CCNA 200-301 v2 (200-301) — Questions 151225

1819 questions total · 25pages · All types, answers revealed

Page 2

Page 3 of 25

Page 4
151
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and enable 802.1X port authentication on an IOS-XE switch.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

First enter global config, then define RADIUS server, then configure AAA authentication, then enable 802.1X globally, then apply per-interface 802.1X settings.

Exam trap

The exam trap is that candidates often confuse the dependency order: AAA authentication must reference an already-defined RADIUS server, and 802.1X globally requires AAA to be configured first. Always think about what each step depends on.

152
Matchingmedium

Match each REST or API concept to its most accurate description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

HTTP method commonly used to retrieve data

HTTP method commonly used to submit or create data

Credential-like value used to help control API access

Structured data format often used in API payloads

Why these pairings

GET is an HTTP method designed specifically for retrieving data from a server without side effects, making it idempotent and safe. POST is used to submit data to create or update resources, as it can change server state and is not idempotent. A token is a credential-like value (e.g., API key or JWT) that authenticates and authorizes API requests, controlling access to endpoints.

JSON is a lightweight, human-readable structured data format commonly used in API request/response payloads for data interchange. These concepts are distinct: GET and POST cannot be swapped because they have different HTTP semantics; a token is not a data format like JSON; and JSON is not an access control mechanism. Matching them incorrectly would violate RESTful principles.

Exam trap

The exam may test your understanding of REST as an architectural style, not as a protocol or data format. Be careful not to confuse REST with its common implementations like HTTPS or JSON.

153
Matchingeasy

Match each common automation term to its most accurate meaning.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Centralized management or policy platform

Defined software interface for communication

Lightweight structured data format

Secure transport commonly used for API access

Why these pairings

A controller provides centralized management or policy enforcement, abstracting device-level configuration. An API defines a structured software interface for programmatic interaction, not the underlying transport. JSON is a lightweight data-interchange format favored for its readability and ease of parsing by automation tools.

HTTPS is the secure transport layer that carries API calls, ensuring encrypted communication. Together, these terms form the foundation of network automation architectures, where a controller exposes APIs over HTTPS and exchanges JSON-formatted data.

Exam trap

Candidates often confuse the languages and architectures of automation tools. Remember: Ansible = YAML + agentless; Chef = Ruby DSL; Puppet = declarative manifests (custom DSL); SaltStack = master-minion with agents.

154
MCQhard

An administrator wants to allow HTTPS traffic from a source subnet to a server but deny all Telnet traffic from that same subnet to the same server. Which ACL capability is required to express that policy accurately?

A.An extended ACL that can match protocol and destination port information
B.A standard ACL because source matching is enough
C.A wildcard mask with all zeros only
D.A wireless SSID ACL
AnswerA

This is correct because the requirement depends on protocol/port-level filtering.

Why this answer

The policy requires extended ACL capability because it must distinguish traffic by protocol and destination port, not just by source address. In practical terms, the rule needs to treat TCP port 443 differently from TCP port 23 even though the source and destination networks are the same. A standard ACL is too limited for that.

This question is about matching precision. When the policy depends on protocol and port, extended ACLs are the right tool.

Exam trap

A frequent exam trap is selecting a standard ACL to enforce policies that require filtering by protocol or port number. Standard ACLs only filter by source IP address and cannot distinguish between different types of traffic like HTTPS and Telnet. This leads to incorrect assumptions that standard ACLs can block Telnet while allowing HTTPS from the same subnet.

The trap lies in overlooking the need for protocol and port-level filtering, which only extended ACLs provide. Candidates must remember that without extended ACLs, the router cannot differentiate traffic based on application-layer details, causing the policy to fail.

Why the other options are wrong

B

Incorrect because standard ACLs filter only by source IP address and cannot distinguish between different protocols or ports, making them insufficient for the requirement to allow HTTPS but deny Telnet.

C

Incorrect because a wildcard mask controls which bits of an IP address are matched but does not provide any capability to filter traffic based on protocol or port information, which is essential here.

D

Incorrect because wireless SSID ACLs relate to WLAN access control and do not filter IP traffic based on protocol or port, making them irrelevant to the question about IP traffic filtering.

155
Multi-Selectmedium

Which four of the following are considered best practices for securing switch ports and preventing Layer 2 attacks? (Choose all that apply. There are four correct answers.)

Select 4 answers
.Disable unused ports and place them in a shutdown state.
.Enable PortFast and BPDU guard on all ports that connect to end devices.
.Use MAC address filtering as the sole security measure to prevent unauthorized access.
.Implement DHCP snooping to prevent rogue DHCP server attacks.
.Configure dynamic ARP inspection (DAI) to prevent ARP spoofing.
.Set the native VLAN to a higher number than the default VLAN 1 on trunk links.

Why this answer

Disabling unused ports and placing them in a shutdown state (A) prevents unauthorized physical access and stops Layer 2 attacks like rogue device connections or VLAN hopping. Enabling PortFast and BPDU guard on ports connecting to end devices (B) speeds up STP convergence and protects against rogue switch loops. DHCP snooping (D) prevents rogue DHCP server attacks by filtering untrusted DHCP messages.

Dynamic ARP inspection (E) uses DHCP snooping bindings to validate ARP packets and prevent ARP spoofing. Setting the native VLAN to a higher number (F) is not a best practice; the recommended approach is to change the native VLAN to an unused VLAN on both ends of the trunk and explicitly tag it. MAC address filtering as the sole measure (C) is easily bypassed and must be combined with port security or 802.1X.

Exam trap

Cisco often tests the misconception that MAC address filtering is a strong standalone security measure, when in reality it is trivial to bypass and must be combined with other features like 802.1X or port security with sticky MAC addresses to be effective.

156
Matchingmedium

Drag and drop the Wi-Fi features on the left to the correct descriptions on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Uses OFDMA to improve efficiency in dense environments

Uses SAE (Simultaneous Authentication of Equals) for secure password-based authentication

A single AP and its associated clients

Centralized management of multiple APs, enabling seamless roaming

Commonly used in 802.11ac to increase throughput by combining channels

Why these pairings

802.11ax (Wi-Fi 6) uses OFDMA to divide channels into smaller subcarriers, allowing simultaneous transmission to multiple clients and improving efficiency in dense environments. WPA3-Personal employs Simultaneous Authentication of Equals (SAE) to replace the vulnerable pre-shared key handshake, providing secure password-based authentication resistant to offline dictionary attacks. A Basic Service Set (BSS) is the fundamental building block of a WLAN, consisting of a single access point (AP) and all associated wireless clients.

A Wireless LAN Controller (WLC) centralizes AP management, handling configuration, firmware updates, and seamless roaming across multiple APs. Channel bonding (80 MHz) combines two 40 MHz channels, doubling the channel width to increase throughput; it is commonly used in 802.11ac (Wi-Fi 5) to achieve higher data rates.

Exam trap

Be careful not to confuse the specific technology used by each Wi-Fi generation: OFDMA is unique to 802.11ax, while channel bonding (80/160 MHz) is more closely associated with 802.11ac.

157
MCQhard

A trunk link between two switches is up, but voice phones connected through one access switch no longer receive the correct voice VLAN treatment. Data users still pass traffic. Which area should be checked first?

A.Whether the voice VLAN is being carried and handled correctly across the switching path.
B.Whether OSPFv3 neighbors are fully adjacent on the phone switch ports.
C.Whether the wireless controller has the correct guest SSID.
D.Whether BGP uses a lower metric than the static route.
AnswerA

This is correct because selective failure affecting phones points to voice-VLAN handling rather than complete link failure.

Why this answer

The first area to check is the end-to-end handling of the voice VLAN across the switching path. In practical terms, the data VLAN can still work while the voice VLAN experiences a forwarding, configuration, or policy problem. Because the phones depend on the correct voice VLAN behavior, that VLAN path should be examined first rather than assuming the whole trunk is broken.

This is a selective-services troubleshooting question. One class of traffic can fail even when ordinary user data still works.

Exam trap

Be cautious not to assume that a general network issue is the cause when only specific traffic types are affected. Focus on the specific VLAN configuration first.

Why the other options are wrong

B

OSPFv3 is an IPv6 routing protocol and has no role in Layer 2 voice VLAN handling on access ports. The issue is about VLAN assignment and trunking, not routing protocol adjacency.

C

The scenario involves wired switches and IP phones, not wireless LAN. Guest SSID configuration on a wireless controller is unrelated to voice VLAN treatment on a wired trunk link.

D

BGP is an exterior routing protocol used for interdomain routing, not for Layer 2 VLAN handling. The symptom is about voice VLAN treatment on a trunk, which is unrelated to BGP metrics or static routes.

158
MCQhard

A host is configured with 172.16.10.62/27. Which address is the broadcast address for that subnet?

A.172.16.10.31
B.172.16.10.32
C.172.16.10.63
D.172.16.10.64
AnswerC

This is correct because the host is in the 32–63 /27 block, whose broadcast is .63.

Why this answer

A /27 uses blocks of 32 addresses. In plain language, the last-octet ranges are 0–31, 32–63, 64–95, and so on. Since the host address ends in 62, it belongs to the 32–63 block. The last address in that block is the broadcast address, so the broadcast is 172.16.10.63.

This is a classic subnetting question because it requires you to place the host inside the correct block and then identify the last address in that block rather than guessing based on the host value alone.

Exam trap

Be careful not to confuse the broadcast address with the network address or the start of the next subnet.

Why the other options are wrong

A

The address 172.16.10.31 is the broadcast address for the /27 subnet 172.16.10.0–31, not for the subnet containing host 172.16.10.62. Since the host's IP is in the 32–63 range, the broadcast is .63, not .31.

B

172.16.10.32 is the network address (subnet ID) of the /27 subnet that includes hosts 32–63. It is not the broadcast address; the broadcast is the last address in the subnet, which is .63.

D

172.16.10.64 is the network address of the next /27 subnet (64–95), not the broadcast address for the subnet containing .62. The broadcast for the subnet containing .62 is .63.

159
MCQmedium

Users in 10.20.30.0/24 should be allowed to browse the web but should not be able to open Telnet sessions to any remote device. Which access list entry best meets the requirement?

A.deny tcp 10.20.30.0 0.0.0.255 any eq 23
B.deny udp 10.20.30.0 0.0.0.255 any eq 23
C.deny tcp any 10.20.30.0 0.0.0.255 eq 23
D.permit tcp 10.20.30.0 0.0.0.255 any eq 80
AnswerA

This blocks Telnet from that subnet to any destination.

Why this answer

To block Telnet while still allowing web traffic, the ACL should deny TCP destination port 23 from that source subnet and then permit the rest of the needed traffic. Telnet uses TCP port 23, not UDP and not source port 23.

Exam trap

A frequent exam trap is selecting an ACL entry that denies UDP traffic on port 23 or denies traffic with the source port set to 23. Telnet exclusively uses TCP as its transport protocol and communicates over destination port 23, so denying UDP or source port 23 traffic will not block Telnet sessions. Another common mistake is denying inbound Telnet traffic to the subnet rather than outbound traffic from the subnet, which does not prevent users inside the subnet from initiating Telnet connections.

Misunderstanding these protocol and port details leads to ineffective ACLs that fail to meet the requirement.

Why the other options are wrong

B

This option denies UDP traffic on port 23, but Telnet uses TCP, not UDP. Therefore, this ACL entry will not block Telnet sessions and is incorrect.

C

This option denies TCP traffic destined to the 10.20.30.0/24 subnet on port 23, which blocks inbound Telnet sessions to the subnet but does not prevent users inside the subnet from initiating outbound Telnet sessions.

D

This option permits TCP traffic from the subnet to any destination on port 80 (HTTP), allowing web browsing but does not block Telnet traffic, so it does not meet the requirement.

160
MCQhard

Refer to the exhibit. A network administrator is reviewing the NAT translations on router R1 and notices that the internal host 192.168.1.10 appears in both a static NAT entry (for ports 80 and 443) using global address 203.0.113.10, and a dynamic PAT entry (port 49152) using global address 203.0.113.1. The administrator is concerned this might indicate a misconfiguration. Based on the output, which statement is correct?

A.The translations are functioning correctly; the static entries allow inbound web traffic to the host, while the dynamic PAT entry supports an outbound client connection.
B.The static NAT rule is being overridden by the dynamic PAT rule, causing inbound web traffic to the server to fail.
C.The dynamic PAT entry indicates a duplicate session that will cause asymmetric routing and packet drops.
D.The router is incorrectly performing both static and dynamic NAT for the same inside address, which violates the configured NAT order.
AnswerA

The static mappings for ports 80 and 443 (global 203.0.113.10 → 192.168.1.10) are not overridden because the dynamic PAT entry uses a different global address (203.0.113.1) and a different source port (49152). This separation enables both inbound server traffic and outbound client traffic for the same inside host, which is a valid design.

Why this answer

The output shows static NAT entries mapping TCP ports 80 and 443 from global 203.0.113.10 to inside host 192.168.1.10. Simultaneously, a dynamic PAT entry maps a high ephemeral port 49152 to the same inside host for an outbound connection to 198.51.100.5:80. Because the static entries use a different global IP (203.0.113.10) and different port numbers than the dynamic PAT entry (203.0.113.1:49152), both can coexist correctly — static NAT handles inbound web requests, dynamic PAT handles outbound client traffic.

This is a normal operational state, not a misconfiguration.

Exam trap

Candidates often incorrectly assume that a single inside host cannot have both a static NAT entry and a dynamic PAT entry, leading them to choose option B (that the static rule is overridden). However, these entries serve different traffic directions and port ranges, so they coexist without conflict.

Why the other options are wrong

B

A common misconception is that any dynamic NAT entry for the same inside local address takes precedence or conflicts with static entries. In reality, the more specific static mapping takes priority for matching traffic, and the dynamic entry handles unrelated flows.

C

Candidates may misinterpret the presence of the same inside local IP in two entries as a duplicate session. Asymmetric routing would require inconsistent state in both directions, but here the NAT table correctly tracks distinct flows.

D

Some candidates believe that a single inside address can only participate in one type of NAT at a time. In fact, multiple NAT rules can coexist, and the router will use the most specific match (static port mapping) before falling back to dynamic PAT for unmapped ports.

161
MCQhard

A host uses the subnet mask 255.255.255.192. How many usable host addresses exist in each subnet?

A.30
B.62
C.126
D.254
AnswerB

This is correct because /26 yields 64 total addresses and 62 usable hosts.

Why this answer

The mask 255.255.255.192 corresponds to /26. That leaves 6 host bits, which means each subnet contains 64 total addresses. After excluding the network and broadcast addresses, 62 usable host addresses remain.

This is a standard host-capacity question. The safest approach is to convert the mask to the prefix, determine the total addresses from the number of host bits, and then subtract the two reserved addresses.

Exam trap

Be careful not to confuse total addresses with usable addresses; always subtract the network and broadcast addresses.

Why the other options are wrong

A

The subnet mask 255.255.255.192 is /26, which provides 64 total addresses per subnet. Subtracting the network and broadcast addresses leaves 62 usable hosts, not 30. 30 usable hosts corresponds to a /27 subnet mask (255.255.255.224).

