CCNA 200-301 v2 (200-301) — Questions 1801-1819

1819 questions total · 25 pages · All types, answers revealed

Page 25 of 25

1801
PBQ (hard)

You are connected to R1. The network uses a single router with two subnets: 192.168.1.0/24 (connected to GigabitEthernet0/0) and 10.0.0.0/30 (connected to GigabitEthernet0/1). Configure an extended named ACL called 'FILTER_HTTP' that permits HTTP traffic (TCP port 80) from the 192.168.1.0/24 subnet to any destination, and includes an explicit deny statement to deny all other IP traffic. Apply the ACL inbound on GigabitEthernet0/0. Then verify that HTTP traffic is allowed and all other traffic is blocked.

Network Topology
PC1 -- G0/0 (192.168.1.1/24, subnet 192.168.1.0/24) [R1] G0/1 (10.0.0.1/30, subnet 10.0.0.0/30) -- ISP

Hints

  • Remember the implicit deny at the end of every ACL – you may not need an explicit deny, but the question asks to deny all other IP traffic.
  • Use the correct wildcard mask for the subnet 192.168.1.0/24: 0.0.0.255.
  • Apply the ACL to the interface that receives traffic from the internal subnet.
A. ip access-list extended FILTER_HTTP; permit tcp 192.168.1.0 0.0.0.255 any eq 80; deny ip any any; interface GigabitEthernet0/0; ip access-group FILTER_HTTP in
B. access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80; access-list 100 deny ip any any; interface GigabitEthernet0/0; ip access-group 100 in
C. ip access-list extended FILTER_HTTP; permit tcp 192.168.1.0 0.0.0.255 any eq 80; interface GigabitEthernet0/0; ip access-group FILTER_HTTP in
D. ip access-list extended FILTER_HTTP; permit tcp 192.168.1.0 0.0.0.255 any eq 80; deny ip any any; interface GigabitEthernet0/1; ip access-group FILTER_HTTP in

Answer: A

Solution:
! R1
ip access-list extended FILTER_HTTP
permit tcp 192.168.1.0 0.0.0.255 any eq 80
deny ip any any
interface GigabitEthernet0/0
ip access-group FILTER_HTTP in

Why this answer

The task requires creating an extended named ACL 'FILTER_HTTP' that permits TCP port 80 from source 192.168.1.0/24 to any destination, and then denies all other IP traffic (the implicit deny will block everything else, but you must explicitly add a deny ip any any statement to make the intent clear). The ACL must be applied inbound on GigabitEthernet0/0. The solution uses the commands: ip access-list extended FILTER_HTTP, permit tcp 192.168.1.0 0.0.0.255 any eq 80, deny ip any any, and interface GigabitEthernet0/0, ip access-group FILTER_HTTP in.

Verification with show access-lists and show ip interface GigabitEthernet0/0 confirms the ACL and its application.

Exam trap

Pay attention to the requirement for a named ACL versus numbered ACL. Also, note that while the implicit deny exists, the question explicitly asks for a deny statement, so you must include it. Finally, ensure the ACL is applied to the correct interface and direction.

Why the other options are wrong

B

The specific factual error is that the ACL must be named 'FILTER_HTTP', but this option uses a numbered ACL (100).

C

The specific factual error is that the ACL does not include an explicit deny ip any any, which is needed to satisfy the requirement of denying all other IP traffic.

D

The specific factual error is that the ACL is applied to the wrong interface (GigabitEthernet0/1 instead of GigabitEthernet0/0).

1802
MCQ (hard)

A user reports that a laptop can connect to the correct SSID but repeatedly fails authentication when joining the WLAN. Which category of issue is most strongly indicated?

A. A security or authentication mismatch related to WLAN access
B. A missing OSPF router ID on the access point
C. A routed-port mismatch on the switch uplink
D. A DHCP relay problem on the client

Answer: A

This is correct because the client can discover the SSID but fails when authentication should succeed.

Why this answer

The strongest indication is a wireless security or authentication mismatch rather than a pure RF coverage problem. In practical terms, the laptop can already see and attempt to join the correct SSID, which means discovery is working. Repeated authentication failure points more directly to credentials, security settings, or authentication-policy alignment than to channel or signal absence.

This question is about recognizing the stage of failure. The client is finding the WLAN, but it is not being accepted onto it.

Exam trap

A common exam trap is selecting options related to routing protocols or DHCP relay issues when a client fails to authenticate on a WLAN. Candidates may incorrectly assume that IP configuration problems or routing mismatches cause authentication failures. However, authentication occurs before IP assignment, so DHCP or OSPF issues cannot cause repeated authentication failures.

This trap distracts from the correct focus on wireless security settings and credentials, which are the root cause when a client sees the SSID but cannot authenticate.

Why the other options are wrong

B

Incorrect. OSPF router IDs are relevant to routing protocols and do not affect wireless client authentication or SSID association processes.

C

Incorrect. Routed-port mismatches on switch uplinks affect wired network traffic forwarding but do not cause wireless authentication failures at the client level.

D

Incorrect. DHCP relay problems affect IP address assignment after authentication; since the client fails authentication repeatedly, DHCP issues are not the cause.

1803
MCQ (hard)

Based on the exhibit, why is the ACL blocking more traffic than intended?

A. Because the ACL denies all TCP traffic to the server instead of only Telnet.
B. Because Telnet uses UDP, not TCP.
C. Because the ACL should be a standard ACL, not an extended ACL.
D. Because the host keyword can never be used with TCP statements.

Answer: A

This is correct because the entry lacks the Telnet destination port qualifier and therefore matches too broadly.

Why this answer

The ACL is blocking more traffic than intended because it uses a broad deny against all TCP traffic to the server instead of only the one service that should be denied. In practical terms, the requirement is narrow, but the configured entry is much wider. As a result, multiple TCP-based applications to that server are blocked, not just the intended one.

This is a classic precision problem in ACL design. It tests whether you can compare what the business requirement says against what the ACL actually matches.

Exam trap

The exam trap here is assuming that denying TCP traffic to a server without specifying the Telnet port will only block Telnet sessions. In reality, the ACL entry without the destination port qualifier matches all TCP traffic to that server, blocking multiple services unintentionally. This mistake often arises from confusing standard ACLs, which filter only by source IP, with extended ACLs that require explicit port numbers for service-specific filtering.

Candidates may overlook the need for the 'eq 23' qualifier for Telnet, leading to broader traffic denial and failing the question.

Why the other options are wrong

B

This option is incorrect because Telnet uses TCP as its transport protocol, not UDP. Therefore, denying TCP traffic is relevant for blocking Telnet, and the statement about UDP is factually wrong.

C

This option is incorrect because standard ACLs filter only by source IP address and cannot filter by protocol or port. The question requires filtering by service (Telnet), which necessitates an extended ACL, making this option invalid.

D

This option is incorrect because the 'host' keyword is valid in extended ACLs and is commonly used to specify a single IP address for precise matching. There is no restriction against using 'host' with TCP statements.
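Added here as a worked example (not code from the question bank): a small Python evaluator for extended ACL entries that implements Cisco wildcard matching and the implicit deny, run over constructed packets against the FILTER_HTTP list from question 1801 and, for question 1803, a Telnet deny written with and without the 'eq 23' qualifier. The server address 10.1.1.5 and all packet addresses are constructed placeholders.

```python
"""Minimal evaluator for Cisco extended ACL entries (added example, not from the question bank)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: str
    src_wc: str            # Cisco wildcard: 1 bits are "don't care"
    dst: str
    dst_wc: str
    dport: Optional[int]   # destination port from an "eq N" qualifier, or None


def _addr(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base on every bit the wildcard marks as significant (0)."""
    care = 0xFFFFFFFF ^ _addr(wildcard)
    return (_addr(addr) & care) == (_addr(base) & care)


def _parse_addr(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_ace(line: str) -> Ace:
    """Parse one ACE such as 'permit tcp 192.168.1.0 0.0.0.255 any eq 80'."""
    t = line.split()
    action, proto = t[0], t[1]
    src, src_wc, i = _parse_addr(t, 2)
    dst, dst_wc, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(action, proto, src, src_wc, dst, dst_wc, dport)


def evaluate(acl: List[str], pkt: Dict) -> Tuple[str, Optional[str]]:
    """First-match evaluation with the implicit deny IOS appends to every ACL.

    pkt has keys proto, src, dst and (for tcp/udp) dport.
    Returns (action, matching line), or ("deny", None) when no entry matched.
    """
    for line in acl:
        ace = parse_ace(line)
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], ace.src, ace.src_wc):
            continue
        if not wildcard_match(pkt["dst"], ace.dst, ace.dst_wc):
            continue
        if ace.dport is not None and pkt.get("dport") != ace.dport:
            continue            # no port qualifier means "any port": the question 1803 trap
        return ace.action, line
    return "deny", None


# Question 1801: the named list as configured on R1.
FILTER_HTTP = [
    "permit tcp 192.168.1.0 0.0.0.255 any eq 80",
    "deny ip any any",
]

# Question 1803: a Telnet deny without and with the port qualifier.
# 10.1.1.5 is a constructed server address, not one from the question.
DENY_TELNET_BROAD = ["deny tcp any host 10.1.1.5", "permit ip any any"]
DENY_TELNET_NARROW = ["deny tcp any host 10.1.1.5 eq 23", "permit ip any any"]

# Constructed sample packets.
HTTP_FROM_LAN = {"proto": "tcp", "src": "192.168.1.10", "dst": "203.0.113.5", "dport": 80}
HTTPS_FROM_LAN = {"proto": "tcp", "src": "192.168.1.10", "dst": "203.0.113.5", "dport": 443}
HTTP_TO_SERVER = {"proto": "tcp", "src": "192.168.1.10", "dst": "10.1.1.5", "dport": 80}
TELNET_TO_SERVER = {"proto": "tcp", "src": "192.168.1.10", "dst": "10.1.1.5", "dport": 23}


if __name__ == "__main__":
    for name, acl in (("FILTER_HTTP", FILTER_HTTP),
                      ("broad", DENY_TELNET_BROAD), ("narrow", DENY_TELNET_NARROW)):
        for pkt in (HTTP_FROM_LAN, HTTPS_FROM_LAN, HTTP_TO_SERVER, TELNET_TO_SERVER):
            print(name, pkt["dst"], pkt["dport"], "->", evaluate(acl, pkt))
```

Running the broad list shows HTTP to the server denied alongside Telnet, which is exactly the over-matching that question 1803 describes.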

1804
Matching (medium)

Match each term to the most appropriate description in an API context.

Descriptions to match (one per concept):

  • Structured payload format
  • Secure transport for the interaction
  • Credential-like access value
  • Specific API target or path

Why these pairings

These pairings define key API terms with their descriptions.

Exam trap

Be careful not to confuse the terms: JSON is a data format, HTTPS is a secure protocol, a token is an access credential, and an endpoint is a specific URL path; focus on matching each term to its correct role in API communication.

1805
PBQ (medium)

You are connected to SW1 via the console. SW1 is a Layer 2 switch with two VLANs (10 - Sales, 20 - Engineering). Port G0/1 is connected to a PC in VLAN 10, and port G0/2 is connected to a PC in VLAN 20. The switch needs to be configured to allow inter-VLAN communication using an external router connected to port G0/3. Currently, the PCs cannot communicate across VLANs. Configure the switch to support Router-on-a-Stick with VLAN 10 as the native VLAN on the trunk.

Network Topology
PC1 -- [SW1] G0/3 -- G0/0 [R1]; PC2 -- [SW1] (diagram port labels: G0/1, G0/3, G0/0)

Hints

  • Remember to set the trunk port encapsulation if needed (though modern switches default to dot1q).
  • The native VLAN on the trunk must match what the router expects.
  • Use switchport mode access for ports connecting to end devices.
A. Configure G0/1 as access VLAN 10, G0/2 as access VLAN 20, G0/3 as trunk with native VLAN 10, and allow VLANs 10 and 20 on the trunk.
B. Configure G0/1 as access VLAN 10, G0/2 as access VLAN 20, G0/3 as trunk with native VLAN 1, and allow VLANs 10 and 20 on the trunk.
C. Configure G0/1 as access VLAN 10, G0/2 as access VLAN 20, G0/3 as trunk with native VLAN 10, but do not allow VLAN 10 on the trunk.
D. Configure G0/1 as trunk with native VLAN 10, G0/2 as trunk with native VLAN 20, G0/3 as trunk with native VLAN 10, and allow VLANs 10 and 20 on all trunks.

Answer: A

Solution:
! SW1
vlan 10
name Sales
vlan 20
name Engineering
interface GigabitEthernet0/1
switchport mode access
switchport access vlan 10
interface GigabitEthernet0/2
switchport mode access
switchport access vlan 20
interface GigabitEthernet0/3
switchport mode trunk
switchport trunk native vlan 10

Why this answer

Access ports assign PCs to their respective VLANs. The trunk port carries multiple VLANs to the router, and setting the native VLAN to 10 ensures untagged frames on the trunk belong to VLAN 10, which the router's subinterface for VLAN 10 will handle as untagged.

Exam trap

A common trap is to leave the native VLAN as the default VLAN 1 or to forget that the native VLAN must be explicitly allowed on the trunk. Also, candidates may incorrectly configure PC-facing ports as trunks instead of access ports. Always verify the native VLAN matches the router's untagged subinterface and that the allowed VLAN list includes all necessary VLANs.

Why the other options are wrong

B

The native VLAN must match the VLAN that the router's subinterface handles as untagged. Setting it to VLAN 1 violates the requirement.

C

The trunk must carry all VLANs that need inter-VLAN communication. Excluding VLAN 10 prevents its traffic from reaching the router.

D

PCs are end devices that expect untagged frames; they should be connected to access ports, not trunk ports.

1806
Matching (medium)

Drag and drop the layer names on the left to the correct PDU names on the right.

PDU names to match (one per layer):

  • Segment
  • Packet
  • Frame
  • Bits
  • Data

Why these pairings

In the OSI model, each layer has a specific PDU name: Application layer uses Data, Transport uses Segment, Network uses Packet, Data Link uses Frame, Physical uses Bits.

Exam trap

A common trap is mixing up the PDU names for adjacent layers, especially confusing 'Packet' (Layer 3) with 'Frame' (Layer 2) or 'Segment' (Layer 4). Remember the order: Data, Segment, Packet, Frame, Bits.

1807
MCQ (medium)

Exhibit: An engineer wants a device to send only warning messages and more critical events to a syslog server. Which logging level should be configured?

A. logging trap debugging
B. logging trap warnings
C. logging trap notifications
D. logging trap informational

Answer: B

Warnings include warning and all more severe levels.

Why this answer

Syslog severity levels use lower numbers for more severe events. Warning is level 4, so logging trap warnings sends messages at levels 4, 3, 2, 1 and 0.

Exam trap

A frequent exam trap is selecting 'logging trap debugging' or 'informational' because these options seem to provide comprehensive logging. However, these levels include all messages, even low-priority informational and debug messages, which can overwhelm the syslog server and make it difficult to identify critical issues. Another trap is misunderstanding the syslog severity numbering, assuming higher numbers mean higher severity, when in fact, lower numbers indicate more critical events.

This confusion leads to incorrect trap level configuration and ineffective monitoring.

Why the other options are wrong

A

The option 'logging trap debugging' sets the trap level to 7, which includes all syslog messages from debugging (least severe) up to emergencies (most severe). This floods the syslog server with excessive data, beyond just warnings and critical events, making it unsuitable for the requirement.

C

The option 'logging trap notifications' sets the trap level to 5, which includes notifications and all more severe messages. However, notifications are less severe than warnings, so this setting would include informational messages that are not requested, making it incorrect.

D

The option 'logging trap informational' sets the trap level to 6, which includes informational messages and all more severe messages. This level is less severe than warnings and includes many more messages than requested, so it does not meet the requirement.

1808
MCQ (hard)

A host with address 172.16.5.10/23 wants to determine whether 172.16.6.20 is on the same local network. What is the correct conclusion?

A. It is on the same local network because both addresses begin with 172.16.
B. It is on the same local network because /23 covers all addresses in 172.16.5.x and 172.16.6.x
C. It is on a different network, so the host should use the default gateway
D. It is on a different network, so ARP will resolve it across the router automatically

Answer: C

This is correct because 172.16.6.20 is not in the same /23 network as 172.16.5.10.

Why this answer

A /23 prefix covers two consecutive /24 ranges. In plain language, that means the network boundaries move in blocks of 2 in the third octet. The address 172.16.5.10/23 belongs to the 172.16.4.0/23 network, which covers 172.16.4.x and 172.16.5.x. The destination 172.16.6.20 belongs to a different /23 block, so it is not on the same local network.

This question checks whether you can think beyond default /24 boundaries and understand how a broader prefix changes the local network range. The host would therefore need to use its default gateway to reach 172.16.6.20, because that destination is off-subnet relative to the /23 in use.

Exam trap

Don't assume addresses with the same initial octets are in the same subnet; always calculate based on the subnet mask.

Why the other options are wrong

A

This option is incorrect because the addresses 172.16.5.10 and 172.16.6.20 belong to different subnets: 172.16.5.10 is in 172.16.4.0/23, while 172.16.6.20 falls in the next /23 block, 172.16.6.0/23.

B

This option is incorrect because a /23 subnet mask allows for addresses in the range of 172.16.4.0 to 172.16.5.255, meaning 172.16.6.20 is outside this range and not on the same local network.

D

Option D is incorrect because ARP (Address Resolution Protocol) operates within the same local network and cannot resolve addresses across routers. Since 172.16.6.20 is on a different network than 172.16.5.10, ARP cannot automatically resolve it.
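The /23 calculation from this question, carried through in Python as an added example (not code from the question bank). It does the mask arithmetic by hand rather than with the ipaddress module so the block size in the third octet is visible, and it generalises to any prefix length; the gateway address 172.16.4.1 is a constructed placeholder.

```python
"""IPv4 subnet membership worked by hand (added example, not from the question bank)."""
from typing import Tuple


def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_for(prefix: int) -> int:
    """Numeric subnet mask for a /prefix, e.g. /23 -> 0xFFFFFE00."""
    if not 1 <= prefix <= 32:
        raise ValueError(f"bad prefix length: /{prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def subnet_mask(prefix: int) -> str:
    return int_to_ip(mask_for(prefix))          # /23 -> 255.255.254.0


def network_of(ip: str, prefix: int) -> str:
    """Network address: host bits cleared by ANDing with the mask."""
    return int_to_ip(ip_to_int(ip) & mask_for(prefix))


def subnet_range(ip: str, prefix: int) -> Tuple[str, str]:
    """(network address, broadcast address) of the subnet containing ip."""
    net = ip_to_int(ip) & mask_for(prefix)
    bcast = net | (~mask_for(prefix) & 0xFFFFFFFF)
    return int_to_ip(net), int_to_ip(bcast)


def block_size(prefix: int) -> Tuple[int, int]:
    """(1-based octet where the mask ends, increment between subnets in that octet).

    A /23 gives (3, 2): networks step by 2 in the third octet (172.16.4.0, 172.16.6.0, ...).
    """
    octet_index = (prefix - 1) // 8
    bits_in_octet = prefix - octet_index * 8
    return octet_index + 1, 2 ** (8 - bits_in_octet)


def same_subnet(a: str, b: str, prefix: int) -> bool:
    """The host-side test: two addresses are local to each other iff their network parts match."""
    return network_of(a, prefix) == network_of(b, prefix)


def next_hop(host_ip: str, prefix: int, dst: str, gateway: str) -> str:
    """Where the host sends the packet: directly to dst if local, otherwise to its default gateway."""
    return dst if same_subnet(host_ip, dst, prefix) else gateway


if __name__ == "__main__":
    host, prefix, dst = "172.16.5.10", 23, "172.16.6.20"
    print("mask", subnet_mask(prefix), "block", block_size(prefix))
    print(host, "is in", network_of(host, prefix), "range", subnet_range(host, prefix))
    print(dst, "is in", network_of(dst, prefix))
    print("next hop:", next_hop(host, prefix, dst, "172.16.4.1"))   # constructed gateway
```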

1809
PBQ (hard)

You are connected to R1. Use RESTCONF to retrieve all operational interface statistics from the ietf-interfaces YANG module, then modify the description of GigabitEthernet0/1 to 'Link to R2 via RESTCONF' using a PATCH request. The device is reachable at 203.0.113.1 with port 443, username 'admin', password 'cisco123'. Identify the error that would occur if you used a PATCH with Content-Type: application/json instead of application/yang-data+json.

Network Topology
RESTCONF client -- Internet -- G0/0 (203.0.113.1/24) [R1]

Hints

  • RESTCONF base URI is always /restconf.
  • Use the YANG module 'ietf-interfaces' for operational state and configuration.
  • The correct media type for RESTCONF is application/yang-data+json, not generic application/json.
A. The server returns a 415 Unsupported Media Type error because RESTCONF requires the Content-Type header to be application/yang-data+json.
B. The server returns a 400 Bad Request error because the JSON payload is malformed when using application/json.
C. The server returns a 404 Not Found error because the URI is incorrect when using application/json.
D. The server returns a 204 No Content response but ignores the description change because application/json is not supported.

Answer: A

Solution:
! R1
GET https://203.0.113.1/restconf/data/ietf-interfaces:interfaces-state/interface
Accept: application/yang-data+json
PATCH https://203.0.113.1/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/1
Content-Type: application/yang-data+json
{"ietf-interfaces:interface": [{"name": "GigabitEthernet0/1", "description": "Link to R2 via RESTCONF"}]}

Why this answer

The correct base URI for RESTCONF is https://203.0.113.1/restconf. To retrieve operational interface statistics, use GET with the path /data/ietf-interfaces:interfaces-state/interface. For the PATCH to modify the description, the URI must target /data/ietf-interfaces:interfaces/interface=GigabitEthernet0/1 with a JSON payload containing the 'description' leaf.

The required Content-Type and Accept headers must be 'application/yang-data+json'. Using 'application/json' will result in a 415 Unsupported Media Type error because RESTCONF requires the specific YANG media type.

Exam trap

The exam tests your knowledge of RESTCONF's strict media type requirements. Many candidates assume that application/json is acceptable because it is common in REST APIs, but RESTCONF specifically requires 'application/yang-data+json'. Remember that using any other media type results in a 415 error.

Why the other options are wrong

B

The specific factual error is that a 400 Bad Request is not triggered by an incorrect Content-Type; it is triggered by malformed syntax or invalid data.

C

The specific factual error is that the Content-Type header does not affect resource discovery; it only affects how the server interprets the payload.

D

The specific factual error is that an unsupported media type results in a client error (4xx), not a success response (2xx).

1810
Drag & Drop (medium)

Drag and drop the following steps into the correct order to configure and verify a floating IPv4 static route as a backup path.


Why this order

The correct order begins with configuring the primary static route because it defines the main path. Checking its administrative distance (default 1) is essential to then set a higher AD for the floating route, ensuring it acts only as a backup. Next, the floating static route is configured with a higher AD so it is less preferred.

Verification of the routing table shows only the primary route installed. Simulating a failure by shutting down the primary interface triggers the failover. Finally, rechecking the routing table confirms the floating route is now active, proving backup operation.

1811
MCQ (hard)

Refer to the exhibit. A network engineer is troubleshooting an EtherChannel on R1 that is not passing traffic. The output of the show etherchannel summary command is displayed. What is the most likely cause?

A. The local switch is configured with LACP passive while the remote switch is set to LACP active.
B. One side is configured with LACP active and the other side is configured with mode 'on' (static).
C. The remote switch is configured with PAgP desirable while the local switch uses LACP.
D. The port-channel member interfaces are configured as access ports, preventing LACP from negotiating.

Answer: B

The remote static mode sends no LACP PDUs, so the local LACP active ports will remain down (D) because they cannot negotiate, resulting in the port-channel being in use (SU) but no active members.

Why this answer

The exhibit shows Po1(SU) with protocol LACP, but member interfaces Gi0/1 and Gi0/2 are in state (D) – down. This indicates LACP negotiation is failing. The most likely cause is that the remote side is using static mode 'on', which does not participate in LACP and sends no PDUs, so the local LACP active side cannot form a bundle, leaving the physical ports down while the port-channel logical interface remains up.

This is confirmed by the combination of (D) flags and the LACP protocol designation without any bundled ports.

Exam trap

Candidates may see the (SU) status and assume the EtherChannel is operational, overlooking the member interface (D) flags, and then incorrectly choose LACP passive mode (A) or PAgP mismatch (C) as easier-to-identify misconfigurations.

Why the other options are wrong

A

LACP passive is not incompatible with LACP active.

C

PAgP/LACP mismatch leads to suspended state, not down; the exhibit's (D) indicates the link is not up, which points to LACP negotiation failure rather than protocol mismatch.

D

LACP negotiation is independent of the access/trunk configuration.

1812
PBQ (medium)

You are connected to the console of R1. The network has a point-to-point serial link between R1 and R2. The link is down and the line protocol is down. The cable is a DCE/DTE crossover, and R1 is the DCE. The initial configuration shows the interface with an IP address but no clock rate set.

Network Topology
[R1] S0/0/0 (.1/30, DCE) -- serial -- S0/0/0 (.2/30) [R2]

Hints

  • The DCE side must provide the clock rate.
  • Check the cable type using 'show controllers'.
  • Common clock rates are 64000, 128000, 256000, etc.
A. Configure the clock rate on R1's serial interface.
B. Configure the clock rate on R2's serial interface.
C. Replace the serial cable with a straight-through cable.
D. Set the encapsulation on both ends to PPP.

Answer: A

Solution:
! R1
interface Serial0/0/0
clock rate 128000

Why this answer

On a serial DCE cable, the DCE end must configure a clock rate to provide timing. Without it, the line protocol stays down. Setting 'clock rate 128000' on R1 resolved the issue.

Exam trap

Remember that 'down/down' indicates a Layer 1 issue. On serial links, the DCE must provide clocking. Do not confuse DCE/DTE roles or jump to Layer 2 solutions like encapsulation.

Why the other options are wrong

B

The DTE end does not set clock rate; only the DCE end does.

C

Serial cables are always DCE/DTE crossover; straight-through cables are for Ethernet.

D

An encapsulation mismatch is a Layer 2 problem that takes the line protocol down while the interface itself stays up; here the line protocol is down because no clock rate is set.

1813
MCQ (medium)

Which pairing is correct?

A. JSON — data modeling language used to define network schemas such as YANG modules
B. YANG — lightweight interchange format built from curly braces and arrays
C. RESTCONF — protocol that can use YANG-defined data models over HTTP-based access
D. NETCONF — spanning-tree enhancement for rapid convergence

Answer: C

Correct. RESTCONF commonly exposes YANG-modeled data over HTTP methods.

Why this answer

RESTCONF is an HTTP-based API approach that commonly uses YANG-defined data models. JSON is a data-interchange format, YANG is the data modeling language, and NETCONF is a network management protocol rather than an STP feature.

Exam trap

A frequent exam trap is confusing JSON with YANG or NETCONF with spanning-tree enhancements. JSON is a data format, not a modeling language, so pairing it with YANG modules is incorrect. Similarly, NETCONF is often mistakenly thought to be related to spanning-tree protocols, but it is actually a network configuration protocol.

Candidates might also confuse YANG’s role with JSON’s syntax or RESTCONF’s protocol function. This confusion arises because these technologies often work together but serve distinct purposes. Understanding each technology’s specific role prevents selecting incorrect answers based on superficial similarities.

Why the other options are wrong

A

Option A incorrectly pairs JSON with YANG modules as a data modeling language. JSON is a data interchange format used to represent data but does not define schemas or models. YANG is the actual modeling language used to define network data structures, so this pairing is false.

B

Option B wrongly describes YANG as a lightweight interchange format built from curly braces and arrays, which actually describes JSON syntax. YANG is a modeling language that defines network data hierarchies and constraints, not a data format with JSON-like syntax.

D

Option D falsely claims NETCONF is a spanning-tree enhancement for rapid convergence. NETCONF is a network configuration protocol using XML over SSH and has no relation to spanning-tree protocols or their convergence mechanisms, making this option incorrect.

1814
MCQ (medium)

Why is HTTPS usually preferred over HTTP when accessing a controller API?

A. Because HTTPS provides encrypted transport for API traffic.
B. Because HTTPS automatically replaces authentication.
C. Because HTTPS is the only format that can carry JSON.
D. Because HTTP cannot carry controller data at all.

Answer: A

This is correct because encryption in transit is the main reason HTTPS is preferred.

Why this answer

HTTPS is preferred because it protects the communication with encryption while it crosses the network. In practical terms, controller APIs often carry tokens, credentials, device state, or configuration information that should not be exposed in clear text. HTTPS helps protect those requests and responses in transit.

This does not make HTTPS the same thing as JSON, nor does it remove the need for authentication. It is simply the more secure transport choice for sensitive API communication.

Exam trap

Avoid assuming that HTTPS improves speed or handles authentication. Focus on its role in securing data in transit.

Why the other options are wrong

B

This option is incorrect because HTTPS does not replace authentication; it enhances security by encrypting the transport layer, but authentication mechanisms still need to be implemented separately.

C

This option is incorrect because both HTTPS and HTTP can carry JSON data; JSON is a data format independent of the transport protocol used. Thus, HTTPS is not the only format capable of transmitting JSON.

D

This option is wrong because HTTP can indeed carry controller data; it is a fundamental protocol for transmitting data over the web. Both HTTP and HTTPS can be used to send and receive data, including JSON payloads, between clients and APIs.

1815
Multi-Select (medium)

Which two statements accurately describe the value of source restriction on administrative access?

Select 2 answers:

A. It reduces the set of network locations from which administrative access is allowed.
B. It can make access monitoring and filtering easier to manage.
C. It removes the need for SSH or other secure transports.
D. It makes logging unnecessary.
E. It can be used only for wireless management.

Answers: A, B

This is correct because source restriction narrows exposure.

Why this answer

Source restriction improves security by reducing the number of places from which administrative traffic is expected and permitted. In practical terms, this makes exposure smaller and monitoring clearer. It does not replace secure protocols or identity controls, but it strengthens the overall design.

This is a layered-management-security question because it emphasizes how source restriction complements other controls.

Exam trap

A common exam trap is to believe that source restriction removes the need for secure transport protocols like SSH or makes logging unnecessary. Some candidates mistakenly think that limiting source IP addresses alone fully secures administrative access. However, source restriction only controls where connections can originate; it does not encrypt data or authenticate users.

Ignoring secure protocols or logging can leave management sessions vulnerable to interception or unauthorized use. The exam tests understanding that source restriction is a complementary control, not a replacement for transport security or auditing.

Why the other options are wrong

C

Incorrect because source restriction does not replace the need for secure transport protocols like SSH; encryption and authentication remain essential for secure management.

D

Incorrect because logging is still necessary to maintain visibility and audit trails of administrative access attempts, even when source restriction is applied.

E

Incorrect because source restriction is not limited to wireless management; it applies broadly to all administrative access methods on Cisco devices.

1816
Matching (medium)

Match each IPv4-related concept to its most accurate role.

Roles to match (one per concept):

  • Defines which destinations are local versus remote
  • Next hop used for off-subnet traffic
  • Address used to reach all hosts in the local subnet
  • Address identifying one device in the subnet

Why these pairings

The subnet mask defines the network and host portions of an IP address, allowing a host to determine which destinations are on the local subnet versus remote. The default gateway is the local router that forwards traffic destined for other subnets. The broadcast address is used to send a packet to all hosts within the local subnet simultaneously.

The host address uniquely identifies one specific device on that subnet.

Exam trap

Do not confuse the function of the IP address with other network layer concepts like subnet mask or default gateway. The IP address is the unique identifier for a host.

1817
MCQ (easy)

Which IPv6 address type is automatically created on an interface and used for link-local communication?

A. Unique local
B. Global unicast
C. Link-local
D. Anycast

Answer: C

Correct. Link-local addresses are auto-created and used locally.

Why this answer

IPv6 interfaces automatically generate a link-local address in FE80::/10 for local-segment functions such as neighbor discovery.

Exam trap

Be careful not to confuse link-local addresses with global or unique local addresses, which are not automatically generated and serve different purposes.

Why the other options are wrong

A

Unique local addresses (ULAs) are designed for local communications within a site and are not automatically created on an interface for local-link communication. They require manual configuration and are not used for link-local purposes.

B

Global unicast addresses are routable addresses used for communication over the internet and are not automatically created for local-link communication. They require configuration and are not limited to a single local network segment.

D

Anycast addresses are not automatically created on an interface for local-link communication; they are assigned to multiple interfaces to allow for routing to the nearest one. Therefore, they do not serve the same purpose as link-local addresses.

1818
MCQ (hard)

A network administrator notices that syslog messages from a core router are arriving at the syslog server with timestamps that are hours behind other devices. The router’s NetFlow exports also show incorrect start and end times for flows, making traffic analysis unreliable. The administrator verifies that all router interfaces are up and that the SNMP community strings on the router match the NMS.

A. The logging trap level is set to informational, so only high-severity messages are sent with correct timestamps.
B. The router’s NTP client is configured with an incorrect authentication key.
C. The SNMP v3 user’s privacy password is incorrect, causing the NMS to reject syslog traps.
D. The IP flow cache timeout is set too low, causing NetFlow timestamps to appear skewed.

Answer: B

NTP can use authentication keys to verify server identity. If the client key does not match the server’s key, the router will not trust the time updates and will fail to synchronize. This leaves the router’s clock uncorrected, causing incorrect timestamps in syslog and NetFlow records.

Why this answer

The router's timestamps are incorrect for both syslog messages and NetFlow exports, which points to a system-wide time synchronization issue. NTP (Network Time Protocol) is responsible for maintaining accurate time on network devices, and if the NTP client is configured with an incorrect authentication key, it will fail to synchronize with the NTP server, causing the router's clock to drift. This explains why all time-stamped data (syslog and NetFlow) is consistently behind.

Exam trap

Cisco often tests the distinction between time synchronization issues (NTP) and logging/SNMP configuration issues, so candidates may incorrectly attribute timestamp problems to syslog or SNMP settings rather than the underlying system clock.

Why the other options are wrong

A

Logging trap level controls which severity messages are forwarded, not the accuracy of the timestamps.

C

SNMP v3 misconfiguration impacts SNMP traps, not syslog messages, which are sent independently via a different transport.

D

Cache timeout affects flow export frequency, not the accuracy of the timestamps inside the flow data.

1819
MCQ (medium)

Why does DNS make networks easier for people to use?

A. It lets people use memorable names instead of raw IP addresses.
B. It assigns IP addresses automatically.
C. It replaces the need for default gateways.
D. It elects the root bridge for STP.

Answer: A

This is correct because name-based access is the main usability benefit of DNS.

Why this answer

DNS makes networks easier to use because it lets people work with names instead of memorizing numeric IP addresses. In practical terms, users can remember a server name much more easily than a string of numbers. DNS creates that naming layer while the network still uses IP underneath.

This usability benefit is one of the main reasons DNS is so important in everyday network operations.

Exam trap

A frequent exam trap is mistaking DNS for DHCP or routing functions. Some candidates incorrectly believe DNS assigns IP addresses automatically, which is actually the role of DHCP. Others think DNS replaces default gateways or participates in spanning-tree protocol (STP) operations, which it does not.

This confusion arises because DNS, DHCP, routing, and STP are all fundamental network services but serve distinct purposes. Misunderstanding these roles can lead to selecting incorrect answers that sound plausible but do not match DNS’s actual function of name resolution.

Why the other options are wrong

B

Option B is incorrect because DHCP, not DNS, is responsible for automatically assigning IP addresses to devices on a network. DNS only resolves names to IP addresses after assignment.

C

Option C is incorrect because DNS does not replace default gateways. Default gateways are necessary for routing traffic outside the local subnet, a function unrelated to DNS name resolution.

D

Option D is incorrect because DNS has no role in Spanning Tree Protocol (STP) operations, including root bridge election, which is a Layer 2 loop prevention mechanism.
