CCNA 200-301 v2 (200-301) — Questions 17261800

1819 questions total · 25pages · All types, answers revealed

Page 23

Page 24 of 25

Page 25
1726
Multi-Selectmedium

Which four of the following statements about IPv4 static routing are true? (Choose all that apply. There are four correct answers.)

Select 4 answers
.A default static route uses 0.0.0.0/0 as the destination network.
.A floating static route is configured with a higher administrative distance than the same route learned via a dynamic routing protocol.
.A fully specified static route includes both the exit interface and the next-hop IP address.
.A static route pointing to a next-hop IP address only is resolved through ARP on the router.
.An IPv4 static route can use an IPv6 address as the next hop.
.A recursive static route requires the router to perform multiple routing table lookups to forward the packet.

Why this answer

A default static route with destination 0.0.0.0/0 matches all packets when no more specific route exists, acting as a gateway of last resort. A floating static route uses a higher administrative distance (e.g., 150) than the dynamic protocol's default (e.g., 110 for OSPF), so it only appears in the routing table if the dynamic route fails. A fully specified static route includes both the exit interface and next-hop IP, eliminating recursive lookups.

A recursive static route specifies only the next-hop IP, forcing the router to perform multiple routing table lookups to find the exit interface.

Exam trap

Cisco often tests the distinction between recursive and fully specified static routes, tricking candidates into thinking that a next-hop-only route uses ARP directly, when in fact it requires a recursive lookup first.

1727
MCQhard

Why is HTTPS preferred over HTTP when accessing sensitive controller APIs?

A.Because HTTPS encrypts the API traffic in transit.
B.Because HTTPS removes the need for tokens and credentials.
C.Because HTTPS is the only way JSON can be transmitted.
D.Because HTTP cannot carry API requests at all.
AnswerA

This is correct because encrypted transport is the main reason HTTPS is preferred.

Why this answer

HTTPS is preferred because it encrypts the traffic in transit. In practical terms, sensitive controller APIs may carry tokens, credentials, operational details, and configuration data. Sending that information over plain HTTP would expose it to interception on the network. HTTPS reduces that risk by protecting the session.

This does not make HTTPS a replacement for authentication. It is a transport-security choice that works alongside access control, not instead of it.

Exam trap

A frequent exam trap is believing that HTTPS removes the need for tokens or credentials in API access. Some candidates incorrectly assume that because HTTPS encrypts traffic, authentication is unnecessary. However, HTTPS only secures the transport layer and does not provide access control.

Another trap is thinking HTTP cannot carry API requests, which is false since HTTP can transmit API data but without encryption. Also, confusing the data format with the transport protocol leads to the incorrect belief that JSON requires HTTPS, when in fact JSON can be sent over any protocol. Understanding these distinctions is crucial to avoid selecting incorrect answers.

Why the other options are wrong

B

Option B is incorrect because HTTPS does not remove the need for tokens or credentials; it only secures the transport layer. Authentication is still required to control access to APIs.

C

Option C is incorrect since JSON can be transmitted over any protocol, including HTTP and HTTPS. The choice of HTTPS is about securing the transport, not the data format.

D

Option D is incorrect because HTTP can carry API requests; however, it does so without encryption, making it unsuitable for sensitive data transmission.

1728
MCQhard

An API response returns a list of interface objects in JSON. Which structure most likely represents that list?

A.An array containing multiple interface objects
B.A single integer with the value 1
C.A native VLAN field
D.An STP root bridge ID
AnswerA

This is correct because JSON arrays are the normal way to hold lists of repeated items.

Why this answer

In JSON, a list is most naturally represented as an array. In plain language, when an API needs to return several interfaces, routes, VLANs, or similar repeated items, it usually places them inside square brackets as an ordered collection. Each item inside that array might itself be an object containing keys such as name, status, or IP address.

CCNA automation questions usually test whether you recognize that square brackets signal a list. If the response contains many similar interface records, the best structure is the one that looks like a JSON array of interface objects rather than a single scalar value.

Exam trap

Remember that arrays in JSON are denoted by square brackets, and each item should be a complete object if details are needed.

Why the other options are wrong

B

Option B is incorrect because an API response that returns a list of interface objects should be structured as an array, not as a single integer. A single integer does not represent a collection of objects.

C

A native VLAN field is not a valid representation of a list of interface objects in JSON; it typically refers to a specific VLAN configuration in networking, not an array structure.

D

Option D is incorrect because an STP root bridge ID is a specific identifier related to Spanning Tree Protocol, not a representation of a list of interface objects in JSON format.

1729
MCQhard

A subnet uses the prefix /29. How many usable host addresses are available in each subnet?

A.2
B.6
C.14
D.30
AnswerB

This is correct because a /29 has 8 total addresses and 6 usable host addresses.

Why this answer

A /29 prefix leaves 3 host bits, which creates 8 total addresses per subnet. In plain language, two of those addresses cannot be assigned to hosts because one identifies the subnet itself and one is reserved as the broadcast address. That leaves 6 usable host addresses. This is a standard CCNA calculation because it checks whether you understand both the total address count and the subtraction of the reserved addresses.

Many candidates remember powers of two but forget to account for the network and broadcast addresses when the question asks for usable hosts. The safest process is to calculate the total size first and then reduce it by two. That is how you arrive at 6 usable addresses for a /29.

Exam trap

Remember to subtract the network and broadcast addresses from the total count to find usable addresses.

Why the other options are wrong

A

Option A is incorrect because a /29 subnet provides 8 total IP addresses, of which 6 are usable for hosts after accounting for the network and broadcast addresses.

C

Option C is wrong because a /29 subnet provides 8 total IP addresses, of which 6 are usable for hosts after reserving one for the network address and one for the broadcast address.

D

Option D is incorrect because a /29 subnet provides 8 total IP addresses, of which 6 are usable for hosts after accounting for the network and broadcast addresses. Therefore, stating that there are 30 usable addresses is inaccurate.

1730
MCQmedium

A network engineer needs to automate the configuration of multiple Cisco IOS XE routers in a data center. The team requires a standard, vendor-neutral data modeling language to define the configuration parameters, and they need a protocol that uses XML-based remote procedure calls over SSH for secure, reliable configuration transactions. Which combination of technologies best meets these requirements?

A.Use YANG data models combined with RESTCONF over HTTPS.
B.Use YANG data models combined with NETCONF over SSH.
C.Use CLI commands combined with NETCONF over SSH.
D.Use CLI commands combined with RESTCONF over HTTPS.
AnswerB

YANG is a standard, vendor-neutral data modeling language. NETCONF uses XML-based RPCs over SSH for secure, reliable configuration transactions, making this combination ideal for the requirements.

Why this answer

Option B is correct because YANG is a standard, vendor-neutral data modeling language (RFC 6020) for defining configuration parameters, and NETCONF (RFC 6241) uses XML-based remote procedure calls (RPCs) over SSH for secure, reliable configuration transactions. This combination directly satisfies the requirement for a standard data model and XML-based RPCs over SSH, unlike RESTCONF which uses HTTPS and JSON/XML but not SSH.

Exam trap

Cisco often tests the distinction between NETCONF (XML RPCs over SSH) and RESTCONF (RESTful operations over HTTPS), and candidates mistakenly choose RESTCONF because it is more modern, but the question explicitly requires XML-based RPCs over SSH, which only NETCONF provides.

Why the other options are wrong

A

The scenario specifies a protocol that uses XML-based RPCs over SSH, which is a characteristic of NETCONF, not RESTCONF.

C

The scenario specifically asks for a standard, vendor-neutral data modeling language, which CLI is not.

D

Neither the data modeling language (CLI) nor the protocol (RESTCONF) matches the specified requirements of vendor-neutral data modeling and XML-based RPCs over SSH.

1731
MCQhard

A network engineer notices that internal hosts (192.168.1.0/24) can reach external servers on the internet, but replies from external servers never reach the internal hosts. The router R1 is configured with dynamic NAT to translate the internal subnet to a pool of public IPs (203.0.113.10-203.0.113.20). The engineer runs 'show ip nat translations' and sees only a few stale translations. What is the most likely cause of the issue?

A.The access list 'NAT' is incorrect; it should permit only specific hosts, not the entire subnet.
B.The outside interface (GigabitEthernet0/0) is missing the 'ip nat outside' command.
C.The NAT configuration lacks the 'overload' keyword, so the pool is exhausted quickly.
D.The NAT pool 'POOL' has too few addresses; it should be expanded to a /24 subnet.
AnswerB

Without 'ip nat outside' on the outside interface, the router does not translate return packets from the outside to the inside. Adding this command enables NAT to work bidirectionally.

Why this answer

The correct answer is B because the 'ip nat outside' command must be applied to the interface facing the external network (GigabitEthernet0/0) for the router to translate return traffic. Without it, the router does not perform NAT on packets arriving on that interface, so replies from external servers are forwarded without translation back to the inside local IPs, which are not routable on the internet. The stale translations indicate that outbound translations were created but never used for return traffic, confirming the missing outside interface command.

Exam trap

Cisco often tests the requirement that both 'ip nat inside' and 'ip nat outside' must be configured on the respective interfaces for NAT to work bidirectionally, and the trap here is that candidates assume only the inside interface needs the command or confuse the symptom with pool exhaustion or ACL issues.

Why the other options are wrong

A

The access list correctly matches the internal subnet, so this is not the root cause.

C

Even without overload, dynamic NAT should work for the first 11 hosts; the problem is that return packets are not being translated.

D

The pool size is not the issue; the router is not translating return traffic due to missing 'ip nat outside'.

1732
PBQhard

You are connected to a Cisco 9800 WLC (WLC1) via its management interface. A wireless client reports association failures with SSID 'CorpNet'. The client uses WPA3-Personal, but the WLAN is configured for WPA2. Additionally, the SSID is hidden and the client is on the wrong VLAN (VLAN 20 instead of VLAN 100). Fix these issues so the client can associate successfully with WPA3, on VLAN 100, and with the SSID broadcast enabled.

Network Topology
192.168.100.2/24networkWLC1AP

Hints

  • Check the WLAN security settings: WPA3 requires 'security wpa wpa3' and removal of 'wpa2'.
  • The SSID is hidden; use 'broadcast-ssid' under the WLAN configuration.
  • The policy tag assigns VLAN 20; change it to VLAN 100 to match client requirements.
A.Enable SSID broadcast, change security to WPA3-Personal, and assign VLAN 100 in the policy tag.
B.Enable SSID broadcast, change security to WPA2-PSK, and assign VLAN 20 in the policy tag.
C.Disable SSID broadcast, change security to WPA3-Personal, and assign VLAN 100 in the policy tag.
D.Enable SSID broadcast, change security to WPA3-Enterprise, and assign VLAN 100 in the policy tag.
AnswerA
solution
! WLC1
configure terminal
wlan CorpNet 1 CorpNet
broadcast-ssid
no security wpa wpa2
security wpa wpa3
security wpa psk set-ccmp 0 7 1234567890
exit
wireless tag policy default-policy
vlan 100
end
write memory

Why this answer

The WLAN was configured for WPA2-PSK with a hidden SSID, and the policy tag assigned VLAN 20 instead of VLAN 100. To fix: (1) Enable SSID broadcast with 'broadcast-ssid'. (2) Change security to WPA3-Personal by removing WPA2 and enabling WPA3 with 'security wpa wpa3' and 'security wpa psk set-ccmp'. (3) Assign VLAN 100 in the policy tag with 'vlan 100'. The client should then associate.

Exam trap

Be careful to distinguish between WPA2 and WPA3, and between Personal (PSK) and Enterprise (802.1X). Also, remember that a hidden SSID must be broadcast for clients to discover it, and VLAN assignment is done in the policy tag, not the SSID configuration.

Why the other options are wrong

B

The specific factual error is that the client uses WPA3-Personal, so changing to WPA2-PSK does not meet the requirement. Also, VLAN 20 is the wrong VLAN.

C

The specific factual error is that the SSID is currently hidden and the client cannot see it; enabling broadcast is required, not disabling.

D

The specific factual error is that WPA3-Personal uses a pre-shared key, while WPA3-Enterprise requires 802.1X authentication. The client is configured for Personal mode.

1733
MCQhard

An administrator has just configured OSPF in a single area between router R1 and router R2, which are directly connected via their Gi0/0 interfaces with IP addresses 10.0.0.1/30 and 10.0.0.2/30. On R1, the command show ip ospf neighbor shows no entries, and a further check on R2 with show ip ospf interface gi0/0 indicates that the interface is passive. Which configuration error is most likely causing the adjacency failure?

A.The network command on R1 does not cover the 10.0.0.0/30 subnet.
B.R2 has the passive-interface default command but no no passive-interface command for Gi0/0.
C.The OSPF process IDs on R1 and R2 are mismatched.
D.The hello and dead intervals on R1 and R2 are not the same.
AnswerB

The passive-interface default command sets all OSPF interfaces to passive mode. To allow neighbor adjacency on a specific interface, a no passive-interface <interface> command is required. Without it, Gi0/0 remains passive, preventing OSPF hellos and adjacency formation.

Why this answer

The output on R2 shows the Gi0/0 interface is passive, meaning OSPF will not send or receive hello packets on that interface, preventing neighbor discovery. The passive-interface default command makes all interfaces passive by default, and without a no passive-interface Gi0/0 command, the interface remains passive, blocking adjacency formation. This directly explains why R1's show ip ospf neighbor shows no entries.

Exam trap

Cisco often tests the distinction between passive-interface default and the need for explicit no passive-interface commands, as candidates may assume that OSPF will automatically form adjacencies on directly connected interfaces without considering passive configuration.

Why the other options are wrong

A

This option fails to account for the explicit passive interface state shown on R2. A missing network statement would not cause the interface to be displayed as passive; it would simply not be enrolled in the OSPF process.

C

This is a common misconception, but process ID mismatch does not affect OSPF neighbor formation. The passive interface status on R2 directly contradicts this as the cause.

D

The passive interface status would not appear if the only issue were interval mismatches; the interface would still be active and sending hellos. This directly conflicts with the given show output.

1734
MCQhard

A Layer 2 switch port connected to an end host should move to forwarding quickly but also shut down if a BPDU is received. Which pair of features best supports that design?

A.PortFast and BPDU Guard
B.Root Guard and UDLD
C.Loop Guard and native VLAN
D.Port security and EtherChannel
AnswerA

This is correct because PortFast speeds edge-port forwarding and BPDU Guard disables the port if a BPDU is received.

Why this answer

PortFast and BPDU Guard are the right pair. In plain language, PortFast makes an edge port usable quickly for a real end device, while BPDU Guard protects that same port by shutting it down if spanning-tree control traffic appears unexpectedly.

This is a classic access-layer design. PortFast improves usability, and BPDU Guard improves safety. The best answer combines both functions.

Exam trap

Be careful not to confuse BPDU Guard with Root Guard or Loop Guard, as they serve different purposes in spanning tree protection.

Why the other options are wrong

B

Root Guard and UDLD do not directly address the requirement for a port to quickly transition to forwarding while shutting down upon receiving a BPDU. Root Guard is used to prevent a port from becoming a root port, while UDLD is for detecting unidirectional links.

