CCNA 200-301 v2 (200-301) — Questions 11261200

1819 questions total · 25 pages · All types, answers revealed

Page 16 of 25
1126 · Drag & Drop · medium

Drag and drop the following steps into the correct order to configure and verify HSRP active/standby election, including priority, preempt, virtual IP, and failover verification.


Why this order

The order ensures the interface is ready, then priority and preempt are set to influence the election, followed by the virtual IP and verification of failover behavior.

Exam trap

Do not configure the virtual IP before setting priority and preempt, as the router may become active with default priority and then preempt later, causing unnecessary flapping. Always configure the interface first, then priority/preempt, then virtual IP.

1127 · MCQ · hard

A host uses the subnet mask 255.255.254.0. Which prefix length does this represent?

A. /22
B. /23
C. /24
D. /25

Answer: B

This is correct because 255.255.254.0 corresponds to 23 network bits.

Why this answer

The mask 255.255.254.0 represents /23. In plain language, the first two octets are fully network bits, the third octet contributes 7 more network bits because 254 in binary is 11111110, and the last octet contributes none. That totals 23 network bits.

This is a common prefix-conversion question because candidates often memorize the usual masks but hesitate when a non-/24 boundary appears. Recognizing that 255.255.254.0 equals /23 is important for subnetting and local-scope calculations.

Exam trap

Do not assume a familiar mask such as /24; count the network bits explicitly, especially when the mask falls on a non-octet boundary.

Why the other options are wrong

A

Option A is incorrect because the subnet mask 255.255.254.0 corresponds to a prefix length of /23, not /22. A /22 prefix would indicate a subnet mask of 255.255.252.0.

C

The subnet mask 255.255.254.0 corresponds to a prefix length of /23, not /24. A /24 prefix length would indicate a subnet mask of 255.255.255.0, which allows for fewer hosts per subnet.

D

Option D is incorrect because a subnet mask of 255.255.254.0 corresponds to a prefix length of /23, not /25. A /25 subnet mask would allow for only 128 IP addresses, which is not applicable here.

1128 · MCQ · hard

A switchport is configured as a trunk on one side and access on the other side of the same physical link. What is the most likely result?

A. The link roles are mismatched, so VLAN traffic will not be handled as intended across the link.
B. The access side automatically becomes a routed port.
C. The switches automatically synchronize their configurations.
D. The mismatch forces OSPF to choose a new router ID.

Answer: A

This is correct because trunk/access disagreement causes a logical mismatch on the connection.

Why this answer

A trunk/access mismatch prevents the link from carrying VLAN traffic as intended. Option A correctly identifies this mismatch. Option B is wrong because access ports remain Layer 2 switchports; there is no automatic conversion to a routed port.

Option C fails because switch configurations are never auto-synchronized due to a port role mismatch. Option D is incorrect: OSPF router ID is chosen based on loopback or highest IP address and is unaffected by a Layer 2 port mismatch.

Exam trap

Beware of assuming automatic negotiation fixes all mismatches; DTP cannot resolve a trunk/access mismatch.

Why the other options are wrong

B

Access ports do not automatically become routed ports; they remain Layer 2 switchports unless explicitly configured with 'no switchport'.

C

Switches do not automatically synchronize configurations; this is not a feature supported on Cisco switches to resolve mismatches.

D

OSPF router ID is determined by the highest loopback or IP address, not by Layer 2 port configuration mismatches.

1129 · MCQ · medium

Users in 10.10.10.0/24 must be prevented from reaching the web server at 172.16.1.10 over HTTP, but all other traffic should be allowed. Which ACL entry should appear first in the ACL?

A. permit tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
B. deny ip 10.10.10.0 0.0.0.255 host 172.16.1.10
C. deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
D. deny udp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80

Answer: C

This is correct because HTTP uses TCP port 80, and the requirement is narrowly focused on blocking that traffic from one subnet to one host.

Why this answer

The requirement is specific: block HTTP traffic from one source subnet to one server, but allow everything else. In plain terms, you do not want to shut off all communication to the server or all communication from the users. You only want to stop normal web traffic that uses TCP port 80. That means the ACL should start with a deny statement that matches TCP from 10.10.10.0/24 to host 172.16.1.10 on destination port 80.

Using `deny ip` would block every IP-based protocol to that host, which is broader than the requirement. Using UDP port 80 does not match normal HTTP. And a permit statement would do the opposite of what is needed.

Exam trap

A frequent exam trap is selecting a deny ip statement to block HTTP traffic, which seems simpler but actually blocks all IP traffic from the source subnet to the destination host. This overbroad denial disrupts legitimate communications such as DNS, SSH, or other TCP/UDP services, violating the requirement to allow all other traffic. Another trap is denying UDP port 80, which is incorrect because HTTP uses TCP, not UDP.

Candidates may also mistakenly place a permit statement first, which would allow the HTTP traffic instead of blocking it. Recognizing the correct protocol and port and placing the deny statement first is critical to avoid these pitfalls.

Why the other options are wrong

A

This option permits TCP traffic from 10.10.10.0/24 to the web server on port 80, which is the exact traffic that must be blocked. Therefore, it contradicts the requirement and is incorrect.

B

This option denies all IP traffic from the source subnet to the destination host, which is too broad. It blocks all protocols and ports, not just HTTP, violating the requirement to allow other traffic.

D

This option denies UDP traffic on port 80, but HTTP uses TCP port 80. Denying UDP port 80 does not block HTTP traffic and therefore does not meet the requirement.

1130 · Multi-Select · hard

A controller exposes a YANG-modeled interface configuration through an API. Which two statements correctly describe the purpose of YANG in that workflow?

Select 2 answers
A. It provides a structured data model for configuration and operational data
B. It helps standardize how network elements represent managed data
C. It replaces IP addressing on routed interfaces
D. It is a spanning-tree optimization mechanism

Answers: A, B

YANG defines how data is organized and described.

Why this answer

YANG is a modeling language. It defines the structure of network data so controllers and devices can exchange information consistently through APIs such as RESTCONF or NETCONF.

Exam trap

A frequent exam trap is mistaking YANG for a network protocol or function rather than a data modeling language. For example, options suggesting YANG replaces IP addressing or optimizes spanning-tree protocols are incorrect because YANG does not perform routing or Layer 2 operations. Candidates might confuse YANG’s role with actual network services instead of recognizing it as a schema that defines how configuration and state data are structured and exchanged.

This misunderstanding can lead to selecting incorrect answers that describe network functions rather than data modeling purposes.

Why the other options are wrong

C

Option C is incorrect because YANG does not replace IP addressing on routed interfaces. IP addressing is a network-layer function, while YANG models the data representing such configurations but does not perform addressing itself.

D

Option D is wrong as YANG has no role in spanning-tree optimization or Layer 2 loop prevention. YANG is a data modeling language and does not influence protocol operations like STP.

1131 · Matching · medium

Drag and drop the OSPFv2 commands on the left to their correct descriptions on the right.

Descriptions

  • Enables OSPF on interfaces with IP addresses in the 10.0.0.0/8 range
  • Manually assigns the OSPF router ID
  • Suppresses OSPF hello packets on the specified interface
  • Manually defines an OSPF neighbor for non-broadcast networks
  • Displays the OSPF neighbor adjacency table
  • Resets the OSPF routing process and re-establishes adjacencies

Why these pairings

The `network 10.0.0.0 0.255.255.255 area 0` command activates OSPF on any interface with an IP in the 10.0.0.0/8 range (wildcard mask 0.255.255.255) and assigns it to area 0. `router-id 1.1.1.1` manually overrides the default router ID selection, ensuring a persistent OSPF identifier. `passive-interface g0/0` suppresses OSPF hello packets on that interface, so no neighbors are formed but the connected subnet is still advertised. `neighbor 192.168.1.2` statically defines an OSPF neighbor IP for non-broadcast networks where multicast hellos cannot reach the peer. `show ip ospf neighbor` is an EXEC command that displays the current neighbor adjacency table, including neighbor state and interface. `clear ip ospf process` resets all OSPF processes, forcing router ID re-election and full re-adjacency.

Exam trap

Learners often mistakenly interpret the OSPF network command’s wildcard mask as a subnet mask (e.g., think 0.255.255.255 means a /8 subnet mask), and they may treat passive-interface as completely disabling OSPF on the interface rather than just suppressing hello packets.

1132 · MCQ · hard

A network engineer is troubleshooting connectivity issues for hosts in VLAN 10. Hosts in VLAN 10 are unable to ping the default gateway at 192.168.10.1. The engineer checks the switch configuration and notices that the SVI for VLAN 10 is configured with an IP address, but the interface is in a down/down state. What is the most likely cause of this issue?

A. The interface is administratively shut down.
B. VLAN 10 does not exist in the VLAN database.
C. The IP address is not in the correct subnet for VLAN 10.
D. The switch does not have a default gateway configured.

Answer: B

The SVI for VLAN 10 is down/down because the VLAN is not created. Once VLAN 10 is created with the 'vlan 10' command in global configuration mode, the SVI will come up if there is at least one active port in that VLAN.

Why this answer

An SVI (Switch Virtual Interface) will remain in a down/down state if the corresponding VLAN does not exist in the switch's VLAN database. Even if the SVI is configured with an IP address, the interface cannot come up because there is no Layer 2 VLAN to associate with it. This is a common cause of SVI down/down issues when the VLAN has not been created or has been deleted.

Exam trap

Cisco often tests the distinction between an SVI being down due to a missing VLAN versus an administratively shutdown interface, leading candidates to mistakenly choose the administrative shutdown option when the interface status shows 'down/down' instead of 'administratively down'.

Why the other options are wrong

A

The running-config shows 'no shutdown', so this is not the cause.

C

The IP address and subnet mask are correctly configured for the VLAN.

D

The SVI status is not affected by the presence or absence of a default gateway.

1133 · Multi-Select · medium

Which TWO statements are true regarding VLAN configuration, 802.1Q trunking, and the native VLAN?

Select 2 answers
A. On an 802.1Q trunk, frames in the native VLAN are always tagged with a VLAN ID.
B. The native VLAN should be changed from the default VLAN 1 to an unused VLAN for security reasons.
C. 802.1Q is a Cisco proprietary trunking protocol.
D. 802.1Q supports up to 4094 VLANs (VLAN IDs 1–4094).
E. The native VLAN must be the same on both ends of an 802.1Q trunk for the trunk to operate.

Answers: B, D

Changing the native VLAN away from VLAN 1 is a security best practice to prevent VLAN hopping and reduce the risk of attacks that exploit the default native VLAN.

Why this answer

Option B is correct because changing the native VLAN from the default VLAN 1 to an unused VLAN is a recommended security best practice to prevent VLAN hopping attacks. Option D is correct because 802.1Q uses a 12-bit VLAN ID field, allowing VLAN IDs from 1 to 4094 (0 and 4095 are reserved). Option A is false: on an 802.1Q trunk, frames in the native VLAN are typically sent untagged.

Option C is false: 802.1Q is an IEEE standard, not Cisco proprietary (ISL is Cisco proprietary). Option E is false: the native VLAN does not have to match on both ends; mismatched native VLANs can cause traffic to be misclassified but the trunk will still operate.

Exam trap

Cisco often tests the misconception that 802.1Q is proprietary (it is not) and that native VLAN frames are always tagged (they are untagged by default), leading candidates to incorrectly select options A or C.

Why the other options are wrong

A

The native VLAN is specifically the VLAN that does not get a tag; all other VLANs are tagged.

C

802.1Q is an open standard, whereas ISL was Cisco proprietary.

E

Mismatched native VLANs can lead to security vulnerabilities and misrouting, but the trunk itself may still come up.

1134 · Drag & Drop · medium

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and enable 802.1X port authentication on a Cisco IOS-XE switch.


Why this order

The correct order begins by entering global configuration mode, then configuring the RADIUS server host and key before enabling AAA globally. Although AAA can be enabled without a RADIUS server, Cisco recommends defining the server before creating the authentication method list that references it to avoid configuration errors. After enabling AAA, define the authentication method list for 802.1X, then enter interface configuration mode, enable 802.1X port authentication, apply the method list to the interface, and finally verify the configuration.

Exam trap

A common mistake is defining the authentication method list before configuring the RADIUS server, which causes a reference error; the server must be defined before the method list that uses it, even though AAA itself can be enabled earlier.

1135 · PBQ · hard

You are connected to R1. Configure AAA with a RADIUS server at 10.0.0.2 using key 'cisco123' for authentication. Then troubleshoot why 802.1X on interface GigabitEthernet0/1 remains in unauthorized state. Ensure that the default login authentication uses RADIUS first, then local fallback, and fix any configuration issues that prevent 802.1X from working.

Network Topology

R1 G0/0 (10.0.0.1/30) links to the RADIUS Server (10.0.0.2/30); R1 G0/1 links to the Client PC.

Hints

  • Check the AAA authentication method for dot1x — it currently uses 'local' but no local users exist.
  • The default login authentication also uses 'local' — you need to add RADIUS as primary method.
  • Ensure the RADIUS server's IP and key are correct — but the issue is the authentication method list, not connectivity.
A. Configure 'aaa authentication dot1x default group radius' and 'aaa authentication login default group radius local' and ensure the RADIUS server is reachable with the correct key.
B. Configure 'aaa authentication dot1x default local' and 'aaa authentication login default local' and create a local user with the same credentials as the RADIUS server.
C. Configure 'aaa authentication dot1x default group radius' and 'aaa authentication login default local' and ensure the RADIUS server key is 'cisco123'.
D. Configure 'aaa authentication dot1x default group radius' and 'aaa authentication login default group radius local' and change the RADIUS server key to 'cisco'.

Answer: A
Solution

! R1
configure terminal
! Login: try the RADIUS server group first, fall back to the local database if it is unreachable
aaa authentication login default group radius local
! 802.1X must authenticate against RADIUS; 'local' has no users defined here
aaa authentication dot1x default group radius
end
write memory

Why this answer

The 802.1X port is stuck in UNAUTHORIZED because AAA authentication for dot1x is set to 'local' but there is no local user database configured. Additionally, the RADIUS server is configured but not used for dot1x or login. The fix is to change 'aaa authentication dot1x default' to use group radius, and 'aaa authentication login default' to group radius local for fallback.

Also ensure the RADIUS server is reachable and the key matches the server.

Exam trap

Candidates often forget that 802.1X requires a RADIUS server for authentication, not local, and that the login authentication method list must also be configured correctly. They may also overlook the need for the RADIUS key to match exactly.

Why the other options are wrong

B

Option B is wrong because 802.1X should authenticate against RADIUS, not the local database, and the login default must have RADIUS as the primary method.

C

Option C is wrong because the login default must be 'group radius local' to meet the requirement of RADIUS first with local fallback.

D

Option D is wrong because the key must match the server exactly; changing it to 'cisco' would break communication with the RADIUS server.

1136 · Matching · medium

Match each VLAN or trunk term to its most accurate purpose.

Descriptions

  • Link carrying multiple VLANs
  • VLAN assigned to a normal endpoint-facing port
  • VLAN associated with untagged traffic on an 802.1Q trunk
  • Setting that limits which VLANs may traverse a trunk

Why these pairings

Trunks enable multiple VLANs on one link; VLANs logically segment networks. 802.1Q is the tagging standard; native VLAN is untagged. VTP distributes VLAN database; inter-VLAN routing uses a router or Layer 3 switch to communicate between VLANs.

Exam trap

Do not confuse the purpose of a VLAN (segmentation) with trunk tagging (802.1Q) or VLAN distribution (VTP). Also, remember that the native VLAN is not used for routing; it is for untagged traffic on a trunk.

1137 · PBQ · hard

You are connected to a multilayer switch MLS1. Configure Root Guard on the designated port facing another switch SW2 to prevent it from becoming root, configure Loop Guard on the uplink port to the core, and configure BPDU Guard on a PortFast-enabled access port. After configuration, a superior BPDU arrives on the designated port—confirm it is blocked by Root Guard. Then, simulate a BPDU on the access port to verify it goes err-disabled due to BPDU Guard.

Hints

  • Root Guard is configured per interface under the interface configuration mode.
  • Loop Guard uses the same command but with 'loop' keyword.
  • BPDU Guard on PortFast ports can be enabled globally or per interface; use per-interface for this task.
A. Root Guard on Gi0/2, Loop Guard on Gi0/1, BPDU Guard on Gi0/0
B. Root Guard on Gi0/1, Loop Guard on Gi0/2, BPDU Guard on Gi0/0
C. Root Guard on Gi0/0, Loop Guard on Gi0/1, BPDU Guard on Gi0/2
D. Root Guard on Gi0/2, Loop Guard on Gi0/0, BPDU Guard on Gi0/1

Answer: A
Solution

! MLS1
! Designated port toward SW2: a superior BPDU puts the port in root-inconsistent state
interface GigabitEthernet0/2
spanning-tree guard root
exit
! Uplink to the core: protects against unidirectional link failures
interface GigabitEthernet0/1
spanning-tree guard loop
exit
! PortFast-enabled access port: any received BPDU err-disables the port
interface GigabitEthernet0/0
spanning-tree bpduguard enable
exit

Why this answer

First, Root Guard was applied on Gi0/2 (the designated port) with 'spanning-tree guard root' to prevent SW2 from becoming root. Second, Loop Guard was applied on the uplink Gi0/1 with 'spanning-tree guard loop' to protect against unidirectional links. Third, BPDU Guard was applied on the PortFast-enabled access port Gi0/0 with 'spanning-tree bpduguard enable'.

When a superior BPDU arrives on Gi0/2, Root Guard transitions it to a root-inconsistent (blocked) state. If a BPDU is received on Gi0/0, BPDU Guard err-disables the port. Verification shows the blocked state on Gi0/2 and err-disabled on Gi0/0.

Exam trap

Do not confuse the purposes of Root Guard, Loop Guard, and BPDU Guard. Root Guard blocks superior BPDUs on designated ports; Loop Guard prevents loops on root/alternate ports; BPDU Guard err-disables PortFast ports upon BPDU reception. Pay attention to port roles: designated, root, and access.

Why the other options are wrong

B

Root Guard is intended for ports that should not become root; applying it on the uplink would block legitimate superior BPDUs from the core. Loop Guard on the designated port would not protect against unidirectional links on the uplink.

C

Root Guard on an access port is unnecessary and would not prevent the switch from becoming root via other ports. BPDU Guard on the designated port would disable it instead of blocking the BPDU.

D

Loop Guard on an access port does not protect against unidirectional links on the uplink. BPDU Guard on the uplink would err-disable the core connection if a BPDU is received, which is undesirable.

1138 · MCQ · medium

A host can reach other devices on its local subnet, but it cannot reach remote networks. The host has a valid IP address and subnet mask. Which missing item is the strongest suspect?

A. Default gateway information
B. STP priority information
C. A voice VLAN setting
D. An OSPF process ID

Answer: A

This is correct because the host needs a next hop for off-subnet traffic.

Why this answer

The strongest suspect is a missing default gateway. In practical terms, the host can still identify and reach local addresses because it has its own IP and subnet mask. But without a default gateway, it has no next hop for destinations outside the local subnet. That is why local communication works while remote communication fails.

This is one of the most common host-configuration troubleshooting patterns on the exam and in real networks.

Exam trap

A common exam trap is selecting options related to routing protocols like OSPF or Layer 2 technologies such as STP or VLANs when the issue is actually a missing default gateway. Candidates might incorrectly assume that the host needs an OSPF process ID or STP priority to reach remote networks. However, hosts do not run routing protocols and do not participate in STP decisions.

The real problem is the absence of default gateway information, which prevents the host from forwarding packets beyond its local subnet. Misunderstanding this leads to incorrect answers that focus on advanced protocols rather than basic IP configuration.

Why the other options are wrong

B

Incorrect because STP priority is a Layer 2 switch parameter that does not affect host IP routing or the ability to reach remote networks. Hosts do not participate in STP decisions.

C

Incorrect because voice VLAN settings relate to Layer 2 segmentation for voice traffic and do not impact the host’s IP routing or default gateway configuration needed for remote communication.

D

Incorrect because hosts do not run routing protocols like OSPF and do not require an OSPF process ID. Routing protocols are configured on routers, not end hosts.

1139 · Drag & Drop · medium

Drag and drop the following steps into the correct order to troubleshoot a suspected duplex mismatch and CRC errors on a Cisco switch interface using CLI commands.


Why this order

Start by examining current interface stats, then fix the mismatch, and finally clear and recheck counters.

Exam trap

The trap is that candidates often clear counters before fixing the issue, thinking they need a clean baseline. However, you must first see the errors to confirm the problem. Also, some may try to fix before inspecting, which is not systematic troubleshooting.

1140 · MCQ · hard

After enabling Dynamic ARP Inspection on VLAN 20, a network engineer notices that some hosts lose connectivity. The affected hosts have correct IP addresses and MAC addresses, but they cannot ping the default gateway. All other hosts on the same VLAN work fine. Further investigation reveals that the non-functioning hosts are using static IP configurations, while the working hosts are DHCP clients. What is the most likely cause?

A. The DHCP snooping binding table is exhausted and cannot accept new bindings for the static hosts.
B. IP Source Guard is also enabled on VLAN 20 and is blocking traffic from hosts that have no DHCP snooping binding.
C. DAI is dropping ARP packets from the static hosts because they do not have a corresponding entry in the DHCP snooping binding table.
D. The switch is detecting ARP spoofing from the static hosts and has shut down their switchport interfaces for security.

Answer: C

When DAI is enabled, it checks every ARP packet on untrusted ports against the DHCP snooping binding table. Since the static hosts have no DHCP lease, no binding exists, and DAI drops their ARP packets, preventing them from learning the gateway MAC address and causing loss of connectivity.

Why this answer

Dynamic ARP Inspection (DAI) uses the DHCP snooping binding table to validate ARP packets. Hosts with statically assigned IP addresses have no DHCP binding entry, so DAI considers their ARP packets invalid and drops them, preventing these hosts from resolving MAC addresses and thus causing loss of connectivity.

Exam trap

Option B (IP Source Guard) is tempting because both features rely on the DHCP snooping binding table, but IP Source Guard filters IP data traffic, not ARP packets. The specific symptom of failed ARP resolution after enabling DAI points directly to DAI's ARP validation, not IP traffic filtering.

Why the other options are wrong

A

Candidates may think that a large number of untrusted hosts could overwhelm the binding table, but static hosts do not interact with DHCP and would not fill the table or be rejected.

B

Candidates often confuse DAI and IP Source Guard since both use DHCP snooping; however, DAI specifically validates ARP packets, which matches the symptom of connectivity loss due to ARP resolution failure.

D

Some candidates might associate ARP security features with port shutdown, but standard DAI operation does not disable ports, and the symptom does not indicate interface down events.

1141 · Multi-Select · medium

Which three of the following are benefits of integrating AI into network operations? (Choose three.)

Select 3 answers
A. Reduced mean time to repair (MTTR) through faster incident diagnosis
B. Improved accuracy in capacity planning by predicting traffic trends
C. Automated enforcement of security policies based on real-time risk analysis
D. Complete elimination of network downtime
E. Zero configuration required for new network devices
F. Total removal of human network engineers from operations

Answers: A, B, C

Why this answer

AI reduces mean time to repair (MTTR) by rapidly diagnosing incidents through automated correlation of telemetry and logs. It improves capacity planning by analyzing traffic patterns and predicting future demands, enabling proactive scaling. Automated security policy enforcement uses real-time risk analysis to adjust rules dynamically.

The three distractors are wrong because AI cannot guarantee complete elimination of network downtime (unexpected hardware failures still occur), zero configuration for new devices (initial setup and integration still require human input), or total removal of human engineers (AI augments but does not replace strategic oversight and complex problem-solving).

Exam trap

Candidates often mistake AI's ability to automate specific tasks for a complete replacement of human roles or an unrealistic promise of absolute network reliability—AI enhances operations, it does not make them foolproof.

Why the other options are wrong

D

AI-driven operations can minimize downtime but cannot eliminate it entirely due to unpredictable hardware failures and external factors.

E

New network devices still require initial configuration and policy assignment; AI may assist but cannot achieve zero configuration.

F

Human engineers remain essential for strategic planning, complex troubleshooting, and overseeing AI-driven processes.

1142 · MCQ · hard

Why is a northbound API especially useful in a controller-based network architecture?

A. It allows external software to interact programmatically with the controller.
B. It is the cable standard used to connect access points.
C. It replaces all need for authentication and authorization.
D. It makes VLAN tagging unnecessary.

Answer: A

This is correct because northbound APIs provide the application-facing interface into the controller.

Why this answer

A northbound API is especially useful because it gives external applications and automation tools a defined way to communicate with the controller. In plain language, it allows software above the controller to request information, apply policies, or trigger changes without manual per-device interaction. That is one of the main reasons controller-based networking fits well with orchestration and automation.

Option C is incorrect because a northbound API does not replace authentication and authorization; it is an interface that uses existing security mechanisms. Option D is incorrect because VLAN tagging is a data‑plane function unaffected by the northbound API; the API does not eliminate the need for VLANs. The controller is the centralized system, and the northbound API is the software-facing interface that exposes it.

The correct answer is the one centered on application integration rather than on physical connectivity or device forwarding.

Exam trap

Avoid confusing northbound APIs with hardware configuration or physical connectivity functions.

Why the other options are wrong

C

A northbound API does not replace authentication or authorization; it relies on those mechanisms to secure API access.

D

VLAN tagging is a data‑plane feature independent of the northbound API; the API does not make VLAN tagging unnecessary.

1143 · PBQ · hard

You are connected to R1 via console. R1 and R2 are directly connected via GigabitEthernet0/0. Configure OSPF process 1 on both routers so that they form a full adjacency. R1's router-id must be 1.1.1.1, and R2's router-id must be 2.2.2.2. Use network statements to advertise the direct link. Ensure that R1 does not send OSPF hellos out of its GigabitEthernet0/1 interface. The current configuration on R1 has mismatched hello and dead timers, and an incorrect network type, preventing adjacency. Fix all issues.

Network Topology

R1 G0/0 (192.0.2.1/30) links to R2 G0/0 (192.0.2.2/30).

Hints

  • Check the hello and dead timer values on R1 vs R2 using show ip ospf interface.
  • The default hello timer for broadcast networks is 10 seconds, dead timer 40 seconds.
  • Use interface configuration mode to change OSPF timers.
A. On R1, configure 'ip ospf hello-interval 10' and 'ip ospf dead-interval 40' under interface GigabitEthernet0/0, and ensure network type is broadcast. On R2, configure 'router-id 2.2.2.2' under router ospf 1. Also, on R1, add 'passive-interface GigabitEthernet0/1' under router ospf 1.
B. On R1, configure 'ip ospf hello-interval 30' and 'ip ospf dead-interval 120' under interface GigabitEthernet0/0, and set network type to point-to-point. On R2, configure 'router-id 2.2.2.2' under router ospf 1. Also, on R1, add 'passive-interface default' under router ospf 1.
C. On R1, configure 'ip ospf hello-interval 10' and 'ip ospf dead-interval 40' under interface GigabitEthernet0/0, and set network type to point-to-point. On R2, configure 'router-id 2.2.2.2' under router ospf 1. Also, on R1, add 'passive-interface GigabitEthernet0/1' under router ospf 1.
D. On R1, configure 'ip ospf hello-interval 10' and 'ip ospf dead-interval 40' under interface GigabitEthernet0/0, and ensure network type is broadcast. On R2, configure 'router-id 2.2.2.2' under router ospf 1. Also, on R1, add 'network 10.0.0.0 0.255.255.255 area 0' under router ospf 1.

Answer: A
solution
! R1
interface GigabitEthernet0/0
ip ospf hello-interval 10
ip ospf dead-interval 40
ip ospf network broadcast
router ospf 1
passive-interface GigabitEthernet0/1

Why this answer

The adjacency was failing because R1 had incorrect hello (30) and dead (120) timers, while R2 used defaults (10/40). Additionally, R1’s network type was set to a non-broadcast type, causing a mismatch. To fix, on R1’s GigabitEthernet0/0, set hello-interval 10, dead-interval 40, and network type broadcast.

In OSPF process 1 on R1, configure passive-interface GigabitEthernet0/1 to suppress hellos on that interface. On R2, under router ospf 1, set router-id 2.2.2.2. Option A addresses all requirements.

Option B uses wrong timers and passive-interface default, which blocks hellos on all interfaces, breaking adjacency. Option C sets network type point-to-point, creating a type mismatch with R2’s broadcast, preventing adjacency. Option D omits the passive-interface command, failing to suppress hellos on GigabitEthernet0/1 as required.

Exam trap

The exam trap is that candidates may focus on the network type or extra network statements, but the primary issue is the timer mismatch. OSPF requires hello and dead timers to match for adjacency. Also, remember that 'passive-interface default' suppresses hellos on all interfaces, which would break the adjacency; use specific passive-interface commands.

Why the other options are wrong

B

Incorrect timers (30/120) break adjacency, and 'passive-interface default' suppresses hellos on all interfaces, including the transit link.

C

Network type point-to-point on R1 does not match R2's default broadcast, causing a type mismatch that prevents OSPF adjacency.

D

Omits the required 'passive-interface GigabitEthernet0/1' command, leaving hellos still being sent on that interface.

1144
Drag & Dropmedium

Which of the following correctly describes the sequence of the TCP three-way handshake between a client and a server?


Why this order

The TCP three-way handshake establishes a reliable connection in three steps: the client sends a SYN, the server replies with SYN-ACK, and the client acknowledges with an ACK. Option A correctly depicts this. Option B omits the server's SYN, leaving synchronization incomplete.

Option C reverses the roles by having the server initiate, which never occurs in a standard handshake. Option D begins with a SYN-ACK, which is not a valid initial packet; the handshake must start with a SYN.

Exam trap

Do not confuse the roles: the client always initiates with a SYN, the server responds with SYN-ACK, and the client finishes with an ACK. Watch out for options that reverse the order or swap the flags.

1145
MCQhard

A host is configured as 10.20.30.95/27. Which address is the network address of its subnet?

A.10.20.30.32
B.10.20.30.64
C.10.20.30.95
D.10.20.30.96
AnswerB

This is correct because the host falls within the 64–95 /27 block.

Why this answer

A /27 uses blocks of 32 addresses. In plain language, the ranges in the last octet are 0–31, 32–63, 64–95, 96–127, and so on. Since the host address ends in 95, it belongs to the 64–95 block. The first address in that block is the network address, which is 10.20.30.64.

This is a classic subnet-boundary question because it tests whether you can identify the containing block and then choose the first address in that block as the network address.

Exam trap

A frequent exam trap is mistaking the host IP address for the network address or incorrectly identifying the subnet block boundaries. Candidates often select the host IP itself or the next block's starting address as the network address. For example, choosing 10.20.30.95 or 10.20.30.96 instead of 10.20.30.64.

This happens because the subnet mask’s block size (32 addresses for /27) is overlooked, leading to confusion about which block the host belongs to. Misunderstanding this can cause incorrect subnetting and routing errors in real networks.

Why the other options are wrong

A

10.20.30.32 is incorrect because the host IP 10.20.30.95 does not fall within the 32–63 subnet block. This address belongs to a different subnet block and cannot be the network address for the given host.

C

10.20.30.95 is incorrect because it is the host IP address itself, not the network address. The network address must be the first address in the subnet block, not a host address.

D

10.20.30.96 is incorrect because it is the first address of the next subnet block (96–127). The host IP 10.20.30.95 belongs to the previous block, so 10.20.30.96 cannot be its network address.

1146
Matchingmedium

Match each user or host symptom to the service it most directly suggests.


Concepts
Matches

DNS

DHCP

NTP

Syslog

Why these pairings

DNS translates domain names to IP addresses; when a device reaches sites by IP but not by name, the most direct cause is DNS failure. DHCP automatically assigns IP configurations; a host not receiving an IP configuration automatically points directly to a DHCP issue. NTP synchronizes clocks across devices; event timelines from multiple devices not aligning indicates an NTP problem.

Syslog centralizes device logs; when administrators cannot see centralized events, the most direct suggestion is that Syslog is misconfigured or the collector is unreachable.

Exam trap

The trap is to associate 'host does not receive IP configuration' with DNS or NTP, but the most direct service is DHCP.

1147
PBQhard

You are connected to R1. Configure an extended ACL on R1 to permit HTTP traffic from the 192.168.1.0/24 network to the 10.0.0.0/30 network, and deny all other IP traffic. Apply the ACL inbound on the interface facing the 192.168.1.0/24 network. The current configuration has an ACL that is too permissive; you must explicitly remove the existing ACL before applying the new one. Correct the configuration.

Network Topology
Hosts (192.168.1.0/24) -- G0/0 192.168.1.1/24 -- R1 -- G0/1 10.0.0.1/30 -- 10.0.0.0/30 -- R2

Hints

  • The existing ACL allows all IP traffic; you need to restrict it to HTTP only.
  • Use a wildcard mask of 0.0.0.255 for the source network and 0.0.0.3 for the destination /30 network.
  • Apply the ACL inbound on the interface that receives traffic from the 192.168.1.0/24 network.
A.
ip access-list extended HTTP_ONLY
permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.3 eq 80
interface gigabitEthernet0/0
no ip access-group PERMIT_ALL in
ip access-group HTTP_ONLY in
B.
ip access-list extended HTTP_ONLY
permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.3 eq 80
deny ip any any
interface gigabitEthernet0/0
no ip access-group PERMIT_ALL in
ip access-group HTTP_ONLY in
C.
ip access-list extended HTTP_ONLY
permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.3 eq 80
interface gigabitEthernet0/0
ip access-group HTTP_ONLY in
D.
ip access-list extended HTTP_ONLY
permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.3 eq 80
permit ip any any
interface gigabitEthernet0/0
no ip access-group PERMIT_ALL in
ip access-group HTTP_ONLY in
AnswerA
solution
! R1
configure terminal
ip access-list extended HTTP_ONLY
permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.3 eq 80
exit
interface gigabitEthernet0/0
no ip access-group PERMIT_ALL in
ip access-group HTTP_ONLY in
end

Why this answer

The existing ACL PERMIT_ALL allows all IP traffic, which must be replaced by a new ACL that permits only TCP port 80 (HTTP) from 192.168.1.0/24 to 10.0.0.0/30 and denies everything else. Because the requirement specifies explicit removal of the old ACL, you must first issue 'no ip access-group PERMIT_ALL in' under the interface before applying the new ACL. The extended ACL has an implicit deny at the end, so no separate deny statement is needed.

Therefore, the correct sequence is: create the ACL HTTP_ONLY with the permit statement, enter the interface, remove the old ACL, and apply the new one inbound.

Exam trap

Many learners forget that an explicit 'no ip access-group' command is required if the task demands explicit removal. Simply applying a new ACL over an existing one replaces it, but that does not fulfill a requirement to explicitly remove the old ACL.

Why the other options are wrong

C

Option C applies the new ACL without explicitly removing the old one, which violates the explicit removal requirement.

1148
PBQmedium

You are connected to R1 via the console. R1 is a router that connects to the internet via GigabitEthernet0/0 (198.51.100.1/30) and to the internal network via GigabitEthernet0/1 (10.1.1.1/24). You need to implement a security policy that permits HTTP traffic (port 80) from the internal network to a web server at 10.1.1.100, and denies all other traffic from internal hosts to the internet. The ACL should be named 'INTERNET-FILTER' and applied inbound on GigabitEthernet0/1.

Network Topology
Internal network (Web Server) -- G0/1 10.1.1.1/24 -- R1 -- G0/0 198.51.100.1/30 -- ISP -- Internet

Hints

  • The ACL should be applied to the interface facing the internal network.
  • The permit statement must be before the deny statement.
  • Use the 'eq' keyword to specify port 80.
A.
ip access-list extended INTERNET-FILTER
permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.100 eq 80
deny ip 10.1.1.0 0.0.0.255 any
!
interface GigabitEthernet0/1
ip access-group INTERNET-FILTER in
B.
ip access-list standard INTERNET-FILTER
permit 10.1.1.0 0.0.0.255
!
interface GigabitEthernet0/1
ip access-group INTERNET-FILTER in
C.
ip access-list extended INTERNET-FILTER
permit tcp host 10.1.1.100 10.1.1.0 0.0.0.255 eq 80
deny ip any any
!
interface GigabitEthernet0/1
ip access-group INTERNET-FILTER in
D.
ip access-list extended INTERNET-FILTER
permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.100 eq 80
deny ip any any
!
interface GigabitEthernet0/0
ip access-group INTERNET-FILTER in
AnswerA
solution
! R1
ip access-list extended INTERNET-FILTER
permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.100 eq 80
deny ip 10.1.1.0 0.0.0.255 any
interface GigabitEthernet0/1
ip access-group INTERNET-FILTER in

Why this answer

The named extended ACL filters traffic based on source, destination, and protocol. The permit allows HTTP from internal to the web server. The deny blocks all other internal-to-internet traffic.

Applying it inbound on the internal interface filters traffic as it enters the router.

Exam trap

Watch out for the direction of the ACL application: inbound on the internal interface filters traffic entering the router from the internal network. Also, remember that extended ACLs are needed when filtering by destination or port.

Why the other options are wrong

B

Standard ACLs cannot match destination IP addresses or port numbers; they only match source IP addresses.

C

The ACL entry incorrectly specifies the web server as the source and the internal network as the destination, which is the opposite of the required direction.

D

Applying the ACL inbound on the external interface filters traffic entering from the internet, not traffic from the internal network. The correct placement is inbound on the internal interface.
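The matching rules that questions 1147 and 1148 depend on (wildcard masks, top-down first match, and the implicit deny at the end of every extended ACL) can be checked offline with a small model. The following Python is an added example written for this page; it is not IOS code and not part of the question bank. The `Ace` class, the `evaluate` function and the sample packets are constructed assumptions; the three ACLs are transcribed from option A and option D of question 1147 and option A of question 1148.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of Cisco-style extended ACL evaluation (hypothetical helper written
# for this page, not IOS code): wildcard-mask matching, first match wins, and the
# implicit "deny ip any any" that ends every ACL.


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care, 0 = must match.
    'host X' is wildcard 0.0.0.0; 'any' is 0.0.0.0 255.255.255.255."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF & ~w
    return (a & care) == (b & care)


@dataclass
class Ace:
    """One access-control entry, e.g. permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.3 eq 80."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; "tcp"/"udp" must match exactly
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # None = any destination port (no 'eq' keyword)

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return (wildcard_match(pkt["src"], self.src, self.src_wc)
                and wildcard_match(pkt["dst"], self.dst, self.dst_wc))


def evaluate(acl: list, pkt: dict) -> str:
    """Top-down: the first matching entry decides; no match means implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")

# Question 1147, option A: a single permit, everything else hits the implicit deny.
HTTP_ONLY = [
    Ace("permit", "tcp", "192.168.1.0", "0.0.0.255", "10.0.0.0", "0.0.0.3", 80),
]
# Question 1147, option D: the trailing 'permit ip any any' makes the ACL wide open.
HTTP_ONLY_OPTION_D = HTTP_ONLY + [Ace("permit", "ip", *ANY, *ANY)]
# Question 1148, option A: explicit deny of all other internal-sourced traffic.
INTERNET_FILTER = [
    Ace("permit", "tcp", "10.1.1.0", "0.0.0.255", "10.1.1.100", "0.0.0.0", 80),
    Ace("deny", "ip", "10.1.1.0", "0.0.0.255", *ANY),
]

# Constructed sample packets as they would arrive inbound on the LAN-facing interface.
SAMPLE_PACKETS = {
    "http_to_r2": {"proto": "tcp", "src": "192.168.1.10", "dst": "10.0.0.2", "dport": 80},
    "ssh_to_r2": {"proto": "tcp", "src": "192.168.1.10", "dst": "10.0.0.2", "dport": 22},
    "http_outside_slash30": {"proto": "tcp", "src": "192.168.1.10", "dst": "10.0.0.5", "dport": 80},
    "http_to_webserver": {"proto": "tcp", "src": "10.1.1.50", "dst": "10.1.1.100", "dport": 80},
    "https_to_internet": {"proto": "tcp", "src": "10.1.1.50", "dst": "203.0.113.10", "dport": 443},
}


def decisions(acl: list) -> dict:
    """Verdict of one ACL for every constructed sample packet."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, acl in (("HTTP_ONLY", HTTP_ONLY),
                      ("HTTP_ONLY_OPTION_D", HTTP_ONLY_OPTION_D),
                      ("INTERNET_FILTER", INTERNET_FILTER)):
        print(name)
        for pkt_name, verdict in decisions(acl).items():
            print(f"  {pkt_name:22s} -> {verdict}")
```

Running it shows the point of the exam trap in concrete terms: HTTP_ONLY denies the SSH packet and the packet to 10.0.0.5 (outside the /30) purely through the implicit deny, while HTTP_ONLY_OPTION_D permits every sample packet because the catch-all permit is reached whenever the first line fails to match. INTERNET_FILTER reaches the same result as an implicit deny for internal hosts, but the explicit deny line is what gives you a hit counter for denied traffic in 'show access-lists'.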

1149
MCQmedium

Exhibit: After PAT is configured, inside users can browse the internet, but the engineer wants to verify that translations are actually being created. Which command is the best choice?

A.show access-lists
B.show ip nat translations
C.show ip route
D.debug ip packet detail
AnswerB

This directly displays the current NAT entries.

Why this answer

The NAT translation table shows the inside local and inside global addresses and confirms whether active translations are being built.

Exam trap

A common exam trap is choosing 'show access-lists' or 'show ip route' to verify NAT translations. While ACLs and routing tables are important for network security and path selection, they do not display active NAT translation entries. Another tempting but incorrect choice is 'debug ip packet detail', which provides excessive information and can overwhelm the candidate, making it unsuitable for simple verification.

The correct command, 'show ip nat translations', directly reveals the current NAT table, confirming whether PAT translations are being created and maintained.

Why the other options are wrong

A

'show access-lists' displays the configured ACLs and their hit counts but does not show active NAT translation entries. It cannot confirm whether PAT translations are being created or maintained.

C

'show ip route' shows the routing table with network paths and next hops but does not provide any information about NAT translation sessions or port mappings, making it unsuitable for verifying PAT.

D

'debug ip packet detail' provides detailed packet-level debugging information, which is more intrusive and verbose than necessary for basic NAT verification, and can impact device performance.

1150
Matchingmedium

Match each NAT or address-related term to its most accurate description.


Concepts
Matches

The private address used by the host on the internal network

The address representing the internal host to outside networks

A fixed one-to-one address mapping

A many-to-one translation approach using ports

Why these pairings

Inside local is the private IP address assigned to a host inside the internal network. Inside global is the public IP address that represents that internal host to external networks. Static NAT creates a permanent one-to-one mapping between an inside local and an inside global address.

PAT (Port Address Translation) extends NAT by using port numbers to map multiple inside local addresses to a single inside global address.

Exam trap

The trap is that all options involve IP address translation or special addresses, but only static NAT is a one-to-one manual mapping. Candidates often confuse static NAT with PAT or dynamic NAT, or mistakenly think loopback is a NAT term.

1151
Drag & Dropmedium

Drag and drop the following steps into the correct order to plan, configure, and apply an extended ACL that permits web traffic from the 10.1.1.0/24 network to the server 192.168.2.10 while blocking all other traffic inbound on GigabitEthernet0/1.


Why this order

ACL configuration requires defining the permit/deny statements first, then applying the ACL inbound on the interface, and finally verifying the result.

Exam trap

A common trap is to think that you can apply an ACL to an interface before defining it, or that verification should be done before application. Always remember: define, apply, then verify.

1152
Multi-Selectmedium

Which TWO DHCP snooping trust states are valid on a Cisco switch? (Choose two.)

Select 2 answers
A.Trusted
B.Untrusted
C.Secure
D.Authorized
E.Relay
AnswersA, B

A trusted port is configured using 'ip dhcp snooping trust' and is allowed to forward all DHCP messages, including server responses. This is typically applied to ports connecting to DHCP servers or upstream relay agents.

Why this answer

DHCP snooping is a security feature that filters untrusted DHCP messages on a switch. The only two valid trust states are 'trusted' and 'untrusted'. A trusted port is typically an uplink to a legitimate DHCP server, while an untrusted port is a downstream port where DHCP client messages are expected and server-originated messages are blocked.

Exam trap

Cisco often tests the exact terminology of DHCP snooping trust states, and the trap here is that candidates confuse 'trusted' and 'untrusted' with other security terms like 'secure' or 'authorized' from different features (e.g., port security or 802.1X).

Why the other options are wrong

C

This is a distractor term that does not exist in the DHCP snooping configuration. The correct states are trusted and untrusted.

D

This term is borrowed from other security contexts and is not applicable to DHCP snooping trust states.

E

This confuses the DHCP relay agent feature with DHCP snooping trust states. They are different mechanisms.

1153
MCQhard

Based on the exhibit, why is traffic to 192.168.40.200 using the default route instead of the intended static route?

A.The static route next hop is unreachable or invalid for forwarding.
B.Default routes always override static routes.
C.The destination must be configured as a /16, not a /24.
D.Static routes can be used only if OSPF is disabled.
AnswerA

This is correct because the configured next hop does not appear as a reachable remote path for the route to use.

Why this answer

The intended static route is not being used because the next hop for that static route is not reachable from the current routing table. In practical terms, a route can be configured, but the router still needs a way to resolve and forward to the next-hop address. If that next hop is unreachable, the route may not be installed or usable, so traffic falls back to the default route instead.

This is a realistic troubleshooting pattern because the configuration line alone can look correct until you compare it with actual reachability.

Exam trap

Be cautious of confusing administrative distance with reachability issues. Always verify the next hop's reachability.

Why the other options are wrong

B

This option is incorrect because static routes do not inherently get overridden by default routes; rather, the routing table prioritizes routes based on their specificity and administrative distance.

C

This option is incorrect because the subnet mask of the destination IP does not affect the functionality of static routes in this context; static routes can operate with various subnet masks without being limited to /16 or /24.

D

This option is incorrect because static routes can coexist with dynamic routing protocols like OSPF; they do not require OSPF to be disabled to function properly.

1154
MCQhard

An administrator notices that hosts in VLAN 30 on SW1 cannot communicate with hosts in VLAN 30 on SW2, even though both switches are connected via an 802.1Q trunk. Traffic for VLANs 10 and 20 passes without issues across the same trunk. The trunk is configured to allow all VLANs, and the allowed VLAN list explicitly includes VLAN 30. What is the most likely cause of the problem?

A.The native VLAN is mismatched between SW1 and SW2, and VLAN 30 is the native VLAN on one side.
B.The trunk encapsulation is set to ISL on one switch and 802.1Q on the other.
C.Spanning Tree Protocol has placed VLAN 30 in a blocking state on the trunk link.
D.The switched virtual interface (SVI) for VLAN 30 on SW1 is administratively down.
AnswerA

A native VLAN mismatch causes one switch to send untagged frames for VLAN 30 while the other expects tagged frames, so the receiving switch cannot associate the untagged traffic with VLAN 30, leading to a communication failure only for that VLAN.

Why this answer

The most likely cause is a native VLAN mismatch. When the native VLAN is mismatched on an 802.1Q trunk, traffic for the native VLAN is not tagged, so frames from VLAN 30 on one switch are received as untagged frames on the other switch and placed into the switch's configured native VLAN. If the native VLAN on one side is VLAN 30 and on the other side is a different VLAN (e.g., VLAN 1), the hosts in VLAN 30 cannot communicate because the frames are interpreted as belonging to different VLANs.

Traffic for VLANs 10 and 20 passes because they are not the native VLAN and are properly tagged.

Exam trap

Cisco often tests the native VLAN mismatch scenario by describing a trunk that works for most VLANs but fails for one specific VLAN, leading candidates to incorrectly suspect STP blocking or SVI issues instead of recognizing the native VLAN mismatch.

Why the other options are wrong

B

This would cause a complete trunk failure, not a failure limited to a single VLAN.

C

STP would not randomly block one VLAN on a point-to-point trunk while the rest are forwarding; this is not a typical behavior.

D

Layer 2 switching within the same VLAN does not require an SVI; an SVI is only needed for routing between VLANs or management.
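The mechanism behind the answer to question 1154 (native VLAN frames leave a trunk untagged, and the receiving switch drops untagged frames into its own native VLAN) can be reproduced at the frame level. The following Python is an added example written for this page, not code from the question bank or from any vendor. The frame builder, the `trunk_egress`/`trunk_ingress` functions and the two locally administered MAC addresses are constructed assumptions; the 802.1Q tag layout (EtherType 0x8100 followed by a 16-bit TCI whose low 12 bits are the VID) is the standard one.

```python
import struct

DOT1Q_ETHERTYPE = 0x8100
IPV4_ETHERTYPE = 0x0800

# Constructed sample MAC addresses (locally administered, not real devices).
HOST_A_MAC = bytes.fromhex("020000000001")
HOST_B_MAC = bytes.fromhex("020000000002")


def build_frame(dst_mac: bytes, src_mac: bytes, vid, payload: bytes = b"") -> bytes:
    """Ethernet II frame. vid=None produces an untagged frame; otherwise an 802.1Q
    tag (PCP 0, DEI 0, 12-bit VID) is inserted before the EtherType."""
    frame = dst_mac + src_mac
    if vid is not None:
        tci = vid & 0x0FFF
        frame += struct.pack("!HH", DOT1Q_ETHERTYPE, tci)
    return frame + struct.pack("!H", IPV4_ETHERTYPE) + payload


def trunk_egress(vid: int, native_vlan: int, payload: bytes = b"") -> bytes:
    """Switch sending onto an 802.1Q trunk: frames belonging to the native VLAN
    leave untagged, every other VLAN carries its tag."""
    tag = None if vid == native_vlan else vid
    return build_frame(HOST_B_MAC, HOST_A_MAC, tag, payload)


def trunk_ingress(frame: bytes, native_vlan: int) -> int:
    """Switch receiving from a trunk: read the VID from the tag if one is present,
    otherwise classify the untagged frame into this switch's own native VLAN."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == DOT1Q_ETHERTYPE:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF
    return native_vlan


def vlan_as_seen_by_peer(vid: int, sender_native: int, receiver_native: int) -> int:
    """VLAN the receiving switch assigns to a frame the sender placed in `vid`."""
    return trunk_ingress(trunk_egress(vid, sender_native), receiver_native)


def mismatch_report(sw1_native: int, sw2_native: int, vlans=(10, 20, 30)) -> dict:
    """For each VLAN, True if SW1 -> SW2 traffic keeps its VLAN across the trunk."""
    return {vid: vlan_as_seen_by_peer(vid, sw1_native, sw2_native) == vid
            for vid in vlans}


if __name__ == "__main__":
    # The scenario of the question: VLAN 30 is native on SW1, VLAN 1 on SW2.
    print("SW1 native 30, SW2 native 1 :", mismatch_report(30, 1))
    # After correcting SW2 to match, every VLAN survives the trunk.
    print("SW1 native 30, SW2 native 30:", mismatch_report(30, 30))
```

With SW1's native VLAN at 30 and SW2's at 1, the report shows VLANs 10 and 20 arriving intact while VLAN 30 is reclassified as VLAN 1, which is exactly the single-VLAN failure the question describes. The practical check is 'show interfaces trunk' on both ends to compare the native VLAN column; when CDP is enabled, Cisco switches also log a native VLAN mismatch detected from the neighbor's advertisements.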

1155
Drag & Dropmedium

Drag and drop the following steps into the correct order for an agentic AI system that receives a network intent, decomposes it into sub-tasks, calls tools, validates output, and applies closed-loop remediation.


Why this order

The agentic AI system starts by understanding the intent, then splits it into manageable tasks, invokes tools, checks the outcome, and corrects any issues automatically.

Exam trap

Do not confuse the order of operations: the system must first understand the intent before breaking it down, and validation always comes after execution. Look for the logical flow from input to output.

1156
MCQhard

Exhibit: A switch interface connected to an IP phone and PC is configured as an access port in VLAN 10. The PC works, but the phone does not register. What additional configuration is most likely needed?

A.switchport trunk encapsulation dot1q
B.switchport voice vlan <voice-vlan-id>
C.channel-group 1 mode active
D.ip helper-address on the switchport
AnswerB

Correct choice.

Why this answer

An IP phone commonly requires a voice VLAN so tagged voice traffic is separated from the data VLAN used by the attached PC. Without a voice VLAN, the PC can still work on the access VLAN while the phone fails to register properly.

Exam trap

Don't confuse portfast or trunk mode with the need for a voice VLAN. Focus on the specific requirements of IP phones.

Why the other options are wrong

A

This option is incorrect because the question specifies an access port configuration, which does not require trunk encapsulation. Access ports do not use trunking protocols like dot1q, as they are meant for single VLAN traffic only.

C

This option is wrong because the channel-group command is used for configuring EtherChannel, which is not relevant to the issue of the IP phone not registering on an access port. The problem lies in the VLAN configuration for voice traffic, not in link aggregation.

D

The 'ip helper-address' command is used to forward DHCP requests from clients to a DHCP server, but it does not address the registration issue of the IP phone in this scenario, which is related to VLAN configuration.

1157
MCQhard

Two directly connected routers, R1 and R2, are configured with single-area OSPF in Area 0. The administrator notices that they are not forming a full OSPF neighbor adjacency. The exhibit displays relevant portions of the running configurations. What is the most likely cause of the problem?

A.The network command on R1 does not include the correct subnet mask.
B.R1's passive-interface default prevents OSPF hello packets from being sent on GigabitEthernet0/0.
C.The GigabitEthernet0/0 interface on R2 is administratively down.
D.The routers are configured with different OSPF area IDs.
AnswerB

The passive-interface default command makes all interfaces passive, disabling hello transmission, which is necessary for neighbor adjacency. Without hellos, no adjacency forms.

Why this answer

The passive-interface default command on R1 sets all interfaces to passive by default, which prevents OSPF hello packets from being sent out GigabitEthernet0/0. Without hello packets, R1 cannot discover R2 or form a neighbor adjacency, even though the network command is correctly configured. This is the most likely cause because the exhibit shows R1's configuration includes passive-interface default without a corresponding no passive-interface GigabitEthernet0/0 statement.

Exam trap

Cisco often tests the passive-interface default command as a trap, because candidates may overlook that it applies to all interfaces unless explicitly overridden, leading them to incorrectly focus on network command mismatches or area ID issues.

Why the other options are wrong

A

The network statement is syntactically correct and covers the interface IP address, so it does enable the OSPF process on that interface (subject to the passive-interface setting).

C

The configuration shows 'no shutdown', indicating the interface is enabled. Administrative down would require the 'shutdown' command or lack of 'no shutdown'.

D

The output clearly shows 'area 0' in both routers' OSPF configurations, so area mismatch is not the cause.

1158
MCQhard

A network engineer is troubleshooting intermittent connectivity on an access switch port connected to a server. The output of 'show interfaces gigabitEthernet 1/0/24' shows an increasing number of runts and giants, but no CRC errors. The 'show interfaces status' command indicates the port is in 'err-disabled' state every few hours and must be manually re-enabled. What is the most likely cause of this issue?

A.Duplex mismatch between the switch port and the server NIC
B.Faulty cable or connector causing physical layer errors
C.Incorrect VLAN configuration on the switch port
D.Speed mismatch between the switch port and the server NIC
AnswerB

Runts and giants without CRC errors often indicate physical layer issues like a bad cable, connector, or excessive noise. The cable length at maximum (100 meters) and MDIX off suggest potential signal degradation, leading to intermittent flapping and err-disabled state.

Why this answer

Runts and giants without CRC errors indicate a physical-layer issue that corrupts the frame preamble or interframe gap but not the actual data payload. A faulty cable or connector can cause signal degradation leading to these framing errors. The intermittent err-disabled state is typically triggered by link-flap (repeated link up/down events) caused by the unstable physical connection, not directly by alignment or frame-check error counters.

Exam trap

Cisco often tests the distinction between CRC errors (data corruption) and runts/giants (framing errors) to mislead candidates into thinking duplex mismatch is the cause, but duplex mismatch produces CRC errors and collisions, not runts/giants without CRC errors.

Why the other options are wrong

A

Duplex mismatch would cause CRC errors and late collisions, which are not present in the exhibit.

C

VLAN mismatch does not cause runts or giants; it causes Layer 2 issues like no connectivity.

D

Speed mismatch would prevent the link from coming up or cause CRC errors, but the link is up at 1000 Mb/s.

1159
Matchingmedium

Match each service with the best operational purpose.


Concepts
Matches

Translates hostnames into IP addresses

Automatically assigns host addressing information

Sends event and logging messages to a collector

Monitors and manages devices using managed objects

Why these pairings

DNS resolves hostnames to IP addresses, DHCP automatically assigns IP addressing information, Syslog forwards event and log messages to a central collector, and SNMP monitors and manages network devices using managed objects. Each matching pair reflects the primary function of the service without introducing unrelated protocols.

Exam trap

Avoid confusing DNS with DHCP or other services. DNS resolves names; DHCP assigns IPs. Remember that each service has a unique primary purpose.

1160
PBQhard

You are connected to R1 via console. R1 is a router-on-a-stick connecting VLAN 10 and VLAN 20 on a single link to switch SW1. Currently, hosts in VLAN 10 cannot ping hosts in VLAN 20, and some VLAN 10 hosts report intermittent connectivity. Examine the provided configuration and output, then fix all issues to restore full inter-VLAN routing and stable trunk operation.

Network Topology
R1 G0/0 (trunk) -- G0/1 (trunk) SW1

Hints

  • Check the physical interface configuration on R1 for trunking and native VLAN.
  • Examine R1's global configuration for the 'ip routing' command.
  • Compare the native VLAN on SW1 (99) with R1's subinterface encapsulation.
A.On R1, configure 'ip routing', add subinterface G0/0.99 with 'encapsulation dot1Q 99 native' and an IP address, and ensure G0/0 is not shutdown.
B.On R1, configure 'ip routing' and change the encapsulation on the VLAN 10 subinterface to 'encapsulation dot1Q 10 native'.
C.On R1, configure 'ip routing' and add an IP address to the physical interface GigabitEthernet0/0.
D.On R1, configure 'ip routing' and change the encapsulation on the VLAN 20 subinterface to 'encapsulation dot1Q 20 native'.
AnswerA
solution
! R1
configure terminal
interface GigabitEthernet0/0
no shutdown
interface GigabitEthernet0/0.99
encapsulation dot1Q 99 native
ip address 10.0.0.1 255.255.255.252
exit
ip routing

Why this answer

Three issues prevent inter-VLAN routing and cause intermittent connectivity. First, R1 lacks a subinterface configured for the native VLAN (VLAN 99) with the 'encapsulation dot1Q 99 native' command; this subinterface is needed because SW1 expects the native VLAN to be tagged on the router side for consistency. Second, the global command 'ip routing' is missing, which disables routing between VLANs.

Third, the physical interface GigabitEthernet0/0 might be administratively down; ensure 'no shutdown' is applied. Option A correctly fixes all issues: it adds the native VLAN subinterface, enables routing, and ensures the interface is up. The other options fail because they either misconfigure the native VLAN encapsulation on the wrong subinterface or apply an IP address to the physical interface (which does not support routing on a router-on-a-stick).

Exam trap

Watch for a missing 'ip routing' command in router-on-a-stick scenarios; without it, inter-VLAN routing fails. Also, ensure native VLANs match on both ends of a trunk; a mismatch can cause intermittent connectivity or complete failure for the native VLAN.

Why the other options are wrong

B

The native VLAN must match on both ends; SW1 uses VLAN 99 as native, so R1 must use VLAN 99 as native, not VLAN 10.

C

Router-on-a-stick uses subinterfaces, not the physical interface IP. The physical interface only needs to be up and trunking.

D

The native VLAN must be consistent across the trunk; SW1 uses VLAN 99, so R1 must use VLAN 99 as native.

1161
MCQhard

Exhibit: A client can ping 8.8.8.8 but cannot browse to www.example.com. Which service is most likely failing?

A.NTP
B.DNS
C.DHCP snooping
D.HSRP
AnswerB

Correct choice.

Why this answer

The client has IP connectivity because it can reach 8.8.8.8 directly. The problem appears only when using a hostname, which points to a DNS resolution issue rather than a routing issue.

Exam trap

A frequent exam trap is assuming that successful ping to an IP address means all network services are functioning correctly. Candidates often overlook that ping uses numeric IP addresses and does not test DNS resolution. This leads to the incorrect conclusion that the network is fully operational, causing them to eliminate DNS as a problem.

The trap is reinforced by the presence of other options like DHCP snooping or HSRP, which are unrelated to hostname resolution but may seem plausible. Recognizing that DNS specifically enables hostname-to-IP translation is essential to avoid this mistake.

Why the other options are wrong

A

NTP (Network Time Protocol) synchronizes clocks across devices but does not affect the ability to resolve domain names or browse websites. Since the client can ping an IP address, time synchronization issues are unlikely to cause the browsing failure.

C

DHCP snooping is a security feature that prevents rogue DHCP servers but does not directly impact DNS resolution or hostname-based browsing. The client already has IP connectivity, so DHCP snooping is not the issue.

D

HSRP provides gateway redundancy and failover but does not influence DNS or hostname resolution. Since the client can reach an external IP, the default gateway is functioning, so HSRP failure is unlikely.

1162
MCQhard

Based on the exhibit, what is the strongest explanation for why clients can browse by IP address but not by hostname?

A. Name resolution is failing even though IP connectivity works.
B. The client has the wrong default gateway.
C. The switch trunk native VLAN is wrong.
D. The server must run PPP before hostnames can work.
Answer: A

This is correct because the difference between IP success and hostname failure points to DNS.

Why this answer

The strongest explanation is a DNS failure or DNS configuration problem. In practical terms, successful browsing by IP address shows that the client can already reach the destination over the network path. When the same service fails only by hostname, the issue is much more likely in name resolution than in routing, switching, or raw connectivity.

This is one of the most useful support patterns because it quickly separates path problems from naming problems.

Exam trap

A frequent exam trap is assuming that if hostname resolution fails, the problem must be with routing or VLAN configurations such as the default gateway or switch trunk native VLAN. However, since clients can browse by IP address, these path elements are functioning correctly. Misattributing the failure to routing or VLAN issues wastes time and leads to incorrect answers.

The key mistake is not recognizing that DNS operates at a higher layer and that name resolution failures are distinct from IP connectivity problems.

Why the other options are wrong

B

Option B is incorrect because the client can already reach the server by IP address, proving the default gateway is functioning properly and not the cause of hostname resolution failure.

C

Option C is wrong since a switch trunk native VLAN mismatch would cause broader connectivity issues, not just hostname resolution failures. The symptom is specific to name-based access, not total path failure.

D

Option D is incorrect because PPP is unrelated to DNS or hostname resolution in this context. PPP is a WAN protocol and does not affect LAN-based DNS name resolution.

1163
MCQ (medium)

A small office network uses a single public IP address on its router's WAN interface. The network administrator needs to allow all internal hosts to access the internet, but must also ensure that an internal web server with a private IP address is reachable from the internet. Which NAT configuration should the administrator implement to meet both requirements?

A. Configure dynamic NAT with a pool of public IPs and static NAT for the web server.
B. Configure PAT (overload) for internal hosts and static NAT for the web server.
C. Configure only PAT (overload) for all internal hosts including the web server.
D. Configure static NAT for the web server and use only the public IP for internal hosts.
Answer: B

PAT allows multiple internal hosts to share the single public IP for outbound traffic, while static NAT provides a permanent mapping for inbound traffic to the web server.

Why this answer

Option B is correct because PAT (Port Address Translation), also known as NAT overload, allows multiple internal hosts to share a single public IP address by mapping each session to a unique port number, satisfying the requirement for internet access. Static NAT is then used to create a one-to-one mapping from the public IP (on a specific port) to the private IP of the internal web server, making it reachable from the internet. This combination meets both outbound connectivity for all hosts and inbound access to the web server without needing additional public IPs.

Exam trap

Cisco often tests the misconception that PAT alone can handle inbound traffic. PAT only builds translations for sessions initiated from the inside; an unsolicited inbound connection to the web server is not translated unless a static entry is explicitly configured for it, which is why candidates who miss this incorrectly select option C.

Why the other options are wrong

A

Only one public IP is available, so a pool cannot be created.

C

Inbound access to the web server would not be possible without a static mapping.

D

Internal hosts would not be able to access the internet because they lack public IP assignments.

1164
Matching (medium)

Match each infrastructure service to the operational problem it most directly addresses.



Hosts can reach services by IP but not by hostname

Clients are not receiving IP settings automatically

Device time and log timestamps are inconsistent

Administrators need one place to collect device events

Why these pairings

DNS resolves names; DHCP assigns IPs; NTP syncs time; SNMP monitors devices; Syslog centralizes logs; NetFlow analyzes traffic.

Exam trap

The trap is confusing the roles of DNS and DHCP. Both involve IP addresses, but DNS resolves names, while DHCP assigns addresses. Also, avoid associating DNS with time sync (NTP) or monitoring (SNMP).

1165
MCQ (hard)

A host is physically connected to switch port Gi0/3. The technician runs 'show mac address-table' but does not find the host's MAC address for Gi0/3. The port status shows 'up/up', and the host was connected only a few minutes ago. What should the technician do next?

A. Clear the MAC address table with 'clear mac address-table dynamic' to force immediate relearning.
B. Verify the VLAN assignment on Gi0/3 using 'show vlan brief' or 'show interfaces Gi0/3 switchport'.
C. Check the STP state of Gi0/3 with 'show spanning-tree interface Gi0/3' to ensure it is not blocking.
D. Inspect the ARP cache with 'show ip arp' to check for duplicate IP addresses.
Answer: B

The switch learns MAC addresses per VLAN. If Gi0/3 is in an unexpected VLAN, the MAC address will be learned in that VLAN's table and not visible in the default or expected VLAN view. Checking the VLAN membership directly confirms whether the host is in the correct Layer 2 broadcast domain.

Why this answer

The MAC address table is learned per VLAN. If the port is assigned to a VLAN different from the one the technician expects, the host's MAC will be learned in that different VLAN and may not appear in the output shown. Checking the VLAN membership with 'show vlan' or 'show interfaces switchport' verifies the Layer 2 broadcast domain, which is the most likely reason the MAC is missing from the expected view.

Exam trap

Many candidates think the table entry aged out prematurely and try to clear the MAC address table, but the default aging timer is 300 seconds and the host was just connected. This skips the basic Layer 2 configuration check.

Why the other options are wrong

A

This is a drastic action that does not address a VLAN mismatch; the same symptom would recur.

C

Jumping to STP before confirming basic Layer 2 VLAN membership is not the most efficient next step.

D

This option confuses Layer 2 MAC learning with Layer 3 ARP resolution, and does not help locate the MAC entry in the address table.

1166
MCQ (hard)

Refer to the exhibit. A network engineer is troubleshooting an OSPF adjacency issue between R1 and R2. The output of the show ip ospf neighbor command on R1 shows the neighbor relationship with R2 stuck in the EXSTART/DROTHER state. What is the most likely cause?

A. OSPF network type mismatch between R1 and R2, preventing full adjacency.
B. Duplicate OSPF Router IDs on R1 and R2, causing DBD packet rejection.
C. OSPF authentication mismatch on the link, causing DBD packets to be rejected.
D. MTU mismatch on the link between R1 and R2, causing DBD packets to be dropped.
Answer: D

The EXSTART/DROTHER state in the exhibit indicates that OSPF is stuck in the DBD exchange phase. This is a classic symptom of an MTU mismatch, where one side creates DBD packets larger than the other's MTU, leading to silent drops. The output directly confirms the neighbor is in EXSTART, not EXCHANGE or FULL.

Why this answer

The output specifically shows neighbor 10.0.0.2 in the EXSTART/DROTHER state. This state indicates that the Database Description (DBD) packet exchange phase has not completed. The most common cause for a neighbor to remain stuck in EXSTART is an MTU mismatch on the link, causing DBD packets (which are larger than the MTU) to be silently dropped.

Exam trap

Many candidates incorrectly select authentication mismatch or network type mismatch. However, an authentication mismatch would prevent Hello processing and the neighbor would not appear in the table at all; a network type mismatch would typically result in a 2-WAY/DROTHER state, not EXSTART.

Why the other options are wrong

A

Candidates may confuse adjacency failures with DBD exchange problems, but network type mismatch leads to a different state (2-WAY).

B

Candidates think duplicate Router IDs might cause DBD exchange failure, but duplicate IDs prevent neighbor discovery entirely.

C

Many associate EXSTART with any adjacency issue, but authentication errors prevent the neighbor from being listed at all.

1167
MCQ (hard)

Exhibit: A script sends an API request and receives HTTP status code 401. What does that code indicate?

A. The requested resource was not found
B. The client is not authenticated successfully
C. The server completed the request successfully
D. The server rejected the request because the JSON body was too large
Answer: B

401 Unauthorized points to an authentication problem.

Why this answer

HTTP 401 means the request was not accepted because authentication is required or the provided credentials or token were invalid. In practice, the first thing to check is the token, username, password, or auth header format.

Exam trap

Don't confuse authentication errors with server errors or resource availability issues. Focus on the specific meaning of each HTTP status code.

Why the other options are wrong

A

HTTP status code 401 specifically indicates unauthorized access due to missing or invalid authentication. A 'resource not found' is indicated by 404, not 401.

C

HTTP 401 indicates authentication failure, not successful completion. A 200-level code would indicate success.

D

HTTP 401 indicates authentication failure, not a request entity too large. The '413 Payload Too Large' status code is used when the request body exceeds the server's limit.

1168
PBQ (medium)

You are connected to R1 via console. R1 has three directly connected subnets: 192.168.1.0/24 (G0/0), 192.168.2.0/24 (G0/1), and 192.168.3.0/24 (G0/2). You need to configure a summary route to be advertised to a neighbor via a static route pointing to Null0 to prevent routing loops. The summary should cover all three subnets.

Hints

  • Determine the smallest subnet mask that can summarize the three /24 networks.
  • The summary route should be a single prefix that covers all three subnets.
  • Use Null0 as the next-hop to drop traffic that does not match a more specific route.
A. ip route 192.168.0.0 255.255.252.0 Null0
B. ip route 192.168.1.0 255.255.252.0 Null0
C. ip route 192.168.0.0 255.255.255.0 Null0
D. ip route 192.168.0.0 255.255.254.0 Null0
Answer: A
Solution:
! R1
ip route 192.168.0.0 255.255.252.0 Null0

Why this answer

The three subnets 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24 can be summarized as 192.168.0.0/22, which covers 192.168.0.0 to 192.168.3.255. A static route to Null0 ensures that traffic matching the summary but not a more specific route is dropped, preventing routing loops.

Exam trap

When summarizing, ensure the summary network address is the first address in the block (aligned to the subnet boundary) and the mask is calculated correctly. A common mistake is to start the summary at the first subnet address (192.168.1.0) instead of the network address (192.168.0.0). Also, verify the mask covers all subnets without including extra networks.

Why the other options are wrong

B

The network address is wrong; the summary must start at 192.168.0.0, not 192.168.1.0.

C

The subnet mask /24 is too small; it does not summarize the three subnets.

D

The subnet mask /23 is too specific; it only covers two of the three subnets.

1169
MCQ (medium)

A branch router learns a route to 10.20.30.0/24 from OSPF with metric 30 and also has a static route to the same prefix with an administrative distance of 5. Which route will appear in the routing table?

A. The OSPF route because metric 30 is lower than the static route metric
B. The static route because its administrative distance is lower
C. Both routes with equal preference because they point to the same prefix
D. Neither route until the router performs a full SPF recalculation
Answer: B

Correct choice.

Why this answer

The router installs the static route because administrative distance is compared before metric when two different routing sources advertise the same prefix. OSPF metric matters only against other OSPF choices, not against a lower-AD static route.

Exam trap

A common exam trap is to confuse the OSPF metric with administrative distance and assume the route with the lower metric is preferred. Because the OSPF route shows a metric of 30 while a static route has no comparable metric, candidates may incorrectly select the OSPF route. However, Cisco routers first compare administrative distance, which is a measure of route trustworthiness across different routing sources.

Because the static route has a lower administrative distance (5) than OSPF (110), the static route is preferred and installed in the routing table. Misunderstanding this leads to incorrect route selection and exam errors.

Why the other options are wrong

A

This option is incorrect because metric values are only compared among routes learned from the same routing protocol. The OSPF metric of 30 is irrelevant when compared to a static route, which is a different routing source with a lower administrative distance.

C

This option is incorrect because routers do not install multiple routes to the same prefix from different routing protocols unless they have equal administrative distance and are configured for load balancing. Here, the static route’s lower AD prevents the OSPF route from being installed.

D

This option is incorrect because the router does not delay route installation until a full SPF recalculation. Route selection is immediate based on administrative distance and metric rules. SPF recalculation only affects OSPF route selection, not cross-protocol comparisons.

1170
Drag & Drop (medium)

Drag and drop the following steps into the correct order to sequence NTP stratum hierarchy and configure an IOS-XE NTP client with syslog message processing from event to log server.


Why this order

NTP time flows from lower stratum numbers (most accurate) to higher stratum numbers. The correct order is Stratum 0 (atomic clock) → Stratum 1 (primary server) → Stratum 2 (secondary server). After configuring the NTP client and enabling logging, syslog messages are accurately timestamped with the synchronized time.

Exam trap

Do not confuse the direction of stratum numbers: lower stratum number means higher accuracy. Also, remember that NTP configuration must precede logging to ensure accurate timestamps.

1171
MCQ (medium)

Hosts in VLAN 10 need to communicate with hosts in VLAN 20. What is required for that communication to work?

A. A DHCP server
B. A DNS server
C. A Layer 3 routing function
D. A second access switch
Answer: C

Correct. Layer 3 routing is required.

Why this answer

Traffic between VLANs must be routed. A router or multilayer switch provides the Layer 3 function needed for inter-VLAN communication.

Exam trap

Do not confuse trunk links or access ports with routing functions; they serve different purposes in VLAN configurations.

Why the other options are wrong

A

A DHCP server is not required for communication between VLANs; it only assigns IP addresses to devices within a network. VLAN communication requires routing, which a DHCP server does not provide.

B

A DNS server is not required for VLAN communication, as DNS resolves domain names to IP addresses, which does not facilitate inter-VLAN routing. Communication between VLANs requires Layer 3 routing, not name resolution.

D

A second access switch is not required for VLAN communication; VLANs can communicate through a Layer 3 device such as a router or a Layer 3 switch. The existing switch infrastructure can handle VLANs without needing additional switches.

1172
MCQ (hard)

A multilayer switch must route traffic between VLAN 10 and VLAN 20. Which condition is required for that to happen?

A. SVIs for the VLANs plus Layer 3 routing enabled on the switch
B. All ports in both VLANs configured as trunks
C. A separate OSPF process on every access port
D. Port security disabled on every edge port
Answer: A

This is correct because inter-VLAN routing on a multilayer switch requires routed VLAN interfaces and IP routing capability.

Why this answer

Inter-VLAN routing on a multilayer switch depends on having functional Layer 3 gateway interfaces for the VLANs and routing enabled on the switch. In plain language, the switch needs a routed brain for each VLAN, usually in the form of SVIs, and it must actually be operating as a Layer 3 device rather than only as a pure Layer 2 switch. Without those conditions, traffic may switch inside a VLAN but cannot be routed between different VLANs.

This is a core CCNA design idea because people often assume creating VLANs alone automatically gives them inter-VLAN communication. In reality, VLANs create separation, and routing is what reconnects them under controlled conditions. A trunk between switches can carry VLAN traffic, but it does not itself perform Layer 3 routing between the VLANs. The correct answer is the requirement that makes the switch act as the gateway between VLANs.

Exam trap

Don't confuse trunking with routing; trunk ports carry VLAN traffic but don't route it.

Why the other options are wrong

B

This option is wrong because configuring all ports as trunks does not facilitate inter-VLAN routing; SVIs and Layer 3 routing are necessary for that functionality.

C

This option is wrong because OSPF is a routing protocol used for dynamic routing, and access ports do not participate in routing processes. Routing between VLANs requires SVIs and Layer 3 capabilities, not OSPF on access ports.

D

Port security being disabled on every edge port is not a requirement for routing traffic between VLANs; it pertains to security configurations rather than routing functionality. VLAN routing can occur regardless of port security settings.

1173
MCQ (hard)

A network engineer is troubleshooting a link between two Cisco Catalyst 9300 switches that are connected via a 10GBASE-SR SFP+ module on each end over OM3 multimode fiber. The link is up, but the interface counters show a high number of CRC errors and runts. The engineer runs 'show interfaces Gi1/0/1' and 'show interfaces Gi1/0/1 transceiver details'. What is the most likely cause of the errors?

A. The SFP+ module is faulty and needs replacement.
B. The fiber patch cables are too long, exceeding the 300-meter distance limit for 10GBASE-SR over OM3 fiber.
C. The interface speed is mismatched; the switch interface shows 1000Mb/s but the SFP+ is 10GBASE-SR.
D. The receive optical power is too low, indicating a fiber or connector issue.
Answer: D

The receive power of -15.1 dBm is below the typical receive sensitivity for 10GBASE-SR (about -12.6 dBm). This causes bit errors that appear as CRC errors and runts. The transmit power is normal, so the issue is on the receive side, likely dirty connectors or a damaged fiber.

Why this answer

The high CRC errors and runts on a 10GBASE-SR link over OM3 fiber, combined with the 'show interfaces transceiver details' command, point to a physical-layer issue. Low receive optical power (below the receiver sensitivity threshold) causes bit errors that manifest as CRC errors and runts, even though the link is up. This is the most common cause when the fiber and transceivers are otherwise compatible.

Exam trap

Cisco often tests the misconception that CRC errors always indicate a faulty transceiver or cable length issue, when in reality low optical power from dirty or damaged connectors is a more common and subtle cause on fiber links.

Why the other options are wrong

A

The transceiver diagnostics show no fault flags, and the module is reporting nominal bit rate and other values within range.

B

The distance itself is within spec; the issue is the receive power being too low, not the distance exceeding the limit.

C

This is a configuration mismatch, but it does not directly cause CRC errors. The CRC errors are due to low receive power.

1174
PBQ (hard)

You are connected to R1 via console. The network consists of R1, R2, and a multilayer switch MLS1. R1's GigabitEthernet0/0 connects to MLS1's GigabitEthernet1/0/1 (VLAN 10), and MLS1's GigabitEthernet1/0/2 connects to R2's GigabitEthernet0/0. The goal is to enable IPv6 communication between R1 and R2 across the layer-3 switch. Currently, R1 and R2 cannot ping each other's IPv6 addresses. Configure R1's G0/0 with the IPv6 prefix 2001:db8:1:10::/64 using EUI-64, and R2's G0/0 with static IPv6 address 2001:db8:1:10::2/64. Also ensure MLS1 has IPv6 routing enabled and an IPv6 address on VLAN 10 (2001:db8:1:10::3/64). Troubleshoot and fix any layer-2 or layer-3 issues preventing connectivity.

Network Topology (diagram not reproduced; labels shown: R1 G0/0, MLS1 G1/0/1, MLS1 G1/0/1, R2 G0/0; devices R1, MLS1 (Si), R2)

Hints

  • R1's G0/0 has no IPv6 address configured.
  • The correct command uses the 'eui-64' keyword to generate the interface ID from the MAC.
  • After configuration, R1 should be able to ping the other IPv6 addresses.
A. Configure 'ipv6 address 2001:db8:1:10::/64 eui-64' on R1's G0/0 interface.
B. Enable IPv6 routing on R1 with 'ipv6 unicast-routing'.
C. Configure 'ipv6 address 2001:db8:1:10::1/64' on R1's G0/0 interface (without EUI-64).
D. Change the VLAN on MLS1's G1/0/1 to match R1's VLAN.
Answer: A
Solution:
! R1
interface GigabitEthernet0/0
 ! only the /64 prefix is given; the eui-64 keyword derives the interface ID from the MAC
 ipv6 address 2001:db8:1:10::/64 eui-64
end

Why this answer

R1 has no IPv6 address configured on G0/0. The required prefix is 2001:db8:1:10::/64 using EUI-64, which generates the interface ID from the MAC address. The command 'ipv6 address 2001:db8:1:10::/64 eui-64' must be entered in interface configuration mode.

Additionally, MLS1 has IPv6 routing enabled (as seen by the connected route), but R1's interface is missing the IPv6 address. After configuration, R1 will be able to ping R2 and MLS1. No other changes are needed because R2 and MLS1 are correctly configured.

Exam trap

Do not confuse global IPv6 routing enablement with interface address configuration. The presence of a connected route indicates routing is enabled; the missing piece is the interface address. Also, pay attention to specific requirements like EUI-64.

Why the other options are wrong

B

IPv6 unicast-routing is already enabled; the problem is at the interface level.

C

The requirement specifies EUI-64; omitting it results in a static address that does not match the intended configuration.

D

The VLAN configuration is correct; no change is needed.

1175
PBQ (hard)

You are connected to switch SW1. The network uses Rapid-PVST+ and SW1 has been accidentally configured with a low spanning-tree priority, causing it to become the root bridge for VLAN 10 even though it should not be. Additionally, an edge port connected to a server is repeatedly receiving BPDUs, causing it to go into err-disabled state. Configure SW1 so that it is never the root bridge for VLAN 10, and configure the edge port so that it automatically recovers from err-disabled state after 300 seconds. Finally, verify that SW1 is not the root bridge for VLAN 10.

Network Topology (diagram not reproduced; labels shown: SW1 Gi0/0 to SW2 Gi0/0, SW1 Gi0/1 to Server)

Hints

  • To prevent a switch from becoming root, set its priority to a value higher than the current root's priority (e.g., 32768).
  • The errdisable recovery cause command enables automatic recovery; the interval command sets the timeout.
  • After configuration, verify with 'show spanning-tree vlan 10' that the bridge ID priority is not the lowest.
A. spanning-tree vlan 10 priority 36864; errdisable recovery cause bpduguard; errdisable recovery interval 300; show spanning-tree vlan 10
B. spanning-tree vlan 10 priority 4096; errdisable recovery cause bpduguard; errdisable recovery interval 300; show spanning-tree vlan 10
C. spanning-tree vlan 10 root secondary; errdisable recovery cause bpduguard; errdisable recovery interval 300; show spanning-tree vlan 10
D. spanning-tree vlan 10 priority 32768; errdisable recovery cause all; errdisable recovery interval 300; show spanning-tree vlan 10
Answer: A
Solution:
! SW1
no spanning-tree vlan 10 priority 4096
! 36864 (option A) sits above the default 32768, so SW1 loses the election to any default-priority switch
spanning-tree vlan 10 priority 36864
errdisable recovery cause bpduguard
errdisable recovery interval 300

Why this answer

The issue is that SW1 has the spanning-tree priority for VLAN 10 set to 4096, which makes it the root bridge. To prevent this, you must set the priority higher than the current root bridge's priority (e.g., 32768 or higher). Additionally, the edge port (G0/1) is in err-disabled state because it received a BPDU while PortFast was enabled (BPDU Guard triggered).

To automatically recover from err-disabled, you need to configure errdisable recovery cause bpduguard and set the interval to 300 seconds. After configuration, verify with 'show spanning-tree vlan 10' that SW1 is no longer the root and 'show errdisable recovery' to confirm the recovery settings.

Exam trap

Students often confuse the priority values: a lower priority value makes a switch more likely to become root. To prevent a switch from becoming root, set its priority higher than the current root's. Also, remember that 'root secondary' sets a low priority (28672) and does not prevent root election.

For errdisable recovery, use the specific cause (bpduguard) rather than 'all'.

Why the other options are wrong

B

The priority 4096 is too low and would still result in SW1 being the root bridge.

C

The 'root secondary' command does not prevent the switch from becoming root; it only makes it the backup root.

D

Using 'cause all' is not the best practice; the requirement is to recover from bpduguard specifically.

1176
MCQ (hard)

Refer to the exhibit. A network administrator runs the show vlan brief command on SW2. Interface GigabitEthernet0/2 is intended to be an access port in VLAN 10, but it does not appear in the output. What is the most likely cause?

A. The interface is configured with switchport mode dynamic auto and no trunk has been negotiated, causing it to be hidden.
B. The interface is administratively shut down, and down ports are excluded from the show vlan brief output.
C. The interface is configured as a trunk port and therefore does not appear under any VLAN in show vlan brief.
D. VLAN 10 is not active, so the port assigned to it is not displayed in the listing.
Answer: C

show vlan brief only displays ports that are in access mode. Trunk ports are not included because they belong to all VLANs allowed on the trunk. The output shows VLAN 10 with members Gi0/9–Gi0/11 but not Gi0/2, confirming it is not an access port.

Why this answer

The show vlan brief command lists only access ports that are statically or dynamically assigned to a VLAN. Trunk ports carry traffic for multiple VLANs and are not displayed in this table. The absence of GigabitEthernet0/2, despite VLAN 10 being active and containing other ports, indicates that the interface is likely operating as a trunk port.

Exam trap

Candidates often mistakenly believe that a shutdown interface will not appear in show vlan brief. In reality, an access port assigned to a VLAN appears in the output regardless of its administrative or operational state.

Why the other options are wrong

A

Confusion about how dynamic trunking protocol (DTP) modes interact with VLAN membership display.

B

Misconception that only operational interfaces are shown in VLAN membership tables.

D

Overlooking the explicit 'active' status and port list for VLAN 10 in the output.

1177
PBQ (medium)

You are connected to R1 via the console. R1 is a new router that connects to three subnets: 192.168.1.0/24 (connected to GigabitEthernet0/0), 192.168.2.0/24 (connected to GigabitEthernet0/1), and 192.168.3.0/24 (connected to GigabitEthernet0/2). R1 must be able to ping the loopback0 interface of R2 (192.168.100.1/32) which is reachable via R2's Serial0/0/0 interface (10.0.0.2/30). The link between R1 and R2 is 10.0.0.0/30, with R1's interface being 10.0.0.1/30. No dynamic routing protocols are configured. Configure R1 to reach the loopback address of R2 using a host-specific static route (not a default route).

Network Topology (diagram not reproduced; labels shown: R1 G0/0 192.168.1.1/24, R2 S0/0/0 10.0.0.2/30)

Hints

  • The destination is a single host address.
  • Use the next-hop IP address of R2's serial interface.
  • The command starts with 'ip route'.
A. ip route 192.168.100.1 255.255.255.255 10.0.0.2
B. ip route 192.168.100.0 255.255.255.0 10.0.0.2
C. ip route 192.168.100.1 255.255.255.255 192.168.1.1
D. ip route 0.0.0.0 0.0.0.0 10.0.0.2
Answer: A
Solution:
! R1
ip route 192.168.100.1 255.255.255.255 10.0.0.2

Why this answer

Option A is correct because it configures a host route (mask /32) to destination 192.168.100.1 with next-hop 10.0.0.2, directly matching the loopback address and providing exact reachability. Option B is incorrect because it uses a /24 mask, which does not match the /32 loopback and would cause routing issues. Option C is incorrect because it uses next-hop 192.168.1.1, which is not the directly connected neighbor; packets would be forwarded to a local interface, not across the serial link.

Option D is incorrect because it creates a default route (0.0.0.0/0) rather than the required host-specific route, failing to meet the specific task requirement.

Exam trap

Pay close attention to the prefix length of the destination. The loopback is a /32 host route, so the mask must be 255.255.255.255. Also, ensure the next-hop IP is directly connected to R1.

Why the other options are wrong

B

Uses a /24 mask, which does not match the /32 loopback address, potentially leading to incorrect routing.

C

Uses next-hop 192.168.1.1, which is not directly reachable over the serial link to R2.

D

Creates a default route, which is not a host-specific static route as required.

1178
MCQ (easy)

Which protocol is used to resolve a hostname such as www.example.com into an IP address?

A. DNS
B. DHCP
C. NTP
D. SNMP
Answer: A

DNS maps hostnames to IP addresses.

Why this answer

DNS resolves names to addresses. DHCP hands out addressing parameters, NTP synchronizes time, and SNMP is used for management and monitoring.

Exam trap

A frequent exam trap is mistaking DHCP for DNS because both protocols are essential IP services and often appear together in network configurations. Candidates may incorrectly select DHCP, thinking it resolves hostnames, but DHCP only assigns IP addresses and network parameters, not name resolution. Another trap is confusing NTP or SNMP with DNS due to their roles in network operations; however, NTP synchronizes time and SNMP manages devices, neither resolving hostnames.

Understanding that DNS specifically maps domain names to IP addresses prevents this common mistake.

Why the other options are wrong

B

DHCP is incorrect because it only leases IP addressing information and other network parameters to clients; it does not translate hostnames to IP addresses, which is the core function of DNS.

C

NTP is incorrect as it is used solely for synchronizing clocks across network devices and does not handle any form of hostname or IP address resolution.

D

SNMP is incorrect because it is a protocol for monitoring and managing network devices, not for resolving hostnames or IP addresses.

1179
Multi-Select (medium)

Which two statements accurately describe DNS in normal network operation?

Select 2 answers
A. DNS helps resolve hostnames into IP-related information.
B. DNS makes networks easier for humans to use by allowing names instead of raw IP addresses.
C. DNS dynamically assigns host IP addresses like DHCP.
D. DNS replaces the need for default gateways.
E. DNS is the spanning-tree protocol used on VLAN trunks.
Answers: A, B

This is correct because name resolution is the main purpose of DNS.

Why this answer

DNS helps translate human-friendly names into IP-related information. In plain language, it allows users and applications to work with names instead of memorizing numeric addresses. It also means that a network can change the underlying IP address of a service while keeping the public-facing name the same. DNS is therefore both a usability service and an important abstraction layer.

The wrong answers often confuse DNS with DHCP or routing protocols. The two correct answers are the ones that preserve its role in name resolution and human-friendly network use.

Exam trap

A frequent exam trap is mistaking DNS for DHCP or routing protocols. Some candidates incorrectly believe DNS dynamically assigns IP addresses like DHCP or that it replaces the need for default gateways. This confusion arises because both DNS and DHCP are IP services but serve fundamentally different roles.

DNS strictly resolves hostnames to IP addresses and does not handle IP address allocation or routing decisions. Misinterpreting DNS’s function can lead to selecting incorrect answers that describe DHCP’s role or routing concepts, which do not apply to DNS.

Why the other options are wrong

C

Option C is incorrect because DNS does not assign IP addresses; this is the role of DHCP. Confusing these two services is a common error, but they serve distinct purposes in IP networking.

D

Option D is wrong because DNS does not replace default gateways. Default gateways are necessary for routing traffic between different networks, a function unrelated to DNS name resolution.

E

Option E is incorrect as DNS is unrelated to the Spanning Tree Protocol (STP), which manages Layer 2 loop prevention on VLAN trunks. DNS operates at higher layers for name resolution.

1180
MCQmedium

What problem does DHCP snooping help prevent?

A.Unauthorized DHCP server responses from user-facing ports
B.Layer 3 route loops
C.Trunk encapsulation mismatch
D.Weak SSH ciphers
AnswerA

Correct. This is the main value of DHCP snooping.

Why this answer

DHCP snooping marks interfaces as trusted or untrusted and blocks rogue DHCP server messages arriving on untrusted ports.

Exam trap

A frequent exam trap is selecting options related to Layer 3 routing issues or encryption weaknesses, such as route loops or weak SSH ciphers, when asked about DHCP snooping. Candidates may mistakenly think DHCP snooping prevents routing problems or secures SSH sessions. However, DHCP snooping specifically targets unauthorized DHCP server messages at Layer 2 and does not affect routing protocols or encryption.

Misunderstanding this scope leads to incorrect answers. Remember, DHCP snooping’s primary function is to block rogue DHCP servers on untrusted ports, not to solve routing or encryption problems.

Why the other options are wrong

B

Incorrect. Layer 3 route loops are routing protocol issues and are not addressed by DHCP snooping, which operates at Layer 2 for DHCP message validation.

C

Incorrect. Trunk encapsulation mismatches relate to VLAN tagging and trunk negotiation, which DHCP snooping does not influence or prevent.

D

Incorrect. Weak SSH ciphers pertain to encryption security and have no connection to DHCP snooping, which focuses solely on DHCP message filtering.

1181
PBQhard

You are connected to the console of R1. The network administrator reports that hosts in VLAN 10 cannot reach the server at 192.168.1.100. R1 is the default gateway for VLAN 10 via subinterface G0/0.10. The link between R1 and the switch SW1 appears to be up, but pings fail. Your task is to identify and resolve the issue.

Network Topology
[Topology diagram] R1 (G0/0.10, 192.168.10.1/24) - G0/1 trunk - G0/1 SW1 - access port VLAN 10 - PC1

Hints

  • Check the interface status and error counters on the link.
  • Auto-negotiation might have failed; try manually setting speed and duplex.
  • The trunk link must be operational for inter-VLAN routing.
A.Check the interface status on R1's G0/0.10 subinterface; it may be administratively down.
B.Verify that the VLAN 10 SVI on SW1 has an IP address in the correct subnet.
C.Check the duplex and speed settings on the physical interface G0/0 of R1 and the corresponding switchport on SW1; they may be mismatched.
D.Ensure that the native VLAN on the trunk between R1 and SW1 is VLAN 1.
AnswerC
solution
! R1
interface GigabitEthernet0/0
duplex full
speed 100
no shutdown

! SW1
interface GigabitEthernet0/1
duplex full
speed 100
no shutdown

Why this answer

The link between R1 and SW1 had mismatched duplex/speed settings because auto-negotiation failed, causing excessive CRC errors and packet loss. Manually setting both sides to 100/full resolves the issue.

Exam trap

Do not assume that a link showing 'up/up' means error-free communication. Always check for CRC errors and duplex mismatches when pings fail despite the interface being up. Subinterfaces depend on the physical interface; troubleshoot the physical layer first.

Why the other options are wrong

A

The specific factual error is that subinterfaces do not have an independent line protocol state; they depend on the physical interface. The problem is likely a physical layer issue like duplex mismatch.

B

The specific factual error is that the SVI is not involved in this scenario; the router's subinterface handles routing for VLAN 10. The link between R1 and SW1 is the bottleneck.

D

The specific factual error is that native VLAN mismatch causes different symptoms (e.g., CDP/STP issues) and does not cause line protocol down or CRC errors.

1182
MCQhard

Users on the inside network can browse the web, but the company now needs an internal web server at 192.168.10.50 to be reachable consistently from outside using one public IP address. Which design is most appropriate?

A.Use static NAT for the server and continue using PAT for user outbound access.
B.Use PAT only for everything, including the published server.
C.Disable NAT because private IPv4 addresses are Internet-routable.
D.Use DHCP relay for the server to make it reachable from outside.
AnswerA

This is correct because static NAT provides a stable public mapping for the server, while PAT still supports many outbound users.

Why this answer

The best design is static NAT for the server while continuing to use PAT for general user outbound traffic. In plain language, user browsing and server publishing are two different requirements. PAT is great for letting many inside users share one public address for outbound access. But a server that outside clients must find reliably needs a fixed one-to-one public identity. That is exactly what static NAT provides.

This is an important design distinction. PAT solves address conservation for many clients. Static NAT solves predictability for inbound access to a specific internal system. The strongest answer is the one that uses each NAT method for the job it fits best.

Exam trap

A common exam trap is selecting PAT for both outbound and inbound traffic, mistakenly believing PAT can provide a stable public IP for a server. PAT dynamically assigns ports for outbound sessions but does not guarantee a fixed public IP and port combination for inbound connections. This leads to unpredictable external access to the internal server, which fails the requirement for consistent reachability.

Another trap is disabling NAT entirely, which ignores that private IPv4 addresses are not routable on the public Internet, making the server unreachable externally. Misunderstanding DHCP relay as a solution for public reachability is also a frequent error, as DHCP relay only forwards DHCP requests and does not affect NAT or routing.

Why the other options are wrong

B

Option B is incorrect because using PAT alone cannot guarantee a fixed public IP and port for the internal server. PAT dynamically assigns ports for outbound sessions, which prevents predictable inbound access to the server from outside.

C

Option C is incorrect because private IPv4 addresses are not routable on the public Internet. Disabling NAT would make the internal server unreachable externally, violating the requirement for consistent outside access.

D

Option D is incorrect because DHCP relay only forwards DHCP requests between clients and servers and does not affect NAT or the server's public reachability. It does not solve the problem of making the internal web server accessible from outside.

1183
MCQmedium

A show ip nat translations command displays this entry: Inside global 203.0.113.10:30001 Inside local 192.168.10.25:51514 Outside local 198.51.100.20:443 Outside global 198.51.100.20:443 Which statement is correct?

A.192.168.10.25 is the inside local address of the host
B.203.0.113.10 is the inside local address of the host
C.198.51.100.20 is the translated private address of the internal client
D.The entry proves static NAT is being used without port translation
AnswerA

Correct. 192.168.10.25 is the real private address of the inside host.

Why this answer

Inside local is the actual address assigned to the inside host before translation. The inside global address is the public representation used after NAT, and the port values show PAT is in use.

Exam trap

Be careful not to confuse inside local with inside global addresses, and understand the difference between local and global in NAT terminology.

Why the other options are wrong

B

This option is wrong because 203.0.113.10 is the inside global address, not the inside local address. The inside local address is 192.168.10.25, which is correctly identified in option A.

C

This option is incorrect because 198.51.100.20 is the outside local address, not a translated private address. The inside local address is specifically 192.168.10.25, as indicated in the NAT translation entry.

D

This option is incorrect because the entry shows that 203.0.113.10 is the inside global address, not the inside local address. The inside local address is 192.168.10.25, which is correctly identified in option A.

1184
MCQhard

A network engineer is troubleshooting connectivity between two hosts in different VLANs on the same switch. Host A in VLAN 10 (10.10.10.5/24) cannot ping Host B in VLAN 20 (10.10.20.5/24). The switch is configured as a router-on-a-stick with a trunk port to an external router. The trunk port is up/up, but inter-VLAN routing fails. What is the most likely cause?

A.The trunk port is not in trunking mode; it is in dynamic desirable mode.
B.The native VLAN on the switch trunk is VLAN 1, but the router subinterface for VLAN 1 is not configured with the 'native' keyword or is missing.
C.The VLANs are not allowed on the trunk; the allowed VLAN list is missing VLAN 10 and 20.
D.The switch ports Gi0/4 and Gi0/5 are in access mode but not assigned to the correct VLANs.
AnswerC

When an allowed VLAN list on a trunk is configured and does not include VLAN 10 and VLAN 20, all tagged frames from those VLANs are dropped, causing inter-VLAN routing failure even though the trunk is up/up.

Why this answer

The most likely cause is that the allowed VLAN list on the trunk is missing VLAN 10 and 20. Even though the trunk port is up/up, if the switch's allowed VLAN list has been restricted (for example, using the switchport trunk allowed vlan command) and does not include those VLANs, all frames tagged with VLAN 10 or 20 will be discarded at the trunk. This directly prevents inter-VLAN routing despite the trunk being operational, whereas a native VLAN mismatch only affects untagged traffic and would not impact the tagged frames between the two hosts.

Exam trap

A common trap is assuming an up/up trunk automatically passes traffic for all VLANs, overlooking that the allowed VLAN list can be manually pruned and must include every VLAN that needs to traverse the trunk.

Why the other options are wrong

A

Dynamic desirable mode can still form a trunk if the other side is willing; the trunk is already up/up, so the port mode is not the issue.

B

A native VLAN mismatch or missing native subinterface only affects untagged frames; the hosts in VLAN 10 and VLAN 20 send tagged traffic, so this would not break their routing.

D

The hosts' access port configurations would prevent intra-VLAN communication if misassigned, but the question describes an inter-VLAN routing failure through the trunk, not a problem with the access ports themselves.

1185
MCQhard

Which summary route best represents these four networks? 10.20.0.0/24 10.20.1.0/24 10.20.2.0/24 10.20.3.0/24

A.10.20.0.0/22
B.10.20.0.0/23
C.10.20.0.0/24
D.10.20.0.0/21
AnswerA

Correct. /22 is the smallest summary that covers exactly those four /24 networks.

Why this answer

Four contiguous /24 networks starting at 10.20.0.0 summarize cleanly into 10.20.0.0/22. That block covers 10.20.0.0 through 10.20.3.255.

Exam trap

Be careful to calculate the correct subnet mask that covers all given networks without including unnecessary additional ranges.

Why the other options are wrong

B

Option B, 10.20.0.0/23, is incorrect because it only encompasses two of the four specified networks (10.20.0.0/24 and 10.20.1.0/24), failing to include the other two networks (10.20.2.0/24 and 10.20.3.0/24).

C

Option C is incorrect because it only summarizes a single network (10.20.0.0/24) and does not encompass the other three networks (10.20.1.0/24, 10.20.2.0/24, 10.20.3.0/24) that need to be included in the summary route.

D

Option D (10.20.0.0/21) is incorrect because it encompasses a larger range of addresses than required, including networks that are not part of the specified four networks, which are only within the /24 range of 10.20.0.0 to 10.20.3.0.

1186
MCQhard

A user on a wireless guest network can associate successfully, obtains an IP address, but cannot reach the Internet. Which troubleshooting area should be examined first if the WLAN itself is working?

A.The post-association forwarding or policy path, such as guest routing or Internet access policy
B.The SSID broadcast name, because it must be wrong
C.The AP radio antenna type only
D.OSPFv3 area configuration on the laptop
AnswerA

This is correct because WLAN join and IP assignment have already succeeded.

Why this answer

If association and addressing are already successful, the first area to examine is the forwarding or policy path beyond simple WLAN join behavior. In practical terms, the client has passed the discovery, authentication, and addressing stages. The problem is now more likely to involve routing, gateway reachability, NAT, firewall policy, or guest-access restrictions rather than the SSID itself.

This question is about understanding which stage of the workflow has already succeeded.

Exam trap

Avoid assuming issues with association or IP assignment when these steps have already succeeded.

Why the other options are wrong

B

The SSID broadcast name is not relevant in this scenario because the user has already associated successfully and obtained an IP address, indicating that the SSID is correct and functioning.

C

The AP radio antenna type does not directly impact a user's ability to obtain an IP address or reach the Internet after successful association. This option is irrelevant since the user is already connected to the network.

D

OSPFv3 area configuration is related to routing protocols and is not directly relevant to a user's inability to access the Internet on a guest network after successfully associating. The issue is likely related to network policies or forwarding paths rather than routing configurations on the user's device.

1187
MCQhard

A DHCP client on VLAN 30 is not receiving an IP address from a DHCP server (10.99.99.20) on another subnet. The SVI for VLAN 30 is configured with an IP address and is up, but the DHCP relay command is missing. Which command should be added to the SVI configuration?

A.ip directed-broadcast
B.ip helper-address 10.99.99.20
C.service dhcp-server 10.99.99.20
D.default-router 10.99.99.20
AnswerB

The helper address forwards DHCP broadcasts as unicast to the server.

Why this answer

DHCP Discover messages are broadcasts and do not cross routers by default. On an SVI or routed interface facing the clients, an ip helper-address relays those broadcasts to the DHCP server on another subnet.

Exam trap

A frequent exam trap is selecting ip directed-broadcast or default-router as the solution for DHCP relay issues. ip directed-broadcast only enables forwarding of directed broadcasts but does not relay DHCP requests to servers on other subnets. default-router is a DHCP pool parameter that assigns a gateway to clients but does not affect how DHCP broadcasts are forwarded. Another trap is assuming service dhcp-server is an interface command for relay, which it is not. These distractors test your understanding of DHCP relay mechanisms and Cisco IOS command usage.

Why the other options are wrong

A

The ip directed-broadcast command enables forwarding of directed broadcasts but does not relay DHCP requests. It is unrelated to DHCP relay and will not solve the problem of clients not receiving addresses from a remote DHCP server.

C

service dhcp-server is not a valid Cisco IOS interface command for DHCP relay. It does not configure the router to forward DHCP broadcasts and thus will not resolve the issue.

D

default-router is a DHCP pool parameter used to assign the default gateway IP address to clients. It does not configure the interface to relay DHCP broadcasts and is not relevant to the relay configuration.

1188
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure PortFast and BPDU Guard on a Cisco switch interface, then recover after a BPDU violation.


Why this order

First enable PortFast to allow immediate transition to forwarding, then enable BPDU Guard to protect against BPDU reception. Recovery steps are configured last to automatically restore the port after a violation.

Exam trap

Do not confuse the order: PortFast must come before BPDU Guard. Also, recovery is configured last, not first. Remember that BPDU Guard requires PortFast to be enabled on the interface.

1189
Multi-Selectmedium

Which TWO of the following statements correctly describe REST API operations?

Select 2 answers
A.The HTTP PUT method is used to retrieve a resource representation.
B.JSON is the only data format supported by REST APIs.
C.API keys and OAuth tokens are common methods for authenticating REST API requests.
D.The HTTP DELETE method corresponds to the Update operation in CRUD.
E.REST APIs commonly use HTTP status codes to indicate the result of a request.
AnswersC, E

Authentication in REST APIs frequently uses API keys (sent in headers or query parameters) or token-based schemes like OAuth2 to verify client identity.

Why this answer

Option C is correct because REST APIs commonly use API keys and OAuth tokens for authentication. API keys are simple, static tokens passed in headers or query strings, while OAuth 2.0 provides token-based authorization with scoped access, both widely supported in RESTful services for securing endpoints.

Exam trap

Cisco often tests the mapping of HTTP methods to CRUD operations, where candidates confuse PUT (Update) with GET (Read) or DELETE (Delete) with Update, and assume JSON exclusivity despite REST's format-agnostic design.

Why the other options are wrong

A

Retrieval is performed by the GET method, not PUT.

B

JSON is popular but not exclusive; XML is widely used, and many REST implementations support both.

D

DELETE is used to remove a resource, which maps to the Delete operation, not Update.

1190
MCQmedium

A network engineer must summarize the following routes before advertising them upstream: 172.16.32.0/24 172.16.33.0/24 172.16.34.0/24 172.16.35.0/24 Which summary route should be used?

A.172.16.32.0/22
B.172.16.32.0/23
C.172.16.32.0/21
D.172.16.34.0/22
AnswerA

Correct. A /22 beginning at 172.16.32.0 cleanly includes 172.16.32.0 through 172.16.35.255, which matches the four listed /24 networks exactly.

Why this answer

The correct summary is 172.16.32.0/22 because a /22 covers exactly four consecutive /24 networks when the starting boundary is aligned correctly. This is the part many people miss: summarization is not only about how many networks fit into a block, but also where that block starts. Here the four /24 networks begin neatly at 172.16.32.0 and continue through 172.16.35.255, which is the exact range a /22 covers.

A /23 would be too small, while a /21 would be unnecessarily broad and could advertise addresses you do not intend to include. The /22 beginning at 172.16.34.0 is not on a valid /22 boundary, so that option is misaligned.

Exam trap

Ensure the summary route starts on the correct boundary and covers exactly the intended range without including extra networks.

Why the other options are wrong

B

Option B, 172.16.32.0/23, is incorrect because it only summarizes two of the four provided routes (172.16.32.0/24 and 172.16.33.0/24), failing to include the other two routes (172.16.34.0/24 and 172.16.35.0/24).

C

Option C (172.16.32.0/21) includes a broader range of addresses than necessary, covering 172.16.32.0 to 172.16.39.255, which exceeds the specified routes and could lead to incorrect routing information being advertised.

D

Option D is incorrect because the summary route 172.16.34.0/22 would only cover the addresses from 172.16.34.0 to 172.16.35.255, missing the routes 172.16.32.0/24 and 172.16.33.0/24.

1191
MCQhard

Users on the inside network can browse the Internet through PAT, but an internal web server must now be reachable from outside on a predictable public IP. Which change best fits the requirement?

A.Add static NAT for the server and continue using PAT for user browsing.
B.Replace PAT entirely with DHCP relay.
C.Disable NAT because the server already has a private address.
D.Move the server into the native VLAN.
AnswerA

This is correct because static NAT gives the server a stable public identity while PAT still serves outbound users.

Why this answer

The best change is to add a static NAT mapping for the internal web server while keeping PAT in place for ordinary users. In practical terms, PAT is excellent for many internal clients sharing one public address for outbound traffic, but it does not give an internal server the stable one-to-one public identity that outside clients expect for predictable inbound access.

This is a standard NAT design distinction. User browsing and published server access are different requirements, and the best design often uses PAT for one and static NAT for the other.

Exam trap

A frequent exam trap is selecting DHCP relay or VLAN changes as solutions for making an internal server reachable from outside. DHCP relay only forwards DHCP requests across subnets and does not provide any public IP mapping or NAT functionality. Similarly, moving a server into the native VLAN does not affect its public IP address or NAT translation.

Another common mistake is disabling NAT entirely, which breaks Internet connectivity because private IP addresses cannot be routed on the public Internet. Understanding that static NAT is required for predictable inbound access while PAT supports outbound user browsing is critical to avoid these traps.

Why the other options are wrong

B

Incorrect because DHCP relay only forwards DHCP requests and does not provide any mechanism for publishing an internal server to the Internet or managing NAT translations.

C

Incorrect because disabling NAT leaves the internal server with a private IP address that is not routable on the Internet, making it unreachable from outside networks.

D

Incorrect because moving the server into the native VLAN affects only Layer 2 segmentation and does not provide a public IP address or NAT translation necessary for Internet access.

1192
MCQeasy

Which term describes a string or credential passed to an API to prove the client is allowed to access a resource?

A.Metric
B.Token
C.Lease
D.Tuple
AnswerB

That is the authorization credential described.

Why this answer

A token is commonly used for API authorization. It is often included in an HTTP header and lets the server verify the caller has permission.

Exam trap

A common exam trap is mistaking the term 'token' for other networking terms such as 'metric,' 'lease,' or 'tuple.' Candidates might confuse 'metric' as a general value related to network performance or 'lease' as a temporary credential, but these terms do not relate to API authorization. Another trap is assuming that any credential passed to an API is called a 'lease' or 'tuple,' which are unrelated concepts. Recognizing that a token specifically serves as an authorization credential passed to prove client access rights is critical to avoid this confusion.

Why the other options are wrong

A

Metric is a routing concept representing route cost and does not relate to API access or authorization credentials, so it is incorrect.

C

Lease refers to DHCP IP address assignment duration and is unrelated to API credentials or authorization, making it incorrect.

D

Tuple is a data structure term and does not describe any form of authorization credential for API access, so it is incorrect.

1193
MCQmedium

On an 802.1Q trunk, which VLAN is sent untagged by default on many Cisco switches unless changed?

A.VLAN 10
B.VLAN 20
C.VLAN 1
D.The highest configured VLAN
AnswerC

Correct. VLAN 1 is the default native VLAN on many platforms.

Why this answer

On many Cisco platforms, VLAN 1 is the default native VLAN. Native VLAN traffic is sent untagged unless the native VLAN is changed.

Exam trap

Be cautious not to confuse commonly used VLANs in practice with the default native VLAN set by Cisco.

Why the other options are wrong

A

VLAN 10 is not the default untagged VLAN on Cisco switches; instead, VLAN 1 is typically used for this purpose unless configured otherwise. Therefore, selecting VLAN 10 would be incorrect in the context of the question.

B

VLAN 20 is not the default untagged VLAN on Cisco switches; instead, VLAN 1 is typically sent untagged on 802.1Q trunks unless configured otherwise. Therefore, selecting VLAN 20 does not align with the standard behavior of Cisco switch configurations.

D

This option is incorrect because the default untagged VLAN on many Cisco switches is VLAN 1, not the highest configured VLAN. The highest configured VLAN can vary based on the network setup and does not have a default status in this context.

1194
Matchingmedium

Drag and drop the cable or transceiver types on the left to the corresponding distance limits or characteristics on the right.


100 meters (328 ft) at 1 Gbps

400 meters (1312 ft) at 10 Gbps

10 kilometers (6.2 miles) at 10 Gbps

100 meters (328 ft) at 10 Gbps

5 kilometers (3.1 miles) over single-mode fiber

Why these pairings

These pairings match common Ethernet cable and transceiver types to their standard maximum distances. Cat5e UTP (1000BASE-T) and Cat6a UTP (10GBASE-T) both support 100 meters at their respective speeds, limited by copper signal attenuation. Multimode fiber with SFP+ SR (10GBASE-SR) distance depends on fiber grade: 300 meters on OM3, 400 meters on OM4; the CCNA often uses 300 meters, but 400 meters is valid for OM4.

Single-mode fiber with SFP+ LR (10GBASE-LR) supports 10 kilometers, using longer wavelength lasers. SFP (1000BASE-LX) over single-mode fiber reaches 5 kilometers, a standard distance for Gigabit Ethernet over SMF.

Exam trap

Be mindful that fiber distances vary by cable grade—CCNA often tests 300 m for 10GBASE-SR over OM3, not 400 m—and distinguish IEEE standards from vendor-specific claims; also note that 1000BASE-LX can reach 5 km over single-mode but only 550 m over multimode.

1195
Multi-Selectmedium

Which TWO statements correctly describe IPv4 and IPv6 host configuration?

Select 2 answers
A.APIPA assigns an IPv4 address in the 169.254.0.0/16 range when a DHCP server is unavailable.
B.IPv6 link-local addresses are always assigned using EUI-64 and start with FE80::/10.
C.EUI-64 is used to generate the network prefix of an IPv6 address from the interface's MAC address.
D.A host can have only one default gateway configured at a time for both IPv4 and IPv6.
E.The ipconfig command on Windows can display both IPv4 and IPv6 addresses, subnet masks, default gateways, and DNS servers.
AnswersA, E

APIPA (Automatic Private IP Addressing) automatically assigns an address from 169.254.0.0/16 when DHCP fails, allowing local communication without a DHCP server.

Why this answer

Option A is correct because APIPA (Automatic Private IP Addressing) automatically assigns an IPv4 address from the 169.254.0.0/16 range when a DHCP server is unavailable, enabling local subnet communication without manual configuration. Option E is correct because the ipconfig command on Windows displays both IPv4 and IPv6 addresses, subnet masks, default gateways, and DNS servers. Option B is incorrect because while IPv6 link-local addresses start with FE80::/10, they are not always assigned using EUI-64; they can also be randomly generated (privacy extensions) or manually configured.

Option C is incorrect because EUI-64 generates the interface identifier (host portion) of an IPv6 address from the MAC address, not the network prefix — the prefix is provided via SLAAC, DHCPv6, or manual configuration. Option D is incorrect because a host can have multiple default gateways configured for redundancy, though only one is active at a time per routing table; additionally, IPv4 and IPv6 default gateways are independent and can coexist.

Exam trap

Cisco often tests the misconception that EUI-64 generates the network prefix of an IPv6 address, when in fact it generates only the interface identifier (host portion), while the network prefix is assigned via SLAAC, DHCPv6, or manual configuration.

Why the other options are wrong

B

The statement incorrectly claims that link-local addresses are always assigned using EUI-64.

C

The statement confuses the role of EUI-64; it creates the interface ID, not the network prefix.

D

The statement is too restrictive; multiple default gateways can be configured, especially in multi-homed hosts.

1196
PBQmedium

You are connected to R1 via the console. R1's GigabitEthernet0/0 (10.0.0.1/30) connects to the ISP. GigabitEthernet0/1 (192.168.1.1/24) connects to the internal LAN. The network has an NTP server at 192.168.1.200. R1 must be configured as an NTP client to synchronize its time with the server. Additionally, R1 should serve as an NTP server for internal devices on the LAN with a stratum of 5 to maintain proper hierarchy. The time zone is UTC. No NTP configuration exists. Configure NTP on R1 as specified.

Network Topology
[Topology diagram] ISP - WAN - G0/0 (10.0.0.1/30) R1 G0/1 (192.168.1.1/24) - LAN - NTP Server 192.168.1.200

Hints

  • The ntp server command configures the router as a client.
  • The ntp master command enables the router to act as a server for other devices.
  • Time zone should be set before NTP synchronization.
A.R1(config)# ntp server 192.168.1.200 R1(config)# ntp master 5 R1(config)# clock timezone UTC 0
B.R1(config)# ntp server 192.168.1.200 R1(config)# ntp master R1(config)# clock timezone UTC 0
C.R1(config)# ntp server 192.168.1.200 R1(config)# ntp master 5 R1(config)# clock timezone EST 5
D.R1(config)# ntp server 10.0.0.2 R1(config)# ntp master 5 R1(config)# clock timezone UTC 0
AnswerA
solution
! R1
clock timezone UTC 0
ntp server 192.168.1.200
ntp master 5

Why this answer

Option A correctly configures R1 as an NTP client pointing to the NTP server at 192.168.1.200, enables R1 to serve time to LAN devices using `ntp master 5` which sets the required stratum to 5, and sets the accurate UTC time zone. Option B fails because `ntp master` without a stratum number defaults to stratum 8, which does not satisfy the explicit stratum 5 requirement. Option C uses an incorrect time zone (EST) instead of the required UTC.

Option D points to an IP (10.0.0.2) that is not the NTP server—the correct server is at 192.168.1.200.

Exam trap

Watch for forgetting to specify the stratum number when the `ntp master` command is required; without it, the router defaults to stratum 8, which may not meet design requirements.

Why the other options are wrong

B

Uses `ntp master` without a stratum number, defaulting to stratum 8 instead of the required stratum 5.

C

Sets the wrong time zone (EST) instead of UTC.

D

Points to the ISP IP 10.0.0.2 instead of the actual NTP server at 192.168.1.200.

1197
Multi-Selectmedium

Which TWO statements about IPv4 and IPv6 ACLs are true?

Select 2 answers
A.Standard IPv4 ACLs use numbers in the range 100-199.
B.Extended IPv4 ACLs should be placed as close to the source as possible to minimize unnecessary traffic on the network.
C.IPv6 ACLs are always named and can filter traffic based on source and destination IPv6 addresses, as well as protocol types.
D.Standard IPv4 ACLs filter only the source IP address and are best placed close to the source to be most effective.
E.Numbered ACLs allow individual access control entries (ACEs) to be deleted without removing the entire ACL.
AnswersB, C

Extended ACLs can match traffic with great specificity (source, destination, protocol, ports). Placing them near the source drops unwanted packets early, saving bandwidth and processing on downstream devices.

Why this answer

Option B is correct because extended IPv4 ACLs filter on source and destination IP addresses, ports, and protocols, so placing them as close to the source as possible prevents unwanted traffic from traversing the network, reducing bandwidth waste and security risks. This is a best practice for extended ACLs, unlike standard ACLs which should be placed close to the destination.

Exam trap

Cisco often tests the placement rule reversal—candidates confuse standard ACL placement (close to destination) with extended ACL placement (close to source), or mix up the number ranges for standard vs. extended ACLs.

Why the other options are wrong

A

The number range 100–199 is used for extended ACLs, not standard ones.

D

The placement advice is reversed: standard ACLs belong near the destination, not the source.

E

This is a common misconception; the ability to delete individual ACEs is a feature of named ACLs, not numbered ones.

1198
MCQhard

A company wants a server on the inside network to be reachable consistently from outside using one known public IP address. Which NAT approach best fits that goal?

A.Static NAT
B.PAT overload only
C.No NAT at all, because private IPv4 addresses are Internet-routable
D.DHCP relay
AnswerA

This is correct because static NAT provides a permanent one-to-one mapping suitable for a reachable internal server.

Why this answer

Static NAT best fits that goal because it creates a fixed, predictable one-to-one mapping between the internal server and a public address. In plain language, outside systems always know which public IP represents that server. This predictability is exactly what is needed when a service must be reachable consistently from the outside.

PAT is better suited for many outbound clients sharing one address, not for presenting one inside server with a permanent public identity. Dynamic NAT from a pool can also vary depending on design. The correct answer is the one that provides the most stable and direct one-to-one mapping.

Exam trap

A frequent exam trap is selecting PAT overload as the solution for making an internal server reachable from outside. PAT is designed for multiple internal clients to share a single public IP for outbound connections, not for providing a fixed public IP to a server. Another common mistake is thinking private IP addresses can be accessed directly from the Internet without NAT, which is incorrect because private IPs are non-routable externally.

Misunderstanding DHCP relay as related to NAT or public reachability is also a trap; DHCP relay only forwards DHCP requests and does not affect NAT mappings or external accessibility.

Why the other options are wrong

B

PAT overload is incorrect because it is designed for many internal clients sharing a single public IP for outbound traffic, not for providing a fixed public IP to a server.

C

No NAT is incorrect since private IPv4 addresses are not routable on the Internet and require NAT to be accessible externally.

D

DHCP relay is unrelated to NAT or public reachability; it only forwards DHCP requests and does not affect how internal servers are accessed from outside.

1199
MCQhard

R1 learns three OSPF routes to different destinations:

O 10.10.10.0/24
O IA 10.20.20.0/24
O E2 10.30.30.0/24

Which statement is correct about these route types?

A.O IA is an external route redistributed from another routing protocol.
B.O E2 is an OSPF external type 2 route.
C.O means the route was learned through EIGRP.
D.All three routes were learned from the same OSPF area type.
AnswerB

That is exactly what the code means.

Why this answer

An O route is intra-area, O IA is interarea, and O E2 is an external type 2 route redistributed into OSPF. The codes describe route origin, not just preference. CCNA expects you to identify them quickly when reading the routing table.

Exam trap

A frequent exam trap is confusing the OSPF route codes, especially mistaking 'O IA' (inter-area) for an external route redistributed from another protocol. Candidates often incorrectly assume that 'O IA' means external, but it actually represents routes learned from a different OSPF area within the same autonomous system. Another common mistake is thinking the 'O' code indicates EIGRP routes, which it does not; EIGRP uses different codes such as 'D'.

This confusion can cause candidates to select incorrect answers about route origins or types. Carefully distinguishing between intra-area, inter-area, and external routes based on OSPF codes is essential to avoid this pitfall.

Why the other options are wrong

A

Option A incorrectly states that 'O IA' is an external route redistributed from another routing protocol. In reality, 'O IA' stands for inter-area routes within OSPF, not external routes. External routes use 'O E1' or 'O E2' codes.

C

Option C incorrectly claims that 'O' means the route was learned through EIGRP. The 'O' code is exclusive to OSPF intra-area routes. EIGRP routes use the code 'D' in Cisco routing tables.

D

Option D is incorrect because the three routes represent different OSPF route types: intra-area (O), inter-area (O IA), and external (O E2). They do not all come from the same OSPF area type.

1200
MCQhard

A switch should disable an edge port immediately if a BPDU is received on it. Which feature is intended for that specific behavior?

A.BPDU Guard
B.Loop Guard
C.Root Guard
D.UDLD
AnswerA

This is correct because BPDU Guard disables the edge port when a BPDU is received.

Why this answer

The feature is BPDU Guard. In plain language, the administrator is treating the port as an end-device-only edge interface and wants the switch to react aggressively if it ever sees spanning-tree control traffic there. BPDU Guard does exactly that: if a BPDU appears on a protected edge port, the switch places the interface into an err-disabled state to help prevent accidental loops or rogue switch connections.

This is different from root guard and loop guard, which solve other spanning-tree control problems. BPDU Guard is the specific answer when the requirement is “if you ever hear a BPDU here, shut the port down quickly.”

Exam trap

A common exam trap is confusing BPDU Guard with Root Guard or Loop Guard. Candidates may incorrectly select Root Guard because it also deals with BPDUs, but Root Guard only blocks ports from becoming root ports and does not disable the port immediately. Loop Guard protects against unidirectional link failures and does not shut down ports upon BPDU receipt.

Another mistake is thinking UDLD handles BPDU protection; however, UDLD only detects unidirectional physical link failures and is unrelated to STP BPDU processing. Understanding that BPDU Guard uniquely disables edge ports upon BPDU detection is critical to avoid this trap.

Why the other options are wrong

B

Loop Guard is incorrect because it protects against unidirectional link failures by preventing a port from transitioning to forwarding when BPDUs stop, but it does not disable a port upon BPDU receipt.

C

Root Guard is incorrect because it prevents a port from becoming a root port by blocking superior BPDUs but does not disable the port immediately when a BPDU is received on an edge port.

D

UDLD is incorrect because it detects unidirectional physical link failures and does not interact with BPDU processing or disable ports based on BPDU reception.
