CCNA 200-301 v2 (200-301) — Questions 226300

1819 questions total · 25pages · All types, answers revealed

Page 3

Page 4 of 25

Page 5
226
MCQhard

A multilayer switch has SVIs for VLAN 10 and VLAN 20. Hosts in both VLANs can reach their local SVI, but they cannot reach each other. Which additional configuration is most likely required?

A.Enable `ip routing` on the multilayer switch.
B.Convert all access ports into trunks.
C.Make both VLANs use the same IP subnet.
D.Disable spanning tree on both VLANs.
AnswerA

This is correct because the switch needs Layer 3 routing enabled to forward traffic between SVIs.

Why this answer

The most likely missing configuration is `ip routing`. In practical terms, the switch already has Layer 3 gateway interfaces for the VLANs, which is why hosts can reach their local SVI. But inter-VLAN communication still requires the switch to actually route between those VLAN interfaces. Without IP routing enabled, the SVIs can exist and respond locally without forwarding traffic between them.

This is a classic multilayer-switch question because many learners assume that creating SVIs automatically enables inter-VLAN routing. It does not. The device must also be told to behave as a Layer 3 forwarding device across those VLAN interfaces.

Exam trap

Don't assume SVIs automatically enable inter-VLAN routing; IP routing must be explicitly enabled.

Why the other options are wrong

B

Converting all access ports to trunks is unnecessary and incorrect because host-facing ports should remain access ports assigned to a single VLAN. Trunks are used to carry multiple VLANs between switches, not to connect end hosts. This change would not enable inter-VLAN routing.

C

Making both VLANs use the same IP subnet would break the fundamental purpose of VLANs, which is to separate broadcast domains and logically segment the network. Hosts in different VLANs must be in different subnets for proper routing; otherwise, they would expect to communicate directly at Layer 2, which is not possible across VLANs.

D

Disabling Spanning Tree Protocol (STP) on both VLANs would not enable inter-VLAN routing; it would only risk creating Layer 2 loops and broadcast storms. STP is a loop-prevention mechanism and has no role in Layer 3 routing between VLANs.

227
MCQmedium

A router output shows this neighbor state: Neighbor ID 10.1.1.1 State FULL/DR Address 192.168.12.1 What does the FULL/DR state indicate?

A.The local router is the DR and adjacency formation has failed
B.The neighbor relationship is complete and the neighbor is the DR on that segment
C.The routers are exchanging only link-state requests
D.The neighbor has been learned through BGP redistribution
AnswerB

Correct. The adjacency is complete, and that neighbor is acting as the DR.

Why this answer

FULL means the OSPF adjacency is fully formed. The /DR suffix indicates that the listed neighbor is the Designated Router for that multiaccess segment.

Exam trap

A frequent exam trap is assuming that the FULL state with /DR means the local router is the Designated Router or that adjacency has failed. In reality, FULL indicates a successful adjacency, and the /DR suffix refers to the neighbor’s role. Candidates often confuse the neighbor ID with the local router’s role, leading to incorrect answers.

Another trap is thinking that exchanging only link-state requests corresponds to FULL state, but that actually occurs earlier in the adjacency process. Understanding the exact meaning of FULL and the DR role is essential to avoid these pitfalls.

Why the other options are wrong

A

Option A incorrectly states that adjacency formation has failed. FULL state actually indicates a successful adjacency, and the /DR suffix refers to the neighbor’s role, not failure.

C

Option C is incorrect because exchanging only link-state requests happens in earlier OSPF states, not in FULL adjacency, which means all exchanges are complete.

D

Option D is invalid because the output shows native OSPF neighbor information, not BGP redistribution, so the neighbor is not learned through BGP.

228
MCQhard

An EtherChannel between SW1 and SW2 is not forming. The technician runs the show etherchannel summary command on both switches and sees that all configured interfaces are in the 'I' (stand-alone) state. Both switches have their interfaces configured with channel-group 1 mode active. What should the technician check next?

A.Verify that both switches are using the same EtherChannel protocol (LACP or PAgP).
B.Check that the speed and duplex settings match on all member interfaces.
C.Check for a VLAN mismatch on the member interfaces (e.g., mismatched native VLAN or allowed VLAN list).
D.Determine whether Spanning Tree Protocol is blocking one of the ports.
AnswerC

LACP requires that all member ports have identical VLAN configurations (switchport mode, allowed VLANs, native VLAN). A mismatch in any of these parameters keeps the ports in stand-alone state. Since the protocol is already confirmed as LACP, verifying VLAN consistency is the most appropriate next step.

Why this answer

Option C is correct because when both switches are configured with channel-group 1 mode active, they are using LACP (active/active). The 'I' (stand-alone) state indicates the ports are not forming an EtherChannel despite LACP being enabled. A VLAN mismatch—such as differing native VLANs or allowed VLAN lists—can prevent LACP from successfully negotiating the bundle, as the control plane sees a Layer 2 inconsistency and keeps the ports in stand-alone mode.

Exam trap

Cisco often tests the misconception that the 'I' (stand-alone) state always indicates a physical or protocol mismatch, when in fact it frequently points to Layer 2 configuration inconsistencies like VLAN mismatches that prevent LACP from completing negotiation.

Why the other options are wrong

A

Assuming that a protocol mismatch might exist without checking the existing configuration first.

B

Prioritizing a Layer 1 check over a Layer 2 parameter that must be identical for EtherChannel to bundle.

D

Confusing STP port states with EtherChannel negotiation states.

229
PBQhard

You are connected to R1. Configure static routes so that R1 can reach the IPv4 network 203.0.113.0/24 and the IPv6 network 2001:db8:acad:1::/64 via R2 (G0/0 10.0.0.2/30). Additionally, configure a floating static default route (IPv4) with an administrative distance of 200 via R2, and a fully specified IPv6 default route via R2. Then, verify that the IPv4 static route to 203.0.113.0/24 is correctly installed by checking the routing table. The current configuration has an incorrect next-hop causing recursive routing failure for the IPv4 static route.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/30linkG0/12001:db8:acad:2::1/64G0/12001:db8:acad:2::2/64linkR2R1R3

Hints

  • Check the next-hop IP of the IPv4 static route; it should not be the router's own interface.
  • IPv6 static routes cannot use an IPv4 next-hop; they require an IPv6 next-hop or an exit interface.
  • After correcting the recursive route, the floating default route will become active.
A.Change the IPv4 static route next-hop from 10.0.0.1 to 10.0.0.2, change the IPv6 static route next-hop from 10.0.0.2 to 2001:db8:acad:2::2, and change the IPv6 default route to use next-hop 2001:db8:acad:2::2.
B.Change the IPv4 static route next-hop from 10.0.0.1 to 10.0.0.2, and change the IPv6 static route to use exit interface G0/0 instead of a next-hop.
C.Change the IPv4 static route next-hop from 10.0.0.1 to 10.0.0.2, and change the IPv4 default route administrative distance to 1.
D.Change the IPv4 static route next-hop from 10.0.0.1 to 10.0.0.2, and change the IPv6 default route to use exit interface G0/0.
AnswerA
solution
! R1
no ip route 203.0.113.0 255.255.255.0 10.0.0.1
ip route 203.0.113.0 255.255.255.0 10.0.0.2
no ipv6 route 2001:db8:acad:1::/64 10.0.0.2
ipv6 route 2001:db8:acad:1::/64 2001:db8:acad:2::2
no ipv6 route ::/0 10.0.0.2
ipv6 route ::/0 2001:db8:acad:2::2

Why this answer

The IPv4 static route to 203.0.113.0/24 incorrectly uses next-hop 10.0.0.1 (R1's own interface) instead of 10.0.0.2 (R2), causing recursive routing failure because R1 tries to reach itself. To fix, change the next-hop to 10.0.0.2. The IPv6 static route to 2001:db8:acad:1::/64 also incorrectly uses an IPv4 next-hop; it must be a fully specified IPv6 next-hop (2001:db8:acad:2::2) or an exit interface.

The IPv4 default route has AD 200 which is correct for a floating route, but it is not shown in the routing table because there is no route to the next-hop; after fixing the recursive route, the default route will appear. The IPv6 default route uses an IPv4 next-hop which is invalid; it should be a fully specified IPv6 route (e.g., ipv6 route ::/0 2001:db8:acad:2::2).

Exam trap

A common trap is using the local interface IP as the next-hop for a static route, which causes recursive routing failure. Also, remember that IPv6 static routes require IPv6 next-hop addresses; using an IPv4 address is invalid. Floating static routes must have a higher AD than the primary route.

Why the other options are wrong

B

The IPv6 static route should use a fully specified next-hop (IPv6 address) rather than just an exit interface to avoid recursive routing failures.

C

Floating static routes require a higher administrative distance (e.g., 200) so they are only used when the primary route is unavailable.

D

A fully specified IPv6 static route includes both the exit interface and the next-hop IPv6 address to ensure proper routing.

230
MCQmedium

Which ACL type can filter using source and destination IP addresses as well as TCP or UDP port numbers?

A.Standard IPv4 ACL
B.Extended IPv4 ACL
C.Prefix list
D.Native VLAN ACL
AnswerB

Correct. Extended ACLs support the granularity described.

Why this answer

Extended ACLs provide more granular matching, including source, destination, protocol, and Layer 4 port information.

Exam trap

A frequent exam trap is assuming that standard IPv4 ACLs can filter traffic based on destination IP addresses or TCP/UDP port numbers. Standard ACLs only match the source IP address, so relying on them for detailed filtering leads to incorrect answers. Another pitfall is confusing prefix lists or native VLAN ACLs with extended ACLs; prefix lists are for route filtering, and native VLAN ACLs do not provide the same level of granularity.

This misunderstanding can cause candidates to select incorrect options that seem plausible but do not meet the question’s requirements for filtering by source, destination, and port numbers.

Why the other options are wrong

A

Standard IPv4 ACLs only filter traffic based on the source IP address and cannot filter by destination IP or TCP/UDP port numbers, making this option incorrect for the question's requirements.

C

Prefix lists are used primarily for route filtering in routing protocols and do not filter traffic based on Layer 4 port numbers or destination IP addresses, so this option is incorrect.

D

Native VLAN ACLs apply to traffic within a VLAN but do not provide the granular filtering capabilities involving source/destination IP and port numbers, so this option is not correct.

231
MCQhard

A technician is troubleshooting an OSPF adjacency problem: R1 and R2 are not forming a neighbor relationship. R1's OSPF configuration includes the command 'network 192.168.1.0 0.0.0.255 area 0'. R2's GigabitEthernet0/0 is configured with IP address 10.1.1.1/30 and is participating in OSPF area 0. The engineer verifies that physical connectivity is fine and OSPF is enabled on R2. What is the most likely cause?

A.The OSPF network type on R1's interface differs from the network type on R2's interface.
B.R1's network statement does not include the subnet of the link connecting R1 and R2.
C.R1's router ID is not manually set and duplicates the router ID of R2.
D.Mismatched OSPF hello and dead intervals between the routers.
AnswerB

The command 'network 192.168.1.0 0.0.0.255 area 0' only enables OSPF on interfaces with an IP address in the 192.168.1.0/24 range. The link uses the 10.1.1.0/30 subnet, so R1's interface (e.g., 10.1.1.2/30) is not matched. Consequently, OSPF is inactive on that interface, and no neighbor relationship can form.

Why this answer

R1's network statement uses a wildcard mask of 0.0.0.255, which exactly matches interfaces with IP addresses in the 192.168.1.0/24 range. The link between R1 and R2 uses the 10.1.1.0/30 subnet, so R1's interface on that link will have an IP address that does not fall within the network command. Because OSPF only activates on interfaces whose primary IP is covered by a network statement, OSPF is not running on R1's connecting interface; no Hello packets are sent, and the adjacency cannot form.

The other options describe possible causes but do not align with the given configuration: no explicit network type change is mentioned, duplicate router-IDs are not indicated, and no timer modification is described.

Exam trap

Many candidates mistakenly believe the OSPF network command is used solely to advertise routes and does not control which interfaces run OSPF. They may overlook the fact that the network command also enables OSPF on interfaces whose IP address falls within the specified range, leading them to choose an incorrect but plausible alternative such as a mismatched network type or duplicate router‑IDs.

Why the other options are wrong

A

Candidates assume that OSPF adjacency failures on Ethernet links are often due to network type mismatches, without considering that the default settings match.

C

Candidates may remember that duplicate router‑IDs break OSPF and jump to this conclusion without first analyzing the simpler configuration issue.

D

Many students learn that timer mismatches are a common OSPF problem and may incorrectly assume they are the cause when the real issue is a basic configuration oversight.

232
MCQhard

A network engineer configures an EtherChannel between two Cisco switches SW1 and SW2 using LACP. After configuration, hosts connected to SW1 report intermittent connectivity to hosts on SW2. The engineer checks the EtherChannel status and sees that the trunk is up but only allows VLAN 1, while the hosts communicate across VLANs 10 and 20. Which command should the engineer apply to both switches to resolve the issue?

A.channel-group 1 mode active
B.switchport trunk allowed vlan 1,10,20
C.lacp rate fast
D.switchport mode trunk
AnswerB

This command ensures that all member ports of the EtherChannel have the same VLAN list. Inconsistent allowed VLANs across member ports can cause traffic to be dropped intermittently. Applying this to all member interfaces on both switches resolves the issue.

Why this answer

The output shows the EtherChannel is up but only VLAN 1 is allowed on the trunk, while the hosts on SW1 and SW2 communicate across VLANs 10 and 20. Applying 'switchport trunk allowed vlan 1,10,20' on both switches ensures all necessary VLANs are permitted over the EtherChannel, resolving the intermittent connectivity caused by dropped traffic for VLANs 10 and 20.

Exam trap

The trap here is that candidates assume the EtherChannel is fully functional once it shows as up/up, overlooking that the trunk's VLAN allowed list must match on both sides to pass traffic for all required VLANs.

Why the other options are wrong

A

The ports are already configured with LACP active mode, as indicated by the protocol being LACP and the ports being bundled. Reapplying this command does not address the root cause of intermittent connectivity, which is likely due to VLAN mismatch.

C

The 'lacp rate fast' command changes the LACP packet transmission rate to every second, which is used for faster failure detection. It does not affect VLAN consistency or cause intermittent connectivity; the issue is likely due to VLAN mismatch, not LACP rate.

D

The ports are already configured as trunk ports (the Po1 is Layer2 and trunking is implied). Reapplying 'switchport mode trunk' does not address the VLAN inconsistency that causes intermittent connectivity.

233
MCQhard

R1 and R2 are directly connected. Both are configured in OSPF area 0, and they can successfully ping each other. However, OSPF neighbor adjacency fails. R1's interface is configured with `ip ospf authentication message-digest` and a valid key, while R2's interface has no OSPF authentication configured. What is the most likely cause?

A.The routers are in different OSPF areas.
B.The OSPF authentication settings do not match.
C.The routers need identical hostnames before adjacency can form.
D.The subnet mask prevents OSPF multicast traffic.
AnswerB

This is correct because one side expects MD5 authentication and the other side is not shown with matching authentication.

Why this answer

The most likely cause is an OSPF authentication mismatch. Although the routers have IP connectivity and are in the same OSPF area, OSPF adjacency requires matching security parameters. R1 uses message-digest authentication whereas R2 has none configured, preventing neighbor formation.

The other options are incorrect: the stem confirms they are in the same area (A), OSPF does not require identical hostnames (C), and successful pings prove the subnet mask does not block multicast traffic (D).

Exam trap

A frequent exam trap is assuming that successful ping and matching OSPF areas guarantee neighbor adjacency. Candidates often overlook OSPF authentication mismatches, especially when one router uses message-digest authentication and the other does not. This leads to confusion because the link appears operational at Layer 3, but OSPF packets are discarded silently.

The trap exploits the misconception that IP connectivity alone is sufficient for OSPF adjacency, ignoring the protocol’s security requirements.

