CCNA 200-301 v2 (200-301) — Questions 1576-1650

1819 questions total · 25 pages · All types, answers revealed

Page 22 of 25

1576
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure PAT (Port Address Translation) on a Cisco IOS-XE router for outbound traffic from a private network to the Internet.

Why this order

PAT configuration requires first entering global config, defining the traffic with an ACL, specifying the outside interface, then applying the NAT overload command referencing the ACL and outside interface.

Exam trap

The exam trap here is that candidates often confuse the order of steps, especially when the ACL and interface are both referenced in the NAT command. Define the ACL and mark the outside interface with 'ip nat outside' before applying the NAT overload command that references them. In practice the LAN-facing interface also needs 'ip nat inside'; translation only happens for packets that cross from an inside-marked interface to an outside-marked one.

1577
MCQ · medium

PCs in VLAN 30 on SwitchA cannot reach servers in VLAN 30 on SwitchB. All other VLANs work across the trunk. What is the most likely cause?

A. The native VLAN is mismatched between the switches.
B. VLAN 30 should be configured as the native VLAN on both ends.
C. SwitchB must use ISL instead of 802.1Q.
D. VLAN 30 is not allowed on the trunk from SwitchA.
Answer: D

This is correct because the exhibit clearly shows VLAN 30 missing from the allowed list on SwitchA. A VLAN must be permitted across the trunk on both sides for end-to-end communication.

Why this answer

The trunk is up and carrying multiple VLANs, but VLAN 30 is missing from the allowed list on one side. Since SwitchA and SwitchB both need to permit VLAN 30 on the trunk, if SwitchA's allowed VLAN list does not include VLAN 30, traffic for that VLAN cannot cross. Native VLAN mismatch or ISL vs 802.1Q issues would affect all VLANs, not just VLAN 30.

Thus, the most likely cause is that VLAN 30 is not allowed on the trunk from SwitchA.

Exam trap

Be cautious of assuming native VLAN mismatches or protocol issues when the problem is specific to the allowed VLAN list.

Why the other options are wrong

A

This option is wrong because a native VLAN mismatch would typically affect all VLANs across the trunk, not just VLAN 30. In this scenario, only VLAN 30 is experiencing connectivity issues, indicating a different problem.

B

This option is wrong because the native VLAN only determines which VLAN's frames cross the trunk untagged. Making VLAN 30 native would not help while the trunk does not permit VLAN 30, and it would introduce a native VLAN mismatch unless it were changed on both ends.

C

SwitchB using ISL instead of 802.1Q is not relevant to the connectivity issue between VLAN 30 on SwitchA and SwitchB. The problem is likely due to VLAN 30 not being allowed on the trunk, not the encapsulation method used.
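A worked fix for this scenario, added here as an example rather than taken from the original question; the trunk interface name and the current allowed list on SwitchA are assumptions:

```cisco
! SwitchA, trunk toward SwitchB (interface name assumed)
! First confirm which VLANs are permitted and which are actually forwarding
show interfaces trunk
show vlan brief
!
! Correct fix: append VLAN 30 to whatever is already allowed
interface GigabitEthernet1/0/24
 switchport trunk allowed vlan add 30
!
! Trap: omitting 'add' REPLACES the list, so the line below would leave only
! VLAN 30 on the trunk and break every other VLAN:
!   switchport trunk allowed vlan 30
!
! Re-check on both switches. VLAN 30 must be allowed on each end and must
! exist in each switch's VLAN database to appear under
! "Vlans in spanning tree forwarding state and not pruned"
show interfaces trunk
```

The same 'add' / 'remove' keywords are the safe way to prune VLANs that should not cross an inter-switch link; rewriting the whole list from memory is how VLANs silently disappear from a trunk.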

1578
MCQ · medium

Users on VLAN 20 are not receiving IPv4 addresses from the centralized DHCP server at 10.50.0.10. Users in other VLANs are working normally. Based on the exhibit, which change should fix the issue for VLAN 20 clients?

A. Change the helper address on interface Vlan20 to 10.50.0.10.
B. Convert the VLAN 20 user ports to trunk mode.
C. Configure a default gateway on the user PCs manually.
D. Disable DHCP snooping on VLAN 20.
Answer: A

That points DHCP relay to the actual DHCP server.

Why this answer

The SVI for VLAN 20 is forwarding DHCP requests to the wrong helper address. DHCP relay depends on the Layer 3 interface for that VLAN turning the client's broadcast into a unicast to the correct server. The mode of the user ports and the pool definition on the server are not what the exhibit shows as broken.

DHCP snooping can filter DHCP server replies on untrusted ports, but since other VLANs are working and no trust misconfiguration is indicated, the root cause is the incorrect ip helper-address on Vlan20.

Exam trap

A frequent exam trap is assuming that user ports must be trunks or that disabling DHCP snooping will fix DHCP address assignment issues. In reality, user ports should remain in access mode to maintain VLAN membership, and DHCP snooping is unrelated to this specific forwarding problem because the exhibit shows a misconfigured helper address while other VLANs function normally. Another common mistake is thinking that manually configuring a default gateway on clients solves DHCP problems, but DHCP discovery requires proper relay configuration on the Layer 3 interface.

Misconfiguring or omitting the ip helper-address on the VLAN interface causes DHCP requests to fail, which is the core issue here.

Why the other options are wrong

D

Disabling DHCP snooping is unnecessary because the other VLANs work, and the scenario does not indicate a trust misconfiguration; the real problem is the incorrect helper address on Vlan20.
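The relay configuration that fixes this, added as an example and not part of the original question; the SVI address, the uplink interface and the snooping setup are assumptions, while 10.50.0.10 and Vlan20 come from the question:

```cisco
! Layer 3 switch holding the VLAN 20 SVI (SVI address assumed)
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 ! Relay client broadcasts as unicast to the real DHCP server
 ip helper-address 10.50.0.10
!
! ip helper-address also relays other UDP broadcasts by default (TFTP, DNS,
! NetBIOS, TACACS, time). Turn off the ones the server does not need.
no ip forward-protocol udp 69
no ip forward-protocol udp 137
no ip forward-protocol udp 138
!
! If DHCP snooping is on for this VLAN, only the port toward the server may be
! trusted; user ports stay untrusted so rogue servers are dropped
ip dhcp snooping
ip dhcp snooping vlan 20
interface GigabitEthernet1/0/24
 description uplink toward the DHCP server (assumed)
 ip dhcp snooping trust
!
! Verify: expect "Helper address is 10.50.0.10"
show ip interface Vlan20 | include Helper
show ip dhcp snooping
show ip dhcp snooping binding
```

Disabling snooping (option D) would remove the protection against rogue DHCP servers without touching the actual fault, which is the helper address on the relay interface.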

1579
MCQ · medium

Two switches are configured to form an EtherChannel, but the bundle never comes up. Which explanation best describes this scenario?

A. The switches are using different native VLANs.
B. LACP active on one side is incompatible with mode on on the other side.
C. Both sides must use PAgP desirable mode.
D. The interfaces must be configured as routed ports first.
Answer: B

That is exactly why the channel does not negotiate properly.

Why this answer

One side is using LACP active mode and the other side forces a static bundle with mode on. Those modes are not compatible: an active port waits for LACPDUs that a mode on port never sends. LACP forms with active-active or active-passive (passive-passive never negotiates), PAgP forms with desirable-desirable or desirable-auto (auto-auto never negotiates), and mode on must be matched by mode on.

Exam trap

Ensure you match the correct protocol and mode on both sides of the link; mixing protocols or incompatible modes will prevent channel formation.

Why the other options are wrong

A

This option is wrong because different native VLANs do not stop an EtherChannel from bundling; the bundle is negotiated by PAgP or LACP (or forced with mode on) independently of the native VLAN setting, even though a native VLAN mismatch is still a trunking error worth fixing. The primary issue in this scenario is the LACP/on mode mismatch.

C

This option is incorrect because PAgP desirable on both ends is only one valid combination, not a requirement. LACP active-active or active-passive, PAgP desirable-auto, or mode on at both ends would also bundle; the protocol simply has to be the same on both sides with compatible modes.

D

This option is wrong because EtherChannel can be configured on switch ports without needing to convert them to routed ports. Routed ports are not necessary for EtherChannel to function, as it operates at Layer 2.
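Both sides of the mismatch and the fix, added as an example and not from the original question; interface numbers and the channel-group number are assumptions:

```cisco
! SwitchA (interface numbers assumed)
interface range GigabitEthernet1/0/1 - 2
 channel-group 1 mode active
!
! SwitchB as found: static bundling sends no LACPDUs, so SwitchA's active
! ports never complete negotiation and the channel stays down
interface range GigabitEthernet1/0/1 - 2
 channel-group 1 mode on
!
! SwitchB fixed: passive (or active) pairs with active; passive-passive would
! still never form
interface range GigabitEthernet1/0/1 - 2
 channel-group 1 mode passive
!
! Member ports on one switch must also match each other (speed, duplex, trunk
! mode, allowed VLANs, native VLAN) or the port is suspended out of the bundle.
! Verify: (P) bundled in port-channel, (I) stand-alone, (s) suspended, (D) down
show etherchannel summary
show lacp neighbor
```

Once bundled, apply trunking and allowed-VLAN changes to the Port-channel interface so the members cannot drift apart.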

1580
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure an IPv4 static address on a Windows host, generate an IPv6 EUI-64 address on a Cisco router, verify the router's IPv6 EUI-64 address, and confirm connectivity from the Windows host.

Why this order

The correct order is: first configure the router's IPv6 EUI-64 address to set up the network infrastructure, then assign the Windows host a static IPv4 address. Next, verify the router's IPv6 EUI-64 address to confirm proper generation. Finally, perform a connectivity test from the Windows host to validate end-to-end communication.

This sequence ensures that configuration is completed before verification and that the final step confirms both configurations are operational.

Exam trap

Candidates often confuse the order of configuration and verification steps. Remember that configuration always comes before verification, and the final step is always a connectivity test from the end host.
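The router side of this procedure with its verification, added as an example and not part of the original question; the IPv6 prefix, the IPv4 addressing, the interface name, the router's MAC address and the Windows adapter name are all assumptions:

```cisco
! Router side (interface, prefix and IPv4 address assumed)
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ipv6 address 2001:db8:10::/64 eui-64
 no shutdown
!
! Verify the generated address. With burned-in MAC 0050.56aa.bb01 (assumed)
! EUI-64 flips the U/L bit of the first byte (00 -> 02) and inserts ff:fe in
! the middle, giving interface ID 0250:56ff:feaa:bb01 and the address
! 2001:DB8:10:0:250:56FF:FEAA:BB01
show ipv6 interface GigabitEthernet0/0
show ipv6 interface brief
!
! On the Windows host (typed at an administrative cmd prompt; adapter name
! "Ethernet" assumed), then the connectivity check:
!   netsh interface ipv4 set address name="Ethernet" static 192.168.1.50 255.255.255.0 192.168.1.1
!   ping 192.168.1.1
```

Because the EUI-64 interface ID embeds the hardware MAC, the router's address reveals its NIC vendor and is stable across prefixes; for hosts that is why Windows defaults to randomized interface IDs instead.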

1581
Drag & Drop · medium

Drag and drop the following steps into the correct order to sequence the TCP three-way handshake between a client and server.

Why this order

The three-way handshake starts with SYN, then SYN-ACK, then ACK, after which the connection is established and data can flow.

Exam trap

Remember that the client always initiates the connection with a SYN. The server never sends a plain SYN; it always responds with SYN-ACK. The final ACK comes from the client, not the server.

1582
Multi-Select · medium

Which two statements accurately describe a default gateway from a host perspective?

Select 2 answers
A. It is the next-hop path a host uses for destinations outside the local subnet.
B. It is typically the IP address of a local router or Layer 3 interface on the same subnet.
C. It replaces the need for a subnet mask.
D. It is the same thing as a DNS server.
E. It is used only for ARP broadcasts.
Answers: A, B

This is correct because the default gateway is used for off-subnet traffic.

Why this answer

A default gateway is the local router or Layer 3 interface that a host uses for traffic destined beyond its own subnet. In plain language, the host uses the gateway when the destination is not local. The default gateway does not replace the host’s own IP address or subnet mask; it complements them by providing the next-hop path for remote communication.

This is a foundational host-networking concept because many connectivity issues come from misunderstanding what the gateway actually does. The two correct answers are the ones that describe remote-traffic forwarding and the local next-hop role of the gateway.

Exam trap

Avoid confusing the gateway's role with local traffic handling or address replacement. Focus on its function in remote communication.

Why the other options are wrong

C

This option is wrong because a default gateway does not replace the need for a subnet mask; both are essential for proper IP communication. The subnet mask defines the network portion of an IP address, while the default gateway routes traffic to external networks.

D

This option is wrong because a default gateway and a DNS server serve different purposes; the default gateway routes traffic outside the local subnet, while a DNS server resolves domain names to IP addresses.

E

This option is wrong because a default gateway is not limited to ARP broadcasts; it is used for routing packets to destinations outside the local subnet, which involves more than just ARP communication.

1583
MCQ · hard

Refer to the exhibit. A network engineer is troubleshooting intermittent connectivity between a branch router and the upstream switch. The switch port is manually configured for full-duplex, and the Ethernet cable has been tested and is working properly. The engineer runs the show interfaces GigabitEthernet0/0 command on the router and receives the output shown. Based on the output, what is the most likely cause of the problem?

A. The switch port is configured for half-duplex instead of the expected full-duplex.
B. The cable is faulty, causing excessive late collisions and CRC errors.
C. The router interface is operating in half-duplex while the switch port is full-duplex, causing a duplex mismatch.
D. The excessive input errors are a result of a broadcast storm on the network.
Answer: C

The output shows 'Half-duplex, 1000Mb/s' and reports 17 late collisions and 23 CRC errors. With the switch known to be full-duplex, this is a classic duplex mismatch scenario, where the full-duplex switch transmits without sensing the medium, while the half-duplex router interprets simultaneous traffic as collisions (many of them late because the switch may start transmitting after the router has already begun its frame).

Why this answer

The exhibit clearly displays 'Half-duplex, 1000Mb/s' in the interface characteristics, while the scenario states the upstream switch port is set to full-duplex. This duplex mismatch is confirmed by the presence of 17 late collisions and 23 input CRC errors, which are classic symptoms of one side operating full-duplex and the other half-duplex. A properly negotiated or statically matched full-duplex GigabitEthernet link would not exhibit late collisions.

Exam trap

Many candidates incorrectly attribute the input CRC errors and late collisions to a faulty cable (option B) or a broadcast storm (option D). However, a known-good cable rules out physical damage, and broadcast storms cause excessive broadcasts and input queue drops, not late collisions specific to duplex mismatches. The most common error is focusing on the input errors without correlating the 'Half-duplex' line and the late collisions.

Why the other options are wrong

A

This option contradicts the stem, which states the switch port is manually set to full-duplex; the half-duplex side in the output is the router. Candidates often read any collision counter as proof that both ends are half-duplex.

B

The stem states the cable has been tested and works, so a physical fault is ruled out. Late collisions on an otherwise clean link point to a duplex mismatch, not to cabling, even though candidates associate them with physical-layer problems.

D

Candidates see input errors and CRC and prematurely conclude a loop or broadcast storm, overlooking that the output shows no broadcast activity and contains late collisions specific to duplex issues.

1584
Multi-Select · medium

Which two statements accurately describe good design thinking for wireless guest access?

Select 2 answers
A. Guest access should normally be isolated from internal corporate resources.
B. Guest access policies should usually reflect lower trust than employee access.
C. Guest WLANs should avoid all security to make access easier.
D. Guest WLANs should automatically use the same permissions as internal employee WLANs.
E. Guest access means the AP no longer needs controller coordination.
Answers: A, B

This is correct because guest segmentation is a core design principle.

Why this answer

Good guest-access design is based on isolation and appropriate policy. In practical terms, guest users should normally be separated from internal corporate resources, and their access should align with the limited purpose of guest connectivity. The goal is not to give them the same trust level as managed internal users.

This is about segmentation and policy, not about disabling the WLAN or eliminating security.

Exam trap

Don't assume guest access should mirror internal access policies; guests should have more restricted access.

Why the other options are wrong

C

This option is wrong because good design thinking for guest access requires implementing security measures to protect the network and its resources, even for guests. Completely avoiding security compromises the network's integrity and exposes it to potential threats.

D

This option is wrong because guest WLANs should have distinct permissions to ensure that guests do not have access to sensitive internal resources, which could lead to security breaches.

E

This option is wrong because guest access typically requires controller coordination to manage policies, monitoring, and security effectively, ensuring that guest traffic is properly segmented and controlled.

1585
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure single‑area OSPFv2 on a router, advertise the 192.168.10.0/24 and 10.0.0.0/24 networks in area 0, and set the GigabitEthernet0/0 interface as passive.

Why this order

The correct sequence is:
(1) Enter global configuration mode with 'configure terminal'; nothing can be configured until this is done.
(2) Start the OSPF process with 'router ospf 1'; this places the CLI in OSPF router configuration mode, where the remaining commands are issued.
(3) Advertise 192.168.10.0/24 in area 0 with a 'network' statement (wildcard 0.0.0.255) under the OSPF process, so that interfaces in that subnet participate in OSPF.
(4) Advertise 10.0.0.0/24 with a second 'network' statement. The two network commands are interchangeable with each other, but in the expected workflow both precede the passive-interface command.
(5) Make GigabitEthernet0/0 passive with 'passive-interface GigabitEthernet0/0', also under the OSPF process. The router stops sending Hellos and will not form an adjacency on that interface, but the interface's subnet is still advertised.
(6) Return to privileged EXEC mode with 'end'.
Configuring the passive interface before the network statements does not break anything; the conventional order simply defines which interfaces participate in OSPF first and then restricts the ones that should not form neighbors.
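The full command sequence with verification, added as an example and not part of the original question; the process ID 1 and the uplink interface used in the stricter variant are assumptions, the networks and GigabitEthernet0/0 come from the question:

```cisco
! Question 1585, as typed (process ID assumed)
configure terminal
router ospf 1
 network 192.168.10.0 0.0.0.255 area 0
 network 10.0.0.0 0.0.0.255 area 0
 ! No Hellos and no adjacencies on the user-facing interface; its subnet is
 ! still advertised in the LSDB
 passive-interface GigabitEthernet0/0
end
!
! Stricter alternative: make every interface passive by default and open only
! the ones that should form neighbors (uplink GigabitEthernet0/1 assumed).
! This stops a rogue device on any new LAN from ever becoming an OSPF neighbor.
configure terminal
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet0/1
end
!
! Verify: GigabitEthernet0/0 appears in the interface list but has no neighbor;
! show ip protocols lists it under "Passive Interface(s)"
show ip ospf interface brief
show ip ospf neighbor
show ip protocols
```

The passive-interface default approach is the one to prefer on edge routers: the allow-list of neighbor-capable interfaces is explicit, and adding a new network statement later cannot accidentally expose a user segment to OSPF adjacencies.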

1586
MCQ · hard

A network team wants visibility into which flows are consuming the most bandwidth between internal subnets. Which technology is most directly associated with that goal?

A. NetFlow
B. Syslog
C. DHCP relay
D. PortFast
Answer: A

This is correct because NetFlow is specifically associated with traffic-flow visibility and analysis.

Why this answer

NetFlow provides visibility into traffic flows, allowing administrators to identify which flows (e.g., between internal subnets) are consuming the most bandwidth by showing source/destination, protocols, and traffic volume. Syslog only records system logs and events, not flow-level data. DHCP relay forwards DHCP broadcasts across subnets but offers no traffic analysis.

PortFast is an STP optimization that speeds up port transition to forwarding; it does not monitor bandwidth usage.

Exam trap

A frequent exam trap is mistaking Syslog or DHCP relay as solutions for traffic flow visibility. Syslog only records system events and error messages, not detailed traffic usage. DHCP relay simply forwards DHCP requests and does not analyze bandwidth.

Another trap is confusing PortFast, which is an STP feature to speed up port activation, with traffic monitoring technologies. Candidates must recognize that only NetFlow provides granular flow data needed to identify bandwidth consumption between internal subnets, making it the correct choice.

Why the other options are wrong

B

Syslog is incorrect because it only records system events, error messages, and notifications. It does not provide detailed traffic flow or bandwidth usage information, so it cannot help identify which flows consume the most bandwidth.

C

DHCP relay is incorrect as its function is to forward DHCP broadcast requests from clients to DHCP servers across different subnets. It does not analyze or report on traffic flows or bandwidth consumption.

D

PortFast is incorrect because it is a Spanning Tree Protocol feature that allows edge ports to transition quickly to the forwarding state. It has no role in traffic flow analysis or bandwidth monitoring.
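A minimal NetFlow setup that answers the question's goal, added as an example and not part of the original question; the monitored interface, the collector address and port, and the Loopback0 source are assumptions:

```cisco
! Classic NetFlow on an IOS router; interface, collector and loopback assumed
interface GigabitEthernet0/1
 description inside interface facing the internal subnets
 ip flow ingress
 ip flow egress
!
! Export flow records to a collector (UDP, cleartext; keep it on a management net)
ip flow-export version 9
ip flow-export source Loopback0
ip flow-export destination 10.50.0.20 2055
!
! Rank the flows in the local cache by bytes so the heaviest conversations can
! be read straight from the router without waiting for the collector
ip flow-top-talkers
 top 10
 sort-by bytes
!
! Verification
show ip flow export
show ip cache flow
show ip flow top-talkers
```

Flow records carry source, destination, ports, protocol and byte counts, which is exactly the data needed to find the top consumers between two subnets and, incidentally, to spot unexpected lateral movement; Syslog has no per-flow counters at all.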

1587
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure Root Guard on designated ports, Loop Guard on non-designated ports, and BPDU Guard on PortFast ports, and to recover a port that enters err-disabled due to a BPDU guard violation.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

Root Guard on designated, Loop Guard on non-designated, then BPDU Guard on PortFast; recovery requires interface reset after violation.

Exam trap

Candidates often confuse the port roles for Root Guard and Loop Guard, or think that disabling the protection feature will recover an err-disabled port. Remember: Root Guard is for designated ports, Loop Guard for non-designated, and BPDU Guard for PortFast. Err-disabled recovery requires manual reset or global errdisable recovery configuration.
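The three guards and the recovery path in configuration form, added as an example and not part of the original question; all interface numbers and the recovery interval are assumptions:

```cisco
! Root Guard on designated (downstream) ports: a superior BPDU puts the port
! into root-inconsistent state instead of letting the neighbor become root
interface GigabitEthernet1/0/10
 spanning-tree guard root
!
! Loop Guard on non-designated ports (root/alternate uplinks): if BPDUs stop
! arriving, the port goes loop-inconsistent instead of transitioning to forwarding
interface GigabitEthernet1/0/1
 spanning-tree guard loop
!
! BPDU Guard on PortFast access ports: any BPDU err-disables the port
interface GigabitEthernet1/0/20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
! Same effect for every PortFast port at once:
! spanning-tree portfast bpduguard default
!
! Recovery from a BPDU Guard violation, either manually on the port
!   interface GigabitEthernet1/0/20
!    shutdown
!    no shutdown
! or automatically (interval assumed; default is 300 seconds)
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verify
show spanning-tree inconsistentports
show errdisable recovery
show interfaces status err-disabled
```

Automatic recovery is convenient but re-enables the port into the same rogue switch; on user ports it is better to find the device first. Note that 'no spanning-tree bpduguard enable' does not recover the port, it only stops future violations.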

1588
MCQ · hard

A network administrator is troubleshooting an issue where hosts in the 192.168.20.0/24 subnet cannot reach the Internet, while hosts in 192.168.10.0/24 can. The router is configured for PAT overload using a dynamic pool on the outside interface. The administrator collects the configuration shown in the exhibit. What is the most likely cause of the connectivity problem for the 192.168.20.0/24 subnet?

A. The wildcard mask in access list 20 is incorrect; it matches only the network address.
B. The NAT pool does not have enough IP addresses to support both subnets.
C. Interface GigabitEthernet0/2 is missing the ip nat inside command.
D. Access list 10 is incorrectly applied to the NAT pool, causing a conflict.
Answer: A

Access list 20 uses mask 0.0.0.0, which matches only the single address 192.168.20.0. To encompass the entire 192.168.20.0/24 subnet, the mask must be 0.0.0.255.

Why this answer

The issue is that access list 20, used to define which internal addresses are eligible for NAT, has a wildcard mask of 0.0.0.0. This wildcard mask matches only the exact address 192.168.20.0, not the entire 192.168.20.0/24 subnet. For a /24 subnet, the correct wildcard mask should be 0.0.0.255, which would match all addresses from 192.168.20.1 to 192.168.20.254.

Because the ACL matches only the network address (192.168.20.0), no host traffic from that subnet is translated, breaking Internet connectivity.

Exam trap

Cisco often tests the distinction between matching the network address versus matching the host range in ACLs used for NAT, where candidates incorrectly assume that using the network address with a wildcard mask of 0.0.0.0 will match all hosts in the subnet.

Why the other options are wrong

B

NAT pool size is not a limiting factor with PAT overload; a single address can serve thousands of hosts.

C

The interface is correctly configured for NAT inside.

D

Applying multiple access lists to the same pool is allowed and does not create a conflict.

1589
MCQ · hard

Why is idempotency valuable in network automation?

A. It guarantees every API call will use TCP instead of UDP.
B. It ensures repeated runs converge on the same desired state safely.
C. It encrypts device credentials stored in scripts.
D. It forces the controller to use only one management protocol.
Answer: B

Correct. That property reduces drift and repeated-change problems.

Why this answer

Idempotent operations can be applied repeatedly without causing unintended changes once the desired state is already present.

Exam trap

Avoid confusing idempotency with concepts like redundancy or performance enhancements. Focus on its role in maintaining consistent configurations.

Why the other options are wrong

A

This option is incorrect because idempotency does not relate to the transport layer protocols like TCP or UDP; it focuses on the behavior of operations in terms of repeated execution leading to the same outcome.

C

Option C is incorrect because idempotency does not relate to the encryption of device credentials; it refers to the property of operations that can be applied multiple times without changing the result beyond the initial application.

D

Option D is incorrect because idempotency does not dictate the use of a single management protocol; rather, it refers to the property of operations yielding the same result regardless of how many times they are executed.

1590
Multi-Select · medium

Which TWO statements accurately describe the behavior and configuration of floating static routes?

Select 2 answers
A. A floating static route is configured with a lower administrative distance than the primary dynamic route.
B. A floating static route uses an administrative distance greater than that of the primary dynamic route.
C. The administrative distance of a floating static route must be less than 1.
D. A floating static route becomes active only when the primary route is removed from the routing table.
E. Floating static routes automatically adjust their administrative distance based on network conditions.
Answers: B, D

The higher AD ensures the floating static route is less preferred and only used when the primary route fails.

Why this answer

A floating static route serves as a backup by being configured with an administrative distance (AD) greater than that of the primary dynamic route, making it less preferred (option B). It remains inactive until the primary route is removed from the routing table, at which point the floating static route is installed (option D). Option A is wrong because it reverses the AD logic—a floating static route uses a higher, not lower, AD.

Option C is incorrect because AD is configured as a whole number from 1 to 255; a floating static route simply needs a value above the primary route's AD (for example above 110 behind OSPF or above 90 behind internal EIGRP), and a route with AD 255 is never installed at all. Option E is false because the AD of a floating static route is a fixed configured value and does not change automatically based on network conditions.

Exam trap

Cisco often tests the misconception that a floating static route uses a lower AD to 'float' above the primary route, when in fact it uses a higher AD to remain inactive until the primary route is lost.

Why the other options are wrong

A

A lower AD would make the static route preferred over the dynamic route, not floating.

C

AD values are integers from 1 to 255; 0 is directly connected and a plain static route defaults to 1. The backup's AD must exceed the primary's: above 110 to float behind OSPF, above 90 behind internal EIGRP, or at least 2 to float behind another static route. A value below 1 cannot be configured.

E

AD is a static value set at configuration time; it does not auto-adjust.
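A floating static default route as it would be configured and checked, added as an example and not part of the original question; the primary being an OSPF-learned default and both next-hop addresses are assumptions:

```cisco
! Assumed: the primary default route is learned by OSPF (AD 110) via 203.0.113.1;
! the backup link's next hop is 198.51.100.1. AD 200 keeps the static hidden
! while the OSPF route exists.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 200
!
! With OSPF up, only the O*E2 default is shown; the static is not in the table
show ip route 0.0.0.0 0.0.0.0
!
! After the OSPF route is withdrawn, the static (AD 200) is installed
show ip route static
!
! Floating behind another static (AD 1) only needs a higher value, e.g. 5:
! ip route 0.0.0.0 0.0.0.0 198.51.100.1 5
```

A floating static reacts only to the primary leaving the routing table. If the primary is itself a static route whose next hop stays reachable while the path beyond it is dead, the backup never installs; that case needs the primary tracked with IP SLA, which is outside this question.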

1591
PBQ · hard

You are troubleshooting a wired client connectivity issue on VLAN 10. PC1 (192.168.10.50/24) cannot reach the internet. The gateway is R1's subinterface G0/0.10 at 192.168.10.1. R1 has a default route to ISP router 203.0.113.1. From PC1, ping 192.168.10.1 fails, but ipconfig shows correct IP. Analyze the provided outputs and fix the problem on R1 so that PC1 can ping its default gateway.

Network Topology
PC1 (VLAN 10) - SW1 - R1 G0/0.10 192.168.10.1/24 - ISP 203.0.113.1

Hints

  • Check the physical interface state of G0/0.
  • A subinterface cannot forward traffic if the parent interface is down.
  • Verify the default route is present for internet access.
A. Enable the physical interface GigabitEthernet0/0 with 'no shutdown'.
B. Configure 'no shutdown' on subinterface G0/0.10 and add a static route for 192.168.10.0/24 pointing to the ISP.
C. Change the IP address of subinterface G0/0.10 to 192.168.10.254 and add a default route via 203.0.113.1.
D. Enable VLAN 10 on the switch and configure trunking between the switch and R1.
Answer: A
solution
! R1
interface GigabitEthernet0/0
no shutdown

Why this answer

PC1 has a correct IP configuration and can reach its gateway IP 192.168.10.1 now that the physical interface is no longer administratively down. The R1 subinterface G0/0.10 already has the correct IP address, but the parent interface GigabitEthernet0/0 was shut down, preventing the subinterface from passing traffic. Issuing 'no shutdown' under the main interface restores connectivity because subinterfaces depend on the physical interface being up.

The default route to 203.0.113.1 was already present as stated in the stem, so no routing change is needed.

Exam trap

Remember that subinterfaces rely on the physical interface state; always check the parent interface status first when troubleshooting VLAN or subinterface connectivity.

Why the other options are wrong

B

The specific factual error: a subinterface can be shut or enabled on its own in IOS, but its line state still follows the parent, so 'no shutdown' on G0/0.10 alone does nothing while GigabitEthernet0/0 is administratively down. The static route for 192.168.10.0/24 is also wrong: that network is directly connected and is installed automatically once the interface comes up, and pointing it at the ISP would send local traffic the wrong way.

C

The specific factual error: The gateway IP must match the PC's configured default gateway. Changing it would break connectivity even if the interface were up.

D

The specific factual error: The switch configuration may be correct; the issue is specifically on R1's interface. The question asks to fix the problem on R1.

1592
MCQ · hard

A switchport connected to another switch should carry multiple VLANs, but it was manually configured as an access port. What is the most likely operational result?

A. The link will not carry multiple VLANs as intended because an access port handles one VLAN only.
B. The switch automatically converts the access port into a proper trunk.
C. The port becomes a routed Layer 3 interface.
D. The VLANs are summarized into one prefix automatically.
Answer: A

This is correct because access mode is the wrong role for a multi-VLAN inter-switch link.

Why this answer

An access port is designed to carry only a single VLAN. If the link is intended to carry multiple VLANs, it must be configured as a trunk. The switch will not automatically convert the port to a trunk (B).

The port remains a Layer 2 access port, not a routed Layer 3 interface (C). VLANs are not automatically summarized into a single prefix (D). The most likely result is that the link will not carry multiple VLANs as intended.

Exam trap

Beware of confusing automatic port mode changes with manual configurations. Access ports do not auto-convert to trunk mode.

Why the other options are wrong

B

Switches do not automatically convert an access port to a trunk; manual configuration is required.

C

An access port remains a Layer 2 interface; it does not become a routed Layer 3 interface.

D

VLANs operate at Layer 2 and are not automatically summarized into a single prefix; that would be a routing function.

1593
Multi-Select · medium

Which two statements accurately describe the purpose of least privilege in administration and operations?

Select 2 answers
A. It limits users and administrators to the permissions they actually need.
B. It helps reduce unnecessary exposure and the impact of mistakes or misuse.
C. It means no administrator should ever have any configuration access.
D. It replaces the need for logging and accounting.
E. It exists only on wireless guest networks.
Answers: A, B

This is correct because least privilege is fundamentally about constraining permission scope.

Why this answer

Least privilege is about limiting access to what is actually needed. In practical terms, it reduces unnecessary exposure and helps contain the impact of mistakes, misuse, or compromised accounts. It is not about refusing all access. It is about granting enough access to do the job, but not more than that.

This is a central principle in secure administration and role design.

Exam trap

Avoid confusing least privilege with either unrestricted access or complete denial of access.

Why the other options are wrong

C

This option is incorrect because the principle of least privilege does not imply that administrators should have no configuration access; rather, it means they should only have the access necessary to perform their job functions.

D

This option is incorrect because least privilege does not eliminate the need for logging and accounting; instead, it complements these practices by ensuring that access is limited while still requiring oversight and tracking of actions taken by users.

E

This option is incorrect because the principle of least privilege applies to all network environments, not just wireless guest networks. It is a fundamental security concept that should be implemented across all systems and user roles.
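What least privilege looks like on a single IOS device, added as an example and not part of the original question; the role name, the commands moved to level 5 and the secrets are assumptions:

```cisco
! Assumed help-desk role: may inspect interface state, may not change config
enable secret Assumed-Enable-Secret-1
username helpdesk privilege 5 secret Assumed-Helpdesk-Secret-1
!
! Move only the commands this role needs down to level 5; everything else
! (configure terminal, show running-config, ...) stays at level 15
privilege exec level 5 show interfaces
privilege exec level 5 show ip interface brief
privilege exec level 5 show logging
!
line vty 0 4
 login local
 transport input ssh
!
! Least privilege limits what can be done; it does not replace accounting.
! Record every configuration change to syslog so actions stay attributable
archive
 log config
  logging enable
  notify syslog
  hidekeys
!
! Verify from a helpdesk session: 'show privilege' reports level 5 and
! 'configure terminal' is rejected
show privilege
```

Moving a broad command such as 'show running-config' down to a low level would undo the point of the exercise, since it exposes the whole configuration; keep the level 5 list to the specific show commands the role actually uses.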

1594
MCQ · medium

An engineer applies this command on an access interface connected to a user PC: switchport port-security violation restrict. What happens if a second unauthorized MAC address appears on the port?

A. The port immediately goes err-disabled.
B. Frames from the unauthorized MAC are dropped and the violation is counted while the port stays up.
C. The switch forwards the traffic but logs a warning.
D. The port transitions to listening and learning states.
Answer: B

That is the defining behavior of restrict.

Why this answer

With restrict mode, the switch drops frames from the violating MAC, increments the violation counter, and can generate notifications. Unlike shutdown mode, the interface stays up. Unlike protect mode, the switch records the violation.

Exam trap

A frequent exam trap is mistaking the restrict violation mode for shutdown mode. Many candidates incorrectly believe that a violation in restrict mode causes the port to go err-disabled immediately, but this behavior only occurs with the shutdown mode. Another common confusion is between restrict and protect modes; protect silently drops unauthorized frames without incrementing violation counters or generating alerts, whereas restrict does both.

Misunderstanding these differences can lead to incorrect answers about port behavior during security violations. Remember, restrict mode blocks unauthorized MAC addresses but keeps the port active and counts violations, which is a key distinction in Cisco port security.

Why the other options are wrong

A

Option A describes the shutdown violation mode behavior, where the port immediately goes err-disabled upon detecting a second unauthorized MAC address. Since the command specifies 'violation restrict', the port does not disable but stays up, so this option is incorrect.

C

Option C is incorrect because port security never forwards traffic from unauthorized MAC addresses. The switch drops such frames to enforce security policies, so forwarding violating traffic is not possible.

D

Option D is incorrect because listening and learning states refer to Spanning Tree Protocol (STP) port states, not port security violation responses. Port security violation modes do not cause STP state changes.
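The three violation modes side by side, as an added example that is not part of the question or of Cisco's code: a small Python model of a port-secured interface replays the same frames (constructed MAC addresses) through protect, restrict and shutdown so that the differences the explanation lists (silent drop, drop plus count, err-disable) are visible in one run. Class and method names are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed model of 'switchport port-security violation {protect|restrict|shutdown}'.
# Names are hypothetical; this is not IOS code.


@dataclass
class SecurePort:
    """One access port with 'switchport port-security' applied."""
    violation: str = "restrict"                 # protect | restrict | shutdown
    maximum: int = 1                            # switchport port-security maximum
    secure_macs: set = field(default_factory=set)
    violation_count: int = 0                    # the 'SecurityViolation Count' line
    err_disabled: bool = False
    notices: list = field(default_factory=list)  # stand-in for syslog / SNMP trap

    def receive(self, src_mac: str) -> bool:
        """Process one ingress frame; return True if it is forwarded."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return False                        # port is down; nothing passes
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)       # dynamic learning up to 'maximum'
            return True
        # A further source MAC beyond 'maximum' is a violation.
        if self.violation == "protect":
            return False                        # silent drop: no counter, no notice
        if self.violation == "restrict":
            self.violation_count += 1           # drop, count (here per frame), notify
            self.notices.append(f"violation by {src_mac}")
            return False                        # ...and the port stays up
        if self.violation == "shutdown":
            self.violation_count += 1
            self.err_disabled = True            # port goes err-disabled
            self.notices.append(f"violation by {src_mac}; port err-disabled")
            return False
        raise ValueError(f"unknown violation mode {self.violation!r}")

    def errdisable_recover(self) -> None:
        """Model errdisable recovery (or a manual shut / no shut)."""
        self.err_disabled = False


def compare_modes(frames=("aaaa.1111.0001", "bbbb.2222.0002", "bbbb.2222.0002")):
    """Replay the same frames (constructed MACs: one authorised host, then an
    unauthorised one twice) through each mode and summarise the outcome."""
    result = {}
    for mode in ("protect", "restrict", "shutdown"):
        port = SecurePort(violation=mode)
        forwarded = [port.receive(mac) for mac in frames]
        result[mode] = {
            "forwarded": forwarded,
            "violations": port.violation_count,
            "err_disabled": port.err_disabled,
            "notices": len(port.notices),
        }
    return result


if __name__ == "__main__":
    for mode, summary in compare_modes().items():
        print(mode, summary)
```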

1595
Matchingeasy

Match each basic security term to its most accurate meaning.

Verification of identity

Determination of allowed actions

Protection against unauthorized disclosure

Protection against unauthorized modification

Why these pairings

Authentication is the process of verifying the claimed identity of a user or device, confirming 'who you are'. Authorization determines what resources or actions an authenticated entity is allowed to access, essentially 'what you can do'. Confidentiality ensures that sensitive information is not disclosed to unauthorized individuals, protecting data from being read.

Integrity guarantees that data has not been altered in an unauthorized manner, preserving its accuracy and trustworthiness.

Exam trap

Many learners confuse authentication (proving identity) with authorization (granting permissions); remember that authentication always comes first, and the two serve different security purposes.

1596
PBQmedium

You are connected to R1 via the console. R1's GigabitEthernet0/0 (10.0.0.1/30) connects to ISP router, and GigabitEthernet0/1 (192.168.1.1/24) connects to the internal LAN. The internal network uses 192.168.1.0/24 and needs to access the internet. Configure NAT overload on R1 so that internal hosts are translated to the IP address of GigabitEthernet0/0 when accessing the internet.

Network Topology
Internet -- ISP -- R1 (G0/0 10.0.0.1/30; G0/1 192.168.1.1/24) -- LAN PCs

Hints

  • Define inside and outside interfaces separately.
  • Use the ACL to identify which traffic to translate.
  • The overload keyword enables PAT.
A.R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255 R1(config)# ip nat inside source list 1 interface GigabitEthernet0/0 overload R1(config)# interface GigabitEthernet0/0 R1(config-if)# ip nat outside R1(config-if)# interface GigabitEthernet0/1 R1(config-if)# ip nat inside
B.R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255 R1(config)# ip nat inside source list 1 interface GigabitEthernet0/1 overload R1(config)# interface GigabitEthernet0/0 R1(config-if)# ip nat outside R1(config-if)# interface GigabitEthernet0/1 R1(config-if)# ip nat inside
C.R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255 R1(config)# ip nat inside source list 1 interface GigabitEthernet0/0 R1(config)# interface GigabitEthernet0/0 R1(config-if)# ip nat outside R1(config-if)# interface GigabitEthernet0/1 R1(config-if)# ip nat inside
D.R1(config)# access-list 1 permit any R1(config)# ip nat inside source list 1 interface GigabitEthernet0/0 overload R1(config)# interface GigabitEthernet0/0 R1(config-if)# ip nat outside R1(config-if)# interface GigabitEthernet0/1 R1(config-if)# ip nat inside
AnswerA
solution
! R1
! ACL 1 selects the inside traffic to translate (from option A; the NAT command references it)
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
interface GigabitEthernet0/0
ip nat outside
interface GigabitEthernet0/1
ip nat inside

Why this answer

NAT overload (PAT) allows multiple internal hosts to share a single public IP by using different source ports. The ACL identifies the internal network, and the interfaces are marked as inside/outside. The 'overload' keyword enables port address translation.

Option B fails because it translates to the wrong interface (GigabitEthernet0/1) instead of the public-facing interface (GigabitEthernet0/0). Option C is missing the required 'overload' keyword, so it performs dynamic NAT without PAT, which is insufficient for multiple hosts. Option D uses an overly broad ACL ('permit any') that does not match only the internal network (192.168.1.0/24) as required by the stem.

Exam trap

The most common traps are: (1) confusing inside and outside interfaces when specifying the NAT source, (2) forgetting the 'overload' keyword for PAT, and (3) using an overly permissive ACL like 'permit any' instead of restricting to the internal network. Always verify interface roles and the ACL scope.

Why the other options are wrong

B

The 'ip nat inside source list' command must specify the outside interface (the one with the public IP) for translation, not the inside interface.

C

NAT overload (PAT) requires the 'overload' keyword to enable port address translation. Without it, the router performs dynamic NAT, which is insufficient for sharing a single public IP among many hosts.

D

The ACL should match only the internal network that requires translation. Using 'permit any' would translate all traffic, including traffic that should not be translated, potentially breaking connectivity or causing security risks.
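Why options C and D fail, as an added example that is not part of the question or of Cisco's code: a Python model of 'ip nat inside source list 1 interface GigabitEthernet0/0 overload' on R1 pushes two LAN hosts that happen to use the same source port, plus one host outside 192.168.1.0/24 (constructed addresses), through the ACL and translation for options A, C and D. Class and method names are hypothetical.

```python
import ipaddress

# Constructed model of inside-source NAT on R1 from this question. Not IOS code;
# names are hypothetical. Option B (wrong interface) is not modelled here.

OUTSIDE_IP = ipaddress.ip_address("10.0.0.1")      # R1 G0/0, from the question


class InsideSourceNat:
    def __init__(self, acl_networks, overload):
        # 'access-list 1 permit 192.168.1.0 0.0.0.255' -> ["192.168.1.0/24"]
        # 'access-list 1 permit any'                    -> ["0.0.0.0/0"]
        self.acl = [ipaddress.ip_network(n) for n in acl_networks]
        self.overload = overload
        self.table = {}          # (inside_local, port) -> (inside_global, port)
        self.used_ports = set()  # ports already taken on the interface address

    def translate(self, src_ip, src_port):
        """Handle one inside->outside packet.

        Returns ("translated", global_ip, global_port),
                ("untranslated", src_ip, src_port)  -> the ACL did not match, or
                ("dropped", None, None)             -> no free global address.
        """
        src = ipaddress.ip_address(src_ip)
        if not any(src in net for net in self.acl):
            return ("untranslated", str(src), src_port)
        key = (src, src_port)
        if key in self.table:
            return ("translated",) + self.table[key]
        if self.overload:
            # PAT: keep the source port when it is free, otherwise pick a free
            # one, so many hosts share the single interface address.
            port = src_port
            while port in self.used_ports:
                port = port + 1 if port < 65535 else 1024
            self.used_ports.add(port)
            entry = (str(OUTSIDE_IP), port)
        else:
            # Dynamic NAT without 'overload': one global address per inside host.
            # The interface supplies exactly one, so the second host gets nothing.
            hosts_holding_ip = {local for (local, _) in self.table}
            if hosts_holding_ip and src not in hosts_holding_ip:
                return ("dropped", None, None)
            entry = (str(OUTSIDE_IP), src_port)
        self.table[key] = entry
        return ("translated",) + entry


def run_option(acl_networks, overload):
    """Two LAN hosts using the same source port, then a host that is not in
    192.168.1.0/24 and must not be translated (all addresses constructed)."""
    nat = InsideSourceNat(acl_networks, overload)
    return [
        nat.translate("192.168.1.10", 50000),
        nat.translate("192.168.1.11", 50000),
        nat.translate("172.16.5.5", 50000),
    ]


OPTIONS = {
    "A": (["192.168.1.0/24"], True),    # correct: ACL scoped to the LAN, overload
    "C": (["192.168.1.0/24"], False),   # missing 'overload'
    "D": (["0.0.0.0/0"], True),         # 'permit any'
}

if __name__ == "__main__":
    for name, (acl, overload) in OPTIONS.items():
        print(name, run_option(acl, overload))
```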

1597
MCQhard

A port connected to an end host is configured with PortFast and BPDU Guard. What is the most likely result if a small unmanaged switch is connected and starts sending BPDUs?

A.The port is error-disabled by BPDU Guard.
B.The port automatically becomes the root port.
C.The port is converted into a trunk.
D.The port ignores the BPDU because PortFast disables STP entirely.
AnswerA

This is correct because BPDU Guard disables an edge port when it receives a BPDU.

Why this answer

The most likely result is that the port is placed into an err-disabled state by BPDU Guard. In practical terms, PortFast tells the switch to treat the interface like an edge port for a normal endpoint, which is why it starts forwarding quickly. BPDU Guard protects that assumption. If the port suddenly receives a spanning-tree BPDU, the switch treats that as a sign that the port is no longer connected to a simple end device.

This combination is common in enterprise access-layer design because it improves user startup time while still protecting the topology. The correct answer is the one that describes the port being shut down automatically when BPDUs appear unexpectedly.

Exam trap

Remember, BPDU Guard disables the port, it doesn't use spanning-tree states like blocking or learning.

Why the other options are wrong

B

This option is wrong because a port configured with PortFast and BPDU Guard will not automatically become the root port when it receives BPDUs; instead, it will be error-disabled due to BPDU Guard's protection mechanism.

C

This option is wrong because a port configured with PortFast does not automatically convert to a trunk port when it receives BPDUs; instead, it remains in access mode. BPDU Guard will cause the port to be error-disabled upon receiving BPDUs, preventing any trunking behavior.

D

This option is wrong because PortFast does not disable Spanning Tree Protocol (STP) entirely; it merely allows the port to transition to the forwarding state immediately without participating in STP calculations. BPDUs are still processed, and BPDU Guard will take action if they are received.

1598
PBQhard

You are troubleshooting a wired client connectivity issue. A user on VLAN 10 (subnet 192.168.10.0/24) reports that they cannot reach the internet. The client PC is connected to switch SW1, which is connected to router R1. You have console access to the client PC and R1. Identify and fix the misconfiguration so that the client can ping the internet host 203.0.113.1.

Hints

  • The client's IP 169.254.10.25 indicates DHCP failure; check if the router has a DHCP pool.
  • The router has no default route; the client cannot reach the internet even with a correct IP.
  • Ensure the DHCP pool includes the correct network and default gateway.
A.Configure R1 as a DHCP server for VLAN 10, excluding the router's IP, and add a default route to 203.0.113.1.
B.Change the client's IP address to a static IP in the 192.168.10.0/24 subnet and set the default gateway to 203.0.113.1.
C.Enable DHCP snooping on SW1 and configure the client port as trusted.
D.Configure a static route on the client PC to 203.0.113.1 via the router's IP.
AnswerA
solution
! R1
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp pool LAN_POOL
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8
exit
ip route 0.0.0.0 0.0.0.0 203.0.113.1

Why this answer

The client PC has an APIPA address (169.254.x.x) because it failed to obtain an IP via DHCP. The DHCP server is likely the router R1, but the router is not configured as a DHCP server. To fix this, configure R1 as a DHCP server for VLAN 10, excluding the router's own IP from the pool, and set the default gateway and DNS.

Then the client can renew its IP and reach the internet. Additionally, the router lacks a default route to the internet; add a static default route pointing to the next-hop (203.0.113.1).

Exam trap

Do not confuse the need for a DHCP server with security features like DHCP snooping. Also, remember that the default gateway must be on the same subnet as the client, not the internet host.

Why the other options are wrong

B

The default gateway must be an IP on the same subnet as the client, typically the router's LAN interface.

C

DHCP snooping does not provide DHCP services; it only filters DHCP messages.

D

The client must first have a valid IP and default gateway; static routes on a host are rarely used and not the issue here.

1599
MCQmedium

A network administrator receives a report that a user on a Windows laptop cannot connect to the internet, although other devices on the same subnet are working. The administrator runs `ipconfig` on the laptop and sees an IP address of 169.254.15.22 with a subnet mask of 255.255.0.0 and no default gateway. Based on this output, what is the most likely cause of the connectivity issue?

A.The laptop's DNS server settings are incorrect.
B.The DHCP server is unreachable or not responding to the laptop's DHCP request.
C.The laptop has a static IP address configured that conflicts with another device.
D.The Ethernet cable is faulty or disconnected.
AnswerB

APIPA is assigned when a DHCP client fails to receive a DHCPOFFER after sending DHCPDISCOVER messages. This typically means the DHCP server is down, misconfigured, or the laptop cannot reach it due to a network issue (e.g., VLAN mismatch, switch port problem).

Why this answer

The IP address 169.254.15.22 with a subnet mask of 255.255.0.0 is an Automatic Private IP Addressing (APIPA) address, which Windows assigns when a DHCP client fails to obtain a lease from a DHCP server. The absence of a default gateway confirms that the laptop cannot reach any DHCP server, as APIPA addresses are not routable and are only used for link-local communication. Therefore, the most likely cause is that the DHCP server is unreachable or not responding to the laptop's DHCP request.

Exam trap

Cisco often tests the distinction between APIPA and other IP assignment failures, and the trap here is that candidates may confuse a DHCP failure with a physical layer issue (faulty cable) or a DNS misconfiguration, not realizing that APIPA is a specific Windows behavior triggered only by DHCP unavailability.

Why the other options are wrong

A

The APIPA address indicates a DHCP failure, not a DNS problem.

C

A static IP conflict would not result in an APIPA address; the laptop would show the manually configured IP, not 169.254.x.x.

D

A physical cable issue would prevent link, so the laptop would not even attempt DHCP and would not get an APIPA address.

1600
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure OSPFv3 for IPv6 on a Cisco IOS-XE router and verify the OSPFv3 neighbor adjacency and route installation.

Why this order

The correct sequence ensures IPv6 routing is enabled first, then the OSPFv3 process is created, applied to the interface, and finally verified for adjacency and route installation.

Exam trap

Do not skip the 'ipv6 unicast-routing' command; without it, OSPFv3 will not function. Also, remember that OSPFv3 uses a router ID that must be configured manually or via an IPv4 address.

1601
MCQhard

A network engineer notices that Host A in VLAN 10 (10.10.10.50/24) can successfully ping its default gateway 10.10.10.1, but cannot ping the VLAN 20 SVI (10.20.20.1) or any hosts in VLAN 20. The SVIs for both VLAN 10 and VLAN 20 are in an up/up state, and the switch's trunk ports are correctly allowing both VLANs. What is the most likely cause?

A.The ip routing global configuration command is missing.
B.The VLAN 20 SVI is administratively shut down.
C.The trunk between the access switch and the Layer 3 switch is misconfigured as an access port.
D.The default gateway on Host A is configured incorrectly.
AnswerA

The missing 'ip routing' command prevents the Layer 3 switch from performing routing between VLANs, even though the SVIs are up and hosts can reach their own gateways.

Why this answer

Host A can reach its default gateway (10.10.10.1), which is the VLAN 10 SVI, but cannot reach the VLAN 20 SVI (10.20.20.1) or any hosts in VLAN 20. This indicates that Layer 2 connectivity is working (trunk allows both VLANs, SVIs are up/up), but inter-VLAN routing is failing. On a multilayer switch, inter-VLAN routing requires the global command 'ip routing' to enable the switch's IP routing engine; without it, the switch acts as a Layer 2 device only and cannot forward packets between different VLANs.

Exam trap

Cisco often tests the distinction between a switch operating as a Layer 2 device versus a Layer 3 device, and the trap here is that candidates assume SVIs in an up/up state automatically provide inter-VLAN routing, forgetting the mandatory 'ip routing' command.

Why the other options are wrong

B

Candidates may overlook the explicit mention that the SVIs are up/up, mistakenly thinking a shut SVI could be the problem.

C

Trunk misconfiguration is a common inter-VLAN issue, but the scenario explicitly says the trunks are working properly, making this answer invalid.

D

The successful ping to the default gateway proves the gateway is correct. Without 'ip routing', the switch can't forward packets from VLAN 10 to VLAN 20, but it can respond to local VLAN requests.

1602
Multi-Selectmedium

Which TWO statements correctly describe the causes or implications of CRC errors, runts, giants, or output errors as seen in the output of 'show interface' or 'show interface status'?

Select 2 answers
A.CRC errors are always caused by a faulty switch port and require port replacement.
B.A high number of runts on an interface typically indicates excessive collisions or a faulty NIC.
C.Giants are frames that exceed the maximum transmission unit (MTU) and are always discarded by the switch.
D.Output errors, including late collisions, can be caused by a duplex mismatch between the switch and the connected device.
E.The 'show controllers' command provides a detailed view of CRC errors but does not show runts or giants.
AnswersB, D

Runts are frames smaller than 64 bytes and often result from collisions (e.g., in half-duplex) or a malfunctioning NIC that generates undersized frames.

Why this answer

Option B is correct because runts—frames smaller than 64 bytes—often result from collisions truncating frames on half-duplex links or a faulty NIC. Option D is correct because duplex mismatch can cause late collisions, which appear as output errors in 'show interface'; a device on one side full-duplex and the other half-duplex leads to collisions and framing errors. Option A is wrong because CRC errors can stem from faulty cabling, interference, or a mismatched NIC, not exclusively a bad switch port.

Option C is wrong because giants (frames over maximum MTU) may be forwarded if the interface is configured with jumbo frames or the switch is set to accept oversize frames. Option E is wrong because 'show controllers' displays frame-size errors like runts and giants, including details beyond CRC errors.

Exam trap

Cisco often tests the misconception that CRC errors always indicate a bad port (trap A) and that giants are always discarded (trap C), when in reality both can have multiple causes and switches can be configured to forward larger frames.

Why the other options are wrong

A

This statement is too absolute; CRC errors often stem from Layer 1 issues like bad cables or noise, not always a defective port.

C

The statement is too definitive; giants can be forwarded if jumbo frame support is enabled.

E

This statement is incorrect because 'show controllers' often includes runt and giant counters on many Cisco platforms.

1603
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure Root Guard on a designated port, Loop Guard on a non-designated port, and BPDU Guard on a PortFast port, along with the recovery steps when a port enters err-disabled state.

Why this order

The order follows the logical sequence: enter config mode, then configure each guard feature on its respective port, and finally set the errdisable recovery to automatically re-enable ports after a BPDU Guard violation.

Exam trap

The trap is that candidates may think the order of configuring the guards is arbitrary, but the question explicitly requires a specific sequence. Pay close attention to the order in which features are listed in the stem.

1604
PBQhard

You are connected to R1. The network consists of R1, SW1, and two hosts (Host-A on VLAN 10, Host-B on VLAN 20). SW1 has two access ports (one per VLAN) and a trunk to R1. Configure R1 for router-on-a-stick inter-VLAN routing. The current configuration has a native VLAN mismatch and a missing subinterface for VLAN 20. Fix these issues so that Host-A and Host-B can ping each other.

Hints

  • Check if all required subinterfaces are present.
  • Examine the native VLAN on the trunk.
  • Verify that IP routing is enabled globally.
A.Configure interface G0/0.20 with encapsulation dot1Q 20 and IP address 192.168.20.1 255.255.255.0, set native VLAN to 1 on the trunk, and enable ip routing.
B.Configure interface G0/0.20 with encapsulation dot1Q 20 and IP address 192.168.20.1 255.255.255.0, set native VLAN to 99 on the trunk, and enable ip routing.
C.Configure interface G0/0.20 with encapsulation dot1Q 20 and IP address 192.168.20.1 255.255.255.0, set native VLAN to 1 on the trunk, but do not enable ip routing.
D.Configure interface G0/0.20 with encapsulation dot1Q 20 and IP address 192.168.20.1 255.255.255.0, set native VLAN to 99 on the trunk, and do not enable ip routing.
AnswerA
solution
! R1
configure terminal
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
exit
interface GigabitEthernet0/0
no encapsulation dot1Q 99
exit
ip routing
end

Why this answer

The native VLAN mismatch exists: R1 expects native VLAN 99, but SW1 likely uses native VLAN 1 (default). This causes CDP/STP issues but not directly inter-VLAN routing; however, for proper operation, set native VLAN to 1 on R1. Additionally, the subinterface for VLAN 20 is missing, so traffic from VLAN 20 cannot be routed.

Finally, 'ip routing' is disabled, preventing any inter-VLAN routing. Solution: change native VLAN on trunk to 1, create subinterface G0/0.20 with encapsulation dot1Q 20 and IP 192.168.20.1/24, and enable ip routing.

Exam trap

Be careful to identify all issues in the scenario. Candidates often focus only on the missing subinterface and forget to check the native VLAN mismatch and the global 'ip routing' command. Always verify that routing is enabled and that native VLANs match on both ends of the trunk.

Why the other options are wrong

B

The native VLAN mismatch is not resolved; the switch likely uses native VLAN 1, so R1 should also use 1 or both sides must be configured consistently.

C

IP routing is disabled by default on Cisco routers; it must be explicitly enabled for the router to perform routing functions.

D

Two errors: native VLAN mismatch persists and IP routing is disabled, so packets cannot be routed between VLANs.

1605
PBQhard

You are connected to R1. Configure IPv4 and IPv6 addressing on R1's interfaces and verify reachability to R2. The current configuration has a wrong subnet mask on G0/0, missing default gateway for IPv4, and R1's IPv6 address is configured using EUI-64 while R2 uses a static IPv6 address. Fix these issues so that R1 can ping both R2's IPv4 and IPv6 addresses.

Network Topology
R1 (G0/0 192.0.2.1/24) -- link -- R2 (G0/0 192.0.2.2/30)

Hints

  • Compare the subnet masks on R1 and R2's G0/0 interfaces.
  • Check the IPv4 default route — the next-hop must be reachable.
  • R1's IPv6 EUI-64 will not match the static address on R2; use a static assignment on the same subnet.
A.Change R1 G0/0 subnet mask to /30, add a default route via 192.0.2.2, and configure a static IPv6 address 2001:db8:1::1/64 on G0/0.
B.Change R1 G0/0 subnet mask to /30, add a default route via 192.0.2.254, and keep the EUI-64 IPv6 address on G0/0.
C.Change R1 G0/0 subnet mask to /24, add a default route via 192.0.2.2, and configure a static IPv6 address 2001:db8:1::1/64 on G0/0.
D.Change R1 G0/0 subnet mask to /30, add a default route via 192.0.2.2, and keep the EUI-64 IPv6 address on G0/0.
AnswerA
solution
! R1
enable
configure terminal
interface GigabitEthernet0/0
ip address 192.0.2.1 255.255.255.252
no ipv6 address 2001:db8:1::/64 eui-64
ipv6 address 2001:db8:1::1/64
exit
no ip route 0.0.0.0 0.0.0.0 192.0.2.254
ip route 0.0.0.0 0.0.0.0 192.0.2.2
end
write memory

Why this answer

The problem had three issues: (1) R1's G0/0 subnet mask was /24 (255.255.255.0) but R2's G0/0 was /30 (255.255.255.252), causing an IP subnet mismatch. (2) R1 lacked a default gateway for IPv4; the static route pointed to 192.0.2.254 which is not reachable. (3) R1's IPv6 EUI-64 configuration on G0/0 generates an interface ID from the MAC, but R2 expects a static address 2001:db8:1::2/64, so R1 must use a static IPv6 address on the same subnet. The fix: change R1's G0/0 mask to /30, add a default route via R2's G0/0 IP (192.0.2.2), and configure a static IPv6 address (e.g., 2001:db8:1::1/64) on R1's G0/0.

Exam trap

Be careful not to confuse the default gateway with an arbitrary IP; it must be the next-hop router's interface IP on the same subnet. Also, remember that EUI-64 generates a unique interface ID from the MAC, which may not match a statically configured peer address—both sides must use consistent addressing methods.

Why the other options are wrong

B

The default gateway must be R2's directly connected interface IP (192.0.2.2), not 192.0.2.254. EUI-64 cannot be used if the peer expects a specific static address on the same subnet.

C

The subnet mask must be consistent on both ends of the link. A /24 mask on one side and /30 on the other creates overlapping subnets and routing issues.

D

EUI-64 does not guarantee that the resulting IPv6 address will be on the same subnet as a statically configured peer address. For direct connectivity, both routers must have addresses in the same subnet.

1606
Multi-Selectmedium

Which three options describe common applications of AI/ML in network telemetry and monitoring? (Choose three.)

Select 3 answers
A.Baseline profiling to detect unusual traffic patterns that may indicate an attack
B.Dynamic threshold tuning based on learned normal behavior to reduce false positives
C.Automated root cause analysis by correlating events across multiple network devices
D.Directly rewriting routing tables in OSPF without any protocol interaction
E.Replacing SNMP with AI-generated proprietary agents on every device
F.Eliminating the need for network logs by using only synthetic data

Why this answer

Baseline profiling (correct) uses machine learning to learn normal traffic patterns and detect anomalies like attacks. Dynamic threshold tuning (correct) leverages learned behavior to adjust thresholds automatically, reducing false positives. Automated root cause analysis (correct) correlates events across devices using AI to identify the source of issues.

Directly rewriting routing tables in OSPF (wrong) is not an AI/ML application—OSPF has its own protocol mechanisms, and AI would not bypass them without integration. Replacing SNMP with AI-generated proprietary agents (wrong) is impractical and unnecessary; AI enhances rather than replaces standard protocols. Eliminating network logs with synthetic data (wrong) contradicts monitoring needs; logs remain essential for audit and analysis, and AI uses real data for training.

Exam trap

Cisco often tests the distinction between AI/ML applications that *augment* existing network operations (like anomaly detection and threshold tuning) versus options that propose unrealistic or protocol-breaking changes (like directly modifying OSPF tables or replacing SNMP), so candidates must recognize that AI/ML works *with* standard protocols, not against them.

1607
Matchingmedium

Match each JSON concept to its most accurate description.

A set of key-value pairs enclosed in braces

An ordered list enclosed in square brackets

The name that identifies a field

The content associated with a key

Why these pairings

These pairings match fundamental JSON concepts with their correct definitions as per the JSON specification.

Exam trap

Be careful not to confuse JSON with XML or other data formats. JSON uses key-value pairs and does not use tags. Also, remember that JSON is text-based, not binary, and it is a data format, not a query language.

1608
MCQmedium

A controller API returns this data: { "device": { "hostname": "Dist-1", "interfaces": [ {"name": "Gig0/0", "status": "up"}, {"name": "Gig0/1", "status": "down"} ] } } Which statement is correct?

A.The response is XML because it contains nested elements
B.The interfaces field is an array of objects
C.The hostname field is a list
D.The format shown is YAML
AnswerB

This is correct. The interfaces field is enclosed in square brackets, which in JSON means an array. Each item inside the array is an object containing keys such as name and status.

Why this answer

The interfaces field is an array of objects. The giveaway is the square brackets around the interface entries. In JSON, square brackets represent an array, and braces represent an object.

Each interface entry inside that array has key-value pairs such as name and status, which makes each entry its own object. In plain language, the controller is returning a list of interface records for one device. The hostname field, by contrast, is a single value.

This style of question appears in automation topics because the exam wants you to recognize common data structures used in controller APIs without requiring deep programming expertise. Understanding the difference between an object and an array is usually enough.

Exam trap

Be careful not to confuse JSON arrays with objects or strings. Pay attention to the brackets and braces used.

Why the other options are wrong

A

This option is wrong because the response is in JSON format, not XML. JSON uses curly braces and key-value pairs, while XML uses tags to define elements.

C

The hostname field is a string, not a list, as it contains a single value ('Dist-1') and does not represent multiple items or entries.

D

This option is wrong because the format shown in the response is JSON, not YAML. YAML uses indentation and a different syntax for data representation, which is not present here.
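Reading the response programmatically, as an added example that is not part of the question: Python parses the controller data quoted in the stem, labels every path with its JSON type (object, array, string) and then walks the interfaces array to pull out the entries that are down, which is how a script would consume such a controller reply. Function names are hypothetical.

```python
import json

# The controller response quoted in the question, as a JSON text.
CONTROLLER_RESPONSE = """
{ "device": { "hostname": "Dist-1",
              "interfaces": [ {"name": "Gig0/0", "status": "up"},
                              {"name": "Gig0/1", "status": "down"} ] } }
"""

# Python type after json.loads -> JSON type name
JSON_TYPE = {dict: "object", list: "array", str: "string",
             int: "number", float: "number", type(None): "null"}


def json_type(value):
    """Name the JSON type of a decoded value (bool is checked before int,
    because bool is a subclass of int in Python)."""
    if isinstance(value, bool):
        return "boolean"
    return JSON_TYPE[type(value)]


def field_types(value, path=""):
    """Return {json_path: json_type} for every node in the document.
    Objects are walked by key, arrays by index: device.interfaces[1].status."""
    out = {path or "$": json_type(value)}
    if isinstance(value, dict):
        for key, child in value.items():
            out.update(field_types(child, f"{path}.{key}" if path else key))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            out.update(field_types(child, f"{path}[{index}]"))
    return out


def interfaces_with_status(doc, status):
    """Iterate the array of interface objects and return the matching names.
    .get() tolerates an interface object that lacks a 'status' key."""
    return [intf["name"] for intf in doc["device"]["interfaces"]
            if intf.get("status") == status]


def parse_response(text=CONTROLLER_RESPONSE):
    return json.loads(text)


if __name__ == "__main__":
    doc = parse_response()
    for path, kind in field_types(doc).items():
        print(f"{path:<35} {kind}")
    print("down:", interfaces_with_status(doc, "down"))
```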

1609
Multi-Selecteasy

A developer is interacting with a REST API exposed by a network controller. Which two statements correctly describe common REST behavior?

Select 2 answers
A.GET is commonly used to retrieve resource data
B.POST always replaces an existing resource completely
C.JSON is a common data format used in REST APIs
D.REST requires SNMP as the transport mechanism
AnswersA, C

GET requests are typically read operations.

Why this answer

REST APIs commonly use HTTP methods such as GET, POST, PUT, and DELETE, and JSON is one of the most common payload formats.

Exam trap

A common exam trap is assuming that POST always replaces an existing resource completely, which is incorrect. In REST API design, POST is typically used to create new resources or trigger server-side processing, whereas PUT is the method that fully replaces an existing resource. Confusing these two can lead to incorrect assumptions about how network controllers handle configuration changes or data updates.

This misunderstanding may cause candidates to select POST as the answer for resource replacement questions, which is a frequent mistake in Cisco automation and programmability topics.

Why the other options are wrong

B

Option B is incorrect because POST does not always replace an existing resource completely; it usually creates new resources or triggers processing. PUT is the method associated with full resource replacement.

D

Option D is incorrect because REST APIs do not require SNMP as the transport mechanism; they typically use HTTP or HTTPS protocols for communication.

1610
PBQhard

You are connected to R1. Configure IPv4 and IPv6 addressing on R1's GigabitEthernet0/0 and GigabitEthernet0/1 interfaces so that R1 can reach R2 and the internal host on VLAN 10. R1 G0/0 connects to R2 (198.51.100.0/24), and R1 G0/1 connects to a switch with VLAN 10 (192.168.1.0/24). The current configuration has a wrong subnet mask on G0/0, missing IPv6 addresses, and a duplicate IP on G0/1. Fix all issues and verify connectivity.

Network Topology
R2 (G0/0 198.51.100.2/24) -- R1 (G0/0 198.51.100.1/24; G0/1 192.168.1.254/24) -- Switch VLAN 10 -- Host (192.168.1.10/24)

Hints

  • Check the subnet mask on G0/0 — the IP and mask must match the connected subnet.
  • Look at the ARP table on G0/1 — the IP 192.168.1.1 is already in use by another device.
  • IPv6 requires both a global unicast address and a link-local address; use 'ipv6 enable' to generate EUI-64 link-local.
A.On G0/0, change subnet mask to 255.255.255.0, add IPv6 address 2001:db8:1::1/64 and enable ipv6 enable; on G0/1, change IP to 192.168.1.254/24 and add IPv6 address 2001:db8:2::1/64.
B.On G0/0, change subnet mask to 255.255.255.252, add IPv6 address 2001:db8:1::1/64; on G0/1, keep IP 192.168.1.1/24 and add IPv6 address 2001:db8:2::1/64.
C.On G0/0, change subnet mask to 255.255.255.0, add IPv6 address 2001:db8:1::1/64; on G0/1, change IP to 192.168.1.254/24 but do not configure IPv6.
D.On G0/0, keep subnet mask 255.255.255.252, add IPv6 address 2001:db8:1::1/64 and enable ipv6 enable; on G0/1, change IP to 192.168.1.254/24 and add IPv6 address 2001:db8:2::1/64.
AnswerA
solution
! R1
interface GigabitEthernet0/0
ip address 198.51.100.1 255.255.255.0
ipv6 address 2001:db8:1::1/64
ipv6 address fe80::1 link-local
ipv6 enable
exit
interface GigabitEthernet0/1
no ip address 192.168.1.1 255.255.255.0
ip address 192.168.1.254 255.255.255.0
ipv6 address 2001:db8:2::1/64
ipv6 address fe80::254 link-local
ipv6 enable
exit

Why this answer

The GigabitEthernet0/0 interface carried a /30 mask (255.255.255.252) on a segment that R2 addresses as 198.51.100.0/24. With the masks disagreeing, R1 treats every address in 198.51.100.0/24 outside .0 to .3 as remote, so reachability across the segment is inconsistent and the two routers describe the link differently to any routing protocol; setting the mask to /24 makes them agree. IPv6 was not configured at all, so we added a global unicast address (2001:db8:1::1/64) and a static link-local address (fe80::1) on G0/0, and the equivalent pair on G0/1. On G0/1, 192.168.1.1 was already in use by another device (visible in the ARP cache; IOS also logs %IP-4-DUPADDR when it sees its own address sourced from another MAC), so the router moved to 192.168.1.254, the address the VLAN 10 hosts use as their default gateway.

Finally, verify with 'show ip interface brief', 'show ipv6 interface brief', 'show arp' and pings from R1 to R2 (198.51.100.2) and to the host (192.168.1.10).

Exam trap

Watch out for subnet mask mismatches: the mask on the router interface must match the prefix every other device on that segment uses, so compare it with the neighbour's configuration or the topology rather than assuming a /30 is right just because the link is point-to-point. Remember that IPv6 is off on an interface until you configure it; 'ipv6 address' is enough (it also creates the link-local address), and 'ipv6 enable' is only needed on an interface that has no other IPv6 address. Duplicate IPv4 addresses must be resolved, not worked around: two devices answering ARP for the gateway address produce intermittent loss that looks like a routing fault.

Why the other options are wrong

B

The subnet mask on G0/0 must be /24 to match the connected network; with /30, R1 and R2 disagree about the size of the shared subnet. Also, the duplicate IP on G0/1 is not resolved.

C

IPv6 must be configured on both interfaces to enable IPv6 connectivity. Omitting IPv6 on G0/1 leaves the interface without IPv6 capability.

D

The subnet mask on G0/0 must be changed to /24 to match the network 198.51.100.0/24. Keeping /30 is the original wrong configuration.

1611
MCQhard

A router interface is configured with the prefix 2001:db8:acad:12::/64 and uses EUI-64 to build the interface ID. What is the main purpose of EUI-64 in this context?

A.It automatically creates the interface ID portion of the IPv6 address from the MAC address.
B.It changes the /64 prefix into a /48 prefix for summarization.
C.It replaces the need for a link-local address.
D.It encrypts IPv6 traffic between neighbors.
AnswerA

This is correct because EUI-64 is used to derive the host/interface portion of the address.

Why this answer

EUI-64 automatically generates the interface identifier portion of the IPv6 address from the interface's 48-bit MAC address: the MAC is split in half, ff:fe is inserted in the middle, and the universal/local bit (the 0x02 bit of the first octet) is inverted. In practical terms, the /64 prefix provides the network portion and EUI-64 supplies the lower 64 bits without the administrator typing a host portion. The trade-off is that the MAC address is then visible in a globally routable address, which lets an observer recognise the same device across networks; hosts that care about this use randomised (RFC 4941) or stable, opaque (RFC 7217) interface IDs instead, and routers usually take a static, memorable interface ID such as ::1.

The important idea is that EUI-64 affects the interface ID, not the prefix length or the routing behavior of the network. It is an address-construction method, not a routing protocol.

Exam trap

Remember, EUI-64 is about address generation, not routing or network configuration. Focus on its role in forming the interface ID.

Why the other options are wrong

B

This option is incorrect because EUI-64 does not change the prefix length of an IPv6 address; it is used solely for generating the interface ID from a MAC address within the existing prefix.

C

This option is incorrect because EUI-64 does not replace the need for a link-local address; link-local addresses are essential for local network communication in IPv6, regardless of how the global address is generated.

D

This option is wrong because EUI-64 does not encrypt IPv6 traffic; it is used to generate the interface ID from the MAC address, which is unrelated to encryption processes.
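The derivation above in working code, as an added example that is not part of the original question set: the interface ID is built by splitting the MAC, inserting ff:fe and inverting the universal/local bit, and the reverse function shows why an EUI-64 address reveals the hardware address. The MAC address 00:1a:2b:3c:4d:5e is a constructed sample; the prefix is the one in the question.

```python
"""Modified EUI-64 interface IDs (RFC 4291, Appendix A) built by hand.

Added example; the MAC below is a constructed sample, the /64 prefix is the
one from the question. The steps: split the 48-bit MAC, insert 0xFFFE in the
middle, invert the universal/local bit (0x02 of the first octet).
"""
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface ID for a MAC address."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # 1. insert ff:fe between the OUI half and the device-specific half
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    # 2. invert the U/L bit (second least-significant bit of the first octet)
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface ID derived from mac."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_eui64(addr: str) -> str:
    """Recover the MAC from an EUI-64 address: the privacy caveat in one function."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface ID is not EUI-64 derived")
    first = iid[0] ^ 0x02                    # undo the U/L bit flip
    raw = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"               # constructed sample MAC
    global_addr = eui64_address("2001:db8:acad:12::/64", mac)
    link_local = eui64_address("fe80::/64", mac)
    print(global_addr, link_local, mac_from_eui64(str(global_addr)))
```

The same function produces the link-local address from fe80::/64, which is why an EUI-64 global address and the interface's link-local share their lower 64 bits.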

1612
PBQhard

You are connected to R1. The network has two VLANs (10 and 20) on SW1, connected to R1 via a trunk. Currently, hosts in VLAN 10 cannot reach the router or each other across VLANs. Configure R1 with the correct subinterface encapsulation and IP addressing, and ensure the trunk on SW1 allows both VLANs. Also, fix any native VLAN mismatch on the trunk link. Which configuration steps will resolve the issues?

Network Topology
SW1 Gi0/1 <-trunk-> R1 Gi0/0

Hints

  • Check the native VLAN on the trunk; it's currently 1 but not configured on R1.
  • R1 needs a subinterface for the native VLAN with the 'native' keyword.
  • IP routing must be enabled for inter-VLAN routing to work (a router has it on by default; the command matters on a Layer 3 switch).
A.On R1, configure subinterface Gi0/0.1 with encapsulation dot1Q 1 native and IP 192.168.1.1/24, and enable ip routing. On SW1, ensure trunk Gi0/1 allows VLANs 10,20 and set native VLAN 1.
B.On R1, configure subinterface Gi0/0.10 with encapsulation dot1Q 10 and IP 192.168.10.1/24, and subinterface Gi0/0.20 with encapsulation dot1Q 20 and IP 192.168.20.1/24. Enable ip routing. On SW1, change native VLAN to 10 on trunk Gi0/1.
C.On R1, configure subinterface Gi0/0.1 with encapsulation dot1Q 1 (without native keyword) and IP 192.168.1.1/24. Enable ip routing. On SW1, ensure trunk Gi0/1 allows VLANs 10,20 and set native VLAN 1.
D.On R1, configure subinterface Gi0/0.10 with encapsulation dot1Q 10 native and IP 192.168.10.1/24, and subinterface Gi0/0.20 with encapsulation dot1Q 20 and IP 192.168.20.1/24. Enable ip routing. On SW1, set native VLAN to 10 on trunk Gi0/1.
AnswerA
solution
! R1
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
! subinterfaces follow the state of physical Gi0/0, which must itself be up
no shutdown
exit
! on by default on a router; required on a Layer 3 switch
ip routing

Why this answer

The current issue is a native VLAN mismatch and, on the page's reading, missing IP routing. SW1's trunk port Gi0/1 uses native VLAN 1, so VLAN 1 frames leave the switch untagged. R1 has subinterfaces for VLANs 10 and 20, which only match tagged frames; there is no subinterface (and no address on the physical interface) to receive untagged frames, so the native VLAN traffic is dropped at R1.

Option A resolves both problems by adding a subinterface with 'encapsulation dot1Q 1 native' and an IP address, enabling IP routing, and keeping the trunk allowing VLANs 10 and 20 with native VLAN 1. Option B changes the switch's native VLAN to 10 without a matching native subinterface on R1, so VLAN 10 frames now arrive untagged and match nothing.

Option C uses 'encapsulation dot1Q 1' without the native keyword, so the subinterface expects tagged VLAN 1 frames, which the switch never sends. Option D changes the native VLAN to 10 on both sides, which works as a pair but alters the VLAN design rather than fixing the mismatch; it also turns a user VLAN into the untagged VLAN and leaves the trunk's allowed list unchecked. A is the fix that matches the existing design.

Exam trap

Watch out for native VLAN mismatches: the router must have a subinterface with 'encapsulation dot1Q <vlan> native' (or an address on the physical interface) for the VLAN the switch sends untagged. On a router, IP routing is on by default; 'ip routing' is the command you need on a Layer 3 switch, and on a router you would instead check that nothing has disabled it ('show running-config | include ip routing'). Outside the exam, the recommended design is the opposite of this lab: leave VLAN 1 unused, make the native VLAN an otherwise unused VLAN, and tag it ('vlan dot1q tag native' on the switch), because a user VLAN carried untagged is what double-tagging VLAN-hopping attacks rely on.

Why the other options are wrong

B

Changing the native VLAN to 10 on the switch without a matching 'encapsulation dot1Q 10 native' subinterface on R1 causes native VLAN traffic to be dropped.

C

Using 'encapsulation dot1Q 1' (without native) tells the router to expect tagged VLAN 1 frames, which will never arrive because the switch sends native VLAN 1 untagged.

D

Altering the network to make VLAN 10 the native VLAN is unnecessary and can break existing connectivity; it also leaves a user VLAN travelling untagged, which is the condition double-tagging attacks need. The correct fix is to accommodate the existing native VLAN 1 design.

1613
PBQhard

You are connected to R1, a Cisco IOS-XE router. The network uses a DNS server at 203.0.113.10 for name resolution. Users report that 'ping server.example.com' fails, but 'ping 203.0.113.50' succeeds. Assume proper routing is configured between R1 and the DNS server. Diagnose and resolve the DNS resolution issue so that the hostname resolves correctly, and verify the fix using appropriate Cisco IOS commands (e.g., ping, show hosts, debug domain).

Network Topology
R1 G0/0 10.0.0.1/30 <-link-> DNS Server 203.0.113.10/24

Hints

  • Compare what R1 gets back ('debug domain' shows the query and the response) with a query to the same server from a host that has nslookup or dig; the router itself has neither, and a host's cached answer can differ from what the server returns now.
  • The DNS server 203.0.113.10 is returning NXDOMAIN, meaning the A record is missing.
  • Configure a different DNS server that has the correct A record for server.example.com.
A.Configure R1 to use a different DNS server, such as 198.51.100.10, that has the correct A record for server.example.com.
B.Add the command 'ip domain lookup' under global configuration to enable DNS resolution on R1.
C.Clear the DNS cache on R1 using 'clear ip dns cache' to remove any stale entries.
D.Configure the router to use the IP address 203.0.113.50 as the DNS server instead of 203.0.113.10.
AnswerA
solution
! R1
configure terminal
no ip name-server 203.0.113.10
ip name-server 198.51.100.10
end
write memory

Why this answer

The issue is that the DNS server at 203.0.113.10 does not have a valid A record for server.example.com, returning NXDOMAIN. Since ping to the IP address works, connectivity is fine. To resolve, configure R1 to use a different DNS server (e.g., 198.51.100.10) that has the correct A record.

After configuration, verify with 'ping server.example.com', then 'show hosts' to see the cached entry (the flags column shows whether it is temporary, learned from DNS, or permanent, configured with 'ip host'). If the ping still fails, 'debug domain' shows the query leaving and the answer coming back. The options involving DNS cache clearing or enabling domain lookup are irrelevant because the problem lies with the DNS server itself, not with caching or disabled DNS lookup.

Exam trap

Do not confuse DNS caching with authoritative DNS responses; use 'show hosts' and 'ping' to verify resolution, not nslookup or dig, which are not available on Cisco IOS routers.

Why the other options are wrong

B

The specific factual error is that 'ip domain lookup' is not the cause of the problem; it is enabled by default. Check it anyway with 'show running-config | include domain', because 'no ip domain lookup' is common in lab builds (it stops mistyped commands from being resolved as hostnames); with lookup disabled the router never sends a query at all, which is a different symptom from a server answering NXDOMAIN.

C

The specific factual error is that the problem is not a cached negative response; the DNS server itself lacks the record.

D

The specific factual error is that 203.0.113.50 is a host address, not a DNS server address.

1614
PBQhard

You are connected to R1 via console. R1 and R2 are connected via two serial links: Serial0/0/0 (10.0.0.1/30) and Serial0/0/1 (10.0.0.5/30). OSPF is configured on both links. However, the OSPF neighbor adjacency is stuck in EXSTART/EXCHANGE state. You suspect a mismatch in OSPF parameters. You need to identify and fix the issue.

Network Topology
R1 S0/0/0 10.0.0.1/30 <-> R2 S0/0/0 10.0.0.2/30

Hints

  • EXSTART/EXCHANGE state indicates a problem with the Database Descriptor (DBD) packet exchange.
  • Check the MTU on the interfaces; a mismatch can cause this issue.
  • Use show ip interface to verify the MTU value.
A.Check and adjust the MTU on the serial interfaces to match.
B.Check and adjust the OSPF hello and dead timers to match.
C.Check and adjust the OSPF network type on the interfaces to match.
D.Check and adjust the OSPF area ID on the interfaces to match.
AnswerA
solution
! R1
interface Serial0/0/0
! any value works as long as both ends agree; 1400 is the value this lab uses
ip mtu 1400

! R2
interface Serial0/0/0
ip mtu 1400
! alternative when the MTUs cannot be aligned: 'ip ospf mtu-ignore' on both interfaces

Why this answer

The adjacency stuck in EXSTART/EXCHANGE is the classic sign of an MTU mismatch. Each DBD packet carries the sender's interface MTU, and a router discards a DBD whose MTU field is larger than its own interface MTU (RFC 2328, section 10.6), so the side with the smaller MTU never accepts the neighbour's DBDs and the exchange never completes. Setting the same MTU on both sides ('show ip interface' shows the value in use) resolves the issue; 'ip ospf mtu-ignore' on both ends is the workaround when the MTUs genuinely have to differ.

Exam trap

Do not confuse the symptoms of MTU mismatch with other OSPF parameter mismatches. MTU mismatch specifically stalls the database exchange (EXSTART/EXCHANGE). A hello or dead timer mismatch makes each router discard the other's hellos, so the neighbour never appears at all (no INIT, no 2-WAY). An area ID mismatch is likewise rejected at the hello stage and the adjacency never starts. A network type mismatch (point-to-point on one side, broadcast on the other) can reach FULL if the timers happen to match, but the routes never install.

Why the other options are wrong

B

The specific factual error is that timer mismatches are rejected at the hello stage, so the neighbour is never listed; they never get as far as database exchange.

C

The specific factual error is that network type affects the election of DR/BDR and adjacency formation, but not the DBD exchange process.

D

The specific factual error is that area ID mismatches cause OSPF to ignore hello packets, so the adjacency never progresses beyond DOWN.

1615
MCQhard

A host address is 10.77.4.141/28. Which address is the network address of the subnet?

A.10.77.4.128
B.10.77.4.143
C.10.77.4.144
D.10.77.4.112
AnswerA

This is correct because .141 is in the 128-143 /28 subnet.

Why this answer

A /28 subnet has a block size of 16. In practical terms, the last-octet blocks are 0-15, 16-31, 32-47, and so on. Because 141 falls within the 128-143 block, the network address is 10.77.4.128.

This is a clean addressing-boundary question that rewards careful block calculation rather than guesswork.

Exam trap

Be careful not to confuse host addresses with network addresses. Always calculate the subnet block to find the network address.

Why the other options are wrong

B

Option B, 10.77.4.143, is incorrect because it falls within the usable host range of the subnet defined by 10.77.4.128/28, which spans from 10.77.4.129 to 10.77.4.142. The network address must always be the first address in the subnet.

C

This option is wrong because 10.77.4.144 is not the network address for the subnet defined by 10.77.4.141/28; the correct network address is 10.77.4.128, which is the first address in the subnet range.

D

Option D, 10.77.4.112, is incorrect because it does not fall within the subnet defined by the CIDR notation /28, which covers addresses from 10.77.4.128 to 10.77.4.143. The network address for this subnet is 10.77.4.128.

1616
MCQhard

A network engineer is troubleshooting an OSPFv3 adjacency issue between two directly connected routers. Both routers are configured for OSPFv3 in area 0 on their GigabitEthernet0/0 interfaces. The engineer checks the OSPFv3 neighbor status on R1 and sees that the neighbor state is stuck in EXSTART. The engineer verifies that both interfaces are up and have IPv6 link-local addresses. What is the most likely cause of this problem?

A.Configure a global unicast IPv6 address on the interface.
B.Ensure that the MTU is the same on both sides of the link.
C.Change the router ID to be the same on both routers.
D.Change the network type to point-to-point.
AnswerB

An MTU mismatch can leave OSPFv3 stuck in EXSTART because each DBD packet carries the sender's interface MTU and the router with the smaller MTU rejects DBDs that advertise a larger one.

Why this answer

The EXSTART state in OSPF indicates that the routers have formed a bidirectional communication and are negotiating the master/slave relationship and the initial Database Description (DBD) packet exchange. A common cause for getting stuck in EXSTART is an MTU mismatch between the two interfaces, which prevents the DBD packets from being accepted by the neighbor, causing the process to stall.

Exam trap

Cisco often tests the MTU mismatch as a specific cause for OSPF adjacency being stuck in EXSTART, and candidates may mistakenly focus on router IDs or addressing instead of the packet size negotiation.

Why the other options are wrong

A

The problem is not due to missing global addresses; the adjacency is stuck at EXSTART, not at DOWN or INIT.

C

Router IDs must be different, not the same: two OSPF routers with identical router IDs refuse to form an adjacency, so making them match would create a fault rather than fix one. The routers in this scenario already use distinct IDs (the exhibit cites 192.168.1.1 and 192.168.1.2).

D

The adjacency is stuck in EXSTART, which is not typically resolved by changing network type; the issue is related to packet exchange.

1617
Drag & Dropmedium

Drag and drop the following steps into the correct order to troubleshoot an end-to-end connectivity issue using a bottom-up approach.

Why this order

The correct troubleshooting order follows the OSI model bottom-up: start with physical connectivity (A), then verify Layer 3 addressing (B), use diagnostic tools (C) to isolate the failure, and finally implement the solution and verify restoration (D). Skipping layers can lead to misdiagnosis.

Exam trap

A common mistake is to begin with tools like ping before confirming physical and IP configuration; always validate lower layers first.

1618
MCQhard

A network engineer notices that after removing a standard ACL that was applied inbound on the internet-facing interface, the router is now receiving IP packets from the internet with source IP addresses in the 10.0.0.0/8 range, which were previously blocked. What is the most likely cause?

A.The original standard ACL only had a permit statement, so after removal the permit still takes effect because the ACL remains in the running configuration.
B.The ip access-group command on the interface remains but is missing the referenced ACL, causing the router to default to denying all ingress traffic except the previously permitted 10.0.0.0/8.
C.Removing the ACL from the interface eliminates the implicit deny at the end and restores the default permit all behavior, allowing all incoming traffic.
D.The ACL was reapplied in the outbound direction instead of inbound, so it now blocks traffic leaving the interface but not entering it.
AnswerC

Before removal, the inbound ACL dropped packets with 10.0.0.0/8 sources, either by an explicit deny or because only legitimate sources were permitted and the implicit deny at the end caught the rest; that is the anti-spoofing ingress filtering BCP 38 asks for at an Internet edge. Once the ACL is de-applied, the interface has no access list, so all traffic is permitted, including the previously blocked spoofed packets.

Why this answer

When an ACL is removed from an interface using 'no ip access-group', the interface reverts to its default behavior of permitting all traffic. The previous ACL's implicit deny all no longer applies, so spoofed RFC 1918 source addresses that were once blocked are now allowed to enter.

Exam trap

Many candidates assume that removing an ACL from an interface still leaves some residual filtering based on the ACL's permit statements, but in reality the interface returns to a wide-open permit-all state. The same is true on IOS if the ACL definition is deleted ('no access-list 100') while 'ip access-group 100 in' is left on the interface: an applied ACL that does not exist permits everything. Check with 'show ip interface <name>', which reports the inbound and outbound access lists in effect, and with 'show access-lists' to confirm the list still has entries.

Why the other options are wrong

A

Candidates may think that the ACL itself, if still configured, continues to filter traffic even when not applied to an interface.

B

A common misunderstanding is that an access-group line referencing a missing ACL falls back to some default-deny behaviour. 'no ip access-group' removes the line entirely, and on IOS an access-group that points at an undefined or empty list permits all traffic rather than denying it; there is no partial filtering either way.

D

Some candidates may confuse direction changes with removal and assume the ACL is still filtering traffic in some way, but the symptom clearly indicates no filtering at all.
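To make the implicit-deny point concrete, here is an added example (not code from the page) that evaluates a standard IPv4 ACL the way IOS does, first match wins and an unmatched packet hits the implicit deny, alongside the interface-level rule that an absent, empty or undefined access-group permits everything. The anti-spoofing list and the sample sources are constructed for the example; the real ACL in the question is not shown.

```python
"""Standard IPv4 ACL evaluation with IOS semantics, and what 'no ACL' means.

Added example for question 1618; the ACL and packet sources below are
constructed. Two rules are modelled: inside a list the first matching entry
wins and an unmatched packet falls to the implicit 'deny any'; at the
interface, no applied list (or, on IOS, an applied list that is empty or
undefined) means every packet is permitted.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    address: int     # the address part of 'deny 10.0.0.0 0.255.255.255'
    wildcard: int    # wildcard bits set to 1 are "don't care"


def parse_ace(line: str) -> Ace:
    """Parse one ACE in standard-ACL syntax: permit|deny any | host A | A [wildcard]."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACE: {line!r}")
    action = parts[0]
    if parts[1] == "any":
        return Ace(action, 0, 0xFFFFFFFF)
    if parts[1] == "host":
        return Ace(action, int(ipaddress.IPv4Address(parts[2])), 0)
    address = int(ipaddress.IPv4Address(parts[1]))
    wildcard = int(ipaddress.IPv4Address(parts[2])) if len(parts) > 2 else 0
    return Ace(action, address, wildcard)


def acl_permits(entries, src: str) -> bool:
    """Walk the list top-down; no match means the implicit deny at the end."""
    s = int(ipaddress.IPv4Address(src))
    for ace in entries:
        care = ~ace.wildcard & 0xFFFFFFFF      # bits that must match exactly
        if s & care == ace.address & care:
            return ace.action == "permit"
    return False


def interface_permits(applied_acl, src: str) -> bool:
    """Ingress decision at the interface. None = no access-group applied; an
    empty list stands for an access-group naming an undefined or empty ACL,
    which IOS treats as permit-all rather than deny-all."""
    if not applied_acl:
        return True
    return acl_permits(applied_acl, src)


# Constructed BCP 38 style ingress list for an Internet-facing interface.
ANTI_SPOOF = [parse_ace(l) for l in (
    "deny 10.0.0.0 0.255.255.255",
    "deny 172.16.0.0 0.15.255.255",
    "deny 192.168.0.0 0.0.255.255",
    "permit any",
)]

if __name__ == "__main__":
    for src in ("10.20.30.40", "172.31.0.9", "203.0.113.7"):
        print(f"{src:>14}  applied={interface_permits(ANTI_SPOOF, src)}  "
              f"removed={interface_permits(None, src)}")
```

The second column of the output is the question's symptom: with the list removed, the 10.0.0.0/8 source that was dropped a moment ago is now forwarded.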

1619
MCQhard

What is the strongest explanation for why hosts in VLAN 40 are receiving addresses from the wrong DHCP scope?

A.The relay path is sending requests to the wrong DHCP scope or server target.
B.The VLAN 40 SVI must be changed to a trunk port.
C.DHCP can provide only one scope in the entire network.
D.The clients must use static addresses before DHCP relay can work.
AnswerA

This is correct because the clients are receiving addresses, but from the wrong network scope.

Why this answer

Option A is correct because the DHCP relay agent (the 'ip helper-address' on the VLAN 40 SVI) forwards the client's broadcast as a unicast to the configured server and sets the giaddr field to the address of the interface that received the request. The server chooses a scope by matching giaddr against its configured subnets, so a helper pointing at the wrong server, a scope defined for a different subnet than the VLAN 40 SVI address, or a helper placed on a different SVI than intended all produce leases from the wrong scope. The relay does no scope selection of its own; it only forwards.

Exam trap

Cisco often tests the misconception that DHCP can only serve one scope per network, when in fact the issue is typically a misconfigured relay path or server scope mapping, not a protocol limitation. In production, rule out a rogue DHCP server on VLAN 40 as well: a server on the same segment answers without any relay, and DHCP snooping is what stops its offers.

Why the other options are wrong

B

This option is wrong because an SVI is a virtual Layer 3 interface, not a physical port; it is neither an access port nor a trunk and cannot be turned into one. Trunk and access modes apply to physical switch ports, and changing port modes would not affect which scope the DHCP server chooses.

C

This option is incorrect because DHCP can support multiple scopes across different VLANs, allowing for distinct address ranges for each VLAN. Thus, having multiple scopes is not a limitation of DHCP itself.

D

This option is incorrect because DHCP relay does not require clients to use static addresses; it is designed to facilitate dynamic IP address assignment. Static addresses would not affect the relay process or the DHCP server's ability to assign addresses from the correct scope.

1620
PBQhard

You are connected to R1. The inside network 192.168.10.0/24 must be able to reach the Internet via PAT (NAT overload) using the outside interface G0/1 with IP 203.0.113.2/30. Additionally, the internal server at 192.168.10.100 must be statically mapped to public IP 203.0.113.10. The current configuration is incomplete and contains errors. Fix the NAT configuration on R1 so that both requirements are met.

Hints

  • Check the NAT direction on the outside interface.
  • The overload keyword is missing from the PAT command.
  • The ACL must match the entire inside subnet, not just one host.
A.ip access-list standard 100 permit 192.168.10.0 0.0.0.255 ip nat inside source list 100 interface GigabitEthernet0/1 overload ip nat inside source static 192.168.10.100 203.0.113.10 interface GigabitEthernet0/1 ip nat outside
B.ip access-list standard 100 permit host 192.168.10.100 ip nat inside source list 100 interface GigabitEthernet0/1 overload ip nat inside source static 192.168.10.100 203.0.113.10 interface GigabitEthernet0/1 ip nat outside
C.ip access-list standard 100 permit 192.168.10.0 0.0.0.255 ip nat inside source list 100 interface GigabitEthernet0/1 ip nat inside source static 192.168.10.100 203.0.113.10 interface GigabitEthernet0/1 ip nat outside
D.ip access-list standard 100 permit 192.168.10.0 0.0.0.255 ip nat inside source list 100 interface GigabitEthernet0/1 overload ip nat inside source static 192.168.10.100 203.0.113.10 interface GigabitEthernet0/1 ip nat inside
AnswerA
solution
! R1
configure terminal
interface gigabitEthernet0/1
no ip nat inside
ip nat outside
exit
! the LAN-facing interface (not named on the page) needs 'ip nat inside'
! 100 is an extended-ACL number, so the extended syntax is used here;
! a standard list would be 'access-list 1 permit 192.168.10.0 0.0.0.255'
no access-list 100
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list 100 interface gigabitEthernet0/1 overload
! second requirement of the task: the published server
ip nat inside source static 192.168.10.100 203.0.113.10
end

Why this answer

The correct configuration is an ACL matching the entire 192.168.10.0/24 subnet, a PAT statement with the overload keyword referencing that ACL and the outside interface, the Internet-facing interface marked 'ip nat outside' (with the LAN interface as 'ip nat inside'), plus the static mapping for the server. Option A achieves all of these. Note that 100 is an extended-ACL number: the options write 'ip access-list standard 100', but in practice use 'access-list 100 permit ip 192.168.10.0 0.0.0.255 any' or a standard list numbered 1 to 99. Option B fails because its ACL only matches the server host, so only 192.168.10.100 can use the PAT translation.

Option C omits the overload keyword, so the statement becomes dynamic NAT with a single address (the interface IP): one inside host holds the translation at a time and the rest are dropped. Option D configures the external interface as ip nat inside instead of outside, so nothing is translated for outbound traffic. Verify with 'show ip nat translations' and 'show ip nat statistics'.

Exam trap

Watch out for three common traps: (1) forgetting the overload keyword when PAT is needed; (2) using an ACL that only matches the server instead of the whole subnet; (3) confusing inside and outside interface configuration. Always verify the ACL scope and the presence of overload for PAT. One thing the task does not ask about but a live deployment needs: the static mapping exposes every port of 192.168.10.100 at 203.0.113.10, so an inbound ACL on the outside interface should limit what reaches it.

Why the other options are wrong

B

The ACL must match the entire inside network (192.168.10.0/24), not just the server IP.

C

The overload keyword is required to enable PAT (port address translation) for sharing a single public IP among multiple inside hosts.

D

The interface facing the internet must be configured as ip nat outside; inside interfaces are those facing the internal network.
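The difference the overload keyword makes, as an added simulation that is not configuration from the page: a small translation table where one public address is shared by rewriting source ports, compared with the same statement without overload, where the interface address behaves as a one-entry pool. The subnet, outside address and static mapping follow question 1620; the inside hosts and ports are constructed, and the static mapping's inbound lookup shows why question 1623's inbound ACL matters.

```python
"""PAT (overload) versus single-address dynamic NAT, plus a static mapping.

Added simulation for question 1620; not configuration from the page. The
inside subnet, outside address and static mapping are the question's; the
inside hosts and ports are constructed. IOS keeps the original source port
when it is free and picks another otherwise, which is what _allocate_port does.
"""
import ipaddress


class NatRouter:
    def __init__(self, inside_net: str, outside_ip: str, overload: bool, static=None):
        self.inside = ipaddress.IPv4Network(inside_net)   # stands in for the ACL
        self.outside_ip = outside_ip
        self.overload = overload
        self.static = dict(static or {})                  # inside ip -> public ip
        self.table = {}                                   # (in_ip, in_port) -> (pub_ip, pub_port)

    def _allocate_port(self, wanted: int) -> int:
        """Reuse the inside port if nobody holds it, else the lowest free port >= 1024."""
        used = {pub_port for _, pub_port in self.table.values()}
        if wanted not in used:
            return wanted
        port = 1024
        while port in used:
            port += 1
        return port

    def translate_outbound(self, src_ip: str, src_port: int):
        """Return the (ip, port) a packet leaves with, or None if it is dropped."""
        if src_ip in self.static:
            return (self.static[src_ip], src_port)        # static NAT: 1:1, ports untouched
        if ipaddress.IPv4Address(src_ip) not in self.inside:
            return (src_ip, src_port)                     # ACL miss: forwarded untranslated
        key = (src_ip, src_port)
        if key in self.table:
            return self.table[key]                        # existing flow, same mapping
        if self.overload:
            self.table[key] = (self.outside_ip, self._allocate_port(src_port))
        else:
            # No 'overload': dynamic NAT from a one-address pool (the interface IP).
            # The first inside host takes it; other hosts are dropped until it times out.
            holders = {in_ip for in_ip, _ in self.table}
            if holders and src_ip not in holders:
                return None
            self.table[key] = (self.outside_ip, src_port)
        return self.table[key]

    def translate_inbound(self, dst_ip: str, dst_port: int):
        """Reverse lookup for a packet arriving on the outside interface."""
        for inside, public in self.static.items():
            if public == dst_ip:
                return (inside, dst_port)   # every port: the static entry filters nothing
        for (in_ip, in_port), (pub_ip, pub_port) in self.table.items():
            if (pub_ip, pub_port) == (dst_ip, dst_port):
                return (in_ip, in_port)
        return None                          # unsolicited: no entry, packet dropped


if __name__ == "__main__":
    pat = NatRouter("192.168.10.0/24", "203.0.113.2", overload=True,
                    static={"192.168.10.100": "203.0.113.10"})
    print(pat.translate_outbound("192.168.10.11", 40000))   # port kept
    print(pat.translate_outbound("192.168.10.12", 40000))   # port rewritten
    print(pat.translate_inbound("203.0.113.10", 3389))      # static entry lets anything in
    plain = NatRouter("192.168.10.0/24", "203.0.113.2", overload=False)
    print(plain.translate_outbound("192.168.10.11", 40000))
    print(plain.translate_outbound("192.168.10.12", 40000))  # None: pool of one exhausted
```

The last line is option C's failure mode, and the inbound lookup against 203.0.113.10 is the reason an inbound ACL has to accompany a static mapping.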

1621
MCQhard

A packet is destined for 192.168.40.130. The routing table contains 192.168.40.0/24, 192.168.40.128/25, and 0.0.0.0/0. Which route is used?

A.192.168.40.0/24
B.192.168.40.128/25
C.0.0.0.0/0
D.No route can be used because the entries overlap
AnswerB

This is correct because 192.168.40.130 falls within that more specific range.

Why this answer

The /25 route is used because it is the most specific matching prefix. In plain language, even though the /24 and the default route also technically match, the router prefers the entry that most precisely describes the destination range. Since 192.168.40.130 falls inside 192.168.40.128/25, that route wins under longest-prefix match.

This is a classic routing-table interpretation pattern. The router does not start with the default route when more specific routes exist, and it does not choose the /24 simply because it is familiar. Specificity comes first.

Exam trap

A common exam trap is assuming that the default route or a larger subnet like /24 will be chosen over a more specific subnet like /25. Candidates may incorrectly think the default route is preferred or that overlapping routes cause ambiguity. However, routers always use the longest prefix match rule, which means the route with the most specific subnet mask that includes the destination IP is selected.

Misunderstanding subnet mask lengths or ignoring longest prefix match leads to wrong answers in routing questions.

Why the other options are wrong

A

192.168.40.0/24 is a valid route but less specific than 192.168.40.128/25. Since the destination IP falls within both, the router prefers the more specific /25 route, so this option is incorrect.

C

0.0.0.0/0 is the default route and only used when no other route matches. Since more specific routes exist for the destination IP, this option is incorrect.

D

Overlapping routes like /24 and /25 are common and resolved by longest prefix match. The presence of overlapping entries does not prevent route selection, so this option is incorrect.
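Both the block-size calculation from question 1615 and the longest-prefix match from question 1621 reduce to the same mask arithmetic, so one added example (not from the page) covers both: network_address clears the host bits, and longest_prefix_match walks a small table and keeps the covering entry with the longest mask. The next-hop labels are constructed; the prefixes and addresses are the ones quoted in the two questions. The same rule is what lets a more-specific prefix announcement override a legitimate route, which is why route hijacks are usually advertised as /24s inside a victim's larger block.

```python
"""Subnet boundaries and longest-prefix match with explicit mask arithmetic.

Added example for questions 1615 and 1621. The prefixes and host addresses are
the ones quoted in those questions; the next-hop labels are constructed.
"""
import ipaddress


def _mask(prefixlen: int) -> int:
    """32-bit mask with prefixlen leading one bits, e.g. /28 -> 0xFFFFFFF0."""
    if not 0 <= prefixlen <= 32:
        raise ValueError(f"bad prefix length {prefixlen}")
    return (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF


def network_address(host: str, prefixlen: int) -> str:
    """Clear the host bits: the block-size method from the question in one AND."""
    value = int(ipaddress.IPv4Address(host))
    return str(ipaddress.IPv4Address(value & _mask(prefixlen)))


def broadcast_address(host: str, prefixlen: int) -> str:
    """Set the host bits: the last address of the block."""
    value = int(ipaddress.IPv4Address(host))
    return str(ipaddress.IPv4Address(value | (~_mask(prefixlen) & 0xFFFFFFFF)))


def longest_prefix_match(table, dest: str):
    """Return the (prefix, next_hop) whose prefix covers dest with the most bits.

    table is a list of ("a.b.c.d/len", next_hop) pairs in any order. A
    0.0.0.0/0 entry is just a /0 prefix that covers everything, so it wins
    only when nothing longer matches. Returns None if no entry covers dest.
    """
    d = int(ipaddress.IPv4Address(dest))
    best = None
    for prefix, next_hop in table:
        net = ipaddress.IPv4Network(prefix)
        if d & _mask(net.prefixlen) != int(net.network_address):
            continue                       # prefix does not cover dest
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, next_hop)         # longer mask beats table order
    return None if best is None else (str(best[0]), best[1])


# The routing table from question 1621, with constructed next-hop labels.
ROUTING_TABLE = [
    ("192.168.40.0/24", "via 10.1.1.2"),
    ("192.168.40.128/25", "via 10.1.1.3"),
    ("0.0.0.0/0", "via 203.0.113.1"),
]

if __name__ == "__main__":
    print(network_address("10.77.4.141", 28), broadcast_address("10.77.4.141", 28))
    for dest in ("192.168.40.130", "192.168.40.5", "8.8.8.8"):
        print(dest, "->", longest_prefix_match(ROUTING_TABLE, dest))
```

Table order is deliberately irrelevant in longest_prefix_match: the /25 wins for 192.168.40.130 no matter where it sits in the list, which is exactly the point the question makes.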

1622
MCQhard

Two OSPF routers connected over Ethernet fail to become neighbors. Their interfaces are up/up and in the same IPv4 subnet. One router uses area 0 and the other uses area 1 on the connecting interfaces. What is the most likely cause?

A.Mismatched OSPF process IDs
B.Mismatched OSPF areas on the shared link
C.Missing default routes
D.Different router IDs
AnswerB

Correct. The area mismatch is a neighbor-forming failure condition.

Why this answer

OSPF neighbors on the same link must agree on key parameters, including the area assigned to that interface. A mismatch prevents the adjacency from forming.

Exam trap

A common exam trap is assuming that OSPF process IDs must match between neighbors for adjacency to form. Many candidates mistakenly focus on process ID alignment, but OSPF process IDs are locally significant and do not need to match. The real cause of adjacency failure in this scenario is the mismatch in OSPF area IDs on the shared link.

This subtle difference often leads to confusion, causing candidates to overlook the critical role of area consistency in neighbor formation and select incorrect answers related to process IDs or router IDs.

Why the other options are wrong

A

Mismatched OSPF process IDs do not prevent neighbor formation because process IDs are locally significant identifiers on each router. They do not need to match for adjacency to form, so this option is incorrect.

C

Missing default routes do not affect OSPF neighbor formation. Default routes influence routing decisions but are not required for establishing OSPF adjacencies, so this option is incorrect.

D

Different router IDs are necessary for OSPF neighbors to uniquely identify each router. Having different router IDs does not cause adjacency failure, so this option is incorrect.

1623
MCQhard

Exhibit: Hosts on the inside network can reach the internet, but inbound connections to a published web server fail. Static NAT is configured. What is the most likely missing piece?

A.A default route on the inside host
B.An ACL permit entry allowing TCP port 80 or 443 to the translated address
C.PAT overload on the outside interface
D.DHCP relay toward the web server
AnswerB

NAT alone does not override an inbound filtering policy.

Why this answer

Static NAT provides the address translation, but traffic still must be permitted by an inbound ACL or firewall policy on the outside interface. Because that inbound ACL is evaluated before the outside-to-inside translation, its entries must name the public (mapped) address and the service ports, not the server's inside address; 'show ip nat translations' confirms the static entry exists and 'show access-lists' shows whether the permit entry is matching. Option A is incorrect because a default route on the inside host affects outbound traffic, not inbound connections. Option C is wrong since PAT overload is for many-to-one translation and is not required here, and it would not block inbound traffic if static NAT is already configured.

Option D is incorrect because DHCP relay does not influence inbound access to a web server; it only forwards DHCP requests from clients to a remote DHCP server.

Exam trap

Many candidates assume that static NAT alone guarantees inbound access, forgetting that an inbound ACL on the outside interface must explicitly permit the traffic.

Why the other options are wrong

A

A default route on the inside host controls outbound traffic, not inbound connections from the internet.

C

PAT overload is used for many-to-one translation and would not block inbound traffic if static NAT is already configured.

D

DHCP relay forwards DHCP requests to a remote server and does not affect inbound HTTP/HTTPS access to a web server.

1624
MCQhard

An administrator configures a GRE tunnel interface on a router with the following: interface Tunnel0, tunnel source GigabitEthernet0/0, tunnel destination 192.168.2.2. What is the main purpose of this configured tunnel?

A.It creates a logical tunnel across another network.
B.It enables PPP authentication on a serial interface.
C.It configures WPA3 security for a wireless bridge.
D.It enables BGP between autonomous systems automatically.
AnswerA

This is correct because the tunnel source and destination define a virtual tunnel path.

Why this answer

GRE is a tunneling mechanism used to carry one type of traffic over another network path by encapsulating packets. In practical terms, the configuration creates a logical tunnel between endpoints so traffic can cross an underlying IP network as if a virtual path existed between them. The key point is that GRE is about tunneling, not encryption by itself.

This distinction matters because people often assume tunnels automatically imply encryption. GRE by itself does not provide that.

Exam trap

A frequent exam trap is confusing GRE tunnels with encryption or automatic routing protocol establishment. Candidates often assume that because GRE creates a tunnel, it also encrypts traffic or automatically enables protocols like BGP. However, GRE only encapsulates packets and does not provide confidentiality or integrity.

Encryption requires pairing GRE with IPsec. Additionally, routing protocols must be explicitly configured over the tunnel interface; the tunnel itself does not initiate or enable them. Misreading the tunnel configuration as PPP authentication or wireless security is another common pitfall, as GRE operates at Layer 3 and is unrelated to those technologies.

Why the other options are wrong

B

Incorrect. PPP authentication applies to serial interfaces and point-to-point links, but the exhibit shows a GRE tunnel configuration, not PPP on a serial link.

C

Incorrect. WPA3 is a wireless security protocol unrelated to GRE tunnels, which operate at Layer 3 and do not configure wireless security settings.

D

Incorrect. GRE tunnels do not automatically enable BGP or any routing protocol; routing protocols must be explicitly configured over the tunnel interface.

1625
PBQhard

You are connected to the console of R1. The network team wants to secure remote access. R1 currently has no SSH configuration. The domain name is 'example.com' and you need to generate an RSA key pair of 2048 bits and enable SSH version 2 on vty lines.

Network Topology
R1 G0/0 10.0.0.1/24 <-> Management Network

Hints

  • SSH requires a domain name and RSA keys.
  • Use 'ip ssh version 2' to enforce SSHv2.
  • The vty lines must accept SSH only, not Telnet.
A.Configure IP domain name, generate RSA key pair with 2048 bits, set SSH version 2, and configure vty lines to use SSH.
B.Generate RSA key pair with 2048 bits, set SSH version 2, and configure vty lines to use SSH. Domain name is optional.
C.Configure IP domain name, generate RSA key pair with 2048 bits, and set SSH version 2. No need to configure vty lines.
D.Configure IP domain name, generate RSA key pair with 1024 bits, set SSH version 2, and configure vty lines to use SSH.
AnswerA
solution
! R1
! keys are named <hostname>.<domain>; IOS refuses to generate them while the
! hostname is still the default 'Router' or no domain name is set
ip domain-name example.com
! 'general-keys' is the default key type; the keyword is optional
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
transport input ssh
! not asked by the task, but logins also need 'login local' with a
! 'username ... secret ...' entry (or AAA) before anyone can authenticate

Why this answer

SSH requires a non-default hostname and a domain name because the RSA key pair is named after them. Use 'ip domain-name example.com' (newer releases also accept 'ip domain name'), then 'crypto key generate rsa modulus 2048'; 'general-keys' is the default key type, so the keyword may be included but is not required, and it is the 'modulus' argument that makes the command non-interactive. Set SSH version 2 with 'ip ssh version 2' (which needs a modulus of at least 768 bits) and restrict the vty lines to SSH with 'line vty 0 4' and 'transport input ssh'. Verify with 'show ip ssh' and 'show crypto key mypubkey rsa'.

Answer A includes all required steps correctly. Option B misses the domain name. Option C omits vty line configuration.

Option D uses the wrong key size.

Exam trap

A common mistake is to omit 'modulus' and accept the small default offered at the interactive prompt, which is well below current guidance and may be refused by SSHv2; specify 'modulus 2048' on the command line. Also remember that 'transport input ssh' only restricts which protocols the vty accepts; authentication still needs local users or AAA.

Why the other options are wrong

B

The specific factual error: The domain name is mandatory for RSA key generation in SSH configuration.

C

The specific factual error: Vty lines require transport input ssh to allow SSH connections.

D

The specific factual error: The key size must be 2048 bits as specified; 1024 bits is insufficient.

1626
MCQ (hard)

A company wants an internal web server to be reachable consistently from the Internet using one known public IPv4 address. Which NAT approach best fits that requirement?

A. Static NAT
B. PAT overload
C. No NAT, because private IPv4 addresses are publicly routable
D. DHCP relay
Answer: A

This is correct because static NAT gives the server a permanent public mapping.

Why this answer

Static NAT is the best fit because it creates a fixed one-to-one relationship between the inside server and the public address. In practical terms, outside clients need a stable public identity for the server. They cannot rely on a translated address that changes session by session. Static NAT gives that predictability.

This is different from PAT, which is designed for many inside users sharing fewer public addresses for outbound traffic. The question is about publishing a server, not conserving addresses for client browsing. That is why static NAT is the strongest answer.

Exam trap

A frequent exam trap is selecting PAT overload as the solution for making an internal server reachable from the Internet. PAT is primarily designed for outbound traffic from multiple internal hosts sharing a single public IP, not for inbound access to a specific server. Another trap is thinking private IPv4 addresses are publicly routable, which they are not, so no NAT would fail to provide Internet reachability.

Also, confusing DHCP relay with NAT functions can mislead candidates, as DHCP relay only forwards DHCP messages and does not affect public IP mappings or server accessibility from the Internet.

Why the other options are wrong

B

PAT overload is incorrect because it is designed for many internal hosts sharing a single public IP for outbound traffic, not for providing a fixed public IP for inbound server access.

C

No NAT is incorrect since private IPv4 addresses are not routable on the public Internet; without NAT, the internal server cannot be reached from outside the private network.

D

DHCP relay is unrelated to NAT or public reachability; it only forwards DHCP requests across subnets and does not provide any public IP mapping for internal servers.

1627
MCQ (hard)

A network engineer has configured an LACP EtherChannel between Switch1 and Switch2 by assigning interfaces to channel-group 1 with the mode passive on both switches. The engineer issues the show etherchannel summary command on Switch1 and sees the output below. The Port-channel interface remains down. Which action resolves the issue?

A. Configure the switchport mode as trunk on both sides.
B. Change the mode on one switch to active.
C. Verify that the native VLAN matches on both sides of the trunk.
D. Correct the speed and duplex settings on the member ports.
Answer: B

With both sides passive, no LACP PDUs are exchanged. Configuring one side as active starts the negotiation, allowing the ports to bundle and the Port-channel to come up.

Why this answer

When both switches are configured with LACP mode passive, neither switch initiates the negotiation process because passive mode only responds to incoming LACP packets. By changing one side to active mode, that switch will actively send LACP packets, allowing the EtherChannel to form. The Port-channel interface remains down due to this negotiation failure, not because of VLAN or physical mismatch issues.

Exam trap

Cisco often tests the LACP mode interaction by setting both sides to passive, leading candidates to incorrectly focus on trunking, VLAN, or physical layer issues instead of recognizing that LACP requires at least one side to be active.

Why the other options are wrong

A

The show output indicates Layer 2 mode is already active, and trunking isn’t required for bundling. The issue is LACP protocol negotiation, not interface mode.

C

The Port-channel would still form even with a native VLAN mismatch; it would not be down (SD) and ports would not be stand-alone (I) solely because of VLAN mismatch.

D

The flags in the output (I, SD) are not consistent with a speed/duplex problem, and the explicit configuration of passive mode on both sides is the known root cause.

1628
Matching (easy)

Match each common infrastructure service to its most accurate role.

Descriptions to match:

  • Hostname resolution
  • Automatic IP configuration
  • Clock synchronization
  • Centralized event and log reporting

Why these pairings

DNS resolves hostnames to IP addresses (hostname resolution). DHCP automatically assigns IP configurations to devices (automatic IP configuration). NTP synchronizes clocks across network devices (clock synchronization).

Syslog collects and centralizes logs from network devices for monitoring and troubleshooting (centralized event and log reporting). A common mistake is confusing Syslog with SNMP: Syslog sends log messages, while SNMP is used for polling and traps for device management.

Exam trap

The exam often tests your ability to distinguish between DNS and DHCP, as both are foundational services. Remember: DNS resolves names, DHCP assigns addresses. Do not confuse their roles.

1629
MCQ (hard)

Refer to the exhibit. A network engineer is investigating intermittent connectivity complaints on a gigabit uplink between two distribution switches. The engineer runs the show interfaces GigabitEthernet0/0 command on one of the switches. Based on the output, what is the most likely cause of the errors?

A. The interface is configured with an incorrect encapsulation type.
B. A damaged or faulty cable is causing excessive CRC errors.
C. A duplex mismatch exists between the connected devices.
D. The interface is assigned to the wrong VLAN.
Answer: B

The exhibit displays 5200 CRC errors (more than 5000) and 5231 input errors. High CRC counts directly indicate that received frames are being corrupted by physical layer issues such as a damaged cable, loose connector, or EMI on the copper segment.

Why this answer

The output shows a high number of CRC errors and runts, which typically indicate a Layer 1 physical-layer issue such as a damaged or faulty cable. CRC errors occur when frames fail the cyclic redundancy check due to signal degradation, noise, or physical damage to the cabling. On a gigabit uplink, this is the most likely cause of intermittent connectivity.

Exam trap

Cisco often tests the distinction between CRC errors (physical layer) and late collisions (duplex mismatch), so the trap here is that candidates see errors and assume a duplex mismatch without checking for the specific error types like late collisions or alignment errors.

Why the other options are wrong

A

Encapsulation problems cause protocol failures, not corrupted frames with CRC errors.

C

Candidates often mistake high CRC counts for duplex issues. The absence of collision-related counters rules out a duplex mismatch.

D

A wrong VLAN does not generate CRC errors on the physical interface.

1630
MCQ (hard)

A PC connected to SW1 cannot reach the default gateway. The access port is assigned to VLAN 20, and the switch output shows that VLAN 20 is inactive. What is the most likely cause?

A. Port security has shut down the interface
B. VLAN 20 does not exist or is not active on the switch
C. The port must be converted to a trunk
D. The default gateway must be configured on the physical switch port
Answer: B

That is exactly what the inactive VLAN status is telling you.

Why this answer

The port is operationally up, but VLAN 20 is listed as inactive because that VLAN does not exist in the VLAN database. An access port assigned to a missing VLAN will not carry normal user traffic for that VLAN.

Exam trap

Ensure the VLAN is created and active in the VLAN database when troubleshooting connectivity issues.

Why the other options are wrong

A

This option is wrong because the question specifies that the PC cannot reach the default gateway due to VLAN issues, not because of port security settings. Port security would typically result in the interface being in an error-disabled state, which is not indicated here.

C

This option is incorrect because converting the port to a trunk would not resolve the issue of the PC not reaching the default gateway if VLAN 20 is not configured or active. The problem lies in the VLAN configuration, not the port type.

D

This option is incorrect because the default gateway is typically configured on the device (e.g., a router or PC) rather than on the switch port itself. The issue in the question pertains to VLAN configuration, not gateway settings.

1631
PBQ (medium)

You are connected to SW1, a Layer 2 switch. Port G0/1 connects to a PC in VLAN 10. Management requires that only one MAC address is allowed on this port, and if a violation occurs, the port should shut down and a log message should be generated. Additionally, you need to ensure that the port enables rapidly and does not wait for STP convergence. Currently, the PC has MAC address aaaa.bbbb.cccc.

Network Topology
SW1 (G0/1) connected to the PC

Hints

  • Port security must be enabled first.
  • Use the 'mac-address' command to specify the allowed MAC.
  • PortFast bypasses STP listening/learning for access ports.
A. switchport port-security; switchport port-security maximum 1; switchport port-security mac-address aaaa.bbbb.cccc; switchport port-security violation shutdown; spanning-tree portfast
B. switchport port-security maximum 1; switchport port-security mac-address aaaa.bbbb.cccc; switchport port-security violation restrict; spanning-tree portfast
C. switchport port-security maximum 1; switchport port-security mac-address aaaa.bbbb.cccc; switchport port-security violation protect; spanning-tree portfast
D. switchport port-security maximum 1; switchport port-security mac-address aaaa.bbbb.cccc; switchport port-security violation shutdown; no spanning-tree portfast
Answer: A
Solution:
! SW1
interface GigabitEthernet0/1
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address aaaa.bbbb.cccc
switchport port-security violation shutdown
spanning-tree portfast

Why this answer

Port security limits access to a port based on MAC addresses. The correct sequence must first enable port security with the `switchport port-security` command. Then setting maximum to 1 with a specific MAC ensures only that device can connect.

Violation shutdown disables the port if an unauthorized MAC appears. PortFast allows the port to transition to forwarding immediately, which is appropriate for end-user devices. Options B and C use wrong violation modes (restrict or protect) that do not shut the port and may not log.

Option D uses correct violation mode but omits PortFast, causing STP delays.

Exam trap

The key trap is confusing the three port security violation modes: shutdown (disables port + logs), restrict (drops traffic + logs but port stays up), and protect (drops traffic silently, no log). Also, remember that PortFast is needed for immediate forwarding on access ports.

Why the other options are wrong

B

The specific factual error: 'restrict' does not disable the port; it only filters traffic and logs the violation, but the port remains operational.

C

The specific factual error: 'protect' silently drops unauthorized traffic without logging or disabling the port.

D

The specific factual error: PortFast is required to bypass STP convergence; without it, the port will wait for STP to transition, causing delay.

1632
Multi-Select (medium)

A network operations team wants centralized logging from routers and switches and also wants meaningful severity filtering. Which two statements about syslog are correct?

Select 2 answers
A. Devices can send log messages to a remote syslog server for central storage
B. Severity levels allow filtering based on how serious an event is
C. Syslog is used to assign IP addresses dynamically to endpoints
D. Syslog entries replace SNMP counters for interface statistics
Answers: A, B

Centralization helps with monitoring, retention, and incident response.

Why this answer

Syslog provides centralized event reporting by allowing devices to send log messages to a remote server (option A is correct). Severity levels enable filtering based on event seriousness (option B is correct). Option C is incorrect because syslog does not assign IP addresses dynamically—that is the role of DHCP.

Option D is incorrect because syslog logs events and does not replace SNMP counters, which remain the primary method for collecting interface statistics.

Exam trap

Be careful not to confuse syslog's use of UDP with TCP, and remember that syslog can send to multiple servers.

Why the other options are wrong

C

Syslog is not used for IP address assignment; that function is performed by DHCP.

D

Syslog does not replace SNMP counters for interface statistics; SNMP remains the primary method for collecting such data.

1633
Multi-Select (medium)

Which TWO statements accurately describe how AI/ML concepts are applied to network operations in modern enterprise networks?

Select 2 answers
A. Supervised machine learning models can be used to classify network traffic into predefined categories, such as identifying whether traffic is voice, video, or data.
B. Anomaly detection algorithms, often based on unsupervised learning, can identify unusual network behavior that may indicate a security threat or device malfunction.
C. Reinforcement learning is primarily used to automatically classify email traffic as spam or not spam based on a labeled dataset.
D. Clustering algorithms, a type of unsupervised learning, are used to predict the exact bandwidth usage of a specific application over the next hour.
E. Predictive analytics in network operations relies solely on static thresholds defined by network administrators to forecast potential failures.
Answers: A, B

Supervised learning trains on labeled data to classify new traffic, enabling accurate identification of application types for QoS or security policies.

Why this answer

Option A is correct because supervised learning uses labeled data to classify traffic (e.g., voice, video, data). Option B is correct because anomaly detection often uses unsupervised learning to identify deviations from normal behavior. Option C is wrong because reinforcement learning is not used for spam classification; that task uses supervised learning.

Option D is wrong because clustering groups data but cannot predict exact bandwidth usage; prediction requires regression models. Option E is wrong because predictive analytics in network operations leverages machine learning models, not solely static thresholds defined by administrators.

Exam trap

Cisco often tests the distinction between supervised and unsupervised learning by pairing a correct application (e.g., anomaly detection) with a plausible but incorrect application (e.g., clustering for exact prediction), so candidates must remember that clustering groups data without predicting specific values.

Why the other options are wrong

C

This is incorrect because spam classification is a supervised learning problem, not a reinforcement learning one.

D

This is incorrect because clustering groups data; it does not forecast numeric values such as bandwidth usage.

E

This is incorrect because predictive analytics typically involves dynamic ML models, not just static thresholds.

1634
MCQ (medium)

Which security concept is most closely associated with ensuring data has not been altered in an unauthorized way?

A. Integrity
B. Availability
C. Accounting
D. Confidentiality
Answer: A

This is correct because integrity is concerned with preventing or detecting unauthorized changes to data.

Why this answer

The concept is integrity. In plain language, integrity is about making sure data remains accurate and trustworthy and that unauthorized changes can be detected or prevented. If confidentiality is about stopping the wrong people from seeing data, integrity is about stopping the wrong people from changing it. Availability, meanwhile, focuses on access to systems and services when needed.

This distinction matters because CCNA questions often group security vocabulary together and rely on candidates to separate them cleanly. Integrity is not the same as authentication or accounting, and it is not simply about whether a service is online. It specifically focuses on the correctness and trustworthiness of data or system state. That is why integrity is the correct answer here.

Exam trap

A frequent exam trap is mistaking confidentiality for integrity because both relate to data security. Confidentiality prevents unauthorized users from viewing data, but it does not guarantee that the data has not been altered. Another trap is confusing availability with integrity; availability ensures systems and data are accessible when needed but does not protect against unauthorized changes.

Candidates might also select accounting, which tracks user activity but does not ensure data correctness. Understanding these distinctions is crucial to avoid selecting the wrong security concept under exam pressure.

Why the other options are wrong

B

Availability is incorrect because it focuses on ensuring that systems and data are accessible when needed, not on preventing unauthorized data modification.

C

Accounting is incorrect since it involves logging and tracking user activities and network events but does not guarantee that the data itself has not been altered.

D

Confidentiality is incorrect because it protects data from unauthorized disclosure but does not ensure that the data has not been changed or tampered with.

1635
MCQ (medium)

A team wants to know which internal hosts are sending the most traffic to a specific data center subnet. Which technology is most directly associated with that visibility goal?

A. NetFlow
B. Syslog
C. DHCP
D. PortFast
Answer: A

This is correct because NetFlow is designed to provide traffic-flow visibility.

Why this answer

NetFlow is the best fit because it provides visibility into traffic flows and conversations. In practical terms, it helps answer questions like who is talking to whom, over which protocols and ports, and how much traffic is being exchanged. That makes it useful for capacity, troubleshooting, and unusual-traffic analysis.

This is different from Syslog, which reports device events, and from general SNMP polling, which focuses more on device and interface counters.

Exam trap

A common exam trap is selecting Syslog or DHCP when asked about traffic visibility. Syslog focuses on logging system events and device messages, not on analyzing who is sending traffic or how much. DHCP is solely for IP address assignment and does not provide any traffic flow data.

Candidates might confuse these because they are familiar Cisco technologies, but neither provides the flow-level traffic insight that NetFlow offers. Misunderstanding the purpose of these protocols leads to incorrect answers, especially under time pressure.

Why the other options are wrong

B

Syslog is incorrect because it focuses on logging device events and messages rather than providing traffic flow or volume information necessary for identifying heavy traffic sources.

C

DHCP is incorrect since it only assigns IP addresses and network settings to hosts and does not offer any insight into traffic patterns or flow data.

D

PortFast is incorrect because it is a Spanning Tree Protocol feature that accelerates port forwarding state transitions and does not relate to traffic monitoring or analysis.

1636
MCQ (hard)

After configuring DHCP snooping on VLAN 10 to prevent rogue DHCP servers, all clients in the VLAN stop receiving DHCP offers from the legitimate DHCP server that is connected to port Gi0/1. The administrator verifies the DHCP server is operational and reachable. What should the technician do next?

A. Enable Dynamic ARP Inspection on VLAN 10.
B. Configure interface Gi0/1 as a DHCP snooping trusted port.
C. Add an ip helper-address on the VLAN 10 SVI pointing to the DHCP server.
D. Reconfigure the DHCP server scope to include DHCP Option 82.
Answer: B

DHCP snooping blocks DHCP server messages on untrusted ports. Since the legitimate server is on Gi0/1, trusting the port allows the switch to forward DHCP offers from that port, resolving the issue.

Why this answer

By default, DHCP snooping marks all ports as untrusted, which blocks DHCP server replies (including offers) from those ports. Since the legitimate server is connected to Gi0/1, the port must be explicitly trusted to allow DHCP offers through. This step directly addresses the Layer 2 access control mechanism.

Exam trap

The most common mistake is to enable Dynamic ARP Inspection on VLAN 10, assuming it is required for DHCP snooping to work, but DAI only uses the DHCP snooping binding table and does not control DHCP traffic.

Why the other options are wrong

A

This option reflects the misunderstanding that DAI controls DHCP traffic. DAI inspects ARP packets using the DHCP snooping binding table; it does not decide whether DHCP offers are forwarded, so enabling it does not restore the blocked offers.

C

This option assumes that DHCP snooping introduces routing changes or that the server sits on a different subnet. Neither is the case here, so adding a helper address does not address the real cause, which is server messages being dropped on an untrusted port.

D

This option confuses DHCP snooping with DHCP relay-agent functionality and Option 82 insertion. Changing the server scope does not change how the switch treats DHCP server messages arriving on an untrusted port.

1637
Matching (easy)

Match each HTTP method to its common REST API action.

Descriptions to match:

  • Retrieve a resource
  • Create a new resource
  • Update or replace a resource
  • Remove a resource

Why these pairings

GET retrieves data; POST creates; PUT replaces; PATCH partially updates; DELETE removes; OPTIONS queries available methods.

Exam trap

Be careful not to confuse PUT (full replacement) with PATCH (partial update). Also, remember that GET is read-only and should not create or modify data.

1638
Multi-Select (medium)

Which TWO statements correctly describe OSPFv2 DR/BDR election behavior in a multi-access network?

Select 2 answers
A. The router with the highest OSPF interface priority is elected as the DR.
B. A router with OSPF priority 0 can become the BDR if no other router has a higher priority.
C. If two routers have equal priority, the router with the highest router ID (RID) is elected as the DR.
D. The DR election is preemptive; a new router with a higher priority will immediately take over as DR.
E. All routers on a multi-access network form full adjacencies with the DR and BDR only.
Answers: A, C

The DR is elected based on the highest interface priority (0-255, default 1).

Why this answer

Options A and C are correct: OSPFv2 DR election first compares interface priority (highest wins), and if equal, the highest Router ID (RID) wins. Option B is incorrect because a priority of 0 prevents a router from ever becoming DR or BDR. Option D is incorrect because the election is non-preemptive; a router with higher priority won't take over until the current DR/BDR fails.

Option E is incorrect because DR and BDR form full adjacencies with all routers on the segment, not just with each other.

Exam trap

Cisco often tests the misconception that a priority 0 router can become BDR if no other router has a higher priority, but in reality, priority 0 means the router is never elected as DR or BDR.

Why the other options are wrong

B

Priority 0 excludes the router from DR/BDR election entirely; it can only become a DROTHER.

D

A new router with a higher priority does not trigger a new election unless the existing DR or BDR goes down.

E

DROTHERs do not form full adjacencies among themselves; they only exchange LSAs via the DR/BDR.

1639
Drag & Drop (medium)

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and enable 802.1X port authentication on a Cisco IOS-XE switch.

Why this order

First enter global config, then define the RADIUS server, then configure AAA authentication, then enable 802.1X globally, and finally apply per-interface 802.1X settings.

Exam trap

Do not confuse the order: the RADIUS server must be defined before AAA authentication, and AAA must be configured before enabling 802.1X globally. A common trap is to enable 802.1X too early.

1640
PBQ (hard)

You are connected to R1 via console. The network administrator has attempted to configure OSPFv2 between R1, R2, and R3 but OSPF neighbor adjacencies are failing. Configure R1 to correct all issues so that R1 becomes FULL neighbors with both R2 and R3. Do not modify any other device's configuration.

Hints

  • Check if OSPF is sending hello packets on the interfaces.
  • Review the passive-interface configuration on R1.
  • The network statements are correct; the issue is with hello suppression.
A. Remove the 'passive-interface default' command and remove the 'passive-interface GigabitEthernet0/0' and 'passive-interface GigabitEthernet0/1' commands under OSPF configuration.
B. Add 'no passive-interface GigabitEthernet0/0' and 'no passive-interface GigabitEthernet0/1' under OSPF configuration, but keep 'passive-interface default'.
C. Change the network statements to include the correct wildcard masks for the subnets on GigabitEthernet0/0 and GigabitEthernet0/1.
D. Add 'ip ospf network point-to-point' on both GigabitEthernet0/0 and GigabitEthernet0/1 interfaces.
Answer: B
Solution:
! R1
configure terminal
router ospf 1
no passive-interface GigabitEthernet0/0
no passive-interface GigabitEthernet0/1
end

Why this answer

The core issue is that R1 has 'passive-interface default' under the OSPF process, which prevents all interfaces from sending or receiving OSPF hello packets, breaking neighbor formation. The correct fix is to override this default with 'no passive-interface' on the interfaces that connect to neighbors (GigabitEthernet0/0 and GigabitEthernet0/1), allowing OSPF to form adjacencies while keeping other interfaces passive for security. Option B matches the solution commands and is the intended approach.

Option A would also work but removes the default entirely, potentially enabling OSPF on all interfaces, which is not the recommended best practice in this scenario.

Exam trap

When 'passive-interface default' is configured, you must explicitly enable OSPF on neighbor-facing interfaces with 'no passive-interface'; simply removing the default (Option A) is not the intended solution and may expose unintended interfaces to OSPF.

Why the other options are wrong

A

Although removing 'passive-interface default' would also restore OSPF on these interfaces, the solution commands show the preferred method of overriding the default selectively, making this option incorrect for the given scenario.

C

The network statements on R1 already correctly include the /30 subnets, so there is no need to change wildcard masks.

D

The OSPF network type defaults to broadcast, which is appropriate for Ethernet links; changing to point-to-point does not resolve the passive-interface issue and would not fix hello suppression.

1641
MCQ (medium)

An engineer wants users to get fast link-up on access ports but also wants the switch to disable a port if another switch is connected and sends BPDUs. Which combination of features best meets that requirement?

A. PortFast and BPDU Guard
B. DHCP snooping and DAI
C. Root Guard and VTP pruning
D. Port security and CDP
Answer: A

This is correct: PortFast provides fast host connectivity, and BPDU Guard protects the port by shutting it down if BPDUs are received from a connected switch.

Why this answer

PortFast and BPDU Guard are the classic edge-port combination for this requirement. PortFast helps a user-facing interface begin forwarding quickly so a PC or phone does not wait through the normal spanning-tree transition delay. BPDU Guard adds protection by monitoring that same port for BPDUs.

If a switch is accidentally or intentionally connected and starts participating in spanning tree, BPDU Guard reacts by disabling the port to protect the Layer 2 topology. In plain language, users get quick connectivity when the port is used correctly, but the network still protects itself against someone plugging in a switch where only an endpoint should exist. That is exactly what the requirement asks for.

Exam trap

Avoid confusing BPDU Guard with other guard features like Root Guard or Loop Guard, which serve different purposes.

Why the other options are wrong

B

DHCP snooping and DAI (Dynamic ARP Inspection) do not address the requirement of disabling a port upon receiving BPDUs; they focus on protecting against rogue DHCP servers and ARP spoofing, respectively.

C

Root Guard and VTP pruning do not address the requirement of quickly enabling access ports and disabling them upon receiving BPDUs. Root Guard is used to prevent a port from becoming a root port, while VTP pruning optimizes VLAN traffic, neither of which directly manage port states based on BPDU reception.

D

Port security and CDP do not provide the necessary functionality to disable a port when BPDUs are received. Port security can limit the number of MAC addresses but does not specifically address BPDU handling.

1642
MCQ (hard)

A router performing PAT is using a single public IPv4 address for many inside hosts. Which value most often distinguishes one inside flow from another on the same outside address?

A. TTL
B. DSCP
C. TCP or UDP source port
D. MAC address of the host
Answer: C

Correct. PAT uses port numbers to distinguish flows.

Why this answer

PAT commonly multiplexes sessions by translating Layer 4 source port numbers.

Exam trap

A common exam trap is selecting TTL or DSCP as the distinguishing value for inside flows in PAT. TTL is often mistaken because it changes during routing, but it does not uniquely identify sessions. DSCP is related to Quality of Service and does not influence NAT translations.

Another trap is thinking MAC addresses can be used to differentiate flows; however, MAC addresses are stripped and replaced at each routed hop, so they are irrelevant in PAT. The correct distinguishing factor is the TCP or UDP source port number, which PAT uses to multiplex multiple inside hosts over a single public IP address.

Why the other options are wrong

A

TTL is not the main distinguishing value PAT uses because it changes as packets traverse routers and does not uniquely identify individual flows in NAT translations.

B

DSCP is a QoS marking used to prioritize traffic and does not play a role in NAT or PAT flow differentiation, so it cannot distinguish inside flows sharing one outside IP.

D

MAC addresses are Layer 2 addresses that are not preserved across routed NAT boundaries, so they cannot be used to distinguish flows in PAT.

1643
Drag & Drop (medium)

Drag and drop the following OSPFv2 neighbor state transitions into the correct order, starting from the initial state when no neighbor information has been received.

Why this order

OSPF neighbor states begin at Down, then Init after receiving Hello, 2-Way after seeing own router ID, ExStart for master/slave negotiation, and Exchange for exchanging database descriptors.

Exam trap

Do not confuse the order of ExStart and Exchange; ExStart always precedes Exchange. Also, remember that 2-Way comes after Init, not before.

1644
MCQ (medium)

Which HTTP method is typically used to retrieve data from a REST API without modifying the resource?

A. POST
B. PUT
C. GET
D. DELETE
Answer: C

Correct. GET retrieves a resource representation.

Why this answer

GET requests are used to retrieve resource information. They are intended for read operations rather than creation, replacement, or deletion.

Exam trap

A common exam trap is confusing the GET method with POST or PUT because all involve interacting with REST API resources. Candidates might incorrectly select POST or PUT, thinking they retrieve data, but POST is primarily for creating resources and PUT for updating them. GET is unique because it only retrieves data without changing the resource.

Misunderstanding this can lead to selecting a method that modifies the network device's state, which is not the intent of the question. Of the four options, GET is the only safe method: a correctly designed GET handler has no side effects and can be repeated or cached freely (HEAD and OPTIONS are also safe, but are not among the options). Note that "safe" is a contract the server must honour; an API whose GET handler changes device state breaks that contract and lets a plain link trigger the change.

Why the other options are wrong

A

POST is incorrect because it is used to create new resources or submit data that modifies the server state, not for retrieving existing data. Selecting POST would imply changing the resource, which contradicts the question's requirement for a non-modifying method.

B

PUT is incorrect as it replaces or updates an existing resource entirely. It modifies the resource state, which is not the intended action when simply retrieving data from a REST API.

D

DELETE is incorrect because it removes a resource from the server. Using DELETE would modify the resource by deleting it, which is the opposite of the question's intent to retrieve data without modification.
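The method semantics above, made concrete. This is an added example written for this page, not code from the question bank or from any device API: an in-memory REST resource with one branch per HTTP method, plus two probes that check the properties the question relies on (GET is safe; GET, PUT and DELETE are idempotent; POST is neither). The "interfaces" collection, its records and the Gi0/n identifier scheme are constructed.

```python
"""Added example: a toy REST resource and two probes (safe, idempotent).
The collection name, records and identifiers are constructed."""

from copy import deepcopy


class Store:
    """Server-side state for one constructed collection."""

    def __init__(self):
        self.data = {"interfaces": {"Gi0/1": {"description": "uplink", "enabled": True}}}
        self.next_id = 2        # used by POST to mint new identifiers

    def snapshot(self):
        return deepcopy(self.data)


def handle(store, method, collection, item=None, body=None):
    """Process one request and return (status_code, response_body)."""
    coll = store.data.setdefault(collection, {})
    if method == "GET":
        # Read-only: the store is never touched, so repeating it is harmless.
        if item is None:
            return 200, deepcopy(coll)
        return (200, deepcopy(coll[item])) if item in coll else (404, None)
    if method == "POST":
        # Mints a new item on every call: changes state and is not idempotent.
        new_id = f"Gi0/{store.next_id}"
        store.next_id += 1
        coll[new_id] = deepcopy(body or {})
        return 201, {"id": new_id}
    if method == "PUT":
        # Full replacement at a client-chosen URI; repeating it converges.
        if item is None:
            return 405, None
        created = item not in coll
        coll[item] = deepcopy(body or {})
        return (201 if created else 200), deepcopy(coll[item])
    if method == "DELETE":
        if item is None:
            return 405, None
        if item in coll:
            del coll[item]
            return 204, None
        return 404, None        # already gone: state unchanged, still idempotent
    return 405, None


def is_safe(store, method, collection, item=None, body=None):
    """Safe = the request leaves server state untouched."""
    before = store.snapshot()
    handle(store, method, collection, item, body)
    return store.snapshot() == before


def is_idempotent(store, method, collection, item=None, body=None):
    """Idempotent = a second identical request changes nothing further."""
    handle(store, method, collection, item, body)
    after_first = store.snapshot()
    handle(store, method, collection, item, body)
    return store.snapshot() == after_first
```

The two probes are the cheap review a practitioner can run against any API: if is_safe() fails for a GET endpoint, that endpoint mutates state on a read, and anything that can make a client issue a GET (a link, a prefetch, a cache warmer) can make the change.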

1645
MCQmedium

A network engineer wants to identify which applications are consuming the most WAN bandwidth over time. Which feature should be enabled on the router?

A.NTP authentication
B.NetFlow
C.DNS forwarding
D.DHCP snooping
AnswerB

NetFlow provides detailed flow-based traffic visibility.

Why this answer

NetFlow exports a record per flow (source and destination addresses, ports, protocol, byte and packet counts, timestamps) so that an external collector can rank top talkers and applications and trend usage over time. Interface counters from SNMP would show only how busy a link is, not which applications are using it, and syslog carries event messages rather than traffic data.

Exam trap

A frequent exam trap is mistaking features like DHCP snooping or DNS forwarding as tools for bandwidth monitoring. DHCP snooping is a Layer 2 security mechanism that prevents unauthorized DHCP servers but does not provide traffic usage data. DNS forwarding helps resolve domain names faster but does not track or analyze bandwidth consumption.

Another trap is confusing NTP authentication, which secures time synchronization, with traffic profiling tools. Candidates must recognize that only NetFlow collects detailed flow information necessary to identify which applications consume the most WAN bandwidth over time.

Why the other options are wrong

A

NTP authentication protects the integrity of time synchronization between devices but does not provide any mechanism for monitoring or analyzing network traffic flows or bandwidth usage.

C

DNS forwarding improves domain name resolution efficiency but does not collect or analyze traffic flow information related to bandwidth consumption.

D

DHCP snooping is a security feature that prevents unauthorized DHCP servers at Layer 2 and does not provide any traffic profiling or bandwidth monitoring capabilities.
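What a collector does with the exported records, as an added example written for this page (not code from the question bank or from any NetFlow product). The flow records are constructed to resemble the fields of a NetFlow v5 export and are not real captures; the port-to-application table is an assumption (a real collector would use NBAR or its own application table).

```python
"""Added example: aggregating flow records into top talkers and top
applications per hour, as a NetFlow collector does.  All records below
are constructed sample data."""

from collections import defaultdict
from datetime import datetime

# Constructed flow export: start time, src, dst, proto, sport, dport, bytes.
FLOWS = """\
2024-05-01T09:00:05,10.1.1.10,203.0.113.20,6,51000,443,1500000
2024-05-01T09:05:10,10.1.1.11,203.0.113.21,6,51001,443,800000
2024-05-01T09:20:00,10.1.1.12,198.51.100.7,17,40000,53,20000
2024-05-01T09:30:00,10.1.1.10,203.0.113.30,6,51002,22,120000
2024-05-01T10:01:00,10.1.1.13,203.0.113.40,6,51003,80,4000000
2024-05-01T10:15:00,10.1.1.10,203.0.113.20,6,51004,443,600000
2024-05-01T10:40:00,10.1.1.14,198.51.100.7,17,40001,53,10000
"""

# (IP protocol, destination port) -> application label.  Assumed mapping.
APP_BY_PORT = {(6, 443): "HTTPS", (6, 80): "HTTP", (6, 22): "SSH", (17, 53): "DNS"}


def parse_flows(text):
    """Turn the CSV export into a list of flow dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, sport, dport, nbytes = line.split(",")
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "proto": int(proto), "sport": int(sport),
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def app_of(flow):
    """Classify a flow by server-side port; unknown ports keep their number."""
    return APP_BY_PORT.get((flow["proto"], flow["dport"]), f"port-{flow['dport']}")


def bytes_by_app_per_hour(flows):
    """{hour bucket (ISO string): {application: bytes}} for trending over time."""
    table = defaultdict(lambda: defaultdict(int))
    for f in flows:
        bucket = f["ts"].replace(minute=0, second=0, microsecond=0).isoformat()
        table[bucket][app_of(f)] += f["bytes"]
    return {b: dict(apps) for b, apps in table.items()}


def top_talkers(flows, n=3):
    """Inside hosts ranked by total bytes sent."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def top_apps(flows, n=3):
    """Applications ranked by total bytes across the whole window."""
    totals = defaultdict(int)
    for f in flows:
        totals[app_of(f)] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]
```

The same records answer security questions as well as capacity ones: a host that appears in top_talkers() while sending to a single external address on an unusual port is the kind of pattern a detection team looks for in flow data, which is why NetFlow export is usually enabled even where SNMP counters already exist.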

1646
Multi-Selectmedium

Which four of the following correctly describe how AI/ML techniques can improve network operations in a modern enterprise? (Choose all that apply.)

Select 4 answers
A.AI models can analyze historical traffic data to predict future bandwidth congestion
B.Natural language processing (NLP) can be used to automate responses to helpdesk tickets based on intent
C.Reinforcement learning can adjust firewall rules dynamically in response to evolving attack patterns
D.Unsupervised learning can identify unknown device types on the network by clustering behavior patterns
E.AI eliminates the need for baseline performance metrics because it learns in real-time
F.ML models always require labeled training data to be effective in network operations

Why this answer

Options A, B, C, and D are correct. AI models can predict bandwidth congestion by analyzing historical traffic data, enabling proactive capacity planning. Natural language processing (NLP) automates helpdesk ticket responses by interpreting user intent, reducing manual effort.

Reinforcement learning can dynamically adjust firewall rules in response to evolving attack patterns, improving threat response without human intervention. Unsupervised learning can cluster behavior patterns to identify unknown device types on the network. Option E ("AI eliminates the need for baseline performance metrics because it learns in real-time") is incorrect because even AI/ML models require baseline metrics to establish normal behavior and detect anomalies; real-time learning does not remove the need for baselines.

Option F ("ML models always require labeled training data to be effective in network operations") is incorrect because many ML techniques, such as unsupervised learning (as shown in option D), operate effectively on unlabeled data by discovering patterns and clusters without predefined labels.

Exam trap

Cisco often tests the breadth of AI/ML applications in network operations, and the trap here is that candidates might dismiss reinforcement learning as too advanced or theoretical, but it is a valid technique for dynamic policy adjustment in modern intent-based networking (IBN) systems.

1647
MCQhard

Why is traffic to 10.10.10.200 using the EIGRP route instead of the OSPF route, given that both routes have the same prefix length?

A.Because EIGRP has a lower administrative distance than OSPF for the same prefix length.
B.Because OSPF routes are never installed when EIGRP is present.
C.Because OSPF can be used only for IPv6 routes.
D.Because EIGRP routes always have a smaller subnet mask than OSPF routes.
AnswerA

This is correct because both routes are /24, so administrative distance becomes decisive and EIGRP wins.

Why this answer

When two routes to the same prefix have the same prefix length, the router uses administrative distance to choose between sources and installs the route with the lowest value. EIGRP has a default administrative distance of 90 for internal routes (170 for external), while OSPF uses 110. Therefore, the EIGRP route is preferred and the OSPF route stays out of the routing table until the EIGRP route disappears.

Exam trap

A common mistake is to assume that OSPF routes always have a lower administrative distance than EIGRP routes. Also remember the order of evaluation: longest prefix match is applied first, and AD only breaks the tie between equal-length prefixes learned from different sources. Had OSPF offered a more specific prefix, it would have won regardless of AD.

Why the other options are wrong

B

OSPF routes are installed when EIGRP is present; routing protocols coexist and the route with the lowest AD is selected.

C

OSPF supports both IPv4 and IPv6; it is not limited to IPv6.

D

EIGRP routes do not always have a smaller subnet mask; prefix length is determined by the network design, not the routing protocol.

1648
Multi-Selectmedium

Which TWO switch port configurations are required when connecting a Cisco IP phone and a desktop PC to a single access port?

Select 2 answers
A.Configure the port as a trunk and allow both VLANs.
B.Use the 'switchport voice vlan' command to assign a dedicated voice VLAN.
C.Disable spanning tree on the port to prevent voice delays.
D.Apply 'mls qos trust cos' on the interface to preserve voice packet markings.
E.Configure the port as a routed port with an IP address for management.
AnswersB, D

This command separates voice traffic from data traffic: the phone sends its voice frames tagged with the dedicated voice VLAN ID, while the PC's untagged frames stay in the port's access (data) VLAN.

Why this answer

Option B is correct because the 'switchport voice vlan' command assigns a dedicated VLAN for voice traffic, allowing the IP phone to tag its packets with the voice VLAN ID while the PC remains in the access (data) VLAN. Option D is correct because 'mls qos trust cos' (on platforms that use the mls qos CLI) preserves the Layer 2 Class of Service (CoS) markings from the IP phone, ensuring voice packets receive appropriate QoS treatment across the network. Option A is incorrect because a trunk port is not required: the access port with the voice VLAN command carries both VLANs without trunking.

Option C is incorrect because disabling Spanning Tree Protocol (STP) is not a recommended practice and does not prevent voice delays; STP is essential for loop prevention and can be tuned with PortFast instead. Option E is incorrect because the port must remain a Layer 2 access port, not a routed port, to support both the PC and IP phone.

Exam trap

Cisco often tests the misconception that a trunk port is needed to carry both voice and data VLANs, but the correct approach uses a single access port with the 'switchport voice vlan' command to handle both VLANs without trunking.

Why the other options are wrong

A

A trunk is unnecessary for a single user-facing port: the access port with a voice VLAN already carries the phone's tagged voice frames and the PC's untagged data frames, and the phone learns the voice VLAN ID through CDP or LLDP-MED. Configuring a trunk would also expose every allowed VLAN on a port where only two VLANs are needed.

C

STP's forwarding delay affects the port only while it comes up, and PortFast removes that delay on access ports; disabling STP altogether does nothing for voice quality and risks loops and broadcast storms if the port is ever cabled to another switch.

E

Access ports operate at Layer 2; a routed port is a Layer 3 interface with no VLAN membership, so it cannot place the phone and the PC in their separate voice and data VLANs.

1649
Multi-Selectmedium

Which TWO statements about IPv4/IPv6 static routing are true?

Select 2 answers
A.A floating static route is configured with a lower administrative distance than the primary route.
B.An IPv6 default static route can be configured using the destination prefix ::/0.
C.A static route with an administrative distance of 1 is preferred over a directly connected route.
D.A floating static route becomes active in the routing table only when the primary route is removed or fails.
E.IPv4 and IPv6 static routes are configured using the same command syntax.
AnswersB, D

The IPv6 default route is ::/0, similar to 0.0.0.0/0 for IPv4.

Why this answer

Option B is correct because the IPv6 default static route uses the destination prefix ::/0, which matches all IPv6 addresses, similar to 0.0.0.0/0 in IPv4. Option D is correct because a floating static route is configured with a higher administrative distance and only becomes active when the primary route (with a lower AD) is removed or fails. Option A is wrong: a floating static route is configured with a higher administrative distance, not lower.

Option C is wrong: a directly connected route has an administrative distance of 0, which is always preferred over a static route (even with AD 1). Option E is wrong: IPv4 static routes use the 'ip route' command, while IPv6 static routes use the 'ipv6 route' command; the syntax is different.

Exam trap

Cisco often tests the inverse relationship between administrative distance and route preference, trapping candidates who think a lower AD makes a route less preferred rather than more preferred.

Why the other options are wrong

A

A floating static route is configured with a higher administrative distance than the primary route, not lower.

C

A directly connected route has an administrative distance of 0, which is preferred over a static route with AD 1.

E

IPv4 static routes use the 'ip route' command, while IPv6 static routes use the 'ipv6 route' command; the syntax is different.
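The route-selection rules behind questions 1647 and 1649, carried through in one place. This is an added example written for this page, not code from the question bank or from any router: a toy RIB that applies longest prefix match first and then the lowest administrative distance, covering the EIGRP-versus-OSPF tie, a more specific prefix beating a better AD, a directly connected route beating a static one, a floating static route taking over when the primary fails, and an IPv6 ::/0 default. The prefixes, next hops, metrics and interface names are constructed; the AD table uses the Cisco IOS defaults.

```python
"""Added example: a toy RIB applying longest-prefix-match, then lowest
administrative distance.  Prefixes, next hops and metrics are constructed."""

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Cisco IOS default administrative distances for the sources used here.
AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110}


@dataclass
class Route:
    prefix: str
    source: str
    next_hop: str
    ad: Optional[int] = None    # explicit override (floating static); else default
    metric: int = 0
    up: bool = True             # False once the next hop or interface is lost

    def __post_init__(self):
        self.net = ipaddress.ip_network(self.prefix, strict=False)
        if self.ad is None:
            self.ad = AD[self.source]


class Rib:
    def __init__(self):
        self.candidates = []    # every route offered by any source

    def add(self, route):
        self.candidates.append(route)

    def installed(self, prefix):
        """Of the usable candidates for one exact prefix, the lowest AD (then
        lowest metric) is what 'show ip route' would display."""
        net = ipaddress.ip_network(prefix, strict=False)
        ok = [r for r in self.candidates if r.up and r.net == net]
        return min(ok, key=lambda r: (r.ad, r.metric), default=None)

    def lookup(self, address):
        """Forwarding decision: longest prefix first, AD only as a tie-break."""
        addr = ipaddress.ip_address(address)
        matches = [r for r in self.candidates if r.up and addr in r.net]
        if not matches:
            return None
        longest = max(r.net.prefixlen for r in matches)
        best = [r for r in matches if r.net.prefixlen == longest]
        return min(best, key=lambda r: (r.ad, r.metric))


def demo_ad_tiebreak():
    """Question 1647: same /24 from OSPF and EIGRP, EIGRP (AD 90) wins."""
    rib = Rib()
    rib.add(Route("10.10.10.0/24", "ospf", "192.0.2.1", metric=20))
    rib.add(Route("10.10.10.0/24", "eigrp", "192.0.2.2", metric=30720))
    return rib.lookup("10.10.10.200").source


def demo_longest_prefix_beats_ad():
    """A more specific OSPF /25 beats the EIGRP /24 despite the worse AD."""
    rib = Rib()
    rib.add(Route("10.10.10.0/24", "eigrp", "192.0.2.2"))
    rib.add(Route("10.10.10.128/25", "ospf", "192.0.2.1"))
    return rib.lookup("10.10.10.200").source


def demo_floating_static():
    """Question 1649: the AD 254 backup is used only after the primary fails."""
    rib = Rib()
    primary = Route("0.0.0.0/0", "static", "192.0.2.1")              # AD 1
    backup = Route("0.0.0.0/0", "static", "198.51.100.1", ad=254)    # floating
    rib.add(primary)
    rib.add(backup)
    before = rib.lookup("8.8.8.8").next_hop
    primary.up = False                                               # primary lost
    after = rib.lookup("8.8.8.8").next_hop
    return before, after


def demo_connected_beats_static():
    """A directly connected route (AD 0) beats a static route (AD 1)."""
    rib = Rib()
    rib.add(Route("192.168.1.0/24", "static", "192.0.2.9"))
    rib.add(Route("192.168.1.0/24", "connected", "Gi0/0"))
    return rib.installed("192.168.1.0/24").source


def demo_ipv6_default():
    """::/0 catches anything no more specific IPv6 prefix covers."""
    rib = Rib()
    rib.add(Route("::/0", "static", "2001:db8::1"))
    rib.add(Route("2001:db8:1::/64", "connected", "Gi0/1"))
    return rib.lookup("2001:db8:ffff::5").prefix
```

The floating static demo is the one to study: the backup route exists as a candidate the whole time, but is not installed while the primary is usable, which is exactly why it needs a higher AD than the route it protects.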

1650
MCQhard

A small office uses PAT for user Internet access. What mechanism does PAT use to allow many users to share one public address while keeping their sessions distinct?

A.Use transport-layer port values to distinguish multiple inside sessions behind one outside address.
B.Convert all inside hosts to the same private IP address.
C.Increase the size of the NAT pool to include multiple public addresses.
D.Configure static NAT mappings for each inside host.
AnswerA

This is correct because PAT uses ports to separate many sessions sharing one public IP.

Why this answer

PAT (Port Address Translation) distinguishes multiple inside sessions by rewriting the source port number for each connection while using the same public IP address. This transport-layer port translation allows many internal hosts to share one outside address without conflict. The correct answer identifies the use of port numbers, which is the core mechanism.

Increasing the NAT pool or using static NAT would not enable sharing of a single public address. Making every inside host's private IP identical is not a NAT technique at all; it would break the inside network itself.

Exam trap

A common mistake is thinking PAT requires all inside hosts to have the same private IP or that adding more public IPs is the primary method for sharing a single address.

Why the other options are wrong

B

Converting all inside hosts to the same private IP would cause addressing conflicts and break basic connectivity, not enable PAT.

C

Increasing the NAT pool provides more public addresses but does not allow many users to share one public address via port translation.

D

Static NAT requires a dedicated public IP per host, preventing many-to-one sharing.
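The port-based multiplexing described in this question and in question 1642 (whose answer text opens this page), carried through as an added example written for this page; it is not code from the question bank or from any router. The inside hosts, the public address and the port range are constructed. The table keys entries on the inside address and port only; a real IOS translation entry also records the outside address and port, which the comments point out.

```python
"""Added example: a PAT translation table.  Outbound packets get their
source address and port rewritten; replies are mapped back by the port.
Addresses and the port range are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Pat:
    def __init__(self, outside_ip, port_range=(1024, 65535)):
        self.outside_ip = outside_ip
        self.next_port, self.last_port = port_range
        # (proto, inside_ip, inside_port) -> outside_port.  A real IOS entry
        # also stores the outside (destination) address and port.
        self.table = {}
        # (proto, outside_port) -> (inside_ip, inside_port), for replies.
        self.reverse = {}

    def _allocate_port(self, proto, preferred):
        """Keep the original source port when free, otherwise take the next
        unused one.  This is what lets two hosts both use source port 50000."""
        if (proto, preferred) not in self.reverse:
            return preferred
        while True:
            if self.next_port > self.last_port:
                raise RuntimeError("PAT port pool exhausted")
            port = self.next_port
            self.next_port += 1
            if (proto, port) not in self.reverse:
                return port

    def outbound(self, pkt):
        """Inside -> outside: rewrite source to the shared public address."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.table:
            port = self._allocate_port(pkt.proto, pkt.src_port)
            self.table[key] = port
            self.reverse[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.outside_ip, self.table[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Outside -> inside: the destination port selects the inside host.
        Packets with no matching entry are dropped (None)."""
        if pkt.dst_ip != self.outside_ip:
            return None
        entry = self.reverse.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.proto)


def demo():
    """Two inside hosts using the same source port through one public IP."""
    pat = Pat("203.0.113.5", port_range=(1024, 1030))
    a = Packet("10.0.0.10", 50000, "198.51.100.80", 443)
    b = Packet("10.0.0.11", 50000, "198.51.100.80", 443)   # same port as a
    ta, tb = pat.outbound(a), pat.outbound(b)
    reply_to_b = Packet("198.51.100.80", 443, "203.0.113.5", tb.src_port)
    return ta.src_port, tb.src_port, pat.inbound(reply_to_b).dst_ip
```

Note the two failure modes the table makes visible: an inbound packet that matches no entry is dropped, which is the incidental filtering PAT provides and should not be mistaken for a firewall policy, and a pool that runs out of ports starts refusing new sessions, which on a small office router shows up as intermittent connection failures rather than an obvious error.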
