CCNA 200-301 v2 (200-301) — Questions 14261500

1819 questions total · 25pages · All types, answers revealed

Page 19

Page 20 of 25

Page 21
1426
MCQeasy

Which VLAN is used by default for most switch ports on a new Cisco switch?

A.VLAN 1
B.VLAN 99
C.VLAN 1002
D.No VLAN until the port is manually assigned
AnswerA

That is the default VLAN on most Cisco switches.

Why this answer

On a default Cisco switch, access ports belong to VLAN 1 until changed. Best practice is usually to move user ports away from VLAN 1, but the default is still VLAN 1.

Exam trap

Remember that VLAN 1 is the default VLAN on Cisco switches, despite being discouraged for use in production environments.

Why the other options are wrong

B

VLAN 99 is not the default VLAN for switch ports on a new Cisco switch; the default is VLAN 1. VLAN 99 is often used in specific configurations but is not the factory default setting.

C

VLAN 1002 is a reserved VLAN for Token Ring and FDDI, and it is not the default VLAN for switch ports on a new Cisco switch. Most switch ports default to VLAN 1 unless configured otherwise.

D

This option is incorrect because, by default, Cisco switches assign all ports to VLAN 1, not leaving them unassigned. Every port is part of VLAN 1 unless configured otherwise.

1427
PBQmedium

You are connected to R1 via console. R1 is a router that should restrict SSH access to only the management station at 192.168.1.100. Currently, SSH is enabled but any IP can connect. Configure a standard named ACL called 'SSH_ACL' to permit only the management station, and apply it to the VTY lines to filter incoming SSH connections. Ensure the VTY lines use SSH only (no Telnet). The SSH version should be set to 2.

Network Topology
G0/0192.168.1.1/24192.168.1.100LANR1Management Station

Hints

  • Create a standard ACL that permits only the management host.
  • Apply the ACL to the VTY lines with 'ip access-class'.
  • Use 'transport input ssh' to allow only SSH and 'ip ssh version 2' to enforce SSHv2.
A.R1(config)# ip access-list standard SSH_ACL R1(config-std-nacl)# permit host 192.168.1.100 R1(config-std-nacl)# deny any R1(config-std-nacl)# exit R1(config)# line vty 0 4 R1(config-line)# ip access-class SSH_ACL in R1(config-line)# transport input ssh R1(config)# ip ssh version 2
B.R1(config)# access-list SSH_ACL permit 192.168.1.100 R1(config)# line vty 0 4 R1(config-line)# access-group SSH_ACL in R1(config-line)# transport input ssh R1(config)# ip ssh version 2
C.R1(config)# ip access-list standard SSH_ACL R1(config-std-nacl)# permit 192.168.1.100 R1(config)# line vty 0 4 R1(config-line)# ip access-class SSH_ACL out R1(config-line)# transport input ssh R1(config)# ip ssh version 2
D.R1(config)# access-list SSH_ACL permit 192.168.1.100 R1(config)# line vty 0 4 R1(config-line)# ip access-class SSH_ACL in R1(config-line)# transport input all R1(config)# ip ssh version 2
AnswerA
solution
! R1
ip access-list standard SSH_ACL
permit host 192.168.1.100
deny any
line vty 0 4
ip access-class SSH_ACL in
transport input ssh
ip ssh version 2

Why this answer

The standard ACL restricts inbound connections to the VTY lines. Applying it with 'ip access-class in' filters incoming Telnet/SSH sessions. Setting 'transport input ssh' disables Telnet, and 'ip ssh version 2' ensures secure SSH version 2.

Exam trap

Be careful not to confuse 'access-group' (for interfaces) with 'access-class' (for VTY lines). Also, remember that 'in' on VTY lines filters incoming connections, while 'out' filters outgoing. Always verify the transport input setting to ensure only SSH is allowed.

Why the other options are wrong

B

The command 'access-group' is used on interfaces to filter traffic, not on VTY lines. VTY lines use 'ip access-class' to filter incoming Telnet/SSH sessions.

C

The direction 'out' on VTY lines filters traffic originating from the router (outgoing), not incoming SSH connections. The correct direction is 'in'.

D

The command 'transport input all' permits all protocols, including Telnet, which is insecure. The requirement specifies SSH only, so 'transport input ssh' is needed.

1428
PBQhard

You are troubleshooting a network connectivity issue on R1. The network 192.168.10.0/24 behind R2 must be reachable from R1 via the primary path through R2 (192.0.2.2). A backup path via R3 (198.51.100.2) should automatically take over if the primary fails. Currently, traffic to 192.168.10.0/24 is incorrectly using the backup path even though the primary path is operational. Analyze the routing table and configuration, then fix the issue so that the primary path is preferred when available.

Network Topology
G0/0192.0.2.1/30G0/0192.0.2.2/30linkG0/1198.51.100.1/30G0/0198.51.100.2/30linkR1R2R3

Hints

  • Compare the Administrative Distance values in the routing table for the two paths.
  • The default AD for a static route is 1; a floating static uses a higher AD.
  • You need to swap the AD values between the primary and backup routes.
A.Remove the static route to 192.168.10.0/24 via 198.51.100.2 and add a floating static route via 198.51.100.2 with AD 200. Ensure the primary route via 192.0.2.2 uses default AD 1.
B.Change the AD of the static route via 192.0.2.2 to 200 and the AD of the route via 198.51.100.2 to 1.
C.Add a static route to 192.168.10.0/24 via 192.0.2.2 with AD 1 and remove the existing route via 198.51.100.2.
D.Configure a policy-based route to prefer the next-hop 192.0.2.2 for traffic to 192.168.10.0/24.
AnswerA
solution
! R1
no ip route 192.168.10.0 255.255.255.0 198.51.100.2
no ip route 192.168.10.0 255.255.255.0 192.0.2.2 200
ip route 192.168.10.0 255.255.255.0 192.0.2.2
ip route 192.168.10.0 255.255.255.0 198.51.100.2 200

Why this answer

The routing table shows a static route to 192.168.10.0/24 via 198.51.100.2 with Administrative Distance (AD) 1, which is the default for static routes. The intended primary path via 192.0.2.2 was configured with AD 200 (floating static), but because the default AD (1) is lower than 200, the backup route is preferred. The fix is to reconfigure the primary path with the default AD (1) and the backup path with a higher AD (e.g., 200).

This ensures the primary path is used when available and the backup takes over only if the primary fails.

Exam trap

The trap is confusing which route is primary and which is backup. The route with lower AD is preferred, so the backup must have a higher AD. Candidates often misconfigure the AD values, setting the primary with a higher AD.

Why the other options are wrong

B

Swapping the ADs would keep the backup route preferred, failing to make the primary path active when available.

1429
MCQhard

A switch port connected to a workstation is configured with sticky MAC learning and a maximum secure MAC count of 1. What is the main operational benefit of sticky learning in this case?

A.It dynamically learns a secure MAC address and can preserve it if the configuration is saved.
B.It disables the maximum secure MAC limit on the interface.
C.It automatically saves the running configuration to the startup configuration after learning the MAC address.
D.It prevents the port from ever generating a security violation.
AnswerA

This is correct because sticky MAC learning records the observed address as a secure port-security entry.

Why this answer

Sticky learning gives the convenience of dynamic discovery while still treating the learned address as a secure port-security entry. In practical terms, the switch can observe the first legitimate MAC address on the port and record it as a secure address without the administrator having to type that address manually. If the running configuration is later saved, that sticky entry can persist after a reload.

This is useful because it balances ease of deployment with access control. The maximum secure MAC count still matters, and port security is still active. Sticky learning does not replace port security; it works within it.

Exam trap

Be careful not to confuse sticky learning with allowing multiple MAC addresses or automatic removal of unauthorized addresses.

Why the other options are wrong

B

Option B is incorrect because sticky MAC learning does not disable the maximum secure MAC limit; it simply allows the switch to learn and retain the MAC address within that limit. The maximum secure MAC count remains enforced regardless of sticky learning.

C

Sticky learning does not automatically save the running configuration; it only adds the learned MAC to the running configuration, which must be explicitly saved to the startup configuration to persist across reboots.

D

This option is incorrect because sticky MAC learning does not prevent security violations; it only allows the learned MAC address to be retained across reboots if saved. A security violation can still occur if an unauthorized MAC address is detected on the port.

1430
PBQmedium

You are connected to R1 via the console. R1's GigabitEthernet0/0 (10.0.0.1/30) connects to a WAN link to the ISP. GigabitEthernet0/1 (192.168.1.1/24) connects to the internal LAN with hosts needing Internet access. The ISP has allocated public IP pool 203.0.113.16/28 (203.0.113.17-203.0.113.30). The internal LAN should use NAT overload (PAT) to translate all internal traffic to the public IP 203.0.113.18. The router currently has no NAT configuration. Configure NAT overload on R1 to allow internal hosts to access the Internet.

Network Topology
G0/1192.168.1.1/24G0/010.0.0.1/30Internal HostsLANR1WANISP

Hints

  • Think about which interfaces are inside and outside the NAT domain.
  • The overload keyword enables PAT.
  • Use an ACL to define which internal addresses are eligible for translation.
A.access-list 1 permit 192.168.1.0 0.0.0.255 ip nat inside source list 1 interface GigabitEthernet0/0 overload interface GigabitEthernet0/1 ip nat inside interface GigabitEthernet0/0 ip nat outside
B.access-list 1 permit 192.168.1.0 0.0.0.255 ip nat inside source list 1 interface GigabitEthernet0/1 overload interface GigabitEthernet0/1 ip nat inside interface GigabitEthernet0/0 ip nat outside
C.access-list 1 permit 192.168.1.0 0.0.0.255 ip nat inside source list 1 pool ISP_POOL overload ip nat pool ISP_POOL 203.0.113.18 203.0.113.18 netmask 255.255.255.240 interface GigabitEthernet0/1 ip nat inside interface GigabitEthernet0/0 ip nat outside
D.access-list 1 permit 192.168.1.0 0.0.0.255 ip nat inside source list 1 interface GigabitEthernet0/0 interface GigabitEthernet0/1 ip nat inside interface GigabitEthernet0/0 ip nat outside
AnswerC
solution
! R1
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
interface GigabitEthernet0/1
ip nat inside
interface GigabitEthernet0/0
ip nat outside

Why this answer

The requirement is to translate all internal traffic to the specific public IP 203.0.113.18, not the physical interface's address. Option C achieves this with a NAT pool containing that IP and the overload keyword, enabling PAT. Option A translates to the interface's IP (10.0.0.1), contradicting the requirement.

Option B references the wrong interface in the translation command and lacks overload, while Option D omits the overload keyword entirely, providing only one-to-one NAT.

Exam trap

A common pitfall is assuming the outside interface's IP satisfies a translation requirement when a specific public IP from a pool is explicitly mandated.

Why the other options are wrong

A

Uses the outside interface IP (10.0.0.1) instead of the required 203.0.113.18.

B

The translation command uses the inside interface, which would not provide the correct source address for outbound traffic.

D

Missing the 'overload' keyword, so only one-to-one NAT occurs, preventing multiple hosts from sharing the IP.

1431
Matchingmedium

Match each JSON term to its most accurate meaning.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Field name

Content associated with a field

Group of key-value pairs

Ordered list of items

Why these pairings

JSON terms: Object is a collection of key/value pairs; Array is an ordered list; Key is the name; Value is the data; String is text in quotes; Boolean is true/false.

Exam trap

The trap is that candidates may misremember the definitions of JSON data types, especially confusing objects with arrays because both can contain multiple values. Remember: objects use curly braces and have named keys; arrays use square brackets and are ordered lists.

1432
PBQhard

You are connected to R1. The network uses private IP 10.10.10.0/24 on the inside and must reach the Internet via the outside interface G0/1 with public IP 203.0.113.1/29. Configure PAT (NAT overload) so that inside hosts can access the Internet, and also configure a static NAT for the internal server 10.10.10.100 to public IP 203.0.113.2. The current configuration has errors: the inside and outside interfaces are swapped, the ACL is incorrectly defined, and the overload keyword is missing. Fix all issues.

Network Topology
G0/0 inside10.10.10.1/2410.10.10.0/24G0/1 outside203.0.113.1/29Inside hostsswitchR1Internet

Hints

  • Check which interface is marked inside and which is outside — the private IP network should be inside.
  • The ACL must match the actual inside subnet, not a different network.
  • PAT requires the 'overload' keyword on the ip nat inside source command.
A.On G0/0: ip nat inside; on G0/1: ip nat outside; ACL 10 permit 10.10.10.0 0.0.0.255; ip nat inside source list 10 interface GigabitEthernet0/1 overload
B.On G0/0: ip nat outside; on G0/1: ip nat inside; ACL 10 permit 10.10.10.0 0.0.0.255; ip nat inside source list 10 interface GigabitEthernet0/1 overload
C.On G0/0: ip nat inside; on G0/1: ip nat outside; ACL 10 permit 192.168.1.0 0.0.0.255; ip nat inside source list 10 interface GigabitEthernet0/1 overload
D.On G0/0: ip nat inside; on G0/1: ip nat outside; ACL 10 permit 10.10.10.0 0.0.0.255; ip nat inside source list 10 interface GigabitEthernet0/1
AnswerA
solution
! R1
interface GigabitEthernet0/0
no ip nat outside
ip nat inside
exit
interface GigabitEthernet0/1
no ip nat inside
ip nat outside
exit
no access-list 10
access-list 10 permit 10.10.10.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0/1 overload

Why this answer

The configuration had three faults: (1) The inside interface (G0/0 with private IP) was marked 'ip nat outside', and the outside interface (G0/1 with public IP) was marked 'ip nat inside' — these must be swapped. (2) The ACL 10 permitted 192.168.1.0/24 instead of the actual inside subnet 10.10.10.0/24. (3) The NAT command 'ip nat inside source list 10 interface GigabitEthernet0/1' was missing the 'overload' keyword, which is required for PAT. The static NAT was correctly defined. After fixing all three, inside hosts will be able to access the Internet using PAT.

Exam trap

Watch out for three common NAT configuration mistakes: swapping inside/outside interface designations, using an ACL that does not match the actual inside network, and forgetting the 'overload' keyword for PAT. Always verify the interface IP addresses and the ACL permit statement.

Why the other options are wrong

B

The specific factual error is that the 'ip nat inside' and 'ip nat outside' commands are applied to the wrong interfaces. The inside interface must be the one facing the internal network, and the outside interface must be the one facing the external network.

C

The specific factual error is that the ACL does not match the correct inside network. The ACL in the NAT configuration must permit the exact private IP range used on the inside network.

D

The specific factual error is the omission of the 'overload' keyword. PAT (overload) is required to allow multiple inside hosts to share a single public IP address by using different source ports.

1433
MCQhard

A network engineer is troubleshooting a link between two Cisco switches that are connected via a 1000BASE-LX SFP transceiver. Hosts on VLAN 10 on Switch A cannot ping the default gateway on Switch B. The interface on Switch A is up, but the engineer notices CRC errors incrementing. What should the engineer do to resolve this issue?

A.Replace the SFP with a 1000BASE-SX transceiver
B.Use a mode-conditioning patch cable between the SFP and the fiber patch panel
C.Configure the same VLAN on both switch interfaces
D.Replace the fiber cable with a single-mode fiber cable
AnswerB

A mode-conditioning patch cable corrects the mismatch when using a single-mode transceiver over multimode fiber, preventing signal dispersion.

Why this answer

The 1000BASE-LX SFP transceiver operates at 1310 nm over single-mode fiber (SMF). When connected to multimode fiber (MMF), the larger core diameter causes excessive modal dispersion, leading to CRC errors. A mode-conditioning patch cable (mode-conditioning patch cord) launches the laser off-center into the MMF core, reducing differential mode delay and restoring proper signal integrity.

This is a known Cisco best practice for LX transceivers on MMF links.

Exam trap

Cisco often tests the misconception that CRC errors always indicate a bad cable or transceiver, when in fact the root cause can be a mode mismatch between LX optics and multimode fiber that is fixed with a mode-conditioning patch cable rather than replacing the fiber or transceiver.

Why the other options are wrong

A

Using SX would not fix the issue because the fiber is multimode and LX is designed for longer distances; the problem is the cable type mismatch, not the transceiver type.

