CCNA 200-301 v2 (200-301) — Questions 1501–1575

1819 questions total · 25 pages · All types, answers revealed

Page 21 of 25
1501
MCQ (hard)

Exhibit: R3 learns 10.50.0.0/16 by OSPF through two equal-cost paths. What will R3 do by default?

A. Install both routes and load balance
B. Choose the route from the neighbor with the highest router ID only
C. Install only one route because OSPF does not support ECMP
D. Prefer the path with the lower next-hop IP address
Answer: A

Equal-cost OSPF paths are installed by default.

Why this answer

When OSPF has equal-cost routes to the same destination, the router installs multiple paths and can load balance across them, assuming the platform supports the default maximum-paths value.

Exam trap

A frequent exam trap is believing that OSPF will choose only one route when multiple equal-cost paths exist, often assuming it picks the route from the neighbor with the highest router ID or the path with the lowest next-hop IP address. This misconception leads to incorrect answers because OSPF’s path selection process installs all equal-cost routes by default. Misunderstanding this behavior can cause candidates to overlook OSPF’s load balancing capability and mistakenly select options that describe single-route preferences, which do not apply to equal-cost multipath scenarios.

Why the other options are wrong

B

Incorrect because OSPF does not select a single route based on the highest router ID when multiple equal-cost paths exist; it installs all such routes.

C

Incorrect because OSPF explicitly supports equal-cost multipath (ECMP) routing and does not limit itself to installing only one route.

D

Incorrect because the next-hop IP address is not a factor in OSPF’s path selection among equal-cost routes; cost metric is the deciding factor.

1502
MCQ (hard)

A branch router uses PPP on a serial WAN link. Which additional PPP capability most directly improves access security on that link?

A. PPP authentication
B. STP root election
C. Wireless roaming
D. IPv6 loopback addressing
Answer: A

This is correct because peer authentication is a direct PPP security-related capability.

Why this answer

PPP authentication most directly improves access security on the link. In practical terms, authentication helps verify the identity of the peer rather than simply bringing up the point-to-point connection without validation. That makes PPP more useful than a bare unauthenticated link in environments where peer identity matters.

At CCNA level, the important point is recognizing that PPP is associated with optional authentication capability on WAN links.

Exam trap

A common exam trap is selecting options like STP root election or IPv6 loopback addressing as security features for PPP links. STP is a Layer 2 protocol that prevents loops in Ethernet networks and does not apply to serial WAN links or PPP authentication. Similarly, IPv6 loopback addresses are used for router management and diagnostics, not for authenticating peers on a WAN link.

Candidates may also be tempted by unrelated wireless concepts like roaming, which have no bearing on PPP serial link security. Recognizing that PPP authentication specifically addresses peer verification on point-to-point links is essential to avoid these distractions.

Why the other options are wrong

B

STP root election is incorrect because STP operates at Layer 2 to prevent loops in Ethernet networks and does not provide authentication or security on PPP serial links.

C

Wireless roaming is unrelated to serial WAN links and PPP authentication; it applies to wireless LAN environments and does not affect WAN link security.

D

IPv6 loopback addressing is used for router management and diagnostics and does not provide any authentication or security features for PPP WAN links.

1503
Drag &amp; Drop (medium)

Drag and drop the following steps into the correct order to configure dynamic NAT with overload (PAT) using a pool of public IP addresses.


Why this order

The NAT pool must be defined first because it is referenced by the overload rule. Next, the access list identifies the inside local addresses that will be translated. The inside and outside interfaces are then labeled with 'ip nat inside' and 'ip nat outside' respectively, enabling NAT on those interfaces.

Finally, the overload rule is applied, linking the ACL and the pool on the specified interfaces to complete the configuration.

1504
MCQ (easy)

Which cable type is commonly used to connect a switch to a router when using standard Ethernet interfaces on modern devices with auto-MDIX support?

A. Rollover cable
B. Straight-through Ethernet cable
C. Serial DCE cable
D. Fiber patch cable only
Answer: B

Correct. Straight-through is the standard answer for this connection type.

Why this answer

A straight-through Ethernet cable is the common expected answer for switch-to-router Ethernet connections. On modern interfaces, auto-MDIX often makes crossover requirements less important in practice.

Exam trap

Remember that auto-MDIX allows for the use of straight-through cables in situations where crossover cables were once required.

Why the other options are wrong

A

A rollover cable is used to connect a console port of a router or switch to a computer terminal, not for connecting switches to routers over Ethernet interfaces. In modern networking setups with auto-MDIX, a straight-through cable is the standard choice.

C

A serial DCE cable is used for connecting devices in a serial communication setup, typically for console access or point-to-point connections, not for standard Ethernet interfaces between a switch and a router.

D

A fiber patch cable is not used to connect a switch to a router over standard Ethernet interfaces, as it requires compatible fiber optic ports and transceivers. Ethernet interfaces typically use copper cabling, such as straight-through cables, for such connections.

1505
Drag &amp; Drop (medium)

Drag and drop the following steps into the correct order to capture and analyze traffic on IOS-XE using the embedded packet capture feature, and in Wireshark to isolate a Layer 2 or Layer 3 fault.


Why this order

For IOS-XE embedded packet capture, the correct order is: 1) Access privileged EXEC mode (required for all monitor commands), 2) Create a capture buffer, 3) Associate a capture point, 4) Start the capture, 5) Stop the capture, 6) Export the capture, 7) Analyze in Wireshark. Options B, C, and D each violate the required sequence: B starts buffer creation before entering privileged mode, C associates the point before creating the buffer, and D omits the critical 'start' step entirely.

Exam trap

A common mistake is to forget the 'start the capture' step, making the exported file empty; always remember to issue 'monitor capture point start' after association.

1506
Multi-Select (medium)

Which TWO statements are true regarding HSRP active/standby election, priority, and preemption?

Select 2 answers.
A. The router with the highest priority becomes the active router.
B. The router with the lowest IP address in the standby group becomes the active router.
C. HSRP priority can be configured from 0 to 100, with 100 being the highest.
D. Preemption is enabled by default on all HSRP interfaces.
E. If preemption is enabled, a router with a higher priority can take over the active role from a router with a lower priority that is already active.
F. The standby router uses a priority of 0 to indicate it will never become active.
Answers: A, E

HSRP uses a priority value (0–255, default 100) to determine the active router; the highest priority wins.

Why this answer

In HSRP, the router with the highest priority wins the election to become the active router (A correct). If preemption is enabled, a router with a higher priority can take over the active role from a lower-priority active router (E correct). Option B is incorrect: when priorities are equal, the router with the highest IP address in the standby group is chosen, not the lowest.

Option C is incorrect: HSRP priority ranges from 0 to 255, not 0 to 100. Option D is incorrect: preemption is disabled by default on all HSRP interfaces. Option F is incorrect: a priority of 0 is used to indicate that the router will not participate in the election or will immediately give up the active role, but it does not mean it will never become active; in fact, it can be configured to force a new election.

Exam trap

Cisco often tests the exact priority range (0–255) and the tiebreaker rule (highest IP, not lowest), leading candidates to confuse HSRP with VRRP or GLBP, or to misremember the priority scale.

Why the other options are wrong

B

This describes a different mechanism (e.g., VRRP uses IP address as a tiebreaker only after priority).

C

The range is 0–255, not 0–100.

D

Preemption is not a default behavior.

F

Priority 0 is a special value, not the normal standby priority.

1507
Matching (easy)

Match each basic networking service to its most accurate role.

Descriptions to match:

  • Hostname resolution
  • Automatic IP configuration
  • Clock synchronization
  • Centralized event and log reporting

Why these pairings

DNS converts domain names to IP addresses; DHCP automates IP configuration; NTP synchronizes clocks across devices; Syslog centralizes event and log reporting for monitoring and troubleshooting.

Exam trap

Cisco exams often test the specific function of each service. Do not confuse DNS with DHCP, or NTP with Syslog. Remember: DNS = name-to-IP, DHCP = IP assignment, NTP = clock sync, Syslog = logging.

1508
Multi-Select (medium)

A branch office uses PAT overload on the edge router. Inside users can reach the internet, but return traffic for a newly deployed server must be mapped to a specific inside host. Which two statements are correct?

Select 2 answers.
A. A static NAT entry can provide a consistent public-to-private mapping for the server
B. PAT overload is designed mainly for many-to-one outbound address sharing
C. Dynamic NAT always supports inbound access without additional configuration
D. NAT is unrelated to whether private addresses can reach the public internet
Answers: A, B

Static NAT is appropriate when inbound connections must always reach the same inside host.

Why this answer

PAT overload is great for many inside clients sharing a public IP for outbound sessions. A public-facing server that needs predictable inbound reachability typically requires static NAT or static PAT.

Exam trap

A frequent exam trap is assuming that PAT overload can handle inbound connections to a specific inside host because it manages many-to-one address sharing. However, PAT overload dynamically assigns ports for outbound sessions and does not reserve a fixed public IP and port combination for inbound traffic. This misconception leads to incorrect answers suggesting dynamic NAT or PAT overload can support inbound server access without additional configuration.

The key is recognizing that only static NAT provides a consistent public-to-private mapping necessary for inbound connectivity to a server.

Why the other options are wrong

C

Option C is incorrect because dynamic NAT does not guarantee a fixed public IP address for any inside host, so it cannot reliably support inbound access without additional static configuration.

D

Option D is incorrect because NAT and PAT are directly related to enabling private IP addresses to communicate with the public internet, making them central to edge router configurations in branch offices.

1509
PBQ (hard)

You are connected to the console of R1, a Cisco IOS-XE router. The network operations team needs to automate the backup of the running configuration to a TFTP server using a Python netmiko script. However, the script is failing. Your task is to write the correct netmiko commands to connect to R1 and save the configuration to the TFTP server at 192.168.1.100.

Network Topology

R1 (G0/0: 192.168.1.1/24) ---link--- TFTP Server (192.168.1.100/24)

Hints

  • Netmiko uses 'send_command' to send CLI commands.
  • The command to backup is 'copy running-config tftp://<server-ip>/<filename>'.
  • Ensure the TFTP server is reachable from R1.
A.
    from netmiko import ConnectHandler
    connection = ConnectHandler(device_type='cisco_ios', ip='192.168.1.1', username='admin', password='cisco')
    connection.send_command('copy running-config tftp://192.168.1.100/r1-config', expect_string=r'\[confirm\]')
    connection.send_command('\n')
    connection.disconnect()

B.
    from netmiko import ConnectHandler
    connection = ConnectHandler(device_type='cisco_ios', ip='192.168.1.1', username='admin', password='cisco')
    connection.send_command('copy running-config tftp://192.168.1.100/r1-config')
    connection.disconnect()

C.
    from netmiko import ConnectHandler
    connection = ConnectHandler(device_type='cisco_ios', ip='192.168.1.1', username='admin', password='cisco')
    connection.send_command('copy running-config tftp://192.168.1.100/r1-config', expect_string=r'#')

D.
    from netmiko import ConnectHandler
    connection = ConnectHandler(device_type='cisco_ios', ip='192.168.1.1', username='admin', password='cisco')
    connection.send_command('copy running-config tftp://192.168.1.100/r1-config\n')
    connection.disconnect()

Answer: A

Solution:
! R1
copy running-config tftp://192.168.1.100/r1-config

Why this answer

The 'copy running-config tftp://...' command in Cisco IOS prompts with '[confirm]'. To handle this interactively in netmiko, the expect_string must use a regular expression that matches the literal characters '[' and ']', which requires escaping them as '\[' and '\]'. The corrected script uses r'\[confirm\]' and then sends a newline to confirm, ensuring the backup completes.

Options B and D fail to expect the prompt, and C uses an incorrect prompt match (expect_string=r'#' would only wait for the privileged EXEC prompt, missing the confirmation).

Exam trap

The key trap is that the 'copy' command in Cisco IOS is interactive even when the full destination is specified. Candidates often forget to handle the '[confirm]' prompt, assuming the command completes silently. Always test scripts interactively first to identify prompts.

Why the other options are wrong

B

The specific factual error is that the 'copy' command in Cisco IOS requires a confirmation (pressing Enter) when the destination filename is provided. The script must send an additional newline to complete the operation.

C

The specific factual error is that the 'copy' command generates an intermediate prompt ('[confirm]') before returning to the router prompt. The script should wait for that intermediate prompt, not the final prompt.

D

The specific factual error is that including a newline in the command string does not simulate an interactive response to a subsequent prompt. The script must send the newline separately after the command is issued.

1510
MCQ (hard)

A host with address 192.168.1.130/26 needs to identify its local subnet. Which subnet does it belong to?

A. 192.168.1.0/26
B. 192.168.1.64/26
C. 192.168.1.128/26
D. 192.168.1.192/26
Answer: C

This is correct because 130 falls within the 128 through 191 range of the 192.168.1.128/26 subnet.

Why this answer

A /26 creates subnets in blocks of 64 addresses each. In plain language, that means the fourth octet ranges are 0–63, 64–127, 128–191, and 192–255. Since 192.168.1.130 falls within the 128–191 block, the host belongs to the 192.168.1.128/26 subnet. That is the local network boundary the host will use to decide what is on-link and what requires the default gateway.

This kind of question is a very common CCNA subnetting task. The main challenge is not the arithmetic itself but recognizing the block size and locating the destination inside the correct range. Once you know a /26 moves in increments of 64, the right subnet becomes much easier to see.

Exam trap

Be careful to calculate subnet ranges accurately and avoid assuming proximity based on the first or last octet.

Why the other options are wrong

A

Option A is incorrect because the address 192.168.1.130 falls within the subnet range of 192.168.1.128/26, not 192.168.1.0/26, which covers addresses from 192.168.1.0 to 192.168.1.63.

B

Option B, 192.168.1.64/26, is incorrect because the host 192.168.1.130 falls within the subnet range of 192.168.1.128 to 192.168.1.191, not 192.168.1.64 to 192.168.1.127.

D

Option D, 192.168.1.192/26, is incorrect because the host address 192.168.1.130 falls within the subnet range of 192.168.1.128 to 192.168.1.191, making it part of the 192.168.1.128/26 subnet, not 192.168.1.192/26.

1511
Multi-Select (medium)

Which TWO tools or commands are commonly used to troubleshoot wireless client connectivity issues on a Cisco WLAN?

Select 2 answers.
A. ping
B. ipconfig /release
C. traceroute
D. show running-config
E. show wireless client summary
F. debug dhcp detail
Answers: A, E

ping is a basic network utility used to test reachability and round-trip time to a destination IP address, helping to verify if the client has network connectivity.

Why this answer

The ping command (A) tests basic IP-layer connectivity from the wireless client to a target host, revealing whether the client has a valid IP and can reach the default gateway or servers. The show wireless client summary command (E) is a standard WLC diagnostic command that displays associated clients’ MAC addresses, IP addresses, VLAN assignments, and authentication states, enabling quick identification of connectivity issues at the wireless link layer. Option B, ipconfig /release, only renews the client’s DHCP lease and does not diagnose ongoing connectivity.

Option C, traceroute, traces the path to a destination, which is not a primary wireless client troubleshooting tool; it is more suited for routing analysis. Option D, show running-config, displays the device’s static configuration, not live client connectivity. Option F, debug dhcp detail, is a high-impact debug that is too granular for general wireless troubleshooting and can disrupt service.

Exam trap

Cisco often tests the distinction between configuration commands (like ipconfig /release) and actual diagnostic tools (like ping and traceroute), leading candidates to mistakenly select ipconfig /release because they confuse DHCP lease renewal with connectivity testing.

Why the other options are wrong

B

This command is part of IP address management, not a tool for troubleshooting wireless signal or association problems.

D

While it can show WLAN settings, it does not provide real-time client association or signal information needed for client troubleshooting.

F

It focuses on DHCP server/client interactions rather than the wireless link itself.

1512
MCQ (medium)

A user can reach a remote web server by IP address but not by hostname. Which service should be checked first?

A. DNS
B. STP
C. PAT
D. Port security
Answer: A

This is correct because DNS is responsible for resolving hostnames into IP information.

Why this answer

DNS should be checked first. In plain language, the path to the server appears to work because the user can reach it by numeric address. The missing function is the translation from hostname to IP-related information, and that is exactly what DNS provides.

This is one of the clearest service-troubleshooting patterns in networking. If IP works but the name fails, DNS becomes the strongest first suspect. The correct answer is therefore the name-resolution service rather than a routing or switching feature.

Exam trap

A frequent exam trap is selecting PAT or STP as the cause when a user cannot reach a server by hostname but can by IP address. Candidates may mistakenly associate PAT with all IP-related issues, but PAT only translates IP addresses and ports for outbound traffic and does not resolve hostnames. Similarly, STP manages Layer 2 loop prevention and does not affect Layer 3 name resolution.

Confusing these services with DNS leads to incorrect troubleshooting steps. The key is to recognize that DNS is the only service responsible for translating hostnames to IP addresses, so it must be checked first when name resolution fails but IP connectivity succeeds.

Why the other options are wrong

B

STP manages Layer 2 loop prevention and does not handle hostname resolution. It cannot cause issues with accessing a server by hostname versus IP address.

C

PAT translates IP addresses and ports for outbound connections but does not perform hostname resolution. Problems with PAT would affect IP connectivity, not just name resolution.

D

Port security restricts switch port access based on MAC addresses and does not influence DNS or hostname resolution, so it is unrelated to the problem.

1513
MCQ (medium)

An administrator configures an EtherChannel between SW1 and SW2. The port-channel interfaces are physically up, but the EtherChannel bundle fails to come up. On SW1, the channel-group is set to mode active; on SW2, it is set to mode on. What is the most likely cause?

A. The switch priority values are mismatched
B. One side is using LACP active while the other side is set to on
C. The native VLAN must be VLAN 1 for EtherChannel to form
D. Gi1/0/2 cannot be bundled because interfaces must be in different VLANs
Answer: B

Mode on does not negotiate LACP.

Why this answer

EtherChannel requires compatible modes: LACP active mode sends negotiation packets, while 'on' mode disables all negotiation, so the two sides cannot agree and the bundle stays down. Option A is wrong because switch priority values are used in STP root election, not EtherChannel formation. Option C is wrong because the native VLAN does not need to be VLAN 1; it only needs to match on both ends.

Option D is wrong because all member interfaces in an EtherChannel must be in the same VLAN, not different ones.

Exam trap

Ensure both sides of an EtherChannel are set to compatible modes; 'on' mode does not participate in LACP negotiation.

How to eliminate wrong answers

Option B can be eliminated because both sides set to passive will not initiate negotiation. Option C is incorrect because VLAN mismatches affect traffic, not channel formation. Option D is wrong because speed mismatches are a physical issue, not a configuration mismatch.

Option A is correct as it directly addresses the LACP mode incompatibility causing the EtherChannel to remain down.

1514
MCQ (hard)

A network technician is troubleshooting a connectivity issue between two directly connected switches, SW1 and SW2. Hosts on VLAN 10 connected to SW1 can ping each other but cannot ping the default gateway or any host on VLAN 10 connected to SW2. The interface on SW1 is up/up, but the interface on SW2 is up/down. What is the most likely cause of the problem?

A. Configure the interface on SW2 to use a different MTU value.
B. Ensure both switches are configured for the same duplex setting, preferably by enabling autonegotiation on both interfaces.
C. Replace the Ethernet cable connecting SW1 and SW2.
D. Check for late collisions on the interface and increase the collision window size.
Answer: B

The output from SW1 shows the interface is full-duplex, but SW2's interface is up/down. This is a classic symptom of a duplex mismatch, where one side is full and the other half-duplex. Configuring both ends to the same duplex (or enabling autonegotiation) will resolve the issue.

Why this answer

The interface on SW2 is up/down, which typically indicates a Layer 1 issue such as a duplex mismatch. Duplex mismatch occurs when one switch is manually set to full duplex and the other to half duplex or auto-negotiation fails, causing the side expecting full duplex to report up/down due to excessive errors. Option A is incorrect because MTU mismatch would cause connectivity issues but not an up/down interface state.

Option C is incorrect because a faulty cable would likely cause both interfaces to be down/down, not up/down. Option D is incorrect because late collisions are a symptom of duplex mismatch, not a separate cause; increasing collision window size is not a standard troubleshooting step. The correct solution is to ensure both switches use the same duplex setting, preferably via autonegotiation (IEEE 802.3u).

Exam trap

Cisco often tests the distinction between up/down (Layer 1 issue like duplex mismatch) and down/down (cable or power issue) to trap candidates who assume any interface problem is a bad cable.

Why the other options are wrong

A

Changing MTU values affects frame size but does not cause an interface to show up/down; that state is associated with Layer 1 issues like duplex mismatch.

C

A bad cable typically results in both interfaces showing down/down, not one up and the other up/down.

D

Late collisions are a consequence of duplex mismatch, not a root cause; adjusting collision window size is not a standard practice on modern switches.

1515
MCQ (hard)

Two switches are connected by a trunk. VLAN 50 exists on both switches, but hosts in VLAN 50 cannot communicate across the link. All other VLANs work. Based on the exhibit, what is the most likely cause?

A. VLAN 50 is not allowed on the trunk from SwitchA.
B. The native VLAN is mismatched.
C. 802.1Q cannot carry VLAN 50.
D. VLAN 50 must be configured as the native VLAN first.
Answer: A

This is correct because VLAN 50 is missing from SwitchA’s allowed list.

Why this answer

Option A is correct because VLAN 50 is missing from the allowed VLAN list on the trunk, which blocks only that VLAN while allowing others. Option B is incorrect: a native VLAN mismatch would affect the native VLAN (usually VLAN 1) or cause STP issues, not specifically VLAN 50. Option C is incorrect: 802.1Q encapsulation supports all VLANs from 1 to 4094, including VLAN 50.

Option D is incorrect: VLANs do not need to be the native VLAN to be transported over a trunk; any VLAN can traverse a trunk if it is allowed.

Exam trap

Ensure you differentiate between general trunk issues and VLAN-specific configurations. Don't confuse access port settings with trunk link issues.

Why the other options are wrong

B

This option is wrong because a native VLAN mismatch would typically affect all VLANs, not just VLAN 50. Since other VLANs are functioning correctly, it indicates that the native VLAN configuration is not the issue.

C

802.1Q is a standard that can carry VLANs up to 4096, including VLAN 50. Therefore, the issue of VLAN 50 not communicating is not due to the protocol's inability to carry it.

D

This option is wrong because VLAN 50 can exist on a trunk without being the native VLAN; it does not need to be configured as such to communicate across the trunk link.

1516
MCQ (hard)

A router has a default route and a specific route to 203.0.113.0/24. Which route is used for traffic to 203.0.113.25?

A. The specific route to 203.0.113.0/24
B. The default route
C. Both routes are always load-balanced
D. Neither route because defaults cannot coexist with specific routes
Answer: A

This is correct because it is more specific than the default route.

Why this answer

The specific route to 203.0.113.0/24 is used because it is a more specific match than the default route. In plain language, even though the default route could technically match almost anything, the router always prefers a route that more precisely describes the destination network. Since 203.0.113.25 is inside 203.0.113.0/24, that route wins under longest-prefix match.

This is one of the most basic routing-table interpretation rules. The default route remains important as a fallback, but it is not chosen when a more specific valid route exists.

Exam trap

Remember that the router always prefers the most specific route, not the default route, when a specific match is available.

Why the other options are wrong

B

The default route is used for traffic to destinations not explicitly defined in the routing table. Since there is a specific route to 203.0.113.0/24, that route will take precedence for traffic to 203.0.113.25.

C

This option is incorrect because routing protocols do not load-balance traffic between a specific route and a default route; the more specific route will always take precedence for matching traffic.

D

This option is wrong because default routes can coexist with specific routes; the router will prioritize the specific route to 203.0.113.0/24 for traffic to 203.0.113.25.

1517
PBQ (medium)

You are connected to SW1 via the console. SW1 is a Layer 2 switch connected to router R1 via trunk port G0/1. The trunk is currently using VLAN 1 as native VLAN, but the network administrator wants to change the native VLAN to VLAN 99 for security. Configure the trunk on G0/1 to use native VLAN 99 and verify.

Hints

  • The native VLAN is configured per trunk interface.
  • Use show interfaces trunk to see allowed VLANs and native VLAN.
A.
    SW1(config)# interface g0/1
    SW1(config-if)# switchport trunk native vlan 99
    SW1(config-if)# end
    SW1# show interfaces trunk

B.
    SW1(config)# interface g0/1
    SW1(config-if)# switchport trunk allowed vlan 99
    SW1(config-if)# end
    SW1# show vlan brief

C.
    SW1(config)# vlan 99
    SW1(config-vlan)# name Native
    SW1(config-vlan)# exit
    SW1(config)# interface g0/1
    SW1(config-if)# switchport mode trunk
    SW1(config-if)# switchport trunk native vlan 99
    SW1(config-if)# end
    SW1# show interfaces trunk

D.
    SW1(config)# interface g0/1
    SW1(config-if)# switchport trunk native vlan 99
    SW1(config-if)# end
    SW1# show vlan id 99

Answer: A

Solution:
! SW1
interface GigabitEthernet0/1
 switchport trunk native vlan 99

Why this answer

Changing the native VLAN on a trunk prevents VLAN hopping attacks. The native VLAN carries untagged traffic; here it is changed from default VLAN 1 to VLAN 99.

Exam trap

The exam trap is confusing the 'switchport trunk native vlan' command with 'switchport trunk allowed vlan' or thinking that you need to create the VLAN or re-enter trunk mode. Also, ensure you use the correct verification command: 'show interfaces trunk' shows native VLAN, not 'show vlan'.

Why the other options are wrong

B

The specific factual error is confusing the allowed VLAN list with the native VLAN configuration. The native VLAN is set with 'switchport trunk native vlan', not 'switchport trunk allowed vlan'.

C

The specific factual error is including extra steps that are not needed. The trunk already exists, so 'switchport mode trunk' is redundant. Creating VLAN 99 is also unnecessary if it already exists or is not required for the native VLAN change.

D

The specific factual error is using the wrong verification command. 'show interfaces trunk' is needed to see trunk parameters including native VLAN.

1518
MCQ (medium)

Refer to the exhibit. Users on the inside network can browse the web, but return traffic is failing for some sessions. A partial configuration shows:

    interface GigabitEthernet0/0
     ip address 192.168.10.1 255.255.255.0
     ip nat outside
    !
    interface GigabitEthernet0/1
     ip address 203.0.113.10 255.255.255.0
     ip nat inside
    !
    ip nat inside source list 1 interface GigabitEthernet0/1 overload
    access-list 1 permit 192.168.10.0 0.0.0.255

Based on this configuration, which change is required to make PAT work correctly?

A. Apply ip nat enable on both interfaces.
B. Replace overload with pool.
C. Swap the inside and outside NAT roles on the two interfaces.
D. Change access-list 1 to a standard ACL numbered 100.
Answer: C

This is correct because NAT depends on the router knowing which side is private and which side is public. The current configuration labels them the wrong way round. PAT with overload on the WAN interface is fine, but the interface roles must match the traffic direction.

Why this answer

The problem is that the router has the NAT directions backwards. In simple terms, the interface facing the private LAN should be marked as inside, and the interface facing the public or WAN side should be marked as outside. Here, GigabitEthernet0/0 uses the private address 192.168.10.1, but it is configured as outside. GigabitEthernet0/1 uses the public address 203.0.113.10, but it is configured as inside. That reverses the translation logic and breaks normal PAT behavior.

Technically, the command `ip nat inside source list 1 interface GigabitEthernet0/1 overload` is otherwise reasonable for dynamic PAT using the WAN interface address. The ACL also correctly identifies the inside local subnet. The essential fix is to mark G0/0 as `ip nat inside` and G0/1 as `ip nat outside`. Once the directions are corrected, PAT can create and track translations properly for outbound traffic and returning sessions.

Exam trap

A frequent exam trap is confusing the NAT inside and outside interface roles. Candidates may see the private IP on an interface and mistakenly assign it as 'ip nat outside' or vice versa. This reverses the translation direction, causing return traffic to fail despite correct ACLs and overload commands.

The trap exploits the assumption that 'inside' refers to the address the router presents to the Internet, or that the interface named in the 'ip nat inside source ... interface' command must be the inside interface. In fact 'inside' and 'outside' describe which side of the router a host sits on, so the roles follow the topology, not the addresses and not the interface that supplies the overload address.

Why the other options are wrong

A

Applying 'ip nat enable' on both interfaces is incorrect because the exhibit uses classic domain-based NAT, where 'ip nat inside' and 'ip nat outside' define the roles. 'ip nat enable' belongs to NAT Virtual Interface (NVI) mode, which pairs with 'ip nat source' (no inside/outside keyword) and does not combine with the 'ip nat inside source' command shown. The problem is not enabling NAT but assigning the correct directional roles to the interfaces.

B

Replacing 'overload' with a pool is unnecessary since PAT uses 'overload' to allow multiple inside hosts to share one outside IP. The issue is not the translation method but the reversed inside/outside interface roles.

D

Changing access-list 1 to a standard ACL numbered 100 does not address the core problem. ACL 1 is valid for identifying inside local addresses, and the failure is due to reversed NAT interface roles, not the ACL number.
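The corrected configuration, as an added example that is not part of the original question: the exhibit's commands with only the interface roles swapped, followed by the verification commands a practitioner would run. The interface descriptions are additions; everything else comes from the exhibit.

```cisco
! Added example, not part of the original question: the exhibit's
! configuration with the interface roles corrected and nothing else changed.
! Inside = the side where the private hosts sit (192.168.10.0/24);
! outside = the WAN side whose address (203.0.113.10) is shared by PAT.
interface GigabitEthernet0/0
 description LAN: inside local addresses
 ip address 192.168.10.1 255.255.255.0
 no ip nat outside
 ip nat inside
!
interface GigabitEthernet0/1
 description WAN: translations use this interface address
 ip address 203.0.113.10 255.255.255.0
 no ip nat inside
 ip nat outside
!
! Unchanged from the exhibit: ACL 1 selects which inside local addresses are
! translated, and 'overload' turns on port-level translation (PAT).
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/1 overload
end
! Verification (privileged EXEC). The first command lists which interfaces are
! inside and outside; after a LAN host browses, the second should show entries
! of the form 203.0.113.10:<port> mapped to 192.168.10.x:<port>. Clear stale
! entries created under the reversed configuration before re-testing.
show ip nat statistics
show ip nat translations
clear ip nat translation *
```

The keyword 'inside' in 'ip nat inside source' names the domain whose source addresses get translated as packets leave toward the outside domain; it says nothing about which interface is which. The interface-level 'ip nat inside' and 'ip nat outside' commands are the only place the router learns the direction, which is why swapping them is the whole fix.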

1519
Multi-Selectmedium

A network engineer needs a floating static route to back up an OSPF-learned route. Which two configurations are necessary for the static route to remain unused until OSPF fails?

Select 2 answers
A.Configure the static route with an administrative distance higher than 110
B.Point the static route toward a valid next-hop or exit interface
C.Set the static route metric lower than the OSPF cost
D.Configure the route as directly connected with no next-hop information
AnswersA, B

It must be less preferred than OSPF while OSPF is available.

Why this answer

A floating static route requires an administrative distance higher than OSPF's default of 110 (option A) so that it is less preferred and stays out of the routing table while OSPF supplies the route. It must also point to a valid next-hop address or exit interface (option B); a static route whose next hop cannot be resolved, or whose exit interface is down, is not installed and can never take over. Option C is wrong because IOS compares administrative distance before metric when the candidate routes come from different sources, so no metric value can override the AD difference.

Option D is wrong for two reasons. A static route with no next-hop information at all is not a valid command, and the exit-interface-only form ('ip route ... GigabitEthernet0/1') is still a static route with the default AD of 1, even though 'show ip route' displays it as 'directly connected'. Left at AD 1 it would be preferred over OSPF, which defeats the purpose of a floating backup.

Exam trap

A common mistake is assuming that lowering the static route's metric makes it preferred, but Cisco routers compare administrative distance before metric when routes originate from different sources.

Why the other options are wrong

C

Setting the static route metric lower than the OSPF cost is ineffective because Cisco routers compare administrative distance first across different routing sources.

D

Configuring the route with an exit interface only does not turn it into a connected route: it keeps the static default AD of 1 (only the routing-table display says 'directly connected'). At AD 1 it would be preferred over OSPF, the opposite of floating-static behaviour, so the AD must still be raised above 110, and a next hop or exit interface must still be given.

1520
PBQhard

You are connected to R1, a multilayer switch acting as the STP root for VLAN 10. Configure Root Guard on port GigabitEthernet0/1 (designated port) to protect against superior BPDUs from an unauthorized switch, Loop Guard on uplink GigabitEthernet0/2 to prevent forwarding loops on unidirectional links, and BPDU Guard on PortFast-enabled GigabitEthernet0/3 to shut down the port if a BPDU is received. After configuration, troubleshoot the scenario: a superior BPDU is received on G0/1, causing it to be blocked by Root Guard, and an unauthorized switch sends a BPDU to G0/3, placing it in err-disable state. Verify the final configuration and state.

Network Topology
R1 (multilayer switch, STP root): G0/1 to AccessSwitch, G0/2 to CoreSwitch, G0/3 to Server (diagram not reproduced)

Hints

  • Root Guard is configured with 'spanning-tree guard root' on the interface that should never become a non-designated port. It will block the port if a superior BPDU is received.
  • Loop Guard is enabled with 'spanning-tree guard loop' on interfaces where BPDU loss could cause a loop. It prevents the port from transitioning to forwarding if BPDUs stop.
  • BPDU Guard is configured with 'spanning-tree bpduguard enable' on PortFast ports. Any BPDU received will error-disable the port; by default recovery is manual ('shutdown' followed by 'no shutdown') unless 'errdisable recovery cause bpduguard' has been enabled.
A.[CORRECT] Root Guard on G0/1 is correctly configured; when a superior BPDU is received, the port is placed into a root-inconsistent state (BKN* in show spanning-tree) to prevent the switch from becoming root. Loop Guard on G0/2 prevents loops if BPDUs stop arriving due to a unidirectional link. BPDU Guard on G0/3, combined with PortFast, err-disables the port upon receiving any BPDU, as shown by the err-disabled status. To recover, the administrator must manually re-enable the interface after removing the offending device. No additional configuration is required; the existing commands are correct and produce the expected behavior.
B.Root Guard on G0/1 is incorrectly configured; it should be configured on the root port, not the designated port. Loop Guard on G0/2 is correctly configured. BPDU Guard on G0/3 is correctly configured, but the port should automatically recover from err-disable state after a timeout.
C.Root Guard on G0/1 is correctly configured. Loop Guard on G0/2 is incorrectly configured because Loop Guard should be applied to root ports, not uplink ports. BPDU Guard on G0/3 is correctly configured, but the port should be in a blocking state, not err-disabled.
D.Root Guard on G0/1 is correctly configured. Loop Guard on G0/2 is correctly configured. BPDU Guard on G0/3 is incorrectly configured because BPDU Guard should be applied to trunk ports, not access ports, and the port should be placed in a root-inconsistent state.
AnswerA
solution
! R1
interface GigabitEthernet0/1
spanning-tree guard root
interface GigabitEthernet0/2
spanning-tree guard loop
interface GigabitEthernet0/3
spanning-tree portfast
spanning-tree bpduguard enable

Why this answer

The scenario demonstrates three STP protection mechanisms. Root Guard on G0/1 is correctly configured; when a superior BPDU is received, the port is placed into a root-inconsistent state (BKN* in show spanning-tree) to prevent the switch from becoming root. Loop Guard on G0/2 prevents loops if BPDUs stop arriving due to a unidirectional link.

BPDU Guard on G0/3, combined with PortFast, err-disables the port upon receiving any BPDU, as shown by the err-disabled status. To recover, the administrator must manually re-enable the interface after removing the offending device. No additional configuration is required; the existing commands are correct and produce the expected behavior.

Exam trap

Watch out for confusion between Root Guard and BPDU Guard states: Root Guard causes root-inconsistent (BKN*), while BPDU Guard causes err-disable. Also, remember Root Guard is for designated ports, not root ports. Loop Guard acts on non-designated ports (root and alternate ports), so it is not limited to the root port; on a designated port it has no effect.

Why the other options are wrong

B

The specific factual error: Root Guard is applied to designated ports, not root ports. BPDU Guard does not auto-recover by default.

C

The specific factual error: Loop Guard is not restricted to root ports; it can be enabled on any port and takes effect on non-designated ports (root and alternate) where BPDUs are expected. BPDU Guard results in err-disable, not blocking.

D

The specific factual error: BPDU Guard is not limited to access ports; it works on any PortFast-enabled port. The state is err-disable, not root-inconsistent.
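Verification and recovery for the guards in the solution above, as an added example that is not part of the original question. The interface names come from the question; the errdisable recovery commands are an optional addition the question does not ask for.

```cisco
! Added example, not part of the original solution: checking what each guard
! did and recovering. Interface names are the ones from the question.
!
! Root Guard: G0/1 is held in the root-inconsistent state while the superior
! BPDU keeps arriving and recovers by itself once those BPDUs stop.
show spanning-tree inconsistentports
show spanning-tree interface GigabitEthernet0/1 detail
!
! BPDU Guard: G0/3 is err-disabled and stays that way; nothing clears it
! automatically unless errdisable recovery is turned on.
show interfaces status err-disabled
show errdisable recovery
!
! Manual recovery, only after the rogue switch has been unplugged from G0/3.
configure terminal
 interface GigabitEthernet0/3
  shutdown
  no shutdown
 exit
!
! Optional: let the switch retry the port on its own (default interval 300 s).
! Leave this off where a human should investigate before the port returns;
! with the rogue switch still attached the port just cycles in and out of
! err-disable every interval.
 errdisable recovery cause bpduguard
 errdisable recovery interval 300
end
!
! Loop Guard on G0/2 only becomes visible when BPDUs stop: the port moves to
! the loop-inconsistent state and appears in the inconsistentports list too.
```

The practical difference between the two failure states is who has to act: root-inconsistent and loop-inconsistent clear themselves when the BPDU situation returns to normal, whereas err-disable is sticky by design so that a rogue device cannot keep re-attaching itself silently.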

1521
MCQmedium

Exhibit: A host has address 192.168.14.77/27. Which address is its valid default gateway if the first usable address in the subnet is chosen for the router interface?

A.192.168.14.63
B.192.168.14.64
C.192.168.14.65
D.192.168.14.95
AnswerC

That is the first usable address in 192.168.14.64/27.

Why this answer

A /27 has a block size of 32. Address 192.168.14.77 falls in the 192.168.14.64/27 subnet, where the usable host range is 192.168.14.65 through 192.168.14.94. The first usable address is 192.168.14.65.

Exam trap

Be careful not to confuse network and broadcast addresses with usable host addresses when identifying a default gateway.

Why the other options are wrong

A

Option A (192.168.14.63) is wrong because it is the broadcast address of the previous subnet, 192.168.14.32/27 (.32 to .63). It is not in the host's subnet at all, let alone a usable address in it.

B

Option B, 192.168.14.64, is incorrect because it is the network address of 192.168.14.64/27 (all host bits zero). A network address cannot be assigned to a router interface, so it cannot be the default gateway.

D

Option D, 192.168.14.95, is incorrect because it is the broadcast address of 192.168.14.64/27 (all host bits one). It lies inside the subnet but is not a usable host address, so it cannot be a default gateway.

1522
MCQhard

A network administrator notices that a workstation connected to a Cisco switch port cannot communicate with other devices on the same VLAN. The switch port is up/up, but the workstation reports slow performance and intermittent connectivity. What is the most likely cause of this issue?

A.Replace the faulty Ethernet cable between the switch and the workstation.
B.A duplex mismatch between the switch port and the workstation.
C.Assign the switch port to the correct VLAN.
D.Disable spanning-tree on the port to prevent frequent topology changes.
AnswerB

In a duplex mismatch the full-duplex side transmits whenever it has data, while the half-duplex side treats those simultaneous transmissions as collisions. The result is late collisions, CRC and runt errors, and retransmissions: exactly the slow, intermittent behaviour described, on a port that stays up/up.

Why this answer

A duplex mismatch occurs when one end of the link is set to full-duplex and the other to half-duplex. The half-duplex end detects collisions and the full-duplex end does not, causing late collisions, CRC errors, and retransmissions. This results in slow performance and intermittent connectivity even though the port is operationally up.

Exam trap

Cisco often tests the concept that a link being up/up does not guarantee error-free communication, and candidates mistakenly focus on VLAN or cable issues instead of recognizing duplex mismatch as the cause of slow performance and intermittent connectivity.

Why the other options are wrong

A

A faulty cable usually shows up as a link that will not come up or that flaps; this port is steadily up/up, and the symptom pattern (working but slow, with intermittent drops) points to duplex rather than cabling.

C

A wrong VLAN assignment would block communication with the intended devices entirely rather than degrade it; here the workstation reaches the VLAN but suffers slow, intermittent connectivity.

D

The port is stable and not flapping, so STP topology changes are not in play. Disabling spanning tree on a port is never a troubleshooting fix; it removes loop protection without addressing the symptom.

1523
MCQmedium

A host address is 2001:db8:100:20::25/64. Which portion identifies the network prefix?

A.2001:db8:100
B.2001:db8:100:20
C.2001:db8:100:20::25
D.::25
AnswerB

Correct. Four hextets make up the /64 network prefix here.

Why this answer

With a /64 prefix, the first 64 bits identify the network. That corresponds to the first four hextets: 2001:db8:100:20.

Exam trap

Be careful with the '::' shorthand. It compresses one run of all-zero hextets, and in this address those zeros fall in the host portion; in other addresses (2001:db8::/32, for example) the compressed zeros can sit inside the prefix. Expand the address to all eight hextets before counting off the prefix bits.

Why the other options are wrong

A

Option A is incorrect because it only includes the first three hextets of the IPv6 address, which does not represent the complete network prefix as defined by the /64 subnet mask. The correct network prefix includes the first four hextets.

C

Option C is incorrect because it includes the full address, which encompasses both the network prefix and the host portion. The question specifically asks for the network prefix, which is only the first 64 bits of the address.

D

Option D, '::25', is incorrect because it represents the host portion of the IPv6 address, not the network prefix. The network prefix is determined by the first 64 bits, which in this case is '2001:db8:100:20'.

1524
Drag & Dropmedium

Drag and drop the following steps into the correct order to troubleshoot a link-down issue on a GigabitEthernet interface using an SFP transceiver.


Why this order

Troubleshooting begins by verifying the interface status and physical layer (steps 1-2). Next, you ensure the SFP is physically and logically recognized (step 3) before retrieving specific diagnostic data (step 4). Only after confirming the health of the transceiver do you take corrective action (step 5), because replacing hardware without diagnostics may waste resources.

1525
PBQhard

You are connected to R1 (a router acting as DHCP server) via the console. Configure R1 to provide DHCP addresses for VLAN 10 (192.168.10.0/24) on the switch SW1, which is connected via R1's G0/0. Exclude the first 10 addresses (192.168.10.1-10) and the last address (192.168.10.254). Set the default gateway to 192.168.10.1 and DNS server to 203.0.113.10. On SW1, enable DHCP snooping globally and for VLAN 10, configure G0/1 as trusted toward R1, and ensure the ip helper-address on the switch's VLAN 10 SVI points to R1's G0/0 IP. The current config has a wrong helper-address and an oversized excluded range; identify and fix all issues.

Network Topology
SW1 G0/1 to R1 G0/0 (10.0.0.1/30)

Hints

  • Check the excluded-address range on R1 — it might be too broad.
  • Verify the helper-address on SW1's VLAN 10 SVI — it should be the DHCP server's interface IP, not a different subnet.
  • DHCP snooping requires the uplink to the DHCP server to be configured as trusted.
A.On R1: ip dhcp excluded-address 192.168.10.1 192.168.10.10 and ip dhcp excluded-address 192.168.10.254; ip dhcp pool VLAN10: network 192.168.10.0 255.255.255.0, default-router 192.168.10.1, dns-server 203.0.113.10. On SW1: ip dhcp snooping, ip dhcp snooping vlan 10, interface G0/1: ip dhcp snooping trust, interface Vlan10: ip helper-address 10.0.0.1.
B.On R1: ip dhcp excluded-address 192.168.10.1 192.168.10.10; ip dhcp pool VLAN10: network 192.168.10.0 255.255.255.0, default-router 192.168.10.1, dns-server 203.0.113.10. On SW1: ip dhcp snooping, ip dhcp snooping vlan 10, interface G0/1: ip dhcp snooping trust, interface Vlan10: ip helper-address 192.168.10.1.
C.On R1: ip dhcp excluded-address 192.168.10.1 192.168.10.10; ip dhcp pool VLAN10: network 192.168.10.0 255.255.255.0, default-router 192.168.10.1, dns-server 203.0.113.10. On SW1: ip dhcp snooping, ip dhcp snooping vlan 10, interface Vlan10: ip helper-address 10.0.0.1.
D.On R1: ip dhcp excluded-address 192.168.10.1 192.168.10.254; ip dhcp pool VLAN10: network 192.168.10.0 255.255.255.0, default-router 192.168.10.1, dns-server 203.0.113.10. On SW1: ip dhcp snooping, ip dhcp snooping vlan 10, interface G0/1: ip dhcp snooping trust, interface Vlan10: ip helper-address 10.0.0.1.
AnswerA
solution
! R1
no ip dhcp excluded-address 192.168.10.1 192.168.10.254
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.10.254

! SW1
interface Vlan10
no ip helper-address 192.168.20.1
ip helper-address 10.0.0.1
exit
interface GigabitEthernet0/1
ip dhcp snooping trust

Why this answer

The DHCP server R1 had an excluded range that covered the entire subnet (192.168.10.1 through 192.168.10.254), preventing any addresses from being assigned. This was corrected by first removing that oversized exclusion, then setting the excluded range to 192.168.10.1 192.168.10.10 and adding 192.168.10.254 as a separate excluded address. On SW1, the ip helper-address pointed to 192.168.20.1 (wrong), which should be R1's G0/0 IP 10.0.0.1.

Also, DHCP snooping was enabled globally and for VLAN 10, but G0/1 (the link to R1) was not trusted, so server replies arriving on that port would be treated as rogue and dropped; it is now trusted. With these changes, DHCP requests from VLAN 10 are relayed to R1 and the replies are accepted from the correct interface. Option A lists only the target configuration; the working fix must also remove the original oversized exclusion first, as the solution above does.

Exam trap

A common trap is to add new exclusions without removing the old ones; Cisco IOS does not overwrite exclusions—it appends. You must explicitly remove the original oversized range or no addresses will be leased.

Why the other options are wrong

B

This option omits the `ip dhcp snooping trust` on G0/1 and uses the wrong helper-address: 192.168.10.1 is SW1's own SVI address (the clients' default gateway), not R1's interface IP 10.0.0.1, so the relay would be pointed at itself.

C

This option omits both the `ip dhcp snooping trust` on G0/1 and the separate exclusion for 192.168.10.254, so server replies are dropped and the last address is still leasable.

D

This option leaves the oversized excluded range (192.168.10.1 to 192.168.10.254) intact, which blocks all address assignments. Its helper-address (10.0.0.1) and the trust on G0/1 are correct, which is what makes it tempting; the exclusion alone is enough to rule it out.

1526
Matchingmedium

Match each WAN or edge concept to its most accurate description.


Concepts and matches

PPP: Point-to-point WAN encapsulation

PPPoE: PPP-style session behavior over Ethernet access

GRE: Tunneling mechanism across another network

eBGP: BGP between different autonomous systems

Why these pairings

These matches reflect foundational WAN and edge concepts: PPP is a Layer 2 point-to-point encapsulation used on serial links, PPPoE extends PPP’s authentication and session behavior to Ethernet-based access networks, GRE is a simple tunneling protocol that can encapsulate various protocols for transport across another network, and eBGP exchanges routing information between different autonomous systems, which is essential for internet connectivity.

Exam trap

Do not confuse PPPoE (which runs PPP over Ethernet) with plain PPP on serial WAN links, and remember that eBGP operates between autonomous systems, not within a single AS.

1527
Matchingmedium

Match each ACL-related term to its most accurate description.


Concepts and matches

Standard ACL: ACL type that primarily matches on source address

Extended ACL: ACL type that can match source, destination, and protocol details

Wildcard mask: Mask used to define which address bits must match

Implicit deny: Unstated deny that exists at the end of the ACL

Why these pairings

Standard ACLs use source IP only; extended ACLs use more criteria. Named ACLs use names; inbound/outbound specify direction. Implicit deny is the default deny-all at the end of any ACL.

Exam trap

Be careful not to confuse the types of ACLs: standard vs. extended. Also, remember that named ACLs are not a separate type; they are just an alternative naming method. Implicit deny is a behavior, not an ACL type.

1528
Multi-Selectmedium

Which four of the following are characteristics or functions of a stateless firewall, such as an extended access control list (ACL) on a Cisco router? (Choose four.)

Select 4 answers
A.It examines each packet individually without considering the state of a connection.
B.It can filter traffic based on source and destination IP addresses.
C.It can inspect the application-layer payload to detect malicious content.
D.It can filter traffic based on source and destination port numbers.
E.It automatically allows return traffic for established connections.
F.It uses an ordered list of permit or deny rules, processing packets in sequence until a match is found.
AnswersA, B, D, F

Why this answer

A stateless firewall, such as a Cisco extended ACL, processes each packet independently without tracking the state of a connection. It makes filtering decisions solely on static header fields such as source/destination IP addresses, protocol and port numbers, and applies its rules in sequence until the first match. That is why the options about per-packet inspection, IP and port filtering, and ordered rule processing are correct. Payload inspection and automatic handling of return traffic belong to stateful and application-aware firewalls; with a stateless ACL, return traffic must be permitted explicitly, and the 'established' keyword only checks TCP flag bits, it does not consult any session table.

Exam trap

Cisco often tests the misconception that stateless firewalls can automatically handle return traffic or inspect application data, leading candidates to confuse stateless ACLs with stateful firewalls or next-generation firewalls.
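What 'stateless' looks like in a real inbound ACL, as an added example that is not part of the original question. The topology is assumed: GigabitEthernet0/1 faces the Internet, the LAN is 192.168.10.0/24 and a published web server sits at 192.168.10.20.

```cisco
! Added example, not part of the original question: an inbound ACL on the
! Internet-facing interface of a router with no stateful inspection.
! Assumed: G0/1 = Internet side, LAN 192.168.10.0/24, web server 192.168.10.20.
ip access-list extended OUTSIDE-IN
 remark Evaluated top-down; the first matching line decides and processing stops.
 remark 1. Inbound connections we deliberately publish.
 permit tcp any host 192.168.10.20 eq 443
 remark 2. "Return traffic" for sessions the LAN opened. There is no session
 remark    table: 'established' only matches TCP segments with ACK or RST set,
 remark    so a crafted ACK-only probe from outside passes this line as well.
 permit tcp any 192.168.10.0 0.0.0.255 established
 remark 3. UDP carries no flags to match on, so DNS replies must be opened
 remark    by port number, which also admits unsolicited packets from port 53.
 permit udp any eq 53 192.168.10.0 0.0.0.255
 remark 4. Make the implicit deny visible; the deny exists even without this line.
 deny ip any any log
!
interface GigabitEthernet0/1
 ip access-group OUTSIDE-IN in
end
! Verification: per-line hit counters show which rule matched. There is no
! command to list "connections" because the router keeps no connection state.
show ip access-lists OUTSIDE-IN
```

Lines 2 and 3 are the honest cost of a stateless filter: each one is a permanent hole sized by header bits rather than by who started the conversation. A stateful firewall (zone-based firewall on IOS, or a dedicated appliance) replaces both with a single inspect rule and opens return paths per session.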

1529
MCQhard

A host on a guest WLAN can browse the Internet but cannot reach internal corporate resources, while employees on another SSID can. Which statement best explains why that can be a correct design outcome?

A.Because guest and employee WLANs can intentionally have different trust levels and access policies.
B.Because guest WLANs cannot use IP routing at all.
C.Because the guest WLAN is assigned to a different VLAN that uses a different IP subnet, and inter-VLAN routing is inherently disabled for security reasons.
D.Because the guest WLAN uses a different SSID that automatically triggers firewall rules that only permit HTTP/HTTPS traffic.
AnswerA

This is correct because guest isolation is often an intentional design goal.

Why this answer

The correct answer is A because guest wireless networks are intentionally isolated from corporate resources through separate trust levels and access policies. Option B is incorrect because guest WLANs can use IP routing, but routing policies restrict which destinations are reachable. Option C is incorrect because inter-VLAN routing is not inherently disabled; it is a design choice to restrict routing between VLANs.

Option D is incorrect because SSIDs themselves do not trigger firewall rules; it is the VLAN or group assignment that determines the applied policy.

Exam trap

A frequent exam trap is to interpret guest WLAN isolation as a misconfiguration, rather than an intentional policy enforcement. Candidates may also incorrectly attribute the restriction to technical limitations like routing being inherently disabled or SSIDs triggering firewall rules.

Why the other options are wrong

B

Guest WLANs can use IP routing; they are just restricted by policy.

C

Inter-VLAN routing is not inherently disabled; it is a configurable policy.

D

SSIDs do not automatically trigger firewall rules; the assigned VLAN determines the policy.

1530
MCQmedium

Exhibit: A branch router receives time from an NTP server, but the show output marks the server with a tilde instead of an asterisk. What does that mean?

A.That server is the current system clock source
B.The server is reachable but not the one currently selected for synchronization
C.NTP authentication has disabled the server permanently
D.The router is acting as an NTP master for that server
AnswerB

It is seen by the router, but it is not the chosen source.

Why this answer

In Cisco 'show ntp associations' output, the asterisk (*) marks the peer the router is currently synchronized to, the plus sign (+) marks a peer that survived selection but is not the system peer (the exact legend wording varies between IOS releases), and the tilde (~) marks an association that was statically configured with 'ntp server' or 'ntp peer' rather than learned dynamically. A tilde without an asterisk therefore means the server was configured manually and is being polled, but has not been selected as the synchronization source. Whether it actually answers is shown by the 'reach' column, not by the symbol.

Therefore, the router is not using that server as its active time source.

Exam trap

Be careful not to confuse the tilde (~) with the asterisk (*) or other symbols that indicate different statuses in NTP output.

Why the other options are wrong

A

In NTP, an asterisk (*) indicates the selected time source, while a tilde (~) means the server is reachable but not selected. Option A describes the asterisk, not the tilde.

C

A tilde (~) only says the association is statically configured; there is no legend symbol meaning 'permanently disabled by authentication'. A server whose packets fail authentication is still listed if it is configured, but its reach count stays at 0 and it is never selected as the synchronization source.

D

In the context of NTP, a tilde (~) indicates the server is reachable but not selected as the synchronization source. The router acting as an NTP master would be indicated by the 'master' command or stratum level, not by the tilde symbol.

1531
MCQhard

Clients can join the Guest SSID and authenticate successfully, but they never receive an IP address. The DHCP scope for the guest network exists on the server. Based on the exhibit, what is the most likely cause?

A.The AP trunk is not allowing VLAN 300.
B.The DHCP server must use TCP instead of UDP.
C.The SSID name must match the DHCP pool name.
D.The AP should be configured as an access port for VLAN 1.
AnswerA

That prevents guest client traffic from reaching the proper VLAN.

Why this answer

The Guest SSID is mapped to VLAN 300, but the switch trunk toward the AP allows only VLANs 10,20,30. Client traffic for the guest WLAN never reaches the correct VLAN upstream, so DHCP requests for that WLAN fail. Authentication can still succeed depending on how the WLAN is designed.

Exam trap

A common exam trap is to incorrectly assume that DHCP issues stem from the DHCP server configuration or protocol errors, such as believing DHCP must use TCP instead of UDP. Another tempting mistake is thinking the SSID name must match the DHCP pool name, which is false because DHCP scopes are based on VLAN subnets, not SSID naming. Additionally, some candidates mistakenly configure the access point port as an access port on VLAN 1, which prevents multiple VLANs from passing and breaks guest VLAN connectivity.

These traps distract from the core issue of VLAN trunk misconfiguration preventing DHCP traffic.

Why the other options are wrong

B

Incorrect. DHCP runs over UDP (server port 67, client port 68) by definition; there is no TCP option to configure. The failure here is that guest traffic never reaches VLAN 300, not the transport protocol, which is also why authentication can still succeed.

C

Incorrect. DHCP scopes are tied to VLAN subnets, not SSID names. The SSID name does not need to match the DHCP pool name for clients to receive IP addresses.

D

Incorrect. Configuring the AP port as an access port on VLAN 1 restricts traffic to a single VLAN. Since multiple SSIDs typically map to different VLANs, the port must be a trunk to carry all VLANs, including VLAN 300 for the guest SSID.
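The trunk fix on the AP-facing switch port, as an added example that is not part of the original exhibit. The port name, the guest VLAN name and the native VLAN value are assumptions; the allowed list 10,20,30 and the guest VLAN 300 come from the explanation.

```cisco
! Added example, not from the original exhibit: adding the guest VLAN to the
! AP-facing trunk. Assumed names: the AP hangs off GigabitEthernet1/0/5, the
! guest WLAN maps to VLAN 300 and the trunk currently allows 10,20,30.
! VLAN 99 as the native VLAN is an assumption as well.
vlan 300
 name GUEST
vlan 99
 name AP-NATIVE
!
interface GigabitEthernet1/0/5
 description AP uplink
 switchport mode trunk
 ! 'add' keeps 10,20,30 on the trunk. A bare
 ! 'switchport trunk allowed vlan 300' REPLACES the list and would take the
 ! employee SSIDs down as well.
 switchport trunk allowed vlan add 300
 ! The AP's own untagged traffic lands in the native VLAN; keep that a
 ! dedicated VLAN rather than a user or guest VLAN.
 switchport trunk native vlan 99
end
! Verification: 300 must appear both under "Vlans allowed on trunk" and under
! "Vlans allowed and active in management domain"; if it is missing from the
! second list, the VLAN does not exist on this switch and must be created.
show interfaces GigabitEthernet1/0/5 trunk
show vlan id 300
```

A second trap in the same spot is the native VLAN: guest and employee SSIDs are tagged, but the AP itself talks untagged on the native VLAN, so mapping a user SSID to the native VLAN quietly merges tagged and untagged traffic into one broadcast domain.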

1532
MCQmedium

A company wants private IPv4 addressing that can be routed internally but not on the public Internet. Which range meets that requirement?

A.198.51.100.0/24
B.172.20.0.0/16
C.169.254.0.0/16
D.224.0.0.0/4
AnswerB

Correct. It falls within the private 172.16.0.0/12 block.

Why this answer

RFC 1918 defines private IPv4 ranges for internal routing: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. 172.20.0.0/16 falls within the 172.16.0.0/12 block, making it a valid private address. 198.51.100.0/24 is reserved for documentation (TEST-NET-2) and should not be used internally. 169.254.0.0/16 is link-local (APIPA), used only for automatic addressing on a single link. 224.0.0.0/4 is multicast, not routable as unicast and not private.

Exam trap

Be careful not to confuse reserved IP ranges for documentation or link-local use with private IP ranges.

Why the other options are wrong

A

198.51.100.0/24 is a documentation range (TEST-NET-2), not private or internally routable.

C

169.254.0.0/16 is link-local (APIPA), used only for automatic configuration on a single network segment, not for internal routing.

D

224.0.0.0/4 is reserved for multicast traffic and cannot be used as a private unicast range.

1533
MCQhard

A network administrator has configured 802.1X port-based authentication on a Cisco IOS-XE switch port connected to a single PC. The port is in the 'authorized' state, but the PC cannot reach any network resources beyond its directly connected switch. The switch is configured to use RADIUS for authentication. What is the most likely cause of this issue?

A.The switchport is in access mode and not trunking, so the PC cannot reach other VLANs.
B.The RADIUS server is not returning a VLAN assignment, so the port remains in the default VLAN, but the PC needs to be in a different VLAN to reach resources.
C.The switch is not configured with 'aaa new-model' and therefore AAA is not enabled.
D.The PC is not configured for 802.1X supplicant, so it cannot authenticate properly.
AnswerB

The 'show authentication sessions' output does not show a VLAN assigned, meaning the RADIUS server did not include the VLAN attribute. The switch uses the configured access VLAN (10) by default. If the PC needs to be in a different VLAN to reach resources, this is the root cause.

Why this answer

The RADIUS server can return a VLAN assignment in the Access-Accept message using the tunnel attributes: Tunnel-Type (64) set to VLAN, Tunnel-Medium-Type (65) set to 802, and Tunnel-Private-Group-ID (81) carrying the VLAN ID or name. If the server does not send them, the port stays in its statically configured access VLAN (VLAN 10 in the exhibit). If the PC needs to be in a different VLAN to reach network resources, it remains isolated even though 802.1X authentication succeeded and the port shows as authorized.

Exam trap

Cisco often tests the distinction between authentication success and post-authentication authorization, tricking candidates into thinking that a successful 802.1X authentication automatically grants full network access, when in fact the RADIUS server must also return the correct VLAN assignment.

Why the other options are wrong

A

Access mode is correct for a single PC; trunking is not needed for basic connectivity.

C

AAA is functioning, as evidenced by the successful RADIUS authentication; without 'aaa new-model' the dot1x method lists could not be configured and the port could never have reached the authorized state.

D

The port status is 'Authorized', indicating successful authentication.

1534
Matchingmedium

Drag and drop the items on the left to the correct descriptions on the right.


Concepts and matches

show interface transceiver: Displays optical transceiver diagnostic information including temperature and Tx/Rx power

show controllers ethernet-controller phy: Shows Ethernet physical layer diagnostics such as cable length, MDI/MDIX, and pair status

SFP-10G-SR: 10 Gigabit Ethernet short-reach multimode fiber transceiver for 850 nm up to 300 m

Cat6a: Copper twisted-pair cabling standard supporting 10GBASE-T up to 100 meters

LC connector: Small form-factor duplex fiber optic connector used with SFP/SFP+ modules

Why these pairings

show interface transceiver outputs Digital Optical Monitoring (DOM) data such as temperature, voltage, and Tx/Rx power for installed transceivers. show controllers ethernet-controller phy displays physical layer diagnostics including cable length estimates, MDI/MDI-X status, pair swaps, and link quality counters. SFP-10G-SR is a multimode fiber transceiver supporting 10 Gigabit Ethernet at 850nm over distances up to 300 meters. Cat6a is enhanced copper twisted-pair cabling rated for 10GBASE-T up to 100 meters with improved alien crosstalk performance.

LC connectors are the small form-factor duplex fiber connectors commonly used with SFP and SFP+ optical modules.

1535
MCQmedium

Exhibit: R1 has learned 10.50.0.0/24 through OSPF and also has a floating static route to the same prefix with administrative distance 130. Which route is installed while OSPF is healthy?

A.The static route because static routes always win over dynamic routes
B.The OSPF route because its administrative distance is lower than the floating static route
C.Both routes because the prefix length matches
D.Neither route until equal-cost load balancing is configured
AnswerB

OSPF AD 110 beats the floating static AD 130.

Why this answer

A floating static route is meant to stay out of the table until the preferred route disappears. OSPF has administrative distance 110, which is lower than the static route AD 130, so the OSPF route is installed while the OSPF path is still present.

Exam trap

Remember that administrative distance determines route preference. A lower value means higher preference.

Why the other options are wrong

A

This option is incorrect because static routes do not always win over dynamic routes; the route with the lowest administrative distance is preferred. In this case, OSPF has a lower administrative distance (110) than the floating static route (130).

C

This option is incorrect because routes to the same prefix learned from different sources are not installed side by side; the router keeps the one with the lowest administrative distance. Multiple entries for one prefix appear only for equal-cost paths from the same protocol. Here OSPF (AD 110) beats the floating static (AD 130), so only the OSPF route is installed.

D

This option is incorrect because OSPF is healthy and has a lower administrative distance than the floating static route, meaning the OSPF route will be preferred and installed in the routing table.

1536
MCQeasy

Why is Telnet generally discouraged for network device administration?

A.It cannot cross routed networks
B.It sends credentials and commands in clear text
C.It supports only local usernames
D.It works only from the console port
AnswerB

Correct. Lack of encryption is the key weakness.

Why this answer

Telnet sends all data, including credentials and commands, in clear text, making it vulnerable to eavesdropping. Option A is wrong because Telnet can traverse routed networks using TCP port 23. Option C is incorrect because Telnet can use local usernames as well as external AAA servers.

Option D is false because Telnet works over network interfaces, not exclusively from the console port.

Exam trap

Don't confuse protocol support or bandwidth usage with security features. Focus on encryption and data protection.

Why the other options are wrong

A

Telnet can cross routed networks because it operates at the application layer over TCP/IP.

C

Telnet supports both local usernames and external authentication via AAA servers like RADIUS or TACACS+.

D

Telnet connects via a virtual terminal line (VTY) over the network, not solely from the console port.

1537
PBQhard

You are connected to R1 via the console. R1's GigabitEthernet0/0 (192.168.1.1/24) connects to the management network, and GigabitEthernet0/1 (10.0.0.1/30) connects to the core. You need to restrict SSH access to R1 from only the management subnet 192.168.1.0/24. Additionally, SSH should be configured with a domain name 'example.com' and a modulus of 2048 bits. The username 'admin' with password 'Cisco123' should be created for SSH login.

Hints

  • Generate RSA keys after setting domain name.
  • Use an access-class on the VTY lines to restrict source IP.
  • Disable telnet by specifying only ssh transport.
A.ip access-list standard MGMT permit 192.168.1.0 0.0.0.255 line vty 0 4 access-class MGMT in transport input ssh login local username admin secret Cisco123 ip domain-name example.com crypto key generate rsa modulus 2048
B.ip access-list standard MGMT permit 192.168.1.0 0.0.0.255 line vty 0 4 access-class MGMT out transport input ssh login local username admin secret Cisco123 ip domain-name example.com crypto key generate rsa modulus 2048
C.ip access-list standard MGMT permit 192.168.1.0 0.0.0.255 line vty 0 4 access-class MGMT in transport input telnet ssh login local username admin secret Cisco123 ip domain-name example.com crypto key generate rsa modulus 2048
D.ip access-list standard MGMT permit 192.168.1.0 0.0.0.255 line vty 0 4 access-class MGMT in transport input ssh login local username admin password Cisco123 ip domain-name example.com crypto key generate rsa modulus 2048
AnswerA
solution
! R1
! The domain name must exist before the RSA key pair can be generated
ip domain-name example.com
crypto key generate rsa modulus 2048
! Local account used by 'login local' on the VTY lines
username admin secret Cisco123
! Numbered ACL 10 is equivalent to the named ACL MGMT in option A
access-list 10 permit 192.168.1.0 0.0.0.255
line vty 0 4
access-class 10 in
transport input ssh
login local

Why this answer

SSH requires RSA keys for encryption. The access-class applies an ACL to incoming VTY connections, allowing only the management subnet. Setting 'transport input ssh' disables less secure protocols like Telnet.

Exam trap

Pay attention to the direction of access-class (in vs out), the transport input setting (ssh only vs telnet ssh), and the use of 'secret' vs 'password' for the username command. These are common traps in CCNA exams.

Why the other options are wrong

B

The access-class must be applied 'in' to restrict incoming SSH sessions; 'out' controls traffic initiated from the router.

C

The transport input command should be 'ssh' only to disable Telnet.

D

The 'secret' keyword should be used for secure password storage; 'password' is less secure.

1538
PBQhard

You are troubleshooting DNS resolution issues from R1. Using nslookup and dig commands, diagnose why the router cannot resolve the hostname 'fileserver.courseiva.com' to an IP address, and why reverse lookup for IP address 198.51.100.10 fails. Determine the appropriate fix to ensure successful forward and reverse DNS resolution.

Network Topology
R1 G0/0 (10.0.0.1/30) <link> DNS Server (203.0.113.1)

Hints

  • The DNS server returns NXDOMAIN for both queries, indicating missing records on the server.
  • Use 'nslookup' to test forward lookup and 'nslookup <ip>' for reverse lookup.
  • The router's DNS configuration is correct; the fault lies in the DNS server's zone data.
A.Add an A record for 'fileserver.courseiva.com' pointing to 198.51.100.10 and a PTR record for 198.51.100.10 pointing to 'fileserver.courseiva.com' on the DNS server.
B.Configure the 'ip host' command on R1 to statically map 'fileserver.courseiva.com' to 198.51.100.10.
C.Enable 'ip domain-lookup' and configure the correct DNS server IP on R1 using 'ip name-server 203.0.113.1'.
D.Add only an A record for 'fileserver.courseiva.com' on the DNS server.
AnswerA
solution
! R1
! No configuration changes are needed on R1; the DNS server must be updated.
! Add A record: fileserver.courseiva.com -> 198.51.100.10
! Add PTR record: 198.51.100.10 -> fileserver.courseiva.com

Why this answer

The DNS resolution failures are due to two issues: the A record for 'fileserver.courseiva.com' does not exist on the DNS server (NXDOMAIN response), and the PTR record for reverse lookup of 198.51.100.10 is missing. To resolve the forward lookup, you must add an A record mapping the hostname to an IP address on the DNS server (e.g., 198.51.100.10). For the reverse lookup, you need to add a PTR record mapping the IP address 198.51.100.10 to the hostname.

On R1, the DNS configuration is correct (ip domain-lookup enabled, name-server 203.0.113.1), but the DNS server lacks the necessary records. The solution involves configuring the DNS server (not R1) to add the missing records. On R1, ensure that the DNS server is reachable and that the domain lookup is enabled; no additional CLI changes are required on the router.

Exam trap

Cisco exams often test the distinction between DNS client configuration on the router and DNS server records. Do not assume that DNS issues are always due to router misconfiguration; verify the DNS server's records first.

Why the other options are wrong

B

The 'ip host' command creates a static host table entry on the router, bypassing DNS. It does not fix reverse lookup and is not the intended solution for missing DNS records.

C

The problem is not with R1's DNS client configuration but with missing records on the DNS server. Repeating correct configuration does not resolve the missing records.

D

Reverse lookup requires a PTR record. Without it, the reverse query for 198.51.100.10 will still fail.

1539
PBQmedium

You are connected to SW1 via the console. The network uses VLANs 10 (Sales) and 20 (Engineering). A new switch SW2 is connected to SW1 via G0/1. You need to enable CDP to discover neighbor devices and verify that SW1 sees SW2. Currently, CDP is disabled globally.

Network Topology
SW1 G0/1 <link> G0/1 SW2

Hints

  • CDP is a Cisco proprietary protocol.
  • The command to enable it globally is straightforward.
  • After enabling, wait a few seconds for neighbor discovery.
A.Enable CDP globally with 'cdp run' and verify with 'show cdp neighbors'.
B.Enable CDP on interface G0/1 with 'cdp enable' and verify with 'show cdp neighbors'.
C.Enable CDP globally with 'cdp run' and verify with 'show cdp interface'.
D.Enable CDP globally with 'cdp enable' and verify with 'show cdp neighbors'.
AnswerA
solution
! SW1
cdp run

Why this answer

CDP is disabled globally with 'no cdp run'. Re-enabling with 'cdp run' allows SW1 to discover directly connected Cisco devices, including SW2. Option B is incorrect because interface-level 'cdp enable' requires CDP to already be enabled globally; since CDP is globally disabled, this command has no effect.

Option C is incorrect because 'show cdp interface' displays CDP parameters per interface, not the neighbor table; you need 'show cdp neighbors' to see discovered devices. Option D is incorrect because 'cdp enable' is not a valid global command; the correct global command is 'cdp run'.

Exam trap

Remember that CDP has both global and interface-level configuration. If CDP is disabled globally, interface-level commands have no effect. Always use 'cdp run' to enable globally and 'show cdp neighbors' to see neighbors.

Why the other options are wrong

B

Interface-level 'cdp enable' requires CDP to be enabled globally first; with global CDP disabled, this command is ineffective.

C

'show cdp interface' shows CDP status and counters on interfaces, not the list of neighboring devices; use 'show cdp neighbors' to see neighbors.

D

'cdp enable' is an interface command, not a global command; the global command to enable CDP is 'cdp run'.

1540
Drag & Dropmedium

Drag and drop the following steps into the correct order to retrieve the current OSPF configuration via RESTCONF and apply a change to the OSPF process ID on a Cisco IOS-XE device.


Why this order

First, send a GET request to retrieve the current OSPF configuration. Then parse the JSON/XML payload to identify the OSPF process ID. Next, modify the OSPF process ID in the payload.

Finally, send a PUT or PATCH request to apply the change.

Exam trap

Do not assume that modification or update is the first step. RESTCONF operations require a read-modify-write sequence. Always start with a GET to retrieve the current configuration.

1541
Multi-Selectmedium

Which three of the following are characteristics of Layer 2 Ethernet switches that support VLANs? (Choose three.)

Select 3 answers
• They forward frames based on the destination MAC address.
• They can segment a LAN into multiple broadcast domains.
• They use ARP to resolve IP addresses to MAC addresses.
• They use the Spanning Tree Protocol to prevent Layer 2 loops.
• They perform routing between VLANs without a router.
• They forward frames based on the destination IP address.

Why this answer

Layer 2 Ethernet switches that support VLANs forward frames based on the destination MAC address, which is the fundamental switching decision. They can segment a LAN into multiple broadcast domains because each VLAN creates its own isolated broadcast domain, preventing unnecessary traffic propagation. They use the Spanning Tree Protocol (STP) to prevent Layer 2 loops by dynamically blocking redundant paths, ensuring a loop-free topology.

Exam trap

Cisco often tests the misconception that switches use ARP or that VLANs segment collision domains, when in fact VLANs segment broadcast domains and switches forward based on MAC addresses, not IP addresses.

1542
MCQhard

A branch office uses PAT for user Internet access. The administrator notices that inside users can browse out, but an internal server still cannot be reached consistently from outside. Which change is most appropriate?

A.Add a static NAT mapping for the server while leaving PAT in place for user traffic.
B.Replace PAT with DHCP relay.
C.Disable NAT entirely because PAT is preventing inbound routing.
D.Put the server in the native VLAN.
AnswerA

This is correct because static NAT provides the server with a stable public identity.

Why this answer

The most appropriate change is to add a static NAT mapping for the internal server while keeping PAT for ordinary user traffic. In practical terms, PAT solves the many-users-outbound problem by allowing shared use of a public address. But an inbound-published server needs a stable, predictable public identity. That requirement is different from the requirement for user browsing.

This is a common NAT design distinction. PAT and static NAT can coexist because they solve different problems. The best answer is the one that preserves PAT for users while giving the server a fixed public translation.

Exam trap

A frequent exam trap is to confuse the role of PAT and static NAT, leading to the incorrect assumption that disabling NAT or changing VLANs will fix inbound server reachability. Disabling NAT entirely stops all address translation, breaking Internet access for all internal hosts. Changing VLANs, such as moving a server to the native VLAN, does not affect NAT or public accessibility.

Another trap is to replace PAT with unrelated features like DHCP relay, which does not influence NAT or inbound connections. Understanding that static NAT is required for stable inbound access while PAT supports outbound user traffic avoids these mistakes.

Why the other options are wrong

B

Incorrect because DHCP relay is unrelated to NAT or inbound server reachability; it only forwards DHCP messages across subnets and does not solve NAT issues.

C

Incorrect because disabling NAT removes all address translation, preventing private IP addresses from reaching the Internet and breaking outbound connectivity for users.

D

Incorrect because placing the server in the native VLAN affects Layer 2 segmentation but does not provide a public IP address or influence NAT behavior for inbound access.

1543
PBQhard

You are connected to R1. R1, R2, and R3 are connected via serial links as shown. Configure single-area OSPFv2 on all three routers so that all interfaces in the 10.0.0.0/8 range participate in OSPF area 0, except the loopback interfaces. Currently R1 cannot form OSPF adjacencies with R2 and R3. Examine the running-config of R1 below and determine the corrective actions needed.

Network Topology
R1 Se0/0/0 (10.0.1.1/30) <link> Se0/0/0 (10.0.1.2/30) R2; R1 Se0/0/1 (10.0.2.1/30) <link> Se0/0/0 (10.0.2.2/30) R3

Hints

  • Check the passive-interface configuration under router ospf.
  • Verify hello and dead timers on serial interfaces.
  • Use show ip ospf interface serial0/0/0 to see timer values.
A.Remove the passive-interface configuration from GigabitEthernet0/0, Serial0/0/0, and Serial0/0/1, and adjust the hello timer on Serial0/0/0 to 30 seconds.
B.Change the OSPF network type on all interfaces to point-to-point and increase the dead timer to 120 seconds.
C.Add the network 10.0.0.0 0.255.255.255 area 0 command under router ospf and enable OSPF on all interfaces.
D.Configure the loopback interfaces with the ip ospf network point-to-point command to ensure they participate in OSPF.
AnswerA
solution
! R1
configure terminal
router ospf 1
no passive-interface GigabitEthernet0/0
no passive-interface Serial0/0/0
no passive-interface Serial0/0/1
interface Serial0/0/0
ip ospf hello-interval 30
ip ospf dead-interval 120
end

Why this answer

R1 has passive-interface configured on all active interfaces (G0/0, Se0/0/0, Se0/0/1), which prevents OSPF hello packets from being sent and stops adjacencies from forming. Additionally, the hello timer on Serial0/0/0 is mismatched (default 10 vs. required 30). To resolve the adjacency issues while keeping loopback interfaces inactive, the passive-interface command must be removed from only the necessary interfaces and the hello timer on Se0/0/0 must be set to 30 seconds.

Exam trap

This question tests your ability to identify two common OSPF adjacency issues: passive interfaces and hello/dead timer mismatches. Many candidates focus only on one issue and miss the other. Always check both the passive-interface configuration and timer values when troubleshooting OSPF adjacencies.

Why the other options are wrong

B

Changing the OSPF network type is unnecessary here and does nothing to fix the passive-interface or timer mismatch problems, which are the actual causes of the failed adjacencies.

C

The network 10.0.0.0 0.255.255.255 area 0 command is already configured, so adding it again changes nothing; the interfaces are covered by OSPF but remain passive.

D

The loopback interfaces are intentionally excluded from OSPF, so forcing them to participate is not required and would contradict the stated requirement.

1544
MCQmedium

A network team wants all devices to timestamp logs consistently so event correlation works across routers, switches, and firewalls. Which service should they configure first?

A.DNS
B.DHCP
C.NTP
D.TFTP
AnswerC

NTP synchronizes time across devices.

Why this answer

NTP provides consistent time across the infrastructure. Syslog carries log messages, but if device clocks are wrong, the log entries will still be hard to correlate. Accurate time is a foundational service for troubleshooting and forensics.

Exam trap

A common exam trap is selecting DHCP or DNS as the service to synchronize device clocks. DHCP only assigns IP addresses and related network parameters, while DNS resolves domain names to IP addresses; neither service manages time synchronization. Another tempting but incorrect choice is TFTP, which is used for transferring files such as configurations or IOS images, not for time services.

Candidates might confuse the need for consistent network services with time synchronization, but only NTP provides the accurate, network-wide clock synchronization required for consistent log timestamps. Misunderstanding this leads to incorrect answers and potential operational issues in real networks.

Why the other options are wrong

A

DNS is responsible for resolving domain names to IP addresses and does not provide any mechanism for synchronizing device clocks or timestamps.

B

DHCP dynamically assigns IP addresses and other network configuration parameters to clients but does not handle time synchronization or timestamp consistency.

D

TFTP is a simple file transfer protocol used for transferring configuration files or IOS images but does not provide time synchronization services.

1545
MCQhard

Why is shutting down unused switch ports considered a useful hardening measure?

A.Because it removes unused active connection points and reduces attack surface.
B.Because it converts all other ports into trunks.
C.Because it replaces VLAN segmentation.
D.Because it forces devices to use SSH.
AnswerA

This is correct because unused enabled ports are avoidable exposure points.

Why this answer

Shutting down unused switch ports reduces attack surface by removing unnecessary active connection points. This is a simple but effective control because an unauthorized device plugged into a shut-down port gets no link at all, so physical access to the port no longer yields network access. Option B is incorrect because disabling a port does not change its mode to trunk; trunking is a separate configuration.

Option C is incorrect because shutting down ports does not replace VLAN segmentation; VLANs provide logical separation, while port shutdown is a physical access control. Option D is incorrect because shutting down ports does not force devices to use SSH; SSH is an application-layer protocol for secure remote management, unrelated to port shutdown.

Exam trap

Don't confuse port security measures with performance improvements or unrelated security features like VLAN isolation.

Why the other options are wrong

B

Disabling a port does not convert it into a trunk; trunking is a separate configuration for carrying multiple VLANs.

C

Shutting down ports does not replace VLAN segmentation; VLANs provide logical separation, while port shutdown is a physical access control.

D

Shutting down ports does not force devices to use SSH; SSH is a management protocol unrelated to port state.

1546
Matchingeasy

Match each security concept to its description.

Matches

Verifies identity

Determines permitted actions

Records activity

Grants only required access

Why these pairings

Authentication is the process of verifying that the user or device is who they claim to be, which matches 'Verifies identity'. Authorization determines what actions an authenticated entity is allowed to perform, matching 'Determines permitted actions'. Accounting tracks and records the activities of authenticated users, corresponding to 'Records activity'.

Least privilege grants only the minimum access needed for a task, aligning with 'Grants only required access'. These are foundational security principles for access control.

Exam trap

Do not confuse AAA with other security features that have 'access' or 'security' in their names. AAA is specifically about user authentication, authorization, and accounting, not about filtering traffic or preventing specific attacks.

1547
Multi-Selectmedium

Select the options that correctly pair the security principle or control with its meaning.

Select 2 answers
A.Confidentiality ensures that data is accessible only to authorized users.
B.Integrity ensures that data is always available when needed.
C.Non-repudiation ensures that a user cannot deny having performed an action.
D.Authorization verifies the identity of a user or device.
AnswersA, C

Confidentiality is the principle of preventing unauthorized access to information, ensuring that only those with proper permissions can view or read data.

Why this answer

Confidentiality ensures data is accessible only to authorized users; integrity ensures data accuracy and trustworthiness (not availability); non-repudiation ensures accountability by preventing denial of actions; authorization grants permissions (not identity verification, which is authentication). Option B is wrong because integrity is about data correctness, not availability. Option D is wrong because authorization determines permissions, while authentication verifies identity.

Exam trap

Be careful not to confuse integrity with availability, and authorization with authentication. Remember: integrity = data accuracy, availability = data accessible; authentication = who you are, authorization = what you can do.

Why the other options are wrong

B

Integrity ensures data accuracy and trustworthiness, not availability; availability is a separate principle.

D

Authorization grants permissions to resources; identity verification is the role of authentication.

1548
Matchingmedium

Drag and drop the STP port roles on the left to their descriptions on the right.

Matches

Port on a non-root switch with the best path to the root bridge

Port on a segment that forwards traffic and has the best path to the root bridge

Blocked port that provides a backup path to the root bridge

Blocked port that provides a redundant connection to the same segment

Port that is administratively shut down or not participating in STP

Why these pairings

In STP/RSTP, root ports provide the best path to the root bridge; designated ports are the forwarding ports on each segment; alternate ports back up root ports; backup ports back up designated ports; alternate and backup ports stay blocked to prevent loops; disabled ports are shut down or otherwise not participating in STP.

Exam trap

Be careful not to confuse alternate ports (backup for root port) with backup ports (backup for designated port). Also, remember that designated ports are the only forwarding ports on a segment, not backup ports.

1549
MCQhard

Refer to the exhibit. A network engineer is troubleshooting a serial link between two routers that is not coming up. The engineer issues the show controllers command on one router and sees the output shown. What is the most likely cause of the issue?

A.The clock rate command is missing on the DCE serial interface.
B.The serial cable type is incorrectly identified.
C.The encapsulation mismatch is causing the line protocol to stay down.
D.The serial interface is administratively shut down.
AnswerA

The show controllers output clearly states “DCE V.35, no clock rate” and “no clock rate configured,” confirming that the DCE side lacks the required clock rate. Without it, the serial interface cannot bring the line protocol up.

Why this answer

The 'show controllers' output indicates the router is the DCE (Data Communications Equipment) on the serial link, but no clock rate has been configured. For a serial interface to come up, the DCE end must provide clocking via the 'clock rate' command. Without it, the interface will remain down (line protocol down) because no clock signal is present to synchronize data transmission.

Exam trap

Cisco often tests the distinction between DCE and DTE roles; the trap here is that candidates assume the 'show controllers' output is irrelevant or that the issue is a Layer 2 problem (encapsulation) when the root cause is a missing Layer 1 clock signal on the DCE side.

Why the other options are wrong

B

Some candidates may misinterpret the DCE cable type as a problem, but the output merely states the detected cable type accurately, not a misidentification.

C

Candidates often fixate on encapsulation issues when line protocol is down, overlooking the explicit hardware-level clocking problem shown here.

D

Many candidates think that a non-functioning interface might be shut down, but the exhibit explicitly shows an active hardware detection with a configuration error, not an administrative shutdown.

1550
MCQhard

A network administrator has recently upgraded the corporate wireless LAN to support 802.11ax (Wi-Fi 6) and is using WPA3-Enterprise with a central WLC. Several users with new 802.11ax laptops report that they can connect to the SSID, but after a few minutes their connections drop and then re-establish, while legacy 802.11ac clients work without issues. Which action will resolve this problem?

A.Downgrade the WLAN security to WPA2-Enterprise for backward compatibility.
B.Enable Protected Management Frames (PMF) as Required on the WLAN.
C.Disable OFDMA and MU-MIMO on the WLC for the affected APs.
D.Adjust the 5 GHz channel width from 80 MHz to 40 MHz to avoid interference.
AnswerB

WPA3 and 802.11ax require PMF. Setting PMF to Required ensures that the AP and clients use encrypted management frames, preventing disconnections due to failed PMF negotiation or unprotected robust security network associations.

Why this answer

WPA3-Enterprise requires Protected Management Frames (PMF) to be set to 'Required' on the WLC. When PMF is not enabled or set to 'Optional', 802.11ax clients using WPA3 may experience intermittent disconnects because management frame protection is mandatory for WPA3 operation. Legacy 802.11ac clients using WPA2 do not require PMF, so they remain unaffected.

Exam trap

Cisco often tests the misconception that Wi-Fi 6 issues are caused by physical layer features like OFDMA or channel width, when the actual problem is a mandatory security configuration mismatch (PMF) between WPA3 and the WLC.

Why the other options are wrong

A

Downgrading to WPA2 is a common workaround when WPA3-related features aren't correctly configured, but it's not the correct solution for PMF-related disconnections.

C

Disabling Wi-Fi 6 features does not resolve authentication or management frame protection issues; this misconception stems from blaming new features for instability.

D

Changing channel width addresses co-channel interference and throughput, not authentication or management frame protection issues.

1551
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure HSRP on a Cisco IOS-XE router, including priority, preempt, virtual IP, and then verify the active/standby election and failover process.


Why this order

First, the interface is configured. Then the virtual IP is set, followed by priority and preempt. Verification confirms the election, and failover testing demonstrates the preempt mechanism works.

Exam trap

The exam trap is that candidates often confuse the order of priority and preempt, or try to configure HSRP parameters before the interface is ready. Remember: interface first, then virtual IP, then priority, then preempt. Verification and testing come last.

1552
Multi-Selecteasy

Which two statements correctly describe JSON?

Select 2 answers
A.It commonly represents data as key-value pairs
B.It is often used in REST API payloads
C.It requires angle-bracket tags around every field
D.It is a routing protocol used by controllers
E.It can only carry integer values
AnswersA, B

That is a core JSON pattern.

Why this answer

JSON is a lightweight data-interchange format commonly used in APIs. It represents data using key-value pairs and arrays. It is not the same as XML, which uses angle-bracket tags.

JSON is not a routing protocol. JSON can carry various data types including strings, numbers, booleans, arrays, objects, and null, not only integers.

Exam trap

A common exam trap is mistaking JSON for XML or a routing protocol. Some candidates incorrectly believe JSON requires angle-bracket tags around fields, which is actually an XML characteristic. Others confuse JSON with routing protocols used by controllers, which it is not.

JSON is solely a data format for representing structured data, primarily using key-value pairs and arrays. Misunderstanding this can lead to selecting incorrect answers that describe XML or routing protocols instead of JSON’s actual function in network automation and programmability.

Why the other options are wrong

C

Option C is incorrect because JSON does not use angle-bracket tags; that syntax belongs to XML. Confusing JSON with XML is a common mistake but not accurate for this question.

D

Option D is incorrect as JSON is not a routing protocol. It is a data format used for representing information, not for routing or control plane functions in networks.

E

Option E is incorrect because JSON can carry various data types beyond integers, including strings, booleans, arrays, objects, and null values. Limiting JSON to integers is a misunderstanding.

1553
Drag & Dropmedium

Drag and drop the following steps into the correct order to plan, configure, and apply an extended ACL that blocks Telnet traffic from the 192.168.1.0/24 network to the 10.0.0.0/24 network, applied inbound on the router's G0/0 interface.


Why this order

First enter global config, then create ACL with deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq telnet, then permit ip any any, then enter interface G0/0, then apply ACL inbound. This order ensures the ACL is created before being applied, and the specific source/destination networks match the requirement.

Exam trap

Be careful with the order of operations: ACLs must be created before they can be applied, and the order of entries within the ACL matters. Also, remember that 'ip access-group' is an interface command, not global.

1554
Matchingmedium

Drag and drop the IPv6 address types on the left to their corresponding scope and prefix on the right.

Matches

2000::/3; globally routable across the Internet

FE80::/10; automatically assigned on each interface

FC00::/7; private, not routable on the Internet

FF00::/8; one-to-many communication

::1/128; used for localhost testing

Why these pairings

IPv6 address types have defined scopes and prefixes: Global Unicast has global scope with 2000::/3, Link-Local has link-local scope with FE80::/10, Unique Local has unique local scope with FC00::/7, Multicast has multicast scope with FF00::/8, Loopback has loopback scope with ::1/128, and Unspecified has unspecified scope with ::/128.

Exam trap

Do not confuse the scope of Link-Local (link) with Unique Local (site). Also remember that Multicast scope is not fixed; it varies based on the address.

1555
Multi-Selectmedium

Which three of the following are security best practices for implementing AAA on a Cisco router? (Choose three.)

Select 3 answers
• Use a local username database as a fallback method if the AAA server is unreachable.
• Enable AAA new-model before configuring any AAA methods.
• Configure TACACS+ for detailed command authorization and accounting.
• Set the authentication login method to 'none' for console access.
• Use RADIUS for command-level authorization.
• Disable the enable secret password when using AAA servers.

Why this answer

Using a local username database as a fallback method ensures that if the AAA server becomes unreachable, administrators can still authenticate via the router's local accounts. This is a standard best practice to prevent lockout. Enabling 'aaa new-model' is mandatory before any AAA configuration, as it activates the AAA subsystem on the router.

TACACS+ is the preferred protocol for command authorization and accounting because it encrypts the entire packet and supports per-command authorization, unlike RADIUS which only encrypts the password.

Exam trap

Cisco often tests the misconception that RADIUS can be used for command authorization, but the trap is that RADIUS only supports authentication and accounting for network access, not the granular command-level control that TACACS+ provides.

1556
Matching (medium)

Match each automation-related data term to the most accurate description.

A lightweight structured data format

An ordered list of values or objects

A name used to identify a field in structured data

A data modeling language used to describe network information

Why these pairings

JSON is a lightweight data-interchange format that uses human-readable text to store and transmit data objects. An array in structured data is an ordered collection of items, indexed by integers. A key is a unique identifier used to map to a value in a key-value pair, such as in JSON objects.

YANG is specifically a data modeling language designed for defining configuration and state data for network devices, often used with NETCONF/RESTCONF.

Exam trap

A common mistake is confusing YANG with a data format like JSON or XML, when actually YANG is a modeling language that defines the structure and constraints for data, which is then serialized into formats like JSON or XML.

1557
PBQ (hard)

You are connected to R1. The network uses a router-on-a-stick design with a single switch (SW1) and two VLANs: VLAN 10 (10.0.10.0/24) and VLAN 20 (10.0.20.0/24). The current configuration has connectivity issues: PCs in VLAN 20 cannot ping the router interface or each other, and there is a native VLAN mismatch on the trunk. Configure R1 to correct the native VLAN mismatch, ensure the trunk allows both VLANs, enable inter-VLAN routing, and fix any subinterface encapsulation errors so that all PCs can reach the router and each other across VLANs.

Hints

  • Check the native VLAN on both sides of the trunk
  • Ensure the trunk allows all required VLANs
  • Router-on-a-stick requires ip routing to be enabled
A.interface gig0/0; no shutdown; switchport trunk native vlan 99; switchport trunk allowed vlan 10,20; ip routing
B.interface gig0/0.10; encapsulation dot1Q 10; ip address 10.0.10.1 255.255.255.0; interface gig0/0.20; encapsulation dot1Q 20; ip address 10.0.20.1 255.255.255.0
C.interface gig0/0; no shutdown; switchport trunk native vlan 1; switchport trunk allowed vlan 10,20; ip routing
D.interface gig0/0; no shutdown; switchport trunk native vlan 99; switchport trunk allowed vlan 10,20; no ip routing
AnswerA
solution
! R1
configure terminal
interface GigabitEthernet0/0
no switchport
switchport trunk native vlan 99
switchport trunk allowed vlan 10,20
exit
ip routing

Why this answer

The issue is a native VLAN mismatch: R1 subinterface .99 uses native VLAN 99, but the switch expects native VLAN 1 (the default). VLAN 20 traffic may also be blocked if the switch trunk does not allow VLAN 20, and 'ip routing' may be missing on R1 (routes appear in the table, but the command itself may not be present). The fix: on R1, set the native VLAN on the physical interface to 99 (or to match the switch), ensure the trunk allows VLANs 10 and 20, and enable IP routing.

Also verify subinterface encapsulation is correct. In this case, the candidate must issue 'interface gig0/0', 'no shutdown', 'switchport trunk native vlan 99', 'switchport trunk allowed vlan 10,20', and 'ip routing'.

Exam trap

Cisco exams often test the concept that native VLAN must match on both ends of a trunk. Also, remember that 'ip routing' is required for inter-VLAN routing on a router, even with subinterfaces configured.

Why the other options are wrong

B

Missing commands to set native VLAN on the physical interface and enable ip routing.

C

The native VLAN should match the switch's native VLAN (99), not default to 1.

D

IP routing must be enabled for the router to route between subinterfaces.

1558
Multi-Select (medium)

Which two statements accurately describe floating static routes?

Select 2 answers
A.They are static routes configured with higher administrative distance so they act as backups.
B.They can become active automatically if the preferred route is lost.
C.They always override dynamic routes immediately.
D.They are identical to equal-cost load balancing.
E.They remove the need for routing tables.
AnswersA, B

This is correct because that is the definition of a floating static route.

Why this answer

The two correct statements describe floating static routes as backup routes with higher administrative distance that activate when the preferred route is lost. Option C is wrong because floating static routes have a higher administrative distance, so they do not override dynamic routes immediately; they only activate if the dynamic route is lost. Option D is wrong because floating static routes are for backup, not equal-cost load balancing.

Option E is wrong because floating static routes are entries in the routing table that provide backup, not a replacement for it.

Exam trap

Be cautious of confusing floating static routes with load balancing or manual intervention requirements.

Why the other options are wrong

C

Floating static routes have higher administrative distance, so they do not override dynamic routes immediately.

D

Floating static routes are for backup purposes, not equal-cost load balancing.

E

Floating static routes are entries in the routing table, not a replacement for it.

1559
Matching (medium)

Match each route-selection concept to the description that best fits it.

Selects the most specific matching route

Compares trust between route sources

Compares candidate paths within a protocol or route source

Fallback when no more specific route exists

Why these pairings

Longest-prefix match selects the most specific matching route. Administrative distance compares trust between route sources. Metric compares candidate paths within a protocol or route source.

Default route serves as a fallback when no more specific route exists.

Exam trap

Do not confuse the order of route selection: LPM is always checked first, before AD or metric. Many candidates mistakenly think AD or metric determines specificity, but they only come into play after LPM is applied.

1560
Matching (medium)

Match each service to the problem it most directly helps solve.

Users can reach servers by IP but not by hostname

Hosts are not receiving addressing automatically

Logs from different devices have inconsistent times

Engineers want centralized event messages

Why these pairings

DNS resolves hostnames to IP addresses, so without it users can reach servers by IP but not by hostname. DHCP automatically assigns IP addresses, so without it hosts do not receive addressing automatically. NTP synchronizes clocks across devices, so without it logs from different devices show inconsistent time stamps.

Syslog forwards event messages to a central server, solving the need for centralized event logging.

Exam trap

Do not confuse services that use timestamps (like Syslog or NetFlow) with the service that provides the timestamps (NTP). The question asks which service directly solves the problem of clock synchronization.

1561
MCQ (hard)

Two routers are in the same OSPF area and on the same subnet, but they do not form an adjacency. One interface uses a hello interval of 10 seconds and the other uses 5 seconds. What is the most likely cause?

A.The OSPF hello timers do not match.
B.The routers need matching hostnames.
C.The subnet must be changed to /24 before OSPF can work.
D.The routers must both use static routes first.
AnswerA

This is correct because OSPF neighbors must agree on hello timing in order to form an adjacency.

Why this answer

An OSPF timer mismatch is the most likely cause. In plain language, the routers are trying to discover each other, but they are speaking on different timing expectations. OSPF neighbors on the same segment must agree on certain parameters before they trust each other enough to form an adjacency, and the hello and dead timers are among those critical values.

This is a very common OSPF troubleshooting issue because the interfaces may still be reachable with ping and may even appear correctly addressed and placed in the same area. But OSPF is stricter than simple IP reachability. If the hello interval does not match, the adjacency usually fails before it becomes fully operational.

Exam trap

A common exam trap is assuming that because two routers can ping each other on the same subnet, their OSPF adjacency will form automatically. The trap lies in overlooking the importance of matching OSPF hello and dead timers. Many candidates focus only on IP addressing or area configuration and miss that OSPF requires exact timer agreement.

This leads to confusion when adjacency never forms despite correct IP setup. The exam tests your understanding that OSPF is a protocol with strict neighbor parameter requirements, not just IP reachability.

Why the other options are wrong

B

Incorrect because router hostnames do not affect OSPF adjacency formation. OSPF neighbors identify each other by router IDs and interface parameters, not hostnames.

C

Incorrect because OSPF supports various subnet masks and does not require a /24 subnet. The problem is related to timer mismatch, not subnet size.

D

Incorrect because static routes are not necessary for OSPF adjacency. OSPF dynamically discovers neighbors using hello packets and forms adjacencies based on protocol parameters.

1562
PBQ (hard)

You are connected to R1, a Catalyst 3650 multilayer switch running IOS-XE. Configure Root Guard on all designated ports, Loop Guard on uplink interfaces, and BPDU Guard on all PortFast-enabled ports. Troubleshoot the current issue: one port is receiving a superior BPDU and is being blocked by Root Guard, and a different PortFast port has gone err-disabled after BPDU Guard triggered. Verify that Root Guard is active on port Gi1/0/1, Loop Guard is active on Gi1/0/2, and BPDU Guard is enabled on Gi1/0/3.

Network Topology
R1 (ports Gi1/0/1, Gi1/0/2, Gi1/0/3) connected to R2, Core Switch, and Host (diagram not reproduced)

Hints

  • Root Guard should be on the port that is designated, not receiving superior BPDUs.
  • Loop Guard should be on the port that is a root port or alternate root port.
  • An err-disabled port must be manually recovered with shutdown/no shutdown.
A.Remove Root Guard from Gi1/0/1 and apply it to Gi1/0/2; remove Loop Guard from Gi1/0/2 and apply it to Gi1/0/1; on Gi1/0/3, issue shutdown then no shutdown; verify Root Guard on Gi1/0/2, Loop Guard on Gi1/0/1, BPDU Guard on Gi1/0/3.
B.Remove Root Guard from Gi1/0/1 and apply it to Gi1/0/2; remove Loop Guard from Gi1/0/2 and apply it to Gi1/0/1; on Gi1/0/3, issue no shutdown; verify Root Guard on Gi1/0/2, Loop Guard on Gi1/0/1, BPDU Guard on Gi1/0/3.
C.Remove Root Guard from Gi1/0/1 and apply it to Gi1/0/2; remove Loop Guard from Gi1/0/2 and apply it to Gi1/0/1; on Gi1/0/3, issue shutdown then no shutdown; verify Root Guard on Gi1/0/1, Loop Guard on Gi1/0/2, BPDU Guard on Gi1/0/3.
D.Remove Root Guard from Gi1/0/1 and apply it to Gi1/0/2; remove Loop Guard from Gi1/0/2 and apply it to Gi1/0/1; on Gi1/0/3, issue shutdown then no shutdown; verify Root Guard on Gi1/0/2, Loop Guard on Gi1/0/2, BPDU Guard on Gi1/0/3.
AnswerA
solution
! R1
interface GigabitEthernet1/0/1
no spanning-tree guard root
spanning-tree guard loop
interface GigabitEthernet1/0/2
no spanning-tree guard loop
spanning-tree guard root
interface GigabitEthernet1/0/3
shutdown
no shutdown

Why this answer

The network requires Root Guard on designated ports, Loop Guard on uplink (root/alternate) ports, and BPDU Guard on PortFast ports. Gi1/0/1 is receiving a superior BPDU and being blocked by Root Guard, indicating Root Guard is misapplied to a non-designated port; it should be moved to the designated port Gi1/0/2. Loop Guard belongs on the uplink port Gi1/0/1, not Gi1/0/2, so the configuration is swapped.

The PortFast port Gi1/0/3 experienced a BPDU Guard violation and is err-disabled; recovering it requires a shutdown followed by a no shutdown command, not just no shutdown. Finally, verification must confirm the correct new placement: Root Guard on Gi1/0/2, Loop Guard on Gi1/0/1, and BPDU Guard on Gi1/0/3.

Exam trap

Be careful not to confuse the purpose of Root Guard and Loop Guard. Root Guard is for designated ports, Loop Guard is for root/alternate ports. Also, remember that an err-disabled port requires a shutdown/no shutdown sequence to recover, not just no shutdown.

Why the other options are wrong

B

Issuing only 'no shutdown' will not recover an interface from the err-disabled state caused by BPDU Guard; it must be administratively shut down first with 'shutdown', then re-enabled with 'no shutdown'.

C

The verification step checks Root Guard on Gi1/0/1 and Loop Guard on Gi1/0/2, which is the original incorrect configuration before the swap; after the fix, Root Guard should be on Gi1/0/2 and Loop Guard on Gi1/0/1.

D

The verification step incorrectly states that Loop Guard is active on Gi1/0/2. After swapping the configurations, Loop Guard is now on Gi1/0/1, not Gi1/0/2, so this option validates the wrong port.

1563
Drag & Drop (medium)

Drag and drop the following steps into the correct order to retrieve a specific interface configuration via RESTCONF and apply a change to the interface description.

Why this order

Retrieve the current interface config, parse it, modify the description, apply the update, and verify the change.

Exam trap

The trap is that all steps are valid actions, but the question asks for the correct order. Candidates must recognize that retrieval (GET) must come before modification (PUT), and verification (another GET) comes after the update.

1564
Drag & Drop (medium)

Drag and drop the following steps into the correct order to install a new fiber optic cable and SFP module on a Cisco switch, then verify the interface status.

Why this order

The correct procedure for installing a fiber optic cable and SFP module on a modern Cisco switch is to insert the SFP module into the port while the switch is powered on, as most Cisco switches support hot-swapping of SFP modules to minimize network downtime. Then, connect the fiber optic cable to the SFP module, ensuring proper alignment and locking. Finally, verify the interface status using 'show interfaces status' to confirm the link is up and operational.

Powering down the switch is unnecessary and contradicts hot-swappable design, while connecting the cable before inserting the SFP or skipping the SFP module entirely are incorrect because the switch port requires an SFP to convert electrical signals to optical.

Exam trap

Many learners assume SFP modules require the switch to be powered down before installation, but modern Cisco switches support hot-swapping; always verify the specific module and device documentation.

1565
Multi-Select (medium)

Which three options correctly describe how AI can optimize network performance and quality of service (QoS)? (Choose three.)

Select 3 answers
A.Predicting traffic congestion and proactively rerouting flows to avoid bottlenecks
B.Automatically adjusting QoS queue weights based on learned application traffic patterns
C.Identifying and prioritizing latency-sensitive applications such as VoIP and video conferencing
D.Replacing all hardware switches with software-based AI routers to eliminate latency
E.Guaranteeing line-rate throughput on all interfaces regardless of traffic load
F.Eliminating packet loss entirely by using AI to predict every transmission failure

Why this answer

AI optimizes network performance and QoS by analyzing traffic patterns and making real-time adjustments. Predicting congestion and rerouting flows prevents packet loss and delays. Automatically adjusting queue weights ensures bandwidth is allocated based on learned application needs.

Identifying and prioritizing latency-sensitive traffic like VoIP ensures low jitter and delay, meeting QoS requirements. The incorrect options are unrealistic: replacing all hardware switches with software-based AI routers cannot eliminate latency because hardware still provides fast forwarding; AI cannot guarantee line-rate throughput on all interfaces regardless of traffic load because bandwidth is limited; and AI cannot entirely eliminate packet loss by predicting every transmission failure because physical and unpredictable errors still occur.

Exam trap

Cisco often tests the misconception that AI only applies to security or automation, not to QoS, but here all three options are valid, so candidates must recognize that AI can directly enhance traffic engineering and queue management.

1566
Drag & Drop (medium)

Drag and drop the following steps into the correct order to configure a switch port for a VoIP phone (voice VLAN + data VLAN), an AP trunk, and a PoE-powered IoT device.

Why this order

First create VLANs, then assign data and voice VLANs to the phone port, configure the AP trunk, and lastly enable PoE on the IoT port.

Exam trap

The trap is that candidates may enable PoE too early or configure trunks before VLANs exist. Remember: VLANs must be created first, then assigned to ports, and PoE is typically enabled last.

1567
Multi-Select (medium)

Which two statements accurately describe good management-plane security practice on network devices?

Select 2 answers
A.Use secure management protocols such as SSH instead of less secure remote-access methods.
B.Restrict management access to trusted source networks where possible.
C.Prefer shared generic admin accounts for convenience.
D.Disable all logging to reduce device workload.
E.Rely only on SSID names to protect router management.
AnswersA, B

This is correct because encrypted management access is a core best practice.

Why this answer

Good management-plane security combines multiple layers of control. In practical terms, using secure protocols such as SSH is important, but so is restricting which sources may connect, controlling who is authorized, and maintaining visibility into administrative activity. Strong management security is not usually one setting by itself.

This is a layered-control question rather than a single-technology question.

Exam trap

A common exam trap is selecting only one security measure, such as using SSH, and ignoring the importance of restricting management access sources. Candidates might assume that encrypted protocols alone provide complete security, but without source filtering, attackers can still attempt unauthorized connections. Another trap is choosing options that suggest disabling logging or using shared admin accounts, which weaken security by reducing accountability and visibility.

The exam tests understanding that management-plane security is multi-layered, requiring both secure protocols and access restrictions to effectively protect network devices.

Why the other options are wrong

C

Incorrect because shared generic admin accounts reduce traceability and accountability, making it difficult to audit who made changes or accessed the device, which weakens security.

D

Incorrect because disabling logging removes visibility into management activities, hindering the ability to detect unauthorized access or troubleshoot issues, which is counterproductive to security.

E

Incorrect because SSID names pertain to wireless network identification and do not provide any protection for router management-plane access or protocols.
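The layered controls this question lists (SSH-only access, restricting management sources, per-user accounts, logging) can be checked mechanically against a running-config. The Python below is an added example, not part of the question bank: it parses an IOS-style config into sections and reports which of those controls are missing from the VTY lines and global configuration. Both sample configs are constructed, the placeholder passwords are not real credentials, and the set of account names treated as "generic" is a heuristic assumption, not an IOS rule.

```python
"""Audit the management plane of an IOS-style running-config for the controls
this question describes: SSH-only VTY access, source restriction (access-class),
per-user login, a logging destination, and no generic shared accounts. Added
example, not from the question bank; both configs are constructed."""
import re
from typing import List, Tuple

GENERIC_ACCOUNT_NAMES = {"admin", "administrator", "cisco", "user", "guest"}  # heuristic list


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split a running-config into (section header, child lines); IOS indents
    the children of a section such as 'line vty 0 4' with a leading space."""
    blocks: List[Tuple[str, List[str]]] = []
    header, children = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            children.append(raw.strip())
            continue
        if header is not None:
            blocks.append((header, children))
        header, children = raw.strip(), []
    if header is not None:
        blocks.append((header, children))
    return blocks


def audit_management_plane(config: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]
    if not any(h.startswith(("logging host", "logging buffered")) for h in headers):
        findings.append("no logging destination (logging host / logging buffered)")
    if "ip ssh version 2" not in headers:
        findings.append("SSH version 2 not enforced (ip ssh version 2)")
    for h in headers:
        m = re.match(r"username (\S+)", h)
        if m and m.group(1).lower() in GENERIC_ACCOUNT_NAMES:
            findings.append(f"generic shared account name '{m.group(1)}'")
    for header, children in blocks:
        if not header.startswith("line vty"):
            continue
        transports = [c for c in children if c.startswith("transport input")]
        if not transports or any(t.split()[2:] != ["ssh"] for t in transports):
            findings.append(f"{header}: transport input is not 'ssh' only")
        if not any(c.startswith("access-class") for c in children):
            findings.append(f"{header}: no access-class limiting management sources")
        if not any(c.startswith(("login local", "login authentication")) for c in children):
            findings.append(f"{header}: login is not tied to per-user credentials")
    return findings


# Constructed samples: a weak config and a hardened one (placeholder secrets).
WEAK_CONFIG = """\
hostname R1
username admin password 0 EXAMPLE-WEAK
line vty 0 4
 password EXAMPLE-WEAK
 login
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname R1
logging host 192.0.2.50
ip ssh version 2
username jdoe privilege 15 secret EXAMPLE-ONLY
ip access-list standard MGMT-SOURCES
 permit 10.10.10.0 0.0.0.255
line vty 0 4
 access-class MGMT-SOURCES in
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for finding in audit_management_plane(WEAK_CONFIG):
        print("WEAK:", finding)
    print("HARDENED findings:", audit_management_plane(HARDENED_CONFIG))
```

The weak config trips every check; the hardened one passes all of them, which mirrors the point of the question: SSH alone is not enough, the source restriction, per-user login and logging have to be present too.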

1568
MCQ (medium)

A switch shows this output from the "show interfaces trunk" command:

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1
Gi0/2       auto         802.1q         not-trunking  1

Which statement is correct?

A.Gi0/1 is an access port in VLAN 1
B.Gi0/1 is trunking, and Gi0/2 is waiting for DTP negotiation
C.Gi0/2 is forced to trunk mode
D.Neither interface can carry tagged traffic
AnswerB

Correct. Gi0/1 is trunking now; Gi0/2 is in a passive DTP negotiation state.

Why this answer

Gi0/1 is already operating as an 802.1Q trunk. Gi0/2 is in dynamic auto mode, which waits for the other side to actively negotiate trunking.

Exam trap

Beware of confusing 'on' with access mode and misunderstanding dynamic auto's capability to negotiate trunking.

Why the other options are wrong

A

This option is incorrect because Gi0/1 is configured as a trunk port, not an access port, and it is actively trunking VLANs. Access ports do not participate in VLAN tagging and would not show trunking status.

C

This option is incorrect because Gi0/2 is set to 'auto' for trunking, meaning it is not forced into trunk mode but is instead waiting for Dynamic Trunking Protocol (DTP) negotiation to determine if it should become a trunk port.

D

This option is incorrect because Gi0/1 is configured as a trunk port and can carry tagged traffic, while Gi0/2 is in a state waiting for DTP negotiation, which means it can potentially become a trunk port as well.

1569
Multi-Select (medium)

A branch router is running single-area OSPF. An engineer wants an interface to advertise its connected network into OSPF but must prevent hello packets from being sent on that LAN segment. Which two actions achieve that goal?

Select 2 answers
A.Enable OSPF on the interface or matching network statement
B.Configure the interface as passive in the OSPF process
C.Set the interface network type to point-to-point
D.Apply distribute-list out on the interface
AnswersA, B

OSPF must still be enabled for the connected subnet to be advertised.

Why this answer

In OSPF, a passive interface still advertises the connected network but does not send or process hello packets. So the interface must participate in OSPF, and then it must be made passive.

Exam trap

A frequent exam trap is assuming that changing the OSPF network type or applying a distribute-list on the interface will stop hello packets. Many candidates mistakenly believe that setting the interface to point-to-point suppresses hellos, but it only changes adjacency behavior. Similarly, distribute-lists filter routing updates but do not affect hello packet transmission.

The key mistake is forgetting that OSPF must be enabled on the interface to advertise the network and that only the passive-interface command prevents hello packets while still advertising the connected subnet.

Why the other options are wrong

C

Setting the interface network type to point-to-point changes adjacency behavior but does not suppress hello packets. Therefore, it does not meet the requirement to prevent hello packet transmission.

D

Applying a distribute-list out on the interface filters routing updates but does not affect the sending of OSPF hello packets. It does not prevent hello packet transmission on the LAN segment.

1570
Multi-Select (hard)

Exhibit: A static route to 172.16.40.0/24 is configured, but traffic still follows the default route. Which two explanations are plausible?

Select 2 answers
A.The next hop for the static route may not be reachable
B.The exit interface associated with that path may be down
C.The default route always overrides more specific routes
D.Static routes require a metric lower than 1
E.The destination prefix must be configured under router ospf first
AnswersA, B

A recursive lookup problem can prevent installation.

Why this answer

If a static route points to an unreachable next hop or the outgoing interface is down, the route may not be installed as usable. In that case the router can still use a less specific route such as the default route.

Exam trap

A frequent exam trap is believing that a static route always takes precedence over a default route regardless of network conditions. Candidates may overlook that Cisco routers require the next hop to be reachable and the exit interface to be operational before installing the static route. If these conditions are not met, the router ignores the static route and uses the default route instead.

This misunderstanding can lead to incorrect answers, especially when the question involves static route reachability or interface status.

Why the other options are wrong

C

Incorrect because Cisco routers use the longest prefix match rule, meaning a more specific static route overrides the default route when valid. The default route does not always override specific routes.

D

Incorrect because static routes do not require a metric lower than 1. Static routes have an administrative distance of 1 by default, but metric values do not prevent route installation based on reachability.

E

Incorrect because static routes operate independently of dynamic routing protocols like OSPF. The destination prefix does not need to be configured under OSPF for a static route to function.
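This question (a static route that is not installed because its next hop or exit interface is unusable), question 1558 (floating static routes taking over when the preferred route is lost) and question 1559 (longest-prefix match, then administrative distance, then metric, with the default route as fallback) all describe one selection process. The Python below is an added example, not part of the question bank, that models that process on a constructed router: it installs only resolvable routes, picks the best (AD, metric) per prefix, keeps exact ties as equal-cost paths, and forwards by longest prefix. The interface names, networks and routes are constructed for the example.

```python
"""Route installation and lookup as a Cisco router does it: a candidate route is
usable only if its exit interface is up or its next hop falls in an up connected
network; per prefix the lowest administrative distance wins, then the lowest
metric, and exact ties are all installed (equal-cost multipath); a forwarding
lookup takes the longest matching prefix. Added example, not from the question
bank; the interfaces and routes below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


@dataclass
class Route:
    prefix: str                       # "0.0.0.0/0" is the default route
    source: str                       # "connected", "static", "ospf", ...
    ad: int
    metric: int = 0
    next_hop: Optional[str] = None
    interface: Optional[str] = None   # exit interface, when configured that way


class Rib:
    def __init__(self, interfaces: Dict[str, Tuple[str, bool]]):
        self.interfaces = interfaces      # name -> (connected network, link is up)
        self.candidates: List[Route] = []

    def add(self, route: Route) -> None:
        self.candidates.append(route)

    def withdraw(self, source: str) -> None:
        """Drop every route from one source (e.g. the OSPF adjacency went down)."""
        self.candidates = [r for r in self.candidates if r.source != source]

    def _usable(self, route: Route) -> bool:
        if route.interface is not None:
            return self.interfaces[route.interface][1]
        if route.next_hop is None:
            return True
        nh = ipaddress.ip_address(route.next_hop)
        return any(up and nh in ipaddress.ip_network(net)
                   for net, up in self.interfaces.values())

    def table(self) -> Dict[str, List[Route]]:
        """Installed routes per prefix: best (AD, metric); ties are ECMP."""
        by_prefix: Dict[str, List[Route]] = {}
        for r in self.candidates:
            if self._usable(r):
                by_prefix.setdefault(r.prefix, []).append(r)
        installed: Dict[str, List[Route]] = {}
        for prefix, routes in by_prefix.items():
            best = min((r.ad, r.metric) for r in routes)
            installed[prefix] = [r for r in routes if (r.ad, r.metric) == best]
        return installed

    def lookup(self, dst: str) -> List[Route]:
        """Longest-prefix match over installed routes; [] means no route at all."""
        d = ipaddress.ip_address(dst)
        matches = [(ipaddress.ip_network(p).prefixlen, rs)
                   for p, rs in self.table().items() if d in ipaddress.ip_network(p)]
        return max(matches, key=lambda m: m[0])[1] if matches else []


def build_demo_rib() -> Rib:
    """Constructed scenario: Gi0/1 is down, so the static route via 10.0.1.2 is
    not installed and 172.16.40.0/24 traffic follows the default route."""
    rib = Rib({"Gi0/0": ("10.0.0.0/30", True),
               "Gi0/1": ("10.0.1.0/30", False),
               "Gi0/2": ("192.168.1.0/24", True)})
    rib.add(Route("10.0.0.0/30", "connected", 0, interface="Gi0/0"))
    rib.add(Route("192.168.1.0/24", "connected", 0, interface="Gi0/2"))
    rib.add(Route("0.0.0.0/0", "static", DEFAULT_AD["static"], next_hop="10.0.0.2"))
    rib.add(Route("172.16.40.0/24", "static", DEFAULT_AD["static"], next_hop="10.0.1.2"))
    # Two equal-cost OSPF paths plus a floating static backup (AD 115 > 110).
    rib.add(Route("10.50.0.0/16", "ospf", DEFAULT_AD["ospf"], 20, next_hop="10.0.0.2"))
    rib.add(Route("10.50.0.0/16", "ospf", DEFAULT_AD["ospf"], 20, next_hop="192.168.1.2"))
    rib.add(Route("10.50.0.0/16", "static", 115, next_hop="192.168.1.3"))
    rib.add(Route("10.50.1.0/24", "ospf", DEFAULT_AD["ospf"], 30, next_hop="192.168.1.2"))
    return rib


if __name__ == "__main__":
    rib = build_demo_rib()
    print([r.prefix for r in rib.lookup("172.16.40.5")])   # ['0.0.0.0/0']
    rib.withdraw("ospf")
    print(rib.lookup("10.50.2.1")[0].ad)                   # 115
```

Bringing Gi0/1 up makes the static route resolvable and it immediately wins the lookup over the default route; withdrawing the OSPF routes lets the floating static (AD 115) take over for 10.50.0.0/16 without any configuration change.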

1571
MCQ (hard)

Which IPv6 prefix is used for link-local addresses?

A.FC00::/7
B.FE80::/10
C.2000::/3
D.FF00::/8
AnswerB

Correct. FE80::/10 is the link-local prefix.

Why this answer

IPv6 link-local addresses come from FE80::/10. They are valid only on the local link and are commonly used for neighbor discovery and routing adjacency formation.

Exam trap

Don't confuse link-local prefixes with global unicast or multicast prefixes. Remember, link-local addresses are only valid within the local link.

Why the other options are wrong

A

The prefix FC00::/7 is designated for Unique Local Addresses (ULAs) in IPv6, not link-local addresses. Link-local addresses specifically use the FE80::/10 prefix.

C

Incorrect because 2000::/3 designates global unicast addresses, not link-local addresses, which are defined by the FE80::/10 prefix.

D

Incorrect because FF00::/8 is reserved for multicast addresses in IPv6, not link-local addresses. Link-local addresses specifically use the FE80::/10 prefix.
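The prefixes in this question and in the matching question 1554 can be verified with the standard library. The Python below is an added example, not part of the question bank: it classifies an address by the well-known prefixes (2000::/3, FC00::/7, FE80::/10, FF00::/8, ::1/128, ::/128), cross-checks the link-local test against the standard library's own flag, and decodes the multicast scope field, which is what question 1554's trap means by multicast scope varying with the address. The sample addresses are constructed (2001:db8::/32 is the documentation range; ff02::5 is the OSPF AllSPFRouters group).

```python
"""Classify IPv6 addresses by the well-known prefixes from the questions above
and decode the multicast scope field. Added example, not from the question
bank; the sample addresses are constructed."""
import ipaddress
from typing import Optional, Tuple

# (type, prefix, scope) exactly as the matching question pairs them.
IPV6_ADDRESS_TYPES = [
    ("Global Unicast", "2000::/3", "global"),
    ("Unique Local", "fc00::/7", "unique local (private, not Internet-routable)"),
    ("Link-Local", "fe80::/10", "link"),
    ("Multicast", "ff00::/8", "multicast (scope is carried in the address)"),
    ("Loopback", "::1/128", "loopback"),
    ("Unspecified", "::/128", "unspecified"),
]

# RFC 4291 multicast scope values: the low nibble of the second byte (FFxS::).
MULTICAST_SCOPES = {1: "interface-local", 2: "link-local", 4: "admin-local",
                    5: "site-local", 8: "organization-local", 14: "global"}


def classify_ipv6(addr: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (type name, prefix, scope), or ('Other', None, None)."""
    a = ipaddress.IPv6Address(addr)
    for name, prefix, scope in IPV6_ADDRESS_TYPES:
        if a in ipaddress.IPv6Network(prefix):
            return name, prefix, scope
    return "Other", None, None


def multicast_scope(addr: str) -> str:
    """Decode the 4-bit scope field of an FF00::/8 address."""
    a = ipaddress.IPv6Address(addr)
    if a not in ipaddress.IPv6Network("ff00::/8"):
        raise ValueError(f"{addr} is not a multicast address")
    scope = a.packed[1] & 0x0F
    return MULTICAST_SCOPES.get(scope, f"unassigned ({scope})")


def is_link_local(addr: str) -> bool:
    """Prefix check, cross-validated against the standard library's own flag."""
    a = ipaddress.IPv6Address(addr)
    by_prefix = a in ipaddress.IPv6Network("fe80::/10")
    assert by_prefix == a.is_link_local
    return by_prefix


if __name__ == "__main__":
    for sample in ("2001:db8::1", "fd12:3456::1", "fe80::1", "ff02::5", "::1", "::"):
        print(sample, "->", classify_ipv6(sample))
    print("ff02::5 scope:", multicast_scope("ff02::5"))   # link-local
```

Note that FC00::/7 covers both FC00::/8 and FD00::/8, so an address such as fd12:3456::1 classifies as Unique Local even though it does not start with "fc".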

1572
MCQ (hard)

On a broadcast multiaccess segment, R3 has an OSPF priority of 255, but it is in the DROTHER state. Which explanation best fits OSPF behavior?

A.DR election is nonpreemptive on broadcast networks
B.A router cannot become DR if it uses a loopback router ID
C.OSPF priority works only on point-to-point links
D.R3's priority is lower than the current DR's priority
AnswerA

Changing priority later does not automatically replace the existing DR.

Why this answer

On broadcast networks, OSPF DR and BDR election is not preemptive. If a DR is already elected, giving another router a higher priority later does not force a new election unless the current DR goes down or OSPF is reset on the segment.

Exam trap

A common exam trap is assuming that increasing a router's OSPF priority after the DR election will cause it to immediately become the new DR. Many candidates mistakenly believe OSPF DR election is preemptive and that the router with the highest priority always becomes DR instantly. However, OSPF DR election on broadcast networks is nonpreemptive, meaning the current DR remains until it fails or OSPF adjacency resets.

This misunderstanding can lead to incorrect answers about why a router with a higher priority remains DROTHER, as in the case of R3 in the question.

Why the other options are wrong

D

This distractor assumes the election is based on current priority values, but OSPF DR election is nonpreemptive; even if R3's priority is higher, it will not become DR unless the current DR fails.

1573
MCQ (hard)

A network engineer notices that a new switch, SW3, was connected to port GigabitEthernet0/1 on SW1, but the port immediately went into an err-disabled state. The network uses Rapid PVST+ with BPDU Guard enabled globally on all access ports. The engineer checks the logs and sees 'bpduguard error detected' messages. What is the most likely cause of the err-disabled state?

A.The port is configured as an access port, but BPDU Guard should be disabled on all access ports.
B.A BPDU was received on port GigabitEthernet0/1, triggering BPDU Guard.
C.Configure Root Guard on the interface to prevent the err-disabled state.
D.Enable Loop Guard on the interface to prevent the err-disabled state.
AnswerB

BPDU Guard err-disables a port immediately when a BPDU is received on an access port where it is enabled, which is exactly the scenario described.

Why this answer

The err-disabled state is caused by BPDU Guard triggering when a BPDU is received on an access port. Option A is incorrect because BPDU Guard is intentionally enabled on access ports to prevent unauthorized switches from joining the network. Option C is wrong because Root Guard prevents a port from becoming the root, not from receiving BPDUs.

Option D is wrong because Loop Guard prevents loops on blocked ports in case of unidirectional links, not relevant to BPDU reception.

Exam trap

Cisco often tests the confusion between BPDU Guard, Root Guard, and Loop Guard; candidates may incorrectly attribute the err-disable to Root Guard or Loop Guard, but the true cause is receiving a BPDU on a BPDU-Guard-enabled port.

Why the other options are wrong

A

BPDU Guard is designed to be enabled on access ports to protect against unauthorized switches, so disabling it on all access ports would defeat its purpose.

C

Root Guard prevents a port from becoming the root bridge, but does not block BPDU reception that causes err-disable with BPDU Guard.

D

Loop Guard detects and prevents loops on blocked ports due to unidirectional links, not related to the BPDU Guard err-disable mechanism.

1574
PBQ (hard)

You are connected to R1 via the console. R1 is the DHCP server for the 192.168.50.0/24 LAN. Configure DHCP on R1 to assign addresses from 192.168.50.10 to 192.168.50.200, with default gateway 192.168.50.1 and DNS server 8.8.8.8. Also, configure R1 to act as a DHCP relay agent for the 10.0.0.0/30 link to reach a remote DHCP server at 203.0.113.10. Then, troubleshoot and fix a misconfiguration that causes clients on VLAN 50 to not receive IP addresses.

Network Topology
R1: G0/0 192.168.50.1/24 toward the VLAN 50 clients; G0/1 10.0.0.1/30 link toward the remote DHCP server (diagram not reproduced)

Hints

  • Check the excluded-address range — it may be too large.
  • A helper-address on the same subnet as the DHCP server is not needed.
  • The relay agent must be configured on the interface that receives the client broadcasts.
A.The DHCP pool is misconfigured: the excluded-address range covers most of the pool (192.168.50.1 through 192.168.50.200), but leaves 192.168.50.201-254 assignable, violating the requirement. The correct configuration should exclude 192.168.50.1-9 (gateway) and 192.168.50.201-254 (upper end). The 'ip helper-address' on GigabitEthernet0/0 is unnecessary because R1 itself is the DHCP server for that subnet; it should be removed. The relay agent configuration is missing on the interface facing the remote DHCP server: 'ip helper-address 203.0.113.10' should be added to GigabitEthernet0/1.
B.The DHCP pool is misconfigured: the excluded-address range should be 192.168.50.1 192.168.50.9, but the helper-address on GigabitEthernet0/0 is correct because it forwards DHCP requests to the remote server. The relay agent configuration is missing on GigabitEthernet0/1.
C.The DHCP pool is correctly configured with excluded-address 192.168.50.1 192.168.50.9. The issue is that the 'ip helper-address' on GigabitEthernet0/1 is missing; it should be added to forward requests to the remote server. Additionally, the 'ip helper-address' on GigabitEthernet0/0 is correct because it forwards requests from VLAN 50 to the remote server.
D.The DHCP pool is misconfigured: the excluded-address range should be 192.168.50.1 192.168.50.9. The 'ip helper-address' on GigabitEthernet0/0 should be removed. The relay agent configuration is correct because 'ip helper-address 203.0.113.10' is already configured on GigabitEthernet0/1.
AnswerA
solution
! R1
no ip dhcp excluded-address 192.168.50.1 192.168.50.200
ip dhcp excluded-address 192.168.50.1 192.168.50.9
ip dhcp excluded-address 192.168.50.201 192.168.50.254
interface GigabitEthernet0/0
no ip helper-address 203.0.113.10
exit
interface GigabitEthernet0/1
ip helper-address 203.0.113.10
exit

Why this answer

The DHCP pool is misconfigured: the excluded-address range of 192.168.50.1 through 192.168.50.200 covers most of the pool, but leaves addresses 192.168.50.201 to 192.168.50.254 assignable, which violates the requirement to assign addresses only from 192.168.50.10 to 192.168.50.200. To meet the requirement, you must exclude both the lower range (192.168.50.1 to 192.168.50.9, reserving the gateway) and the upper range (192.168.50.201 to 192.168.50.254). Additionally, the 'ip helper-address' on GigabitEthernet0/0 is unnecessary because R1 itself is the DHCP server for that subnet; it should be removed.

The relay agent configuration is missing on the interface facing the remote DHCP server—'ip helper-address 203.0.113.10' should be added to GigabitEthernet0/1 so that broadcasts from the 10.0.0.0/30 subnet are forwarded.

Exam trap

A single 'ip dhcp excluded-address' range does not limit the DHCP pool to only the desired contiguous range; you must explicitly exclude all addresses you do not want assigned, even those at the upper end. Ensure you create multiple excluded-address ranges when the pool is not contiguous.
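As an added example (not the page's own solution), here is the complete R1 configuration the task asks for: both exclusion ranges, the pool with gateway and DNS, the relay on G0/1 only, and the commands used to verify it. The pool name VLAN50 and the set of UDP ports switched off for forwarding are assumptions; all addresses come from the question.

```cisco
! Added example: complete R1 configuration for the task.
! Assumptions: pool name VLAN50; interface addresses taken from the question.
!
! Exclude everything outside 192.168.50.10-200. Two ranges are needed:
! the gateway block at the bottom and the unused block at the top.
ip dhcp excluded-address 192.168.50.1 192.168.50.9
ip dhcp excluded-address 192.168.50.201 192.168.50.254
!
ip dhcp pool VLAN50
 network 192.168.50.0 255.255.255.0
 default-router 192.168.50.1
 dns-server 8.8.8.8
!
! LAN interface: R1 answers VLAN 50 clients itself, so no helper-address here.
interface GigabitEthernet0/0
 ip address 192.168.50.1 255.255.255.0
 no ip helper-address 203.0.113.10
!
! Relay interface: DHCP broadcasts received here are unicast to the remote server.
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.252
 ip helper-address 203.0.113.10
!
! ip helper-address relays several UDP broadcast ports by default, not only
! DHCP (67/68). Turn off the ones this relay does not need (assumed here)
! so the router is not a generic broadcast forwarder toward 203.0.113.10.
no ip forward-protocol udp tftp
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp tacacs
!
! Verification
show ip dhcp pool
show ip dhcp binding
show ip interface GigabitEthernet0/1 | include Helper
```

After a client on VLAN 50 boots, show ip dhcp binding should list an address between 192.168.50.10 and 192.168.50.200 and nothing outside it; show ip dhcp pool reports the excluded addresses so you can confirm both ranges took effect. The no ip forward-protocol udp lines are the hardening step the exam does not ask for: by default a helper-address also relays TFTP, DNS, TIME, NetBIOS and TACACS broadcasts, which is rarely intended.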

Why the other options are wrong

B

The specific factual error is that a helper-address should not be configured on an interface where the router itself is the DHCP server for that subnet.

C

Option C claims the pool is already correctly configured, but the running excluded-address range (192.168.50.1 through 192.168.50.200) is far too broad and is the actual misconfiguration; it also wrongly keeps the helper-address on the LAN interface, where R1 itself serves DHCP and no relay is needed.

D

The specific factual error is that the helper-address on the interface facing the remote server is not configured, so DHCP broadcasts from the 10.0.0.0/30 subnet will not be forwarded.

1575
PBQhard

You are connected to R1 via the console. R1 and R2 are running HSRP for the VLAN 10 subnet 192.168.10.0/24. Currently both routers are active for group 10, causing instability. Configure R1 so that it becomes the active router when its G0/0 interface is up, and R2 takes over only if R1's G0/0 fails. Also correct the virtual IP address to 192.168.10.1. Verify with show standby brief.

Hints

  • Check the virtual IP address on R1; it does not match the required 192.168.10.1.
  • Both routers are active because preempt is missing on R2; ensure R1 can reclaim active role.
  • Use the track interface feature to reduce priority on R1 if its G0/0 goes down.
A.On R1: interface GigabitEthernet0/0, standby 10 ip 192.168.10.1, standby 10 preempt, standby 10 track GigabitEthernet0/0 decrement 60. On R2: standby 10 preempt.
B.On R1: interface GigabitEthernet0/0, standby 10 ip 192.168.10.1, standby 10 preempt, standby 10 track GigabitEthernet0/0 decrement 10. On R2: no additional configuration.
C.On R1: interface GigabitEthernet0/0, standby 10 ip 192.168.10.1, standby 10 preempt, standby 10 track GigabitEthernet0/0 decrement 60. On R2: no additional configuration.
D.On R1: interface GigabitEthernet0/0, standby 10 ip 192.168.10.254, standby 10 preempt, standby 10 track GigabitEthernet0/0 decrement 60. On R2: standby 10 preempt.
AnswerA
solution
! R1
configure terminal
interface GigabitEthernet0/0
no standby 10 ip 192.168.10.254
standby 10 ip 192.168.10.1
standby 10 preempt
standby 10 track GigabitEthernet0/0 decrement 60
end
! R2
configure terminal
interface GigabitEthernet0/0
standby 10 preempt
end
show standby brief

Why this answer

The dual-active condition came from R1 carrying the wrong virtual IP (192.168.10.254 instead of 192.168.10.1) for group 10, so the two routers disagreed on the virtual address and each declared itself active. Correcting the VIP on R1 gives both routers the same group and address. Preempt on R1 lets it reclaim the active role whenever its priority is higher; preempt on R2 lets R2 take over when tracking lowers R1's priority.

Interface tracking with a decrement of 60 drops R1 from the default priority of 100 to 40 when G0/0 fails, below R2's 100, so R2 preempts. Note that while R1's interface is up both routers sit at the default priority of 100, and HSRP breaks that tie by the higher interface IP address; in practice give R1 an explicitly higher priority (for example standby 10 priority 110) so the intended active router is deterministic.

Exam trap

Remember that preempt must be enabled on both HSRP routers for proper failover and reclamation. The tracking decrement must be large enough to push the active router's priority below the standby router's priority. Always verify that the virtual IP address matches the required gateway. One caveat beyond the exam: tracking the interface the group itself runs on (G0/0 here) adds nothing in production, because if G0/0 goes down the HSRP group on it goes down with it; real deployments track an upstream interface or an IP SLA object so a lost uplink, not a lost LAN port, triggers the handover.
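As an added example (not part of the page's solution), here is a complete two-router HSRP configuration for group 10 that makes the active router deterministic instead of relying on the IP-address tie-break. It goes beyond the question in three ways, all of them assumptions: R1 gets an explicit priority, the tracked interface is an assumed upstream link G0/1 rather than the HSRP interface itself, and MD5 authentication with a made-up key is added so a device that is not part of the pair cannot claim the group. The real interface addresses 192.168.10.2 and 192.168.10.3 are also assumed.

```cisco
! Added example: HSRP group 10 on both routers with an explicit priority.
! Assumptions: R1 G0/0 = 192.168.10.2, R2 G0/0 = 192.168.10.3, an upstream
! link G0/1 on R1 is what failover should follow, MD5 key Hsrp10Key is made up.
!
! R1: intended active gateway. Priority 110 beats R2's 100; a tracked
! failure must decrement by more than that margin (20 > 10) to hand over.
interface GigabitEthernet0/0
 ip address 192.168.10.2 255.255.255.0
 standby 10 ip 192.168.10.1
 standby 10 priority 110
 standby 10 preempt
 standby 10 authentication md5 key-string Hsrp10Key
 standby 10 track GigabitEthernet0/1 decrement 20
!
! R2: standby. Preempt is required here too, otherwise R2 ignores R1's
! lowered priority and only takes over when R1's hellos stop.
interface GigabitEthernet0/0
 ip address 192.168.10.3 255.255.255.0
 standby 10 ip 192.168.10.1
 standby 10 priority 100
 standby 10 preempt
 standby 10 authentication md5 key-string Hsrp10Key
!
! Verification on either router: the Active column must show "local" on R1
! and R1's address on R2, and the Virtual IP column must be 192.168.10.1 on both.
show standby brief
show standby GigabitEthernet0/0 10
```

With G0/1 up on R1, show standby brief on R1 shows Pri 110, the P flag (preempt) and State Active; on R2 it shows Pri 100, P and State Standby. Shut G0/1 on R1 and R1's priority falls to 90, R2 preempts, and show standby brief on R2 flips to Active; bringing G0/1 back restores 110 and R1 reclaims the role. The authentication line is the security-relevant addition: without it any host on the VLAN can send HSRP hellos with priority 255 and become the default gateway for the subnet.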

Why the other options are wrong

B

A decrement of 10 would take R1 from the default 100 to 90, which is below R2's default 100 but leaves almost no margin, and R2 still has no preempt configured, so R2 would never take over when R1's priority drops. The decisive error is the missing preempt on R2.

C

Without preempt on R2, a drop in R1's tracked priority does not move the active role to R2; R2 would only take over once R1's hellos stop. That leaves the "R2 takes over if R1's G0/0 fails" requirement unmet, so correcting the VIP and enabling preempt on R1 alone is not sufficient.

D

The virtual IP is not corrected to 192.168.10.1; it stays at 192.168.10.254, which is not the correct gateway address for the subnet.
