CCNA 200-301 v2 (200-301) — Questions 13511425

1819 questions total · 25pages · All types, answers revealed

Page 18

Page 19 of 25

Page 20
1351
MCQhard

Two directly connected routers running OSPFv3 do not form an adjacency. Both interfaces have valid IPv6 addresses and can ping each other using link-local addresses. What is the most likely cause?

A.The interfaces are assigned to different OSPFv3 areas.
B.The routers need global unicast addresses before OSPFv3 can run.
C.The router IDs must be identical before adjacency can form.
D.The link-local addresses must be learned from DHCPv6.
AnswerA

This is correct because OSPFv3 neighbors on the same link must agree on the area.

Why this answer

The most likely cause is an OSPFv3 area mismatch on the interface. In practical terms, OSPFv3 still requires neighbors on the same link to agree on the area assignment, just as OSPF for IPv4 does. Link-local reachability alone is not enough to form an adjacency. The protocol parameters still have to match.

This is an important IPv6 routing point because people sometimes assume that successful IPv6 ping means the routing protocol should automatically work. It does not. Adjacency depends on protocol alignment, not just basic connectivity.

Exam trap

A frequent exam trap is to assume that because two routers can ping each other using IPv6 link-local addresses, their OSPFv3 adjacency should automatically form. This mistake overlooks the critical requirement that both routers must be configured in the same OSPFv3 area. Candidates might also incorrectly believe that global unicast addresses are necessary for OSPFv3 adjacency or that router IDs must be identical.

These misconceptions lead to selecting incorrect answers, as adjacency depends on matching area IDs and unique router IDs, not on global addressing or identical IDs.

Why the other options are wrong

B

Incorrect. OSPFv3 forms adjacencies using IPv6 link-local addresses, so global unicast addresses are not mandatory for adjacency formation or neighbor discovery.

C

Incorrect. Router IDs must be unique identifiers for OSPF routers. Identical router IDs cause adjacency failure, but they do not need to be identical to form adjacency.

D

Incorrect. IPv6 link-local addresses are automatically configured on interfaces and do not require DHCPv6. OSPFv3 uses these link-local addresses for neighbor communication.

1352
PBQhard

You are connected to R1. The link between R1 and R2 is down. The output of 'show interfaces gigabitEthernet0/0' on R1 shows: 'GigabitEthernet0/0 is administratively down, line protocol is down (disabled)', with IP address 203.0.113.1/30, MTU 1500, and no input/output errors. Determine the root cause and configure the necessary fix to bring the interface up and restore connectivity.

Network Topology
G0/0203.0.113.1/30G0/0203.0.113.2/30linkR1R2

Hints

  • Check the interface status: 'show interfaces' reveals administratively down.
  • The 'shutdown' command disables the interface; use 'no shutdown' to enable it.
  • After enabling, verify with 'show ip interface brief'.
A.Enter interface configuration mode for GigabitEthernet0/0 and issue the 'no shutdown' command.
B.Enter interface configuration mode and issue the 'speed 100' command to match the remote interface speed.
C.Enter interface configuration mode and issue the 'duplex full' command to force full-duplex operation.
D.Enter interface configuration mode and issue the 'no keepalive' command to disable keepalives.
AnswerA
solution
! R1
configure terminal
interface gigabitethernet0/0
no shutdown

Why this answer

The interface status 'administratively down' means the interface was manually shut down using the 'shutdown' command. To bring it up, you must enter interface configuration mode and issue 'no shutdown', which administratively enables the interface. The other options are incorrect: setting speed to 100 Mbps or forcing full-duplex will not fix an administratively down state, and disabling keepalives is unrelated to the interface being disabled.

Exam trap

Candidates often miss the 'administratively down' keyword in show interfaces output and instead look for speed/duplex mismatches; always read the interface status first.

Why the other options are wrong

B

A speed mismatch would show 'up, line protocol down' and possibly increased input errors, but the interface here is 'administratively down'—manually disabled.

C

A duplex mismatch would cause late collisions or CRC errors, not an 'administratively down' status, which indicates a shutdown state.

D

Disabling keepalives has no effect on 'administratively down' because the interface is disabled at the administrative level, not because of a keepalive failure.

1353
PBQhard

You are connected to R1 via console. Configure OSPFv3 for IPv6 on R1 and R2 so that IPv6 loopback interfaces on both routers can communicate. R1's GigabitEthernet0/0 and R2's GigabitEthernet0/1 are directly connected. Ensure OSPFv3 is enabled on the correct interfaces and verify neighbors and routes.

Network Topology
G0/02001:db8:12::1/64G0/12001:db8:12::2/64linkR1R2

Hints

  • OSPFv3 must be enabled per-interface, not globally.
  • Use the same OSPFv3 process ID and area on both routers.
  • Check which interfaces are physically connected between the routers.
A.Enable OSPFv3 on R1's GigabitEthernet0/0 and Loopback0, and on R2's GigabitEthernet0/1 and Loopback0.
B.Enable OSPFv3 only on the loopback interfaces of both routers.
C.Enable OSPFv3 on R1's GigabitEthernet0/0 and R2's GigabitEthernet0/1 only, without loopbacks.
D.Enable OSPFv3 on R1's Loopback0 and R2's GigabitEthernet0/1 only.
AnswerA
solution
! R1
interface GigabitEthernet0/0
ipv6 ospf 1 area 0
interface Loopback0
ipv6 ospf 1 area 0

! R2
interface GigabitEthernet0/1
ipv6 ospf 1 area 0
interface Loopback0
ipv6 ospf 1 area 0

Why this answer

The issue is that OSPFv3 is not enabled on the interfaces. On R1, OSPFv3 must be enabled on GigabitEthernet0/0 (the link to R2) and Loopback0 (to advertise the loopback). On R2, OSPFv3 must be enabled on GigabitEthernet0/1 (the link to R1) and Loopback0.

After enabling OSPFv3 on the correct interfaces, the neighbor adjacency forms and routes are exchanged.

Exam trap

A common trap is to enable OSPFv3 only on the link interfaces or only on the loopbacks. Remember that OSPFv3 must be enabled on every interface that needs to be advertised or that participates in neighbor discovery. Also, note that OSPFv3 uses 'ipv6 ospf <process-id> area <area-id>' under the interface, not the network statement used in OSPFv2.

Why the other options are wrong

B

OSPFv3 requires the link interface to be enabled to form neighbors; loopback-only configuration results in no neighbor relationship.

C

OSPFv3 must be enabled on the loopback interfaces to advertise their prefixes; otherwise, they remain unknown to the neighbor.

D

Both routers must have OSPFv3 enabled on the link interface to form an adjacency, and both loopbacks must be enabled to advertise their prefixes.

1354
MCQhard

A switch port connected to an end host is configured with both PortFast and BPDU Guard. What is the most likely outcome if a small switch is connected there and starts sending BPDUs?

A.The port is error-disabled by BPDU Guard.
B.The port automatically becomes the root port.
C.The port converts into a trunk for the attached switch.
D.The port ignores the BPDU because PortFast disables STP entirely.
AnswerA

This is correct because BPDU Guard disables the edge port when a BPDU is received.

Why this answer

BPDU Guard places the port into an error-disabled state upon receiving a BPDU, because PortFast defines the port as an edge port that should never receive BPDUs. Option B is incorrect because receiving a BPDU does not automatically make a port a root port; root port selection depends on bridge ID and path cost, and BPDU Guard prevents further STP processing by disabling the port. Option C is incorrect because a port cannot convert to a trunk solely by receiving a BPDU; trunking requires manual configuration or Dynamic Trunking Protocol (DTP).

Option D is incorrect because PortFast does not disable STP entirely; it only speeds up initial convergence, and BPDU Guard actively responds to BPDUs by error-disabling the port.

Exam trap

Remember, BPDU Guard is about protection, not ignoring or processing BPDUs. It disables the port to prevent loops.

Why the other options are wrong

B

This option is wrong because a port configured with PortFast and BPDU Guard will not automatically become the root port when it receives BPDUs; instead, it will be error-disabled due to BPDU Guard's protective mechanism.

C

This option is incorrect because a port configured with PortFast and BPDU Guard does not convert to a trunk when receiving BPDUs; instead, BPDU Guard will disable the port to prevent potential loops.

D

This option is incorrect because PortFast does not disable Spanning Tree Protocol (STP) entirely; it only allows the port to transition to the forwarding state immediately without waiting for STP convergence. BPDU Guard will still take effect if BPDUs are received on a PortFast-enabled port.

1355
Matchingmedium

Match each trunking or switchport term to its most accurate description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

A switch link that can carry multiple VLANs

A switchport that normally belongs to one VLAN for endpoint traffic

The VLAN associated with untagged traffic on an 802.1Q trunk

The setting that restricts which VLANs a trunk may carry

Why these pairings

These terms define how switchports handle VLAN traffic in trunking environments.

Exam trap

Candidates often confuse terms like 'access port' and 'trunk port' or mistake protocols (802.1Q) and properties (native VLAN) for port types. Focus on the function: trunk ports carry multiple VLANs; access ports carry one; 802.1Q is the tagging method; native VLAN is the untagged VLAN on a trunk.

1356
Multi-Selectmedium

Which three of the following are functions of the Spanning Tree Protocol (STP) in a switched network? (Choose three.)

Select 3 answers
.STP prevents loops by placing redundant ports into a blocking state, leaving only one active path between any two network segments.
.STP elects a root bridge based on the lowest bridge ID (priority + MAC address).
.STP ensures that all ports on a non-root bridge eventually become root ports.
.STP uses BPDUs to exchange topology information between switches.
.STP automatically load-balances traffic across all redundant links equally.
.STP transitions a port from blocking to forwarding immediately after the Max Age timer expires.

Why this answer

STP prevents loops by placing redundant ports into a blocking state, ensuring only one active logical path exists between any two network segments (option A). It elects a root bridge based on the lowest bridge ID (priority + MAC address) to serve as the reference for all path calculations (option B). STP uses Bridge Protocol Data Units (BPDUs) to exchange topology information between switches (option D).

Option C is false because only one port per non-root bridge becomes the root port; the others are designated or alternate/blocking ports. Option E is false because STP does not load-balance; it blocks redundant links to prevent loops, and load-balancing requires techniques like EtherChannel or Multiple Spanning Tree. Option F is false because after Max Age expires, a port transitions from blocking to listening, then learning, and finally forwarding (each with its own timer); it does not transition immediately to forwarding.

Exam trap

Cisco often tests the misconception that STP makes all ports on a non-root bridge become root ports, when in fact only one port per bridge is elected as the root port, and the rest become designated or alternate/blocking ports.

1357
MCQhard

A host is configured with 10.1.1.34/30. Which address is the broadcast address for its subnet?

A.10.1.1.31
B.10.1.1.35
C.10.1.1.32
D.10.1.1.36
AnswerB

This is correct because .34 is in the 32–35 subnet block.

Why this answer

A /30 subnet has a block size of 4. In practical terms, the last-octet blocks are 0–3, 4–7, 8–11, and so on. Because 34 falls within the 32–35 block, the broadcast address is the last address in that block: 10.1.1.35.

This question tests whether you can identify the correct subnet block before choosing the broadcast address.

Exam trap

Ensure you correctly identify the subnet range and understand the roles of network, host, and broadcast addresses.

Why the other options are wrong

A

The address 10.1.1.31 is incorrect as a broadcast address for the subnet 10.1.1.34/30; the correct broadcast address is 10.1.1.35, derived from the subnet mask which allows for only 4 IP addresses (10.1.1.34 to 10.1.1.37).

C

The address 10.1.1.32 is not the broadcast address for the subnet 10.1.1.34/30; instead, it is the network address for the subnet, which is 10.1.1.32 to 10.1.1.35.

D

The address 10.1.1.36 is incorrect because it exceeds the valid range for a /30 subnet, which only allows for four IP addresses (two usable hosts, one network, and one broadcast). The broadcast address for the subnet 10.1.1.34/30 is 10.1.1.35.

1358
MCQhard

A network technician connects a new Cisco switch to an existing access switch using a Category 5e copper patch cable. The link fails to come up, and the interface status shows 'err-disabled'. The technician checks the interface diagnostics and the running configuration. What action should the technician take to resolve the problem?

A.Replace the Category 5e cable with a Category 6 cable to support Gigabit Ethernet.
B.Configure the interface as a trunk port and disable spanning-tree BPDU guard.
C.Replace the copper SFP with a fiber SFP to increase the distance.
D.Manually set the speed and duplex to 1000 Mbps and full duplex on both switches.
AnswerB

The port is in err-disabled because bpduguard is enabled. Since this is a connection between two switches, the port should be configured as a trunk (or at least not as an access port with portfast) and bpduguard should be disabled to prevent the errdisable state.

Why this answer

The most likely reason for the err-disabled state is a spanning-tree BPDU guard violation on the access switch's port configured with PortFast. When another switch is connected, it sends BPDUs, triggering BPDU guard to error-disable the port. Configuring the interface as a trunk port and disabling BPDU guard (option B) resolves the issue by allowing BPDUs without triggering the protection.

Option A is unnecessary because Category 5e supports Gigabit Ethernet. Option C is irrelevant since the problem is not distance-related. Option D is risky because auto-negotiation is preferred and manual settings can cause mismatches.

Exam trap

Cisco often tests the misconception that err-disabled is always caused by speed/duplex mismatches or cable issues, but the trap here is that BPDU guard on a PortFast access port is a frequent and specific cause when connecting another switch.

Why the other options are wrong

A

The symptom is err-disabled, not a speed or duplex mismatch; cable type is not the issue.

C

The port is a built-in copper port, not an SFP-based interface; distance is not the issue.

D

The err-disabled state is due to BPDU guard, not speed/duplex mismatch; manual settings would not fix the root cause.

1359
Matchingeasy

Match each data format or API term to its best description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Lightweight structured data format often used in API responses

Data modeling language for network configuration and state

Architecture style that commonly uses HTTP methods such as GET and POST

Credential or value used to authorize API requests

Why these pairings

JSON, XML, and YAML are data formats; REST is an architectural style that commonly uses HTTP methods, while SOAP and gRPC are API protocols. Each has distinct characteristics: JSON is lightweight, XML is verbose, YAML is human-readable, REST uses HTTP verbs, SOAP is strict, and gRPC is high-performance.

Exam trap

The trap is confusing data formats with API protocols. Many candidates mistakenly think XML or JSON are protocols because they are used with REST/SOAP, but they are formats. Remember: formats describe data structure; protocols define communication rules.

1360
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure WPA3-Personal on a WLC, associate a wireless client, and complete the 802.11 authentication and DHCP process.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The correct order is to first configure the WLAN with WPA3-Personal on the WLC, then the client completes 802.11 authentication (open system authentication followed by the SAE handshake), next the client associates with the AP, and finally the client obtains an IP address via DHCP. Option B correctly follows this sequence, while option A incorrectly reverses authentication and association, option C places WLAN configuration after client association, and option D erroneously performs DHCP before any wireless steps.

Exam trap

Watch out for the order of 802.11 authentication and DHCP. Many candidates mistakenly place DHCP before authentication, but authentication is a layer 2 process that must complete before the client can obtain an IP address.

1361
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure VLANs, assign access ports, set up 802.1Q trunks with a native VLAN, and verify the configuration using show commands.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The correct sequence ensures VLANs exist before any port assignment or trunk configuration. Creating VLANs first is essential because both access and trunk ports depend on VLANs being present. Access port assignment and trunk configuration are independent steps that can occur in either order after VLANs are created.

Verification using 'show vlan brief', 'show interfaces trunk', and 'show interfaces switchport' is always the final step to confirm the setup.

Exam trap

A common mistake is to attempt assigning ports to VLANs before the VLANs exist, which will be rejected. Additionally, some learners mistakenly think trunk configuration must follow access port assignment, but the order between these two steps is interchangeable as long as VLANs are created first.