C

The interface is up/up, so VLAN mismatch is not the issue.

D

Although replacing with single-mode fiber would work, the exhibit does not show CRC errors, so the problem is more likely a mode-conditioning issue.

1434
Multi-Selectmedium

Which TWO statements accurately describe wireless LAN fundamentals for CCNA 200-301 v2.0? (Choose two.)

Select 2 answers
A.802.11ax uses MU‑MIMO only for downlink transmissions.
B.802.11ac operates only in the 5 GHz frequency band.
C.Overlapping channels in the 2.4 GHz band are used to maximize non-overlapping channel availability.
D.WPA3 uses Simultaneous Authentication of Equals (SAE) to provide stronger password-based authentication.
E.A wireless LAN controller (WLC) is typically managed via its console port for day-to-day operations.
AnswersB, D

802.11ac is a 5 GHz-only standard, providing wider channels and higher data rates compared to 2.4 GHz.

Why this answer

Option B is correct: 802.11ac (Wi‑Fi 5) operates exclusively in the 5 GHz band, leveraging wider channels (up to 160 MHz) and reduced interference. Option D is correct: WPA3 introduces Simultaneous Authentication of Equals (SAE) for robust password‑based authentication, replacing the weaker WPA2 four‑way handshake. Option A is wrong: 802.11ax (Wi‑Fi 6) supports MU‑MIMO for both uplink and downlink, not only downlink.

Option C is wrong: Overlapping channels in the 2.4 GHz band reduce throughput and are not used to maximize availability; instead, non‑overlapping channels (1, 6, 11) are recommended. Option E is wrong: A WLC is typically managed via a web GUI, SSH, or SNMP, not via its console port for routine operations; console access is used for initial setup or troubleshooting.

Exam trap

Cisco often tests the misconception that 802.11ac operates in both 2.4 GHz and 5 GHz bands, or that MU-MIMO in 802.11ax is exclusive to uplink, when in fact 802.11ax supports MU-MIMO bidirectionally and 802.11ac is strictly 5 GHz.

Why the other options are wrong

A

MU-MIMO is a feature of 802.11ac and 802.11ax, but 802.11ax primarily relies on OFDMA for multi-user support.

C

Overlapping channels reduce performance due to co-channel interference, not maximize non-overlapping channels.

E

Console port is used for initial configuration or troubleshooting, not for routine management.

1435
Multi-Selectmedium

Which two statements accurately describe why BGP is often relevant at an Internet or multi-provider edge?

Select 2 answers
A.It is associated with routing between autonomous systems.
B.It is used for routing between organizations and providers at the network edge.
C.It is mainly used to replace STP on access switches.
D.It is required before DHCP relay can function.
E.It is the protocol used by CAPWAP for AP discovery.
AnswersA, B

This is correct because inter-AS routing is the classic BGP scope.

Why this answer

BGP is often relevant at the edge because it is associated with route exchange between autonomous systems and large external routing domains. In practical terms, this makes it a natural protocol to discuss where organizations connect to providers or exchange external reachability. It is not just another interior campus protocol.

The question is about conceptual fit, not deep BGP attribute tuning.

Exam trap

A frequent exam trap is mistaking BGP for an internal protocol or confusing it with unrelated network functions. For example, some might incorrectly believe BGP replaces STP on access switches or is necessary for DHCP relay to work. These are incorrect because BGP operates between autonomous systems for external routing, while STP manages Layer 2 loops and DHCP relay forwards broadcast requests.

Misunderstanding BGP’s scope leads to selecting wrong answers that describe internal or unrelated protocols, so it’s important to focus on BGP’s role in inter-AS routing and external route exchange at the Internet or multi-provider edge.

Why the other options are wrong

C

Option C is incorrect because BGP does not replace Spanning Tree Protocol (STP). STP is a Layer 2 protocol used to prevent loops in Ethernet networks, whereas BGP is a Layer 3 routing protocol used for inter-AS routing.

D

Option D is incorrect since DHCP relay functions independently of BGP. DHCP relay forwards DHCP requests across subnet boundaries and does not rely on BGP routing information or sessions to operate.

E

Option E is incorrect because CAPWAP is a wireless control protocol used for managing access points and is unrelated to BGP or routing protocols used at the Internet edge.

1436
Multi-Selecthard

A technician reports that users on a guest wireless SSID can reach the internet but can also browse internal file shares, which should be blocked. Which two design actions most directly address that issue?

Select 2 answers
A.Place guest clients in a separate VLAN or VRF from internal users
B.Apply ACL policy that denies guest access to internal subnets while permitting internet access
C.Increase the AP transmit power
D.Disable DHCP on the guest WLAN
AnswersA, B

Segmentation is the core control that isolates guest traffic from corporate resources.

Why this answer

Guest access should be isolated through segmentation and policy enforcement. Separate broadcast domains and ACLs are the practical way to allow internet-only access.

Exam trap

A common exam trap is to confuse wireless coverage or connectivity settings with security controls. For example, disabling DHCP on the guest WLAN might seem like a way to block guest access to internal resources, but it actually prevents guests from obtaining IP addresses, breaking their internet connectivity rather than isolating internal file shares. Similarly, increasing AP transmit power affects signal reach but does nothing to separate guest traffic from internal users.

The trap is to overlook the necessity of logical segmentation and explicit ACL policies, which are the correct mechanisms to enforce access restrictions in Cisco wireless networks.

Why the other options are wrong

C

Incorrect. Increasing AP transmit power only affects wireless coverage and does not provide any mechanism to isolate guest traffic or block access to internal resources.

D

Incorrect. Disabling DHCP on the guest WLAN disrupts guest connectivity by preventing IP address assignment and does not effectively isolate guest traffic from internal networks.

1437
Multi-Selectmedium

Which TWO commands are required to configure a switch port to support both a desktop PC and a VoIP phone using voice VLAN?

Select 2 answers
A.switchport mode access
B.switchport mode trunk
C.switchport voice vlan <vlan-id>
D.switchport access vlan <vlan-id>
E.switchport port-security maximum 1
AnswersA, C

This command configures the port as an access port, which is required for connecting a desktop PC and a VoIP phone (the phone typically uses the access port for data and a separate voice VLAN).

Why this answer

Option A, 'switchport mode access,' is required because voice VLAN only operates on an access port. Option C, 'switchport voice vlan <vlan-id>,' is the command that actually assigns the voice VLAN ID. Option B is incorrect because a trunk port would not properly separate voice and data traffic as the phone expects an access port.

Option D is a common data VLAN configuration but is not strictly necessary for voice VLAN operation; the access VLAN can be left as the default or configured separately. Option E is wrong because 'switchport port-security maximum 1' would allow only a single MAC address, while the port must support two devices (the phone and the PC), second MAC being the phone's internal switch.

Exam trap

Candidates often mistakenly include 'switchport access vlan' as one of the two required commands, but the question specifically asks for voice VLAN configuration, not the full port setup.

Why the other options are wrong

B

Trunk mode is incompatible because the phone expects an access port, and the voice VLAN is tagged internally by the phone, not by switch port trunking.

D

Configuring an access VLAN is not mandatory for voice VLAN; the question targets only the commands unique to enabling the voice feature.

E

Limiting the port to one MAC address would block the PC's MAC, breaking dual-device support provided by the phone's internal switch.

1438
MCQhard

A router has routes to 172.20.0.0/16, 172.20.10.0/24, and 172.20.10.64/26. Which route is used for traffic to 172.20.10.70?

A.172.20.0.0/16
B.172.20.10.0/24
C.172.20.10.64/26
D.The default route
AnswerC

This is correct because .70 falls within the 172.20.10.64/26 range.

Why this answer

The /26 route is used because it is the most specific matching prefix. In practical terms, 172.20.10.70 falls inside the 172.20.10.64/26 range, so that route narrows the destination more precisely than the broader /24 and /16 routes. Longest-prefix match therefore selects the /26 entry.

This question is designed to reinforce that specificity comes first in route lookup. Broader routes remain useful, but they lose when a more exact route matches.

Exam trap

A common exam trap is to select a less specific route such as 172.20.0.0/16 or 172.20.10.0/24 because they appear to cover the destination IP 172.20.10.70. Candidates may overlook that the router always prefers the most specific route, which in this case is the /26 subnet. Choosing a broader subnet ignores the longest prefix match principle and leads to incorrect routing decisions.

This trap tests your understanding of how subnet masks influence route selection and the importance of prefix length in Cisco routing tables.

Why the other options are wrong

A

172.20.0.0/16 is the least specific route covering a large address range. Although it includes 172.20.10.70, it is overridden by more specific subnets like /24 and /26, so it is not used for this destination.

B

172.20.10.0/24 is more specific than /16 but less specific than /26. Since 172.20.10.70 falls within the /26 subnet, the router prefers the /26 route over this /24 route.

D

The default route is only used when no other routes match the destination IP. Since multiple specific routes match 172.20.10.70, the default route is not selected.

1439
Drag & Dropmedium

Drag and drop the following steps into the correct order to sequence the TCP three-way handshake between a client and a server.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The TCP three-way handshake starts with the client sending a SYN, followed by the server responding with SYN-ACK, and finally the client sending an ACK to establish the connection.

Exam trap

A common trap is confusing the order of the handshake or thinking the server initiates the connection. Remember: the client always sends the first SYN, and the server's response is a SYN-ACK (not a separate SYN and ACK).

1440
PBQhard

You are connected to R1. R1 has OSPF configured on GigabitEthernet0/0 with network 10.0.0.0 0.0.0.3 area 1, ip ospf hello-interval 10, and ip ospf dead-interval 40. R2 has OSPF configured on its GigabitEthernet0/0 with network 10.0.0.0 0.0.0.3 area 0, ip ospf hello-interval 5, and ip ospf dead-interval 20. Correct these mismatches so that R1 and R2 become OSPF neighbors.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/30linkR1R2

Hints

  • Check the OSPF area configuration on both routers.
  • Use 'show ip ospf interface' to compare hello and dead timers.
  • The timers must match exactly on both sides of the link.
A.On R1, change the network statement to area 0 and set ip ospf hello-interval 5 and ip ospf dead-interval 20 under the interface.
B.On R2, change the network statement to area 1 and set ip ospf hello-interval 10 and ip ospf dead-interval 40 under the interface.
C.On R1, change the network statement to area 0 and set ip ospf hello-interval 10 and ip ospf dead-interval 40 under the interface.
D.On R2, change the network statement to area 0 and set ip ospf hello-interval 10 and ip ospf dead-interval 40 under the interface.
AnswerA
solution
! R1
configure terminal
router ospf 1
no network 10.0.0.0 0.0.0.3 area 1
network 10.0.0.0 0.0.0.3 area 0
interface gigabitethernet 0/0
ip ospf hello-interval 5
ip ospf dead-interval 20
end

Why this answer

The OSPF adjacency fails due to two mismatches. First, the area is mismatched: R1 uses area 1, R2 uses area 0 (both must be the same area, typically area 0). Second, the hello and dead timers are mismatched: R1 uses Hello 10/Dead 40, R2 uses Hello 5/Dead 20.

To fix, on R1 change the network statement to area 0 and adjust timers to match R2 (or vice versa). The solution below changes R1's area to 0 and sets hello to 5 and dead to 20 to match R2.

Exam trap

The exam trap is that candidates may focus on only one mismatch (area or timers) and forget that both must match. Additionally, they might assume that the router they are connected to should not be changed, or that default timers are always correct. Always verify all OSPF parameters that must match: area ID, hello/dead intervals, network type, and authentication.

Why the other options are wrong

B

The specific factual error is that the question implies you are connected to R1, so configuring R1 is the expected action. Additionally, using area 1 instead of area 0 is not recommended for a single-area design.

C

The specific factual error is that the timers are not changed to match R2; they remain at the original values.

D

The specific factual error is that R2's area is already 0, so changing it to area 0 is redundant. Changing R2's timers to match R1's original timers would still leave a mismatch because R1's timers are not changed.

1441
Multi-Selectmedium

Which TWO statements about fiber optic cable types and SFP transceivers are correct?

Select 2 answers
A.Single-mode fiber uses a larger core (typically 62.5/125 µm) and supports longer distances than multimode fiber.
B.Multimode fiber is commonly used in campus and data center environments for distances up to several hundred meters.
C.SFP+ transceivers support data rates up to 1 Gbps and are backward compatible with standard SFP modules.
D.Single-mode fiber typically uses laser-based transceivers and can support distances exceeding 10 km.
E.Fiber optic cables must be run with EMI shielding when deployed in environments with high electromagnetic interference.
AnswersB, D

Multimode fiber (e.g., OM3/OM4) is designed for shorter distances and is widely deployed in campus and data center backbones, typically up to 300-550 meters for 10 Gbps.

Why this answer

Multimode fiber (MMF) has a larger core (typically 50/125 µm or 62.5/125 µm) and is used for short-reach, cost-effective connections up to a few hundred meters, making option B correct. Single-mode fiber (SMF) uses a much smaller core (~9 µm) and laser-based optics to achieve distances of 10 km or more, so option D is correct. Option A is wrong because it reverses the core size characteristic: SMF has a smaller core, and the given dimensions (62.5/125 µm) refer to multimode.

Option C is wrong because SFP+ is a 10 Gbps form factor and is not inherently backward compatible with 1 Gbps SFP modules unless the switch port explicitly supports dual-rate operation. Option E is incorrect because fiber optic cables are inherently immune to electromagnetic interference (EMI) and therefore never require EMI shielding in any environment; the false statement claims they need shielding.

Exam trap

Cisco often tests the misconception that SFP+ is backward compatible with SFP at the same speed, when in fact SFP+ is a 10 Gbps standard and requires specific port support or auto-negotiation to operate with 1 Gbps SFP modules.

Why the other options are wrong

A

Single-mode fiber uses a smaller core (~9 µm); the larger core dimensions (62.5/125 µm) belong to multimode fiber.

C

SFP+ transceivers support 10 Gbps speeds, not 1 Gbps, and are not universally backward compatible with standard SFP modules.

E

Fiber optic cables are immune to EMI and do not require any shielding; the claim that they need EMI shielding is false.

1442
MCQhard

A host is configured as 192.168.100.65/26. What is the valid host range for its subnet?

A.192.168.100.65 to 192.168.100.126
B.192.168.100.64 to 192.168.100.127
C.192.168.100.1 to 192.168.100.62
D.192.168.100.66 to 192.168.100.127
AnswerA

This is correct because the subnet is 192.168.100.64/26, leaving .65 through .126 as usable hosts.

Why this answer

A /26 creates blocks of 64 addresses. In plain language, the subnets in the last octet are 0–63, 64–127, 128–191, and 192–255. Because the host address is 192.168.100.65, it belongs to the 64–127 block. In that block, 192.168.100.64 is the network address and 192.168.100.127 is the broadcast address. That leaves 192.168.100.65 through 192.168.100.126 as the valid host range.

This checks whether you can identify both the subnet boundary and the usable range.

Exam trap

Remember to exclude the network and broadcast addresses when determining the valid host range.

Why the other options are wrong

B

This option is incorrect because it includes the network address (192.168.100.64) and the broadcast address (192.168.100.127) for the subnet, which are not valid host addresses. The valid host range for a /26 subnet starts from 192.168.100.65 to 192.168.100.126.

C

Option C is incorrect because it suggests a host range that does not align with the subnet mask /26, which allows for a range of 192.168.100.64 to 192.168.100.127, but excludes the actual valid hosts for the specified IP address.

D

Option D is incorrect because it suggests a host range that starts from 192.168.100.66, which is outside the valid range for the subnet 192.168.100.64/26. The correct range should include all hosts from 192.168.100.65 to 192.168.100.126.

1443
Multi-Selecthard

Which two statements accurately describe UDP compared with TCP?

Select 2 answers
A.UDP is connectionless.
B.UDP always guarantees delivery and sequencing.
C.UDP has lower overhead because it uses a simpler header and no session establishment.
D.UDP requires a three-way handshake before application data can be sent.
E.UDP cannot be used by DNS.
AnswersA, C

This is correct because UDP does not establish a connection before sending data.