C

Loop Guard and native VLAN do not directly address the requirement for a port to quickly transition to forwarding while shutting down upon receiving a BPDU. Loop Guard is designed to prevent loops by keeping a port in a loop-inconsistent state, and native VLAN is related to VLAN tagging, not port state management.

D

Port security and EtherChannel do not directly address the need for a switch port to quickly transition to forwarding mode while also shutting down upon receiving a BPDU. Port security focuses on limiting MAC addresses and EtherChannel is used for link aggregation, neither of which fulfill the specific requirements of this question.

1735
MCQhard

A network administrator configures PAT on a router to allow internal hosts in the 10.10.10.0/24 subnet to access the Internet. Afterward, users report that they can ping public IP addresses but cannot access any websites. The administrator verifies that the access list for NAT matches the correct subnet, and the 'ip nat inside source list 1 interface GigabitEthernet0/1 overload' command is applied. What is the most likely cause of this issue?

A.The router's DNS proxy is misconfigured, preventing resolution of website names.
B.The PAT translation table is full, causing new TCP connection requests to be dropped.
C.The 'overload' keyword was omitted, causing the router to use dynamic NAT with a single-address pool.
D.A static NAT entry for a web server is using the same public IP address as the PAT overload.
AnswerB

PAT uses source port translation to map many internal addresses to a single public IP. ICMP (ping) does not consume a port mapping and can still be translated even when the table is exhausted. New TCP connections, required for web traffic, will fail when no free source port is available.

Why this answer

The ability to ping public IP addresses confirms that IP routing and PAT translation are working for ICMP traffic. However, the failure to access websites (HTTP/HTTPS) while ping succeeds indicates that the PAT translation table is likely exhausted, preventing the router from creating new translations for TCP connections. The 'overload' keyword is correctly configured, so the issue is not a missing keyword but rather resource exhaustion in the NAT table.

Exam trap

Cisco often tests the distinction between ICMP and TCP behavior under PAT exhaustion—candidates assume that if ping works, all IP connectivity is fine, but the trap is that PAT table exhaustion selectively drops new TCP sessions while allowing existing or low-volume ICMP traffic.

Why the other options are wrong

A

The scenario explicitly mentions successful pings to IP addresses, so name resolution is not the cause.

C

The command output explicitly shows 'overload', and the symptom (ping works, TCP fails) is inconsistent with a missing overload keyword.

D

A static NAT conflict would affect all traffic (including ICMP), not just web traffic.

1736
MCQhard

After configuring the area 0 range 10.0.0.0 255.255.0.0 command on an OSPF ABR, a technician finds that a host at 10.0.5.100 in Area 1 cannot reach hosts in Area 0. The ABR’s OSPF database shows only the summary 10.0.0.0/16 in Area 0, and no individual /24 routes. What is the most likely cause?

A.The ABR is filtering the specific /24 routes using a distribute-list under the OSPF process.
B.The routers in Area 1 are no longer advertising their /24 routes to the ABR because the ABR is in a different area.
C.The area range command causes the ABR to advertise only the summary LSA and suppress the more-specific Type-3 LSAs for the range.
D.The ABR has automatically created a discard route to null0 for the summary, which is dropping all traffic destined to the summarized networks.
AnswerC

By default, the area range command summarizes the specified prefix range and suppresses the individual component routes from being advertised into the target area. Only the summary LSA appears in Area 0, which matches the observed behavior.

Why this answer

The area 0 range command on an OSPF ABR creates a summary Type-3 LSA and suppresses the more-specific Type-3 LSAs within that range. This is expected OSPF route summarization behavior; only the summary route is advertised into Area 0, which explains why the /24 routes are missing. The ABR continues to forward traffic properly because it retains specific routes learned from Area 1, so connectivity within the summary should still work under normal conditions.

The other answers either describe non-existent configurations or misunderstand the discard route's role.

Exam trap

Many candidates mistake the null0 discard route for an immediate black hole, but it only drops packets when no more-specific route exists in the ABR’s routing table. In this case, the ABR still has the /24 routes from Area 1, so the discard route does not block traffic.

Why the other options are wrong

A

A distribute-list requires explicit configuration; its absence makes this an unsubstantiated guess.

B

Area border routers receive all LSAs from non-backbone areas; the area boundary does not stop LSA propagation to the ABR itself.

D

The null0 route is a loop-prevention mechanism, not an absolute traffic blocker; more-specific entries in the routing table take precedence.

1737
PBQhard

You are connected to R1 via the console. The network administrator reports that PC1 (connected to R1's GigabitEthernet0/1) cannot reach the internet. Troubleshoot the issue step by step. The current configuration and show outputs are provided.

Hints

  • Check if PC1 can ping the default gateway and the next-hop router.
  • Verify R1's default route.
  • If all local connectivity works, the issue is likely beyond R1 (ISP side).
A.PC1 has an incorrect default gateway configured.
B.R1 is missing a default route to the ISP.
C.routing or NAT issue beyond the local network
D.PC1 has a DNS resolution issue.
AnswerC
solution
! R1

Why this answer

The issue is that PC1 cannot reach the internet despite having correct IP, gateway, and DNS. PC1 can ping the default gateway and even the next-hop router (203.0.113.2), but fails to ping 8.8.8.8. This indicates that the problem is beyond the local network — likely a routing or NAT issue on the ISP side.

However, the task requires troubleshooting client connectivity; the provided outputs show no misconfiguration on PC1 or R1. The fault is external (ISP not routing or no NAT), but the candidate must verify that client configuration is correct and then escalate or check the ISP link. For the PBQ, the candidate should confirm that PC1's IP, subnet mask, gateway, and DNS are correct, and that R1 has a default route and can reach the next hop.

No configuration changes are needed on R1 or PC1; the problem is outside the scope of the local network.

Exam trap

The trap is that candidates may focus on local misconfigurations (gateway, DNS, routing) when the evidence shows local connectivity works. Always verify step by step: if the client can ping the gateway and next hop, the problem is external.

Why the other options are wrong

A

The specific factual error is that a reachable gateway implies correct configuration; if the gateway were wrong, pinging it would fail.

B

The specific factual error is that reachability to the next hop requires a route; if R1 were missing a default route, it could not forward packets to the next hop.

D

The specific factual error is that DNS is only needed for name resolution; pinging an IP address bypasses DNS entirely.

1738
PBQmedium

You are connected to R1 via console. R1 has two upstream paths to the Internet: a primary via ISP1 (G0/0 10.1.1.1/30) and a backup via ISP2 (G0/1 10.2.2.1/30). The backup path should only be used when the primary fails. The default route to ISP1 has been configured, but you must now configure a floating static default route to ISP2 with an administrative distance of 200.

Network Topology
G0/010.1.1.1/30G0/110.2.2.1/30R1ISP1ISP2

Hints

  • Floating static routes use a higher administrative distance to serve as backups.
  • The AD of a static route defaults to 1; to make it floating, set it higher than the primary route's AD.
  • The command format is 'ip route [network] [mask] [next-hop] [distance]'.
A.ip route 0.0.0.0 0.0.0.0 10.2.2.2 200
B.ip route 0.0.0.0 0.0.0.0 10.2.2.1 2
C.ip route 0.0.0.0 0.0.0.0 10.2.2.1 1
D.ip route 0.0.0.0 0.0.0.0 10.2.2.1 250
AnswerA
solution
! R1
ip route 0.0.0.0 0.0.0.0 10.2.2.2 200

Why this answer

A floating static route ensures backup connectivity by using an administrative distance (AD) higher than the primary route's AD. Here, the primary default route has an AD of 1, so the backup must be configured with AD 200 as specified. Crucially, the next-hop address must be the ISP's IP address (10.2.2.2) in the /30 subnet, not R1's own interface IP (10.2.2.1).

Using the local interface IP creates an invalid static route. Option A is correct only with the next-hop set to 10.2.2.2. Options B and C fail because they use AD 2 and 1 respectively (not the required 200) and also point to the wrong next-hop.

Option D uses AD 250 instead of 200 and has the same next-hop error.

Exam trap

The key trap is confusing administrative distance values. Candidates often forget that the backup route must have a higher AD than the primary. They might use the same AD (causing ECMP) or a lower AD (making it preferred).

Also, they might misremember the exact AD value specified in the question. Always ensure the floating static route's AD is explicitly set higher than the primary route's AD.

Why the other options are wrong

B

Uses AD 2 instead of the specified AD 200 and a wrong next-hop of 10.2.2.1.

C

Uses AD 1 (equal to the primary route's AD), preventing failover, and a wrong next-hop of 10.2.2.1.

D

Uses AD 250 instead of the required AD 200 as specified in the question, and still uses the wrong next-hop.

1739
MCQhard

A user reports that their computer cannot access the network. The technician checks the computer's IP configuration and finds an APIPA address (169.254.x.x). The computer is connected to a switch port on VLAN 20. The DHCP server is located on VLAN 1. The technician then examines the router's interfaces using 'show ip interface brief' and sees that all interfaces shown are up/up. What should the technician do next?

A.Check the DHCP server logs to see if it is receiving Discover messages.
B.Verify that the ip helper-address command is configured on the router's VLAN 20 interface.
C.Attempt to ping the DHCP server's IP address from the host's APIPA address.
D.Restart the DHCP service on the server and recheck the host.
AnswerB

The router is the intervlan router, and the DHCP server is on a different subnet. For a DHCP Discover broadcast to cross VLANs, the router must have an IP helper-address pointing to the DHCP server's IP address on the VLAN 20 interface. Since all ports are up/up, the problem is almost certainly the missing relay. Checking this config directly addresses the most probable cause.

Why this answer

The APIPA address (169.254.x.x) indicates the host failed to obtain a DHCP lease. Since the DHCP server is on VLAN 1 and the host is on VLAN 20, a DHCP relay (ip helper-address) must be configured on the router's VLAN 20 interface to forward DHCP broadcast messages to the server. The 'show ip interface brief' shows all interfaces are up/up, so the next logical step is to verify the relay configuration.

Exam trap

Cisco often tests the concept that a DHCP relay (ip helper-address) is required when the DHCP server is on a different subnet, and candidates mistakenly focus on server-side issues or ping tests instead of the router configuration.

Why the other options are wrong

A

This action assumes the DHCP request has already reached the server; it bypasses verifying the network path that would deliver the broadcast to the server, which is the most likely missing piece.

C

Candidates might think that if the ping fails, the problem is network connectivity, but APIPA addresses are non-routable and the test itself is invalid in this context.

D

Many techs jump to rebooting a service when a simple configuration check would reveal the real problem. This violates the principle of least intrusive troubleshooting.

1740
Drag & Dropmedium

Drag and drop the following steps into the correct order to describe how data is encapsulated as it travels down the OSI model layers.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Data originates at the application layer as user data. The transport layer then encapsulates this data by adding a header (e.g., TCP or UDP) to create a segment. The network layer further adds an IP header to the segment, forming a packet.

Next, the data link layer appends a frame header and trailer to the packet, resulting in a frame. Finally, the physical layer converts the entire frame into bits for electrical, optical, or radio transmission. This sequence follows the standard top-down encapsulation process in network communication.

1741
MCQhard

A network administrator has configured a switch port to support a VoIP phone and a desktop PC. Users report that the desktop PC cannot obtain an IP address via DHCP, while the VoIP phone registers successfully. The switch port is up/up, and the desktop is connected to the phone's PC port. What is the most likely cause of the issue?

A.The switchport mode access should be changed to switchport mode trunk to allow both vlans.
B.The switchport access vlan should be changed to the data VLAN to match the subnet expected by the desktop.
C.The switchport voice vlan should be removed because the desktop cannot use it.
D.The spanning-tree portfast should be disabled to prevent DHCP delays.
AnswerB

With the phone's PC port forwarding the switch's access VLAN, correcting the access VLAN to the data VLAN ensures the desktop receives a DHCP offer from the data subnet.

Why this answer

The desktop PC obtains its IP address from the data VLAN, but the switch port's access VLAN is likely misconfigured to the voice VLAN. Changing the access VLAN to the correct data VLAN places the PC in the proper subnet and allows DHCP to function. Option A is unnecessary because a voice-access port does not need to be a trunk.

Option C would break the VoIP phone without fixing the PC's VLAN assignment. Option D is irrelevant; PortFast speeds up STP convergence and does not block DHCP.

Exam trap

Cisco often tests the misconception that the PC uses the voice VLAN or that the port must be a trunk, when in reality the phone handles the VLAN separation internally and the switch port remains an access port with a separate voice VLAN.

Why the other options are wrong

A

The current configuration uses access mode with voice vlan, which is correct for a phone+PC setup. Trunk mode is unnecessary and could break the phone's untagged traffic expectations.

C

The voice vlan is correctly configured for the phone; the problem is with the data vlan assignment for the desktop.

D

Portfast is beneficial for host ports; disabling it would worsen the issue by introducing STP convergence delays.

1742
MCQmedium

Why is multifactor authentication generally stronger than password-only access?

A.It removes the need for authorization policies.
B.It relies on more than one authentication factor.
C.It guarantees that credentials can never be phished.
D.It replaces encryption on the network.
AnswerB

Correct. That is the core strength of MFA.

Why this answer

MFA combines independent factors, so compromise of one factor does not automatically grant access.

Exam trap

A common exam trap is selecting options that overstate MFA’s capabilities, such as assuming it guarantees immunity to phishing or replaces encryption. MFA reduces risk but does not eliminate all attack vectors, and it does not substitute for encryption protocols that protect data in transit. Another trap is confusing authentication with authorization; MFA strengthens authentication but does not remove the need for proper authorization policies.

Recognizing these distinctions is critical to avoid incorrect answers that exaggerate MFA’s role or misunderstand its function in network security.

Why the other options are wrong

A

Option A is incorrect because multifactor authentication strengthens authentication processes but does not remove the need for authorization policies. Authorization controls determine what an authenticated user can access, which remains essential regardless of the authentication method.

C

Option C is incorrect because while MFA reduces the risk of phishing attacks by requiring multiple factors, it does not guarantee that credentials can never be phished. Attackers may still find ways to bypass or trick users into revealing multiple factors.

D

Option D is incorrect because authentication methods like MFA do not replace encryption on the network. Encryption protects data confidentiality and integrity during transmission, which is a separate security function from verifying user identity.

1743
MCQeasy

Which NAT feature allows many inside hosts to share one public IPv4 address by using unique source port numbers?

A.Static NAT
B.PAT
C.NTP authentication
D.Port security
AnswerB

PAT uses port numbers to multiplex many inside devices to one or a few public addresses.

Why this answer

PAT, sometimes called NAT overload, keeps track of connections by using Layer 4 port numbers so many private hosts can share a single public address.

Exam trap

A common exam trap is mistaking Static NAT for PAT. Static NAT creates a fixed one-to-one mapping between inside and outside IP addresses without using port numbers, so it cannot support multiple hosts sharing one public IP. Another trap is confusing unrelated features like NTP authentication or port security with NAT functions.