1362
MCQhard

A network engineer is troubleshooting a link between two Cisco Catalyst 9300 switches that are connected via a single-mode fiber optic cable. The link is up, but the interface counters show a high number of CRC errors and frame check sequence (FCS) errors. The interface is configured for 1000 Mbps and full duplex on both ends. What is the most likely cause of these errors?

A.A speed or duplex mismatch between the two switches
B.Faulty or dirty fiber optic cable or connectors
C.Incorrect SFP+ module type inserted in the switch
D.Excessive cable length beyond the distance limit
AnswerB

The low received power (-20 dBm on SwitchA) indicates excessive loss, likely due to a damaged cable or dirty connectors.

Why this answer

CRC and FCS errors indicate corruption at the data-link layer, typically caused by physical-layer issues such as signal degradation. Since the link is up and both ends are configured for 1000 Mbps full duplex, a speed/duplex mismatch is ruled out. Dirty or faulty single-mode fiber connectors or the cable itself can introduce optical signal loss or reflections, leading to bit errors that manifest as CRC/FCS errors.

Exam trap

Cisco often tests the distinction between CRC errors (physical-layer signal integrity) and duplex mismatch symptoms (late collisions, runts), leading candidates to incorrectly choose a speed/duplex mismatch when the interface counters show CRC errors.

Why the other options are wrong

A

The exhibit confirms consistent speed and duplex settings.

C

The modules are correctly identified and match the fiber type.

D

There is no evidence of the cable length in the exhibit, and the low power is more indicative of a physical fault rather than simply exceeding distance limits.

1363
PBQhard

You are troubleshooting a wireless client association failure on a Cisco WLC. A client reports it can see the SSID 'GuestNet' but fails to connect, while another client using the same SSID connects fine. You must check the WLC configuration, identify the cause, and fix it so that both clients can associate successfully.

Network Topology
AP-1WLCClient-1

Hints

  • Check if the failing client supports WPA3. Legacy clients may only support WPA2.
  • WPA3 Transition Mode allows a WLAN to accept both WPA2 and WPA3 clients.
  • PMF (Protected Management Frames) set to 'Required' will reject clients that do not support it.
A.Change the WLAN security to WPA2-PSK only and disable PMF.
B.Enable WPA3 Transition Mode and set PMF to Optional.
C.Disable PMF on the WLAN and keep WPA3 enabled.
D.Change the WLAN to use WPA2-PSK with PMF Required.
AnswerB
solution
! WLC
config wlan 2
no security wpa3 pmf required
security wpa3 pmf optional
security wpa3 transition-mode enable
end

Why this answer

The client that cannot associate is likely a legacy client that does not support WPA3. The WLAN 'GuestNet' has WPA3 enabled with 'PMF Required', which forces all clients to support WPA3 and PMF. To fix this, enable WPA3 Transition Mode (which allows both WPA2 and WPA3 clients) and set PMF to Optional.

This will allow the older client to associate using WPA2 while newer clients can use WPA3.

Exam trap

The key trap is confusing PMF settings with authentication protocols. PMF Required is only valid with WPA3, and disabling PMF alone does not fix the protocol mismatch. Always consider that WPA3 Transition Mode is the feature designed to support mixed environments.

Why the other options are wrong

A

The specific factual error: Disabling PMF entirely is not necessary; PMF can be set to Optional to allow both PMF-capable and non-PMF clients.

C

The specific factual error: Disabling PMF alone does not allow a WPA2-only client to associate with a WPA3-only WLAN; the WLAN must also support WPA2.

D

The specific factual error: PMF Required is only supported with WPA3; WPA2 only supports PMF Optional. Additionally, this configuration would not support WPA3 clients.

1364
Multi-Selectmedium

Which TWO statements accurately describe the use of ipconfig, ping, and tracert when troubleshooting a client that cannot reach a remote server?

Select 2 answers
A.A successful ping to 127.0.0.1 confirms that the TCP/IP stack on the local host is functional.
B.If ping to the default gateway fails, the issue is certainly caused by a faulty Ethernet cable.
C.An ipconfig output showing an IPv4 address of 169.254.x.x indicates the DHCP client could not obtain an IP address and self-assigned an APIPA address.
D.A tracert that shows 'Request timed out' for the very first hop proves the local default gateway router is down or unreachable.
E.Running ipconfig /release followed by ipconfig /renew will always restore connectivity if the Ethernet cable is unplugged and re-plugged.
AnswersA, C

Pinging the loopback address tests the local host's TCP/IP protocol stack without sending traffic onto the network.

Why this answer

Option A is correct because pinging the loopback address 127.0.0.1 tests the local TCP/IP stack without sending any frames onto the network. A successful reply confirms that the IP protocol, routing table, and network interface driver are functioning correctly on the local host. This is a foundational step in troubleshooting, as it isolates the problem to the local machine if the ping fails.

Exam trap

Cisco often tests the misconception that a failed ping to the default gateway always points to a physical layer issue, when in fact it could be due to logical misconfigurations, firewall rules, or the gateway itself being operational but not responding to ICMP.

Why the other options are wrong

B

A single cable fault is only one of many possibilities; more testing is needed before concluding physical layer failure.

D

Timed-out hops in tracert do not directly prove the router is down; it may simply not be generating ICMP Time Exceeded messages.

E

These commands do not guarantee a lease; the DHCP server must be operational and reachable.

1365
Multi-Selectmedium

Which two statements accurately describe common uses of NTP in network operations?

Select 2 answers
A.It helps align device clocks across the network.
B.It improves the reliability of event timelines and log correlation.
C.It replaces the need for Syslog.
D.It assigns IP addresses to hosts.
E.It provides WLAN encryption.
AnswersA, B

This is correct because clock synchronization is NTP's core role.

Why this answer

NTP is widely used to keep device clocks aligned, which improves the reliability of event timelines and log correlation because timestamps from different systems can be compared meaningfully. NTP does not replace Syslog, assign IP addresses (DHCP), or provide WLAN encryption; those are separate functions. Its sole purpose is time synchronization.

Exam trap

A frequent exam trap is assuming that NTP performs functions beyond time synchronization, such as replacing Syslog or assigning IP addresses. Candidates might incorrectly select options suggesting NTP handles logging or DHCP tasks because these services are all related to network management. However, NTP’s sole purpose is to synchronize device clocks.

Confusing NTP with DHCP or Syslog overlooks their distinct roles and can lead to selecting incorrect answers. Understanding that NTP supports but does not replace logging or address assignment is crucial to avoid this trap.

Why the other options are wrong

C

This option is incorrect because NTP does not replace Syslog; Syslog is responsible for logging events, while NTP only synchronizes time.

D

This option is incorrect because IP address assignment is handled by DHCP, not NTP, which only manages time synchronization.

E

This option is incorrect because NTP has no role in providing WLAN encryption; encryption is managed by wireless security protocols like WPA2 or WPA3.

1366
Multi-Selectmedium

Which TWO statements about SFP transceivers and fiber optic cabling are correct?

Select 2 answers
A.SFP transceivers are permanently installed on the switch motherboard and cannot be replaced.
B.1000BASE-SX SFP transceivers are designed for multimode fiber and typically support distances up to 550 meters.
C.Multimode fiber typically uses laser-based transmitters for long-distance transmission.
D.Single-mode fiber (SMF) with 1000BASE-LX SFP transceivers can support distances up to 5 km.
E.Single-mode fiber has a larger core diameter than multimode fiber, allowing longer distances.
AnswersB, D

1000BASE-SX uses multimode fiber with a 850 nm wavelength and supports distances up to 550 m (depending on fiber grade).

Why this answer

Option B is correct because 1000BASE-SX SFP transceivers are designed for multimode fiber (MMF) and use short-wavelength lasers (850 nm). Over 50/125 µm MMF, they support up to 550 meters. Option D is correct because 1000BASE-LX SFP transceivers are designed for single-mode fiber (SMF) and support distances up to 5 km according to the IEEE 802.3 standard (not 10 km, which is typically a vendor-specific LH extension).

Option A is false because SFPs are hot-swappable pluggable modules, not permanently installed. Option C is false because multimode fiber typically uses LED or VCSEL transmitters for short distances, not lasers for long-haul. Option E is false because single-mode fiber has a smaller core diameter (8-10 µm) than multimode fiber (50-62.5 µm), which reduces modal dispersion and allows longer distances.

Exam trap

Cisco often tests the misconception that multimode fiber always uses lasers for long distances, when in fact multimode fiber is optimized for shorter runs with LED or VCSEL sources, while single-mode fiber uses lasers for extended reach.

Why the other options are wrong

A

This statement is false because SFP slots are designed for modular, replaceable transceivers.

C

Laser transmitters are used in single-mode fiber for longer distances; multimode uses LED/VCSEL.

E

Single-mode fiber has a smaller core, not larger. The smaller core reduces dispersion and allows longer reach.

1367
PBQhard

You are connected to R1 via the console. R1 has two directly connected interfaces: G0/0 to R2 (IPv4 only) and G0/1 to a LAN switch (dual stack). Your task: configure IPv4 and IPv6 default routes on R1 pointing to R2 (next-hop 10.0.0.2 and 2001:db8:1::2). Also configure a floating static route to 192.0.2.0/24 via R2 with an administrative distance of 10 (so it is used only if the directly connected route fails). The current running-config shows an incorrect static route that causes recursive routing failure. Identify and fix the issue.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/30linkG0/1192.168.1.1/24R2R1switchLAN

Hints

  • Check the next-hop IP in the static route to 192.0.2.0/24 — is it a directly connected neighbor?
  • For a floating static route, the administrative distance must be higher than the primary route's AD.
  • Use 'show ip route 192.0.2.0' to see if the route is flagged as 'recursive failure'.
A.Remove the incorrect static route 192.0.2.0 255.255.255.0 10.0.0.1 and add ip route 192.0.2.0 255.255.255.0 10.0.0.2 10
B.Remove the incorrect static route 192.0.2.0 255.255.255.0 10.0.0.1 and add ip route 192.0.2.0 255.255.255.0 10.0.0.2 1
C.Keep the existing static route and add ip route 192.0.2.0 255.255.255.0 10.0.0.2 10
D.Remove the incorrect static route 192.0.2.0 255.255.255.0 10.0.0.1 and add ip route 192.0.2.0 255.255.255.0 g0/0
AnswerA
solution
! R1
no ip route 192.0.2.0 255.255.255.0 10.0.0.1
ip route 192.0.2.0 255.255.255.0 10.0.0.2 10

Why this answer

The static route to 192.0.2.0/24 uses next-hop 10.0.0.1, which is R1's own interface IP, not R2's. This causes recursive routing failure because the router tries to reach itself. The correct next-hop should be 10.0.0.2 (R2's G0/0 IP).

Additionally, the floating static route must have a higher AD (10) so it is less preferred than the directly connected route (AD 0). Remove the incorrect route and add the correct floating static route with AD 10.

Exam trap

Watch out for recursive routing failures caused by using the router's own interface IP as the next-hop. Also, remember that floating static routes require a higher administrative distance than the primary route to act as a backup.

Why the other options are wrong

B

The specific factual error: The AD of a floating static route must be higher than the primary route's AD to serve as a backup. Here AD 1 is lower than 0? Actually directly connected routes have AD 0, so AD 1 is higher than 0, but the question states the floating static route should be used only if the directly connected route fails, so AD must be higher than 0. AD 1 is higher than 0, so it would still be a backup? Wait, the primary route is directly connected (AD 0).

A floating static route with AD 1 would be less preferred than AD 0, so it would only be used if the directly connected route fails. That is correct behavior. However, the question says 'with an administrative distance of 10' so AD 1 is not 10.

The error is that the AD is not 10 as specified. Also, the explanation in the stem says 'the floating static route must have a higher AD (10) so it is less preferred than the directly connected route (AD 0).' Actually AD 1 is also higher than 0, so it would also be less preferred. But the question explicitly asks for AD 10.

So the answer is wrong because it uses AD 1 instead of 10.

C

The specific factual error: The incorrect static route remains in the routing table, causing recursive routing failure. The router will still try to resolve the next-hop 10.0.0.1, which is its own interface, leading to a loop.

D

The specific factual error: The route does not have an administrative distance of 10, and using an exit interface instead of a next-hop IP is not the intended configuration. Also, the route would be installed with default AD 1, not 10.

1368
PBQmedium

You are connected to R1 via the console. R1 is a Cisco ISR 4321 router running IOS-XE. The network manager wants to monitor interface utilization changes. Use RESTCONF to retrieve the operational state of GigabitEthernet0/0/0 on R1. The device has RESTCONF enabled with username 'admin' and password 'cisco'. The management IP is 192.168.1.1.

Hints

  • RESTCONF uses HTTPS on port 443 by default.
  • The interface name in the URI must be URL-encoded (e.g., '/' becomes '%2F').
  • Use the 'Accept' header to request JSON data.
A.curl -X GET -u admin:cisco https://192.168.1.1/restconf/data/ietf-interfaces:interfaces-state/interface=GigabitEthernet0%2F0%2F0
B.curl -X GET -u admin:cisco https://192.168.1.1/restconf/data/ietf-interfaces:interfaces/GigabitEthernet0/0/0
C.curl -X POST -u admin:cisco https://192.168.1.1/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0%2F0%2F0
D.curl -X GET -u admin:cisco https://192.168.1.1/restconf/data/Cisco-IOS-XE-interfaces-oper:interfaces/GigabitEthernet0/0/0
AnswerA
solution
! R1
curl -k -X GET https://192.168.1.1/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0%2F0%2F0 -u admin:cisco -H "Accept: application/yang-data+json"

Why this answer

RESTCONF uses GET to retrieve data. To retrieve operational state (including interface counters), the path must lead to the `interfaces-state` container, not `interfaces`. The correct YANG data model for operational interface state is `ietf-interfaces:interfaces-state`, and the interface name must be URL-encoded to replace slashes with `%2F`.

Option C uses POST, which is wrong. Option B lacks URL encoding and uses the config container. Option D uses a Cisco-specific module and unencoded slashes, and is not the standard operational state path.

Exam trap

The most common mistake is using the `ietf-interfaces:interfaces` configuration container instead of the `ietf-interfaces:interfaces-state` operational state container, causing retrieval of the running configuration rather than live interface counters and utilization.

Why the other options are wrong

B

The request uses unencoded slashes in the interface name and the configuration container `interfaces`, not `interfaces-state`, so it will not retrieve operational state.

C

RESTCONF uses GET for retrieval; POST is used to create new resources or invoke operations, not to read operational data.

D

This uses a Cisco-IOS-XE-specific module and unencoded slashes, while the task expects the standard ietf-interfaces operational state path.

1369
MCQhard

Refer to the exhibit. A network administrator connects an IP phone to interface GigabitEthernet1/0/1 on a Cisco Catalyst switch. The PC connected through the phone works normally on the data VLAN, but the phone cannot obtain an IP address and fails to register with the call server. Which action will resolve the problem?

A.Configure 'switchport trunk allowed vlan 10,20' on interface Gi1/0/1 and change the switchport mode to trunk.
B.Add 'switchport voice vlan 20' on interface GigabitEthernet1/0/1.
C.Issue 'switchport access vlan 20' and 'switchport voice vlan 10' on interface Gi1/0/1.
D.Enable 'switchport port-security mac-address sticky' on the interface and manually add the phone’s MAC address to the access VLAN.
AnswerB

This command enables the access port to support a voice VLAN, telling the phone to tag voice frames with VLAN 20 while leaving data in VLAN 10.

Why this answer

The PC works on the data VLAN, but the phone cannot obtain an IP address, indicating the phone is not receiving the correct VLAN assignment. The phone should be placed in the voice VLAN (VLAN 20) using the 'switchport voice vlan 20' command, which allows the switch to tag the phone's traffic with VLAN 20 via CDP/LLDP, enabling it to get an IP from the voice VLAN DHCP server.

