1819 questions total · 25 pages · All types, answers revealed
Match each REST or API concept to its most accurate description.
HTTP method commonly used to retrieve data
HTTP method commonly used to submit or create data
Credential-like value used to help control API access
Structured data format often used in API payloads
Why these pairings
GET is an HTTP method designed specifically for retrieving data from a server without side effects, making it idempotent and safe. POST is used to submit data to create or update resources, as it can change server state and is not idempotent. A token is a credential-like value (e.g., API key or JWT) that authenticates and authorizes API requests, controlling access to endpoints.
JSON is a lightweight, human-readable structured data format commonly used in API request/response payloads for data interchange. These concepts are distinct: GET and POST cannot be swapped because they have different HTTP semantics; a token is not a data format like JSON; and JSON is not an access control mechanism. Matching them incorrectly would violate RESTful principles.
Match each common automation term to its most accurate meaning.
Centralized management or policy platform
Defined software interface for communication
Lightweight structured data format
Secure transport commonly used for API access
Why these pairings
A controller provides centralized management or policy enforcement, abstracting device-level configuration. An API defines a structured software interface for programmatic interaction, not the underlying transport. JSON is a lightweight data-interchange format favored for its readability and ease of parsing by automation tools.
HTTPS is the secure transport layer that carries API calls, ensuring encrypted communication. Together, these terms form the foundation of network automation architectures, where a controller exposes APIs over HTTPS and exchanges JSON-formatted data.
Exam trap
Candidates often confuse the languages and architectures of automation tools. Remember: Ansible = YAML + agentless; Chef = Ruby DSL; Puppet = declarative manifests (custom DSL); SaltStack = master-minion with agents.
This is correct because the requirement depends on protocol/port-level filtering.
Why this answer
The policy requires extended ACL capability because it must distinguish traffic by protocol and destination port, not just by source address. In practical terms, the rule needs to treat TCP port 443 differently from TCP port 23 even though the source and destination networks are the same. A standard ACL is too limited for that.
This question is about matching precision. When the policy depends on protocol and port, extended ACLs are the right tool.
Exam trap
A frequent exam trap is selecting a standard ACL to enforce policies that require filtering by protocol or port number. Standard ACLs only filter by source IP address and cannot distinguish between different types of traffic like HTTPS and Telnet. This leads to incorrect assumptions that standard ACLs can block Telnet while allowing HTTPS from the same subnet.
The trap lies in overlooking the need for protocol and port-level filtering, which only extended ACLs provide. Candidates must remember that without extended ACLs, the router cannot differentiate traffic based on application-layer details, causing the policy to fail.
Why the other options are wrong
Incorrect because standard ACLs filter only by source IP address and cannot distinguish between different protocols or ports, making them insufficient for the requirement to allow HTTPS but deny Telnet.
Incorrect because a wildcard mask controls which bits of an IP address are matched but does not provide any capability to filter traffic based on protocol or port information, which is essential here.
Incorrect because wireless SSID ACLs relate to WLAN access control and do not filter IP traffic based on protocol or port, making them irrelevant to the question about IP traffic filtering.
Which four of the following are considered best practices for securing switch ports and preventing Layer 2 attacks? (Choose all that apply. There are four correct answers.)
Why this answer
Disabling unused ports and placing them in a shutdown state (A) prevents unauthorized physical access and stops Layer 2 attacks like rogue device connections or VLAN hopping. Enabling PortFast and BPDU guard on ports connecting to end devices (B) speeds up STP convergence and protects against rogue switch loops. DHCP snooping (D) prevents rogue DHCP server attacks by filtering untrusted DHCP messages.
Dynamic ARP inspection (E) uses DHCP snooping bindings to validate ARP packets and prevent ARP spoofing. Setting the native VLAN to a higher number (F) is not a best practice; the recommended approach is to change the native VLAN to an unused VLAN on both ends of the trunk and explicitly tag it. MAC address filtering as the sole measure (C) is easily bypassed and must be combined with port security or 802.1X.
Exam trap
Cisco often tests the misconception that MAC address filtering is a strong standalone security measure, when in reality it is trivial to bypass and must be combined with other features like 802.1X or port security with sticky MAC addresses to be effective.
Drag and drop the Wi-Fi features on the left to the correct descriptions on the right.
Uses OFDMA to improve efficiency in dense environments
Uses SAE (Simultaneous Authentication of Equals) for secure password-based authentication
A single AP and its associated clients
Centralized management of multiple APs, enabling seamless roaming
Commonly used in 802.11ac to increase throughput by combining channels
Why these pairings
802.11ax (Wi-Fi 6) uses OFDMA to divide channels into smaller subcarriers, allowing simultaneous transmission to multiple clients and improving efficiency in dense environments. WPA3-Personal employs Simultaneous Authentication of Equals (SAE) to replace the vulnerable pre-shared key handshake, providing secure password-based authentication resistant to offline dictionary attacks. A Basic Service Set (BSS) is the fundamental building block of a WLAN, consisting of a single access point (AP) and all associated wireless clients.
A Wireless LAN Controller (WLC) centralizes AP management, handling configuration, firmware updates, and seamless roaming across multiple APs. Channel bonding (80 MHz) combines two 40 MHz channels, doubling the channel width to increase throughput; it is commonly used in 802.11ac (Wi-Fi 5) to achieve higher data rates.
Exam trap
Be careful not to confuse the specific technology used by each Wi-Fi generation: OFDMA is unique to 802.11ax, while channel bonding (80/160 MHz) is more closely associated with 802.11ac.
A trunk link between two switches is up, but voice phones connected through one access switch no longer receive the correct voice VLAN treatment. Data users still pass traffic. Which area should be checked first?
This is correct because selective failure affecting phones points to voice-VLAN handling rather than complete link failure.
Why this answer
The first area to check is the end-to-end handling of the voice VLAN across the switching path. In practical terms, the data VLAN can still work while the voice VLAN experiences a forwarding, configuration, or policy problem. Because the phones depend on the correct voice VLAN behavior, that VLAN path should be examined first rather than assuming the whole trunk is broken.
This is a selective-services troubleshooting question. One class of traffic can fail even when ordinary user data still works.
Exam trap
Be cautious not to assume that a general network issue is the cause when only specific traffic types are affected. Focus on the specific VLAN configuration first.
Why the other options are wrong
OSPFv3 is an IPv6 routing protocol and has no role in Layer 2 voice VLAN handling on access ports. The issue is about VLAN assignment and trunking, not routing protocol adjacency.
The scenario involves wired switches and IP phones, not wireless LAN. Guest SSID configuration on a wireless controller is unrelated to voice VLAN treatment on a wired trunk link.
BGP is an exterior routing protocol used for interdomain routing, not for Layer 2 VLAN handling. The symptom is about voice VLAN treatment on a trunk, which is unrelated to BGP metrics or static routes.
A host is configured with 172.16.10.62/27. Which address is the broadcast address for that subnet?
This is correct because the host is in the 32–63 /27 block, whose broadcast is .63.
Why this answer
A /27 uses blocks of 32 addresses. In plain language, the last-octet ranges are 0–31, 32–63, 64–95, and so on. Since the host address ends in 62, it belongs to the 32–63 block. The last address in that block is the broadcast address, so the broadcast is 172.16.10.63.
This is a classic subnetting question because it requires you to place the host inside the correct block and then identify the last address in that block rather than guessing based on the host value alone.
Exam trap
Be careful not to confuse the broadcast address with the network address or the start of the next subnet.
Why the other options are wrong
The address 172.16.10.31 is the broadcast address for the /27 subnet 172.16.10.0–31, not for the subnet containing host 172.16.10.62. Since the host's IP is in the 32–63 range, the broadcast is .63, not .31.
172.16.10.32 is the network address (subnet ID) of the /27 subnet that includes hosts 32–63. It is not the broadcast address; the broadcast is the last address in the subnet, which is .63.
172.16.10.64 is the network address of the next /27 subnet (64–95), not the broadcast address for the subnet containing .62. The broadcast for the subnet containing .62 is .63.
Users in 10.20.30.0/24 should be allowed to browse the web but should not be able to open Telnet sessions to any remote device. Which access list entry best meets the requirement?
This blocks Telnet from that subnet to any destination.
Why this answer
Exam trap
A frequent exam trap is selecting an ACL entry that denies UDP traffic on port 23 or denies traffic with the source port set to 23. Telnet exclusively uses TCP as its transport protocol and communicates over destination port 23, so denying UDP or source port 23 traffic will not block Telnet sessions. Another common mistake is denying inbound Telnet traffic to the subnet rather than outbound traffic from the subnet, which does not prevent users inside the subnet from initiating Telnet connections.
Misunderstanding these protocol and port details leads to ineffective ACLs that fail to meet the requirement.
Why the other options are wrong
This option denies UDP traffic on port 23, but Telnet uses TCP, not UDP. Therefore, this ACL entry will not block Telnet sessions and is incorrect.
Refer to the exhibit. A network administrator is reviewing the NAT translations on router R1 and notices that the internal host 192.168.1.10 appears in both a static NAT entry (for ports 80 and 443) using global address 203.0.113.10, and a dynamic PAT entry (port 49152) using global address 203.0.113.1. The administrator is concerned this might indicate a misconfiguration. Based on the output, which statement is correct?
The static mappings for ports 80 and 443 (global 203.0.113.10 → 192.168.1.10) are not overridden because the dynamic PAT entry uses a different global address (203.0.113.1) and a different source port (49152). This separation enables both inbound server traffic and outbound client traffic for the same inside host, which is a valid design.
Why this answer
The output shows static NAT entries mapping TCP ports 80 and 443 from global 203.0.113.10 to inside host 192.168.1.10. Simultaneously, a dynamic PAT entry maps a high ephemeral port 49152 to the same inside host for an outbound connection to 198.51.100.5:80. Because the static entries use a different global IP (203.0.113.10) and different port numbers than the dynamic PAT entry (203.0.113.1:49152), both can coexist correctly — static NAT handles inbound web requests, dynamic PAT handles outbound client traffic.
This is a normal operational state, not a misconfiguration.
Exam trap
Candidates often incorrectly assume that a single inside host cannot have both a static NAT entry and a dynamic PAT entry, leading them to choose option B (that the static rule is overridden). However, these entries serve different traffic directions and port ranges, so they coexist without conflict.
Why the other options are wrong
A common misconception is that any dynamic NAT entry for the same inside local address takes precedence or conflicts with static entries. In reality, the more specific static mapping takes priority for matching traffic, and the dynamic entry handles unrelated flows.
Candidates may misinterpret the presence of the same inside local IP in two entries as a duplicate session. Asymmetric routing would require inconsistent state in both directions, but here the NAT table correctly tracks distinct flows.
A host uses the subnet mask 255.255.255.192. How many usable host addresses exist in each subnet?
This is correct because /26 yields 64 total addresses and 62 usable hosts.
Why this answer
The mask 255.255.255.192 corresponds to /26. That leaves 6 host bits, which means each subnet contains 64 total addresses. After excluding the network and broadcast addresses, 62 usable host addresses remain.
This is a standard host-capacity question. The safest approach is to convert the mask to the prefix, determine the total addresses from the number of host bits, and then subtract the two reserved addresses.
Exam trap
Be careful not to confuse total addresses with usable addresses; always subtract the network and broadcast addresses.
Why the other options are wrong
The subnet mask 255.255.255.192 is /26, which provides 64 total addresses per subnet. Subtracting the network and broadcast addresses leaves 62 usable hosts, not 30. 30 usable hosts corresponds to a /27 subnet mask (255.255.255.224).
126 usable hosts would require a /25 subnet mask (255.255.255.128), which provides 128 total addresses. The given mask /26 provides only 64 total addresses, so 126 is incorrect.
254 usable hosts corresponds to a /24 subnet mask (255.255.255.0), which provides 256 total addresses. The mask 255.255.255.192 is /26, which is two bits longer, resulting in only 64 total addresses.
R1 and R2 are directly connected. Their interfaces are up/up and belong to the same subnet. R1's OSPF configuration places the interface in area 0, while R2's interface is in area 1. R1 does not show R2 as an OSPF neighbor. What is the most likely cause?
An area mismatch prevents the neighbor relationship.
Why this answer
OSPF neighbors on the same link must agree on the area ID. Here, one side is in area 0 and the other is in area 1, so adjacency never forms even though the interfaces are up and in the same subnet.
Exam trap
A common trap is focusing on router ID or subnet mask instead of recognizing that mismatched area IDs prevent OSPF adjacency.
Why the other options are wrong
Incorrect. While using a loopback interface as the router ID is recommended for stability, it is not required for OSPF neighbor adjacency to form.
Incorrect. A /30 subnet mask is valid for point-to-point OSPF links and does not prevent neighbor relationships from forming.
Incorrect. The Designated Router (DR) election takes place after the neighbor relationship forms; it is not what prevents neighbors from forming when area IDs mismatch.
A subnet uses the mask 255.255.255.252. How many usable host addresses are available in each subnet?
This is correct because /30 provides 4 total addresses and 2 usable hosts.
Why this answer
The mask 255.255.255.252 corresponds to /30. In practical terms, that gives 4 total addresses per subnet. After subtracting the network and broadcast addresses, 2 usable host addresses remain.
This is a classic small-subnet calculation that often appears in point-to-point addressing scenarios.
Exam trap
Remember to exclude network and broadcast addresses when calculating usable host addresses.
Why the other options are wrong
The /30 subnet provides a total of 4 addresses, but one is the network address and one is the broadcast address, leaving only 2 usable host addresses. Saying 4 is incorrect because it counts the network and broadcast addresses as usable.
A /30 subnet has only 2 bits for host addresses, yielding 2^2 = 4 total addresses, of which 2 are usable. 6 usable hosts would require at least 3 host bits (2^3 - 2 = 6), which corresponds to a /29 subnet.
14 usable hosts correspond to a /28 subnet (255.255.255.240), which has 4 host bits (2^4 - 2 = 14). A /30 subnet has only 2 host bits, so it cannot provide 14 usable hosts.
A switch port configured with PortFast and BPDU Guard receives a BPDU and transitions to an error-disabled state. Which statement best explains why this is considered useful protection?
This matches the purpose of PortFast combined with BPDU Guard: to protect the network when an edge port unexpectedly receives BPDUs, indicating a potential loop condition.
Why this answer
PortFast is used on edge ports to bypass STP listening/learning, but if a BPDU is received, the assumption that the port is an edge port is violated. BPDU Guard then error-disables the port to prevent potential loops or topology disruptions. This protects the network when an edge port unexpectedly connects to another switch, which could cause a bridging loop.
The other options describe unrelated features or incorrect mechanisms.
Exam trap
Remember that BPDU Guard disables the port, not just logs or adjusts its role. It's a protective measure, not a monitoring tool.
Why the other options are wrong
Increasing port bandwidth by combining links is done via EtherChannel, not related to BPDU Guard or loop prevention.
VLAN trunking is automatically negotiated via DTP or manually configured, not triggered by BPDU Guard or PortFast.
Forcing Rapid Spanning Tree Protocol is not a function of PortFast or BPDU Guard; they are separate STP optimizations.
Why this order
Exam trap
A common trap is applying the ACL to an interface before creating it, or verifying before applying. Remember: create first, then apply, then verify. Also, ensure the ACL is applied in the correct direction (inbound) on the correct interface.
Which four of the following are best practices for securing network services and devices? (Choose four.)
Why this answer
Disabling unused ports, implementing role-based access control (RBAC), enabling logging, and keeping firmware updated are all critical security best practices: they reduce the attack surface, limit user permissions, detect threats, and patch known vulnerabilities. Using Telnet is insecure because it transmits data in cleartext, unlike SSH. Placing all devices on the same VLAN undermines network segmentation and allows lateral movement by attackers.
Match each VLAN-related term to its most accurate meaning.
The VLAN assigned to a normal end-device access port
The VLAN used to carry phone voice traffic separately
A link carrying traffic for multiple VLANs
The VLAN associated with untagged traffic on an 802.1Q trunk
Why these pairings
Each VLAN type serves a specific purpose: Access VLAN for end devices, Trunk VLAN for multiple VLANs over a link, Native VLAN for untagged frames, Voice VLAN for phones, Management VLAN for admin access, and Data VLAN for user traffic.
Exam trap
Be careful not to confuse the function of a trunk link with a VLAN type. Also, remember that native VLAN and voice VLAN are not separate VLAN types; they are specific uses of data VLANs.
Drag and drop the cable/transceiver types on the left to the correct descriptions on the right.
Supports 1000BASE-T up to 100 meters with auto-negotiation for speed/duplex
Supports up to 5 km (or more with longer optics) using 1310 nm laser
Supports up to 300 meters over OM3 fiber at 10 Gbps
Single-mode transceiver for 10 Gbps links up to 10 km
1000BASE-T copper SFP transceiver for up to 100 meters on CAT5e/CAT6
Why these pairings
CAT5e UTP supports 1000BASE-T up to 100 meters as standard twisted-pair copper cabling. Single-mode fiber with 1000BASE-LX SFP uses a 1310 nm laser for long-distance links, typically up to 5 km but extendable with specific optics. Multimode fiber with 10GBASE-SR SFP+ provides high-speed 10 Gbps connectivity up to 300 meters over OM3 fiber due to SR’s short-reach design.
SFP-10G-LR is a single-mode transceiver designed for 10 km at 10 Gbps, leveraging its long-reach specification. GLC-T is a 1000BASE-T copper SFP, so it operates over CAT5e/CAT6 up to 100 meters. Incorrect pairings would mismatch cable type and distance capabilities, such as using multimode fiber for a 10 km link or a copper SFP with single-mode fiber.
Exam trap
A common mistake is to mismatch transceiver types and fiber categories, like using a 10GBASE-SR SFP+ on single-mode fiber or expecting a copper SFP to work over fiber; always check the transceiver’s specifications and compatible cabling.
A subnet must support at least 126 usable IPv4 host addresses. Which prefix is the longest that meets the requirement?
This is correct because /25 provides 126 usable host addresses.
Why this answer
A /25 is the longest prefix (that is, the smallest subnet) that satisfies the requirement. In practical terms, a /25 provides 128 total addresses. After subtracting the network and broadcast addresses, 126 usable hosts remain. A /26 would be too small because it supports only 62 usable hosts.
This is a typical minimum-prefix question. The goal is to choose the smallest subnet that satisfies the host requirement without wasting more address space than necessary.
Exam trap
Be careful not to confuse total addresses with usable addresses. Always subtract the network and broadcast addresses when calculating usable hosts.
Why the other options are wrong
A /26 prefix provides 2^(32-26) - 2 = 64 - 2 = 62 usable host addresses, which is insufficient for the requirement of at least 126 usable hosts.
A /24 prefix provides 2^(32-24) - 2 = 256 - 2 = 254 usable host addresses, which is more than required. While it works, it is not the smallest prefix that meets the requirement, wasting IP address space.
A /27 prefix provides 2^(32-27) - 2 = 32 - 2 = 30 usable host addresses, far below the required 126. This is insufficient for the subnet.
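The four subnetting questions above (broadcast of the /27 block, usable hosts for /26 and /30, and the longest prefix holding 126 hosts) all rest on the same arithmetic: find the block the host falls in, count host bits, and subtract the network and broadcast addresses. As an added example, not part of this question bank, the Python helper below does that arithmetic with the standard ipaddress module; the function names and the sample addresses are my own choices, and the /31 and /32 handling follows RFC 3021 rather than the exam's "always subtract two" shortcut.

```python
import ipaddress


def subnet_facts(host_cidr: str) -> dict:
    """Return the block facts the exam asks for, given a host address in
    CIDR form such as '172.16.10.62/27' (hypothetical helper name)."""
    iface = ipaddress.ip_interface(host_cidr)   # host address plus prefix
    net = iface.network                          # the /N block containing the host
    prefix = net.prefixlen
    host_bits = net.max_prefixlen - prefix       # 32 - prefix for IPv4
    total = 2 ** host_bits
    # /31 (point-to-point, RFC 3021) and /32 have no separate network and
    # broadcast addresses, so only subtract two when there are >= 2 host bits.
    usable = total - 2 if host_bits >= 2 else total
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "prefix": prefix,
        "total": total,
        "usable": usable,
    }


def last_octet_block(host_cidr: str) -> tuple:
    """The 'which block is the host in' step: (first, last) last-octet
    values of the block, e.g. (32, 63) for 172.16.10.62/27."""
    f = subnet_facts(host_cidr)
    return (int(f["network"].split(".")[-1]), int(f["broadcast"].split(".")[-1]))


def mask_to_usable(mask: str) -> int:
    """Dotted-decimal mask to usable host count: 255.255.255.192 -> 62."""
    prefix = ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
    return subnet_facts(f"0.0.0.0/{prefix}")["usable"]


def longest_prefix_for_hosts(required_usable: int) -> int:
    """Longest prefix (smallest subnet) with at least `required_usable`
    usable hosts; walks from /30 toward /0 and stops at the first fit."""
    for prefix in range(30, -1, -1):
        if subnet_facts(f"0.0.0.0/{prefix}")["usable"] >= required_usable:
            return prefix
    raise ValueError("no IPv4 prefix can hold that many hosts")


if __name__ == "__main__":
    # Constructed sample inputs taken from the questions above.
    print(subnet_facts("172.16.10.62/27"))      # broadcast 172.16.10.63
    print(last_octet_block("172.16.10.62/27"))  # (32, 63)
    print(mask_to_usable("255.255.255.192"))    # 62
    print(mask_to_usable("255.255.255.252"))    # 2
    print(longest_prefix_for_hosts(126))        # 25
```

Converting the mask to a prefix first, then deriving the block, is the same order the explanations recommend; it also makes the distractor answers easy to check, since `mask_to_usable("255.255.255.224")` returns the 30 that the /26 question's wrong option belongs to.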
Which TWO statements about HSRP active/standby election, priority, and preempt are true?
HSRP uses priority (0–255, default 100) to determine the active router; the highest priority wins.
Why this answer
In HSRP, the router with the highest priority (default 100, range 0-255) becomes the active router (A). If priorities are equal, the router with the highest IP address on the subnet wins, not the highest MAC address (B). Preemption is disabled by default; 'standby preempt' must be configured for a higher-priority router to take over (C).
The 'show standby' command displays active/standby router roles, priority values, and preemption status, verifying D. The standby router is the one with the second-highest priority, not the lowest (E).
Exam trap
Cisco often tests the misconception that HSRP uses MAC address as a tiebreaker (it uses IP address) and that preemption is enabled by default (it is not).
Why the other options are wrong
HSRP tie-breaking uses the highest IP address on the HSRP interface, not the MAC address. The MAC address is used for virtual MAC assignment but does not influence election.
Preemption is disabled by default in HSRP; it must be explicitly configured with the 'standby preempt' command. Without preemption, a higher priority router will not take over active role from a lower priority router that is already active.
The standby router is the router with the second-highest priority, not the lowest. The lowest priority router would only become standby if all other routers fail, as it is the least preferred.
A JSON response from a controller contains a list of interfaces, each with its own name and status fields. Which JSON structure is most likely used to represent that list?
This is correct because a list of interfaces is commonly represented as objects inside an array.
Why this answer
The most likely structure is an array containing objects. In practical terms, an array is the natural way to represent a list of similar items, and each item can then be an object with named fields such as name and status. This is a very common pattern in API payloads.
The question is testing structure recognition, not programming syntax mastery.
Exam trap
A frequent exam trap is mistaking the JSON structure for unrelated networking concepts such as wildcard masks or route metric tables. Candidates might incorrectly select these options because they recognize the terms from routing or ACL topics, but these are not JSON data structures. Another trap is assuming a single scalar string can represent multiple interfaces, which ignores the need for multiple fields per interface.
Recognizing that an array of objects is the natural and standard way to represent a list of interfaces with multiple attributes helps avoid these pitfalls.
Why the other options are wrong
Drag and drop the following steps into the correct order to select and implement a network automation solution using the appropriate tool based on the use cases and differences between Puppet, Chef, Ansible, and Python.
Why this order
The correct order follows a systematic approach: First, define the specific network automation goal to understand the scope and constraints. Next, evaluate whether a persistent, agent-based configuration enforcement approach (Puppet/Chef) or an agentless, orchestration-driven approach (Ansible) is required. Then consider the flexibility of a scripting language like Python for custom or one-off tasks.
After selecting the tool, write the automation logic (playbook, manifest, or script). Test it in a controlled environment to avoid production issues, and finally deploy and verify the automation to ensure it meets the intended outcome.
Why is an extended ACL usually placed close to the source of the traffic being filtered?
Correct. Filtering near the source is the classic design guidance for extended ACLs.
Why this answer
Extended ACLs can filter by source, destination, and protocol. Placing them near the source drops unwanted traffic before it crosses more of the network.
Exam trap
Remember that ACLs are processed by network devices, not end devices, and their placement affects traffic flow, not the ACL's complexity or dynamic capabilities.
Why the other options are wrong
Standard ACLs can be applied near the destination or source, but the placement guidance for extended ACLs is based on their ability to filter on source and destination IP addresses and ports, not on limitations of standard ACLs. The reason for placing extended ACLs near the source is to filter traffic early, not because standard ACLs cannot be applied near the destination.
NAT translation is typically performed on routers or firewalls at network boundaries, and ACL placement for filtering is independent of NAT configuration. Placing an extended ACL near the source does not directly affect NAT translation; NAT uses its own rules and is not a factor in ACL placement decisions.
Extended ACLs can be applied inbound or outbound on any interface, not just inbound on access interfaces. The statement is factually incorrect; extended ACLs are versatile and can be placed in various locations depending on the filtering requirements.
R1 is an IPv6-only branch router. The administrator wants all unknown IPv6 destinations to be sent to the upstream router at 2001:db8:ff::1. Which command best achieves that goal?
This is correct because ::/0 is the IPv6 default route and the next hop is the upstream router.
Why this answer
The correct configuration is an IPv6 default static route pointing to the upstream next hop. In practical terms, this is the IPv6 version of a route of last resort. The router does not need specific entries for every remote IPv6 network if all unknown traffic should go to the upstream device.
The key distinction is that IPv6 static routing uses IPv6 syntax and the double-colon default prefix representation. This is a foundational branch-routing concept for IPv6 deployments.
Exam trap
A common exam trap is confusing IPv4 and IPv6 routing commands by attempting to use the ip route command with an IPv6 next-hop address. This is invalid because ip route is strictly for IPv4 static routes. Another trap is using ipv6 default-gateway, which is not a valid static routing command and does not install a route in the routing table.
These mistakes cause the router to drop unknown IPv6 traffic since no default route is installed. Candidates must recognize that IPv6 static routes require the ipv6 route command with the ::/0 prefix for default routing.
Why the other options are wrong
This option is incorrect because it uses the IPv4 static route syntax (ip route) with an IPv6 next-hop address, which is invalid and will not configure a proper IPv6 route.
This command creates a specific static route to the 2001:db8:ff::/64 prefix with a next hop of ::1, which is not a default route and does not forward all unknown IPv6 traffic.
The ipv6 default-gateway command is not used for static routing configuration and does not install a default route in the routing table, making it ineffective for forwarding unknown IPv6 destinations.
Which two statements accurately describe why structured telemetry and APIs improve operational tooling?
This is correct because structured data supports reliable machine interpretation.
Why this answer
Structured telemetry and APIs improve tooling because they reduce ambiguity and make automation more reliable. In practical terms, software can collect and compare known fields, counters, and states without brittle text parsing. That supports dashboards, reporting, and automated checks much better than relying only on human-oriented command output.
This is a broad operations-and-automation value question rather than a protocol memorization item.
Exam trap
A frequent exam trap is believing that structured telemetry and APIs remove the need for secure transport or access control. Candidates might think that because data is structured and machine-readable, security is inherently handled, which is incorrect. Another trap is assuming that these technologies force the removal of CLI access, but Cisco devices maintain CLI alongside APIs to support diverse operational needs.
Misunderstanding these points can lead to incorrect answers about the scope and impact of automation technologies in Cisco environments.
Why the other options are wrong
This option is incorrect because structured telemetry and APIs do not eliminate the need for secure transport or access control; security remains a fundamental requirement in network operations.
This option is incorrect since structured telemetry and APIs do not force devices to stop supporting CLI access; Cisco devices commonly support both CLI and programmable interfaces simultaneously.
This option is incorrect because structured telemetry and APIs are broadly applicable across many Cisco network devices and are not limited to wireless LAN controllers.
You are connected to R1 via console. R1 must forward traffic to the 203.0.113.0/24 and 2001:db8:1::/48 networks through R2 (10.0.0.2/30, 2001:db8:ff::2/64). The primary path must use a next-hop of 10.0.0.2 for IPv4 and 2001:db8:ff::2 for IPv6. Additionally, configure a floating static default route for IPv4 that uses R3 (192.0.2.2/30) as a backup only when the primary path fails. The current configuration has errors: the IPv4 static route points to a wrong next-hop (10.0.0.5) and the primary default route is missing, causing the floating route (AD 100) to become active instead of serving as a backup. Fix these issues so that both primary and backup routes work correctly.
Hints
! R1
no ip route 203.0.113.0 255.255.255.0 10.0.0.5
ip route 203.0.113.0 255.255.255.0 10.0.0.2
ip route 0.0.0.0 0.0.0.0 10.0.0.2
Why this answer
The IPv4 static route to 203.0.113.0/24 used a next-hop of 10.0.0.5, which is not a directly connected interface (R1's G0/0 is 10.0.0.1/30, so only .2 is valid). This caused a recursive lookup failure. The floating static default route had AD 100, but a floating route must have an AD higher than the primary route's AD (typically 1) so it is only used when the primary fails; setting AD 100 is correct for backup, but the primary default route was missing.
The fix: change the next-hop for 203.0.113.0/24 to 10.0.0.2, and add a primary default route with AD 1 via 10.0.0.2. The floating route's AD of 100 is fine as backup. IPv6 route was correct.
Exam trap
Watch out for two common traps: (1) Static routes must use a directly connected next-hop; using an IP not on a directly connected subnet causes recursive lookup failure. (2) Floating static routes require a higher AD than the primary route; if the primary route is missing or has a higher AD, the floating route may become active prematurely or not at all.
Why the other options are wrong
The floating route must have a higher AD than the primary route to act as a backup; setting it to 1 would make it preferred over the primary default route, violating the requirement.
AD 255 is reserved for routes that are not to be installed; a floating route needs an AD higher than the primary but less than 255 to be usable as backup.
The floating route is required by the scenario; removing it would eliminate the backup path, which is not the intended fix.
What prefix length corresponds to the subnet mask 255.255.255.248?
This is correct because 255.255.255.248 equals 29 network bits.
Why this answer
The mask 255.255.255.248 corresponds to /29. In practical terms, the first three octets provide 24 network bits, and the value 248 in the last octet is 11111000 in binary, which contributes 5 more network bits. That gives a total prefix length of 29.
This is a standard dotted-decimal to prefix conversion question. It matters because subnetting often requires you to move comfortably between both forms.
Exam trap
Be careful not to confuse the binary values of subnet masks. Ensure you understand how to convert between dotted-decimal and CIDR notation.
Why the other options are wrong
The subnet mask 255.255.255.240 corresponds to a /28 prefix length, not /29. This mask has 28 network bits, leaving 4 host bits, which yields 14 usable hosts per subnet.
The subnet mask 255.255.255.252 corresponds to a /30 prefix length, not /29. A /30 mask has 30 network bits and only 2 host bits, providing 2 usable addresses, typically used for point-to-point links.
The subnet mask 255.255.255.224 corresponds to a /27 prefix length, not /29. A /27 mask has 27 network bits and 5 host bits, providing 30 usable hosts per subnet.
What is a key difference between SNMPv3 and earlier SNMP versions?
Correct. Stronger security is the primary differentiator.
Why this answer
SNMPv3 improves security by adding authentication, message integrity, and privacy features. Earlier versions, especially SNMPv1 and v2c, rely on community strings and provide much weaker protection.
Exam trap
A common exam trap is to mistakenly believe that SNMPv3 restricts network monitoring capabilities or IP protocol support. Some candidates incorrectly think SNMPv3 supports only IPv4 or that it replaces syslog entirely. These misconceptions arise because the question emphasizes SNMPv3’s differences without clarifying what remains unchanged.
The trap is to focus on unrelated protocol features rather than the core improvement: security. Selecting options that mention monitoring limitations or protocol replacement leads to incorrect answers. Understanding that SNMPv3’s main advancement is adding authentication and encryption prevents falling into this trap.
Why the other options are wrong
Option A is incorrect because SNMPv3 supports both IPv4 and IPv6 networks. It is not limited to IPv4 only, so this option misrepresents SNMPv3’s capabilities.
Option C is incorrect since SNMPv3 continues to support monitoring functions such as interface counters. It does not remove or restrict these capabilities.
Option D is incorrect because SNMPv3 does not replace syslog. Both protocols coexist and serve different roles in network management and logging.
Match each routing term to its most accurate meaning.
Trust comparison between route sources
Protocol-specific value used to compare paths
Preference for the most specific matching route
Fallback route used when no more specific route matches
Why these pairings
Administrative distance is a measure of trustworthiness of the route source; a lower AD is preferred when the same prefix is learned from multiple routing protocols. Metric is a protocol-specific value (e.g., OSPF cost, EIGRP composite) used to choose the best path among routes from the same source. Longest-prefix match is the fundamental routing table lookup rule: the route with the longest subnet mask (most specific) is used regardless of AD or metric.
Default route (0.0.0.0/0) acts as a gateway of last resort, forwarding packets when no more specific route exists.
Exam trap
A common pitfall is believing that a lower metric route always wins over a higher administrative distance route. In reality, AD determines which route makes it into the routing table, then metric selects within that source; longest-prefix match overrides both.
A network engineer notices that the system clock on a Cisco IOS-XE router is incorrect, causing syslog timestamps to be unreliable. The router is configured as an NTP client to synchronize with a remote NTP server at 192.168.1.10. However, the show ntp status command indicates the clock is unsynchronized. What is the most likely cause of this issue?
The reach value of 0 indicates no NTP packets have been received, typically due to connectivity issues or ACL/firewall blocking UDP 123.
Why this answer
NTP operates over UDP port 123. If the router cannot reach the NTP server at 192.168.1.10 due to a missing route or a firewall blocking UDP 123, the NTP client will remain unsynchronized, as indicated by the 'show ntp status' command showing the clock as unsynchronized. This is the most common cause of NTP synchronization failure in a network.
Why the other options are wrong
The NTP server having a higher stratum level than the local clock does not prevent synchronization outright; the router will still attempt to sync if the server is reachable and authenticates, so this is not the most likely cause.
You are connected to R1. Configure HSRP on R1 and R2 so that R1 is the active gateway for VLAN 100 with a virtual IP of 192.0.2.254. R1 should preempt and track its G0/1 interface to decrement priority by 20 if it goes down. Currently, both routers show active for the group, and the virtual IP is incorrectly set. Troubleshoot and fix the configuration on R1 only.
Hints
! R1
interface GigabitEthernet0/0.100
 ! virtual IP must sit in the interface subnet 192.0.2.0/24 (was 192.168.100.254)
 standby 1 ip 192.0.2.254
 standby 1 priority 110
 standby 1 preempt
Why this answer
The issue is that both routers are active because the virtual IP on R1 was 192.168.100.254, which is not in the same subnet as the interface IP (192.0.2.1/24), so HSRP couldn't form a common group. Changing the virtual IP to 192.0.2.254 fixes the subnet mismatch. Additionally, setting R1's priority to 110 ensures it becomes the active router because it has preempt configured, and the higher priority overrides R2's default 100.
The track command remains correct as it reduces priority if G0/1 fails.
Exam trap
Trap: Candidates may focus on the track command or preempt, but the primary issue is the virtual IP mismatch and default priority. Always verify the virtual IP belongs to the same subnet as the interface and adjust priority to ensure the desired active router.
Why the other options are wrong
Removing the track command would prevent R1 from decrementing priority when G0/1 fails, violating the requirement to track the interface.
Configuring preempt on R2 might allow it to take over, but the task only asks to fix R1; the primary issue is the virtual IP mismatch on R1.
Leaving the priority at the default of 100 is not enough. R1 already has preempt configured, but with equal priorities the router with the highest interface IP address becomes active, which might be R2, so R1 might never take the active role. Increasing the priority to 110 is required.
A network engineer is configuring an EtherChannel between two switches. After applying the configuration, the port-channel fails to form. What is the most likely reason?
This is correct because trunk/access inconsistency breaks EtherChannel compatibility.
Why this answer
The port-channel is not forming because the two member interfaces are not configured consistently. In practical terms, EtherChannel requires important characteristics to align across candidate member links. Here, one interface is a trunk and the other is configured as an access port, so the channel cannot be built cleanly.
This is a classic EtherChannel consistency problem. The protocol alone is not enough if the member-link settings disagree.
Exam trap
Always verify interface configurations for consistency when troubleshooting EtherChannel issues.
Why the other options are wrong
LACP requires that all member interfaces in the same port-channel use the same channel-group number. Using different numbers would place them in separate bundles, preventing the intended aggregation.
PPP is a Layer 2 encapsulation used on serial links, not on Ethernet switch ports. EtherChannel on Cisco switches uses Ethernet frames, and PPP is irrelevant to the configuration of port-channels.
BGP is a routing protocol that operates at Layer 3 and is not required for EtherChannel formation. EtherChannel is a Layer 2 technology that bundles physical links into a single logical link, independent of any routing protocol.
A network administrator notices that the NTP server on Router R1 is not synchronizing with the upstream NTP server at 192.0.2.1. The router is configured as an NTP client, but show ntp status indicates the clock is unsynchronized and the stratum is 16. There is no firewall between R1 and 192.0.2.1. What is the most likely cause of this issue?
Without a route to the upstream NTP server, the NTP client cannot send or receive packets, leaving it unsynchronized at stratum 16.
Why this answer
The most likely cause is that Router R1 lacks a route to the upstream NTP server at 192.0.2.1. Without a valid IP route, NTP packets cannot reach the server, so the client remains unsynchronized with stratum 16. The other options are incorrect: A is not required for client operation, C is irrelevant because NTP version negotiation works across versions, and D is ruled out by the absence of a firewall.
Exam trap
Cisco often tests the misconception that NTP configuration alone ensures synchronization, but the trap here is that candidates overlook the prerequisite of IP reachability, assuming the ntp server command handles routing automatically.
Why the other options are wrong
In AAA, what does the second A stand for?
Correct. The second A is Authorization.
Why this answer
AAA stands for Authentication, Authorization, and Accounting. Authorization determines what an authenticated user is allowed to do.
Exam trap
A frequent exam trap is mistaking the second A in AAA for Accounting or Auditing. Many candidates confuse Authorization with Accounting because both start with 'A' and relate to user management. However, Authorization specifically controls what an authenticated user is allowed to do, while Accounting tracks user activities for logging and auditing purposes.
Selecting Accounting as the second A overlooks the sequential process where permissions are granted immediately after authentication, before any activity is logged. This confusion can lead to incorrect answers and misunderstanding of Cisco AAA implementation.
Why the other options are wrong
Application is not part of the AAA acronym and does not relate to the core security functions of Authentication, Authorization, or Accounting, making it an incorrect choice.
Accounting is the third A in AAA and focuses on logging user activities, not the second A which controls user permissions after authentication.
Auditing, while related to security, is not part of the AAA acronym and does not represent the second A in the AAA framework.
A host is configured with IP address 172.16.100.222/27. Which address is the broadcast address for its subnet?
This is correct because .222 is in the 192–223 /27 block.
Why this answer
A /27 uses address blocks of 32. In practical terms, the fourth-octet ranges are 0–31, 32–63, 64–95, 96–127, 128–159, 160–191, 192–223, and 224–255. Since 222 falls inside the 192–223 block, the broadcast address is the last address in that block, which is 172.16.100.223.
This is a classic subnet-boundary question because it tests whether you can place a host in the correct block and then identify the final address in that block as the broadcast.
Exam trap
Avoid assuming the broadcast address is always .255 or miscalculating subnet ranges.
Why the other options are wrong
172.16.100.191 is the broadcast address of the previous /27 subnet (172.16.100.160/27), not the subnet containing .222. The host .222 is in the 172.16.100.192/27 subnet, so its broadcast is .223.
172.16.100.224 is the network address of the next /27 subnet (172.16.100.224/27), not a broadcast address. Broadcast addresses are always the last address in a subnet, not the first.
172.16.100.255 is the broadcast address of the entire /24 subnet (172.16.100.0/24), not the /27 subnet containing .222. The /27 subnet has a smaller range, so its broadcast is .223.
You are connected to R1. Configure R1 and SW1 so that hosts in VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24) can communicate via the router-on-a-stick setup. The current configuration has errors: the trunk port between SW1 and R1 has a native VLAN mismatch, VLAN 30 is not allowed on the trunk, and the subinterface encapsulation is incorrect. Correct these issues and enable inter-VLAN routing.
Hints
! R1
configure terminal
interface GigabitEthernet0/0.30
 ! native VLAN ID must match SW1's native VLAN 99, not the subinterface number
 encapsulation dot1Q 99 native
 exit
interface GigabitEthernet0/0
 no shutdown
 exit
! ip routing is already enabled by default on a router; it is only required on a multilayer switch
ip routing
exit
copy running-config startup-config
Why this answer
The native VLAN on SW1 is 99 but R1's physical interface defaults to VLAN 1, causing a mismatch. To fix this, R1's subinterface Gi0/0.30 must be set with encapsulation dot1Q 99 native, making R1's native VLAN 99 and matching SW1. VLAN 30 is not allowed on the trunk, preventing any traffic in that VLAN; it must be added to the trunk's allowed list on SW1.
After these corrections, inter-VLAN routing for VLANs 10 and 20 will function correctly.
Exam trap
Candidates often assume that setting a subinterface's encapsulation to 'dot1Q 30 native' will fix any mismatch, but the native VLAN ID must be explicitly aligned with the switch's native VLAN configuration.
Why the other options are wrong
The specific factual error: VLAN 30 must be allowed on the trunk for the router to receive and forward traffic for that VLAN.
The specific factual error: The native VLAN must match on both ends of the trunk; changing SW1 to VLAN 1 would not resolve the mismatch with R1's native VLAN 30.
The specific factual error: The trunk must allow all VLANs that need to be routed, including the native VLAN (30), otherwise the router cannot communicate with hosts in VLAN 30.
You are connected to R1. Configure PAT (NAT overload) so that hosts on the 192.168.1.0/24 inside network can reach the Internet through the outside interface GigabitEthernet0/1 using the IP address 203.0.113.1. Additionally, configure static NAT to map internal server 192.168.1.10 to public IP 203.0.113.5. The current configuration has several errors. Identify and correct them.
Hints
! R1
configure terminal
interface GigabitEthernet0/0
 ip nat inside
 exit
interface GigabitEthernet0/1
 ip nat outside
 exit
ip nat inside source list 100 interface GigabitEthernet0/1 overload
no access-list 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
end
write memory
Why this answer
The configuration had three issues: (1) Inside and outside interfaces were swapped — G0/0 (inside) was marked 'ip nat outside' and G0/1 (outside) was 'ip nat inside'. (2) The PAT command was missing the 'overload' keyword. (3) ACL 100 matched the wrong subnet (192.168.2.0 instead of 192.168.1.0). To fix: correct interface NAT directions, add 'overload', and update ACL to permit 192.168.1.0/24.
You are connected to R1, a router that serves as the DNS resolver for the local network 192.168.10.0/24. Users report that they cannot resolve the hostname 'webserver.internal' to its IP address (192.168.10.50), and reverse DNS lookups for that IP return a different name. Additionally, some queries to an external domain 'example.com' time out. Diagnose and fix the DNS configuration on R1 using nslookup and dig commands where applicable, ensuring proper forward and reverse resolution for internal hosts and reachability to external DNS servers.
Hints
! R1
no ip name-server 192.0.2.53
ip name-server 8.8.8.8
ip host webserver.internal 192.168.10.50
! ip host only maps a hostname to an address; the PTR record for 192.168.10.50
! is corrected on the DNS server itself, it cannot be set with ip host
Why this answer
The DNS server 192.0.2.53 is unreachable, causing timeouts for external queries. The primary DNS server 203.0.113.53 returns NXDOMAIN for 'webserver.internal' because no A record exists for that hostname in the internal zone. Additionally, the PTR record for 192.168.10.50 incorrectly points to 'mail.internal' instead of 'webserver.internal'.
To fix, first remove the unreachable DNS server with 'no ip name-server 192.0.2.53' or replace it with a reachable one. Then, on the DNS server (or via static host entries on R1), add an A record for webserver.internal (192.168.10.50) and correct the PTR record to point to webserver.internal. Optionally, configure 'ip host webserver.internal 192.168.10.50' on R1 for local resolution.
Exam trap
Watch out for questions that present multiple DNS issues simultaneously. Candidates often focus on one problem (e.g., missing A record) and forget to check reverse DNS or external server reachability. Always verify all symptoms before concluding the fix.
Why the other options are wrong
The specific factual error is that an unreachable DNS server must be removed or replaced to resolve external queries; simply fixing internal records does not address the timeout issue.
The specific factual error is that reverse DNS must match the forward record for consistency; an incorrect PTR record is a problem even if forward resolution works.
The specific factual error is that forward and reverse DNS are independent; adding a PTR record does not create an A record. The A record must exist for forward queries to succeed.
You are connected to a multilayer switch MLS1. Configure FastEthernet0/1 as an access port for an IP phone and a PC, with voice VLAN 20 and data VLAN 10. Also enable PoE on the port. Then verify the configuration using 'show interfaces switchport' and 'show power inline'.
Hints
! MLS1
configure terminal
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 power inline auto
end
Why this answer
Option A is correct because it configures FastEthernet0/1 as an access port with data VLAN 10, voice VLAN 20, and PoE enabled, which is the required setup for an IP phone and PC. Option B is incorrect because 'no switchport' makes the interface a routed port (Layer 3), but it needs to be a Layer 2 access port to support an IP phone and PC. Option C is incorrect because trunk mode is used for switch-to-switch links, not for connecting end devices like an IP phone and PC.
Option D is incorrect because 'power inline never' disables PoE, but the IP phone requires power; it should use 'power inline auto'.
Exam trap
The trap is that candidates may incorrectly use 'no switchport' to make the interface a routed port, or use trunk mode instead of access mode with voice VLAN. Remember that for end devices, the port must be an access port; the voice VLAN is configured separately. Also, ensure PoE is enabled with 'auto', not 'never'.
Why the other options are wrong
'no switchport' creates a routed port, which cannot handle VLANs for an IP phone and PC.
Trunk mode is for inter-switch links, not for end devices; access mode is required.
'power inline never' disables PoE, but the IP phone needs power from the switch.
A switch port is configured with port-security violation mode restrict. Which two statements are true when an unauthorized MAC address appears?
Restrict does not allow the violating traffic through.
Why this answer
Restrict drops frames from violating MAC addresses and can increment the violation counter while keeping the port up. Shutdown would err-disable the port instead.
Exam trap
Do not confuse restrict with shutdown mode; restrict does not disable the port.
Why the other options are wrong
The err-disabled state is characteristic of the shutdown violation mode, not restrict. In restrict mode, the port remains up and only drops violating traffic while logging the event.
Port security does not change the port's operational mode; it only controls MAC address access. Converting a port to a trunk is unrelated to port security and requires explicit configuration.
Port security violation modes do not automatically change. The mode is statically configured and remains the same regardless of the number of violations. There is no automatic escalation from restrict to shutdown.
Which TWO commands would a network administrator use to verify that a client has received a valid IP address from a DHCP server and can resolve domain names to IP addresses?
Displays full TCP/IP configuration, confirming DHCP-assigned IP address, subnet mask, gateway, and DNS servers.
Why this answer
Option A (ipconfig /all) is correct because it displays the full TCP/IP configuration for all network adapters, including whether DHCP is enabled, the assigned IP address, subnet mask, default gateway, and the DHCP server address. This allows the administrator to confirm that the client received a valid IP address from the DHCP server. Option D (nslookup www.courseiva.com) is correct because it queries the configured DNS server to resolve the domain name to an IP address, verifying that name resolution is working.
Option B (ping 127.0.0.1) only tests the local TCP/IP stack and does not verify DHCP assignment or DNS resolution. Option C (tracert 8.8.8.8) uses an IP address directly and does not test domain-name resolution. Option E (arp -a) displays the ARP cache, which is unrelated to DHCP or DNS.
Match each route source to its default administrative distance on a Cisco router.
0
1
20
110
Why these pairings
Why this order
The correct sequence is: enter global configuration mode, mark the inside and outside interfaces with 'ip nat inside' and 'ip nat outside', then create an ACL to match internal traffic, and finally apply the NAT overload statement using the outside interface. This order ensures the NAT process knows which interfaces are designated as inside/outside before matching and translating traffic. Option B follows this standard recommended order.
A phone and PC share one switchport. The phone registers successfully, but the workstation receives an address from the wrong subnet. Which explanation is strongest?
This is correct because voice and data can use different VLAN roles on the same physical port.
Why this answer
Option A is correct because the phone and PC share a single switchport configured with separate voice and data VLANs. The phone successfully registers in the voice VLAN, but the workstation receives an IP address from the wrong subnet, indicating it is placed in an incorrect data VLAN. This typically occurs when the switchport's access VLAN (data VLAN) is misconfigured or mismatched with the workstation's expected subnet, while the voice VLAN (often using 802.1Q tagging) is correctly set for the phone.
Exam trap
Cisco often tests the misconception that if the phone works, the entire port configuration is correct, but the trap here is that the voice and data VLANs are independent, so a misconfigured access VLAN can still cause the PC to receive an incorrect IP address.
Why the other options are wrong
This statement is incorrect because voice and data VLANs are independent on a switchport configured with separate VLANs. The phone successfully registering on the voice VLAN does not guarantee that the data VLAN is correctly configured; the PC could still be assigned to a different VLAN or subnet due to misconfiguration.
CAPWAP (Control and Provisioning of Wireless Access Points) is a protocol used for wireless LAN controller and access point communication, not for wired switchport configuration. The scenario describes a wired phone and PC sharing a switchport, which is unrelated to wireless controllers.
The phone's successful registration does not rule out DHCP issues for the PC. The PC could be receiving an IP address from a DHCP server that is on the wrong subnet or VLAN, or the DHCP relay might be misconfigured for the data VLAN. The phone's DHCP success is independent of the PC's DHCP process.
Why does traffic to 172.31.80.10 use the RIP route (172.31.80.0/24) instead of the static route (172.31.0.0/16)?
This is correct because longest-prefix match selects the /24 route for that destination.
Why this answer
Traffic uses the RIP route because the static route is less specific than the RIP route. In practical terms, longest-prefix match is always evaluated first. Even though the static route is manually configured, the more specific RIP prefix wins because it describes the destination more precisely.
This is a strong route-selection item because it tests whether you can prioritize specificity ahead of route source preference.
Exam trap
A frequent exam trap is assuming that static routes always take precedence over RIP routes because static routes have a lower administrative distance. This misconception ignores the critical role of longest-prefix match in route selection. The router first selects the route with the most specific subnet mask before considering administrative distance.
Therefore, a RIP route with a /24 mask will override a static route with a /16 mask for matching traffic. Another trap is thinking that enabling RIP disables or removes static routes, which is incorrect; static routes remain active unless explicitly removed or overridden by a more specific route.
Why the other options are wrong
Incorrect because RIP does not always override static routes. Static routes have a lower administrative distance and are preferred when prefix lengths are equal, so this statement is false.
Incorrect because static routes can be used with private IPv4 address space without issue. There is no restriction preventing static routing of private addresses.
Incorrect because enabling RIP does not automatically remove static routes. Static routes remain active unless manually removed or overridden by a more specific route.
Drag and drop the following troubleshooting steps into the correct order to diagnose a client connectivity issue using the OSI bottom-up method. The client cannot access a web server by its FQDN.
Why this order
The bottom-up OSI approach starts with Layer 1 (physical) – step A; then Layer 2 (data link) – step D; then Layer 3 (network) – step C; and finally Layer 7 (application) – step B. This methodical progression isolates the issue layer by layer, ensuring all dependencies are checked systematically.
Exam trap
The trap is that candidates often jump to DNS or IP configuration because the symptom involves an FQDN, but the bottom-up method requires starting at Layer 1. Remember: always start at the bottom of the OSI model when using this approach.
Which two statements accurately describe longest-prefix match in routing?
This is correct because longest-prefix match is based on route specificity.
Why this answer
Longest-prefix match means a router prefers the most specific route that matches the destination. In plain language, if several entries could apply to a packet, the router chooses the one that narrows the destination range most precisely. This is why a /25 can beat a /24, and a /24 can beat a /16, even if all three technically contain the same destination address.
The common mistake is to assume the router always begins with protocol trust or metric. Those factors matter, but only after the router has determined which matching routes share the same prefix length.
Exam trap
A common exam trap is assuming that a default route or a route with a simpler prefix is preferred over a more specific route. Some candidates mistakenly believe that administrative distance or metric always takes precedence over prefix length. However, Cisco routers always apply longest-prefix match first, selecting the most specific route before considering administrative distance or metric.
This misunderstanding can lead to incorrect answers when default routes or broader prefixes appear in the routing table alongside more specific routes.
Why the other options are wrong
Option B is incorrect because a default route is less specific than a /24 route and is only used if no more specific route exists, not because it is simpler.
Option D is incorrect because routers do not ignore subnet masks; prefix length is fundamental to longest-prefix match and route selection.
Option E is incorrect since a /24 prefix is more specific than a /16 prefix, contradicting the statement that a /16 is always more specific.
You are troubleshooting a connectivity issue for a remote worker who reports being unable to access the internet. The worker's PC is connected to switch S1, which is connected to router R1. You have console access to R1. The router's interface G0/0 is configured with IP 192.168.1.1/24, and the DHCP pool 'LAN' currently has network 192.168.1.0 255.255.255.0 and default-router 192.168.1.254. The PC has obtained an IP address of 192.168.1.100 from DHCP and a subnet mask of 255.255.255.0, but cannot ping 8.8.8.8. Identify the fault and configure R1 to restore internet access for the PC.
Hints
! R1
conf t
ip dhcp pool LAN
 default-router 192.168.1.1
end
Why this answer
The PC received a valid IP address from DHCP, proving the DHCP server is reachable and the network statement is correct. However, the pool’s default-router is set to 192.168.1.254, while the actual interface IP (the real gateway) is 192.168.1.1. The PC therefore uses an incorrect default gateway, blocking internet access.
Changing the default-router to 192.168.1.1 fixes the gateway mismatch. Option B is wrong because the network statement already matches the subnet. Option C is unnecessary since no helper address is needed for a DHCP server on the same subnet.
Option D would change the router’s IP to 192.168.1.254, creating further misalignment and breaking connectivity.
Exam trap
Do not assume that any connectivity issue is caused by a DHCP server failure; always compare the default-router entry in the DHCP pool with the actual interface IP before altering network statements or adding helper addresses.
Why the other options are wrong
The network statement is already correct; changing it does not resolve the incorrect default gateway.
No helper address is needed because the DHCP server (the router itself) is on the same subnet as the PC.
You are connected to R1. Configure R1 so that it uses a floating static route to reach the 203.0.113.0/24 network via R2 only when the primary route (learned via EIGRP) fails. The primary route has an administrative distance of 90. Currently, R1 has no route to 203.0.113.0/24 because EIGRP is down on the direct link. Ensure the floating static route is installed and used.
Hints
! R1
ip route 203.0.113.0 255.255.255.0 10.0.0.2 95
Why this answer
The issue is that R1 has no route to 203.0.113.0/24 because EIGRP is not working (likely due to misconfiguration or link failure). A floating static route with an administrative distance greater than EIGRP's default AD of 90 is needed. By configuring a static route to 203.0.113.0/24 via next-hop 10.0.0.2 with AD 95, the static route will be used only when EIGRP is down (since 95 > 90, EIGRP is preferred when active).
The command 'ip route 203.0.113.0 255.255.255.0 10.0.0.2 95' accomplishes this.
Exam trap
Remember that floating static routes require an administrative distance higher than the primary route's AD. Do not use the default AD (1) or match the primary AD; always set a higher value.
Why the other options are wrong
The AD must be greater than 90 to ensure the static route is only used when EIGRP fails. An AD of 90 does not create a floating static route.
A floating static route must have a higher AD than the primary route. An AD of 85 is lower than 90, so it would be preferred over EIGRP.
The default AD for static routes is 1, which is lower than EIGRP's 90. Without specifying a higher AD, the static route will be preferred and not act as a floating static route.
A network administrator captures traffic on Server B and finds that ICMP echo requests from Host A arrive, and the server generates corresponding echo replies, but these replies never appear on the wire. The server's routing table has a valid default gateway, and no ACLs are blocking the traffic. What is the most likely cause?
The server must resolve the destination IP address (Host A) to a MAC address to build the frame. If the ARP cache holds a wrong MAC, the frame carrying the echo reply is sent to an incorrect device or the encapsulation fails, so the reply never appears on the wire.
Why this answer
The ICMP echo requests arrive at Server B, and the server generates replies, but they never appear on the wire. This indicates the server cannot deliver the frames to the next hop. Since the server has a valid default gateway and no ACLs are blocking, the most likely cause is an incorrect MAC address in the ARP cache for the destination (either the host or the default gateway).
The server will encapsulate the IP packet into a frame using the wrong MAC, causing the switch to drop the frame or send it to the wrong device, so the reply never reaches the wire correctly.
Exam trap
Cisco often tests the distinction between Layer 3 routing (which works correctly here) and Layer 2 frame delivery (which fails due to ARP issues), leading candidates to incorrectly blame routing or ACLs instead of the ARP cache.
Why the other options are wrong
A missing route would prevent the IP layer from even attempting to send the packet, not result in a generated-but-not-transmitted error.
Port security would have blocked the incoming request if Host A's MAC violated the policy, but the request was received, so this cannot explain the missing reply.
You are connected to R1 via console. R1 is a router that needs to provide DHCP services to hosts on VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24). The router has two subinterfaces on GigabitEthernet0/0: G0/0.10 (192.168.10.1/24) and G0/0.20 (192.168.20.1/24) with 802.1Q encapsulation. Configure R1 as a DHCP server for both VLANs, excluding addresses 192.168.10.1-10 and 192.168.20.1-10, with a lease of 1 day. Ensure DNS server 8.8.8.8 is provided.
Hints
! R1
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp pool VLAN10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 8.8.8.8
 lease 1
ip dhcp pool VLAN20
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 8.8.8.8
 lease 1
Why this answer
Option A correctly uses `lease 1` for a 1-day lease, dotted decimal subnet masks, and proper DHCP pool settings. Option B incorrectly uses CIDR notation `/24` in the network command, which IOS does not accept. Option C uses `lease 24`, which is interpreted as 24 days, not 1 day.
Option D also incorrectly uses `lease 24`, resulting in a 24-day lease instead of the required 1-day lease.
Exam trap
Be careful with the lease command: the default unit is days, not hours. Also, remember that the network command in DHCP pool configuration requires a subnet mask in dotted decimal format, not CIDR prefix length. Excluded addresses are configured globally, not within the pool.
Why the other options are wrong
The network command in DHCP pool configuration requires a subnet mask in dotted decimal format, not CIDR notation like /24.
The lease command uses days as its unit; `lease 24` sets a 24-day lease, not the required 1 day.
The lease command sets duration in days, so `lease 24` gives a 24-day lease instead of a 1-day lease.
Match each routing term to its description.
Trustworthiness of a routing information source
Value used by a routing protocol to choose the best path within that protocol
Route used when no more specific match exists
Combining multiple networks into a smaller set of advertised prefixes
Why these pairings
Administrative distance is the trustworthiness rating of a routing protocol, where a lower number means higher trust. Metric is a value used by a routing protocol to select the best path among multiple routes from that same protocol. A default route is the path of last resort, used when no other specific route matches the destination.
Summarization (route aggregation) combines several network prefixes into a smaller set of advertised prefixes, improving efficiency.
Exam trap
Be careful not to confuse the roles of UDRs and BGP routes. UDRs are static overrides, while BGP is a dynamic protocol. System routes are the baseline defaults.
Which prefix length corresponds to the subnet mask 255.255.255.192?
This is correct because 255.255.255.192 equals 26 network bits.
Why this answer
The mask 255.255.255.192 corresponds to /26. In practical terms, the first three octets contribute 24 network bits, and 192 in binary is 11000000, which contributes 2 more network bits. That totals 26 network bits.
This is a standard conversion skill that matters in subnetting, ACL design, and route interpretation.
Exam trap
Be careful not to confuse similar subnet masks or miscount the number of bits in the binary representation.
Why the other options are wrong
The /25 prefix length corresponds to subnet mask 255.255.255.128, not 255.255.255.192. The mask 255.255.255.128 has 128 in the last octet, while 255.255.255.192 has 192, indicating a different number of host bits.
The /27 prefix length corresponds to subnet mask 255.255.255.224, not 255.255.255.192. The mask 255.255.255.224 has 224 in the last octet, which provides 30 usable hosts per subnet, whereas 255.255.255.192 provides 62 usable hosts.
The /28 prefix length corresponds to subnet mask 255.255.255.240, not 255.255.255.192. The mask 255.255.255.240 has 240 in the last octet, which supports 14 usable hosts, while 255.255.255.192 supports 62 usable hosts.
After configuring a trunk port to allow VLAN 40, a technician finds that VLAN 40 is not listed among the VLANs in spanning tree forwarding state in the show interfaces trunk output. What is the most likely cause?
A VLAN must be defined in the local VLAN database for the switch to build a spanning-tree instance and forward frames for that VLAN. If it is permitted on the trunk but does not exist, the switch marks it as pruned and it will not appear in the 'VLANs in spanning tree forwarding state' list. This is the exact symptom presented.
Why this answer
Even if a VLAN is included in the trunk's allowed list, the switch cannot forward frames for that VLAN unless it exists in the local VLAN database. A non-existent VLAN is placed in a pruned state and will not appear as forwarding in show interfaces trunk. The allowed-list command worked, but the missing VLAN definition prevents the VLAN from being active on the trunk.
Exam trap
Option B: the classic mistake of omitting the 'add' keyword when modifying the allowed list is tempting because it is a very common trunk configuration error. However, that error would result in the VLAN not even appearing in the allowed list column, not simply missing from the forwarding state. The question states the VLAN was added to the allowed list, so the missing VLAN database entry is the correct culprit.
Why the other options are wrong
Candidates might associate VLAN support with trunk encapsulation types, but ISL fully supports VLAN 40. This is a distractor.
This is a common operational mistake, but the resulting output would show VLAN 40 missing from the 'Vlans allowed' column, not from the forwarding list.
Candidates might confuse local pruning (due to non-existent VLAN) with VTP pruning. VTP pruning would also require a multi-switch VTP domain and is less likely in a standalone troubleshooting scenario.
In a router-on-a-stick design, what is configured on the physical router interface connected to the switch?
Correct. Subinterfaces with dot1q encapsulation are the key configuration element.
Why this answer
Router-on-a-stick uses one physical router interface with multiple logical subinterfaces. Each subinterface is associated with a VLAN using 802.1Q encapsulation and gets an IP address for that VLAN. Option A is wrong because IP addresses are configured on subinterfaces, not directly on the physical interface for all VLANs.
Option B is wrong because inter-VLAN routing requires a router; the switch alone does not perform inter-VLAN routing in this design. Option D is wrong because serial encapsulation is used for WAN connections, not for VLAN tagging on Ethernet interfaces.
Exam trap
Avoid confusing switch VLAN configurations with router subinterface configurations. Remember that routers require subinterfaces for VLAN handling.
Why the other options are wrong
IP addresses for multiple VLANs are configured on subinterfaces, not directly on the physical interface.
Inter-VLAN routing requires a router; the switch does not route between VLANs internally in a router-on-a-stick design.
Serial encapsulation is used for WAN serial links, not for VLAN tagging on Ethernet interfaces.
Correct. The SVI or routed interface needs DHCP relay.
Why this answer
A DHCP relay agent forwards client broadcasts as unicast to the remote server, typically using ip helper-address.
Exam trap
A common exam trap is selecting NAT overload or port security as the required feature for DHCP communication across VLANs. NAT overload is used for IP address translation and does not forward DHCP broadcasts, while port security restricts MAC addresses on switch ports but does not relay DHCP messages. Another trap is confusing private VLANs with DHCP relay; private VLANs isolate Layer 2 domains but do not forward DHCP requests between VLANs.
The key is understanding that DHCP relay is the only feature that forwards DHCP broadcasts as unicast messages across Layer 3 boundaries, enabling clients on VLAN 20 to obtain leases from a DHCP server on VLAN 100.
Why the other options are wrong
NAT overload translates private IP addresses to a public IP for outbound traffic but does not forward DHCP broadcasts between VLANs. It is unrelated to DHCP relay functionality required for inter-VLAN DHCP communication.
Port security restricts which MAC addresses can connect to a switch port but does not forward DHCP broadcasts or relay DHCP messages between VLANs, so it cannot enable DHCP communication across VLANs.
A static route is configured as 198.51.100.0/24 via 192.0.2.9, but the connected network to the next hop goes down. What happens to the static route in the routing table?
Correct. The router must be able to resolve the next hop.
Why this answer
If the outgoing interface or connected path to the next hop becomes unreachable, the router cannot resolve the recursive next hop and the route is removed from the table.
Exam trap
Remember that static routes are removed if the next hop is unreachable, unlike dynamic routes that may have additional states.
Why the other options are wrong
Static routes are not permanent; they are removed from the routing table if the next-hop interface goes down or the next-hop IP becomes unreachable, because the route is no longer valid.
A static route does not automatically change into a default route; default routes are explicitly configured (e.g., ip route 0.0.0.0 0.0.0.0 next-hop) and are not derived from other static routes.
A static route does not become an OSPF external route automatically; OSPF routes are learned through the OSPF protocol, and a static route remains static unless redistributed into OSPF via configuration.
Which three options correctly describe the behavior or configuration of EtherChannel? (Choose three.)
Why this answer
EtherChannel allows bundling up to 8 active physical links of the same type (e.g., all FastEthernet or all GigabitEthernet) to increase bandwidth and provide redundancy. All interfaces in the bundle must have consistent VLAN allowed lists and trunk mode configurations (or, for access ports, the same access VLAN) to avoid traffic misdirection or loops. Load balancing uses a hash algorithm that can be based on source MAC, destination MAC, source/destination IP, or TCP/UDP port numbers, with the default typically being source MAC on Cisco switches.
Exam trap
Cisco often tests that EtherChannel can bundle up to 8 active links (not 16, which includes standby in LACP), and that all interfaces must have matching VLAN and trunk settings, but candidates may mistakenly think load balancing is round-robin or that different link types can be mixed.
Drag and drop the following troubleshooting steps into the correct order to diagnose a client connectivity issue using the OSI bottom-up method.
Why this order
The OSI bottom-up method starts at Layer 1 (physical) and moves upward. Step A (Check physical connectivity) verifies cables and link lights at Layer 1. Step D (Check for MAC address table entries) examines Layer 2 connectivity.
Step B (Verify IP address configuration) confirms Layer 3 settings. Step C (Test application functionality) tests Layer 7 applications such as ping or web browsing. This sequence aligns with the bottom-up approach of resolving lower-layer issues before examining higher layers.
Exam trap
The trap is that candidates may jump to common troubleshooting steps like checking IP configuration or testing applications, but the bottom-up method requires starting at the physical layer. Always remember the OSI layer order and apply it sequentially.
A network administrator is troubleshooting a user's wired workstation that cannot access the internet. The user reports that the workstation was working earlier today. The administrator runs 'ipconfig /all' on the workstation and sees an IP address of 169.254.10.55. What is the most likely cause of this issue?
A faulty network cable prevents the workstation from reaching the DHCP server, causing the client to self-assign an APIPA address (169.254.x.x).
Why this answer
The IP address 169.254.10.55 falls within the Automatic Private IP Addressing (APIPA) range (169.254.0.0/16, RFC 3927). This address is assigned by the operating system when a DHCP client fails to receive a response from a DHCP server. A faulty network cable would prevent the workstation from communicating with the DHCP server, causing the client to self-assign an APIPA address after the DHCP discovery process times out.
Exam trap
Cisco often tests the concept that APIPA addresses are only generated when the DHCP client cannot communicate with any DHCP server, not when there is a configuration mismatch or server-side issue that still allows Layer 2 connectivity.
Why the other options are wrong
A duplicate IP address conflict would generate an error message and the workstation would still attempt to use the conflicting IP, not fall back to APIPA. The workstation would retain its DHCP-assigned address and display a conflict notification.
Drag and drop the following OSPFv2 neighbor state transitions and DR/BDR election steps into the correct order for a multi-access network with default priority values.
Why this order
The correct OSPF neighbor state progression on a multi-access network is: Down, Init, 2-Way (with DR/BDR election), ExStart (master/slave negotiation), Exchange (DBD exchange), Loading (link-state request and update), and Full. Each option missing the Loading state or placing it incorrectly fails to represent the complete adjacency process.
Exam trap
Many learners forget the Loading state, thinking adjacency jumps directly from Exchange to Full; however, after exchanging database descriptors (DBDs), routers must request and load missing LSAs via Link State Request/Update packets, which occurs in the Loading state.
Drag and drop the following steps into the correct order to capture and analyze traffic on IOS-XE using the embedded packet capture feature, then export to Wireshark to isolate a Layer 2 or Layer 3 fault.
Why this order
First enter privileged mode, then define the capture buffer, specify the interface and direction, start the capture, stop it after collecting data, export to a .pcap file, then transfer and analyze in Wireshark.
Exam trap
Be careful with the order of operations: the buffer must be defined before the capture point, and the capture must be stopped before exporting. Also, remember that these commands are executed in privileged EXEC mode, not global configuration mode.
The ACL allows the subnet, but SSH still needs its base configuration.
Why this answer
Exam trap
A frequent exam trap is believing that simply applying an ACL to permit SSH traffic on the VTY lines guarantees remote access. Candidates often overlook that SSH requires full configuration, including RSA key generation, domain name setting, and valid login credentials. Without these, the device will refuse SSH connections regardless of ACL permissions.
Another pitfall is misapplying the ACL outbound instead of inbound on VTY lines, which does not control incoming management sessions. Also, confusing SSH’s use of TCP port 22 with UDP can lead to incorrect ACL configurations. Recognizing these nuances prevents misinterpretation of the question and ensures correct troubleshooting.
Why the other options are wrong
Incorrect. Applying the ACL outbound on VTY lines does not control incoming management traffic. The correct direction for access control on VTY lines is inbound.
When two routes to the same destination are learned by OSPF from different paths, what criterion does OSPF use to select the best path?
Correct choice.
Why this answer
Within OSPF, the router compares the total path cost to the destination. Lower cost is preferred. Administrative distance is used when comparing routes from different routing sources, not between two OSPF paths.
Exam trap
A common exam trap is selecting administrative distance as the criterion for OSPF route selection. While administrative distance determines route preference between different routing protocols, OSPF uses cost internally to choose the best path. Another trap is assuming OSPF chooses routes based on the highest bandwidth of the first hop only, ignoring the cumulative cost of the entire path.
Candidates may also mistakenly think OSPF uses the lowest next-hop IP address, which is incorrect. These misunderstandings can lead to incorrect answers on OSPF routing questions.
Why the other options are wrong
Lowest administrative distance is incorrect because administrative distance is used to compare routes from different routing protocols, not to select between multiple OSPF-learned routes. Within OSPF, all routes have the same administrative distance, so this criterion does not apply.
Highest bandwidth of the first hop only is incorrect because OSPF considers the cumulative cost of the entire path, not just the bandwidth of the first hop. Focusing only on the first hop bandwidth ignores the cost of subsequent links.
A switchport connected to a user workstation is placed in VLAN 30. The administrator also wants to prevent that port from learning more than one MAC address. Which feature should be configured?
This is correct because port security can enforce a maximum number of MAC addresses on the switchport.
Why this answer
The correct feature is port security. In practical terms, port security lets the administrator control how many MAC addresses can be learned on a switchport and what happens if that limit is exceeded. That makes it a very natural fit for a user-facing access port where one endpoint is expected and unmanaged extra devices are not.
This is a common access-layer hardening technique. VLAN assignment controls where the traffic belongs, but it does not limit who or what can appear on the port. Port security adds that second layer of control.
Exam trap
Don't confuse VLAN assignment or ACLs with port security; they serve different functions.
Why the other options are wrong
EtherChannel is used to aggregate multiple physical links into a single logical link for increased bandwidth and redundancy, not to limit MAC address learning on a single port. It does not provide any mechanism to restrict the number of MAC addresses learned on a switchport.
OSPF passive-interface is a routing protocol feature used to prevent OSPF from sending hello messages on an interface, typically used on interfaces that do not have OSPF neighbors. It has no effect on MAC address learning or switchport security.
Native VLAN is a concept used on trunk ports to specify the VLAN that carries untagged traffic. It does not control MAC address learning or limit the number of MAC addresses on a switchport.
PCs in VLAN 40 are not receiving addresses from the centralized DHCP server at 172.16.1.10. What should be configured on the VLAN 40 default gateway interface?
Correct choice.
Why this answer
When DHCP clients and the DHCP server are on different subnets, the router interface serving the client subnet must relay broadcasts to the server with the ip helper-address command.
Exam trap
Ensure you understand the difference between DHCP relay and DHCP security features like snooping, as well as local DHCP server configuration.
Why the other options are wrong
The 'ip dhcp excluded-address' command is used on a DHCP server to prevent certain addresses from being assigned, not on a router interface to forward DHCP requests. This command would not help clients in VLAN 40 reach the centralized DHCP server.
The 'service dhcp' command globally enables the DHCP server or relay agent on a Cisco device, but it does not specify where to forward requests. Without the 'ip helper-address' command, DHCP broadcasts will not be forwarded to the server.
The 'ip default-gateway' command is used on a switch to set a default gateway for management purposes, not to forward DHCP broadcasts. It does not provide DHCP relay functionality.
In a controller-based WLAN, what is the main job of the access point?
This is correct because the AP handles the local wireless connectivity.
Why this answer
The main job of the access point is to provide the actual radio connection between wireless clients and the network. In practical terms, the controller may centralize policy and management, but the AP is still the device that transmits and receives the wireless frames in the local area.
This distinction matters because CCNA wireless questions often separate the controller’s management role from the AP’s RF and client-connectivity role.
Exam trap
Remember that access points handle RF communication, while controllers manage policies and configurations. Don't confuse these roles.
Why the other options are wrong
In a controller-based WLAN, the access point is a lightweight device that relies on the wireless LAN controller (WLC) for management, control, and data forwarding decisions. The AP cannot replace the controller because it lacks the necessary intelligence and processing power to perform controller functions such as RF management, client authentication, and mobility services.
The access point does not act as a default gateway for wired VLANs. Default gateway functionality is provided by routers or Layer 3 switches that route traffic between different subnets. The AP's role is limited to wireless access and forwarding client traffic to the wired network, typically through the controller or directly to the switch.
OSPF route summarization is a routing protocol function performed by routers or Layer 3 switches, not by access points. APs are not involved in routing protocol operations; they focus on wireless connectivity and may forward traffic to the controller or wired network without participating in dynamic routing.
You are connected to R1 via console. Configure OSPFv3 for IPv6 on both R1 and R2 so that the loopback0 interface on R2 (IPv6 address 2001:db8:1:2::1/64) is reachable from R1. The link between R1 and R2 uses the subnet 2001:db8:1:1::/64 with R1's G0/0 having IPv6 address 2001:db8:1:1::1/64 and R2's G0/0 having 2001:db8:1:1::2/64. OSPFv3 process ID must be 100 and all interfaces must be in area 0. After configuration, verify OSPFv3 neighbors and the IPv6 route to the loopback0 network.
Hints
! R1
ipv6 router ospf 100
 router-id 1.1.1.1
interface GigabitEthernet0/0
 ipv6 ospf 100 area 0
! R2
ipv6 router ospf 100
 router-id 2.2.2.2
interface GigabitEthernet0/0
 ipv6 ospf 100 area 0
interface Loopback0
 ipv6 ospf 100 area 0
Why this answer
To achieve reachability to R2's loopback, OSPFv3 must be enabled on R1's and R2's G0/0 interfaces in area 0, and on R2's loopback0 so its prefix is advertised. Option A shows the minimal correct configuration. Option B omits enabling OSPF on loopback0, so the route to 2001:db8:1:2::/64 is not advertised.
Option C incorrectly uses the 'network' command, which is not supported in OSPFv3; OSPFv3 relies on interface-level 'ipv6 ospf ... area' commands. Option D adds 'passive-interface GigabitEthernet0/0', which prevents OSPF from forming a neighbor adjacency on the link, breaking the required connectivity.
Exam trap
Do not confuse OSPFv2 and OSPFv3 configuration. OSPFv3 uses only interface-level commands, and while setting a loopback as passive is safe, applying 'passive-interface' on a transit link will block neighbor adjacency.
Why the other options are wrong
Loopback0 is not enabled for OSPF, so its prefix is not advertised into OSPF.
The 'network' command is invalid in OSPFv3 for IPv6; only interface-level 'ipv6 ospf ... area' commands are used.
Applying 'passive-interface GigabitEthernet0/0' prevents OSPF from forming a neighbor adjacency on the link, breaking the verification of neighbor state.
You are connected to the console of R1. The network administrator reports that users cannot communicate with the server at 192.168.2.10. R1 is connected to R2 via a serial link (S0/0/0) with IP 10.0.0.1/30 on R1 and 10.0.0.2/30 on R2. The network uses OSPF for routing. You suspect an interface issue on the serial link.
Hints
! R1
interface Serial0/0/0
 clock rate 64000
 no shutdown
 encapsulation ppp
Why this answer
The serial interface may be administratively down or have incorrect encapsulation. Setting the clock rate on the DCE side and ensuring PPP encapsulation matches the neighbor resolves the issue.
Exam trap
Do not confuse troubleshooting steps: when a specific interface issue is suspected, use interface-level commands like show interfaces, not routing or ping commands. The show interfaces command is the go-to for verifying interface status and encapsulation.
Why the other options are wrong
The show ip route command does not provide interface-level details such as encapsulation or clock rate; it only shows routing information.
Ping does not provide detailed interface status or configuration information; it only indicates whether the neighbor is reachable, not why it is not.
The running-config shows the intended configuration but not the current operational state; for example, it won't show if the interface is administratively down unless you check the shutdown command.
Which TWO statements accurately describe the encapsulation process in the TCP/IP model as data moves from the application layer to the network access layer?
The transport layer encapsulates data with a header containing port numbers to identify the application.
Why this answer
At the transport layer, TCP creates segments that include source and destination port numbers (B correct). At the network layer, the PDU is a packet containing source and destination IP addresses (D correct). Option A is wrong because the application layer generates data, not segments, and transport headers are added later.
Option C mislabels the network layer PDU; it is a packet, not a frame, and MAC addresses belong to frames. Option E is wrong because the data link layer PDU is a frame, not a packet, and it uses MAC addresses, not IP addresses.
Exam trap
Cisco often tests the specific PDU naming conventions (segment, packet, frame) and the layer at which each header is added, causing candidates to confuse the network layer packet with the data link layer frame or to misidentify the transport layer PDU.
Why the other options are wrong
The application layer PDU is just data; no transport header is added at this stage.
At the network layer, the PDU is a packet with IP addresses; MAC addresses are added at the data link layer.
The data link layer PDU is a frame, not a packet, and it contains source and destination MAC addresses.
You are connected to SW1. The current configuration on SW1 is: interfaces GigabitEthernet0/1 and GigabitEthernet0/2 are set to channel-group mode passive; Gi0/1 has speed 100, duplex half, and access VLAN 20; Gi0/2 has speed 1000, duplex full, and access VLAN 10. You need to form an LACP EtherChannel between SW1 and SW2. Ensure the channel forms by setting the channel-group mode to active on SW1's member ports. Also correct the speed/duplex mismatch and VLAN mismatch so that the port-channel interface is in the up/up state. Finally, verify the EtherChannel summary shows the channel as a Layer 2 bundle in use.
Hints
! SW1
interface GigabitEthernet0/1
 speed 1000
 duplex full
 channel-group 1 mode active
 exit
interface GigabitEthernet0/2
 switchport access vlan 10
 channel-group 1 mode active
end
Why this answer
The EtherChannel fails because both member ports are set to mode passive, preventing LACP negotiation. Additionally, Gi0/1 has speed 100/duplex half while Gi0/2 has speed 1000/duplex full—a mismatch that causes one port to be suspended. Finally, the VLANs differ (10 vs 20), which also prevents bundling.
The solution: change the channel-group mode to active on both ports, set consistent speed (1000) and duplex (full) on Gi0/1, and set the same access VLAN (10) on Gi0/2. After these corrections, the port-channel should form and show as (SU) in the summary.
Why the other options are wrong
Passive mode requires the other side to be active; both passive means no negotiation. Speed/duplex mismatch (100/half vs 1000/full) and VLAN mismatch (20 vs 10) prevent bundling.
The mode 'desirable' is used with Cisco's proprietary PAgP protocol, not with the IEEE standard LACP. Using it would not form an LACP EtherChannel.
Speed/duplex mismatch causes one port to be suspended in the EtherChannel. VLAN mismatch prevents the port-channel from being in up/up state as a Layer 2 bundle.
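As an added illustration that is not part of the original question set, the following Python check encodes the three bundling conditions discussed above (LACP mode pairing, matching speed/duplex, matching access VLAN) and reports why SW1's members would fail to bundle before the fix. The port values are constructed from the scenario, not read from a device.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MemberPort:
    """One physical member of a candidate port-channel (constructed, not a device dump)."""
    name: str
    mode: str         # channel-group mode: active/passive (LACP), desirable/auto (PAgP), on
    speed: int        # Mbps
    duplex: str       # "full" or "half"
    access_vlan: int


LACP_MODES = {"active", "passive"}


def lacp_negotiates(local_mode: str, remote_mode: str) -> bool:
    """LACP bundles only if both ends speak LACP and at least one side is active."""
    if local_mode not in LACP_MODES or remote_mode not in LACP_MODES:
        return False  # desirable/auto are PAgP; 'on' is static and skips negotiation
    return "active" in (local_mode, remote_mode)


def bundle_problems(ports: list[MemberPort], remote_mode: str) -> list[str]:
    """Return every reason the members would not come up as one LACP bundle."""
    problems = []
    for p in ports:
        if not lacp_negotiates(p.mode, remote_mode):
            problems.append(f"{p.name}: mode {p.mode} does not negotiate LACP "
                            f"against remote mode {remote_mode}")
    # Members must match each other on speed, duplex and access VLAN; otherwise
    # the odd port is suspended and the Layer 2 bundle never reaches up/up.
    ref = ports[0]
    for p in ports[1:]:
        for attr in ("speed", "duplex", "access_vlan"):
            if getattr(p, attr) != getattr(ref, attr):
                problems.append(f"{p.name}: {attr} {getattr(p, attr)} differs from "
                                f"{ref.name} {attr} {getattr(ref, attr)}")
    return problems


# SW1 as described in the scenario, before and after the corrective configuration.
SW1_BEFORE = [MemberPort("Gi0/1", "passive", 100, "half", 20),
              MemberPort("Gi0/2", "passive", 1000, "full", 10)]
SW1_AFTER = [MemberPort("Gi0/1", "active", 1000, "full", 10),
             MemberPort("Gi0/2", "active", 1000, "full", 10)]

if __name__ == "__main__":
    for label, ports in (("before", SW1_BEFORE), ("after", SW1_AFTER)):
        print(label, bundle_problems(ports, remote_mode="passive") or ["bundle forms"])
```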
You are connected to R1 via console. R1 and R2 are configured with EIGRP AS 100. R1's loopback0 (1.1.1.1/32) should be advertised into EIGRP. However, after configuration, R2 does not have a route to 1.1.1.1/32. You need to verify the EIGRP configuration on R1 and R2 to determine why the route is missing. Use show commands to identify the issue.
Hints
! R1
show ip eigrp neighbors
show ip eigrp topology
show ip route eigrp
show running-config | section router eigrp
! R2
show ip route eigrp
Why this answer
The root cause is that R1's interface facing R2 is passive, preventing EIGRP neighbor adjacency. 'show ip eigrp interfaces' verifies the passive state, identifying why no routes are exchanged. Option B is incorrect because the local topology table may contain the route, but without an active neighbor, it will not be advertised; the topology check alone is insufficient. Option C is incorrect because the routing table may also show the locally connected route, but that does not explain why R2 lacks it.
Option D is incorrect because checking R2's EIGRP configuration does not reveal R1's passive interface, which is the actual problem.
Exam trap
Be careful: 'passive-interface default' makes all interfaces passive, including the one needed for neighbor adjacency. You must use 'no passive-interface' on the specific interface to allow EIGRP to form a neighbor. Also, remember that passive interfaces can still advertise routes, but they do not form adjacencies.
Why the other options are wrong
The route being in R1's topology does not guarantee it is advertised to R2; the problem is more likely with the neighbor adjacency or outbound filters.
The loopback is a directly connected interface, so it will not appear in the EIGRP routing table; it is injected into EIGRP via the network statement. This command is irrelevant for checking the advertisement.
The problem is likely on R1, not R2. R2's configuration may be fine, but if R1 is not sending the route, R2 will never learn it. This command focuses on R2, which is not the source of the issue.
You are connected to R1 via console. R1's GigabitEthernet0/1 interface connects to a remote site switch over a 2 km fiber link. The current configuration shows speed and duplex set to 1000 Mbps and full, but the interface is down/down due to an SFP mismatch. Review the exhibit, identify the problem, and correct it so that the interface comes up and communicates at the correct speed and duplex. Additionally, ensure the interface is configured to auto-negotiate properly for future cable replacements.
Hints
! R1
interface GigabitEthernet0/1
 no speed
 no duplex
 no shutdown
Why this answer
The interface was administratively shut down (shutdown command) and had hard-coded speed 1000 and duplex full, which is incompatible with the 2 km fiber link requiring a long-haul SFP (e.g., 1000BASE-LX). The correct fix is to remove the manual speed/duplex settings, enable auto-negotiation (which is default but overridden), and then no shutdown. For a 2 km link, a 1000BASE-LX SFP is required; the existing SFP (likely 1000BASE-SX, max 550 m) caused the link to be down.
After replacing with the correct SFP, the interface should come up. Commands: interface Gi0/1, no speed, no duplex, no shutdown.
Exam trap
Trap: Candidates may focus only on the SFP replacement and forget to remove manual speed/duplex settings, or they may choose an SFP with insufficient distance. Remember that Gigabit Ethernet fiber interfaces should use auto-negotiation, and manual settings are only for troubleshooting or specific legacy scenarios.
Why the other options are wrong
The specific factual error is that 1000BASE-SX cannot support 2 km distances; it is limited to 550 m.
The specific factual error is that Gigabit Ethernet interfaces cannot be set to 100 Mbps; they only support 1000 Mbps or auto-negotiation.
The specific factual error is that manual speed/duplex settings should be removed to allow auto-negotiation; they are not recommended for fiber interfaces.
You are connected to R1, a multilayer switch running Rapid PVST+. The current root bridge for VLAN 10 has priority 24586 and for VLAN 20 has priority 24676. Configure R1 so that it becomes the root bridge for VLAN 10 and VLAN 20. Then enable PortFast and BPDU Guard on interface FastEthernet0/1, which connects to an access switch. Finally, diagnose why interface FastEthernet0/2 has entered an err-disabled state and recover it.
Hints
! R1
configure terminal
spanning-tree vlan 10 priority 4096
spanning-tree vlan 20 priority 4096
interface FastEthernet0/1
 spanning-tree portfast
 spanning-tree bpduguard enable
interface FastEthernet0/2
 shutdown
 no shutdown
end
Why this answer
To become the root bridge, R1’s priority must be lower than the current root’s priority. Setting the priority to 4096 (or any value lower than 24586/24676) accomplishes this. Option A correctly uses `spanning-tree vlan 10,20 priority 4096` (though the actual command per VLAN is `spanning-tree vlan 10 priority 4096` and `spanning-tree vlan 20 priority 4096`).
It also enables PortFast and BPDU Guard on Fa0/1 to prevent BPDU reception on an edge port, and recovers the err-disabled Fa0/2 by cycling `shutdown` then `no shutdown`. Options B and C fail because they do not enable BPDU Guard, leaving the interface vulnerable. Option D fails because it only shuts down Fa0/2 without the `no shutdown` command, so the interface remains administratively down.
Exam trap
Candidates often mistakenly believe that the priority must be set to the absolute lowest (e.g., 0) or that `root primary` always works, but the real requirement is simply a priority lower than the current root. Also, they may forget that an err-disabled interface requires both `shutdown` and `no shutdown` to recover.
Why the other options are wrong
The 'root primary' macro sets the priority to 24576 when the current root's priority is above that value. Here the current roots have priority 24586 (VLAN 10) and 24676 (VLAN 20), both above 24576, so 'root primary' would set R1 to 24576, which is lower than both, and R1 would become root for both VLANs. The reference answer uses 4096, which is lower still; the key point is that 'root primary' does not guarantee root status if another switch has a lower priority.
Also, BPDU Guard is missing, and recovery requires shutdown first.
BPDU Guard is not configured on Fa0/1, leaving the port vulnerable to BPDU attacks. Also, the err-disabled recovery requires a shutdown command before no shutdown.
Simply shutting down the interface does not recover it from err-disable; you must also re-enable it with 'no shutdown'.
You are connected via the console to R1, a Cisco ISR 4331 router. The network uses IPv6. R1's GigabitEthernet0/0 interface has the MAC address 00:1C:0F:9A:7B:32. You need to configure the interface to use EUI-64 to form a global unicast address from the prefix 2001:DB8:CAFE:1::/64. Additionally, ensure that the interface is enabled for IPv6.
Hints
! R1
interface GigabitEthernet0/0
 ipv6 address 2001:DB8:CAFE:1::/64 eui-64
 ipv6 enable
Why this answer
The EUI-64 process inserts FF:FE in the middle of the MAC address and inverts the 7th bit. Configuring the IPv6 address with the eui-64 keyword automatically generates the interface ID from the MAC address.
Exam trap
Trap: Candidates often forget the bit inversion step in EUI-64 or incorrectly use the :: abbreviation with the eui-64 keyword. Remember: EUI-64 requires the full prefix and the 7th bit of the MAC must be flipped.
Why the other options are wrong
The specific factual error is that the EUI-64 keyword cannot be used with the double colon (::) abbreviation; the prefix must be fully specified.
The specific factual error is that the command does not use the eui-64 keyword, so it does not meet the requirement to use EUI-64.
The specific factual error is that the 7th bit inversion was not applied; the interface ID should start with 021C, not 001C.
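As an added worked example that is not part of the original question set, the Python below carries the EUI-64 procedure through for the MAC and prefix given in the question (insert FF:FE, flip the universal/local bit), and includes a check that flags an address built without the bit flip, the error described above. The MAC 00:1C:0F:9A:7B:32 and prefix 2001:DB8:CAFE:1::/64 come from the question; the function names are this example's own.

```python
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Build the 64-bit modified EUI-64 interface ID from a 48-bit MAC address."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    # Split the OUI (first 3 octets) from the NIC part and insert FF:FE between them.
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # Flip the universal/local bit: the 7th bit of the first octet (mask 0x02).
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 interface ID into a global unicast address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing requires a /64 prefix")
    packed = net.network_address.packed[:8] + eui64_interface_id(mac)
    return str(ipaddress.IPv6Address(packed))


def missing_bit_flip(address: str, mac: str) -> bool:
    """True when the address carries the MAC+FFFE form without the 0x02 flip."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    expected = eui64_interface_id(mac)
    unflipped = bytes([expected[0] ^ 0x02]) + expected[1:]
    return iid == unflipped


if __name__ == "__main__":
    mac = "00:1C:0F:9A:7B:32"      # R1 Gi0/0 MAC from the question
    prefix = "2001:DB8:CAFE:1::/64"
    print(eui64_interface_id(mac).hex())        # 021c0ffffe9a7b32
    print(eui64_address(prefix, mac))           # 2001:db8:cafe:1:21c:fff:fe9a:7b32
    print(missing_bit_flip("2001:db8:cafe:1:1c:fff:fe9a:7b32", mac))  # True
```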