NTP authentication secures time synchronization and port security restricts MAC addresses on switch ports; neither involves IP address translation or port multiplexing. Candidates who overlook the role of Layer 4 port numbers in PAT may incorrectly select these options, missing the key concept that PAT uniquely identifies sessions by port numbers to allow many hosts to share a single public IPv4 address.

Why the other options are wrong

A

Static NAT provides a fixed one-to-one mapping between private and public IP addresses. It does not use port numbers to allow multiple inside hosts to share a single public IP, so it cannot fulfill the requirement of the question.

C

NTP authentication secures Network Time Protocol messages and is unrelated to address translation or NAT. It does not allow multiple hosts to share a public IP address.

D

Port security controls which MAC addresses can access a switch port to enhance Layer 2 security. It does not perform IP address translation or use port numbers to share public IP addresses.

1744
PBQhard

You are connected to R1, which is part of an HSRP group with R2. The current configuration has both routers active for the same virtual IP, causing instability. Configure R1 with a higher priority, enable preempt, and set the virtual IP to 192.168.1.1. Also, configure interface tracking so that if R1's G0/1 goes down, its priority decreases by 15. Verify with 'show standby brief'.

Network Topology
G0/0192.168.1.2/24G0/0192.168.1.3/24switchR1R2

Hints

  • Check the current virtual IP address — it may not match the required one.
  • Both routers have the same priority and preempt is missing, causing both to be Active.
  • Use 'standby 1 track' to monitor an uplink interface.
A.On R1, configure: standby 1 priority 110, standby 1 preempt, standby 1 ip 192.168.1.1, and standby 1 track GigabitEthernet0/1 15
B.On R1, configure: standby 1 priority 110, standby 1 preempt, standby 1 ip 192.168.1.254, and standby 1 track GigabitEthernet0/1 15
C.On R1, configure: standby 1 priority 110, standby 1 preempt, standby 1 ip 192.168.1.1, and standby 1 track GigabitEthernet0/1 10
D.On R1, configure: standby 1 priority 100, standby 1 preempt, standby 1 ip 192.168.1.1, and standby 1 track GigabitEthernet0/1 15
AnswerA
solution
! R1
interface GigabitEthernet0/0
standby 1 ip 192.168.1.1
standby 1 priority 110
standby 1 preempt
standby 1 track GigabitEthernet0/1 15
end

Why this answer

The current configuration does not cause both routers to be Active; rather, R2 is likely the Active router because both have default priority (100) and no preempt, so R2 with the higher interface IP (192.168.1.3) wins the election. To ensure R1 becomes Active, set its priority to 110 and enable preempt. Also correct the virtual IP to 192.168.1.1.

Interface tracking on G0/1 with a decrement of 15 ensures R1 yields to R2 if its tracked interface fails. Option A correctly applies all these settings. Option B uses the wrong virtual IP (192.168.1.254).

Option C uses the wrong decrement value (10). Option D uses default priority (100), which will not make R1 the Active router if R2 retains default priority and higher IP.

Exam trap

Watch out for the virtual IP address and the exact decrement value. Also, remember that preempt alone does not make a router Active if its priority is not higher than the current Active router.

Why the other options are wrong

B

The virtual IP address is wrong; it should be 192.168.1.1, not 192.168.1.254.

C

The decrement value is 10 instead of the required 15.

D

The priority is not increased; it remains at the default 100, so R1 may not become the Active router.

1745
Drag & Dropmedium

Drag and drop the following steps into the correct order to describe the routing table lookup process when a router receives a packet destined for 192.168.1.100, from destination IP match to forwarding decision.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The routing table lookup process begins with matching the destination IP, then longest prefix match, determining next-hop, resolving Layer 2 address, and finally forwarding the packet.

Exam trap

Do not confuse the order of operations: the longest prefix match occurs after matching the destination IP to the routing table, not before. Also, Layer 2 resolution comes after next-hop determination.

1746
MCQhard

A technician is troubleshooting an OSPF network. On a broadcast segment, R1 is the DR and R2 is the BDR. R1's interface GigabitEthernet0/0 is shut down for maintenance. The technician expects that R2 will assume the DR role, but instead a new DR election occurs and another router is elected DR. What is the most likely cause?

A.The OSPF hello and dead intervals on R2 do not match those of other routers on the segment.
B.R2 has an OSPF priority of 255.
C.The OSPF network type on the segment was changed to point-to-point.
D.R2 has an OSPF priority of 0.
AnswerD

On a broadcast OSPF network, a priority of 0 makes a router ineligible for DR or BDR election. Even though R2 was the BDR, its priority of 0 prevents it from taking over as DR when R1 fails. Consequently, a new DR election is triggered among the remaining eligible routers, and a router other than R2 becomes the new DR.

Why this answer

When the DR fails on a broadcast OSPF network, the BDR normally takes over as DR and a new BDR is elected. However, if the BDR's OSPF priority is set to 0, the router is ineligible to become DR or BDR. With the DR down and the BDR ineligible, the remaining routers must hold a fresh election, and the router with the highest non-zero priority (or highest router-ID if priorities tie) becomes the new DR.

Therefore, R2's priority of 0 explains why it did not become DR and a new election was triggered.

Exam trap

Many candidates assume the BDR becomes DR automatically when the DR fails, forgetting that an OSPF priority of 0 makes a router ineligible for DR/BDR elections. If the BDR has priority 0, it will not become DR; instead, a new election occurs among the other routers.

Why the other options are wrong

A

Neighbor adjacency failure due to timer mismatch would have prevented R2 from becoming BDR at all.

B

High priority increases the chance of being elected DR, not decrease it.

C

Point-to-point networks do not have DR/BDR elections, so R2 could not have been BDR.

1747
Multi-Selectmedium

A script authenticates to a controller API and receives a token that it presents in later requests. Which two statements about that token-based workflow are correct?

Select 2 answers
A.The token is often sent in an HTTP header in subsequent requests
B.The token proves identity for that authenticated session or request set
C.The token changes the API from REST to SNMP
D.The token must be stored in the router startup-config
AnswersA, B

Bearer or session tokens are commonly carried in headers.

Why this answer

After authentication, many APIs issue a token that the client includes in later HTTP requests. That token acts as proof that the client already authenticated successfully.

Exam trap

A common exam trap is assuming that the presence of a token changes the network management protocol from REST to SNMP or another protocol. This is incorrect because token-based authentication is a security mechanism layered on top of the existing API protocol and does not alter it. Another trap is believing that tokens must be stored in the router’s startup-config, which is false since tokens are ephemeral credentials managed by client applications, not static device configurations.

Misunderstanding these points can lead to selecting incorrect answers about token workflows in automation scenarios.

Why the other options are wrong

C

Option C is incorrect because the token does not change the API protocol from REST to SNMP; authentication methods do not alter the underlying management protocol.

D

Option D is incorrect because tokens are managed dynamically by client applications and are not stored in router startup-config files, which hold static device configurations.

1748
MCQhard

Based on the exhibit, which action is most likely required to allow AP-22 to join the controller successfully?

A.Correct the AP's default gateway so it matches the AP's actual subnet and reachability needs.
B.Change the AP from Ethernet to PPP encapsulation.
C.Remove the AP IP address so it can obtain an IP address automatically via DHCP.
D.Disable DHCP on the controller for all APs.
AnswerA

This is correct because the current gateway does not align with the AP's subnet, which breaks proper forwarding behavior.

Why this answer

The correct action is to fix the AP's default gateway so it can reach the controller's subnet. Option B is wrong because APs use Ethernet, not PPP encapsulation, which is used for serial WAN links. Option C is wrong because CAPWAP does not assign IP addresses; DHCP does, but the AP already has a static IP, and removing it would cause it to fall back to DHCP, which may not fix the gateway issue.

Option D is wrong because disabling DHCP on the controller would affect all APs and prevent new APs from obtaining addresses, which is not a targeted fix.

Exam trap

Avoid assuming resets or updates fix network configuration issues; focus on Layer 3 settings like gateways.

Why the other options are wrong

B

APs use Ethernet frames, not PPP encapsulation; PPP is used for serial links.

C

CAPWAP does not assign IP addresses; DHCP handles that, but removing the AP's IP does not correct the gateway mismatch.

D

Disabling DHCP on the controller would break all APs, not just AP-22, and does not address the gateway issue.

1749
MCQhard

A host is configured with 192.168.10.129/25. Which subnet contains that host?

A.192.168.10.0/25
B.192.168.10.64/25
C.192.168.10.128/25
D.192.168.10.192/25
AnswerC

This is correct because .129 is in the upper /25 block.

Why this answer

A /25 divides the /24 into two blocks: 0–127 and 128–255. In practical terms, 192.168.10.129 belongs to the upper half, so the containing subnet is 192.168.10.128/25.

This is a simple subnet-boundary question, but it is designed to confirm that you can identify the correct half of the /24 quickly and confidently.

Exam trap

A frequent exam trap is misidentifying the subnet boundaries for a /25 mask within a /24 network. Candidates often mistakenly believe that subnets start at .64 or .192, confusing /25 with other subnet sizes like /26 or /27. This leads to selecting incorrect subnets such as 192.168.10.64/25 or 192.168.10.192/25, which are invalid because /25 only divides the /24 into two halves starting at .0 and .128.

This misunderstanding causes errors in subnet identification and can result in wrong routing or access decisions in real networks.

Why the other options are wrong

A

192.168.10.0/25 covers IP addresses from 192.168.10.0 to 192.168.10.127. Since the host IP is 192.168.10.129, which is greater than .127, it does not belong to this subnet, making this option incorrect.

B

192.168.10.64/25 is not a valid /25 subnet boundary within a /24 network. /25 subnets split at .0 and .128 only, so this option is invalid and cannot contain the host 192.168.10.129.

D

192.168.10.192/25 is not a valid /25 subnet boundary within a /24 network. The /25 mask divides the network into two subnets only, starting at .0 and .128, so this option is incorrect.

1750
MCQhard

Exhibit: An access switch shows Gi1/0/10 as err-disabled shortly after an IP phone and a workstation are connected through the same wall jack. What is the most likely cause?

A.The native VLAN is missing
B.The port security maximum is too low for the connected devices
C.BPDU Guard blocked the port because a workstation was attached
D.DHCP snooping denied the voice VLAN
AnswerB

A phone plus a PC commonly requires more than one secure MAC address.

Why this answer

With a phone and a PC on the same access port, the switch may legitimately see two MAC addresses. Port security set to a maximum of 1 causes a violation and can place the interface into err-disabled state.

Exam trap

Be cautious of assuming all err-disabled states are due to STP or VLAN issues; port security is a frequent cause.

Why the other options are wrong

A

The native VLAN being missing would not directly cause a port to go err-disabled when connecting an IP phone and workstation; it typically results in VLAN mismatches or communication issues rather than disabling the port.

C

BPDU Guard is designed to protect against loops by disabling ports that receive Bridge Protocol Data Units (BPDUs). In this scenario, the port is err-disabled due to port security violations, not because of BPDU Guard activation.

D

DHCP snooping denying the voice VLAN would typically result in the IP phone failing to receive an IP address, rather than causing the port to go err-disabled. The err-disabled state is more likely due to port security violations when multiple devices are connected.

1751
PBQhard

You are connected to R1. Configure SNMP v2c with a read-only community string 'monitorRO' and a read-write community string 'controlRW', and enable SNMP traps for link status to the management server at 203.0.113.100. Additionally, configure NetFlow to export version 9 flow records to the same server on UDP port 2055, and ensure that only traffic from the 10.10.10.0/24 network is monitored. Finally, verify your configurations with the appropriate show commands.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/30linkG0/110.10.10.1/2410.10.10.0/24linkR1R2Internal Network

Hints

  • Remember to specify the SNMP version when configuring the trap receiver host.
  • NetFlow version 9 must be explicitly configured; otherwise, version 5 is used by default.
  • Apply the flow monitor to the interface that connects to the network you want to monitor (G0/1).
A.Configure SNMP community strings, enable link-status traps, set trap destination, configure NetFlow export version 9, and apply flow monitor to interface(s) carrying 10.10.10.0/24 traffic.
B.Configure SNMP community strings, enable link-status traps, set trap destination, and configure NetFlow export version 5. Apply flow monitor to all interfaces.
C.Configure SNMP community strings, enable all SNMP traps, set trap destination, and configure NetFlow export version 9. Apply flow monitor to interface with IP 10.10.10.0/24.
D.Configure SNMP community strings, enable link-status traps, set trap destination, and configure NetFlow export version 9. Do not apply any flow monitor; NetFlow automatically monitors all traffic.
AnswerA
solution
! R1
snmp-server community monitorRO RO
snmp-server community controlRW RW
snmp-server enable traps snmp linkdown linkup
snmp-server host 203.0.113.100 version 2c monitorRO
ip flow-export version 9
flow record NETFLOW-RECORD
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime
 exit
flow exporter EXPORTER-TO-SERVER
 destination 203.0.113.100
 transport udp 2055
 source Loopback0
 exit
flow monitor MONITOR-10NET
 record NETFLOW-RECORD
 exporter EXPORTER-TO-SERVER
 cache timeout active 300
 exit
interface GigabitEthernet0/1
 ip flow monitor MONITOR-10NET input
 ip flow monitor MONITOR-10NET output
 exit

Why this answer

The solution correctly configures SNMP v2c with the required read-only and read-write community strings, enables only link-status traps, and sets the trap destination. For NetFlow, it uses Flexible NetFlow by defining a flow record, an exporter, and a monitor. Importantly, the export version (9) must be configured under the flow exporter, not with the legacy global `ip flow-export version 9` command.

The flow monitor is applied to GigabitEthernet0/1, which carries traffic from the 10.10.10.0/24 network. Verification can be done with `show snmp` to confirm communities and trap receivers, and `show flow monitor name MONITOR-10NET cache` or `show ip cache flow` to view exported flow records.

Exam trap

Common mistakes include mixing legacy and Flexible NetFlow commands (e.g., using the global `ip flow-export version` instead of setting it under the flow exporter), forgetting to apply the flow monitor to an interface, and enabling all SNMP traps rather than only link-status traps.

Why the other options are wrong

B

The question explicitly requires NetFlow version 9, and traffic monitoring must be limited to the 10.10.10.0/24 network.

C

Enabling all traps is unnecessary and may cause unwanted overhead; the flow monitor must be applied to the correct interface(s) based on traffic flow, not the network address.

D

NetFlow requires a flow monitor to be applied to an interface to capture traffic; it does not automatically monitor all traffic.

