CCNA 200-301 v2 (200-301) — Questions 1651-1725

1819 questions total · 25 pages · All types, answers revealed

Page 23 of 25

1651
MCQ · hard

A network engineer notices that after adding a new switch to the network, a different switch unexpectedly becomes the STP root bridge, disrupting all VLANs. The new switch has the default priority (32768) but has a lower MAC address than all existing switches. What is the most likely cause?

A. The new switch is running PVST+ while the existing switches use Rapid PVST+
B. Root Guard is enabled on the new switch’s uplink ports facing the existing root
C. The existing root bridge has a bridge priority lower than the default value of 32768
D. The new switch was added with a bridge priority of 4096
Answer: C

If the existing root bridge’s priority is below 32768 (for example 4096 or 0), its Bridge ID is numerically lower than the new switch’s Bridge ID regardless of MAC address, because the priority field occupies the high-order bits and is compared before the MAC. STP always elects the switch with the lowest Bridge ID as root, so the manually lowered priority keeps the existing switch as root despite the new switch’s lower MAC.

Why this answer

In STP, bridge priority is the primary parameter for root election. If the existing root bridge has a bridge priority lower than the default 32768, it will have a lower Bridge ID regardless of its MAC address, so it remains the root. The new switch’s lower MAC would only win if all bridge priorities are equal (default).

This explains why a different switch becomes root even though the new one has a lower MAC.

Exam trap

Many candidates focus on the MAC address tie-breaker and forget that bridge priority is compared first. They may also misread root guard: root guard puts a designated port into the root-inconsistent (blocking) state when a superior BPDU arrives, which stops a downstream switch from becoming root, but it never causes some other switch to become the root.

Why the other options are wrong

A

Candidates may think that mixing PVST+ and Rapid PVST+ changes root election, but the two interoperate and compare the same Bridge ID (priority, extended system ID, MAC), so the STP version does not change which switch wins.

B

Candidates often associate Root Guard with preventing a switch from becoming the root. However, it does not cause another switch to become root; it just protects the network from unexpected superior BPDUs.

D

Candidates may confuse the symptom and think that a low priority on the new switch causes the problem, but this would make the new switch the root, not another switch.
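To see why a lowered priority beats a lower MAC, here is an added example (not part of the original question set) that models the 802.1D Bridge ID comparison in Python. The switch names, MAC addresses, VLAN number and priorities are constructed values; the comparison itself (priority plus extended system ID in the high 16 bits, MAC in the low 48, lowest value wins) is the standard one.

```python
"""Added example (not from the original page): STP root-bridge election.

Models the IEEE 802.1D/802.1Q Bridge ID as it is compared on the wire:
a 16-bit priority field (4-bit configurable priority in steps of 4096
plus the 12-bit extended system ID, which is the VLAN number on Cisco
PVST+/Rapid PVST+), followed by the 48-bit bridge MAC address. The
switch names, MACs and VLAN below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Switch:
    name: str
    mac: str                 # Cisco dotted form, e.g. "0011.2233.4455"
    priority: int = 32768    # configured priority, multiple of 4096


def bridge_id(sw: Switch, vlan: int) -> int:
    """Return the 64-bit Bridge ID used for comparison on a given VLAN.

    priority + vlan occupies the high 16 bits; the MAC fills the low 48.
    A lower numeric value wins the election.
    """
    if sw.priority % 4096 or not 0 <= sw.priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("vlan must be 1..4094")
    mac = int(sw.mac.replace(".", "").replace(":", ""), 16)
    return ((sw.priority + vlan) << 48) | mac


def elect_root(switches, vlan: int) -> Switch:
    """Elect the root bridge for a VLAN: lowest Bridge ID wins.

    Because priority+VLAN sits in the high-order bits, any switch with a
    lower configured priority beats every default-priority switch no
    matter how low their MAC addresses are; the MAC only decides ties.
    """
    return min(switches, key=lambda sw: bridge_id(sw, vlan))


# Constructed scenario from the question: one core with lowered priority,
# one default-priority access switch, and a new switch with the lowest MAC.
EXISTING_ROOT = Switch("Core1", "00aa.bbcc.dd01", priority=4096)
EXISTING_ACCESS = Switch("Acc1", "00aa.bbcc.dd02")
NEW_SWITCH = Switch("New1", "0000.0000.0001")


def question_scenario(vlan: int = 10) -> str:
    """Core1 keeps priority 4096: it stays root on VLAN 10."""
    return elect_root([EXISTING_ROOT, EXISTING_ACCESS, NEW_SWITCH], vlan).name


def all_default_scenario(vlan: int = 10) -> str:
    """If every switch ran the default priority, the lowest MAC would win."""
    defaults = [Switch(s.name, s.mac) for s in (EXISTING_ROOT, EXISTING_ACCESS, NEW_SWITCH)]
    return elect_root(defaults, vlan).name


if __name__ == "__main__":
    print("root with lowered priority on Core1:", question_scenario())
    print("root if all priorities were default:", all_default_scenario())
```

Run it and the first line names Core1, the second New1: the MAC only matters once every priority field is equal. The extended system ID also shows why a priority of 4096 on VLAN 10 appears as 4106 in show spanning-tree.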

1652
MCQ · hard

A network administrator notices that hosts in VLAN 10 cannot ping the default gateway (192.168.10.1). The switch's SVI for VLAN 10 is configured and the output of the show ip interface brief command shows its status as up/up. An embedded packet capture is configured. The exhibit shows ARP requests from a host to 192.168.10.1 but no ARP reply. Based on the exhibit, what is the most likely cause of the connectivity issue?

A. The default gateway is configured incorrectly on the host.
B. The switchport connecting the host is not assigned to VLAN 10.
C. An ACL is applied to the SVI blocking ICMP.
D. The SVI is administratively down.
Answer: B

The SVI for VLAN 10 is up/up, yet the host's ARP requests for 192.168.10.1 go unanswered, which means those frames are not arriving in VLAN 10. The access port must be in VLAN 10 for the host to reach the SVI.

Why this answer

The correct answer is B because the capture shows ARP requests from the host but no reply, so the VLAN 10 SVI never sees those frames. With the SVI confirmed up/up, the most likely cause is that the host's switchport is assigned to some other VLAN, so its broadcasts are flooded there instead. (An SVI only stays up/up while at least one port in its VLAN is up, so another VLAN 10 port or a trunk carrying VLAN 10 is keeping it up while the host's port sits in the wrong VLAN.) Option A is incorrect because the host is ARPing for 192.168.10.1, which shows its gateway setting matches the SVI address.

Option C is wrong because an IP ACL on the SVI does not filter ARP (ARP is not carried in IP), so the capture would still show an ARP reply if the SVI received the request; an ACL blocking ICMP would only fail the ping after ARP had resolved. Option D is incorrect because the exhibit shows the SVI up/up, ruling out an administratively down condition.

Exam trap

Cisco often tests the distinction between Layer 2 connectivity (VLAN assignment) and Layer 3 issues (ACL, SVI state), where candidates mistakenly blame IP configuration or ACLs when the root cause is a VLAN mismatch preventing ARP resolution.

Why the other options are wrong

A

The host's default gateway is correctly configured as 192.168.10.1, evident from the ARP requests being sent to that address.

C

An IP ACL on the SVI does not filter ARP, because ARP is not IP traffic; an ACL blocking ICMP would fail the ping, but the ARP reply would still appear in the capture.

D

The exhibit's show ip interface brief output confirms the SVI is in up/up state, proving it is not administratively down.

1653
MCQ · hard

A network engineer notices that a workstation in VLAN 10 cannot communicate with hosts in VLAN 20. The workstation is connected to an access layer switch port that shows 'up/up' in show ip interface brief. The switch's trunk port to the router is up, and the router's sub-interface for VLAN 10 is also in an up/up state. The router-on-a-stick configuration appears operational, but inter-VLAN traffic still fails. What is the most likely cause?

A. The switch port to the workstation is incorrectly configured as a trunk instead of an access port.
B. The native VLAN on the trunk between the switch and router is mismatched.
C. VLAN 10 is not allowed on the trunk link.
D. The router sub-interface for VLAN 10 is missing the encapsulation dot1q command.
Answer: D

In router-on-a-stick, each sub-interface must be mapped to a VLAN with the 'encapsulation dot1q <vlan>' command. Without it, the sub-interface has no VLAN tag to match, so frames tagged VLAN 10 arriving on the trunk are never handed to it, even though it shows up/up. That explains why the workstation cannot reach other VLANs.

Why this answer

The router-on-a-stick configuration requires each sub-interface to carry `encapsulation dot1q <vlan-id>` so the router knows which 802.1Q tag belongs to it. Without this command, frames tagged for VLAN 10 are not accepted or forwarded by the sub-interface, even if the interface is administratively up. Since the physical port, the trunk and the sub-interface all report up/up yet VLAN 10 traffic is never routed, the missing encapsulation is the most likely cause.

Exam trap

Cisco often tests the misconception that a sub-interface being 'up/up' guarantees it is fully operational for inter-VLAN routing, when in fact the missing `encapsulation dot1q` command leaves the sub-interface unable to process tagged frames.

Why the other options are wrong

A

Candidates may suspect the access port is misconfigured as a trunk, but the stem only says the port shows 'up/up' in show ip interface brief, which reports line status, not access or trunk mode; nothing in the stem points at the host port.

B

Native VLAN mismatch is a common troubleshooting issue, but it only affects untagged traffic on the native VLAN—not tagged VLANs like VLAN 10.

C

Candidates often assume the allowed VLAN list is the culprit, but default trunk behavior permits all VLANs unless explicitly pruned, and the stem gives no indication of pruning.

1654
MCQ · hard

Based on the exhibit, what is the most likely reason the PPP link is failing to authenticate?

A. The PPP authentication credentials do not match between the two sides.
B. The interfaces must use HDLC instead of PPP before authentication can work.
C. CHAP requires the routers to be in different IPv4 subnets.
D. PPP authentication works only over GRE tunnels.
Answer: A

This is correct because the CHAP passwords shown are different.

Why this answer

The most likely reason is a credentials mismatch between the two sides of the PPP authentication setup. In practical terms, PPP authentication requires the peers to agree on the relevant identity and secret information. If those values do not align, the link may come up physically but authentication fails and the logical connection does not establish properly.

This is a very exam-relevant WAN troubleshooting scenario because it focuses on a realistic failure after the transport is already present.

Exam trap

Be careful not to confuse physical link issues with authentication problems. Just because the link is up doesn't mean authentication is successful.

Why the other options are wrong

B

This option is incorrect because HDLC and PPP are alternative serial encapsulations, not layers of each other; PPP carries its own authentication (PAP or CHAP), and Cisco HDLC has no authentication at all.

C

This option is incorrect because CHAP (Challenge Handshake Authentication Protocol) is a Layer 2 exchange carried directly over the PPP link; the peers' IPv4 addressing, same subnet or different, plays no part in whether authentication succeeds.

D

This option is incorrect because PPP (Point-to-Point Protocol) can operate independently of GRE (Generic Routing Encapsulation) tunnels; authentication can occur directly over a PPP link without requiring GRE.
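The exhibit is not reproduced here, so as an added example (not part of the original question set) the following Python models the CHAP exchange from RFC 1994 and shows why mismatched secrets fail even though the link is up. The response is MD5(identifier || secret || challenge); the authenticator recomputes it with the secret it holds for the peer's name and compares. Router names, secrets and the challenge are constructed values.

```python
"""Added example (not from the original page): PPP CHAP exchange (RFC 1994).

Shows why mismatched secrets fail authentication even though the link is
physically up. The response is MD5(identifier || secret || challenge); the
authenticator recomputes it with the secret it holds for the peer's name and
compares. Names, secrets and the challenge are constructed values.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: compute the CHAP Response value for a received Challenge."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is one octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Router that issues the Challenge and verifies the Response.

    `secrets` maps the peer's hostname to the shared secret configured locally
    (on IOS this is the `username <peer> password <secret>` entry).
    """

    def __init__(self, name: str, secrets: dict):
        self.name = name
        self.secrets = secrets
        self._id = 0

    def challenge(self) -> tuple:
        """Return (identifier, challenge) for a new round; the challenge is random."""
        self._id = (self._id + 1) % 256
        return self._id, os.urandom(16)

    def verify(self, identifier: int, challenge: bytes, peer_name: str, response: bytes) -> bool:
        """Recompute with the locally held secret and compare in constant time."""
        secret = self.secrets.get(peer_name)
        if secret is None:
            return False  # unknown peer name: CHAP Failure
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def run_exchange(local_secret_for_peer: bytes, peer_secret: bytes) -> bool:
    """One-way exchange: R1 challenges, R2 answers with whatever secret R2 holds."""
    r1 = Authenticator("R1", {"R2": local_secret_for_peer})
    ident, chal = r1.challenge()
    resp = chap_response(ident, peer_secret, chal)   # computed on R2
    return r1.verify(ident, chal, "R2", resp)


def matching_secrets() -> bool:
    return run_exchange(b"cisco123", b"cisco123")


def mismatched_secrets() -> bool:
    # R2 configured with a different (constructed) password than R1 holds for it.
    return run_exchange(b"cisco123", b"Cisco123")


if __name__ == "__main__":
    print("matching secrets ->", "Success" if matching_secrets() else "Failure")
    print("mismatched secrets ->", "Success" if mismatched_secrets() else "Failure")
```

A one-character difference in the password (here only the case of the first letter) produces a completely different digest, which is why a CHAP failure after the line protocol comes up points straight at the username/password pair on the two routers.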

1655
MCQ · hard

A client can join a secure employee SSID, but traffic is consistently placed into a guest-style restricted path. Which area should be investigated first?

A. The policy, role, or VLAN mapping applied after successful authentication.
B. Whether the client can see the SSID at all.
C. Whether the RADIUS server is returning a guest VLAN attribute.
D. Whether OSPF area 0 is configured on the client.
Answer: A

This is correct because the symptom points to wrong post-authentication placement.

Why this answer

The strongest first area to investigate is the mapping between the authenticated user or WLAN and the policy or VLAN that is applied afterward. In practical terms, the client is joining successfully, so the issue is not basic RF visibility or initial authentication. The clue is that the wrong access policy is being applied after the join process.

This is a highly realistic wireless policy troubleshooting scenario because the failure happens after successful connectivity setup.

Exam trap

Avoid assuming connectivity issues are always RF-related; consider post-authentication processes like VLAN assignment.

Why the other options are wrong

B

This option is wrong because the question already states that the client can join the secure SSID, indicating that the SSID is visible and accessible. Therefore, checking visibility is unnecessary.

C

While a misconfigured RADIUS server could cause this symptom, the question asks which area should be investigated first; checking the policy mapping applied after authentication is a more direct and likely cause.

D

This option is wrong because OSPF area 0 configuration pertains to routing protocols and network topology, which does not directly affect the client's access to the SSID or its traffic path after authentication.

1656
MCQ · hard

A user reports that they cannot access a remote server at IP address 10.10.20.50. The user's PC has IP address 192.168.1.25/24, and the default gateway is 192.168.1.1. The user can successfully ping the default gateway and other hosts on the local subnet. However, pings to 10.10.20.50 fail, and a traceroute shows only the first hop (192.168.1.1) followed by timeouts. Which of the following is the most likely cause?

A. The user's PC has an incorrect subnet mask.
B. The default gateway lacks a route to the 10.10.20.0/24 network.
C. The remote server at 10.10.20.50 is powered off.
D. The user's DNS server is unreachable.
Answer: B

Since the client can ping the gateway but traceroute shows nothing beyond the first hop, the gateway receives the packets and has no route to 10.10.20.0/24 (and no default route to fall back on), so it discards them. A router that drops for lack of a route normally returns ICMP destination unreachable, which IOS traceroute marks on that hop (!N or !H); plain timeouts are what you see when those unreachables are suppressed or filtered.

Why this answer

The user can reach local hosts and the default gateway, confirming that the PC's IP configuration and local switching are functional. The traceroute stopping at 192.168.1.1 with subsequent timeouts indicates that the default gateway receives the packets but does not know how to forward them to the 10.10.20.0/24 network. Therefore, the most likely cause is that the default gateway lacks a route to that remote subnet.

Exam trap

Cisco often tests the distinction between local connectivity issues (subnet mask, ARP) and routing issues (missing routes), trapping candidates who assume a failed ping to a remote IP must be due to the destination being down or a DNS problem.

Why the other options are wrong

A

The user can communicate with the default gateway and other local devices, so the subnet mask is correctly configured for the local network.

C

A powered-off server would cause timeouts only after the last router before the server, not immediately after the first hop.

D

Because the user is using the server's IP address, DNS is not involved in this connectivity test.

1657
MCQ · medium

A DHCP server is located on a different VLAN from the clients. Which feature is required so the clients can still receive addresses?

A. DHCP snooping
B. DHCP relay
C. Port security
D. NAT overload
Answer: B

Correct. DHCP relay enables cross-VLAN DHCP service.

Why this answer

DHCP relay forwards the client's DHCPDISCOVER broadcast to the remote server as a unicast, typically with ip helper-address on the Layer 3 interface facing the clients. The relay writes its own interface address into the giaddr field, and the server uses that address to choose the scope, so the client receives an address from the correct VLAN's pool.

Exam trap

A common exam trap is selecting DHCP snooping as the solution for clients on different VLANs to receive DHCP addresses. DHCP snooping is a security mechanism that filters DHCP messages to prevent rogue servers but does not forward DHCP broadcasts across VLANs. Another tempting but incorrect choice is port security, which controls MAC address access on switch ports but does not affect DHCP broadcast forwarding.

NAT overload is unrelated to DHCP address assignment and only translates IP addresses for outbound traffic. The key misunderstanding is confusing DHCP relay’s role in forwarding broadcasts with security or address translation features.

Why the other options are wrong

A

DHCP snooping is a security feature that prevents unauthorized DHCP servers by filtering DHCP messages. It does not forward DHCP broadcasts across VLANs, so it cannot enable clients on different VLANs to receive addresses.

C

Port security restricts the number and identity of MAC addresses on switch ports to enhance security. It does not affect DHCP broadcast forwarding or enable clients to receive addresses from servers on different VLANs.

D

NAT overload translates multiple private IP addresses to a single public IP address for outbound traffic. It does not address the issue of forwarding DHCP broadcasts between VLANs or enable DHCP clients to obtain addresses from remote servers.

1658
MCQ · hard

Two switches are connected via an IEEE 802.1Q trunk. Hosts in VLAN 30 on opposite sides cannot communicate, yet hosts in VLAN 10 communicate normally. Both switches have VLAN 30 in their VLAN database, and the trunk link is operational. What is the most likely cause?

A. VLAN 30 is pruned or not allowed on one side of the trunk
B. The native VLAN must be set to 30
C. STP blocks all VLANs on the trunk when one VLAN fails
D. The trunk must be changed to access mode for VLAN 30
Answer: A

That directly explains why VLAN 10 works and VLAN 30 does not.

Why this answer

If a VLAN is not allowed on one side of the trunk, frames for that VLAN are dropped even though other VLANs continue to work. Option A correctly identifies that VLAN 30 is either pruned or missing from the allowed list on one end. Option B is wrong because the native VLAN only affects untagged frames and would not cause the filtering of a tagged VLAN like VLAN 30.

Option C is incorrect because STP can block individual VLANs per port, but it does not block all VLANs on a trunk due to a single VLAN’s issue—only the affected VLAN would be blocked. Option D is invalid because converting the trunk to access mode would break all VLAN trunking, including the working VLAN 10.

Exam trap

Ensure you check the trunk configuration for allowed VLANs, not just VLAN existence or port assignments.

Why the other options are wrong

B

The native VLAN setting only governs untagged traffic on the trunk, not the tagged frames of VLAN 30, so it cannot fix a missing allowed VLAN.

C

STP does not globally block all VLANs on a trunk; per‑VLAN spanning tree can block individual VLANs, but a single VLAN failure would not cause the trunk to block all traffic.

D

Changing the trunk to access mode would restrict the link to a single VLAN, breaking VLAN 10 connectivity as well, which contradicts the working state of VLAN 10.

1659
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure and apply an extended ACL that permits only HTTP traffic from the 192.168.1.0/24 network to the server at 10.0.0.1, with the ACL applied inbound on the router's GigabitEthernet0/0 interface, and then verify the configuration.


Why this order

First, enter config mode. Create the ACL permitting HTTP from the source network to the destination host. Apply it inbound on the correct interface.

Then exit and verify.

Exam trap

Pay attention to the direction of ACL application (inbound vs outbound) and the specific verification command. Also, ensure you exit configuration mode before verifying, as some show commands are available in config mode but the standard workflow is to exit first.
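To make the ACL step concrete, here is an added example (not part of the original question set) that evaluates an IOS-style extended ACL in Python the way the router does: top-down, first match wins, wildcard bits set to 1 are ignored, and anything unmatched hits the implicit deny. The ACL text is a constructed version of the one the task describes (HTTP only from 192.168.1.0/24 to host 10.0.0.1), and the test packets are constructed too; only the subset of ACL syntax used here is parsed.

```python
"""Added example (not from the original page): how an IOS extended ACL is
evaluated, including wildcard masks and the implicit deny.

The ACL below is a constructed version of the one the task describes: only
HTTP from 192.168.1.0/24 to host 10.0.0.1 is permitted inbound on Gi0/0.
Only the subset of IOS ACL syntax used here is parsed (permit/deny,
ip/tcp/udp/icmp, any/host/wildcard, 'eq <port>' on the destination).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "ssh": 22}


@dataclass
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "ip", "tcp", "udp", "icmp"
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int
    dst_port: Optional[int]   # None unless "eq <port>" was given


def _addr_spec(tokens: List[str], i: int):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tokens[i].

    Returns (network, wildcard, next_index). A wildcard bit of 1 means 'don't care'.
    """
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wild, i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse the entries of an 'ip access-list extended' block, in order."""
    aces = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                      # skip the header line and remarks
        action, proto = tokens[0], tokens[1]
        src_net, src_wild, i = _addr_spec(tokens, 2)
        dst_net, dst_wild, i = _addr_spec(tokens, i)
        port = None
        if i < len(tokens) and tokens[i] == "eq":
            p = tokens[i + 1]
            port = PORT_NAMES.get(p, int(p) if p.isdigit() else None)
        aces.append(Ace(action, proto, src_net, src_wild, dst_net, dst_wild, port))
    return aces


def _match(addr: str, net: int, wild: int) -> bool:
    """Wildcard match: bits set in the wildcard are ignored in the comparison."""
    keep = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & keep) == (net & keep)


def evaluate(aces: List[Ace], src: str, dst: str, proto: str, dst_port: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for a packet; first matching entry wins."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_match(src, ace.src_net, ace.src_wild) and _match(dst, ace.dst_net, ace.dst_wild)):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"   # implicit 'deny ip any any' at the end of every IOS ACL


# Constructed ACL matching the task: HTTP only, 192.168.1.0/24 -> 10.0.0.1
HTTP_ONLY = parse_acl("""
ip access-list extended HTTP_ONLY
 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.1 eq 80
""")


def check(src: str, dst: str, proto: str, port: Optional[int] = None) -> str:
    """Evaluate one constructed packet against HTTP_ONLY."""
    return evaluate(HTTP_ONLY, src, dst, proto, port)


if __name__ == "__main__":
    print(check("192.168.1.25", "10.0.0.1", "tcp", 80))    # permit
    print(check("192.168.1.25", "10.0.0.1", "tcp", 443))   # deny: wrong port
    print(check("192.168.2.25", "10.0.0.1", "tcp", 80))    # deny: wrong source
    print(check("192.168.1.25", "10.0.0.1", "icmp"))       # deny: implicit deny
```

The last case is the practical caveat: an ACL with a single permit line and no further entries also blocks ping, DNS and everything else entering Gi0/0, so "permits only HTTP" is exactly what the router enforces. Verify with show access-lists, which also displays per-entry match counters.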

1660
MCQ · hard

In a controller-based design, which statement best describes a northbound API?

A. An application-facing API used by external software to communicate with the controller
B. A cable type used between controller clusters
C. The link-state protocol the controller uses to reach switches
D. A mechanism that removes the need for authentication
Answer: A

This is correct because northbound APIs are intended for communication from applications and orchestration systems into the controller.

Why this answer

A northbound API is the interface exposed by the controller to external applications, orchestration systems, dashboards, or automation tools. In plain language, it is the way software above the controller communicates with the controller so that it can request data, apply policy, or trigger changes. This is different from the southbound side, where the controller interacts with the underlying infrastructure devices.

This concept appears often in automation topics because it helps define where the controller sits in the larger architecture. A northbound API is not a physical cable, and it does not replace security controls. It is an application-facing software interface, which is exactly what the correct answer should capture.

Exam trap

A frequent exam trap is mistaking the northbound API for a physical cable or a routing protocol. Some candidates incorrectly associate 'northbound' with physical connections between controllers or with link-state protocols, which is incorrect. Northbound APIs are purely logical interfaces used by applications to communicate with the controller, not hardware or routing mechanisms.

Another trap is assuming northbound APIs bypass security controls; in reality, these APIs require proper authentication and authorization. Misunderstanding these points can lead to selecting incorrect answers that describe physical or protocol-related concepts rather than software interfaces.

Why the other options are wrong

B

This option incorrectly describes a northbound API as a cable type, which is a physical concept unrelated to the logical API direction in controller architectures.

C

This option confuses northbound APIs with routing protocols like link-state protocols, which are unrelated to the software interface role of northbound APIs.

D

This option falsely claims that northbound APIs remove the need for authentication, ignoring that security controls remain essential for API access.

1661
Multi-Select · medium

Which three of the following statements about VLAN Trunking Protocol (VTP) are correct? (Choose three.)

Select 3 answers
A. VTP pruning helps reduce unnecessary broadcast traffic on trunk links by pruning VLANs that are not active on any downstream switch.
B. A VTP server can create, modify, and delete VLANs, and these changes are propagated to all other switches in the same VTP domain.
C. VTP transparent mode switches forward VTP advertisements but do not synchronize their VLAN database from the server.
D. VTP version 3 supports extended VLANs (1006-4094) and is backward compatible with VTP version 1 and 2.
E. A switch in VTP client mode can create local VLANs that are not advertised to the rest of the domain.
F. VTP advertisements are sent as multicast frames using the destination MAC address 0180.c200.0000.
Answers: A, B, C

Why this answer

All three selected statements are correct: VTP pruning removes VLANs with no active downstream ports from trunk flooding; a VTP server can create, modify and delete VLANs and propagates the changes across the domain; transparent mode forwards advertisements without synchronizing its own database. The three distractors are incorrect. D: VTP version 3 interoperates with version 2 switches (it sends a scaled-down v2-format advertisement toward them) but is not compatible with version 1, so "compatible with version 1 and 2" is false.

E: A VTP client cannot create local VLANs; it only synchronizes from the server. F: VTP uses the Cisco multicast MAC address 0100.0CCC.CCCC for advertisements, not 0180.c200.0000, which is the IEEE address used by STP.

Exam trap

Cisco often tests the distinction between VTP modes, especially that transparent mode forwards advertisements but does not synchronize, and that VTP pruning is a separate feature that must be enabled on the VTP server to take effect.

Why the other options are wrong

D

VTP version 3 is not backward compatible with version 1; it does interoperate with version 2 switches, so the statement as written is false.

E

A VTP client switch cannot create local VLANs; it synchronizes its VLAN database from the VTP server.

F

VTP advertisements use the multicast MAC address 0100.0CCC.CCCC, not 0180.c200.0000 which is used for protocols like STP.

1662
MCQ · hard

A subnet requires 200 usable host addresses. Which prefix is the smallest that meets the requirement?

A. /25
B. /24
C. /26
D. /27
Answer: B

This is correct because a /24 provides 254 usable host addresses.

Why this answer

A /24 is the smallest valid choice. In plain language, the subnet needs enough total addresses so that after the network and broadcast addresses are reserved, 200 hosts still remain. A /25 is too small because it provides only 126 usable hosts. A /24 provides 254 usable hosts, which satisfies the requirement while being the next logical prefix size up.

This is a standard host-capacity planning question. The key is to work from usable hosts, not just total addresses, and then choose the smallest prefix that actually works.

Exam trap

Ensure you calculate usable addresses, not just total addresses, and choose the smallest prefix that meets the requirement.

Why the other options are wrong

A

A /25 subnet provides 126 usable host addresses, which is insufficient for a requirement of 200 usable addresses. Therefore, it does not meet the specified needs of the question.

C

A /26 subnet provides only 62 usable host addresses (64 total minus 2 for network and broadcast), which is insufficient for the requirement of 200 usable addresses.

D

Option D: /27 provides only 30 usable host addresses (32 total addresses minus 2 for network and broadcast), which is insufficient for the requirement of 200 usable host addresses.
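As an added example (not part of the original question set), the following Python carries the usable-host calculation through for any prefix and then generalizes it to VLSM allocation of several requirements from one block, which is the form this question takes when more than one subnet is needed. The base block and the host counts in the sample allocation are constructed values.

```python
"""Added example (not from the original page): sizing a subnet for a host
count and extending the same rule to VLSM allocation from a larger block.

usable_hosts()/smallest_prefix() are the calculation the question asks for
(usable = 2^(32-prefix) - 2 for /30 and larger). allocate_vlsm() applies it
to several requirements at once, largest first, so no block is wasted.
The base block and requirements used below are constructed sample values.
"""
import ipaddress
from typing import Dict


def usable_hosts(prefix: int) -> int:
    """Usable IPv4 hosts for a prefix length (network and broadcast removed).

    /31 is the point-to-point special case (RFC 3021): both addresses usable.
    """
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    if prefix == 32:
        return 1
    if prefix == 31:
        return 2
    return 2 ** (32 - prefix) - 2


def smallest_prefix(hosts: int) -> int:
    """Longest (smallest-block) prefix whose usable host count covers `hosts`."""
    if hosts < 1:
        raise ValueError("need at least one host")
    for prefix in range(30, -1, -1):        # /30 is the smallest ordinary LAN subnet
        if usable_hosts(prefix) >= hosts:
            return prefix
    raise ValueError("too many hosts for IPv4")


def allocate_vlsm(base: str, requirements: Dict[str, int]) -> Dict[str, str]:
    """Carve `base` into one subnet per requirement, largest first.

    Returns {name: 'network/prefix'} and raises if the block is too small.
    Allocating largest-first keeps every subnet aligned to its own size, so a
    simple cursor through the block never produces a misaligned network.
    """
    block = ipaddress.ip_network(base)
    cursor = int(block.network_address)
    end = int(block.broadcast_address) + 1
    result: Dict[str, str] = {}
    for name, hosts in sorted(requirements.items(), key=lambda kv: -kv[1]):
        prefix = smallest_prefix(hosts)
        size = 2 ** (32 - prefix)
        if prefix < block.prefixlen or cursor + size > end:
            raise ValueError(f"{base} cannot fit {name} ({hosts} hosts)")
        result[name] = str(ipaddress.ip_network((cursor, prefix)))
        cursor += size
    return result


if __name__ == "__main__":
    print("200 hosts ->", f"/{smallest_prefix(200)}", usable_hosts(smallest_prefix(200)), "usable")
    # Constructed plan: three VLANs carved from 192.168.0.0/23
    for name, net in allocate_vlsm("192.168.0.0/23", {"users": 200, "servers": 100, "mgmt": 50}).items():
        print(f"{name:8} {net}")
```

Note the boundary: 126 hosts still fit a /25, but 127 already needs a /24, which is exactly the "usable, not total" trap the question is built around.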

1663
MCQ · medium

Which term in the CIA triad refers to ensuring systems and data remain accessible when needed?

A. Availability
B. Integrity
C. Accounting
D. Confidentiality
Answer: A

This is correct because availability is about ensuring systems and data can be accessed when needed.

Why this answer

The term is availability. In plain language, availability means that authorized users should be able to reach systems, services, and data when they actually need them. If a service is down, overwhelmed, or otherwise unreachable, availability has been affected. This is different from confidentiality, which focuses on preventing unauthorized disclosure, and integrity, which focuses on preventing unauthorized change.

This distinction matters because the CIA triad appears often in security foundations and exam questions. Availability is not about whether data is secret or whether it has been altered; it is about whether the service is usable. That is why availability is the best answer here.

Exam trap

A frequent exam trap is confusing availability with confidentiality or integrity because all three belong to the CIA triad. Candidates may incorrectly choose confidentiality, thinking about data protection, or integrity, focusing on data accuracy. However, availability specifically means ensuring systems and data remain accessible when needed.

Misreading the question or overthinking the triad components leads to selecting the wrong term. Remember, availability is about uptime and access, not secrecy or correctness, which are confidentiality and integrity respectively.

Why the other options are wrong

B

Integrity is incorrect because it focuses on protecting data from unauthorized changes, not on ensuring access or uptime of systems and data.

C

Accounting is incorrect as it is part of the AAA framework (Authentication, Authorization, Accounting) and not a component of the CIA triad, so it does not relate to system availability.

D

Confidentiality is incorrect because it deals with preventing unauthorized disclosure of information, not with ensuring that systems and data are accessible when required.

1664
Multi-Select · medium

Which TWO statements correctly describe the configuration and use of a voice VLAN on a Cisco switch port?

Select 2 answers
A. The voice VLAN is configured using the 'switchport mode trunk' command.
B. When a voice VLAN is configured, the switch port operates in two VLANs: one for data and one for voice traffic.
C. The voice VLAN must be the same as the native VLAN on the trunk link.
D. The IP phone uses CDP or LLDP to learn the voice VLAN ID from the switch.
E. The data VLAN and voice VLAN must be in the same IP subnet.
Answers: B, D

With voice VLAN, the port is an access port for the data VLAN and also accepts tagged traffic on the voice VLAN, effectively operating in two VLANs.

Why this answer

Option B is correct because when a voice VLAN is configured on a Cisco switch port, the port carries two VLANs at once: the access VLAN for the PC's data and the voice VLAN for the phone. The 'switchport voice vlan <id>' command makes the switch advertise that VLAN ID to the phone over CDP or LLDP-MED (which is why D is also correct), and the phone tags its voice frames with it while frames from the attached PC pass untagged in the access VLAN. This separation lets voice traffic receive its own QoS treatment and keeps it isolated from data traffic.

Exam trap

Cisco often tests the misconception that a voice VLAN requires trunking or that the voice VLAN must match the native VLAN, but in reality, a voice VLAN is configured on an access port using the 'switchport voice vlan' command, and the native VLAN concept applies only to trunk ports.

Why the other options are wrong

A

Trunk mode is used to carry multiple VLANs, but for a single access port with voice, the port remains in access mode and uses the voice VLAN feature.

C

The native VLAN is used for untagged traffic on a trunk, while the voice VLAN is a specific VLAN that carries tagged voice traffic from the phone.

E

They are separate VLANs and usually belong to different subnets for logical separation and management.

1665
Matching · medium

Drag and drop the AAA terms on the left to their correct definitions on the right.


Concepts
Authentication
Authorization
Accounting
TACACS+
RADIUS

Matches

Verifies the identity of a user or device before granting access.

Determines what resources or services a user is allowed to access.

Tracks and logs user activities, such as login time and commands executed.

A Cisco proprietary protocol that separates authentication, authorization, and accounting.

An open standard protocol that combines authentication and authorization in one packet.

Why these pairings

AAA components: Authentication verifies identity, Authorization controls access, Accounting logs activities. RADIUS is an open standard that combines authentication and authorization, while TACACS+ is a Cisco proprietary protocol that separates all three functions.

Exam trap

Do not confuse the AAA functions with the protocols that carry them: TACACS+ and RADIUS are transports for AAA, not AAA components themselves. Also keep Authentication (proving identity) distinct from Authorization (what the identity may do).

1666
MCQ · hard

An engineer is troubleshooting a first-hop redundancy issue on a subnet where two routers, R1 and R2, are configured with HSRP. Hosts on the VLAN are intermittently losing connectivity to the default gateway. The engineer runs the `show standby` command on R1 and sees this output:

```
Vlan1 - Group 10
  State is Active
    2 state changes, last state change 00:00:45
  Virtual IP address is 192.168.1.254
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.2 secs
  Preemption enabled
  Active router is local
  Standby router is 192.168.1.1, priority 200 (configured 200)
  Priority 150 (configured 150)
  Group name is "hsrp-Vlan1-10" (default)
```

Which change on R1 resolves the problem?

A. Increase the priority on R1 above 150.
B. Change the HSRP group number on R1 to 20.
C. Disable preemption on R1.
D. Increase the hello timer on R1 to 10 seconds.
Answer: A

R1 is Active with priority 150 while the standby router, R2, is configured with priority 200. With preemption enabled, the higher-priority router claims the active role whenever it can, so the active gateway keeps moving between the two. Raising R1's priority above R2's 200 (not merely above 150, which is R1's current value) makes R1 the consistent winner and stops the flapping.

Why this answer

The output shows R1 in the Active state with priority 150, while the standby router (R2) has the higher priority of 200. With preemption enabled (shown as 'Preemption enabled' in the output), the higher-priority router keeps taking back the active role, so the gateway flips between R1 and R2 and hosts see intermittent loss. Setting R1's priority above R2's 200 (for example 210) gives R1 the highest priority so it stays active and the default gateway stabilizes.

Exam trap

Cisco often tests the misconception that increasing the hello timer or disabling preemption on the local router solves a preemption issue caused by a higher-priority remote router, when in fact the fix is to either raise the local priority or disable preemption on the higher-priority neighbor.

Why the other options are wrong

B

This would break the HSRP relationship entirely, not fix the priority issue.

C

Preemption is not the cause; it is actually desired to allow a higher-priority router to take over.

D

This does not address the priority mismatch and could worsen convergence time.

1667
PBQ · easy

You are connected to SW1, a Layer 2 switch. The network administrator wants to prevent unauthorized switches from being connected to access ports. Port G0/1 is an access port in VLAN 10. You need to configure BPDU Guard on this port to protect against STP loops caused by rogue switches. Additionally, enable PortFast for immediate transition to forwarding.

Hints

  • PortFast should be applied to access ports to reduce STP convergence time.
  • BPDU Guard disables the port if a BPDU is received.
  • Both commands are under the interface configuration.
A. SW1(config-if)# spanning-tree portfast
   SW1(config-if)# spanning-tree bpduguard enable
B. SW1(config)# spanning-tree portfast default
   SW1(config)# spanning-tree bpduguard default
C. SW1(config-if)# spanning-tree portfast
   SW1(config-if)# spanning-tree guard root
D. SW1(config-if)# spanning-tree portfast
   SW1(config-if)# spanning-tree bpduguard disable
Answer: A
Solution:

```
! SW1
interface GigabitEthernet0/1
 spanning-tree portfast
 spanning-tree bpduguard enable
```

Why this answer

PortFast allows an access port to skip STP listening/learning and transition immediately to forwarding. BPDU Guard protects against STP loops by error-disabling the port if a BPDU is received, which would indicate an unauthorized switch connection.

Exam trap

Be careful to distinguish between interface-level and global commands for PortFast and BPDU Guard. Also, remember that BPDU Guard uses 'bpduguard enable' (not 'disable') and is different from Root Guard ('guard root').

Why the other options are wrong

B

The specific factual error is that global commands affect all ports, not a single interface.

C

The specific factual error is confusing Root Guard with BPDU Guard; they serve different purposes.

D

The specific factual error is using the 'disable' keyword instead of 'enable' to activate BPDU Guard.

1668
MCQeasy

Which STP port state on a classic 802.1D switch listens for BPDUs and prepares to participate in the topology, but does not yet learn MAC addresses?

A.Listening
B.Learning
C.Forwarding
D.Disabled
AnswerA

Listening comes before learning and does not yet learn MACs.

Why this answer

In classic STP, the listening state processes BPDUs and waits before learning begins. The learning state is when the switch starts populating the MAC table.

Exam trap

Do not confuse the listening state with the learning state; remember that listening involves BPDU processing without MAC address learning.

How to eliminate wrong answers

Eliminate 'Learning' because it involves MAC address table updates. 'Blocking' can be ruled out as it does not prepare to forward traffic. 'Forwarding' is incorrect because it involves active data transmission and MAC learning. 'Listening' is correct as it processes BPDUs without learning MAC addresses.

1669
PBQhard

You are connected to R1, a Cisco IOS-XE router. Configure SNMP v2c with read-only community 'NetOpsRO' and SNMP v3 with user 'AdminUser' using SHA authentication (password: AuthPass1) and AES-128 encryption (password: PrivPass2). Also enable SNMP traps to the NMS at 192.0.2.10 with community 'TrapComm'. Additionally, configure NetFlow export to 192.0.2.20 using version 9, and ensure the flow exporter is applied to GigabitEthernet0/0. Verify your configuration using 'show snmp' and 'show ip cache flow'.

Network Topology
R1 G0/0 10.0.0.1/30 --- link --- R2 G0/0 10.0.0.2/30

Hints

  • SNMPv3 requires both a group and a user; the group defines the security level (auth/priv).
  • NetFlow export requires a flow exporter and a flow monitor applied to the interface.
  • Use 'snmp-server enable traps' without specific traps to enable all supported traps.
A.snmp-server community NetOpsRO ro snmp-server group AdminGroup v3 priv snmp-server user AdminUser AdminGroup v3 auth sha AuthPass1 priv aes 128 PrivPass2 snmp-server enable traps snmp-server host 192.0.2.10 TrapComm flow exporter EXPORTER destination 192.0.2.20 version 9 ! flow monitor FLOW-MONITOR exporter EXPORTER record netflow ipv4 original-input ! interface GigabitEthernet0/0 ip flow monitor FLOW-MONITOR input
B.snmp-server community NetOpsRO ro snmp-server user AdminUser v3 auth sha AuthPass1 priv aes 128 PrivPass2 snmp-server enable traps snmp-server host 192.0.2.10 TrapComm flow exporter EXPORTER destination 192.0.2.20 version 9 ! interface GigabitEthernet0/0 ip flow export EXPORTER
C.snmp-server community NetOpsRO ro snmp-server group AdminGroup v3 priv snmp-server user AdminUser AdminGroup v3 auth sha AuthPass1 priv aes 128 PrivPass2 snmp-server enable traps snmp-server host 192.0.2.10 version 2c TrapComm flow exporter EXPORTER destination 192.0.2.20 version 9 ! interface GigabitEthernet0/0 ip flow monitor FLOW-MONITOR input
D.snmp-server community NetOpsRO ro snmp-server group AdminGroup v3 priv snmp-server user AdminUser AdminGroup v3 auth sha AuthPass1 priv aes 128 PrivPass2 snmp-server enable traps snmp-server host 192.0.2.10 TrapComm flow exporter EXPORTER destination 192.0.2.20 version 9 ! interface GigabitEthernet0/0 ip flow monitor FLOW-MONITOR input flow monitor FLOW-MONITOR exporter EXPORTER
AnswerA
solution
! R1
snmp-server community NetOpsRO ro
snmp-server group AdminGroup v3 priv
snmp-server user AdminUser AdminGroup v3 auth sha AuthPass1 priv aes 128 PrivPass2
snmp-server enable traps
snmp-server host 192.0.2.10 TrapComm
flow exporter EXPORTER
 destination 192.0.2.20
 transport udp 9996
 template data timeout 60
 exit
flow monitor FLOW-MONITOR
 exporter EXPORTER
 record netflow ipv4 original-input
 exit
interface GigabitEthernet0/0
 ip flow monitor FLOW-MONITOR input
 exit

Why this answer

Option A is the only complete configuration. It defines the SNMPv3 group and user, enables traps, sets up the flow exporter, and crucially defines a flow monitor globally before applying it to the interface. Without the global `flow monitor` definition, the `ip flow monitor ... input` command on the interface would be rejected.

Option B omits the SNMP group and uses the deprecated `ip flow export` instead of the modern flow monitor method. Option C is missing the flow monitor definition, and its `snmp-server host` version syntax is unnecessary but not harmful; the real flaw is the absent monitor. Option D attempts to add the flow monitor but incorrectly places the global definition commands inside the interface configuration, which would cause a syntax error.

Exam trap

The most common oversight is forgetting to define the flow monitor globally; without it, the `ip flow monitor` command on the interface will fail. Also, learners sometimes mistakenly use the deprecated `ip flow export` command instead of the modern flow monitor approach.

Why the other options are wrong

B

Missing the required SNMPv3 group and relies on the deprecated interface command 'ip flow export' instead of the modern flow monitor method.

C

Lacks the required global flow monitor definition block; the 'ip flow monitor' command on the interface refers to a nonexistent monitor.

D

Places the flow monitor definition commands inside the interface configuration context, where they would be rejected as invalid.

1670
MCQhard

A network technician configures a Windows 10 PC with a static IPv6 address of 2001:db8:acad:1::100/64 and a default gateway of 2001:db8:acad:2::1. The PC can communicate with other hosts in the 2001:db8:acad:1::/64 subnet, but it cannot access any resources on other subnets, even though IPv4 connectivity through the same network works normally. What is the most likely reason for this issue?

A.The PC's default gateway address is in a different subnet than the PC's IPv6 address.
B.The PC's IPv6 stack has a corrupted binding that prevents routing.
C.The router's IPv6 routing table does not have a route back to the PC's subnet.
D.The DNS server for IPv6 resolution is misconfigured, causing all off-subnet traffic to fail.
AnswerA

An IPv6 host only uses a default gateway if it is on the same subnet. Since 2001:db8:acad:2::1 is in a different /64 subnet than the PC's 2001:db8:acad:1::100/64, the host considers the gateway unreachable and cannot send traffic beyond the local link.

Why this answer

The PC's IPv6 address is 2001:db8:acad:1::100/64, placing it in the 2001:db8:acad:1::/64 subnet. The configured default gateway is 2001:db8:acad:2::1, which belongs to the 2001:db8:acad:2::/64 subnet. For IPv6, a host will only consider a default gateway on the same link-local or on-link subnet; if the gateway address is not within the same /64 prefix as the host's address, the host cannot send packets to it directly, and all off-subnet traffic fails.

Exam trap

Cisco often tests the concept that an IPv6 host will only use a default gateway that is within the same subnet (same /64 prefix) as its own configured IPv6 address, unlike IPv4 where a gateway in a different subnet can still be used if the host has a route to it.

Why the other options are wrong

B

This is a less common and less specific cause; the symptom points directly to a misconfigured gateway address in a different subnet.

C

This option assumes a routing problem on the router, but the scenario indicates the PC cannot send packets to its gateway, which points to host configuration, not routing tables.

D

DNS misconfiguration would cause failures when using hostnames, but not for direct IP connectivity tests like pinging a remote IPv6 address.

1671
MCQhard

A host is configured as 10.10.20.190/26. Which range contains usable host addresses for that subnet?

A.10.10.20.129 to 10.10.20.190
B.10.10.20.128 to 10.10.20.191
C.10.10.20.130 to 10.10.20.191
D.10.10.20.193 to 10.10.20.254
AnswerA

This is correct because that is the usable host range of the 10.10.20.128/26 subnet.

Why this answer

A /26 uses blocks of 64 addresses. In plain language, the ranges are 0–63, 64–127, 128–191, and 192–255. Since the host ends in 190, it belongs to the 128–191 block. In that block, 10.10.20.128 is the network address and 10.10.20.191 is the broadcast address. That leaves 10.10.20.129 through 10.10.20.190 as the usable host range.

This question checks whether you can identify the correct block and then exclude the reserved endpoints properly.

Exam trap

Be careful not to include the network and broadcast addresses as usable host addresses. Always calculate the subnet boundaries accurately.

Why the other options are wrong

B

Option B is incorrect because it includes the network address (10.10.20.128) and the broadcast address (10.10.20.191) for the subnet 10.10.20.128/26, which are not usable host addresses.

C

Option C is incorrect because the subnet mask /26 indicates a subnet range of 10.10.20.128 to 10.10.20.191, but the usable host addresses are from 10.10.20.129 to 10.10.20.190, excluding the network and broadcast addresses.

D

Option D is incorrect because the range 10.10.20.193 to 10.10.20.254 falls outside the subnet defined by 10.10.20.190/26, which only allows for usable addresses from 10.10.20.130 to 10.10.20.190.
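The block arithmetic from the explanation above, as an added example that is not part of the question bank: the interesting-octet ranges for any prefix length, the network/broadcast/usable-range calculation done with integer mask math (cross-checked against the standard library), and a helper that tests each option's range against the true usable range of 10.10.20.190/26. It also generalizes to /31 and /32, where no endpoints are reserved.

```python
"""Worked /26 block arithmetic for 10.10.20.190/26 (added example)."""
import ipaddress
from typing import List, Tuple

ALL_ONES = 0xFFFFFFFF


def interesting_octet_blocks(prefixlen: int) -> List[Tuple[int, int]]:
    """Return the (start, end) ranges of the 'interesting' octet for a mask.

    For /26 this is the 0-63, 64-127, 128-191, 192-255 table used in the
    explanation; for /8, /16 and /24 there is a single 0-255 block.
    """
    if not 0 <= prefixlen <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    bits_in_octet = prefixlen % 8          # mask bits that fall in the interesting octet
    if bits_in_octet == 0:
        return [(0, 255)]
    block_size = 2 ** (8 - bits_in_octet)  # same as 256 - mask octet value
    return [(start, start + block_size - 1) for start in range(0, 256, block_size)]


def subnet_info(host: str, prefixlen: int) -> dict:
    """Compute network, broadcast and usable host range with plain mask math."""
    if not 0 <= prefixlen <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    ip_int = int(ipaddress.IPv4Address(host))
    mask_int = (ALL_ONES << (32 - prefixlen)) & ALL_ONES
    network_int = ip_int & mask_int                        # clear the host bits
    broadcast_int = network_int | (~mask_int & ALL_ONES)   # set the host bits
    # /31 point-to-point links (RFC 3021) and /32 host routes reserve no
    # endpoints; /30 and larger blocks exclude network and broadcast.
    if prefixlen >= 31:
        first_usable, last_usable = network_int, broadcast_int
    else:
        first_usable, last_usable = network_int + 1, broadcast_int - 1
    # Cross-check the hand arithmetic against the standard library.
    net = ipaddress.ip_network(f"{host}/{prefixlen}", strict=False)
    if int(net.network_address) != network_int or int(net.broadcast_address) != broadcast_int:
        raise AssertionError("mask arithmetic disagrees with ipaddress")
    return {
        "network": str(ipaddress.IPv4Address(network_int)),
        "broadcast": str(ipaddress.IPv4Address(broadcast_int)),
        "first_usable": str(ipaddress.IPv4Address(first_usable)),
        "last_usable": str(ipaddress.IPv4Address(last_usable)),
        "usable_count": last_usable - first_usable + 1,
    }


def is_usable_host_range(first: str, last: str, host: str, prefixlen: int) -> bool:
    """True only if first..last is exactly the usable host range of host's subnet."""
    info = subnet_info(host, prefixlen)
    return (first, last) == (info["first_usable"], info["last_usable"])


if __name__ == "__main__":
    print(interesting_octet_blocks(26))
    print(subnet_info("10.10.20.190", 26))
    # The four answer options from the question, checked one by one.
    options = {
        "A": ("10.10.20.129", "10.10.20.190"),
        "B": ("10.10.20.128", "10.10.20.191"),
        "C": ("10.10.20.130", "10.10.20.191"),
        "D": ("10.10.20.193", "10.10.20.254"),
    }
    for label, (first, last) in options.items():
        print(label, is_usable_host_range(first, last, "10.10.20.190", 26))
```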

1672
MCQhard

A technician is troubleshooting a connection between two routers, R1 and R2, connected back-to-back using Ethernet cables. Both routers have their interfaces configured and are in an 'up/up' state. R1's interface uses 192.168.1.1/24, and R2's interface uses 192.168.2.1/24. When the technician attempts to ping R2 from R1, the ping fails. What is the most likely cause?

A.The Ethernet cable is faulty, causing intermittent physical layer failures.
B.A duplex mismatch exists between R1 and R2, causing one-way communication.
C.A routing protocol is not configured to allow the routers to learn about each other's directly connected networks.
D.The IP addresses assigned to the interfaces belong to different subnets, preventing direct Layer 3 communication.
AnswerD

When two devices are in the same broadcast domain and have IP addresses in different subnets, they do not consider each other as local destinations. Router R1 will not attempt to ARP for 192.168.2.1 because it believes that address is in a different network, making the ping fail even though link status is up/up.

Why this answer

The ping fails because R1's interface is configured with IP address 192.168.1.1/24, which places it in the 192.168.1.0/24 subnet, while R2's interface uses 192.168.2.1/24, placing it in the 192.168.2.0/24 subnet. For two devices to communicate directly at Layer 3 over a single Ethernet link, their IP addresses must belong to the same subnet. Since these addresses are in different subnets, R1 will see the destination as unreachable and will not even attempt to send an ARP request for R2's MAC address, resulting in a failed ping.

Exam trap

Cisco often tests the concept that directly connected devices must share the same subnet, and the trap here is that candidates assume 'up/up' means Layer 3 connectivity is guaranteed, or they mistakenly think a routing protocol is needed to exchange routes between directly connected interfaces.

Why the other options are wrong

A

Candidates might suspect a physical issue first, but the up/up status definitively rules out a cable or hardware problem.

B

Candidates commonly associate ‘cannot ping’ with duplex mismatches, forgetting that the fundamental issue here is the IP subnet mismatch.

C

The trap is thinking that a routing protocol is always needed for inter-subnet communication, overlooking that directly connected devices on the same broadcast domain must share a common subnet.

1673
Matchingeasy

Match each protocol or service to its primary function.

Concepts and their matching descriptions

  • DNS: Resolves hostnames to IP addresses
  • NTP: Synchronizes device clocks
  • Syslog: Sends event and log messages
  • DHCP: Leases IP configuration to clients

Why these pairings

DNS (Domain Name System) translates human-readable domain names into IP addresses that devices use to communicate. NTP (Network Time Protocol) ensures that clocks on network devices are synchronized, critical for logging and authentication. Syslog is the standard for sending and collecting event and log messages from network devices to a central server.

DHCP (Dynamic Host Configuration Protocol) dynamically assigns IP addresses, subnet masks, default gateways, and other network configuration parameters to client devices, simplifying network management.

Exam trap

A common mistake is confusing DNS and DHCP: DNS resolves names to addresses, while DHCP leases network configuration. Remember that NTP deals with time, not file transfers or email.

1674
PBQhard

You are connected to R1 via console. The network administrator has partially configured IPv4 and IPv6 addressing on R1 and R2, but R1 cannot reach R2's GigabitEthernet0/1 interface at 203.0.113.2/24. Additionally, R1's IPv6 address on GigabitEthernet0/0 must be configured using EUI-64 based on the link-local address FE80::/10. Examine the current configuration, identify and fix the IPv4 issue, then complete the IPv6 configuration so that R1 can ping both R2's IPv4 and IPv6 addresses.

Network Topology
R1 G0/0: 192.0.2.1/30 --- R2 G0/0: 192.0.2.2/30

Hints

  • The IPv4 ping to 203.0.113.2 fails because R1 has no route toward it; check the routing table for a default route.
  • IPv6 on G0/0 is missing a global unicast address; use EUI-64 to derive the interface ID from the MAC address.
  • Use 'show ip route' to see if R1 has a default route; if not, add one pointing to 192.0.2.2.
A.Configure a default route on R1: ip route 0.0.0.0 0.0.0.0 192.0.2.2. Then on GigabitEthernet0/0, configure ipv6 address 2001:DB8::/64 eui-64.
B.Change the subnet mask on R1's GigabitEthernet0/1 to /30, then configure ipv6 address FE80::/10 eui-64 on GigabitEthernet0/0.
C.Add a static route on R1: ip route 203.0.113.0 255.255.255.0 192.0.2.2, then configure ipv6 address 2001:DB8::1/64 on GigabitEthernet0/0.
D.Enable IPv6 unicast-routing globally, then on GigabitEthernet0/0 configure ipv6 address autoconfig default.
AnswerA
solution
! R1
interface GigabitEthernet0/0
ipv6 address 2001:DB8:0:1::/64 eui-64
exit
ip route 0.0.0.0 0.0.0.0 192.0.2.2

Why this answer

R1's GigabitEthernet0/1 is 203.0.113.1/24 and R2's GigabitEthernet0/1 is 203.0.113.2/24, so the /24 masks on that link match and the interfaces are up/up; the masks are not the fault. The intended IPv4 fault is that R1 has no default route, so it has no path for traffic beyond its directly connected networks. Option A adds `ip route 0.0.0.0 0.0.0.0 192.0.2.2`, pointing the default route at R2's G0/0, which is what the answer key expects.

For IPv6, R1's GigabitEthernet0/0 carries only a link-local address (FE80::1) and no global unicast address. The task's wording "based on the link-local address FE80::/10" is imprecise: EUI-64 derives the 64-bit interface ID from the interface MAC address and appends it to a global unicast prefix, not to the link-local prefix. The fix is therefore to configure `ipv6 address 2001:DB8::/64 eui-64` on GigabitEthernet0/0 and then verify with ping to R2's IPv4 and IPv6 addresses.

Exam trap

Do not confuse link-local addresses with global unicast prefixes when using EUI-64. Also, remember that directly connected networks do not require static routes; a missing default route is often the cause of ping failures to remote networks.

Why the other options are wrong

B

The subnet mask /30 does not match the /24 used on R2's G0/1, causing a subnet mismatch. Also, EUI-64 requires a global unicast prefix, not a link-local prefix.

C

A static route to a directly connected network is redundant and can cause routing issues. The IPv6 configuration must use EUI-64, not a manually assigned address.

D

The autoconfig command does not use EUI-64; it uses SLAAC to derive an address from router advertisements. Also, IPv6 unicast-routing is typically enabled by default.

1675
PBQhard

You are connected to R1. The network uses HSRP to provide first-hop redundancy for VLAN 10 clients. R1 should be the active router with a priority of 150, preempt enabled, and should track interface GigabitEthernet0/1 (decrement priority by 20 if it goes down). The virtual IP is 192.168.10.254. Currently, both routers are active for the same group. Fix the configuration on R1 so that it becomes the active router and preempts when possible.

Network Topology
R1 and R2 Gi0/0 (192.168.10.1/24 and 192.168.10.2/24) --- switch (VLAN 10 clients); R1 Gi0/1 10.0.0.1/30 --- WAN --- ISP

Hints

  • Both routers show as active because preempt is missing and priority is equal (default 100).
  • You need to increase the priority and enable preempt on R1.
  • Use the 'track' command to decrement priority if the uplink fails.
A.interface Vlan10
  standby 10 ip 192.168.10.254
  standby 10 priority 150
  standby 10 preempt
  standby 10 track GigabitEthernet0/1 20
B.interface Vlan10
  standby 10 ip 192.168.10.254
  standby 10 priority 150
  standby 10 preempt
  standby 10 track GigabitEthernet0/1 20 decrement
C.interface Vlan10
  standby 10 ip 192.168.10.254
  standby 10 priority 150
  standby 10 preempt delay 20
  standby 10 track GigabitEthernet0/1
D.interface Vlan10
  standby 10 ip 192.168.10.254
  standby 10 priority 150
  standby 10 preempt
  standby 10 track GigabitEthernet0/1 20 priority
AnswerA
solution
! R1
interface GigabitEthernet0/0
standby 10 ip 192.168.10.254
standby 10 priority 150
standby 10 preempt
standby 10 track GigabitEthernet0/1 20

Why this answer

Both routers are active for HSRP group 10 because the virtual IP address is not configured or is mismatched, causing a split-brain scenario. The correct fix must include setting the virtual IP with 'standby 10 ip 192.168.10.254', raising R1's priority to 150, enabling preempt, and tracking GigabitEthernet0/1 with a decrement of 20. Option A supplies all required commands with proper syntax.

Other options either omit the vital IP configuration or have invalid keywords like 'decrement' or 'preempt delay'.

Exam trap

Be careful with the exact syntax of HSRP commands. The 'standby track' command does not include the words 'decrement' or 'priority'. Also, 'preempt delay' is for delaying preemption, not for tracking.

Ensure you specify the decrement value correctly.

Why the other options are wrong

B

The specific factual error is that 'decrement' is not a valid keyword in the standby track command. The decrement value is specified directly after the interface.

C

The specific factual error is that 'preempt delay' is not the correct way to configure tracking. Tracking is done with the 'standby track' command, and the decrement value must be specified.

D

The specific factual error is that 'priority' is not a valid keyword in the standby track command. The decrement value is specified directly after the interface.

1676
Multi-Selectmedium

Which TWO commands would a network engineer use to verify that a Windows client has received an IP address from a DHCP server and can resolve a domain name to an IP address?

Select 2 answers
A.ping 8.8.8.8
B.ipconfig /all
C.tracert www.courseiva.com
D.nslookup www.courseiva.com
E.arp -a
AnswersB, D

`ipconfig /all` displays the full TCP/IP configuration, including the DHCP server, lease obtained/expires, and the assigned IP address, confirming DHCP operation.

Why this answer

Option B is correct because `ipconfig /all` displays the full TCP/IP configuration for all adapters, including whether the IP address was obtained from a DHCP server (the DHCP Enabled and DHCP Server fields). Option D is correct because `nslookup www.courseiva.com` queries the configured DNS server to resolve the domain name to an IP address, confirming DNS resolution works.

Exam trap

Cisco often tests the distinction between connectivity verification (ping) and configuration verification (ipconfig /all, nslookup), leading candidates to mistakenly select ping or tracert as tools for confirming DHCP and DNS functionality.

Why the other options are wrong

A

It checks network reachability, not DHCP or DNS.

C

It shows the path taken, not DHCP or DNS status.

E

It shows Layer 2 address mappings, not DHCP or DNS.

1677
MCQmedium

R1 receives an OSPF route to 10.55.0.0/16 and already has a static route to 10.55.10.0/24. Which route will be used for traffic sent to 10.55.10.25?

A.The OSPF /16 route, because dynamic routes override static routes learned later.
B.The static /24 route, because it is the longest-prefix match.
C.Both routes equally, because they point to the same major network.
D.Neither route, because overlapping routes are invalid.
AnswerB

Route lookup prefers the most specific matching prefix.

Why this answer

The static /24 route is more specific than the OSPF /16 route, so longest-prefix match wins. Administrative distance is only compared among routes to the same prefix length.

Exam trap

Remember that the longest-prefix match rule takes precedence over administrative distance when routes have different prefix lengths.

Why the other options are wrong

A

This option is incorrect because static routes are preferred over dynamic routes in OSPF when both are present, regardless of when they were learned. The static route to 10.55.10.0/24 will be used due to its longer prefix match.

C

This option is incorrect because OSPF routes do not share equal preference with static routes; the static /24 route will be preferred due to its longer prefix length, making it the best match for the specific destination IP.

D

This option is incorrect because overlapping routes are valid in routing protocols like OSPF, and both routes can coexist in the routing table. The static route to 10.55.10.0/24 is valid and will be preferred due to its longer prefix length.
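The lookup rule from this question, as an added example that is not part of the question bank: a small routing-table lookup that first filters on matching prefixes, lets the longest prefix win outright, and only then uses administrative distance and metric to break ties between routes to the same prefix. The routes, next hops and metrics are constructed for the example; the default ADs (static 1, OSPF 110, RIP 120) are the standard Cisco values.

```python
"""Longest-prefix match before administrative distance (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Standard Cisco default administrative distances.
DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    source: str               # "static", "ospf", "rip", ...
    next_hop: str
    metric: int = 0
    ad: Optional[int] = None  # explicit AD, else the default for the source

    @property
    def admin_distance(self) -> int:
        return DEFAULT_AD[self.source] if self.ad is None else self.ad


def best_route(rib: List[Route], destination: str) -> Optional[Route]:
    """Pick the route a router would use for `destination`.

    Step 1: keep only routes whose prefix contains the destination.
    Step 2: the longest prefix length wins outright.
    Step 3: among routes to that same prefix, lowest AD, then lowest metric.
    """
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in rib if dst in r.prefix]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-r.prefix.prefixlen, r.admin_distance, r.metric))


# Constructed RIB for the scenario: an OSPF /16 overlapping a static /24,
# plus one prefix learned from two sources so the AD tie-break is visible.
RIB = [
    Route(ipaddress.ip_network("10.55.0.0/16"), "ospf", "10.0.12.2", metric=20),
    Route(ipaddress.ip_network("10.55.10.0/24"), "static", "10.0.13.3"),
    Route(ipaddress.ip_network("10.55.20.0/24"), "ospf", "10.0.12.2", metric=30),
    Route(ipaddress.ip_network("10.55.20.0/24"), "rip", "10.0.14.4", metric=2),
]


def chosen_source(destination: str, rib: List[Route] = RIB) -> Optional[str]:
    """Which route (source and prefix) would forward `destination`."""
    route = best_route(rib, destination)
    return None if route is None else f"{route.source} {route.prefix}"


if __name__ == "__main__":
    for dst in ("10.55.10.25", "10.55.30.7", "10.55.20.9", "172.16.0.1"):
        print(dst, "->", chosen_source(dst))
```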

1678
PBQhard

You are connected to R1. Configure AAA with a RADIUS server at 10.0.0.2/30 (key 'cisco123') so that console and VTY login use RADIUS first, then local authentication. Additionally, troubleshoot why an 802.1X-enabled switch port (GigabitEthernet0/1) on R1 is stuck in the unauthorized state. The RADIUS server is reachable but authentication fails. Verify using 'show aaa servers' and 'show dot1x interface GigabitEthernet0/1 details'.

Network Topology
R1 G0/0 10.0.0.1/30 --- link --- RADIUS Server 10.0.0.2/30

Hints

  • Check the RADIUS server's shared key configuration.
  • The key 'cisco123' might be incorrect; verify with the server administrator.
  • Use 'debug radius authentication' to see authentication failures.
A.Configure 'aaa authentication login default group RADIUS local' and correct the RADIUS server key to match the actual server key.
B.Configure 'aaa authentication login default group radius local' and verify the RADIUS server IP address is correct.
C.Configure 'aaa authentication login default group radius local' and enable 802.1X globally with 'dot1x system-auth-control'.
D.Configure 'aaa authentication login default local' and remove the RADIUS server configuration.
AnswerA
solution
! R1
configure terminal
aaa new-model
aaa authentication login default group RADIUS local
radius server RADIUS
 key correctkey
end
! 'correctkey' is a placeholder for the key confirmed with the RADIUS server administrator

Why this answer

The RADIUS server is reachable but AAA and 802.1X authentication fail because the pre-shared key on R1 does not match the server's actual key. The correct repair is to first apply 'aaa authentication login default group RADIUS local' to correctly reference the RADIUS server by its name, then set the matching key under 'radius server RADIUS'. Once the key matches, the switch port will transition to authorized state.

Exam trap

Do not assume reachability equals authentication success; always verify the shared key matches. Also, when using new-style RADIUS server configuration, the AAA method must use the server name directly (not the generic 'radius' group) unless a custom server group is defined.

Why the other options are wrong

B

Verifying the IP address is redundant because the server is already reachable; the root cause is a mismatched shared key.

C

Enabling 802.1X globally will not fix a key mismatch and is not the reason for the port remaining unauthorized when RADIUS is reachable.

D

Using only local authentication removes the required RADIUS-first method and does not resolve the key issue.

1679
MCQhard

A switch interface is configured as `dynamic desirable`, and the peer interface is configured as `dynamic auto`. What is the most likely result?

A.The link is likely to become a trunk.
B.The link becomes a routed port.
C.All VLANs are deleted from both switches.
D.The port is immediately error-disabled.
AnswerA

This is correct because dynamic desirable can initiate trunk negotiation with a dynamic auto peer.

Why this answer

The most likely result is that the link becomes a trunk. In simple terms, `dynamic desirable` actively tries to negotiate a trunk, while `dynamic auto` listens and responds. Because one side is willing to initiate the process, trunking can be established if the rest of the configuration is compatible.

This question tests whether you know the difference between passive and active DTP behavior. The classic failure pairing is auto/auto. Desirable/auto, by contrast, is a normal path to trunk formation.

Exam trap

Be careful not to confuse DTP modes with Spanning Tree Protocol states or assume passive modes prevent trunking.

Why the other options are wrong

B

This option is wrong because a switch interface configured as `dynamic desirable` and its peer as `dynamic auto` will negotiate a trunk link, not a routed port. Routed ports are typically configured explicitly and not through dynamic negotiation.

C

This option is wrong because configuring a switch interface as `dynamic desirable` and `dynamic auto` does not lead to the deletion of VLANs; it instead allows for trunk negotiation between the switches.

D

This option is wrong because a switch interface configured as `dynamic desirable` and its peer as `dynamic auto` will negotiate a trunk link, not a routed port. Routed ports are typically configured explicitly and do not involve dynamic negotiation.

1680
Matchingmedium

Match each operations term to its most accurate meaning.

Concepts and their matching descriptions

  • Polling: Repeated collection of data by the management system
  • SNMP trap: Event notification sent by the device
  • Syslog severity: Indicator of how serious a logged event is
  • NetFlow: Visibility into traffic flows and conversations

Why these pairings

Polling matches 'Repeated collection of data by the management system' because an NMS periodically requests data from devices (SNMP Get/GetNext). Traps are event notifications sent by the device without a prior request. Syslog severity indicates the importance of a logged event (0=emergency to 7=debug).

NetFlow provides visibility into traffic flows by collecting metadata about communications between endpoints.

Exam trap

A common mistake is confusing SNMP traps with SNMP polling: traps are unsolicited alerts from the device, while polling is periodic retrieval initiated by the management system.

1681
PBQhard

You are connected to the multilayer switch SW1. Configure Root Guard on the designated port towards the access switch SW2, Loop Guard on the uplink port towards the distribution switch SW3, and BPDU Guard on the PortFast-enabled port connected to a workstation. After configuration, a superior BPDU is received on the designated port, causing it to be blocked by Root Guard. Later, a BPDU is received on the PortFast port, triggering err-disable state. Identify and resolve these issues.

Network Topology
SW1 Gi0/0 192.168.1.1/24 --- SW2 Gi0/0 192.168.1.2/24; SW1 Gi0/1 10.10.10.1/30 --- SW3 Gi0/1 10.10.10.2/30; SW1 Gi0/2 172.16.1.1/24 --- Workstation

Hints

  • Root Guard should only be placed on ports that are not expected to receive superior BPDUs — check if Gi0/0 is a designated port.
  • A port err-disabled by BPDU Guard requires manual intervention: shutdown/no shutdown.
  • Loop Guard is correctly applied to the trunk uplink; no changes needed there.
A.Remove Root Guard from interface Gi0/0 and re-enable interface Gi0/2 with a shutdown/no shutdown sequence.
B.Disable BPDU Guard on interface Gi0/2 and increase the root bridge priority on SW1 to prevent superior BPDUs.
C.Apply Root Guard to interface Gi0/2 instead of Gi0/0 and configure Loop Guard on Gi0/0.
D.Remove Loop Guard from interface Gi0/1 and configure it on Gi0/0 instead, then re-enable Gi0/2 using the 'errdisable recovery cause bpduguard' command.
AnswerA
solution
! SW1
interface GigabitEthernet0/0
no spanning-tree guard root
end
configure terminal
interface GigabitEthernet0/2
shutdown
no shutdown
end

Why this answer

The issue is that Root Guard was incorrectly applied to the designated port (Gi0/0) which should normally be the root port if a superior BPDU is received. Root Guard blocks the port when a superior BPDU arrives, but this is expected on a designated port; instead, Root Guard should be applied to ports that should never become root ports. In this scenario, the superior BPDU is legitimate (from a root bridge with lower priority), so Root Guard should be removed from Gi0/0.

For the PortFast port (Gi0/2), BPDU Guard correctly err-disabled the port upon receiving a BPDU, indicating an unauthorized switch connection. To restore the port, you must shut/no shut the interface and then investigate why a BPDU was received. The solution involves removing Root Guard from Gi0/0 and re-enabling Gi0/2 after verifying the connecting device.

Exam trap

Do not confuse the purpose of Root Guard (to prevent a port from becoming root port) with BPDU Guard (to protect PortFast ports). Root Guard should be applied to ports that should never be root ports, not to designated ports that may legitimately receive superior BPDUs. Also, remember that err-disable ports require manual intervention or errdisable recovery configuration.

Why the other options are wrong

B

The specific factual error is that BPDU Guard should remain enabled on PortFast ports, and changing root bridge priority does not address the Root Guard misapplication.

C

The specific factual error is that Root Guard is not appropriate for PortFast ports, and Loop Guard is already correctly placed on the uplink port.

D

The specific factual error is that Loop Guard is already correctly placed, and automatic recovery does not replace the need to investigate the unauthorized BPDU on Gi0/2.

1682
Multi-Select · medium

Which TWO statements about SFP transceivers and their associated cable types are correct?

Select 2 answers
A. SFP-10G-SR transceivers require single-mode fiber.
B. SFP-10G-LR transceivers use 1310 nm wavelength and can reach up to 10 km over single-mode fiber.
C. SFP-10G-LR transceivers can only be used with multimode fiber.
D. SFP-10G-SR transceivers typically use 850 nm wavelength over multimode fiber.
E. SFP-10G-LR transceivers support distances up to 40 km over single-mode fiber.

Answers: B, D

SFP-10G-LR (Long Reach) operates at 1310 nm over SMF, supporting distances up to 10 km, as per IEEE standards.

Why this answer

Option B is correct because the SFP-10G-LR transceiver operates at a 1310 nm wavelength and is designed for single-mode fiber, supporting distances up to 10 km. This is a standard specification defined by IEEE 802.3ae for 10GBASE-LR, making it the accurate description of this transceiver's capabilities.

Exam trap

Cisco often tests the confusion between SR and LR transceivers, where candidates mistakenly associate LR with multimode fiber or incorrect distances, such as thinking LR supports 40 km instead of the correct 10 km.

Why the other options are wrong

A

SFP-10G-SR uses multimode fiber, not single-mode.

C

SFP-10G-LR requires single-mode fiber, not multimode.

E

SFP-10G-LR max is 10 km, not 40 km (ER is 40 km).

1683
Matching · medium

Drag and drop the cable/transceiver types on the left to the correct distance and speed descriptions on the right.

Matches

  • 100 m at 1 Gbps
  • 300 m at 10 Gbps
  • 5 km at 1 Gbps
  • 55 m at 10 Gbps
  • 10 km at 10 Gbps

Why these pairings

These pairings reflect typical maximum distances and speeds for common Ethernet cabling and transceivers, as per IEEE standards.

Exam trap

Be careful not to assume that Cat6 supports 10 Gbps at 100 meters; IEEE specifies 55 meters for 10GBASE-T on Cat6. Also, remember that fiber standards have different distance capabilities.

1684
MCQ · hard

Refer to the exhibit. An engineer configured PortFast on interface GigabitEthernet0/1, which connects to a server that does not participate in spanning tree. However, the port remains in the listening state for the full forward delay period before transitioning to forwarding. The engineer issues the 'show spanning-tree vlan 10 detail' command. Based on the output, what is the most likely cause?

A. The port is configured as a trunk, so PortFast is not active.
B. BPDU Guard is enabled on the port, causing it to block.
C. The forward delay timer is set too high, and PortFast cannot override it.
D. The server is sending BPDUs, causing the port to lose its PortFast state.

Answer: A

PortFast is only effective on access ports. The exhibit shows ‘Edge port: no (default) portfast: no (default)’ despite the engineer enabling PortFast, indicating the port is operating as a trunk (or not an access port). Therefore, PortFast has no effect and the normal STP listening/learning states apply.

Why this answer

The exhibit shows that GigabitEthernet0/1 is in the ‘listening’ state with a forward delay timer of 12 seconds, and the lines ‘Edge port: no (default) portfast: no (default)’ indicate that PortFast is disabled. PortFast only takes effect on access ports; since the port is configured as a trunk (implied by PortFast not being active despite the engineer’s configuration), it does not skip the listening and learning states. The port is not in the err-disabled state (no BPDU Guard block), and no BPDUs have been received (BPDU: received 0), ruling out the other options.

Exam trap

Candidates often assume that the forward delay timer always causes slow convergence, but PortFast bypasses that timer entirely on access ports. Here, PortFast is disabled, so the timer runs normally, but the root cause is that PortFast is not active due to the port being a trunk.

Why the other options are wrong

B

The port is not in an err-disabled state; BPDU Guard causes the port to be shut down, not to stay in listening.

C

This option misunderstands that PortFast bypasses the timers completely on access ports; the high forward delay would be irrelevant if PortFast were active.

D

The assumption that the server is sending BPDUs is contradicted by the output showing zero BPDUs received.

1685
Multi-Select · medium

Which TWO statements about SFP transceivers and interface diagnostics are true?

Select 2 answers
A. SFP modules are hot-swappable, meaning they can be inserted or removed without powering off the switch.
B. Copper 1000BASE-T SFP modules can transmit data up to 10 km over Category 5e cabling.
C. The show interfaces transceiver command provides diagnostic details such as temperature, voltage, and optical power levels.
D. Multi-mode fiber uses a smaller core diameter, about 9 microns, compared to single-mode fiber.
E. Any SFP transceiver, regardless of vendor, will operate in a Cisco switch by default.

Answers: A, C

Small Form-factor Pluggable transceivers are designed for hot insertion/removal to minimize network downtime.

Why this answer

Option A is correct because SFP (Small Form-factor Pluggable) modules are designed to be hot-swappable, allowing insertion or removal without powering down the switch. This capability is essential for maintaining network uptime during maintenance or upgrades, as the switch can dynamically detect and configure the module without a reboot.

Exam trap

Cisco often tests the distinction between copper and fiber SFP distance limits, and the trap here is assuming that a copper SFP can achieve fiber-like distances, when in reality 1000BASE-T is strictly limited to 100 meters.

Why the other options are wrong

B

1000BASE-T SFPs (such as the GLC-T) have a maximum reach of 100 m, not 10 km. 10 km is typical for 1000BASE-LX/LH single-mode fiber SFPs.

D

Multi-mode fibers have larger cores to allow multiple light paths, while single-mode’s narrow core supports only one path. The 9-micron core is characteristic of single-mode.

E

Cisco IOS checks the SFP EEPROM for vendor coding. Third-party SFPs might not be recognized, causing an error or link failure until unsupported transceiver mode is enabled.

1686
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure and recover from a BPDU guard violation on a PortFast-enabled access port in RSTP.


Why this order

Configure PortFast and BPDU guard on the access port. Then trigger a violation by connecting an unauthorized switch, which causes the port to error-disable. Diagnose by checking the error-disabled status.

To recover, first remove the offending device, then cycle the port with shutdown and no shutdown; otherwise the port will immediately go error-disabled again.

Exam trap

Do not confuse the order: configuration must precede the violation. Also, recovery requires removing the rogue switch before bouncing the interface; failing to do so will cause the port to trip again.

1687
MCQ · hard

A router has the following routes in its table: 172.16.0.0/16, 172.16.20.0/24, and 172.16.20.128/25. Which route is used for traffic to 172.16.20.200?

A. 172.16.0.0/16
B. 172.16.20.0/24
C. 172.16.20.128/25
D. The default route

Answer: C

This is correct because .200 falls inside the 172.16.20.128/25 range.

Why this answer

The /25 route is used because it is the most specific match. In plain language, the router looks for the narrowest route that still contains the destination address. Since 172.16.20.200 falls inside 172.16.20.128/25, that route wins over the broader /24 and /16 entries.

This is a direct longest-prefix-match question. It is meant to reinforce that specificity comes first in routing-table lookup. Broader routes remain useful, but they are not chosen when a more precise matching entry exists.

Exam trap

A frequent exam trap is selecting a broader subnet route such as 172.16.20.0/24 or 172.16.0.0/16 instead of the more specific 172.16.20.128/25. Candidates may mistakenly believe that any matching route is acceptable or that larger subnets are preferred. This misunderstanding ignores the fundamental longest prefix match rule used by Cisco routers, which always prioritizes the most specific route.

Falling for this trap leads to incorrect routing decisions and exam errors.

Why the other options are wrong

A

172.16.0.0/16 is the least specific route covering a large address range. Although it matches the destination IP, it is overridden by more specific routes with longer subnet masks, so it is not used.

B

172.16.20.0/24 is more specific than the /16 but less specific than the /25 route. Since the destination IP falls within the /25 subnet, the router prefers the /25 route over this /24.

D

The default route is only used when no other routes match the destination IP. Since multiple specific routes exist that match the destination, the default route is not selected.

1688
MCQ · easy

Which STP role identifies the port on a non-root switch that has the best path back to the root bridge?

A. Designated port
B. Root port
C. Alternate port
D. Disabled port

Answer: B

That is the correct STP role.

Why this answer

The root port is the single port on a non-root switch that provides the lowest-cost path toward the root bridge. Designated ports forward away from the root for a segment, and alternate ports are backup paths.

Exam trap

A frequent exam trap is mistaking the designated port for the root port. While both forward traffic, the designated port is selected per LAN segment to forward frames away from the root bridge, not necessarily providing the best path back to the root. Another trap is confusing the alternate port with the root port; alternate ports are backup paths kept in blocking state and do not forward traffic unless the root port fails.

Candidates often overlook that the root port is unique per non-root switch and always represents the lowest-cost path to the root bridge, which is the key to answering this question correctly.

Why the other options are wrong

A

Designated ports are selected for each LAN segment to forward traffic away from the root bridge, but they do not represent the best path back to the root bridge on a non-root switch. Therefore, this option is incorrect.

C

Alternate ports serve as backup paths and remain in a blocking state unless the root port fails. They do not identify the best path back to the root bridge, so this option is incorrect.

D

Disabled ports do not participate in STP forwarding or path selection and are not related to identifying the best path back to the root bridge, making this option incorrect.

1689
Matching · medium

Drag and drop the OSI model layer names on the left to the correct PDU name and responsibility description on the right.

Matches

  • Frame – Provides node-to-node delivery and error detection
  • Packet – Provides logical addressing and routing
  • Segment – Provides reliable or unreliable end-to-end delivery
  • Data – Manages sessions, dialog control, and synchronization
  • Data – Provides network services to user applications

Why these pairings

In the OSI model, data is encapsulated as it moves down the layers. At the Data Link layer (Layer 2), a header and trailer are added to form a frame, which enables node-to-node delivery and error detection via CRC. The Network layer (Layer 3) adds a header to create a packet (or datagram) that includes logical addressing (IP) and enables routing between different networks.

The Transport layer (Layer 4) segments data and adds a header with port numbers to create a segment (TCP) or datagram (UDP), providing either reliable (connection-oriented) or unreliable (connectionless) end-to-end delivery. The Session, Presentation, and Application layers (Layers 5-7) generally use the generic PDU name 'Data', with Layer 5 managing sessions, dialog control, and synchronization, and Layer 7 providing network services to user applications. Matching any other PDU name or responsibility to these layers would violate this encapsulation hierarchy and functional separation.

Exam trap

Do not assume that the first layer you think of is correct. Read the PDU and responsibility carefully; the question may pair a specific PDU with a responsibility that belongs to a different layer than you expect.

1690
Drag & Drop · medium

Drag and drop the following steps into the correct order to install a new fiber optic cable, insert the SFP, and verify the link on a Cisco switch.


Why this order

First install the SFP, then attach the cable, ensure both ends are connected, then verify link and check for errors to confirm proper installation.

Exam trap

The exam trap is that candidates may confuse the order of SFP installation and cable attachment. Always install the SFP first to avoid damaging the fiber connector or the switch port.

1691
MCQ · hard

A router has a directly connected route to 10.1.1.0/24 and a static default route. Which route is used for traffic to 10.1.1.200?

A. The directly connected 10.1.1.0/24 route
B. The static default route
C. Both routes equally
D. Neither route

Answer: A

This is correct because the destination is in the connected subnet.

Why this answer

The directly connected route is used because it is the most specific and most immediate match. In practical terms, the router already knows that 10.1.1.200 belongs to a network on one of its own interfaces, so there is no reason to use the default route. The default route exists only for destinations that do not match anything more specific.

This is one of the most fundamental route-selection behaviors in IP routing.

Exam trap

A frequent exam trap is selecting the static default route for traffic destined to an IP address within a directly connected subnet. Candidates might incorrectly believe the default route overrides connected routes due to its static configuration or because it is manually set. However, the router always prefers the most specific route, which is the directly connected subnet in this case.

Misunderstanding the longest prefix match and administrative distance hierarchy leads to this error. Remember, the default route is only a fallback when no other route matches the destination IP address.

Why the other options are wrong

B

This option is incorrect because the static default route is less specific (0.0.0.0/0) and only used when no other route matches the destination. Since a connected route exists, the default route is ignored.

C

This option is wrong because routing does not load balance between a directly connected route and a static default route. The router selects the single best route based on prefix length and administrative distance.

D

This option is incorrect because the router clearly has a matching directly connected route for 10.1.1.200. Therefore, it will use that route rather than discarding both or failing to forward.
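The two lookups discussed in questions 1687 and 1691, carried out in code: this is an added Python example, not part of the question bank, and it ranks every matching entry by prefix length so the losing broader routes are visible alongside the winner. The route sources and next-hop addresses in the sample tables are constructed for illustration.

```python
"""Longest-prefix-match route lookup.

Added example (not part of the question bank). It reproduces the two lookups
discussed in questions 1687 and 1691: a /25 beating a /24 and a /16 for
172.16.20.200, and a connected /24 beating a static default route for
10.1.1.200. Next-hop addresses and route sources in the tables below are
constructed for illustration and do not come from the questions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    source: str                      # label only: "connected", "static", "ospf"
    next_hop: Optional[str] = None   # None for a directly connected network


def parse_route(prefix: str, source: str, next_hop: Optional[str] = None) -> Route:
    """Build a Route; strict=False tolerates host bits set in the prefix text."""
    return Route(ipaddress.IPv4Network(prefix, strict=False), source, next_hop)


def matching_routes(table: List[Route], destination: str) -> List[Route]:
    """All routes whose prefix contains destination, most specific first.

    A default route (0.0.0.0/0) contains every address, so when one is present
    it is always last in the list and only wins if nothing else matched.
    """
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in table if dst in r.prefix]
    return sorted(candidates, key=lambda r: r.prefix.prefixlen, reverse=True)


def longest_prefix_match(table: List[Route], destination: str) -> Optional[Route]:
    """Return the most specific matching route, or None if nothing matches.

    Prefix length alone decides here; a tie between two routes of equal length
    would be broken by administrative distance and metric, which is outside
    what these questions test.
    """
    candidates = matching_routes(table, destination)
    return candidates[0] if candidates else None


# Constructed table for question 1687: three overlapping prefixes plus a default.
TABLE_1687 = [
    parse_route("172.16.0.0/16", "ospf", "10.255.0.1"),
    parse_route("172.16.20.0/24", "ospf", "10.255.0.2"),
    parse_route("172.16.20.128/25", "static", "10.255.0.3"),
    parse_route("0.0.0.0/0", "static", "10.255.0.254"),
]

# Constructed table for question 1691: a connected subnet and a static default.
TABLE_1691 = [
    parse_route("10.1.1.0/24", "connected"),
    parse_route("0.0.0.0/0", "static", "198.51.100.1"),
]


def explain(table: List[Route], destination: str) -> str:
    """One-line summary of the lookup, listing the losing candidates too."""
    ranked = matching_routes(table, destination)
    if not ranked:
        return f"{destination}: no route (packet would be dropped)"
    chosen, losers = ranked[0], ranked[1:]
    via = chosen.next_hop or "directly connected"
    text = f"{destination}: {chosen.prefix} ({chosen.source}) via {via}"
    if losers:
        text += "; also matched but less specific: " + ", ".join(str(r.prefix) for r in losers)
    return text


if __name__ == "__main__":
    print(explain(TABLE_1687, "172.16.20.200"))   # /25 wins over /24 and /16
    print(explain(TABLE_1687, "172.16.20.100"))   # below .128, so the /24 wins
    print(explain(TABLE_1687, "192.0.2.1"))       # only the default route matches
    print(explain(TABLE_1691, "10.1.1.200"))      # connected /24 wins over the default
```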

1692
PBQ · hard

You are connected to R1 via console. The NTP server 198.51.100.10 is already configured on R1, but R1 is not synchronizing because the NTP packets are sourced from the wrong interface. Configure R1 to source NTP packets from its loopback0 interface (IP 10.0.0.1/32). Additionally, configure syslog logging to the remote server 203.0.113.5, ensuring that only messages at severity 'notifications' (level 5) and above are sent. The current configuration shows that syslog is sending all messages (including debug-level) to the server, wasting bandwidth. Fix both issues.

Network Topology
R1 (G0/0: 192.0.2.2/30) link R2 (G0/0: 192.0.2.2/30); NTP server.

Hints

  • NTP packets must have a consistent source IP that the server can reach; check the source interface.
  • The 'logging trap' command controls which severity levels are sent to the syslog server.
  • Use 'show ntp status' and 'show ntp associations' to confirm synchronization; use 'show logging' to verify the trap level.

A. Configure 'ntp source Loopback0' and 'logging trap notifications'.
B. Configure 'ntp server 198.51.100.10 source Loopback0' and 'logging trap warnings'.
C. Configure 'ntp source Loopback0' and 'logging trap debugging'.
D. Configure 'ntp server 198.51.100.10' and 'logging trap notifications'.

Answer: A
Solution
! R1
configure terminal
ntp source Loopback0
logging trap notifications
end
write memory

Why this answer

The NTP client is not synchronizing because the NTP packets are not sourced from an interface that the server can reach and reply to; the default source is the outgoing interface, but the server sees a different source IP. The 'ntp server 198.51.100.10' command is already configured (not shown), so you only need to specify the source interface with 'ntp source Loopback0'. Also, the syslog trap level is set to 'debugging', which sends all messages; change it to 'notifications' to filter out lower-severity messages.

After these changes, verify with 'show ntp status' (should show stratum less than 16 and 'synchronized') and 'show ntp associations' (should show a reach count > 0 and a valid ref clock). Check syslog with 'show logging' to confirm trap level is 'notifications'.

Exam trap

Cisco often tests the difference between 'ntp server' and 'ntp source' — remember that 'ntp source' is a global command that sets the source for all NTP packets. Also, syslog severity levels are often confused; know that 'debugging' (7) is the lowest severity and sends everything, while 'notifications' (5) is higher and filters out levels 6 and 7.

Why the other options are wrong

B

The specific factual error: The 'ntp server' command cannot specify a source interface; that is done with 'ntp source'. Additionally, 'warnings' (level 4) is more severe than 'notifications' (level 5), but the requirement is to send only notifications and above, which includes levels 0-5. 'warnings' includes levels 0-4, missing level 5 (notifications).

C

The specific factual error: 'logging trap debugging' sends all syslog messages (levels 0-7), which is the default and does not filter out lower-severity messages. The correct level for notifications and above is 'notifications' (level 5).

D

The specific factual error: The NTP client is not configured to source packets from Loopback0. The 'ntp server' command alone does not set the source interface; an additional 'ntp source' command is required.

1693
PBQ · hard

You are connected to R1 via the console. R1 is a newly deployed router that connects two subnets: 192.168.1.0/24 on GigabitEthernet0/0 and 192.168.2.0/24 on GigabitEthernet0/1. There is a default route to the Internet via the ISP router at 203.0.113.1, but the network policy requires that traffic from 192.168.1.0/24 to the Internet must exit via a different next-hop, 203.0.113.2. You need to implement policy-based routing on R1 to forward traffic from source 192.168.1.0/24 to 203.0.113.2, while all other traffic uses the default route via 203.0.113.1.

Hints

  • Policy-based routing uses route-maps applied to incoming interfaces.
  • The route-map matches traffic using an access list and sets the next-hop.
  • Verify the route-map and its application on the correct interface.

A. Create an access list matching source 192.168.1.0/24, a route-map with set ip next-hop 203.0.113.2, and apply the route-map inbound on GigabitEthernet0/0.
B. Create an access list matching source 192.168.1.0/24, a route-map with set ip next-hop 203.0.113.2, and apply the route-map outbound on GigabitEthernet0/1.
C. Create an access list matching destination 203.0.113.2, a route-map with set ip next-hop 203.0.113.2, and apply the route-map inbound on GigabitEthernet0/0.
D. Configure a static route for 192.168.1.0/24 with next-hop 203.0.113.2 and rely on the default route for other traffic.

Answer: A
Solution
! R1
configure terminal
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
route-map PBR permit 10
 match ip address 101
 set ip next-hop 203.0.113.2
interface GigabitEthernet0/0
 ip policy route-map PBR
end

Why this answer

Policy-based routing (PBR) allows overriding the routing table for specific traffic. The access list identifies traffic from 192.168.1.0/24, the route-map sets the next-hop to 203.0.113.2, and applying it to the incoming interface G0/0 ensures that traffic entering from that subnet follows the policy.

Exam trap

Remember that PBR is applied inbound on the interface receiving the traffic, not outbound. Also, the access list in PBR matches traffic based on the criteria you want to override (source, destination, etc.), not the next-hop address. Static routes are destination-based and cannot be used to forward based on source address.

Why the other options are wrong

B

PBR must be applied inbound on the interface receiving the traffic, not outbound on the exit interface.

C

PBR uses the access list to match traffic based on source, destination, or other criteria; here the requirement is to match source subnet.

D

A static route controls forwarding based on destination, not source. Policy-based routing is needed to forward based on source address.

1694
Multi-Select · medium

Which two statements accurately describe the role of a switch MAC address table?

Select 2 answers
A. It maps learned MAC addresses to switch ports for local forwarding decisions.
B. It helps reduce unnecessary flooding when the destination MAC is known.
C. It stores the best Layer 3 routes to remote networks.
D. It contains the router’s OSPF authentication keys.
E. It assigns IP addresses to end hosts dynamically.

Answers: A, B

This is correct because that is the core purpose of the MAC address table.

Why this answer

A switch MAC address table helps the switch make local forwarding decisions efficiently. In plain language, the switch learns which MAC addresses appear on which ports and then uses that information to send frames only where they need to go instead of flooding every frame everywhere.

The MAC table is not the same thing as a routing table, and it is not used for OSPF neighbor storage or DHCP lease records.

Exam trap

Avoid confusing the MAC address table with routing tables or ARP tables, which involve IP addresses and routing information.

Why the other options are wrong

C

This option is wrong because a switch MAC address table does not store Layer 3 routing information; it specifically maps Layer 2 MAC addresses to switch ports for local traffic forwarding.

D

Option D is incorrect because a switch MAC address table does not store OSPF authentication keys; it is designed to map MAC addresses to switch ports for forwarding decisions within a Layer 2 network.

E

This option is wrong because a switch MAC address table does not handle IP address assignments; it specifically deals with mapping MAC addresses to switch ports for local traffic forwarding.

1695
PBQ · hard

You are connected to R1, a multilayer switch acting as the STP root for VLAN 10. Configure Root Guard on port GigabitEthernet0/1 (designated port) to protect against superior BPDUs from an unauthorized switch, Loop Guard on uplink GigabitEthernet0/2 to prevent loops, and BPDU Guard on PortFast-enabled GigabitEthernet0/3. After configuration, a superior BPDU arrives on G0/1, blocking the port; verify the Root Guard state and ensure BPDU Guard triggers err-disable on G0/3.

Network Topology
R1 G0/1 (designated port) to Access Switch; R1 G0/2 (uplink) to Core Switch; R1 G0/3 (PortFast) to End Device.

Hints

  • Root Guard is applied on ports that should never become root; use 'spanning-tree guard root'.
  • Loop Guard prevents alternate or root ports from becoming designated when BPDUs stop; use 'spanning-tree guard loop' on uplinks.
  • BPDU Guard combined with PortFast err-disables a port upon BPDU reception; enable with 'spanning-tree bpduguard enable' under the interface.

A. G0/1 is in root-inconsistent state; G0/3 is in err-disabled state.
B. G0/1 is in blocking state; G0/3 is in err-disabled state.
C. G0/1 is in root-inconsistent state; G0/3 is in blocking state.
D. G0/1 is in err-disabled state; G0/3 is in root-inconsistent state.

Answer: A
Solution
! R1
configure terminal
interface GigabitEthernet0/1
 spanning-tree guard root
interface GigabitEthernet0/2
 spanning-tree guard loop
interface GigabitEthernet0/3
 spanning-tree bpduguard enable
end

Why this answer

Root Guard is needed on the designated port (G0/1) to prevent an unauthorized switch from becoming root by sending superior BPDUs. Loop Guard on the uplink (G0/2) prevents loops if BPDUs stop arriving. BPDU Guard on PortFast ports (G0/3) immediately err-disables them upon BPDU reception.

The configuration uses 'spanning-tree guard root' on G0/1, 'spanning-tree guard loop' on G0/2, and 'spanning-tree bpduguard enable' on G0/3. Verification shows G0/1 blocked by root-inconsistent state and G0/3 in err-disabled state.

Exam trap

Do not confuse the states caused by Root Guard (root-inconsistent) and BPDU Guard (err-disable). Also, remember that Root Guard is applied to designated ports, not root or alternate ports.

Why the other options are wrong

B

Root Guard uses a specific 'root-inconsistent' state, not the generic 'blocking' state.

C

BPDU Guard triggers err-disable, not blocking. Blocking is an STP state, not an error state.

D

Root Guard and BPDU Guard have different effects: root-inconsistent vs. err-disable. Mixing them up is a common error.

1696
MCQ · hard

A subnet uses the mask 255.255.255.224. How many usable host addresses does it provide?

A. 14
B. 30
C. 62
D. 126

Answer: B

This is correct because a /27 has 32 total addresses and 30 usable host addresses.

Why this answer

A mask of 255.255.255.224 corresponds to a /27 prefix. In plain language, that leaves 5 host bits available in the address, which creates 32 total addresses in each subnet. Two of those are reserved: one for the network address and one for the broadcast address. That leaves 30 usable host addresses.

This is a classic subnetting question because it tests whether you can move from mask to prefix length to host count without getting lost. Many learners remember the block size but forget to subtract the network and broadcast entries. The correct answer comes from that full logic chain: /27 means 32 total addresses, and therefore 30 usable.

Exam trap

Remember to subtract the network and broadcast addresses from the total count of addresses in a subnet.

Why the other options are wrong

A

This option is wrong because a subnet mask of 255.255.255.224 provides 30 usable host addresses, not 14. The calculation is based on the formula 2^(number of host bits) - 2, where the number of host bits is 5 for this subnet mask.

C

This option is wrong because a subnet mask of 255.255.255.224 allows for 32 total addresses, of which 30 are usable after subtracting the network and broadcast addresses. The calculation is 2^(32-27) - 2 = 30 usable addresses.

D

Option D is incorrect because a subnet mask of 255.255.255.224 allows for 30 usable host addresses, not 126. The calculation is based on the formula 2^(32 - prefix length) - 2, where the prefix length for this mask is 27.

1697
MCQ · hard

Refer to the exhibit. A network engineer is verifying OSPF routing on R1. All routers in the topology are expected to reside in OSPF area 0, and the network 172.16.0.0/16 should be advertised from R2 within the same area. The engineer issues the show ip route 172.16.0.0 command on R1 and sees the output in the exhibit. The engineer expected to see an intra-area route (O) instead of an inter-area route (O IA). What is the most likely cause of this discrepancy?

A. R1 has a mismatched OSPF process ID compared to the ABR.
B. The network type on GigabitEthernet0/0 is configured as non-broadcast, preventing full adjacency.
C. The metric for the route is too high, causing OSPF to treat it as an inter-area route.
D. The destination network 172.16.0.0/16 is located in a different OSPF area.

Answer: D

The routing table entry shows 'type inter area'. This indicates the prefix is being learned via an OSPF Type-3 summary LSA, which is only generated when the network is in a different area than the local router. Therefore, the network is indeed in a different area, contradicting the assumption that R1 and the destination are both in area 0.

Why this answer

The exhibit explicitly lists the route type as 'inter area' for 172.16.0.0/16. In OSPF, an inter-area (IA) route means the destination network resides in a different OSPF area than the local router. Since all routers are expected to be in area 0, the presence of an IA route indicates the 172.16.0.0/16 network is actually located in a different area, causing the ABR to generate a Type-3 summary LSA.

Exam trap

Many candidates incorrectly choose option C, believing that a high OSPF metric can change the route type from intra-area to inter-area. OSPF route types are determined solely by the LSA type and area topology, not by the metric value.

Why the other options are wrong

A

Candidates mistakenly assume that OSPF process IDs must match globally for proper LSA exchange, but they are only locally significant.

B

Candidates may think that the network type influences the OSPF LSA type, but it only affects neighbor discovery and DR/BDR election, not the area origin of LSAs.

C

Candidates sometimes confuse the metric influence with the route type, thinking that OSPF converts routes when the cost exceeds a threshold.

1698
MCQ · hard

A standard ACL and an extended ACL are both available for a design. Which requirement most strongly indicates that an extended ACL is needed?

A. The policy must distinguish traffic by destination, protocol, or port.
B. The policy needs to match only one source subnet.
C. The ACL must be placed near the destination.
D. The network uses IPv6 instead of IPv4.

Answer: A

This is correct because those requirements need extended ACL granularity.

Why this answer

An extended ACL is most strongly indicated when the policy must match not just on source address, but also on destination, protocol, or port information. In practical terms, if the requirement is something like “block HTTP but allow SSH” or “deny traffic to one server but not another,” a standard ACL is too limited because it mainly matches only the source. Option B (matching only one source subnet) can be done with a standard ACL, so it does not demand an extended ACL.

Option C (placement near destination) is a guideline for standard ACLs, not a reason to choose an extended ACL. Option D (IPv6) is irrelevant because the scenario explicitly states both ACL types are available and standard ACLs do not exist for IPv6—this question is about IPv4 ACLs.

Exam trap

Remember that standard ACLs can only filter based on source IP addresses. If the requirement involves protocols or ports, think extended ACL.

Why the other options are wrong

B

Matching only one source subnet can be accomplished with a standard ACL, so this does not strongly indicate a need for an extended ACL.

C

Placing an ACL near the destination is a characteristic of standard ACLs, not a criterion that selects an extended ACL.

D

The scenario assumes both standard and extended ACLs are available; standard ACLs do not exist for IPv6, so this requirement does not apply to the IPv4 ACL choice.

1699
MCQhard

R1 and R2 are connected via a shared Ethernet segment. Both routers are configured in OSPF area 0 and are on the same IP subnet. OSPF authentication is enabled on both interfaces, but the adjacency is not forming. What is the most likely reason?

A.The OSPF authentication key does not match on the two routers.
B.The routers must use different OSPF areas to become neighbors.
C.OSPF message-digest authentication can be used only on serial links.
D.The routers must remove IP addressing before OSPF can form.
AnswerA

This is correct because an authentication mismatch prevents OSPF adjacency on the shared segment.

Why this answer

The most likely reason is an OSPF authentication mismatch. In practical terms, both routers are on the same IP subnet and in the same area, but they are not using the same authentication parameters on the shared link. OSPF neighbors must agree on the authentication type configured for the interface (or area), and for MD5 also on the key ID and the key itself, before they will accept each other's Hellos and form an adjacency; a mismatch shows up as a neighbor that never appears in 'show ip ospf neighbor', and 'debug ip ospf adj' reports the mismatch.

This is a classic CCNA troubleshooting pattern because the configuration looks almost correct until you compare the security settings carefully.

Exam trap

A frequent exam trap is selecting an answer that incorrectly states OSPF authentication is limited to serial links or that routers must be in different areas to form adjacency. Candidates may also mistakenly believe that removing IP addressing is necessary for OSPF to form. These misconceptions overlook that OSPF authentication applies to Ethernet interfaces and that neighbors must be in the same area and subnet with matching authentication keys.

Misreading these details leads to choosing incorrect options that seem plausible but contradict OSPF adjacency rules.

Why the other options are wrong

B

This option is incorrect because OSPF neighbors must be in the same area to form adjacency. Using different areas on the same segment prevents adjacency, so this option contradicts OSPF area rules.

C

This option is incorrect because OSPF authentication, including message-digest (MD5), is supported on Ethernet interfaces, not just serial links. Authentication is not limited by interface type.

D

This option is incorrect because OSPF requires valid IP addressing on interfaces to operate. Removing IP addressing disables OSPF on that link, so adjacency cannot form without IP addresses.
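The key agreement described above can be made concrete by computing the digest both routers attach to their Hellos. This is an added example in Python, not code from the exam page or from Cisco: it implements the OSPFv2 cryptographic authentication of RFC 2328 Appendix D (MD5 over the packet followed by the zero-padded key, with the 64-bit authentication field carrying the key ID, digest length and sequence number). The Hello contents, router IDs and keys are constructed for the demonstration.

```python
"""OSPFv2 cryptographic (MD5) authentication per RFC 2328 Appendix D.4.3.
Constructed example: router IDs, the Hello body and the keys are made up."""
import hashlib
import hmac
import struct

AUTH_TYPE_CRYPTO = 2   # AuType 2 = cryptographic authentication
DIGEST_LEN = 16        # MD5 digest length


def _ipv4(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split('.'))


def build_hello(router_id: str, area_id: str, key_id: int, seq: int, body: bytes) -> bytes:
    """24-byte OSPFv2 header + Hello body. With AuType 2 the checksum field is 0
    and the 8-byte authentication field holds (0, Key ID, Auth Data Len,
    Cryptographic Sequence Number). The packet length field excludes the digest."""
    length = 24 + len(body)
    header = struct.pack('!BBH4s4sHH', 2, 1, length, _ipv4(router_id), _ipv4(area_id), 0, AUTH_TYPE_CRYPTO)
    auth_field = struct.pack('!HBBI', 0, key_id, DIGEST_LEN, seq)
    return header + auth_field + body


def hello_body(mask: str, dr: str = '0.0.0.0', bdr: str = '0.0.0.0') -> bytes:
    """Constructed Hello body: mask, hello 10 s, options 0x02 (E bit), priority 1, dead 40 s, DR, BDR."""
    return struct.pack('!4sHBBI4s4s', _ipv4(mask), 10, 0x02, 1, 40, _ipv4(dr), _ipv4(bdr))


def sign(packet: bytes, key: bytes) -> bytes:
    """Sender: append MD5(packet || key zero-padded to 16 bytes)."""
    if len(key) > 16:
        raise ValueError('OSPF MD5 keys are at most 16 bytes')
    return packet + hashlib.md5(packet + key.ljust(16, b'\0')).digest()


def verify(frame: bytes, keys: dict) -> bool:
    """Receiver: read the Key ID from the header, look up its own key for that ID,
    recompute the digest and compare in constant time. Any mismatch (wrong key or
    unknown key ID) means the Hello is discarded and no adjacency forms."""
    if len(frame) < 24 + DIGEST_LEN:
        return False
    packet, digest = frame[:-DIGEST_LEN], frame[-DIGEST_LEN:]
    _, key_id, auth_len, _ = struct.unpack('!HBBI', packet[16:24])
    key = keys.get(key_id)
    if auth_len != DIGEST_LEN or key is None:
        return False
    expected = hashlib.md5(packet + key.ljust(16, b'\0')).digest()
    return hmac.compare_digest(expected, digest)


def adjacency_outcomes() -> dict:
    """R1 sends one Hello signed with key ID 1 / 'cisco123'; three R2 configurations receive it."""
    hello = build_hello('1.1.1.1', '0.0.0.0', key_id=1, seq=100, body=hello_body('255.255.255.0'))
    frame = sign(hello, b'cisco123')
    return {
        'same key': verify(frame, {1: b'cisco123'}),
        'different key': verify(frame, {1: b'cisco124'}),
        'different key id': verify(frame, {2: b'cisco123'}),
    }


if __name__ == '__main__':
    for case, ok in adjacency_outcomes().items():
        print(f'{case:17s} -> {"adjacency possible" if ok else "Hello discarded"}')
```

On IOS the same requirement is 'ip ospf message-digest-key <id> md5 <key>' with identical ID and key on both interfaces, plus 'ip ospf authentication message-digest' (or area-level authentication); the key ID is part of the match, as the third case shows. MD5 here is a keyed digest rather than a collision-resistant hash, but images that support 'ip ospf authentication key-chain' with HMAC-SHA (RFC 5709) are the better choice where available.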

1700
MCQmedium

R3 has the static route 'ip route 172.20.8.0 255.255.255.0 192.168.1.1'. Packets destined for 172.20.8.0/24 are being dropped. What is the most likely cause?

A.The destination network mask should be /16 instead of /24
B.The next-hop address is not reachable from R3
C.Static routes require an outbound access list
D.The route must use administrative distance 255
AnswerB

If the next hop cannot be resolved, the static route cannot work.

Why this answer

A static route with a next-hop address is installed only if the router can resolve that next hop through another route, usually a connected subnet. If 192.168.1.1 is not reachable, because the interface toward it is down or no route covers it, the static route is left out of the routing table ('show ip route' will not list it) and packets for 172.20.8.0/24 either follow a default route or are dropped.

Exam trap

A frequent exam trap is assuming that the subnet mask on the static route is wrong. The route's /24 matches the 172.20.8.0/24 destinations exactly, so a mask change does not explain the drops; mask errors change which destinations a route covers, not whether its next hop is reachable. Another trap is believing that static routes require outbound ACLs, which is false; ACLs filter traffic but have no bearing on whether a static route works.

Additionally, some may think setting the administrative distance to 255 is necessary for static routes, but this actually disables the route, making it unusable. The key mistake is overlooking the requirement that the next-hop IP address must be reachable for the static route to work, which is the actual cause of packet drops in this scenario.

Why the other options are wrong

A

Option A suggests changing the destination network mask from /24 to /16. While subnet masks must be correct for proper routing, an incorrect mask does not cause next-hop reachability issues or packet drops due to unreachable next-hop addresses. The problem here is related to next-hop reachability, not the destination mask.

C

Option C incorrectly states that static routes require an outbound access list. Static routes do not need ACLs to function; ACLs are used for traffic filtering and security policies, not for enabling or disabling static routes. This option is invalid.

D

Option D claims the route must use administrative distance 255. Administrative distance 255 actually makes a route unusable, so setting it to 255 would prevent the static route from working. The default administrative distance for static routes is 1, which is preferred over most dynamic routes.

1701
PBQhard

You are connected to switch SW1 via console. The network uses Rapid-PVST+ and you need to ensure that SW1 becomes the root bridge for VLANs 10 and 20. Additionally, configure PortFast and BPDU Guard on interface GigabitEthernet0/2, which connects to an end host. Finally, diagnose why interface GigabitEthernet0/3 is in err-disabled state and bring it back operational.

Hints

  • PortFast and BPDU Guard are configured under the interface.
  • Err-disabled recovery often requires a manual shutdown/no shutdown.
  • Check the errdisable cause with 'show interfaces status err-disabled' (or 'show errdisable recovery') to understand the specific issue; 'show interfaces Gi0/3' only tells you the port is err-disabled.
A.Configure SW1 with spanning-tree vlan 10,20 priority 4096, enable PortFast and BPDU Guard on Gi0/2, and recover Gi0/3 by identifying the cause and using shutdown/no shutdown.
B.Set SW1's priority to 0 for VLANs 10 and 20, enable PortFast on Gi0/2, and recover Gi0/3 by reloading the switch.
C.Configure SW1 with spanning-tree vlan 10,20 root primary, enable PortFast and BPDU Guard globally, and recover Gi0/3 by using the 'errdisable recovery cause all' command.
D.Set SW1's priority to 8192 for VLANs 10 and 20, enable PortFast on Gi0/2, and recover Gi0/3 by removing and reinserting the cable.
AnswerA
solution
! SW1
configure terminal
spanning-tree vlan 10,20 priority 4096
interface GigabitEthernet0/2
spanning-tree portfast
spanning-tree bpduguard enable
exit
! Find and fix the cause first: do show interfaces status err-disabled
interface GigabitEthernet0/3
shutdown
no shutdown
end

Why this answer

To make SW1 the root bridge for VLANs 10 and 20, configure 'spanning-tree vlan 10,20 priority 4096' (a valid multiple of 4096). Interface Gi0/2 connects to an end host, so enable PortFast with 'spanning-tree portfast' and BPDU Guard with 'spanning-tree bpduguard enable' under the interface to protect against accidental BPDU reception. Gi0/3 is in err-disabled state.

Common causes include a port-security violation, UDLD misconfiguration, or a loopback detection. To recover, identify the cause with 'show interfaces status err-disabled', then administratively shut and no shut the interface. Option A correctly accomplishes these tasks.

Option B would also make SW1 root (priority 0 is valid and is the lowest value IOS accepts), but it omits BPDU Guard on the edge port and reloads the whole switch to clear one err-disabled port, which is disruptive and unnecessary. Option C's 'root primary' is a macro: at the moment it is entered it picks 24576, or 4096 less than the current root's priority if that root is already below 24576, and it does not react to switches added later; enabling PortFast and BPDU Guard globally ('spanning-tree portfast default' and 'spanning-tree portfast bpduguard default') affects every access port rather than only Gi0/2; and 'errdisable recovery cause all' only re-enables ports automatically after the recovery timer (300 seconds by default) without addressing the cause. Option D's priority 8192 is valid but leaves less margin than 4096, it omits BPDU Guard, and reseating a cable does not clear an err-disabled port.

Exam trap

Watch out for common mistakes: treating 'root primary' as a fixed, future-proof setting (it computes a priority once, when entered), forgetting BPDU Guard on edge ports, relying on a reload or physical action instead of shutdown/no shutdown, and dismissing priority 0, which is valid. Always verify that the priority is a multiple of 4096 and that err-disable recovery uses administrative actions after the cause has been identified.

Why the other options are wrong

B

The specific factual error: priority 0 is a valid value (IOS accepts 0 to 61440 in steps of 4096, and 0 is the lowest), so it would indeed make SW1 root. What is wrong with this option is that it omits BPDU Guard on Gi0/2 and reloads the switch to recover one port, disrupting every other port; shutdown/no shutdown on Gi0/3 is the right recovery.

C

The specific factual error: 'root primary' sets a priority once, based on the root seen when the command is entered (24576, or 4096 below the current root's priority); it does not keep SW1 root against a switch added later with a lower value. Global PortFast and BPDU Guard ('spanning-tree portfast default', 'spanning-tree portfast bpduguard default') apply to all access ports, not just Gi0/2. 'errdisable recovery cause all' only enables automatic recovery after the timeout, not immediate recovery, and leaves the cause unaddressed.

D

The specific factual error: priority 8192 is valid but gives less margin than 4096 against a future switch configured with a low priority. More importantly, BPDU Guard is omitted on the edge port, and reseating the cable does not clear the err-disabled state; the port stays down until shutdown/no shutdown or errdisable recovery brings it back.
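The priority rules argued over in the options (0 being valid, 4096 versus 8192, what 'root primary' actually picks) can be checked by simulating the per-VLAN election. This is an added example in Python, not code from the exam page or from Cisco IOS: it models the Rapid PVST+ Bridge ID as the priority plus the extended system ID (the VLAN number) followed by the MAC, with the lowest value winning, and it reproduces the one-time computation that 'spanning-tree vlan N root primary' performs. Switch names, MAC addresses and priorities are constructed.

```python
"""Rapid PVST+ root election per VLAN. Constructed example: switches, MACs and
priorities below are made up to show how priority and MAC decide the root."""

PRIORITY_STEP = 4096
PRIORITY_MAX = 61440
ROOT_PRIMARY_DEFAULT = 24576


def validate_priority(priority: int) -> int:
    """IOS accepts 0, 4096, 8192, ..., 61440. Zero is valid and is the lowest value."""
    if not 0 <= priority <= PRIORITY_MAX or priority % PRIORITY_STEP:
        raise ValueError(f'priority must be a multiple of {PRIORITY_STEP} between 0 and {PRIORITY_MAX}')
    return priority


def bridge_id(priority: int, vlan: int, mac: str) -> tuple:
    """Comparable Bridge ID: (priority + extended system ID, MAC as an integer).
    With the extended system ID the VLAN number is folded into the priority field."""
    mac_int = int(mac.replace('.', '').replace(':', ''), 16)
    return (validate_priority(priority) + vlan, mac_int)


def elect_root(vlan: int, switches: dict) -> str:
    """switches maps name -> (priority, mac). Returns the name of the root bridge:
    lowest priority wins, and only on a tie does the lowest MAC decide."""
    return min(switches, key=lambda name: bridge_id(switches[name][0], vlan, switches[name][1]))


def root_primary(vlan: int, others: dict) -> int:
    """Priority that 'spanning-tree vlan <vlan> root primary' picks when entered:
    24576 if that beats every other bridge, otherwise 4096 below the lowest
    priority currently seen. It is computed once and never re-evaluated."""
    lowest = min(prio for prio, _ in others.values()) if others else PRIORITY_MAX
    if lowest > ROOT_PRIMARY_DEFAULT:
        return ROOT_PRIMARY_DEFAULT
    if lowest == 0:
        raise ValueError('current root is already at priority 0; root primary cannot go lower')
    return lowest - PRIORITY_STEP


def scenario() -> dict:
    """Who is root for VLAN 10 as SW1's priority varies, before and after a new
    switch (lower priority than default, lower MAC than SW1) joins the network."""
    others = {'SW2': (32768, '0000.0c11.1111'), 'SW3': (32768, '0000.0c22.2222')}
    newcomer = {'SW4': (8192, '0000.0c00.0001')}
    outcome = {}
    for prio in (0, 4096, 8192, root_primary(10, others)):
        sw1 = {'SW1': (prio, '0000.0c99.9999')}
        before = elect_root(10, {**sw1, **others})
        after = elect_root(10, {**sw1, **others, **newcomer})
        outcome[prio] = (before, after)
    return outcome


if __name__ == '__main__':
    for prio, (before, after) in scenario().items():
        print(f'SW1 priority {prio:5d}: root before SW4 = {before}, after SW4 = {after}')
```

With SW2 and SW3 at the default, every choice (including the 24576 that 'root primary' selects here) makes SW1 root; once SW4 arrives with 8192 and a lower MAC, only 0 and 4096 hold. 'show spanning-tree vlan 10' on SW1 should report 'This bridge is the root', and Root Guard on the ports facing other switches is the control that stops a later low-priority bridge from taking the role.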

1702
MCQhard

A user connects a Cisco IP Phone with a PC attached to the phone's PC port to switch interface GigabitEthernet0/5. The PC obtains an IP address and can reach the network, but the phone displays "Configuring IP" and never registers. Based on the exhibit outputs, what is the most likely cause?

A.The switchport must be configured as a trunk to support voice VLANs.
B.VLAN 20 has not been created in the switch's VLAN database.
C.The native VLAN on the trunk ports between the switch and the DHCP server is incorrectly set to VLAN 10.
D.The phone is manually configured to use VLAN 10 for voice traffic instead of VLAN 20.
AnswerB

The 'show vlan brief' output lists only VLANs 1 and 10. VLAN 20 does not exist, so the switch discards any tagged frames arriving on the port with VLAN ID 20, causing the phone's DHCP/TFTP communication to fail.

Why this answer

The PC obtains an IP address and can reach the network, indicating that the data (access) VLAN, VLAN 10 in the exhibit, is functioning. However, the phone displays 'Configuring IP' and never registers, which means it cannot obtain an IP address on its voice VLAN. The most likely cause is that VLAN 20, which is configured as the voice VLAN on the switchport, has not been created in the switch's VLAN database.

Without the VLAN existing, the switch cannot forward traffic or DHCP requests for that VLAN, leaving the phone stuck in the IP configuration phase.

Exam trap

Cisco often tests the distinction between configuring a voice VLAN on an interface and actually creating that VLAN in the global VLAN database; candidates mistakenly assume that referencing a VLAN in interface configuration automatically creates it.

Why the other options are wrong

A

Voice VLANs operate on access ports by tagging voice traffic while keeping PC traffic untagged in the data VLAN. A trunk is not required.

C

Native VLAN mismatches on trunks would affect both data and voice VLANs if both were allowed. The PC works, ruling out a general trunk issue.

D

If the phone were sending its traffic in the data VLAN (10), it would at least obtain an address, because VLAN 10 exists and the PC is already working there. The phone failing indicates a missing voice VLAN, not a misconfiguration on the phone.

1703
MCQhard

Why is the combination of strong authentication and centralized logging generally better than using either one alone?

A.Authentication helps prevent unauthorized access, while centralized logging improves visibility and investigation.
B.They are redundant because both perform exactly the same function.
C.Centralized logging makes authentication unnecessary.
D.Strong authentication removes the need for device event records.
AnswerA

This is correct because the two controls complement each other.

Why this answer

The combination is better because strong authentication helps prevent unauthorized access, while centralized logging helps detect, review, and investigate activity across the environment. In plain language, one control focuses more on prevention, while the other improves visibility and accountability. Together they create a stronger security posture than either one alone.

This is an important design mindset. Security is stronger when controls complement each other instead of trying to solve every problem with one mechanism. The correct answer is the one focused on prevention plus visibility.

Exam trap

The trap is treating the two controls as interchangeable. Authentication prevents, logging detects and records; neither replaces the other, and a log is only useful if it is protected from tampering and somebody reviews it.

Why the other options are wrong

B

Option B is incorrect because strong authentication and centralized logging serve distinct functions; authentication secures access while logging tracks and analyzes events, enhancing security and compliance.

C

This option is incorrect because centralized logging does not eliminate the need for authentication; both are essential for a comprehensive security posture. Authentication verifies user identity, while logging tracks access and actions for auditing and incident response.

D

This option is wrong because strong authentication does not eliminate the need for device event records; both are essential for comprehensive security management. Device event records provide critical insights into system activity, which strong authentication alone cannot address.

1704
PBQhard

You are connected to R1. Configure R1 as a DHCP server for the 192.168.100.0/24 subnet, reserving the first 10 addresses and the address 192.168.100.254 for static assignments, with default gateway 192.168.100.1 and DNS server 8.8.8.8. Then, on the same router, enable DHCP relay for the 10.1.1.0/24 subnet by configuring the helper address pointing to the DHCP server at 192.168.100.1. Finally, verify that the DHCP pool is correctly configured and that the helper address is set.

Hints

  • Check the default-router in the DHCP pool — it should be the gateway address, not an excluded address.
  • The helper-address on G0/1 must point to the DHCP server interface IP, not to a reserved address.
  • Examine the excluded-address list to understand which addresses are reserved.
A.The default-router is incorrectly set to 192.168.100.254 instead of 192.168.100.1, and the ip helper-address on G0/1 points to 192.168.100.254 instead of 192.168.100.1.
B.The default-router is correctly set to 192.168.100.1, but the ip helper-address on G0/1 points to 192.168.100.254 instead of 192.168.100.1.
C.The default-router is incorrectly set to 192.168.100.254 instead of 192.168.100.1, but the ip helper-address on G0/1 correctly points to 192.168.100.1.
D.Both the default-router and the ip helper-address are correctly configured as 192.168.100.1.
AnswerA
solution
! R1
configure terminal
ip dhcp excluded-address 192.168.100.1 192.168.100.10
ip dhcp excluded-address 192.168.100.254
ip dhcp pool POOL_100
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
dns-server 8.8.8.8
exit
interface GigabitEthernet0/1
ip helper-address 192.168.100.1
end
show ip dhcp pool POOL_100
show running-config interface GigabitEthernet0/1
copy running-config startup-config

Why this answer

The configuration has two critical errors. First, the default-router in the DHCP pool is incorrectly set to 192.168.100.254, which is an excluded address meant for static assignment, not the actual gateway (192.168.100.1). Second, the ip helper-address on G0/1 points to 192.168.100.254 (the wrong address) instead of the DHCP server's own interface IP 192.168.100.1.

To fix, change the default-router to 192.168.100.1 and update the helper-address to 192.168.100.1.

Exam trap

Be careful not to confuse the excluded addresses (reserved for static assignment) with the gateway address. Also, remember that when a router acts as both DHCP server and relay, the helper-address should point to the router's own interface IP on the server subnet, not to an excluded address. One further check: a relayed request arrives with the giaddr field set to the G0/1 address in 10.1.1.0/24, and the server selects a pool by that address, so clients on 10.1.1.0/24 only receive leases once a pool whose network is 10.1.1.0/24 exists; this task covers only the 192.168.100.0/24 pool and the relay pointer.

Why the other options are wrong

B

The specific factual error is that the helper-address should be the DHCP server's IP, not an excluded address.

C

The specific factual error is that the default-router must be the gateway address, not an excluded address.

D

The specific factual error is that the question states the configuration uses 192.168.100.254 for both, so this option does not match the given scenario.

1705
PBQhard

You are connected to R1. Configure AAA with RADIUS authentication on R1 so that SSH login attempts first contact the RADIUS server at 192.0.2.10 (key 'cisco123'), and if the server is unreachable, fall back to the local database. Additionally, troubleshoot why an 802.1X-enabled switch port (GigabitEthernet0/1) on a connected switch remains in the 'unauthorized' state despite RADIUS being functional; identify and fix the misconfiguration on the switch (SW1).

Network Topology
G0/0192.0.2.1/24G0/1G0/1SW1R1Client

Hints

  • Check if the switch has 'aaa new-model' enabled.
  • The switch needs a RADIUS server definition and an authentication method list for dot1x.
  • The 'aaa authentication dot1x default group radius' command is missing.
A.R1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication login default group radius local', 'line vty 0 4', 'login authentication default'. SW1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication dot1x default group radius', 'dot1x system-auth-control', 'interface GigabitEthernet0/1', 'authentication port-control auto', 'dot1x pae authenticator'.
B.R1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication login default group radius local', 'line vty 0 4', 'login authentication default'. SW1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication login default group radius', 'dot1x system-auth-control', 'interface GigabitEthernet0/1', 'authentication port-control auto', 'dot1x pae authenticator'.
C.R1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication login default group radius', 'line vty 0 4', 'login authentication default'. SW1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication dot1x default group radius', 'dot1x system-auth-control', 'interface GigabitEthernet0/1', 'authentication port-control auto', 'dot1x pae authenticator'.
D.R1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication login default group radius local', 'line vty 0 4', 'login authentication default'. SW1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication dot1x default group radius', 'dot1x system-auth-control', 'interface GigabitEthernet0/1', 'authentication port-control auto'.
AnswerA
solution
! R1
configure terminal
aaa new-model
radius server RADIUS
address ipv4 192.0.2.10
key cisco123
exit
aaa authentication login default group radius local
line vty 0 4
login authentication default
end
write memory

! SW1
configure terminal
aaa new-model
radius server RADIUS
address ipv4 192.0.2.10
key cisco123
exit
aaa authentication dot1x default group radius
end
write memory

Why this answer

The correct answer is Option A. For R1, the 'aaa authentication login default group radius local' command ensures that SSH login attempts first contact the RADIUS server at 192.0.2.10 and fall back to the local database if the server is unreachable. The fallback applies only when RADIUS does not answer; an Access-Reject is a final decision and does not fall through to the local database. Options that omit the 'local' keyword (C) lack the fallback entirely, making them incorrect.

Option B uses 'aaa authentication login' on the switch for 802.1X; the method list that 802.1X consults is 'aaa authentication dot1x default group radius', so with B the port never gets a RADIUS answer and stays unauthorized. Option D omits 'dot1x pae authenticator' under the interface, which is required for the port to take the authenticator role when 'authentication port-control auto' is used (older IOS assumed the role with 'dot1x port-control auto', but current images and the CCNA expect it to be explicit); without it the port also remains unauthorized. Options B and C do include that interface command.

Only Option A includes all necessary commands: correct RADIUS server definitions, proper AAA authentication lists for both login and dot1x, global 'dot1x system-auth-control', and the interface-level commands 'authentication port-control auto' and 'dot1x pae authenticator'.

Exam trap

Do not confuse 'aaa authentication login' (for device access) with 'aaa authentication dot1x' (for network access); also, the 'dot1x pae authenticator' command is often required to explicitly set the port to the authenticator role, and omitting it can leave the port unauthorized even if the other 802.1X commands are present. Note too that the RADIUS key is stored in the configuration and is at best reversibly obfuscated by 'service password-encryption', so treat configuration backups as sensitive.

Why the other options are wrong

B

Uses 'aaa authentication login' on the switch instead of 'aaa authentication dot1x', which does not enable RADIUS authentication for 802.1X.

C

On R1, the login authentication list omits 'local', so there is no fallback to the local database if the RADIUS server is unreachable.

D

Missing the 'dot1x pae authenticator' command under GigabitEthernet0/1, which is necessary for the switch to function as an 802.1X authenticator.
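The key on R1, SW1 and the RADIUS server has to match because every RADIUS exchange is bound to it. This added Python example (not code from the page or from Cisco) implements the two RFC 2865 mechanisms that use the shared secret: hiding the User-Password attribute in an Access-Request and computing the Response Authenticator that the NAS checks on the reply. The secret 'cisco123' comes from the question; the Request Authenticator, packet identifier, password and attribute bytes are constructed.

```python
"""RADIUS shared-secret mechanics from RFC 2865: User-Password hiding
(section 5.2) and the Response Authenticator (section 3).
Constructed example: the authenticator, identifier and password are made up."""
import hashlib
import hmac
import struct


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """NAS side: pad to a multiple of 16, then
    c1 = p1 XOR MD5(S + RA), c_i = p_i XOR MD5(S + c_{i-1})."""
    padded = password + b'\0' * (-len(password) % 16)
    hidden, prev = b'', request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += chunk
        prev = chunk
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side. With the wrong secret this yields garbage rather than an
    error, so the server simply answers Access-Reject."""
    password, prev = b'', request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        password += bytes(c ^ b for c, b in zip(chunk, block))
        prev = chunk
    return password.rstrip(b'\0')


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret); Length covers
    the 20-byte header plus the attributes."""
    length = 20 + len(attrs)
    return hashlib.md5(struct.pack('!BBH', code, ident, length) + request_auth + attrs + secret).digest()


def nas_accepts_reply(code: int, ident: int, attrs: bytes, reply_auth: bytes,
                      request_auth: bytes, secret: bytes) -> bool:
    """The NAS recomputes the Response Authenticator with its own secret. A reply
    that fails is silently discarded, so a key mismatch looks like a server that
    never answers (timeouts), not like a rejection."""
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, reply_auth)


def exchange(nas_secret: bytes, server_secret: bytes) -> dict:
    """One Access-Request / Access-Accept round trip between a NAS and a server."""
    request_auth = bytes(range(16))            # constructed; a real NAS uses 16 random bytes
    password = b'Str0ngPassw0rd'
    hidden = hide_password(password, nas_secret, request_auth)
    seen_by_server = reveal_password(hidden, server_secret, request_auth)
    attrs = b''                                 # bare Access-Accept (code 2) for the demonstration
    reply_auth = response_authenticator(2, 42, attrs, request_auth, server_secret)
    return {
        'server_sees_password': seen_by_server == password,
        'nas_trusts_reply': nas_accepts_reply(2, 42, attrs, reply_auth, request_auth, nas_secret),
    }


if __name__ == '__main__':
    print('matching keys   ', exchange(b'cisco123', b'cisco123'))
    print('mismatched keys ', exchange(b'cisco123', b'cisco124'))
```

With mismatched keys the server decodes a garbage password and the NAS drops the reply, which is why a wrong key on SW1 or R1 presents as RADIUS timeouts rather than as a clear authentication error. The MD5 construction offers no integrity protection for an Access-Request on its own (the Message-Authenticator attribute of RFC 2869 exists for that), so the secret should be long and random and the transport protected where possible.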

1706
MCQmedium

What is an autonomous system in basic BGP terminology?

A.A collection of networks and routers under common administrative routing control
B.A single switch VLAN
C.A specific OSPF area inside one router
D.A type of wireless access point
AnswerA

This is correct because that is the basic meaning of an autonomous system.

Why this answer

An autonomous system is a collection of IP networks and routers under a common routing policy or administrative control. In practical terms, it is the domain boundary concept used in BGP discussions. BGP uses AS concepts to reason about routing between separate administrative networks.

This is one of the first BGP ideas learners need to understand.

Exam trap

A frequent exam trap is mistaking an autonomous system for a VLAN or an OSPF area. VLANs are Layer 2 broadcast domains and do not relate to routing domains or administrative control of routing policies. Similarly, OSPF areas segment a single routing domain to optimize routing but do not represent separate administrative entities.

Confusing these concepts can lead to incorrect answers because BGP’s autonomous system concept specifically refers to a collection of networks and routers under a common administrative routing policy, which is distinct from VLAN or OSPF area segmentation.

Why the other options are wrong

B

This option is incorrect because a VLAN is a Layer 2 segmentation method that isolates broadcast domains and does not relate to routing policies or autonomous systems in BGP.

C

This option is wrong since an OSPF area is a subdivision within a single routing domain to optimize routing, not an autonomous system representing separate administrative control.

D

This option is incorrect because an autonomous system is a routing domain concept, whereas a wireless access point is a physical device unrelated to BGP or routing domains.

1707
MCQhard

A host address is 10.100.12.94/26. Which address is the broadcast address for that subnet?

A.10.100.12.63
B.10.100.12.127
C.10.100.12.64
D.10.100.12.128
AnswerB

This is correct because .94 is in the 64-127 /26 range.

Why this answer

A /26 subnet has a block size of 64, so the fourth-octet ranges are 0–63, 64–127, 128–191, and 192–255. The host address 10.100.12.94 lies in the 64–127 range, making the broadcast address the last address in that range: 10.100.12.127. Option A (10.100.12.63) is the broadcast of the previous subnet (0–63).

Option C (10.100.12.64) is the network address of the subnet containing the host. Option D (10.100.12.128) is the network address of the next subnet (128–191).

Exam trap

Be careful not to confuse host addresses or network addresses with the broadcast address. Remember, the broadcast address is the last address in the subnet range.

Why the other options are wrong

A

10.100.12.63 is the broadcast address of the 0–63 subnet, not the one containing 94.

C

10.100.12.64 is the network address of the 64–127 subnet, not the broadcast.

D

10.100.12.128 is the network address of the 128–191 subnet, not the broadcast.

1708
PBQhard

You are connected to R1, a multilayer switch acting as a DNS client and DNS server for the local network. The network uses 192.168.1.0/24 for internal hosts. Users report that hostnames like 'server1.example.com' fail to resolve. Diagnose and fix the DNS resolution issue using nslookup and dig. Ensure that R1 can resolve both forward and reverse DNS queries correctly.

Network Topology
192.168.1.0/24G0/0203.0.113.0/30SiR1Internal HostsInternet

Hints

  • Check if the DNS forwarder is reachable; if not, you may need to configure local DNS records.
  • Use 'ip host' to create an A record, and 'ip dns primary' for reverse zone with PTR.
  • Remove the unreachable name-server with 'no ip name-server' to stop using it.
A.Configure R1 as a local DNS server with an A record for server1.example.com (192.168.1.10) and a PTR record for 192.168.1.10, then remove the unreachable forwarder 192.0.2.53 and ensure ip domain lookup uses the local server.
B.Configure R1 as a DNS server with only an A record for server1.example.com (192.168.1.10) and keep the forwarder 192.0.2.53 for other queries.
C.Remove the forwarder 192.0.2.53 and configure R1 as a DNS server with only a PTR record for 192.168.1.10.
D.Change the DNS forwarder to a reachable server like 8.8.8.8 and add a PTR record for 192.168.1.10 on R1.
AnswerA
solution
! R1
ip dns server
ip host server1.example.com 192.168.1.10
ip dns primary 1.168.192.in-addr.arpa soa ns.example.com admin.example.com 1 3600 900 604800 86400
ip dns primary 1.168.192.in-addr.arpa ns ns.example.com
ip dns primary 1.168.192.in-addr.arpa ptr 10 1.168.192.in-addr.arpa server1.example.com
no ip name-server 192.0.2.53

Why this answer

The issue is twofold: first, the DNS forwarder (192.0.2.53) is unreachable, so forward lookups time out (the resolver gets no answer at all, which is not the same as an NXDOMAIN from a server that exists); second, there is no PTR record for the reverse lookup zone. The forward lookup failure is because R1 is configured to use an unreachable external DNS server. The reverse lookup failure is because no PTR record exists for the host IP.

To fix, either configure a reachable DNS forwarder or enable local DNS server with appropriate records. Here, we configure R1 as a local DNS server with an A record for 'server1.example.com' pointing to 192.168.1.10 and a PTR record for the reverse lookup. Then we remove the unreachable forwarder and ensure ip domain lookup uses local server.

Exam trap

Students often forget that reverse DNS requires a PTR record in addition to the A record. Also, they may not verify that the DNS forwarder is reachable; simply adding records without removing an unreachable forwarder will not fix forward lookups. Always check both forward and reverse resolution requirements.

Why the other options are wrong

B

The forwarder is unreachable, so keeping it will cause forward lookups to fail. Also, reverse lookup requires a PTR record, which is missing.

C

Forward lookups require an A record mapping the hostname to an IP address; without it, forward queries return NXDOMAIN.

D

The scenario expects R1 to be a local DNS server for internal hosts; using an external forwarder for internal hostnames is not best practice and may not resolve internal names if the forwarder doesn't have the records.

1709
Matchingmedium

Match each route-selection concept to its most accurate meaning.

Concepts and matches

Longest-prefix match: Preference for the most specific matching destination prefix

Administrative distance: Trust ranking between different route sources

Metric: Protocol-specific value used to compare paths

Floating static route: Backup static route configured with a higher administrative distance

Why these pairings

Administrative distance indicates the trustworthiness of a routing protocol or static route, with lower values preferred. Metric is a protocol-specific cost used to compare routes from the same source. The longest-prefix match selects the route with the most specific (longest) subnet mask.

A floating static route serves as a backup by using a higher administrative distance than the primary route.

Exam trap

Be careful not to confuse administrative distance with prefix length. AD (and then metric) decides which candidate route for the same prefix is installed in the routing table; longest-prefix match is applied per packet at forwarding time among the routes already installed, and it wins over AD and metric: a /24 learned from any source is used before a /16 from a more trusted source.

1710
Multi-Selectmedium

A branch router is acting as a DHCP server. Which two parameters can it provide directly to clients through DHCP?

Select 2 answers
A.Default gateway
B.DNS server address
C.OSPF area number
D.Switch port duplex setting
E.STP root bridge priority
AnswersA, B

The default gateway is carried in the DHCP router option (option 3) and the DNS server in option 6; both are standard lease parameters.

Why this answer

DHCP (Dynamic Host Configuration Protocol) is designed to automatically assign IP configuration parameters to clients. The default gateway (option 3) and DNS server address (option 6) are standard DHCP options defined in RFC 2132, which a router acting as a DHCP server can directly provide to clients to enable network connectivity and name resolution.

Exam trap

Cisco often tests the distinction between DHCP-provided parameters (Layer 3/4) and switch-specific or routing protocol parameters (Layer 2/3), leading candidates to mistakenly select options like OSPF area or STP priority that are not DHCP options.

1711
MCQhard

An administrator needs to configure an ACL to block HTTP traffic from subnet 10.10.10.0/24 to the web server at 172.16.1.10 while permitting all other traffic. Which ACL entry should be placed first?

A.deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
B.deny ip 10.10.10.0 0.0.0.255 host 172.16.1.10
C.permit tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
D.deny udp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
AnswerA

This is correct because it blocks only HTTP traffic from the specified subnet to the specific server.

Why this answer

The ACL needs a narrow deny statement that matches only TCP port 80 from the specified source subnet to the specific server, followed by a 'permit ip any any' entry; without that final permit the implicit deny at the end of every ACL would drop all other traffic. In practical terms, the requirement is not to block all IP traffic or all access to the host. It is to stop normal HTTP while allowing everything else, so the first entry must be precise and must come before the broad permit, or the permit will shadow it.

This is the kind of ACL question the CCNA exam likes because it forces you to distinguish protocol, destination, and service rather than relying on vague source-only logic.

Exam trap

Be careful to distinguish between blocking all traffic and blocking specific services. Ensure you understand the requirement to block only HTTP traffic, not all IP traffic.

Why the other options are wrong

B

Option B is incorrect because it denies all IP traffic from the specified source to the destination, which is broader than required and does not specifically target HTTP traffic on port 80.

C

Option C is incorrect because it permits HTTP traffic from the specified source to the web server, which is contrary to the requirement to block this traffic. The question specifically asks for a rule that denies HTTP access.

D

Option D is incorrect because it specifies 'deny udp', which does not block HTTP traffic, as HTTP uses TCP, not UDP. Therefore, it fails to meet the requirement of blocking HTTP from the specified source to the web server.
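The first-match logic in this question and the standard-versus-extended distinction from question 1698 can be exercised directly. This added Python example (not code from the page or from Cisco IOS) parses a small subset of IOS ACL syntax (standard: action plus source; extended: action, protocol, source, destination, optional 'eq' ports, with the 'any' and 'host' shorthands) and evaluates constructed flows against it, including the shadowing that happens when the entries are ordered the wrong way round and the blind spot of a source-only standard ACL.

```python
"""First-match ACL evaluation with IOS wildcard masks and the implicit deny.
Constructed example: the ACL text mirrors the question; the flows are made up."""
import ipaddress

PROTOCOLS = {'ip', 'tcp', 'udp', 'icmp'}
PORT_NAMES = {'www': 80, 'telnet': 23, 'ssh': 22, 'domain': 53}   # subset of IOS keywords
ANY = ('0.0.0.0', '255.255.255.255')


def _addr_spec(toks, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at toks[i]."""
    if toks[i] == 'any':
        return ANY, i + 1
    if toks[i] == 'host':
        return (toks[i + 1], '0.0.0.0'), i + 2
    return (toks[i], toks[i + 1]), i + 2


def _port_spec(toks, i):
    """Optional 'eq <port>' after an address; only 'eq' is modelled here."""
    if i < len(toks) and toks[i] == 'eq':
        name = toks[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_ace(line: str) -> dict:
    toks = line.split()
    action = toks[0]
    if toks[1] in PROTOCOLS:                      # extended ACE
        proto = toks[1]
        src, i = _addr_spec(toks, 2)
        sport, i = _port_spec(toks, i)
        dst, i = _addr_spec(toks, i)
        dport, _ = _port_spec(toks, i)
    else:                                         # standard ACE: source only
        proto, sport, dst, dport = 'ip', None, ANY, None
        src, _ = _addr_spec(toks, 1)
    return {'action': action, 'proto': proto, 'src': src, 'sport': sport,
            'dst': dst, 'dport': dport, 'text': line}


def parse_acl(lines):
    return [parse_ace(line) for line in lines]


def wildcard_match(addr: str, spec) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    base, wildcard = spec
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care


def evaluate(acl, flow: dict):
    """The first matching ACE decides; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace['proto'] != 'ip' and ace['proto'] != flow['proto']:
            continue
        if not wildcard_match(flow['src'], ace['src']) or not wildcard_match(flow['dst'], ace['dst']):
            continue
        if ace['sport'] is not None and ace['sport'] != flow.get('sport'):
            continue
        if ace['dport'] is not None and ace['dport'] != flow.get('dport'):
            continue
        return ace['action'], ace['text']
    return 'deny', 'implicit deny'


# Constructed flows from the 10.10.10.0/24 subnet and elsewhere toward the web server.
HTTP = {'proto': 'tcp', 'src': '10.10.10.7', 'dst': '172.16.1.10', 'dport': 80}
SSH = {'proto': 'tcp', 'src': '10.10.10.7', 'dst': '172.16.1.10', 'dport': 22}
HTTP_OTHER_SUBNET = {'proto': 'tcp', 'src': '10.10.20.7', 'dst': '172.16.1.10', 'dport': 80}

ACL_CORRECT = parse_acl(['deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80', 'permit ip any any'])
ACL_REVERSED = parse_acl(['permit ip any any', 'deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80'])
ACL_STANDARD = parse_acl(['deny 10.10.10.0 0.0.0.255', 'permit any'])   # cannot tell HTTP from SSH

if __name__ == '__main__':
    for name, acl in (('correct', ACL_CORRECT), ('reversed', ACL_REVERSED), ('standard', ACL_STANDARD)):
        for flow_name, flow in (('HTTP', HTTP), ('SSH', SSH), ('HTTP, other subnet', HTTP_OTHER_SUBNET)):
            print(f'{name:9s} {flow_name:19s} -> {evaluate(acl, flow)}')
```

The reversed ordering shows the permit shadowing the deny, and the standard ACL shows why question 1698's answer holds: with only the source to match on, SSH from 10.10.10.0/24 is denied along with HTTP. On IOS the list still has to be applied with 'ip access-group' on an interface, and an extended ACL belongs close to the source so the unwanted traffic is dropped before it crosses the network.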

1712
PBQhard

You are connected to R1. The network has three departments: Sales (VLAN 10, 192.168.1.0/24), Engineering (VLAN 20, 192.168.2.0/24), and Management (VLAN 99, 192.168.99.0/24). A single switch SW1 connects to R1 via trunk interface G0/0. Subinterfaces for VLANs 10, 20, and 99 are already configured on R1 with correct encapsulation and IP addresses. However, inter-VLAN communication is failing. Troubleshoot and fix the configuration issue on R1 to enable routing between all VLANs.

Network Topology
G0/0trunkR1SW1

Hints

  • Check the global routing status on R1.
  • The subinterfaces are correctly configured but the router cannot forward packets between them.
  • A single global command enables inter-VLAN routing on a router.
A.Enable 'ip routing' globally on R1.
B.Configure a subinterface for VLAN 1 and assign it an IP address.
C.Change the encapsulation on the subinterfaces from dot1Q to ISL.
D.Add a static route on R1 pointing to each VLAN subnet.
AnswerA
solution
! R1
configure terminal
ip routing

Why this answer

The subinterfaces carry 802.1Q encapsulation and IP addresses for VLANs 10, 20 and 99, and the trunk is up, yet traffic between the subnets is not forwarded. What is missing is the global routing process: 'ip routing' has been disabled ('no ip routing' appears in the running configuration), so R1 behaves like a host with several addresses and does not forward packets between its subinterfaces. A subinterface for the native VLAN (VLAN 1) is not required for the three department VLANs to be routed.

Enable 'ip routing' globally; nothing else needs to change. 'ip routing' is on by default on IOS routers, so if it is absent someone turned it off; on a multilayer switch it is off by default and must be enabled before SVIs or routed ports can route.

Exam trap

The trap is that candidates often focus on trunking issues or missing subinterfaces, but the most common misconfiguration in router-on-a-stick is forgetting to enable 'ip routing' globally. Always check the running-config for 'ip routing' before troubleshooting other aspects.

Why the other options are wrong

B

The native VLAN does not need its own subinterface; the router can still route traffic between the other VLANs without one.

C

ISL is a legacy encapsulation that is rarely used, and changing to it would not fix the routing issue; the problem is that IP routing is disabled.

D

Directly connected routes for each subinterface subnet are added automatically once routing is enabled; no static routes are required.

1713
MCQ · hard

An administrator wants to prevent a specific subnet from using Telnet to reach network devices, while still allowing SSH from that same subnet. What is the strongest reason a standard ACL is not enough by itself?

A. Because the policy must distinguish Telnet from SSH, which requires protocol or port-level matching.
B. Because standard ACLs are valid only on wireless networks.
C. Because Telnet and SSH always use the same destination port.
D. Because SSH can never be filtered with ACLs.
Answer: A

This is correct because source-only matching cannot separate those two protocols.

Why this answer

A standard ACL is not enough by itself because the policy depends on distinguishing different protocols or destination ports, not just source address. In practical terms, the source subnet is the same for both Telnet and SSH. The ACL therefore needs to tell those two management protocols apart, which requires more granular matching than source-only logic.

This is one of the clearest examples of why extended ACL capability matters.

Exam trap

Do not confuse the capabilities of standard ACLs with those of extended ACLs. Remember, standard ACLs filter only by source IP.

Why the other options are wrong

B

Standard ACLs are not limited to wireless networks; they can be applied to any interface on a router, including wired connections. This option misrepresents the applicability of standard ACLs.

C

This option is incorrect because Telnet and SSH use different destination ports; Telnet typically uses port 23, while SSH uses port 22, allowing for distinct filtering in ACLs.

D

This option is incorrect because SSH can indeed be filtered using ACLs, as they can match traffic based on IP addresses and protocols. Standard ACLs can be applied to control SSH traffic just like any other traffic type.

1714
Multi-Select · medium

Which three statements about Power over Ethernet (PoE) and PoE+ standards are correct? (Choose three.)

Select 3 answers
A. PoE (IEEE 802.3af) can deliver up to 15.4 watts of power per port.
B. PoE+ (IEEE 802.3at) can deliver up to 30 watts of power per port.
C. Both PoE and PoE+ use the same four pairs of a twisted-pair cable for power delivery.
D. Powered devices (PDs) can negotiate power requirements using Link Layer Discovery Protocol (LLDP) with PoE extensions.
E. PoE+ requires Category 3 cabling or better.
F. PoE automatically disables power if a non-PoE device is detected.
Answer: A, B, D

Why this answer

Option 1 is correct because the IEEE 802.3af PoE standard specifies a maximum power delivery of 15.4 watts per port at the PSE (Power Sourcing Equipment), with a minimum of 12.95 watts guaranteed at the PD (Powered Device) after cable losses. Option 2 is correct because the IEEE 802.3at PoE+ standard increases the maximum power per port to 30 watts at the PSE, with 25.5 watts available at the PD. Option 4 is correct because PDs can negotiate power requirements using LLDP with the IEEE 802.1AB LLDP-MED (Media Endpoint Discovery) extensions, which include PoE TLV (Type-Length-Value) fields for power negotiation beyond the simple classification method.

Option 3 (both PoE and PoE+ use the same four pairs) is incorrect because both standards deliver power over only two pairs (spare or data pairs depending on mode); four-pair power delivery is introduced in IEEE 802.3bt (PoE++). Option 5 (PoE+ requires Category 3 cabling) is incorrect because PoE+ requires at least Category 5e cabling to support the higher power levels without excessive heat or signal degradation. Option 6 (PoE automatically disables power if a non-PoE device is detected) is incorrect because the PSE first performs a detection phase to identify a valid PoE signature; if none is found, power is never applied—so it is not disabled after being enabled.

Exam trap

Cisco often tests the misconception that PoE and PoE+ both use all four pairs for power delivery, when in fact they use only two pairs, and the four-pair delivery is exclusive to the 802.3bt standard (PoE++).

Why the other options are wrong

C

Both PoE and PoE+ use only two pairs for power delivery, not four; four-pair delivery is exclusive to 802.3bt (PoE++).

E

PoE+ requires Category 5e or better cabling, as Category 3 cannot safely support the higher current.

F

PoE does not disable power on a non-PoE device; detection prevents power from ever being applied to non-compliant devices.

1715
MCQ · hard

Which NAT design is most appropriate when many inside users need outbound Internet access through one public IPv4 address, but no inbound server publishing is required?

A. PAT overload
B. Static NAT for every host
C. No NAT, because private IPv4 addresses are Internet-routable
D. DHCP relay
Answer: A

This is correct because PAT allows many inside sessions to share one public address by using ports.

Why this answer

The most appropriate design is PAT overload. In practical terms, many internal users can share one public IPv4 address because PAT distinguishes their sessions using transport-layer ports. This is the most common solution when the requirement is outbound access for many clients rather than predictable inbound access to a specific internal server.

Static NAT would be the wrong design here because it creates fixed one-to-one mappings and consumes more public address space than needed for this use case. PAT is specifically built for many-to-one outbound translation.

Exam trap

A frequent exam trap is selecting static NAT or no NAT for outbound Internet access when many internal users share one public IP. Static NAT creates one-to-one mappings, consuming excessive public IP addresses unnecessarily. Choosing no NAT assumes private IPv4 addresses are routable on the Internet, which is false.

Another trap is confusing DHCP relay with NAT; DHCP relay only forwards DHCP messages and does not perform address translation. Candidates must recognize that PAT overload is the correct design for many-to-one outbound translation without inbound server publishing, avoiding these common misconceptions.

Why the other options are wrong

B

Static NAT for every host is incorrect because it requires a unique public IP address per internal host, which is inefficient and unnecessary when only outbound access is needed without inbound server publishing.

C

No NAT is incorrect because private IPv4 addresses are not routable on the public Internet and must be translated to public addresses to communicate externally.

D

DHCP relay is incorrect because it only forwards DHCP messages between clients and servers and does not perform any IP address translation or NAT functions.

1716
MCQ · medium

Exhibit: Users complain of slow wireless performance in a dense office even though signal strength is strong. Multiple APs are using channels 1, 2, and 3 on 2.4 GHz. Which change is most appropriate?

A. Reduce all AP transmit power to zero
B. Move to non-overlapping channels such as 1, 6, and 11
C. Change every AP to the same channel for consistency
D. Disable WPA2 security
Answer: B

That is the standard corrective action on 2.4 GHz.

Why this answer

In 2.4 GHz, overlapping channels cause co-channel and adjacent-channel interference. The common non-overlapping choices are 1, 6, and 11. Moving away from overlapping channels usually improves performance in a dense deployment.

Exam trap

Avoid assuming that increasing power or adding more APs will solve interference issues without considering channel overlap.

Why the other options are wrong

A

Reducing all AP transmit power to zero would completely disable the wireless network, making it impossible for users to connect or experience any performance, which does not address the issue of slow performance in a dense office environment.

C

Changing every AP to the same channel would lead to co-channel interference, exacerbating the slow wireless performance issue rather than resolving it. In a dense office environment, this configuration would reduce overall throughput and increase contention among devices.

D

Disabling WPA2 security would not address the issue of slow wireless performance in a dense office environment; instead, it would compromise network security and potentially allow unauthorized access, worsening the situation.

1717
Multi-Select · medium

Which three of the following are valid considerations when configuring EtherChannel? (Choose three.)

Select 3 answers
A. All physical interfaces in an EtherChannel must have the same speed and duplex settings.
B. EtherChannel can be configured using either PAgP (Cisco proprietary) or LACP (IEEE 802.3ad) protocols.
C. When using LACP, the system priority is used to determine which switch controls the active ports in the bundle.
D. EtherChannel load balancing is always based on source and destination MAC addresses only.
E. On a Cisco switch, you can bundle up to 16 interfaces into a single EtherChannel, all of which can be active simultaneously.
F. EtherChannel provides loop prevention by using Spanning Tree Protocol on each individual link within the bundle.
Answer: A, B, C

Why this answer

All three correct statements (A, B, C) are valid considerations when configuring EtherChannel. Option D is incorrect because load balancing can be based on source/destination IP, MAC, or Layer 4 port, not just MAC addresses. Option E is false because although up to 16 interfaces can be in a port channel, only 8 can be active simultaneously (the remaining are in standby).

Option F is false because STP operates on the port-channel interface as a whole, not on individual links within the bundle.

Exam trap

Cisco often tests the requirement that all physical interfaces in an EtherChannel must have the same speed and duplex settings, as candidates may mistakenly think that different speeds can be used if the switch supports auto-negotiation.

Why the other options are wrong

D

EtherChannel load balancing is configurable and can use source/destination IP, MAC, or Layer 4 port, not just MAC addresses.

E

Only 8 interfaces can be active in a single EtherChannel; the other 8 are in standby mode.

F

Spanning Tree Protocol runs on the logical port-channel interface, not on each individual physical link within the bundle.

1718
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure HSRP on an interface and verify the active/standby election process, including failover and verification.


Why this order

The correct order for HSRP configuration is step A: first enter interface configuration mode, set HSRP version, configure the virtual IP, optionally set priority to influence active router selection, enable preempt to allow the higher-priority router to reclaim active role, and verify with 'show standby' to see real-time roles and states. Step B is incorrect because HSRP is configured per interface, not via global configuration and VLAN creation; the virtual IP is set on the interface, not on a VLAN. Step C is wrong because priority should be set after entering interface configuration mode, not before, and verification should use 'show standby' not 'show running-config'.

Step D is invalid because there is no global 'router hsrp' command; HSRP configuration is done directly on the interface, and 'debug standby' is not a reliable verification command. 'show standby' is the standard command to verify active/standby status.

Exam trap

Candidates often confuse the order of HSRP configuration steps or think HSRP requires a global configuration mode like routing protocols. Remember: HSRP is configured per interface, and verification uses 'show standby' to see real-time roles.

1719
MCQ · hard

A switch shows a clock that is several minutes off from other devices even though an NTP server has been configured. Which issue is the most likely cause?

A. The NTP server is unsynchronized or unreachable
B. The device must run Syslog before NTP can sync
C. NTP requires a trunk port on the management VLAN
D. The clock can sync only if DNS is configured
Answer: A

This is correct because NTP requires a reachable, synchronized time source. If the server is unreachable or not synchronized, the switch cannot update its clock, leading to drift.

Why this answer

NTP requires IP reachability to the time source. If the NTP server is unreachable due to routing or ACL issues, the switch falls back to its local clock, causing drift. Option A is correct.

Option B is wrong because Syslog has no effect on NTP synchronization. Option C is incorrect because NTP does not require a trunk port; it can operate over any VLAN with IP connectivity. Option D is false because DNS is only needed if the NTP server is specified by hostname; the server can be reached by IP address without DNS.

Exam trap

A common mistake is thinking that unrelated services like Syslog, trunk ports, or DNS are prerequisites for NTP; only IP connectivity to a synchronized NTP server matters.

Why the other options are wrong

B

Syslog and NTP are independent protocols; Syslog does not need to run before NTP can synchronize.

C

NTP works over any IP network; there is no requirement for a trunk port on the management VLAN.

D

DNS is only needed if the NTP server is referenced by hostname rather than IP address; many configurations use IP addresses directly.

1720
MCQ · medium

Users on a new access switch can reach devices in their own VLAN but cannot reach the default gateway on the distribution switch. Based on the exhibit, what is the most likely cause?

A. VLAN 30 is missing from the allowed VLAN list on the trunk.
B. The user ports should be configured as trunks.
C. The SVI for VLAN 30 must be shutdown for inter-VLAN routing to work.
D. The trunk native VLAN must be changed to VLAN 30.
Answer: A

That prevents VLAN 30 frames from reaching the distribution switch.

Why this answer

The trunk allows only VLANs 10 and 20, so VLAN 30 traffic never crosses the uplink. Local switching inside VLAN 30 on the access switch can still work, which is why same-VLAN communication succeeds. Adding VLAN 30 to the allowed list is the direct fix.

Exam trap

A common exam trap is assuming that user ports must be trunks to enable VLAN communication beyond the local switch. In reality, user ports should remain access ports assigned to a single VLAN. Another trap is thinking that the SVI for VLAN 30 must be shut down to fix routing issues, but an active SVI is necessary for inter-VLAN routing.

Additionally, candidates may incorrectly focus on native VLAN mismatches, which do not block VLAN 30 traffic if the VLAN is not allowed on the trunk. The real issue is the missing VLAN 30 in the trunk's allowed VLAN list, which prevents VLAN 30 frames from reaching the distribution switch and the default gateway.

Why the other options are wrong

B

Incorrect because user ports should be configured as access ports, not trunks. Configuring user ports as trunks is unnecessary and can cause security and connectivity issues.

C

Incorrect because the SVI for VLAN 30 must be active for inter-VLAN routing to function. Shutting down the SVI would prevent routing, not enable it.

D

Incorrect because changing the trunk native VLAN to VLAN 30 is unrelated to the problem. Native VLAN mismatches affect untagged traffic but do not block VLAN 30 tagged frames if the VLAN is allowed.

1721
MCQ · hard

A network engineer notices that the router interface GigabitEthernet0/1 is in an 'administratively down' state in the output of the show ip interface brief command, preventing connectivity to the subnet connected to that interface. What is the most likely cause?

A. The interface does not have an IP address assigned.
B. The shutdown command is configured on the interface.
C. The interface is configured with an incorrect subnet mask.
D. An access list is blocking traffic on the interface.
Answer: B

The 'administratively down' status is only displayed when the interface has been explicitly disabled using the shutdown command in configuration mode.

Why this answer

The 'administratively down' state in the output of 'show ip interface brief' indicates that the interface has been manually disabled using the 'shutdown' command. This is a Layer 1/2 administrative state, not a protocol or connectivity issue. To bring the interface up, the 'no shutdown' command must be applied in interface configuration mode.

Exam trap

Cisco often tests the distinction between 'administratively down' (caused by the 'shutdown' command) and 'down/down' (caused by a physical layer issue like a disconnected cable), leading candidates to confuse the two states.

Why the other options are wrong

A

Candidates often confuse the lack of an IP address with a non-functional interface, believing it will be shown as down.

C

Students may think any IP misconfiguration could bring the interface down, but only the shutdown command causes 'administratively down'.

D

Because an ACL can stop traffic, candidates sometimes assume it would be reflected as a down state, but interface status is independent of ACLs.

1722
Drag & Drop · medium

Drag and drop the following OSPFv2 neighbor state transitions and DR/BDR election steps into the correct order for a multi-access network where a new router joins an existing OSPF area.


Why this order

The new router first discovers neighbors via Hello packets and reaches the 2-Way state. On a multi-access network the DR/BDR election then takes place before the routers proceed to ExStart. The Database Description (DD), Link-State Request (LSR), and Link-State Update (LSU) exchanges synchronize the link-state databases, and the adjacency reaches the Full state.

Exam trap

Do not confuse the order of ExStart and Exchange, or Loading and Full. Remember that DR/BDR election occurs after 2-Way and before ExStart.

1723
MCQ · hard

An engineer wants remote administrative access to remain available but also wants session contents protected in transit. Which management choice best supports that goal?

A. SSH
B. Telnet
C. Open wireless access
D. Native VLAN 1
Answer: A

This is correct because SSH supports encrypted remote administration.

Why this answer

The best choice is SSH because it provides encrypted remote administrative access. In plain language, the engineer wants administrators to keep managing devices remotely, but without exposing credentials or session contents in clear text. SSH solves that by protecting the traffic in transit, which is why it is preferred over older plaintext protocols such as Telnet.

This is a core management-plane security principle. The goal is not to remove remote administration, but to perform it safely. The correct answer is the one that aligns with secure remote access rather than convenience at the expense of protection.

Exam trap

A common exam trap is selecting Telnet because it allows remote access, ignoring that it transmits data in clear text. This mistake overlooks the critical security requirement to protect session contents during transit. Another trap is choosing options unrelated to encryption, such as native VLAN or open wireless access, which do not address secure remote management.

Candidates must focus on protocols that provide confidentiality and integrity for administrative sessions, not just connectivity.

Why the other options are wrong

B

Telnet is incorrect because it transmits data in clear text, exposing sensitive information to attackers and failing to protect session contents during transit.

C

Open wireless access is unrelated to secure remote management; it does not provide encryption or protect administrative sessions, making it irrelevant to the question.

D

Native VLAN 1 configuration does not affect encryption or security of remote management protocols, so it does not support the goal of protecting session contents.

1724
PBQ · hard

You are connected to R1. Configure R1 as an NTP client to synchronize with NTP server 203.0.113.10, using its Loopback0 interface (192.168.1.1/32) as the source for NTP packets. Additionally, configure logging to syslog server 192.0.2.100 with a trap level that captures events from level 5 (notice) and above. The current configuration shows that NTP is not synchronized (stratum 16) and only debugging messages are being sent to the syslog server. Correct these issues so that R1 is synchronized and important system messages are logged.

Network Topology
R1 (G0/0, 10.0.0.2/30) -- link -- R2 (G0/0, 10.0.0.2/30); NTP server

Hints

  • Use 'ntp server' command to point to the NTP server IP.
  • Use 'ntp source' to specify the Loopback0 interface as the source.
  • Change the logging trap level from 'debugging' to 'notifications' to filter important messages.
A. ntp server 203.0.113.10 source Loopback0; logging trap notifications
B. ntp server 203.0.113.10; ntp source Loopback0; logging trap notifications
C. ntp server 203.0.113.10 source Loopback0; logging trap debugging
D. ntp server 203.0.113.10; logging host 192.0.2.100; logging trap notifications
Answer: B
Solution
! R1
configure terminal
ntp server 203.0.113.10
ntp source Loopback0
logging trap notifications
end

Why this answer

The correct configuration is to add the NTP server with 'ntp server 203.0.113.10' and set the source interface separately with 'ntp source Loopback0'. For syslog, the command 'logging trap notifications' sets the trap level to 5 (notice), ensuring that critical and important messages are logged while excluding debugging output. Option A uses the combined 'ntp server ... source Loopback0' and does not match the separate source configuration required.

Option C keeps logging at debugging level (7), which is too verbose. Option D lacks the NTP source configuration entirely.

Exam trap

Candidates often mistake syslog severity numbers: lower is more severe, so 'logging trap notifications' captures levels 0–5. Also, the NTP source must be configured with a separate 'ntp source Loopback0' command, not just as an inline source on the server command.

Why the other options are wrong

A

Combines the NTP source directly in the server command, but the required configuration uses a separate 'ntp source Loopback0' command.

C

Sets logging trap to debugging (level 7), not the required notifications (level 5).

D

Missing the 'ntp source Loopback0' command, so NTP will not use the Loopback0 interface as source.

1725
MCQ · medium

A network engineer enters the following configuration on R1 and R2, but R1 cannot form an OSPF adjacency with R2 on interface GigabitEthernet0/0.

R1# show running-config interface GigabitEthernet0/0
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip ospf hello-interval 10
 ip ospf dead-interval 40
 ip ospf 1 area 0
!

R2# show running-config interface GigabitEthernet0/0
interface GigabitEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 ip ospf hello-interval 5
 ip ospf dead-interval 20
 ip ospf 1 area 0

What is the most likely cause of the failure?

A. The routers are in different OSPF areas.
B. The OSPF timers on the interface do not match.
C. The subnet mask prevents multicast OSPF packets from being exchanged.
D. The OSPF process IDs do not match on the two routers.
Answer: B

This is correct because the interfaces are configured with different hello and dead intervals. OSPF neighbors expect those timers to align, and if they do not, the routers reject the neighbor relationship. The addressing and area assignment are fine, but the timer mismatch blocks adjacency formation.

Why this answer

The routers must agree on hello and dead timers to establish an OSPF adjacency. R1 uses hello=10 and dead=40, while R2 uses hello=5 and dead=20; this mismatch prevents the neighbor relationship. Although both routers share the same area (0) and subnet mask, and OSPF process IDs are locally significant (no match required), the timer difference is the root cause.

Exam trap

Remember that OSPF process IDs are locally significant and do not need to match between routers.

Why the other options are wrong

A

This option is incorrect because OSPF can still form adjacencies between routers in different areas, provided they are correctly configured to do so. The issue in this scenario is related to OSPF timers, not area mismatches.

C

This option is incorrect because OSPF can still exchange multicast packets even if the subnet mask is not configured correctly, as long as the interfaces are up and configured for OSPF. The failure to form an adjacency is more likely due to mismatched OSPF timers.

D

This option is wrong because OSPF process IDs do not need to match for routers to form an adjacency; they only need to be in the same area and have matching network statements.