Exam trap

Cisco often tests the distinction between 'switchport access vlan' (for data) and 'switchport voice vlan' (for voice), and the trap here is that candidates may confuse which VLAN is assigned to which device, or incorrectly think trunking is required for a phone connection.

Why the other options are wrong

A

A trunk port does not provide the voice VLAN advertisement mechanism to the phone; the PC would need to send tagged frames, which typical endpoint NICs do not do.

C

The phone requires access to VLAN 20 for voice services, and the PC must remain in VLAN 10 for data; this configuration does the opposite, failing to meet the requirement.

D

The phone still cannot learn the voice VLAN; port security does not provide a DHCP address or make the switch advertise VLAN 20 to the phone.

1370
Matchingeasy

Match each service to its primary function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Resolves hostnames to IP addresses

Provides IP configuration to clients

Synchronizes device time

Collects and exports log messages

Why these pairings

DNS translates domain names into IP addresses, enabling clients to reach servers by name. DHCP automates the assignment of IP addresses, subnet masks, default gateways, and other parameters to clients. NTP synchronizes the clocks of network devices to a common time source.

Syslog collects and exports log messages from network devices to a centralized server for monitoring and troubleshooting.

Exam trap

The exam often tests your ability to differentiate between network services that are commonly confused, such as DNS and DHCP. Remember: DNS resolves names, DHCP assigns IPs. Do not mix up their primary functions.

1371
MCQhard

A user reports that they cannot access the company's internal web server at 'intranet.company.local' from their workstation. The workstation can ping the web server's IP address 192.168.10.50 successfully, and other internal services like email (mail.company.local) are reachable. Which DNS record issue is most likely causing this problem?

A.Add a CNAME record that aliases 'intranet.company.local' to 'webserver.company.local'
B.Add an A record mapping 'intranet.company.local' to IP address 192.168.10.50
C.Verify the PTR record for 192.168.10.50 points to 'intranet.company.local'
D.Check the NS records for the 'company.local' zone to ensure proper delegation
AnswerB

The nslookup shows that 'intranet.company.local' does not resolve, while the IP is reachable. Adding an A record directly associates the hostname with the correct IP, fixing the resolution failure.

Why this answer

The workstation can ping the web server's IP address (192.168.10.50), confirming network connectivity and that the server is online. However, the user cannot access the server by its hostname 'intranet.company.local', which indicates a DNS resolution failure. Since other internal services like email are reachable, the DNS zone is functioning, but there is no A record that maps the hostname 'intranet' to its IP address.

Adding an A record for 'intranet.company.local' pointing to 192.168.10.50 will resolve the issue.

Exam trap

Cisco often tests the distinction between forward DNS records (A/AAAA) and reverse DNS records (PTR), and candidates mistakenly choose PTR when the symptom is a forward resolution failure, confusing the direction of the lookup.

Why the other options are wrong

A

The root cause is a missing A record; a CNAME record would not resolve without an A record for the target.

C

PTR records are not used for forward name resolution; the issue is with the forward lookup zone.

D

The zone delegation is working (other records resolve), so NS records are not the cause.

1372
MCQhard

A network administrator is troubleshooting connectivity from the 192.168.10.0/24 subnet to the server at 10.10.10.10. Users report that they can reach the server initially, but after a few minutes, connectivity drops and only returns after the interface is cleared. The administrator reviews the router's running configuration and ACL configuration. What is the most likely cause of the intermittent connectivity loss?

A.Remove the 'established' keyword from the ACL to allow initial TCP connections.
B.Apply the ACL inbound on the interface instead of outbound.
C.Add a permit statement for UDP traffic to allow DNS resolution.
D.Change the wildcard mask to 0.0.0.255 to match the subnet more accurately.
AnswerA

The 'established' keyword only permits TCP packets with the ACK or RST bit set, which are responses to established sessions. The initial SYN packet does not have these bits, so it is denied. Removing 'established' allows the TCP three-way handshake to complete.

Why this answer

The 'established' keyword in an ACL permits TCP packets that have the ACK or RST bit set, which are responses to outbound connections. However, it does not permit the initial SYN packet from the client to the server. Since users can reach the server initially (likely due to a temporary permit or stateful inspection elsewhere), but connectivity drops after a few minutes, the issue is that the ACL is blocking the initial SYN packets needed to establish new TCP connections.

Removing the 'established' keyword (or adding a permit for the initial SYN) resolves this by allowing all TCP traffic from the source subnet.

Exam trap

Cisco often tests the misconception that the 'established' keyword permits all TCP traffic, when in fact it only permits packets with the ACK or RST bit set, blocking the initial SYN packet needed to start a new connection.

Why the other options are wrong

B

The direction does not change the fact that the 'established' keyword only permits packets with ACK/RST flags, which excludes the initial SYN.

C

The problem is specifically with TCP connections and ICMP echo-replies, not DNS or UDP.

D

The wildcard mask is already appropriate; the problem lies in the 'established' keyword.

1373
MCQhard

A network engineer notices that an uplink port on a distribution switch has moved to a root-inconsistent state and is blocking traffic. The port is configured with Root Guard and is connected to a new access switch. The new access switch has a lower bridge priority than the current root bridge. What is the most likely cause?

A.BPDU Guard has errdisabled the port because a BPDU was received on an access port.
B.BPDU Filter is blocking inbound BPDUs, causing the switch to fail to detect the topology change and isolate the port.
C.Root Guard has placed the port into root-inconsistent state because the new switch advertised a superior BPDU.
D.Loop Guard has detected a unidirectional link and placed the port in a blocking state to prevent a loop.
AnswerC

Root Guard is designed to prevent the port from becoming a root port. Upon receiving a superior BPDU (lower bridge ID), it places the port in root-inconsistent state, effectively blocking traffic. This directly matches the symptom described.

Why this answer

The port moved to root-inconsistent because Root Guard is enabled. Root Guard detects superior BPDUs (lower bridge ID) and immediately places the port in a broken state (root-inconsistent) to prevent the new switch from becoming the root bridge, thereby blocking traffic. This matches the symptom perfectly.

Other features would manifest differently.

Exam trap

Option A (BPDU Guard) is the most common trap because both BPDU Guard and Root Guard react to BPDUs, but BPDU Guard errdisables the port when any BPDU is received, not specifically causing a root-inconsistent state. Candidates often confuse these two features.

Why the other options are wrong

A

Candidates mistakenly equate BPDU Guard with any BPDU-induced blocking, but the state 'root-inconsistent' is specific to Root Guard.

B

Candidates may think that filtering BPDUs leads to port isolation, but BPDU Filter would not trigger a protective state like root-inconsistent.

D

Candidates often confuse Loop Guard and Root Guard because both can cause inconsistent states, but Loop Guard triggers loop-inconsistent, not root-inconsistent, and is triggered by BPDU loss, not receipt of superior BPDUs.

1374
MCQmedium

A PC connected to switch port Gi0/10 should be in VLAN 20 but receives broadcasts only from VLAN 1. Which switchport setting is most likely wrong?

A.switchport mode trunk
B.switchport access vlan 20 missing or incorrect
C.speed 1000
D.duplex full
AnswerB

Correct. The access VLAN setting most directly controls this behavior.

Why this answer

The PC is receiving broadcasts only from VLAN 1, which indicates the switchport is not correctly assigned to VLAN 20. The most likely cause is that the 'switchport access vlan 20' command is missing or incorrect, leaving the port in its default VLAN (VLAN 1). This prevents the PC from participating in VLAN 20 and receiving its broadcasts.

Exam trap

Cisco often tests the misconception that a trunk port is needed for VLAN membership, but for a single end device, an access port with the correct VLAN assignment is required.

Why the other options are wrong

A

The switchport mode trunk setting is incorrect because a trunk port allows multiple VLANs to pass, while the question indicates that the PC should only receive broadcasts from VLAN 20. Therefore, the issue lies with the access VLAN configuration.

C

The speed setting of 1000 Mbps (1 Gbps) does not influence VLAN membership or broadcast traffic; it only affects the data transfer rate. Therefore, this option does not address the issue of the PC receiving broadcasts only from VLAN 1.

D

The duplex setting of the switch port does not influence VLAN membership or broadcast traffic. Therefore, a duplex configuration of 'full' does not affect the ability of a PC to receive broadcasts from VLAN 20.

1375
Matchingmedium

Match each routing term to its most accurate description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Trust value assigned to a route source

Protocol-specific value used to compare paths

Fallback route used when no more specific match exists

Combining multiple routes into a broader advertisement

Why these pairings

Administrative distance (AD) is a trust value assigned to a route source (e.g., OSPF = 110, EIGRP = 90); it is not a metric or a default route. Metric is a protocol-specific value (e.g., hop count, bandwidth) used to compare paths within the same routing protocol; it is not a trust value. Default route is the fallback used when no more specific match exists in the routing table, not a summarization method.

Summarization combines multiple routes into a broader advertisement to reduce routing table size, not a fallback mechanism. These definitions align correctly, while common confusions (e.g., swapping AD and metric) would misassign the terms.

Exam trap

The key trap is confusing administrative distance with routing protocol metrics or timers. Remember: AD is about trustworthiness of the source, while metrics (like hop count, bandwidth) are about the quality of the path within a protocol. Timers manage route aging and convergence.

1376
MCQhard

After connecting a new switch to interface GigabitEthernet1/0/1 on a distribution switch, a network engineer notices that the interface is in err-disable state. The engineer checks the configuration and finds that spanning-tree portfast and spanning-tree bpduguard enable are applied to the interface. What is the most likely cause of the err-disable state?

A.BPDU Guard was incorrectly enabled on a port that should be a trunk link.
B.The connected switch is sending BPDUs with a lower bridge priority.
C.Spanning-tree PortFast is enabled on a port that connects to another switch.
D.The port is configured as an access port, but should be a trunk.
AnswerC

PortFast skips the listening and learning STP states and is designed for end hosts. When combined with BPDU Guard, the switch was instructed to disable the port upon receiving any BPDU. The downstream switch naturally sends BPDUs, causing BPDU Guard to react and place the port in err-disable. Removing PortFast (and leaving BPDU Guard alone, or disabling BPDU Guard on that link) would resolve the issue.

Why this answer

Option C is correct because PortFast is designed for end-host ports that should not receive BPDUs. When PortFast is enabled on a port connecting to another switch, the switch will immediately transition the port to forwarding state, but if it then receives a BPDU from the connected switch, BPDU Guard will error-disable the port. This is the most common cause of err-disable state when both PortFast and BPDU Guard are configured on an inter-switch link.

Exam trap

Cisco often tests the misconception that BPDU Guard alone causes err-disable, but the trap here is that PortFast must be enabled for BPDU Guard to trigger err-disable on a port receiving BPDUs from another switch.

Why the other options are wrong

A

Candidates often associate BPDU Guard exclusively with access ports and assume configuring it on a trunk is itself a misconfiguration, overlooking that PortFast is the real culprit.

B

Students may confuse root bridge placement with BPDU Guard operation, thinking that a BPDU from a superior switch might cause a port to be disabled, when in fact BPDU Guard is content-agnostic.

D

Candidates may think that because a link between switches should be a trunk, the access mode misconfiguration is the root cause. However, they miss the fact that BPDU Guard acts on the BPDU regardless of the port mode, and the real misconfiguration is PortFast.

1377
MCQmedium

A switch displays this output: Port Name Status Vlan Fa0/1 connected 10 Fa0/2 connected 10 Fa0/24 connected trunk Which port should be checked first if a user in VLAN 20 cannot reach the distribution switch over the uplink?

A.Fa0/1
B.Fa0/2
C.Fa0/24
D.Any access port in VLAN 1
AnswerC

Correct. The trunk carries inter-switch VLAN traffic.

Why this answer

If users in VLAN 20 must cross the uplink, the trunk port is the first place to verify allowed VLANs and tagging.

Exam trap

Don't confuse access ports with trunk ports; only trunk ports can carry multiple VLANs.

Why the other options are wrong

A

Fa0/1 is connected to VLAN 10, and since the user in VLAN 20 cannot reach the distribution switch, checking this port would not address the issue, as it is not part of the user's VLAN.

B

Fa0/2 is connected to VLAN 10, which means it cannot facilitate communication for a user in VLAN 20. The issue lies with the trunk port, which is responsible for carrying multiple VLANs, including VLAN 20.

D

Option D is incorrect because it suggests checking any access port in VLAN 1, which is not relevant to the user's issue in VLAN 20. The problem lies with the trunk port not allowing VLAN 20 traffic, not with access ports in VLAN 1.

1378
MCQeasy

A branch router should automatically learn the IP address of a time source so logs from all devices show matching timestamps. Which service provides that function?

A.DNS
B.NTP
C.TFTP
D.NetFlow
AnswerB

NTP synchronizes device clocks.

Why this answer

NTP synchronizes clocks across network devices. When timestamps line up, syslog messages and troubleshooting output become much more useful.

Exam trap

A common exam trap is selecting DNS as the answer because it involves IP addresses and network services, tempting candidates to confuse name resolution with time synchronization. Another trap is choosing TFTP, since it is a network protocol often associated with configuration and file transfers, misleading candidates to think it manages device settings including time. NetFlow might also confuse candidates because it deals with network traffic data, but it does not affect device clocks.

The key is to recognize that only NTP is designed specifically to synchronize time across devices, which is critical for matching timestamps in logs.

Why the other options are wrong

A

DNS resolves hostnames to IP addresses, enabling devices to locate servers and services by name. However, DNS does not synchronize device clocks or manage time, so it cannot ensure matching timestamps in logs.

C

TFTP is a simple protocol used for transferring files such as configurations and IOS images. It does not provide any time synchronization capabilities and cannot ensure matching timestamps in device logs.

D

NetFlow is a network protocol that collects and exports IP traffic flow information for analysis. It does not affect device clocks or time synchronization and thus cannot provide matching timestamps.

1379
MCQhard

A switch should automatically disable any access port that receives a BPDU from an attached device. Which feature directly provides that behavior?

A.Root Guard
B.Loop Guard
C.BPDU Guard
D.PortFast
AnswerC

BPDU Guard disables an edge port if it receives a BPDU.

Why this answer

BPDU Guard is designed for edge ports that should never see BPDUs. If a BPDU arrives, the port is placed into an err-disabled state to protect the topology. Root Guard and Loop Guard solve different STP problems.

Exam trap

A common exam trap is confusing BPDU Guard with Root Guard or Loop Guard. Candidates may incorrectly select Root Guard because it involves BPDUs and port blocking, but Root Guard only prevents a port from becoming a root port and does not err-disable the port. Loop Guard is often mistaken as it protects against unidirectional link failures but does not disable ports on BPDU receipt.

The key distinction is that BPDU Guard immediately disables the port upon receiving any BPDU, which is the behavior the question describes. Misunderstanding these differences can lead to incorrect answers.

Why the other options are wrong

A

Root Guard prevents a port from becoming a root port if superior BPDUs are received, maintaining the root bridge position, but it does not err-disable the port upon BPDU receipt. Therefore, it does not fulfill the requirement to disable access ports that receive BPDUs.

B

Loop Guard protects against unidirectional link failures by preventing a port from transitioning to forwarding state if BPDUs stop arriving on non-designated ports. It does not disable ports upon receiving BPDUs, so it does not meet the behavior described in the question.

D

PortFast is a feature that allows ports to transition quickly to forwarding state, bypassing the usual STP listening and learning states. It does not disable ports upon receiving BPDUs and therefore does not provide the behavior described.

1380
Matchingeasy

Match each basic automation term to its most accurate meaning.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Software interface used for communication

Structured data format

Secure transport for the communication

Credential-like value used to help control access

Why these pairings

An API is a software interface that allows applications to communicate by defining how requests and responses are handled. JSON is a structured data format using key-value pairs, making it easy for machines to parse and generate. HTTPS provides secure transport by encrypting HTTP traffic with TLS, ensuring data confidentiality and integrity.

A token acts as a credential-like value, often a bearer token, used to authenticate and authorize access to resources.