C

126 usable hosts would require a /25 subnet mask (255.255.255.128), which provides 128 total addresses. The given mask /26 provides only 64 total addresses, so 126 is incorrect.

D

254 usable hosts corresponds to a /24 subnet mask (255.255.255.0), which provides 256 total addresses. The mask 255.255.255.192 is /26, which is two bits longer, resulting in only 64 total addresses.

162
MCQhard

R1 and R2 are directly connected. Their interfaces are up/up and belong to the same subnet. R1's OSPF configuration places the interface in area 0, while R2's interface is in area 1. R1 does not show R2 as an OSPF neighbor. What is the most likely cause?

A.The area IDs do not match
B.R1 must use a loopback as the router ID
C.The subnet mask is too small for OSPF to work
D.R2 should be configured as the DR manually
AnswerA

An area mismatch prevents the neighbor relationship.

Why this answer

OSPF neighbors on the same link must agree on the area ID. Here, one side is in area 0 and the other is in area 1, so adjacency never forms even though the interfaces are up and in the same subnet.

Exam trap

A common trap is focusing on router ID or subnet mask instead of recognizing that mismatched area IDs prevent OSPF adjacency.

Why the other options are wrong

B

Incorrect. While using a loopback interface as the router ID is recommended for stability, it is not required for OSPF neighbor adjacency to form.

C

Incorrect. A /30 subnet mask is valid for point-to-point OSPF links and does not prevent neighbor relationships from forming.

D

Incorrect. The Designated Router (DR) election occurs after adjacency formation and does not prevent neighbors from forming if area IDs mismatch.

163
MCQhard

A subnet uses the mask 255.255.255.252. How many usable host addresses are available in each subnet?

A.2
B.4
C.6
D.14
AnswerA

This is correct because /30 provides 4 total addresses and 2 usable hosts.

Why this answer

The mask 255.255.255.252 corresponds to /30. In practical terms, that gives 4 total addresses per subnet. After subtracting the network and broadcast addresses, 2 usable host addresses remain.

This is a classic small-subnet calculation that often appears in point-to-point addressing scenarios.

Exam trap

Remember to exclude network and broadcast addresses when calculating usable host addresses.

Why the other options are wrong

B

The /30 subnet provides a total of 4 addresses, but one is the network address and one is the broadcast address, leaving only 2 usable host addresses. Saying 4 is incorrect because it counts the network and broadcast addresses as usable.

C

A /30 subnet has only 2 bits for host addresses, yielding 2^2 = 4 total addresses, of which 2 are usable. 6 usable hosts would require at least 3 host bits (2^3 - 2 = 6), which corresponds to a /29 subnet.

D

14 usable hosts correspond to a /28 subnet (255.255.255.240), which has 4 host bits (2^4 - 2 = 14). A /30 subnet has only 2 host bits, so it cannot provide 14 usable hosts.

164
MCQhard

A switch port configured with PortFast and BPDU Guard receives a BPDU and transitions to an error-disabled state. Which statement best explains why this is considered useful protection?

A.It prevents a port expected to be an edge port from accidentally becoming part of the switching topology and causing loops.
B.It increases the port's bandwidth by combining multiple links.
C.It automatically enables VLAN trunking on the port.
D.It forces the port to use Rapid Spanning Tree Protocol for faster convergence.
AnswerA

This matches the purpose of PortFast combined with BPDU Guard: to protect the network when an edge port unexpectedly receives BPDUs, indicating a potential loop condition.

Why this answer

PortFast is used on edge ports to bypass STP listening/learning, but if a BPDU is received, the assumption that the port is an edge port is violated. BPDU Guard then error-disables the port to prevent potential loops or topology disruptions. This protects the network when an edge port unexpectedly connects to another switch, which could cause a bridging loop.

The other options describe unrelated features or incorrect mechanisms.

Exam trap

Remember that BPDU Guard disables the port, not just logs or adjusts its role. It's a protective measure, not a monitoring tool.

Why the other options are wrong

B

Increasing port bandwidth by combining links is done via EtherChannel, not related to BPDU Guard or loop prevention.

C

VLAN trunking is automatically negotiated via DTP or manually configured, not triggered by BPDU Guard or PortFast.

D

Forcing Rapid Spanning Tree Protocol is not a function of PortFast or BPDU Guard; they are separate STP optimizations.

165
Drag & Dropmedium

Drag and drop the following steps into the correct order to plan, configure, and apply an extended ACL that permits only HTTP traffic from the 192.168.1.0/24 network to the server 10.0.0.10, applied inbound on interface GigabitEthernet0/1.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

After entering config mode, create the ACL to allow HTTP from the specified network to the server. Apply it inbound on the correct interface. Then exit and verify.

Exam trap

A common trap is applying the ACL to an interface before creating it, or verifying before applying. Remember: create first, then apply, then verify. Also, ensure the ACL is applied in the correct direction (inbound) on the correct interface.

166
Multi-Selectmedium

Which four of the following are best practices for securing network services and devices? (Choose four.)

Select 4 answers
.Disable unused ports and services on routers and switches.
.Use Telnet for remote management because it is simpler to configure than SSH.
.Implement role-based access control (RBAC) to limit user privileges.
.Place all network devices on the same VLAN to simplify security policy enforcement.
.Enable logging and monitor logs for suspicious activity.
.Keep device firmware and operating systems up to date with security patches.

Why this answer

Disabling unused ports, implementing role-based access control (RBAC), enabling logging, and keeping firmware updated are all critical security best practices: they reduce the attack surface, limit user permissions, detect threats, and patch known vulnerabilities. Using Telnet is insecure because it transmits data in cleartext, unlike SSH. Placing all devices on the same VLAN undermines network segmentation and allows lateral movement by attackers.

Exam trap

Cisco often tests the misconception that Telnet is acceptable for management in a secure environment because it is easier to configure, but the exam expects you to recognize that SSH is the mandatory secure alternative.

167
Matchingmedium

Match each VLAN-related term to its most accurate meaning.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

The VLAN assigned to a normal end-device access port

The VLAN used to carry phone voice traffic separately

A link carrying traffic for multiple VLANs

The VLAN associated with untagged traffic on an 802.1Q trunk

Why these pairings

Each VLAN type serves a specific purpose: Access VLAN for end devices, Trunk VLAN for multiple VLANs over a link, Native VLAN for untagged frames, Voice VLAN for phones, Management VLAN for admin access, and Data VLAN for user traffic.

Exam trap

Be careful not to confuse the function of a trunk link with a VLAN type. Also, remember that native VLAN and voice VLAN are not separate VLAN types; they are specific uses of data VLANs.

168
Matchingmedium

Drag and drop the cable/transceiver types on the left to the correct descriptions on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Supports 1000BASE-T up to 100 meters with auto-negotiation for speed/duplex

Supports up to 5 km (or more with longer optics) using 1310 nm laser

Supports up to 300 meters over OM3 fiber at 10 Gbps

Single-mode transceiver for 10 Gbps links up to 10 km

1000BASE-T copper SFP transceiver for up to 100 meters on CAT5e/CAT6

Why these pairings

CAT5e UTP supports 1000BASE-T up to 100 meters as standard twisted-pair copper cabling. Single-mode fiber with 1000BASE-LX SFP uses a 1310 nm laser for long-distance links, typically up to 5 km but extendable with specific optics. Multimode fiber with 10GBASE-SR SFP+ provides high-speed 10 Gbps connectivity up to 300 meters over OM3 fiber due to SR’s short-reach design.

SFP-10G-LR is a single-mode transceiver designed for 10 km at 10 Gbps, leveraging its long-reach specification. GLC-T is a 1000BASE-T copper SFP, so it operates over CAT5e/CAT6 up to 100 meters. Incorrect pairings would mismatch cable type and distance capabilities, such as using multimode fiber for a 10 km link or a copper SFP with single-mode fiber.

Exam trap

A common mistake is to mismatch transceiver types and fiber categories, like using a 10GBASE-SR SFP+ on single-mode fiber or expecting a copper SFP to work over fiber; always check the transceiver’s specifications and compatible cabling.

169
MCQhard

A subnet must support at least 126 usable IPv4 host addresses. Which prefix is the longest that meets the requirement?

A./26
B./25
C./24
D./27
AnswerB

This is correct because /25 provides 126 usable host addresses.

Why this answer

A /25 is the smallest valid answer. In practical terms, a /25 provides 128 total addresses. After subtracting the network and broadcast addresses, 126 usable hosts remain. A /26 would be too small because it supports only 62 usable hosts.

This is a typical minimum-prefix question. The goal is to choose the smallest subnet that satisfies the host requirement without wasting more address space than necessary.

Exam trap

Be careful not to confuse total addresses with usable addresses. Always subtract the network and broadcast addresses when calculating usable hosts.

Why the other options are wrong

A

A /26 prefix provides 2^(32-26) - 2 = 64 - 2 = 62 usable host addresses, which is insufficient for the requirement of at least 126 usable hosts.

C

A /24 prefix provides 2^(32-24) - 2 = 256 - 2 = 254 usable host addresses, which is more than required. While it works, it is not the smallest prefix that meets the requirement, wasting IP address space.

D

A /27 prefix provides 2^(32-27) - 2 = 32 - 2 = 30 usable host addresses, far below the required 126. This is insufficient for the subnet.

170
Multi-Selectmedium

Which TWO statements about HSRP active/standby election, priority, and preempt are true?

Select 2 answers
A.The router with the highest priority becomes the active router.
B.If priorities are equal, the router with the highest MAC address becomes active.
C.Preemption is enabled by default on all HSRP routers.
D.The 'show standby' command can be used to verify the active and standby routers, priority, and preemption status.
E.The router with the lowest priority becomes the standby router.
AnswersA, D

HSRP uses priority (0–255, default 100) to determine the active router; the highest priority wins.

Why this answer

In HSRP, the router with the highest priority (default 100, range 0-255) becomes the active router (A). If priorities are equal, the router with the highest IP address on the subnet wins, not the highest MAC address (B). Preemption is disabled by default; 'standby preempt' must be configured for a higher-priority router to take over (C).

The 'show standby' command displays active/standby router roles, priority values, and preemption status, verifying D. The standby router is the one with the second-highest priority, not the lowest (E).

Exam trap

Cisco often tests the misconception that HSRP uses MAC address as a tiebreaker (it uses IP address) and that preemption is enabled by default (it is not).

Why the other options are wrong

B

HSRP tie-breaking uses the highest IP address on the HSRP interface, not the MAC address. The MAC address is used for virtual MAC assignment but does not influence election.

C

Preemption is disabled by default in HSRP; it must be explicitly configured with the 'standby preempt' command. Without preemption, a higher priority router will not take over active role from a lower priority router that is already active.

E

The standby router is the router with the second-highest priority, not the lowest. The lowest priority router would only become standby if all other routers fail, as it is the least preferred.

171
MCQhard

A JSON response from a controller contains a list of interfaces, each with its own name and status fields. Which JSON structure is most likely used to represent that list?

A.An array of objects
B.A single scalar string only
C.A wildcard mask
D.A route metric table
AnswerA

This is correct because a list of interfaces is commonly represented as objects inside an array.

Why this answer

The most likely structure is an array containing objects. In practical terms, an array is the natural way to represent a list of similar items, and each item can then be an object with named fields such as name and status. This is a very common pattern in API payloads.

The question is testing structure recognition, not programming syntax mastery.

Exam trap

A frequent exam trap is mistaking the JSON structure for unrelated networking concepts such as wildcard masks or route metric tables. Candidates might incorrectly select these options because they recognize the terms from routing or ACL topics, but these are not JSON data structures. Another trap is assuming a single scalar string can represent multiple interfaces, which ignores the need for multiple fields per interface.

Recognizing that an array of objects is the natural and standard way to represent a list of interfaces with multiple attributes helps avoid these pitfalls.

Why the other options are wrong

B

Incorrect because a single scalar string cannot represent multiple interfaces with distinct attributes, making it unsuitable for detailed interface lists.

C

Incorrect because wildcard masks are related to ACL configurations and do not represent JSON data structures for interface lists.

D

Incorrect because a route metric table is a routing concept and not a JSON data structure used to represent interface information.

172
Drag & Dropmedium

Drag and drop the following steps into the correct order to select and implement a network automation solution using the appropriate tool based on the use cases and differences between Puppet, Chef, Ansible, and Python.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
6Step 6

Why this order

The correct order follows a systematic approach: First, define the specific network automation goal to understand the scope and constraints. Next, evaluate whether a persistent, agent-based configuration enforcement approach (Puppet/Chef) or an agentless, orchestration-driven approach (Ansible) is required. Then consider the flexibility of a scripting language like Python for custom or one-off tasks.

After selecting the tool, write the automation logic (playbook, manifest, or script). Test it in a controlled environment to avoid production issues, and finally deploy and verify the automation to ensure it meets the intended outcome.

173
MCQhard

Why is an extended ACL usually placed close to the source of the traffic being filtered?

A.Because standard ACLs cannot be applied near the destination
B.To stop unwanted traffic earlier and conserve bandwidth
C.To make NAT translation easier on inside interfaces
D.Because extended ACLs only work inbound on access interfaces
AnswerB

Correct. Filtering near the source is the classic design guidance for extended ACLs.

Why this answer

Extended ACLs can filter by source, destination, and protocol. Placing them near the source drops unwanted traffic before it crosses more of the network.

Exam trap

Remember that ACLs are processed by network devices, not end devices, and their placement affects traffic flow, not the ACL's complexity or dynamic capabilities.

Why the other options are wrong

A

Standard ACLs can be applied near the destination or source, but the placement guidance for extended ACLs is based on their ability to filter on source and destination IP addresses and ports, not on limitations of standard ACLs. The reason for placing extended ACLs near the source is to filter traffic early, not because standard ACLs cannot be applied near the destination.

C

NAT translation is typically performed on routers or firewalls at network boundaries, and ACL placement for filtering is independent of NAT configuration. Placing an extended ACL near the source does not directly affect NAT translation; NAT uses its own rules and is not a factor in ACL placement decisions.

D

Extended ACLs can be applied inbound or outbound on any interface, not just inbound on access interfaces. The statement is factually incorrect; extended ACLs are versatile and can be placed in various locations depending on the filtering requirements.

174
MCQhard

R1 is an IPv6-only branch router. The administrator wants all unknown IPv6 destinations to be sent to the upstream router at 2001:db8:ff::1. Which command best achieves that goal?

A.ipv6 route ::/0 2001:db8:ff::1
B.ip route 0.0.0.0 0.0.0.0 2001:db8:ff::1
C.ipv6 route 2001:db8:ff::/64 ::1
D.ipv6 default-gateway 2001:db8:ff::1
AnswerA

This is correct because ::/0 is the IPv6 default route and the next hop is the upstream router.

Why this answer

The correct configuration is an IPv6 default static route pointing to the upstream next hop. In practical terms, this is the IPv6 version of a route of last resort. The router does not need specific entries for every remote IPv6 network if all unknown traffic should go to the upstream device.

