CCNA 200-301 v2 (200-301) — Questions 1201-1275

1819 questions total · 25 pages · All types, answers revealed

Page 17 of 25
1201
MCQ · medium

A network administrator is troubleshooting a connectivity issue between two hosts on different subnets. The administrator captures packets on the source host and notices that the frames contain the correct source and destination MAC addresses but the encapsulated packets have incorrect source and destination IP addresses. According to the OSI model, which layer is most likely responsible for this issue?

A. Physical Layer (Layer 1)
B. Data Link Layer (Layer 2)
C. Network Layer (Layer 3)
D. Transport Layer (Layer 4)
Answer: C

The Network Layer is responsible for logical addressing (IP addresses) and routing. Incorrect IP addresses indicate a problem at this layer.

Why this answer

The Network Layer (Layer 3) is responsible for logical addressing (IP addresses) and routing packets between different subnets. Since the captured frames have correct MAC addresses (Layer 2) but incorrect source and destination IP addresses, the issue lies in how the IP headers are being constructed or assigned, which is a Layer 3 function. This could be caused by misconfigured IP addresses, subnet masks, or default gateways on the source host.

Exam trap

Cisco often tests the distinction between MAC addresses (Layer 2) and IP addresses (Layer 3) in troubleshooting scenarios, and the trap here is that candidates might incorrectly blame the Data Link Layer because they see 'frames' and 'MAC addresses' in the question, without recognizing that the IP address error points to the Network Layer.

Why the other options are wrong

A

The issue is with the IP addresses, which are not handled at Layer 1.

B

The MAC addresses are correct, so the Data Link Layer is functioning properly.

D

IP addresses are not part of the Transport Layer header; they belong to the Network Layer.

1202
MCQ · hard

A multilayer switch has working SVIs for VLAN 10 and VLAN 20, but traffic between the VLANs fails. Hosts can ping their own gateway interfaces. Which misconfiguration is most strongly suggested if the SVIs themselves are correct?

A. IP routing is not enabled on the multilayer switch.
B. Both VLANs need to use the same IP subnet.
C. All access ports must be converted into trunks.
D. The wireless controller must provide the default gateway.
Answer: A

This is correct because the switch needs Layer 3 forwarding enabled to route between VLAN interfaces.

Why this answer

The correct answer is A: IP routing is not enabled. The switch can ping SVIs locally because they are directly connected, but without `ip routing`, it cannot forward packets between VLANs. Option B is wrong because different VLANs require different subnets for routing.

Option C is wrong because access ports do not need to be trunks; SVIs handle routing at Layer 3. Option D is wrong because the wireless controller does not provide the default gateway for wired VLAN routing; the SVI does.

Exam trap

Remember that SVIs alone do not enable inter-VLAN routing; IP routing must be explicitly enabled on the switch.

Why the other options are wrong

B

Different VLANs must use different IP subnets for routing; using the same subnet would break Layer 3 separation.

C

Access ports remain as access ports; inter-VLAN routing requires SVIs with routing enabled, not trunk conversion of access ports.

D

The default gateway for each VLAN is the SVI IP address; a wireless controller is irrelevant to Layer 3 forwarding between wired VLANs.

1203
PBQ · hard

You are connected to R1 via the console. The routers R1 and R2 are directly connected using their GigabitEthernet0/0 interfaces, which are in VLAN 100 and use subnet 192.168.1.0/24. Both routers are currently showing as active for HSRP group 10. Configure HSRP on R1's GigabitEthernet0/0 to become the active router (priority 150, preempt enabled, virtual IP 192.168.1.254). Ensure that if R1's GigabitEthernet0/1 WAN interface goes down, its HSRP priority decrements by 30 so that R2 can take over. Also, correct any existing misconfiguration in the HSRP setup.

Hints

  • Check if preempt is actually enabled by looking for the 'P' flag in show standby brief.
  • Both routers being active often indicates a duplicate virtual IP or missing preempt.
  • Use 'standby 10 preempt' to enable preemption, and 'standby 10 priority 150' to set priority.
A. Configure: interface GigabitEthernet0/0, standby 10 ip 192.168.1.254, standby 10 priority 150, standby 10 preempt, standby 10 track GigabitEthernet0/1 decrement 30. Also, ensure preempt is enabled on R1 (currently missing) and correct any duplicate virtual IP.
B. Configure: interface GigabitEthernet0/0, standby 10 ip 192.168.1.254, standby 10 priority 150, standby 10 preempt, standby 10 track GigabitEthernet0/1 decrement 30. No other changes needed because preempt is already enabled.
C. Configure: interface GigabitEthernet0/0, standby 10 ip 192.168.1.254, standby 10 priority 150, standby 10 preempt, standby 10 track GigabitEthernet0/1 decrement 30. Also, change the virtual IP to 192.168.1.1 because the current one is wrong.
D. Configure: interface GigabitEthernet0/0, standby 10 ip 192.168.1.254, standby 10 priority 150, standby 10 preempt, standby 10 track GigabitEthernet0/1 decrement 30. Also, remove the standby 10 track command from R2 to prevent conflicts.
Answer: A
Solution
! R1
interface GigabitEthernet0/0
standby 10 priority 150
standby 10 preempt
! priority falls to 120 if the WAN link fails, so R2 (default priority 100) can take over
standby 10 track GigabitEthernet0/1 decrement 30
end

Why this answer

Both routers showing as active means either R2 has an equal or higher priority or preempt is missing, preventing a single active election. To fix this, on R1's GigabitEthernet0/0 interface, set standby priority 150 with preempt enabled. Add tracking of GigabitEthernet0/1 with decrement 30 so the priority drops to 120 if the WAN link fails, allowing R2 to become active.

The existing misconfiguration is that preempt is either absent or disabled, causing a split-brain scenario; this solution makes R1 the active router and provides correct failover.

Exam trap

Always verify HSRP preempt with 'show standby' to see the 'P' flag; configuration alone does not guarantee it is active. Also, remember that both routers showing as active is a symptom of missing preempt or duplicate virtual IP, not necessarily a tracking issue.

Why the other options are wrong

B

Preempt is not already enabled—otherwise both routers would not show as active. Failing to enable preempt leaves the split-brain condition unresolved.

C

The virtual IP 192.168.1.254 is correctly assigned to the HSRP group; changing it would replace the default gateway for all hosts, breaking connectivity.

D

Removing tracking from R2 is irrelevant; the problem is R1's missing preempt and low priority, not R2's configuration. Both routers showing active is not caused by tracking on R2.

1204
MCQ · hard

A wireless site reports that users can connect to the SSID, but performance drops sharply around the conference area whenever the room fills up. Based on the exhibit, what is the most likely cause?

A. Adjacent-channel interference caused by overlapping 2.4 GHz channels
B. A DHCP exhaustion problem on the WLAN
C. An authentication mismatch between the APs and clients
D. A missing default route on the wireless controller
Answer: A

Channel 3 overlaps with both 1 and 6, which is a common performance problem.

Why this answer

The 2.4 GHz radios are using overlapping channels. In 2.4 GHz, the standard non-overlapping channels are 1, 6, and 11 in many regulatory domains. Using channels 1, 3, and 6 creates adjacent-channel interference, which hurts throughput especially in dense client areas.

Exam trap

A common exam trap is to confuse wireless connectivity issues caused by RF interference with DHCP or authentication problems. Because users can connect to the SSID, candidates might incorrectly suspect DHCP exhaustion or authentication mismatches. However, DHCP exhaustion prevents clients from obtaining IP addresses; it does not cause throughput drops.

Similarly, authentication mismatches prevent connection entirely. Another trap is to blame routing issues like a missing default route on the wireless controller, which affects network reachability but not local wireless signal quality. The key is to recognize that overlapping 2.4 GHz channels cause adjacent-channel interference, which degrades performance even when clients connect successfully.

Why the other options are wrong

B

Incorrect. DHCP exhaustion would prevent some clients from obtaining IP addresses, but it does not cause RF interference or a sharp drop in wireless throughput. Since users can connect, DHCP exhaustion is unlikely.

C

Incorrect. An authentication mismatch would prevent clients from connecting to the SSID. Since users can connect, authentication is working properly and is not the cause of performance degradation.

D

Incorrect. A missing default route on the wireless controller affects upstream network connectivity but does not cause local RF interference or throughput drops in the wireless environment.

1205
Drag & Drop · medium

Drag and drop the following steps into the correct order to describe the router's routing table lookup process for a destination IP address, including best-path selection using longest prefix match, administrative distance, and metric.


Why this order

The order follows the router's decision process: longest prefix match first, then administrative distance, then metric, leading to the forwarding decision.

Exam trap

Students often confuse the order of AD and metric, thinking metric is compared before AD. Remember: AD is a tiebreaker between different routing protocols (e.g., OSPF vs. EIGRP), while metric is a tiebreaker within the same protocol.

Also, longest prefix match always comes first—never skip it.

1206
MCQ · medium

Exhibit: Users report that they can see the corporate SSID but fail authentication immediately after entering credentials. Guest wireless works on the same access point. Which issue is most likely?

A. The AP is using the wrong channel width
B. The RADIUS or AAA server is unreachable for the enterprise WLAN
C. The corporate SSID has a mismatched RADIUS shared secret
D. The SSID must be configured as hidden
Answer: B

WPA2-Enterprise depends on AAA communication for user authentication.

Why this answer

When clients can see the SSID and associate at Layer 2 but fail right after entering credentials, a broken 802.1X or RADIUS path is a common cause. RF coverage is clearly not the main problem because the SSID is visible and guest service works.

Exam trap

Be careful not to confuse visibility and connectivity issues with authentication problems. The SSID is visible, so focus on authentication-related configurations.

Why the other options are wrong

A

The AP using the wrong channel width would not cause immediate authentication failures; it typically affects connectivity or performance rather than authentication processes. Since the guest wireless works, the channel width is likely not the issue.

C

A mismatched RADIUS shared secret would cause authentication failures, but guest wireless works on the same access point, indicating the AP itself is functional; the more likely cause is that the RADIUS server is completely unreachable, not just a shared secret mismatch.

D

Configuring the SSID as hidden would not cause immediate authentication failures; users would simply not see the SSID unless they manually entered it. The issue described involves users seeing the SSID but failing authentication, indicating a problem beyond SSID visibility.

1207
MCQ · hard

Two switches are connected by a trunk. VLAN 50 exists on both switches, but traffic still fails across the link. The allowed VLAN list is correct. Which additional item should be checked next?

A. Check for a trunk mismatch such as native VLAN inconsistency or other trunk-parameter problems.
B. Reset OSPF process IDs on both switches.
C. Add ip helper-address under every access interface.
D. Disable the MAC address table.
Answer: A

This is correct because VLAN permission alone does not guarantee the trunk is healthy end to end.

Why this answer

After confirming that the VLAN exists on both switches and is allowed on the trunk, another important item to verify is whether the trunk itself is actually operational with the expected encapsulation and whether there is a native VLAN or other trunk inconsistency. In plain language, just because the VLAN is listed does not guarantee the trunk is healthy in every relevant way. Trunking problems can still occur because of broader configuration mismatches.

This question is about disciplined troubleshooting. Once the obvious allowed-list issue is ruled out, the next step is to keep checking other trunk-related characteristics rather than jumping immediately to unrelated routing or service features. The correct answer is the one that stays grounded in trunk-specific verification.

Exam trap

Don't jump to unrelated issues like spanning tree or IP configuration when the problem is clearly trunk-related.

Why the other options are wrong

B

Resetting OSPF process IDs does not address VLAN traffic issues over a trunk link, as OSPF is a routing protocol and unrelated to Layer 2 VLAN configurations.

C

Adding an ip helper-address is irrelevant to VLAN traffic issues across a trunk link, as this command is used for forwarding DHCP requests, not for resolving VLAN connectivity problems.

D

Disabling the MAC address table would not resolve VLAN traffic issues across a trunk link, as it pertains to Layer 2 forwarding and would disrupt normal switch operations, leading to further connectivity problems.

1208
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure an LACP EtherChannel on two Cisco switches using active mode.


Why this order

To configure an LACP EtherChannel in active mode, you must first enter interface configuration mode on the physical interfaces (e.g., using interface range). Next, assign those interfaces to a channel group using the channel-group command with the mode active keyword; this enables LACP negotiation and ensures the switch actively attempts to form a bundle. After the member ports are configured, you can optionally set parameters on the Port-Channel interface (such as switchport mode trunk).

Finally, verify the EtherChannel is operational with show etherchannel summary. Using mode passive, on, or desirable would not enable LACP active negotiation or would use a different protocol (PAgP), which does not meet the requirement.

Exam trap

Remember that LACP uses active and passive modes, while PAgP uses desirable and auto. Do not confuse the protocols or their modes.

1209
MCQ · hard

A network administrator is troubleshooting an issue where hosts on VLAN 10 cannot ping the default gateway at 192.168.10.1. The router (R1) has an SVI for VLAN 10 with IP 192.168.10.1/24. The administrator captures traffic on the router's G0/0/0 interface (trunk to the switch) and reviews the embedded packet capture output. What is the root cause of the problem?

A. The router's SVI for VLAN 10 is administratively down.
B. The switch port connecting the host is configured in the wrong VLAN (e.g., VLAN 20 instead of VLAN 10).
C. An inbound ACL on the router's SVI is blocking ICMP echo requests from the host.
D. The router has ICMP redirects enabled, causing it to ignore the pings.
Answer: B

The router is sending ARP requests, but the host never receives them because the switch port is in a different VLAN. This prevents the router from learning the host's MAC address, causing the ping to fail.

Why this answer

The captured traffic on the trunk shows that the router is not receiving any frames tagged with VLAN 10 from the host. If the switch port connecting the host is configured in VLAN 20 instead of VLAN 10, the host's frames will be tagged with VLAN 20 (or remain untagged in the access VLAN 20) and will not reach the router's SVI for VLAN 10, causing the ping to fail. This is the most direct cause given the symptom that the host cannot ping the default gateway.

Exam trap

Cisco often tests the distinction between Layer 2 and Layer 3 issues, and the trap here is that candidates assume the problem is on the router (e.g., ACL or interface state) when the packet capture reveals that the traffic never reaches the router's SVI due to a VLAN mismatch on the switch access port.

Why the other options are wrong

A

The SVI is operational, so this cannot be the root cause.

C

An inbound ACL can only drop echo requests that actually arrive at the router. The capture shows no VLAN 10 frames from the host reaching the router at all, so an ACL cannot be the root cause.

D

ICMP redirects do not prevent the router from responding to pings; they only send redirect messages when appropriate.

1210
PBQ · hard

You are connected to Multilayer Switch SW1. Configure LACP EtherChannel between SW1 and SW2 using ports GigabitEthernet0/1 and GigabitEthernet0/2. Ensure the channel is formed and active. The current configuration has mismatched VLAN assignments and speed/duplex settings preventing the channel from coming up. Verify the channel state using 'show etherchannel summary'.

Network Topology (diagram): SW1 Gi0/1 -- LACP EtherChannel -- Gi0/1 SW2

Hints

  • Check that both physical ports have identical speed and duplex settings.
  • Ensure the allowed VLAN list on each member port matches the Port-channel interface.
  • Use 'show etherchannel summary' to see if ports are in a suspended (D) or bundled (P) state.
A. Configure both Gi0/1 and Gi0/2 with speed 1000, duplex full, and switchport trunk allowed vlan 10,20,30.
B. Configure both Gi0/1 and Gi0/2 with speed 100, duplex half, and switchport trunk allowed vlan 30.
C. Configure both Gi0/1 and Gi0/2 with speed 1000, duplex full, and switchport trunk allowed vlan 10,20.
D. Configure both Gi0/1 and Gi0/2 with speed 1000, duplex full, and switchport mode access.
Answer: A
Solution
! SW1
! Gi0/1 already runs at speed 1000 / duplex full; only its allowed VLAN list needs to change
interface GigabitEthernet0/1
switchport trunk allowed vlan 10,20,30
exit
! Gi0/2 must match Gi0/1 and the Port-channel on speed, duplex and allowed VLANs
interface GigabitEthernet0/2
speed 1000
duplex full
switchport trunk allowed vlan 10,20,30
exit

Why this answer

The EtherChannel is down because the two member ports on SW1 have inconsistent configurations. GigabitEthernet0/1 is set to speed 1000 and duplex full with allowed VLANs 10,20, while GigabitEthernet0/2 is set to speed 100 and duplex half with allowed VLAN 30. LACP requires all member ports to have identical speed, duplex, and VLAN allowed lists.

To fix, on SW1 configure both Gi0/1 and Gi0/2 with the same speed (1000), duplex (full), and trunk allowed VLANs (10,20,30). The Port-channel interface already has the correct allowed VLANs. After correction, 'show etherchannel summary' should show both ports as bundled (P).

Exam trap

The exam trap is that candidates often focus only on speed/duplex mismatches and forget that VLAN allowed lists must also match. Additionally, they may assume that the Port-channel interface inherits settings from member ports, but in fact, the member ports must match the Port-channel configuration.

Why the other options are wrong

B

The specific factual error is that LACP requires all member ports to have identical configurations, and this option does not align with the existing Port-channel configuration.

C

The specific factual error is that the VLAN allowed list must match across all member ports and the Port-channel interface; omitting VLAN 30 will cause inconsistency.

D

The specific factual error is that LACP requires consistent switchport mode (access or trunk) across all member ports and the Port-channel interface.

1211
PBQ · hard

You are connected to switch SW1. Configure Rapid-PVST+ so that SW1 becomes the root bridge for VLAN 10 and VLAN 20. On interface GigabitEthernet0/2, enable PortFast and BPDUGuard. Then, a BPDU is received on that port, causing err-disable. Diagnose the issue and recover the interface without rebooting the switch.

Hints

  • Use 'spanning-tree vlan <vlan> root primary' to set priority to 24576 or 24596.
  • BPDUGuard will err-disable the port if a BPDU is received; use 'errdisable recovery cause bpduguard' to auto-recover.
  • After recovery, the port may need a manual shutdown/no shutdown to clear the err-disable state.
A. Configure SW1 as root for VLAN 10 and 20 using 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary'. On Gi0/2, enable PortFast with 'spanning-tree portfast' and BPDUGuard with 'spanning-tree bpduguard enable'. The err-disable state occurs because BPDUGuard shuts down the port when a BPDU is received. To recover, use 'errdisable recovery cause bpduguard' to enable automatic recovery, or manually do 'shutdown' followed by 'no shutdown' on the interface.
B. Configure SW1 as root for VLAN 10 and 20 using 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary'. On Gi0/2, enable PortFast with 'spanning-tree portfast' and BPDUGuard with 'spanning-tree bpduguard enable'. The err-disable state occurs because BPDUGuard shuts down the port when a BPDU is received. To recover, use 'clear spanning-tree detected-protocols' on the interface.
C. Configure SW1 as root for VLAN 10 and 20 using 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary'. On Gi0/2, enable PortFast with 'spanning-tree portfast' and BPDUGuard with 'spanning-tree bpduguard enable'. The err-disable state occurs because BPDUGuard shuts down the port when a BPDU is received. To recover, use 'no spanning-tree bpduguard enable' on the interface, then re-enable it.
D. Configure SW1 as root for VLAN 10 and 20 using 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary'. On Gi0/2, enable PortFast with 'spanning-tree portfast' and BPDUGuard with 'spanning-tree bpduguard enable'. The err-disable state occurs because BPDUGuard shuts down the port when a BPDU is received. To recover, use 'reload' on the switch to reset all interfaces.
Answer: A
Solution
! SW1
spanning-tree vlan 10 root primary
spanning-tree vlan 20 root primary
interface GigabitEthernet0/2
spanning-tree portfast
spanning-tree bpduguard enable
! errdisable recovery is a global command, so leave interface configuration mode first
exit
errdisable recovery cause bpduguard
! manual recovery: bounce the err-disabled port
interface GigabitEthernet0/2
shutdown
no shutdown

Why this answer

First, configure SW1 as root for VLAN 10 and 20 using 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary'. Then, on interface Gi0/2, enable PortFast with 'spanning-tree portfast' and BPDUGuard with 'spanning-tree bpduguard enable'. The err-disable state occurs because BPDUGuard defaults to shutting down a port when a BPDU is received.

To recover, use 'errdisable recovery cause bpduguard' to allow automatic recovery or 'shutdown' followed by 'no shutdown' on the interface. The blocking port is Gi0/2 in VLAN 20 because the current root has a higher priority than SW1's configured priority, but since SW1 becomes root, all ports are designated.

Exam trap

The exam trap is that candidates may confuse the recovery method for BPDUGuard err-disable with other STP commands. Remember: BPDUGuard err-disables the port; to recover, use 'errdisable recovery cause bpduguard' or manual shutdown/no shutdown. Do not use 'clear spanning-tree detected-protocols' or remove BPDUGuard alone.

Why the other options are wrong

B

The specific factual error is that 'clear spanning-tree detected-protocols' does not recover err-disabled ports; it only re-initiates STP negotiations.

C

The specific factual error is that disabling BPDUGuard does not automatically bring the port back up; the err-disable state must be cleared separately.

D

The specific factual error is that reloading is overkill and not the recommended recovery method; it disrupts all traffic unnecessarily.

1212
Matching · medium

Drag and drop the monitoring technologies on the left to the correct data model and transport descriptions on the right.

Descriptions

  • Manager-agent model; UDP transport; MIB-based data
  • Flow-based model; UDP transport; template-based data
  • Subscription-based model; gRPC/TCP transport; structured data (YANG/JSON)
  • Event-based model; UDP transport; text-based messages
  • Probe-based model; UDP/TCP transport; latency/jitter metrics

Why these pairings

These pairings correctly match monitoring technologies with their typical data model and transport.

Exam trap

Be careful not to confuse the data models (MIB vs. YANG) and transports (UDP vs. TCP) between SNMP and NETCONF/RESTCONF.

Also, remember that gRPC uses protobufs, not XML or JSON. Flow-based technologies like NetFlow and IPFIX are not poll-based; they export flow data.

1213
MCQ · easy

Based on the JSON snippet below, which statement is correct? { "device": { "hostname": "R1", "interfaces": [ {"name": "Gig0/0", "status": "up"}, {"name": "Gig0/1", "status": "down"} ] } }

A. interfaces is a JSON array containing two objects.
B. device is a JSON array.
C. status is a JSON array with two strings.
D. hostname is a nested array under interfaces.
Answer: A

Square brackets indicate an array, and each entry inside is an object.

Why this answer

The value associated with interfaces is an array because it is enclosed in square brackets and contains multiple objects. The device element itself is an object, and each interface entry inside the array is also an object.

Exam trap

A frequent exam trap is misidentifying the JSON structure by assuming that "interfaces" is an object rather than an array. Since "interfaces" contains multiple entries, it must be an array, indicated by square brackets. Another pitfall is thinking "device" is an array because it contains multiple keys, but it is actually an object enclosed in curly braces.

Misreading "status" as an array of strings instead of a string value inside each interface object can also cause confusion. These mistakes stem from not carefully noting the JSON syntax, which is critical for understanding device data representation in Cisco automation and APIs.

Why the other options are wrong

B

Incorrect. The device key is enclosed in curly braces, making it a JSON object, not an array. It groups hostname and interfaces under one entity.

C

Incorrect. The status field is a string within each interface object, not an array. Each interface has its own status string indicating up or down.

D

Incorrect. The hostname is a string property directly inside the device object and is not nested inside the interfaces array or any other array.

1214
MCQ · hard

A router interface is configured with 192.0.2.97/28. What is the network address of the subnet?

A. 192.0.2.80
B. 192.0.2.96
C. 192.0.2.111
D. 192.0.2.112
Answer: B

Correct. It is the first address in the 192.0.2.96/28 subnet.

Why this answer

A /28 uses blocks of 16 addresses. The block containing .97 runs from .96 through .111, so .96 is the network address.

Exam trap

Be careful not to confuse the given IP address or the broadcast address with the network address.

Why the other options are wrong

A

Option A (192.0.2.80) is incorrect because the subnet mask /28 indicates a block size of 16, making the valid network addresses range from 192.0.2.96 to 192.0.2.111. The network address for this subnet is 192.0.2.96.

C

The address 192.0.2.111 is not a valid network address for the subnet defined by 192.0.2.97/28, as it falls outside the range of usable addresses for that subnet, which spans from 192.0.2.96 to 192.0.2.111.

D

Option D, 192.0.2.112, is wrong because it does not represent the network address for the subnet defined by the IP address 192.0.2.97/28. The correct network address is 192.0.2.96, which is the first address in the subnet range.

1215
MCQ · hard

A network administrator has configured a Cisco switch as a DHCP server for the 192.168.1.0/24 subnet. Hosts in VLAN 10 are unable to obtain IP addresses via DHCP. The switch's SVI for VLAN 10 is up/up. What is the most likely cause of the problem?

A. The VLAN 10 SVI is not configured with an IP address in the 192.168.1.0/24 subnet.
B. The DHCP server is including the network and broadcast addresses in the pool, causing conflicts. Use the 'ip dhcp excluded-address' command to exclude them.
C. DHCP snooping is blocking DHCP messages on the switch port connected to the hosts.
D. The DHCP pool is not bound to VLAN 10. Use the 'vlan' command under the pool configuration.
Answer: B

The conflict detection shows that addresses 192.168.1.1 (network) and 192.168.1.254 (broadcast) are in conflict. These should be excluded to prevent the DHCP server from leasing them.

Why this answer

Option B is correct. The most likely cause is that the DHCP server pool includes the network (192.168.1.0) and broadcast (192.168.1.255) addresses, which are reserved and cannot be leased. When a host requests an IP, the server may attempt to assign one of these addresses, causing a conflict and preventing successful DHCP lease completion.

Using the 'ip dhcp excluded-address' command to exclude these addresses from the pool resolves the issue. Option A is not the best answer because the SVI for VLAN 10 is up/up and must already have an IP address in the 192.168.1.0/24 subnet for the DHCP server to offer addresses to that subnet; if it were missing, DHCP would fail completely, but the symptom would likely be no offers at all, not address conflicts. The problem described is consistent with the pool including reserved addresses, which is a common misconfiguration.

Exam trap

Learners often overlook that the DHCP pool's range must exclude network and broadcast addresses; they may incorrectly suspect DHCP snooping, an SVI misconfiguration, or a missing VLAN binding instead.

Why the other options are wrong

A

The SVI must have an IP address for routing, but the DHCP server can serve addresses from any pool regardless of the SVI's subnet. The issue is with the pool itself.

C

If DHCP snooping were blocking messages, the 'Malformed messages' counter might increase, but the server would still receive some messages. The zero count indicates no messages are reaching the server.

D

There is no 'vlan' command under a DHCP pool. The pool serves all hosts in the subnet regardless of VLAN association.

1216
MCQ · hard

A router has a static route to 10.20.20.0/24 and also has a default route. Which route is used for traffic to 10.20.20.8?

A. The static route to 10.20.20.0/24
B. The default route
C. Both routes are used equally
D. Neither route is valid
Answer: A

This is correct because the /24 route matches the destination more specifically than the default route.

Why this answer

The static route to 10.20.20.0/24 is used because it is more specific than the default route. In practical terms, the router always chooses the route that most precisely matches the destination before falling back to the default route.

This question reinforces the idea that the default route is a route of last resort, not a preferred choice when a better match already exists.

Exam trap

A frequent exam trap is assuming the default route is used whenever it exists, ignoring the presence of more specific static routes. This misunderstanding leads to incorrect answers because routers always prefer the route with the longest matching prefix, not the default route unless no other matches exist.

Why the other options are wrong

B

This option is incorrect because the default route is less specific and only used when no other matching routes exist. Here, a more specific static route is present.

C

This option is incorrect because routers do not load balance equally between a specific static route and a default route; they prefer the most specific route.

D

This option is incorrect because the static route to 10.20.20.0/24 clearly matches the destination, making it a valid route for forwarding traffic.
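The lookup order stated for question 1205 (longest prefix match, then administrative distance, then metric), the /28 network address from question 1214 and the static-versus-default choice from question 1216, worked in Python as an added example that is not part of the question bank. The routing table and next hops are constructed for the illustration, AD values are the Cisco defaults, and equal-cost multipath is not modelled.

```python
"""Route selection: longest prefix match, then lowest AD, then lowest metric.
Added illustration for the questions above; the table below is constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network   # destination network, e.g. 10.20.20.0/24
    protocol: str         # "S" static, "S*" default static, "O" OSPF, "D" EIGRP
    ad: int               # administrative distance of the source protocol
    metric: int           # protocol metric; only comparable within one protocol
    next_hop: str


def network_address(ip: str, prefix_len: int) -> str:
    """Network address of the subnet containing ip (question 1214).
    strict=False makes ipaddress zero the host bits instead of raising."""
    return str(IPv4Network(f"{ip}/{prefix_len}", strict=False).network_address)


def broadcast_address(ip: str, prefix_len: int) -> str:
    """Last address of the same block (the other common exam distractor)."""
    return str(IPv4Network(f"{ip}/{prefix_len}", strict=False).broadcast_address)


def select_route(table: list[Route], destination: str) -> Optional[Route]:
    """Pick the route a router would use for destination.

    1. keep only routes whose prefix contains the destination;
    2. longest prefix match: the most specific route wins outright;
    3. among equal-length prefixes, lowest administrative distance;
    4. among equal AD (same protocol), lowest metric.
    Returns None when nothing matches, i.e. no route and no default route.
    """
    dst = IPv4Address(destination)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None
    # Sorting by (-prefixlen, ad, metric) applies the tie-breakers in that order.
    candidates.sort(key=lambda r: (-r.prefix.prefixlen, r.ad, r.metric))
    return candidates[0]


# Constructed routing table (AD defaults: static 1, EIGRP 90, OSPF 110).
ROUTING_TABLE = [
    Route(IPv4Network("0.0.0.0/0"), "S*", 1, 0, "203.0.113.2"),          # default route
    Route(IPv4Network("10.20.20.0/24"), "S", 1, 0, "192.168.1.2"),        # static (q. 1216)
    Route(IPv4Network("172.16.0.0/16"), "O", 110, 20, "192.168.1.3"),     # OSPF
    Route(IPv4Network("172.16.0.0/16"), "D", 90, 28160, "192.168.1.4"),   # EIGRP, same prefix
    Route(IPv4Network("172.16.5.0/24"), "O", 110, 30, "192.168.1.3"),     # more specific OSPF
    Route(IPv4Network("10.30.0.0/16"), "O", 110, 50, "192.168.1.5"),      # OSPF, worse metric
    Route(IPv4Network("10.30.0.0/16"), "O", 110, 20, "192.168.1.6"),      # OSPF, better metric
]

if __name__ == "__main__":
    print("192.0.2.97/28 ->", network_address("192.0.2.97", 28),
          "broadcast", broadcast_address("192.0.2.97", 28))
    for dst in ("10.20.20.8", "172.16.9.1", "172.16.5.7", "10.30.1.1", "198.51.100.1"):
        r = select_route(ROUTING_TABLE, dst)
        print(f"{dst:>14} -> {r.protocol:2} {r.prefix} via {r.next_hop}")
```

Note that 172.16.9.1 goes to the EIGRP route even though its metric (28160) is far larger than OSPF's (20): AD is compared before metric, and metrics are never compared across protocols.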

1217
PBQhard

You are connected to R1 via the console. Configure single-area OSPFv2 on R1 and R2 so that they form a full adjacency. The link between R1 and R2 uses 203.0.113.0/30. R1 has G0/0 203.0.113.1/30 and R2 has G0/0 203.0.113.2/30. R1's router-id must be 1.1.1.1, and R2's router-id must be 2.2.2.2. R1's GigabitEthernet0/0 interface is configured as a passive interface under OSPF, preventing OSPF hello messages from being sent out of that interface. Ensure that R1 does not send OSPF hellos out of its loopback0 interface (203.0.113.129/32). After configuration, verify the adjacency is established and OSPF routes are exchanged.

Hints

  • Check if G0/0 is passive on R1 using 'show ip ospf interface'
  • The passive-interface default command makes all interfaces passive unless explicitly excluded
  • Use 'no passive-interface <interface>' under router ospf to allow hellos on the link
A.The adjacency fails because R1's GigabitEthernet0/0 interface is configured as passive-interface. Remove the passive-interface command for G0/0.
B.The adjacency fails because the router-id 1.1.1.1 is not reachable from R2. Configure a static route for 1.1.1.1/32 on R2.
C.The adjacency fails because the subnet mask on the link is /30 but OSPF expects a /24. Change the mask to /24 on both interfaces.
D.The adjacency fails because OSPF is not enabled on R2's GigabitEthernet0/0 interface. Configure 'ip ospf 1 area 0' on R2's G0/0.
AnswerA
solution
! R1
router ospf 1
no passive-interface GigabitEthernet0/0

Why this answer

The adjacency fails because R1's GigabitEthernet0/0 interface is configured as passive-interface (the 'No Hellos' line in show ip ospf interface). This prevents R1 from sending OSPF hellos to R2. To fix, remove the passive-interface command for G0/0.

The loopback0 interface should remain passive. After removal, verify with 'show ip ospf neighbor' to see the neighbor state change to FULL and 'show ip route ospf' to see routes.

Exam trap

The trap is that candidates may overlook the 'passive-interface' command's effect on hello suppression. They might focus on router-id or subnet issues instead. Always check 'show ip ospf interface' for passive status when adjacency fails.

Why the other options are wrong

B

The router-id is used only for OSPF router identification and does not need to be reachable; adjacency uses interface IP addresses.

C

OSPF does not require a particular subnet mask; what matters is that both ends of the link agree on the mask (along with area, hello/dead timers, authentication, and network type). A /30 on a point-to-point link is the normal design, so changing it to /24 would fix nothing.

D

OSPF is enabled on R2's G0/0; the issue is on R1's side where the passive-interface prevents hellos.

1218
MCQhard

A branch router has two equal-cost static routes to the same destination network. Both routes are displayed in the output of the show ip route command, and pings from the router to both next-hop IP addresses succeed. Despite this, all traffic heading toward that destination is egressing only a single interface. The technician suspects Cisco Express Forwarding (CEF) is not performing load balancing as expected. What should the technician do next?

A.Issue the show ip cef <destination> detail command to inspect the CEF FIB entry and verify both adjacencies are present.
B.Check the interface output rates with show interface to see if both interfaces are transmitting traffic.
C.Display the routing table again with show ip route to ensure both static routes are still installed.
D.Verify the bandwidth configured on the outgoing interfaces using show interfaces or show running-config.
AnswerD

CEF load-balances among equal-cost paths by hashing packet headers, and two equal-cost static routes are installed with equal traffic-share counts. Before going deeper into the FIB, the technician should confirm that the two egress interfaces are really configured as equals; a manually lowered bandwidth value is a cheap asymmetry to rule out. Bear in mind that the default per-destination load sharing sends every packet of a given source/destination pair down the same path, so a single test flow using one interface is expected behaviour; 'show ip cef exact-route <source> <destination>' shows which path a given pair takes.

Why this answer

Even when the routing table shows equal-cost paths, a mismatch in the egress interface configuration (for example, a bandwidth value that was manually lowered on one link) is the kind of hidden asymmetry this scenario is built around. Verifying the interface bandwidth reveals whether the two links are actually configured alike before any deeper data-plane inspection.

This check looks at the interface configuration first; the FIB would show both adjacencies in this case, and the traffic counters only confirm the symptom.
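An added example, not from the page, modelling the per-destination behaviour that matters when only one flow is being tested. The hash, seed and interface names are constructed; real CEF uses its own hash with a per-router universal-id seed, so only the qualitative behaviour carries over: one source/destination pair always maps to one path, while many distinct pairs spread across both.

```python
import hashlib

# Two equal-cost next hops, as in the question (interface names are assumed).
PATHS = ["GigabitEthernet0/0", "GigabitEthernet0/1"]


def pick_path(src, dst, paths=PATHS, seed=b"constructed-router-id"):
    """Model of per-destination load sharing: hash the (src, dst) pair once and
    map the result onto one of the equal-cost paths.

    Constructed model: real CEF uses its own hash and a per-router seed, so the
    bucket a given pair lands in differs from device to device, but the rule
    that one pair always gets the same path is the same.
    """
    digest = hashlib.sha256(seed + src.encode() + b"|" + dst.encode()).digest()
    return paths[digest[0] % len(paths)]


def distribution(flows, paths=PATHS):
    """Count how many (src, dst) pairs land on each path."""
    counts = {p: 0 for p in paths}
    for src, dst in flows:
        counts[pick_path(src, dst, paths)] += 1
    return counts


if __name__ == "__main__":
    # A single test flow (the router pinging one host) always uses one path.
    print([pick_path("10.1.1.1", "10.20.20.8") for _ in range(3)])
    # Two hundred distinct source hosts to the same server spread over both.
    flows = [(f"10.1.1.{i}", "10.20.20.8") for i in range(1, 201)]
    print(distribution(flows))
```

The practical lesson is that a load-balancing test needs many flows (many source/destination pairs) before the absence of traffic on one link means anything; per-packet load sharing would spread a single flow but is not the default because it reorders packets.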

Exam trap

Many candidates immediately reach for show ip cef to examine the Forwarding Information Base, assuming it will expose a missing adjacency. In this scenario it would show both adjacencies and does not by itself explain why traffic favours one path. Also check whether the "all traffic" is really several flows: per-destination hashing sends one source/destination pair over one link, so a single test stream proves nothing about load sharing.

Why the other options are wrong

A

Candidates often believe that a missing FIB adjacency is the root cause, but in this scenario both paths are reachable and installed; the issue lies in how CEF weights the paths, which is influenced by interface parameters.

B

Exam‑takers may confuse verifying the symptom with identifying the root cause. Seeing only one interface transmitting confirms the problem but offers no corrective insight.

C

A common reflex is to re‑verify the obvious; however, the question states the routes are present and next‑hops are reachable, so revisiting the RIB is redundant.

1219
Multi-Selectmedium

Which two statements accurately describe route summarization?

Select 2 answers
A.It can reduce the number of individual routes that must be advertised.
B.It can help improve routing scalability by simplifying route information.
C.It forces every router to use only a default route.
D.It is the same thing as PAT overload.
E.It automatically encrypts routing updates.
AnswersA, B

This is correct because summarization aggregates routes into fewer advertisements.

Why this answer

Route summarization combines multiple specific routes into a smaller number of broader advertisements. In plain language, it lets a router describe a group of networks with one shorter, more general route instead of announcing each one individually. This can reduce routing-table size and improve scalability. It can also reduce the amount of routing information that must be exchanged across certain boundaries.
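An added worked example (not from the page) of the aggregation described above: it computes the summary route by the usual common-leading-bits method and also lists any address space the summary advertises that the inputs do not actually contain, which is the over-summarization check a practitioner wants before configuring the range. The prefixes are constructed; the functions work for IPv4 or IPv6 input.

```python
import ipaddress

# Constructed input (not taken from the page): four contiguous /24s that a
# branch would otherwise advertise one by one.
BRANCH_PREFIXES = ["10.4.0.0/24", "10.4.1.0/24", "10.4.2.0/24", "10.4.3.0/24"]


def summarize(prefixes):
    """Smallest single supernet covering every input prefix.

    Manual summarization method: count the leading bits all network addresses
    share, never exceeding the shortest input prefix, and use that as the length.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    if not nets:
        raise ValueError("no prefixes to summarize")
    if len({n.version for n in nets}) != 1:
        raise ValueError("cannot summarize IPv4 and IPv6 together")
    width = nets[0].max_prefixlen
    first = int(nets[0].network_address)
    common = min(n.prefixlen for n in nets)
    for n in nets:
        addr = int(n.network_address)
        # shrink the shared length until both addresses agree on those bits
        while common > 0 and (addr >> (width - common)) != (first >> (width - common)):
            common -= 1
    return ipaddress.ip_network(f"{nets[0].network_address}/{common}", strict=False)


def uncovered(prefixes):
    """Address space inside summarize(prefixes) that no input prefix covers.

    A non-empty result means the summary claims space the router cannot reach;
    the usual safeguard is a discard (Null0) route for the summary itself.
    """
    holes = [summarize(prefixes)]
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        remaining = []
        for hole in holes:
            if net.subnet_of(hole):
                remaining.extend(hole.address_exclude(net))  # carve net out of hole
            elif hole.subnet_of(net):
                continue  # hole is entirely covered by this input
            else:
                remaining.append(hole)
        holes = remaining
    return sorted(holes, key=lambda n: (int(n.network_address), n.prefixlen))


if __name__ == "__main__":
    print("summary:", summarize(BRANCH_PREFIXES))
    print("uncovered:", uncovered(BRANCH_PREFIXES))
    print("summary of three:", summarize(BRANCH_PREFIXES[:3]),
          "uncovered:", uncovered(BRANCH_PREFIXES[:3]))
```

With all four /24s the summary 10.4.0.0/22 is exact; with only three of them the same /22 is still the tightest summary, but uncovered() reports 10.4.3.0/24 as advertised-but-absent space, which is exactly the case where the summarizing router needs a discard route so that traffic for the hole is dropped locally rather than looped back toward the default route.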

The wrong answers often confuse summarization with default routing or encryption. The two correct statements are the ones that preserve its aggregation and scaling purpose.

Exam trap

A frequent exam trap is mistaking route summarization for default routing or NAT-related functions. Some candidates incorrectly believe summarization forces routers to use only a default route, which is false because summarization still advertises specific aggregated routes, not just a default. Others confuse summarization with PAT overload, a NAT feature unrelated to routing.

Additionally, some think summarization automatically encrypts routing updates, which it does not. These misconceptions can lead to incorrect answers and misunderstandings about routing behavior in Cisco networks.

Why the other options are wrong

C

Option C is incorrect because summarization does not force routers to use only a default route; it aggregates routes but still allows routers to use more specific routes within the summary when available.

D

Option D is incorrect since route summarization is a routing optimization technique and is unrelated to PAT overload, which is a NAT function that translates multiple private IP addresses to a single public IP address with port differentiation.

E

Option E is incorrect because route summarization does not involve encryption of routing updates; encryption is a separate security feature not related to summarization.

1220
MCQhard

Refer to the exhibit. A network engineer notices that traffic from R1 to the 10.1.0.0/16 network is taking a longer path than expected despite OSPF being the only routing protocol. The engineer examines the OSPF LSDB on R1 to investigate. Based on the output, what is the most likely cause of the suboptimal routing?

A.The reference bandwidth has been misconfigured on R1, causing the OSPF cost calculation to be inflated for some links.
B.The ABR is filtering the 10.1.0.0/16 route from Area 1 into Area 0, causing the router to recalculate the metric higher.
C.The ABR is configured with the 'area 1 range 10.1.0.0 255.255.0.0 cost 1000' command.
D.The metric-type for OSPF external routes has been set to type 2, causing the metric to be inflated to 1000 for the 10.1.0.0/16 prefix.
AnswerC

The ABR (10.1.1.1) is advertising a Type 3 summary LSA for 10.1.0.0/16 with a metric of 1000. This matches the behavior of the 'area range' command with the 'cost' keyword, which overrides the default metric calculation for inter-area summaries and injects the specified cost. The other LSAs from the same ABR use normal metrics, confirming the summary-specific configuration.

Why this answer

The exhibit shows three Type 3 summary LSAs from the same ABR (10.1.1.1). Two of them have metrics 10 and 20, which are consistent with normal OSPF intra-area path costs. The LSA for 10.1.0.0/16 has metric 1000, an abnormally high value.

This indicates that the ABR is injecting this summary with a manually configured cost, typically done with the 'area <id> range <network> <mask> cost <value>' command. Global reference bandwidth changes would affect all metrics equally, and route filtering does not alter metric values. External route metric types are unrelated to Type 3 inter-area summaries.

Exam trap

Candidates often choose misconfigured reference bandwidth (Option A) when they see an unexpected metric, but the fact that only one summary LSA has a high value while others are normal proves the cause is specific to that prefix, not a global parameter.

Why the other options are wrong

A

Candidates may attribute arbitrary high metrics to a bandwidth calculation error, without noticing that only one LSA is affected.

B

A misunderstanding that filtering can somehow alter the metric rather than block the advertisement completely.

D

Confusion between external and inter-area route types leads candidates to think that metric-type manipulation could affect an internal summary LSA.

1221
MCQmedium

A network engineer is automating the configuration of a new branch office router. The engineer needs a protocol that uses a YANG data model, supports both configuration and operational state retrieval, and operates over SSH for secure transport. Which protocol should the engineer use?

A.SNMP
B.NETCONF
C.RESTCONF
D.CLI scripting
AnswerB

NETCONF uses YANG data models, supports both configuration and operational state retrieval, and operates over SSH for secure transport. It is the ideal choice for automating network device configuration in a secure manner.

Why this answer

NETCONF (Network Configuration Protocol) is the correct choice because it uses YANG data models for configuration and operational state retrieval, and it operates over SSH (RFC 6242) for secure transport. Unlike SNMP, NETCONF provides transactional configuration changes and separates configuration from operational state data, making it ideal for automated router configuration.

Exam trap

Cisco often tests the distinction between NETCONF and RESTCONF, where the trap is that both use YANG, but candidates forget that NETCONF specifically requires SSH transport, while RESTCONF uses HTTP/HTTPS, making NETCONF the only correct answer when the question specifies 'operates over SSH'.

Why the other options are wrong

A

SNMP does not use YANG data models and typically operates over UDP, not SSH.

C

RESTCONF uses HTTP/HTTPS for transport, not SSH, so it does not meet the requirement of operating over SSH.

D

CLI scripting lacks a standardized data model like YANG and is not a protocol that operates over SSH in the same structured manner as NETCONF.

1222
MCQhard

A user reports that the corporate SSID is visible and accepts the correct password, but the client always lands in a quarantined remediation network. Which troubleshooting area is strongest?

A.Post-authentication policy, role, or VLAN assignment logic
B.Whether the SSID is hidden instead of broadcast
C.Whether the AP uplink uses PPP encapsulation
D.Whether OSPF designated routers are elected correctly
AnswerA

This is correct because the symptom points to how the authenticated client is being classified after joining.

Why this answer

The strongest troubleshooting area is post-authentication policy or role assignment. The client already sees the SSID and successfully authenticates, so the problem is not RF visibility or password failure. Landing in a remediation network indicates a policy decision after authentication, such as a mismatched VLAN assignment or client role.

Option B (hidden SSID) is irrelevant because the SSID is visible. Option C (PPP encapsulation) does not affect post-authentication network placement. Option D (OSPF DR election) is unrelated to client VLAN assignment.

Exam trap

Don't confuse initial connectivity problems with post-authentication issues. Focus on what happens after the connection is established.

Why the other options are wrong

B

A hidden SSID would prevent the SSID from appearing, but the user reports the SSID is visible, so this does not match the symptom.

C

PPP encapsulation on an AP uplink concerns Layer 2 framing, not the post-authentication VLAN or policy assignment that causes quarantine.

D

OSPF designated router election occurs at Layer 3 within routing, while the issue is about client VLAN placement after authentication, which is a Layer 2 access-control function.

1223
MCQhard

Why is administratively shutting down unused switch ports considered a useful hardening practice?

A.Because it reduces attack surface by removing unused active connection points.
B.Because it forces all users to manage devices with SSH.
C.Because it converts remaining ports into trunks.
D.Because it replaces VLAN segmentation.
AnswerA

This is correct because unused enabled ports are avoidable exposure points.

Why this answer

Unused active ports create unnecessary exposure. In practical terms, if a port is not needed, leaving it active gives someone an opportunity to connect a device where no legitimate business need exists. Shutting the port down removes that access point and reduces attack surface.

This is a simple but effective hardening measure. It does not replace other controls, but it removes a risk that does not need to exist in the first place.

Exam trap

Do not confuse port shutdown with performance improvements or VLAN configuration changes; focus on security implications.

Why the other options are wrong

B

This option is incorrect because administratively shutting down unused switch ports does not enforce SSH for device management; it simply disables unused ports to enhance security.

C

This option is wrong because administratively shutting down unused switch ports does not convert remaining ports into trunk ports; it simply disables access ports to enhance security.

D

This option is wrong because administratively shutting down unused switch ports does not directly replace VLAN segmentation; rather, it focuses on reducing the number of active ports to mitigate security risks.

1224
MCQmedium

A user reports that websites can be opened by IP address but not by hostname. Which service is the strongest suspect?

A.DNS
B.STP
C.PAT
D.Port security
AnswerA

This is correct because DNS is responsible for hostname resolution.

Why this answer

DNS is the strongest suspect because the network path clearly works at the IP layer. In practical terms, if the user can reach the site by numeric address, then routing and basic connectivity are functioning. The missing piece is name resolution, and that is exactly what DNS provides.

This is one of the clearest troubleshooting patterns in networking. If names fail but IP works, start with DNS.

Exam trap

A common exam trap is selecting PAT or port security as the cause of hostname resolution failure. PAT manages IP address translation for outbound connections but does not resolve hostnames, so it cannot cause DNS failures. Similarly, port security restricts switch port access based on MAC addresses and does not affect DNS or name resolution.

Another tempting but incorrect choice is STP, which operates at Layer 2 to prevent loops and has no role in IP name resolution. Candidates must avoid confusing these distinct network services and focus on DNS when hostname resolution fails but IP connectivity works.

Why the other options are wrong

B

STP (Spanning Tree Protocol) is incorrect because it operates at Layer 2 to prevent network loops and does not handle hostname resolution or IP services.

C

PAT (Port Address Translation) is incorrect because it translates private IP addresses to public IPs for outbound traffic but does not affect DNS or hostname resolution.

D

Port security is incorrect because it controls access to switch ports based on MAC addresses and does not provide or affect hostname resolution services.

1225
MCQhard

Hosts on the inside network can reach the internet, but return traffic is failing after a new router was installed. The router's configuration shows that the LAN-facing interface has been configured with 'ip nat outside' and the WAN-facing interface with 'ip nat inside'. What configuration mistake is the most likely cause?

A.The NAT inside and outside interface roles are reversed.
B.The ACL must deny RFC1918 traffic before NAT can work.
C.PAT cannot use an interface address for overload.
D.The inside subnet must be configured as /24 on both interfaces.
AnswerA

That is the key problem shown.

Why this answer

NAT overload requires the LAN-facing interface to be marked as ip nat inside and the WAN-facing interface as ip nat outside. The exhibit shows those roles reversed, so translations will not occur correctly. The ACL itself is fine for matching the inside subnet.

Exam trap

A frequent exam trap is reversing the NAT inside and outside interface roles. Candidates may see that hosts can initiate traffic to the internet and mistakenly assume NAT is correctly configured. However, if the router’s interfaces are misassigned, return traffic from the internet will not be translated back to the inside hosts, causing connectivity failures.

This trap exploits the partial functionality of NAT where outbound packets appear to succeed but inbound packets fail, leading to confusion during troubleshooting and exam scenarios.

Why the other options are wrong

B

Incorrect. The ACL in NAT configurations is used to identify which inside addresses to translate, not to filter or deny traffic. Denying RFC1918 traffic in the ACL is unnecessary and unrelated to the NAT failure described.

C

Incorrect. Using the outside interface IP address for PAT overload is a standard and supported practice in Cisco NAT configurations. This option does not explain the return traffic failure.

D

Incorrect. The inside subnet should only be configured on the LAN interface. The WAN interface typically uses a different subnet and should not share the inside subnet.

This misconfiguration would cause routing issues but is not the primary cause of NAT return traffic failure here.

1226
Multi-Selecthard

Which two statements about AAA on Cisco devices are correct? Choose two.

Select 2 answers
A.Authentication verifies identity
B.Authorization determines what an authenticated user is allowed to do
C.Accounting replaces the need for local usernames entirely
D.AAA can only be used with RADIUS and not TACACS+
AnswersA, B

Authentication answers who the user is.

Why this answer

AAA breaks access control into authentication (who you are), authorization (what you may do), and accounting (what you did). TACACS+ is commonly preferred for device administration because it separates all three functions and encrypts the entire packet body, whereas RADIUS combines authentication and authorization and encrypts only the password.

Exam trap

A common exam trap is assuming that accounting replaces the need for local usernames or authentication sources. Accounting only logs user activities and does not authenticate or authorize users. Another frequent mistake is believing AAA supports only RADIUS and not TACACS+.

Cisco AAA supports both protocols, with TACACS+ often preferred for device administration due to its full payload encryption and separation of AAA functions. Misunderstanding these roles can lead to incorrect answer choices and confusion during the exam.

Why the other options are wrong

C

Option C is incorrect because accounting only logs user activities and does not replace the need for local usernames or authentication sources on Cisco devices.

D

Option D is incorrect as AAA supports both RADIUS and TACACS+ protocols; it is not limited to RADIUS, and TACACS+ is commonly used for device administration.

1227
MCQhard

A host uses the subnet mask 255.255.255.240. How many usable host addresses exist in each subnet?

A.12
B.14
C.16
D.30
AnswerB

This is correct because a /28 has 16 total addresses minus 2 reserved equals 14 usable hosts.

Why this answer

The mask 255.255.255.240 corresponds to /28. In practical terms, that leaves 4 host bits, which gives 16 total addresses in each subnet. After subtracting the network and broadcast addresses, 14 usable hosts remain.

This is a classic host-capacity calculation and a very common subnetting pattern on the exam.

Exam trap

A frequent exam trap is selecting the total number of addresses in the subnet (16) instead of the usable host addresses (14). Candidates often forget to subtract the network and broadcast addresses, which are reserved and cannot be assigned to hosts. Another common mistake is confusing the /28 subnet mask with /27, which offers 30 usable hosts, leading to incorrect answers like 30.

This confusion arises because both subnet masks are close in size but differ significantly in host capacity. Always remember that usable hosts equal total addresses minus two reserved addresses.

Why the other options are wrong

A

Option A states 12 usable hosts, which is incorrect because a /28 subnet provides 16 total addresses. Subtracting the network and broadcast addresses leaves 14 usable hosts, not 12. This option underestimates the host capacity.

C

Option C claims 16 usable hosts, which is incorrect because 16 represents the total number of addresses in the subnet, including network and broadcast addresses. Usable hosts must exclude these two reserved addresses.

D

Option D suggests 30 usable hosts, which corresponds to a /27 subnet mask (255.255.255.224), not /28. This overestimates the host count for the given subnet mask and is therefore incorrect.

1228
MCQhard

An enterprise network uses an IPv6 dual-stack design. Router R1 has a primary default route ::/0 via 2001:db8:1::1 with AD 1 and a floating default route with AD 10 via link-local address fe80::2. After the primary link fails, the floating route fails to install, and R1 loses all external connectivity. The administrator confirms the backup interface is up/up. Which statement explains why the floating route is not installed?

A.The administrative distance of the backup route is 10, so it is not installed while the primary route still exists.
B.The floating static route uses a link-local next-hop but does not specify an exit interface, making the route incomplete.
C.The floating static route will be installed only if the primary link is administratively shut down, not after a physical failure.
D.The next-hop fe80::2 is unreachable because IPv6 neighbor discovery is disabled on the backup interface.
AnswerB

A static route with a link-local next-hop requires an exit interface to be valid; omitting it causes the route to stay out of the routing table.

Why this answer

Option B is correct because a floating static route using a link-local next-hop (fe80::2) must also name the exit interface (e.g., GigabitEthernet0/1), which is given before the next-hop in the 'ipv6 route' command. A link-local address is unique only per link, so without the interface the router cannot know where to perform neighbor discovery for fe80::2; IOS refuses such a route (it reports that an interface has to be specified for a link-local next hop), so the mistake is visible at configuration time, not only at failover.

Exam trap

Cisco often tests the requirement that IPv6 static routes with link-local next-hops must include an exit interface, tricking candidates into thinking the route is valid without it or misattributing the failure to administrative distance or interface status.

Why the other options are wrong

A

A floating static route with a higher AD is installed when the lower AD route is removed because of interface failure.

C

Floating static routes do not distinguish between physical and administrative interface down events; the primary route is removed in both cases.

D

The immediate cause is the missing exit interface; neighbor discovery configuration does not make an incomplete static route valid.

1229
PBQhard

You are connected to R1. Configure IPv4 and IPv6 static routes so that R1 can reach the loopback networks on R2 (192.0.2.0/24 and 2001:db8:1::/32) via G0/0. Also, configure a floating static default route via G0/1 (next-hop 203.0.113.2) with an administrative distance of 200 so that it is only used if the directly connected default route fails. The current configuration has a recursive routing failure for the IPv6 route and a missing default route.

Network Topology
R1 G0/0 10.0.0.1/30 <---> R2 G0/0 10.0.0.2/30

Hints

  • Check the IPv6 next-hop: is it directly connected?
  • Floating static routes require a higher administrative distance than the primary route.
  • Use the exit interface for the IPv6 static route to avoid recursive lookup failure.
A.ip route 0.0.0.0 0.0.0.0 203.0.113.2 200 ipv6 route 2001:db8:1::/32 GigabitEthernet0/0
B.ip route 0.0.0.0 0.0.0.0 203.0.113.2 200 ipv6 route 2001:db8:1::/32 2001:db8:0:1::2
C.ip route 0.0.0.0 0.0.0.0 203.0.113.2 ipv6 route 2001:db8:1::/32 GigabitEthernet0/0
D.ip route 0.0.0.0 0.0.0.0 203.0.113.2 200 ipv6 route 2001:db8:1::/32 2001:db8:0:1::2 200
AnswerA
solution
! R1
no ipv6 route 2001:db8:1::/32 2001:db8:0:1::2
ipv6 route 2001:db8:1::/32 GigabitEthernet0/0
no ip route 0.0.0.0 0.0.0.0 203.0.113.2
ip route 0.0.0.0 0.0.0.0 203.0.113.2 200

Why this answer

The IPv6 static route uses a next-hop address (2001:db8:0:1::2) that lies in no connected subnet; the router attempts a recursive lookup for it, finds no route, and never installs the prefix. The fix is to point the route at the exit interface (GigabitEthernet0/0) instead. The IPv4 default route toward 203.0.113.2 exists with the default AD of 1, so it cannot act as a floating route; re-enter it with AD 200 so that it is used only when the preferred default (if one exists) is withdrawn.

The task did not require a connected default route, so the floating static is the only default and is installed as long as G0/1 is up.

Exam trap

Watch out for recursive routing failures when using a next-hop address that is not directly connected. For floating static routes, always specify a higher AD than the primary route's AD.

Why the other options are wrong

B

The IPv6 next-hop 2001:db8:0:1::2 is not reachable via a directly connected network; the router cannot resolve it.

C

The administrative distance must be set to a higher value (e.g., 200) to make it a floating route.

D

The IPv6 route fails due to recursive lookup failure; adding AD does not fix the next-hop issue.
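The installability rules behind questions 1228 and 1229, as an added example that is not part of the page: it checks a proposed static route the way a router does before installing it (a link-local next hop needs an exit interface; a global next hop given without an interface must resolve, modelled here as lying inside a connected subnet) and shows which candidate for a prefix wins by administrative distance. The interface table and addresses are constructed for the example.

```python
import ipaddress

# Constructed R1 interface table for the example (not the page's exhibit).
CONNECTED = {
    "GigabitEthernet0/0": ["10.0.0.1/30", "2001:db8:0:0::1/64"],
    "GigabitEthernet0/1": ["203.0.113.1/30", "2001:db8:0:ff::1/64"],
}


def validate_static_route(prefix, next_hop=None, interface=None, connected=CONNECTED):
    """Decide whether a static route as typed can be installed.

    Returns (installable, reason). Rules modelled:
      * a link-local IPv6 next hop is only meaningful together with an exit
        interface, because fe80:: addresses are not unique across links;
      * a global next hop given without an interface must resolve; this model
        accepts it only when it lies inside a connected subnet (a real router
        would also recurse through any other route to it);
      * a named exit interface must exist on the device.
    """
    net = ipaddress.ip_network(prefix, strict=False)  # raises on a malformed prefix
    if interface is not None and interface not in connected:
        return False, f"no such interface: {interface}"
    if next_hop is None:
        if interface is None:
            return False, "a static route needs a next hop, an exit interface, or both"
        return True, f"{net} directly attached via {interface}"
    nh = ipaddress.ip_address(next_hop)
    if nh.version != net.version:
        return False, f"next hop {nh} is not the same address family as {net}"
    if nh.version == 6 and nh.is_link_local and interface is None:
        return False, f"link-local next hop {nh} requires an exit interface"
    if interface is not None:
        return True, f"{net} via {nh} out {interface}"
    for ifname, addrs in connected.items():
        for a in addrs:
            if nh in ipaddress.ip_interface(a).network:
                return True, f"{net} via {nh}, resolved to connected {ifname}"
    return False, f"next hop {nh} is in no connected subnet (recursive lookup fails)"


def installed_route(candidates):
    """Among candidates for one prefix, the usable one with the lowest
    administrative distance is installed; a floating static (higher AD) only
    appears once the primary is unusable, e.g. because its interface went down."""
    usable = [c for c in candidates if c["usable"]]
    return min(usable, key=lambda c: c["ad"]) if usable else None


if __name__ == "__main__":
    # question 1228: link-local next hop without an interface never installs
    print(validate_static_route("::/0", "fe80::2"))
    print(validate_static_route("::/0", "fe80::2", "GigabitEthernet0/1"))
    # question 1229: next hop outside every connected subnet vs. exit interface
    print(validate_static_route("2001:db8:1::/32", "2001:db8:0:1::2"))
    print(validate_static_route("2001:db8:1::/32", interface="GigabitEthernet0/0"))
    # floating default: AD 200 is installed only when the AD 1 route is gone
    print(installed_route([{"via": "primary", "ad": 1, "usable": False},
                           {"via": "203.0.113.2", "ad": 200, "usable": True}]))
```

The first two calls reproduce the 1228 failure and its fix; the next two reproduce the 1229 recursive-lookup failure and the exit-interface fix. Note that naming only an exit interface on a multi-access (Ethernet) link makes the router treat every destination in the prefix as directly attached and resolve each with neighbor discovery, so on a LAN the preferred form is interface plus next hop.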

1230
PBQhard

You are connected to R1, a router acting as a network access server for 802.1X authentication on interface GigabitEthernet0/1. Configure AAA with a RADIUS server at 192.0.2.10 (key 'cisco123') so that the default login authentication uses RADIUS first, then local fallback. Additionally, troubleshoot why a connected supplicant on G0/1 remains in the unauthorized state even though RADIUS is reachable and the supplicant credentials are correct.

Hints

  • Check if AAA is enabled globally.
  • The RADIUS server configuration must include the correct IP address and shared secret.
  • The default authentication list must specify RADIUS first, then local fallback.
A.Enable AAA with 'aaa new-model', configure RADIUS server 'RADIUS_SERVER' with key 'cisco123', and apply 'aaa authentication login default group radius local'.
B.Configure 'aaa authentication login default local' and add the RADIUS server with 'radius-server host 192.0.2.10 key cisco123'.
C.Enable AAA with 'aaa new-model' and configure 'aaa authentication login default group radius' without local fallback.
D.Configure 'aaa new-model', then apply 'dot1x system-auth-control' and 'aaa authentication dot1x default group radius'.
AnswerA
solution
! R1
configure terminal
aaa new-model
radius server RADIUS_SERVER
address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
key cisco123
aaa authentication login default group radius local
end
write memory

Why this answer

The problem is that AAA is not enabled (no aaa new-model) and no RADIUS server is configured, so the router has no way to reach the RADIUS server and the supplicant is never authenticated. The fix requires enabling AAA with 'aaa new-model', configuring the RADIUS server with 'radius server RADIUS_SERVER' and its key, then applying a default authentication list that uses RADIUS with local fallback via 'aaa authentication login default group radius local'. After these commands, the port should transition to the authorized state for valid credentials. In practice, port-based 802.1X additionally depends on 'dot1x system-auth-control' and an 'aaa authentication dot1x default group radius' list; the graded fix in this task is the missing AAA and RADIUS server configuration.

Exam trap

The exam trap is confusing the different AAA authentication types: 'login' for management access (console, SSH, etc.) versus 'dot1x' for port-based network access control. Also, ensure that the RADIUS server is referenced in the authentication list; simply configuring the server does not make it active.

Why the other options are wrong

B

The specific factual error is that the authentication list must include 'group radius' to use RADIUS; 'local' alone bypasses RADIUS.

C

The specific factual error is omitting 'local' from the authentication list, which violates the requirement for fallback.

D

The specific factual error is confusing 'aaa authentication login' with 'aaa authentication dot1x'. They serve different purposes.

1231
MCQmedium

A network administrator needs to configure VLANs and access ports on 200 managed switches across multiple locations. The administrator requires a solution that uses a push‑based deployment model, does not require any agent software to be installed on the switches, and can be executed from a central control node. Which automation tool is most suitable for this task?

A.Puppet
B.Chef
C.Ansible
D.Python scripts
AnswerC

Ansible operates in a push mode over SSH, requiring no agents on managed devices.

Why this answer

Ansible is the most suitable tool because it uses a push-based model (SSH) to apply configurations directly to network devices without requiring any agent software. It operates from a central control node, making it ideal for managing 200 switches across multiple locations with a single playbook execution.

Exam trap

Cisco often tests the distinction between push-based (Ansible) and pull-based (Puppet, Chef) models, and the trap here is assuming that any scripting language like Python is a complete automation tool rather than a component that requires additional orchestration.

Why the other options are wrong

A

Requires agents and is pull‑based, failing both the agentless and push requirements.

B

Agents are mandatory, and the pull mechanism contradicts the push requirement.

D

Lacks built‑in push‑based orchestration, idempotency, and agentless design without significant custom development, making it less suitable than a purpose‑built tool.

1232
MCQhard

Refer to the exhibit. A network technician is troubleshooting router R1, which cannot reach hosts on the internet. R1 is connected to an ISP router at 203.0.113.1. The exhibit shows the output of the show ip route command. What is the most likely cause of the issue?

A. A static default route is not configured on R1, and OSPF is not advertising a default route.
B. The OSPF neighbor relationship with the ISP router is down.
C. The interface connecting to the ISP router is in a shutdown state.
D. An incorrect next-hop address was specified in the static default route, making the route invalid.
Answer: A

The output explicitly shows 'Gateway of last resort is not set' and no 0.0.0.0/0 route. A default route is required to reach external networks like the internet. The OSPF-learned route proves the OSPF adjacency is up, but the absence of an O*E2 or similar default route indicates that default-information originate is not configured.

Why this answer

The exhibit shows 'Gateway of last resort is not set' and no route entry for 0.0.0.0/0 (default route). Without a default route, R1 has no path to forward unknown destinations, such as internet hosts. The OSPF neighbor is active (192.168.2.0/24 learned via OSPF), but no default route is being originated by OSPF.

Therefore, a static default route or OSPF default-information originate command is missing.

Exam trap

Candidates may incorrectly think that the OSPF neighbor relationship with the ISP router is down, but the exhibit shows an OSPF-learned route (192.168.2.0/24), proving the OSPF adjacency is up. They might also assume a static default route exists but is invalid, but the absence of any S* entry and the 'Gateway of last resort is not set' indicate no default route is configured at all.

Why the other options are wrong

B

Candidates often assume OSPF is not working at all when a default route is missing, ignoring other OSPF routes in the table.

C

Candidates may assume any connectivity failure means an interface is disabled, but the routing table would show no connected network if the interface were shut down.

D

Candidates might think a misconfigured static route would cause the problem, but they overlook that the route would still appear in the table, just with a different next-hop.

1233
MCQ · hard

Dynamic ARP Inspection is most effective at preventing which attack?

A. SYN flood
B. ARP spoofing
C. Route summarization error
D. Rogue DHCP relay
Answer: B

Correct. DAI is designed to stop forged ARP information.

Why this answer

Dynamic ARP Inspection (DAI) validates ARP packets on a per-interface basis, dropping invalid ARP replies and thus preventing ARP spoofing and poisoning attacks. Option A (SYN flood) is a Layer 4 TCP attack mitigated by TCP flood protection or SYN cookies, not DAI. Option C (route summarization error) is a routing misconfiguration unrelated to ARP security.

Option D (rogue DHCP relay) is prevented by DHCP snooping, which works alongside DAI but DAI itself does not block rogue DHCP relays.

Exam trap

Be careful not to confuse ARP spoofing with other types of spoofing attacks like IP or DNS spoofing.

Why the other options are wrong

A

SYN flood is a Layer 4 TCP attack that is blocked by flood guards, not by DAI.

C

Route summarization error is a routing protocol misconfiguration and is unrelated to ARP packet validation.

D

Rogue DHCP relay is mitigated by DHCP snooping, not by Dynamic ARP Inspection.

1234
PBQ · hard

You are connected to R1. The network consists of R1, SW1, and two VLANs (10 and 20). SW1 has hosts in VLAN 10 and VLAN 20 connected to its access ports. Configure R1 for router-on-a-stick inter-VLAN routing using subinterfaces on G0/0. The physical interface G0/0 is administratively up (no shutdown). The current configuration is incomplete and has errors preventing communication between the VLANs. Fix the configuration so that hosts in VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24) can ping each other through R1.

Hints

  • Check the global configuration for the 'ip routing' command.
  • Verify that the subinterfaces have correct encapsulation and IP addresses.
  • Ensure the trunk between R1 and SW1 allows VLANs 10 and 20, and native VLAN matches.

A. Enable IP routing with the 'ip routing' global configuration command.
B. Change the encapsulation on subinterface G0/0.10 to dot1Q 20 and on G0/0.20 to dot1Q 10.
C. Add the 'no shutdown' command on the physical interface G0/0.
D. Configure the native VLAN on the trunk to match the subinterface for VLAN 1.
Answer: A
solution
! R1
configure terminal
ip routing
end

Why this answer

The primary fault is that IP routing is disabled globally on R1 (missing 'ip routing' command), so even though subinterfaces are correctly configured, the router cannot route between VLANs. The physical interface G0/0 is already administratively up, so issuing 'no shutdown' would not fix the problem. Thus, enabling 'ip routing' resolves the inter-VLAN communication issue.

The other options either incorrectly swap encapsulation or address a native VLAN scenario not indicated in the exhibit.

Exam trap

Do not assume that configuring subinterfaces and IP addresses is sufficient for inter-VLAN routing. The 'ip routing' command is required to enable the router's forwarding capability. Many candidates forget this global command and waste time troubleshooting other aspects.

Why the other options are wrong

B

Swapping the encapsulation would map VLAN 10 to the wrong VLAN ID, breaking connectivity.

C

The physical interface is already up; adding 'no shutdown' is redundant and does not resolve the missing routing capability.

D

The native VLAN on the trunk is not the cause of the problem, and the subinterface for VLAN 1 is not required for inter-VLAN routing.

1235
MCQ · hard

A network technician applies an extended ACL outbound on the WAN interface Gi0/0 to block traffic from the 10.0.0.0/8 network to internet hosts. After applying the ACL, internal users report they cannot access any web pages because return traffic from internet hosts is being dropped. The technician verifies the ACL entries and finds only statements controlling outbound traffic. What is the most appropriate next action?

A. Add the established keyword to the ACL to permit return traffic for existing sessions.
B. Add a new access-list entry permitting all traffic from internet hosts to the 10.0.0.0/8 network.
C. Remove the outbound ACL and apply a new inbound ACL on the same interface.
D. Replace the ACL with a stateful firewall rule set.
Answer: A

The established keyword allows TCP return traffic that matches sessions originated from the internal network. It is the standard method to handle stateful return traffic with a stateless ACL.

Why this answer

Extended ACLs are stateless; they inspect each packet individually without tracking session state. When an outbound ACL permits outbound traffic from the inside network to the internet, the return traffic is not automatically allowed. The established keyword in a TCP access-list entry matches packets that have the ACK or RST bits set, indicating they belong to an established session.

Adding this keyword to a permit statement for return traffic allows the router to dynamically permit responses to internally initiated connections without opening the network to all inbound traffic. This addresses the transport layer (Layer 4) state required for bidirectional communication.

Exam trap

Many candidates choose to add a specific permit ACE for return traffic (e.g., permitting all traffic from any internet host to the 10.0.0.0/8 network). This option is a trap because it opens a blanket inbound rule that is administratively unscalable and insecure, whereas the established keyword granularly allows only return flows for sessions initiated from the trusted side.

Why the other options are wrong

B

Candidates assume that any missing traffic must be explicitly permitted, but this ignores the need for stateful inspection and leads to an overly permissive rule.

C

Candidates mistakenly think that moving the ACL to inbound direction will inherently permit return traffic because it inspects packets entering the interface, but the ACL still processes each packet individually without keeping state.

D

Candidates may think that only a stateful firewall can handle return traffic, overlooking the established keyword's capability to emulate stateful behavior for TCP traffic on an ACL.
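Added example (not from the question bank and not Cisco code): a Python model of stateless ACL evaluation that shows what the established keyword matches and what it does not, assuming the ACL is applied inbound on the WAN interface; the packet fields, ACE representation and sample addresses are constructed.

```python
"""Stateless extended ACL evaluation with the TCP 'established' keyword.

Added example, not code from the original question bank or from Cisco. It models
a Cisco-style ACL applied inbound on the WAN interface: every packet is judged on
its own, and a 'permit tcp any 10.0.0.0 0.255.255.255 established' entry admits
only TCP packets carrying ACK or RST, i.e. replies to sessions the inside opened.
Packet fields, sample addresses and the ACE representation are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# TCP flag bits as laid out in the header's flags byte.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

ANY = IPv4Network("0.0.0.0/0")
INSIDE = IPv4Network("10.0.0.0/8")      # written as 10.0.0.0 0.255.255.255 in IOS


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    flags: int = 0      # TCP flags; ignored for other protocols


@dataclass(frozen=True)
class Ace:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches any protocol
    src: IPv4Network
    dst: IPv4Network
    established: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if IPv4Address(pkt.src) not in self.src or IPv4Address(pkt.dst) not in self.dst:
            return False
        if self.established:
            # 'established' never tracks state; it only tests the ACK or RST bit,
            # which a brand-new SYN does not carry and a UDP datagram cannot carry.
            return pkt.proto == "tcp" and bool(pkt.flags & (ACK | RST))
        return True


def evaluate(acl: list[Ace], pkt: Packet) -> str:
    """First matching ACE wins; the implicit 'deny ip any any' ends every ACL."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


def established_acl() -> list[Ace]:
    """permit tcp any 10.0.0.0 0.255.255.255 established (then the implicit deny)."""
    return [Ace("permit", "tcp", ANY, INSIDE, established=True)]


def blanket_acl() -> list[Ace]:
    """Option B from the question: permit ip any 10.0.0.0 0.255.255.255."""
    return [Ace("permit", "ip", ANY, INSIDE)]


# Constructed packets arriving inbound on the WAN interface (198.51.100.0/24 is documentation space).
SYN_ACK_REPLY = Packet("198.51.100.7", "10.1.1.10", "tcp", SYN | ACK)   # server answering an inside client
UNSOLICITED_SYN = Packet("198.51.100.7", "10.1.1.10", "tcp", SYN)        # outside host opening a new session
DNS_REPLY = Packet("198.51.100.53", "10.1.1.10", "udp")                  # UDP reply: 'established' cannot help


def compare() -> dict[str, tuple[str, str]]:
    """Verdict of the established ACL and of the blanket ACL for each sample packet."""
    samples = {"syn_ack_reply": SYN_ACK_REPLY,
               "unsolicited_syn": UNSOLICITED_SYN,
               "dns_reply": DNS_REPLY}
    return {name: (evaluate(established_acl(), p), evaluate(blanket_acl(), p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (with_established, blanket) in compare().items():
        print(f"{name:16} established-ACL={with_established:7} blanket-permit={blanket}")
```

The dns_reply row is the caveat: established is a TCP-only match, so UDP replies need their own permit entries, while the blanket permit lets the unsolicited SYN through as well.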

1236
MCQ · medium

An automation script must retrieve the current configuration state of a device from a REST API without modifying anything. Which HTTP method should it use?

A. DELETE
B. GET
C. PUT
D. POST
Answer: B

This is correct because GET is the standard HTTP method for retrieving data without changing the resource.

Why this answer

When a script only needs to read information, the normal REST choice is GET. In plain terms, GET asks the server, “Show me the current data,” without telling it to create, replace, or delete anything. That is why GET is the standard method for retrieving device state, configuration details, statistics, or inventory information from an API endpoint.

The other methods imply change. POST commonly creates or submits data. PUT commonly updates an existing resource. DELETE removes something. For a read-only query, GET is the clean and expected method.

Exam trap

Avoid confusing HTTP methods that modify data (POST, PUT, DELETE) with GET, which is read-only.

Why the other options are wrong

A

The DELETE method is used to remove a resource from the server, which directly modifies the state of the device's configuration. Since the question specifies that the script must retrieve the configuration without making any modifications, DELETE is not appropriate.

C

The PUT method is used to update or replace a resource on a server, which contradicts the requirement of retrieving the current configuration state without making any modifications.

D

The POST method is used to send data to a server to create or update a resource, which contradicts the requirement of retrieving the current configuration state without modifying anything.

1237
MCQ · hard

A network administrator notices that file transfers to a server are extremely slow, and on the switch interface connecting to the server, the output of 'show interfaces' indicates a high number of runts and CRC errors, but no collisions. Which of the following is the most likely cause?

A. The cable connecting the server to the switch is faulty.
B. The switch port is configured for full-duplex, but the server's NIC is set to half-duplex.
C. The switch port speed is set to 100 Mbps, but the server NIC is set to 10 Mbps.
D. The server's NIC driver is outdated, causing packet loss.
Answer: B

A duplex mismatch where the switch uses full-duplex and the server uses half-duplex results in the full-duplex side (switch) showing runts and CRC errors without collisions, while the half-duplex side sees collisions. This matches the 'show interfaces' output and explains the slow transfers due to excessive retransmissions.

Why this answer

The combination of runts (frames smaller than 64 bytes) and CRC errors with zero collisions is a classic symptom of a duplex mismatch. When one side operates at full-duplex and the other at half-duplex, the half-duplex side will detect collisions and invoke its backoff algorithm, causing the full-duplex side to receive truncated frames (runts) and frames with invalid FCS (CRC errors). The switch interface statistics show no collisions because the switch port is full-duplex and does not detect collisions, while the server's half-duplex NIC is causing the corruption.

Exam trap

Cisco often tests the distinction between symptoms of duplex mismatch versus cable faults, where candidates mistakenly attribute runts and CRC errors to a bad cable, ignoring the critical clue of zero collisions that points to a mismatch.

Why the other options are wrong

A

While a faulty cable could cause CRC errors, it would likely produce other error types and might not exhibit the specific pattern of only runts and CRC errors with no collisions. This pattern strongly points to a duplex mismatch.

C

A speed mismatch would generally cause the link to fail entirely; you wouldn't see interface errors because there would be no connectivity. The scenario describes connectivity with errors, so this is unlikely.

D

Outdated drivers may cause performance problems, but they do not produce the specific interface error counters on the switch. The recorded runts and CRC errors point to a physical or data-link layer issue, not a driver problem.

1238
MCQ · hard

A router has this command configured: `ip nat inside source static 192.168.1.50 203.0.113.50`. What is the main effect of this configuration?

A. It creates a permanent one-to-one translation between the inside host and a public address
B. It enables PAT overload for all internal users
C. It blocks inbound access to the inside host permanently
D. It changes the host subnet mask to a public prefix
Answer: A

This is correct because static NAT builds a fixed mapping from one inside local address to one inside global address.

Why this answer

This command creates a static NAT mapping between one inside local address and one inside global address. In plain language, the internal device at 192.168.1.50 will always appear as 203.0.113.50 to the outside world. That fixed relationship is useful when a particular internal host or service must be reachable consistently from outside networks.

This is different from PAT, which shares one public address across many sessions using ports. Static NAT is one-to-one and predictable. It does not dynamically pull from a pool in this syntax. The key idea is permanence: the same inside device is always mapped to the same outside address.

Exam trap

A common exam trap is mistaking static NAT for PAT or dynamic NAT. Candidates may incorrectly assume that the command enables PAT overload, allowing many internal users to share one public IP, but static NAT provides a fixed one-to-one mapping without port translation. Another trap is thinking static NAT blocks inbound traffic; in reality, it enables inbound access to the mapped inside host.

Misunderstanding these differences can lead to selecting incorrect answers about NAT behavior and configuration.

Why the other options are wrong

B

This option is incorrect because PAT overload uses a different command syntax involving 'overload' and allows many internal hosts to share one public IP, which is not the case here.

C

This option is wrong since static NAT does not inherently block inbound access; instead, it enables external hosts to reach the inside host via the mapped public IP.

D

This option is incorrect because NAT translation does not modify the subnet mask of the inside host; it only changes the IP address seen externally.

1239
MCQ · medium

Which port-security violation mode drops frames from unauthorized MAC addresses but keeps the interface up and does not send an SNMP trap or syslog message?

A. protect
B. restrict
C. shutdown
D. shutdown vlan
Answer: A

Correct. Protect is the quietest enforcement mode.

Why this answer

Protect silently drops frames from unauthorized sources while leaving the interface up. Restrict also drops frames but increments the violation counter and can generate notifications.

Exam trap

Be careful not to confuse Protect with Restrict, as both drop frames but only Restrict sends notifications.

Why the other options are wrong

B

The 'restrict' mode drops frames from unauthorized MAC addresses while sending SNMP traps and syslog messages, which contradicts the requirement of keeping the interface up without notifications.

C

The 'shutdown' mode disables the interface when a violation occurs, which is contrary to the requirement of keeping the interface up. It also does not align with the need to drop frames without sending SNMP traps or syslog messages.

D

The 'shutdown vlan' mode disables the entire VLAN when a violation occurs, which is not aligned with the requirement to keep the interface up. This option also typically sends SNMP traps or syslog messages, which contradicts the question's criteria.

1240
Matching · medium

Match each management-plane security item to its most accurate purpose.

Concepts and matches

  • SSH: Encrypted remote administration
  • AAA: Framework for authentication, authorization, and accounting
  • Syslog: Centralized event and message visibility
  • ACL: Traffic-filtering mechanism that can restrict management access sources

Why these pairings

SSH provides encrypted remote administration, ensuring confidentiality of management traffic. AAA is a framework that handles authentication, authorization, and accounting for user access. Syslog enables centralized logging and event visibility from network devices.

ACLs can filter traffic and be used to restrict which source IPs are allowed for management access. Each item directly maps to its described purpose without overlapping concepts.

Exam trap

Do not confuse encryption (SSH) with access control (AAA) or traffic filtering (ACLs). SSH is the only option that directly encrypts remote management traffic.

1241
MCQ · hard

R1 has routes to 172.16.10.0/24 from multiple sources. Which route will be installed?

A. The OSPF route with metric 20
B. The EIGRP internal route
C. The RIP route because hop count is lowest
D. The static route with administrative distance 95
Answer: B

EIGRP internal AD 90 is the lowest among the listed candidates.

Why this answer

Routers compare route source trust first using administrative distance. EIGRP internal routes have an AD of 90, which is lower than OSPF (110), RIP (120), and a static route with AD 95. Therefore, the EIGRP internal route is installed, regardless of metrics.

Exam trap

A common trap is confusing administrative distance with routing metric, causing candidates to choose OSPF due to its lower metric or the static route with AD 95 over the correct EIGRP route.

Why the other options are wrong

A

The OSPF route (AD 110) has a lower metric but a higher administrative distance than EIGRP, so it loses.

C

The RIP route (AD 120) has the highest administrative distance and loses regardless of its hop count metric.

D

The static route with AD 95 loses to the EIGRP internal route (AD 90) because a lower AD is preferred.

1242
Drag & Drop · hard

Drag and drop the following steps into the correct order to configure a new WLAN on a Cisco WLC using IOS-XE CLI, including WPA3-Personal security, and to complete a wireless client association with DHCP.


Why this order

The configuration order follows the Cisco IOS-XE WLC CLI: first enter global config, create the WLAN profile, set security (WPA3-Personal/SAE), enable the WLAN, then the client associates and gets an IP via DHCP.

Exam trap

Be careful with the order of operations: you must create the WLAN profile first, then configure security, then enable the WLAN. Also, remember that DHCP IP assignment occurs after the client associates, not before.

1243
Matching · easy

Match each common IP service to its primary purpose.

Concepts and matches

  • DNS: Resolution of names into IP-related information
  • DHCP: Automatic assignment of IP configuration to clients
  • NTP: Synchronization of time across devices
  • Syslog: Centralized collection of event and log messages

Why these pairings

DNS maps domain names to IP addresses. DHCP automates IP configuration. NTP synchronizes clocks across network devices.

Syslog collects and stores event messages from network devices for monitoring and troubleshooting.

Exam trap

Be careful not to confuse SSH with Telnet (unencrypted), DNS with DHCP (IP address assignment), or AAA with encryption or logging. Also, remember that NTP is for time synchronization, not file transfer.

1244
Multi-Select · hard

Which two conditions must match on two switch ports before they can successfully form a Layer 2 EtherChannel? (Choose two.)

Select 2 answers
A. The switchport mode and VLAN settings
B. The STP root bridge ID on both switches
C. The speed and duplex settings
D. The interface description
E. The ARP timeout value
Answers: A, C

Correct. Access/trunk mode and related VLAN settings must match across the member links.

Why this answer

Layer 2 EtherChannel members must have compatible Layer 2 configuration. Port mode, VLAN-related settings, speed, and duplex all need to align for the bundle to form correctly.

Exam trap

Remember that EtherChannel requires consistent speed and duplex settings, and also consistent switchport mode (access or trunk) and allowed VLANs.

Why the other options are wrong

B

This option is wrong because the STP root bridge ID does not directly affect the formation of an EtherChannel; EtherChannel requires matching port configurations, not spanning tree parameters.

D

The interface description does not affect the formation of an EtherChannel, as it is merely a label for identification purposes and does not influence Layer 2 connectivity or protocol negotiation.

E

The ARP timeout value does not affect the formation of a Layer 2 EtherChannel, as EtherChannel operates at Layer 2 and is concerned with port configurations, not Layer 3 settings like ARP.

1245
MCQ · medium

A network technician is troubleshooting a connectivity issue between two hosts. Host A sends a web request to Host B. The technician captures packets on the link between the two hosts and sees the data as '01010101...'. At which layer of the OSI model is this data being transmitted, and what is the correct PDU name for this layer?

A. Data Link layer; frames
B. Physical layer; bits
C. Network layer; packets
D. Transport layer; segments
Answer: B

At the Physical layer (Layer 1), data is transmitted as a stream of bits. The PDU is called 'bits'. This matches the capture of '01010101...'.

Why this answer

The data shown as '01010101...' represents raw binary bits being transmitted over the physical medium. At the Physical layer (Layer 1), data is encoded as electrical signals, light pulses, or radio waves, and the PDU is called bits. This matches the description of the captured data.

Exam trap

Cisco often tests the distinction between the Physical layer's raw bits and the Data Link layer's frames, expecting candidates to recognize that binary sequences without structure belong to Layer 1, not Layer 2.

Why the other options are wrong

A

The technician sees raw bits before framing, so this is not the Data Link layer.

C

The Network layer deals with logical addressing and routing, not the physical transmission of bits.

D

The Transport layer is above the Physical layer and does not deal with bit-level transmission.

1246
Multi-Select · medium

Which three options are true regarding the operation of Dynamic ARP Inspection (DAI) on a Cisco switch? (Choose three.)

Select 3 answers
A. DAI validates ARP packets based on the DHCP snooping binding database.
B. DAI can be configured to drop ARP packets with invalid MAC-to-IP address bindings.
C. DAI is typically enabled on untrusted ports that face end hosts.
D. DAI encrypts ARP replies to prevent eavesdropping.
E. DAI relies on the MAC address table to validate ARP requests.
F. DAI prevents rogue DHCP server attacks by inspecting DHCP offers.
Answers: A, B, C

Why this answer

Dynamic ARP Inspection (DAI) validates ARP packets by intercepting them on untrusted ports and checking the MAC-to-IP address binding against the DHCP snooping binding database. If the binding is invalid or missing, DAI drops the packet, preventing ARP spoofing attacks. This is why all three statements are correct: DAI relies on the DHCP snooping database, drops invalid bindings, and is enabled on untrusted ports facing end hosts.

Exam trap

Cisco often tests the misconception that DAI validates ARP packets using the MAC address table or ARP cache, when in fact it strictly relies on the DHCP snooping binding database.
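Added example (not Cisco code and not from the question bank) that models the DAI decision described in questions 1233 and 1246: ARP packets on untrusted ports are checked against the DHCP snooping binding table, trusted ports bypass the check, and unmatched packets are dropped. Ports, bindings, addresses and the drop-record wording are constructed.

```python
"""Dynamic ARP Inspection (DAI) decision logic, modelled in Python.

Added example, not Cisco code and not part of the original question bank. It mirrors
what questions 1233 and 1246 describe: ARP packets arriving on untrusted ports are
checked against the DHCP snooping binding table (VLAN, MAC, IP); trusted ports skip
the check; a packet with no matching binding is dropped and recorded. Bindings,
ports, addresses and the drop-record wording are all constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: the lease DHCP handed to this MAC on this VLAN."""
    vlan: int
    mac: str
    ip: str


@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str
    vlan: int
    sender_mac: str
    sender_ip: str
    opcode: str        # "request" or "reply"


@dataclass
class DaiSwitch:
    trusted_ports: frozenset[str]
    bindings: frozenset[Binding]
    drops: list[str] = field(default_factory=list)

    def inspect(self, pkt: ArpPacket) -> str:
        """Return 'forward' or 'drop' for one ARP packet, as DAI decides per packet."""
        if pkt.ingress_port in self.trusted_ports:
            return "forward"    # uplinks toward the DHCP server are trusted and bypass DAI
        claimed = Binding(pkt.vlan, pkt.sender_mac.lower(), pkt.sender_ip)
        if claimed in self.bindings:
            return "forward"    # sender MAC/IP pair is exactly what DHCP leased on this VLAN
        # No binding: either a forged sender pair or a host DAI has never seen a lease for.
        self.drops.append(f"{pkt.ingress_port} vlan {pkt.vlan} {pkt.opcode} "
                          f"{pkt.sender_mac}/{pkt.sender_ip}: no DHCP snooping binding")
        return "drop"


def build_switch() -> DaiSwitch:
    """Constructed access switch: Gi0/24 is the uplink, two leased hosts in VLAN 10."""
    return DaiSwitch(
        trusted_ports=frozenset({"Gi0/24"}),
        bindings=frozenset({
            Binding(10, "00:11:22:33:44:55", "192.168.10.11"),
            Binding(10, "00:11:22:33:44:66", "192.168.10.12"),
        }),
    )


def run_samples() -> dict[str, str]:
    """Feed constructed ARP packets through DAI and return each verdict."""
    sw = build_switch()
    samples = {
        # Host answering with the MAC/IP pair DHCP actually leased to it.
        "legit_reply": ArpPacket("Gi0/1", 10, "00:11:22:33:44:55", "192.168.10.11", "reply"),
        # Host on Gi0/2 asserting the gateway's IP with its own MAC: the poisoning DAI exists to stop.
        "forged_gateway": ArpPacket("Gi0/2", 10, "00:11:22:33:44:66", "192.168.10.1", "reply"),
        # Same MAC as a valid binding but presented on the wrong VLAN: the whole tuple must match.
        "wrong_vlan": ArpPacket("Gi0/3", 20, "00:11:22:33:44:55", "192.168.10.11", "request"),
        # Anything from the trusted uplink is forwarded without a lookup.
        "uplink": ArpPacket("Gi0/24", 10, "00:aa:bb:cc:dd:ee", "192.168.10.1", "reply"),
    }
    return {name: sw.inspect(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:15} {verdict}")
```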

1247
MCQ · hard

Refer to the exhibit. A network engineer is troubleshooting an OSPFv2 neighbor adjacency that remains in the DOWN state between R1 and R2. The engineer issues the show cdp neighbors detail command on R1 and confirms that R1's GigabitEthernet0/1 interface is configured with IP address 192.168.1.1/30. What is the most likely cause of the problem?

A. The OSPF area IDs configured on R1 and R2 do not match.
B. There is an MTU mismatch between the two routers.
C. The IP addresses on the connected interfaces are in different subnets.
D. OSPF authentication is configured incorrectly on one of the routers.
Answer: C

The CDP entry for R2 shows an IP address of 10.1.1.2, while the local interface on R1 has 192.168.1.1/30, which is a different subnet. OSPF requires both ends of a link to share a common subnet.

Why this answer

The correct answer is C because OSPFv2 requires that neighboring interfaces share a common subnet to form an adjacency. The show cdp neighbors detail output confirms R1's GigabitEthernet0/1 is configured with IP address 192.168.1.1/30, but if R2's interface is on a different subnet (e.g., 192.168.2.0/30), the routers will not be able to communicate OSPF Hello packets, leaving the neighbor state in DOWN. This is a fundamental OSPF neighbor formation requirement, and a subnet mismatch will prevent the adjacency from progressing past the DOWN state.

Exam trap

Cisco often tests the specific OSPF neighbor state where a subnet mismatch causes the adjacency to remain in DOWN, tricking candidates into thinking it would cause a later state issue like EXSTART/EXCHANGE, which is actually associated with MTU or area ID mismatches.

Why the other options are wrong

A

Area mismatch is a valid cause but not supported by the given data; the IP addresses are on different subnets, which logically precedes area negotiation.

B

MTU is not shown; candidates may recall that mismatched MTU can cause OSPF problems but the scenario explicitly reveals an IP addressing inconsistency.

D

Authentication issues are common OSPF traps, but they are not indicated here; the IP address difference is explicitly observed.

1248
Multi-Select · medium

Which two statements accurately describe controller-based networking at the CCNA level?

Select 2 answers
A. A controller can centralize management and policy logic.
B. Northbound APIs can allow external applications to communicate with the controller.
C. Controllers eliminate all need for switches and routers.
D. Controllers are unrelated to automation.
E. Controllers require Telnet for all communication.
Answers: A, B

This is correct because centralization is a core feature of controller-based networking.

Why this answer

Option A is correct because a software-defined networking (SDN) controller centralizes management, policy logic, and network intelligence, reducing manual per-device configuration. Option B is correct because northbound APIs (e.g., REST APIs) allow external applications, orchestration tools, and automation scripts to interact with the controller for dynamic network control. Option C is wrong because controllers do not eliminate switches and routers; these devices still forward packets based on instructions from the controller.

Option D is wrong because controllers are fundamental to network automation—they provide programmable interfaces and centralized logic that enable automated provisioning and policy enforcement. Option E is wrong because modern controllers use secure communication channels such as HTTPS, SSH, or TLS, not Telnet (which is insecure and rarely used in controller architectures).

Exam trap

A frequent exam trap is selecting answers that imply controllers replace all network devices or that they are unrelated to automation. Some candidates mistakenly believe that controller-based networking removes the need for switches and routers, which is incorrect because these devices still perform actual packet forwarding. Others overlook the role of controllers in automation, ignoring that controllers expose northbound APIs specifically to enable external applications and automation tools to interact with the network.

Misunderstanding these points can lead to choosing incorrect options that overstate or understate the controller’s role.

Why the other options are wrong

C

This option is incorrect because controllers do not eliminate the need for switches and routers; these devices still perform the actual packet forwarding in the network.

D

This option is incorrect since controllers are highly relevant to automation, providing APIs and centralized control that enable automated network management workflows.

E

This option is incorrect because controller communication is not universally based on Telnet; modern controllers use secure protocols and APIs rather than relying solely on Telnet.

1249
PBQ · hard

Which option performs the RESTCONF operations correctly?

Network Topology: R1 G0/0 (192.168.1.1/30) is linked to R2 G0/0 (192.168.1.2/30).

Hints

  • Check the YANG module path: ietf-interfaces vs Cisco-IOS-XE-native
  • Ensure the Accept header matches the data format (yang-data+json)
  • For PATCH, the Content-Type must be application/yang-data+json, not application/json

A. GET /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0 with Accept: application/yang-data+json; then PATCH same URI with Content-Type: application/yang-data+json and body {"ietf-interfaces:interface":{"duplex":"full"}}; expect 204 No Content.
B. GET /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0 with Accept: application/json; then PATCH same URI with Content-Type: application/json and body {"duplex":"full"}; expect 204 No Content.
C. GET /restconf/data/Cisco-IOS-XE-native:interface/GigabitEthernet0/0 with Accept: application/yang-data+json; then PATCH same URI with Content-Type: application/yang-data+json and body {"Cisco-IOS-XE-native:interface":{"duplex":"full"}}; expect 204 No Content.
D. GET /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0 with Accept: application/yang-data+json; then PATCH same URI with Content-Type: application/yang-data+json and body {"duplex":"full"}; expect 200 OK.
Answer: A
solution
! R1
GET request URI: /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0
GET headers: Accept: application/yang-data+json
PATCH request URI: /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0
PATCH headers: Content-Type: application/yang-data+json
PATCH body: {"ietf-interfaces:interface": {"duplex": "full"}}

Why this answer

The correct base URI for RESTCONF is /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0. The Accept header must be application/yang-data+json. If the Content-Type header is incorrect (e.g., application/json), the router will return a 415 Unsupported Media Type error.

Using the wrong YANG module path, such as Cisco-IOS-XE-native:interface/GigabitEthernet0/0, will result in a 404 Not Found because the data model does not match. After a successful GET, the PATCH request must include the same URI with Content-Type: application/yang-data+json and a JSON body specifying "duplex": "full". The response should be a 204 No Content if successful.

Exam trap

Watch out for the required media type: RESTCONF uses application/yang-data+json, not generic application/json. Also, the YANG path must match the data model; for standard interface settings, use ietf-interfaces, not Cisco-IOS-XE-native. Finally, remember that a successful PATCH returns 204 No Content, not 200 OK.

Why the other options are wrong

B

The specific factual error is that RESTCONF requires the media type application/yang-data+json for YANG data, not generic application/json.

C

The specific factual error is that the duplex setting is defined in the ietf-interfaces YANG model, not in Cisco-IOS-XE-native. The URI path must match the data model.

D

The specific factual errors are: (1) The PATCH body must be structured as {"ietf-interfaces:interface":{"duplex":"full"}} to match the YANG data tree; (2) The success response for PATCH is 204 No Content, not 200 OK.
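Added example (not from the question bank and not Cisco code): the GET-then-PATCH exchange from option A, replayed against a small in-memory stand-in for a RESTCONF server that applies the checks the explanation lists (404 for a wrong YANG path, 415 for a non-YANG Content-Type, 204 on success). The 406 for an unacceptable Accept header and the 400 for a body key without its module prefix follow RFC 8040 and are my assumptions; device, credentials and HTTPS transport are omitted.

```python
"""RESTCONF GET-then-PATCH exchange for an interface's duplex setting.

Added example; it is not part of the original question bank and not Cisco code. It
builds the two requests from option A and sends them to a small in-memory stand-in
for a RESTCONF server that applies the checks the explanation lists: YANG module
path (404 when wrong), media type (415 when the PATCH is not yang-data+json) and
a module-qualified body (204 on success). The 406 for an unacceptable Accept header
and the 400 for an unqualified body key follow RFC 8040 and are my additions; the
device, credentials and HTTPS transport are left out.
"""
from __future__ import annotations

import copy
import json

YANG_JSON = "application/yang-data+json"
DATA_ROOT = "/restconf/data/"
IF_PATH = "ietf-interfaces:interfaces/interface=GigabitEthernet0/0"

# Constructed datastore holding the one interface the question uses.
DATASTORE: dict[str, dict] = {
    IF_PATH: {
        "ietf-interfaces:interface": {
            "name": "GigabitEthernet0/0",
            "type": "iana-if-type:ethernetCsmacd",
            "enabled": True,
            "duplex": "auto",
        }
    }
}


def build_requests(ifname: str = "GigabitEthernet0/0") -> tuple[dict, dict]:
    """The GET and PATCH from option A as plain request dicts."""
    uri = f"{DATA_ROOT}ietf-interfaces:interfaces/interface={ifname}"
    get = {"method": "GET", "uri": uri, "headers": {"Accept": YANG_JSON}, "body": None}
    patch = {
        "method": "PATCH",
        "uri": uri,
        "headers": {"Content-Type": YANG_JSON, "Accept": YANG_JSON},
        # The top-level key carries the module name so the payload maps onto the YANG tree.
        "body": json.dumps({"ietf-interfaces:interface": {"duplex": "full"}}),
    }
    return get, patch


def mock_restconf(req: dict, store: dict) -> tuple[int, dict | None]:
    """Server stand-in: (status, body) for GET and PATCH against the given datastore."""
    if not req["uri"].startswith(DATA_ROOT):
        return 404, None
    path = req["uri"][len(DATA_ROOT):]
    if path not in store:
        return 404, None            # e.g. Cisco-IOS-XE-native:interface/... is not where this node lives
    if req["method"] == "GET":
        if req["headers"].get("Accept", YANG_JSON) != YANG_JSON:
            return 406, None        # RFC 8040: no acceptable representation (assumption, not on the page)
        return 200, store[path]
    if req["method"] == "PATCH":
        if req["headers"].get("Content-Type") != YANG_JSON:
            return 415, None        # generic application/json is not a YANG media type
        try:
            body = json.loads(req["body"] or "")
        except ValueError:
            return 400, None
        key = "ietf-interfaces:interface"
        if not isinstance(body, dict) or set(body) != {key}:
            return 400, None        # RFC 8040 malformed-message: body key must be module-qualified (assumption)
        store[path][key].update(body[key])
        return 204, None            # success carries no body
    return 405, None


def status_for_option(option: str) -> tuple[int, int]:
    """Replay one answer option's GET and PATCH; returns both status codes."""
    store = copy.deepcopy(DATASTORE)        # fresh copy so runs do not leak into each other
    get, patch = build_requests()
    if option == "B":                       # generic application/json on both requests, bare body
        get["headers"]["Accept"] = "application/json"
        patch["headers"]["Content-Type"] = "application/json"
        patch["body"] = json.dumps({"duplex": "full"})
    elif option == "C":                     # wrong YANG module path on both requests
        get["uri"] = patch["uri"] = f"{DATA_ROOT}Cisco-IOS-XE-native:interface/GigabitEthernet0/0"
    elif option == "D":                     # right headers, body key missing its module prefix
        patch["body"] = json.dumps({"duplex": "full"})
    return mock_restconf(get, store)[0], mock_restconf(patch, store)[0]


def apply_option_a() -> tuple[int, int, str]:
    """Run option A and return the GET status, the PATCH status and the resulting duplex."""
    store = copy.deepcopy(DATASTORE)
    get, patch = build_requests()
    get_status, _ = mock_restconf(get, store)
    patch_status, _ = mock_restconf(patch, store)
    return get_status, patch_status, store[IF_PATH]["ietf-interfaces:interface"]["duplex"]


if __name__ == "__main__":
    for opt in "ABCD":
        print(opt, status_for_option(opt))
```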

1250
Matching · medium

Match each WAN or interdomain concept to its most accurate description.

Descriptions to match

Point-to-point WAN encapsulation

PPP-style session behavior over Ethernet access

Tunneling mechanism across another network

Path-vector routing protocol associated with autonomous systems

Why these pairings

PPP is the standard Layer 2 encapsulation for point-to-point WAN links. PPPoE adapts PPP’s authentication and session features for Ethernet-based broadband networks. GRE provides a simple tunneling mechanism that encapsulates any protocol across another network.

BGP is the path-vector routing protocol used to exchange routes between autonomous systems.

Exam trap

Learners often mistake PPPoE as merely PPP over Ethernet media, overlooking that it establishes a distinct PPP session; similarly, they may treat GRE as a secured VPN when it is only a tunnel, and confuse BGP’s interdomain role with an IGP like OSPF.

1251
MCQ · medium

A user says the phone connected to a switch port works, but the attached PC does not get network access. What is the most likely switch-side issue?

A.The access VLAN for the PC is misconfigured
B.The voice VLAN should always match the access VLAN
C.PortFast blocks the PC from sending traffic
D.The phone requires the switch to be in trunk mode
Answer: A

The PC uses the access VLAN, not the voice VLAN.

Why this answer

An IP phone can use a voice VLAN while the attached PC uses the access VLAN. If the access VLAN is missing or wrong, the phone may still work while the PC fails.

Exam trap

Ensure you understand the difference between voice and access VLANs and how they affect different devices on the same port.

How to eliminate wrong answers

Eliminate B because a trunk port should allow both devices access. Eliminate C because an administratively down port would disable both devices. Eliminate D because the phone is working, indicating the voice VLAN is configured.

A is correct because it explains why the PC lacks connectivity while the phone works.

1252
MCQ · hard

A host uses subnet mask 255.255.255.224. How many total addresses exist in each subnet block?

A.16
B.32
C.30
D.64
Answer: B

This is correct because /27 yields 32 total addresses per subnet.

Why this answer

The subnet mask 255.255.255.224 (/27) has 5 host bits, so each subnet has 2^5 = 32 total addresses. Option A (16) results from confusing /27 with /28 (4 host bits = 16). Option D (64) results from confusing /27 with /26 (6 host bits = 64).

Option C (30) is the number of usable host addresses (32 - 2 = 30), not the total addresses asked for in the question.

Exam trap

Be careful to distinguish between total addresses and usable addresses. Many candidates automatically think of usable addresses when subnetting.

Why the other options are wrong

A

16 would be the total addresses for a /28 mask (4 host bits), not the /27 mask specified.

C

30 is the number of usable host addresses (total addresses minus network and broadcast), not the total addresses.

D

64 would be the total addresses for a /26 mask (6 host bits), not the /27 mask specified.

1253
Drag & Drop · medium

Drag and drop the following steps into the correct order to describe the router's routing table lookup process from receiving a packet with a destination IP address to making the forwarding decision, including best-path selection criteria.

Why this order

The process starts with packet arrival, then longest prefix match, followed by tie-breaking using administrative distance and metric, culminating in forwarding.

Exam trap

Do not confuse the order of longest prefix match and administrative distance. Longest prefix match is always performed first; administrative distance and metric are tie-breakers applied only when multiple routes match the same prefix length.

1254
Multi-Select · medium

Which TWO statements correctly describe differences between 802.11ac (Wi-Fi 5) and 802.11ax (Wi-Fi 6)?

Select 2 answers
A.802.11ac uses OFDMA, while 802.11ax uses only OFDM.
B.802.11ax supports 1024-QAM modulation, whereas 802.11ac supports up to 256-QAM.
C.Both 802.11ac and 802.11ax operate exclusively in the 5 GHz band.
D.802.11ax operates in both the 2.4 GHz and 5 GHz bands, while 802.11ac operates only in the 5 GHz band.
E.802.11ac introduces target wake time (TWT) for improved power saving, but 802.11ax does not support it.
Answers: B, D

802.11ax supports 1024-QAM for higher data rates; 802.11ac maximum is 256-QAM.

Why this answer

Options B and D are correct. 802.11ax (Wi-Fi 6) introduces 1024-QAM for higher data rates (B), while 802.11ac maxes at 256-QAM. Additionally, 802.11ax supports both 2.4 GHz and 5 GHz bands, whereas 802.11ac is limited to 5 GHz only (D). Option A is incorrect because it reverses the roles: 802.11ac uses OFDM, and 802.11ax uses OFDMA.

Option C is incorrect because 802.11ax also operates in 2.4 GHz. Option E is incorrect because Target Wake Time (TWT) is introduced in 802.11ax, not 802.11ac.

Exam trap

Cisco often tests the misconception that 802.11ac also uses OFDMA or that both standards operate in the same frequency bands, so candidates must remember that OFDMA is exclusive to 802.11ax and that 802.11ac is 5 GHz only.

Why the other options are wrong

A

This statement reverses the technologies: 802.11ac uses OFDM, and 802.11ax uses OFDMA.

C

802.11ax adds 2.4 GHz support for backward compatibility and better range.

E

TWT is a feature of 802.11ax, not 802.11ac.

1255
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure a WPA3 SSID on a Cisco WLC and complete a wireless client association.

Why this order

The steps follow the standard WLC configuration sequence: create the WLAN, set WPA3-Personal security, enable it, then the client associates and gets an IP.

Exam trap

The trap is that candidates may think security can be configured after enabling the WLAN, or that client IP assignment occurs before association. Remember: always configure all settings before enabling the WLAN, and client DHCP occurs after association.

1256
Multi-Select · medium

Which TWO statements correctly describe the behavior of standard ACLs when applied to an interface?

Select 2 answers
A.Standard ACLs filter traffic based on source and destination IP addresses.
B.Standard ACLs should be placed as close to the destination as possible.
C.Standard ACLs can filter traffic based on protocol type (TCP, UDP, ICMP).
D.Standard ACLs use an implicit deny any statement at the end.
E.Standard ACLs are applied to interfaces in the inbound direction only.
Answers: B, D

Because standard ACLs filter only on the source IP address, placing them near the destination limits the filtering to traffic that is actually headed for the target, instead of blocking that source's legitimate traffic to other destinations elsewhere in the network.

Why this answer

Standard ACLs filter traffic based solely on the source IP address, not the destination. Because they do not consider destination addresses, placing them as close to the destination as possible prevents them from inadvertently blocking traffic that should reach other parts of the network. This placement ensures that only the intended traffic is filtered at the final hop before the destination.

Exam trap

Cisco often tests the misconception that standard ACLs can filter on destination addresses or protocols, leading candidates to choose option A or C, when in fact standard ACLs only match source IP addresses and always end with an implicit deny any.

Why the other options are wrong

A

This describes the capability of extended ACLs, not standard ACLs.

C

Protocol filtering is a feature of extended ACLs, not standard ACLs.

E

Both inbound and outbound application are possible, though placement depends on the filtering strategy.

1257
MCQ · easy

Which data format is commonly used with REST APIs to represent objects, arrays, and key-value pairs?

A.JSON
B.STP
C.EIGRP
D.802.1Q
Answer: A

Correct. JSON is the API data format being described.

Why this answer

JSON is a common data-interchange format used in APIs and automation systems.

Exam trap

Avoid assuming older technologies like XML are still the most common choice for modern REST APIs.

Why the other options are wrong

B

STP (Spanning Tree Protocol) is a network protocol used for preventing loops in Ethernet networks, and it is not a data format used with REST APIs. Therefore, it does not represent objects, arrays, or key-value pairs.

C

EIGRP (Enhanced Interior Gateway Routing Protocol) is a routing protocol used for exchanging routing information within an autonomous system, not a data format for representing objects or key-value pairs in APIs.

D

802.1Q is a networking standard used for VLAN tagging in Ethernet frames, not a data format for representing objects or key-value pairs in APIs. It does not relate to REST API data representation.

1258
MCQ · hard

A technician is troubleshooting an issue where internal hosts can successfully ping internet addresses but cannot establish HTTP sessions. The router is configured with PAT (overload) and uses an access list to define the inside local addresses. Recently, the internal network was renumbered from 192.168.0.0/24 to 10.0.0.0/24. What is the most likely cause?

A.The router's HTTP inspection rule is blocking outbound TCP port 80.
B.The NAT access list still permits 192.168.0.0/24 and does not match the new 10.0.0.0/24 addresses.
C.The outside interface access list is blocking TCP packets from the new 10.0.0.0/24 subnet.
D.The default route has been changed to point to the wrong next-hop address, causing only HTTP packets to be dropped.
Answer: B

Because the ACL that defines inside local addresses for PAT was never updated after renumbering, no dynamic translations are created for HTTP sourced from 10.0.0.0/24.

Why this answer

PAT translates private addresses to a single public IP by matching the source against a NAT access list. The ACL permits only 192.168.0.0/24, so packets from the new 10.0.0.0/24 addresses are not translated. ICMP may still succeed due to an existing static NAT entry for ICMP echo or a separate rule, but HTTP requires new dynamic translations that the ACL blocks.

The other options are plausible but do not align as directly with the recent renumbering and the configured NAT ACL.

Exam trap

Option C (outside interface access list blocking TCP port 80) is tempting because many candidates first suspect ACL-based filtering when one protocol fails and another succeeds. However, the explicit mention of the renumbering and the PAT ACL mismatch makes B the more direct cause.

Why the other options are wrong

A

Candidates may confuse security inspection with NAT translation, assuming that a protocol-specific inspection is needed for HTTP.

C

Tempting because an ACL could selectively block TCP; however, the question provides context about the renumbering, which directly points to the NAT configuration.

D

Candidates may assume that different protocols might take different paths, but a single default route applies uniformly to all IP traffic.

1259
Matching · medium

Drag and drop the wireless terms on the left to the correct descriptions on the right.

Descriptions to match

Uses OFDM and supports up to 160 MHz channel bonding in 5 GHz only

Uses OFDMA and supports both 2.4 GHz and 5 GHz bands

Uses SAE (Simultaneous Authentication of Equals) for secure pre-shared key authentication

Uses 192-bit minimum strength security suite and EAP authentication

Independently handles all wireless functions without a central controller

Why these pairings

802.11ac (Wi-Fi 5) uses OFDM and can bond channels up to 160 MHz, but operates exclusively in the 5 GHz band. 802.11ax (Wi-Fi 6) uses OFDMA for more efficient multi-user access and works in both 2.4 GHz and 5 GHz. WPA3-Personal secures pre-shared keys with SAE, replacing WPA2’s PSK, while WPA3-Enterprise uses 192-bit encryption and EAP for strong authentication. An autonomous AP functions standalone without a wireless controller.

Exam trap

Many learners confuse OFDM (802.11ac) with OFDMA (802.11ax) and WPA3-Personal’s SAE with WPA3-Enterprise’s EAP; remember that SAE is for personal mode and EAP is for enterprise.

1260
MCQ · hard

A switch has a root port and an alternate port for the same VLAN. Which statement best explains the operational role of the alternate port?

A.It is a backup path toward the root bridge and normally does not forward while the active root path is healthy.
B.It always forwards traffic at the same time as the root port for load balancing.
C.It is the port that elects the root bridge for the VLAN.
D.It is a special routed port used for inter-VLAN communication.
Answer: A

This is correct because an alternate port is a standby path in STP.

Why this answer

The alternate port acts as a backup path toward the root bridge and stays in a non-forwarding state under normal conditions. In practical terms, STP keeps it ready in case the active path fails, but it does not allow it to forward frames while the primary root path is healthy. That is how STP preserves redundancy without creating loops.

This question is useful because many learners understand root ports and designated ports but do not clearly understand what the alternate role represents.

Exam trap

Don't confuse STP's redundancy roles with load balancing or congestion management. Remember, alternate ports are for backup, not active traffic routing.

Why the other options are wrong

B

Option B is incorrect because an alternate port does not forward traffic while the root port is active; it serves as a backup path and only becomes active if the root port fails.

C

This option is wrong because the alternate port does not participate in the election process for the root bridge; it only serves as a backup path to the root bridge once it is established.

D

Option D is incorrect because an alternate port is not a routed port; it operates at Layer 2 and is part of the Spanning Tree Protocol, which does not involve routing functionalities for inter-VLAN communication.

1261
MCQ · hard

An IPv6 host has a global unicast address and a correct default route learned from a router advertisement, but the next-hop entry shown on the host uses a link-local address rather than a global unicast address. What is the best explanation?

A.IPv6 hosts commonly use the router’s link-local address as the next hop on the local segment.
B.The host has learned the wrong default route because IPv6 gateways must always be global unicast.
C.The host can reach only local destinations when the next hop is link-local.
D.The router advertisement has failed because it did not provide a MAC address.
Answer: A

This is correct because IPv6 next-hop behavior often relies on the router’s link-local address on the local link.

Why this answer

That behavior is normal in IPv6. In practical terms, the host only needs to reach the router on the local segment, so it uses the router’s link-local address as the next-hop target. The packet still leaves the local link toward remote destinations, but the immediate neighbor on that link is identified by link-local addressing.

This is an important IPv6 concept because many people assume the default gateway must be a globally routable address. It does not. On the local link, the host is really forwarding to its directly attached router interface, and the router’s link-local address is enough for that local handoff.

Exam trap

Don't assume that a default gateway must be a global unicast address in IPv6; link-local addresses are used for local communication.

Why the other options are wrong

B

This option is incorrect because IPv6 gateways do not have to be global unicast; link-local addresses are valid for routing within the local network segment. The host can use the link-local address of the router as the next hop for packets destined to other networks.

C

This option is incorrect because a host with a link-local next hop can still reach global unicast addresses, as link-local addresses are used only for communication within the same local network segment.

D

This option is wrong because a router advertisement does not need to provide a MAC address for the next-hop link-local address to be valid; link-local addresses are inherently usable for local communication without MAC address specification.

1262
Drag & Drop · medium

You need to configure a new switch. According to Cisco’s recommended workflow, you should assign access ports to their VLANs before configuring trunk links to ensure that end devices are functional before inter-switch connectivity is tested. Drag and drop the following steps into the correct order to configure VLANs, assign access ports, set up 802.1Q trunking with a native VLAN, and verify the configuration on a Cisco switch running IOS-XE.

Why this order

The correct order is to first create VLANs so they exist, then assign access ports to those VLANs to make end devices operational, then configure the trunk link with a native VLAN to connect to another switch, and finally verify with show commands. This sequence follows Cisco best practices by getting access ports functional before establishing trunking. Option C is incorrect because configuring the trunk before assigning access ports could leave end devices in the wrong VLAN while the trunk is already active, potentially causing unexpected broadcast domain behavior.

Options B and D are wrong because they attempt to assign ports or configure a trunk before the VLANs are created, which would fail.

Exam trap

The exam trap is that candidates may try to assign ports to VLANs before creating them, or configure trunk native VLAN before the VLAN exists. Always create VLANs first, then assign ports, then configure trunking.

1263
Matching · medium

Match each operational symptom to the technology most likely associated with investigating it.

Concepts to match

Syslog

SNMP

NetFlow

NTP

Why these pairings

Syslog is specifically designed to collect device-generated log messages, including warnings and interface state changes, making it the natural tool for reviewing such events. SNMP allows a management station to actively poll device data such as interface counters and operational status, providing real-time statistics and alerts. NetFlow exports flow-level records that detail source, destination, and application conversations, enabling identification of the specific flows consuming bandwidth.

NTP synchronizes the clocks of network devices, ensuring that timestamps in logs, alerts, and flow data are consistent across the network for accurate correlation and troubleshooting.

Exam trap

The trap is that many symptoms can be interrelated, but the question asks for the technology most likely associated with investigating the specific symptom. Focus on the direct cause rather than secondary effects.

1264
MCQ · hard

Based on the exhibit, why is the ACL not meeting the requirement to block only HTTPS traffic to the server?

A.Because the ACL entry is too broad and blocks all IP traffic to the host.
B.Because HTTPS uses UDP, not TCP.
C.Because standard ACLs are required for HTTPS filtering.
D.Because the destination must always be a wildcarded subnet, not a host.
Answer: A

This is correct because `deny ip` blocks far more than only HTTPS.

Why this answer

The ACL fails because it uses 'deny ip' which blocks all IP traffic to the server, not just HTTPS. To block only HTTPS, the ACL should match TCP port 443 with 'deny tcp eq 443'. Option B is wrong because HTTPS uses TCP, not UDP.

Option C is wrong because extended ACLs (not standard) are required to filter by port. Option D is wrong because a host destination is perfectly valid in extended ACLs; a wildcard subnet is not required.

Exam trap

Ensure you understand the difference between blocking specific ports and blocking all traffic. Misconfiguring an ACL by using 'deny ip' instead of 'deny tcp eq 443' is a common mistake.

Why the other options are wrong

B

HTTPS uses TCP, not UDP.

C

Standard ACLs cannot filter by port; extended ACLs are required.

D

Extended ACLs support host destinations; a wildcard subnet is not required for a specific host.
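To make the difference between `deny ip` and `deny tcp ... eq 443` concrete (question 1264), and to show the source-only matching and implicit deny of standard ACLs (question 1256), here is an added example that is not part of the original question bank: a minimal evaluator for numbered Cisco-style ACL entries. The ACL lines, server address 10.1.1.5 and sample packets are constructed for the demonstration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, str]   # (base address, wildcard mask)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def parse_addr(tokens: List[str]) -> Tuple[Addr, List[str]]:
    """Consume one address specifier: 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str) -> Dict:
    """Parse one numbered access-list entry (constructed subset of IOS syntax).
    standard:  access-list 10 permit 192.168.0.0 0.0.0.255      (source only)
    extended:  access-list 100 deny tcp any host 10.1.1.5 eq 443"""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]               # drop 'access-list <number>'
    ace = {"action": tokens[0], "proto": "ip", "src": None, "dst": None, "dport": None}
    tokens = tokens[1:]
    if tokens[0] in ("ip", "tcp", "udp", "icmp"):
        ace["proto"] = tokens[0]          # extended: protocol, source, destination, port
        ace["src"], tokens = parse_addr(tokens[1:])
        ace["dst"], tokens = parse_addr(tokens)
        if tokens[:1] == ["eq"]:
            ace["dport"] = int(tokens[1])
    else:
        ace["src"], tokens = parse_addr(tokens)   # standard: source address only
    return ace


def ace_matches(ace: Dict, pkt: Dict) -> bool:
    """pkt = {'proto': 'tcp', 'src': ..., 'dst': ..., 'dport': 443}."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *ace["src"]):
        return False
    if ace["dst"] is not None and not wildcard_match(pkt["dst"], *ace["dst"]):
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
        return False
    return True


def evaluate_acl(acl: List[str], pkt: Dict) -> str:
    """Top-down, first match wins; falling off the end hits the implicit deny any."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


def pkt(proto: str, src: str, dst: str, dport: Optional[int] = None) -> Dict:
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}


# Constructed ACLs for the scenario: the goal is to block only HTTPS to 10.1.1.5.
TOO_BROAD = ["access-list 100 deny ip any host 10.1.1.5",
             "access-list 100 permit ip any any"]
HTTPS_ONLY = ["access-list 100 deny tcp any host 10.1.1.5 eq 443",
              "access-list 100 permit ip any any"]
STANDARD = ["access-list 10 permit 192.168.0.0 0.0.0.255"]   # no explicit deny

if __name__ == "__main__":
    web = pkt("tcp", "192.168.0.10", "10.1.1.5", 80)
    for name, acl in (("too broad", TOO_BROAD), ("https only", HTTPS_ONLY)):
        print(f"{name}: HTTP to server -> {evaluate_acl(acl, web)}")
```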

1265
MCQ · hard

Refer to the exhibit. An engineer is troubleshooting a connectivity issue where packets from the local network destined to host 192.168.1.200 are being dropped. The host 192.168.1.200 is configured with IP address 192.168.1.200/25, while the router’s GigabitEthernet0/0 interface is on the same physical segment. Based on the output, what is the most likely cause of the problem?

A.The host 192.168.1.200 has an incorrect default gateway set, preventing it from communicating with the router.
B.The router interface Gi0/0 is using a /24 subnet mask while the host is in a /25 subnet, making 192.168.1.200 appear as a local address to the router but off-subnet to the host.
C.An inbound access list on GigabitEthernet0/0 is blocking ICMP traffic from host 192.168.1.200.
D.The GigabitEthernet0/0 interface is in a shutdown state, preventing traffic from being forwarded to the host.
Answer: B

The output shows 'Internet address is 192.168.1.2/24'. With this mask, the router treats 192.168.1.200 as directly connected and sends ARP requests for it. The host, configured with a /25 mask, sees 192.168.1.2 as outside its /25 subnet (192.168.1.128/25), so it does not process the ARP request or respond, breaking connectivity.

Why this answer

The router's GigabitEthernet0/0 interface is configured with a /24 subnet mask, which means its directly connected network is 192.168.1.0/24. The host 192.168.1.200/25 has a subnet mask of /25, so its local network is 192.168.1.128/25. When the router receives a packet destined for 192.168.1.200, it considers the address to be within its own directly connected /24 subnet and attempts to forward it locally via ARP.

Meanwhile, the host's /25 mask places it in 192.168.1.128/25, so it regards the router's address 192.168.1.2 as off-subnet, while the router's /24 mask leads the router to expect the host on the same subnet with no gateway in between. Because of this mismatch the host does not respond to the router's ARP requests, which come from an address outside its /25 range, and the packets are dropped.

Exam trap

Cisco often tests the concept that a router will ARP for any destination IP within its directly connected network, regardless of the host's subnet mask, leading candidates to overlook the subnet mask mismatch and instead blame the default gateway or interface status.

Why the other options are wrong

A

Candidates often think connectivity problems are caused by gateway misconfiguration, ignoring the subnet mask mismatch that actually prevents Layer 2 communication.

C

Candidates may glance at the output and assume an access list is blocking traffic, but the output clearly shows no ACL is applied.

D

A common troubleshooting mistake is to assume an interface is down, but the state is clearly shown as up in the exhibit.
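The mask mismatch above can be checked from both sides at once. This is an added example, not part of the original question bank; the two interface addresses are the ones from the exhibit, and the helper names are constructed.

```python
import ipaddress
from typing import Dict, List


def regards_as_local(own: str, other: str) -> bool:
    """True when a device configured with `own` (address/prefix) places `other`
    inside its own subnet and would therefore ARP for it directly."""
    return ipaddress.ip_address(other) in ipaddress.ip_interface(own).network


def diagnose_mask_mismatch(router_if: str, host_if: str) -> Dict[str, object]:
    """Compare each side's view of the other. An asymmetric result (router sees
    the host as local, host sees the router as remote) is the one-way failure
    described in the exhibit."""
    router = ipaddress.ip_interface(router_if)
    host = ipaddress.ip_interface(host_if)
    return {
        "router_network": str(router.network),
        "host_network": str(host.network),
        "router_sees_host_local": regards_as_local(router_if, str(host.ip)),
        "host_sees_router_local": regards_as_local(host_if, str(router.ip)),
        "mismatch": router.network != host.network,
    }


def ranges_cut_off(router_if: str, host_prefixlen: int) -> List[str]:
    """Sub-ranges of the router's subnet in which a host using host_prefixlen
    would treat the router's address as off-subnet (constructed helper)."""
    router = ipaddress.ip_interface(router_if)
    return [str(sub) for sub in router.network.subnets(new_prefix=host_prefixlen)
            if router.ip not in sub]


if __name__ == "__main__":
    # Addresses from the exhibit: router Gi0/0 192.168.1.2/24, host 192.168.1.200/25.
    for key, value in diagnose_mask_mismatch("192.168.1.2/24", "192.168.1.200/25").items():
        print(f"{key}: {value}")
    print("hosts using /25 that cannot reply directly:", ranges_cut_off("192.168.1.2/24", 25))
```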

1266
Multi-Select · medium

Which statement correctly describes a feature of WPA3 security in wireless LANs?

Select 1 answer
A.WPA3 uses TKIP encryption for backward compatibility with legacy devices.
B.WPA3 introduces Simultaneous Authentication of Equals (SAE) to resist offline dictionary attacks.
C.WPA3 relies solely on 802.1X/EAP authentication for both personal and enterprise modes.
D.WPA3 mandates the use of GCMP-256 encryption for enhanced security.
E.WPA3 makes Protected Management Frames (PMF) optional to support older clients.
Answers: B

SAE replaces WPA2's PSK handshake, providing a secure key exchange that prevents attackers from cracking the password offline.

Why this answer

Option B is correct. WPA3 introduces Simultaneous Authentication of Equals (SAE), which uses a Dragonfly key exchange to resist offline dictionary attacks and provide forward secrecy. Option A is wrong because WPA3 does not use or support TKIP encryption; it mandates AES.

Option C is wrong because WPA3-Personal uses SAE, not 802.1X/EAP. Option D is wrong because GCMP-256 is only mandatory in the optional WPA3-Enterprise 192-bit security mode, not across all WPA3 deployments; standard WPA3-Personal uses AES-GCMP with 128-bit keys. Option E is wrong because WPA3 requires Protected Management Frames (PMF) by default, unlike WPA2.

Exam trap

Many candidates incorrectly assume WPA3 universally uses GCMP-256 encryption, confusing the optional enterprise mode with the baseline WPA3-Personal requirement.

Why the other options are wrong

A

WPA3 mandates AES encryption and does not include TKIP for any compatibility; TKIP was deprecated in WPA2.

C

WPA3-Personal uses SAE, not 802.1X/EAP; only WPA3-Enterprise relies on 802.1X.

D

GCMP-256 is only mandated in the optional WPA3-Enterprise 192-bit mode; standard WPA3 uses GCMP with 128-bit keys.

E

Protected Management Frames (PMF) are required, not optional, in WPA3 to mitigate management frame attacks.

1267
MCQ · hard

A router shows the following routing table entries for the same destination:

O 10.10.50.0/24 [110/20] via 192.168.12.2, GigabitEthernet0/0
D 10.10.50.0/24 [90/30720] via 192.168.13.2, GigabitEthernet0/1

Which route will become the active route in the routing table?

A.The OSPF route, because its metric is lower
B.The EIGRP route, because its administrative distance is lower
C.Both routes, because the prefixes are identical
D.Neither route, because the metrics use different scales
Answer: B

EIGRP wins here because its default administrative distance of 90 is lower than OSPF's 110, so the router trusts the EIGRP route more when both advertise the same destination prefix.

Why this answer

The EIGRP route becomes active because the router compares administrative distance first when the same destination is learned from different routing protocols. This is one of the most common Cisco exam traps: candidates compare the OSPF metric value of 20 to the EIGRP metric value and assume the smaller number must win. That is not how route selection works across different protocols.

OSPF metrics and EIGRP metrics are calculated differently, so the router does not compare them directly. Instead it checks administrative distance. EIGRP internal routes default to 90, while OSPF routes default to 110.

Since 90 is lower than 110, the EIGRP route is trusted more and is installed as the active path.

Exam trap

Avoid comparing metric values directly between different protocols; focus on administrative distance first.

Why the other options are wrong

A

This option is incorrect because the active route is determined by the administrative distance, not the metric. In this case, the EIGRP route has a lower administrative distance than the OSPF route, making it the active route.

C

This option is incorrect because only one route can be active for a given destination in a routing table, and having identical prefixes does not mean both routes can be active simultaneously. The router will select the route with the lower administrative distance, which is not addressed here.

D

This option is wrong because both routes are valid, and the router will select the route with the lower administrative distance, not the metric. The administrative distance of the EIGRP route is lower than that of the OSPF route, making it the active route.
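The lookup order from question 1253 (longest prefix match first, then administrative distance, then metric) applied to the two entries in question 1267, as an added example that is not part of the original question bank. The parser handles only the single-letter-code `[AD/metric] via` line form shown in the question; the third, RIP route with a longer prefix is constructed to show that prefix length is checked before AD.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    """One routing-table candidate (a constructed model of an IOS entry)."""
    code: str        # 'O' OSPF, 'D' EIGRP, 'R' RIP, 'S' static
    prefix: str      # e.g. '10.10.50.0/24'
    ad: int          # administrative distance, e.g. [110/20] -> 110
    metric: int      # protocol metric, e.g. [110/20] -> 20
    next_hop: str


def parse_ios_route(line: str) -> Route:
    """Parse a 'show ip route' line of the form
    'O 10.10.50.0/24 [110/20] via 192.168.12.2, GigabitEthernet0/0'."""
    code, prefix, ad_metric, via, next_hop, *_ = line.split()
    if via != "via" or not ad_metric.startswith("["):
        raise ValueError(f"unsupported route line: {line!r}")
    ad, metric = ad_metric.strip("[]").split("/")
    return Route(code, prefix, int(ad), int(metric), next_hop.rstrip(","))


def select_route(table: List[Route], dst: str) -> Optional[Route]:
    """Forwarding decision in the order the exam describes:
    1. keep only routes whose prefix contains dst,
    2. longest prefix match,
    3. among equal-length prefixes, lowest administrative distance,
    4. among equal AD (same protocol), lowest metric.
    Returns None when nothing matches (this table has no default route)."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in table if ip in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in matches)
    candidates = [r for r in matches
                  if ipaddress.ip_network(r.prefix).prefixlen == longest]
    # AD is compared before the metric: metrics from different protocols are
    # on different scales and are never compared with each other.
    return min(candidates, key=lambda r: (r.ad, r.metric))


ROUTE_LINES = [
    "O 10.10.50.0/24 [110/20] via 192.168.12.2, GigabitEthernet0/0",     # from the question
    "D 10.10.50.0/24 [90/30720] via 192.168.13.2, GigabitEthernet0/1",   # from the question
    "R 10.10.50.128/25 [120/3] via 192.168.14.2, GigabitEthernet0/2",    # constructed
]
TABLE = [parse_ios_route(line) for line in ROUTE_LINES]

if __name__ == "__main__":
    for dst in ("10.10.50.7", "10.10.50.200", "172.16.0.1"):
        print(dst, "->", select_route(TABLE, dst))
```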

1268
MCQ · hard

A trunk between two switches is up, but users in VLAN 40 cannot communicate across it. The output shows both sides allow VLAN 40. What is another likely trunk-related cause to check next?

A.Native VLAN mismatch between the two trunk ends
B.Missing router ID in OSPF
C.Incorrect NTP source interface
D.Lack of PAT overload on the WAN router
Answer: A

This is correct because a native VLAN mismatch is a common trunk-related issue worth checking after allowed VLANs have been verified.

Why this answer

If VLAN 40 is allowed on both ends and the trunk is up, a native VLAN mismatch is still worth checking because trunk problems are not limited to the allowed VLAN list. In plain language, the link may be carrying traffic, but if the two switches disagree on how untagged traffic should be treated, behavior can still become unpredictable. Native VLAN mismatches are a well-known source of warnings and unexpected traffic handling on 802.1Q trunks.

That does not mean every VLAN problem is caused by the native VLAN, but once the obvious allowed-list issue has been ruled out, it becomes a logical next trunk-specific item to verify.

Exam trap

Don't assume that allowed VLANs are the only trunk-related issue; native VLAN mismatches can also disrupt communication.

Why the other options are wrong

B

This option is wrong because the question specifically addresses VLAN communication issues over a trunk link, which are unrelated to OSPF router ID configuration. OSPF router ID affects routing protocols, not VLAN traffic directly.

C

NTP source interface is unrelated to VLAN communication issues over a trunk link; it primarily affects time synchronization across devices. Since the question focuses on VLAN connectivity, this option does not address the core problem.

D

Lack of PAT overload on the WAN router is unrelated to VLAN communication issues between switches. This option pertains to address translation for outbound traffic, not VLAN trunking problems.

1269
PBQ · hard

You are connected to a multilayer switch MLS1. The network has two other switches SW1 and SW2 forming a triangle topology. Currently, SW1 is the root bridge but it should be SW2. Additionally, configure PortFast and BPDU Guard on interface GigabitEthernet0/2 of MLS1, which connects to a host. Simulate a BPDU violation on that port and then recover the port from err-disabled state.

Network Topology
[Topology diagram: MLS1, SW1 and SW2 interconnected in a triangle over Gi0/0 and Gi0/1; MLS1 Gi0/2 connects to the host]

Hints

  • Check which switch is currently root and change the priority on MLS1 to allow SW2 to become root.
  • The err-disabled port needs to be re-enabled with 'no shutdown' after the cause is removed.
  • Ensure PortFast and BPDU Guard are configured on the edge port.
A.On MLS1, remove 'spanning-tree vlan 1 root primary' and set priority to 4096; on SW2, set priority to 0. On MLS1 Gi0/2, configure 'spanning-tree portfast' and 'spanning-tree bpduguard enable'. After BPDU violation, recover with 'shutdown' then 'no shutdown'.
B.On MLS1, set priority to 0 to make it root; on SW2, set priority to 4096. On MLS1 Gi0/2, configure 'spanning-tree portfast' and 'spanning-tree bpduguard enable'. After BPDU violation, recover by removing BPDU Guard.
C.On MLS1, remove 'spanning-tree vlan 1 root primary' and set priority to 4096; on SW2, set priority to 0. On MLS1 Gi0/2, configure 'spanning-tree portfast' and 'spanning-tree bpduguard enable'. After BPDU violation, recover by reloading MLS1.
D.On MLS1, set priority to 0; on SW2, set priority to 4096. On MLS1 Gi0/2, configure 'spanning-tree portfast' and 'spanning-tree bpduguard enable'. After BPDU violation, recover with 'no shutdown'.
Answer: A
Solution
! MLS1
configure terminal
no spanning-tree vlan 1 root primary
spanning-tree vlan 1 priority 4096
interface gigabitEthernet 0/2
spanning-tree portfast
spanning-tree bpduguard enable
! after the BPDU source is removed, recover the err-disabled port
shutdown
no shutdown
! SW2
spanning-tree vlan 1 priority 0

Why this answer

Currently, SW1 is the root bridge per the topology, but the goal is to make SW2 the root. On MLS1, removing the 'spanning-tree vlan 1 root primary' command and setting a higher priority (4096) ensures it does not interfere. On SW2, set priority to 0 to make it root.

On MLS1 Gi0/2, configure PortFast and BPDU Guard. If a BPDU is received, the port goes err-disabled; to recover, issue 'shutdown' then 'no shutdown' after resolving the BPDU source.

Exam trap

Candidates may forget that the root bridge is determined by the lowest priority. They might set the wrong switch to the lower priority or use incorrect recovery methods such as reloading the switch or removing BPDU Guard.

Why the other options are wrong

B

The specific factual error: Setting MLS1 priority to 0 makes it root, opposite of the requirement. Removing BPDU Guard does not recover the port; 'no shutdown' is needed.

C

The specific factual error: Reloading the switch is not the standard recovery for an err-disabled port; 'no shutdown' is the proper command.

D

The specific factual error: MLS1 should have a higher priority (e.g., 4096) and SW2 a lower priority (e.g., 0) to make SW2 root. The option does the opposite.

1270
PBQhard

You are connected to R1. The link between R1 and R2 is experiencing packet loss and slow performance. Examine the following partial show interface output:

R1# show interfaces gigabitEthernet 0/0
GigabitEthernet0/0 is up, line protocol is up
Duplex: Full, Speed: Auto, 100Mb/s
Input errors: 12345, CRC: 5000, frame: 0, overrun: 0, ignored: 0

R2# show interfaces gigabitEthernet 0/0
GigabitEthernet0/0 is up, line protocol is up
Duplex: Half, Speed: Auto, 100Mb/s
Input errors: 0, CRC: 0, collisions: 5000, late collisions: 0

Identify the root cause of the issue, and apply the necessary fix on R1 to resolve the problem.

Network Topology
[Diagram: R1 G0/0 (10.0.0.1/30) -- link -- R2 G0/0 (10.0.0.2/30)]

Hints

  • Look at the number of input errors versus CRC errors.
  • Check the duplex setting on both interfaces.
  • A high number of input errors without CRC often indicates a duplex mismatch.
A.Configure the interface with 'duplex half' to match the half-duplex setting on R2.
B.Configure the interface with 'speed 100' to force the link speed to 100 Mbps.
C.Replace the Ethernet cable with a new one to fix the physical layer issue.
D.Configure the interface with 'no shutdown' to bring the interface up.
AnswerA
solution
! R1
interface gigabitethernet0/0
duplex half

Why this answer

The output reveals a duplex mismatch. R1 is operating in full‑duplex mode, while R2 is in half‑duplex mode. On the full‑duplex side (R1), simultaneous transmissions from both ends result in corrupted frames, visible as a high count of CRC errors.

On the half‑duplex side (R2), ordinary collisions occur because R2 uses CSMA/CD, but no CRC errors are seen because it detects collisions and retransmits. The only immediate fix from R1—since R2 is fixed at half‑duplex—is to change R1's interface to half‑duplex using the command 'duplex half', which matches the settings and stops the corrupted frames. (Long‑term, both sides should ideally be set to full‑duplex, but that requires access to R2.)

Exam trap

Do not confuse input errors with CRC errors. High input errors without CRC errors strongly indicate a duplex mismatch, not a cable fault. Always check duplex settings on both ends when you see this pattern.

Why the other options are wrong

B

The specific factual error is that speed mismatch does not cause the high input error count without CRC errors; duplex mismatch does.

C

The specific factual error is that cable issues produce CRC errors, not just input errors; the absence of CRC errors rules out cable problems.

D

The specific factual error is that 'no shutdown' is used to enable an interface that is administratively down; here the interface is up and passing traffic.

1271
PBQhard

You are connected to R1. Configure IPv4 and IPv6 addressing on R1's interfaces so that R1 can reach R2's loopback0 (192.0.2.1/32) and R2's IPv6 loopback0 (2001:db8:1::1/64). R1 has a misconfigured subnet mask on G0/0 and is missing its default gateway. Additionally, R1 has a duplicate IPv4 address on G0/1 that must be corrected. Use EUI-64 for R1's IPv6 link-local address on G0/0 and static IPv6 for the global unicast address on G0/1.

Network Topology
[Diagram: R1 G0/0 (10.0.0.1/30) -- link -- R2 G0/0 (10.0.0.2/30)]

Hints

  • Check the subnet mask on G0/0 — it should match the link between R1 and R2.
  • R1 needs a default route to reach networks beyond R2.
  • G0/1's IP address conflicts with R2's G0/1 — use a different subnet.
A.Change G0/0 mask to /30, add default route via 10.0.0.2, change G0/1 IP to 192.0.2.2/30, enable IPv6 on G0/0 with EUI-64 link-local, assign 2001:db8:2::1/64 to G0/1
B.Change G0/0 mask to /24, add default route via 10.0.0.1, change G0/1 IP to 10.0.0.6/30, enable IPv6 on G0/0 with EUI-64 link-local, assign 2001:db8:1::1/64 to G0/1
C.Change G0/0 mask to /30, add default route via 10.0.0.1, change G0/1 IP to 192.0.2.2/30, enable IPv6 on G0/0 with EUI-64 link-local, assign 2001:db8:2::1/64 to G0/1
D.Change G0/0 mask to /30, add default route via 10.0.0.2, change G0/1 IP to 10.0.0.6/30, enable IPv6 on G0/0 with EUI-64 link-local, assign 2001:db8:2::1/64 to G0/1
AnswerA
solution
! R1
interface gigabitethernet0/0
! correct the mask to /30 so it matches the R1-R2 link
ip address 10.0.0.1 255.255.255.252
! 'ipv6 enable' derives the EUI-64 link-local address from the interface MAC
ipv6 enable
ipv6 address fe80::/64 eui-64
exit
interface gigabitethernet0/1
! move G0/1 to a different subnet to clear the duplicate address
ip address 192.0.2.2 255.255.255.252
ipv6 address 2001:db8:2::1/64
exit
! default route via R2's directly connected G0/0
ip route 0.0.0.0 0.0.0.0 10.0.0.2

Why this answer

R1 cannot reach R2 because G0/0 has a wrong subnet mask (/24 instead of /30) and no default gateway. Also, G0/1 has a duplicate IPv4 address (10.0.0.5/30 conflicts with R2's G0/1). To fix: change G0/0 mask to /30, add a default route via 10.0.0.2, assign a unique IP to G0/1 (e.g., 192.0.2.2/30), enable IPv6 on G0/0 with EUI-64 link-local, and assign a static global unicast address to G0/1 (2001:db8:2::1/64).

Exam trap

Watch out for common mistakes: using the wrong subnet mask (e.g., /24 instead of /30), pointing the default gateway to the wrong next-hop (e.g., 10.0.0.1 instead of 10.0.0.2), and failing to resolve duplicate IPs by moving to a different subnet. Also, ensure IPv6 addresses are unique and not conflicting with other devices.

Why the other options are wrong

B

The subnet mask on G0/0 must match the connected network (/30), not /24. The default gateway should point to the neighbor's IP (10.0.0.2). The new G0/1 IP must be in a different subnet to avoid duplication.

The IPv6 global unicast address on G0/1 must be unique and not conflict with R2's loopback.

C

The default gateway must be the IP address of the directly connected neighbor (R2's G0/0), which is 10.0.0.2, not 10.0.0.1.

D

The IP address 10.0.0.6/30 is in the same subnet as R2's G0/1 (10.0.0.5/30), so it does not resolve the duplicate address conflict. A different subnet must be used.

1272
Multi-Selecthard

A static default route is configured on R1 toward ISP-A, and a second default route toward ISP-B is configured with a higher administrative distance. Which two statements are correct during normal operation and after ISP-A failure?

Select 2 answers
A.The route through ISP-A is preferred during normal operation
B.The route through ISP-B acts as a floating backup
C.Both defaults are always installed and used equally
D.The backup route is ignored permanently because only one default route can exist
AnswersA, B

It has the default static administrative distance and is preferred over AD 200.

Why this answer

This is a classic floating static design. The lower-AD default route is primary, and the higher-AD default waits in reserve.

Exam trap

A frequent exam trap is assuming that both default routes are simultaneously active and load-balanced, or that the backup route is permanently ignored because only one default route can exist. The trap lies in misunderstanding administrative distance behavior: the higher AD route is not used until the primary route fails. Misreading this can lead to incorrect answers claiming equal usage or permanent backup route exclusion.

Remember, Cisco routers always prefer the route with the lowest administrative distance and only switch to the floating static route when the primary path is lost.

Why the other options are wrong

C

This option is incorrect because Cisco routers do not install multiple default routes with different administrative distances simultaneously; only the route with the lowest AD is installed and used.

D

This option is incorrect because the backup route is not ignored permanently; it becomes active when the primary default route toward ISP-A fails, ensuring continuous connectivity.

1273
Drag & Dropmedium

Drag and drop the following steps into the correct order to plan, configure, and apply an extended ACL that permits only HTTP traffic from the 192.168.1.0/24 network to the server at 10.0.0.100, and then verify the configuration.

Why this order

First, enter config mode. Then create the ACL allowing HTTP from the source network to the destination host. Apply it inbound on the appropriate interface.

Save and verify the configuration.

Exam trap

Remember that ACLs are created in global configuration mode, not interface mode. Also, apply ACLs inbound on the interface closest to the source for efficiency. Pay attention to whether the requirement is to permit or deny traffic.

1274
MCQmedium

Why is DHCP often preferred over manual addressing on larger user networks?

A.It automates host IP configuration and reduces manual effort and mistakes.
B.It replaces DNS completely.
C.It removes the need for default gateways.
D.It is required by all routing protocols.
AnswerA

This is correct because DHCP improves consistency and reduces administrative overhead.

Why this answer

DHCP is often preferred because it automates host configuration and reduces both manual work and configuration mistakes. In practical terms, it is far easier to let endpoints receive addresses, masks, gateways, and DNS settings automatically than to configure each device by hand.

This improves scale, consistency, and operational efficiency. That is why DHCP is such a common service in enterprise access networks.

Exam trap

A common exam trap is selecting options that confuse DHCP with DNS or routing protocols. Some candidates mistakenly believe DHCP replaces DNS or removes the need for default gateways. However, DHCP only automates IP configuration; it does not perform name resolution like DNS, nor does it eliminate the requirement for a default gateway.

Another trap is assuming routing protocols depend on DHCP, which is incorrect because routing protocols operate independently of IP address assignment methods. Understanding these distinctions is essential to avoid incorrect answers related to IP services in the CCNA exam.

Why the other options are wrong

B

This option is incorrect because DHCP does not replace DNS. DNS is a separate service responsible for name resolution, while DHCP only provides IP configuration parameters including DNS server addresses.

C

This option is wrong because DHCP does not remove the need for default gateways. Hosts still require gateway information to communicate outside their subnet, and DHCP typically provides this information during configuration.

D

This option is incorrect because routing protocols do not depend on DHCP. Routing protocols function independently of IP address assignment methods and do not require DHCP to operate on user networks.

1275
MCQhard

Exhibit: Users on SW2 in VLAN 30 can reach local devices but not hosts in VLAN 30 on SW1. What is the most likely reason?

A.The trunk native VLAN is 1 on both sides
B.VLAN 30 is not allowed on the trunk
C.SW2 must run VTP server mode
D.Spanning tree blocks all user VLANs by default
AnswerB

Correct choice.

Why this answer

The trunk is allowing only VLANs 10 and 20. Even though both switches have VLAN 30 defined locally, VLAN 30 traffic cannot cross the trunk unless that VLAN is allowed on the link. Option A is incorrect because the native VLAN (default 1) does not affect tagged VLAN 30 traffic, and native VLAN mismatch causes different issues.

Option C is incorrect because VTP is used for VLAN database synchronization, not for forwarding traffic over a trunk; switches do not need to be VTP servers to pass VLAN traffic. Option D is incorrect because spanning tree only blocks redundant paths to prevent loops, not all user VLANs by default.

Exam trap

Ensure you verify trunk configurations when VLAN traffic is not passing between switches, even if VLANs are correctly configured locally.

Why the other options are wrong

A

This option is incorrect because the native VLAN being set to 1 does not prevent VLAN 30 traffic from being transmitted across the trunk link. The issue lies in VLAN 30 not being allowed on the trunk, which is not addressed by the native VLAN setting.

C

This option is incorrect because VTP server mode is not required for VLANs to communicate across switches; VLAN configuration can be done independently on each switch. The issue in the question is related to trunking and VLAN allowance, not VTP mode.

D

Spanning Tree Protocol (STP) does not block all user VLANs by default; it only blocks specific ports to prevent loops. In this case, the issue is related to VLAN 30 not being allowed on the trunk, not STP blocking the VLAN.