Exam trap

Be careful not to confuse JSON with a programming language or script; JSON is a data format, not executable code. Also, remember HTTPS is the secure transport, not the data payload, and a token is an access-control artifact, not the actual credential itself.

1381
Multi-Selectmedium

Which TWO statements correctly describe the OSI model layers and their corresponding PDU names during encapsulation?

Select 2 answers
A.The Transport layer encapsulates data into segments.
B.The Network layer encapsulates segments into packets.
C.The Data Link layer encapsulates packets into bits.
D.The Session layer encapsulates segments into sessions.
E.The Physical layer encapsulates frames into bits.
AnswersA, B

The Transport layer adds a TCP or UDP header to upper-layer data to create segments, making this statement correct.

Why this answer

Both A and B are correct. During encapsulation, the Transport layer (Layer 4) adds a header to upper-layer data to form segments, and the Network layer (Layer 3) encapsulates those segments into packets by adding a network-layer header (e.g., IP). Option C is incorrect because the Data Link layer encapsulates packets into frames, not bits; bits are the raw transmission unit at the Physical layer.

Option D is incorrect because the Session layer manages sessions but does not produce a PDU called 'sessions'; encapsulation of segments only occurs at Layers 4 and below. Option E is incorrect because the Physical layer transmits frames as bits but does not perform encapsulation; encapsulation ends at the Data Link layer.

Exam trap

Cisco often tests the specific PDU names at each layer (e.g., segment vs. packet vs. frame vs. bit) and the order of encapsulation, so the trap here is confusing the Data Link layer PDU (frame) with bits or mixing up the Session layer's role with encapsulation.

Why the other options are wrong

C

The Data Link layer encapsulates packets into frames, not bits; bits are the PDU of the Physical layer.

D

The Session layer handles session management and does not perform encapsulation into 'sessions'; encapsulation at this layer is not defined.

E

The Physical layer transmits frames as bits but does not encapsulate frames into bits; encapsulation ends at Layer 2.

1382
Matchingmedium

Match each term to the best description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Lightweight data-interchange format

Data modeling language for structured configuration and state

Architectural style using HTTP methods such as GET and POST

Streaming operational data from devices to collectors

Why these pairings

These terms are correctly matched with their definitions in the context of network programmability and SDN.

Exam trap

Do not confuse northbound and southbound APIs: northbound is for applications, southbound is for devices. Also, avoid invented terms like eastbound or westbound for these roles.

1383
PBQhard

You are connected to R1. The inside network 192.168.1.0/24 must be able to access the internet using PAT (NAT overload) with the outside interface G0/1 IP 203.0.113.1. Additionally, the internal server at 192.168.1.10 must be reachable from the internet via static NAT to 203.0.113.10. The current configuration is incomplete and contains errors. Identify and fix all issues so that both PAT and static NAT work correctly.

Network Topology
G0/0192.168.1.1/24G0/1203.0.113.1/24LANinsideR1outsideInternet

Hints

  • Check which interfaces are marked as inside/outside — they may be reversed.
  • Look at the ACL used for dynamic NAT — does it match the correct inside subnet?
  • Is the 'overload' keyword present on the ip nat inside source command?
A.Swap ip nat inside/outside on interfaces, add 'overload' to the dynamic NAT rule, and correct ACL 1 to permit 192.168.1.0/24.
B.Change the static NAT inside address to 192.168.1.1 and add 'overload' to the dynamic NAT rule.
C.Remove the static NAT configuration and rely solely on PAT for the server.
D.Add the 'overload' keyword to the dynamic NAT rule and correct ACL 1 to permit 192.168.1.0/24.
AnswerA
solution
! R1
interface GigabitEthernet0/0
ip nat inside
exit
interface GigabitEthernet0/1
ip nat outside
exit
no ip nat inside source list 1 pool GLOBAL
ip nat inside source list 1 pool GLOBAL overload
no access-list 1
access-list 1 permit 192.168.1.0 0.0.0.255

Why this answer

The configuration had multiple faults: 1) Inside/outside interfaces were swapped – G0/0 (LAN) should be inside, G0/1 (WAN) should be outside. 2) The PAT command was missing the 'overload' keyword. 3) ACL 1 permitted the wrong subnet (192.168.2.0/24 instead of 192.168.1.0/24). 4) The static NAT configuration was correct, but the interface misconfiguration prevented it from working. Fixes: swap ip nat inside/outside on the interfaces, add 'overload' to the dynamic NAT rule, and correct ACL 1 to permit 192.168.1.0/24.

Exam trap

This question tests your ability to identify multiple simultaneous NAT configuration errors. Common traps include forgetting the 'overload' keyword, misconfiguring ACLs, and swapping inside/outside interfaces. Always verify interface NAT directions first, as they are foundational.

Why the other options are wrong

B

The specific factual error is that the static NAT inside address is already correct; altering it is unnecessary and incorrect.

C

The specific factual error is that static NAT is required for inbound access; PAT alone cannot provide a fixed public-to-private mapping.

D

The specific factual error is that interface NAT direction is fundamental; if inside/outside are reversed, NAT translations will not be applied correctly.

1384
MCQhard

A switch trunk is carrying several VLANs, but VLAN 99 traffic is failing. The trunk allowed list includes VLAN 99 on both sides. Which statement best explains why a VLAN can still fail even when it is allowed?

A.Because the VLAN may still be absent, inactive, or otherwise not operational locally even if it is allowed on the trunk
B.Because allowing a VLAN on a trunk automatically disables it
C.Because VLANs can cross trunks only when PAT is enabled
D.Because VLAN 99 must always be the native VLAN
AnswerA

This is correct because an allowed-list entry alone does not guarantee that the VLAN exists and operates correctly end to end.

Why this answer

A VLAN can still fail across a trunk even when it is allowed because the allowed list is only one part of the overall design. In plain language, a switch may permit the VLAN on the link, but if the VLAN does not actually exist locally, is not active, or if some other trunk characteristic is inconsistent, traffic can still fail. This is an important CCNA troubleshooting principle: one correct line of configuration does not guarantee the full end-to-end condition is correct.

Candidates often stop at the allowed VLAN list because it is visible in common show commands. However, VLAN presence, local status, and other trunk parameters still matter. The best answer is the one recognizing that permission on the trunk does not automatically prove the entire VLAN path is healthy.

Exam trap

A common exam trap is assuming that simply including VLAN 99 in the trunk allowed list guarantees that VLAN 99 traffic will pass. Many candidates stop troubleshooting once they see the VLAN is allowed on the trunk, neglecting to verify if VLAN 99 is actually created and active on each switch. This mistake leads to incorrect conclusions, as the allowed list only controls trunk forwarding permissions, not VLAN existence or operational status.

The exam tests your understanding that VLAN configuration and status are equally critical for successful VLAN traffic flow.

Why the other options are wrong

B

Incorrect. Allowing a VLAN on a trunk does not disable it; this option contradicts how VLANs and trunks operate in Cisco switches.

C

Incorrect. Port Address Translation (PAT) is unrelated to VLAN trunking. VLANs do not require PAT to cross trunks.

D

Incorrect. VLAN 99 does not have to be the native VLAN to function on a trunk. The native VLAN is independent of VLAN allowance and operation.

1385
PBQhard

You are connected to a multilayer switch MLS1. Configure a static default route for IPv4 that points to next-hop 192.0.2.2, but also configure a floating static default route with an administrative distance of 10 that uses next-hop 198.51.100.2. Additionally, configure a static host route for IPv6 host 2001:db8:1::10/128 via next-hop 2001:db8:1::1. The current configuration has a recursive routing failure for the IPv4 default route because the next-hop 192.0.2.2 is not reachable; you must first fix that by adding a directly connected static route. Ensure the floating route becomes active only when the primary route fails.

Network Topology
192.0.2.2/30G0/0SiMLS1R2

Hints

  • The default route fails because the next-hop is not directly connected and there is no route to reach it.
  • You need a static route to the network containing 192.0.2.2, specifying the outgoing interface.
  • Use the command 'ip route 192.0.2.0 255.255.255.252 GigabitEthernet0/0 192.0.2.2' to fix recursive routing.
A.ip route 0.0.0.0 0.0.0.0 192.0.2.2 ip route 0.0.0.0 0.0.0.0 198.51.100.2 10 ip route 192.0.2.0 255.255.255.252 GigabitEthernet0/0 192.0.2.2 ipv6 route 2001:db8:1::10/128 2001:db8:1::1
B.ip route 0.0.0.0 0.0.0.0 192.0.2.2 ip route 0.0.0.0 0.0.0.0 198.51.100.2 10 ip route 192.0.2.0 255.255.255.0 GigabitEthernet0/0 ipv6 route 2001:db8:1::10/128 2001:db8:1::1
C.ip route 0.0.0.0 0.0.0.0 192.0.2.2 ip route 0.0.0.0 0.0.0.0 198.51.100.2 10 ip route 192.0.2.2 255.255.255.255 GigabitEthernet0/0 ipv6 route 2001:db8:1::10/128 2001:db8:1::1
D.ip route 0.0.0.0 0.0.0.0 192.0.2.2 ip route 0.0.0.0 0.0.0.0 198.51.100.2 10 ip route 192.0.2.0 255.255.255.252 198.51.100.2 ipv6 route 2001:db8:1::10/128 2001:db8:1::1
AnswerA
solution
! MLS1
configure terminal
ip route 192.0.2.0 255.255.255.252 GigabitEthernet0/0 192.0.2.2

Why this answer

The IPv4 primary default route fails because next-hop 192.0.2.2 is not directly connected and no recursive route exists to it. The floating static route with next-hop 198.51.100.2 is in the directly connected Vlan20 subnet (198.51.100.1/30), so it installs without issue. To fix the primary default route, add a directly connected static route for the network containing 192.0.2.2, e.g., ip route 192.0.2.0 255.255.255.252 GigabitEthernet0/0 192.0.2.2.

The IPv6 host route is correct if next-hop 2001:db8:1::1 is reachable.

Exam trap

Be careful with recursive routing failures: a static route with a next-hop that is not directly connected requires a route to that next-hop in the routing table. Always ensure the next-hop is reachable, either by a directly connected route or another static/dynamic route. Also, remember that a floating static route uses a higher administrative distance than the primary route, so it only becomes active when the primary route is removed.

Why the other options are wrong

B

The specific factual error is using an incorrect subnet mask and omitting the next-hop IP in the directly connected static route. The mask should match the point-to-point link (typically /30 or /31), and the next-hop must be specified to ensure the route is directly connected.

C

The specific factual error is using a /32 mask instead of the subnet mask of the link. A /32 route to the next-hop IP is a valid workaround but is not the standard practice; the question expects a directly connected route to the network containing the next-hop, not a host route.

D

The specific factual error is using the floating route's next-hop as the next-hop for the directly connected route. The directly connected route must be to the network containing 192.0.2.2, not to the backup next-hop.

1386
MCQhard

An administrator wants to permit HTTP and HTTPS from 10.1.10.0/24 to a web server at 198.51.100.20 and deny everything else from that subnet. Which ACL type is required?

A.Named standard ACL
B.Extended ACL
C.Prefix list
D.MAC access-list
AnswerB

Correct choice.

Why this answer

A standard ACL can match only the source address. To permit specific protocols and ports such as TCP 80 and 443 to a specific destination, the administrator must use an extended ACL.

Exam trap

A frequent exam trap is selecting a standard ACL when the question requires filtering by both source and destination IP addresses plus specific protocols or ports. Standard ACLs only filter by source IP, so they cannot distinguish HTTP or HTTPS traffic to a particular destination. Another trap is confusing prefix lists or MAC access-lists as suitable options; prefix lists filter routes, not traffic by port, and MAC access-lists filter Layer 2 addresses, not Layer 3 or 4 information.

Misunderstanding these differences leads to incorrect ACL type selection and exam failure.

Why the other options are wrong

A

Named standard ACLs filter traffic only by source IP address and cannot filter by destination IP or specific TCP ports like 80 or 443, making them unsuitable for permitting HTTP and HTTPS to a specific server.

C

Prefix lists are used to filter routes based on IP prefixes in routing protocols and cannot filter traffic by protocol or port, so they cannot meet the requirement to permit HTTP and HTTPS traffic specifically.

D

MAC access-lists filter traffic based on Layer 2 MAC addresses and cannot filter by Layer 3 IP addresses or Layer 4 ports, so they cannot selectively permit HTTP and HTTPS traffic to a specific IP address.

1387
PBQhard

You are connected to R1. Configure R1 as a DHCP server for VLAN 20 clients (192.168.20.0/24) with DNS server 203.0.113.10 and default gateway 192.168.20.1. On switch SW1, enable DHCP snooping globally and on VLAN 20, configure the uplink to R1 as trusted, and ensure that the DHCP server is reachable via ip helper-address on the VLAN 20 SVI. Currently, clients are not receiving IP addresses because of misconfigurations: the excluded-address range on R1 is too large (excluding the entire subnet), the helper-address on SW1 points to a wrong IP (192.0.2.99), and a rogue DHCP server is connected to port Fa0/3 on SW1. Fix all issues so that clients can get addresses securely.

Hints

  • The excluded-address range is too broad; narrow it to only the gateway and a small reserved range.
  • The helper-address must point to the DHCP server's IP, which is on a different subnet.
  • DHCP snooping must be enabled globally and per VLAN, and the port connecting to the legitimate DHCP server must be trusted.
A.On R1, change the excluded-address range to 192.168.20.1 192.168.20.1; on SW1, configure ip helper-address 10.0.0.1 under interface Vlan20; enable DHCP snooping globally and on VLAN 20, and configure the uplink to R1 as trusted.
B.On R1, remove the excluded-address range entirely; on SW1, configure ip helper-address 192.168.20.1 under interface Vlan20; enable DHCP snooping globally and on VLAN 20, and configure the uplink to R1 as trusted.
C.On R1, change the excluded-address range to 192.168.20.1 192.168.20.254; on SW1, configure ip helper-address 192.0.2.99 under interface Vlan20; enable DHCP snooping globally and on VLAN 20, and configure the uplink to R1 as trusted.
D.On R1, change the excluded-address range to 192.168.20.1 192.168.20.1; on SW1, configure ip helper-address 10.0.0.1 under interface Vlan20; enable DHCP snooping globally and on VLAN 20, but do not configure any trusted ports.
AnswerA
solution
! R1
no ip dhcp excluded-address 192.168.20.0 192.168.20.255
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.20.2 192.168.20.10

! SW1
ip dhcp snooping
ip dhcp snooping vlan 20
interface FastEthernet0/1
ip dhcp snooping trust
exit
interface Vlan20
no ip helper-address 192.0.2.99
ip helper-address 10.0.0.1

Why this answer

The DHCP server had an excluded-address range covering the entire subnet (192.168.20.0–255), which prevented any IP from being assigned. Fix: change the excluded range to only include the gateway (192.168.20.1) and optionally other reserved addresses. The helper-address on SW1 pointed to 192.0.2.99 (nonexistent) instead of the DHCP server at 10.0.0.1; correct it.

DHCP snooping was disabled; enable it globally and on VLAN 20, then configure the uplink to R1 (port connecting to R1) as trusted and the port connecting the rogue server (Fa0/3) as untrusted (or simply leave it untrusted by default, but the rogue server will be blocked).

Exam trap

A common trap is forgetting that the excluded-address range should only reserve specific addresses, not the whole subnet. Another trap is confusing the helper-address with the default gateway or leaving the incorrect IP. Also, many candidates enable DHCP snooping but forget to configure the trusted port, which breaks legitimate DHCP traffic.

Why the other options are wrong

B

The helper-address must point to the DHCP server, not the default gateway. The excluded-address range should include the gateway to prevent conflicts.

C

The excluded-address range must be limited to reserved addresses only, not the entire usable range. The helper-address must be corrected to 10.0.0.1.

D

DHCP snooping requires the port connected to the legitimate DHCP server to be explicitly trusted; otherwise, all DHCP server messages are discarded.

