CCNA 200-301 v2 (200-301) — Questions 301–375

1819 questions total · 25 pages · All types, answers revealed

Page 5 of 25
301
Drag & Drop · medium

Drag and drop the following steps into the correct order to describe the TCP three-way handshake process between a client and a server.


Why this order

The TCP three-way handshake begins with the client sending a SYN (A) to initiate the connection. The server replies with a SYN-ACK (B) to acknowledge the client's SYN and provide its own sequence number. Finally, the client sends an ACK (C) to confirm the server's SYN, completing the handshake.

Option D, "Server sends ACK (ack=x+1)," is not part of the three-way handshake; an ACK from the server would be redundant at this stage and actually occurs during the four-way connection termination, not establishment.

Exam trap

The most common trap is confusing the order of the handshake or thinking the server sends a plain ACK instead of a SYN-ACK. Remember: the client always initiates with SYN, the server replies with SYN-ACK, and the client finishes with ACK.

302
MCQ · hard

An IPv6 LAN is using SLAAC. Which message allows hosts to learn the default gateway and on-link prefix?

A. Neighbor Solicitation
B. Router Advertisement
C. DHCPv6 Solicit
D. ICMP Echo Reply
Answer: B

Correct. RA messages provide prefix and default-router information.

Why this answer

In an IPv6 LAN using SLAAC (Stateless Address Autoconfiguration), hosts learn the default gateway and on-link prefix from Router Advertisement (RA) messages sent by routers. Neighbor Solicitation (NS) is used for address resolution and Duplicate Address Detection (DAD), not for learning gateway/prefix. DHCPv6 Solicit is part of stateful DHCPv6, not SLAAC.

ICMP Echo Reply is a simple reachability test and provides no configuration information.

Exam trap

Be careful not to confuse the roles of Router Solicitation and Router Advertisement messages. Remember, solicitations are requests, while advertisements provide information.

Why the other options are wrong

A

Neighbor Solicitation (NS) messages are used for address resolution (determining the link-layer address of a neighbor) and duplicate address detection, not for advertising default gateway or prefix information.

C

DHCPv6 Solicit messages are used in stateful DHCPv6 to request configuration parameters like addresses and DNS servers, but SLAAC does not use DHCPv6 for default gateway or prefix information; those are provided by RA messages.

D

ICMP Echo Reply messages are used for ping responses and do not carry any routing or prefix information; they are not involved in neighbor discovery or address autoconfiguration.

303
MCQ · hard

A host is configured with IP address 10.10.40.78/28. Which subnet contains that host?

A. 10.10.40.48/28
B. 10.10.40.64/28
C. 10.10.40.72/28
D. 10.10.40.80/28
Answer: B

This is correct because .78 falls inside the .64 through .79 range.

Why this answer

A /28 subnet has a block size of 16. In simple terms, the fourth-octet ranges are 0–15, 16–31, 32–47, 48–63, 64–79, 80–95, and so on. Because 78 falls inside the 64–79 block, the network address for this host’s subnet is 10.10.40.64/28.

This style of subnetting question checks whether you can move from prefix length to block size and then place the host into the correct range. The common mistake is choosing the nearest familiar-looking number instead of the actual block boundary.

Exam trap

Avoid selecting a subnet range based on the nearest familiar-looking number; always calculate the correct block boundary.

Why the other options are wrong

A

The subnet 10.10.40.48/28 includes addresses 10.10.40.48 through 10.10.40.63. The host address 10.10.40.78 is outside this range, so it does not belong to this subnet.

C

The subnet 10.10.40.72/28 is not a valid subnet because /28 subnets have boundaries that are multiples of 16. The valid subnet starting addresses for /28 are 0, 16, 32, 48, 64, 80, etc. 72 is not a multiple of 16, so this is not a valid network address.

D

The subnet 10.10.40.80/28 includes addresses 10.10.40.80 through 10.10.40.95. The host address 10.10.40.78 is below this range, so it does not belong to this subnet.

304
Matching · medium

Match each security concept to its most accurate meaning.

Descriptions
  • Protection against unauthorized disclosure
  • Protection against unauthorized modification
  • Ensuring systems and data can be accessed when needed
  • Limiting access to only what is necessary

Why these pairings

Confidentiality ensures data is not disclosed to unauthorized parties; integrity prevents unauthorized modification of data; availability guarantees systems and data are accessible when needed; least privilege limits access rights to the minimum necessary. The correct matches reflect these core security principles.

Exam trap

A common mistake is confusing confidentiality with integrity or assuming availability means data is always accessible without considering authorized access.

305
MCQ · hard

A host receives an IP address, subnet mask, default gateway, and DNS server automatically when it joins the network. Which service is most directly responsible for delivering that bundle of settings?

A. DHCP
B. Syslog
C. NTP
D. GRE
Answer: A

This is correct because DHCP provides automatic host IP configuration information.

Why this answer

DHCP is most directly responsible because it is designed to provide hosts with IP configuration parameters automatically. In practical terms, this often includes the address, mask, gateway, and DNS server information needed for ordinary operation. That is exactly why DHCP is such a central end-host service.

This is one of the most foundational services in enterprise client connectivity.

Exam trap

Be careful not to confuse services that involve IP addresses with those that assign them. DHCP assigns IP settings, while others like DNS, NAT, and ARP have different roles.

Why the other options are wrong

B

Syslog is a protocol used for logging and monitoring system events, not for delivering network configuration parameters. It collects and forwards log messages from network devices to a central server for analysis, but does not assign IP settings.

C

NTP (Network Time Protocol) is designed to synchronize clocks between devices over a network, ensuring accurate timekeeping. It does not provide IP address, subnet mask, default gateway, or DNS server information to hosts.

D

GRE (Generic Routing Encapsulation) is a tunneling protocol used to encapsulate packets of one protocol within another, typically for creating VPNs or connecting remote networks. It does not provide host configuration parameters like IP addresses or DNS servers.

306
Matching · medium

Match each REST-style method to the action it most commonly represents.

Descriptions
  • Retrieve information
  • Submit or create data
  • Update or replace a resource
  • Remove a resource

Why these pairings

REST methods are standardized: GET retrieves, POST creates, PUT replaces, PATCH partially modifies, DELETE removes, and HEAD retrieves only headers.

Exam trap

The exam often tests the distinction between PUT (full replacement) and PATCH (partial modification). Many candidates incorrectly assign PUT to 'update' and PATCH to 'replace'.

307
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure an IPv4 address on a Cisco IOS-XE router interface, then verify the configuration with a ping to a host that uses an IPv6 EUI-64 address.


Why this order

The correct sequence is to first enter global configuration mode, then interface configuration mode, assign the IPv4 address, exit completely to enable mode, and finally ping the IPv6 host. Option B is incorrect because you cannot enter interface configuration mode before global configuration mode; you must be in global config first. Option C is incorrect because you cannot assign an IPv4 address in global configuration mode; that command must be issued in interface configuration mode.

Option D is incorrect because you cannot execute the ping command from interface configuration mode; you must exit to enable mode first.

Exam trap

The exam trap is that candidates often confuse the order of configuration modes or try to execute commands in the wrong mode. Remember: global config first, then interface config, then assign IP, then exit to enable mode for verification commands like ping.

308
Drag & Drop · medium

Which of the following sequences correctly configures and verifies PortFast and BPDU Guard on a Cisco IOS-XE switch interface, and then recovers after a BPDU guard violation?


Why this order

First enter global config, then the specific interface, enable PortFast, then BPDU Guard; verification confirms settings; recovery after error-disable requires administrative shutdown and no shutdown.

Exam trap

The exam trap is that candidates may confuse the order of PortFast and BPDU Guard, or think that recovery requires a switch reload or a special clear command. Remember: PortFast first, then BPDU Guard; recovery is always 'shutdown/no shutdown' on the interface.

309
MCQ · medium

A branch router has only one WAN link connected to an Ethernet handoff from the provider. Which static default route is generally the better choice?

A. ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
B. ip route 0.0.0.0 0.0.0.0 198.51.100.1
C. ip route 255.255.255.255 255.255.255.255 198.51.100.1
D. No static default route should ever be used on Ethernet.
Answer: B

A next-hop address is generally preferred on Ethernet provider handoffs.

Why this answer

On multiaccess Ethernet, pointing the default route to a next-hop IP address is usually cleaner because the router can resolve the next hop with ARP. Using only the exit interface on Ethernet can make the router treat many destinations as directly connected and trigger unnecessary ARP behavior.

Exam trap

A common exam trap is selecting a static default route that specifies only the exit Ethernet interface without a next-hop IP address. While this configuration can work, it causes the router to treat all unknown destinations as directly connected on the Ethernet segment. This behavior triggers excessive ARP requests for every unknown IP address, leading to network inefficiency and potential delays.

Candidates might incorrectly assume that specifying the interface alone is sufficient, but on multiaccess Ethernet links, this is suboptimal and can cause routing issues.

Why the other options are wrong

A

Configuring 'ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0' specifies only the exit interface. On multiaccess Ethernet, this causes the router to ARP for every unknown destination, which is inefficient and less ideal.

C

Configuring 'ip route 255.255.255.255 255.255.255.255 198.51.100.1' creates a host route, which matches only one IP address, not all unknown destinations. Therefore, it is not a valid default route.

D

The statement that no static default route should ever be used on Ethernet is incorrect. Static default routes are valid and commonly used on Ethernet interfaces, especially for WAN links.

310
Matching · medium

Drag and drop the FHRP protocols on the left to their key characteristics on the right.

Characteristics
  • Cisco proprietary; active/standby; virtual MAC 0000.0c07.acXX
  • Open standard; master/backup; virtual MAC 0000.5e00.01XX
  • Cisco proprietary; active/active load balancing; virtual MAC 0007.b400.XXYY
  • Supports IPv6; uses group numbers 0-4095
  • Supports IPv4 and IPv6; uses virtual router ID 1-255

Why these pairings

HSRP and GLBP are Cisco proprietary; VRRP is open standard. GLBP uniquely supports load balancing. IRDP is not a true FHRP.

Virtual IP and preemption are common characteristics.

Exam trap

The exam often tests whether you know that VRRP is the open standard, while HSRP and GLBP are Cisco proprietary. Also, IRDP is a common distractor because it is a router discovery protocol but not a true FHRP.

311
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure an IOS-XE device as an NTP client and ensure its syslog messages are sent to a remote server with correct timestamps.


Why this order

First, enter global config, then set the NTP server, configure syslog destination and source interface, and finally verify both services.

Exam trap

A common trap is to configure syslog before NTP, but NTP should be set first so that syslog messages have correct timestamps. Also, candidates may forget that global config mode must be entered before any configuration commands.

312
MCQ · hard

A named standard ACL is configured to permit only the 192.168.30.0/24 subnet, but users from 192.168.31.0/24 are still passing traffic. What is the most likely reason?

A. Standard ACLs cannot match source addresses
B. The ACL is probably applied in the wrong place or direction for the traffic flow
C. Named ACLs ignore wildcard masks
D. The deny any line must appear before the permit
Answer: B

ACL placement matters a lot with standard ACLs.

Why this answer

Standard ACLs filter traffic based solely on the source IP address. If users from 192.168.31.0/24 are still passing traffic despite the ACL permitting only 192.168.30.0/24, the most likely reason is that the ACL is applied in the wrong place or direction. For example, if the ACL is applied inbound on an interface where traffic from 192.168.31.0/24 does not enter, or outbound on an interface where the traffic does not exit, the filter will not affect the intended flow.

The implicit deny statement denies all unmatched traffic, so if the ACL were correctly placed, traffic from 192.168.31.0/24 would be denied.

Exam trap

Remember that ACLs must be applied in the correct direction to affect traffic flow as intended.

Why the other options are wrong

A

Standard ACLs are specifically designed to match source IP addresses, so this statement is factually incorrect. They can match source addresses using wildcard masks.

C

Named ACLs use wildcard masks just like numbered ACLs; the naming does not affect the functionality of wildcard masks. The statement is technically incorrect.

D

The 'deny any' line at the end of an ACL is implicit, so placing it before the permit would block all traffic, including the intended 192.168.30.0/24 subnet. The order of entries matters, but the issue here is not about the order of deny any.

313
Multi-Select · hard

R1 learns the route 192.0.2.0/24 via OSPF, RIP, and a static route configured with an administrative distance of 130. Based on this information, which two statements are correct?

Select 2 answers
A. The OSPF route is installed because its administrative distance is lower than RIP and the floating static route.
B. The static route will be preferred because static routes always beat dynamic routes.
C. The static route acts as a backup and can be installed if the OSPF route disappears.
D. RIP wins because its metric is lower than OSPF cost.
E. All three routes should load-balance because the prefix length is the same.
Answers: A, C

For the same /24 prefix, OSPF AD 110 beats RIP 120 and static 130.

Why this answer

The router installs the OSPF route because it has the lowest administrative distance among the routes shown. The static route with AD 130 is intentionally floating, and the RIP route has a higher AD than OSPF. Route selection first prefers longest match, then lower AD among routes to the same prefix length.

Exam trap

A frequent exam trap is assuming that static routes always take precedence over dynamic routes regardless of administrative distance. Many candidates incorrectly believe that static routes inherently override OSPF or RIP routes. However, Cisco routers use administrative distance first to select the best route when multiple protocols provide the same prefix.

If a static route has a higher AD (like 130 for a floating static), it will not be installed unless the primary route disappears. Another common mistake is to think RIP wins because it has a lower metric than OSPF cost, but metrics are only compared within the same routing protocol, not across different protocols. This misunderstanding leads to incorrect route selection assumptions.

Why the other options are wrong

B

This option is incorrect because static routes do not always beat dynamic routes; the static route must have a lower administrative distance to be preferred, which is not the case here due to the floating static’s higher AD.

D

This option is incorrect because routing protocols are compared first by administrative distance, not by their internal metrics; RIP’s metric does not override OSPF’s lower AD.

E

This option is incorrect because equal prefix length alone does not guarantee load balancing; routes must have matching attributes and equal administrative distances for equal-cost multipath (ECMP) to occur.

314
MCQ · hard

A company wants to reduce the chance that unused switch ports can be exploited. Which action best aligns with that goal?

A. Administratively shut down unused switch ports
B. Convert all unused ports into trunk ports
C. Enable Telnet on all unused ports
D. Advertise every unused port into OSPF
Answer: A

This is correct because disabling unused ports reduces exposure and is a common hardening practice.

Why this answer

The best action is to administratively disable unused ports and apply hardening where appropriate. In plain language, an unused port is still a possible entry point if it remains active and unmonitored. Shutting it down reduces exposure and aligns with the broader principle of minimizing unnecessary attack surface. This is a simple but effective part of switch hardening.

Leaving unused ports active may feel convenient, but it creates opportunities for unauthorized connections. The correct answer is the one focused on disabling resources that are not needed rather than on unrelated technologies.

Exam trap

A frequent exam trap is selecting options that involve enabling protocols or configurations unrelated to physical port security, such as enabling Telnet or advertising ports in OSPF. These options may seem to increase control or visibility but do not reduce the risk of unauthorized access through unused switch ports. Another trap is converting unused ports into trunk ports, which actually increases exposure by allowing multiple VLANs to traverse ports that should be inactive.

The key mistake is confusing Layer 2 port hardening with Layer 3 routing or management protocol configurations, which do not address the fundamental risk of an active but unused physical port.

Why the other options are wrong

B

Converting unused ports into trunk ports is incorrect because it increases network exposure by allowing multiple VLANs on ports that should remain inactive, thereby expanding potential attack vectors.

C

Enabling Telnet on all unused ports is wrong as Telnet is an insecure management protocol that does not address physical port security and can expose the network to interception and unauthorized access.

D

Advertising every unused port into OSPF is irrelevant because OSPF is a Layer 3 routing protocol that does not manage or secure Layer 2 switch ports, so it does not reduce exploitation risk.

315
MCQ · hard

A network technician notices CDP native VLAN mismatch warnings between switches SW1 and SW2 on their trunk link. The technician runs 'show interfaces trunk' on SW1 and sees native VLAN 1, then on SW2 and sees native VLAN 99. Data traffic is currently passing, but the mismatch can cause broadcast loops. What should the technician do next?

A. Add VLAN 99 to the allowed VLAN list on the trunk interface of SW1.
B. Remove the trunk configuration and set both interfaces as access ports in VLAN 1.
C. Enable spanning-tree PortFast on the trunk ports.
D. Configure the native VLAN to match on both ends of the trunk.
Answer: D

The root cause is a configured native VLAN mismatch (1 vs 99). Changing one switch’s native VLAN to match the other (or setting both to a common VLAN) immediately resolves the CDP warning and eliminates the potential for broadcast loops caused by the mismatch. This is the most direct and least disruptive next step.

Why this answer

The correct action is to configure the native VLAN to match on both ends of the trunk. CDP reports a native VLAN mismatch when the native VLANs differ on the two sides of a trunk link. Although data traffic may still pass because 802.1Q does not tag frames on the native VLAN, the mismatch can cause broadcast loops and security risks, as frames from one native VLAN may be misinterpreted on the other side.

Setting both sides to the same native VLAN (e.g., VLAN 1 or VLAN 99) resolves the mismatch and ensures proper Layer 2 behavior.

Exam trap

Cisco often tests the misconception that data traffic passing means the configuration is fine, but the trap here is that the native VLAN mismatch can still cause serious issues like broadcast loops and security vulnerabilities, even if user data appears to work.

Why the other options are wrong

A

Common misconception: the warning message implies a VLAN is not allowed, but native VLAN mismatch means the trunk ports disagree on the native VLAN, not that a VLAN is missing from the allowed list.

B

Over-reaction: candidates might think a trunk problem requires eliminating the trunk, but the correct approach is to correct the native VLAN parameter on the existing trunk.

C

Wrong feature: PortFast addresses access port convergence, not VLAN mismatches. Candidates may reach for any familiar command, but it targets the wrong layer and port type.

316
MCQ · hard

A host is configured with 192.168.60.33/26. Which address is the network address of its subnet?

A. 192.168.60.0
B. 192.168.60.32
C. 192.168.60.64
D. 192.168.60.63
Answer: A

This is correct because .33 is in the 0–63 /26 block.

Why this answer

A /26 uses blocks of 64 addresses. In practical terms, the fourth-octet ranges are 0–63, 64–127, 128–191, and 192–255. Since 33 falls within the 0–63 block, the network address is 192.168.60.0.

This is a straightforward boundary-identification question, but it catches people who memorize masks without understanding block sizes. The right approach is to find the correct block first, then take the first address in that block as the network address.

Exam trap

Avoid confusing the first usable host address with the network address. Always identify the block range first.

Why the other options are wrong

B

The /26 subnet mask has a block size of 64, not 32. The network addresses for /26 are 0, 64, 128, and 192. 192.168.60.32 is not a valid network address because it is not a multiple of 64.

C

192.168.60.64 is the network address of the next /26 subnet (64–127). The host address 192.168.60.33 belongs to the 0–63 range, not the 64–127 range.

D

192.168.60.63 is the broadcast address of the 192.168.60.0/26 subnet, not the network address. The network address is always the first address in the subnet (all host bits set to 0).
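Questions 303 and 316 both come down to the same block-size arithmetic, so here is the method as working code. This is an added example, not part of the question bank: it rounds a host address down to its block boundary, derives the network, broadcast and usable range, lists the fourth-octet ranges the explanations mention, and rejects candidates that are not on a boundary (the 10.10.40.72/28 and 192.168.60.32/26 distractors). The ipaddress module is used only for string/integer conversion and as a cross-check of the hand arithmetic.

```python
import ipaddress

def block_size(prefix: int) -> int:
    """Addresses per subnet for a prefix length (/28 -> 16, /26 -> 64)."""
    return 2 ** (32 - prefix)

def octet_ranges(prefix: int) -> list:
    """Fourth-octet ranges for /25 to /30, the way the explanations list them.

    Returns (first, last) tuples, e.g. /28 -> (0, 15), (16, 31), (32, 47), ...
    """
    if not 25 <= prefix <= 30:
        raise ValueError("fourth-octet ranges only apply to /25 through /30")
    size = block_size(prefix)
    return [(start, start + size - 1) for start in range(0, 256, size)]

def subnet_bounds(host: str, prefix: int) -> dict:
    """Find the block a host belongs to and derive its key addresses.

    The exam method: round the address down to the nearest multiple of the
    block size.  The result is cross-checked against the standard library.
    """
    addr = int(ipaddress.IPv4Address(host))
    size = block_size(prefix)
    network = addr - (addr % size)           # round down to the block boundary
    broadcast = network + size - 1
    result = {
        "network": str(ipaddress.IPv4Address(network)),
        "first_host": str(ipaddress.IPv4Address(network + 1)),
        "last_host": str(ipaddress.IPv4Address(broadcast - 1)),
        "broadcast": str(ipaddress.IPv4Address(broadcast)),
    }
    # strict=False lets ipaddress mask off the host bits for the comparison
    expected = ipaddress.ip_network(f"{host}/{prefix}", strict=False)
    assert result["network"] == str(expected.network_address)
    assert result["broadcast"] == str(expected.broadcast_address)
    return result

def is_valid_network_address(candidate: str, prefix: int) -> bool:
    """True only if the candidate sits exactly on a block boundary for that prefix.

    This is the check that rules out 10.10.40.72/28: 72 is not a multiple of 16.
    """
    return int(ipaddress.IPv4Address(candidate)) % block_size(prefix) == 0

def locate(host: str, prefix: int, candidates: list) -> str:
    """Return the one candidate (as 'a.b.c.d/len') that is a valid boundary and contains the host."""
    wanted = subnet_bounds(host, prefix)["network"]
    hits = [c for c in candidates if is_valid_network_address(c, prefix) and c == wanted]
    return f"{hits[0]}/{prefix}" if hits else "no candidate matches"

if __name__ == "__main__":
    # Inputs taken from questions 303 and 316
    print(octet_ranges(28))
    print(subnet_bounds("10.10.40.78", 28))
    print(locate("10.10.40.78", 28, ["10.10.40.48", "10.10.40.64", "10.10.40.72", "10.10.40.80"]))
    print(subnet_bounds("192.168.60.33", 26))
```

Running it reproduces both answer keys: 10.10.40.78/28 sits in the 64–79 block, so the network is 10.10.40.64/28, and 192.168.60.33/26 sits in the 0–63 block with broadcast 192.168.60.63.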

317
Multi-Select · medium

Which TWO statements accurately describe the use of packet capture tools for troubleshooting Layer 2/3 issues?

Select 2 answers
A. A packet capture that shows ARP requests with no ARP replies indicates a Layer 3 routing issue.
B. A packet capture that shows frames with the same source and destination MAC addresses but different 802.1Q VLAN tags indicates a possible trunk misconfiguration.
C. A packet capture that shows ICMP echo requests but no echo replies confirms a Layer 2 switching loop.
D. A packet capture that shows ICMP echo requests leaving a router but no echo replies returning suggests a Layer 3 routing problem.
E. A packet capture that shows TCP SYN packets with no SYN-ACK replies indicates a Layer 1 physical issue.
Answers: B, D

Frames traversing a trunk should have consistent VLAN tags. Inconsistent tags suggest a mismatch in allowed VLANs or native VLAN on the trunk.

Why this answer

Option B is correct because frames with identical source and destination MAC addresses but different 802.1Q VLAN tags indicate the same device is reachable on multiple VLANs, which commonly results from a misconfigured trunk (e.g., native VLAN mismatch or inconsistent allowed VLAN lists). Option D is correct because seeing ICMP echo requests leave a router but no echo replies return suggests the reply is blocked or dropped at some intermediate Layer 3 hop, pointing to a routing problem rather than a Layer 2 issue. Option A is wrong: ARP requests without replies point to a Layer 2 problem (e.g., unreachable destination or filtering), not a Layer 3 routing issue.

Option C is wrong: ICMP echo requests without replies could have many causes (ACLs, firewalls, routing) – a switching loop would typically generate excessive broadcasts, not just missing replies. Option E is wrong: TCP SYN without SYN-ACK typically indicates a Layer 4 filtering or unreachable server issue, or possibly a Layer 3 routing problem, not a pure Layer 1 physical fault.

Exam trap

Cisco often tests the distinction between Layer 2 and Layer 3 troubleshooting by making candidates incorrectly attribute ARP failures to Layer 3 routing issues, when ARP is strictly a Layer 2 protocol used for MAC address resolution within the same subnet.

Why the other options are wrong

A

ARP operates at Layer 2 (Data Link layer) and is used to resolve IP addresses to MAC addresses. A lack of ARP replies indicates a Layer 2 connectivity issue, such as a misconfigured VLAN, incorrect cabling, or a switch port problem, not a Layer 3 routing issue.

C

ICMP echo requests without replies typically indicate a Layer 3 issue, such as no route back to the source, or a firewall blocking the replies. Layer 2 loops cause broadcast storms, duplicate frames, and MAC address flapping, not a simple lack of ICMP replies.

E

TCP SYN packets without SYN-ACK replies often indicate a firewall blocking the connection, a service not listening on the destination port, or a Layer 4-7 issue. Layer 1 physical issues would typically result in no packets being received at all, not just missing SYN-ACKs.

318
PBQ · medium

You are connected to R1 via console. R1 is a router that has two paths to the Internet: one via ISP1 with next-hop 203.0.113.1, and a backup via ISP2 with next-hop 203.0.113.2. The primary path should be via ISP1, but if it fails, traffic should automatically use ISP2. Currently, R1 has a static default route to ISP1 only. You need to configure a floating static route to ISP2 with an administrative distance of 150 to provide backup connectivity. Additionally, you must ensure that the backup route is only used when the primary route is not available.

Network Topology
R1 G0/0 203.0.113.10/30 links to ISP1 203.0.113.1; R1 G0/1 203.0.113.14/30 links to ISP2 203.0.113.2

Hints

  • A floating static route has a higher administrative distance than the primary route.
  • The default administrative distance for static routes is 1, so you need a distance greater than that.
  • When the primary route disappears (e.g., interface down), the floating route will appear in the routing table.
A. ip route 0.0.0.0 0.0.0.0 203.0.113.2 150
B. ip route 0.0.0.0 0.0.0.0 203.0.113.2 1
C. ip route 0.0.0.0 0.0.0.0 203.0.113.2 250
D. ip route 0.0.0.0 0.0.0.0 203.0.113.2
Answer: A

Solution
! R1
ip route 0.0.0.0 0.0.0.0 203.0.113.2 150

Why this answer

By setting the administrative distance to 150, the backup static route is less preferred than the primary static route (distance 1). If the primary route is removed due to a failure, the floating route is installed, providing backup connectivity.

Exam trap

Do not confuse the metric with administrative distance. For static routes, the AD is used to determine preference. A floating static route must have a higher AD than the primary route to act as a backup.

Also, note that the question specifies the exact AD value to use.

Why the other options are wrong

B

The administrative distance should be higher than the primary route's AD (1) to make it less preferred. Setting it to 1 makes it equal, not a backup.

C

The question explicitly states 'with an administrative distance of 150'. Using 250 is not what was asked, though it would be technically valid.

D

The default AD is 1, which equals the primary route's AD. This does not create a floating route; both routes are equally preferred.
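Questions 313 and 318 both rest on the same route-selection rule: longest prefix first, then lowest administrative distance, with metrics compared only inside one routing source. The Python model below is an added example, not part of the question bank; it builds a routing table from candidate routes and walks both scenarios as the primary routes disappear. The next-hop addresses for the 313 scenario and the destination address used for the 318 lookup are constructed, since the page gives none; the 318 next hops 203.0.113.1 and 203.0.113.2 are from the question.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str      # destination network, e.g. "192.0.2.0/24"
    source: str      # "static", "ospf", "rip", ...
    ad: int          # administrative distance: how trusted the source is
    metric: int      # source-internal cost; never compared across sources
    next_hop: str

def build_rib(candidates: list) -> dict:
    """Decide which route(s) are installed for each prefix.

    Lowest AD wins for a given prefix.  Metrics only break ties among routes
    that already share the winning AD; equal metrics there mean several
    entries are installed (equal-cost multipath).
    """
    by_prefix = {}
    for r in candidates:
        by_prefix.setdefault(r.prefix, []).append(r)
    rib = {}
    for prefix, routes in by_prefix.items():
        best_ad = min(r.ad for r in routes)
        winners = [r for r in routes if r.ad == best_ad]
        best_metric = min(r.metric for r in winners)
        rib[prefix] = [r for r in winners if r.metric == best_metric]
    return rib

def lookup(rib: dict, destination: str) -> list:
    """Forwarding decision: longest prefix match, then the entries installed for it."""
    addr = ipaddress.IPv4Address(destination)
    matching = [p for p in rib if addr in ipaddress.ip_network(p)]
    if not matching:
        return []
    longest = max(matching, key=lambda p: ipaddress.ip_network(p).prefixlen)
    return rib[longest]

def question_313(ospf_up: bool = True, rip_up: bool = True) -> list:
    """Sources installed for 192.0.2.0/24 as the OSPF and RIP routes come and go.

    Next hops are constructed.  RIP is given a smaller metric than OSPF on
    purpose: it still loses, because AD is compared before any metric.
    """
    candidates = [Route("192.0.2.0/24", "static", 130, 0, "10.0.0.9")]   # floating static
    if ospf_up:
        candidates.append(Route("192.0.2.0/24", "ospf", 110, 20, "10.0.0.5"))
    if rip_up:
        candidates.append(Route("192.0.2.0/24", "rip", 120, 2, "10.0.0.6"))
    return [r.source for r in lookup(build_rib(candidates), "192.0.2.10")]

def question_318(primary_up: bool = True) -> str:
    """Next hop used for Internet-bound traffic with and without the ISP1 default route."""
    candidates = [Route("0.0.0.0/0", "static", 150, 0, "203.0.113.2")]  # floating backup
    if primary_up:
        candidates.append(Route("0.0.0.0/0", "static", 1, 0, "203.0.113.1"))
    installed = lookup(build_rib(candidates), "198.51.100.77")   # constructed destination
    return installed[0].next_hop

if __name__ == "__main__":
    print(question_313(), question_313(ospf_up=False), question_313(False, False))
    print(question_318(), question_318(primary_up=False))
```

The 313 walk-through is slightly more complete than the question itself: when OSPF disappears the RIP route (AD 120) is installed before the floating static (AD 130) gets its turn, which is exactly why "static routes always win" (option B) and "lower RIP metric wins" (option D) are wrong. For 318, the AD 150 route stays out of the table until the AD 1 route is gone.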

319
Multi-Select · medium

Which three statements are true about the operation of Dynamic Host Configuration Protocol (DHCP) in an enterprise network? (Choose three.)

Select 3 answers
A. A DHCP client sends a DHCPDISCOVER message as a broadcast to locate a DHCP server.
B. A DHCP server uses the client's MAC address to uniquely identify and assign an IP address.
C. DHCP options, such as default gateway and DNS server, are included in DHCPOFFER and DHCPACK messages.
D. A DHCP relay agent is required only if the client and server are on the same subnet.
E. The DHCPREQUEST message is always sent as a unicast directly to the DHCP server.
F. DHCP ensures that IP addresses are permanently assigned and never expire.

Why this answer

The DHCP client sends a DHCPDISCOVER message as a broadcast (destination IP 255.255.255.255) because it does not yet know the IP address of any DHCP server. The server uses the client's MAC address (from the CHADDR field) to uniquely identify the client and assign an IP address. DHCP options like default gateway and DNS server are carried in the DHCPOFFER and DHCPACK messages as part of the Options field, allowing the server to provide essential network configuration parameters.

Exam trap

Cisco often tests the misconception that DHCPREQUEST is always unicast, but in the initial DORA exchange, it is broadcast until the client receives an ACK and configures its IP; the trap here is confusing the renewal process with the initial lease acquisition.

320
PBQ · hard

You are troubleshooting a wireless client connectivity issue on the Cisco WLC at 192.168.1.100. The client reports it can see the SSID 'CorpNet' and successfully associates, but cannot obtain an IP address or reach network resources. The WLAN is already configured with WPA3 security, and the SSID should remain hidden. Identify and correct the configuration issue.

Hints

  • Check which interface the WLAN is mapped to.
  • The management interface is not meant for client data traffic.
  • Use the 'config wlan interface' command to change the binding.
A. The WLAN is mapped to the management interface. Use 'config wlan interface 1 CorpNet_VLAN' to assign the correct interface.
B. The SSID is not hidden. Use 'config wlan disable-broadcast-ssid 1 enable' to hide the SSID.
C. WPA3 is not enabled on the WLAN. Use 'config wlan security wpa akm 6 enable' to enable WPA3.
D. The WLAN is disabled. Use 'config wlan enable 1' to enable the WLAN.
Answer: A

Solution
! WLC
config wlan interface 1 CorpNet_VLAN

Why this answer

The WLAN is incorrectly mapped to the management interface, which places client traffic in the management VLAN instead of the correct CorpNet_VLAN. As a result, clients cannot obtain IP addresses or communicate beyond the WLC. Reassigning the WLAN to the CorpNet_VLAN interface with 'config wlan interface 1 CorpNet_VLAN' resolves the issue by placing client data in the proper VLAN.

Exam trap

Clients seeing the SSID indicates the WLAN is enabled and broadcasting; association can complete even on the wrong interface. The actual symptom is a lack of IP connectivity, not an association failure. Always check the WLAN-to-interface mapping when clients associate but cannot reach network services.

Why the other options are wrong

B

Hiding the SSID is already satisfied; changing broadcast settings would make the SSID visible, contradicting the requirement.

C

WPA3 is already enabled on the WLAN, so there is no need to configure security. The client associates successfully, proving security is not the issue.

D

The WLAN is enabled because the client can see the SSID and associates; enabling it again would not fix the VLAN mismatch.

321
PBQhard

You are connected to R1. Configure OSPFv2 on R1 and R2 so that they form a full adjacency and can exchange routes. Currently, the adjacency is stuck in EXSTART state. Identify and fix the issue, then verify the adjacency becomes FULL.

Network Topology
R1 G0/0 10.0.0.1/30 <-> R2 G0/0 10.0.0.2/30

Hints

  • Check the hello and dead intervals on both routers using 'show ip ospf interface'.
  • The adjacency is stuck in EXSTART, often caused by mismatched MTU or timer values.
  • On R1, the timers are set to 10 and 40; on R2 they are 5 and 20. They must match.
A.On R1, configure 'ip ospf hello-interval 5' and 'ip ospf dead-interval 20' under interface GigabitEthernet0/0.
B.On R1, configure 'ip ospf network point-to-point' under interface GigabitEthernet0/0.
C.On R2, configure 'ip ospf hello-interval 10' and 'ip ospf dead-interval 40' under interface GigabitEthernet0/0.
D.On R1, configure 'ip ospf dead-interval 40' under interface GigabitEthernet0/0.
AnswerA
solution
! R1
interface GigabitEthernet0/0
ip ospf hello-interval 5
ip ospf dead-interval 20

Why this answer

The adjacency is stuck in EXSTART because the OSPF hello and dead timers are mismatched between R1 and R2. R1 has hello-interval 10 and dead-interval 40, while R2 has hello-interval 5 and dead-interval 20. OSPF requires these timers to match for adjacency formation.

To fix this, adjust the timers on R1 to match R2 (or vice versa). On R1, configure 'ip ospf hello-interval 5' and 'ip ospf dead-interval 20' under interface GigabitEthernet0/0. After correction, the adjacency should progress to FULL.

Exam trap

Be careful to identify which router you are configuring. The question states you are connected to R1, so changes should be made on R1. Also, remember that OSPF requires both hello and dead intervals to match, not just one.

Why the other options are wrong

B

The specific factual error is that the adjacency is stuck due to timer mismatch, not network type mismatch.

C

The specific factual error is that the configuration should be applied to R1, not R2, as per the question context.

D

The specific factual error is that both hello and dead intervals must match; changing only one leaves a mismatch.

322
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure an LACP EtherChannel on two Cisco switches using active mode.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

First create the logical port-channel interface and configure its properties, then assign physical interfaces to it using channel-group with active mode to initiate LACP negotiation.

Exam trap

Cisco exams often test the correct order of EtherChannel configuration: always create the port-channel interface first. Also, distinguish between LACP modes (active/passive) and PAgP modes (desirable/auto).

323
Matchingmedium

Match each switching feature to its most accurate purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Speeds an edge port into forwarding state

Disables an edge port if a BPDU is received

Limits and controls MAC address use on a switch port

Helps block rogue DHCP behavior and build trusted bindings

Why these pairings

PortFast allows an edge port (connected to an end device) to bypass the listening and learning states and transition directly to forwarding, speeding up convergence. BPDU Guard disables a port if it receives a BPDU, protecting against accidental bridge connections on edge ports. Port security restricts which MAC addresses can communicate on a switch port, preventing unauthorized devices.

DHCP Snooping filters DHCP messages and builds a binding table of trusted clients, helping to block rogue DHCP servers and attacks.

Exam trap

Cisco exams often test the specific purpose of each switching feature; avoid confusing PortFast with BPDU Guard, or mixing up DHCP Snooping with Dynamic ARP Inspection.

324
Matchingeasy

Match each basic JSON element to its most accurate description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Group of key-value pairs

Ordered list of items

Field name

Content associated with a field

Why these pairings

The four terms are fundamental structural elements of JSON, not separate data types. JSON's six data types are object, array, string, number, boolean, and null. The pairings accurately describe each element: an Object is a group of key-value pairs, an Array is an ordered list of items, a Key is a field name (always a string), and a Value is the content associated with a field (any valid JSON type).

Exam trap

Watch out for common misconceptions: null is a separate type, not a boolean; objects use curly braces, not square brackets; and JSON numbers do not support scientific notation or leading zeros.

325
Multi-Selectmedium

Which two statements accurately compare SLAAC and DHCPv6?

Select 2 answers
A.SLAAC allows a host to form its own address using information from router advertisements.
B.DHCPv6 can be used to provide host configuration in a more server-driven way.
C.SLAAC requires NAT to function.
D.DHCPv6 replaces the need for router advertisements completely.
E.Neither SLAAC nor DHCPv6 can provide any addressing information to hosts.
AnswersA, B

This is correct because SLAAC relies on router advertisements and local address formation.

Why this answer

SLAAC and DHCPv6 are both IPv6 host-configuration approaches, but they are not the same. In practical terms, SLAAC lets a host build its own address using router advertisements and the advertised prefix, while DHCPv6 can be used to provide addressing information or other configuration in a more server-driven way. Depending on design, IPv6 networks can use one, the other, or a mixture of behaviors.

The key is not to oversimplify. SLAAC is not “IPv6 DHCP,” and DHCPv6 is not the only way IPv6 hosts learn how to operate. Router advertisements remain very important.

Exam trap

Do not assume DHCPv6 is the only way to configure IPv6 addresses or settings; SLAAC also plays a crucial role.

Why the other options are wrong

C

SLAAC does not require NAT because IPv6 has a vast address space, eliminating the need for address translation. NAT is a workaround for IPv4 address exhaustion and is not used in native IPv6 networks. SLAAC relies on router advertisements to provide prefix information, and hosts generate their own addresses without any translation.

D

DHCPv6 does not replace router advertisements; in fact, router advertisements are still required for hosts to determine the default gateway and other network parameters. Even when DHCPv6 is used, hosts rely on RAs to learn the on-link prefix and to decide whether to use stateful or stateless configuration.

E

Both SLAAC and DHCPv6 can provide addressing information to hosts. SLAAC allows hosts to form their own addresses from prefix information in RAs, while DHCPv6 can assign addresses and other configuration parameters. Therefore, the statement that neither can provide addressing information is false.

326
MCQmedium

Which wireless security method is considered strongest among these choices for modern enterprise WLAN deployments?

A.WEP
B.WPA
C.WPA2 with AES
D.Open authentication
AnswerC

Correct. WPA2 with AES is the strongest listed option.

Why this answer

WPA2 with AES provides substantially stronger security than WEP, legacy WPA, or open authentication. In current enterprise environments, WPA2 and WPA3 are the expected baseline approaches depending on platform support.

Exam trap

A frequent exam trap is selecting WPA instead of WPA2 with AES because WPA sounds like a newer or stronger protocol than WEP. However, WPA uses TKIP, which is less secure and considered legacy. Another trap is underestimating the insecurity of open authentication, which provides no encryption and leaves WLAN traffic exposed.

Candidates might also mistakenly think WEP is acceptable due to its historical use, but it is deprecated and easily cracked. The key mistake is not recognizing that WPA2 with AES is the current minimum security standard for enterprise wireless networks, making it the strongest choice among the options.

Why the other options are wrong

A

WEP is deprecated and insecure because it uses weak RC4 encryption with static keys, which attackers can easily crack, making it unsuitable for modern enterprise WLANs.

B

WPA improves on WEP by introducing TKIP but still uses weaker encryption than WPA2 with AES, so it is not the strongest choice for enterprise wireless security.

D

Open authentication provides no encryption or authentication, leaving wireless traffic exposed to interception and unauthorized access, so it is not a secure method.

327
PBQhard

You are connected to R1. The network currently permits all HTTP traffic from hosts on the 192.168.1.0/24 LAN to reach the web server at 203.0.113.10, but SSH traffic (TCP port 22) from the same LAN is being blocked. Additionally, you must ensure that no other traffic from the LAN reaches the server. Configure an extended ACL on R1 to allow only HTTP and SSH from the LAN to the server, and apply it inbound on the correct interface. Verify your solution.

Network Topology
LAN hosts <-> R1 G0/0 192.168.1.1/24; R1 G0/1 203.0.113.1/30 <-> WAN <-> Server

Hints

  • The current ACL is blocking SSH but allowing everything else; you need to reverse the logic.
  • Apply the new ACL inbound on the interface facing the LAN (GigabitEthernet0/0).
  • Remember that an implicit deny all exists at the end of every ACL; do not add a permit ip any any.
A.Remove the existing ACL from the interface, delete the ACL, create a new extended ACL that permits tcp from 192.168.1.0/24 to host 203.0.113.10 for ports 80 and 22, and apply it inbound on GigabitEthernet0/0.
B.Modify the existing ACL BLOCK_SSH by adding a permit statement for HTTP and changing the deny SSH to permit SSH, then reapply it inbound on GigabitEthernet0/0.
C.Create a new extended ACL that permits tcp from 192.168.1.0/24 to host 203.0.113.10 for ports 80 and 22, and apply it inbound on GigabitEthernet0/1 (the WAN interface).
D.Create a new extended ACL that permits tcp from 192.168.1.0/24 to host 203.0.113.10 for ports 80 and 22, and apply it outbound on GigabitEthernet0/0.
AnswerA
solution
! R1
interface GigabitEthernet0/0
no ip access-group BLOCK_SSH in
exit
no ip access-list extended BLOCK_SSH
ip access-list extended LAN_TO_SERVER
permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80
permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 22
exit
interface GigabitEthernet0/0
ip access-group LAN_TO_SERVER in
end

Why this answer

The existing ACL BLOCK_SSH is applied inbound on GigabitEthernet0/0 and explicitly denies SSH from the LAN to the server, but permits all other IP traffic (including HTTP). The requirement is to allow only HTTP and SSH, blocking everything else. The solution is to remove the current ACL from the interface, delete the ACL, create a new extended ACL that permits tcp from the LAN to the server for ports 80 (HTTP) and 22 (SSH), and implicitly deny all other traffic, then reapply it inbound on GigabitEthernet0/0.

Exam trap

The trap is that candidates may try to modify the existing ACL without realizing it contains a permit ip any any statement that would still allow all traffic. Also, they may apply the ACL on the wrong interface or in the wrong direction. Always check the existing ACL entries and apply ACLs inbound on the interface closest to the source.

Why the other options are wrong

B

The specific factual error is that the existing ACL contains a permit ip any any statement that would override any specific denies, allowing all traffic.

C

The specific factual error is that ACLs should be applied inbound on the interface where the traffic enters the router, not on the outbound interface towards the destination.

D

The specific factual error is that outbound ACLs filter traffic exiting the interface, but the traffic from LAN to server enters the router via GigabitEthernet0/0 and exits via another interface (e.g., WAN). An outbound ACL on GigabitEthernet0/0 would not affect traffic going to the server.
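To see why the old list still let everything else through and why the new one does not, here is an added example (not part of the question bank) that evaluates IOS-style extended ACEs top-down with the implicit deny at the end. The BLOCK_SSH entries are reconstructed from the question's description (deny SSH first, then permit ip any any; the page never prints the old list), and the sample flows and host 192.168.1.25 are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AddrSpec = Tuple[int, int]  # (address, wildcard) as 32-bit integers


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port; None when the protocol has none


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume one IOS address spec ('any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W')
    starting at tokens[i]; return the spec and the index of the next token."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def _addr_matches(spec: AddrSpec, ip: str) -> bool:
    # IOS wildcard semantics: a 0 bit must match, a 1 bit is ignored
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def parse_ace(line: str) -> dict:
    """Parse one extended ACE in the form used by the solution above."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action}")
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        dport = int(tokens[i + 1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def ace_matches(ace: dict, pkt: Packet) -> bool:
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not _addr_matches(ace["src"], pkt.src) or not _addr_matches(ace["dst"], pkt.dst):
        return False
    return ace["dport"] is None or ace["dport"] == pkt.dport


def evaluate(acl: List[str], pkt: Packet) -> str:
    """Top-down first-match evaluation. Falling off the end is the implicit
    'deny ip any any', which is what makes LAN_TO_SERVER block the rest."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


# Reconstructed from the question text: the old list denies SSH, then permits all.
BLOCK_SSH = [
    "deny tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 22",
    "permit ip any any",
]
# The replacement list from the solution (no permit ip any any).
LAN_TO_SERVER = [
    "permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80",
    "permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 22",
]

# Constructed sample flows: four from a LAN host, one from a non-LAN source.
SAMPLE_FLOWS: Dict[str, Packet] = {
    "ssh": Packet("192.168.1.25", "203.0.113.10", "tcp", 22),
    "http": Packet("192.168.1.25", "203.0.113.10", "tcp", 80),
    "https": Packet("192.168.1.25", "203.0.113.10", "tcp", 443),
    "ping": Packet("192.168.1.25", "203.0.113.10", "icmp", None),
    "other_source_http": Packet("10.9.9.9", "203.0.113.10", "tcp", 80),
}


def verdicts(acl: List[str]) -> Dict[str, str]:
    """Verdict per sample flow for the given ACL."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, acl in (("BLOCK_SSH", BLOCK_SSH), ("LAN_TO_SERVER", LAN_TO_SERVER)):
        print(name, verdicts(acl))
```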

328
MCQhard

A host is configured with 10.10.10.33/27. What is the broadcast address of its subnet?

A.10.10.10.31
B.10.10.10.63
C.10.10.10.32
D.10.10.10.64
AnswerB

This is correct because .33 is in the 32–63 subnet.

Why this answer

A /27 uses address blocks of 32. In practical terms, the ranges are 0–31, 32–63, 64–95, and so on. Because .33 falls inside the 32–63 block, the broadcast address is the last address in that block, which is 10.10.10.63.

This is a classic subnet-boundary question. The trick is to identify the correct block first and then choose its last address as the broadcast.

Exam trap

Don't confuse the network address or the next subnet's start with the broadcast address. Always calculate the correct range first.

Why the other options are wrong

A

10.10.10.31 is the broadcast address of the previous /27 subnet (10.10.10.0–10.10.10.31), not the subnet containing .33.

C

10.10.10.32 is the network address (subnet ID) of the subnet containing .33, not the broadcast address. The network address is the first address in the block.

D

10.10.10.64 is the network address of the next /27 subnet (10.10.10.64–10.10.10.95), not the broadcast address of the subnet containing .33.

329
PBQmedium

You are connected to R1 via console. R1 is connected to R2 via GigabitEthernet0/0 and to R3 via GigabitEthernet0/1. OSPF has been configured, but R1 is not forming a full adjacency with R2. You run `show ip ospf neighbor` on R1 and see R2 stuck in EXSTART state. You also run `show ip ospf interface GigabitEthernet0/0` and see the network type is broadcast. You need to identify and resolve the issue.

Network Topology
R1 G0/0 10.0.0.1/30 <-> R2 G0/0 10.0.0.2/30; R1 G0/1 10.0.1.1/30 <-> R3 G0/1 10.0.1.2/30

Hints

  • Check the OSPF neighbor state with show ip ospf neighbor.
  • The issue may be related to the OSPF network type.
  • R1 and R2 are connected via a point-to-point link.
A.Change the OSPF network type on R1's GigabitEthernet0/0 interface to point-to-point.
B.Increase the OSPF hello interval on R1's GigabitEthernet0/0 interface to match R2's hello interval.
C.Configure the OSPF priority on R1's GigabitEthernet0/0 interface to 0 to prevent it from becoming the DR.
D.Add the 'ip ospf network broadcast' command on R1's GigabitEthernet0/0 interface.
AnswerA
solution
! R1
interface GigabitEthernet0/0
ip ospf network point-to-point
end

Why this answer

R1's Gi0/0 defaults to OSPF broadcast network type, while R2 is likely configured as point-to-point. This mismatch prevents the routers from forming a full adjacency, often leaving them stuck in EXSTART or 2-WAY state. Changing R1's interface to point-to-point aligns the network types, allowing adjacency to form.

The other options are incorrect because hello interval mismatches (B) or DR priority (C) are not the root cause, and adding the broadcast command (D) would not fix a point-to-point mismatch.

Exam trap

Candidates often forget that Ethernet interfaces default to broadcast OSPF network type, even on point-to-point links. They may focus on mismatched timers or priorities, but the key is to recognize that the broadcast network type introduces DR/BDR election, which is not needed on a direct link.

Why the other options are wrong

B

The specific factual error: Changing hello intervals is not the standard fix for a point-to-point link not forming adjacency; the network type is the primary issue.

C

The specific factual error: Setting priority to 0 does not eliminate the DR/BDR election process; it only ensures the router does not participate as DR/BDR.

D

The specific factual error: The broadcast network type is already the default on Ethernet; the command is redundant and does not address the need for a point-to-point network type.

330
Matchingmedium

Drag and drop the wireless terms on the left to the correct descriptions on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Uses only the 5 GHz band and supports up to 160 MHz channel bonding

Introduces OFDMA and supports both 2.4 GHz and 5 GHz bands

Uses Simultaneous Authentication of Equals (SAE) for secure pre-shared key authentication

A single AP and its associated clients, identified by a BSSID

Centralized management device that handles AP configuration, roaming, and security policies

Why these pairings

802.11ac (Wi-Fi 5) operates only in the 5 GHz band and introduced support for 160 MHz-wide channels to achieve higher throughput. 802.11ax (Wi-Fi 6) adds OFDMA for more efficient channel use and works in both 2.4 GHz and 5 GHz bands. WPA3-Personal uses SAE (Simultaneous Authentication of Equals) to protect pre-shared key authentication against offline dictionary attacks. A Basic Service Set (BSS) consists of a single AP and its associated clients, identified by the AP's radio MAC address (BSSID).

A Wireless LAN Controller (WLC) centralizes management, handling AP configuration, client roaming, and security policies across the wireless network.

Exam trap

A common mistake is thinking 802.11ac also uses the 2.4 GHz band, but it is strictly 5 GHz-only; similarly, WPA3 does not use the traditional 4-way handshake like WPA2, but employs SAE to prevent brute-force attacks.

331
MCQhard

A host reaches websites by IP address but fails when using hostnames. Which service is the strongest suspect?

A.DNS
B.STP
C.PAT
D.Port security
AnswerA

This is correct because hostname resolution is the missing function in this scenario.

Why this answer

The strongest suspect is DNS. In plain language, the host can already reach the remote system when given the numeric address directly, which suggests the underlying IP connectivity works. The missing piece is the translation of hostnames into IP-related information, and that is exactly the role of DNS.

This is one of the most common real troubleshooting patterns because it cleanly separates connectivity problems from name-resolution problems. If IP works but names fail, DNS becomes the most likely area to investigate.

Exam trap

A frequent exam trap is selecting NAT or PAT as the cause of hostname resolution failure because these services involve IP address translation. However, NAT and PAT affect IP connectivity and address translation between private and public networks, not the translation of hostnames to IP addresses. Another trap is choosing STP, which is unrelated to IP services and only manages Layer 2 loop prevention.

Candidates might also confuse port security with DNS, but port security controls switch port access and does not resolve hostnames. The key mistake is overlooking that DNS is the sole service responsible for converting hostnames into IP addresses, which is why it is the strongest suspect when name-based access fails but IP-based access succeeds.

Why the other options are wrong

B

STP (Spanning Tree Protocol) is unrelated to hostname resolution. It prevents Layer 2 switching loops and does not affect IP connectivity or DNS services, so it cannot cause hostname resolution failures.

C

PAT (Port Address Translation) manages IP address translation for outbound traffic but does not handle hostname-to-IP translation. If PAT were failing, IP connectivity itself would be affected, not just hostname resolution.

D

Port security controls access to switch ports by limiting which MAC addresses can connect. It does not perform or affect hostname resolution or IP address translation, so it is not related to the problem.

332
MCQmedium

Exhibit: A switch port connected to an end host is stuck in a blocking state much longer than expected after a reboot. Which configuration change most directly speeds host access while still keeping loop protection elsewhere?

A.Enable PortFast on the access port
B.Disable STP globally
C.Change the trunk native VLAN
D.Set the port to half-duplex
AnswerA

PortFast is the standard fix for host-facing access ports.

Why this answer

PortFast should be enabled on access ports that connect to end devices. It lets the port move to forwarding quickly without waiting through normal STP listening and learning delays. Disabling STP globally removes all loop protection, which contradicts the requirement to keep loop protection elsewhere.

Changing the trunk native VLAN is irrelevant to an access port's STP state transition. Adjusting duplex has no effect on STP timers and would not speed up host access.

Exam trap

Avoid confusing STP parameters like hello time with features like PortFast that directly affect port state transitions.

Why the other options are wrong

B

Disabling STP globally removes all loop protection, which is not desired because loop protection elsewhere is still needed.

C

Changing the trunk native VLAN does not affect STP port state transitions and is irrelevant for an access port.

D

Setting the port to half-duplex has no impact on STP listening/learning timers and would not speed up host access.

333
PBQhard

You are connected to R1. Configure IPv4 and IPv6 addressing on interfaces G0/0 and G0/1 so that R1 can reach R2's loopback0 (198.51.100.1/32) and R2 can reach R1's loopback0 (203.0.113.1/32). The current configuration has a wrong subnet mask on R1 G0/0 and a missing default gateway on R2, causing reachability failures. Additionally, configure IPv6 using EUI-64 on R1 G0/1 and static IPv6 on R2 G0/1 to enable IPv6 ping between the two routers. All devices are routers.

Network Topology
R1 G0/0 10.0.0.1/30 <-> R2 G0/0 10.0.0.2/30; R1 G0/1 192.168.1.1/24; R2 G0/1 192.168.2.1/24

Hints

  • Check the subnet mask on R1 G0/0: it does not match R2's /30.
  • R2 has no route to reach R1's loopback or the 192.168.1.0/24 network; it needs a default gateway.
  • R2's IPv6 address is on a different subnet (2001:db8:2::/64) than R1's (2001:db8:1::/64); they must be on the same subnet.
A.On R1 G0/0, change subnet mask to 255.255.255.252; on R2, add ip route 0.0.0.0 0.0.0.0 10.0.0.1; for IPv6, on R2 G0/1 change address to 2001:db8:1::2/64.
B.On R1 G0/0, change subnet mask to 255.255.255.0; on R2, add ip route 0.0.0.0 0.0.0.0 10.0.0.1; for IPv6, on R2 G0/1 change address to 2001:db8:1::2/64.
C.On R1 G0/0, change subnet mask to 255.255.255.252; on R2, add ip route 0.0.0.0 0.0.0.0 10.0.0.2; for IPv6, on R2 G0/1 change address to 2001:db8:2::2/64.
D.On R1 G0/0, change subnet mask to 255.255.255.252; on R2, add ip route 0.0.0.0 0.0.0.0 10.0.0.1; for IPv6, on R2 G0/1 change address to 2001:db8:1::2/64 and on R1 G0/1 use static IPv6 instead of EUI-64.
AnswerA
solution
! R1
interface GigabitEthernet0/0
ip address 10.0.0.1 255.255.255.252
exit
interface GigabitEthernet0/1
ipv6 address 2001:db8:1::/64 eui-64
exit

! R2
interface GigabitEthernet0/1
ip address 192.168.1.2 255.255.255.0
ipv6 address 2001:db8:1::2/64
exit
ip route 0.0.0.0 0.0.0.0 10.0.0.1

Why this answer

The primary IPv4 issues are a subnet mask mismatch on the point-to-point link and a missing default gateway on R2. On R1 G0/0, the mask is /24 instead of /30; while both routers can reach each other directly, the mismatched subnet mask causes routing inconsistencies because R1 advertises the link as a /24, potentially affecting routing decisions. Fixing the mask to /30 ensures both routers agree on the subnet.

R2 lacks a route to R1's loopback and the 192.168.1.0/24 network, so a default route via 10.0.0.1 resolves reachability. For IPv6, R1 G0/1 uses EUI-64, and R2 G0/1 must be on the same subnet (2001:db8:1::/64); R2's address was incorrectly set to 2001:db8:2::2/64, so changing it to 2001:db8:1::2/64 enables IPv6 ping.

Exam trap

Watch for subnet mask mismatches on point-to-point links; both ends must use the same mask. Also, ensure default routes point to the correct next-hop IP (the neighbor's interface IP). For IPv6, both interfaces must be on the same subnet to communicate directly.

Why the other options are wrong

B

The subnet mask on R1 G0/0 should be /30 to match R2, not /24.

C

The default gateway must be the neighbor's IP address, and IPv6 subnets must match for direct communication.

D

The requirement states EUI-64 on R1 G0/1, so static is not allowed.

334
Matchingeasy

Match each network service to its primary function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Resolves hostnames to IP addresses

Assigns IP configuration to clients

Synchronizes device time

Collects and stores log messages

Why these pairings

Each network service has a distinct primary function: DNS translates names to IPs, DHCP automates IP assignment, NTP synchronizes time, SNMP manages devices, FTP transfers files, and HTTP serves web content.

Exam trap

A common trap is confusing DNS with DHCP because both involve IP addresses. Remember: DNS resolves names to IPs, while DHCP assigns IPs. Also, avoid mixing up DNS with other services like NTP or SNMP.

335
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure OSPFv3 for IPv6 on a Cisco router and verify basic neighbor relationships.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
6Step 6

Why this order

IPv6 unicast routing must be enabled first, as OSPFv3 relies on the router being IPv6 aware. Next, the OSPFv3 process is created globally. The interface must then be IPv6-enabled to auto-generate the link-local address used by OSPFv3 for forming adjacencies.

After that, the interface is added to OSPFv3 Area 0. Finally, the 'show ospfv3 neighbor' command is used to verify that an adjacency has formed.

336
MCQmedium

An engineer configures NAT overload on a router for inside users. Which resource is primarily used to let many internal hosts share one public IPv4 address?

A.IPv6 extension headers
B.TCP and UDP port numbers
C.Different source MAC addresses on the WAN
D.Separate routing tables per client
AnswerB

Correct choice.

Why this answer

PAT distinguishes sessions by using Layer 4 port numbers. That is what allows many inside devices to use the same outside IP address at the same time without conflicting with each other.

Exam trap

Don't confuse static or dynamic NAT with PAT; only PAT allows multiple hosts to share a single IP using port numbers.

Why the other options are wrong

A

IPv6 extension headers are used for additional functionality in IPv6 packets, such as fragmentation or security, and are not involved in NAT overload (PAT) which operates at Layer 4 using port numbers.

C

Source MAC addresses are used for Layer 2 forwarding within a local network and are not preserved across a router's WAN interface; NAT operates at Layer 3 and above, not using MAC addresses for translation.

D

Routers do not maintain separate routing tables per client; routing tables are based on destination networks, not individual hosts. NAT overload uses a single routing table and relies on port numbers for translation.
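As an added illustration (not from the question bank) of how port numbers are the shared resource in PAT, the model below maps each inside (address, port) pair to the one public address plus a port that is unique on it, and uses that port to find the inside host again when the reply returns. The public address 203.0.113.1, the inside hosts and the keep-the-port-if-free allocation rule are assumptions of this model, not a description of any specific router's implementation.

```python
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IPv4 address, TCP/UDP source or destination port)


class PatTable:
    """Constructed model of NAT overload (PAT): many inside endpoints share one
    public IPv4 address and are told apart only by the translated port.
    Simplified: one transport protocol, no entry timeouts."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.first_port = first_port
        self.last_port = last_port
        self.inside_to_global: Dict[Endpoint, Endpoint] = {}
        self.global_to_inside: Dict[Endpoint, Endpoint] = {}

    def _free_port(self, wanted: int) -> int:
        # Assumption of this model: keep the inside host's own source port when
        # no other session already owns it on the public address, otherwise take
        # the lowest free port in the pool. The pool is finite, so it can run out.
        if (self.public_ip, wanted) not in self.global_to_inside:
            return wanted
        for port in range(self.first_port, self.last_port + 1):
            if (self.public_ip, port) not in self.global_to_inside:
                return port
        raise RuntimeError("PAT port pool exhausted")

    def translate_outbound(self, inside: Endpoint) -> Endpoint:
        """A packet leaving the inside network: return the rewritten source."""
        if inside in self.inside_to_global:
            return self.inside_to_global[inside]
        global_ep = (self.public_ip, self._free_port(inside[1]))
        self.inside_to_global[inside] = global_ep
        self.global_to_inside[global_ep] = inside
        return global_ep

    def translate_inbound(self, global_ep: Endpoint) -> Optional[Endpoint]:
        """Return traffic from the WAN: the destination port selects the inside
        host. A port with no binding has nowhere to go and is dropped (None)."""
        return self.global_to_inside.get(global_ep)


if __name__ == "__main__":
    pat = PatTable("203.0.113.1")
    # Two inside hosts happen to pick the same source port 5000 (constructed).
    print(pat.translate_outbound(("10.1.1.10", 5000)))
    print(pat.translate_outbound(("10.1.1.11", 5000)))
    print(pat.translate_inbound(("203.0.113.1", 1024)))
```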

337
MCQhard

A trunk link between two switches is operational, but one side shows a native VLAN mismatch warning. What is the main concern with that condition?

A.Untagged traffic may be associated with different VLANs on each end of the trunk
B.All tagged VLAN traffic is automatically converted to routed traffic
C.The mismatch forces OSPF adjacency reset on all routers
D.The trunk can carry only one VLAN until the mismatch is cleared
AnswerA

This is correct because that is the direct risk of a native VLAN mismatch.

Why this answer

A native VLAN mismatch can cause untagged traffic to be interpreted as belonging to different VLANs on each end of the trunk. In plain language, the two switches disagree about where untagged frames belong. That can lead to confusing traffic behavior, reachability problems for certain flows, and operational warnings. It is not always a total outage, but it is a design inconsistency that should be corrected.

This matters because trunks carry multiple VLANs, and the native VLAN defines how untagged traffic is handled. If both ends do not agree, the logical treatment of those frames becomes inconsistent. The correct answer is the one that focuses on misclassification of untagged traffic, not on unrelated routing behavior.

Exam trap

Be careful not to confuse native VLAN mismatches with general trunk failures or issues affecting tagged traffic.

Why the other options are wrong

B

A native VLAN mismatch does not convert tagged traffic into routed traffic. Tagged frames continue to be switched based on their VLAN tags, and the trunk remains a Layer 2 link. The mismatch only affects untagged frames on the native VLAN.

C

A native VLAN mismatch is a Layer 2 trunking issue and does not directly affect OSPF or any routing protocol. OSPF adjacency is a Layer 3 process and would only be impacted if the mismatch caused connectivity loss for the router interfaces, but the mismatch itself does not force OSPF adjacency resets.

D

A native VLAN mismatch does not prevent the trunk from carrying other tagged VLANs. Tagged frames for other VLANs are still forwarded correctly because they are not affected by the native VLAN configuration. The trunk can carry multiple VLANs, but the native VLAN traffic is misdirected.

338
MCQmedium

A router is configured with an access list intended to block Telnet from 192.168.10.0/24 to 10.1.1.10, but Telnet still works. What is the most likely reason?

A.The ACL must use wildcard mask 255.255.255.0 instead of 0.0.0.255
B.The ACL is applied in the wrong place or direction
C.Standard ACLs should always be used for Telnet filtering
D.The router must run PAT before ACLs can filter Telnet
AnswerB

The configuration logic points to an attachment problem rather than a syntax problem.

Why this answer

Option B is correct because the most common reason an ACL fails to block traffic is incorrect application—either it is applied to the wrong interface or in the wrong direction. For Telnet traffic from 192.168.10.0/24 to 10.1.1.10, the ACL must be applied inbound on the interface closest to the source or outbound on the interface closest to the destination. Option A is incorrect because the wildcard mask 0.0.0.255 is correct for matching the 192.168.10.0/24 network; 255.255.255.0 is a subnet mask, not a wildcard mask.

Option C is false—standard ACLs can only filter by source IP and cannot match the destination port (Telnet), so an extended ACL is actually required. Option D is unrelated; PAT (Port Address Translation) has no bearing on whether an ACL can filter Telnet traffic.

Exam trap

Cisco often tests the concept that an ACL's effectiveness depends on its placement and direction, not just its content, and the trap here is that candidates focus on the wildcard mask or ACL type while overlooking the fundamental requirement of correct application.

Why the other options are wrong

A

The wildcard mask 255.255.255.0 would match only the exact host 192.168.10.0, not the entire /24 subnet. Cisco ACLs use wildcard masks where 0 means match and 1 means ignore; for a /24, the correct mask is 0.0.0.255.

C

Standard ACLs can only filter based on source IP address and cannot match specific protocols like Telnet (TCP port 23) or destination addresses. Extended ACLs are required to filter Telnet traffic from a specific source to a specific destination.

D

PAT (Port Address Translation) is unrelated to ACL filtering. ACLs operate independently of NAT/PAT; they filter traffic based on Layer 3 and Layer 4 information regardless of whether translation is configured.
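As an added example (not part of the question bank), the following Python models the extended ACE the question describes and the two failure modes the options discuss: what a subnet mask really does when it is used as a wildcard, and how binding the ACL to the wrong interface or direction means the Telnet flow never meets it. The interface names and the 192.168.10.25 host are assumed.

```python
"""Cisco-style wildcard matching and ACL placement (added example, not from the question bank).
Models 'deny tcp 192.168.10.0 0.0.0.255 host 10.1.1.10 eq 23' plus the two ways it fails:
a wrong wildcard, or binding the ACL where the Telnet flow never meets it."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' = every bit ignored
HOST_WC = "0.0.0.0"                      # 'host x' = every bit must match


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def prefix_to_wildcard(prefix_len: int) -> str:
    """Wildcard = bitwise inverse of the subnet mask: 0 = must match, 1 = don't care."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """True when every 'must match' bit of address equals the same bit of base."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(base) & care)


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches any protocol; otherwise "tcp"/"udp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None   # None = any destination port

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return (
            self.protocol in ("ip", proto)
            and wildcard_match(src, self.src, self.src_wc)
            and wildcard_match(dst, self.dst, self.dst_wc)
            and (self.dst_port is None or self.dst_port == dport)
        )


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching ACE wins; every ACL ends with an implicit 'deny any'."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"


def acl_consulted(binding: Tuple[str, str], ingress: str, egress: str) -> bool:
    """An ACL is evaluated only if bound inbound on the interface the packet enters
    or outbound on the interface it leaves; anywhere else the flow never meets it."""
    iface, direction = binding
    return (direction == "in" and iface == ingress) or (direction == "out" and iface == egress)


def router_decision(acl, binding, ingress, egress, proto, src, dst, dport) -> str:
    """Forwarding verdict for one packet given where the ACL is bound."""
    if not acl_consulted(binding, ingress, egress):
        return "permit"
    return evaluate(acl, proto, src, dst, dport)


# Intended ACL: block Telnet from 192.168.10.0/24 to host 10.1.1.10, allow everything else.
BLOCK_TELNET = [
    Ace("deny", "tcp", "192.168.10.0", "0.0.0.255", "10.1.1.10", HOST_WC, 23),
    Ace("permit", "ip", *ANY, *ANY),
]

# Option A's mistake: a subnet mask used as a wildcard ignores the first three octets
# and requires the last octet to be 0, so it matches only addresses ending in .0.
WRONG_MASK = [
    Ace("deny", "tcp", "192.168.10.0", "255.255.255.0", "10.1.1.10", HOST_WC, 23),
    Ace("permit", "ip", *ANY, *ANY),
]

# Constructed topology (assumed): the LAN hangs off G0/0, the server is reached via G0/1.
LAN_IF, SERVER_IF = "GigabitEthernet0/0", "GigabitEthernet0/1"
```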

339
MCQ · hard

A network administrator is troubleshooting a connectivity issue on a subnet where two routers, R1 and R2, are configured with HSRP to provide a virtual gateway. Hosts on the subnet can ping the virtual IP address but cannot reach destinations outside the subnet. The administrator discovers that R1 is the active HSRP router. What is the most likely root cause of the problem?

A.Configure a default route on R1 pointing to the next-hop router.
B.Enable preemption on both routers to ensure the higher-priority router stays active.
C.Change the virtual MAC address on R2 to match the one on R1.
D.Increase the hello timer on R1 to match the hold timer on R2.
Answer: A

This is correct because R1 is the Active HSRP router and is responsible for forwarding traffic from hosts to external networks. Without a default route, R1 drops packets destined outside the subnet.

Why this answer

Hosts can ping the virtual IP address, so HSRP is functioning locally. The failure to reach external destinations indicates a routing problem, not an HSRP issue. The active router, R1, must have a default route pointing to the next-hop router to forward traffic beyond the subnet.

Incorrect options address HSRP settings (preemption, MAC address, timers) that are irrelevant because the virtual gateway is already reachable.

Exam trap

Cisco often tests the misconception that HSRP configuration alone provides full connectivity, when in fact the routers still need proper routing (e.g., a default route) to forward traffic beyond the subnet.

Why the other options are wrong

B

Preemption is not needed because the current Active router already has the higher priority (110 vs 100). Preemption only becomes relevant when a higher-priority router recovers after a failure and needs to reclaim the Active role. The issue here is routing, not HSRP state stability.

C

The virtual MAC address is automatically derived from the HSRP group number and is the same for both routers when they are in the same group. R2's local virtual MAC is different because it is used only when R2 becomes Active. The mismatch in the output is normal and does not affect connectivity.

D

The hello and hold timers are consistent (3 sec hello, 10 sec hold) and are not causing any issues. Adjusting timers would not fix the routing problem. The root cause is the lack of a default route on the Active router.

340
Multi-Select · medium

Which four of the following are characteristics of Dynamic Trunking Protocol (DTP) and VLAN Trunking Protocol (VTP) used in Cisco switching? (Choose four.)

Select 4 answers
A.DTP is a Cisco proprietary protocol used to negotiate trunking between two switches.
B.VTP allows synchronization of VLAN information across switches in the same VTP domain.
C.A switch configured with 'switchport mode dynamic desirable' actively attempts to form a trunk using DTP.
D.VTP pruning helps reduce unnecessary broadcast traffic by limiting flooded traffic to only switches that need the VLAN.
E.VTP transparent mode stores and forwards VTP advertisements but also modifies the VLAN database based on received updates.
F.DTP can form a trunk regardless of whether both ends are configured with 'switchport nonegotiate'.

Why this answer

The four correct statements are: (1) DTP is a Cisco proprietary protocol for negotiating trunk links; (2) VTP synchronizes VLAN information across switches in the same VTP domain; (3) 'switchport mode dynamic desirable' actively sends DTP frames to form a trunk; (4) VTP pruning reduces unnecessary broadcast traffic by limiting flooded traffic to only switches that need the VLAN. The two incorrect statements: VTP transparent mode forwards VTP advertisements but does **not** modify its VLAN database based on received updates—it only passes them through. DTP **cannot** form a trunk when both ends are configured with 'switchport nonegotiate' because that command disables DTP frame transmission entirely, preventing trunk negotiation.

Exam trap

Cisco often tests the distinction between DTP modes (dynamic desirable vs. dynamic auto) and the fact that VTP can cause catastrophic VLAN propagation errors if revision numbers are not reset before adding a switch to a production network.

341
MCQ · medium

A network engineer is configuring HSRP on a pair of Cisco routers to provide first-hop redundancy for a subnet. The goal is to ensure that the router with the highest IPv4 address always becomes the active router, and that it automatically reclaims the active role after a failure. The engineer configures priority 100 on both routers. Which additional configuration is required to meet these objectives?

A.Configure priority 150 on one router and priority 50 on the other.
B.Configure the preempt command on both routers.
C.Configure the standby 1 priority 100 command on both routers.
D.Configure the standby 1 priority 100 on one router and standby 1 priority 50 on the other.
Answer: B

With equal priority, HSRP elects the active router based on the highest IP address. The preempt command ensures that if a router with a higher IP address (and equal priority) recovers after a failure, it will preempt the current active router and reclaim the active role, as required.

Why this answer

Option B is correct because HSRP uses priority to determine the active router, but without the preempt command, a router with a higher priority will not take over the active role if it comes online after a failure. Since both routers have the same priority (100), the router with the highest IPv4 address will become active initially, but to ensure it automatically reclaims the active role after a failure, preempt must be enabled on both routers. This allows the router with the higher IP address (and equal priority) to preempt the current active router when it recovers.

Exam trap

Cisco often tests the misconception that priority alone determines active router selection and that preempt is only needed when priorities differ, but the trap here is that without preempt, even with equal priorities, the router with the higher IP address will not reclaim the active role after a failure.

Why the other options are wrong

A

Configuring different priorities (150 and 50) would force the router with priority 150 to become active regardless of IP address, contradicting the requirement to use the highest IPv4 address for election. HSRP uses priority as the primary criterion; only when priorities are equal does the highest IP address break the tie.

C

The command 'standby 1 priority 100' is already implied by setting priority 100; it does not enable preemption. With equal priority and no preempt, both routers will remain in standby state indefinitely because HSRP cannot determine an active router without a tiebreaker or preemption. The active router election requires either a priority difference or preempt to resolve the tie.

D

Configuring different priorities (100 and 50) would make the router with priority 100 active regardless of IP address, which violates the requirement to use the highest IPv4 address for election. The requirement explicitly states that priorities must remain equal so that the highest IP address determines the active router.
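As an added example (not part of the question bank), this Python replays the election the question describes: equal priorities, the highest interface address wins, and only preempt lets that router reclaim the active role after it recovers. Router names, addresses, and the fail/recover sequence are constructed; HSRP timers are not modelled.

```python
"""HSRP active-router selection: priority first, then highest interface IPv4 address,
with preempt deciding whether a recovered router reclaims the active role.
Added example, not from the question bank; router names and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class HsrpRouter:
    name: str
    ip: str                # interface address in the HSRP group
    priority: int = 100    # IOS default
    preempt: bool = False  # IOS default: no preemption
    up: bool = True


def election_key(r: HsrpRouter) -> Tuple[int, int]:
    """Higher wins: priority is compared first; the interface IP only breaks a tie."""
    return (r.priority, int(ipaddress.IPv4Address(r.ip)))


class HsrpGroup:
    def __init__(self, routers: List[HsrpRouter]):
        self.routers = routers
        self.active: Optional[HsrpRouter] = self._elect()

    def _elect(self) -> Optional[HsrpRouter]:
        live = [r for r in self.routers if r.up]
        return max(live, key=election_key) if live else None

    def _get(self, name: str) -> HsrpRouter:
        return next(r for r in self.routers if r.name == name)

    def fail(self, name: str) -> None:
        """When the active router dies the standby takes over (hold-timer expiry not modelled)."""
        router = self._get(name)
        router.up = False
        if self.active is router:
            self.active = self._elect()

    def recover(self, name: str) -> None:
        """Without preempt a returning router stays standby even if it would win the election;
        with preempt it reclaims the active role when its key beats the current active router."""
        router = self._get(name)
        router.up = True
        if self.active is None:
            self.active = router
        elif router.preempt and election_key(router) > election_key(self.active):
            self.active = router


def run_scenario(routers: List[HsrpRouter], events: List[Tuple[str, str]]) -> List[Optional[str]]:
    """Replay ('fail'|'recover', router) events; return the active router after each step."""
    group = HsrpGroup(routers)
    history = [group.active.name if group.active else None]
    for action, name in events:
        if action == "fail":
            group.fail(name)
        elif action == "recover":
            group.recover(name)
        else:
            raise ValueError(f"unknown event {action!r}")
        history.append(group.active.name if group.active else None)
    return history


def question_341(preempt: bool) -> List[Optional[str]]:
    """Both routers at priority 100; R2 has the higher address, fails, then comes back."""
    routers = [
        HsrpRouter("R1", "10.1.1.2", priority=100, preempt=preempt),
        HsrpRouter("R2", "10.1.1.3", priority=100, preempt=preempt),
    ]
    return run_scenario(routers, [("fail", "R2"), ("recover", "R2")])


def option_a() -> List[Optional[str]]:
    """Option A: unequal priorities make R1 active even though R2 has the higher address."""
    routers = [HsrpRouter("R1", "10.1.1.2", priority=150), HsrpRouter("R2", "10.1.1.3", priority=50)]
    return run_scenario(routers, [])
```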

342
MCQ · hard

A host sends a packet larger than the outgoing interface MTU, and the IPv4 header has the Don't Fragment bit set. What will a router do with the packet?

A.Fragment it anyway and forward the pieces
B.Drop it and typically return an ICMP message indicating fragmentation is needed
C.Translate it to IPv6 and forward it
D.Broadcast it so another router can handle fragmentation
Answer: B

Correct. When a packet is too large for the outgoing MTU and fragmentation is not allowed, the router drops the packet and usually informs the sender that fragmentation would be required.

Why this answer

The router drops the packet because the packet is too large for the next link and the sender has explicitly said the packet must not be fragmented. In IPv4, the Don't Fragment bit tells routers not to break the packet into smaller pieces. If the outgoing interface MTU is smaller than the packet size, the router cannot legally forward it as-is and cannot fragment it, so the normal result is to drop the packet and usually send back an ICMP unreachable message indicating that fragmentation is needed.

In plain terms, the router is telling the sender, 'This packet is too big for the path you chose, and you told me I am not allowed to split it.' This behavior is central to path MTU discovery.

Exam trap

A common exam trap is to assume that routers will fragment any oversized IPv4 packet regardless of the Don't Fragment bit. Candidates might select the option that routers fragment the packet anyway, ignoring the DF bit. This is incorrect because the DF bit explicitly prevents fragmentation.

Another tempting mistake is to think that routers might broadcast the packet to other routers or convert it to IPv6 to solve the problem, which does not happen. Understanding that the router must drop the packet and send an ICMP message is critical to avoid this trap.

Why the other options are wrong

A

Fragmenting the packet despite the DF bit being set violates the sender's explicit instruction to avoid fragmentation. Routers must respect the DF bit and cannot fragment in this case.

C

Routers do not convert IPv4 packets to IPv6 to handle MTU or fragmentation issues. These are different protocols, and such conversion is not a standard router behavior.

D

Routers do not broadcast oversized packets to other routers for fragmentation. The forwarding decision and fragmentation handling are local to the router, so the packet is dropped if it cannot be forwarded.

343
Matching · easy

Match each DHCPv4 message in the DORA process to its role.

Client looks for DHCP servers

Server proposes an address and lease details

Client asks to use the offered address

Server confirms the lease

Why these pairings

The DORA process includes Discover (client broadcast), Offer (server response), Request (client accepts), and Ack (server confirms). Additional messages like NAK and Decline handle errors.

Exam trap

Do not confuse the order or roles of DHCP messages. Remember that the client initiates with Discover, then the server Offers, the client Requests, and the server Acknowledges. The mnemonic DORA helps: Discover, Offer, Request, Ack.

344
Multi-Select · medium

Exhibit: R1 learns 192.168.50.0/24 from multiple sources. Which two statements are correct about the route that will be installed in the routing table?

Select 2 answers
A.The static route is preferred because its administrative distance is lowest
B.The OSPF route is preferred because cost 20 is lower than RIP metric 2
C.The eBGP route would win over the static route because BGP is more dynamic
D.If the static route were removed, the eBGP route would beat OSPF and RIP
E.RIP would be chosen before OSPF because hop count is simpler
Answers: A, D

Administrative distance is compared before metric across different routing sources.

Why this answer

The router chooses the route with the lowest administrative distance first. If administrative distance ties, it then compares the metric within that routing source. In this case the static route wins because AD 1 beats eBGP 20, OSPF 110, and RIP 120.

Exam trap

A common exam trap is assuming that the routing protocol with the lowest metric always wins, regardless of administrative distance. For example, candidates might incorrectly believe that OSPF with a cost of 20 beats eBGP with an AD of 20 or that RIP’s hop count of 2 beats OSPF’s cost of 20. This mistake arises from confusing metrics with administrative distance.

Metrics are only compared within the same routing protocol, while administrative distance is the primary factor when routes come from different sources. Ignoring this can lead to selecting incorrect answers about route preference.

Why the other options are wrong

B

This option is incorrect because metrics such as OSPF cost and RIP hop count are not compared across different routing protocols. Administrative distance is the primary factor in route selection between protocols.

C

This option is incorrect because the dynamic nature of BGP does not override the administrative distance rule. Static routes with AD 1 are always preferred over eBGP routes with AD 20.

E

This option is incorrect because simplicity of metric calculation (hop count) does not influence route preference. Administrative distance is the deciding factor, and RIP’s higher AD (120) makes it less preferred than OSPF (110).

345
PBQ · hard

You are connected to R1. Configure router-on-a-stick inter-VLAN routing so that hosts in VLAN 10 and VLAN 20 can communicate through R1. The switch (not shown) is already configured with the correct VLANs and trunk. Troubleshoot and fix any issues in the current R1 configuration.

Network Topology
R1 (G0/0) connects to the switch over an 802.1Q trunk.

Hints

  • Check if the main physical interface is administratively down.
  • The subinterfaces require the parent interface to be up.
  • Verify that ip routing is enabled (it is already).
A.Enable IP routing globally and bring up the main interface GigabitEthernet0/0 with 'no shutdown'.
B.Change the encapsulation on the subinterfaces to 'encapsulation dot1Q 10 native' and 'encapsulation dot1Q 20 native'.
C.Remove the subinterfaces and configure IP addresses directly on GigabitEthernet0/0.
D.Add 'ip routing' on each subinterface individually.
Answer: A
Solution
! R1
configure terminal
interface GigabitEthernet0/0
no shutdown
end

Why this answer

The R1 configuration has two subinterfaces (G0/0.10 and G0/0.20) with correct VLAN encapsulation and IP addresses, but inter-VLAN routing fails because the parent interface G0/0 is administratively down (it lacks 'no shutdown'), and 'ip routing' must also be present globally. Enable IP routing globally with 'ip routing' and bring GigabitEthernet0/0 up with 'no shutdown'. The subinterfaces will then route between VLANs.

Exam trap

Do not assume that configuring subinterfaces with encapsulation and IP addresses is sufficient. Always verify that 'ip routing' is enabled globally and that the main physical interface is not shut down. These are common oversights that cause inter-VLAN routing to fail.

Why the other options are wrong

B

The 'native' keyword should only be applied to the subinterface that matches the native VLAN (usually VLAN 1 by default), not to all subinterfaces.

C

Router-on-a-stick requires subinterfaces with VLAN encapsulation to handle multiple VLANs over a single trunk link. Assigning an IP to the physical interface only works for a single VLAN (usually the native VLAN).

D

'ip routing' is a global configuration command that enables Layer 3 forwarding on the entire router. It is not available under interface configuration mode.

346
Multi-Select · medium

Which three options accurately describe characteristics of OSPFv2 in a single area? (Choose three.)

Select 3 answers
A.OSPF uses cost as its metric, which is derived from the bandwidth of the interface.
B.Hello packets are used to discover neighbors and maintain adjacencies.
C.The designated router (DR) is elected on broadcast multiaccess networks to reduce LSAs flooding.
D.OSPFv2 supports IPv6 routing natively without any additional configuration.
E.Link-state advertisements (LSAs) are sent periodically every 30 seconds by default.
F.OSPF routers in the same area must be configured with the same router ID.

Why this answer

OSPFv2 uses cost as its metric, derived from interface bandwidth using the formula cost = reference bandwidth / interface bandwidth (default reference bandwidth is 100 Mbps). Hello packets are used to discover neighbors, maintain adjacencies, and act as keepalives (default every 10 seconds on broadcast networks). The designated router (DR) is elected only on broadcast multiaccess networks (e.g., Ethernet) to reduce LSA flooding.

The incorrect options: OSPFv2 does not natively support IPv6 (OSPFv3 is needed for IPv6); LSAs are refreshed every 30 minutes, not 30 seconds; router IDs must be unique across the OSPF domain, not the same in an area.

Exam trap

Common mistakes include thinking OSPF uses hop count or bandwidth alone as metric, that the DR is elected on all network types, or that Hello packets are only for initial discovery rather than ongoing adjacency maintenance.

Why the other options are wrong

D

OSPFv2 does not natively support IPv6; OSPFv3 is required for IPv6 routing.

E

Link-state advertisements (LSAs) are refreshed every 30 minutes by default, not every 30 seconds.

F

OSPF router IDs must be unique throughout the OSPF domain; routers in the same area can have different router IDs.

347
MCQ · hard

A switch displays the following output:

Switch# show interfaces trunk
Port        Mode   Encapsulation  Status    Native vlan
Gi1/0/24    on     802.1q         trunking  99

Port        Vlans allowed on trunk
Gi1/0/24    10,20,30

Port        Vlans active in management domain
Gi1/0/24    10,20,30,40

Users in VLAN 40 cannot reach resources across this trunk. What is the most likely reason?

A.VLAN 40 is active, so spanning tree must be blocking it
B.VLAN 40 is not in the native VLAN, so it cannot cross the trunk
C.VLAN 40 is not permitted on the trunk
D.802.1Q trunks can carry only three VLANs at a time
Answer: C

Correct. The allowed VLAN list controls which VLANs are transported across the trunk. Because VLAN 40 is absent from that list, users in VLAN 40 cannot use that trunk to reach resources on the far side.

Why this answer

The trunk is not carrying VLAN 40 because VLAN 40 is missing from the allowed VLAN list (only 10, 20, 30 are allowed). Option A is incorrect because spanning tree does not block VLANs by default without evidence of a loop; the output shows no STP blocking. Option B is incorrect because native VLAN only affects tagging, not whether a VLAN can traverse a trunk; all VLANs can cross a trunk if permitted.

Option D is incorrect because 802.1Q can carry up to 4094 VLANs, not just three. The key distinction is that a VLAN may be active on the switch but still fail to cross a specific trunk if it is not in the allowed list.

Exam trap

Ensure you differentiate between VLANs configured on the switch and those allowed on the trunk. Just because a VLAN is active doesn't mean it's allowed on a trunk.

Why the other options are wrong

A

Spanning Tree Protocol (STP) can block a VLAN if there is a loop, but the output shows VLAN 40 is active in the management domain and not listed as blocked. The explicit absence of VLAN 40 from the allowed VLAN list is the direct cause, not STP.

B

The native VLAN is only for untagged traffic on an 802.1Q trunk. All other VLANs are tagged and can cross the trunk regardless of the native VLAN. VLAN 40 is not the native VLAN, but that does not prevent it from being carried if permitted.

D

802.1Q has no limit of three VLANs per trunk; it can support up to 4094 VLANs. The output shows only three VLANs allowed because of configuration, not a protocol limitation.
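As an added example (not part of the question bank), this Python parses the 'show interfaces trunk' output from the question and reports VLANs that are active on the switch but missing from a trunk's allowed list; it also expands IOS range syntax such as '1-5,10', which the exhibit does not use. SHOW_TRUNK is a reconstruction of the exhibit, and only the three sections the exhibit shows are parsed.

```python
"""Check a trunk's allowed-VLAN list against the VLANs active on the switch.
Added example, not from the question bank; SHOW_TRUNK is reconstructed from the
question's exhibit (only the three sections the exhibit shows are parsed)."""
from typing import Dict, Optional, Set

SHOW_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi1/0/24    on           802.1q         trunking      99

Port        Vlans allowed on trunk
Gi1/0/24    10,20,30

Port        Vlans active in management domain
Gi1/0/24    10,20,30,40
"""


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand IOS VLAN syntax: '1-5,10,20-22' -> {1..5, 10, 20, 21, 22}; 'none' -> empty set."""
    spec = spec.strip().lower()
    if spec in ("", "none"):
        return set()
    vlans: Set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_interfaces_trunk(text: str) -> Dict[str, dict]:
    """Return {port: {'native': int, 'allowed': set, 'active': set}}.
    Each 'Port ...' header line selects which column the rows that follow populate."""
    ports: Dict[str, dict] = {}
    section: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):
            if "Native vlan" in line:
                section = "native"
            elif "allowed on trunk" in line:
                section = "allowed"
            elif "active in management domain" in line:
                section = "active"
            else:
                section = None  # sections this example does not model are skipped
            continue
        fields = line.split()
        entry = ports.setdefault(fields[0], {"native": None, "allowed": set(), "active": set()})
        if section == "native":
            entry["native"] = int(fields[-1])
        elif section in ("allowed", "active"):
            entry[section] = expand_vlan_list(fields[1])
    return ports


def vlans_not_carried(ports: Dict[str, dict]) -> Dict[str, Set[int]]:
    """VLANs that exist on the switch but are not permitted on a trunk (the question's VLAN 40)."""
    gaps: Dict[str, Set[int]] = {}
    for port, entry in ports.items():
        missing = entry["active"] - entry["allowed"]
        if missing:
            gaps[port] = missing
    return gaps
```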

348
MCQ · hard

Exhibit: A router has both an OSPF-learned default route and a floating static default route. Which route is currently active?

A.The static route, because static routes always override dynamic routes
B.The OSPF default route, because AD 110 beats the floating static AD 150
C.Both routes load-balance automatically
D.Neither route, because a default route cannot be learned by OSPF
Answer: B

That is exactly why the OSPF default is active.

Why this answer

A floating static route only takes over when its administrative distance is set higher than the preferred route and the preferred route disappears. The routing table shows the OSPF default because AD 110 is lower than the floating static AD 150.

Exam trap

A frequent exam trap is believing that static routes always override dynamic routes simply because they are manually configured. This misconception leads to selecting the static route as active regardless of administrative distance. In reality, Cisco routers use administrative distance to determine route preference, and a floating static route is deliberately configured with a higher AD to act as a backup.

The router prefers the OSPF route with AD 110 over the floating static route with AD 150, so the static route is inactive unless the OSPF route fails. Misunderstanding this can cause incorrect answers about route selection in routing tables.

Why the other options are wrong

A

This option incorrectly states that static routes always override dynamic routes. In Cisco routing, static routes only override dynamic routes if their administrative distance is lower. Since the floating static route has a higher AD (150) than OSPF (110), it is not preferred here.

C

This option is incorrect because load balancing only occurs between routes with equal administrative distances and metrics. Here, the OSPF and floating static routes have different ADs, so only the route with the lower AD is active.

D

This option is false because OSPF can advertise and learn default routes using the 'default-information originate' command. Therefore, OSPF can carry a default route, making this statement incorrect.

349
MCQ · hard

A network administrator has configured a DHCP server on VLAN 100 with an IP address of 192.168.100.10/24. Clients on VLAN 200 (192.168.200.0/24) report that they cannot obtain an IP address via DHCP. The router is configured with a DHCP relay on the VLAN 200 interface. The administrator checks the router configuration and verifies that the relay is in place, but clients still fail to get an address. The switch that the router and clients connect to has DHCP snooping enabled. What is the most likely cause of this issue?

A.The DHCP server is on a different subnet and the relay address is incorrect.
B.DHCP snooping is blocking the relay agent because the relay interface is not trusted.
C.The DHCP server is unreachable from the router.
D.The ip helper-address command is missing from the VLAN 200 interface.
Answer: B

The 'show ip dhcp relay information trusted' output shows 'Not configured', which means the relay agent is not trusting the DHCP server's responses. This causes the switch to drop DHCP server responses when DHCP snooping is enabled. The fix is to configure 'ip dhcp relay information trusted' on the interface facing the DHCP server.

Why this answer

The scenario states that DHCP snooping is enabled on the switch. When DHCP snooping is active, it discards DHCP messages received on untrusted ports. The router's VLAN 200 interface, which is configured as a DHCP relay agent, must be configured as a trusted port for DHCP snooping; otherwise, the relayed messages are silently dropped.

Option A is incorrect because the relay address is correctly pointing to the DHCP server's subnet. Option C is too generic and unlikely since the router and switch are directly connected. Option D is incorrect because the relay is verified to be in place.

Therefore, the most likely cause is DHCP snooping blocking the relay agent due to the relay interface not being trusted.

Exam trap

Cisco often tests the misconception that a correctly configured DHCP relay alone guarantees DHCP operation, ignoring that DHCP snooping can silently drop relayed messages if the relay interface is not trusted.

Why the other options are wrong

A

The relay address 192.168.100.10 is correctly configured to point to the DHCP server on VLAN 100. The issue is not with the relay address being incorrect.

C

The DHCP server is on the same router (VLAN 100 interface) and is reachable; the relay configuration is correct. The server is not unreachable.

D

The exhibit shows 'ip helper-address 192.168.100.10' is configured on GigabitEthernet0/1, which is the VLAN 200 interface. The command is present.

350
MCQ · hard

A multilayer switch has SVIs for VLAN 10 and VLAN 20, but hosts in those VLANs still cannot reach each other. The SVIs are up/up. Which additional condition is most likely required?

A.IP routing must be enabled on the multilayer switch
B.Every access port must be converted to a trunk
C.DHCP snooping must be disabled globally
D.The switch must remove all VLAN assignments
Answer: A

This is correct because the switch needs Layer 3 routing enabled to route between active SVIs.

Why this answer

If the SVIs are up but inter-VLAN traffic still fails, the most likely missing condition is that IP routing is not enabled on the multilayer switch. In plain language, the switch has the VLAN gateway interfaces present, but it has not been told to behave as a Layer 3 router between them. Without IP routing enabled, the SVIs can exist and still not actually route traffic between VLANs.

This is a classic multilayer-switch design issue because many learners assume the presence of SVIs alone automatically creates routing. In reality, routed forwarding between VLANs still requires the switch to operate as a Layer 3 device. That is why enabling routing is the best answer.

Exam trap

Don't assume SVIs automatically enable routing; IP routing must be explicitly configured.

Why the other options are wrong

B

Converting all access ports to trunk ports is unnecessary and incorrect for inter-VLAN routing. Access ports belong to a single VLAN, and hosts connect via access ports. Trunk ports are used to carry multiple VLANs between switches, not to connect end hosts.

Changing all ports to trunks would break connectivity for hosts.

C

DHCP snooping is a security feature that filters DHCP messages and does not affect Layer 3 routing between VLANs. Disabling it would not enable inter-VLAN communication. The issue is routing, not DHCP.

D

Removing all VLAN assignments would break the network entirely, as hosts would lose their VLAN membership and connectivity. VLANs are essential for segmenting the network; removing them would not solve the routing issue.

351
MCQ · hard

A junior network engineer configured a floating static route on Router R1 to provide backup connectivity to a remote network 10.10.10.0/24. The primary connection uses OSPF. However, after the primary link fails, hosts on R1 cannot reach the remote network. The OSPF adjacency is down, and the floating static route is not appearing in the routing table. Based on the exhibit, what is the most likely cause of the issue?

A.The floating static route is missing from the configuration.
B.The static route's next-hop becomes unreachable after the primary OSPF link fails.
C.The administrative distance of the static route is too high.
D.The default route is overriding the static route to 10.10.10.0/24.
Answer: B

The floating static route points to a next-hop that is only reachable via the OSPF-learned path. Once the primary link fails and OSPF is down, the router loses the route to that next-hop, preventing the static route from being installed.

Why this answer

Option B is correct because the floating static route's next-hop becomes unreachable after the primary OSPF link fails. In the exhibit, the next-hop IP is likely configured to an address that is only reachable via OSPF; when that adjacency drops, the router has no route to the next-hop, so it cannot recursively resolve the static route. As a result, the route does not appear in the routing table.

Option A is wrong because the route is present in the configuration (as a floating static route). Option C is wrong because the administrative distance of the floating static route is intentionally higher than OSPF's so that it only installs when OSPF fails; this is correct behavior. Option D is wrong because a default route would not override a more specific static route to 10.10.10.0/24.

Exam trap

Cisco often tests the misconception that a floating static route will automatically appear when the primary route fails, without considering that the next-hop must be directly connected or recursively resolvable via a remaining route.

Why the other options are wrong

A

The exhibit shows the static route is configured, so the issue is not that it is missing.

C

An administrative distance of 200 is appropriate for a floating static route to be less preferred than OSPF (AD 110) but still usable as a backup.

D

A default route (0.0.0.0/0) does not override a more specific route like 10.10.10.0/24; the longest prefix match rule ensures the specific route is preferred.
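As an added example (not part of the question bank), this Python implements the route-selection rule that questions 344, 348 and 351 all turn on: administrative distance first, metric only within one source, and a next hop that must recursively resolve through some other installed route. The three scenarios are constructed from the questions; neighbour addresses and the OSPF metrics are assumed.

```python
"""Route selection as a Cisco router does it: administrative distance first, metric within a
source, and a next hop that must resolve through another installed route.
Added example; the scenarios are constructed from the questions, not taken from a real router."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Default administrative distances on Cisco IOS for the sources used here.
DEFAULT_AD = {"connected": 0, "static": 1, "ebgp": 20, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Candidate:
    prefix: str                     # destination, e.g. "192.168.50.0/24"
    source: str                     # key into DEFAULT_AD
    metric: int = 0                 # compared only against the same source
    next_hop: Optional[str] = None  # None for connected routes
    ad: Optional[int] = None        # explicit AD (floating static); None = source default

    @property
    def admin_distance(self) -> int:
        return DEFAULT_AD[self.source] if self.ad is None else self.ad


def longest_match(rib: List[Candidate], address: str) -> Optional[Candidate]:
    """Routing-table lookup: the most specific installed prefix covering the address."""
    ip = ipaddress.ip_address(address)
    covering = [r for r in rib if ip in ipaddress.ip_network(r.prefix)]
    return max(covering, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen, default=None)


def resolvable(route: Candidate, rib: List[Candidate]) -> bool:
    """Connected routes always install; anything else needs its next hop covered by some
    *other* installed route (the recursive lookup that fails in question 351)."""
    if route.next_hop is None:
        return True
    others = [r for r in rib if r is not route]
    return longest_match(others, route.next_hop) is not None


def build_rib(candidates: List[Candidate]) -> List[Candidate]:
    """Install, per prefix, the lowest-AD resolvable candidate (ties broken by metric).
    Iterates to a fixed point because installing one route can make another resolvable."""
    rib: List[Candidate] = [c for c in candidates if c.next_hop is None]
    for _ in range(len(candidates) + 1):
        changed = False
        for prefix in sorted({c.prefix for c in candidates}):
            options = sorted(
                (c for c in candidates if c.prefix == prefix and resolvable(c, rib)),
                key=lambda c: (c.admin_distance, c.metric),
            )
            best = options[0] if options else None
            current = next((r for r in rib if r.prefix == prefix), None)
            if current is not best:
                if current is not None:
                    rib.remove(current)
                if best is not None:
                    rib.append(best)
                changed = True
        if not changed:
            break
    return rib


def installed(rib: List[Candidate], prefix: str) -> Optional[Candidate]:
    """The route currently in the table for a prefix, or None."""
    return next((r for r in rib if r.prefix == prefix), None)


# Constructed topology (assumed): R1 has one point-to-point link per neighbour.
LINKS = [
    Candidate("10.0.12.0/30", "connected"),  # 10.0.12.2 = static next hop
    Candidate("10.0.13.0/30", "connected"),  # 10.0.13.2 = eBGP peer
    Candidate("10.0.14.0/30", "connected"),  # 10.0.14.2 = OSPF neighbour
    Candidate("10.0.15.0/30", "connected"),  # 10.0.15.2 = RIP neighbour
]

# Question 344: four sources for 192.168.50.0/24; AD decides, not OSPF cost or RIP hops.
Q344 = LINKS + [
    Candidate("192.168.50.0/24", "static", next_hop="10.0.12.2"),
    Candidate("192.168.50.0/24", "ebgp", metric=0, next_hop="10.0.13.2"),
    Candidate("192.168.50.0/24", "ospf", metric=20, next_hop="10.0.14.2"),
    Candidate("192.168.50.0/24", "rip", metric=2, next_hop="10.0.15.2"),
]

# Question 348: OSPF default route versus a floating static default with AD 150.
Q348 = LINKS + [
    Candidate("0.0.0.0/0", "ospf", metric=1, next_hop="10.0.14.2"),
    Candidate("0.0.0.0/0", "static", next_hop="10.0.12.2", ad=150),
]

# Question 351: the floating static's next hop 172.16.1.1 is itself known only via OSPF.
OSPF_ROUTES = [
    Candidate("10.10.10.0/24", "ospf", metric=30, next_hop="10.0.14.2"),
    Candidate("172.16.1.0/24", "ospf", metric=10, next_hop="10.0.14.2"),
]
Q351 = LINKS + OSPF_ROUTES + [
    Candidate("10.10.10.0/24", "static", next_hop="172.16.1.1", ad=200),
]
```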

352
PBQ · hard

You are connected to R1, a multilayer switch acting as the root bridge for VLAN 10. The network has experienced a loop, and interface GigabitEthernet0/1 on R1 is currently in err-disabled state due to a BPDU guard violation. Configure the switch to recover automatically from err-disable state after 300 seconds, then verify that the interface comes back up.

Hints

  • The errdisable recovery command is in global configuration mode.
  • Use the 'show errdisable recovery' command to check the current causes and timers.
  • The interface will not recover immediately; you can use 'clear errdisable interface Gi0/1' to test manually.
A.Configure 'errdisable recovery cause bpduguard' and 'errdisable recovery interval 300' globally, then verify with 'show interfaces status'.
B.Configure 'spanning-tree portfast bpduguard default' and 'errdisable recovery interval 300' globally, then verify with 'show spanning-tree'.
C.Configure 'errdisable recovery cause all' and 'errdisable recovery interval 300' globally, then verify with 'show errdisable recovery'.
D.Configure 'errdisable recovery cause bpduguard' and 'errdisable recovery interval 300' on interface GigabitEthernet0/1, then verify with 'show interfaces GigabitEthernet0/1'.
Answer: A
Solution
! R1
errdisable recovery cause bpduguard
errdisable recovery interval 300

Why this answer

The interface Gi0/1 is in err-disabled state because BPDU Guard detected an unexpected BPDU on a PortFast-enabled access port. To recover automatically, configure errdisable recovery cause bpduguard and set the recovery interval to 300 seconds with errdisable recovery interval 300. After applying these commands, the interface will automatically come out of err-disable state after 300 seconds.

The blocking port on Gi0/2 is expected because R1 is the root bridge and Gi0/2 is an alternate port providing redundancy; no action is needed for that blocking state.

Exam trap

The trap is that candidates may confuse enabling BPDU guard with configuring recovery, or they may think recovery commands are applied per-interface. Remember that errdisable recovery is a global setting, and you must specify the exact cause unless you want to recover from all causes.

Why the other options are wrong

B

'spanning-tree portfast bpduguard default' enables BPDU guard, not recovery. Recovery requires 'errdisable recovery cause bpduguard'.

C

Using 'cause all' is not the best practice; the question implies a specific cause. The verification command is correct, but the configuration is not precise.

D

errdisable recovery is a global configuration command, not an interface-specific one.

353
Multi-Select · medium

Which TWO statements correctly describe the behavior of PortFast and BPDU Guard on a Cisco switch?

Select 2 answers
A. PortFast immediately transitions a port from blocking to forwarding state, bypassing listening and learning.
B. BPDU Guard disables a PortFast-enabled port if it receives any BPDU.
C. PortFast allows BPDUs to pass through the port normally, but the port remains in forwarding state.
D. BPDU Guard prevents the port from becoming a root port or designated port by ignoring superior BPDUs.
E. BPDU Guard is typically configured on trunk ports to prevent loops between switches.
Answers: A, B

This is correct. PortFast allows a port to go directly to forwarding, reducing the time a host takes to start sending traffic.

Why this answer

PortFast immediately transitions an access port from blocking to forwarding, bypassing listening and learning (Option A). BPDU Guard errdisables a PortFast-enabled port if any BPDU is received, protecting against accidental loops (Option B). Option C is incorrect because PortFast does not alter BPDU handling; the port still processes BPDUs and reverts to normal STP if one is received.

Option D is false because BPDU Guard disables the port entirely rather than ignoring BPDUs. Option E is incorrect because BPDU Guard is typically configured on access ports connected to end devices, not on trunk ports.

Exam trap

Cisco often tests the misconception that PortFast itself blocks or filters BPDUs, when in fact it only accelerates the transition to forwarding; BPDU Guard is a separate feature that must be explicitly enabled to disable the port upon BPDU reception.

Why the other options are wrong

C

PortFast does not filter BPDUs; it still processes them normally. If a BPDU is received on a PortFast port, the port will still participate in STP and may transition to a blocking state, defeating the purpose of PortFast. The statement incorrectly claims BPDUs pass through while the port remains forwarding, which is not true.

D

BPDU Guard does not affect STP election processes; it simply err-disables the port upon receiving any BPDU. It does not ignore superior BPDUs or prevent the port from becoming a root or designated port. That behavior is associated with Root Guard, not BPDU Guard.

E

BPDU Guard is intended for access ports with PortFast, not for trunk ports. Trunk ports between switches are expected to exchange BPDUs for normal STP operation; applying BPDU Guard on a trunk would cause the port to err-disable upon receiving legitimate BPDUs, disrupting the network.

354
Multi-Select (easy)

A company wants all routers and switches to use a common time source so log timestamps line up during incident review. Which two statements about NTP are correct?

Select 2 answers
A. It helps synchronize device clocks
B. Consistent time improves correlation of syslog and other event data
C. It advertises Layer 3 reachability between routers
D. It encrypts data traffic between endpoints by default
Answers: A, B

NTP is used to align time across systems.

Why this answer

NTP (Network Time Protocol) is used to synchronize device clocks (option A) so that event timestamps are consistent across network devices, which improves correlation of syslog and other event data (option B). Option C is incorrect because NTP does not advertise Layer 3 reachability; that is a function of routing protocols like OSPF or EIGRP. Option D is incorrect because NTP does not encrypt data traffic by default; it only synchronizes time and does not provide encryption.

Exam trap

A common exam trap is mistaking NTP for a routing or security protocol. Some candidates incorrectly believe NTP advertises Layer 3 reachability like routing protocols (e.g., OSPF or EIGRP) or that it encrypts data traffic by default. This confusion arises because NTP is often mentioned alongside other network services, but its sole purpose is to synchronize device clocks.

Selecting options related to routing or encryption when the question focuses on time synchronization leads to incorrect answers. Understanding that NTP only aligns time across devices helps avoid this trap.

Why the other options are wrong

C

This option is incorrect because advertising Layer 3 reachability is the role of routing protocols like OSPF or EIGRP, not NTP, which only synchronizes time.

D

This option is incorrect as NTP does not encrypt data traffic by default; it is a time synchronization protocol and does not provide encryption services.

355
PBQ (medium)

You are connected to R1 via the console. R1 is a new router that needs to be configured with a hostname, an encrypted privileged password 'cisco123', and a banner message 'Unauthorized access prohibited'. Additionally, SSH must be enabled for remote management using a domain name 'example.com' and a key size of 1024. The management interface is G0/0 with IP 192.168.1.1/24.

Network Topology: R1 G0/0 (192.168.1.1/24) linked to the management network

Hints

  • Set the hostname first, as it affects the RSA key generation.
  • The banner message must be delimited by a character not in the message.
  • SSH requires a domain name and RSA key pair.
A. hostname R1; enable secret cisco123; banner motd #Unauthorized access prohibited#; ip domain-name example.com; crypto key generate rsa modulus 1024; line vty 0 4; transport input ssh; login local; interface g0/0; ip address 192.168.1.1 255.255.255.0; no shutdown
B. hostname R1; enable password cisco123; banner motd #Unauthorized access prohibited#; ip domain-name example.com; crypto key generate rsa modulus 1024; line vty 0 4; transport input ssh; password cisco123; login; interface g0/0; ip address 192.168.1.1 255.255.255.0; no shutdown
C. hostname R1; enable secret cisco123; banner motd #Unauthorized access prohibited#; ip domain-name example.com; crypto key generate rsa modulus 1024; line vty 0 4; transport input ssh; password cisco123; login local; interface g0/0; ip address 192.168.1.1 255.255.255.0; no shutdown
D. hostname R1; enable secret cisco123; banner motd #Unauthorized access prohibited#; ip domain-name example.com; crypto key generate rsa modulus 1024; line vty 0 4; transport input ssh; login local; username admin secret cisco123; interface g0/0; ip address 192.168.1.1 255.255.255.0; no shutdown
Answer: A
Solution
! R1
hostname R1
enable secret cisco123
banner motd $ Unauthorized access prohibited $
ip domain-name example.com
crypto key generate rsa modulus 1024
line vty 0 4
transport input ssh
login local
interface g0/0
ip address 192.168.1.1 255.255.255.0
no shutdown

Why this answer

Configuring hostname, enable secret, and banner sets basic identity and security. Generating RSA keys with a domain name enables SSH; then VTY lines are restricted to SSH only.

Exam trap

Watch out for the difference between 'enable password' and 'enable secret' – only 'enable secret' encrypts the password. Also, remember that SSH requires a domain name and RSA keys generated before configuring VTY lines. Do not add unnecessary commands like creating a local username unless explicitly required.

Why the other options are wrong

B

The specific factual error: 'enable password' does not encrypt the password; 'login' without 'local' accepts the line password if one is set, but does not use the local user database.

C

The specific factual error: 'login local' requires a local username database, but no username is configured; the VTY password is unnecessary and misleading.

D

The specific factual error: The question does not require creating a local username; adding one is extraneous and could be considered incorrect in a PBQ where only the specified steps are needed.

356
Matching (medium)

Drag and drop the cable types on the left to the correct maximum distance or connector type on the right.

Pairs:
  • Cat5e → 100 meters (max distance)
  • Cat6a → 100 meters (max distance)
  • Single-mode fiber → LC connector
  • Multimode fiber (OM3) → 300 meters (max distance at 10 Gbps)
  • Coaxial cable (RG-6) → F-type connector


Matches (right-hand column)
  • 100 meters (max distance)
  • 100 meters (max distance)
  • LC connector
  • 550 meters (max distance at 10 Gbps)
  • F-type connector

Why these pairings

These pairings correctly match cable types to their typical maximum distances or connector types. OM3 multimode fiber supports 300 meters at 10 Gbps, not 550 meters (OM4 supports 550 meters). Single-mode fiber typically uses LC connectors, and RG-6 coaxial cable uses F-type connectors.

Exam trap

Be careful not to confuse the distance limits of single-mode and multi-mode fiber. Single-mode fiber supports much longer distances (kilometers) than multi-mode fiber (hundreds of meters). Also, remember that coaxial cables use BNC connectors, not RJ-45.

357
PBQ (hard)

You are connected to R1. Configure OSPFv3 for IPv6 on R1 and R2 so that the loopback0 interface on R1 (IPv6 address 2001:db8:1::1/64) can ping the loopback0 interface on R2 (IPv6 address 2001:db8:2::1/64). The routers are connected via their GigabitEthernet0/0 interfaces using IPv6 addresses 2001:db8:12::1/64 (R1) and 2001:db8:12::2/64 (R2). OSPFv3 process ID 100 must be used, and all interfaces must be in area 0.

Network Topology: R1 G0/0 (2001:db8:12::1/64) linked to R2 G0/0 (2001:db8:12::2/64)

Hints

  • OSPFv3 for IPv6 is configured under the 'ipv6 router ospf' process, not 'router ospf'.
  • Each interface that should participate in OSPFv3 must have the 'ipv6 ospf <process-id> area <area-id>' command.
  • Don't forget to set a router-id; otherwise the OSPFv3 process may not start.
A. R1(config)# ipv6 unicast-routing R1(config)# ipv6 router ospf 100 R1(config-rtr)# router-id 1.1.1.1 R1(config-rtr)# interface gigabitethernet0/0 R1(config-if)# ipv6 ospf 100 area 0 R1(config-if)# interface loopback0 R1(config-if)# ipv6 ospf 100 area 0 R2(config)# ipv6 unicast-routing R2(config)# ipv6 router ospf 100 R2(config-rtr)# router-id 2.2.2.2 R2(config-rtr)# interface gigabitethernet0/0 R2(config-if)# ipv6 ospf 100 area 0 R2(config-if)# interface loopback0 R2(config-if)# ipv6 ospf 100 area 0
B. R1(config)# ipv6 unicast-routing R1(config)# ipv6 router ospf 100 R1(config-rtr)# router-id 1.1.1.1 R1(config-rtr)# network 2001:db8:12::0/64 area 0 R1(config-rtr)# network 2001:db8:1::0/64 area 0 R2(config)# ipv6 unicast-routing R2(config)# ipv6 router ospf 100 R2(config-rtr)# router-id 2.2.2.2 R2(config-rtr)# network 2001:db8:12::0/64 area 0 R2(config-rtr)# network 2001:db8:2::0/64 area 0
C. R1(config)# ipv6 unicast-routing R1(config)# ipv6 router ospf 100 R1(config-rtr)# router-id 1.1.1.1 R1(config-rtr)# interface gigabitethernet0/0 R1(config-if)# ipv6 ospf 100 area 0 R2(config)# ipv6 unicast-routing R2(config)# ipv6 router ospf 100 R2(config-rtr)# router-id 2.2.2.2 R2(config-rtr)# interface gigabitethernet0/0 R2(config-if)# ipv6 ospf 100 area 0
D. R1(config)# ipv6 unicast-routing R1(config)# ipv6 router ospf 100 R1(config-rtr)# router-id 1.1.1.1 R1(config-rtr)# interface gigabitethernet0/0 R1(config-if)# ipv6 ospf 100 area 0 R1(config-if)# interface loopback0 R1(config-if)# ipv6 ospf 100 area 0 R2(config)# ipv6 unicast-routing R2(config)# ipv6 router ospf 100 R2(config-rtr)# router-id 1.1.1.1 R2(config-rtr)# interface gigabitethernet0/0 R2(config-if)# ipv6 ospf 100 area 0 R2(config-if)# interface loopback0 R2(config-if)# ipv6 ospf 100 area 0
Answer: A
Solution
! R1
ipv6 unicast-routing
ipv6 router ospf 100
router-id 1.1.1.1
interface Loopback0
ipv6 ospf 100 area 0
interface GigabitEthernet0/0
ipv6 ospf 100 area 0

Why this answer

OSPFv3 for IPv6 requires enabling IPv6 unicast routing globally and configuring OSPFv3 on interfaces. The missing step was enabling OSPFv3 process 100 and assigning area 0 to the interfaces. On R1, the commands 'ipv6 router ospf 100' and 'router-id 1.1.1.1' create the OSPFv3 process, then 'ipv6 ospf 100 area 0' under each interface enables OSPFv3 on those interfaces.

Similar commands on R2 with a unique router-id complete the configuration. Verification with 'show ospfv3 neighbor' should show R2's router-id, and 'show ipv6 route ospf' should display the remote loopback network.

Exam trap

The most common trap is using OSPFv2-style 'network' commands for OSPFv3. Remember that OSPFv3 uses interface-level configuration. Also, ensure all interfaces that need to be advertised (including loopbacks) have OSPFv3 enabled, and that router-ids are unique.

Why the other options are wrong

B

The specific factual error is that OSPFv3 uses interface-level configuration, not network statements like OSPFv2 for IPv4.

C

The specific factual error is that OSPFv3 must be enabled on all interfaces that should participate in the routing process, including loopback interfaces.

D

The specific factual error is that OSPF router-ids must be unique. Using the same router-id on both routers prevents proper neighbor formation.

358
PBQ (hard)

You are connected to R1. Configure the G0/0 interface to match the speed (100 Mbps) and duplex (full) of the connected switch port, then diagnose and fix an auto-negotiation failure that has caused excessive CRC errors. Finally, select and replace the SFP module on G0/0 with one that supports a 5 km fiber link, using the correct cable type.

Hints

  • Check the current SFP status with 'show interfaces gigabitethernet 0/0 transceiver'.
  • The switch port is configured with speed 100 and duplex full; mismatch causes protocol down.
  • For 5 km, you need a single-mode SFP (1000BASE-LX) and single-mode fiber (SMF).
A. Set speed 100, duplex full; replace SFP with 1000BASE-LX; use single-mode fiber (SMF).
B. Set speed 100, duplex half; replace SFP with 1000BASE-SX; use multimode fiber (MMF).
C. Set speed 1000, duplex full; replace SFP with 1000BASE-LX; use single-mode fiber (SMF).
D. Set no speed, no duplex (auto); replace SFP with 1000BASE-LX; use single-mode fiber (SMF).
Answer: A
Solution
! R1
configure terminal
interface gigabitethernet 0/0
speed 100
duplex full
no shutdown
end
copy running-config startup-config

Why this answer

The interface is up but line protocol is down, indicating a layer 1 issue. The switch port is manually set to 100 Mbps/full duplex, but R1 is using auto-negotiation, causing a mismatch. First, set the speed to 100 and duplex to full on G0/0.

The CRC errors may appear later if cabling is faulty; for a 5 km fiber link, you need a 1000BASE-LX SFP (single-mode) and single-mode fiber (SMF). Verify the SFP is recognized and the link comes up.

Exam trap

A common trap is to assume auto-negotiation will work when one side is manually configured, or to confuse SFP types (SX vs LX) and fiber types (MMF vs SMF). Always verify that speed and duplex match on both ends, and choose the SFP based on distance and fiber type.

Why the other options are wrong

B

The specific factual error: Duplex must match the switch (full), and 1000BASE-SX cannot reach 5 km.

C

The specific factual error: Speed must match the switch port's configured speed (100 Mbps), not 1000 Mbps.

D

The specific factual error: Auto-negotiation cannot match a manually configured port; both sides must be manually set or both use auto-negotiation.

359
MCQ (hard)

A switch port should allow an IP phone and attached PC to operate correctly. The phone should place voice traffic in VLAN 200 while the PC remains in VLAN 20. Which configuration approach best supports that design?

A. Configure the port with an access VLAN for data and a voice VLAN for the phone
B. Configure the port as a routed port with no switchport
C. Configure the port as an EtherChannel member
D. Use a native VLAN only and disable all tagging
Answer: A

This is correct because Cisco voice-VLAN design allows user data and tagged voice traffic to coexist correctly on one edge port.

Why this answer

The best approach is to configure the access VLAN for user data and the voice VLAN separately. In plain language, the PC should remain a normal untagged data endpoint in VLAN 20, while the phone can tag its own voice traffic for VLAN 200. Cisco access-port designs support this exact use case and allow the switch to keep voice and user traffic logically separated without requiring two physical ports.

This is a classic CCNA edge-port design. It is not a general trunking problem, and it does not require EtherChannel or router subinterfaces. The important idea is that one switchport can support an access VLAN and a voice VLAN together in a way designed specifically for IP phones with downstream PCs.

Exam trap

Avoid assuming trunk mode is needed for VLANs; understand access vs. voice VLANs for edge ports.

Why the other options are wrong

B

A routed port (no switchport) is used for Layer 3 routing between switches or routers, not for connecting end devices like IP phones and PCs. It does not support VLAN assignment or the coexistence of multiple VLANs on a single port, making it unsuitable for this scenario.

C

EtherChannel is used to aggregate multiple physical links into a single logical link for increased bandwidth and redundancy. It does not provide any mechanism to separate voice and data traffic into different VLANs on a single port, and it is not relevant to the requirement of connecting an IP phone and PC.

D

Using a native VLAN only and disabling all tagging would place all traffic (voice and data) in the same VLAN, which contradicts the requirement to separate voice into VLAN 200 and data into VLAN 20. The native VLAN is used for untagged traffic on a trunk, but this design requires distinct VLANs with tagging for voice.

360
MCQ (hard)

A network engineer notices that a root port on a switch has transitioned to a loop-inconsistent state. The port was previously receiving BPDUs normally, but after a suspected unidirectional fiber cut, it no longer receives BPDUs. What is the most likely cause?

A. BPDU Guard is enabled on the port, causing it to be placed in error-disabled state.
B. Loop Guard is active on the root port and transitioned it to loop-inconsistent state upon BPDU loss.
C. UDLD has detected a unidirectional link and has shut down the port.
D. Root Guard is preventing the port from transitioning to designated forwarding after losing BPDUs.
Answer: B

Loop Guard is precisely designed to monitor BPDU reception on blocked or alternate ports. When a unidirectional link failure occurs and BPDUs are no longer received, Loop Guard places the port into the loop-inconsistent state, blocking all traffic to prevent a potential loop. The 'loop-inconsistent' state is a clear indicator of this feature.

Why this answer

Loop Guard is an STP enhancement that monitors the reception of BPDUs on a blocked port. When BPDUs stop arriving (due to a unidirectional link failure), Loop Guard moves the port to loop-inconsistent state, preventing it from transitioning to the forwarding state and thus avoiding a switching loop.

Exam trap

UDLD is tempting because it also detects unidirectional links, but UDLD would place the port in err-disable or shut down state, not the STP loop-inconsistent state. The appearance of 'loop-inconsistent' specifically indicates Loop Guard is active.

Why the other options are wrong

A

BPDU Guard is a protective feature that disables a port upon receiving a BPDU, not upon losing BPDUs. The symptom here is a loss of BPDUs, not a reception of unexpected BPDUs.

C

UDLD acts by shutting down the port or putting it in errdisable state, while the scenario explicitly shows the port in a loop-inconsistent state, indicating an STP-based protection mechanism.

D

Root Guard would block a port if it received a BPDU with better root information, not when BPDUs stop arriving. It also does not produce a loop-inconsistent state.

361
MCQ (medium)

A router is configured for PAT overload. What does the inside global address represent for an internal PC?

A. The private IP address assigned to the internal PC
B. The public address that represents the internal PC to external networks
C. The remote server address as seen from the inside host
D. The MAC address of the outside interface
Answer: B

That is the inside global address.

Why this answer

With NAT overload, the inside local address is the private address on the internal host. The inside global is the translated public address that represents that inside host to the outside network.

Exam trap

A frequent exam trap is mistaking the inside global address for the inside local address. Candidates often confuse the private IP assigned to the internal PC (inside local) with the public IP address used externally (inside global). Another pitfall is mixing up inside global with outside local or outside global addresses, which relate to remote hosts rather than internal devices.

This confusion can lead to incorrect NAT configuration interpretations or troubleshooting errors. Remember, the inside global address is the public IP visible to external networks representing the internal PC, not the private IP assigned inside the LAN.

Why the other options are wrong

A

Option A incorrectly identifies the inside global address as the private IP address assigned to the internal PC. This is actually the inside local address, which is the private IP used within the internal network and not visible externally.

C

Option C confuses the inside global address with outside local or outside global addresses, which refer to remote servers or external hosts from the internal perspective. The inside global address specifically represents the internal PC externally.

D

Option D incorrectly associates the inside global address with the MAC address of the outside interface. NAT translation deals with IP addresses and ports, not MAC addresses, so this option is invalid.

362
PBQ (medium)

You are connected to SW1 via the console. SW1 is a Layer 2 switch. Port GigabitEthernet0/1 connects to a PC in VLAN 10, and port GigabitEthernet0/2 connects to a server in VLAN 20. Both ports are currently in VLAN 1. Configure SW1 to assign GigabitEthernet0/1 to VLAN 10 and GigabitEthernet0/2 to VLAN 20, and verify the configuration.

Network Topology: SW1 G0/1 to PC, SW1 G0/2 to Server

Hints

  • Use switchport mode access to configure the port as an access port.
  • Use switchport access vlan to assign the VLAN.
A. interface GigabitEthernet0/1; switchport mode access; switchport access vlan 10; interface GigabitEthernet0/2; switchport mode access; switchport access vlan 20; end; show vlan brief
B. interface GigabitEthernet0/1; switchport mode trunk; switchport trunk allowed vlan 10; interface GigabitEthernet0/2; switchport mode trunk; switchport trunk allowed vlan 20; end; show interfaces trunk
C. vlan 10; name PC_VLAN; vlan 20; name Server_VLAN; interface GigabitEthernet0/1; switchport mode access; switchport access vlan 10; interface GigabitEthernet0/2; switchport mode access; switchport access vlan 20; end; show vlan brief
D. interface GigabitEthernet0/1; switchport access vlan 10; interface GigabitEthernet0/2; switchport access vlan 20; end; show vlan brief
Answer: A
Solution
! SW1
interface GigabitEthernet0/1
switchport mode access
switchport access vlan 10
interface GigabitEthernet0/2
switchport mode access
switchport access vlan 20

Why this answer

Access ports carry traffic for a single VLAN. By assigning G0/1 to VLAN 10 and G0/2 to VLAN 20, the PC and server are placed in their respective VLANs.

Exam trap

Do not confuse access ports with trunk ports. Access ports are for end devices; trunk ports are for switch-to-switch connections. Also, remember that 'switchport mode access' is required before assigning a VLAN; otherwise, the port may not behave as expected.

Why the other options are wrong

B

Trunk ports are not appropriate for end devices; they are designed for inter-switch links.

C

The question does not require creating or naming VLANs; it only asks to assign ports to existing VLANs.

D

The 'switchport mode access' command is required to explicitly set the port as an access port; otherwise, the port might negotiate trunking.

363
MCQ (hard)

Two routers are directly connected and running OSPF. Their IP addresses and hello timers match, but they still do not become neighbors. One side is configured for area 0 and the other for area 1 on the shared link. What is the most likely cause?

A. The interfaces are in different OSPF areas on the shared link.
B. The routers need identical hostnames.
C. The link must be converted to a trunk.
D. The routers must use static routes first.
Answer: A

This is correct because OSPF neighbors on the same segment must agree on the area.

Why this answer

An OSPF area mismatch is the most likely cause. In plain language, the routers may be physically connected and able to exchange packets, but OSPF still requires that both sides agree on the area associated with the shared segment. If one interface belongs to area 0 and the other belongs to area 1, the routers do not view the segment in the same OSPF context and the adjacency fails.

This is a classic CCNA troubleshooting case because the addressing can look perfect while the protocol still refuses to form a neighbor relationship. OSPF is strict about several interface-level values, and the area assignment is one of the most important.

Exam trap

A frequent exam trap is assuming that matching IP addresses and hello timers alone guarantee OSPF adjacency. Candidates often overlook the OSPF area configuration, which must be identical on both sides of a shared link. This mistake leads to confusion because the routers appear connected and can exchange packets, but OSPF adjacency never forms.

The trap is focusing on interface parameters like timers or IP addressing while ignoring the fundamental requirement that both interfaces must belong to the same OSPF area to establish neighbor relationships.

Why the other options are wrong

B

This option is incorrect because router hostnames do not affect OSPF neighbor relationships. OSPF adjacency depends on interface-level parameters, not device names, so identical hostnames are not required.

C

This option is incorrect because converting the link to a trunk is irrelevant for OSPF adjacency on routed interfaces. OSPF operates on Layer 3 interfaces, and trunking is a Layer 2 concept used for VLAN tagging, not required for OSPF neighbor formation.

D

This option is incorrect because static routes are not necessary for OSPF adjacency. OSPF dynamically discovers neighbors and exchanges routing information without requiring preconfigured static routes.

364
PBQ (hard)

You are connected to the WLC via its management IP 192.168.10.10. A new corporate SSID 'SecureCorp' must be configured for WPA3-Personal with PSK 'Cisco123' on the 5 GHz radio only. The SSID should be broadcast. The WLAN must be mapped to interface 'corp_vlan' (VLAN 100). After configuration, a wireless client reports it cannot see or connect to the SSID. Troubleshoot and resolve the client's association failure.

Network Topology: Client to AP to WLC (address shown in the diagram: 192.168.10.50)

Hints

  • The client cannot see the SSID in its Wi-Fi list — check broadcast setting.
  • All other WLAN parameters are correct; only one setting prevents discovery.
  • Use the 'broadcast-ssid' command under the WLAN configuration.
A. Enable SSID broadcast for the SecureCorp WLAN.
B. Change the security mode to WPA2-Personal with the same PSK.
C. Reconfigure the WLAN to use interface 'management' instead of 'corp_vlan'.
D. Disable the 5 GHz radio and enable the 2.4 GHz radio for the SecureCorp WLAN.
Answer: A
Solution
! WLC
config wlan 1
broadcast-ssid
end

Why this answer

The client cannot see the SSID because SSID broadcast is disabled. The SSID is supposed to be broadcast, but the setting is actually off. To resolve, enable SSID broadcast on the WLAN.

The security and VLAN settings are correct. Enabling broadcast allows the client to discover the network without manual entry.

Exam trap

Do not confuse SSID visibility issues with security or VLAN misconfigurations. A hidden SSID prevents discovery; the client must either manually configure the SSID or the administrator must enable broadcast. Always check the broadcast setting first when a client cannot see a WLAN.

Why the other options are wrong

B

The specific factual error is that the security mode does not affect SSID visibility; the problem is the broadcast setting.

C

The specific factual error is that interface mapping controls VLAN assignment for traffic, not SSID broadcast.

D

The specific factual error is that radio band selection does not affect SSID broadcast; the hidden SSID prevents discovery on any band.

365
Drag & Drop (medium)

Drag and drop the following steps into the correct order to configure PAT (NAT overload) on a Cisco IOS-XE router so that internal hosts can share a single public IP when accessing the internet. Note: The NAT overload command is applied globally, not on the interface.


Why this order

First, enter global configuration mode. Then configure the inside and outside interfaces with 'ip nat inside' and 'ip nat outside'. Next, create an ACL to identify internal traffic that should be translated.

Finally, apply the NAT overload configuration globally using 'ip nat inside source list <ACL> interface <outside-interface> overload'. The correct order is global config, interfaces, ACL, then global NAT command.

Exam trap

A common mistake is placing the ACL creation before configuring the interfaces or thinking that the NAT overload command is applied directly on the outside interface instead of globally.

366
MCQ (hard)

A network engineer notices that users in VLAN 10 report intermittent connectivity and slow file transfers to a server on the same switch. The engineer issues the show interfaces fa0/1 command on the switch port connected to the server and observes a high number of runts, input errors, and CRC errors, while output errors are minimal. The interface configuration shows speed 100 and duplex full.

A. The server NIC is set to 10 Mbps half-duplex, causing a speed mismatch.
B. The server NIC is auto-negotiating to 100 Mbps half-duplex, resulting in a duplex mismatch.
C. The cable connecting the server to the switch is faulty, introducing excessive noise.
D. The switch port is configured with an incorrect native VLAN, causing duplex negotiation issues.
Answer: B

With the switch forced to full-duplex and the server using auto-negotiation, the server defaults to half-duplex. The duplex mismatch leads to collisions on the half-duplex side, generating runts, CRC errors, and input errors on the switch port.

Why this answer

Option B is correct because the symptoms—high runts, input errors, and CRC errors with minimal output errors—are classic indicators of a duplex mismatch. When the switch port is hardcoded to 100 Mbps full-duplex and the server NIC auto-negotiates to 100 Mbps half-duplex (a common fallback when one side is manually set), collisions occur on the full-duplex side, corrupting frames and causing input errors. The speed matches (both 100 Mbps), so the issue is purely duplex-related.

Exam trap

Cisco often tests the misconception that speed and duplex mismatches always occur together; the trap here is that a duplex mismatch can exist even when speed matches, and the error pattern (high input errors, low output errors) specifically points to duplex, not cabling or VLAN issues.

Why the other options are wrong

A

Misconception that speed mismatch produces specific error counters; in reality, incompatible speeds cause link failure, not runts and CRC errors.

C

Misconception that CRC errors alone point to a bad cable; duplex mismatch is one of the most common causes of runts and CRC errors on forced-full interfaces.

D

Misconception that a VLAN mismatch can trigger interface errors; these errors are purely physical/data-link layer phenomena unrelated to VLAN settings.

367
Matching (medium)

Match each programmability term to its most accurate description.


Matches (right-hand column)
  • Structured representation of configuration or state
  • Common machine-readable data format
  • Specific API target or path
  • Credential-like access value

Why these pairings

Each term is correctly matched with its standard definition in software development and API contexts.

Exam trap

Candidates often confuse APIs with programming languages or protocols. Remember that an API is an interface, not a language or a protocol itself. It enables communication between different software systems.

368
MCQ (hard)

An administrator wants to permit SSH management access but block Telnet access to a device. Which statement best reflects that design goal?

A.SSH is preferred because it provides encrypted remote administration, unlike Telnet
B.Telnet is preferred because it provides stronger confidentiality than SSH
C.SSH can be used only on Layer 2 switches and not routers
D.Blocking Telnet automatically disables all AAA functions
AnswerA

This is correct because SSH protects management traffic with encryption, while Telnet sends it in clear text.

Why this answer

Permitting SSH while blocking Telnet is a hardening decision because SSH encrypts management traffic and Telnet does not. The administrator wants remote access to remain available with credentials and session data protected. Option A is correct: SSH provides encrypted remote administration.

Option B is wrong: Telnet offers no confidentiality. Option C is wrong: SSH works on routers and Layer 3 switches, not only Layer 2 switches. Option D is wrong: blocking Telnet does not disable AAA; AAA can still function over SSH or local authentication.

Exam trap

Avoid assuming that enabling both protocols or disabling both achieves security goals. Focus on encryption as the key factor.

Why the other options are wrong

B

Telnet transmits credentials and data in plaintext, so it lacks confidentiality and is less secure than SSH.

C

SSH can be configured on routers, Layer 3 switches, and any device that supports IP connectivity, not just Layer 2 switches.

D

Blocking Telnet only disables unencrypted remote access; AAA functions (e.g., authentication, authorization, accounting) remain operational via SSH or other methods.

369
Drag & Drop (hard)

Drag and drop the following steps into the correct order to describe how a router selects the best path and forwards a packet, using the routing table lookup process from destination IP to forwarding decision.

Why this order

The router first identifies the destination IP, then finds the best matching route using longest prefix match, and forwards to the next hop.

Exam trap

The exam trap here is that candidates often confuse the order of steps, especially placing the longest prefix match before examining the destination IP. Remember: you must know the destination before you can look it up in the routing table.
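The lookup order described above, as an added example that is not part of the question bank: a small Python model of a router's routing-table lookup. The table entries, next-hop addresses and interface names are constructed sample data, and only the forwarding lookup is modelled (administrative distance and metric decide which routes get installed in the table, not how an installed table is searched). The table is deliberately left unsorted to show that longest prefix match does not depend on entry order.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # None means the prefix is directly connected
    interface: str


def build_table(entries) -> List[Route]:
    """entries: (prefix, next hop or None, exit interface). Sample data, not a real device's table."""
    return [Route(ipaddress.IPv4Network(p), nh, intf) for p, nh, intf in entries]


# Constructed routing table: a default route, a summary, a more specific route and a connected network.
ROUTING_TABLE = build_table([
    ("10.0.0.0/8",  "192.168.100.2", "GigabitEthernet0/2"),
    ("0.0.0.0/0",   "192.0.2.1",     "GigabitEthernet0/1"),
    ("10.1.1.0/24", None,            "GigabitEthernet0/0"),
    ("10.1.0.0/16", "192.168.100.3", "GigabitEthernet0/2"),
])

# Same table without the default route, to show the no-match case.
TABLE_WITHOUT_DEFAULT = [r for r in ROUTING_TABLE if r.prefix.prefixlen > 0]


def lookup(table: List[Route], destination: str) -> Optional[Route]:
    """Longest prefix match: return the most specific route containing the destination, or None."""
    dst = ipaddress.IPv4Address(destination)     # step 1: read the destination IP from the packet header
    best = None
    for route in table:                           # step 2: test the destination against every prefix
        if dst in route.prefix:                   # a prefix is a candidate only if it contains dst
            if best is None or route.prefix.prefixlen > best.prefix.prefixlen:
                best = route                      # step 3: keep the longest (most specific) candidate
    return best                                   # None: no route and no default route, so the packet is dropped


def forwarding_decision(table: List[Route], destination: str) -> str:
    """Step 4: turn the selected route into a forwarding action."""
    route = lookup(table, destination)
    if route is None:
        return "drop"
    if route.next_hop is None:
        return f"{route.interface} connected"     # deliver directly on the attached segment
    return f"{route.interface} via {route.next_hop}"


if __name__ == "__main__":
    for dst in ("10.1.1.7", "10.1.9.9", "10.200.0.1", "198.51.100.5"):
        print(f"{dst:>14} -> {forwarding_decision(ROUTING_TABLE, dst)}")
```

Running it shows 10.1.1.7 matching the /24, /16, /8 and /0 entries at once and being forwarded by the /24, while 198.51.100.5 falls through to the default route only because one exists; remove it and the result is a drop.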

370
Multi-Select (medium)

Which TWO statements accurately describe how AI and ML concepts are applied to network operations?

Select 2 answers
A.Intent-based networking translates business intent into network policies and continuously validates that the network meets those intentions.
B.Anomaly detection uses ML models to identify deviations from normal traffic baselines, which can indicate security threats or performance issues.
C.Predictive analytics uses historical data to forecast future network conditions and automatically reconfigures network devices to prevent issues.
D.ML models in network operations are trained exclusively on labeled datasets to detect known attack signatures.
E.Rule-based systems are preferred over ML for anomaly detection because they can adapt to new, unknown patterns without manual updates.
Answers: A, B

This is a core principle of IBN: it automates policy translation and ongoing validation to ensure the network aligns with business goals.

Why this answer

Option A is correct because intent-based networking (IBN) captures business intent in a declarative model, translates it into network policies (e.g., via Cisco DNA Center), and continuously validates that the network state matches the intended outcome using assurance and closed-loop analytics. Option B is correct because anomaly detection leverages ML models to establish a baseline of normal traffic and then flags deviations, which can indicate security threats or performance issues. Option C is incorrect because predictive analytics forecasts future network conditions but does not automatically reconfigure devices; that requires closed-loop automation.

Option D is false because ML models in network operations are not trained exclusively on labeled data; unsupervised learning can detect unknown patterns without labeled datasets. Option E is false because rule-based systems cannot adapt to new, unknown patterns without manual updates, whereas ML models are better suited for anomaly detection due to their ability to learn and generalize from data.

Exam trap

Cisco often tests the distinction between 'predictive analytics' (which forecasts but does not automatically reconfigure) and 'closed-loop automation' (which does), leading candidates to overstate the capabilities of predictive analytics in option C.

Why the other options are wrong

C

Predictive analytics forecasts future network conditions (e.g., link utilization trends) but does not automatically reconfigure devices; automation requires separate closed-loop systems like Cisco DNA Assurance with RMA (reactive, proactive, predictive) workflows. The statement incorrectly combines prediction with automatic reconfiguration.

D

ML models in network operations can be trained using both supervised learning (labeled data for known attacks) and unsupervised learning (unlabeled data to discover unknown patterns). The statement incorrectly claims exclusive use of labeled datasets, ignoring unsupervised anomaly detection which is critical for identifying novel threats.

E

Rule-based systems are static and cannot adapt to new, unknown patterns without manual rule updates. ML models, especially unsupervised learning, excel at detecting anomalies without predefined rules. The statement reverses the strengths of rule-based and ML approaches.

371
Matching (medium)

Match each HTTP method to the action it most commonly performs in a REST API.

Retrieve a resource

Create a new resource

Update or replace a resource

Remove a resource

Why these pairings

These are the standard HTTP methods and their typical CRUD operations in RESTful APIs, as defined by the HTTP specification.

Exam trap

Cisco exams often test the standard RESTful mapping of HTTP methods to CRUD operations. Remember: GET = read, POST = create, PUT = update/replace, DELETE = delete. Do not confuse POST with update or PUT with delete.

372
Matching (medium)

Match each STP or switch protection feature to the problem it is mainly designed to prevent.

Reduces delay for an end-host access port to reach forwarding

Err-disables a PortFast port that unexpectedly receives a BPDU

Prevents an access or designated port from becoming a new root port because of superior BPDUs

Helps stop a non-designated port from transitioning to forwarding when BPDUs stop arriving

Why these pairings

STP protection features prevent specific problems: Root Guard protects root bridge election, BPDU Guard prevents loops on access ports, Loop Guard handles BPDU loss, UDLD detects unidirectional links, and PortFast speeds up port transition.

Exam trap

The exam trap is confusing BPDU Guard with Root Guard or Loop Guard. Remember that BPDU Guard specifically protects against rogue switches by shutting down the port if a BPDU is received on a PortFast port.

373
Matching (medium)

Match each controller or API direction term to its most accurate meaning.

Direction used when applications communicate with the controller

Direction used when the controller communicates with infrastructure devices

Central platform used for policy and management coordination

Software interface used for defined communication between systems

Why these pairings

Controller/API directions: northbound APIs carry communication between applications and the controller; southbound APIs carry communication between the controller and the infrastructure devices; east/west interfaces connect controllers to each other; REST and NETCONF are common protocols used on those interfaces.

Exam trap

Do not confuse protocols (REST, NETCONF) with direction terms (northbound, southbound). The question specifically asks for direction terms, not protocols.

374
Multi-Select (hard)

Which two statements accurately compare IPv4 private addresses and public addresses?

Select 2 answers
A.Private IPv4 addresses are not directly Internet-routable.
B.Public IPv4 addresses are intended to be globally unique and routable.
C.Private IPv4 addresses always require OSPF to function inside a LAN.
D.Public IPv4 addresses cannot exist on Internet-facing devices.
E.Private and public IPv4 addresses are both automatically translated by ARP.
Answers: A, B

This is correct because RFC 1918 private ranges are intended for internal use and are not routed on the public Internet.

Why this answer

Private IPv4 addresses are intended for internal use and are not directly routable on the public Internet. In plain language, they are designed for use inside organizations, homes, and other local environments without consuming globally unique public space. Public addresses, by contrast, are intended to be unique and routable across the Internet. This is one of the main reasons NAT became so common in IPv4 environments.

CCNA questions often test this distinction because learners sometimes confuse “valid inside a LAN” with “routable everywhere.” Private addressing is extremely useful, but it does not eliminate the need for translation or public addressing when reaching the Internet. The two correct statements are the ones that preserve that basic separation between internal-use ranges and globally routable address space.

Exam trap

Be careful not to confuse the routability of private addresses with their validity within a LAN. Private addresses need NAT for Internet access.

Why the other options are wrong

C

Private IPv4 addresses do not require OSPF or any specific routing protocol to function inside a LAN; they can operate with static routes or any dynamic routing protocol. OSPF is just one option and is not mandatory.

D

Public IPv4 addresses are specifically used on Internet-facing devices to enable global reachability. Without public addresses, devices would not be directly accessible from the Internet.

E

ARP (Address Resolution Protocol) resolves IP addresses to MAC addresses on a local network segment and does not perform any translation between private and public addresses. NAT (Network Address Translation) handles that translation.

375
PBQ (medium)

You are connected to the console of R1. The network uses IPv6 with EUI-64. R1's GigabitEthernet0/0 has MAC address 0011.2233.4455. You need to configure an IPv6 address on this interface using the prefix 2001:db8:1:1::/64 with EUI-64, and ensure the interface is operational.

Network Topology
R1 (G0/0) -- LAN -- Hosts

Hints

  • The command uses 'ipv6 address' with the 'eui-64' keyword.
  • EUI-64 automatically generates the interface ID from the MAC address.
  • Verify the full IPv6 address with the link-local and global addresses.
A.ipv6 address 2001:db8:1:1:0011:22ff:fe33:4455/64 eui-64
B.ipv6 address 2001:db8:1:1::/64 eui-64
C.ipv6 address 2001:db8:1:1:0211:22ff:fe33:4455/64
D.ipv6 address 2001:db8:1:1::/64 eui-64 0011.2233.4455
Answer: B

Solution:
! R1
interface GigabitEthernet0/0
 ipv6 address 2001:db8:1:1::/64 eui-64

Why this answer

Option B uses the correct syntax 'ipv6 address 2001:db8:1:1::/64 eui-64', which configures the prefix and derives the interface ID automatically from the MAC address via EUI-64. Option A is invalid because specifying the full 128-bit address with the eui-64 keyword is not allowed; the eui-64 keyword requires only a prefix. Option C omits the eui-64 keyword, so it configures a static address without using EUI-64, which would not match the requirement to use EUI-64.

Option D appends the MAC address after the eui-64 keyword, which is invalid syntax; the eui-64 keyword does not accept an explicit MAC address.

Exam trap

Remember that the 'ipv6 address ... eui-64' command automatically derives the interface ID from the MAC address. Do not manually calculate the EUI-64 address or include the MAC address in the command. Also, ensure you include the 'eui-64' keyword; without it, the command expects a full 128-bit address.

Why the other options are wrong

A

Invalid syntax: the eui-64 keyword cannot be used with a full 128-bit address; it requires only a prefix.

C

Missing the eui-64 keyword, so the interface would be configured with a static address rather than deriving the interface ID from the MAC.

D

Invalid syntax: the eui-64 keyword does not accept an explicit MAC address as an argument.
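What the 'eui-64' keyword computes on R1's behalf, as an added example that is not part of the question bank or of IOS: the modified EUI-64 derivation from RFC 4291 Appendix A applied to the MAC and prefix in this question. Splitting 0011.2233.4455 in half, inserting ff:fe and inverting the universal/local bit gives the interface ID 0211:22ff:fe33:4455, so the address that option C writes out statically is exactly what option B derives, and the 0011 in option A is the unflipped MAC half. The helper names and the link-local check are this example's own.

```python
import ipaddress
import re


def parse_mac(mac: str) -> bytes:
    """Accept Cisco dotted (0011.2233.4455), colon or hyphen notation and return the six raw octets."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"expected 12 hex digits in MAC address, got {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface ID (RFC 4291, Appendix A):
    split the 48-bit MAC in two, insert 0xFFFE between the halves,
    then invert the universal/local bit (value 0x02 of the first octet)."""
    octets = parse_mac(mac)
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02          # XOR flips the bit in both directions (set -> clear, clear -> set)
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Join a /64 prefix with the EUI-64 interface ID, which is what 'ipv6 address <prefix>/64 eui-64' does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("the interface ID is 64 bits, so the prefix must be a /64")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """Link-local address derived for the same interface (fe80::/64 plus the same EUI-64 interface ID)."""
    return eui64_address("fe80::/64", mac)


def matches_static_address(prefix: str, mac: str, candidate: str) -> bool:
    """True when a fully written static address equals what EUI-64 would derive from the MAC."""
    return eui64_address(prefix, mac) == ipaddress.IPv6Address(candidate)


if __name__ == "__main__":
    mac = "0011.2233.4455"            # R1 G0/0 from the question
    print("interface ID :", eui64_interface_id(mac).hex())
    print("global       :", eui64_address("2001:db8:1:1::/64", mac))
    print("link-local   :", link_local_address(mac))
```

The final hint in the question (verify both the link-local and the global address) is why link_local_address is included: both addresses share one interface ID, so a mismatch between them is the first sign that the prefix was typed in the wrong form.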