The key distinction is that IPv6 static routing uses IPv6 syntax and the double-colon default prefix representation. This is a foundational branch-routing concept for IPv6 deployments.

Exam trap

A common exam trap is confusing IPv4 and IPv6 routing commands by attempting to use the ip route command with an IPv6 next-hop address. This is invalid because ip route is strictly for IPv4 static routes. Another trap is using ipv6 default-gateway, which is not a valid static routing command and does not install a route in the routing table.

These mistakes cause the router to drop unknown IPv6 traffic since no default route is installed. Candidates must recognize that IPv6 static routes require the ipv6 route command with the ::/0 prefix for default routing.

Why the other options are wrong

B

This option is incorrect because it uses the IPv4 static route syntax (ip route) with an IPv6 next-hop address, which is invalid and will not configure a proper IPv6 route.

C

This command creates a specific static route to the 2001:db8:ff::/64 prefix with a next hop of ::1, which is not a default route and does not forward all unknown IPv6 traffic.

D

The ipv6 default-gateway command is not used for static routing configuration and does not install a default route in the routing table, making it ineffective for forwarding unknown IPv6 destinations.

175
Multi-Selectmedium

Which two statements accurately describe why structured telemetry and APIs improve operational tooling?

Select 2 answers
A.They make it easier for software to process known fields consistently.
B.They support scalable automation, dashboards, and assurance workflows.
C.They eliminate the need for secure transport or access control.
D.They force all devices to stop supporting CLI access.
E.They are used only on wireless LAN controllers.
AnswersA, B

This is correct because structured data supports reliable machine interpretation.

Why this answer

Structured telemetry and APIs improve tooling because they reduce ambiguity and make automation more reliable. In practical terms, software can collect and compare known fields, counters, and states without brittle text parsing. That supports dashboards, reporting, and automated checks much better than relying only on human-oriented command output.

This is a broad operations-and-automation value question rather than a protocol memorization item.

Exam trap

A frequent exam trap is believing that structured telemetry and APIs remove the need for secure transport or access control. Candidates might think that because data is structured and machine-readable, security is inherently handled, which is incorrect. Another trap is assuming that these technologies force the removal of CLI access, but Cisco devices maintain CLI alongside APIs to support diverse operational needs.

Misunderstanding these points can lead to incorrect answers about the scope and impact of automation technologies in Cisco environments.

Why the other options are wrong

C

This option is incorrect because structured telemetry and APIs do not eliminate the need for secure transport or access control; security remains a fundamental requirement in network operations.

D

This option is incorrect since structured telemetry and APIs do not force devices to stop supporting CLI access; Cisco devices commonly support both CLI and programmable interfaces simultaneously.

E

This option is incorrect because structured telemetry and APIs are broadly applicable across many Cisco network devices and are not limited to wireless LAN controllers.

176
PBQhard

You are connected to R1 via console. R1 must forward traffic to the 203.0.113.0/24 and 2001:db8:1::/48 networks through R2 (10.0.0.2/30, 2001:db8:ff::2/64). The primary path must use a next-hop of 10.0.0.2 for IPv4 and 2001:db8:ff::2 for IPv6. Additionally, configure a floating static default route for IPv4 that uses R3 (192.0.2.2/30) as a backup only when the primary path fails. The current configuration has errors: the IPv4 static route points to a wrong next-hop (10.0.0.5) and the primary default route is missing, causing the floating route (AD 100) to become active instead of serving as a backup. Fix these issues so that both primary and backup routes work correctly.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/30linkG0/1192.0.2.1/30G0/0192.0.2.2/30linkR1R2R3

Hints

  • Check the directly connected subnet on G0/0 — what IPs are valid?
  • A floating static route must have a higher AD than the primary route.
  • The primary default route is missing — add it with a lower AD.
A.Change the next-hop of the static route to 203.0.113.0/24 from 10.0.0.5 to 10.0.0.2, and add a default route 0.0.0.0/0 via 10.0.0.2 with AD 1. Keep the floating default route 0.0.0.0/0 via 192.0.2.2 with AD 100.
B.Change the next-hop of the static route to 203.0.113.0/24 from 10.0.0.5 to 10.0.0.2, and change the administrative distance of the floating default route from 100 to 1 so it becomes the primary default route.
C.Change the next-hop of the static route to 203.0.113.0/24 from 10.0.0.5 to 10.0.0.2, and change the administrative distance of the floating default route from 100 to 255 so it is never used.
D.Change the next-hop of the static route to 203.0.113.0/24 from 10.0.0.5 to 10.0.0.2, and remove the floating default route because it is unnecessary.
AnswerA
solution
! R1
no ip route 203.0.113.0 255.255.255.0 10.0.0.5
ip route 203.0.113.0 255.255.255.0 10.0.0.2
ip route 0.0.0.0 0.0.0.0 10.0.0.2

Why this answer

The IPv4 static route to 203.0.113.0/24 used a next-hop of 10.0.0.5, which is not a directly connected interface (R1's G0/0 is 10.0.0.1/30, so only .2 is valid). This caused a recursive lookup failure. The floating static default route had AD 100, but a floating route must have an AD higher than the primary route's AD (typically 1) so it is only used when the primary fails; setting AD 100 is correct for backup, but the primary default route was missing.

The fix: change the next-hop for 203.0.113.0/24 to 10.0.0.2, and add a primary default route with AD 1 via 10.0.0.2. The floating route's AD of 100 is fine as backup. IPv6 route was correct.

Exam trap

Watch out for two common traps: (1) Static routes must use a directly connected next-hop; using an IP not on a directly connected subnet causes recursive lookup failure. (2) Floating static routes require a higher AD than the primary route; if the primary route is missing or has a higher AD, the floating route may become active prematurely or not at all.

Why the other options are wrong

B

The floating route must have a higher AD than the primary route to act as a backup; setting it to 1 would make it preferred over the primary default route, violating the requirement.

C

AD 255 is reserved for routes that are not to be installed; a floating route needs an AD higher than the primary but less than 255 to be usable as backup.

D

The floating route is required by the scenario; removing it would eliminate the backup path, which is not the intended fix.

177
MCQhard

What prefix length corresponds to the subnet mask 255.255.255.248?

A./28
B./29
C./30
D./27
AnswerB

This is correct because 255.255.255.248 equals 29 network bits.

Why this answer

The mask 255.255.255.248 corresponds to /29. In practical terms, the first three octets provide 24 network bits, and the value 248 in the last octet is 11111000 in binary, which contributes 5 more network bits. That gives a total prefix length of 29.

This is a standard dotted-decimal to prefix conversion question. It matters because subnetting often requires you to move comfortably between both forms.

Exam trap

Be careful not to confuse the binary values of subnet masks. Ensure you understand how to convert between dotted-decimal and CIDR notation.

Why the other options are wrong

A

The subnet mask 255.255.255.240 corresponds to a /28 prefix length, not /29. This mask has 28 network bits, leaving 4 host bits, which yields 14 usable hosts per subnet.

C

The subnet mask 255.255.255.252 corresponds to a /30 prefix length, not /29. A /30 mask has 30 network bits and only 2 host bits, providing 2 usable addresses, typically used for point-to-point links.

D

The subnet mask 255.255.255.224 corresponds to a /27 prefix length, not /29. A /27 mask has 27 network bits and 5 host bits, providing 30 usable hosts per subnet.

178
MCQmedium

What is a key difference between SNMPv3 and earlier SNMP versions?

A.SNMPv3 supports IPv4 only
B.SNMPv3 adds authentication and encryption features
C.SNMPv3 cannot be used for monitoring interface counters
D.SNMPv3 replaces syslog completely
AnswerB

Correct. Stronger security is the primary differentiator.

Why this answer

SNMPv3 improves security by adding authentication, message integrity, and privacy features. Earlier versions, especially SNMPv1 and v2c, rely on community strings and provide much weaker protection.

Exam trap

A common exam trap is to mistakenly believe that SNMPv3 restricts network monitoring capabilities or IP protocol support. Some candidates incorrectly think SNMPv3 supports only IPv4 or that it replaces syslog entirely. These misconceptions arise because the question emphasizes SNMPv3’s differences without clarifying what remains unchanged.

The trap is to focus on unrelated protocol features rather than the core improvement: security. Selecting options that mention monitoring limitations or protocol replacement leads to incorrect answers. Understanding that SNMPv3’s main advancement is adding authentication and encryption prevents falling into this trap.

Why the other options are wrong

A

Option A is incorrect because SNMPv3 supports both IPv4 and IPv6 networks. It is not limited to IPv4 only, so this option misrepresents SNMPv3’s capabilities.

C

Option C is incorrect since SNMPv3 continues to support monitoring functions such as interface counters. It does not remove or restrict these capabilities.

D

Option D is incorrect because SNMPv3 does not replace syslog. Both protocols coexist and serve different roles in network management and logging.

179
Matchingmedium

Match each routing term to its most accurate meaning.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Trust comparison between route sources

Protocol-specific value used to compare paths

Preference for the most specific matching route

Fallback route used when no more specific route matches

Why these pairings

Administrative distance is a measure of trustworthiness of the route source; a lower AD is preferred when the same prefix is learned from multiple routing protocols. Metric is a protocol-specific value (e.g., OSPF cost, EIGRP composite) used to choose the best path among routes from the same source. Longest-prefix match is the fundamental routing table lookup rule: the route with the longest subnet mask (most specific) is used regardless of AD or metric.

Default route (0.0.0.0/0) acts as a gateway of last resort, forwarding packets when no more specific route exists.

Exam trap

A common pitfall is believing that a lower metric route always wins over a higher administrative distance route. In reality, AD determines which route makes it into the routing table, then metric selects within that source; longest-prefix match overrides both.

180
MCQhard

A network engineer notices that the system clock on a Cisco IOS-XE router is incorrect, causing syslog timestamps to be unreliable. The router is configured as an NTP client to synchronize with a remote NTP server at 192.168.1.10. However, the show ntp status command indicates the clock is unsynchronized. What is the most likely cause of this issue?

A.The NTP server is using TCP instead of UDP for NTP communication.
B.The router cannot reach the NTP server due to a missing route or firewall blocking UDP port 123.
C.The NTP server has a higher stratum level than the router's local clock, so the router ignores it.
D.NTP authentication is misconfigured on the router.
AnswerB

The reach value of 0 indicates no NTP packets have been received, typically due to connectivity issues or ACL/firewall blocking UDP 123.

Why this answer

NTP operates over UDP port 123. If the router cannot reach the NTP server at 192.168.1.10 due to a missing route or a firewall blocking UDP 123, the NTP client will remain unsynchronized, as indicated by the 'show ntp status' command showing the clock as unsynchronized. This is the most common cause of NTP synchronization failure in a network.

Exam trap

Cisco often tests the misconception that NTP uses TCP or that authentication is the primary cause of synchronization failure, when in fact the most common issue is simple network reachability or firewall blocking of UDP port 123.

Why the other options are wrong

C

The NTP server having a higher stratum level than the local clock does not prevent synchronization outright; the router will still attempt to sync if the server is reachable and authenticates, so this is not the most likely cause.

181
PBQhard

You are connected to R1. Configure HSRP on R1 and R2 so that R1 is the active gateway for VLAN 100 with a virtual IP of 192.0.2.254. R1 should preempt and track its G0/1 interface to decrement priority by 20 if it goes down. Currently, both routers show active for the group, and the virtual IP is incorrectly set. Troubleshoot and fix the configuration on R1 only.

Hints

  • Check the virtual IP address in the standby configuration.
  • Ensure R1's priority is higher than R2's to become active.
  • Preempt must be configured to re-elect after a priority change.
A.Change the virtual IP to 192.0.2.254 and set priority to 110.
B.Change the virtual IP to 192.0.2.254 and remove the track command.
C.Change the virtual IP to 192.0.2.254 and configure preempt on R2.
D.Change the virtual IP to 192.0.2.254 and set priority to 100.
AnswerA
solution
! R1
interface GigabitEthernet0/0.100
standby 1 ip 192.168.100.254
standby 1 priority 110
standby 1 preempt

Why this answer

The issue is that both routers are active because the virtual IP on R1 was 192.168.100.254, which is not in the same subnet as the interface IP (192.0.2.1/24), so HSRP couldn't form a common group. Changing the virtual IP to 192.0.2.254 fixes the subnet mismatch. Additionally, setting R1's priority to 110 ensures it becomes the active router because it has preempt configured, and the higher priority overrides R2's default 100.

The track command remains correct as it reduces priority if G0/1 fails.

Exam trap

Trap: Candidates may focus on the track command or preempt, but the primary issue is the virtual IP mismatch and default priority. Always verify the virtual IP belongs to the same subnet as the interface and adjust priority to ensure the desired active router.

Why the other options are wrong

B

Removing the track command would prevent R1 from decrementing priority when G0/1 fails, violating the requirement to track the interface.

C

Configuring preempt on R2 might allow it to take over, but the task only asks to fix R1; the primary issue is the virtual IP mismatch on R1.

D

Setting priority to 100 (the default) without preempt? Actually, R1 already has preempt, but with equal priority, the highest IP wins, which might be R2, so R1 might not become active. Increasing priority to 110 is required.

182
MCQhard

A network engineer is configuring an EtherChannel between two switches. After applying the configuration, the port-channel fails to form. What is the most likely reason?

A.The member links use different switchport modes, so the channel cannot form correctly.
B.LACP requires both interfaces to use different channel-group numbers.
C.The interfaces must both be configured for PPP.
D.The bundle fails because BGP is not enabled on the switch.
AnswerA

This is correct because trunk/access inconsistency breaks EtherChannel compatibility.

Why this answer

The port-channel is not forming because the two member interfaces are not configured consistently. In practical terms, EtherChannel requires important characteristics to align across candidate member links. Here, one interface is a trunk and the other is configured as an access port, so the channel cannot be built cleanly.

This is a classic EtherChannel consistency problem. The protocol alone is not enough if the member-link settings disagree.

Exam trap

Always verify interface configurations for consistency when troubleshooting EtherChannel issues.

Why the other options are wrong

B

LACP requires that all member interfaces in the same port-channel use the same channel-group number. Using different numbers would place them in separate bundles, preventing the intended aggregation.

C

PPP is a Layer 2 encapsulation used on serial links, not on Ethernet switch ports. EtherChannel on Cisco switches uses Ethernet frames, and PPP is irrelevant to the configuration of port-channels.

D

BGP is a routing protocol that operates at Layer 3 and is not required for EtherChannel formation. EtherChannel is a Layer 2 technology that bundles physical links into a single logical link, independent of any routing protocol.

183
MCQhard

A network administrator notices that the NTP server on Router R1 is not synchronizing with the upstream NTP server at 192.0.2.1. The router is configured as an NTP client, but show ntp status indicates the clock is unsynchronized and the stratum is 16. There is no firewall between R1 and 192.0.2.1. What is the most likely cause of this issue?