Why the other options are wrong

A

Both routers are explicitly in OSPF area 0, so they are not in different areas.

C

OSPF neighbor formation does not depend on matching hostnames; router IDs and interface parameters are what matter.

D

Since the routers can ping each other, IP reachability exists, indicating the subnet mask is not preventing OSPF multicast packets from being delivered.

234
MCQhard

A network administrator notices that wireless clients are unable to associate with the corporate SSID 'CorpNet' on an AP that is managed by a WLC. The AP has been joined to the WLC successfully, and the WLC is reachable from the AP. The administrator checks the WLC configuration. Based on the exhibit, what is the most likely cause of the association failure?

A.The WLAN is disabled.
B.The WLAN is missing a pre-shared key.
C.CCKM is not supported by the clients.
D.The WLAN is mapped to the management interface.
AnswerD

The management interface should not be used for client data traffic; it should be a dynamic interface.

Why this answer

The exhibit shows the WLAN 'CorpNet' is mapped to the management interface. While the association process may succeed, the management interface is reserved for control and management traffic (e.g., CAPWAP, SSH) and is not designed to carry client data. This misconfiguration prevents the client from obtaining network access (e.g., IP address via DHCP), which manifests as an apparent association failure.

Client data must be mapped to a dynamic interface (VLAN) or the guest interface for proper operation.

Exam trap

Cisco often tests the misconception that mapping to the management interface blocks 802.11 association; in reality, association may succeed, but the client fails to obtain network services.

Why the other options are wrong

A

The 'show wlan summary' output explicitly shows the WLAN status as 'Enabled', so the WLAN is not disabled. A disabled WLAN would prevent associations, but that is not the case here.

B

The output shows PSK is enabled with a passphrase 'Cisco123', so a pre-shared key is configured. Missing PSK would cause authentication failures, but that is not the issue here.

C

CCKM is a fast roaming method that is optional for client association. Clients can associate without CCKM support; it only affects roaming performance, not initial association.

235
MCQhard

A router has both an OSPF route and a static route to the same destination. The static route has an administrative distance of 200. What is the expected behavior while the OSPF route remains available?

A.The static route remains a backup and is used only if the OSPF route is lost.
B.The static route overrides OSPF immediately because static routes always win.
C.Both routes must be installed simultaneously because they point to the same destination.
D.The router removes the OSPF route because the static route has a manually configured distance.
AnswerA

This is correct because the static route’s administrative distance is higher than OSPF’s, so it floats in reserve.

Why this answer

The static route with an administrative distance of 200 behaves as a floating backup. In plain language, the router keeps it in reserve and prefers the OSPF route while OSPF is healthy, because OSPF’s default administrative distance of 110 is lower and therefore more trusted. The static route does not disappear from the configuration, but it stays out of the active routing table unless the better route is lost.

This is a very common CCNA concept because it shows how routing preference works between different route sources. The higher-distance static route is not useless; it is intentionally configured so that it becomes active only during a failure. That design provides backup routing without interfering with the normal dynamic path. The correct answer is the one describing the static route as a standby or floating route rather than as the preferred path.

Exam trap

Remember that lower administrative distance means higher preference, regardless of whether a route is static or dynamic.

Why the other options are wrong

B

Static routes do not always override dynamic routes; route selection is based on administrative distance. OSPF has a default AD of 110, which is lower than 200, so the OSPF route is preferred. The statement that static routes always win is incorrect because AD values determine preference.

C

Routers install only the best route (lowest AD) for a given destination in the routing table, unless equal-cost multipath (ECMP) is configured with identical metrics. Since OSPF and static routes have different ADs, they are not installed simultaneously; only the OSPF route is used.

D

The router does not remove the OSPF route because the static route has a manually configured distance. The OSPF route has a lower AD (110) than the static route's AD (200), so OSPF remains the preferred route and stays in the routing table.

236
MCQhard

An administrator configured a floating static default route on R1 as a backup to reach 10.10.10.0/24. The primary path is learned via OSPF, and the floating static route uses an administrative distance of 130. After the primary OSPF neighbor fails, traffic to 10.10.10.0/24 is dropped. According to the exhibit, why is the backup default route not being used?

A.The static route specifies an outgoing interface that is down; the next‑hop must be reachable for the route to be used.
B.The administrative distance of 130 is still less than the OSPF default of 110, so it will never be installed.
C.The static route is missing the permanent keyword, which is required for backup routes.
D.The metric of the static route is too high; it should be reduced to 0.
AnswerA

Because the static route uses only the outgoing interface (Serial0/0/0) without a next‑hop IP, the interface must be up/up for the route to be placed in the RIB. Since Serial0/0/0 is down, the entry is invalid.

Why this answer

The floating static default route is not used because the outgoing interface specified in the static route is down. For a static route with an outgoing interface to be considered valid and installed in the routing table, the interface must be in an up/up state. When the primary OSPF neighbor fails, the backup static route cannot be used because its next-hop is unreachable due to the interface being down, causing traffic to be dropped.

Exam trap

Cisco often tests the distinction between static routes with an outgoing interface versus a next-hop IP address, where candidates mistakenly assume a floating static route will automatically become active when the primary route fails, without considering the interface state.

Why the other options are wrong

B

This misinterprets AD: after the primary route is gone, any route with a higher AD (i.e., lower numeric value) is no longer present, so the floating static route should be installed if reachable.

C

Permanent is rarely needed and does not make a route usable when the interface is down; it only keeps the routing table entry present, but traffic cannot be forwarded.

D

Changing a static route metric is not possible, and even if it were, it would not change the fact that the specified interface is down.

237
PBQhard

You are connected to R1. The network uses 192.168.1.0/24 for internal hosts and 203.0.113.0/29 for the public IP pool (203.0.113.2 is the outside interface). Configure PAT so that inside hosts can reach the Internet using the pool address 203.0.113.2. Also configure static NAT to map internal server 192.168.1.10 to 203.0.113.3. The initial config has errors; identify and fix them.

Hints

  • Check the ACL used by the PAT command — does it match the inside subnet?
  • The inside hosts are on 192.168.1.0/24, not 10.0.0.0/8.
  • Only the ACL needs correction; the static NAT and interface NAT designations are correct.
A.Change ACL 10 to permit 192.168.1.0 0.0.0.255 and ensure the NAT pool and PAT are correctly configured.
B.Change the NAT pool to use a different public IP address and update the static NAT mapping.
C.Remove the static NAT and use PAT for the server as well.
D.Change the inside interface IP address to match the ACL.
AnswerA
solution
! R1
configure terminal
no access-list 10
access-list 10 permit 192.168.1.0 0.0.0.255
end

Why this answer

The ACL 10 permits 10.0.0.0/8, but inside hosts are on 192.168.1.0/24 — this ACL does not match the inside subnet, so PAT fails. The static NAT is correct. To fix: change ACL 10 to permit 192.168.1.0 0.0.0.255.

Also ensure the PAT references the correct ACL; currently it uses list 10, so after fixing the ACL, PAT will work. No other changes needed.

Exam trap

Candidates often overlook the ACL used in NAT and assume the NAT configuration is complete. Always verify that the ACL matches the inside network exactly. Also, remember that static NAT and PAT can coexist; do not remove static NAT if it is required.

Why the other options are wrong

B

The specific factual error is that the pool address 203.0.113.2 and static mapping to 203.0.113.3 are valid and do not need changing.

C

The specific factual error is that PAT does not allow inbound connections initiated from outside; static NAT is required for that purpose.

D

The specific factual error is that the inside interface IP is part of the 192.168.1.0/24 network and should not be changed; the ACL should be adjusted instead.

238
MCQmedium

Exhibit: R1 shows an OSPF neighbor stuck in EXSTART with R2 on a serial link. What is the most likely cause?

A.An OSPF area mismatch
B.A duplicate router ID on R1 and R2
C.An interface MTU mismatch between the routers
D.A missing default route on R2
AnswerC

EXSTART or EXCHANGE problems commonly occur when the MTU values do not match.

Why this answer

When two OSPF routers stay in EXSTART, the first thing to suspect is an MTU mismatch. They can discover each other, but database exchange does not complete because the DBD packets do not agree on interface MTU.

Exam trap

Be aware that MTU mismatches cause EXSTART issues, while other mismatches prevent adjacency formation.

Why the other options are wrong

A

An OSPF area mismatch prevents routers from forming a full adjacency; they typically remain in the INIT or 2-WAY state, not EXSTART. The EXSTART state indicates that the routers have already exchanged Hello packets and are attempting to negotiate the master/slave relationship, which requires matching area IDs.

B

Duplicate router IDs cause OSPF to behave unpredictably, often resulting in flapping adjacencies or multiple neighbors with the same ID, but they do not typically cause a stuck EXSTART state on a single link. The routers would still progress through the states, but the adjacency may be unstable.

D

A missing default route on R2 does not affect OSPF adjacency formation. OSPF neighbors exchange routing information using multicast Hello and DD packets, which do not require a default route. The adjacency process is independent of the routing table content.

239
MCQmedium

A network administrator is troubleshooting a Windows 10 client that cannot access a web server at 192.168.1.100. The client has an IP address of 192.168.1.50/24 and can ping its default gateway (192.168.1.1) successfully, but ping to 192.168.1.100 fails. Which command should the administrator run next to verify the client's current network connections and identify potential issues with active sessions?

A.ipconfig /all
B.netstat -a
C.tracert 192.168.1.100
D.ping -t 192.168.1.100
AnswerB

This command shows all active TCP connections and listening ports on the client, allowing the administrator to see if there are any established sessions to the web server or if the web server's port is being blocked or not responding.

Why this answer

The `netstat -a` command displays all active TCP/UDP connections and listening ports, which is the most direct way to verify current network sessions and identify issues such as blocked ports, half-open connections, or failed connection attempts. While ping failure could result from network-layer filtering (e.g., ACLs blocking ICMP), `netstat -a` reveals whether the client has initiated a TCP connection to 192.168.1.100 and its current state (e.g., SYN_SENT, ESTABLISHED, TIME_WAIT), helping to isolate transport-layer or application-layer problems.

Exam trap

Cisco often tests the distinction between Layer 3 connectivity (ping/tracert) and Layer 4 session verification (netstat), trapping candidates who assume that successful ping implies full application-layer connectivity.

Why the other options are wrong

A

The ipconfig /all command displays detailed IP configuration, including DNS servers and MAC addresses, but does not show active network connections or sessions. Since the client can ping the gateway, IP configuration is likely correct, and this command does not help identify issues with active sessions to the web server.

C

The tracert command performs a route trace to the destination, which requires Layer 3 reachability. Since ping to 192.168.1.100 already failed, tracert will likely also fail and does not provide information about active connections or listening ports. It is useful for identifying where packets are dropped along the path, but not for verifying active sessions.

D

The ping -t command sends continuous ICMP echo requests to test reachability over time, but it does not reveal connection states or listening ports. Since ping already failed, continuous pings will also fail and do not help identify issues with active TCP sessions to the web server.

240
PBQhard

You are connected to R1. The network requires HSRP for default gateway redundancy on subnet 192.168.1.0/24. R2 should be the active router, and R1 the standby. Currently, both routers show as active. Configure R1 with priority 90, enable preempt, ensure the virtual IP is 192.168.1.254, and configure tracking of interface GigabitEthernet0/1 (subnet 203.0.113.0/30) so that if R1's tracked interface goes down, its priority decreases by 20. Verify the final state with 'show standby brief'.

Network Topology
G0/0192.168.1.1/24G0/0192.168.1.2/24G0/1203.0.113.1/30R2switchR1ISP

Hints

  • Both routers show active; check priority values and preempt configuration.
  • The virtual IP must match on both routers; verify it's 192.168.1.254.
  • Use 'standby 1 track' with the correct interface and decrement value.
A.interface GigabitEthernet0/0 standby version 2 standby 1 ip 192.168.1.254 standby 1 priority 90 standby 1 preempt standby 1 track GigabitEthernet0/1 20
B.interface GigabitEthernet0/0 standby version 2 standby 1 ip 192.168.1.254 standby 1 priority 110 standby 1 preempt standby 1 track GigabitEthernet0/1 20
C.interface GigabitEthernet0/0 standby version 2 standby 1 ip 192.168.1.254 standby 1 priority 90 standby 1 preempt standby 1 track GigabitEthernet0/1 30
D.interface GigabitEthernet0/0 standby version 2 standby 1 ip 192.168.1.254 standby 1 priority 90 standby 1 preempt standby 1 track GigabitEthernet0/0 20
AnswerA
solution
! R1
interface GigabitEthernet0/0
standby 1 priority 90
standby 1 preempt
standby 1 track GigabitEthernet0/1 20
end

Why this answer

The scenario requires R2 to be the HSRP active router. By default, both routers have priority 100, and HSRP election would select the router with the higher IP address as active if priorities are equal. To ensure R2 becomes active, R1's priority must be lowered to 90.

Additionally, tracking interface GigabitEthernet0/1 with a decrement of 20 is configured so that if R1's uplink fails, its priority drops to 70, further preventing it from becoming active. The correct configuration on R1 sets priority 90, enables preempt, and tracks the correct interface with decrement 20. Options B, C, and D are wrong because: B sets a higher priority (110) which would make R1 active; C uses an incorrect decrement of 30; and D tracks the wrong interface (Gig0/0 instead of Gig0/1).

Exam trap

Trap: Candidates may think that increasing priority ensures redundancy, but the requirement specifies R2 as active, so R1's priority must be lower. Also, ensure the tracked interface is the correct one (Gig0/1) and the decrement value matches exactly.

Why the other options are wrong

B

The priority value is higher than the default, which would make R1 active instead of standby.

C

The decrement value does not match the required 20; it is 30.

D

The tracked interface is wrong; it should be GigabitEthernet0/1, not GigabitEthernet0/0.

241
MCQmedium

Which WAN technology is most closely associated with establishing a direct point-to-point data-link connection between two routers over a serial link?

A.PPP
B.CAPWAP
C.SNMP
D.STP
AnswerA

This is correct because PPP is a point-to-point WAN encapsulation commonly used on serial links.

Why this answer

PPP is the WAN technology most closely associated with point-to-point serial connections between routers. In practical terms, it is a Layer 2 WAN encapsulation method commonly discussed in traditional serial WAN contexts. It supports features such as authentication and link negotiation that make it more flexible than older basic encapsulations.

This is one of the classic CCNA WAN topics.

Exam trap

Don't confuse general WAN technologies like Frame Relay and MPLS with protocols specifically designed for point-to-point serial links.

Why the other options are wrong

B

CAPWAP is a control and provisioning protocol for wireless access points and controllers, not a WAN encapsulation for serial links. It operates at the application layer and is used in wireless LAN architectures, not for point-to-point data-link connections.

C

SNMP is an application-layer protocol for network management and monitoring, used to collect statistics and configure devices. It does not provide data-link layer encapsulation or establish point-to-point connections over serial links.

D

STP is a Layer 2 protocol that prevents loops in Ethernet switched networks by blocking redundant paths. It has no role in WAN serial links, which are point-to-point and inherently loop-free.

242
MCQhard

A REST API call uses the GET method against a device inventory endpoint. What is the most likely intent of the call?

A.To retrieve information from the endpoint.
B.To delete the endpoint from the controller.
C.To replace the endpoint with a new resource.
D.To force the device into PPP mode.
AnswerA

This is correct because GET is commonly used for reading data.

Why this answer

The most likely intent is to retrieve information, not to create or delete it. In practical terms, GET is commonly used when a client wants to read state or inventory data from an API endpoint. This is one of the most basic REST-style concepts in network automation.

The key is to associate method semantics with likely operational intent.

Exam trap

A common exam trap is confusing the GET method with other HTTP methods like DELETE or PUT. Candidates might incorrectly assume GET can modify or delete resources because they associate API calls with configuration changes. However, GET is strictly for retrieving information and does not alter device state.