1388
MCQhard

A host is configured as 172.16.20.190/26. Which range contains the usable host addresses for that subnet?

A.172.16.20.129 to 172.16.20.190
B.172.16.20.128 to 172.16.20.191
C.172.16.20.130 to 172.16.20.191
D.172.16.20.193 to 172.16.20.254
AnswerA

This is correct because .128 is the network and .191 is the broadcast.

Why this answer

A /26 uses blocks of 64 addresses. In practical terms, the fourth-octet ranges are 0–63, 64–127, 128–191, and 192–255. Since 190 falls inside the 128–191 block, the network address is .128 and the broadcast address is .191. That leaves .129 through .190 as the usable range.

This is a strong test of whether you can identify the correct block and then exclude the reserved boundary addresses correctly.

Exam trap

A frequent exam trap is selecting an answer range that includes the network or broadcast address as usable hosts. For example, option B lists 172.16.20.128 to 172.16.20.191, which incorrectly includes the network (.128) and broadcast (.191) addresses. These addresses are reserved and cannot be assigned to hosts.

Another trap is excluding valid host addresses or including addresses from adjacent subnets, as seen in options C and D. Misidentifying subnet boundaries or forgetting to exclude reserved addresses causes these errors, leading to incorrect subnetting answers.

Why the other options are wrong

B

Option B incorrectly includes the network address (172.16.20.128) and broadcast address (172.16.20.191) as usable hosts, which are reserved and cannot be assigned to devices, making this option invalid.

C

Option C excludes the first usable host address (172.16.20.129) and incorrectly includes the broadcast address (172.16.20.191), which is not assignable to hosts, thus making it an incorrect range.

D

Option D lists a range starting at 172.16.20.193, which belongs to the next subnet block (192–255) and does not include the IP 172.16.20.190, so it is unrelated and incorrect for this question.

1389
PBQhard

You are connected to SW1. The network has three switches (SW1, SW2, SW3) running Rapid-PVST+. SW1 should be the root bridge for VLAN 10. PortFast and BPDU Guard must be enabled on all edge ports connected to end hosts. An err-disabled port (G0/1) has occurred due to a BPDU violation on an edge port. Recover the port and ensure it is configured correctly to prevent recurrence.

Network Topology
Gi0/0Gi0/0Gi0/2Gi0/0Gi0/1SW1SW2SW3Host

Hints

  • The port is in err-disabled state. You need to manually recover it by cycling the interface.
  • After recovery, verify the port is forwarding and still has PortFast and BPDU Guard enabled.
  • If the err-disabled condition recurs, the connected device may be sending BPDUs; consider removing BPDU Guard from that port if it is not truly an edge port.
A.Enter interface configuration mode for Gi0/1, issue 'shutdown' followed by 'no shutdown', then configure 'spanning-tree bpduguard disable' on the interface.
B.Enter interface configuration mode for Gi0/1, issue 'shutdown' followed by 'no shutdown', then configure 'spanning-tree portfast' and 'spanning-tree bpduguard enable' on the interface.
C.Enter interface configuration mode for Gi0/1, issue 'shutdown' followed by 'no shutdown', then configure 'spanning-tree guard root' on the interface.
D.Enter interface configuration mode for Gi0/1, issue 'shutdown' followed by 'no shutdown', then verify that the connected device is not a switch or remove it from the network.
AnswerD
solution
! SW1
configure terminal
interface gigabitEthernet 0/1
shutdown
no shutdown
end

Why this answer

The port Gi0/1 is in err-disabled state because BPDU Guard disabled it after receiving a BPDU on a PortFast edge port. First, shut down the interface and then re-enable it with 'no shutdown' to recover from err-disabled. However, to prevent recurrence, the root cause must be addressed: the connected device (likely another switch) should not be sending BPDUs on an edge port.

Optionally, you can disable BPDU Guard on that specific port if it is not truly an edge port, but the task requires PortFast and BPDU Guard on edge ports. The correct fix is to ensure no BPDUs are sent from the downstream device or use 'spanning-tree bpduguard disable' on that port if it is not an edge port (but the task mandates BPDU Guard). Since the scenario requires BPDU Guard, the candidate should recover the port and then verify that the connected device is not a switch (or remove it from the topology).

Exam trap

The exam trap is that candidates may focus on recovering the port (shutdown/no shutdown) but forget to address why the BPDU was received. Simply re-enabling BPDU Guard or reapplying PortFast will not prevent recurrence. The key is to ensure the connected device is not sending BPDUs, either by removing it or reclassifying the port.

Why the other options are wrong

A

The specific factual error is that BPDU Guard should not be disabled on a port that is supposed to be an edge port with BPDU Guard enabled.

B

The specific factual error is that simply re-enabling the same features does not prevent recurrence; the source of BPDUs must be removed or the port must be reconfigured as a non-edge port.

C

The specific factual error is that Root Guard and BPDU Guard serve different purposes; Root Guard does not stop BPDU Guard from disabling the port.

1390
PBQhard

You are connected to R1, a multilayer switch acting as a DNS client for internal name resolution. The network uses a private DNS server at 192.168.1.100. Users report that resolving the hostname 'server01.courseiva.local' fails intermittently. Diagnose and fix the DNS resolution issue by examining the current configuration and using appropriate show commands to verify.

Network Topology
192.168.1.100/24switchR1DNS Server

Hints

  • Check if the DNS server IP is actually present in the running config under 'ip name-server'.
  • Use 'show ip dns' to see if any name servers are configured.
  • The configuration may appear in the running config but not be active due to a missing 'ip name-server' command in the correct order.
A.Re-enter the 'ip name-server 192.168.1.100' command and verify with 'show ip dns'.
B.Configure 'ip domain lookup' to enable DNS resolution on the switch.
C.Change the 'ip domain name' to 'courseiva.local' to match the hostname being resolved.
D.Use 'debug ip dns' to monitor DNS queries and identify the problem.
AnswerA
solution
! R1
configure terminal
ip name-server 192.168.1.100
end
nslookup server01.courseiva.local

Why this answer

The 'ip name-server' command was missing from the configuration, causing the switch to use broadcast DNS queries (to 255.255.255.255) instead of a specific server. Broadcast queries may occasionally succeed if a DNS server on the network answers them, producing the reported intermittent failures. Re-entering the 'ip name-server 192.168.1.100' command forces directed queries, ensuring reliable resolution.

After configuration, a 'ping server01.courseiva.local' will trigger DNS and confirm success if the server is reachable.

Exam trap

Do not confuse 'ip domain lookup' (enables DNS client) with 'ip name-server' (specifies DNS server). A common trap is to assume that enabling DNS lookup is sufficient, but without a configured name-server, the device will use broadcast queries, which often fail in real networks.

Why the other options are wrong

B

The specific factual error is that 'ip domain lookup' enables DNS client functionality but does not specify which DNS server to use. The command is already present, so reconfiguring it does not fix the missing server IP.

C

The specific factual error is that the domain name is already configured correctly; changing it would not address the empty name-server list.

D

The specific factual error is that debugging is a diagnostic tool, not a corrective action. The question asks to 'fix' the issue, not just diagnose it.

1391
Drag & Dropmedium

Drag and drop the following steps into the correct order to interpret packet capture output for L2/L3 troubleshooting.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
6Step 6

Why this order

The correct sequence follows a bottom-up troubleshooting approach, starting at the data link layer and progressing to the transport layer. Verifying MAC addresses first confirms that Layer 2 framing and delivery are working. Checking ARP ensures that IP-to-MAC resolution is successful, which is a prerequisite for Layer 3 communication.

Analyzing IP headers validates network-layer addressing and routing. ICMP error messages often indicate specific routing or reachability problems. Finally, inspecting transport-layer details (ports, flags, and session states) provides insight into application connectivity without being misled by lower-layer issues.

1392
Multi-Selectmedium

Which three statements accurately describe the role of Cisco's AI-powered security features (such as Cisco AI Network Analytics, Stealthwatch, or DNA Center's AI-Enhanced Analytics) in network security operations? (Choose three.)

Select 3 answers
.AI models can detect zero-day exploits by analyzing behavioral anomalies
.AI-powered systems can correlate logs from multiple sources to identify complex attack chains
.AI can automate the response to certain security incidents, such as blocking malicious IPs
.AI is only effective against known, signature-based threats
.AI eliminates the need for firewall rules and access control lists
.AI security models require no human oversight once deployed

Why this answer

Cisco's AI-powered security features detect zero-day exploits by analyzing behavioral anomalies and deviations from learned baselines, without relying on signatures. These systems correlate logs from multiple Cisco products (e.g., firewalls, endpoints, cloud) to uncover multi-step attack chains. AI can also automate responses such as blocking malicious IPs via Cisco security controls, reducing mean time to respond (MTTR).

However, AI complements but does not replace traditional security tools like firewall rules or ACLs, and it requires ongoing human oversight for validation and tuning.

Exam trap

Cisco often tests the misconception that AI is only for signature-based detection or that it fully replaces traditional security controls, when in reality AI complements existing tools and still requires human oversight.

1393
MCQhard

A router has the following routes in its routing table: a static route to 10.60.4.16/28, an OSPF route to 10.60.4.0/24, and an EIGRP route to 10.60.0.0/16. Which route will be used for a packet destined to 10.60.4.17?

A.The static route to 10.60.4.16/28
B.The OSPF route to 10.60.4.0/24
C.The EIGRP route to 10.60.0.0/16
D.No route at all
AnswerA

This is correct because the destination falls inside the more specific /28 prefix.

Why this answer

The route used will be the route with the longest matching prefix. In practical terms, 10.60.4.17 falls inside the /28 route shown, and that is more specific than the broader /24 and /16 alternatives. Because specificity comes first, the /28 route wins.

This is a clean route-table interpretation problem that mirrors actual exam-style thinking very closely.

Exam trap

Remember, the longest prefix match rule is crucial; don't assume broader prefixes are better.

Why the other options are wrong

B

This option is wrong because the OSPF route to 10.60.4.0/24 does not directly match the destination 10.60.4.17, which falls under the static route to 10.60.4.16/28. OSPF would not be preferred if a more specific static route exists.

C

The EIGRP route to 10.60.0.0/16 is not used for the destination 10.60.4.17 because it does not match the more specific subnet of 10.60.4.16/28, which is preferred in routing decisions.

D

This option is wrong because there is a valid static route to the destination 10.60.4.17 via the static route to 10.60.4.16/28, making it reachable. Therefore, stating 'no route at all' is incorrect in this context.

1394
MCQmedium

A network operations team is implementing an automated system to detect and remediate interface flapping on core switches. The system must be able to query the network device for interface status and execute commands to disable or reconfigure the interface if a pattern of flapping is detected. Which protocol or technology enables the system to programmatically interact with the network device for both monitoring and configuration changes?

A.SNMP
B.NETCONF
C.CLI scripting
D.Syslog
AnswerB

NETCONF is a network management protocol that provides mechanisms to install, manipulate, and delete configuration of network devices using structured XML, making it ideal for automated remediation tasks.

Why this answer

NETCONF is the correct choice because it is a standardized network configuration protocol that allows automated systems to retrieve operational data and push configuration changes securely. In this scenario, the system would use NETCONF to query interface status and then apply remediation configurations. SNMP can monitor but has limited configuration capabilities, CLI scripting is non-programmatic and error-prone, and Syslog is only for logging.

Exam trap

Many candidates confuse SNMP with configuration protocols, but SNMP is not designed for robust configuration management; NETCONF and RESTCONF are the modern programmatic interfaces emphasized in CCNA automation topics.

Why the other options are wrong

A

SNMP is limited to monitoring and basic sets, not suited for complex remediation workflows.

C

CLI scripting lacks structured programmability and is error-prone for automation.

D

Syslog is a logging protocol and cannot be used to push configuration changes.

1395
PBQhard

You are connected to R1 via console. R1 is a Cisco ISR 4321 running IOS-XE 17.3. The initial configuration on R1 already includes the SNMPv2c community string 'CourseivaRO' with read-only access and a corresponding SNMPv2c trap host for 192.0.2.100 (these are already in place and do not need to be reconfigured). Your task is to add the following additional configurations: (a) [already configured] (b) Create an SNMPv3 user 'monitor' with SHA authentication and AES 128-bit encryption, using authentication password 'AuthPass123' and privacy password 'PrivPass456'; (c) Configure SNMP traps (linkUp, linkDown, authenticationFailure) to be sent to the NMS server at 192.0.2.100 using SNMPv3 with only authentication (no privacy). (d) Enable NetFlow on GigabitEthernet0/0/0, with flow export to collector 203.0.113.50 using UDP port 2055, NetFlow version 9, and set the source interface to Loopback0 (IP 10.0.0.1/32). Finally, verify your configuration with show snmp and show ip cache flow.

Network Topology
G0/0192.168.1.1/30192.0.2.100InternetR1NMS

Hints

  • The SNMPv3 user must be configured before the trap host for v3, and the user must reference the v3 group (use the community string as the group name).
  • NetFlow requires both global export parameters and interface-level ip flow ingress (or egress) command.
  • Use 'show run | section snmp' to verify SNMP configs and 'show run | include flow' for NetFlow.
A.snmp-server user monitor CourseivaRO v3 auth sha AuthPass123 priv aes 128 PrivPass456 snmp-server host 192.0.2.100 version 3 auth monitor interface GigabitEthernet0/0/0 ip flow ingress ip flow-export destination 203.0.113.50 2055 ip flow-export source Loopback0 ip flow-export version 9
B.snmp-server user monitor CourseivaRO v3 auth md5 AuthPass123 priv des56 PrivPass456 snmp-server host 192.0.2.100 version 3 priv monitor interface GigabitEthernet0/0/0 ip flow egress ip flow-export destination 203.0.113.50 2055 ip flow-export source Loopback0 ip flow-export version 5
C.snmp-server user monitor CourseivaRO v3 auth sha AuthPass123 priv aes 128 PrivPass456 snmp-server host 192.0.2.100 version 3 priv monitor interface GigabitEthernet0/0/0 ip flow ingress ip flow-export destination 203.0.113.50 2055 ip flow-export source Loopback0 ip flow-export version 9
D.snmp-server user monitor CourseivaRO v3 auth sha AuthPass123 priv aes 128 PrivPass456 snmp-server host 192.0.2.100 version 3 auth monitor interface GigabitEthernet0/0/0 ip flow ingress ip flow-export destination 203.0.113.50 2055 ip flow-export source Loopback0 ip flow-export version 5
AnswerA
solution
! R1
snmp-server user monitor CourseivaRO v3 auth sha AuthPass123 priv aes 128 PrivPass456
snmp-server host 192.0.2.100 version 3 auth monitor
ip flow-export destination 203.0.113.50 2055
ip flow-export source loopback0
ip flow-export version 9
interface GigabitEthernet0/0/0
ip flow ingress

Why this answer

Option A is correct because it uses the correct SNMPv3 user creation with SHA and AES 128, and the trap host command specifies 'auth' (authentication only) as required by the updated stem. Option B is wrong because it uses MD5/DES and egress flow, and version 5. Option C is wrong because it uses 'priv' for traps, which would include encryption – the stem requires only authentication.

Option D is wrong because it uses version 5 for NetFlow and B also uses incorrect auth/priv algorithms.

Exam trap

Pay close attention to the exact security level for traps: 'auth' means authentication only, while 'priv' includes encryption. Also, ensure NetFlow is enabled on the correct direction (ingress) and that the version is explicitly set to 9. Do not assume default values.

Why the other options are wrong

B

The specific factual errors: MD5 and DES are not the required algorithms; 'priv' level requires encryption but the question specifies 'auth' level; NetFlow egress is not the default and not requested; version 5 is not version 9.

C

The specific factual error: The trap host command specifies 'priv' security level, which requires the user to have a privacy password and sends encrypted traps, but the requirement is for 'auth' only.

D

The specific factual error: NetFlow version 5 is an older version that does not support templates and is not the required version 9.