1752
Matchingmedium

Drag and drop the wireless LAN terms on the left to their correct descriptions on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Wireless standard that operates only in the 5 GHz band and supports MU-MIMO

Wireless standard that introduces OFDMA and operates in both 2.4 GHz and 5 GHz bands

Security protocol that uses Simultaneous Authentication of Equals (SAE) to protect against dictionary attacks

A 32-character alphanumeric name that identifies a wireless network

Interference caused when two or more access points use partially overlapping frequency ranges

Methods such as SSH, HTTP/HTTPS, or SNMP used to configure a Wireless LAN Controller

Why these pairings

802.11ac is a wireless standard that operates exclusively in the 5 GHz band and supports MU-MIMO, matching that description. 802.11ax (Wi-Fi 6) introduces OFDMA and works in both 2.4 GHz and 5 GHz, so it correctly pairs with that description. WPA3 uses Simultaneous Authentication of Equals (SAE) to protect against offline dictionary attacks, making it the right match. The SSID is defined as a 32-character alphanumeric name identifying a wireless network, which directly matches.

Channel overlap refers to interference from partially overlapping frequency ranges, exactly as described. WLC management access methods include SSH, HTTP/HTTPS, and SNMP, fitting the given description.

Exam trap

Do not confuse WPA3's SAE with WPA2's PSK mechanism; WPA3 offers enhanced protection against dictionary attacks.

1753
Matchingmedium

Drag and drop the OSPFv3 commands/terms on the left to the correct descriptions on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Enables OSPFv3 on a specific interface and assigns it to an area

Displays OSPFv3 neighbor adjacencies, state, and neighbor ID

Used for OSPFv3 neighbor discovery and as next-hop address

Enters OSPFv3 router configuration mode to enable the routing process

The backbone area required for all inter-area OSPFv3 routing

Lists OSPFv3-enabled interfaces, their area, and state

Why these pairings

These commands and terms are accurately paired with their OSPFv3 descriptions as per Cisco IOS.

Exam trap

Candidates often confuse the Router ID with other OSPF identifiers like the Link State ID. Remember that the Router ID uniquely identifies the router itself, while the Link State ID identifies a specific LSA. Also, do not confuse LSA types with router identifiers.

1754
MCQmedium

A network technician is troubleshooting a connectivity issue where a user's email client cannot send messages, but the client can receive emails. The technician uses a protocol analyzer and sees that the client is successfully resolving the mail server's domain name to an IP address and establishing a TCP connection, but the server responds with an application-layer error. At which layers of the OSI model are the problem and the successful operations occurring, respectively?

A.The problem is at the Transport layer (Layer 4); successful operations are at the Application layer (Layer 7) only.
B.The problem is at the Application layer (Layer 7); successful operations are at the Application layer (Layer 7) and Transport layer (Layer 4).
C.The problem is at the Network layer (Layer 3); successful operations are at the Data Link layer (Layer 2) and Physical layer (Layer 1).
D.The problem is at the Presentation layer (Layer 6); successful operations are at the Session layer (Layer 5) and Transport layer (Layer 4).
AnswerB

DNS resolution (Layer 7) and TCP connection (Layer 4) are successful. The sending error is an Application layer issue, as the mail server returns an application-level error.

Why this answer

The problem is at the Application layer (Layer 7) because the email client can resolve the domain name (DNS, Layer 7), establish a TCP connection (Transport layer, Layer 4), but the mail server returns an application-layer error (e.g., SMTP 550 or 554), indicating the issue lies in the email protocol itself (e.g., authentication failure, mailbox full, or rejected sender). Successful operations include DNS resolution (Application layer) and TCP three-way handshake (Transport layer), confirming layers 7 and 4 are functioning correctly.

Exam trap

Cisco often tests the distinction between successful lower-layer operations (DNS, TCP) and an application-layer failure, trapping candidates who assume any email problem must be at the Transport or Network layer because they confuse 'connection established' with 'protocol function working'.

Why the other options are wrong

A

The TCP handshake succeeded, so the Transport layer is working. The error message is generated by the application, not the transport protocol.

C

Successful TCP connection implies IP routing (Layer 3) is working. The error is not related to addressing or routing.

D

Email sending failures are typically application logic errors, not encryption/formatting or session problems. Also, DNS is an Application layer protocol, not Session or Presentation.

1755
Drag & Dropmedium

Drag and drop the configuration steps into the correct order to configure an LACP EtherChannel on two Cisco switches using active mode negotiation.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The correct order begins with configuring the interface range because the channel-group command must be issued under interface configuration mode. Then, set the channel-group mode to active to enable LACP active negotiation on both switches. Finally, verify the EtherChannel status using 'show etherchannel summary' to confirm the channel is up and using LACP.

Option C uses passive mode, which would not initiate negotiation as required; option D uses 'show interfaces status', which does not display EtherChannel-specific information.

Exam trap

Students often confuse the order of configuration steps, thinking the channel-group mode can be set before entering interface configuration. They also mix up active and passive modes, and may use incorrect verification commands. Remember: interface range first, then channel-group, and verify with 'show etherchannel summary'.

1756
Multi-Selectmedium

Which three of the following are correct steps in the process of CDP (Cisco Discovery Protocol) neighbor discovery? (Choose three.)

Select 3 answers
.CDP operates at Layer 2 and sends advertisements to the multicast address 01:00:0C:CC:CC:CC.
.CDP advertisements include the device identifier, platform, and capabilities.
.CDP is enabled by default on Cisco devices and runs over all interfaces that support SNAP headers.
.CDP advertisements are sent every 30 seconds by default.
.CDP can discover devices that are more than one Layer 2 hop away.
.CDP requires that both devices be in the same IP subnet.

Why this answer

CDP is a Cisco proprietary Layer 2 protocol that uses multicast MAC address 01:00:0C:CC:CC:CC to send advertisements to directly connected neighbors. Advertisements include device identifier, platform, and capabilities. CDP is enabled by default on Cisco devices and runs over interfaces supporting SNAP headers.

Incorrect options: CDP advertisements are sent every 60 seconds by default (not 30); CDP discovers only directly connected neighbors (not devices more than one L2 hop away); CDP does not require both devices to be in the same IP subnet because it operates at Layer 2.

Exam trap

A common mistake is thinking CDP uses a broadcast address or operates at Layer 3; another trap is confusing the default CDP timer (60 seconds) with the 30-second timer of other protocols like LLDP.

Why the other options are wrong

D

CDP advertisements are sent every 60 seconds by default, not 30.

E

CDP discovers only directly connected neighbors; it does not propagate beyond one Layer 2 hop.

F

CDP operates at Layer 2 and does not require devices to be in the same IP subnet.

1757
Matchingmedium

Match each switchport or STP feature to its most accurate purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Speeds an edge port into forwarding state

Disables an edge port if a BPDU is received

Prevents a port from becoming the root path under superior BPDUs

Limits and controls MAC address use on a switch port

Why these pairings

PortFast allows an edge port to immediately transition to forwarding state, skipping listening and learning. BPDU Guard disables a port if a BPDU is received, enhancing security. Root Guard prevents a port from becoming the root port by error-disabling it upon receiving superior BPDUs.

Port Security limits MAC addresses allowed on a switch port.

Exam trap

Cisco exams often test the specific purpose of each STP enhancement feature. Do not confuse PortFast with other fast-convergence features like UplinkFast or BackboneFast, and remember that BPDU Guard is a security feature, not a convergence feature.

1758
Drag & Drophard

Drag and drop the following steps into the correct order to configure a WLAN for WPA3-Enterprise on a Cisco WLC and sequence a wireless client association process.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The configuration creates the WLAN with WPA3-Enterprise security, enables it, then the client associates and completes 802.1X authentication before getting an IP.

Exam trap

Do not confuse the order of 802.1X authentication and DHCP. In WPA3-Enterprise, the client must authenticate before obtaining an IP address. Also, remember that a WLAN must be created before it can be enabled, and it must be enabled before clients can associate.

1759
Matchingmedium

Match each NAT term to its most accurate description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Private address used by the host on the internal network

Address that represents the internal host to outside networks

Fixed one-to-one translation

Many-to-one translation using ports

Why these pairings

NAT terms describe address perspectives: Inside Local is the internal host's IP, Inside Global is its external IP, Outside Local is the external host's IP seen internally, Outside Global is its actual external IP, Static NAT provides permanent mapping, and Dynamic NAT uses a pool.

Exam trap

The exam trap is confusing the perspective (inside vs. outside) and the location (local vs. global). Remember: 'Local' is the address as seen from the inside network, 'Global' is the address as seen from the outside network.

1760
MCQhard

Why is a northbound API valuable to orchestration tools in a controller-based network?

A.It gives orchestration tools a defined software interface to interact with the controller.
B.It replaces the need for all physical network devices.
C.It is a cabling standard for data center uplinks.
D.It makes security controls unnecessary.
AnswerA

This is correct because northbound APIs are the application-facing path into the controller.

Why this answer

A northbound API is valuable because it gives orchestration tools a defined way to request data and trigger changes on the controller programmatically. In plain language, the tool can interact with the controller through software rather than relying on manual device-by-device operations. That makes higher-level automation and service coordination possible.

The controller is the platform, and the northbound API is the application-facing interface into it. The correct answer is the one focused on orchestration and software-driven interaction.

Exam trap

A frequent exam trap is mistaking the northbound API for a physical network element or a cabling standard, such as assuming it replaces physical devices or relates to data center uplinks. Another common error is believing that northbound APIs eliminate the need for security controls, ignoring that software interfaces still require authentication and authorization mechanisms. These misconceptions stem from confusing the software abstraction layer with hardware or security concepts.

Understanding that northbound APIs are purely software interfaces designed for orchestration tools to interact programmatically with the controller helps avoid these pitfalls.

Why the other options are wrong

B

Option B is incorrect because northbound APIs do not replace physical network devices; forwarding hardware remains essential for actual data transmission and network operation.

C

Option C is incorrect since northbound APIs are software interfaces, not physical cabling standards, and have no relation to data center uplink cabling specifications.

D

Option D is incorrect because northbound APIs still require security measures such as authentication and authorization; they do not eliminate the need for security controls.

1761
PBQhard

You are connected to R1 via the console. R1 should synchronize its clock with the NTP server 192.0.2.10 using its loopback0 interface (IP 10.0.0.1) as the source. Additionally, syslog messages of severity 'notification' (level 5) and above must be sent to the syslog server at 198.51.100.20. Currently, R1 shows NTP stratum 16 (unsynchronized) and syslog messages are not being forwarded. Identify and resolve the issues.

Hints

  • Check if a server is configured under 'ntp server'.
  • The current trap level is 'informational' (level 6). Which level includes notifications (level 5)?
  • Use 'show run | section ntp' to see NTP configuration.
A.Add 'ntp server 192.0.2.10' and change 'logging trap informational' to 'logging trap notifications'.
B.Add 'ntp server 192.0.2.10' and change 'logging trap notifications' to 'logging trap informational'.
C.Add 'ntp server 192.0.2.10' and change 'logging trap notifications' to 'logging trap debugging'.
D.Add 'ntp server 192.0.2.10' and change 'logging trap informational' to 'logging trap emergencies'.
AnswerA
solution
! R1
ntp server 192.0.2.10
logging trap notifications

Why this answer

The NTP is unsynchronized because the 'ntp server' command is missing; only 'ntp source' is configured. Add 'ntp server 192.0.2.10' to point to the NTP server. The syslog trap level is set to 'informational' (level 6), which is too low—messages of level 5 (notification) are not sent because the trap level must be equal to or higher severity than the messages to be forwarded.

Change the trap level to 'notifications' (level 5) to ensure level 0-5 messages are forwarded.

Exam trap

Remember that syslog trap levels use lower numbers for higher severity. To forward messages of a given severity, the trap level must be set to that severity or higher (lower number). Also, NTP requires both 'ntp server' and optionally 'ntp source' to specify the source interface.

Why the other options are wrong

B

The trap level should be set to 'notifications' (level 5) or higher severity to forward level 5 messages; 'informational' is lower severity and would not forward level 5 messages.

C

The trap level is currently 'informational' (6), not 'notifications'. Changing to 'debugging' would forward all messages, but the requirement is to forward level 5 and above, which is achieved by setting trap level to 'notifications' (5).

D

Setting the trap level to 'emergencies' would filter out all messages except level 0, so level 5 messages would not be forwarded.

1762
Drag & Dropmedium

Drag and drop the following troubleshooting steps into the correct order to diagnose a client connectivity issue using the OSI bottom-up method.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The OSI bottom-up troubleshooting method starts at Layer 1: first check physical cable connections and link lights (A). Next, at Layer 2, verify the switch's MAC address table (D) to ensure local segment communication is intact. Moving to Layer 3, confirm the IP address configuration and subnet mask (B) are correct.

Finally, ping the default gateway (C) to validate end-to-end Layer 3 connectivity. The correct sequence is A → D → B → C, because each lower layer must function before higher-layer tests can succeed.

Exam trap

The trap is that candidates often skip the physical layer and jump to IP or ping tests because those are more familiar. Remember: always start at Layer 1 in a bottom-up approach.

1763
Multi-Selectmedium

Which two features commonly strengthen access-switch security for user-facing ports? (Choose two.)

Select 2 answers
A.Port security
B.BPDU Guard
C.Administrative distance
D.Route summarization
AnswersA, B

Correct. It helps control which MAC addresses may appear on a port.

Why this answer

Port security can limit learned MAC addresses, and BPDU Guard can shut down an edge port that unexpectedly receives BPDUs.

Exam trap

A common exam trap is selecting administrative distance or route summarization as security features for user-facing access ports. Administrative distance is a routing protocol metric used to select the best path and has no role in access-switch port security. Similarly, route summarization is a routing optimization technique that reduces routing table size but does not affect port security.

Candidates may confuse these routing concepts with security features due to their importance in network design, but they do not strengthen access-switch security for user-facing ports. Recognizing this distinction is critical to avoid losing points on this question.

Why the other options are wrong

C

Administrative distance is a routing protocol metric used to select the best path and does not relate to access-switch port security. It does not control port access or prevent unauthorized devices, so option C is incorrect.

D

Route summarization is a routing optimization technique that reduces routing table size and update traffic. It does not provide any security controls for user-facing switch ports, so option D is incorrect.

1764
MCQmedium

Exhibit: A user reports intermittent connectivity after a new switch was connected to an access port. Which feature would have prevented this by immediately disabling the port when a BPDU was received?

A.Root Guard
B.Loop Guard
C.BPDU Guard
D.UDLD
AnswerC

BPDU Guard is the standard protection for PortFast access ports.

Why this answer

BPDU Guard is the correct answer because it protects PortFast-enabled edge ports by immediately disabling the port upon receiving a BPDU, preventing accidental loops. Root Guard prevents the port from becoming a root port, not from BPDU reception. Loop Guard prevents alternate or root ports from becoming designated due to BPDU loss, unrelated to BPDU reception disabling.

UDLD detects unidirectional links but does not disable ports upon BPDU reception.

Exam trap

Be cautious not to confuse BPDU Guard with other guard features like Root Guard or Loop Guard, which serve different purposes.

Why the other options are wrong

A

Root Guard prevents a port from being elected as root port, not from receiving BPDUs on an access port.

B

Loop Guard prevents loops caused by BPDU loss on blocked ports, not from BPDU reception on access ports.

D

UDLD detects unidirectional links but does not disable a port when a BPDU is received.