A.The NTP server at 192.0.2.1 is not configured as a peer on R1.
B.Router R1 does not have a route to reach 192.0.2.1.
C.The NTP server at 192.0.2.1 is not using NTP version 4.
D.The NTP server at 192.0.2.1 has a firewall blocking NTP traffic.
AnswerB

Without a route to the upstream NTP server, the NTP client cannot send or receive packets, leaving it unsynchronized at stratum 16.

Why this answer

The most likely cause is that Router R1 lacks a route to the upstream NTP server at 192.0.2.1. Without a valid IP route, NTP packets cannot reach the server, so the client remains unsynchronized with stratum 16. The other options are incorrect: A is not required for client operation, C is irrelevant because NTP version negotiation works across versions, and D is ruled out by the absence of a firewall.

Exam trap

Cisco often tests the misconception that NTP configuration alone ensures synchronization, but the trap here is that candidates overlook the prerequisite of IP reachability, assuming the ntp server command handles routing automatically.

Why the other options are wrong

A

Configuring the server as a peer is unnecessary for an NTP client; the client uses the ntp server command.

C

NTP version incompatibility does not prevent synchronization because devices negotiate versions automatically.

D

The problem states there is no firewall, so this cannot be the cause.

184
MCQmedium

In AAA, what does the second A stand for?

A.Application
B.Accounting
C.Authorization
D.Auditing
AnswerC

Correct. The second A is Authorization.

Why this answer

AAA stands for Authentication, Authorization, and Accounting. Authorization determines what an authenticated user is allowed to do.

Exam trap

A frequent exam trap is mistaking the second A in AAA for Accounting or Auditing. Many candidates confuse Authorization with Accounting because both start with 'A' and relate to user management. However, Authorization specifically controls what an authenticated user is allowed to do, while Accounting tracks user activities for logging and auditing purposes.

Selecting Accounting as the second A overlooks the sequential process where permissions are granted immediately after authentication, before any activity is logged. This confusion can lead to incorrect answers and misunderstanding of Cisco AAA implementation.

Why the other options are wrong

A

Application is not part of the AAA acronym and does not relate to the core security functions of Authentication, Authorization, or Accounting, making it an incorrect choice.

B

Accounting is the third A in AAA and focuses on logging user activities, not the second A which controls user permissions after authentication.

D

Auditing, while related to security, is not part of the AAA acronym and does not represent the second A in the AAA framework.

185
MCQhard

A host is configured with IP address 172.16.100.222/27. Which address is the broadcast address for its subnet?

A.172.16.100.191
B.172.16.100.223
C.172.16.100.224
D.172.16.100.255
AnswerB

This is correct because .222 is in the 192–223 /27 block.

Why this answer

A /27 uses address blocks of 32. In practical terms, the fourth-octet ranges are 0–31, 32–63, 64–95, 96–127, 128–159, 160–191, 192–223, and 224–255. Since 222 falls inside the 192–223 block, the broadcast address is the last address in that block, which is 172.16.100.223.

This is a classic subnet-boundary question because it tests whether you can place a host in the correct block and then identify the final address in that block as the broadcast.

Exam trap

Avoid assuming the broadcast address is always .255 or miscalculating subnet ranges.

Why the other options are wrong

A

172.16.100.191 is the broadcast address of the previous /27 subnet (172.16.100.160/27), not the subnet containing .222. The host .222 is in the 172.16.100.192/27 subnet, so its broadcast is .223.

C

172.16.100.224 is the network address of the next /27 subnet (172.16.100.224/27), not a broadcast address. Broadcast addresses are always the last address in a subnet, not the first.

D

172.16.100.255 is the broadcast address of the entire /24 subnet (172.16.100.0/24), not the /27 subnet containing .222. The /27 subnet has a smaller range, so its broadcast is .223.

186
PBQhard

You are connected to R1. Configure R1 and SW1 so that hosts in VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24) can communicate via the router-on-a-stick setup. The current configuration has errors: the trunk port between SW1 and R1 has a native VLAN mismatch, VLAN 30 is not allowed on the trunk, and the subinterface encapsulation is incorrect. Correct these issues and enable inter-VLAN routing.

Network Topology
G0/1trunkSW1R1

Hints

  • Check the native VLAN on both ends of the trunk: R1's subinterface .30 should use the native keyword.
  • Ensure VLAN 30 is allowed on the SW1 trunk; you may need to add it to the allowed list.
  • Enable ip routing globally on R1 to route between VLANs.
A.On R1, configure interface GigabitEthernet0/0.30 with encapsulation dot1Q 99 native; on SW1, allow VLAN 30 on the trunk interface.
B.On R1, configure interface GigabitEthernet0/0.30 with encapsulation dot1Q 30; on SW1, remove VLAN 30 from the trunk allowed list.
C.On R1, configure interface GigabitEthernet0/0.30 with encapsulation dot1Q 30; on SW1, set the native VLAN to 1 on the trunk.
D.On R1, configure interface GigabitEthernet0/0.30 with encapsulation dot1Q 30; on SW1, configure the trunk to allow only VLANs 10 and 20.
AnswerA
solution
! R1
configure terminal
interface GigabitEthernet0/0.30
encapsulation dot1Q 30 native
exit
interface GigabitEthernet0/0
no shutdown
exit
ip routing
exit
copy running-config startup-config

Why this answer

The native VLAN on SW1 is 99 but R1's physical interface defaults to VLAN 1, causing a mismatch. To fix this, R1's subinterface Gi0/0.30 must be set with encapsulation dot1Q 99 native, making R1's native VLAN 99 and matching SW1. VLAN 30 is not allowed on the trunk, preventing any traffic in that VLAN; it must be added to the trunk's allowed list on SW1.

After these corrections, inter-VLAN routing for VLANs 10 and 20 will function correctly.

Exam trap

Candidates often assume that setting a subinterface's encapsulation to 'dot1Q 30 native' will fix any mismatch, but the native VLAN ID must be explicitly aligned with the switch's native VLAN configuration.

Why the other options are wrong

B

The specific factual error: VLAN 30 must be allowed on the trunk for the router to receive and forward traffic for that VLAN.

C

The specific factual error: The native VLAN must match on both ends of the trunk; changing SW1 to VLAN 1 would not resolve the mismatch with R1's native VLAN 30.

D

The specific factual error: The trunk must allow all VLANs that need to be routed, including the native VLAN (30), otherwise the router cannot communicate with hosts in VLAN 30.

187
PBQhard

You are connected to R1. Configure PAT (NAT overload) so that hosts on the 192.168.1.0/24 inside network can reach the Internet through the outside interface GigabitEthernet0/1 using the IP address 203.0.113.1. Additionally, configure static NAT to map internal server 192.168.1.10 to public IP 203.0.113.5. The current configuration has several errors. Identify and correct them.

Hints

  • Check the NAT direction on the interfaces.
  • Is the overload keyword present?
  • Does the ACL match the correct inside subnet?
A.Correct the NAT interface directions: G0/0 as inside, G0/1 as outside. Add 'overload' to the PAT command. Change ACL 100 to permit 192.168.1.0 0.0.0.255.
B.Change the NAT interface directions: G0/0 as outside, G0/1 as inside. Add 'overload' to the PAT command. Change ACL 100 to permit 192.168.1.0 0.0.0.255.
C.Correct the NAT interface directions: G0/0 as inside, G0/1 as outside. Add 'overload' to the PAT command. Keep ACL 100 as is because it already permits the correct subnet.
D.Change the NAT interface directions: G0/0 as outside, G0/1 as inside. Add 'overload' to the PAT command. Change ACL 100 to permit 192.168.1.0 0.0.0.255.
AnswerA
solution
! R1
configure terminal
interface GigabitEthernet0/0
ip nat inside
exit
interface GigabitEthernet0/1
ip nat outside
exit
ip nat inside source list 100 interface GigabitEthernet0/1 overload
no access-list 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
end
write memory

Why this answer

The configuration had three issues: (1) Inside and outside interfaces were swapped — G0/0 (inside) was marked 'ip nat outside' and G0/1 (outside) was 'ip nat inside'. (2) The PAT command was missing the 'overload' keyword. (3) ACL 100 matched the wrong subnet (192.168.2.0 instead of 192.168.1.0). To fix: correct interface NAT directions, add 'overload', and update ACL to permit 192.168.1.0/24.

Exam trap

Watch for three common NAT configuration errors: interface direction misassignment, missing 'overload' keyword for PAT, and incorrect ACL subnet matching. Always verify each component separately.

Why the other options are wrong

B

The specific factual error is that the inside and outside interfaces are swapped; G0/0 is the internal interface and must be 'ip nat inside'.

C

The specific factual error is that the ACL permits the wrong subnet (192.168.2.0 instead of 192.168.1.0).

D

The specific factual error is that both the interface directions are swapped and the ACL is changed, but the interface directions must be correct for NAT to work.

188
PBQhard

You are connected to R1, a router that serves as the DNS resolver for the local network 192.168.10.0/24. Users report that they cannot resolve the hostname 'webserver.internal' to its IP address (192.168.10.50), and reverse DNS lookups for that IP return a different name. Additionally, some queries to an external domain 'example.com' time out. Diagnose and fix the DNS configuration on R1 using nslookup and dig commands where applicable, ensuring proper forward and reverse resolution for internal hosts and reachability to external DNS servers.

Hints

  • Check which DNS servers are reachable with 'ping' or 'show ip dns'.
  • The missing A record can be added as a static host entry on R1.
  • The PTR record can be overridden with an 'ip host' command for the reverse lookup zone.
A.Remove the unreachable DNS server 192.0.2.53, add an A record for webserver.internal (192.168.10.50), and correct the PTR record for 192.168.10.50 to point to webserver.internal.
B.Add an A record for webserver.internal (192.168.10.50) and correct the PTR record for 192.168.10.50 to point to webserver.internal, but leave the unreachable DNS server 192.0.2.53 in the configuration.
C.Remove the unreachable DNS server 192.0.2.53 and add an A record for webserver.internal (192.168.10.50), but do not correct the PTR record for 192.168.10.50.
D.Replace the unreachable DNS server 192.0.2.53 with a reachable one, and correct the PTR record for 192.168.10.50 to point to webserver.internal, but do not add an A record for webserver.internal.
AnswerA
solution
! R1
no ip name-server 192.0.2.53
ip name-server 8.8.8.8
ip host webserver.internal 192.168.10.50
ip host 50.10.168.192.in-addr.arpa webserver.internal

Why this answer

The DNS server 192.0.2.53 is unreachable, causing timeouts for external queries. The primary DNS server 203.0.113.53 returns NXDOMAIN for 'webserver.internal' because no A record exists for that hostname in the internal zone. Additionally, the PTR record for 192.168.10.50 incorrectly points to 'mail.internal' instead of 'webserver.internal'.

To fix, first remove the unreachable DNS server with 'no ip name-server 192.0.2.53' or replace it with a reachable one. Then, on the DNS server (or via static host entries on R1), add an A record for webserver.internal (192.168.10.50) and correct the PTR record to point to webserver.internal. Optionally, configure 'ip host webserver.internal 192.168.10.50' on R1 for local resolution.

Exam trap

Watch out for questions that present multiple DNS issues simultaneously. Candidates often focus on one problem (e.g., missing A record) and forget to check reverse DNS or external server reachability. Always verify all symptoms before concluding the fix.

Why the other options are wrong

B

The specific factual error is that an unreachable DNS server must be removed or replaced to resolve external queries; simply fixing internal records does not address the timeout issue.

C

The specific factual error is that reverse DNS must match the forward record for consistency; an incorrect PTR record is a problem even if forward resolution works.

D

The specific factual error is that forward and reverse DNS are independent; adding a PTR record does not create an A record. The A record must exist for forward queries to succeed.

189
PBQhard

You are connected to a multilayer switch MLS1. Configure FastEthernet0/1 as an access port for an IP phone and a PC, with voice VLAN 20 and data VLAN 10. Also enable PoE on the port. Then verify the configuration using 'show interfaces switchport' and 'show power inline'.

Hints

  • The interface currently has 'no switchport' — remove that to make it a Layer 2 port.
  • You need to set both access VLAN and voice VLAN using the switchport command.
  • PoE is currently disabled globally or per interface — enable it with 'power inline auto'.
A.interface FastEthernet0/1 switchport mode access switchport access vlan 10 switchport voice vlan 20 power inline auto no shutdown
B.interface FastEthernet0/1 no switchport ip address 192.168.1.1 255.255.255.0 power inline auto no shutdown
C.interface FastEthernet0/1 switchport mode trunk switchport trunk allowed vlan 10,20 power inline auto no shutdown
D.interface FastEthernet0/1 switchport mode access switchport access vlan 10 switchport voice vlan 20 power inline never no shutdown
AnswerA
solution
! MLS1
configure terminal
interface FastEthernet0/1
switchport mode access
switchport access vlan 10
switchport voice vlan 20
power inline auto
end

Why this answer

Option A is correct because it configures FastEthernet0/1 as an access port with data VLAN 10, voice VLAN 20, and PoE enabled, which is the required setup for an IP phone and PC. Option B is incorrect because 'no switchport' makes the interface a routed port (Layer 3), but it needs to be a Layer 2 access port to support an IP phone and PC. Option C is incorrect because trunk mode is used for switch-to-switch links, not for connecting end devices like an IP phone and PC.

Option D is incorrect because 'power inline never' disables PoE, but the IP phone requires power; it should use 'power inline auto'.

Exam trap

The trap is that candidates may incorrectly use 'no switchport' to make the interface a routed port, or use trunk mode instead of access mode with voice VLAN. Remember that for end devices, the port must be an access port; the voice VLAN is configured separately. Also, ensure PoE is enabled with 'auto', not 'never'.

Why the other options are wrong

B

'no switchport' creates a routed port, which cannot handle VLANs for an IP phone and PC.

C

Trunk mode is for inter-switch links, not for end devices; access mode is required.

D

'power inline never' disables PoE, but the IP phone needs power from the switch.

190
Multi-Selectmedium

A switch port is configured with port-security violation mode restrict. Which two statements are true when an unauthorized MAC address appears?

Select 2 answers
A.Frames from the unauthorized MAC are dropped
B.The port remains up
C.The interface immediately goes into err-disabled state
D.The switch converts the port to a trunk automatically
E.The violation mode changes itself to shutdown after three attempts
AnswersA, B

Restrict does not allow the violating traffic through.

Why this answer

Restrict drops frames from violating MAC addresses and can increment the violation counter while keeping the port up. Shutdown would err-disable the port instead.

Exam trap

Do not confuse restrict with shutdown mode; restrict does not disable the port.

Why the other options are wrong

C

The err-disabled state is characteristic of the shutdown violation mode, not restrict. In restrict mode, the port remains up and only drops violating traffic while logging the event.

D

Port security does not change the port's operational mode; it only controls MAC address access. Converting a port to a trunk is unrelated to port security and requires explicit configuration.

E

Port security violation modes do not automatically change. The mode is statically configured and remains the same regardless of the number of violations. There is no automatic escalation from restrict to shutdown.

191
Multi-Selectmedium

Which TWO commands would a network administrator use to verify that a client has received a valid IP address from a DHCP server and can resolve domain names to IP addresses?