1396
MCQhard

A switch port connected to a user PC is configured as a trunk. The PC cannot communicate normally. What is the best explanation?

A.The port role is wrong because a normal PC-facing switchport should usually be an access port, not a trunk
B.A user PC requires EtherChannel to function
C.Trunk mode disables MAC address learning automatically
D.Trunk mode forces the switch to stop using IP addressing
AnswerA

This is correct because a standard PC is normally connected to an access port in one VLAN.

Why this answer

The best explanation is that the port role is wrong: a PC-facing port should be an access port, not a trunk, because PCs normally send untagged frames and cannot process VLAN tags. Option B is incorrect because EtherChannel is used for link aggregation, not required for a single PC. Option C is wrong because trunk mode does not disable MAC address learning.

Option D is irrelevant, as switches do not stop using IP addressing in trunk mode.

Exam trap

Be careful not to confuse physical link issues with logical configuration mismatches. A trunk port on a user PC is a logical mismatch, not a hardware failure.

Why the other options are wrong

B

A user PC does not require EtherChannel to function; EtherChannel is a method for bundling multiple physical links into a single logical link, which is not necessary for standard PC connectivity.

C

Trunk mode does not disable MAC address learning; it actually allows the switch to learn MAC addresses from multiple VLANs. Therefore, a switch port configured as a trunk can still learn MAC addresses normally.

D

Trunk mode does not disable IP addressing; it allows multiple VLANs to be carried over a single link, and IP addressing is still applicable to the switch interfaces. Therefore, the user PC's inability to communicate is not due to trunk mode disabling IP addressing.

1397
MCQhard

A host is assigned 192.168.10.33/28. Which subnet contains that host?

A.192.168.10.16/28
B.192.168.10.32/28
C.192.168.10.48/28
D.192.168.10.0/28
AnswerB

This is correct because 33 falls within the 32 through 47 range.

Why this answer

A /28 subnet uses blocks of 16 addresses. In plain language, the last octet ranges move in increments of 16: 0–15, 16–31, 32–47, 48–63, and so on. Since the host address ends in 33, it belongs to the 32–47 block. That means the containing subnet is 192.168.10.32/28.

This style of subnetting question is common because it tests whether you can identify the correct network boundary quickly. The key is to recognize the block size from the prefix and then place the address inside the correct interval without confusing the host with the network address.

Exam trap

Be careful not to confuse the host address with the network address or miscalculate the subnet boundaries.

Why the other options are wrong

A

Option A (192.168.10.16/28) is incorrect because it represents a different subnet, specifically the range 192.168.10.16 to 192.168.10.31, which does not include the host 192.168.10.33.

C

Option C is wrong because the host IP 192.168.10.33/28 falls within the subnet range of 192.168.10.32 to 192.168.10.47, making 192.168.10.48/28 an entirely different subnet that does not include the host.

D

Option D (192.168.10.0/28) is incorrect because it represents a different subnet than the one containing the host 192.168.10.33. The subnet for 192.168.10.33/28 is 192.168.10.32/28, which includes IPs from 192.168.10.32 to 192.168.10.47.

1398
PBQmedium

You are connected to R1 via the console. R1's GigabitEthernet0/0 (10.0.0.1/30) connects to R2 (10.0.0.2/30). Hosts on the LAN (192.168.1.0/24) need DHCP services. The DHCP server is located at 172.16.1.100 on a different subnet reachable via R2. Configure R1 to forward DHCP broadcasts to the DHCP server.

Network Topology
G0/1192.168.1.1/24G0/010.0.0.1/3010.0.0.2/30link10.0.0.2/30PCsLANR1R2DHCP server

Hints

  • The ip helper-address command is used to forward DHCP broadcasts.
  • Apply it on the interface facing the DHCP clients.
A.ip helper-address 172.16.1.100
B.ip dhcp relay information option
C.ip forward-protocol udp 67
D.ip dhcp-server 172.16.1.100
AnswerA
solution
! R1
interface GigabitEthernet0/1
ip helper-address 172.16.1.100

Why this answer

The ip helper-address command on the LAN interface forwards DHCP broadcast requests to the DHCP server at 172.16.1.100, allowing clients to obtain IP addresses across subnets.

Exam trap

Do not confuse the ip helper-address command with other DHCP-related commands like ip dhcp relay information option or ip forward-protocol. The key is to remember that ip helper-address is the command that actually forwards broadcasts to a specific server.

Why the other options are wrong

B

It is a supporting feature for relay agents, not the primary command to forward DHCP broadcasts.

C

It is a prerequisite but not sufficient; the ip helper-address is still needed to direct the traffic.

D

The command does not exist; it is a fabrication.

1399
MCQhard

An operations team wants a monitoring platform to periodically read interface counters and CPU statistics from routers. Which technology is most closely associated with that requirement?

A.SNMP
B.Syslog
C.NetFlow
D.Port security
AnswerA

This is correct because SNMP is commonly used for polling counters, status, and device statistics.

Why this answer

SNMP is the best fit for that requirement. In practical terms, periodic reading of counters and statistics is polling-style monitoring, which is one of the classic SNMP use cases. A management system can query devices for interface status, utilization data, and other measurable values over time.

This is different from Syslog, which is event-message oriented, and from NetFlow, which focuses on traffic-flow visibility rather than general device statistics. The question is really about routine monitoring and polling.

Exam trap

A common exam trap is selecting Syslog or NetFlow as the answer because they are also monitoring-related technologies. Syslog is tempting because it deals with messages from devices, but it only reports events and logs rather than polling counters periodically. NetFlow is often confused with SNMP because it provides traffic visibility, but it focuses on flow data, not general device statistics like CPU or interface counters.

Another trap is port security, which is unrelated to monitoring and instead controls MAC address access on switch ports. Recognizing that SNMP uniquely supports periodic polling of device metrics helps avoid these mistakes.

Why the other options are wrong

B

Syslog is incorrect because it focuses on logging event messages and alerts rather than routinely polling device counters or CPU statistics, so it does not meet the periodic monitoring requirement.

C

NetFlow is incorrect because it provides detailed traffic flow analysis and visibility but does not poll general device statistics like CPU usage or interface counters, which are needed here.

D

Port security is incorrect because it is a Layer 2 feature that restricts MAC addresses on switch ports and does not provide any monitoring or polling capabilities for device statistics.

1400
PBQhard

You are connected to R1. The network team reports intermittent connectivity between R1 and R2. Examine the following `show interface` output from R1 to identify the root cause of the issue. Then apply the necessary configuration commands on R1 to resolve the problem. GigabitEthernet0/0 is up, line protocol is up Internet address is 10.0.0.1/30 MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 100Mb/s, media type is RJ45 output flow-control is unsupported, input flow-control is unsupported Last input 00:00:01, output 00:00:01, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 100 packets input, 8000 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 100 input errors, 100 CRC, 0 frame, 0 overrun, 0 ignored 0 output errors, 0 collisions, 0 interface resets 0 output buffer failures, 0 output buffers swapped out

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/30linkR1R2

Hints

  • CRC errors often indicate a duplex mismatch or faulty cabling.
  • Check if the interface has manual speed/duplex settings that may conflict with the remote device.
  • The remote device likely uses auto-negotiation; match its settings.
A.Enter interface configuration mode for the problematic interface and issue the 'no speed' and 'no duplex' commands to revert to auto-negotiation.
B.Enter interface configuration mode and issue the 'speed 100' and 'duplex full' commands to ensure both sides are set to the same values.
C.Enter interface configuration mode and issue the 'no shutdown' command to bring the interface up.
D.Enter interface configuration mode and issue the 'duplex half' command to match the remote side's duplex setting.
AnswerA
solution
! R1
configure terminal
interface GigabitEthernet0/0
no speed
no duplex
end

Why this answer

The show interface output reveals 100 CRC errors and 100 input errors, indicating a physical layer problem. Additionally, the interface is manually configured for full-duplex and 100 Mb/s. CRC errors often point to a duplex mismatch or faulty cable.

Since R1 is set to full-duplex, if R2 is set to auto-negotiation (or half-duplex), a mismatch occurs. The fix is to set both sides to auto-negotiation by removing manual speed and duplex settings. On R1, enter interface configuration mode and issue 'no speed' and 'no duplex' to revert to auto-negotiation, then verify with 'show interfaces' that the interface negotiates to full-duplex and errors stop incrementing.

Exam trap

Do not assume that manually setting speed and duplex is always correct. CRC errors often point to a duplex mismatch, and the standard fix is to enable auto-negotiation on both ends. Also, remember that 'no shutdown' is for administratively down interfaces, not for error conditions.

Why the other options are wrong

B

The specific factual error is that reapplying the same manual settings does not resolve a duplex mismatch; it may even perpetuate the mismatch if the remote side is set to auto-negotiation.

C

The specific factual error is that 'no shutdown' is used to enable an interface that is administratively down, but the interface is already up.

D

The specific factual error is that forcing half-duplex is unlikely to resolve the issue; it may worsen performance and still cause errors if the remote side is full-duplex.

1401
MCQhard

A network technician is troubleshooting a router that cannot be accessed via SSH. The router responds to Telnet but SSH attempts return 'connection refused'. The technician confirmed that 'ip ssh version 2' is configured and 'show ip ssh' indicates SSH is enabled. The output of 'show line vty 0 4' shows 'transport input telnet'. What should the technician do next?

A.Generate a new RSA key pair and restart the SSH service.
B.Add the 'transport input ssh' command to the VTY lines.
C.Configure 'ip ssh version 1' to enable backward compatibility.
D.Configure AAA authentication on the VTY lines.
AnswerB

The show line vty output indicates only Telnet is permitted. Adding 'transport input ssh' (or 'transport input all') modifies the VTY configuration to accept both Telnet and SSH, directly fixing the protocol restriction causing the connection refused.

Why this answer

The VTY lines are configured with 'transport input telnet', which explicitly allows only Telnet sessions. SSH is enabled globally, but because it is not listed in the VTY transport input, the router rejects SSH connection attempts. Adding 'transport input ssh' (or 'transport input all') under the VTY lines permits SSH connections without disrupting Telnet, solving the mismatch at the application layer.

Exam trap

Generating a new RSA key pair is a common but incorrect next step because SSH is already enabled and operational; the 'connection refused' message stems from the VTY transport configuration, not from missing or corrupted keys.

Why the other options are wrong

A

Administrators often mistake 'connection refused' for a key issue, but the VTY lines restrict the allowed protocols, not the validity of the keys.

C

Candidates may think a version mismatch causes the refusal, but the VTY transport setting is the actual filter; downgrading security is unnecessary and ineffective.

D

Some technicians equate 'connection refused' with authentication failure and jump to AAA, but in this case the VTY lines never allow the SSH session to reach the authentication stage.

1402
PBQhard

You are connected to R1 via the console. R1 is a router acting as an NTP client to an external NTP server at 203.0.113.10. The NTP source interface must be Loopback0 (192.0.2.1/32). Additionally, configure R1 to send syslog messages of severity 'critical' and higher to a syslog server at 198.51.100.50. Currently, R1 shows 'Clock is unsynchronized, stratum 16'. Verify that NTP synchronizes and that only critical syslog messages are sent. The existing running configuration already has some NTP and syslog commands that need correction.

Network Topology
203.0.113.10198.51.100.50NetworkR1NTP ServerSyslog Server

Hints

  • The NTP source interface is not set; the router may be using an unreachable interface.
  • Check the logging trap level; it is currently set to 'debugging', which sends all messages.
  • Use 'ntp source' followed by the loopback interface name.
A.Configure 'ntp source Loopback0' and 'logging trap critical'
B.Configure 'ntp server 203.0.113.10 source Loopback0' and 'logging trap 2'
C.Configure 'ntp source Loopback0' and 'logging trap 7'
D.Configure 'ntp server 203.0.113.10' and 'logging host 198.51.100.50'
AnswerA
solution
! R1
ntp source Loopback0
logging trap critical

Why this answer

The NTP client was not synchronizing because the NTP source interface was not specified; the router uses the outgoing interface which may not be reachable or consistent. The 'ntp source Loopback0' command ensures NTP packets use a stable, routable IP address. For syslog, the logging trap was set to 'debugging', which sends all messages (severity 7).

The requirement is to send only 'critical' (severity 2) and higher. The command 'logging trap critical' changes the filter. After both fixes, 'show ntp status' should show synchronized, stratum <16, and 'show logging' should show 'level critical' for trap logging.

Exam trap

Be careful: NTP source interface is configured with a separate 'ntp source' command, not as a parameter of 'ntp server'. Also, remember syslog severity levels: lower numbers are more severe (0=emergency, 1=alert, 2=critical, 3=error, 4=warning, 5=notice, 6=informational, 7=debugging). 'logging trap critical' is equivalent to 'logging trap 2'.

Why the other options are wrong

B

The NTP command syntax is incorrect; 'ntp server' does not accept a 'source' parameter. The correct approach is a separate 'ntp source' command.

C

The logging trap level 7 corresponds to debugging, which is the most verbose level. The requirement is for critical (severity 2) and higher, so this would send too many messages.

D

The commands listed are already configured and do not fix the synchronization issue or the syslog filtering. The NTP source interface is missing, and the logging trap level is still debugging.

1403
Matchingmedium

Match each IP service symptom to the most likely service involved.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

DNS

DHCP

NTP

Syslog

Why these pairings

Hostnames fail but direct IP access works because DNS resolves names to IP addresses; without DNS, name resolution stops while IP connectivity remains intact. Clients not receiving IP configuration automatically indicates a DHCP failure, since DHCP is the service responsible for dynamic address assignment. Log timestamps differing noticeably between devices points to an NTP issue, as NTP synchronizes clocks across the network.

Administrators wanting one place to collect device events rely on Syslog, which centralizes event messages from multiple devices.

Exam trap

Be careful not to confuse symptoms (like packet loss, jitter) with services. The question asks for the 'service involved,' so look for a specific service name (e.g., DNS, SMTP, DHCP) rather than a general network condition.

1404
Multi-Selectmedium

Which two STP facts are correct? Choose two.

Select 2 answers
A.The root bridge is elected using the lowest bridge ID
B.STP is designed to prevent Layer 2 switching loops
C.A lower path cost makes a port less likely to become root port
D.All blocked ports are designated ports
AnswersA, B

That is how the root bridge is selected.

Why this answer

STP prevents Layer 2 loops by placing some ports into a non-forwarding role. The root bridge is chosen by the lowest bridge ID, and all ports on the root bridge itself are designated ports for their segments.

Exam trap

Be careful not to confuse root ports with designated ports, and remember that STP uses path cost, not hop count.

Why the other options are wrong

C

STP uses path cost to determine the root port, where a lower path cost is more desirable and makes a port more likely to become the root port, not less.

D

In STP, blocked ports are alternate or backup ports, not designated ports. Designated ports are in forwarding state on each segment, while blocked ports are non-designated.

1405
MCQhard

A subnet has the network address 192.168.30.0/26. What is the broadcast address?

A.192.168.30.63
B.192.168.30.64
C.192.168.30.255
D.192.168.30.31
AnswerA

This is correct because the .0/26 block ends at .63.

Why this answer

A /26 subnet contains 64 addresses. In plain language, the block that starts at 192.168.30.0 runs through 192.168.30.63. The first address is the network address and the last address is the broadcast address, so the broadcast for this subnet is 192.168.30.63.

This is a standard subnet-boundary calculation. Once the block size is identified, the broadcast address is simply the final address in that block.

Exam trap

Remember that the broadcast address is the last address in the subnet, not the first address of the next subnet or the last usable host address.

Why the other options are wrong

B

Option B is incorrect because the broadcast address for the subnet 192.168.30.0/26 is 192.168.30.63, not 192.168.30.64. The address 192.168.30.64 is actually the first address of the next subnet (192.168.30.64/26).

C

The address 192.168.30.255 is incorrect as the broadcast address for the subnet 192.168.30.0/26, which only spans IPs from 192.168.30.0 to 192.168.30.63. The broadcast address for this subnet is 192.168.30.63.