Why this answer

UDP is designed for simplicity and speed rather than built-in reliability. In plain terms, it sends data without creating a formal conversation first. That is why it is called connectionless. Because it does not perform the same reliability features as TCP, its header is smaller and the protocol adds less overhead. This makes UDP a good fit for applications that care more about speed or low delay than guaranteed delivery at the transport layer.

UDP does not perform a three-way handshake, and it does not guarantee delivery. It is also used by many real services, including DNS in common query scenarios.

Exam trap

Be careful not to confuse the connection-oriented features of TCP with UDP, which is connectionless and does not guarantee delivery.

Why the other options are wrong

B

This option is wrong because UDP does not guarantee delivery or sequencing; it is designed for speed and efficiency, sacrificing reliability. TCP, on the other hand, ensures that data is delivered in order and without loss.

D

This option is wrong because UDP is a connectionless protocol that does not require a three-way handshake for data transmission, unlike TCP, which establishes a connection before sending data.

E

This option is wrong because UDP is widely used by DNS for its quick query-response nature, allowing for faster resolution of domain names without the overhead of connection establishment.

1444
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure an LACP EtherChannel on two Cisco switches.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

Start in global config, select interfaces, set channel-group mode to active on each interface (at least one side must be active; the other can be active or passive), then verify. This order ensures consistent negotiation and correct channel formation.

Exam trap

The exam trap is that candidates often confuse the order of steps or try to set channel-group mode globally. Remember: you must first enter global config, then select interfaces, then set the mode per interface. Also, LACP can form with one side active and the other passive; both active is not strictly required.

1445
MCQhard

A network administrator is configuring a Layer 2 EtherChannel between two switches. Switch A uses 'channel-group 1 mode active', and Switch B uses 'channel-group 1 mode desirable'. All member interfaces are trunk ports with identical allowed VLANs. The EtherChannel fails to form. What is the most likely cause?

A.The switches are using different EtherChannel negotiation protocols.
B.A Layer 2 EtherChannel cannot carry trunk links.
C.The channel-group number must be different on each switch.
D.The member interfaces must be in access mode before the bundle can form.
AnswerA

LACP active cannot form a channel with PAgP desirable.

Why this answer

The two switches are using different negotiation protocols: LACP (active) on one side and PAgP (desirable) on the other. EtherChannel requires both sides to use the same protocol, so this protocol mismatch prevents the bundle from forming. The other settings—trunking, VLAN configuration, and channel-group number—are correctly configured and do not cause the failure.

Exam trap

Ensure both sides of an EtherChannel use the same negotiation protocol; mismatches are a common setup error.

Why the other options are wrong

B

This option is incorrect because a Layer 2 EtherChannel can indeed carry trunk links, allowing multiple VLANs to be transmitted over the same logical link. The issue with the EtherChannel not forming is more likely related to mismatched negotiation protocols or other configuration errors.

C

This option is wrong because the channel-group number must be the same on both switches for an EtherChannel to form. Different numbers would prevent the aggregation of the links.

D

This option is wrong because a Layer 2 EtherChannel can indeed carry trunk links, allowing multiple VLANs to be transmitted over the same link. Therefore, the inability to form the EtherChannel is not due to the mode of the member interfaces.

1446
Multi-Selectmedium

Which four of the following are true statements regarding the operation of DHCP snooping on a Cisco switch? (Choose all that apply. There are four correct answers.)

Select 4 answers
.DHCP snooping distinguishes trusted and untrusted ports.
.By default, all ports are considered untrusted for DHCP snooping.
.DHCP snooping can rate-limit DHCP messages to prevent denial-of-service attacks.
.DHCP snooping builds and maintains a DHCP snooping binding database (also called a binding table).
.DHCP snooping prevents rogue DHCP servers by allowing only authorized servers on any port.
.DHCP snooping requires an external DHCP server to be configured on the switch.

Why this answer

The four correct statements are true because DHCP snooping is a security feature that operates by classifying switch ports as trusted or untrusted. By default, all ports are untrusted, meaning they cannot send DHCP server messages (OFFER, ACK, NAK) unless explicitly configured as trusted. Rate-limiting DHCP messages on untrusted ports mitigates DHCP starvation attacks, and the binding database (MAC-to-IP mapping) is built from DHCP ACK messages to prevent IP spoofing.

The incorrect statement "DHCP snooping requires an external DHCP server to be configured on the switch" is false because DHCP snooping itself does not require the switch to act as a DHCP server; it simply relies on DHCP messages from a legitimate server reachable through a trusted port.

Exam trap

Cisco often tests the misconception that DHCP snooping can be configured to allow authorized servers on any port, but the feature strictly enforces that only trusted ports can source DHCP server messages, regardless of the server's IP or MAC address.

1447
Matchingmedium

Match each switchport or trunking concept to its most accurate role.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Endpoint-facing port that normally belongs to one VLAN

Link that carries multiple VLANs

Restriction controlling which VLANs traverse the trunk

VLAN associated with untagged traffic on the trunk

Why these pairings

Access port: carries traffic for a single VLAN (usually to an endpoint).

Trunk: carries traffic for multiple VLANs between switches.

Allowed VLAN list: controls which VLANs are permitted to traverse the trunk.

Native VLAN: carries untagged frames on the trunk (typically VLAN 1).

The other terms (Dynamic Desirable, Dynamic Auto, Trunking, DTP) are related to trunk negotiation or generic concepts, not directly matched to these roles.

Exam trap

Do not confuse DTP negotiation modes (Dynamic Desirable, Dynamic Auto) with port roles (access, trunk). Access ports are statically assigned to one VLAN, while trunk ports carry multiple VLANs.

1448
MCQmedium

What problem do first-hop redundancy protocols such as HSRP solve?

A.They prevent duplicate MAC addresses on a LAN
B.They provide a backup default gateway for end hosts
C.They replace spanning tree on switched networks
D.They encrypt traffic between users and the default gateway
AnswerB

Correct. FHRPs provide gateway redundancy for hosts.

Why this answer

First-hop redundancy protocols allow hosts to use a virtual default gateway that can remain available even if one physical router fails.

Exam trap

A frequent exam trap is mistaking HSRP for a protocol that prevents duplicate MAC addresses or replaces Spanning Tree Protocol (STP). While STP prevents Layer 2 loops by blocking redundant paths, HSRP operates at Layer 3 to provide gateway redundancy. Another trap is assuming HSRP encrypts traffic between hosts and routers, which it does not.

Candidates might also confuse HSRP with routing protocols like OSPF or EIGRP, but HSRP only manages default gateway availability, not routing decisions. Understanding these distinctions is crucial to avoid selecting incorrect options that describe unrelated network functions.

Why the other options are wrong

A

Option A incorrectly states that HSRP prevents duplicate MAC addresses on a LAN. Duplicate MAC address prevention is a function of Layer 2 protocols and network design, not HSRP, which operates at Layer 3 to provide gateway redundancy.

C

Option C incorrectly claims that HSRP replaces Spanning Tree Protocol (STP). STP prevents Layer 2 switching loops, while HSRP provides Layer 3 gateway redundancy; they serve distinct purposes and coexist in networks.

D

Option D incorrectly suggests that HSRP encrypts traffic between users and the default gateway. HSRP does not provide encryption; it only manages gateway availability and failover.

1449
MCQmedium

A router has routes for 10.10.0.0/16, 10.10.20.0/24, and a default route. Which route is used for destination 10.10.20.55?

A.The 10.10.0.0/16 route
B.The default route
C.The 10.10.20.0/24 route
D.The router load-balances across all matching routes
AnswerC

Correct. The /24 route is chosen.

Why this answer

The destination matches multiple routes, but the /24 is the most specific match and wins by longest prefix match.

Exam trap

Remember that routers use the longest prefix match rule, not the most general or default route, when multiple routes are available.

Why the other options are wrong

A

The 10.10.0.0/16 route is broader and encompasses the 10.10.20.0/24 subnet, but it is not the most specific match for the destination 10.10.20.55, which falls under the more specific 10.10.20.0/24 route.

B

The default route is used only when no more specific routes match the destination address. Since 10.10.20.55 falls within the 10.10.20.0/24 subnet, the default route is not applicable in this case.

D

This option is wrong because routers do not load-balance across routes unless configured to do so with specific routing protocols or settings. In this case, the most specific route, 10.10.20.0/24, is the only applicable choice for the destination 10.10.20.55.

1450
MCQhard

A router has a static route to 10.30.5.128/25, an OSPF route to 10.30.5.0/24, and a default route 0.0.0.0/0 in its routing table. Which route will the router use for destination 10.30.5.130?

A.The static route to 10.30.5.128/25
B.The OSPF route to 10.30.5.0/24
C.The default route
D.No route, because the destination is outside all prefixes shown.
AnswerA

This is correct because 10.30.5.130 falls inside the more specific /25 route.

Why this answer

The router selects the route with the longest prefix match between the destination IP and the prefixes in the routing table. 10.30.5.130 matches both 10.30.5.0/24 (prefix length 24) and 10.30.5.128/25 (prefix length 25); the /25 is more specific and wins. Option D is wrong because 10.30.5.130 falls within the subnet range of 10.30.5.128/25 (hosts .129–.254), so a valid route does exist.

Exam trap

Always prioritize the longest prefix match over broader subnets or default routes.

Why the other options are wrong

B

The OSPF route to 10.30.5.0/24 is less specific than the /25 static route, so the router prefers the longest mask.

C

The default route (0.0.0.0/0) has the shortest prefix length and would be used only if no other route matches.

D

10.30.5.130 is inside the 10.30.5.128/25 subnet range, meaning a route exists for this destination.

1451
MCQeasy

Which wireless design objective is achieved by using nonoverlapping channels in adjacent cells?

A.It increases PoE budget for the access points
B.It reduces interference between nearby APs
C.It removes the need for authentication
D.It forces all clients to use 5 GHz only
AnswerB

That is the main reason for careful channel planning.

Why this answer

The correct answer is B because using nonoverlapping channels minimizes interference between adjacent APs, improving wireless performance in dense environments. Option A is wrong because nonoverlapping channels have no effect on PoE budget, which is determined by the switch and cable specifications. Option C is wrong because authentication mechanisms operate independently of channel assignment and are still required.

Option D is wrong because nonoverlapping channels are used in both the 2.4 GHz and 5 GHz bands, and they do not mandate client use of a specific frequency.

Exam trap

Avoid confusing interference reduction with bandwidth or range improvements.

Why the other options are wrong

A

This option is incorrect because using nonoverlapping channels does not impact the Power over Ethernet (PoE) budget for access points; PoE budget is determined by the power supply and the devices connected, not by channel selection.

C

This option is incorrect because using nonoverlapping channels does not eliminate the need for authentication in wireless networks; authentication is a separate security measure that ensures only authorized users can connect.

D

This option is wrong because using nonoverlapping channels does not force clients to operate exclusively on the 5 GHz band; it simply allows for better channel management to reduce interference. Clients can still connect on both 2.4 GHz and 5 GHz bands based on their capabilities and network configuration.

1452
PBQhard

You are connected to SW1. The current configurations of interfaces GigabitEthernet0/1 and GigabitEthernet0/2 are as follows: Gi0/1: speed 100, duplex half, switchport access vlan 10 Gi0/2: speed 1000, duplex full, switchport access vlan 20 The port-channel interface 1 does not exist. Configure a LACP EtherChannel between SW1 and SW2 using these two interfaces, with port-channel 1 and mode active on both sides. Ensure the channel forms by resolving any speed/duplex or VLAN mismatches. After configuration, verify with 'show etherchannel summary'.

Network Topology
Gi0/1Gi0/1LACPSW1SW2

Hints

  • Check speed and duplex consistency between member interfaces.
  • All member interfaces must be in the same VLAN.
  • The port-channel interface VLAN must match the physical interfaces.
A.The EtherChannel will not form because the physical interfaces have mismatched speed/duplex and VLAN assignments. You must configure both interfaces with the same speed (1000), duplex (full), and access VLAN (10), then apply channel-group 1 mode active on each.
B.The EtherChannel will form successfully because LACP active mode negotiates the channel regardless of speed/duplex or VLAN differences.
C.The EtherChannel will not form because the port-channel interface must be configured with the same VLAN as the physical interfaces, but the physical interfaces can have different speeds.
D.The EtherChannel will form successfully because the port-channel interface inherits the VLAN from the first physical interface added, so no additional configuration is needed.
AnswerA
solution
! SW1
interface GigabitEthernet0/1
speed 1000
duplex full
switchport access vlan 10
channel-group 1 mode active
interface GigabitEthernet0/2
speed 1000
duplex full
switchport access vlan 10
channel-group 1 mode active
interface Port-channel1
switchport access vlan 10

Why this answer

The EtherChannel fails because member interfaces have mismatched speed/duplex (Gi0/1 is 100/half, Gi0/2 is 1000/full) and different VLANs (VLAN 10 vs 20). Additionally, the port-channel interface and physical interfaces must have matching VLAN assignments. To fix, unify both physical interfaces to the same speed (1000), duplex (full), and access VLAN (10).

Then set channel-group mode active on each physical interface. Finally, ensure the port-channel interface also uses VLAN 10. Verify with 'show etherchannel summary' which should show the port-channel as SU (in use).

Exam trap

Cisco exam traps often test the requirement for identical speed, duplex, and VLAN on all EtherChannel member interfaces. Do not assume LACP can negotiate mismatches; it only handles aggregation, not physical or VLAN parameters.

Why the other options are wrong

B

LACP active mode only enables negotiation, but it does not resolve underlying parameter mismatches. The interfaces must still have consistent speed, duplex, and VLAN configuration.

C

All member interfaces must have identical speed and duplex settings. Even if VLANs match, speed mismatch will cause the channel to fail.

D

The port-channel interface is a logical interface that requires its own VLAN configuration. Physical interfaces must have identical VLAN assignments; otherwise, the channel will not form.

1453
PBQhard

You are connected to R1 via the console. The link between R1 and R2 is experiencing intermittent connectivity. A 'show interfaces GigabitEthernet0/0' output shows the interface is up/up, line protocol up, Full-duplex, 1000Mb/s, but there are 1234 input errors, including 567 CRC errors. Identify the root cause of the issue, and apply the necessary configuration fix to restore full connectivity.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/30linkR1R2

Hints

  • Check the duplex and speed settings on both ends of the link.
  • High CRC errors often indicate a duplex mismatch.
  • Auto-negotiation can resolve duplex mismatches if both devices support it.
A.Configure the interface with 'duplex full' and 'speed 1000'.
B.Configure the interface with 'duplex half' and 'speed 100'.
C.Configure the interface with 'no shutdown' to re-enable the interface.
D.Configure the interface with 'duplex auto' and 'speed auto'.
AnswerD
solution
! R1
interface GigabitEthernet0/0
duplex auto
speed auto

Why this answer

The output indicates high CRC errors on a GigabitEthernet interface operating at 1000 Mb/s and full-duplex. Since 1000BASE-T does not support half-duplex, a duplex mismatch is not possible. The CRC errors likely result from a speed or duplex negotiation mismatch where one side uses forced settings (e.g., speed 1000 duplex full) and the other uses auto-negotiation, causing physical layer instability.

Setting both sides to auto-negotiation ('duplex auto' and 'speed auto') allows them to properly agree on the highest common speed and duplex, resolving the errors. Option A forces full and 1000, which may not match R2 if it is set to auto, so it is not a reliable fix. Option B uses 'duplex half', which is invalid on Gigabit links and would break connectivity.

Option C's 'no shutdown' is irrelevant because the interface is already administratively up.

Exam trap

Do not assume that high CRC errors on a GigabitEthernet link indicate a duplex mismatch; at 1000 Mbps, half-duplex is not supported, so look for mismatched forced versus auto-negotiation settings instead.

Why the other options are wrong

A

Forcing full duplex and speed 1000 may not match R2 if it is set to auto-negotiation, potentially worsening the mismatch and not resolving CRC errors.

B

Half-duplex is not a valid mode for GigabitEthernet (1000BASE-T only supports full-duplex), so this configuration would prevent the link from working.

C

The interface is already up/up, so re-enabling it with 'no shutdown' has no effect and does not address the underlying CRC errors.