Select 2 answers
A.ipconfig /all
B.ping 127.0.0.1
C.tracert 8.8.8.8
D.nslookup www.courseiva.com
E.arp -a
AnswersA, D

Displays full TCP/IP configuration, confirming DHCP-assigned IP address, subnet mask, gateway, and DNS servers.

Why this answer

Option A (ipconfig /all) is correct because it displays the full TCP/IP configuration for all network adapters, including whether DHCP is enabled, the assigned IP address, subnet mask, default gateway, and the DHCP server address. This allows the administrator to confirm that the client received a valid IP address from the DHCP server. Option D (nslookup www.courseiva.com) is correct because it queries the configured DNS server to resolve the domain name to an IP address, verifying that name resolution is working.

Option B (ping 127.0.0.1) only tests the local TCP/IP stack and does not verify DHCP assignment or DNS resolution. Option C (tracert 8.8.8.8) uses an IP address directly and does not test domain-name resolution. Option E (arp -a) displays the ARP cache, which is unrelated to DHCP or DNS.

Exam trap

Cisco often tests the distinction between verifying local IP stack functionality (ping 127.0.0.1) versus verifying DHCP address assignment and DNS resolution, leading candidates to mistakenly choose loopback or traceroute commands that do not validate the specific requirements.

Why the other options are wrong

B

ping 127.0.0.1 only tests the local TCP/IP stack and does not verify DHCP address assignment or DNS resolution.

C

tracert 8.8.8.8 uses an IP address directly and does not test domain-name resolution.

E

arp -a displays the ARP cache, which is unrelated to DHCP or DNS.

192
Matchingmedium

Match each route source to its default administrative distance on a Cisco router.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

0

1

20

110

Why these pairings

Default administrative distances on Cisco routers: connected=0, static=1, EIGRP summary=5, OSPF=110, IS-IS=115, RIP=120. Lower value indicates higher preference.

Exam trap

The exam trap is that candidates often confuse the administrative distances for different routing protocols, especially EIGRP summary (5) vs. internal EIGRP (90), and OSPF (110) vs. IGRP (100). Remember that EIGRP summary routes are more preferred than internal EIGRP routes.

193
Drag & Drophard

Drag and drop the following steps into the correct order to configure PAT (Port Address Translation) on a Cisco IOS-XE router for outbound traffic, including ACL creation, NAT statement, interface marking, and the translation process for an outbound packet.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The correct sequence is: enter global configuration mode, mark the inside and outside interfaces with 'ip nat inside' and 'ip nat outside', then create an ACL to match internal traffic, and finally apply the NAT overload statement using the outside interface. This order ensures the NAT process knows which interfaces are designated as inside/outside before matching and translating traffic. Option B follows this standard recommended order.

Exam trap

Many candidates mistakenly think the ACL must be created before marking interfaces, but interface designation should come first to define the NAT domains before defining the traffic to translate.

194
MCQhard

A phone and PC share one switchport. The phone registers successfully, but the workstation receives an address from the wrong subnet. Which explanation is strongest?

A.The workstation is likely in the wrong data VLAN even though the phone is in the correct voice VLAN.
B.If the phone works, the data VLAN must also be correct automatically.
C.The problem must be CAPWAP because phones require AP controllers.
D.The phone registration proves that DHCP cannot be the issue for the PC.
AnswerA

This is correct because voice and data can use different VLAN roles on the same physical port.

Why this answer

Option A is correct because the phone and PC share a single switchport configured with separate voice and data VLANs. The phone successfully registers in the voice VLAN, but the workstation receives an IP address from the wrong subnet, indicating it is placed in an incorrect data VLAN. This typically occurs when the switchport's access VLAN (data VLAN) is misconfigured or mismatched with the workstation's expected subnet, while the voice VLAN (often using 802.1Q tagging) is correctly set for the phone.

Exam trap

Cisco often tests the misconception that if the phone works, the entire port configuration is correct, but the trap here is that the voice and data VLANs are independent, so a misconfigured access VLAN can still cause the PC to receive an incorrect IP address.

Why the other options are wrong

B

This statement is incorrect because voice and data VLANs are independent on a switchport configured with separate VLANs. The phone successfully registering on the voice VLAN does not guarantee that the data VLAN is correctly configured; the PC could still be assigned to a different VLAN or subnet due to misconfiguration.

C

CAPWAP (Control and Provisioning of Wireless Access Points) is a protocol used for wireless LAN controller and access point communication, not for wired switchport configuration. The scenario describes a wired phone and PC sharing a switchport, which is unrelated to wireless controllers.

D

The phone's successful registration does not rule out DHCP issues for the PC. The PC could be receiving an IP address from a DHCP server that is on the wrong subnet or VLAN, or the DHCP relay might be misconfigured for the data VLAN. The phone's DHCP success is independent of the PC's DHCP process.

195
MCQhard

Why does traffic to 172.31.80.10 use the RIP route (172.31.80.0/24) instead of the static route (172.31.0.0/16)?

A.Because the RIP /24 route is more specific than the static /16 route.
B.Because RIP always overrides static routing.
C.Because static routes cannot be used for private IPv4 space.
D.Because the static route is automatically removed whenever RIP is enabled.
AnswerA

This is correct because longest-prefix match selects the /24 route for that destination.

Why this answer

Traffic uses the RIP route because the static route is less specific than the RIP route. In practical terms, longest-prefix match is always evaluated first. Even though the static route is manually configured, the more specific RIP prefix wins because it describes the destination more precisely.

This is a strong route-selection item because it tests whether you can prioritize specificity ahead of route source preference.

Exam trap

A frequent exam trap is assuming that static routes always take precedence over RIP routes because static routes have a lower administrative distance. This misconception ignores the critical role of longest-prefix match in route selection. The router first selects the route with the most specific subnet mask before considering administrative distance.

Therefore, a RIP route with a /24 mask will override a static route with a /16 mask for matching traffic. Another trap is thinking that enabling RIP disables or removes static routes, which is incorrect; static routes remain active unless explicitly removed or overridden by a more specific route.

Why the other options are wrong

B

Incorrect because RIP does not always override static routes. Static routes have a lower administrative distance and are preferred when prefix lengths are equal, so this statement is false.

C

Incorrect because static routes can be used with private IPv4 address space without issue. There is no restriction preventing static routing of private addresses.

D

Incorrect because enabling RIP does not automatically remove static routes. Static routes remain active unless manually removed or overridden by a more specific route.

196
Drag & Dropmedium

Drag and drop the following troubleshooting steps into the correct order to diagnose a client connectivity issue using the OSI bottom-up method. The client cannot access a web server by its FQDN.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The bottom-up OSI approach starts with Layer 1 (physical) – step A; then Layer 2 (data link) – step D; then Layer 3 (network) – step C; and finally Layer 7 (application) – step B. This methodical progression isolates the issue layer by layer, ensuring all dependencies are checked systematically.

Exam trap

The trap is that candidates often jump to DNS or IP configuration because the symptom involves an FQDN, but the bottom-up method requires starting at Layer 1. Remember: always start at the bottom of the OSI model when using this approach.

197
Multi-Selectmedium

Which two statements accurately describe longest-prefix match in routing?

Select 2 answers
A.The most specific matching route is preferred over broader matching routes.
B.A default route is preferred over a matching /24 because it is simpler.
C.Longest-prefix match is evaluated before choosing between broader and narrower matching routes.
D.Routers ignore subnet masks and choose only by administrative distance.
E.A /16 is always more specific than a /24.
AnswersA, C

This is correct because longest-prefix match is based on route specificity.

Why this answer

Longest-prefix match means a router prefers the most specific route that matches the destination. In plain language, if several entries could apply to a packet, the router chooses the one that narrows the destination range most precisely. This is why a /25 can beat a /24, and a /24 can beat a /16, even if all three technically contain the same destination address.

The common mistake is to assume the router always begins with protocol trust or metric. Those factors matter, but only after the router has determined which matching routes share the same prefix length.

Exam trap

A common exam trap is assuming that a default route or a route with a simpler prefix is preferred over a more specific route. Some candidates mistakenly believe that administrative distance or metric always takes precedence over prefix length. However, Cisco routers always apply longest-prefix match first, selecting the most specific route before considering administrative distance or metric.

This misunderstanding can lead to incorrect answers when default routes or broader prefixes appear in the routing table alongside more specific routes.

Why the other options are wrong

B

Option B is incorrect because a default route is less specific than a /24 route and is only used if no more specific route exists, not because it is simpler.

D

Option D is incorrect because routers do not ignore subnet masks; prefix length is fundamental to longest-prefix match and route selection.

E

Option E is incorrect since a /24 prefix is more specific than a /16 prefix, contradicting the statement that a /16 is always more specific.

198
PBQhard

You are troubleshooting a connectivity issue for a remote worker who reports being unable to access the internet. The worker's PC is connected to switch S1, which is connected to router R1. You have console access to R1. The router's interface G0/0 is configured with IP 192.168.1.1/24, and the DHCP pool 'LAN' currently has network 192.168.1.0 255.255.255.0 and default-router 192.168.1.254. The PC has obtained an IP address of 192.168.1.100 from DHCP and a subnet mask of 255.255.255.0, but cannot ping 8.8.8.8. Identify the fault and configure R1 to restore internet access for the PC.

Network Topology
G0/0192.168.1.1/24G0/0192.168.1.1/24PCS1R1internet

Hints

  • Check the default-router value in the DHCP pool against the router's interface IP.
  • The PC's APIPA address indicates DHCP failure — review the DHCP configuration.
  • Ensure the router's interface IP matches the gateway offered by DHCP.
A.Change the default-router in the DHCP pool 'LAN' to 192.168.1.1
B.Change the network statement in the DHCP pool 'LAN' to 192.168.1.0 255.255.255.0
C.Add the command 'ip helper-address 192.168.1.254' on interface G0/0
D.Change the IP address of interface G0/0 to 192.168.1.254/24
AnswerA
solution
! R1
conf t
ip dhcp pool LAN
default-router 192.168.1.1
end

Why this answer

The PC received a valid IP address from DHCP, proving the DHCP server is reachable and the network statement is correct. However, the pool’s default-router is set to 192.168.1.254, while the actual interface IP (the real gateway) is 192.168.1.1. The PC therefore uses an incorrect default gateway, blocking internet access.

Changing the default-router to 192.168.1.1 fixes the gateway mismatch. Option B is wrong because the network statement already matches the subnet. Option C is unnecessary since no helper address is needed for a DHCP server on the same subnet.

Option D would change the router’s IP to 192.168.1.254, creating further misalignment and breaking connectivity.

Exam trap

Do not assume that any connectivity issue is caused by a DHCP server failure; always compare the default-router entry in the DHCP pool with the actual interface IP before altering network statements or adding helper addresses.

Why the other options are wrong

B

The network statement is already correct; changing it does not resolve the incorrect default gateway.

C

No helper address is needed because the DHCP server (the router itself) is on the same subnet as the PC.

D

Setting the interface IP to 192.168.1.254 would create an address mismatch with the DHCP pool’s gateway and break the subnet.

199
PBQhard

You are connected to R1. Configure R1 so that it uses a floating static route to reach the 203.0.113.0/24 network via R2 only when the primary route (learned via EIGRP) fails. The primary route has an administrative distance of 90. Currently, R1 has no route to 203.0.113.0/24 because EIGRP is down on the direct link. Ensure the floating static route is installed and used.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/30linkG0/1192.0.2.1/24linkR1R2LAN

Hints

  • The primary route would be learned via EIGRP with AD 90.
  • A floating static route must have an AD higher than 90 to be less preferred.
  • Use the 'ip route' command with an AD value between 91 and 255.
A.ip route 203.0.113.0 255.255.255.0 10.0.0.2 95
B.ip route 203.0.113.0 255.255.255.0 10.0.0.2 90
C.ip route 203.0.113.0 255.255.255.0 10.0.0.2 85
D.ip route 203.0.113.0 255.255.255.0 10.0.0.2
AnswerA
solution
! R1
ip route 203.0.113.0 255.255.255.0 10.0.0.2 95

Why this answer

The issue is that R1 has no route to 203.0.113.0/24 because EIGRP is not working (likely due to misconfiguration or link failure). A floating static route with an administrative distance greater than EIGRP's default AD of 90 is needed. By configuring a static route to 203.0.113.0/24 via next-hop 10.0.0.2 with AD 95, the static route will be used only when EIGRP is down (since 95 > 90, EIGRP is preferred when active).

The command 'ip route 203.0.113.0 255.255.255.0 10.0.0.2 95' accomplishes this.

Exam trap

Remember that floating static routes require an administrative distance higher than the primary route's AD. Do not use the default AD (1) or match the primary AD; always set a higher value.

Why the other options are wrong

B

The AD must be greater than 90 to ensure the static route is only used when EIGRP fails. An AD of 90 does not create a floating static route.

C

A floating static route must have a higher AD than the primary route. An AD of 85 is lower than 90, so it would be preferred over EIGRP.

D

The default AD for static routes is 1, which is lower than EIGRP's 90. Without specifying a higher AD, the static route will be preferred and not act as a floating static route.

200
MCQhard

A network administrator captures traffic on Server B and finds that ICMP echo requests from Host A arrive, and the server generates corresponding echo replies, but these replies never appear on the wire. The server's routing table has a valid default gateway, and no ACLs are blocking the traffic. What is the most likely cause?

A.The server's TCP stack is corrupt.
B.The server's ARP cache contains an incorrect MAC address for the destination host.
C.The server's routing table is missing a route to the source network.
D.The switch port connecting Server B has port security enabled and has learned a different MAC.
AnswerB

The server must resolve the destination IP address (Host A) to a MAC address to build the frame. If the ARP cache holds a wrong MAC, the frame carrying the echo reply is sent to an incorrect device or the encapsulation fails, so the reply never appears on the wire.

Why this answer

The ICMP echo requests arrive at Server B, and the server generates replies, but they never appear on the wire. This indicates the server cannot deliver the frames to the next hop. Since the server has a valid default gateway and no ACLs are blocking, the most likely cause is an incorrect MAC address in the ARP cache for the destination (either the host or the default gateway).

The server will encapsulate the IP packet into a frame using the wrong MAC, causing the switch to drop the frame or send it to the wrong device, so the reply never reaches the wire correctly.

Exam trap

Cisco often tests the distinction between Layer 3 routing (which works correctly here) and Layer 2 frame delivery (which fails due to ARP issues), leading candidates to incorrectly blame routing or ACLs instead of the ARP cache.

Why the other options are wrong

A

ICMP does not use TCP; it is encapsulated directly in IP. The symptom would be unrelated to TCP.

C

A missing route would prevent the IP layer from even attempting to send the packet, not result in a generated-but-not-transmitted error.

D

Port security would have blocked the incoming request if Host A's MAC violated the policy, but the request was received, so this cannot explain the missing reply.

