CCNA 200-301 v2 (200-301) — Questions 76–150

1819 questions total · 25 pages · All types, answers revealed

Page 2 of 25
Question 76 (MCQ, medium)

Which tool type is most appropriate for turning a variable set of interface values into a reusable configuration template?

A. A packet sniffer
B. A templating engine
C. A DNS recursive resolver
D. An STP root bridge

Answer: B

Correct. Templates are built for reusable parameterized configurations.

Why this answer

A templating engine allows you to create a reusable configuration pattern and populate it with variable values, making it ideal for turning variable interface values into templates. A packet sniffer captures network traffic and analyzes packets but does not generate configuration templates. A DNS recursive resolver translates domain names to IP addresses, which is unrelated to configuration templating.

An STP root bridge manages loop-free topology in a switched network, not template creation.

Exam trap

Avoid confusing tools that manage or analyze configurations with those that generate them. Focus on the primary function of each tool.

Why the other options are wrong

A

A packet sniffer captures and analyzes network traffic, but it cannot generate or manipulate configuration templates. It is a monitoring tool, not a configuration automation tool.

C

A DNS recursive resolver translates domain names to IP addresses and has no capability to generate or manage configuration templates. It is a name resolution service, not a configuration tool.

D

An STP root bridge is a switch role in Spanning Tree Protocol that prevents loops in a network. It is a functional role, not a tool for creating reusable configuration templates.

Question 77 (MCQ, hard)

A router learns route 198.51.100.0/24 from OSPF with AD 110 and also has a static route to the same prefix configured with AD 150. Which route is installed?

A. The static route, because static routes always win
B. The OSPF route, because 110 is lower than 150
C. Both routes, because administrative distances are different
D. Neither route, because the static route is floating

Answer: B

Correct. OSPF is preferred here because AD 110 is lower than 150.

Why this answer

The route with the lower administrative distance is installed. A static route configured with a higher AD becomes a floating static route and remains as a backup until the preferred route disappears.

Exam trap

Don't assume static routes are always preferred; check the administrative distance.

Why the other options are wrong

A

Static routes do not always win; they have a default administrative distance of 1, but in this scenario the static route was configured with AD 150, which is higher than OSPF's AD 110. Therefore, the OSPF route is preferred.

C

A router installs only the best route (lowest AD) for a given prefix into the routing table. Different AD values do not cause both routes to be installed; the route with the lower AD is chosen.

D

A floating static route is a static route with a higher AD than the dynamic route, so it remains inactive as a backup. In this case, the static route is floating, but it is still valid and will be used if the OSPF route is lost. The question asks which route is installed, and the OSPF route is installed, not neither.

Question 78 (MCQ, hard)

A network engineer configures OSPF on R1 and R2 over a point-to-point link. The interfaces are in the same OSPF area, with matching hello and dead timers, and are on the same IP subnet. However, the command show ip ospf neighbor on both routers shows no neighbors. A firewall sits between R1 and R2. What should the technician do next?

A. Check the firewall rules to verify that multicast address 224.0.0.5 is not being blocked.
B. Verify that the OSPF router IDs on R1 and R2 are unique.
C. Check the OSPF network type on the connecting interfaces.
D. Verify that the MTU on the connecting interfaces matches.

Answer: A

This is correct because OSPF multicast hellos (224.0.0.5) must be permitted through the firewall for neighbors to form. If blocked, routers will not see each other's hellos, resulting in an empty neighbor table.

Why this answer

OSPF uses multicast address 224.0.0.5 for hello packets on all OSPF network types except non-broadcast. With a firewall in the path, the most common reason for a complete lack of neighbor discovery, even when the interface-level OSPF parameters match, is that the firewall is blocking this multicast traffic. Checking the firewall rules directly addresses the most likely layer-3/layer-4 filtering issue and is a non-intrusive first step before examining deeper OSPF-specific settings.

Exam trap

Many candidates would jump to verifying the MTU, recalling that MTU mismatch is a classic OSPF issue. However, an MTU mismatch typically results in neighbors becoming stuck in the EXSTART or EXCHANGE state, not a complete absence of neighbors. The presence of a firewall and no neighbors at all strongly suggests the hellos are being dropped entirely, making the ACL check a higher priority.

Why the other options are wrong

B

Router ID duplication does not explain a completely empty neighbor table; neighbors would still be detected via hellos.

C

Network type mismatch would likely still result in hellos being received and a neighbor entry appearing, just not advancing to full adjacency. The complete absence of neighbors points to a transport issue.

D

Candidates often remember MTU mismatch as a frequent OSPF problem, but it manifests after neighbor discovery, not as a complete lack of neighbors.

Question 79 (MCQ, hard)

Based on the exhibit, which route will be used for destination 192.168.10.130?

A. The static route to 192.168.10.128/25
B. The OSPF route to 192.168.10.0/24
C. The default route
D. No route at all

Answer: A

This is correct because 192.168.10.130 is inside the more specific /25 prefix.

Why this answer

The route used will be the one with the longest matching prefix. In practical terms, 192.168.10.130 matches both the /24 and the /25 prefixes shown, but the /25 is more specific. Because longest-prefix match comes first, the router uses the /25 route even though other matching routes are present.

This is a clean route-table interpretation question that is very close to real exam reasoning.

Exam trap

A common exam trap is to select the OSPF route to 192.168.10.0/24 because it appears as a valid route to the destination. Candidates may mistakenly believe that dynamic routing protocols override static routes or that the broader /24 subnet is sufficient. However, the router always prefers the longest prefix match, which is the /25 static route in this case.

Another trap is assuming the default route will be used when multiple routes exist, but default routes only apply when no specific routes match the destination. Misunderstanding these routing principles leads to incorrect answers.

Why the other options are wrong

B

This option is incorrect because the OSPF route to 192.168.10.0/24 has a shorter prefix length (/24) than the static /25 route, so it is less specific and will not be chosen for the destination IP.

C

This option is incorrect because the default route is only used when no other specific routes match the destination. Since both the /24 and /25 routes match, the default route is ignored.

D

This option is incorrect because the destination IP clearly matches multiple routes in the routing table, so the router will select the best match rather than having no route at all.

Question 80 (Multi-select, medium)

Which three of the following are typical use cases for automation in network security operations? (Choose three.)

Select 3 answers
A. Automated identification and blocking of previously unseen malware variants using behavioral analysis
B. Correlating authentication logs with network flows to detect lateral movement by an attacker
C. Dynamic micro-segmentation policy adjustment based on real-time risk scoring of endpoints
D. Replacing all firewall rules with a single AI-generated rule that covers all traffic
E. Guaranteeing zero false positives in intrusion detection by using deep learning
F. Automatically disabling all network ports when any anomaly is detected

Why this answer

Correct options represent realistic, risk-aware automation in network security. Automated malware detection uses behavioral patterns to stop unknown threats. Log-flow correlation helps uncover attacker lateral movement by spotting unusual access patterns.

Dynamic micro-segmentation leverages automation to isolate risky endpoints instantly. In contrast, blindly deleting logs after 24 hours destroys critical forensic evidence. Applying one security config to all devices ignores differing roles and threats.

Opening all firewall ports for performance trades security for convenience, violating fundamental security principles.

Exam trap

Cisco often tests the candidate's ability to distinguish between AI-driven automation and traditional rule-based automation; the trap here is that all three options are correct, but candidates might second-guess themselves if they think one is too advanced for the exam scope.

Why the other options are wrong

D

Logs must be retained for security investigations; automatic deletion undermines forensics.

E

Network devices have diverse roles; a uniform configuration cannot address specific security needs.

F

Indiscriminately opening ports during peak hours exposes the network to unnecessary risk.

Question 81 (MCQ, hard)

A network engineer replaces a failed 1000BASE-LX SFP on a core switch with a new transceiver of the same type. After connecting the single-mode fiber, the link remains down and a 'show interfaces gig1/0/49 transceiver' reveals an Rx power of –30 dBm, while the far-end SFP is transmitting at –3 dBm over a 2 km span. The fiber patch cord shows no visible damage.

A. The new SFP is a counterfeit Cisco transceiver that cannot establish a stable link.
B. The SFP is not fully seated in the switch port, causing an intermittent optical connection.
C. Excessive attenuation due to a dirty or damaged fiber connector is preventing the link from coming up.
D. The single-mode fiber distance exceeds the 10 km maximum for 1000BASE-LX, leading to severe signal dispersion.

Answer: C

A –30 dBm Rx power with a transmit level of –3 dBm over a 2 km single-mode span represents a 27 dB loss, far exceeding the expected 0.5–1 dB. Such high loss is typical of contaminated end faces, poor mating, or a tight bend, and it pushes the signal below the receiver sensitivity threshold (around –25 dBm), causing the link to stay down.

Why this answer

Option C is correct because the measured Rx power of –30 dBm is far below the receive sensitivity threshold for 1000BASE-LX (typically –19 to –22 dBm), even though the transmitter is outputting a healthy –3 dBm over only 2 km. This indicates excessive loss in the optical path, most commonly caused by a dirty or damaged fiber connector. Cleaning the connector ends with an appropriate fiber cleaning tool and inspecting with a microscope would likely resolve the issue.

Exam trap

Cisco often tests the concept that a link can fail due to excessive optical loss even when the fiber distance is well within the rated maximum, leading candidates to incorrectly blame distance or counterfeit hardware instead of connector cleanliness or damage.

Why the other options are wrong

A

Low Rx power points to a physical signal issue, not a counterfeit detection problem.

B

A partially seated SFP would likely prevent any light from entering, not show a measurable but weak signal.

D

Distance would not cause a 27 dB loss over such a short path, and dispersion is not measured as a reduction in optical power on the DOM readout.

Question 82 (MCQ, hard)

R1 is not forming an OSPF adjacency with R2 on GigabitEthernet0/1. Which mismatch below is the most likely cause?

A. The routers are using different IP subnet masks on the shared link
B. OSPF cannot run on GigabitEthernet interfaces
C. Both routers are in area 0
D. The router IDs must match for adjacency to form

Answer: A

That mismatch can stop OSPF adjacency on the segment.

Why this answer

For OSPF neighbors to form, key settings on a shared segment must match. A subnet mask mismatch on a broadcast network often prevents proper neighbor formation because the routers do not agree on the local network.

Exam trap

A common exam trap is confusing the need for matching router IDs with adjacency formation. While router IDs must be unique within an OSPF domain, they do not need to match for adjacency to form. Another trap is assuming OSPF cannot run on GigabitEthernet interfaces, which is incorrect because OSPF supports all standard interface types.

The most tempting mistake is overlooking the subnet mask mismatch, which silently prevents adjacency by making routers believe they are on different networks, even if other parameters like area ID match. This subtle misconfiguration is often missed during troubleshooting.

Why the other options are wrong

B

Incorrect because OSPF fully supports GigabitEthernet interfaces. There is no restriction on running OSPF on these interfaces in Cisco IOS.

C

Incorrect because both routers being in area 0 is necessary for adjacency on that segment. Matching area IDs help form adjacency rather than prevent it.

D

Incorrect because router IDs must be unique, not identical. Matching router IDs do not cause adjacency to form; in fact, duplicate router IDs cause routing problems, which is a separate issue from the adjacency failure caused by a subnet mismatch.

Question 83 (Multi-select, medium)

Which TWO statements correctly describe the behavior of Root Guard, Loop Guard, and BPDU Guard in a Rapid PVST+ environment?

Select 2 answers
A. Root Guard is applied to a port that should never become a root port; if a superior BPDU is received, the port is placed into a root-inconsistent state.
B. Loop Guard is used on root ports to monitor BPDU reception; if BPDUs stop, the port is immediately placed into forwarding mode to maintain connectivity.
C. BPDU Guard is typically configured on access ports and error-disables the port if a BPDU is received, protecting against unauthorized switch connections.
D. Root Guard and BPDU Guard can be enabled simultaneously on the same port to provide both root protection and BPDU filtering.
E. Loop Guard is only effective when configured on ports that are in a blocking state; it prevents them from transitioning to forwarding if BPDUs are not received.

Answers: A, C

Root Guard forces a port to be a designated port. When a superior BPDU is received, the port enters a root-inconsistent (blocked) state to prevent it from becoming a root port.

Why this answer

Option A is correct because Root Guard, applied to a port that should never become a root port, places that port into a root-inconsistent state upon receiving a superior BPDU, blocking traffic to prevent an unauthorized root bridge. Option C is correct because BPDU Guard is typically configured on access ports and error-disables the port if any BPDU is received, protecting against rogue switch connections. Option B is incorrect: when BPDUs stop on a port with Loop Guard, the port is placed into a loop-inconsistent state (blocked), not immediately forwarded, to prevent loops.

Option D is incorrect because Root Guard and BPDU Guard are mutually exclusive and cannot be enabled simultaneously on the same port due to conflicting protective behaviors. Option E is incorrect because Loop Guard is effective on any port that is expected to receive BPDUs, including root ports and alternate/backup ports; it is not limited to ports already in a blocking state, and the statement's use of 'only' makes it false.

Exam trap

Cisco often tests the misconception that Loop Guard immediately forwards traffic when BPDUs stop, but in reality it blocks the port to prevent loops, and that Root Guard and BPDU Guard can coexist on the same port, which they cannot due to conflicting behaviors.

Why the other options are wrong

B

Loop Guard is applied to non-designated ports (alternate or backup ports), not root ports. When BPDUs stop arriving, the port is placed into a loop-inconsistent state (blocked) to prevent loops, not into forwarding mode.

D

Root Guard and BPDU Guard have conflicting behaviors: Root Guard allows BPDU processing to detect superior BPDUs, while BPDU Guard disables the port upon receiving any BPDU. They cannot be enabled simultaneously on the same port because their actions are mutually exclusive.

E

Loop Guard is effective on ports that are in a blocking state (alternate or backup ports), but it does not prevent them from transitioning to forwarding; instead, if BPDUs stop, the port remains in a loop-inconsistent state (blocked) to prevent loops. The statement incorrectly implies that Loop Guard prevents transition, but it actually causes the port to stay blocked.

Question 84 (PBQ, hard)

You are troubleshooting connectivity between R1 and R2. The link is up but users report intermittent packet loss. Examine the provided show interface output on R1, identify the root cause, and apply the necessary fix to restore normal operation.

Network Topology
R1 G0/0 192.0.2.1/30 <--- link ---> R2 G0/0 192.0.2.2/30

Hints

  • Input errors without CRC or frame errors often indicate a duplex mismatch.
  • Check the duplex setting on both ends of the link.
  • Use 'duplex auto' and 'speed auto' to allow negotiation.
A. Configure 'duplex auto' and 'speed auto' on interface G0/0 of R1.
B. Replace the faulty cable between R1 and R2.
C. Increase the MTU size on interface G0/0 of R1.
D. Disable CDP on interface G0/0 of R1.

Answer: A

Solution:
! R1
interface GigabitEthernet0/0
duplex auto
speed auto

Why this answer

The interface shows 'input errors' (150) but zero CRC and zero frame errors. This combination, along with 'Full-duplex, 1000Mb/s' and the link being up/up, indicates the interface is manually set to full-duplex while the connected device (R2) is likely operating at half-duplex (duplex mismatch). Although CRC errors are zero, input errors can still occur due to collisions on a mismatched duplex link.

The fix is to set the interface to auto-negotiate duplex and speed, or to manually set both sides to the same duplex setting. The recommended command is 'duplex auto' and 'speed auto' on both ends. In this scenario, we will configure R1's G0/0 for auto-negotiation.

Exam trap

Do not confuse input errors with CRC errors. Input errors without CRC/frame errors often indicate a duplex mismatch, not a physical layer issue. Always check the duplex setting on both ends when you see input errors but no CRC errors.

Why the other options are wrong

B

A faulty cable would likely cause CRC errors, frame errors, or interface resets, not just input errors with zero CRC.

C

MTU size does not affect duplex negotiation or collisions; it is unrelated to the input errors caused by duplex mismatch.

D

CDP has no impact on duplex negotiation or error counters; it is unrelated to the problem.
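An added Python example, not part of the question bank: it pulls the counters out of a constructed 'show interfaces' sample carrying the combination described above (150 input errors, 0 CRC, 0 frame, full duplex) and applies the exam's heuristic to separate a duplex mismatch from a physical-layer fault, emitting the duplex auto / speed auto fix only for the former.

```python
import re

# Constructed 'show interfaces GigabitEthernet0/0' output for R1, carrying the
# counters the question describes: 150 input errors, 0 CRC, 0 frame, full duplex.
SAMPLE_SHOW_INTERFACE = """\
GigabitEthernet0/0 is up, line protocol is up
  Hardware is iGbE, address is 0000.0c12.3456 (bia 0000.0c12.3456)
  Internet address is 192.0.2.1/30
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Full-duplex, 1000Mb/s, media type is RJ45
  5 minute input rate 12000 bits/sec, 10 packets/sec
     150 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
"""


def parse_show_interface(text):
    """Pull the fields the duplex heuristic needs out of IOS 'show interfaces'."""
    status = re.search(r"^(\S+) is (.+?), line protocol is (\w+)", text, re.M)
    duplex = re.search(r"(Full|Half)-duplex, (\d+)Mb/s", text)
    inerr = re.search(r"(\d+) input errors, (\d+) CRC, (\d+) frame", text)
    outerr = re.search(r"(\d+) output errors, (\d+) collisions, (\d+) interface resets", text)
    if not (status and duplex and inerr and outerr):
        raise ValueError("unrecognised show interfaces output")
    return {
        "interface": status.group(1),
        "admin": status.group(2),
        "line_protocol": status.group(3),
        "duplex": duplex.group(1),
        "speed_mbps": int(duplex.group(2)),
        "input_errors": int(inerr.group(1)),
        "crc": int(inerr.group(2)),
        "frame": int(inerr.group(3)),
        "output_errors": int(outerr.group(1)),
        "collisions": int(outerr.group(2)),
        "resets": int(outerr.group(3)),
    }


def diagnose(stats):
    """Apply the question's counter heuristics.  Returns (verdict, fix), where
    fix is the IOS config to push (empty when the fix is not a duplex change)."""
    fix = [f"interface {stats['interface']}", " duplex auto", " speed auto"]
    if stats["line_protocol"] != "up":
        return "link-down", []                 # Layer 1 / admin state comes first
    if stats["crc"] or stats["frame"] or stats["resets"]:
        return "physical-layer", []            # cable/transceiver class of fault
    if stats["input_errors"] and stats["duplex"] == "Full":
        return "duplex-mismatch", fix          # input errors with clean CRC/frame
    if stats["collisions"] and stats["duplex"] == "Half":
        return "duplex-mismatch", fix          # the half-duplex side logs collisions
    return "healthy", []


if __name__ == "__main__":
    s = parse_show_interface(SAMPLE_SHOW_INTERFACE)
    verdict, fix = diagnose(s)
    print(s["interface"], verdict)             # GigabitEthernet0/0 duplex-mismatch
    print("\n".join(fix))
```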

Question 85 (Drag & Drop, medium)

Drag and drop the following steps into the correct order to troubleshoot a Windows client that is unable to reach a remote server.


Why this order

The correct order begins with ipconfig /all to verify the client's IP settings, then tests the local TCP/IP stack with ping 127.0.0.1. Next, pinging the client's own IP confirms the NIC and configuration. Pinging the default gateway checks local network connectivity, and pinging the remote server tests end-to-end.

Finally, tracert isolates the failure point if the remote ping fails. This layered approach narrows the problem scope from the host itself outward.

Question 86 (MCQ, hard)

A switchport is configured as an access port in VLAN 10, but a user plugs in a small unmanaged switch and connects multiple devices behind it. Which security feature most directly limits that behavior at the switchport?

A. Port security
B. OSPF authentication
C. NetFlow
D. NTP

Answer: A

This is correct because port security can limit MAC addresses learned on the port.

Why this answer

Port security most directly limits that behavior because it can restrict how many MAC addresses are learned on the switchport. In practical terms, if the interface is supposed to support one endpoint but suddenly begins presenting multiple MAC addresses from a downstream mini-switch, port security can detect and react to that change.

This is a classic access-layer control question. VLAN assignment alone does not limit how many devices appear behind the port.

Exam trap

A frequent exam trap is assuming that VLAN assignment alone restricts the number of devices behind a switchport. VLANs only segregate traffic logically and do not prevent multiple MAC addresses from appearing on a port. Another common mistake is selecting unrelated options like OSPF authentication, which secures routing protocol exchanges but does not control Layer 2 access.

NetFlow and NTP are also unrelated to limiting connected devices. The key is recognizing that only port security directly limits how many MAC addresses can be learned on a port, thus controlling the number of connected devices.

Why the other options are wrong

B

OSPF authentication is unrelated to switchport security; it protects routing protocol exchanges but does not control physical or MAC-level access on a switchport.

C

NetFlow is a traffic monitoring tool that provides visibility into network flows but does not enforce any limits on the number of devices connected to a switchport.

D

NTP is used for time synchronization across network devices and does not provide any mechanism to restrict or control devices connected to a switchport.

Question 87 (PBQ, hard)

You are connected to R1 in a small office network. Configure PAT (NAT overload) so that hosts on the 192.168.1.0/24 LAN can access the Internet via the public IP 203.0.113.1 (the IP assigned to interface G0/0). Also configure a static NAT for the internal web server at 192.168.1.10 to the public IP 203.0.113.6. The current configuration has errors: the inside/outside interface assignments are swapped, the ACL for PAT does not match the inside subnet, and the PAT rule points to the wrong ACL. Fix all issues so that both PAT and static NAT work correctly.

Network Topology
ISP/Internet <---> G0/0 203.0.113.1/29 [R1] G0/1 <---> Switch <---> LAN 192.168.1.0/24

Hints

  • Check which interface is public and which is private — they are reversed.
  • The ACL used in the PAT command must match the inside subnet exactly.
  • The PAT command should reference the correct outside interface and the correct ACL.
A. Configure G0/0 as outside, G0/1 as inside; modify ACL 1 to permit 192.168.1.0 0.0.0.255; apply ip nat inside source list 1 interface G0/0 overload; keep ip nat inside source static 192.168.1.10 203.0.113.6
B. Configure G0/0 as inside, G0/1 as outside; modify ACL 1 to permit 192.168.1.0 0.0.0.255; apply ip nat inside source list 1 interface G0/1 overload; keep ip nat inside source static 192.168.1.10 203.0.113.6
C. Configure G0/0 as outside, G0/1 as inside; modify ACL 1 to permit 192.168.2.0 0.0.0.255; apply ip nat inside source list 1 interface G0/0 overload; keep ip nat inside source static 192.168.1.10 203.0.113.6
D. Configure G0/0 as outside, G0/1 as inside; modify ACL 1 to permit 192.168.1.0 0.0.0.255; apply ip nat inside source list 2 interface G0/0 overload; keep ip nat inside source static 192.168.1.10 203.0.113.6

Answer: A

Solution:
! R1
interface GigabitEthernet0/0
no ip nat inside
ip nat outside
exit
interface GigabitEthernet0/1
no ip nat outside
ip nat inside
exit
no access-list 1
access-list 1 permit 192.168.1.0 0.0.0.255
no ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source list 1 interface GigabitEthernet0/0 overload
no ip nat inside source list 2 interface GigabitEthernet0/0 overload

Why this answer

The main issues: (1) Interfaces were swapped — G0/0 (public) was inside and G0/1 (private) was outside. They should be reversed: G0/0 outside, G0/1 inside. (2) ACL 1 (used in the PAT command) permitted 192.168.2.0/24 instead of 192.168.1.0/24. (3) The PAT command for G0/0 used ACL 2, which was correct for the subnet but the interface was wrong. After fixing interface assignments and correcting ACL 1 to permit the inside subnet, the PAT command must use ACL 1 and the correct outside interface.

The static NAT was correctly configured but needed the correct inside interface. The PAT translation uses the IP address of the outside interface (interface overload), so after fixing the configuration, inside hosts will be translated to 203.0.113.1, the primary IP of G0/0, not 203.0.113.5.

Exam trap

Common traps include confusing inside/outside interface roles, mismatching ACL subnets, and referencing the wrong ACL number in the PAT command. Always verify interface assignments, ACL content, and command syntax step by step.

Why the other options are wrong

B

The specific factual error: The inside/outside interface roles are reversed; PAT is applied to the wrong interface.

C

The specific factual error: The ACL does not match the inside network, so PAT will not be applied to LAN traffic.

D

The specific factual error: The PAT command uses the wrong ACL number; it should use ACL 1, not ACL 2.
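An added Python example (not the page's own solution): a lint that parses a constructed copy of the faulty R1 configuration from this task and reports the errors against the stated intent (public /29 on G0/0, LAN on G0/1, server mapping 192.168.1.10 to 203.0.113.6), then comes back clean on the configuration from answer A. Interface names, the exact faulty lines and the /29 derived from the topology are assumptions.

```python
import ipaddress
import re

# Intent from the task: LAN behind G0/1, public /29 on G0/0, server mapping.
LAN = ipaddress.ip_network("192.168.1.0/24")
PUBLIC = ipaddress.ip_network("203.0.113.0/29")
SERVER_MAP = ("192.168.1.10", "203.0.113.6")

# Constructed starting config with the faults the task describes:
# roles swapped, ACL 1 on the wrong subnet, PAT bound to the wrong interface.
BROKEN_CONFIG = """\
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.248
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.1.10 203.0.113.6
"""

# The same config after applying the page's solution (answer A).
FIXED_CONFIG = """\
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.1.10 203.0.113.6
"""


def parse_ios(cfg):
    """Minimal parser for the interface, ACL and NAT lines the lint needs."""
    ifaces, acls, pat, statics = {}, {}, [], []
    cur = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line == "!":
            cur = None
            continue
        if not raw.startswith(" ") and not line.startswith("interface "):
            cur = None                      # a global command ends interface sub-mode
        if line.startswith("interface "):
            cur = line.split()[1]
            ifaces[cur] = {"ip": None, "nat": None}
        elif cur and line.startswith("ip address "):
            _, _, ip, mask = line.split()
            ifaces[cur]["ip"] = ipaddress.ip_interface(f"{ip}/{mask}")
        elif cur and line in ("ip nat inside", "ip nat outside"):
            ifaces[cur]["nat"] = line.split()[-1]
        elif (m := re.fullmatch(r"access-list (\d+) permit (\S+) (\S+)", line)):
            # IOS ACLs use wildcard masks; invert to get a normal netmask
            mask = ~int(ipaddress.ip_address(m.group(3))) & 0xFFFFFFFF
            net = ipaddress.ip_network(f"{m.group(2)}/{ipaddress.ip_address(mask)}")
            acls.setdefault(m.group(1), []).append(net)
        elif (m := re.fullmatch(r"ip nat inside source list (\d+) interface (\S+) overload", line)):
            pat.append((m.group(1), m.group(2)))
        elif (m := re.fullmatch(r"ip nat inside source static (\S+) (\S+)", line)):
            statics.append((m.group(1), m.group(2)))
    return ifaces, acls, pat, statics


def lint_nat(cfg):
    """Return a list of findings; an empty list means PAT and static NAT match the intent."""
    ifaces, acls, pat, statics = parse_ios(cfg)
    findings = []
    outside = [n for n, d in ifaces.items() if d["ip"] and d["ip"].ip in PUBLIC]
    inside = [n for n, d in ifaces.items() if d["ip"] and d["ip"].ip in LAN]
    for n in outside:
        if ifaces[n]["nat"] != "outside":
            findings.append(f"{n} carries the public address but is marked 'ip nat {ifaces[n]['nat']}'")
    for n in inside:
        if ifaces[n]["nat"] != "inside":
            findings.append(f"{n} carries the LAN address but is marked 'ip nat {ifaces[n]['nat']}'")
    if not pat:
        findings.append("no 'ip nat inside source list ... overload' rule")
    for acl, ifname in pat:
        if ifname not in outside:
            findings.append(f"PAT is bound to {ifname}, which is not the public-facing interface")
        if LAN not in acls.get(acl, []):
            findings.append(f"ACL {acl} used by PAT does not permit {LAN}: {acls.get(acl, [])}")
    if SERVER_MAP not in statics:
        findings.append(f"static NAT {SERVER_MAP[0]} -> {SERVER_MAP[1]} missing or wrong")
    return findings
```

Running lint_nat(BROKEN_CONFIG) yields four findings (both interface roles, the PAT interface and the ACL subnet); lint_nat(FIXED_CONFIG) returns an empty list.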

Question 88 (Matching, medium)

Match each programmability term to its most accurate meaning.

Concepts: Controller, Northbound API, JSON, Token

Descriptions:

  • Centralized management or policy platform
  • Application-facing interface to the controller
  • Structured data format commonly exchanged
  • Credential-like value used to help control access

Why these pairings

Controller is the centralized management or policy platform that orchestrates network behavior. Northbound API is the application-facing interface that allows applications to communicate with the controller. JSON is a structured data format commonly used to exchange information between network devices and controllers.

Token is a credential-like value used to authenticate and authorize access to network resources.

Exam trap

Do not confuse northbound and southbound APIs: northbound is toward applications, southbound is toward devices. Also, remember that OpenFlow is for flow control, not configuration; configuration is done via NETCONF/RESTCONF.

Question 89 (Drag & Drop, medium)

Drag and drop the following troubleshooting steps into the correct order to diagnose a client connectivity issue. Use the OSI bottom-up method, starting with the lowest layer and moving up.


Why this order

The bottom-up approach starts at Layer 1 and moves up to Layer 7, checking physical, network, and application layers in order.

Exam trap

Candidates often confuse bottom-up with top-down approaches or skip layers. Remember: bottom-up always starts at the physical layer and moves up one layer at a time.

Question 90 (MCQ, hard)

A router has a static route for 172.16.10.128/25 and an OSPF-learned route for 172.16.10.0/24. When forwarding traffic to 172.16.10.130, why does the router use the static route instead of the OSPF route?

A. Because the static /25 route is more specific than the OSPF /24 route.
B. Because static routes always beat OSPF even when they are less specific.
C. Because OSPF routes cannot be used for Class B networks.
D. Because the OSPF metric is lower than the static administrative distance.

Answer: A

This is correct because longest-prefix match selects the /25 for 172.16.10.130.

Why this answer

The static route is used because it is the more specific match. In practical terms, route selection starts with prefix specificity. The destination 172.16.10.130 matches both routes shown, but the static /25 is more specific than the OSPF /24. Because longest-prefix match comes first, the static route is chosen regardless of the different route sources.

This is a classic route-selection interpretation question that tests whether you prioritize specificity correctly.

Exam trap

A common exam trap is to incorrectly assume that static routes always override OSPF routes due to their lower administrative distance, regardless of prefix length. Candidates might also believe that OSPF cannot handle Class B networks or that metrics alone determine route selection. The trap lies in ignoring the fundamental routing principle of longest-prefix match, which Cisco routers apply before considering administrative distance or metric.

This misunderstanding leads to incorrect answers and confusion about route selection behavior in Cisco routing tables.

Why the other options are wrong

B

Option B is incorrect because static routes do not always override OSPF routes regardless of specificity. Prefix length is evaluated before administrative distance, so a less specific static route would not override a more specific OSPF route.

C

Option C is incorrect because OSPF can route any IP address range, including Class B networks like 172.16.0.0/16. There is no limitation on OSPF routing based on IP class.

D

Option D is incorrect because the routing decision here is based on prefix length, not on comparing OSPF metric and static route administrative distance. The static route’s longer prefix length takes precedence.

Question 91 (MCQ, hard)

A router receives a destination prefix from EIGRP with administrative distance 90 and also from OSPF with administrative distance 110. The prefix length is identical. Which route source is preferred?

A. EIGRP
B. OSPF
C. Both equally
D. Neither, because route sources cannot overlap

Answer: A

This is correct because EIGRP’s default administrative distance of 90 is lower than OSPF’s 110.

Why this answer

The EIGRP route is preferred because its administrative distance is lower. In practical terms, once the prefix length is the same, the router compares the trustworthiness of the route source. Lower administrative distance wins. Since 90 is lower than 110, EIGRP is preferred over OSPF for that destination.

This is an administrative-distance comparison question, not a longest-prefix question. The key is that the prefix length is equal, so source preference becomes the deciding factor.

Exam trap

A frequent exam trap is to assume that OSPF routes might be preferred over EIGRP routes simply because OSPF is a widely used IGP or because of metric comparisons within OSPF. Candidates often confuse administrative distance with routing metrics, mistakenly thinking that the lower metric route is preferred regardless of protocol. However, administrative distance is the first criterion when routes come from different protocols.

Another trap is to think that routes from different protocols cannot overlap or that prefix length alone determines preference. The key is that when prefix lengths are equal, the router uses administrative distance to select the best route, so EIGRP’s lower AD of 90 always beats OSPF’s 110.

Why the other options are wrong

B

This option is incorrect because OSPF’s administrative distance of 110 is higher than EIGRP’s 90, so OSPF routes are less preferred when both advertise the same prefix length.

C

This option is incorrect because routers do not treat routes from different protocols with equal administrative distance; they prefer the route with the lower administrative distance, so both routes are not equally preferred.

D

This option is incorrect because routers can and often do receive overlapping routes from multiple routing protocols and must compare administrative distance to choose the best route.
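The two-step selection that questions 77, 79, 90 and 91 all exercise, written out as an added Python example (not from the question bank): install() keeps only the lowest-AD candidate per prefix, which is what leaves the AD 150 static floating, and lookup() then does longest-prefix match over what was installed, where AD plays no part. The routes are the ones from those questions; Q91 gives no prefix, so 203.0.113.0/24 is a constructed placeholder.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str        # e.g. "198.51.100.0/24"
    source: str        # "static", "ospf", "eigrp", ...
    ad: int            # administrative distance: static 1, EIGRP 90, OSPF 110
    metric: int = 0    # only meaningful within one source

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


def install(offered):
    """Step 1 (Q77/Q91): per prefix, only the candidate with the lowest AD
    (then lowest metric) goes into the routing table.  Losers stay out of the
    table as backups, which is what makes a high-AD static route 'floating'."""
    table = {}
    for r in offered:
        cur = table.get(r.network)
        if cur is None or (r.ad, r.metric) < (cur.ad, cur.metric):
            table[r.network] = r
    return list(table.values())


def lookup(rib, dest):
    """Step 2 (Q79/Q90): longest-prefix match over the installed routes.
    AD never enters this step; it was already used up in install()."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in rib if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


# Q77: OSPF (AD 110) and a floating static (AD 150) for the same prefix.
Q77_OFFERED = [Route("198.51.100.0/24", "ospf", 110),
               Route("198.51.100.0/24", "static", 150)]

# Q79: a static /25, an OSPF /24 and a default route all cover 192.168.10.130.
Q79_OFFERED = [Route("192.168.10.128/25", "static", 1),
               Route("192.168.10.0/24", "ospf", 110),
               Route("0.0.0.0/0", "static", 1)]

# Q90: the static /25 wins on prefix length, not on AD.
Q90_OFFERED = [Route("172.16.10.128/25", "static", 1),
               Route("172.16.10.0/24", "ospf", 110)]

# Q91: EIGRP (AD 90) vs OSPF (AD 110) for one identical prefix.  The question
# gives no prefix, so 203.0.113.0/24 is a constructed placeholder.
Q91_OFFERED = [Route("203.0.113.0/24", "ospf", 110, metric=20),
               Route("203.0.113.0/24", "eigrp", 90, metric=30000)]


if __name__ == "__main__":
    print("Q77 installed:", install(Q77_OFFERED)[0].source)          # ospf
    ospf_lost = [r for r in Q77_OFFERED if r.source != "ospf"]
    print("Q77 after OSPF is lost:", install(ospf_lost)[0].source)   # static
    print("Q79 192.168.10.130 ->", lookup(install(Q79_OFFERED), "192.168.10.130").prefix)
    print("Q90 172.16.10.130 ->", lookup(install(Q90_OFFERED), "172.16.10.130").source)
    print("Q91 installed:", install(Q91_OFFERED)[0].source)          # eigrp
```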

Question 92 (MCQ, medium)

An administrator wants a switchport connected to an end device to move to forwarding quickly but does not want that setting used on inter-switch links. Which feature is intended for that edge-port behavior?

A. PortFast
B. Root guard
C. Loop guard
D. UDLD aggressive

Answer: A

This is correct because PortFast is intended for host-facing edge ports to speed their transition to forwarding.

Why this answer

PortFast is intended for that exact edge-port behavior: it allows a host-facing access port to skip the usual listening and learning delays and transition directly to forwarding, enabling end devices to come online quickly. Root guard is used to protect the root bridge election by restricting which ports can become root ports; it is not designed for edge ports. Loop guard prevents alternate or root ports from becoming designated in the absence of BPDUs, which is a different STP protection mechanism.

UDLD aggressive mode detects and disables unidirectional links on point-to-point links, typically between switches, not for end-device connections. Therefore, only PortFast meets the requirement for fast forwarding on an edge port without affecting inter-switch links.

Exam trap

Be careful not to confuse PortFast with other STP-related features like BPDU Guard or Root Guard, which serve different purposes.

Why the other options are wrong

B

Root guard is used to protect the root bridge election by restricting ports that could become root ports, not to speed up edge-port forwarding.

C

Loop guard prevents alternate or root ports from becoming designated in the absence of BPDUs, which is unrelated to fast forwarding on host-facing ports.

D

UDLD aggressive mode detects and disables unidirectional links on point-to-point switch links, not for end-device connections.

93
Drag & Drop (medium)

Drag and drop the following steps into the correct order to configure inter‑VLAN routing between VLANs 10 and 20, using a router‑on‑a‑stick with VLAN 99 as the native VLAN on the trunk link.

Why this order

The correct order is: first create VLANs on the switch to define the VLAN database. Second, assign switch ports to the appropriate VLANs so that end hosts are placed in their correct broadcast domains. Third, configure the switch port facing the router as an 802.1Q trunk and set the native VLAN to 99 – this allows tagged traffic from multiple VLANs to traverse a single link while matching the native VLAN on both sides.

Fourth, enable the router's physical interface (no shutdown) so that subinterfaces can pass traffic. Next, create subinterfaces for each data VLAN, specifying the correct 802.1Q encapsulation and IP address for each VLAN's default gateway. Finally, configure the native VLAN subinterface with the native keyword to ensure that untagged frames from the trunk are handled correctly and that the native VLAN is explicitly defined on the router.

94
MCQ (hard)

Switch SW1 sends traffic for VLAN 30 across a trunk to SW2, but hosts in VLAN 30 on SW2 cannot communicate with hosts in VLAN 30 on SW1. Other VLANs work across the trunk. Which trunk issue is most likely?

A. VLAN 30 is pruned or missing from the allowed VLAN list
B. The native VLAN is set to 1 on both switches
C. The trunk uses 802.1Q encapsulation
D. SW1 is the STP root bridge
Answer: A

Native VLAN settings can matter, but they do not explain why other VLANs still work while VLAN 30 alone fails.

Why this answer

If only one VLAN fails across an otherwise healthy trunk, a missing or filtered VLAN in the allowed list is a common cause. Native VLAN matching and encapsulation would affect broader trunk behavior, not usually just one VLAN in this way.

Exam trap

Beware of assuming that common trunk issues like native VLAN mismatches affect only one VLAN; they typically affect all VLANs.

Why the other options are wrong

B

The native VLAN mismatch or setting does not cause a single VLAN to fail while others work. Native VLAN issues typically cause all traffic to be mis-tagged or dropped, not just one specific VLAN. Here, other VLANs work fine, so native VLAN is not the problem.

C

802.1Q is the standard trunking encapsulation used in modern networks. Using 802.1Q is correct and does not cause a single VLAN to fail. Both switches must use the same encapsulation, but that is not the issue here.

D

STP root bridge status does not affect which VLANs are allowed on a trunk. STP prevents loops but does not block specific VLANs unless configured with VLAN-based STP (like PVST+). Even then, being the root does not block a VLAN; it only influences port roles.

95
MCQ (hard)

A network engineer notices that a switch port connected to a legacy server is experiencing late collisions and the server reports excessive retransmissions. The switch port is configured for auto-negotiation and shows a negotiated speed of 100 Mbps and duplex full. The server's NIC is manually set to 100 Mbps and half-duplex. What is the most likely cause?

A. The switch port is incorrectly configured for auto-negotiation and should be manually set to match the server's NIC.
B. The server's NIC is failing, causing cyclic redundancy check (CRC) errors and forcing retransmissions.
C. A duplex mismatch exists between the switch port and the server NIC.
D. The switch port is overloaded by a broadcast storm, causing an excessive number of collisions.
Answer: C

The switch port negotiated full-duplex at 100 Mbps (as shown in the switch output), while the server NIC is hard-coded to half-duplex. This mismatch causes exactly the observed symptoms: late collisions on the full-duplex switch port and excessive retransmissions on the half-duplex server.

Why this answer

Option C is correct because the switch port is auto-negotiating to full-duplex while the server's NIC is manually set to half-duplex. This creates a duplex mismatch: the switch transmits expecting no collisions (full-duplex), but the server, operating in half-duplex, detects collisions when the switch sends frames while the server is transmitting. Late collisions occur because the collision is detected after the first 64 bytes of the frame, and the server's half-duplex CSMA/CD logic forces retransmissions, matching the symptoms described.

Exam trap

Cisco often tests the concept that auto-negotiation mismatches (e.g., one side set to manual) cause duplex mismatches, and candidates mistakenly think the issue is speed mismatch or that both sides must be manually set, but the trap here is that the server's manual half-duplex setting overrides the auto-negotiation result, creating a duplex mismatch that produces late collisions.

Why the other options are wrong

A

This option reflects the misunderstanding that auto-negotiation itself causes duplex mismatches; in fact the mismatch occurs because one side is manually configured while the other auto-negotiates, and the two sides end up in incompatible modes.

B

This option confuses CRC errors with late collisions. Late collisions are a Layer 1 timing issue, not a data integrity problem.

D

This option attributes all network performance problems to broadcast storms and ignores the specific 'late collisions' counter, which points directly to a duplex mismatch.

96
MCQ (hard)

A network administrator has configured dynamic NAT on a Cisco router to allow internal hosts to access the Internet. Internal hosts can ping external servers, but external hosts cannot initiate connections to any internal host. The administrator checks the NAT translations. What is the most likely cause of this behavior?

A. The NAT pool is exhausted because it contains only 21 addresses, and more than 21 internal hosts are trying to access the Internet simultaneously.
B. The router is configured for dynamic NAT without overload (PAT), so it assigns one public IP per inside host and does not allow inbound connections without a static mapping.
C. The inside local addresses are not in the same subnet as the inside interface, causing asymmetric routing.
D. The outside global addresses are not routable on the Internet, so external hosts cannot send return traffic.
Answer: B

The absence of protocol/port in the translations indicates one-to-one dynamic NAT without overload. This explains why internal hosts can initiate outbound traffic (they get a public IP) but external hosts cannot reach internal hosts (no return path).

Why this answer

Option B is correct because dynamic NAT without overload maps each inside host to a unique public IP from the pool, but it does not allow external hosts to initiate connections because there is no static mapping or port forwarding to direct inbound traffic. The described behavior—internal hosts reaching the Internet while external hosts cannot initiate connections—is typical of dynamic NAT without PAT. With PAT (overload), many internal hosts share a single public IP and inbound connections would still require explicit port forwarding; without overload, the router simply does not know how to translate incoming requests back to the correct inside host.

Exam trap

Candidates often confuse dynamic NAT with Port Address Translation (PAT). The trap is assuming that any dynamic NAT configuration automatically allows inbound connections, but without overload, external hosts cannot reach internal hosts unless static NAT or port forwarding is configured.

Why the other options are wrong

A

The symptom described is that external hosts cannot initiate connections to internal hosts. Even if the NAT pool were exhausted, internal hosts would still be able to initiate outbound connections (using PAT if configured), and external hosts would still be unable to initiate inbound connections unless static NAT or port forwarding is configured. Pool exhaustion would cause outbound failures, not specifically inbound failures.

C

The inside local addresses (192.168.1.x) are private IPs that are typically configured on the inside interface. The NAT translations show them mapping to public IPs, indicating that the router is correctly performing NAT. Asymmetric routing would cause connectivity issues in both directions, not just inbound, and is not indicated by the given symptoms.

D

The question states that internal hosts can ping external servers, which means return traffic is reaching the internal hosts. If the outside global addresses were not routable, the ping would fail because the external server would not be able to send a reply. Therefore, the addresses must be routable in this scenario.

97
MCQ (hard)

A security policy requires that only one management subnet be able to initiate SSH to a router. Which approach most directly supports that requirement?

A. Use an ACL to permit SSH access only from the approved management subnet.
B. Enable PortFast on the router interfaces.
C. Disable all logging on the router.
D. Replace SSH with Telnet for easier filtering.
Answer: A

This is correct because the policy is specifically about restricting management access by source subnet.

Why this answer

The most direct approach is to use an ACL that restricts which source subnet is permitted to reach SSH management access on the router. In practical terms, SSH can remain enabled as the secure protocol, but access to it should still be limited to trusted management sources. That is a classic example of combining secure protocol choice with source restriction.

Options B and C are incorrect because PortFast is a spanning-tree feature unrelated to access control, and disabling logging does not restrict who can initiate SSH. Option D is wrong because Telnet does not filter by subnet and is less secure than SSH.

Exam trap

Don't confuse securing the protocol (SSH) with controlling access by source subnet. They are complementary but distinct actions.

Why the other options are wrong

B

PortFast is a spanning-tree optimization that speeds up the transition of an access port to forwarding; it does not control which sources can initiate SSH.

C

Disabling logging prevents the router from recording events, but it does not prevent unauthorized subnets from attempting SSH access.

D

Replacing SSH with Telnet does not add source filtering and actually reduces security; Telnet transmits credentials in clear text.

98
MCQ (medium)

A host receives its IP address automatically but cannot resolve hostnames. Which additional service information is most likely missing from its configuration?

A. A DNS server address
B. A new MAC address
C. A trunk native VLAN
D. An OSPF router ID
Answer: A

This is correct because DNS service information is needed for hostname resolution.

Why this answer

If the host receives an IP address but cannot resolve hostnames, the most likely missing information is a DNS server setting. In plain language, the device has enough configuration to join the network but not enough to ask where hostnames map in IP terms. DHCP can provide this DNS server information automatically, and if it is missing, the host may still communicate by IP while failing on names.

This is a common service-troubleshooting pattern because it separates address configuration from name resolution. The correct answer is the missing DNS-related setting rather than the IP address itself or the subnet mask.

Exam trap

A frequent exam trap is assuming that if a host receives an IP address via DHCP, it automatically has all necessary network information, including DNS server addresses. This mistake overlooks that DHCP can provide IP address and subnet mask without DNS settings. Candidates might incorrectly select options related to MAC address changes, VLAN configurations, or routing protocols like OSPF, which do not affect hostname resolution.

The trap is confusing IP connectivity with name resolution, leading to wrong answers that ignore the essential role of DNS in translating hostnames to IP addresses.

Why the other options are wrong

B

Incorrect because changing the MAC address does not affect DNS or hostname resolution. MAC addresses operate at Layer 2 and are unrelated to IP services like DNS.

C

Incorrect because a trunk native VLAN setting relates to VLAN tagging on switches and does not impact a host’s ability to resolve hostnames or DNS functionality.

D

Incorrect because OSPF router ID is a routing protocol parameter used by routers and does not influence DNS or hostname resolution on end hosts.

99
Matching (medium)

Drag and drop the ACL commands and concepts on the left to their correct descriptions on the right.

Descriptions to match (the ACL commands and concepts are dragged onto these):

  • Extended ACL that permits HTTP traffic
  • Standard ACL that permits a subnet
  • Wildcard mask that matches only the last octet
  • Applies ACL 10 inbound on an interface
  • Creates a named extended ACL
  • Wildcard mask that matches all IP addresses

Why these pairings

Standard ACLs filter only by source IP. Extended ACLs offer more granular filtering. Named ACLs use names for identification.

Implicit deny is the default deny-all at the end. Inbound ACLs process traffic before routing, outbound after routing.

Exam trap

Do not confuse the filtering criteria of standard vs. extended ACLs. Standard ACLs only use source IP; extended ACLs use source/destination IP, protocol, and port. Also, remember that named ACLs are just a naming method, not a different filtering type.
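
The source-subnet restriction in question 97 and the wildcard-mask and implicit-deny concepts in question 99 can be checked against real addresses with a small evaluator. The Python below is an added example, not code from the page or from Cisco: it parses IOS standard-ACL syntax, applies Cisco wildcard semantics (0 bits must match, 1 bits are ignored), and models the top-down, first-match, implicit-deny behaviour that an 'access-class <number> in' on the vty lines applies to each inbound SSH source. The 10.10.10.0/24 management subnet and the configuration lines are constructed for the example.

```python
from ipaddress import IPv4Address
from typing import List, Tuple

Entry = Tuple[str, str, str]  # (action, base address, wildcard mask)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit means 'must match', a 1 bit means
    'don't care'. 0.0.0.255 leaves only the last octet free (a /24), and
    255.255.255.255 matches every address (what the 'any' keyword expands to)."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_standard_acl(config_lines: List[str]) -> Tuple[int, List[Entry]]:
    """Parse IOS standard-ACL lines 'access-list <n> {permit|deny} <source> [log]'
    where <source> is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'.
    Lines that are not access-list statements are ignored."""
    number, entries = 0, []
    for line in config_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number, action, src = int(parts[1]), parts[2], parts[3]
        if src == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif src == "host":
            base, wildcard = parts[4], "0.0.0.0"
        else:
            base = src
            # IOS treats a missing wildcard as 0.0.0.0, i.e. a single host
            wildcard = parts[4] if len(parts) > 4 and parts[4] != "log" else "0.0.0.0"
        entries.append((action, base, wildcard))
    return number, entries


def evaluate(entries: List[Entry], src: str) -> Tuple[str, str]:
    """Top-down, first match wins; anything unmatched hits the implicit deny."""
    for index, (action, base, wildcard) in enumerate(entries, start=1):
        if wildcard_match(src, base, wildcard):
            return action, f"entry {index}: {action} {base} {wildcard}"
    return "deny", "implicit deny"


def ssh_allowed(entries: List[Entry], src: str) -> bool:
    """Models 'access-class <number> in' on the vty lines: the ACL is checked
    against the source of each inbound SSH session before a login is offered."""
    return evaluate(entries, src)[0] == "permit"


# Constructed configuration: 10.10.10.0/24 stands in for the approved management
# subnet. The explicit 'deny any log' behaves like the implicit deny but also
# logs the rejected source, which is what a defender wants to see from hosts
# that should never be opening SSH to a router.
MGMT_ACL_CONFIG = [
    "access-list 10 permit 10.10.10.0 0.0.0.255",
    "access-list 10 deny any log",
    "line vty 0 4",
    " access-class 10 in",
    " transport input ssh",
]

if __name__ == "__main__":
    number, entries = parse_standard_acl(MGMT_ACL_CONFIG)
    for src in ("10.10.10.25", "10.10.20.25", "203.0.113.9"):
        print(src, "->", evaluate(entries, src))
```

Running it shows the management host permitted by entry 1 and the other two sources denied by entry 2; dropping the explicit deny line and re-running shows the same result attributed to the implicit deny, which is the behaviour the exam expects you to remember.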

100
MCQ (hard)

A router learns the same destination prefix from OSPF and from a static route configured with administrative distance 90. Which route is preferred by default?

A. The static route with distance 90
B. The OSPF route, because dynamic routes always beat static routes
C. Both routes equally, because the prefix is identical
D. Neither route, because duplicate information is dropped
Answer: A

This is correct because 90 is lower than OSPF’s default administrative distance of 110.

Why this answer

The static route is preferred because its administrative distance of 90 is lower than OSPF’s default administrative distance of 110. In practical terms, when the prefix length is the same, the router compares route-source trust next. The lower administrative distance wins.

This question is important because many learners remember that static routes are often strong choices but forget that administrative distance can be tuned. Here, that tuning explicitly makes the static route more preferred than OSPF.

Exam trap

A frequent exam trap is believing that dynamic routing protocols like OSPF always take precedence over static routes. Many candidates mistakenly think that dynamic routes inherently override static routes regardless of administrative distance. However, Cisco routers use administrative distance as the primary factor in route selection, not the route source type.

Since the static route in this question has an AD of 90, which is lower than OSPF’s default 110, the static route is preferred. Misunderstanding this can lead to incorrect answers and confusion about route installation in the routing table.

Why the other options are wrong

B

This option is incorrect because route preference is determined by administrative distance, not by a blanket rule that dynamic routes always beat static routes.

C

This option is incorrect because identical prefix length alone does not guarantee equal route preference; administrative distance is the deciding factor.

D

This option is incorrect because routers do not drop duplicate routing information; instead, they choose the best route based on administrative distance.

101
PBQ (medium)

You are connected to R1 via console. R1 has two paths to the Internet: primary via ISP1 (G0/0) and backup via ISP2 (G0/1). The primary route has an administrative distance of 1, and the backup should only be used if the primary fails. Currently, both routes are active. You need to configure a floating static route for the backup.

Network Topology
R1 G0/0 198.51.100.1/30, link to ISP1; R1 G0/1 203.0.113.1/30, link to ISP2

Hints

  • The existing default route has AD 1.
  • Use a higher administrative distance for the backup route.
  • The backup route should point to the ISP2 next-hop.
A. ip route 0.0.0.0 0.0.0.0 G0/1 200
B. ip route 0.0.0.0 0.0.0.0 G0/1 1
C. ip route 0.0.0.0 0.0.0.0 G0/1 0
D. ip route 0.0.0.0 0.0.0.0 G0/1 255
Answer: A
Solution:
! R1
ip route 0.0.0.0 0.0.0.0 203.0.113.2 200
end

Why this answer

A floating static route with a higher administrative distance (200) than the primary route (1) ensures it is only used when the primary route is removed from the routing table, providing redundancy.

Exam trap

Remember that a floating static route must have a higher administrative distance than the primary route. Do not confuse 'higher' with 'lower' or use extreme values like 0 or 255. Also, ensure the backup route is configured with the correct next-hop interface or IP address.

Why the other options are wrong

B

The specific factual error is that an AD of 1 does not create a floating static route; it matches the primary route's AD, so both routes are used.

C

The specific factual error is that AD 0 is used for directly connected routes; using it for a static route would override the primary route.

D

The specific factual error is that AD 255 means the route is not trusted and will not be installed; it cannot serve as a backup.
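
The EIGRP-versus-OSPF comparison explained above, question 100 and the floating static route in question 101 all follow one rule: longest prefix match first, then the lowest administrative distance among routes to the same prefix, with AD 255 never installed. The Python model below is an added example, not code from the page or from Cisco. The candidate routes are constructed; 203.0.113.2 is the ISP2 next hop from the question 101 solution, while 198.51.100.2 is an assumed ISP1 next hop and the 10.0.0.x next hops are placeholders.

```python
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional

# Default administrative distances on Cisco IOS for the sources used here.
AD_DEFAULTS = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110}


class Route(NamedTuple):
    prefix: str    # destination prefix, e.g. "198.51.100.0/24"
    next_hop: str  # next-hop address
    source: str    # "connected", "static", "eigrp" or "ospf"
    ad: int        # administrative distance; a static route may carry a tuned value


def best_route(candidates: List[Route], destination: str) -> Optional[Route]:
    """Pick the route a router would forward on for `destination`.

    Decision order: longest prefix match first; among routes to that same
    prefix, the lowest administrative distance. A route with AD 255 is never
    installed, so it is discarded before the comparison.
    """
    dst = ip_address(destination)
    matching = [r for r in candidates
                if r.ad < 255 and dst in ip_network(r.prefix)]
    if not matching:
        return None
    longest = max(ip_network(r.prefix).prefixlen for r in matching)
    same_length = [r for r in matching
                   if ip_network(r.prefix).prefixlen == longest]
    return min(same_length, key=lambda r: r.ad)


def withdraw(candidates: List[Route], next_hop: str) -> List[Route]:
    """Model a failed link: every route via `next_hop` leaves the table."""
    return [r for r in candidates if r.next_hop != next_hop]


# Constructed candidate routes (not taken from any device output on the page).
CANDIDATES = [
    Route("198.51.100.0/24", "10.0.0.2", "ospf", AD_DEFAULTS["ospf"]),
    Route("198.51.100.0/24", "10.0.0.3", "eigrp", AD_DEFAULTS["eigrp"]),
    Route("192.0.2.0/24", "10.0.0.2", "ospf", AD_DEFAULTS["ospf"]),
    Route("192.0.2.0/24", "10.0.0.4", "static", 90),      # static tuned to AD 90
    Route("192.0.2.0/25", "10.0.0.5", "ospf", AD_DEFAULTS["ospf"]),
    Route("0.0.0.0/0", "198.51.100.2", "static", 1),       # primary default via ISP1 (assumed next hop)
    Route("0.0.0.0/0", "203.0.113.2", "static", 200),      # floating static backup via ISP2
]


def demo() -> dict:
    """Chosen (source, prefix, AD) for a few destinations, including the
    failover once every route via the ISP1 next hop is withdrawn."""
    results = {}
    for dst in ("198.51.100.77", "192.0.2.200", "192.0.2.10", "8.8.8.8"):
        r = best_route(CANDIDATES, dst)
        results[dst] = (r.source, r.prefix, r.ad)
    r = best_route(withdraw(CANDIDATES, "198.51.100.2"), "8.8.8.8")
    results["8.8.8.8 after ISP1 failure"] = (r.source, r.prefix, r.ad)
    return results


if __name__ == "__main__":
    for dst, chosen in demo().items():
        print(f"{dst:>28}: {chosen}")
```

Two of the destinations show why prefix length is checked before AD: 192.0.2.10 is forwarded on the OSPF /25 even though a static /24 with AD 90 exists, while 192.0.2.200 falls outside the /25 and is forwarded on that AD 90 static route.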

102
Drag & Drop (medium)

Drag and drop the following steps into the correct order to send a RESTCONF GET request to retrieve interface configuration from a Cisco IOS-XE device and apply a configuration change based on the response.

Why this order

The correct workflow is to first retrieve the current configuration with a GET request, then analyze the response to understand what changes are needed, create the updated payload in JSON or XML, and finally apply the change using PUT or PATCH.

Exam trap

Do not confuse the order of operations: you must retrieve the current configuration before analyzing or modifying it. The GET request is always the first step in a read-modify-write workflow.
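
The read-modify-write workflow above (GET, analyze, build the payload, PUT or PATCH) is shown here as an added Python example; it is not code from the page or from Cisco. It assumes the RESTCONF path for one entry of the IETF interfaces YANG list, ietf-interfaces:interfaces/interface=<name>, and the application/yang-data+json media type. The in-memory FakeDevice is a constructed stand-in for an IOS-XE RESTCONF server so the example runs offline; it also demonstrates that the API still refuses requests without valid credentials. The real http_transport is only used against a live device.

```python
import base64
import json
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

YANG_JSON = "application/yang-data+json"
# RESTCONF path to one entry of the IETF interfaces list; the list key is in the URL.
INTERFACE_PATH = "ietf-interfaces:interfaces/interface={name}"

Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, str]]


def basic_auth_header(user: str, password: str) -> str:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def http_transport(method: str, url: str, headers: Dict[str, str],
                   body: Optional[bytes]) -> Tuple[int, str]:
    """Real transport for a live device: HTTPS via urllib, returns (status, text)."""
    request = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(request) as response:
        return response.status, response.read().decode()


class RestconfClient:
    def __init__(self, host: str, user: str, password: str,
                 transport: Transport = http_transport):
        self.base = f"https://{host}/restconf/data/"
        self.headers = {"Accept": YANG_JSON, "Content-Type": YANG_JSON,
                        "Authorization": basic_auth_header(user, password)}
        self.transport = transport

    def get(self, path: str) -> dict:
        status, text = self.transport("GET", self.base + path, self.headers, None)
        if status != 200:
            raise RuntimeError(f"GET {path} returned {status}")
        return json.loads(text)

    def patch(self, path: str, payload: dict) -> int:
        body = json.dumps(payload).encode()
        status, _ = self.transport("PATCH", self.base + path, self.headers, body)
        if status not in (200, 204):
            raise RuntimeError(f"PATCH {path} returned {status}")
        return status


def set_interface_description(client: RestconfClient, name: str, description: str) -> str:
    """Read-modify-write: GET the interface, compare, PATCH only the changed leaf.
    Returns 'unchanged' when no write was needed, otherwise 'patched'."""
    path = INTERFACE_PATH.format(name=name)
    current = client.get(path)["ietf-interfaces:interface"]
    if isinstance(current, list):          # some servers wrap a list entry in an array
        current = current[0]
    if current.get("description") == description:
        return "unchanged"
    client.patch(path, {"ietf-interfaces:interface": {"name": name, "description": description}})
    return "patched"


class FakeDevice:
    """Constructed in-memory stand-in for an IOS-XE RESTCONF server. It rejects
    bad credentials and wrong media types as a real server would, applies a
    PATCH as a merge, and keeps an audit log of (method, path) calls."""

    def __init__(self, interfaces: List[dict], user: str, password: str):
        self.store = {i["name"]: dict(i) for i in interfaces}
        self.auth = basic_auth_header(user, password)
        self.log: List[Tuple[str, str]] = []

    def __call__(self, method, url, headers, body):
        path = url.split("/restconf/data/", 1)[1]
        self.log.append((method, path))
        if headers.get("Authorization") != self.auth:
            return 401, ""                   # a REST API still requires authentication
        if headers.get("Accept") != YANG_JSON:
            return 406, ""
        name = path.split("interface=", 1)[-1]
        if name not in self.store:
            return 404, ""
        if method == "GET":
            return 200, json.dumps({"ietf-interfaces:interface": self.store[name]})
        if method == "PATCH":
            if headers.get("Content-Type") != YANG_JSON:
                return 415, ""
            self.store[name].update(json.loads(body)["ietf-interfaces:interface"])
            return 204, ""
        return 405, ""


if __name__ == "__main__":
    device = FakeDevice([{"name": "GigabitEthernet1", "description": "uplink", "enabled": True}],
                        "admin", "constructed-password")
    client = RestconfClient("192.0.2.10", "admin", "constructed-password", transport=device)
    print(set_interface_description(client, "GigabitEthernet1", "uplink to ISP1"))
    print(device.log)
```

The PATCH carries only the leaf that changed, so the other interface settings (here "enabled") survive untouched; a PUT on the same URL would replace the whole interface entry and must carry every leaf you want to keep.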

103
MCQ (easy)

In a REST-style API, which method is most commonly associated with retrieving information?

A. GET
B. DELETE
C. POST
D. PUT
Answer: A

This is correct because GET is commonly used for reading information from an API.

Why this answer

GET is the method most commonly associated with retrieving information. In practical terms, when a client wants to read state, inventory, or configuration details from an API endpoint without modifying the resource, GET is the expected choice.

This is a core automation vocabulary question and works well as an easier confidence-building item.

Exam trap

Avoid confusing GET with other HTTP methods like POST, PUT, or DELETE, which are used for modifying resources.

Why the other options are wrong

B

The DELETE method is used to remove a resource from the server, not to retrieve information. Using DELETE for retrieval would violate REST principles and could lead to unintended data loss.

C

POST is used to create a new resource or submit data to be processed, not to retrieve information. It is not idempotent and often changes server state, making it unsuitable for simple retrieval.

D

PUT is used to update or replace an existing resource, or create one at a specific URI. It is idempotent but modifies server state, so it is not appropriate for retrieving information.

104
MCQ (medium)

What is a main operational benefit of a controller-based networking architecture?

A. It removes the need for IP addressing
B. It centralizes policy and can simplify network-wide changes
C. It eliminates the data plane on switches
D. It forces all routes to become static
Answer: B

Correct. Centralized policy is a major benefit.

Why this answer

Controller-based architectures centralize the control plane, enabling network-wide policy management and simplifying changes. This is the correct answer because it accurately describes the primary operational benefit. Option A is wrong because controller-based architectures still require IP addressing for management and communication.

Option C is wrong because the data plane on switches remains operational for local forwarding; only the control plane may be centralized. Option D is wrong because dynamic routing protocols can still be used, and routes are not forced to be static.

Exam trap

A common exam trap is selecting answers that incorrectly claim controller-based architectures remove the need for IP addressing or eliminate the data plane on switches. While controllers centralize control functions, switches still perform local forwarding (data plane) and require IP addresses for management and routing. Another trap is believing that all routes become static under controller control; dynamic routing protocols continue to operate normally.

Misunderstanding these distinctions can lead to choosing incorrect options that overstate the controller's role, so focus on the controller’s role in centralizing policy rather than replacing fundamental network functions.

Why the other options are wrong

A

Option A is incorrect because controller-based architectures do not remove the need for IP addressing. IP addresses remain essential for device identification, management, and routing functions within the network.

C

Option C is incorrect since the data plane on switches is not eliminated. Switches continue to forward traffic locally based on instructions from the controller, maintaining essential forwarding functions.

D

Option D is incorrect because controller-based networks do not force all routes to become static. Dynamic routing protocols such as OSPF and EIGRP still operate under centralized policy control.

105
Multi-Select (hard)

Which two statements accurately describe REST-based APIs in a network automation context?

Select 2 answers
A. They commonly use HTTP methods such as GET, POST, PUT, and DELETE.
B. They require Telnet to exchange structured data.
C. They often exchange structured data in formats such as JSON.
D. They can be used only on physical routers and never on controllers.
E. They eliminate the need for authentication or authorization.
Answers: A, C

This is correct because REST APIs typically use familiar HTTP verbs to represent operations.

Why this answer

REST APIs are a modern way for software tools to interact with networking systems. In plain language, they let one application ask another application for information or tell it to make a change using standard web-style requests. That is why methods such as GET, POST, PUT, and DELETE show up so often in automation examples. REST APIs also commonly exchange structured data, and JSON is one of the most common formats because it is compact and easy to process programmatically.

They do not depend on Telnet, and they absolutely do not remove the need for security controls. In real deployments, authentication and authorization are often critical. REST APIs are also not limited to one device category. They can exist on routers, switches, wireless controllers, cloud platforms, and many other systems.

Exam trap

A common exam trap is assuming that REST-based APIs require Telnet or similar legacy protocols for communication. This misconception arises because Telnet was historically used for device management, but REST APIs exclusively use HTTP or HTTPS. Another trap is believing REST APIs remove the need for authentication or authorization; in fact, security controls are mandatory to protect network devices from unauthorized access.

Misunderstanding the device scope is also frequent, as some think REST APIs only apply to physical routers, ignoring their availability on controllers and other network elements. Recognizing these pitfalls is essential to avoid incorrect answers.

Why the other options are wrong

B

Option B is incorrect because REST APIs do not use Telnet; they rely on HTTP or HTTPS protocols for communication, making Telnet irrelevant in this context.

D

Option D is incorrect since REST APIs are not limited to physical routers; they are also implemented on controllers, switches, and other network devices, enabling broad automation capabilities.

E

Option E is incorrect because REST APIs require authentication and authorization to secure access, so they do not eliminate the need for security controls in network automation.

106
MCQ (hard)

A network technician replaced a faulty SFP transceiver on a switch port. After replacement, the port remains in a down/down state. The technician verifies the fiber cable is securely connected at both ends and observes that the remote switch port is also in a down/down state. What should the technician do next?

A. Verify that the speed and duplex settings are set to auto-negotiation.
B. Check whether the SFP module type is incompatible with the switch.
C. Verify the VLAN assignment on the port.
D. Check the running configuration for the no shutdown command on the interface.
Answer: D

This is the most immediate and logical next step. A shut-down interface displays as down/down (or administratively down/down), and without verifying the administrative state, all other troubleshooting is premature. The technician has already addressed physical connectivity, so a configuration oversight must be ruled out.

Why this answer

The correct answer is D because the most common cause of a port remaining in a down/down state after replacing a faulty SFP is that the interface is administratively down. The 'no shutdown' command must be applied to bring the interface up. Since the technician already verified physical connectivity and both ends show down/down, the issue is likely at the configuration layer, not the physical layer.

Exam trap

Cisco often tests the distinction between physical layer issues (cable, SFP) and administrative state issues (shutdown), where candidates mistakenly focus on hardware compatibility or VLAN settings when the port is simply disabled via configuration.

Why the other options are wrong

A

Candidates assume a speed mismatch must be the problem due to the down/down state, overlooking that a shutdown interface also appears down/down (without the 'administratively' prefix in some outputs) and that the physical check was already done.

B

The urgency to blame the newly installed hardware leads many to skip the quick-win config check, potentially wasting time on hardware replacement when the fix is a single command.

C

Candidates often confuse link status with connectivity issues that occur after the link is up, mistakenly targeting a Layer 2 problem for a Layer 1 symptom.

107
Drag & Drop (medium)

Drag and drop the following troubleshooting steps into the correct order to diagnose client connectivity using the OSI bottom-up method.

Why this order

Following the OSI bottom-up model, we begin with Layer 1 physical connectivity (cabling and link lights), then Layer 2 data link (VLAN and switchport configuration), Layer 3 network (IP configuration and default gateway), and finally Layer 7 application (DNS resolution and application settings).

Exam trap

The trap is that candidates may jump to common higher-layer issues (like IP or DNS) without first verifying the physical and data link layers. Always start at Layer 1 in the bottom-up method.

108
PBQ (medium)

You are connected to SW1 via the console. SW1 is a Layer 2 switch with two redundant links to SW2 (G0/1 and G0/2). The network administrator wants to use both links for load balancing and redundancy by configuring EtherChannel. You need to configure a Layer 2 EtherChannel using LACP on both switches. The port-channel should be in VLAN 1.

Network Topology
SW1 to SW2 over the two redundant links (G0/1 and G0/2 on each side), bundled as an EtherChannel

Hints

  • LACP uses modes active or passive; both sides must be active or one active and one passive.
  • The physical interfaces must have the same configuration before being added to the port-channel.
  • The port-channel interface inherits the configuration applied to it, not the physical interfaces.
A. interface port-channel 1; switchport mode access; switchport access vlan 1; interface range GigabitEthernet0/1-2; channel-group 1 mode active
B. interface port-channel 1; switchport mode trunk; switchport trunk allowed vlan 1; interface range g0/1-2; channel-group 1 mode desirable
C. interface port-channel 1; switchport mode access; switchport access vlan 1; interface range g0/1-2; channel-group 1 mode passive
D. interface port-channel 1; switchport mode access; switchport access vlan 1; interface g0/1; channel-group 1 mode active; interface g0/2; channel-group 2 mode active
Answer: A
Solution:
! SW1
interface GigabitEthernet0/1
channel-group 1 mode active
interface GigabitEthernet0/2
channel-group 1 mode active
interface Port-channel1
switchport mode access
switchport access vlan 1

! SW2
interface GigabitEthernet0/1
channel-group 1 mode active
interface GigabitEthernet0/2
channel-group 1 mode active
interface Port-channel1
switchport mode access
switchport access vlan 1

Why this answer

EtherChannel bundles multiple physical links into a single logical link for load balancing and redundancy. LACP (mode active) negotiates the bundle automatically. The port-channel interface must be configured with the desired switchport settings.

Exam trap

Be careful to distinguish between LACP modes (active/passive) and PAgP modes (desirable/auto). Also, remember that all interfaces in an EtherChannel must use the same channel-group number and have consistent switchport settings. A common mistake is to configure trunk when an access port is needed, or to use passive on both sides, which prevents the bundle from forming.

Why the other options are wrong

B

Uses PAgP mode 'desirable' instead of LACP mode 'active'. Additionally, configuring trunk is unnecessary for a single VLAN access port.

C

Using 'passive' on both sides would prevent the EtherChannel from forming because neither side sends LACP packets.

D

Using different channel-group numbers creates separate EtherChannels, not a single bundle. Both interfaces must be in the same channel-group to form one logical link.

109
Multi-Select (medium)

Which four of the following are characteristics of 802.1Q trunking? (Choose four.)

Select 3 answers
A. The native VLAN frames are transmitted untagged on the trunk.
B. The 802.1Q tag is inserted after the Source MAC address and before the EtherType/Length field.
C. VLANs can be pruned from a trunk to restrict unnecessary traffic.
D. 802.1Q encapsulates the entire Ethernet frame with a new header.
E. The 802.1Q tag increases the maximum frame size to 1522 bytes.
F. Dynamic Trunking Protocol (DTP) is required for 802.1Q to function.

Why this answer

802.1Q trunking uses a single native VLAN per trunk, and frames belonging to that VLAN are transmitted without an 802.1Q tag, allowing interoperability with devices that do not understand trunking. The 802.1Q tag is inserted between the Source MAC address and the EtherType/Length field, adding a 4-byte tag that includes the VLAN ID and priority information. VLAN pruning, such as via VTP pruning or manual configuration, allows a switch to restrict unnecessary VLAN traffic from being sent over a trunk, reducing bandwidth waste.

Additionally, the 802.1Q tag increases the maximum Ethernet frame size from 1518 bytes to 1522 bytes, due to the extra 4 bytes inserted.

Exam trap

Candidates often forget that the 802.1Q tag adds 4 bytes to the frame, increasing the maximum Ethernet frame size to 1522 bytes (including the FCS), and may confuse this with the standard 1518-byte limit or think the tag is part of the payload.

Why the other options are wrong

D

802.1Q does not encapsulate the entire Ethernet frame; it inserts a 4-byte tag into the existing frame header, not around it.

F

Dynamic Trunking Protocol (DTP) is not required for 802.1Q to function; trunks can be configured manually without using DTP.

110
Multi-Selectmedium

Which THREE statements correctly describe the configuration and verification of NAT, PAT, and static NAT?

Select 3 answers
A.To configure static NAT, use the command 'ip nat inside source static <inside-local> <inside-global>'.
B.PAT uses the command 'ip nat inside source list <acl> interface <interface> overload' to translate multiple inside addresses to the interface's IP using different port numbers.
C.The command 'show ip nat statistics' displays the current active translations including inside and outside addresses.
D.When configuring dynamic NAT, you must define a NAT pool using the command 'ip nat pool <name> <start-ip> <end-ip> netmask <mask>' and then use an ACL to match inside traffic.
E.To verify that static NAT is working, you should check the output of 'show ip interface brief' and look for the translated IP.
AnswersA, B, D

This command creates a one-to-one mapping between a private (inside local) and a public (inside global) IP address.

Why this answer

Option A is correct because the 'ip nat inside source static' command creates a one-to-one permanent NAT mapping. Option B is correct because PAT is configured by adding the 'overload' keyword to a dynamic NAT statement that references an ACL and an interface, allowing many private addresses to share a single public IP with different port numbers. Option D is correct: dynamic NAT requires a NAT pool defined with 'ip nat pool' and an access list to identify the inside traffic to be translated.

Option C is incorrect because 'show ip nat statistics' only displays counters and summary information, not the active translation entries; those are shown with 'show ip nat translations'. Option E is incorrect because 'show ip interface brief' does not show NAT translation mappings; verification of static NAT requires 'show ip nat translations'.

Exam trap

Cisco often tests the distinction between 'show ip nat statistics' (counters and summary) and 'show ip nat translations' (active mappings), leading candidates to mistakenly believe that statistics shows the actual translation entries.

Why the other options are wrong

C

The command 'show ip nat statistics' provides summary statistics such as total translations, hits, misses, and expired translations, but it does not list the actual translation entries. To view active translations, you must use 'show ip nat translations'.

E

The command 'show ip interface brief' displays the status and IP addresses of interfaces, but it does not show NAT translations. To verify static NAT, use 'show ip nat translations' (a static entry is listed permanently, whether or not traffic is flowing) and 'show ip nat statistics' for hit and miss counters and the list of inside/outside interfaces.
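Added worked example (not from the original page): the three NAT forms named in the options configured on one router, followed by the verification commands the question distinguishes. Interface names, the LAN and public address blocks, the server address and the ACL/pool names are assumptions.

```cisco
! Added example, not from the original page. Assumed: Gi0/0 = LAN 192.168.10.0/24,
! Gi0/1 = ISP-facing, public block 203.0.113.0/24, internal server 192.168.10.50.
configure terminal
!
! Nothing is translated until one interface is marked inside and one outside
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
! Static NAT: permanent one-to-one entry; also lets outside hosts initiate to the server
ip nat inside source static 192.168.10.50 203.0.113.50
!
! Dynamic NAT: the ACL selects inside-local addresses, the pool supplies inside-global ones
ip access-list standard NAT-INSIDE
 permit 192.168.10.0 0.0.0.255
ip nat pool PUBLIC-POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
ip nat inside source list NAT-INSIDE pool PUBLIC-POOL
!
! PAT: same ACL, but every host shares the outside interface address, told apart by port.
! Use either the pool rule above or this overload rule for a given ACL, not both;
! it is commented out here so the block loads cleanly.
! ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload
end
!
! Verification
! Active entries; the static entry is always present, dynamic/PAT entries only while traffic flows
show ip nat translations
! Counters (hits, misses, expired), pool usage and the inside/outside interface list
show ip nat statistics
! Flush dynamic entries; static entries are kept
clear ip nat translation *
```

The security-relevant difference between the three forms is exposure: a static entry is reachable from outside at all times, while dynamic and PAT entries exist only for sessions an inside host opened, so reserve static NAT for hosts that are meant to accept inbound connections.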

111
Drag & Dropmedium

Drag and drop the following steps into the correct order to replace a faulty SFP module on a Cisco switch and verify the fiber interface.


Why this order

The faulty SFP must be removed first, then the new SFP installed, cable connected, and finally verification steps performed to confirm link and transceiver status using 'show interfaces' and 'show interfaces transceiver' commands.

Exam trap

The trap is that candidates may confuse the order of installation and verification. Remember: always remove the faulty module first, then install, then connect cables, and finally verify. Do not skip the removal step or verify before installation.

112
MCQmedium

An access switch port shuts down as soon as a user connects a small unmanaged switch under the desk. Which feature caused that behavior?

A.Root Guard
B.BPDU Guard
C.Loop Guard
D.Storm control
AnswerB

BPDU Guard shuts an edge port down if it receives a BPDU.

Why this answer

BPDU Guard is meant to protect access ports by shutting them down if BPDUs are received. That usually means someone connected another switch where only an endpoint should exist.

Exam trap

A frequent exam trap is mistaking BPDU Guard for Root Guard or Loop Guard. Candidates often confuse Root Guard’s role in blocking superior BPDUs with BPDU Guard’s immediate port shutdown on any BPDU reception. Similarly, Loop Guard protects against missing BPDUs but does not err-disable ports.

This confusion leads to selecting incorrect answers that do not cause the port to shut down when a small unmanaged switch is connected. Remember, only BPDU Guard err-disables the port upon receiving BPDUs on an access port, which is the exact behavior described in the question.

Why the other options are wrong

A

Root Guard blocks superior BPDUs on a designated port by placing it in the root-inconsistent (blocking) state, and releases it automatically once those BPDUs stop; it does not err-disable the port. It is designed to maintain root bridge stability rather than protect edge ports from unauthorized switches.

C

Loop Guard protects against loops caused by unidirectional link failures: when expected BPDUs stop arriving, it moves the port into the loop-inconsistent (blocking) state instead of letting it transition to forwarding. It reacts to missing BPDUs, not received ones, and does not err-disable the port, so it cannot cause the shutdown described.

D

Storm Control monitors traffic levels to prevent broadcast, multicast, or unicast storms by blocking traffic when thresholds are exceeded. It does not react to BPDUs or cause ports to shut down upon BPDU reception, so it is unrelated to the described behavior.
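Added worked example (not from the original page): how BPDU Guard is enabled on access ports, globally and per port, together with the err-disable recovery setting that decides whether the port comes back on its own. Port numbers, the VLAN and the recovery interval are assumptions.

```cisco
! Added example, not from the original page. Assumed: Gi1/0/1-24 are user-facing access ports.
configure terminal
!
! Option 1: global. Every PortFast edge port gets BPDU Guard automatically.
! (Recent IOS-XE releases spell these 'spanning-tree portfast edge default' and
!  'spanning-tree portfast edge bpduguard default'.)
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Option 2: per port. Works regardless of the global setting and of PortFast.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Without recovery an err-disabled port stays down until an admin does shut / no shut.
! With it the port is re-enabled after the interval and is disabled again if BPDUs still arrive.
errdisable recovery cause bpduguard
errdisable recovery interval 300
end
!
! Verification
show spanning-tree summary
show spanning-tree interface GigabitEthernet1/0/5 detail
show interfaces status err-disabled
show errdisable recovery
```

The reason this belongs on every access port: a switch plugged in under a desk advertises its own bridge ID, and if that ID is lower than the real root's it can take over the spanning tree and pull the segment's traffic through an unmanaged device. Err-disabling the port on the first BPDU closes that window; Root Guard alone would only keep the rogue from becoming root.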

113
Matchingmedium

Match each automation-related term to the description that best fits it.

Descriptions

Structured data format

Data-modeling language

Access-related value used by a client

Secure transport for API communication

Why these pairings

JSON is a lightweight structured data format commonly used in REST APIs for data interchange, so it matches 'Structured data format'. YANG is a data-modeling language used to define the structure of configuration and state data in NETCONF/YANG models. A token is an access-related value (e.g., API token) used by a client to authenticate and authorize requests.

HTTPS (HTTP over TLS) provides secure, encrypted transport for API communication. Terms such as idempotent or declarative describe other automation properties and do not belong to any of these four pairings.

Exam trap

Do not confuse 'agentless' with 'declarative': agentless describes how a tool reaches a device (Ansible pushes configuration over SSH or an API with no agent installed on the device), while declarative describes how the desired state is written. Neither term is one of the four concepts matched above.

114
MCQhard

An engineer is troubleshooting an OSPFv3 adjacency issue between two routers R1 and R2 connected over a serial link. The link is up/up on both sides, and IPv6 is enabled on the interfaces. However, the 'show ipv6 ospf neighbor' command shows no neighbors. The engineer checks the OSPFv3 configuration. What is the most likely cause of the missing adjacency?

A.The serial interface on R2 is administratively down.
B.OSPFv3 authentication is configured on R1 but not on R2.
C.The IPv6 address on R2 is in a different subnet than R1.
D.The OSPFv3 router-id is not configured on R2.
AnswerB

R1 has IPsec authentication under router ospfv3, but R2 does not. This mismatch prevents adjacency formation.

Why this answer

Option B is correct because OSPFv3 uses IPsec for authentication, unlike OSPFv2 which uses plaintext or MD5 authentication. If authentication is configured on one router but not the other, the OSPFv3 Hello packets will be dropped, preventing neighbor adjacency from forming. The 'show ipv6 ospf neighbor' command will show no neighbors because the routers cannot exchange Hello packets successfully.

Exam trap

Cisco often tests the misconception that OSPFv3 requires matching subnets (like OSPFv2) or that authentication is optional, when in fact OSPFv3 uses IPsec and any mismatch breaks adjacency silently.

Why the other options are wrong

A

The question states the serial link is up/up on both sides, meaning the interface is not administratively down. An administratively down interface would show as 'administratively down' in the interface status, not 'up/up'.

C

Both interfaces carry global addresses in 2001:DB8:1:1::/64, so even by OSPFv2 rules the subnets would match. OSPFv3 forms adjacencies over link-local addresses and does not require matching global prefixes on a link at all, so addressing is not the cause here.

D

R2 has router-id 2.2.2.2 in the exhibit. OSPFv3 does need a 32-bit router-id (it cannot derive one from IPv6 addresses, so a router with no IPv4 address must have it configured explicitly), but it is present here, so this is not the cause.
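Added worked example (not from the original page): the fix for the scenario, with the same OSPFv3 IPsec authentication applied on both ends of the link. Interface names, the link addresses, the SPI and the MD5 key are assumptions; the key is a 32-hex-digit placeholder, and in real use the SPI and key are secret values that must be identical on both sides of the link. This uses the interface-level command of the 'ipv6 router ospf' syntax; the same SPI and key can instead be applied area-wide with 'area 0 authentication ipsec spi ...' under the routing process.

```cisco
! Added example, not from the original page. Assumed: Serial0/0/0 on both routers, process 1,
! area 0, link prefix 2001:DB8:1:1::/64. SPI 256 and the key are placeholders.
!
! R1 (already authenticated in the scenario)
ipv6 unicast-routing
ipv6 router ospf 1
 router-id 1.1.1.1
interface Serial0/0/0
 ipv6 address 2001:DB8:1:1::1/64
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 256 md5 0123456789abcdef0123456789abcdef
!
! R2 (the fix: the same SPI and the same key, or R2 keeps dropping R1's Hellos)
ipv6 unicast-routing
ipv6 router ospf 1
 router-id 2.2.2.2
interface Serial0/0/0
 ipv6 address 2001:DB8:1:1::2/64
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 256 md5 0123456789abcdef0123456789abcdef
!
! Verification on either router: the interface view shows the authentication mode and SPI,
! the neighbor table should reach FULL, and the AH security association appears under crypto
show ipv6 ospf interface Serial0/0/0
show ipv6 ospf neighbor
show crypto ipsec sa
```

A mismatch produces no neighbor at all rather than an error message, which is why 'show ipv6 ospf interface' on both routers is the first check: compare the authentication line and SPI on each side before looking anywhere else.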

115
PBQmedium

You are connected via the console to R1, a Cisco ISR 4331 router. The network administrator reports that the link between R1's GigabitEthernet0/0 and a switch is experiencing high error rates and intermittent connectivity. Upon inspection, you notice that the interface is configured with speed 1000 and duplex full. The switch port is set to auto-negotiate. Your task is to resolve the duplex mismatch by configuring the router interface to match the switch's settings.

Network Topology
R1 G0/0 <-> SW1 G0/1

Hints

  • The switch port is set to auto-negotiate.
  • Duplex mismatch occurs when one side is set manually and the other auto.
  • Use the 'speed auto' and 'duplex auto' commands.
A.Configure the router interface with 'speed 1000' and 'duplex full'.
B.Configure the router interface with 'no speed' and 'no duplex' to restore defaults, then set 'speed 1000' and 'duplex full'.
C.Configure the router interface with 'no speed' and 'no duplex' to restore defaults, then set 'speed 1000' and 'duplex half'.
D.Configure the router interface with 'no speed' and 'no duplex' to restore defaults, then set 'speed auto' and 'duplex auto'.
AnswerD
solution
! R1
interface GigabitEthernet0/0
speed auto
duplex auto

Why this answer

The duplex mismatch was caused by manually forcing speed and duplex on the router while the switch was set to auto-negotiate. Changing the router to auto-negotiate allows both sides to negotiate the best duplex (full duplex) and speed, eliminating errors.

Exam trap

A common trap is assuming that hard-coding the router to the values the switch would negotiate (1000/full) fixes the problem. It does not: a port that is set to auto-negotiate cannot learn the settings of a peer that has auto-negotiation disabled; it guesses the speed and falls back to half duplex by default, which is exactly the mismatch being reported. Either both sides auto-negotiate (the required fix here, since the switch port stays on auto) or both sides are hard-coded to identical values; never one of each.

Why the other options are wrong

A

This is the configuration that caused the problem. With auto-negotiation disabled on the router, the switch cannot complete negotiation; it falls back to half duplex by default while the router runs full duplex, producing the errors reported.

B

Restoring defaults and then re-applying 'speed 1000' and 'duplex full' leaves the router exactly where it started: auto-negotiation is still disabled, so the switch still cannot negotiate and the mismatch remains.

C

Forcing half duplex on the router does not produce a match either: the switch, still on auto, cannot negotiate with a forced port, and Cisco Gigabit Ethernet interfaces do not run half duplex at 1000 Mb/s in any case. The goal is full duplex at 1000 Mb/s, which both sides reach reliably only by negotiating it.

116
MCQmedium

What is a common requirement for interfaces to successfully bundle into an EtherChannel?

A.All member interfaces must use matching speed, duplex, and trunk/access settings
B.Each interface must belong to a different VLAN
C.Only odd-numbered switch ports can be bundled
D.Each interface must have a different STP path cost
AnswerA

Correct. Mismatched settings commonly prevent bundling.

Why this answer

EtherChannel members must have compatible operational and administrative settings, including speed, duplex, and switchport mode.

Exam trap

Remember that EtherChannel compatibility checks cover the physical and switchport settings of each member (speed, duplex, mode, native and allowed VLANs). IP addressing is configured on the port-channel interface of a Layer 3 bundle, never on the members, so it is not a per-member matching criterion.

Why the other options are wrong

B

EtherChannel does not require interfaces to be in different VLANs; in fact, all member interfaces must have the same VLAN configuration (either all access ports in the same VLAN or all trunk ports with the same allowed VLAN list). Placing interfaces in different VLANs would violate the consistency requirement and prevent bundling.

C

Port numbering (odd or even) has no bearing on EtherChannel eligibility; any physical ports on a switch can be bundled as long as they meet the configuration consistency requirements. The restriction is based on hardware capabilities, not port numbers.

D

STP path cost is a per-interface value used by Spanning Tree Protocol to determine the best path to the root bridge; it is not a requirement for EtherChannel bundling. In fact, when interfaces are bundled, STP treats the EtherChannel as a single logical link, and all member interfaces share the same STP state.

117
MCQhard

A host has the address 10.10.10.94/27. Which subnet contains that host?

A.10.10.10.32/27
B.10.10.10.64/27
C.10.10.10.96/27
D.10.10.10.0/27
AnswerB

This is correct because 94 falls within the 64 through 95 range.

Why this answer

A /27 mask creates subnets in blocks of 32 addresses. In plain language, that means the fourth-octet ranges are 0–31, 32–63, 64–95, 96–127, and so on. Since the host address ends in 94, it falls inside the 64–95 block. That means the subnet is 10.10.10.64/27.

This is a classic subnetting task because it checks whether you can move from prefix length to block size and then locate the host inside the correct range. The key skill is recognizing the increment boundary and not guessing based only on the nearest familiar address.

Exam trap

Avoid guessing based on familiar numbers; calculate the subnet range using the block size.

Why the other options are wrong

A

The subnet 10.10.10.32/27 covers addresses 10.10.10.32 through 10.10.10.63. The host address 10.10.10.94 is not within this range, so this subnet is incorrect.

C

The subnet 10.10.10.96/27 covers addresses 10.10.10.96 through 10.10.10.127. The host address 10.10.10.94 is below the starting address of this subnet, so it is not included.

D

The subnet 10.10.10.0/27 covers addresses 10.10.10.0 through 10.10.10.31. The host address 10.10.10.94 is far outside this range, so this subnet is incorrect.

118
MCQmedium

Exhibit: A collector is receiving traffic metadata from a router, including source IP, destination IP, protocol, and byte counts. Which feature is being used?

A.Syslog
B.SNMP trap
C.NetFlow
D.NTP
AnswerC

NetFlow describes traffic flows and counters.

Why this answer

NetFlow exports flow records that summarize traffic conversations. It does not carry full packet payloads, but it does provide useful metadata for analysis and capacity planning.

Exam trap

A frequent exam trap is mistaking Syslog or SNMP traps for the feature that exports traffic metadata. Syslog messages only report system events and errors, not detailed flow data. SNMP traps notify about specific device events or threshold breaches but do not provide conversation-level traffic summaries.

Another trap is confusing NTP, which only synchronizes device clocks, with traffic monitoring features. Candidates must recognize that only NetFlow exports detailed flow records including source IP, destination IP, protocol, and byte counts, which are essential for traffic analysis and capacity planning.

Why the other options are wrong

A

Syslog is designed to send event messages and system logs, not detailed traffic flow summaries. It cannot provide source and destination IP addresses with byte counts, so it is incorrect for this question.

B

SNMP traps are notifications about specific device events or threshold conditions, not detailed records of traffic conversations. They do not include flow metadata like source/destination IP and byte counts, making this option incorrect.

D

NTP is used solely for synchronizing time across network devices and does not provide any traffic metadata or flow information, so it is not the correct feature in this context.
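Added worked example (not from the original page): a Flexible NetFlow configuration on an IOS-XE router whose record carries exactly the fields the exhibit describes (source and destination IP, protocol, byte counts) and exports them to a collector. The interface names, collector address and port, and the record/exporter/monitor names are assumptions.

```cisco
! Added example, not from the original page. Assumed: Gi0/0/0 is the monitored interface,
! the collector 192.0.2.50 listens on UDP 2055, Gi0/0/1 faces the management network.
configure terminal
!
! 1. Record: 'match' fields define what a flow is, 'collect' fields are exported with it
flow record REC-BASIC
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! 2. Exporter: NetFlow v9 over UDP carries no authentication or encryption,
!    so source it from, and route it over, a management network only
flow exporter EXP-COLLECTOR
 destination 192.0.2.50
 source GigabitEthernet0/0/1
 transport udp 2055
 export-protocol netflow-v9
!
! 3. Monitor ties record and exporter together; the active timeout decides how often
!    a long-lived flow is reported before it ends
flow monitor MON-EDGE
 record REC-BASIC
 exporter EXP-COLLECTOR
 cache timeout active 60
 cache timeout inactive 15
!
! 4. Attach the monitor to the interface in both directions
interface GigabitEthernet0/0/0
 ip flow monitor MON-EDGE input
 ip flow monitor MON-EDGE output
end
!
! Verification: the local cache shows the same fields the collector receives
show flow monitor MON-EDGE cache format table
show flow exporter EXP-COLLECTOR statistics
show flow interface GigabitEthernet0/0/0
```

The 'show flow monitor ... cache' output is the quickest way to confirm the distinction the question tests: each row is one conversation with its byte and packet counters, with no payload, which is what a collector uses for capacity planning and for spotting unexpected talkers.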

119
Multi-Selectmedium

Which TWO statements correctly describe the configuration and behavior of a router-on-a-stick setup for inter-VLAN routing?

Select 2 answers
A.Each subinterface on the router must be configured with an IP address that belongs to the corresponding VLAN's subnet.
B.The switch port connecting to the router must be configured as an access port in VLAN 1.
C.The native VLAN on the trunk must be the same VLAN as the one used for management traffic.
D.The router's physical interface must be in 'no shutdown' state, but subinterfaces do not require a separate 'no shutdown' command.
E.The router's subinterface for the native VLAN must use the 'encapsulation dot1q <vlan-id> native' command.
AnswersA, D

For the router to route traffic for a VLAN, the subinterface must have an IP address in the same subnet as that VLAN. This allows the router to act as the default gateway for hosts in that VLAN.

Why this answer

Option A is correct because each subinterface is assigned an IP address in the subnet of its corresponding VLAN, enabling the router to act as the default gateway and route between VLANs using 802.1Q tags. Option D is correct because the physical interface must be 'no shutdown' to pass traffic; subinterfaces are up by default as soon as the physical interface is up, so no separate 'no shutdown' is needed (they do accept 'shutdown' individually, but the default state is up). Option B is incorrect because the switch port connecting to the router must be configured as a trunk port, not an access port, to carry multiple VLANs.

Option C is incorrect because the native VLAN on the trunk does not have to be the same as the management VLAN; they are separate concepts. Option E is incorrect because 'encapsulation dot1q <vlan-id> native' is one way to handle the native VLAN, not a requirement: the untagged native-VLAN traffic can instead be addressed on the physical interface itself, and if the native VLAN is not routed at all no subinterface is needed. What must agree is the native VLAN ID on the router and on the switch trunk.

Exam trap

The trap here is that candidates often think subinterfaces need a separate 'no shutdown' command, but Cisco tests that the physical interface must be 'no shutdown' and subinterfaces come up with it, making option D correct.

Why the other options are wrong

B

The switch port must be a trunk port to carry multiple VLANs, not an access port assigned to VLAN 1.

C

The native VLAN on the trunk is used for untagged traffic and does not have to match the management VLAN.

E

The 'encapsulation dot1q <vlan-id> native' command is not mandatory: it is used only if the native VLAN is routed on a subinterface. The same untagged traffic can be handled by an address on the physical interface, or not routed at all.
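Added worked example (not from the original page): a complete router-on-a-stick setup covering options A, D and E, with the matching trunk on the switch side. Interface names, VLAN numbers and the subnets are assumptions.

```cisco
! Added example, not from the original page. Assumed: R1 Gi0/0 <-> SW1 Gi0/1,
! VLAN 10 = 192.168.10.0/24, VLAN 20 = 192.168.20.0/24, native VLAN 99 = 192.168.99.0/24.
!
! R1
interface GigabitEthernet0/0
 no ip address
 no shutdown
!
! Subinterfaces are up as soon as the physical interface is up; no 'no shutdown' needed
interface GigabitEthernet0/0.10
 encapsulation dot1q 10
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/0.20
 encapsulation dot1q 20
 ip address 192.168.20.1 255.255.255.0
!
! Native VLAN frames arrive untagged, so this subinterface needs the 'native' keyword.
! Alternative: put 192.168.99.1 on the physical interface and omit the .99 subinterface.
interface GigabitEthernet0/0.99
 encapsulation dot1q 99 native
 ip address 192.168.99.1 255.255.255.0
!
! SW1: the port toward the router is a trunk with the same native VLAN
! ('switchport trunk encapsulation dot1q' is needed first on switches that also support ISL)
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,99
!
! Verification
! R1: 'show vlans' lists each subinterface with its VLAN ID and address
show ip interface brief
show vlans
! SW1: native VLAN and allowed list on the trunk
show interfaces GigabitEthernet0/1 trunk
```

If the router and switch disagree on the native VLAN, the router tags frames the switch expects untagged (or the reverse) and that VLAN silently stops routing while all the tagged VLANs keep working, so compare the 'native' subinterface against 'show interfaces trunk' whenever exactly one VLAN is unreachable.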

120
PBQhard

You are connected to R1. Configure AAA with RADIUS authentication so that SSH users are authenticated first against the RADIUS server (198.51.100.10) and fall back to the local user database if the server is unreachable. Additionally, troubleshoot why an 802.1X-enabled interface (GigabitEthernet0/1) remains in the unauthorized state. The RADIUS server shares a key of 'cisco123' and uses UDP port 1812. The local user 'admin' with secret 'adminpass' must be available as a fallback.

Hints

  • The dot1x authentication list is missing a fallback method.
  • Use the 'aaa authentication dot1x default' command to add 'local' after 'group radius'.
  • After fixing, the port may need to re-authenticate; you can test by shutting/no shutting the interface.
A.The RADIUS server is unreachable, but the 802.1X port remains unauthorized because the AAA authentication list for dot1x is configured to use only RADIUS without local fallback. The fix is to modify the dot1x authentication list to include 'local' as a fallback method.
B.The RADIUS server is unreachable because the shared key 'cisco123' is incorrect, causing the port to stay unauthorized.
C.The 802.1X port remains unauthorized because the RADIUS server uses UDP port 1812, but the switch expects port 1645.
D.The SSH authentication fails because the local user 'admin' is not configured with the correct privilege level, so fallback does not work.
AnswerA
solution
! R1
configure terminal
aaa authentication dot1x default group radius local
end
write memory

Why this answer

The RADIUS server is unreachable, and the 802.1X port remains unauthorized because the AAA authentication list for dot1x uses only RADIUS with no local fallback. When every request to the server times out, no other method is tried, so the port stays unauthorized. The fix is to add 'local' to the dot1x method list after 'group radius'.

Adding local fallback allows the switch to authenticate the supplicant using the local database when the RADIUS server is unreachable. Note that a method list falls through to the next method only when the current one does not answer; an explicit Access-Reject from a reachable server is final and is not retried locally.

Exam trap

Do not confuse authentication list configuration for different services (login vs dot1x). SSH uses 'login' list, while 802.1X uses 'dot1x' list. Also, ensure fallback methods are included for network access authentication to avoid permanent unauthorized state.

Why the other options are wrong

B

The shared secret does not encrypt RADIUS traffic; it authenticates the packets (Request/Response Authenticator and Message-Authenticator) and obfuscates the User-Password attribute. A wrong key makes the server reject or silently discard requests, which is a different failure from the one in the scenario, where the server is unreachable and the only missing piece is a fallback method; the hints point at the dot1x method list, not at the key.

C

The scenario states the server listens on UDP 1812, and the switch can be configured to use it: the 'radius server' / 'address ipv4 ... auth-port' syntax defaults to 1812, while the legacy 'radius-server host' form defaults to 1645, which is why the port is usually set explicitly. A port mismatch would make every request time out, but nothing in the scenario indicates one; the problem is the missing fallback method.

D

The specific factual error: Privilege level is not required for authentication; it affects authorization. The local user exists and can authenticate, so SSH fallback is fine.
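Added worked example (not from the original page): the full AAA configuration the task asks for, with the login list for SSH and the corrected dot1x list both falling back to the local database, plus the 802.1X port configuration and the commands used to check it. The server, port, key and local user come from the scenario; the RADIUS server object name, the VTY range and the assumption that SSH is already enabled are mine.

```cisco
! Added example, not from the original page. Scenario values: RADIUS 198.51.100.10 on UDP 1812,
! key cisco123, local user admin/adminpass. Assumed: server object name RAD1, VTY lines 0-4.
configure terminal
aaa new-model
!
! Local account, used only when the RADIUS server does not answer
username admin secret adminpass
!
! RADIUS server definition (this syntax defaults to 1812/1813; ports given explicitly anyway)
radius server RAD1
 address ipv4 198.51.100.10 auth-port 1812 acct-port 1813
 key cisco123
!
! Method order matters: RADIUS first, local only if RADIUS times out.
! 'login' covers SSH/console sessions, 'dot1x' covers port authentication.
aaa authentication login default group radius local
aaa authentication dot1x default group radius local
!
! Apply the login list to SSH sessions
line vty 0 4
 transport input ssh
 login authentication default
!
! 802.1X on the access port
dot1x system-auth-control
interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
end
!
! Verification
! Server state (up/dead), request and timeout counters
show aaa servers
! Send a real Access-Request for the local admin account and watch the reply
test aaa group radius admin adminpass legacy
! Port authorization state; bounce the port (shut / no shut) to force re-authentication
show dot1x interface GigabitEthernet0/1 details
show authentication sessions interface GigabitEthernet0/1
```

Two operational caveats: 'test aaa' exercises the key and the port in one step, so a wrong secret or port shows up there before any user notices; and a local fallback for dot1x means that whoever knows the local credentials can authorize a port whenever the server is down, so treat that account like any other break-glass credential.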

121
Matchingmedium

Drag and drop the items on the left to match the descriptions on the right.

Descriptions

Sets the switch port to permanent access mode

Configures the port as an 802.1Q trunk

Assigns VLAN 10 to the access port for data traffic

Specifies VLAN 20 for voice traffic on the port

Restricts the trunk to carry only VLANs 10 and 20

Why these pairings

Access ports carry traffic for a single VLAN and are configured with switchport mode access. Voice VLANs are added to an access port with switchport voice vlan to separate voice and data traffic. Trunk ports carry multiple VLANs and are set with switchport mode trunk; allowed VLANs can be restricted with switchport trunk allowed vlan.

122
MCQmedium

A junior network engineer is configuring a new Windows 10 workstation to connect to the corporate network. The network uses a /24 subnet mask and has a default gateway of 192.168.1.1. The workstation obtains its IP address automatically from a DHCP server, but the engineer needs to manually set a static IPv4 address of 192.168.1.50 and ensure the workstation can reach the internet. Which configuration step must the engineer take to satisfy these requirements?

A.Set the subnet mask to 255.255.0.0 and the default gateway to 192.168.1.1
B.Set the subnet mask to 255.255.255.0 and the default gateway to 192.168.1.1
C.Set the subnet mask to 255.255.255.0 and leave the default gateway blank
D.Set the subnet mask to 255.255.255.0 and the default gateway to 192.168.1.50
AnswerB

This is the correct configuration. The subnet mask 255.255.255.0 corresponds to a /24 prefix, which matches the network. The default gateway 192.168.1.1 is the router's IP on the same subnet, allowing the workstation to reach the internet.

Why this answer

Option B is correct because a /24 subnet mask (255.255.255.0) matches the network prefix of the default gateway 192.168.1.1, ensuring the workstation can route traffic to the internet via that gateway. Option A fails because a /16 mask (255.255.0.0) does not match the corporate /24 network, causing incorrect network identification and potential routing issues. Option C fails because leaving the default gateway blank means the host cannot reach any network beyond its local subnet, so internet access is impossible.

Option D fails because using the host's own IP (192.168.1.50) as the default gateway would cause the host to attempt to route traffic to itself, never reaching the actual gateway.

Exam trap

Cisco often tests the requirement that the default gateway must be on the same subnet as the host's IP address, and a common trap is to confuse the gateway address with the host's own IP or to use an incorrect subnet mask that still allows local communication but breaks routing.

Why the other options are wrong

A

Using a /16 subnet mask (255.255.0.0) does not match the corporate /24 network, leading to incorrect network identification and potential routing issues.

C

Leaving the default gateway blank prevents the host from reaching any network beyond its own subnet, so internet access is impossible.

D

Setting the default gateway to the host's own IP address (192.168.1.50) would cause traffic to be sent to itself, never reaching the actual gateway.

123
PBQhard

You are connected to R1. The network administrator reports that the link between R1 and R2 is flapping and performance is poor. Examine the provided show interface output on R1, identify the root cause of the issue, and apply the necessary configuration fix to resolve the problem permanently.

Network Topology
R1 G0/1 (10.0.0.5/30) <-> R2 G0/1 (10.0.0.6/30)

Hints

  • Check the duplex setting on the interface; it should match the connected device.
  • CRC errors and input errors often indicate a duplex mismatch.
  • The line protocol being down suggests a Layer 1 or Layer 2 issue.
A.Configure the interface with the 'duplex full' command.
B.Configure the interface with the 'speed 100' command.
C.Configure the interface with the 'no shutdown' command.
D.Configure the interface with the 'duplex auto' command.
AnswerA
solution
! R1
configure terminal
interface gigabitEthernet 0/1
duplex full
end

Why this answer

The show interface output on R1 indicates the interface is operating in half-duplex with high CRC errors and input errors, classic symptoms of a duplex mismatch when the remote side (R2) is set to full-duplex. The root cause is that R1’s duplex setting does not match R2’s, causing collisions and flapping. Configuring 'duplex full' on R1’s GigabitEthernet0/1 forces full-duplex, which resolves the mismatch if the remote side is already forced full.

Option B (speed 100) only configures speed—it does not change duplex, so the mismatch persists. Option C (no shutdown) is irrelevant because the interface is administratively up (the issue is operational). Option D (duplex auto) would set R1 to autonegotiate, but if R2 is forced full, autonegotiation fails and defaults to half-duplex, recreating the mismatch.

Therefore, only 'duplex full' permanently fixes the issue.

Exam trap

The exam trap is that candidates often confuse symptoms of duplex mismatch with speed mismatch or cable issues. Remember the signature: late collisions on the half-duplex side, CRC errors and runts on the full-duplex side, and a link that stays up but performs badly or flaps. Always check the duplex setting first.

Why the other options are wrong

B

A speed mismatch is not indicated: with mismatched speeds the link would not come up at all, whereas this link comes up and passes traffic with errors, which points to duplex.

C

'no shutdown' only brings an interface up administratively; the interface here is already administratively up, and the command changes neither speed nor duplex.

D

Auto-negotiation only works when both ends run it; against a peer that is forced to full duplex, R1 on auto would default to half duplex and recreate the mismatch. The durable fix is to configure both sides identically.

124
Multi-Selectmedium

Which three of the following statements about distance vector routing protocols (e.g., RIP, EIGRP) are correct? (Choose three.)

Select 3 answers
A.They rely on the Bellman-Ford algorithm for route computation.
B.RIPv2 uses multicast address 224.0.0.9 to send routing updates.
C.EIGRP maintains separate feasible distance and advertised distance values for each route.
D.They require a full topological map of the network to calculate the best path.
E.EIGRP supports both equal-cost and unequal-cost load balancing by default.
F.Split horizon prevents routing loops by not advertising a route back out the interface from which it was learned.
AnswersB, C, F

Why this answer

RIPv2 sends updates to the multicast address 224.0.0.9, ensuring only RIPv2 routers process them. EIGRP maintains both feasible distance (best metric to a destination) and advertised distance (metric reported by the next-hop router) to support its loop-free DUAL algorithm. Split horizon prevents routing loops by not advertising a route back out the interface from which it was learned.

The statement about reliance on Bellman‑Ford is false because EIGRP uses DUAL, not Bellman‑Ford; the other two wrong options confuse distance vector behavior with link-state (full topology map) or assume unequal-cost load balancing is default when it requires the variance command.

Exam trap

Cisco often tests the distinction between default behavior and optional features, so the trap here is assuming that EIGRP's unequal-cost load balancing is enabled by default when it actually requires the 'variance' command to activate.

Why the other options are wrong

A

EIGRP, a distance vector protocol listed as an example, uses DUAL, not Bellman-Ford, making the statement inaccurate.

D

Requiring a full topological map is characteristic of link-state protocols, not distance vector protocols.

E

EIGRP does not support unequal-cost load balancing by default; it must be explicitly enabled with the 'variance' command.

125
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure VLANs, assign access ports, set up 802.1Q trunking with a native VLAN, and verify the configuration on a Cisco IOS-XE switch.


Why this order

VLAN creation precedes port assignment; trunking configuration follows access port assignment; verification is last.

Exam trap

The exam trap is that candidates may confuse the order of VLAN creation and port assignment, or think trunking should be configured before access ports. Remember: VLANs must exist first, then assign ports, then configure trunking, then verify.
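Added worked example (not from the original page) covering this procedure and the two earlier items it builds on: the 802.1Q behaviours from question 109 (untagged native VLAN, pruning the allowed list, no DTP needed) and the access, voice and trunk commands from question 121, carried out in the four steps above on one switch. VLAN numbers and names, the port numbers and the choice of VLAN 99 as native are assumptions.

```cisco
! Added example, not from the original page. Assumed: VLAN 10 DATA, VLAN 20 VOICE,
! VLAN 99 as an otherwise unused native VLAN; Gi1/0/1 is a user port, Gi1/0/24 the uplink.
configure terminal
!
! Step 1: create the VLANs first (many switches create a VLAN implicitly when a port is
! assigned to it, but creating them explicitly keeps names and intent in the config)
vlan 10
 name DATA
vlan 20
 name VOICE
vlan 99
 name NATIVE
!
! Step 2: access port with a data VLAN and a voice VLAN (the phone tags its own frames with VLAN 20)
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
!
! Step 3: 802.1Q trunk. Native VLAN frames cross untagged, so use a VLAN no access port belongs to;
! the allowed list prunes everything else; 'nonegotiate' turns DTP off because the trunk is static.
! ('switchport trunk encapsulation dot1q' comes first on switches that also support ISL.)
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,99
 switchport nonegotiate
end
!
! Step 4: verify
show vlan brief
show interfaces GigabitEthernet1/0/1 switchport
show interfaces GigabitEthernet1/0/24 trunk
show interfaces trunk
```

'show interfaces trunk' has three columns worth reading in order: "Vlans allowed on trunk" (what you configured), "Vlans allowed and active in management domain" (which of those actually exist, which is why step 1 comes first) and "Vlans in spanning tree forwarding state and not pruned" (what really crosses the link). A VLAN missing from the second column usually means it was never created.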

126
Matchingmedium

Match each routing concept to its most accurate meaning.

Descriptions

Value used to compare trust between route sources

Value used to compare candidate paths within a route source or protocol

Indicator of route specificity

Fallback route used when no better match exists

Why these pairings

Administrative Distance measures route source trustworthiness; Metric determines best path within a protocol; Convergence is the time to reach consistent routing; Route Summarization reduces routing table size; Floating Static Route acts as a backup; ECMP enables load balancing.

Exam trap

The exam often tests your ability to distinguish between Administrative Distance and metric. Remember: AD compares routes from different sources (inter-protocol), while metrics compare routes from the same source (intra-protocol). Also, AD is not a measure of time or hop count.

127
PBQ (hard)

You are connected to SW1. Configure an LACP EtherChannel between SW1 and SW2 using interfaces GigabitEthernet0/1 and GigabitEthernet0/2. The port-channel interface must be configured as a trunk allowing VLANs 10, 20, and 30. Currently, the channel is not forming due to a mismatch in speed/duplex and VLAN configuration on SW2. Troubleshoot and resolve the issue so that the EtherChannel comes up as a Layer 2 trunk.

Network Topology (diagram): SW1 Gi0/1 connected to SW2 Gi0/1 as a member of the LACP EtherChannel.

Hints

  • Check the speed and duplex settings on SW2's physical interfaces.
  • Compare the allowed VLAN list on SW2's physical interfaces to the port-channel trunk.
  • Use 'show etherchannel summary' to see if ports are bundled or down.
A.On SW2, configure interfaces GigabitEthernet0/1 and 0/2 with speed 1000, duplex full, and on the port-channel interface, set allowed VLANs to 10,20,30.
B.On SW2, configure interfaces GigabitEthernet0/1 and 0/2 with speed 100, duplex half, and on the port-channel interface, set allowed VLANs to 10,20,30.
C.On SW2, configure interfaces GigabitEthernet0/1 and 0/2 with speed 1000, duplex full, and on the port-channel interface, set allowed VLANs to 10,20.
D.On SW2, configure interfaces GigabitEthernet0/1 and 0/2 with speed 1000, duplex full, and on the port-channel interface, set allowed VLANs to 1-4094.
Answer: A
solution
! SW2
interface gigabitEthernet0/1
 speed 1000
 duplex full
interface gigabitEthernet0/2
 speed 1000
 duplex full
! The port-channel number is not given in the question; 1 is used here as a placeholder.
! The allowed-VLAN list belongs on the port-channel interface, not on the physical members.
interface port-channel 1
 switchport trunk allowed vlan 10,20,30

Why this answer

The EtherChannel is not forming because SW2's interfaces have speed 100 and duplex half, while SW1's interfaces have speed 1000 and duplex full. Additionally, the allowed VLANs on SW2's trunk must include VLAN 30, and this should be configured on the port-channel interface, not the physical interfaces. To fix, on SW2, set the speed to 1000 and duplex to full on Gi0/1 and Gi0/2, then on the port-channel interface, configure allowed VLANs 10,20,30.

After these changes, the channel will come up as a Layer 2 trunk.

Exam trap

The exam trap is that candidates may focus solely on the speed/duplex mismatch and forget to verify the VLAN allowed list on the trunk. Also, they might incorrectly try to match by lowering SW1's settings instead of raising SW2's.

Why the other options are wrong

B

The specific factual error is that LACP requires all member interfaces to have identical speed and duplex settings; changing SW2 to 100/half does not match SW1's 1000/full.

C

The specific factual error is that the trunk must allow all required VLANs; omitting VLAN 30 violates the requirement.

D

The specific factual error is that the configuration does not match the requirement to allow only VLANs 10, 20, and 30; it allows all VLANs instead.

128
Drag & Drop (medium)

Drag and drop the following steps into the correct order to configure IPv4 and IPv6 static routes, a default route, and a floating static route with higher administrative distance, then verify the routing tables.


Why this order

The order first configures specific static routes, then the default route and floating static route (which can be done in any order but typically after specific routes), and finally verification. The floating static route is configured with a higher AD so it is less preferred.

Exam trap

Do not confuse the order of configuration with the order of preference. Specific routes should be configured first, then the default route and floating static route can be configured in any order (though typically default is configured before floating static). Verification is always the last step.

129
MCQ (medium)

A network engineer wants a static route to be used only when the OSPF-learned route disappears. Which configuration approach meets that goal?

A.Use a static route with administrative distance 1
B.Use a static route with administrative distance higher than 110
C.Use a static route with metric 0
D.Redistribute the static route into OSPF
Answer: B

OSPF uses AD 110, so the backup static route must be higher.

Why this answer

That is a floating static route. You configure the static route with an administrative distance higher than the OSPF route so it stays in reserve until the dynamic path is lost.

Exam trap

A frequent exam trap is selecting a static route with a default or lower administrative distance than OSPF, such as AD 1, which causes the static route to be preferred immediately, overriding the OSPF route. Another common mistake is thinking that adjusting the metric of the static route or redistributing it into OSPF will create a backup route. Metrics influence path selection within routing protocols but do not affect route preference between static and OSPF routes.

Redistribution simply advertises the static route dynamically and does not provide failover control. These misunderstandings lead to incorrect configurations that do not meet the requirement of using the static route only when the OSPF route disappears.

Why the other options are wrong

A

Using a static route with administrative distance 1 makes it the most preferred route immediately, overriding the OSPF-learned route. This does not meet the requirement of using the static route only when the OSPF route disappears.

C

Setting a static route with metric 0 does not influence route preference between static and OSPF routes because metrics affect path selection within routing protocols, not across different route sources.

D

Redistributing the static route into OSPF advertises it dynamically but does not create a backup route that activates only when the OSPF route disappears. Redistribution is unnecessary for this backup behavior.

130
Drag & Drop (medium)

Drag and drop the following steps into the correct order to capture and analyze traffic on IOS-XE using the embedded packet capture feature, and in Wireshark to isolate a Layer 2 or Layer 3 fault.


Why this order

The correct order for embedded packet capture on IOS-XE is: configure the capture point first (to define the traffic filter), then define the capture buffer, start the capture, stop the capture, and finally export the capture. Starting the capture after configuring both the point and buffer ensures that traffic is captured correctly. Exporting before stopping may result in incomplete data.

Exam trap

Do not confuse the order of configuring the capture point and defining the buffer. The capture point must be configured first because it defines the traffic filter, and the buffer is associated with that capture point. Also, always stop the capture before exporting to avoid incomplete data.

131
MCQ (hard)

A subnet uses network address 192.168.200.96/28. Which range contains the usable host addresses?

A.192.168.200.97 to 192.168.200.110
B.192.168.200.96 to 192.168.200.111
C.192.168.200.98 to 192.168.200.111
D.192.168.200.81 to 192.168.200.94
Answer: A

This is correct because .96 is the network and .111 is the broadcast.

Why this answer

A /28 block contains 16 addresses. In practical terms, the block starting at 192.168.200.96 runs through 192.168.200.111. The first address is the network address and the last address is the broadcast address. That means the usable host range is 192.168.200.97 through 192.168.200.110.

This question checks whether you can calculate the correct block and then exclude the two reserved boundary addresses.

Exam trap

Remember to exclude the network and broadcast addresses when determining usable host ranges.

Why the other options are wrong

B

This range includes the network address (.96) and the broadcast address (.111), which cannot be assigned to hosts. Usable host addresses must exclude these two addresses.

C

This range starts at .98, which excludes the valid host .97, and ends at .111, which includes the broadcast address. The correct usable range is .97 to .110.

D

This range (192.168.200.81 to .94) belongs to a different subnet. For a /28 subnet starting at .96, the valid host range is .97 to .110. This range is from a previous subnet (e.g., 192.168.200.80/28).

132
MCQ (hard)

A switch has DHCP snooping enabled, but users still experience IP-to-MAC spoofing attacks. Which additional feature should be considered to help address that specific problem?

A.PortFast
B.Dynamic ARP Inspection
C.EtherChannel
D.NetFlow
Answer: B

Correct. DAI directly targets ARP spoofing.

Why this answer

Dynamic ARP Inspection (DAI) validates ARP packets against trusted binding information learned through DHCP snooping, directly preventing IP-to-MAC spoofing. PortFast is used to speed up STP convergence and does not provide ARP security. EtherChannel aggregates multiple links for bandwidth and redundancy but does not inspect ARP traffic.

NetFlow is a traffic accounting and monitoring tool, not a security control for ARP spoofing. Therefore, DAI is the correct additional feature to address IP-to-MAC spoofing.

Exam trap

Don't confuse general security features with those specifically designed to prevent ARP spoofing.

Why the other options are wrong

A

PortFast is a Spanning Tree Protocol feature that immediately transitions a port to forwarding state, bypassing listening and learning states. It does not perform any validation of ARP packets or prevent IP-to-MAC spoofing attacks.

C

EtherChannel is a link aggregation technology that combines multiple physical links into a single logical link to increase bandwidth and provide redundancy. It does not inspect or validate ARP packets, so it cannot prevent IP-to-MAC spoofing.

D

NetFlow is a network monitoring protocol that collects IP traffic statistics for analysis and troubleshooting. It provides visibility into traffic patterns but does not actively block or validate ARP packets, so it cannot prevent spoofing attacks.

133
MCQ (hard)

A switch trunk must carry VLANs 10, 20, and 30, but traffic for VLAN 20 is failing. The trunk allowed list on one side is `10,30`. What is the most likely cause?

A.VLAN 20 is missing from the allowed VLAN list on one side of the trunk.
B.The trunk must be converted to an access port for VLAN 20 to work.
C.VLAN 20 must always be the native VLAN.
D.The switches must both use ISL instead of 802.1Q.
Answer: A

This is correct because the trunk is explicitly not permitting VLAN 20 on that side.

Why this answer

The most likely cause is that VLAN 20 is not in the allowed VLAN list on one side of the trunk. Option B is incorrect because converting the trunk to an access port would block all other VLANs rather than fix VLAN 20. Option C is incorrect because there is no requirement that VLAN 20 be the native VLAN; the native VLAN is unrelated to allowed-list filtering.

Option D is incorrect because ISL vs 802.1Q does not affect per-VLAN filtering; the allowed list is a separate configuration independent of the encapsulation type.

Exam trap

Focus on the allowed list configuration, not on VLAN existence or trunk mode. Misconfigurations in allowed lists are a common trap.

Why the other options are wrong

B

Converting the trunk to an access port would remove all other VLANs, not solve the selective failure for VLAN 20.

C

There is no requirement that VLAN 20 must be the native VLAN; the native VLAN is used for untagged traffic and is unrelated to the allowed VLAN list.

D

The encapsulation type (ISL vs 802.1Q) does not affect per-VLAN allowed lists; the issue is purely about the allowed list configuration.

134
MCQ (hard)

A switch port is configured with port security using these commands:

switchport port-security
switchport port-security maximum 1
switchport port-security violation restrict
switchport port-security mac-address sticky

A user unplugs a company laptop and connects a different unauthorized device. The interface stays up/up, but the new device has no connectivity. Which statement best explains what happened?

A.The port shut down because restrict mode always causes err-disable
B.Traffic from the unauthorized MAC address is being dropped while the interface remains up
C.The switch learned the new MAC address automatically and replaced the old sticky entry
D.Port security affects only management traffic, not user traffic
Answer: B

Correct. Restrict mode drops unauthorized traffic but does not take the whole interface down. That is why the user sees a live port with no connectivity for the replacement device.

Why this answer

With a maximum of 1 secure MAC address, the switch learns only the company laptop's MAC via sticky learning. When the unauthorized device is plugged in, it attempts to send traffic with a new source MAC address. Since the maximum is already reached, this triggers a port security violation.

In restrict mode, the switch drops frames from the violating source but leaves the interface operational, matching the observed behavior: the interface stays up/up while the unauthorized device cannot pass traffic.

Exam trap

A common exam trap is assuming that any port security violation immediately disables the port. Candidates often confuse 'restrict' mode with 'shutdown' mode. In 'shutdown' mode, the port goes into an error-disabled state and the interface status changes to down, but in 'restrict' mode, the port remains up and only blocks unauthorized traffic.

This subtle difference can mislead test takers into selecting answers that describe the port shutting down, which contradicts the scenario where the interface stays up/up. Recognizing the behavior of each violation mode is crucial to avoid this mistake.

Why the other options are wrong

A

Option A incorrectly states that restrict mode always causes the port to shut down. In reality, restrict mode blocks unauthorized traffic but keeps the interface up. Shutdown mode is the one that disables the port and causes an error-disabled state, which contradicts the scenario where the port remains up/up.

C

Option C is incorrect because sticky MAC addresses are not automatically replaced when a new device connects. Instead, the switch enforces the violation action when an unauthorized MAC address appears, rather than overwriting the existing sticky entries.

D

Option D is false because port security controls all user data traffic on access ports by filtering frames based on source MAC addresses. It is not limited to management traffic, so this option misrepresents the scope of port security.

135
MCQ (medium)

A host can reach remote websites by IP address but fails when using their hostnames. Which missing configuration item is the strongest suspect?

A.A DNS server address
B.A new MAC address
C.A trunk native VLAN
D.An OSPF router ID
Answer: A

This is correct because the host needs DNS information to resolve hostnames.

Why this answer

When a host can reach remote websites by IP address but not by hostname, the issue is that the host cannot resolve the hostname to an IP address. DNS (Domain Name System) is responsible for this resolution, and if the DNS server address is missing or misconfigured on the host, name resolution fails. This is the strongest suspect because all other network connectivity (routing, switching) is functional, as proven by successful IP-based access.

Exam trap

Cisco often tests the distinction between Layer 3 connectivity (IP reachability) and application-layer services (DNS), so the trap here is that candidates might suspect a routing or switching issue (like a missing default gateway or VLAN mismatch) when the symptom clearly isolates the problem to name resolution.

Why the other options are wrong

B

A MAC address is a hardware identifier used for local network communication at Layer 2, and it has no role in hostname resolution. Changing the MAC address would not affect the ability to resolve hostnames to IP addresses.

C

A trunk native VLAN is a configuration for switch ports that carry multiple VLANs, and it is unrelated to hostname resolution. The symptom described is a DNS issue, not a VLAN or trunking problem.

D

OSPF router IDs are used by routers in OSPF routing protocol operations, not by end hosts. End hosts do not participate in OSPF and do not require a router ID for any function, including name resolution.

136
Drag & Drop (medium)

Drag and drop the following steps into the correct order to diagnose and resolve a duplex/speed mismatch causing interface errors on a Cisco switch.


Why this order

The correct diagnostic process begins by collecting interface statistics with 'show interfaces' to detect anomalies (step 1). If CRC errors, runts, and late collisions are present, these indicate a duplex mismatch (step 2). Next, check the current duplex and speed configuration for that interface using 'show interfaces <int>' (step 3).

Compare this setting with the expected configuration or with the remote device's interface (step 4) to confirm the mismatch. Based on the findings, apply the correct duplex and speed commands to align both ends (step 5). Finally, verify that the error counters stop incrementing after the fix (step 6).

137
MCQ (hard)

What is the main purpose of this configuration?

ipv6 route 2001:db8:100::/64 GigabitEthernet0/0

A.It creates a specific IPv6 static route to 2001:db8:100::/64 out GigabitEthernet0/0.
B.It enables OSPFv3 on GigabitEthernet0/0.
C.It creates an IPv6 default route.
D.It converts the interface into a tunnel.
Answer: A

This is correct because the command defines a manual route to that destination prefix.

Why this answer

This configuration creates an IPv6 static route to a specific destination prefix through the named outgoing interface. In practical terms, the router is being told exactly how to reach that remote IPv6 network. This is not a default route and not a dynamic-routing statement. It is a manually defined path to one destination prefix.

The key concept is recognizing the difference between a specific static route and a default route.

Exam trap

A frequent exam trap is mistaking the static route command for enabling a routing protocol such as OSPFv3 or assuming it creates a default route. Candidates may also confuse static routes with tunnel interfaces. The command shown explicitly configures a static route to a specific IPv6 prefix via an interface, not a dynamic routing process or a default (::/0) route.

Misreading the prefix or interface can lead to selecting incorrect answers. Recognizing that static routes are manual, precise entries that do not activate protocols or tunnels is essential to avoid this trap.

Why the other options are wrong

B

This option is incorrect because the command shown is a static route configuration, not a command to enable OSPFv3 on an interface. OSPFv3 requires separate routing protocol configuration commands.

C

This option is incorrect because the prefix specified is a specific network (2001:db8:100::/64), not the default IPv6 route (::/0). Therefore, it does not create a default route.

D

This option is incorrect because static route commands do not convert interfaces into tunnels. Tunnel interfaces require explicit tunnel configuration commands, which are not present here.

138
MCQ (hard)

A client PC is receiving an APIPA address (169.254.x.x) instead of a valid IP from the DHCP server. The DHCP server is on the same subnet as the client. The technician runs the command 'show ip dhcp binding' and confirms that the correct scope is configured. The command 'show ip dhcp pool' shows that there are plenty of addresses remaining in the pool. The client's NIC status shows 'connected'. What should the technician do next?

A.Check the DHCP snooping configuration on the access switch.
B.Verify that no firewall is blocking UDP ports 67 and 68 on the local network.
C.Run the ipconfig /release and /renew commands on the client.
D.Check for a rogue DHCP server on the network.
Answer: D

Given that the legitimate DHCP server is reachable, has a correct scope, and addresses are available, the most probable reason for persistent APIPA assignment is interference from an unauthorized DHCP server. A rogue server could be responding to DHCP Discover messages, preventing the client from obtaining a proper lease. The technician should use tools like packet captures or DHCP logs to detect any other DHCP Offer messages.

Why this answer

When a client on the same subnet as the DHCP server still receives an APIPA address, the problem is often that the client's DHCP Discover broadcasts are not reaching the legitimate DHCP server or the server's offers are not reaching the client. Since the technician has already verified the DHCP server configuration (scope exists, addresses available) and the client's physical connectivity (NIC connected), the most logical next step is to check for a rogue DHCP server. A rogue server can intercept DHCP Discover messages and respond with invalid or malicious offers, causing the client to disregard legitimate offers, or it might respond with offers that conflict and confuse the client.

This addresses the DHCP application layer (Layer 7) and ensures that only the authorized server is responding. Identifying a rogue server can be done via packet capture or by inspecting DHCP lease database inconsistencies.

Exam trap

Many candidates choose to run 'ipconfig /release' and 'ipconfig /renew' (Option C) as a first step, but doing so does not identify the root cause and can waste time if a rogue server is present. The APIPA assignment is a symptom, not a lease renewal issue, and the DHCP server has already been confirmed operational.

Why the other options are wrong

A

Candidates often jump to switch security features when they see DHCP issues, but without evidence of a switch misconfiguration, it is not the most direct next action.

B

Test-takers often consider firewalls as universal blockers, forgetting that in a flat Layer 2 domain, broadcast traffic such as DHCP Discover is not filtered by a firewall.

C

Candidates prefer simple client-side fixes, but CCNA troubleshooting emphasises identifying root causes before applying band-aid solutions.

139
MCQ (medium)

A network administrator receives a call from a user who cannot access any external websites from their wired workstation. The user can ping the default gateway successfully, but fails to ping 8.8.8.8. The administrator runs ipconfig /all on the workstation and sees an IP address of 192.168.1.50, subnet mask 255.255.255.0, and default gateway 192.168.1.1. What is the most likely cause of this issue?

A.The workstation has an incorrect default gateway configured.
B.The workstation has a duplicate IP address on the network.
C.The workstation is connected to the wrong VLAN.
D.The workstation has a DNS misconfiguration.
Answer: A

The user can ping the default gateway (192.168.1.1) but cannot ping 8.8.8.8, indicating local connectivity works but external routing fails. If the actual network gateway is different (e.g., 192.168.1.254), the workstation's configured gateway would be incorrect, preventing traffic from being forwarded to external networks.

Why this answer

The user can successfully ping 192.168.1.1, proving local IP connectivity to that device. However, the device at 192.168.1.1 may not be the correct default gateway for reaching external networks; the actual gateway router might be at a different IP (e.g., 192.168.1.254). This misconfiguration explains why pings to 8.8.8.8 fail even though the local gateway responds, as the workstation sends external traffic to the wrong next-hop address.

Exam trap

This question tests the ability to differentiate between local connectivity issues and routing issues. A common trap is to assume DNS is the problem when users cannot access websites, but the failure to ping an external IP indicates a routing problem, not a name resolution problem. Also, successful ping to the gateway eliminates many Layer 2 or IP configuration issues.

Why the other options are wrong

B

A duplicate IP would cause intermittent or lost connectivity and likely prevent a consistent reply from the gateway.

C

Being on the wrong VLAN would typically prevent the workstation from receiving an IP in the 192.168.1.0/24 subnet and reaching the gateway at 192.168.1.1.

D

DNS is only used for name resolution; pinging an IP address directly does not involve DNS, so a DNS misconfiguration cannot cause the ping failure to 8.8.8.8.

140
Matching (easy)

Match each data format or model with the best description.

Lightweight key-value data representation

Tag-based markup format

Data modeling language for network configuration and state

Uses HTTP methods such as GET and POST to work with resources

Why these pairings

JSON is a lightweight key-value data representation. XML uses tags to define structured data. YANG is a data modeling language for network configuration and state.

REST APIs use HTTP methods such as GET and POST to work with resources.

Exam trap

The trap is confusing data formats (JSON, XML, YAML) with data modeling languages (YANG) and protocols (NETCONF, RESTCONF). Remember that YANG is a modeling language that defines data structures, while formats like JSON and XML are used to serialize that data, and protocols like NETCONF and RESTCONF transport it.

141
MCQ (hard)

Two switches are bundled with LACP, but only one physical link is forwarding traffic in the port-channel. What is the most likely reason?

A.One member interface has a trunk configuration mismatch
B.LACP requires exactly one active and one passive side only
C.STP blocks all but one interface inside every EtherChannel
D.EtherChannel cannot be used on trunk ports
Answer: A

A mismatch in Layer 2 settings is a classic reason a link is suspended or left out of the channel.

Why this answer

For an EtherChannel to form correctly, the member interfaces must match on key settings such as speed, duplex, trunking, and allowed VLAN list. A mismatch keeps one link from bundling even if LACP is enabled on both sides.

Exam trap

Be careful not to confuse individual link issues with overall port-channel configuration problems. Ensure all settings match across member interfaces.

Why the other options are wrong

B

LACP supports active-active mode where both sides are configured as active, which is a common and valid configuration. The statement that LACP requires exactly one active and one passive side is incorrect; active-passive is just one possible combination.

C

STP treats the entire EtherChannel as a single logical interface, so it does not block individual member links. STP will only block the port-channel itself if there is a loop, but it does not block all but one interface inside the channel.

D

EtherChannel is commonly used on trunk ports to increase bandwidth and provide redundancy between switches. There is no restriction that prevents EtherChannel from being used on trunk ports; in fact, it is a best practice for inter-switch links.

142
Drag & Drop (medium)

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and 802.1X port authentication on a Cisco IOS-XE switch.


Why this order

The correct order for AAA with RADIUS and 802.1X is: global config, enable AAA, configure RADIUS server, define authentication method list, then enable 802.1X on the interface.

Exam trap

Candidates often confuse the order of AAA configuration steps, especially whether to configure the RADIUS server before or after defining the method list. Remember: AAA must be enabled first, then the server, then the method list, then interface configuration.

143
PBQ (hard)

You are troubleshooting connectivity between R1 and R2. R1's GigabitEthernet0/0 interface is configured with a static IP of 10.0.0.1/30 but cannot ping its neighbor R2 at 10.0.0.2/30. R1 is using a 1000BASE-T SFP module to connect to a 1000BASE-LX/LH SFP on R2, but the link is down. Diagnose and resolve the issue by adjusting interface speed and duplex settings, and ensure the correct SFP is used for the 2 km fiber run.

Network Topology (diagram): R1 G0/0 (10.0.0.1/30) connected to R2 G0/0 (10.0.0.2/30) over a 2 km fiber run.

Hints

  • Auto-negotiation is not supported on fiber SFPs; it must be disabled.
  • The 1000BASE-T SFP is for copper cables (max 100m), not for fiber runs of 2 km.
  • Check the SFP type using 'show interfaces gigabitethernet 0/0 transceiver' after replacement.
A.Replace the 1000BASE-T SFP with a 1000BASE-LX/LH SFP, then on R1 configure 'no negotiation auto', 'speed 1000', and 'duplex full'.
B.Keep the 1000BASE-T SFP and configure 'no negotiation auto', 'speed 1000', and 'duplex full' on R1.
C.Replace the 1000BASE-T SFP with a 1000BASE-LX/LH SFP, then configure 'speed 1000' and 'duplex full' on R1 without disabling auto-negotiation.
D.Replace the 1000BASE-T SFP with a 1000BASE-LX/LH SFP, then configure 'no negotiation auto' on R1 without setting speed and duplex.
Answer: A
solution
! R1 (after physically replacing the 1000BASE-T SFP with a 1000BASE-LX/LH module)
configure terminal
interface gigabitEthernet 0/0
 no negotiation auto
 speed 1000
 duplex full
end

Why this answer

The link is down because auto-negotiation is enabled on R1's SFP port (which uses a 1000BASE-T SFP) while R2's port uses a 1000BASE-LX/LH SFP. Auto-negotiation must be disabled on both sides for fiber SFPs. Additionally, the 1000BASE-T SFP is for copper twisted-pair and cannot connect to a fiber SFP; it must be replaced with a 1000BASE-LX/LH SFP to match the 2 km distance.

Commands to fix: on R1, 'no negotiation auto' disables auto-negotiation; 'speed 1000' and 'duplex full' set the correct parameters; then the SFP must be physically replaced with a 1000BASE-LX/LH module.

Exam trap

This question tests your understanding of SFP compatibility and the need to disable auto-negotiation on fiber interfaces. A common trap is to focus only on the auto-negotiation issue while ignoring the media mismatch, or to forget that speed and duplex must be manually set when auto-negotiation is disabled.

Why the other options are wrong

B

The specific factual error is that 1000BASE-T SFPs use copper cabling and cannot interface with fiber SFPs; they are incompatible.

C

The specific factual error is that auto-negotiation must be disabled on fiber SFPs; leaving it enabled can prevent the link from coming up.

D

The specific factual error is that disabling auto-negotiation does not automatically set speed and duplex; they must be configured manually.

144
Multi-Select (medium)

Which TWO of the following statements about Spanning Tree Protocol (STP) and Rapid PVST+ are true?

Select 2 answers
A.The root bridge in STP is elected based on the lowest bridge ID.
B.The root bridge in STP is elected based on the highest bridge ID.
C.PortFast automatically enables BPDU Guard on an interface.
D.BPDU Guard places a PortFast-enabled port into an error-disabled state if a BPDU is received.
E.Rapid PVST+ uses a different root bridge election process than traditional STP.
Answers: A, D

The bridge ID consists of priority and MAC address; the switch with the lowest bridge ID becomes the root bridge.

Why this answer

Option A is correct because the root bridge in STP is elected based on the numerically smallest bridge ID (priority + MAC address). Option D is correct because BPDU Guard, when enabled on a PortFast-enabled port, immediately error-disables the port if a BPDU is received, protecting against accidental loops. Option B is incorrect because the root bridge is chosen by the lowest bridge ID, not the highest.

Option C is incorrect because PortFast and BPDU Guard are independent features; PortFast does not automatically enable BPDU Guard. Option E is incorrect because both traditional STP (802.1D) and Rapid PVST+ (RSTP-based) use the same root bridge election process—lowest bridge ID.

Exam trap

Cisco often tests the misconception that PortFast and BPDU Guard are linked. They are separate features that must be configured independently; the trap is assuming that enabling PortFast also enables BPDU Guard.

Why the other options are wrong

B

The root bridge is elected based on the lowest bridge ID, not the highest.

C

PortFast does not automatically enable BPDU Guard; they must be configured separately.

E

Rapid PVST+ uses the same root bridge election process (lowest bridge ID) as traditional STP.

145
Multi-Select, medium

A switch port was configured for sticky MAC learning. Which two statements accurately describe how the feature behaves?

Select 2 answers
A.The switch can dynamically learn MAC addresses and add them to the running configuration as secure MAC addresses.
B.Sticky learning removes the need to enable port security on the interface.
C.Saved sticky addresses can become part of the startup configuration if the running configuration is saved.
D.Sticky learning automatically converts the interface into a trunk port.
E.Sticky learning prevents the maximum secure MAC limit from being enforced.
Answers: A, C

This is correct because sticky MAC learning lets the switch observe source MAC addresses arriving on the port and then record them as secure MAC entries. That gives the convenience of dynamic discovery with the control of port security.

Why this answer

Sticky MAC learning is Cisco’s way of letting a port learn device MAC addresses automatically, while still treating them as secure addresses under port security. In everyday language, it saves the administrator from typing each allowed MAC address by hand. As devices connect, the switch can learn their MAC addresses and place them into the running configuration as sticky secure MACs.

If the administrator later saves the configuration, those learned entries can also be written into startup-config and survive a reboot. The feature does not replace port security; it works as part of port security. It also does not change the port into a trunk or disable the maximum address count.

So the two correct ideas are dynamic secure learning and the ability to preserve those learned MACs by saving the configuration.

Exam trap

Remember, sticky MAC learning is a feature of port security, not a replacement or a mode change.

Why the other options are wrong

B

Sticky MAC learning is a feature of port security and cannot function without port security being enabled on the interface. The command 'switchport port-security' must be configured first, and then 'switchport port-security mac-address sticky' enables sticky learning.

D

Sticky MAC learning is a port security feature that operates on access ports and does not affect the interface's operational mode. Trunk ports are configured separately using 'switchport mode trunk' and are used for carrying multiple VLANs, which is unrelated to MAC address learning behavior.

E

Sticky MAC learning does not override the maximum secure MAC address limit configured with 'switchport port-security maximum'. If the number of learned sticky addresses reaches the limit, additional MAC addresses will trigger a security violation, just like with dynamically learned addresses.

146
Matching, medium

Match each security concept to its most accurate role.


Concepts: Confidentiality, Integrity, Availability, Authentication

Matches:
Confidentiality: Protection against unauthorized disclosure
Integrity: Protection against unauthorized modification
Availability: Ensuring systems and data remain accessible when needed
Authentication: Verification of identity

Why these pairings

Confidentiality, integrity, and availability are the CIA triad. Authentication verifies identity, authorization grants permissions, and accounting logs actions.

Exam trap

Be careful not to confuse the three components of the CIA triad. Each has a distinct role: confidentiality (secrecy), integrity (accuracy), availability (uptime). Also, authentication is not part of the CIA triad but is a related security function.

147
Matching, medium

Match each REST API method to the action it most closely represents in a typical network automation workflow.


Concepts: GET, POST, PUT, DELETE

Matches:
GET: Retrieve a resource
POST: Create a new resource
PUT: Update or replace a resource
DELETE: Remove a resource

Why these pairings

GET retrieves data, POST creates new resources, PUT updates/replaces, PATCH partially updates, DELETE removes, and OPTIONS queries available methods. These correspond to common network automation workflows.

Exam trap

Be careful not to confuse PUT and PATCH: PUT replaces the entire resource, while PATCH applies a partial update. Also, remember that POST is for creating new resources, not for updating. These are common traps in CCNA automation questions.

148
Multi-Select, medium

Which TWO interface error counters indicate a Layer 1 issue?

Select 2 answers
A.CRC errors
B.Output queue drops
C.Runts
D.Input errors
E.Ignored packets
Answers: A, C

CRC errors indicate a mismatch in the frame check sequence, commonly due to physical layer issues like bad cabling or electromagnetic interference.

Why this answer

CRC errors occur when the cyclic redundancy check computed at the receiver does not match the value appended by the sender, indicating that the frame was corrupted during transmission. This corruption is typically caused by physical-layer problems such as faulty cabling, bad connectors, or excessive electrical noise. Runts are frames that are smaller than the minimum Ethernet frame size of 64 bytes (excluding preamble), and they often result from collisions or transceiver issues that are Layer 1 phenomena.

Both counters directly point to physical-layer impairments rather than logical or congestion-related issues.

Exam trap

Cisco often tests the distinction between Layer 1 errors (CRC, runts, giants, frame errors) and Layer 2/3 congestion indicators (output drops, input drops, ignored counts). The trap is that candidates associate any 'drop' or 'error' counter with the physical layer without considering the underlying cause.

Why the other options are wrong

B

Output queue drops occur when the transmit queue is full due to congestion, typically at Layer 3 (IP) or Layer 2 (switching). They are not caused by physical layer issues but by traffic overload or insufficient buffer space.

D

The 'input errors' counter is a catch-all that includes CRC, runts, giants, and framing errors. While it can indicate Layer 1 issues, it is not specific to Layer 1 because it also includes errors from higher layers (e.g., alignment errors). The question asks for counters that indicate a Layer 1 issue, and input errors is too broad.

E

Ignored packets are dropped due to buffer overflow, often from high traffic or hardware limitations, not specifically a Layer 1 error. They are typically caused by congestion at Layer 2 or Layer 3, not physical layer faults.

149
Matching, medium

Drag and drop the items on the left to the correct descriptions on the right.


Concepts: Puppet, Chef, Ansible, Python, REST API

Matches:
Puppet: Tool employing a pull mechanism for node configuration using a proprietary DSL
Chef: Framework that uses Ruby-coded recipes within a client-server deployment model
Ansible: Solution providing agentless orchestration via SSH and YAML-written playbooks
Python: High-level programming language utilized for scripting network automation tasks
REST API: Web-based interface for programmatic device management using HTTP methods

Why these pairings

Puppet is a tool employing a pull mechanism for node configuration using a proprietary DSL. Chef is a framework that uses Ruby-coded recipes within a client-server deployment model. Ansible is a solution providing agentless orchestration via SSH and YAML-written playbooks.

Python is a high-level programming language utilized for scripting network automation tasks. REST API is a web-based interface for programmatic device management using HTTP methods.

150
MCQ, hard

A network administrator has configured HSRP between RouterA and RouterB for VLAN 10. End hosts using the virtual IP 192.168.1.1 as their default gateway experience intermittent connectivity losses, and pings to 192.168.1.1 often fail. The output of 'show standby brief' on both routers shows the state as Active. What is the most likely cause?

A.The virtual IP address is configured on only one router.
B.The routers are configured with mismatched HSRP authentication methods.
C.The HSRP group number on one router is set to 0.
D.The priority on both routers is configured to the same value.
Answer: B

Mismatched authentication (e.g., MD5 vs. text) causes each router to disregard the other's HSRP hellos. Each then assumes no peers exist and becomes Active, leading to both routers claiming the virtual IP and MAC, which results in ARP table flapping and intermittent connectivity.

Why this answer

When both routers show the HSRP state as Active, a 'dual-active' scenario exists, which causes intermittent connectivity because both routers forward traffic for the virtual IP. Mismatched HSRP authentication methods (e.g., one router using plain-text authentication and the other using MD5) prevent the routers from exchanging proper Hello messages, so they fail to negotiate a single Active router. This is the most likely cause because authentication mismatches break the HSRP adjacency, leading to both routers assuming the Active role.

Exam trap

Cisco often tests the concept that HSRP authentication mismatches cause a dual-active failure, while candidates may incorrectly assume that equal priorities or group number 0 are the root cause.

Why the other options are wrong

A

A missing virtual IP on one router does not cause both to be Active; the router without the virtual IP cannot claim the Active role for that address.

C

A group number mismatch does not cause both routers to appear as Active for the same virtual IP; they would be in separate groups.

D

Equal priority does not lead to multiple Active routers; HSRP uses the interface IP address as a tiebreaker to elect a single Active router.