Misreading this can lead to selecting options that imply deletion or replacement, which are handled by DELETE and PUT respectively. Recognizing the safe, read-only nature of GET prevents this mistake and aligns with REST API best practices in Cisco automation.

Why the other options are wrong

B

Incorrect because DELETE is the HTTP method used to remove resources. GET does not delete or alter the endpoint or its data, so this option misrepresents REST API semantics.

C

Incorrect because replacing or updating a resource is typically done with the PUT method. GET does not modify or replace resources, so this option confuses method purposes.

D

Incorrect because forcing a device into PPP mode is a configuration action unrelated to REST API method semantics. GET calls do not trigger operational mode changes.

243
Drag & Dropmedium

Drag and drop the following steps into the correct order to capture and analyze traffic on IOS-XE using the embedded packet capture feature, then export the capture for analysis in Wireshark to isolate a Layer 2 or Layer 3 fault.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

Embedded Packet Capture (EPC) on IOS-XE uses exec-mode monitor capture commands without needing global configuration mode. First, define the capture point specifying the interface and direction. Then start the capture to collect packets.

Stop the capture after gathering sufficient data, and finally export the file to a TFTP server for analysis in Wireshark.

Exam trap

A common mistake is attempting to start the capture before defining the capture point, or exporting before stopping the capture. Remember the logical order: define, start, stop, export.

244
MCQmedium

A router is configured for NAT overload, but translations never appear when inside users browse the internet. Which issue is most likely?

A.The outside interface is missing the ip nat outside command
B.The ACL used by NAT must deny inside addresses
C.PAT requires DHCP on the inside interface
D.NAT overload works only with OSPF-learned routes
AnswerA

Without inside and outside roles, overload translations will not build correctly.

Why this answer

NAT needs the inside and outside interfaces marked correctly. If those roles are missing or reversed, the router has no context for translating traffic and the NAT table stays empty.

Exam trap

Ensure inside and outside interfaces are correctly set for NAT; misconfigurations here are a common oversight.

Why the other options are wrong

B

The ACL used by NAT should match the inside local addresses that need to be translated, typically using a permit statement. If the ACL denies inside addresses, no traffic will be matched for translation, causing NAT to fail. The correct ACL should permit the inside network.

C

PAT (Port Address Translation) does not require DHCP on any interface. PAT translates multiple private IP addresses to a single public IP using different port numbers, and it works independently of how IP addresses are assigned. DHCP is only needed if the interface needs to obtain an IP address dynamically.

D

NAT overload (PAT) is independent of the routing protocol used. It works with static routes, OSPF, EIGRP, or any other routing protocol. The routing protocol only affects how packets are forwarded, not how NAT translates addresses.

245
Matchingmedium

Match each API interaction term to its most accurate description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

HTTP method commonly used to retrieve information

HTTP method commonly used to update or replace a resource

Secure transport for the API exchange

Credential-like value used to help control API access

Why these pairings

GET is an HTTP method designed to retrieve data from a server without modifying resources. PUT is an HTTP method used to update or replace an existing resource at a given URI. HTTPS provides encrypted transport for the API exchange, ensuring confidentiality and integrity.

A token serves as a credential-like value, often passed in headers, to authenticate and authorize API access.

Exam trap

A common mistake is confusing the roles of GET and PUT—GET retrieves data while PUT updates it—and overlooking that HTTPS is a secure transport protocol, not an HTTP method or authentication mechanism.

246
MCQmedium

What is version control primarily used for in network automation workflows?

A.To replace authentication for API clients
B.To track changes and maintain history for code and templates
C.To automatically assign switchport VLANs in real time
D.To discover neighboring devices at Layer 2
AnswerB

Correct. That is the core value of version control.

Why this answer

Version control tracks changes to code and configuration artifacts, enabling rollback, collaboration, and auditability.

Exam trap

A common exam trap is mistaking version control for a live network function like VLAN assignment or device discovery. Some candidates incorrectly believe version control directly manages network devices in real time, such as automatically assigning VLANs or discovering neighbors. However, version control only manages the files that define these actions, not the actions themselves.

Confusing these roles leads to selecting incorrect options that describe operational network tasks rather than the management and tracking of automation code and templates.

Why the other options are wrong

A

Option A is incorrect because version control systems do not replace authentication for API clients. Authentication is handled by security protocols and credentials, not by version control.

C

Option C is incorrect because version control does not assign VLANs or perform any real-time network configuration tasks; it only manages the files that define such configurations.

D

Option D is incorrect because discovering neighboring devices at Layer 2 is a network function performed by protocols like CDP or LLDP, not by version control systems.

247
MCQmedium

A switch port connected to an end host should forward traffic for one VLAN only and should not negotiate trunking. Which configuration approach best fits that requirement?

A.Configure the interface with `switchport mode access`
B.Configure the interface with `switchport mode trunk`
C.Configure the interface with `switchport mode dynamic desirable`
D.Configure the interface with `no switchport`
AnswerA

This is correct because access mode is the normal one-VLAN configuration for an end-host port.

Why this answer

The best approach is to configure the interface as an access port. In plain language, this tells the switch that the interface is for a normal endpoint and should belong to one VLAN rather than carry multiple VLANs like a trunk. It also avoids reliance on dynamic trunk negotiation, which is usually unnecessary and potentially confusing for a user-facing connection.

This is a standard access-layer design principle. End hosts such as PCs and printers usually connect to access ports, not trunks. That is why the correct answer is the one centered on explicit access-port behavior.

Exam trap

Avoid confusing trunking features with access port requirements. Remember, end devices typically connect via access ports.

Why the other options are wrong

B

A trunk port is designed to carry traffic for multiple VLANs between switches, not for a single end host. Using switchport mode trunk on an access port would allow multiple VLANs and enable trunk negotiation, violating the requirement.

C

The dynamic desirable mode actively attempts to form a trunk with the connected device using DTP. This allows trunk negotiation, which contradicts the requirement to not negotiate trunking and to forward traffic for only one VLAN.

D

The no switchport command converts the Layer 2 switch port into a Layer 3 routed port, which does not operate as a switch port and cannot be assigned to a VLAN. This is used for routing between VLANs, not for connecting an end host to a single VLAN.

248
PBQhard

You are connected to R1 (192.168.1.1/24, GigabitEthernet0/0). Using RESTCONF, you need to retrieve the operational status of interface GigabitEthernet0/0 and then change its description to 'Uplink to R2'. The correct base URI is https://192.168.1.1/restconf. Provide the GET and PATCH request URIs, required HTTP headers, and identify the error that occurs if you use Accept: application/json instead of application/yang-data+json.

Hints

  • RESTCONF base URI is always /restconf on Cisco IOS-XE.
  • The ietf-interfaces module is used for standard interface configuration; Cisco-IOS-XE-native is for native CLI-like data.
  • Content-type and Accept headers must match the YANG data format (application/yang-data+json).
A.GET /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0?content=nonconfig, PATCH /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0, Accept: application/yang-data+json, error: 406 Not Acceptable
B.GET /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0, PATCH /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0, Accept: application/json, error: 404 Not Found
C.GET /restconf/data/Cisco-IOS-XE-native:interface/GigabitEthernet0/0?content=nonconfig, PATCH /restconf/data/Cisco-IOS-XE-native:interface/GigabitEthernet0/0, Accept: application/yang-data+json, error: 406 Not Acceptable
D.GET /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0?content=nonconfig, PATCH /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0, Accept: application/json, error: 404 Not Found
AnswerA
solution
! R1
GET URI: /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0?content=nonconfig
PATCH URI: /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0
Headers: Accept: application/yang-data+json, Content-Type: application/yang-data+json (for PATCH)
PATCH body: {"ietf-interfaces:interface": [{"name": "GigabitEthernet0/0", "description": "Uplink to R2"}]}
Wrong Accept: application/json causes 406 Not Acceptable
Wrong YANG path (e.g., /restconf/data/Cisco-IOS-XE-native:interface) causes 404 Not Found

Why this answer

The correct GET URI is /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0?content=nonconfig to retrieve operational status. The PATCH URI is /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0 with a JSON body containing the new description. Both requests require the header Accept: application/yang-data+json.

If Accept: application/json is used, the router returns a 406 Not Acceptable error because IOS-XE RESTCONF only accepts application/yang-data+json. The YANG module path must use the ietf-interfaces module name; using a wrong path like /restconf/data/Cisco-IOS-XE-native:interface/GigabitEthernet0/0 would return a 404 Not Found.

Exam trap

Remember that RESTCONF requires the specific media type application/yang-data+json, not generic application/json. Also, operational data retrieval requires the ?content=nonconfig query parameter. Using the wrong YANG module path leads to a 404 error, while the wrong Accept header leads to 406.

Why the other options are wrong

B

The specific factual error: The GET URI is missing ?content=nonconfig, and the Accept header should be application/yang-data+json. The error for wrong Accept is 406, not 404.

C

The specific factual error: The YANG module path should be ietf-interfaces:interfaces/interface=..., not Cisco-IOS-XE-native:interface/.... The error for wrong path is 404, not 406.

D

The specific factual error: The Accept header must be application/yang-data+json; application/json is not acceptable and returns 406, not 404.

249
Multi-Selectmedium

Which TWO symptoms are most likely to appear in the output of 'show interfaces' when a duplex mismatch exists between a switch port and a connected host?

Select 2 answers
A.Excessive collisions and CRC errors on the interface
B.Runts and frame errors on the interface
C.Auto-negotiation failed message in the interface output
D.High input rate on the interface
E.Line protocol is down
AnswersA, B

On the half-duplex side, collisions are normal but become excessive due to the full-duplex side transmitting without listening. CRC errors occur when frames are corrupted by collisions.

Why this answer

A duplex mismatch causes collisions on the half-duplex side, resulting in excessive collisions and CRC errors (option A). On the full-duplex side, the host receives truncated frames from the half-duplex side's collisions, leading to runts and frame errors (option B). Option C is incorrect because 'Auto-negotiation failed' would appear only if negotiation itself failed, not from a mismatch after successful negotiation.

Option D is wrong because a duplex mismatch typically reduces throughput and causes errors, not a high input rate. Option E is incorrect because the line protocol remains up; duplex mismatch does not bring the line protocol down.

Exam trap

Cisco often tests the distinction that 'runts' and 'frame errors' are symptoms of duplex mismatch on the full-duplex side, while 'excessive collisions' and 'CRC errors' appear on the half-duplex side, and candidates may incorrectly assume both symptoms appear on the same interface.

Why the other options are wrong

C

A duplex mismatch occurs after auto-negotiation completes; no 'auto-negotiation failed' message appears on the interface.

D

Duplex mismatch causes errors and retransmissions, usually reducing the effective input rate, not increasing it.

E

Duplex mismatch keeps the line protocol up; it affects data integrity but not the Layer 1/2 link state.

250
MCQhard

A packet destined for 10.1.1.130 arrives at the router. Based on the routing table, which route will be used?

A.The static route to 10.1.1.128/25
B.The default route
C.The OSPF route to 10.1.1.0/24
D.The OSPF route to 10.1.0.0/16
AnswerA

This is correct because 10.1.1.130 belongs to the 10.1.1.128/25 range, and /25 is the longest matching prefix shown.

Why this answer

Routers do not choose the route with the lowest administrative distance first when several routes match a destination. They begin with the most specific matching prefix. In practical terms, the router looks for the narrowest route that still contains the destination address. The packet is going to 10.1.1.130. That address fits inside 10.1.1.128/25, and it also fits inside 10.1.1.0/24 and 10.1.0.0/16. But /25 is the most specific of those matches, so the router uses it.

Only after determining that two routes have the same prefix length would the router consider administrative distance and metric. The default route is ignored because more specific matches exist.

Exam trap

A frequent exam trap is to mistakenly select the default route or a less specific OSPF route because they appear in the routing table. Candidates often overlook that routers prioritize the longest prefix match before considering administrative distance or route type. This leads to choosing the default route or a broader subnet like 10.1.1.0/24 or 10.1.0.0/16 instead of the more specific static route 10.1.1.128/25.

Misunderstanding this can cause incorrect answers and confusion about how Cisco routers forward packets.

Why the other options are wrong

B

The default route is incorrect because it is the least specific route and only used when no other matching routes exist; here, more specific routes are available.

C

The OSPF route to 10.1.1.0/24 is less specific than the /25 static route, so it is not selected despite matching the destination IP address.

D

The OSPF route to 10.1.0.0/16 is the least specific among the options and will not be chosen when more specific routes like /24 or /25 exist.

251
PBQhard

You are connected to R1 via the console. R1 has two directly connected routers: R2 and R3. Currently, R1 cannot reach R2's loopback interface (203.0.113.1/32). Additionally, R3 is IPv6-only and must be reachable from R1 using a statically assigned global unicast address. Configure R1's interfaces and static routes so that: (1) R1 can ping R2's loopback, (2) R1 can ping R3's IPv6 address 2001:db8:acad:2::1/64, and (3) R1's IPv6 address on the link to R3 is derived using EUI-64.

Hints

  • Check the subnet of the IPv6 address on R1's G0/1; it should match R3's subnet.
  • R2's loopback is not directly connected; a static route is needed.
  • EUI-64 uses the MAC address; ensure the prefix is correct.
A.Configure R1's G0/0 with IP 192.168.1.1/24 and add a static route to 203.0.113.1/32 via 192.168.1.2. Configure R1's G0/1 with IPv6 address 2001:db8:acad:2::/64 eui-64.
B.Configure R1's G0/0 with IP 192.168.1.1/24 and add a static route to 203.0.113.0/24 via 192.168.1.2. Configure R1's G0/1 with IPv6 address 2001:db8:acad:1::/64 eui-64.
C.Configure R1's G0/0 with IP 192.168.1.1/24 and add a static route to 203.0.113.1/32 via 192.168.1.2. Configure R1's G0/1 with IPv6 address 2001:db8:acad:2::1/64.
D.Configure R1's G0/0 with IP 192.168.1.1/24 and add a static route to 203.0.113.1/32 via 192.168.1.2. Configure R1's G0/1 with IPv6 address 2001:db8:acad:1::/64 eui-64.
AnswerA
solution
! R1
interface GigabitEthernet0/1
ipv6 address 2001:db8:acad:2::/64 eui-64
exit
ip route 203.0.113.1 255.255.255.255 192.168.1.2

Why this answer

The ping to R2's loopback fails because R1's G0/0 is configured with a /24 mask, but the network should be /24 (which is correct), but the loopback is on a different subnet (203.0.113.0/24 vs 192.168.1.0/24). Actually the issue is that R1 has no route to 203.0.113.1. The solution is to add a static route on R1 pointing to R2's G0/0 IP.

For IPv6, R1's EUI-64 address is on the wrong subnet (2001:db8:acad:1::/64) but R3 is on 2001:db8:acad:2::/64. The fix is to change the IPv6 address on R1's G0/1 to 2001:db8:acad:2::/64 eui-64. Then add an IPv6 static route if needed (but R1 and R3 are directly connected, so after fixing the subnet, ping should work).

Exam trap

Watch out for subnet mismatches in IPv6 and the requirement to use EUI-64. Many candidates forget that EUI-64 requires the 'eui-64' keyword, not a manual interface ID. Also, ensure static routes point to the exact host (/32) when the destination is a loopback.

Why the other options are wrong

B

The IPv6 subnet mismatch prevents direct connectivity; R1 and R3 must be on the same subnet for a ping to work without additional routing.

C

The requirement explicitly states that the IPv6 address must be derived using EUI-64; a manually specified interface ID violates this.

D

The IPv6 subnet must be the same as R3's for direct connectivity; using a different subnet requires additional routing, which is not configured.

252
MCQhard

A switch has DHCP snooping enabled and Dynamic ARP Inspection enabled on VLAN 30. A printer with a static IP on VLAN 30 cannot communicate because its ARP packets are being dropped. What is the best fix?