201
PBQmedium

You are connected to R1 via console. R1 is a router that needs to provide DHCP services to hosts on VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24). The router has two subinterfaces on GigabitEthernet0/0: G0/0.10 (192.168.10.1/24) and G0/0.20 (192.168.20.1/24) with 802.1Q encapsulation. Configure R1 as a DHCP server for both VLANs, excluding addresses 192.168.10.1-10 and 192.168.20.1-10, with a lease of 1 day. Ensure DNS server 8.8.8.8 is provided.

Network Topology
G0/0.10192.168.10.1/24trunkR1SW1

Hints

  • Use 'ip dhcp excluded-address' to reserve addresses.
  • Create DHCP pools with 'network', 'default-router', and 'dns-server'.
  • Lease time is in days; use 'lease 1' for 1 day.
A.ip dhcp excluded-address 192.168.10.1 192.168.10.10 ip dhcp excluded-address 192.168.20.1 192.168.20.10 ip dhcp pool VLAN10 network 192.168.10.0 255.255.255.0 default-router 192.168.10.1 dns-server 8.8.8.8 lease 1 ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 8.8.8.8 lease 1
B.ip dhcp excluded-address 192.168.10.1 192.168.10.10 ip dhcp excluded-address 192.168.20.1 192.168.20.10 ip dhcp pool VLAN10 network 192.168.10.0 /24 default-router 192.168.10.1 dns-server 8.8.8.8 lease 1 0 0 ip dhcp pool VLAN20 network 192.168.20.0 /24 default-router 192.168.20.1 dns-server 8.8.8.8 lease 1 0 0
C.ip dhcp excluded-address 192.168.10.1 192.168.10.10 ip dhcp excluded-address 192.168.20.1 192.168.20.10 ip dhcp pool VLAN10 network 192.168.10.0 255.255.255.0 default-router 192.168.10.1 dns-server 8.8.8.8 lease 24 ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 8.8.8.8 lease 24
D.ip dhcp excluded-address 192.168.10.1 192.168.10.10 ip dhcp excluded-address 192.168.20.1 192.168.20.10 ip dhcp pool VLAN10 network 192.168.10.0 255.255.255.0 default-router 192.168.10.1 dns-server 8.8.8.8 lease 24 ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 8.8.8.8 lease 24
AnswerA
solution
! R1
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp pool VLAN10
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8
lease 1
ip dhcp pool VLAN20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 8.8.8.8
lease 1

Why this answer

Option A correctly uses `lease 1` for a 1-day lease, dotted decimal subnet masks, and proper DHCP pool settings. Option B incorrectly uses CIDR notation `/24` in the network command, which IOS does not accept. Option C uses `lease 24`, which is interpreted as 24 days, not 1 day.

Option D also incorrectly uses `lease 24`, resulting in a 24-day lease instead of the required 1-day lease.

Exam trap

Be careful with the lease command: the default unit is days, not hours. Also, remember that the network command in DHCP pool configuration requires a subnet mask in dotted decimal format, not CIDR prefix length. Excluded addresses are configured globally, not within the pool.

Why the other options are wrong

B

The network command in DHCP pool configuration requires a subnet mask in dotted decimal format, not CIDR notation like /24.

C

The lease command uses days as its unit; `lease 24` sets a 24-day lease, not the required 1 day.

D

The lease command sets duration in days, so `lease 24` gives a 24-day lease instead of a 1-day lease.

202
Matchingmedium

Match each routing term to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Trustworthiness of a routing information source

Value used by a routing protocol to choose the best path within that protocol

Route used when no more specific match exists

Combining multiple networks into a smaller set of advertised prefixes

Why these pairings

Administrative distance is the trustworthiness rating of a routing protocol, where a lower number means higher trust. Metric is a value used by a routing protocol to select the best path among multiple routes from that same protocol. A default route is the path of last resort, used when no other specific route matches the destination.

Summarization (route aggregation) combines several network prefixes into a smaller set of advertised prefixes, improving efficiency.

Exam trap

Be careful not to confuse the roles of UDRs and BGP routes. UDRs are static overrides, while BGP is a dynamic protocol. System routes are the baseline defaults.

203
MCQhard

Which prefix length corresponds to the subnet mask 255.255.255.192?

A./25
B./26
C./27
D./28
AnswerB

This is correct because 255.255.255.192 equals 26 network bits.

Why this answer

The mask 255.255.255.192 corresponds to /26. In practical terms, the first three octets contribute 24 network bits, and 192 in binary is 11000000, which contributes 2 more network bits. That totals 26 network bits.

This is a standard conversion skill that matters in subnetting, ACL design, and route interpretation.

Exam trap

Be careful not to confuse similar subnet masks or miscount the number of bits in the binary representation.

Why the other options are wrong

A

The /25 prefix length corresponds to subnet mask 255.255.255.128, not 255.255.255.192. The mask 255.255.255.128 has 128 in the last octet, while 255.255.255.192 has 192, indicating a different number of host bits.

C

The /27 prefix length corresponds to subnet mask 255.255.255.224, not 255.255.255.192. The mask 255.255.255.224 has 224 in the last octet, which provides 30 usable hosts per subnet, whereas 255.255.255.192 provides 62 usable hosts.

D

The /28 prefix length corresponds to subnet mask 255.255.255.240, not 255.255.255.192. The mask 255.255.255.240 has 240 in the last octet, which supports 14 usable hosts, while 255.255.255.192 supports 62 usable hosts.

204
MCQhard

After configuring a trunk port to allow VLAN 40, a technician finds that VLAN 40 is not listed among the VLANs in spanning tree forwarding state in the show interfaces trunk output. What is the most likely cause?

A.The trunk port is using ISL encapsulation, which does not support VLAN 40.
B.The technician omitted the 'add' keyword when adding VLAN 40 to the allowed list, so the trunk no longer permits VLAN 40.
C.VLAN 40 has not been created in the VLAN database on the switch.
D.VTP pruning is enabled, and VLAN 40 is not needed by any downstream neighbor, so it is pruned from this trunk.
AnswerC

A VLAN must be defined in the local VLAN database for the switch to build a spanning-tree instance and forward frames for that VLAN. If it is permitted on the trunk but does not exist, the switch marks it as pruned and it will not appear in the 'VLANs in spanning tree forwarding state' list. This is the exact symptom presented.

Why this answer

Even if a VLAN is included in the trunk's allowed list, the switch cannot forward frames for that VLAN unless it exists in the local VLAN database. A non-existent VLAN is placed in a pruned state and will not appear as forwarding in show interfaces trunk. The allowed-list command worked, but the missing VLAN definition prevents the VLAN from being active on the trunk.

Exam trap

Option B: the classic mistake of omitting the 'add' keyword when modifying the allowed list is tempting because it is a very common trunk configuration error. However, that error would result in the VLAN not even appearing in the allowed list column, not simply missing from the forwarding state. The question states the VLAN was added to the allowed list, so the missing VLAN database entry is the correct culprit.

Why the other options are wrong

A

Candidates might associate VLAN support with trunk encapsulation types, but ISL fully supports VLAN 40. This is a distractor.

B

This is a common operational mistake, but the resulting output would show VLAN 40 missing from the 'Vlans allowed' column, not from the forwarding list.

D

Candidates might confuse local pruning (due to non-existent VLAN) with VTP pruning. VTP pruning would also require a multi-switch VTP domain and is less likely in a standalone troubleshooting scenario.

205
MCQmedium

In a router-on-a-stick design, what is configured on the physical router interface connected to the switch?

A.One IP address for every VLAN on the physical interface itself only
B.No subinterfaces; the switch handles all inter-VLAN routing internally
C.Subinterfaces with 802.1Q encapsulation for each routed VLAN
D.A serial encapsulation setting for each VLAN
AnswerC

Correct. Subinterfaces with dot1q encapsulation are the key configuration element.

Why this answer

Router-on-a-stick uses one physical router interface with multiple logical subinterfaces. Each subinterface is associated with a VLAN using 802.1Q encapsulation and gets an IP address for that VLAN. Option A is wrong because IP addresses are configured on subinterfaces, not directly on the physical interface for all VLANs.

Option B is wrong because inter-VLAN routing requires a router; the switch alone does not perform inter-VLAN routing in this design. Option D is wrong because serial encapsulation is used for WAN connections, not for VLAN tagging on Ethernet interfaces.

Exam trap

Avoid confusing switch VLAN configurations with router subinterface configurations. Remember that routers require subinterfaces for VLAN handling.

Why the other options are wrong

A

IP addresses for multiple VLANs are configured on subinterfaces, not directly on the physical interface.

B

Inter-VLAN routing requires a router; the switch does not route between VLANs internally in a router-on-a-stick design.

D

Serial encapsulation is used for WAN serial links, not for VLAN tagging on Ethernet interfaces.

206
MCQmedium

A client on VLAN 20 must obtain an IPv4 lease from a DHCP server located on VLAN 100. Which feature is required on the Layer 3 interface for VLAN 20?

A.NAT overload
B.DHCP relay
C.Port security
D.Private VLAN
AnswerB

Correct. The SVI or routed interface needs DHCP relay.

Why this answer

A DHCP relay agent forwards client broadcasts as unicast to the remote server, typically using ip helper-address.

Exam trap

A common exam trap is selecting NAT overload or port security as the required feature for DHCP communication across VLANs. NAT overload is used for IP address translation and does not forward DHCP broadcasts, while port security restricts MAC addresses on switch ports but does not relay DHCP messages. Another trap is confusing private VLANs with DHCP relay; private VLANs isolate Layer 2 domains but do not forward DHCP requests between VLANs.

The key is understanding that DHCP relay is the only feature that forwards DHCP broadcasts as unicast messages across Layer 3 boundaries, enabling clients on VLAN 20 to obtain leases from a DHCP server on VLAN 100.

Why the other options are wrong

A

NAT overload translates private IP addresses to a public IP for outbound traffic but does not forward DHCP broadcasts between VLANs. It is unrelated to DHCP relay functionality required for inter-VLAN DHCP communication.

C

Port security restricts which MAC addresses can connect to a switch port but does not forward DHCP broadcasts or relay DHCP messages between VLANs, so it cannot enable DHCP communication across VLANs.

D

Private VLANs isolate devices within a VLAN for security purposes but do not provide DHCP relay capabilities or forward DHCP requests between VLANs, making this option incorrect.

207
MCQhard

A static route is configured as 198.51.100.0/24 via 192.0.2.9, but the connected network to the next hop goes down. What happens to the static route in the routing table?

A.It remains permanently because static routes never disappear.
B.It is removed because the recursive next hop is no longer reachable.
C.It changes automatically into a default route.
D.It becomes an OSPF external route.
AnswerB

Correct. The router must be able to resolve the next hop.

Why this answer

If the outgoing interface or connected path to the next hop becomes unreachable, the router cannot resolve the recursive next hop and the route is removed from the table.

Exam trap

Remember that static routes are removed if the next hop is unreachable, unlike dynamic routes that may have additional states.

Why the other options are wrong

A

Static routes are not permanent; they are removed from the routing table if the next-hop interface goes down or the next-hop IP becomes unreachable, because the route is no longer valid.

C

A static route does not automatically change into a default route; default routes are explicitly configured (e.g., ip route 0.0.0.0 0.0.0.0 next-hop) and are not derived from other static routes.

D

A static route does not become an OSPF external route automatically; OSPF routes are learned through the OSPF protocol, and a static route remains static unless redistributed into OSPF via configuration.

208
Multi-Selectmedium

Which three options correctly describe the behavior or configuration of EtherChannel? (Choose three.)

Select 3 answers
.EtherChannel can bundle up to 8 active physical links of the same type.
.All interfaces in the EtherChannel must have the same VLAN allowed list or trunk mode.
.Load balancing is based on a hash algorithm that can use source MAC, destination MAC, IP, or port numbers.
.EtherChannel provides redundancy by forwarding traffic out all active links simultaneously.
.PAgP is an industry-standard protocol for forming EtherChannels.
.EtherChannel interfaces are configured as individual switch ports in the running-config.

Why this answer

EtherChannel allows bundling up to 8 active physical links of the same type (e.g., all FastEthernet or all GigabitEthernet) to increase bandwidth and provide redundancy. All interfaces in the bundle must have consistent VLAN allowed lists and trunk mode configurations (or, for access ports, the same access VLAN) to avoid traffic misdirection or loops. Load balancing uses a hash algorithm that can be based on source MAC, destination MAC, source/destination IP, or TCP/UDP port numbers, with the default typically being source MAC on Cisco switches.

Exam trap

Cisco often tests that EtherChannel can bundle up to 8 active links (not 16, which includes standby in LACP), and that all interfaces must have matching VLAN and trunk settings, but candidates may mistakenly think load balancing is round-robin or that different link types can be mixed.

209
Drag & Dropmedium

Drag and drop the following troubleshooting steps into the correct order to diagnose a client connectivity issue using the OSI bottom-up method.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The OSI bottom-up method starts at Layer 1 (physical) and moves upward. Step A (Check physical connectivity) verifies cables and link lights at Layer 1. Step D (Check for MAC address table entries) examines Layer 2 connectivity.

Step B (Verify IP address configuration) confirms Layer 3 settings. Step C (Test application functionality) tests Layer 7 applications such as ping or web browsing. This sequence aligns with the bottom-up approach of resolving lower-layer issues before examining higher layers.

Exam trap

The trap is that candidates may jump to common troubleshooting steps like checking IP configuration or testing applications, but the bottom-up method requires starting at the physical layer. Always remember the OSI layer order and apply it sequentially.

210
MCQmedium

A network administrator is troubleshooting a user's wired workstation that cannot access the internet. The user reports that the workstation was working earlier today. The administrator runs 'ipconfig /all' on the workstation and sees an IP address of 169.254.10.55. What is the most likely cause of this issue?

A.The workstation has a duplicate IP address conflict with another device.
B.The workstation is unable to communicate with a DHCP server due to a faulty network cable.
C.The workstation's DNS server settings are misconfigured.
D.The workstation is connected to the wrong VLAN, causing it to receive an incorrect IP address.
AnswerB

A faulty network cable prevents the workstation from reaching the DHCP server, causing the client to self-assign an APIPA address (169.254.x.x).

Why this answer

The IP address 169.254.10.55 falls within the Automatic Private IP Addressing (APIPA) range (169.254.0.0/16, RFC 3927). This address is assigned by the operating system when a DHCP client fails to receive a response from a DHCP server. A faulty network cable would prevent the workstation from communicating with the DHCP server, causing the client to self-assign an APIPA address after the DHCP discovery process times out.

Exam trap

Cisco often tests the concept that APIPA addresses are only generated when the DHCP client cannot communicate with any DHCP server, not when there is a configuration mismatch or server-side issue that still allows Layer 2 connectivity.

Why the other options are wrong

A

A duplicate IP address conflict would generate an error message and the workstation would still attempt to use the conflicting IP, not fall back to APIPA. The workstation would retain its DHCP-assigned address and display a conflict notification.

C

DNS misconfiguration would affect name resolution, but the workstation would still obtain a valid IP address from DHCP, not an APIPA address. APIPA is only triggered when DHCP discovery fails entirely.