1454
Matchingmedium

Drag and drop the cable types, transceivers, and diagnostic commands on the left to the correct descriptions or specifications on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Copper cable supporting 10GBASE-T up to 100 meters

Fiber with 9-micron core, used for long distances up to 40 km

Fiber with 50- or 62.5-micron core, used for distances up to 550 meters

Hot-swappable module for connecting fiber or copper to a switch port

Command to view CRC errors and interface status

Command to view optical power levels and temperature

Why these pairings

Cat6a copper cable supports 10GBASE-T at 100 meters due to its enhanced specification. Single-mode fiber uses a narrow 9-micron core, allowing light to travel in a single mode for long distances up to 40 km. Multimode fiber has a larger core (50 or 62.5 microns), which introduces modal dispersion and limits distances to about 550 meters for Ethernet.

SFP transceivers are hot-swappable modules that provide the interface between a switch port and fiber or copper cabling. The 'show interfaces' command displays detailed interface statistics, including CRC errors and status, while 'show interfaces transceiver' displays optical monitoring data such as transmit power, receive power, and temperature.

Exam trap

A common mistake is confusing the core sizes and maximum distances of single-mode and multimode fiber. Also, learners often mix up the detailed counters from 'show interfaces' (CRC errors) with the optical diagnostics from 'show interfaces transceiver'.

1455
Drag & Dropmedium

Drag and drop the following steps into the correct order to capture and analyze traffic for L2/L3 troubleshooting.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
6Step 6
7Step 7

Why this order

The steps follow the logical sequence of a packet capture: first identify the traffic source, then configure a SPAN session to mirror it, connect the capture device, start capture, reproduce the issue, stop capture, and finally analyze the output. Each step must be completed before the next can succeed.

1456
PBQhard

You are connected to R1, a router that must send SNMP traps to a management server at 203.0.113.10 and export NetFlow data to a collector at 203.0.113.20. Currently, SNMPv2c traps are not being sent, and SNMPv3 is not configured for read-only access with authentication and privacy. Additionally, NetFlow export is missing the destination and version configuration. Configure the necessary commands on R1 to enable SNMPv2c traps (community string 'public'), configure SNMPv3 user 'admin' with SHA authentication and AES 128 encryption (password 'cisco123' for both auth and priv), and set NetFlow export to version 9.

Network Topology
G0/0203.0.113.1/24203.0.113.10linkR1Management Server

Hints

  • Use the 'snmp-server host' command to specify the trap destination and community.
  • For SNMPv3, you must first create a group with the appropriate security level before creating the user.
  • NetFlow export version is configured globally with 'ip flow-export version'.
A.snmp-server host 203.0.113.10 traps version 2c public snmp-server group MyGroup v3 priv snmp-server user admin MyGroup v3 auth sha cisco123 priv aes 128 cisco123 ip flow-export version 9
B.snmp-server host 203.0.113.10 traps version 2c public snmp-server group MyGroup v3 auth snmp-server user admin MyGroup v3 auth sha cisco123 priv aes 128 cisco123 ip flow-export version 9
C.snmp-server host 203.0.113.10 traps version 2c public snmp-server user admin v3 auth sha cisco123 priv aes 128 cisco123 ip flow-export version 9
D.snmp-server host 203.0.113.10 traps version 2c public snmp-server group MyGroup v3 priv snmp-server user admin MyGroup v3 auth sha cisco123 priv aes 128 cisco123 ip flow-export destination 203.0.113.20 2055
AnswerA
solution
! R1
snmp-server host 203.0.113.10 traps version 2c public
snmp-server group MyGroup v3 priv
snmp-server user admin MyGroup v3 auth sha cisco123 priv aes 128 cisco123
ip flow-export version 9

Why this answer

The configuration is missing SNMPv3 user setup, trap destination, and NetFlow export version. First, enable SNMPv2c traps with `snmp-server host 203.0.113.10 traps version 2c public`. Then, configure SNMPv3 user with `snmp-server user admin MyGroup v3 auth sha cisco123 priv aes 128 cisco123` after creating a group with `snmp-server group MyGroup v3 priv`.

For NetFlow, set the export version with `ip flow-export version 9`. Finally, verify with `show snmp` to see trap host and v3 user, and `show ip cache flow` to confirm export configuration.

Exam trap

Watch out for the SNMPv3 group keyword: 'priv' is required when using encryption (AES 128), not just 'auth'. Also, remember that the 'snmp-server user' command requires a group name. For NetFlow, the version is set with 'ip flow-export version 9', not 'ip flow-export destination'.

Why the other options are wrong

B

The group keyword 'auth' only enables authentication, not encryption. AES 128 requires the 'priv' keyword.

C

The 'snmp-server user' command requires a group name. Omitting the group will result in an error or incomplete configuration.

D

The command 'ip flow-export destination' sets the collector IP and port, not the export version. The version is set with 'ip flow-export version 9'.

1457
MCQhard

A subnet must support 14 usable hosts. Which prefix is the smallest that meets the requirement?

A./29
B./28
C./27
D./26
AnswerB

This is correct because a /28 provides 16 total addresses and 14 usable hosts.

Why this answer

To support 14 usable hosts, the subnet must have 16 total addresses, because two are reserved for the network and broadcast addresses. In plain language, you need enough address slots so that after those two reserved entries are removed, 14 remain. A /28 provides exactly that: 16 total addresses and 14 usable addresses.

This is a classic minimum-subnet-size question because it tests whether you can work backward from host requirement to prefix length. A /29 would be too small, while a /27 would work but waste more addresses than necessary.

Exam trap

Avoid choosing a subnet size that either doesn't meet the host requirement or is unnecessarily large, leading to wasted addresses.

Why the other options are wrong

A

A /29 subnet provides only 6 usable host addresses, which is insufficient for the requirement of 14 usable hosts. Therefore, it does not meet the specified criteria.

C

Option C: /27 provides 30 usable hosts, which exceeds the requirement of 14 usable hosts. However, the question asks for the smallest prefix that meets the requirement, making /28 the correct choice.

D

Option D: /26 provides 62 usable hosts, which exceeds the requirement of 14 usable hosts. Therefore, it is not the smallest prefix that meets the specified need.

1458
PBQhard

You are connected to a multilayer switch MLSW1. PortFast and BPDU Guard have already been enabled on interface GigabitEthernet0/1, which connects to an end device, and a BPDU received on that interface placed it in the err-disabled state. Configure Rapid PVST+ so that MLSW1 becomes the root bridge for VLAN 10 with a priority of 4096. Recover the interface by re-enabling it. Finally, verify which port is blocking on VLAN 10 by connecting to MLSW2 and executing the appropriate show command.

Network Topology
G0/1 to PCG0/2 to MLSW3 G0/1G0/2 to MLSW3 G0/1G0/2 to MLSW1 G0/3SiMLSW2SiMLSW1SiMLSW3

Hints

  • Check the current root priority and adjust with 'spanning-tree vlan <vlan> priority <value>'.
  • An err-disabled interface can be recovered by administrative shutdown and no shutdown.
  • Look at the spanning-tree topology to find which port is blocking; it will be in 'ALT' role with 'BLK' state.
A.spanning-tree vlan 10 priority 4096; interface GigabitEthernet0/1; shutdown; no shutdown; show spanning-tree vlan 10
B.spanning-tree vlan 10 root primary; interface GigabitEthernet0/1; no shutdown; show spanning-tree vlan 10
C.spanning-tree vlan 10 priority 4096; interface GigabitEthernet0/1; no shutdown; show interfaces status
D.spanning-tree vlan 10 priority 4096; interface GigabitEthernet0/1; shutdown; no shutdown; show running-config
AnswerA
solution
! MLSW1
spanning-tree vlan 10 priority 4096
interface gigabitEthernet 0/1
shutdown
no shutdown

Why this answer

The correct solution sets the spanning-tree priority for VLAN 10 to 4096 on MLSW1, ensuring it becomes the root bridge. PortFast and BPDU Guard are already configured on G0/1, which caused the interface to go err-disabled when a BPDU was received. To recover, you must issue the 'shutdown' followed by 'no shutdown' commands on the interface.

Because MLSW1 is the root bridge, it has no blocking ports; the blocking port (alternate) will be seen on a downstream switch like MLSW2. Therefore, verification must be done on MLSW2 using 'show spanning-tree vlan 10' to view the alternate blocking port. Option A correctly includes all required steps.

Option B uses 'root primary' (priority 24576) instead of the specified 4096, lacks the recovery commands, and verifies on the wrong device. Option C omits the err-disabled recovery and uses the wrong verification command. Option D also verifies with 'show running-config', which does not display STP port roles.

Exam trap

Remember that 'spanning-tree vlan <vlan> root primary' sets priority to 24576, not a custom value. Also, err-disabled recovery requires a shutdown followed by no shutdown. Always use 'show spanning-tree vlan <vlan>' to verify port roles, not 'show interfaces status' or 'show running-config'.

Why the other options are wrong

B

The specific factual error: 'root primary' sets priority to 24576, not 4096. Also, err-disabled recovery requires a shutdown followed by no shutdown.

C

The specific factual error: err-disabled recovery requires a shutdown before no shutdown. 'show interfaces status' does not display STP port roles.

D

The specific factual error: 'show running-config' does not display STP port roles or blocking status.

1459
MCQhard

Refer to the exhibit. An administrator notices that all interfaces on R1 are in an administratively down state. The administrator issues the show version command and sees the following output. What is the most likely cause of the issue?

A.The router IOS image is corrupted and needs to be reinstalled.
B.The interfaces have been manually shut down in the running configuration, and the startup-config file is empty.
C.The router experienced a memory error during boot and failed to load the startup configuration.
D.The configuration register is set to 0x2142, causing the router to ignore the startup configuration.
AnswerD

This is directly confirmed by the last line of the exhibit: 'Configuration register is 0x2142'. This setting tells the router to bypass loading the startup-config from NVRAM, resulting in a clean slate where all interfaces are administratively down.

Why this answer

The configuration register value 0x2142 tells the router to ignore the startup configuration during boot, loading only the default factory configuration. This causes all interfaces to be in an administratively down state because no interface configurations from the startup-config are applied. The administrator sees the interfaces as administratively down because the default configuration does not include any 'no shutdown' commands.

Exam trap

Cisco often tests the specific effect of configuration register 0x2142 (ignoring startup-config) versus 0x2102 (normal boot), and the trap here is that candidates may confuse it with a corrupted IOS or manual shutdown, not realizing the register value directly causes the default interface state.

Why the other options are wrong

A

Candidates may confuse a successful IOS boot with a corrupted image because both can lead to an unusable configuration, but the configuration register is the direct clue.

B

Candidates may focus on the symptom (interfaces down) and hypothesize a manual configuration error, but they miss the clear hardware boot-parameter issue indicated by the config register.

C

Candidates equate configuration loss with hardware faults, overlooking the intentional nature of the 0x2142 register value.

1460
PBQmedium

You are connected to SW1 via console. SW1 is a multilayer switch with SVIs for VLAN 10 (192.168.10.1/24) and VLAN 20 (192.168.20.1/24). Hosts in VLAN 10 and VLAN 20 need to communicate with each other. Currently, inter-VLAN routing is not working. You need to enable routing on SW1 and verify that the SVIs are operational.

Network Topology
G0/1G0/2SW1HostAHostB

Hints

  • Check if 'ip routing' is already enabled.
  • Verify that the SVIs are up with 'no shutdown'.
A.Enable IP routing using the 'ip routing' global configuration command.
B.Configure a routing protocol such as OSPF or EIGRP on the SVIs.
C.Assign IP addresses to the physical interfaces connected to the hosts.
D.Create a trunk port and connect a router to perform router-on-a-stick.
AnswerA
solution
! SW1
ip routing

Why this answer

The 'ip routing' command enables Layer 3 routing on the multilayer switch, allowing SVIs to route between VLAN 10 and VLAN 20. Option B is unnecessary because directly connected SVIs do not require a routing protocol; routing protocols are only needed for routes learned from other routers, and 'ip routing' must still be enabled. Option C would require converting the physical interfaces to routed ports, which would break the existing Layer 2 VLAN topology and is not the intended solution.

Option D provides an external router-on-a-stick solution but does not enable routing on SW1 itself, which is the required task. Therefore, only option A correctly enables inter-VLAN routing on SW1.

Exam trap

The trap is that many candidates assume SVIs automatically route traffic once they have IP addresses. However, on a multilayer switch, you must explicitly enable IP routing with the 'ip routing' command. Without it, the switch remains a Layer 2 device and SVIs only serve as management interfaces.

Why the other options are wrong

B

Routing protocols like OSPF or EIGRP are not required for directly connected SVIs; only 'ip routing' is needed to enable Layer 3 routing.

C

Assigning IP addresses to physical interfaces would convert them to routed ports, breaking the existing Layer 2 VLAN configuration and is not the correct approach.

D

Using an external router with router-on-a-stick would enable inter-VLAN routing but does not enable routing on SW1 as required.

1461
MCQhard

Exhibit: Users on the inside network can open connections to a web server in the DMZ, but return traffic is denied by an ACL on the outside interface. Which statement best explains the issue?

A.The ACL should match the source port 80 on returning traffic, not the destination port 80
B.HTTP traffic can never be filtered with a standard ACL
C.The ACL must be applied outbound on the inside interface only
D.NAT automatically bypasses interface ACLs
AnswerA

Return packets from the server use source port 80 and a random high destination port on the client.

Why this answer

An ACL applied inbound on the outside interface will evaluate the return traffic entering from the DMZ or outside toward the router. If it permits only destination port 80 inbound, the returning packets will not match because their destination is an ephemeral client port, not 80.

Exam trap

A frequent exam trap is believing that return HTTP traffic will have destination port 80, just like the outbound request. This misconception causes candidates to configure ACLs that only permit inbound packets with destination port 80, which blocks legitimate return traffic because the return packets have source port 80 and a high-numbered destination port. Misunderstanding this port reversal leads to ACLs that deny return traffic, causing connectivity failures despite correct outbound rules.

Another trap is confusing NAT behavior, incorrectly assuming NAT bypasses ACLs, which it does not. This misunderstanding can cause candidates to overlook ACL port matching issues.

Why the other options are wrong

B

Incorrect. While standard ACLs cannot filter by port, extended ACLs can. The issue here is port matching on return traffic, not the inability to filter HTTP with ACLs.

C

Incorrect. ACL placement varies, but the key problem is the ACL’s port matching logic on the outside interface inbound direction, not just interface selection.

D

Incorrect. NAT does not bypass ACLs. ACLs still process packets after NAT translation, so NAT is not the cause of return traffic denial.

1462
MCQhard

Refer to the exhibit. A network engineer notices that on a four-link EtherChannel bundle between two switches, all traffic from a particular VLAN is being forwarded over only one physical link, while the other three links remain idle. The engineer suspects a load-balancing issue and issues the show etherchannel load-balance command, the output of which is shown. What is the most likely cause of the uneven traffic distribution?

A.The switch is using source‑MAC‑address load balancing, and multiple end hosts are appearing with the same source MAC address.
B.The EtherChannel is misconfigured with an LACP active/passive mode mismatch, forcing only one link to bundle.
C.VLAN pruning on the trunk has removed the VLAN from three of the four member interfaces.
D.Spanning Tree Protocol has blocked three of the four links in the EtherChannel because they form a loop.
AnswerA

The show etherchannel load-balance output confirms the global load‑balancing method is src‑mac. With this method, frames with an identical source MAC always hash to the same physical member link, causing all traffic from hosts sharing that MAC to use only one link.

Why this answer

The exhibit shows the load-balancing method is 'src-mac'. When source-MAC-based hashing is used, all frames with the same source MAC address egress the same physical member link. If multiple end hosts are behind a router or proxy and appear with identical source MAC, the hash algorithm always selects the same link, leaving the other links in the bundle idle.

Exam trap

Many candidates choose LACP misconfiguration because they recall that mode mismatches can limit the number of active links. However, the exhibit explicitly displays the load‑balancing method, not the LACP negotiation state. A mode mismatch would prevent the EtherChannel from forming, not leave it forming but with only one link carrying traffic.

Why the other options are wrong

B

Candidates may think that an LACP problem explains a single active link, but a mismatch would cause the entire EtherChannel to fail, not selectively use one member.

C

Candidates might mistake an idle member for a pruned VLAN, but pruning would not affect all traffic, only the specific VLAN, and it is not related to the load‑balance method shown.

