackets; it is the second number. Therefore, 110 cannot be the OSPF cost.

C

The number of hops is not indicated by the value 110. OSPF does not use hop count as its metric, so this option is incorrect.

D

The route age is shown separately after the next-hop IP address and interface, not inside the brackets. Thus, 110 does not represent route age.
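The lookup rules from questions 1074 and 1078 and the [AD/metric] route format from question 1083, carried through in an added Python example (written for this page, not Cisco's forwarding code): it parses constructed 'show ip route'-style lines, installs only the lowest-AD route per prefix (so the floating static default and the static-versus-OSPF preference both come out as the answers state), then resolves a destination by longest prefix match with the default route as the last resort. The Route class, regexes and sample table are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# e.g. "O 10.10.40.0/24 [110/20] via 192.0.2.2, 00:00:12, GigabitEthernet0/0"
LEARNED_RE = re.compile(
    r"^(?P<code>\S+)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>[\d.]+)")
# e.g. "C 10.1.1.0/30 is directly connected, GigabitEthernet0/1"
CONNECTED_RE = re.compile(
    r"^(?P<code>[CL])\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+is directly connected,\s*(?P<intf>\S+)")


@dataclass(frozen=True)
class Route:
    code: str                          # routing source code, e.g. "O", "S*", "O*E2", "C"
    network: ipaddress.IPv4Network
    ad: int                            # administrative distance (first number in brackets)
    metric: int                        # protocol metric (second number in brackets)
    next_hop: Optional[str]            # None for connected routes

    @property
    def prefix(self) -> str:
        return str(self.network)


def parse_route(line: str) -> Route:
    """Parse one route line; connected routes get AD 0 and no next hop."""
    m = LEARNED_RE.match(line.strip())
    if m:
        return Route(m["code"], ipaddress.ip_network(m["prefix"]),
                     int(m["ad"]), int(m["metric"]), m["nh"])
    m = CONNECTED_RE.match(line.strip())
    if m:
        return Route(m["code"], ipaddress.ip_network(m["prefix"]), 0, 0, None)
    raise ValueError(f"unrecognised route line: {line!r}")


def parse_table(text: str) -> List[Route]:
    return [parse_route(l) for l in text.splitlines() if l.strip()]


def install(candidates: List[Route]) -> Dict[str, Route]:
    """RIB installation: per prefix, only the lowest AD survives; metric breaks ties within a protocol."""
    table: Dict[str, Route] = {}
    for r in candidates:
        current = table.get(r.prefix)
        if current is None or (r.ad, r.metric) < (current.ad, current.metric):
            table[r.prefix] = r
    return table


def lookup(table: Dict[str, Route], dest: str) -> Optional[Route]:
    """Longest prefix match over installed routes; 0.0.0.0/0 only wins when nothing else matches."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in table.values() if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: r.network.prefixlen)


# Constructed sample (not real device output): a floating static default (AD 200) next to an
# OSPF default, a static and an OSPF route to the same /24, and an overlapping static /16.
SAMPLE_SHOW_IP_ROUTE = """
C 192.0.2.0/30 is directly connected, GigabitEthernet0/0
C 10.1.1.0/30 is directly connected, GigabitEthernet0/1
C 10.2.2.0/30 is directly connected, GigabitEthernet0/2
O 10.10.40.0/24 [110/20] via 192.0.2.2, 00:00:12, GigabitEthernet0/0
S 10.10.0.0/16 [1/0] via 10.1.1.2
S 192.168.10.0/24 [1/0] via 10.1.1.2
O 192.168.10.0/24 [110/30] via 10.2.2.2, 00:01:05, GigabitEthernet0/2
S* 0.0.0.0/0 [200/0] via 192.0.2.2
O*E2 0.0.0.0/0 [110/1] via 10.2.2.2, 00:02:10, GigabitEthernet0/2
"""

if __name__ == "__main__":
    rib = install(parse_table(SAMPLE_SHOW_IP_ROUTE))
    for dest in ("10.10.40.7", "10.10.50.7", "192.168.10.9", "10.1.1.1", "8.8.8.8"):
        r = lookup(rib, dest)
        print(f"{dest:>14} -> {r.code} {r.prefix} [{r.ad}/{r.metric}] via {r.next_hop}")
```

The 10.10.40.7 lookup is the exam trap from question 1074: the OSPF /24 beats the static /16 even though the static route has the lower AD, because prefix length is compared before AD.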

1084
Multi-Selectmedium

Which two statements about NTP are correct? (Choose two.)

Select 2 answers
A.Accurate time helps correlate log messages across multiple devices.
B.NTP replaces the need for DNS in enterprise networks.
C.NTP synchronizes clocks between network devices and time sources.
D.NTP is used to negotiate EtherChannel parameters.
AnswersA, C

Correct. Synchronized timestamps improve troubleshooting.

Why this answer

NTP synchronizes time across devices, which is important for logging, certificates, and event correlation.

Exam trap

A common exam trap is mistaking NTP for a service that replaces DNS or manages link aggregation like EtherChannel. Some candidates incorrectly believe NTP handles domain name resolution or negotiates EtherChannel parameters because these are also fundamental network services. However, NTP’s sole purpose is to synchronize time across devices.

Selecting options that confuse NTP with DNS or EtherChannel leads to incorrect answers. Understanding that NTP only manages time synchronization helps avoid this trap and ensures accurate selection of correct options related to time correlation and clock synchronization.

Why the other options are wrong

B

This option is incorrect because NTP does not replace DNS. DNS resolves domain names to IP addresses, while NTP only synchronizes time across devices.

D

This option is incorrect because NTP does not negotiate EtherChannel parameters. EtherChannel negotiation is handled by protocols like PAgP or LACP, unrelated to time synchronization.

1085
MCQ (hard)

A network engineer notices that R1 is using the static route to 192.168.10.0/24 via next-hop 10.1.1.2 instead of the OSPF route via 10.2.2.2, even though the OSPF path has lower latency. What is the most likely cause?

A. The static route has a lower administrative distance than the OSPF route.
B. The OSPF route has a higher metric than the static route.
C. Equal-cost multi-path (ECMP) is disabled for OSPF.
D. The static route is configured with a higher next-hop IP address, so it is preferred.
Answer: A

Administrative distance is the first criterion used to select routes from different routing protocols. A static route has an AD of 1, while OSPF has an AD of 110. The lower AD wins, so the static route is installed in the routing table and used for forwarding, regardless of the OSPF path's better performance.

Why this answer

The static route is preferred because it has an administrative distance (AD) of 1, which is lower than OSPF's AD of 110. When multiple routes to the same destination exist from different routing sources, the route with the lowest AD is selected first. The static route's path might be slower, but AD comparison happens before any metric comparison.

To use the OSPF path, the static route must be removed or given a higher AD.

Exam trap

Many candidates mistakenly believe that the best path is determined solely by metric, and they might select option B, assuming the static route’s lower metric causes it to be preferred. However, administrative distance is evaluated before metrics.

Why the other options are wrong

B

This reflects the common misconception that metrics are compared across different routing protocols. In reality, AD is evaluated first, and only routes from the same protocol (equal AD) are compared by metric.

C

This mistakes ECMP for the mechanism that chooses between two routes from different sources; in this scenario the static route's lower AD disqualifies the OSPF route entirely, so ECMP never comes into play.

D

This wrongly assumes that the next-hop IP address, rather than administrative distance and metric, influences path selection; the numeric value of a next-hop address plays no role in route preference.
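
To make the AD-before-metric rule concrete, here is an added Python example written for this page (it is not part of the question bank): it models the choice a router makes for one prefix and also parses the [AD/metric] bracket from a 'show ip route' line. The DEFAULT_AD table, the Candidate class and the two route candidates (static via 10.1.1.2, OSPF via 10.2.2.2) are constructed for the example; the OSPF cost of 20 and the floating-static AD of 115 are assumed values, not figures from the question.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed table of default administrative distances on Cisco IOS. The page
# states static = 1 and OSPF = 110; the other values are standard IOS defaults.
DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}

# Matches the "[AD/metric]" bracket in a 'show ip route' line.
BRACKET = re.compile(r"\[(\d+)/(\d+)\]")


def parse_bracket(route_line: str) -> Optional[tuple]:
    """Return (administrative distance, metric) from a 'show ip route' line.

    The number before the slash is the AD (110 for OSPF); the number after it
    is the protocol's metric (the OSPF cost). Connected routes have no bracket,
    so None is returned for them.
    """
    match = BRACKET.search(route_line)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


@dataclass(frozen=True)
class Candidate:
    """One route to a prefix as learned from a single routing source."""
    prefix: str
    source: str               # "static", "ospf", ...
    metric: int               # the protocol's own metric (cost, hop count, ...)
    next_hop: str
    ad: Optional[int] = None  # explicit AD override, e.g. a floating static route


def effective_ad(route: Candidate) -> int:
    return route.ad if route.ad is not None else DEFAULT_AD[route.source]


def best_routes(candidates: List[Candidate]) -> List[Candidate]:
    """Return the route(s) a router installs for one prefix.

    AD is compared first across all sources. Only candidates tied on the lowest
    AD are compared by metric, so an OSPF route with a better path can never
    displace a static route that keeps its default AD of 1. Candidates tied on
    both AD and metric are all returned (equal-cost paths), hence the list.
    """
    if not candidates:
        return []
    lowest_ad = min(effective_ad(c) for c in candidates)
    tied_on_ad = [c for c in candidates if effective_ad(c) == lowest_ad]
    lowest_metric = min(c.metric for c in tied_on_ad)
    return [c for c in tied_on_ad if c.metric == lowest_metric]


# Constructed scenario from the question: the static route via 10.1.1.2 and the
# OSPF route via 10.2.2.2. The OSPF cost (20) and the floating-static AD (115)
# are assumed values, not figures from the question.
STATIC = Candidate("192.168.10.0/24", "static", 0, "10.1.1.2")
OSPF = Candidate("192.168.10.0/24", "ospf", 20, "10.2.2.2")
FLOATING_STATIC = Candidate("192.168.10.0/24", "static", 0, "10.1.1.2", ad=115)

if __name__ == "__main__":
    print(best_routes([STATIC, OSPF]))           # the static route wins on AD 1 vs 110
    print(best_routes([FLOATING_STATIC, OSPF]))  # raise the static AD above 110 and OSPF wins
    print(parse_bracket("O  192.168.10.0/24 [110/20] via 10.2.2.2, 00:05:12, Serial0/0"))
```

The second call shows the fix the explanation mentions: re-entering the static route with an AD above 110 (a floating static) lets the OSPF route win without removing the static route, which then only takes over if OSPF withdraws its route.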

1086
MCQ (medium)

Given the JSON snippet below, what is the value of hostname?

{ "device": { "hostname": "R1", "mgmt_ip": "192.0.2.10" } }

A. device
B. hostname
C. R1
D. 192.0.2.10
Answer: C

Correct. R1 is the value assigned to hostname.

Why this answer

The key hostname inside the device object has the value R1.

Exam trap

Be careful not to confuse keys with their values in JSON objects. Ensure you are extracting the correct value by identifying the correct key.

Why the other options are wrong

A

The option 'device' is incorrect because it refers to the key in the JSON structure, not the value associated with the 'hostname' key. The question specifically asks for the value of 'hostname'.

B

Option B is incorrect because it simply repeats the key 'hostname' from the JSON structure without providing the actual value associated with it, which is what the question asks for.

D

This option is wrong because the question specifically asks for the value of 'hostname', which is defined as 'R1' in the JSON snippet. '192.0.2.10' is the value of 'mgmt_ip', not 'hostname'.

1087
MCQ (hard)

A network administrator is troubleshooting connectivity issues between two switches. Hosts connected to Switch A cannot ping hosts on Switch B. The link between the switches shows as up/up on both ends, but interface error counters (CRC, runts) are increasing rapidly. What should the administrator do to resolve the issue?

A. Replace the faulty cable between the two switches.
B. Change the duplex setting on SwitchA's interface to auto-negotiation.
C. Replace the SFP module on SwitchA's GigabitEthernet0/1 port.
D. Enable the interface with 'no shutdown' command.
Answer: B

The interface is manually set to full-duplex, but the remote side is likely auto-negotiating. Setting both to auto or both to full-duplex resolves the mismatch.

Why this answer

The increasing CRC and runts errors on an up/up link indicate a duplex mismatch, where one side is using full duplex and the other half duplex. Assuming SwitchB is using auto-negotiation (the default on Cisco switches), changing SwitchA's interface to auto-negotiation will allow both ends to negotiate the correct duplex setting, resolving the mismatch and stopping the errors.

Exam trap

Cisco often tests the misconception that a link showing 'up/up' means the physical layer is perfect, when in reality duplex mismatch causes high error rates while keeping the interface up, leading candidates to incorrectly suspect cable or hardware faults.

Why the other options are wrong

A

Cable issues would manifest as input errors or interface flapping, but the counters show zero errors.

C

No errors are reported, so the SFP is functioning correctly.

D

The 'show interface' output clearly shows the interface is up, so no shutdown is not needed.

1088
Multi-Select (medium)

Which two statements about standard and extended IPv4 ACLs are correct?

Select 2 answers
A. A standard ACL matches only the source IPv4 address.
B. An extended ACL can match protocol information and Layer 4 ports.
C. A standard ACL is normally placed as close to the source as possible.
D. An extended ACL cannot filter ICMP traffic.
E. Both ACL types require named ACL syntax to match traffic.
Answers: A, B

That is the key limitation of a standard ACL.

Why this answer

Standard ACLs match only the source IPv4 address, while extended ACLs can match protocol and source and destination details including ports. Because standard ACLs are less granular, they are usually placed closer to the destination. Extended ACLs are usually placed closer to the source.

Exam trap

A frequent exam trap is assuming that standard ACLs can filter traffic based on protocol types or Layer 4 ports, which they cannot. This misconception leads to incorrect placement decisions, such as placing standard ACLs near the source, which risks blocking legitimate traffic from other sources. Another trap is believing extended ACLs cannot filter ICMP traffic, but extended ACLs do support ICMP filtering.

Misunderstanding these facts can cause confusion in both exam scenarios and real-world network design, resulting in incorrect ACL configurations and ineffective traffic control.

Why the other options are wrong

C

This option is incorrect because standard ACLs are usually placed closer to the destination, not the source, to avoid blocking legitimate traffic from other sources.

D

This option is incorrect since extended ACLs can filter ICMP traffic by specifying the ICMP protocol in the ACL configuration.

E

This option is incorrect because both numbered and named ACLs are valid for standard and extended ACLs; named ACL syntax is not required.
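
The difference between the two ACL types is easiest to see in code. The Python below is an added example written for this page (not the question bank's material): it parses IOS-style standard and extended entries and evaluates packets against them with the implicit deny at the end. The Packet class, the sample ACLs (a standard list permitting 192.168.10.0/24 and an extended list permitting only TCP/443 and ICMP from that subnet) and the function names are constructed for the example; the address/wildcard notation and the first-match, implicit-deny behaviour are how IOS ACLs work.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: only the fields an ACL can look at."""
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class StdEntry:
    permit: bool
    src: ipaddress.IPv4Network


@dataclass(frozen=True)
class ExtEntry:
    permit: bool
    proto: str                 # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]       # None matches any destination port


def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn IOS 'address wildcard' notation into a network.

    The wildcard is inverted into a netmask explicitly; only contiguous
    wildcards are supported here (IOS also accepts non-contiguous ones).
    """
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)


def _take_address(tokens: List[str], i: int):
    """Consume 'any', 'host X' or 'X WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_standard(line: str) -> StdEntry:
    """e.g. 'permit 192.168.10.0 0.0.0.255': a source address and nothing else."""
    tokens = line.split()
    src, _ = _take_address(tokens, 1)
    return StdEntry(tokens[0] == "permit", src)


def parse_extended(line: str) -> ExtEntry:
    """e.g. 'permit tcp 192.168.10.0 0.0.0.255 any eq 443'."""
    tokens = line.split()
    src, i = _take_address(tokens, 2)
    dst, i = _take_address(tokens, i)
    dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
    return ExtEntry(tokens[0] == "permit", tokens[1], src, dst, dport)


def eval_standard(acl: List[StdEntry], pkt: Packet) -> bool:
    """First matching entry decides; only the source address is examined."""
    src = ipaddress.IPv4Address(pkt.src)
    for entry in acl:
        if src in entry.src:
            return entry.permit
    return False               # implicit deny at the end of every ACL


def eval_extended(acl: List[ExtEntry], pkt: Packet) -> bool:
    """First matching entry decides; protocol, both addresses and the port all count."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for entry in acl:
        if entry.proto not in ("ip", pkt.proto):
            continue
        if src not in entry.src or dst not in entry.dst:
            continue
        if entry.dport is not None and entry.dport != pkt.dport:
            continue
        return entry.permit
    return False               # implicit deny


# Constructed ACLs for the example (not from the question bank).
STANDARD_10 = [parse_standard("permit 192.168.10.0 0.0.0.255")]
EXTENDED_100 = [
    parse_extended("permit tcp 192.168.10.0 0.0.0.255 any eq 443"),
    parse_extended("permit icmp 192.168.10.0 0.0.0.255 any"),
]

if __name__ == "__main__":
    web = Packet("tcp", "192.168.10.5", "203.0.113.9", 80)
    print(eval_standard(STANDARD_10, web))   # True: the standard ACL cannot see port 80
    print(eval_extended(EXTENDED_100, web))  # False: only 443 and ICMP are permitted
```

The placement rule follows directly from what each evaluator can see: a standard ACL applied near the source would drop every packet from the permitted-or-denied source regardless of where it is going, which is why it belongs near the destination, whereas the extended ACL can identify the exact flow and so can safely be applied near the source.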

1089
Drag & Drop (medium)

Drag and drop the following steps into the correct order to configure and recover from a BPDU guard violation on a PortFast-enabled access port.


Why this order

PortFast and BPDU guard are configured first; violation is induced; recovery requires an interface shutdown/no shutdown; verification confirms the fix.

Exam trap

The trap is that candidates may confuse the order of configuration, violation, recovery, and verification. Remember that configuration always comes first, then the event, then recovery, then verification.

1090
Multi-Select (medium)

Which two statements accurately describe why source restriction and logging are often used together for administrative access?

Select 2 answers
A. Source restriction narrows the allowed origin space for administrative sessions.
B. Logging improves visibility and accountability for what happened during administrative access.
C. Logging removes the need for authentication.
D. Source restriction works only when Syslog is disabled.
E. Both controls exist only for guest wireless networks.
Answers: A, B

This is correct because source filtering reduces where management traffic is permitted from.

Why this answer

Source restriction and logging are often used together because they help answer two different security questions. In practical terms, source restriction limits where administrative sessions may originate, while logging helps show what happened once access was attempted or granted. This combination improves both exposure reduction and post-event visibility.

This is a strong layered-security reasoning item because it focuses on complementary controls rather than one-control thinking.

Exam trap

A frequent exam trap is to believe that logging can replace source restriction or that source restriction only works if logging is disabled. Candidates may incorrectly think that visibility through logs is enough to secure administrative access, ignoring the importance of limiting where management sessions can originate. Another mistake is to assume these controls are only relevant for guest wireless networks, which is false because they apply broadly to all management-plane security.

Understanding that source restriction and logging serve distinct but complementary roles is critical to avoid this trap.

Why the other options are wrong

C

Logging provides visibility but does not replace authentication; authentication is still required for access.

D

Source restriction operates independently of Syslog; it does not require Syslog to be disabled or enabled.

E

Source restriction and logging apply to all administrative access, not just guest wireless networks, so option E is too narrow a context.

1091
PBQ (hard)

You are connected to a multilayer switch MLS1. Configure it so that IP phones connected to FastEthernet 0/1 and FastEthernet 0/2 use voice VLAN 20 and receive power via PoE. Additionally, FastEthernet 0/3 must be configured as an access port for a wireless access point (AP) on VLAN 30, with PoE enabled. Verify your configuration using 'show interfaces switchport' and 'show power inline'.

Hints

  • Voice VLAN is configured on the access port interface, not globally.
  • The command 'switchport voice vlan <vlan-id>' does not change the access VLAN; it adds a separate VLAN for voice traffic.
  • PoE is already enabled by default with 'power inline auto' — verify it is not disabled.
A. Configure 'switchport voice vlan 20' on Fa0/1 and Fa0/2; ensure PoE is enabled (auto) on all three ports.
B. Configure 'switchport mode trunk' on Fa0/1 and Fa0/2, and set the native VLAN to 20; enable PoE on Fa0/3.
C. Configure 'switchport access vlan 20' on Fa0/1 and Fa0/2, and 'switchport voice vlan 30' on Fa0/3; enable PoE globally.
D. Configure 'power inline never' on Fa0/1 and Fa0/2, and 'switchport voice vlan 20' on Fa0/3; ensure Fa0/3 is in trunk mode.
Answer: A
Solution
! MLS1
interface FastEthernet0/1
switchport voice vlan 20
exit
interface FastEthernet0/2
switchport voice vlan 20
exit

Why this answer

The switch ports Fa0/1 and Fa0/2 are currently configured as access ports on VLAN 10, with no voice VLAN. To support IP phones, you must configure a voice VLAN (VLAN 20) on these interfaces. Additionally, PoE is already enabled (auto) but needs to remain active.

For Fa0/3, it is already an access port on VLAN 30, which is correct for an AP, but you must ensure PoE is enabled (it is). The missing configuration for Fa0/1 and Fa0/2 is the 'switchport voice vlan 20' command. After applying, verify using 'show interfaces switchport' to see the voice VLAN set, and 'show power inline' to confirm PoE delivery.

Exam trap

The exam trap is that candidates may think they need to change the access VLAN to the voice VLAN, or that they need to configure trunk ports for IP phones. Remember that IP phones use a special access port configuration with a separate voice VLAN. Also, PoE is enabled by default; do not disable it.

Why the other options are wrong

B

IP phones connect to access ports with a voice VLAN, not to trunk ports; the native VLAN concept is misapplied here.

C

Changing the access VLAN to 20 would place the PC on the voice VLAN, which is wrong. The AP does not need a voice VLAN, and PoE is configured per interface, not globally.

D

Disabling PoE on the IP phone ports prevents them from powering on, the voice VLAN is applied to the wrong interface, and trunk mode is unnecessary for an AP.

1092
Drag & Drop (hard)

Drag and drop the following steps into the correct order to configure a Cisco IOS-XE router as a DHCP relay agent and verify the DHCP DORA process for a client on a remote subnet.


Why this order

The relay agent must be configured first by setting the ip helper-address on the client-facing interface, then verifying connectivity to the DHCP server. The DORA process should be observed using a relay-specific debug command such as debug ip dhcp relay; the originally listed debug ip dhcp server packet would show no output on a pure relay agent, making it incorrect for verification.

Exam trap

A common trap is placing the ip helper-address on the wrong interface or using the wrong debug command. Always place the helper address on the client-facing interface, and verify relay operation with debug ip dhcp relay, not debug ip dhcp server packet.

1093
MCQ (medium)

Which field is modified by each router hop in an IPv4 packet to prevent endless forwarding loops?

A. Source port
B. TTL
C. Sequence number
D. CRC in the Ethernet trailer
Answer: B

Correct. TTL is reduced each time the packet crosses a router.

Why this answer

The Time to Live field is decremented at each hop.

Exam trap

A frequent exam trap is selecting transport-layer fields like source port or sequence number as the field modified by each router hop. These fields are part of TCP or UDP headers and remain unchanged by routers during forwarding. Another common mistake is confusing the Ethernet frame CRC with the TTL; while the CRC is recalculated on each link to verify frame integrity, it does not control packet lifetime or prevent routing loops.

Misunderstanding these distinctions can lead to incorrect answers about how routers manage packet forwarding and loop prevention.

Why the other options are wrong

A

Source port is a transport-layer field used by TCP/UDP to identify application endpoints and is not modified by routers during forwarding, so it cannot prevent forwarding loops.

C

Sequence number is part of the transport layer used for ordering segments in TCP and is not altered by routers, so it does not affect packet forwarding or loop prevention.

D

CRC in the Ethernet trailer is recalculated on each link to verify frame integrity but does not influence IP packet forwarding decisions or prevent routing loops.

1094
MCQ (medium)

Which spanning-tree port role receives the best BPDU toward the root bridge on a nonroot switch?

A. Designated port
B. Alternate port
C. Root port
D. Disabled port
Answer: C

Correct. The root port points toward the root bridge.

Why this answer

The root port is the port on a nonroot switch with the lowest path cost to the root bridge.

Exam trap

Be careful not to confuse port roles. Remember, the root port is specifically for receiving the best BPDU toward the root bridge, not for forwarding or redundancy.

Why the other options are wrong

A

The designated port is responsible for forwarding traffic to and from a network segment and does not receive the best BPDU toward the root bridge; instead, it sends BPDUs to other ports. Therefore, it cannot be the correct answer for identifying the port role that receives the best BPDU on a nonroot switch.

B

The alternate port does not receive the best BPDU toward the root bridge; instead, it serves as a backup path to the root bridge when the primary path fails. It is in a blocking state and does not forward traffic.

D

A Disabled port does not participate in the Spanning Tree Protocol (STP) and does not receive any BPDUs, making it incapable of receiving the best BPDU toward the root bridge.

1095
PBQ (medium)

You are connected to SW1 via the console. SW1 is a Layer 2 switch connected to router R1 via trunk link G0/1. R1 performs inter-VLAN routing using subinterfaces. VLANs 10, 20, and 30 exist on SW1. Hosts in VLAN 10 (192.168.10.0/24) can ping R1's subinterface, but cannot communicate with hosts in VLAN 20. You suspect the trunk is not allowing VLAN 20 traffic.

Network Topology (figure): R1 G0/0.10 192.168.10.1 -- trunk -- SW1 G0/1

Hints

  • Check which VLANs are allowed on the trunk.
  • The 'allowed vlan' command can be used to add or remove VLANs.
  • Verify that VLAN 20 exists on the switch.
A. Configure 'switchport trunk allowed vlan add 20' on SW1's G0/1 interface.
B. Configure 'switchport mode access' on SW1's G0/1 interface.
C. Configure 'switchport trunk native vlan 20' on SW1's G0/1 interface.
D. Configure 'switchport trunk allowed vlan except 20' on SW1's G0/1 interface.
Answer: A
Solution
! SW1
interface GigabitEthernet0/1
switchport trunk allowed vlan add 20

Why this answer

Trunks carry traffic for multiple VLANs. The 'switchport trunk allowed vlan' command restricts which VLANs are permitted. Initially, VLAN 20 was not in the allowed list, so traffic was dropped.

Adding VLAN 20 to the allowed list resolves the issue.

Exam trap

Be careful with the syntax of 'switchport trunk allowed vlan'. The 'add' keyword is necessary to include a VLAN without removing others; omitting 'add' replaces the entire list. Also, 'except' excludes the specified VLAN, which is the opposite of what you want.

Why the other options are wrong

B

Access mode carries only a single VLAN, so it would stop inter-VLAN routing entirely.

C

The native VLAN is for untagged frames; changing it does not add VLAN 20 to the allowed list.

D

The 'except' keyword excludes the specified VLAN, so it would prevent VLAN 20 from being carried.

1096
PBQ (medium)

You are connected to SW1 via the console. SW1 is a Layer 2 switch with two VLANs: VLAN 10 (Sales) and VLAN 20 (Engineering). A router R1 is connected to port G0/1 on SW1 for inter-VLAN routing. Currently, the router is not routing between VLANs because the trunk is not configured correctly. Configure the switch port as a trunk and ensure the router can route between VLANs using subinterfaces (Router-on-a-Stick).

Network Topology (figure): R1 G0/0 -- SW1 G0/1

Hints

  • The router expects a trunk link to carry multiple VLANs.
  • Allowed VLAN list must include only the VLANs that need routing.
  • The switch port must be in trunk mode, not access.
A. Configure the switch port as a trunk with 802.1Q encapsulation and allow VLANs 10 and 20.
B. Configure the switch port as an access port in VLAN 10 and add VLAN 20 as a secondary VLAN.
C. Configure the switch port as a trunk with ISL encapsulation and allow all VLANs.
D. Configure the switch port as a trunk with 802.1Q encapsulation and allow VLANs 1, 10, and 20.
Answer: A
Solution
! SW1
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10,20

Why this answer

The switch port was in access mode, which only carries one VLAN. Changing it to trunk with 802.1Q encapsulation allows multiple VLANs to traverse to the router. The allowed VLAN list restricts to VLANs 10 and 20 for security.

Exam trap

The trap is that candidates may confuse trunking with access ports, use outdated encapsulation (ISL), or include unnecessary VLANs like VLAN 1. Always remember that for Router-on-a-Stick, the switch port must be a trunk with 802.1Q and only allow the required VLANs.

Why the other options are wrong

B

Access ports cannot carry multiple VLANs; they are assigned to a single VLAN. The concept of secondary VLAN does not exist for access ports.

C

ISL encapsulation is deprecated in favor of 802.1Q, which is the industry standard. Allowing all VLANs violates the principle of least privilege.

D

Including VLAN 1 is unnecessary and can be a security concern. The allowed VLAN list should be restricted to only the VLANs that need to be routed.
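
Both trunk items above turn on how 'switchport trunk allowed vlan' edits the list: 1095 adds one VLAN with the 'add' keyword, while 1096 replaces the whole list with '10,20'. The Python below is an added model of that command written for this page; it is not part of the question bank. The default list of 1-4094 and the keyword behaviour (a bare list replaces, 'add', 'remove', 'except', 'all', 'none') are what IOS does; the function names and the sample sequence are constructed for the example.

```python
from typing import Set

# IOS default: a new trunk allows every VLAN, 1-4094.
ALL_VLANS = frozenset(range(1, 4095))


def parse_vlan_list(text: str) -> Set[int]:
    """Parse an IOS VLAN list such as '10,20' or '1-5,10,100-200'."""
    vlans: Set[int] = set()
    for part in text.split(","):
        if "-" in part:
            low, high = (int(x) for x in part.split("-"))
            vlans.update(range(low, high + 1))
        else:
            vlans.add(int(part))
    return vlans


def apply_allowed_vlan(current: Set[int], argument: str) -> Set[int]:
    """Model 'switchport trunk allowed vlan <argument>' against the current list.

    Forms handled: a bare list (replaces the whole list), 'add <list>',
    'remove <list>', 'except <list>' (everything but the list), 'all', 'none'.
    """
    words = argument.split(maxsplit=1)
    keyword = words[0]
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "add":
        return current | parse_vlan_list(words[1])
    if keyword == "remove":
        return current - parse_vlan_list(words[1])
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(words[1])
    return parse_vlan_list(argument)      # bare list: replaces, does not add


def allowed_text(vlans: Set[int]) -> str:
    """Render a VLAN set the way 'show interfaces trunk' prints it (ranges collapsed)."""
    ordered = sorted(vlans)
    parts = []
    i = 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1] == ordered[j] + 1:
            j += 1
        parts.append(str(ordered[i]) if i == j else f"{ordered[i]}-{ordered[j]}")
        i = j + 1
    return ",".join(parts) or "none"


if __name__ == "__main__":
    trunk = set(ALL_VLANS)
    trunk = apply_allowed_vlan(trunk, "10")        # replaces the list: only VLAN 10 now
    trunk = apply_allowed_vlan(trunk, "add 20")    # question 1095: VLAN 20 joins VLAN 10
    print(allowed_text(trunk))
    print(allowed_text(apply_allowed_vlan(trunk, "20")))         # forgetting 'add': 20 only
    print(allowed_text(apply_allowed_vlan(trunk, "except 20")))  # everything but 20
```

The trap from 1095 shows up as the difference between the 'add 20' and bare '20' calls: the first yields 10,20, the second silently drops VLAN 10 from the trunk.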

1097
MCQ (hard)

The SVI for VLAN 20 has `ip nat outside` and the WAN interface has `ip nat inside`. Hosts in VLAN 20 must reach the internet through PAT, but users report no external connectivity. Which configuration issue best explains the problem?

A. The ACL should deny 192.168.20.0/24 instead of permit it
B. The interfaces are marked with inside and outside in the wrong places
C. PAT cannot be used with a /30 WAN link
D. NAT overload requires a route-map instead of an ACL
Answer: B

Reversed NAT roles stop the expected translations.

Why this answer

NAT overload works only when the inside and outside interfaces are identified correctly. Here the roles are reversed, so translations are not built in the right direction.

Exam trap

A frequent exam trap is assuming that the ACL or the subnet mask is the cause of NAT failure when the real issue is reversed inside and outside interface roles. Candidates often overlook the importance of interface designation commands (ip nat inside and ip nat outside), which are crucial for NAT operation. Without correct interface roles, the router cannot translate addresses properly, causing hosts to lose external connectivity even if ACLs and routing are correct.

This trap is tempting because ACLs and subnetting are more familiar concepts, but interface roles are equally critical for NAT to function.

Why the other options are wrong

A

Option A is incorrect because the ACL used for NAT must permit the inside local subnet (192.168.20.0/24) to allow translation. Denying this subnet would block NAT translation, but the question states the ACL permits it, so this is not the cause.

C

Option C is incorrect because a /30 WAN link is commonly used in point-to-point connections and does not prevent PAT from functioning. PAT works independently of the WAN subnet size.

D

Option D is incorrect because NAT overload can be configured using a standard ACL; a route-map is optional and not required. The absence of a route-map does not cause the connectivity issue described.

1098
Multi-Select (medium)

Which three of the following are key applications of AI and machine learning in modern network operations? (Choose three.)

Select 3 answers
A. Automated anomaly detection and root cause analysis
B. Predictive capacity planning based on traffic trends
C. Dynamic routing protocol configuration using reinforcement learning
D. Real-time security threat identification via behavioral analysis
E. Replacing all manual network configuration with fully autonomous AI
F. Static threshold-based alerting for interface errors
Answers: A, B, D

Why this answer

Automated anomaly detection and root cause analysis are key AI/ML applications because they continuously analyze telemetry data to spot deviations and pinpoint failures without manual intervention, a core AIOps capability. Predictive capacity planning uses ML on traffic trends to forecast bandwidth needs and avoid congestion before it occurs. Real-time security threat identification via behavioral analysis applies machine learning to baseline normal traffic and flag unusual patterns indicative of attacks.

In contrast, fully autonomous AI replacing all manual configuration is not an operational reality; human oversight remains essential. Static threshold-based alerting is a simple rule-based method that does not involve ML. Dynamic routing protocol configuration using reinforcement learning remains experimental and is not a standard or production-ready AI/ML application in modern networks.

Exam trap

Candidates often confuse experimental AI research (like reinforcement learning for routing) with the operational AI/ML tools already deployed in platforms such as Cisco DNA Center, leading them to select options that are not practical CCNA-level applications.

Why the other options are wrong

C

While reinforcement learning has been studied for routing optimization, it is not a mainstream, production-grade AI/ML application in today's enterprise networks and is considered experimental.

E

Fully autonomous AI that replaces all manual configuration is aspirational, not a current operational reality; network engineers still design, validate, and override AI suggestions.

F

Static threshold-based alerting uses fixed numerical triggers and does not employ machine learning algorithms, making it a legacy monitoring approach, not an AI/ML application.

1099
Drag & Drop (medium)

Drag and drop the following steps into the correct order to configure spanning-tree protection features including BPDU Guard, Root Guard, and Loop Guard on a Cisco switch.


Why this order

The correct order is: (1) Identify edge ports connected to end devices. (2) Configure spanning-tree portfast on those interfaces. (3) Enable BPDU Guard using the spanning-tree portfast bpduguard default global command. (4) Identify ports connected to other switches that should never become the root bridge. (5) Enable Root Guard on those interfaces with spanning-tree guard root. (6) Identify point-to-point non-edge ports susceptible to unidirectional link failures. (7) Enable Loop Guard on those interfaces with spanning-tree guard loop. This sequence first secures edge ports with PortFast and BPDU Guard to prevent accidental network loops and BPDU-based attacks, then applies Root Guard on ports where a superior BPDU should never be received to protect the root bridge placement, and finally implements Loop Guard on non-edge point-to-point links to guard against unidirectional link failures that could cause bridging loops. Identifying the ports before applying configurations ensures proper placement of each protection mechanism.

1100
PBQ (medium)

You are connected to R1 via console. R1 connects three subnets: 10.0.1.0/24 (area 0), 10.0.2.0/24 (area 0), and 10.0.3.0/24 (area 0). The serial link to R2 uses IP subnet 10.0.0.0/30 and is in OSPF area 1. The network administrator wants to advertise a single summary route for these three subnets to R2, reducing the OSPF link-state database size in area 1. R1 is already running OSPF with network statements for its connected subnets in their respective areas. You need to configure route summarization on R1 so that only the summary route is advertised to R2 via the serial link.

Hints

  • Summarization in OSPF is configured under the router ospf process using the area range command.
  • The summary route must cover all subnets with a single prefix.
  • Verify that the summary route appears in the OSPF database as a type 3 summary LSA.
A. router ospf 1 / area 0 range 10.0.0.0 255.255.252.0
B. router ospf 1 / summary-address 10.0.0.0 255.255.252.0
C. interface serial 0/0/0 / ip summary-address ospf 1 10.0.0.0 255.255.252.0
D. router ospf 1 / area 0 range 10.0.0.0 255.255.255.0
Answer: A
Solution
! R1
router ospf 1
area 0 range 10.0.0.0 255.255.252.0

Why this answer

The 'area 0 range' command creates a summary route for the specified range, which is then advertised as a type 3 summary LSA to other areas. This reduces routing table size and prevents flapping.

Exam trap

Be careful not to confuse OSPF summarization commands with those of other routing protocols. OSPF uses 'area range' for internal summarization and 'summary-address' for external routes, while EIGRP uses 'summary-address' on interfaces. Also, ensure you calculate the correct summary mask that covers all subnets without being too broad or too specific.

Why the other options are wrong

B

Under router ospf, 'summary-address' summarizes external (redistributed) routes on an ASBR, as the exam trap above notes; it does not summarize the internal area routes this scenario asks for.

C

The 'ip summary-address ospf' command is used for external route summarization, not for summarizing internal OSPF routes within an area.

D

The mask 255.255.255.0 is too specific and only covers a single /24 network, not the required range.
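
As an added check on the mask arithmetic (example code written for this page, not part of the question bank), the Python below computes the smallest prefix covering the three subnets, renders it as the 'area range' command, rejects option D's /24, and lists the address space inside the summary that none of the three subnets use. The SUBNETS list is taken from the question; the function names are this example's own.

```python
import ipaddress
from typing import List

# Constructed from the question: the three area 0 subnets R1 should summarize.
SUBNETS = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]


def summary_prefix(prefixes: List[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix that covers every given network.

    Start from the lowest network and widen it one bit at a time (supernet)
    until the highest address of the highest network falls inside it.
    """
    nets = sorted(ipaddress.ip_network(p) for p in prefixes)
    summary = nets[0]
    top = nets[-1].broadcast_address
    while top not in summary:
        summary = summary.supernet()
    return summary


def covers(candidate: str, prefixes: List[str]) -> bool:
    """True when every prefix sits inside the candidate (a check for a proposed mask)."""
    cand = ipaddress.ip_network(candidate)
    return all(ipaddress.ip_network(p).subnet_of(cand) for p in prefixes)


def area_range_command(area: int, summary: ipaddress.IPv4Network) -> str:
    """Render the summary in the dotted-mask form 'area range' expects."""
    return f"area {area} range {summary.network_address} {summary.netmask}"


def not_in_inputs(summary: ipaddress.IPv4Network, prefixes: List[str]):
    """Address space the summary advertises that none of the input subnets use.

    Anything listed here is claimed by the summary route even though no
    component route exists for it; that is what this check is for.
    """
    remaining = [summary]
    for p in prefixes:
        net = ipaddress.ip_network(p)
        updated = []
        for block in remaining:
            if net.subnet_of(block):
                updated.extend(block.address_exclude(net))   # carve the subnet out
            elif not block.subnet_of(net):
                updated.append(block)                         # untouched by this subnet
        remaining = updated
    return sorted(remaining)


if __name__ == "__main__":
    s = summary_prefix(SUBNETS)
    print(area_range_command(0, s))                      # area 0 range 10.0.0.0 255.255.252.0
    print(covers("10.0.0.0/24", SUBNETS))                # False: option D's mask is too narrow
    print([str(n) for n in not_in_inputs(s, SUBNETS)])  # ['10.0.0.0/24']
```

Running it confirms 255.255.252.0 and also shows that 10.0.0.0/22 contains 10.0.0.0/24, the block that holds the 10.0.0.0/30 serial link to R2. The 'area 0 range' command in the answer is unchanged by this; the point of the check is that a summary always claims the whole block, including space no component route occupies, so it is worth listing that space before advertising the summary.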

1101
Matching (easy)

Match each automation-related term to its most accurate description.

Descriptions

  • Lightweight structured data format often used in API payloads
  • Architectural style commonly using HTTP methods for software interaction
  • Defined interface that allows software systems to communicate
  • Data modeling language used to describe network information

Why these pairings

JSON is a lightweight data-interchange format commonly used to structure API request and response payloads. REST is an architectural style that uses HTTP methods to enable stateless interactions between software systems. An API is a defined set of rules and protocols that allows different software applications to communicate with each other.

YANG is a data modeling language specifically designed to model configuration and state data for network devices, often used with NETCONF and RESTCONF.

Exam trap

The most common mistake is confusing YANG with data serialization formats like JSON or XML; candidates misidentify YANG as a data format rather than a modeling language used to describe network information structures.

1102
Drag & Drop (medium)

Drag and drop the following steps into the correct order to sequence the DNS resolution process from a client query to receiving an A-record response, followed by the nslookup and dig diagnostic workflow for troubleshooting missing or wrong DNS records.


Why this order

The DNS resolution process starts with the client query, server response, and client use. Troubleshooting follows with nslookup for basic queries and dig for detailed diagnostics.

Exam trap

Do not confuse the order of DNS resolution with the troubleshooting workflow. The client uses the IP address immediately after receiving the response; troubleshooting tools are used only when there is a problem.

1103
PBQ (hard)

You are connected to R1 via the console. R1 is a Cisco ISR 4331 router. Your task is to configure SNMPv2c and SNMPv3 traps, and NetFlow export, so that SNMP traps are sent to the NMS at 192.0.2.100 using SNMPv2c with community string 'PublicTrap', and also using SNMPv3 with user 'Admin' (authentication SHA, encryption AES) to the same NMS. Additionally, configure NetFlow to export version 9 flow records to 192.0.2.200 on UDP port 2055. Finally, verify your configurations.

Network Topology (figure): R1 G0/0 10.0.0.1/30 -- link -- R2 G0/0 10.0.0.2/30; NMS 192.0.2.100/24 attached over a second link

Hints

  • SNMPv3 requires a group with 'priv' keyword for encryption.
  • NetFlow export is not active unless applied to an interface with 'ip flow ingress'.
  • Use 'show running-config | section snmp' to verify SNMP commands.
A. Configure SNMPv2c trap community 'PublicTrap' and destination 192.0.2.100, create SNMPv3 user 'Admin' with auth SHA priv AES, set SNMPv3 trap destination 192.0.2.100 user 'Admin', configure NetFlow exporter to 192.0.2.200 port 2055 version 9, apply exporter to an interface, and verify with 'show snmp' and 'show ip cache flow'.
B. Configure SNMPv2c trap community 'PublicTrap' and destination 192.0.2.100, create SNMPv3 user 'Admin' with auth MD5 priv DES, set SNMPv3 trap destination 192.0.2.100 user 'Admin', configure NetFlow exporter to 192.0.2.200 port 2055 version 5, apply exporter to an interface, and verify with 'show snmp' and 'show ip cache flow'.
C. Configure SNMPv2c trap community 'PublicTrap' and destination 192.0.2.100, create SNMPv3 user 'Admin' with auth SHA priv AES, set SNMPv3 trap destination 192.0.2.100 user 'Admin', configure NetFlow exporter to 192.0.2.200 port 2055 version 9, and verify with 'show snmp' and 'show ip flow export'.
D. Configure SNMPv2c trap community 'PublicTrap' and destination 192.0.2.100, create SNMPv3 user 'Admin' with auth SHA priv AES, set SNMPv3 trap destination 192.0.2.100 user 'Admin', configure NetFlow exporter to 192.0.2.200 port 2055 version 9, apply exporter to an interface, and verify with 'show snmp' and 'show ip flow export'.
Answer: A
Solution
! R1
! SNMPv2c: read-only community and the trap receiver
snmp-server community PublicTrap RO
snmp-server host 192.0.2.100 version 2c PublicTrap
! SNMPv3: group with priv (authPriv), user with SHA authentication and AES-128 privacy
snmp-server group AdminGroup v3 priv
snmp-server user Admin AdminGroup v3 auth sha Cisco123 priv aes 128 Cisco123
snmp-server host 192.0.2.100 version 3 priv Admin
! Enable trap generation; without this no traps are sent to either host entry
snmp-server enable traps
! NetFlow export: destination and UDP port, version 9, then capture on the interfaces
ip flow-export destination 192.0.2.200 2055
ip flow-export version 9
interface GigabitEthernet0/0
 ip flow ingress
exit
interface GigabitEthernet0/1
 ip flow ingress
exit

Why this answer

The router had only a basic SNMP read-only community configured. To send SNMPv2c traps, you need to configure the trap community and destination. For SNMPv3, you must create the user with authentication and privacy parameters, then configure the trap destination with that user.

NetFlow export requires defining the destination IP and UDP port, enabling version 9, and optionally applying the flow exporter to an interface. The 'show snmp' command confirms SNMP configuration, and 'show ip cache flow' shows NetFlow statistics.

Exam trap

Watch out for incorrect SNMPv3 authentication/privacy algorithms (e.g., MD5/DES instead of SHA/AES) and NetFlow version (version 5 vs 9). Also, remember that NetFlow exporter must be applied to an interface, and verification commands must be exact.

Why the other options are wrong

B

Uses outdated security algorithms MD5/DES for SNMPv3 and sets NetFlow version 5 instead of 9.

C

Omits the critical step of applying the NetFlow exporter to an interface, so flows are not captured.

D

Incorrectly uses 'show ip flow export' for verification; the correct command to view NetFlow cache is 'show ip cache flow'.

1104
Multi-Select (medium)

Which TWO of the following statements accurately describe the configuration and behavior of Root Guard, Loop Guard, and BPDU Guard in Rapid PVST+ environments?

Select 2 answers
A. Root Guard, when enabled on a port, prevents that port from becoming the root port by placing it in a root-inconsistent state if a superior BPDU is received.
B. Root Guard automatically shuts down the port when a superior BPDU is received, similar to BPDU Guard.
C. Loop Guard, when enabled, disables a port if BPDUs are no longer received on it, preventing a unidirectional link failure.
D. BPDU Guard, when enabled, puts the port in an errdisable state if a BPDU is received, which is typically used on access ports to prevent unauthorized switches from connecting.
E. BPDU Guard places the port in a blocking state (loop-inconsistent) when a BPDU is received, similar to Loop Guard.
Answers: A, D

Root Guard ensures the designated port does not become a root port. Upon receiving a superior BPDU, the port enters a root-inconsistent state, blocking traffic until the superior BPDUs stop.

Why this answer

Option A is correct because Root Guard prevents a port from becoming a root port by placing it in a root-inconsistent (blocking) state upon receiving a superior BPDU, protecting the root bridge placement. Option D is correct because BPDU Guard errdisables a port upon receiving a BPDU, a feature typically applied to access ports to block unauthorized switches. Option B is wrong: Root Guard does not shut down the port; it places it in a blocked state, unlike BPDU Guard's errdisable action.

Option C is wrong: Loop Guard does not disable a port when BPDUs stop being received; instead, it moves the port to a loop-inconsistent (blocking) state to guard against unidirectional link failures. Option E is wrong: BPDU Guard errdisables ports, whereas the loop-inconsistent blocking state is used by Loop Guard or Root Guard, not BPDU Guard.

Exam trap

Cisco often tests the distinction between 'shutdown' (errdisable) and 'blocking' (inconsistent state) — candidates confuse BPDU Guard's errdisable behavior with Root Guard's or Loop Guard's blocking behavior, leading them to incorrectly select Option B.

Why the other options are wrong

B

Root Guard does not shut down the port; it places the port in a root-inconsistent state, which effectively blocks traffic but does not disable the port. BPDU Guard, on the other hand, errdisables the port.

C

Loop Guard does not disable the port; it places the port into a loop-inconsistent state, blocking traffic on that port until BPDUs are received again. The port remains administratively up.

E

BPDU Guard errdisables the port, not just blocks it. Loop Guard uses a loop-inconsistent state, which is different from errdisable. BPDU Guard is a more severe reaction.

1105
MCQ (hard)

After hardening SSH by disabling password authentication and restricting access to an ACL permitting only the management subnet 10.1.10.0/24, configuring RADIUS AAA authentication, enabling port security with a maximum of two MAC addresses on all access ports, and implementing DHCP snooping and DAI on VLAN 10, the administrator finds that users in VLAN 10 obtain DHCP addresses and access the network normally, but SSH from the management workstation (10.1.10.20) to the switch fails with timeouts.

A. The SSH ACL is misconfigured and denies port 22 from the management subnet.
B. The management workstation's IP-to-MAC binding is missing from the DHCP snooping binding table, causing DAI to drop its ARP traffic.
C. Port security on the switch interface connected to the management workstation has learned two MAC addresses and shut down the port.
D. RADIUS AAA authentication is missing the shared secret on the switch, causing SSH login timeouts.
Answer: B

DAI relies on DHCP snooping bindings to validate ARP packets. The static IP of the workstation means no binding was learned, so DAI considers the ARP reply invalid and drops it, breaking L2 reachability.

Why this answer

The management workstation (10.1.10.20) is on the same VLAN 10 where DHCP snooping and DAI are enabled. DAI validates ARP packets against the DHCP snooping binding table. Since the workstation uses a static IP address, its IP-to-MAC binding is not automatically added to the DHCP snooping database.

DAI will drop the workstation's ARP replies, preventing the switch from learning its MAC address and causing SSH timeouts.

Exam trap

Cisco often tests the interaction between security features like DAI and static IP hosts, where candidates overlook that DAI requires explicit static bindings for non-DHCP clients, leading to connectivity failures that appear as timeouts rather than explicit denials.

Why the other options are wrong

A

This option misunderstands ACL processing: it assumes a simple subnet permit ACL would block port 22 by default, but the ACL entry permits all traffic from the subnet, not just specific ports.

C

This option assumes port security is the first cause of a connectivity failure whenever MAC limits are configured, but the symptom does not indicate a port security violation; the port would have to go err-disabled, which is not mentioned.

D

AAA failures manifest as authentication errors or prompts that time out after attempting RADIUS, but they typically affect all attempts, not a single source, unless combined with ACLs that permit other hosts but block this one.
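The DAI decision described above can be modelled in a few lines. The following is an added example, not part of the question bank: it checks an ARP packet's sender MAC/IP pair against a DHCP snooping binding table and shows why a static host such as the management workstation is dropped until an explicit entry is added (on IOS, 'ip source binding <mac> vlan <vlan> <ip> interface <port>', or an ARP ACL applied with 'ip arp inspection filter'). The MAC addresses, port names and the second DHCP client are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One row of the DHCP snooping binding table (MAC, IP, VLAN, port)."""
    mac: str
    ip: str
    vlan: int
    port: str


# Constructed binding table: two DHCP clients in VLAN 10 (hypothetical MACs/ports).
SNOOPING_BINDINGS = frozenset({
    Binding("0011.2233.4455", "10.1.10.51", 10, "Gi1/0/5"),
    Binding("0011.2233.4466", "10.1.10.52", 10, "Gi1/0/6"),
})
# The uplink toward the DHCP server is trusted; DAI does not inspect ARP there.
TRUSTED_PORTS = frozenset({"Gi1/0/24"})


def dai_check(sender_mac, sender_ip, vlan, ingress_port, bindings, trusted=TRUSTED_PORTS):
    """Return 'permit' or 'drop' for an ARP packet seen on ingress_port.

    Models the DAI decision: ARP on trusted ports passes; on untrusted ports the
    sender MAC/IP pair must exist in the binding table for that VLAN and port.
    """
    if ingress_port in trusted:
        return "permit"
    if Binding(sender_mac, sender_ip, vlan, ingress_port) in bindings:
        return "permit"
    return "drop"


def add_static_binding(bindings, mac, ip, vlan, port):
    """Equivalent of 'ip source binding <mac> vlan <vlan> <ip> interface <port>':
    a static entry for a host that never obtained its address through DHCP."""
    return bindings | {Binding(mac, ip, vlan, port)}


# The management workstation from the question: static IP 10.1.10.20 in VLAN 10.
# Its MAC address and switch port are constructed for the example.
MGMT_MAC, MGMT_IP, MGMT_PORT = "aabb.cc00.2020", "10.1.10.20", "Gi1/0/20"


def before_fix():
    """No binding exists for the static host, so its ARP replies are dropped."""
    return dai_check(MGMT_MAC, MGMT_IP, 10, MGMT_PORT, SNOOPING_BINDINGS)


def after_fix():
    """With the static binding in place the same ARP reply is permitted."""
    fixed = add_static_binding(SNOOPING_BINDINGS, MGMT_MAC, MGMT_IP, 10, MGMT_PORT)
    return dai_check(MGMT_MAC, MGMT_IP, 10, MGMT_PORT, fixed)


def mismatch_check():
    """The workstation's MAC claiming another client's IP is still not in the
    table, so DAI keeps dropping it even after the static entry is added."""
    fixed = add_static_binding(SNOOPING_BINDINGS, MGMT_MAC, MGMT_IP, 10, MGMT_PORT)
    return dai_check(MGMT_MAC, "10.1.10.51", 10, MGMT_PORT, fixed)


if __name__ == "__main__":
    print("before static binding:", before_fix())      # drop: SSH to the switch times out
    print("after static binding: ", after_fix())       # permit
    print("IP/MAC mismatch:      ", mismatch_check())  # drop
```

The static entry only restores reachability for the exact MAC/IP/VLAN/port tuple; any other pairing from that port is still discarded, which is the protection DAI is there to provide.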

1106
PBQ (hard)

You are connected to R1 (192.0.2.1/24, management IP). The network team needs to automate interface configuration using RESTCONF. Construct a valid RESTCONF GET request to retrieve the operational status of GigabitEthernet0/1 using the ietf-interfaces YANG module, and a PATCH request to set the description of that interface to 'Link to R2' using the Cisco-IOS-XE-native YANG module. Identify the error that occurs if the Accept header is set to application/json instead of application/yang-data+json.

Network Topology
Diagram labels (image not reproduced): R1 and R2; G0/0 192.0.2.1/24, G0/1 10.0.0.1/30, G0/0 10.0.0.2/30.

Hints

  • RESTCONF uses a specific media type for YANG data; check the Accept header.
  • The YANG module paths differ between ietf-interfaces and Cisco-IOS-XE-native.
  • The interface name must be URL-encoded if it contains special characters; GigabitEthernet0/1 is safe.
A. The server returns a 406 Not Acceptable error because RESTCONF requires the Accept header to be 'application/yang-data+json'.
B. The server returns a 400 Bad Request error because the Accept header must be 'application/json' for RESTCONF.
C. The server returns a 415 Unsupported Media Type error because the Accept header is set incorrectly.
D. The server returns a 200 OK response but ignores the Accept header and returns data in XML format.
Answer: A
solution
! R1
GET request (slash in the list key percent-encoded as %2F):
GET https://192.0.2.1/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0%2F1 HTTP/1.1
Host: 192.0.2.1
Accept: application/yang-data+json
PATCH request:
PATCH https://192.0.2.1/restconf/data/Cisco-IOS-XE-native:native/interface/GigabitEthernet=0%2F1/description HTTP/1.1
Host: 192.0.2.1
Content-Type: application/yang-data+json
Accept: application/yang-data+json

{"description": "Link to R2"}

Why this answer

The correct base URI for RESTCONF on Cisco IOS-XE is https://<device-ip>/restconf/data. For the ietf-interfaces module, the YANG path is /ietf-interfaces:interfaces/interface=GigabitEthernet0%2F1 (note the percent-encoded slash in the key). For the Cisco-IOS-XE-native module, the path is /Cisco-IOS-XE-native:native/interface/GigabitEthernet=0%2F1/description.

The Accept header must be 'application/yang-data+json'; using 'application/json' returns a 406 Not Acceptable error. The PATCH request body must contain the new description in JSON format. Failing to percent-encode the interface name will result in an invalid URI.

Exam trap

The exam tests your knowledge of RESTCONF media types and URL encoding: remember to percent-encode the slash in interface names (e.g., GigabitEthernet0%2F1) and distinguish between 406 (Accept error) and 415 (Content-Type error).

Why the other options are wrong

B

The specific factual error: RESTCONF requires 'application/yang-data+json', not 'application/json'.

C

The specific factual error: 415 relates to Content-Type, not Accept. Accept errors yield 406.

D

The specific factual error: RESTCONF does not silently fall back; it returns a 406 error.
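The two requests and the media-type rules above, as an added example (not code from the question bank or from Cisco): it builds the GET and PATCH requests with the list key percent-encoded, and models the server's Accept/Content-Type checks so the 406 versus 415 distinction can be exercised offline. The negotiate() function is a simplified stand-in for a RESTCONF server (RFC 8040 sections 5.2 and 7.1), not an implementation of one; HOST is R1's management address from the question.

```python
import json
from urllib.parse import quote

YANG_JSON = "application/yang-data+json"
YANG_XML = "application/yang-data+xml"
HOST = "192.0.2.1"  # R1's management address from the question


def restconf_key(value):
    """Percent-encode a YANG list key: RFC 8040 requires the '/' in a key such
    as GigabitEthernet0/1 to appear as %2F in the request URI."""
    return quote(value, safe="")


def build_get(name, accept=YANG_JSON):
    """GET the operational state of an interface via the ietf-interfaces module."""
    path = f"ietf-interfaces:interfaces/interface={restconf_key(name)}"
    return {"method": "GET",
            "url": f"https://{HOST}/restconf/data/{path}",
            "headers": {"Host": HOST, "Accept": accept},
            "body": None}


def build_patch(kind, number, description, content_type=YANG_JSON, accept=YANG_JSON):
    """PATCH an interface description via the Cisco-IOS-XE-native module."""
    path = f"Cisco-IOS-XE-native:native/interface/{kind}={restconf_key(number)}/description"
    return {"method": "PATCH",
            "url": f"https://{HOST}/restconf/data/{path}",
            "headers": {"Host": HOST, "Content-Type": content_type, "Accept": accept},
            "body": json.dumps({"description": description})}


def negotiate(request):
    """Status code a RESTCONF server returns for the request's media types.

    Simplified model (not a real server): an Accept value that is not a
    yang-data type yields 406 Not Acceptable; a PATCH/PUT/POST whose
    Content-Type is not a yang-data type yields 415 Unsupported Media Type.
    Success is 200 for GET (body returned) and 204 for a PATCH without a
    response body.
    """
    headers = request["headers"]
    accept = headers.get("Accept", YANG_JSON)  # no Accept header: server chooses
    if accept not in (YANG_JSON, YANG_XML):
        return 406
    if request["method"] in ("PATCH", "PUT", "POST"):
        if headers.get("Content-Type") not in (YANG_JSON, YANG_XML):
            return 415
        return 204
    return 200


if __name__ == "__main__":
    print(build_get("GigabitEthernet0/1")["url"])
    print("GET, Accept application/json      ->",
          negotiate(build_get("GigabitEthernet0/1", accept="application/json")))
    print("PATCH, Content-Type application/json ->",
          negotiate(build_patch("GigabitEthernet", "0/1", "Link to R2",
                                content_type="application/json")))
    print("well-formed PATCH                  ->",
          negotiate(build_patch("GigabitEthernet", "0/1", "Link to R2")))
```

Keeping the URI construction in one helper avoids the unencoded-slash mistake the explanation warns about, and running a request through negotiate() before sending it makes the header mistakes visible without touching a device.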

1107
MCQ (hard)

Exhibit: SW1 is configured for EtherChannel with LACP, but the bundle does not form. What is the most likely cause?

A. The interfaces should use PAgP instead of LACP on both ends
B. One side is using LACP and the other side is using a static EtherChannel mode
C. The links must be routed ports before EtherChannel can form
D. EtherChannel requires three or more member links
Answer: B

Mode active expects LACP, while mode on does not negotiate.

Why this answer

For an LACP EtherChannel to form, both sides must negotiate with LACP using active or passive mode. One side here is set to channel-group mode on, which creates a static channel and does not speak LACP. That mismatch prevents the bundle from forming.

Exam trap

Ensure both sides of the EtherChannel are set to negotiate with LACP; avoid static channel settings.

Why the other options are wrong

A

This option is incorrect because the question specifies that LACP is being used, which is incompatible with PAgP. EtherChannel can operate with either LACP or PAgP, but not both simultaneously.

C

This option is wrong because EtherChannel can form with access ports or trunk ports, and there is no requirement for the interfaces to be routed ports for EtherChannel to function.

D

EtherChannel can function with as few as two member links; therefore, requiring three or more member links is not a valid reason for the bundle not forming in this scenario.

1108
PBQ (hard)

You are connected to R1 via the console. The network currently uses EIGRP as its IGP, but you recently configured a static default route toward R2 (next-hop 203.0.113.2) to reach the Internet. However, traffic from R1 to the Internet is not taking the expected path. Examine the provided routing table and partial configuration, then fix the issue so that the static default route is used only when the EIGRP-learned default route is unavailable.

Network Topology
Diagram labels (image not reproduced): R1, R2 and ISP; G0/0 10.0.0.1/30, G0/0 10.0.0.2/30, G0/1 203.0.113.1/30, 203.0.113.2/30.

Hints

  • Compare the administrative distances of the two default routes in the routing table.
  • The static route currently has a lower AD (1) than EIGRP (90), so it is not acting as a backup.
  • To make a static route a floating static, you need to configure an AD higher than the dynamic protocol's AD.
A. Configure the static route with an administrative distance of 100 using 'ip route 0.0.0.0 0.0.0.0 203.0.113.2 100'.
B. Remove the EIGRP default route by configuring 'no network 0.0.0.0' under the EIGRP process.
C. Increase the metric of the EIGRP default route to make it less preferred than the static route.
D. Configure the static route with a next-hop of 203.0.113.2 and a metric of 100.
Answer: A
solution
! R1
configure terminal
no ip route 0.0.0.0 0.0.0.0 203.0.113.2 10
ip route 0.0.0.0 0.0.0.0 203.0.113.2 100
end
write memory

Why this answer

The static default route was configured with an administrative distance (AD) of 10, which is lower than the EIGRP‑learned default route's AD of 90. This made the static route the preferred path, overriding the intended primary EIGRP route. To create a floating static route that only activates when the EIGRP route disappears, the static AD must be raised above 90—using 'ip route 0.0.0.0 0.0.0.0 203.0.113.2 100' ensures the EIGRP route is primary.

Option B is wrong because removing the EIGRP route eliminates the preferred path entirely, defeating the backup purpose. Option C fails because EIGRP metrics are irrelevant against a lower‑AD static route; AD dictates route source preference. Option D is incorrect because static routes do not accept a metric parameter—the trailing number sets the AD, not a metric.

Exam trap

Don't confuse administrative distance with metric. When comparing routes from different sources (static vs. EIGRP), AD is the deciding factor.

Also, remember that static routes use AD, not metric, to influence preference. The 'ip route' command syntax does not include a metric parameter.

Why the other options are wrong

B

The specific factual error: EIGRP does not use 'network 0.0.0.0' to advertise a default route; default routes are typically redistributed or generated via 'ip default-network' or redistribution. Removing the EIGRP default route would break the intended primary path.

C

The specific factual error: Administrative distance is the primary factor for route selection between different routing protocols or sources. Changing the EIGRP metric does not affect the comparison with a static route.

D

The specific factual error: The 'ip route' command syntax is 'ip route prefix mask {next-hop | interface} [distance] [name] [permanent] [tag tag]'. There is no metric parameter. The correct way to make a static route less preferred is to set a higher administrative distance.
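The route-selection rule the explanation relies on (longest prefix first, then administrative distance, and metric only within one source) is shown below as an added example; it is not the question bank's code and not IOS. The routing-table entries are constructed from the addresses in the question, and the EIGRP metric and the off-net destination address are arbitrary values chosen for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "0.0.0.0/0"
    source: str      # IOS route code: "S" static, "D" EIGRP, "C" connected
    ad: int          # administrative distance
    metric: int
    next_hop: str


def select_route(table, destination):
    """Pick the route IOS would forward on for destination.

    Longest prefix match wins first. Among candidates for the same prefix the
    lowest administrative distance is installed (this is how the RIB chooses
    between sources such as static versus EIGRP); the metric only breaks ties
    between routes from the same source.
    """
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in table
                  if dst in ipaddress.ip_network(r.prefix, strict=False)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (ipaddress.ip_network(r.prefix, strict=False).prefixlen,
                              -r.ad, -r.metric))


# Constructed table for R1 (EIGRP metric is hypothetical; addresses from the question).
CONNECTED = Route("203.0.113.0/30", "C", 0, 0, "GigabitEthernet0/1")
EIGRP_DEFAULT = Route("0.0.0.0/0", "D", 90, 3072, "10.0.0.2")
STATIC_AD10 = Route("0.0.0.0/0", "S", 10, 0, "203.0.113.2")    # misconfigured: beats EIGRP
STATIC_AD100 = Route("0.0.0.0/0", "S", 100, 0, "203.0.113.2")  # floating static

INTERNET_HOST = "198.51.100.7"  # arbitrary off-net destination (constructed)


def chosen_next_hop(table, destination=INTERNET_HOST):
    route = select_route(table, destination)
    return None if route is None else route.next_hop


def before_fix():
    """AD 10 static outranks the AD 90 EIGRP default, so traffic goes to 203.0.113.2."""
    return chosen_next_hop([CONNECTED, EIGRP_DEFAULT, STATIC_AD10])


def after_fix():
    """AD 100 static is held in reserve; EIGRP's default is used."""
    return chosen_next_hop([CONNECTED, EIGRP_DEFAULT, STATIC_AD100])


def after_fix_eigrp_lost():
    """EIGRP default withdrawn: the floating static takes over."""
    return chosen_next_hop([CONNECTED, STATIC_AD100])


if __name__ == "__main__":
    print("AD 10 static present:   ", before_fix())           # 203.0.113.2
    print("AD 100 floating static: ", after_fix())            # 10.0.0.2
    print("EIGRP default withdrawn:", after_fix_eigrp_lost())  # 203.0.113.2
```

Note that the connected /30 still wins for 203.0.113.2 itself regardless of AD, because prefix length is compared before distance; AD only decides between competing routes for the same prefix.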

1109
Multi-Select (medium)

Which TWO statements correctly describe the encapsulation process at the OSI model Transport layer?

Select 2 answers
A. It adds source and destination IP addresses to the data.
B. It breaks data into smaller units called segments (for TCP) or datagrams (for UDP).
C. It adds a header that includes source and destination MAC addresses.
D. It adds a header that includes source and destination port numbers.
E. It converts data into bits for transmission over the physical medium.
Answers: B, D

The Transport layer segments upper-layer data into manageable units. For TCP, these are called segments; for UDP, they are called datagrams.

Why this answer

At the Transport layer (Layer 4), TCP segments data into segments and UDP segments data into datagrams. This segmentation allows efficient transmission and reassembly at the destination. The Transport layer header includes source and destination port numbers to identify the communicating applications, not IP or MAC addresses.

Exam trap

Cisco often tests the distinction between OSI model layers, and the trap here is confusing the Transport layer's port numbers and segmentation with the Network layer's IP addressing or the Data Link layer's MAC addressing.

Why the other options are wrong

A

The Transport layer uses port numbers, not IP addresses. IP addresses are added during Network layer encapsulation.

C

MAC addresses are used for local delivery on a network segment and are part of Layer 2 encapsulation.

E

The Physical layer handles the actual transmission of raw bits over the network medium.

1110
Multi-Select (medium)

Which TWO statements correctly describe the differences between RADIUS and TACACS+ when configuring AAA on IOS-XE?

Select 2 answers
A. RADIUS encrypts the entire packet body, while TACACS+ encrypts only the password.
B. TACACS+ uses TCP port 49, while RADIUS uses UDP ports 1812 and 1813.
C. RADIUS supports command-level authorization, whereas TACACS+ does not.
D. TACACS+ separates authentication, authorization, and accounting into distinct processes, while RADIUS combines authentication and authorization.
E. Both RADIUS and TACACS+ can be used for 802.1X port-based authentication on IOS-XE.
Answers: B, D

TACACS+ uses TCP for reliable transport on port 49, while RADIUS uses UDP (port 1812 for authentication/authorization, 1813 for accounting).

Why this answer

Options B and D are correct. TACACS+ uses TCP port 49, while RADIUS uses UDP ports 1812 (authentication) and 1813 (accounting). TACACS+ separates authentication, authorization, and accounting into three distinct processes, whereas RADIUS combines authentication and authorization.

Option A is incorrect because TACACS+ encrypts the entire packet body, while RADIUS encrypts only the password. Option C is incorrect because TACACS+ supports command-level authorization, while RADIUS does not. Option E is incorrect because 802.1X port-based authentication uses RADIUS, not TACACS+.

Exam trap

Cisco often tests the encryption behavior (Option A) as a trap, because candidates confuse which protocol encrypts the entire packet versus just the password, and they also test the authorization granularity (Option C) to see if you know that TACACS+ supports command-level authorization while RADIUS does not.

Why the other options are wrong

A

TACACS+ encrypts the entire packet, while RADIUS encrypts only the password – the opposite of what this option states.

C

TACACS+ supports command-level authorization, whereas RADIUS does not – this option reverses the capabilities.

E

802.1X port-based authentication uses RADIUS, not TACACS+, as specified by the IEEE 802.1X standard.
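The difference behind option A can be seen on the wire. The following is an added example, not code from the question bank or from any AAA product: it implements the RADIUS User-Password hiding of RFC 2865 section 5.2 (only that one attribute is transformed, so the User-Name travels in cleartext) and the TACACS+ body obfuscation of RFC 8907 section 4.5 (the entire packet body is XORed with an MD5-derived pad). The shared secret, user name, password, request authenticator and session ID are constructed sample values.

```python
import hashlib
import struct


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---- RADIUS: only the User-Password attribute is hidden (RFC 2865 section 5.2)
def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad the password to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the 16-byte
    Request Authenticator carried in the packet header."""
    if len(authenticator) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("authenticator must be 16 bytes; password 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of radius_hide_password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def radius_access_request_attrs(username: bytes, password: bytes,
                                secret: bytes, authenticator: bytes) -> bytes:
    """Attribute TLVs of an Access-Request: User-Name (type 1) is sent as-is,
    User-Password (type 2) is the only field that gets hidden."""
    hidden = radius_hide_password(password, secret, authenticator)
    return (bytes([1, 2 + len(username)]) + username +
            bytes([2, 2 + len(hidden)]) + hidden)


# ---- TACACS+: the whole packet body is obfuscated (RFC 8907 section 4.5)
def tacacs_plus_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Pseudo-pad: MD5_1 = MD5(session_id, key, version, seq_no) and
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}), concatenated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_plus_obfuscate(body: bytes, session_id: int, key: bytes,
                          version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the entire body with the pad; the same call de-obfuscates."""
    return _xor(body, tacacs_plus_pad(session_id, key, version, seq_no, len(body)))


# Constructed sample values (not real credentials). A real RADIUS client picks a
# fresh random Request Authenticator per request; a fixed one keeps this reproducible.
SECRET = b"example-shared-key"
AUTHENTICATOR = bytes(range(16))
USERNAME, PASSWORD = b"netadmin", b"CorrectHorse"
SESSION_ID = 0x1234ABCD


def radius_demo():
    attrs = radius_access_request_attrs(USERNAME, PASSWORD, SECRET, AUTHENTICATOR)
    return {"username_visible": USERNAME in attrs, "password_visible": PASSWORD in attrs}


def tacacs_demo():
    # Minimal constructed authentication START body that carries the user name.
    body = b"\x01\x00\x01\x01" + bytes([len(USERNAME), 0, 0, 0]) + USERNAME
    wire = tacacs_plus_obfuscate(body, SESSION_ID, SECRET)
    return {"username_visible": USERNAME in wire,
            "roundtrip_ok": tacacs_plus_obfuscate(wire, SESSION_ID, SECRET) == body}


if __name__ == "__main__":
    print("RADIUS :", radius_demo())   # user name visible, password not
    print("TACACS+:", tacacs_demo())   # nothing visible, round trip intact
```

Both schemes are keyed MD5 constructions rather than modern authenticated encryption, which is why production deployments put RADIUS on a dedicated management network or inside a tunnel (RADSEC/IPsec) and protect the TACACS+ key with the same care as any shared secret.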

1111
PBQ (hard)

You are connected to R1. The network has two routers (R1 and R2) connected via a serial link (S0/0/0). R1's GigabitEthernet0/0 connects to the 192.168.1.0/24 LAN. An extended ACL must be configured on R1 to permit only HTTPS traffic (TCP port 443) from host 192.168.1.10 to server 203.0.113.5 (reachable via R2), and deny all other traffic from the LAN to the server. Currently, the ACL is applied inbound on G0/0 but valid HTTPS traffic is being blocked. Troubleshoot and fix the configuration.

Hints

  • The current ACL uses 'any' source, but the requirement is to restrict to a specific host.
  • The order of ACL entries matters; the first match is applied.
  • The implicit deny at the end blocks all traffic that does not match a permit statement.
A. The ACL is missing an explicit permit statement for HTTPS traffic from host 192.168.1.10 to server 203.0.113.5, and the current permit ip any any allows all traffic, including HTTP, which violates the requirement to deny HTTP.
B. The ACL is applied inbound on G0/0, but it should be applied outbound on G0/0 to filter traffic leaving the LAN.
C. The ACL should be applied to the serial interface S0/0/0 instead of G0/0 to filter traffic going to R2.
D. The ACL is missing a deny statement for all other traffic from the LAN to the server, and the permit ip any any allows everything, including unwanted traffic.
Answer: A
solution
! R1
configure terminal
no ip access-list extended BLOCK_SERVER
ip access-list extended BLOCK_SERVER
permit tcp host 192.168.1.10 host 203.0.113.5 eq 443
deny tcp host 192.168.1.10 host 203.0.113.5 eq 80
deny ip any host 203.0.113.5
permit ip any any
end

Why this answer

The ACL BLOCK_SERVER is intended to block HTTP (port 80) to the server but permit HTTPS (port 443). As written, however, it denies TCP port 80 from any source and then permits all IP traffic with permit ip any any; the implicit deny would only come into play if that permit were removed.

The mismatch is with the requirement rather than the interface: the ACL is applied inbound on G0/0, where LAN traffic enters, but it matches source any instead of host 192.168.1.10 and filters port 80 rather than explicitly permitting port 443. So the problem is either that the ACL is too permissive (allowing HTTP) or that the implicit deny is blocking HTTPS because of a misordering. In this case the ACL is in fact permitting everything, including HTTP, because of permit ip any any.

To fix it, explicitly permit HTTPS from host 192.168.1.10 to the server, deny HTTP from that host, deny all other traffic to the server, and keep permit ip any any only for other destinations. The correct sequence is: permit tcp host 192.168.1.10 host 203.0.113.5 eq 443, deny tcp host 192.168.1.10 host 203.0.113.5 eq 80, deny ip any host 203.0.113.5, permit ip any any.

Exam trap

Be careful not to assume that an ACL with a permit ip any any will automatically block specific traffic; it actually permits everything. The implicit deny only applies if there is no matching permit statement. Also, pay attention to the specific requirements: the ACL must deny HTTP but permit HTTPS from the host.

Why the other options are wrong

B

The direction of ACL application is correct; inbound on the interface where traffic enters the router is standard for filtering traffic from the LAN.

C

ACLs should be applied as close to the source as possible to deny traffic early. Applying on the serial interface would still work but is less efficient and not the best practice.

D

The permit ip any any allows all traffic, so HTTPS should be allowed. The problem says HTTPS is blocked, so the issue must be something else, like a missing explicit permit or a misordering.
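First-match evaluation with an implicit deny is what makes ACE order matter, as the hints above say. The following added example (not code from the question bank, and not how IOS implements ACLs internally) parses the extended-ACL lines from the solution and evaluates constructed packets against them. The BROKEN_ACL list is a constructed illustration of a misordering in which permit ip any any shadows a later deny; the question's actual starting ACL is not shown on the page.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: int = 0


class AddrSpec:
    """Matches an IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""

    def __init__(self, net: int, wild: int):
        self.net, self.wild = net, wild

    def matches(self, ip: str) -> bool:
        # Wildcard bits set to 1 are ignored in the comparison.
        return (int(ipaddress.ip_address(ip)) | self.wild) == (self.net | self.wild)

    @staticmethod
    def parse(tokens):
        tok = tokens.pop(0)
        if tok == "any":
            return AddrSpec(0, 0xFFFFFFFF)
        if tok == "host":
            return AddrSpec(int(ipaddress.ip_address(tokens.pop(0))), 0)
        return AddrSpec(int(ipaddress.ip_address(tok)),
                        int(ipaddress.ip_address(tokens.pop(0))))


def _parse_port(tokens):
    """Consume an optional 'eq <port>'; other operators (gt, lt, range) are not modelled."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_ace(line: str):
    """'permit tcp host 192.168.1.10 host 203.0.113.5 eq 443' -> (action, proto, src, dst, dport)."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src = AddrSpec.parse(tokens)
    _parse_port(tokens)                # a source port, if present, is ignored here
    dst = AddrSpec.parse(tokens)
    dport = _parse_port(tokens)
    return action, proto, src, dst, dport


def evaluate(acl_lines, pkt: Packet) -> str:
    """The first matching ACE decides; if none matches, the implicit deny applies."""
    for line in acl_lines:
        action, proto, src, dst, dport = parse_ace(line)
        if proto not in ("ip", pkt.proto):
            continue
        if not (src.matches(pkt.src) and dst.matches(pkt.dst)):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"  # implicit deny ip any any


# The corrected ACL from the solution above.
FIXED_ACL = [
    "permit tcp host 192.168.1.10 host 203.0.113.5 eq 443",
    "deny tcp host 192.168.1.10 host 203.0.113.5 eq 80",
    "deny ip any host 203.0.113.5",
    "permit ip any any",
]

# Constructed misordering: the broad permit comes first and shadows the deny.
BROKEN_ACL = [
    "permit ip any any",
    "deny tcp any host 203.0.113.5 eq 80",
]

# Constructed test packets (192.168.1.11 and 198.51.100.9 are example hosts).
HTTPS_FROM_HOST = Packet("tcp", "192.168.1.10", "203.0.113.5", 443)
HTTP_FROM_HOST = Packet("tcp", "192.168.1.10", "203.0.113.5", 80)
HTTPS_FROM_OTHER = Packet("tcp", "192.168.1.11", "203.0.113.5", 443)
WEB_ELSEWHERE = Packet("tcp", "192.168.1.11", "198.51.100.9", 80)


if __name__ == "__main__":
    for name, pkt in [("HTTPS from .10", HTTPS_FROM_HOST), ("HTTP from .10", HTTP_FROM_HOST),
                      ("HTTPS from .11", HTTPS_FROM_OTHER), ("web elsewhere", WEB_ELSEWHERE)]:
        print(f"{name:15} fixed={evaluate(FIXED_ACL, pkt):6} broken={evaluate(BROKEN_ACL, pkt)}")
```

Swapping the two lines of BROKEN_ACL is enough to make the deny effective, which is the point of the hint that the first match is applied.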

1112
Drag & Drop (medium)

Drag and drop the following steps into the correct order to retrieve network device information using a REST API call that requires authentication and returns JSON data.


Why this order

The correct sequence follows the standard REST API client workflow. First, you must identify the API endpoint and the HTTP method corresponding to the desired CRUD operation (READ → GET). Then, you must provide valid authentication credentials to gain access.

Next, setting the Accept header ensures the response is in the required data format (JSON). Only after preparing the request can you send it. Once the response is received, you verify the status code to confirm success before parsing the data.

Skipping any step or reordering them would break the logic (e.g., you cannot parse data before verifying the response was successful).
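The six-step client workflow described above, as an added example that is not part of the question bank: build the request (endpoint and method, credentials, Accept header), send it, check the status and media type, and only then parse. To keep it runnable offline, fake_send() is a constructed stand-in for the HTTPS call that behaves like a minimal inventory API; the base URL, credentials and inventory record are constructed sample values.

```python
import base64
import json

# Constructed credentials and inventory for the fake endpoint (not a real device).
_USER, _PASS = "apiuser", "example-password"
_INVENTORY = {"R1": {"hostname": "R1", "platform": "ISR4331", "mgmt_ip": "192.0.2.1"}}


class ApiError(Exception):
    """Raised when the response cannot be trusted enough to parse."""


def basic_auth(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def fake_send(method, url, headers):
    """Stand-in for an HTTPS request so the example runs offline.
    Returns (status, content_type, body) as a minimal inventory API would."""
    if headers.get("Authorization") != basic_auth(_USER, _PASS):
        return 401, "text/plain", "Unauthorized"
    name = url.rsplit("/", 1)[-1]
    if method != "GET" or name not in _INVENTORY:
        return 404, "text/plain", "Not Found"
    if headers.get("Accept") == "application/json":
        return 200, "application/json", json.dumps(_INVENTORY[name])
    # The client asked for a different format: answer in XML, not JSON.
    return 200, "application/xml", f"<device><hostname>{name}</hostname></device>"


def build_request(base_url, device, user, password, accept="application/json"):
    # Step 1: endpoint and HTTP method for a READ operation
    method, url = "GET", f"{base_url}/devices/{device}"
    # Step 2: authentication credentials
    headers = {"Authorization": basic_auth(user, password)}
    # Step 3: Accept header for the format the client can parse
    headers["Accept"] = accept
    return method, url, headers


def get_device(base_url, device, user, password, send=fake_send):
    method, url, headers = build_request(base_url, device, user, password)
    # Step 4: send the request
    status, content_type, body = send(method, url, headers)
    # Step 5: verify the status code and media type before touching the body
    if status != 200:
        raise ApiError(f"HTTP {status}: {body}")
    if content_type != "application/json":
        raise ApiError(f"expected JSON, got {content_type}")
    # Step 6: parse the data
    return json.loads(body)


def probe(base_url, device, user, password, accept="application/json", send=fake_send):
    """Steps 1-4 only: returns (status, content_type) so the effect of wrong
    credentials or a wrong Accept header can be observed without parsing."""
    method, url, headers = build_request(base_url, device, user, password, accept)
    return send(method, url, headers)[:2]


if __name__ == "__main__":
    print(get_device("https://nms.example", "R1", _USER, _PASS))
    print(probe("https://nms.example", "R1", _USER, "wrong"))                      # (401, 'text/plain')
    print(probe("https://nms.example", "R1", _USER, _PASS, accept="application/xml"))  # (200, 'application/xml')
```

Checking the media type as well as the status code is what keeps step 6 safe: a 200 with an XML body would otherwise reach json.loads() and fail in a less obvious place.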

1113
MCQ (medium)

Which IPv6 protocol function replaces ARP?

A. DHCPv6
B. Neighbor Discovery
C. EUI-64
D. SLAAC
Answer: B

Correct. Neighbor Discovery replaces ARP in IPv6 networks.

Why this answer

IPv6 uses Neighbor Discovery Protocol to resolve Layer 3-to-Layer 2 information and perform related local-link functions such as router discovery and address resolution.

Exam trap

Be careful not to confuse protocols that manage IP addresses or routing with those that resolve addresses.

Why the other options are wrong

A

DHCPv6 is not a protocol that replaces ARP; instead, it is used for assigning IP addresses and configuration information to IPv6 devices. ARP is replaced by the Neighbor Discovery Protocol in IPv6, which performs similar functions for address resolution.

C

EUI-64 is not a protocol but a method for generating IPv6 interface identifiers. It does not perform the function of resolving link-layer addresses like ARP does in IPv4.

D

SLAAC (Stateless Address Autoconfiguration) is a method for automatically configuring IPv6 addresses but does not perform the function of resolving link-layer addresses like ARP does in IPv4. Therefore, it cannot replace ARP in IPv6.

1114
PBQ (hard)

You are connected to a multilayer switch MLS1. The network has two other switches: SW2 and SW3. The interface GigabitEthernet0/1 already has PortFast and BPDU Guard enabled. Configure MLS1 as the root bridge for VLAN 10 and VLAN 20 using the root primary command. After configuration, verify that the interface is not in err-disabled state and that the root bridge role is correctly assigned.

Network Topology
Diagram labels (image not reproduced): MLS1 with Gi0/1, Gi0/2 and Gi0/3; attached devices PC, SW2 and SW3.

Hints

  • Use spanning-tree vlan root primary to set the switch as root for specified VLANs.
  • Verify with show spanning-tree vlan <vlan> to confirm root bridge priority is 24576.
  • Check interface status with show interfaces gigabitethernet 0/1 status to ensure it is not err-disabled.
A. Configure 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary' on MLS1. Verify with 'show spanning-tree vlan 10' and 'show interfaces gigabitEthernet0/1 status'.
B. Configure 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root secondary' on MLS1. Verify with 'show spanning-tree vlan 10' and 'show interfaces gigabitEthernet0/1 status'.
C. Configure 'spanning-tree vlan 10 priority 4096' and 'spanning-tree vlan 20 priority 4096' on MLS1. Verify with 'show spanning-tree vlan 10' and 'show interfaces gigabitEthernet0/1 status'.
D. Configure 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary' on MLS1. Then configure 'spanning-tree portfast default' and 'spanning-tree bpduguard default' globally. Verify with 'show spanning-tree vlan 10' and 'show interfaces gigabitEthernet0/1 status'.
Answer: A
solution
! MLS1
spanning-tree vlan 10 root primary
spanning-tree vlan 20 root primary

Why this answer

The interface Gi0/1 already has PortFast and BPDU Guard configured, so no additional configuration is needed for that step. Using 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary' sets the priority to 24576, ensuring MLS1 becomes root for both VLANs. Verify with 'show spanning-tree vlan 10' to see the priority changed and 'show interfaces gigabitEthernet0/1 status' to confirm the port is not err-disabled.

Exam trap

Do not confuse 'root primary' with 'root secondary' or manual priority settings. The 'root primary' command automatically sets the priority to 24576, which is the recommended value. Also, avoid adding unnecessary global commands when the interface already has the required features configured.

Why the other options are wrong

B

Using 'root secondary' for VLAN 20 sets priority to 28672, leaving MLS1 as backup root, not the primary root.

C

Manually setting priority to 4096 is valid but not the recommended method; 'root primary' is simpler and ensures proper value.

D

Global portfast and bpduguard are not required because the interface is already configured with those features; this adds unnecessary commands.

1115
MCQ (hard)

A network engineer is troubleshooting a workstation that cannot access the internet. The workstation is connected to a switch port configured for access VLAN 10. The switch is a Cisco 2960-X running IOS-XE. The engineer runs 'ipconfig /all' on the workstation and sees an IPv4 address of 169.254.123.45 with a subnet mask of 255.255.0.0. The engineer then connects to the switch and issues 'show interfaces vlan 10'. What is the most likely cause of the issue?

A. The workstation is not configured to use DHCP.
B. The switch's VLAN 10 SVI is administratively down.
C. The switch port connecting the workstation is in a different VLAN.
D. The DHCP server is not configured on the network.
Answer: B

The 'administratively down' state on the SVI indicates it was manually disabled with the 'shutdown' command. This prevents the switch from routing or providing DHCP services for that VLAN, causing the workstation to get an APIPA address.

Why this answer

The workstation has an APIPA address (169.254.x.x), which indicates it failed to obtain a DHCP lease. Since the switch's VLAN 10 SVI is administratively down, the workstation cannot reach the DHCP server (which may be on a different subnet or the SVI itself), causing the DHCP request to time out and the workstation to self-assign an APIPA address. Option B is correct because an administratively down SVI breaks Layer 3 connectivity for that VLAN, preventing DHCP traffic from being routed.

Exam trap

Cisco often tests the distinction between a Layer 2 connectivity issue (like VLAN mismatch) and a Layer 3 issue (like an SVI being down), where candidates incorrectly assume a VLAN mismatch because the workstation gets an APIPA address, but the APIPA address actually points to a DHCP failure, not a VLAN mismatch.

Why the other options are wrong

A

The workstation likely has DHCP enabled, but the switch's SVI being down prevents DHCP discovery from reaching a server.

C

A VLAN mismatch would likely result in a different IP address or no connectivity, but the SVI being down is a more direct cause.

D

The absence of a DHCP server is a possible cause, but the exhibit clearly shows the SVI is administratively down, which is a more specific and immediate issue.

1116
Multi-Select (medium)

Which two statements accurately describe APIs in network automation?

Select 2 answers
A. APIs provide a defined way for software systems to interact.
B. APIs can be used by automation tools to retrieve data or request changes.
C. APIs eliminate all need for authentication.
D. APIs are a form of Ethernet duplex setting.
E. APIs are only valid on devices running Telnet.
Answers: A, B

This is correct because an API is an interface that enables controlled software communication.

Why this answer

APIs (Application Programming Interfaces) define a standardized, structured method for software systems to communicate, enabling network automation tools to programmatically retrieve operational data or push configuration changes. This eliminates the need for manual CLI or SNMP interactions, allowing scalable and repeatable automation workflows. Options A and B correctly describe this.

Option C is false because APIs require authentication; they do not bypass security. Option D is false because APIs are software interfaces, not Ethernet duplex settings. Option E is false because APIs work over various protocols (e.g., HTTP/HTTPS), not just Telnet.

Exam trap

Cisco often tests the misconception that APIs bypass security, but in reality, APIs enforce authentication and authorization just as strictly as CLI or SNMP.

Why the other options are wrong

C

This option is incorrect because APIs typically require authentication to ensure secure access and prevent unauthorized use, which is a fundamental aspect of API design.

D

APIs are not related to Ethernet duplex settings; they are software interfaces that enable communication between different applications or systems. This option misrepresents the fundamental purpose of APIs in network automation.

E

APIs are not limited to devices running Telnet; they can be implemented on various platforms and protocols, including HTTP and REST, which are widely used in modern network automation.

1117
PBQ (hard)

You are connected to R1. Configure OSPFv2 on R1 and R2 so that they form a full adjacency and can exchange routes. The current configuration has mismatched hello/dead timers blocking the adjacency. Adjust only the necessary settings on R1 to match R2's OSPF timers.

Network Topology
Diagram labels (image not reproduced): R1 G0/0 192.0.2.1/30 linked to R2 G0/0 192.0.2.2/30.

Hints

  • Check the OSPF interface timers on both routers using 'show ip ospf interface'.
  • The dead interval must be exactly four times the hello interval unless manually set.
  • Use the 'ip ospf hello-interval' and 'ip ospf dead-interval' commands under the interface configuration.
A.Configure 'ip ospf hello-interval 5' and 'ip ospf dead-interval 20' on R1's GigabitEthernet0/0 interface.
B.Configure 'ip ospf hello-interval 10' and 'ip ospf dead-interval 40' on R2's interface to match R1's default timers.
C.Configure 'ip ospf hello-interval 5' on R1's GigabitEthernet0/0 interface only; the dead interval will adjust automatically.
D.Configure 'ip ospf dead-interval 20' on R1's GigabitEthernet0/0 interface only; the hello interval will adjust automatically.
AnswerA
solution
! R1
interface gigabitethernet0/0
ip ospf hello-interval 5
ip ospf dead-interval 20

Why this answer

The adjacency between R1 and R2 is not forming because the OSPF hello and dead timers are mismatched. R1 has default timers (Hello 10, Dead 40) while R2 has custom timers (Hello 5, Dead 20). To form an adjacency, OSPF timers must match on both ends.

On R1, you need to configure the OSPF interface timers to match R2 by issuing 'ip ospf hello-interval 5' and 'ip ospf dead-interval 20' on interface GigabitEthernet0/0. After applying these commands, the adjacency should come up.

Exam trap

A common trap is assuming that changing only the hello interval will automatically adjust the dead interval, or vice versa. In Cisco IOS, these timers are independent and must be set explicitly. Also, note that the dead interval must be at least four times the hello interval, but that relationship is not enforced automatically.

Why the other options are wrong

B

The task limits changes to R1; modifying R2's timers is not allowed.

C

The dead interval is not automatically derived from the hello interval; it must be set separately.

D

The hello interval is not automatically derived from the dead interval; both must be set explicitly.
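
Worked check, added here as an example and not part of the question bank: a short Python script that parses the timer line of 'show ip ospf interface' from both routers and emits the interface commands R1 needs to match R2, setting hello and dead explicitly as the answer key expects. The show output embedded in it is a constructed sample shaped like IOS output, and the function names are the example's own.

```python
"""Compare OSPF interface timers parsed from 'show ip ospf interface' on two
neighbours and emit the interface commands that bring the local router in
line with its peer. Added example for question 1117; the show output is a
constructed sample modelled on Cisco IOS, not captured from R1/R2."""
import re

# Constructed sample output (abbreviated to the lines the check needs).
R1_SHOW = """\
GigabitEthernet0/0 is up, line protocol is up
  Internet Address 192.0.2.1/30, Area 0
  Process ID 1, Router ID 192.0.2.1, Network Type BROADCAST, Cost: 1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
"""
R2_SHOW = """\
GigabitEthernet0/0 is up, line protocol is up
  Internet Address 192.0.2.2/30, Area 0
  Process ID 1, Router ID 192.0.2.2, Network Type BROADCAST, Cost: 1
  Timer intervals configured, Hello 5, Dead 20, Wait 20, Retransmit 5
"""

TIMER_RE = re.compile(r"Hello (\d+), Dead (\d+)")


def parse_timers(show_output):
    """Return (hello, dead) in seconds from one interface's show block."""
    m = TIMER_RE.search(show_output)
    if m is None:
        raise ValueError("no 'Hello N, Dead N' timer line found")
    return int(m.group(1)), int(m.group(2))


def timer_fix(local_show, peer_show, interface):
    """Return the interface-mode commands that make the local timers equal
    to the peer's, or an empty list when they already match. Both values
    are set explicitly, as the answer key for this question expects."""
    local_hello, local_dead = parse_timers(local_show)
    peer_hello, peer_dead = parse_timers(peer_show)
    if (local_hello, local_dead) == (peer_hello, peer_dead):
        return []
    cmds = [f"interface {interface}"]
    if local_hello != peer_hello:
        cmds.append(f" ip ospf hello-interval {peer_hello}")
    if local_dead != peer_dead:
        cmds.append(f" ip ospf dead-interval {peer_dead}")
    return cmds


def dead_covers_hello(hello, dead):
    """Sanity check from the exam-trap note: dead should be at least four
    times hello; IOS does not enforce this, so flag it before applying."""
    return dead >= 4 * hello


if __name__ == "__main__":
    for line in timer_fix(R1_SHOW, R2_SHOW, "GigabitEthernet0/0"):
        print(line)
```

Run it as-is and it prints the three lines of the solution above; feed it real show output from two routers and it reports nothing when the timers already agree.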

1118
MCQeasy

An engineer receives API output that starts with curly braces and contains name-value pairs. Which data format is being used?

A.YANG
B.JSON
C.Syslog
D.SMTP
AnswerB

The structure described is JSON.

Why this answer

JSON represents data as objects and arrays using braces, brackets, and name-value pairs. It is the most common format you will see in modern network APIs.

Exam trap

A frequent exam trap is mistaking YANG for the data format when seeing curly braces and name-value pairs. YANG is a modeling language that defines the structure and constraints of network data but does not represent the actual data payload. Candidates might also confuse Syslog or SMTP with JSON due to their familiarity with network protocols, but these protocols do not use JSON’s syntax.

This confusion leads to selecting incorrect answers, especially under time pressure. Recognizing that JSON is the payload format commonly used in Cisco APIs helps avoid this mistake and correctly interpret automation output.

Why the other options are wrong

A

YANG is a modeling language used to define the structure and constraints of network data but does not represent the actual data payload format. The question describes data output starting with curly braces and name-value pairs, which is a data format, not a model, so YANG is incorrect.

C

Syslog is a protocol used for sending event messages and logs from network devices. Its message format does not use curly braces or name-value pairs as JSON does, so it does not match the described API output format.

D

SMTP is a protocol for sending email messages and does not relate to network device data formats or API outputs. It does not use curly braces or name-value pairs in its message structure, making it irrelevant to the question.

1119
Multi-Selectmedium

Which TWO statements about floating static routes and default routes are correct?

Select 2 answers
A.A floating static route uses an administrative distance higher than that of the primary route to act as a backup.
B.A floating static route must have a lower administrative distance than the primary route to ensure faster convergence.
C.A default route can be configured as a static route with destination 0.0.0.0/0 for IPv4 and ::/0 for IPv6.
D.Floating static routes are supported only for IPv6, not for IPv4.
E.A default static route cannot be configured as a floating static route.
AnswersA, C

Correct: The higher AD makes it less preferred than the primary route, so it is only used if the primary becomes unreachable.

Why this answer

Option A is correct because a floating static route is configured with a higher administrative distance (AD) than the primary route. This ensures the floating route remains inactive in the routing table unless the primary route fails, at which point the router installs the floating static route as a backup. The higher AD makes it less preferred than the primary dynamic or static route.

Exam trap

Cisco often tests the misconception that a floating static route must have a lower AD to be 'faster,' when in fact it requires a higher AD to serve as a backup; candidates also mistakenly think default routes cannot be made floating or that floating routes are IPv6-only.

Why the other options are wrong

B

Floating static routes require a higher AD, not lower, to be less preferred than the primary route.

D

Both IPv4 and IPv6 static routes can be configured as floating routes by setting a higher AD.

E

You can configure multiple default static routes with different ADs; the one with the higher AD becomes the floating backup.
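
Worked illustration, added as an example and not part of the question bank: a small Python model of route selection by administrative distance. It shows an OSPF-learned default (AD 110) backed by a floating static default (AD 200) for both 0.0.0.0/0 and ::/0, the floating route taking over only when the primary is withdrawn, and why option B's lower-AD "backup" would preempt the primary instead. All prefixes, next hops and AD values are constructed.

```python
"""Model route selection by administrative distance (AD) to show why a
floating static route needs a HIGHER AD than the primary route, for both an
IPv4 (0.0.0.0/0) and an IPv6 (::/0) default. Added example for question 1119;
the prefixes, next hops and AD values are constructed, not from a device."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    prefix: str            # "0.0.0.0/0" or "::/0" for a default route
    next_hop: str
    source: str            # "static", "ospf", ...
    ad: int                # administrative distance; lower is preferred
    usable: bool = True    # False once the route is withdrawn (link/next hop down)


def best_route(candidates):
    """Pick the usable candidate with the lowest AD, like the RIB does when
    several sources offer the same prefix; None when nothing is usable."""
    usable = [r for r in candidates if r.usable]
    return min(usable, key=lambda r: r.ad) if usable else None


def install(candidates):
    """Return {prefix: winning next hop} for every prefix offered."""
    by_prefix = {}
    for r in candidates:
        by_prefix.setdefault(r.prefix, []).append(r)
    table = {}
    for prefix, routes in by_prefix.items():
        win = best_route(routes)
        if win is not None:
            table[prefix] = win.next_hop
    return table


# Constructed scenario: OSPF-learned defaults (AD 110) backed by floating
# static defaults configured with AD 200.
OSPF_V4 = Route("0.0.0.0/0", "203.0.113.1", "ospf", 110)
FLOAT_V4 = Route("0.0.0.0/0", "198.51.100.1", "static", 200)
OSPF_V6 = Route("::/0", "2001:db8:1::1", "ospf", 110)
FLOAT_V6 = Route("::/0", "2001:db8:2::1", "static", 200)


def failover_demo():
    """Return (table while OSPF is healthy, table after the OSPF defaults
    are withdrawn). The floating statics appear only in the second table."""
    healthy = install([OSPF_V4, FLOAT_V4, OSPF_V6, FLOAT_V6])
    withdrawn = install([
        replace(OSPF_V4, usable=False), FLOAT_V4,
        replace(OSPF_V6, usable=False), FLOAT_V6,
    ])
    return healthy, withdrawn


def lower_ad_mistake():
    """Option B's misconception: a 'backup' static with AD 5 is preferred
    over OSPF (AD 110) even while OSPF is healthy, so it is not a backup."""
    wrong_backup = Route("0.0.0.0/0", "198.51.100.1", "static", 5)
    return install([OSPF_V4, wrong_backup])["0.0.0.0/0"]


if __name__ == "__main__":
    before, after = failover_demo()
    print("healthy :", before)
    print("failover:", after)
    print("AD 5 'backup' wins even when OSPF is up:", lower_ad_mistake())
```

The model only ranks by AD; a real router also compares prefix length first and metric within a source, but for two candidates to the same default prefix AD alone decides, which is exactly the point of a floating static route.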

1120
PBQhard

You are connected to R1, a multilayer switch with three directly connected switches. Configure Root Guard on the designated port to prevent an unauthorized switch from becoming root. Configure Loop Guard on the uplink to protect against unidirectional links. Configure BPDU Guard on all PortFast-enabled ports. Troubleshoot the scenario where a port receives a superior BPDU and is blocked by Root Guard, and another port goes err-disabled after BPDU Guard triggers.

Network Topology
R1 interfaces: Gi0/0 (10.0.0.0/30), Gi0/1, Gi0/2, Gi0/3. Devices: R1, R2, SwitchA, SwitchB, SwitchC   (topology diagram not reproduced)

Hints

  • Root Guard is configured per interface with 'spanning-tree guard root'.
  • Loop Guard is configured per interface with 'spanning-tree guard loop'.
  • BPDU Guard can be enabled per PortFast port with 'spanning-tree bpduguard enable'.
A.Configure Root Guard on Gi0/2, Loop Guard on Gi0/2, and BPDU Guard on Gi0/1 and Gi0/3.
B.Configure Root Guard on Gi0/1 and Gi0/3, Loop Guard on Gi0/2, and BPDU Guard on Gi0/2.
C.Configure Root Guard on Gi0/1, Loop Guard on Gi0/3, and BPDU Guard on Gi0/2.
D.Configure Root Guard on Gi0/3, Loop Guard on Gi0/1, and BPDU Guard on Gi0/2.
AnswerA
solution
! R1
interface GigabitEthernet0/2
spanning-tree guard root
spanning-tree guard loop
exit
interface GigabitEthernet0/1
spanning-tree bpduguard enable
exit
interface GigabitEthernet0/3
spanning-tree bpduguard enable
exit

Why this answer

The scenario requires three STP protection features. Root Guard should be applied on designated port Gi0/2 (uplink) to prevent an external switch from becoming root if it sends superior BPDUs. Loop Guard should be applied on the same uplink to protect against unidirectional link failure.

BPDU Guard must be enabled on all PortFast ports (Gi0/1 and Gi0/3) to immediately err-disable them if a BPDU is received. After configuration, if a superior BPDU arrives on Gi0/2, Root Guard will block it (root-inconsistent state). If a BPDU arrives on Gi0/1 or Gi0/3, BPDU Guard will put the port in err-disable state, requiring manual or automatic recovery.

Exam trap

Candidates often confuse where to apply each STP feature. Remember: Root Guard on designated ports (uplinks), Loop Guard on root or alternate ports (uplinks), BPDU Guard on PortFast ports (access ports). Also, Root Guard and Loop Guard can be applied on the same port, but BPDU Guard is exclusive to PortFast.

Why the other options are wrong

B

Root Guard is only effective on designated ports; applying it to access ports does not prevent an external switch from becoming root via the uplink. BPDU Guard on an uplink would err-disable it unnecessarily.

C

Root Guard on an access port does not protect against superior BPDUs from an external switch on the uplink. Loop Guard on an access port is unnecessary as unidirectional links typically affect trunk links.

D

Root Guard on an access port does not prevent an external switch from becoming root via the uplink. Loop Guard on an access port is not standard practice. BPDU Guard on the uplink would cause unnecessary err-disable.
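
Troubleshooting aid for the last part of the task, added as an example and not part of the question bank: a Python script that walks a switch's syslog, reports which port Root Guard is currently holding root-inconsistent and which port BPDU Guard has err-disabled, and pairs each with the recovery step described in the explanation above. The log lines are constructed samples modelled on the IOS %SPANTREE and %PM message formats, not a capture from R1.

```python
"""Triage spanning-tree guard events from a switch's syslog: report which
port Root Guard is currently holding root-inconsistent and which port BPDU
Guard has err-disabled, with the operator action for each. Added example for
question 1120; the log lines are constructed samples modelled on the Cisco
IOS %SPANTREE and %PM message formats, not captured from R1."""
import re

# Constructed sample syslog (not a real capture).
SAMPLE_LOG = """\
*Mar  1 00:12:41.101: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/2 on VLAN0001.
*Mar  1 00:13:05.377: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/1 with BPDU Guard enabled. Disabling port.
*Mar  1 00:13:05.381: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/1, putting Gi0/1 in err-disable state
*Mar  1 00:15:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
"""

ROOTGUARD_BLOCK = re.compile(r"%SPANTREE-2-ROOTGUARD_BLOCK: .*?port (\S+) on (VLAN\d+)")
ROOTGUARD_UNBLOCK = re.compile(r"%SPANTREE-2-ROOTGUARD_UNBLOCK: .*?port (\S+) on (VLAN\d+)")
BPDUGUARD_BLOCK = re.compile(r"%SPANTREE-2-BLOCK_BPDUGUARD: .*?port (\S+) with BPDU Guard")
ERR_DISABLE = re.compile(r"%PM-4-ERR_DISABLE: (\S+) error detected on (\S+),")


def normalize(port):
    """Expand the short form used by %PM ('Gi0/1') to 'GigabitEthernet0/1'."""
    return re.sub(r"^Gi(?=\d)", "GigabitEthernet", port)


def triage(log_text):
    """Walk the log in order and return (root_inconsistent, err_disabled):
    root_inconsistent maps port -> VLAN while Root Guard is blocking it (an
    UNBLOCK message clears it); err_disabled maps port -> cause."""
    root_inconsistent = {}
    err_disabled = {}
    for line in log_text.splitlines():
        if m := ROOTGUARD_BLOCK.search(line):
            root_inconsistent[normalize(m.group(1))] = m.group(2)
        elif m := ROOTGUARD_UNBLOCK.search(line):
            root_inconsistent.pop(normalize(m.group(1)), None)
        elif m := BPDUGUARD_BLOCK.search(line):
            err_disabled.setdefault(normalize(m.group(1)), "bpduguard")
        elif m := ERR_DISABLE.search(line):
            err_disabled[normalize(m.group(2))] = m.group(1)
    return root_inconsistent, err_disabled


def actions(root_inconsistent, err_disabled):
    """Map each finding to what the operator should do, matching the
    recovery behaviour described in the answer explanation."""
    todo = {}
    for port, vlan in root_inconsistent.items():
        todo[port] = (f"root-inconsistent on {vlan}: find the device sending the "
                      "superior BPDU; the port recovers on its own once they stop")
    for port, cause in err_disabled.items():
        todo[port] = (f"err-disabled by {cause}: remove the device sending BPDUs, "
                      "then 'shutdown' / 'no shutdown' or wait for errdisable recovery")
    return todo


if __name__ == "__main__":
    for port, todo in actions(*triage(SAMPLE_LOG)).items():
        print(f"{port}: {todo}")
```

The distinction the script makes is the one the question tests: a root-inconsistent port clears itself when the superior BPDUs stop, whereas an err-disabled port stays down until it is bounced or errdisable recovery fires.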

1121
MCQhard

A switchport on one side of a link is configured as a trunk, but the peer side is configured as an access port. What is the most likely result?

A.The link roles are mismatched, so VLAN traffic will not be handled as intended.
B.The access side automatically becomes a routed port.
C.Both switches automatically synchronize their switchport settings.
D.The mismatch forces OSPF to change router IDs.
AnswerA

This is correct because trunk/access disagreement creates a logical mismatch.

Why this answer

The most likely result is a logical mismatch that prevents VLAN traffic from crossing the link as intended. In practical terms, one side is trying to carry multiple VLANs with tagging behavior, while the other side is treating the connection as a normal one-VLAN endpoint port. That disagreement usually leads to unexpected or failed traffic behavior.

This is a classic switching mismatch scenario. The link may still be physically up, but the two sides do not agree on how the traffic should be handled.

Exam trap

Don't assume mismatches always result in physical link failure; focus on logical traffic handling issues.

Why the other options are wrong

B

This option is incorrect because an access port does not automatically convert to a routed port when connected to a trunk port; it remains an access port and will not participate in Layer 3 routing.

C

This option is wrong because switchport settings do not automatically synchronize between devices; each port retains its configuration independently, leading to a mismatch in link roles.

D

This option is incorrect because the configuration mismatch between a trunk and an access port does not directly affect OSPF router IDs, which are determined by the OSPF process itself and not by switchport configurations.

1122
PBQhard

You are connected to R1. The network uses DNS to resolve hostnames for remote device management. Currently, R1 cannot resolve the hostname 'ServerA' via DNS. Using the nslookup and dig commands, you have gathered the following outputs:

nslookup ServerA
Server: 203.0.113.1
Address: 203.0.113.1#53
Name: ServerA.example.com
Address: 203.0.113.10

dig ServerA
...
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: ...
...

The show running-config command shows that 'ip domain-lookup' is enabled, the name-server is 203.0.113.1, and no static host entries are configured. Diagnose and fix the DNS resolution failure. Ensure that R1 can successfully resolve 'ServerA' to its intended IP address 198.51.100.10.

Hints

  • Check the output of 'nslookup' and 'dig' carefully; nslookup may show a different IP than expected.
  • The DNS server returns a response but with an incorrect record — consider using a static host entry or a different DNS server.
  • Verify that the DNS server's A record for ServerA actually points to 198.51.100.10, not 203.0.113.10.
A.Add a static host entry: 'ip host ServerA 198.51.100.10'
B.Change the DNS server to 8.8.8.8 using 'ip name-server 8.8.8.8'
C.Enable 'ip domain lookup' with 'ip domain-lookup' command
D.Configure the correct domain name using 'ip domain-name example.com'
AnswerA
solution
! R1
! Remove the incorrect static host entry if present (optional, but to force DNS resolution)
no ip host ServerA
! Alternatively, correct the DNS server or add a correct static entry:
ip host ServerA 198.51.100.10
! Or configure a different DNS server that has the correct A record:
ip name-server 198.51.100.1

Why this answer

The nslookup output misleadingly shows a response with IP 203.0.113.10, but the dig output reveals NXDOMAIN, indicating the DNS server has no valid A record for ServerA. The returned address is a default domain record that does not point to the correct device. Since the external DNS server cannot be modified, the quickest and valid fix is to add a static host entry on R1 using 'ip host ServerA 198.51.100.10', which overrides DNS and ensures correct resolution.

Option B is incorrect because changing to 8.8.8.8 would still depend on a remote server having the correct record, which is not guaranteed. Option C is wrong because 'ip domain-lookup' is already enabled, so disabling/enabling it has no effect. Option D is wrong because modifying the domain name only affects how FQDN is built but does not fix the missing A record or wrong IP issue.

Exam trap

Do not assume that a DNS server that responds is correctly configured. Always verify the actual record returned. The nslookup output may show a response, but the IP could be wrong.

Use 'dig' to see the exact answer section. Also, remember that static host entries override DNS and are useful for troubleshooting.

Why the other options are wrong

B

The DNS server is reachable and responds, but with incorrect data. Simply changing the server may not fix the issue if the new server also lacks the correct record.

C

The command 'ip domain-lookup' enables DNS resolution, but it is enabled by default. The problem is the incorrect DNS record, not the feature being disabled.

D

The domain name is already being used in the query (ServerA.example.com). Configuring a different domain name would change the query but not fix the incorrect record for ServerA.

1123
MCQhard

Clients on a network can browse the internet by IP address but fail when using hostnames. What is the most likely problem?

A.The default gateway on the PC is incorrect.
B.The client is using the wrong DNS server address.
C.NAT overload is failing on the edge router.
D.The switchport must be converted to a routed port.
AnswerB

That is the direct cause of hostname resolution failure here.

Why this answer

The client can browse by IP address but not by hostname, which indicates that IP connectivity and routing are functional, but name resolution is failing. Since DNS translates hostnames to IP addresses, the most likely fault is that the client is configured with an incorrect DNS server address, preventing it from resolving domain names.

Exam trap

Cisco often tests the distinction between IP connectivity issues and name resolution issues, and the trap here is that candidates may incorrectly blame the default gateway or NAT when the symptom clearly isolates the problem to DNS.

Why the other options are wrong

A

This option is wrong because if the default gateway on the PC were incorrect, the client would not be able to reach any external IP addresses, not just hostnames. The issue specifically pertains to DNS resolution, not routing.

C

NAT overload failing on the edge router would typically affect the ability to connect to the internet entirely, not just when using hostnames. Since clients can browse by IP, this indicates NAT is functioning correctly.

D

This option is wrong because the issue described pertains to DNS resolution, not layer 2 switching or routing. The problem is related to hostname resolution failures, which are not affected by the switchport type.

1124
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure OSPFv3 for IPv6 on a Cisco IOS-XE router, including enabling IPv6 routing, setting up the OSPFv3 process, enabling it on an interface, and verifying the adjacency and routes.


Steps (in the correct order)

1. Enable IPv6 routing globally
2. Set up the OSPFv3 process
3. Enable OSPFv3 on the interface
4. Verify the adjacency and routes

Why this order

This order follows the logical workflow: first enable IPv6 globally, then configure the OSPFv3 process, apply it to the interface, and finally verify the results.

Exam trap

Students often forget to enable 'ipv6 unicast-routing' globally or try to enable OSPFv3 on an interface before explicitly creating the OSPF process, which may not fail but can result in an automatically assigned router ID.

1125
MCQmedium

On a router performing NAT, where should ip nat inside be applied?

A.On the interface facing the internal private network
B.On the interface facing the ISP only
C.On every routed interface on the router
D.Only on loopback interfaces
AnswerA

That is the inside side of the translation boundary.

Why this answer

The inside designation belongs on the interface facing the private internal network. The outside designation belongs on the interface facing the public or external network.

Exam trap

A frequent exam trap is misapplying the ip nat inside command to the interface facing the ISP or external network. This mistake reverses the NAT boundary, causing translation to fail because the router expects private addresses on the inside interface only. Another trap is assuming all interfaces require NAT configuration, leading to unnecessary or incorrect commands on unrelated interfaces.

Additionally, some candidates incorrectly think loopback interfaces should be marked inside or outside, but NAT operates on interfaces connected to actual networks. Recognizing that ip nat inside must be on the internal private network interface prevents these common errors.

Why the other options are wrong

B

Incorrect. The interface facing the ISP is typically marked with ip nat outside, not ip nat inside, because it represents the public or external side of the NAT boundary.

C

Incorrect. Not every routed interface requires NAT configuration. Only interfaces that participate in NAT translation should be marked as inside or outside to define the translation boundaries.

D

Incorrect. NAT is not limited to loopback interfaces, and loopbacks are generally not used for NAT inside or outside designation since NAT operates on interfaces connected to real networks.
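
Worked illustration, added as an example and not part of the question bank: a Python model of the NAT boundary in which a flow is translated only when it enters an interface marked ip nat inside and leaves one marked ip nat outside. It contrasts the correct placement with the reversed boundary from the exam trap and with option C's "mark everything inside", showing that in both wrong cases the private source address leaves the router untranslated. Interface names, addresses and the PAT port allocation are constructed.

```python
"""Model the NAT boundary: a router translates a flow only when it enters an
interface marked 'ip nat inside' and exits one marked 'ip nat outside'.
Added example for question 1125; interface names, addresses and the port
allocation are constructed, not taken from a real configuration."""
import ipaddress
from dataclasses import dataclass, field

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True when the address is private per RFC 1918 (should never reach the ISP)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass
class NatRouter:
    inside: set                       # interfaces configured 'ip nat inside'
    outside: set                      # interfaces configured 'ip nat outside'
    public_ip: str                    # address used for overload (PAT)
    table: dict = field(default_factory=dict)   # (src_ip, src_port) -> public port
    next_port: int = 1024

    def egress_source(self, ingress, egress, src_ip, src_port):
        """Return the (ip, port) the next hop sees. Only inside->outside
        flows are translated; anything else leaves the router untouched."""
        if ingress in self.inside and egress in self.outside:
            key = (src_ip, src_port)
            if key not in self.table:          # allocate a new PAT port
                self.table[key] = self.next_port
                self.next_port += 1
            return self.public_ip, self.table[key]
        return src_ip, src_port

    def untranslate(self, public_port):
        """Reverse lookup for a packet returning from the outside."""
        for (ip, port), pport in self.table.items():
            if pport == public_port:
                return ip, port
        return None


# Constructed topology: Gi0/0 faces the LAN (192.168.1.0/24), Gi0/1 faces the ISP.
LAN, WAN = "GigabitEthernet0/0", "GigabitEthernet0/1"
HOST = ("192.168.1.10", 40000)
PUBLIC = "203.0.113.5"


def demo():
    """Compare the correct placement with the reversed boundary (exam trap)
    and with marking every interface inside (option C)."""
    results = {}
    correct = NatRouter(inside={LAN}, outside={WAN}, public_ip=PUBLIC)
    results["correct"] = correct.egress_source(LAN, WAN, *HOST)
    results["return"] = correct.untranslate(results["correct"][1])
    reversed_boundary = NatRouter(inside={WAN}, outside={LAN}, public_ip=PUBLIC)
    results["reversed"] = reversed_boundary.egress_source(LAN, WAN, *HOST)
    all_inside = NatRouter(inside={LAN, WAN}, outside=set(), public_ip=PUBLIC)
    results["all_inside"] = all_inside.egress_source(LAN, WAN, *HOST)
    return results


if __name__ == "__main__":
    for name, seen in demo().items():
        flag = " (private address leaked)" if seen and is_rfc1918(seen[0]) and name != "return" else ""
        print(f"{name:10s} -> {seen}{flag}")
```

The is_rfc1918 check is what an operator would put on the WAN side to confirm the boundary is right: any RFC 1918 source leaving the ISP-facing interface means the inside/outside designations are wrong or missing.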