D

Being on the wrong VLAN would likely result in an IP from a different subnet, not an APIPA address, unless the DHCP server for that VLAN is unreachable. APIPA occurs only when no DHCP server is reachable at all.

211
Drag & Dropmedium

Drag and drop the following OSPFv2 neighbor state transitions and DR/BDR election steps into the correct order for a multi-access network with default priority values.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The correct OSPF neighbor state progression on a multi-access network is: Down, Init, 2-Way (with DR/BDR election), ExStart (master/slave negotiation), Exchange (DBD exchange), Loading (link-state request and update), and Full. Each option missing the Loading state or placing it incorrectly fails to represent the complete adjacency process.

Exam trap

Many learners forget the Loading state, thinking adjacency jumps directly from Exchange to Full; however, after exchanging database descriptors (DBDs), routers must request and load missing LSAs via Link State Request/Update packets, which occurs in the Loading state.

212
Drag & Dropmedium

Drag and drop the following steps into the correct order to capture and analyze traffic on IOS-XE using the embedded packet capture feature, then export to Wireshark to isolate a Layer 2 or Layer 3 fault.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

First enter privileged mode, then define the capture buffer, specify the interface and direction, start the capture, stop it after collecting data, export to a .pcap file, then transfer and analyze in Wireshark.

Exam trap

Be careful with the order of operations: the buffer must be defined before the capture point, and the capture must be stopped before exporting. Also, remember that these commands are executed in privileged EXEC mode, not global configuration mode.

213
MCQmedium

Exhibit: An engineer applies an ACL inbound on the VTY lines to permit SSH only from 10.5.5.0/24. Users from that subnet still cannot connect. What is the most likely reason?

A.The device may not have SSH fully enabled with keys and a valid login method
B.The ACL must be applied outbound on the VTY lines
C.SSH requires UDP port 22
D.VTY access-class can only be used with Telnet
AnswerA

The ACL allows the subnet, but SSH still needs its base configuration.

Why this answer

Restricting the VTY lines is not enough if SSH itself has not been enabled correctly. A missing local username, domain name, RSA keys, or transport input ssh setting can stop access even when the ACL is correct.

Exam trap

A frequent exam trap is believing that simply applying an ACL to permit SSH traffic on the VTY lines guarantees remote access. Candidates often overlook that SSH requires full configuration, including RSA key generation, domain name setting, and valid login credentials. Without these, the device will refuse SSH connections regardless of ACL permissions.

Another pitfall is misapplying the ACL outbound instead of inbound on VTY lines, which does not control incoming management sessions. Also, confusing SSH’s use of TCP port 22 with UDP can lead to incorrect ACL configurations. Recognizing these nuances prevents misinterpretation of the question and ensures correct troubleshooting.

Why the other options are wrong

B

Incorrect. Applying the ACL outbound on VTY lines does not control incoming management traffic. The correct direction for access control on VTY lines is inbound.

C

Incorrect. SSH uses TCP port 22, not UDP. Configuring ACLs to permit UDP port 22 will not allow SSH connections, making this option invalid.

D

Incorrect. The 'access-class' command works with both Telnet and SSH to restrict access based on IP addresses. It is not limited to Telnet only.

214
MCQmedium

When two routes to the same destination are learned by OSPF from different paths, what criterion does OSPF use to select the best path?

A.Lowest administrative distance
B.Lowest OSPF cost
C.Highest bandwidth of the first hop only
D.Lowest next-hop IP address
AnswerB

Correct choice.

Why this answer

Within OSPF, the router compares the total path cost to the destination. Lower cost is preferred. Administrative distance is used when comparing routes from different routing sources, not between two OSPF paths.

Exam trap

A common exam trap is selecting administrative distance as the criterion for OSPF route selection. While administrative distance determines route preference between different routing protocols, OSPF uses cost internally to choose the best path. Another trap is assuming OSPF chooses routes based on the highest bandwidth of the first hop only, ignoring the cumulative cost of the entire path.

Candidates may also mistakenly think OSPF uses the lowest next-hop IP address, which is incorrect. These misunderstandings can lead to incorrect answers on OSPF routing questions.

Why the other options are wrong

A

Lowest administrative distance is incorrect because administrative distance is used to compare routes from different routing protocols, not to select between multiple OSPF-learned routes. Within OSPF, all routes have the same administrative distance, so this criterion does not apply.

C

Highest bandwidth of the first hop only is incorrect because OSPF considers the cumulative cost of the entire path, not just the bandwidth of the first hop. Focusing only on the first hop bandwidth ignores the cost of subsequent links.

D

Lowest next-hop IP address is incorrect because OSPF does not use the next-hop IP address as a criterion for route selection. The protocol relies exclusively on the cost metric to determine the best path.

215
MCQhard

A switchport connected to a user workstation is placed in VLAN 30. The administrator also wants to prevent that port from learning more than one MAC address. Which feature should be configured?

A.Port security
B.EtherChannel
C.OSPF passive-interface
D.Native VLAN
AnswerA

This is correct because port security can enforce a maximum number of MAC addresses on the switchport.

Why this answer

The correct feature is port security. In practical terms, port security lets the administrator control how many MAC addresses can be learned on a switchport and what happens if that limit is exceeded. That makes it a very natural fit for a user-facing access port where one endpoint is expected and unmanaged extra devices are not.

This is a common access-layer hardening technique. VLAN assignment controls where the traffic belongs, but it does not limit who or what can appear on the port. Port security adds that second layer of control.

Exam trap

Don't confuse VLAN assignment or ACLs with port security; they serve different functions.

Why the other options are wrong

B

EtherChannel is used to aggregate multiple physical links into a single logical link for increased bandwidth and redundancy, not to limit MAC address learning on a single port. It does not provide any mechanism to restrict the number of MAC addresses learned on a switchport.

C

OSPF passive-interface is a routing protocol feature used to prevent OSPF from sending hello messages on an interface, typically used on interfaces that do not have OSPF neighbors. It has no effect on MAC address learning or switchport security.

D

Native VLAN is a concept used on trunk ports to specify the VLAN that carries untagged traffic. It does not control MAC address learning or limit the number of MAC addresses on a switchport.

216
MCQhard

PCs in VLAN 40 are not receiving addresses from the centralized DHCP server at 172.16.1.10. What should be configured on the VLAN 40 default gateway interface?

A.ip dhcp excluded-address 10.40.40.1 10.40.40.10
B.ip helper-address 172.16.1.10
C.service dhcp
D.ip default-gateway 172.16.1.10
AnswerB

Correct choice.

Why this answer

When DHCP clients and the DHCP server are on different subnets, the router interface serving the client subnet must relay broadcasts to the server with the ip helper-address command.

Exam trap

Ensure you understand the difference between DHCP relay and DHCP security features like snooping, as well as local DHCP server configuration.

Why the other options are wrong

A

The 'ip dhcp excluded-address' command is used on a DHCP server to prevent certain addresses from being assigned, not on a router interface to forward DHCP requests. This command would not help clients in VLAN 40 reach the centralized DHCP server.

C

The 'service dhcp' command globally enables the DHCP server or relay agent on a Cisco device, but it does not specify where to forward requests. Without the 'ip helper-address' command, DHCP broadcasts will not be forwarded to the server.

D

The 'ip default-gateway' command is used on a switch to set a default gateway for management purposes, not to forward DHCP broadcasts. It does not provide DHCP relay functionality.

217
MCQmedium

In a controller-based WLAN, what is the main job of the access point?

A.To provide the radio connection between wireless clients and the network
B.To replace the wireless LAN controller entirely
C.To act as the default gateway for every wired VLAN
D.To perform OSPF route summarization for wireless users
AnswerA

This is correct because the AP handles the local wireless connectivity.

Why this answer

The main job of the access point is to provide the actual radio connection between wireless clients and the network. In practical terms, the controller may centralize policy and management, but the AP is still the device that transmits and receives the wireless frames in the local area.

This distinction matters because CCNA wireless questions often separate the controller’s management role from the AP’s RF and client-connectivity role.

Exam trap

Remember that access points handle RF communication, while controllers manage policies and configurations. Don't confuse these roles.

Why the other options are wrong

B

In a controller-based WLAN, the access point is a lightweight device that relies on the wireless LAN controller (WLC) for management, control, and data forwarding decisions. The AP cannot replace the controller because it lacks the necessary intelligence and processing power to perform controller functions such as RF management, client authentication, and mobility services.

C

The access point does not act as a default gateway for wired VLANs. Default gateway functionality is provided by routers or Layer 3 switches that route traffic between different subnets. The AP's role is limited to wireless access and forwarding client traffic to the wired network, typically through the controller or directly to the switch.

D

OSPF route summarization is a routing protocol function performed by routers or Layer 3 switches, not by access points. APs are not involved in routing protocol operations; they focus on wireless connectivity and may forward traffic to the controller or wired network without participating in dynamic routing.

218
PBQhard

You are connected to R1 via console. Configure OSPFv3 for IPv6 on both R1 and R2 so that the loopback0 interface on R2 (IPv6 address 2001:db8:1:2::1/64) is reachable from R1. The link between R1 and R2 uses the subnet 2001:db8:1:1::/64 with R1's G0/0 having IPv6 address 2001:db8:1:1::1/64 and R2's G0/0 having 2001:db8:1:1::2/64. OSPFv3 process ID must be 100 and all interfaces must be in area 0. After configuration, verify OSPFv3 neighbors and the IPv6 route to the loopback0 network.

Hints

  • OSPFv3 uses the 'ipv6 ospf <process-id> area <area-id>' command under each interface.
  • The loopback0 interface on R2 must also be enabled for OSPFv3 to advertise its prefix.
  • A router-id is required for OSPFv3; if not configured explicitly, the router may not form adjacency.
A.On R1: ipv6 router ospf 100, router-id 1.1.1.1, interface g0/0: ipv6 ospf 100 area 0. On R2: ipv6 router ospf 100, router-id 2.2.2.2, interface g0/0: ipv6 ospf 100 area 0, interface loopback0: ipv6 ospf 100 area 0.
B.On R1: ipv6 router ospf 100, router-id 1.1.1.1, interface g0/0: ipv6 ospf 100 area 0. On R2: ipv6 router ospf 100, router-id 2.2.2.2, interface g0/0: ipv6 ospf 100 area 0. No configuration on loopback0.
C.On R1: ipv6 router ospf 100, router-id 1.1.1.1, interface g0/0: ipv6 ospf 100 area 0. On R2: ipv6 router ospf 100, router-id 2.2.2.2, interface g0/0: ipv6 ospf 100 area 0, interface loopback0: ipv6 ospf 100 area 0, and also configure 'network 2001:db8:1:2::/64 area 0' under the OSPFv3 process.
D.On R1: ipv6 router ospf 100, router-id 1.1.1.1, interface g0/0: ipv6 ospf 100 area 0. On R2: ipv6 router ospf 100, router-id 2.2.2.2, interface g0/0: ipv6 ospf 100 area 0, interface loopback0: ipv6 ospf 100 area 0, and also configure 'passive-interface GigabitEthernet0/0' under the OSPFv3 process.
AnswerA
solution
! R1
ipv6 router ospf 100
router-id 1.1.1.1
interface GigabitEthernet0/0
ipv6 ospf 100 area 0

! R2
ipv6 router ospf 100
router-id 2.2.2.2
interface GigabitEthernet0/0
ipv6 ospf 100 area 0
interface Loopback0
ipv6 ospf 100 area 0

Why this answer

To achieve reachability to R2's loopback, OSPFv3 must be enabled on R1's and R2's G0/0 interfaces in area 0, and on R2's loopback0 so its prefix is advertised. Option A shows the minimal correct configuration. Option B omits enabling OSPF on loopback0, so the route to 2001:db8:1:2::/64 is not advertised.

Option C incorrectly uses the 'network' command, which is not supported in OSPFv3; OSPFv3 relies on interface-level 'ipv6 ospf ... area' commands. Option D adds 'passive-interface GigabitEthernet0/0', which prevents OSPF from forming a neighbor adjacency on the link, breaking the required connectivity.

Exam trap

Do not confuse OSPFv2 and OSPFv3 configuration. OSPFv3 uses only interface-level commands, and while setting a loopback as passive is safe, applying 'passive-interface' on a transit link will block neighbor adjacency.

Why the other options are wrong

B

Loopback0 is not enabled for OSPF, so its prefix is not advertised into OSPF.

C

The 'network' command is invalid in OSPFv3 for IPv6; only interface-level 'ipv6 ospf ... area' commands are used.

D

Applying 'passive-interface GigabitEthernet0/0' prevents OSPF from forming a neighbor adjacency on the link, breaking the verification of neighbor state.

219
PBQmedium

You are connected to the console of R1. The network administrator reports that users cannot communicate with the server at 192.168.2.10. R1 is connected to R2 via a serial link (S0/0/0) with IP 10.0.0.1/30 on R1 and 10.0.0.2/30 on R2. The network uses OSPF for routing. You suspect an interface issue on the serial link.

Network Topology
S0/0/010.0.0.1/30S0/0/010.0.0.2/30SerialS0/0/010.0.0.2/30192.168.2.10G0/0 192.168.2.1/24R2R1Server

Hints

  • Check the interface status and line protocol.
  • Serial links require a clock rate on the DCE end.
  • Ensure the encapsulation matches on both ends.
A.Use the show interfaces serial0/0/0 command to verify the interface status and check for encapsulation mismatch.
B.Use the show ip route command to verify that the route to 192.168.2.0/24 is present in the routing table.
C.Use the ping 10.0.0.2 command to test Layer 3 connectivity to the neighbor router.
D.Use the show running-config interface serial0/0/0 command to check the configuration of the serial interface.
AnswerA
solution
! R1
interface Serial0/0/0
clock rate 64000
no shutdown
encapsulation ppp

Why this answer

The serial interface may be administratively down or have incorrect encapsulation. Setting the clock rate on the DCE side and ensuring PPP encapsulation matches the neighbor resolves the issue.

Exam trap

Do not confuse troubleshooting steps: when a specific interface issue is suspected, use interface-level commands like show interfaces, not routing or ping commands. The show interfaces command is the go-to for verifying interface status and encapsulation.

Why the other options are wrong

B

The show ip route command does not provide interface-level details such as encapsulation or clock rate; it only shows routing information.

C

Ping does not provide detailed interface status or configuration information; it only indicates whether the neighbor is reachable, not why it is not.

D

The running-config shows the intended configuration but not the current operational state; for example, it won't show if the interface is administratively down unless you check the shutdown command.

220
Multi-Selectmedium

Which TWO statements accurately describe the encapsulation process in the TCP/IP model as data moves from the application layer to the network access layer?

Select 2 answers
A.At the application layer, the PDU is called a segment and includes a transport layer header.
B.At the transport layer, the PDU is called a segment (for TCP) and includes source and destination port numbers.
C.At the network layer, the PDU is called a frame and includes source and destination MAC addresses.
D.At the network layer, the PDU is called a packet and includes source and destination IP addresses.
E.At the data link layer, the PDU is called a packet and includes source and destination IP addresses.
AnswersB, D

The transport layer encapsulates data with a header containing port numbers to identify the application.

