CCNA 200-301 v2 (200-301) — Questions 376-450

1819 questions total · 25 pages · All types, answers revealed

376 · Multi-Select · medium

Which TWO statements are correct regarding Protocol Data Units (PDUs) and data encapsulation in the OSI model?

Select 2 answers
A. The PDU at the Transport layer is called a frame.
B. Data is encapsulated with a TCP header at the Transport layer to form a segment.
C. The Network layer PDU is the packet, which includes the IP header.
D. The Data Link layer adds a header and trailer to create a bit.
E. Encapsulation occurs as data moves up the OSI layers from Physical to Application.
Answers: B, C

The Transport layer adds a TCP header (or UDP header) to the data from upper layers, creating a segment (or datagram). This is a correct description of encapsulation.

Why this answer

Option B is correct because at the Transport layer, the TCP protocol adds a TCP header to the payload data, forming a segment. This encapsulation process is fundamental to reliable data delivery, as the TCP header includes source and destination ports, sequence numbers, and acknowledgment numbers for connection-oriented communication.

Exam trap

Cisco often tests the direction of encapsulation (down the stack) versus de-encapsulation (up the stack), and the specific PDU names at each layer, to catch candidates who confuse these fundamental concepts.

Why the other options are wrong

A

This statement incorrectly identifies the Transport layer PDU; it is actually a segment or datagram, while a frame is at Layer 2.

D

Bits are created at the Physical layer, not the Data Link layer; the Data Link layer creates frames.

E

This describes decapsulation, not encapsulation. Encapsulation occurs when moving down the OSI model stack.

377 · Matching · medium

Match each service to the issue it most directly addresses.

Pairings (answer):

DNS → Names fail but direct IP access still works

DHCP → Clients do not receive addressing automatically

NTP → Device times and timestamps do not align

Syslog → Administrators want centralized event collection

Why these pairings

Each service directly addresses a specific network issue: DNS resolves names, DHCP assigns IPs, NTP syncs time, SNMP manages devices, Syslog collects logs, and NetFlow analyzes traffic.

Exam trap

The trap is confusing services that have overlapping or complementary roles, such as DHCP providing NTP server options or SNMP and NetFlow both being monitoring tools. Focus on the primary function of each service, not secondary capabilities.

378 · Matching · easy

Match each remote-management concept to its most accurate description.

Pairings (answer):

SSH → Encrypted remote administration

Telnet → Unencrypted remote terminal access

AAA → Framework for authentication, authorization, and accounting

Syslog → Centralized event and log reporting

Why these pairings

Remote management methods vary in security and functionality: Telnet is unencrypted, SSH is encrypted, RDP is for Windows desktops, VNC is platform-independent, console provides direct access, and serial is a physical connection method.

Exam trap

Do not confuse Telnet with SSH; both provide remote CLI but only SSH encrypts. Also, distinguish between in-band (Telnet/SSH) and out-of-band (console) management.

379 · Multi-Select · medium

Which TWO statements accurately describe the responsibilities of the OSI model's Transport layer?

Select 2 answers
A. It provides logical addressing and routing to determine the best path for data.
B. It segments data from the upper layers and manages end-to-end flow control.
C. It converts data into electrical signals for transmission over the physical medium.
D. It provides reliable or unreliable delivery of data between applications on different hosts.
E. It encapsulates data into frames and adds source and destination MAC addresses.
Answers: B, D

The Transport layer segments data into smaller units and can use flow control mechanisms (e.g., TCP's windowing) to prevent overwhelming the receiver.

Why this answer

Option B is correct because the Transport layer (Layer 4) segments data from upper layers and manages end-to-end flow control using mechanisms like TCP's sliding window to prevent overwhelming a slow receiver. Option D is correct because the Transport layer provides either reliable delivery (TCP) or unreliable delivery (UDP) between applications on different hosts, ensuring data reaches the appropriate application via port numbers. Option A is incorrect because logical addressing and routing are functions of the Network layer (Layer 3).

Option C is incorrect because converting data into electrical signals is the responsibility of the Physical layer (Layer 1). Option E is incorrect because encapsulating data into frames with MAC addresses is a function of the Data Link layer (Layer 2).

Exam trap

Cisco often tests the distinction between Transport layer flow control (end-to-end) and Network layer congestion control (path-based), leading candidates to confuse Layer 4 segmentation with Layer 3 routing functions.

Why the other options are wrong

A

Logical addressing and routing are Network layer (Layer 3) functions, not Transport layer responsibilities.

C

Converting data into electrical signals is the Physical layer (Layer 1) function, not Transport layer.

E

Encapsulation into frames with MAC addresses is a Data Link layer (Layer 2) function, not Transport layer.

380 · MCQ · medium

A network engineer is troubleshooting a connectivity issue between two hosts on different subnets. The sending host has constructed a packet with a destination IP address of 192.168.2.10. As the packet travels down the OSI model layers on the sending host, which Protocol Data Unit (PDU) name is assigned to the data at the Transport layer after TCP segments are created, and at which layer does the IP address get encapsulated?

A. PDU is a frame; IP address is added at the Data Link layer.
B. PDU is a segment; IP address is added at the Network layer.
C. PDU is a packet; IP address is added at the Transport layer.
D. PDU is a datagram; IP address is added at the Transport layer.
Answer: B

TCP segments are formed at the Transport layer, and the IP address is encapsulated at the Network layer when creating the packet.

Why this answer

At the Transport layer, TCP divides data into segments, so the PDU is called a segment, making B correct. The destination IP address (192.168.2.10) is added at the Network layer, where the IP header encapsulates the segment into a packet. Option A is wrong because a frame is a Data Link layer PDU, and IP addresses are not added at that layer.

Option C is wrong because the PDU at the Transport layer is a segment, not a packet, and IP addresses are added at the Network layer, not the Transport layer. Option D is wrong because 'datagram' typically refers to UDP’s Transport layer PDU (not TCP), and IP addresses are not added at the Transport layer.

Exam trap

Cisco often tests the precise PDU naming per layer (segment for TCP at Transport, packet for IP at Network) and the layer where IP addresses are added, tricking candidates who confuse 'packet' with 'segment' or think IP addresses are added at the Transport layer.

Why the other options are wrong

A

The PDU at the Transport layer is a segment, not a frame. Frames are the PDU at the Data Link layer (Layer 2). Additionally, IP addresses are added at the Network layer (Layer 3), not the Data Link layer.

C

A packet is the PDU at the Network layer (Layer 3), not the Transport layer. The IP address is added at the Network layer, not the Transport layer. The Transport layer PDU is a segment (for TCP) or a datagram (for UDP).

D

A datagram is the PDU for UDP at the Transport layer, but the question specifies TCP segments. Even if it were UDP, the IP address is still added at the Network layer, not the Transport layer.

381 · MCQ · hard

A technician connects a PC to a switch port that has port security enabled with the default maximum of one MAC address and violation mode shutdown. Immediately after connecting, the port goes into the err-disabled state. The technician runs the show interfaces command and sees the port status as err-disabled. What should the technician do next?

A. Configure the port security violation mode to restrict, increase the maximum number of MAC addresses, and then recover the port.
B. Disable port security on the interface.
C. Enter the shutdown and no shutdown commands to recover the port, then enable port security with sticky MAC learning.
D. Verify the spanning-tree portfast configuration on the interface.
Answer: A

This directly addresses the symptom (err-disabled due to a port security violation) by making the policy more permissive while still retaining security. Increasing max MACs prevents the violation, and switching to restrict mode avoids future shutdowns. The err-disable state is cleared so the port becomes operational again.

Why this answer

Option A is correct because the port went into err-disabled state due to a port security violation (default maximum of one MAC address was exceeded). To resolve this, the technician must first recover the port (shutdown/no shutdown) or use the 'errdisable recovery cause psecure-violation' command, but the question asks what to do next. The best next step is to configure the violation mode to 'restrict' (which allows traffic from violating MACs but logs them) and increase the maximum MAC addresses to accommodate the PC, then recover the port.

This prevents immediate err-disable on future violations while maintaining security.

Exam trap

Cisco often tests the misconception that simply recovering the port (shutdown/no shutdown) is sufficient, but candidates must realize that the underlying violation condition must be corrected first to prevent immediate reoccurrence.

Why the other options are wrong

B

Assumes port security is the problem itself rather than its configuration, leading to a full removal of the feature.

C

Focuses on clearing the error state without addressing why the violation occurred, leading to a loop of repeated err-disabled events.

D

Mistakenly attributes the err-disabled condition to a Layer 2 loop-prevention feature instead of the explicitly configured Layer 2 security feature.

382 · PBQ · hard

You are connected to R1, a multilayer switch acting as the STP root bridge. Configure Root Guard on the designated port toward R2 (G0/1), Loop Guard on the uplink port G0/2, and BPDU Guard on PortFast-enabled access port G0/3. After configuration, a superior BPDU is received on G0/1, causing it to be blocked by Root Guard; later, an unauthorized BPDU on G0/3 triggers err-disable. Troubleshoot and verify the expected port states.

Hints

  • Root Guard only blocks a port when it receives a superior BPDU; it does not affect normal operation.
  • Loop Guard prevents alternate or root ports from becoming designated in case of BPDU loss.
  • BPDU Guard err-disables a PortFast port immediately upon BPDU reception.
A. G0/1 is in blocking state (Root Guard), G0/2 is in forwarding state (Loop Guard), G0/3 is in err-disable state (BPDU Guard).
B. G0/1 is in forwarding state (Root Guard), G0/2 is in blocking state (Loop Guard), G0/3 is in err-disable state (BPDU Guard).
C. G0/1 is in err-disable state (Root Guard), G0/2 is in forwarding state (Loop Guard), G0/3 is in blocking state (BPDU Guard).
D. G0/1 is in blocking state (Root Guard), G0/2 is in loop-inconsistent state (Loop Guard), G0/3 is in err-disable state (BPDU Guard).
Answer: A
Solution
! R1
interface GigabitEthernet0/1
no spanning-tree guard root
spanning-tree guard root
end
interface GigabitEthernet0/3
shutdown
no shutdown
end

Why this answer

The root guard on G0/1 correctly blocked the port when a superior BPDU was received, preventing an unauthorized root bridge. Loop Guard was applied specifically to the uplink port G0/2 to prevent forwarding loops in case of uni-directional link failure. BPDU Guard on G0/3 placed the port into err-disable state upon receiving an unexpected BPDU, which protects the PortFast edge port.

To restore G0/3, you must manually shut/no shut the interface after removing the offending device.

Exam trap

Do not confuse the actions of Root Guard (blocking) with BPDU Guard (err-disable). Root Guard blocks the port temporarily; BPDU Guard err-disables the port until manual intervention. Also, Loop Guard does not block immediately; it only reacts when BPDUs stop.

Why the other options are wrong

B

Root Guard blocks the port upon receiving a superior BPDU, not forwards. Loop Guard transitions to blocking only after BPDU loss, not while BPDUs are still received.

C

Root Guard results in a blocking state, not err-disable. BPDU Guard results in err-disable, not blocking.

D

Loop Guard does not immediately place the port in loop-inconsistent state; it only does so after BPDU loss. Here, BPDUs are still being received.

383 · Drag &amp; Drop · medium

Drag and drop the following steps into the correct order to configure NTP with authentication on a Cisco router.

Correct order (answer):

1. Define the NTP authentication key (ntp authentication-key)
2. Enable NTP authentication globally (ntp authenticate)
3. Mark the key as trusted (ntp trusted-key)
4. Associate the NTP server with the key (ntp server with the key option)
5. Verify the authenticated association (show ntp associations)

Why this order

First, define the NTP authentication key using the ntp authentication-key command to create the key that will be used. Second, enable NTP authentication globally with ntp authenticate so that the router requires keys for NTP associations. Third, specify which keys are trusted with ntp trusted-key so the router accepts those keys.

Fourth, associate the NTP server with the key using the ntp server command with the key option, linking the server to the trusted key. Finally, verify the authenticated association using show ntp associations to confirm the configuration is working. This order is required because the key must exist before it can be trusted, authentication must be enabled before keys are checked, and the server must be configured with the key only after it is trusted.

384 · Drag &amp; Drop · medium

Drag and drop the following steps into the correct order to configure Root Guard on designated ports, Loop Guard on non-designated ports, and BPDU Guard on PortFast ports, and then recover a port that enters err-disabled due to BPDU Guard.

Correct order (answer):

1. Apply Root Guard on designated ports
2. Apply Loop Guard on non-designated (alternate/backup) ports
3. Apply BPDU Guard on PortFast-enabled ports
4. Recover the err-disabled port with shutdown followed by no shutdown

Why this order

The correct order begins with Root Guard on designated ports to prevent them from becoming root ports upon receiving superior BPDUs. Next, Loop Guard is applied to non-designated ports (alternate/backup) to protect against unidirectional link failures. Then, BPDU Guard is placed on PortFast-enabled ports to shut them down if a BPDU is received, preventing rogue switch connections.

Finally, recovery from BPDU Guard err-disable requires a manual interface reset (shutdown/no shutdown) because the errdisable cause 'bpduguard' has no automatic timeout.

Exam trap

Cisco exams often test the specific port roles for each STP protection feature. Remember: Root Guard is for designated ports, Loop Guard is for non-designated ports (alternate/backup), and BPDU Guard is for PortFast ports. Also, recovery from err-disabled due to BPDU Guard requires manual interface reset, not just waiting or removing the configuration.

385 · Matching · medium

Match each switch protection feature to its most accurate purpose.

Pairings (answer):

Port security → Limits and controls MAC address use on a switch port

BPDU Guard → Disables an edge port if a BPDU is received

DHCP Snooping → Helps block rogue DHCP behavior and build trusted bindings

Dynamic ARP Inspection → Validates ARP traffic using trusted information

Why these pairings

Port security directly controls MAC address usage on a switch port, limiting the number and types of MACs allowed. BPDU Guard disables an edge port if it receives a BPDU, preventing potential loop or rogue switch issues. DHCP Snooping filters untrusted DHCP messages and builds a binding table of valid IP-MAC pairs.

Dynamic ARP Inspection validates ARP packets against the DHCP Snooping binding table, ensuring they are legitimate.

Exam trap

Do not confuse the purposes of BPDU Guard and Root Guard. BPDU Guard error-disables a port upon receiving any BPDU, while Root Guard only reacts to superior BPDUs and does not disable the port. Also, Loop Guard and UDLD both address loop issues but in different ways: Loop Guard handles BPDU loss, UDLD handles unidirectional links.

386 · Multi-Select · medium

Which TWO statements accurately describe cabling and SFP transceiver diagnostics?

Select 2 answers
A. Copper SFP modules require Cat6a cabling to achieve a 100-meter reach.
B. Fiber SFP modules are typically identified by the 'GLC-T' or 'SFP-GE-T' product IDs.
C. The 'show interfaces transceiver' command displays optical power levels for both Tx and Rx on fiber SFPs.
D. The 'show cable-diagnostics tdr interface' command can measure the distance to a break in a fiber optic cable.
E. A multimode fiber SFP with LC connectors is commonly used for short-reach connections up to 550 meters.
Answers: C, E

This command provides real-time transceiver diagnostics, including transmit power, receive power, temperature, voltage, and bias current. It is valid for fiber SFP modules that support digital optical monitoring (DOM).

Why this answer

Option C is correct because the 'show interfaces transceiver' command on Cisco IOS devices displays detailed operational data for SFP modules, including optical power levels for both transmit (Tx) and receive (Rx) on fiber SFPs. This output is critical for verifying that the optical signal is within the specified thresholds to ensure proper link operation.

Exam trap

Cisco often tests the distinction between copper and fiber SFP product IDs (e.g., 'GLC-T' is copper, not fiber) and the correct diagnostic commands for each media type, leading candidates to confuse TDR (copper) with fiber optical power monitoring.

Why the other options are wrong

A

The statement incorrectly mandates Cat6a cabling, whereas Cat5e and Cat6 also support the full 100-meter distance for 1000BASE-T.

B

This mixes up part number naming conventions; GLC-T and SFP-GE-T always indicate copper transceivers, not fiber.

D

TDR relies on electrical signals and impedance changes; it cannot function on fiber optics.

387 · PBQ · hard

You are connected to R1. The network administrator has partially configured IPv4 and IPv6 on the interfaces. However, PC1 (connected to R1's G0/1) cannot reach PC2 (connected to R2's G0/1). Configure R1 and R2 so that PC1 can ping PC2. Fix any addressing errors. Use IPv4 subnet 192.0.2.0/30 for the link between R1 and R2, and 198.51.100.0/24 for the PC LANs. For IPv6, use 2001:db8:1::/64 on R1's G0/1 and 2001:db8:2::/64 on R2's G0/1, with R1's G0/1 using EUI-64 and R2's G0/1 using a static address 2001:db8:2::1/64.

Hints

  • Check the subnet mask on the link between R1 and R2.
  • IPv6 EUI-64 requires the interface to be up and unicast-routing enabled.
  • Ensure both routers have routes to each other's LANs.
A. On R1, change the subnet mask on G0/0 from /24 to /30. On R1 G0/1, issue 'ipv6 address 2001:db8:1::/64 eui-64' and 'no shutdown'. Enable 'ipv6 unicast-routing' globally on both routers.
B. On R1, change the subnet mask on G0/0 from /24 to /30. On R1 G0/1, issue 'ipv6 address 2001:db8:1::/64 eui-64' and 'no shutdown'. No need to enable IPv6 unicast-routing because it is on by default.
C. On R1, change the subnet mask on G0/0 from /24 to /30. On R1 G0/1, issue 'ipv6 address 2001:db8:1::/64' (without eui-64) and 'no shutdown'. Enable 'ipv6 unicast-routing' globally on both routers.
D. On R1, change the subnet mask on G0/0 from /24 to /30. On R1 G0/1, issue 'ipv6 address 2001:db8:1::/64 eui-64' and 'no shutdown'. Enable 'ipv6 unicast-routing' globally on both routers. Also, change the default gateway on PC1 to 2001:db8:1::1.
Answer: A
Solution
! R1
interface GigabitEthernet0/0
ip address 192.0.2.1 255.255.255.252
exit
interface GigabitEthernet0/1
ipv6 address 2001:db8:1::/64 eui-64
no shutdown
exit
ipv6 unicast-routing

! R2

Why this answer

The issue is a subnet mask mismatch on the link between R1 and R2: R1 uses /24 (255.255.255.0) while R2 uses /30 (255.255.255.252). This prevents R1 from having a route to R2's LAN. Fix R1's G0/0 mask to /30.

Additionally, R1's G0/1 has no EUI-64 IPv6 address yet (the eui-64 keyword is what generates the interface identifier from the MAC address); the required command is 'ipv6 address 2001:db8:1::/64 eui-64', and the interface must also be enabled with 'no shutdown'. Also ensure IPv6 unicast-routing is enabled. The PCs have correct gateways.

Exam trap

Watch for subnet mask mismatches on point-to-point links; they break routing. Also, remember that IPv6 unicast-routing is disabled by default and must be enabled. EUI-64 requires the 'eui-64' keyword and generates an address based on MAC, not a static ::1.

Why the other options are wrong

B

The specific factual error is that IPv6 unicast-routing is disabled by default on Cisco routers.

C

The specific factual error is that the command without 'eui-64' assigns a static address, not an EUI-64 address.

D

The specific factual error is assuming the EUI-64 address ends with ::1, which is not guaranteed.

388 · Multi-Select · medium

Which three statements about the routing table and route selection are correct? (Choose three.)

Select 3 answers
A. The route with the longest prefix match is always preferred when multiple routes match the destination IP.
B. A directly connected route has an administrative distance of 0 by default.
C. If two routes have the same prefix length and metric, load balancing can occur across both.
D. The administrative distance of a static route is always 1.
E. An OSPF inter-area route has a lower administrative distance than an OSPF intra-area route.
F. A default route (0.0.0.0/0) is always preferred over any more specific route.
Answers: A, B, C

Why this answer

The route with the longest prefix match is always preferred because it is the most specific route to the destination IP. A directly connected route has an administrative distance of 0 by default, making it the most trusted route source. If two routes have the same prefix length, administrative distance, and metric, equal-cost load balancing can occur, distributing traffic over multiple paths.

Exam trap

Cisco often tests the distinction between administrative distance and metric, and the trap here is that candidates might think load balancing requires different metrics or that directly connected routes have an AD other than 0.

389 · MCQ · hard

Why is a northbound API valuable to orchestration systems in a controller-based architecture?

A. It provides a defined software interface through which orchestration tools can interact with the controller.
B. It allows network devices to communicate directly with each other without the controller.
C. It is a physical interface used to connect the controller to the orchestration system.
D. It is a physical cable standard for controller uplinks.
Answer: A

This is correct because northbound APIs exist for application and orchestration access.

Why this answer

A northbound API is valuable because it provides a defined software interface for orchestration systems to interact with the controller programmatically. Option B is incorrect because northbound APIs do not enable direct device-to-device communication; that is a function of the data plane. Option C is incorrect because northbound APIs are logical software interfaces, not physical cables or ports.

Option D is also incorrect as it mischaracterizes the API as a hardware standard.

Exam trap

A common exam trap is mistaking the northbound API for a physical connection or confusing it with southbound APIs that communicate with network devices.

Why the other options are wrong

B

This describes direct device communication or southbound APIs, not the northbound API used by orchestration.

C

Northbound APIs are logical software interfaces, not physical cable standards or hardware.

390 · PBQ · medium

You are connected to R1 via the console. R1 is a router that needs to provide DHCP services for hosts on VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24). The DHCP server is located on VLAN 10 at 192.168.10.100, but hosts on VLAN 20 cannot reach it directly. Configure R1 to forward DHCP broadcasts from VLAN 20 to the DHCP server.

Network topology (figure): R1 has subinterface G0/0.10 at 192.168.10.1/24 (VLAN 10, where the DHCP server sits) and subinterface G0/0.20 at 192.168.20.1/24 (VLAN 20, where the hosts sit).

Hints

  • The helper address should be placed on the interface that receives the DHCP broadcast.
  • The helper address is the server's IP address.
  • Only one command is needed.
A. interface GigabitEthernet0/0.20
     encapsulation dot1Q 20
     ip helper-address 192.168.10.100
B. interface GigabitEthernet0/0.10
     encapsulation dot1Q 10
     ip helper-address 192.168.10.100
C. interface GigabitEthernet0/0.20
     encapsulation dot1Q 20
     ip dhcp relay information option
D. ip dhcp pool VLAN20
     network 192.168.20.0 255.255.255.0
     default-router 192.168.20.1
Answer: A
Solution
! R1
interface GigabitEthernet0/0.20
ip helper-address 192.168.10.100

Why this answer

The ip helper-address command enables the router to forward UDP broadcasts (including DHCP) to a specific server. Placing it on the VLAN 20 subinterface ensures that DHCP requests from VLAN 20 are unicast to the server on VLAN 10.

Exam trap

The key trap is placing the ip helper-address on the wrong interface. Remember: the helper-address must be on the interface that receives the client's broadcast, not on the server's interface. Also, do not confuse ip helper-address with DHCP server configuration or relay option commands.

Why the other options are wrong

B

The ip helper-address must be configured on the interface that receives the client broadcasts (VLAN 20), not the server's VLAN.

C

This command enables relay agent information insertion, not the actual forwarding of DHCP packets to a server.

D

The question states the DHCP server is at 192.168.10.100, so R1 should relay, not serve.

391 · Drag &amp; Drop · medium

Drag and drop the following steps into the correct order to isolate and resolve interface CRC errors, duplex mismatches, and flapping on a Cisco IOS-XE switch.

Correct order (answer):

1. Check interface statistics (show interface) to identify CRC errors, duplex mismatches, or flapping
2. Verify the duplex settings and the cable
3. Replace hardware if needed
4. Confirm that the issue is resolved

Why this order

Start with checking statistics to identify issues, then verify duplex and cable, replace hardware if needed, and finally confirm resolution.

Exam trap

Candidates often jump to hardware replacement or configuration changes without first gathering data. Always start with 'show interface' statistics to pinpoint the issue before taking corrective action.

392 · Multi-Select · medium

Which two statements about OSPF neighbor requirements on a shared Ethernet segment are correct? (Choose two.)

Select 2 answers
A. They must be in the same OSPF area on that link.
B. They must use the same subnet on the connected interfaces.
C. They must have identical router IDs.
D. They must use the same process ID number on both routers.
Answers: A, B

Correct. Area mismatch prevents adjacency.

Why this answer

Neighbors must agree on key parameters such as area ID and subnet, and they exchange Hello packets on the segment.

Exam trap

A frequent exam trap is confusing the OSPF process ID with the area ID or router ID requirements. Candidates often think the process ID must match between neighbors, but it is locally significant and does not affect adjacency. Another common mistake is assuming router IDs must be identical; in fact, router IDs must be unique within the OSPF domain to prevent routing conflicts.

Misunderstanding these distinctions can lead to selecting incorrect answers about neighbor requirements. The key is to focus on area ID and subnet matching for adjacency on shared Ethernet segments, not process ID or identical router IDs.

Why the other options are wrong

C

Incorrect because router IDs must be unique within the OSPF domain, not identical. Identical router IDs cause routing conflicts and prevent proper operation.

D

Incorrect because the OSPF process ID is locally significant to each router and does not need to match between neighbors for adjacency formation.

393 · Matching · easy

Match each IP service to its primary function.

Pairings (answer):

DHCP → Automatic assignment of IP configuration information to clients

DNS → Resolution of hostnames into IP information

NTP → Synchronization of device clocks

Syslog → Centralized collection of event and log messages

Why these pairings

DHCP automatically assigns IP configuration (IP address, subnet mask, default gateway) to clients. DNS resolves human-readable hostnames (e.g., www.example.com) into IP addresses. NTP synchronizes device clocks over a network to ensure accurate time-stamping.

Syslog provides a centralized collection of event and log messages from network devices.

Exam trap

Be careful not to confuse DHCP (automatic IP assignment) with DNS (name resolution).

394 · MCQ · hard

A router shows this output:

R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.1.2          1   FULL/DR         00:00:34    192.168.12.2    GigabitEthernet0/0
10.1.1.3          1   2WAY/DROTHER    00:00:39    192.168.12.3    GigabitEthernet0/0

Which statement is correct?

A. R1 has failed to form adjacency with 10.1.1.3
B. This can be normal on a broadcast segment where DROTHER routers remain in 2-Way
C. R1 has a duplicate router ID with 10.1.1.3
D. The interface is passive
Answer: B

Correct. This is normal DR/DROTHER behavior on many multiaccess networks.

Why this answer

On broadcast OSPF networks, full adjacency is typically formed with the DR and BDR. DROTHER routers can remain in the 2-Way state with one another and still be operating normally.

Exam trap

Be cautious not to confuse the 2WAY state with being a BDR or DR. Understand the significance of FULL/DR and 2WAY/DROTHER states.

Why the other options are wrong

A

The 2-Way state is a normal OSPF neighbor state on broadcast multiaccess networks for non-DR/BDR routers (DROTHERs). It indicates that bidirectional communication has been established, but full adjacency is not required because they do not exchange LSAs directly. This is not a failure.

C

A duplicate router ID would cause OSPF neighbor state to oscillate or remain in EXSTART/EXCHANGE, not stabilize in 2-Way. The output shows a stable 2-Way state, which is normal for DROTHERs. Duplicate IDs would also generate error messages in the logs.

D

A passive interface in OSPF does not send Hello packets and therefore cannot form any neighbor adjacency. The output shows two neighbors in valid states (FULL and 2-Way), which proves the interface is active and sending Hellos.

395 · Drag &amp; Drop · medium

Drag and drop the following steps into the correct order to configure Rapid PVST+ on SW1, make it the root bridge, and enable PortFast with BPDU Guard on all access ports.

Correct order (answer):

1. Enter global configuration mode
2. Enable Rapid PVST+ mode
3. Make SW1 the root bridge for VLAN 1 ('spanning-tree vlan 1 root primary')
4. Enable PortFast on all access ports
5. Enable BPDU Guard globally to protect the PortFast-enabled ports

Why this order

The correct order begins by entering global configuration mode, then enabling Rapid PVST+ so that subsequent spanning-tree commands operate under that mode. Next, the switch is designated as the root bridge for VLAN 1 using 'spanning-tree vlan 1 root primary', which sets a superior bridge priority. After the root election is influenced, PortFast is applied to all access interfaces to transition them directly into forwarding state.

Finally, BPDU Guard is enabled globally to protect all PortFast-enabled ports; if a BPDU is received on such a port, it is immediately put into err-disabled state, preventing potential loops. Each step builds on the previous one: enabling Rapid PVST+ must precede root setup, root selection should be completed before any access-port optimization, and BPDU Guard is applied last to secure the already-accelerated ports.

396
MCQhard

A network technician is troubleshooting a link between two Cisco switches, SW1 and SW2, connected via a single-mode fiber optic cable. The interface on SW1 is up/up, but the interface on SW2 remains down/down. The technician has verified that the fiber cable is not damaged and that the SFP modules are correctly seated. Which configuration change should the technician make to resolve the issue?

A.Configure the interface on SW2 to use the same speed and duplex settings as SW1.
B.Replace the 1000BaseSX SFP on SW2 with a 1000BaseLX SFP.
C.Enable MDIX on both interfaces to allow automatic crossover detection.
D.Change the VLAN assignment on SW2's interface to match that of SW1.
AnswerB

The SFP types do not match: the scenario's premise is that SW1 carries a 1000BASE-LX (single-mode) optic while SW2 carries a 1000BASE-SX (multimode) optic. Fitting LX optics at both ends gives matching wavelengths over the single-mode fiber.

Why this answer

SW1 up/up while SW2 stays down/down means SW2 never receives a valid signal. With the cable and SFP seating ruled out, the scenario's premise is an optic mismatch: SW1 carries a 1000BASE-LX SFP (1310 nm, single-mode) while SW2 carries a 1000BASE-SX SFP (850 nm, multimode). The question stem does not list the optic types, so in practice confirm them first (the media type line of show interfaces, or the SFP part numbers in show inventory) on each switch before swapping hardware.

Single-mode fiber requires LX optics; SX optics are designed for multimode fiber and will not produce a signal that can be received correctly over single-mode fiber, causing the remote interface to remain down. Replacing the 1000BaseSX SFP on SW2 with a 1000BaseLX SFP resolves the wavelength incompatibility.

Exam trap

Cisco often tests the misconception that fiber link issues are always due to physical damage or seating, when in fact the most common exam trap is an SFP type mismatch (SX vs. LX) on single-mode fiber, causing a unidirectional link.

Why the other options are wrong

A

1000BASE-X fiber interfaces run only at 1000 Mb/s full duplex; there is no 10/100 or half-duplex setting to mismatch, and the auto-negotiation used on these links exchanges duplex and flow-control capabilities rather than speed. Since SW1 is already up/up, the settings are compatible, so this change would not resolve the down/down state on SW2.

C

MDIX (Medium Dependent Interface Crossover) is a feature for copper Ethernet cables to automatically correct for straight-through vs. crossover cable issues. Fiber optic connections do not use MDIX because they use separate transmit and receive fibers, so enabling MDIX has no effect on fiber links.

D

A VLAN mismatch would cause the interface to be up/up but not forward traffic (Layer 2 issue), not the down/down state observed. The down/down state indicates a Layer 1 problem, such as a physical or optical incompatibility.

397
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure Router R1 with OSPFv2 process 1 to form neighbor adjacencies only on GigabitEthernet0/1 while preventing OSPF hello packets on all other OSPF-enabled interfaces.

Why this order

First, enter OSPF router configuration mode. Then assign a Router ID (optional but good practice). Next, advertise the local subnet with a network statement to enable OSPF on interfaces.

Then apply passive-interface default to suppress hellos on all OSPF interfaces. Finally, use no passive-interface to allow adjacency on the specific interface.
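As an added example (not the question bank's own configuration), R1's OSPF process with the five steps in that order. The router ID, the two prefixes, area 0 and the use of Gi0/0 as the user LAN are assumed.

```cisco
! Added example, not from the question bank. Router ID, prefixes, area and
! the role of Gi0/0 as the user-facing LAN are assumed.
router ospf 1
 router-id 1.1.1.1
 ! Gi0/1 transit link and Gi0/0 user LAN (both assumed)
 network 10.1.12.0 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0
 ! suppress hellos on every OSPF interface; their prefixes are still advertised
 passive-interface default
 ! the single link that is allowed to form an adjacency
 no passive-interface GigabitEthernet0/1
!
! Checks: show ip protocols      (lists the passive interfaces)
!         show ip ospf neighbor  (neighbors should appear on Gi0/1 only)
```

A passive interface still has its prefix advertised; what stops is hello transmission and processing, so a host plugged into the LAN cannot present itself as an OSPF neighbor and inject routes. If the router ID is set after adjacencies already exist it only takes effect after `clear ip ospf process`, which is why the order above puts it before the network statements.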

398
MCQhard

A subnet must support at least 62 usable hosts. Which prefix will create the smallest subnet that meets the requirement?

A./27
B./26
C./25
D./24
AnswerB

This is correct because a /26 provides 64 total addresses and 62 usable hosts.

Why this answer

To support at least 62 usable hosts, the subnet needs 64 total addresses, because two of those will be reserved for the network and broadcast addresses. In plain language, the target is not 62 total addresses; it is 62 usable ones after the two reserved values are taken away. A /26 provides exactly 64 total addresses and therefore 62 usable host addresses.

This is a classic minimum-prefix question because it checks whether you can convert a host requirement into the correct power-of-two subnet size without over-allocating unnecessarily. A /27 would be too small, while /25 would work but would waste more addresses than needed. The smallest valid prefix is /26.

Exam trap

Ensure you calculate usable hosts, not total addresses. Remember that network and broadcast addresses are not usable.

Why the other options are wrong

A

A /27 prefix provides only 32 total addresses (2^(32-27)=32), with 30 usable hosts after subtracting network and broadcast addresses. This is insufficient for the requirement of at least 62 usable hosts.

C

A /25 prefix provides 128 total addresses and 126 usable hosts, which is more than required. While it meets the requirement, it is not the smallest prefix, leading to wasted IP addresses in a subnet.

D

A /24 prefix provides 256 total addresses and 254 usable hosts, far exceeding the requirement of 62 usable hosts. This is not the smallest prefix and results in significant waste of IP address space.

399
Multi-Selectmedium

Which TWO of the following are core applications of AI and ML in network operations as described in CCNA 200-301 v2.0 objective 5.1?

Select 2 answers
A.Using machine learning to detect unusual traffic patterns that may indicate a security threat or network fault.
B.Using historical data and ML models to forecast future network traffic loads and capacity requirements.
C.Automatically generating network configuration scripts using natural language processing.
D.Translating high-level business intent into network policies and continuously verifying that the network state matches the intended state.
E.Using reinforcement learning to optimize routing protocol metrics in real time.
AnswersA, D

This describes anomaly detection, which is a key AI/ML application in network operations. ML models learn normal traffic baselines and flag deviations for further investigation.

Why this answer

Options A and D are correct as per CCNA 200-301 v2.0 objective 5.1, which specifically lists anomaly detection using machine learning and intent-based networking as core AI/ML applications in network operations. Option A describes anomaly detection, where ML models trained on baseline traffic identify deviations indicating security threats or faults. Option D describes intent-based networking, where high-level business intent is translated into network policies with continuous verification.

Option B (capacity forecasting) and Option C (NLP-based config generation) are not listed in objective 5.1, though they are related AI/ML uses in networking. Option E (reinforcement learning for routing optimization) is also not a core application covered in the CCNA syllabus.

Exam trap

Cisco often tests the specific scope of objective 5.1, which lists only anomaly detection and intent-based networking as core AI/ML applications, causing candidates to mistakenly select capacity forecasting (option B) or NLP-based automation (option C) which are not included in that objective.

Why the other options are wrong

B

Capacity forecasting using ML is not listed as a core application in objective 5.1; it is a more advanced AIOps use case.

C

Automatically generating configs via NLP is not a core application in objective 5.1; it is not covered at CCNA level.

E

Reinforcement learning for routing optimization is not a core AI/ML application described in objective 5.1; it is beyond scope.

400
Matchingmedium

Match each IPv6 concept to its most accurate description.

Concepts
Matches

IPv6 addressing used for wider routed communication

IPv6 addressing used only on the local segment

Host self-configuration using router advertisements

OSPF version used for IPv6 routing operation

Why these pairings

These pairings accurately define key IPv6 concepts.

Exam trap

Be careful not to confuse the scope of IPv6 address types. Link-local addresses are not routable, unique local addresses are private, and anycast is one-to-nearest, not one-to-many. Remember that 'local' in link-local means the link, not the site.

401
MCQmedium

Users receive addresses from the correct subnet and can reach destinations by IP address, but they cannot browse by hostname. Which DHCP option is most likely missing from the pool?

A.Default-router option
B.DNS server option
C.Lease time option
D.TFTP server option
AnswerB

The DNS server option (DHCP option 6) tells clients where to send name-resolution queries.

Why this answer

If clients get an IP address and default gateway but cannot resolve names, the usual problem is the DNS server information handed out by DHCP. Without that, hostname lookups fail even though IP connectivity may still exist.

Exam trap

Don't confuse general network connectivity options with DNS-specific configurations. Focus on what each DHCP option actually configures.

Why the other options are wrong

A

The default-router option (option 3) provides the gateway for off-subnet traffic. While a missing gateway would prevent access to external networks, the scenario states users receive correct subnet addresses and can likely reach local resources. The inability to browse by hostname points to a DNS issue, not a routing problem.

C

The lease time option (option 51) determines how long a client can use an assigned IP address before renewing. It does not affect DNS resolution or hostname browsing. A missing or incorrect lease time would cause IP address expiration issues, not name resolution failures.

D

The TFTP server option (option 66) is used for booting devices like IP phones or diskless workstations to download configuration files or operating systems. It is not involved in hostname resolution. A missing TFTP server would not affect DNS lookups.

402
Multi-Selectmedium

Which TWO statements accurately describe the encapsulation process and PDU naming across the OSI and TCP/IP models?

Select 2 answers
A.At the Transport layer, the TCP/IP model uses segments, while the OSI model uses packets.
B.In the OSI model, the Network layer encapsulates data into packets, while in the TCP/IP model the Internet layer performs the same function.
C.The term 'frame' is used at the Data Link layer in both the OSI and TCP/IP models, and it contains the Layer 2 header and trailer.
D.Encapsulation adds headers and trailers at each layer, so the PDU size decreases as data moves down the stack.
E.The OSI model's Session layer is responsible for end-to-end flow control using TCP segments, while the TCP/IP model combines this into the Application layer.
AnswersB, C

Both the OSI Network layer (Layer 3) and TCP/IP Internet layer produce packets (IP packets/datagrams) by adding a Layer 3 header.

Why this answer

Option B is correct because the OSI Network layer and the TCP/IP Internet layer both encapsulate transport layer segments or datagrams into packets by adding a Layer 3 header (e.g., IP header). This is the fundamental encapsulation step where logical addressing is applied, and the resulting PDU is called a packet in both models. The function is identical despite the different layer names.

Exam trap

Cisco often tests the precise PDU naming per layer (segment, packet, frame) and the fact that encapsulation increases PDU size, not decreases it, to catch candidates who confuse the direction of encapsulation or mix up OSI and TCP/IP layer terminology.

Why the other options are wrong

A

Misattributes the 'packet' PDU to the Transport layer – packets are created at the Network layer (Layer 3).

D

Reverses encapsulation logic: each layer adds its own overhead, increasing the size.

E

Incorrectly assigns flow control to the Session layer and misrepresents its placement in the TCP/IP model.

403
PBQhard

You are connected to SW1. Configure LACP EtherChannel between SW1 and SW2 using interfaces GigabitEthernet0/1 and GigabitEthernet0/2. Ensure the channel forms and passes traffic for VLAN 10. Troubleshoot and fix any issues preventing the channel from coming up.

Network Topology
SW1 Gi0/1 --- LACP --- Gi0/1 SW2

Hints

  • Check the speed and duplex settings on both member interfaces.
  • Verify that the port-channel interface and member ports are both Layer2 or both Layer3.
  • Ensure LACP mode is active on at least one side to initiate negotiation.
A.Configure speed 1000 and duplex full on Gi0/2, change port-channel 1 to switchport mode trunk with allowed vlan 10, and set both Gi0/1 and Gi0/2 to channel-group 1 mode active.
B.Configure speed 1000 and duplex full on Gi0/2, change port-channel 1 to no switchport, and set both Gi0/1 and Gi0/2 to channel-group 1 mode passive.
C.Configure speed 100 and duplex half on Gi0/1 to match Gi0/2, change port-channel 1 to switchport mode trunk with allowed vlan 10, and set both Gi0/1 and Gi0/2 to channel-group 1 mode active.
D.Configure speed 1000 and duplex full on Gi0/2, change port-channel 1 to switchport mode access with access vlan 10, and set both Gi0/1 and Gi0/2 to channel-group 1 mode desirable.
AnswerA
solution
! SW1
interface GigabitEthernet0/2
speed 1000
duplex full
channel-group 1 mode active
exit
interface GigabitEthernet0/1
channel-group 1 mode active
exit
interface Port-channel1
switchport
switchport mode trunk
switchport trunk allowed vlan 10
no ip address
end

Why this answer

The EtherChannel is not forming because of multiple mismatches: speed (1000 vs 100), duplex (full vs half), and the port-channel interface is configured as Layer3 (no switchport) while the member ports are Layer2 (switchport mode trunk). First, correct the speed and duplex on Gi0/2 to match Gi0/1 (speed 1000, duplex full). Then change the port-channel to switchport mode trunk and set the allowed VLAN.

Finally, change the LACP mode on both interfaces to 'active' to initiate negotiation. After these changes, the channel should come up.

Exam trap

Watch for mismatches in speed, duplex, and Layer2/Layer3 configuration between member ports and the port-channel interface. Also, ensure LACP mode is active on at least one side to initiate negotiation.

Why the other options are wrong

B

The port-channel interface must match the Layer 2 configuration of its member ports; no switchport turns it into a routed interface that cannot trunk VLANs. Passive mode on both ends also never forms a channel, because LACP needs at least one active side to start negotiation.

C

Speed and duplex must be consistent across all member links, but the fix is to correct the misconfigured interface (Gi0/2) to match the working one (Gi0/1), not to downgrade Gi0/1 to 100 Mb/s half duplex.

D

Access mode carries a single untagged VLAN and is not what a trunk between two switches needs for VLAN 10. More importantly, desirable is a PAgP keyword; LACP uses only active or passive, so this command would not create an LACP bundle at all.

404
MCQmedium

An engineer successfully authenticates to a controller and receives a token. What is the usual reason for including that token in later API requests?

A.To identify and authorize the client without resending full login credentials each time
B.To convert HTTP requests into SNMP traps
C.To elect the active controller in the cluster
D.To compress JSON payloads before transport
AnswerA

That is the practical purpose of token-based API access.

Why this answer

The token proves the client has already authenticated and is authorized to keep using the API for the lifetime of that token or session. It is normally sent in an HTTP header, most often Authorization: Bearer <token>. Because it stands in for the login credentials, it has to be protected like them: sent only over HTTPS, kept out of URLs and logs, and renewed when it expires, at which point the client authenticates again.

Exam trap

Remember that tokens are specific to API authentication and should not be confused with other network security or configuration mechanisms.

Why the other options are wrong

B

Tokens are used for authentication and authorization in API requests, not for converting HTTP requests into SNMP traps. SNMP traps are asynchronous notifications sent by network devices, and token-based APIs operate at a different layer and protocol.

C

Token-based authentication has nothing to do with which controller node is active. Controllers decide that among themselves with their own clustering and failover mechanism; a client's API token plays no part in it.

D

Token inclusion in API requests serves authentication and authorization, not data compression. JSON payload compression is typically handled by content-encoding headers (e.g., gzip) and is independent of token usage.

405
Matchingmedium

Drag and drop the syslog severity levels on the left to their corresponding names and meanings on the right.

Concepts
Matches

Emergency – system is unusable

Alert – immediate action needed

Critical – critical condition

Error – error condition

Warning – warning condition

Why these pairings

Syslog severity levels: 0 (emergency), 1 (alert), 2 (critical), 3 (error), 4 (warning), 5 (notification). Levels 6 and 7 are informational and debugging.
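As an added example (not from the question bank), the severity numbers in use on an IOS device: each logging destination keeps messages at its configured level and every lower number. The collector address is assumed.

```cisco
! Added example, not from the question bank. Syslog server address assumed.
! Each destination receives its configured level and every lower number.
service timestamps log datetime msec
!
! Console: only 0 emergencies, 1 alerts, 2 critical, so the console stays usable
logging console critical
!
! Local buffer: levels 0-6, everything except debugging
logging buffered 32768 informational
!
! Remote collector: levels 0-4. "logging trap 4" is the same command by number.
logging host 10.10.10.20
logging trap warnings
!
! Check: show logging   (lists each destination with its current severity)
```

One caveat for anyone collecting these logs for security monitoring: configuration changes are reported at level 5 (%SYS-5-CONFIG_I), so with `logging trap warnings` they never leave the device. Use `logging trap notifications` or higher on the collector if you want to see who reconfigured the box, and keep the remote copy at all, since a local buffer can be cleared by whoever has enable access.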

Exam trap

The exam often tests the order of syslog severity levels. Remember that lower numbers mean higher severity. A common trap is confusing the descriptions for Emergency, Alert, and Critical.

Memorize the top four: 0 Emergency, 1 Alert, 2 Critical, 3 Error.

406
Multi-Selectmedium

Which TWO statements about IPv4 and IPv6 static routing are correct?

Select 2 answers
A.A default static route is used when no dynamic routing protocols are configured.
B.A floating static route is configured with a higher administrative distance than the primary route.
C.A floating static route must have a lower administrative distance than the primary route.
D.An IPv6 default static route uses the prefix ::/0.
E.An IPv6 static route can specify an IPv4 address as the next-hop.
AnswersB, D

A floating static route is a backup route that is installed in the routing table only when the primary route (with a lower AD) is not available. By assigning a higher AD, the router prefers the primary route when it is reachable.

Why this answer

Option B is correct because a floating static route is configured with a higher administrative distance to serve as a backup when the primary route fails. Option D is correct because an IPv6 default static route uses the prefix ::/0 to match all destinations. Option A is incorrect because a default static route can be used independently of whether dynamic routing protocols are configured; it is simply a route with destination 0.0.0.0/0.

Option C is incorrect because a floating static route must have a higher AD, not lower, than the primary route. Option E is incorrect because an IPv6 static route cannot specify an IPv4 address as the next-hop; it must use an IPv6 address or an outgoing interface.
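As an added example (not the question bank's own configuration), primary and floating static default routes in both address families. The next-hop addresses, the exit interface and the backup administrative distance of 10 are assumed.

```cisco
! Added example, not from the question bank. Next hops, the exit interface
! and the backup AD of 10 are assumed.
!
! IPv4: primary default via ISP-A (static AD 1), floating backup via ISP-B (AD 10)
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
!
! IPv6: same idea with ::/0. The backup uses a link-local next hop, which
! IOS only accepts together with the exit interface.
ipv6 unicast-routing
ipv6 route ::/0 2001:db8:a::1
ipv6 route ::/0 GigabitEthernet0/2 fe80::2 10
!
! Checks: show ip route static     (only the AD-1 route is installed while ISP-A is up)
!         show ipv6 route static
!         show ip route 0.0.0.0    (the AD-10 route appears after the primary is withdrawn)
```

The floating route is only installed once the primary leaves the routing table. A static route is withdrawn when its exit interface goes down or its next hop becomes unreachable; if ISP-A's link stays up while the provider is actually broken, the primary never disappears and the backup never takes over, which is why floating statics are commonly paired with IP SLA tracking in production.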

Exam trap

Cisco often tests the misconception that a floating static route must have a lower administrative distance than the primary route, when in fact it must be higher to serve as a backup.

Why the other options are wrong

A

A default static route is used as a gateway of last resort for any destination not in the routing table, regardless of whether dynamic routing protocols are configured. It is not dependent on the absence of dynamic routing.

C

A floating static route is designed to be a backup; therefore, it must have a higher AD than the primary route so that the primary route is preferred.

E

IPv6 static routes require an IPv6 next hop, an exit interface, or both; IOS rejects an IPv4 address in the ipv6 route command. Note also that a link-local next hop such as fe80::1 is only accepted together with the exit interface, because link-local addresses are not unique across links.

407
PBQmedium

You are connected to the console of SW1. The network administrator reports that SW1 cannot discover neighbouring devices using CDP. SW1 is connected to R1 via GigabitEthernet0/1. CDP is globally enabled, but still no neighbours are shown.

Network Topology
SW1 G0/1 --- G0/0 R1

Hints

  • CDP is enabled globally but may be disabled per interface.
  • Check the CDP status on the specific interface.
  • Enable CDP on the interface with the 'cdp enable' command.
A.Enable CDP on interface GigabitEthernet0/1 with the command 'cdp enable'.
B.Enable CDP globally with the command 'cdp run'.
C.Use the command 'lldp run' to enable LLDP as an alternative.
D.Check the physical cable and interface status on GigabitEthernet0/1.
AnswerA
solution
! SW1
interface GigabitEthernet0/1
cdp enable

Why this answer

CDP is enabled on every interface by default once cdp run is active, so GigabitEthernet0/1 had been disabled explicitly with no cdp enable. That is a common hardening step on user-facing ports, because CDP advertises the platform, software version and management addresses to anyone listening; it should only stay enabled on links to trusted infrastructure such as R1. Re-enabling it on that interface restores neighbour discovery; show cdp interface lists which interfaces are sending CDP.

Exam trap

The trap is that candidates assume CDP is simply on or off for the whole switch, forgetting that it can be disabled per interface with no cdp enable. When cdp run is set but show cdp neighbors is empty, check show cdp interface for the specific port before touching the global setting.

Why the other options are wrong

B

'cdp run' enables CDP globally, but the question states global CDP is already enabled, so this changes nothing.

C

LLDP is a different protocol; enabling it would show LLDP neighbours but does not affect CDP operation.

D

A physical fault would normally leave the interface down, and the question gives no indication of a physical problem.

408
Drag & Dropmedium

Drag and drop the following steps into the correct order to plan, configure, and apply an extended ACL that blocks Telnet traffic from the 192.168.1.0/24 network to the 10.0.0.0/24 network, applied inbound on the interface facing the source.

Why this order

First enter global configuration, then create the ACL with the deny statement ahead of the permit statement (order matters: first match wins), then enter the source-facing interface and apply the list inbound. IOS accepts an ip access-group reference to a list that does not exist yet, but such a list filters nothing until it is defined, so building the ACL first is the safe order.
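As an added example (not from the question bank), the four steps on the router that faces 192.168.1.0/24. The interface name and the ACL name are assumed.

```cisco
! Added example, not from the question bank. The source-facing interface
! (GigabitEthernet0/0) and the ACL name are assumed.
configure terminal
!
! Step 2: build the list. Evaluation is top down, first match wins, so the
! specific deny precedes the broad permit; the implicit deny at the end never
! fires because "permit ip any any" matches everything else.
ip access-list extended BLOCK-TELNET
 deny   tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq 23 log
 permit ip any any
 exit
!
! Steps 3-4: apply inbound on the interface where the source traffic enters
interface GigabitEthernet0/0
 ip access-group BLOCK-TELNET in
end
!
! Check: show access-lists BLOCK-TELNET   (per-line hit counters increase on matches)
```

The `log` keyword on the deny line produces a syslog message for each blocked attempt, which is useful for spotting who keeps trying; leave it off on high-volume lines, since logging is done in software. Note that this list only blocks TCP port 23: if the real goal is to stop remote management of the 10.0.0.0/24 hosts, port 22 needs its own deny line.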

Exam trap

Watch the order of ACL statements: the specific deny must come before the broad permit, because the list is evaluated top down and the first match wins. Remember too that an ACL must exist before applying it achieves anything, and that every ACL ends with an implicit deny, so without the permit ip any any all other traffic entering that interface would be dropped.

409
MCQhard

A route to 10.10.10.0/24 is learned through two OSPF paths. Both have the same prefix length and the same administrative distance, but one path has a lower OSPF metric. Which path is preferred?

A.The path with the lower OSPF metric
B.The path with the higher OSPF metric
C.Both paths equally, because the administrative distance is the same
D.Neither path, because two OSPF routes to the same prefix are invalid
AnswerA

This is correct because within the same protocol and prefix, the lower metric is preferred.

Why this answer

The path with the lower OSPF metric is preferred. In practical terms, when the prefix and route source are the same, the router uses the routing protocol’s internal path-selection logic. For OSPF, the lower metric is the more attractive path.

This is a clean example of metric-based selection within one routing protocol. Administrative distance is not the deciding factor here because the source protocol is the same on both paths.

Exam trap

Remember, administrative distance only matters when comparing different routing protocols, not when choosing between paths within the same protocol.

Why the other options are wrong

B

A higher OSPF metric indicates a less desirable path, as OSPF uses cost as its metric where lower cost is preferred. Selecting a higher metric path would contradict the fundamental routing principle of choosing the best path based on lowest metric.

C

Equal administrative distance does not imply equal preference when metrics differ. The router compares metrics within the same routing protocol; if metrics are different, the lower metric path is chosen, not both.

D

OSPF routinely learns the same prefix over several paths; this is normal. The router installs the lowest-cost path, and any other path with exactly the same cost is installed alongside it for equal-cost load balancing. Higher-cost paths are not placed in the routing table; they remain in the OSPF link-state database and are installed only if the best path is withdrawn.

410
Multi-Selectmedium

Which two statements accurately describe ARP in an IPv4 Ethernet network?

Select 2 answers
A.ARP resolves a known IPv4 address to a MAC address on the local segment.
B.ARP is used to choose the best Layer 3 path across multiple routers.
C.ARP requests are typically sent as broadcasts on the local LAN.
D.ARP can normally resolve the MAC address of a host located across a routed network.
E.ARP replaces the need for a default gateway.
AnswersA, C

This is correct because ARP is used to discover the Layer 2 MAC address associated with a known IPv4 address on the local network.

Why this answer

ARP is the mechanism used to map a known IPv4 address to a Layer 2 MAC address on the local network segment. In plain language, if a device knows the IP address it wants to reach on the same LAN, ARP helps it discover the correct Ethernet destination MAC address to use in the frame. That is why ARP is so important for local delivery in IPv4 Ethernet environments. Without it, devices would know where they want to send traffic logically, but not how to address the actual frame on the local link.

ARP does not cross routers in the usual way, and it is not a routing protocol. It does not determine best paths to remote networks. It simply helps with local resolution of IPv4-to-MAC information. This distinction matters a lot on CCNA questions because many wrong answers try to blur the line between local neighbor resolution and routing behavior.

Exam trap

Do not confuse ARP with routing protocols or assume it functions across routers. Remember, ARP is strictly for local address resolution.

Why the other options are wrong

B

ARP operates at Layer 2 and is only concerned with resolving IP addresses to MAC addresses on the local link. Path selection between routers is performed by routing protocols (e.g., OSPF, EIGRP) and the routing table, which operate at Layer 3.

D

ARP requests are broadcast only within the local subnet and are not forwarded by routers. To reach a host on a different subnet, the source host must send the packet to its default gateway, which then uses its own ARP process to resolve the next-hop MAC.

E

ARP does not replace the default gateway; it only resolves the MAC address of the gateway or other local hosts. The default gateway is still required for routing traffic to other subnets, as ARP cannot provide Layer 3 forwarding.

411
Drag & Dropmedium

Drag and drop the following steps into the correct order to describe the general workflow for AI-assisted network configuration automation: receive intent, decompose into sub-tasks, call tools, validate output, and apply closed-loop remediation.

Why this order

The general AI workflow in network automation begins with receiving the high-level intent, then breaking it down into executable sub-tasks, calling the appropriate tools (e.g., APIs or scripts), validating the output to ensure correctness, and finally applying closed-loop remediation to correct any deviations. This order reflects a logical progression from planning to action to verification and correction, which aligns with foundational AI/ML concepts covered in the CCNA.

Exam trap

Do not confuse the order: decomposition must precede tool calls, and validation must occur after tool calls but before remediation.

412
PBQhard

You are connected to the console of R1. The network uses IPv6 and you need to configure an IPv6 address on interface G0/0 using the EUI-64 format. The subnet is 2001:db8:acad:1::/64. The interface MAC address is 0011.2233.4455. After configuration, verify that the full IPv6 address is correct.

Hints

  • EUI-64 automatically generates the interface ID from the MAC address.
  • The subnet prefix is /64, so the interface ID is 64 bits.
  • The MAC address 0011.2233.4455 will become 0211.22FF.FE33.4455.
A.ipv6 address 2001:db8:acad:1:0211:22ff:fe33:4455/64
B.ipv6 address 2001:db8:acad:1:0011:22ff:fe33:4455/64
C.ipv6 address 2001:db8:acad:1:0011:2233:4455/64
D.ipv6 address 2001:db8:acad:1:0211:2233:4455/64
AnswerA
solution
! R1
interface GigabitEthernet0/0
no shutdown
ipv6 address 2001:db8:acad:1::/64 eui-64

Why this answer

The EUI-64 method inserts FFFE in the middle of the MAC and flips the U/L bit. With the given MAC, the resulting interface ID is 0211:22FF:FE33:4455, forming the full IPv6 address.

Exam trap

Remember that EUI-64 requires both inserting FFFE and flipping the U/L bit. A common mistake is to do only one of these steps or to use the MAC address directly. Always verify the seventh bit of the first byte is flipped (0x00 becomes 0x02, 0x01 becomes 0x03, etc.). One practical caveat: because the interface ID embeds the burned-in MAC, the address identifies the hardware and follows it from prefix to prefix, so hosts normally prefer randomized interface IDs; EUI-64 is mostly seen on router and infrastructure interfaces.

Why the other options are wrong

B

The U/L bit was not flipped; the interface ID starts with 0011 instead of 0211.

C

The FFFE insertion is missing: the interface ID is only the 48-bit MAC written in IPv6 notation, so the address has seven groups (112 bits) and IOS rejects it as malformed.

D

FFFE is missing; only the U/L bit flip was applied, so the address is again 16 bits short of a valid 128-bit address.

413
Multi-Selectmedium

Which three of the following are key applications of AI in network operations? (Choose three.)

Select 3 answers
A.Anomaly detection and proactive threat identification
B.Automated root cause analysis of network faults
C.Predictive maintenance of network hardware based on telemetry
D.Replacing all manual CLI configuration with AI-generated scripts
E.Eliminating the need for network monitoring tools entirely
F.Automating the physical installation of network cables
AnswersA, B, C

Why this answer

AI in network operations enhances efficiency by automating complex analytical tasks. Anomaly detection uses machine learning models to identify deviations from baseline traffic patterns, enabling proactive threat identification before they cause outages. Automated root cause analysis correlates events across the network to pinpoint the origin of a fault, reducing mean time to repair (MTTR).

Predictive maintenance leverages telemetry data (e.g., from SNMP, NetFlow, or gRPC) to forecast hardware failures, allowing preemptive replacement and minimizing downtime.

Exam trap

Cisco often tests the distinction between AI augmenting versus replacing existing tools and processes, so the trap here is assuming AI can fully automate physical tasks or eliminate foundational monitoring infrastructure, when in reality AI works as an overlay to enhance human decision-making and existing systems.

414
Drag & Dropmedium

Drag and drop the following steps into the correct order to implement an AI/ML-based network operations workflow for proactive anomaly detection and automated remediation on a Cisco IOS-XE device.

Why this order

The workflow starts with data collection, then streaming, model training, deployment, and finally automated remediation based on detection.

Exam trap

Do not confuse the order of steps in an AI/ML workflow. Remember that data must be collected before it can be streamed, and models must be trained before they can be deployed for detection. Automated remediation is always the last step.

415
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure a secure Cisco switch, from enabling secure management access to implementing advanced dynamic ARP inspection.

Why this order

1. Hostname and IP domain name: required to generate RSA keys for SSH in the next step.
2. RSA key generation: SSH cannot function without cryptographic keys.
3. SSH v2 enabled and Telnet disabled: ensures secure remote access before any authentication method is applied.
4. AAA authentication with RADIUS/TACACS+ on vty lines: controls who can access the switch after the SSH transport is established.
5. Port security on access ports: protects the data plane by restricting MAC addresses once the management plane is secured.
6. DHCP snooping: builds a binding database used to validate traffic; must be active before DAI can work.
7. Dynamic ARP Inspection: relies on the DHCP snooping database to filter ARP packets and prevent man-in-the-middle attacks, so it must be configured last.

416
Multi-Selectmedium

Which three of the following are functions of the Dynamic Host Configuration Protocol (DHCP) in a network? (Choose three.)

Select 3 answers
A.Assigning IP addresses to hosts automatically from a defined pool.
B.Providing the default gateway and DNS server information to clients.
C.Leasing IP addresses for a configurable period of time.
D.Resolving domain names to IP addresses for client devices.
E.Authenticating users before granting network access.
F.Translating private IP addresses to public IP addresses for internet access.
AnswersA, B, C

Why this answer

DHCP automates IP address assignment from a defined pool, eliminating manual configuration. It also provides essential network parameters like the default gateway and DNS server via DHCP options (e.g., Option 3 for router, Option 6 for DNS). Additionally, DHCP leases IP addresses for a configurable period, after which the client must renew the lease to continue using the address.

Exam trap

Cisco often tests the distinction between DHCP providing DNS server information (correct) and DHCP performing DNS resolution (incorrect), as candidates confuse the roles of DHCP and DNS.

417
Multi-Selectmedium

Which TWO statements correctly describe the behavior of standard ACLs and their placement on interfaces?

Select 2 answers
A.Standard ACLs filter traffic based on source IP address only.
B.Standard ACLs should be placed as close to the source as possible.
C.Standard ACLs can filter traffic based on destination IP address.
D.Standard ACLs should be placed as close to the destination as possible.
E.Standard ACLs can filter traffic based on TCP or UDP port numbers.
AnswersA, D

Standard ACLs use only the source IP address (or a wildcard mask) to match packets; they do not consider destination, protocol, or port.

Why this answer

Standard ACLs filter traffic based solely on the source IP address, using numbers 1–99 or 1300–1999 in classic Cisco IOS. They do not consider destination IP, protocol, or port numbers. Because they lack granularity, placing them close to the destination (option D) prevents them from inadvertently blocking traffic that should be permitted, as they cannot distinguish between traffic destined for different services on the same destination host.

Exam trap

Cisco often tests the misconception that standard ACLs should be placed close to the source (like extended ACLs), when in fact standard ACLs lack the granularity to do so safely and must be placed near the destination.

Why the other options are wrong

B

Standard ACLs filter only on source IP, so placing them close to the source can block traffic destined to other networks that should be allowed. The correct placement is close to the destination to minimize unintended filtering.

C

Standard ACLs do not examine destination IP addresses; they only match on source IP addresses. Filtering by destination requires an extended ACL.

E

Standard ACLs operate at Layer 3 and cannot examine Layer 4 information such as TCP or UDP port numbers. Port-based filtering requires an extended ACL.

418
MCQmedium

A network administrator at a large enterprise notices that the network monitoring system frequently generates false positive alerts for unusual traffic patterns during normal business hours. The administrator wants to reduce these false positives while still detecting genuine security threats. Which AI/ML concept would best address this requirement?

A.Deploy a predictive analytics model to forecast future traffic volumes and adjust thresholds accordingly.
B.Implement an anomaly detection system that uses machine learning to establish baseline behavior and flag deviations.
C.Apply intent-based networking to automatically enforce security policies based on high-level business intent.
D.Use deep packet inspection to examine all traffic and create static rules for known threats.
AnswerB

Anomaly detection with ML learns normal traffic baselines and adapts to changes, which significantly reduces false positives by only alerting on genuine anomalies.

Why this answer

Option B is correct because anomaly detection using machine learning establishes a dynamic baseline of normal network behavior, allowing the system to flag only significant deviations. This reduces false positives during normal business hours while still detecting genuine threats that deviate from the learned baseline, unlike static thresholds that trigger alerts on routine traffic variations.

Exam trap

Cisco often tests the distinction between predictive analytics (forecasting volume) and anomaly detection (learning behavior), trapping candidates who confuse adjusting thresholds with establishing a behavioral baseline.

Why the other options are wrong

A

Predictive analytics forecasts future traffic volumes but does not establish a dynamic baseline for normal behavior; thus, it cannot adapt to daily variations and would not reduce false positives from current traffic patterns.

C

Intent-based networking automates policy deployment and verification based on business intent, but it does not analyze traffic patterns or adapt alert thresholds; therefore, it does not directly reduce false positive alerts from monitoring systems.

D

Deep packet inspection with static rules can detect known threats but cannot adapt to new or evolving traffic patterns; thus, it would not reduce false positives from normal traffic variations and may even increase them due to rigid rules.

419
PBQmedium

You are connected to the console of R1. R1 is a new router that needs to be configured for remote management. The network administrator wants to enable SSH for secure access with a local user 'admin' and password 'cisco123'. The router already has an IP address 192.168.1.1/24 on GigabitEthernet0/0 and the interface is up.

Network Topology
R1 G0/0 (192.168.1.1/24) is linked to the Management host (192.168.1.100/24).

Hints

  • SSH requires a hostname and domain name.
  • RSA key pairs must be generated for encryption.
  • The VTY lines must be configured to accept SSH connections.
A.Enable SSH by configuring a hostname, domain name, generating RSA keys, creating local user 'admin' with password 'cisco123', and configuring VTY lines for SSH transport.
B.Enable SSH by configuring a hostname, generating RSA keys, creating local user 'admin' with password 'cisco123', and configuring VTY lines for SSH transport. No domain name is needed.
C.Enable SSH by configuring a hostname, domain name, generating RSA keys, creating local user 'admin' with password 'cisco123', and configuring VTY lines for Telnet transport.
D.Enable SSH by configuring a hostname, domain name, generating RSA keys, creating local user 'admin' with password 'cisco123', and configuring VTY lines with 'login local' and 'transport input ssh'. No further configuration is needed.
AnswerD
solution
! R1
hostname R1
ip domain-name example.com
crypto key generate rsa
username admin secret cisco123
line vty 0 4
login local
transport input ssh

Why this answer

To enable SSH with local authentication, the router requires a unique hostname, an IP domain name, RSA keys, a local username/password, and VTY lines configured with both 'transport input ssh' and 'login local'. Option D correctly includes all these elements, while the others omit critical steps like 'login local' or the domain name, or use Telnet instead of SSH.

Exam trap

Trap: Candidates often forget the domain name requirement or confuse 'transport input ssh' with 'login local'. Remember: both are needed on VTY lines for SSH with local authentication.

Why the other options are wrong

A

Missing the 'login local' command on VTY lines, so local authentication will not work.

B

Lacks an IP domain name, which is necessary to generate RSA keys for SSH.

C

Configures VTY lines for Telnet ('transport input telnet'), not SSH, failing the remote management requirement.

420
Multi-Selectmedium

Which THREE statements correctly describe the behavior of LACP modes in an EtherChannel configuration?

Select 3 answers
A.Active mode will not send LACP packets unless the peer is also in active mode.
B.Passive mode will only respond to LACP packets and will not initiate negotiation.
C.Passive mode cannot form an EtherChannel with another passive mode interface.
D.Active mode will initiate LACP negotiation by sending LACP packets.
E.Both active and passive modes are supported in PAgP.
AnswersB, C, D

Passive mode waits for LACP packets from the peer and does not initiate the negotiation.

Why this answer

B is correct because passive mode interfaces only respond to LACP packets and never initiate negotiation. C is correct because two passive interfaces will both wait for the other to initiate, so no LACP packets are sent and the EtherChannel never forms. D is correct because active mode interfaces actively send LACP packets to initiate negotiation with either an active or passive peer.

A is incorrect: active mode sends LACP packets regardless of the peer’s mode; it can form a channel with passive just as well as with active. E is incorrect because PAgP supports only desirable and auto modes, not LACP’s active/passive modes; PAgP and LACP are separate protocols.

Exam trap

A common mistake is thinking active mode requires the peer to also be active, but active can form with either active or passive, while passive–passive pairs never negotiate.

Why the other options are wrong

A

Active mode sends LACP packets unconditionally; it does not require the peer to be active and will negotiate with a passive peer.

E

PAgP uses desirable and auto modes, not the LACP active/passive modes; these modes are specific to LACP.

421
MCQhard

A network technician has configured static NAT with the command ip nat inside source static 192.168.1.10 203.0.113.10. The web server at 192.168.1.10 is accessible from the internet on TCP port 80 but not on TCP port 443. The ACL applied to the outside interface permits all IP traffic. What is the most appropriate next step to troubleshoot this issue?

A.Check if the web server is running HTTPS service on port 443.
B.Verify that the ACL applied to the outside interface explicitly permits TCP port 443.
C.Examine the NAT translation table for any conflicting dynamic entries.
D.Confirm the inside global IP address mapped to the server is correct.
AnswerA

This step targets the application layer, where the symptom most likely resides. The ACL permits all IP traffic and the static NAT is successfully translating port 80, ruling out misconfigurations there.

Why this answer

Since the ACL already permits all IP traffic and the static NAT translation works for port 80, the problem is not at Layer 3/4 filtering or NAT. The most likely cause is an application-layer issue: the web server is not listening on port 443. Checking the server's HTTPS service directly addresses that.

Exam trap

Trap: re-verifying the ACL. Many candidates miss that an ACL with 'permit ip any any' already allows all ports, so adding a port 443 rule is unnecessary and distracts from the real problem.

Why the other options are wrong

B

The already-configured ACL permits all IP traffic, so explicitly allowing port 443 would not resolve a server not listening on that port. This step wastes time on a verified configuration.

C

Static NAT does not use dynamic overload entries. There are no conflicting entries because NAT overload is not configured, making this check irrelevant.

D

The fact that port 80 works shows the inside global IP is correct. Re-verifying it would not explain the port-specific failure, as the issue is not with the translation.

422
PBQhard

You are connected to R1. The internal network 192.168.1.0/24 must be able to access the Internet via PAT (NAT overload) using the outside interface G0/1 with IP 203.0.113.1. Additionally, a web server at 192.168.1.100 must be reachable from the Internet via static NAT to the same outside interface. The current configuration has errors. Correct the NAT configuration so that inside hosts can browse the web and the server is reachable from outside.

Hints

  • Check which interfaces are marked as inside and outside — both were inside.
  • The dynamic NAT rule is missing a keyword to enable port address translation.
  • Verify the ACL used in the NAT rule matches the correct inside subnet.
A.Change interface G0/1 to 'ip nat outside', add 'overload' to the dynamic NAT rule, and correct ACL 100 to permit 192.168.1.0 0.0.0.255
B.Change interface G0/1 to 'ip nat outside', add 'overload' to the dynamic NAT rule, and change ACL 100 to permit 192.168.2.0 0.0.0.255
C.Change interface G0/1 to 'ip nat outside', remove the 'overload' keyword from the dynamic NAT rule, and correct ACL 100 to permit 192.168.1.0 0.0.0.255
D.Change interface G0/1 to 'ip nat inside', add 'overload' to the dynamic NAT rule, and correct ACL 100 to permit 192.168.1.0 0.0.0.255
AnswerA
solution
! R1
interface GigabitEthernet0/1
no ip nat inside
ip nat outside
exit
ip nat inside source list 100 interface GigabitEthernet0/1 overload
no access-list 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

Why this answer

The configuration had three issues: (1) Interface G0/1 was incorrectly configured as 'ip nat inside' instead of 'ip nat outside' — this prevents translation as both interfaces are inside. (2) The NAT overload keyword was missing on the dynamic PAT rule — without 'overload', only one-to-one translation occurs. (3) ACL 100 was matching 192.168.2.0/24 instead of the actual inside subnet 192.168.1.0/24, so traffic from the correct subnet was not translated. Correcting these allows inside hosts to PAT to the outside IP and the static NAT to function properly.

Exam trap

Watch for three common mistakes in NAT configuration: (1) misplacing the 'inside' and 'outside' interface designations, (2) forgetting the 'overload' keyword for PAT, and (3) using an incorrect ACL that does not match the actual inside network. Always verify the ACL matches the source subnet of traffic needing translation.

Why the other options are wrong

B

The ACL must match the source subnet of the inside hosts that need translation; using 192.168.2.0/24 does not match 192.168.1.0/24.

C

The 'overload' keyword is essential for PAT; omitting it means only one inside host can use the outside IP at a time.

D

NAT requires one interface to be 'inside' and the other 'outside'; having both as 'inside' prevents translation of outbound traffic.

423
MCQhard

A technician is troubleshooting a dual-stack network where an IPv6-only host cannot reach an IPv4 resource. The technician issues the show ipv6 interface brief command on the local router and notices the interface facing the host has a link-local address but no global unicast address. The technician then checks the running configuration and finds that the command ipv6 unicast-routing is missing. What is the most likely cause?

A.An IPv6 access list on the router is blocking Router Advertisement messages.
B.IPv6 unicast routing has not been enabled on the router.
C.The IPv4 resource is not configured for NAT64 translation.
D.The host has an incorrect default gateway for IPv6.
AnswerB

The ipv6 unicast-routing command is required to enable IPv6 forwarding on Cisco routers. Without it, the router does not participate in IPv6 routing, does not generate Router Advertisements, and interfaces will not obtain global unicast addresses through SLAAC or DHCPv6 relay. The show ipv6 interface output displaying only a link-local address, combined with the absence of ipv6 unicast-routing in the configuration, confirms this root cause.

Why this answer

The missing `ipv6 unicast-routing` command means the router is not acting as an IPv6 router, so it does not send Router Advertisement (RA) messages. Without RAs, the host cannot autoconfigure a global unicast address or learn a default gateway, breaking IPv6 connectivity to any IPv4 resource even if NAT64 is present.

Exam trap

Cisco often tests the misconception that configuring an IPv6 address on an interface is sufficient for IPv6 routing, when in fact the global `ipv6 unicast-routing` command is required to enable the router to forward IPv6 packets and send Router Advertisements.

Why the other options are wrong

A

This option focuses on a filtering issue, not the disabled routing engine, and would not cause the router’s own interface to lack a global unicast address.

C

NAT64 configuration would affect translation, but the root cause visible in the output is the lack of IPv6 routing capability on the router.

D

This shifts the blame to the host, but the router-side evidence (missing command and missing global unicast) clearly indicates a router configuration problem.

424
Multi-Selectmedium

Which TWO statements are true regarding the configuration and placement of standard and extended ACLs on a router?

Select 2 answers
A.Standard ACLs are typically placed closest to the source of the traffic.
B.Extended ACLs are typically placed closest to the source of the traffic.
C.A wildcard mask of 0.0.0.0 in an ACL matches all bits of the IP address.
D.A wildcard mask of 255.255.255.255 in an ACL matches all bits of the IP address.
E.Extended ACLs should be placed on the interface closest to the destination to filter traffic before it reaches the final segment.
AnswersB, C

Extended ACLs can filter on source and destination IP addresses, ports, and protocols, so placing them near the source allows early filtering and conserves bandwidth.

Why this answer

Option B is correct because extended ACLs evaluate multiple criteria (source/destination IP, port, protocol), so placing them closest to the source prevents unwanted traffic from consuming bandwidth across the network. Option C is correct because a wildcard mask of 0.0.0.0 means all 32 bits must match, matching a single host. Option A is incorrect—standard ACLs are placed closest to the destination, not the source.

Option D is incorrect—a wildcard mask of 255.255.255.255 matches any address (ignores all bits), not all bits. Option E is incorrect—extended ACLs placed near the destination would not conserve bandwidth; they should be near the source.

Exam trap

Cisco often tests the misconception that standard ACLs should be placed close to the source, when in fact extended ACLs are placed close to the source and standard ACLs close to the destination.

Why the other options are wrong

A

Standard ACLs filter only on source IP address, so placing them close to the source can block traffic that should be allowed to other destinations, causing unnecessary denial of service.

D

A wildcard mask of 255.255.255.255 means 'ignore all bits,' so it matches any IP address, equivalent to the 'any' keyword. It does not match all bits.

E

Extended ACLs are more effective when placed near the source to filter unwanted traffic early, not near the destination. Placing them near the destination allows unwanted traffic to traverse the network unnecessarily.
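The wildcard-mask and standard-ACL behaviour described in questions 417 and 424 (source-only matching, first match wins, implicit deny, 0.0.0.0 versus 255.255.255.255) can be modelled in a few lines. This is an added example written for this page, not code from the question bank or from Cisco IOS; the ACL entries and addresses are constructed.

```python
"""Added example (constructed, not from the question bank): a model of how a
Cisco-style standard ACL evaluates a packet. Only the source address is
consulted, entries are checked top-down and the first match wins, and a
packet that matches nothing hits the implicit deny at the end."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StandardAce:
    action: str      # "permit" or "deny"
    source: str      # address in the ACE, e.g. "192.168.1.0"
    wildcard: str    # wildcard mask, e.g. "0.0.0.255" (0 bit = must match)


def wildcard_match(addr: str, ace_source: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard means the address bit must match the ACE;
    a 1 bit means 'ignore this bit'.  Hence 0.0.0.0 matches exactly one host
    and 255.255.255.255 matches any address (the 'any' keyword)."""
    a = int(ipaddress.IPv4Address(addr))
    s = int(ipaddress.IPv4Address(ace_source))
    w = int(ipaddress.IPv4Address(wildcard))
    # Bits that differ between addr and the ACE are only allowed where w is 1.
    return ((a ^ s) & ~w & 0xFFFFFFFF) == 0


def evaluate_standard_acl(acl: list[StandardAce], src: str, dst: str) -> str:
    """Return "permit" or "deny" for a packet.  dst is accepted only to make
    explicit that a standard ACL never looks at it (nor at protocol/port)."""
    for ace in acl:
        if wildcard_match(src, ace.source, ace.wildcard):
            return ace.action
    return "deny"            # implicit deny at the end of every ACL


def verdicts_by_destination(acl: list[StandardAce], src: str,
                            destinations: list[str]) -> dict[str, str]:
    """Why a standard ACL belongs near the destination: the verdict for a
    given source is identical for every destination, so a deny placed near the
    source would cut that host off from every network beyond the filter."""
    return {dst: evaluate_standard_acl(acl, src, dst) for dst in destinations}


# Constructed ACL 10: block one host, then allow the rest of 192.168.1.0/24.
# Everything else (e.g. 192.168.2.0/24) falls through to the implicit deny.
ACL_10 = [
    StandardAce("deny", "192.168.1.50", "0.0.0.0"),
    StandardAce("permit", "192.168.1.0", "0.0.0.255"),
]

if __name__ == "__main__":
    for src in ("192.168.1.50", "192.168.1.7", "192.168.2.7"):
        print(src, "->", evaluate_standard_acl(ACL_10, src, "10.0.0.1"))
    print(verdicts_by_destination(ACL_10, "192.168.1.50",
                                  ["10.0.0.1", "172.16.0.1"]))
```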

425
Multi-Selectmedium

Which TWO statements correctly describe characteristics of SNMPv2c and SNMPv3 for network monitoring?

Select 2 answers
A.SNMPv3 supports authentication and encryption for secure network monitoring.
B.SNMPv2c uses community strings sent in clear text to authenticate requests.
C.SNMPv3 provides the same security level as SNMPv2c but with additional trap support.
D.SNMPv2c supports only GET and SET operations, but not traps.
E.SNMPv3 uses community strings to authenticate agents and managers.
AnswersA, B

SNMPv3 includes security features such as authentication (MD5/SHA) and encryption (DES/AES) to protect data in transit.

Why this answer

Option A is correct because SNMPv3 introduces authentication (MD5/SHA) and encryption (DES/AES) for secure monitoring. Option B is correct because SNMPv2c uses community strings transmitted in cleartext, which provides no real security. Option C is wrong: SNMPv3 is more secure than v2c, not the same.

Option D is wrong: SNMPv2c supports traps in addition to GET and SET. Option E is wrong: SNMPv3 uses usernames and security models, not community strings.

Exam trap

Cisco often tests the misconception that SNMPv3 is merely an extension of SNMPv2c with added trap support, when in fact the key differentiator is the security model (authentication and encryption), and both versions support traps.

Why the other options are wrong

C

SNMPv3 provides significantly higher security than SNMPv2c by adding authentication and encryption, whereas SNMPv2c uses only community strings in clear text. Both versions support traps, so the statement incorrectly claims SNMPv3 has additional trap support, which is not a distinguishing feature.

D

SNMPv2c supports GET, SET, and trap operations, just like SNMPv1 and SNMPv3. The statement is incorrect because it claims SNMPv2c does not support traps, which is false; traps are a key feature for asynchronous notifications in network monitoring.

E

SNMPv3 uses the User-based Security Model (USM) with usernames and authentication keys, not community strings. Community strings are a feature of SNMPv1 and SNMPv2c, which are transmitted in clear text and provide weak security.

426
Matchingmedium

Match each symptom to the first service area most likely involved.

Concepts: DNS, DHCP, NTP, Syslog

Why these pairings

Works by IP but not by hostname indicates that name resolution is failing, pointing to DNS. No automatic address on the host means DHCP is not providing an IP, so DHCP is the likely problem. Logs that do not line up in time suggest inconsistent clocks, which is a symptom of NTP failure.

No centralized device event view means log messages are not being aggregated, which is the role of Syslog.

Exam trap

Students often confuse DNS with DHCP: if a host can reach a destination by IP but not by hostname, DNS is the issue, not DHCP.

427
Multi-Selectmedium

Users complain that log timestamps from several routers do not line up with one another. Which two actions are most appropriate?

Select 2 answers
A.Configure NTP on the network devices
B.Verify timezone and timestamp settings
C.Increase the syslog severity threshold to debugging
D.Disable console logging
E.Clear the logging buffer on all devices
AnswersA, B

NTP keeps time synchronized.

Why this answer

When timestamps disagree, the first fix is time synchronization. NTP should be configured consistently, and devices should have correct timezone or clock settings so syslog messages can be correlated across the network.

Exam trap

Don't confuse log display settings or buffer configurations with time synchronization settings.

Why the other options are wrong

C

Increasing the syslog severity threshold to debugging generates more log messages but does not address the root cause of time discrepancies. It can overwhelm storage and analysis without fixing the time synchronization issue.

D

Disabling console logging reduces output to the console but does not affect the timestamps on logs stored elsewhere. The underlying time synchronization issue remains unresolved.

E

Clearing the logging buffer removes existing log entries but does not prevent future timestamps from being incorrect. The time drift persists, so new logs will still have mismatched timestamps.

428
MCQhard

Refer to the exhibit. A network administrator is troubleshooting a connectivity issue on switch SW1. Users connected to port Gi0/3 are unable to reach resources in VLAN 30. The administrator issues the show vlan brief command and receives the output shown. What is the most likely cause of the problem?

A.The Gi0/3 port is in an error-disabled state due to port security violations.
B.The VLAN 30 SVI is administratively down.
C.VLAN 30 is administratively shut down.
D.Spanning Tree Protocol has placed Gi0/3 into a blocking state for VLAN 30.
AnswerC

The Status field for VLAN 30 clearly displays 'act/lshut', which is Cisco’s notation for an administratively shut-down VLAN. This prevents any data plane forwarding on ports assigned to that VLAN.

Why this answer

In the 'show vlan brief' output, VLAN 30 is listed with the status 'act/lshut' rather than 'active'. This indicates that VLAN 30 has been administratively shut down (the shutdown command applied in VLAN configuration mode), which prevents any traffic from being forwarded in that VLAN, even if switch port Gi0/3 is correctly configured as an access port in VLAN 30. The correct answer is C because a VLAN in the 'act/lshut' state exists on the switch but forwards no traffic, so all ports assigned to it are unable to communicate within that VLAN.

Exam trap

Cisco often tests the distinction between a VLAN that is 'shutdown' and a VLAN that is 'active' but has no ports assigned; candidates see the 'act' portion of 'act/lshut' and assume the VLAN is operational, rather than recognizing that 'lshut' marks it as administratively disabled.

Why the other options are wrong

A

Candidates often confuse port-level issues with VLAN-level states. Port security violations would result in an err-disable status, which is not reflected in the VLAN status column; the VLAN would still show 'active' if it were enabled.

B

Candidates may mistake the VLAN shutdown for an SVI shutdown because both involve the 'shutdown' keyword. However, the SVI state would appear in 'show ip interface brief' or 'show interface vlan 30', not here.

D

Candidates often attribute connectivity loss to STP blocking, which is a common cause of forwarding issues. However, this exhibit’s specific clue is the 'act/lshut' flag, directing attention to the VLAN administrative state.

429
Multi-Selectmedium

Which command or tool would a network engineer use to verify whether a client has a duplicate IP address conflict on the local subnet?

Select 1 answer
A.ipconfig /all
B.arp -a
C.nslookup
D.ping
E.tracert
AnswersB

The arp -a command displays the ARP cache, which maps IP addresses to MAC addresses. If a duplicate IP exists, the ARP cache may show two different MAC addresses for the same IP address, indicating a conflict.

Why this answer

The `arp -a` command displays the local ARP cache, which maps IP addresses to MAC addresses. If a duplicate IP exists on the subnet, the ARP cache may show inconsistent or rapidly changing MAC-to-IP mappings, and the local host may receive duplicate address detection messages, indicating a conflict. Other commands like `ipconfig`, `ping`, `nslookup`, and `tracert` do not directly reveal ARP-level conflicts.

Exam trap

Cisco often tests the misconception that `ipconfig /all` can detect duplicate IPs, but it only shows local configuration, not network-level conflicts, while `arp -a` is the correct tool to inspect the ARP table for anomalies.

Why the other options are wrong

A

`ipconfig /all` shows only the local IP configuration, not whether the same IP is assigned to another host.

C

`nslookup` resolves domain names to IP addresses and is unrelated to local IP conflicts.

D

`ping` tests connectivity but cannot identify duplicate IPs, as a reply does not guarantee the IP is unique.

E

`tracert` traces the path to a remote host, irrelevant for detecting local subnet duplicate IPs.

430
MCQeasy

Which medium is the most common choice for a 10G uplink between wiring closets on different floors of the same building?

A.Rollover cable
B.Fiber optic cable
C.Coaxial cable
D.Console cable
AnswerB

Correct. Fiber is the standard uplink choice here.

Why this answer

Fiber is commonly used for building uplinks because it supports higher bandwidth and longer distances than typical copper for this use case.

Exam trap

Don't confuse the capabilities of multimode fiber with single-mode fiber for long-distance, high-speed connections.

Why the other options are wrong

A

A rollover cable is a specialized Cisco console cable used for out-of-band management access to a device's console port, not for network data traffic. It cannot carry 10G Ethernet signals and is physically incompatible with Ethernet interfaces.

C

Coaxial cable (e.g., RG-6) is primarily used for cable TV, broadband internet (DOCSIS), or legacy Ethernet (10BASE2/10BASE5), but it does not support 10G Ethernet speeds over the distances required between floors in a modern enterprise network. Fiber or twisted-pair copper (Cat6a/Cat7) are the standard 10G media.

D

A console cable (typically a rollover or USB-to-serial cable) is used for initial device configuration and management access, not for carrying network traffic. It cannot support 10G data rates and is not designed for switch-to-switch uplinks.

431
MCQhard

A router learns the same destination prefix from OSPF and EIGRP. The prefix length is identical, and both routes are valid. Which route is preferred by default?

A.The EIGRP route
B.The OSPF route
C.Both routes are installed equally because the prefix length matches
D.Neither route is used because protocols cannot advertise the same prefix
AnswerA

This is correct because EIGRP's default administrative distance is lower than OSPF's.

Why this answer

The EIGRP route is preferred by default because EIGRP has a lower default administrative distance than OSPF. In practical terms, once the prefix length is the same, the router compares source trust. Lower administrative distance wins. EIGRP’s default of 90 beats OSPF’s default of 110.

This is not a longest-prefix question. The prefix is identical, so the decision is about source preference rather than specificity.

Exam trap

A frequent exam trap is believing that when two routing protocols advertise the same prefix with identical prefix lengths, the router installs both routes equally or performs load balancing. This misconception ignores the role of administrative distance, which is the primary factor in route preference when prefix lengths match. Another trap is thinking that OSPF is always preferred because it is a widely used IGP, but Cisco routers prioritize routes based on AD values, not protocol popularity.

Misunderstanding this can lead to incorrect answers about route selection in multi-protocol environments.

Why the other options are wrong

B

This option is incorrect because OSPF’s default administrative distance (110) is higher than EIGRP’s (90), making OSPF routes less preferred when both advertise the same prefix.

C

This option is incorrect because equal prefix length does not cause routers to install both routes equally; administrative distance determines which route is preferred and installed.

D

This option is incorrect because routers can receive and compare the same prefix from multiple routing protocols; they do not reject prefixes simply because they come from different sources.

432
MCQhard

A switch unexpectedly blocks a link toward the distribution layer. Gi1/0/24 shows a path cost of 4 while Gi1/0/23 shows a path cost of 19. Why did interface Gi1/0/24 become the root port instead of Gi1/0/23?

A.Gi1/0/24 has a lower port number, so STP always prefers it first.
B.STP prefers interfaces with the highest path cost to reduce loops.
C.Gi1/0/23 is blocked because alternate ports are always chosen over root ports.
D.Gi1/0/24 has a lower root path cost to the root bridge.
AnswerD

Correct. The root path cost is the primary determinant for root port selection; lower cost wins, which is why Gi1/0/24 (cost 4) is preferred over Gi1/0/23 (cost 19).

Why this answer

Spanning Tree chooses a root port by looking for the best path toward the root bridge. In this case, Gi1/0/24 shows a cost of 4, while Gi1/0/23 shows a cost of 19. Lower cost is better, so Gi1/0/24 is selected as the root port and moves into forwarding.

Gi1/0/23 becomes an alternate port and is placed into a blocking state to prevent a loop. STP compares root path cost first; only if the cost is tied does it move on to tie-breakers like sender bridge ID and port ID. The lower cost on Gi1/0/24 explains why that port won the root-port election.

Exam trap

Remember that STP prioritizes root path cost over other factors like port numbers or bridge IDs unless there's a tie.

Why the other options are wrong

A

STP does not use port number as the primary criterion; it is only a tie-breaker when path cost, bridge ID, and sender bridge ID are all equal. Here, the path costs differ, so port number is irrelevant.

B

STP is designed to select the path with the lowest total cost to the root bridge, not the highest. Choosing a higher-cost path would increase latency and waste bandwidth.

C

The root port is the forwarding port toward the root bridge, while the alternate port is a blocked backup. The alternate port is not chosen over the root port; it only becomes active if the root port fails.
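Worked example (added here, not part of the question bank): the root-port election implemented as the 802.1D comparison sequence, root path cost first, then sender bridge ID, sender port ID and finally the local port ID, each step consulted only when the previous one ties. The bridge IDs, MAC addresses and port costs are constructed sample values; the first set reproduces the question (Gi1/0/24 at cost 4 beats Gi1/0/23 at cost 19 even though 23 is the lower port number), the second shows an equal-cost tie resolved by sender bridge ID.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RootPathCandidate:
    """One port on which this switch receives BPDUs leading toward the root bridge."""
    port: str
    root_path_cost: int         # cost in the received BPDU plus this port's own cost
    sender_bridge_id: tuple     # (priority, MAC) of the neighbour that sent the BPDU
    sender_port_id: tuple       # (port priority, port number) on the neighbour
    local_port_id: tuple        # (port priority, port number) on this switch


def root_port_key(c):
    """802.1D comparison order: lower wins; a later field only matters on a tie."""
    return (c.root_path_cost, c.sender_bridge_id, c.sender_port_id, c.local_port_id)


def elect_root_port(candidates):
    return min(candidates, key=root_port_key).port


def assign_roles(candidates):
    """The root port forwards; every other port toward the root is an alternate and blocks."""
    root = elect_root_port(candidates)
    return {c.port: ("root/forwarding" if c.port == root else "alternate/blocking")
            for c in candidates}


def deciding_factor(candidates):
    """Which comparison step actually separated the winner from the runner-up."""
    ordered = sorted(candidates, key=root_port_key)
    if len(ordered) < 2:
        return "no contest"
    a, b = root_port_key(ordered[0]), root_port_key(ordered[1])
    names = ["root path cost", "sender bridge ID", "sender port ID", "local port ID"]
    for name, x, y in zip(names, a, b):
        if x != y:
            return name
    return "identical"


# Constructed sample matching the question: both ports hear the same upstream bridge.
UPSTREAM = (32768, "0000.1111.2222")
QUESTION_PORTS = [
    RootPathCandidate("Gi1/0/23", 19, UPSTREAM, (128, 23), (128, 23)),
    RootPathCandidate("Gi1/0/24", 4, UPSTREAM, (128, 24), (128, 24)),
]

# Constructed tie: equal cost, so the lower sender bridge ID decides, not the port number.
TIE_PORTS = [
    RootPathCandidate("Gi1/0/1", 4, (32768, "0000.aaaa.bbbb"), (128, 1), (128, 1)),
    RootPathCandidate("Gi1/0/2", 4, (4096, "0000.cccc.dddd"), (128, 2), (128, 2)),
]

if __name__ == "__main__":
    print(assign_roles(QUESTION_PORTS), deciding_factor(QUESTION_PORTS))
    print(assign_roles(TIE_PORTS), deciding_factor(TIE_PORTS))
```

Because Python compares tuples element by element, `min()` over `root_port_key` is the whole election; `deciding_factor` is there so you can see which tie-breaker the exam question is really testing.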

433
MCQ · hard

A technician is troubleshooting a network-wide broadcast storm that has caused severe performance issues. The technician notices that BPDU guard is globally enabled on the access layer switch, but no ports are in an err-disabled state. All access ports have PortFast enabled. What is the most likely cause?

A.Spanning tree is disabled globally, allowing the rogue switch to create a loop.
B.BPDU guard is misconfigured on the wrong ports, so it failed to block the rogue switch.
C.Root guard is incorrectly enabled on the access ports, causing the rogue switch to become the root bridge.
D.BPDU filter is globally enabled, causing the switch to suppress BPDUs on PortFast ports and preventing BPDU guard from triggering.
Answer: D

Global BPDU filter on a switch sets PortFast on all access ports and disables BPDU transmission and reception on those ports. The rogue switch’s BPDUs are never processed, so BPDU guard—which depends on receiving a BPDU—never err-disables the port, allowing a loop and broadcast storm.

Why this answer

When BPDU filter is enabled globally on a switch, it enables PortFast on all access ports and also prevents those ports from sending or receiving BPDUs. If a rogue switch is then connected to such a port, the switch does not detect any BPDU from it, so BPDU guard never triggers despite being enabled globally. This allows the rogue switch to create a bridging loop without STP intervention, leading to a broadcast storm.

Exam trap

Many candidates see that BPDU guard is globally enabled but no ports are err-disabled, and conclude that BPDU guard is misconfigured or not applied correctly. However, the true reason is that BPDU filter suppresses BPDUs on PortFast ports, rendering BPDU guard ineffective because no BPDU is ever received to trigger it.

Why the other options are wrong

A

This answer assumes STP is off entirely, but the presence of BPDU guard configuration indicates spanning tree is operational.

B

Candidates often assume that BPDU guard simply failed, overlooking the interaction with BPDU filter, which can neutralize guard by suppressing BPDUs.

C

Root guard is a different feature and not related to the suppression of BPDUs that would allow a loop to form undetected.

434
Multi-Select · medium

Which TWO statements correctly describe the operation of the ip helper-address command in a DHCP relay agent configuration?

Select 2 answers
A.It forwards DHCPDISCOVER broadcasts from a client to a DHCP server on a different subnet.
B.It is configured on the DHCP server interface to allow replies to reach clients on remote subnets.
C.It automatically forwards all UDP broadcasts by default.
D.It sets the gateway IP address (giaddr) field in the DHCP packet to the relay agent's IP address.
E.It prevents DHCP spoofing by validating the source MAC address of DHCP packets.
Answers: A, D

The relay agent listens for DHCP broadcasts on one interface and forwards them as unicasts to the configured server IP.

Why this answer

Option A is correct because the `ip helper-address` command is configured on the router interface facing the client, and it converts the client's DHCPDISCOVER broadcast into a unicast directed to the specified DHCP server, allowing the client to obtain an IP address from a server on a different subnet. Option D is also correct because the relay agent sets the giaddr (gateway IP address) field in the DHCP packet to its own interface IP address. This is how the DHCP server knows which subnet the client is on and can assign an appropriate IP address and return the reply.

Option B is incorrect because the command is configured on the interface facing the DHCP clients, not on the server-facing interface. Option C is incorrect because `ip helper-address` does not forward all UDP broadcasts; it only forwards broadcasts for specific UDP ports (DHCP, DNS, TFTP, etc.) by default, and this list can be modified. Option E is incorrect because the command does not perform any MAC address validation or spoofing protection; it simply relays DHCP messages.

Exam trap

Cisco often tests the misconception that `ip helper-address` forwards all UDP broadcasts, when in reality it only forwards specific UDP ports (default: 67, 68, 53, 69, 37, 137, 138, 161, 162) and can be customized with the `ip forward-protocol` command.

Why the other options are wrong

B

The `ip helper-address` command is configured on the client-facing interface, not the server-facing interface.

C

The command does not forward all UDP broadcasts; it only forwards specific UDP ports (DHCP, DNS, TFTP, etc.) by default.

E

The command does not validate source MAC addresses or prevent DHCP spoofing; it only relays DHCP messages.
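Worked example (added here, not part of the question bank and not Cisco's implementation): a minimal model of what the relay agent does to a client DHCPDISCOVER, using the fixed BOOTP/DHCP header layout from RFC 2131. The relay increments `hops`, fills `giaddr` with its ingress-interface address only if it is still 0.0.0.0, and sends the packet as a unicast to the helper address on UDP 67; the server then picks a scope from `giaddr` and answers the relay, not the client. The MAC, transaction ID, interface addresses, helper address and scopes are constructed sample values.

```python
import ipaddress
import struct

# BOOTP/DHCP fixed header, first 44 bytes (RFC 2131): op, htype, hlen, hops, xid,
# secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)
DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68
BROADCAST = "255.255.255.255"


def _ip_bytes(ip):
    return ipaddress.IPv4Address(ip).packed


def _ip_str(raw):
    return str(ipaddress.IPv4Address(raw))


def build_discover(xid, client_mac):
    """Constructed DHCPDISCOVER header: BOOTREQUEST, Ethernet, broadcast flag, giaddr 0."""
    zero = b"\x00" * 4
    chaddr = client_mac.ljust(16, b"\x00")
    return struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0x8000, zero, zero, zero, zero, chaddr)


def parse_header(pkt):
    f = struct.unpack(BOOTP_FMT, pkt[:BOOTP_LEN])
    return {"op": f[0], "hops": f[3], "xid": f[4], "giaddr": _ip_str(f[10]), "chaddr": f[11][:6]}


def relay_to_server(pkt, relay_interface_ip, helper_address):
    """What `ip helper-address` does with a client broadcast received on the interface.

    Returns (destination IP, destination port, rewritten packet). giaddr is set only
    when it is still zero, so the first relay on the path stays the one the server
    replies to even if the request crosses several relays.
    """
    fields = list(struct.unpack(BOOTP_FMT, pkt[:BOOTP_LEN]))
    fields[3] += 1                                    # hops
    if fields[10] == b"\x00\x00\x00\x00":             # giaddr still unset
        fields[10] = _ip_bytes(relay_interface_ip)
    rewritten = struct.pack(BOOTP_FMT, *fields) + pkt[BOOTP_LEN:]
    return helper_address, DHCP_SERVER_PORT, rewritten


def select_scope(pkt, scopes):
    """Server side: giaddr identifies the client's subnet; 0.0.0.0 means a local client."""
    giaddr = parse_header(pkt)["giaddr"]
    if giaddr == "0.0.0.0":
        return "local-segment"
    gw = ipaddress.IPv4Address(giaddr)
    for scope in scopes:
        if gw in ipaddress.IPv4Network(scope):
            return scope
    return None


def reply_destination(pkt):
    """The OFFER goes back to the relay (giaddr, UDP 67); only local clients get a broadcast."""
    giaddr = parse_header(pkt)["giaddr"]
    return (BROADCAST, DHCP_CLIENT_PORT) if giaddr == "0.0.0.0" else (giaddr, DHCP_SERVER_PORT)


# Constructed values: client subnet 10.1.1.0/24 behind a router whose ingress
# interface is 10.1.1.1; the DHCP server 10.10.10.5 is the configured helper address.
RELAY_IF = "10.1.1.1"
HELPER = "10.10.10.5"
SCOPES = ["10.10.10.0/24", "10.1.1.0/24", "10.2.2.0/24"]

if __name__ == "__main__":
    discover = build_discover(0x3903F326, bytes.fromhex("001122334455"))
    dst, port, fwd = relay_to_server(discover, RELAY_IF, HELPER)
    print(dst, port, parse_header(fwd))
    print(select_scope(fwd, SCOPES), reply_destination(fwd))
```

The model deliberately does nothing with the client's MAC beyond carrying it in `chaddr`, which is the point of option E being wrong: relaying is address rewriting and forwarding, not validation.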

435
Multi-Select · medium

Which two statements accurately describe CAPWAP in a controller-based WLAN context?

Select 2 answers
A.It is associated with communication between lightweight APs and the wireless LAN controller.
B.It is relevant in controller-based WLAN designs.
C.It is the same thing as a client SSID.
D.It is a replacement for WPA2 and WPA3.
E.It is used only for IPv4 ACL filtering.
Answers: A, B

This is correct because CAPWAP is part of the AP-controller architecture.

Why this answer

CAPWAP (Control and Provisioning of Wireless Access Points) is the protocol used between lightweight access points (LAPs) and the wireless LAN controller (WLC) in controller-based WLAN architectures. Options C, D, and E are incorrect: CAPWAP is not an SSID; it is a control and data tunneling protocol, not a security standard like WPA2/WPA3; and it supports both IPv4 and IPv6, not just IPv4 ACL filtering.

Exam trap

Be careful not to confuse encapsulation with encryption or assume CAPWAP is limited to a specific IP version.

Why the other options are wrong

C

CAPWAP is a control protocol for AP-WLC communication, not a client SSID—an SSID is the network name that clients see and associate with.

D

CAPWAP is not a security replacement; WPA2 and WPA3 are wireless security standards, whereas CAPWAP tunnels traffic between AP and WLC.

E

CAPWAP supports both IPv4 and IPv6 transport; it is not limited to IPv4 ACL filtering.

436
MCQ · medium

A network administrator is configuring a new Windows workstation on a small office network that uses IPv4 addressing. The workstation must be able to communicate with devices on other subnets and resolve hostnames via a company DNS server at 10.10.10.5. The administrator has already set the IP address to 10.10.10.10 and the subnet mask to 255.255.255.0. Which additional parameter must be configured to meet both requirements?

A.Configure a default gateway of 10.10.10.1 and a DNS server of 10.10.10.5.
B.Configure only a DNS server of 10.10.10.5.
C.Change the subnet mask to 255.255.0.0 to allow communication across subnets.
D.Configure a default gateway of 10.10.20.1 and a DNS server of 10.10.10.5.
Answer: A

This provides both the default gateway for routing to other subnets and the DNS server for name resolution.

Why this answer

To communicate with devices on other subnets, the workstation needs a default gateway (router) to forward traffic beyond its local subnet. The IP address 10.10.10.10 with subnet mask 255.255.255.0 places it in the 10.10.10.0/24 network, so a default gateway (e.g., 10.10.10.1) is required for inter-subnet routing. Additionally, to resolve hostnames, the DNS server address must be explicitly configured; the company DNS server is at 10.10.10.5.

Option A correctly provides both parameters.

Exam trap

Cisco often tests the requirement that a default gateway must be on the same subnet as the host; the trap here is that candidates may think a DNS server alone suffices for inter-subnet communication, or they may incorrectly assume changing the subnet mask can replace a router, or they may choose a gateway on a different subnet without realizing it is unreachable.

Why the other options are wrong

B

Without a default gateway, the workstation cannot send packets to destinations outside its own subnet (10.10.10.0/24). The DNS server alone only provides name resolution, not routing to other subnets.

C

Changing the subnet mask to 255.255.0.0 would expand the broadcast domain and could cause routing problems, but it does not provide a path to other subnets. The workstation still needs a default gateway to communicate with devices outside its local network.

D

The default gateway 10.10.20.1 is not on the same subnet as the workstation (10.10.10.0/24). For a host to reach its default gateway, the gateway must be directly reachable on the local subnet. Since 10.10.20.1 is on a different subnet, the workstation cannot send traffic to it.
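Worked example (added here, not part of the question bank): a checker that applies the two requirements from the question to each option using the standard library `ipaddress` module. It reports a missing gateway, a gateway outside the local subnet (option D), and a missing DNS server; `is_local` shows the option C trap from the host's point of view, because with a /16 mask the host treats 10.10.20.x as local and ARPs for it instead of sending to a router. The addresses are the ones from the question; option C is modelled as a mask change with no gateway or DNS configured.

```python
import ipaddress


def is_local(host_ip, mask, destination):
    """True if the host will ARP for the destination directly, False if it must use a gateway."""
    net = ipaddress.IPv4Interface(f"{host_ip}/{mask}").network
    return ipaddress.IPv4Address(destination) in net


def check_host_config(host_ip, mask, gateway=None, dns=None):
    """Return the reasons a workstation config fails to (1) reach other subnets and
    (2) resolve names. An empty list means both requirements are met."""
    iface = ipaddress.IPv4Interface(f"{host_ip}/{mask}")
    net = iface.network
    problems = []
    if gateway is None:
        problems.append("no default gateway: traffic for other subnets has nowhere to go")
    else:
        gw = ipaddress.IPv4Address(gateway)
        if gw not in net:
            problems.append(f"gateway {gw} is outside the local subnet {net}; the host cannot ARP for it")
        elif gw in (net.network_address, net.broadcast_address, iface.ip):
            problems.append(f"gateway {gw} is not a usable host address on {net}")
    if dns is None:
        problems.append("no DNS server: hostnames cannot be resolved")
    return problems


# The four answer options applied to the workstation 10.10.10.10 (constructed mapping).
OPTIONS = {
    "A": dict(host_ip="10.10.10.10", mask="255.255.255.0", gateway="10.10.10.1", dns="10.10.10.5"),
    "B": dict(host_ip="10.10.10.10", mask="255.255.255.0", gateway=None, dns="10.10.10.5"),
    "C": dict(host_ip="10.10.10.10", mask="255.255.0.0", gateway=None, dns=None),
    "D": dict(host_ip="10.10.10.10", mask="255.255.255.0", gateway="10.10.20.1", dns="10.10.10.5"),
}


def evaluate_options():
    return {name: check_host_config(**cfg) for name, cfg in OPTIONS.items()}


if __name__ == "__main__":
    for name, problems in evaluate_options().items():
        print(name, problems or "OK")
    # The /16 trap: the host believes 10.10.20.7 is on its own wire.
    print(is_local("10.10.10.10", "255.255.255.0", "10.10.20.7"))  # False
    print(is_local("10.10.10.10", "255.255.0.0", "10.10.20.7"))    # True
```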

437
Multi-Select · medium

Which TWO statements accurately describe 802.1Q trunking and inter-VLAN routing on Cisco switches?

Select 2 answers
A.The native VLAN on a trunk port sends frames with an 802.1Q tag containing VLAN ID 1.
B.802.1Q trunking adds a 4-byte tag that includes a 12-bit VLAN ID field, increasing the maximum frame size.
C.A router-on-a-stick configuration uses subinterfaces, each mapped to a VLAN with 802.1Q encapsulation and an IP address in a unique subnet.
D.A trunk port can only forward traffic for one VLAN at a time.
E.The native VLAN on a trunk cannot be changed from VLAN 1.
Answers: B, C

The 802.1Q tag is 4 bytes, consisting of TPID and TCI, where the TCI contains a 12-bit VLAN ID.

Why this answer

Option B is correct because 802.1Q trunking inserts a 4-byte tag into the Ethernet frame, which includes a 12-bit VLAN ID field (supporting up to 4094 VLANs). This tag increases the maximum frame size from 1518 bytes to 1522 bytes, which is a key characteristic of 802.1Q encapsulation.

Exam trap

Cisco often tests the misconception that the native VLAN is always VLAN 1 and that it is tagged, when in fact the native VLAN is untagged and can be changed to any VLAN number.

Why the other options are wrong

A

By default, frames belonging to the native VLAN (VLAN 1) traverse a trunk link without an 802.1Q tag.

D

Trunk ports differentiate frames from multiple VLANs using VLAN tags, permitting concurrent forwarding for all allowed VLANs.

E

Cisco switches allow administrators to assign any active VLAN as the native VLAN for a trunk port.
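Worked example (added here, not part of the question bank): building and parsing the 802.1Q tag byte by byte. The tag is TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID, inserted after the source MAC, which is why a maximum 1518-byte frame grows to 1522 bytes. `trunk_egress` and `trunk_ingress` model the native-VLAN rule the wrong options get wrong: the native VLAN leaves untagged and an untagged arrival is assigned to whatever the native VLAN is configured as. The MAC addresses and payload are constructed.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
MAX_UNTAGGED_FRAME = 1518   # 6 dst + 6 src + 2 type + 1500 payload + 4 FCS
MAX_TAGGED_FRAME = 1522     # the same plus the 4-byte 802.1Q tag


def tag_frame(frame, vlan_id, pcp=0, dei=0):
    """Insert a 4-byte 802.1Q tag (TPID + TCI) between the source MAC and the EtherType."""
    if not 1 <= vlan_id <= 4094:          # 12-bit field; 0 and 4095 are reserved
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | (dei << 12) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame):
    """Return (tag info, frame with any tag removed)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return {"tagged": False, "vlan": None, "pcp": None, "ethertype": ethertype}, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    info = {
        "tagged": True,
        "vlan": tci & 0x0FFF,              # low 12 bits
        "pcp": tci >> 13,                  # top 3 bits, 802.1p priority
        "ethertype": struct.unpack("!H", frame[16:18])[0],
    }
    return info, frame[:12] + frame[16:]


def trunk_egress(frame, vlan_id, native_vlan):
    """A trunk sends the native VLAN untagged; every other VLAN gets a tag."""
    return frame if vlan_id == native_vlan else tag_frame(frame, vlan_id)


def trunk_ingress(frame, native_vlan):
    """A trunk assigns untagged frames to the native VLAN and strips the tag from the rest."""
    info, untagged = parse_frame(frame)
    return (info["vlan"] if info["tagged"] else native_vlan), untagged


def make_frame(payload_len=1500):
    """Constructed untagged Ethernet frame with a full-size payload and a dummy FCS."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("001122334455")
    return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + bytes(payload_len) + b"\x00" * 4


if __name__ == "__main__":
    frame = make_frame()
    tagged = tag_frame(frame, 10, pcp=5)
    print(len(frame), len(tagged))              # 1518 1522
    print(parse_frame(tagged)[0])               # vlan 10, pcp 5, ethertype 0x0800
    print(trunk_ingress(frame, native_vlan=99)[0])   # 99: untagged means native
```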

438
Matching · medium

Drag and drop the monitoring protocols and features on the left to their correct descriptions on the right.

Matches

Uses community strings for authentication, transmitted in plaintext

Provides authentication and encryption via AuthPriv security model

Cisco-proprietary flow monitoring that caches flows and exports records

IETF standard based on NetFlow v9 for flexible flow export

Push model that continuously streams operational data to a collector

Why these pairings

These pairs correctly match monitoring protocols and features with their descriptions as covered in network monitoring and management topics.

Exam trap

Watch out for confusing protocols with features: SNMP and NetFlow are protocols, while SPAN is a feature. Also, don't mix up the purposes: Syslog is for logs, not backups; NetFlow is for flow data, not packet inspection.

439
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure gRPC streaming telemetry subscription on a Cisco IOS-XE device, from initial setup to data collection.


Why this order

The correct order starts with entering global config, then enabling telemetry, defining subscription details (encoding and filter), specifying the receiver, and finally verifying data collection.

Exam trap

The trap is that candidates may confuse the order of enabling telemetry and defining the subscription, or think that global config is not needed first. Remember that all telemetry commands are configured in global config mode, and the subscription must be defined before the receiver can be added.

440
PBQ · hard

You are securing the spanning-tree topology on R1, the root bridge for VLAN 10. Intended configurations: Root Guard on GigabitEthernet1/0/3, Loop Guard on gigabit interfaces 1/0/1 and 1/0/2, and BPDU Guard on all PortFast-enabled interfaces. After initial configuration, a superior BPDU on G1/0/3 blocks the port (expected), and a host on G1/0/5 triggers BPDU Guard, causing err-disable (expected). However, you realize Loop Guard was not applied to the uplinks. Troubleshoot and apply the missing configuration.

Hints

  • Root Guard on the root bridge may cause blocking if a superior BPDU is received; this is correct behavior unless the port should be a root port.
  • Loop Guard prevents alternate or root ports from becoming designated in case of unidirectional link failure; it is safe on trunk uplinks.
  • BPDU Guard err-disables a PortFast port when a BPDU is received; re-enable with 'no shutdown' after fixing the cause.
A.Remove Root Guard from G1/0/3 and configure it with 'spanning-tree guard loop' to prevent the blockage.
B.Re-enable G1/0/5 with 'no shutdown' and apply 'spanning-tree bpduguard enable' on all PortFast-enabled interfaces to prevent future err-disable.
C.Configure Loop Guard on G1/0/1 and G1/0/2 with 'spanning-tree guard loop' and recover G1/0/5 from err-disable by issuing 'shutdown' followed by 'no shutdown'.
D.Remove BPDU Guard from all PortFast interfaces and configure 'spanning-tree portfast bpdufilter default' to prevent err-disable.
Answer: C
Solution:
! R1
interface GigabitEthernet1/0/1
spanning-tree guard loop
interface GigabitEthernet1/0/2
spanning-tree guard loop
interface GigabitEthernet1/0/5
shutdown
no shutdown

Why this answer

The candidate must first identify that Root Guard is correctly configured on G1/0/3, causing it to block (BKN*ROOT_Guard) upon receiving a superior BPDU, which is correct behavior. However, the task states to protect the root bridge role; since R1 is already root, Root Guard is appropriate. The err-disabled port G1/0/5 indicates BPDU Guard triggered; this is expected because a host connected to a PortFast port sent a BPDU.

To resolve, the candidate should re-enable the port with 'no shutdown' and ensure BPDU Guard is properly applied. Additionally, Loop Guard is missing on uplinks G1/0/1 and G1/0/2; it must be configured with 'spanning-tree guard loop' under each interface. No changes to Root Guard are needed; the blockage is intentional.

Exam trap

Do not assume that a blocked port due to Root Guard is a problem; it is intentional. Also, do not confuse BPDU Guard with BPDU Filter; BPDU Guard err-disables, while BPDU Filter suppresses BPDUs. Remember that err-disabled ports must be manually re-enabled with 'no shutdown'.

Why the other options are wrong

A

Root Guard is designed to block a port that receives superior BPDUs, which is exactly what happened. The configuration is correct and should not be removed.

B

BPDU Guard is correctly configured; the err-disable is expected behavior when a BPDU is received on a PortFast port. The solution is to re-enable the port and ensure the host is not a switch.

D

BPDU Filter is not a substitute for BPDU Guard; it prevents the port from sending or receiving BPDUs, which can cause bridging loops. The correct action is to re-enable the port, not change the protection mechanism.

441
Multi-Select · medium

Which THREE statements accurately describe the role of AI agents in closed-loop remediation workflows for network automation?

Select 3 answers
A.AI agents require manual approval before executing any remediation action in a closed-loop workflow.
B.AI agents can autonomously analyze network telemetry and decide on remediation actions.
C.AI agents rely solely on static baseline configurations to detect anomalies.
D.Tool-calling allows AI agents to invoke external automation tools (e.g., Ansible, Python scripts) to execute remediation steps.
E.In a closed-loop remediation workflow, the AI agent monitors the network after action to confirm the issue is resolved and adjusts if needed.
F.AI agents eliminate the need for human oversight in network operations.
Answers: B, D, E

AI agents use machine learning and rule-based logic to analyze real-time telemetry (e.g., interface errors, CPU utilization) and determine the appropriate remediation step, such as adjusting routing or resetting an interface.

Why this answer

B is correct because AI agents in closed-loop remediation workflows autonomously analyze network telemetry (e.g., gRPC, NETCONF) and decide on remediation actions without manual intervention, enabling rapid response. D is correct because tool-calling allows the AI agent to invoke external automation tools like Ansible or Python scripts to execute the chosen remediation steps. E is correct because a key part of the closed-loop is that the AI agent monitors the network after action to confirm the issue is resolved and adjusts if needed, ensuring the loop is closed.

A is wrong because closed-loop automation implies autonomous execution based on predefined policies, not requiring manual approval for every action. C is wrong because AI agents use dynamic telemetry and learned patterns, not just static baseline configurations, to detect anomalies. F is wrong because AI agents augment, not eliminate, human oversight; human intervention remains for policy exceptions and oversight.

Exam trap

Cisco often tests the misconception that AI agents require manual approval for every action in closed-loop workflows, when in fact the 'closed-loop' concept implies autonomous execution based on predefined policies.

Why the other options are wrong

A

Closed-loop remediation is defined by autonomous execution without manual approval for standard actions.

C

AI agents rely on continuous telemetry and machine learning, not solely static baseline configurations, to detect anomalies.

F

AI agents reduce but do not eliminate the need for human oversight, especially for policy exceptions and strategic decisions.

442
MCQ · medium

Which traffic type is typically most sensitive to delay and jitter and is commonly prioritized with QoS?

A.Voice traffic
B.Bulk backup traffic
C.Email attachments
D.Operating system updates
Answer: A

Correct. Voice is the classic latency-sensitive traffic class.

Why this answer

Voice traffic is highly sensitive to delay, jitter, and packet loss, so it is commonly prioritized in QoS policies.

Exam trap

A common exam trap is assuming that all traffic types require equal QoS prioritization. Candidates might incorrectly select bulk backup traffic or email attachments because they involve large data transfers, but these are not sensitive to delay or jitter. The trap lies in confusing throughput sensitivity with latency sensitivity.

Voice traffic demands low latency and minimal jitter to maintain call quality, which is why it is prioritized. Misunderstanding this distinction can lead to choosing incorrect answers that focus on volume rather than real-time sensitivity.

Why the other options are wrong

B

Bulk backup traffic is throughput-sensitive but not delay-sensitive. It can tolerate delays and jitter without impacting the backup process, so it is not typically prioritized by QoS in Cisco networks.

C

Email attachments are not time-sensitive and can tolerate delays and jitter. They do not require prioritization in QoS policies, making this option incorrect for delay-sensitive traffic.

D

Operating system updates involve large data transfers that are throughput-sensitive but not sensitive to delay or jitter. They are usually scheduled during off-peak times and are not prioritized by QoS.

443
PBQ · medium

You are connected to SW1 via the console. SW1 is a Layer 2 switch with two links to SW2: G0/1 and G0/2. The administrator wants to combine these two links into an EtherChannel using LACP. Configure an EtherChannel on SW1 for these ports and verify.

Hints

  • EtherChannel requires a port-channel interface and channel-group configuration on member ports.
  • Use mode active for LACP.
A.interface range g0/1-2 channel-group 1 mode active
B.interface range g0/1-2 channel-group 1 mode desirable
C.interface g0/1 channel-group 1 mode active interface g0/2 channel-group 1 mode passive
D.interface port-channel 1 channel-group 1 mode active
Answer: A
Solution:
! SW1
interface port-channel 1
interface range GigabitEthernet0/1-2
channel-group 1 mode active

Why this answer

The correct answer is A because it applies the LACP 'active' mode to both interfaces in the range, which will dynamically negotiate an EtherChannel with the peer. Option B uses PAgP 'desirable' mode, which is Cisco proprietary and not LACP, failing the requirement for LACP. Option C mixes LACP modes (active on one interface and passive on the other); both member ports must use the same mode (either active/active or passive/passive) to form a channel.

Option D attempts to configure the 'channel-group' command on the port-channel interface itself, but this command must be applied to the physical interfaces, not the logical port-channel.

Exam trap

Remember that LACP uses 'active' and 'passive' modes, while PAgP uses 'desirable' and 'auto'. Also, the 'channel-group' command is applied on physical interfaces, not on the port-channel interface. Both ports in the channel must use the same mode on the same switch.

Why the other options are wrong

B

The specific factual error is that 'desirable' is a PAgP mode, not LACP. LACP uses 'active' or 'passive'.

C

The specific factual error is that LACP requires both ends to be in compatible modes (active-active or active-passive), but on the same switch, both ports should use the same mode for the same channel group.

D

The specific factual error is that 'channel-group' is a physical interface command, not a port-channel interface command. The port-channel interface is used for logical configuration (e.g., trunking) after the channel is formed.

444
Drag & Drop · hard

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and 802.1X port authentication on an IOS-XE switch.


Why this order

First configure the RADIUS server, then enable AAA, create an authentication list for 802.1X, and finally apply 802.1X to the port.

Exam trap

Do not confuse the order of enabling AAA and creating authentication lists. AAA must be enabled globally before you can create authentication lists. Also, remember that the RADIUS server configuration comes first, as AAA needs to know which server to use.

445
PBQ · hard

You are connected to SW1. An EtherChannel between SW1 and SW2 using LACP must be established on interfaces GigabitEthernet0/1 and GigabitEthernet0/2. Currently, the channel is not forming. Inspect the provided configuration and output, then apply the necessary commands on SW1 to resolve the issue and bring up the Port-Channel interface.

Network Topology (diagram): SW1 Gi0/1 --- EtherChannel --- Gi0/1 SW2

Hints

  • Check the duplex and speed settings on both member interfaces on SW1.
  • Verify that the native VLAN (or access VLAN if not trunking) is identical on all bundled ports.
  • Ensure both sides use compatible LACP modes (active/active or active/passive).
A.Configure both interfaces with speed 1000, duplex full, and switchport access vlan 1.
B.Change the LACP mode on SW1's Gi0/2 from active to passive.
C.Configure both interfaces with speed 100, duplex half, and switchport access vlan 10.
D.Remove the switchport access vlan command from both interfaces and configure them as trunk ports with native vlan 1.
Answer: A
Solution:
! SW1
interface gigabitEthernet 0/2
speed 1000
duplex full
switchport access vlan 1
end

Why this answer

The EtherChannel failed because the two member interfaces on SW1 have mismatched speed (Gi0/1: 1000 Mbps, Gi0/2: 100 Mbps) and duplex (Gi0/1: full, Gi0/2: half), and their native VLANs differ (Gi0/1: VLAN 1, Gi0/2: VLAN 10). LACP requires all bundled ports to have identical speed, duplex, and VLAN configuration. To fix, on SW1 configure both interfaces with consistent settings: set speed 1000, duplex full, and switchport access vlan 1 (or a common trunk native VLAN).

Also ensure both sides use the same LACP mode (both active or active/passive); here SW2's Gi0/2 is passive, which is acceptable with SW1's active, so the primary issue is the mismatched physical and VLAN parameters. After correction, the channel will form.

Exam trap

Do not focus solely on LACP mode mismatches; always check physical parameters (speed, duplex) and VLAN consistency first. Mismatched native VLANs are a common cause of EtherChannel failures.

Why the other options are wrong

B

The specific factual error is assuming that LACP mode must match on both sides; active/passive is acceptable.

C

The specific factual error is that the solution should aim for optimal performance, not just consistency; using 100/half is technically possible but not the best practice.

D

The specific factual error is that trunking does not fix speed/duplex mismatches, and the native VLAN must be consistent.
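Worked example (added here, not part of the question bank and not how IOS itself validates a bundle) covering both EtherChannel questions above (443 and 445): a pre-check that flags the conditions under which a channel will not form. On one switch every member must agree on speed, duplex, switchport mode, VLAN and channel-group mode; between the two ends, LACP bundles when at least one side is active, PAgP when at least one side is desirable, and LACP never bundles with PAgP. The port settings are constructed; `SW1_BEFORE` reproduces the broken Gi0/2 from question 445 and `SW1_MIXED` the active/passive mix from question 443 option C.

```python
from dataclasses import dataclass

LACP_MODES = {"active", "passive"}
PAGP_MODES = {"desirable", "auto"}


@dataclass(frozen=True)
class MemberPort:
    name: str
    speed: int              # Mbps
    duplex: str             # "full" or "half"
    mode: str               # channel-group mode: active/passive (LACP), desirable/auto (PAgP), on
    switchport_mode: str    # "access" or "trunk"
    vlan: int               # access VLAN, or the native VLAN when trunking


def protocol_of(mode):
    if mode in LACP_MODES:
        return "LACP"
    if mode in PAGP_MODES:
        return "PAgP"
    if mode == "on":
        return "static"
    raise ValueError(f"unknown channel-group mode {mode!r}")


def local_consistency(ports):
    """Problems that keep members on ONE switch from bundling together."""
    problems = []
    ref = ports[0]
    for p in ports[1:]:
        for attr in ("speed", "duplex", "switchport_mode", "vlan"):
            if getattr(p, attr) != getattr(ref, attr):
                problems.append(f"{p.name}: {attr} {getattr(p, attr)} differs from "
                                f"{ref.name} ({getattr(ref, attr)})")
        if p.mode != ref.mode:
            problems.append(f"{p.name}: channel-group mode {p.mode} differs from "
                            f"{ref.name} ({ref.mode})")
    return problems


def negotiation_forms(local_mode, remote_mode):
    """Would the two ends of one link agree to bundle?"""
    lp, rp = protocol_of(local_mode), protocol_of(remote_mode)
    if lp != rp:
        return False                       # LACP vs PAgP, or negotiated vs static "on"
    if lp == "LACP":
        return "active" in (local_mode, remote_mode)      # passive/passive never starts
    if lp == "PAgP":
        return "desirable" in (local_mode, remote_mode)   # auto/auto never starts
    return True                            # "on" at both ends


def channel_comes_up(local_ports, remote_ports):
    """Each side must be internally consistent and every link pair must negotiate."""
    if local_consistency(local_ports) or local_consistency(remote_ports):
        return False
    return all(negotiation_forms(l.mode, r.mode) for l, r in zip(local_ports, remote_ports))


# Constructed samples.
SW1_BEFORE = [MemberPort("Gi0/1", 1000, "full", "active", "access", 1),
              MemberPort("Gi0/2", 100, "half", "active", "access", 10)]
SW1_AFTER = [MemberPort("Gi0/1", 1000, "full", "active", "access", 1),
             MemberPort("Gi0/2", 1000, "full", "active", "access", 1)]
SW1_MIXED = [MemberPort("Gi0/1", 1000, "full", "active", "access", 1),
             MemberPort("Gi0/2", 1000, "full", "passive", "access", 1)]
SW2 = [MemberPort("Gi0/1", 1000, "full", "passive", "access", 1),
       MemberPort("Gi0/2", 1000, "full", "passive", "access", 1)]

if __name__ == "__main__":
    for line in local_consistency(SW1_BEFORE):
        print(line)
    print(channel_comes_up(SW1_BEFORE, SW2), channel_comes_up(SW1_AFTER, SW2))  # False True
```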

446
MCQ · hard

An ACL is intended to block Telnet from 10.1.1.0/24 to router VTY access while still allowing SSH from the same subnet. Which statement best explains why an extended ACL is appropriate here?

A.Because the ACL must distinguish traffic by protocol or destination port, not just by source address.
B.Because standard ACLs can match destination TCP ports just as well.
C.Because extended ACLs are required for every router login policy regardless of criteria.
D.Because SSH and Telnet always use the same port number.
Answer: A

This is correct because Telnet-versus-SSH filtering requires extended matching capability.

Why this answer

An extended ACL is appropriate because the requirement is based not only on source address but also on the specific protocol and application port involved. In practical terms, the policy must distinguish Telnet from SSH even though both originate from the same source subnet. A standard ACL would be too limited because it mainly matches only on source address.

This is the kind of requirement that shows why extended ACLs exist. They allow more granular traffic control by matching protocol and destination details, not just who sent the packet.

Exam trap

Do not confuse the ability to filter by protocol and port with filtering by IP address alone; extended ACLs are required for the former.

Why the other options are wrong

B

Standard ACLs can only filter based on source IP address, not destination ports or protocols. They lack the granularity to distinguish between Telnet and SSH traffic.

C

Extended ACLs are not required for every router login policy; they are only needed when filtering must consider protocol or port information. Simple source-based filtering can use standard ACLs.

D

SSH uses TCP port 22, while Telnet uses TCP port 23. They are distinct ports, so an ACL can differentiate them based on destination port.
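Worked example (added here, not part of the question bank; a simplified ACL evaluator, not IOS semantics in full): wildcard-mask matching in the Cisco sense (a 1 bit means "don't care"), first-match evaluation with the implicit deny at the end, and the same policy expressed as an extended ACL and as a standard ACL. Only the extended entries can tell Telnet (TCP 23) from SSH (TCP 22); a standard ACL can only permit or deny the whole 10.1.1.0/24 source for both. The router address 192.0.2.1 and the host addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(address, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means that bit is not compared."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Ace:
    action: str                        # "permit" or "deny"
    protocol: str                      # "ip" (any), "tcp", "udp"
    src: str
    src_wildcard: str
    dst: str = "0.0.0.0"               # a standard ACL cannot name a destination: "any"
    dst_wildcard: str = "255.255.255.255"
    dst_port: Optional[int] = None     # only extended ACLs can match a port

    def matches(self, pkt):
        if self.protocol != "ip" and self.protocol != pkt["protocol"]:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wildcard):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wildcard):
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return True


def evaluate(acl, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


ROUTER = "192.0.2.1"   # constructed address of the router's VTY

# Extended ACL: protocol + destination port, so Telnet and SSH are separable.
EXTENDED = [
    Ace("deny", "tcp", "10.1.1.0", "0.0.0.255", ROUTER, "0.0.0.0", dst_port=23),
    Ace("permit", "tcp", "10.1.1.0", "0.0.0.255", ROUTER, "0.0.0.0", dst_port=22),
]

# Standard ACL: source only. Whichever action you choose hits SSH and Telnet alike.
STANDARD_DENY = [Ace("deny", "ip", "10.1.1.0", "0.0.0.255")]
STANDARD_PERMIT = [Ace("permit", "ip", "10.1.1.0", "0.0.0.255")]


def vty_decision(acl, src, dst_port):
    return evaluate(acl, {"protocol": "tcp", "src": src, "dst": ROUTER, "dst_port": dst_port})


if __name__ == "__main__":
    for name, acl in (("extended", EXTENDED), ("standard deny", STANDARD_DENY),
                      ("standard permit", STANDARD_PERMIT)):
        print(name, "telnet:", vty_decision(acl, "10.1.1.25", 23),
              "ssh:", vty_decision(acl, "10.1.1.25", 22))
```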

447
MCQ · hard

Refer to the exhibit. A network engineer is troubleshooting a connectivity issue on SW3. A host connected to the same segment as SW3's GigabitEthernet0/0 interface cannot reach any network resources. The engineer issues the show spanning-tree vlan 10 command and receives the output shown. Based on the output, what is the most likely cause?

A.GigabitEthernet0/0 is administratively down, which prevents the host from communicating.
B.The port is in the Blocking state because the switch detected a loop and moved the port to error-disabled state.
C.The port is blocked because SW3 has a lower bridge priority than the root bridge and should be the designated port for that segment.
D.The interface GigabitEthernet0/0 is in the Blocking state because it received a superior BPDU, making it an alternate port to the root bridge.
Answer: D

The output explicitly shows role 'Altn' and state 'BLK' for Gi0/0. An alternate port is blocked because it receives better BPDUs on that interface than it can send, providing an alternate path to the root bridge. This is correct STP behavior, and the blocking state prevents the host from communicating.

Why this answer

The output shows that GigabitEthernet0/0 is in the Blocking state for VLAN 10. In Rapid PVST+ or classic STP, a port enters the Blocking state when it receives a superior BPDU (i.e., a BPDU with a lower bridge ID or lower path cost to the root), causing it to become an alternate (or backup) port rather than a designated or root port. This prevents the host from reaching network resources because the port does not forward traffic.

Exam trap

Cisco often tests the distinction between a port being blocked due to normal STP operation (receiving a superior BPDU) versus being error-disabled or administratively down, leading candidates to incorrectly assume a physical or administrative issue.

Why the other options are wrong

A

Candidates may incorrectly associate the blocked state with an administratively disabled interface.

B

Candidates often confuse error-disabled state (caused by features like BPDU guard) with the standard STP blocking state.

C

Candidates may misunderstand the root election process and assume a lower priority switch always becomes designated for all segments, ignoring the Altn role.

448
Multi-Select · medium

Drag and drop the following steps into the correct order to describe the TCP three-way handshake between a client and a server.

Select 3 answers
A.Client sends SYN to server
B.Server sends SYN-ACK to client
C.Client sends ACK to server
D.Server sends ACK to client
Answers: A, B, C

This is the first step of the TCP three-way handshake. The client initiates the connection by sending a SYN (synchronize) segment to the server, indicating its initial sequence number and requesting a connection.

Why this answer

The TCP three-way handshake starts with the client initiating the connection by sending a SYN, followed by the server acknowledging with SYN-ACK, and finally the client confirming with an ACK. This sequence establishes a reliable connection before data transfer.

Exam trap

Do not confuse the order of the handshake. The server never sends a standalone ACK; its ACK is always combined with its SYN. Also, remember that the client sends the first SYN, not the server.

Why the other options are wrong

D

The server's acknowledgment is already included in the SYN-ACK segment; sending a separate ACK would be an extra step not defined in the TCP specification.

449
Matching · medium

Drag and drop the OSPFv2 neighbor states on the left to the correct descriptions on the right.

Matches

No hello packets received from neighbor

Master/slave election and DBD sequence number negotiation

Bi-directional communication established (the router sees its own Router ID listed in the neighbor's Hello)

Requesting and receiving missing LSAs via LSR/LSU

Neighbors are fully adjacent and databases synchronized

Why these pairings

OSPF neighbor states progress: Down (no Hello), Init (Hello seen), 2-Way (bidirectional), ExStart (master/slave election), Exchange (DBD packets), Loading (requesting missing LSAs via LSR/LSU), Full (LSDB synchronized). These states ensure proper adjacency formation and reliable database exchange.

Exam trap

Be careful not to confuse the order of OSPF states. The Down state is the very first state, not Init or 2-Way. Remember that Down means no Hello received at all.

450
Multi-Select (medium)

Which two statements accurately describe OSPF passive interfaces?

Select 2 answers
A. It prevents OSPF from sending hello packets on that interface.
B. It can still allow the connected network to be advertised into OSPF.
C. It changes OSPF into a static route on that interface.
D. It forces the interface to become the router ID.
E. It disables OSPF on every interface in the router automatically.
Answers: A, B

This is correct because passive interfaces suppress OSPF hello exchange locally.

Why this answer

An OSPF passive interface stops hello packet exchange on that interface while still allowing the connected network to be advertised into OSPF through other active adjacencies. In plain language, it tells the router not to try to form neighbors on that interface, but not to forget that the network exists. This is very useful on user-facing or stub-like interfaces where no routing neighbor should appear.

The incorrect options treat a passive interface as if it disabled OSPF globally or removed the network from OSPF entirely. The two correct answers are the ones that capture both real effects: adjacency (hello) suppression on that interface and continued advertisement of the connected network.

Exam trap

A common exam trap is to confuse the effect of the OSPF passive interface command with disabling OSPF entirely on that interface or converting OSPF routes into static routes. Some candidates mistakenly believe that passive interfaces stop all OSPF activity or remove the network from OSPF advertisements. In reality, passive interfaces only stop OSPF hello packets and adjacency formation but continue to advertise the connected network.

Misunderstanding this can lead to incorrect answers or network misconfigurations, especially when interpreting how OSPF maintains routing information despite passive interfaces.

Why the other options are wrong

C

This option is incorrect because passive interfaces do not convert OSPF routes into static routes; OSPF routing remains dynamic and active elsewhere.

D

This option is incorrect because the passive-interface command does not affect the router ID selection, which is determined by other OSPF rules.

E

This option is incorrect because passive-interface affects only the specified interface unless configured globally; it does not disable OSPF on all interfaces.