1765
PBQhard

You are connected to R1 (10.0.0.1/30). You need to use RESTCONF to verify the current administrative status of interface GigabitEthernet0/1 on R1, then change it to 'down'. The YANG data model is ietf-interfaces, and the base URI is https://10.0.0.1/restconf. Provide the correct GET and PATCH request URIs with appropriate HTTP headers. Also identify what error would occur if you used 'application/xml' as the Accept header or if you used the path 'Cisco-IOS-XE-native:native/interface/GigabitEthernet' instead of the correct ietf-interfaces path.

Hints

  • The ietf-interfaces module uses 'enabled' leaf (true/false) for admin status.
  • The interface name must be URL-encoded (e.g., GigabitEthernet0%2F1).
  • Using 'Cisco-IOS-XE-native' path for operational state will not return the admin status.
A.GET https://10.0.0.1/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/1 with Accept: application/yang-data+json; PATCH same URI with Content-Type: application/yang-data+json and body {"ietf-interfaces:interface": {"enabled": false}}; using Accept: application/xml gives 406 Not Acceptable; using Cisco-IOS-XE-native path gives 404 or incorrect data.
B.GET https://10.0.0.1/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/1 with Accept: application/xml; PATCH same URI with Content-Type: application/xml and body <interface><enabled>false</enabled></interface>; using Accept: application/xml is fine; using Cisco-IOS-XE-native path gives same data.
C.GET https://10.0.0.1/restconf/data/Cisco-IOS-XE-native:native/interface/GigabitEthernet0/1 with Accept: application/yang-data+json; PATCH same URI with Content-Type: application/yang-data+json and body {"Cisco-IOS-XE-native:interface": {"enabled": false}}; using Accept: application/xml gives 406; using ietf-interfaces path gives 404.
D.GET https://10.0.0.1/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/1 with Accept: application/json; PATCH same URI with Content-Type: application/json and body {"interface": {"enabled": false}}; using Accept: application/xml gives 406; using Cisco-IOS-XE-native path gives 404.
AnswerA
solution
! R1
GET https://10.0.0.1/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/1
Accept: application/yang-data+json
PATCH https://10.0.0.1/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/1
Content-Type: application/yang-data+json
{
  "ietf-interfaces:interface": {
    "enabled": false
  }
}

Why this answer

The correct GET request URI is: GET https://10.0.0.1/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/1 with Accept: application/yang-data+json. The correct PATCH request URI is the same, with Content-Type: application/yang-data+json and a JSON body {"ietf-interfaces:interface": {"enabled": false}}. Using Accept: application/xml would result in a 406 Not Acceptable error because the server only supports yang-data+json.

Using the Cisco-IOS-XE-native path would return a 404 or incorrect data because the operational state of the interface (admin status) is modeled under ietf-interfaces, not under the native YANG model which is used for configuration only.

Exam trap

The trap is that candidates may confuse the YANG models (ietf-interfaces vs. native) and the required media types. Remember that operational state is under ietf-interfaces, and RESTCONF on Cisco IOS XE uses application/yang-data+json, not XML or generic JSON.

Why the other options are wrong

B

The specific factual error is that Cisco IOS XE RESTCONF implementation does not support XML content type; it only supports JSON.

C

The specific factual error is that the admin status is not available under the native YANG model; it is under ietf-interfaces.

D

The specific factual error is that RESTCONF requires the media type application/yang-data+json, not generic application/json. Additionally, the module name prefix is required in the JSON body.

1766
MCQhard

Refer to the exhibit. A network engineer configured an EtherChannel between SW1 and SW2 using LACP. After the configuration is applied, the Port-channel 1 interface remains in a down state and does not pass traffic. The engineer runs the show etherchannel detail command on SW1. Based on the output, what is the most likely cause of the problem?

A.The native VLAN is mismatched on member interface Gi0/2.
B.The load-balancing method on the port-channel is set incorrectly to src-dst-ip.
C.The interface Gi0/1 is administratively down.
D.Spanning Tree Protocol has placed the port-channel in a blocking state due to a loop.
AnswerA

The output explicitly states 'Native vlan mismatch: local 20, partner 1' for Gi0/2, confirming that the native VLAN settings do not match, causing the port to be suspended.

Why this answer

The show etherchannel detail output includes 'Native vlan mismatch: local 20, partner 1' for interface Gi0/2. This indicates that the native VLAN configured on Gi0/2 (local VLAN 20) does not match the native VLAN advertised by the partner switch (VLAN 1). This mismatch causes Gi0/2 to be suspended ('susp') and prevents it from joining the port-channel bundle, thereby keeping the EtherChannel down.

Exam trap

Candidates often suspect STP blocking (option D) when a port-channel is down. However, the exhibit explicitly shows the native VLAN mismatch reason, not an STP state. STP information is not present in this output; the 'susp' state directly points to a configuration inconsistency.

Why the other options are wrong

B

Load-balancing configuration does not influence the bundle state of a port-channel; it only affects frame distribution. The output shows a physical/logical inconsistency, not a hashing algorithm problem.

C

Candidates may mistakenly think the whole bundle fails if one port is down, but the output clearly states Gi0/1 is operational. The failure is due to Gi0/2's native VLAN mismatch.

D

A common misconception is that any down or suspended link indicates an STP loop. However, 'show etherchannel detail' presents the explicit reason, and the native VLAN mismatch line directly contradicts this option.

1767
PBQhard

You are connected to R1 via console. The link between R1 and R2 is experiencing packet loss and CRC errors. Configure interface speed and duplex on R1's GigabitEthernet0/0 to match R2's settings, then replace the SFP module with one that supports the required 2 km distance. Finally, verify the interface is operational without errors.

Network Topology
G0/0192.0.2.1/30G0/0192.0.2.2/302km fiberR1R2

Hints

  • CRC errors often indicate a duplex mismatch. Check the neighbor's configuration.
  • Auto-negotiation must be disabled on both ends if one side is hardcoded.
  • The current SFP is rated for 550m; for 2 km you need a long-range SFP (e.g., 1000BASE-LX).
A.Configure speed 1000, duplex full, and no negotiation auto on Gi0/0, then replace the SFP-GE-SX with SFP-GE-L.
B.Configure speed 1000 and duplex full on Gi0/0, then replace the SFP-GE-SX with SFP-GE-SX-MM.
C.Configure speed 100 and duplex full on Gi0/0, then replace the SFP-GE-SX with SFP-GE-L.
D.Configure no negotiation auto on Gi0/0, then replace the SFP-GE-SX with SFP-GE-L.
AnswerA
solution
! R1
configure terminal
interface GigabitEthernet0/0
speed 1000
duplex full
no negotiation auto
end
copy running-config startup-config

Why this answer

The CRC errors indicate a duplex mismatch or faulty medium. R1 is set to auto-negotiation while R2 is hardcoded to 1000/full, causing mismatch. First, set speed and duplex on R1 to match R2: 'speed 1000' and 'duplex full'.

Also disable auto-negotiation with 'no negotiation auto'. The existing SFP-GE-SX only supports 550m, but the link requires 2 km; replace it with a 1000BASE-LX/LH SFP (SFP-GE-L) which supports up to 10 km. After changes, verify with 'show interfaces Gi0/0' to confirm no CRC errors and correct speed/duplex.

Exam trap

Do not forget to disable auto-negotiation when manually setting speed and duplex on a Cisco interface. Also, remember that SFP types have specific distance limitations: SX for short reach (550m), LX/LH for long reach (10 km), and EX or ZX for even longer distances.

Why the other options are wrong

B

The SFP-GE-SX-MM is a multimode SFP with the same distance limitation as the original SFP-GE-SX.

C

The speed must match exactly; 100 Mbps is not compatible with 1000 Mbps.

D

When auto-negotiation is disabled, speed and duplex must be manually set; otherwise, the interface may default to half-duplex or other incompatible settings.

1768
MCQhard

A monitoring system already collects Syslog and SNMP data. The network team now wants visibility into which applications or host conversations are driving link utilization. What is the strongest addition?

A.NetFlow
B.Another SSID
C.PortFast
D.A larger wildcard mask
AnswerA

This is correct because NetFlow provides detailed flow-level visibility into traffic usage.

Why this answer

The strongest addition is NetFlow because it provides traffic-flow visibility. In practical terms, Syslog and SNMP are useful, but they do not directly answer detailed conversation-level questions such as which hosts, protocols, or flows are consuming the most bandwidth. NetFlow is designed to answer exactly that kind of question.

This is about choosing the right operational tool for the visibility gap.

Exam trap

A frequent exam trap is selecting options like PortFast or adding another SSID, which are unrelated to traffic flow monitoring. PortFast is an STP feature that speeds up port transitions but does not provide any insight into bandwidth usage or application-level traffic. Similarly, adding another SSID only affects wireless network segmentation and does not offer visibility into which hosts or applications consume bandwidth.

Another trap is thinking that changing ACL wildcard masks can help analyze traffic flows, but ACLs only filter traffic and do not provide analytics. Recognizing that only NetFlow delivers detailed flow-level data prevents these common mistakes.

Why the other options are wrong

B

Adding another SSID is incorrect because it only creates a new wireless network segment and does not provide any traffic flow or bandwidth usage information. It does not help identify which applications or hosts are using the link.

C

PortFast is an STP feature that speeds up port transitions on edge ports but does not monitor or analyze traffic flows. It has no relevance to identifying bandwidth usage or application-level visibility.

D

Using a larger wildcard mask in ACLs affects traffic filtering rules but does not provide analytics or visibility into traffic flows. ACLs do not report on bandwidth consumption or application usage.

1769
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure PortFast and BPDU Guard on a switch interface, then verify and recover after a BPDU guard error-disable event.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The order is global config, interface, PortFast, BPDU Guard, then verification; recovery after a BPDU guard event requires clearing the error-disable state by cycling the interface.

Exam trap

Candidates often confuse the order of PortFast and BPDU Guard, or use incorrect verification commands like 'show running-config'. Remember: PortFast first, then BPDU Guard. Verification is 'show spanning-tree interface <int> detail'.

Recovery is interface cycle, not global commands or reload.

1770
PBQhard

You are connected to R1 via the console. R1 and R2 are directly connected via their GigabitEthernet0/0 interfaces. Configure R1's G0/0 for 100 Mbps full-duplex operation. Then, diagnose and fix an auto-negotiation failure that prevents the link from coming up. Finally, replace the existing 1000BASE-T SFP with a 1000BASE-LX SFP to support a new 5 km fiber run. Ensure the link is up and working.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/301000BASE-LX SMF 5 kmR1R2

Hints

  • The interface is administratively down; use 'no shutdown' to bring it up.
  • Auto-negotiation failures often require manually setting speed and duplex on both ends.
  • To replace an SFP, the interface must be shut down, SFP swapped, then no shutdown.
A.Configure speed 100 and duplex full on G0/0, then no shutdown. After the link is up, remove the 1000BASE-T SFP and insert the 1000BASE-LX SFP; the interface will automatically detect the new SFP and adjust speed/duplex.
B.Configure speed 100 and duplex full on G0/0, then no shutdown. After the link is up, remove the 1000BASE-T SFP and insert the 1000BASE-LX SFP, then configure the interface with speed 1000 and duplex full to match the new SFP.
C.Configure speed 100 and duplex full on G0/0, then no shutdown. After the link is up, remove the 1000BASE-T SFP and insert the 1000BASE-LX SFP, then configure the interface with speed auto and duplex auto. Finally, verify the link state.
D.Configure speed 100 and duplex full on G0/0, then no shutdown. After the link is up, remove the 1000BASE-T SFP and insert the 1000BASE-LX SFP, then configure the interface with speed 100 and duplex full to maintain consistency.
AnswerC
solution
! R1
configure terminal
interface gigabitEthernet 0/0
speed 100
duplex full
no shutdown
end
! (Physically replace SFP with 1000BASE-LX)
configure terminal
interface gigabitEthernet 0/0
speed auto
duplex auto
no shutdown
end

Why this answer

First, set speed to 100 and duplex to full on GigabitEthernet0/0, then issue no shutdown to bring the link up. This manual configuration resolves potential auto-negotiation failures on the copper link. After confirming the link, issue shutdown on the interface before physically swapping the SFP to a 1000BASE-LX module.

Then, configure the interface with speed auto and duplex auto (standard for fiber) and no shutdown. Finally, verify the link state. Option A is wrong because the interface does not automatically adjust to the new SFP's capabilities; explicit reconfiguration is required.

Option B is wrong because forcing speed 1000 and duplex full is unnecessary and may cause negotiation issues. Option D is wrong because maintaining 100 Mbps on a 1000BASE-LX SFP would prevent the link from operating.

Exam trap

A common mistake is forgetting to issue the 'shutdown' command before physically swapping SFPs, which can damage the hardware. Also, understanding that fiber SFPs typically use auto-negotiation is key.

Why the other options are wrong

A

The interface does not automatically detect and adjust speed/duplex for a new SFP; explicit reconfiguration is required.

B

Setting speed 1000 and duplex full is not correct because fiber SFPs typically use auto-negotiation, and forcing these parameters can cause negotiation failures.

D

Maintaining speed 100 and duplex full on a 1000BASE-LX SFP is incorrect because the SFP operates only at 1000 Mbps, so the interface must be configured accordingly (speed auto/duplex auto).

1771
MCQhard

A host address is 172.22.14.99/27. Which address is the broadcast address of the subnet?

A.172.22.14.95
B.172.22.14.127
C.172.22.14.96
D.172.22.14.128
AnswerB

This is correct because .99 belongs to the 96-127 /27 subnet.

Why this answer

A /27 subnet has a block size of 32. In practical terms, the relevant blocks are 0-31, 32-63, 64-95, 96-127, and so on. Because 99 falls within the 96-127 block, the broadcast address is the last address in that block: 172.22.14.127.

This is a classic subnet-boundary question and remains important because addressing precision appears throughout the CCNA blueprint.

Exam trap

Be careful not to confuse network addresses with broadcast addresses, and ensure you are calculating the correct subnet range.

Why the other options are wrong

A

Option A is incorrect because the broadcast address for the subnet 172.22.14.99/27 is 172.22.14.127, not 172.22.14.95. The /27 subnet mask indicates that the last 5 bits are for host addresses, allowing for a range of addresses that ends at 172.22.14.127.

C

Option C (172.22.14.96) is incorrect because it falls within the usable host range of the subnet and is not the broadcast address. The broadcast address for the subnet 172.22.14.96/27 is actually 172.22.14.127.

D

Option D, 172.22.14.128, is incorrect because it does not fall within the subnet defined by 172.22.14.99/27, which has a valid range of 172.22.14.96 to 172.22.14.127. The broadcast address for this subnet is 172.22.14.127.

1772
Drag & Dropmedium

Drag and drop the following commands into the correct order to configure OSPFv3 for IPv6 on a Cisco IOS-XE router.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

First enable IPv6 routing, then create the OSPFv3 process, then assign the process to interfaces under interface configuration mode.

Exam trap

Do not confuse the order with OSPFv2. For OSPFv3, you must first enable IPv6 routing globally; otherwise, the router will reject OSPFv3 configuration commands.