A.Disable DAI on all VLANs globally.
B.Configure a static ARP inspection entry or ARP ACL for the printer.
C.Trust the user-facing printer access port for DHCP snooping and DAI.
D.Change the printer to use a larger MTU.
AnswerB

Correct. Static devices need a trusted binding source.

Why this answer

DAI relies on trusted bindings. Static-IP devices that are not learned through DHCP often require a static ARP ACL or equivalent trusted binding mechanism.

Exam trap

A common exam trap is to disable Dynamic ARP Inspection entirely or trust the user-facing access port to fix ARP packet drops from static IP devices. Disabling DAI weakens the network’s ARP spoofing protection, which is against best practices and exam expectations. Trusting access ports is too broad and can allow malicious ARP traffic, defeating the purpose of DAI.

The trap is that these options seem easier but compromise security, whereas the correct approach is to configure static ARP inspection entries or ARP ACLs for static IP devices to maintain security and functionality.

Why the other options are wrong

A

Disabling DAI on all VLANs globally removes ARP spoofing protection network-wide, which is excessive and reduces security unnecessarily. The question requires a targeted fix, so this option is incorrect.

C

Trusting the user-facing printer access port for DHCP snooping and DAI is too permissive and can allow malicious ARP packets, weakening security. It is not recommended as a best practice or exam answer.

D

Changing the printer to use a larger MTU does not affect ARP packet validation or DAI behavior. MTU size is unrelated to ARP inspection, so this option is irrelevant and incorrect.

253
PBQhard

You are connected to R1. The network consists of three routers: R1, R2, and R3. R1 must reach the loopback network 203.0.113.0/24 on R3 via two paths: a primary static route through R2's G0/0 (192.0.2.2) and a floating static route through R2's G0/1 (198.51.100.2) with an administrative distance of 150. Additionally, R1 already has a default route pointing to 192.0.2.2. Configure the two static routes to 203.0.113.0/24 on R1 as described. The default route does not need to be changed. Verify that the primary route is active and the floating route is used only if the primary fails.

Network Topology
G0/0192.0.2.1/30G0/0192.0.2.2/30G0/0192.0.2.2/30Lo0203.0.113.1/24R2R1R3

Hints

  • Check the administrative distance of the floating static route; it should be higher than the primary route's AD.
  • Verify that both next-hop addresses are directly connected to R1.
  • Ensure the default route is present and pointing to the correct next-hop.
A.Configure ip route 203.0.113.0 255.255.255.0 192.0.2.2 and ip route 203.0.113.0 255.255.255.0 198.51.100.2 150. The default route is already configured. No further changes needed.
B.Configure ip route 203.0.113.0 255.255.255.0 192.0.2.2 and ip route 203.0.113.0 255.255.255.0 198.51.100.2 150. Also, remove the existing default route and re-add it with a higher administrative distance.
C.Configure ip route 203.0.113.0 255.255.255.0 192.0.2.2 150 and ip route 203.0.113.0 255.255.255.0 198.51.100.2. The default route is already configured.
D.Configure ip route 203.0.113.0 255.255.255.0 192.0.2.2 and ip route 203.0.113.0 255.255.255.0 198.51.100.2. The default route is already configured. No administrative distance is needed because the router will automatically prefer the route with the lower metric.
AnswerA
solution
! R1
configure terminal
no ip route 203.0.113.0 255.255.255.0 198.51.100.2 150
ip route 203.0.113.0 255.255.255.0 198.51.100.2 150
end
show ip route 203.0.113.0

Why this answer

The correct answer is option A because it correctly configures the primary static route to 203.0.113.0/24 via 192.0.2.2 (default AD 1) and the floating static route via 198.51.100.2 with AD 150, ensuring the primary route is preferred. The default route to 192.0.2.2 is already configured and does not need modification. Options B, C, and D are incorrect: B wrongly adds a higher AD to the default route, C inverts the ADs on the two routes, and D omits the required AD on the floating route, causing both routes to have equal AD and potential load balancing or conflict.

Exam trap

A common trap is confusing which route gets the higher administrative distance. Remember: the floating (backup) route gets the higher AD, so it is only used when the primary route fails. Also, do not modify the default route unless specified.

Always verify that the next-hop addresses are directly connected to avoid recursive routing issues.

Why the other options are wrong

B

The specific factual error is that the default route configuration is correct as given; there is no need to modify it. Changing the AD of the default route could cause routing issues.

C

The specific factual error is swapping the administrative distances: the primary route should have a lower AD than the floating route. Here, the primary route has AD 150 and the floating route has AD 1, causing the backup to be preferred.

D

The specific factual error is that static routes without an AD default to 1, so both routes would have equal AD. The floating route must have a higher AD (e.g., 150) to act as a backup.

254
Multi-Selectmedium

Which TWO statements about 802.1Q trunking, native VLANs, and inter-VLAN routing are correct? (Choose two.)

Select 2 answers
A.802.1Q trunking is a Cisco-proprietary protocol that uses a 4-byte tag to identify VLAN membership.
B.By default, frames belonging to the native VLAN are sent untagged across an 802.1Q trunk.
C.Inter-VLAN routing can be accomplished using a Layer 2 switch configured with VLAN access maps.
D.The native VLAN must be identical on both ends of an 802.1Q trunk to avoid native VLAN mismatch errors.
E.Switches strip the 802.1Q tag from all frames before forwarding them out of a trunk port.
AnswersB, D

The 802.1Q specification sends native VLAN traffic without a tag, allowing the receiving switch to identify the native VLAN.

Why this answer

Option B is correct because, by default, 802.1Q trunking treats the native VLAN (typically VLAN 1) as untagged. Frames in the native VLAN are sent without an 802.1Q tag, allowing interoperability with devices that do not understand trunking. This behavior is defined in IEEE 802.1Q and is essential for backward compatibility.

Exam trap

Cisco often tests the misconception that all frames on a trunk are tagged, but the trap here is that the native VLAN is sent untagged by default, and candidates may incorrectly assume that inter-VLAN routing can be done with a Layer 2 switch alone.

Why the other options are wrong

A

802.1Q is an open IEEE standard. Cisco-proprietary trunking is Inter-Switch Link (ISL).

C

Layer 2 switches cannot route between VLANs. Inter-VLAN routing requires a Layer 3 device such as a router or a Layer 3 switch with SVIs.

E

Trunk ports forward tagged frames so the receiving switch can distinguish VLANs. Removing tags from all frames would defeat the purpose of trunking.

255
MCQhard

Refer to the exhibit. An administrator has configured NAT on router R1 to allow hosts on the 192.168.1.0/24 LAN to access the Internet. However, users report that they cannot reach external websites. The administrator runs the show ip nat translations command. What is the most likely reason for the problem?

A.The access list used for dynamic NAT does not match the LAN subnet.
B.The ip nat outside command is missing from the WAN interface.
C.The ip nat inside source static commands have incorrect IP addresses.
D.The ip nat inside command is missing from the LAN-facing interface.
AnswerD

The output reveals that only static NAT translations are active; no dynamic entries exist. For the router to process packets from the LAN under NAT, the interface connected to the LAN must be configured with ip nat inside. Its absence stops all dynamic address translation, leaving only the manually configured static entries.

Why this answer

The output shows only static NAT entries (protocol column "---") with no dynamic translations. The presence of static entries does not depend on the dynamic NAT configuration. For dynamic NAT (like PAT overloading) to create translations for outbound traffic, the interface that receives packets from the inside hosts must have the ip nat inside command.

Because the LAN-facing interface is missing this command, no packets from 192.168.1.0/24 are evaluated for NAT, resulting in an empty dynamic translation table and connectivity failure.

Exam trap

Candidates often attribute the lack of dynamic translations to a misconfigured access list, but even a perfectly matched ACL cannot trigger NAT if the inside interface is not enabled with ip nat inside. The missing interface command is a more fundamental cause, as no translation can occur on packets entering that interface without it.

Why the other options are wrong

A

Candidates think any absence of dynamic entries is due to ACL mismatch, overlooking the prerequisite that the inside interface must be configured with ip nat inside for NAT to function at all.

B

The presence of static NAT translations in the output indicates that the ip nat outside command is already applied on the WAN interface.

C

Candidates may focus on the static entries, but the symptom is missing dynamic translations; bad static mappings would not prevent dynamic translations from appearing.

256
PBQhard

You are connected to R1 via the console. The network operations center (NOC) has asked you to configure R1 as an NTP client of the NTP server at 192.0.2.10 (reachable via VLAN 100, SVI 192.168.1.1/24). They also need all system messages of level 'debug' (level 7) and higher forwarded to the syslog server at 203.0.113.50. The current configuration shows that NTP is not working (stratum 16) and syslog is only sending critical and higher messages. Fix both issues.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/30linkR2R1switchNTP serverSyslog server

Hints

  • Check the source IP of NTP packets; the server may require a specific source address.
  • NTP synchronization fails if the router does not have a route to the NTP server; verify connectivity.
  • The logging trap level controls which severity messages are sent; 'critical' only sends levels 0-2.
A.Configure 'ntp source Vlan100' and 'logging trap debugging'.
B.Configure 'ntp server 192.0.2.10' and 'logging trap 7'.
C.Configure 'ntp source Vlan100' and 'logging trap warnings'.
D.Configure 'ntp update-calendar' and 'logging trap informational'.
AnswerA
solution
! R1
ntp source Vlan100
logging trap debugging

Why this answer

The NTP client is not synchronizing because there is no source interface specified; the NTP packets may be sourced from an unexpected interface and the server may ignore them. The solution is to configure 'ntp source Vlan100' to ensure NTP packets use the correct source IP. Additionally, the syslog trap level is set to 'critical', which filters out messages with severity lower than critical (like warnings, errors, etc.).

The NOC requires all messages up to debug level; therefore, change the logging trap level to 'debugging' with 'logging trap debugging'.

Exam trap

Do not confuse the NTP server command with the source interface command. The server command specifies the server, but the source interface ensures the correct source IP. For syslog, remember that 'debugging' is the keyword for the lowest severity level; using 'warnings' or 'informational' will exclude debug messages.

Why the other options are wrong

B

The specific factual error: 'logging trap 7' is not a valid Cisco IOS command; the correct command uses the keyword 'debugging'. Also, the NTP server command alone does not fix the source interface issue.

C

The specific factual error: 'logging trap warnings' only sends messages with severity 0-4, missing severity 5-7 (notifications, informational, debug).

D

The specific factual error: 'ntp update-calendar' is not needed for NTP synchronization; the source interface is the key missing piece. 'logging trap informational' does not include debug messages.

257
PBQhard

You are connected to R1 via the console. Configure OSPFv2 on R1 and R2 to establish a single-area OSPF adjacency in area 0. The link between R1 (G0/0) and R2 (G0/0) uses 10.0.0.0/30, and both routers must use an MTU of 1500. The current configuration has mismatched hello/dead timers and an area mismatch, preventing adjacency. Fix all issues so that R1 and R2 become fully adjacent.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/30linkR1R2

Hints

  • Check the OSPF area configured under the network statement on R1.
  • Compare the hello and dead intervals on both routers; they must match.
  • After fixing area and timers, verify the adjacency with show ip ospf neighbor.
A.On R1, change the network statement to area 0 and set the hello interval to 5 under interface G0/0.
B.On R2, change the network statement to area 1 and set the hello interval to 10 under interface G0/0.
C.On R1, change the network statement to area 0 and set the MTU to 1500 under interface G0/0.
D.On R2, change the network statement to area 0 and set the dead interval to 40 under interface G0/0.
AnswerA
solution
! R1
configure terminal
router ospf 1
no network 10.0.0.0 0.0.0.3 area 1
network 10.0.0.0 0.0.0.3 area 0
exit
interface GigabitEthernet0/0
ip ospf hello-interval 5
end

Why this answer

The adjacency fails because of two mismatches: the OSPF area on R1 is area 1 while R2 uses area 0, and the hello/dead timers differ (R1: 10/40, R2: 5/20). To fix, on R1 change the network statement to area 0 and adjust the hello interval to 5 (which also automatically sets dead to 20). Option B is wrong because it places the adjacency in area 1 (not area 0) and does not fix the timer mismatch on R2.

Option C is wrong because it does not address the hello/dead timer mismatch; the MTU is already correct at 1500. Option D is wrong because it leaves the hello interval mismatched (10 vs 5) and alters the dead interval unnecessarily; the dead interval is automatically derived from the hello interval.

Exam trap

Watch out for multiple mismatches: area ID and timers. Do not assume MTU is the issue when it is explicitly stated as matching. Also remember that changing the hello interval automatically adjusts the dead interval (4x hello).

Why the other options are wrong

B

This places the adjacency in area 1, not area 0 as required, and does not fix the timer mismatch on R2.

C

This does not fix the hello/dead timer mismatch; MTU is already matching at 1500.

D

This leaves the hello interval mismatched (10 vs 5) and alters the dead interval unnecessarily; R2 needs hello interval set to 5, not dead interval.

258
Drag & Dropmedium

Drag and drop the following steps into the correct order to describe the encapsulation of data as it passes down the TCP/IP stack for transmission.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The encapsulation process starts with the application layer generating data. The transport layer packages data into segments (TCP) or datagrams (UDP). The network layer adds an IP header, creating a packet.

The data link layer adds a frame header and trailer (frame). Finally, the physical layer converts the frame into bits for transmission.

259
PBQhard

You are troubleshooting connectivity from R1 to the 203.0.113.0/24 network. R1 is a multilayer switch running routed ports. Currently, R1 has two paths to reach that network: one via R2 (192.0.2.2) and one via R3 (198.51.100.2). The path via R2 is preferred, but after a link failure between R1 and R2, traffic should automatically fail over to the R3 path. However, after the failure, traffic is still being sent to R2. Examine the routing table and configuration, then fix the issue so that the floating static route takes over correctly when the primary route is lost.

Hints

  • The primary static route does not have an exit interface specified, so it relies on recursive lookup. When the next-hop becomes unreachable, the route may still be present if there is another route to the next-hop.
  • Check if the static route is using the 'permanent' keyword (not shown in config, but possible).
  • To make the route interface-dependent, specify the exit interface in the static route command.
A.Replace the primary static route with one that uses an exit interface: ip route 203.0.113.0 255.255.255.0 GigabitEthernet1/0/1 192.0.2.2
B.Increase the administrative distance of the floating static route to 255
C.Add the permanent keyword to the floating static route
D.Change the administrative distance of the primary static route to 200 and the floating static route to 1
AnswerA
solution
! R1
no ip route 203.0.113.0 255.255.255.0 192.0.2.2
ip route 203.0.113.0 255.255.255.0 GigabitEthernet1/0/1 192.0.2.2

Why this answer

The issue is that the primary static route to 203.0.113.0/24 via 192.0.2.2 has an administrative distance of 1 (default), and the backup floating static route via 198.51.100.2 has an AD of 200. When the next-hop interface (Gi1/0/1) goes down, the route via 192.0.2.2 should be removed from the routing table because its next-hop is unreachable. However, the show output indicates that the route remains, which suggests that the static route is configured with the 'permanent' keyword or that the next-hop is still considered reachable via some other mechanism (e.g., a recursive lookup to a still-active route).

In this case, the most common fix is to add the 'track' option or to remove the static route and re-add it without the 'permanent' keyword, or to ensure that the static route uses an interface instead of just an IP address. The correct solution is to replace the primary static route with one that uses an exit interface, so that the route is automatically removed when the interface goes down. For example: 'ip route 203.0.113.0 255.255.255.0 GigabitEthernet1/0/1 192.0.2.2'.

This causes the route to be directly dependent on the interface state.

Exam trap

Be careful: static routes with only a next-hop IP address may remain in the routing table if the next-hop is still reachable via a recursive route. Always consider using an exit interface or a track object to ensure proper failover. Also, the 'permanent' keyword prevents route removal even if the next-hop is unreachable.