Why this answer

At the transport layer, TCP creates segments that include source and destination port numbers (B correct). At the network layer, the PDU is a packet containing source and destination IP addresses (D correct). Option A is wrong because the application layer generates data, not segments, and transport headers are added later.

Option C mislabels the network layer PDU; it is a packet, not a frame, and MAC addresses belong to frames. Option E is wrong because the data link layer PDU is a frame, not a packet, and it uses MAC addresses, not IP addresses.

Exam trap

Cisco often tests the specific PDU naming conventions (segment, packet, frame) and the layer at which each header is added, causing candidates to confuse the network layer packet with the data link layer frame or to misidentify the transport layer PDU.

Why the other options are wrong

A

The application layer PDU is just data; no transport header is added at this stage.

C

At the network layer, the PDU is a packet with IP addresses; MAC addresses are added at the data link layer.

E

The data link layer PDU is a frame, not a packet, and it contains source and destination MAC addresses.

221
PBQhard

You are connected to SW1. The current configuration on SW1 is: interfaces GigabitEthernet0/1 and GigabitEthernet0/2 are set to channel-group mode passive; Gi0/1 has speed 100, duplex half, and access VLAN 20; Gi0/2 has speed 1000, duplex full, and access VLAN 10. You need to form an LACP EtherChannel between SW1 and SW2. Ensure the channel forms by setting the channel-group mode to active on SW1's member ports. Also correct the speed/duplex mismatch and VLAN mismatch so that the port-channel interface is in the up/up state. Finally, verify the EtherChannel summary shows the channel as a Layer 2 bundle in use.

Network Topology
Gi0/1Gi0/1LACP EtherChannelSW1SW2

Hints

  • LACP requires at least one side to be in active mode to initiate negotiation.
  • All member ports must have identical speed, duplex, and VLAN configuration.
  • Use the 'channel-group 1 mode active' command to set LACP active mode.
A.Change channel-group mode to active on both ports, set speed 1000 and duplex full on Gi0/1, set access VLAN 10 on Gi0/2.
B.Change channel-group mode to passive on both ports, set speed 100 and duplex half on Gi0/2, set access VLAN 20 on Gi0/1.
C.Change channel-group mode to desirable on both ports, set speed 1000 and duplex full on Gi0/1, set access VLAN 10 on Gi0/2.
D.Change channel-group mode to active on both ports, set speed 100 and duplex half on Gi0/1, set access VLAN 20 on Gi0/2.
AnswerA
solution
! SW1
interface GigabitEthernet0/1
speed 1000
duplex full
channel-group 1 mode active
exit
interface GigabitEthernet0/2
switchport access vlan 10
channel-group 1 mode active
end

Why this answer

The EtherChannel fails because both member ports are set to mode passive, preventing LACP negotiation. Additionally, Gi0/1 has speed 100/duplex half while Gi0/2 has speed 1000/duplex full—a mismatch that causes one port to be suspended. Finally, the VLANs differ (10 vs 20), which also prevents bundling.

The solution: change the channel-group mode to active on both ports, set consistent speed (1000) and duplex (full) on Gi0/1, and set the same access VLAN (10) on Gi0/2. After these corrections, the port-channel should form and show as (SU) in the summary.

Exam trap

The exam often tests that LACP requires at least one side to be active, and that speed, duplex, and VLAN must match across all member ports. Do not confuse PAgP and LACP modes.

Why the other options are wrong

B

Passive mode requires the other side to be active; both passive means no negotiation. Speed/duplex mismatch (100/half vs 1000/full) and VLAN mismatch (20 vs 10) prevent bundling.

C

The mode 'desirable' is used with Cisco's proprietary PAgP protocol, not with the IEEE standard LACP. Using it would not form an LACP EtherChannel.

D

Speed/duplex mismatch causes one port to be suspended in the EtherChannel. VLAN mismatch prevents the port-channel from being in up/up state as a Layer 2 bundle.

222
PBQmedium

You are connected to R1 via console. R1 and R2 are configured with EIGRP AS 100. R1's loopback0 (1.1.1.1/32) should be advertised into EIGRP. However, after configuration, R2 does not have a route to 1.1.1.1/32. You need to verify the EIGRP configuration on R1 and R2 to determine why the route is missing. Use show commands to identify the issue.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/30R1R2

Hints

  • Check if the loopback interface is configured as passive or if there is a network statement issue.
  • The 'passive-interface default' command makes all interfaces passive unless explicitly configured otherwise.
  • Ensure that the network statement for the loopback includes the correct wildcard mask.
A.Use 'show ip eigrp interfaces' on R1 to verify that EIGRP is enabled on the interface facing R2 and that it is not passive.
B.Use 'show ip eigrp topology' on R1 to confirm that the 1.1.1.1/32 route is in the EIGRP topology table.
C.Use 'show ip route eigrp' on R1 to verify that the 1.1.1.1/32 route is in the routing table.
D.Use 'show ip protocols' on R2 to verify that EIGRP AS 100 is configured and that the network statement includes the subnet of the interface facing R1.
AnswerA
solution
! R1
show ip eigrp neighbors
show ip eigrp topology
show ip route eigrp
show running-config | section router eigrp

! R2
show ip route eigrp

Why this answer

The root cause is that R1's interface facing R2 is passive, preventing EIGRP neighbor adjacency. 'show ip eigrp interfaces' verifies the passive state, identifying why no routes are exchanged. Option B is incorrect because the local topology table may contain the route, but without an active neighbor, it will not be advertised; the topology check alone is insufficient. Option C is incorrect because the routing table may also show the locally connected route, but that does not explain why R2 lacks it.

Option D is incorrect because checking R2's EIGRP configuration does not reveal R1's passive interface, which is the actual problem.

Exam trap

Be careful: 'passive-interface default' makes all interfaces passive, including the one needed for neighbor adjacency. You must use 'no passive-interface' on the specific interface to allow EIGRP to form a neighbor. Also, remember that passive interfaces can still advertise routes, but they do not form adjacencies.

Why the other options are wrong

B

The route being in R1's topology does not guarantee it is advertised to R2; the problem is more likely with the neighbor adjacency or outbound filters.

C

The loopback is a directly connected interface, so it will not appear in the EIGRP routing table; it is injected into EIGRP via the network statement. This command is irrelevant for checking the advertisement.

D

The problem is likely on R1, not R2. R2's configuration may be fine, but if R1 is not sending the route, R2 will never learn it. This command focuses on R2, which is not the source of the issue.

223
PBQhard

You are connected to R1 via console. R1's GigabitEthernet0/1 interface connects to a remote site switch over a 2 km fiber link. The current configuration shows speed and duplex set to 1000 Mbps and full, but the interface is down/down due to an SFP mismatch. Review the exhibit, identify the problem, and correct it so that the interface comes up and communicates at the correct speed and duplex. Additionally, ensure the interface is configured to auto-negotiate properly for future cable replacements.

Network Topology
Gi0/110.0.0.1/302 km fiberR1Remote Switch

Hints

  • Hard-coded speed and duplex can prevent auto-negotiation and cause link failure with fiber SFPs.
  • The interface is administratively down; check for the 'shutdown' command in the running config.
  • For distances over 550 m, a 1000BASE-LX SFP is needed instead of 1000BASE-SX.
A.Replace the SFP with a 1000BASE-LX module, remove the manual speed and duplex settings, and issue the no shutdown command.
B.Replace the SFP with a 1000BASE-SX module, keep the manual speed 1000 and duplex full, and issue the no shutdown command.
C.Keep the existing SFP, change the speed to 100 and duplex to half, and issue the no shutdown command.
D.Replace the SFP with a 1000BASE-LX module, keep the manual speed 1000 and duplex full, and issue the no shutdown command.
AnswerA
solution
! R1
interface GigabitEthernet0/1
no speed
no duplex
no shutdown

Why this answer

The interface was administratively shut down (shutdown command) and had hard-coded speed 1000 and duplex full, which is incompatible with the 2 km fiber link requiring a long-haul SFP (e.g., 1000BASE-LX). The correct fix is to remove the manual speed/duplex settings, enable auto-negotiation (which is default but overridden), and then no shutdown. For a 2 km link, a 1000BASE-LX SFP is required; the existing SFP (likely 1000BASE-SX, max 550 m) caused the link to be down.

After replacing with the correct SFP, the interface should come up. Commands: interface Gi0/1, no speed, no duplex, no shutdown.

Exam trap

Trap: Candidates may focus only on the SFP replacement and forget to remove manual speed/duplex settings, or they may choose an SFP with insufficient distance. Remember that Gigabit Ethernet fiber interfaces should use auto-negotiation, and manual settings are only for troubleshooting or specific legacy scenarios.

Why the other options are wrong

B

The specific factual error is that 1000BASE-SX cannot support 2 km distances; it is limited to 550 m.

C

The specific factual error is that Gigabit Ethernet interfaces cannot be set to 100 Mbps; they only support 1000 Mbps or auto-negotiation.

D

The specific factual error is that manual speed/duplex settings should be removed to allow auto-negotiation; they are not recommended for fiber interfaces.

224
PBQhard

You are connected to R1, a multilayer switch running Rapid PVST+. The current root bridge for VLAN 10 has priority 24586 and for VLAN 20 has priority 24676. Configure R1 so that it becomes the root bridge for VLAN 10 and VLAN 20. Then enable PortFast and BPDU Guard on interface FastEthernet0/1, which connects to an access switch. Finally, diagnose why interface FastEthernet0/2 has entered an err-disabled state and recover it.

Network Topology
Fa0/1Fa0/2Access SwitchSiR1Another Switch

Hints

  • Set root priority to a value lower than 24586 for VLAN 10 and 24676 for VLAN 20.
  • PortFast and BPDU Guard must be configured under the interface.
  • An interface in err-disabled state due to BPDU Guard requires a manual shutdown/no shutdown to recover.
A.Configure spanning-tree vlan 10,20 priority 4096; on Fa0/1: spanning-tree portfast and spanning-tree bpduguard enable; on Fa0/2: shutdown then no shutdown.
B.Configure spanning-tree vlan 10,20 root primary; on Fa0/1: spanning-tree portfast; on Fa0/2: no shutdown.
C.Configure spanning-tree vlan 10,20 priority 8192; on Fa0/1: spanning-tree portfast; on Fa0/2: no shutdown.
D.Configure spanning-tree vlan 10,20 priority 4096; on Fa0/1: spanning-tree portfast and spanning-tree bpduguard enable; on Fa0/2: shutdown.
AnswerA
solution
! R1
configure terminal
spanning-tree vlan 10 priority 4096
spanning-tree vlan 20 priority 4096
interface FastEthernet0/1
spanning-tree portfast
spanning-tree bpduguard enable
interface FastEthernet0/2
shutdown
no shutdown
end

Why this answer

To become the root bridge, R1’s priority must be lower than the current root’s priority. Setting the priority to 4096 (or any value lower than 24586/24676) accomplishes this. Option A correctly uses `spanning-tree vlan 10,20 priority 4096` (though the actual command per VLAN is `spanning-tree vlan 10 priority 4096` and `spanning-tree vlan 20 priority 4096`).

It also enables PortFast and BPDU Guard on Fa0/1 to prevent BPDU reception on an edge port, and recovers the err-disabled Fa0/2 by cycling `shutdown` then `no shutdown`. Options B and C fail because they do not enable BPDU Guard, leaving the interface vulnerable. Option D fails because it only shuts down Fa0/2 without the `no shutdown` command, so the interface remains administratively down.

Exam trap

Candidates often mistakenly believe that the priority must be set to the absolute lowest (e.g., 0) or that `root primary` always works, but the real requirement is simply a priority lower than the current root. Also, they may forget that an err-disabled interface requires both `shutdown` and `no shutdown` to recover.

Why the other options are wrong

B

The 'root primary' command sets priority to 24576, which is higher than the current root priority for VLAN 10 (24586) and VLAN 20 (24676) — actually 24576 is lower than 24586 and 24676, so it would become root. Wait, check: 24576 < 24586, so it would become root. But the command 'root primary' sets priority to 24576 only if the current root priority is above 24576; if the current root priority is 24586, it sets to 24576, which is lower, so R1 would become root.

However, the question states the current root has priority 24586 and 24676, so 'root primary' would set to 24576, which is lower than 24586 but not lower than 24676? Actually 24576 < 24676, so it would become root for both. But the correct answer uses 4096, which is even lower. The key is that 'root primary' might not guarantee becoming root if another switch has a lower priority.

Also, BPDU Guard is missing, and recovery requires shutdown first.

C

BPDU Guard is not configured on Fa0/1, leaving the port vulnerable to BPDU attacks. Also, the err-disabled recovery requires a shutdown command before no shutdown.

D

Simply shutting down the interface does not recover it from err-disable; you must also re-enable it with 'no shutdown'.

225
PBQmedium

You are connected via the console to R1, a Cisco ISR 4331 router. The network uses IPv6. R1's GigabitEthernet0/0 interface has the MAC address 00:1C:0F:9A:7B:32. You need to configure the interface to use EUI-64 to form a global unicast address from the prefix 2001:DB8:CAFE:1::/64. Additionally, ensure that the interface is enabled for IPv6.

Network Topology
G0/0linkR1IPv6 Network

Hints

  • EUI-64 uses the interface MAC address to create the interface ID.
  • The command format is 'ipv6 address prefix/length eui-64'.
  • You may also need to enable IPv6 on the interface with 'ipv6 enable'.
A.R1(config-if)# ipv6 address 2001:DB8:CAFE:1:021C:0FFF:FE9A:7B32/64 eui-64 R1(config-if)# no shutdown
B.R1(config-if)# ipv6 address 2001:DB8:CAFE:1::/64 eui-64 R1(config-if)# no shutdown
C.R1(config-if)# ipv6 address 2001:DB8:CAFE:1:021C:0FFF:FE9A:7B32/64 R1(config-if)# no shutdown
D.R1(config-if)# ipv6 address 2001:DB8:CAFE:1:001C:0FFF:FE9A:7B32/64 eui-64 R1(config-if)# no shutdown
AnswerA
solution
! R1
interface GigabitEthernet0/0
ipv6 address 2001:DB8:CAFE:1::/64 eui-64
ipv6 enable

Why this answer

The EUI-64 process inserts FF:FE in the middle of the MAC address and inverts the 7th bit. Configuring the IPv6 address with the eui-64 keyword automatically generates the interface ID from the MAC address.

Exam trap

Trap: Candidates often forget the bit inversion step in EUI-64 or incorrectly use the :: abbreviation with the eui-64 keyword. Remember: EUI-64 requires the full prefix and the 7th bit of the MAC must be flipped.

Why the other options are wrong

B

The specific factual error is that the EUI-64 keyword cannot be used with the double colon (::) abbreviation; the prefix must be fully specified.

C

The specific factual error is that the command does not use the eui-64 keyword, so it does not meet the requirement to use EUI-64.

D

The specific factual error is that the 7th bit inversion was not applied; the interface ID should start with 021C, not 001C.

Page 2

Page 3 of 25

Page 4