1773
MCQhard

An administrator deploys a new WLAN on a Cisco 9800 WLC using WPA3-Personal (SAE) with AES encryption. A single 802.11ax laptop running Windows 10 fails to connect, displaying an authentication timeout despite entering the correct passphrase. Other clients, including legacy 802.11ac devices, connect without issue.

A.The WLC’s WLAN is misconfigured for WPA3-Enterprise, and the laptop lacks a supplicant for 802.1X authentication.
B.The laptop’s wireless adapter does not support Protected Management Frames, which are mandatory for WPA3-Personal.
C.The WLC has disabled 802.11ax OFDMA on the 5 GHz band, preventing the 802.11ax laptop from associating.
D.The laptop’s driver is configured for 160 MHz channel width, which is incompatible with the WLC’s channel plan, causing authentication to fail.
AnswerB

PMF is a prerequisite for WPA3. If the client cannot negotiate PMF, the SAE authentication will time out. This explains why only that laptop fails, even though it supports 802.11ax.

Why this answer

WPA3-Personal (SAE) mandates the use of Protected Management Frames (PMF) as defined in IEEE 802.11w. If the laptop's wireless adapter or driver does not support PMF, it cannot complete the SAE handshake, resulting in an authentication timeout. Legacy 802.11ac clients can connect because they are using WPA2, which does not require PMF.

Exam trap

Cisco often tests the mandatory dependency of Protected Management Frames (802.11w) for WPA3-Personal, leading candidates to incorrectly attribute the failure to channel width or OFDMA incompatibility.

Why the other options are wrong

A

Misidentifying the WLAN security type: WPA3-Personal does not require an enterprise supplicant, so this is not the cause.

C

Confusing radio resource management with connection establishment: OFDMA settings do not block initial association, only data transmission efficiency.

D

Misattributing connection failures to channel bandwidth settings; these are negotiated after successful association and do not impact the 802.11 authentication and association phases.

1774
PBQhard

You are connected to a single switch, SW1, which is a Cisco Catalyst 2960 running Cisco IOS. Configure port GigabitEthernet0/1 as an access port for a Cisco IP phone and a PC on the same VLAN (Voice VLAN 20, Data VLAN 10). The switch must provide PoE to the phone. Additionally, configure GigabitEthernet0/2 as an access port for a wireless access point (AP) that requires PoE. Verify both configurations using the appropriate show commands. The current running-config is incomplete; you must add the necessary commands.

Hints

  • Voice VLAN is configured with a separate command on the interface.
  • PoE may be disabled; use 'power inline auto' to enable it.
  • Use 'show interfaces switchport' to confirm voice VLAN assignment.
A.interface GigabitEthernet0/1 switchport mode access switchport access vlan 10 switchport voice vlan 20 power inline auto interface GigabitEthernet0/2 switchport mode access switchport access vlan 10 power inline auto
B.interface GigabitEthernet0/1 switchport mode trunk switchport trunk allowed vlan 10,20 power inline auto interface GigabitEthernet0/2 switchport mode access switchport access vlan 10 power inline auto
C.interface GigabitEthernet0/1 switchport mode access switchport access vlan 10 switchport voice vlan 20 power inline never interface GigabitEthernet0/2 switchport mode access switchport access vlan 10 power inline auto
D.interface GigabitEthernet0/1 switchport mode access switchport access vlan 20 switchport voice vlan 10 power inline auto interface GigabitEthernet0/2 switchport mode access switchport access vlan 10 power inline auto
AnswerA
solution
! SW1
configure terminal
interface gigabitEthernet 0/1
switchport voice vlan 20
power inline auto
exit
interface gigabitEthernet 0/2
power inline auto
end
write memory

Why this answer

The configuration was missing the voice VLAN assignment on Gi0/1 and PoE settings on both ports. For Gi0/1, the command 'switchport voice vlan 20' is required to separate voice traffic from data traffic. For both Gi0/1 and Gi0/2, PoE must be enabled; by default 'power inline auto' is set, but since the ports show 'off', they may have been disabled.

The solution ensures PoE is enabled with 'power inline auto' and sets the voice VLAN correctly. Verification with 'show interfaces switchport' should show 'Voice VLAN: 20' and 'show power inline' should show 'auto' for both ports.

Exam trap

Candidates often confuse the need for a trunk port when multiple VLANs are involved, but the voice VLAN feature allows an access port to carry both data and voice traffic. Also, remember that 'power inline auto' is the default but may need to be explicitly configured if disabled. Always verify with 'show interfaces switchport' to see the voice VLAN and 'show power inline' to see PoE status.

Why the other options are wrong

B

The specific factual error is that trunk ports are used to carry multiple VLANs between switches, not for connecting end devices like phones and PCs. The correct method is to use an access port with a voice VLAN.

C

The specific factual error is that 'power inline never' explicitly disables PoE, which would prevent the phone from powering on. The correct command is 'power inline auto' to enable PoE detection and delivery.

D

The specific factual error is that the VLAN numbers are reversed. The access VLAN should be the data VLAN (10), and the voice VLAN should be 20. Swapping them would place data traffic in VLAN 20 and voice in VLAN 10, which is not the intended configuration.

1775
MCQeasy

Which data format is most commonly used in REST APIs because it is lightweight and easy for applications to parse?

A.YANG
B.JSON
C.STP
D.TFTP
AnswerB

Correct choice.

Why this answer

JSON is widely used with REST because it is compact, human-readable, and easy for software to parse. It is common in controller APIs and automation workflows.

Exam trap

A common exam trap is selecting YANG as the data format for REST APIs because candidates recognize YANG as related to network automation. However, YANG is a data modeling language that defines the structure of data but does not represent the actual data format used in REST API communication. Confusing YANG with JSON leads to incorrect answers.

Similarly, confusing protocols like STP or TFTP with data formats can mislead candidates. The key is to remember that JSON is the actual data format used in REST APIs due to its lightweight and easy-to-parse nature.

Why the other options are wrong

A

YANG is a data modeling language used to define the structure of network data but is not the actual data format used in REST API communication, making it an incorrect choice.

C

STP (Spanning Tree Protocol) is a Layer 2 protocol for preventing loops in Ethernet networks and has no relation to data formatting in REST APIs, so it is incorrect.

D

TFTP is a simple protocol used for file transfers, such as IOS images, and is not a data format used in REST APIs, making it an invalid choice.

1776
MCQmedium

A switchport connected to an IP phone and a PC must carry user traffic and voice traffic separately. Which feature is designed for that purpose on a Cisco access port?

A.Voice VLAN
B.EtherChannel
C.SPAN
D.Native VLAN
AnswerA

This is correct because a voice VLAN is designed to separate voice traffic from user data on the same access port.

Why this answer

The correct feature is a voice VLAN. In plain language, a voice VLAN lets the switch treat the IP phone’s traffic differently from the user PC’s traffic even though both devices may be connected through the same physical access port. The phone can tag voice traffic for the voice VLAN while the PC remains in the normal data access VLAN. This is a practical design because it keeps voice traffic logically separate, which helps with policy, QoS, and management.

This is a classic CCNA switching concept because it shows that one physical edge port can still support more than one logical traffic type in a controlled way. A standard access VLAN by itself would not provide the same voice/data separation. EtherChannel, SPAN, and native VLAN concepts solve different problems. The best answer is the feature specifically built to support phones and workstations together on one access connection while keeping their traffic logically distinct.

Exam trap

Be cautious not to confuse VLAN-related terms. Understand that voice VLAN is specifically designed for separating voice and data traffic on access ports.

Why the other options are wrong

B

EtherChannel is a technology used to combine multiple physical links into a single logical link for increased bandwidth and redundancy, but it does not separate user and voice traffic on a switchport. Therefore, it does not fulfill the requirement of carrying voice and user traffic separately.

C

SPAN (Switched Port Analyzer) is used for monitoring and capturing traffic on a switch port, not for separating user and voice traffic. It does not provide the necessary functionality to handle VLANs for voice and data traffic on a single port.

D

The Native VLAN is used for untagged traffic on a trunk port and does not separate voice and user traffic on an access port. It is not designed to handle the specific requirements of carrying both voice and data traffic separately.

1777
MCQhard

Two routers, R1 and R2, are connected via a serial link. The interface on R1 shows 'Serial0/0 is up, line protocol is down' and no pings succeed across the link. You check the configuration and notice R1 has 'encapsulation ppp' but R2's serial interface was mistakenly left at the default encapsulation hdlc.

A.The IP addresses on the serial interfaces are in different subnets, so packets are dropped at Layer 3.
B.The mismatched encapsulation types prevent the routers from forming a Layer 2 connection, so the line protocol remains down.
C.The serial cable is faulty, causing physical layer issues that trigger the line protocol down state.
D.The routers are missing a routing protocol configuration, so they cannot route traffic across the link.
AnswerB

With PPP on one end and HDLC on the other, the L2 frames are incompatible. The receiving router cannot decode the incoming frame, and L2 keepalives fail, causing the line protocol to drop.

Why this answer

Option B is correct because the line protocol on a serial interface requires both ends to agree on the Layer 2 encapsulation type. R1 is configured with PPP (encapsulation ppp), while R2 defaults to HDLC. Since these encapsulations are incompatible, the routers cannot establish a valid Layer 2 connection, causing the line protocol to remain down despite the physical layer being up.

Exam trap

Cisco often tests the distinction between 'line protocol is down' (Layer 2 issue) and 'Serial0/0 is down' (Layer 1 issue), and candidates mistakenly attribute a line protocol down state to physical problems or IP addressing errors rather than encapsulation mismatch.

Why the other options are wrong

A

The line protocol down state is a Layer 2 indicator, not a Layer 3 problem. It reflects the failure of the data link layer to establish a connection, independent of IP addressing.

C

The 'interface up' part of the status explicitly confirms that the physical layer (Layer 1) is operational. A faulty cable would cause both physical and line protocol to show down.

D

Line protocol down indicates a Layer 2 failure, which occurs before any routing decision. Even without a routing protocol, the line protocol would come up if Layer 2 were functional, because the interface status is independent of routing.

1778
MCQhard

R1 and R2 are directly connected via Ethernet on interface G0/0. Both interfaces are in the same subnet and configured for OSPF area 0. After enabling OSPF, R1's G0/0 is stuck in the INIT state in the OSPF neighbor table. What is the most likely cause?

A.MTU mismatch
B.Hello and dead timer mismatch
C.Missing router ID on both routers
D.A duplicate static route to 10.1.12.0/30
AnswerB

Correct choice.

Why this answer

Being stuck in the INIT state means R1 has received Hello packets from R2 but has not transitioned to the 2-WAY state. This most often occurs when critical OSPF parameters like the hello and dead timers do not match. An MTU mismatch, while problematic, would cause the adjacency to fail during database exchange (Exstart/Exchange), not during initial neighbor formation.

Missing router IDs are not a real issue because routers auto-generate them, and a duplicate static route to the connected subnet would not affect OSPF neighbor discovery.

Exam trap

A common exam trap is selecting MTU mismatch or missing router IDs as the cause of OSPF adjacency failure. While MTU mismatches can cause adjacency issues during database exchange, they do not prevent the initial neighbor relationship from forming. Missing router IDs do not block adjacency because routers automatically generate IDs if none are configured.

Another trap is confusing static routes with neighbor discovery; static routes do not influence OSPF adjacency. The key is to focus on timer mismatches, as hello and dead intervals must be identical for routers to recognize each other as neighbors and establish adjacency.

Why the other options are wrong

A

MTU mismatch can cause OSPF adjacency problems during the database exchange phase, but it does not typically prevent the initial neighbor relationship from forming. Since the question states adjacency cannot form, MTU mismatch is unlikely the primary cause.

C

Missing router IDs do not prevent OSPF adjacency because routers automatically generate a router ID if none is configured. Therefore, this option is not a valid cause for adjacency failure.

D

A duplicate static route to 10.1.12.0/30 does not affect OSPF neighbor formation, as static routes are unrelated to OSPF adjacency processes. This option is irrelevant to the adjacency issue.

1779
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure a Cisco switch access port with a data VLAN and a voice VLAN.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

First, enter global configuration mode with 'configure terminal'. Next, select the interface using 'interface GigabitEthernet0/1'. Then, set the port to access mode with 'switchport mode access' to prevent trunk negotiation.

After that, assign the data VLAN with 'switchport access vlan 10'. Finally, assign the voice VLAN with 'switchport voice vlan 20'. This order ensures the interface is properly configured before VLAN assignment and prevents DTP from creating a trunk.

1780
Multi-Selectmedium

Which two statements accurately describe DHCP?

Select 2 answers
A.It can automatically provide an IP address to a client.
B.It can provide additional configuration such as default gateway and DNS server information.
C.It resolves hostnames into IP addresses.
D.It elects the designated router in OSPF.
E.It replaces the need for subnet masks.
AnswersA, B

This is correct because address assignment is a core DHCP function.

Why this answer

DHCP is used to provide IP configuration automatically to hosts. In practical terms, it can supply an IP address, subnet mask, default gateway, and often DNS server information. This reduces manual effort and helps standardize endpoint configuration across a network.

The wrong answers often confuse DHCP with DNS or routing. The two correct answers are the ones focused on automatic host configuration.

Exam trap

A common exam trap is confusing DHCP with DNS or routing protocol functions. Some candidates mistakenly believe DHCP resolves hostnames to IP addresses, but this is the role of DNS. Others incorrectly think DHCP participates in routing protocol processes such as OSPF designated router elections, which it does not.

Additionally, some may assume DHCP eliminates the need for subnet masks, but DHCP actually provides subnet mask information to clients. Recognizing that DHCP strictly handles IP address and related configuration assignment prevents these errors.

Why the other options are wrong

C

Incorrect. DHCP does not resolve hostnames to IP addresses; this is the responsibility of DNS, a separate IP service.

D

Incorrect. DHCP does not participate in routing protocol operations like OSPF designated router election, which is a function of OSPF itself.

E

Incorrect. DHCP supplies subnet masks to clients but does not replace the need for subnet masks; subnetting remains a fundamental network design concept.

1781
MCQmedium

As a general rule, where should an extended ACL be placed?

A.As close to the source as practical
B.As close to the destination as possible in all cases
C.Only on the default gateway
D.Only on WAN interfaces
AnswerA

Correct. This is the common placement guideline.

Why this answer

Extended ACLs are commonly placed near the source to stop unwanted traffic earlier and conserve bandwidth and device resources.

Exam trap

Remember that extended ACLs should be placed near the source, not the destination or core, to effectively manage traffic.

Why the other options are wrong

B

Placing an extended ACL as close to the destination can lead to unnecessary traffic being processed by intermediate devices, which is inefficient. Extended ACLs are designed to filter traffic based on source and destination, so positioning them closer to the source enhances performance and security.

C

This option is incorrect because placing an extended ACL only on the default gateway limits its effectiveness in controlling traffic originating from various sources across the network. Extended ACLs should be strategically placed closer to the source to filter traffic before it reaches the destination.