Why the other options are wrong

B

The specific factual error: An administrative distance of 255 is reserved for routes that are not considered valid; they are not installed in the routing table.

C

The specific factual error: The permanent keyword forces the route to stay in the routing table regardless of reachability, which is the opposite of what is needed.

D

The specific factual error: The AD values determine route preference; swapping them changes which route is preferred but does not address the removal of the route when the next-hop is unreachable.

260
MCQhard

A host address is 192.168.22.145/28. Which subnet contains that host?

A.192.168.22.128/28
B.192.168.22.144/28
C.192.168.22.160/28
D.192.168.22.148/28
AnswerB

This is correct because .145 falls within the .144 through .159 block.

Why this answer

A /28 prefix creates address blocks of 16. In practical terms, the fourth-octet ranges are 0–15, 16–31, 32–47, and so on. Because 145 falls inside the 144–159 range, the network address of the containing subnet is 192.168.22.144/28.

This type of question checks whether you can move from prefix length to block size and then place a host into the correct interval. The common mistake is choosing a nearby familiar number instead of calculating the actual block boundary.

Exam trap

Avoid assuming a host belongs to a subnet without calculating the exact range. Always verify the block size and boundaries.

Why the other options are wrong

A

The subnet 192.168.22.128/28 includes addresses 192.168.22.128 to 192.168.22.143. The host address 192.168.22.145 is outside this range, so it does not belong to this subnet.

C

The subnet 192.168.22.160/28 includes addresses 192.168.22.160 to 192.168.22.175. The host address 192.168.22.145 is below this range, so it cannot be in this subnet.

D

The subnet 192.168.22.148/28 is not a valid subnet because the network address must be a multiple of the subnet size (16). Valid network addresses for /28 are 0, 16, 32, 48, etc. 148 is not a multiple of 16, so this is not a valid subnet.

261
MCQhard

A host is configured with 10.10.10.130/25. What is the network address of its subnet?

A.10.10.10.0
B.10.10.10.64
C.10.10.10.128
D.10.10.10.255
AnswerC

This is correct because .130 falls in the upper /25 block starting at .128.

Why this answer

A /25 divides the address space into two blocks of 128 addresses. In plain language, the ranges are 0–127 and 128–255. Since the host ends in 130, it belongs to the 128–255 half. That means the network address is 10.10.10.128.

This is a common subnet-boundary question because it tests whether you can map a host address into the correct prefix block quickly and confidently.

Exam trap

Be careful not to confuse the subnet mask with /24 or mistake the broadcast address for the network address.

Why the other options are wrong

A

10.10.10.0 is the network address of the 10.10.10.0/25 subnet (range 0-127), but the host IP 10.10.10.130 is not in that range. The /25 mask creates two subnets: 10.10.10.0/25 and 10.10.10.128/25, and .130 belongs to the latter.

B

10.10.10.64 is not a valid network address for any /25 subnet derived from 10.10.10.0/24. A /25 subnet has a block size of 128, so the network addresses are multiples of 128: 0 and 128. 64 is a multiple of 64, which would be a /26 boundary, not /25.

D

10.10.10.255 is the broadcast address for the 10.10.10.128/25 subnet, not the network address. The broadcast address is the last address in the subnet (all host bits set to 1), while the network address is the first address (all host bits set to 0).

262
MCQmedium

What is a northbound API in a controller-based network architecture?

A.An interface used by the controller to program forwarding tables on switches
B.An interface used by applications to communicate with the controller
C.A dedicated out-of-band management port on the controller
D.A wireless uplink between access points and the controller
AnswerB

Correct. Northbound means application-to-controller communication.

Why this answer

Northbound APIs allow external applications, dashboards, and automation tools to interact with the controller. Southbound APIs are used by the controller to communicate with the network devices it manages.

Exam trap

Confusing northbound and southbound APIs is a common pitfall. Northbound APIs enable applications to communicate with the controller, while southbound APIs allow the controller to program network devices like switches and routers. Selecting an option that describes device programming or physical ports misses the architectural directionality of these APIs.

Why the other options are wrong

A

Incorrect because programming forwarding tables on switches is a southbound API function, not northbound.

C

Incorrect because a physical management port does not define API direction and is unrelated to northbound or southbound APIs.

D

Incorrect because wireless uplinks are physical connections and do not represent API communication directions.

263
MCQhard

A client can join a corporate SSID and authenticate successfully, but it consistently loses connectivity when moving between floors. Which area is most strongly suggested for deeper investigation?

A.Roaming and RF behavior between AP coverage areas
B.Whether the SSID is visible at all
C.Whether the host has a BGP autonomous system number
D.Whether the switch uses a smaller wildcard mask
AnswerA

This is correct because the failure occurs during movement rather than initial join.

Why this answer

The strongest area for deeper investigation is wireless mobility and RF behavior between the AP coverage areas involved. In practical terms, the client can already authenticate and use the WLAN initially, so the issue is more likely tied to movement, signal transition, channel behavior, or roaming-related operation rather than basic SSID existence or initial authentication alone.

This is a mobility-troubleshooting question, not a simple association problem.

Exam trap

A common exam trap is assuming that connectivity loss during movement is caused by SSID visibility or initial authentication failure. Since the client can join and authenticate successfully, the problem is not with the SSID broadcast or basic network access. Another tempting mistake is to consider unrelated network configurations such as BGP autonomous system numbers or ACL wildcard masks, which do not affect wireless roaming.

The key is to focus on roaming and RF behavior between AP coverage areas, as these directly impact client mobility and session continuity in a wireless environment.

Why the other options are wrong

B

Incorrect because the client already successfully joins and authenticates to the SSID, so SSID visibility is not the issue.

C

Incorrect because BGP autonomous system numbers relate to routing protocols and have no impact on wireless client roaming or connectivity.

D

Incorrect because ACL wildcard masks affect packet filtering rules and do not influence wireless roaming or client mobility between access points.

264
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure OSPFv3 for IPv6 on a Cisco IOS-XE router.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

To configure OSPFv3 for IPv6, first enable IPv6 routing globally with 'ipv6 unicast-routing'. Next, enter OSPFv3 configuration mode using 'router ospfv3 1' to set process parameters. Then, apply OSPFv3 on each interface with 'ipv6 ospf <process-id> area <area-id>'.

Finally, verify adjacencies with 'show ipv6 ospf neighbor'.

Exam trap

Many learners assume OSPFv3 configuration is identical to OSPFv2; while the 'router ospfv3' command is valid and often needed for router-id assignment, the primary interface-level command 'ipv6 ospf area' is where adjacency parameters are applied.

265
Multi-Selectmedium

Which three of the following are characteristics of DHCP snooping? (Choose three.)

Select 3 answers
.It filters untrusted DHCP messages on trusted ports.
.It builds and maintains a DHCP snooping binding database.
.It prevents DHCP starvation attacks by rate-limiting DHCP messages.
.It allows DHCP server messages from untrusted ports if the source MAC matches.
.It can validate DHCP client MAC addresses against the source MAC in the Ethernet frame.
.It automatically enables IP source guard when configured globally.

Why this answer

DHCP snooping is a security feature that filters untrusted DHCP messages and builds a DHCP snooping binding database to track valid IP-to-MAC address assignments. It prevents DHCP starvation attacks by rate-limiting DHCP messages on untrusted ports, and it validates DHCP client MAC addresses against the source MAC in the Ethernet frame to prevent MAC spoofing. These three functions directly correspond to the correct answer options.

Exam trap

Cisco often tests the distinction between trusted and untrusted ports, leading candidates to incorrectly assume that DHCP snooping filters messages on trusted ports or allows server messages from untrusted ports under certain conditions.

266
Multi-Selectmedium

Which two functions are commonly handled by a wireless LAN controller in a controller-based deployment? (Choose two.)

Select 2 answers
A.Centralized management of lightweight APs
B.Per-host DHCP address assignment on every WLAN
C.Policy enforcement for SSIDs and WLAN settings
D.Providing STP root bridge election for the campus
E.Replacing all Layer 2 switching functions in the access layer
AnswersA, C

Correct. Centralized AP management is a core controller role.

Why this answer

Wireless LAN controllers commonly centralize AP management and apply WLAN policies consistently across access points. They do not replace every switching or DHCP function in the network.

Exam trap

Don't confuse the roles of network devices; WLAN controllers manage APs and policies, not routing or DHCP.

Why the other options are wrong

B

DHCP address assignment is typically handled by dedicated DHCP servers or routers, not by the WLC. While the WLC can act as a DHCP relay or integrate with DHCP, it does not assign per-host addresses as a core function for every WLAN.

D

STP root bridge election is a Layer 2 switching function performed by switches in the campus network, not by a WLC. The WLC operates at higher layers and does not participate in STP processes.

E

The WLC does not replace Layer 2 switching functions; it focuses on wireless control and management. Switches still handle VLANs, STP, and forwarding in the access layer, while the WLC manages APs and wireless traffic.

267
Multi-Selectmedium

Which three of the following are key benefits of integrating AI into network operations? (Choose three.)

Select 3 answers
.Automated detection and correlation of anomalies across the network
.Real-time traffic classification and policy enforcement using machine learning models
.Predictive maintenance by analyzing historical performance data to forecast failures
.Complete elimination of the need for human network administrators
.Guaranteed 100% network uptime through self-healing algorithms
.Automatic reconfiguration of physical cabling without manual intervention

Why this answer

The three correct answers highlight practical AI benefits: anomaly detection correlates diverse telemetry (NetFlow, SNMP) to identify issues faster; real-time traffic classification uses ML models for dynamic policy enforcement without manual rule updates; predictive maintenance analyzes historical data to forecast failures, enabling proactive intervention. The wrong options are unrealistic: AI cannot eliminate all human administrators (complex troubleshooting still needs humans), cannot guarantee 100% uptime (failures still occur), and cannot automatically reconfigure physical cabling (that requires physical access).

Exam trap

Cisco often tests the distinction between AI as an augmentation tool versus a replacement for human administrators, and the trap here is assuming AI can guarantee 100% uptime or eliminate all manual tasks, which contradicts real-world network reliability principles.

268
Matchingmedium

Drag and drop the EtherChannel commands and concepts on the left to the correct descriptions on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Enables LACP active negotiation to form EtherChannel

Enables LACP passive negotiation (waits for active side)

Enables PAgP desirable mode to actively negotiate EtherChannel

Displays port-channel interface status and member ports

Creates and enters the logical EtherChannel interface

Sets LACP heartbeat interval to 1 second instead of default 30 seconds

Why these pairings

EtherChannel modes: active/passive for LACP, desirable/auto for PAgP, on for static, and interface port-channel creates the logical interface.

Exam trap

Do not confuse LACP modes (active/passive) with PAgP modes (desirable/auto) or static mode (on).

269
MCQhard

A network administrator configured dynamic NAT on a Cisco router to allow internal hosts to access the internet. After the configuration, users report that they can access some websites but not others. The administrator checks the router and discovers that the NAT translation table is full, and new connection attempts are being dropped. What is the most likely cause of this issue?

A.The inside local addresses are not properly defined in the access list.
B.The NAT pool is exhausted; configure PAT to allow multiple hosts to share a single public IP.
C.The outside interface is not configured with the ip nat outside command.
D.The inside interface is not configured with the ip nat inside command.
AnswerB

The pool has only 10 addresses, and once all are used, new translations fail. PAT allows many internal hosts to share a single public IP by using unique port numbers.

Why this answer

When the NAT pool is exhausted, no new translations can be created, so only hosts that already have established translations can continue to communicate, causing intermittent connectivity. A full NAT table means the pool of public IP addresses is completely allocated, preventing new sessions. Implementing PAT allows multiple inside hosts to share a single public IP by multiplexing port numbers, resolving the pool exhaustion.

Exam trap

Cisco often tests the distinction between dynamic NAT (one-to-one pool) and PAT (many-to-one), leading candidates to overlook pool exhaustion when symptoms show partial connectivity rather than total failure.

Why the other options are wrong

A

The access list is used to define which inside local addresses are eligible for NAT. If the access list were misconfigured, the router would not create translations for those hosts. However, the scenario states that translations are present, indicating that the access list is correctly matching the internal hosts.

C

If the outside interface were missing the 'ip nat outside' command, the router would not perform NAT on outbound traffic at all, resulting in no translations being created. Since translations are present, this command is correctly configured.

D

Similar to option C, if the inside interface were missing the 'ip nat inside' command, no translations would be created. The presence of translations indicates that the inside interface is correctly configured.

270
MCQmedium

A router learns 10.10.10.0/24 from OSPF and EIGRP at the same time. OSPF reports a metric of 20, and EIGRP reports a metric of 30720. Which route is installed in the routing table by default?

A.The OSPF route, because 20 is lower than 30720
B.The EIGRP route, because its administrative distance is lower
C.Both routes, because they point to the same prefix
D.Neither route, because the metrics are not comparable
AnswerB

Correct. EIGRP wins because its default administrative distance is lower than OSPF.

Why this answer

When the same prefix is learned from different routing protocols, the router compares administrative distance first. EIGRP internal routes use AD 90, while OSPF uses AD 110, so the EIGRP route is preferred.

Exam trap

Remember, administrative distance is the first criterion for route selection between different protocols, not the metric.

Why the other options are wrong

A

Metrics from different routing protocols are not comparable because each protocol uses its own metric calculation (e.g., OSPF uses cost based on bandwidth, EIGRP uses composite metric based on bandwidth and delay). The router uses administrative distance to choose between routes from different protocols, not metric values.

C

A router installs only the best route to a destination in the routing table, unless equal-cost load balancing is configured. Since OSPF and EIGRP have different administrative distances, only the route with the lower AD is installed. Both routes cannot be installed simultaneously for the same prefix.

D

The router does compare routes from different protocols using administrative distance, not metrics. Since the metrics are from different protocols, they are not directly comparable, but the router still selects one route based on AD. Therefore, one route will be installed.

271
Matchingmedium

Match each Ethernet or switching term to its most accurate description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Layer 2 hardware-style address used for local delivery

Layer 2 protocol data unit on Ethernet

Device that learns MAC addresses and forwards local traffic

Traffic sent to all devices in the local broadcast domain

Why these pairings

A MAC address is a Layer 2 hardware identifier burned into each NIC, used for local frame delivery. A frame is the Layer 2 PDU that encapsulates data for Ethernet transmission. A switch learns MAC addresses by examining source addresses and forwards frames based on destination MACs, enabling local traffic isolation.

A broadcast frame is sent to the broadcast MAC address (FF:FF:FF:FF:FF:FF) and is received by all devices within the same broadcast domain.

Exam trap

Be careful not to confuse MAC addresses with other Layer 2 terms like VLANs, trunks, or STP. Each term has a specific definition; MAC addresses are hardware identifiers, not logical groupings or protocols.

272
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure RSTP and enable PortFast with BPDU Guard on a switch port, then verify the state transitions.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

Correct order: First configure RSTP globally because interface commands like PortFast and BPDU Guard depend on the spanning-tree mode being set. Next enable PortFast on the interface to immediately transition to forwarding. Then enable BPDU Guard as a protective feature for PortFast ports.

Finally verify state transitions. Other orders are incorrect: enabling PortFast or BPDU Guard before setting RSTP mode may cause the commands to be rejected or not take effect; enabling BPDU Guard before PortFast is not typical because BPDU Guard is designed to protect PortFast ports.

Exam trap

The exam trap is that candidates often confuse the order of configuration steps. They may enable PortFast or BPDU Guard before setting the global spanning-tree mode, or they may enable BPDU Guard before PortFast. Remember that global configurations come first, then interface-specific features, and BPDU Guard is typically enabled after PortFast.

273
MCQmedium

A switchport is configured as an access port for VLAN 20, but users connected to it cannot reach the default gateway. The switch shows the interface as up/up. Which switch misconfiguration is the most likely cause?

