CCNA 200-301 v2 (200-301) — Questions 12761350

1819 questions total · 25 pages · All types, answers revealed

Page 18 of 25

1276
MCQ · hard

A network administrator has several access points. All APs except one have successfully joined the wireless controller. The administrator verifies the failing AP’s IP address, subnet mask, and controller IP address are correctly configured. What is the most likely reason the AP cannot join the controller?

A. The AP has an incorrect default gateway for its subnet.
B. CAPWAP can be used only if the AP has no IP address.
C. The AP must use PPP instead of Ethernet to reach the controller.
D. The controller can support only 14 APs maximum.
Answer: A

If the AP's default gateway is wrong, it cannot send packets to the controller that resides on a different subnet, even if the IP address and controller discovery settings are correct.

Why this answer

The most likely cause is that the AP has an incorrect default gateway. For the AP to reach the controller (which may be on a different subnet), it needs a correct default gateway to route traffic. The other APs joined successfully, eliminating a controller-wide issue.

Option B is incorrect because CAPWAP requires an IP address; it does not work without one. Option C is incorrect because CAPWAP uses IP/UDP, not PPP. Option D is unlikely because there is no indication that the controller is at its AP limit; the problem affects only one AP, suggesting an individual misconfiguration.

Exam trap

Avoid assuming global issues when only one AP is affected; focus on individual AP configuration and connectivity.

Why the other options are wrong

B

CAPWAP tunnels require the AP to have an IP address; the statement is false.

C

CAPWAP operates over IP using UDP ports, not PPP.

D

The controller may have an AP capacity limit, but with only one AP failing and no evidence that the limit is 14, this is not the strongest explanation.

1277
Matching · medium

Match each trunking term to its most accurate meaning.

Link carrying multiple VLANs

Setting that restricts which VLANs may cross the trunk

VLAN associated with untagged traffic on the trunk

VLAN assigned to a normal endpoint-facing port

Why these pairings

These pairings match common trunking terms with their accurate definitions in networking.

Exam trap

Be careful not to confuse the native VLAN with tagged VLANs: native VLAN frames are untagged on a trunk. Also, remember that DTP is used for negotiation, not for configuration of native VLAN or allowed VLANs.

1278
Multi-Select · medium

Which TWO statements correctly describe the configuration and verification of AAA with RADIUS/TACACS+ and 802.1X port-based authentication on IOS-XE?

Select 2 answers
A. The switch port must be configured as an access port and the command 'authentication port-control auto' must be applied.
B. AAA authentication for 802.1X must be configured using TACACS+ as the protocol of choice.
C. The global command 'aaa new-model' is sufficient to enable 802.1X on all interfaces.
D. RADIUS is the recommended protocol for 802.1X authentication because it supports EAP and is widely used in network access control.
E. 802.1X can be configured on a trunk port to authenticate multiple VLANs simultaneously.
Answers: A, D

This is correct because 802.1X requires the port to be an access port and the 'auto' setting places the port in the unauthorized state initially, triggering the authentication process.

Why this answer

Option A is correct because 802.1X requires the switch port to be an access port (not trunk or dynamic) and the 'authentication port-control auto' command enables EAPoL-based authentication. Option D is correct because RADIUS is the recommended protocol for 802.1X; it natively supports EAP extensions and is widely used for network access control, whereas TACACS+ does not support EAP and is more suited for device administration. Option B is false because AAA authentication for 802.1X should use RADIUS, not TACACS+.

Option C is false because 'aaa new-model' only activates the AAA framework; 802.1X requires additional global commands like 'dot1x system-auth-control' and per-interface configuration. Option E is false because 802.1X is typically configured on access ports and cannot be used on trunk ports to authenticate multiple VLANs; the port must be in access mode.

Exam trap

Cisco often tests the misconception that 'aaa new-model' alone enables all AAA features, including 802.1X, when in fact it only activates the AAA framework and separate interface-level commands are required.

Why the other options are wrong

B

TACACS+ encrypts only the password and is designed for device administration, not for 802.1X authentication which requires EAP support—RADIUS is the correct choice.

C

The global command 'aaa new-model' enables the AAA architecture but does not automatically enable 802.1X on interfaces; additional commands like 'dot1x system-auth-control' and per-interface 'authentication port-control auto' are needed.

E

802.1X requires the switch port to be in access mode, not trunk mode; trunk ports do not support 802.1X because multiple VLANs would conflict with the authentication process.

1279
Multi-Select · medium

Which three of the following are valid features of Enhanced Interior Gateway Routing Protocol (EIGRP)? (Choose three.)

Select 3 answers
A. EIGRP maintains a topology table containing all routes learned from neighbors.
B. EIGRP uses the Diffusing Update Algorithm (DUAL) to ensure loop-free paths.
C. EIGRP supports unequal-cost load balancing using the 'variance' command.
D. EIGRP is a link-state routing protocol similar to OSPF.
E. EIGRP uses multicast address 224.0.0.5 for all neighbor communications.
F. EIGRP automatically summarizes routes at classful boundaries by default on all interfaces.

Why this answer

All three statements are correct features of EIGRP. EIGRP maintains a topology table that stores all routes learned from directly connected neighbors, including feasible successors. It uses the Diffusing Update Algorithm (DUAL) to guarantee loop-free paths by performing a diffusing computation when a route is lost.

Additionally, EIGRP supports unequal-cost load balancing by using the 'variance' command, which allows traffic to be distributed across multiple paths with different metrics, as long as the metric of the alternate path is within the variance multiplier times the best metric.

Exam trap

Cisco often tests the distinction between EIGRP's topology table (which stores all learned routes) and its routing table (which stores only the best routes), and candidates may confuse the 'variance' command with equal-cost load balancing only, forgetting that it enables unequal-cost load balancing.

1280
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure PAT (Port Address Translation) on a Cisco IOS-XE router.

Why this order

The correct sequence is: enter global configuration mode, designate inside and outside interfaces, create the NAT pool, and then enable overload on the pool. Interfaces must be designated first so that NAT translation can identify which interfaces are inside/outside. The pool must exist before you apply overload to it; otherwise the overload command will refer to an undefined pool.

The other options incorrectly place the pool creation or overload instruction before interface designation or in an impossible order.

Exam trap

The exam trap is that candidates often confuse the order of NAT configuration steps. Remember: interfaces first (inside/outside), then pool, then overload. Do not create the pool before designating interfaces, and do not enable overload before the pool exists.

1281
MCQ · hard

Refer to the exhibit. A network engineer notices that a user connected to GigabitEthernet0/5 cannot access the network. The engineer issues the show port-security interface GigabitEthernet0/5 command. Based on the output, what is the most likely cause of the issue?

A. The interface is administratively shut down.
B. An unauthorized device with a different MAC address was connected, triggering a port-security violation and placing the port in an error-disabled state.
C. The sticky MAC address feature is disabled, allowing any MAC address to cause a violation.
D. The maximum number of secure MAC addresses has been exceeded, causing the port to err-disable.
Answer: B

The output shows 'Port Status: Secure-shutdown' after a violation, a violation count of 3, and the 'Last Source Address' (aaaa.bbbb.cccc) differing from the sticky MAC. This confirms an unauthorized MAC triggered the violation and shut down the port.

Why this answer

The exhibit shows the port status as 'Secure-shutdown', which indicates the port has been error-disabled due to a port-security violation. The 'Last Source Address' (aaaa.bbbb.cccc) is different from the sticky MAC address, and the violation count is 3, proving an unauthorized device attempted to connect, causing the shutdown.

Exam trap

Many candidates incorrectly assume that the violation occurred because the maximum number of MAC addresses was exceeded, but the output shows Maximum MAC Addresses set to 1 and Total MAC Addresses also at 1, meaning the limit was not exceeded. The real trigger is the mismatched source MAC address.

Why the other options are wrong

A

A common misconception is that any down state is an admin shutdown, but Cisco IOS distinguishes 'Secure-shutdown' for port-security errdisable from 'administratively down'.

C

Some candidates misread the output and assume sticky is off, but the presence of a sticky MAC count proves it is active.

D

It is tempting to assume any violation with maximum 1 is due to exceeding the limit, but in this case the secure MAC is the original sticky address, and the violation is from a different unauthorized MAC, which still respects the limit count but fails the authorization check.

1282
Multi-Select · medium

An engineer is comparing data serialization formats used by controllers and automation tools. Which two statements correctly describe JSON?

Select 2 answers
A. It represents data as key-value pairs and arrays
B. It is commonly used in REST API payloads
C. It requires closing tags like XML
D. It can only represent numeric values
Answers: A, B

Objects and arrays are core JSON structures.

Why this answer

Option A is correct because JSON structures data using key-value pairs (objects) and ordered lists (arrays), which are fundamental to its syntax. Option B is correct as JSON is the standard payload format for REST API requests and responses due to its lightweight nature and ease of parsing. Option C is incorrect because JSON does not use closing tags; instead, it relies on curly braces {} for objects and square brackets [] for arrays.

Option D is incorrect because JSON supports multiple data types beyond numeric values, including strings, booleans, null, arrays, and nested objects.

Exam trap

A frequent exam trap is assuming JSON requires closing tags similar to XML, which is incorrect. JSON uses braces and brackets to define objects and arrays without paired tags, so confusing these formats can lead to wrong answers. Another common mistake is believing JSON only supports numeric values, ignoring that it also supports strings, booleans, null, arrays, and nested objects.

Misunderstanding these details can cause candidates to incorrectly reject JSON as a serialization format in automation scenarios, especially when comparing it to XML or other data formats.

Why the other options are wrong

C

Option C is incorrect because JSON does not require closing tags like XML; it uses braces and brackets to delimit data structures, making this statement false.

D

Option D is incorrect as JSON supports a variety of data types beyond numeric values, including strings, booleans, arrays, objects, and null, so it is not limited to numbers.

1283
Matching · medium

Match each operational tool to the kind of question it most directly helps answer.

What events or messages occurred?

What are the counters or current status values?

Which conversations are using the bandwidth?

Are device clocks aligned for accurate timelines?

Why these pairings

Syslog collects and stores log messages from network devices, directly answering 'What events or messages occurred?' SNMP queries device MIBs for counters and status values, answering 'What are the counters or current status values?' NetFlow provides traffic flow records showing source/destination pairs, protocols, and bandwidth usage, answering 'Which conversations are using the bandwidth?' NTP synchronizes clocks across devices, answering 'Are device clocks aligned for accurate timelines?' The tools are standard network management protocols, not specific to any cloud platform.

Exam trap

The trap is confusing the purpose of NetFlow with other monitoring tools like SNMP or IP SLA. NetFlow is specifically for traffic flow data, not device metrics or performance testing.

1284
MCQ · medium

A router has these routes in its routing table:

  O 172.16.0.0/16
  O 172.16.20.0/24
  S 172.16.20.128/25

A packet destined for 172.16.20.200 arrives. Which route will the router use?

A. 172.16.0.0/16
B. 172.16.20.0/24
C. 172.16.20.128/25
D. The default route
Answer: C

Correct. Longest prefix match takes precedence over route source and less specific entries.

Why this answer

Routers choose the most specific matching route. The destination 172.16.20.200 falls within 172.16.20.128/25, so that static route is used even though broader matches also exist.

Exam trap

A frequent exam trap is to select the route with the lowest administrative distance, or the route learned via OSPF simply because it is dynamic. Candidates often overlook that the router applies the longest prefix match rule first; administrative distance only breaks ties between routes to the same prefix. In this question the static route 172.16.20.128/25 is the most specific match, so it is chosen on prefix length alone (static routes also happen to have a lower administrative distance than OSPF routes, but that is not why it wins).

Misunderstanding this can lead to incorrect answers, especially when multiple routes overlap in the routing table.

Why the other options are wrong

A

The route 172.16.0.0/16 matches the destination IP but is the least specific route with a /16 mask. Since more specific routes exist, the router will not select this route.

B

The route 172.16.20.0/24 also matches the destination but is less specific than the /25 static route. The router prefers the longer prefix match, so this route is not chosen.

D

The default route is only used when no other routes match the destination IP. Since multiple specific routes exist, the default route is not used in this case.
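The lookup rule behind this answer, as an added Python example that is not part of the question bank. It encodes the question's three routes plus a constructed default route, and goes one step further than the question by showing that administrative distance (the ADMIN_DISTANCE values are the standard Cisco IOS defaults for connected, static and OSPF routes) is only a tie-break between equal-length prefixes.

```python
import ipaddress
from dataclasses import dataclass

# Default administrative distances in Cisco IOS for the route sources used here.
ADMIN_DISTANCE = {"C": 0, "S": 1, "O": 110}


@dataclass(frozen=True)
class Route:
    source: str   # "C" connected, "S" static, "O" OSPF (the code letter in 'show ip route')
    prefix: str   # e.g. "172.16.20.128/25"; "0.0.0.0/0" is the default route

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix, strict=False)


def lookup(table, destination):
    """Return the Route the router would use for destination, or None if nothing matches.

    Step 1: keep only routes whose prefix contains the destination.
    Step 2: prefer the longest prefix (most specific match).
    Step 3: only among routes with the same prefix length does the lower
            administrative distance win; it never overrides a longer match.
    """
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in table if dst in r.network]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-r.network.prefixlen, ADMIN_DISTANCE[r.source]))


# The routing table from the question, plus a constructed static default route.
TABLE = [
    Route("O", "172.16.0.0/16"),
    Route("O", "172.16.20.0/24"),
    Route("S", "172.16.20.128/25"),
    Route("S", "0.0.0.0/0"),
]

if __name__ == "__main__":
    # Constructed destinations: the one from the question plus three that land on other entries.
    for dst in ("172.16.20.200", "172.16.20.10", "172.16.99.1", "203.0.113.7"):
        r = lookup(TABLE, dst)
        print(f"{dst:>15} -> {r.source} {r.prefix}")
```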

1285
PBQ · hard

You are connected to R1, a router that must establish OSPFv3 adjacency with R2 over the directly connected link G0/0. The current configuration is incomplete: OSPFv3 process is configured but not enabled on the interface, and global IPv6 unicast routing is missing. Configure R1 so that it becomes an OSPFv3 neighbor with R2 and learns the loopback route 2001:db8:1:2::/64 via OSPFv3. Then verify neighbor state and routing table.

Network Topology
R1 G0/0 2001:db8:0:1::1/64 <-- link --> R2 G0/0 2001:db8:0:1::2/64

Hints

  • OSPFv3 requires IPv6 unicast routing to be enabled globally before it can operate.
  • OSPFv3 is enabled on an interface using the 'ipv6 ospf <process-id> area <area-id>' command.
  • Without the interface-level command, the router will not send hellos and will not form an adjacency.

A. Enable IPv6 unicast routing globally and activate OSPFv3 on GigabitEthernet0/0 with the command 'ipv6 ospf 1 area 0'.
B. Enable IPv6 unicast routing globally and configure OSPFv3 process 1 with the 'network' command under the OSPFv3 router configuration mode.
C. Enable IPv6 unicast routing globally and configure OSPFv3 process 1 with the 'router-id' command to ensure adjacency.
D. Enable IPv6 unicast routing globally and configure OSPFv3 process 1 with the 'passive-interface default' command to allow adjacency.
Answer: A
Solution:
! R1
ipv6 unicast-routing
interface GigabitEthernet0/0
ipv6 ospf 1 area 0

Why this answer

R1 is missing two critical configurations: global IPv6 unicast routing must be enabled with 'ipv6 unicast-routing', and OSPFv3 must be activated on GigabitEthernet0/0 using 'ipv6 ospf 1 area 0' under the interface. Without these, R1 cannot send or receive OSPFv3 hellos, so no adjacency forms and routes are not exchanged. After applying both commands, the neighbor state becomes FULL and the remote loopback appears in the IPv6 routing table.

Exam trap

The exam trap is that OSPFv3 configuration differs from OSPFv2: OSPFv3 does not use network statements under the router process; instead, it is enabled directly on the interface. Additionally, IPv6 unicast routing must be globally enabled before OSPFv3 can function. Candidates often forget one of these two steps.

Why the other options are wrong

B

The specific factual error is that OSPFv3 uses interface-level configuration, not network statements under the OSPF process.

C

The specific factual error is that setting a router ID alone does not activate OSPFv3 on an interface; OSPFv3 must be explicitly enabled on the interface.

D

The specific factual error is that 'passive-interface default' would actually prevent adjacency, not help form it.

1286
Multi-Select · hard

Exhibit: An OSPFv2 adjacency between two routers on Ethernet is not forming. Which two mismatches would directly prevent the routers from becoming neighbors?

Select 2 answers
A. Different OSPF area assignments on the interfaces
B. Authentication mismatch between the interfaces
C. Different hostnames on the routers
D. Different loopback addresses used for management
E. One router using SSH version 2
Answers: A, B

Neighbors on the same link must agree on the area.

Why this answer

On an OSPFv2 network, area mismatch and authentication mismatch both directly prevent adjacency formation. Mismatched timers (such as hello or dead intervals) also block adjacency on all network types, including Ethernet. In this scenario, the correct choices are area mismatch (A) and authentication mismatch (B).

Exam trap

A common exam trap is selecting options like different hostnames or loopback addresses as causes for OSPF adjacency failure. Candidates may mistakenly believe that router identification parameters affect neighbor formation. However, OSPF adjacency strictly depends on protocol parameters such as area ID and authentication.

Hostnames and loopback interfaces are used for management or router ID purposes but do not block adjacency. Misunderstanding this can lead to incorrect troubleshooting steps or exam answers, wasting valuable time and causing confusion.

Why the other options are wrong

C

Different hostnames do not affect OSPF adjacency since hostnames are used only for identification and management, not neighbor formation.

D

Different loopback addresses used for management do not influence OSPF adjacency on Ethernet interfaces, so they do not block neighbor relationships.

E

One router using SSH version 2 is unrelated to OSPF adjacency because SSH is a management protocol and does not impact routing protocol neighbor formation.

1287
MCQ · hard

Refer to the exhibit. A network administrator is troubleshooting an OSPF adjacency on R1's GigabitEthernet0/0 interface connected directly to R2. R2 is powered on and shows correct OSPF configuration, but the adjacency is stuck in the INIT or DOWN state. Based on the output, what is the most likely cause of the failure?

A. The OSPF network type on R1's GigabitEthernet0/0 does not match the network type on R2.
B. The OSPF hello and dead timers on R1 do not match those configured on R2.
C. The GigabitEthernet0/0 interface on R1 has been assigned to a different OSPF area than R2's connected interface.
D. The OSPF passive-interface command has been applied to GigabitEthernet0/0, preventing hello packets from being sent.
Answer: D

The line 'No Hellos (Passive interface)' in the output directly indicates that the interface has been configured as passive, which suppresses all OSPF hello messages and blocks adjacency formation.

Why this answer

The command output explicitly shows 'No Hellos (Passive interface)', confirming that the passive-interface command has been applied to GigabitEthernet0/0. With this configuration, OSPF does not send or receive hello packets on the interface, preventing any adjacency from forming with the directly connected neighbor R2.

Exam trap

Many candidates immediately suspect a Hello/Dead timer mismatch (Option B) because mismatched timers are a common cause of adjacency failures. However, the output clearly states that no hellos are being sent at all due to the passive state, making B incorrect.

Why the other options are wrong

A

Candidates may think network type mismatch when they see no adjacency, but the exhibit does not indicate a mismatch and explicitly shows the passive state.

B

Timer mismatch is a classic troubleshooting trap, but the 'No Hellos (Passive interface)' message overrides any timer considerations.

C

Candidates may guess area mismatch as a cause, but the exhibit provides no evidence of it, while the passive-interface message is a direct cause.

1288
Drag & Drop · medium

Drag and drop the following steps into the correct order to implement a basic network monitoring workflow using telemetry and streaming analytics on Cisco IOS-XE.

Why this order

The workflow begins with collecting telemetry data from devices, then streams it to an analytics platform for processing. The data is visualized on dashboards for monitoring, and finally alerts are generated when predefined thresholds are exceeded to enable a response.

Exam trap

Students often reverse the order of streaming and monitoring; data must be streamed before it can be visualized.

1289
Drag & Drop · medium

Drag and drop the following steps into the correct order to set up gRPC streaming telemetry subscription on a Cisco IOS-XE device.

Why this order

The correct sequence starts by entering global configuration mode. Next, create a telemetry subscription because the subscription provides the sub-mode where the remaining elements are configured. Within the subscription, configure the receiver to specify the destination, protocol, and encoding.

Then, define the sensor path to select the YANG data nodes to be streamed. Finally, associate the sensor group to bind the sensor path to the subscription. While the order of configuring the receiver and defining the sensor path is flexible inside the subscription—neither depends on the other—the subscription itself must exist before any subcomponent.

Exam trap

A common mistake is trying to define a sensor path or associate a sensor group before the telemetry subscription has been created; the subscription must be established first to host those elements.

1290
MCQ · hard

A host has a valid IP address and subnet mask from DHCP but cannot reach remote networks because no gateway was provided. What is the best explanation?

A. The host has no next-hop gateway for traffic destined outside its local subnet.
B. The host cannot use ARP on the local network anymore.
C. The host automatically becomes part of every remote subnet.
D. The host must convert its access port into a trunk.
Answer: A

This is correct because a default gateway is needed for off-subnet traffic.

Why this answer

The best explanation is that the host has no next-hop path for off-subnet traffic. In plain language, the device knows what its own local network looks like, but it does not know where to send packets when the destination is outside that local range. Without a default gateway, remote communication usually fails even though local communication can still work.

This is a core host-configuration concept. The correct answer is the one focused on the absence of a next hop for remote destinations.

Exam trap

A common exam trap is assuming that a host without a default gateway cannot communicate at all. Many candidates mistakenly believe that missing a gateway disables all network communication, but in reality, the host can still communicate with devices on its local subnet using ARP. The trap lies in confusing local subnet communication with remote network access.

The question specifically tests understanding that the lack of a gateway prevents forwarding to remote networks, not local connectivity. Misreading this can lead to selecting incorrect options that focus on ARP or subnet expansion rather than the gateway role.

Why the other options are wrong

B

This option is incorrect because ARP is used for local subnet communication and does not depend on the presence of a default gateway. The host can still use ARP to communicate locally.

C

This option is wrong because a host does not automatically become part of every remote subnet without a gateway. The subnet mask defines the local subnet boundaries, and gateway absence does not change this.

D

This option is unrelated to the problem. Converting an access port to a trunk port affects VLAN tagging on switches but does not impact a host’s ability to have or use a default gateway.

1291
PBQ · medium

You are connected to R1 via console. R1 is connected to three routers (R2, R3, R4) over Ethernet links, all in OSPF area 0. Due to network topology, R1 should not become the Designated Router (DR) or Backup Designated Router (BDR) on any of its interfaces. You need to configure R1's OSPF priority appropriately to ensure it never participates in DR/BDR elections.

Network Topology
R1: G0/0 10.0.0.1/24, G0/1 10.0.1.1/24, G0/2 10.0.2.1/24; neighbors R2, R3, R4

Hints

  • The DR/BDR election is based on the highest OSPF priority, with a tiebreaker on router ID.
  • Setting the priority to 0 on an interface means the router cannot become DR or BDR.
  • The command is configured under the interface.

A. Set the OSPF priority to 0 on all interfaces of R1.
B. Set the OSPF priority to 255 on all interfaces of R1.
C. Set the OSPF priority to 1 on all interfaces of R1.
D. Set the OSPF priority to 0 on the loopback interface of R1.
Answer: A
Solution:
! R1
interface GigabitEthernet0/0
ip ospf priority 0
interface GigabitEthernet0/1
ip ospf priority 0
interface GigabitEthernet0/2
ip ospf priority 0

Why this answer

Setting the OSPF priority to 0 on each Ethernet interface excludes R1 from DR/BDR elections entirely, as a priority of 0 signals that the router is ineligible. In contrast, option B (priority 255) is incorrect because the highest priority makes a router the most likely to become DR/BDR, not prevent it. Option C (priority 1) allows the router to participate in elections and could still become DR/BDR if no higher-priority router exists.

Option D is wrong because setting priority to 0 on the loopback interface does not affect the physical Ethernet interfaces where elections occur.

Exam trap

Remember that only a priority of 0 prevents a router from being elected as DR or BDR. Do not confuse priority with other OSPF parameters like cost or hello interval. Also, priority must be set on the actual interfaces facing the multiaccess network, not on loopback or other logical interfaces.

Why the other options are wrong

B

A priority of 255 is the highest possible value, ensuring the router becomes the DR or BDR, not excluding it.

C

Priority 1 is the default and allows the router to be elected if it has the highest priority or Router ID.

D

Loopback interfaces are not used for DR/BDR elections; they are logical interfaces. The priority must be set on the physical interfaces connecting to other routers.

1292
MCQ · easy

An ACL on R1 contains only these entries:

  access-list 101 permit tcp 10.10.10.0 0.0.0.255 any eq 443
  access-list 101 permit icmp any any

What happens to an HTTP packet sourced from 10.10.10.25 and destined for 198.51.100.10 if ACL 101 is applied in the traffic path?

A. It is permitted because the source subnet is allowed.
B. It is denied by the implicit deny.
C. It is translated by NAT before the ACL is checked.
D. It is converted to HTTPS automatically.
Answer: B

The packet does not match either permit entry, so the implicit deny drops it.

Why this answer

HTTP uses TCP port 80, not 443. Because the ACL does not include a permit for that traffic, it is dropped by the implicit deny at the end of the ACL. The ICMP entry is irrelevant because the packet is TCP.

Exam trap

Be careful not to confuse TCP with ICMP or overlook the specific port numbers in ACL entries.

Why the other options are wrong

A

This option is wrong because the ACL only permits TCP traffic on port 443 and ICMP traffic, so an HTTP packet (port 80) from the specified source would be denied by the implicit deny rule at the end of the ACL.

C

This option is wrong because NAT does not occur before ACL evaluation; the ACL is applied directly to the packet as it arrives at the interface. Therefore, the HTTP packet is evaluated against the ACL without any translation taking place.

D

This option is wrong because the ACL does not automatically convert HTTP traffic to HTTPS; it only permits or denies traffic based on the defined rules. The packet from 10.10.10.25 is not permitted by the ACL since it is not targeting port 443.
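The top-down ACL evaluation this question tests, as an added Python example that is not part of the question bank. It implements Cisco wildcard-mask matching, the 'eq' port qualifier and the implicit deny, then runs ACL 101 exactly as written in the question against constructed packets, including the HTTP packet from 10.10.10.25.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # the ACL keyword "any": every bit is a wildcard bit


@dataclass(frozen=True)
class Packet:
    protocol: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str                # "permit" or "deny"
    protocol: str              # "tcp", "udp", "icmp" or "ip" (ip matches any protocol)
    src: str
    src_wildcard: str          # wildcard mask: 1 bits are "don't care", 0 bits must match
    dst: str
    dst_wildcard: str
    dst_port: Optional[int] = None   # the "eq <port>" qualifier, if present


def wildcard_match(address: str, pattern: str, wildcard: str) -> bool:
    """True when address matches pattern under a Cisco wildcard mask."""
    a = int(ipaddress.IPv4Address(address))
    p = int(ipaddress.IPv4Address(pattern))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF   # bits that must be equal
    return (a & care) == (p & care)


def entry_matches(entry: Entry, pkt: Packet) -> bool:
    if entry.protocol != "ip" and entry.protocol != pkt.protocol:
        return False
    if not wildcard_match(pkt.src, entry.src, entry.src_wildcard):
        return False
    if not wildcard_match(pkt.dst, entry.dst, entry.dst_wildcard):
        return False
    # A port qualifier is only present on TCP/UDP entries; ICMP packets carry no port.
    if entry.dst_port is not None and entry.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl, pkt: Packet):
    """Walk the ACL top-down; the first matching entry decides. No match -> implicit deny."""
    for line_no, entry in enumerate(acl, start=1):
        if entry_matches(entry, pkt):
            return entry.action, line_no
    return "deny", None          # the implicit "deny ip any any" at the end of every ACL


# ACL 101 exactly as given in the question.
ACL_101 = [
    Entry("permit", "tcp", "10.10.10.0", "0.0.0.255", *ANY, dst_port=443),
    Entry("permit", "icmp", *ANY, *ANY),
]

if __name__ == "__main__":
    # Constructed sample packets; the first is the one in the question (HTTP = TCP port 80).
    samples = [
        Packet("tcp", "10.10.10.25", "198.51.100.10", 80),
        Packet("tcp", "10.10.10.25", "198.51.100.10", 443),
        Packet("icmp", "192.0.2.9", "198.51.100.10"),
        Packet("tcp", "10.10.11.25", "198.51.100.10", 443),
    ]
    for pkt in samples:
        action, line_no = evaluate(ACL_101, pkt)
        where = f"entry {line_no}" if line_no else "implicit deny"
        print(f"{pkt.protocol:<4} {pkt.src:>12} -> {pkt.dst}:{pkt.dst_port}  {action} ({where})")
```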

1293
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure a Cisco switch as a DHCP relay agent with DHCP snooping, where the DHCP server is located on a remote router.

Why this order

First, the DHCP server must be properly configured on the router. Next, DHCP snooping is enabled globally on the switch to protect against rogue servers. Then, the specific client VLANs must be added to the snooping database.

After that, the uplink interface to the DHCP server must be trusted to allow legitimate server responses. Finally, the ip helper-address command is placed on the client's SVI to forward DHCP broadcasts to the remote server.

1294
Drag & Drop · medium

Arrange the following steps in a valid configuration order. Note: VLANs must be created first, verification last. The access-port assignment and trunk configuration (steps B and C) can be performed in any order after VLAN creation.

Why this order

The only mandatory ordering is to create VLANs first (step A) and verify last (step D). Steps B (assign access ports) and C (configure trunking with native VLAN) have no technical dependency on each other: both require the VLANs to exist, but either can be done before the other, so any fixed B-then-C sequence would be arbitrary.

Exam trap

Candidates often confuse the order of VLAN creation and port assignment. Remember: VLANs must exist before they can be assigned to any port. Also, verification is always the last step.

1295
PBQ · hard

You are connected to R1 via console. R1 connects two networks: GigabitEthernet0/0 (10.0.0.1/30) to the ISP, and GigabitEthernet0/1 (172.16.1.1/24) to an internal network. The internal hosts (172.16.1.0/24) need to communicate with a server at 10.0.0.2 (ISP side) using a static NAT mapping. Configure static NAT so that internal host 172.16.1.100 is mapped to public IP 10.0.0.3 (which is not assigned to any interface; assume ISP routes 10.0.0.3 to R1). Also configure a static route to reach 10.0.0.3 via the ISP router (next-hop 10.0.0.2).

Network Topology (diagram): Host 172.16.1.100 on the LAN connects to R1 G0/1 (172.16.1.1/24); R1 G0/0 (10.0.0.1/30) connects to the ISP; Server (10.0.0.2) sits on the ISP side.

Hints

  • Static NAT uses 'ip nat inside source static' mapping private to public.
  • Designate inside and outside interfaces correctly.
  • A static route is needed for the public IP because it is not directly connected.

A. ip nat inside source static 172.16.1.100 10.0.0.3; interface GigabitEthernet0/0; ip nat outside; interface GigabitEthernet0/1; ip nat inside; ip route 10.0.0.3 255.255.255.255 10.0.0.2
B. ip nat inside source static 10.0.0.3 172.16.1.100; interface GigabitEthernet0/0; ip nat inside; interface GigabitEthernet0/1; ip nat outside; ip route 10.0.0.3 255.255.255.255 10.0.0.2
C. ip nat inside source static 172.16.1.100 10.0.0.3; interface GigabitEthernet0/0; ip nat inside; interface GigabitEthernet0/1; ip nat outside; ip route 10.0.0.3 255.255.255.255 10.0.0.2
D. ip nat outside source static 172.16.1.100 10.0.0.3; interface GigabitEthernet0/0; ip nat outside; interface GigabitEthernet0/1; ip nat inside; ip route 10.0.0.3 255.255.255.255 10.0.0.2

Answer: A

Solution:
! R1
ip nat inside source static 172.16.1.100 10.0.0.3
interface GigabitEthernet0/1
 ip nat inside
interface GigabitEthernet0/0
 ip nat outside
ip route 10.0.0.3 255.255.255.255 10.0.0.2

Why this answer

Static NAT provides a one-to-one mapping between a private and public IP. The inside/outside interface designations are critical for NAT to function. The static route ensures that return traffic to 10.0.0.3 is routed via the ISP.

Exam trap

Be careful with the order of addresses in the static NAT command: inside local (private) first, then inside global (public). Also, remember that the inside interface is the one facing your internal network, and the outside interface faces the external network. The static route is needed for the public IP that is not directly connected.

Why the other options are wrong

B

The static NAT command syntax is 'ip nat inside source static [inside-local] [inside-global]'. Here, the inside local (private) should be 172.16.1.100 and inside global (public) should be 10.0.0.3. Also, the inside interface is the one facing the internal network (G0/1) and outside is facing the ISP (G0/0).

C

NAT requires that the interface facing the internal network be marked as 'ip nat inside' and the interface facing the external network be marked as 'ip nat outside'. Here, G0/0 connects to the ISP (outside) and G0/1 connects to the internal network (inside).

D

The command 'ip nat outside source static' translates the source address of packets arriving on the outside interface. For translating internal host addresses to a public IP, 'ip nat inside source static' must be used.

1296
MCQ (hard)

A network engineer notices that traffic from the router to server 192.168.10.5 is being sent over a slow backup link, even though the primary high-speed link is up. The routing table has an OSPF route for 192.168.10.0/24 via the primary link and a static host route to 192.168.10.5/32 via the backup link. Why is the backup link used for traffic to the server?

A. The static route has an administrative distance of 1, which is lower than OSPF's 110, so it is always preferred.
B. The router is load-balancing between the two routes, and traffic is being hashed to the backup link for this particular flow.
C. The OSPF route is not installed in the routing table because the static route has a better AD.
D. The static /32 route is a more specific match than the OSPF /24 route, so it is selected regardless of administrative distance.

Answer: D

The router always picks the route with the longest prefix match. The /32 route matches 192.168.10.5 exactly, while the /24 route matches a broader range. Therefore, the /32 route is used.

Why this answer

The router uses the most specific matching route in the routing table to forward traffic. The static host route to 192.168.10.5/32 has a longer prefix length (32 bits) than the OSPF route for 192.168.10.0/24 (24 bits), making it a more specific match. Even though OSPF has a higher administrative distance, the longest prefix match rule takes precedence over administrative distance when both routes are present in the routing table.
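
To make the two-stage selection concrete, here is an added Python example (not part of the original question bank) that models a routing table: routes for the same prefix compete on administrative distance when they are installed, and the forwarding lookup then picks the longest matching prefix among the installed routes. The route entries, the RIP route and the link names are constructed for the illustration.

```python
import ipaddress

# Constructed candidate routes for the illustration: (prefix, AD, protocol, exit link).
# The OSPF /24 and the static /32 mirror the question; the RIP /24 is added to show
# that AD only decides between routes for the *same* prefix.
CANDIDATES = [
    ("192.168.10.0/24", 110, "OSPF", "primary"),
    ("192.168.10.5/32", 1, "static", "backup"),
    ("192.168.10.0/24", 120, "RIP", "rip-link"),
]


def install_routes(candidates):
    """Stage 1 (route installation): for each prefix keep only the lowest-AD source.

    Returns {IPv4Network: (ad, protocol, link)}.
    """
    table = {}
    for prefix, ad, proto, link in candidates:
        net = ipaddress.ip_network(prefix)
        if net not in table or ad < table[net][0]:
            table[net] = (ad, proto, link)
    return table


def lookup(table, destination):
    """Stage 2 (forwarding): longest prefix match over the installed routes.

    AD is not consulted here; a /32 beats a /24 even though the /24 has a lower AD.
    Returns (network, ad, protocol, link), or None when nothing matches.
    """
    addr = ipaddress.ip_address(destination)
    best = None
    for net, (ad, proto, link) in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ad, proto, link)
    return best


if __name__ == "__main__":
    rib = install_routes(CANDIDATES)
    for dst in ("192.168.10.5", "192.168.10.6", "10.0.0.1"):
        print(dst, "->", lookup(rib, dst))
```

Running it shows 192.168.10.5 leaving via the backup link (the /32 wins the prefix comparison) while 192.168.10.6 uses the OSPF /24 over the primary link; the RIP /24 never reaches the table because it lost the per-prefix AD comparison to OSPF.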

Exam trap

Cisco often tests the misconception that administrative distance is the sole factor in route selection, when in fact the longest prefix match rule is evaluated first and takes priority over AD for any routes that are already in the routing table.

Why the other options are wrong

A

Administrative distance is only compared when two routes have the same prefix length. Here, the /32 route has a longer prefix, so it is chosen first.

B

Load balancing requires routes with identical prefix lengths and metrics. The /32 and /24 routes are treated as different destinations.

C

AD is only compared when routes have the exact same prefix length. The routing table can hold multiple overlapping routes as long as they differ in prefix length.

1297
MCQ (hard)

An OSPF-enabled router has two paths to the same destination network, and both paths have the same OSPF cost. What is the most likely default behavior?

A. Install both routes and use equal-cost multipath forwarding
B. Discard both routes because OSPF cannot handle duplicates
C. Always keep only the route learned first
D. Replace both routes with a default route

Answer: A

This is correct because OSPF can install multiple equal-cost paths to the same destination.

Why this answer

When OSPF learns two equally good paths to the same destination, the router can install both and perform equal-cost multipath forwarding. In plain language, the router does not have to throw one away simply because there are two valid answers. If the routes are truly equal from OSPF’s perspective, it can use both paths to improve resilience and share traffic.

This is a classic routing behavior question because many candidates assume the router must always choose only one best path. In reality, equal-cost multipath is a normal feature in many routing environments. The key is that the paths must be equally good according to the protocol’s metric logic.

Exam trap

A frequent exam trap is believing that OSPF must select only one best route when multiple paths have the same cost. Many candidates mistakenly think OSPF discards duplicates or keeps only the first learned route. This misunderstanding leads to incorrect answers suggesting route discarding or default route replacement.

The trap arises because some routing protocols or older implementations do not support equal-cost multipath. However, OSPF explicitly supports installing multiple equal-cost routes to improve load balancing and fault tolerance, so assuming otherwise causes errors in exam scenarios.

Why the other options are wrong

B

Incorrect because OSPF can handle multiple equal-cost routes and does not discard them; it uses all equal-cost paths to improve traffic distribution.

C

Incorrect since OSPF does not keep only the first learned route when multiple equal-cost paths exist; it installs all such routes for load balancing.

D

Incorrect because OSPF does not replace multiple valid equal-cost routes with a default route; default routes are used only when no specific routes exist.

1298
MCQ (hard)

Refer to the exhibit. An administrator has configured PAT for internal hosts to access the internet, but users report that they cannot reach external websites. The administrator suspects a NAT issue and runs the show ip nat statistics command. What is the most likely cause of the problem?

A. The NAT overload pool is incorrectly configured with the inside interface Gi0/1 instead of the outside interface Gi0/0.
B. The access-list 1 used in the NAT statement is not matching any traffic.
C. CEF switching is disabled, causing all packets to be punted to the process level and NAT to fail.
D. The maximum number of NAT translations has been reached, causing new translations to be denied.

Answer: A

The dynamic mapping line explicitly shows 'interface GigabitEthernet0/1', which is an inside interface according to the output. Overload must be tied to the outside interface.

Why this answer

The Dynamic mappings section reveals an inside source overload entry bound to interface GigabitEthernet0/1, which is listed under Inside interfaces. For PAT to work, the overload rule must use an outside (WAN) interface (here GigabitEthernet0/0), not an inside interface. This misconfiguration causes all translation attempts to fail, reflected in Hits: 0 and Misses: 15042.

Exam trap

Many candidates will suspect a misconfigured access list because Hits are 0 and Misses are high; however, the exhibit directly indicates the wrong interface binding in the dynamic mapping.

Why the other options are wrong

B

Candidates may focus on Hits: 0 and Misses: 15042 as typical of an ACL issue, but the explicit interface binding in the dynamic mapping is the direct evidence of misconfiguration.

C

The high CEF Punted count mirrors the misses, leading some to believe CEF is the problem, but the exhibit does not indicate CEF is disabled.

D

Candidates might assume that a high miss count reflects a full translation table, but the total active translations show 0.

1299
Matching (medium)

Match each switch security or protection feature to its most accurate purpose.


Limits and controls MAC address use on a switch port

Disables an edge port if a BPDU is received

Helps block rogue DHCP behavior and build trusted bindings

Validates ARP traffic using trusted information

Why these pairings

Each security feature protects against specific threats: port security limits MAC addresses, DHCP snooping blocks rogue DHCP servers, DAI validates ARP, storm control limits traffic storms, root guard enforces STP root placement, and BPDU guard protects against rogue BPDUs on access ports.

Exam trap

Do not confuse Port Security with other security features. Port Security limits MAC addresses; it does not inspect DHCP, ARP, or BPDU packets. Each feature has a distinct purpose.

1300
MCQ (hard)

Which command output would be the best next step to verify whether the port-channel is operational after configuration changes?

A. show etherchannel summary
B. show ip ospf neighbor
C. show ip route
D. show access-lists

Answer: A

This is correct because it directly verifies bundle status and member participation.

Why this answer

The best next step is to check EtherChannel status directly. In practical terms, after fixing the member-link configuration, the quickest verification is to inspect the summary output that shows whether the bundle exists and whether the member ports are actively participating. That is more direct than checking unrelated switching or routing tables.

This is a simulation-style 'what do you verify next' question, which is important for realistic CCNA prep.

Exam trap

Avoid confusing general interface or trunk status with specific EtherChannel status. Always use the command that directly addresses the feature in question.

Why the other options are wrong

B

The command 'show ip ospf neighbor' is used to display OSPF neighbor relationships, which is not directly related to verifying the operational status of a port-channel. This command would not provide information about the port-channel configuration or status.

C

The command 'show ip route' is used to display the routing table of a device, which does not provide information about the operational status of a port-channel after configuration changes.

D

The command 'show access-lists' is not relevant for verifying the operational status of a port-channel; it focuses on access control lists rather than link aggregation status.

1301
MCQ (medium)

An API call returns HTTP status code 401. What does that usually mean?

A. The resource was moved permanently
B. The request was successful but no content was returned
C. Authentication is required or the credentials are invalid
D. The server cannot parse JSON

Answer: C

401 points to an authentication problem.

Why this answer

A 401 response means the request lacks valid authentication credentials. The token may be missing, expired, or invalid.

Exam trap

A frequent exam trap is confusing the 401 Unauthorized status code with other HTTP errors such as 403 Forbidden or 400 Bad Request. Candidates might incorrectly assume a 401 means the server cannot parse the request or that the resource was moved, which are actually indicated by 400 and 301 status codes respectively. This misunderstanding leads to incorrect troubleshooting steps in automation scenarios.

Remember, 401 always points to missing or invalid authentication credentials, not to resource relocation or malformed requests.

Why the other options are wrong

A

Option A is incorrect because a 301 status code indicates that the requested resource has been moved permanently to a new URL, not an authentication issue. Confusing 301 with 401 can lead to misdiagnosing API errors.

B

Option B is incorrect since a 204 status code means the request was successful but no content was returned. It does not indicate any authentication problem, unlike 401 which specifically relates to authorization failures.

D

Option D is incorrect because a server's inability to parse JSON usually results in a 400 Bad Request error, not a 401 Unauthorized. The 401 code is strictly about authentication, not parsing or syntax errors.

1302
Matching (medium)

Match each API or automation concept to the most accurate description.


Credential-like value used to help control API access

Secure transport commonly used for API communication

Centralized management and policy platform

Application-facing interface used to communicate with the controller

Why these pairings

These pairings accurately describe common API and automation concepts.

Exam trap

Do not confuse API architectural styles (REST) with protocols (SOAP), automation mechanisms (webhooks), or networking architectures (SDN). Focus on the defining characteristics of each concept.

1303
MCQ (hard)

Exhibit: R1 has a default route pointing to 10.1.1.2. Users lose internet access when that next hop fails, even though a floating static backup exists. Why is the backup not installed?

A. The backup route has a higher administrative distance and therefore is never considered
B. The primary static route remains installed because there is no tracking to remove it
C. Floating statics work only with dynamic routing protocols
D. The backup route must use the same next hop as the primary route

Answer: B

Without IP SLA or object tracking, the router may keep the primary route.

Why this answer

A floating static route is used only when the primary route disappears from the routing table. If the primary interface stays up and the next hop becomes unreachable beyond that segment, the route can remain installed unless tracking or another detection mechanism removes it.

Exam trap

A frequent exam trap is believing that a floating static route activates automatically when the primary next hop fails. Many candidates overlook that the router only removes the primary static route if it detects the route is invalid or unreachable. Without IP SLA or object tracking, the router sees the primary route as valid because the interface remains up, so it never installs the backup route.

This misunderstanding causes confusion about why users lose internet access despite a floating static backup being configured. The exam tests your knowledge of how Cisco routers handle administrative distance and route tracking, not just static route configuration.

Why the other options are wrong

A

Option A incorrectly states that the backup route is never considered because of its higher administrative distance. In reality, the higher AD is intentional to make it a floating static route that only activates when the primary route is removed.

C

Option C is incorrect because floating static routes do not require dynamic routing protocols to work. They are static routes with adjusted administrative distance and can function independently.

D

Option D is wrong because backup routes typically use a different next hop to provide true redundancy. Using the same next hop would not protect against next-hop failure.

1304
MCQ (medium)

A host with IP address 172.16.50.130 and mask 255.255.255.192 needs to reach 172.16.50.190. Which statement is correct?

A. The destination is on a remote subnet, so the host must send to the default gateway.
B. The destination is local, so the host ARPs for 172.16.50.190 directly.
C. The destination is a directed broadcast for the local subnet.
D. The source host is using the network address of the subnet.

Answer: B

Correct. Same-subnet traffic is sent directly to the destination MAC.

Why this answer

Both 172.16.50.130 and 172.16.50.190 fall within the 172.16.50.128/26 subnet (range .128 to .191). Therefore, the destination is local, and the host will use ARP to resolve the destination IP directly. Option A is incorrect because the destination is not remote.

Option C is incorrect because the directed broadcast address for this subnet is 172.16.50.191, not .190. Option D is incorrect because 172.16.50.130 is a valid host address, not the network address (.128).

Exam trap

Be cautious of subnet mask calculations and ensure you understand the IP range it defines.

Why the other options are wrong

A

The destination is local to the same /26 subnet, so it does not need to go through the default gateway.

C

The subnet directed broadcast is 172.16.50.191 (the last address in the .128/26 range), not .190.

D

The source address 172.16.50.130 is a usable host address, not the network address of the subnet.

1305
Multi-Select (medium)

Which TWO statements about fiber optic cables and SFP/SFP+ transceivers are correct?

Select 2 answers
A. Single-mode fiber (SMF) uses a smaller core diameter than multimode fiber (MMF).
B. Multimode fiber supports longer distances than single-mode fiber.
C. SFP+ transceivers are commonly used for 10 Gigabit Ethernet connections.
D. SFP modules support data rates up to 10 Gbps.
E. Multimode fiber typically has a core diameter of 9 microns.

Answers: A, C

SMF typically has a 9-micron core, while MMF has a 50- or 62.5-micron core, allowing SMF to support longer distances.

Why this answer

Option A is correct because single-mode fiber (SMF) has a core diameter of about 9 microns, which is smaller than multimode fiber (MMF) cores of 50 or 62.5 microns. Option C is correct because SFP+ transceivers are indeed designed for 10 Gigabit Ethernet, supporting data rates up to 10 Gbps. Option B is wrong because multimode fiber is used for shorter distances (up to a few hundred meters) due to higher modal dispersion, while single-mode fiber supports longer distances (tens of kilometers).

Option D is wrong because standard SFP modules support up to 1 Gbps, not 10 Gbps; SFP+ modules handle 10 Gbps. Option E is wrong because a 9-micron core is characteristic of single-mode fiber, not multimode fiber.

Exam trap

Cisco often tests the misconception that 'multimode' implies longer reach due to its name, but the opposite is true because of modal dispersion limits.

Why the other options are wrong

B

Single-mode fiber supports much longer distances (up to 10 km or more) than multimode fiber (typically up to 550 m for 10 Gbps).

D

SFP is limited to 1 Gbps; for 10 Gbps, SFP+ is required.

E

This describes single-mode fiber, not multimode.

1306
MCQ (hard)

A subnet must support at least 62 usable IPv4 host addresses. Which prefix is the most restrictive that meets the requirement?

A. /27
B. /26
C. /25
D. /24

Answer: B

This is correct because /26 provides 62 usable host addresses.

Why this answer

A /26 is the smallest valid answer. In practical terms, a /26 provides 64 total addresses and 62 usable host addresses after subtracting the network and broadcast addresses. A /27 would be too small because it provides only 30 usable hosts.

This is a standard minimum-prefix question because it checks whether you can work backward from the host requirement and choose the smallest subnet that fits.

Exam trap

Avoid confusing total addresses with usable ones; remember to subtract network and broadcast addresses.

Why the other options are wrong

A

A /27 subnet provides only 30 usable host addresses (32 total minus 2 for network and broadcast), which does not meet the requirement of at least 62 usable addresses.

C

Option C: /25 provides 126 usable host addresses, which exceeds the requirement of at least 62 usable addresses. However, it is not the smallest prefix that meets the requirement, as /26 suffices with 62 usable addresses.

D

Option D: /24 provides 256 total addresses, with 254 usable, which exceeds the requirement of at least 62 usable addresses. However, it is not the smallest prefix that meets the requirement.
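
Both the same-subnet test in question 1304 (is 172.16.50.190 local to 172.16.50.130/26?) and the minimum-prefix sizing in question 1306 (which prefix first gives 62 usable hosts?) come down to the same mask arithmetic. The Python below is an added example, not part of the original question bank; it uses only the standard ipaddress module, and its sample input is the addresses and host counts from those two questions.

```python
import ipaddress


def subnet_facts(host_ip, mask):
    """Network, broadcast, prefix length and usable host count for host_ip/mask."""
    iface = ipaddress.ip_interface(f"{host_ip}/{mask}")
    net = iface.network
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefixlen": net.prefixlen,
        "usable_hosts": net.num_addresses - 2,  # minus network and broadcast
        "host_is_network_address": iface.ip == net.network_address,
    }


def classify_destination(host_ip, mask, dst_ip):
    """How a host forwards to dst_ip: 'local' (ARP for it directly),
    'broadcast' (the subnet's directed broadcast) or 'remote' (send to the
    default gateway)."""
    net = ipaddress.ip_interface(f"{host_ip}/{mask}").network
    dst = ipaddress.ip_address(dst_ip)
    if dst == net.broadcast_address:
        return "broadcast"
    if dst in net:
        return "local"
    return "remote"


def smallest_prefix_for_hosts(required_hosts):
    """Longest (most restrictive) IPv4 prefix whose block still leaves at least
    required_hosts usable addresses after removing network and broadcast."""
    for prefixlen in range(30, -1, -1):  # /30 is the smallest block with usable hosts
        if 2 ** (32 - prefixlen) - 2 >= required_hosts:
            return prefixlen
    raise ValueError("no IPv4 prefix can hold that many hosts")


if __name__ == "__main__":
    print(subnet_facts("172.16.50.130", "255.255.255.192"))
    for dst in ("172.16.50.190", "172.16.50.191", "172.16.50.200"):
        print(dst, "->", classify_destination("172.16.50.130", "255.255.255.192", dst))
    for n in (30, 62, 63):
        print(n, "hosts ->", "/%d" % smallest_prefix_for_hosts(n))
```

The output reproduces both answer keys: .190 is local and .191 is the directed broadcast of 172.16.50.128/26, and 62 hosts fit in a /26 while 63 already forces a /25.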

1307
Multi-Select (medium)

Which four of the following correctly describe characteristics or best practices for VLAN trunking and Layer 2 switch configuration? (Choose four.)

Select 4 answers
1. 802.1Q trunking uses a native VLAN that carries untagged traffic; both ends of the trunk must agree on the native VLAN.
2. Dynamic Trunking Protocol (DTP) can be used to negotiate trunking between Cisco switches if both ports are set to dynamic desirable or trunk mode.
3. VLAN 1 is the default native VLAN on Cisco switches and is considered a best practice to use for all user traffic to simplify management.
4. A switchport configured as an access port can belong to multiple VLANs simultaneously if using VLAN pruning.
5. VLAN Trunking Protocol (VTP) in transparent mode allows a switch to forward VTP advertisements but does not synchronize its VLAN database.
6. When connecting two switches, it is recommended to manually set the trunk mode to avoid DTP negotiation errors and security risks.

Why this answer

802.1Q trunking defines a native VLAN that carries untagged traffic; both ends must agree on the native VLAN to prevent misdirection and security issues. DTP can negotiate trunking between Cisco switches when ports are set to dynamic desirable or trunk mode, allowing automatic trunk establishment. VTP in transparent mode forwards VTP advertisements to other switches but does not synchronize its VLAN database, making it safe for maintaining local VLAN control.

Manually setting trunk mode is a best practice to avoid DTP negotiation errors and security risks, as DTP can be exploited. Option 3 is incorrect because using VLAN 1 for user traffic is a security vulnerability; it is recommended to change the native VLAN and prune VLAN 1. Option 4 is incorrect because an access port belongs to only one VLAN; VLAN pruning is used on trunk links to restrict VLAN traffic, not to allow an access port to carry multiple VLANs.

Exam trap

Cisco often tests the misconception that VLAN 1 is a best practice for user traffic, when in fact it is a well-known security vulnerability and should be changed or pruned.

1308
MCQ (medium)

A network administrator is configuring a new Windows 10 workstation on a network that uses DHCP. The workstation receives an IPv4 address of 169.254.10.20 with a subnet mask of 255.255.0.0 and no default gateway. The user cannot access the internet or other subnets. What is the most likely cause of this issue?

A. The workstation has a duplicate IP address conflict.
B. The workstation's DNS server configuration is incorrect.
C. The workstation's subnet mask is misconfigured.
D. The DHCP server is unreachable or not responding.

Answer: D

When a DHCP client fails to receive an IP address from a DHCP server, it self-assigns an APIPA address from the 169.254.0.0/16 range. This explains the observed address and the absence of a default gateway.

Why this answer

The IP address 169.254.10.20 with a /16 subnet mask is an Automatic Private IP Addressing (APIPA) address, which Windows assigns when a DHCP discovery broadcast (DHCPDISCOVER) fails to receive a response from a DHCP server. Without a valid DHCP lease, the workstation has no default gateway, so it cannot communicate outside its local subnet, explaining the lack of internet or inter-subnet access. The most likely cause is that the DHCP server is unreachable or not responding, forcing the client to self-assign an APIPA address.

Exam trap

Cisco often tests the misconception that a 169.254.x.x address indicates a duplicate IP or a subnet mask issue, but the real trap is that APIPA is a direct symptom of DHCP server unavailability, not a configuration error on the client.

Why the other options are wrong

A

Duplicate IP conflicts typically result in a warning but do not cause the system to assign a 169.254.x.x address.

B

DNS issues do not affect IP address assignment via DHCP.

C

The subnet mask is correct for the APIPA range; the problem is the lack of a DHCP server response.

1309
PBQ (hard)

You are connected to SW1. Configure an LACP EtherChannel between SW1 and SW2 using ports GigabitEthernet0/1 and GigabitEthernet0/2. Set the channel-group mode to active on both sides. The port-channel interface should be configured as a trunk allowing VLANs 10, 20, and 30. Initially, the EtherChannel fails to form due to mismatched speed/duplex on one link. Identify and correct the issue, then verify the channel is up and operational.

Network Topology (diagram): SW1 Gi0/1-Gi0/2 -- EtherChannel -- SW2 Gi0/1-Gi0/2

Hints

  • Check the speed and duplex settings on each member interface.
  • LACP requires all ports in the channel to have identical speed and duplex.
  • Use 'show interfaces status' to quickly see speed/duplex mismatches.

A. Change speed and duplex on Gi0/2 to 1000 and full, then verify with 'show etherchannel summary'.
B. Change the channel-group mode on Gi0/2 to passive, then verify with 'show etherchannel summary'.
C. Change the allowed VLANs on the port-channel to include only VLAN 1, then verify with 'show etherchannel summary'.
D. Change the port-channel interface to access mode, then verify with 'show etherchannel summary'.

Answer: A

Solution:
! SW1
interface GigabitEthernet0/2
 speed 1000
 duplex full

Why this answer

The EtherChannel fails because GigabitEthernet0/2 has speed 100 and duplex half, while GigabitEthernet0/1 has speed 1000 and duplex full. LACP requires all member ports to have identical speed and duplex settings. To resolve, change the speed and duplex on Gi0/2 to match Gi0/1: 'speed 1000' and 'duplex full'.

After correction, the channel will bundle. Verify with 'show etherchannel summary' to see both ports in the 'P' (bundled) state.

Exam trap

Do not confuse Layer 1 issues (speed/duplex) with Layer 2 configuration (VLANs, trunking) or LACP mode settings. Always check physical parameters first when an EtherChannel fails to form.

Why the other options are wrong

B

LACP modes must be compatible (active-active or active-passive), but the question states both sides are already active, so the mode is not the issue.

C

VLAN settings are irrelevant to the physical bundling of ports in an EtherChannel.

D

The interface mode (access or trunk) is a Layer 2 property unrelated to the physical bundling process.

1310
Multi-Select (medium)

Which three of the following are characteristics of IP Source Guard on a Cisco switch? (Choose three.)

Select 3 answers
1. It filters IP traffic based on the source IP address and the DHCP snooping binding.
2. It can be configured with a static IP source binding for hosts with fixed addresses.
3. It is typically applied on untrusted access ports to prevent IP spoofing.
4. It inspects the destination IP address of all incoming packets.
5. It dynamically updates the MAC address table for each detected host.
6. It replaces the routing table to enforce security policies.

Why this answer

IP Source Guard (IPSG) filters IP traffic on a per-port basis by validating the source IP address of incoming packets against the DHCP snooping binding database or a manually configured static IP source binding. This prevents IP spoofing attacks by dropping any packet whose source IP does not match a legitimate binding for that port. It is typically enabled on untrusted access ports where DHCP snooping is also active, ensuring that only assigned IP addresses are allowed.

Exam trap

Cisco often tests the distinction between what IP Source Guard inspects (source IP) versus what Dynamic ARP Inspection inspects (ARP packets), leading candidates to confuse the two or think IPSG checks destination addresses.

1311
MCQ (hard)

Users can reach an internal server by IP address but not by hostname. What is the most likely cause?

A. Name resolution is failing even though IP connectivity to the server works.
B. The server must be in the wrong VLAN because IP works.
C. The default gateway is missing on the client.
D. A GRE tunnel is required for hostname access.

Answer: A

This is correct because the symptom points directly to a DNS-related problem.

Why this answer

The strongest explanation is a DNS problem rather than a raw IP connectivity problem. In practical terms, successful access by IP address shows that Layer 3 reachability to the server exists. Failure only when using the hostname strongly suggests name resolution is missing, incorrect, or unavailable.

This is a classic symptom-based troubleshooting question. The network path works, but the naming service does not.

Exam trap

A common exam trap is to confuse IP connectivity problems with DNS resolution issues. Candidates often select options related to VLAN misconfigurations or missing default gateways because they assume network path problems cause hostname failures. However, if users can reach the server by IP address, Layer 3 routing and VLAN membership are correct.

The trap is ignoring the DNS layer, which is responsible for translating hostnames. Misinterpreting this leads to incorrect troubleshooting steps and wrong exam answers.

Why the other options are wrong

B

Incorrect because if the server were in the wrong VLAN, users would not be able to reach it by IP address. Successful IP access proves VLAN membership is correct.

C

Incorrect because a missing default gateway would prevent IP connectivity to the server if it were on a different subnet. Since IP access works, the default gateway is present and functional.

D

Incorrect because GRE tunnels are unrelated to hostname resolution. Hostname access depends on DNS, not tunneling protocols like GRE.

1312
Multi-Select (medium)

Which three of the following are characteristics of a distance-vector routing protocol? (Choose three.)

Select 3 answers
1. Routers send their entire routing table to directly connected neighbors at regular intervals.
2. Routers have a limited view of the network topology and rely on hop count or other metrics to determine the best path.
3. Routers converge more slowly than link-state protocols in large networks.
4. Routers maintain a complete map of the entire network topology.
5. Routers use the Shortest Path First (SPF) algorithm to calculate routes.
6. Routers flood link-state advertisements (LSAs) to all routers in the area.

Why this answer

Distance-vector routing protocols are characterized by periodic full routing table updates to directly connected neighbors, as seen in classic protocols like RIP. However, advanced distance-vector protocols such as EIGRP do not send their full routing table at regular intervals; they perform a one-time full exchange during neighbor formation and then send only partial, triggered updates. Regardless of this distinction, all distance-vector protocols have a limited view of the network topology (often called 'routing by rumor'), rely on hop count or composite metrics, and converge more slowly than link-state protocols in large networks.

The correct options highlight these general characteristics of distance-vector protocols.

Exam trap

A common mistake is to assume that all distance-vector protocols, including EIGRP, send their full routing table periodically; in reality, EIGRP only does a full exchange once and then uses partial updates.

1313
MCQhard

R1 loses its route to 192.168.20.0/24 whenever R2's GigabitEthernet0/0 interface flaps. The network engineer has configured a floating static route with an administrative distance of 200. The OSPF route has an AD of 110. After R2's G0/0 interface recovers, the floating static route appears in the routing table instead of the OSPF route. What should the technician do next?

A.Adjust the administrative distance of the floating static route to 201.
B.Check the carrier delay timers on R2's GigabitEthernet0/0 interface.
C.Clear the IP routing table and reset the OSPF process on R1.
D.Verify that the MTU on R1 and R2's GigabitEthernet0/0 interfaces match.
AnswerB

A high carrier-delay (interface debounce) timer can keep the link down for too long after a flap, delaying OSPF neighbor formation. While the interface remains down, the floating static route stays in the table. Checking this timer is a logical, non-destructive next step.

Why this answer

The next step is to check the carrier delay timers on R2's G0/0 interface. If a high debounce (carrier-delay) timer is configured, the interface remains down for several seconds after physical link recovery. During this time OSPF neighbor adjacency cannot form, so the floating static route (which is already installed) remains in the table.

This is a Layer 2/Layer 1 timing issue that directly impacts OSPF convergence.

Exam trap

Many candidates will jump to adjusting the static route's AD or clearing the routing table, which skips the proper diagnostic sequence. They may incorrectly assume OSPF is misconfigured rather than verifying link-level timers first.

Why the other options are wrong

A

Misunderstanding of route preference: a higher AD value does not keep a floating static installed when a better OSPF route becomes available.

C

Troubleshooting should follow the OSI model bottom-up; immediately resetting processes skips basic interface-level verification.

D

It targets a different root cause (OSPF adjacency failure due to MTU) that would manifest constantly, not only after interface recovery.

1314
Matchingmedium

Drag and drop the OSI layer names on the left to the correct PDU names and example protocols on the right.

Matches

Physical: Bits; e.g., electrical signals
Data Link: Frame; e.g., Ethernet
Network: Packet; e.g., IP
Transport: Segment; e.g., TCP
Application: Data; e.g., HTTP

Why these pairings

The OSI model layers map to specific PDUs and example protocols: Physical layer deals with bits and electrical signals; Data Link with frames (e.g., Ethernet); Network with packets (e.g., IP); Transport with segments (e.g., TCP); and Application with data (e.g., HTTP). Each layer encapsulates data from above, and the PDU names reflect how data is packaged at that layer.

Exam trap

Be careful not to confuse the PDUs and protocols between adjacent layers, especially Data Link vs. Network (frames vs. packets, MAC vs. IP) and Network vs. Transport (packets vs. segments, IP vs. TCP). Remember the encapsulation order: data, segment, packet, frame, bits.

1315
MCQhard

A network requires at least 500 usable host addresses in one IPv4 subnet. Which prefix is the smallest that meets the requirement?

A./24
B./23
C./22
D./25
AnswerB

This is correct because a /23 provides 510 usable host addresses.

Why this answer

To support at least 500 usable hosts, the subnet must provide at least 502 total addresses when the network and broadcast addresses are included. In plain language, that means 256 total addresses in a /24 are not enough, so the next larger power-of-two block is required. A /23 provides 512 total addresses and 510 usable host addresses, which satisfies the requirement while remaining the smallest valid option.

This is a classic host-capacity question because it checks whether you can work backward from a required usable host count and choose the smallest prefix that works without wasting more space than necessary.

Exam trap

Be careful not to confuse the total number of addresses with the number of usable host addresses. Remember to account for network and broadcast addresses.

Why the other options are wrong

A

A /24 subnet provides only 256 addresses in total, and fewer still are usable once the network and broadcast addresses are reserved, so it cannot satisfy the requirement of at least 500 usable addresses. Therefore, it cannot be the correct answer.

C

Option C (/22) provides 1022 usable addresses, which exceeds the requirement of 500 usable addresses, but it is not the smallest prefix that meets the requirement. The correct answer is /23, which provides exactly 510 usable addresses.

D

Option D: /25 provides only 126 usable host addresses, which is insufficient for a requirement of at least 500 usable addresses in a single subnet.

1316
Multi-Selecteasy

An engineer is reviewing transport protocols for a new application. Which two characteristics are associated with TCP rather than UDP?

Select 2 answers
A.Connection establishment before data transfer
B.Best-effort delivery with no acknowledgments
C.Sequencing and retransmission support
D.Lower overhead because no session state is tracked
AnswersA, C

TCP uses a session setup process before exchanging application data.

Why this answer

TCP is connection-oriented and provides reliability with sequence numbers, acknowledgments, and retransmissions. UDP is lighter but does not guarantee delivery.

Exam trap

Don't confuse reliability with speed; TCP's reliability features add overhead, making it slower than UDP.

1317
MCQhard

A packet is larger than the outgoing interface MTU and the DF bit is set in the IPv4 header. What should the router do?

A.Fragment the packet anyway and forward all fragments.
B.Drop the packet and send an ICMP message indicating fragmentation was needed.
C.Clear the DF bit and then fragment the packet.
D.Encapsulate the packet in GRE automatically.
AnswerB

Correct. That behavior supports Path MTU Discovery.

Why this answer

If fragmentation is required but DF is set, the router drops the packet and returns an ICMP unreachable message indicating fragmentation was needed.

Exam trap

A common exam trap is selecting option A, assuming the router will fragment the packet despite the DF bit. Remember, the DF (Don't Fragment) bit explicitly prevents fragmentation. Another trap is option C, thinking the router can clear the DF bit and fragment, which routers do not do.

Option D is unrelated to MTU handling and can mislead if you confuse GRE tunneling with fragmentation behavior.

Why the other options are wrong

A

Incorrect because the DF bit explicitly forbids fragmentation; the router cannot fragment the packet if DF is set.

C

Incorrect because routers do not clear the DF bit to fragment packets; they respect the DF bit as set by the source.

D

Incorrect because GRE encapsulation is unrelated to MTU handling and fragmentation behavior.

1318
PBQhard

You are connected to R1. Configure DHCP server on R1 to assign addresses from 192.168.50.0/24 to hosts on VLAN 50, excluding 192.168.50.1-192.168.50.20, with default-router 192.168.50.1 and DNS server 8.8.8.8. On switch SW1, configure DHCP snooping globally and on VLAN 50, and enable trusted ports on the uplink to R1. Then, a host on VLAN 50 reports it received an incorrect IP address; troubleshoot and fix the issue: the wrong helper-address is configured on SW1, the excluded range is too large, and a rogue DHCP server is present on port Fa0/5.

Hints

  • Check the DHCP snooping configuration first — is it enabled and on the correct VLAN?
  • Look at the helper-address: the DHCP server is on the SVI, not on the point-to-point link.
  • The excluded range on R1 is too large; it should only exclude the first 20 addresses.
A.Enable DHCP snooping globally and on VLAN 50, trust the uplink port to R1, correct the excluded range on R1 to 192.168.50.1-192.168.50.20, and change the helper-address on SW1's G0/1 to 192.168.50.1.
B.Enable DHCP snooping globally and on VLAN 50, trust the uplink port to R1, and change the helper-address on SW1's G0/1 to 10.0.0.1.
C.Enable DHCP snooping globally and on VLAN 50, trust the uplink port to R1, and correct the excluded range on R1 to 192.168.50.1-192.168.50.20.
D.Enable DHCP snooping globally and on VLAN 50, trust the uplink port to R1, and change the helper-address on SW1's G0/1 to 192.168.50.1.
AnswerA
solution
! R1
configure terminal
no ip dhcp excluded-address 192.168.50.1 192.168.50.100
ip dhcp excluded-address 192.168.50.1 192.168.50.20
end
write memory

! SW1
configure terminal
ip dhcp snooping
ip dhcp snooping vlan 50
interface GigabitEthernet0/1
ip dhcp snooping trust
no ip helper-address 10.0.0.1
ip helper-address 192.168.50.1
interface FastEthernet0/5
shutdown
end
write memory

Why this answer

The host received a wrong IP because a rogue DHCP server on Fa0/5 was responding. First, enable DHCP snooping globally with 'ip dhcp snooping' and on VLAN 50 with 'ip dhcp snooping vlan 50'. Then, trust the uplink port to R1 (G0/1) with 'ip dhcp snooping trust'.

Next, fix the excluded range on R1: change it to exclude only the first 20 addresses (192.168.50.1-192.168.50.20) so that hosts can obtain other addresses. Finally, correct the helper-address on SW1's G0/1: change 'ip helper-address 10.0.0.1' to 'ip helper-address 192.168.50.1' because the DHCP server is on the VLAN 50 SVI, not on the point-to-point link.

Exam trap

This question tests your ability to troubleshoot a multi-faceted DHCP issue. Common traps include: (1) forgetting that DHCP snooping must be enabled both globally and per VLAN, (2) assuming the helper-address should be the router's link IP instead of the server's SVI IP, (3) overlooking the excluded range configuration, and (4) thinking that only one of the issues needs to be fixed. Always verify all components: snooping, trust, helper-address, and pool configuration.

Why the other options are wrong

B

The helper-address must be the IP of the DHCP server, which is the SVI address 192.168.50.1, not the link address 10.0.0.1.

C

The helper-address misconfiguration prevents DHCP requests from being forwarded to the correct server, so fixing only the excluded range is insufficient.

D

The excluded range must be corrected to allow hosts to receive addresses from the pool; otherwise, the DHCP server will not assign addresses.

1319
Drag & Dropmedium

Drag and drop the following steps into the correct order to sequence the actions an automation system performs when automating the remediation of a network configuration drift detected via NETCONF/YANG.

Order

1. Detect the configuration drift
2. Analyze the drift and plan the remediation
3. Execute the fix
4. Verify the change

Why this order

The automation system first detects the drift, then analyzes and plans remediation, executes the fix, and finally verifies the change.

Exam trap

This question tests your understanding of the logical sequence in automated remediation workflows. A common trap is to think that analysis or execution might come before detection, but detection is always the first step in any monitoring-based automation. Remember: you can't fix what you haven't detected.

1320
MCQhard

If a host has a valid IP address and subnet mask but no default gateway, what is the most likely result?

A.The host can usually reach only local-subnet destinations and not remote networks.
B.The host cannot use ARP at all.
C.The host automatically joins every subnet in the LAN.
D.The host becomes the default gateway for other devices.
AnswerA

This is correct because the host has no next hop for off-subnet traffic.

Why this answer

The host will normally reach local destinations but fail to reach remote networks. In practical terms, the subnet mask still lets the host identify what is local, but without a default gateway it has no next hop for off-subnet traffic. That means local ARP-based communication can still work, while remote communication usually fails.

This is a core host-configuration concept and a very common certification question. The missing gateway does not break all communication — it breaks off-subnet communication.

Exam trap

A common exam trap is assuming that a host without a default gateway cannot use ARP or communicate at all. This is incorrect because ARP is used for local Layer 2 address resolution and remains functional. Another trap is believing the host automatically joins other subnets or becomes a gateway for others, which does not happen.

The key mistake is confusing local subnet communication with remote network access. The default gateway only affects off-subnet traffic, so the host can still communicate locally but fails to reach remote destinations.

Why the other options are wrong

B

This option is incorrect because ARP is used for local Layer 2 address resolution and remains functional even if the default gateway is missing; the host can still resolve MAC addresses on the local subnet.

C

This option is incorrect because the host’s subnet membership is determined by its IP address and subnet mask, not by the presence or absence of a default gateway; it does not join other subnets automatically.

D

This option is incorrect because a host does not become a default gateway for other devices simply by lacking a configured gateway; routing and gateway roles require explicit configuration on routers.

1321
MCQeasy

An AP broadcasts the correct SSID, but many clients on one floor experience poor performance while the same SSID works well on another floor. Which category of issue is most strongly suggested first?

A.A radio-frequency or local wireless environment issue on that floor
B.The SSID name must be misspelled only on that floor
C.BGP autonomous system mismatch
D.IPv6 loopback addressing on the clients
AnswerA

This is correct because the problem is location-specific while the SSID itself works elsewhere.

Why this answer

The issue is location-specific, with performance problems only on one floor. This strongly suggests a local radio frequency (RF) or wireless environment issue such as interference, signal attenuation, or channel congestion on that floor. The SSID is correctly broadcast because clients on other floors connect successfully, so option B (misspelling) is not plausible.

Options C and D are unrelated to wireless performance: BGP is a routing protocol not used in basic WLAN deployments, and IPv6 loopback addressing does not affect client connectivity or throughput. Therefore, the most direct and likely first suspect is an RF or environmental issue on that specific floor.

Exam trap

Avoid assuming that SSID issues are always configuration-related; consider environmental factors when performance issues are location-specific.

Why the other options are wrong

B

An SSID misspelling would prevent all clients from seeing the SSID, but since clients on other floors connect successfully, this cannot be the issue.

C

BGP autonomous system mismatch is a routing protocol concept unrelated to wireless LAN performance issues and would not cause performance problems on a single floor.

D

IPv6 loopback addressing is a configuration detail that does not impact wireless client performance or connectivity in a local-area network context.

1322
MCQhard

Why might a controller return interface information as a JSON array instead of a single JSON object?

A.Because an array is the appropriate structure for an ordered list of multiple interface entries.
B.Because a JSON object cannot contain fields.
C.Because arrays are used only for IPv6 interfaces.
D.Because arrays eliminate the need for API authentication.
AnswerA

This is correct because arrays are used to represent lists of repeated items.

Why this answer

A controller might return interface information as a JSON array because there are multiple interface records to present as a list. In practical terms, an array is the correct structure when the response includes several similar items, such as multiple interfaces, routes, or VLANs. Each element in the array can then be its own object with fields like name, status, or IP address.

This is a data-structure recognition question. It is not about networking behavior directly, but about understanding how automation systems represent repeated information.

Exam trap

A frequent exam trap is believing that JSON objects cannot contain multiple fields or that arrays are only used for specific interface types like IPv6. This misunderstanding leads to incorrect assumptions about data representation in network automation. Candidates might also confuse data structure choices with unrelated concepts like API authentication, mistakenly thinking arrays affect security.

The trap lies in conflating the purpose of JSON arrays as a data structure for multiple similar items with other unrelated networking or security concepts. Understanding that arrays simply represent ordered lists of items, such as multiple interfaces, is crucial to avoid this confusion.

Why the other options are wrong

B

This option is incorrect because JSON objects do contain fields; they are collections of key-value pairs representing attributes of a single entity, so the claim that objects cannot contain fields is false.

C

This option is wrong because JSON arrays are a general data structure used for any list of items, not exclusively for IPv6 interfaces; interface type does not dictate JSON structure.

D

This option is incorrect because the choice of JSON data structure (array vs. object) does not affect API authentication or security; these are separate concerns unrelated to data formatting.

1323
MCQhard

A host uses address 192.168.5.126/25. Which address is the broadcast address for its subnet?

A.192.168.5.63
B.192.168.5.127
C.192.168.5.128
D.192.168.5.255
AnswerB

This is correct because the lower /25 block runs from .0 through .127.

Why this answer

A /25 divides the /24 into two halves: 0–127 and 128–255. In plain language, the host address 192.168.5.126 is in the lower half, which runs from .0 through .127. The last address in that block is the broadcast address, so the broadcast is 192.168.5.127.

This is a classic subnetting question because it checks whether you can identify the correct block and then select the last address in that block as the broadcast address.

Exam trap

Remember that the broadcast address is the last address in the subnet, not the first address of the next subnet or the broadcast for the entire /24.

Why the other options are wrong

A

Option A (192.168.5.63) is incorrect because it is an ordinary host address inside the lower /25 block (192.168.5.0 through 192.168.5.127), not the last address of that block. The broadcast address is always the last address in the subnet, which here is 192.168.5.127.

C

The address 192.168.5.128 is incorrect because it falls outside the subnet defined by 192.168.5.126/25, which includes addresses from 192.168.5.0 to 192.168.5.127. The broadcast address for this subnet is 192.168.5.127.

D

Option D, 192.168.5.255, is incorrect because it is the broadcast address for the entire 192.168.5.0/24 subnet, not the /25 subnet specified in the question.
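The two subnetting questions above (smallest prefix for a required host count, and the broadcast address of a host's /25 block) are the same arithmetic worked from two directions. The following is an added example, not part of the question bank; it uses only the standard IPv4 rule that a /p block holds 2**(32-p) addresses, with the first reserved as the network address and the last as the broadcast.

```python
"""Subnet arithmetic behind the host-count and broadcast-address questions.

Added example (not from the question bank). Assumes the standard IPv4
rules: a /p block holds 2**(32-p) addresses; the first is the network
address and the last the broadcast, so usable hosts = 2**(32-p) - 2 for
prefixes up to /30.
"""

import ipaddress


def usable_hosts(prefix: int) -> int:
    """Usable host addresses in a block of the given prefix length (/0 to /30)."""
    if not 0 <= prefix <= 30:
        raise ValueError("prefix must be between 0 and 30 for host arithmetic")
    return 2 ** (32 - prefix) - 2


def smallest_prefix_for_hosts(required_hosts: int) -> int:
    """Longest prefix (smallest block) that still offers required_hosts usable
    addresses. Worked case from the page: 500 hosts -> need at least 502
    addresses including network and broadcast -> 256 is too small, 512 fits
    -> /23 (510 usable)."""
    if required_hosts < 1:
        raise ValueError("at least one host is required")
    # Walk from the smallest block (/30, 2 usable) towards larger blocks and
    # stop at the first one whose usable count meets the requirement.
    for prefix in range(30, -1, -1):
        if usable_hosts(prefix) >= required_hosts:
            return prefix
    raise ValueError("more hosts than a single IPv4 block can hold")


def subnet_boundaries(host_with_prefix: str) -> dict:
    """Network, first/last usable host, broadcast and usable count for the
    subnet a host belongs to, e.g. '192.168.5.126/25' -> block .0 through
    .127, broadcast .127."""
    iface = ipaddress.ip_interface(host_with_prefix)
    net = iface.network  # host bits are masked off for us (strict=False)
    if net.prefixlen > 30:
        raise ValueError("/31 and /32 have no separate broadcast address")
    first = int(net.network_address) + 1
    last = int(net.broadcast_address) - 1
    return {
        "network": str(net.network_address),
        "first_host": str(ipaddress.IPv4Address(first)),
        "last_host": str(ipaddress.IPv4Address(last)),
        "broadcast": str(net.broadcast_address),
        "usable": net.num_addresses - 2,
    }


def in_same_subnet(host_with_prefix: str, candidate: str) -> bool:
    """True when candidate lies inside the host's subnet. Useful for checking
    distractors: .63 is inside 192.168.5.0/25, .128 is in the upper half."""
    return ipaddress.ip_address(candidate) in ipaddress.ip_interface(host_with_prefix).network


if __name__ == "__main__":
    print("500 usable hosts need a /%d" % smallest_prefix_for_hosts(500))
    print(subnet_boundaries("192.168.5.126/25"))
```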

1324
Matchingmedium

Match each routing concept to its most accurate description.

Matches

Administrative distance: Trust comparison between route sources
Metric: Protocol-specific path comparison value
Default route: Fallback route used when no more specific route matches
Floating static route: Backup static route configured with higher administrative distance

Why these pairings

Administrative distance is used by a router to select the best path when multiple routing protocols provide route information for the same destination; a lower AD is preferred. Metric is a value used by a specific routing protocol (e.g., OSPF cost, EIGRP composite metric) to compare routes within that protocol; a lower metric is preferred. A default route (0.0.0.0/0) is the entry used when no other more specific route matches the destination.

A floating static route is a static route configured with a higher administrative distance than the primary route, so it becomes active only when the primary route fails.

Exam trap

Learners often confuse administrative distance with metric: AD compares trust between protocols, while metric compares path quality within a single protocol.

1325
MCQhard

A trunk is up between two switches, but traffic for VLAN 40 fails while other VLANs work. Which output item should be checked first?

A.Whether VLAN 40 is included in the allowed VLAN list on the trunk
B.Whether the router ID matches on both switches
C.Whether NetFlow is enabled on the VLAN
D.Whether NTP is synchronized on the switches
AnswerA

This is correct because a missing VLAN in the allowed list is a common cause of one-VLAN failure on an otherwise working trunk.

Why this answer

The first thing to check is whether VLAN 40 appears in the trunk’s allowed VLAN list. In practical terms, this is a selective failure, not a total trunk failure. Since other VLANs are crossing successfully, the link is operational. That strongly suggests one VLAN is being excluded rather than the trunk being generally broken.

This is one of the most common VLAN troubleshooting patterns in switching.

Exam trap

Avoid assuming a total trunk failure when only one VLAN is affected. Focus on VLAN-specific configurations.

Why the other options are wrong

B

This option is wrong because the router ID is relevant for routing protocols, not for VLAN traffic issues on a trunk link. The problem specifically pertains to VLAN 40 traffic, which is not influenced by router IDs.

C

NetFlow is a network protocol used for collecting IP traffic information, but it does not directly affect VLAN traffic flow on a trunk link. Therefore, checking if NetFlow is enabled does not address the issue of VLAN 40 traffic failure.

D

NTP synchronization is not directly related to VLAN traffic issues on a trunk link; it primarily affects time-sensitive protocols. Therefore, checking NTP synchronization would not help diagnose why VLAN 40 traffic is failing.

1326
MCQhard

An engineer wants a static route to be used only if the OSPF route to the same network disappears. What should be configured?

A.A static route with lower administrative distance than OSPF
B.A static route with higher administrative distance than OSPF
C.A second OSPF route with a lower metric
D.A default route with no next hop
AnswerB

Correct. Higher-AD static routes provide backup behavior.

Why this answer

A floating static route is given a higher administrative distance than the preferred dynamic route so it stays out of the routing table unless the dynamic route is lost.

Exam trap

Remember, administrative distance determines route preference across different protocols, not metrics.

Why the other options are wrong

A

This option is wrong because a static route with a lower administrative distance than OSPF would take precedence over OSPF routes, making it active even when OSPF is available, contrary to the requirement of using the static route only when the OSPF route is unavailable.

C

This option is wrong because a second OSPF route with a lower metric would not serve as a backup to the existing OSPF route; instead, it would be preferred over the static route, which contradicts the requirement for the static route to be used only if the OSPF route disappears.

D

A default route with no next hop would not serve as a backup for an OSPF route because it lacks specificity and cannot direct traffic to a specific network. It would be ineffective in scenarios where a specific static route is needed when OSPF fails.

1327
MCQeasy

Which Syslog severity level represents an emergency condition, the most critical level?

A.0
B.3
C.5
D.7
AnswerA

Emergency is severity level 0.

Why this answer

Syslog severity 0 is Emergency, the highest severity. The levels then increase numerically as urgency decreases, with 7 being Debugging.

Exam trap

A frequent exam trap is mistaking severity level 3 (Error) or level 5 (Notification) as the most critical syslog severity. Candidates may assume that higher numbers mean higher severity, but in syslog, lower numbers indicate higher urgency. Confusing these levels can lead to incorrect answers because level 0 (Emergency) is the only severity that signals a system-wide failure requiring immediate action.

Misreading the severity scale order or relying on the textual description without recalling the numeric hierarchy often causes this mistake.

Why the other options are wrong

B

Option B incorrectly identifies severity level 3 as Emergency; level 3 actually represents Error, which is serious but less critical than Emergency (0).

C

Option C incorrectly identifies severity level 5 as Emergency; level 5 is Notification, which indicates normal but significant conditions, not emergencies.

D

Option D incorrectly identifies severity level 7 as Emergency; level 7 is Debugging, the lowest severity level used for detailed troubleshooting information.

1328
MCQhard

Users in a branch office can reach internal networks but cannot browse the Internet. The router has a correct default route and PAT is configured. Which missing item is the most likely cause if inside hosts are still using private source addresses on the WAN?

A.A correct ACL or source match identifying inside local addresses for NAT
B.An STP root bridge election on the WAN side
C.A voice VLAN on the branch access switches
D.A loopback interface with a higher IP address
AnswerA

This is correct because PAT needs to know which inside addresses should be translated. Without a correct match, the router can forward traffic but leave the source private.

Why this answer

If inside hosts are still appearing with private source addresses on the WAN side, the most likely missing element is a correct NAT inside source match for the internal subnet. In plain language, the router knows where Internet traffic should go because the default route exists, but it is not actually translating the private addresses before sending the traffic out. That means upstream devices see RFC 1918 private addresses that are not valid on the public Internet and return traffic fails.

This is a common CCNA troubleshooting pattern: routing and NAT are separate functions. A valid default route only tells the router where to send packets. It does not automatically translate them. PAT also depends on a correct ACL or source match identifying which inside addresses should be translated. If that match is missing or wrong, the router forwards the traffic but without performing the necessary translation. That is why the missing or incorrect NAT match is the most likely root cause.

Exam trap

A common exam trap is assuming that configuring a default route and enabling PAT alone guarantees Internet access for inside hosts. Candidates often overlook the necessity of a correct NAT ACL or source match that explicitly identifies which inside local addresses should be translated. Without this ACL, the router forwards packets with private IP addresses unchanged, causing return traffic to fail because upstream devices reject packets with non-routable source addresses.

This mistake leads to the false conclusion that routing or PAT is misconfigured, when the real issue is the missing or incorrect NAT match.

Why the other options are wrong

B

Incorrect because Spanning Tree Protocol (STP) root bridge election affects Layer 2 switching topology, not Layer 3 NAT translation or routing on the WAN interface.

C

Incorrect because voice VLAN configuration on branch access switches does not influence NAT translation or whether private IP addresses are translated on the WAN interface.

D

Incorrect because a loopback interface IP address does not affect PAT translation of inside user traffic; PAT depends on NAT ACLs and routing, not loopback IP addresses.

1329
MCQmedium

A client receives an IP address but cannot reach remote networks. Which DHCP option is most likely missing or incorrect?

A.DNS server option
B.Lease time option
C.Default gateway option
D.TFTP server option
AnswerC

Without the correct gateway, off-subnet traffic fails.

Why this answer

The client can obtain an IP address but cannot reach remote networks, which indicates that the DHCP server is not providing the default gateway (option 3). Without a default gateway, the client has no route to destinations outside its local subnet, so traffic to remote networks is dropped. The DHCP server must be configured to supply the router's IP address as the default gateway for clients to forward inter-network traffic.

Exam trap

Cisco often tests the distinction between DHCP options by presenting a symptom like 'can't reach the internet' and expecting candidates to recognize that the default gateway (option 3) is the critical missing piece, not DNS or lease time.

Why the other options are wrong

A

The DNS server option is not critical for basic connectivity to remote networks; it primarily affects name resolution. If a client can obtain an IP address but cannot reach remote networks, the issue is more likely related to the default gateway configuration.

B

The lease time option specifies how long a DHCP lease is valid, but it does not affect the ability to reach remote networks. Therefore, a missing or incorrect lease time would not directly cause connectivity issues.

D

The TFTP server option is not necessary for a client to reach remote networks, as it primarily facilitates file transfers and does not impact routing or network accessibility. Therefore, its absence would not directly cause connectivity issues to remote networks.

1330
MCQmedium

A network automation script sends this HTTP request to a controller API:

POST /api/v1/devices

What does the POST method typically indicate in a RESTful API?

A.It retrieves an existing resource without changing it
B.It creates a new resource or submits data to be processed
C.It deletes the targeted resource permanently
D.It replaces the entire existing resource in an idempotent way
AnswerB

Correct. POST commonly creates a new resource or submits data to the API for processing. In automation questions, that usually means the script is asking the controller to add something or perform an action using the payload it sends.

Why this answer

POST usually means the client is submitting information to create a new resource or asking the server to process the provided payload. In a controller-based networking context, that often means onboarding a device, creating an object, or starting a workflow. This question is testing method recognition rather than deep programming skill.

GET is commonly used for retrieval, DELETE for removal, and PUT for full replacement or update behavior that is typically idempotent. POST is different because repeating the same POST can create multiple objects or trigger repeated actions, depending on the API design. For CCNA purposes, the plain-English takeaway is simple: POST is generally associated with create-or-submit behavior, not read-only retrieval.

Exam trap

Remember that POST is for creating resources, not retrieving, deleting, or updating them.

Why the other options are wrong

A

Option A is incorrect because the POST method is not used for retrieving resources; instead, it is intended for creating new resources or submitting data for processing in a RESTful API context.

C

The POST method is used to create or submit data, not to delete resources. Option C incorrectly describes the function of the DELETE method in RESTful APIs, which is responsible for removing resources.

D

Option D is incorrect because the POST method is not idempotent and does not replace an existing resource; it is primarily used to create new resources or submit data.

1331
MCQhard

A company wants unauthorized devices plugged into unused wall ports to have as little chance of gaining access as possible. Which action most directly supports that goal?

A.Administratively disable unused switch ports.
B.Convert every unused port into a trunk.
C.Enable Telnet on unused ports for monitoring.
D.Remove all VLAN assignments from active user ports.
AnswerA

This is correct because unused active ports are unnecessary exposure points.

Why this answer

Administratively shutting down unused switch ports most directly supports the goal because it eliminates the access point entirely. Option B, converting unused ports into trunks, would actually increase risk by potentially allowing VLAN hopping and unauthorized traffic. Option D, removing VLAN assignments from active user ports, does not address unused ports and could disrupt legitimate users by forcing them into the default VLAN.

Disabling unused ports is a simple and effective hardening measure that reduces attack surface.

Exam trap

Don't confuse methods that limit or monitor access with those that completely prevent it. Focus on actions that eliminate the risk entirely.

Why the other options are wrong

B

Converting unused ports into a trunk does not prevent unauthorized access; it actually allows multiple VLANs to be carried over a single link, potentially exposing sensitive data. This action could inadvertently grant access to unauthorized devices if they connect to these trunked ports.

C

Enabling Telnet on unused ports does not prevent unauthorized access; instead, it creates a potential security vulnerability by allowing remote access to those ports. This action could expose the network to unauthorized monitoring or control.

D

Removing VLAN assignments from active user ports does not prevent unauthorized devices from accessing the network; it could disrupt legitimate user access instead. The goal is to secure unused ports, not impact active ones.

1332
MCQhard

A switchport connected to another switch is configured with `switchport mode dynamic auto` on both ends. What is the most likely outcome if neither side actively negotiates trunking?

A.The link is likely to remain non-trunking because both sides are waiting passively.
B.The link always becomes a trunk immediately.
C.The link becomes a routed Layer 3 link.
D.All VLANs are deleted from both switches.
AnswerA

This is correct because dynamic auto on both ends does not normally force trunk formation.

Why this answer

If both ends are set to dynamic auto, the most likely outcome is that the link does not become a trunk automatically. In plain language, both interfaces are waiting passively for the other side to initiate the negotiation. Since neither side is actively trying to form the trunk, the link typically remains non-trunking unless one side is changed to a more active mode or trunk is configured directly.

This is a classic DTP behavior question because it tests whether you understand the difference between active and passive negotiation roles. The correct answer is the one that reflects the passive nature of dynamic auto on both sides.

Exam trap

Be careful not to confuse dynamic auto with dynamic desirable. Only dynamic desirable actively negotiates trunking.

Why the other options are wrong

B

This option is wrong because `switchport mode dynamic auto` does not force immediate trunking; it relies on negotiation, and if neither side actively negotiates, the link remains non-trunking.

C

This option is wrong because a switchport configured with `switchport mode dynamic auto` does not automatically convert to a routed Layer 3 link unless explicitly configured to do so. The default behavior is to remain in access mode unless trunking is negotiated.

D

Option D is incorrect because configuring `switchport mode dynamic auto` does not delete VLANs; it merely affects trunk negotiation. VLANs remain configured on the switches regardless of trunking status.

1333
MCQhard

Refer to the exhibit. A network engineer is troubleshooting an ACL that is not filtering traffic as expected. The engineer runs the show access-lists 110 command and notices that all access control entries (ACEs) show zero matches, even though traffic that should match the permit or deny statements is traversing the network. The engineer then checks the interface configuration. What is the most likely cause?

A.The ACL is applied to the interface in the wrong direction (inbound instead of outbound).
B.The access-list 110 syntax has incorrect subnet masks causing no matches.
C.The ACL 110 is not applied to any interface.
D.The interface GigabitEthernet0/0 is administratively down, preventing ACL processing.
AnswerC

The 'Inbound access list is not set' and 'Outgoing access list is not set' lines in the exhibit directly prove that no ACL has been applied to GigabitEthernet0/0. Since ACL 110 exists but isn't attached to any interface, it never processes traffic and shows zero hit counts.

Why this answer

The exhibit shows 'Inbound access list is not set' and 'Outgoing access list is not set' under GigabitEthernet0/0. This confirms that no access list has been applied to this interface, so access list 110, though defined, is not filtering any traffic. Zero matches are observed because the ACL is never consulted.

Exam trap

Candidates often assume the ACL must be applied somewhere on the router, so they choose 'wrong direction' (inbound vs outbound), but the output clearly shows no ACL is assigned at all.

Why the other options are wrong

A

A common mistake is to try to explain zero matches by directional misapplication without first checking whether an ACL is actually present. The exhibit explicitly shows no ACL is bound.

B

Some candidates fixate on ACL configuration details instead of verifying interface assignment. The output confirms the interface has no ACL, not that an ACL is configured incorrectly.

D

Candidates sometimes misread interface status. This output clearly shows the interface is enabled and up, so a down state is not the issue.

1334
MCQhard

Why is administratively shutting down unused switch ports considered a useful hardening measure?

A.It reduces the attack surface by removing unnecessary network entry points.
B.It increases available bandwidth on the switch backplane.
C.It enables 802.1Q trunking on all remaining ports.
D.It forces port security to activate automatically.
AnswerA

This is correct because an unused enabled port is an unnecessary risk that can be eliminated by shutting it down.

Why this answer

Unused active ports create unnecessary opportunity for unauthorized connection. Disabling them reduces the attack surface and makes opportunistic access much harder. Option B is incorrect because administratively shutting down a port does not increase backplane bandwidth; bandwidth is a fixed hardware characteristic.

Option C is incorrect because shutting down ports does not enable 802.1Q trunking; trunking is configured separately. Option D is incorrect because port security must be explicitly enabled; it is not activated automatically by shutting down ports.

Exam trap

Do not confuse port shutdown with network performance improvements or IP address management. Focus on security implications.

Why the other options are wrong

B

This option is incorrect because shutting down unused switch ports does not directly increase available bandwidth; rather, it is a security measure to minimize potential vulnerabilities. Bandwidth on the switch backplane is determined by the overall switch architecture and the active ports' configurations, not by disabling unused ports.

C

This option is wrong because administratively shutting down unused switch ports does not enable 802.1Q trunking; trunking is a configuration that allows multiple VLANs to traverse a single physical link, which is unrelated to the status of unused ports.

D

This option is wrong because administratively shutting down unused switch ports does not automatically activate port security; it is a separate configuration that must be enabled explicitly on the switch.
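Questions 1331 and 1334 both come down to finding the ports that are enabled but have nothing connected. The audit below is an added example, not part of the question bank or of any Cisco tooling: it parses a constructed sample of `show interfaces status` output (the port names, descriptions and statuses are made up), lists the live-but-unused ports, singles out any that are also trunks (the exposure behind option B of 1331), and emits the IOS lines that close them.

```python
import re

# Constructed sample of `show interfaces status` output (not from the question bank).
# Gi0/3 and Gi0/4 are live but unused; Gi0/5 has already been shut down.
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1     Uplink to SW2      connected    trunk      a-full  a-1000 10/100/1000BaseTX
Gi0/2     HR-PC              connected    10         a-full  a-1000 10/100/1000BaseTX
Gi0/3                        notconnect   1          auto    auto  10/100/1000BaseTX
Gi0/4                        notconnect   trunk      auto    auto  10/100/1000BaseTX
Gi0/5                        disabled     1          auto    auto  10/100/1000BaseTX
"""

# The Name column may be blank, so anchor the parse on the fixed Status keywords
# instead of splitting the row on whitespace.
STATUS_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s+"
    r"(?P<status>connected|notconnect|disabled|err-disabled)\s+(?P<vlan>\S+)"
)


def parse_status(output):
    """Return one dict per interface row: port, name, status, vlan."""
    rows = []
    for line in output.splitlines():
        m = STATUS_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def unused_open_ports(output):
    """Ports that are enabled but have nothing plugged in: the exposure the
    questions are about. 'disabled' ports are already administratively down."""
    return [r["port"] for r in parse_status(output) if r["status"] == "notconnect"]


def unused_trunk_ports(output):
    """Unused ports that would carry every VLAN the moment something is plugged
    in (question 1331, option B); the first ones to fix."""
    return [r["port"] for r in parse_status(output)
            if r["status"] == "notconnect" and r["vlan"] == "trunk"]


def hardening_config(output):
    """IOS lines that pin every unused port to access mode and shut it down."""
    lines = []
    for port in unused_open_ports(output):
        lines += [f"interface {port}", " switchport mode access", " shutdown"]
    return lines


if __name__ == "__main__":
    print("unused trunks:", unused_trunk_ports(SAMPLE_STATUS))
    print("\n".join(hardening_config(SAMPLE_STATUS)))
```

Run it against the real output of `show interfaces status` (pasted into `SAMPLE_STATUS` or read from a file) and the printed block can be reviewed before it is applied; ports in `err-disabled` or `disabled` state are deliberately left alone because they are not the open entry points the question describes.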

1335
MCQhard

A non-root switch has two uplinks toward the root bridge. One path has a lower total STP cost than the other. What role will the lower-cost uplink have?

A.Alternate port
B.Root port
C.Designated port
D.Disabled port
AnswerB

Correct. Lowest-cost path to the root becomes the root port.

Why this answer

On a non-root switch, the port with the lowest path cost toward the root bridge becomes the root port. The higher-cost uplink would become an alternate (blocked) port. A designated port is found on the upstream switch toward this switch, not on the non-root switch itself.

A disabled port is administratively shut down, which does not apply here.

Exam trap

Remember, the root port is determined by the lowest path cost to the root bridge, not by any other criteria.

Why the other options are wrong

A

The higher-cost uplink becomes an alternate (blocked) port, not the lower-cost one.

C

A designated port exists on the upstream switch toward this switch, not on the non-root switch.

D

A disabled port is administratively shut down, not a port with a lower STP cost.

1336
PBQhard

You are connected to R1 (192.0.2.1/24). Use RESTCONF to query the operational state of GigabitEthernet0/0 using the ietf-interfaces YANG module. Then, send a PATCH request to disable the interface (set 'enabled' to false) using the Cisco-IOS-XE-native YANG module. Identify the error when a PATCH request is sent with the wrong Content-Type header (application/json instead of application/yang-data+json) and when the PATCH URI uses an incorrect YANG path (ietf-interfaces instead of Cisco-IOS-XE-native).

Hints

  • RESTCONF requires Content-Type: application/yang-data+json for write operations.
  • The ietf-interfaces module is read-only for operational state; use Cisco-IOS-XE-native for configuration changes.
  • Check the URI path: /restconf/data/ followed by the YANG module and container/leaf.
A.The PATCH request fails with a 415 Unsupported Media Type error because the Content-Type header must be application/yang-data+json, not application/json.
B.The PATCH request fails with a 404 Not Found error because the URI uses ietf-interfaces, which is a read-only module for operational state; the server cannot write to it.
C.The PATCH request succeeds but the interface is not disabled because the body must use 'shutdown' instead of 'enabled'.
D.The PATCH request fails with a 400 Bad Request error because the body must be XML, not JSON.
AnswerA
solution
! R1
GET /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0 --header 'Accept: application/yang-data+json'
PATCH /restconf/data/Cisco-IOS-XE-native:native/interface/GigabitEthernet=0/0 --header 'Content-Type: application/yang-data+json' -d '{"Cisco-IOS-XE-native:interface":{"GigabitEthernet":[{"name":"0/0","shutdown":true}]}}'

Why this answer

The correct GET request uses the ietf-interfaces YANG module path to retrieve interface state. For the PATCH, the Cisco-IOS-XE-native module is used because it supports writing native configuration (including shutdown). Sending PATCH with Content-Type: application/json is rejected because RESTCONF requires application/yang-data+json.

Using ietf-interfaces in the PATCH URI fails because that module is read-only for operational state; the server returns 404 or 405. The correct PATCH body sets 'shutdown' to true within the native interface container.

Exam trap

The trap is that candidates may focus on the YANG module path error (ietf-interfaces vs Cisco-IOS-XE-native) and miss that the question explicitly asks about the error when the Content-Type header is wrong. Always read the question carefully to identify the specific condition being tested.

Why the other options are wrong

B

The specific factual error is that the question asks about the error when the Content-Type header is wrong, not the URI path. The URI path error is a separate issue.

C

The specific factual error is that a wrong Content-Type header causes a rejection before any body parsing, so the request does not succeed.

D

The specific factual error is that RESTCONF does accept JSON; the issue is the exact media type string, not the format.
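The two failure modes this question tests, replayed against a constructed stand-in for R1 so they can be observed without a device. This is an added example, not part of the question bank and not Cisco code: the mock server models only the behaviour the explanation describes (a 415 for a media type other than application/yang-data+json, a 404 for a PATCH sent to the ietf-interfaces path, a 204 for the correct PATCH), and the listening port and sample payloads are assumptions. Real RESTCONF percent-encodes the slash in a list key (GigabitEthernet0%2F0, per RFC 8040); the mock unquotes the path so the question's URIs work as written.

```python
import json
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

YANG_JSON = "application/yang-data+json"
# The question's two URIs. RFC 8040 percent-encodes list keys, so a real device
# would see GigabitEthernet0%2F0; the mock unquotes before comparing.
OPER_URI = "/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0"
NATIVE_URI = "/restconf/data/Cisco-IOS-XE-native:native/interface/GigabitEthernet=0/0"


class MockRestconf(BaseHTTPRequestHandler):
    """Constructed stand-in for R1: just enough RESTCONF to show the failures."""
    state = {"shutdown": False}          # shared by every request handler

    def log_message(self, fmt, *args):   # silence per-request logging
        pass

    def _reply(self, code, payload=None):
        self.send_response(code)
        if code == 204:
            self.end_headers()
            return
        body = json.dumps(payload).encode() if payload is not None else b""
        if body:
            self.send_header("Content-Type", YANG_JSON)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if unquote(self.path) == OPER_URI:
            self._reply(200, {"ietf-interfaces:interface": {
                "name": "GigabitEthernet0/0",
                "enabled": not self.state["shutdown"]}})
        else:
            self._reply(404)

    def do_PATCH(self):
        # Drain the body first so closing the socket never races the client.
        raw = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        ctype = self.headers.get("Content-Type", "").split(";")[0].strip()
        if ctype != YANG_JSON:
            self._reply(415)             # wrong media type: rejected before parsing
            return
        if unquote(self.path) != NATIVE_URI:
            # The explanation treats ietf-interfaces as non-writable and says a
            # device answers 404 or 405; this mock uses 404.
            self._reply(404)
            return
        gig = json.loads(raw)["Cisco-IOS-XE-native:interface"]["GigabitEthernet"][0]
        self.state["shutdown"] = bool(gig.get("shutdown", False))
        self._reply(204)


def restconf_request(port, method, uri, body=None, content_type=YANG_JSON):
    """One request to the mock; returns (status, decoded JSON body or None)."""
    headers = {"Accept": YANG_JSON}
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = content_type
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, uri, body=data, headers=headers)
    resp = conn.getresponse()
    raw = resp.read()
    conn.close()
    return resp.status, (json.loads(raw) if raw else None)


def run_demo():
    """Start the mock R1, replay the question's requests, collect the outcomes."""
    MockRestconf.state["shutdown"] = False
    server = HTTPServer(("127.0.0.1", 0), MockRestconf)   # ephemeral port (assumption)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    shut = {"Cisco-IOS-XE-native:interface": {
        "GigabitEthernet": [{"name": "0/0", "shutdown": True}]}}
    try:
        out = {"get": restconf_request(port, "GET", OPER_URI)[0]}
        out["patch_wrong_type"] = restconf_request(
            port, "PATCH", NATIVE_URI, shut, content_type="application/json")[0]
        out["patch_wrong_module"] = restconf_request(port, "PATCH", OPER_URI, shut)[0]
        out["patch_ok"] = restconf_request(port, "PATCH", NATIVE_URI, shut)[0]
        out["enabled_after"] = restconf_request(
            port, "GET", OPER_URI)[1]["ietf-interfaces:interface"]["enabled"]
    finally:
        server.shutdown()
        server.server_close()
    return out


if __name__ == "__main__":
    print(run_demo())
```

The order of checks in `do_PATCH` is the point of option C's rebuttal: the media type is inspected before the body is parsed, so a request with the wrong Content-Type never reaches the YANG path or the payload at all.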

1337
MCQhard

Clients in VLAN 30 are not receiving addresses from the DHCP server located in VLAN 99. Which configuration change should be made on the Layer 3 interface for VLAN 30?

A.Add ip dhcp snooping trust under interface Vlan30.
B.Add switchport mode trunk under interface Vlan30.
C.Add ip default-gateway 10.99.99.20 under interface Vlan30.
D.Add ip helper-address 10.99.99.20 under interface Vlan30.
AnswerD

This is correct because the SVI for VLAN 30 is the interface that receives the client DHCP broadcasts. By adding `ip helper-address 10.99.99.20`, the Layer 3 device forwards the request as a unicast packet to the DHCP server in VLAN 99.

Why this answer

The DHCP server is on a different subnet, so the client broadcast messages from VLAN 30 will not naturally cross the Layer 3 boundary. In simple terms, the clients are asking for an address by shouting on their own floor of the building, but the server lives on another floor and cannot hear that broadcast directly. The router or Layer 3 switch must relay the request for them. On Cisco devices, that relay function is usually configured with `ip helper-address` on the interface that receives the client broadcasts.

Here, that receiving interface is Vlan30, because that is the default gateway for the clients in VLAN 30. Pointing `ip helper-address` to 10.99.99.20 tells the Layer 3 device to forward DHCP requests to the remote server. DHCP snooping trust is a separate security feature, trunk mode is unrelated to an SVI, and `ip default-gateway` is not the correct solution for relaying DHCP across subnets.

Exam trap

Remember that DHCP snooping and trunk mode do not facilitate DHCP relay. Focus on the purpose of `ip helper-address` for relaying requests across VLANs.

Why the other options are wrong

A

This option is wrong because enabling DHCP snooping trust on VLAN 30 does not facilitate communication with the DHCP server in VLAN 99; it only protects against rogue DHCP servers.

B

Adding 'switchport mode trunk' under interface Vlan30 is incorrect because VLAN 30 is already configured as a Layer 3 interface, and trunking is not applicable to Layer 3 interfaces. This command is used for Layer 2 interfaces to allow multiple VLANs over a single link.

C

This option is wrong because the command 'ip default-gateway' is used to set a default gateway for a Layer 2 device, not for enabling DHCP relay on a Layer 3 interface. Clients in VLAN 30 need a helper address to reach the DHCP server in VLAN 99.

1338
Matchingmedium

Drag and drop the route types on the left to the correct administrative distance and use case descriptions on the right.

Matches

AD 1; manually configured path

AD 5; backup route when primary fails

AD 1; catch-all for unknown destinations

AD 110; used for internal routing within an AS

AD 0; network directly attached to router interface

Why these pairings

Floating static routes do not have a fixed administrative distance; they are manually configured with an AD higher than the primary dynamic routing protocol's AD (e.g., higher than OSPF's 110 or EIGRP's 90) to serve as backup. Using AD 5 would make the route preferred over most dynamic protocols, defeating its backup purpose. The other pairings are correct: connected routes have AD 0, static routes have AD 1, OSPF has AD 110, and a default route is a static route with AD 1 for unknown destinations.

Exam trap

The most common trap is confusing the AD values of connected (0) and static (1). Remember that connected routes are automatically generated and have the highest preference. Also, note that EIGRP internal (90) and OSPF (110) are both IGPs, but their ADs differ.

1339
PBQmedium

You are connected to R1 via console. R1 is a new router connecting two subnets: 192.168.1.0/24 on G0/0 and 192.168.2.0/24 on G0/1. You need to configure IPv6 static routes so that hosts on these subnets can reach the IPv6 Internet via R2 (2001:db8:1::2). R1's G0/0 has IPv6 address 2001:db8:1::1/64, and R2 is the next-hop. Also configure a default IPv6 route toward R2.

Network Topology
R1 G0/0 (2001:db8:1::1/64) connects to R2 G0/0 (2001:db8:1::2/64); R1 G0/1 (2001:db8:2::1/64) faces the internal network.

Hints

  • The default IPv6 route uses the prefix ::/0.
  • The next-hop address must be reachable via a directly connected interface.
  • No need to create static routes for directly connected networks.
A.ipv6 route ::/0 2001:db8:1::2
B.ipv6 route 2001:db8:1::/64 2001:db8:1::2
C.ipv6 route ::/0 g0/0
D.ipv6 route 2001:db8:1::2/128 g0/0
AnswerA
solution
! R1
ipv6 route ::/0 2001:db8:1::2

Why this answer

A default IPv6 static route with prefix ::/0 points to the next-hop 2001:db8:1::2, which correctly forwards all traffic not in the local routing table to R2 for Internet reachability. Option B is wrong because it creates a static route for the directly connected network 2001:db8:1::/64, which is already in the routing table and unnecessary. Option C fails because on Ethernet interfaces, a static route must specify a next-hop IP address, not just an exit interface.

Option D is incorrect because it creates a host route to 2001:db8:1::2, which is a directly connected address, and does not provide a default route.

Exam trap

Be careful to distinguish between a default route (::/0) and a specific route. Also, remember that on Ethernet interfaces, static routes must specify a next-hop IP address, not just an exit interface. Directly connected networks do not require static routes.

Why the other options are wrong

B

Creates a static route for a directly connected network that is already in the routing table, which is unnecessary.

C

On Ethernet interfaces, a static route must specify a next-hop IP address; specifying only an exit interface does not work for multi-access networks.

D

Creates a host route for the next-hop address itself, which is directly connected and already reachable, and does not provide a default route.

1340
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure PAT (Port Address Translation) on a Cisco IOS-XE router and describe the translation process for an outbound packet.

Why this order

First, enter config mode. Then mark the inside and outside interfaces. Create a pool of global addresses.

Finally, enable PAT with overload to allow multiple inside hosts to share the pool addresses.

Exam trap

Candidates often confuse the order of steps, especially thinking that creating the pool or marking interfaces can be done before entering global configuration mode. Remember: you must always be in global configuration mode before issuing any configuration commands. Also, the global address pool must be created before it can be referenced in the ip nat inside source list overload command.

1341
MCQhard

A subnet has the network address 192.168.20.128/26. What is the broadcast address?

A.192.168.20.159
B.192.168.20.191
C.192.168.20.192
D.192.168.20.255
AnswerB

This is correct because .128/26 covers .128 through .191.

Why this answer

A /26 subnet uses blocks of 64 addresses. In plain language, the block that starts at 192.168.20.128 runs through 192.168.20.191. The first address in that block is the network address, and the last address is the broadcast address. That means the broadcast address is 192.168.20.191.

This is a standard subnetting calculation. Once the block size is identified, the broadcast address is simply the last address in the block.

Exam trap

Be careful not to confuse the broadcast address with the first address of the next subnet or with the broadcast address of a different subnet mask.

Why the other options are wrong

A

Option A (192.168.20.159) is incorrect because the broadcast address for the subnet 192.168.20.128/26 is 192.168.20.191, calculated as the highest address in the subnet range from 192.168.20.128 to 192.168.20.191.

C

Option C, 192.168.20.192, is incorrect because it falls outside the range of the subnet defined by 192.168.20.128/26, whose broadcast address is 192.168.20.191.

D

The broadcast address for the subnet 192.168.20.128/26 is 192.168.20.191, not 192.168.20.255. The address 192.168.20.255 is the broadcast address for the entire 192.168.20.0/24 network, which is not relevant to the specified subnet.

1342
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure BPDU Guard, Loop Guard, and Root Guard on a Cisco switch.

Why this order

The correct order starts by entering global configuration mode, then globally enabling PortFast on all access ports to allow immediate transition to forwarding state. BPDU Guard is then enabled globally on all PortFast-enabled ports to protect against unauthorized switches. Next, Loop Guard is enabled globally to prevent loops from unidirectional links.

Afterwards, the specific uplink interface is selected and Root Guard is applied to prevent a rogue switch from becoming the root bridge. This sequence follows Cisco best practices: apply fast convergence first, then protect the edge with BPDU Guard, apply loop prevention globally, and finally secure core links with Root Guard.

1343
MCQmedium

A host at 192.168.50.10/24 needs to send traffic to 192.168.60.20. Which MAC address will it normally place in the Ethernet destination field for the first frame?

A.The MAC address of the remote host at 192.168.60.20
B.The broadcast MAC address only
C.The MAC address of its configured default gateway
D.Its own source MAC address
AnswerC

This is correct because the default gateway is the local next-hop device for off-subnet traffic.

Why this answer

When a host wants to send traffic to a different IP subnet, it does not send the frame directly to the remote device’s MAC address. In plain language, the host knows the destination IP is off its local network, so it hands the traffic to the local router. That means the Ethernet frame is addressed to the default gateway’s MAC address, while the IP packet inside still carries the final remote IP destination.

A host uses ARP to learn MAC addresses on its own LAN. Since the remote host is not local, the sender does not ARP for the remote host’s MAC. Instead, it ARPs for the gateway interface on the same subnet.

Exam trap

A frequent exam trap is selecting the remote host’s MAC address as the Ethernet destination for off-subnet traffic. This is incorrect because ARP requests cannot resolve MAC addresses beyond the local subnet. Candidates may confuse IP routing with MAC addressing and assume direct frame delivery to the remote device.

The trap lies in overlooking the default gateway’s role as the local next-hop device that receives frames destined for remote IPs. Remember, the host always sends the frame to the gateway’s MAC, not the remote host’s MAC, when the destination is outside the local subnet.

Why the other options are wrong

A

Incorrect because the remote host’s MAC address is not known to the sender and cannot be resolved via ARP across subnets. The host must send to the gateway’s MAC instead.

B

Incorrect because broadcast MAC addresses are used only for ARP requests or broadcast traffic, not for normal unicast data frames to a specific remote IP.

D

Incorrect because a device’s own MAC address is used as the source MAC in frames it sends, never as the destination MAC.
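The arithmetic behind questions 1341 (network and broadcast of a /26 block) and 1343 (which address a host resolves with ARP before building the first frame) is the same mask operation, carried through here as an added example that is not part of the question bank. It generalizes the /26 walk-through to any IPv4 prefix and adds the check a host implicitly performs: the default gateway itself must be on-link. The gateway address 192.168.50.1 is an assumption, since the question does not state one.

```python
import socket
import struct


def ip_to_int(dotted):
    """'192.168.20.128' -> 32-bit integer (network byte order)."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def int_to_ip(value):
    return socket.inet_ntoa(struct.pack("!I", value))


def prefix_mask(prefix_len):
    """/26 -> 0xFFFFFFC0: the top prefix_len bits set."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"bad prefix length {prefix_len}")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def subnet_bounds(cidr):
    """Return (network, broadcast, block_size) for an IPv4 prefix string.
    Network = address AND mask; broadcast = network OR inverted mask, which is
    the last address of the block, exactly as the /26 walk-through does it."""
    addr, plen = cidr.split("/")
    plen = int(plen)
    mask = prefix_mask(plen)
    network = ip_to_int(addr) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    return int_to_ip(network), int_to_ip(broadcast), 1 << (32 - plen)


def same_subnet(addr_a, addr_b, prefix_len):
    mask = prefix_mask(prefix_len)
    return (ip_to_int(addr_a) & mask) == (ip_to_int(addr_b) & mask)


def gateway_is_valid(host_cidr, default_gateway):
    """A usable default gateway must share the host's own subnet; a gateway
    off-subnet can never be ARPed for, so off-subnet traffic fails outright."""
    host, plen = host_cidr.split("/")
    return same_subnet(host, default_gateway, int(plen))


def arp_target(host_cidr, default_gateway, destination):
    """Which IP the host resolves with ARP before sending to `destination`:
    the destination itself when on-link, otherwise the default gateway, whose
    MAC then goes in the Ethernet destination field (question 1343)."""
    if not gateway_is_valid(host_cidr, default_gateway):
        raise ValueError(f"default gateway {default_gateway} is not on {host_cidr}")
    host, plen = host_cidr.split("/")
    if same_subnet(host, destination, int(plen)):
        return destination
    return default_gateway


if __name__ == "__main__":
    print(subnet_bounds("192.168.20.128/26"))                                  # question 1341
    print(arp_target("192.168.50.10/24", "192.168.50.1", "192.168.60.20"))     # question 1343
```

`subnet_bounds` is the exam method in code: `block_size` is the 64 of "blocks of 64 addresses", and the broadcast is the last address of the block containing the given address, whatever that address is (192.168.20.150/26 yields the same pair as 192.168.20.128/26).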

1344
MCQhard

Refer to the exhibit. A network engineer is troubleshooting a missing route on R1. The router R3 is configured to advertise network 192.168.30.0/24 via OSPF, but the route is not present in the OSPF routing table of R1 when issuing the show ip route ospf command. What is the most likely cause?

A.R3 has not enabled OSPF on the network 192.168.30.0/24 using the network command.
B.R3 has passive-interface default configured and has not issued the no passive-interface command on the interface facing the OSPF neighbor.
C.R1 has an inbound ACL applied to GigabitEthernet0/1 that blocks OSPF multicast traffic to 224.0.0.5 and 224.0.0.6.
D.R3's OSPF router ID is duplicated with another OSPF router, causing the SPF algorithm to drop routes.
AnswerB

Passive-interface default suppresses OSPF hello packets on all interfaces unless explicitly enabled. Without hellos, an adjacency cannot form, so R1 never learns the 192.168.30.0/24 route. The exhibit shows OSPF working with another neighbor, confirming the problem is isolated to R3’s interface configuration.

Why this answer

The exhibit from R1# show ip route ospf displays OSPF routes for 192.168.10.0/24 and 192.168.20.0/24 learned via 10.1.1.2 on GigabitEthernet0/1, proving that OSPF is functioning with neighbor R2. The route 192.168.30.0/24 that R3 is supposed to advertise is missing, indicating that R1 has not formed an OSPF adjacency with R3. When 'passive-interface default' is configured, OSPF hello packets are suppressed on all interfaces unless explicitly overridden with 'no passive-interface'.

As a result, R3 does not send hellos, preventing adjacency and route advertisement. This directly explains why the exhibit lacks the 192.168.30.0/24 entry.

Exam trap

Candidates often jump to answer A, thinking that a missing route means the network command is missing under OSPF. However, the scenario explicitly states R3 is configured to advertise the network, so the real issue is an adjacency problem caused by passive-interface default, which stops hellos from being exchanged.

Why the other options are wrong

A

The question says R3 advertises the network via OSPF; a missing network command would contradict that, so the failure must be in adjacency formation.

C

The presence of other OSPF routes on the same interface disproves a blanket multicast ACL; the issue is specific to R3’s adjacency.

D

A duplicate router ID could prevent adjacency, but the scenario’s focus on passive-interface default provides a more common and direct cause for a total lack of adjacency when OSPF is correctly configured on the network.

1345
MCQhard

Refer to the exhibit. A network administrator is troubleshooting connectivity issues for hosts on VLAN 50 on SW1. The hosts on VLAN 50 cannot reach any devices outside SW1, even though the trunk link between SW1 and SW2 is up. The administrator issues the 'show interfaces GigabitEthernet0/1 trunk' command on SW1. Based on the output, what is the most likely cause of the issue?

A.The native VLAN on the trunk is misconfigured, causing VLAN 50 traffic to be dropped.
B.The trunk is operating in access mode instead of trunk mode, preventing VLAN 50 traffic.
C.VLAN 50 is not in the allowed VLAN list on the trunk.
D.Spanning tree protocol has blocked the trunk port for VLAN 50, isolating the hosts.
AnswerC

The exhibit explicitly shows the allowed VLANs as '1-49,60-4094', which omits VLAN 50. This prevents traffic for VLAN 50 from traversing the trunk.

Why this answer

The 'show interfaces GigabitEthernet0/1 trunk' output would list the allowed VLANs on the trunk. If VLAN 50 is not included in the allowed VLAN list, traffic from VLAN 50 will be dropped at the trunk, preventing hosts on SW1 from reaching devices outside SW1. This is the most likely cause because the trunk is up but VLAN 50 traffic is not forwarded.

Exam trap

Cisco often tests the distinction between native VLAN misconfiguration and allowed VLAN list misconfiguration, where candidates mistakenly attribute all trunk issues to native VLAN mismatches rather than checking the allowed VLAN list.

Why the other options are wrong

A

The assumption that a native VLAN mismatch can drop tagged VLAN traffic is a common misunderstanding.

B

Misreading the output may lead to believing the trunk is not in trunking mode.

D

This confuses spanning-tree blocking with allowed-VLAN filtering; the output shows no blocked state, only the absence of VLAN 50 from the allowed list.
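Reading an allowed-VLAN list such as '1-49,60-4094' by eye is exactly where this question's trap lives, so here is the check done mechanically: an added example, not part of the question bank or of any Cisco tooling. It expands the IOS range syntax (including the `all` and `none` keywords IOS prints in that column), pulls the "Vlans allowed on trunk" section out of a constructed `show interfaces trunk` sample (not the exhibit), and reports which required VLANs each trunk omits.

```python
# Constructed `show interfaces GigabitEthernet0/1 trunk` output (not the exhibit
# from the question bank); it reproduces the allowed list the question quotes.
SAMPLE_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-49,60-4094

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20,30,40,60

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20,30,40,60
"""


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1-49,60-4094' into a set of VLAN IDs.
    'all' and 'none' are the two keywords IOS prints in this column."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(range(1, 4095))
    if spec in ("none", ""):
        return set()
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def allowed_per_port(output):
    """Pull the 'Vlans allowed on trunk' section into {port: spec}."""
    allowed = {}
    in_section = False
    for line in output.splitlines():
        if line.startswith("Port") and "Vlans allowed on trunk" in line:
            in_section = True
            continue
        if in_section:
            if not line.strip():        # blank line ends the section
                break
            port, spec = line.split(None, 1)
            allowed[port] = spec.strip()
    return allowed


def missing_vlans(output, required):
    """For each trunk, the VLANs from `required` that the allowed list omits."""
    report = {}
    for port, spec in allowed_per_port(output).items():
        permitted = expand_vlan_list(spec)
        report[port] = sorted(v for v in required if v not in permitted)
    return report


if __name__ == "__main__":
    print(missing_vlans(SAMPLE_TRUNK, required=[10, 50, 60]))
```

Feeding it the VLANs that actually carry users (here the constructed list 10, 50 and 60) turns the "is VLAN 50 in 1-49,60-4094?" question into a per-trunk report, which is also the form in which a pruning mistake across many uplinks is easiest to catch.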

1346
PBQmedium

You are connected to the console of SW1. The network administrator reports that a workstation connected to interface FastEthernet0/1 cannot communicate with the rest of the network. The workstation is configured for VLAN 10, but the interface is in VLAN 1.

Hints

  • Use 'show vlan brief' to see VLAN assignments.
  • The interface is currently in VLAN 1.
  • Change the access VLAN to 10.
A.Configure the interface as a trunk port.
B.Configure the interface as an access port and assign it to VLAN 10.
C.Configure the interface as a trunk port and allow VLAN 10.
D.Configure the interface as a dynamic desirable port.
AnswerB
solution
! SW1
interface FastEthernet0/1
switchport access vlan 10

Why this answer

The port was in VLAN 1 instead of VLAN 10. By configuring 'switchport access vlan 10', the workstation is now in the correct VLAN and can communicate with the rest of the network.

Exam trap

This question tests your understanding of access ports versus trunk ports and how to assign a VLAN to an access port. A common trap is to think that trunking is needed to carry VLAN traffic, but for end devices, access ports are used. Remember that 'switchport access vlan' is the command to assign a VLAN to an access port.

Why the other options are wrong

A

Trunk ports are used to carry multiple VLANs between switches, not to assign a single workstation to a specific VLAN.

C

Trunk ports are designed to carry multiple VLANs and are typically used between switches, not for end-user devices.

D

DTP modes control whether a port becomes a trunk or remains an access port; they do not change the access VLAN.

1347
MCQhard

Refer to the exhibit. An administrator is troubleshooting connectivity from a branch router R1 to the internet. A ping to 8.8.8.8 from R1 fails. The output of the show ip route command is shown. What is the most likely cause?

A.The default route is missing from the routing table.
B.The next-hop IP address for the default route is not reachable.
C.The static route has an incorrect administrative distance.
D.The ip routing process has not been enabled.
AnswerB

The default route via 203.0.113.1 is present, but the routing table contains no connected or static route to reach 203.0.113.1. Without a route to the next-hop, the default route cannot be used, causing the ping failure.

Why this answer

The routing table shows the static default route 'S* 0.0.0.0/0 [1/0] via 203.0.113.1', but there is no connected or static route to network 203.0.113.0/24 (or any subnet containing 203.0.113.1). Without a route to the next-hop, the default route is unreachable, so the router cannot forward traffic to the internet, causing ping failures.

Exam trap

Candidates often see that a default route is present and assume it is sufficient, ignoring the requirement that the next-hop address must be directly reachable via another route in the table. The trap answer would be to think the default route is missing or misconfigured, but the real issue is its next-hop unreachability.

Why the other options are wrong

A

Candidates may misinterpret a failed ping as indicating no default route exists, overlooking that the route is present but unusable.

C

Candidates may think a higher AD is blocking the route, but the AD is standard and not the issue.

D

A common troubleshooting step is to verify ip routing, but the exhibit clearly shows an active routing table.

1348
MCQmedium

Why is SSH preferred over Telnet for remote device administration?

A.SSH uses less bandwidth because it removes the TCP header
B.SSH encrypts management traffic, while Telnet sends data in clear text
C.SSH works only on console ports, which are more secure
D.SSH does not require user authentication
AnswerB

Correct. Encryption is the key reason SSH is preferred.

Why this answer

SSH protects credentials and management traffic by encrypting the session. Telnet does not provide encryption, so usernames, passwords, and commands can be exposed in transit.

Exam trap

Don't confuse ease of configuration or bandwidth usage with security features. Focus on the encryption aspect of SSH.

Why the other options are wrong

A

This option is incorrect because SSH does not inherently use less bandwidth than Telnet; both protocols utilize TCP, and SSH's encryption actually adds overhead, potentially increasing bandwidth usage.

C

This option is incorrect because SSH can operate over various types of connections, including console ports, but it is not limited to them. Telnet can also be used over console ports, making this statement misleading.

D

This option is incorrect because SSH does require user authentication, typically through passwords or public key authentication, which is essential for secure access. In contrast, Telnet does not enforce strong authentication mechanisms.

1349
Multi-Select · medium

A standard numbered ACL is applied close to the destination, but it is blocking traffic from one host while still allowing all other users on the subnet. Which two facts about standard ACLs are relevant in this design?

Select 2 answers
A. They filter based on source address only
B. They are best placed near the source in most cases
C. They can match TCP and UDP port numbers
D. They automatically create a permit any at the end
Answers: A, B

Standard ACLs do not inspect destination addresses or ports.

Why this answer

Standard ACLs only match the source IP address. For that reason, they are usually placed near the source so they do not block more traffic than intended.

Exam trap

A common exam trap is assuming that standard ACLs can filter traffic based on destination IP addresses or port numbers. Candidates may incorrectly place standard ACLs near the destination to control traffic more granularly, but since standard ACLs only match source IPs, this placement can block unintended hosts. This misunderstanding leads to unexpected network outages or partial connectivity, especially when trying to block a single host but inadvertently affecting others in the subnet.

Recognizing the source-only filtering nature of standard ACLs is essential to avoid this pitfall.

Why the other options are wrong

C

Incorrect. Standard ACLs cannot match TCP or UDP port numbers; this capability belongs to extended ACLs, which provide more granular filtering.

D

Incorrect. ACLs do not automatically create a 'permit any' at the end; instead, they have an implicit deny all statement that blocks any traffic not explicitly permitted.

1350
MCQ · medium

A branch LAN requires 50 usable IPv4 host addresses. What is the most efficient subnet mask that provides at least 50 usable hosts?

A. /27
B. /26
C. /25
D. /24
Answer: B

Correct. A /26 supports 62 usable hosts.

Why this answer

A /26 provides 64 total addresses and 62 usable host addresses. It is the smallest subnet (longest prefix length) that still fits 50 hosts, which makes it the most efficient choice.

Exam trap

Read the requirement carefully. Cisco often uses subtle wording like 'most efficient' or 'industry standard' to eliminate technically correct but non-optimal answers.

Why the other options are wrong

A

A /27 subnet provides only 30 usable host addresses, which is insufficient for the requirement of 50 usable addresses. Therefore, it does not meet the needs of the branch LAN.

C

A /25 provides 126 usable addresses, which exceeds the requirement of 50. It is not the most efficient choice, because a /26 (a longer prefix, and therefore a smaller subnet) also meets the requirement.

D

A /24 provides 256 total addresses, far more than the 50 usable addresses required. It is not the most efficient choice, because a /26 provides 64 addresses, which is sufficient while wasting far fewer addresses.