D

Placing an extended ACL only on WAN interfaces can lead to inefficient traffic filtering, as it may not adequately control traffic originating from internal sources. Extended ACLs should ideally be positioned close to the source to effectively manage traffic before it reaches the destination.

1782
MCQhard

A router has a static route configured: ip route 10.200.0.0 255.255.0.0 GigabitEthernet0/1. The output of show ip interface brief shows that interface GigabitEthernet0/1 is administratively down. Why is the route to 10.200.0.0/16 present in the running configuration but absent from the routing table?

A.Because the route points to an interface that is administratively down.
B.Because static routes cannot reference exit interfaces.
C.Because the destination must be a /24, not a /16.
D.Because static routes require NTP before installation.
AnswerA

This is correct because a route using an unusable exit path will not provide operational forwarding.

Why this answer

The static route is absent because the outgoing interface is down. In practical terms, when a static route depends on an interface that is not operational, the router cannot use that path, so the route is not installed as usable forwarding state. The configuration line alone is not enough; the forwarding path also has to be viable.

This is a realistic static-route troubleshooting pattern because it distinguishes between configured intent and operational state.

Exam trap

A frequent exam trap is to confuse the presence of a static route in the configuration with its presence in the routing table. Candidates often overlook the fact that a static route pointing to an administratively down interface will not be installed, leading to the mistaken belief that the route is missing due to mask length or protocol requirements. Another trap is assuming static routes cannot use exit interfaces or require time synchronization, which is false.

This question tests the candidate's understanding of the difference between configured routes and operationally valid routes, focusing on interface state as the critical factor for route installation.

Why the other options are wrong

B

Incorrect because static routes can reference exit interfaces directly; Cisco routers support static routes with either next-hop IP addresses or exit interfaces.

C

Incorrect because the subnet mask length (such as /16 vs /24) does not prevent a static route from being installed; the issue is the interface state, not the mask.

D

Incorrect because static routes do not depend on NTP or time synchronization for installation; this is unrelated to static routing behavior.

1783
MCQhard

A network engineer is troubleshooting OSPFv3 adjacency between two directly connected Cisco routers, R1 and R2, both running IOS-XE. The engineer configures OSPFv3 on both routers but notices that the adjacency does not form. The engineer runs 'show ospfv3 neighbor' on R1 and sees no neighbors. What is the most likely cause of this issue?

A.The OSPFv3 process ID must match on both routers.
B.The interface GigabitEthernet0/0 is missing the 'ospfv3 1 ipv6 area 0' command.
C.The link-local addresses are not in the same subnet.
D.The router ID 1.1.1.1 is duplicated on R2.
AnswerB

Without this command, OSPFv3 is not enabled on the interface, preventing adjacency formation.

Why this answer

Option B is correct because OSPFv3 requires explicit interface-level configuration to enable the protocol on a specific interface. The correct command is 'ospfv3 1 ipv6 area 0' (or 'ipv6 ospf 1 area 0' for the traditional OSPFv3 configuration). Without this command, the interface does not participate in OSPFv3, so no Hello packets are sent or received, preventing adjacency formation.

Exam trap

Cisco often tests the distinction between OSPFv2 (where enabling the protocol under the routing process automatically activates it on all interfaces with 'network' statements) and OSPFv3 (which requires explicit per-interface activation), leading candidates to overlook the mandatory interface-level command.

Why the other options are wrong

A

This is a common misconception; OSPFv3 uses the router ID for neighbor identification, not the process ID.

C

Link-local addresses are automatically configured and do not affect OSPFv3 adjacency as long as they are unique.

D

In this scenario, no neighbors are seen, indicating a more fundamental issue like OSPFv3 not being enabled on the interface.

1784
PBQmedium

You are connected to R1, a Cisco IOS-XE router that provides connectivity for the 192.168.10.0/24 network. The network operations team uses a Python script with netmiko to push configuration changes. However, the script fails to connect to R1. You need to verify the SSH configuration on R1.

Hints

  • Check if SSH is enabled globally and on the VTY lines.
  • Verify that the transport input includes ssh.
  • Ensure there is a hostname and domain configured.
A.The VTY lines are configured for telnet only; SSH requires 'transport input ssh'.
B.The SSH server is not enabled because the crypto key is missing or 'ip ssh' is not configured.
C.The SSH version is set to version 1, which is not supported by the Python script.
D.The domain name is not configured, which is required for SSH key generation.
AnswerA
solution
! R1
show running-config | include ssh
show ip ssh
show line vty
show ip interface brief

Why this answer

The VTY lines are configured for telnet only. SSH requires 'transport input ssh' (or 'transport input all'). Additionally, the SSH server may not be enabled if the crypto key is missing or the ip ssh command is not present.

The commands show that transport input is telnet, so the script cannot connect via SSH. Changing to 'transport input ssh' resolves the issue.

Exam trap

The exam trap is that candidates often focus on SSH server configuration (crypto keys, domain name, ip ssh) and forget that the VTY lines must also permit SSH. Always check 'transport input' on VTY lines when troubleshooting SSH access.

Why the other options are wrong

B

The specific factual error: The crypto key and 'ip ssh' are necessary for SSH operation, but the VTY transport setting is the immediate cause of connection failure.

C

The specific factual error: There is no indication that SSH version 1 is in use; the issue is the VTY transport setting.

D

The specific factual error: A domain name is required for SSH key generation, but the VTY transport setting is the direct cause of the connection failure.

1785
Multi-Selectmedium

A route table shows both a default route and a more specific route to 192.168.50.0/24. Which two statements describe how packets destined for 192.168.50.25 are handled?

Select 2 answers
A.The router prefers the 192.168.50.0/24 route because it is the longest prefix match
B.The default route is used only when no more-specific route matches
C.Administrative distance is compared before prefix length for forwarding decisions
D.The packet is load-balanced across both routes automatically
AnswersA, B

Longest prefix match decides forwarding when multiple routes match a destination.

Why this answer

Once routes are installed, packet forwarding follows longest prefix match. The /24 route is more specific than the default route, so traffic to 192.168.50.25 uses the /24 entry.

Exam trap

A frequent exam trap is assuming that administrative distance is compared before prefix length when selecting a route. Candidates might think that if the default route has a better administrative distance, it will be chosen over a more specific route. However, Cisco routers always apply the longest prefix match rule first, selecting the most specific route regardless of administrative distance.

Administrative distance only comes into play when multiple routes have the same prefix length. Misunderstanding this can lead to incorrect answers about how packets are forwarded, especially when both default and specific routes exist in the routing table.

Why the other options are wrong

C

Option C is incorrect because administrative distance is not compared before prefix length; prefix length is the primary factor in route selection, making this option a common misconception.

D

Option D is incorrect because Cisco routers do not load-balance between a default route and a more specific route; these routes are not considered equal-cost and the more specific route is always preferred.

1786
MCQhard

A router is configured for PAT using the WAN interface address. Which command element is most directly associated with allowing many internal users to share that single outside address?

A.overload
B.inside
C.list 1
D.interface
AnswerA

This is correct because `overload` enables PAT behavior using transport-layer ports.

Why this answer

The `overload` element is the critical part. In plain language, that keyword tells the router to perform Port Address Translation so many inside sessions can be represented through the same outside IP address at the same time. Without overload, the router would be performing a different translation behavior and would not achieve the same many-to-one sharing model.

This is one of the most recognizable NAT design terms in CCNA because it directly distinguishes PAT from simple one-to-one translation methods. The correct answer is the part of the configuration that signals multi-session sharing through port tracking.

Exam trap

A common exam trap is selecting options like `inside`, `list 1`, or `interface` as the element that enables multiple internal users to share a single outside address. While these elements are part of the NAT configuration, they do not by themselves enable PAT. The `inside` keyword only marks interfaces as internal, the ACL (`list 1`) defines which addresses are translated, and specifying the `interface` chooses the public IP address source.

However, without the `overload` keyword, the router cannot perform port-based multiplexing, so many-to-one sharing fails. Candidates often overlook that `overload` is the explicit command that activates PAT, making it the correct answer.

Why the other options are wrong

B

Incorrect. The `inside` keyword only marks an interface as internal for NAT direction but does not enable multiple hosts to share one outside address.

C

Incorrect. The access list (`list 1`) specifies which internal addresses are translated but does not activate PAT or many-to-one sharing by itself.

D

Incorrect. Specifying the interface determines the outside IP address used for translation but does not enable PAT without the `overload` keyword.

1787
Multi-Selectmedium

A network engineer is implementing AIOps to improve network reliability. Which four of the following are core capabilities that AIOps platforms typically provide? (Choose four.)

Select 4 answers
.Correlation of alerts from multiple network devices to reduce noise
.Self-healing by automatically reverting problematic configuration changes
.Predictive maintenance to identify devices likely to fail
.Baseline learning of normal traffic patterns to detect deviations
.Direct manipulation of physical layer hardware to replace faulty optics
.Guaranteed elimination of all false positive alarms in the network

Why this answer

Correlation of alerts from multiple network devices is a core AIOps capability because it uses machine learning to analyze and group related alerts, reducing noise and helping engineers focus on root causes rather than individual symptoms. Self-healing by automatically reverting problematic configuration changes is a key feature, as AIOps can detect anomalies caused by changes and roll back to a stable state to minimize downtime. Predictive maintenance identifies devices likely to fail by analyzing historical performance data and telemetry, enabling proactive replacement or repair before failures occur.

Baseline learning of normal traffic patterns allows AIOps to detect deviations that indicate potential issues. The incorrect options are not core AIOps capabilities: Direct manipulation of physical layer hardware is beyond the scope of AIOps, which focuses on software-based analysis and automation; guaranteed elimination of all false positives is unrealistic because no system can achieve 100% accuracy in alarm filtering.

Exam trap

Candidates often mistakenly assume that AIOps includes direct hardware control or promises zero false alarms, but these are not realistic or core capabilities; AIOps focuses on data-driven analysis and automated responses within the software layer.

Why the other options are wrong

E

Direct manipulation of physical layer hardware is not a core AIOps capability; AIOps operates on data and software-based automation, not direct hardware control.

F

Guaranteed elimination of all false positive alarms is impossible because no AI system can achieve perfect accuracy; AIOps reduces but does not eliminate false positives.

1788
MCQhard

A technician is troubleshooting a connectivity issue where a workstation connected to a Cisco switch port cannot ping other hosts that are in the same VLAN 10 segment. The technician runs the show mac address-table command and notices that the workstation's MAC address is listed on VLAN 1, not VLAN 10. What is the most likely cause?

A.The switch port is not configured with the switchport access vlan 10 command.
B.The switch port is configured as a trunk with native VLAN 1.
C.The MAC address table contains a stale entry that must be cleared.
D.Spanning Tree Protocol has placed the port in a blocking state.
AnswerA

When an access port's VLAN is not explicitly set, the port defaults to VLAN 1. The workstation's MAC is learned on VLAN 1, causing connectivity failure with VLAN 10 hosts. Adding the switchport access vlan 10 command resolves the issue.

Why this answer

The workstation's MAC address appears in VLAN 1 instead of VLAN 10 because the switch port is operating in the default VLAN (VLAN 1). The most likely cause is that the port has not been explicitly assigned to VLAN 10 using the `switchport access vlan 10` command. Without this command, the port remains in its default access VLAN (VLAN 1), so all frames from the workstation are associated with VLAN 1, preventing communication with hosts in VLAN 10.

Exam trap

Cisco often tests the default VLAN behavior (VLAN 1) and the fact that an access port without an explicit VLAN assignment remains in VLAN 1, leading candidates to overlook the missing `switchport access vlan` command and instead blame trunking, STP, or MAC table aging.

Why the other options are wrong

B

Candidates often assume any VLAN mismatch with VLAN 1 indicates a trunk misconfiguration, but a missing access VLAN is the more common and direct cause.

C

Candidates might think that an outdated MAC record is causing the VLAN display, but the dynamic learning process reflects the actual port VLAN.

D

Tempting because a blocked port can disrupt connectivity, but the MAC address table entry would still appear on the correct VLAN, not default to VLAN 1.

1789
Multi-Selectmedium

Which TWO statements about interpreting routing table output are true? (Choose two.)

Select 2 answers
A.A route with a longer prefix length is always preferred over a route with a shorter prefix length, regardless of administrative distance.
B.A directly connected route has an administrative distance of 0 and is always preferred over any dynamic route for the same network.
C.If two routes have the same prefix length, the route with the higher administrative distance is preferred.
D.The metric is used to compare routes from different routing protocols.
E.A static route configured with an administrative distance of 200 will be preferred over an OSPF route with AD 110 for the same network.
AnswersA, B

The longest-prefix match rule ensures the most specific route is used first, even if another route has a lower AD.

Why this answer

Longest-prefix match always wins regardless of AD or route source (A correct), and directly connected routes have AD 0 (B correct). C is incorrect because among equal prefix lengths, lower AD wins. D is wrong because metric only compares same-protocol routes, while AD compares across protocols.

E fails because a higher AD (200) is less preferred than OSPF's 110.

Exam trap

Cisco often tests the misconception that administrative distance is the primary tie-breaker, but the trap here is that the longest prefix match rule always takes precedence, even over a directly connected route with AD 0.

Why the other options are wrong

C

A lower AD indicates a more trustworthy source, so the route with the lower AD is preferred, not the higher one.

D

Metrics are only comparable within the same routing protocol (e.g., OSPF cost vs. EIGRP composite metric). For different protocols, AD is used to select the best route.

E

A lower AD is preferred; OSPF AD 110 is lower than 200, so the OSPF route would be chosen.

1790
MCQhard

Exhibit: Users report no internet access after PAT was configured. The inside and outside interfaces are marked correctly. Which missing configuration is the most likely cause?

A.No ACL and nat overload statement identifying inside source addresses
B.No DHCP pool on the outside interface
C.No CDP enabled on the router
D.No syslog server configured
AnswerA

Correct choice.

Why this answer

PAT needs both the inside and outside interface roles and a NAT statement referencing an ACL that identifies the inside local addresses. Without the ACL match and NAT overload rule, translation does not occur for user traffic.

Exam trap

A frequent exam trap is believing that configuring the inside and outside interfaces alone is enough for PAT to function correctly. Candidates may overlook the necessity of an ACL that explicitly identifies the inside local addresses for translation. Without this ACL and the corresponding NAT overload statement, the router cannot perform address translation, causing intermittent or failed internet connectivity.

This mistake often occurs because the interface roles are visible and seem sufficient, but the translation logic depends on the ACL match. Understanding that PAT requires both interface roles and an ACL-based NAT overload rule is critical to avoid this pitfall.

Why the other options are wrong

B

Incorrect. DHCP pools assign IP addresses to clients and are unrelated to NAT or PAT configuration. Lack of a DHCP pool on the outside interface does not affect PAT functionality.

C

Incorrect. CDP is a Layer 2 protocol used for device discovery and does not influence NAT or PAT operations. Its absence does not cause internet access issues related to PAT.

D

Incorrect. Syslog servers are used for logging and monitoring router events. Not configuring a syslog server does not impact NAT translation or internet connectivity.