D

Candidates may associate an idle link with STP blocking, but an EtherChannel bundle presents one logical link to STP. A blocking state on some members only would indicate a serious configuration error, not the load‑balance method shown.

1463
MCQeasy

In AAA, which function determines what an authenticated user is allowed to do after login?

A.Authentication
B.Authorization
C.Accounting
D.Encryption
AnswerB

Correct. Authorization controls what the user may do.

Why this answer

Authentication verifies identity. Authorization determines permitted actions. Accounting records activity.

Exam trap

Don't confuse authentication with authorization; they serve different purposes in AAA.

Why the other options are wrong

A

Authentication is the process of verifying a user's identity, not determining their permissions. In the context of this question, it does not address what actions an authenticated user is allowed to perform.

C

Accounting refers to the tracking and logging of user activities and resource usage, not the permissions or access rights granted to users after authentication. Therefore, it does not determine what an authenticated user is allowed to do.

D

Encryption is a process that secures data by converting it into a coded format, but it does not determine user permissions or access rights after authentication. Therefore, it is not relevant to the function of managing user privileges post-login.

1464
Multi-Selectmedium

Which TWO statements correctly describe the encapsulation and de-encapsulation process at the transport layer of the OSI model?

Select 2 answers
A.During encapsulation, the transport layer adds a header to form a packet.
B.During encapsulation, the transport layer adds a header containing source and destination port numbers.
C.During de-encapsulation, the transport layer removes the IP header to extract the segment.
D.During de-encapsulation, the transport layer removes its header and passes the payload to the session layer.
E.During encapsulation, the transport layer adds a trailer for error detection.
AnswersB, D

The transport layer header includes port numbers to identify the application processes on the source and destination hosts. This is a key part of encapsulation.

Why this answer

Option B is correct because during encapsulation at the transport layer, the TCP or UDP header is added, which includes source and destination port numbers. These port numbers identify the specific application-layer processes on the sending and receiving hosts, enabling proper demultiplexing of data. Option D is correct because during de-encapsulation, the transport layer removes its own header (e.g., TCP or UDP header) and passes the remaining payload up to the session layer (or directly to the application layer in a simplified model).

Exam trap

Cisco often tests the precise PDU naming convention (segment vs. packet vs. frame) and which layer performs which header removal, causing candidates to confuse the transport layer's role with the network layer's role.

Why the other options are wrong

A

This statement confuses the PDU naming: packet belongs to Layer 3, not Layer 4.

C

This describes a Layer 3 de-encapsulation step, not a Layer 4 step.

E

Trailers are a Layer 2 feature; the transport layer uses header-based checksums for integrity.

1465
PBQhard

You are connected to R1 via console. You have attempted to configure single-area OSPFv2 on R1 and R2 so that they form a full adjacency, but the adjacency is not establishing. The link between them is 192.168.1.0/30. R1 uses G0/0 (192.168.1.1/30) and R2 uses G0/0 (192.168.1.2/30). R1's router-id must be 1.1.1.1, and R2's router-id must be 2.2.2.2. Additionally, ensure that no OSPF hello packets are sent on R1's loopback0 interface (10.0.0.1/32). After troubleshooting, identify what is causing the issue and what must be corrected. Then verify the adjacency is full and passive-interface is set correctly.

Network Topology
G0/0192.168.1.1/30G0/0192.168.1.2/30R1R2

Hints

  • Check the hello and dead timer values on both routers using 'show ip ospf interface'.
  • The timers must match for OSPF adjacency to form.
  • Use 'ip ospf hello-interval' and 'ip ospf dead-interval' under the interface to adjust.
A.The adjacency is not forming because the hello and dead timers are mismatched: R1 uses Hello 10 / Dead 40, but R2 uses Hello 5 / Dead 20. To fix, on R1's G0/0 interface, change the hello timer to 5 and dead timer to 20 using 'ip ospf hello-interval 5' and 'ip ospf dead-interval 20' (or adjust R2 to match R1's timers). After correction, the adjacency should become full. Additionally, R1's loopback0 is already correctly configured as passive-interface.
B.The adjacency is not forming because R1's router-id is not set correctly. To fix, configure 'router-id 1.1.1.1' under the OSPF process on R1, and 'router-id 2.2.2.2' on R2. After that, clear the OSPF process with 'clear ip ospf process' to force the new router-id to take effect. Additionally, R1's loopback0 is already correctly configured as passive-interface.
C.The adjacency is not forming because the network type is mismatched: R1 is configured as point-to-point, while R2 is broadcast. To fix, change the network type on both interfaces to the same type, e.g., 'ip ospf network point-to-point' on both. Additionally, R1's loopback0 is already correctly configured as passive-interface.
D.The adjacency is not forming because the passive-interface command is incorrectly applied to R1's G0/0 interface instead of loopback0. To fix, remove passive-interface from G0/0 using 'no passive-interface g0/0' and ensure it is only applied to loopback0. Additionally, verify that the router-ids are correctly set.
AnswerA
solution
! R1
interface gigabitethernet0/0
ip ospf hello-interval 5
ip ospf dead-interval 20

Why this answer

The correct answer is A: the adjacency is not forming because the hello and dead timers are mismatched. R1 uses Hello 10 / Dead 40, while R2 uses Hello 5 / Dead 20. To fix, on R1's G0/0 interface, change the hello timer to 5 and dead timer to 20 using 'ip ospf hello-interval 5' and 'ip ospf dead-interval 20' (or adjust R2 to match R1's timers).

After correction, the adjacency becomes full. The other options are incorrect: B is wrong because router-ids can be set after the process starts and a mismatch does not prevent adjacency; C is wrong because network type mismatch would still allow adjacency if both agree (or if one is point-to-point and the other broadcast they will not form, but that is not the case here); D is wrong because the passive-interface on G0/0 would prevent hello packets and thus adjacency, but the question states it is only on loopback0, so that is not the issue. Verify with 'show ip ospf neighbor' and 'show ip ospf interface loopback0'.

Exam trap

The trap is that candidates may overlook timer mismatch and focus on other common OSPF adjacency requirements like network type, area ID, or authentication. Always verify timers first when adjacency fails on a directly connected link. Also, remember that passive-interface on a loopback is normal and does not affect the link adjacency.

Why the other options are wrong

B

Router-ID mismatch does not block OSPF adjacency; an OSPF router can still form a neighbor relationship even if the router-ID is not explicitly set (it will use the highest loopback IP) and can be changed without issue.

C

Network type mismatch would prevent adjacency, but the scenario does not indicate a mismatch; the default for Ethernet is broadcast, so both should be broadcast, and if one were changed to point-to-point they would not form, but that is not stated.

D

Passive-interface on the link interface (G0/0) would suppress hello packets and prevent adjacency, but the configuration correctly has passive-interface only on loopback0, so this is not the problem.

1466
MCQhard

A switchport connected to another switch is configured as an access port by mistake. Which symptom is most likely in a multi-VLAN design?

A.Only one VLAN is likely to pass correctly, while other VLAN traffic across the link fails
B.The link negotiates as a trunk but drops all VLAN traffic
C.The switch generates excessive broadcasts on all VLANs
D.The switch stops learning MAC addresses entirely
AnswerA

This is correct because an access port normally carries one VLAN rather than multiple VLANs.

Why this answer

The most likely symptom is that only one VLAN’s traffic works correctly across the link while traffic for other VLANs fails. In plain language, an access port belongs to one VLAN in normal switching behavior. If an inter-switch link that should carry multiple VLANs is accidentally configured as an access port, the network loses the ability to transport the other VLANs.

The physical link may stay up, which can make the problem seem subtle, but the logical role of the port is wrong.

Exam trap

Be cautious not to confuse physical link status with logical configuration issues. An access port will not drop the link but will restrict traffic to a single VLAN.

Why the other options are wrong

B

An access port cannot negotiate trunking; it simply forwards only one VLAN's traffic.

C

Broadcast storms are not caused by an access port misconfiguration.

1467
MCQhard

After enabling DHCP snooping on VLAN 10, a technician finds that clients in that VLAN are no longer receiving IP addresses from the DHCP server. The server is connected to port Gi0/24. What is the most likely cause?

A.The port Gi0/24 has not been configured as a trusted port for DHCP snooping.
B.The DHCP server is on a different subnet, and the VLAN 10 SVI does not have an ip helper-address configured.
C.The DHCP snooping database location was not configured, causing the switch to discard all DHCP server messages.
D.The DHCP snooping binding table does not contain an entry for the DHCP server’s MAC address, so offers are being discarded.
AnswerA

DHCP snooping immediately blocks all DHCP server messages on untrusted ports. Because Gi0/24 is the uplink to the DHCP server, it must be explicitly set as trusted (ip dhcp snooping trust), otherwise the switch will drop the DHCP offers sent by the server.

Why this answer

DHCP snooping classifies all ports as untrusted by default, and an untrusted port drops DHCP server messages (OFFER/ACK) to prevent rogue servers. Because the uplink Gi0/24 was not explicitly configured as a trusted port with ip dhcp snooping trust, the legitimate DHCP offers from the server are being discarded, so clients never receive addresses. The other options are not the cause: an ip helper-address would still be needed if the server were remote and was working before snooping (so it is already in place); the DHCP snooping database is not required for traffic forwarding; and the binding table does not need to contain the server’s MAC to permit server traffic.

Exam trap

D. Candidates often misunderstand the role of the DHCP snooping binding table and think the switch must have learned the server’s MAC to allow DHCP traffic, but the binding table is used to filter client traffic, not to authorize servers.

Why the other options are wrong

B

This option assumes that the loss of DHCP service is due to a missing relay agent, but the symptom started only after enabling snooping, not after an infrastructure change that would affect the relay path.

C

The idea that a missing database causes immediate traffic blocking is a common misinterpretation of the database’s role—it is purely for persistency, not for runtime filtering.

D

Many candidates assume that DHCP snooping uses a reverse-check against the binding table for any DHCP server messages, but the filtering is based solely on the trusted/untrusted port state, not on a learned server entry.

1468
PBQhard

You are connected to SW1, a multilayer switch. Configure DHCP snooping and an IP helper-address so that clients in VLAN 20 receive IP addresses from the DHCP server at 10.0.0.2. The DHCP server is already configured with a pool for 192.168.20.0/24, but clients are not getting addresses. Identify and correct the issues in the current configuration.

Network Topology
G0/010.0.0.1/30G0/1SW1DHCP ServerClient

Hints

  • Check the helper-address on VLAN 20 — is it pointing to the correct server IP?
  • DHCP snooping must be enabled globally and for the specific VLAN.
  • The port towards the DHCP server must be configured as trusted.
A.Enable DHCP snooping globally and on VLAN 20, configure interface G0/0 as trusted, and change the ip helper-address on the SVI for VLAN 20 from 10.0.0.3 to 10.0.0.2.
B.Enable DHCP snooping globally and on VLAN 20, configure interface G0/1 as trusted, and change the ip helper-address on the SVI for VLAN 20 from 10.0.0.3 to 10.0.0.2.
C.Enable DHCP snooping globally and on VLAN 20, configure interface G0/0 as trusted, and keep the ip helper-address as 10.0.0.3 because that is the correct server address.
D.Enable DHCP snooping globally and on VLAN 20, configure both interfaces G0/0 and G0/1 as trusted, and change the ip helper-address on the SVI for VLAN 20 from 10.0.0.3 to 10.0.0.2.
AnswerA
solution
! SW1
configure terminal
ip dhcp snooping
ip dhcp snooping vlan 20
interface gigabitethernet0/0
ip dhcp snooping trust
interface vlan20
no ip helper-address 10.0.0.3
ip helper-address 10.0.0.2
end
write memory

Why this answer

The DHCP relay helper-address was pointing to 10.0.0.3 instead of the actual server at 10.0.0.2. Also, DHCP snooping was not enabled. After enabling DHCP snooping globally and on VLAN 20, configure the uplink to the DHCP server as a trusted port (G0/0) and the access port (G0/1) as untrusted (default).

Finally, correct the helper-address to 10.0.0.2. These steps allow DHCP broadcasts from VLAN 20 to be relayed to the server and prevent rogue DHCP attacks.

Exam trap

A common trap is to trust all ports or to forget that the ip helper-address must match the actual DHCP server IP. Also, candidates may confuse which port should be trusted: only the port facing the legitimate DHCP server should be trusted, not client-facing ports.

Why the other options are wrong

B

The specific factual error is that the access port (G0/1) should be untrusted, not trusted. Only the uplink port to the legitimate DHCP server should be trusted.

C

The specific factual error is that the ip helper-address must be set to the actual DHCP server IP (10.0.0.2), not 10.0.0.3.

D

The specific factual error is that only the uplink port (G0/0) should be trusted; trusting the access port (G0/1) allows any device connected to that port to act as a DHCP server.

1469
Multi-Selectmedium

Which TWO statements are true about configuring and verifying VLANs, 802.1Q trunking, native VLAN, and inter-VLAN routing with router-on-a-stick?

Select 2 answers
A.On a router-on-a-stick configuration, each subinterface must be configured with an IP address and the encapsulation dot1Q command to specify the VLAN ID.
B.The native VLAN is always tagged on an 802.1Q trunk link.
C.The command switchport trunk native vlan 10 is used to restrict which VLANs are allowed on a trunk.
D.When configuring a router-on-a-stick, the native VLAN must match on both the switch and the router subinterface to avoid miscommunication.
E.The command show interfaces trunk displays the IP addresses configured on router subinterfaces.
AnswersA, D

This is correct because the router needs a subinterface per VLAN, each with an IP address and the dot1Q encapsulation to identify the VLAN.

Why this answer

Option A is correct because in a router-on-a-stick configuration, each subinterface must be assigned an IP address and use the encapsulation dot1Q command to associate it with a specific VLAN ID; this enables the router to process tagged frames from multiple VLANs over a single physical link. Option D is also correct because the native VLAN configured on the switchport trunk must match the native VLAN used on the router's subinterface (or physical interface if no subinterface); a mismatch causes the router to mishandle untagged frames because it expects them to belong to the configured native VLAN, leading to communication failures. Option B is wrong because on an 802.1Q trunk, the native VLAN frames are sent untagged, not tagged.

Option C is wrong because the command 'switchport trunk native vlan 10' only changes the native VLAN; it does not restrict which VLANs are allowed—that requires 'switchport trunk allowed vlan'. Option E is wrong because 'show interfaces trunk' shows trunking status, native VLAN, and allowed VLAN lists on switch ports, not IP addresses of router subinterfaces.

Exam trap

Cisco often tests the misconception that the native VLAN is tagged on a trunk, or that the switchport trunk native vlan command controls allowed VLANs, when in fact it only changes which VLAN is untagged.

Why the other options are wrong

B

The native VLAN is sent untagged to maintain backward compatibility with devices that do not understand 802.1Q tagging.

C

The command to restrict allowed VLANs is switchport trunk allowed vlan, not the native VLAN command.

E

To see IP addresses on subinterfaces, use show ip interface brief or show running-config on the router.

1470
MCQhard

A network engineer is troubleshooting a wireless performance issue in a dense office environment. Clients on the 5 GHz band are experiencing low throughput even though they are close to the AP. The AP is a Cisco 9130AXI running IOS-XE 17.9. What is the most likely cause of the poor performance?

A.The AP is using an incorrect channel width of 80 MHz, which is not supported by 802.11ac.
B.The AP is operating in 802.11ac mode instead of 802.11ax, and the 80 MHz channel bonding is causing high interference in the dense environment.
C.The AP has DFS non-compliance, which prevents it from using channel 36 and causes the radio to operate at reduced power.
D.The AP is using WPA2-PSK instead of WPA3, which causes lower throughput due to weaker encryption.
AnswerB

802.11ax (Wi-Fi 6) uses OFDMA to reduce interference and improve efficiency in dense environments. The AP is using 802.11ac with 80 MHz channel bonding, which is more prone to interference, leading to poor throughput.

Why this answer

Option B is correct because in a dense office environment, using 80 MHz channel bonding with 802.11ac (Wave 2) increases the likelihood of co-channel interference and overlapping basic service sets (OBSS), which degrades throughput despite strong signal. The Cisco 9130AXI supports 802.11ax (Wi-Fi 6), which includes OFDMA and better spatial reuse, but if the AP is configured for 802.11ac mode, it loses these efficiency gains and suffers from the wide channel's interference penalty.