A.The access port is missing a speed command
B.VLAN 20 has not been created on the switch
C.The switch has not enabled VTP transparent mode
D.The port should use DTP desirable mode
AnswerB

Correct choice.

Why this answer

If the access port is assigned to VLAN 20 but VLAN 20 does not exist in the VLAN database, traffic is not placed into a usable VLAN and hosts lose connectivity. The port can still appear physically up while forwarding fails at Layer 2.

Exam trap

A common exam trap is assuming that an interface showing up/up means the port is fully functional and correctly forwarding traffic. Candidates may overlook the necessity of creating the VLAN in the switch’s VLAN database. Without VLAN 20 existing, the switch cannot forward traffic for that VLAN, even though the physical link is active.

This leads to confusion because the interface status does not reflect VLAN misconfiguration, causing users to lose connectivity to the default gateway despite the port appearing operational.

Why the other options are wrong

A

The absence of a speed command on the access port does not prevent VLAN forwarding or connectivity to the default gateway. Speed settings affect physical link parameters but not VLAN membership or Layer 2 forwarding.

C

VTP transparent mode controls VLAN propagation between switches but does not affect whether a VLAN exists locally. Missing VLANs must be created manually regardless of VTP mode.

D

DTP desirable mode is used to negotiate trunk links and is irrelevant for access ports, which do not trunk and only carry untagged frames for a single VLAN.

274
PBQhard

You are connected to R1. Configure AAA with RADIUS server at 192.0.2.10 (key = Cisco123) so that console login uses local authentication as fallback. Then troubleshoot why a host connected to R1's GigabitEthernet0/1 (802.1X enabled) remains in unauthorized state. The RADIUS server is reachable. Fix the issue so the port authorizes successfully.

Hints

  • The RADIUS server is configured, but the AAA group 'radius' is not defined.
  • Check the 'aaa authentication login default' command — it references a group that doesn't exist.
  • Use 'aaa group server radius' to create a group and associate the RADIUS server.
A.The RADIUS server is not defined in a AAA group; create 'aaa group server radius RAD_GROUP' and 'server name RADIUS_SERVER', then update the login default to reference the group.
B.The RADIUS server key is incorrect; change the key to match the server's configuration.
C.The 802.1X port is not enabled; enable 'dot1x port-control auto' on GigabitEthernet0/1.
D.The RADIUS server is not reachable; check IP connectivity and firewall rules.
AnswerA
solution
! R1
configure terminal
aaa group server radius RAD_GROUP
server name RADIUS_SERVER
exit
aaa authentication login default group RAD_GROUP local
end

Why this answer

The RADIUS server is reachable but not properly referenced in a AAA group. The 'aaa authentication login default group radius local' command uses the default group 'radius', which must be explicitly defined with 'aaa group server radius' and associated with the RADIUS server. Without this group, the router cannot send authentication requests to the server, keeping the port unauthorized.

The fix is to create a AAA group for RADIUS, add the server to it, and update the login default to reference that group.

Exam trap

Trap: Candidates assume that 'group radius' in the authentication command automatically works without defining the group. Remember that 'radius' is a default group name that must be explicitly created with the 'aaa group server radius' command. Also, do not confuse reachability with configuration; the server may be reachable but not properly referenced.

Why the other options are wrong

B

The specific factual error: The key is already correct as per the scenario; the problem is the missing AAA group definition.

C

The specific factual error: The port already has 802.1X enabled, so re-enabling it does not fix the authentication failure.

D

The specific factual error: The server is reachable, so connectivity is not the problem.

275
Drag & Dropmedium

Drag and drop the following steps into the correct order to isolate CRC errors, duplex mismatches, and flapping on a Cisco IOS-XE interface.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

First enter configuration mode, then enable debugs to capture errors, monitor logs, analyze the data, and finally apply fixes and verify.

Exam trap

Do not confuse the order of enabling debugs and monitoring logs. Debuffs must be enabled before you can monitor the debug output. Also, configuration mode is typically entered first to set up logging parameters or debug conditions.

276
PBQhard

You are connected to R1. The network consists of three routers: R1, R2, and R3. R1's G0/0 connects to R2 (10.0.0.0/30), and R1's G0/1 connects to R3 (10.0.1.0/30). A server at 203.0.113.100 on R2's LAN must be reachable from R3's LAN (203.0.113.0/24) via ICMP, but all other traffic from R3 to R2 must be blocked. The current ACL on R1 is too permissive, allowing all traffic. Configure and apply a standard ACL to permit only ICMP echo requests from R3 to the server, with the implicit deny blocking everything else.

Network Topology
G0/110.0.1.2/30G0/010.0.0.1/3010.0.1.0/30G0/010.0.0.1/30G0/010.0.0.2/3010.0.0.0/30G0/010.0.0.2/30R3R1 (G0/1 10.0.1.1/30)R2Server

Hints

  • Standard ACLs cannot filter by protocol; use an extended ACL number (100-199 or 2000-2699).
  • Apply the ACL inbound on the interface closest to the source (R3) to filter traffic early.
  • The current ACL is applied inbound on G0/0, which faces R2; it should be removed and replaced with a new ACL on G0/1.
A.Remove ACL 10 from G0/0, delete ACL 10, then configure extended ACL 100 with 'permit icmp 203.0.113.0 0.0.0.255 host 203.0.113.100 echo' and apply it inbound on G0/1.
B.Remove ACL 10 from G0/0, delete ACL 10, then configure standard ACL 10 with 'permit 203.0.113.0 0.0.0.255' and apply it inbound on G0/1.
C.Remove ACL 10 from G0/0, delete ACL 10, then configure extended ACL 100 with 'permit icmp host 203.0.113.100 203.0.113.0 0.0.0.255 echo' and apply it inbound on G0/0.
D.Keep the existing ACL 10 applied inbound on G0/0, but add an extended ACL 100 with 'permit icmp 203.0.113.0 0.0.0.255 host 203.0.113.100 echo' applied inbound on G0/1.
AnswerA
solution
! R1
configure terminal
interface GigabitEthernet0/0
no ip access-group 10 in
exit
no access-list 10
access-list 100 permit icmp 203.0.113.0 0.0.0.255 host 203.0.113.100 echo
interface GigabitEthernet0/1
ip access-group 100 in

Why this answer

The current ACL 10 permits all traffic inbound on G0/0, which is too permissive. The requirement is to allow only ICMP echo requests from R3's LAN (source 203.0.113.0/24) to the server at 203.0.113.100. A standard ACL uses source IP only.

First, remove the existing ACL from the interface with 'no ip access-group 10 in' on G0/0. Then delete ACL 10 with 'no access-list 10'. Create a new standard ACL that permits ICMP echo requests; since standard ACLs cannot filter by protocol, we must use an extended ACL.

So we configure an extended ACL (e.g., 100) with 'permit icmp 203.0.113.0 0.0.0.255 host 203.0.113.100 echo' and apply it inbound on G0/1 (the interface facing R3) to filter traffic before it enters R1. The implicit deny will block all other traffic from R3 to R2.

Exam trap

The key trap is that standard ACLs cannot filter by protocol; you must use an extended ACL for ICMP. Also, remember that ACLs are applied per interface and direction; removing the old permissive ACL is essential. Applying the ACL on the wrong interface or with reversed source/destination are common mistakes.

Why the other options are wrong

B

The specific factual error is that standard ACLs cannot filter by protocol (ICMP). They only match source IP addresses.

C

The specific factual error is that the ACL statement has the source and destination swapped, and it is applied on the wrong interface (G0/0 instead of G0/1).

D

The specific factual error is that the existing ACL 10 is too permissive and is applied on the wrong interface (G0/0 inbound) to filter traffic from R3 to R2. It must be removed to enforce the new restrictions.

277
PBQmedium

You are connected to R1 via the console. R1 connects two networks: GigabitEthernet0/0 (192.168.1.1/24) and GigabitEthernet0/1 (192.168.2.1/24). Create an extended ACL named BLOCK_HTTP that denies HTTP traffic (tcp port 80) from the 192.168.1.0/24 network to the 192.168.2.0/24 network, but permits all other IP traffic. Apply this ACL inbound on GigabitEthernet0/0.

Network Topology
G0/0192.168.1.1/24G0/1192.168.2.1/24HostsLAN AR1LAN BWeb servers

Hints

  • Use the 'ip access-list extended' command to create a named ACL.
  • The deny statement must specify source, destination, and protocol.
  • Apply the ACL to the interface where traffic enters.
A.ip access-list extended BLOCK_HTTP deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 80 permit ip any any interface GigabitEthernet0/0 ip access-group BLOCK_HTTP in
B.ip access-list extended BLOCK_HTTP deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 80 permit ip any any interface GigabitEthernet0/1 ip access-group BLOCK_HTTP in
C.ip access-list extended BLOCK_HTTP deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 80 permit ip any any interface GigabitEthernet0/0 ip access-group BLOCK_HTTP out
D.ip access-list extended BLOCK_HTTP deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 80 permit ip any any interface GigabitEthernet0/0 ip access-group BLOCK_HTTP in interface GigabitEthernet0/1 ip access-group BLOCK_HTTP in
AnswerA
solution
! R1
ip access-list extended BLOCK_HTTP
deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 80
permit ip any any
interface GigabitEthernet0/0
ip access-group BLOCK_HTTP in

Why this answer

The named extended ACL BLOCK_HTTP denies TCP port 80 from 192.168.1.0/24 to 192.168.2.0/24, then permits all other traffic. Applying it inbound on G0/0 filters traffic from LAN A before routing.

Exam trap

Pay close attention to the interface and direction specified in the question. Inbound ACLs filter traffic entering the interface, while outbound ACLs filter traffic leaving. Also, ensure the ACL is applied only on the required interface.

Why the other options are wrong

B

The ACL is applied on the wrong interface; it should be applied inbound on G0/0, not G0/1.

C

The ACL is applied in the wrong direction; it should be inbound, not outbound.

D

The ACL is applied on an extra interface (G0/1) that is not required, which may block legitimate traffic.

278
MCQhard

R1 has the following routes installed: O 10.10.10.0/24 via 192.0.2.2 S 10.10.10.128/25 via 198.51.100.2 S* 0.0.0.0/0 via 203.0.113.1 A packet destined for 10.10.10.200 arrives at R1. Which route is used?

A.The OSPF route to 10.10.10.0/24 via 192.0.2.2
B.The static route to 10.10.10.128/25 via 198.51.100.2
C.The default route via 203.0.113.1
D.The packet is dropped because OSPF routes cannot overlap with static routes.
AnswerB

Longest prefix match makes the /25 win.

Why this answer

Routers forward using longest prefix match first. Even though the OSPF /24 exists, the static /25 is more specific and covers 10.10.10.200, so the packet is sent via 198.51.100.2. The default route is used only when nothing more specific matches.

Exam trap

A common exam trap is assuming that the router will always prefer OSPF routes over static routes because OSPF is a dynamic routing protocol. Candidates may also mistakenly believe that overlapping routes are invalid or cause routing conflicts. In reality, Cisco routers allow overlapping routes and use the longest prefix match rule first, regardless of the routing protocol or administrative distance.

This leads to confusion when a static route with a longer prefix exists alongside an OSPF route with a shorter prefix. Misunderstanding this can cause incorrect answers about which route will be used for forwarding packets.

Why the other options are wrong

A

The OSPF route to 10.10.10.0/24 matches the destination IP but has a shorter prefix length (/24) than the static route (/25). Since longest prefix match is the primary rule, this route is not used.

C

The default route 0.0.0.0/0 is the least specific and is only used when no other route matches the destination IP. Since more specific routes exist, the default route is not selected.

D

It is incorrect that packets are dropped due to overlapping routes. Cisco routers allow overlapping static and OSPF routes and forward packets based on the most specific prefix match, so the packet is not dropped.

279
MCQhard

A security team wants device administrators to log in with individual named accounts instead of sharing one generic admin account. Which security objective does that most directly improve?

A.Accountability for administrative actions
B.Automatic VLAN assignment for management traffic
C.Route summarization efficiency
D.Wireless roaming performance
AnswerA

This is correct because individual accounts make it easier to tie actions to specific administrators.

Why this answer

It most directly improves accountability. In practical terms, when each administrator has an individual account, the organization can tie actions to specific people rather than to one shared identity. That makes investigation, auditing, and operational review much more meaningful.

This also supports better access-control hygiene overall, but the clearest direct benefit is being able to identify who actually performed an administrative action.

Exam trap

A frequent exam trap is selecting options unrelated to user identity and accountability, such as VLAN assignment or routing efficiency, because they sound like valid network improvements. However, these options do not address the core security goal of tracking who performed administrative actions. Candidates might also confuse accountability with performance or configuration optimization objectives, which are important but distinct.

The key is to focus on the security principle that individual named accounts enable precise attribution of actions, which shared accounts cannot provide. This distinction is critical for Cisco’s security fundamentals domain and the CCNA exam.

Why the other options are wrong

B

Incorrect because automatic VLAN assignment for management traffic is unrelated to user identity or accountability; it concerns network segmentation, not administrative tracking.

C

Incorrect because route summarization efficiency deals with optimizing routing tables and has no connection to user account management or security accountability.

D

Incorrect because wireless roaming performance relates to client mobility and access point behavior, which does not involve administrative account design or accountability.

280
MCQhard

A router has a static default route with administrative distance 250 and also learns a default route through OSPF. What is the main design purpose of the static default route?

A.To serve as a backup default route if the OSPF default is lost.
B.To override the OSPF default route immediately.
C.To make the router ignore all default routes.
D.To turn the default route into a host route.
AnswerA

This is correct because the high administrative distance makes it a standby route.

Why this answer

The main purpose is to act as a backup route of last resort if the OSPF-learned default route disappears. In practical terms, the very high administrative distance keeps the static default out of the active table while the OSPF default is available. It remains in reserve only for failure conditions.

This is a classic floating-static-default design. It provides resilience without replacing the primary dynamic path.

Exam trap

A common exam trap is assuming that a static default route with a high administrative distance will override the OSPF default route immediately. Candidates might think the static route takes precedence because it is manually configured, but in reality, the administrative distance value controls route preference. Since 250 is much higher than OSPF’s 110, the static route remains inactive while OSPF’s route is available.

This misunderstanding can lead to incorrect answers about route selection and failover behavior in Cisco routing exams.

Why the other options are wrong

B

This option is incorrect because a static route with an administrative distance of 250 does not override the OSPF default route, which has a lower AD of 110. The high AD prevents immediate override.

C

This option is incorrect because the static default route does not cause the router to ignore all default routes. Instead, it remains as a backup and only becomes active if the OSPF route disappears.

D

This option is incorrect because administrative distance does not change the route prefix or convert a default route into a host route. It only influences route preference and selection.

281
MCQmedium

An administrator wants an access-layer interface to shut down immediately if another switch is connected accidentally. Which feature best meets that requirement?

A.Root Guard
B.PortFast
C.BPDU Guard
D.Loop Guard
AnswerC

Correct choice.

Why this answer

BPDU Guard is designed for edge ports. If the port receives a BPDU, the switch treats that as a sign that another switch has been connected and places the interface into an err-disabled state to protect the spanning-tree topology.

Exam trap

A frequent exam trap is selecting Root Guard or Loop Guard instead of BPDU Guard. Root Guard only blocks a port from becoming a root port but does not disable the port immediately upon receiving BPDUs. Loop Guard protects against unidirectional link failures by preventing a port from transitioning to forwarding when BPDUs are lost but does not shut down the port.

Candidates may also confuse PortFast as it is related to edge ports but it only speeds up STP convergence and does not disable ports. Understanding that BPDU Guard uniquely disables the port immediately upon receiving BPDUs on an edge port is essential to avoid this trap.

Why the other options are wrong

A

Root Guard prevents a port from becoming a root port by blocking superior BPDUs but does not shut down the port immediately. It is designed to maintain the root bridge position, not to disable ports upon accidental switch connections.