1791
Drag & Dropmedium

Drag and drop the following steps into the correct order to replace a faulty SFP module on a Cisco switch and verify the fiber interface.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

To replace a faulty SFP, first disconnect the cable to avoid damage, then remove the old module, insert the new one, reconnect the cable, and finally verify the interface is operational.

Exam trap

A common trap is to think you should remove the module before disconnecting the cable, but this can damage the fiber connector. Always disconnect cables first when working with optical modules.

1792
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure and apply an extended IPv4 ACL on a Cisco router to block Telnet traffic from subnet 192.168.1.0/24 to host 10.0.0.1 and permit all other IP traffic.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
6Step 6
7Step 7

Why this order

Correct order: 1) Identify the traffic to filter and the interface/direction because this planning determines all subsequent configuration choices. 2) Enter global configuration mode to access ACL definition. 3) Configure the deny statement first — ACLs are processed top-down, so the specific deny must precede the general permit to actually block the unwanted traffic. 4) Add the permit statement after the deny to allow everything else. 5) Enter interface configuration mode to attach the ACL to a specific port. 6) Apply the ACL with the correct direction (inbound) using the ip access-group command, which activates the filtering. 7) Verify the ACL is correctly applied to confirm the configuration is functioning as intended.

1793
MCQhard

A company wants internal users to share one public IPv4 address for outbound Internet access, while keeping sessions separate. Which NAT approach best meets that requirement?

A.PAT overload
B.Static NAT only
C.No NAT, because private IPv4 addresses are Internet-routable
D.DHCP relay
AnswerA

This is correct because PAT uses port values to let many internal sessions share one public IPv4 address.

Why this answer

PAT is the correct approach because it allows many internal sessions to share one outside IPv4 address while distinguishing them by port numbers. In plain language, PAT gives the office an efficient many-to-one translation model that works well for ordinary user Internet access when public addresses are limited.

This is different from static NAT, which gives a fixed one-to-one mapping, and from dynamic NAT pools that usually rely on multiple public addresses. The correct answer is the translation method designed specifically for shared public-address use across many sessions.

Exam trap

A common exam trap is selecting static NAT as the solution because it involves address translation, but static NAT only supports one-to-one mappings and cannot handle multiple internal users sharing a single public IP address. Another frequent mistake is assuming private IPv4 addresses can be routed on the Internet without NAT, which is incorrect because private addresses are non-routable externally. Additionally, confusing DHCP relay with NAT functions can mislead candidates, as DHCP relay only forwards DHCP messages and does not perform address translation.

Recognizing that PAT overload uniquely enables many-to-one translation with port differentiation is crucial to avoid these pitfalls.

Why the other options are wrong

B

Static NAT only provides a one-to-one mapping between private and public IP addresses, so it cannot support multiple internal users sharing one public IP address simultaneously, making it unsuitable for the scenario.

C

No NAT is incorrect because private IPv4 addresses are not routable on the public Internet; without NAT, internal users cannot access external resources using private IPs alone.

D

DHCP relay is unrelated to NAT or IP address translation; it simply forwards DHCP requests between clients and servers and does not enable sharing of public IP addresses for Internet access.

1794
MCQmedium

Exhibit: A host on VLAN 10 can ping the local SVI but not a server in VLAN 20. The Layer 3 switch has both VLAN interfaces up. What is the next item to verify first?

A.Whether the server in VLAN 20 has the correct default gateway
B.Whether the switch should disable IP routing
C.Whether VLAN 10 should be the native VLAN
D.Whether the host should use a /8 mask instead of /24
AnswerA

End-host gateway issues are a very common reason for one-way inter-VLAN failures.

Why this answer

If the source host can reach its own default gateway, the local VLAN and access port are probably fine. The next practical check is whether the server in VLAN 20 has the correct IP address, mask, and default gateway configured.

Exam trap

A frequent exam trap is to overlook the remote device’s default gateway configuration and instead suspect the Layer 3 switch’s routing or VLAN setup. Candidates often assume that because the VLAN interfaces are up, routing must be functional. However, if the server in VLAN 20 lacks the correct default gateway pointing to its VLAN SVI, it cannot return traffic to the source host, causing failed pings.

This one-way communication failure can mislead candidates into troubleshooting switch settings unnecessarily, wasting time and missing the root cause.

Why the other options are wrong

B

Disabling IP routing on the Layer 3 switch would prevent inter-VLAN routing entirely. Since both VLAN interfaces are up and the host can ping its local SVI, IP routing is likely enabled, so this is not the first item to verify.

C

The native VLAN setting affects untagged traffic on trunk links but does not directly impact inter-VLAN routing or the ability of hosts to communicate across VLANs. It is not the primary cause of the described symptom.

D

Using a /8 mask instead of /24 would cause subnetting issues, but since the host can ping its own VLAN interface, the subnet mask is likely correct. This is not the first or most probable cause of the problem.

1795
Drag & Dropmedium

Drag and drop the following steps into the correct order to plan, configure, and apply an extended ACL that denies Telnet from a specific host to a server subnet, then verify the configuration.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The correct sequence is: create the ACL (A), apply it to the interface (B), verify it works (D), then save the configuration (C). This prevents saving a faulty ACL. Verifying after saving (C before D) risks persisting errors and is not the Cisco recommended workflow.

Exam trap

Do not confuse the order of creation and application: you must create the ACL before applying it. Also, always verify before saving to avoid locking in errors.

1796
PBQhard

You are connected to R1 via the console. SNMP v2c community strings (public RO, private RW) are already configured. The network has a management server at 10.1.1.100 and a NetFlow collector at 10.1.1.200. Configure SNMP traps to the management server for link status changes. Also configure NetFlow on interface GigabitEthernet0/0 to export version 9 to the collector, with a source interface of Loopback0 (10.255.255.1/32).

Network Topology
G0/0G0/010.1.1.10010.1.1.200R210.0.0.1/30R1MGMT_ServerNMS_Collector

Hints

  • SNMP traps require both a host command and enabling specific trap types.
  • NetFlow export needs destination, version, and source interface, plus flow ingress on the interface.
  • Use 'show running-config | section snmp|flow' to verify your changes.
A.snmp-server host 10.1.1.100 version 2c public snmp-server enable traps snmp linkdown linkup ip flow-export destination 10.1.1.200 2055 ip flow-export version 9 ip flow-export source Loopback0 interface GigabitEthernet0/0 ip flow ingress
B.snmp-server host 10.1.1.200 version 2c private snmp-server enable traps ip flow-export destination 10.1.1.100 2055 version 9 ip flow-export source Loopback0 interface GigabitEthernet0/0 ip flow egress
C.snmp-server host 10.1.1.100 version 2c private snmp-server enable traps ip flow-export destination 10.1.1.200 2055 version 9 ip flow-export source Loopback0 interface GigabitEthernet0/0 ip flow ingress
D.snmp-server host 10.1.1.100 version 2c public snmp-server enable traps snmp linkdown linkup ip flow-export destination 10.1.1.200 2055 version 5 ip flow-export source Loopback0 interface GigabitEthernet0/0 ip flow ingress
AnswerA
solution
! R1
snmp-server host 10.1.1.100 version 2c public
snmp-server enable traps snmp linkdown linkup
ip flow-export destination 10.1.1.200 2055
ip flow-export version 9
ip flow-export source Loopback0
interface GigabitEthernet0/0
ip flow ingress

Why this answer

The current configuration has SNMP community strings but lacks trap destinations and NetFlow export. To fix, you must configure snmp-server host 10.1.1.100 version 2c public to send traps, and snmp-server enable traps snmp linkdown linkup is required to send link status changes. For NetFlow, you need ip flow-export destination 10.1.1.200 2055 and then ip flow-export version 9 to set the export version.

Also configure ip flow-export source Loopback0 and apply ip flow ingress on GigabitEthernet0/0. Verification commands confirm the settings.

Exam trap

Pay close attention to the IP addresses: the management server (10.1.1.100) is for SNMP traps, and the collector (10.1.1.200) is for NetFlow. Also, remember that SNMP traps use the read-only community, and NetFlow version must match the requirement (version 9).

Why the other options are wrong

B

The specific factual error: The SNMP trap destination and NetFlow export destination are swapped, and the flow direction is egress instead of ingress.

C

The specific factual error: SNMP traps should use the read-only community string 'public', not the read-write 'private'.

D

The specific factual error: NetFlow export version is set to 5, but the requirement is version 9.

1797
MCQhard

A host address is 10.10.10.14/29. Which address is the broadcast address for its subnet?

A.10.10.10.7
B.10.10.10.15
C.10.10.10.8
D.10.10.10.16
AnswerB

This is correct because .14 is in the 8–15 /29 subnet.

Why this answer

A /29 subnet has a block size of 8. In practical terms, the fourth-octet ranges are 0–7, 8–15, 16–23, and so on. Since 14 falls in the 8–15 block, the broadcast address is the last address in that block, which is 10.10.10.15.

This is a classic subnetting question that checks whether you can find the block first and then identify the final address in that block.

Exam trap

Avoid confusing the network address or a host address with the broadcast address. Remember, the broadcast address is the last address in the subnet range.

Why the other options are wrong

A

Option A, 10.10.10.7, is incorrect because it does not represent the broadcast address for the subnet defined by 10.10.10.14/29. The correct broadcast address is 10.10.10.15, which is the highest address in the subnet range.

C

The address 10.10.10.8 is not the broadcast address for the subnet 10.10.10.14/29. The correct broadcast address is 10.10.10.15, which is the highest address in the subnet range from 10.10.10.8 to 10.10.10.15.

D

The address 10.10.10.16 is outside the subnet defined by 10.10.10.14/29, which includes addresses from 10.10.10.8 to 10.10.10.15. Therefore, it cannot be the broadcast address for this subnet.

1798
Multi-Selectmedium

A switch should learn one MAC address on an access port and shut the port down if a second unauthorized device appears. Which two port-security settings support that requirement?

Select 2 answers
A.switchport port-security maximum 1
B.switchport port-security violation shutdown
C.switchport protected
D.switchport nonegotiate
AnswersA, B

This limits the number of learned secure MAC addresses to one.

Why this answer

Port security enforces how many MAC addresses may be learned on a port and what happens when a violation occurs. 'switchport port-security maximum 1' limits the port to one MAC address, and 'switchport port-security violation shutdown' disables the port if a violation occurs, matching the requirement. 'switchport protected' isolates ports within a switch but does not limit MAC addresses or cause a shutdown. 'switchport nonegotiate' disables DTP negotiation, which is unrelated to port security.

Exam trap

Be careful not to confuse the different port security violation modes. Only the shutdown mode will disable the port.

1799
MCQmedium

A network administrator wants to secure remote CLI access to a Cisco router, moving beyond simple username/password authentication. Which approach best achieves this goal?

A.Use stronger or additional authentication controls to improve remote administrative access security
B.Replace SSH with Telnet to simplify troubleshooting
C.Configure an extended ACL to limit remote access to specific source IP addresses
D.Disable password authentication and rely solely on device location in the network
AnswerA

This is correct because the goal is to improve authentication strength rather than rely only on a weak single factor.

Why this answer

The goal is to strengthen authentication beyond a simple password. Cisco AAA (Authentication, Authorization, and Accounting) using TACACS+ or RADIUS provides stronger, centralized authentication. Secure Shell (SSH) with key-based or two-factor authentication also enhances security.

Option A correctly describes this concept, while the other options either weaken security (B, D) or address access control via ACLs, which does not improve the authentication factor itself (C).

Exam trap

A common trap is thinking that limiting access with an ACL (option C) satisfies the goal, but ACLs restrict source addresses, not strengthen the authentication process. Another trap is confusing stronger authentication with simpler troubleshooting (B) or location-based trust (D).

Why the other options are wrong

B

Telnet transmits credentials in plaintext, making it less secure than SSH and opposite to the goal of stronger authentication.

C

An ACL restricts source addresses but does not strengthen the authentication factor itself; it is an authorization control, not an authentication improvement.

D

Removing password authentication and relying on location removes all credential verification, making the device vulnerable to unauthorized access from permitted locations.

1800
PBQhard

You are connected to R1. Configure single-area OSPFv2 on R1 and R2 so that they become fully adjacent. The link between them is 10.0.0.0/30, with R1 using G0/0 and R2 using G0/1. The current configuration has mismatched hello/dead timers: R1's G0/0 uses hello 10 and dead 40, while R2's G0/1 uses hello 30 and dead 120. Also, the 'passive-interface loopback0' command is missing on R1. Ensure OSPF is enabled in area 0, use router-id 1.1.1.1 on R1 and 2.2.2.2 on R2, and correct the timer mismatch.

Network Topology
G0/010.0.0.1/30G0/110.0.0.2/30linkR1R2

Hints

  • Check the hello/dead timers on both routers' interfaces.
  • The loopback0 interface should not send OSPF hellos.
  • Use 'ip ospf hello-interval' and 'ip ospf dead-interval' on the interface with wrong timers.
A.On R2, configure 'ip ospf hello-interval 10' and 'ip ospf dead-interval 40' under G0/1. On R1, configure 'passive-interface loopback0' under router ospf.
B.On R1, configure 'ip ospf hello-interval 30' and 'ip ospf dead-interval 120' under G0/0. On R2, configure 'passive-interface loopback0' under router ospf.
C.On R1, configure 'ip ospf hello-interval 10' and 'ip ospf dead-interval 40' under G0/0. On R2, configure 'passive-interface loopback0' under router ospf.
D.On R2, configure 'ip ospf hello-interval 30' and 'ip ospf dead-interval 120' under G0/1. On R1, configure 'passive-interface loopback0' under router ospf.
AnswerA
solution
! R1
configure terminal
router ospf 1
passive-interface loopback0
end
write memory

! R2
configure terminal
interface gigabitethernet0/1
ip ospf hello-interval 10
ip ospf dead-interval 40
end
write memory

Why this answer

The adjacency fails because R2's G0/1 has hello/dead timers of 30/120, while R1's G0/0 uses 10/40. To fix, on R2 under interface G0/1, use 'ip ospf hello-interval 10' and 'ip ospf dead-interval 40'. Additionally, R1's loopback0 is advertised via a /32 network statement but should be made passive to prevent OSPF hellos from being sent out (where no neighbor exists).

On R1, configure 'passive-interface loopback0' under router ospf. After both changes, adjacency forms.

Exam trap

Watch out for timer mismatches: OSPF requires hello and dead intervals to match between neighbors. Also, remember that loopback interfaces should be made passive to avoid unnecessary OSPF hellos. Do not confuse which router needs the timer change or where the passive-interface command should be applied.

Why the other options are wrong

B

The specific factual error is that the passive-interface command is applied on the wrong router (R2 instead of R1) and the timers are changed on R1 instead of R2.

C

The specific factual error is that the timer change is applied to the wrong interface (R1's G0/0 already has correct timers) and the passive-interface is applied to the wrong router.

D

The specific factual error is that the timer values are not changed; they remain mismatched with R1's timers.

Page 23

Page 24 of 25

Page 25