D

Option D, 192.168.30.31, is incorrect because it represents the last usable IP address in the subnet 192.168.30.0/26, not the broadcast address. The broadcast address for this subnet is 192.168.30.63.

1406
PBQhard

You are connected to SW1 via the console. The network has three switches connected in a triangle: SW1 (G0/1 to SW2 G0/1), SW1 (G0/2 to SW3 G0/1), and SW2 (G0/2 to SW3 G0/2). SW1 is the root bridge. A PC is connected to SW3's G0/3 port, which should be an edge port. However, the PC has been sending BPDUs, causing the port to go err-disabled. Configure SW3 to prevent this in the future: enable PortFast and BPDU Guard on G0/3. Then, verify that the port recovers from err-disabled state and that a specific blocked port on SW2 is identified. Use the provided show output to determine the current state and necessary commands.

Network Topology
G0/1 to SW2 G0/1G0/2 to SW3 G0/2G0/2 to SW3 G0/2G0/3 to PCSW2SW1SW3

Hints

  • The err-disabled port must be manually recovered with shutdown/no shutdown.
  • PortFast is configured at the interface level.
  • BPDU Guard is also configured at the interface level using 'spanning-tree bpduguard enable'.
A.interface g0/3 spanning-tree portfast spanning-tree bpduguard enable shutdown no shutdown
B.interface g0/3 spanning-tree portfast spanning-tree bpduguard enable no shutdown
C.interface g0/3 spanning-tree portfast spanning-tree bpduguard enable end copy running-config startup-config
D.interface g0/3 spanning-tree portfast spanning-tree bpduguard enable shutdown
AnswerA
solution
! SW3
interface GigabitEthernet0/3
spanning-tree portfast
spanning-tree bpduguard enable
shutdown
no shutdown

Why this answer

The PC connected to SW3's G0/3 was sending BPDUs, causing the port to go err-disabled due to BPDU Guard. To prevent this, enable PortFast and BPDU Guard on that interface. First, move to interface configuration mode for G0/3, then issue 'spanning-tree portfast' and 'spanning-tree bpduguard enable'.

After configuration, the port will remain err-disabled until manually recovered by issuing 'shutdown' followed by 'no shutdown'. The blocked port on SW2 is G0/2, as shown by the 'Altn BLK' role/status in its spanning-tree output.

Exam trap

A common trap is forgetting that err-disabled ports require a manual shutdown/no shutdown cycle to recover. Simply enabling BPDU Guard or saving the configuration does not restore the port. Always remember to reset the interface after correcting the cause.

Why the other options are wrong

B

The err-disabled state requires a manual interface reset (shutdown followed by no shutdown) to recover; a single 'no shutdown' command is insufficient.

C

Saving the configuration preserves the settings but does not affect the current operational state of the interface; the port stays err-disabled.

D

The shutdown command disables the interface but does not automatically re-enable it; the err-disabled state is cleared only after a shutdown/no shutdown cycle.

1407
PBQhard

You are connected to R1. Configure IPv4 and IPv6 static routes, default routes, and floating static routes so that R1 can reach the Internet via R2 (IPv4 and IPv6). The primary route to the Internet should use next-hop 203.0.113.2 (IPv4) and 2001:db8:203:0:113::2 (IPv6). A backup floating static route with administrative distance 200 must exist for IPv4 only, using next-hop 198.51.100.2. Ensure the default routes are correctly configured and troubleshoot any recursive routing failure. Note: R1 currently has an incorrect IPv6 default route pointing to 2001:db8:198:51:100::2 that must be removed.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/30linkG0/1198.51.100.1/30G0/1198.51.100.2/30linkG0/2203.0.113.1/30G0/2203.0.113.2/30linkR1R2R3R4

Hints

  • The IPv4 primary default route is missing; only the floating route exists.
  • The IPv6 default route points to the wrong next-hop (should be via 2001:db8:203:0:113::2).
  • Floating static route AD must be higher than the primary route's AD to act as backup.
A.Remove the incorrect IPv6 default route: no ipv6 route ::/0 2001:db8:198:51:100::2; configure the primary default route: ip route 0.0.0.0 0.0.0.0 203.0.113.2; the floating route is already configured with AD 200; add IPv6 default route: ipv6 route ::/0 2001:db8:203:0:113::2
B.Configure the primary default route: ip route 0.0.0.0 0.0.0.0 203.0.113.2; change the floating route AD to 1; add IPv6 default route: ipv6 route ::/0 2001:db8:203:0:113::2
C.Configure the primary default route: ip route 0.0.0.0 0.0.0.0 203.0.113.2 200; the floating route is already configured with AD 200; add IPv6 default route: ipv6 route ::/0 2001:db8:203:0:113::2
D.Configure the primary default route: ip route 0.0.0.0 0.0.0.0 203.0.113.2; the floating route is already configured with AD 200; no IPv6 route is needed because IPv6 is not required.
AnswerA
solution
! R1
ip route 0.0.0.0 0.0.0.0 203.0.113.2
ip route 0.0.0.0 0.0.0.0 198.51.100.2 200
no ipv6 route ::/0 2001:db8:198:51:100::2
ipv6 route ::/0 2001:db8:203:0:113::2

Why this answer

The IPv4 floating route is already correctly pre-configured with AD 200 to serve as a backup. To meet the requirements, you must add the primary IPv4 default route with default AD 1, remove the existing incorrect IPv6 default route, and add the correct IPv6 default route. Option A correctly identifies these steps, while other options either omit the removal, assign a wrong AD to the primary route, or neglect IPv6 entirely.

Exam trap

The trap is that candidates may think the floating route needs to be modified or that the primary route should also have a high AD. Remember: a floating static route must have a higher AD than the primary route to act as a backup. Also, do not forget IPv6 if the question specifies it.

Why the other options are wrong

B

Setting the floating route AD to 1 makes it equal to the primary route's AD, defeating the purpose of a floating static route.

C

The primary route must have a lower AD than the floating route to be preferred. Setting it to 200 makes it equal to the backup, causing ambiguity.

D

The question states 'IPv4 and IPv6 static routes, default routes' and specifies an IPv6 next-hop. Ignoring IPv6 is a direct violation of the requirements.

1408
MCQmedium

A controller-based WLAN is deployed across multiple floors. Users can associate to the SSID on both floors, but their experience improves when moving between APs compared with a poorly designed standalone deployment. Which wireless concept is most closely related to that client movement experience?

A.Roaming between access points
B.NetFlow export
C.DHCP snooping
D.Route summarization
AnswerA

This is correct because the question is about client movement between AP coverage areas.

Why this answer

The concept most closely related is roaming between access points. In practical terms, client mobility experience depends on how smoothly a device can move from one AP coverage area to another while staying on the WLAN. Controller-based designs often help manage this more consistently than fragmented independent configurations.

The key point is that the question is about movement between APs while remaining on the wireless network, not about VLAN trunks or routing protocol neighbors.

Exam trap

Be careful not to confuse network performance improvements like channel bonding with client mobility improvements like roaming.

Why the other options are wrong

B

NetFlow export is related to network traffic analysis and monitoring, not directly to client movement or experience between access points in a WLAN. It does not address the seamless connectivity aspect of roaming.

C

DHCP snooping is a security feature that helps prevent unauthorized DHCP servers from distributing IP addresses on a network. It does not directly relate to the user experience of roaming between access points in a WLAN deployment.

D

Route summarization is a technique used in routing protocols to reduce the size of routing tables by aggregating multiple routes into a single route. It does not pertain to client movement or wireless connectivity between access points.

1409
Matchingmedium

Drag and drop the routing concepts on the left to the matching descriptions on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Trustworthiness of a routing source; OSPF uses 110

Cost used by OSPF based on bandwidth

Route with the most specific subnet mask wins

Route with AD of 0, added when interface IP is configured

IP address of the next router to forward packets to

Route learned via OSPF or EIGRP

Why these pairings

Administrative distance (AD) indicates the trustworthiness of a routing source; OSPF is assigned AD 110. Metric is the cost used by OSPF, calculated based on bandwidth. Longest-prefix match selects the route with the most specific (longest) subnet mask.

Directly connected routes have an AD of 0 and are added automatically when an interface IP is configured. Next-hop is the IP address of the next router to forward packets to. Dynamic routes are learned through routing protocols like OSPF or EIGRP.

Exam trap

Be careful not to confuse administrative distance with metric: AD compares different routing protocols to determine trustworthiness, while metric compares routes within the same protocol based on cost or other criteria.

1410
MCQhard

A network administrator is troubleshooting connectivity from a PC (192.168.1.10/24) to a server at 10.0.0.5/24. The PC's default gateway is 192.168.1.1. Router R1 has a directly connected route to 10.0.0.0/24 via interface GigabitEthernet0/1, which is connected to another VLAN. The server is actually located on the 10.0.0.0/16 network, reachable via a static route through 192.168.1.2. What is the most likely cause of the connectivity issue?

A.The route to 10.0.0.0/16 has a lower administrative distance than the directly connected route.
B.The directly connected route to 10.0.0.0/24 is the most specific match but is incorrect for the destination.
C.The route to 10.0.0.0/8 has a higher metric, so it is not used.
D.The router does not have a default route, so traffic to 10.0.0.5 is dropped.
AnswerB

The longest-prefix match algorithm selects 10.0.0.0/24 over /16 or /8, but this route points to an interface that cannot reach 10.0.0.5.

Why this answer

Option B is correct because the router's routing table contains a directly connected route to 10.0.0.0/24, which is the most specific match (longest prefix) for the destination 10.0.0.5. However, if that directly connected subnet is not actually the network where the server resides (e.g., it points to a different interface or VLAN), traffic will be forwarded incorrectly. The router always prefers the most specific prefix, even if another route (like a summary) is administratively preferred or has a lower metric.

Exam trap

Cisco often tests the concept that the longest prefix match overrides administrative distance and metric, leading candidates to incorrectly assume that a lower AD or metric route will be chosen when a more specific but incorrect route exists.

Why the other options are wrong

A

You might think that OSPF routes are more reliable, but directly connected routes are always preferred regardless of AD.

C

You might confuse metric with prefix length; metric only matters when prefix lengths are equal.

D

A default route is only used when no more specific route exists; here a specific route exists.

1411
PBQhard

You are troubleshooting connectivity for a wireless client connected to the home network shown below. The client has obtained an APIPA address (169.254.x.x), indicating DHCP failure. Verify the DHCP server configuration on R1 and correct the issue so that the client receives a valid IP address from the 192.168.1.0/24 subnet.

Network Topology
G0/0192.168.1.1/24switchR1Wireless Client

Hints

  • Check if the DHCP service is enabled globally on R1.
  • APIPA addresses indicate that the client did not receive a DHCP offer.
  • The DHCP pool and interface configuration are correct; the missing piece is the global DHCP service.
A.Enable the DHCP service globally using the 'service dhcp' command on R1.
B.Remove the 'ip dhcp excluded-address 192.168.1.1 192.168.1.10' command because it excludes too many addresses.
C.Change the DHCP pool network to 192.168.1.0/24 and add the default-router 192.168.1.1 command.
D.Configure the 'ip helper-address' command on the client's VLAN interface to forward DHCP requests to the server.
AnswerA
solution
! R1
configure terminal
service dhcp
end

Why this answer

The client obtained an APIPA address (169.254.x.x) because DHCP was not assigning addresses. The DHCP pool is correctly configured, but the global DHCP service must be enabled with the 'service dhcp' command on R1. The excluded-address range (192.168.1.1–192.168.1.10) uses only a small fraction of the /24 subnet, so it is not the issue.

Enabling 'service dhcp' allows the router to process DHCP requests and assign addresses from the pool.

Exam trap

Trap: Candidates often focus on pool configuration (network, default-router, excluded-address) when troubleshooting DHCP failures, but they forget that the DHCP service must be enabled globally with 'service dhcp'. Always check if the service is running before modifying pool parameters.

Why the other options are wrong

B

The specific factual error: Excluding 10 addresses does not exhaust the pool; the pool still has 244 addresses available.

C

The specific factual error: The pool configuration is already correct; modifying it does not address the disabled DHCP service.

D

The specific factual error: 'ip helper-address' is for DHCP relay across subnets; it is not needed when the server is local.

1412
PBQhard

You are troubleshooting a link between R1 (G0/0) and R2 (G0/0). The link is up but experiencing packet loss. You suspect an interface speed/duplex mismatch or SFP issue. Configure R1's interface to match the correct speed and duplex, and replace the SFP module if necessary to support a required distance of 40 km over single-mode fiber.

Network Topology
G0/0192.0.2.1/30G0/0192.0.2.2/30SMF linkR1R2

Hints

  • Check the current speed and duplex configuration under the interface.
  • Check the SFP module distance rating using 'show interfaces transceiver'.
  • Remove explicit speed and duplex commands to allow auto-negotiation.
A.Remove manual speed/duplex settings, enable auto-negotiation, and replace the SFP with a long-reach module (e.g., 1000BASE-ZX) that supports 40 km over single-mode fiber.
B.Change the duplex to full and speed to 1000 Mbps manually, and keep the existing SFP.
C.Keep the manual speed/duplex settings but replace the SFP with a 1000BASE-SX module.
D.Enable auto-negotiation on both ends but keep the existing SFP.
AnswerA
solution
! R1
interface gigabitethernet 0/0
no speed
no duplex
end
copy running-config startup-config

Why this answer

The link is experiencing packet loss, likely due to a speed/duplex mismatch between the manually configured interface and the peer (which may use auto-negotiation) and/or an SFP module that cannot support the required 40 km distance over single-mode fiber. To resolve both potential issues, remove any manual speed and duplex settings to restore default auto-negotiation (using 'no speed' and 'no duplex'), and replace the SFP with a module rated for 40 km or more on SMF, such as a 1000BASE-ZX (or 1000BASE-EX) transceiver. Standard 1000BASE-LX/LH only reaches up to 10 km on SMF, so it is insufficient for this scenario.

Exam trap

This question tests your ability to identify and resolve both a speed/duplex mismatch and an SFP distance limitation. A common trap is to focus on only one issue (e.g., only fixing the mismatch or only replacing the SFP) while ignoring the other. Always verify that the SFP supports the required distance and fiber type.

Why the other options are wrong

B

The specific factual error is that manually setting speed/duplex does not guarantee compatibility with the remote end and does not address the SFP distance limitation.

C

The specific factual error is that 1000BASE-SX is for multimode fiber and short distances, not single-mode fiber at 40 km.

D

The specific factual error is that the SFP distance limitation is not addressed; auto-negotiation alone does not change the physical layer capability.

1413
Matchingmedium

Match each technology to the kind of visibility or function it most directly provides.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Device events and log messages

Management data and monitored values

Traffic conversation visibility

Automatic host IP configuration

Why these pairings

Each technology is matched to the primary visibility or function it provides in a security architecture.

Exam trap

The exam trap is confusing the functions of similar-sounding technologies, especially NetFlow vs. SPAN (both deal with traffic) and SNMP vs. Syslog (both deal with monitoring).

Remember: NetFlow = flow records, SPAN = packet copies, SNMP = polling/health, Syslog = logs.

1414
Drag & Dropmedium

Drag and drop the following steps into the correct order to capture and analyze traffic on IOS-XE using the embedded packet capture feature, and in Wireshark to isolate a Layer 2 or Layer 3 fault.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

After entering privileged EXEC mode, enable capture on the interface, define buffer/filter, start capture, then export for Wireshark analysis; starting before configuring buffer would fail.

Exam trap

The exam trap is that candidates may confuse the order of steps, especially thinking that defining the buffer/filter should come before enabling the capture on the interface, or that starting the capture can be done early. Remember: enable the capture on the interface first, then configure buffer/filter, then start.