B

PortFast allows a port to transition quickly to the forwarding state, reducing STP convergence time. However, it does not disable the port if a BPDU is received, so it does not meet the requirement to shut down the port immediately.

D

Loop Guard prevents a port from transitioning to forwarding if BPDUs are lost, protecting against unidirectional link failures. It does not disable the port upon receiving BPDUs and therefore does not meet the requirement.

282
MCQmedium

A switch interface connects to a user PC and should belong only to VLAN 30. Which command assigns that VLAN after the interface is in access mode?

A.switchport access vlan 30
B.switchport trunk allowed vlan 30
C.encapsulation dot1Q 30
D.ip helper-address 30
AnswerA

This is correct because it assigns VLAN 30 to the access port.

Why this answer

After an interface is placed into access mode, the command used to assign its VLAN is `switchport access vlan 30`. In plain language, this tells the switch which VLAN the endpoint traffic on that access port belongs to. Access mode defines the role of the interface, and the access VLAN command defines the specific VLAN membership for that role.

This distinction matters because some commands change the port’s behavior while others set the VLAN it uses. The correct answer is the one that directly assigns VLAN 30 to the access port rather than modifying a trunk or a native VLAN setting.

Exam trap

Be careful not to confuse commands for trunk ports with those for access ports. Ensure you understand the difference between setting a port mode and assigning a VLAN.

Why the other options are wrong

B

The command 'switchport trunk allowed vlan 30' is used on trunk ports to specify which VLANs are allowed to traverse the trunk link. It does not assign a VLAN to an access port; instead, it filters VLANs on a trunk, which is not appropriate for a port connected to a single PC.

C

The command 'encapsulation dot1Q 30' is used on a router subinterface to enable 802.1Q trunking and specify the VLAN for that subinterface. It is not a valid command on a switch access port, and switch ports do not use encapsulation commands for VLAN assignment.

D

The command 'ip helper-address 30' is used to configure DHCP relay on a router or Layer 3 switch interface, forwarding DHCP broadcasts to a DHCP server. It has nothing to do with VLAN assignment on a switch port.

283
MCQhard

A router learns 10.0.0.0/8 from OSPF and 10.10.0.0/16 from a static route. Which route is used for traffic to 10.10.20.1?

A.The OSPF 10.0.0.0/8 route
B.The static 10.10.0.0/16 route
C.The default route if present
D.Neither route, because the networks overlap
AnswerB

This is correct because it is the more specific matching route.

Why this answer

The static /16 route is used because it is more specific than the OSPF /8 route. In practical terms, even though both routes match the destination, the router chooses the one that narrows the destination range more precisely. Since 10.10.20.1 belongs to 10.10.0.0/16, that entry wins.

This question reinforces that longest-prefix match comes first. The broader OSPF route still matters for other destinations inside 10.0.0.0/8, but not for this one.

Exam trap

A frequent mistake is to assume that the OSPF route will be used simply because it is dynamically learned, or because it covers a larger network range. Candidates often overlook that the router applies longest-prefix match first, which means the more specific static route with a /16 mask takes precedence over the broader /8 OSPF route. This misunderstanding leads to incorrect answers, as the router does not ignore static routes in favor of OSPF when the static route is more specific.

Remember, overlapping routes are common, and the router always chooses the route with the most specific subnet mask matching the destination.

Why the other options are wrong

A

The OSPF 10.0.0.0/8 route is less specific than the static 10.10.0.0/16 route. Since the router uses longest-prefix match, the broader /8 route is not selected for traffic destined to 10.10.20.1.

C

The default route would only be used if no more specific matching routes exist. Since both OSPF and static routes match, and the static route is more specific, the default route is not used here.

D

Overlapping networks are common in routing tables and do not prevent route selection. The router resolves overlapping prefixes by choosing the longest-prefix match, so this option is incorrect.

284
MCQhard

PCs in VLAN 30 on SwitchA cannot reach PCs in VLAN 30 on SwitchB. VLAN 30 exists on both switches and all other VLANs work across the same link. Based on the exhibit, what is the most likely cause?

A.VLAN 30 is not allowed on the trunk from SwitchA.
B.The native VLAN is mismatched.
C.The trunk must use ISL instead of 802.1Q.
D.VLAN 30 must be configured as the native VLAN.
AnswerA

This is correct because VLAN 30 is missing from SwitchA’s allowed list.

Why this answer

The trunk is up, but VLAN 30 is missing from the allowed list on SwitchA. In plain language, the hallway between the switches is open, but one side is refusing to carry that specific VLAN through the hallway. Since the other VLANs are working, the failure is selective rather than total. That strongly points to an allowed-VLAN problem rather than a broader trunk outage.

This is a classic CCNA switching scenario because it tests whether you can separate trunk health from per-VLAN forwarding. A trunk can be operational and still block one VLAN if that VLAN is not permitted on one side. The native VLAN and encapsulation are not the issue shown here — the mismatch in the allowed list is.

Exam trap

Be careful not to confuse general trunk issues with specific VLAN forwarding problems. Always check the allowed VLAN list when specific VLANs fail to pass.

Why the other options are wrong

B

The exhibit shows both switches have native VLAN 1 configured, so there is no mismatch. A native VLAN mismatch would cause all VLAN traffic to fail or be misdirected, not just a single VLAN.

C

Since other VLANs are working across the same trunk, the trunk encapsulation (802.1Q) is functioning correctly. Changing to ISL would not fix the issue and would break connectivity for all VLANs.

D

A VLAN does not need to be the native VLAN to traverse a trunk; native VLAN is only for untagged traffic. Making VLAN 30 the native VLAN would not solve the problem and could introduce other issues.

285
MCQmedium

Exhibit: A controller returns an authentication token after a successful API login. Why does the client include that token in later requests?

A.To replace the need for an IP address on the client
B.To prove identity and authorization on later API calls
C.To encrypt every packet at Layer 1
D.To change HTTP from a stateless protocol to a routing protocol
AnswerB

That is the normal purpose of a bearer or session token.

Why this answer

The token proves the client already authenticated and is authorized to use the API. It saves the client from resending credentials on every request and lets the server validate session or access scope.

Exam trap

A frequent exam trap is assuming that the authentication token replaces the client’s IP address or provides encryption at the physical layer. Some candidates mistakenly believe tokens function like network identifiers or encryption keys, but tokens solely serve as proof of identity and authorization within API sessions. This confusion can lead to selecting incorrect answers that describe unrelated network functions such as IP addressing or Layer 1 encryption.

Understanding that tokens are application-layer credentials, not network-layer or physical-layer features, is critical to avoid this trap.

Why the other options are wrong

A

Option A incorrectly suggests that tokens replace the need for an IP address on the client. IP addresses are fundamental for network communication and routing, and tokens do not substitute for them. This misunderstanding confuses network-layer addressing with application-layer authentication.

C

Option C incorrectly claims that tokens encrypt every packet at Layer 1. Tokens are not encryption mechanisms and do not operate at the physical layer. Encryption is handled by separate protocols such as TLS or IPsec.

D

Option D falsely asserts that tokens change HTTP from a stateless protocol to a routing protocol. HTTP remains stateless, and tokens enable session continuity without altering the protocol’s fundamental nature. Routing protocols are unrelated to token use.

286
MCQeasy

A user types www.example.com into a browser. Which service is used first to resolve that name into an IP address?

A.DHCP
B.DNS
C.NTP
D.Syslog
AnswerB

DNS resolves the hostname to an IP address.

Why this answer

DNS maps hostnames to IP addresses, which is the first step when a user enters a URL. DHCP assigns IP addresses, NTP synchronizes time, and Syslog handles logging—none of these services resolve domain names to IP addresses. The web session itself uses HTTP or HTTPS later, but name resolution happens first.

Exam trap

Don't confuse the role of DNS with HTTP, ARP, or DHCP. Remember, DNS is specifically for domain name resolution.

Why the other options are wrong

A

DHCP (Dynamic Host Configuration Protocol) assigns IP addresses, subnet masks, default gateways, and other network configuration parameters to clients. It does not perform name resolution; DNS is required for that.

C

NTP (Network Time Protocol) is used to synchronize clocks between network devices, not to resolve hostnames to IP addresses. It operates on UDP port 123 and has no role in DNS resolution.

D

Syslog is a protocol for logging system messages and events from network devices. It has no function in name resolution; it is used for monitoring and troubleshooting.

287
PBQhard

You are troubleshooting a client connectivity issue on PC1, which is connected to switch SW1. PC1 reports that it cannot access the internet, but it can ping its default gateway (192.168.1.1). The network uses VLAN 10 for the client subnet. Examine the following show outputs: On PC1, ipconfig shows IP 192.168.1.10, default gateway 192.168.1.1, DNS server 192.168.1.1. On SW1, show running-config includes 'interface Vlan10' with IP 192.168.1.1 255.255.255.0, but no 'ip dns server' and no 'ip name-server' commands. SW1's show ip route displays a default route via 203.0.113.1. Identify the root cause. Configure the necessary fix on the appropriate device to restore full connectivity.

Network Topology
G0/1G0/1203.0.113.1/30203.0.113.1/30PC1SW1RouterInternet

Hints

  • Check DNS configuration on the switch.
  • The PC's DNS server is likely the default gateway (switch).
  • The switch needs to be configured to forward DNS queries.
A.Configure 'ip dns server' and 'ip name-server 8.8.8.8' on SW1.
B.Configure 'ip default-gateway 192.168.1.1' on SW1.
C.Configure 'ip route 0.0.0.0 0.0.0.0 203.0.113.1' on SW1.
D.Configure 'ip domain-lookup' on SW1.
AnswerA
solution
! SW1
ip name-server 8.8.8.8

Why this answer

PC1 is configured with DNS server 192.168.1.1, which is the switch SW1. However, SW1 lacks DNS forwarding capability. To enable DNS relay on the switch, both the 'ip dns server' command (to activate the DNS forwarder) and 'ip name-server 8.8.8.8' (to point to an upstream resolver) are required.

Option A provides the necessary configuration to restore DNS resolution and internet connectivity.

Exam trap

Do not assume that internet connectivity issues are always routing problems. When a client can ping the gateway but cannot access websites, the issue is often DNS. Also, remember that 'ip name-server' configures DNS servers, while 'ip domain-lookup' only enables the DNS client feature.

Why the other options are wrong

B

A default gateway is needed only for management traffic from the switch itself, not for DNS forwarding; the switch already communicates with the router via its default route.

C

A static default route is already present and unrelated to DNS resolution; adding another route would not solve the name resolution failure.

D

The 'ip domain-lookup' command only enables the DNS client on the switch itself, not DNS forwarding for clients like PC1.

288
MCQhard

After securing a switch by running 'ip ssh version 2' and generating RSA keys with 'crypto key generate rsa modulus 1024', remote SSH connections fail with a 'key exchange error'. A check of the SSH client’s documentation reveals it requires a minimum 2048-bit RSA key for SSH version 2. What should the technician do next?

A.Verify IP connectivity between the client and the switch by issuing a ping from the client to the switch.
B.Check the SSH client configuration on the host to ensure it accepts 1024-bit keys.
C.Regenerate the RSA key pair on the switch with a 2048-bit modulus using the command 'crypto key generate rsa modulus 2048'.
D.Disable SSH version 2 on the switch and revert to SSH version 1, which does not enforce key length restrictions.
AnswerC

Regenerating the key pair with a higher modulus directly resolves the key-strength mismatch. The switch will then present a 2048-bit key during the SSH handshake, fixing the key exchange error. The existing 'ip ssh version 2' setting remains active after rekeying.

Why this answer

The 'key exchange error' occurs because the 1024-bit RSA key does not meet the client’s 2048-bit minimum requirement for SSH version 2. The immediate corrective step is to regenerate the RSA keys with a 2048-bit modulus using the 'crypto key generate rsa modulus 2048' command, which will produce a larger key pair while preserving the existing SSH version 2 configuration. This addresses the Layer 7 application misconfiguration directly.

Exam trap

Many candidates select verifying Layer 3 connectivity or testing the SSH client, but the error message and known client requirement clearly point to a key-strength mismatch, not a network reachability problem.

Why the other options are wrong

A

Assuming that a connection failure always starts at Layer 1 or 3, ignoring the specific error message that points to an application-layer mismatch.

B

Misplaced troubleshooting – attempting to relax security instead of fixing the server’s key size to meet the documented standard.

D

Drastic and insecure step that misdiagnoses the root cause; the issue is key size, not protocol version.

289
MCQhard

A router allows SSH management from anywhere on the internal network. A new policy requires that only the management subnet 10.50.50.0/24 be allowed to initiate SSH to the device. Which approach best enforces that requirement?

A.Restrict SSH access so only the 10.50.50.0/24 management subnet is permitted
B.Replace SSH with Telnet so the traffic is easier to identify
C.Enable PortFast on all access switches
D.Raise the Syslog severity threshold
AnswerA

This is correct because the policy is specifically about limiting management access by source.

Why this answer

The best approach is to use an access control mechanism that limits SSH access to the approved source subnet. In practical terms, SSH is the correct secure protocol, but protocol choice alone is not enough. The device should also restrict who is allowed to reach that management service. That usually means applying an ACL or equivalent source restriction focused on the management subnet.

This is a common management-plane security pattern: use a secure protocol, then limit the set of trusted sources that are allowed to use it.

Exam trap

A frequent exam trap is selecting an option that changes the management protocol, such as replacing SSH with Telnet, because it seems to simplify access control. However, Telnet is insecure as it transmits data in clear text, exposing credentials to interception. Another trap is choosing unrelated features like PortFast or syslog severity thresholds, which do not control access to management services.

Candidates may also overlook the need to apply an ACL to restrict source IPs, mistakenly believing that enabling SSH alone enforces the policy. This misunderstanding leads to incomplete security configurations that fail the requirement to limit SSH access to the management subnet.

Why the other options are wrong

B

Incorrect because replacing SSH with Telnet reduces security by transmitting data unencrypted, exposing credentials and management traffic to interception, which violates best practices and the policy’s intent to secure management access.

C

Incorrect because enabling PortFast affects Spanning Tree Protocol port states to speed up network convergence and does not provide any control over router management access or SSH session initiation.

D

Incorrect because raising the syslog severity threshold only changes the level of logged messages and does not restrict or control which hosts can initiate SSH connections to the router.

290
PBQhard

You are connected to SW1 via the console. The network uses Rapid-PVST+ and you need to ensure that SW1 becomes the root bridge for VLAN 10 and VLAN 20. Additionally, configure PortFast and BPDU Guard on interface GigabitEthernet0/1, which connects to a workstation. After configuration, the workstation is moved and the port goes err-disabled. Diagnose the cause and recover the port without reloading the switch.

Network Topology
Gi0/1Gi0/2SW1workstationother switch

Hints

  • Use 'spanning-tree vlan <vlan> priority <value>' to set root bridge priority (lower values are preferred).
  • A port in err-disabled due to BPDU Guard must be manually recovered with 'shutdown' and 'no shutdown' after removing the BPDU source.
  • Check which VLANs the switch is currently root for using 'show spanning-tree'.
A.Configure spanning-tree vlan 10 priority 4096 and spanning-tree vlan 20 priority 4096. Then on interface GigabitEthernet0/1, configure spanning-tree portfast and spanning-tree bpduguard enable. After removing the BPDU source, use 'shutdown' and 'no shutdown' to recover the port.
B.Configure spanning-tree vlan 10,20 root primary and spanning-tree portfast on Gi0/1; then use 'errdisable recovery cause bpduguard' to automatically recover the port.
C.Configure spanning-tree vlan 10,20 priority 0 and spanning-tree bpduguard enable on Gi0/1; then use 'no spanning-tree bpduguard' to recover the port.
D.Configure spanning-tree vlan 10,20 priority 4096 and spanning-tree portfast on Gi0/1; then use 'clear spanning-tree detected-protocols' to recover the port.
AnswerA
solution
! SW1
spanning-tree vlan 10 priority 4096
spanning-tree vlan 20 priority 4096
interface GigabitEthernet0/1
shutdown
no shutdown

Why this answer

SW1 is currently the root for VLAN 10 but not for VLAN 20. To become root for both VLANs, set the spanning-tree priority to a lower value (e.g., 4096) for each VLAN. The port Gi0/1 went err-disabled because it received a BPDU, which is unexpected on a PortFast edge port with BPDU Guard enabled.