Exam trap

Cisco often tests the misconception that wider channels always improve performance, when in reality, in dense environments, 80 MHz or 160 MHz channels cause severe interference and throughput degradation, especially with 802.11ac's lack of spatial reuse mechanisms.

Why the other options are wrong

A

802.11ac supports 80 MHz channel bonding, so this is not incorrect.

C

DFS non-compliance does not directly reduce power; it may cause channel avoidance, but the power is set to maximum.

D

WPA2-PSK does not cause throughput degradation; the issue is interference and protocol mode.

1471
MCQhard

Why might an automation script prefer a token-based API session over repeatedly prompting a human operator for credentials?

A.Because tokens support controlled repeated API access in a way that is practical for automation workflows.
B.Because tokens eliminate the need for any security controls.
C.Because tokens automatically create VLANs on the switch.
D.Because tokens replace all routing protocols.
AnswerA

This is correct because token-based access fits repeated software-driven interaction well.

Why this answer

Token-based API sessions allow scripts to make repeated, programmatic requests without requiring a human to re-enter credentials each time. This makes them more practical for automation workflows than constant interactive prompts. Options B, C, and D are incorrect: tokens do not eliminate the need for security controls (they still require proper management like expiration and revocation); they have nothing to do with VLAN creation; and they do not replace routing protocols—tokens are strictly used for authentication and authorization in API interactions.

Exam trap

Avoid assuming that token-based sessions eliminate authentication or are inherently more secure.

Why the other options are wrong

B

Tokens do not eliminate security controls; they still require mechanisms like expiration, revocation, and secure storage.

C

Tokens are unrelated to VLAN creation; VLANs are configured via switch CLI or network management protocols, not API tokens.

D

Tokens do not replace routing protocols; routing protocols handle packet forwarding, while tokens handle API access authentication.

1472
MCQhard

A user joins the employee SSID successfully and can browse internal resources, but VoIP over Wi-Fi calls fail only while roaming between floors. Which troubleshooting area is the strongest first focus?

A.Roaming behavior and RF transition quality between AP coverage areas
B.Whether the SSID name is spelled correctly
C.Whether the branch router has PPP enabled
D.Whether the user has a static default route on the phone
AnswerA

This is correct because the symptom appears specifically during movement between coverage zones.

Why this answer

The strongest first focus is roaming and RF transition behavior between AP coverage areas. In practical terms, the user already proved that general WLAN access and internal reachability are working. The failure happens during movement and affects a time-sensitive application. That points to mobility-related behavior rather than basic SSID visibility or simple IP addressing.

This is a realistic wireless troubleshooting item because it narrows the fault domain from the symptom pattern instead of restarting from the basics.

Exam trap

Avoid assuming basic connectivity issues when the problem is specific to roaming and affects a time-sensitive application.

Why the other options are wrong

B

This option is wrong because the spelling of the SSID does not affect the ability to roam between access points; the user is already connected to the SSID and can access internal resources.

C

This option is wrong because PPP (Point-to-Point Protocol) is not directly related to VoIP performance or roaming issues; it primarily pertains to WAN connections rather than local Wi-Fi network transitions.

D

This option is wrong because the issue described pertains to roaming and VoIP call quality, which is unrelated to static routing configurations on the user's phone. A static default route would not directly impact the ability to maintain VoIP calls while transitioning between access points.

1473
Multi-Selectmedium

Which TWO statements are true about OSPFv2 neighbor adjacency, network statements, and passive interfaces?

Select 2 answers
A.Configuring an interface as passive stops OSPF from sending Hello packets out of that interface, but OSPF will still advertise the connected network in its LSAs.
B.For two OSPF routers to establish full adjacency, they must agree on the Hello and Dead intervals.
C.The network command with a wildcard mask of 0.0.0.0 will enable OSPF on the exact matching interface, but it will also prevent OSPF from forming adjacencies on that interface.
D.Using the passive-interface default command makes all OSPF interfaces passive, which means OSPF will not advertise any connected networks.
E.The network command with a wildcard mask of 0.0.0.255 area 0 will match any interface whose IP address falls within that /24 subnet, but OSPF will only attempt to form adjacencies on the interface with the highest IP address in that range.
AnswersA, B

Passive-interface suppresses OSPF Hello packets, preventing neighbor formation on that interface, yet the network is still advertised via the Router LSA.

Why this answer

Option A is correct because configuring an interface as passive in OSPFv2 prevents the router from sending Hello packets out of that interface, which stops neighbor discovery and adjacency formation. However, OSPF still includes the connected network of that passive interface in its Type 1 Router LSAs, allowing the network to be advertised to other OSPF routers.

Exam trap

Cisco often tests the misconception that a passive interface stops network advertisement, when in fact it only stops Hello packets and adjacency formation while still advertising the connected network in LSAs.

Why the other options are wrong

C

A wildcard mask of 0.0.0.0 only matches one exact IP address. It does not impose any restriction on adjacency.

D

Passive interfaces still advertise their networks—they just do not send or receive Hello packets. Only adjacency is suppressed.

E

The network command matches multiple interfaces; OSPF then tries to form adjacencies on every enabled interface, regardless of IP address order.

1474
MCQhard

Refer to the exhibit. An engineer expects all traffic destined to the 10.10.10.0 network to be forwarded via 10.1.1.2. However, when testing connectivity to host 10.10.10.64, traffic is being sent to 10.2.2.2 instead. What is the most likely cause?

A.The static route to 10.10.10.0/24 has a higher administrative distance than the /26 route, making the /26 preferred.
B.The router is using longest prefix matching; the /26 route is more specific, so traffic to 10.10.10.64 is forwarded via 10.2.2.2.
C.The /26 static route was configured as a floating static route with an administrative distance of 5, overriding the /24 route.
D.The next-hop 10.1.1.2 for the /24 route is unreachable, causing the router to fall back to the /26 route.
AnswerB

The exhibit shows two overlapping static routes. The /26 prefix length is longer (more specific) than the /24. According to IP routing logic, the router selects the route with the longest matching prefix. The destination 10.10.10.64 falls within the /26 subnet, making it the preferred route.

Why this answer

The show ip route output contains two static routes for destination 10.10.10.0, one with a /24 prefix and one with a /26 prefix. Both routes have an administrative distance of 1 and a metric of 0, as indicated by the [1/0] in the output. The router always performs longest prefix matching; a packet destined to 10.10.10.64 falls within the range 10.10.10.0 – 10.10.10.63 of the /26 route, making the /26 the more specific match.

Therefore, traffic to 10.10.10.64 is forwarded via 10.2.2.2 despite the engineer's intent.

Exam trap

Candidates often believe the route with the lowest administrative distance or metric is always preferred, or that the route appearing first in the table is chosen. In this case, both routes have identical AD and metric, leading them to incorrectly assume the /24 route would be used. The key differentiator is the subnet mask length, not the numerical order in the output.

Why the other options are wrong

A

Misreading the administrative distance value in the routing table; candidates may overlook that both are the same.

C

Assuming that any backup route must be a floating static, without verifying the actual AD value in the exhibit.

D

Misconception that a route can be displayed yet be in a 'down' state; in reality, an invalid next-hop prevents the route from being installed.

1475
MCQmedium

A router learns 172.16.40.0/24 from OSPF with AD 110 and metric 20. It also learns the same prefix from EIGRP with AD 90 and feasible distance 30720. Which route is installed?

A.The OSPF route because metric 20 is lower than 30720
B.The EIGRP route because its administrative distance is lower
C.Both routes because ECMP is automatic across different protocols
D.Neither route until one is redistributed into the other protocol
AnswerB

Different protocols are compared by AD first.

Why this answer

When the same prefix is learned from different routing protocols, the router compares administrative distance first. EIGRP internal routes have AD 90, which beats OSPF AD 110, so the EIGRP path goes into the table.

Exam trap

A frequent exam trap is assuming that the route with the lower metric value is always preferred, regardless of the routing protocol. In this question, the OSPF route has a metric of 20, which seems better than EIGRP's feasible distance of 30720. However, Cisco routers do not compare metrics across different protocols.

Instead, they rely on administrative distance to choose the best route. Mistaking metric comparison for cross-protocol route selection can lead to choosing the wrong answer and misunderstanding how Cisco routing decisions work.

Why the other options are wrong

A

This option incorrectly assumes that the router compares OSPF metric 20 directly against EIGRP feasible distance 30720 to select the route. Cisco routers do not compare metrics across different routing protocols; they use administrative distance first. Therefore, this option is incorrect.

C

This option incorrectly claims that both routes are installed due to automatic ECMP across different protocols. Cisco routers do not perform equal-cost load balancing between different routing protocols without explicit redistribution or configuration, so this is false.

D

This option incorrectly states that neither route is installed until redistribution occurs. Redistribution is not necessary for a router to install a route learned from a routing protocol. The router installs the route with the lowest administrative distance immediately, so this option is incorrect.

1476
MCQmedium

Why is PortFast typically enabled on switch ports connected to end devices?

A.To let end-device ports reach forwarding state more quickly
B.To make access ports participate in OSPF
C.To convert all access ports into trunks
D.To disable Ethernet addressing on PCs
AnswerA

This is correct because PortFast speeds transition to forwarding on suitable edge ports.

Why this answer

PortFast is enabled so access ports connected to end devices can move to forwarding more quickly instead of waiting through the normal spanning-tree listening and learning transitions. In plain language, it helps a user’s PC, printer, or similar endpoint start communicating sooner after the link comes up. That can reduce delays at startup and prevent certain device timeout problems.

PortFast is not intended as a loop-prevention mechanism by itself, and it should not normally be used carelessly on links to other switches. That is why it is commonly paired with BPDU Guard on edge ports. The correct answer is the one focused on faster transition for end-device access links rather than on unrelated routing or VLAN functions.

Exam trap

Do not confuse PortFast with disabling spanning-tree or improving routing; it specifically speeds up access port transitions.

Why the other options are wrong

B

This option is incorrect because PortFast does not enable access ports to participate in OSPF; OSPF is a routing protocol that requires Layer 3 interfaces, while PortFast is a feature for Layer 2 switch ports.

C

This option is wrong because PortFast does not convert access ports into trunk ports; it is designed to bypass the Spanning Tree Protocol (STP) listening and learning states to allow end devices to connect more quickly.

D

Disabling Ethernet addressing on PCs is not related to the function of PortFast, which is designed to expedite the transition of switch ports to the forwarding state. PortFast does not alter how Ethernet addressing operates on connected devices.

1477
MCQhard

A network administrator connects an IP phone to interface Gi0/1 and a PC to the phone's PC port. Users report that the phone cannot register with the call manager and the PC does not obtain an IP address. The administrator verifies the configuration shown in the exhibit. What is the most likely cause of the problem?

A.The switchport mode should be changed to trunk to allow tagged voice traffic.
B.The voice VLAN is not configured on the interface.
C.The spanning-tree portfast command is blocking the port from forwarding.
D.The access VLAN 10 is incorrect for the data subnet.
AnswerB

The exhibit lacks the 'switchport voice vlan <vlan-id>' command. Adding this command tells the switch to expect 802.1Q tagged frames for the phone's voice traffic while keeping the PC data in the access VLAN.

Why this answer

The correct answer is B because the voice VLAN is not configured on the interface. For an IP phone to communicate with the call manager, the switchport must be configured with a voice VLAN (e.g., 'switchport voice vlan 20') to separate voice traffic from data traffic. Without this command, the phone cannot tag its frames with the appropriate VLAN ID, preventing registration.

Additionally, the PC connected to the phone's PC port relies on the phone to pass untagged data traffic, but without the voice VLAN, the phone may not properly negotiate or forward traffic, causing the PC to fail to obtain an IP address.

Exam trap

Cisco often tests the distinction between access VLAN and voice VLAN, and the trap here is that candidates assume the access VLAN alone is sufficient for both voice and data, overlooking the mandatory 'switchport voice vlan' command required for IP phone operation.

Why the other options are wrong

A

Cisco best practice for IP phone + PC is an access port with switchport voice vlan, not trunk mode. Trunk mode is more complex and can cause VLAN hopping if misconfigured.

C

Portfast enables faster convergence, not a blocking action. A blocked port would show no link or constant amber LED, not intermittent connectivity.

D

Even if VLAN 10 were wrong, the phone’s registration issue would persist because the voice VLAN is still missing. The problem has two symptoms; the voice VLAN omission explains both.

1478
Matchingmedium

Match each WLAN term to its correct description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Name of the wireless network shown to clients

Wireless security standard

Protocol associated with AP-controller communication

Client movement between AP coverage areas

Why these pairings

SSID is the service set identifier, the human-readable name that identifies a wireless network. WPA3 is the latest Wi-Fi security standard providing stronger encryption and authentication. CAPWAP is the Control and Provisioning of Wireless Access Points protocol, used for communication between lightweight APs and wireless LAN controllers.

Roaming is the process of a wireless client moving between different access points or coverage areas while maintaining its network session.

Exam trap

Candidates often mistake CAPWAP for a security feature or confuse roaming with a security mechanism; remember CAPWAP handles AP-controller communication and roaming simply refers to client mobility between coverage areas.

1479
Multi-Selectmedium

Which TWO statements correctly describe NTP stratum levels and syslog severity levels in a Cisco IOS-XE environment?

Select 2 answers
A.An NTP stratum value of 1 indicates a higher accuracy than a stratum value of 3.
B.A syslog severity level of 5 (notice) is more severe than a level of 4 (warning).
C.The 'ntp server' command under global configuration configures the device as an NTP client.
D.Syslog severity level 0 (emergency) indicates a normal operational message.
E.NTP stratum 0 is assigned to devices that are directly connected to an authoritative time source.
AnswersA, C

Stratum 1 is directly synchronized to a stratum 0 reference clock (like GPS), while stratum 3 is two hops away, making stratum 1 more accurate.

Why this answer

Option A is correct because a lower NTP stratum number indicates higher accuracy; stratum 1 is directly synchronized to a precise reference clock (e.g., GPS) and is thus more accurate than stratum 3, which is two hops away. Option C is correct because the 'ntp server' command configures a device to synchronize its clock to a specified NTP server, making it an NTP client. Option B is incorrect: syslog severity level 4 (warning) is more severe than level 5 (notice) because lower severity numbers indicate higher severity.

Option D is incorrect: severity level 0 (emergency) is the most severe level, indicating a system-wide critical event, not a normal operational message. Option E is incorrect: NTP stratum 0 is assigned to an authoritative time source itself (e.g., atomic clock), not to devices directly connected to it; devices connected to stratum 0 sources are stratum 1.

Exam trap

Candidates often mistakenly equate lower syslog severity numbers with lower importance, not realizing that a smaller number means a higher severity; similarly, they may think higher NTP stratum numbers mean higher accuracy.

Why the other options are wrong

B

Syslog severity levels use inverse numbering: level 4 (warning) is more severe than level 5 (notice), so the statement is false.

D

Syslog level 0 (emergency) is the highest severity, indicating a catastrophic system failure, not a normal operational message.

E

NTP stratum 0 is the reference clock itself; devices synchronized directly to it are stratum 1, not stratum 0.

1480
Multi-Selectmedium

A network team wants to collect flow-level traffic statistics from routers to identify top talkers and bandwidth consumers. Which two statements about NetFlow are correct?

Select 2 answers
A.It summarizes traffic into flows instead of capturing every packet payload
B.It is primarily used to distribute time from an authoritative clock
C.It can help identify which conversations consume the most bandwidth
D.It replaces routing protocols by advertising reachability information
AnswersA, C

NetFlow tracks metadata about flows, not full payload captures.

Why this answer

NetFlow provides visibility into who is talking to whom, with what protocols and volume, making it valuable for capacity planning, troubleshooting, and security analysis.

Exam trap

A frequent exam trap is mistaking NetFlow for protocols that distribute time or routing information. For example, option B incorrectly associates NetFlow with NTP, which synchronizes clocks, and option D wrongly suggests NetFlow replaces routing protocols by advertising reachability. These misconceptions arise because candidates may not clearly differentiate between monitoring technologies and control plane protocols.

Remember, NetFlow only summarizes traffic flows for analysis and does not participate in routing or time synchronization. Confusing these roles can lead to selecting incorrect answers under exam pressure.