1415
Matchingeasy

Match each IP service to the transport protocol and default port it commonly uses in a basic CCNA context.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

UDP 53

UDP 67

UDP 123

UDP 514

Why these pairings

DNS primarily uses UDP port 53 for standard queries due to low overhead; TCP 53 is used for zone transfers but not in basic CCNA context. DHCPv4 server uses UDP port 67 because the protocol relies on broadcasts and does not require a connection-oriented transport. NTP uses UDP port 123 to keep time synchronization lightweight and efficient.

Syslog uses UDP port 514 to send system messages without requiring a session, prioritizing speed over reliability.

Exam trap

Be careful not to confuse FTP control (21) with FTP data (20). Also, remember that DNS primarily uses UDP, not TCP, even though it can use TCP in certain scenarios. HTTP/HTTPS always use TCP in a basic CCNA context; do not be misled by newer protocols like QUIC.

1416
Multi-Selectmedium

Which two statements correctly describe a RESTful API used by network controllers? Choose two.

Select 2 answers
A.It commonly uses HTTP methods such as GET and POST
B.It requires SNMP traps for every successful request
C.It is typically stateless between client requests
D.It can only return XML, never JSON
AnswersA, C

That is a core part of REST-style APIs.

Why this answer

REST commonly uses HTTP methods such as GET, POST, PUT, PATCH, and DELETE. It is also stateless, which means each request includes the information needed for the server to process it.

Exam trap

Be careful not to confuse RESTful APIs with protocols that maintain state or require specific data formats like XML.

Why the other options are wrong

B

RESTful APIs do not require SNMP traps; they use HTTP methods for communication, and SNMP traps are unrelated to REST API operations.

D

RESTful APIs are format-agnostic and commonly support both XML and JSON, with JSON being the more prevalent format due to its lightweight nature. The statement that RESTful APIs can only return XML is incorrect.

1417
Matchingmedium

Match each networking concept to its most accurate role.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Defines network versus host portions of the address

Next hop used for off-subnet traffic

Local Layer 2 address for frame delivery

Data structure used to choose packet-forwarding paths

Why these pairings

A subnet mask distinguishes network and host portions of an IP address, enabling proper local and remote delivery decisions. The default gateway is the router's interface on the local subnet, serving as the exit point for traffic destined outside the local network. A MAC address is a hardware identifier used at Layer 2 to deliver frames to the correct next-hop device on the same link.

The routing table contains network prefixes and next hops, allowing a router to select the best path for forwarding packets.

Exam trap

Learners often confuse the default gateway (a next-hop IP) with the subnet mask (a bit mask defining network boundaries), especially when configuring IP settings; remember that the gateway is where off-subnet packets are sent, while the mask determines if the destination is on the same subnet.

1418
MCQhard

A network engineer configures OSPF between R1 and R2, but the routers never become neighbors on GigabitEthernet0/0. Based on the exhibit, what is the most likely cause?

A.The routers are using different OSPF areas.
B.The OSPF interface timers do not match.
C.The routers must use the same hostname to become neighbors.
D.The subnet mask prevents multicast OSPF traffic.
AnswerB

This is correct because OSPF neighbors on the same segment must agree on hello/dead intervals.

Why this answer

The most likely cause is a hello/dead timer mismatch. In practical terms, both routers are on the same subnet and both are trying to run OSPF in area 0, so the obvious items look correct. But OSPF does not form adjacency based on IP reachability alone. It also checks whether key interface parameters agree. Hello and dead intervals are among those required parameters.

On R1, the hello interval is 10 seconds and the dead interval is 40 seconds. On R2, the hello interval is 5 seconds and the dead interval is 20 seconds. That mismatch is enough to prevent the neighbor relationship from forming. This is a common CCNA troubleshooting pattern because the interfaces can still ping each other, which makes the failure look less obvious at first glance.

Exam trap

A frequent exam trap is assuming that OSPF adjacency forms as long as routers are in the same area and can ping each other. Candidates often overlook the necessity for matching hello and dead intervals, which are critical for neighbor discovery and maintenance. Because routers can still exchange ICMP packets, it may appear that the link is fully operational, leading to the mistaken belief that OSPF should work.

This misunderstanding causes candidates to select incorrect answers related to area mismatches or subnet masks, ignoring the timer mismatch that actually prevents adjacency.

Why the other options are wrong

A

This option is incorrect because both routers are configured to use the same OSPF area 0, so area mismatch is not the cause of adjacency failure.

C

Hostnames do not influence OSPF neighbor relationships; routers form adjacencies based on protocol parameters, not device names, so this option is invalid.

D

A /24 subnet mask does not block OSPF multicast traffic; OSPF uses multicast addresses that function normally on standard subnet masks, so this option is incorrect.

1419
Multi-Selectmedium

A network team wants an ACL that permits HTTPS from 10.1.50.0/24 to a web server at 203.0.113.10 and denies all Telnet traffic from that subnet to any destination. Which two ACEs are required?

Select 2 answers
A.permit tcp 10.1.50.0 0.0.0.255 host 203.0.113.10 eq 443
B.deny tcp 10.1.50.0 0.0.0.255 any eq 23
C.permit udp 10.1.50.0 0.0.0.255 host 203.0.113.10 eq 443
D.deny tcp any 10.1.50.0 0.0.0.255 eq 23
E.permit ip any any
AnswersA, B

This permits HTTPS from that subnet to the specific web server.

Why this answer

To meet the requirement, one ACE must explicitly permit TCP destination port 443 to the web server, and another must deny TCP destination port 23 to any destination. Option C is wrong because HTTPS (port 443) uses TCP, not UDP. Option D reverses source and destination; the deny should apply from 10.1.50.0/24 to any, not from any to that subnet.

Option E permits all IP traffic, which would override the deny for Telnet, making it ineffective.

Exam trap

Be careful to match both the source and destination criteria in ACLs, not just the destination.

Why the other options are wrong

C

HTTPS uses TCP, not UDP, so a UDP permit for port 443 would not match HTTPS traffic.

D

The ACL reverses source and destination; it denies Telnet from any to 10.1.50.0/24, not from 10.1.50.0/24 to any.

E

Permitting all IP traffic would allow Telnet, negating the required deny rule.

1420
MCQhard

A router has a static route and a RIP route for the same destination prefix. What is the primary reason the static route is preferred over the RIP route?

A.Because the static route has a lower administrative distance for the same prefix.
B.Because RIP can never be installed when static routing is configured anywhere.
C.Because RIP is valid only for host routes.
D.Because static routes are always more specific than RIP routes.
AnswerA

This is correct because both routes are /16, so source preference is decisive and static wins.

Why this answer

The static route is preferred because both routes describe the same destination prefix and the static route has the lower administrative distance. In practical terms, longest-prefix match does not break the tie because the prefixes are equal. The router then compares source trust, and static routing wins over RIP by default.

This is a core route-selection concept and a very exam-relevant comparison.

Exam trap

Do not confuse administrative distance with metrics or prefix length; administrative distance is the deciding factor here.

Why the other options are wrong

B

This option is incorrect because RIP can coexist with static routes in a routing table; static routes do not prevent RIP routes from being installed. Both routing protocols can be used simultaneously, and the routing decision is based on administrative distance.

C

This option is incorrect because RIP can coexist with static routes in a routing table; static routes do not prevent RIP routes from being installed. Both routing protocols can be used simultaneously in a network.

D

This option is wrong because static routes are not inherently more specific than RIP routes; both can have varying levels of specificity depending on the configuration. The preference of static routes over RIP is determined by administrative distance, not specificity.

1421
PBQhard

You are connected to R1, a multilayer switch acting as an HSRP active gateway for VLAN 100. The network requires R1 to be the active router with a virtual IP of 192.168.100.1. Currently, both R1 and the peer router R2 show as active in 'show standby brief', and the virtual IP is misconfigured. Configure HSRP on R1 to fix these issues: set priority to 110, enable preempt, correct the virtual IP, and track interface GigabitEthernet0/1 (decrement priority by 20 if it goes down).

Network Topology
linkG0/1:10.0.0.1/30linkR1R2upstream router

Hints

  • Check the virtual IP address configured under the standby group — it should match the expected virtual IP.
  • Preempt is disabled by default; verify if it's configured to allow R1 to become active after a failure.
  • Use 'show standby' to see all details including tracking status.
A.interface Vlan100 standby 100 ip 192.168.100.1 standby 100 priority 110 standby 100 preempt standby 100 track GigabitEthernet0/1 20
B.interface Vlan100 standby 100 ip 192.168.100.254 standby 100 priority 110 standby 100 preempt standby 100 track GigabitEthernet0/1 20
C.interface Vlan100 standby 100 ip 192.168.100.1 standby 100 priority 100 standby 100 preempt standby 100 track GigabitEthernet0/1 20
D.interface Vlan100 standby 100 ip 192.168.100.1 standby 100 priority 110 standby 100 track GigabitEthernet0/1 20
AnswerA
solution
! R1
interface Vlan100
standby 100 ip 192.168.100.1
standby 100 priority 110
standby 100 preempt
standby 100 track GigabitEthernet0/1 20

Why this answer

The problem had multiple issues: the virtual IP was wrong (192.168.100.254 instead of 192.168.100.1), preempt was not enabled (both routers could claim active), and priority was default (100). Additionally, interface tracking was missing to decrement priority if the upstream link failed. The solution consists of four commands: 'standby 100 ip 192.168.100.1' to set the correct virtual IP, 'standby 100 priority 110' to make R1 the active router, 'standby 100 preempt' to allow R1 to reclaim active role after recovery, and 'standby 100 track GigabitEthernet0/1 20' to reduce priority by 20 if that interface goes down.

Exam trap

Watch out for three common HSRP pitfalls: (1) virtual IP must match the configured gateway, (2) preempt is required for a router to reclaim active role after recovery, and (3) priority must be higher than the peer to be preferred. Also, remember that interface tracking decrements priority, so the tracked interface must be specified correctly.

Why the other options are wrong

B

The virtual IP address is wrong; it should be 192.168.100.1, not 192.168.100.254.

C

Priority must be higher than the default (100) to ensure R1 becomes the active router; 110 is required.

D

Preempt is required to allow R1 to reclaim the active role when its priority becomes higher again after a failure.

1422
Matchingmedium

Drag and drop the interface error types on the left to the corresponding descriptions on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Frames that fail the cyclic redundancy check due to noise or faulty cabling

Frames smaller than 64 bytes, often caused by collisions

Frames exceeding the maximum frame size, often due to a faulty NIC

Repeated link up/down transitions, often from loose cables or hardware issues

Total receive-side errors including CRC, runts, giants, and framing errors

Why these pairings

CRC errors occur when a frame fails the cyclic redundancy check (checksum mismatch) due to noise or faulty cabling. Runts are frames smaller than 64 bytes, typically caused by collisions. Giants are frames exceeding the maximum frame size, often from a faulty NIC.

Flaps are repeated link up/down transitions, usually from loose cables or hardware issues. Input errors is a catch-all counter for all receive-side errors including CRC, runts, giants, and framing errors. Each match is correct because the description aligns with the standard definition; for example, CRC errors specifically involve checksum failure, not frame size or link flapping.

Exam trap

Do not confuse CRC errors with other frame errors. CRC errors are about checksum mismatches, not frame size (runts/giants) or timing (collisions). Focus on the specific description: 'checksum failure' or 'CRC mismatch'.

1423
MCQhard

After configuring a static discard route with the command 'ip route 0.0.0.0 0.0.0.0 Null0 254' on R1, a network engineer finds that traffic to destinations that are not in the routing table is still being forwarded out to the ISP instead of being dropped. What is the most likely cause?

A.The Null0 interface is administratively shut down.
B.The address 0.0.0.0/0 is an invalid destination for a static route because it is not a real network.
C.The static discard route must include a next-hop IP address instead of specifying Null0 as the interface.
D.The ISP static default route has an administrative distance of 1, which is lower than the administrative distance of 254 set for the Null0 route.
AnswerD

When a router has multiple routes for the same 0.0.0.0/0 prefix, it selects the one with the lowest administrative distance. The ISP route with AD 1 wins, so traffic never matches the AD 254 Null0 discard route.

Why this answer

The static default route via the ISP has an administrative distance of 1 (either explicitly configured or inherited as a static route), which is lower than the Null0 route's AD of 254. Because the router always prefers the route with the lowest administrative distance for the same destination, the ISP route is installed in the forwarding table, and the discard route is never used. For the discard route to be selected, its AD would need to be less than or equal to the ISP route's AD, or the ISP route must be removed.

Exam trap

Many candidates think the Null0 interface must be ‘up/up’ for the route to work and mistakenly assume it is down, but Null0 is a virtual interface that is always up. The real issue is the administrative distance preference.

Why the other options are wrong

A

Candidates often assume that a route pointing to an interface requires that interface to be up, but Null0 is always available.

B

A misconception that the default route is special and cannot be used with Null0, but any valid IP prefix can be directed to Null0 to create a discard route.

C

Confusing Null0 routes with Ethernet interface routes, which require a next hop, leads to the incorrect belief that a next hop is mandatory for all static routes.

1424
Matchingmedium

Drag and drop the AI/ML concepts on the left to the correct descriptions on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Identifies deviations from normal network behavior, such as sudden traffic spikes or unusual login attempts.

Uses historical data and machine learning to forecast future network events, such as capacity needs or potential failures.

Translates high-level business intent into automated network configurations and policies, ensuring continuous alignment.

Trains a model on labeled data to classify or predict outcomes, e.g., identifying known attack signatures.

Discovers hidden patterns or clusters in unlabeled data, e.g., grouping similar traffic flows.

Learns optimal actions through trial-and-error interactions with the network environment, e.g., dynamic routing adjustments.

Why these pairings

These pairs correctly match fundamental AI/ML concepts with their definitions, as commonly tested in Cisco/IT certifications.

Exam trap

Be careful not to confuse the hierarchy: AI is the broadest, then machine learning, then deep learning. Also, avoid literal interpretations of 'neural' as mimicking the brain.

1425
MCQhard

A router is configured with PAT for inside users. Which symptom most strongly suggests the NAT inside/outside roles are reversed on the interfaces?

A.Outbound traffic still shows private inside source addresses where translated public addresses should appear.
B.The NAT translation table is empty even though internal users are browsing the internet.
C.Internal hosts cannot reach the internet at all.
D.External hosts can connect to internal servers using their private IP addresses.
AnswerA

This is correct because reversed inside/outside roles break the normal PAT translation direction.

Why this answer

When NAT inside/outside roles are reversed, the router applies translation logic in the wrong direction, causing traffic from the inside network to leave the outside interface with untranslated private source addresses. The correct answer (A) directly demonstrates this failure: outbound traffic still shows private IPs where a public address should appear after PAT. The other options describe symptoms that could occur with other NAT misconfigurations but do not strongly indicate reversed roles: an empty translation table (B) suggests no NAT processing at all, possibly due to missing ACL or overload configuration; total lack of internet access (C) may result from many connectivity issues, not specifically reversed interface roles; and external hosts reaching internal servers by private IP (D) points more to a missing or incorrect static NAT rule rather than direction reversal.

Exam trap

A common exam trap is assuming that NAT translation problems are caused by ACL or overload command errors, while overlooking the inside/outside interface roles. Candidates may see private IP addresses in outbound traffic and mistakenly focus on ACL syntax or NAT pool definitions. However, the root cause is often reversed interface roles, which prevent the router from applying PAT correctly.

This trap leads to wasted time troubleshooting unrelated configurations and missing the fundamental NAT directionality requirement.

Why the other options are wrong

B

An empty NAT table indicates no translation is happening at all, which is not the expected outcome of simply reversing inside/outside roles—NAT still processes packets but incorrectly.

C

Complete internet unreachability is a generic connectivity symptom that could be caused by routing, firewall, or other NAT issues, but does not strongly signal a role reversal.

D

External hosts connecting to a private IP without translation is a typical sign of a missing static NAT or PAT rule, not of reversed interface direction assignments.

Page 18

Page 19 of 25

Page 20