To recover, first identify and remove the BPDU source (likely another switch connected to that port), then use 'shutdown' followed by 'no shutdown' on the interface to bring it back up.

Exam trap

Do not confuse 'root primary' with a guaranteed root election; always check for lower priorities. Also, remember that err-disabled ports require manual intervention (shutdown/no shutdown) unless you configure errdisable recovery. BPDU Guard err-disables the port; simply disabling BPDU Guard does not recover it.

Why the other options are wrong

B

The 'root primary' command does not guarantee root status if another switch has a priority lower than 24576. The question expects manual recovery, not automatic.

C

Priority 0 is not incorrect but is not the standard recommendation. The recovery method is wrong: disabling BPDU Guard does not clear the err-disabled state.

D

The command 'clear spanning-tree detected-protocols' does not clear the err-disabled state; it only resets the port's protocol state.

291
Drag & Dropmedium

Drag and drop the following steps into the correct order to determine the best route to a destination using a routing table.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
6Step 6
7Step 7

Why this order

The correct order follows Cisco's route selection logic: 1. Extract the destination IP (the lookup key). 2. Find all matching routes in the routing table. 3.

Apply longest prefix match – the most specific route (longest subnet mask) is always preferred, regardless of administrative distance. 4. If multiple routes share that longest prefix length, compare administrative distances. 5. The route with the lowest administrative distance wins. 6.

If AD values are equal (same routing protocol is typical), compare metrics. 7. The route with the lowest metric becomes the best route. This hierarchy – longest match > AD > metric – is fundamental to Cisco router behavior.

292
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure an IPv4 static address on a Windows host, generate an IPv6 EUI-64 address on a Cisco router, and verify the static IP assignment on Windows.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The static IPv4 is configured on Windows first, then the EUI-64 IPv6 address on the router, and finally verification on Windows. This order separates host and router tasks logically.

Exam trap

Do not assume that router configuration must come first because it is more complex. The logical workflow is to configure the host first, then the router, then verify. Also, verification should always be the last step after all configurations are complete.

293
MCQhard

A network technician is troubleshooting a connectivity issue for a PC connected to switch port Gi1/0/12. The PC can ping its default gateway (192.168.10.1) but cannot ping a server at 192.168.20.10. The switch is configured with VLAN 10 for the access port and is connected to a router-on-a-stick. The technician runs 'show vlan brief' and 'show interfaces trunk' on the switch. What is the most likely cause of the problem?

A.The trunk port Gi1/0/24 is not in trunking mode.
B.The router is missing a subinterface for VLAN 20.
C.The switch port Gi1/0/12 is not assigned to VLAN 10.
D.The PC has a duplicate IP address with the server.
AnswerB

The PC in VLAN 10 can ping its gateway, but VLAN 20 traffic cannot be routed because the router lacks a subinterface for VLAN 20.

Why this answer

The PC can ping its default gateway (192.168.10.1) but not the server at 192.168.20.10, indicating Layer 3 routing is failing between VLANs. Since the switch is configured with VLAN 10 for the access port and uses a router-on-a-stick, the router must have a subinterface for VLAN 20 to route traffic to the server's subnet. The absence of a subinterface for VLAN 20 prevents the router from forwarding packets from VLAN 10 to VLAN 20, making option B correct.

Exam trap

Cisco often tests the misconception that a trunk misconfiguration (option A) is the cause, but the PC's ability to ping the gateway confirms the trunk is working for VLAN 10, so the real issue is the missing subinterface for the destination VLAN.

Why the other options are wrong

A

The trunk port Gi1/0/24 is in 'on' mode and trunking, as shown in 'show interfaces trunk'. Therefore, the trunk is operational and not the cause of the issue.

C

The 'show vlan brief' output shows that port Gi1/0/12 is assigned to VLAN 10, so the PC is in the correct VLAN. This is not the issue.

D

A duplicate IP address would cause connectivity issues to the gateway as well, but the PC can ping the gateway successfully. Therefore, duplicate IP is not the problem.

294
Multi-Selectmedium

Which TWO statements correctly describe EtherChannel configuration and verification with LACP?

Select 2 answers
A.LACP uses the modes 'active' and 'passive' to negotiate an EtherChannel.
B.LACP uses the modes 'desirable' and 'auto' to negotiate an EtherChannel.
C.The command 'show etherchannel summary' displays the status of each port-channel as SU (in use) or SD (shutdown).
D.The command 'show etherchannel summary' displays the status of each port-channel as UP or DOWN.
E.LACP 'active' mode can only form an EtherChannel with another interface in 'active' mode.
AnswersA, C

LACP defines 'active' (initiates negotiation) and 'passive' (responds to negotiation) modes. At least one side must be active to form a channel.

Why this answer

Option A is correct because LACP (IEEE 802.3ad) defines two negotiation modes: 'active' (sends LACP frames and initiates negotiation) and 'passive' (responds only to received LACP frames). An EtherChannel forms only when at least one side is in 'active' mode; two 'passive' sides will never negotiate. Option C is correct because the 'show etherchannel summary' command displays the port-channel status as 'SU' (in use, Layer 2) or 'SD' (administratively down/shutdown), not simply 'UP' or 'DOWN'.

Exam trap

Cisco often tests the distinction between LACP modes ('active'/'passive') and PAgP modes ('desirable'/'auto'), and the trap here is that candidates confuse the proprietary PAgP terms with the standards-based LACP terms, or assume 'show etherchannel summary' shows simple UP/DOWN like interface status.

Why the other options are wrong

B

The modes 'desirable' and 'auto' are used by PAgP (Cisco proprietary), not LACP. LACP uses 'active' and 'passive' modes for negotiation.

D

The 'show etherchannel summary' command does not display 'UP' or 'DOWN' in plain text; it uses two-letter codes like SU (Layer 2 up), SD (shutdown), etc. This is a common misinterpretation of the output format.

E

LACP 'active' mode can form an EtherChannel with either 'active' or 'passive' mode. If both sides are passive, the channel will not form because neither initiates negotiation.

295
MCQmedium

What is the operational purpose of configuring the IPv6 route ::/0?

A.It provides a fallback path for unknown remote IPv6 destinations.
B.It enables OSPFv3 on the upstream interface.
C.It converts link-local addresses into global unicast addresses.
D.It summarizes all IPv6 routes into one /64 route.
AnswerA

This is correct because ::/0 defines the route of last resort for IPv6.

Why this answer

The configured route is a default route. In practical terms, it gives the router one simple next hop for any remote IPv6 destination that is not matched by a more specific entry. That is exactly what a small branch router often needs when it has a single upstream path.

This is the same design logic as an IPv4 default route, but with IPv6 syntax and addressing.

Exam trap

A frequent exam trap is mistaking the IPv6 default route (::/0) for a command that enables OSPFv3 or performs address translation. Some candidates incorrectly believe that the static route command configures OSPFv3 or converts link-local addresses to global unicast addresses. Another common error is interpreting ::/0 as a summary route with a /64 prefix, which it is not.

Understanding that ::/0 is specifically a default route that provides a fallback path for all unknown IPv6 destinations is crucial to avoid these misconceptions.

Why the other options are wrong

B

Option B is incorrect because the static route command does not enable OSPFv3. OSPFv3 requires separate configuration commands and is a dynamic routing protocol, unlike static routes.

C

Option C is incorrect because routing does not convert link-local addresses into global unicast addresses. Address types remain consistent, and routing forwards packets based on existing address formats.

D

Option D is incorrect because ::/0 is a default route covering all IPv6 addresses, not a summary route with a /64 prefix. Summarization involves aggregating multiple routes into a larger prefix, which is not the case here.

296
Drag & Dropmedium

Drag and drop the steps into the recommended configuration order for setting up VLANs, assigning access ports, configuring 802.1Q trunking with a non-default native VLAN, and verifying the setup on a Cisco IOS-XE switch.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

After creating VLANs, the recommended order is to configure trunking with a non-default native VLAN before assigning access ports. This ensures the trunk is ready with the correct native VLAN, preventing mismatches and allowing the switch to carry traffic for the new VLANs. Options B and D fail because VLANs must exist first.

Option A places trunking last, which is not the best practice.

Exam trap

Candidates often assume that access ports must be assigned before trunking, but in a recommended workflow, configuring trunking early helps avoid native VLAN mismatches and aligns with common Cisco configuration guides.

297
MCQhard

A router has routes to 10.50.0.0/16, 10.50.10.0/24, and 10.50.10.128/25. Which route is used for traffic to 10.50.10.140?

A.10.50.0.0/16
B.10.50.10.0/24
C.10.50.10.128/25
D.The default route
AnswerC

This is correct because .140 falls inside the 10.50.10.128/25 range.

Why this answer

The /25 route is used because it is the most specific matching prefix. In practical terms, 10.50.10.140 belongs to the upper half of the 10.50.10.0/24 space, which is exactly what 10.50.10.128/25 describes. Even though the /24 and /16 also match, longest-prefix match prefers the narrowest route.

This is a direct route-selection question. It reinforces that the router chooses the route that describes the destination most precisely.

Exam trap

A frequent exam trap is choosing a less specific route such as 10.50.0.0/16 or 10.50.10.0/24 because they also include the destination IP address. Candidates might overlook the importance of the subnet mask length and assume any matching route is acceptable. This mistake ignores the longest-prefix match rule, which always prefers the route with the most bits matching the destination IP.

Selecting a broader route leads to incorrect routing decisions and fails to reflect Cisco’s routing behavior.

Why the other options are wrong

A

The route 10.50.0.0/16 is the least specific among the options because it covers a large range of IP addresses. Although it matches the destination IP 10.50.10.140, it is overridden by more specific routes with longer subnet masks, so it is not chosen.

B

The route 10.50.10.0/24 is more specific than the /16 but less specific than the /25. Since 10.50.10.140 falls within the /25 subnet, the router prefers the /25 route over this /24 route, making this option incorrect.

D

The default route is only used when no other matching routes exist. Since multiple specific routes match 10.50.10.140, the router will not use the default route, so this option is incorrect.

298
Drag & Dropmedium

Drag and drop the following OSPFv2 DR/BDR election steps into the correct order for a multiaccess network where a new router is added after the DR and BDR have already been elected.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

When a new router joins a multiaccess network that already has DR/BDR, it goes through the ExStart state with both the DR and BDR, then forms full adjacencies with both, regardless of its OSPF priority. Options A, B, and C are incorrect because they either describe adjacencies with only the DR, or claim the new router becomes DR/BDR, which cannot happen when DR/BDR are already elected.

Exam trap

A router with OSPF priority 0 never becomes DR or BDR, but it still forms full adjacencies with both the existing DR and BDR.

299
MCQhard

A network administrator is troubleshooting a connectivity issue between two remote sites connected via a WAN link. Hosts on VLAN 10 at Site A (192.168.10.0/24) cannot ping the server at Site B (10.10.20.100). The router at Site A has a default route configured with the next-hop IP address 10.10.10.2. The administrator checks the routing table on Router A and notices that the default route is not installed. What is the most likely cause of the problem?

A.The static route for 10.10.20.0/24 is missing from the routing table.
B.The GigabitEthernet0/0 interface is administratively down.
C.The default route is not configured; the gateway of last resort is missing.
D.The next-hop router 10.10.10.2 is unreachable.
AnswerD

A static route with a next-hop IP is only installed in the routing table when that next-hop is reachable. Since the default route is missing from the routing table, the next-hop 10.10.10.2 must be unreachable, making option D the correct diagnosis.

Why this answer

Option D is correct because the default route uses a next-hop IP (10.10.10.2) and will only be installed in the routing table if that next-hop is reachable. Since the router’s routing table shows no default route, the most likely cause is that the next-hop 10.10.10.2 is unreachable, preventing the static route from being used. This explains why traffic fails despite the configuration.

Exam trap

Cisco often tests the misconception that a default route alone guarantees connectivity, when in reality the next-hop must be reachable; candidates may overlook verifying the next-hop's availability.

Why the other options are wrong

A

The routing table shows a static route to 10.10.20.0/24 via 10.10.10.2, so the route is present. The issue is not a missing route.

B

The interface is shown as directly connected with a local address, indicating it is up and operational. An administratively down interface would show 'administratively down' in the status.

C

The output shows 'Gateway of last resort is 10.10.10.2 to network 0.0.0.0', confirming the default route is configured.

300
PBQhard

You are connected to a Multilayer Switch MLS1. Configure the switch so that interface GigabitEthernet1/0/1 is an access port for VLAN 10, with voice VLAN 110 for an IP phone, and enable PoE. Additionally, interface GigabitEthernet1/0/2 must be an access port for VLAN 20 to connect an AP. Verify the configuration using 'show interfaces switchport' and 'show power inline'.

Network Topology
G1/0/1G1/0/2SiMLS1IP PhoneAP

Hints

  • Use 'switchport mode access' to set the port as an access port.
  • For the IP phone port, apply both 'switchport access vlan' and 'switchport voice vlan' commands.
  • PoE is enabled by default but ensure 'power inline auto' is configured.
A.interface GigabitEthernet1/0/1 switchport mode access switchport access vlan 10 switchport voice vlan 110 power inline auto interface GigabitEthernet1/0/2 switchport mode access switchport access vlan 20
B.interface GigabitEthernet1/0/1 switchport mode trunk switchport trunk allowed vlan 10,110 power inline auto interface GigabitEthernet1/0/2 switchport mode access switchport access vlan 20
C.interface GigabitEthernet1/0/1 switchport mode access switchport access vlan 10 switchport voice vlan 110 power inline never interface GigabitEthernet1/0/2 switchport mode access switchport access vlan 20
D.interface GigabitEthernet1/0/1 switchport mode access switchport access vlan 110 switchport voice vlan 10 power inline auto interface GigabitEthernet1/0/2 switchport mode access switchport access vlan 20
AnswerA
solution
! MLS1
interface GigabitEthernet1/0/1
switchport mode access
switchport access vlan 10
switchport voice vlan 110
power inline auto
exit
interface GigabitEthernet1/0/2
switchport mode access
switchport access vlan 20
exit

Why this answer

Option A is correct. It configures Gi1/0/1 as an access port in VLAN 10 with voice VLAN 110 and PoE enabled, and Gi1/0/2 as an access port in VLAN 20. Option B is wrong because it uses 'switchport mode trunk' instead of 'switchport mode access'.

For a voice VLAN, the port should be an access port, not a trunk. Option C is wrong because it disables PoE with 'power inline never', but the IP phone requires power. Option D is wrong because it assigns the access VLAN as 110 and voice VLAN as 10, reversing the intended roles.

Verify with 'show interfaces switchport' and 'show power inline'.

Exam trap

Watch out for the difference between access and trunk ports when a voice VLAN is involved. The voice VLAN is configured on an access port, not a trunk. Also, ensure PoE is enabled (auto) and not disabled (never).

Finally, do not confuse the access VLAN with the voice VLAN.

Why the other options are wrong

B

The specific factual error is using 'switchport mode trunk' instead of 'switchport mode access'. Access ports are used for end devices like IP phones and APs, not trunks.

C

The specific factual error is using 'power inline never' which disables PoE. The correct command to enable PoE is 'power inline auto'.

D

The specific factual error is reversing the VLAN assignments: 'switchport access vlan 110' and 'switchport voice vlan 10' instead of the correct order.

Page 3

Page 4 of 25

Page 5