Why the other options are wrong

B

Option B is incorrect because distributing time from an authoritative clock is the function of NTP, not NetFlow, which is a traffic monitoring protocol.

D

Option D is incorrect because NetFlow does not replace routing protocols or advertise reachability information; it only monitors traffic flows.

1481
Matchingmedium

Drag and drop the VLAN and trunking commands/concepts on the left to their correct descriptions on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Configures an interface to operate as a trunk link

Sets the native VLAN on a trunk to VLAN 999

Assigns a port to VLAN 10 as an access port

VLAN that carries untagged traffic on a trunk

Creates a subinterface for router-on-a-stick

Configures 802.1Q tagging for VLAN 10 on a subinterface

Why these pairings

These are fundamental VLAN/trunking concepts: VLAN segments, trunk carries multiple VLANs, access port is single VLAN, 802.1Q is tagging standard, VLAN ID is the identifier.

Exam trap

Be careful not to confuse access ports with trunk ports. Access ports are for single VLANs, while trunk ports carry multiple VLANs. Also, native VLAN and allowed VLAN list are trunk-related concepts, not port modes.

1482
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure a Layer 3 switch to perform DHCP relay agent and DHCP snooping for a remote DHCP server.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
6Step 6

Why this order

Correct order: 1) Create DHCP pool on the server to have valid lease parameters; 2) Assign IP address to the SVI so it can act as the gateway and relay agent for the subnet; 3) Globally enable DHCP snooping to activate the feature; 4) Enable snooping on the client VLAN so that only that VLAN’s DHCP traffic is filtered; 5) Set the interface facing the server as trusted to allow DHCP replies; 6) Configure ip helper-address on the SVI to forward client DHCP broadcasts to the server. Each step depends on the previous: the server must be ready; the SVI needs an IP before the helper can be applied; snooping must be globally on before per-VLAN settings; trusted port must be defined before relayed replies are accepted; finally, the helper address enables the actual relay.

1483
MCQmedium

A network administrator is troubleshooting a new branch office where hosts in VLAN 20 on switch SW1 cannot obtain IP addresses from the DHCP server located at 192.168.10.5 in the main data center. The router R1 is configured as the default gateway for VLAN 20 with interface GigabitEthernet0/1.20. The administrator verifies that the DHCP server is reachable and has available addresses. What configuration change should the administrator make to resolve the issue?

A.Configure a static IP address on the DHCP server to ensure it is always reachable.
B.Configure the 'ip helper-address 192.168.10.5' command on the router interface GigabitEthernet0/1.20.
C.Enable DHCP snooping globally on the switch SW1.
D.Increase the DHCP lease time on the server to 30 days.
AnswerB

The ip helper-address command enables the router to forward DHCP broadcasts as unicasts to the specified DHCP server, allowing clients in VLAN 20 to obtain IP addresses from the remote server.

Why this answer

The correct answer is B because the DHCP server is on a different subnet than the hosts in VLAN 20. By default, DHCP broadcasts are not forwarded across routers. The 'ip helper-address 192.168.10.5' command on the router's subinterface GigabitEthernet0/1.20 converts the broadcast DHCP request into a unicast and forwards it to the DHCP server, allowing the hosts to obtain IP addresses.

Exam trap

Cisco often tests the misconception that DHCP issues across subnets are caused by server availability or switch security features, when the real problem is the lack of a DHCP relay agent (ip helper-address) on the router interface facing the client VLAN.

Why the other options are wrong

A

A static IP on the server does not forward broadcasts across subnets; the server's reachability is not the issue.

C

Enabling DHCP snooping without proper configuration could block legitimate DHCP traffic, and it does not solve the broadcast forwarding issue.

D

The problem is not about lease duration; clients cannot receive any DHCP offers because broadcasts are not forwarded.

1484
Drag & Dropmedium

Drag and drop the following steps into the correct order to capture and analyze traffic on IOS-XE using the embedded packet capture feature, and in Wireshark to isolate a Layer 2 or Layer 3 fault.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

First define the capture interface, then apply a filter, start capture, stop it, and finally export for analysis in Wireshark.

Exam trap

A common trap is confusing the order of steps, especially applying the filter before defining the interface or starting the capture before applying the filter. Remember that the interface must be defined first, then the filter, then start, then stop, then export.

1485
MCQeasy

Which protocol is preferred over Telnet for remote CLI management because it encrypts the session?

A.FTP
B.SSH
C.TFTP
D.SNMPv1
AnswerB

Correct. SSH secures the remote management session.

Why this answer

SSH encrypts credentials and management traffic, making it the standard secure replacement for Telnet.

Exam trap

A frequent exam trap is selecting Telnet or other protocols like FTP or TFTP for remote CLI management because they are familiar or commonly mentioned in networking contexts. Telnet is often mistakenly chosen because it provides remote access, but it sends all data unencrypted, exposing credentials to attackers. FTP and TFTP are file transfer protocols and do not support interactive command-line management sessions.

SNMPv1 is used for network monitoring, not secure CLI access, and lacks encryption. Candidates must recognize that only SSH encrypts the session, making it the secure and preferred protocol for remote management in Cisco environments.

Why the other options are wrong

A

FTP is designed for transferring files between devices and does not provide an interactive command-line interface for remote device management. It also lacks encryption for session data, making it unsuitable for secure remote CLI access.

C

TFTP is a simple file transfer protocol used mainly for transferring configuration files or IOS images. It does not support interactive remote CLI sessions and lacks encryption, so it cannot replace Telnet for secure management.

D

SNMPv1 is a protocol used for network monitoring and management but does not provide an interactive CLI interface. It also lacks encryption, making it unsuitable for secure remote management sessions.

1486
MCQhard

A network administrator is troubleshooting a Windows 10 client that cannot reach the internet. The client is connected to a Cisco switch port configured as an access port in VLAN 100. The administrator runs ipconfig on the client and sees an IP address of 169.254.10.15 with a subnet mask of 255.255.0.0. The switch port shows status up/up. What is the most likely cause of the issue?

A.The switch port is in err-disabled state due to a spanning-tree loop.
B.The switch is not configured with an ip helper-address on the VLAN 100 SVI to forward DHCP broadcasts to the DHCP server.
C.The client is in the wrong VLAN; the switch should be configured with VLAN 200.
D.There is a duplex mismatch between the client and the switch.
AnswerB

Without an ip helper-address, DHCP broadcasts from the client in VLAN 100 are not forwarded to the DHCP server, which is likely in a different VLAN.

Why this answer

The 169.254.x.x address is an Automatic Private IP Addressing (APIPA) address, assigned by Windows when DHCP fails. Since the client is in VLAN 100 and the switch port is up/up, the most likely cause is that the VLAN 100 SVI lacks an ip helper-address command, so DHCP broadcast requests from the client are not forwarded to the DHCP server, leaving the client without a valid IP address.

Exam trap

Cisco often tests the misconception that an APIPA address indicates a physical or VLAN issue, when in fact it specifically points to DHCP failure, and the most common cause in a routed environment is the absence of ip helper-address on the SVI.

Why the other options are wrong

A

The port status is 'connected', not err-disabled.

C

No information suggests the client should be in VLAN 200; the configuration matches the intended VLAN.

D

Duplex mismatch would typically cause errors or speed/duplex issues, but the switch shows a-full, so this is not the problem.

1487
MCQmedium

A router interface is configured for OSPF, but neighbors do not form. The engineer checks the interface and sees Hello 10 and Dead 40. The neighbor on the same segment uses Hello 30 and Dead 120. What is the most likely cause of the OSPF adjacency failure?

A.Router IDs are identical
B.OSPF timers do not match
C.The interface cost is too low
D.The subnet mask is invalid because it is a transit link
AnswerB

Correct. This is correct. OSPF neighbors must agree on timer values such as hello and dead intervals. If they do not, the devices will not form a full adjacency even if other parts of the link appear healthy.

Why this answer

The adjacency fails because the OSPF hello and dead timers do not match. OSPF neighbors on the same segment must agree on several key parameters before they accept each other as neighbors, and the timer settings are one of those required matches. In plain terms, each router is expecting to hear OSPF hellos at one rhythm, but the other side is speaking at a different rhythm, so the relationship never becomes valid.

This is different from cost, which matters later during path selection after neighbors are already exchanging information. The timer mismatch is a classic CCNA troubleshooting point because the interfaces can be up and IP connectivity can even appear normal while the OSPF adjacency still fails.

Exam trap

Be cautious of confusing OSPF timer mismatches with other common OSPF configuration issues like network types or authentication.

Why the other options are wrong

A

This option is wrong because OSPF allows multiple routers to have the same Router ID, but they can still form adjacencies if other parameters are correctly configured. The issue in this scenario is related to mismatched OSPF timers, not Router IDs.

C

This option is incorrect because the interface cost does not directly affect the formation of OSPF adjacencies; it only influences the route selection process once adjacencies are established.

D

The subnet mask being invalid is not the cause of the OSPF adjacency failure in this scenario, as the issue lies with the mismatch of OSPF timers rather than an incorrect subnet mask. Both routers are on the same segment and should have compatible subnet configurations.

1488
MCQhard

A router has these routes installed. Which path will be chosen for traffic to 172.16.10.200?

A.O 172.16.10.0/24 via 10.1.1.2
B.S 172.16.10.128/25 via 10.1.1.6
C.O 172.16.0.0/16 via 10.1.1.10
D.S* 0.0.0.0/0 via 203.0.113.1
AnswerB

This is correct because 172.16.10.200 falls within the 172.16.10.128/25 range, making it the most specific matching route.

Why this answer

When multiple routes could match a destination, the router first uses longest-prefix match. In plain language, it chooses the route that describes the destination most specifically, not simply the one from the protocol with the lowest metric somewhere else in the table. For 172.16.10.200, the key is to determine which listed prefix actually contains that address and is the narrowest valid match.

If a /25 and a /24 both match, the /25 wins because it is more specific. If the destination does not fit inside the smaller subnet, then the broader route is used instead. That is the entire skill being tested here: careful evaluation of the prefix boundaries before thinking about anything else. Once you recognize the address falls within the upper half of the /24, the more specific route becomes obvious.

Exam trap

A frequent exam trap is to select a route based solely on the routing protocol type or administrative distance without verifying the subnet mask specificity. For example, candidates might incorrectly choose the OSPF-learned /24 route over the static /25 route because they assume dynamic routes are preferred or because they overlook the subnet boundaries. This mistake ignores the fundamental longest-prefix match rule, which always prioritizes the most specific subnet regardless of protocol.

Misreading subnet ranges or confusing the address boundaries of a /25 versus a /24 can also lead to choosing an incorrect route.

Why the other options are wrong

A

Option A shows an OSPF route to 172.16.10.0/24 via 10.1.1.2. Although the /24 subnet covers 172.16.10.200, it is less specific than the /25 subnet. Therefore, this route will not be chosen because the router prefers the more specific /25 route.

C

Option C shows an OSPF route to 172.16.0.0/16 via 10.1.1.10. This is a very broad subnet covering a large address range, including 172.16.10.200. However, since more specific routes exist (/24 and /25), this route will be ignored in favor of the longer prefix matches.

D

Option D is a static default route (0.0.0.0/0) via 203.0.113.1. Default routes are only used when no other more specific route matches the destination. Since the /25 route matches 172.16.10.200, the default route will not be selected.

1489
MCQmedium

Why is route summarization useful at a distribution layer or area boundary?

A.It reduces the number of specific prefixes that must be carried or advertised.
B.It forces all traffic to use a default route only.
C.It automatically encrypts routing updates.
D.It removes the need for subnetting.
AnswerA

This is correct because summarization aggregates multiple routes into fewer broader entries.

Why this answer

Route summarization is useful because it reduces the number of individual routes that have to be advertised and stored. In practical terms, one summary can represent many more specific internal prefixes, which helps keep routing tables smaller and updates simpler. That improves scalability and reduces control-plane clutter.

Summarization does not eliminate the need for detail everywhere, but it helps present the network more efficiently at aggregation points.

Exam trap

A frequent exam trap is mistaking route summarization for default routing or encryption. Some candidates incorrectly believe summarization forces all traffic to use a default route or that it secures routing updates by encrypting them. Neither is true.

Summarization simply aggregates multiple specific routes into fewer, broader prefixes to reduce routing table size and update complexity. Misunderstanding this can lead to selecting incorrect answers such as options B or C, which confuse summarization with unrelated routing concepts. Recognizing that summarization optimizes routing information without changing traffic forwarding behavior or security is essential to avoid this trap.

Why the other options are wrong

B

This option is incorrect because summarization does not force all traffic to use a default route. Summarization aggregates routes but does not replace them with a default route, so traffic forwarding decisions remain based on specific or summarized routes.

C

This option is wrong as route summarization does not provide encryption for routing updates. Encryption is a separate security feature unrelated to summarization, which only aggregates routing information.

D

This option is incorrect because summarization does not remove the need for subnetting. Subnetting defines network address structure, while summarization aggregates existing subnets into broader prefixes for routing efficiency.

1490
Multi-Selectmedium

Which three statements accurately describe the role of AI in software-defined networking (SDN) and intent-based networking (IBN)? (Choose three.)

Select 3 answers
.AI can analyze network state and suggest or enforce configuration changes to meet defined business intent
.IBN systems may use AI to verify that the current network state matches the desired intent
.AI can assist in translating high-level business policies into low-level device configurations
.SDN controllers replace AI for all decision-making, making AI unnecessary in IBN
.AI in SDN is only used for traffic engineering, not for security or compliance
.Intent-based networking eliminates the need for any monitoring or feedback loops

Why this answer

AI enhances SDN and IBN by analyzing network state to suggest or enforce configuration changes that align with business intent, verifying that the current state matches the desired intent, and translating high-level policies into low-level device configurations. These capabilities enable automation, continuous validation, and policy-driven operations. The incorrect options are wrong because: (1) SDN controllers do not replace AI; AI can augment decision-making beyond basic controller logic. (2) AI in SDN is used for security, compliance, and many other areas, not just traffic engineering. (3) Intent-based networking relies on monitoring and feedback loops to maintain alignment with intent; it does not eliminate them.

Exam trap

Cisco often tests the misconception that SDN and IBN are purely rule-based or that AI replaces existing control mechanisms, when in fact AI augments them for dynamic, intent-driven operations.

Why the other options are wrong

A

SDN controllers do not replace AI; AI can augment control and decision-making, making this statement false.

B

AI in SDN applies to security, compliance, and analytics, not only traffic engineering, so this statement is incorrect.

C

Intent-based networking requires continuous monitoring and feedback loops to ensure match with intent, so this statement is false.

1491
MCQhard

A static default route is configured with an administrative distance of 250. What is the most likely design intention?

A.To keep the route as a backup of last resort behind normal learned routes
B.To make the route override all dynamic routing immediately
C.To disable default routing entirely
D.To convert the default route into a host route
AnswerA

This is correct because a very high administrative distance makes the static route float behind preferred sources.

Why this answer

The design intention is to make the static default route a very low-priority backup path. In plain language, the administrator wants the route to exist only as a last resort behind almost any normal learned path. By assigning such a high administrative distance, the route stays out of the active table unless better routes disappear.

This is a floating-static design concept. The route is not meant to be primary. It is intentionally configured to sit in reserve and become relevant only during failure conditions or severe loss of normal routing information.

Exam trap

A common exam trap is assuming that increasing the administrative distance disables the static route or forces it to override dynamic routes. In reality, a higher AD causes the static route to be less preferred, effectively floating it behind all other routes. Candidates might confuse the AD value with route priority or think that setting it to 250 disables the route, but the route remains active and is used only as a last resort.

Misinterpreting this can lead to incorrect answers about route behavior and fail to recognize the floating static route design pattern.

Why the other options are wrong

B

Incorrect. A high administrative distance does not make a route override dynamic routes; it makes the route less preferred. Therefore, the static route will not immediately override dynamic routes.

C

Incorrect. Assigning a high administrative distance does not disable the route; it remains configured and available as a backup. The route is not conceptually disabled but deprioritized.

D

Incorrect. Administrative distance affects route preference, not the route prefix or mask. Changing AD does not convert a default route into a host route.

1492
MCQhard

A switch port connected to an IP phone and a PC should separate voice traffic from data traffic while still using one physical edge connection. Which feature best supports that design?

A.Voice VLAN
B.EtherChannel
C.Native VLAN
D.Loop guard
AnswerA

This is correct because a voice VLAN separates phone traffic from user data on a shared edge port.

Why this answer

A voice VLAN best supports that design. In practical terms, a Cisco-style voice VLAN allows the switch to carry voice traffic separately from user data even though the phone and PC share the same physical access connection. This is a common enterprise edge design because it lets the phone use one VLAN while the downstream PC uses another.

The key point is separation of traffic types over one edge port, not trunking between switches or link aggregation.

Exam trap

Avoid confusing the purpose of trunk ports and link aggregation with traffic separation on a single edge port.

Why the other options are wrong

B

EtherChannel is used to aggregate multiple physical links into a single logical link for increased bandwidth and redundancy, but it does not inherently separate voice and data traffic on a single port. It does not address the requirement of managing different traffic types on the same physical connection.

C

The Native VLAN is used for untagged traffic on a trunk link and does not separate voice and data traffic effectively; it simply allows untagged frames to pass through without any differentiation.

D

Loop guard is designed to prevent loops in a switched network by blocking ports that receive unexpected BPDUs. It does not facilitate the separation of voice and data traffic on a single physical connection, which is the requirement of the question.

1493
PBQhard

You are connected to R1 via the console. Configure single-area OSPFv2 on R1, R2, and R3 so that all three routers can exchange routes. The current configuration has mismatched hello/dead timers on the link between R1 and R2, and an area mismatch on the link between R2 and R3. Correct these issues and ensure OSPF adjacencies form.

Network Topology
G0/010.0.12.1/30G0/110.0.23.2/30G0/110.0.23.2/30G0/010.0.13.2/30G0/010.0.13.2/30G0/110.0.13.1/30R1R2 (G0/0 10.0.12.2/30)R3 (G0/1 10.0.23.2/30)

Hints

  • Check the hello/dead timers on R2's G0/0 using 'show ip ospf interface'.
  • Check the OSPF area on R2's G0/1 and R3's G0/1 using 'show ip ospf interface'.
  • On R2, use 'ip ospf hello-interval' and 'ip ospf dead-interval' under G0/0, and 'network' command under router ospf to change area.
A.On R2, configure interface G0/0 with 'ip ospf hello-interval 10' and 'ip ospf dead-interval 40', and modify the OSPF network statement for 10.0.23.0/30 to area 0.
B.On R2, configure interface G0/0 with 'ip ospf hello-interval 30' and 'ip ospf dead-interval 120', and modify the OSPF network statement for 10.0.23.0/30 to area 1.
C.On R1, configure interface G0/0 with 'ip ospf hello-interval 30' and 'ip ospf dead-interval 120', and on R3, change the OSPF network statement for 10.0.23.0/30 to area 1.
D.On R1, configure interface G0/0 with 'ip ospf hello-interval 10' and 'ip ospf dead-interval 40', and on R2, modify the OSPF network statement for 10.0.23.0/30 to area 1.
AnswerA
solution
! R1

Why this answer

The adjacency between R1 and R2 fails because R1 has hello/dead timers of 10/40, while R2 has 30/120 on G0/0. The adjacency between R2 and R3 fails because R2's G0/1 is in area 1, but R3's G0/1 is in area 0. On R2, change the hello/dead timers on G0/0 to match R1 (10/40) using 'ip ospf hello-interval 10' and 'ip ospf dead-interval 40'.

Also change the network statement for 10.0.23.0/30 to area 0 using 'network 10.0.23.0 0.0.0.3 area 0'. Verify with 'show ip ospf neighbor' on all routers.

Exam trap

A common trap is to assume that timers must be changed on the router with the 'non-default' values, but OSPF requires timers to match on both ends; either router can be adjusted. Another trap is to think that the area mismatch can be resolved by changing the area on either router, but the correct area must be consistent with the network design. In this scenario, the existing explanation specifies the correction on R2.

Why the other options are wrong

B

The specific factual error is that the timers should be made consistent by adjusting R2 to match R1, not the other way around, and the area mismatch requires both routers to be in the same area, which is area 0.

C

The specific factual error is that the timers can be adjusted on either router, but the area mismatch must be resolved by making both routers use the same area. Changing R3 to area 1 would not fix the adjacency if R2 is already in area 1? Actually, R2 is in area 1 on G0/1, so changing R3 to area 1 would make them match, but the question states the area mismatch is on the link between R2 and R3, and the existing explanation says to change R2's network statement to area 0. This option changes R3 instead, which could also work, but the question expects the correction on R2 as per the existing explanation.

Additionally, changing R1's timers is not the most efficient if R1 is already configured correctly.

D

The specific factual error is that the timers on R1 are already correct, and the area mismatch requires both routers to be in the same area. Changing R2's area to area 1 would not match R3's area 0.

1494
Multi-Selectmedium

Which three options are valid ways to secure administrative access to a Cisco IOS device? (Choose three.)

Select 3 answers
.Create a local username and password with the 'username name secret password' command.
.Configure an ACL on the VTY lines to restrict source IP addresses.
.Use the 'enable secret' command to set a privileged EXEC password.
.Disable all unused ports using the 'shutdown' command.
.Set the 'service password-encryption' command to encrypt all passwords in transit.
.Configure CDP globally to verify neighbor devices before login.

Why this answer

All three correct options are valid methods to secure administrative access. Creating a local username/password with the 'username name secret password' command provides authentication for login (e.g., via SSH, console, or VTY). Configuring an ACL on VTY lines restricts which source IP addresses can initiate administrative sessions, adding a layer of network-based access control.

Using 'enable secret' protects privileged EXEC mode with a strong hashed password. The three wrong options do not directly secure administrative access: 'shutdown' disables ports (port security, not administrative access), 'service password-encryption' only encrypts passwords in the running configuration (not in transit), and CDP is a neighbor discovery protocol unrelated to authentication.

Exam trap

Cisco often tests the distinction between 'enable secret' (hashed) and 'enable password' (weak encryption), and candidates may mistakenly think only one method is valid, but all three options here are correct and commonly used together for layered security.

1495
Multi-Selectmedium

Which two statements accurately describe passive interfaces in OSPF?

Select 2 answers
A.It suppresses OSPF hello packets on that interface.
B.It can still allow the connected network to be advertised into OSPF.
C.It converts OSPF on that interface into static routing.
D.It forces the interface IP address to become the router ID.
E.It disables OSPF on every interface in the router automatically.
AnswersA, B

This is correct because passive interfaces do not actively form OSPF neighbors.

Why this answer

A passive interface stops the router from sending OSPF hello packets on that interface, which means the router will not try to form neighbors there. In practical terms, this is useful on user-facing or stub-like links where no OSPF neighbor should exist. However, passive does not necessarily mean the connected network disappears from OSPF. The network can still be advertised through the router’s other active adjacencies.

This is a common design and security practice because it reduces unnecessary routing chatter on interfaces that should not form adjacencies in the first place.

Exam trap

A frequent exam trap is assuming that configuring an interface as passive disables OSPF routing on that interface or converts OSPF routes into static routes. Candidates may also mistakenly believe that passive interfaces automatically disable OSPF on all router interfaces or force the interface IP to become the router ID. These misunderstandings arise because passive interfaces stop hello packets but do not disable OSPF or affect router ID selection.

Misreading this can lead to incorrect answers about OSPF behavior and network design.

Why the other options are wrong

C

Option C is incorrect because passive interfaces do not convert OSPF into static routing; OSPF remains active and continues to advertise routes.

D

Option D is incorrect because passive interface configuration does not influence router ID selection, which is determined by other OSPF rules.

E

Option E is incorrect because passive interface settings apply only to the specified interface and do not disable OSPF on all router interfaces.

1496
MCQmedium

A PC in VLAN 30 must obtain an address from a DHCP server in VLAN 99. Which feature is required on the Layer 3 interface for VLAN 30?

A.Port security
B.DHCP snooping
C.DHCP relay
D.Dynamic ARP inspection
AnswerC

Correct. DHCP relay is what allows a client to reach a server on another subnet.

Why this answer

DHCP Discover messages are broadcasts and do not cross Layer 3 boundaries on their own. DHCP relay, commonly configured with ip helper-address, forwards the requests to a server on another subnet.

Exam trap

A frequent exam trap is selecting DHCP snooping or port security as the solution for inter-VLAN DHCP communication. DHCP snooping is often misunderstood as a relay mechanism, but it only validates DHCP messages to prevent unauthorized servers and does not forward broadcasts between VLANs. Similarly, port security controls MAC address access on switchports but does not affect DHCP message forwarding.

Candidates may also confuse Dynamic ARP Inspection with DHCP relay, but DAI only inspects ARP traffic for security purposes. The key mistake is overlooking that DHCP broadcasts are Layer 2 broadcasts and require DHCP relay on the Layer 3 interface to reach servers in other VLANs.

Why the other options are wrong

A

Port security restricts MAC addresses on switchports to enhance security but does not forward DHCP broadcasts or enable clients in one VLAN to reach DHCP servers in another VLAN. It does not facilitate inter-VLAN DHCP communication.

B

DHCP snooping is a security feature that validates DHCP messages to prevent rogue DHCP servers but does not relay DHCP requests between VLANs. It cannot replace DHCP relay functionality needed for inter-VLAN DHCP address assignment.

D

Dynamic ARP Inspection inspects ARP traffic to prevent ARP spoofing attacks but does not forward DHCP messages or enable DHCP communication between VLANs. It is unrelated to DHCP relay or inter-VLAN DHCP address assignment.

1497
Multi-Selecthard

Which two conditions must match for a Layer 2 EtherChannel bundle to form correctly? (Choose two.)

Select 2 answers
A.The member interfaces must use the same speed and duplex settings.
B.Each member interface must be assigned a different native VLAN.
C.The member interfaces must have compatible switchport mode and VLAN settings.
D.One side must use LACP and the other must use PAgP.
AnswersA, C

Correct. Inconsistent physical settings can prevent bundling.

Why this answer

Member interfaces must have consistent Layer 2 parameters such as speed/duplex and trunk/access characteristics.

Exam trap

Don't confuse VLAN membership or MAC address requirements with EtherChannel parameters. Focus on speed and duplex consistency.

Why the other options are wrong

B

This option is wrong because all member interfaces in an EtherChannel must be configured with the same native VLAN for the bundle to form correctly, not different native VLANs.

D

This option is wrong because EtherChannel can only form if both ends of the link use the same protocol, either LACP or PAgP, not a mix of both. Mixing protocols will prevent the EtherChannel from establishing.

1498
Multi-Selectmedium

Which TWO of the following are essential IPv4 host parameters that must be correctly configured for a host to communicate with devices on remote networks?

Select 2 answers
A.DNS server address
B.Default gateway
C.Subnet mask
D.MAC address
E.Host name
AnswersB, C

The default gateway is the router interface that allows a host to send traffic to destinations outside its local subnet.

Why this answer

The default gateway is the IP address of the router interface on the local subnet; when a host needs to communicate with a device on a remote network, it must forward packets to the default gateway because the destination is not reachable locally. The subnet mask is equally essential because the host uses it (along with its own IP address) to determine whether a destination IP address is on the same local network or a remote network; without a correctly configured subnet mask, the host cannot make this determination and may misroute traffic. DNS server address is only for name resolution and is not required for IP-level connectivity, MAC address is a Layer 2 address already present on the NIC, and hostname is a local identifier irrelevant to routing.

Exam trap

Cisco often tests the misconception that a DNS server address is a mandatory host parameter for remote communication, but DNS is only a name-resolution service and not required for IP-level connectivity.

Why the other options are wrong

A

A host can communicate using IP addresses directly without DNS. DNS is a service, not a mandatory parameter for routing.

D

MAC addresses are not manually configured as part of IPv4 host parameters (they are burned into the NIC). The question asks for IPv4 host parameters that must be configured.

E

Host names are used for identification and can be resolved via DNS, but they are not essential for the host to send or receive IP packets.

1499
MCQhard

A network administrator is troubleshooting connectivity between two directly connected Cisco switches. Hosts on VLAN 10 connected to Switch A cannot ping the default gateway on Switch B. The interface on Switch A shows 'up/up' but there are excessive CRC errors and runts. The administrator checks the interface configuration on both switches. What is the most likely cause of the issue?

A.Replace the faulty Ethernet cable.
B.Mismatched duplex and speed settings between the interfaces.
C.Disable spanning tree on both interfaces to prevent loop prevention from blocking traffic.
D.Assign the interfaces to the same VLAN to ensure Layer 2 connectivity.
AnswerB

This directly resolves the duplex mismatch. Switch A shows full-duplex/1000 Mbps, while Switch B shows half-duplex/100 Mbps. Setting both to full-duplex and 1000 Mbps eliminates the CRC errors caused by the mismatch.

Why this answer

The presence of excessive CRC errors and runts on an interface that is 'up/up' strongly indicates a Layer 1 or Layer 2 duplex mismatch. When one switch is set to full-duplex and the other to half-duplex (or auto-negotiation fails), the half-duplex side will detect collisions and retransmit, while the full-duplex side will not, leading to frame corruption (CRC errors) and truncated frames (runts). Configuring both interfaces with the same duplex and speed settings (e.g., full-duplex and 1000 Mbps) resolves this mismatch, restoring proper connectivity for VLAN 10 traffic to the default gateway.

Exam trap

Cisco often tests the concept that 'up/up' does not guarantee error-free communication, and candidates mistakenly focus on cable replacement or VLAN misconfiguration instead of recognizing CRC errors and runts as classic symptoms of a duplex mismatch.

Why the other options are wrong

A

The exhibit shows both switches have different speed and duplex settings, indicating a configuration mismatch rather than a cable fault.

C

The interface is up/up and the errors are CRC, which are not related to spanning tree operation.

D

CRC errors indicate physical or duplex issues, not VLAN misconfiguration.

1500
PBQhard

You are connected to R1. The network must route IPv6 traffic between two directly connected routers using OSPFv3. Configure OSPFv3 on R1's GigabitEthernet0/0 interface in area 0, enable IPv6 unicast routing, and verify that R1 forms an OSPFv3 neighbor adjacency with R2 and learns the remote network 2001:DB8:CAFE:2::/64 via OSPFv3.

Network Topology
G0/02001:DB8:CAFE:1::1/64G0/02001:DB8:CAFE:1::2/64linkR1R2

Hints

  • OSPFv3 is enabled per interface, not as a network statement.
  • You need to create the OSPFv3 process before enabling it on the interface.
  • The OSPFv3 process ID must match on both routers.
A.Enable OSPFv3 on the interface with 'ipv6 ospf 1 area 0' under GigabitEthernet0/0.
B.Configure 'ipv6 router ospf 1' and then 'network 2001:DB8:CAFE:1::/64 area 0' under the OSPFv3 process.
C.Enable OSPFv3 on the interface with 'ipv6 ospf 1 area 0' under the OSPFv3 router configuration mode.
D.Configure 'ipv6 unicast-routing' and then 'ipv6 ospf 1 area 0' under the interface.
AnswerA
solution
! R1
router ospfv3 1
exit
interface GigabitEthernet0/0
ipv6 ospf 1 area 0

Why this answer

The issue is that OSPFv3 is not enabled on R1's GigabitEthernet0/0 interface, and the OSPFv3 routing process has not been started. To fix this, first ensure ipv6 unicast-routing is already enabled (it is). Then configure the OSPFv3 process with a process ID (e.g., 1) and enable OSPFv3 on the interface in area 0 using the command 'ipv6 ospf 1 area 0' under the interface.

After that, R1 will form a neighbor adjacency with R2 and learn the remote route.

Exam trap

Do not confuse OSPFv3 configuration with OSPFv2. OSPFv3 uses interface-level activation, not the 'network' command. Also, ensure you apply the command in the correct configuration mode (interface mode, not router mode).

Why the other options are wrong

B

The 'network' command is not valid for OSPFv3; OSPFv3 uses interface-level configuration.

C

This command is only valid in interface configuration mode.

D

The question explicitly says IPv6 unicast routing is already enabled, so this option includes an unnecessary step.

Page 19

Page 20 of 25

Page 21